dcavalca / rpms / util-linux

Forked from rpms/util-linux 2 years ago
Clone
531551
diff -up util-linux-2.23.2/sys-utils/Makemodule.am.kzak util-linux-2.23.2/sys-utils/Makemodule.am
531551
--- util-linux-2.23.2/sys-utils/Makemodule.am.kzak	2015-06-26 10:21:34.337221288 +0200
531551
+++ util-linux-2.23.2/sys-utils/Makemodule.am	2015-06-26 10:22:18.719885983 +0200
531551
@@ -308,7 +308,7 @@ if BUILD_NSENTER
531551
 usrbin_exec_PROGRAMS += nsenter
531551
 dist_man_MANS += sys-utils/nsenter.1
531551
 nsenter_SOURCES = sys-utils/nsenter.c
531551
-nsenter_LDADD = $(LDADD) libcommon.la
531551
+nsenter_LDADD = $(LDADD) libcommon.la $(SELINUX_LIBS)
531551
 endif
531551
 
531551
 if BUILD_HWCLOCK
531551
diff -up util-linux-2.23.2/sys-utils/nsenter.1.kzak util-linux-2.23.2/sys-utils/nsenter.1
531551
--- util-linux-2.23.2/sys-utils/nsenter.1.kzak	2015-06-26 10:14:00.947646586 +0200
531551
+++ util-linux-2.23.2/sys-utils/nsenter.1	2015-06-26 10:21:34.337221288 +0200
531551
@@ -155,6 +155,11 @@ Do not fork before exec'ing the specifie
531551
 PID namespace, \fBnsenter\fP calls \fBfork\fP before calling \fBexec\fP so that
531551
 any children will also be in the newly entered PID namespace.
531551
 .TP
531551
+\fB\-Z\fR, \fB\-\-follow\-context\fR
531551
+Set the SELinux security context used for executing a new process according to
531551
+already running process specified by \fB\-\-target\fR PID. (The util-linux has
531551
+to be compiled with SELinux support otherwise the option is unavailable.)
531551
+.TP
531551
 \fB\-V\fR, \fB\-\-version\fR
531551
 Display version information and exit.
531551
 .TP
531551
@@ -163,10 +168,14 @@ Display help text and exit.
531551
 .SH SEE ALSO
531551
 .BR setns (2),
531551
 .BR clone (2)
531551
-.SH AUTHOR
531551
-.MT ebiederm@xmission.com
531551
+.SH AUTHORS
531551
+.UR biederm@xmission.com
531551
 Eric Biederman
531551
-.ME
531551
+.UE
531551
+.br
531551
+.UR kzak@redhat.com
531551
+Karel Zak
531551
+.UE
531551
 .SH AVAILABILITY
531551
 The nsenter command is part of the util-linux package and is available from
531551
 .UR ftp://\:ftp.kernel.org\:/pub\:/linux\:/utils\:/util-linux/
531551
diff -up util-linux-2.23.2/sys-utils/nsenter.c.kzak util-linux-2.23.2/sys-utils/nsenter.c
531551
--- util-linux-2.23.2/sys-utils/nsenter.c.kzak	2015-06-26 10:14:00.947646586 +0200
531551
+++ util-linux-2.23.2/sys-utils/nsenter.c	2015-06-26 10:21:34.337221288 +0200
531551
@@ -30,6 +30,10 @@
531551
 #include <sys/wait.h>
531551
 #include <grp.h>
531551
 
531551
+#ifdef HAVE_LIBSELINUX
531551
+# include <selinux/selinux.h>
531551
+#endif
531551
+
531551
 #include "strutils.h"
531551
 #include "nls.h"
531551
 #include "c.h"
531551
@@ -82,6 +86,9 @@ static void usage(int status)
531551
 	fputs(_(" -r, --root[=<dir>]     set the root directory\n"), out);
531551
 	fputs(_(" -w, --wd[=<dir>]       set the working directory\n"), out);
531551
 	fputs(_(" -F, --no-fork          do not fork before exec'ing <program>\n"), out);
531551
+#ifdef HAVE_LIBSELINUX
531551
+	fputs(_(" -Z, --follow-context   set SELinux context according to --target PID\n"), out);
531551
+#endif
531551
 
531551
 	fputs(USAGE_SEPARATOR, out);
531551
 	fputs(USAGE_HELP, out);
531551
@@ -185,6 +192,9 @@ int main(int argc, char *argv[])
531551
 		{ "wd", optional_argument, NULL, 'w' },
531551
 		{ "no-fork", no_argument, NULL, 'F' },
531551
 		{ "preserve-credentials", no_argument, NULL, OPT_PRESERVE_CRED },
531551
+#ifdef HAVE_LIBSELINUX
531551
+		{ "follow-context", no_argument, NULL, 'Z' },
531551
+#endif
531551
 		{ NULL, 0, NULL, 0 }
531551
 	};
531551
 
531551
@@ -194,6 +204,9 @@ int main(int argc, char *argv[])
531551
 	int do_fork = -1; /* unknown yet */
531551
 	uid_t uid = 0;
531551
 	gid_t gid = 0;
531551
+#ifdef HAVE_LIBSELINUX
531551
+	bool selinux = 0;
531551
+#endif
531551
 
531551
 	setlocale(LC_ALL, "");
531551
 	bindtextdomain(PACKAGE, LOCALEDIR);
531551
@@ -201,7 +214,7 @@ int main(int argc, char *argv[])
531551
 	atexit(close_stdout);
531551
 
531551
 	while ((c =
531551
-		getopt_long(argc, argv, "+hVt:m::u::i::n::p::U::S:G:r::w::F",
531551
+		getopt_long(argc, argv, "+hVt:m::u::i::n::p::U::S:G:r::w::FZ",
531551
 			    longopts, NULL)) != -1) {
531551
 		switch (c) {
531551
 		case 'h':
531551
@@ -275,11 +288,30 @@ int main(int argc, char *argv[])
531551
 		case OPT_PRESERVE_CRED:
531551
 			preserve_cred = 1;
531551
 			break;
531551
+#ifdef HAVE_LIBSELINUX
531551
+		case 'Z':
531551
+			selinux = 1;
531551
+			break;
531551
+#endif
531551
 		default:
531551
 			usage(EXIT_FAILURE);
531551
 		}
531551
 	}
531551
 
531551
+#ifdef HAVE_LIBSELINUX
531551
+	if (selinux && is_selinux_enabled() > 0) {
531551
+		char *scon = NULL;
531551
+
531551
+		if (!namespace_target_pid)
531551
+			errx(EXIT_FAILURE, _("no target PID specified for --follow-context"));
531551
+		if (getpidcon(namespace_target_pid, &scon) < 0)
531551
+			errx(EXIT_FAILURE, _("failed to get %d SELinux context"),
531551
+					(int) namespace_target_pid);
531551
+		if (setexeccon(scon) < 0)
531551
+			errx(EXIT_FAILURE, _("failed to set exec context to '%s'"), scon);
531551
+		freecon(scon);
531551
+	}
531551
+#endif
531551
 	/*
531551
 	 * Open remaining namespace and directory descriptors.
531551
 	 */