From 641a7f0c61ff42ea55ad7152e7f874ea5d680a2d Mon Sep 17 00:00:00 2001
From: Dan Walsh <dwalsh@redhat.com>
Date: Wed, 9 Mar 2016 09:29:25 -0500
Subject: [PATCH] /dev/console must be labeled with SELinux label
|
If the user specifies an selinux_apifs_context all content created in
the container including /dev/console should use this label.
|
Currently when this uses the default label it gets labeled user_devpts_t,
which would require us to write a policy allowing container processes to
manage user_devpts_t. This means that an escaped process would be allowed
to attack all users' terminals as well as other containers' terminals. Changing
the label to match the apifs_context, means the processes would only be allowed
to manage their specific tty.
|
This change fixes a problem preventing RKT containers from working with systemd-nspawn.
|
(cherry picked from commit 68b020494d1ff085281061413d9236b5865ef238)
---
src/nspawn/nspawn.c | 7 +++++++
1 file changed, 7 insertions(+)
|
diff --git a/src/nspawn/nspawn.c b/src/nspawn/nspawn.c
index ef348c335b..8c06f6ef75 100644
--- a/src/nspawn/nspawn.c
+++ b/src/nspawn/nspawn.c
@@ -87,6 +87,7 @@
#ifdef HAVE_SECCOMP
#include "seccomp-util.h"
#endif
+#include "selinux-util.h"
#include "signal-util.h"
#include "socket-util.h"
#include "stat-util.h"
@@ -3286,6 +3287,12 @@ int main(int argc, char *argv[]) {
goto finish;
}
|
+ if (arg_selinux_apifs_context) {
+ r = mac_selinux_apply(console, arg_selinux_apifs_context);
+ if (r < 0)
+ goto finish;
+ }
+
if (unlockpt(master) < 0) {
r = log_error_errno(errno, "Failed to unlock tty: %m");
goto finish;
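Review bot: The new `if (r < 0) goto finish;` after `mac_selinux_apply(console, arg_selinux_apifs_context)` is the one error exit in this hunk that leaves `finish` without a diagnostic, whereas the `unlockpt` failure directly below reports through `log_error_errno`; unless `mac_selinux_apply` logs on its own (its body is not visible here), a context that cannot be applied to the pty makes nspawn bail out with nothing in the journal pointing at `--selinux-apifs-context`. I would keep the surrounding pattern, `if (r < 0) { log_error_errno(r, "Failed to set SELinux context %s on %s: %m", arg_selinux_apifs_context, console); goto finish; }`, so the failing label and path are named. The security reasoning from the commit message also belongs next to the code, since nothing at the call site says why the host pty gets the container's API-fs label rather than the default devpts one; a comment such as `/* Label the host pty that backs the container's /dev/console with the apifs context, so policy can confine the container to its own tty instead of granting it user_devpts_t. */` on the `if` would do. `main()` starts and continues outside this hunk, so the meaning of a negative `r` at `finish` could not be checked here.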