rpms/icecream/devel icecream-0.9.3-tighten-security.patch, NONE, 1.1 icecream.spec, 1.18, 1.19 icecream.te, 1.6, 1.7
Michal Schmidt
michich at fedoraproject.org
Mon Mar 2 10:21:30 UTC 2009
Author: michich
Update of /cvs/pkgs/rpms/icecream/devel
In directory cvs1.fedora.phx.redhat.com:/tmp/cvs-serv16762
Modified Files:
icecream.spec icecream.te
Added Files:
icecream-0.9.3-tighten-security.patch
Log Message:
* Mon Mar 02 2009 Michal Schmidt <mschmidt at redhat.com> - 0.9.3-5
- Fix a fd leak from iceccd + avoid using system().
- Allows tighter SELinux policy.
icecream-0.9.3-tighten-security.patch:
--- NEW FILE icecream-0.9.3-tighten-security.patch ---
commit 3cf2e4b4f1912d18772a0fa476d4671c25ca2ea4
Author: coolo <coolo at 283d02a7-25f6-0310-bc7c-ecb5cbfe19da>
Date: Mon Mar 2 09:47:26 2009 +0000
more fixes from Michal Schmidt:
- don't leak file descriptor to create-env
- don't use the shell to call simple commands
git-svn-id: svn://anonsvn.kde.org/home/kde/trunk/icecream@934044 283d02a7-25f6-0310-bc7c-ecb5cbfe19da
diff --git a/daemon/environment.cpp b/daemon/environment.cpp
index fd38f8e..9dc2831 100644
--- a/daemon/environment.cpp
+++ b/daemon/environment.cpp
@@ -142,40 +142,48 @@ static void list_target_dirs( const string ¤t_target, const string &target
closedir( envdir );
}
-bool cleanup_cache( const string &basedir )
+/* Returns true if the child exited with success */
+static bool exec_and_wait( const char *const argv[] )
{
- flush_debug();
pid_t pid = fork();
- if ( pid )
- {
- int status = 0;
+ if ( pid == -1 ) {
+ log_perror("fork");
+ return false;
+ }
+ if ( pid ) {
+ // parent
+ int status;
while ( waitpid( pid, &status, 0 ) < 0 && errno == EINTR )
;
+ return WIFEXITED(status) && WEXITSTATUS(status) == 0;
+ }
+ // child
+ _exit(execv(argv[0], const_cast<char *const *>(argv)));
+}
- if ( mkdir( basedir.c_str(), 0755 ) && errno != EEXIST ) {
- if ( errno == EPERM )
- log_error() << "permission denied on mkdir " << basedir << endl;
- else
- log_perror( "mkdir in cleanup_cache() failed" );
- return false;
- }
- chown( basedir.c_str(), 0, 0 );
- chmod( basedir.c_str(), 0755 );
+bool cleanup_cache( const string &basedir )
+{
+ flush_debug();
- return WIFEXITED(status);
- }
- // else
- char **argv;
- argv = new char*[5];
- argv[0] = strdup( "/bin/rm" );
- argv[1] = strdup( "-rf" );
- argv[2] = strdup( "--" );
// make sure it ends with '/' to not fall into symlink traps
string bdir = basedir + '/';
- argv[3] = strdup( bdir.c_str() );
- argv[4] = NULL;
+ const char *const argv[] = {
+ "/bin/rm", "-rf", "--", bdir.c_str(), NULL
+ };
- _exit(execv(argv[0], argv));
+ bool ret = exec_and_wait( argv );
+
+ if ( mkdir( basedir.c_str(), 0755 ) && errno != EEXIST ) {
+ if ( errno == EPERM )
+ log_error() << "permission denied on mkdir " << basedir << endl;
+ else
+ log_perror( "mkdir in cleanup_cache() failed" );
+ return false;
+ }
+ chown( basedir.c_str(), 0, 0 );
+ chmod( basedir.c_str(), 0755 );
+
+ return ret;
}
Environments available_environmnents(const string &basedir)
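Review bot: In `exec_and_wait` the parent evaluates `WIFEXITED(status)` even when `waitpid` failed with an error other than EINTR, and the new code dropped the `= 0` initialiser the old code had, so the result can be computed from an indeterminate value. Keep the return value of the loop and bail out on failure: `int status = 0;`, then after the loop `if ( r < 0 ) { log_perror("waitpid"); return false; }`, where `r` holds the last `waitpid` result. The child also exits silently when `execv` fails, so a missing `/bin/rm` looks the same in the log as a non-zero exit; a `log_perror("execv")` before `_exit` would separate the two. In `cleanup_cache` the results of `chown` and `chmod` on the cache directory are still ignored, and a failure there deserves at least a logged error.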
@@ -259,7 +267,10 @@ size_t setup_env_cache(const string &basedir, string &native_environment, uid_t
_exit(1);
}
- if ( system( BINDIR "/icecc --build-native" ) ) {
+ const char *const argv[] = {
+ BINDIR "/icecc", "--build-native", NULL
+ };
+ if ( !exec_and_wait( argv ) ) {
log_error() << BINDIR "/icecc --build-native failed\n";
_exit(1);
}
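Review bot: Replacing `system()` at this call also drops what `system()` does around the wait: it blocks SIGCHLD and ignores SIGINT and SIGQUIT in the caller until the command finishes, and `exec_and_wait` does neither. If this process inherits a SIGCHLD handler that reaps children (not visible in this hunk), the `waitpid` inside `exec_and_wait` can fail with ECHILD and the native build would be reported as failed. Either block SIGCHLD around the call or record the assumption with a comment such as `// unlike system(), exec_and_wait() leaves SIGCHLD unblocked while waiting`. The enclosing function begins and ends outside the hunk.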
diff --git a/services/comm.cpp b/services/comm.cpp
index 47e7304..5ffb790 100644
--- a/services/comm.cpp
+++ b/services/comm.cpp
@@ -987,6 +987,12 @@ open_send_broadcast (void)
return -1;
}
+ if (fcntl (ask_fd, F_SETFD, FD_CLOEXEC) < 0)
+ {
+ log_perror("open_send_broadcast fcntl");
+ close (ask_fd);
+ return -1;
+ }
int optval = 1;
if (setsockopt (ask_fd, SOL_SOCKET, SO_BROADCAST, &optval, sizeof(optval)) < 0)
{
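Review bot: Setting FD_CLOEXEC with a separate `fcntl` after the socket exists leaves a short window in which a `fork` and `exec` from another thread, if the daemon has any, would still inherit `ask_fd`. Where the platform supports it, passing `SOCK_CLOEXEC` in the type argument of the `socket()` call closes that window; the call itself is above the hunk. The change also covers only this one descriptor, so check that the other sockets and files the daemon holds when it spawns helpers are marked close-on-exec too, since none of them are visible here. A comment above the `fcntl` such as `/* keep the broadcast socket out of exec'd helpers */` would record why the flag is set.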
Index: icecream.spec
===================================================================
RCS file: /cvs/pkgs/rpms/icecream/devel/icecream.spec,v
retrieving revision 1.18
retrieving revision 1.19
diff -u -r1.18 -r1.19
--- icecream.spec 25 Feb 2009 06:38:17 -0000 1.18
+++ icecream.spec 2 Mar 2009 10:21:00 -0000 1.19
@@ -11,7 +11,7 @@
Name: icecream
Version: 0.9.3
-Release: 4%{?dist}
+Release: 5%{?dist}
Summary: Distributed compiler
Group: Development/Tools
@@ -30,6 +30,7 @@
Patch0: %{name}-rename-scheduler.patch
Patch1: %{name}-cleanup-conffile.patch
Patch2: %{name}-0.9.3-fix-gcc44-ftbfs.patch
+Patch3: %{name}-0.9.3-tighten-security.patch
BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)
@@ -78,6 +79,7 @@
%patch0 -p1
%patch1 -p0
%patch2 -p1
+%patch3 -p1
sed -e 's|@LIBDIR@|%{_libdir}|g' %{SOURCE1} > icecream.sh
sed -e 's|@LIBDIR@|%{_libdir}|g' %{SOURCE2} > icecream.csh
mkdir SELinux
@@ -235,6 +237,10 @@
%{_libdir}/pkgconfig/icecc.pc
%changelog
+* Mon Mar 02 2009 Michal Schmidt <mschmidt at redhat.com> - 0.9.3-5
+- Fix a fd leak from iceccd + avoid using system().
+- Allows tighter SELinux policy.
+
* Tue Feb 24 2009 Fedora Release Engineering <rel-eng at lists.fedoraproject.org> - 0.9.3-4
- Rebuilt for https://fedoraproject.org/wiki/Fedora_11_Mass_Rebuild
Index: icecream.te
===================================================================
RCS file: /cvs/pkgs/rpms/icecream/devel/icecream.te,v
retrieving revision 1.6
retrieving revision 1.7
diff -u -r1.6 -r1.7
--- icecream.te 16 Feb 2009 20:52:28 -0000 1.6
+++ icecream.te 2 Mar 2009 10:21:00 -0000 1.7
@@ -1,5 +1,5 @@
-policy_module(icecream,0.0.42)
+policy_module(icecream,0.0.43)
########################################
#
@@ -146,15 +146,8 @@
nscd_socket_use(iceccd_createenv_t)
')
-# Some rules that can probably go away when iceccd is fixed properly:
-#
-# XXX: icecc-create-env does not really need to talk to the open UDP socket
-# leaked from its parent.
-dontaudit iceccd_createenv_t iceccd_t:udp_socket { read write };
-# XXX: iceccd could be modified to avoid the shell completely
-corecmd_exec_shell(iceccd_t)
-# XXX: fix iceccd to only nuke the contents of /var/cache/icecream,
-# not the directory itself.
+# XXX: This could be avoided if iceccd only nuked the contents of
+# /var/cache/icecream, not the directory itself.
files_var_filetrans(iceccd_t, iceccd_cache_t, dir)