[redhat-lspp] Re: [PATCH 2/3] Re: MLS enforcing PTYs, sshd, and newrole

Daniel J Walsh dwalsh at redhat.com
Thu Jan 4 21:34:39 UTC 2007


We still have a problem on MLS machines, in that newrole can be used to 
pass data via pseudo terminals.

script
newrole -l SystemHigh
cat TopSecret.doc
^d
^d
cat typescript

I propose we add this patch to newrole to check if we are on a pseudo 
terminal and then fail if user is using -l.

Basically this patch checks whether the major device number of stdin, stdout, 
or stderr falls in the pseudo-terminal number range. If it does, the descriptor 
is a pseudo terminal and newrole fails; if not, it continues. Not pretty, but it 
solves the problem. I could not figure out another way to check if you are on a 
pseudo terminal.

Comments?


diff --exclude-from=exclude --exclude POTFILES.in --exclude='*.po' 
--exclude='*.pot' -N -u -r nsapolicycoreutils/newrole/newrole.c 
policycoreutils-1.33.7/newrole/newrole.c
--- nsapolicycoreutils/newrole/newrole.c        2006-11-29 
17:11:18.000000000 -0500
+++ policycoreutils-1.33.7/newrole/newrole.c    2007-01-04 
16:24:47.000000000 -0500
@@ -67,6 +67,7 @@
 #include <selinux/get_context_list.h>  /* for SELINUX_DEFAULTUSER */
 #include <signal.h>
 #include <unistd.h>            /* for getuid(), exit(), getopt() */
+#include <sys/stat.h>
 #ifdef USE_AUDIT
 #include <libaudit.h>
 #endif
@@ -93,6 +94,19 @@

 extern char **environ;

+static int check_isapty(int fd) {
+       struct stat buf;
+       if ((isatty(fd)) && (fstat(fd, &buf) == 0)) {
+               int dev=major(buf.st_rdev);
+               if (dev >  135 && dev < 144) {
+                       return 1;
+               } else {
+                       return 0;
+               }
+       }
+       return 0;
+}
+                                      
 /**
  * Construct from the current range and specified desired level a resulting
  * range. If the specified level is a range, return that. If it is not, 
then
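Review bot: The range test `dev > 135 && dev < 144` in check_isapty covers only char majors 136–143, the Unix98 pty slave range on Linux, so a legacy BSD-style pty slave (major 3) is treated as a normal terminal and the `-l` restriction does not apply to it where the kernel still provides legacy ptys. The function also fails open: if fstat() fails on a descriptor that isatty() accepted, it returns 0 and the level change proceeds. For an MLS guard I would name the majors, add the legacy one (or document why it cannot occur), and return 1 when the device cannot be classified. `dev` is better declared unsigned, since major() yields an unsigned value. The whole function is inside this hunk; the trailing context is the comment of the next definition.

```c
/* Linux char majors for pty slaves: 3 = legacy BSD ptys, 136-143 = Unix98 */
enum {
	BSD_PTY_SLAVE = 3,
	UNIX98_PTY_SLAVE_FIRST = 136,
	UNIX98_PTY_SLAVE_LAST = 143
};

static int check_isapty(int fd)
{
	struct stat buf;
	unsigned int dev;

	if (!isatty(fd))
		return 0;
	if (fstat(fd, &buf) != 0)
		return 1;	/* cannot classify the tty: refuse rather than allow */
	dev = major(buf.st_rdev);
	return dev == BSD_PTY_SLAVE ||
	       (dev >= UNIX98_PTY_SLAVE_FIRST && dev <= UNIX98_PTY_SLAVE_LAST);
}
```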
@@ -733,6 +747,7 @@
                                        security_context_t *new_context,
                                        int *preserve_environment)
 {
+       int i;                  /* index for open file descriptors */
        int flag_index;         /* flag index in argv[] */
        int clflag;             /* holds codes for command line flags */
        char *role_s = NULL;    /* role spec'd by user in argv[] */
@@ -793,6 +808,13 @@
                                        "specified\n"));
                                return -1;
                        }
+                       for (i=0; i < 3; i++) {
+                               if (check_isapty(i)) {
+                                       fprintf(stderr, "Error: you are 
not allowed to change levels on pseudo terminals\n");
+                                       return -1;
+                               }
+                       }
+
                        level_s = optarg;
                        break;
                default:
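Review bot: The refusal added under the level option is reported only on stderr, so on an MLS system a denied level change leaves no audit trail; since the file already builds against libaudit under USE_AUDIT, the denial should presumably be recorded there as well. The new message is also passed to fprintf untranslated, while the message just above ends in `));`, which suggests the file wraps user-visible strings in `_()`: `fprintf(stderr, _("Error: you are not allowed to change levels on pseudo terminals\n"));`. The loop bound `3` deserves a short comment such as `/* stdin, stdout, stderr */`. The enclosing function starts and ends outside this hunk.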



