[redhat-lspp] Re: [PATCH 2/3] Re: MLS enforcing PTYs, sshd, and newrole
Daniel J Walsh
dwalsh at redhat.com
Thu Jan 4 21:34:39 UTC 2007
We still have a problem on MLS machines, in that newrole can be used to
pass data via pseudo terminals.
script
newrole -l SystemHigh
cat TopSecret.doc
^d
^d
cat typescript
I propose we add this patch to newrole to check if we are on a pseudo
terminal and then fail if user is using -l.
Basically this patch checks the major number of the stdin, stdout,
stderr for a number in the pseudo number range, If yes the pseudo
terminal, if not continue. Not pretty but it solves the problem. I
could not figure out another way to check if you are on a pseudo terminal.
Comments?
diff --exclude-from=exclude --exclude POTFILES.in --exclude='*.po'
--exclude='*.pot' -N -u -r nsapolicycoreutils/newrole/newrole.c
policycoreutils-1.33.7/newrole/newrole.c
--- nsapolicycoreutils/newrole/newrole.c 2006-11-29
17:11:18.000000000 -0500
+++ policycoreutils-1.33.7/newrole/newrole.c 2007-01-04
16:24:47.000000000 -0500
@@ -67,6 +67,7 @@
#include <selinux/get_context_list.h> /* for SELINUX_DEFAULTUSER */
#include <signal.h>
#include <unistd.h> /* for getuid(), exit(), getopt() */
+#include <sys/stat.h>
#ifdef USE_AUDIT
#include <libaudit.h>
#endif
@@ -93,6 +94,19 @@
extern char **environ;
+static int check_isapty(int fd) {
+ struct stat buf;
+ if ((isatty(fd)) && (fstat(fd, &buf) == 0)) {
+ int dev=major(buf.st_rdev);
+ if (dev > 135 && dev < 144) {
+ return 1;
+ } else {
+ return 0;
+ }
+ }
+ return 0;
+}
+
/**
* Construct from the current range and specified desired level a resulting
* range. If the specified level is a range, return that. If it is not,
then
@@ -733,6 +747,7 @@
security_context_t *new_context,
int *preserve_environment)
{
+ int i; /* index for open file descriptors */
int flag_index; /* flag index in argv[] */
int clflag; /* holds codes for command line flags */
char *role_s = NULL; /* role spec'd by user in argv[] */
@@ -793,6 +808,13 @@
"specified\n"));
return -1;
}
+ for (i=0; i < 3; i++) {
+ if (check_isapty(i)) {
+ fprintf(stderr, "Error: you are
not allowed to change levels on pseudo terminals\n");
+ return -1;
+ }
+ }
+
level_s = optarg;
break;
default:
More information about the redhat-lspp
mailing list