[redhat-lspp] Re: [PATCH 2/3] Re: MLS enforcing PTYs, sshd, and newrole

Linda Knippers linda.knippers at hp.com
Thu Jan 4 21:57:32 UTC 2007


Daniel J Walsh wrote:
> We still have a problem on MLS machines, in that newrole can be used to
> pass data via pseudo terminals.
> 
> script
> newrole -l SystemHigh
> cat TopSecret.doc
> ^d
> ^d
> cat typescript
> 
> I propose we add this patch to newrole to check if we are on a pseudo
> terminal and then fail if user is using -l.
> 
> Basically this patch checks the major number of the stdin, stdout,
> stderr for a number in the pseudo number range.  If yes the pseudo
> terminal, if not continue.  Not pretty but it solves the problem.  I
> could not figure out another way to check if you are on a pseudo terminal.
> Comments?
> 
> 
> diff --exclude-from=exclude --exclude POTFILES.in --exclude='*.po'
> --exclude='*.pot' -N -u -r nsapolicycoreutils/newrole/newrole.c
> policycoreutils-1.33.7/newrole/newrole.c
> --- nsapolicycoreutils/newrole/newrole.c        2006-11-29
> 17:11:18.000000000 -0500
> +++ policycoreutils-1.33.7/newrole/newrole.c    2007-01-04
> 16:24:47.000000000 -0500
> @@ -67,6 +67,7 @@
> #include <selinux/get_context_list.h>  /* for SELINUX_DEFAULTUSER */
> #include <signal.h>
> #include <unistd.h>            /* for getuid(), exit(), getopt() */
> +#include <sys/stat.h>
> #ifdef USE_AUDIT
> #include <libaudit.h>
> #endif
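
Review bot: the added `#include <sys/stat.h>` covers fstat() and struct stat, but check_isapty() in the next hunk also calls major(), which glibc declares in <sys/sysmacros.h>. Include that header explicitly here instead of relying on another header pulling it in.
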
> @@ -93,6 +94,19 @@
> 
> extern char **environ;
> 
> +static int check_isapty(int fd) {
> +       struct stat buf;
> +       if ((isatty(fd)) && (fstat(fd, &buf) == 0)) {
> +               int dev=major(buf.st_rdev);
> +               if (dev >  135 && dev < 144) {

Where do these numbers come from?  Is UNIX98_PTY_SLAVE_MAJOR in
/usr/include/linux/major.h useful?  That's what the value is on
my system.  There's also PTY_SLAVE_MAJOR (value of 3) in that
file, but on my system that's the major for real ttys.

> +                       return 1;
> +               } else {
> +                       return 0;
> +               }
> +       }
> +       return 0;
> +}
> +                                      /**
>  * Construct from the current range and specified desired level a resulting
>  * range. If the specified level is a range, return that. If it is not,
> then
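
Review bot: the bounds in `if (dev >  135 && dev < 144)` are bare magic numbers, so a reader cannot tell which device range is meant or whether it is complete. Use the named constants from <linux/major.h> that the reply above asks about, with a comment on why that range is the right one, and decide what should happen when fstat() fails: as written the function returns 0, so the caller treats a descriptor it could not inspect as not being a pseudo terminal. The if/else that returns 1 or 0 can also collapse into returning the comparison itself.
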
> @@ -733,6 +747,7 @@
>                                        security_context_t *new_context,
>                                        int *preserve_environment)
> {
> +       int i;                  /* index for open file descriptors */
>        int flag_index;         /* flag index in argv[] */
>        int clflag;             /* holds codes for command line flags */
>        char *role_s = NULL;    /* role spec'd by user in argv[] */
> @@ -793,6 +808,13 @@
>                                        "specified\n"));
>                                return -1;
>                        }
> +                       for (i=0; i < 3; i++) {
> +                               if (check_isapty(i)) {
> +                                       fprintf(stderr, "Error: you are
> not allowed to change levels on pseudo terminals\n");
> +                                       return -1;
> +                               }
> +                       }
> +
>                        level_s = optarg;
>                        break;
>                default:
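
Review bot: the new fprintf() passes a bare string literal, while the context line just above it (`"specified\n"));`) shows the neighbouring message closing an extra wrapper call around its string. Wrap the new message the same way so it is handled like the other messages in this function. The loop bound `i < 3` would also read more clearly as STDIN_FILENO through STDERR_FILENO, since <unistd.h> is already included.
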
> 
> 
> -- 
> This message was distributed to subscribers of the selinux mailing list.
> If you no longer wish to subscribe, send mail to majordomo at tycho.nsa.gov
> with
> the words "unsubscribe selinux" without quotes as the message.



