[redhat-lspp] Re: [PATCH 2/3] Re: MLS enforcing PTYs, sshd, and newrole

Daniel J Walsh dwalsh at redhat.com
Thu Jan 4 22:19:02 UTC 2007


Linda Knippers wrote:
> Daniel J Walsh wrote:
>   
>> We still have a problem on MLS machines, in that newrole can be used to
>> pass data via pseudo terminals.
>>
>> script
>> newrole -l SystemHigh
>> cat TopSecret.doc
>> ^d
>> ^d
>> cat typescript
>>
>> I propose we add this patch to newrole to check if we are on a pseudo
>> terminal and then fail if user is using -l.
>>
>> Basically this patch checks the major number of the stdin, stdout,
>> stderr for a number in the pseudo number range. If yes the pseudo
>> terminal, if not continue.  Not pretty but it solves the problem.  I
>> could not figure out another way to check if you are on a pseudo terminal.
>> Comments?
>>
>>
>> diff --exclude-from=exclude --exclude POTFILES.in --exclude='*.po'
>> --exclude='*.pot' -N -u -r nsapolicycoreutils/newrole/newrole.c
>> policycoreutils-1.33.7/newrole/newrole.c
>> --- nsapolicycoreutils/newrole/newrole.c        2006-11-29
>> 17:11:18.000000000 -0500
>> +++ policycoreutils-1.33.7/newrole/newrole.c    2007-01-04
>> 16:24:47.000000000 -0500
>> @@ -67,6 +67,7 @@
>> #include <selinux/get_context_list.h>  /* for SELINUX_DEFAULTUSER */
>> #include <signal.h>
>> #include <unistd.h>            /* for getuid(), exit(), getopt() */
>> +#include <sys/stat.h>
>> #ifdef USE_AUDIT
>> #include <libaudit.h>
>> #endif
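
Review bot: the only header added here is <sys/stat.h>, which covers struct stat and fstat() but not major(), which check_isapty() calls in the next hunk. major() is declared in <sys/sysmacros.h>, so include that explicitly rather than relying on another header to pull it in.
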
>> @@ -93,6 +94,19 @@
>>
>> extern char **environ;
>>
>> +static int check_isapty(int fd) {
>> +       struct stat buf;
>> +       if ((isatty(fd)) && (fstat(fd, &buf) == 0)) {
>> +               int dev=major(buf.st_rdev);
>> +               if (dev >  135 && dev < 144) {
>>     
>
> Where do these numbers come from?  Is UNIX98_PTY_SLAVE_MAJOR in
> /usr/include/linux/major.h useful?  That's what the value is on
> my system.  There's also PTY_SLAVE_MAJOR (value of 3) in that
> file, but on my system that's the major for real ttys.
>
>   
>> +                       return 1;
>> +               } else {
>> +                       return 0;
>> +               }
>> +       }
>> +       return 0;
>> +}
>> +                                      /**
>>  * Construct from the current range and specified desired level a resulting
>>  * range. If the specified level is a range, return that. If it is not,
>> then
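
Review bot: the bounds in `dev >  135 && dev < 144` are bare numbers with no comment saying where they come from. Use UNIX98_PTY_SLAVE_MAJOR and UNIX98_PTY_MAJOR_COUNT from <linux/major.h>, or at least add a comment that 136-143 are the Unix98 PTY slave majors. check_isapty() also returns 0 when fstat() fails, so an error is reported the same way as "not a pty"; for a check that gates a level change, a distinct error return that the caller refuses on would be safer.
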
>> @@ -733,6 +747,7 @@
>>                                        security_context_t *new_context,
>>                                        int *preserve_environment)
>> {
>> +       int i;                  /* index for open file descriptors */
>>        int flag_index;         /* flag index in argv[] */
>>        int clflag;             /* holds codes for command line flags */
>>        char *role_s = NULL;    /* role spec'd by user in argv[] */
>> @@ -793,6 +808,13 @@
>>                                        "specified\n"));
>>                                return -1;
>>                        }
>> +                       for (i=0; i < 3; i++) {
>> +                               if (check_isapty(i)) {
>> +                                       fprintf(stderr, "Error: you are
>> not allowed to change levels on pseudo terminals\n");
>> +                                       return -1;
>> +                               }
>> +                       }
>> +
>>                        level_s = optarg;
>>                        break;
>>                default:
>>
>>
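
Review bot: the loop checks only descriptors 0 to 2, so the refusal depends on what stdin, stdout and stderr happen to be rather than on the terminal the session is attached to. If the intent is that -l never works from a pseudo terminal, state that in a comment and check the controlling terminal as well. The new message is also passed to fprintf() as a bare string, while the message just above it ends in `));`, which suggests it is wrapped in _() for translation; wrap this one the same way.
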
devices.txt in kernel documentation.

> http://www.mjmwired.net/kernel/Documentation/devices.txt#2176
>
> 136-143 char    Unix98 PTY slaves
>                   0 = /dev/pts/0        First Unix98 pseudo-TTY
>                   1 = /dev/pts/1        Second Unix98 pesudo-TTY
>                     ...
>
>                 These device nodes are automatically generated with
>                 the proper permissions and modes by mounting the
>                 devpts filesystem onto /dev/pts with the appropriate
>                 mount options (distribution dependent, however, on
>                 *most* distributions the appropriate options are
>                 "mode=0620,gid=<gid of the "tty" group>".)
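
The check discussed in this thread, written against the named constants in <linux/major.h> instead of literal bounds, as an added example that is not part of the original message or of newrole. The helper names are hypothetical, and treating an fstat() failure as a refusal is an assumption of this example.

```c
#include <linux/major.h>   /* UNIX98_PTY_SLAVE_MAJOR, UNIX98_PTY_MAJOR_COUNT */
#include <stdio.h>
#include <sys/stat.h>
#include <sys/sysmacros.h> /* major() */
#include <unistd.h>

/* 1 if maj is one of the Unix98 PTY slave majors (136-143 in devices.txt). */
static int major_is_unix98_pty_slave(unsigned int maj)
{
	return maj >= UNIX98_PTY_SLAVE_MAJOR &&
	       maj < UNIX98_PTY_SLAVE_MAJOR + UNIX98_PTY_MAJOR_COUNT;
}

/*
 * Hypothetical helper: 1 = fd is a Unix98 PTY slave, 0 = it is not,
 * -1 = fstat() failed, so the caller cannot tell and should refuse.
 */
static int fd_is_unix98_pty_slave(int fd)
{
	struct stat st;

	if (fstat(fd, &st) != 0)
		return -1;
	if (!S_ISCHR(st.st_mode))
		return 0;          /* pipes, files and sockets are not ttys */
	return major_is_unix98_pty_slave(major(st.st_rdev));
}

/* Hypothetical policy check over stdin, stdout and stderr, as in the patch. */
static int stdio_allows_level_change(void)
{
	for (int fd = 0; fd < 3; fd++)
		if (fd_is_unix98_pty_slave(fd) != 0)
			return 0;  /* a PTY, or unknown: refuse (assumption) */
	return 1;
}

int main(void)
{
	for (int fd = 0; fd < 3; fd++)
		printf("fd %d: %d\n", fd, fd_is_unix98_pty_slave(fd));
	printf("level change allowed: %d\n", stdio_allows_level_change());
	return 0;
}
```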



