diff options
| author | Todd C. Miller <Todd.Miller@sudo.ws> | 2020-04-21 14:29:23 -0600 |
|---|---|---|
| committer | Todd C. Miller <Todd.Miller@sudo.ws> | 2020-04-21 14:29:23 -0600 |
| commit | fb5034247b0f19325e5e7b245c9b0b34769f4292 (patch) | |
| tree | 05bb990bd0a84cfdde803ce9f1ab457a3d2971ca /src/selinux.c | |
| parent | d6889cdd25047d55330f53512282bec32c0ecbf5 (diff) | |
| download | sudo-fb5034247b0f19325e5e7b245c9b0b34769f4292.tar.gz | |
Fix sudoedit when running with SELinux RBAC mode.
We can't use run_command() to run sesh, that will use the sudo event
loop (and might run it in a pty!).
There's no need to relabel the tty when copying files.
Get the path to sesh from sudo.conf.
Currently, for SELinux RBAC, the editor runs with the target user's
security context. This defeats the purpose of sudoedit. Fixing
that requires passing file descriptors between the main sudo process
(running with the invoking user's security context) and sesh (runnning
with the target user's security context).
Diffstat (limited to 'src/selinux.c')
| -rw-r--r-- | src/selinux.c | 42 |
1 files changed, 27 insertions, 15 deletions
diff --git a/src/selinux.c b/src/selinux.c index 9be57f92c..25e174865 100644 --- a/src/selinux.c +++ b/src/selinux.c @@ -387,7 +387,7 @@ bad: */ int selinux_setup(const char *role, const char *type, const char *ttyn, - int ptyfd) + int ptyfd, bool label_tty) { int ret = -1; debug_decl(selinux_setup, SUDO_DEBUG_SELINUX); @@ -416,7 +416,7 @@ selinux_setup(const char *role, const char *type, const char *ttyn, sudo_debug_printf(SUDO_DEBUG_INFO, "%s: new context %s", __func__, se_state.new_context); - if (relabel_tty(ttyn, ptyfd) == -1) { + if (label_tty && relabel_tty(ttyn, ptyfd) == -1) { sudo_warn(U_("unable to set tty context to %s"), se_state.new_context); goto done; } @@ -432,6 +432,28 @@ done: debug_return_int(ret); } +int +selinux_setcon(void) +{ + debug_decl(selinux_setcon, SUDO_DEBUG_SELINUX); + + if (setexeccon(se_state.new_context)) { + sudo_warn(U_("unable to set exec context to %s"), se_state.new_context); + if (se_state.enforcing) + debug_return_int(-1); + } + +#ifdef HAVE_SETKEYCREATECON + if (setkeycreatecon(se_state.new_context)) { + sudo_warn(U_("unable to set key creation context to %s"), se_state.new_context); + if (se_state.enforcing) + debug_return_int(-1); + } +#endif /* HAVE_SETKEYCREATECON */ + + debug_return_int(0); +} + void selinux_execve(int fd, const char *path, char *const argv[], char *envp[], bool noexec) @@ -448,19 +470,9 @@ selinux_execve(int fd, const char *path, char *const argv[], char *envp[], debug_return; } - if (setexeccon(se_state.new_context)) { - sudo_warn(U_("unable to set exec context to %s"), se_state.new_context); - if (se_state.enforcing) - debug_return; - } - -#ifdef HAVE_SETKEYCREATECON - if (setkeycreatecon(se_state.new_context)) { - sudo_warn(U_("unable to set key creation context to %s"), se_state.new_context); - if (se_state.enforcing) - debug_return; - } -#endif /* HAVE_SETKEYCREATECON */ + /* Set SELinux exec and keycreate contexts. */ + if (selinux_setcon() == -1) + debug_return; /* * Build new argv with sesh as argv[0]. |