/* * Authors: Dan Walsh <dwalsh@redhat.com> * Authors: Thomas Liu <tliu@fedoraproject.org> */ #define _GNU_SOURCE #include <signal.h> #include <sys/fsuid.h> #include <sys/stat.h> #include <sys/types.h> #include <sys/wait.h> #include <syslog.h> #include <sys/mount.h> #include <glob.h> #include <pwd.h> #include <sched.h> #include <string.h> #include <stdio.h> #include <regex.h> #include <unistd.h> #include <stdlib.h> #include <cap-ng.h> #include <getopt.h> /* for getopt_long() form of getopt() */ #include <limits.h> #include <stdlib.h> #include <errno.h> #include <fcntl.h> #include <selinux/selinux.h> #include <selinux/context.h> /* for context-mangling functions */ #include <dirent.h> #ifdef USE_NLS #include <locale.h> /* for setlocale() */ #include <libintl.h> /* for gettext() */ #define _(msgid) gettext (msgid) #else #define _(msgid) (msgid) #endif #ifndef MS_REC #define MS_REC 1<<14 #endif #ifndef MS_SLAVE #define MS_SLAVE 1<<19 #endif #ifndef PACKAGE #define PACKAGE "policycoreutils" /* the name of this package lang translation */ #endif #define BUF_SIZE 1024 #define DEFAULT_PATH "/usr/bin:/bin" #define USAGE_STRING _("USAGE: seunshare [ -v ] [ -C ] [ -k ] [ -t tmpdir ] [ -h homedir ] [ -Z CONTEXT ] -- executable [args] ") static int verbose = 0; static int child = 0; static capng_select_t cap_set = CAPNG_SELECT_CAPS; /** * This function will drop all capabilities. */ static int drop_caps(void) { if (capng_have_capabilities(cap_set) == CAPNG_NONE) return 0; capng_clear(cap_set); if (capng_lock() == -1 || capng_apply(cap_set) == -1) { fprintf(stderr, _("Failed to drop all capabilities\n")); return -1; } return 0; } /** * This function will drop all privileges. */ static int drop_privs(uid_t uid) { if (drop_caps() == -1 || setresuid(uid, uid, uid) == -1) { fprintf(stderr, _("Failed to drop privileges\n")); return -1; } return 0; } /** * If the user sends a siginto to seunshare, kill the child's session */ void handler(int sig) { if (child > 0) kill(-child,sig); } /** * Take care of any signal setup. */ static int set_signal_handles(void) { sigset_t empty; /* Empty the signal mask in case someone is blocking a signal */ if (sigemptyset(&empty)) { fprintf(stderr, "Unable to obtain empty signal set\n"); return -1; } (void)sigprocmask(SIG_SETMASK, &empty, NULL); /* Terminate on SIGHUP */ if (signal(SIGHUP, SIG_DFL) == SIG_ERR) { perror("Unable to set SIGHUP handler"); return -1; } if (signal(SIGINT, handler) == SIG_ERR) { perror("Unable to set SIGINT handler"); return -1; } return 0; } #define status_to_retval(status,retval) do { \ if ((status) == -1) \ retval = -1; \ else if (WIFEXITED((status))) \ retval = WEXITSTATUS((status)); \ else if (WIFSIGNALED((status))) \ retval = 128 + WTERMSIG((status)); \ else \ retval = -1; \ } while(0) /** * Spawn external command using system() with dropped privileges. * TODO: avoid system() and use exec*() instead */ static int spawn_command(const char *cmd, uid_t uid){ int childpid; int status = -1; if (verbose > 1) printf("spawn_command: %s\n", cmd); childpid = fork(); if (childpid == -1) { perror(_("Unable to fork")); return status; } if (childpid == 0) { if (drop_privs(uid) != 0) exit(-1); status = system(cmd); status_to_retval(status, status); exit(status); } waitpid(childpid, &status, 0); status_to_retval(status, status); return status; } /** * Check file/directory ownership, struct stat * must be passed to the * functions. */ static int check_owner_uid(uid_t uid, const char *file, struct stat *st) { if (S_ISLNK(st->st_mode)) { fprintf(stderr, _("Error: %s must not be a symbolic link\n"), file); return -1; } if (st->st_uid != uid) { fprintf(stderr, _("Error: %s not owned by UID %d\n"), file, uid); return -1; } return 0; } static int check_owner_gid(gid_t gid, const char *file, struct stat *st) { if (S_ISLNK(st->st_mode)) { fprintf(stderr, _("Error: %s must not be a symbolic link\n"), file); return -1; } if (st->st_gid != gid) { fprintf(stderr, _("Error: %s not owned by GID %d\n"), file, gid); return -1; } return 0; } #define equal_stats(one,two) \ ((one)->st_dev == (two)->st_dev && (one)->st_ino == (two)->st_ino && \ (one)->st_uid == (two)->st_uid && (one)->st_gid == (two)->st_gid && \ (one)->st_mode == (two)->st_mode) /** * Sanity check specified directory. Store stat info for future comparison, or * compare with previously saved info to detect replaced directories. * Note: This function does not perform owner checks. */ static int verify_directory(const char *dir, struct stat *st_in, struct stat *st_out) { struct stat sb; if (st_out == NULL) st_out = &sb; if (lstat(dir, st_out) == -1) { fprintf(stderr, _("Failed to stat %s: %s\n"), dir, strerror(errno)); return -1; } if (! S_ISDIR(st_out->st_mode)) { fprintf(stderr, _("Error: %s is not a directory: %s\n"), dir, strerror(errno)); return -1; } if (st_in && !equal_stats(st_in, st_out)) { fprintf(stderr, _("Error: %s was replaced by a different directory\n"), dir); return -1; } return 0; } /** * This function checks to see if the shell is known in /etc/shells. * If so, it returns 0. On error or illegal shell, it returns -1. */ static int verify_shell(const char *shell_name) { int rc = -1; const char *buf; if (!(shell_name && shell_name[0])) return rc; while ((buf = getusershell()) != NULL) { /* ignore comments */ if (*buf == '#') continue; /* check the shell skipping newline char */ if (!strcmp(shell_name, buf)) { rc = 0; break; } } endusershell(); return rc; } /** * Mount directory and check that we mounted the right directory. */ static int seunshare_mount(const char *src, const char *dst, struct stat *src_st) { int flags = 0; int is_tmp = 0; if (verbose) printf(_("Mounting %s on %s\n"), src, dst); if (strcmp("/tmp", dst) == 0) { flags = flags | MS_NODEV | MS_NOSUID | MS_NOEXEC; is_tmp = 1; } /* mount directory */ if (mount(src, dst, NULL, MS_BIND | flags, NULL) < 0) { fprintf(stderr, _("Failed to mount %s on %s: %s\n"), src, dst, strerror(errno)); return -1; } /* verify whether we mounted what we expected to mount */ if (verify_directory(dst, src_st, NULL) < 0) return -1; /* bind mount /tmp on /var/tmp too */ if (is_tmp) { if (verbose) printf(_("Mounting /tmp on /var/tmp\n")); if (mount("/tmp", "/var/tmp", NULL, MS_BIND | flags, NULL) < 0) { fprintf(stderr, _("Failed to mount /tmp on /var/tmp: %s\n"), strerror(errno)); return -1; } } return 0; } /* If path is empy or ends with "/." or "/.. return -1 else return 0; */ static int bad_path(const char *path) { const char *ptr; ptr = path; while (*ptr) ptr++; if (ptr == path) return -1; // ptr null ptr--; if (ptr != path && *ptr == '.') { ptr--; if (*ptr == '/') return -1; // path ends in /. if (*ptr == '.') { if (ptr != path) { ptr--; if (*ptr == '/') return -1; // path ends in /.. } } } return 0; } static int rsynccmd(const char * src, const char *dst, char **cmdbuf) { char *buf = NULL; char *newbuf = NULL; glob_t fglob; fglob.gl_offs = 0; int flags = GLOB_PERIOD; unsigned int i = 0; int rc = -1; /* match glob for all files in src dir */ if (asprintf(&buf, "%s/*", src) == -1) { fprintf(stderr, "Out of memory\n"); return -1; } if (glob(buf, flags, NULL, &fglob) != 0) { free(buf); buf = NULL; return -1; } free(buf); buf = NULL; for ( i=0; i < fglob.gl_pathc; i++) { const char *path = fglob.gl_pathv[i]; if (bad_path(path)) continue; if (!buf) { if (asprintf(&newbuf, "\'%s\'", path) == -1) { fprintf(stderr, "Out of memory\n"); goto err; } } else { if (asprintf(&newbuf, "%s \'%s\'", buf, path) == -1) { fprintf(stderr, "Out of memory\n"); goto err; } } free(buf); buf = newbuf; newbuf = NULL; } if (buf) { if (asprintf(&newbuf, "/usr/bin/rsync -trlHDq %s '%s'", buf, dst) == -1) { fprintf(stderr, "Out of memory\n"); goto err; } *cmdbuf=newbuf; } else { *cmdbuf=NULL; } rc = 0; err: free(buf); buf = NULL; globfree(&fglob); return rc; } /** * Clean up runtime temporary directory. Returns 0 if no problem was detected, * >0 if some error was detected, but errors here are treated as non-fatal and * left to tmpwatch to finish incomplete cleanup. */ static int cleanup_tmpdir(const char *tmpdir, const char *src, struct passwd *pwd, int copy_content) { char *cmdbuf = NULL; int rc = 0; /* rsync files back */ if (copy_content) { if (asprintf(&cmdbuf, "/usr/bin/rsync --exclude=.X11-unix -utrlHDq --delete '%s/' '%s/'", tmpdir, src) == -1) { fprintf(stderr, _("Out of memory\n")); cmdbuf = NULL; rc++; } if (cmdbuf && spawn_command(cmdbuf, pwd->pw_uid) != 0) { fprintf(stderr, _("Failed to copy files from the runtime temporary directory\n")); rc++; } free(cmdbuf); cmdbuf = NULL; } /* remove files from the runtime temporary directory */ if (asprintf(&cmdbuf, "/bin/rm -r '%s/' 2>/dev/null", tmpdir) == -1) { fprintf(stderr, _("Out of memory\n")); cmdbuf = NULL; rc++; } /* this may fail if there's root-owned file left in the runtime tmpdir */ if (cmdbuf && spawn_command(cmdbuf, pwd->pw_uid) != 0) rc++; free(cmdbuf); cmdbuf = NULL; /* remove runtime temporary directory */ if ((uid_t)setfsuid(0) != 0) { /* setfsuid does not return errror, but this check makes code checkers happy */ rc++; } if (rmdir(tmpdir) == -1) fprintf(stderr, _("Failed to remove directory %s: %s\n"), tmpdir, strerror(errno)); if ((uid_t)setfsuid(pwd->pw_uid) != 0) { fprintf(stderr, _("unable to switch back to user after clearing tmp dir\n")); rc++; } return rc; } /** * seunshare will create a tmpdir in /tmp, with root ownership. The parent * process waits for it child to exit to attempt to remove the directory. If * it fails to remove the directory, we will need to rely on tmpreaper/tmpwatch * to clean it up. */ static char *create_tmpdir(const char *src, struct stat *src_st, struct stat *out_st, struct passwd *pwd, security_context_t execcon) { char *tmpdir = NULL; char *cmdbuf = NULL; int fd_t = -1, fd_s = -1; struct stat tmp_st; security_context_t con = NULL; /* get selinux context */ if (execcon) { if ((uid_t)setfsuid(pwd->pw_uid) != 0) goto err; if ((fd_s = open(src, O_RDONLY)) < 0) { fprintf(stderr, _("Failed to open directory %s: %s\n"), src, strerror(errno)); goto err; } if (fstat(fd_s, &tmp_st) == -1) { fprintf(stderr, _("Failed to stat directory %s: %s\n"), src, strerror(errno)); goto err; } if (!equal_stats(src_st, &tmp_st)) { fprintf(stderr, _("Error: %s was replaced by a different directory\n"), src); goto err; } if (fgetfilecon(fd_s, &con) == -1) { fprintf(stderr, _("Failed to get context of the directory %s: %s\n"), src, strerror(errno)); goto err; } /* ok to not reach this if there is an error */ if ((uid_t)setfsuid(0) != pwd->pw_uid) goto err; } if (asprintf(&tmpdir, "/tmp/.sandbox-%s-XXXXXX", pwd->pw_name) == -1) { fprintf(stderr, _("Out of memory\n")); tmpdir = NULL; goto err; } if (mkdtemp(tmpdir) == NULL) { fprintf(stderr, _("Failed to create temporary directory: %s\n"), strerror(errno)); goto err; } /* temporary directory must be owned by root:user */ if (verify_directory(tmpdir, NULL, out_st) < 0) { goto err; } if (check_owner_uid(0, tmpdir, out_st) < 0) goto err; if (check_owner_gid(getgid(), tmpdir, out_st) < 0) goto err; /* change permissions of the temporary directory */ if ((fd_t = open(tmpdir, O_RDONLY)) < 0) { fprintf(stderr, _("Failed to open directory %s: %s\n"), tmpdir, strerror(errno)); goto err; } if (fstat(fd_t, &tmp_st) == -1) { fprintf(stderr, _("Failed to stat directory %s: %s\n"), tmpdir, strerror(errno)); goto err; } if (!equal_stats(out_st, &tmp_st)) { fprintf(stderr, _("Error: %s was replaced by a different directory\n"), tmpdir); goto err; } if (fchmod(fd_t, 01770) == -1) { fprintf(stderr, _("Unable to change mode on %s: %s\n"), tmpdir, strerror(errno)); goto err; } /* re-stat again to pick change mode */ if (fstat(fd_t, out_st) == -1) { fprintf(stderr, _("Failed to stat directory %s: %s\n"), tmpdir, strerror(errno)); goto err; } /* copy selinux context */ if (execcon) { if (fsetfilecon(fd_t, con) == -1) { fprintf(stderr, _("Failed to set context of the directory %s: %s\n"), tmpdir, strerror(errno)); goto err; } } if ((uid_t)setfsuid(pwd->pw_uid) != 0) goto err; if (rsynccmd(src, tmpdir, &cmdbuf) < 0) { goto err; } /* ok to not reach this if there is an error */ if ((uid_t)setfsuid(0) != pwd->pw_uid) goto err; if (cmdbuf && spawn_command(cmdbuf, pwd->pw_uid) != 0) { fprintf(stderr, _("Failed to populate runtime temporary directory\n")); cleanup_tmpdir(tmpdir, src, pwd, 0); goto err; } goto good; err: free(tmpdir); tmpdir = NULL; good: free(cmdbuf); cmdbuf = NULL; freecon(con); con = NULL; if (fd_t >= 0) close(fd_t); if (fd_s >= 0) close(fd_s); return tmpdir; } #define PROC_BASE "/proc" static int killall (security_context_t execcon) { DIR *dir; security_context_t scon; struct dirent *de; pid_t *pid_table, pid, self; int i; int pids, max_pids; int running = 0; self = getpid(); if (!(dir = opendir(PROC_BASE))) { return -1; } max_pids = 256; pid_table = malloc(max_pids * sizeof (pid_t)); if (!pid_table) { (void)closedir(dir); return -1; } pids = 0; context_t con; con = context_new(execcon); const char *mcs = context_range_get(con); printf("mcs=%s\n", mcs); while ((de = readdir (dir)) != NULL) { if (!(pid = (pid_t)atoi(de->d_name)) || pid == self) continue; if (pids == max_pids) { pid_t *new_pid_table = realloc(pid_table, 2*pids*sizeof(pid_t)); if (!new_pid_table) { free(pid_table); (void)closedir(dir); return -1; } pid_table = new_pid_table; max_pids *= 2; } pid_table[pids++] = pid; } (void)closedir(dir); for (i = 0; i < pids; i++) { pid_t id = pid_table[i]; if (getpidcon(id, &scon) == 0) { context_t pidcon = context_new(scon); /* Attempt to kill remaining processes */ if (strcmp(context_range_get(pidcon), mcs) == 0) kill(id, SIGKILL); context_free(pidcon); freecon(scon); } running++; } context_free(con); free(pid_table); return running; } int main(int argc, char **argv) { int status = -1; security_context_t execcon = NULL; int clflag; /* holds codes for command line flags */ int kill_all = 0; char *homedir_s = NULL; /* homedir spec'd by user in argv[] */ char *tmpdir_s = NULL; /* tmpdir spec'd by user in argv[] */ char *tmpdir_r = NULL; /* tmpdir created by seunshare */ struct stat st_curhomedir; struct stat st_homedir; struct stat st_tmpdir_s; struct stat st_tmpdir_r; const struct option long_options[] = { {"homedir", 1, 0, 'h'}, {"tmpdir", 1, 0, 't'}, {"kill", 1, 0, 'k'}, {"verbose", 1, 0, 'v'}, {"context", 1, 0, 'Z'}, {"capabilities", 1, 0, 'C'}, {NULL, 0, 0, 0} }; uid_t uid = getuid(); /* if (!uid) { fprintf(stderr, _("Must not be root")); return -1; } */ #ifdef USE_NLS setlocale(LC_ALL, ""); bindtextdomain(PACKAGE, LOCALEDIR); textdomain(PACKAGE); #endif struct passwd *pwd=getpwuid(uid); if (!pwd) { perror(_("getpwduid failed")); return -1; } if (verify_shell(pwd->pw_shell) < 0) { fprintf(stderr, _("Error: User shell is not valid\n")); return -1; } while (1) { clflag = getopt_long(argc, argv, "Ccvh:t:Z:", long_options, NULL); if (clflag == -1) break; switch (clflag) { case 't': tmpdir_s = optarg; break; case 'k': kill_all = 1; break; case 'h': homedir_s = optarg; break; case 'v': verbose++; break; case 'C': cap_set = CAPNG_SELECT_CAPS; break; case 'Z': execcon = optarg; break; default: fprintf(stderr, "%s\n", USAGE_STRING); return -1; } } if (! homedir_s && ! tmpdir_s) { fprintf(stderr, _("Error: tmpdir and/or homedir required\n %s\n"), USAGE_STRING); return -1; } if (argc - optind < 1) { fprintf(stderr, _("Error: executable required\n %s\n"), USAGE_STRING); return -1; } if (execcon && is_selinux_enabled() != 1) { fprintf(stderr, _("Error: execution context specified, but SELinux is not enabled\n")); return -1; } if (set_signal_handles()) return -1; /* set fsuid to ruid */ /* Changing fsuid is usually required when user-specified directory is * on an NFS mount. It's also desired to avoid leaking info about * existence of the files not accessible to the user. */ if (((uid_t)setfsuid(uid) != 0) && (errno != 0)) { fprintf(stderr, _("Error: unable to setfsuid %m\n")); return -1; } /* verify homedir and tmpdir */ if (homedir_s && ( verify_directory(homedir_s, NULL, &st_homedir) < 0 || check_owner_uid(uid, homedir_s, &st_homedir))) return -1; if (tmpdir_s && ( verify_directory(tmpdir_s, NULL, &st_tmpdir_s) < 0 || check_owner_uid(uid, tmpdir_s, &st_tmpdir_s))) return -1; if ((uid_t)setfsuid(0) != uid) return -1; /* create runtime tmpdir */ if (tmpdir_s && (tmpdir_r = create_tmpdir(tmpdir_s, &st_tmpdir_s, &st_tmpdir_r, pwd, execcon)) == NULL) { fprintf(stderr, _("Failed to create runtime temporary directory\n")); return -1; } /* spawn child process */ child = fork(); if (child == -1) { perror(_("Unable to fork")); goto err; } if (child == 0) { char *display = NULL; char *LANG = NULL; char *RUNTIME_DIR = NULL; int rc = -1; char *resolved_path = NULL; if (unshare(CLONE_NEWNS) < 0) { perror(_("Failed to unshare")); goto childerr; } /* Remount / as SLAVE so that nothing mounted in the namespace shows up in the parent */ if (mount("none", "/", NULL, MS_SLAVE | MS_REC , NULL) < 0) { perror(_("Failed to make / a SLAVE mountpoint\n")); goto childerr; } /* assume fsuid==ruid after this point */ if ((uid_t)setfsuid(uid) != 0) goto childerr; resolved_path = realpath(pwd->pw_dir,NULL); if (! resolved_path) goto childerr; if (verify_directory(resolved_path, NULL, &st_curhomedir) < 0) goto childerr; if (check_owner_uid(uid, resolved_path, &st_curhomedir) < 0) goto childerr; /* mount homedir and tmpdir, in this order */ if (homedir_s && seunshare_mount(homedir_s, resolved_path, &st_homedir) != 0) goto childerr; if (tmpdir_s && seunshare_mount(tmpdir_r, "/tmp", &st_tmpdir_r) != 0) goto childerr; if (drop_privs(uid) != 0) goto childerr; /* construct a new environment */ if ((display = getenv("DISPLAY")) != NULL) { if ((display = strdup(display)) == NULL) { perror(_("Out of memory")); goto childerr; } } /* construct a new environment */ if ((LANG = getenv("LANG")) != NULL) { if ((LANG = strdup(LANG)) == NULL) { perror(_("Out of memory")); goto childerr; } } if ((RUNTIME_DIR = getenv("XDG_RUNTIME_DIR")) != NULL) { if ((RUNTIME_DIR = strdup(RUNTIME_DIR)) == NULL) { perror(_("Out of memory")); goto childerr; } } if ((rc = clearenv()) != 0) { perror(_("Failed to clear environment")); goto childerr; } if (display) rc |= setenv("DISPLAY", display, 1); if (LANG) rc |= setenv("LANG", LANG, 1); if (RUNTIME_DIR) rc |= setenv("XDG_RUNTIME_DIR", RUNTIME_DIR, 1); rc |= setenv("HOME", pwd->pw_dir, 1); rc |= setenv("SHELL", pwd->pw_shell, 1); rc |= setenv("USER", pwd->pw_name, 1); rc |= setenv("LOGNAME", pwd->pw_name, 1); rc |= setenv("PATH", DEFAULT_PATH, 1); if (rc != 0) { fprintf(stderr, _("Failed to construct environment\n")); goto childerr; } if (chdir(pwd->pw_dir)) { perror(_("Failed to change dir to homedir")); goto childerr; } setsid(); /* selinux context */ if (execcon) { /* try dyntransition, since no_new_privs can interfere * with setexeccon */ if (setcon(execcon) != 0) { /* failed; fall back to setexeccon */ if (setexeccon(execcon) != 0) { fprintf(stderr, _("Could not set exec context to %s. %s\n"), execcon, strerror(errno)); goto childerr; } } } execv(argv[optind], argv + optind); fprintf(stderr, _("Failed to execute command %s: %s\n"), argv[optind], strerror(errno)); childerr: free(resolved_path); free(display); free(LANG); free(RUNTIME_DIR); exit(-1); } drop_caps(); /* parent waits for child exit to do the cleanup */ waitpid(child, &status, 0); status_to_retval(status, status); /* Make sure all child processes exit */ kill(-child,SIGTERM); if (execcon && kill_all) killall(execcon); if (tmpdir_r) cleanup_tmpdir(tmpdir_r, tmpdir_s, pwd, 1); err: free(tmpdir_r); return status; }