Back out changes to enable SELinux by default.

This may return in a future release in a different form.
This commit is contained in:
Todd C. Miller
2021-12-22 11:13:22 -07:00
parent 0ed92e6165
commit e22cc72530
5 changed files with 24 additions and 73 deletions

6
NEWS

@@ -59,12 +59,6 @@ What's new in Sudo 1.9.9
in Generalized Time format. This affected the NOTBEFORE and in Generalized Time format. This affected the NOTBEFORE and
NOTAFTER options in sudoers. Bug #1006 NOTAFTER options in sudoers. Bug #1006
* On systems where SELinux is enabled and sudo is built with SELinux
support, if the user's role is not "unconfined_r" sudo will always
execute commands via the "sesh" helper program. Previously, commands
were only executed via "sesh" if a role was specified in the sudoers
file rule or by the user on the command line.
* Added the -O and -P options to visudo, which can be used to check * Added the -O and -P options to visudo, which can be used to check
or set the owner and permissions. This can be used in conjunction or set the owner and permissions. This can be used in conjunction
with the -c option to check that the sudoers file ownership and with the -c option to check that the sudoers file ownership and


@@ -3,13 +3,6 @@ Notes on upgrading from an older release
* Upgrading from a version prior to 1.9.9: * Upgrading from a version prior to 1.9.9:
On systems where SELinux is enabled and sudo is built with
SELinux support, if the user's role is not "unconfined_r" sudo
will always execute commands via the "sesh" helper program.
Previously, commands were only executed via "sesh" if a role
was specified in the sudoers file rule or by the user on the
command line.
Sudo now runs commands with the core limit resource limit set Sudo now runs commands with the core limit resource limit set
to 0 by default. While most operating systems restrict core to 0 by default. While most operating systems restrict core
dumps of set-user-ID programs like sudo, this protection is dumps of set-user-ID programs like sudo, this protection is


@@ -632,7 +632,7 @@ sudoers_policy_store_result(bool accepted, char *argv[], char *envp[],
} }
/* Increase the length of command_info as needed, it is *not* checked. */ /* Increase the length of command_info as needed, it is *not* checked. */
command_info = calloc(69, sizeof(char *)); command_info = calloc(68, sizeof(char *));
if (command_info == NULL) if (command_info == NULL)
goto oom; goto oom;
@@ -941,9 +941,6 @@ sudoers_policy_store_result(bool accepted, char *argv[], char *envp[],
} }
#endif /* HAVE_LOGIN_CAP_H */ #endif /* HAVE_LOGIN_CAP_H */
#ifdef HAVE_SELINUX #ifdef HAVE_SELINUX
if (asprintf(&command_info[info_len++], "selinux_rbac=%s",
def_selinux ? "true" : "false") == -1)
goto oom;
if (def_selinux && user_role != NULL) { if (def_selinux && user_role != NULL) {
if ((command_info[info_len++] = sudo_new_key_val("selinux_role", user_role)) == NULL) if ((command_info[info_len++] = sudo_new_key_val("selinux_role", user_role)) == NULL)
goto oom; goto oom;
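Review bot: The element count in `command_info = calloc(68, sizeof(char *));` is a hand-maintained literal, and the comment directly above it states the length is *not* checked, so this revert is exactly the kind of edit where forgetting to adjust the count would overrun the array as `command_info[info_len++]` entries are stored. Since the function already has an `oom` path, a cheap safeguard is a named constant for the count and a bound check before each store, e.g. `#define COMMAND_INFO_NELEM 68` at the allocation and `if (info_len >= COMMAND_INFO_NELEM - 1) goto oom;` (or a `sudo_debug`-level assertion) ahead of the `#ifdef HAVE_SELINUX` entries. Whether the surrounding stores already guard against this cannot be seen here; sudoers_policy_store_result begins and ends outside this hunk.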


@@ -308,37 +308,21 @@ bad:
/* /*
* Determine the new security context based on the old context and the * Determine the new security context based on the old context and the
* specified role and type. * specified role and type.
* Returns 0 on success, 1 if SELinux is not needed, and -1 on failure. * Returns 0 on success, and -1 on failure.
*/ */
static int static int
get_exec_context(const char *role, const char *type) get_exec_context(const char *role, const char *type)
{ {
char *rolebuf = NULL, *typebuf = NULL;
char *new_context = NULL; char *new_context = NULL;
context_t context = NULL; context_t context = NULL;
char *typebuf = NULL;
int ret = -1; int ret = -1;
debug_decl(get_exec_context, SUDO_DEBUG_SELINUX); debug_decl(get_exec_context, SUDO_DEBUG_SELINUX);
/*
* Expand old_context into a context_t so that we can extract and modify
* its components easily.
*/
if ((context = context_new(se_state.old_context)) == NULL) {
sudo_warn("%s", U_("failed to get new context"));
goto done;
}
if (role == NULL) { if (role == NULL) {
rolebuf = strdup(context_role_get(context)); sudo_warnx(U_("you must specify a role for type %s"), type);
if (rolebuf == NULL) errno = EINVAL;
goto done; goto done;
role = rolebuf;
/* Skip SELinux role change for unconfined_r. */
if (strcmp(rolebuf, "unconfined_r") == 0 && type == NULL) {
ret = 1;
goto done;
}
} }
if (type == NULL) { if (type == NULL) {
if (get_default_type(role, &typebuf)) { if (get_default_type(role, &typebuf)) {
@@ -349,6 +333,15 @@ get_exec_context(const char *role, const char *type)
type = typebuf; type = typebuf;
} }
/*
* Expand old_context into a context_t so that we can extract and modify
* its components easily.
*/
if ((context = context_new(se_state.old_context)) == NULL) {
sudo_warn("%s", U_("failed to get new context"));
goto done;
}
/* /*
* Replace the role and type in "context" with the role and * Replace the role and type in "context" with the role and
* type we will be running the command as. * type we will be running the command as.
@@ -380,7 +373,6 @@ get_exec_context(const char *role, const char *type)
ret = 0; ret = 0;
done: done:
free(rolebuf);
free(typebuf); free(typebuf);
context_free(context); context_free(context);
freecon(new_context); freecon(new_context);
@@ -389,7 +381,7 @@ done:
/* /*
* Determine the exec and tty contexts the command will run in. * Determine the exec and tty contexts the command will run in.
* Returns 0 on success, 1 if SELinux is not needed, and -1 on failure. * Returns 0 on success and -1 on failure.
*/ */
int int
selinux_getexeccon(const char *role, const char *type) selinux_getexeccon(const char *role, const char *type)
@@ -412,20 +404,13 @@ selinux_getexeccon(const char *role, const char *type)
sudo_debug_printf(SUDO_DEBUG_INFO, "%s: old context %s", __func__, sudo_debug_printf(SUDO_DEBUG_INFO, "%s: old context %s", __func__,
se_state.old_context); se_state.old_context);
ret = get_exec_context(role, type); ret = get_exec_context(role, type);
switch (ret) { if (ret == -1) {
case 0:
sudo_debug_printf(SUDO_DEBUG_INFO, "%s: new context %s", __func__,
se_state.new_context);
break;
case 1:
sudo_debug_printf(SUDO_DEBUG_INFO, "%s: no context change required",
__func__);
break;
default:
/* Audit role change failure (success is logged later). */ /* Audit role change failure (success is logged later). */
selinux_audit_role_change(); selinux_audit_role_change();
break; goto done;
} }
sudo_debug_printf(SUDO_DEBUG_INFO, "%s: new context %s", __func__,
se_state.new_context);
done: done:
debug_return_int(ret); debug_return_int(ret);
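Review bot: The new header comment on get_exec_context only says "Returns 0 on success, and -1 on failure", but the restored body now treats a NULL `role` as a hard error (`sudo_warnx(U_("you must specify a role for type %s"), type)` with `errno = EINVAL`) while a NULL `type` is filled in from get_default_type(); that asymmetry is the contract callers most need to know. Suggest extending the comment with `* The role must be specified; if type is NULL the default type for the role is used.`. The same applies to selinux_getexeccon, which forwards both arguments unchanged and whose comment could carry `* Fails (and audits the failure) if no role is given.`. Both function bodies are cut by the hunk boundaries, so the cleanup paths in between are not visible here.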


@@ -647,7 +647,7 @@ bad:
static void static void
command_info_to_details(char * const info[], struct command_details *details) command_info_to_details(char * const info[], struct command_details *details)
{ {
int i, selinux_rbac = -1; int i;
id_t id; id_t id;
char *cp; char *cp;
const char *errstr; const char *errstr;
@@ -826,14 +826,6 @@ command_info_to_details(char * const info[], struct command_details *details)
SET_STRING("runas_user=", runas_user) SET_STRING("runas_user=", runas_user)
break; break;
case 's': case 's':
if (strncmp("selinux_rbac=", info[i], sizeof("selinux_rbac=") - 1) == 0) {
selinux_rbac = sudo_strtobool(info[i] + sizeof("selinux_rbac=") - 1);
if (selinux_rbac == -1) {
sudo_debug_printf(SUDO_DEBUG_ERROR,
"invalid boolean value for %s", info[i]);
}
break;
}
SET_STRING("selinux_role=", selinux_role) SET_STRING("selinux_role=", selinux_role)
SET_STRING("selinux_type=", selinux_type) SET_STRING("selinux_type=", selinux_type)
SET_FLAG("set_utmp=", CD_SET_UTMP) SET_FLAG("set_utmp=", CD_SET_UTMP)
@@ -888,21 +880,11 @@ command_info_to_details(char * const info[], struct command_details *details)
sudo_fatalx(U_("%s: %s"), __func__, U_("unable to allocate memory")); sudo_fatalx(U_("%s: %s"), __func__, U_("unable to allocate memory"));
#ifdef HAVE_SELINUX #ifdef HAVE_SELINUX
/* Newer sudoers plugin sets selinux_rbac, older only sets role/type. */ if (details->selinux_role != NULL && is_selinux_enabled() > 0) {
if (selinux_rbac == -1) SET(details->flags, CD_RBAC_ENABLED);
selinux_rbac = details->selinux_role || details->selinux_type;
if (selinux_rbac && is_selinux_enabled() > 0) {
i = selinux_getexeccon(details->selinux_role, details->selinux_type); i = selinux_getexeccon(details->selinux_role, details->selinux_type);
switch (i) { if (i != 0)
case 0:
SET(details->flags, CD_RBAC_ENABLED);
break;
case 1:
/* No role change needed. */
break;
default:
exit(EXIT_FAILURE); exit(EXIT_FAILURE);
}
} }
#endif #endif
debug_return; debug_return;
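Review bot: The restored gate `if (details->selinux_role != NULL && is_selinux_enabled() > 0)` keys only on the role, so a `selinux_type=` value that arrives without a `selinux_role=` is parsed by `SET_STRING("selinux_type=", selinux_type)` above and then silently dropped, and the "you must specify a role for type" diagnostic in get_exec_context becomes unreachable from this caller. Whether the sudoers plugin can actually emit a type without a role is not visible in this diff (the policy.c hunk only shows the role being emitted under `user_role != NULL`), but the failure mode is a confined command quietly running unconfined. If that combination is meant to be an error rather than ignored, change the gate to `if ((details->selinux_role != NULL || details->selinux_type != NULL) && is_selinux_enabled() > 0)` so the existing error path in selinux_getexeccon handles it. command_info_to_details begins outside this hunk.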