[v2,9/9] libsemanage: respect shell paths with /usr prefix

Message ID	20241125111840.63845-9-cgoettsche@seltendoof.de (mailing list archive)
State	New
Delegated to:	Petr Lautrbach
Headers	show Received: from server02.seltendoof.de (server02.seltendoof.de [168.119.48.163]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id A50631990D3 for <selinux@vger.kernel.org>; Mon, 25 Nov 2024 11:18:50 +0000 (UTC) From: =?utf-8?q?Christian_G=C3=B6ttsche?= <cgoettsche@seltendoof.de> To: selinux@vger.kernel.org Cc: =?utf-8?q?Christian_G=C3=B6ttsche?= <cgzones@googlemail.com> Subject: [PATCH v2 9/9] libsemanage: respect shell paths with /usr prefix Date: Mon, 25 Nov 2024 12:18:40 +0100 Message-ID: <20241125111840.63845-9-cgoettsche@seltendoof.de> In-Reply-To: <20241125111840.63845-1-cgoettsche@seltendoof.de> References: <20241125111840.63845-1-cgoettsche@seltendoof.de> Reply-To: cgzones@googlemail.com Precedence: bulk MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit
Series	[v2,1/9] libsemanage: set O_CLOEXEC flag for file descriptors \| expand [v2,1/9] libsemanage: set O_CLOEXEC flag for file descriptors [v2,2/9] libsemanage: handle cil_set_handle_unknown() failure [v2,3/9] libsemanage: handle shell allocation failure [v2,4/9] libsemanage: drop duplicate newlines and error descriptions in error messages [v2,5/9] libsemanage: check closing written files [v2,6/9] libsemanage: simplify file deletion [v2,7/9] libsemanage: optimize policy by default [v2,8/9] libsemanage/man: add documentation for command overrides [v2,9/9] libsemanage: respect shell paths with /usr prefix

Message ID

20241125111840.63845-9-cgoettsche@seltendoof.de (mailing list archive)

State

New

Delegated to:

Petr Lautrbach

Headers

From: =?utf-8?q?Christian_G=C3=B6ttsche?= <cgoettsche@seltendoof.de>
To: selinux@vger.kernel.org
Cc: =?utf-8?q?Christian_G=C3=B6ttsche?= <cgzones@googlemail.com>
Subject: [PATCH v2 9/9] libsemanage: respect shell paths with /usr prefix
Date: Mon, 25 Nov 2024 12:18:40 +0100
Message-ID: <20241125111840.63845-9-cgoettsche@seltendoof.de>
In-Reply-To: <20241125111840.63845-1-cgoettsche@seltendoof.de>
References: <20241125111840.63845-1-cgoettsche@seltendoof.de>
Reply-To: cgzones@googlemail.com
Precedence: bulk
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Series

[v2,1/9] libsemanage: set O_CLOEXEC flag for file descriptors | expand

Commit Message

Christian Göttsche Nov. 25, 2024, 11:18 a.m. UTC

From: Christian Göttsche <cgzones@googlemail.com>

Consider paths with the prefix /usr for shells by including them in the
list of fallback default shells and by extending the check for a nologin
shell.

Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
---
 libsemanage/src/genhomedircon.c | 32 +++++++++++++++++++++++---------
 1 file changed, 23 insertions(+), 9 deletions(-)

Comments

James Carter Nov. 27, 2024, 3:57 p.m. UTC | #1

On Tue, Nov 26, 2024 at 5:46 AM Christian Göttsche
<cgoettsche@seltendoof.de> wrote:
>
> From: Christian Göttsche <cgzones@googlemail.com>
>
> Consider paths with the prefix /usr for shells by including them in the
> list of fallback default shells and by extending the check for a nologin
> shell.
>
> Signed-off-by: Christian Göttsche <cgzones@googlemail.com>

For these nine patches:
Acked-by: James Carter <jwcart2@gmail.com>

> ---
>  libsemanage/src/genhomedircon.c | 32 +++++++++++++++++++++++---------
>  1 file changed, 23 insertions(+), 9 deletions(-)
>
> diff --git a/libsemanage/src/genhomedircon.c b/libsemanage/src/genhomedircon.c
> index 19543799..8782e2cb 100644
> --- a/libsemanage/src/genhomedircon.c
> +++ b/libsemanage/src/genhomedircon.c
> @@ -192,15 +192,23 @@ static semanage_list_t *default_shell_list(void)
>         semanage_list_t *list = NULL;
>
>         if (semanage_list_push(&list, "/bin/csh")
> +           || semanage_list_push(&list, "/usr/bin/csh")
>             || semanage_list_push(&list, "/bin/tcsh")
> +           || semanage_list_push(&list, "/usr/bin/tcsh")
>             || semanage_list_push(&list, "/bin/ksh")
> +           || semanage_list_push(&list, "/usr/bin/ksh")
>             || semanage_list_push(&list, "/bin/bsh")
> +           || semanage_list_push(&list, "/usr/bin/bsh")
>             || semanage_list_push(&list, "/bin/ash")
> -           || semanage_list_push(&list, "/usr/bin/ksh")
> +           || semanage_list_push(&list, "/usr/bin/ash")
> +           || semanage_list_push(&list, "/bin/pdksh")
>             || semanage_list_push(&list, "/usr/bin/pdksh")
>             || semanage_list_push(&list, "/bin/zsh")
> +           || semanage_list_push(&list, "/usr/bin/zsh")
>             || semanage_list_push(&list, "/bin/sh")
> -           || semanage_list_push(&list, "/bin/bash"))
> +           || semanage_list_push(&list, "/usr/bin/sh")
> +           || semanage_list_push(&list, "/bin/bash")
> +           || semanage_list_push(&list, "/usr/bin/bash"))
>                 goto fail;
>
>         return list;
> @@ -210,6 +218,12 @@ static semanage_list_t *default_shell_list(void)
>         return NULL;
>  }
>
> +static bool is_nologin_shell(const char *path)
> +{
> +       return strcmp(path, PATH_NOLOGIN_SHELL) == 0 ||
> +              strcmp(path, "/usr" PATH_NOLOGIN_SHELL) == 0;
> +}
> +
>  static semanage_list_t *get_shell_list(void)
>  {
>         FILE *shells;
> @@ -223,13 +237,13 @@ static semanage_list_t *get_shell_list(void)
>                 return default_shell_list();
>         while ((len = getline(&temp, &buff_len, shells)) > 0) {
>                 if (temp[len-1] == '\n') temp[len-1] = 0;
> -               if (strcmp(temp, PATH_NOLOGIN_SHELL)) {
> -                       if (semanage_list_push(&list, temp)) {
> -                               free(temp);
> -                               semanage_list_destroy(&list);
> -                               fclose(shells);
> -                               return NULL;
> -                       }
> +               if (is_nologin_shell(temp))
> +                       continue;
> +               if (semanage_list_push(&list, temp)) {
> +                       free(temp);
> +                       semanage_list_destroy(&list);
> +                       fclose(shells);
> +                       return NULL;
>                 }
>         }
>         free(temp);
> --
> 2.45.2
>
>

Petr Lautrbach Nov. 27, 2024, 4:32 p.m. UTC | #2

James Carter <jwcart2@gmail.com> writes:

> On Tue, Nov 26, 2024 at 5:46 AM Christian Göttsche
> <cgoettsche@seltendoof.de> wrote:
>>
>> From: Christian Göttsche <cgzones@googlemail.com>
>>
>> Consider paths with the prefix /usr for shells by including them in the
>> list of fallback default shells and by extending the check for a nologin
>> shell.
>>
>> Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
>
> For these nine patches:
> Acked-by: James Carter <jwcart2@gmail.com>

It's merged now. Thanks!


>> ---
>>  libsemanage/src/genhomedircon.c | 32 +++++++++++++++++++++++---------
>>  1 file changed, 23 insertions(+), 9 deletions(-)
>>
>> diff --git a/libsemanage/src/genhomedircon.c b/libsemanage/src/genhomedircon.c
>> index 19543799..8782e2cb 100644
>> --- a/libsemanage/src/genhomedircon.c
>> +++ b/libsemanage/src/genhomedircon.c
>> @@ -192,15 +192,23 @@ static semanage_list_t *default_shell_list(void)
>>         semanage_list_t *list = NULL;
>>
>>         if (semanage_list_push(&list, "/bin/csh")
>> +           || semanage_list_push(&list, "/usr/bin/csh")
>>             || semanage_list_push(&list, "/bin/tcsh")
>> +           || semanage_list_push(&list, "/usr/bin/tcsh")
>>             || semanage_list_push(&list, "/bin/ksh")
>> +           || semanage_list_push(&list, "/usr/bin/ksh")
>>             || semanage_list_push(&list, "/bin/bsh")
>> +           || semanage_list_push(&list, "/usr/bin/bsh")
>>             || semanage_list_push(&list, "/bin/ash")
>> -           || semanage_list_push(&list, "/usr/bin/ksh")
>> +           || semanage_list_push(&list, "/usr/bin/ash")
>> +           || semanage_list_push(&list, "/bin/pdksh")
>>             || semanage_list_push(&list, "/usr/bin/pdksh")
>>             || semanage_list_push(&list, "/bin/zsh")
>> +           || semanage_list_push(&list, "/usr/bin/zsh")
>>             || semanage_list_push(&list, "/bin/sh")
>> -           || semanage_list_push(&list, "/bin/bash"))
>> +           || semanage_list_push(&list, "/usr/bin/sh")
>> +           || semanage_list_push(&list, "/bin/bash")
>> +           || semanage_list_push(&list, "/usr/bin/bash"))
>>                 goto fail;
>>
>>         return list;
>> @@ -210,6 +218,12 @@ static semanage_list_t *default_shell_list(void)
>>         return NULL;
>>  }
>>
>> +static bool is_nologin_shell(const char *path)
>> +{
>> +       return strcmp(path, PATH_NOLOGIN_SHELL) == 0 ||
>> +              strcmp(path, "/usr" PATH_NOLOGIN_SHELL) == 0;
>> +}
>> +
>>  static semanage_list_t *get_shell_list(void)
>>  {
>>         FILE *shells;
>> @@ -223,13 +237,13 @@ static semanage_list_t *get_shell_list(void)
>>                 return default_shell_list();
>>         while ((len = getline(&temp, &buff_len, shells)) > 0) {
>>                 if (temp[len-1] == '\n') temp[len-1] = 0;
>> -               if (strcmp(temp, PATH_NOLOGIN_SHELL)) {
>> -                       if (semanage_list_push(&list, temp)) {
>> -                               free(temp);
>> -                               semanage_list_destroy(&list);
>> -                               fclose(shells);
>> -                               return NULL;
>> -                       }
>> +               if (is_nologin_shell(temp))
>> +                       continue;
>> +               if (semanage_list_push(&list, temp)) {
>> +                       free(temp);
>> +                       semanage_list_destroy(&list);
>> +                       fclose(shells);
>> +                       return NULL;
>>                 }
>>         }
>>         free(temp);
>> --
>> 2.45.2
>>
>>

diff --git a/libsemanage/src/genhomedircon.c b/libsemanage/src/genhomedircon.c
index 19543799..8782e2cb 100644
--- a/libsemanage/src/genhomedircon.c
+++ b/libsemanage/src/genhomedircon.c
@@ -192,15 +192,23 @@  static semanage_list_t *default_shell_list(void)
 	semanage_list_t *list = NULL;
 
 	if (semanage_list_push(&list, "/bin/csh")
+	    || semanage_list_push(&list, "/usr/bin/csh")
 	    || semanage_list_push(&list, "/bin/tcsh")
+	    || semanage_list_push(&list, "/usr/bin/tcsh")
 	    || semanage_list_push(&list, "/bin/ksh")
+	    || semanage_list_push(&list, "/usr/bin/ksh")
 	    || semanage_list_push(&list, "/bin/bsh")
+	    || semanage_list_push(&list, "/usr/bin/bsh")
 	    || semanage_list_push(&list, "/bin/ash")
-	    || semanage_list_push(&list, "/usr/bin/ksh")
+	    || semanage_list_push(&list, "/usr/bin/ash")
+	    || semanage_list_push(&list, "/bin/pdksh")
 	    || semanage_list_push(&list, "/usr/bin/pdksh")
 	    || semanage_list_push(&list, "/bin/zsh")
+	    || semanage_list_push(&list, "/usr/bin/zsh")
 	    || semanage_list_push(&list, "/bin/sh")
-	    || semanage_list_push(&list, "/bin/bash"))
+	    || semanage_list_push(&list, "/usr/bin/sh")
+	    || semanage_list_push(&list, "/bin/bash")
+	    || semanage_list_push(&list, "/usr/bin/bash"))
 		goto fail;
 
 	return list;
@@ -210,6 +218,12 @@  static semanage_list_t *default_shell_list(void)
 	return NULL;
 }
 
+static bool is_nologin_shell(const char *path)
+{
+	return strcmp(path, PATH_NOLOGIN_SHELL) == 0 ||
+	       strcmp(path, "/usr" PATH_NOLOGIN_SHELL) == 0;
+}
+
 static semanage_list_t *get_shell_list(void)
 {
 	FILE *shells;
@@ -223,13 +237,13 @@  static semanage_list_t *get_shell_list(void)
 		return default_shell_list();
 	while ((len = getline(&temp, &buff_len, shells)) > 0) {
 		if (temp[len-1] == '\n') temp[len-1] = 0;
-		if (strcmp(temp, PATH_NOLOGIN_SHELL)) {
-			if (semanage_list_push(&list, temp)) {
-				free(temp);
-				semanage_list_destroy(&list);
-				fclose(shells);
-				return NULL;
-			}
+		if (is_nologin_shell(temp))
+			continue;
+		if (semanage_list_push(&list, temp)) {
+			free(temp);
+			semanage_list_destroy(&list);
+			fclose(shells);
+			return NULL;
 		}
 	}
 	free(temp);

[v2,9/9] libsemanage: respect shell paths with /usr prefix

Commit Message

Comments

Patch