sys-process/vixie-cron/files/vixie-cron-4.1-selinux-2.patch


1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225

diff -ur vixie-cron-4.1/Makefile vixie-cron-4.1-selinux/Makefile
--- vixie-cron-4.1/Makefile	2004-08-28 02:09:33.000000000 +0800
+++ vixie-cron-4.1-selinux/Makefile	2017-04-26 22:16:53.321394815 +0800
@@ -68,7 +68,8 @@
 #<<want to use a nonstandard CC?>>
 CC		=	gcc -Wall -Wno-unused -Wno-comment
 #<<manifest defines>>
-DEFS		=
+DEFS		= -s -DWITH_SELINUX
+LIBS		+= 	-lselinux
 #(SGI IRIX systems need this)
 #DEFS		=	-D_BSD_SIGNALS -Dconst=
 #<<the name of the BSD-like install program>>
diff -ur vixie-cron-4.1/database.c vixie-cron-4.1-selinux/database.c
--- vixie-cron-4.1/database.c	2004-08-28 02:09:34.000000000 +0800
+++ vixie-cron-4.1-selinux/database.c	2017-04-27 01:31:34.757942605 +0800
@@ -28,6 +28,15 @@
 
 #include "cron.h"
 
+#ifdef WITH_SELINUX
+#include <selinux/selinux.h>
+#include <selinux/context.h>
+#include <selinux/get_context_list.h>
+#define SYSUSERNAME "system_u"
+#else
+#define SYSUSERNAME "*system*"
+#endif
+
 #define TMAX(a,b) ((a)>(b)?(a):(b))
 
 static	void		process_crontab(const char *, const char *,
@@ -183,7 +192,7 @@
 	if (fname == NULL) {
 		/* must be set to something for logging purposes.
 		 */
-		fname = "*system*";
+		fname = SYSUSERNAME;
 	} else if ((pw = getpwnam(uname)) == NULL) {
 		/* file doesn't have a user in passwd file.
 		 */
@@ -245,6 +254,117 @@
 		free_user(u);
 		log_it(fname, getpid(), "RELOAD", tabname);
 	}
+#ifdef WITH_SELINUX
+	if (is_selinux_enabled()) {
+		security_context_t file_context=NULL;
+		security_context_t user_context=NULL;
+		context_t current_context = NULL;
+		char *current_context_str = NULL;
+		struct av_decision avd;
+		int retval=0;
+		char *seuser=NULL;
+		char *level=NULL;
+		int sys_user = 0;
+
+		sys_user = strcmp(SYSUSERNAME, fname);
+
+		if (fgetfilecon(crontab_fd, &file_context) < OK) {
+			log_it(fname, getpid(), "getfilecon FAILED", tabname);
+			goto next_crontab;
+		}
+
+		if (sys_user != 0) {
+			if (getseuserbyname(fname, &seuser, &level) < 0) {
+				log_it(fname, getpid(), "NO SEUSER", tabname);
+				goto next_crontab;
+			}
+		} else {
+			if (getcon(&current_context_str) < 0) {
+				log_it(fname, getpid(), "getcon FAILED", tabname);
+				goto next_crontab;
+			}
+
+			current_context = context_new(current_context_str);
+			if (current_context == 0) {
+				log_it(fname, getpid(), "context new FAILED", tabname);
+				freecon(current_context_str);
+				goto next_crontab;
+			}
+
+			seuser = context_user_get(current_context);
+			level = context_range_get(current_context);
+		}
+
+		if (get_default_context_with_level(seuser, level, NULL, &user_context) < 0) {
+			log_it(fname, getpid(), "NO CONTEXT", tabname);
+			freecon(file_context);
+			if (sys_user != 0) {
+				free(seuser);
+				free(level);
+			}
+			freecon(current_context_str);
+			context_free(current_context);
+			goto next_crontab;
+		}
+
+		/*
+		 * Since crontab files are not directly executed,
+		 * crond must ensure that the crontab file has
+		 * a context that is appropriate for the context of
+		 * the user cron job.  It performs an entrypoint
+		 * permission check for this purpose.
+		 */
+		security_class_t file_class;
+		access_vector_t entrypoint_bit;
+		file_class = string_to_security_class("file");
+		if (file_class == 0) {
+			log_it(fname, getpid(), "file CLASS NOT DEFINED", tabname);
+			freecon(current_context_str);
+			context_free(current_context);
+			freecon(user_context);
+			freecon(file_context);
+			if (sys_user != 0) {
+				free(seuser);
+				free(level);
+			}
+			goto next_crontab;
+		}
+
+		entrypoint_bit = string_to_av_perm(file_class, "entrypoint");
+		if (entrypoint_bit == 0) {
+			log_it(fname, getpid(), "file:entrypoint AV NOT DEFINED", tabname);
+			freecon(current_context_str);
+			context_free(current_context);
+			freecon(user_context);
+			freecon(file_context);
+			if (sys_user != 0) {
+				free(seuser);
+				free(level);
+			}
+			goto next_crontab;
+		}
+
+		retval = security_compute_av_raw(user_context,
+			file_context,
+			file_class,
+			entrypoint_bit,
+			&avd);
+
+		freecon(user_context);
+		freecon(file_context);
+		if (sys_user != 0) {
+			free(seuser);
+			free(level);
+		}
+		context_free(current_context);
+		freecon(current_context_str);
+
+		if (retval || ((entrypoint_bit & avd.allowed) != entrypoint_bit)) {
+			log_it(fname, getpid(), "ENTRYPOINT FAILED", tabname);
+			goto next_crontab;
+		}
+	}
+#endif
 	u = load_user(crontab_fd, pw, fname);
 	if (u != NULL) {
 		u->mtime = statbuf->st_mtime;
diff -ur vixie-cron-4.1/do_command.c vixie-cron-4.1-selinux/do_command.c
--- vixie-cron-4.1/do_command.c	2004-08-28 02:09:34.000000000 +0800
+++ vixie-cron-4.1-selinux/do_command.c	2017-04-27 01:30:49.045144698 +0800
@@ -25,6 +25,12 @@
 
 #include "cron.h"
 
+#ifdef WITH_SELINUX
+#include <selinux/selinux.h>
+#include <selinux/context.h>
+#include <selinux/get_context_list.h>
+#endif
+
 static void		child_process(entry *, user *);
 static int		safe_p(const char *, const char *);
 
@@ -265,6 +271,49 @@
 				_exit(OK_EXIT);
 			}
 # endif /*DEBUGGING*/
+#ifdef WITH_SELINUX
+			if (is_selinux_enabled()) {
+				char *seuser = NULL;
+				char *level = NULL;
+				char *current_context_str = NULL;
+				security_context_t scontext;
+				context_t current_context = NULL;
+
+				if (strcmp("system_u", u->name) != 0) {
+					if (getseuserbyname(u->name, &seuser, &level) < 0) {
+						fprintf(stderr, "getseuserbyname: Could not determine seuser for user %s\n", u->name);
+						_exit(ERROR_EXIT);
+					}
+				} else {
+					if (getcon(&current_context_str) < 0) {
+						fprintf(stderr, "getcon FAILED\n");
+						_exit(ERROR_EXIT);
+					}
+
+					current_context = context_new(current_context_str);
+					if (current_context == NULL) {
+						fprintf(stderr, "failed to create new context: %s\n", current_context_str);
+						freecon(current_context_str);
+						_exit(ERROR_EXIT);
+					}
+
+					seuser = context_user_get(current_context);
+				}
+
+				if (get_default_context_with_level(seuser, level, NULL, &scontext) < 0) {
+					fprintf(stderr, "get_default_context_with_level: could not get security context for user %s, seuser %s\n", u->name, seuser);
+					_exit(ERROR_EXIT);
+				}
+
+				if (setexeccon(scontext) < 0) {
+					fprintf(stderr, "setexeccon: Could not set exec context to %s for user %s\n", scontext, u->name);
+					_exit(ERROR_EXIT);
+				}
+				free(seuser);
+				free(level);
+				freecon(scontext);
+			}
+#endif
 			execle(shell, shell, "-c", e->cmd, (char *)0, e->envp);
 			fprintf(stderr, "execl: couldn't exec `%s'\n", shell);
 			perror("execl");