From 60f91a52139f1b3e47bd27c1ffca30befb2cf630 Mon Sep 17 00:00:00 2001
From: Michal Schmidt
Date: Mar 02 2009 10:21:00 +0000
Subject: - Fix a fd leak from iceccd + avoid using system(). - Allows tighter SELinux policy.
---
diff --git a/icecream-0.9.3-tighten-security.patch b/icecream-0.9.3-tighten-security.patch
new file mode 100644
index 0000000..233d51d
--- /dev/null
+++ b/icecream-0.9.3-tighten-security.patch
@@ -0,0 +1,118 @@
+commit 3cf2e4b4f1912d18772a0fa476d4671c25ca2ea4
+Author: coolo
+Date: Mon Mar 2 09:47:26 2009 +0000
+
+ more fixes from Michal Schmidt:
+ - don't leak file descriptor to create-env
+ - don't use the shell to call simple commands
+
+
+ git-svn-id: svn://anonsvn.kde.org/home/kde/trunk/icecream@934044 283d02a7-25f6-0310-bc7c-ecb5cbfe19da
+
+diff --git a/daemon/environment.cpp b/daemon/environment.cpp
+index fd38f8e..9dc2831 100644
+--- a/daemon/environment.cpp
++++ b/daemon/environment.cpp
+@@ -142,40 +142,48 @@ static void list_target_dirs( const string ¤t_target, const string &target
+ closedir( envdir );
+ }
+
+-bool cleanup_cache( const string &basedir )
++/* Returns true if the child exited with success */
++static bool exec_and_wait( const char *const argv[] )
+ {
+- flush_debug();
+ pid_t pid = fork();
+- if ( pid )
+- {
+- int status = 0;
++ if ( pid == -1 ) {
++ log_perror("fork");
++ return false;
++ }
++ if ( pid ) {
++ // parent
++ int status;
+ while ( waitpid( pid, &status, 0 ) < 0 && errno == EINTR )
+ ;
++ return WIFEXITED(status) && WEXITSTATUS(status) == 0;
++ }
++ // child
++ _exit(execv(argv[0], const_cast(argv)));
++}
+
+- if ( mkdir( basedir.c_str(), 0755 ) && errno != EEXIST ) {
+- if ( errno == EPERM )
+- log_error() << "permission denied on mkdir " << basedir << endl;
+- else
+- log_perror( "mkdir in cleanup_cache() failed" );
+- return false;
+- }
+- chown( basedir.c_str(), 0, 0 );
+- chmod( basedir.c_str(), 0755 );
++bool cleanup_cache( const string &basedir )
++{
++ flush_debug();
+
+- return WIFEXITED(status);
+- }
+- // else
+- char **argv;
+- argv = new char*[5];
+- argv[0] = strdup( "/bin/rm" );
+- argv[1] = strdup( "-rf" );
+- argv[2] = strdup( "--" );
+ // make sure it ends with '/' to not fall into symlink traps
+ string bdir = basedir + '/';
+- argv[3] = strdup( bdir.c_str() );
+- argv[4] = NULL;
++ const char *const argv[] = {
++ "/bin/rm", "-rf", "--", bdir.c_str(), NULL
++ };
+
+- _exit(execv(argv[0], argv));
++ bool ret = exec_and_wait( argv );
++
++ if ( mkdir( basedir.c_str(), 0755 ) && errno != EEXIST ) {
++ if ( errno == EPERM )
++ log_error() << "permission denied on mkdir " << basedir << endl;
++ else
++ log_perror( "mkdir in cleanup_cache() failed" );
++ return false;
++ }
++ chown( basedir.c_str(), 0, 0 );
++ chmod( basedir.c_str(), 0755 );
++
++ return ret;
+ }
+
+ Environments available_environmnents(const string &basedir)
+@@ -259,7 +267,10 @@ size_t setup_env_cache(const string &basedir, string &native_environment, uid_t
+ _exit(1);
+ }
+
+- if ( system( BINDIR "/icecc --build-native" ) ) {
++ const char *const argv[] = {
++ BINDIR "/icecc", "--build-native", NULL
++ };
++ if ( !exec_and_wait( argv ) ) {
+ log_error() << BINDIR "/icecc --build-native failed\n";
+ _exit(1);
+ }
+diff --git a/services/comm.cpp b/services/comm.cpp
+index 47e7304..5ffb790 100644
+--- a/services/comm.cpp
++++ b/services/comm.cpp
+@@ -987,6 +987,12 @@ open_send_broadcast (void)
+ return -1;
+ }
+
++ if (fcntl (ask_fd, F_SETFD, FD_CLOEXEC) < 0)
++ {
++ log_perror("open_send_broadcast fcntl");
++ close (ask_fd);
++ return -1;
++ }
+ int optval = 1;
+ if (setsockopt (ask_fd, SOL_SOCKET, SO_BROADCAST, &optval, sizeof(optval)) < 0)
+ {
diff --git a/icecream.spec b/icecream.spec
index 5a6a99a..3ee9827 100644
--- a/icecream.spec
+++ b/icecream.spec
@@ -11,7 +11,7 @@ Name: icecream
 Version: 0.9.3
-Release: 4%{?dist}
+Release: 5%{?dist}
 Summary: Distributed compiler
 Group: Development/Tools
@@ -30,6 +30,7 @@ Source8: %{name}-manpages.tar.bz2
 Patch0: %{name}-rename-scheduler.patch
 Patch1: %{name}-cleanup-conffile.patch
 Patch2: %{name}-0.9.3-fix-gcc44-ftbfs.patch
+Patch3: %{name}-0.9.3-tighten-security.patch
 BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)
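Review bot: `exec_and_wait` reads `status` after the `waitpid` loop without checking that `waitpid` succeeded, and the rewrite dropped the old `int status = 0;` initializer, so any failure other than EINTR (ECHILD, for instance, should the daemon ever ignore SIGCHLD) feeds an uninitialized `status` to `WIFEXITED`. Capture the result and bail out instead: `pid_t w; while ( ( w = waitpid( pid, &status, 0 ) ) < 0 && errno == EINTR ) ;` followed by `if ( w < 0 ) { log_perror( "waitpid" ); return false; }`. In the child, `_exit(execv(...))` turns an exec failure into exit status 255 with no diagnostic; `log_perror( argv[0] ); _exit( 127 );` after the `execv` call would make a missing or non-executable `/bin/rm` or `icecc` visible in the log while still reporting failure to the parent. The `FD_CLOEXEC` added in comm.cpp covers only `ask_fd`; whether the daemon's other descriptors are protected the same way is not visible here, so the remaining `socket()`/`open()` sites deserve the same treatment in a follow-up. `setup_env_cache` starts outside the hunk; its surrounding `_exit(1)` calls suggest the new `exec_and_wait` call already runs inside a forked child.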
@@ -78,6 +79,7 @@ This package contains development files for %{name}.
 %patch0 -p1
 %patch1 -p0
 %patch2 -p1
+%patch3 -p1
 sed -e 's|@LIBDIR@|%{_libdir}|g' %{SOURCE1} > icecream.sh
 sed -e 's|@LIBDIR@|%{_libdir}|g' %{SOURCE2} > icecream.csh
 mkdir SELinux
@@ -235,6 +237,10 @@ rm -rf %{buildroot}
 %{_libdir}/pkgconfig/icecc.pc
 %changelog
+* Mon Mar 02 2009 Michal Schmidt - 0.9.3-5
+- Fix a fd leak from iceccd + avoid using system().
+- Allows tighter SELinux policy.
+
 * Tue Feb 24 2009 Fedora Release Engineering - 0.9.3-4 - Rebuilt for https://fedoraproject.org/wiki/Fedora_11_Mass_Rebuild
diff --git a/icecream.te b/icecream.te
index 310f337..06227a6 100644
--- a/icecream.te
+++ b/icecream.te
@@ -1,5 +1,5 @@
-policy_module(icecream,0.0.42)
+policy_module(icecream,0.0.43)
 ########################################
 #
@@ -146,15 +146,8 @@ optional_policy(`
 nscd_socket_use(iceccd_createenv_t)
 ')
-# Some rules that can probably go away when iceccd is fixed properly:
-#
-# XXX: icecc-create-env does not really need to talk to the open UDP socket
-# leaked from its parent.
-dontaudit iceccd_createenv_t iceccd_t:udp_socket { read write };
-# XXX: iceccd could be modified to avoid the shell completely
-corecmd_exec_shell(iceccd_t)
-# XXX: fix iceccd to only nuke the contents of /var/cache/icecream,
-# not the directory itself.
+# XXX: This could be avoided if iceccd only nuked the contents of
+# /var/cache/icecream, not the directory itself.
 files_var_filetrans(iceccd_t, iceccd_cache_t, dir)