From 7934e6fdcaea0ae6c5dfbe2759600c51ee497f25 Mon Sep 17 00:00:00 2001
From: Michal Schmidt
Date: Apr 05 2009 23:00:36 +0000
Subject: - Fix wrong permissions on the cache dir preventing the jobs from being distributed. - SELinux policy update based on review comments on refpolicy ML.
---
diff --git a/icecream-0.9.3-fix-perms-of-cache.patch b/icecream-0.9.3-fix-perms-of-cache.patch
new file mode 100644
index 0000000..32650c9
--- /dev/null
+++ b/icecream-0.9.3-fix-perms-of-cache.patch
@@ -0,0 +1,124 @@
+Patch sent upstream (to Stephan Kulow) on 2009-04-06. -- Michal
+
+commit e5dcc8beda99ffb4cb19b8eef024dbc22b010d54
+Author: Michal Schmidt
+Date: Sun Apr 5 23:32:32 2009 +0200
+
+ fix permissions in the cache dir
+
+ The way icecream changes permissions of /var/cache/icecream is buggy.
+ When the daemon initializes, it creates the directory owned by root:root
+ and readable for everyone. As soon as it installs a foreign environment,
+ it changes the owner to root:icecream and removes access for everyone
+ else. This causes trouble for locally run icecc which wants read access
+ to /var/cache/icecream/native. As a result, local compile jobs can no
+ longer determine the native environment and fail to get distributed to
+ other nodes.
+
+ This patch assigns the owners and permissions like this:
+ 0755 root:root /var/cache/icecream/
+ 0775 root:icecream /var/cache/icecream/native/
+ 0770 root:icecream /var/cache/icecream/target=/
+ 0770 root:icecream /var/cache/icecream/target=//
+
+ It also sets the umask in the initialization of the daemon so that we
+ can depend on it being sane and we no longer need some of the chmods.
+
+ The access() check in start_install_environment() can be dropped,
+ because if we don't have access, we'll soon find out anyway.
+
+diff --git a/daemon/environment.cpp b/daemon/environment.cpp
+index 9dc2831..979da91 100644
+--- a/daemon/environment.cpp
++++ b/daemon/environment.cpp
+@@ -180,8 +180,6 @@ bool cleanup_cache( const string &basedir )
+ log_perror( "mkdir in cleanup_cache() failed" );
+ return false;
+ }
+- chown( basedir.c_str(), 0, 0 );
+- chmod( basedir.c_str(), 0755 );
+
+ return ret;
+ }
+@@ -219,14 +217,14 @@ size_t setup_env_cache(const string &basedir, string &native_environment, uid_t
+ if ( ::access( "/usr/bin/gcc", X_OK ) || ::access( "/usr/bin/g++", X_OK ) )
+ return 0;
+
+- if ( mkdir( nativedir.c_str(), 0755 ) )
++ if ( mkdir( nativedir.c_str(), 0775 ) )
+ return 0;
+
+- if ( chown( nativedir.c_str(), nobody_uid, nobody_gid) ) {
++ if ( chown( nativedir.c_str(), 0, nobody_gid ) ||
++ chmod( nativedir.c_str(), 0775 ) ) {
+ rmdir( nativedir.c_str() );
+ return 0;
+ }
+- chmod( nativedir.c_str(), 0755 );
+
+ flush_debug();
+ pid_t pid = fork();
+@@ -251,7 +249,6 @@ size_t setup_env_cache(const string &basedir, string &native_environment, uid_t
+ }
+ }
+ // else
+- umask(022);
+
+ if ( setgid( nobody_gid ) < 0) {
+ log_perror("setgid failed");
+@@ -313,30 +310,28 @@ pid_t start_install_environment( const std::string &basename, const std::string
+ compression = BZip2;
+ }
+
+- if( ::access( basename.c_str(), W_OK ) ) {
+- log_error() << "access for basename " << basename.c_str() << " gives " << strerror(errno) << endl;
+- return 0;
+- }
+-
+- chown( basename.c_str(), 0, nobody_gid );
+- chmod( basename.c_str(), 0770 );
+-
+- if ( mkdir( dirname.c_str(), 0755 ) && errno != EEXIST ) {
++ if ( mkdir( dirname.c_str(), 0770 ) && errno != EEXIST ) {
+ log_perror( "mkdir target" );
+ return 0;
+ }
+
+- chown( dirname.c_str(), 0, nobody_gid );
+- chmod( dirname.c_str(), 0770 );
++ if ( chown( dirname.c_str(), 0, nobody_gid ) ||
++ chmod( dirname.c_str(), 0770 ) ) {
++ log_perror( "chown,chmod target" );
++ return 0;
++ }
+
+ dirname = dirname + "/" + name;
+- if ( mkdir( dirname.c_str(), 0700 ) ) {
++ if ( mkdir( dirname.c_str(), 0770 ) ) {
+ log_perror( "mkdir name" );
+ return 0;
+ }
+
+- chown( dirname.c_str(), 0, nobody_gid );
+- chmod( dirname.c_str(), 0770 );
++ if ( chown( dirname.c_str(), 0, nobody_gid ) ||
++ chmod( dirname.c_str(), 0770 ) ) {
++ log_perror( "chown,chmod name" );
++ return 0;
++ }
+
+ int fds[2];
+ if ( pipe( fds ) )
+diff --git a/daemon/main.cpp b/daemon/main.cpp
+index 17fc761..7a6498f 100644
+--- a/daemon/main.cpp
++++ b/daemon/main.cpp
+@@ -1598,6 +1598,8 @@ int main( int argc, char ** argv )
+ }
+ }
+
++ umask(022);
++
+ if ( !logfile.length() && detach)
+ logfile = "/var/log/iceccd";
+
diff --git a/icecream.spec b/icecream.spec
index 3ee9827..fd34010 100644
--- a/icecream.spec
+++ b/icecream.spec
@@ -11,7 +11,7 @@
 Name: icecream
 Version: 0.9.3
-Release: 5%{?dist}
+Release: 6%{?dist}
 Summary: Distributed compiler
 Group: Development/Tools
@@ -31,6 +31,7 @@ Patch0: %{name}-rename-scheduler.patch
 Patch1: %{name}-cleanup-conffile.patch
 Patch2: %{name}-0.9.3-fix-gcc44-ftbfs.patch
 Patch3: %{name}-0.9.3-tighten-security.patch
+Patch4: %{name}-0.9.3-fix-perms-of-cache.patch
 BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)
@@ -80,6 +81,7 @@ This package contains development files for %{name}.
 %patch1 -p0
 %patch2 -p1
 %patch3 -p1
+%patch4 -p1
 sed -e 's|@LIBDIR@|%{_libdir}|g' %{SOURCE1} > icecream.sh
 sed -e 's|@LIBDIR@|%{_libdir}|g' %{SOURCE2} > icecream.csh
 mkdir SELinux
@@ -237,6 +239,11 @@ rm -rf %{buildroot}
 %{_libdir}/pkgconfig/icecc.pc
 %changelog
+* Mon Apr 06 2009 Michal Schmidt - 0.9.3-6
+- Fix wrong permissions on the cache dir preventing the jobs from being
+ distributed.
+- SELinux policy update based on review comments on refpolicy ML.
+
 * Mon Mar 02 2009 Michal Schmidt - 0.9.3-5
 - Fix a fd leak from iceccd + avoid using system().
 - Allows tighter SELinux policy.
diff --git a/icecream.te b/icecream.te
index 06227a6..b16b880 100644
--- a/icecream.te
+++ b/icecream.te
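Review bot: In start_install_environment(), `if ( mkdir( dirname.c_str(), 0770 ) && errno != EEXIST )` lets an already-existing `dirname` through, and the new `chown( dirname.c_str(), 0, nobody_gid ) || chmod( dirname.c_str(), 0770 )` is then applied to whatever is there — both calls follow symlinks and neither confirms it is a directory. Per the commit message the parent is root-owned 0755, so only root could plant something there and the practical risk is low, but an `lstat()` + `S_ISDIR` check before the chown/chmod (or fchown/fchmod on an opened directory fd) would make the EEXIST path explicit; the second mkdir (`"mkdir name"`) correctly does not tolerate EEXIST. Each chmod that repeats the mode just passed to mkdir also deserves a why-comment, e.g. `// umask(022) set in main() strips g+w from mkdir's mode; restore it explicitly`, since without it a reader will see the chmod as redundant. All three functions touched here continue outside the quoted hunks.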
@@ -1,12 +1,11 @@
-policy_module(icecream,0.0.43)
+policy_module(icecream,0.1.3)
 ########################################
 #
-# Declarations
+# iceccd declarations
 #
-# the compiler node daemon
 type iceccd_t;
 type iceccd_exec_t;
 init_daemon_domain(iceccd_t, iceccd_exec_t)
@@ -20,29 +19,39 @@ files_tmp_file(iceccd_tmp_t)
 type iceccd_var_run_t;
 files_pid_file(iceccd_var_run_t)
-# the working area
 type iceccd_cache_t;
 files_type(iceccd_cache_t)
-# icecc-create-env script makes a tarball of the local compiler and its
-# dependencies for other nodes to use
+########################################
+#
+# iceccd_createenv declarations
+#
+
 type iceccd_createenv_t;
 type iceccd_createenv_exec_t;
-domain_type(iceccd_createenv_t)
-domain_entry_file(iceccd_createenv_t, iceccd_createenv_exec_t)
+application_domain(iceccd_createenv_t, iceccd_createenv_exec_t)
 role system_r types iceccd_createenv_t;
-# foreign compilers
-type iceccd_untrusted_t;
-domain_type(iceccd_untrusted_t);
-domain_entry_file(iceccd_untrusted_t, iceccd_cache_t)
-role system_r types iceccd_untrusted_t;
+########################################
+#
+# icecc_scheduler declarations
+#
-# the scheduler
 type icecc_scheduler_t;
 type icecc_scheduler_exec_t;
 init_daemon_domain(icecc_scheduler_t, icecc_scheduler_exec_t)
+########################################
+#
+# iceccd_untrusted declarations
+#
+
+type iceccd_untrusted_t;
+domain_type(iceccd_untrusted_t);
+domain_entry_file(iceccd_untrusted_t, iceccd_cache_t)
+role system_r types iceccd_untrusted_t;
+
+# port declarations. for separate module only.
 type iceccd_port_t;
 type icecc_scheduler_port_t;
 corenet_port(iceccd_port_t);
@@ -50,31 +59,39 @@ corenet_port(icecc_scheduler_port_t);
 ########################################
 #
-# Icecream policy
+# iceccd policy
 #
-allow iceccd_t self:process { signal_perms setsched setrlimit };
+allow iceccd_t self:capability { chown dac_override fowner fsetid kill
+ setgid setuid sys_chroot };
+allow iceccd_t self:fifo_file rw_fifo_file_perms;
 allow iceccd_t self:netlink_route_socket r_netlink_socket_perms;
+allow iceccd_t self:process { signal_perms setsched setrlimit };
 allow iceccd_t self:tcp_socket create_stream_socket_perms;
 allow iceccd_t self:udp_socket create_socket_perms;
-allow iceccd_t self:fifo_file rw_fifo_file_perms;
-allow iceccd_t self:capability { chown dac_override fowner fsetid kill setgid setuid sys_chroot };
-allow iceccd_t iceccd_untrusted_t:process { siginh rlimitinh noatsecure signal };
-files_read_etc_files(iceccd_t)
-libs_use_ld_so(iceccd_t)
-libs_use_shared_libs(iceccd_t)
-miscfiles_read_localization(iceccd_t)
+dontaudit iceccd_t iceccd_untrusted_t:process { siginh rlimitinh
+ noatsecure };
-fs_getattr_all_fs(iceccd_t)
-kernel_read_system_state(iceccd_t)
-sysnet_read_config(iceccd_t)
+allow iceccd_t iceccd_untrusted_t:process signal;
-corecmd_exec_bin(iceccd_t)
-corecmd_read_bin_symlinks(iceccd_t)
+domtrans_pattern(iceccd_t, iceccd_createenv_exec_t, iceccd_createenv_t)
+domtrans_pattern(iceccd_t, iceccd_cache_t, iceccd_untrusted_t)
+
+manage_files_pattern(iceccd_t, iceccd_log_t, iceccd_log_t)
+logging_log_filetrans(iceccd_t, iceccd_log_t, file)
+
+manage_files_pattern(iceccd_t, iceccd_var_run_t, iceccd_var_run_t)
+files_pid_filetrans(iceccd_t, iceccd_var_run_t, file)
+
+manage_dirs_pattern(iceccd_t, iceccd_cache_t, iceccd_cache_t)
+manage_files_pattern(iceccd_t, iceccd_cache_t, iceccd_cache_t)
+files_var_filetrans(iceccd_t, iceccd_cache_t, { dir file })
-files_getattr_tmp_dirs(iceccd_t)
 files_search_tmp(iceccd_t)
+manage_dirs_pattern(iceccd_t, iceccd_tmp_t, iceccd_tmp_t)
+manage_files_pattern(iceccd_t, iceccd_tmp_t, iceccd_tmp_t)
+files_tmp_filetrans(iceccd_t, iceccd_tmp_t, { dir file })
 corenet_all_recvfrom_unlabeled(iceccd_t)
 corenet_all_recvfrom_netlabel(iceccd_t)
@@ -88,77 +105,89 @@ corenet_tcp_bind_generic_node(iceccd_t)
 allow iceccd_t iceccd_port_t:tcp_socket { name_bind };
 allow iceccd_t icecc_scheduler_port_t:tcp_socket { name_connect };
-domtrans_pattern(iceccd_t, iceccd_createenv_exec_t, iceccd_createenv_t)
-domtrans_pattern(iceccd_t, iceccd_cache_t, iceccd_untrusted_t)
+corecmd_exec_bin(iceccd_t)
+corecmd_read_bin_symlinks(iceccd_t)
-manage_files_pattern(iceccd_t, iceccd_log_t, iceccd_log_t)
-logging_log_filetrans(iceccd_t, iceccd_log_t, file)
+#files_getattr_tmp_dirs(iceccd_t)
+files_read_etc_files(iceccd_t)
-manage_files_pattern(iceccd_t, iceccd_var_run_t, iceccd_var_run_t)
-files_pid_filetrans(iceccd_t, iceccd_var_run_t, file)
+fs_getattr_all_fs(iceccd_t)
-manage_dirs_pattern(iceccd_t, iceccd_cache_t, iceccd_cache_t)
-manage_files_pattern(iceccd_t, iceccd_cache_t, iceccd_cache_t)
+kernel_read_system_state(iceccd_t)
-manage_dirs_pattern(iceccd_t, iceccd_tmp_t, iceccd_tmp_t)
-manage_files_pattern(iceccd_t, iceccd_tmp_t, iceccd_tmp_t)
-files_tmp_filetrans(iceccd_t, iceccd_tmp_t, file)
+sysnet_read_config(iceccd_t)
+libs_use_ld_so(iceccd_t)
+libs_use_shared_libs(iceccd_t)
+
+miscfiles_read_localization(iceccd_t)
+
+########################################
+#
+# iceccd_createenv policy
+#
-allow iceccd_createenv_t iceccd_log_t:file { append };
 allow iceccd_createenv_t self:fifo_file rw_fifo_file_perms;
-# icecc-create-env looks for executable files to strip them. It does not
-# really execute them, but the -x check would trigger a denial. Do not allow
-# this, typically the binaries are already stripped anyway. Just silence it.
-dontaudit iceccd_createenv_t iceccd_tmp_t:file { execute };
-allow iceccd_untrusted_t self:fifo_file rw_fifo_file_perms;
-allow iceccd_untrusted_t self:process signal_perms;
-allow iceccd_untrusted_t iceccd_t:unix_stream_socket rw_sock_file_perms;
-manage_files_pattern(iceccd_untrusted_t, iceccd_cache_t, iceccd_cache_t)
-allow iceccd_untrusted_t iceccd_cache_t:file { execute_no_trans };
+dontaudit iceccd_createenv_t iceccd_tmp_t:file { execute };
-files_read_etc_files(iceccd_createenv_t)
-libs_use_ld_so(iceccd_createenv_t)
-libs_use_shared_libs(iceccd_createenv_t)
-miscfiles_read_localization(iceccd_createenv_t)
+allow iceccd_createenv_t iceccd_log_t:file { append };
 manage_dirs_pattern(iceccd_createenv_t, iceccd_cache_t, iceccd_cache_t)
 manage_files_pattern(iceccd_createenv_t, iceccd_cache_t, iceccd_cache_t)
+# no files_var_filetrans, createenv does not create the cache dir itself
+
+manage_dirs_pattern(iceccd_createenv_t, iceccd_tmp_t, iceccd_tmp_t)
+manage_files_pattern(iceccd_createenv_t, iceccd_tmp_t, iceccd_tmp_t)
+files_tmp_filetrans(iceccd_createenv_t, iceccd_tmp_t, { dir file })
-files_read_usr_files(iceccd_createenv_t)
-libs_exec_ld_so(iceccd_createenv_t)
-libs_exec_lib_files(iceccd_createenv_t)
-libs_domtrans_ldconfig(iceccd_createenv_t)
 corecmd_exec_bin(iceccd_createenv_t)
 corecmd_exec_shell(iceccd_createenv_t)
+
 dev_read_urand(iceccd_createenv_t)
+
+files_read_etc_files(iceccd_createenv_t)
+files_read_usr_files(iceccd_createenv_t)
+
 kernel_read_system_state(iceccd_createenv_t)
-# silence file(1) looking for /root/.magic
-userdom_dontaudit_search_admin_dir(iceccd_createenv_t)
-manage_dirs_pattern(iceccd_createenv_t, iceccd_tmp_t, iceccd_tmp_t)
-manage_files_pattern(iceccd_createenv_t, iceccd_tmp_t, iceccd_tmp_t)
-files_tmp_filetrans(iceccd_createenv_t, iceccd_tmp_t, file)
-files_tmp_filetrans(iceccd_createenv_t, iceccd_tmp_t, dir)
+libs_exec_ld_so(iceccd_createenv_t)
+libs_exec_lib_files(iceccd_createenv_t)
+
+libs_domtrans_ldconfig(iceccd_createenv_t)
+
+libs_use_ld_so(iceccd_createenv_t)
+libs_use_shared_libs(iceccd_createenv_t)
+
+miscfiles_read_localization(iceccd_createenv_t)
+
+userdom_dontaudit_search_user_home_dirs(iceccd_createenv_t)
 optional_policy(`
 nscd_socket_use(iceccd_createenv_t)
 ')
-# XXX: This could be avoided if iceccd only nuked the contents of
-# /var/cache/icecream, not the directory itself.
-files_var_filetrans(iceccd_t, iceccd_cache_t, dir)
+########################################
+#
+# iceccd_untrusted policy
+#
+
+allow iceccd_untrusted_t self:fifo_file rw_fifo_file_perms;
+allow iceccd_untrusted_t self:process signal_perms;
+allow iceccd_untrusted_t iceccd_t:unix_stream_socket rw_stream_socket_perms;
+
+manage_files_pattern(iceccd_untrusted_t, iceccd_cache_t, iceccd_cache_t)
+
+can_exec(iceccd_untrusted_t, iceccd_cache_t)
+########################################
+#
+# icecc_scheduler policy
+#
 allow icecc_scheduler_t self:tcp_socket create_stream_socket_perms;
 allow icecc_scheduler_t self:udp_socket create_socket_perms;
-files_read_etc_files(icecc_scheduler_t)
-libs_use_ld_so(icecc_scheduler_t)
-libs_use_shared_libs(icecc_scheduler_t)
-miscfiles_read_localization(icecc_scheduler_t)
-
 corenet_all_recvfrom_unlabeled(icecc_scheduler_t)
 corenet_all_recvfrom_netlabel(icecc_scheduler_t)
 corenet_tcp_sendrecv_generic_if(icecc_scheduler_t)
@@ -171,3 +200,10 @@ corenet_tcp_bind_generic_node(icecc_scheduler_t)
 corenet_udp_bind_generic_node(icecc_scheduler_t)
 allow icecc_scheduler_t icecc_scheduler_port_t:tcp_socket { name_bind };
 allow icecc_scheduler_t icecc_scheduler_port_t:udp_socket { name_bind };
+
+files_read_etc_files(icecc_scheduler_t)
+
+libs_use_ld_so(icecc_scheduler_t)
+libs_use_shared_libs(icecc_scheduler_t)
+
+miscfiles_read_localization(icecc_scheduler_t)
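Review bot: The moved `domain_type(iceccd_untrusted_t);` line, like the `corenet_port(iceccd_port_t);` context line below it, ends an interface call with a semicolon; refpolicy interface calls are written without one, and the stray `;` survives m4 expansion as an empty statement that the policy compiler may not accept and that is in any case inconsistent with the other calls in the same hunk. Writing them as `domain_type(iceccd_untrusted_t)` and `corenet_port(iceccd_port_t)` keeps the declarations uniform. The new comment `# port declarations. for separate module only.` reads as a note-to-self; it should say what "separate module" refers to, e.g. whether these port types are intended to move out of this module once they exist in the base policy, so that a later reader knows whether to keep them here.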
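Review bot: `dontaudit iceccd_t iceccd_untrusted_t:process { siginh rlimitinh noatsecure };` replaces the previous allow, so on the transition into iceccd_untrusted_t the kernel now denies rlimitinh and resets the child's soft resource limits to init's defaults (capped by the hard limits) instead of inheriting what iceccd set; iceccd_t keeps `setrlimit` in its own process permissions a few lines above, which suggests it does set limits. If iceccd relies on setrlimit() to bound the untrusted compiler's memory or CPU, that bound is lost silently, because the denial is dontaudit'ed rather than logged. Either keep `allow iceccd_t iceccd_untrusted_t:process rlimitinh;` next to the new `allow ... signal;` line, or add a comment stating that dropping the limits on transition is intended. Denying siginh and noatsecure is the safer default for an untrusted domain and should stay as written.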
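Review bot: The switch from `userdom_dontaudit_search_admin_dir` to `userdom_dontaudit_search_user_home_dirs(iceccd_createenv_t)` dropped the why-comment that justified the rule (`# silence file(1) looking for /root/.magic`); restore it, reworded for what the new interface covers, so the next reader does not remove the dontaudit as unneeded. Earlier in the same hunk `#files_getattr_tmp_dirs(iceccd_t)` is commented-out code with no explanation; either delete it or replace it with a comment saying why it is disabled. In the new iceccd_untrusted section, `manage_files_pattern(iceccd_untrusted_t, iceccd_cache_t, iceccd_cache_t)` together with `can_exec(iceccd_untrusted_t, iceccd_cache_t)` means a foreign compiler can rewrite and then execute any file of the shared cache type, including other targets' environments and the native one; a one-line comment acknowledging that the type is shared across environments, or a separate type for the untrusted work area, would make that trade-off visible to whoever tightens the policy next.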