We still have a problem on MLS machines, in that newrole can be used to pass data via pseudo terminals.

script
newrole -l SystemHigh
cat TopSecret.doc
^d
^d
cat typescript

I propose we add this patch to newrole to check if we are on a pseudo terminal and then fail if user is using -l.

Basically, this patch checks whether the major device number of stdin, stdout, or stderr falls in the pseudo-terminal range. If it does, we are on a pseudo terminal and newrole fails; if not, it continues. Not pretty, but it solves the problem. I could not figure out another way to check whether you are on a pseudo terminal.
Comments?


diff --exclude-from=exclude --exclude POTFILES.in --exclude='*.po' --exclude='*.pot' -N -u -r nsapolicycoreutils/newrole/newrole.c policycoreutils-1.33.7/newrole/newrole.c
--- nsapolicycoreutils/newrole/newrole.c 2006-11-29 17:11:18.000000000 -0500
+++ policycoreutils-1.33.7/newrole/newrole.c 2007-01-04 16:24:47.000000000 -0500
@@ -67,6 +67,7 @@
#include <selinux/get_context_list.h>  /* for SELINUX_DEFAULTUSER */
#include <signal.h>
#include <unistd.h>            /* for getuid(), exit(), getopt() */
+#include <sys/stat.h>
#ifdef USE_AUDIT
#include <libaudit.h>
#endif
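Review bot: The `major()` macro used by the new check_isapty is not declared by `<sys/stat.h>`; on glibc it lives in `<sys/sysmacros.h>`, which only older releases pull in through `<sys/types.h>`. Adding `#include <sys/sysmacros.h>` next to this line keeps the build from depending on that indirect include. The neighbouring includes carry a purpose comment, so the new one could read `#include <sys/stat.h>            /* for fstat() */`.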
@@ -93,6 +94,19 @@

extern char **environ;

+static int check_isapty(int fd) {
+       struct stat buf;
+       if ((isatty(fd)) && (fstat(fd, &buf) == 0)) {
+               int dev=major(buf.st_rdev);
+               if (dev >  135 && dev < 144) {
+                       return 1;
+               } else {
+                       return 0;
+               }
+       }
+       return 0;
+}
+
 /**
 * Construct from the current range and specified desired level a resulting
* range. If the specified level is a range, return that. If it is not, then
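Review bot: check_isapty fails open, because it returns 0 when `fstat()` fails on a descriptor that `isatty()` has already accepted, so a terminal that cannot be classified is treated as safe. For a check that guards MLS level changes, refusing in that case is the conservative choice. The bounds 135 and 144 are also unexplained magic numbers that match only the Linux Unix98 pty slave majors (136-143); legacy BSD-style pty slaves (major 3 on Linux) are not matched, which should at least be stated in a comment. The function has no header comment describing its return values, and the inner if/else can collapse to a single return, as sketched below.

```c
/* Linux major numbers of Unix98 pty slaves; legacy BSD ptys are not covered. */
#define UNIX98_PTY_MAJOR_MIN 136
#define UNIX98_PTY_MAJOR_MAX 143

/* Return 1 if fd must be treated as a pseudo terminal, 0 otherwise. */
static int check_isapty(int fd) {
       struct stat buf;
       unsigned int dev;

       if (!isatty(fd))
               return 0;
       if (fstat(fd, &buf) != 0)
               return 1;       /* cannot classify the tty: refuse */
       dev = major(buf.st_rdev);
       return dev >= UNIX98_PTY_MAJOR_MIN && dev <= UNIX98_PTY_MAJOR_MAX;
}
```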
@@ -733,6 +747,7 @@
                                       security_context_t *new_context,
                                       int *preserve_environment)
{
+       int i;                  /* index for open file descriptors */
       int flag_index;         /* flag index in argv[] */
       int clflag;             /* holds codes for command line flags */
       char *role_s = NULL;    /* role spec'd by user in argv[] */
@@ -793,6 +808,13 @@
                                       "specified\n"));
                               return -1;
                       }
+                       for (i=0; i < 3; i++) {
+                               if (check_isapty(i)) {
+ fprintf(stderr, "Error: you are not allowed to change levels on pseudo terminals\n");
+                                       return -1;
+                               }
+                       }
+
                       level_s = optarg;
                       break;
               default:
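Review bot: The new refusal message is passed to `fprintf` as a bare string, while the error just above it in this `case` appears to be wrapped in the `_()` translation macro (the hunk shows only its closing `"specified\n"));`). Wrapping it as `fprintf(stderr, _("Error: you are not allowed to change levels on pseudo terminals\n"));` and indenting it with the rest of the loop body would keep it consistent. The loop bound `3` would read more clearly as `i <= STDERR_FILENO`, with a comment saying that only stdin, stdout and stderr are checked. Because the file optionally builds with libaudit, it may also be worth recording this denial in the audit log, not only on stderr. That depends on helpers outside this hunk, as the enclosing function starts and ends outside it.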
