void
selinux_execve(const char *path, char *const argv[], char *const envp[],
int noexec)
{
char **nargv;
const char *sesh;
int argc, serrno;
debug_decl(selinux_execve, SUDO_DEBUG_SELINUX)
sesh = sudo_conf_sesh_path();
if (sesh == NULL) {
sudo_warnx("internal error: sesh path not set");
errno = EINVAL;
debug_return;
}
if (setexeccon(se_state.new_context)) {
sudo_warn(U_("unable to set exec context to %s"), se_state.new_context);
if (se_state.enforcing)
debug_return;
}
#ifdef HAVE_SETKEYCREATECON
if (setkeycreatecon(se_state.new_context)) {
sudo_warn(U_("unable to set key creation context to %s"), se_state.new_context);
if (se_state.enforcing)
debug_return;
}
#endif /* HAVE_SETKEYCREATECON */
/*
* Build new argv with sesh as argv[0].
* If argv[0] ends in -noexec, sesh will disable execute
* for the command it runs.
*/
for (argc = 0; argv[argc] != NULL; argc++)
continue;
nargv = sudo_emallocarray(argc + 2, sizeof(char *));
if (noexec)
nargv[0] = *argv[0] == '-' ? "-sesh-noexec" : "sesh-noexec";
else
nargv[0] = *argv[0] == '-' ? "-sesh" : "sesh";
nargv[1] = (char *)path;
memcpy(&nargv[2], &argv[1], argc * sizeof(char *)); /* copies NULL */
/* sesh will handle noexec for us. */
sudo_execve(sesh, nargv, envp, false);
serrno = errno;
free(nargv);
errno = serrno;
debug_return;
}
static JSBool
rpmsx_setprop(JSContext *cx, JSObject *obj, jsid id, JSBool strict, jsval *vp)
{
#if defined(WITH_SELINUX)
void * ptr = JS_GetInstancePrivate(cx, obj, &rpmsxClass, NULL);
jsint tiny = JSVAL_TO_INT(id);
security_context_t con = NULL;
int myint = 0xdeadbeef;
JSBool ok = JS_TRUE;
/* XXX the class has ptr == NULL, instances have ptr != NULL. */
if (ptr == NULL)
return JS_TRUE;
if (JSVAL_IS_STRING(*vp))
con = (security_context_t) JS_EncodeString(cx, JS_ValueToString(cx, *vp));
if (JSVAL_IS_INT(*vp))
myint = JSVAL_TO_INT(*vp);
switch (tiny) {
case _DEBUG:
if (!JS_ValueToInt32(cx, *vp, &_debug))
break;
break;
case _CURRENT: ok = _PUT_CON(setcon(con)); break;
case _EXEC: ok = _PUT_CON(setexeccon(con)); break;
case _FSCREATE: ok = _PUT_CON(setfscreatecon(con)); break;
case _KEYCREATE: ok = _PUT_CON(setkeycreatecon(con)); break;
case _SOCKCREATE: ok = _PUT_CON(setsockcreatecon(con)); break;
case _ENFORCE: ok = _PUT_INT(security_setenforce(myint)); break;
default:
break;
}
con = _free(con);
#endif
return JS_TRUE;
}
void
selinux_execve(const char *path, char *argv[], char *envp[])
{
if (setexeccon(se_state.new_context)) {
warning("unable to set exec context to %s", se_state.new_context);
if (se_state.enforcing)
return;
}
#ifdef HAVE_SETKEYCREATECON
if (setkeycreatecon(se_state.new_context)) {
warning("unable to set key creation context to %s", se_state.new_context);
if (se_state.enforcing)
return;
}
#endif /* HAVE_SETKEYCREATECON */
/* We use the "spare" slot in argv to store sesh. */
--argv;
argv[0] = *argv[1] == '-' ? "-sesh" : "sesh";
argv[1] = (char *)path;
execve(_PATH_SUDO_SESH, argv, envp);
}
