void selinux_execve(const char *path, char *const argv[], char *const envp[], int noexec) { char **nargv; const char *sesh; int argc, serrno; debug_decl(selinux_execve, SUDO_DEBUG_SELINUX) sesh = sudo_conf_sesh_path(); if (sesh == NULL) { sudo_warnx("internal error: sesh path not set"); errno = EINVAL; debug_return; } if (setexeccon(se_state.new_context)) { sudo_warn(U_("unable to set exec context to %s"), se_state.new_context); if (se_state.enforcing) debug_return; } #ifdef HAVE_SETKEYCREATECON if (setkeycreatecon(se_state.new_context)) { sudo_warn(U_("unable to set key creation context to %s"), se_state.new_context); if (se_state.enforcing) debug_return; } #endif /* HAVE_SETKEYCREATECON */ /* * Build new argv with sesh as argv[0]. * If argv[0] ends in -noexec, sesh will disable execute * for the command it runs. */ for (argc = 0; argv[argc] != NULL; argc++) continue; nargv = sudo_emallocarray(argc + 2, sizeof(char *)); if (noexec) nargv[0] = *argv[0] == '-' ? "-sesh-noexec" : "sesh-noexec"; else nargv[0] = *argv[0] == '-' ? "-sesh" : "sesh"; nargv[1] = (char *)path; memcpy(&nargv[2], &argv[1], argc * sizeof(char *)); /* copies NULL */ /* sesh will handle noexec for us. */ sudo_execve(sesh, nargv, envp, false); serrno = errno; free(nargv); errno = serrno; debug_return; }
static JSBool rpmsx_setprop(JSContext *cx, JSObject *obj, jsid id, JSBool strict, jsval *vp) { #if defined(WITH_SELINUX) void * ptr = JS_GetInstancePrivate(cx, obj, &rpmsxClass, NULL); jsint tiny = JSVAL_TO_INT(id); security_context_t con = NULL; int myint = 0xdeadbeef; JSBool ok = JS_TRUE; /* XXX the class has ptr == NULL, instances have ptr != NULL. */ if (ptr == NULL) return JS_TRUE; if (JSVAL_IS_STRING(*vp)) con = (security_context_t) JS_EncodeString(cx, JS_ValueToString(cx, *vp)); if (JSVAL_IS_INT(*vp)) myint = JSVAL_TO_INT(*vp); switch (tiny) { case _DEBUG: if (!JS_ValueToInt32(cx, *vp, &_debug)) break; break; case _CURRENT: ok = _PUT_CON(setcon(con)); break; case _EXEC: ok = _PUT_CON(setexeccon(con)); break; case _FSCREATE: ok = _PUT_CON(setfscreatecon(con)); break; case _KEYCREATE: ok = _PUT_CON(setkeycreatecon(con)); break; case _SOCKCREATE: ok = _PUT_CON(setsockcreatecon(con)); break; case _ENFORCE: ok = _PUT_INT(security_setenforce(myint)); break; default: break; } con = _free(con); #endif return JS_TRUE; }
void selinux_execve(const char *path, char *argv[], char *envp[]) { if (setexeccon(se_state.new_context)) { warning("unable to set exec context to %s", se_state.new_context); if (se_state.enforcing) return; } #ifdef HAVE_SETKEYCREATECON if (setkeycreatecon(se_state.new_context)) { warning("unable to set key creation context to %s", se_state.new_context); if (se_state.enforcing) return; } #endif /* HAVE_SETKEYCREATECON */ /* We use the "spare" slot in argv to store sesh. */ --argv; argv[0] = *argv[1] == '-' ? "-sesh" : "sesh"; argv[1] = (char *)path; execve(_PATH_SUDO_SESH, argv, envp); }