/[smeserver]/rpms/sudo/sme9/sudo-1.8.6p3-noexec-update.patch
ViewVC logotype

Contents of /rpms/sudo/sme9/sudo-1.8.6p3-noexec-update.patch

Parent Directory Parent Directory | Revision Log Revision Log | View Revision Graph Revision Graph


Revision 1.1 - (show annotations) (download)
Thu Feb 4 19:44:25 2021 UTC (3 years, 9 months ago) by jpp
Branch: MAIN
CVS Tags: sudo-1_8_6p3-30_el6_sme, sudo-1_8_6p3-29_el6_9, HEAD
Error occurred while calculating annotation data.
Sudo

1 diff -up sudo-1.8.6p3/config.h.in.noexec-update sudo-1.8.6p3/config.h.in
2 --- sudo-1.8.6p3/config.h.in.noexec-update 2012-09-18 15:57:43.000000000 +0200
3 +++ sudo-1.8.6p3/config.h.in 2016-11-24 10:35:39.742359619 +0100
4 @@ -87,6 +87,10 @@
5 don't. */
6 #undef HAVE_DECL_H_ERRNO
7
8 +/* Define to 1 if you have the declaration of `SECCOMP_SET_MODE_FILTER', and
9 + to 0 if you don't. */
10 +#undef HAVE_DECL_SECCOMP_SET_MODE_FILTER
11 +
12 /* Define to 1 if you have the declaration of `sys_sigabbrev', and to 0 if you
13 don't. */
14 #undef HAVE_DECL_SYS_SIGABBREV
15 @@ -134,9 +138,21 @@
16 /* Define to 1 if the compiler supports the __visibility__ attribute. */
17 #undef HAVE_DSO_VISIBILITY
18
19 +/* Define to 1 if you have the `exect' function. */
20 +#undef HAVE_EXECT
21 +
22 +/* Define to 1 if you have the `execvp' function. */
23 +#undef HAVE_EXECVP
24 +
25 +/* Define to 1 if you have the `execvpe' function. */
26 +#undef HAVE_EXECVPE
27 +
28 /* Define to 1 if your system has the F_CLOSEM fcntl. */
29 #undef HAVE_FCNTL_CLOSEM
30
31 +/* Define to 1 if you have the `fexecve' function. */
32 +#undef HAVE_FEXECVE
33 +
34 /* Define to 1 if you have the `fgetln' function. */
35 #undef HAVE_FGETLN
36
37 @@ -415,6 +431,12 @@
38 /* Define to 1 if you have the `posix_openpt' function. */
39 #undef HAVE_POSIX_OPENPT
40
41 +/* Define to 1 if you have the `posix_spawn' function. */
42 +#undef HAVE_POSIX_SPAWN
43 +
44 +/* Define to 1 if you have the `posix_spawnp' function. */
45 +#undef HAVE_POSIX_SPAWNP
46 +
47 /* Define to 1 if you have the `priv_set' function. */
48 #undef HAVE_PRIV_SET
49
50 @@ -694,6 +716,12 @@
51 /* Define to 1 if you have the `vsnprintf' function. */
52 #undef HAVE_VSNPRINTF
53
54 +/* Define to 1 if you have the `wordexp' function. */
55 +#undef HAVE_WORDEXP
56 +
57 +/* Define to 1 if you have the <wordexp.h> header file. */
58 +#undef HAVE_WORDEXP_H
59 +
60 /* Define to 1 if you have the <zlib.h> header file. */
61 #undef HAVE_ZLIB_H
62
63 diff -up sudo-1.8.6p3/configure.in.noexec-update sudo-1.8.6p3/configure.in
64 --- sudo-1.8.6p3/configure.in.noexec-update 2016-11-24 10:35:39.729359787 +0100
65 +++ sudo-1.8.6p3/configure.in 2016-11-24 10:35:39.743359606 +0100
66 @@ -1805,6 +1805,14 @@ case "$host" in
67 shadow_funcs="getspnam"
68 shadow_libs_optional="-lshadow"
69 test -z "$with_pam" && AUTH_EXCL_DEF="PAM"
70 + # Check for SECCOMP_SET_MODE_FILTER in linux/seccomp.h
71 + AC_CHECK_DECLS([SECCOMP_SET_MODE_FILTER], [], [], [
72 +#include <sys/types.h>
73 +#include <sys/prctl.h>
74 +#include <asm/unistd.h>
75 +#include <linux/seccomp.h>
76 +#include <linux/filter.h>
77 + ])
78 ;;
79 *-convex-bsd*)
80 OSDEFS="${OSDEFS} -D_CONVEX_SOURCE"
81 @@ -2067,7 +2075,7 @@ AC_HEADER_DIRENT
82 AC_HEADER_TIME
83 AC_HEADER_STDBOOL
84 AC_HEADER_MAJOR
85 -AC_CHECK_HEADERS(malloc.h netgroup.h paths.h spawn.h utime.h utmpx.h sys/sockio.h sys/bsdtypes.h sys/select.h sys/stropts.h sys/sysmacros.h)
86 +AC_CHECK_HEADERS(malloc.h netgroup.h paths.h spawn.h utime.h utmpx.h wordexp.h sys/sockio.h sys/bsdtypes.h sys/select.h sys/stropts.h sys/sysmacros.h)
87 AC_CHECK_HEADERS([procfs.h] [sys/procfs.h], [AC_CHECK_MEMBERS(struct psinfo.pr_ttydev, [AC_CHECK_FUNCS(_ttyname_dev)], [], [AC_INCLUDES_DEFAULT
88 #ifdef HAVE_PROCFS_H
89 #include <procfs.h>
90 @@ -2199,7 +2207,8 @@ dnl
91 AC_FUNC_GETGROUPS
92 AC_CHECK_FUNCS(glob strrchr sysconf tzset strftime setenv \
93 regcomp setlocale nl_langinfo mbr_check_membership \
94 - setrlimit64)
95 + setrlimit64 \
96 + wordexp exect execvp execvpe fexecve posix_spawn posix_spawnp)
97 AC_REPLACE_FUNCS(getgrouplist)
98 AC_CHECK_FUNCS(getline, [], [
99 AC_LIBOBJ(getline)
100 diff -up sudo-1.8.6p3/include/missing.h.noexec-update sudo-1.8.6p3/include/missing.h
101 --- sudo-1.8.6p3/include/missing.h.noexec-update 2012-09-18 15:56:28.000000000 +0200
102 +++ sudo-1.8.6p3/include/missing.h 2016-11-24 10:35:39.743359606 +0100
103 @@ -198,6 +198,13 @@ typedef struct sigaction sigaction_t;
104 #endif
105
106 /*
107 + * The nitems macro may be defined in sys/param.h
108 + */
109 +#ifndef nitems
110 +# define nitems(_a) (sizeof((_a)) / sizeof((_a)[0]))
111 +#endif
112 +
113 +/*
114 * If dirfd() does not exists, hopefully dd_fd does.
115 */
116 #if !defined(HAVE_DIRFD) && defined(HAVE_DD_FD)
117 diff -up sudo-1.8.6p3/src/Makefile.in.noexec-update sudo-1.8.6p3/src/Makefile.in
118 --- sudo-1.8.6p3/src/Makefile.in.noexec-update 2016-11-24 10:35:39.743359606 +0100
119 +++ sudo-1.8.6p3/src/Makefile.in 2016-11-24 10:46:58.563597083 +0100
120 @@ -105,7 +105,7 @@ sudo: $(OBJS) $(LT_LIBS)
121 $(LIBTOOL) --mode=link $(CC) -o $@ $(OBJS) $(LDFLAGS) $(PIE_LDFLAGS) $(LIBS)
122
123 libsudo_noexec.la: sudo_noexec.lo
124 - $(LIBTOOL) --mode=link $(CC) $(LDFLAGS) $(LT_LDFLAGS) -o $@ sudo_noexec.lo -avoid-version -rpath $(noexecdir)
125 + $(LIBTOOL) --mode=link $(CC) $(LDFLAGS) $(LT_LDFLAGS) @LIBDL@ -o $@ sudo_noexec.lo -avoid-version -rpath $(noexecdir)
126
127 sesh: sesh.o error.o exec_common.o @LIBINTL@ $(LT_LIBS)
128 $(LIBTOOL) --mode=link $(CC) -o $@ sesh.o error.o exec_common.o $(LDFLAGS) $(PIE_LDFLAGS) @LIBINTL@ $(LIBS)
129 diff -up sudo-1.8.6p3/src/sudo_noexec.c.noexec-update sudo-1.8.6p3/src/sudo_noexec.c
130 --- sudo-1.8.6p3/src/sudo_noexec.c.noexec-update 2012-09-18 15:56:30.000000000 +0200
131 +++ sudo-1.8.6p3/src/sudo_noexec.c 2016-11-24 10:35:39.743359606 +0100
132 @@ -1,5 +1,5 @@
133 /*
134 - * Copyright (c) 2004-2005, 2010-2011 Todd C. Miller <Todd.Miller@courtesan.com>
135 + * Copyright (c) 2004-2005, 2010-2016 Todd C. Miller <Todd.Miller@courtesan.com>
136 *
137 * Permission to use, copy, modify, and distribute this software for any
138 * purpose with or without fee is hereby granted, provided that the above
139 @@ -18,20 +18,64 @@
140
141 #include <sys/types.h>
142
143 +#if defined(HAVE_DECL_SECCOMP_SET_MODE_FILTER) && HAVE_DECL_SECCOMP_SET_MODE_FILTER
144 +# include <sys/prctl.h>
145 +# include <asm/unistd.h>
146 +# include <linux/filter.h>
147 +# include <linux/seccomp.h>
148 +#endif
149 +
150 #include <errno.h>
151 #include <stdarg.h>
152 +#include <stdio.h>
153 +#include <stdlib.h>
154 +#include <unistd.h>
155 #ifdef HAVE_SPAWN_H
156 #include <spawn.h>
157 #endif
158 +#ifdef HAVE_STRING_H
159 +# include <string.h>
160 +#endif /* HAVE_STRING_H */
161 +#ifdef HAVE_STRINGS_H
162 +# include <strings.h>
163 +#endif /* HAVE_STRINGS_H */
164 +#ifdef HAVE_WORDEXP_H
165 +#include <wordexp.h>
166 +#endif
167 +#if defined(HAVE_SHL_LOAD)
168 +# include <dl.h>
169 +#elif defined(HAVE_DLOPEN)
170 +# include <dlfcn.h>
171 +#endif
172
173 #include "missing.h"
174 +#include "pathnames.h"
175 +
176 +#ifdef HAVE___INTERPOSE
177 +/*
178 + * Mac OS X 10.4 and above has support for library symbol interposition.
179 + * There is a good explanation of this in the Mac OS X Internals book.
180 + */
181 +typedef struct interpose_s {
182 + void *new_func;
183 + void *orig_func;
184 +} interpose_t;
185 +
186 +# define FN_NAME(fn) dummy_ ## fn
187 +# define INTERPOSE(fn) \
188 + __attribute__((__used__)) static const interpose_t interpose_ ## fn \
189 + __attribute__((__section__("__DATA,__interpose"))) = \
190 + { (void *)dummy_ ## fn, (void *)fn };
191 +#else
192 +# define FN_NAME(fn) fn
193 +# define INTERPOSE(fn)
194 +#endif
195
196 /*
197 - * Dummy versions of the execve() family of syscalls. We don't need
198 - * to stub out all of them, just the ones that correspond to actual
199 - * system calls (which varies by OS). Note that it is still possible
200 - * to access the real syscalls via the syscall() interface but very
201 - * few programs actually do that.
202 + * Dummy versions of the exec(3) family of syscalls. It is not enough to
203 + * just dummy out execve(2) since many C libraries do not call the public
204 + * execve(2) interface. Note that it is still possible to access the real
205 + * syscalls via the syscall(2) interface, but that is rarely done.
206 */
207
208 #define DUMMY_BODY \
209 @@ -40,61 +84,172 @@
210 return -1; \
211 }
212
213 +#define DUMMY1(fn, t1) \
214 +__dso_public int \
215 +FN_NAME(fn)(t1 a1) \
216 +DUMMY_BODY \
217 +INTERPOSE(fn)
218 +
219 #define DUMMY2(fn, t1, t2) \
220 __dso_public int \
221 -fn(t1 a1, t2 a2) \
222 -DUMMY_BODY
223 +FN_NAME(fn)(t1 a1, t2 a2) \
224 +DUMMY_BODY \
225 +INTERPOSE(fn)
226
227 #define DUMMY3(fn, t1, t2, t3) \
228 __dso_public int \
229 -fn(t1 a1, t2 a2, t3 a3) \
230 -DUMMY_BODY
231 +FN_NAME(fn)(t1 a1, t2 a2, t3 a3) \
232 +DUMMY_BODY \
233 +INTERPOSE(fn)
234
235 #define DUMMY6(fn, t1, t2, t3, t4, t5, t6) \
236 __dso_public int \
237 -fn(t1 a1, t2 a2, t3 a3, t4 a4, t5 a5, t6 a6) \
238 -DUMMY_BODY
239 +FN_NAME(fn)(t1 a1, t2 a2, t3 a3, t4 a4, t5 a5, t6 a6) \
240 +DUMMY_BODY \
241 +INTERPOSE(fn)
242
243 #define DUMMY_VA(fn, t1, t2) \
244 __dso_public int \
245 -fn(t1 a1, t2 a2, ...) \
246 -DUMMY_BODY
247 +FN_NAME(fn)(t1 a1, t2 a2, ...) \
248 +DUMMY_BODY \
249 +INTERPOSE(fn)
250
251 +/*
252 + * Standard exec(3) family of functions.
253 + */
254 DUMMY_VA(execl, const char *, const char *)
255 -DUMMY_VA(_execl, const char *, const char *)
256 -DUMMY_VA(__execl, const char *, const char *)
257 DUMMY_VA(execle, const char *, const char *)
258 -DUMMY_VA(_execle, const char *, const char *)
259 -DUMMY_VA(__execle, const char *, const char *)
260 DUMMY_VA(execlp, const char *, const char *)
261 -DUMMY_VA(_execlp, const char *, const char *)
262 -DUMMY_VA(__execlp, const char *, const char *)
263 -DUMMY3(exect, const char *, char * const *, char * const *)
264 -DUMMY3(_exect, const char *, char * const *, char * const *)
265 -DUMMY3(__exect, const char *, char * const *, char * const *)
266 DUMMY2(execv, const char *, char * const *)
267 -DUMMY2(_execv, const char *, char * const *)
268 -DUMMY2(__execv, const char *, char * const *)
269 DUMMY2(execvp, const char *, char * const *)
270 -DUMMY2(_execvp, const char *, char * const *)
271 -DUMMY2(__execvp, const char *, char * const *)
272 -DUMMY3(execvP, const char *, const char *, char * const *)
273 -DUMMY3(_execvP, const char *, const char *, char * const *)
274 -DUMMY3(__execvP, const char *, const char *, char * const *)
275 DUMMY3(execve, const char *, char * const *, char * const *)
276 -DUMMY3(_execve, const char *, char * const *, char * const *)
277 -DUMMY3(__execve, const char *, char * const *, char * const *)
278 +
279 +/*
280 + * Non-standard exec(3) functions and corresponding private versions.
281 + */
282 +#ifdef HAVE_EXECVP
283 +DUMMY3(execvP, const char *, const char *, char * const *)
284 +#endif
285 +#ifdef HAVE_EXECVPE
286 DUMMY3(execvpe, const char *, char * const *, char * const *)
287 -DUMMY3(_execvpe, const char *, char * const *, char * const *)
288 -DUMMY3(__execvpe, const char *, char * const *, char * const *)
289 +#endif
290 +#ifdef HAVE_EXECT
291 +DUMMY3(exect, const char *, char * const *, char * const *)
292 +#endif
293 +
294 +/*
295 + * Not all systems support fexecve(2), posix_spawn(2) and posix_spawnp(2).
296 + */
297 +#ifdef HAVE_FEXECVE
298 DUMMY3(fexecve, int , char * const *, char * const *)
299 -DUMMY3(_fexecve, int , char * const *, char * const *)
300 -DUMMY3(__fexecve, int , char * const *, char * const *)
301 -#ifdef HAVE_SPAWN_H
302 +#endif
303 +#ifdef HAVE_POSIX_SPAWN
304 DUMMY6(posix_spawn, pid_t *, const char *, const posix_spawn_file_actions_t *, const posix_spawnattr_t *, char * const *, char * const *)
305 -DUMMY6(_posix_spawn, pid_t *, const char *, const posix_spawn_file_actions_t *, const posix_spawnattr_t *, char * const *, char * const *)
306 -DUMMY6(__posix_spawn, pid_t *, const char *, const posix_spawn_file_actions_t *, const posix_spawnattr_t *, char * const *, char * const *)
307 +#endif
308 +#ifdef HAVE_POSIX_SPAWNP
309 DUMMY6(posix_spawnp, pid_t *, const char *, const posix_spawn_file_actions_t *, const posix_spawnattr_t *, char * const *, char * const *)
310 -DUMMY6(_posix_spawnp, pid_t *, const char *, const posix_spawn_file_actions_t *, const posix_spawnattr_t *, char * const *, char * const *)
311 -DUMMY6(__posix_spawnp, pid_t *, const char *, const posix_spawn_file_actions_t *, const posix_spawnattr_t *, char * const *, char * const *)
312 -#endif /* HAVE_SPAWN_H */
313 +#endif
314 +
315 +/*
316 + * system(3) and popen(3).
317 + * We can't use a wrapper for popen since it returns FILE *, not int.
318 + */
319 +DUMMY1(system, const char *)
320 +
321 +__dso_public FILE *
322 +FN_NAME(popen)(const char *c, const char *t)
323 +{
324 + errno = EACCES;
325 + return NULL;
326 +}
327 +INTERPOSE(popen)
328 +
329 +#if defined(HAVE_WORDEXP) && (defined(RTLD_NEXT) || defined(HAVE_SHL_LOAD) || defined(HAVE___INTERPOSE))
330 +/*
331 + * We can't use a wrapper for wordexp(3) since we still want to call
332 + * the real wordexp(3) but with WRDE_NOCMD added to the flags argument.
333 + */
334 +typedef int (*sudo_fn_wordexp_t)(const char *, wordexp_t *, int);
335 +
336 +__dso_public int
337 +FN_NAME(wordexp)(const char *words, wordexp_t *we, int flags)
338 +{
339 +#if defined(HAVE___INTERPOSE)
340 + return wordexp(words, we, flags | WRDE_NOCMD);
341 +#else
342 +# if defined(HAVE_DLOPEN)
343 + void *fn = dlsym(RTLD_NEXT, "wordexp");
344 +# elif defined(HAVE_SHL_LOAD)
345 + const char *name, *myname = _PATH_SUDO_NOEXEC;
346 + struct shl_descriptor *desc;
347 + void *fn = NULL;
348 + int idx = 0;
349 +
350 + name = strrchr(myname, '/');
351 + if (name != NULL)
352 + myname = name + 1;
353 +
354 + /* Search for wordexp() but skip this shared object. */
355 + while (shl_get(idx++, &desc) == 0) {
356 + name = strrchr(desc->filename, '/');
357 + if (name == NULL)
358 + name = desc->filename;
359 + else
360 + name++;
361 + if (strcmp(name, myname) == 0)
362 + continue;
363 + if (shl_findsym(&desc->handle, "wordexp", TYPE_PROCEDURE, &fn) == 0)
364 + break;
365 + }
366 +# else
367 + void *fn = NULL;
368 +# endif
369 + if (fn == NULL) {
370 + errno = EACCES;
371 + return -1;
372 + }
373 + return ((sudo_fn_wordexp_t)fn)(words, we, flags | WRDE_NOCMD);
374 +#endif /* HAVE___INTERPOSE */
375 +}
376 +INTERPOSE(wordexp)
377 +#endif /* HAVE_WORDEXP && (RTLD_NEXT || HAVE_SHL_LOAD || HAVE___INTERPOSE) */
378 +
379 +/*
380 + * On Linux we can use a seccomp() filter to disable exec.
381 + */
382 +#if defined(HAVE_DECL_SECCOMP_SET_MODE_FILTER) && HAVE_DECL_SECCOMP_SET_MODE_FILTER
383 +
384 +/* Older systems may not support execveat(2). */
385 +#ifndef __NR_execveat
386 +# define __NR_execveat -1
387 +#endif
388 +
389 +static void noexec_ctor(void) __attribute__((constructor));
390 +
391 +static void
392 +noexec_ctor(void)
393 +{
394 + struct sock_filter exec_filter[] = {
395 + /* Load syscall number into the accumulator */
396 + BPF_STMT(BPF_LD | BPF_ABS, offsetof(struct seccomp_data, nr)),
397 + /* Jump to deny for execve/execveat */
398 + BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, __NR_execve, 2, 0),
399 + BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, __NR_execveat, 1, 0),
400 + /* Allow non-matching syscalls */
401 + BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW),
402 + /* Deny execve/execveat syscall */
403 + BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ERRNO | (EACCES & SECCOMP_RET_DATA))
404 + };
405 + const struct sock_fprog exec_fprog = {
406 + nitems(exec_filter),
407 + exec_filter
408 + };
409 +
410 + /*
411 + * SECCOMP_MODE_FILTER will fail unless the process has
412 + * CAP_SYS_ADMIN or the no_new_privs bit is set.
413 + */
414 + if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) == 0)
415 + (void)prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &exec_fprog);
416 +}
417 +#endif /* HAVE_DECL_SECCOMP_SET_MODE_FILTER */

admin@koozali.org
ViewVC Help
Powered by ViewVC 1.2.1 RSS 2.0 feed