
Commit acca96a

bachradsusistephensmalley
authored andcommitted
sandbox: create a new session for sandboxed processes
It helps prevent sandboxed processes from injecting arbitrary commands into the parent. Signed-off-by: Petr Lautrbach <plautrba@redhat.com>
1 parent 5b98f39 commit acca96a


1 file changed

+9
-4
lines changed

1 file changed

+9
-4
lines changed

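--- a/policycoreutils/sandbox/sandbox
+++ b/policycoreutils/sandbox/sandbox
@@ -471,10 +471,15 @@ sandbox [-h] [-l level ] [-[X|M] [-H homedir] [-T tempdir]] [-I includefile ] [-
                 cmds += ["--"] + self.__paths
                 return subprocess.Popen(cmds).wait()
 
-            selinux.setexeccon(self.__execcon)
-            rc = subprocess.Popen(self.__cmds).wait()
-            selinux.setexeccon(None)
-            return rc
+            pid = os.fork()
+            if pid == 0:
+                rc = os.setsid()
+                if rc:
+                    return rc
+                selinux.setexeccon(self.__execcon)
+                os.execv(self.__cmds[0], self.__cmds)
+            rc = os.waitpid(pid, 0)
+            return os.WEXITSTATUS(rc[1])
 
         finally:
             for i in self.__paths: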
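Review bot: The child branch after `if pid == 0:` can fall back into the parent's code path: `os.setsid()` returns None on success and raises OSError on failure, so `if rc: return rc` never fires, and an OSError from `os.setsid()` or `os.execv()` unwinds the child through the `finally:` cleanup below and on into the caller, so the forked copy would run the parent's teardown (and whatever follows it) a second time. The child should end in `os._exit()` on every path that does not exec, with the error reported before exiting. Separately, `os.WEXITSTATUS(rc[1])` yields 0 when the child was killed by a signal, so a crashed sandboxed command reports success; checking `os.WIFSIGNALED(rc[1])` first would preserve a failure code. Note too that `subprocess.Popen` resolved `self.__cmds[0]` via PATH while `os.execv` does not, so commands given without a path may now fail unless they are resolved earlier in the file (not visible in this hunk); `os.execvp` would keep the old lookup. The enclosing method and its `try:` start outside the hunk.
```python
            pid = os.fork()
            if pid == 0:
                try:
                    os.setsid()  # raises OSError on failure; no return code to check
                    selinux.setexeccon(self.__execcon)
                    os.execv(self.__cmds[0], self.__cmds)
                except OSError as e:
                    print(e, file=sys.stderr)  # assumes sys is imported at file top
                finally:
                    os._exit(1)  # never unwind into the parent's finally/cleanup
            # … unchanged: os.waitpid / WEXITSTATUS …
```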
