sandbox: create a new session for sandboxed processes

It helps to prevent sandboxed processes from injecting arbitrary commands
into the parent.

Signed-off-by: Petr Lautrbach <plautrba@redhat.com>
bachradsusi authored and stephensmalley committed Sep 23, 2016
1 parent 5b98f39 commit acca96a135a4d2a028ba9b636886af99c0915379
Showing with 9 additions and 4 deletions.
  1. +9 −4 policycoreutils/sandbox/sandbox
@@ -471,10 +471,15 @@ sandbox [-h] [-l level ] [-[X|M] [-H homedir] [-T tempdir]] [-I includefile ] [-
cmds += ["--"] + self.__paths
return subprocess.Popen(cmds).wait()
selinux.setexeccon(self.__execcon)
rc = subprocess.Popen(self.__cmds).wait()
selinux.setexeccon(None)
return rc
pid = os.fork()
if pid == 0:
rc = os.setsid()
if rc:
return rc
selinux.setexeccon(self.__execcon)
os.execv(self.__cmds[0], self.__cmds)
rc = os.waitpid(pid, 0)
return os.WEXITSTATUS(rc[1])
finally:
for i in self.__paths:
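Review bot: the child branch after `os.fork()` does not handle failure the way `rc = os.setsid()` / `if rc: return rc` suggests: `os.setsid()` returns None on success and raises OSError on failure, so the check is never taken, and a failure escapes as an exception in the forked child, which then unwinds into the parent's `finally:` cleanup (`for i in self.__paths:`) from the child process instead of terminating. The same applies if `os.execv(self.__cmds[0], self.__cmds)` fails: the child keeps running the parent's code. Suggest wrapping the child body in try/except and always leaving via `os._exit(...)`, e.g. `except OSError: os._exit(1)`, so the child can never fall through into the parent's cleanup or return path. Separately, `os.WEXITSTATUS(rc[1])` is only meaningful when `os.WIFEXITED(rc[1])` is true; the previous `subprocess.Popen(self.__cmds).wait()` reported a signal-killed child as a negative return code, so check `os.WIFSIGNALED` and map that case explicitly rather than returning a garbage exit status.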

0 comments on commit acca96a