The local service should use eval when it executes scripts since it has
the redirection set up in a variable.
This fixes#50.
X-Gentoo-Bug: 545012
X-Gentoo-Bug-URL: https://bugs.gentoo.org/show_bug.cgi?id=545012
If selinux is disabled, then stub methods will be provided instead of
calling the real methods. This removes some warnings about unused
parameters which used to be covered up with #ifdef HAVE_SELINUX.
Signed-off-by: Jason Zaman <jason@perfinion.com>
The previous fix to --test (PR #34) prevented reading one too many
arguments when --exec -or --name was not specified, but created a
regression where the last argument would not print if either of those
arguments was specified. This corrects the issue.
Fixes#41.
checkpath -W can fail if the specified path doesn't actually exist yet.
In this case savecache script should attempt to create the path if it is
missing, however it is pre-empted by the checkpath call. This patch adds
an explicit existence test before executing checkpath.
This fixes#36.
If /tmp or / are read-only, the clean_run function can fail in some very
bad ways.
1. dir=$(mktemp -d) returns an EMPTY string on error.
2. "mount -o bind / $dir", and don't check the result of that,
3. "rm -rf $dir/run/*", which removes the REAL /run contents
4. box gets very weird from this point forward
Signed-Off-By: Robin H. Johnson <robbat2@gentoo.org>
Signed-Off-By: Chip Parker <infowolfe@gmail.com>
Reported-by: Chip Parker <infowolfe@gmail.com>
Tested-by: Chip Parker <infowolfe@gmail.com>
This is another security fix. If you use chown() or chmod() on a
symbolic link, it affects the referenced file, not the symbolic link
itself.
X-Gentoo-Bug: 540006
X-Gentoo-Bug-URL: https://bugs.gentoo.org/show_bug.cgi?id=540006
The local service now redirects stdout and stderr for the scripts it
runs to /dev/null unless it is run in verbose mode.
X-Gentoo-Bug: 537444
X-Gentoo-Bug-URL: https://bugs.gentoo.org/show_bug.cgi?id=537444
Do not change permissions on the target if it is a file and has multiple
hard links. This is necessary because a hard link can be an attack
vector to gain privilege escalation.
X-Gentoo-Bug: 540006
X-Gentoo-Bug-URL: https://bugs.gentoo.org/show_bug.cgi?id=540006
sysfs now mounts all related sysfs file systems and returns success,
like netmount and localmount.
Also, we now check to make sure the cgroups are not mounted before we
mount them.
X-Gentoo-Bug: 530138
X-Gentoo-Bug-URL: https://bugs.gentoo.org/show_bug.cgi?id=530138
runscript used to dlopen() runscript_selinux.so. This adds equivalent
functionality directly in to runscript instead. It authenticates with
either PAM or shadow and optionally has a dep on audit.
X-Gentoo-Bug: 517450
X-Gentoo-Bug-URL: https://bugs.gentoo.org/show_bug.cgi?id=517450
Fixes#25
Note from William Hubbs:
The original patch overwrote CFLAGS. I modified this patch to add the
ncurses cflags to CPPFLAGS instead of overwriting CFLAGS.
Check for __FreeBSD_kernel instead of __GLIBC__ in source files.
note from William Hubbs:
I was told this is a better check for GNU/kFreeBSD than checking the
C library the source is being compiled against.
GNU/kFreeBSD than checking which library we are using.
