diff -ur vixie-cron-4.1/Makefile vixie-cron-4.1-selinux/Makefile --- vixie-cron-4.1/Makefile 2004-08-28 02:09:33.000000000 +0800 +++ vixie-cron-4.1-selinux/Makefile 2017-04-26 22:16:53.321394815 +0800 @@ -68,7 +68,8 @@ #<> CC = gcc -Wall -Wno-unused -Wno-comment #<> -DEFS = +DEFS = -s -DWITH_SELINUX +LIBS += -lselinux #(SGI IRIX systems need this) #DEFS = -D_BSD_SIGNALS -Dconst= #<> diff -ur vixie-cron-4.1/database.c vixie-cron-4.1-selinux/database.c --- vixie-cron-4.1/database.c 2004-08-28 02:09:34.000000000 +0800 +++ vixie-cron-4.1-selinux/database.c 2017-04-27 01:31:34.757942605 +0800 @@ -28,6 +28,15 @@ #include "cron.h" +#ifdef WITH_SELINUX +#include +#include +#include +#define SYSUSERNAME "system_u" +#else +#define SYSUSERNAME "*system*" +#endif + #define TMAX(a,b) ((a)>(b)?(a):(b)) static void process_crontab(const char *, const char *, @@ -183,7 +192,7 @@ if (fname == NULL) { /* must be set to something for logging purposes. */ - fname = "*system*"; + fname = SYSUSERNAME; } else if ((pw = getpwnam(uname)) == NULL) { /* file doesn't have a user in passwd file. */ @@ -245,6 +254,117 @@ free_user(u); log_it(fname, getpid(), "RELOAD", tabname); } +#ifdef WITH_SELINUX + if (is_selinux_enabled()) { + security_context_t file_context=NULL; + security_context_t user_context=NULL; + context_t current_context = NULL; + char *current_context_str = NULL; + struct av_decision avd; + int retval=0; + char *seuser=NULL; + char *level=NULL; + int sys_user = 0; + + sys_user = strcmp(SYSUSERNAME, fname); + + if (fgetfilecon(crontab_fd, &file_context) < OK) { + log_it(fname, getpid(), "getfilecon FAILED", tabname); + goto next_crontab; + } + + if (sys_user != 0) { + if (getseuserbyname(fname, &seuser, &level) < 0) { + log_it(fname, getpid(), "NO SEUSER", tabname); + goto next_crontab; + } + } else { + if (getcon(¤t_context_str) < 0) { + log_it(fname, getpid(), "getcon FAILED", tabname); + goto next_crontab; + } + + current_context = context_new(current_context_str); + if (current_context == 0) { + log_it(fname, getpid(), "context new FAILED", tabname); + freecon(current_context_str); + goto next_crontab; + } + + seuser = context_user_get(current_context); + level = context_range_get(current_context); + } + + if (get_default_context_with_level(seuser, level, NULL, &user_context) < 0) { + log_it(fname, getpid(), "NO CONTEXT", tabname); + freecon(file_context); + if (sys_user != 0) { + free(seuser); + free(level); + } + freecon(current_context_str); + context_free(current_context); + goto next_crontab; + } + + /* + * Since crontab files are not directly executed, + * crond must ensure that the crontab file has + * a context that is appropriate for the context of + * the user cron job. It performs an entrypoint + * permission check for this purpose. + */ + security_class_t file_class; + access_vector_t entrypoint_bit; + file_class = string_to_security_class("file"); + if (file_class == 0) { + log_it(fname, getpid(), "file CLASS NOT DEFINED", tabname); + freecon(current_context_str); + context_free(current_context); + freecon(user_context); + freecon(file_context); + if (sys_user != 0) { + free(seuser); + free(level); + } + goto next_crontab; + } + + entrypoint_bit = string_to_av_perm(file_class, "entrypoint"); + if (entrypoint_bit == 0) { + log_it(fname, getpid(), "file:entrypoint AV NOT DEFINED", tabname); + freecon(current_context_str); + context_free(current_context); + freecon(user_context); + freecon(file_context); + if (sys_user != 0) { + free(seuser); + free(level); + } + goto next_crontab; + } + + retval = security_compute_av_raw(user_context, + file_context, + file_class, + entrypoint_bit, + &avd); + + freecon(user_context); + freecon(file_context); + if (sys_user != 0) { + free(seuser); + free(level); + } + context_free(current_context); + freecon(current_context_str); + + if (retval || ((entrypoint_bit & avd.allowed) != entrypoint_bit)) { + log_it(fname, getpid(), "ENTRYPOINT FAILED", tabname); + goto next_crontab; + } + } +#endif u = load_user(crontab_fd, pw, fname); if (u != NULL) { u->mtime = statbuf->st_mtime; diff -ur vixie-cron-4.1/do_command.c vixie-cron-4.1-selinux/do_command.c --- vixie-cron-4.1/do_command.c 2004-08-28 02:09:34.000000000 +0800 +++ vixie-cron-4.1-selinux/do_command.c 2017-04-27 01:30:49.045144698 +0800 @@ -25,6 +25,12 @@ #include "cron.h" +#ifdef WITH_SELINUX +#include +#include +#include +#endif + static void child_process(entry *, user *); static int safe_p(const char *, const char *); @@ -265,6 +271,49 @@ _exit(OK_EXIT); } # endif /*DEBUGGING*/ +#ifdef WITH_SELINUX + if (is_selinux_enabled()) { + char *seuser = NULL; + char *level = NULL; + char *current_context_str = NULL; + security_context_t scontext; + context_t current_context = NULL; + + if (strcmp("system_u", u->name) != 0) { + if (getseuserbyname(u->name, &seuser, &level) < 0) { + fprintf(stderr, "getseuserbyname: Could not determine seuser for user %s\n", u->name); + _exit(ERROR_EXIT); + } + } else { + if (getcon(¤t_context_str) < 0) { + fprintf(stderr, "getcon FAILED\n"); + _exit(ERROR_EXIT); + } + + current_context = context_new(current_context_str); + if (current_context == NULL) { + fprintf(stderr, "failed to create new context: %s\n", current_context_str); + freecon(current_context_str); + _exit(ERROR_EXIT); + } + + seuser = context_user_get(current_context); + } + + if (get_default_context_with_level(seuser, level, NULL, &scontext) < 0) { + fprintf(stderr, "get_default_context_with_level: could not get security context for user %s, seuser %s\n", u->name, seuser); + _exit(ERROR_EXIT); + } + + if (setexeccon(scontext) < 0) { + fprintf(stderr, "setexeccon: Could not set exec context to %s for user %s\n", scontext, u->name); + _exit(ERROR_EXIT); + } + free(seuser); + free(level); + freecon(scontext); + } +#endif execle(shell, shell, "-c", e->cmd, (char *)0, e->envp); fprintf(stderr, "execl: couldn't exec `%s'\n", shell); perror("execl");