/* child */
close(sv[0]);
fcntl(sv[1], F_SETFD, FD_CLOEXEC);
-#ifdef HAVE_SELINUX
- if (rbac_enabled)
- selinux_setup(user_role, user_type, user_ttypath, -1);
-#endif
- if (exec_setup(PERM_DOWAIT) == TRUE) {
+ if (exec_setup(PERM_DOWAIT, rbac_enabled, user_ttypath, -1) == TRUE) {
/* headed for execve() */
closefrom(def_closefrom);
#ifdef HAVE_SELINUX
* If we don't need to wait for the command to finish, just exec it.
*/
if (!dowait) {
- exec_setup(0);
+ exec_setup(0, FALSE, NULL, -1);
closefrom(def_closefrom);
my_execve(path, argv, envp);
cstat->type = CMD_ERRNO;
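Review bot: The return value of `exec_setup(0, FALSE, NULL, -1)` is discarded in the `!dowait` branch, so `closefrom()` and `my_execve()` still run if the setup step fails, whereas the two child branches touched by this commit only proceed when it returns TRUE. Gate the exec the same way, `if (exec_setup(0, FALSE, NULL, -1) == TRUE) {` around the `closefrom`/`my_execve` pair, and let the error path that follows report the failure. The hard-coded FALSE for the RBAC flag presumably relies on `dowait` always being set when a role is requested. A one-line comment such as `/* rbac_enabled implies dowait, so no SELinux setup here */` would make that invariant reviewable. The branch continues past the end of this hunk.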
/* child */
close(sv[0]);
fcntl(sv[1], F_SETFD, FD_CLOEXEC);
-#ifdef HAVE_SELINUX
- if (rbac_enabled)
- selinux_setup(user_role, user_type, slavename, io_fds[SFD_SLAVE]);
-#endif
- if (exec_setup(PERM_DOWAIT) == TRUE) {
+ if (exec_setup(PERM_DOWAIT, rbac_enabled, slavename, io_fds[SFD_SLAVE]) == TRUE) {
/* Close the other end of the stdin/stdout/stderr pipes and exec. */
if (io_pipe[STDIN_FILENO][1])
close(io_pipe[STDIN_FILENO][1]);
/* We must have a role, the type is optional (we can use the default). */
if (!role) {
- warningx("you must specify a role.");
+ warningx("you must specify a role for type %s", type);
+ errno = EINVAL;
return NULL;
}
if (!type) {
if (get_default_type(role, &typebuf)) {
- warningx("unable to get default type");
+ warningx("unable to get default type for role %s", role);
+ errno = EINVAL;
return NULL;
}
type = typebuf;
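Review bot: The new message in the `!role` branch formats `type` with `%s`, but the `if (!type)` test directly below shows that `type` may be NULL in this function, and passing NULL to `%s` is undefined behaviour. Whether a caller can reach this point with both values unset is not visible in the hunk, so guard the argument rather than rely on it: `warningx("you must specify a role for type %s", type ? type : "(none)");`. The function starts and ends outside the hunk.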
* type we will be running the command as.
*/
if (context_role_set(context, role)) {
- warningx("failed to set new role %s", role);
+ warning("failed to set new role %s", role);
goto bad;
}
if (context_type_set(context, type)) {
- warningx("failed to set new type %s", type);
+ warning("failed to set new type %s", type);
goto bad;
}
new_context = estrdup(context_str(context));
if (security_check_context(new_context) < 0) {
warningx("%s is not a valid context", new_context);
+ errno = EINVAL;
goto bad;
}
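Review bot: `errno = EINVAL` is assigned immediately before `goto bad`, and the `bad:` label lies outside this hunk, so it cannot be confirmed here that the value survives the cleanup. If that path frees the context or other buffers, save the value first and restore it before returning, e.g. `serrno = errno;` ahead of the cleanup and `errno = serrno;` after it, so the caller reports the real cause. The two `warningx` → `warning` changes also make the message depend on `errno`, which assumes `context_role_set()` and `context_type_set()` set it on failure. A short comment noting that assumption would help.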
* Must run as root, before the uid change.
* If ptyfd is not -1, it indicates we are running
* in a pty and do not need to reset std{in,out,err}.
+ * Returns 0 on success and -1 on failure.
*/
-void
+int
selinux_setup(const char *role, const char *type, const char *ttyn,
int ptyfd)
{
+ int rval = -1;
+
/* Store the caller's SID in old_context. */
- if (getprevcon(&se_state.old_context))
- error(EXIT_FAILURE, "failed to get old_context");
+ if (getprevcon(&se_state.old_context)) {
+ warning("failed to get old_context");
+ goto done;
+ }
se_state.enforcing = security_getenforce();
- if (se_state.enforcing < 0)
- error(EXIT_FAILURE, "unable to determine enforcing mode.");
+ if (se_state.enforcing < 0) {
+ warning("unable to determine enforcing mode.");
+ goto done;
+ }
#ifdef DEBUG
warningx("your old context was %s", se_state.old_context);
#endif
se_state.new_context = get_exec_context(se_state.old_context, role, type);
if (!se_state.new_context)
- error(EXIT_FAILURE, "unable to get exec context");
+ goto done;
- if (relabel_tty(ttyn, ptyfd) < 0)
- error(EXIT_FAILURE, "unable to setup tty context for %s", se_state.new_context);
+ if (relabel_tty(ttyn, ptyfd) < 0) {
+ warning("unable to setup tty context for %s", se_state.new_context);
+ goto done;
+ }
#ifdef DEBUG
if (se_state.ttyfd != -1) {
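Review bot: The header comment gains only "Returns 0 on success and -1 on failure", which understates the change: every failure here used to terminate via `error(EXIT_FAILURE, ...)` and now returns to the caller, so running the command in the intended SELinux context depends on the caller honouring -1. State that contract in the comment, e.g. `* Returns 0 on success and -1 on failure; on failure the caller must not exec the command.` The `!se_state.new_context` branch goes to `done` without printing anything, relying on `get_exec_context()` having warned on each of its failure paths. A one-line comment there would make that explicit. The caller that consumes the result, `exec_setup()`, is not part of this diff, and the function's tail is in the following hunk.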
}
#endif
+ rval = 0;
+
+done:
+ return rval;
}
void
void sudo_setspent __P((void));
/* selinux.c */
-void selinux_execve __P((const char *path, char *argv[], char *envp[]));
-void selinux_setup __P((const char *role, const char *type, const char *ttyn,
- int ttyfd));
int selinux_restore_tty __P((void));
+int selinux_setup __P((const char *role, const char *type, const char *ttyn,
+ int ttyfd));
+void selinux_execve __P((const char *path, char *argv[], char *envp[]));
/* set_perms.c */
int set_perms __P((int));
/* sudo.c */
FILE *open_sudoers __P((const char *, int, int *));
-int exec_setup __P((int));
+int exec_setup __P((int, int, const char *, int));
void cleanup __P((int));
void set_fqdn __P((void));