[gdm] daemon: reset exec context after fork()



commit d4dbdc8c5a5703f205540d0c39459e1a06faf458
Author: Ray Strode <rstrode redhat com>
Date:   Thu Sep 6 17:14:06 2012 -0400

    daemon: reset exec context after fork()
    
    When pam_open_session finishes, the session worker
    is set up such that the next fork()/exec() may transition the
    user to a user specific context (such as staff_t).
    
    This makes sense for the first fork()/exec() (which is the user
    login), but the worker may fork()/exec() other workers after login
    for unlock operations.  These workers need to run in a gdm context,
    not a user context.
    
    This commit changes gdm-session-worker to manually reset the exec()
    context after the first fork().
    
    https://bugzilla.gnome.org/show_bug.cgi?id=683426

 daemon/Makefile.am          |    2 ++
 daemon/gdm-session-worker.c |   11 +++++++++++
 2 files changed, 13 insertions(+), 0 deletions(-)
---
diff --git a/daemon/Makefile.am b/daemon/Makefile.am
index 8d0cf5e..bb84765 100644
--- a/daemon/Makefile.am
+++ b/daemon/Makefile.am
@@ -27,6 +27,7 @@ AM_CPPFLAGS = \
 	$(WARN_CFLAGS)					\
 	$(DEBUG_CFLAGS)					\
 	$(SYSTEMD_CFLAGS)				\
+	$(LIBSELINUX_CFLAGS)	 			\
 	-DLANG_CONFIG_FILE=\"$(LANG_CONFIG_FILE)\"	\
 	$(NULL)
 
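Review bot: Nothing in this commit defines `LIBSELINUX_CFLAGS` or `LIBSELINUX_LIBS` (the diffstat lists only Makefile.am and gdm-session-worker.c), so both this hunk and the `gdm_session_worker_LDADD` hunk below rely on configure.ac already substituting them and defining `HAVE_SELINUX`; if it does not, the flags expand to nothing and the `#ifdef HAVE_SELINUX` block in the worker is silently compiled out. Worth confirming against configure.ac before merging, since a missing check would leave the exec context un-reset with no build error to show it. A small style point: the added line mixes a tab, a space and tabs before the continuation backslash, unlike the surrounding lines.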
@@ -291,6 +292,7 @@ gdm_session_worker_LDADD = 			\
 	$(top_builddir)/common/libgdmcommon.la	\
 	$(DAEMON_LIBS)				\
 	$(SYSTEMD_LIBS) 			\
+	$(LIBSELINUX_LIBS) 			\
 	$(NULL)
 
 sbin_PROGRAMS = 			\
diff --git a/daemon/gdm-session-worker.c b/daemon/gdm-session-worker.c
index 190123d..1ccc0b7 100644
--- a/daemon/gdm-session-worker.c
+++ b/daemon/gdm-session-worker.c
@@ -46,6 +46,10 @@
 #include <systemd/sd-daemon.h>
 #endif
 
+#ifdef HAVE_SELINUX
+#include <selinux/selinux.h>
+#endif /* HAVE_SELINUX */
+
 #include "gdm-common.h"
 #include "gdm-log.h"
 #include "gdm-session-worker.h"
@@ -1876,6 +1880,13 @@ gdm_session_worker_start_session (GdmSessionWorker  *worker,
                 _exit (127);
         }
 
+        /* If we end up execing again, make sure we don't use the executable context set up
+         * by pam_selinux durin pam_open_session
+         */
+#ifdef HAVE_SELINUX
+        setexeccon (NULL);
+#endif
+
         worker->priv->child_pid = session_pid;
 
         g_debug ("GdmSessionWorker: session opened creating reply...");
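Review bot: The return value of `setexeccon (NULL)` in the added block is discarded, so if the reset fails the worker's later fork()/exec() of unlock workers still runs under the user-specific context this commit is meant to avoid, and nothing in the log shows it. I would check it and warn: `if (setexeccon (NULL) < 0)` followed by `g_warning ("GdmSessionWorker: unable to reset SELinux exec context: %s", g_strerror (errno));` (this presumes errno.h is already included in this file; confirm). The new comment also has a typo, `durin` should read `during`. gdm_session_worker_start_session begins and ends outside the hunk.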


