It appears that the only reason we were force loading the usbcore
module was to facilitate mounting usbfs. Since we no longer mount
usbfs, this is no longer necessary.
X-Gentoo-Bug: 480312
X-Gentoo-Bug-URL: https://bugs.gentoo.org/show_bug.cgi?id=480312
The usbfs and usbdevfs file systems have been deprecated since
Linux-2.6.32, so we remove the code to automount them.
X-Gentoo-Bug: 480312
X-Gentoo-Bug-URL: https://bugs.gentoo.org/show_bug.cgi?id=480312
The selinux file system is mounted under /sys, so move the code for it
to the appropriate service.
X-Gentoo-Bug: 546290
X-Gentoo-Bug-URL: https://bugs.gentoo.org/show_bug.cgi?id=546290
Tmpfiles.d processing had /run overriding /usr/lib and /etc, but this is
not correct. The correct order, from lowest to highest, for tmpfiles
processing is:
* /usr/lib/tmpfiles.d/*.conf
* /run/tmpfiles.d/*.conf
* /etc/tmpfiles.d
This means /run/tmpfiles.d/*.conf can override /etc/tmpfiles.d/*.conf,
but /etc/tmpfiles.d/*.conf can override both of them.
This fixes#49.
The local service should use eval when it executes scripts since it has
the redirection set up in a variable.
This fixes#50.
X-Gentoo-Bug: 545012
X-Gentoo-Bug-URL: https://bugs.gentoo.org/show_bug.cgi?id=545012
If selinux is disabled, then stub methods will be provided instead of
calling the real methods. This removes some warnings about unused
parameters which used to be covered up with #ifdef HAVE_SELINUX.
Signed-off-by: Jason Zaman <jason@perfinion.com>
The previous fix to --test (PR #34) prevented reading one too many
arguments when --exec -or --name was not specified, but created a
regression where the last argument would not print if either of those
arguments was specified. This corrects the issue.
Fixes#41.
checkpath -W can fail if the specified path doesn't actually exist yet.
In this case savecache script should attempt to create the path if it is
missing, however it is pre-empted by the checkpath call. This patch adds
an explicit existence test before executing checkpath.
This fixes#36.
If /tmp or / are read-only, the clean_run function can fail in some very
bad ways.
1. dir=$(mktemp -d) returns an EMPTY string on error.
2. "mount -o bind / $dir", and don't check the result of that,
3. "rm -rf $dir/run/*", which removes the REAL /run contents
4. box gets very weird from this point forward
Signed-Off-By: Robin H. Johnson <robbat2@gentoo.org>
Signed-Off-By: Chip Parker <infowolfe@gmail.com>
Reported-by: Chip Parker <infowolfe@gmail.com>
Tested-by: Chip Parker <infowolfe@gmail.com>
This is another security fix. If you use chown() or chmod() on a
symbolic link, it affects the referenced file, not the symbolic link
itself.
X-Gentoo-Bug: 540006
X-Gentoo-Bug-URL: https://bugs.gentoo.org/show_bug.cgi?id=540006
The local service now redirects stdout and stderr for the scripts it
runs to /dev/null unless it is run in verbose mode.
X-Gentoo-Bug: 537444
X-Gentoo-Bug-URL: https://bugs.gentoo.org/show_bug.cgi?id=537444
Do not change permissions on the target if it is a file and has multiple
hard links. This is necessary because a hard link can be an attack
vector to gain privilege escalation.
X-Gentoo-Bug: 540006
X-Gentoo-Bug-URL: https://bugs.gentoo.org/show_bug.cgi?id=540006
sysfs now mounts all related sysfs file systems and returns success,
like netmount and localmount.
Also, we now check to make sure the cgroups are not mounted before we
mount them.
X-Gentoo-Bug: 530138
X-Gentoo-Bug-URL: https://bugs.gentoo.org/show_bug.cgi?id=530138
runscript used to dlopen() runscript_selinux.so. This adds equivalent
functionality directly in to runscript instead. It authenticates with
either PAM or shadow and optionally has a dep on audit.
X-Gentoo-Bug: 517450
X-Gentoo-Bug-URL: https://bugs.gentoo.org/show_bug.cgi?id=517450
Fixes#25
Note from William Hubbs:
The original patch overwrote CFLAGS. I modified this patch to add the
ncurses cflags to CPPFLAGS instead of overwriting CFLAGS.