sandbox: create a new session for sandboxed processes

It helps to prevent sandboxed processes to inject arbitrary commands into the parent. Signed-off-by: Petr Lautrbach <plautrba@redhat.com>
SELinuxProject · Sep 23, 2016 · acca96a · acca96a
1 parent 5b98f39
commit acca96a
Showing 1 changed file with 9 additions and 4 deletions.
diff --git a/policycoreutils/sandbox/sandbox b/policycoreutils/sandbox/sandbox
@@ -471,10 +471,15 @@ sandbox [-h] [-l level ] [-[X|M] [-H homedir] [-T tempdir]] [-I includefile ] [-
                     cmds += ["--"] + self.__paths
                 return subprocess.Popen(cmds).wait()
 
-            selinux.setexeccon(self.__execcon)
-            rc = subprocess.Popen(self.__cmds).wait()
-            selinux.setexeccon(None)
-            return rc
+            pid = os.fork()
+            if pid == 0:
+                rc = os.setsid()
+                if rc:
+                    return rc
+                selinux.setexeccon(self.__execcon)
+                os.execv(self.__cmds[0], self.__cmds)
+            rc = os.waitpid(pid, 0)
+            return os.WEXITSTATUS(rc[1])
 
         finally:
             for i in self.__paths: