One Hat Cyber Team
Your IP :
216.73.216.216
Server IP :
194.44.31.54
Server :
Linux zen.imath.kiev.ua 4.18.0-553.77.1.el8_10.x86_64 #1 SMP Fri Oct 3 14:30:23 UTC 2025 x86_64
Server Software :
Apache/2.4.37 (Rocky Linux) OpenSSL/1.1.1k
PHP Version :
5.6.40
Buat File
|
Buat Folder
Eksekusi
Dir :
~
/
backup
/
oldserver
/
2
/
bin
/
Edit File:
sandbox
#! /usr/bin/python -Es # Authors: Dan Walsh <dwalsh@redhat.com> # Authors: Thomas Liu <tliu@fedoraproject.org> # Authors: Josh Cogliati # # Copyright (C) 2009,2010 Red Hat # see file 'COPYING' for use and warranty information # # This program is free software; you can redistribute it and/or # modify it under the terms of the GNU General Public License as # published by the Free Software Foundation; version 2 only # # This program is distributed in the hope that it will be useful, # but WITHOUT ANY WARRANTY; without even the implied warranty of # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the # GNU General Public License for more details. # # You should have received a copy of the GNU General Public License # along with this program; if not, write to the Free Software # Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA # import os, stat, sys, socket, random, fcntl, shutil, re, subprocess import selinux import signal from tempfile import mkdtemp import pwd import commands import sepolicy PROGNAME = "policycoreutils" SEUNSHARE = "/usr/sbin/seunshare" SANDBOXSH = "/usr/share/sandbox/sandboxX.sh" import gettext gettext.bindtextdomain(PROGNAME, "/usr/share/locale") gettext.textdomain(PROGNAME) try: gettext.install(PROGNAME, localedir = "/usr/share/locale", unicode=False, codeset = 'utf-8') except IOError: import __builtin__ __builtin__.__dict__['_'] = unicode DEFAULT_WINDOWSIZE = "1000x700" DEFAULT_TYPE = "sandbox_t" DEFAULT_X_TYPE = "sandbox_x_t" SAVE_FILES = {} random.seed(None) def sighandler(signum, frame): signal.signal(signum, signal.SIG_IGN) os.kill(0, signum) raise KeyboardInterrupt def setup_sighandlers(): signal.signal(signal.SIGHUP, sighandler) signal.signal(signal.SIGQUIT, sighandler) signal.signal(signal.SIGTERM, sighandler) def error_exit(msg): sys.stderr.write("%s: " % sys.argv[0]) sys.stderr.write("%s\n" % msg) sys.stderr.flush() sys.exit(1) def copyfile(file, srcdir, dest): import re if file.startswith(srcdir): dname = os.path.dirname(file) bname = os.path.basename(file) if dname == srcdir: dest = dest + "/" + bname else: newdir = re.sub(srcdir, dest, dname) if not os.path.exists(newdir): os.makedirs(newdir) dest = newdir + "/" + bname try: if os.path.isdir(file): shutil.copytree(file, dest) else: shutil.copy2(file, dest) except shutil.Error, elist: for e in elist.message: sys.stderr.write(e[2]) SAVE_FILES[file] = (dest, os.path.getmtime(dest)) def savefile(new, orig, X_ind): copy = False if(X_ind): import gtk dlg = gtk.MessageDialog(None, 0, gtk.MESSAGE_INFO, gtk.BUTTONS_YES_NO, _("Do you want to save changes to '%s' (Y/N): ") % orig) dlg.set_title(_("Sandbox Message")) dlg.set_position(gtk.WIN_POS_MOUSE) dlg.show_all() rc = dlg.run() dlg.destroy() if rc == gtk.RESPONSE_YES: copy = True else: ans = raw_input(_("Do you want to save changes to '%s' (y/N): ") % orig) if(re.match(_("[yY]"),ans)): copy = True if(copy): shutil.copy2(new,orig) def reserve(level): sock = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM) sock.bind("\0%s" % level) fcntl.fcntl(sock.fileno(), fcntl.F_SETFD, fcntl.FD_CLOEXEC) def get_range(): try: level =selinux.getcon_raw()[1].split(":")[4] lowc,highc = level.split(".") low = int(lowc[1:]) high = int(highc[1:])+1 if high - low == 0: raise IndexError return low,high except IndexError: raise ValueError(_("User account must be setup with an MCS Range")) def gen_mcs(): low, high = get_range() level = None ctr = 0 total = high-low total = (total * (total - 1))/2 while ctr < total: ctr += 1 i1 = random.randrange(low, high) i2 = random.randrange(low, high) if i1 == i2: continue if i1 > i2: tmp = i1 i1 = i2 i2 = tmp level = "s0:c%d,c%d" % (i1, i2) try: reserve(level) except socket.error: continue break if level: return level raise ValueError(_("Failed to find any unused category sets. Consider a larger MCS range for this user.")) def fullpath(cmd): for i in [ "/", "./", "../" ]: if cmd.startswith(i): return cmd for i in os.environ["PATH"].split(':'): f = "%s/%s" % (i, cmd) if os.access(f, os.X_OK): return f return cmd class Sandbox: SYSLOG = "/var/log/messages" def __init__(self): self.setype = DEFAULT_TYPE self.__options = None self.__cmds = None self.__init_files = [] self.__paths = [] self.__mount = False self.__level = None self.__homedir = None self.__tmpdir = None def __validate_mount(self): if self.__options.level: if not self.__options.homedir or not self.__options.tmpdir: self.usage(_("Homedir and tempdir required for level mounts")) if not os.path.exists(SEUNSHARE): raise ValueError(_(""" %s is required for the action you want to perform. """) % SEUNSHARE) def __mount_callback(self, option, opt, value, parser): self.__mount = True def __x_callback(self, option, opt, value, parser): self.__mount = True setattr(parser.values, option.dest, True) if not os.path.exists(SEUNSHARE): raise ValueError(_(""" %s is required for the action you want to perform. """) % SEUNSHARE) if not os.path.exists(SANDBOXSH): raise ValueError(_(""" %s is required for the action you want to perform. """) % SANDBOXSH) def __validdir(self, option, opt, value, parser): if not os.path.isdir(value): raise IOError("Directory "+value+" not found") setattr(parser.values, option.dest, value) self.__mount = True def __include(self, option, opt, value, parser): rp = os.path.realpath(os.path.expanduser(value)) if not os.path.exists(rp): raise IOError(value+" not found") if rp not in self.__init_files: self.__init_files.append(rp) def __includefile(self, option, opt, value, parser): fd = open(value, "r") for i in fd.readlines(): try: self.__include(option, opt, i[:-1], parser) except IOError, e: sys.stderr.write(str(e)) except TypeError, e: sys.stderr.write(str(e)) fd.close() def __copyfiles(self): files = self.__init_files + self.__paths homedir=pwd.getpwuid(os.getuid()).pw_dir for f in files: copyfile(f, homedir, self.__homedir) copyfile(f, "/tmp", self.__tmpdir) copyfile(f, "/var/tmp", self.__tmpdir) def __setup_sandboxrc(self, wm = "/usr/bin/openbox"): execfile =self.__homedir + "/.sandboxrc" fd = open(execfile, "w+") if self.__options.session: fd.write("""#!/bin/sh #TITLE: /etc/gdm/Xsession /etc/gdm/Xsession """) else: command = self.__paths[0] + " " for p in self.__paths[1:]: command += "'%s' " % p fd.write("""#! /bin/sh #TITLE: %s /usr/bin/test -r ~/.xmodmap && /usr/bin/xmodmap ~/.xmodmap %s & WM_PID=$! dbus-launch --exit-with-session %s kill -TERM $WM_PID 2> /dev/null """ % (command, wm, command)) fd.close() os.chmod(execfile, 0700) def usage(self, message = ""): error_exit("%s\n%s" % (self.__parser.usage, message)) def __parse_options(self): from optparse import OptionParser types = "" try: types = _(""" Policy defines the following types for use with the -t: \t%s """) % "\n\t".join(sepolicy.info(sepolicy.ATTRIBUTE, "sandbox_type")[0]['types']) except RuntimeError: pass usage = _(""" sandbox [-h] [-l level ] [-[X|M] [-H homedir] [-T tempdir]] [-I includefile ] [-W windowmanager ] [ -w windowsize ] [[-i file ] ...] [ -t type ] command sandbox [-h] [-l level ] [-[X|M] [-H homedir] [-T tempdir]] [-I includefile ] [-W windowmanager ] [ -w windowsize ] [[-i file ] ...] [ -t type ] -S %s """) % types parser = OptionParser(usage=usage) parser.disable_interspersed_args() parser.add_option("-i", "--include", action="callback", callback=self.__include, type="string", help=_("include file in sandbox")) parser.add_option("-I", "--includefile", action="callback", callback=self.__includefile, type="string", help=_("read list of files to include in sandbox from INCLUDEFILE")) parser.add_option("-t", "--type", dest="setype", action="store", default=None, help=_("run sandbox with SELinux type")) parser.add_option("-M", "--mount", action="callback", callback=self.__mount_callback, help=_("mount new home and/or tmp directory")) parser.add_option("-d", "--dpi", dest="dpi", action="store", help=_("dots per inch for X display")) parser.add_option("-S", "--session", action="store_true", dest="session", default=False, help=_("run complete desktop session within sandbox")) parser.add_option("-s", "--shred", action="store_true", dest="shred", default=False, help=_("Shred content before tempory directories are removed")) parser.add_option("-X", dest="X_ind", action="callback", callback=self.__x_callback, default=False, help=_("run X application within a sandbox")) parser.add_option("-H", "--homedir", action="callback", callback=self.__validdir, type="string", dest="homedir", help=_("alternate home directory to use for mounting")) parser.add_option("-T", "--tmpdir", dest="tmpdir", type="string", action="callback", callback=self.__validdir, help=_("alternate /tmp directory to use for mounting")) parser.add_option("-w", "--windowsize", dest="windowsize", type="string", default=DEFAULT_WINDOWSIZE, help="size of the sandbox window") parser.add_option("-W", "--windowmanager", dest="wm", type="string", default="/usr/bin/openbox", help=_("alternate window manager")) parser.add_option("-l", "--level", dest="level", help=_("MCS/MLS level for the sandbox")) parser.add_option("-C", "--capabilities", action="store_true", dest="usecaps", default=False, help="Allow apps requiring capabilities to run within the sandbox.") self.__parser=parser self.__options, cmds = parser.parse_args() if self.__options.X_ind: self.setype = DEFAULT_X_TYPE else: try: sepolicy.info(sepolicy.TYPE, "sandbox_t") except RuntimeError: raise ValueError(_("Sandbox Policy is not currently installed.\nYou need to install the selinux-policy-sandbox package in order to run this command")) if self.__options.setype: self.setype = self.__options.setype if self.__mount: self.__validate_mount() if self.__options.session: if not self.__options.setype: self.setype = selinux.getcon()[1].split(":")[2] if not self.__options.homedir or not self.__options.tmpdir: self.usage(_("You must specify a Homedir and tempdir when setting up a session sandbox")) if len(cmds) > 0: self.usage(_("Commands are not allowed in a session sandbox")) self.__options.X_ind = True self.__homedir = self.__options.homedir self.__tmpdir = self.__options.tmpdir else: if self.__options.level: self.__homedir = self.__options.homedir self.__tmpdir = self.__options.tmpdir if len(cmds) == 0: self.usage(_("Command required")) cmds[0] = fullpath(cmds[0]) if not os.access(cmds[0], os.X_OK): self.usage(_("%s is not an executable") % cmds[0] ) self.__cmds = cmds for f in cmds: rp = os.path.realpath(f) if os.path.exists(rp): self.__paths.append(rp) else: self.__paths.append(f) def __gen_context(self): if self.__options.level: level = self.__options.level else: level = gen_mcs() con = selinux.getcon()[1].split(":") self.__execcon = "%s:%s:%s:%s" % (con[0], con[1], self.setype, level) self.__filecon = "%s:object_r:sandbox_file_t:%s" % (con[0], level) def __setup_dir(self): if self.__options.level or self.__options.session: return if self.__options.homedir: selinux.chcon(self.__options.homedir, self.__filecon, recursive=True) self.__homedir = self.__options.homedir else: selinux.setfscreatecon(self.__filecon) self.__homedir = mkdtemp(dir="/tmp", prefix=".sandbox_home_") if self.__options.tmpdir: selinux.chcon(self.__options.tmpdir, self.__filecon, recursive=True) self.__tmpdir = self.__options.tmpdir else: selinux.setfscreatecon(self.__filecon) self.__tmpdir = mkdtemp(dir="/tmp", prefix=".sandbox_tmp_") selinux.setfscreatecon(None) self.__copyfiles() def __execute(self): try: cmds = [ SEUNSHARE, "-Z", self.__execcon ] if self.__options.usecaps: cmds.append('-C') if self.__mount: cmds += [ "-t", self.__tmpdir, "-h", self.__homedir ] if self.__options.X_ind: if self.__options.dpi: dpi = self.__options.dpi else: import gtk dpi = str(gtk.settings_get_default().props.gtk_xft_dpi/1024) xmodmapfile = self.__homedir + "/.xmodmap" xd = open(xmodmapfile,"w") subprocess.Popen(["/usr/bin/xmodmap","-pke"],stdout=xd).wait() xd.close() self.__setup_sandboxrc(self.__options.wm) cmds += [ "--", SANDBOXSH, self.__options.windowsize, dpi ] else: cmds += [ "--" ] + self.__paths return subprocess.Popen(cmds).wait() selinux.setexeccon(self.__execcon) rc = subprocess.Popen(self.__cmds).wait() selinux.setexeccon(None) return rc finally: for i in self.__paths: if i not in SAVE_FILES: continue (dest, mtime) = SAVE_FILES[i] if os.path.getmtime(dest) > mtime: savefile(dest, i, self.__options.X_ind) if self.__homedir and not self.__options.homedir: if self.__options.shred: self.shred(self.__homedir) shutil.rmtree(self.__homedir) if self.__tmpdir and not self.__options.tmpdir: if self.__options.shred: self.shred(self.__homedir) shutil.rmtree(self.__tmpdir) def shred(self, path): for root, dirs, files in os.walk(path): for f in files: dest = root + "/" + f subprocess.Popen(["/usr/bin/shred",dest]).wait() def main(self): try: self.__parse_options() self.__gen_context() self.__setup_dir() return self.__execute() except KeyboardInterrupt: sys.exit(0) if __name__ == '__main__': setup_sighandlers() if selinux.is_selinux_enabled() != 1: error_exit("Requires an SELinux enabled system") try: sandbox = Sandbox() rc = sandbox.main() except OSError, error: error_exit(error) except ValueError, error: error_exit(error.args[0]) except KeyError, error: error_exit(_("Invalid value %s") % error.args[0]) except IOError, error: error_exit(error) except KeyboardInterrupt: rc = 0 sys.exit(rc)
Simpan