packages/policycoreutils
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity
policycoreutils/backport-python-Harden-more-tools-against-rogue-modules.patch
zhangruifang2020 f6d4b53157 backport patches from upstream 
(cherry picked from commit 1003b6b593eac63d4bea5e6ffa36032c8666f601)
2024-01-31 15:12:30 +08:00

99 lines
2.6 KiB
Diff
Raw Blame History

From 94389f21022be68cb048b4b76d32c0f2440b15ee Mon Sep 17 00:00:00 2001
From: Vit Mojzis <vmojzis@redhat.com>
Date: Wed, 6 Dec 2023 15:31:51 +0100
Subject: [PATCH] python: Harden more tools against "rogue" modules
Python scripts present in the same directory as the tool
override regular modules.
Fixes:
#cat > /usr/bin/signal.py <<EOF
import sys
print("BAD GUY!", file=sys.stderr)
sys.exit(1)
EOF
#sandbox date
BAD GUY!
Signed-off-by: Vit Mojzis <vmojzis@redhat.com>
Acked-by: James Carter <jwcart2@gmail.com>
---
dbus/selinux_server.py | 2 +-
gui/polgengui.py | 2 +-
gui/system-config-selinux.py | 6 +++---
sandbox/sandbox | 2 +-
sandbox/start | 2 +-
5 files changed, 7 insertions(+), 7 deletions(-)
diff --git a/dbus/selinux_server.py b/dbus/selinux_server.py
index a969f226..469c526f 100644
--- a/dbus/selinux_server.py
+++ b/dbus/selinux_server.py
@@ -1,4 +1,4 @@
-#!/usr/bin/python3
+#!/usr/bin/python3 -EsI
import dbus
import dbus.service
diff --git a/gui/polgengui.py b/gui/polgengui.py
index 16116ba6..9c151a11 100644
--- a/gui/polgengui.py
+++ b/gui/polgengui.py
@@ -1,4 +1,4 @@
-#!/usr/bin/python3 -Es
+#!/usr/bin/python3 -EsI
#
# polgengui.py - GUI for SELinux Config tool in system-config-selinux
#
diff --git a/gui/system-config-selinux.py b/gui/system-config-selinux.py
index 9f53b7fe..0b6ba4b5 100644
--- a/gui/system-config-selinux.py
+++ b/gui/system-config-selinux.py
@@ -1,4 +1,4 @@
-#!/usr/bin/python3 -Es
+#!/usr/bin/python3 -EsI
#
# system-config-selinux.py - GUI for SELinux Config tool in system-config-selinux
#
@@ -32,6 +32,8 @@ except RuntimeError as e:
print("This is a graphical application and requires DISPLAY to be set.")
sys.exit(1)
+sys.path.append('/usr/share/system-config-selinux')
+
from gi.repository import GObject
import statusPage
import booleansPage
@@ -66,8 +68,6 @@ except:
version = "1.0"
-sys.path.append('/usr/share/system-config-selinux')
-
##
## Pull in the Glade file
diff --git a/sandbox/sandbox b/sandbox/sandbox
index a2762a7d..fe631a92 100644
--- a/sandbox/sandbox
+++ b/sandbox/sandbox
@@ -1,4 +1,4 @@
-#!/usr/bin/python3 -Es
+#!/usr/bin/python3 -EsI
# Authors: Dan Walsh <dwalsh@redhat.com>
# Authors: Thomas Liu <tliu@fedoraproject.org>
# Authors: Josh Cogliati
diff --git a/sandbox/start b/sandbox/start
index 4ed3cb5c..3c1a1783 100644
--- a/sandbox/start
+++ b/sandbox/start
@@ -1,4 +1,4 @@
-#!/usr/bin/python3 -Es
+#!/usr/bin/python3 -EsI
try:
from subprocess import getstatusoutput
except ImportError:
--
2.33.0
Reference in New Issue View Git Blame Copy Permalink