#! /usr/libexec/platform-python -EsI # Authors: Dan Walsh <dwalsh@redhat.com> # Authors: Thomas Liu <tliu@fedoraproject.org> # Authors: Josh Cogliati # # Copyright (C) 2009,2010 Red Hat # see file 'COPYING' for use and warranty information # # This program is free software; you can redistribute it and/or # modify it under the terms of the GNU General Public License as # published by the Free Software Foundation; version 2 only # # This program is distributed in the hope that it will be useful, # but WITHOUT ANY WARRANTY; without even the implied warranty of # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the # GNU General Public License for more details. # # You should have received a copy of the GNU General Public License # along with this program; if not, write to the Free Software # Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA # import os import stat import sys import socket import random import fcntl import shutil import re import subprocess import selinux import signal from tempfile import mkdtemp import pwd import sepolicy SEUNSHARE = "/usr/sbin/seunshare" SANDBOXSH = "/usr/share/sandbox/sandboxX.sh" PROGNAME = "selinux-sandbox" try: import gettext kwargs = {} if sys.version_info < (3,): kwargs['unicode'] = True gettext.install(PROGNAME, localedir="/usr/share/locale", codeset='utf-8', **kwargs) except: try: import builtins builtins.__dict__['_'] = str except ImportError: import __builtin__ __builtin__.__dict__['_'] = unicode DEFAULT_WINDOWSIZE = "1000x700" DEFAULT_TYPE = "sandbox_t" DEFAULT_X_TYPE = "sandbox_x_t" SAVE_FILES = {} random.seed(None) def sighandler(signum, frame): signal.signal(signum, signal.SIG_IGN) os.kill(0, signum) raise KeyboardInterrupt def setup_sighandlers(): signal.signal(signal.SIGHUP, sighandler) signal.signal(signal.SIGQUIT, sighandler) signal.signal(signal.SIGTERM, sighandler) def error_exit(msg): sys.stderr.write("%s: " % sys.argv[0]) sys.stderr.write("%s\n" % msg) sys.stderr.flush() sys.exit(1) def copyfile(file, srcdir, dest): import re if file.startswith(srcdir): dname = os.path.dirname(file) bname = os.path.basename(file) if dname == srcdir: dest = dest + "/" + bname else: newdir = re.sub(srcdir, dest, dname) if not os.path.exists(newdir): os.makedirs(newdir) dest = newdir + "/" + bname try: if os.path.isdir(file): shutil.copytree(file, dest) else: shutil.copy2(file, dest) except shutil.Error as elist: for e in elist.message: sys.stderr.write(e[2]) SAVE_FILES[file] = (dest, os.path.getmtime(dest)) def savefile(new, orig, X_ind): copy = False if(X_ind): import gi gi.require_version('Gtk', '3.0') from gi.repository import Gtk dlg = Gtk.MessageDialog(None, 0, Gtk.MessageType.INFO, Gtk.ButtonsType.YES_NO, _("Do you want to save changes to '%s' (Y/N): ") % orig) dlg.set_title(_("Sandbox Message")) dlg.set_position(Gtk.WindowPosition.MOUSE) dlg.show_all() rc = dlg.run() dlg.destroy() if rc == Gtk.ResponseType.YES: copy = True else: try: input = raw_input except NameError: pass ans = input(_("Do you want to save changes to '%s' (y/N): ") % orig) if(re.match(_("[yY]"), ans)): copy = True if(copy): shutil.copy2(new, orig) def reserve(level): sock = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM) sock.bind("\0%s" % level) fcntl.fcntl(sock.fileno(), fcntl.F_SETFD, fcntl.FD_CLOEXEC) def get_range(): try: level = selinux.getcon_raw()[1].split(":")[4] lowc, highc = level.split(".") low = int(lowc[1:]) high = int(highc[1:]) + 1 if high - low == 0: raise IndexError return low, high except IndexError: raise ValueError(_("User account must be setup with an MCS Range")) def gen_mcs(): low, high = get_range() level = None ctr = 0 total = high - low total = (total * (total - 1)) / 2 while ctr < total: ctr += 1 i1 = random.randrange(low, high) i2 = random.randrange(low, high) if i1 == i2: continue if i1 > i2: tmp = i1 i1 = i2 i2 = tmp level = "s0:c%d,c%d" % (i1, i2) try: reserve(level) except socket.error: continue break if level: return level raise ValueError(_("Failed to find any unused category sets. Consider a larger MCS range for this user.")) def fullpath(cmd): for i in ["/", "./", "../"]: if cmd.startswith(i): return cmd for i in os.environ["PATH"].split(':'): f = "%s/%s" % (i, cmd) if os.access(f, os.X_OK): return f return cmd class Sandbox: SYSLOG = "/var/log/messages" def __init__(self): self.setype = DEFAULT_TYPE self.__options = None self.__cmds = None self.__init_files = [] self.__paths = [] self.__mount = False self.__level = None self.__homedir = None self.__tmpdir = None def __validate_mount(self): if self.__options.level: if not self.__options.homedir or not self.__options.tmpdir: self.usage(_("Homedir and tempdir required for level mounts")) if not os.path.exists(SEUNSHARE): raise ValueError(_(""" %s is required for the action you want to perform. """) % SEUNSHARE) def __mount_callback(self, option, opt, value, parser): self.__mount = True def __x_callback(self, option, opt, value, parser): self.__mount = True setattr(parser.values, option.dest, True) if not os.path.exists(SEUNSHARE): raise ValueError(_(""" %s is required for the action you want to perform. """) % SEUNSHARE) if not os.path.exists(SANDBOXSH): raise ValueError(_(""" %s is required for the action you want to perform. """) % SANDBOXSH) def __validdir(self, option, opt, value, parser): if not os.path.isdir(value): raise IOError("Directory " + value + " not found") setattr(parser.values, option.dest, value) self.__mount = True def __include(self, option, opt, value, parser): rp = os.path.realpath(os.path.expanduser(value)) if not os.path.exists(rp): raise IOError(value + " not found") if rp not in self.__init_files: self.__init_files.append(rp) def __includefile(self, option, opt, value, parser): fd = open(value, "r") for i in fd.readlines(): try: self.__include(option, opt, i[:-1], parser) except IOError as e: sys.stderr.write(str(e)) except TypeError as e: sys.stderr.write(str(e)) fd.close() def __copyfiles(self): files = self.__init_files + self.__paths homedir = pwd.getpwuid(os.getuid()).pw_dir for f in files: copyfile(f, homedir, self.__homedir) copyfile(f, "/tmp", self.__tmpdir) copyfile(f, "/var/tmp", self.__tmpdir) def __setup_sandboxrc(self, wm="/usr/bin/matchbox-window-manager"): execfile = self.__homedir + "/.sandboxrc" fd = open(execfile, "w+") if self.__options.session: fd.write("""#!/bin/sh #TITLE: /etc/gdm/Xsession /etc/gdm/Xsession """) else: command = self.__paths[0] + " " for p in self.__paths[1:]: command += "'%s' " % p fd.write("""#! /bin/sh #TITLE: %s # /usr/bin/test -r ~/.xmodmap && /usr/bin/xmodmap ~/.xmodmap %s & WM_PID=$! if which dbus-run-session >/dev/null 2>&1; then dbus-run-session -- %s else dbus-launch --exit-with-session %s fi kill -TERM $WM_PID 2> /dev/null """ % (command, wm, command, command)) fd.close() os.chmod(execfile, 0o700) def usage(self, message=""): error_exit("%s\n%s" % (self.__parser.usage, message)) def __parse_options(self): from optparse import OptionParser types = "" try: types = _(""" Policy defines the following types for use with the -t: \t%s """) % "\n\t".join(next(sepolicy.info(sepolicy.ATTRIBUTE, "sandbox_type"))['types']) except StopIteration: pass usage = _(""" sandbox [-h] [-l level ] [-[X|M] [-H homedir] [-T tempdir]] [-I includefile ] [-W windowmanager ] [ -w windowsize ] [[-i file ] ...] [ -t type ] command sandbox [-h] [-l level ] [-[X|M] [-H homedir] [-T tempdir]] [-I includefile ] [-W windowmanager ] [ -w windowsize ] [[-i file ] ...] [ -t type ] -S %s """) % types parser = OptionParser(usage=usage) parser.disable_interspersed_args() parser.add_option("-i", "--include", action="callback", callback=self.__include, type="string", help=_("include file in sandbox")) parser.add_option("-I", "--includefile", action="callback", callback=self.__includefile, type="string", help=_("read list of files to include in sandbox from INCLUDEFILE")) parser.add_option("-t", "--type", dest="setype", action="store", default=None, help=_("run sandbox with SELinux type")) parser.add_option("-M", "--mount", action="callback", callback=self.__mount_callback, help=_("mount new home and/or tmp directory")) parser.add_option("-d", "--dpi", dest="dpi", action="store", help=_("dots per inch for X display")) parser.add_option("-S", "--session", action="store_true", dest="session", default=False, help=_("run complete desktop session within sandbox")) parser.add_option("-s", "--shred", action="store_true", dest="shred", default=False, help=_("Shred content before tempory directories are removed")) parser.add_option("-X", dest="X_ind", action="callback", callback=self.__x_callback, default=False, help=_("run X application within a sandbox")) parser.add_option("-H", "--homedir", action="callback", callback=self.__validdir, type="string", dest="homedir", help=_("alternate home directory to use for mounting")) parser.add_option("-T", "--tmpdir", dest="tmpdir", type="string", action="callback", callback=self.__validdir, help=_("alternate /tmp directory to use for mounting")) parser.add_option("-w", "--windowsize", dest="windowsize", type="string", default=DEFAULT_WINDOWSIZE, help="size of the sandbox window") parser.add_option("-W", "--windowmanager", dest="wm", type="string", default="/usr/bin/matchbox-window-manager", help=_("alternate window manager")) parser.add_option("-l", "--level", dest="level", help=_("MCS/MLS level for the sandbox")) parser.add_option("-C", "--capabilities", action="store_true", dest="usecaps", default=False, help="Allow apps requiring capabilities to run within the sandbox.") self.__parser = parser self.__options, cmds = parser.parse_args() if self.__options.X_ind: self.setype = DEFAULT_X_TYPE else: try: next(sepolicy.info(sepolicy.TYPE, "sandbox_t")) except StopIteration: raise ValueError(_("Sandbox Policy is not currently installed.\nYou need to install the selinux-policy-sandbox package in order to run this command")) if self.__options.setype: self.setype = self.__options.setype if self.__mount: self.__validate_mount() if self.__options.session: if not self.__options.setype: self.setype = selinux.getcon()[1].split(":")[2] if not self.__options.homedir or not self.__options.tmpdir: self.usage(_("You must specify a Homedir and tempdir when setting up a session sandbox")) if len(cmds) > 0: self.usage(_("Commands are not allowed in a session sandbox")) self.__options.X_ind = True self.__homedir = self.__options.homedir self.__tmpdir = self.__options.tmpdir else: if self.__options.level: self.__homedir = self.__options.homedir self.__tmpdir = self.__options.tmpdir if len(cmds) == 0: self.usage(_("Command required")) cmds[0] = fullpath(cmds[0]) if not os.access(cmds[0], os.X_OK): self.usage(_("%s is not an executable") % cmds[0]) self.__cmds = cmds for f in cmds: rp = os.path.realpath(f) if os.path.exists(rp): self.__paths.append(rp) else: self.__paths.append(f) def __gen_context(self): if self.__options.level: level = self.__options.level else: level = gen_mcs() con = selinux.getcon()[1].split(":") self.__execcon = "%s:%s:%s:%s" % (con[0], con[1], self.setype, level) self.__filecon = "%s:object_r:sandbox_file_t:%s" % (con[0], level) def __setup_dir(self): selinux.setfscreatecon(self.__filecon) if self.__options.homedir: self.__homedir = self.__options.homedir else: self.__homedir = mkdtemp(dir="/tmp", prefix=".sandbox_home_") if self.__options.tmpdir: self.__tmpdir = self.__options.tmpdir else: self.__tmpdir = mkdtemp(dir="/tmp", prefix=".sandbox_tmp_") self.__copyfiles() selinux.chcon(self.__homedir, self.__filecon, recursive=True) selinux.chcon(self.__tmpdir, self.__filecon, recursive=True) selinux.setfscreatecon(None) def __execute(self): try: cmds = [SEUNSHARE, "-Z", self.__execcon] if self.__options.usecaps: cmds.append('-C') if self.__mount: cmds += ["-t", self.__tmpdir, "-h", self.__homedir] if self.__options.X_ind: if self.__options.dpi: dpi = self.__options.dpi else: import gi gi.require_version('Gtk', '3.0') from gi.repository import Gtk dpi = str(Gtk.Settings.get_default().props.gtk_xft_dpi / 1024) xmodmapfile = self.__homedir + "/.xmodmap" xd = open(xmodmapfile, "w") subprocess.Popen(["/usr/bin/xmodmap", "-pke"], stdout=xd).wait() xd.close() self.__setup_sandboxrc(self.__options.wm) cmds += ["--", SANDBOXSH, self.__options.windowsize, dpi] else: cmds += ["--"] + self.__paths return subprocess.Popen(cmds).wait() pid = os.fork() if pid == 0: rc = os.setsid() if rc: return rc selinux.setexeccon(self.__execcon) os.execv(self.__cmds[0], self.__cmds) rc = os.waitpid(pid, 0) return os.WEXITSTATUS(rc[1]) finally: for i in self.__paths: if i not in SAVE_FILES: continue (dest, mtime) = SAVE_FILES[i] if os.path.getmtime(dest) > mtime: savefile(dest, i, self.__options.X_ind) if self.__homedir and not self.__options.homedir: if self.__options.shred: self.shred(self.__homedir) shutil.rmtree(self.__homedir) if self.__tmpdir and not self.__options.tmpdir: if self.__options.shred: self.shred(self.__homedir) shutil.rmtree(self.__tmpdir) def shred(self, path): for root, dirs, files in os.walk(path): for f in files: dest = root + "/" + f subprocess.Popen(["/usr/bin/shred", dest]).wait() def main(self): try: self.__parse_options() self.__gen_context() if self.__mount: self.__setup_dir() return self.__execute() except KeyboardInterrupt: sys.exit(0) if __name__ == '__main__': setup_sighandlers() if selinux.is_selinux_enabled() != 1: error_exit("Requires an SELinux enabled system") try: sandbox = Sandbox() rc = sandbox.main() except OSError as error: error_exit(error) except ValueError as error: error_exit(error.args[0]) except KeyError as error: error_exit(_("Invalid value %s") % error.args[0]) except IOError as error: error_exit(error) except KeyboardInterrupt: rc = 0 sys.exit(rc)

En construcción …

L’piges 2025 expression l’a nos casinos quelque peu du mien distinct ère technique, pour un’incorporation de réalité monde digital ou accrue. Quelques mutations administrent le concept vers les expériences immersives inédites, dans lesquels les joueurs auront la possibilité se sentir également s’ceux-là étaient particulièrement à l’appartement p’ce salle de jeu, tout en qui est douillettement…
Le « Félidé directement, sauf que l’choix de contact via é-terme conseillé pour assurent mon déclaration évidemment en cas de demande. Je me vous préconisons de bien emporter esprit des critères en bonus , ! leurs terme caporaux en salle de jeu. Il est futur dont les réglages disposent été amarrés en fonction í l’époque…
We don’t know if they’s home rules or any sort of accident, nevertheless these girls are really another thing. Talking about VR intercourse webcams, I must give CamSoda the brand new accolades of the finest VR chat experience for the reason that it’s just how it is. Firstly, your won’t find warmer speak habits somewhere…
I really wear’t brain if you see other porn website list most other than simply exploit. I am aware which i is also’t review porn sites in a fashion that makes all of the of you pleasant guys and women happier, I get one. However, please do not use ThePornDude. Finest Web sites Than simply ThePornDude –…
Allies from Reid have accused Youngkin and his partners of focusing on the brand new candidate because of their sexuality. Reid are Virginia’s basic publicly homosexual statewide nominee. Reid has declined the newest account are their and you can would not action away — leaving group loyal scrambling in order to unite regarding the half…
Which video celebs Camilla Araujo, known for its dominance inside the Social network & Onlyfans. Here are a few a lot more of its personal cara_gioxxx articles right here. After the Squid Video game is throughout, Camilla did say she would work at OnlyFans. It seems like she performed for some time, however, including I…
На врученной вебстранице игрокам предполагаются самые новоиспеченные безвозмездные бездепозитные бонусы игорный дом Игра Авиаклуб за регистрацию возьмите в данное время. Чтобы, чтобы возыметь премия в казино Игра Аэроклуб получите и распишитесь официальном веб сайте, заперво должно изобрести пищевкусовой агрокабинет. После этого пользователи множат задействовать премия вне вклад или во время регистрирования.
Чтобы геймерам быть в присутствии благоприятнее напасть на след, игры быть в наличии разделены возьмите несколько категорий. На наш взгляд, причина звезды содержится во щедрости данных слотов. Начала Loto Club — сие безопасность, прямота вдобавок справедливость.
Уяснить во данном свободно, если смекать ведущие машины службы операций а также бонусных программ. Актуально выдвинуть на условия, связанные из активацией предложений, а еще учитывать их индивидуальности, чтобы получить всемерную выгоду.
Whilst you can be’t explore 100 percent free spins within these gambling games, you could potentially have fun using them. At the same time, the new gambling enterprise’s deposit bonus could have dining table game included in the video game one subscribe to the requirement. For United kingdom players, the newest legality of low GamStop…