diff options
author | Michael Stone <michael@laptop.org> | 2009-04-12 08:41:14 (GMT) |
---|---|---|
committer | Michael Stone <michael@laptop.org> | 2009-04-12 08:41:14 (GMT) |
commit | e81c6ce196116d6b6afe0efbfb559012820c88f2 (patch) | |
tree | c8edacc541e45bbbe1fe9584d2b6e693029290e4 /rainbow | |
parent | 4cb3c824c551be9d6379d851a7090ec2e8ebd673 (diff) |
Make xephyr optional, drop strace option.
Diffstat (limited to 'rainbow')
-rwxr-xr-x | rainbow/bin/rainbow-easy | 2 | ||||
-rwxr-xr-x | rainbow/bin/rainbow-run | 11 | ||||
-rw-r--r-- | rainbow/rainbow/inject.py | 75 |
3 files changed, 44 insertions, 44 deletions
diff --git a/rainbow/bin/rainbow-easy b/rainbow/bin/rainbow-easy index ac6381a..060c13c 100755 --- a/rainbow/bin/rainbow-easy +++ b/rainbow/bin/rainbow-easy @@ -23,4 +23,4 @@ for kv in env: EOF` fi -exec rainbow-run -s /var/spool/rainbow/2 -u "$SUDO_USER" -c "`pwd`" -f 0 -f 1 -f 2 -i "${SUDO_USER}_${ID}" -E "DISPLAY=$DISPLAY" -a /usr/bin/rainbow-xify -o audio -- $@ +exec rainbow-run -v -v -v -s /var/spool/rainbow/2 -u "$SUDO_USER" -c "`pwd`" -f 0 -f 1 -f 2 -i "${SUDO_USER}_${ID}" -E "DISPLAY=$DISPLAY" -a /usr/bin/rainbow-xify -o audio -o xephyr -- $@ diff --git a/rainbow/bin/rainbow-run b/rainbow/bin/rainbow-run index fc68e4d..2fa8d95 100755 --- a/rainbow/bin/rainbow-run +++ b/rainbow/bin/rainbow-run @@ -35,7 +35,7 @@ def main(): parser.add_option('-i', '--id', default=None, help="ID of shared-data group.") parser.add_option('-o', '--option', default=[], action='append', - help="Options: video, audio, serial, constant-uid, strace.") + help="Options: video, audio, serial, constant-uid, xephyr.") parser.add_option('-p', '--permissions', default=None, help="Location of a permissions.info file.") parser.add_option('-u', '--user', default=None, @@ -73,8 +73,8 @@ def main(): def check_groups(opts): return [grp.getgrnam(g)[2] for g in opts.group] - def check_strace(opts): - return 'strace' in opts.option + def check_xephyr(opts): + return 'xephyr' in opts.option def check_constant_uid(opts): return 'constant-uid' in opts.option @@ -108,15 +108,16 @@ def main(): pset = PermissionSet(opts.permissions or []) # Dirty hack -- pass 'constant-uid' and 'strace' in as permissions. <MS> - for perm in ('constant-uid', 'strace', 'audio', 'video', 'serial'): + for perm in ('constant-uid', 'audio', 'video', 'serial'): pset._permissions.setdefault(perm, locals()['check_'+perm.replace('-','_')](opts)) data_id = check_data_id(opts) assistant = check_assistant(opts) + xephyr = check_xephyr(opts) resume_uid = None - args = (report, spool, env, argv, cwd, pset, safe_fds, uid, gid, resume_uid, groups, [data_id], assistant) + args = (report, spool, env, argv, cwd, pset, safe_fds, uid, gid, resume_uid, groups, [data_id], assistant, xephyr) report(1, 'rainbow:\n%s', pformat(args)) unshare(CLONE_NEWNS) diff --git a/rainbow/rainbow/inject.py b/rainbow/rainbow/inject.py index 0b01f3b..7dec051 100644 --- a/rainbow/rainbow/inject.py +++ b/rainbow/rainbow/inject.py @@ -87,40 +87,39 @@ def mount_fsen(log, _): mount('tmpfs', '/var/tmp', 'tmpfs', 0, '') def run_assistant(log, assistant, env, owner_uid, owner_gid, uid, groups, safe_fds): - if assistant: - envdir = None - try: - envdir = mkdtemp() - chown(envdir, owner_uid, owner_gid) - pid = fork() - except: - if envdir: check_call(['/bin/rm', '-rf', envdir]) - raise + envdir = None + try: + envdir = mkdtemp() + chown(envdir, owner_uid, owner_gid) + pid = fork() + except: + if envdir: check_call(['/bin/rm', '-rf', envdir]) + raise + else: + if not pid: + log(1, 'Dropping privilege to run assistant.') + setgroups(groups) + setgid(owner_gid) + setuid(owner_uid) + log(1, 'Closing fds.') + for fd in get_fds(): + if fd not in safe_fds: + try: os.close(fd) # propagate failure from EIO or EBADF. + except: pass + log(1, 'Running assistant.') + assistant_argv = [assistant, '-v', '-v', '-v', '-u', str(uid), '-e', envdir] + log(1, '%r %r', assistant_argv, env) + execvpe(assistant_argv[0], assistant_argv, env) + _exit(55) else: - if not pid: - log(1, 'Dropping privilege to run assistant.') - setgroups(groups) - setgid(owner_gid) - setuid(owner_uid) - log(1, 'Closing fds.') - for fd in get_fds(): - if fd not in safe_fds: - try: os.close(fd) # propagate failure from EIO or EBADF. - except: pass - log(1, 'Running assistant.') - assistant_argv = [assistant, '-v', '-v', '-v', '-u', str(uid), '-e', envdir] - log(1, '%r %r', assistant_argv, env) - execvpe(assistant_argv[0], assistant_argv, env) - _exit(55) - else: - try: - pid, status = waitpid(pid, 0) - log(1, 'Assistant returned %d.', status) - assert not WEXITSTATUS(status) - return read_envdir(envdir) - finally: - log(1, 'pid %d uid %d', getpid(), getuid()) - if envdir: check_call(['/bin/rm', '-rf', envdir]) + try: + pid, status = waitpid(pid, 0) + log(1, 'Assistant returned %d.', status) + assert not WEXITSTATUS(status) + return read_envdir(envdir) + finally: + log(1, 'pid %d uid %d', getpid(), getuid()) + if envdir: check_call(['/bin/rm', '-rf', envdir]) def launch(log, _, uid, gid, groups, argv, env, cwd, pset, safe_fds): # Set appropriate group membership(s), depending on requested permissions @@ -251,7 +250,7 @@ def check_uid(_, spool, owner_uid, uid): assert readlink(join(spool, 'uid_to_owner_uid', str(uid))) == str(owner_uid) def inject(log, spool, env, argv, cwd, pset, safe_fds, owner_uid, owner_gid, - uid, groups, data_groups, assistant): + uid, groups, data_groups, assistant, xephyr): # Note: exceptions are intended to bubble up to the caller and should # terminate execution. check_data_groups(data_groups) @@ -280,10 +279,10 @@ def inject(log, spool, env, argv, cwd, pset, safe_fds, owner_uid, owner_gid, check_home(uid, gid, home) groups = configure_groups(log, owner_uid, groups, gid, data_group_to_gid, pset) - env_updates = configure_xephyr(log, spool, owner_gid, uid, env, safe_fds) - if env_updates: env.update(env_updates) - env_updates = run_assistant(log, assistant, env, owner_uid, owner_gid, uid, groups, safe_fds) - if env_updates: env.update(env_updates) + if xephyr: + env.update(configure_xephyr(log, spool, owner_gid, uid, env, safe_fds)) + if assistant: + env.update(run_assistant(log, assistant, env, owner_uid, owner_gid, uid, groups, safe_fds)) mount_fsen(log, home) |