findutils/findutils-selinux.patch
2005-03-17 13:24:54 +00:00

444 lines
13 KiB
Diff
Raw Blame History

This file contains invisible Unicode characters

This file contains invisible Unicode characters that are indistinguishable to humans but may be processed differently by a computer. If you think that this is intentional, you can safely ignore this warning. Use the Escape button to reveal them.

--- findutils-4.2.20/find/util.c.selinux 2005-01-24 16:12:31.000000000 +0000
+++ findutils-4.2.20/find/util.c 2005-03-17 13:14:11.000000000 +0000
@@ -70,6 +70,9 @@
last_pred->need_stat = true;
last_pred->need_type = true;
last_pred->args.str = NULL;
+#ifdef WITH_SELINUX
+ last_pred->args.scontext = NULL;
+#endif
last_pred->pred_next = NULL;
last_pred->pred_left = NULL;
last_pred->pred_right = NULL;
--- findutils-4.2.20/find/find.c.selinux 2005-03-03 22:30:10.000000000 +0000
+++ findutils-4.2.20/find/find.c 2005-03-17 13:14:11.000000000 +0000
@@ -239,6 +239,93 @@
{
return lstat(name, p);
}
+#ifdef WITH_SELINUX
+
+static int
+fallback_getfilecon(const char *name, security_context_t *p, int prev_rv)
+{
+ /* Our original getfilecon() call failed. Perhaps we can't follow a
+ * symbolic link. If that might be the problem, lgetfilecon() the link.
+ * Otherwise, admit defeat.
+ */
+ switch (errno)
+ {
+ case ENOENT:
+ case ENOTDIR:
+#ifdef DEBUG_STAT
+ fprintf(stderr, "fallback_getfilecon(): getfilecon(%s) failed; falling back on lgetfilecon()\n", name);
+#endif
+ return lgetfilecon(name, p);
+
+ case EACCES:
+ case EIO:
+ case ELOOP:
+ case ENAMETOOLONG:
+#ifdef EOVERFLOW
+ case EOVERFLOW: /* EOVERFLOW is not #defined on UNICOS. */
+#endif
+ default:
+ return prev_rv;
+ }
+}
+
+
+/* optionh_getfilecon() implements the getfilecon operation when the
+ * -H option is in effect.
+ *
+ * If the item to be examined is a command-line argument, we follow
+ * symbolic links. If the getfilecon() call fails on the command-line
+ * item, we fall back on the properties of the symbolic link.
+ *
+ * If the item to be examined is not a command-line argument, we
+ * examine the link itself.
+ */
+int
+optionh_getfilecon(const char *name, security_context_t *p)
+{
+ if (0 == state.curdepth)
+ {
+ /* This file is from the command line; deference the link (if it
+ * is a link).
+ */
+ int rv = getfilecon(name, p);
+ if (0 == rv)
+ return 0; /* success */
+ else
+ return fallback_getfilecon(name, p, rv);
+ }
+ else
+ {
+ /* Not a file on the command line; do not derefernce the link.
+ */
+ return lgetfilecon(name, p);
+ }
+}
+
+/* optionl_getfilecon() implements the getfilecon operation when the
+ * -L option is in effect. That option makes us examine the thing the
+ * symbolic link points to, not the symbolic link itself.
+ */
+int
+optionl_getfilecon(const char *name, security_context_t *p)
+{
+ int rv = getfilecon(name, p);
+ if (0 == rv)
+ return 0; /* normal case. */
+ else
+ return fallback_getfilecon(name, p, rv);
+}
+
+/* optionp_getfilecon() implements the stat operation when the -P
+ * option is in effect (this is also the default). That option makes
+ * us examine the symbolic link itself, not the thing it points to.
+ */
+int
+optionp_getfilecon(const char *name, security_context_t *p)
+{
+ return lgetfilecon(name, p);
+}
+#endif /* WITH_SELINUX */
#ifdef DEBUG_STAT
static uintmax_t stat_count = 0u;
@@ -267,11 +354,17 @@
{
case SYMLINK_ALWAYS_DEREF: /* -L */
options.xstat = optionl_stat;
+#ifdef WITH_SELINUX
+ options.x_getfilecon = optionl_getfilecon;
+#endif /* WITH_SELINUX */
options.no_leaf_check = true;
break;
case SYMLINK_NEVER_DEREF: /* -P (default) */
options.xstat = optionp_stat;
+#ifdef WITH_SELINUX
+ options.x_getfilecon = optionp_getfilecon;
+#endif /* WITH_SELINUX */
/* Can't turn no_leaf_check off because the user might have specified
* -noleaf anyway
*/
@@ -279,6 +372,9 @@
case SYMLINK_DEREF_ARGSONLY: /* -H */
options.xstat = optionh_stat;
+#ifdef WITH_SELINUX
+ options.x_getfilecon = optionh_getfilecon;
+#endif /* WITH_SELINUX */
options.no_leaf_check = true;
}
@@ -384,6 +480,9 @@
int
main (int argc, char **argv)
{
+#ifdef WITH_SELINUX
+ int is_selinux_enabled_flag = is_selinux_enabled()>0;
+#endif /* WITH_SELINUX */
int i;
PFB parse_function; /* Pointer to the function which parses. */
struct predicate *cur_pred;
@@ -512,6 +611,14 @@
if (strchr ("-!(),", argv[i][0]) == NULL)
usage (_("paths must precede expression"));
predicate_name = argv[i];
+#ifdef WITH_SELINUX
+ if (! is_selinux_enabled_flag) {
+ if ((strncmp(predicate_name,"-context",strlen("-context"))==0) ||
+ (strncmp(predicate_name,"--context",strlen("--context"))==0)) {
+ error (1, 0,_("Error: invalid predicate %s: the kernel is not selinux-enabled.\n"),predicate_name);
+ }
+ }
+#endif
parse_function = find_parser (predicate_name);
if (parse_function == NULL)
/* Command line option not recognized */
--- findutils-4.2.20/find/find.1.selinux 2005-03-02 22:36:20.000000000 +0000
+++ findutils-4.2.20/find/find.1 2005-03-17 13:14:11.000000000 +0000
@@ -441,6 +441,9 @@
link to a file of type \fIc\fR; if the \-L option has been given, true
if \fIc\fR is `l'. In other words, for symbolic links, \-xtype checks
the type of the file that \-type does not check.
+.IP "\-context \fIscontext\fR"
+.IP "\--context \fIscontext\fR"
+(SELinux only) File has the security context \fIscontext\fR.
.SS ACTIONS
.IP "\-delete\fR"
@@ -713,6 +716,8 @@
File's type (like in ls \-l), U=unknown type (shouldn't happen)
.IP %Y
File's type (like %y), plus follow symlinks: L=loop, N=nonexistent
+.IP %Z
+(SELinux only) file's security context.
.PP
A `%' character followed by any other character is discarded (but the
other character is printed).
--- findutils-4.2.20/find/Makefile.in.selinux 2005-03-17 12:11:50.000000000 +0000
+++ findutils-4.2.20/find/Makefile.in 2005-03-17 13:14:11.000000000 +0000
@@ -52,7 +52,7 @@
CPP = @CPP@
CPPFLAGS = @CPPFLAGS@
CYGPATH_W = @CYGPATH_W@
-DEFS = @DEFS@
+DEFS = @DEFS@ -I. -I$(srcdir) -I.. -DWITH_SELINUX
DEPDIR = @DEPDIR@
ECHO_C = @ECHO_C@
ECHO_N = @ECHO_N@
@@ -142,7 +142,7 @@
bin_PROGRAMS = find
find_SOURCES = find.c fstype.c parser.c pred.c tree.c util.c version.c
EXTRA_DIST = defs.h $(man_MANS)
-LDADD = ../lib/libfind.a ../gnulib/lib/libgnulib.a @INTLLIBS@
+LDADD = ../lib/libfind.a ../gnulib/lib/libgnulib.a @INTLLIBS@ -lselinux
man_MANS = find.1
SUBDIRS = testsuite
subdir = find
--- findutils-4.2.20/find/defs.h.selinux 2005-03-04 09:58:29.000000000 +0000
+++ findutils-4.2.20/find/defs.h 2005-03-17 13:14:11.000000000 +0000
@@ -130,6 +130,10 @@
#define MODE_RWX (S_IXUSR | S_IXGRP | S_IXOTH | MODE_RW)
#define MODE_ALL (S_ISUID | S_ISGID | S_ISVTX | MODE_RWX)
+#ifdef WITH_SELINUX
+#include <selinux/selinux.h>
+#endif /*WITH_SELINUX*/
+
#if 1
#include <stdbool.h>
typedef bool boolean;
@@ -314,6 +318,9 @@
struct dir_id fileid; /* samefile */
mode_t type; /* type */
FILE *stream; /* fprint fprint0 */
+#ifdef WITH_SELINUX
+ security_context_t scontext; /* scontext */
+#endif /*WITH_SELINUX*/
struct format_val printf_vec; /* printf fprintf */
} args;
@@ -444,6 +451,9 @@
boolean pred_used PARAMS((char *pathname, struct stat *stat_buf, struct predicate *pred_ptr));
boolean pred_user PARAMS((char *pathname, struct stat *stat_buf, struct predicate *pred_ptr));
boolean pred_xtype PARAMS((char *pathname, struct stat *stat_buf, struct predicate *pred_ptr));
+#ifdef WITH_SELINUX
+boolean pred_scontext PARAMS((char *pathname, struct stat *stat_buf, struct predicate *pred_ptr));
+#endif /* WITH_SELINUX */
int launch PARAMS((const struct buildcmd_control *ctl,
struct buildcmd_state *buildstate));
@@ -524,6 +534,9 @@
* flag to open(2).
*/
boolean open_nofollow_available;
+#ifdef WITH_SELINUX
+ int (*x_getfilecon) ();
+#endif /* WITH_SELINUX */
};
extern struct options options;
--- findutils-4.2.20/find/Makefile.am.selinux 2004-11-23 00:10:40.000000000 +0000
+++ findutils-4.2.20/find/Makefile.am 2005-03-17 13:14:11.000000000 +0000
@@ -3,8 +3,9 @@
bin_PROGRAMS = find
find_SOURCES = find.c fstype.c parser.c pred.c tree.c util.c version.c
EXTRA_DIST = defs.h $(man_MANS)
+DEFS = @DEFS@ -I. -I$(srcdir) -I.. -DWITH_SELINUX
INCLUDES = -I../gnulib/lib -I$(top_srcdir)/lib -I$(top_srcdir)/gnulib/lib -I../intl -DLOCALEDIR=\"$(localedir)\"
-LDADD = ../lib/libfind.a ../gnulib/lib/libgnulib.a @INTLLIBS@
+LDADD = ../lib/libfind.a ../gnulib/lib/libgnulib.a @INTLLIBS@ -lselinux
man_MANS = find.1
SUBDIRS = testsuite
--- findutils-4.2.20/find/parser.c.selinux 2005-03-17 13:14:11.000000000 +0000
+++ findutils-4.2.20/find/parser.c 2005-03-17 13:14:11.000000000 +0000
@@ -36,6 +36,10 @@
#include <sys/file.h>
#endif
+#ifdef WITH_SELINUX
+#include <selinux/selinux.h>
+#endif /*WITH_SELINUX*/
+
#if ENABLE_NLS
# include <libintl.h>
# define _(Text) gettext (Text)
@@ -139,6 +143,9 @@
static boolean parse_warn PARAMS((char *argv[], int *arg_ptr));
static boolean parse_xtype PARAMS((char *argv[], int *arg_ptr));
static boolean parse_quit PARAMS((char *argv[], int *arg_ptr));
+#ifdef WITH_SELINUX
+static boolean parse_scontext PARAMS((char *argv[], int *arg_ptr));
+#endif /*WITH_SELINUX*/
static boolean insert_regex PARAMS((char *argv[], int *arg_ptr, boolean ignore_case));
static boolean insert_type PARAMS((char *argv[], int *arg_ptr, boolean (*which_pred )()));
@@ -266,6 +273,8 @@
{ARG_TEST, "wholename", parse_wholename}, /* GNU, replaces -path */
{ARG_OPTION, "xdev", parse_xdev},
{ARG_TEST, "xtype", parse_xtype}, /* GNU */
+ {ARG_TEST, "context", parse_scontext}, /* SELinux */
+ {ARG_TEST, "-context", parse_scontext}, /* SELinux */
{0, 0, 0}
};
@@ -744,6 +753,10 @@
-nouser -nogroup -path PATTERN -perm [+-]MODE -regex PATTERN\n\
-wholename PATTERN -size N[bcwkMG] -true -type [bcdpflsD] -uid N\n\
-used N -user NAME -xtype [bcdpfls]\n"));
+#ifdef WITH_SELINUX
+ puts (_("\
+ -context CONTEXT\n"));
+#endif /*WITH_SELINUX*/
puts (_("\
actions: -exec COMMAND ; -fprint FILE -fprint0 FILE -fprintf FILE FORMAT\n\
-fls FILE -ok COMMAND ; -print -print0 -printf FORMAT -prune -ls -delete\n\
@@ -1602,6 +1615,32 @@
return true;
}
+#ifdef WITH_SELINUX
+
+static boolean
+parse_scontext ( argv, arg_ptr )
+ char *argv[];
+ int *arg_ptr;
+{
+ struct predicate *our_pred;
+
+ if ( (argv == NULL) || (argv[*arg_ptr] == NULL) )
+ return( false );
+
+ our_pred = insert_primary(pred_scontext);
+ our_pred->need_stat = 0;
+#ifdef DEBUG
+ our_pred->p_name = find_pred_name (pred_scontext);
+#endif /*DEBUG*/
+
+ our_pred->args.scontext = argv[*arg_ptr];;
+
+ (*arg_ptr)++;
+ return( true );
+}
+
+#endif /*WITH_SELINUX*/
+
static boolean
parse_xtype (char **argv, int *arg_ptr)
{
@@ -1777,7 +1816,11 @@
if (*scan2 == '.')
for (scan2++; ISDIGIT (*scan2); scan2++)
/* Do nothing. */ ;
+#ifdef WITH_SELINUX
+ if (strchr ("abcdDfFgGhHiklmMnpPstuUyYZ", *scan2))
+#else /* WITH_SELINUX */
if (strchr ("abcdDfFgGhHiklmMnpPstuUyY", *scan2))
+#endif /* WITH_SELINUX */
{
segmentp = make_segment (segmentp, format, scan2 - format,
(int) *scan2);
--- findutils-4.2.20/find/pred.c.selinux 2005-03-04 10:33:39.000000000 +0000
+++ findutils-4.2.20/find/pred.c 2005-03-17 13:14:11.000000000 +0000
@@ -35,6 +35,14 @@
#include "wait.h"
#include "buildcmd.h"
+#ifdef WITH_SELINUX
+#include <selinux/selinux.h>
+#endif /*WITH_SELINUX*/
+
+#ifndef FNM_CASEFOLD
+#define FNM_CASEFOLD (1<<4)
+#endif /*FNM_CASEFOLD*/
+
#if ENABLE_NLS
# include <libintl.h>
# define _(Text) gettext (Text)
@@ -78,7 +86,6 @@
extern int yesno ();
-
/* Get or fake the disk device blocksize.
Usually defined by sys/param.h (if at all). */
#ifndef DEV_BSIZE
@@ -209,6 +216,9 @@
{pred_used, "used "},
{pred_user, "user "},
{pred_xtype, "xtype "},
+#ifdef WITH_SELINUX
+ {pred_scontext, "context"},
+#endif /*WITH_SELINUX*/
{0, "none "}
};
@@ -839,6 +849,26 @@
}
break;
+#ifdef WITH_SELINUX
+ case 'Z': /* SELinux security context */
+ {
+ security_context_t scontext;
+ int rv;
+ rv = (*options.x_getfilecon)(state.rel_pathname, &scontext);
+
+ if ( rv < 0 ) {
+ (void) fprintf(stderr, "getfileconf(%s): %s",
+ pathname, strerror(errno));
+ (void) fflush(stderr);
+ }
+ else {
+ segment->text[segment->text_len] = 's';
+ (void) fprintf (fp, segment->text, scontext);
+ freecon(scontext);
+ }
+ }
+ break ;
+#endif /* WITH_SELINUX */
}
}
return (true);
@@ -1411,6 +1441,34 @@
*/
return (pred_type (pathname, &sbuf, pred_ptr));
}
+
+
+#ifdef WITH_SELINUX
+
+boolean
+pred_scontext ( pathname, stat_buf, pred_ptr )
+ char *pathname;
+ struct stat *stat_buf;
+ struct predicate *pred_ptr;
+{
+ int rv;
+ security_context_t scontext;
+
+ rv = (* options.x_getfilecon)(state.rel_pathname, &scontext);
+
+ if ( rv < 0 ) {
+ (void) fprintf(stderr, "getfilecon(%s): %s\n", pathname, strerror(errno));
+ (void) fflush(stderr);
+ return ( false );
+ }
+
+ rv = (fnmatch(pred_ptr->args.scontext, scontext,0)==0);
+ freecon(scontext);
+ return rv;
+}
+
+#endif /*WITH_SELINUX*/
+
/* 1) fork to get a child; parent remembers the child pid
2) child execs the command requested