libselinux-2.5-12
- Fix -Wsign-compare warnings - Drop unused stdio_ext.h header file - Kill logging check for selinux_enabled() - Drop usage of _D_ALLOC_NAMLEN - Add openrc_contexts functions - Fix redefinition of XATTR_NAME_SELINUX - Correct error path to always try text - Clean up process_file() - Handle NULL pcre study data - Fix in tree compilation of utils that depend on libsepol
This commit is contained in:
parent
1eb2b767ff
commit
5ad771ed68
@ -1,8 +1,18 @@
|
||||
diff --git libselinux-2.5/ChangeLog libselinux-2.5/ChangeLog
|
||||
index 24673dd..6588189 100644
|
||||
index 24673dd..bc68bed 100644
|
||||
--- libselinux-2.5/ChangeLog
|
||||
+++ libselinux-2.5/ChangeLog
|
||||
@@ -1,3 +1,19 @@
|
||||
@@ -1,3 +1,29 @@
|
||||
+ * Fix -Wsign-compare warnings, from Nicolas Iooss.
|
||||
+ * Drop unused stdio_ext.h header file, from William Roberts.
|
||||
+ * Kill logging check for selinux_enabled(), from William Roberts.
|
||||
+ * Drop usage of _D_ALLOC_NAMLEN, from William Roberts.
|
||||
+ * Add openrc_contexts functions, from Jason Zaman.
|
||||
+ * Fix redefinition of XATTR_NAME_SELINUX, from William Roberts.
|
||||
+ * Correct error path to always try text, from William Roberts.
|
||||
+ * Clean up process_file(), from William Roberts.
|
||||
+ * Handle NULL pcre study data, from Stephen Smalley.
|
||||
+ * Fix in tree compilation of utils that depend on libsepol, from Laurent Bigonville.
|
||||
+ * Change the location of _selinux.so, from Petr Lautrbach.
|
||||
+ * Clarify is_selinux_mls_enabled() description, from David King.
|
||||
+ * Explain how to free policy type from selinux_getpolicytype(), from David King.
|
||||
@ -494,12 +504,14 @@ index 0000000..fed6de8
|
||||
+ selinux.Test()
|
||||
+}
|
||||
diff --git libselinux-2.5/include/selinux/selinux.h libselinux-2.5/include/selinux/selinux.h
|
||||
index 2262086..3d8673f 100644
|
||||
index 2262086..45dd6ca 100644
|
||||
--- libselinux-2.5/include/selinux/selinux.h
|
||||
+++ libselinux-2.5/include/selinux/selinux.h
|
||||
@@ -544,6 +544,7 @@ extern const char *selinux_lxc_contexts_path(void);
|
||||
@@ -543,7 +543,9 @@ extern const char *selinux_virtual_image_context_path(void);
|
||||
extern const char *selinux_lxc_contexts_path(void);
|
||||
extern const char *selinux_x_context_path(void);
|
||||
extern const char *selinux_sepgsql_context_path(void);
|
||||
+extern const char *selinux_openrc_contexts_path(void);
|
||||
extern const char *selinux_openssh_contexts_path(void);
|
||||
+extern const char *selinux_snapperd_contexts_path(void);
|
||||
extern const char *selinux_systemd_contexts_path(void);
|
||||
@ -755,6 +767,36 @@ index 9669264..c775430 100644
|
||||
*sid = NULL;
|
||||
hvalue = sidtab_hash(ctx);
|
||||
|
||||
diff --git libselinux-2.5/src/booleans.c libselinux-2.5/src/booleans.c
|
||||
index 4b39a28..c438af1 100644
|
||||
--- libselinux-2.5/src/booleans.c
|
||||
+++ libselinux-2.5/src/booleans.c
|
||||
@@ -63,12 +63,11 @@ int security_get_boolean_names(char ***names, int *len)
|
||||
}
|
||||
|
||||
for (i = 0; i < *len; i++) {
|
||||
- n[i] = (char *)malloc(_D_ALLOC_NAMLEN(namelist[i]));
|
||||
+ n[i] = strdup(namelist[i]->d_name);
|
||||
if (!n[i]) {
|
||||
rc = -1;
|
||||
goto bad_freen;
|
||||
}
|
||||
- strcpy(n[i], namelist[i]->d_name);
|
||||
}
|
||||
rc = 0;
|
||||
*names = n;
|
||||
diff --git libselinux-2.5/src/callbacks.c libselinux-2.5/src/callbacks.c
|
||||
index cdf7b63..c3cf98b 100644
|
||||
--- libselinux-2.5/src/callbacks.c
|
||||
+++ libselinux-2.5/src/callbacks.c
|
||||
@@ -16,7 +16,6 @@ default_selinux_log(int type __attribute__((unused)), const char *fmt, ...)
|
||||
{
|
||||
int rc;
|
||||
va_list ap;
|
||||
- if (is_selinux_enabled() == 0) return 0;
|
||||
va_start(ap, fmt);
|
||||
rc = vfprintf(stderr, fmt, ap);
|
||||
va_end(ap);
|
||||
diff --git libselinux-2.5/src/canonicalize_context.c libselinux-2.5/src/canonicalize_context.c
|
||||
index 7cf3139..364a746 100644
|
||||
--- libselinux-2.5/src/canonicalize_context.c
|
||||
@ -880,12 +922,14 @@ index b7cff7e..a58bf3f 100755
|
||||
for i in `awk '/<stdin>.*extern int/ { print $6 }' temp.aux`; do except $i ; done
|
||||
rm -f -- temp.aux -.o
|
||||
diff --git libselinux-2.5/src/file_path_suffixes.h libselinux-2.5/src/file_path_suffixes.h
|
||||
index d1f9b48..95b228b 100644
|
||||
index d1f9b48..2d3ca49 100644
|
||||
--- libselinux-2.5/src/file_path_suffixes.h
|
||||
+++ libselinux-2.5/src/file_path_suffixes.h
|
||||
@@ -24,6 +24,7 @@ S_(BINPOLICY, "/policy/policy")
|
||||
@@ -23,7 +23,9 @@ S_(BINPOLICY, "/policy/policy")
|
||||
S_(VIRTUAL_DOMAIN, "/contexts/virtual_domain_context")
|
||||
S_(VIRTUAL_IMAGE, "/contexts/virtual_image_context")
|
||||
S_(LXC_CONTEXTS, "/contexts/lxc_contexts")
|
||||
+ S_(OPENRC_CONTEXTS, "/contexts/openrc_contexts")
|
||||
S_(OPENSSH_CONTEXTS, "/contexts/openssh_contexts")
|
||||
+ S_(SNAPPERD_CONTEXTS, "/contexts/snapperd_contexts")
|
||||
S_(SYSTEMD_CONTEXTS, "/contexts/systemd_contexts")
|
||||
@ -911,7 +955,7 @@ index 52707d0..0cbe12d 100644
|
||||
char * ccontext = NULL;
|
||||
int err = errno;
|
||||
diff --git libselinux-2.5/src/init.c libselinux-2.5/src/init.c
|
||||
index 3db4de0..3c687a2 100644
|
||||
index 3db4de0..ddf91f8 100644
|
||||
--- libselinux-2.5/src/init.c
|
||||
+++ libselinux-2.5/src/init.c
|
||||
@@ -11,7 +11,6 @@
|
||||
@ -922,7 +966,15 @@ index 3db4de0..3c687a2 100644
|
||||
|
||||
#include "dso.h"
|
||||
#include "policy.h"
|
||||
@@ -57,20 +56,15 @@ static int verify_selinuxmnt(const char *mnt)
|
||||
@@ -20,7 +19,6 @@
|
||||
|
||||
char *selinux_mnt = NULL;
|
||||
int selinux_page_size = 0;
|
||||
-int obj_class_compat = 1;
|
||||
|
||||
int has_selinux_config = 0;
|
||||
|
||||
@@ -57,20 +55,15 @@ static int verify_selinuxmnt(const char *mnt)
|
||||
|
||||
int selinuxfs_exists(void)
|
||||
{
|
||||
@ -946,7 +998,7 @@ index 3db4de0..3c687a2 100644
|
||||
__fsetlocking(fp, FSETLOCKING_BYCALLER);
|
||||
|
||||
num = getline(&buf, &len, fp);
|
||||
@@ -84,14 +78,6 @@ int selinuxfs_exists(void)
|
||||
@@ -84,14 +77,6 @@ int selinuxfs_exists(void)
|
||||
|
||||
free(buf);
|
||||
fclose(fp);
|
||||
@ -961,6 +1013,583 @@ index 3db4de0..3c687a2 100644
|
||||
return exists;
|
||||
}
|
||||
hidden_def(selinuxfs_exists)
|
||||
diff --git libselinux-2.5/src/label_file.c libselinux-2.5/src/label_file.c
|
||||
index 071d902..c243c67 100644
|
||||
--- libselinux-2.5/src/label_file.c
|
||||
+++ libselinux-2.5/src/label_file.c
|
||||
@@ -10,7 +10,6 @@
|
||||
#include <stdarg.h>
|
||||
#include <string.h>
|
||||
#include <stdio.h>
|
||||
-#include <stdio_ext.h>
|
||||
#include <ctype.h>
|
||||
#include <errno.h>
|
||||
#include <limits.h>
|
||||
@@ -97,62 +96,42 @@ static int nodups_specs(struct saved_data *data, const char *path)
|
||||
return rc;
|
||||
}
|
||||
|
||||
-static int load_mmap(struct selabel_handle *rec, const char *path,
|
||||
- struct stat *sb, bool isbinary,
|
||||
- struct selabel_digest *digest)
|
||||
+static int process_text_file(FILE *fp, const char *prefix,
|
||||
+ struct selabel_handle *rec, const char *path)
|
||||
+{
|
||||
+ int rc;
|
||||
+ size_t line_len;
|
||||
+ unsigned int lineno = 0;
|
||||
+ char *line_buf = NULL;
|
||||
+
|
||||
+ while (getline(&line_buf, &line_len, fp) > 0) {
|
||||
+ rc = process_line(rec, path, prefix, line_buf, ++lineno);
|
||||
+ if (rc)
|
||||
+ goto out;
|
||||
+ }
|
||||
+ rc = 0;
|
||||
+out:
|
||||
+ free(line_buf);
|
||||
+ return rc;
|
||||
+}
|
||||
+
|
||||
+static int load_mmap(FILE *fp, size_t len, struct selabel_handle *rec,
|
||||
+ const char *path)
|
||||
{
|
||||
struct saved_data *data = (struct saved_data *)rec->data;
|
||||
- char mmap_path[PATH_MAX + 1];
|
||||
- int mmapfd;
|
||||
int rc;
|
||||
- struct stat mmap_stat;
|
||||
char *addr, *str_buf;
|
||||
- size_t len;
|
||||
int *stem_map;
|
||||
struct mmap_area *mmap_area;
|
||||
uint32_t i, magic, version;
|
||||
uint32_t entry_len, stem_map_len, regex_array_len;
|
||||
|
||||
- if (isbinary) {
|
||||
- len = strlen(path);
|
||||
- if (len >= sizeof(mmap_path))
|
||||
- return -1;
|
||||
- strcpy(mmap_path, path);
|
||||
- } else {
|
||||
- rc = snprintf(mmap_path, sizeof(mmap_path), "%s.bin", path);
|
||||
- if (rc >= (int)sizeof(mmap_path))
|
||||
- return -1;
|
||||
- }
|
||||
-
|
||||
- mmapfd = open(mmap_path, O_RDONLY | O_CLOEXEC);
|
||||
- if (mmapfd < 0)
|
||||
- return -1;
|
||||
-
|
||||
- rc = fstat(mmapfd, &mmap_stat);
|
||||
- if (rc < 0) {
|
||||
- close(mmapfd);
|
||||
- return -1;
|
||||
- }
|
||||
-
|
||||
- /* if mmap is old, ignore it */
|
||||
- if (mmap_stat.st_mtime < sb->st_mtime) {
|
||||
- close(mmapfd);
|
||||
- return -1;
|
||||
- }
|
||||
-
|
||||
- /* ok, read it in... */
|
||||
- len = mmap_stat.st_size;
|
||||
- len += (sysconf(_SC_PAGE_SIZE) - 1);
|
||||
- len &= ~(sysconf(_SC_PAGE_SIZE) - 1);
|
||||
-
|
||||
mmap_area = malloc(sizeof(*mmap_area));
|
||||
if (!mmap_area) {
|
||||
- close(mmapfd);
|
||||
return -1;
|
||||
}
|
||||
|
||||
- addr = mmap(NULL, len, PROT_READ, MAP_PRIVATE, mmapfd, 0);
|
||||
- close(mmapfd);
|
||||
+ addr = mmap(NULL, len, PROT_READ, MAP_PRIVATE, fileno(fp), 0);
|
||||
if (addr == MAP_FAILED) {
|
||||
free(mmap_area);
|
||||
perror("mmap");
|
||||
@@ -227,7 +206,7 @@ static int load_mmap(struct selabel_handle *rec, const char *path,
|
||||
rc = next_entry(&stem_len, mmap_area, sizeof(uint32_t));
|
||||
if (rc < 0 || !stem_len) {
|
||||
rc = -1;
|
||||
- goto err;
|
||||
+ goto out;
|
||||
}
|
||||
|
||||
/* Check for stem_len wrap around. */
|
||||
@@ -236,15 +215,15 @@ static int load_mmap(struct selabel_handle *rec, const char *path,
|
||||
/* Check if over-run before null check. */
|
||||
rc = next_entry(NULL, mmap_area, (stem_len + 1));
|
||||
if (rc < 0)
|
||||
- goto err;
|
||||
+ goto out;
|
||||
|
||||
if (buf[stem_len] != '\0') {
|
||||
rc = -1;
|
||||
- goto err;
|
||||
+ goto out;
|
||||
}
|
||||
} else {
|
||||
rc = -1;
|
||||
- goto err;
|
||||
+ goto out;
|
||||
}
|
||||
|
||||
/* store the mapping between old and new */
|
||||
@@ -253,7 +232,7 @@ static int load_mmap(struct selabel_handle *rec, const char *path,
|
||||
newid = store_stem(data, buf, stem_len);
|
||||
if (newid < 0) {
|
||||
rc = newid;
|
||||
- goto err;
|
||||
+ goto out;
|
||||
}
|
||||
data->stem_arr[newid].from_mmap = 1;
|
||||
}
|
||||
@@ -264,7 +243,7 @@ static int load_mmap(struct selabel_handle *rec, const char *path,
|
||||
rc = next_entry(®ex_array_len, mmap_area, sizeof(uint32_t));
|
||||
if (rc < 0 || !regex_array_len) {
|
||||
rc = -1;
|
||||
- goto err;
|
||||
+ goto out;
|
||||
}
|
||||
|
||||
for (i = 0; i < regex_array_len; i++) {
|
||||
@@ -274,7 +253,7 @@ static int load_mmap(struct selabel_handle *rec, const char *path,
|
||||
|
||||
rc = grow_specs(data);
|
||||
if (rc < 0)
|
||||
- goto err;
|
||||
+ goto out;
|
||||
|
||||
spec = &data->spec_arr[data->nspec];
|
||||
spec->from_mmap = 1;
|
||||
@@ -284,30 +263,31 @@ static int load_mmap(struct selabel_handle *rec, const char *path,
|
||||
rc = next_entry(&entry_len, mmap_area, sizeof(uint32_t));
|
||||
if (rc < 0 || !entry_len) {
|
||||
rc = -1;
|
||||
- goto err;
|
||||
+ goto out;
|
||||
}
|
||||
|
||||
str_buf = malloc(entry_len);
|
||||
if (!str_buf) {
|
||||
rc = -1;
|
||||
- goto err;
|
||||
+ goto out;
|
||||
}
|
||||
rc = next_entry(str_buf, mmap_area, entry_len);
|
||||
if (rc < 0)
|
||||
- goto err;
|
||||
+ goto out;
|
||||
|
||||
if (str_buf[entry_len - 1] != '\0') {
|
||||
free(str_buf);
|
||||
rc = -1;
|
||||
- goto err;
|
||||
+ goto out;
|
||||
}
|
||||
spec->lr.ctx_raw = str_buf;
|
||||
|
||||
if (strcmp(spec->lr.ctx_raw, "<<none>>") && rec->validating) {
|
||||
if (selabel_validate(rec, &spec->lr) < 0) {
|
||||
selinux_log(SELINUX_ERROR,
|
||||
- "%s: context %s is invalid\n", mmap_path, spec->lr.ctx_raw);
|
||||
- goto err;
|
||||
+ "%s: context %s is invalid\n",
|
||||
+ path, spec->lr.ctx_raw);
|
||||
+ goto out;
|
||||
}
|
||||
}
|
||||
|
||||
@@ -315,17 +295,17 @@ static int load_mmap(struct selabel_handle *rec, const char *path,
|
||||
rc = next_entry(&entry_len, mmap_area, sizeof(uint32_t));
|
||||
if (rc < 0 || !entry_len) {
|
||||
rc = -1;
|
||||
- goto err;
|
||||
+ goto out;
|
||||
}
|
||||
|
||||
spec->regex_str = (char *)mmap_area->next_addr;
|
||||
rc = next_entry(NULL, mmap_area, entry_len);
|
||||
if (rc < 0)
|
||||
- goto err;
|
||||
+ goto out;
|
||||
|
||||
if (spec->regex_str[entry_len - 1] != '\0') {
|
||||
rc = -1;
|
||||
- goto err;
|
||||
+ goto out;
|
||||
}
|
||||
|
||||
/* Process mode */
|
||||
@@ -334,14 +314,14 @@ static int load_mmap(struct selabel_handle *rec, const char *path,
|
||||
else
|
||||
rc = next_entry(&mode, mmap_area, sizeof(mode_t));
|
||||
if (rc < 0)
|
||||
- goto err;
|
||||
+ goto out;
|
||||
|
||||
spec->mode = mode;
|
||||
|
||||
/* map the stem id from the mmap file to the data->stem_arr */
|
||||
rc = next_entry(&stem_id, mmap_area, sizeof(int32_t));
|
||||
if (rc < 0)
|
||||
- goto err;
|
||||
+ goto out;
|
||||
|
||||
if (stem_id < 0 || stem_id >= (int32_t)stem_map_len)
|
||||
spec->stem_id = -1;
|
||||
@@ -351,7 +331,7 @@ static int load_mmap(struct selabel_handle *rec, const char *path,
|
||||
/* retrieve the hasMetaChars bit */
|
||||
rc = next_entry(&meta_chars, mmap_area, sizeof(uint32_t));
|
||||
if (rc < 0)
|
||||
- goto err;
|
||||
+ goto out;
|
||||
|
||||
spec->hasMetaChars = meta_chars;
|
||||
/* and prefix length for use by selabel_lookup_best_match */
|
||||
@@ -359,7 +339,7 @@ static int load_mmap(struct selabel_handle *rec, const char *path,
|
||||
rc = next_entry(&prefix_len, mmap_area,
|
||||
sizeof(uint32_t));
|
||||
if (rc < 0)
|
||||
- goto err;
|
||||
+ goto out;
|
||||
|
||||
spec->prefix_len = prefix_len;
|
||||
}
|
||||
@@ -368,143 +348,207 @@ static int load_mmap(struct selabel_handle *rec, const char *path,
|
||||
rc = next_entry(&entry_len, mmap_area, sizeof(uint32_t));
|
||||
if (rc < 0 || !entry_len) {
|
||||
rc = -1;
|
||||
- goto err;
|
||||
+ goto out;
|
||||
}
|
||||
spec->regex = (pcre *)mmap_area->next_addr;
|
||||
rc = next_entry(NULL, mmap_area, entry_len);
|
||||
if (rc < 0)
|
||||
- goto err;
|
||||
+ goto out;
|
||||
|
||||
/* Check that regex lengths match. pcre_fullinfo()
|
||||
* also validates its magic number. */
|
||||
rc = pcre_fullinfo(spec->regex, NULL, PCRE_INFO_SIZE, &len);
|
||||
if (rc < 0 || len != entry_len) {
|
||||
rc = -1;
|
||||
- goto err;
|
||||
+ goto out;
|
||||
}
|
||||
|
||||
rc = next_entry(&entry_len, mmap_area, sizeof(uint32_t));
|
||||
if (rc < 0 || !entry_len) {
|
||||
rc = -1;
|
||||
- goto err;
|
||||
+ goto out;
|
||||
}
|
||||
- spec->lsd.study_data = (void *)mmap_area->next_addr;
|
||||
- spec->lsd.flags |= PCRE_EXTRA_STUDY_DATA;
|
||||
- rc = next_entry(NULL, mmap_area, entry_len);
|
||||
- if (rc < 0)
|
||||
- goto err;
|
||||
|
||||
- /* Check that study data lengths match. */
|
||||
- rc = pcre_fullinfo(spec->regex, &spec->lsd,
|
||||
- PCRE_INFO_STUDYSIZE, &len);
|
||||
- if (rc < 0 || len != entry_len) {
|
||||
- rc = -1;
|
||||
- goto err;
|
||||
+ if (entry_len) {
|
||||
+ spec->lsd.study_data = (void *)mmap_area->next_addr;
|
||||
+ spec->lsd.flags |= PCRE_EXTRA_STUDY_DATA;
|
||||
+ rc = next_entry(NULL, mmap_area, entry_len);
|
||||
+ if (rc < 0)
|
||||
+ goto out;
|
||||
+
|
||||
+ /* Check that study data lengths match. */
|
||||
+ rc = pcre_fullinfo(spec->regex, &spec->lsd,
|
||||
+ PCRE_INFO_STUDYSIZE, &len);
|
||||
+ if (rc < 0 || len != entry_len) {
|
||||
+ rc = -1;
|
||||
+ goto out;
|
||||
+ }
|
||||
}
|
||||
|
||||
data->nspec++;
|
||||
}
|
||||
|
||||
- rc = digest_add_specfile(digest, NULL, addr, mmap_stat.st_size,
|
||||
- mmap_path);
|
||||
- if (rc)
|
||||
- goto err;
|
||||
-
|
||||
-err:
|
||||
+ rc = 0;
|
||||
+out:
|
||||
free(stem_map);
|
||||
|
||||
return rc;
|
||||
}
|
||||
|
||||
-static int process_file(const char *path, const char *suffix,
|
||||
- struct selabel_handle *rec,
|
||||
- const char *prefix, struct selabel_digest *digest)
|
||||
-{
|
||||
- FILE *fp;
|
||||
+struct file_details {
|
||||
+ const char *suffix;
|
||||
struct stat sb;
|
||||
- unsigned int lineno;
|
||||
- size_t line_len = 0;
|
||||
- char *line_buf = NULL;
|
||||
- int rc;
|
||||
- char stack_path[PATH_MAX + 1];
|
||||
- bool isbinary = false;
|
||||
+};
|
||||
+
|
||||
+static char *rolling_append(char *current, const char *suffix, size_t max)
|
||||
+{
|
||||
+ size_t size;
|
||||
+ size_t suffix_size;
|
||||
+ size_t current_size;
|
||||
+
|
||||
+ if (!suffix)
|
||||
+ return current;
|
||||
+
|
||||
+ current_size = strlen(current);
|
||||
+ suffix_size = strlen(suffix);
|
||||
+
|
||||
+ size = current_size + suffix_size;
|
||||
+ if (size < current_size || size < suffix_size)
|
||||
+ return NULL;
|
||||
+
|
||||
+ /* ensure space for the '.' and the '\0' characters. */
|
||||
+ if (size >= (SIZE_MAX - 2))
|
||||
+ return NULL;
|
||||
+
|
||||
+ size += 2;
|
||||
+
|
||||
+ if (size > max)
|
||||
+ return NULL;
|
||||
+
|
||||
+ /* Append any given suffix */
|
||||
+ char *to = current + current_size;
|
||||
+ *to++ = '.';
|
||||
+ strcpy(to, suffix);
|
||||
+
|
||||
+ return current;
|
||||
+}
|
||||
+
|
||||
+static bool fcontext_is_binary(FILE *fp)
|
||||
+{
|
||||
uint32_t magic;
|
||||
|
||||
- /* append the path suffix if we have one */
|
||||
- if (suffix) {
|
||||
- rc = snprintf(stack_path, sizeof(stack_path),
|
||||
- "%s.%s", path, suffix);
|
||||
- if (rc >= (int)sizeof(stack_path)) {
|
||||
- errno = ENAMETOOLONG;
|
||||
- return -1;
|
||||
- }
|
||||
- path = stack_path;
|
||||
+ size_t len = fread(&magic, sizeof(magic), 1, fp);
|
||||
+ rewind(fp);
|
||||
+
|
||||
+ return (len && (magic == SELINUX_MAGIC_COMPILED_FCONTEXT));
|
||||
+}
|
||||
+
|
||||
+#define ARRAY_SIZE(x) (sizeof(x) / sizeof((x)[0]))
|
||||
+
|
||||
+static FILE *open_file(const char *path, const char *suffix,
|
||||
+ char *save_path, size_t len, struct stat *sb, bool open_oldest)
|
||||
+{
|
||||
+ unsigned int i;
|
||||
+ int rc;
|
||||
+ char stack_path[len];
|
||||
+ struct file_details *found = NULL;
|
||||
+
|
||||
+ /*
|
||||
+ * Rolling append of suffix. Try to open with path.suffix then the
|
||||
+ * next as path.suffix.suffix and so forth.
|
||||
+ */
|
||||
+ struct file_details fdetails[2] = {
|
||||
+ { .suffix = suffix },
|
||||
+ { .suffix = "bin" }
|
||||
+ };
|
||||
+
|
||||
+ rc = snprintf(stack_path, sizeof(stack_path), "%s", path);
|
||||
+ if (rc >= (int) sizeof(stack_path)) {
|
||||
+ errno = ENAMETOOLONG;
|
||||
+ return NULL;
|
||||
}
|
||||
|
||||
- /* Open the specification file. */
|
||||
- fp = fopen(path, "r");
|
||||
- if (fp) {
|
||||
- __fsetlocking(fp, FSETLOCKING_BYCALLER);
|
||||
+ for (i = 0; i < ARRAY_SIZE(fdetails); i++) {
|
||||
|
||||
- if (fstat(fileno(fp), &sb) < 0)
|
||||
- return -1;
|
||||
- if (!S_ISREG(sb.st_mode)) {
|
||||
- errno = EINVAL;
|
||||
- return -1;
|
||||
- }
|
||||
+ /* This handles the case if suffix is null */
|
||||
+ path = rolling_append(stack_path, fdetails[i].suffix,
|
||||
+ sizeof(stack_path));
|
||||
+ if (!path)
|
||||
+ return NULL;
|
||||
|
||||
- magic = 0;
|
||||
- if (fread(&magic, sizeof magic, 1, fp) != 1) {
|
||||
- if (ferror(fp)) {
|
||||
- errno = EINVAL;
|
||||
- fclose(fp);
|
||||
- return -1;
|
||||
- }
|
||||
- clearerr(fp);
|
||||
- }
|
||||
+ rc = stat(path, &fdetails[i].sb);
|
||||
+ if (rc)
|
||||
+ continue;
|
||||
|
||||
- if (magic == SELINUX_MAGIC_COMPILED_FCONTEXT) {
|
||||
- /* file_contexts.bin format */
|
||||
- fclose(fp);
|
||||
- fp = NULL;
|
||||
- isbinary = true;
|
||||
- } else {
|
||||
- rewind(fp);
|
||||
+ /* first file thing found, just take it */
|
||||
+ if (!found) {
|
||||
+ strcpy(save_path, path);
|
||||
+ found = &fdetails[i];
|
||||
+ continue;
|
||||
}
|
||||
- } else {
|
||||
+
|
||||
/*
|
||||
- * Text file does not exist, so clear the timestamp
|
||||
- * so that we will always pass the timestamp comparison
|
||||
- * with the bin file in load_mmap().
|
||||
+ * Keep picking the newest file found. Where "newest"
|
||||
+ * includes equality. This provides a precedence on
|
||||
+ * secondary suffixes even when the timestamp is the
|
||||
+ * same. Ie choose file_contexts.bin over file_contexts
|
||||
+ * even if the time stamp is the same. Invert this logic
|
||||
+ * on open_oldest set to true. The idea is that if the
|
||||
+ * newest file failed to process, we can attempt to
|
||||
+ * process the oldest. The logic here is subtle and depends
|
||||
+ * on the array ordering in fdetails for the case when time
|
||||
+ * stamps are the same.
|
||||
*/
|
||||
- sb.st_mtime = 0;
|
||||
+ if (open_oldest ^
|
||||
+ (fdetails[i].sb.st_mtime >= found->sb.st_mtime)) {
|
||||
+ found = &fdetails[i];
|
||||
+ strcpy(save_path, path);
|
||||
+ }
|
||||
}
|
||||
|
||||
- rc = load_mmap(rec, path, &sb, isbinary, digest);
|
||||
- if (rc == 0)
|
||||
- goto out;
|
||||
+ if (!found) {
|
||||
+ errno = ENOENT;
|
||||
+ return NULL;
|
||||
+ }
|
||||
+
|
||||
+ memcpy(sb, &found->sb, sizeof(*sb));
|
||||
+ return fopen(save_path, "r");
|
||||
+}
|
||||
|
||||
- if (!fp)
|
||||
- return -1; /* no text or bin file */
|
||||
+static int process_file(const char *path, const char *suffix,
|
||||
+ struct selabel_handle *rec,
|
||||
+ const char *prefix, struct selabel_digest *digest)
|
||||
+{
|
||||
+ int rc;
|
||||
+ unsigned int i;
|
||||
+ struct stat sb;
|
||||
+ FILE *fp = NULL;
|
||||
+ char found_path[PATH_MAX];
|
||||
|
||||
/*
|
||||
- * Then do detailed validation of the input and fill the spec array
|
||||
+ * On the first pass open the newest modified file. If it fails to
|
||||
+ * process, then the second pass shall open the oldest file. If both
|
||||
+ * passes fail, then it's a fatal error.
|
||||
*/
|
||||
- lineno = 0;
|
||||
- rc = 0;
|
||||
- while (getline(&line_buf, &line_len, fp) > 0) {
|
||||
- rc = process_line(rec, path, prefix, line_buf, ++lineno);
|
||||
- if (rc)
|
||||
- goto out;
|
||||
- }
|
||||
+ for (i = 0; i < 2; i++) {
|
||||
+ fp = open_file(path, suffix, found_path, sizeof(found_path),
|
||||
+ &sb, i > 0);
|
||||
+ if (fp == NULL)
|
||||
+ return -1;
|
||||
|
||||
- rc = digest_add_specfile(digest, fp, NULL, sb.st_size, path);
|
||||
+ rc = fcontext_is_binary(fp) ?
|
||||
+ load_mmap(fp, sb.st_size, rec, found_path) :
|
||||
+ process_text_file(fp, prefix, rec, found_path);
|
||||
+ if (!rc)
|
||||
+ rc = digest_add_specfile(digest, fp, NULL, sb.st_size,
|
||||
+ found_path);
|
||||
|
||||
-out:
|
||||
- free(line_buf);
|
||||
- if (fp)
|
||||
fclose(fp);
|
||||
- return rc;
|
||||
+
|
||||
+ if (!rc)
|
||||
+ return 0;
|
||||
+ }
|
||||
+ return -1;
|
||||
}
|
||||
|
||||
static void closef(struct selabel_handle *rec);
|
||||
diff --git libselinux-2.5/src/label_file.h libselinux-2.5/src/label_file.h
|
||||
index 72fed1f..6d1e890 100644
|
||||
--- libselinux-2.5/src/label_file.h
|
||||
+++ libselinux-2.5/src/label_file.h
|
||||
@@ -80,9 +80,12 @@ struct saved_data {
|
||||
|
||||
static inline pcre_extra *get_pcre_extra(struct spec *spec)
|
||||
{
|
||||
- if (spec->from_mmap)
|
||||
- return &spec->lsd;
|
||||
- else
|
||||
+ if (spec->from_mmap) {
|
||||
+ if (spec->lsd.study_data)
|
||||
+ return &spec->lsd;
|
||||
+ else
|
||||
+ return NULL;
|
||||
+ } else
|
||||
return spec->sd;
|
||||
}
|
||||
|
||||
diff --git libselinux-2.5/src/label_internal.h libselinux-2.5/src/label_internal.h
|
||||
index aa48fff..0827ef6 100644
|
||||
--- libselinux-2.5/src/label_internal.h
|
||||
+++ libselinux-2.5/src/label_internal.h
|
||||
@@ -124,7 +124,7 @@ selabel_validate(struct selabel_handle *rec,
|
||||
*/
|
||||
extern int myprintf_compat;
|
||||
extern void __attribute__ ((format(printf, 1, 2)))
|
||||
-(*myprintf) (const char *fmt, ...);
|
||||
+(*myprintf) (const char *fmt, ...) hidden;
|
||||
|
||||
#define COMPAT_LOG(type, fmt...) if (myprintf_compat) \
|
||||
myprintf(fmt); \
|
||||
diff --git libselinux-2.5/src/load_policy.c libselinux-2.5/src/load_policy.c
|
||||
index 21ee58b..4f39fc7 100644
|
||||
--- libselinux-2.5/src/load_policy.c
|
||||
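Review bot: The new open_file() drops the regular-file check that the replaced process_file() performed after fstat() (`if (!S_ISREG(sb.st_mode)) { errno = EINVAL; return -1; }`), so a directory, FIFO or device found at path.suffix or path.suffix.bin is now passed to fopen() and then to mmap() in load_mmap() or getline() in process_text_file(). open_file() also selects on a stat() of the path name and then opens by name, so the struct stat copied into *sb may describe a different object than the stream fopen() returns; an fstat() on the opened stream closes that gap and restores the S_ISREG check in one place. The tail of open_file(), from the memcpy() before `return fopen(save_path, "r");`, could become the following; open_file() and process_file() are both wholly inside this hunk, and process_file() reads sb only after open_file() returns, so it needs no change.
```c
	/* … unchanged: rolling-append loop selecting `found` … */

	if (!found) {
		errno = ENOENT;
		return NULL;
	}

	FILE *fp = fopen(save_path, "r");
	if (!fp)
		return NULL;

	/*
	 * Re-stat the open descriptor rather than trusting the stat() by
	 * name above, and refuse anything that is not a regular file before
	 * it reaches mmap() or getline().
	 */
	if (fstat(fileno(fp), sb) < 0) {
		int err = errno;
		fclose(fp);
		errno = err;
		return NULL;
	}
	if (!S_ISREG(sb->st_mode)) {
		fclose(fp);
		errno = EINVAL;
		return NULL;
	}
	return fp;
```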
@ -1065,6 +1694,25 @@ index 5b495a0..a2f2c3e 100644
|
||||
|
||||
rc = lgetfilecon_raw(path, &con);
|
||||
if (rc == -1) {
|
||||
diff --git libselinux-2.5/src/policy.h libselinux-2.5/src/policy.h
|
||||
index bf270b5..f6d7242 100644
|
||||
--- libselinux-2.5/src/policy.h
|
||||
+++ libselinux-2.5/src/policy.h
|
||||
@@ -3,8 +3,13 @@
|
||||
|
||||
/* Private definitions used internally by libselinux. */
|
||||
|
||||
-/* xattr name for SELinux attributes. */
|
||||
+/*
|
||||
+ * xattr name for SELinux attributes.
|
||||
+ * This may have been exported via Kernel uapi header.
|
||||
+ */
|
||||
+#ifndef XATTR_NAME_SELINUX
|
||||
#define XATTR_NAME_SELINUX "security.selinux"
|
||||
+#endif
|
||||
|
||||
/* Initial length guess for getting contexts. */
|
||||
#define INITCONTEXTLEN 255
|
||||
diff --git libselinux-2.5/src/procattr.c libselinux-2.5/src/procattr.c
|
||||
index 527a0a5..eee4612 100644
|
||||
--- libselinux-2.5/src/procattr.c
|
||||
@ -1116,20 +1764,35 @@ index 527a0a5..eee4612 100644
|
||||
|
||||
all_selfattr_def(con, current)
|
||||
diff --git libselinux-2.5/src/selinux_config.c libselinux-2.5/src/selinux_config.c
|
||||
index bec5f3b..c519a77 100644
|
||||
index bec5f3b..88bcc85 100644
|
||||
--- libselinux-2.5/src/selinux_config.c
|
||||
+++ libselinux-2.5/src/selinux_config.c
|
||||
@@ -50,7 +50,8 @@
|
||||
@@ -50,7 +50,9 @@
|
||||
#define BOOLEAN_SUBS 27
|
||||
#define OPENSSH_CONTEXTS 28
|
||||
#define SYSTEMD_CONTEXTS 29
|
||||
-#define NEL 30
|
||||
+#define SNAPPERD_CONTEXTS 30
|
||||
+#define NEL 31
|
||||
+#define OPENRC_CONTEXTS 31
|
||||
+#define NEL 32
|
||||
|
||||
/* Part of one-time lazy init */
|
||||
static pthread_once_t once = PTHREAD_ONCE_INIT;
|
||||
@@ -499,6 +500,13 @@ const char *selinux_openssh_contexts_path(void)
|
||||
@@ -492,6 +494,13 @@ const char *selinux_lxc_contexts_path(void)
|
||||
|
||||
hidden_def(selinux_lxc_contexts_path)
|
||||
|
||||
+const char *selinux_openrc_contexts_path(void)
|
||||
+{
|
||||
+ return get_path(OPENRC_CONTEXTS);
|
||||
+}
|
||||
+
|
||||
+hidden_def(selinux_openrc_contexts_path)
|
||||
+
|
||||
const char *selinux_openssh_contexts_path(void)
|
||||
{
|
||||
return get_path(OPENSSH_CONTEXTS);
|
||||
@@ -499,6 +508,13 @@ const char *selinux_openssh_contexts_path(void)
|
||||
|
||||
hidden_def(selinux_openssh_contexts_path)
|
||||
|
||||
@ -1144,12 +1807,14 @@ index bec5f3b..c519a77 100644
|
||||
{
|
||||
return get_path(SYSTEMD_CONTEXTS);
|
||||
diff --git libselinux-2.5/src/selinux_internal.h libselinux-2.5/src/selinux_internal.h
|
||||
index 46566f6..9b9145c 100644
|
||||
index 46566f6..3d5c9fb 100644
|
||||
--- libselinux-2.5/src/selinux_internal.h
|
||||
+++ libselinux-2.5/src/selinux_internal.h
|
||||
@@ -84,6 +84,7 @@ hidden_proto(selinux_mkload_policy)
|
||||
@@ -83,7 +83,9 @@ hidden_proto(selinux_mkload_policy)
|
||||
hidden_proto(selinux_media_context_path)
|
||||
hidden_proto(selinux_x_context_path)
|
||||
hidden_proto(selinux_sepgsql_context_path)
|
||||
+ hidden_proto(selinux_openrc_contexts_path)
|
||||
hidden_proto(selinux_openssh_contexts_path)
|
||||
+ hidden_proto(selinux_snapperd_contexts_path)
|
||||
hidden_proto(selinux_systemd_contexts_path)
|
||||
@ -1191,3 +1856,63 @@ index 060eaab..ed3bf0b 100644
|
||||
selinuxenabled
|
||||
selinuxexeccon
|
||||
setenforce
|
||||
diff --git libselinux-2.5/utils/Makefile libselinux-2.5/utils/Makefile
|
||||
index cf7af52..8497cb4 100644
|
||||
--- libselinux-2.5/utils/Makefile
|
||||
+++ libselinux-2.5/utils/Makefile
|
||||
@@ -3,6 +3,7 @@ PREFIX ?= $(DESTDIR)/usr
|
||||
LIBDIR ?= $(PREFIX)/lib
|
||||
USRBINDIR ?= $(PREFIX)/sbin
|
||||
SBINDIR ?= $(DESTDIR)/sbin
|
||||
+INCLUDEDIR ?= $(PREFIX)/include
|
||||
|
||||
MAX_STACK_SIZE=8192
|
||||
CFLAGS ?= -O -Wall -W -Wundef -Wformat-y2k -Wformat-security -Winit-self -Wmissing-include-dirs \
|
||||
@@ -23,7 +24,7 @@ CFLAGS ?= -O -Wall -W -Wundef -Wformat-y2k -Wformat-security -Winit-self -Wmissi
|
||||
-fasynchronous-unwind-tables -fdiagnostics-show-option -funit-at-a-time \
|
||||
-fipa-pure-const -Wno-suggest-attribute=pure -Wno-suggest-attribute=const \
|
||||
-Werror -Wno-aggregate-return -Wno-redundant-decls
|
||||
-override CFLAGS += -I../include -D_GNU_SOURCE $(EMFLAGS)
|
||||
+override CFLAGS += -I../include -I$(INCLUDEDIR) -D_GNU_SOURCE $(EMFLAGS)
|
||||
LDLIBS += -L../src -lselinux -L$(LIBDIR)
|
||||
|
||||
TARGETS=$(patsubst %.c,%,$(wildcard *.c))
|
||||
diff --git libselinux-2.5/utils/sefcontext_compile.c libselinux-2.5/utils/sefcontext_compile.c
|
||||
index d2578b6..fd6fb78 100644
|
||||
--- libselinux-2.5/utils/sefcontext_compile.c
|
||||
+++ libselinux-2.5/utils/sefcontext_compile.c
|
||||
@@ -228,10 +228,13 @@ static int write_binary_file(struct saved_data *data, int fd)
|
||||
if (len != to_write)
|
||||
goto err;
|
||||
|
||||
- /* determine the size of the pcre study info */
|
||||
- rc = pcre_fullinfo(re, sd, PCRE_INFO_STUDYSIZE, &size);
|
||||
- if (rc < 0)
|
||||
- goto err;
|
||||
+ if (sd) {
|
||||
+ /* determine the size of the pcre study info */
|
||||
+ rc = pcre_fullinfo(re, sd, PCRE_INFO_STUDYSIZE, &size);
|
||||
+ if (rc < 0)
|
||||
+ goto err;
|
||||
+ } else
|
||||
+ size = 0;
|
||||
|
||||
/* write the number of bytes in the pcre study data */
|
||||
to_write = size;
|
||||
@@ -239,10 +242,12 @@ static int write_binary_file(struct saved_data *data, int fd)
|
||||
if (len != 1)
|
||||
goto err;
|
||||
|
||||
- /* write the actual pcre study data as a char array */
|
||||
- len = fwrite(sd->study_data, 1, to_write, bin_file);
|
||||
- if (len != to_write)
|
||||
- goto err;
|
||||
+ if (sd) {
|
||||
+ /* write the actual pcre study data as a char array */
|
||||
+ len = fwrite(sd->study_data, 1, to_write, bin_file);
|
||||
+ if (len != to_write)
|
||||
+ goto err;
|
||||
+ }
|
||||
}
|
||||
|
||||
rc = 0;
|
||||
|
@ -3,13 +3,13 @@
|
||||
%endif
|
||||
|
||||
%define ruby_inc %(pkg-config --cflags ruby)
|
||||
%define libsepolver 2.5-9
|
||||
%define libsepolver 2.5-10
|
||||
%{!?python_sitearch: %define python_sitearch %(%{__python} -c "from distutils.sysconfig import get_python_lib; print get_python_lib(1)")}
|
||||
|
||||
Summary: SELinux library and simple utilities
|
||||
Name: libselinux
|
||||
Version: 2.5
|
||||
Release: 11%{?dist}
|
||||
Release: 12%{?dist}
|
||||
License: Public Domain
|
||||
Group: System Environment/Libraries
|
||||
# https://github.com/SELinuxProject/selinux/wiki/Releases
|
||||
@ -20,7 +20,7 @@ Url: https://github.com/SELinuxProject/selinux/wiki
|
||||
# download https://raw.githubusercontent.com/fedora-selinux/scripts/master/selinux/make-fedora-selinux-patch.sh
|
||||
# run:
|
||||
# $ VERSION=2.5 ./make-fedora-selinux-patch.sh libselinux
|
||||
# HEAD https://github.com/fedora-selinux/selinux/commit/9eb71873eb6e6073228257abbeb42f61b2719336
|
||||
# HEAD https://github.com/fedora-selinux/selinux/commit/caefad506ca46db441952ab64ebfc6202897516b
|
||||
Patch1: libselinux-fedora.patch
|
||||
BuildRequires: pkgconfig python python-devel ruby-devel ruby libsepol-static >= %{libsepolver} swig pcre-devel xz-devel
|
||||
%if 0%{?with_python3}
|
||||
@ -256,6 +256,18 @@ rm -rf %{buildroot}
|
||||
%{ruby_vendorarchdir}/selinux.so
|
||||
|
||||
%changelog
|
||||
* Mon Oct 03 2016 Petr Lautrbach <plautrba@redhat.com> 2.5-12
|
||||
- Fix -Wsign-compare warnings
|
||||
- Drop unused stdio_ext.h header file
|
||||
- Kill logging check for selinux_enabled()
|
||||
- Drop usage of _D_ALLOC_NAMLEN
|
||||
- Add openrc_contexts functions
|
||||
- Fix redefinition of XATTR_NAME_SELINUX
|
||||
- Correct error path to always try text
|
||||
- Clean up process_file()
|
||||
- Handle NULL pcre study data
|
||||
- Fix in tree compilation of utils that depend on libsepol
|
||||
|
||||
* Mon Aug 01 2016 Petr Lautrbach <plautrba@redhat.com> 2.5-11
|
||||
- Rebuilt with libsepol-2.5-9
|
||||
|
||||
|