From 74de835e2cfa0c0d7c201a19acf9ecdd7b3f1a5a Mon Sep 17 00:00:00 2001
From: Petr Lautrbach
Date: Fri, 30 Oct 2020 12:53:49 +0100
Subject: [PATCH] Rebase on db0f2f382e31 at SELinuxProject

- Use libsepol.so.2
- Convert matchpathcon to selabel_lookup()
- Change userspace AVC setenforce and policy load messages to audit format
- Remove trailing slash on selabel_file lookups
- Use kernel status page by default
---
 ...ux-use-kernel-status-page-by-default.patch | 506 ++++++++++++++++++
 0002-libselinux-fix-build-order.patch | 27 +
 ...ull-argument-specifiers-for-security.patch | 38 ++
 ...e-trailing-slash-on-selabel_file-loo.patch | 64 +++
 ...y-access-shared-memory-in-selinux_st.patch | 80 +++
 ...alize-last_policyload-in-selinux_sta.patch | 54 ++
 ...ew-log-callback-levels-for-enforcing.patch | 71 +++
 ...-Fix-selabel_lookup-for-the-root-dir.patch | 30 ++
 ...dditional-log-callback-details-in-ma.patch | 38 ++
 ...e-userspace-AVC-setenforce-and-polic.patch | 37 ++
 ...nvert-matchpathcon-to-selabel_lookup.patch | 208 +++++++
 0012-libsepol-Bump-libsepol.so-version.patch | 45 ++
 ...-build-option-to-disable-X11-backend.patch | 48 ++
 ...page-to-refer-seinfo-and-sesearch-to.patch | 6 +-
 libselinux.spec | 17 +-
 15 files changed, 1264 insertions(+), 5 deletions(-)
 create mode 100644 0001-libselinux-use-kernel-status-page-by-default.patch
 create mode 100644 0002-libselinux-fix-build-order.patch
 create mode 100644 0003-libselinux-use-full-argument-specifiers-for-security.patch
 create mode 100644 0004-libselinux-Remove-trailing-slash-on-selabel_file-loo.patch
 create mode 100644 0005-libselinux-safely-access-shared-memory-in-selinux_st.patch
 create mode 100644 0006-libselinux-initialize-last_policyload-in-selinux_sta.patch
 create mode 100644 0007-libselinux-Add-new-log-callback-levels-for-enforcing.patch
 create mode 100644 0008-libselinux-Fix-selabel_lookup-for-the-root-dir.patch
 create mode 100644 0009-libselinux-Add-additional-log-callback-details-in-ma.patch
 create mode 100644 0010-libselinux-Change-userspace-AVC-setenforce-and-polic.patch
 create mode 100644
0011-libselinux-convert-matchpathcon-to-selabel_lookup.patch create mode 100644 0012-libsepol-Bump-libsepol.so-version.patch create mode 100644 0013-libselinux-Add-build-option-to-disable-X11-backend.patch rename 0001-Fix-selinux-man-page-to-refer-seinfo-and-sesearch-to.patch => 0014-Fix-selinux-man-page-to-refer-seinfo-and-sesearch-to.patch (87%) diff --git a/0001-libselinux-use-kernel-status-page-by-default.patch b/0001-libselinux-use-kernel-status-page-by-default.patch new file mode 100644 index 0000000..e2ddbff --- /dev/null +++ b/0001-libselinux-use-kernel-status-page-by-default.patch 
@@ -0,0 +1,506 @@ +From 05bdc03130d741e53e1fb45a958d0a2c184be503 Mon Sep 17 00:00:00 2001 +From: Mike Palmiotto +Date: Wed, 5 Aug 2020 15:43:12 -0400 +Subject: [PATCH] libselinux: use kernel status page by default + +Commit bc2a8f418e3b ("libselinux: add selinux_status_* interfaces for +/selinux/status") introduced the sestatus mechanism, which allows for +mmap()'ing of the kernel status page as a replacement for avc_netlink. + +The mechanism was initially intended for userspace object managers that +were calculating access decisions within their application and did not +rely on the libselinux AVC implementation. In order to properly make use +of sestatus within avc_has_perm(), the status mechanism needs to +properly set avc internals during status events; else, avc_enforcing is +never updated upon sestatus changes. + +This commit gets rid of the default avc_netlink_open() in +avc_init_internal(), replacing it with selinux_status_open(). In the +event that the kernel status page cannot be mapped, the netlink fallback +will be used. By default, avc_has_perm_noaudit() and +selinux_check_access() will now attempt to read the kernel status page, +which removes a system call from two critical code paths. + +Since the AVC thread create/stop callbacks were intended to avoid a +system call in the critical code path, they no longer need to be created +by default. In the event that the kernel status page is successfully +mapped, threads will not be created. Threads will still be +created/stopped for the sestatus fallback codepaths. + +Userspace object managers that still need a netlink socket can call +avc_netlink_acquire_fd() to open and/or obtain one. + +Update the manpage to reflect the new avc_netlink_acquire_fd() +functionality. 
+ +Signed-off-by: Mike Palmiotto +Acked-by: Stephen Smalley +--- + libselinux/man/man3/avc_init.3 | 51 ++++++++++++-- + libselinux/man/man3/avc_netlink_loop.3 | 8 +++ + libselinux/man/man3/avc_open.3 | 36 +++++++++- + libselinux/man/man3/selinux_status_open.3 | 13 ++-- + libselinux/src/avc.c | 15 ++--- + libselinux/src/avc_internal.c | 82 ++++++++++++++++------- + libselinux/src/avc_internal.h | 4 ++ + libselinux/src/checkAccess.c | 2 +- + libselinux/src/sestatus.c | 24 +++++++ + 9 files changed, 184 insertions(+), 51 deletions(-) + +diff --git a/libselinux/man/man3/avc_init.3 b/libselinux/man/man3/avc_init.3 +index e26c3be6071c..a5dc7c93c703 100644 +--- a/libselinux/man/man3/avc_init.3 ++++ b/libselinux/man/man3/avc_init.3 +@@ -117,6 +117,8 @@ argument, which does not return under normal conditions. The + callback should cancel the running thread referenced by + .IR thread . + By default, threading is not used; see ++.B KERNEL STATUS PAGE ++and + .B NETLINK NOTIFICATION + below. + +@@ -153,14 +155,49 @@ callback should destroy + .IR lock , + freeing any resources associated with it. The default behavior is not to perform any locking. Note that undefined behavior may result if threading is used without appropriate locking. + . +-.SH "NETLINK NOTIFICATION" +-Beginning with version 2.6.4, the Linux kernel supports SELinux status change notification via netlink. Two message types are currently implemented, indicating changes to the enforcing mode and to the loaded policy in the kernel, respectively. The userspace AVC listens for these messages and takes the appropriate action, modifying the behavior of +-.BR avc_has_perm (3) +-to reflect the current enforcing mode and flushing the cache on receipt of a policy load notification. Audit messages are produced when netlink notifications are processed. 
++.SH "KERNEL STATUS PAGE" ++Linux kernel version 2.6.37 supports the SELinux kernel status page, enabling userspace applications to ++.BR mmap (2) ++SELinux status state in read-only mode to avoid system calls during the cache hit code path. + +-In the default single-threaded mode, the userspace AVC checks for new netlink messages at the start of each permission query. If threading and locking callbacks are passed to + .BR avc_init () +-however, a dedicated thread will be started to listen on the netlink socket. This may increase performance and will ensure that log messages are generated immediately rather than at the time of the next permission query. ++calls ++.BR selinux_status_open (3) ++to initialize the selinux status state. If successfully initialized, the userspace AVC will default to single-threaded mode and ignore the ++.B func_create_thread ++and ++.B func_stop_thread ++callbacks. All callbacks set via ++.BR selinux_set_callback (3) ++will still be honored. ++ ++.BR avc_has_perm (3) ++and ++.BR selinux_check_access (3) ++both check for status updates through calls to ++.BR selinux_status_updated (3) ++at the start of each permission query and take the appropriate action. ++ ++Two status types are currently implemented. ++.B setenforce ++events will change the effective enforcing state used within the AVC, and ++.B policyload ++events will result in a cache flush. ++. ++.SH "NETLINK NOTIFICATION" ++In the event that the kernel status page is not successfully ++.BR mmap (2)'ed ++the AVC will default to the netlink fallback mechanism, which opens a netlink socket for receiving status updates. ++.B setenforce ++and ++.B policyload ++events will have the same results as for the status page implementation, but all status update checks will now require a system call. ++ ++By default, ++.BR avc_open (3) ++does not set threading or locking callbacks. In the fallback case, the userspace AVC checks for new netlink messages at the start of each permission query. 
If threading and locking callbacks are passed to ++.BR avc_init (), ++a dedicated thread will be started to listen on the netlink socket. This may increase performance in the absence of the status page and will ensure that log messages are generated immediately rather than at the time of the next permission query. + . + .SH "RETURN VALUE" + Functions with a return value return zero on success. On error, \-1 is returned and +@@ -192,5 +229,7 @@ Eamon Walsh + . + .SH "SEE ALSO" + .BR avc_open (3), ++.BR selinux_status_open (3), ++.BR selinux_status_updated (3), + .BR selinux_set_callback (3), + .BR selinux (8) +diff --git a/libselinux/man/man3/avc_netlink_loop.3 b/libselinux/man/man3/avc_netlink_loop.3 +index c8268a124df0..f03d78138d8c 100644 +--- a/libselinux/man/man3/avc_netlink_loop.3 ++++ b/libselinux/man/man3/avc_netlink_loop.3 +@@ -54,6 +54,11 @@ closes the netlink socket. This function is called automatically by + returns the netlink socket descriptor number and informs the userspace AVC + not to check the socket descriptor automatically on calls to + .BR avc_has_perm (3). ++If no such socket descriptor exists, ++.BR avc_netlink_acquire_fd (3) ++will first call ++.BR avc_netlink_open (3) ++and then return the resulting fd. + + .BR avc_netlink_release_fd () + returns control of the netlink socket to the userspace AVC, re-enabling +@@ -78,6 +83,9 @@ with a return value return zero on success. On error, \-1 is returned and + .I errno + is set appropriately. + . ++.SH "AUTHOR" ++Originally KaiGai Kohei. Updated by Mike Palmiotto ++. 
+ .SH "SEE ALSO" + .BR avc_open (3), + .BR selinux_set_callback (3), +diff --git a/libselinux/man/man3/avc_open.3 b/libselinux/man/man3/avc_open.3 +index 5b275a8ee040..3090dd5077c7 100644 +--- a/libselinux/man/man3/avc_open.3 ++++ b/libselinux/man/man3/avc_open.3 +@@ -46,10 +46,37 @@ include the following: + .B AVC_OPT_SETENFORCE + This option forces the userspace AVC into enforcing mode if the option value is non-NULL; permissive mode otherwise. The system enforcing mode will be ignored. + . +-.SH "NETLINK NOTIFICATION" +-Beginning with version 2.6.4, the Linux kernel supports SELinux status change notification via netlink. Two message types are currently implemented, indicating changes to the enforcing mode and to the loaded policy in the kernel, respectively. The userspace AVC listens for these messages and takes the appropriate action, modifying the behavior of ++.SH "KERNEL STATUS PAGE" ++Linux kernel version 2.6.37 supports the SELinux kernel status page, enabling userspace applications to ++.BR mmap (2) ++SELinux status state in read-only mode to avoid system calls during the cache hit code path. ++ ++.BR avc_open () ++calls ++.BR selinux_status_open (3) ++to initialize the selinux status state. ++ + .BR avc_has_perm (3) +-to reflect the current enforcing mode and flushing the cache on receipt of a policy load notification. Audit messages are produced when netlink notifications are processed. ++and ++.BR selinux_check_access (3) ++both check for status updates through calls to ++.BR selinux_status_updated (3) ++at the start of each permission query and take the appropriate action. ++ ++Two status types are currently implemented. ++.B setenforce ++events will change the effective enforcing state used within the AVC, and ++.B policyload ++events will result in a cache flush. ++. 
++.SH "NETLINK NOTIFICATION" ++In the event that the kernel status page is not successfully ++.BR mmap (2)'ed ++the AVC will default to the netlink fallback mechanism, which opens a netlink socket for receiving status updates. ++.B setenforce ++and ++.B policyload ++events will have the same results as for the status page implementation, but all status update checks will now require a system call. + . + .SH "RETURN VALUE" + Functions with a return value return zero on success. On error, \-1 is returned and +@@ -61,9 +88,12 @@ Eamon Walsh + . + .SH "SEE ALSO" + .BR selinux (8), ++.BR selinux_check_access (3), + .BR avc_has_perm (3), + .BR avc_context_to_sid (3), + .BR avc_cache_stats (3), + .BR avc_add_callback (3), ++.BR selinux_status_open (3), ++.BR selinux_status_updated (3), + .BR selinux_set_callback (3), + .BR security_compute_av (3) +diff --git a/libselinux/man/man3/selinux_status_open.3 b/libselinux/man/man3/selinux_status_open.3 +index 2d44be57cbbc..5c9da2f61d19 100644 +--- a/libselinux/man/man3/selinux_status_open.3 ++++ b/libselinux/man/man3/selinux_status_open.3 +@@ -48,7 +48,7 @@ Set 1 on the + argument to handle a case of older kernels without kernel status page support. + In this case, this function tries to open a netlink socket using + .BR avc_netlink_open (3) +-and overwrite corresponding callbacks ( setenforce and policyload). ++and overwrite corresponding callbacks (setenforce and policyload). + Thus, we need to pay attention to the interaction with these interfaces, + when fallback mode is enabled. + .sp +@@ -57,9 +57,14 @@ unmap the kernel status page and close its file descriptor, or close the + netlink socket if fallbacked. + .sp + .BR selinux_status_updated () +-informs us whether something has been updated since the last call. +-It returns 0 if nothing was happened, however, 1 if something has been +-updated in this duration, or \-1 on error. ++processes status update events. There are two kinds of status updates. 
++.B setenforce ++events will change the effective enforcing state used within the AVC, and ++.B policyload ++events will result in a cache flush. ++ ++This function returns 0 if there have been no updates since the last call, ++1 if there have been updates since the last call, or \-1 on error. + .sp + .BR selinux_status_getenforce () + returns 0 if SELinux is running in permissive mode, 1 if enforcing mode, +diff --git a/libselinux/src/avc.c b/libselinux/src/avc.c +index b4648b2de170..8314d7ba3de6 100644 +--- a/libselinux/src/avc.c ++++ b/libselinux/src/avc.c +@@ -50,7 +50,6 @@ struct avc_callback_node { + struct avc_callback_node *next; + }; + +-static void *avc_netlink_thread = NULL; + static void *avc_lock = NULL; + static void *avc_log_lock = NULL; + static struct avc_node *avc_node_freelist = NULL; +@@ -215,17 +214,13 @@ static int avc_init_internal(const char *prefix, + avc_enforcing = rc; + } + +- rc = avc_netlink_open(0); ++ rc = selinux_status_open(1); + if (rc < 0) { + avc_log(SELINUX_ERROR, +- "%s: can't open netlink socket: %d (%s)\n", ++ "%s: could not open selinux status page: %d (%s)\n", + avc_prefix, errno, strerror(errno)); + goto out; + } +- if (avc_using_threads) { +- avc_netlink_thread = avc_create_thread(&avc_netlink_loop); +- avc_netlink_trouble = 0; +- } + avc_running = 1; + out: + return rc; +@@ -557,9 +552,7 @@ void avc_destroy(void) + + avc_get_lock(avc_lock); + +- if (avc_using_threads) +- avc_stop_thread(avc_netlink_thread); +- avc_netlink_close(); ++ selinux_status_close(); + + for (i = 0; i < AVC_CACHE_SLOTS; i++) { + node = avc_cache.slots[i]; +@@ -766,7 +759,7 @@ int avc_has_perm_noaudit(security_id_t ssid, + avd_init(avd); + + if (!avc_using_threads && !avc_app_main_loop) { +- (void)avc_netlink_check_nb(); ++ (void) selinux_status_updated(); + } + + if (!aeref) { +diff --git a/libselinux/src/avc_internal.c b/libselinux/src/avc_internal.c +index 568a3d928ac1..4ef924527e10 100644 +--- a/libselinux/src/avc_internal.c ++++ 
b/libselinux/src/avc_internal.c +@@ -53,6 +53,49 @@ int avc_enforcing = 1; + int avc_setenforce = 0; + int avc_netlink_trouble = 0; + ++/* process setenforce events for netlink and sestatus */ ++int avc_process_setenforce(int enforcing) ++{ ++ int rc = 0; ++ ++ avc_log(SELINUX_INFO, ++ "%s: received setenforce notice (enforcing=%d)\n", ++ avc_prefix, enforcing); ++ if (avc_setenforce) ++ goto out; ++ avc_enforcing = enforcing; ++ if (avc_enforcing && (rc = avc_ss_reset(0)) < 0) { ++ avc_log(SELINUX_ERROR, ++ "%s: cache reset returned %d (errno %d)\n", ++ avc_prefix, rc, errno); ++ return rc; ++ } ++ ++out: ++ return selinux_netlink_setenforce(enforcing); ++} ++ ++/* process policyload events for netlink and sestatus */ ++int avc_process_policyload(uint32_t seqno) ++{ ++ int rc = 0; ++ ++ avc_log(SELINUX_INFO, ++ "%s: received policyload notice (seqno=%u)\n", ++ avc_prefix, seqno); ++ rc = avc_ss_reset(seqno); ++ if (rc < 0) { ++ avc_log(SELINUX_ERROR, ++ "%s: cache reset returned %d (errno %d)\n", ++ avc_prefix, rc, errno); ++ return rc; ++ } ++ ++ selinux_flush_class_cache(); ++ ++ return selinux_netlink_policyload(seqno); ++} ++ + /* netlink socket code */ + static int fd = -1; + +@@ -177,20 +220,7 @@ static int avc_netlink_process(void *buf) + + case SELNL_MSG_SETENFORCE:{ + struct selnl_msg_setenforce *msg = NLMSG_DATA(nlh); +- msg->val = !!msg->val; +- avc_log(SELINUX_INFO, +- "%s: received setenforce notice (enforcing=%d)\n", +- avc_prefix, msg->val); +- if (avc_setenforce) +- break; +- avc_enforcing = msg->val; +- if (avc_enforcing && (rc = avc_ss_reset(0)) < 0) { +- avc_log(SELINUX_ERROR, +- "%s: cache reset returned %d (errno %d)\n", +- avc_prefix, rc, errno); +- return rc; +- } +- rc = selinux_netlink_setenforce(msg->val); ++ rc = avc_process_setenforce(!!msg->val); + if (rc < 0) + return rc; + break; +@@ -198,18 +228,7 @@ static int avc_netlink_process(void *buf) + + case SELNL_MSG_POLICYLOAD:{ + struct selnl_msg_policyload *msg = NLMSG_DATA(nlh); +- 
avc_log(SELINUX_INFO, +- "%s: received policyload notice (seqno=%u)\n", +- avc_prefix, msg->seqno); +- rc = avc_ss_reset(msg->seqno); +- if (rc < 0) { +- avc_log(SELINUX_ERROR, +- "%s: cache reset returned %d (errno %d)\n", +- avc_prefix, rc, errno); +- return rc; +- } +- selinux_flush_class_cache(); +- rc = selinux_netlink_policyload(msg->seqno); ++ rc = avc_process_policyload(msg->seqno); + if (rc < 0) + return rc; + break; +@@ -284,6 +303,17 @@ void avc_netlink_loop(void) + + int avc_netlink_acquire_fd(void) + { ++ if (fd < 0) { ++ int rc = 0; ++ rc = avc_netlink_open(0); ++ if (rc < 0) { ++ avc_log(SELINUX_ERROR, ++ "%s: could not open netlink socket: %d (%s)\n", ++ avc_prefix, errno, strerror(errno)); ++ return rc; ++ } ++ } ++ + avc_app_main_loop = 1; + + return fd; +diff --git a/libselinux/src/avc_internal.h b/libselinux/src/avc_internal.h +index 3f8a6bb1cf84..da67affc9307 100644 +--- a/libselinux/src/avc_internal.h ++++ b/libselinux/src/avc_internal.h +@@ -32,6 +32,10 @@ extern void (*avc_func_get_lock) (void *); + extern void (*avc_func_release_lock) (void *); + extern void (*avc_func_free_lock) (void *); + ++/* selinux status processing for netlink and sestatus */ ++extern int avc_process_setenforce(int enforcing); ++extern int avc_process_policyload(uint32_t seqno); ++ + static inline void set_callbacks(const struct avc_memory_callback *mem_cb, + const struct avc_log_callback *log_cb, + const struct avc_thread_callback *thread_cb, +diff --git a/libselinux/src/checkAccess.c b/libselinux/src/checkAccess.c +index 3491fded7895..b337ea64f977 100644 +--- a/libselinux/src/checkAccess.c ++++ b/libselinux/src/checkAccess.c +@@ -39,7 +39,7 @@ int selinux_check_access(const char *scon, const char *tcon, const char *class, + if (rc < 0) + return rc; + +- (void) avc_netlink_check_nb(); ++ (void) selinux_status_updated(); + + sclass = string_to_security_class(class); + if (sclass == 0) { +diff --git a/libselinux/src/sestatus.c b/libselinux/src/sestatus.c +index 
86267ff89646..814e86ee10e7 100644 +--- a/libselinux/src/sestatus.c ++++ b/libselinux/src/sestatus.c +@@ -39,11 +39,14 @@ struct selinux_status_t + static struct selinux_status_t *selinux_status = NULL; + static int selinux_status_fd; + static uint32_t last_seqno; ++static uint32_t last_policyload; + + static uint32_t fallback_sequence; + static int fallback_enforcing; + static int fallback_policyload; + ++static void *fallback_netlink_thread = NULL; ++ + /* + * read_sequence + * +@@ -116,6 +119,15 @@ int selinux_status_updated(void) + + if (last_seqno != curr_seqno) + { ++ if (avc_enforcing != (int) selinux_status->enforcing) { ++ if (avc_process_setenforce(selinux_status->enforcing) < 0) ++ return -1; ++ } ++ if (last_policyload != selinux_status->policyload) { ++ if (avc_process_policyload(selinux_status->policyload) < 0) ++ return -1; ++ last_policyload = selinux_status->policyload; ++ } + last_seqno = curr_seqno; + result = 1; + } +@@ -282,6 +294,9 @@ int selinux_status_open(int fallback) + selinux_status_fd = fd; + last_seqno = (uint32_t)(-1); + ++ /* No need to use avc threads if the kernel status page is available */ ++ avc_using_threads = 0; ++ + return 0; + + error: +@@ -305,6 +320,12 @@ error: + selinux_status_fd = avc_netlink_acquire_fd(); + last_seqno = (uint32_t)(-1); + ++ if (avc_using_threads) ++ { ++ fallback_netlink_thread = avc_create_thread(&avc_netlink_loop); ++ avc_netlink_trouble = 0; ++ } ++ + fallback_sequence = 0; + fallback_enforcing = security_getenforce(); + fallback_policyload = 0; +@@ -333,6 +354,9 @@ void selinux_status_close(void) + /* fallback-mode */ + if (selinux_status == MAP_FAILED) + { ++ if (avc_using_threads) ++ avc_stop_thread(fallback_netlink_thread); ++ + avc_netlink_release_fd(); + avc_netlink_close(); + selinux_status = NULL; +-- +2.29.0 + diff --git a/0002-libselinux-fix-build-order.patch b/0002-libselinux-fix-build-order.patch new file mode 100644 index 0000000..00260c6 --- /dev/null 
+++ b/0002-libselinux-fix-build-order.patch @@ -0,0 +1,27 @@ +From e7abd802d4d8541627c590424a6578348ee6032b Mon Sep 17 00:00:00 2001 +From: Stephen Smalley +Date: Thu, 6 Aug 2020 10:46:38 -0400 +Subject: [PATCH] libselinux: fix build order + +We need to install the include files before we try to build the source. +Otherwise, make DESTDIR=~/obj install can fail if there are older +headers under /usr/include. + +Signed-off-by: Stephen Smalley +--- + libselinux/Makefile | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/libselinux/Makefile b/libselinux/Makefile +index 16531fe95bf5..6a43b243f4da 100644 +--- a/libselinux/Makefile ++++ b/libselinux/Makefile +@@ -1,4 +1,4 @@ +-SUBDIRS = src include utils man ++SUBDIRS = include src utils man + + PKG_CONFIG ?= pkg-config + DISABLE_SETRANS ?= n +-- +2.29.0 + diff --git a/0003-libselinux-use-full-argument-specifiers-for-security.patch b/0003-libselinux-use-full-argument-specifiers-for-security.patch new file mode 100644 index 0000000..f8b0cc9 --- /dev/null +++ b/0003-libselinux-use-full-argument-specifiers-for-security.patch 
@@ -0,0 +1,38 @@ +From 21fb5f20da225cff23fd811f57cdaec5e9d7badb Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Christian=20G=C3=B6ttsche?= +Date: Thu, 20 Aug 2020 17:15:51 +0200 +Subject: [PATCH] libselinux: use full argument specifiers for + security_check_context in man page +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +The argument for security_check_context(_raw) is defined as `const char *`. + +Say so in the man page. + +Signed-off-by: Christian Göttsche +Acked-by: Stephen Smalley +--- + libselinux/man/man3/security_check_context.3 | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/libselinux/man/man3/security_check_context.3 b/libselinux/man/man3/security_check_context.3 +index 2b9a2d4c8b6a..213ac282588f 100644 +--- a/libselinux/man/man3/security_check_context.3 ++++ b/libselinux/man/man3/security_check_context.3 +@@ -5,9 +5,9 @@ security_check_context \- check the validity of a SELinux context + .SH "SYNOPSIS" + .B #include + .sp +-.BI "int security_check_context(char *" con ); ++.BI "int security_check_context(const char *" con ); + .sp +-.BI "int security_check_context_raw(char *" con ); ++.BI "int security_check_context_raw(const char *" con ); + . + .SH "DESCRIPTION" + .BR security_check_context () +-- +2.29.0 + diff --git a/0004-libselinux-Remove-trailing-slash-on-selabel_file-loo.patch b/0004-libselinux-Remove-trailing-slash-on-selabel_file-loo.patch new file mode 100644 index 0000000..d07a4e0 --- /dev/null +++ b/0004-libselinux-Remove-trailing-slash-on-selabel_file-loo.patch 
@@ -0,0 +1,64 @@ +From 9e4480b921bb50f59b064e842362b26b87e36bbd Mon Sep 17 00:00:00 2001 +From: Chris PeBenito +Date: Mon, 24 Aug 2020 09:44:16 -0400 +Subject: [PATCH] libselinux: Remove trailing slash on selabel_file lookups. + +Having a trailing slash on a file lookup, e.g. "/some/path/", can +cause a different result, for example, when file contexts are written to have +the directory have a different label than the contents. This is inconsistent +with normal Linux behaviors where trailing slashes are ignored. + +Many callers already strip the trailing slash before the lookup or users +revise the file contexts to work around this. This fixes it comprehensively. + +v2: fix length issues + +Signed-off-by: Chris PeBenito +Acked-by: Stephen Smalley +--- + libselinux/src/label_file.c | 22 ++++++++++++++++++++++ + 1 file changed, 22 insertions(+) + +diff --git a/libselinux/src/label_file.c b/libselinux/src/label_file.c +index 412904d14c06..6eeeea68aea4 100644 +--- a/libselinux/src/label_file.c ++++ b/libselinux/src/label_file.c +@@ -854,6 +854,7 @@ static const struct spec **lookup_all(struct selabel_handle *rec, + struct saved_data *data = (struct saved_data *)rec->data; + struct spec *spec_arr = data->spec_arr; + int i, rc, file_stem; ++ size_t len; + mode_t mode = (mode_t)type; + char *clean_key = NULL; + const char *prev_slash, *next_slash; +@@ -894,6 +895,27 @@ static const struct spec **lookup_all(struct selabel_handle *rec, + key = clean_key; + } + ++ /* remove trailing slash */ ++ len = strlen(key); ++ if (len == 0) { ++ errno = EINVAL; ++ goto finish; ++ } ++ ++ if (key[len - 1] == '/') { ++ /* reuse clean_key from above if available */ ++ if (!clean_key) { ++ clean_key = (char *) malloc(len); ++ if (!clean_key) ++ goto finish; ++ ++ strncpy(clean_key, key, len - 1); ++ } ++ ++ clean_key[len - 1] = '\0'; ++ key = clean_key; ++ } ++ + sub = selabel_sub_key(data, key); + if (sub) + key = sub; +-- +2.29.0 + 
diff --git a/0005-libselinux-safely-access-shared-memory-in-selinux_st.patch b/0005-libselinux-safely-access-shared-memory-in-selinux_st.patch new file mode 100644 index 0000000..4c6c6b2 --- /dev/null +++ b/0005-libselinux-safely-access-shared-memory-in-selinux_st.patch 
@@ -0,0 +1,80 @@ +From ef902db9c842553fd1a6a81068f3d844d487f2fb Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Christian=20G=C3=B6ttsche?= +Date: Tue, 25 Aug 2020 17:32:04 +0200 +Subject: [PATCH] libselinux: safely access shared memory in + selinux_status_updated() +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +Access the shared nenory safe in regard to consistent view of the SELinux +kernel status page - not in regard to thread-safety. + +Signed-off-by: Christian Göttsche +Acked-by: Stephen Smalley +--- + libselinux/src/sestatus.c | 40 ++++++++++++++++++++++++--------------- + 1 file changed, 25 insertions(+), 15 deletions(-) + +diff --git a/libselinux/src/sestatus.c b/libselinux/src/sestatus.c +index 814e86ee10e7..ca2d3bbf9cb2 100644 +--- a/libselinux/src/sestatus.c ++++ b/libselinux/src/sestatus.c +@@ -91,7 +91,9 @@ static inline uint32_t read_sequence(struct selinux_status_t *status) + int selinux_status_updated(void) + { + uint32_t curr_seqno; +- int result = 0; ++ uint32_t tmp_seqno; ++ uint32_t enforcing; ++ uint32_t policyload; + + if (selinux_status == NULL) { + errno = EINVAL; +@@ -117,21 +119,29 @@ int selinux_status_updated(void) + if (last_seqno & 0x0001) + last_seqno = curr_seqno; + +- if (last_seqno != curr_seqno) +- { +- if (avc_enforcing != (int) selinux_status->enforcing) { +- if (avc_process_setenforce(selinux_status->enforcing) < 0) +- return -1; +- } +- if (last_policyload != selinux_status->policyload) { +- if (avc_process_policyload(selinux_status->policyload) < 0) +- return -1; +- last_policyload = selinux_status->policyload; +- } +- last_seqno = curr_seqno; +- result = 1; ++ if (last_seqno == curr_seqno) ++ return 0; ++ ++ /* sequence must not be changed during references */ ++ do { ++ enforcing = selinux_status->enforcing; ++ policyload = selinux_status->policyload; ++ tmp_seqno = curr_seqno; ++ curr_seqno = read_sequence(selinux_status); ++ } while (tmp_seqno != curr_seqno); ++ ++ if 
(avc_enforcing != (int) enforcing) { ++ if (avc_process_setenforce(enforcing) < 0) ++ return -1; ++ } ++ if (last_policyload != policyload) { ++ if (avc_process_policyload(policyload) < 0) ++ return -1; ++ last_policyload = policyload; + } +- return result; ++ last_seqno = curr_seqno; ++ ++ return 1; + } + + /* +-- +2.29.0 + diff --git a/0006-libselinux-initialize-last_policyload-in-selinux_sta.patch b/0006-libselinux-initialize-last_policyload-in-selinux_sta.patch new file mode 100644 index 0000000..ed147be --- /dev/null +++ b/0006-libselinux-initialize-last_policyload-in-selinux_sta.patch 
@@ -0,0 +1,54 @@ +From a63f93d83b57f1a10712c5fcd29be246e8eff20d Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Christian=20G=C3=B6ttsche?= +Date: Tue, 25 Aug 2020 17:32:05 +0200 +Subject: [PATCH] libselinux: initialize last_policyload in + selinux_status_open() +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +If not initialized to the current policyload count, an enforcing change +will trigger policyload-callbacks in selinux_status_updated(). + +Signed-off-by: Christian Göttsche +Acked-by: Stephen Smalley +--- + libselinux/src/sestatus.c | 15 ++++++++++++--- + 1 file changed, 12 insertions(+), 3 deletions(-) + +diff --git a/libselinux/src/sestatus.c b/libselinux/src/sestatus.c +index ca2d3bbf9cb2..9ff2785d876a 100644 +--- a/libselinux/src/sestatus.c ++++ b/libselinux/src/sestatus.c +@@ -278,9 +278,10 @@ static int fallback_cb_policyload(int policyload) + */ + int selinux_status_open(int fallback) + { +- int fd; +- char path[PATH_MAX]; +- long pagesize; ++ int fd; ++ char path[PATH_MAX]; ++ long pagesize; ++ uint32_t seqno; + + if (!selinux_mnt) { + errno = ENOENT; +@@ -304,6 +305,14 @@ int selinux_status_open(int fallback) + selinux_status_fd = fd; + last_seqno = (uint32_t)(-1); + ++ /* sequence must not be changed during references */ ++ do { ++ seqno = read_sequence(selinux_status); ++ ++ last_policyload = selinux_status->policyload; ++ ++ } while (seqno != read_sequence(selinux_status)); ++ + /* No need to use avc threads if the kernel status page is available */ + avc_using_threads = 0; + +-- +2.29.0 + diff --git a/0007-libselinux-Add-new-log-callback-levels-for-enforcing.patch b/0007-libselinux-Add-new-log-callback-levels-for-enforcing.patch new file mode 100644 index 0000000..cb224c0 --- /dev/null +++ b/0007-libselinux-Add-new-log-callback-levels-for-enforcing.patch 
@@ -0,0 +1,71 @@ +From a4149e0eab50092699f05217cbf10a60d84d8d20 Mon Sep 17 00:00:00 2001 +From: Chris PeBenito +Date: Thu, 27 Aug 2020 08:58:39 -0400 +Subject: [PATCH] libselinux: Add new log callback levels for enforcing and + policy load notices. + +This will enable userspace object managers to send proper audits for policy +loads and setenforce messages generated by the userspace AVC code. + +Signed-off-by: Chris PeBenito +Acked-by: Stephen Smalley +--- + libselinux/include/selinux/selinux.h | 2 ++ + libselinux/man/man3/selinux_set_callback.3 | 5 +++++ + libselinux/src/avc_internal.c | 4 ++-- + 3 files changed, 9 insertions(+), 2 deletions(-) + +diff --git a/libselinux/include/selinux/selinux.h b/libselinux/include/selinux/selinux.h +index c22834e58418..ae98a92e393e 100644 +--- a/libselinux/include/selinux/selinux.h ++++ b/libselinux/include/selinux/selinux.h +@@ -182,6 +182,8 @@ extern void selinux_set_callback(int type, union selinux_callback cb); + #define SELINUX_WARNING 1 + #define SELINUX_INFO 2 + #define SELINUX_AVC 3 ++#define SELINUX_POLICYLOAD 4 ++#define SELINUX_SETENFORCE 5 + #define SELINUX_TRANS_DIR "/var/run/setrans" + + /* Compute an access decision. */ +diff --git a/libselinux/man/man3/selinux_set_callback.3 b/libselinux/man/man3/selinux_set_callback.3 +index a4c613ad5d85..6dfe5ff6050f 100644 +--- a/libselinux/man/man3/selinux_set_callback.3 ++++ b/libselinux/man/man3/selinux_set_callback.3 +@@ -46,6 +46,11 @@ argument indicates the type of message and will be set to one of the following: + .B SELINUX_INFO + + .B SELINUX_AVC ++ ++.B SELINUX_POLICYLOAD ++ ++.B SELINUX_SETENFORCE ++ + . 
+ .TP + .B SELINUX_CB_AUDIT +diff --git a/libselinux/src/avc_internal.c b/libselinux/src/avc_internal.c +index 4ef924527e10..572b2159c3ed 100644 +--- a/libselinux/src/avc_internal.c ++++ b/libselinux/src/avc_internal.c +@@ -58,7 +58,7 @@ int avc_process_setenforce(int enforcing) + { + int rc = 0; + +- avc_log(SELINUX_INFO, ++ avc_log(SELINUX_SETENFORCE, + "%s: received setenforce notice (enforcing=%d)\n", + avc_prefix, enforcing); + if (avc_setenforce) +@@ -80,7 +80,7 @@ int avc_process_policyload(uint32_t seqno) + { + int rc = 0; + +- avc_log(SELINUX_INFO, ++ avc_log(SELINUX_POLICYLOAD, + "%s: received policyload notice (seqno=%u)\n", + avc_prefix, seqno); + rc = avc_ss_reset(seqno); +-- +2.29.0 + diff --git a/0008-libselinux-Fix-selabel_lookup-for-the-root-dir.patch b/0008-libselinux-Fix-selabel_lookup-for-the-root-dir.patch new file mode 100644 index 0000000..6328c0b --- /dev/null +++ b/0008-libselinux-Fix-selabel_lookup-for-the-root-dir.patch @@ -0,0 +1,30 @@ +From 075f9cfe7a0105e14e878b5617e80d391d016e08 Mon Sep 17 00:00:00 2001 +From: Chris PeBenito +Date: Fri, 11 Sep 2020 15:56:14 -0400 +Subject: [PATCH] libselinux: Fix selabel_lookup() for the root dir. + +9e4480b921bb ("Remove trailing slash on selabel_file lookups.") introduced +a bug which turns the root directory lookup "/" into an empty string. + +Signed-off-by: Chris PeBenito +Acked-by: Stephen Smalley +--- + libselinux/src/label_file.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/libselinux/src/label_file.c b/libselinux/src/label_file.c +index 6eeeea68aea4..726394ca4332 100644 +--- a/libselinux/src/label_file.c ++++ b/libselinux/src/label_file.c +@@ -902,7 +902,7 @@ static const struct spec **lookup_all(struct selabel_handle *rec, + goto finish; + } + +- if (key[len - 1] == '/') { ++ if (len > 1 && key[len - 1] == '/') { + /* reuse clean_key from above if available */ + if (!clean_key) { + clean_key = (char *) malloc(len); +-- +2.29.0 + 
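Review bot: the selinux.h hunk adds two new values a SELINUX_CB_LOG callback can receive, and the avc_internal.c hunks below immediately start sending the setenforce and policyload notices with them instead of SELINUX_INFO; a callback built against the old header that switches on `type` and drops unknown values will silently lose those notices after this change. Call that out in the commit message and tell callback authors to treat unrecognised types as SELINUX_INFO.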
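Review bot: the selinux_set_callback.3 hunk lists `.B SELINUX_POLICYLOAD` and `.B SELINUX_SETENFORCE` with no description; add a line for each saying that they carry the userspace AVC's policy load and setenforce notices, so the man page explains the values it introduces.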
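Review bot: `len > 1 && key[len - 1] == '/'` restores the lookup for "/" and, as a side effect, also short-circuits the `len == 0` case so `key[-1]` is never read; mention that in the commit message. A regression test for a root-directory lookup in the selabel_file tests would keep the earlier trailing-slash change from breaking this again.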
diff --git a/0009-libselinux-Add-additional-log-callback-details-in-ma.patch b/0009-libselinux-Add-additional-log-callback-details-in-ma.patch new file mode 100644 index 0000000..b0d892c --- /dev/null +++ b/0009-libselinux-Add-additional-log-callback-details-in-ma.patch @@ -0,0 +1,38 @@ +From f5d644c7e633042b04189bfa428d88b9bb985f36 Mon Sep 17 00:00:00 2001 +From: Chris PeBenito +Date: Tue, 15 Sep 2020 13:33:31 -0400 +Subject: [PATCH] libselinux: Add additional log callback details in man page + for auditing. + +Add additional information about the log callback message types. Indicate +which types could be audited and the relevant audit record types for them. + +Signed-off-by: Chris PeBenito +Acked-by: Stephen Smalley +--- + libselinux/man/man3/selinux_set_callback.3 | 9 +++++++++ + 1 file changed, 9 insertions(+) + +diff --git a/libselinux/man/man3/selinux_set_callback.3 b/libselinux/man/man3/selinux_set_callback.3 +index 6dfe5ff6050f..75f49b06d836 100644 +--- a/libselinux/man/man3/selinux_set_callback.3 ++++ b/libselinux/man/man3/selinux_set_callback.3 +@@ -51,6 +51,15 @@ argument indicates the type of message and will be set to one of the following: + + .B SELINUX_SETENFORCE + ++SELINUX_ERROR, SELINUX_WARNING, and SELINUX_INFO indicate standard log severity ++levels and are not auditable messages. ++ ++The SELINUX_AVC, SELINUX_POLICYLOAD, and SELINUX_SETENFORCE message types can be ++audited with AUDIT_USER_AVC, AUDIT_USER_MAC_POLICY_LOAD, and AUDIT_USER_MAC_STATUS ++values from libaudit, respectively. If they are not audited, SELINUX_AVC should be ++considered equivalent to SELINUX_ERROR; similarly, SELINUX_POLICYLOAD and ++SELINUX_SETENFORCE should be considered equivalent to SELINUX_INFO. ++ + . + .TP + .B SELINUX_CB_AUDIT +-- +2.29.0 + diff --git a/0010-libselinux-Change-userspace-AVC-setenforce-and-polic.patch b/0010-libselinux-Change-userspace-AVC-setenforce-and-polic.patch new file mode 100644 index 0000000..1e36c7e --- /dev/null 
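Review bot: the man page paragraph tells a callback which audit record type goes with each of SELINUX_AVC, SELINUX_POLICYLOAD and SELINUX_SETENFORCE, but not how to handle a `type` value it does not recognise (older callback, newer library); the last sentence already equates the new types to SELINUX_INFO when unaudited, so add that unknown types should be treated the same way. Formatting: the type and record names are plain text here while the entries above use `.B`; `\fBSELINUX_AVC\fR` style would keep the page consistent.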
+++ b/0010-libselinux-Change-userspace-AVC-setenforce-and-polic.patch @@ -0,0 +1,37 @@ +From 7ef5b1854f75056d23e60aabc86706dfed622669 Mon Sep 17 00:00:00 2001 +From: Chris PeBenito +Date: Tue, 15 Sep 2020 13:33:32 -0400 +Subject: [PATCH] libselinux: Change userspace AVC setenforce and policy load + messages to audit format. + +Signed-off-by: Chris PeBenito +Acked-by: Stephen Smalley +--- + libselinux/src/avc_internal.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/libselinux/src/avc_internal.c b/libselinux/src/avc_internal.c +index 572b2159c3ed..53a99a1fe957 100644 +--- a/libselinux/src/avc_internal.c ++++ b/libselinux/src/avc_internal.c +@@ -59,7 +59,7 @@ int avc_process_setenforce(int enforcing) + int rc = 0; + + avc_log(SELINUX_SETENFORCE, +- "%s: received setenforce notice (enforcing=%d)\n", ++ "%s: op=setenforce lsm=selinux enforcing=%d res=1", + avc_prefix, enforcing); + if (avc_setenforce) + goto out; +@@ -81,7 +81,7 @@ int avc_process_policyload(uint32_t seqno) + int rc = 0; + + avc_log(SELINUX_POLICYLOAD, +- "%s: received policyload notice (seqno=%u)\n", ++ "%s: op=load_policy lsm=selinux seqno=%u res=1", + avc_prefix, seqno); + rc = avc_ss_reset(seqno); + if (rc < 0) { +-- +2.29.0 + diff --git a/0011-libselinux-convert-matchpathcon-to-selabel_lookup.patch b/0011-libselinux-convert-matchpathcon-to-selabel_lookup.patch new file mode 100644 index 0000000..0ddec2b --- /dev/null +++ b/0011-libselinux-convert-matchpathcon-to-selabel_lookup.patch 
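Review bot: the setenforce hunk drops the trailing `\n` from the format string while every other avc_log() message keeps one; that is right for an audit payload, but the default path that writes avc_log() output to stderr when no log callback is registered will now run this message into the next line, so confirm that path adds its own newline for SELINUX_SETENFORCE and SELINUX_POLICYLOAD.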
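Review bot: in the policyload hunk `res=1` is written before `rc = avc_ss_reset(seqno)` runs, so the audit record reports success even when the reset fails and the `if (rc < 0)` branch below is taken; move the avc_log() after the reset and emit `res=%d` from rc (1 for success, 0 for failure), or log a second record with `res=0` in the error branch.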
@@ -0,0 +1,208 @@ +From d23342a9de2c30f72a3edb13455753caaf259589 Mon Sep 17 00:00:00 2001 +From: Nicolas Iooss +Date: Sun, 4 Oct 2020 16:03:39 +0200 +Subject: [PATCH] libselinux: convert matchpathcon to selabel_lookup() + +Function matchpathcon() is deprecated in favor of selabel_lookup() but +program "matchpathcon" is much easier to use than "selabel_loopkup" to +find the file context which would be applied to some files and +directories. + +More precisely: + + matchpathcon /path/to/my/file + +is easier to type and remember than: + + selabel_lookup -b file -k /path/to/my/file + +It also allows performing multiple context searches in one command, +where selabel_lookup cannot use multiple -k options. + +Migrate matchpathcon to the preferred API. + +Signed-off-by: Nicolas Iooss +Acked-by: Petr Lautrbach +--- + libselinux/utils/Makefile | 2 - + libselinux/utils/matchpathcon.c | 87 ++++++++++++++------------------- + 2 files changed, 38 insertions(+), 51 deletions(-) + +diff --git a/libselinux/utils/Makefile b/libselinux/utils/Makefile +index aa2d3e1b144f..b018a08acbe0 100644 +--- a/libselinux/utils/Makefile ++++ b/libselinux/utils/Makefile +@@ -56,8 +56,6 @@ sefcontext_compile: LDLIBS += $(PCRE_LDLIBS) ../src/libselinux.a -lsepol + + sefcontext_compile: sefcontext_compile.o ../src/regex.o + +-matchpathcon: CFLAGS += -Wno-deprecated-declarations +- + all: $(TARGETS) + + install: all +diff --git a/libselinux/utils/matchpathcon.c b/libselinux/utils/matchpathcon.c +index cc018d213f4c..a07e160dee71 100644 +--- a/libselinux/utils/matchpathcon.c ++++ b/libselinux/utils/matchpathcon.c +@@ -1,15 +1,14 @@ +-#include +-#include +-#include +-#include + #include +-#include ++#include + #include +-#include +-#include ++#include + #include +-#include ++#include + #include ++#include ++#include ++#include ++#include + + static __attribute__ ((__noreturn__)) void usage(const char *progname) + { +@@ -19,15 +18,21 @@ static __attribute__ ((__noreturn__)) void usage(const char *progname) 
+ exit(1); + } + +-static int printmatchpathcon(const char *path, int header, int mode) ++static int printmatchpathcon(struct selabel_handle *hnd, const char *path, int header, int mode, int notrans) + { +- char *buf; +- int rc = matchpathcon(path, mode, &buf); ++ char *buf = NULL; ++ int rc; ++ ++ if (notrans) { ++ rc = selabel_lookup_raw(hnd, &buf, path, mode); ++ } else { ++ rc = selabel_lookup(hnd, &buf, path, mode); ++ } + if (rc < 0) { + if (errno == ENOENT) { + buf = strdup("<>"); + } else { +- fprintf(stderr, "matchpathcon(%s) failed: %s\n", path, ++ fprintf(stderr, "selabel_lookup(%s) failed: %s\n", path, + strerror(errno)); + return 1; + } +@@ -66,15 +71,14 @@ static mode_t string_to_mode(char *s) + + int main(int argc, char **argv) + { +- int i, init = 0, force_mode = 0; ++ int i, force_mode = 0; + int header = 1, opt; + int verify = 0; + int notrans = 0; + int error = 0; + int quiet = 0; +- +- fprintf(stderr, +- "Deprecated, use selabel_lookup\n"); ++ struct selabel_handle *hnd; ++ struct selinux_opt options[SELABEL_NOPT] = {}; + + if (argc < 2) + usage(argv[0]); +@@ -96,23 +100,10 @@ int main(int argc, char **argv) + break; + case 'N': + notrans = 1; +- set_matchpathcon_flags(MATCHPATHCON_NOTRANS); + break; + case 'f': +- if (init) { +- fprintf(stderr, +- "%s: -f and -p are exclusive\n", +- argv[0]); +- exit(1); +- } +- init = 1; +- if (matchpathcon_init(optarg)) { +- fprintf(stderr, +- "Error while processing %s: %s\n", +- optarg, +- errno ? 
strerror(errno) : "invalid"); +- exit(1); +- } ++ options[SELABEL_OPT_PATH].type = SELABEL_OPT_PATH; ++ options[SELABEL_OPT_PATH].value = optarg; + break; + case 'P': + if (selinux_set_policy_root(optarg) < 0 ) { +@@ -124,20 +115,11 @@ int main(int argc, char **argv) + } + break; + case 'p': +- if (init) { +- fprintf(stderr, +- "%s: -f and -p are exclusive\n", +- argv[0]); +- exit(1); +- } +- init = 1; +- if (matchpathcon_init_prefix(NULL, optarg)) { +- fprintf(stderr, +- "Error while processing %s: %s\n", +- optarg, +- errno ? strerror(errno) : "invalid"); +- exit(1); +- } ++ // This option has been deprecated since libselinux 2.5 (2016): ++ // https://github.com/SELinuxProject/selinux/commit/26e05da0fc2d0a4bd274320968a88f8acbb3b6a6 ++ fprintf(stderr, "Warning: using %s -p is deprecated\n", argv[0]); ++ options[SELABEL_OPT_SUBSET].type = SELABEL_OPT_SUBSET; ++ options[SELABEL_OPT_SUBSET].value = optarg; + break; + case 'q': + quiet = 1; +@@ -146,6 +128,13 @@ int main(int argc, char **argv) + usage(argv[0]); + } + } ++ hnd = selabel_open(SELABEL_CTX_FILE, options, SELABEL_NOPT); ++ if (!hnd) { ++ fprintf(stderr, ++ "Error while opening file contexts database: %s\n", ++ strerror(errno)); ++ return -1; ++ } + for (i = optind; i < argc; i++) { + int rc, mode = 0; + struct stat buf; +@@ -185,19 +174,19 @@ int main(int argc, char **argv) + if (rc >= 0) { + printf("%s has context %s, should be ", + path, con); +- printmatchpathcon(path, 0, mode); ++ printmatchpathcon(hnd, path, 0, mode, notrans); + freecon(con); + } else { + printf + ("actual context unknown: %s, should be ", + strerror(errno)); +- printmatchpathcon(path, 0, mode); ++ printmatchpathcon(hnd, path, 0, mode, notrans); + } + } + } else { +- error |= printmatchpathcon(path, header, mode); ++ error |= printmatchpathcon(hnd, path, header, mode, notrans); + } + } +- matchpathcon_fini(); ++ selabel_close(hnd); + return error; + } +-- +2.29.0 + 
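Review bot: in printmatchpathcon() the failure message names selabel_lookup() even on the -N path where selabel_lookup_raw() was called; print the name of the function that actually failed, since that is what people grep for.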
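Review bot: `struct selinux_opt options[SELABEL_NOPT] = {};` uses an empty initialiser, which is a GNU extension in C before C23; `= { { 0 } }` or a memset() is portable and matches the rest of libselinux.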
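Review bot: the -p hunk removes the check that made -f and -p mutually exclusive, so both can now be passed together and end up as SELABEL_OPT_PATH plus SELABEL_OPT_SUBSET in one selabel_open() call; that is a behaviour change and belongs in the commit message. The deprecation warning is also printed regardless of -q, and the `//` comments are out of step with the `/* */` style used elsewhere in this file.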
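Review bot: the selabel_open() error path does `return -1;` from main(), which becomes exit status 255, while every other failure in this program uses exit(1) or the 0/1 `error` value; return 1 here for consistency with the existing usage() and option error paths.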
diff --git a/0012-libsepol-Bump-libsepol.so-version.patch b/0012-libsepol-Bump-libsepol.so-version.patch new file mode 100644 index 0000000..8ee3d03 --- /dev/null +++ b/0012-libsepol-Bump-libsepol.so-version.patch @@ -0,0 +1,45 @@ +From 4a142ac46a116feb9f978eaec68a30efef979c73 Mon Sep 17 00:00:00 2001 +From: Petr Lautrbach +Date: Fri, 9 Oct 2020 15:00:49 +0200 +Subject: [PATCH] libsepol: Bump libsepol.so version + +Previous commits removed some symbols and broke ABI, therefore we need to change +SONAME. + +See the following quotes from distribution guidelines: + +https://www.debian.org/doc/debian-policy/ch-sharedlibs.html#run-time-shared-libraries + +Every time the shared library ABI changes in a way that may break +binaries linked against older versions of the shared library, the SONAME +of the library and the corresponding name for the binary package +containing the runtime shared library should change. + +https://docs.fedoraproject.org/en-US/packaging-guidelines/#_downstream_so_name_versioning + +When new versions of the library are released, you should use an ABI +comparison tool to check for ABI differences in the built shared +libraries. If it detects any incompatibilities, bump the n number by +one. + +Signed-off-by: Petr Lautrbach +--- + libselinux/src/load_policy.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/libselinux/src/load_policy.c b/libselinux/src/load_policy.c +index 2aea826f863e..0034fa53d6e6 100644 +--- a/libselinux/src/load_policy.c ++++ b/libselinux/src/load_policy.c +@@ -76,7 +76,7 @@ int selinux_mkload_policy(int preservebools __attribute__((unused))) + #ifdef SHARED + char *errormsg = NULL; + void *libsepolh = NULL; +- libsepolh = dlopen("libsepol.so.1", RTLD_NOW); ++ libsepolh = dlopen("libsepol.so.2", RTLD_NOW); + if (libsepolh) { + usesepol = 1; + dlerror(); +-- +2.29.0 + 
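Review bot: the subject reads "libsepol: Bump libsepol.so version" and the message explains why the SONAME must change, but the single hunk only changes the string libselinux passes to dlopen() in load_policy.c; the SONAME bump itself lives in libsepol and is not in this series. Retitle this as a libselinux change that follows libsepol.so.2 and reference the libsepol commit, otherwise the Patch list in the spec misdescribes what is applied. Hard-coding the soname also means the next bump needs another source edit; a define set from the Makefile would avoid that, and since the `if (libsepolh)` fallback silently leaves usesepol at 0 when the new soname is missing, a diagnostic on dlopen() failure would help during the transition.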
diff --git a/0013-libselinux-Add-build-option-to-disable-X11-backend.patch b/0013-libselinux-Add-build-option-to-disable-X11-backend.patch new file mode 100644 index 0000000..ab5faef --- /dev/null +++ b/0013-libselinux-Add-build-option-to-disable-X11-backend.patch @@ -0,0 +1,48 @@ +From db0f2f382e31c44eef8f636d5698f9f4b11b4eeb Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Bj=C3=B6rn=20Bidar?= +Date: Mon, 12 Oct 2020 17:46:16 +0300 +Subject: [PATCH] libselinux: Add build option to disable X11 backend +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +Signed-off-by: Björn Bidar +--- + libselinux/Makefile | 5 ++++- + libselinux/src/Makefile | 4 ++++ + 2 files changed, 8 insertions(+), 1 deletion(-) + +diff --git a/libselinux/Makefile b/libselinux/Makefile +index 6a43b243f4da..cb5872b7b090 100644 +--- a/libselinux/Makefile ++++ b/libselinux/Makefile +@@ -17,7 +17,10 @@ endif + ifeq ($(DISABLE_BOOL),y) + DISABLE_FLAGS+= -DDISABLE_BOOL + endif +-export DISABLE_SETRANS DISABLE_RPM DISABLE_FLAGS ANDROID_HOST ++ifeq ($(DISABLE_X11),y) ++ DISABLE_FLAGS+= -DNO_X_BACKEND ++endif ++export DISABLE_SETRANS DISABLE_RPM DISABLE_FLAGS ANDROID_HOST DISABLE_X11 + + USE_PCRE2 ?= n + ifeq ($(USE_PCRE2),y) +diff --git a/libselinux/src/Makefile b/libselinux/src/Makefile +index 190016e2af34..be0b6eec6f6d 100644 +--- a/libselinux/src/Makefile ++++ b/libselinux/src/Makefile +@@ -126,6 +126,10 @@ DISABLE_FLAGS+= -DNO_ANDROID_BACKEND + SRCS:= $(filter-out label_backends_android.c, $(SRCS)) + endif + ++ifeq ($(DISABLE_X11),y) ++SRCS:= $(filter-out label_x.c, $(SRCS)) ++endif ++ + SWIGRUBY = swig -Wall -ruby -o $(SWIGRUBYCOUT) -outdir ./ $(DISABLE_FLAGS) + + all: $(LIBA) $(LIBSO) $(LIBPC) +-- +2.29.0 + 
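Review bot: `DISABLE_X11` gets no default in the top-level Makefile hunk, unlike `USE_PCRE2 ?= n` just below it; add `DISABLE_X11 ?= n` and document the knob next to DISABLE_SETRANS, DISABLE_RPM and DISABLE_BOOL. The commit message is empty apart from the sign-off: state that -DNO_X_BACKEND is the macro the backend table in label.c already checks, so filtering label_x.c out of SRCS in the src/Makefile hunk leaves no unresolved reference, and that the flag is exported so the SWIG wrappers (which take $(DISABLE_FLAGS)) see it too.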
diff --git a/0001-Fix-selinux-man-page-to-refer-seinfo-and-sesearch-to.patch b/0014-Fix-selinux-man-page-to-refer-seinfo-and-sesearch-to.patch similarity index 87% rename from 0001-Fix-selinux-man-page-to-refer-seinfo-and-sesearch-to.patch rename to 0014-Fix-selinux-man-page-to-refer-seinfo-and-sesearch-to.patch index eef71e8..36986c7 100644 --- a/0001-Fix-selinux-man-page-to-refer-seinfo-and-sesearch-to.patch +++ b/0014-Fix-selinux-man-page-to-refer-seinfo-and-sesearch-to.patch @@ -1,4 +1,4 @@ -From c36e12a0ed7641a9baa13afa1730b04eda0be07b Mon Sep 17 00:00:00 2001 +From a2f09a2faf2950d15fad34f23c65df62ec0d942c Mon Sep 17 00:00:00 2001 From: Miroslav Grepl Date: Wed, 16 Jul 2014 08:28:03 +0200 Subject: [PATCH] Fix selinux man page to refer seinfo and sesearch tools. @@ -8,7 +8,7 @@ Subject: [PATCH] Fix selinux man page to refer seinfo and sesearch tools. 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/libselinux/man/man8/selinux.8 b/libselinux/man/man8/selinux.8 -index e37aee6833b0..bf23b65579ca 100644 +index 31364271eed2..8b4fc3706989 100644 --- a/libselinux/man/man8/selinux.8 +++ b/libselinux/man/man8/selinux.8 @@ -91,11 +91,13 @@ This manual page was written by Dan Walsh . @@ -27,5 +27,5 @@ index e37aee6833b0..bf23b65579ca 100644 Every confined service on the system has a man page in the following format: .br -- -2.23.0 +2.29.0 diff --git a/libselinux.spec b/libselinux.spec index d4f3616..86b9517 100644 --- a/libselinux.spec +++ b/libselinux.spec @@ -1,5 +1,5 @@ %define ruby_inc %(pkg-config --cflags ruby) -%define libsepolver 3.1-2 +%define libsepolver 3.1-4 Summary: SELinux library and simple utilities Name: libselinux 
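Review bot: `libsepolver` moves to 3.1-4 in step with patch 0012's dlopen("libsepol.so.2"), but the only use of it visible here is the BuildRequires on libsepol-static. RPM's automatic dependency generator only records DT_NEEDED sonames, not strings passed to dlopen(), so the runtime package needs an explicit `Requires: libsepol >= %{libsepolver}` (or equivalent), otherwise a system with only libsepol.so.1 installed will load libselinux fine and then silently fail to load policy; confirm that Requires is present in the part of the spec not shown.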
@@ -16,7 +16,20 @@ Url: https://github.com/SELinuxProject/selinux/wiki # $ git format-patch -N libselinux-3.1 -- libselinux # $ i=1; for j in 00*patch; do printf "Patch%04d: %s\n" $i $j; i=$((i+1));done # Patch list start -Patch0001: 0001-Fix-selinux-man-page-to-refer-seinfo-and-sesearch-to.patch +Patch0001: 0001-libselinux-use-kernel-status-page-by-default.patch +Patch0002: 0002-libselinux-fix-build-order.patch +Patch0003: 0003-libselinux-use-full-argument-specifiers-for-security.patch +Patch0004: 0004-libselinux-Remove-trailing-slash-on-selabel_file-loo.patch +Patch0005: 0005-libselinux-safely-access-shared-memory-in-selinux_st.patch +Patch0006: 0006-libselinux-initialize-last_policyload-in-selinux_sta.patch +Patch0007: 0007-libselinux-Add-new-log-callback-levels-for-enforcing.patch +Patch0008: 0008-libselinux-Fix-selabel_lookup-for-the-root-dir.patch +Patch0009: 0009-libselinux-Add-additional-log-callback-details-in-ma.patch +Patch0010: 0010-libselinux-Change-userspace-AVC-setenforce-and-polic.patch +Patch0011: 0011-libselinux-convert-matchpathcon-to-selabel_lookup.patch +Patch0012: 0012-libsepol-Bump-libsepol.so-version.patch +Patch0013: 0013-libselinux-Add-build-option-to-disable-X11-backend.patch +Patch0014: 0014-Fix-selinux-man-page-to-refer-seinfo-and-sesearch-to.patch # Patch list end BuildRequires: gcc BuildRequires: ruby-devel ruby libsepol-static >= %{libsepolver} swig pcre2-devel xz-devel
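Review bot: patches 0001 through 0013 are upstream commits up to db0f2f382e31, while 0014 is the 2014 downstream man page change renumbered from 0001 with a regenerated hash; a comment in the Patch list separating the upstream backports from the downstream-only patch would stop the next `git format-patch` rebase from silently dropping it.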