libselinux-2.5-3

- Fix location of selinuxfs mount point
- Only mount /proc if necessary
- procattr: return einval for <= 0 pid args
- procattr: return error on invalid pid_t input
This commit is contained in:
Petr Lautrbach 2016-04-08 20:35:44 +02:00
parent 408641d228
commit d11c40ba8a
2 changed files with 153 additions and 2 deletions

View File

@ -1,3 +1,16 @@
diff --git libselinux-2.5/ChangeLog libselinux-2.5/ChangeLog
index 24673dd..1d6ac57 100644
--- libselinux-2.5/ChangeLog
+++ libselinux-2.5/ChangeLog
@@ -1,3 +1,8 @@
+ * Fix location of selinuxfs mount point, from Dan Walsh.
+ * Only mount /proc if necessary, from Stephen Smalley.
+ * procattr: return einval for <= 0 pid args, from Daniel Cashman.
+ * procattr: return error on invalid pid_t input, from Daniel Cashman.
+
2.5 2016-02-23
* selinux_restorecon.3 man page corrections, from Richard Haines.
* Add selinux_restorecon function, from Richard Haines.
diff --git libselinux-2.5/Makefile libselinux-2.5/Makefile diff --git libselinux-2.5/Makefile libselinux-2.5/Makefile
index 6142b60..bdf9de8 100644 index 6142b60..bdf9de8 100644
--- libselinux-2.5/Makefile --- libselinux-2.5/Makefile
@ -469,6 +482,54 @@ index 0000000..fed6de8
+func main() { +func main() {
+ selinux.Test() + selinux.Test()
+} +}
diff --git libselinux-2.5/man/man3/security_disable.3 libselinux-2.5/man/man3/security_disable.3
index c75ce0d..072923c 100644
--- libselinux-2.5/man/man3/security_disable.3
+++ libselinux-2.5/man/man3/security_disable.3
@@ -12,7 +12,7 @@ security_disable \- disable the SELinux kernel code at runtime
disables the SELinux kernel code, unregisters selinuxfs from
.IR /proc/filesystems ,
and then unmounts
-.IR /selinux .
+.IR /sys/fs/selinux .
.sp
This function can only be called at runtime and prior to the initial policy
load. After the initial policy load, the SELinux kernel code cannot be disabled,
diff --git libselinux-2.5/man/man3/selinux_status_open.3 libselinux-2.5/man/man3/selinux_status_open.3
index f779dd9..2d44be5 100644
--- libselinux-2.5/man/man3/selinux_status_open.3
+++ libselinux-2.5/man/man3/selinux_status_open.3
@@ -23,7 +23,7 @@ without invocation of system calls
.SH "DESCRIPTION"
Linux 2.6.37 or later provides a SELinux kernel status page; being mostly
placed on
-.I /selinux/status
+.I /sys/fs/selinux/status
entry. It enables userspace applications to mmap this page with read-only
mode, then it informs some status without system call invocations.
.sp
@@ -38,7 +38,7 @@ without system-call invocation or worker thread for monitoring.
.BR selinux_status_open ()
tries to
.BR open (2)
-.I /selinux/status
+.I /sys/fs/selinux/status
and
.BR mmap (2)
it in read-only mode. The file-descriptor and pointer to the page shall
diff --git libselinux-2.5/man/man8/avcstat.8 libselinux-2.5/man/man8/avcstat.8
index 204687d..2c4bce1 100644
--- libselinux-2.5/man/man8/avcstat.8
+++ libselinux-2.5/man/man8/avcstat.8
@@ -25,7 +25,7 @@ Display the cumulative values.
.TP
.B \-f
Specifies the location of the AVC statistics file, defaulting to
-.IR /selinux/avc/cache_stats .
+.IR /sys/fs/selinux/avc/cache_stats .
.
.SH AUTHOR
This manual page was written by Dan Walsh <dwalsh@redhat.com>.
diff --git libselinux-2.5/man/man8/selinux.8 libselinux-2.5/man/man8/selinux.8 diff --git libselinux-2.5/man/man8/selinux.8 libselinux-2.5/man/man8/selinux.8
index 6f1034b..c9f188c 100644 index 6f1034b..c9f188c 100644
--- libselinux-2.5/man/man8/selinux.8 --- libselinux-2.5/man/man8/selinux.8
@ -636,6 +697,40 @@ index 52707d0..0cbe12d 100644
if (rc < 0 && errno == ENOTSUP) { if (rc < 0 && errno == ENOTSUP) {
char * ccontext = NULL; char * ccontext = NULL;
int err = errno; int err = errno;
diff --git libselinux-2.5/src/init.c libselinux-2.5/src/init.c
index 3db4de0..3530594 100644
--- libselinux-2.5/src/init.c
+++ libselinux-2.5/src/init.c
@@ -12,6 +12,7 @@
#include <stdint.h>
#include <limits.h>
#include <sys/mount.h>
+#include <linux/magic.h>
#include "dso.h"
#include "policy.h"
@@ -57,13 +58,19 @@ static int verify_selinuxmnt(const char *mnt)
int selinuxfs_exists(void)
{
- int exists = 0, mnt_rc = 0;
+ int exists = 0, mnt_rc = -1, rc;
+ struct statfs sb;
FILE *fp = NULL;
char *buf = NULL;
size_t len;
ssize_t num;
- mnt_rc = mount("proc", "/proc", "proc", 0, 0);
+ do {
+ rc = statfs("/proc", &sb);
+ } while (rc < 0 && errno == EINTR);
+
+ if (rc == 0 && ((uint32_t)sb.f_type != (uint32_t)PROC_SUPER_MAGIC))
+ mnt_rc = mount("proc", "/proc", "proc", 0, 0);
fp = fopen("/proc/filesystems", "r");
if (!fp) {
diff --git libselinux-2.5/src/lsetfilecon.c libselinux-2.5/src/lsetfilecon.c diff --git libselinux-2.5/src/lsetfilecon.c libselinux-2.5/src/lsetfilecon.c
index 1d3b28a..ea6d70b 100644 index 1d3b28a..ea6d70b 100644
--- libselinux-2.5/src/lsetfilecon.c --- libselinux-2.5/src/lsetfilecon.c
@ -677,6 +772,56 @@ index 5b495a0..3868711 100644
va_end(ap); va_end(ap);
} }
diff --git libselinux-2.5/src/procattr.c libselinux-2.5/src/procattr.c
index 527a0a5..eee4612 100644
--- libselinux-2.5/src/procattr.c
+++ libselinux-2.5/src/procattr.c
@@ -70,9 +70,9 @@ static int openattr(pid_t pid, const char *attr, int flags)
char *path;
pid_t tid;
- if (pid > 0)
+ if (pid > 0) {
rc = asprintf(&path, "/proc/%d/attr/%s", pid, attr);
- else {
+ } else if (pid == 0) {
rc = asprintf(&path, "/proc/thread-self/attr/%s", attr);
if (rc < 0)
return -1;
@@ -82,6 +82,9 @@ static int openattr(pid_t pid, const char *attr, int flags)
free(path);
tid = gettid();
rc = asprintf(&path, "/proc/self/task/%d/attr/%s", tid, attr);
+ } else {
+ errno = EINVAL;
+ return -1;
}
if (rc < 0)
return -1;
@@ -303,11 +306,21 @@ static int setprocattrcon(const char * context,
#define getpidattr_def(fn, attr) \
int get##fn##_raw(pid_t pid, char **c) \
{ \
- return getprocattrcon_raw(c, pid, #attr); \
+ if (pid <= 0) { \
+ errno = EINVAL; \
+ return -1; \
+ } else { \
+ return getprocattrcon_raw(c, pid, #attr); \
+ } \
} \
int get##fn(pid_t pid, char **c) \
{ \
- return getprocattrcon(c, pid, #attr); \
+ if (pid <= 0) { \
+ errno = EINVAL; \
+ return -1; \
+ } else { \
+ return getprocattrcon(c, pid, #attr); \
+ } \
}
all_selfattr_def(con, current)
diff --git libselinux-2.5/src/setfilecon.c libselinux-2.5/src/setfilecon.c diff --git libselinux-2.5/src/setfilecon.c libselinux-2.5/src/setfilecon.c
index d05969c..3f0200e 100644 index d05969c..3f0200e 100644
--- libselinux-2.5/src/setfilecon.c --- libselinux-2.5/src/setfilecon.c

View File

@ -9,7 +9,7 @@
Summary: SELinux library and simple utilities Summary: SELinux library and simple utilities
Name: libselinux Name: libselinux
Version: 2.5 Version: 2.5
Release: 2%{?dist} Release: 3%{?dist}
License: Public Domain License: Public Domain
Group: System Environment/Libraries Group: System Environment/Libraries
# https://github.com/SELinuxProject/selinux/wiki/Releases # https://github.com/SELinuxProject/selinux/wiki/Releases
@ -20,7 +20,7 @@ Url: https://github.com/SELinuxProject/selinux/wiki
# download https://raw.githubusercontent.com/fedora-selinux/scripts/master/selinux/make-fedora-selinux-patch.sh # download https://raw.githubusercontent.com/fedora-selinux/scripts/master/selinux/make-fedora-selinux-patch.sh
# run: # run:
# $ VERSION=2.5 ./make-fedora-selinux-patch.sh libselinux # $ VERSION=2.5 ./make-fedora-selinux-patch.sh libselinux
# HEAD https://github.com/fedora-selinux/selinux/commit/51852c78f110223be57cd9776069f14703ab49f9 # HEAD https://github.com/fedora-selinux/selinux/commit/4bfb84c7ff7b33cf06b9a6b2317d24054b9db562
Patch1: libselinux-fedora.patch Patch1: libselinux-fedora.patch
BuildRequires: pkgconfig python python-devel ruby-devel ruby libsepol-static >= %{libsepolver} swig pcre-devel xz-devel BuildRequires: pkgconfig python python-devel ruby-devel ruby libsepol-static >= %{libsepolver} swig pcre-devel xz-devel
%if 0%{?with_python3} %if 0%{?with_python3}
@ -255,6 +255,12 @@ rm -rf %{buildroot}
%{ruby_vendorarchdir}/selinux.so %{ruby_vendorarchdir}/selinux.so
%changelog %changelog
* Fri Apr 08 2016 Petr Lautrbach <plautrba@redhat.com> - 2.5-3
- Fix location of selinuxfs mount point
- Only mount /proc if necessary
- procattr: return einval for <= 0 pid args
- procattr: return error on invalid pid_t input
* Sat Feb 27 2016 Petr Lautrbach <plautrba@redhat.com> 2.5-2 * Sat Feb 27 2016 Petr Lautrbach <plautrba@redhat.com> 2.5-2
- Use fully versioned arch-specific requires - Use fully versioned arch-specific requires