From e61de3d8f05d2d2bd3ffc452f24b46c8f866f549 Mon Sep 17 00:00:00 2001 From: Dan Walsh Date: Mon, 23 Dec 2013 09:53:25 -0500 Subject: [PATCH] Verify context is not null when passed into lsetfilecon_raw --- libselinux-rhat.patch | 340 +++--------------------------------------- libselinux.spec | 5 +- 2 files changed, 23 insertions(+), 322 deletions(-) diff --git a/libselinux-rhat.patch b/libselinux-rhat.patch index bf75861..4a55e0a 100644 --- a/libselinux-rhat.patch +++ b/libselinux-rhat.patch @@ -1,324 +1,3 @@ -diff --git a/libselinux/Makefile b/libselinux/Makefile -index fd4f0b1..51469bc 100644 ---- a/libselinux/Makefile -+++ b/libselinux/Makefile -@@ -1,4 +1,4 @@ --SUBDIRS = src include utils man -+SUBDIRS = src include utils man golang - - DISABLE_AVC ?= n - DISABLE_SETRANS ?= n -diff --git a/libselinux/golang/Makefile b/libselinux/golang/Makefile -new file mode 100644 -index 0000000..e0be66f ---- /dev/null -+++ b/libselinux/golang/Makefile -@@ -0,0 +1,17 @@ -+# Installation directories. -+PREFIX ?= $(DESTDIR)/usr -+GODIR ?= $(PREFIX)/share/gocode/src/selinux -+ -+all: -+ -+install: -+ [ -d $(GODIR) ] || mkdir -p $(GODIR) -+ install -m 644 selinux.go $(GODIR) -+ -+test: -+ -+clean: -+ -+indent: -+ -+relabel: -diff --git a/libselinux/golang/selinux.go b/libselinux/golang/selinux.go -new file mode 100644 -index 0000000..018c955 ---- /dev/null -+++ b/libselinux/golang/selinux.go -@@ -0,0 +1,282 @@ -+package selinux -+ -+/* -+ The selinux package is a go bindings to libselinux required to add selinux -+ support to docker. -+ -+ Author Dan Walsh -+ -+ Used some ideas/code from the go-ini packages https://github.com/vaughan0 -+ By Vaughan Newton -+*/ -+ -+// #cgo pkg-config: libselinux -+// #include -+// #include -+import "C" -+import ( -+ "encoding/binary" -+ "crypto/rand" -+ "unsafe" -+ "fmt" -+ "bufio" -+ "regexp" -+ "io" -+ "os" -+ "strings" -+) -+ -+var ( -+ assignRegex = regexp.MustCompile(`^([^=]+)=(.*)$`) -+ mcs_list = make(map[string]bool) -+) -+ -+func Matchpathcon(path string, mode int) (string, error) { -+ var con C.security_context_t -+ var scon string -+ rc, err := C.matchpathcon(C.CString(path),C.mode_t(mode), &con) -+ if rc == 0 { -+ scon = C.GoString(con) -+ C.free(unsafe.Pointer(con)) -+ } -+ return scon, err -+} -+ -+func Setfilecon(path,scon string) (int, error) { -+ rc, err := C.lsetfilecon(C.CString(path),C.CString(scon)) -+ return int(rc), err -+} -+ -+func Setexeccon(scon string) (int, error) { -+ var val *C.char -+ if ! Selinux_enabled() { -+ return 0, nil -+ } -+ if scon != "" { -+ val = C.CString(scon) -+ } else { -+ val = nil -+ } -+ rc, err := C.setexeccon(val) -+ return int(rc), err -+} -+ -+type Context struct { -+ con []string -+} -+func (c *Context) Set_user(user string) { -+ c.con[0]=user -+} -+func (c *Context) Get_user() string { -+ return c.con[0] -+} -+func (c *Context) Set_role(role string) { -+ c.con[1]=role -+} -+func (c *Context) Get_role() string { -+ return c.con[1] -+} -+func (c *Context) Set_type(setype string) { -+ c.con[2]=setype -+} -+func (c *Context) Get_type() string { -+ return c.con[2] -+} -+func (c *Context) Set_level(mls string) { -+ c.con[3]=mls -+} -+func (c *Context) Get_level() string { -+ return c.con[3] -+} -+func (c *Context) Get() string{ -+ return strings.Join(c.con,":") -+} -+func (c *Context) Set(scon string) { -+ c.con = strings.SplitN(scon,":",4) -+} -+func New_context(scon string) Context { -+ var con Context -+ con.Set(scon) -+ return con -+} -+ -+func Is_selinux_enabled() bool { -+ b := C.is_selinux_enabled() -+ if b > 0 { -+ return true; -+ } -+ return false -+} -+ -+func Selinux_enabled() bool { -+ b := C.is_selinux_enabled() -+ if b > 0 { -+ return true; -+ } -+ return false -+} -+ -+const ( -+ Enforcing = 1 -+ Permissive = 0 -+ Disabled = -1 -+) -+ -+func Selinux_getenforce() int { -+ return int(C.security_getenforce()) -+} -+ -+func Selinux_getenforcemode() (int) { -+ var enforce C.int -+ C.selinux_getenforcemode(&enforce) -+ return int(enforce) -+} -+ -+func mcs_add(mcs string) { -+ mcs_list[mcs] = true -+} -+ -+func mcs_delete(mcs string) { -+ mcs_list[mcs] = false -+} -+ -+func mcs_exists(mcs string) bool { -+ return mcs_list[mcs] -+} -+ -+func uniq_mcs(catRange uint32) string { -+ var n uint32 -+ var c1,c2 uint32 -+ var mcs string -+ for ;; { -+ binary.Read(rand.Reader, binary.LittleEndian, &n) -+ c1 = n % catRange -+ binary.Read(rand.Reader, binary.LittleEndian, &n) -+ c2 = n % catRange -+ if c1 == c2 { -+ continue -+ } else { -+ if c1 > c2 { -+ t := c1 -+ c1 = c2 -+ c2 = t -+ } -+ } -+ mcs = fmt.Sprintf("s0:c%d,c%d", c1, c2) -+ if mcs_exists(mcs) { -+ continue -+ } -+ mcs_add(mcs) -+ break -+ } -+ return mcs -+} -+func free_context(process_label string) { -+ var scon Context -+ scon = New_context(process_label) -+ mcs_delete(scon.Get_level()) -+} -+ -+func Get_lxc_contexts() (process_label string, file_label string) { -+ var val, key string -+ var bufin *bufio.Reader -+ if ! Selinux_enabled() { -+ return -+ } -+ lxc_path := C.GoString(C.selinux_lxc_contexts_path()) -+ file_label = "system_u:object_r:svirt_sandbox_file_t:s0" -+ process_label = "system_u:system_r:svirt_lxc_net_t:s0" -+ -+ in, err := os.Open(lxc_path) -+ if err != nil { -+ goto exit -+ } -+ -+ defer in.Close() -+ bufin = bufio.NewReader(in) -+ -+ for done := false; !done; { -+ var line string -+ if line, err = bufin.ReadString('\n'); err != nil { -+ if err == io.EOF { -+ done = true -+ } else { -+ goto exit -+ } -+ } -+ line = strings.TrimSpace(line) -+ if len(line) == 0 { -+ // Skip blank lines -+ continue -+ } -+ if line[0] == ';' || line[0] == '#' { -+ // Skip comments -+ continue -+ } -+ if groups := assignRegex.FindStringSubmatch(line); groups != nil { -+ key, val = strings.TrimSpace(groups[1]), strings.TrimSpace(groups[2]) -+ if key == "process" { -+ process_label = strings.Trim(val,"\"") -+ } -+ if key == "file" { -+ file_label = strings.Trim(val,"\"") -+ } -+ } -+ } -+exit: -+ var scon Context -+ mcs := uniq_mcs(1024) -+ scon = New_context(process_label) -+ scon.Set_level(mcs) -+ process_label = scon.Get() -+ scon = New_context(file_label) -+ scon.Set_level(mcs) -+ file_label = scon.Get() -+ return process_label, file_label -+} -+ -+func CopyLevel (src, dest string) (string, error) { -+ if ! Selinux_enabled() { -+ return "", nil -+ } -+ if src == "" { -+ return "", nil -+ } -+ rc, err := C.security_check_context(C.CString(src)) -+ if rc != 0 { -+ return "", err -+ } -+ rc, err = C.security_check_context(C.CString(dest)) -+ if rc != 0 { -+ return "", err -+ } -+ scon := New_context(src) -+ tcon := New_context(dest) -+ tcon.Set_level(scon.Get_level()) -+ return tcon.Get(), nil -+} -+ -+func Test() { -+ var plabel,flabel string -+ if ! Selinux_enabled() { -+ return -+ } -+ -+ plabel, flabel = Get_lxc_contexts() -+ fmt.Println(plabel) -+ fmt.Println(flabel) -+ free_context(plabel) -+ plabel, flabel = Get_lxc_contexts() -+ fmt.Println(plabel) -+ fmt.Println(flabel) -+ free_context(plabel) -+ if Selinux_enabled() { -+ fmt.Println("Enabled") -+ } else { -+ fmt.Println("Disabled") -+ } -+ fmt.Println(Selinux_getenforce()) -+ fmt.Println(Selinux_getenforcemode()) -+ flabel,_ = Matchpathcon("/home/dwalsh/.emacs", 0) -+ fmt.Println(flabel) -+} diff --git a/libselinux/src/Makefile b/libselinux/src/Makefile index 02dd829..6dfdb46 100644 --- a/libselinux/src/Makefile @@ -520,6 +199,25 @@ index e419f1a..fdeca93 100644 /* Runtime disable of SELinux. */ rc = security_disable(); if (rc == 0) { +diff --git a/libselinux/src/lsetfilecon.c b/libselinux/src/lsetfilecon.c +index fd9bb26..932fc62 100644 +--- a/libselinux/src/lsetfilecon.c ++++ b/libselinux/src/lsetfilecon.c +@@ -9,7 +9,13 @@ + + int lsetfilecon_raw(const char *path, const security_context_t context) + { +- int rc = lsetxattr(path, XATTR_NAME_SELINUX, context, strlen(context) + 1, ++ int rc; ++ if (! context) { ++ errno=EINVAL; ++ return -1; ++ } ++ ++ rc = lsetxattr(path, XATTR_NAME_SELINUX, context, strlen(context) + 1, + 0); + if (rc < 0 && errno == ENOTSUP) { + security_context_t ccontext = NULL; diff --git a/libselinux/src/matchpathcon.c b/libselinux/src/matchpathcon.c index 2d7369e..2a00807 100644 --- a/libselinux/src/matchpathcon.c diff --git a/libselinux.spec b/libselinux.spec index ce9b775..9c86123 100644 --- a/libselinux.spec +++ b/libselinux.spec @@ -10,7 +10,7 @@ Summary: SELinux library and simple utilities Name: libselinux Version: 2.2.1 -Release: 4%{?dist} +Release: 5%{?dist} License: Public Domain Group: System Environment/Libraries Source: %{name}-%{version}.tgz @@ -243,6 +243,9 @@ rm -rf %{buildroot} %{ruby_sitearch}/selinux.so %changelog +* Mon Dec 23 2013 Dan Walsh - 2.2.1-5 +- Verify context is not null when passed into lsetfilecon_raw + * Wed Dec 18 2013 Dan Walsh - 2.2.1-4 - Mv selinux.go to /usr/share/gocode/src/selinux