diff --git libselinux-2.9/include/selinux/av_permissions.h libselinux-2.9/include/selinux/av_permissions.h
index c1269af..631f027 100644
--- libselinux-2.9/include/selinux/av_permissions.h
+++ libselinux-2.9/include/selinux/av_permissions.h
@@ -876,6 +876,8 @@
 #define NSCD__SHMEMHOST 0x00000080UL
 #define NSCD__GETSERV 0x00000100UL
 #define NSCD__SHMEMSERV 0x00000200UL
+#define NSCD__GETNETGRP 0x00000400UL
+#define NSCD__SHMEMNETGRP 0x00000800UL
 #define ASSOCIATION__SENDTO 0x00000001UL
 #define ASSOCIATION__RECVFROM 0x00000002UL
 #define ASSOCIATION__SETCONTEXT 0x00000004UL
diff --git libselinux-2.9/man/man8/selinux.8 libselinux-2.9/man/man8/selinux.8
index e37aee6..bf23b65 100644
--- libselinux-2.9/man/man8/selinux.8
+++ libselinux-2.9/man/man8/selinux.8
@@ -91,11 +91,13 @@ This manual page was written by Dan Walsh .
 .BR sepolicy (8),
 .BR system-config-selinux (8),
 .BR togglesebool (8),
-.BR restorecon (8),
 .BR fixfiles (8),
+.BR restorecon (8),
 .BR setfiles (8),
 .BR semanage (8),
 .BR sepolicy (8)
+.BR seinfo (8),
+.BR sesearch (8)
 Every confined service on the system has a man page in the following format:
 .br
diff --git libselinux-2.9/src/avc_sidtab.c libselinux-2.9/src/avc_sidtab.c
index 9669264..c775430 100644
--- libselinux-2.9/src/avc_sidtab.c
+++ libselinux-2.9/src/avc_sidtab.c
@@ -81,6 +81,11 @@ sidtab_context_to_sid(struct sidtab *s,
 int hvalue, rc = 0;
 struct sidtab_node *cur;
+ if (! ctx) {
+ errno=EINVAL;
+ return -1;
+ }
+
 *sid = NULL;
 hvalue = sidtab_hash(ctx);
diff --git libselinux-2.9/src/canonicalize_context.c libselinux-2.9/src/canonicalize_context.c
index ba4c9a2..c815872 100644
--- libselinux-2.9/src/canonicalize_context.c
+++ libselinux-2.9/src/canonicalize_context.c
@@ -17,6 +17,11 @@ int security_canonicalize_context_raw(const char * con,
 size_t size;
 int fd, ret;
+ if (! con) {
+ errno=EINVAL;
+ return -1;
+ }
+
 if (!selinux_mnt) {
 errno = ENOENT;
 return -1;
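Review bot: In the avc_sidtab.c hunk the new `if (! ctx)` guard returns before `*sid = NULL;` executes, so a NULL ctx leaves the caller's out-parameter holding whatever it held before, whereas the pre-existing code clears it before doing any other work. Writing `*sid = NULL;` before the early return (or placing the guard after that assignment) keeps the out-parameter state uniform across failure paths; sidtab_context_to_sid starts before this hunk and continues past it. As a point of style, the surrounding code in canonicalize_context.c writes `!selinux_mnt` and `errno = ENOENT;`, so the added guards would read consistently as `if (!ctx) {` and `errno = EINVAL;`. That spacing applies to every guard added by this diff (canonicalize_context.c, check_context.c, the compute_*.c files and the three *setfilecon.c files), as do the redundant parentheses in `(! scon) || (! tcon)`.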
diff --git libselinux-2.9/src/check_context.c libselinux-2.9/src/check_context.c
index 8a7997f..5be8434 100644
--- libselinux-2.9/src/check_context.c
+++ libselinux-2.9/src/check_context.c
@@ -14,6 +14,11 @@ int security_check_context_raw(const char * con)
 char path[PATH_MAX];
 int fd, ret;
+ if (! con) {
+ errno=EINVAL;
+ return -1;
+ }
+
 if (!selinux_mnt) {
 errno = ENOENT;
 return -1;
diff --git libselinux-2.9/src/compute_av.c libselinux-2.9/src/compute_av.c
index a47cffe..6d285a2 100644
--- libselinux-2.9/src/compute_av.c
+++ libselinux-2.9/src/compute_av.c
@@ -27,6 +27,11 @@ int security_compute_av_flags_raw(const char * scon,
 return -1;
 }
+ if ((! scon) || (! tcon)) {
+ errno=EINVAL;
+ return -1;
+ }
+
 snprintf(path, sizeof path, "%s/access", selinux_mnt);
 fd = open(path, O_RDWR | O_CLOEXEC);
 if (fd < 0)
diff --git libselinux-2.9/src/compute_create.c libselinux-2.9/src/compute_create.c
index 0975aea..3e6a48c 100644
--- libselinux-2.9/src/compute_create.c
+++ libselinux-2.9/src/compute_create.c
@@ -64,6 +64,11 @@ int security_compute_create_name_raw(const char * scon,
 return -1;
 }
+ if ((! scon) || (! tcon)) {
+ errno=EINVAL;
+ return -1;
+ }
+
 snprintf(path, sizeof path, "%s/create", selinux_mnt);
 fd = open(path, O_RDWR | O_CLOEXEC);
 if (fd < 0)
diff --git libselinux-2.9/src/compute_member.c libselinux-2.9/src/compute_member.c
index 4e2d221..d1dd977 100644
--- libselinux-2.9/src/compute_member.c
+++ libselinux-2.9/src/compute_member.c
@@ -25,6 +25,11 @@ int security_compute_member_raw(const char * scon,
 return -1;
 }
+ if ((! scon) || (! tcon)) {
+ errno=EINVAL;
+ return -1;
+ }
+
 snprintf(path, sizeof path, "%s/member", selinux_mnt);
 fd = open(path, O_RDWR | O_CLOEXEC);
 if (fd < 0)
diff --git libselinux-2.9/src/compute_relabel.c libselinux-2.9/src/compute_relabel.c
index 49f77ef..c3db7c0 100644
--- libselinux-2.9/src/compute_relabel.c
+++ libselinux-2.9/src/compute_relabel.c
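Review bot: In the compute_av.c hunk the NULL guard for scon/tcon sits after the block that ends with `return -1; }` (presumably the selinux_mnt test, whose condition is outside the hunk), while the check_context.c hunk above and canonicalize_context.c place the same guard before that test; so a NULL argument on a host without selinuxfs reports ENOENT from security_compute_av_flags_raw but EINVAL from security_check_context_raw. Argument validation is cheapest and most predictable as the first statement of the function, so move `if ((! scon) || (! tcon)) { errno = EINVAL; return -1; }` ahead of the selinux_mnt test here and in the matching hunks of compute_create.c, compute_member.c, compute_relabel.c and compute_user.c. Each of these functions starts before its hunk and continues past it.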
@@ -25,6 +25,11 @@ int security_compute_relabel_raw(const char * scon,
 return -1;
 }
+ if ((! scon) || (! tcon)) {
+ errno=EINVAL;
+ return -1;
+ }
+
 snprintf(path, sizeof path, "%s/relabel", selinux_mnt);
 fd = open(path, O_RDWR | O_CLOEXEC);
 if (fd < 0)
diff --git libselinux-2.9/src/compute_user.c libselinux-2.9/src/compute_user.c
index 7b88121..401fd10 100644
--- libselinux-2.9/src/compute_user.c
+++ libselinux-2.9/src/compute_user.c
@@ -24,6 +24,11 @@ int security_compute_user_raw(const char * scon,
 return -1;
 }
+ if (! scon) {
+ errno=EINVAL;
+ return -1;
+ }
+
 snprintf(path, sizeof path, "%s/user", selinux_mnt);
 fd = open(path, O_RDWR | O_CLOEXEC);
 if (fd < 0)
diff --git libselinux-2.9/src/fsetfilecon.c libselinux-2.9/src/fsetfilecon.c
index 52707d0..0cbe12d 100644
--- libselinux-2.9/src/fsetfilecon.c
+++ libselinux-2.9/src/fsetfilecon.c
@@ -9,8 +9,12 @@
 int fsetfilecon_raw(int fd, const char * context)
 {
- int rc = fsetxattr(fd, XATTR_NAME_SELINUX, context, strlen(context) + 1,
- 0);
+ int rc;
+ if (! context) {
+ errno=EINVAL;
+ return -1;
+ }
+ rc = fsetxattr(fd, XATTR_NAME_SELINUX, context, strlen(context) + 1, 0);
 if (rc < 0 && errno == ENOTSUP) {
 char * ccontext = NULL;
 int err = errno;
diff --git libselinux-2.9/src/lsetfilecon.c libselinux-2.9/src/lsetfilecon.c
index 1d3b28a..ea6d70b 100644
--- libselinux-2.9/src/lsetfilecon.c
+++ libselinux-2.9/src/lsetfilecon.c
@@ -9,8 +9,13 @@
 int lsetfilecon_raw(const char *path, const char * context)
 {
- int rc = lsetxattr(path, XATTR_NAME_SELINUX, context, strlen(context) + 1,
- 0);
+ int rc;
+ if (! context) {
+ errno=EINVAL;
+ return -1;
+ }
+
+ rc = lsetxattr(path, XATTR_NAME_SELINUX, context, strlen(context) + 1, 0);
 if (rc < 0 && errno == ENOTSUP) {
 char * ccontext = NULL;
 int err = errno;
diff --git libselinux-2.9/src/procattr.c libselinux-2.9/src/procattr.c
index c6799ef..cbb6824 100644
--- libselinux-2.9/src/procattr.c
+++ libselinux-2.9/src/procattr.c
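Review bot: In the fsetfilecon.c hunk `rc` is split into a bare `int rc;` declaration and a later assignment only so the guard can sit between them, which drops the declare-at-first-use form the original line had and that the file keeps elsewhere (`char * ccontext = NULL;`, `int err = errno;`). Since the file already mixes declarations and statements, the guard can come first and the original initializer kept: `int rc = fsetxattr(fd, XATTR_NAME_SELINUX, context, strlen(context) + 1, 0);` placed after the `}` of the guard. The same applies to the lsetfilecon.c hunk and to setfilecon.c; the three hunks also differ in whether a blank line follows the guard (lsetfilecon.c has one, the other two do not), which is worth making uniform. Each function body continues past its hunk.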
@@ -24,6 +24,7 @@ static __thread char destructor_initialized;
 /* Bionic and glibc >= 2.30 declare gettid() system call wrapper in unistd.h and
 * has a definition for it */
+#ifndef OVERRIDE_GETTID
 #ifdef __BIONIC__
 #define OVERRIDE_GETTID 0
 #elif !defined(__GLIBC_PREREQ)
@@ -33,6 +34,7 @@ static __thread char destructor_initialized;
 #else
 #define OVERRIDE_GETTID 0
 #endif
+#endif
 #if OVERRIDE_GETTID
 static pid_t gettid(void)
diff --git libselinux-2.9/src/selinuxswig.i libselinux-2.9/src/selinuxswig.i
index dbdb4c3..9c5b926 100644
--- libselinux-2.9/src/selinuxswig.i
+++ libselinux-2.9/src/selinuxswig.i
@@ -5,7 +5,9 @@
 %module selinux
 %{
 #include "../include/selinux/avc.h"
+ #include "../include/selinux/av_permissions.h"
 #include "../include/selinux/context.h"
+ #include "../include/selinux/flask.h"
 #include "../include/selinux/get_context_list.h"
 #include "../include/selinux/get_default_type.h"
 #include "../include/selinux/label.h"
@@ -58,7 +60,9 @@
 %ignore avc_netlink_check_nb;
 %include "../include/selinux/avc.h"
+%include "../include/selinux/av_permissions.h"
 %include "../include/selinux/context.h"
+%include "../include/selinux/flask.h"
 %include "../include/selinux/get_context_list.h"
 %include "../include/selinux/get_default_type.h"
 %include "../include/selinux/label.h"
diff --git libselinux-2.9/src/selinuxswig_python.i libselinux-2.9/src/selinuxswig_python.i
index 4c73bf9..6eaab08 100644
--- libselinux-2.9/src/selinuxswig_python.i
+++ libselinux-2.9/src/selinuxswig_python.i
@@ -1,10 +1,11 @@
 /* Author: James Athey */
-/* Never build rpm_execcon interface */
+/* Never build rpm_execcon interface unless you need to have ACG compatibility
 #ifndef DISABLE_RPM
 #define DISABLE_RPM
 #endif
+*/
 %module selinux
 %{
diff --git libselinux-2.9/src/setfilecon.c libselinux-2.9/src/setfilecon.c
index d05969c..3f0200e 100644
--- libselinux-2.9/src/setfilecon.c
+++ libselinux-2.9/src/setfilecon.c
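Review bot: The new `#ifndef OVERRIDE_GETTID` wrapper in procattr.c turns the macro into a build-time override without saying so anywhere, and the only nearby comment still describes the automatic detection. The hazard is visible in the second hunk: if a build predefines OVERRIDE_GETTID as 1 on a libc that, per the existing comment, already declares gettid() in unistd.h, the `static pid_t gettid(void)` definition that follows `#if OVERRIDE_GETTID` clashes with that declaration. A comment on the new `#ifndef` line would make the contract explicit, e.g. `/* OVERRIDE_GETTID may be predefined by the build to bypass the detection below; define it as 1 only on a libc that does not already declare gettid(). */`. The `#if OVERRIDE_GETTID` block continues past the hunk.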
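Review bot: The `%include` lines added to selinuxswig.i for av_permissions.h and flask.h export compile-time numeric class and permission constants (such as the NSCD__* values added at the top of this diff) into the Python module, yet the class and permission numbers a kernel actually uses are assigned by the loaded policy and can differ from the header's values. Python callers that use these constants instead of string_to_security_class() and string_to_av_perm() risk testing the wrong permission bit, which is a policy-enforcement bug rather than a crash. If the bindings must expose them for compatibility, a comment next to the `%include` lines should say the values are a build-time snapshot and name the string-lookup functions as the supported way to obtain class and permission values at runtime.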
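Review bot: The selinuxswig_python.i hunk disables the DISABLE_RPM guard by wrapping `#ifndef DISABLE_RPM` / `#define DISABLE_RPM` / `#endif` inside a block comment, which leaves three dead preprocessor directives in the file and, as far as the visible lines show, builds the rpm_execcon interface unconditionally rather than only for the "ACG compatibility" case the comment names. Commented-out code should either be deleted or replaced by a real switch, e.g. keep the three directives live and wrap them in `#ifndef <YOUR_COMPAT_BUILD_FLAG>` (placeholder, the build's own macro name) so the default remains opt-out. The comment text should also end with a period and say who sets the flag.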
@@ -9,8 +9,12 @@
 int setfilecon_raw(const char *path, const char * context)
 {
- int rc = setxattr(path, XATTR_NAME_SELINUX, context, strlen(context) + 1,
- 0);
+ int rc;
+ if (! context) {
+ errno=EINVAL;
+ return -1;
+ }
+ rc = setxattr(path, XATTR_NAME_SELINUX, context, strlen(context) + 1, 0);
 if (rc < 0 && errno == ENOTSUP) {
 char * ccontext = NULL;
 int err = errno;