rpms/libselinux
7
0
Fork 0
Code Issues Pull Requests Releases Activity
2b807f244a
libselinux/0011-libselinux-convert-matchpathcon-to-selabel_lookup.patch
Petr Lautrbach 74de835e2c Rebase on db0f2f382e31 at SELinuxProject 
- Use libsepol.so.2
- Convert matchpathcon to selabel_lookup()
- Change userspace AVC setenforce and policy load messages to audit
  format
- Remove trailing slash on selabel_file lookups
- Use kernel status page by default
2020-10-30 12:56:19 +01:00

209 lines
5.7 KiB
Diff
Raw Blame History

From d23342a9de2c30f72a3edb13455753caaf259589 Mon Sep 17 00:00:00 2001
From: Nicolas Iooss <nicolas.iooss@m4x.org>
Date: Sun, 4 Oct 2020 16:03:39 +0200
Subject: [PATCH] libselinux: convert matchpathcon to selabel_lookup()
Function matchpathcon() is deprecated in favor of selabel_lookup() but
program "matchpathcon" is much easier to use than "selabel_loopkup" to
find the file context which would be applied to some files and
directories.
More precisely:
matchpathcon /path/to/my/file
is easier to type and remember than:
selabel_lookup -b file -k /path/to/my/file
It also allows performing multiple context searches in one command,
where selabel_lookup cannot use multiple -k options.
Migrate matchpathcon to the preferred API.
Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>
Acked-by: Petr Lautrbach <plautrba@redhat.com>
---
libselinux/utils/Makefile | 2 -
libselinux/utils/matchpathcon.c | 87 ++++++++++++++-------------------
2 files changed, 38 insertions(+), 51 deletions(-)
diff --git a/libselinux/utils/Makefile b/libselinux/utils/Makefile
index aa2d3e1b144f..b018a08acbe0 100644
--- a/libselinux/utils/Makefile
+++ b/libselinux/utils/Makefile
@@ -56,8 +56,6 @@ sefcontext_compile: LDLIBS += $(PCRE_LDLIBS) ../src/libselinux.a -lsepol
sefcontext_compile: sefcontext_compile.o ../src/regex.o
-matchpathcon: CFLAGS += -Wno-deprecated-declarations
-
all: $(TARGETS)
install: all
diff --git a/libselinux/utils/matchpathcon.c b/libselinux/utils/matchpathcon.c
index cc018d213f4c..a07e160dee71 100644
--- a/libselinux/utils/matchpathcon.c
+++ b/libselinux/utils/matchpathcon.c
@@ -1,15 +1,14 @@
-#include <unistd.h>
-#include <stdio.h>
-#include <stdlib.h>
-#include <getopt.h>
#include <errno.h>
-#include <string.h>
+#include <getopt.h>
#include <limits.h>
-#include <sys/types.h>
-#include <sys/stat.h>
+#include <selinux/label.h>
#include <selinux/selinux.h>
-#include <limits.h>
+#include <stdio.h>
#include <stdlib.h>
+#include <string.h>
+#include <sys/stat.h>
+#include <sys/types.h>
+#include <unistd.h>
static __attribute__ ((__noreturn__)) void usage(const char *progname)
{
@@ -19,15 +18,21 @@ static __attribute__ ((__noreturn__)) void usage(const char *progname)
exit(1);
}
-static int printmatchpathcon(const char *path, int header, int mode)
+static int printmatchpathcon(struct selabel_handle *hnd, const char *path, int header, int mode, int notrans)
{
- char *buf;
- int rc = matchpathcon(path, mode, &buf);
+ char *buf = NULL;
+ int rc;
+
+ if (notrans) {
+ rc = selabel_lookup_raw(hnd, &buf, path, mode);
+ } else {
+ rc = selabel_lookup(hnd, &buf, path, mode);
+ }
if (rc < 0) {
if (errno == ENOENT) {
buf = strdup("<<none>>");
} else {
- fprintf(stderr, "matchpathcon(%s) failed: %s\n", path,
+ fprintf(stderr, "selabel_lookup(%s) failed: %s\n", path,
strerror(errno));
return 1;
}
@@ -66,15 +71,14 @@ static mode_t string_to_mode(char *s)
int main(int argc, char **argv)
{
- int i, init = 0, force_mode = 0;
+ int i, force_mode = 0;
int header = 1, opt;
int verify = 0;
int notrans = 0;
int error = 0;
int quiet = 0;
-
- fprintf(stderr,
- "Deprecated, use selabel_lookup\n");
+ struct selabel_handle *hnd;
+ struct selinux_opt options[SELABEL_NOPT] = {};
if (argc < 2)
usage(argv[0]);
@@ -96,23 +100,10 @@ int main(int argc, char **argv)
break;
case 'N':
notrans = 1;
- set_matchpathcon_flags(MATCHPATHCON_NOTRANS);
break;
case 'f':
- if (init) {
- fprintf(stderr,
- "%s: -f and -p are exclusive\n",
- argv[0]);
- exit(1);
- }
- init = 1;
- if (matchpathcon_init(optarg)) {
- fprintf(stderr,
- "Error while processing %s: %s\n",
- optarg,
- errno ? strerror(errno) : "invalid");
- exit(1);
- }
+ options[SELABEL_OPT_PATH].type = SELABEL_OPT_PATH;
+ options[SELABEL_OPT_PATH].value = optarg;
break;
case 'P':
if (selinux_set_policy_root(optarg) < 0 ) {
@@ -124,20 +115,11 @@ int main(int argc, char **argv)
}
break;
case 'p':
- if (init) {
- fprintf(stderr,
- "%s: -f and -p are exclusive\n",
- argv[0]);
- exit(1);
- }
- init = 1;
- if (matchpathcon_init_prefix(NULL, optarg)) {
- fprintf(stderr,
- "Error while processing %s: %s\n",
- optarg,
- errno ? strerror(errno) : "invalid");
- exit(1);
- }
+ // This option has been deprecated since libselinux 2.5 (2016):
+ // https://github.com/SELinuxProject/selinux/commit/26e05da0fc2d0a4bd274320968a88f8acbb3b6a6
+ fprintf(stderr, "Warning: using %s -p is deprecated\n", argv[0]);
+ options[SELABEL_OPT_SUBSET].type = SELABEL_OPT_SUBSET;
+ options[SELABEL_OPT_SUBSET].value = optarg;
break;
case 'q':
quiet = 1;
@@ -146,6 +128,13 @@ int main(int argc, char **argv)
usage(argv[0]);
}
}
+ hnd = selabel_open(SELABEL_CTX_FILE, options, SELABEL_NOPT);
+ if (!hnd) {
+ fprintf(stderr,
+ "Error while opening file contexts database: %s\n",
+ strerror(errno));
+ return -1;
+ }
for (i = optind; i < argc; i++) {
int rc, mode = 0;
struct stat buf;
@@ -185,19 +174,19 @@ int main(int argc, char **argv)
if (rc >= 0) {
printf("%s has context %s, should be ",
path, con);
- printmatchpathcon(path, 0, mode);
+ printmatchpathcon(hnd, path, 0, mode, notrans);
freecon(con);
} else {
printf
("actual context unknown: %s, should be ",
strerror(errno));
- printmatchpathcon(path, 0, mode);
+ printmatchpathcon(hnd, path, 0, mode, notrans);
}
}
} else {
- error |= printmatchpathcon(path, header, mode);
+ error |= printmatchpathcon(hnd, path, header, mode, notrans);
}
}
- matchpathcon_fini();
+ selabel_close(hnd);
return error;
}
--
2.29.0
Reference in New Issue View Git Blame Copy Permalink