5f9e3146a2
* Remove -lpthread from pkg-config file; it is not required.
223 lines
5.2 KiB
Diff
223 lines
5.2 KiB
Diff
diff --git a/libselinux/src/Makefile b/libselinux/src/Makefile
|
|
index 02dd829..6dfdb46 100644
|
|
--- a/libselinux/src/Makefile
|
|
+++ b/libselinux/src/Makefile
|
|
@@ -114,7 +114,7 @@ $(LIBA): $(OBJS)
|
|
$(RANLIB) $@
|
|
|
|
$(LIBSO): $(LOBJS)
|
|
- $(CC) $(CFLAGS) -shared -o $@ $^ -lpcre -ldl $(LDFLAGS) -L$(LIBDIR) -Wl,-soname,$(LIBSO),-z,defs,-z,relro
|
|
+ $(CC) $(CFLAGS) -shared -o $@ $^ -lpcre -llzma -ldl $(LDFLAGS) -L$(LIBDIR) -Wl,-soname,$(LIBSO),-z,defs,-z,relro
|
|
ln -sf $@ $(TARGET)
|
|
|
|
$(LIBPC): $(LIBPC).in ../VERSION
|
|
diff --git a/libselinux/src/load_policy.c b/libselinux/src/load_policy.c
|
|
index e419f1a..fdeca93 100644
|
|
--- a/libselinux/src/load_policy.c
|
|
+++ b/libselinux/src/load_policy.c
|
|
@@ -16,6 +16,82 @@
|
|
#include <dlfcn.h>
|
|
#include "policy.h"
|
|
#include <limits.h>
|
|
+#include <lzma.h>
|
|
+
|
|
+static char *lzmaread(int fd, size_t *rsize) {
|
|
+ int capacity = 64*1024;
|
|
+ char *buf = NULL;
|
|
+ int tmpsize = 8 * 1024;
|
|
+ unsigned char tmp[tmpsize];
|
|
+ unsigned char tmp_out[tmpsize];
|
|
+ size_t size = 0;
|
|
+ lzma_stream strm = LZMA_STREAM_INIT;
|
|
+ lzma_action action = LZMA_RUN;
|
|
+ lzma_ret ret;
|
|
+
|
|
+ FILE *stream = fdopen (fd, "r");
|
|
+ if (!stream) {
|
|
+ return NULL;
|
|
+ }
|
|
+ ret = lzma_stream_decoder(&strm, UINT64_MAX,
|
|
+ LZMA_CONCATENATED);
|
|
+
|
|
+ strm.avail_in = 0;
|
|
+ strm.next_out = tmp_out;
|
|
+ strm.avail_out = tmpsize;
|
|
+
|
|
+ buf = (char *) malloc (capacity);
|
|
+ if (!buf)
|
|
+ goto err;
|
|
+
|
|
+ while (1) {
|
|
+ if (strm.avail_in == 0) {
|
|
+ strm.next_in = tmp;
|
|
+ strm.avail_in = fread(tmp, 1, tmpsize, stream);
|
|
+
|
|
+ if (ferror(stream)) {
|
|
+ // POSIX says that fread() sets errno if
|
|
+ // an error occurred. ferror() doesn't
|
|
+ // touch errno.
|
|
+ goto err;
|
|
+ }
|
|
+ if (feof(stream)) action = LZMA_FINISH;
|
|
+ }
|
|
+
|
|
+ ret = lzma_code(&strm, action);
|
|
+
|
|
+ // Write and check write error before checking decoder error.
|
|
+ // This way as much data as possible gets written to output
|
|
+ // even if decoder detected an error.
|
|
+ if (strm.avail_out == 0 || ret != LZMA_OK) {
|
|
+ const size_t num = tmpsize - strm.avail_out;
|
|
+ if (num > capacity) {
|
|
+ buf = (char*) realloc (buf, size*2);
|
|
+ capacity = size;
|
|
+ }
|
|
+ memcpy (buf+size, tmp_out, num);
|
|
+ capacity -= num;
|
|
+ size += num;
|
|
+ strm.next_out = tmp_out;
|
|
+ strm.avail_out = tmpsize;
|
|
+ }
|
|
+ if (ret != LZMA_OK) {
|
|
+ if (ret == LZMA_STREAM_END) {
|
|
+ break;
|
|
+ } else {
|
|
+ goto err;
|
|
+ }
|
|
+ }
|
|
+ }
|
|
+ *rsize = size;
|
|
+
|
|
+ goto exit;
|
|
+err:
|
|
+ free(buf); buf = NULL;
|
|
+exit:
|
|
+ lzma_end(&strm);
|
|
+ return buf;
|
|
+}
|
|
|
|
int security_load_policy(void *data, size_t len)
|
|
{
|
|
@@ -55,7 +131,7 @@ int selinux_mkload_policy(int preservebools)
|
|
struct stat sb;
|
|
struct utsname uts;
|
|
size_t size;
|
|
- void *map, *data;
|
|
+ void *map = NULL, *data=NULL;
|
|
int fd, rc = -1, prot;
|
|
sepol_policydb_t *policydb;
|
|
sepol_policy_file_t *pf;
|
|
@@ -181,24 +257,28 @@ checkbool:
|
|
goto dlclose;
|
|
}
|
|
|
|
- if (fstat(fd, &sb) < 0) {
|
|
- fprintf(stderr,
|
|
- "SELinux: Could not stat policy file %s: %s\n",
|
|
- path, strerror(errno));
|
|
- goto close;
|
|
- }
|
|
-
|
|
- prot = PROT_READ;
|
|
- if (setlocaldefs || preservebools)
|
|
- prot |= PROT_WRITE;
|
|
+ data = lzmaread(fd,&size);
|
|
|
|
- size = sb.st_size;
|
|
- data = map = mmap(NULL, size, prot, MAP_PRIVATE, fd, 0);
|
|
- if (map == MAP_FAILED) {
|
|
- fprintf(stderr,
|
|
- "SELinux: Could not map policy file %s: %s\n",
|
|
+ if (!data) {
|
|
+ if (fstat(fd, &sb) < 0) {
|
|
+ fprintf(stderr,
|
|
+ "SELinux: Could not stat policy file %s: %s\n",
|
|
path, strerror(errno));
|
|
- goto close;
|
|
+ goto close;
|
|
+ }
|
|
+
|
|
+ prot = PROT_READ;
|
|
+ if (setlocaldefs || preservebools)
|
|
+ prot |= PROT_WRITE;
|
|
+
|
|
+ size = sb.st_size;
|
|
+ data = map = mmap(NULL, size, prot, MAP_PRIVATE, fd, 0);
|
|
+ if (map == MAP_FAILED) {
|
|
+ fprintf(stderr,
|
|
+ "SELinux: Could not map policy file %s: %s\n",
|
|
+ path, strerror(errno));
|
|
+ goto close;
|
|
+ }
|
|
}
|
|
|
|
if (vers > kernvers && usesepol) {
|
|
@@ -210,6 +290,8 @@ checkbool:
|
|
goto unmap;
|
|
}
|
|
policy_file_set_mem(pf, data, size);
|
|
+ if (!map)
|
|
+ free(data);
|
|
if (policydb_read(policydb, pf)) {
|
|
policy_file_free(pf);
|
|
policydb_free(policydb);
|
|
@@ -223,7 +305,8 @@ checkbool:
|
|
path);
|
|
policy_file_free(pf);
|
|
policydb_free(policydb);
|
|
- munmap(map, sb.st_size);
|
|
+ if (map)
|
|
+ munmap(map, sb.st_size);
|
|
close(fd);
|
|
vers--;
|
|
goto search;
|
|
@@ -275,7 +358,7 @@ checkbool:
|
|
#endif
|
|
}
|
|
|
|
-
|
|
+
|
|
rc = security_load_policy(data, size);
|
|
|
|
if (rc)
|
|
@@ -286,7 +369,8 @@ checkbool:
|
|
unmap:
|
|
if (data != map)
|
|
free(data);
|
|
- munmap(map, sb.st_size);
|
|
+ if (map)
|
|
+ munmap(map, sb.st_size);
|
|
close:
|
|
close(fd);
|
|
dlclose:
|
|
@@ -410,7 +494,7 @@ int selinux_init_load_policy(int *enforce)
|
|
* already mounted and selinuxmnt set above.
|
|
*/
|
|
|
|
- if (seconfig == -1) {
|
|
+ if (*enforce == -1) {
|
|
/* Runtime disable of SELinux. */
|
|
rc = security_disable();
|
|
if (rc == 0) {
|
|
diff --git a/libselinux/src/matchpathcon.c b/libselinux/src/matchpathcon.c
|
|
index 2d7369e..2a00807 100644
|
|
--- a/libselinux/src/matchpathcon.c
|
|
+++ b/libselinux/src/matchpathcon.c
|
|
@@ -2,6 +2,7 @@
|
|
#include <string.h>
|
|
#include <errno.h>
|
|
#include <stdio.h>
|
|
+#include <syslog.h>
|
|
#include "selinux_internal.h"
|
|
#include "label_internal.h"
|
|
#include "callbacks.h"
|
|
@@ -62,7 +63,7 @@ static void
|
|
{
|
|
va_list ap;
|
|
va_start(ap, fmt);
|
|
- vfprintf(stderr, fmt, ap);
|
|
+ vsyslog(LOG_ERR, fmt, ap);
|
|
va_end(ap);
|
|
}
|
|
|