2008-12-04 20:19:01 +00:00
|
|
|
diff --exclude-from=exclude -N -u -r nsalibsemanage/include/semanage/modules.h libsemanage-2.0.30/include/semanage/modules.h
|
2008-11-07 14:23:16 +00:00
|
|
|
--- nsalibsemanage/include/semanage/modules.h 2008-08-28 09:34:24.000000000 -0400
|
2008-12-04 20:19:01 +00:00
|
|
|
+++ libsemanage-2.0.30/include/semanage/modules.h 2008-12-04 15:15:23.000000000 -0500
|
2008-11-07 14:23:16 +00:00
|
|
|
@@ -30,10 +30,16 @@
|
|
|
|
|
|
|
|
int semanage_module_install(semanage_handle_t *,
|
|
|
|
char *module_data, size_t data_len);
|
|
|
|
+int semanage_module_install_file(semanage_handle_t *,
|
|
|
|
+ const char *module_name);
|
|
|
|
int semanage_module_upgrade(semanage_handle_t *,
|
|
|
|
char *module_data, size_t data_len);
|
|
|
|
+int semanage_module_upgrade_file(semanage_handle_t *,
|
|
|
|
+ const char *module_name);
|
|
|
|
int semanage_module_install_base(semanage_handle_t *,
|
|
|
|
char *module_data, size_t data_len);
|
|
|
|
+int semanage_module_install_base_file(semanage_handle_t *,
|
|
|
|
+ const char *module_name);
|
|
|
|
int semanage_module_remove(semanage_handle_t *, char *module_name);
|
|
|
|
|
|
|
|
/* semanage_module_info is for getting information on installed
|
2008-12-04 20:19:01 +00:00
|
|
|
diff --exclude-from=exclude -N -u -r nsalibsemanage/src/Makefile libsemanage-2.0.30/src/Makefile
|
2008-11-07 14:23:16 +00:00
|
|
|
--- nsalibsemanage/src/Makefile 2008-08-28 09:34:24.000000000 -0400
|
2008-12-04 20:19:01 +00:00
|
|
|
+++ libsemanage-2.0.30/src/Makefile 2008-12-04 15:15:23.000000000 -0500
|
2008-11-07 14:23:16 +00:00
|
|
|
@@ -54,7 +54,7 @@
|
|
|
|
ranlib $@
|
|
|
|
|
|
|
|
$(LIBSO): $(LOBJS)
|
|
|
|
- $(CC) $(CFLAGS) $(LDFLAGS) -shared -o $@ $^ -lsepol -lselinux -lustr -L$(LIBDIR) -Wl,-soname,$(LIBSO),--version-script=libsemanage.map,-z,defs
|
|
|
|
+ $(CC) $(CFLAGS) $(LDFLAGS) -shared -o $@ $^ -lsepol -lselinux -lbz2 -lustr -L$(LIBDIR) -Wl,-soname,$(LIBSO),--version-script=libsemanage.map,-z,defs
|
|
|
|
ln -sf $@ $(TARGET)
|
|
|
|
|
|
|
|
conf-scan.c: conf-scan.l conf-parse.h
|
2008-12-04 20:19:01 +00:00
|
|
|
diff --exclude-from=exclude -N -u -r nsalibsemanage/src/direct_api.c libsemanage-2.0.30/src/direct_api.c
|
|
|
|
--- nsalibsemanage/src/direct_api.c 2008-11-14 17:10:15.000000000 -0500
|
|
|
|
+++ libsemanage-2.0.30/src/direct_api.c 2008-12-04 15:15:23.000000000 -0500
|
2008-11-07 14:23:16 +00:00
|
|
|
@@ -50,6 +50,7 @@
|
|
|
|
#include "semanage_store.h"
|
|
|
|
#include "database_policydb.h"
|
|
|
|
#include "policy.h"
|
|
|
|
+#include <sys/mman.h>
|
|
|
|
|
|
|
|
static void semanage_direct_destroy(semanage_handle_t * sh);
|
|
|
|
static int semanage_direct_disconnect(semanage_handle_t * sh);
|
|
|
|
@@ -57,10 +58,13 @@
|
|
|
|
static int semanage_direct_commit(semanage_handle_t * sh);
|
|
|
|
static int semanage_direct_install(semanage_handle_t * sh, char *data,
|
|
|
|
size_t data_len);
|
|
|
|
+static int semanage_direct_install_file(semanage_handle_t * sh, const char *module_name);
|
|
|
|
static int semanage_direct_upgrade(semanage_handle_t * sh, char *data,
|
|
|
|
size_t data_len);
|
|
|
|
+static int semanage_direct_upgrade_file(semanage_handle_t * sh, const char *module_name);
|
|
|
|
static int semanage_direct_install_base(semanage_handle_t * sh, char *base_data,
|
|
|
|
size_t data_len);
|
|
|
|
+static int semanage_direct_install_base_file(semanage_handle_t * sh, const char *module_name);
|
|
|
|
static int semanage_direct_remove(semanage_handle_t * sh, char *module_name);
|
|
|
|
static int semanage_direct_list(semanage_handle_t * sh,
|
|
|
|
semanage_module_info_t ** modinfo,
|
|
|
|
@@ -73,8 +77,11 @@
|
|
|
|
.begin_trans = semanage_direct_begintrans,
|
|
|
|
.commit = semanage_direct_commit,
|
|
|
|
.install = semanage_direct_install,
|
|
|
|
+ .install_file = semanage_direct_install_file,
|
|
|
|
.upgrade = semanage_direct_upgrade,
|
|
|
|
+ .upgrade_file = semanage_direct_upgrade_file,
|
|
|
|
.install_base = semanage_direct_install_base,
|
|
|
|
+ .install_base_file = semanage_direct_install_base_file,
|
|
|
|
.remove = semanage_direct_remove,
|
|
|
|
.list = semanage_direct_list
|
|
|
|
};
|
|
|
|
@@ -378,12 +385,157 @@
|
|
|
|
return 0;
|
|
|
|
}
|
|
|
|
|
|
|
|
+#include <stdlib.h>
|
|
|
|
+#include <bzlib.h>
|
|
|
|
+#include <string.h>
|
|
|
|
+#include <sys/sendfile.h>
|
|
|
|
+
|
|
|
|
+/* bzip() a file to '*data', returning the total number of uncompressed bytes
|
|
|
|
+ * in the file. Returns 0 if file could not be decompressed. */
|
|
|
|
+static size_t bzip(const char *filename, char *data, size_t num_bytes) {
|
|
|
|
+ BZFILE* b;
|
|
|
|
+ size_t size = 1<<16;
|
|
|
|
+ int bzerror;
|
|
|
|
+ size_t total = 0;
|
|
|
|
+ size_t len = 0;
|
|
|
|
+ FILE *f;
|
|
|
|
+
|
|
|
|
+ if ((f = fopen(filename, "wb")) == NULL) {
|
|
|
|
+ return 0;
|
|
|
|
+ }
|
|
|
|
+
|
|
|
|
+ b = BZ2_bzWriteOpen( &bzerror, f, 9, 0, 0);
|
|
|
|
+ if (bzerror != BZ_OK) {
|
|
|
|
+ BZ2_bzWriteClose ( &bzerror, b, 1, 0, 0 );
|
|
|
|
+ return 0;
|
|
|
|
+ }
|
|
|
|
+
|
|
|
|
+ while ( num_bytes > total ) {
|
|
|
|
+ if (num_bytes - total > size) {
|
|
|
|
+ len = size;
|
|
|
|
+ } else {
|
|
|
|
+ len = num_bytes - total;
|
|
|
|
+ }
|
|
|
|
+ BZ2_bzWrite ( &bzerror, b, &data[total], len );
|
|
|
|
+ if (bzerror == BZ_IO_ERROR) {
|
|
|
|
+ BZ2_bzWriteClose ( &bzerror, b, 1, 0, 0 );
|
|
|
|
+ return 0;
|
|
|
|
+ }
|
|
|
|
+ total += len;
|
|
|
|
+ }
|
|
|
|
+
|
|
|
|
+ BZ2_bzWriteClose ( &bzerror, b, 0, 0, 0 );
|
|
|
|
+ fclose(f);
|
|
|
|
+ if (bzerror == BZ_IO_ERROR) {
|
|
|
|
+ return 0;
|
|
|
|
+ }
|
|
|
|
+ return total;
|
|
|
|
+}
|
|
|
|
+
|
|
|
|
+/* bunzip() a file to '*data', returning the total number of uncompressed bytes
|
|
|
|
+ * in the file. Returns 0 if file could not be decompressed. */
|
|
|
|
+size_t bunzip(FILE *f, char **data) {
|
|
|
|
+ BZFILE* b;
|
|
|
|
+ size_t nBuf;
|
|
|
|
+ char buf[1<<18];
|
|
|
|
+ size_t size = sizeof(buf);
|
|
|
|
+ int bzerror;
|
|
|
|
+ size_t total=0;
|
|
|
|
+
|
|
|
|
+ b = BZ2_bzReadOpen ( &bzerror, f, 0, 0, NULL, 0 );
|
|
|
|
+ if ( bzerror != BZ_OK ) {
|
|
|
|
+ BZ2_bzReadClose ( &bzerror, b );
|
|
|
|
+ return 0;
|
|
|
|
+ }
|
|
|
|
+
|
|
|
|
+ char *uncompress = realloc(NULL, size);
|
|
|
|
+
|
|
|
|
+ while ( bzerror == BZ_OK) {
|
|
|
|
+ nBuf = BZ2_bzRead ( &bzerror, b, buf, sizeof(buf));
|
|
|
|
+ if (( bzerror == BZ_OK ) || ( bzerror == BZ_STREAM_END )) {
|
|
|
|
+ if (total + nBuf > size) {
|
|
|
|
+ size *= 2;
|
|
|
|
+ uncompress = realloc(uncompress, size);
|
|
|
|
+ }
|
|
|
|
+ memcpy(&uncompress[total], buf, nBuf);
|
|
|
|
+ total += nBuf;
|
|
|
|
+ }
|
|
|
|
+ }
|
|
|
|
+ if ( bzerror != BZ_STREAM_END ) {
|
|
|
|
+ BZ2_bzReadClose ( &bzerror, b );
|
|
|
|
+ free(uncompress);
|
|
|
|
+ return 0;
|
|
|
|
+ }
|
|
|
|
+ BZ2_bzReadClose ( &bzerror, b );
|
|
|
|
+
|
|
|
|
+ *data = uncompress;
|
|
|
|
+ return total;
|
|
|
|
+}
|
|
|
|
+
|
|
|
|
+/* mmap() a file to '*data',
|
|
|
|
+ * If the file is bzip compressed map_file will uncompress
|
|
|
|
+ * the file into '*data'.
|
|
|
|
+ * Returns the total number of bytes in memory .
|
|
|
|
+ * Returns 0 if file could not be opened or mapped. */
|
|
|
|
+static size_t map_file(int fd, char **data, int *compressed)
|
|
|
|
+{
|
|
|
|
+ int size;
|
|
|
|
+ char *uncompress;
|
|
|
|
+ if ((size = bunzip(fdopen(fd, "r"), &uncompress)) > 0) {
|
|
|
|
+ *data = mmap(0, size, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, 0, 0);
|
|
|
|
+ if (*data == MAP_FAILED) {
|
|
|
|
+ free(uncompress);
|
|
|
|
+ return 0;
|
|
|
|
+ } else {
|
|
|
|
+ memcpy(*data, uncompress, size);
|
|
|
|
+ }
|
|
|
|
+ free(uncompress);
|
|
|
|
+ *compressed = 1;
|
|
|
|
+ } else {
|
|
|
|
+ struct stat sb;
|
|
|
|
+ if (fstat(fd, &sb) == -1 ||
|
|
|
|
+ (*data = mmap(NULL, sb.st_size, PROT_READ, MAP_PRIVATE, fd, 0)) ==
|
|
|
|
+ MAP_FAILED) {
|
|
|
|
+ size = 0;
|
|
|
|
+ } else {
|
|
|
|
+ size = sb.st_size;
|
|
|
|
+ }
|
|
|
|
+ *compressed = 0;
|
|
|
|
+ }
|
|
|
|
+
|
|
|
|
+ return size;
|
|
|
|
+}
|
|
|
|
+
|
|
|
|
+static int dupfile( const char *dest, int src_fd) {
|
|
|
|
+ int dest_fd = -1;
|
|
|
|
+ int retval = 0;
|
|
|
|
+ int cnt;
|
|
|
|
+ char buf[1<<18];
|
|
|
|
+
|
|
|
|
+ if (lseek(src_fd, 0, SEEK_SET) == -1 ) return -1;
|
|
|
|
+
|
|
|
|
+ if ((dest_fd = open(dest, O_WRONLY | O_CREAT | O_TRUNC,
|
|
|
|
+ S_IRUSR | S_IWUSR)) == -1) {
|
|
|
|
+ return -1;
|
|
|
|
+ }
|
|
|
|
+
|
|
|
|
+ while (( retval == 0 ) &&
|
|
|
|
+ ( cnt = read(src_fd, buf, sizeof(buf)))> 0 ) {
|
|
|
|
+ if (write(dest_fd, buf, cnt) < cnt) retval = -1;
|
|
|
|
+ }
|
|
|
|
+ close(dest_fd);
|
|
|
|
+ return retval;
|
|
|
|
+}
|
|
|
|
+
|
|
|
|
/* Writes a block of data to a file. Returns 0 on success, -1 on
|
|
|
|
* error. */
|
|
|
|
static int write_file(semanage_handle_t * sh,
|
|
|
|
const char *filename, char *data, size_t num_bytes)
|
|
|
|
{
|
|
|
|
int out;
|
|
|
|
+
|
|
|
|
+ /* Unlink no matter what, incase this file is a hard link, ignore error */
|
|
|
|
+ unlink(filename);
|
|
|
|
if ((out =
|
|
|
|
open(filename, O_WRONLY | O_CREAT | O_TRUNC,
|
|
|
|
S_IRUSR | S_IWUSR)) == -1) {
|
|
|
|
@@ -499,7 +651,7 @@
|
|
|
|
sepol_policydb_t *out = NULL;
|
|
|
|
|
|
|
|
/* Declare some variables */
|
|
|
|
- int modified, fcontexts_modified, ports_modified,
|
|
|
|
+ int modified = 0, fcontexts_modified, ports_modified,
|
|
|
|
seusers_modified, users_extra_modified;
|
|
|
|
dbase_config_t *users = semanage_user_dbase_local(sh);
|
|
|
|
dbase_config_t *users_base = semanage_user_base_dbase_local(sh);
|
|
|
|
@@ -815,7 +967,9 @@
|
|
|
|
&filename)) != 0) {
|
|
|
|
goto cleanup;
|
|
|
|
}
|
|
|
|
- if (write_file(sh, filename, data, data_len) == -1) {
|
|
|
|
+
|
|
|
|
+ if (bzip(filename, data, data_len) == 0) {
|
|
|
|
+ ERR(sh, "Error while writing to %s.", filename);
|
|
|
|
retval = -3;
|
|
|
|
}
|
|
|
|
retval = 0;
|
|
|
|
@@ -826,19 +980,60 @@
|
|
|
|
return retval;
|
|
|
|
}
|
|
|
|
|
|
|
|
-/* Similar to semanage_direct_install(), except that it checks that
|
|
|
|
- * there already exists a module with the same name and that the
|
|
|
|
- * module is an older version then the one in 'data'. Returns 0 on
|
|
|
|
- * success, -1 if out of memory, -2 if the data does not represent a
|
|
|
|
- * valid module file, -3 if error while writing file or reading
|
|
|
|
- * modules directory, -4 if there does not exist an older module or if
|
|
|
|
- * the previous module is same or newer than 'data'.
|
|
|
|
- */
|
|
|
|
-static int semanage_direct_upgrade(semanage_handle_t * sh,
|
|
|
|
- char *data, size_t data_len)
|
|
|
|
+/* Attempts to link a module to the sandbox's module directory, unlinking any
|
|
|
|
+ * previous module stored within. Returns 0 on success, -1 if out of memory, -2 if the
|
|
|
|
+ * data does not represent a valid module file, -3 if error while
|
|
|
|
+ * writing file. */
|
|
|
|
+
|
|
|
|
+static int semanage_direct_install_file(semanage_handle_t * sh,
|
|
|
|
+ const char *install_filename)
|
|
|
|
{
|
|
|
|
+
|
|
|
|
+ int retval = -1;
|
|
|
|
+ char *data = NULL;
|
|
|
|
+ size_t data_len = 0;
|
|
|
|
+ int compressed = 0;
|
|
|
|
+ int in_fd = -1;
|
|
|
|
+
|
|
|
|
+ if ((in_fd = open(install_filename, O_RDONLY)) == -1) {
|
|
|
|
+ return 0;
|
|
|
|
+ }
|
|
|
|
+
|
|
|
|
+ if ((data_len = map_file(in_fd, &data, &compressed)) == 0) {
|
|
|
|
+ goto cleanup;
|
|
|
|
+ }
|
|
|
|
+
|
|
|
|
+ if (compressed) {
|
|
|
|
+ char *module_name = NULL, *version = NULL, *filename = NULL;
|
|
|
|
+ if ((retval = parse_module_headers(sh, data, data_len,
|
|
|
|
+ &module_name, &version,
|
|
|
|
+ &filename)) != 0) {
|
|
|
|
+ goto cleanup;
|
|
|
|
+ }
|
|
|
|
+
|
|
|
|
+ if (data_len > 0) munmap(data, data_len);
|
|
|
|
+ data_len = 0;
|
|
|
|
+ retval = dupfile(filename, in_fd);
|
|
|
|
+ free(version);
|
|
|
|
+ free(filename);
|
|
|
|
+ free(module_name);
|
|
|
|
+
|
|
|
|
+ } else {
|
|
|
|
+ retval = semanage_direct_install(sh, data, data_len);
|
|
|
|
+ }
|
|
|
|
+
|
|
|
|
+ cleanup:
|
|
|
|
+ close(in_fd);
|
|
|
|
+ if (data_len > 0) munmap(data, data_len);
|
|
|
|
+
|
|
|
|
+ return retval;
|
|
|
|
+}
|
|
|
|
+
|
|
|
|
+
|
|
|
|
+static int get_direct_upgrade_filename(semanage_handle_t * sh,
|
|
|
|
+ char *data, size_t data_len, char **outfilename) {
|
|
|
|
int i, retval, num_modules = 0;
|
|
|
|
- char *module_name = NULL, *version = NULL, *filename = NULL;
|
|
|
|
+ char *filename = NULL, *module_name = NULL, *version = NULL;
|
|
|
|
semanage_module_info_t *modinfo = NULL;
|
|
|
|
if ((retval = parse_module_headers(sh, data, data_len,
|
|
|
|
&module_name, &version,
|
|
|
|
@@ -868,14 +1063,10 @@
|
|
|
|
if (retval == -4) {
|
|
|
|
ERR(sh, "There does not already exist a module named %s.",
|
|
|
|
module_name);
|
|
|
|
- goto cleanup;
|
|
|
|
- }
|
|
|
|
- if (write_file(sh, filename, data, data_len) == -1) {
|
|
|
|
- retval = -3;
|
|
|
|
}
|
|
|
|
+
|
|
|
|
cleanup:
|
|
|
|
free(version);
|
|
|
|
- free(filename);
|
|
|
|
free(module_name);
|
|
|
|
for (i = 0; modinfo != NULL && i < num_modules; i++) {
|
|
|
|
semanage_module_info_t *m =
|
|
|
|
@@ -883,6 +1074,80 @@
|
|
|
|
semanage_module_info_datum_destroy(m);
|
|
|
|
}
|
|
|
|
free(modinfo);
|
|
|
|
+ if (retval == 0) {
|
|
|
|
+ *outfilename = filename;
|
|
|
|
+ } else {
|
|
|
|
+ free(filename);
|
|
|
|
+ }
|
|
|
|
+ return retval;
|
|
|
|
+}
|
|
|
|
+
|
|
|
|
+/* Similar to semanage_direct_install(), except that it checks that
|
|
|
|
+ * there already exists a module with the same name and that the
|
|
|
|
+ * module is an older version then the one in 'data'. Returns 0 on
|
|
|
|
+ * success, -1 if out of memory, -2 if the data does not represent a
|
|
|
|
+ * valid module file, -3 if error while writing file or reading
|
|
|
|
+ * modules directory, -4 if there does not exist an older module or if
|
|
|
|
+ * the previous module is same or newer than 'data'.
|
|
|
|
+ */
|
|
|
|
+static int semanage_direct_upgrade(semanage_handle_t * sh,
|
|
|
|
+ char *data, size_t data_len)
|
|
|
|
+{
|
|
|
|
+ char *filename = NULL;
|
|
|
|
+ int retval = get_direct_upgrade_filename(sh,
|
|
|
|
+ data, data_len,
|
|
|
|
+ &filename);
|
|
|
|
+ if (retval == 0) {
|
|
|
|
+ if (bzip(filename, data, data_len) == 0) {
|
|
|
|
+ ERR(sh, "Error while writing to %s.", filename);
|
|
|
|
+ retval = -3;
|
|
|
|
+ }
|
|
|
|
+ free(filename);
|
|
|
|
+ }
|
|
|
|
+ return retval;
|
|
|
|
+}
|
|
|
|
+
|
|
|
|
+/* Attempts to link a module to the sandbox's module directory, unlinking any
|
|
|
|
+ * previous module stored within.
|
|
|
|
+ * Returns 0 on success, -1 if out of memory, -2 if the
|
|
|
|
+ * data does not represent a valid module file, -3 if error while
|
|
|
|
+ * writing file. */
|
|
|
|
+
|
|
|
|
+static int semanage_direct_upgrade_file(semanage_handle_t * sh,
|
|
|
|
+ const char *module_filename)
|
|
|
|
+{
|
|
|
|
+ int retval = -1;
|
|
|
|
+ char *data = NULL;
|
|
|
|
+ size_t data_len = 0;
|
|
|
|
+ int compressed = 0;
|
|
|
|
+ int in_fd = -1;
|
|
|
|
+
|
|
|
|
+ if ((in_fd = open(module_filename, O_RDONLY)) == -1) {
|
|
|
|
+ return 0;
|
|
|
|
+ }
|
|
|
|
+
|
|
|
|
+ if ((data_len = map_file(in_fd, &data, &compressed)) == 0) {
|
|
|
|
+ goto cleanup;
|
|
|
|
+ }
|
|
|
|
+
|
|
|
|
+ if (compressed) {
|
|
|
|
+ char *filename = NULL;
|
|
|
|
+ retval = get_direct_upgrade_filename(sh,
|
|
|
|
+ data, data_len,
|
|
|
|
+ &filename);
|
|
|
|
+
|
|
|
|
+ if (retval != 0) goto cleanup;
|
|
|
|
+
|
|
|
|
+ retval = dupfile(filename, in_fd);
|
|
|
|
+ free(filename);
|
|
|
|
+ } else {
|
|
|
|
+ retval = semanage_direct_upgrade(sh, data, data_len);
|
|
|
|
+ }
|
|
|
|
+
|
|
|
|
+ cleanup:
|
|
|
|
+ close(in_fd);
|
|
|
|
+ if (data_len > 0) munmap(data, data_len);
|
|
|
|
+
|
|
|
|
return retval;
|
|
|
|
}
|
|
|
|
|
|
|
|
@@ -903,7 +1168,8 @@
|
|
|
|
if ((filename = semanage_path(SEMANAGE_TMP, SEMANAGE_BASE)) == NULL) {
|
|
|
|
goto cleanup;
|
|
|
|
}
|
|
|
|
- if (write_file(sh, filename, base_data, data_len) == -1) {
|
|
|
|
+ if (bzip(filename, base_data, data_len) == 0) {
|
|
|
|
+ ERR(sh, "Error while writing to %s.", filename);
|
|
|
|
retval = -3;
|
|
|
|
}
|
|
|
|
retval = 0;
|
|
|
|
@@ -911,6 +1177,49 @@
|
|
|
|
return retval;
|
|
|
|
}
|
|
|
|
|
|
|
|
+/* Writes a base module into a sandbox, overwriting any previous base
|
|
|
|
+ * module.
|
|
|
|
+ * Returns 0 on success, -1 if out of memory, -2 if the data does not represent
|
|
|
|
+ * a valid base module file, -3 if error while writing file.
|
|
|
|
+ */
|
|
|
|
+static int semanage_direct_install_base_file(semanage_handle_t * sh,
|
|
|
|
+ const char *install_filename)
|
|
|
|
+{
|
|
|
|
+ int retval = -1;
|
|
|
|
+ char *data = NULL;
|
|
|
|
+ size_t data_len = 0;
|
|
|
|
+ int compressed = 0;
|
|
|
|
+ int in_fd;
|
|
|
|
+
|
|
|
|
+ if ((in_fd = open(install_filename, O_RDONLY)) == -1) {
|
|
|
|
+ return 0;
|
|
|
|
+ }
|
|
|
|
+
|
|
|
|
+ if ((data_len = map_file(in_fd, &data, &compressed)) == 0) {
|
|
|
|
+ goto cleanup;
|
|
|
|
+ }
|
|
|
|
+
|
|
|
|
+ if (compressed) {
|
|
|
|
+ const char *filename = NULL;
|
|
|
|
+ if ((retval = parse_base_headers(sh, data, data_len)) != 0) {
|
|
|
|
+ goto cleanup;
|
|
|
|
+ }
|
|
|
|
+ if ((filename = semanage_path(SEMANAGE_TMP, SEMANAGE_BASE)) == NULL) {
|
|
|
|
+ goto cleanup;
|
|
|
|
+ }
|
|
|
|
+
|
|
|
|
+ retval = dupfile(filename, in_fd);
|
|
|
|
+ } else {
|
|
|
|
+ retval = semanage_direct_install_base(sh, data, data_len);
|
|
|
|
+ }
|
|
|
|
+
|
|
|
|
+ cleanup:
|
|
|
|
+ close(in_fd);
|
|
|
|
+ if (data_len > 0) munmap(data, data_len);
|
|
|
|
+
|
|
|
|
+ return retval;
|
|
|
|
+}
|
|
|
|
+
|
|
|
|
/* Removes a module from the sandbox. Returns 0 on success, -1 if out
|
|
|
|
* of memory, -2 if module not found or could not be removed. */
|
|
|
|
static int semanage_direct_remove(semanage_handle_t * sh, char *module_name)
|
|
|
|
@@ -1005,15 +1314,26 @@
|
|
|
|
* report it */
|
|
|
|
continue;
|
|
|
|
}
|
|
|
|
+ size_t size;
|
|
|
|
+ char *data = NULL;
|
|
|
|
+
|
|
|
|
+ if ((size = bunzip(fp, &data)) != 0) {
|
|
|
|
+ fclose(fp);
|
|
|
|
+ fp = fmemopen(data, size, "rb");
|
|
|
|
+ }
|
|
|
|
+ rewind(fp);
|
|
|
|
+
|
|
|
|
__fsetlocking(fp, FSETLOCKING_BYCALLER);
|
|
|
|
sepol_policy_file_set_fp(pf, fp);
|
|
|
|
if (sepol_module_package_info(pf, &type, &name, &version)) {
|
|
|
|
fclose(fp);
|
|
|
|
+ free(data);
|
|
|
|
free(name);
|
|
|
|
free(version);
|
|
|
|
continue;
|
|
|
|
}
|
|
|
|
fclose(fp);
|
|
|
|
+ free(data);
|
|
|
|
if (type == SEPOL_POLICY_MOD) {
|
|
|
|
(*modinfo)[*num_modules].name = name;
|
|
|
|
(*modinfo)[*num_modules].version = version;
|
2008-12-04 20:19:01 +00:00
|
|
|
diff --exclude-from=exclude -N -u -r nsalibsemanage/src/direct_api.h libsemanage-2.0.30/src/direct_api.h
|
|
|
|
--- nsalibsemanage/src/direct_api.h 2008-11-14 17:10:15.000000000 -0500
|
|
|
|
+++ libsemanage-2.0.30/src/direct_api.h 2008-12-04 15:15:23.000000000 -0500
|
|
|
|
@@ -37,6 +37,7 @@
|
2008-11-07 14:23:16 +00:00
|
|
|
|
|
|
|
int semanage_direct_access_check(struct semanage_handle *sh);
|
|
|
|
|
2008-12-04 20:19:01 +00:00
|
|
|
-int semanage_direct_mls_enabled(struct semanage_handle *sh);
|
2008-11-07 14:23:16 +00:00
|
|
|
+#include <stdio.h>
|
|
|
|
+size_t bunzip(FILE *f, char **data);
|
2008-12-04 20:19:01 +00:00
|
|
|
|
2008-11-07 14:23:16 +00:00
|
|
|
#endif
|
2008-12-04 20:19:01 +00:00
|
|
|
diff --exclude-from=exclude -N -u -r nsalibsemanage/src/genhomedircon.c libsemanage-2.0.30/src/genhomedircon.c
|
2008-09-10 14:37:31 +00:00
|
|
|
--- nsalibsemanage/src/genhomedircon.c 2008-08-28 09:34:24.000000000 -0400
|
2008-12-04 20:19:01 +00:00
|
|
|
+++ libsemanage-2.0.30/src/genhomedircon.c 2008-12-04 15:16:11.000000000 -0500
|
2008-08-29 18:57:16 +00:00
|
|
|
@@ -487,7 +487,6 @@
|
2008-01-22 19:38:14 +00:00
|
|
|
const char *role_prefix)
|
|
|
|
{
|
|
|
|
replacement_pair_t repl[] = {
|
|
|
|
- {.search_for = TEMPLATE_SEUSER,.replace_with = seuser},
|
|
|
|
{.search_for = TEMPLATE_HOME_DIR,.replace_with = home},
|
|
|
|
{.search_for = TEMPLATE_ROLE,.replace_with = role_prefix},
|
|
|
|
{NULL, NULL}
|
2008-08-29 18:57:16 +00:00
|
|
|
@@ -547,7 +546,6 @@
|
2008-01-22 19:38:14 +00:00
|
|
|
replacement_pair_t repl[] = {
|
|
|
|
{.search_for = TEMPLATE_USER,.replace_with = user},
|
|
|
|
{.search_for = TEMPLATE_ROLE,.replace_with = role_prefix},
|
|
|
|
- {.search_for = TEMPLATE_SEUSER,.replace_with = seuser},
|
|
|
|
{NULL, NULL}
|
|
|
|
};
|
|
|
|
Ustr *line = USTR_NULL;
|
2008-12-04 20:19:01 +00:00
|
|
|
@@ -794,6 +792,12 @@
|
|
|
|
* /root */
|
|
|
|
continue;
|
|
|
|
}
|
|
|
|
+ if (strcmp(pwent->pw_dir, "/root") == 0) {
|
|
|
|
+ /* don't relabel / genhomdircon checked to see if root
|
|
|
|
+ * was the user and if so, set his home directory to
|
|
|
|
+ * /root */
|
|
|
|
+ continue;
|
|
|
|
+ }
|
|
|
|
if (push_user_entry(&head, name, seuname,
|
|
|
|
prefix, pwent->pw_dir) != STATUS_SUCCESS) {
|
|
|
|
*errors = STATUS_ERR;
|
|
|
|
diff --exclude-from=exclude -N -u -r nsalibsemanage/src/libsemanage.map libsemanage-2.0.30/src/libsemanage.map
|
|
|
|
--- nsalibsemanage/src/libsemanage.map 2008-11-14 17:10:15.000000000 -0500
|
|
|
|
+++ libsemanage-2.0.30/src/libsemanage.map 2008-12-04 15:15:23.000000000 -0500
|
2008-11-07 14:23:16 +00:00
|
|
|
@@ -3,8 +3,10 @@
|
|
|
|
semanage_is_managed; semanage_connect; semanage_disconnect;
|
|
|
|
semanage_msg_*;
|
|
|
|
semanage_begin_transaction; semanage_commit;
|
|
|
|
- semanage_module_install; semanage_module_upgrade;
|
|
|
|
- semanage_module_install_base; semanage_module_remove;
|
|
|
|
+ semanage_module_install; semanage_module_install_file;
|
|
|
|
+ semanage_module_upgrade; semanage_module_upgrade_file;
|
|
|
|
+ semanage_module_install_base; semanage_module_install_base_file;
|
|
|
|
+ semanage_module_remove;
|
|
|
|
semanage_module_list; semanage_module_info_datum_destroy;
|
|
|
|
semanage_module_list_nth; semanage_module_get_name;
|
|
|
|
semanage_module_get_version; semanage_select_store;
|
2008-12-04 20:19:01 +00:00
|
|
|
diff --exclude-from=exclude -N -u -r nsalibsemanage/src/modules.c libsemanage-2.0.30/src/modules.c
|
2008-11-07 14:23:16 +00:00
|
|
|
--- nsalibsemanage/src/modules.c 2008-08-28 09:34:24.000000000 -0400
|
2008-12-04 20:19:01 +00:00
|
|
|
+++ libsemanage-2.0.30/src/modules.c 2008-12-04 15:15:23.000000000 -0500
|
2008-11-07 14:23:16 +00:00
|
|
|
@@ -52,6 +52,25 @@
|
|
|
|
return sh->funcs->install(sh, module_data, data_len);
|
|
|
|
}
|
|
|
|
|
|
|
|
+int semanage_module_install_file(semanage_handle_t * sh,
|
|
|
|
+ const char *module_name) {
|
|
|
|
+
|
|
|
|
+ if (sh->funcs->install_file == NULL) {
|
|
|
|
+ ERR(sh,
|
|
|
|
+ "No install function defined for this connection type.");
|
|
|
|
+ return -1;
|
|
|
|
+ } else if (!sh->is_connected) {
|
|
|
|
+ ERR(sh, "Not connected.");
|
|
|
|
+ return -1;
|
|
|
|
+ } else if (!sh->is_in_transaction) {
|
|
|
|
+ if (semanage_begin_transaction(sh) < 0) {
|
|
|
|
+ return -1;
|
|
|
|
+ }
|
|
|
|
+ }
|
|
|
|
+ sh->modules_modified = 1;
|
|
|
|
+ return sh->funcs->install_file(sh, module_name);
|
|
|
|
+}
|
|
|
|
+
|
|
|
|
int semanage_module_upgrade(semanage_handle_t * sh,
|
|
|
|
char *module_data, size_t data_len)
|
|
|
|
{
|
|
|
|
@@ -71,6 +90,25 @@
|
|
|
|
return sh->funcs->upgrade(sh, module_data, data_len);
|
|
|
|
}
|
|
|
|
|
|
|
|
+int semanage_module_upgrade_file(semanage_handle_t * sh,
|
|
|
|
+ const char *module_name) {
|
|
|
|
+
|
|
|
|
+ if (sh->funcs->upgrade_file == NULL) {
|
|
|
|
+ ERR(sh,
|
|
|
|
+ "No upgrade function defined for this connection type.");
|
|
|
|
+ return -1;
|
|
|
|
+ } else if (!sh->is_connected) {
|
|
|
|
+ ERR(sh, "Not connected.");
|
|
|
|
+ return -1;
|
|
|
|
+ } else if (!sh->is_in_transaction) {
|
|
|
|
+ if (semanage_begin_transaction(sh) < 0) {
|
|
|
|
+ return -1;
|
|
|
|
+ }
|
|
|
|
+ }
|
|
|
|
+ sh->modules_modified = 1;
|
|
|
|
+ return sh->funcs->upgrade_file(sh, module_name);
|
|
|
|
+}
|
|
|
|
+
|
|
|
|
int semanage_module_install_base(semanage_handle_t * sh,
|
|
|
|
char *module_data, size_t data_len)
|
|
|
|
{
|
|
|
|
@@ -90,6 +128,25 @@
|
|
|
|
return sh->funcs->install_base(sh, module_data, data_len);
|
|
|
|
}
|
|
|
|
|
|
|
|
+int semanage_module_install_base_file(semanage_handle_t * sh,
|
|
|
|
+ const char *module_name) {
|
|
|
|
+
|
|
|
|
+ if (sh->funcs->install_base_file == NULL) {
|
|
|
|
+ ERR(sh,
|
|
|
|
+ "No install base function defined for this connection type.");
|
|
|
|
+ return -1;
|
|
|
|
+ } else if (!sh->is_connected) {
|
|
|
|
+ ERR(sh, "Not connected.");
|
|
|
|
+ return -1;
|
|
|
|
+ } else if (!sh->is_in_transaction) {
|
|
|
|
+ if (semanage_begin_transaction(sh) < 0) {
|
|
|
|
+ return -1;
|
|
|
|
+ }
|
|
|
|
+ }
|
|
|
|
+ sh->modules_modified = 1;
|
|
|
|
+ return sh->funcs->install_base_file(sh, module_name);
|
|
|
|
+}
|
|
|
|
+
|
|
|
|
int semanage_module_remove(semanage_handle_t * sh, char *module_name)
|
|
|
|
{
|
|
|
|
if (sh->funcs->remove == NULL) {
|
2008-12-04 20:19:01 +00:00
|
|
|
diff --exclude-from=exclude -N -u -r nsalibsemanage/src/policy.h libsemanage-2.0.30/src/policy.h
|
2008-11-07 14:23:16 +00:00
|
|
|
--- nsalibsemanage/src/policy.h 2008-08-28 09:34:24.000000000 -0400
|
2008-12-04 20:19:01 +00:00
|
|
|
+++ libsemanage-2.0.30/src/policy.h 2008-12-04 15:15:23.000000000 -0500
|
2008-11-07 14:23:16 +00:00
|
|
|
@@ -49,8 +49,14 @@
|
|
|
|
/* Install a policy module */
|
|
|
|
int (*install) (struct semanage_handle *, char *, size_t);
|
|
|
|
|
|
|
|
+ /* Install a policy module */
|
|
|
|
+ int (*install_file) (struct semanage_handle *, const char *);
|
|
|
|
+
|
|
|
|
/* Upgrade a policy module */
|
|
|
|
int (*upgrade) (struct semanage_handle *, char *, size_t);
|
|
|
|
+
|
|
|
|
+ /* Upgrade a policy module */
|
|
|
|
+ int (*upgrade_file) (struct semanage_handle *, const char *);
|
|
|
|
|
|
|
|
/* Remove a policy module */
|
|
|
|
int (*remove) (struct semanage_handle *, char *);
|
|
|
|
@@ -61,6 +67,9 @@
|
|
|
|
|
|
|
|
/* Install base policy */
|
|
|
|
int (*install_base) (struct semanage_handle *, char *, size_t);
|
|
|
|
+
|
|
|
|
+ /* Install a base module */
|
|
|
|
+ int (*install_base_file) (struct semanage_handle *, const char *);
|
|
|
|
};
|
|
|
|
|
|
|
|
/* Should be backend independent */
|
2008-12-04 20:19:01 +00:00
|
|
|
diff --exclude-from=exclude -N -u -r nsalibsemanage/src/semanage.conf libsemanage-2.0.30/src/semanage.conf
|
2008-09-10 14:37:31 +00:00
|
|
|
--- nsalibsemanage/src/semanage.conf 2008-08-28 09:34:24.000000000 -0400
|
2008-12-04 20:19:01 +00:00
|
|
|
+++ libsemanage-2.0.30/src/semanage.conf 2008-12-04 15:15:23.000000000 -0500
|
2007-12-07 01:18:18 +00:00
|
|
|
@@ -35,4 +35,4 @@
|
|
|
|
# given in <sepol/policydb.h>. Change this setting if a different
|
|
|
|
# version is necessary.
|
|
|
|
#policy-version = 19
|
|
|
|
-
|
|
|
|
+expand-check=0
|
2008-12-04 20:19:01 +00:00
|
|
|
diff --exclude-from=exclude -N -u -r nsalibsemanage/src/semanage_store.c libsemanage-2.0.30/src/semanage_store.c
|
|
|
|
--- nsalibsemanage/src/semanage_store.c 2008-11-11 16:13:18.000000000 -0500
|
|
|
|
+++ libsemanage-2.0.30/src/semanage_store.c 2008-12-04 15:15:23.000000000 -0500
|
2008-11-07 14:23:16 +00:00
|
|
|
@@ -440,6 +440,8 @@
|
|
|
|
char tmp[PATH_MAX];
|
|
|
|
char buf[4192];
|
|
|
|
|
|
|
|
+ if (link(src,dst) == 0) return 0;
|
|
|
|
+
|
|
|
|
n = snprintf(tmp, PATH_MAX, "%s.tmp", dst);
|
|
|
|
if (n < 0 || n >= PATH_MAX)
|
|
|
|
return -1;
|
2008-12-04 20:19:01 +00:00
|
|
|
@@ -1523,16 +1525,26 @@
|
2008-11-07 14:23:16 +00:00
|
|
|
ERR(sh, "Could not open module file %s for reading.", filename);
|
|
|
|
goto cleanup;
|
|
|
|
}
|
|
|
|
+ size_t size;
|
|
|
|
+ char *data = NULL;
|
|
|
|
+
|
|
|
|
+ if ((size = bunzip(fp, &data)) != 0) {
|
|
|
|
+ fclose(fp);
|
|
|
|
+ fp = fmemopen(data, size, "rb");
|
|
|
|
+ }
|
|
|
|
+ rewind(fp);
|
|
|
|
__fsetlocking(fp, FSETLOCKING_BYCALLER);
|
|
|
|
sepol_policy_file_set_fp(pf, fp);
|
|
|
|
sepol_policy_file_set_handle(pf, sh->sepolh);
|
|
|
|
if (sepol_module_package_read(*package, pf, 0) == -1) {
|
|
|
|
ERR(sh, "Error while reading from module file %s.", filename);
|
|
|
|
fclose(fp);
|
|
|
|
+ free(data);
|
|
|
|
goto cleanup;
|
|
|
|
}
|
|
|
|
sepol_policy_file_free(pf);
|
|
|
|
fclose(fp);
|
|
|
|
+ free(data);
|
|
|
|
return retval;
|
|
|
|
|
|
|
|
cleanup:
|