From da97ea7d41662aeb66a34f726807a923cfe31996 Mon Sep 17 00:00:00 2001 From: Petr Lautrbach Date: Mon, 29 Nov 2021 12:51:17 +0100 Subject: [PATCH] policycoreutils-3.3-2 - setfiles/restorecon: support parallel relabeling with -T option - semodule: add -m | --checksum option Resolves: rhbz#2026682, rhbz#2026680 --- ...storecon-support-parallel-relabeling.patch | 253 +++++++ 0020-semodule-add-m-checksum-option.patch | 674 ++++++++++++++++++ 0021-semodule-Fix-lang_ext-column-index.patch | 29 + ...semodule-Don-t-forget-to-munmap-data.patch | 32 + policycoreutils.spec | 12 +- 5 files changed, 998 insertions(+), 2 deletions(-) create mode 100644 0019-setfiles-restorecon-support-parallel-relabeling.patch create mode 100644 0020-semodule-add-m-checksum-option.patch create mode 100644 0021-semodule-Fix-lang_ext-column-index.patch create mode 100644 0022-semodule-Don-t-forget-to-munmap-data.patch diff --git a/0019-setfiles-restorecon-support-parallel-relabeling.patch b/0019-setfiles-restorecon-support-parallel-relabeling.patch new file mode 100644 index 0000000..ad7d65c --- /dev/null +++ b/0019-setfiles-restorecon-support-parallel-relabeling.patch @@ -0,0 +1,253 @@ +From fba88f42bf8490a23fa6dcd33de2ccd59170009b Mon Sep 17 00:00:00 2001 +From: Ondrej Mosnacek +Date: Tue, 26 Oct 2021 13:52:39 +0200 +Subject: [PATCH] setfiles/restorecon: support parallel relabeling + +Use the newly introduced selinux_restorecon_parallel(3) in +setfiles/restorecon and a -T option to both to allow enabling parallel +relabeling. The default behavior without specifying the -T option is to +use 1 thread; parallel relabeling must be requested explicitly by +passing -T 0 (which will use as many threads as there are available CPU +cores) or -T , which will use threads. + +=== Benchmarks === +As measured on a 32-core cloud VM with Fedora 34. Not a fully +representative environment, but still the scaling is quite good. + +WITHOUT PATCHES: +$ time restorecon -rn /usr + +real 0m21.689s +user 0m21.070s +sys 0m0.494s + +WITH PATCHES: +$ time restorecon -rn /usr + +real 0m23.940s +user 0m23.127s +sys 0m0.653s +$ time restorecon -rn -T 2 /usr + +real 0m13.145s +user 0m25.306s +sys 0m0.695s +$ time restorecon -rn -T 4 /usr + +real 0m7.559s +user 0m28.470s +sys 0m1.099s +$ time restorecon -rn -T 8 /usr + +real 0m5.186s +user 0m37.450s +sys 0m2.094s +$ time restorecon -rn -T 16 /usr + +real 0m3.831s +user 0m51.220s +sys 0m4.895s +$ time restorecon -rn -T 32 /usr + +real 0m2.650s +user 1m5.136s +sys 0m6.614s + +Note that the benchmarks were performed in read-only mode (-n), so the +labels were only read and looked up in the database, not written. When +fixing labels on a heavily mislabeled system, the scaling would likely +be event better, since a larger % of work could be done in parallel. + +Signed-off-by: Ondrej Mosnacek +--- + policycoreutils/setfiles/Makefile | 2 +- + policycoreutils/setfiles/restore.c | 7 ++++--- + policycoreutils/setfiles/restore.h | 2 +- + policycoreutils/setfiles/restorecon.8 | 9 +++++++++ + policycoreutils/setfiles/setfiles.8 | 9 +++++++++ + policycoreutils/setfiles/setfiles.c | 28 ++++++++++++++++----------- + 6 files changed, 41 insertions(+), 16 deletions(-) + +diff --git a/policycoreutils/setfiles/Makefile b/policycoreutils/setfiles/Makefile +index 63d818509791..d7670a8ff54b 100644 +--- a/policycoreutils/setfiles/Makefile ++++ b/policycoreutils/setfiles/Makefile +@@ -6,7 +6,7 @@ MANDIR = $(PREFIX)/share/man + AUDITH ?= $(shell test -f /usr/include/libaudit.h && echo y) + + CFLAGS ?= -g -Werror -Wall -W +-override LDLIBS += -lselinux -lsepol ++override LDLIBS += -lselinux -lsepol -lpthread + + ifeq ($(AUDITH), y) + override CFLAGS += -DUSE_AUDIT +diff --git a/policycoreutils/setfiles/restore.c b/policycoreutils/setfiles/restore.c +index 9d688c609f79..74d48bb3752d 100644 +--- a/policycoreutils/setfiles/restore.c ++++ b/policycoreutils/setfiles/restore.c +@@ -72,7 +72,7 @@ void restore_finish(void) + } + } + +-int process_glob(char *name, struct restore_opts *opts) ++int process_glob(char *name, struct restore_opts *opts, size_t nthreads) + { + glob_t globbuf; + size_t i = 0; +@@ -91,8 +91,9 @@ int process_glob(char *name, struct restore_opts *opts) + continue; + if (len > 0 && strcmp(&globbuf.gl_pathv[i][len], "/..") == 0) + continue; +- rc = selinux_restorecon(globbuf.gl_pathv[i], +- opts->restorecon_flags); ++ rc = selinux_restorecon_parallel(globbuf.gl_pathv[i], ++ opts->restorecon_flags, ++ nthreads); + if (rc < 0) + errors = rc; + } +diff --git a/policycoreutils/setfiles/restore.h b/policycoreutils/setfiles/restore.h +index ac6ad6809f4f..bb35a1db9e34 100644 +--- a/policycoreutils/setfiles/restore.h ++++ b/policycoreutils/setfiles/restore.h +@@ -49,7 +49,7 @@ struct restore_opts { + void restore_init(struct restore_opts *opts); + void restore_finish(void); + void add_exclude(const char *directory); +-int process_glob(char *name, struct restore_opts *opts); ++int process_glob(char *name, struct restore_opts *opts, size_t nthreads); + extern char **exclude_list; + + #endif +diff --git a/policycoreutils/setfiles/restorecon.8 b/policycoreutils/setfiles/restorecon.8 +index a8900f02b3f3..dbd55ce7c512 100644 +--- a/policycoreutils/setfiles/restorecon.8 ++++ b/policycoreutils/setfiles/restorecon.8 +@@ -33,6 +33,8 @@ restorecon \- restore file(s) default SELinux security contexts. + .RB [ \-W ] + .RB [ \-I | \-D ] + .RB [ \-x ] ++.RB [ \-T ++.IR nthreads ] + + .SH "DESCRIPTION" + This manual page describes the +@@ -160,6 +162,13 @@ prevent + .B restorecon + from crossing file system boundaries. + .TP ++.BI \-T \ nthreads ++use up to ++.I nthreads ++threads. Specify 0 to create as many threads as there are available ++CPU cores; 1 to use only a single thread (default); or any positive ++number to use the given number of threads (if possible). ++.TP + .SH "ARGUMENTS" + .IR pathname \ ... + The pathname for the file(s) to be relabeled. +diff --git a/policycoreutils/setfiles/setfiles.8 b/policycoreutils/setfiles/setfiles.8 +index 0692121f2f4d..8ef9f602e843 100644 +--- a/policycoreutils/setfiles/setfiles.8 ++++ b/policycoreutils/setfiles/setfiles.8 +@@ -19,6 +19,8 @@ setfiles \- set SELinux file security contexts. + .RB [ \-W ] + .RB [ \-F ] + .RB [ \-I | \-D ] ++.RB [ \-T ++.IR nthreads ] + .I spec_file + .IR pathname \ ... + +@@ -161,6 +163,13 @@ quote marks or backslashes. The + option of GNU + .B find + produces input suitable for this mode. ++.TP ++.BI \-T \ nthreads ++use up to ++.I nthreads ++threads. Specify 0 to create as many threads as there are available ++CPU cores; 1 to use only a single thread (default); or any positive ++number to use the given number of threads (if possible). + + .SH "ARGUMENTS" + .TP +diff --git a/policycoreutils/setfiles/setfiles.c b/policycoreutils/setfiles/setfiles.c +index f018d161aa9e..2313a21fa0f3 100644 +--- a/policycoreutils/setfiles/setfiles.c ++++ b/policycoreutils/setfiles/setfiles.c +@@ -1,4 +1,5 @@ + #include "restore.h" ++#include + #include + #include + #include +@@ -34,14 +35,14 @@ static __attribute__((__noreturn__)) void usage(const char *const name) + { + if (iamrestorecon) { + fprintf(stderr, +- "usage: %s [-iIDFmnprRv0x] [-e excludedir] pathname...\n" +- "usage: %s [-iIDFmnprRv0x] [-e excludedir] -f filename\n", ++ "usage: %s [-iIDFmnprRv0xT] [-e excludedir] pathname...\n" ++ "usage: %s [-iIDFmnprRv0xT] [-e excludedir] -f filename\n", + name, name); + } else { + fprintf(stderr, +- "usage: %s [-diIDlmnpqvEFW] [-e excludedir] [-r alt_root_path] [-c policyfile] spec_file pathname...\n" +- "usage: %s [-diIDlmnpqvEFW] [-e excludedir] [-r alt_root_path] [-c policyfile] spec_file -f filename\n" +- "usage: %s -s [-diIDlmnpqvFW] spec_file\n", ++ "usage: %s [-diIDlmnpqvEFWT] [-e excludedir] [-r alt_root_path] [-c policyfile] spec_file pathname...\n" ++ "usage: %s [-diIDlmnpqvEFWT] [-e excludedir] [-r alt_root_path] [-c policyfile] spec_file -f filename\n" ++ "usage: %s -s [-diIDlmnpqvFWT] spec_file\n", + name, name, name); + } + exit(-1); +@@ -144,12 +145,12 @@ int main(int argc, char **argv) + int opt, i = 0; + const char *input_filename = NULL; + int use_input_file = 0; +- char *buf = NULL; +- size_t buf_len; ++ char *buf = NULL, *endptr; ++ size_t buf_len, nthreads = 1; + const char *base; + int errors = 0; +- const char *ropts = "e:f:hiIDlmno:pqrsvFRW0x"; +- const char *sopts = "c:de:f:hiIDlmno:pqr:svEFR:W0"; ++ const char *ropts = "e:f:hiIDlmno:pqrsvFRW0xT:"; ++ const char *sopts = "c:de:f:hiIDlmno:pqr:svEFR:W0T:"; + const char *opts; + union selinux_callback cb; + +@@ -370,6 +371,11 @@ int main(int argc, char **argv) + usage(argv[0]); + } + break; ++ case 'T': ++ nthreads = strtoull(optarg, &endptr, 10); ++ if (*optarg == '\0' || *endptr != '\0') ++ usage(argv[0]); ++ break; + case 'h': + case '?': + usage(argv[0]); +@@ -448,13 +454,13 @@ int main(int argc, char **argv) + buf[len - 1] = 0; + if (!strcmp(buf, "/")) + r_opts.mass_relabel = SELINUX_RESTORECON_MASS_RELABEL; +- errors |= process_glob(buf, &r_opts) < 0; ++ errors |= process_glob(buf, &r_opts, nthreads) < 0; + } + if (strcmp(input_filename, "-") != 0) + fclose(f); + } else { + for (i = optind; i < argc; i++) +- errors |= process_glob(argv[i], &r_opts) < 0; ++ errors |= process_glob(argv[i], &r_opts, nthreads) < 0; + } + + maybe_audit_mass_relabel(r_opts.mass_relabel, errors); +-- +2.33.1 + diff --git a/0020-semodule-add-m-checksum-option.patch b/0020-semodule-add-m-checksum-option.patch new file mode 100644 index 0000000..afee33a --- /dev/null +++ b/0020-semodule-add-m-checksum-option.patch @@ -0,0 +1,674 @@ +From 4e6165719d3315b6502f3d290a549f9fa14c3238 Mon Sep 17 00:00:00 2001 +From: Petr Lautrbach +Date: Tue, 16 Nov 2021 14:27:11 +0100 +Subject: [PATCH] semodule: add -m | --checksum option + +Since cil doesn't store module name and module version in module itself, +there's no simple way how to compare that installed module is the same +version as the module which is supposed to be installed. Even though the +version was not used by semodule itself, it was apparently used by some +team. + +With `semodule -l --checksum` users get SHA256 hashes of modules and +could compare them with their files which is faster than installing +modules again and again. + +E.g. + + # time ( + semodule -l --checksum | grep localmodule + /usr/libexec/selinux/hll/pp localmodule.pp | sha256sum + ) + localmodule db002f64ddfa3983257b42b54da7b182c9b2e476f47880ae3494f9099e1a42bd + db002f64ddfa3983257b42b54da7b182c9b2e476f47880ae3494f9099e1a42bd - + + real 0m0.876s + user 0m0.849s + sys 0m0.028s + +vs + + # time semodule -i localmodule.pp + + real 0m6.147s + user 0m5.800s + sys 0m0.231s + +Signed-off-by: Petr Lautrbach +Acked-by: James Carter +--- + policycoreutils/semodule/Makefile | 2 +- + policycoreutils/semodule/semodule.8 | 6 + + policycoreutils/semodule/semodule.c | 95 ++++++++- + policycoreutils/semodule/sha256.c | 294 ++++++++++++++++++++++++++++ + policycoreutils/semodule/sha256.h | 89 +++++++++ + 5 files changed, 480 insertions(+), 6 deletions(-) + create mode 100644 policycoreutils/semodule/sha256.c + create mode 100644 policycoreutils/semodule/sha256.h + +diff --git a/policycoreutils/semodule/Makefile b/policycoreutils/semodule/Makefile +index 73801e487a76..9875ac383280 100644 +--- a/policycoreutils/semodule/Makefile ++++ b/policycoreutils/semodule/Makefile +@@ -6,7 +6,7 @@ MANDIR = $(PREFIX)/share/man + + CFLAGS ?= -Werror -Wall -W + override LDLIBS += -lsepol -lselinux -lsemanage +-SEMODULE_OBJS = semodule.o ++SEMODULE_OBJS = semodule.o sha256.o + + all: semodule genhomedircon + +diff --git a/policycoreutils/semodule/semodule.8 b/policycoreutils/semodule/semodule.8 +index 18d4f708661c..3a2fb21c2481 100644 +--- a/policycoreutils/semodule/semodule.8 ++++ b/policycoreutils/semodule/semodule.8 +@@ -95,6 +95,9 @@ only modules listed in \-\-extract after this option. + .B \-H,\-\-hll + Extract module as an HLL file. This only affects the \-\-extract option and + only modules listed in \-\-extract after this option. ++.TP ++.B \-m,\-\-checksum ++Add SHA256 checksum of modules to the list output. + + .SH EXAMPLE + .nf +@@ -130,6 +133,9 @@ $ semodule \-B \-S "/tmp/var/lib/selinux" + # Write the HLL version of puppet and the CIL version of wireshark + # modules at priority 400 to the current working directory + $ semodule \-X 400 \-\-hll \-E puppet \-\-cil \-E wireshark ++# Check whether a module in "localmodule.pp" file is same as installed module "localmodule" ++$ /usr/libexec/selinux/hll/pp localmodule.pp | sha256sum ++$ semodule -l -m | grep localmodule + .fi + + .SH SEE ALSO +diff --git a/policycoreutils/semodule/semodule.c b/policycoreutils/semodule/semodule.c +index c815f01546b4..ddbf10455abf 100644 +--- a/policycoreutils/semodule/semodule.c ++++ b/policycoreutils/semodule/semodule.c +@@ -25,6 +25,8 @@ + #include + #include + ++#include "sha256.h" ++ + enum client_modes { + NO_MODE, INSTALL_M, REMOVE_M, EXTRACT_M, CIL_M, HLL_M, + LIST_M, RELOAD, PRIORITY_M, ENABLE_M, DISABLE_M +@@ -57,6 +59,7 @@ static semanage_handle_t *sh = NULL; + static char *store; + static char *store_root; + int extract_cil = 0; ++static int checksum = 0; + + extern char *optarg; + extern int optind; +@@ -147,6 +150,7 @@ static void usage(char *progname) + printf(" -S,--store-path use an alternate path for the policy store root\n"); + printf(" -c, --cil extract module as cil. This only affects module extraction.\n"); + printf(" -H, --hll extract module as hll. This only affects module extraction.\n"); ++ printf(" -m, --checksum print module checksum (SHA256).\n"); + } + + /* Sets the global mode variable to new_mode, but only if no other +@@ -200,6 +204,7 @@ static void parse_command_line(int argc, char **argv) + {"disable", required_argument, NULL, 'd'}, + {"path", required_argument, NULL, 'p'}, + {"store-path", required_argument, NULL, 'S'}, ++ {"checksum", 0, NULL, 'm'}, + {NULL, 0, NULL, 0} + }; + int extract_selected = 0; +@@ -210,7 +215,7 @@ static void parse_command_line(int argc, char **argv) + no_reload = 0; + priority = 400; + while ((i = +- getopt_long(argc, argv, "s:b:hi:l::vr:u:RnNBDCPX:e:d:p:S:E:cH", opts, ++ getopt_long(argc, argv, "s:b:hi:l::vr:u:RnNBDCPX:e:d:p:S:E:cHm", opts, + NULL)) != -1) { + switch (i) { + case 'b': +@@ -287,6 +292,9 @@ static void parse_command_line(int argc, char **argv) + case 'd': + set_mode(DISABLE_M, optarg); + break; ++ case 'm': ++ checksum = 1; ++ break; + case '?': + default:{ + usage(argv[0]); +@@ -338,6 +346,61 @@ static void parse_command_line(int argc, char **argv) + } + } + ++/* Get module checksum */ ++static char *hash_module_data(const char *module_name, const int prio) { ++ semanage_module_info_t *extract_info = NULL; ++ semanage_module_key_t *modkey = NULL; ++ Sha256Context context; ++ uint8_t sha256_hash[SHA256_HASH_SIZE]; ++ char *sha256_buf = NULL; ++ void *data; ++ size_t data_len = 0, i; ++ int result; ++ ++ result = semanage_module_key_create(sh, &modkey); ++ if (result != 0) { ++ goto cleanup_extract; ++ } ++ ++ result = semanage_module_key_set_name(sh, modkey, module_name); ++ if (result != 0) { ++ goto cleanup_extract; ++ } ++ ++ result = semanage_module_key_set_priority(sh, modkey, prio); ++ if (result != 0) { ++ goto cleanup_extract; ++ } ++ ++ result = semanage_module_extract(sh, modkey, 1, &data, &data_len, ++ &extract_info); ++ if (result != 0) { ++ goto cleanup_extract; ++ } ++ ++ Sha256Initialise(&context); ++ Sha256Update(&context, data, data_len); ++ ++ Sha256Finalise(&context, (SHA256_HASH *)sha256_hash); ++ ++ sha256_buf = calloc(1, SHA256_HASH_SIZE * 2 + 1); ++ ++ if (sha256_buf == NULL) ++ goto cleanup_extract; ++ ++ for (i = 0; i < SHA256_HASH_SIZE; i++) { ++ sprintf((&sha256_buf[i * 2]), "%02x", sha256_hash[i]); ++ } ++ sha256_buf[i * 2] = 0; ++ ++cleanup_extract: ++ semanage_module_info_destroy(sh, extract_info); ++ free(extract_info); ++ semanage_module_key_destroy(sh, modkey); ++ free(modkey); ++ return sha256_buf; ++} ++ + int main(int argc, char *argv[]) + { + int i, commit = 0; +@@ -546,6 +609,8 @@ cleanup_extract: + int modinfos_len = 0; + semanage_module_info_t *m = NULL; + int j = 0; ++ char *module_checksum = NULL; ++ uint16_t pri = 0; + + if (verbose) { + printf +@@ -570,7 +635,18 @@ cleanup_extract: + result = semanage_module_info_get_name(sh, m, &name); + if (result != 0) goto cleanup_list; + +- printf("%s\n", name); ++ result = semanage_module_info_get_priority(sh, m, &pri); ++ if (result != 0) goto cleanup_list; ++ ++ printf("%s", name); ++ if (checksum) { ++ module_checksum = hash_module_data(name, pri); ++ if (module_checksum) { ++ printf(" %s", module_checksum); ++ free(module_checksum); ++ } ++ } ++ printf("\n"); + } + } + else if (strcmp(mode_arg, "full") == 0) { +@@ -585,11 +661,12 @@ cleanup_extract: + } + + /* calculate column widths */ +- size_t column[4] = { 0, 0, 0, 0 }; ++ size_t column[5] = { 0, 0, 0, 0, 0 }; + + /* fixed width columns */ + column[0] = sizeof("000") - 1; + column[3] = sizeof("disabled") - 1; ++ column[4] = 64; /* SHA256_HASH_SIZE * 2 */ + + /* variable width columns */ + const char *tmp = NULL; +@@ -612,7 +689,6 @@ cleanup_extract: + + /* print out each module */ + for (j = 0; j < modinfos_len; j++) { +- uint16_t pri = 0; + const char *name = NULL; + int enabled = 0; + const char *lang_ext = NULL; +@@ -631,11 +707,20 @@ cleanup_extract: + result = semanage_module_info_get_lang_ext(sh, m, &lang_ext); + if (result != 0) goto cleanup_list; + +- printf("%0*u %-*s %-*s %-*s\n", ++ printf("%0*u %-*s %-*s %-*s", + (int)column[0], pri, + (int)column[1], name, + (int)column[2], lang_ext, + (int)column[3], enabled ? "" : "disabled"); ++ if (checksum) { ++ module_checksum = hash_module_data(name, pri); ++ if (module_checksum) { ++ printf(" %-*s", (int)column[4], module_checksum); ++ free(module_checksum); ++ } ++ } ++ printf("\n"); ++ + } + } + else { +diff --git a/policycoreutils/semodule/sha256.c b/policycoreutils/semodule/sha256.c +new file mode 100644 +index 000000000000..fe2aeef07f53 +--- /dev/null ++++ b/policycoreutils/semodule/sha256.c +@@ -0,0 +1,294 @@ ++//////////////////////////////////////////////////////////////////////////////////////////////////////////////////////// ++// WjCryptLib_Sha256 ++// ++// Implementation of SHA256 hash function. ++// Original author: Tom St Denis, tomstdenis@gmail.com, http://libtom.org ++// Modified by WaterJuice retaining Public Domain license. ++// ++// This is free and unencumbered software released into the public domain - June 2013 waterjuice.org ++//////////////////////////////////////////////////////////////////////////////////////////////////////////////////////// ++ ++//////////////////////////////////////////////////////////////////////////////////////////////////////////////////////// ++// IMPORTS ++//////////////////////////////////////////////////////////////////////////////////////////////////////////////////////// ++ ++#include "sha256.h" ++#include ++ ++//////////////////////////////////////////////////////////////////////////////////////////////////////////////////////// ++// MACROS ++//////////////////////////////////////////////////////////////////////////////////////////////////////////////////////// ++ ++#define ror(value, bits) (((value) >> (bits)) | ((value) << (32 - (bits)))) ++ ++#define MIN(x, y) ( ((x)<(y))?(x):(y) ) ++ ++#define STORE32H(x, y) \ ++ { (y)[0] = (uint8_t)(((x)>>24)&255); (y)[1] = (uint8_t)(((x)>>16)&255); \ ++ (y)[2] = (uint8_t)(((x)>>8)&255); (y)[3] = (uint8_t)((x)&255); } ++ ++#define LOAD32H(x, y) \ ++ { x = ((uint32_t)((y)[0] & 255)<<24) | \ ++ ((uint32_t)((y)[1] & 255)<<16) | \ ++ ((uint32_t)((y)[2] & 255)<<8) | \ ++ ((uint32_t)((y)[3] & 255)); } ++ ++#define STORE64H(x, y) \ ++ { (y)[0] = (uint8_t)(((x)>>56)&255); (y)[1] = (uint8_t)(((x)>>48)&255); \ ++ (y)[2] = (uint8_t)(((x)>>40)&255); (y)[3] = (uint8_t)(((x)>>32)&255); \ ++ (y)[4] = (uint8_t)(((x)>>24)&255); (y)[5] = (uint8_t)(((x)>>16)&255); \ ++ (y)[6] = (uint8_t)(((x)>>8)&255); (y)[7] = (uint8_t)((x)&255); } ++ ++//////////////////////////////////////////////////////////////////////////////////////////////////////////////////////// ++// CONSTANTS ++//////////////////////////////////////////////////////////////////////////////////////////////////////////////////////// ++ ++// The K array ++static const uint32_t K[64] = { ++ 0x428a2f98UL, 0x71374491UL, 0xb5c0fbcfUL, 0xe9b5dba5UL, 0x3956c25bUL, ++ 0x59f111f1UL, 0x923f82a4UL, 0xab1c5ed5UL, 0xd807aa98UL, 0x12835b01UL, ++ 0x243185beUL, 0x550c7dc3UL, 0x72be5d74UL, 0x80deb1feUL, 0x9bdc06a7UL, ++ 0xc19bf174UL, 0xe49b69c1UL, 0xefbe4786UL, 0x0fc19dc6UL, 0x240ca1ccUL, ++ 0x2de92c6fUL, 0x4a7484aaUL, 0x5cb0a9dcUL, 0x76f988daUL, 0x983e5152UL, ++ 0xa831c66dUL, 0xb00327c8UL, 0xbf597fc7UL, 0xc6e00bf3UL, 0xd5a79147UL, ++ 0x06ca6351UL, 0x14292967UL, 0x27b70a85UL, 0x2e1b2138UL, 0x4d2c6dfcUL, ++ 0x53380d13UL, 0x650a7354UL, 0x766a0abbUL, 0x81c2c92eUL, 0x92722c85UL, ++ 0xa2bfe8a1UL, 0xa81a664bUL, 0xc24b8b70UL, 0xc76c51a3UL, 0xd192e819UL, ++ 0xd6990624UL, 0xf40e3585UL, 0x106aa070UL, 0x19a4c116UL, 0x1e376c08UL, ++ 0x2748774cUL, 0x34b0bcb5UL, 0x391c0cb3UL, 0x4ed8aa4aUL, 0x5b9cca4fUL, ++ 0x682e6ff3UL, 0x748f82eeUL, 0x78a5636fUL, 0x84c87814UL, 0x8cc70208UL, ++ 0x90befffaUL, 0xa4506cebUL, 0xbef9a3f7UL, 0xc67178f2UL ++}; ++ ++#define BLOCK_SIZE 64 ++ ++//////////////////////////////////////////////////////////////////////////////////////////////////////////////////////// ++// INTERNAL FUNCTIONS ++//////////////////////////////////////////////////////////////////////////////////////////////////////////////////////// ++ ++// Various logical functions ++#define Ch( x, y, z ) (z ^ (x & (y ^ z))) ++#define Maj( x, y, z ) (((x | y) & z) | (x & y)) ++#define S( x, n ) ror((x),(n)) ++#define R( x, n ) (((x)&0xFFFFFFFFUL)>>(n)) ++#define Sigma0( x ) (S(x, 2) ^ S(x, 13) ^ S(x, 22)) ++#define Sigma1( x ) (S(x, 6) ^ S(x, 11) ^ S(x, 25)) ++#define Gamma0( x ) (S(x, 7) ^ S(x, 18) ^ R(x, 3)) ++#define Gamma1( x ) (S(x, 17) ^ S(x, 19) ^ R(x, 10)) ++ ++#define Sha256Round( a, b, c, d, e, f, g, h, i ) \ ++ t0 = h + Sigma1(e) + Ch(e, f, g) + K[i] + W[i]; \ ++ t1 = Sigma0(a) + Maj(a, b, c); \ ++ d += t0; \ ++ h = t0 + t1; ++ ++//////////////////////////////////////////////////////////////////////////////////////////////////////////////////////// ++// TransformFunction ++// ++// Compress 512-bits ++//////////////////////////////////////////////////////////////////////////////////////////////////////////////////////// ++static ++void ++ TransformFunction ++ ( ++ Sha256Context* Context, ++ uint8_t const* Buffer ++ ) ++{ ++ uint32_t S[8]; ++ uint32_t W[64]; ++ uint32_t t0; ++ uint32_t t1; ++ uint32_t t; ++ int i; ++ ++ // Copy state into S ++ for( i=0; i<8; i++ ) ++ { ++ S[i] = Context->state[i]; ++ } ++ ++ // Copy the state into 512-bits into W[0..15] ++ for( i=0; i<16; i++ ) ++ { ++ LOAD32H( W[i], Buffer + (4*i) ); ++ } ++ ++ // Fill W[16..63] ++ for( i=16; i<64; i++ ) ++ { ++ W[i] = Gamma1( W[i-2]) + W[i-7] + Gamma0( W[i-15] ) + W[i-16]; ++ } ++ ++ // Compress ++ for( i=0; i<64; i++ ) ++ { ++ Sha256Round( S[0], S[1], S[2], S[3], S[4], S[5], S[6], S[7], i ); ++ t = S[7]; ++ S[7] = S[6]; ++ S[6] = S[5]; ++ S[5] = S[4]; ++ S[4] = S[3]; ++ S[3] = S[2]; ++ S[2] = S[1]; ++ S[1] = S[0]; ++ S[0] = t; ++ } ++ ++ // Feedback ++ for( i=0; i<8; i++ ) ++ { ++ Context->state[i] = Context->state[i] + S[i]; ++ } ++} ++ ++//////////////////////////////////////////////////////////////////////////////////////////////////////////////////////// ++// PUBLIC FUNCTIONS ++//////////////////////////////////////////////////////////////////////////////////////////////////////////////////////// ++ ++//////////////////////////////////////////////////////////////////////////////////////////////////////////////////////// ++// Sha256Initialise ++// ++// Initialises a SHA256 Context. Use this to initialise/reset a context. ++//////////////////////////////////////////////////////////////////////////////////////////////////////////////////////// ++void ++ Sha256Initialise ++ ( ++ Sha256Context* Context // [out] ++ ) ++{ ++ Context->curlen = 0; ++ Context->length = 0; ++ Context->state[0] = 0x6A09E667UL; ++ Context->state[1] = 0xBB67AE85UL; ++ Context->state[2] = 0x3C6EF372UL; ++ Context->state[3] = 0xA54FF53AUL; ++ Context->state[4] = 0x510E527FUL; ++ Context->state[5] = 0x9B05688CUL; ++ Context->state[6] = 0x1F83D9ABUL; ++ Context->state[7] = 0x5BE0CD19UL; ++} ++ ++//////////////////////////////////////////////////////////////////////////////////////////////////////////////////////// ++// Sha256Update ++// ++// Adds data to the SHA256 context. This will process the data and update the internal state of the context. Keep on ++// calling this function until all the data has been added. Then call Sha256Finalise to calculate the hash. ++//////////////////////////////////////////////////////////////////////////////////////////////////////////////////////// ++void ++ Sha256Update ++ ( ++ Sha256Context* Context, // [in out] ++ void const* Buffer, // [in] ++ uint32_t BufferSize // [in] ++ ) ++{ ++ uint32_t n; ++ ++ if( Context->curlen > sizeof(Context->buf) ) ++ { ++ return; ++ } ++ ++ while( BufferSize > 0 ) ++ { ++ if( Context->curlen == 0 && BufferSize >= BLOCK_SIZE ) ++ { ++ TransformFunction( Context, (uint8_t*)Buffer ); ++ Context->length += BLOCK_SIZE * 8; ++ Buffer = (uint8_t*)Buffer + BLOCK_SIZE; ++ BufferSize -= BLOCK_SIZE; ++ } ++ else ++ { ++ n = MIN( BufferSize, (BLOCK_SIZE - Context->curlen) ); ++ memcpy( Context->buf + Context->curlen, Buffer, (size_t)n ); ++ Context->curlen += n; ++ Buffer = (uint8_t*)Buffer + n; ++ BufferSize -= n; ++ if( Context->curlen == BLOCK_SIZE ) ++ { ++ TransformFunction( Context, Context->buf ); ++ Context->length += 8*BLOCK_SIZE; ++ Context->curlen = 0; ++ } ++ } ++ } ++} ++ ++//////////////////////////////////////////////////////////////////////////////////////////////////////////////////////// ++// Sha256Finalise ++// ++// Performs the final calculation of the hash and returns the digest (32 byte buffer containing 256bit hash). After ++// calling this, Sha256Initialised must be used to reuse the context. ++//////////////////////////////////////////////////////////////////////////////////////////////////////////////////////// ++void ++ Sha256Finalise ++ ( ++ Sha256Context* Context, // [in out] ++ SHA256_HASH* Digest // [out] ++ ) ++{ ++ int i; ++ ++ if( Context->curlen >= sizeof(Context->buf) ) ++ { ++ return; ++ } ++ ++ // Increase the length of the message ++ Context->length += Context->curlen * 8; ++ ++ // Append the '1' bit ++ Context->buf[Context->curlen++] = (uint8_t)0x80; ++ ++ // if the length is currently above 56 bytes we append zeros ++ // then compress. Then we can fall back to padding zeros and length ++ // encoding like normal. ++ if( Context->curlen > 56 ) ++ { ++ while( Context->curlen < 64 ) ++ { ++ Context->buf[Context->curlen++] = (uint8_t)0; ++ } ++ TransformFunction(Context, Context->buf); ++ Context->curlen = 0; ++ } ++ ++ // Pad up to 56 bytes of zeroes ++ while( Context->curlen < 56 ) ++ { ++ Context->buf[Context->curlen++] = (uint8_t)0; ++ } ++ ++ // Store length ++ STORE64H( Context->length, Context->buf+56 ); ++ TransformFunction( Context, Context->buf ); ++ ++ // Copy output ++ for( i=0; i<8; i++ ) ++ { ++ STORE32H( Context->state[i], Digest->bytes+(4*i) ); ++ } ++} ++ ++//////////////////////////////////////////////////////////////////////////////////////////////////////////////////////// ++// Sha256Calculate ++// ++// Combines Sha256Initialise, Sha256Update, and Sha256Finalise into one function. Calculates the SHA256 hash of the ++// buffer. ++//////////////////////////////////////////////////////////////////////////////////////////////////////////////////////// ++void ++ Sha256Calculate ++ ( ++ void const* Buffer, // [in] ++ uint32_t BufferSize, // [in] ++ SHA256_HASH* Digest // [in] ++ ) ++{ ++ Sha256Context context; ++ ++ Sha256Initialise( &context ); ++ Sha256Update( &context, Buffer, BufferSize ); ++ Sha256Finalise( &context, Digest ); ++} +diff --git a/policycoreutils/semodule/sha256.h b/policycoreutils/semodule/sha256.h +new file mode 100644 +index 000000000000..406ed869cd82 +--- /dev/null ++++ b/policycoreutils/semodule/sha256.h +@@ -0,0 +1,89 @@ ++//////////////////////////////////////////////////////////////////////////////////////////////////////////////////////// ++// WjCryptLib_Sha256 ++// ++// Implementation of SHA256 hash function. ++// Original author: Tom St Denis, tomstdenis@gmail.com, http://libtom.org ++// Modified by WaterJuice retaining Public Domain license. ++// ++// This is free and unencumbered software released into the public domain - June 2013 waterjuice.org ++//////////////////////////////////////////////////////////////////////////////////////////////////////////////////////// ++ ++#pragma once ++ ++//////////////////////////////////////////////////////////////////////////////////////////////////////////////////////// ++// IMPORTS ++//////////////////////////////////////////////////////////////////////////////////////////////////////////////////////// ++ ++#include ++#include ++ ++typedef struct ++{ ++ uint64_t length; ++ uint32_t state[8]; ++ uint32_t curlen; ++ uint8_t buf[64]; ++} Sha256Context; ++ ++#define SHA256_HASH_SIZE ( 256 / 8 ) ++ ++typedef struct ++{ ++ uint8_t bytes [SHA256_HASH_SIZE]; ++} SHA256_HASH; ++ ++//////////////////////////////////////////////////////////////////////////////////////////////////////////////////////// ++// PUBLIC FUNCTIONS ++//////////////////////////////////////////////////////////////////////////////////////////////////////////////////////// ++ ++//////////////////////////////////////////////////////////////////////////////////////////////////////////////////////// ++// Sha256Initialise ++// ++// Initialises a SHA256 Context. Use this to initialise/reset a context. ++//////////////////////////////////////////////////////////////////////////////////////////////////////////////////////// ++void ++ Sha256Initialise ++ ( ++ Sha256Context* Context // [out] ++ ); ++ ++//////////////////////////////////////////////////////////////////////////////////////////////////////////////////////// ++// Sha256Update ++// ++// Adds data to the SHA256 context. This will process the data and update the internal state of the context. Keep on ++// calling this function until all the data has been added. Then call Sha256Finalise to calculate the hash. ++//////////////////////////////////////////////////////////////////////////////////////////////////////////////////////// ++void ++ Sha256Update ++ ( ++ Sha256Context* Context, // [in out] ++ void const* Buffer, // [in] ++ uint32_t BufferSize // [in] ++ ); ++ ++//////////////////////////////////////////////////////////////////////////////////////////////////////////////////////// ++// Sha256Finalise ++// ++// Performs the final calculation of the hash and returns the digest (32 byte buffer containing 256bit hash). After ++// calling this, Sha256Initialised must be used to reuse the context. ++//////////////////////////////////////////////////////////////////////////////////////////////////////////////////////// ++void ++ Sha256Finalise ++ ( ++ Sha256Context* Context, // [in out] ++ SHA256_HASH* Digest // [out] ++ ); ++ ++//////////////////////////////////////////////////////////////////////////////////////////////////////////////////////// ++// Sha256Calculate ++// ++// Combines Sha256Initialise, Sha256Update, and Sha256Finalise into one function. Calculates the SHA256 hash of the ++// buffer. ++//////////////////////////////////////////////////////////////////////////////////////////////////////////////////////// ++void ++ Sha256Calculate ++ ( ++ void const* Buffer, // [in] ++ uint32_t BufferSize, // [in] ++ SHA256_HASH* Digest // [in] ++ ); +-- +2.33.1 + diff --git a/0021-semodule-Fix-lang_ext-column-index.patch b/0021-semodule-Fix-lang_ext-column-index.patch new file mode 100644 index 0000000..2c0581b --- /dev/null +++ b/0021-semodule-Fix-lang_ext-column-index.patch @@ -0,0 +1,29 @@ +From 7537374e7f5802852c0c64b4cb2a9646402e3cba Mon Sep 17 00:00:00 2001 +From: Petr Lautrbach +Date: Tue, 16 Nov 2021 16:11:22 +0100 +Subject: [PATCH] semodule: Fix lang_ext column index + +lang_ext is 3. column - index number 2. + +Signed-off-by: Petr Lautrbach +Acked-by: James Carter +--- + policycoreutils/semodule/semodule.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/policycoreutils/semodule/semodule.c b/policycoreutils/semodule/semodule.c +index ddbf10455abf..57f005ce2c62 100644 +--- a/policycoreutils/semodule/semodule.c ++++ b/policycoreutils/semodule/semodule.c +@@ -684,7 +684,7 @@ cleanup_extract: + if (result != 0) goto cleanup_list; + + size = strlen(tmp); +- if (size > column[3]) column[3] = size; ++ if (size > column[2]) column[2] = size; + } + + /* print out each module */ +-- +2.33.1 + diff --git a/0022-semodule-Don-t-forget-to-munmap-data.patch b/0022-semodule-Don-t-forget-to-munmap-data.patch new file mode 100644 index 0000000..fa7fcd2 --- /dev/null +++ b/0022-semodule-Don-t-forget-to-munmap-data.patch @@ -0,0 +1,32 @@ +From 0c4e5d70fde006977e798d6cc7d80db2e8af7bb9 Mon Sep 17 00:00:00 2001 +From: Petr Lautrbach +Date: Tue, 23 Nov 2021 17:38:51 +0100 +Subject: [PATCH] semodule: Don't forget to munmap() data + +semanage_module_extract() mmap()'s the module raw data but it leaves on +the caller to munmap() them. + +Reported-by: Ondrej Mosnacek +Signed-off-by: Petr Lautrbach +Acked-by: James Carter +--- + policycoreutils/semodule/semodule.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/policycoreutils/semodule/semodule.c b/policycoreutils/semodule/semodule.c +index 57f005ce2c62..94a9d131bb79 100644 +--- a/policycoreutils/semodule/semodule.c ++++ b/policycoreutils/semodule/semodule.c +@@ -394,6 +394,9 @@ static char *hash_module_data(const char *module_name, const int prio) { + sha256_buf[i * 2] = 0; + + cleanup_extract: ++ if (data_len > 0) { ++ munmap(data, data_len); ++ } + semanage_module_info_destroy(sh, extract_info); + free(extract_info); + semanage_module_key_destroy(sh, modkey); +-- +2.33.1 + diff --git a/policycoreutils.spec b/policycoreutils.spec index f0ba239..814d310 100644 --- a/policycoreutils.spec +++ b/policycoreutils.spec @@ -1,7 +1,7 @@ %global libauditver 3.0 %global libsepolver 3.3-1 %global libsemanagever 3.3-1 -%global libselinuxver 3.3-1 +%global libselinuxver 3.3-2 %global generatorsdir %{_prefix}/lib/systemd/system-generators @@ -11,7 +11,7 @@ Summary: SELinux policy core utilities Name: policycoreutils Version: 3.3 -Release: 1%{?dist} +Release: 2%{?dist} License: GPLv2 # https://github.com/SELinuxProject/selinux/wiki/Releases Source0: https://github.com/SELinuxProject/selinux/releases/download/3.3/selinux-3.3.tar.gz @@ -49,6 +49,10 @@ Patch0015: 0015-semodule-utils-Fix-RESOURCE_LEAK-coverity-scan-defec.patch Patch0016: 0016-sandbox-Use-matchbox-window-manager-instead-of-openb.patch Patch0017: 0017-sepolicy-Fix-flake8-warnings-in-Fedora-only-code.patch Patch0018: 0018-Use-SHA-2-instead-of-SHA-1.patch +Patch0019: 0019-setfiles-restorecon-support-parallel-relabeling.patch +Patch0020: 0020-semodule-add-m-checksum-option.patch +Patch0021: 0021-semodule-Fix-lang_ext-column-index.patch +Patch0022: 0022-semodule-Don-t-forget-to-munmap-data.patch # Patch list end Obsoletes: policycoreutils < 2.0.61-2 @@ -475,6 +479,10 @@ The policycoreutils-restorecond package contains the restorecond service. %systemd_postun_with_restart restorecond.service %changelog +* Mon Nov 29 2021 Petr Lautrbach - 3.3-2 +- setfiles/restorecon: support parallel relabeling with -T option +- semodule: add -m | --checksum option + * Fri Oct 22 2021 Petr Lautrbach - 3.3-1 - SELinux userspace 3.3 release