ab1324774d
- xserver-1.6.0-selinux-raw.patch: Deal in raw contexts, to avoid paying the price for setrans on every object. - xserver-1.6.0-primary.patch: Try harder to figure out what the primary video device is on machines with multiple GPUs. - xserver-1.6.0-selinux-destroy.patch: Don't bother relabeling objects that are on the way to destruction.
From 252522d2caa87dbfb510436a56332bd6e86b1a96 Mon Sep 17 00:00:00 2001
|
|
From: Adam Jackson <ajax@redhat.com>
|
|
Date: Mon, 2 Mar 2009 18:31:18 -0500
|
|
Subject: [PATCH] selinux raw patch
|
|
|
|
---
|
|
Xext/xselinux.c | 64 +++++++++++++++++++++++++++---------------------------
|
|
1 files changed, 32 insertions(+), 32 deletions(-)
|
|
|
|
diff --git a/Xext/xselinux.c b/Xext/xselinux.c
|
|
index 8e026be..6085983 100644
|
|
--- a/Xext/xselinux.c
|
|
+++ b/Xext/xselinux.c
|
|
@@ -186,19 +186,19 @@ SELinuxAtomToSIDLookup(Atom atom, SELinuxObjectRec *obj, int map, int polymap)
|
|
obj->poly = 1;
|
|
|
|
/* Look in the mappings of names to contexts */
|
|
- if (selabel_lookup(label_hnd, &ctx, name, map) == 0) {
|
|
+ if (selabel_lookup_raw(label_hnd, &ctx, name, map) == 0) {
|
|
obj->poly = 0;
|
|
} else if (errno != ENOENT) {
|
|
ErrorF("SELinux: a property label lookup failed!\n");
|
|
return BadValue;
|
|
- } else if (selabel_lookup(label_hnd, &ctx, name, polymap) < 0) {
|
|
+ } else if (selabel_lookup_raw(label_hnd, &ctx, name, polymap) < 0) {
|
|
ErrorF("SELinux: a property label lookup failed!\n");
|
|
return BadValue;
|
|
}
|
|
|
|
/* Get a SID for context */
|
|
- if (avc_context_to_sid(ctx, &obj->sid) < 0) {
|
|
- ErrorF("SELinux: a context_to_SID call failed!\n");
|
|
+ if (avc_context_to_sid_raw(ctx, &obj->sid) < 0) {
|
|
+ ErrorF("SELinux: a context_to_SID_raw call failed!\n");
|
|
rc = BadAlloc;
|
|
}
|
|
|
|
@@ -343,7 +343,7 @@ SELinuxEventToSID(unsigned type, security_id_t sid_of_window,
|
|
SELinuxObjectRec *sid_return)
|
|
{
|
|
const char *name = LookupEventName(type);
|
|
- security_context_t con;
|
|
+ security_context_t ctx;
|
|
type &= 127;
|
|
|
|
if (type >= numKnownEvents) {
|
|
@@ -359,16 +359,16 @@ SELinuxEventToSID(unsigned type, security_id_t sid_of_window,
|
|
|
|
if (!knownEvents[type]) {
|
|
/* Look in the mappings of event names to contexts */
|
|
- if (selabel_lookup(label_hnd, &con, name, SELABEL_X_EVENT) < 0) {
|
|
+ if (selabel_lookup_raw(label_hnd, &ctx, name, SELABEL_X_EVENT) < 0) {
|
|
ErrorF("SELinux: an event label lookup failed!\n");
|
|
return BadValue;
|
|
}
|
|
/* Get a SID for context */
|
|
- if (avc_context_to_sid(con, knownEvents + type) < 0) {
|
|
- ErrorF("SELinux: a context_to_SID call failed!\n");
|
|
+ if (avc_context_to_sid_raw(ctx, knownEvents + type) < 0) {
|
|
+ ErrorF("SELinux: a context_to_SID_raw call failed!\n");
|
|
return BadAlloc;
|
|
}
|
|
- freecon(con);
|
|
+ freecon(ctx);
|
|
}
|
|
|
|
/* Perform a transition to obtain the final SID */
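Review bot: The rewritten error branch in SELinuxEventToSID returns BadAlloc while still holding the context that selabel_lookup_raw handed back two lines earlier, so that path leaks it; only the success path reaches the `freecon(ctx)` that follows. That the selabel result is caller-owned is inferred from the surrounding freecon calls rather than shown in the hunk, but under that reading the branch should be `freecon(ctx); return BadAlloc;`. The same shape appears in the SELinuxExtension hunk, where `rec->status = BadAlloc; return;` also skips freecon(ctx) even though the later avc_compute_create failure does free it. The function continues past the end of this hunk.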
|
|
@@ -474,7 +474,7 @@ SELinuxLabelClient(ClientPtr client)
|
|
/* Try to get a context from the socket */
|
|
if (fd < 0 || getpeercon_raw(fd, &ctx) < 0) {
|
|
/* Otherwise, fall back to a default context */
|
|
- if (selabel_lookup(label_hnd, &ctx, "remote", SELABEL_X_CLIENT) < 0)
|
|
+ if (selabel_lookup_raw(label_hnd, &ctx, "remote", SELABEL_X_CLIENT) < 0)
|
|
FatalError("SELinux: failed to look up remote-client context\n");
|
|
}
|
|
|
|
@@ -509,8 +509,8 @@ SELinuxLabelClient(ClientPtr client)
|
|
|
|
finish:
|
|
/* Get a SID from the context */
|
|
- if (avc_context_to_sid(ctx, &subj->sid) < 0)
|
|
- FatalError("SELinux: client %d: context_to_sid(%s) failed\n",
|
|
+ if (avc_context_to_sid_raw(ctx, &subj->sid) < 0)
|
|
+ FatalError("SELinux: client %d: context_to_sid_raw(%s) failed\n",
|
|
client->index, ctx);
|
|
|
|
sidget(obj->sid = subj->sid);
|
|
@@ -541,7 +541,7 @@ SELinuxLabelInitial(void)
|
|
FatalError("SELinux: couldn't get context of X server process\n");
|
|
|
|
/* Get a SID from the context */
|
|
- if (avc_context_to_sid(ctx, &subj->sid) < 0)
|
|
+ if (avc_context_to_sid_raw(ctx, &subj->sid) < 0)
|
|
FatalError("SELinux: serverClient: context_to_sid(%s) failed\n", ctx);
|
|
|
|
sidget(obj->sid = subj->sid);
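Review bot: The FatalError text after the converted call still names `context_to_sid(%s)`, while the SELinuxLabelClient and SELinuxEventToSID hunks were changed to say `context_to_sid_raw` / `context_to_SID_raw`; the SELinuxExtensionInit hunk likewise keeps `context_to_SID call failed!` after switching to the _raw call. These strings are what an operator greps for when matching a log line back to the failing libselinux call, so they should either all be updated or all left alone. Here the one-line change would be `FatalError("SELinux: serverClient: context_to_sid_raw(%s) failed\n", ctx);`.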
|
|
@@ -827,20 +827,20 @@ SELinuxExtension(CallbackListPtr *pcbl, pointer unused, pointer calldata)
|
|
/* XXX there should be a separate callback for this */
|
|
if (obj->sid == unlabeled_sid) {
|
|
const char *name = rec->ext->name;
|
|
- security_context_t con;
|
|
+ security_context_t ctx;
|
|
security_id_t sid;
|
|
|
|
serv = dixLookupPrivate(&serverClient->devPrivates, subjectKey);
|
|
|
|
/* Look in the mappings of extension names to contexts */
|
|
- if (selabel_lookup(label_hnd, &con, name, SELABEL_X_EXT) < 0) {
|
|
+ if (selabel_lookup_raw(label_hnd, &ctx, name, SELABEL_X_EXT) < 0) {
|
|
ErrorF("SELinux: a property label lookup failed!\n");
|
|
rec->status = BadValue;
|
|
return;
|
|
}
|
|
/* Get a SID for context */
|
|
- if (avc_context_to_sid(con, &sid) < 0) {
|
|
- ErrorF("SELinux: a context_to_SID call failed!\n");
|
|
+ if (avc_context_to_sid_raw(ctx, &sid) < 0) {
|
|
+ ErrorF("SELinux: a context_to_SID_raw call failed!\n");
|
|
rec->status = BadAlloc;
|
|
return;
|
|
}
|
|
@@ -851,11 +851,11 @@ SELinuxExtension(CallbackListPtr *pcbl, pointer unused, pointer calldata)
|
|
if (avc_compute_create(serv->sid, sid, SECCLASS_X_EXTENSION,
|
|
&obj->sid) < 0) {
|
|
ErrorF("SELinux: a SID transition call failed!\n");
|
|
- freecon(con);
|
|
+ freecon(ctx);
|
|
rec->status = BadValue;
|
|
return;
|
|
}
|
|
- freecon(con);
|
|
+ freecon(ctx);
|
|
}
|
|
|
|
/* Perform the security check */
|
|
@@ -1156,7 +1156,7 @@ SELinuxResourceState(CallbackListPtr *pcbl, pointer unused, pointer calldata)
|
|
|
|
if (subj->sid) {
|
|
security_context_t ctx;
|
|
- int rc = avc_sid_to_context(subj->sid, &ctx);
|
|
+ int rc = avc_sid_to_context_raw(subj->sid, &ctx);
|
|
if (rc < 0)
|
|
FatalError("SELinux: Failed to get security context!\n");
|
|
rc = dixChangeWindowProperty(serverClient,
|
|
@@ -1172,7 +1172,7 @@ SELinuxResourceState(CallbackListPtr *pcbl, pointer unused, pointer calldata)
|
|
|
|
if (obj->sid) {
|
|
security_context_t ctx;
|
|
- int rc = avc_sid_to_context(obj->sid, &ctx);
|
|
+ int rc = avc_sid_to_context_raw(obj->sid, &ctx);
|
|
if (rc < 0)
|
|
FatalError("SELinux: Failed to get security context!\n");
|
|
rc = dixChangeWindowProperty(serverClient,
|
|
@@ -1288,7 +1288,7 @@ SELinuxSendContextReply(ClientPtr client, security_id_t sid)
|
|
int len = 0;
|
|
|
|
if (sid) {
|
|
- if (avc_sid_to_context(sid, &ctx) < 0)
|
|
+ if (avc_sid_to_context_raw(sid, &ctx) < 0)
|
|
return BadValue;
|
|
len = strlen(ctx) + 1;
|
|
}
|
|
@@ -1347,9 +1347,9 @@ ProcSELinuxSetCreateContext(ClientPtr client, unsigned offset)
|
|
*pSid = NULL;
|
|
|
|
if (stuff->context_len > 0) {
|
|
- if (security_check_context(ctx) < 0)
|
|
+ if (security_check_context_raw(ctx) < 0)
|
|
return BadValue;
|
|
- if (avc_context_to_sid(ctx, pSid) < 0)
|
|
+ if (avc_context_to_sid_raw(ctx, pSid) < 0)
|
|
return BadValue;
|
|
}
|
|
return Success;
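Review bot: The context string a client supplies in this request is now validated and converted with the _raw functions, so the extension treats the wire string as a raw (untranslated) context; nothing in the hunk documents that, and a client that passes a string obtained from the non-raw libselinux API on a system with a translation daemon would, if I read the libselinux contract correctly, hand over text that no longer matches what the policy knows. The same applies to ProcSELinuxSetDeviceContext, and in the other direction the SELinuxSendContextReply, SELinuxPopulateItem and SELinuxResourceState hunks now emit raw contexts in replies and window properties. Whether this changes what existing clients observe depends on whether translation was ever in effect for them, which the diff cannot show. A short comment at the head of this function, such as `/* Contexts on the wire are raw (untranslated); clients must use the _raw libselinux API or translate themselves. */`, would record the contract. The function's declaration and the `ctx` setup are outside the hunk.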
|
|
@@ -1393,9 +1393,9 @@ ProcSELinuxSetDeviceContext(ClientPtr client)
|
|
if (rc != Success)
|
|
return rc;
|
|
|
|
- if (security_check_context(ctx) < 0)
|
|
+ if (security_check_context_raw(ctx) < 0)
|
|
return BadValue;
|
|
- if (avc_context_to_sid(ctx, &sid) < 0)
|
|
+ if (avc_context_to_sid_raw(ctx, &sid) < 0)
|
|
return BadValue;
|
|
|
|
subj = dixLookupPrivate(&dev->devPrivates, subjectKey);
|
|
@@ -1511,9 +1511,9 @@ SELinuxPopulateItem(SELinuxListItemRec *i, PrivateRec **privPtr, CARD32 id,
|
|
SELinuxObjectRec *obj = dixLookupPrivate(privPtr, objectKey);
|
|
SELinuxObjectRec *data = dixLookupPrivate(privPtr, dataKey);
|
|
|
|
- if (avc_sid_to_context(obj->sid, &i->octx) < 0)
|
|
+ if (avc_sid_to_context_raw(obj->sid, &i->octx) < 0)
|
|
return BadValue;
|
|
- if (avc_sid_to_context(data->sid, &i->dctx) < 0)
|
|
+ if (avc_sid_to_context_raw(data->sid, &i->dctx) < 0)
|
|
return BadValue;
|
|
|
|
i->id = id;
|
|
@@ -1941,7 +1941,7 @@ SELinuxExtensionInit(INITARGS)
|
|
ExtensionEntry *extEntry;
|
|
struct selinux_opt selabel_option = { SELABEL_OPT_VALIDATE, (char *)1 };
|
|
struct selinux_opt avc_option = { AVC_OPT_SETENFORCE, (char *)0 };
|
|
- security_context_t con;
|
|
+ security_context_t ctx;
|
|
int ret = TRUE;
|
|
|
|
/* Check SELinux mode on system */
|
|
@@ -1988,11 +1988,11 @@ SELinuxExtensionInit(INITARGS)
|
|
if (!label_hnd)
|
|
FatalError("SELinux: Failed to open x_contexts mapping in policy\n");
|
|
|
|
- if (security_get_initial_context("unlabeled", &con) < 0)
|
|
+ if (security_get_initial_context_raw("unlabeled", &ctx) < 0)
|
|
FatalError("SELinux: Failed to look up unlabeled context\n");
|
|
- if (avc_context_to_sid(con, &unlabeled_sid) < 0)
|
|
+ if (avc_context_to_sid_raw(ctx, &unlabeled_sid) < 0)
|
|
FatalError("SELinux: a context_to_SID call failed!\n");
|
|
- freecon(con);
|
|
+ freecon(ctx);
|
|
|
|
/* Prepare for auditing */
|
|
audit_fd = audit_open();
|
|
--
|
|
1.6.1.3
|
|
|