Projects
openEuler:Mainline
libselinux
Sign Up
Log In
Username
Password
Overview
Repositories
Revisions
Requests
Users
Attributes
Meta
Expand all
Collapse all
Changes of Revision 8
View file
_service:tar_scm:libselinux.spec
Changed
@@ -1,20 +1,18 @@ %global ruby_inc %(pkg-config --cflags ruby) -%global libsepol_version 3.4 +%global libsepol_version 3.5 Name: libselinux -Version: 3.4 +Version: 3.5 Release: 1 License: Public Domain Summary: SELinux library and simple utilities Url: https://github.com/SELinuxProject/selinux/wiki Source0: https://github.com/SELinuxProject/selinux/releases/download/%{version}/libselinux-%{version}.tar.gz -Patch6000: backport-libselinux-restorecon-avoid-printing-NULL-pointer.patch - Patch9000: do-malloc-trim-after-load-policy.patch BuildRequires: gcc python3-devel systemd swig pcre2-devel xz-devel -BuildRequires: ruby-devel libsepol-static +BuildRequires: ruby-devel libsepol-static python3-pip Requires: libsepol >= %{libsepol_version} pcre2 Conflicts: filesystem < 3, selinux-policy-base < 3.13.1-138 @@ -102,7 +100,7 @@ %license LICENSE %{_libdir}/libselinux.so.* %{_sbindir}/{selabel_lookup_best_match,selabel_partial_match,selinux_check_access} -%{_sbindir}/{avcstat,getenforce,getsebool,matchpathcon,sefcontext_compile,selinuxconlist} +%{_sbindir}/{avcstat,getenforce,getpidprevcon,getsebool,matchpathcon,sefcontext_compile,selinuxconlist} %{_sbindir}/{selinuxdefcon,selinuxexeccon,selinuxenabled,setenforce,selabel_digest,selabel_lookup} %{_sbindir}/{selabel_get_digests_all_partial_matches,validatetrans} %dir %{_rundir}/setrans/ @@ -116,7 +114,7 @@ %files -n python3-libselinux %{python3_sitearch}/selinux/ -%{python3_sitearch}/selinux-%{version}-* +%{python3_sitearch}/selinux-%{version}* %{python3_sitearch}/_selinux.*.so %files ruby @@ -130,6 +128,9 @@ %{_mandir}/ru/man8/* %changelog +* Mon Jul 17 2023 zhangguangzhi <zhangguangzhi3@huawei.com> - 3.5-1 +- update version to 3.5 + * Mon Jan 30 2023 zhangguangzhi <zhangguangzhi3@huawei.com> - 3.4-1 - update version to 3.4
View file
_service:tar_scm:backport-libselinux-restorecon-avoid-printing-NULL-pointer.patch
Deleted
@@ -1,36 +0,0 @@ -From 956bda08f6183078f13b70f6aa27d0529a3ec20a Mon Sep 17 00:00:00 2001 -From: =?UTF-8?q?Christian=20G=C3=B6ttsche?= <cgzones@googlemail.com> -Date: Tue, 7 Jun 2022 19:00:35 +0200 -Subject: PATCH libselinux: restorecon: avoid printing NULL pointer -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -The variable `curcon` is NULL in case the file has no current security -context. Most C standard libraries handle it fine, avoid it nonetheless -for standard conformance. - -Signed-off-by: Christian Göttsche <cgzones@googlemail.com> -Acked-by: Nicolas Iooss <nicolas.iooss@m4x.org> ---- - src/selinux_restorecon.c | 4 +++- - 1 file changed, 3 insertions(+), 1 deletion(-) - -diff --git a/src/selinux_restorecon.c b/src/selinux_restorecon.c -index 66e6a4a2..2d24559f 100644 ---- a/src/selinux_restorecon.c -+++ b/src/selinux_restorecon.c -@@ -744,7 +744,9 @@ static int restorecon_sb(const char *pathname, const struct stat *sb, - selinux_log(SELINUX_INFO, - "%s %s from %s to %s\n", - updated ? "Relabeled" : "Would relabel", -- pathname, curcon, newcon); -+ pathname, -+ curcon ? curcon : "<no context>", -+ newcon); - - if (flags->syslog_changes && !flags->nochange) { - if (curcon) --- -2.27.0 -
View file
_service:tar_scm:libselinux-3.4.tar.gz/VERSION -> _service:tar_scm:libselinux-3.5.tar.gz/VERSION
Changed
@@ -1,1 +1,1 @@ -3.4 +3.5
View file
_service:tar_scm:libselinux-3.4.tar.gz/include/selinux/avc.h -> _service:tar_scm:libselinux-3.5.tar.gz/include/selinux/avc.h
Changed
@@ -24,7 +24,7 @@ }; typedef struct security_id *security_id_t; -#define SECSID_WILD (security_id_t)NULL /* unspecified SID */ +#define SECSID_WILD ((security_id_t)NULL) /* unspecified SID */ /** * avc_sid_to_context - get copy of context corresponding to SID.
View file
_service:tar_scm:libselinux-3.4.tar.gz/include/selinux/context.h -> _service:tar_scm:libselinux-3.5.tar.gz/include/selinux/context.h
Changed
@@ -17,7 +17,7 @@ /* Return a new context initialized to a context string */ - extern context_t context_new(const char *); + extern context_t context_new(const char *str); /* * Return a pointer to the string value of the context_t @@ -25,24 +25,24 @@ * for the same context_t* */ - extern char *context_str(context_t); + extern const char *context_str(context_t con); /* Free the storage used by a context */ - extern void context_free(context_t); + extern void context_free(context_t con); /* Get a pointer to the string value of a context component */ - extern const char *context_type_get(context_t); - extern const char *context_range_get(context_t); - extern const char *context_role_get(context_t); - extern const char *context_user_get(context_t); + extern const char *context_type_get(context_t con); + extern const char *context_range_get(context_t con); + extern const char *context_role_get(context_t con); + extern const char *context_user_get(context_t con); /* Set a context component. Returns nonzero if unsuccessful */ - extern int context_type_set(context_t, const char *); - extern int context_range_set(context_t, const char *); - extern int context_role_set(context_t, const char *); - extern int context_user_set(context_t, const char *); + extern int context_type_set(context_t con, const char *type); + extern int context_range_set(context_t con, const char *range); + extern int context_role_set(context_t con, const char *role); + extern int context_user_set(context_t con, const char *user); #ifdef __cplusplus }
View file
_service:tar_scm:libselinux-3.4.tar.gz/include/selinux/selinux.h -> _service:tar_scm:libselinux-3.5.tar.gz/include/selinux/selinux.h
Changed
@@ -54,6 +54,11 @@ extern int getprevcon(char ** con); extern int getprevcon_raw(char ** con); +/* Get previous context (prior to last exec) of process identified by pid, and + set *con to refer to it. Caller must free via freecon. */ +extern int getpidprevcon(pid_t pid, char ** con); +extern int getpidprevcon_raw(pid_t pid, char ** con); + /* Get exec context, and set *con to refer to it. Sets *con to NULL if no exec context has been set, i.e. using default. If non-NULL, caller must free via freecon. */ @@ -279,7 +284,7 @@ const char *newcon); /* Load a policy configuration. */ -extern int security_load_policy(void *data, size_t len); +extern int security_load_policy(const void *data, size_t len); /* Get the context of an initial kernel security identifier by name. Caller must free via freecon */
View file
_service:tar_scm:libselinux-3.5.tar.gz/man/man3/context_str.3
Added
@@ -0,0 +1,1 @@ +.so man3/context_new.3
View file
_service:tar_scm:libselinux-3.4.tar.gz/man/man3/getcon.3 -> _service:tar_scm:libselinux-3.5.tar.gz/man/man3/getcon.3
Changed
@@ -23,6 +23,10 @@ .sp .BI "int getpidcon_raw(pid_t " pid ", char **" context ); .sp +.BI "int getpidprevcon(pid_t " pid ", char **" context ); +.sp +.BI "int getpidprevcon_raw(pid_t " pid ", char **" context ); +.sp .BI "int getpeercon(int " fd ", char **" context ); .sp .BI "int getpeercon_raw(int " fd ", char **" context ); @@ -51,6 +55,11 @@ .BR freecon (). .TP +.BR getpidprevcon () +returns the process context before the last exec for the specified PID, which must be free'd with +.BR freecon (). + +.TP .BR getpeercon () retrieves the context of the peer socket, which must be free'd with .BR freecon (). @@ -125,6 +134,7 @@ .BR getcon_raw (), .BR getprevcon_raw (), .BR getpidcon_raw (), +.BR getpidprevcon_raw (), .BR getpeercon_raw () and .BR setcon_raw () @@ -139,5 +149,9 @@ .I *context to NULL if and only if SELinux is not enabled. +Querying a foreign process via its PID, e.g. \fBgetpidcon\fR() or +\fBgetpidprevcon\fR(), is inherently racy and therefore should never be relied +upon for security purposes. + .SH "SEE ALSO" .BR selinux "(8), " setexeccon "(3)"
View file
_service:tar_scm:libselinux-3.5.tar.gz/man/man3/getpidprevcon.3
Added
@@ -0,0 +1,1 @@ +.so man3/getcon.3
View file
_service:tar_scm:libselinux-3.5.tar.gz/man/man3/getpidprevcon_raw.3
Added
@@ -0,0 +1,1 @@ +.so man3/getcon.3
View file
_service:tar_scm:libselinux-3.5.tar.gz/man/man3/security_get_checkreqprot.3
Added
@@ -0,0 +1,1 @@ +.so man3/security_getenforce.3
View file
_service:tar_scm:libselinux-3.4.tar.gz/man/man3/security_load_policy.3 -> _service:tar_scm:libselinux-3.5.tar.gz/man/man3/security_load_policy.3
Changed
@@ -5,7 +5,7 @@ .SH "SYNOPSIS" .B #include <selinux/selinux.h> .sp -.BI "int security_load_policy(void *" data ", size_t "len ); +.BI "int security_load_policy(const void *" data ", size_t "len ); .sp .BI "int selinux_mkload_policy(int " preservebools ");" .sp
View file
_service:tar_scm:libselinux-3.5.tar.gz/man/man3/security_set_boolean_list.3
Added
@@ -0,0 +1,1 @@ +.so man3/security_load_booleans.3
View file
_service:tar_scm:libselinux-3.5.tar.gz/man/man3/selinux_sepgsql_context_path.3
Added
@@ -0,0 +1,1 @@ +.so man3/selinux_binary_policy_path.3
View file
_service:tar_scm:libselinux-3.5.tar.gz/man/man3/setexecfilecon.3
Added
@@ -0,0 +1,1 @@ +.so man3/getexeccon.3
View file
_service:tar_scm:libselinux-3.4.tar.gz/src/.gitignore -> _service:tar_scm:libselinux-3.5.tar.gz/src/.gitignore
Changed
@@ -1,3 +1,4 @@ selinux.py selinuxswig_python_wrap.c selinuxswig_ruby_wrap.c +selinux.egg-info/
View file
_service:tar_scm:libselinux-3.4.tar.gz/src/Makefile -> _service:tar_scm:libselinux-3.5.tar.gz/src/Makefile
Changed
@@ -14,7 +14,7 @@ INCLUDEDIR ?= $(PREFIX)/include PYINC ?= $(shell $(PKG_CONFIG) --cflags $(PYPREFIX)) PYLIBS ?= $(shell $(PKG_CONFIG) --libs $(PYPREFIX)) -PYTHONLIBDIR ?= $(shell $(PYTHON) -c "from distutils.sysconfig import *; print(get_python_lib(plat_specific=1, prefix='$(PREFIX)'))") +PYTHONLIBDIR ?= $(shell $(PYTHON) -c "import sysconfig; print(sysconfig.get_path('platlib', vars={'platbase': '$(PREFIX)', 'base': '$(PREFIX)'}))") PYCEXT ?= $(shell $(PYTHON) -c 'import importlib.machinery;print(importlib.machinery.EXTENSION_SUFFIXES0)') RUBYINC ?= $(shell $(RUBY) -e 'puts "-I" + RbConfig::CONFIG"rubyarchhdrdir" + " -I" + RbConfig::CONFIG"rubyhdrdir"') RUBYLIBS ?= $(shell $(RUBY) -e 'puts "-L" + RbConfig::CONFIG"libdir" + " -L" + RbConfig::CONFIG"archlibdir" + " " + RbConfig::CONFIG"LIBRUBYARG_SHARED"') @@ -86,7 +86,7 @@ -Wno-missing-field-initializers -Wno-sign-compare \ -Wno-format-nonliteral -Wframe-larger-than=$(MAX_STACK_SIZE) \ -fstack-protector-all --param=ssp-buffer-size=4 -fexceptions \ - -fasynchronous-unwind-tables -fdiagnostics-show-option -funit-at-a-time \ + -fasynchronous-unwind-tables -fdiagnostics-show-option \ -Werror -Wno-aggregate-return -Wno-redundant-decls \ $(EXTRA_CFLAGS) @@ -103,6 +103,12 @@ override CFLAGS += -I../include -D_GNU_SOURCE $(DISABLE_FLAGS) $(PCRE_CFLAGS) +# check for strlcpy(3) availability +H := \# +ifeq (yes,$(shell printf '${H}include <string.h>\nint main(void){char*d,*s;strlcpy(d, s, 0);return 0;}' | $(CC) -x c -o /dev/null - >/dev/null 2>&1 && echo yes)) +override CFLAGS += -DHAVE_STRLCPY +endif + SWIG_CFLAGS += -Wno-error -Wno-unused-variable -Wno-unused-but-set-variable -Wno-unused-parameter \ -Wno-shadow -Wno-uninitialized -Wno-missing-prototypes -Wno-missing-declarations \ -Wno-deprecated-declarations @@ -181,7 +187,7 @@ ln -sf --relative $(DESTDIR)$(SHLIBDIR)/$(LIBSO) $(DESTDIR)$(LIBDIR)/$(TARGET) install-pywrap: pywrap - $(PYTHON) setup.py install --prefix=$(PREFIX) `test -n "$(DESTDIR)" && echo --root $(DESTDIR)` $(PYTHON_SETUP_ARGS) + $(PYTHON) -m pip install --prefix=$(PREFIX) `test -n "$(DESTDIR)" && echo --root $(DESTDIR) --ignore-installed --no-deps` $(PYTHON_SETUP_ARGS) . install -m 644 $(SWIGPYOUT) $(DESTDIR)$(PYTHONLIBDIR)/selinux/__init__.py ln -sf --relative $(DESTDIR)$(PYTHONLIBDIR)/selinux/_selinux$(PYCEXT) $(DESTDIR)$(PYTHONLIBDIR)/_selinux$(PYCEXT) @@ -195,7 +201,7 @@ clean-pywrap: -rm -f $(SWIGLOBJ) $(SWIGSO) $(AUDIT2WHYLOBJ) $(AUDIT2WHYSO) $(PYTHON) setup.py clean - -rm -rf build *~ \#* *pyc .#* + -rm -rf build *~ \#* *pyc .#* selinux.egg-info/ clean-rubywrap: -rm -f $(SWIGRUBYLOBJ) $(SWIGRUBYSO)
View file
_service:tar_scm:libselinux-3.4.tar.gz/src/audit2why.c -> _service:tar_scm:libselinux-3.5.tar.gz/src/audit2why.c
Changed
@@ -191,26 +191,17 @@ static int __policy_init(const char *init_path) { - FILE *fp; - char pathPATH_MAX; + FILE *fp = NULL; + const char *curpolicy; char errormsgPATH_MAX+1024+20; struct sepol_policy_file *pf = NULL; int rc; unsigned int cnt; - pathPATH_MAX-1 = '\0'; if (init_path) { - strncpy(path, init_path, PATH_MAX-1); - fp = fopen(path, "re"); - if (!fp) { - snprintf(errormsg, sizeof(errormsg), - "unable to open %s: %m\n", - path); - PyErr_SetString( PyExc_ValueError, errormsg); - return 1; - } + curpolicy = init_path; } else { - const char *curpolicy = selinux_current_policy_path(); + curpolicy = selinux_current_policy_path(); if (!curpolicy) { /* SELinux disabled, must use -p option. */ snprintf(errormsg, sizeof(errormsg), @@ -218,14 +209,15 @@ PyErr_SetString( PyExc_ValueError, errormsg); return 1; } - fp = fopen(curpolicy, "re"); - if (!fp) { - snprintf(errormsg, sizeof(errormsg), - "unable to open %s: %m\n", - curpolicy); - PyErr_SetString( PyExc_ValueError, errormsg); - return 1; - } + } + + fp = fopen(curpolicy, "re"); + if (!fp) { + snprintf(errormsg, sizeof(errormsg), + "unable to open %s: %m\n", + curpolicy); + PyErr_SetString( PyExc_ValueError, errormsg); + return 1; } avc = calloc(sizeof(struct avc_t), 1); @@ -243,18 +235,17 @@ snprintf(errormsg, sizeof(errormsg), "policydb_init failed: %m\n"); PyErr_SetString( PyExc_RuntimeError, errormsg); - fclose(fp); - return 1; + goto err; } sepol_policy_file_set_fp(pf, fp); if (sepol_policydb_read(avc->policydb, pf)) { snprintf(errormsg, sizeof(errormsg), - "invalid binary policy %s\n", path); + "invalid binary policy %s\n", curpolicy); PyErr_SetString( PyExc_ValueError, errormsg); - fclose(fp); - return 1; + goto err; } fclose(fp); + fp = NULL; sepol_set_policydb(&avc->policydb->p); avc->handle = sepol_handle_create(); /* Turn off messages */ @@ -264,13 +255,13 @@ avc->policydb, &cnt); if (rc < 0) { PyErr_SetString( PyExc_RuntimeError, "unable to get bool count\n"); - return 1; + goto err; } boollist = calloc(cnt, sizeof(*boollist)); if (!boollist) { PyErr_SetString( PyExc_MemoryError, "Out of memory\n"); - return 1; + goto err; } sepol_bool_iterate(avc->handle, avc->policydb, @@ -281,11 +272,26 @@ rc = sepol_sidtab_init(&sidtab); if (rc < 0) { PyErr_SetString( PyExc_RuntimeError, "unable to init sidtab\n"); - free(boollist); - return 1; + goto err; } sepol_set_sidtab(&sidtab); return 0; + +err: + if (boollist) + free(boollist); + if (avc){ + if (avc->handle) + sepol_handle_destroy(avc->handle); + if (avc->policydb) + sepol_policydb_free(avc->policydb); + free(avc); + } + if (pf) + sepol_policy_file_free(pf); + if (fp) + fclose(fp); + return 1; } static PyObject *init(PyObject *self __attribute__((unused)), PyObject *args) {
View file
_service:tar_scm:libselinux-3.4.tar.gz/src/avc.c -> _service:tar_scm:libselinux-3.5.tar.gz/src/avc.c
Changed
@@ -725,7 +725,6 @@ if (denied) log_append(avc_audit_buf, " permissive=%u", result ? 0 : 1); - log_append(avc_audit_buf, "\n"); avc_log(SELINUX_AVC, "%s", avc_audit_buf); avc_release_lock(avc_log_lock);
View file
_service:tar_scm:libselinux-3.4.tar.gz/src/avc_internal.c -> _service:tar_scm:libselinux-3.5.tar.gz/src/avc_internal.c
Changed
@@ -51,7 +51,6 @@ int avc_running = 0; int avc_enforcing = 1; int avc_setenforce = 0; -int avc_netlink_trouble = 0; /* process setenforce events for netlink and sestatus */ int avc_process_setenforce(int enforcing) @@ -295,7 +294,6 @@ close(fd); fd = -1; - avc_netlink_trouble = 1; avc_log(SELINUX_ERROR, "%s: netlink thread: errors encountered, terminating\n", avc_prefix);
View file
_service:tar_scm:libselinux-3.4.tar.gz/src/avc_internal.h -> _service:tar_scm:libselinux-3.5.tar.gz/src/avc_internal.h
Changed
@@ -180,7 +180,4 @@ security_class_t tclass, access_vector_t perms, uint32_t seqno, uint32_t enable) ; -/* netlink kernel message code */ -extern int avc_netlink_trouble ; - #endif /* _SELINUX_AVC_INTERNAL_H_ */
View file
_service:tar_scm:libselinux-3.4.tar.gz/src/booleans.c -> _service:tar_scm:libselinux-3.5.tar.gz/src/booleans.c
Changed
@@ -7,7 +7,6 @@ #ifndef DISABLE_BOOL -#include <assert.h> #include <sys/types.h> #include <sys/stat.h> #include <fcntl.h> @@ -132,7 +131,8 @@ ptr++; *ptr = '\0'; - sub = strdup(dst); + if (!strchr(dst, '/')) + sub = strdup(dst); break; } @@ -147,12 +147,12 @@ static int bool_open(const char *name, int flag) { char *fname = NULL; char *alt_name = NULL; - int len; + size_t len; int fd = -1; int ret; char *ptr; - if (!name) { + if (!name || strchr(name, '/')) { errno = EINVAL; return -1; } @@ -164,9 +164,8 @@ return -1; ret = snprintf(fname, len, "%s%s%s", selinux_mnt, SELINUX_BOOL_DIR, name); - if (ret < 0) + if (ret < 0 || (size_t)ret >= len) goto out; - assert(ret < len); fd = open(fname, flag); if (fd >= 0 || errno != ENOENT) @@ -184,9 +183,8 @@ fname = ptr; ret = snprintf(fname, len, "%s%s%s", selinux_mnt, SELINUX_BOOL_DIR, alt_name); - if (ret < 0) + if (ret < 0 || (size_t)ret >= len) goto out; - assert(ret < len); fd = open(fname, flag); out:
View file
_service:tar_scm:libselinux-3.4.tar.gz/src/canonicalize_context.c -> _service:tar_scm:libselinux-3.5.tar.gz/src/canonicalize_context.c
Changed
@@ -33,7 +33,11 @@ ret = -1; goto out; } - strncpy(buf, con, size); + if (strlcpy(buf, con, size) >= size) { + errno = EOVERFLOW; + ret = -1; + goto out2; + } ret = write(fd, buf, strlen(buf) + 1); if (ret < 0)
View file
_service:tar_scm:libselinux-3.4.tar.gz/src/compute_av.c -> _service:tar_scm:libselinux-3.5.tar.gz/src/compute_av.c
Changed
@@ -40,8 +40,14 @@ } kclass = unmap_class(tclass); - snprintf(buf, len, "%s %s %hu %x", scon, tcon, + + ret = snprintf(buf, len, "%s %s %hu %x", scon, tcon, kclass, unmap_perm(tclass, requested)); + if (ret < 0 || (size_t)ret >= len) { + errno = EOVERFLOW; + ret = -1; + goto out2; + } ret = write(fd, buf, strlen(buf)); if (ret < 0)
View file
_service:tar_scm:libselinux-3.4.tar.gz/src/compute_create.c -> _service:tar_scm:libselinux-3.5.tar.gz/src/compute_create.c
Changed
@@ -75,8 +75,15 @@ ret = -1; goto out; } + len = snprintf(buf, size, "%s %s %hu", scon, tcon, unmap_class(tclass)); + if (len < 0 || (size_t)len >= size) { + errno = EOVERFLOW; + ret = -1; + goto out2; + } + if (objname && object_name_encode(objname, buf + len, size - len) < 0) { errno = ENAMETOOLONG;
View file
_service:tar_scm:libselinux-3.4.tar.gz/src/compute_member.c -> _service:tar_scm:libselinux-3.5.tar.gz/src/compute_member.c
Changed
@@ -36,7 +36,13 @@ ret = -1; goto out; } - snprintf(buf, size, "%s %s %hu", scon, tcon, unmap_class(tclass)); + + ret = snprintf(buf, size, "%s %s %hu", scon, tcon, unmap_class(tclass)); + if (ret < 0 || (size_t)ret >= size) { + errno = EOVERFLOW; + ret = -1; + goto out2; + } ret = write(fd, buf, strlen(buf)); if (ret < 0)
View file
_service:tar_scm:libselinux-3.4.tar.gz/src/compute_relabel.c -> _service:tar_scm:libselinux-3.5.tar.gz/src/compute_relabel.c
Changed
@@ -36,7 +36,13 @@ ret = -1; goto out; } - snprintf(buf, size, "%s %s %hu", scon, tcon, unmap_class(tclass)); + + ret = snprintf(buf, size, "%s %s %hu", scon, tcon, unmap_class(tclass)); + if (ret < 0 || (size_t)ret >= size) { + errno = EOVERFLOW; + ret = -1; + goto out2; + } ret = write(fd, buf, strlen(buf)); if (ret < 0)
View file
_service:tar_scm:libselinux-3.4.tar.gz/src/compute_user.c -> _service:tar_scm:libselinux-3.5.tar.gz/src/compute_user.c
Changed
@@ -38,7 +38,13 @@ ret = -1; goto out; } - snprintf(buf, size, "%s %s", scon, user); + + ret = snprintf(buf, size, "%s %s", scon, user); + if (ret < 0 || (size_t)ret >= size) { + errno = EOVERFLOW; + ret = -1; + goto out2; + } ret = write(fd, buf, strlen(buf)); if (ret < 0)
View file
_service:tar_scm:libselinux-3.4.tar.gz/src/context.c -> _service:tar_scm:libselinux-3.5.tar.gz/src/context.c
Changed
@@ -68,11 +68,9 @@ for (p = tok; *p; p++) { /* empty */ } } - n->componenti = (char *)malloc(p - tok + 1); + n->componenti = strndup(tok, p - tok); if (n->componenti == 0) goto err; - strncpy(n->componenti, tok, p - tok); - n->componentip - tok = '\0'; tok = *p ? p + 1 : p; } return result; @@ -116,7 +114,7 @@ /* * Return a pointer to the string value of the context. */ -char *context_str(context_t context) +const char *context_str(context_t context) { context_private_t *n = context->ptr; int i; @@ -149,19 +147,18 @@ char *t = NULL; const char *p; if (str) { - t = (char *)malloc(strlen(str) + 1); - if (!t) { - return -1; - } for (p = str; *p; p++) { if (*p == '\t' || *p == '\n' || *p == '\r' || ((*p == ':' || *p == ' ') && idx != COMP_RANGE)) { - free(t); errno = EINVAL; return -1; } } - strcpy(t, str); + + t = strdup(str); + if (!t) { + return -1; + } } conditional_free(&n->componentidx); n->componentidx = t;
View file
_service:tar_scm:libselinux-3.4.tar.gz/src/fgetfilecon.c -> _service:tar_scm:libselinux-3.5.tar.gz/src/fgetfilecon.c
Changed
@@ -26,7 +26,10 @@ snprintf(buf, sizeof(buf), "/proc/self/fd/%d", fd); errno = saved_errno; - return getxattr(buf, name, value, size); + ret = getxattr(buf, name, value, size); + if (ret < 0 && errno == ENOENT) + errno = EBADF; + return ret; } int fgetfilecon_raw(int fd, char ** context)
View file
_service:tar_scm:libselinux-3.4.tar.gz/src/fsetfilecon.c -> _service:tar_scm:libselinux-3.5.tar.gz/src/fsetfilecon.c
Changed
@@ -25,7 +25,10 @@ snprintf(buf, sizeof(buf), "/proc/self/fd/%d", fd); errno = saved_errno; - return setxattr(buf, name, value, size, flags); + rc = setxattr(buf, name, value, size, flags); + if (rc < 0 && errno == ENOENT) + errno = EBADF; + return rc; } int fsetfilecon_raw(int fd, const char * context)
View file
_service:tar_scm:libselinux-3.4.tar.gz/src/get_context_list.c -> _service:tar_scm:libselinux-3.5.tar.gz/src/get_context_list.c
Changed
@@ -143,6 +143,7 @@ char *linerole, *linetype; char **new_reachable = NULL; char *usercon_str; + const char *usercon_str2; context_t con; context_t usercon; @@ -257,20 +258,20 @@ rc = -1; goto out; } - usercon_str = context_str(usercon); - if (!usercon_str) { + usercon_str2 = context_str(usercon); + if (!usercon_str2) { context_free(usercon); rc = -1; goto out; } /* check whether usercon is already in reachable */ - if (is_in_reachable(*reachable, usercon_str)) { + if (is_in_reachable(*reachable, usercon_str2)) { context_free(usercon); start = end; continue; } - if (security_check_context(usercon_str) == 0) { + if (security_check_context(usercon_str2) == 0) { new_reachable = realloc(*reachable, (*nreachable + 2) * sizeof(char *)); if (!new_reachable) { context_free(usercon); @@ -278,7 +279,7 @@ goto out; } *reachable = new_reachable; - new_reachable*nreachable = strdup(usercon_str); + new_reachable*nreachable = strdup(usercon_str2); if (new_reachable*nreachable == NULL) { context_free(usercon); rc = -1;
View file
_service:tar_scm:libselinux-3.4.tar.gz/src/get_default_type.c -> _service:tar_scm:libselinux-3.5.tar.gz/src/get_default_type.c
Changed
@@ -62,10 +62,9 @@ return -1; } - t = malloc(strlen(buf) - len); + t = strndup(ptr, strlen(buf) - len - 1); if (!t) return -1; - strcpy(t, ptr); *type = t; return 0; }
View file
_service:tar_scm:libselinux-3.4.tar.gz/src/get_initial_context.c -> _service:tar_scm:libselinux-3.5.tar.gz/src/get_initial_context.c
Changed
@@ -23,8 +23,17 @@ return -1; } - snprintf(path, sizeof path, "%s%s%s", - selinux_mnt, SELINUX_INITCON_DIR, name); + if (strchr(name, '/')) { + errno = EINVAL; + return -1; + } + + ret = snprintf(path, sizeof path, "%s%s%s", selinux_mnt, SELINUX_INITCON_DIR, name); + if (ret < 0 || (size_t)ret >= sizeof path) { + errno = EOVERFLOW; + return -1; + } + fd = open(path, O_RDONLY | O_CLOEXEC); if (fd < 0) return -1;
View file
_service:tar_scm:libselinux-3.4.tar.gz/src/label_db.c -> _service:tar_scm:libselinux-3.5.tar.gz/src/label_db.c
Changed
@@ -31,7 +31,7 @@ * For example: * ---------------------------------------- * # - * # It is an example specfile for database obejcts + * # It is an example specfile for database objects * # * db_database template1 system_u:object_r:sepgsql_db_t:s0 * @@ -293,6 +293,11 @@ return NULL; } rec->spec_file = strdup(path); + if (!rec->spec_file) { + free(catalog); + fclose(filp); + return NULL; + } /* * Parse for each lines @@ -322,18 +327,19 @@ if (process_line(path, line_buf, ++line_num, catalog) < 0) goto out_error; } - free(line_buf); if (digest_add_specfile(rec->digest, filp, NULL, sb.st_size, path) < 0) goto out_error; digest_gen_hash(rec->digest); + free(line_buf); fclose(filp); return catalog; out_error: + free(line_buf); for (i = 0; i < catalog->nspec; i++) { spec_t *spec = &catalog->specsi;
View file
_service:tar_scm:libselinux-3.4.tar.gz/src/libselinux.map -> _service:tar_scm:libselinux-3.5.tar.gz/src/libselinux.map
Changed
@@ -246,3 +246,9 @@ selinux_restorecon_get_skipped_errors; selinux_restorecon_parallel; } LIBSELINUX_1.0; + +LIBSELINUX_3.5 { + global: + getpidprevcon; + getpidprevcon_raw; +} LIBSELINUX_3.4;
View file
_service:tar_scm:libselinux-3.4.tar.gz/src/load_policy.c -> _service:tar_scm:libselinux-3.5.tar.gz/src/load_policy.c
Changed
@@ -23,7 +23,7 @@ #define MNT_DETACH 2 #endif -int security_load_policy(void *data, size_t len) +int security_load_policy(const void *data, size_t len) { char pathPATH_MAX; int fd, ret;
View file
_service:tar_scm:libselinux-3.4.tar.gz/src/matchpathcon.c -> _service:tar_scm:libselinux-3.5.tar.gz/src/matchpathcon.c
Changed
@@ -215,10 +215,9 @@ if (ret < 0 || sb.st_ino != ino) { fl->specind = specind; free(fl->file); - fl->file = malloc(strlen(file) + 1); + fl->file = strdup(file); if (!fl->file) goto oom; - strcpy(fl->file, file); return fl->specind; } @@ -232,10 +231,9 @@ __FUNCTION__, file, fl->file, con_arrayfl->specind); free(fl->file); - fl->file = malloc(strlen(file) + 1); + fl->file = strdup(file); if (!fl->file) goto oom; - strcpy(fl->file, file); return fl->specind; } @@ -248,10 +246,9 @@ goto oom; fl->ino = ino; fl->specind = specind; - fl->file = malloc(strlen(file) + 1); + fl->file = strdup(file); if (!fl->file) goto oom_freefl; - strcpy(fl->file, file); fl->next = prevfl->next; prevfl->next = fl; return fl->specind;
View file
_service:tar_scm:libselinux-3.4.tar.gz/src/procattr.c -> _service:tar_scm:libselinux-3.5.tar.gz/src/procattr.c
Changed
@@ -11,11 +11,14 @@ #define UNSET (char *) -1 +/* Cached values so that when a thread calls set*con() then gen*con(), the value + * which was set is directly returned. + */ static __thread char *prev_current = UNSET; -static __thread char * prev_exec = UNSET; -static __thread char * prev_fscreate = UNSET; -static __thread char * prev_keycreate = UNSET; -static __thread char * prev_sockcreate = UNSET; +static __thread char *prev_exec = UNSET; +static __thread char *prev_fscreate = UNSET; +static __thread char *prev_keycreate = UNSET; +static __thread char *prev_sockcreate = UNSET; static pthread_once_t once = PTHREAD_ONCE_INIT; static pthread_key_t destructor_key; @@ -111,43 +114,18 @@ return fd; } -static int getprocattrcon_raw(char ** context, - pid_t pid, const char *attr) +static int getprocattrcon_raw(char **context, pid_t pid, const char *attr, + const char *prev_context) { char *buf; size_t size; int fd; ssize_t ret; int errno_hold; - char * prev_context; __selinux_once(once, init_procattr); init_thread_destructor(); - switch (attr0) { - case 'c': - prev_context = prev_current; - break; - case 'e': - prev_context = prev_exec; - break; - case 'f': - prev_context = prev_fscreate; - break; - case 'k': - prev_context = prev_keycreate; - break; - case 's': - prev_context = prev_sockcreate; - break; - case 'p': - prev_context = NULL; - break; - default: - errno = ENOENT; - return -1; - } - if (prev_context && prev_context != UNSET) { *context = strdup(prev_context); if (!(*context)) { @@ -194,13 +172,13 @@ return ret; } -static int getprocattrcon(char ** context, - pid_t pid, const char *attr) +static int getprocattrcon(char **context, pid_t pid, const char *attr, + const char *prev_context) { int ret; char * rcontext; - ret = getprocattrcon_raw(&rcontext, pid, attr); + ret = getprocattrcon_raw(&rcontext, pid, attr, prev_context); if (!ret) { ret = selinux_raw_to_trans_context(rcontext, context); @@ -210,45 +188,24 @@ return ret; } -static int setprocattrcon_raw(const char * context, - pid_t pid, const char *attr) +static int setprocattrcon_raw(const char *context, const char *attr, + char **prev_context) { int fd; ssize_t ret; int errno_hold; - char **prev_context, *context2 = NULL; + char *context2 = NULL; __selinux_once(once, init_procattr); init_thread_destructor(); - switch (attr0) { - case 'c': - prev_context = &prev_current; - break; - case 'e': - prev_context = &prev_exec; - break; - case 'f': - prev_context = &prev_fscreate; - break; - case 'k': - prev_context = &prev_keycreate; - break; - case 's': - prev_context = &prev_sockcreate; - break; - default: - errno = ENOENT; - return -1; - } - if (!context && !*prev_context) return 0; if (context && *prev_context && *prev_context != UNSET && !strcmp(context, *prev_context)) return 0; - fd = openattr(pid, attr, O_RDWR | O_CLOEXEC); + fd = openattr(0, attr, O_RDWR | O_CLOEXEC); if (fd < 0) return -1; if (context) { @@ -279,8 +236,8 @@ } } -static int setprocattrcon(const char * context, - pid_t pid, const char *attr) +static int setprocattrcon(const char *context, const char *attr, + char **prev_context) { int ret; char * rcontext; @@ -288,62 +245,76 @@ if (selinux_trans_to_raw_context(context, &rcontext)) return -1; - ret = setprocattrcon_raw(rcontext, pid, attr); + ret = setprocattrcon_raw(rcontext, attr, prev_context); freecon(rcontext); return ret; } -#define getselfattr_def(fn, attr) \ +#define getselfattr_def(fn, attr, prev_context) \ int get##fn##_raw(char **c) \ { \ - return getprocattrcon_raw(c, 0, #attr); \ + return getprocattrcon_raw(c, 0, attr, prev_context); \ } \ int get##fn(char **c) \ { \ - return getprocattrcon(c, 0, #attr); \ + return getprocattrcon(c, 0, attr, prev_context); \ } -#define setselfattr_def(fn, attr) \ +#define setselfattr_def(fn, attr, prev_context) \ int set##fn##_raw(const char * c) \ { \ - return setprocattrcon_raw(c, 0, #attr); \ + return setprocattrcon_raw(c, attr, &prev_context); \ } \ int set##fn(const char * c) \ { \ - return setprocattrcon(c, 0, #attr); \ + return setprocattrcon(c, attr, &prev_context); \ } -#define all_selfattr_def(fn, attr) \ - getselfattr_def(fn, attr) \ - setselfattr_def(fn, attr) +#define all_selfattr_def(fn, attr, prev_context) \ + getselfattr_def(fn, attr, prev_context) \ + setselfattr_def(fn, attr, prev_context) -#define getpidattr_def(fn, attr) \ - int get##fn##_raw(pid_t pid, char **c) \ - { \ - if (pid <= 0) { \ - errno = EINVAL; \ - return -1; \ - } else { \ - return getprocattrcon_raw(c, pid, #attr); \ - } \ - } \ - int get##fn(pid_t pid, char **c) \ - { \ - if (pid <= 0) { \ - errno = EINVAL; \ - return -1; \ - } else { \ - return getprocattrcon(c, pid, #attr); \ - } \ +all_selfattr_def(con, "current", prev_current) + getselfattr_def(prevcon, "prev", NULL) + all_selfattr_def(execcon, "exec", prev_exec) + all_selfattr_def(fscreatecon, "fscreate", prev_fscreate) + all_selfattr_def(sockcreatecon, "sockcreate", prev_sockcreate) + all_selfattr_def(keycreatecon, "keycreate", prev_keycreate) + +int getpidcon_raw(pid_t pid, char **c) +{ + if (pid <= 0) { + errno = EINVAL; + return -1; + } + return getprocattrcon_raw(c, pid, "current", NULL); +} + +int getpidcon(pid_t pid, char **c) +{ + if (pid <= 0) { + errno = EINVAL; + return -1; } + return getprocattrcon(c, pid, "current", NULL); +} -all_selfattr_def(con, current) - getpidattr_def(pidcon, current) - getselfattr_def(prevcon, prev) - all_selfattr_def(execcon, exec) - all_selfattr_def(fscreatecon, fscreate) - all_selfattr_def(sockcreatecon, sockcreate) - all_selfattr_def(keycreatecon, keycreate) +int getpidprevcon_raw(pid_t pid, char **c) +{ + if (pid <= 0) { + errno = EINVAL; + return -1; + } + return getprocattrcon_raw(c, pid, "prev", NULL); +} +int getpidprevcon(pid_t pid, char **c) +{ + if (pid <= 0) { + errno = EINVAL; + return -1; + } + return getprocattrcon(c, pid, "prev", NULL); +}
View file
_service:tar_scm:libselinux-3.4.tar.gz/src/query_user_context.c -> _service:tar_scm:libselinux-3.5.tar.gz/src/query_user_context.c
Changed
@@ -115,7 +115,7 @@ int mls_enabled = is_selinux_mls_enabled(); context_t new_context; /* The new context chosen by the user */ - char *user_context = NULL; /* String value of the user's context */ + const char *user_context = NULL; /* String value of the user's context */ int done = 0; /* true if a valid sid has been obtained */ /* Initialize the context. How this is done depends on whether
View file
_service:tar_scm:libselinux-3.4.tar.gz/src/regex.c -> _service:tar_scm:libselinux-3.5.tar.gz/src/regex.c
Changed
@@ -60,11 +60,13 @@ struct regex_data { pcre2_code *regex; /* compiled regular expression */ +#ifndef AGGRESSIVE_FREE_AFTER_REGEX_MATCH /* * match data block required for the compiled * pattern in pcre2 */ pcre2_match_data *match_data; +#endif pthread_mutex_t match_mutex; }; @@ -84,11 +86,13 @@ goto err; } +#ifndef AGGRESSIVE_FREE_AFTER_REGEX_MATCH (*regex)->match_data = pcre2_match_data_create_from_pattern((*regex)->regex, NULL); if (!(*regex)->match_data) { goto err; } +#endif return 0; err: @@ -138,10 +142,12 @@ if (rc != 1) goto err; +#ifndef AGGRESSIVE_FREE_AFTER_REGEX_MATCH (*regex)->match_data = pcre2_match_data_create_from_pattern((*regex)->regex, NULL); if (!(*regex)->match_data) goto err; +#endif *regex_compiled = true; } @@ -167,7 +173,7 @@ PCRE2_UCHAR *bytes = NULL; if (do_write_precompregex) { - /* encode the patter for serialization */ + /* encode the pattern for serialization */ rc = pcre2_serialize_encode((const pcre2_code **)®ex->regex, 1, &bytes, &serialized_size, NULL); if (rc != 1) { @@ -203,8 +209,12 @@ if (regex) { if (regex->regex) pcre2_code_free(regex->regex); + +#ifndef AGGRESSIVE_FREE_AFTER_REGEX_MATCH if (regex->match_data) pcre2_match_data_free(regex->match_data); +#endif + __pthread_mutex_destroy(®ex->match_mutex); free(regex); } @@ -213,10 +223,30 @@ int regex_match(struct regex_data *regex, char const *subject, int partial) { int rc; + pcre2_match_data *match_data; __pthread_mutex_lock(®ex->match_mutex); + +#ifdef AGGRESSIVE_FREE_AFTER_REGEX_MATCH + match_data = pcre2_match_data_create_from_pattern( + regex->regex, NULL); + if (match_data == NULL) { + __pthread_mutex_unlock(®ex->match_mutex); + return REGEX_ERROR; + } +#else + match_data = regex->match_data; +#endif + rc = pcre2_match( regex->regex, (PCRE2_SPTR)subject, PCRE2_ZERO_TERMINATED, 0, - partial ? PCRE2_PARTIAL_SOFT : 0, regex->match_data, NULL); + partial ? PCRE2_PARTIAL_SOFT : 0, match_data, NULL); + +#ifdef AGGRESSIVE_FREE_AFTER_REGEX_MATCH + // pcre2_match allocates heap and it won't be freed until + // pcre2_match_data_free, resulting in heap overhead. + pcre2_match_data_free(match_data); +#endif + __pthread_mutex_unlock(®ex->match_mutex); if (rc > 0) return REGEX_MATCH; @@ -257,6 +287,9 @@ { struct regex_data *regex_data = (struct regex_data *)calloc(1, sizeof(struct regex_data)); + if (!regex_data) + return NULL; + __pthread_mutex_init(®ex_data->match_mutex, NULL); return regex_data; }
View file
_service:tar_scm:libselinux-3.5.tar.gz/src/selinux_internal.c
Added
@@ -0,0 +1,18 @@ +#include "selinux_internal.h" + +#include <string.h> + + +#ifndef HAVE_STRLCPY +size_t strlcpy(char *dest, const char *src, size_t size) +{ + size_t ret = strlen(src); + + if (size) { + size_t len = (ret >= size) ? size - 1 : ret; + memcpy(dest, src, len); + destlen = '\0'; + } + return ret; +} +#endif /* HAVE_STRLCPY */
View file
_service:tar_scm:libselinux-3.4.tar.gz/src/selinux_internal.h -> _service:tar_scm:libselinux-3.5.tar.gz/src/selinux_internal.h
Changed
@@ -1,3 +1,6 @@ +#ifndef SELINUX_INTERNAL_H_ +#define SELINUX_INTERNAL_H_ + #include <selinux/selinux.h> #include <pthread.h> @@ -90,3 +93,9 @@ #define SELINUXCONFIG SELINUXDIR "config" extern int has_selinux_config ; + +#ifndef HAVE_STRLCPY +size_t strlcpy(char *dest, const char *src, size_t size); +#endif + +#endif /* SELINUX_INTERNAL_H_ */
View file
_service:tar_scm:libselinux-3.4.tar.gz/src/selinux_restorecon.c -> _service:tar_scm:libselinux-3.5.tar.gz/src/selinux_restorecon.c
Changed
@@ -432,10 +432,11 @@ * that matched. */ static int filespec_add(ino_t ino, const char *con, const char *file, - struct rest_flags *flags) + const struct rest_flags *flags) { file_spec_t *prevfl, *fl; - int h, ret; + uint32_t h; + int ret; struct stat64 sb; __pthread_mutex_lock(&fl_mutex); @@ -524,7 +525,8 @@ static void filespec_eval(void) { file_spec_t *fl; - int h, used, nel, len, longest; + uint32_t h; + size_t used, nel, len, longest; if (!fl_head) return; @@ -544,7 +546,7 @@ } selinux_log(SELINUX_INFO, - "filespec hash table stats: %d elements, %d/%d buckets used, longest chain length %d\n", + "filespec hash table stats: %zu elements, %zu/%zu buckets used, longest chain length %zu\n", nel, used, HASH_BUCKETS, longest); } #else @@ -559,7 +561,7 @@ static void filespec_destroy(void) { file_spec_t *fl, *tmp; - int h; + uint32_t h; if (!fl_head) return; @@ -623,16 +625,14 @@ return rc; } -static int restorecon_sb(const char *pathname, struct rest_flags *flags, bool first) +static int restorecon_sb(const char *pathname, const struct stat *sb, + const struct rest_flags *flags, bool first) { char *newcon = NULL; char *curcon = NULL; char *newtypecon = NULL; - int fd = -1, rc; - struct stat stat_buf; - bool updated = false; + int rc; const char *lookup_path = pathname; - float pc; if (rootpath) { if (strncmp(rootpath, lookup_path, rootpathlen) != 0) { @@ -644,21 +644,13 @@ lookup_path += rootpathlen; } - fd = open(pathname, O_PATH | O_NOFOLLOW | O_EXCL); - if (fd < 0) - goto err; - - rc = fstat(fd, &stat_buf); - if (rc < 0) - goto err; - if (rootpath != NULL && lookup_path0 == '\0') /* this is actually the root dir of the alt root. */ rc = selabel_lookup_raw(fc_sehandle, &newcon, "/", - stat_buf.st_mode); + sb->st_mode & S_IFMT); else rc = selabel_lookup_raw(fc_sehandle, &newcon, lookup_path, - stat_buf.st_mode); + sb->st_mode & S_IFMT); if (rc < 0) { if (errno == ENOENT) { @@ -667,10 +659,10 @@ "Warning no default label for %s\n", lookup_path); - goto out; /* no match, but not an error */ + return 0; /* no match, but not an error */ } - goto err; + return -1; } if (flags->progress) { @@ -678,7 +670,7 @@ fc_count++; if (fc_count % STAR_COUNT == 0) { if (flags->mass_relabel && efile_count > 0) { - pc = (fc_count < efile_count) ? (100.0 * + float pc = (fc_count < efile_count) ? (100.0 * fc_count / efile_count) : 100; fprintf(stdout, "\r%-.1f%%", (double)pc); } else { @@ -690,17 +682,19 @@ } if (flags->add_assoc) { - rc = filespec_add(stat_buf.st_ino, newcon, pathname, flags); + rc = filespec_add(sb->st_ino, newcon, pathname, flags); if (rc < 0) { selinux_log(SELINUX_ERROR, "filespec_add error: %s\n", pathname); - goto out1; + freecon(newcon); + return -1; } if (rc > 0) { /* Already an association and it took precedence. */ - goto out; + freecon(newcon); + return 0; } } @@ -708,7 +702,7 @@ selinux_log(SELINUX_INFO, "%s matched by %s\n", pathname, newcon); - if (fgetfilecon_raw(fd, &curcon) < 0) { + if (lgetfilecon_raw(pathname, &curcon) < 0) { if (errno != ENODATA) goto err; @@ -716,6 +710,8 @@ } if (curcon == NULL || strcmp(curcon, newcon) != 0) { + bool updated = false; + if (!flags->set_specctx && curcon && (is_context_customizable(curcon) > 0)) { if (flags->verbose) { @@ -741,7 +737,7 @@ } if (!flags->nochange) { - if (fsetfilecon(fd, newcon) < 0) + if (lsetfilecon(pathname, newcon) < 0) goto err; updated = true; } @@ -750,7 +746,9 @@ selinux_log(SELINUX_INFO, "%s %s from %s to %s\n", updated ? "Relabeled" : "Would relabel", - pathname, curcon, newcon); + pathname, + curcon ? curcon : "<no context>", + newcon); if (flags->syslog_changes && !flags->nochange) { if (curcon) @@ -766,8 +764,6 @@ out: rc = 0; out1: - if (fd >= 0) - close(fd); freecon(curcon); freecon(newcon); return rc; @@ -865,6 +861,7 @@ FTSENT *ftsent; int error; char ent_pathPATH_MAX; + struct stat ent_st; bool first = false; if (state->parallel) @@ -961,12 +958,21 @@ } /* fall through */ default: - strcpy(ent_path, ftsent->fts_path); + if (strlcpy(ent_path, ftsent->fts_path, sizeof(ent_path)) >= sizeof(ent_path)) { + selinux_log(SELINUX_ERROR, + "Path name too long on %s.\n", + ftsent->fts_path); + errno = ENAMETOOLONG; + state->error = -1; + state->abort = true; + goto finish; + } + ent_st = *ftsent->fts_statp; if (state->parallel) pthread_mutex_unlock(&state->mutex); - error = restorecon_sb(ent_path, &state->flags, + error = restorecon_sb(ent_path, &ent_st, &state->flags, first); if (state->parallel) { @@ -1104,6 +1110,10 @@ pathname = realpath(pathname_orig, NULL); if (!pathname) { free(basename_cpy); + /* missing parent directory */ + if (state.flags.ignore_noent && errno == ENOENT) { + return 0; + } goto realpatherr; } } else { @@ -1117,6 +1127,9 @@ free(dirname_cpy); if (!pathdnamer) { free(basename_cpy); + if (state.flags.ignore_noent && errno == ENOENT) { + return 0; + } goto realpatherr; } if (!strcmp(pathdnamer, "/")) @@ -1162,7 +1175,7 @@ goto cleanup; } - error = restorecon_sb(pathname, &state.flags, true); + error = restorecon_sb(pathname, &sb, &state.flags, true); goto cleanup; }
View file
_service:tar_scm:libselinux-3.4.tar.gz/src/sestatus.c -> _service:tar_scm:libselinux-3.5.tar.gz/src/sestatus.c
Changed
@@ -343,7 +343,6 @@ if (avc_using_threads) { fallback_netlink_thread = avc_create_thread(&avc_netlink_loop); - avc_netlink_trouble = 0; } fallback_sequence = 0;
View file
_service:tar_scm:libselinux-3.4.tar.gz/src/setrans_client.c -> _service:tar_scm:libselinux-3.5.tar.gz/src/setrans_client.c
Changed
@@ -66,7 +66,13 @@ memset(&addr, 0, sizeof(addr)); addr.sun_family = AF_UNIX; - strncpy(addr.sun_path, SETRANS_UNIX_SOCKET, sizeof(addr.sun_path)); + + if (strlcpy(addr.sun_path, SETRANS_UNIX_SOCKET, sizeof(addr.sun_path)) >= sizeof(addr.sun_path)) { + close(fd); + errno = EOVERFLOW; + return -1; + } + if (connect(fd, (struct sockaddr *)&addr, sizeof(addr)) < 0) { close(fd); return -1;
View file
_service:tar_scm:libselinux-3.4.tar.gz/src/setup.py -> _service:tar_scm:libselinux-3.5.tar.gz/src/setup.py
Changed
@@ -1,10 +1,10 @@ #!/usr/bin/python3 -from distutils.core import Extension, setup +from setuptools import Extension, setup setup( name="selinux", - version="3.4", + version="3.5", description="SELinux python 3 bindings", author="SELinux Project", author_email="selinux@vger.kernel.org",
View file
_service:tar_scm:libselinux-3.4.tar.gz/src/sha1.c -> _service:tar_scm:libselinux-3.5.tar.gz/src/sha1.c
Changed
@@ -11,7 +11,7 @@ // Modified to: // - stop symbols being exported for libselinux shared library - October 2015 // Richard Haines <richard_c_haines@btinternet.com> -// - Not cast the workspace from a byte array to a CHAR64LONG16 due to alignment isses. +// - Not cast the workspace from a byte array to a CHAR64LONG16 due to alignment issues. // Fixes: // sha1.c:73:33: error: cast from 'uint8_t *' (aka 'unsigned char *') to 'CHAR64LONG16 *' increases required alignment from 1 to 4 -Werror,-Wcast-align // CHAR64LONG16* block = (CHAR64LONG16*) workspace;
View file
_service:tar_scm:libselinux-3.4.tar.gz/src/stringrep.c -> _service:tar_scm:libselinux-3.5.tar.gz/src/stringrep.c
Changed
@@ -63,6 +63,9 @@ return NULL; } + if (strchr(s, '/') != NULL) + return NULL; + /* allocate a node */ node = malloc(sizeof(struct discover_class_node)); if (node == NULL) @@ -79,7 +82,10 @@ goto err2; /* load up class index */ - snprintf(path, sizeof path, "%s/class/%s/index", selinux_mnt,s); + ret = snprintf(path, sizeof path, "%s/class/%s/index", selinux_mnt,s); + if (ret < 0 || (size_t)ret >= sizeof path) + goto err3; + fd = open(path, O_RDONLY | O_CLOEXEC); if (fd < 0) goto err3; @@ -94,7 +100,10 @@ goto err3; /* load up permission indices */ - snprintf(path, sizeof path, "%s/class/%s/perms",selinux_mnt,s); + ret = snprintf(path, sizeof path, "%s/class/%s/perms",selinux_mnt,s); + if (ret < 0 || (size_t)ret >= sizeof path) + goto err3; + dir = opendir(path); if (dir == NULL) goto err3; @@ -104,7 +113,10 @@ unsigned int value; struct stat m; - snprintf(path, sizeof path, "%s/class/%s/perms/%s", selinux_mnt,s,dentry->d_name); + ret = snprintf(path, sizeof path, "%s/class/%s/perms/%s", selinux_mnt,s,dentry->d_name); + if (ret < 0 || (size_t)ret >= sizeof path) + goto err4; + fd = open(path, O_RDONLY | O_CLOEXEC); if (fd < 0) goto err4;
View file
_service:tar_scm:libselinux-3.4.tar.gz/utils/.gitignore -> _service:tar_scm:libselinux-3.5.tar.gz/utils/.gitignore
Changed
@@ -9,6 +9,7 @@ getenforce getfilecon getpidcon +getpidprevcon getsebool getseuser matchpathcon
View file
_service:tar_scm:libselinux-3.4.tar.gz/utils/Makefile -> _service:tar_scm:libselinux-3.5.tar.gz/utils/Makefile
Changed
@@ -32,7 +32,7 @@ -Wno-missing-field-initializers -Wno-sign-compare \ -Wno-format-nonliteral -Wframe-larger-than=$(MAX_STACK_SIZE) -U_FORTIFY_SOURCE -D_FORTIFY_SOURCE=2 \ -fstack-protector-all --param=ssp-buffer-size=4 -fexceptions \ - -fasynchronous-unwind-tables -fdiagnostics-show-option -funit-at-a-time \ + -fasynchronous-unwind-tables -fdiagnostics-show-option \ -Werror -Wno-aggregate-return -Wno-redundant-decls -Wstrict-overflow=5 \ $(EXTRA_CFLAGS)
View file
_service:tar_scm:libselinux-3.4.tar.gz/utils/compute_create.c -> _service:tar_scm:libselinux-3.5.tar.gz/utils/compute_create.c
Changed
@@ -10,10 +10,11 @@ { char *buf; security_class_t tclass; + const char *objname; int ret; - if (argc != 4) { - fprintf(stderr, "usage: %s scontext tcontext tclass\n", + if (argc != 4 && argc != 5) { + fprintf(stderr, "usage: %s scontext tcontext tclass objname\n", argv0); exit(1); } @@ -34,7 +35,9 @@ exit(2); } - ret = security_compute_create(argv1, argv2, tclass, &buf); + objname = (argc == 5) ? argv4 : NULL; + + ret = security_compute_create_name(argv1, argv2, tclass, objname, &buf); if (ret < 0) { fprintf(stderr, "%s: security_compute_create failed: %s\n", argv0, strerror(errno));
View file
_service:tar_scm:libselinux-3.5.tar.gz/utils/getpidprevcon.c
Added
@@ -0,0 +1,33 @@ +#include <unistd.h> +#include <stdio.h> +#include <stdlib.h> +#include <string.h> +#include <errno.h> +#include <selinux/selinux.h> + +int main(int argc, char **argv) +{ + pid_t pid; + char *buf; + int rc; + + if (argc != 2) { + fprintf(stderr, "usage: %s pid\n", argv0); + exit(1); + } + + if (sscanf(argv1, "%d", &pid) != 1) { + fprintf(stderr, "%s: invalid pid %s\n", argv0, argv1); + exit(2); + } + + rc = getpidprevcon(pid, &buf); + if (rc < 0) { + fprintf(stderr, "%s: getpidprevcon() failed: %s\n", argv0, strerror(errno)); + exit(3); + } + + printf("%s\n", buf); + freecon(buf); + exit(EXIT_SUCCESS); +}
View file
_service:tar_scm:libselinux-3.4.tar.gz/utils/selabel_lookup_best_match.c -> _service:tar_scm:libselinux-3.5.tar.gz/utils/selabel_lookup_best_match.c
Changed
@@ -30,7 +30,7 @@ exit(1); } -static mode_t string_to_mode(char *s) +static mode_t string_to_mode(const char *s) { switch (s0) { case 'b': @@ -53,7 +53,7 @@ int main(int argc, char **argv) { - int raw = 0, mode = 0, rc, opt, i, num_links, string_len; + int raw = 0, mode = 0, rc, opt, i, num_links; char *validate = NULL, *path = NULL, *context = NULL, *file = NULL; char **links = NULL; @@ -101,13 +101,11 @@ } for (i = optind, num_links = 0; i < argc; i++, num_links++) { - string_len = strlen(argvi) + 1; - linksnum_links = malloc(string_len); + linksnum_links = strdup(argvi); if (!linksnum_links) { - fprintf(stderr, "ERROR: malloc failed.\n"); + fprintf(stderr, "ERROR: strdup failed.\n"); exit(1); } - strcpy(linksnum_links, argvi); } }
Locations
Projects
Search
Status Monitor
Help
Open Build Service
OBS Manuals
API Documentation
OBS Portal
Reporting a Bug
Contact
Mailing List
Forums
Chat (IRC)
Twitter
Open Build Service (OBS)
is an
openSUSE project
.
浙ICP备2022010568号-2