Changes of Revision 8
_service:tar_scm:libselinux.spec
Changed
@@ -1,20 +1,18 @@ %global ruby_inc %(pkg-config --cflags ruby) -%global libsepol_version 3.4 +%global libsepol_version 3.5 Name: libselinux -Version: 3.4 +Version: 3.5 Release: 1 License: Public Domain Summary: SELinux library and simple utilities Url: https://github.com/SELinuxProject/selinux/wiki Source0: https://github.com/SELinuxProject/selinux/releases/download/%{version}/libselinux-%{version}.tar.gz -Patch6000: backport-libselinux-restorecon-avoid-printing-NULL-pointer.patch - Patch9000: do-malloc-trim-after-load-policy.patch BuildRequires: gcc python3-devel systemd swig pcre2-devel xz-devel -BuildRequires: ruby-devel libsepol-static +BuildRequires: ruby-devel libsepol-static python3-pip Requires: libsepol >= %{libsepol_version} pcre2 Conflicts: filesystem < 3, selinux-policy-base < 3.13.1-138 @@ -102,7 +100,7 @@ %license LICENSE %{_libdir}/libselinux.so.* %{_sbindir}/{selabel_lookup_best_match,selabel_partial_match,selinux_check_access} -%{_sbindir}/{avcstat,getenforce,getsebool,matchpathcon,sefcontext_compile,selinuxconlist} +%{_sbindir}/{avcstat,getenforce,getpidprevcon,getsebool,matchpathcon,sefcontext_compile,selinuxconlist} %{_sbindir}/{selinuxdefcon,selinuxexeccon,selinuxenabled,setenforce,selabel_digest,selabel_lookup} %{_sbindir}/{selabel_get_digests_all_partial_matches,validatetrans} %dir %{_rundir}/setrans/ @@ -116,7 +114,7 @@ %files -n python3-libselinux %{python3_sitearch}/selinux/ -%{python3_sitearch}/selinux-%{version}-* +%{python3_sitearch}/selinux-%{version}* %{python3_sitearch}/_selinux.*.so %files ruby @@ -130,6 +128,9 @@ %{_mandir}/ru/man8/* %changelog +* Mon Jul 17 2023 zhangguangzhi <zhangguangzhi3@huawei.com> - 3.5-1 +- update version to 3.5 + * Mon Jan 30 2023 zhangguangzhi <zhangguangzhi3@huawei.com> - 3.4-1 - update version to 3.4
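Review bot: The python3 files glob is loosened from `selinux-%{version}-*` to `selinux-%{version}*`, presumably because the pip-based install now used by src/Makefile writes a metadata directory that is not named with a trailing `-`; a one-line comment above that `%files -n python3-libselinux` entry stating the reason would keep the next packager from tightening it again. The new `python3-pip` BuildRequires follows from the same Makefile change and is fine. Patch9000 is carried over unchanged; whether it still applies cleanly to 3.5 is not visible here and is worth confirming in the build log.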
_service:tar_scm:backport-libselinux-restorecon-avoid-printing-NULL-pointer.patch
Deleted
@@ -1,36 +0,0 @@ -From 956bda08f6183078f13b70f6aa27d0529a3ec20a Mon Sep 17 00:00:00 2001 -From: =?UTF-8?q?Christian=20G=C3=B6ttsche?= <cgzones@googlemail.com> -Date: Tue, 7 Jun 2022 19:00:35 +0200 -Subject: PATCH libselinux: restorecon: avoid printing NULL pointer -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -The variable `curcon` is NULL in case the file has no current security -context. Most C standard libraries handle it fine, avoid it nonetheless -for standard conformance. - -Signed-off-by: Christian Göttsche <cgzones@googlemail.com> -Acked-by: Nicolas Iooss <nicolas.iooss@m4x.org> ---- - src/selinux_restorecon.c | 4 +++- - 1 file changed, 3 insertions(+), 1 deletion(-) - -diff --git a/src/selinux_restorecon.c b/src/selinux_restorecon.c -index 66e6a4a2..2d24559f 100644 ---- a/src/selinux_restorecon.c -+++ b/src/selinux_restorecon.c -@@ -744,7 +744,9 @@ static int restorecon_sb(const char *pathname, const struct stat *sb, - selinux_log(SELINUX_INFO, - "%s %s from %s to %s\n", - updated ? "Relabeled" : "Would relabel", -- pathname, curcon, newcon); -+ pathname, -+ curcon ? curcon : "<no context>", -+ newcon); - - if (flags->syslog_changes && !flags->nochange) { - if (curcon) --- -2.27.0 -
_service:tar_scm:libselinux-3.4.tar.gz/VERSION -> _service:tar_scm:libselinux-3.5.tar.gz/VERSION
Changed
@@ -1,1 +1,1 @@
-3.4
+3.5
_service:tar_scm:libselinux-3.4.tar.gz/include/selinux/avc.h -> _service:tar_scm:libselinux-3.5.tar.gz/include/selinux/avc.h
Changed
@@ -24,7 +24,7 @@ }; typedef struct security_id *security_id_t; -#define SECSID_WILD (security_id_t)NULL /* unspecified SID */ +#define SECSID_WILD ((security_id_t)NULL) /* unspecified SID */ /** * avc_sid_to_context - get copy of context corresponding to SID.
_service:tar_scm:libselinux-3.4.tar.gz/include/selinux/context.h -> _service:tar_scm:libselinux-3.5.tar.gz/include/selinux/context.h
Changed
@@ -17,7 +17,7 @@ /* Return a new context initialized to a context string */ - extern context_t context_new(const char *); + extern context_t context_new(const char *str); /* * Return a pointer to the string value of the context_t @@ -25,24 +25,24 @@ * for the same context_t* */ - extern char *context_str(context_t); + extern const char *context_str(context_t con); /* Free the storage used by a context */ - extern void context_free(context_t); + extern void context_free(context_t con); /* Get a pointer to the string value of a context component */ - extern const char *context_type_get(context_t); - extern const char *context_range_get(context_t); - extern const char *context_role_get(context_t); - extern const char *context_user_get(context_t); + extern const char *context_type_get(context_t con); + extern const char *context_range_get(context_t con); + extern const char *context_role_get(context_t con); + extern const char *context_user_get(context_t con); /* Set a context component. Returns nonzero if unsuccessful */ - extern int context_type_set(context_t, const char *); - extern int context_range_set(context_t, const char *); - extern int context_role_set(context_t, const char *); - extern int context_user_set(context_t, const char *); + extern int context_type_set(context_t con, const char *type); + extern int context_range_set(context_t con, const char *range); + extern int context_role_set(context_t con, const char *role); + extern int context_user_set(context_t con, const char *user); #ifdef __cplusplus }
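Review bot: Changing `context_str` to return `const char *` is a source-compatibility change for every external caller that stores the result in a plain `char *` (a discarded-qualifier warning, an error under -Werror), even though the ABI is unaffected; the in-tree callers are updated in this revision, downstream ones are not. The context_new(3) man page, which the new context_str.3 stub points at, is not shown here — it should carry the new prototype and state that the returned string is owned by the `context_t` and must not be modified or freed by the caller. Naming the parameters in the prototypes is a welcome readability improvement.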
_service:tar_scm:libselinux-3.4.tar.gz/include/selinux/selinux.h -> _service:tar_scm:libselinux-3.5.tar.gz/include/selinux/selinux.h
Changed
@@ -54,6 +54,11 @@ extern int getprevcon(char ** con); extern int getprevcon_raw(char ** con); +/* Get previous context (prior to last exec) of process identified by pid, and + set *con to refer to it. Caller must free via freecon. */ +extern int getpidprevcon(pid_t pid, char ** con); +extern int getpidprevcon_raw(pid_t pid, char ** con); + /* Get exec context, and set *con to refer to it. Sets *con to NULL if no exec context has been set, i.e. using default. If non-NULL, caller must free via freecon. */ @@ -279,7 +284,7 @@ const char *newcon); /* Load a policy configuration. */ -extern int security_load_policy(void *data, size_t len); +extern int security_load_policy(const void *data, size_t len); /* Get the context of an initial kernel security identifier by name. Caller must free via freecon */
_service:tar_scm:libselinux-3.5.tar.gz/man/man3/context_str.3
Added
@@ -0,0 +1,1 @@
+.so man3/context_new.3
_service:tar_scm:libselinux-3.4.tar.gz/man/man3/getcon.3 -> _service:tar_scm:libselinux-3.5.tar.gz/man/man3/getcon.3
Changed
@@ -23,6 +23,10 @@ .sp .BI "int getpidcon_raw(pid_t " pid ", char **" context ); .sp +.BI "int getpidprevcon(pid_t " pid ", char **" context ); +.sp +.BI "int getpidprevcon_raw(pid_t " pid ", char **" context ); +.sp .BI "int getpeercon(int " fd ", char **" context ); .sp .BI "int getpeercon_raw(int " fd ", char **" context ); @@ -51,6 +55,11 @@ .BR freecon (). .TP +.BR getpidprevcon () +returns the process context before the last exec for the specified PID, which must be free'd with +.BR freecon (). + +.TP .BR getpeercon () retrieves the context of the peer socket, which must be free'd with .BR freecon (). @@ -125,6 +134,7 @@ .BR getcon_raw (), .BR getprevcon_raw (), .BR getpidcon_raw (), +.BR getpidprevcon_raw (), .BR getpeercon_raw () and .BR setcon_raw () @@ -139,5 +149,9 @@ .I *context to NULL if and only if SELinux is not enabled. +Querying a foreign process via its PID, e.g. \fBgetpidcon\fR() or +\fBgetpidprevcon\fR(), is inherently racy and therefore should never be relied +upon for security purposes. + .SH "SEE ALSO" .BR selinux "(8), " setexeccon "(3)"
_service:tar_scm:libselinux-3.5.tar.gz/man/man3/getpidprevcon.3
Added
@@ -0,0 +1,1 @@
+.so man3/getcon.3
_service:tar_scm:libselinux-3.5.tar.gz/man/man3/getpidprevcon_raw.3
Added
@@ -0,0 +1,1 @@
+.so man3/getcon.3
_service:tar_scm:libselinux-3.5.tar.gz/man/man3/security_get_checkreqprot.3
Added
@@ -0,0 +1,1 @@
+.so man3/security_getenforce.3
_service:tar_scm:libselinux-3.4.tar.gz/man/man3/security_load_policy.3 -> _service:tar_scm:libselinux-3.5.tar.gz/man/man3/security_load_policy.3
Changed
@@ -5,7 +5,7 @@
.SH "SYNOPSIS"
.B #include <selinux/selinux.h>
.sp
-.BI "int security_load_policy(void *" data ", size_t "len );
+.BI "int security_load_policy(const void *" data ", size_t "len );
.sp
.BI "int selinux_mkload_policy(int " preservebools ");"
.sp
_service:tar_scm:libselinux-3.5.tar.gz/man/man3/security_set_boolean_list.3
Added
@@ -0,0 +1,1 @@
+.so man3/security_load_booleans.3
_service:tar_scm:libselinux-3.5.tar.gz/man/man3/selinux_sepgsql_context_path.3
Added
@@ -0,0 +1,1 @@
+.so man3/selinux_binary_policy_path.3
_service:tar_scm:libselinux-3.5.tar.gz/man/man3/setexecfilecon.3
Added
@@ -0,0 +1,1 @@
+.so man3/getexeccon.3
_service:tar_scm:libselinux-3.4.tar.gz/src/.gitignore -> _service:tar_scm:libselinux-3.5.tar.gz/src/.gitignore
Changed
@@ -1,3 +1,4 @@
selinux.py
selinuxswig_python_wrap.c
selinuxswig_ruby_wrap.c
+selinux.egg-info/
_service:tar_scm:libselinux-3.4.tar.gz/src/Makefile -> _service:tar_scm:libselinux-3.5.tar.gz/src/Makefile
Changed
@@ -14,7 +14,7 @@ INCLUDEDIR ?= $(PREFIX)/include PYINC ?= $(shell $(PKG_CONFIG) --cflags $(PYPREFIX)) PYLIBS ?= $(shell $(PKG_CONFIG) --libs $(PYPREFIX)) -PYTHONLIBDIR ?= $(shell $(PYTHON) -c "from distutils.sysconfig import *; print(get_python_lib(plat_specific=1, prefix='$(PREFIX)'))") +PYTHONLIBDIR ?= $(shell $(PYTHON) -c "import sysconfig; print(sysconfig.get_path('platlib', vars={'platbase': '$(PREFIX)', 'base': '$(PREFIX)'}))") PYCEXT ?= $(shell $(PYTHON) -c 'import importlib.machinery;print(importlib.machinery.EXTENSION_SUFFIXES0)') RUBYINC ?= $(shell $(RUBY) -e 'puts "-I" + RbConfig::CONFIG"rubyarchhdrdir" + " -I" + RbConfig::CONFIG"rubyhdrdir"') RUBYLIBS ?= $(shell $(RUBY) -e 'puts "-L" + RbConfig::CONFIG"libdir" + " -L" + RbConfig::CONFIG"archlibdir" + " " + RbConfig::CONFIG"LIBRUBYARG_SHARED"') @@ -86,7 +86,7 @@ -Wno-missing-field-initializers -Wno-sign-compare \ -Wno-format-nonliteral -Wframe-larger-than=$(MAX_STACK_SIZE) \ -fstack-protector-all --param=ssp-buffer-size=4 -fexceptions \ - -fasynchronous-unwind-tables -fdiagnostics-show-option -funit-at-a-time \ + -fasynchronous-unwind-tables -fdiagnostics-show-option \ -Werror -Wno-aggregate-return -Wno-redundant-decls \ $(EXTRA_CFLAGS) @@ -103,6 +103,12 @@ override CFLAGS += -I../include -D_GNU_SOURCE $(DISABLE_FLAGS) $(PCRE_CFLAGS) +# check for strlcpy(3) availability +H := \# +ifeq (yes,$(shell printf '${H}include <string.h>\nint main(void){char*d,*s;strlcpy(d, s, 0);return 0;}' | $(CC) -x c -o /dev/null - >/dev/null 2>&1 && echo yes)) +override CFLAGS += -DHAVE_STRLCPY +endif + SWIG_CFLAGS += -Wno-error -Wno-unused-variable -Wno-unused-but-set-variable -Wno-unused-parameter \ -Wno-shadow -Wno-uninitialized -Wno-missing-prototypes -Wno-missing-declarations \ -Wno-deprecated-declarations 
@@ -181,7 +187,7 @@ ln -sf --relative $(DESTDIR)$(SHLIBDIR)/$(LIBSO) $(DESTDIR)$(LIBDIR)/$(TARGET) install-pywrap: pywrap - $(PYTHON) setup.py install --prefix=$(PREFIX) `test -n "$(DESTDIR)" && echo --root $(DESTDIR)` $(PYTHON_SETUP_ARGS) + $(PYTHON) -m pip install --prefix=$(PREFIX) `test -n "$(DESTDIR)" && echo --root $(DESTDIR) --ignore-installed --no-deps` $(PYTHON_SETUP_ARGS) . install -m 644 $(SWIGPYOUT) $(DESTDIR)$(PYTHONLIBDIR)/selinux/__init__.py ln -sf --relative $(DESTDIR)$(PYTHONLIBDIR)/selinux/_selinux$(PYCEXT) $(DESTDIR)$(PYTHONLIBDIR)/_selinux$(PYCEXT) @@ -195,7 +201,7 @@ clean-pywrap: -rm -f $(SWIGLOBJ) $(SWIGSO) $(AUDIT2WHYLOBJ) $(AUDIT2WHYSO) $(PYTHON) setup.py clean - -rm -rf build *~ \#* *pyc .#* + -rm -rf build *~ \#* *pyc .#* selinux.egg-info/ clean-rubywrap: -rm -f $(SWIGRUBYLOBJ) $(SWIGRUBYSO)
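Review bot: In the `install-pywrap` rule the `--ignore-installed --no-deps` flags sit inside the backticked `test -n "$(DESTDIR)" && echo ...` expression, so they are only passed when DESTDIR is set; a plain prefix install lets pip resolve, and possibly download, dependencies. If that asymmetry is intended a comment should say so; otherwise move the flags outside the backticks: `$(PYTHON) -m pip install --prefix=$(PREFIX) --ignore-installed --no-deps `test -n "$(DESTDIR)" && echo --root $(DESTDIR)` $(PYTHON_SETUP_ARGS) .`. Unless `PYTHON_SETUP_ARGS` carries `--no-build-isolation`, recent pip also creates an isolated build environment and fetches setuptools from the configured index, which fails in a network-less package build — worth a comment next to the rule. The strlcpy probe in the earlier hunk relies on the link step (`-o /dev/null` without `-c`) to detect a missing symbol; a one-line comment saying so would keep a future `-c` from quietly turning it into a compile-only probe.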
_service:tar_scm:libselinux-3.4.tar.gz/src/audit2why.c -> _service:tar_scm:libselinux-3.5.tar.gz/src/audit2why.c
Changed
@@ -191,26 +191,17 @@ static int __policy_init(const char *init_path) { - FILE *fp; - char pathPATH_MAX; + FILE *fp = NULL; + const char *curpolicy; char errormsgPATH_MAX+1024+20; struct sepol_policy_file *pf = NULL; int rc; unsigned int cnt; - pathPATH_MAX-1 = '\0'; if (init_path) { - strncpy(path, init_path, PATH_MAX-1); - fp = fopen(path, "re"); - if (!fp) { - snprintf(errormsg, sizeof(errormsg), - "unable to open %s: %m\n", - path); - PyErr_SetString( PyExc_ValueError, errormsg); - return 1; - } + curpolicy = init_path; } else { - const char *curpolicy = selinux_current_policy_path(); + curpolicy = selinux_current_policy_path(); if (!curpolicy) { /* SELinux disabled, must use -p option. */ snprintf(errormsg, sizeof(errormsg), @@ -218,14 +209,15 @@ PyErr_SetString( PyExc_ValueError, errormsg); return 1; } - fp = fopen(curpolicy, "re"); - if (!fp) { - snprintf(errormsg, sizeof(errormsg), - "unable to open %s: %m\n", - curpolicy); - PyErr_SetString( PyExc_ValueError, errormsg); - return 1; - } + } + + fp = fopen(curpolicy, "re"); + if (!fp) { + snprintf(errormsg, sizeof(errormsg), + "unable to open %s: %m\n", + curpolicy); + PyErr_SetString( PyExc_ValueError, errormsg); + return 1; } avc = calloc(sizeof(struct avc_t), 1); @@ -243,18 +235,17 @@ snprintf(errormsg, sizeof(errormsg), "policydb_init failed: %m\n"); PyErr_SetString( PyExc_RuntimeError, errormsg); - fclose(fp); - return 1; + goto err; } sepol_policy_file_set_fp(pf, fp); if (sepol_policydb_read(avc->policydb, pf)) { snprintf(errormsg, sizeof(errormsg), - "invalid binary policy %s\n", path); + "invalid binary policy %s\n", curpolicy); PyErr_SetString( PyExc_ValueError, errormsg); - fclose(fp); - return 1; + goto err; } fclose(fp); + fp = NULL; sepol_set_policydb(&avc->policydb->p); avc->handle = sepol_handle_create(); /* Turn off messages */ 
@@ -264,13 +255,13 @@ avc->policydb, &cnt); if (rc < 0) { PyErr_SetString( PyExc_RuntimeError, "unable to get bool count\n"); - return 1; + goto err; } boollist = calloc(cnt, sizeof(*boollist)); if (!boollist) { PyErr_SetString( PyExc_MemoryError, "Out of memory\n"); - return 1; + goto err; } sepol_bool_iterate(avc->handle, avc->policydb, @@ -281,11 +272,26 @@ rc = sepol_sidtab_init(&sidtab); if (rc < 0) { PyErr_SetString( PyExc_RuntimeError, "unable to init sidtab\n"); - free(boollist); - return 1; + goto err; } sepol_set_sidtab(&sidtab); return 0; + +err: + if (boollist) + free(boollist); + if (avc){ + if (avc->handle) + sepol_handle_destroy(avc->handle); + if (avc->policydb) + sepol_policydb_free(avc->policydb); + free(avc); + } + if (pf) + sepol_policy_file_free(pf); + if (fp) + fclose(fp); + return 1; } static PyObject *init(PyObject *self __attribute__((unused)), PyObject *args) {
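Review bot: The new `err:` label frees `avc` and `boollist` but does not reset them, and neither is declared in this function, so they appear to be file-scope pointers consulted by later calls; after a failed `__policy_init` they are left dangling and a subsequent teardown or retry would free them again. Adding `avc = NULL;` and `boollist = NULL;` after the respective `free()` closes that. `sepol_set_policydb(&avc->policydb->p)` and `sepol_set_sidtab(&sidtab)` run before the later failure points, so libsepol still holds pointers to memory the error path releases; if libsepol allows those registrations to be cleared, the cleanup should do so too. The `if (boollist)`, `if (pf)` and `if (fp)` guards are harmless but the first is redundant for `free()`, and `if (avc){` wants a space before the brace. `__policy_init` begins above the first hunk and the statements between the hunks are not shown.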
_service:tar_scm:libselinux-3.4.tar.gz/src/avc.c -> _service:tar_scm:libselinux-3.5.tar.gz/src/avc.c
Changed
@@ -725,7 +725,6 @@ if (denied) log_append(avc_audit_buf, " permissive=%u", result ? 0 : 1); - log_append(avc_audit_buf, "\n"); avc_log(SELINUX_AVC, "%s", avc_audit_buf); avc_release_lock(avc_log_lock);
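Review bot: Dropping the trailing `"\n"` changes what every registered log callback receives for an AVC record; if the default stderr callback prints the format verbatim, consecutive denials now run together on a terminal unless `avc_log` or the callback appends its own newline. If the intent is to stop embedding record framing in messages handed to syslog-style callbacks, a comment at the `avc_log` call such as `/* no trailing newline: the log callback decides record framing */` makes that deliberate. The enclosing function starts and ends outside this hunk.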
_service:tar_scm:libselinux-3.4.tar.gz/src/avc_internal.c -> _service:tar_scm:libselinux-3.5.tar.gz/src/avc_internal.c
Changed
@@ -51,7 +51,6 @@ int avc_running = 0; int avc_enforcing = 1; int avc_setenforce = 0; -int avc_netlink_trouble = 0; /* process setenforce events for netlink and sestatus */ int avc_process_setenforce(int enforcing) @@ -295,7 +294,6 @@ close(fd); fd = -1; - avc_netlink_trouble = 1; avc_log(SELINUX_ERROR, "%s: netlink thread: errors encountered, terminating\n", avc_prefix);
_service:tar_scm:libselinux-3.4.tar.gz/src/avc_internal.h -> _service:tar_scm:libselinux-3.5.tar.gz/src/avc_internal.h
Changed
@@ -180,7 +180,4 @@ security_class_t tclass, access_vector_t perms, uint32_t seqno, uint32_t enable) ; -/* netlink kernel message code */ -extern int avc_netlink_trouble ; - #endif /* _SELINUX_AVC_INTERNAL_H_ */
_service:tar_scm:libselinux-3.4.tar.gz/src/booleans.c -> _service:tar_scm:libselinux-3.5.tar.gz/src/booleans.c
Changed
@@ -7,7 +7,6 @@ #ifndef DISABLE_BOOL -#include <assert.h> #include <sys/types.h> #include <sys/stat.h> #include <fcntl.h> @@ -132,7 +131,8 @@ ptr++; *ptr = '\0'; - sub = strdup(dst); + if (!strchr(dst, '/')) + sub = strdup(dst); break; } @@ -147,12 +147,12 @@ static int bool_open(const char *name, int flag) { char *fname = NULL; char *alt_name = NULL; - int len; + size_t len; int fd = -1; int ret; char *ptr; - if (!name) { + if (!name || strchr(name, '/')) { errno = EINVAL; return -1; } @@ -164,9 +164,8 @@ return -1; ret = snprintf(fname, len, "%s%s%s", selinux_mnt, SELINUX_BOOL_DIR, name); - if (ret < 0) + if (ret < 0 || (size_t)ret >= len) goto out; - assert(ret < len); fd = open(fname, flag); if (fd >= 0 || errno != ENOENT) @@ -184,9 +183,8 @@ fname = ptr; ret = snprintf(fname, len, "%s%s%s", selinux_mnt, SELINUX_BOOL_DIR, alt_name); - if (ret < 0) + if (ret < 0 || (size_t)ret >= len) goto out; - assert(ret < len); fd = open(fname, flag); out:
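Review bot: The new `strchr(name, '/')` rejection in `bool_open` is the right guard against a caller-supplied name escaping `SELINUX_BOOL_DIR`, but nothing says why it is there; a comment such as `/* boolean names are single path components; a '/' would let the lookup leave SELINUX_BOOL_DIR */` above the `if` keeps it from being "simplified" away later. The identical check added in src/get_initial_context.c deserves the same comment. The first hunk silently leaves `sub` NULL when an alias entry contains `/`; a one-line comment that such entries are ignored rather than reported would help the reader. Replacing `assert(ret < len)` with a runtime `ret >= len` check is a good change, since the assert disappeared under NDEBUG.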
_service:tar_scm:libselinux-3.4.tar.gz/src/canonicalize_context.c -> _service:tar_scm:libselinux-3.5.tar.gz/src/canonicalize_context.c
Changed
@@ -33,7 +33,11 @@ ret = -1; goto out; } - strncpy(buf, con, size); + if (strlcpy(buf, con, size) >= size) { + errno = EOVERFLOW; + ret = -1; + goto out2; + } ret = write(fd, buf, strlen(buf) + 1); if (ret < 0)
_service:tar_scm:libselinux-3.4.tar.gz/src/compute_av.c -> _service:tar_scm:libselinux-3.5.tar.gz/src/compute_av.c
Changed
@@ -40,8 +40,14 @@ } kclass = unmap_class(tclass); - snprintf(buf, len, "%s %s %hu %x", scon, tcon, + + ret = snprintf(buf, len, "%s %s %hu %x", scon, tcon, kclass, unmap_perm(tclass, requested)); + if (ret < 0 || (size_t)ret >= len) { + errno = EOVERFLOW; + ret = -1; + goto out2; + } ret = write(fd, buf, strlen(buf)); if (ret < 0)
_service:tar_scm:libselinux-3.4.tar.gz/src/compute_create.c -> _service:tar_scm:libselinux-3.5.tar.gz/src/compute_create.c
Changed
@@ -75,8 +75,15 @@ ret = -1; goto out; } + len = snprintf(buf, size, "%s %s %hu", scon, tcon, unmap_class(tclass)); + if (len < 0 || (size_t)len >= size) { + errno = EOVERFLOW; + ret = -1; + goto out2; + } + if (objname && object_name_encode(objname, buf + len, size - len) < 0) { errno = ENAMETOOLONG;
_service:tar_scm:libselinux-3.4.tar.gz/src/compute_member.c -> _service:tar_scm:libselinux-3.5.tar.gz/src/compute_member.c
Changed
@@ -36,7 +36,13 @@ ret = -1; goto out; } - snprintf(buf, size, "%s %s %hu", scon, tcon, unmap_class(tclass)); + + ret = snprintf(buf, size, "%s %s %hu", scon, tcon, unmap_class(tclass)); + if (ret < 0 || (size_t)ret >= size) { + errno = EOVERFLOW; + ret = -1; + goto out2; + } ret = write(fd, buf, strlen(buf)); if (ret < 0)
_service:tar_scm:libselinux-3.4.tar.gz/src/compute_relabel.c -> _service:tar_scm:libselinux-3.5.tar.gz/src/compute_relabel.c
Changed
@@ -36,7 +36,13 @@ ret = -1; goto out; } - snprintf(buf, size, "%s %s %hu", scon, tcon, unmap_class(tclass)); + + ret = snprintf(buf, size, "%s %s %hu", scon, tcon, unmap_class(tclass)); + if (ret < 0 || (size_t)ret >= size) { + errno = EOVERFLOW; + ret = -1; + goto out2; + } ret = write(fd, buf, strlen(buf)); if (ret < 0)
_service:tar_scm:libselinux-3.4.tar.gz/src/compute_user.c -> _service:tar_scm:libselinux-3.5.tar.gz/src/compute_user.c
Changed
@@ -38,7 +38,13 @@ ret = -1; goto out; } - snprintf(buf, size, "%s %s", scon, user); + + ret = snprintf(buf, size, "%s %s", scon, user); + if (ret < 0 || (size_t)ret >= size) { + errno = EOVERFLOW; + ret = -1; + goto out2; + } ret = write(fd, buf, strlen(buf)); if (ret < 0)
_service:tar_scm:libselinux-3.4.tar.gz/src/context.c -> _service:tar_scm:libselinux-3.5.tar.gz/src/context.c
Changed
@@ -68,11 +68,9 @@ for (p = tok; *p; p++) { /* empty */ } } - n->componenti = (char *)malloc(p - tok + 1); + n->componenti = strndup(tok, p - tok); if (n->componenti == 0) goto err; - strncpy(n->componenti, tok, p - tok); - n->componentip - tok = '\0'; tok = *p ? p + 1 : p; } return result; @@ -116,7 +114,7 @@ /* * Return a pointer to the string value of the context. */ -char *context_str(context_t context) +const char *context_str(context_t context) { context_private_t *n = context->ptr; int i; @@ -149,19 +147,18 @@ char *t = NULL; const char *p; if (str) { - t = (char *)malloc(strlen(str) + 1); - if (!t) { - return -1; - } for (p = str; *p; p++) { if (*p == '\t' || *p == '\n' || *p == '\r' || ((*p == ':' || *p == ' ') && idx != COMP_RANGE)) { - free(t); errno = EINVAL; return -1; } } - strcpy(t, str); + + t = strdup(str); + if (!t) { + return -1; + } } conditional_free(&n->componentidx); n->componentidx = t;
_service:tar_scm:libselinux-3.4.tar.gz/src/fgetfilecon.c -> _service:tar_scm:libselinux-3.5.tar.gz/src/fgetfilecon.c
Changed
@@ -26,7 +26,10 @@ snprintf(buf, sizeof(buf), "/proc/self/fd/%d", fd); errno = saved_errno; - return getxattr(buf, name, value, size); + ret = getxattr(buf, name, value, size); + if (ret < 0 && errno == ENOENT) + errno = EBADF; + return ret; } int fgetfilecon_raw(int fd, char ** context)
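Review bot: Remapping `ENOENT` to `EBADF` after the `getxattr` on `/proc/self/fd/%d` assumes the missing entry always means a closed descriptor, but `ENOENT` is also what an unmounted or restricted `/proc` produces, so a valid fd would then be reported as `EBADF`. If that trade-off is accepted, a comment on the remap such as `/* /proc/self/fd/N is absent for a closed fd; report EBADF as fgetxattr would (a missing /proc is reported the same way) */` records it. The same remap is added in src/fsetfilecon.c. The enclosing helper starts above the hunk.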
_service:tar_scm:libselinux-3.4.tar.gz/src/fsetfilecon.c -> _service:tar_scm:libselinux-3.5.tar.gz/src/fsetfilecon.c
Changed
@@ -25,7 +25,10 @@ snprintf(buf, sizeof(buf), "/proc/self/fd/%d", fd); errno = saved_errno; - return setxattr(buf, name, value, size, flags); + rc = setxattr(buf, name, value, size, flags); + if (rc < 0 && errno == ENOENT) + errno = EBADF; + return rc; } int fsetfilecon_raw(int fd, const char * context)
_service:tar_scm:libselinux-3.4.tar.gz/src/get_context_list.c -> _service:tar_scm:libselinux-3.5.tar.gz/src/get_context_list.c
Changed
@@ -143,6 +143,7 @@ char *linerole, *linetype; char **new_reachable = NULL; char *usercon_str; + const char *usercon_str2; context_t con; context_t usercon; @@ -257,20 +258,20 @@ rc = -1; goto out; } - usercon_str = context_str(usercon); - if (!usercon_str) { + usercon_str2 = context_str(usercon); + if (!usercon_str2) { context_free(usercon); rc = -1; goto out; } /* check whether usercon is already in reachable */ - if (is_in_reachable(*reachable, usercon_str)) { + if (is_in_reachable(*reachable, usercon_str2)) { context_free(usercon); start = end; continue; } - if (security_check_context(usercon_str) == 0) { + if (security_check_context(usercon_str2) == 0) { new_reachable = realloc(*reachable, (*nreachable + 2) * sizeof(char *)); if (!new_reachable) { context_free(usercon); @@ -278,7 +279,7 @@ goto out; } *reachable = new_reachable; - new_reachable*nreachable = strdup(usercon_str); + new_reachable*nreachable = strdup(usercon_str2); if (new_reachable*nreachable == NULL) { context_free(usercon); rc = -1;
_service:tar_scm:libselinux-3.4.tar.gz/src/get_default_type.c -> _service:tar_scm:libselinux-3.5.tar.gz/src/get_default_type.c
Changed
@@ -62,10 +62,9 @@ return -1; } - t = malloc(strlen(buf) - len); + t = strndup(ptr, strlen(buf) - len - 1); if (!t) return -1; - strcpy(t, ptr); *type = t; return 0; }
_service:tar_scm:libselinux-3.4.tar.gz/src/get_initial_context.c -> _service:tar_scm:libselinux-3.5.tar.gz/src/get_initial_context.c
Changed
@@ -23,8 +23,17 @@ return -1; } - snprintf(path, sizeof path, "%s%s%s", - selinux_mnt, SELINUX_INITCON_DIR, name); + if (strchr(name, '/')) { + errno = EINVAL; + return -1; + } + + ret = snprintf(path, sizeof path, "%s%s%s", selinux_mnt, SELINUX_INITCON_DIR, name); + if (ret < 0 || (size_t)ret >= sizeof path) { + errno = EOVERFLOW; + return -1; + } + fd = open(path, O_RDONLY | O_CLOEXEC); if (fd < 0) return -1;
_service:tar_scm:libselinux-3.4.tar.gz/src/label_db.c -> _service:tar_scm:libselinux-3.5.tar.gz/src/label_db.c
Changed
@@ -31,7 +31,7 @@ * For example: * ---------------------------------------- * # - * # It is an example specfile for database obejcts + * # It is an example specfile for database objects * # * db_database template1 system_u:object_r:sepgsql_db_t:s0 * @@ -293,6 +293,11 @@ return NULL; } rec->spec_file = strdup(path); + if (!rec->spec_file) { + free(catalog); + fclose(filp); + return NULL; + } /* * Parse for each lines @@ -322,18 +327,19 @@ if (process_line(path, line_buf, ++line_num, catalog) < 0) goto out_error; } - free(line_buf); if (digest_add_specfile(rec->digest, filp, NULL, sb.st_size, path) < 0) goto out_error; digest_gen_hash(rec->digest); + free(line_buf); fclose(filp); return catalog; out_error: + free(line_buf); for (i = 0; i < catalog->nspec; i++) { spec_t *spec = &catalog->specsi;
_service:tar_scm:libselinux-3.4.tar.gz/src/libselinux.map -> _service:tar_scm:libselinux-3.5.tar.gz/src/libselinux.map
Changed
@@ -246,3 +246,9 @@
selinux_restorecon_get_skipped_errors;
selinux_restorecon_parallel;
} LIBSELINUX_1.0;
+
+LIBSELINUX_3.5 {
+ global:
+ getpidprevcon;
+ getpidprevcon_raw;
+} LIBSELINUX_3.4;
_service:tar_scm:libselinux-3.4.tar.gz/src/load_policy.c -> _service:tar_scm:libselinux-3.5.tar.gz/src/load_policy.c
Changed
@@ -23,7 +23,7 @@ #define MNT_DETACH 2 #endif -int security_load_policy(void *data, size_t len) +int security_load_policy(const void *data, size_t len) { char pathPATH_MAX; int fd, ret;
_service:tar_scm:libselinux-3.4.tar.gz/src/matchpathcon.c -> _service:tar_scm:libselinux-3.5.tar.gz/src/matchpathcon.c
Changed
@@ -215,10 +215,9 @@ if (ret < 0 || sb.st_ino != ino) { fl->specind = specind; free(fl->file); - fl->file = malloc(strlen(file) + 1); + fl->file = strdup(file); if (!fl->file) goto oom; - strcpy(fl->file, file); return fl->specind; } @@ -232,10 +231,9 @@ __FUNCTION__, file, fl->file, con_arrayfl->specind); free(fl->file); - fl->file = malloc(strlen(file) + 1); + fl->file = strdup(file); if (!fl->file) goto oom; - strcpy(fl->file, file); return fl->specind; } @@ -248,10 +246,9 @@ goto oom; fl->ino = ino; fl->specind = specind; - fl->file = malloc(strlen(file) + 1); + fl->file = strdup(file); if (!fl->file) goto oom_freefl; - strcpy(fl->file, file); fl->next = prevfl->next; prevfl->next = fl; return fl->specind;
_service:tar_scm:libselinux-3.4.tar.gz/src/procattr.c -> _service:tar_scm:libselinux-3.5.tar.gz/src/procattr.c
Changed
@@ -11,11 +11,14 @@ #define UNSET (char *) -1 +/* Cached values so that when a thread calls set*con() then gen*con(), the value + * which was set is directly returned. + */ static __thread char *prev_current = UNSET; -static __thread char * prev_exec = UNSET; -static __thread char * prev_fscreate = UNSET; -static __thread char * prev_keycreate = UNSET; -static __thread char * prev_sockcreate = UNSET; +static __thread char *prev_exec = UNSET; +static __thread char *prev_fscreate = UNSET; +static __thread char *prev_keycreate = UNSET; +static __thread char *prev_sockcreate = UNSET; static pthread_once_t once = PTHREAD_ONCE_INIT; static pthread_key_t destructor_key; @@ -111,43 +114,18 @@ return fd; } -static int getprocattrcon_raw(char ** context, - pid_t pid, const char *attr) +static int getprocattrcon_raw(char **context, pid_t pid, const char *attr, + const char *prev_context) { char *buf; size_t size; int fd; ssize_t ret; int errno_hold; - char * prev_context; __selinux_once(once, init_procattr); init_thread_destructor(); - switch (attr0) { - case 'c': - prev_context = prev_current; - break; - case 'e': - prev_context = prev_exec; - break; - case 'f': - prev_context = prev_fscreate; - break; - case 'k': - prev_context = prev_keycreate; - break; - case 's': - prev_context = prev_sockcreate; - break; - case 'p': - prev_context = NULL; - break; - default: - errno = ENOENT; - return -1; - } - if (prev_context && prev_context != UNSET) { *context = strdup(prev_context); if (!(*context)) { @@ -194,13 +172,13 @@ return ret; } -static int getprocattrcon(char ** context, - pid_t pid, const char *attr) +static int getprocattrcon(char **context, pid_t pid, const char *attr, + const char *prev_context) { int ret; char * rcontext; - ret = getprocattrcon_raw(&rcontext, pid, attr); + ret = getprocattrcon_raw(&rcontext, pid, attr, prev_context); if (!ret) { ret = selinux_raw_to_trans_context(rcontext, context); 
@@ -210,45 +188,24 @@ return ret; } -static int setprocattrcon_raw(const char * context, - pid_t pid, const char *attr) +static int setprocattrcon_raw(const char *context, const char *attr, + char **prev_context) { int fd; ssize_t ret; int errno_hold; - char **prev_context, *context2 = NULL; + char *context2 = NULL; __selinux_once(once, init_procattr); init_thread_destructor(); - switch (attr0) { - case 'c': - prev_context = &prev_current; - break; - case 'e': - prev_context = &prev_exec; - break; - case 'f': - prev_context = &prev_fscreate; - break; - case 'k': - prev_context = &prev_keycreate; - break; - case 's': - prev_context = &prev_sockcreate; - break; - default: - errno = ENOENT; - return -1; - } - if (!context && !*prev_context) return 0; if (context && *prev_context && *prev_context != UNSET && !strcmp(context, *prev_context)) return 0; - fd = openattr(pid, attr, O_RDWR | O_CLOEXEC); + fd = openattr(0, attr, O_RDWR | O_CLOEXEC); if (fd < 0) return -1; if (context) { @@ -279,8 +236,8 @@ } } -static int setprocattrcon(const char * context, - pid_t pid, const char *attr) +static int setprocattrcon(const char *context, const char *attr, + char **prev_context) { int ret; char * rcontext; 
@@ -288,62 +245,76 @@ if (selinux_trans_to_raw_context(context, &rcontext)) return -1; - ret = setprocattrcon_raw(rcontext, pid, attr); + ret = setprocattrcon_raw(rcontext, attr, prev_context); freecon(rcontext); return ret; } -#define getselfattr_def(fn, attr) \ +#define getselfattr_def(fn, attr, prev_context) \ int get##fn##_raw(char **c) \ { \ - return getprocattrcon_raw(c, 0, #attr); \ + return getprocattrcon_raw(c, 0, attr, prev_context); \ } \ int get##fn(char **c) \ { \ - return getprocattrcon(c, 0, #attr); \ + return getprocattrcon(c, 0, attr, prev_context); \ } -#define setselfattr_def(fn, attr) \ +#define setselfattr_def(fn, attr, prev_context) \ int set##fn##_raw(const char * c) \ { \ - return setprocattrcon_raw(c, 0, #attr); \ + return setprocattrcon_raw(c, attr, &prev_context); \ } \ int set##fn(const char * c) \ { \ - return setprocattrcon(c, 0, #attr); \ + return setprocattrcon(c, attr, &prev_context); \ } -#define all_selfattr_def(fn, attr) \ - getselfattr_def(fn, attr) \ - setselfattr_def(fn, attr) +#define all_selfattr_def(fn, attr, prev_context) \ + getselfattr_def(fn, attr, prev_context) \ + setselfattr_def(fn, attr, prev_context) -#define getpidattr_def(fn, attr) \ - int get##fn##_raw(pid_t pid, char **c) \ - { \ - if (pid <= 0) { \ - errno = EINVAL; \ - return -1; \ - } else { \ - return getprocattrcon_raw(c, pid, #attr); \ - } \ - } \ - int get##fn(pid_t pid, char **c) \ - { \
_service:tar_scm:libselinux-3.4.tar.gz/src/query_user_context.c -> _service:tar_scm:libselinux-3.5.tar.gz/src/query_user_context.c
Changed
@@ -115,7 +115,7 @@ int mls_enabled = is_selinux_mls_enabled(); context_t new_context; /* The new context chosen by the user */ - char *user_context = NULL; /* String value of the user's context */ + const char *user_context = NULL; /* String value of the user's context */ int done = 0; /* true if a valid sid has been obtained */ /* Initialize the context. How this is done depends on whether
_service:tar_scm:libselinux-3.4.tar.gz/src/regex.c -> _service:tar_scm:libselinux-3.5.tar.gz/src/regex.c
Changed
@@ -60,11 +60,13 @@ struct regex_data { pcre2_code *regex; /* compiled regular expression */ +#ifndef AGGRESSIVE_FREE_AFTER_REGEX_MATCH /* * match data block required for the compiled * pattern in pcre2 */ pcre2_match_data *match_data; +#endif pthread_mutex_t match_mutex; }; @@ -84,11 +86,13 @@ goto err; } +#ifndef AGGRESSIVE_FREE_AFTER_REGEX_MATCH (*regex)->match_data = pcre2_match_data_create_from_pattern((*regex)->regex, NULL); if (!(*regex)->match_data) { goto err; } +#endif return 0; err: @@ -138,10 +142,12 @@ if (rc != 1) goto err; +#ifndef AGGRESSIVE_FREE_AFTER_REGEX_MATCH (*regex)->match_data = pcre2_match_data_create_from_pattern((*regex)->regex, NULL); if (!(*regex)->match_data) goto err; +#endif *regex_compiled = true; } @@ -167,7 +173,7 @@ PCRE2_UCHAR *bytes = NULL; if (do_write_precompregex) { - /* encode the patter for serialization */ + /* encode the pattern for serialization */ rc = pcre2_serialize_encode((const pcre2_code **)®ex->regex, 1, &bytes, &serialized_size, NULL); if (rc != 1) { @@ -203,8 +209,12 @@ if (regex) { if (regex->regex) pcre2_code_free(regex->regex); + +#ifndef AGGRESSIVE_FREE_AFTER_REGEX_MATCH if (regex->match_data) pcre2_match_data_free(regex->match_data); +#endif + __pthread_mutex_destroy(®ex->match_mutex); free(regex); } 
@@ -213,10 +223,30 @@
 int regex_match(struct regex_data *regex, char const *subject, int partial)
 {
 int rc;
+ pcre2_match_data *match_data;
 __pthread_mutex_lock(®ex->match_mutex);
+
+#ifdef AGGRESSIVE_FREE_AFTER_REGEX_MATCH
+ match_data = pcre2_match_data_create_from_pattern(
+ regex->regex, NULL);
+ if (match_data == NULL) {
+ __pthread_mutex_unlock(®ex->match_mutex);
+ return REGEX_ERROR;
+ }
+#else
+ match_data = regex->match_data;
+#endif
+
 rc = pcre2_match(
 regex->regex, (PCRE2_SPTR)subject, PCRE2_ZERO_TERMINATED, 0,
- partial ? PCRE2_PARTIAL_SOFT : 0, regex->match_data, NULL);
+ partial ? PCRE2_PARTIAL_SOFT : 0, match_data, NULL);
+
+#ifdef AGGRESSIVE_FREE_AFTER_REGEX_MATCH
+ // pcre2_match allocates heap and it won't be freed until
+ // pcre2_match_data_free, resulting in heap overhead.
+ pcre2_match_data_free(match_data);
+#endif
+
 __pthread_mutex_unlock(®ex->match_mutex);
 if (rc > 0)
 return REGEX_MATCH;
@@ -257,6 +287,9 @@
 {
 struct regex_data *regex_data = (struct regex_data *)calloc(1, sizeof(struct regex_data));
+ if (!regex_data)
+ return NULL;
+
 __pthread_mutex_init(®ex_data->match_mutex, NULL);
 return regex_data;
 }
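Review bot: Under AGGRESSIVE_FREE_AFTER_REGEX_MATCH the match data is created and freed inside the call, so `regex->match_mutex` no longer guards any state shared between callers, yet it is still taken around pcre2_match() and serializes every match on that pattern. pcre2 documents pcre2_match() as safe to call concurrently on one compiled pattern when each caller brings its own match data, so in that build the lock could be confined to the `#else` path; either way a comment stating what the mutex protects would help, e.g. `/* match_data is per pattern, not per caller; the mutex serializes its use */`. The two new `//` comments also break the `/* */` style the rest of this file uses (see the serialization hunk above). The rc < 0 handling at the end of regex_match lies outside the hunk.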
_service:tar_scm:libselinux-3.5.tar.gz/src/selinux_internal.c
Added
@@ -0,0 +1,18 @@
+#include "selinux_internal.h"
+
+#include <string.h>
+
+
+#ifndef HAVE_STRLCPY
+size_t strlcpy(char *dest, const char *src, size_t size)
+{
+ size_t ret = strlen(src);
+
+ if (size) {
+ size_t len = (ret >= size) ? size - 1 : ret;
+ memcpy(dest, src, len);
+ destlen = '\0';
+ }
+ return ret;
+}
+#endif /* HAVE_STRLCPY */
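Review bot: The fallback strlcpy() carries no comment stating its contract, yet two call sites added by this same commit (setrans_client.c and selinux_restorecon.c) depend on the `>= size` return value meaning truncation. Add above the definition: `/* BSD strlcpy(): copies at most size-1 bytes of src into dest and NUL-terminates when size > 0; returns strlen(src), so a result >= size means the copy was truncated. */`. As in the BSD original, a NULL src or a dest smaller than size is undefined here, which the comment should also state so callers do not add redundant checks or omit needed ones.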
_service:tar_scm:libselinux-3.4.tar.gz/src/selinux_internal.h -> _service:tar_scm:libselinux-3.5.tar.gz/src/selinux_internal.h
Changed
@@ -1,3 +1,6 @@
+#ifndef SELINUX_INTERNAL_H_
+#define SELINUX_INTERNAL_H_
+
 #include <selinux/selinux.h>
 #include <pthread.h>
@@ -90,3 +93,9 @@
 #define SELINUXCONFIG SELINUXDIR "config"
 extern int has_selinux_config ;
+
+#ifndef HAVE_STRLCPY
+size_t strlcpy(char *dest, const char *src, size_t size);
+#endif
+
+#endif /* SELINUX_INTERNAL_H_ */
_service:tar_scm:libselinux-3.4.tar.gz/src/selinux_restorecon.c -> _service:tar_scm:libselinux-3.5.tar.gz/src/selinux_restorecon.c
Changed
@@ -432,10 +432,11 @@
 * that matched. */
 static int filespec_add(ino_t ino, const char *con, const char *file,
- struct rest_flags *flags)
+ const struct rest_flags *flags)
 {
 file_spec_t *prevfl, *fl;
- int h, ret;
+ uint32_t h;
+ int ret;
 struct stat64 sb;
 __pthread_mutex_lock(&fl_mutex);
@@ -524,7 +525,8 @@
 static void filespec_eval(void)
 {
 file_spec_t *fl;
- int h, used, nel, len, longest;
+ uint32_t h;
+ size_t used, nel, len, longest;
 if (!fl_head) return;
@@ -544,7 +546,7 @@
 }
 selinux_log(SELINUX_INFO,
- "filespec hash table stats: %d elements, %d/%d buckets used, longest chain length %d\n",
+ "filespec hash table stats: %zu elements, %zu/%zu buckets used, longest chain length %zu\n",
 nel, used, HASH_BUCKETS, longest);
 }
 #else
@@ -559,7 +561,7 @@
 static void filespec_destroy(void)
 {
 file_spec_t *fl, *tmp;
- int h;
+ uint32_t h;
 if (!fl_head) return;
@@ -623,16 +625,14 @@
- static int restorecon_sb(const char *pathname, struct rest_flags *flags, bool first)
+static int restorecon_sb(const char *pathname, const struct stat *sb,
+ const struct rest_flags *flags, bool first)
 {
 char *newcon = NULL;
 char *curcon = NULL;
 char *newtypecon = NULL;
- int fd = -1, rc;
- struct stat stat_buf;
- bool updated = false;
+ int rc;
 const char *lookup_path = pathname;
- float pc;
 if (rootpath) {
 if (strncmp(rootpath, lookup_path, rootpathlen) != 0) {
@@ -644,21 +644,13 @@
 lookup_path += rootpathlen;
 }
- fd = open(pathname, O_PATH | O_NOFOLLOW | O_EXCL);
- if (fd < 0)
- goto err;
-
- rc = fstat(fd, &stat_buf);
- if (rc < 0)
- goto err;
-
 if (rootpath != NULL && lookup_path0 == '\0')
 /* this is actually the root dir of the alt root. */
 rc = selabel_lookup_raw(fc_sehandle, &newcon, "/",
- stat_buf.st_mode);
+ sb->st_mode & S_IFMT);
 else
 rc = selabel_lookup_raw(fc_sehandle, &newcon, lookup_path,
- stat_buf.st_mode);
+ sb->st_mode & S_IFMT);
 if (rc < 0) {
 if (errno == ENOENT) {
@@ -667,10 +659,10 @@
 "Warning no default label for %s\n", lookup_path);
- goto out; /* no match, but not an error */
+ return 0; /* no match, but not an error */
 }
- goto err;
+ return -1;
 }
 if (flags->progress) {
@@ -678,7 +670,7 @@
 fc_count++;
 if (fc_count % STAR_COUNT == 0) {
 if (flags->mass_relabel && efile_count > 0) {
- pc = (fc_count < efile_count) ? (100.0 *
+ float pc = (fc_count < efile_count) ? (100.0 *
 fc_count / efile_count) : 100;
 fprintf(stdout, "\r%-.1f%%", (double)pc);
 } else {
@@ -690,17 +682,19 @@
 }
 if (flags->add_assoc) {
- rc = filespec_add(stat_buf.st_ino, newcon, pathname, flags);
+ rc = filespec_add(sb->st_ino, newcon, pathname, flags);
 if (rc < 0) {
 selinux_log(SELINUX_ERROR, "filespec_add error: %s\n", pathname);
- goto out1;
+ freecon(newcon);
+ return -1;
 }
 if (rc > 0) {
 /* Already an association and it took precedence. */
- goto out;
+ freecon(newcon);
+ return 0;
 }
 }
@@ -708,7 +702,7 @@
 selinux_log(SELINUX_INFO, "%s matched by %s\n", pathname, newcon);
- if (fgetfilecon_raw(fd, &curcon) < 0) {
+ if (lgetfilecon_raw(pathname, &curcon) < 0) {
 if (errno != ENODATA) goto err;
@@ -716,6 +710,8 @@
 }
 if (curcon == NULL || strcmp(curcon, newcon) != 0) {
+ bool updated = false;
+
 if (!flags->set_specctx && curcon && (is_context_customizable(curcon) > 0)) {
 if (flags->verbose) {
@@ -741,7 +737,7 @@
 }
 if (!flags->nochange) {
- if (fsetfilecon(fd, newcon) < 0)
+ if (lsetfilecon(pathname, newcon) < 0)
 goto err;
 updated = true;
 }
@@ -750,7 +746,9 @@
 selinux_log(SELINUX_INFO, "%s %s from %s to %s\n", updated ? "Relabeled" : "Would relabel",
- pathname, curcon, newcon);
+ pathname,
+ curcon ? curcon : "<no context>",
+ newcon);
 if (flags->syslog_changes && !flags->nochange) {
 if (curcon)
@@ -766,8 +764,6 @@
 out:
 rc = 0;
 out1:
- if (fd >= 0)
- close(fd);
 freecon(curcon);
 freecon(newcon);
 return rc;
@@ -865,6 +861,7 @@
 FTSENT *ftsent;
 int error;
 char ent_pathPATH_MAX;
+ struct stat ent_st;
 bool first = false;
 if (state->parallel)
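Review bot: `lsetfilecon(pathname, newcon)` now relabels by path, whereas the removed code opened the entry with O_PATH|O_NOFOLLOW, fstat'ed that descriptor and called fsetfilecon() on it, so the inode whose mode and st_ino were examined and the inode that got the new label were guaranteed to be the same object. With the stat now supplied by the caller through the new `sb` parameter and the label read and written by name via lgetfilecon_raw()/lsetfilecon(), a swap of the final path component by another user between the caller's stat and this call relabels whatever now sits at that name; lsetfilecon does not follow a final symlink, but it does not pin the object either, which matters when a directory along the path is writable by an untrusted user. If dropping the open/fstat pair is intentional (the hunk reads like a syscall-count saving), record the trade-off on this line, e.g. `/* path-based: not tied to the inode described by sb; assumes the tree is not modified concurrently */`; otherwise keeping an O_PATH fd for the label read and write preserves the old guarantee at the cost of one open per entry. restorecon_sb begins in an earlier hunk and its `err:` path is not fully visible here.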
@@ -961,12 +958,21 @@
 }
 /* fall through */
 default:
- strcpy(ent_path, ftsent->fts_path);
+ if (strlcpy(ent_path, ftsent->fts_path, sizeof(ent_path)) >= sizeof(ent_path)) {
+ selinux_log(SELINUX_ERROR,
+ "Path name too long on %s.\n",
+ ftsent->fts_path);
+ errno = ENAMETOOLONG;
+ state->error = -1;
+ state->abort = true;
+ goto finish;
+ }
_service:tar_scm:libselinux-3.4.tar.gz/src/sestatus.c -> _service:tar_scm:libselinux-3.5.tar.gz/src/sestatus.c
Changed
@@ -343,7 +343,6 @@
 if (avc_using_threads) {
 fallback_netlink_thread = avc_create_thread(&avc_netlink_loop);
- avc_netlink_trouble = 0;
 }
 fallback_sequence = 0;
_service:tar_scm:libselinux-3.4.tar.gz/src/setrans_client.c -> _service:tar_scm:libselinux-3.5.tar.gz/src/setrans_client.c
Changed
@@ -66,7 +66,13 @@
 memset(&addr, 0, sizeof(addr));
 addr.sun_family = AF_UNIX;
- strncpy(addr.sun_path, SETRANS_UNIX_SOCKET, sizeof(addr.sun_path));
+
+ if (strlcpy(addr.sun_path, SETRANS_UNIX_SOCKET, sizeof(addr.sun_path)) >= sizeof(addr.sun_path)) {
+ close(fd);
+ errno = EOVERFLOW;
+ return -1;
+ }
+
 if (connect(fd, (struct sockaddr *)&addr, sizeof(addr)) < 0) {
 close(fd);
 return -1;
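Review bot: The length check on `addr.sun_path` can only fail if SETRANS_UNIX_SOCKET is longer than sun_path, which for a compile-time string constant is a build error rather than a runtime condition; `_Static_assert(sizeof(SETRANS_UNIX_SOCKET) <= sizeof(addr.sun_path), "setrans socket path too long");` would catch it at compile time, assuming the macro is a string literal and the build is C11 (neither is visible in this hunk). The runtime check itself is correct and closes the descriptor before returning, so this is a style point; if it stays, ENAMETOOLONG is the errno callers would expect for an over-long path, whereas EOVERFLOW is usually reserved for value-range problems. The enclosing function's start is outside the hunk.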
_service:tar_scm:libselinux-3.4.tar.gz/src/setup.py -> _service:tar_scm:libselinux-3.5.tar.gz/src/setup.py
Changed
@@ -1,10 +1,10 @@
 #!/usr/bin/python3
-from distutils.core import Extension, setup
+from setuptools import Extension, setup
 setup(
 name="selinux",
- version="3.4",
+ version="3.5",
 description="SELinux python 3 bindings",
 author="SELinux Project",
 author_email="selinux@vger.kernel.org",
_service:tar_scm:libselinux-3.4.tar.gz/src/sha1.c -> _service:tar_scm:libselinux-3.5.tar.gz/src/sha1.c
Changed
@@ -11,7 +11,7 @@
 // Modified to:
 // - stop symbols being exported for libselinux shared library - October 2015
 // Richard Haines <richard_c_haines@btinternet.com>
-// - Not cast the workspace from a byte array to a CHAR64LONG16 due to alignment isses.
+// - Not cast the workspace from a byte array to a CHAR64LONG16 due to alignment issues.
 // Fixes:
 // sha1.c:73:33: error: cast from 'uint8_t *' (aka 'unsigned char *') to 'CHAR64LONG16 *' increases required alignment from 1 to 4 -Werror,-Wcast-align
 // CHAR64LONG16* block = (CHAR64LONG16*) workspace;
_service:tar_scm:libselinux-3.4.tar.gz/src/stringrep.c -> _service:tar_scm:libselinux-3.5.tar.gz/src/stringrep.c
Changed
@@ -63,6 +63,9 @@
 return NULL;
 }
+ if (strchr(s, '/') != NULL)
+ return NULL;
+
 /* allocate a node */
 node = malloc(sizeof(struct discover_class_node));
 if (node == NULL)
@@ -79,7 +82,10 @@
 goto err2;
 /* load up class index */
- snprintf(path, sizeof path, "%s/class/%s/index", selinux_mnt,s);
+ ret = snprintf(path, sizeof path, "%s/class/%s/index", selinux_mnt,s);
+ if (ret < 0 || (size_t)ret >= sizeof path)
+ goto err3;
+
 fd = open(path, O_RDONLY | O_CLOEXEC);
 if (fd < 0)
 goto err3;
@@ -94,7 +100,10 @@
 goto err3;
 /* load up permission indices */
- snprintf(path, sizeof path, "%s/class/%s/perms",selinux_mnt,s);
+ ret = snprintf(path, sizeof path, "%s/class/%s/perms",selinux_mnt,s);
+ if (ret < 0 || (size_t)ret >= sizeof path)
+ goto err3;
+
 dir = opendir(path);
 if (dir == NULL)
 goto err3;
@@ -104,7 +113,10 @@
 unsigned int value;
 struct stat m;
- snprintf(path, sizeof path, "%s/class/%s/perms/%s", selinux_mnt,s,dentry->d_name);
+ ret = snprintf(path, sizeof path, "%s/class/%s/perms/%s", selinux_mnt,s,dentry->d_name);
+ if (ret < 0 || (size_t)ret >= sizeof path)
+ goto err4;
+
 fd = open(path, O_RDONLY | O_CLOEXEC);
 if (fd < 0)
 goto err4;
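Review bot: The new `strchr(s, '/')` guard has no comment saying why it exists, although the reason is visible a few lines down: `s` is spliced into `"%s/class/%s/index"` under selinux_mnt as a path component, so a caller-supplied class name containing a separator could otherwise name an arbitrary file under the mount. Suggest `/* s becomes a path component below; reject separators so the lookup cannot escape class/ */` directly above the check. The names `.` and `..` still pass and resolve to `<mnt>/class/index` and `<mnt>/index`, which should not exist on selinuxfs so the open fails harmlessly, but rejecting them explicitly would make that independent of the mount's layout. The `ret` used by the three new snprintf checks must already be declared earlier in the function, which this hunk does not show.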
_service:tar_scm:libselinux-3.4.tar.gz/utils/.gitignore -> _service:tar_scm:libselinux-3.5.tar.gz/utils/.gitignore
Changed
@@ -9,6 +9,7 @@
 getenforce
 getfilecon
 getpidcon
+getpidprevcon
 getsebool
 getseuser
 matchpathcon
_service:tar_scm:libselinux-3.4.tar.gz/utils/Makefile -> _service:tar_scm:libselinux-3.5.tar.gz/utils/Makefile
Changed
@@ -32,7 +32,7 @@ -Wno-missing-field-initializers -Wno-sign-compare \ -Wno-format-nonliteral -Wframe-larger-than=$(MAX_STACK_SIZE) -U_FORTIFY_SOURCE -D_FORTIFY_SOURCE=2 \ -fstack-protector-all --param=ssp-buffer-size=4 -fexceptions \ - -fasynchronous-unwind-tables -fdiagnostics-show-option -funit-at-a-time \ + -fasynchronous-unwind-tables -fdiagnostics-show-option \ -Werror -Wno-aggregate-return -Wno-redundant-decls -Wstrict-overflow=5 \ $(EXTRA_CFLAGS)
_service:tar_scm:libselinux-3.4.tar.gz/utils/compute_create.c -> _service:tar_scm:libselinux-3.5.tar.gz/utils/compute_create.c
Changed
@@ -10,10 +10,11 @@
 {
 char *buf;
 security_class_t tclass;
+ const char *objname;
 int ret;
- if (argc != 4) {
- fprintf(stderr, "usage: %s scontext tcontext tclass\n",
+ if (argc != 4 && argc != 5) {
+ fprintf(stderr, "usage: %s scontext tcontext tclass objname\n",
 argv0);
 exit(1);
 }
@@ -34,7 +35,9 @@
 exit(2);
 }
- ret = security_compute_create(argv1, argv2, tclass, &buf);
+ objname = (argc == 5) ? argv4 : NULL;
+
+ ret = security_compute_create_name(argv1, argv2, tclass, objname, &buf);
 if (ret < 0) {
 fprintf(stderr, "%s: security_compute_create failed: %s\n",
 argv0, strerror(errno));
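Review bot: The usage string `"usage: %s scontext tcontext tclass objname\n"` presents objname as required, but the check `argc != 4 && argc != 5` and the line `objname = (argc == 5) ? argv[4] : NULL` make it optional; write it as `"usage: %s scontext tcontext tclass [objname]\n"`. The failure message two lines after the call still names `security_compute_create` although the function now called is security_compute_create_name(); `"%s: security_compute_create_name failed: %s\n"` keeps the message traceable to the call. Both hunks belong to main(), whose middle (the class lookup) is not shown.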
_service:tar_scm:libselinux-3.5.tar.gz/utils/getpidprevcon.c
Added
@@ -0,0 +1,33 @@
+#include <unistd.h>
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <errno.h>
+#include <selinux/selinux.h>
+
+int main(int argc, char **argv)
+{
+ pid_t pid;
+ char *buf;
+ int rc;
+
+ if (argc != 2) {
+ fprintf(stderr, "usage: %s pid\n", argv0);
+ exit(1);
+ }
+
+ if (sscanf(argv1, "%d", &pid) != 1) {
+ fprintf(stderr, "%s: invalid pid %s\n", argv0, argv1);
+ exit(2);
+ }
+
+ rc = getpidprevcon(pid, &buf);
+ if (rc < 0) {
+ fprintf(stderr, "%s: getpidprevcon() failed: %s\n", argv0, strerror(errno));
+ exit(3);
+ }
+
+ printf("%s\n", buf);
+ freecon(buf);
+ exit(EXIT_SUCCESS);
+}
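Review bot: `sscanf(argv[1], "%d", &pid)` accepts trailing garbage (`12abc`), leading whitespace and a sign, has undefined behaviour on overflow, and writes an int into a pid_t without checking that the types agree; nothing in this file rejects 0 or a negative value either, so the tool relies entirely on the library to refuse them. Parse with strtol, require the whole argument to be consumed and the value to be a positive pid that round-trips through pid_t, as below; `<stdlib.h>` and `<errno.h>` are already included. The rest of main() is unchanged.
```c
	pid_t pid;
	char *buf;
	int rc;
	char *end;
	long val;

	/* … unchanged: argc check and usage message … */

	errno = 0;
	val = strtol(argv[1], &end, 10);
	if (end == argv[1] || *end != '\0' || errno == ERANGE ||
	    val <= 0 || (long)(pid_t)val != val) {
		fprintf(stderr, "%s: invalid pid %s\n", argv[0], argv[1]);
		exit(2);
	}
	pid = (pid_t)val;

	/* … unchanged: getpidprevcon() call, output, freecon … */
```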
_service:tar_scm:libselinux-3.4.tar.gz/utils/selabel_lookup_best_match.c -> _service:tar_scm:libselinux-3.5.tar.gz/utils/selabel_lookup_best_match.c
Changed
@@ -30,7 +30,7 @@
 exit(1);
 }
-static mode_t string_to_mode(char *s)
+static mode_t string_to_mode(const char *s)
 {
 switch (s0) {
 case 'b':
@@ -53,7 +53,7 @@
 int main(int argc, char **argv)
 {
- int raw = 0, mode = 0, rc, opt, i, num_links, string_len;
+ int raw = 0, mode = 0, rc, opt, i, num_links;
 char *validate = NULL, *path = NULL, *context = NULL, *file = NULL;
 char **links = NULL;
@@ -101,13 +101,11 @@
 }
 for (i = optind, num_links = 0; i < argc; i++, num_links++) {
- string_len = strlen(argvi) + 1;
- linksnum_links = malloc(string_len);
+ linksnum_links = strdup(argvi);
 if (!linksnum_links) {
- fprintf(stderr, "ERROR: malloc failed.\n");
+ fprintf(stderr, "ERROR: strdup failed.\n");
 exit(1);
 }
- strcpy(linksnum_links, argvi);
 }
 }