|
|
|
@ -21,8 +21,8 @@ index 24673dd..41507e4 100644
@@ -21,8 +21,8 @@ index 24673dd..41507e4 100644
|
|
|
|
|
+ * procattr: return error on invalid pid_t input, from Daniel Cashman. |
|
|
|
|
+ |
|
|
|
|
2.5 2016-02-23 |
|
|
|
|
* selinux_restorecon.3 man page corrections, from Richard Haines. |
|
|
|
|
* Add selinux_restorecon function, from Richard Haines. |
|
|
|
|
* selinux_restorecon.3 man page corrections, from Richard Haines. |
|
|
|
|
* Add selinux_restorecon function, from Richard Haines. |
|
|
|
|
diff --git libselinux-2.5/Makefile libselinux-2.5/Makefile |
|
|
|
|
index 6142b60..bdf9de8 100644 |
|
|
|
|
--- libselinux-2.5/Makefile |
|
|
|
@ -739,84 +739,84 @@ index 12745b3..7aca3f0 100644
@@ -739,84 +739,84 @@ index 12745b3..7aca3f0 100644
|
|
|
|
|
--- libselinux-2.5/src/audit2why.c |
|
|
|
|
+++ libselinux-2.5/src/audit2why.c |
|
|
|
|
@@ -206,7 +206,7 @@ static int __policy_init(const char *init_path) |
|
|
|
|
"unable to open %s: %s\n", |
|
|
|
|
path, strerror(errno)); |
|
|
|
|
PyErr_SetString( PyExc_ValueError, errormsg); |
|
|
|
|
"unable to open %s: %s\n", |
|
|
|
|
path, strerror(errno)); |
|
|
|
|
PyErr_SetString( PyExc_ValueError, errormsg); |
|
|
|
|
- return 1; |
|
|
|
|
+ return -1; |
|
|
|
|
} |
|
|
|
|
} else { |
|
|
|
|
const char *curpolicy = selinux_current_policy_path(); |
|
|
|
|
} |
|
|
|
|
} else { |
|
|
|
|
const char *curpolicy = selinux_current_policy_path(); |
|
|
|
|
@@ -215,7 +215,7 @@ static int __policy_init(const char *init_path) |
|
|
|
|
snprintf(errormsg, sizeof(errormsg), |
|
|
|
|
"You must specify the -p option with the path to the policy file.\n"); |
|
|
|
|
PyErr_SetString( PyExc_ValueError, errormsg); |
|
|
|
|
snprintf(errormsg, sizeof(errormsg), |
|
|
|
|
"You must specify the -p option with the path to the policy file.\n"); |
|
|
|
|
PyErr_SetString( PyExc_ValueError, errormsg); |
|
|
|
|
- return 1; |
|
|
|
|
+ return -1; |
|
|
|
|
} |
|
|
|
|
fp = fopen(curpolicy, "r"); |
|
|
|
|
if (!fp) { |
|
|
|
|
} |
|
|
|
|
fp = fopen(curpolicy, "r"); |
|
|
|
|
if (!fp) { |
|
|
|
|
@@ -224,7 +224,7 @@ static int __policy_init(const char *init_path) |
|
|
|
|
curpolicy, |
|
|
|
|
strerror(errno)); |
|
|
|
|
PyErr_SetString( PyExc_ValueError, errormsg); |
|
|
|
|
curpolicy, |
|
|
|
|
strerror(errno)); |
|
|
|
|
PyErr_SetString( PyExc_ValueError, errormsg); |
|
|
|
|
- return 1; |
|
|
|
|
+ return -1; |
|
|
|
|
} |
|
|
|
|
} |
|
|
|
|
} |
|
|
|
|
} |
|
|
|
|
|
|
|
|
|
@@ -232,7 +232,7 @@ static int __policy_init(const char *init_path) |
|
|
|
|
if (!avc) { |
|
|
|
|
PyErr_SetString( PyExc_MemoryError, "Out of memory\n"); |
|
|
|
|
fclose(fp); |
|
|
|
|
if (!avc) { |
|
|
|
|
PyErr_SetString( PyExc_MemoryError, "Out of memory\n"); |
|
|
|
|
fclose(fp); |
|
|
|
|
- return 1; |
|
|
|
|
+ return -1; |
|
|
|
|
} |
|
|
|
|
} |
|
|
|
|
|
|
|
|
|
/* Set up a policydb directly so that we can mutate it later |
|
|
|
|
/* Set up a policydb directly so that we can mutate it later |
|
|
|
|
@@ -244,7 +244,7 @@ static int __policy_init(const char *init_path) |
|
|
|
|
"policydb_init failed: %s\n", strerror(errno)); |
|
|
|
|
PyErr_SetString( PyExc_RuntimeError, errormsg); |
|
|
|
|
fclose(fp); |
|
|
|
|
"policydb_init failed: %s\n", strerror(errno)); |
|
|
|
|
PyErr_SetString( PyExc_RuntimeError, errormsg); |
|
|
|
|
fclose(fp); |
|
|
|
|
- return 1; |
|
|
|
|
+ return -1; |
|
|
|
|
} |
|
|
|
|
sepol_policy_file_set_fp(pf, fp); |
|
|
|
|
if (sepol_policydb_read(avc->policydb, pf)) { |
|
|
|
|
} |
|
|
|
|
sepol_policy_file_set_fp(pf, fp); |
|
|
|
|
if (sepol_policydb_read(avc->policydb, pf)) { |
|
|
|
|
@@ -252,7 +252,7 @@ static int __policy_init(const char *init_path) |
|
|
|
|
"invalid binary policy %s\n", path); |
|
|
|
|
PyErr_SetString( PyExc_ValueError, errormsg); |
|
|
|
|
fclose(fp); |
|
|
|
|
"invalid binary policy %s\n", path); |
|
|
|
|
PyErr_SetString( PyExc_ValueError, errormsg); |
|
|
|
|
fclose(fp); |
|
|
|
|
- return 1; |
|
|
|
|
+ return -1; |
|
|
|
|
} |
|
|
|
|
fclose(fp); |
|
|
|
|
sepol_set_policydb(&avc->policydb->p); |
|
|
|
|
} |
|
|
|
|
fclose(fp); |
|
|
|
|
sepol_set_policydb(&avc->policydb->p); |
|
|
|
|
@@ -264,13 +264,13 @@ static int __policy_init(const char *init_path) |
|
|
|
|
avc->policydb, &cnt); |
|
|
|
|
if (rc < 0) { |
|
|
|
|
PyErr_SetString( PyExc_RuntimeError, "unable to get bool count\n"); |
|
|
|
|
avc->policydb, &cnt); |
|
|
|
|
if (rc < 0) { |
|
|
|
|
PyErr_SetString( PyExc_RuntimeError, "unable to get bool count\n"); |
|
|
|
|
- return 1; |
|
|
|
|
+ return -1; |
|
|
|
|
} |
|
|
|
|
} |
|
|
|
|
|
|
|
|
|
boollist = calloc(cnt, sizeof(*boollist)); |
|
|
|
|
if (!boollist) { |
|
|
|
|
PyErr_SetString( PyExc_MemoryError, "Out of memory\n"); |
|
|
|
|
boollist = calloc(cnt, sizeof(*boollist)); |
|
|
|
|
if (!boollist) { |
|
|
|
|
PyErr_SetString( PyExc_MemoryError, "Out of memory\n"); |
|
|
|
|
- return 1; |
|
|
|
|
+ return -1; |
|
|
|
|
} |
|
|
|
|
} |
|
|
|
|
|
|
|
|
|
sepol_bool_iterate(avc->handle, avc->policydb, |
|
|
|
|
sepol_bool_iterate(avc->handle, avc->policydb, |
|
|
|
|
@@ -282,7 +282,7 @@ static int __policy_init(const char *init_path) |
|
|
|
|
if (rc < 0) { |
|
|
|
|
PyErr_SetString( PyExc_RuntimeError, "unable to init sidtab\n"); |
|
|
|
|
free(boollist); |
|
|
|
|
if (rc < 0) { |
|
|
|
|
PyErr_SetString( PyExc_RuntimeError, "unable to init sidtab\n"); |
|
|
|
|
free(boollist); |
|
|
|
|
- return 1; |
|
|
|
|
+ return -1; |
|
|
|
|
} |
|
|
|
|
sepol_set_sidtab(&sidtab); |
|
|
|
|
return 0; |
|
|
|
|
} |
|
|
|
|
sepol_set_sidtab(&sidtab); |
|
|
|
|
return 0; |
|
|
|
|
@@ -298,6 +298,8 @@ static PyObject *init(PyObject *self __attribute__((unused)), PyObject *args) { |
|
|
|
|
if (!PyArg_ParseTuple(args,(char *)"|s:policy_init",&init_path)) |
|
|
|
|
return NULL; |
|
|
|
@ -827,167 +827,167 @@ index 12745b3..7aca3f0 100644
@@ -827,167 +827,167 @@ index 12745b3..7aca3f0 100644
|
|
|
|
|
} |
|
|
|
|
|
|
|
|
|
@@ -343,8 +345,8 @@ static PyObject *analyze(PyObject *self __attribute__((unused)) , PyObject *args |
|
|
|
|
if (rc < 0) |
|
|
|
|
RETURN(BADTCON) |
|
|
|
|
if (rc < 0) |
|
|
|
|
RETURN(BADTCON) |
|
|
|
|
|
|
|
|
|
- tclass = string_to_security_class(tclassstr); |
|
|
|
|
- if (!tclass) |
|
|
|
|
+ rc = sepol_string_to_security_class(tclassstr, &tclass); |
|
|
|
|
+ if (rc < 0) |
|
|
|
|
RETURN(BADTCLASS) |
|
|
|
|
RETURN(BADTCLASS) |
|
|
|
|
|
|
|
|
|
/* Convert the permission list to an AV. */ |
|
|
|
|
/* Convert the permission list to an AV. */ |
|
|
|
|
@@ -365,8 +367,8 @@ static PyObject *analyze(PyObject *self __attribute__((unused)) , PyObject *args |
|
|
|
|
permstr = PyString_AsString( strObj ); |
|
|
|
|
permstr = PyString_AsString( strObj ); |
|
|
|
|
#endif |
|
|
|
|
|
|
|
|
|
- perm = string_to_av_perm(tclass, permstr); |
|
|
|
|
- if (!perm) |
|
|
|
|
+ rc = sepol_string_to_av_perm(tclass, permstr, &perm); |
|
|
|
|
+ if (rc < 0) |
|
|
|
|
RETURN(BADPERM) |
|
|
|
|
RETURN(BADPERM) |
|
|
|
|
|
|
|
|
|
av |= perm; |
|
|
|
|
av |= perm; |
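Review bot: `__policy_init` now returns -1 on every failure path and 0 on success (the `return 0;` just before the `init` hunk), and every failure path first calls `PyErr_SetString`, yet the return convention is not documented anywhere in these hunks; a one-line comment on the definition, `/* Returns 0 on success, -1 with a Python exception set on failure. */`, would make the `rc < 0` tests the callers are presumably being switched to self-explanatory. The definition of `__policy_init` starts outside the first hunk. In the `analyze` hunks, `tclass` and `perm` are now filled through the out-parameters of `sepol_string_to_security_class` and `sepol_string_to_av_perm`; their declarations are outside the hunk, so confirm they have the sepol types those functions expect (`sepol_security_class_t`, `sepol_access_vector_t`) rather than the libselinux typedefs the removed calls used.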
|
|
|
|
diff --git libselinux-2.5/src/avc_sidtab.c libselinux-2.5/src/avc_sidtab.c |
|
|
|
|
index 9669264..c775430 100644 |
|
|
|
|
--- libselinux-2.5/src/avc_sidtab.c |
|
|
|
|
+++ libselinux-2.5/src/avc_sidtab.c |
|
|
|
|
@@ -81,6 +81,11 @@ sidtab_context_to_sid(struct sidtab *s, |
|
|
|
|
int hvalue, rc = 0; |
|
|
|
|
struct sidtab_node *cur; |
|
|
|
|
int hvalue, rc = 0; |
|
|
|
|
struct sidtab_node *cur; |
|
|
|
|
|
|
|
|
|
+ if (! ctx) { |
|
|
|
|
+ errno=EINVAL; |
|
|
|
|
+ return -1; |
|
|
|
|
+ } |
|
|
|
|
+ |
|
|
|
|
*sid = NULL; |
|
|
|
|
hvalue = sidtab_hash(ctx); |
|
|
|
|
*sid = NULL; |
|
|
|
|
hvalue = sidtab_hash(ctx); |
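Review bot: The new guard is written `if (! ctx) {` and `errno=EINVAL;`, which does not match the spacing of the surrounding code or of the other hunks in this commit (`errno = ENOENT;` in canonicalize_context.c, `errno = EINVAL;` in procattr.c); `if (!ctx) {` and `errno = EINVAL;` would read consistently. The same spacing appears in the guards added to canonicalize_context.c, check_context.c, compute_av.c, compute_create.c, compute_member.c, compute_relabel.c and compute_user.c. In the compute_* files the NULL check is placed after what is presumably the `selinux_mnt` check (the `return -1; }` context above it), whereas in canonicalize_context.c and check_context.c it comes first; picking one order makes the errno a caller sees for a NULL argument predictable. `sidtab_context_to_sid`'s body continues outside the hunk.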
|
|
|
|
|
|
|
|
|
diff --git libselinux-2.5/src/booleans.c libselinux-2.5/src/booleans.c |
|
|
|
|
index 4b39a28..6a96b4a 100644 |
|
|
|
|
--- libselinux-2.5/src/booleans.c |
|
|
|
|
+++ libselinux-2.5/src/booleans.c |
|
|
|
|
@@ -53,6 +53,7 @@ int security_get_boolean_names(char ***names, int *len) |
|
|
|
|
snprintf(path, sizeof path, "%s%s", selinux_mnt, SELINUX_BOOL_DIR); |
|
|
|
|
*len = scandir(path, &namelist, &filename_select, alphasort); |
|
|
|
|
if (*len <= 0) { |
|
|
|
|
snprintf(path, sizeof path, "%s%s", selinux_mnt, SELINUX_BOOL_DIR); |
|
|
|
|
*len = scandir(path, &namelist, &filename_select, alphasort); |
|
|
|
|
if (*len <= 0) { |
|
|
|
|
+ errno = ENOENT; |
|
|
|
|
return -1; |
|
|
|
|
} |
|
|
|
|
return -1; |
|
|
|
|
} |
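Review bot: Setting `errno = ENOENT` unconditionally inside `if (*len <= 0)` overwrites the errno that `scandir` set when it returned -1 (EACCES, ENOMEM, a real ENOENT), so callers lose the actual cause; only the zero-entry case needs an errno supplied. Splitting the test keeps both: `if (*len < 0) return -1;` followed by `if (*len == 0) { errno = ENOENT; return -1; }`. `security_get_boolean_names` continues outside the hunk.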
|
|
|
|
|
|
|
|
|
diff --git libselinux-2.5/src/canonicalize_context.c libselinux-2.5/src/canonicalize_context.c |
|
|
|
|
index 7cf3139..364a746 100644 |
|
|
|
|
--- libselinux-2.5/src/canonicalize_context.c |
|
|
|
|
+++ libselinux-2.5/src/canonicalize_context.c |
|
|
|
|
@@ -17,6 +17,11 @@ int security_canonicalize_context_raw(const char * con, |
|
|
|
|
size_t size; |
|
|
|
|
int fd, ret; |
|
|
|
|
size_t size; |
|
|
|
|
int fd, ret; |
|
|
|
|
|
|
|
|
|
+ if (! con) { |
|
|
|
|
+ errno=EINVAL; |
|
|
|
|
+ return -1; |
|
|
|
|
+ } |
|
|
|
|
+ |
|
|
|
|
if (!selinux_mnt) { |
|
|
|
|
errno = ENOENT; |
|
|
|
|
return -1; |
|
|
|
|
if (!selinux_mnt) { |
|
|
|
|
errno = ENOENT; |
|
|
|
|
return -1; |
|
|
|
|
diff --git libselinux-2.5/src/check_context.c libselinux-2.5/src/check_context.c |
|
|
|
|
index 52063fa..234749c 100644 |
|
|
|
|
--- libselinux-2.5/src/check_context.c |
|
|
|
|
+++ libselinux-2.5/src/check_context.c |
|
|
|
|
@@ -14,6 +14,11 @@ int security_check_context_raw(const char * con) |
|
|
|
|
char path[PATH_MAX]; |
|
|
|
|
int fd, ret; |
|
|
|
|
char path[PATH_MAX]; |
|
|
|
|
int fd, ret; |
|
|
|
|
|
|
|
|
|
+ if (! con) { |
|
|
|
|
+ errno=EINVAL; |
|
|
|
|
+ return -1; |
|
|
|
|
+ } |
|
|
|
|
+ |
|
|
|
|
if (!selinux_mnt) { |
|
|
|
|
errno = ENOENT; |
|
|
|
|
return -1; |
|
|
|
|
if (!selinux_mnt) { |
|
|
|
|
errno = ENOENT; |
|
|
|
|
return -1; |
|
|
|
|
diff --git libselinux-2.5/src/compute_av.c libselinux-2.5/src/compute_av.c |
|
|
|
|
index 937e5c3..35ace7f 100644 |
|
|
|
|
--- libselinux-2.5/src/compute_av.c |
|
|
|
|
+++ libselinux-2.5/src/compute_av.c |
|
|
|
|
@@ -26,6 +26,11 @@ int security_compute_av_flags_raw(const char * scon, |
|
|
|
|
return -1; |
|
|
|
|
} |
|
|
|
|
return -1; |
|
|
|
|
} |
|
|
|
|
|
|
|
|
|
+ if ((! scon) || (! tcon)) { |
|
|
|
|
+ errno=EINVAL; |
|
|
|
|
+ return -1; |
|
|
|
|
+ } |
|
|
|
|
+ |
|
|
|
|
snprintf(path, sizeof path, "%s/access", selinux_mnt); |
|
|
|
|
fd = open(path, O_RDWR); |
|
|
|
|
if (fd < 0) |
|
|
|
|
snprintf(path, sizeof path, "%s/access", selinux_mnt); |
|
|
|
|
fd = open(path, O_RDWR); |
|
|
|
|
if (fd < 0) |
|
|
|
|
diff --git libselinux-2.5/src/compute_create.c libselinux-2.5/src/compute_create.c |
|
|
|
|
index 9559d42..14a65d1 100644 |
|
|
|
|
--- libselinux-2.5/src/compute_create.c |
|
|
|
|
+++ libselinux-2.5/src/compute_create.c |
|
|
|
|
@@ -64,6 +64,11 @@ int security_compute_create_name_raw(const char * scon, |
|
|
|
|
return -1; |
|
|
|
|
} |
|
|
|
|
return -1; |
|
|
|
|
} |
|
|
|
|
|
|
|
|
|
+ if ((! scon) || (! tcon)) { |
|
|
|
|
+ errno=EINVAL; |
|
|
|
|
+ return -1; |
|
|
|
|
+ } |
|
|
|
|
+ |
|
|
|
|
snprintf(path, sizeof path, "%s/create", selinux_mnt); |
|
|
|
|
fd = open(path, O_RDWR); |
|
|
|
|
if (fd < 0) |
|
|
|
|
snprintf(path, sizeof path, "%s/create", selinux_mnt); |
|
|
|
|
fd = open(path, O_RDWR); |
|
|
|
|
if (fd < 0) |
|
|
|
|
diff --git libselinux-2.5/src/compute_member.c libselinux-2.5/src/compute_member.c |
|
|
|
|
index 1fc7e41..065d996 100644 |
|
|
|
|
--- libselinux-2.5/src/compute_member.c |
|
|
|
|
+++ libselinux-2.5/src/compute_member.c |
|
|
|
|
@@ -25,6 +25,11 @@ int security_compute_member_raw(const char * scon, |
|
|
|
|
return -1; |
|
|
|
|
} |
|
|
|
|
return -1; |
|
|
|
|
} |
|
|
|
|
|
|
|
|
|
+ if ((! scon) || (! tcon)) { |
|
|
|
|
+ errno=EINVAL; |
|
|
|
|
+ return -1; |
|
|
|
|
+ } |
|
|
|
|
+ |
|
|
|
|
snprintf(path, sizeof path, "%s/member", selinux_mnt); |
|
|
|
|
fd = open(path, O_RDWR); |
|
|
|
|
if (fd < 0) |
|
|
|
|
snprintf(path, sizeof path, "%s/member", selinux_mnt); |
|
|
|
|
fd = open(path, O_RDWR); |
|
|
|
|
if (fd < 0) |
|
|
|
|
diff --git libselinux-2.5/src/compute_relabel.c libselinux-2.5/src/compute_relabel.c |
|
|
|
|
index 4615aee..cc77f36 100644 |
|
|
|
|
--- libselinux-2.5/src/compute_relabel.c |
|
|
|
|
+++ libselinux-2.5/src/compute_relabel.c |
|
|
|
|
@@ -25,6 +25,11 @@ int security_compute_relabel_raw(const char * scon, |
|
|
|
|
return -1; |
|
|
|
|
} |
|
|
|
|
return -1; |
|
|
|
|
} |
|
|
|
|
|
|
|
|
|
+ if ((! scon) || (! tcon)) { |
|
|
|
|
+ errno=EINVAL; |
|
|
|
|
+ return -1; |
|
|
|
|
+ } |
|
|
|
|
+ |
|
|
|
|
snprintf(path, sizeof path, "%s/relabel", selinux_mnt); |
|
|
|
|
fd = open(path, O_RDWR); |
|
|
|
|
if (fd < 0) |
|
|
|
|
snprintf(path, sizeof path, "%s/relabel", selinux_mnt); |
|
|
|
|
fd = open(path, O_RDWR); |
|
|
|
|
if (fd < 0) |
|
|
|
|
diff --git libselinux-2.5/src/compute_user.c libselinux-2.5/src/compute_user.c |
|
|
|
|
index b37c5d3..7703c26 100644 |
|
|
|
|
--- libselinux-2.5/src/compute_user.c |
|
|
|
|
+++ libselinux-2.5/src/compute_user.c |
|
|
|
|
@@ -24,6 +24,11 @@ int security_compute_user_raw(const char * scon, |
|
|
|
|
return -1; |
|
|
|
|
} |
|
|
|
|
return -1; |
|
|
|
|
} |
|
|
|
|
|
|
|
|
|
+ if (! scon) { |
|
|
|
|
+ errno=EINVAL; |
|
|
|
|
+ return -1; |
|
|
|
|
+ } |
|
|
|
|
+ |
|
|
|
|
snprintf(path, sizeof path, "%s/user", selinux_mnt); |
|
|
|
|
fd = open(path, O_RDWR); |
|
|
|
|
if (fd < 0) |
|
|
|
|
snprintf(path, sizeof path, "%s/user", selinux_mnt); |
|
|
|
|
fd = open(path, O_RDWR); |
|
|
|
|
if (fd < 0) |
|
|
|
|
diff --git libselinux-2.5/src/exception.sh libselinux-2.5/src/exception.sh |
|
|
|
|
index b7cff7e..a58bf3f 100755 |
|
|
|
|
--- libselinux-2.5/src/exception.sh |
|
|
|
@ -1028,9 +1028,9 @@ index 52707d0..0cbe12d 100644
@@ -1028,9 +1028,9 @@ index 52707d0..0cbe12d 100644
|
|
|
|
|
+ return -1; |
|
|
|
|
+ } |
|
|
|
|
+ rc = fsetxattr(fd, XATTR_NAME_SELINUX, context, strlen(context) + 1, 0); |
|
|
|
|
if (rc < 0 && errno == ENOTSUP) { |
|
|
|
|
char * ccontext = NULL; |
|
|
|
|
int err = errno; |
|
|
|
|
if (rc < 0 && errno == ENOTSUP) { |
|
|
|
|
char * ccontext = NULL; |
|
|
|
|
int err = errno; |
|
|
|
|
diff --git libselinux-2.5/src/init.c libselinux-2.5/src/init.c |
|
|
|
|
index 3db4de0..3c687a2 100644 |
|
|
|
|
--- libselinux-2.5/src/init.c |
|
|
|
@ -1049,14 +1049,14 @@ index 3db4de0..3c687a2 100644
@@ -1049,14 +1049,14 @@ index 3db4de0..3c687a2 100644
|
|
|
|
|
{ |
|
|
|
|
- int exists = 0, mnt_rc = 0; |
|
|
|
|
+ int exists = 0; |
|
|
|
|
FILE *fp = NULL; |
|
|
|
|
char *buf = NULL; |
|
|
|
|
size_t len; |
|
|
|
|
ssize_t num; |
|
|
|
|
FILE *fp = NULL; |
|
|
|
|
char *buf = NULL; |
|
|
|
|
size_t len; |
|
|
|
|
ssize_t num; |
|
|
|
|
|
|
|
|
|
- mnt_rc = mount("proc", "/proc", "proc", 0, 0); |
|
|
|
|
- |
|
|
|
|
fp = fopen("/proc/filesystems", "r"); |
|
|
|
|
fp = fopen("/proc/filesystems", "r"); |
|
|
|
|
- if (!fp) { |
|
|
|
|
- exists = 1; /* Fail as if it exists */ |
|
|
|
|
- goto out; |
|
|
|
@ -1064,13 +1064,13 @@ index 3db4de0..3c687a2 100644
@@ -1064,13 +1064,13 @@ index 3db4de0..3c687a2 100644
|
|
|
|
|
- |
|
|
|
|
+ if (!fp) |
|
|
|
|
+ return 1; /* Fail as if it exists */ |
|
|
|
|
__fsetlocking(fp, FSETLOCKING_BYCALLER); |
|
|
|
|
__fsetlocking(fp, FSETLOCKING_BYCALLER); |
|
|
|
|
|
|
|
|
|
num = getline(&buf, &len, fp); |
|
|
|
|
num = getline(&buf, &len, fp); |
|
|
|
|
@@ -84,14 +78,6 @@ int selinuxfs_exists(void) |
|
|
|
|
|
|
|
|
|
free(buf); |
|
|
|
|
fclose(fp); |
|
|
|
|
free(buf); |
|
|
|
|
fclose(fp); |
|
|
|
|
- |
|
|
|
|
-out: |
|
|
|
|
-#ifndef MNT_DETACH |
|
|
|
@ -1079,7 +1079,7 @@ index 3db4de0..3c687a2 100644
@@ -1079,7 +1079,7 @@ index 3db4de0..3c687a2 100644
|
|
|
|
|
- if (mnt_rc == 0) |
|
|
|
|
- umount2("/proc", MNT_DETACH); |
|
|
|
|
- |
|
|
|
|
return exists; |
|
|
|
|
return exists; |
|
|
|
|
} |
|
|
|
|
hidden_def(selinuxfs_exists) |
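Review bot: The new early exit `return 1; /* Fail as if it exists */` keeps a one-word comment for a decision that now matters more, because the same change drops the `mount("proc", ...)` that used to make `/proc/filesystems` readable here, so this path is taken whenever /proc is not yet mounted. A comment stating the intent would help, e.g. `/* /proc unreadable (possibly not mounted yet): report selinuxfs as present so the caller still attempts the selinuxfs mount and handles its failure there */`; that reading is inferred from the "Mount failed for selinuxfs" handling in load_policy.c in this commit, so adjust it to the real motivation. `selinuxfs_exists` begins outside the visible hunks.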
|
|
|
|
diff --git libselinux-2.5/src/label_file.c libselinux-2.5/src/label_file.c |
|
|
|
@ -1087,9 +1087,9 @@ index 071d902..c89bb35 100644
@@ -1087,9 +1087,9 @@ index 071d902..c89bb35 100644
|
|
|
|
|
--- libselinux-2.5/src/label_file.c |
|
|
|
|
+++ libselinux-2.5/src/label_file.c |
|
|
|
|
@@ -388,18 +388,21 @@ static int load_mmap(struct selabel_handle *rec, const char *path, |
|
|
|
|
rc = -1; |
|
|
|
|
goto err; |
|
|
|
|
} |
|
|
|
|
rc = -1; |
|
|
|
|
goto err; |
|
|
|
|
} |
|
|
|
|
- spec->lsd.study_data = (void *)mmap_area->next_addr; |
|
|
|
|
- spec->lsd.flags |= PCRE_EXTRA_STUDY_DATA; |
|
|
|
|
- rc = next_entry(NULL, mmap_area, entry_len); |
|
|
|
@ -1116,9 +1116,9 @@ index 071d902..c89bb35 100644
@@ -1116,9 +1116,9 @@ index 071d902..c89bb35 100644
|
|
|
|
|
+ rc = -1; |
|
|
|
|
+ goto err; |
|
|
|
|
+ } |
|
|
|
|
} |
|
|
|
|
} |
|
|
|
|
|
|
|
|
|
data->nspec++; |
|
|
|
|
data->nspec++; |
|
|
|
|
diff --git libselinux-2.5/src/label_file.h libselinux-2.5/src/label_file.h |
|
|
|
|
index 72fed1f..6d1e890 100644 |
|
|
|
|
--- libselinux-2.5/src/label_file.h |
|
|
|
@ -1136,7 +1136,7 @@ index 72fed1f..6d1e890 100644
@@ -1136,7 +1136,7 @@ index 72fed1f..6d1e890 100644
|
|
|
|
|
+ else |
|
|
|
|
+ return NULL; |
|
|
|
|
+ } else |
|
|
|
|
return spec->sd; |
|
|
|
|
return spec->sd; |
|
|
|
|
} |
|
|
|
|
|
|
|
|
|
diff --git libselinux-2.5/src/load_policy.c libselinux-2.5/src/load_policy.c |
|
|
|
@ -1153,37 +1153,37 @@ index 21ee58b..4f39fc7 100644
@@ -1153,37 +1153,37 @@ index 21ee58b..4f39fc7 100644
|
|
|
|
|
+ |
|
|
|
|
int security_load_policy(void *data, size_t len) |
|
|
|
|
{ |
|
|
|
|
char path[PATH_MAX]; |
|
|
|
|
char path[PATH_MAX]; |
|
|
|
|
@@ -348,11 +352,6 @@ int selinux_init_load_policy(int *enforce) |
|
|
|
|
fclose(cfg); |
|
|
|
|
free(buf); |
|
|
|
|
} |
|
|
|
|
fclose(cfg); |
|
|
|
|
free(buf); |
|
|
|
|
} |
|
|
|
|
-#ifndef MNT_DETACH |
|
|
|
|
-#define MNT_DETACH 2 |
|
|
|
|
-#endif |
|
|
|
|
- if (rc == 0) |
|
|
|
|
- umount2("/proc", MNT_DETACH); |
|
|
|
|
|
|
|
|
|
/* |
|
|
|
|
* Determine the final desired mode. |
|
|
|
|
/* |
|
|
|
|
* Determine the final desired mode. |
|
|
|
|
@@ -400,11 +399,17 @@ int selinux_init_load_policy(int *enforce) |
|
|
|
|
/* Only emit this error if selinux was not disabled */ |
|
|
|
|
fprintf(stderr, "Mount failed for selinuxfs on %s: %s\n", SELINUXMNT, strerror(errno)); |
|
|
|
|
} |
|
|
|
|
/* Only emit this error if selinux was not disabled */ |
|
|
|
|
fprintf(stderr, "Mount failed for selinuxfs on %s: %s\n", SELINUXMNT, strerror(errno)); |
|
|
|
|
} |
|
|
|
|
+ |
|
|
|
|
+ if (rc == 0) |
|
|
|
|
+ umount2("/proc", MNT_DETACH); |
|
|
|
|
|
|
|
|
|
goto noload; |
|
|
|
|
} |
|
|
|
|
set_selinuxmnt(mntpoint); |
|
|
|
|
goto noload; |
|
|
|
|
} |
|
|
|
|
set_selinuxmnt(mntpoint); |
|
|
|
|
|
|
|
|
|
+ if (rc == 0) |
|
|
|
|
+ umount2("/proc", MNT_DETACH); |
|
|
|
|
+ |
|
|
|
|
/* |
|
|
|
|
* Note: The following code depends on having selinuxfs |
|
|
|
|
* already mounted and selinuxmnt set above. |
|
|
|
|
/* |
|
|
|
|
* Note: The following code depends on having selinuxfs |
|
|
|
|
* already mounted and selinuxmnt set above. |
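Review bot: The `if (rc == 0) umount2("/proc", MNT_DETACH);` test moved from just after the config read to two places much later (before `goto noload` on mount failure, and after `set_selinuxmnt(mntpoint)`), so it now depends on `rc` still holding the result of the earlier proc mount; any assignment to `rc` in between (none is visible, but the lines between the hunks are not shown) would silently decide the umount on the wrong value. Capturing the result right after the mount, `proc_mounted = (rc == 0);`, and testing `if (proc_mounted)` in both places removes that hazard. The `#ifndef MNT_DETACH` fallback is deleted here while both added lines still use `MNT_DETACH`; the single `+` line at the top of the earlier hunk may be where it moved, but that is not visible, so confirm it is still defined. `selinux_init_load_policy` starts and ends outside the hunks.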
|
|
|
|
diff --git libselinux-2.5/src/lsetfilecon.c libselinux-2.5/src/lsetfilecon.c |
|
|
|
|
index 1d3b28a..ea6d70b 100644 |
|
|
|
|
--- libselinux-2.5/src/lsetfilecon.c |
|
|
|
@ -1201,9 +1201,9 @@ index 1d3b28a..ea6d70b 100644
@@ -1201,9 +1201,9 @@ index 1d3b28a..ea6d70b 100644
|
|
|
|
|
+ } |
|
|
|
|
+ |
|
|
|
|
+ rc = lsetxattr(path, XATTR_NAME_SELINUX, context, strlen(context) + 1, 0); |
|
|
|
|
if (rc < 0 && errno == ENOTSUP) { |
|
|
|
|
char * ccontext = NULL; |
|
|
|
|
int err = errno; |
|
|
|
|
if (rc < 0 && errno == ENOTSUP) { |
|
|
|
|
char * ccontext = NULL; |
|
|
|
|
int err = errno; |
|
|
|
|
diff --git libselinux-2.5/src/matchpathcon.c libselinux-2.5/src/matchpathcon.c |
|
|
|
|
index 5b495a0..d92ed79 100644 |
|
|
|
|
--- libselinux-2.5/src/matchpathcon.c |
|
|
|
@ -1218,16 +1218,16 @@ index 5b495a0..d92ed79 100644
@@ -1218,16 +1218,16 @@ index 5b495a0..d92ed79 100644
|
|
|
|
|
#include "callbacks.h" |
|
|
|
|
@@ -62,7 +63,7 @@ static void |
|
|
|
|
{ |
|
|
|
|
va_list ap; |
|
|
|
|
va_start(ap, fmt); |
|
|
|
|
va_list ap; |
|
|
|
|
va_start(ap, fmt); |
|
|
|
|
- vfprintf(stderr, fmt, ap); |
|
|
|
|
+ vsyslog(LOG_ERR, fmt, ap); |
|
|
|
|
va_end(ap); |
|
|
|
|
va_end(ap); |
|
|
|
|
} |
|
|
|
|
|
|
|
|
|
@@ -361,12 +362,6 @@ int realpath_not_final(const char *name, char *resolved_path) |
|
|
|
|
goto out; |
|
|
|
|
} |
|
|
|
|
goto out; |
|
|
|
|
} |
|
|
|
|
|
|
|
|
|
- /* strip leading // */ |
|
|
|
|
- while (tmp_path[len] && tmp_path[len] == '/' && |
|
|
|
@ -1235,13 +1235,13 @@ index 5b495a0..d92ed79 100644
@@ -1235,13 +1235,13 @@ index 5b495a0..d92ed79 100644
|
|
|
|
|
- tmp_path++; |
|
|
|
|
- len++; |
|
|
|
|
- } |
|
|
|
|
last_component = strrchr(tmp_path, '/'); |
|
|
|
|
last_component = strrchr(tmp_path, '/'); |
|
|
|
|
|
|
|
|
|
if (last_component == tmp_path) { |
|
|
|
|
if (last_component == tmp_path) { |
|
|
|
|
@@ -470,6 +465,17 @@ int selinux_file_context_verify(const char *path, mode_t mode) |
|
|
|
|
char * con = NULL; |
|
|
|
|
char * fcontext = NULL; |
|
|
|
|
int rc = 0; |
|
|
|
|
char * con = NULL; |
|
|
|
|
char * fcontext = NULL; |
|
|
|
|
int rc = 0; |
|
|
|
|
+ char stackpath[PATH_MAX + 1]; |
|
|
|
|
+ char *p = NULL; |
|
|
|
|
+ |
|
|
|
@ -1254,38 +1254,38 @@ index 5b495a0..d92ed79 100644
@@ -1254,38 +1254,38 @@ index 5b495a0..d92ed79 100644
|
|
|
|
|
+ path = p; |
|
|
|
|
+ } |
|
|
|
|
|
|
|
|
|
rc = lgetfilecon_raw(path, &con); |
|
|
|
|
if (rc == -1) { |
|
|
|
|
rc = lgetfilecon_raw(path, &con); |
|
|
|
|
if (rc == -1) { |
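Review bot: `vsyslog(LOG_ERR, fmt, ap)` replaces `vfprintf(stderr, fmt, ap)` in the default log callback and needs `<syslog.h>`; the `@@ -62,7 +63,7 @@` header shows one line added above this hunk, which is consistent with the include having been added, but that line is not visible, so confirm it. The behavioural change deserves a comment on the callback, since diagnostics for a terminal user now go to syslog instead of the terminal, e.g. `/* Default log handler: messages go to syslog rather than stderr so callers without a controlling terminal still record them */` — the reason is inferred, adjust it to the actual motivation. In `selinux_file_context_verify`, `path = p;` retargets the parameter at the new `stackpath` buffer; the lines that fill `p` are outside the hunk, so make sure `p` is validated before it replaces `path`.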
|
|
|
|
diff --git libselinux-2.5/src/procattr.c libselinux-2.5/src/procattr.c |
|
|
|
|
index 527a0a5..eee4612 100644 |
|
|
|
|
--- libselinux-2.5/src/procattr.c |
|
|
|
|
+++ libselinux-2.5/src/procattr.c |
|
|
|
|
@@ -70,9 +70,9 @@ static int openattr(pid_t pid, const char *attr, int flags) |
|
|
|
|
char *path; |
|
|
|
|
pid_t tid; |
|
|
|
|
char *path; |
|
|
|
|
pid_t tid; |
|
|
|
|
|
|
|
|
|
- if (pid > 0) |
|
|
|
|
+ if (pid > 0) { |
|
|
|
|
rc = asprintf(&path, "/proc/%d/attr/%s", pid, attr); |
|
|
|
|
rc = asprintf(&path, "/proc/%d/attr/%s", pid, attr); |
|
|
|
|
- else { |
|
|
|
|
+ } else if (pid == 0) { |
|
|
|
|
rc = asprintf(&path, "/proc/thread-self/attr/%s", attr); |
|
|
|
|
if (rc < 0) |
|
|
|
|
return -1; |
|
|
|
|
rc = asprintf(&path, "/proc/thread-self/attr/%s", attr); |
|
|
|
|
if (rc < 0) |
|
|
|
|
return -1; |
|
|
|
|
@@ -82,6 +82,9 @@ static int openattr(pid_t pid, const char *attr, int flags) |
|
|
|
|
free(path); |
|
|
|
|
tid = gettid(); |
|
|
|
|
rc = asprintf(&path, "/proc/self/task/%d/attr/%s", tid, attr); |
|
|
|
|
free(path); |
|
|
|
|
tid = gettid(); |
|
|
|
|
rc = asprintf(&path, "/proc/self/task/%d/attr/%s", tid, attr); |
|
|
|
|
+ } else { |
|
|
|
|
+ errno = EINVAL; |
|
|
|
|
+ return -1; |
|
|
|
|
} |
|
|
|
|
if (rc < 0) |
|
|
|
|
return -1; |
|
|
|
|
} |
|
|
|
|
if (rc < 0) |
|
|
|
|
return -1; |
|
|
|
|
@@ -303,11 +306,21 @@ static int setprocattrcon(const char * context, |
|
|
|
|
#define getpidattr_def(fn, attr) \ |
|
|
|
|
int get##fn##_raw(pid_t pid, char **c) \ |
|
|
|
|
{ \ |
|
|
|
|
int get##fn##_raw(pid_t pid, char **c) \ |
|
|
|
|
{ \ |
|
|
|
|
- return getprocattrcon_raw(c, pid, #attr); \ |
|
|
|
|
+ if (pid <= 0) { \ |
|
|
|
|
+ errno = EINVAL; \ |
|
|
|
@ -1293,9 +1293,9 @@ index 527a0a5..eee4612 100644
@@ -1293,9 +1293,9 @@ index 527a0a5..eee4612 100644
|
|
|
|
|
+ } else { \ |
|
|
|
|
+ return getprocattrcon_raw(c, pid, #attr); \ |
|
|
|
|
+ } \ |
|
|
|
|
} \ |
|
|
|
|
int get##fn(pid_t pid, char **c) \ |
|
|
|
|
{ \ |
|
|
|
|
} \ |
|
|
|
|
int get##fn(pid_t pid, char **c) \ |
|
|
|
|
{ \ |
|
|
|
|
- return getprocattrcon(c, pid, #attr); \ |
|
|
|
|
+ if (pid <= 0) { \ |
|
|
|
|
+ errno = EINVAL; \ |
|
|
|
@ -1303,7 +1303,7 @@ index 527a0a5..eee4612 100644
@@ -1303,7 +1303,7 @@ index 527a0a5..eee4612 100644
|
|
|
|
|
+ } else { \ |
|
|
|
|
+ return getprocattrcon(c, pid, #attr); \ |
|
|
|
|
+ } \ |
|
|
|
|
} |
|
|
|
|
} |
|
|
|
|
|
|
|
|
|
all_selfattr_def(con, current) |
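Review bot: The `pid <= 0` guard added to the `getpidattr_def` macros rejects pid 0, while `openattr` in the first hunk still accepts pid 0 as the thread-self case, so a public `get##fn(0, ...)` call now fails with EINVAL where the helper would have served it. If that is intended (the per-pid accessors are meant for a real pid and callers should use the self accessors), a one-line comment on the macro records the decision, e.g. `/* pid 0 is deliberately rejected here; use the self accessors for the calling thread */`; if it is not, the macro test should be `pid < 0` to match `openattr`. The macro bodies are cut by the page between the two hunks.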
|
|
|
|
diff --git libselinux-2.5/src/selinux_config.c libselinux-2.5/src/selinux_config.c |
|
|
|
@ -1333,7 +1333,7 @@ index bec5f3b..c519a77 100644
@@ -1333,7 +1333,7 @@ index bec5f3b..c519a77 100644
|
|
|
|
|
+ |
|
|
|
|
const char *selinux_systemd_contexts_path(void) |
|
|
|
|
{ |
|
|
|
|
return get_path(SYSTEMD_CONTEXTS); |
|
|
|
|
return get_path(SYSTEMD_CONTEXTS); |
|
|
|
|
diff --git libselinux-2.5/src/selinux_internal.h libselinux-2.5/src/selinux_internal.h |
|
|
|
|
index 46566f6..9b9145c 100644 |
|
|
|
|
--- libselinux-2.5/src/selinux_internal.h |
|
|
|
@ -1351,23 +1351,23 @@ index 17ed6fe..d2c2402 100644
@@ -1351,23 +1351,23 @@ index 17ed6fe..d2c2402 100644
|
|
|
|
|
--- libselinux-2.5/src/selinux_restorecon.c |
|
|
|
|
+++ libselinux-2.5/src/selinux_restorecon.c |
|
|
|
|
@@ -245,25 +245,41 @@ int selinux_restorecon(const char *pathname_orig, |
|
|
|
|
* realpath of containing dir, then appending last component name. |
|
|
|
|
*/ |
|
|
|
|
if (userealpath) { |
|
|
|
|
* realpath of containing dir, then appending last component name. |
|
|
|
|
*/ |
|
|
|
|
if (userealpath) { |
|
|
|
|
- pathbname = basename((char *)pathname_orig); |
|
|
|
|
+ char *basename_cpy = strdup(pathname_orig); |
|
|
|
|
+ if (!basename_cpy) |
|
|
|
|
+ goto realpatherr; |
|
|
|
|
+ pathbname = basename(basename_cpy); |
|
|
|
|
if (!strcmp(pathbname, "/") || !strcmp(pathbname, ".") || |
|
|
|
|
!strcmp(pathbname, "..")) { |
|
|
|
|
pathname = realpath(pathname_orig, NULL); |
|
|
|
|
if (!strcmp(pathbname, "/") || !strcmp(pathbname, ".") || |
|
|
|
|
!strcmp(pathbname, "..")) { |
|
|
|
|
pathname = realpath(pathname_orig, NULL); |
|
|
|
|
- if (!pathname) |
|
|
|
|
+ if (!pathname) { |
|
|
|
|
+ free(basename_cpy); |
|
|
|
|
goto realpatherr; |
|
|
|
|
goto realpatherr; |
|
|
|
|
+ } |
|
|
|
|
} else { |
|
|
|
|
} else { |
|
|
|
|
- pathdname = dirname((char *)pathname_orig); |
|
|
|
|
+ char *dirname_cpy = strdup(pathname_orig); |
|
|
|
|
+ if (!dirname_cpy) { |
|
|
|
@ -1375,28 +1375,28 @@ index 17ed6fe..d2c2402 100644
@@ -1375,28 +1375,28 @@ index 17ed6fe..d2c2402 100644
|
|
|
|
|
+ goto realpatherr; |
|
|
|
|
+ } |
|
|
|
|
+ pathdname = dirname(dirname_cpy); |
|
|
|
|
pathdnamer = realpath(pathdname, NULL); |
|
|
|
|
pathdnamer = realpath(pathdname, NULL); |
|
|
|
|
- if (!pathdnamer) |
|
|
|
|
+ free(dirname_cpy); |
|
|
|
|
+ if (!pathdnamer) { |
|
|
|
|
+ free(basename_cpy); |
|
|
|
|
goto realpatherr; |
|
|
|
|
goto realpatherr; |
|
|
|
|
+ } |
|
|
|
|
if (!strcmp(pathdnamer, "/")) |
|
|
|
|
error = asprintf(&pathname, "/%s", pathbname); |
|
|
|
|
else |
|
|
|
|
error = asprintf(&pathname, "%s/%s", |
|
|
|
|
pathdnamer, pathbname); |
|
|
|
|
if (!strcmp(pathdnamer, "/")) |
|
|
|
|
error = asprintf(&pathname, "/%s", pathbname); |
|
|
|
|
else |
|
|
|
|
error = asprintf(&pathname, "%s/%s", |
|
|
|
|
pathdnamer, pathbname); |
|
|
|
|
- if (error < 0) |
|
|
|
|
+ if (error < 0) { |
|
|
|
|
+ free(basename_cpy); |
|
|
|
|
goto oom; |
|
|
|
|
goto oom; |
|
|
|
|
+ } |
|
|
|
|
} |
|
|
|
|
} |
|
|
|
|
+ free(basename_cpy); |
|
|
|
|
} else { |
|
|
|
|
pathname = strdup(pathname_orig); |
|
|
|
|
if (!pathname) |
|
|
|
|
} else { |
|
|
|
|
pathname = strdup(pathname_orig); |
|
|
|
|
if (!pathname) |
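Review bot: `pathbname` points into `basename_cpy` (`basename` typically returns a pointer into its argument), and `basename_cpy` is freed at the end of the `userealpath` block right after the `asprintf` that copies the name into `pathname`; if `pathbname` is read anywhere after that point (the rest of `selinux_restorecon` is outside the hunk) it is a use-after-free, so confirm it is not, or set `pathbname = NULL;` next to the free. The four separate `free(basename_cpy); goto ...;` pairs are easy to get wrong on the next edit; freeing `basename_cpy` at the `realpatherr`/`oom` labels, or through a local cleanup label, would keep one exit path. Minor: `strdup` failure branches to `realpatherr` while `asprintf` failure branches to `oom`, so the two allocation failures are reported differently. `selinux_restorecon` starts and ends outside the hunks.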
|
|
|
|
diff --git libselinux-2.5/src/selinuxswig_python.i libselinux-2.5/src/selinuxswig_python.i |
|
|
|
|
index 8cea18d..592d70c 100644 |
|
|
|
|
--- libselinux-2.5/src/selinuxswig_python.i |
|
|
|
@ -1421,14 +1421,14 @@ index e72ba0d..9c821f8 100644
@@ -1421,14 +1421,14 @@ index e72ba0d..9c821f8 100644
|
|
|
|
|
--- libselinux-2.5/src/setexecfilecon.c |
|
|
|
|
+++ libselinux-2.5/src/setexecfilecon.c |
|
|
|
|
@@ -45,7 +45,7 @@ int setexecfilecon(const char *filename, const char *fallback_type) |
|
|
|
|
goto out; |
|
|
|
|
goto out; |
|
|
|
|
out: |
|
|
|
|
|
|
|
|
|
- if (rc < 0 && security_getenforce() == 0) |
|
|
|
|
+ if (rc < 0 && security_getenforce() < 1) |
|
|
|
|
rc = 0; |
|
|
|
|
rc = 0; |
|
|
|
|
|
|
|
|
|
context_free(con); |
|
|
|
|
context_free(con); |
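Review bot: Changing `security_getenforce() == 0` to `< 1` makes the `rc < 0` failure non-fatal not only in permissive mode but also when `security_getenforce()` returns -1, i.e. when the enforcement state cannot be read at all; that is a fail-open decision and the one-character change hides it. If it is intended, state it above the test: `/* Permissive, or enforcement state unknown: do not fail the caller */`; if the intent was only permissive mode, keep `== 0` and handle the error return explicitly. `setexecfilecon`'s body starts outside the hunk.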
|
|
|
|
diff --git libselinux-2.5/src/setfilecon.c libselinux-2.5/src/setfilecon.c |
|
|
|
|
index d05969c..3f0200e 100644 |
|
|
|
|
--- libselinux-2.5/src/setfilecon.c |
|
|
|
@ -1445,9 +1445,9 @@ index d05969c..3f0200e 100644
@@ -1445,9 +1445,9 @@ index d05969c..3f0200e 100644
|
|
|
|
|
+ return -1; |
|
|
|
|
+ } |
|
|
|
|
+ rc = setxattr(path, XATTR_NAME_SELINUX, context, strlen(context) + 1, 0); |
|
|
|
|
if (rc < 0 && errno == ENOTSUP) { |
|
|
|
|
char * ccontext = NULL; |
|
|
|
|
int err = errno; |
|
|
|
|
if (rc < 0 && errno == ENOTSUP) { |
|
|
|
|
char * ccontext = NULL; |
|
|
|
|
int err = errno; |
|
|
|
|
diff --git libselinux-2.5/utils/.gitignore libselinux-2.5/utils/.gitignore |
|
|
|
|
index 060eaab..ed3bf0b 100644 |
|
|
|
|
--- libselinux-2.5/utils/.gitignore |
|
|
|
@ -1493,19 +1493,19 @@ index d1f1348..0288feb 100644
@@ -1493,19 +1493,19 @@ index d1f1348..0288feb 100644
|
|
|
|
|
@@ -15,7 +15,7 @@ |
|
|
|
|
static void usage(const char *progname) |
|
|
|
|
{ |
|
|
|
|
fprintf(stderr, |
|
|
|
|
fprintf(stderr, |
|
|
|
|
- "usage: %s [-N] [-n] [-f file_contexts] [ -P policy_root_path ] [-p prefix] [-Vq] path...\n", |
|
|
|
|
+ "usage: %s [-V] [-N] [-n] [-m type] [-f file_contexts_file] [-p prefix] [-P policy_root_path] filepath...\n", |
|
|
|
|
progname); |
|
|
|
|
exit(1); |
|
|
|
|
progname); |
|
|
|
|
exit(1); |
|
|
|
|
} |
|
|
|
|
diff --git libselinux-2.5/utils/sefcontext_compile.c libselinux-2.5/utils/sefcontext_compile.c |
|
|
|
|
index d2578b6..fd6fb78 100644 |
|
|
|
|
--- libselinux-2.5/utils/sefcontext_compile.c |
|
|
|
|
+++ libselinux-2.5/utils/sefcontext_compile.c |
|
|
|
|
@@ -228,10 +228,13 @@ static int write_binary_file(struct saved_data *data, int fd) |
|
|
|
|
if (len != to_write) |
|
|
|
|
goto err; |
|
|
|
|
if (len != to_write) |
|
|
|
|
goto err; |
|
|
|
|
|
|
|
|
|
- /* determine the size of the pcre study info */ |
|
|
|
|
- rc = pcre_fullinfo(re, sd, PCRE_INFO_STUDYSIZE, &size); |
|
|
|
@ -1519,11 +1519,11 @@ index d2578b6..fd6fb78 100644
@@ -1519,11 +1519,11 @@ index d2578b6..fd6fb78 100644
|
|
|
|
|
+ } else |
|
|
|
|
+ size = 0; |
|
|
|
|
|
|
|
|
|
/* write the number of bytes in the pcre study data */ |
|
|
|
|
to_write = size; |
|
|
|
|
/* write the number of bytes in the pcre study data */ |
|
|
|
|
to_write = size; |
|
|
|
|
@@ -239,10 +242,12 @@ static int write_binary_file(struct saved_data *data, int fd) |
|
|
|
|
if (len != 1) |
|
|
|
|
goto err; |
|
|
|
|
if (len != 1) |
|
|
|
|
goto err; |
|
|
|
|
|
|
|
|
|
- /* write the actual pcre study data as a char array */ |
|
|
|
|
- len = fwrite(sd->study_data, 1, to_write, bin_file); |
|
|
|
@ -1535,6 +1535,6 @@ index d2578b6..fd6fb78 100644
@@ -1535,6 +1535,6 @@ index d2578b6..fd6fb78 100644
|
|
|
|
|
+ if (len != to_write) |
|
|
|
|
+ goto err; |
|
|
|
|
+ } |
|
|
|
|
} |
|
|
|
|
} |
|
|
|
|
|
|
|
|
|
rc = 0; |
|
|
|
|
rc = 0; |
|
|
|
|