[libselinux] Verify context is not null when passed into lsetfilecon_raw
Daniel J Walsh
dwalsh at fedoraproject.org
Mon Dec 23 14:54:19 UTC 2013
commit e61de3d8f05d2d2bd3ffc452f24b46c8f866f549
Author: Dan Walsh <dwalsh at redhat.com>
Date: Mon Dec 23 09:53:25 2013 -0500
Verify context is not null when passed into lsetfilecon_raw
libselinux-rhat.patch | 340 +++----------------------------------------------
libselinux.spec | 5 +-
2 files changed, 23 insertions(+), 322 deletions(-)
---
diff --git a/libselinux-rhat.patch b/libselinux-rhat.patch
index bf75861..4a55e0a 100644
--- a/libselinux-rhat.patch
+++ b/libselinux-rhat.patch
@@ -1,324 +1,3 @@
-diff --git a/libselinux/Makefile b/libselinux/Makefile
-index fd4f0b1..51469bc 100644
---- a/libselinux/Makefile
-+++ b/libselinux/Makefile
-@@ -1,4 +1,4 @@
--SUBDIRS = src include utils man
-+SUBDIRS = src include utils man golang
-
- DISABLE_AVC ?= n
- DISABLE_SETRANS ?= n
-diff --git a/libselinux/golang/Makefile b/libselinux/golang/Makefile
-new file mode 100644
-index 0000000..e0be66f
---- /dev/null
-+++ b/libselinux/golang/Makefile
-@@ -0,0 +1,17 @@
-+# Installation directories.
-+PREFIX ?= $(DESTDIR)/usr
-+GODIR ?= $(PREFIX)/share/gocode/src/selinux
-+
-+all:
-+
-+install:
-+ [ -d $(GODIR) ] || mkdir -p $(GODIR)
-+ install -m 644 selinux.go $(GODIR)
-+
-+test:
-+
-+clean:
-+
-+indent:
-+
-+relabel:
-diff --git a/libselinux/golang/selinux.go b/libselinux/golang/selinux.go
-new file mode 100644
-index 0000000..018c955
---- /dev/null
-+++ b/libselinux/golang/selinux.go
-@@ -0,0 +1,282 @@
-+package selinux
-+
-+/*
-+ The selinux package is a go bindings to libselinux required to add selinux
-+ support to docker.
-+
-+ Author Dan Walsh <dwalsh at redhat.com>
-+
-+ Used some ideas/code from the go-ini packages https://github.com/vaughan0
-+ By Vaughan Newton
-+*/
-+
-+// #cgo pkg-config: libselinux
-+// #include <selinux/selinux.h>
-+// #include <stdlib.h>
-+import "C"
-+import (
-+ "encoding/binary"
-+ "crypto/rand"
-+ "unsafe"
-+ "fmt"
-+ "bufio"
-+ "regexp"
-+ "io"
-+ "os"
-+ "strings"
-+)
-+
-+var (
-+ assignRegex = regexp.MustCompile(`^([^=]+)=(.*)$`)
-+ mcs_list = make(map[string]bool)
-+)
-+
-+func Matchpathcon(path string, mode int) (string, error) {
-+ var con C.security_context_t
-+ var scon string
-+ rc, err := C.matchpathcon(C.CString(path),C.mode_t(mode), &con)
-+ if rc == 0 {
-+ scon = C.GoString(con)
-+ C.free(unsafe.Pointer(con))
-+ }
-+ return scon, err
-+}
-+
-+func Setfilecon(path,scon string) (int, error) {
-+ rc, err := C.lsetfilecon(C.CString(path),C.CString(scon))
-+ return int(rc), err
-+}
-+
-+func Setexeccon(scon string) (int, error) {
-+ var val *C.char
-+ if ! Selinux_enabled() {
-+ return 0, nil
-+ }
-+ if scon != "" {
-+ val = C.CString(scon)
-+ } else {
-+ val = nil
-+ }
-+ rc, err := C.setexeccon(val)
-+ return int(rc), err
-+}
-+
-+type Context struct {
-+ con []string
-+}
-+func (c *Context) Set_user(user string) {
-+ c.con[0]=user
-+}
-+func (c *Context) Get_user() string {
-+ return c.con[0]
-+}
-+func (c *Context) Set_role(role string) {
-+ c.con[1]=role
-+}
-+func (c *Context) Get_role() string {
-+ return c.con[1]
-+}
-+func (c *Context) Set_type(setype string) {
-+ c.con[2]=setype
-+}
-+func (c *Context) Get_type() string {
-+ return c.con[2]
-+}
-+func (c *Context) Set_level(mls string) {
-+ c.con[3]=mls
-+}
-+func (c *Context) Get_level() string {
-+ return c.con[3]
-+}
-+func (c *Context) Get() string{
-+ return strings.Join(c.con,":")
-+}
-+func (c *Context) Set(scon string) {
-+ c.con = strings.SplitN(scon,":",4)
-+}
-+func New_context(scon string) Context {
-+ var con Context
-+ con.Set(scon)
-+ return con
-+}
-+
-+func Is_selinux_enabled() bool {
-+ b := C.is_selinux_enabled()
-+ if b > 0 {
-+ return true;
-+ }
-+ return false
-+}
-+
-+func Selinux_enabled() bool {
-+ b := C.is_selinux_enabled()
-+ if b > 0 {
-+ return true;
-+ }
-+ return false
-+}
-+
-+const (
-+ Enforcing = 1
-+ Permissive = 0
-+ Disabled = -1
-+)
-+
-+func Selinux_getenforce() int {
-+ return int(C.security_getenforce())
-+}
-+
-+func Selinux_getenforcemode() (int) {
-+ var enforce C.int
-+ C.selinux_getenforcemode(&enforce)
-+ return int(enforce)
-+}
-+
-+func mcs_add(mcs string) {
-+ mcs_list[mcs] = true
-+}
-+
-+func mcs_delete(mcs string) {
-+ mcs_list[mcs] = false
-+}
-+
-+func mcs_exists(mcs string) bool {
-+ return mcs_list[mcs]
-+}
-+
-+func uniq_mcs(catRange uint32) string {
-+ var n uint32
-+ var c1,c2 uint32
-+ var mcs string
-+ for ;; {
-+ binary.Read(rand.Reader, binary.LittleEndian, &n)
-+ c1 = n % catRange
-+ binary.Read(rand.Reader, binary.LittleEndian, &n)
-+ c2 = n % catRange
-+ if c1 == c2 {
-+ continue
-+ } else {
-+ if c1 > c2 {
-+ t := c1
-+ c1 = c2
-+ c2 = t
-+ }
-+ }
-+ mcs = fmt.Sprintf("s0:c%d,c%d", c1, c2)
-+ if mcs_exists(mcs) {
-+ continue
-+ }
-+ mcs_add(mcs)
-+ break
-+ }
-+ return mcs
-+}
-+func free_context(process_label string) {
-+ var scon Context
-+ scon = New_context(process_label)
-+ mcs_delete(scon.Get_level())
-+}
-+
-+func Get_lxc_contexts() (process_label string, file_label string) {
-+ var val, key string
-+ var bufin *bufio.Reader
-+ if ! Selinux_enabled() {
-+ return
-+ }
-+ lxc_path := C.GoString(C.selinux_lxc_contexts_path())
-+ file_label = "system_u:object_r:svirt_sandbox_file_t:s0"
-+ process_label = "system_u:system_r:svirt_lxc_net_t:s0"
-+
-+ in, err := os.Open(lxc_path)
-+ if err != nil {
-+ goto exit
-+ }
-+
-+ defer in.Close()
-+ bufin = bufio.NewReader(in)
-+
-+ for done := false; !done; {
-+ var line string
-+ if line, err = bufin.ReadString('\n'); err != nil {
-+ if err == io.EOF {
-+ done = true
-+ } else {
-+ goto exit
-+ }
-+ }
-+ line = strings.TrimSpace(line)
-+ if len(line) == 0 {
-+ // Skip blank lines
-+ continue
-+ }
-+ if line[0] == ';' || line[0] == '#' {
-+ // Skip comments
-+ continue
-+ }
-+ if groups := assignRegex.FindStringSubmatch(line); groups != nil {
-+ key, val = strings.TrimSpace(groups[1]), strings.TrimSpace(groups[2])
-+ if key == "process" {
-+ process_label = strings.Trim(val,"\"")
-+ }
-+ if key == "file" {
-+ file_label = strings.Trim(val,"\"")
-+ }
-+ }
-+ }
-+exit:
-+ var scon Context
-+ mcs := uniq_mcs(1024)
-+ scon = New_context(process_label)
-+ scon.Set_level(mcs)
-+ process_label = scon.Get()
-+ scon = New_context(file_label)
-+ scon.Set_level(mcs)
-+ file_label = scon.Get()
-+ return process_label, file_label
-+}
-+
-+func CopyLevel (src, dest string) (string, error) {
-+ if ! Selinux_enabled() {
-+ return "", nil
-+ }
-+ if src == "" {
-+ return "", nil
-+ }
-+ rc, err := C.security_check_context(C.CString(src))
-+ if rc != 0 {
-+ return "", err
-+ }
-+ rc, err = C.security_check_context(C.CString(dest))
-+ if rc != 0 {
-+ return "", err
-+ }
-+ scon := New_context(src)
-+ tcon := New_context(dest)
-+ tcon.Set_level(scon.Get_level())
-+ return tcon.Get(), nil
-+}
-+
-+func Test() {
-+ var plabel,flabel string
-+ if ! Selinux_enabled() {
-+ return
-+ }
-+
-+ plabel, flabel = Get_lxc_contexts()
-+ fmt.Println(plabel)
-+ fmt.Println(flabel)
-+ free_context(plabel)
-+ plabel, flabel = Get_lxc_contexts()
-+ fmt.Println(plabel)
-+ fmt.Println(flabel)
-+ free_context(plabel)
-+ if Selinux_enabled() {
-+ fmt.Println("Enabled")
-+ } else {
-+ fmt.Println("Disabled")
-+ }
-+ fmt.Println(Selinux_getenforce())
-+ fmt.Println(Selinux_getenforcemode())
-+ flabel,_ = Matchpathcon("/home/dwalsh/.emacs", 0)
-+ fmt.Println(flabel)
-+}
diff --git a/libselinux/src/Makefile b/libselinux/src/Makefile
index 02dd829..6dfdb46 100644
--- a/libselinux/src/Makefile
@@ -520,6 +199,25 @@ index e419f1a..fdeca93 100644
/* Runtime disable of SELinux. */
rc = security_disable();
if (rc == 0) {
+diff --git a/libselinux/src/lsetfilecon.c b/libselinux/src/lsetfilecon.c
+index fd9bb26..932fc62 100644
+--- a/libselinux/src/lsetfilecon.c
++++ b/libselinux/src/lsetfilecon.c
+@@ -9,7 +9,13 @@
+
+ int lsetfilecon_raw(const char *path, const security_context_t context)
+ {
+- int rc = lsetxattr(path, XATTR_NAME_SELINUX, context, strlen(context) + 1,
++ int rc;
++ if (! context) {
++ errno=EINVAL;
++ return -1;
++ }
++
++ rc = lsetxattr(path, XATTR_NAME_SELINUX, context, strlen(context) + 1,
+ 0);
+ if (rc < 0 && errno == ENOTSUP) {
+ security_context_t ccontext = NULL;
diff --git a/libselinux/src/matchpathcon.c b/libselinux/src/matchpathcon.c
index 2d7369e..2a00807 100644
--- a/libselinux/src/matchpathcon.c
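Review bot: The spacing in the added guard inside lsetfilecon_raw does not match the rest of the file: `if (!context) {` and `errno = EINVAL;` would read like the surrounding libselinux code, and a one-line comment above the guard, `/* a NULL context would otherwise be dereferenced by strlen() */`, records why the early return exists. The check itself is right, since the old code passed context straight to strlen() before lsetxattr() could reject it. Unless the rhat patch already covers them elsewhere, the sibling raw setters setfilecon_raw and fsetfilecon_raw presumably compute their xattr length the same way and would want the same guard, so callers get a consistent EINVAL rather than a crash from whichever variant they use. The lsetfilecon_raw body continues past the end of this hunk.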
diff --git a/libselinux.spec b/libselinux.spec
index ce9b775..9c86123 100644
--- a/libselinux.spec
+++ b/libselinux.spec
@@ -10,7 +10,7 @@
Summary: SELinux library and simple utilities
Name: libselinux
Version: 2.2.1
-Release: 4%{?dist}
+Release: 5%{?dist}
License: Public Domain
Group: System Environment/Libraries
Source: %{name}-%{version}.tgz
@@ -243,6 +243,9 @@ rm -rf %{buildroot}
%{ruby_sitearch}/selinux.so
%changelog
+* Mon Dec 23 2013 Dan Walsh <dwalsh at redhat.com> - 2.2.1-5
+- Verify context is not null when passed into lsetfilecon_raw
+
* Wed Dec 18 2013 Dan Walsh <dwalsh at redhat.com> - 2.2.1-4
- Mv selinux.go to /usr/share/gocode/src/selinux