[libselinux/f20: 1/2] Add additional go bindings for get*con calls

Daniel J Walsh dwalsh at fedoraproject.org
Fri Feb 14 14:27:56 UTC 2014


commit 9ca30046f8c9bb2c884cc3c31c370112a5970b6a
Author: Dan Walsh <dwalsh at redhat.com>
Date:   Fri Feb 14 09:26:28 2014 -0500

    Add additional go bindings for get*con calls
    
    - Add go bindings test command
    - Modify man pages of set*con calls to mention that they are thread specific

 .gitignore            |    1 +
 libselinux-rhat.patch |  378 ++++++++++++++++++++++++++++++++++++++++++++++---
 libselinux.spec       |   31 ++++-
 sources               |    2 +-
 4 files changed, 388 insertions(+), 24 deletions(-)
---
diff --git a/.gitignore b/.gitignore
index 2e9cec3..84665d1 100644
--- a/.gitignore
+++ b/.gitignore
@@ -197,3 +197,4 @@ libselinux-2.0.96.tgz
 /libselinux-2.1.13.tgz
 /libselinux-2.2.tgz
 /libselinux-2.2.1.tgz
+/libselinux-2.2.2.tgz
diff --git a/libselinux-rhat.patch b/libselinux-rhat.patch
index bf75861..9c2b6e7 100644
--- a/libselinux-rhat.patch
+++ b/libselinux-rhat.patch
@@ -10,14 +10,14 @@ index fd4f0b1..51469bc 100644
  DISABLE_SETRANS ?= n
 diff --git a/libselinux/golang/Makefile b/libselinux/golang/Makefile
 new file mode 100644
-index 0000000..e0be66f
+index 0000000..b75677b
 --- /dev/null
 +++ b/libselinux/golang/Makefile
-@@ -0,0 +1,17 @@
+@@ -0,0 +1,22 @@
 +# Installation directories.
 +PREFIX ?= $(DESTDIR)/usr
-+GODIR ?= $(PREFIX)/share/gocode/src/selinux
-+
++LIBDIR ?= $(DESTDIR)/usr/lib
++GODIR ?= $(LIBDIR)/golang/src/pkg/github.com/selinux
 +all:
 +
 +install: 
@@ -25,18 +25,23 @@ index 0000000..e0be66f
 +	install -m 644 selinux.go $(GODIR)
 +
 +test:
++	@mkdir selinux
++	@cp selinux.go selinux
++	GOPATH=$(pwd) go run test.go 
++	@rm -rf selinux
 +
 +clean:
-+
++	@rm -f *~
++	@rm -rf selinux
 +indent:
 +
 +relabel:
 diff --git a/libselinux/golang/selinux.go b/libselinux/golang/selinux.go
 new file mode 100644
-index 0000000..018c955
+index 0000000..6cee26a
 --- /dev/null
 +++ b/libselinux/golang/selinux.go
-@@ -0,0 +1,282 @@
+@@ -0,0 +1,378 @@
 +package selinux
 +
 +/*
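Review bot: The `GOPATH=$(pwd) go run test.go` recipe line in the test target expands `$(pwd)` as a make variable, not a shell substitution, so unless `pwd` is defined in the Makefile or the environment GOPATH is exported as the empty string; the shell form is `GOPATH=$$(pwd) go run test.go`, or `GOPATH=$(CURDIR)` since the recipe runs in the package directory. The preceding `@mkdir selinux` also aborts the recipe when a previous run was interrupted before its `@rm -rf selinux`; `@mkdir -p selinux` makes the target rerunnable. Whether GOPATH matters here at all depends on how the `"./selinux"` relative import in test.go is resolved by the toolchain in use, which this patch does not pin down.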
@@ -86,6 +91,74 @@ index 0000000..018c955
 +	return int(rc), err
 +}
 +
++func Getfilecon(path string) (string, error) {
++	var scon C.security_context_t
++	var fcon string
++        rc, err := C.lgetfilecon(C.CString(path),&scon)
++	if (rc >= 0) {
++		fcon = C.GoString(scon)	
++		err = nil
++	}
++	return fcon, err
++}
++
++func Setfscreatecon(scon string) (int, error) {
++	var (
++		rc C.int
++		err error
++	)
++	if (scon != "") {
++		rc, err = C.setfscreatecon(C.CString(scon))
++	} else {
++		rc, err = C.setfscreatecon(nil)
++	}
++	return int(rc), err
++}
++
++func Getfscreatecon() (string, error) {
++	var scon C.security_context_t
++	var fcon string
++        rc, err := C.getfscreatecon(&scon)
++	if (rc >= 0) {
++		fcon = C.GoString(scon)	
++		err = nil
++		C.freecon(scon)
++	}
++	return fcon, err
++}
++
++func Getcon() (string) {
++	var pcon C.security_context_t
++	C.getcon(&pcon)
++	scon := C.GoString(pcon)
++	C.freecon(pcon)
++	return scon
++}
++
++func Getpidcon(pid int) (string, error) {
++	var pcon C.security_context_t
++	var scon string
++	rc, err := C.getpidcon(C.pid_t(pid), &pcon)
++	if (rc >= 0) {
++		scon = C.GoString(pcon)
++		C.freecon(pcon)
++		err = nil
++	}
++	return scon, err
++}
++
++func Getpeercon(socket int) (string, error) {
++	var pcon C.security_context_t
++	var scon string
++	rc, err := C.getpeercon(C.int(socket), &pcon)
++	if (rc >= 0) {
++		scon = C.GoString(pcon)
++		C.freecon(pcon)
++		err = nil
++	}
++	return scon, err
++}
++
 +func Setexeccon(scon string) (int, error) {
 +	var val *C.char
 +	if ! Selinux_enabled() {
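Review bot: Getfilecon never releases the context that lgetfilecon allocates — scon is copied with C.GoString but, unlike Getfscreatecon, Getpidcon and Getpeercon in the same hunk, never passed to C.freecon, so every call leaks a C string. The C.CString results in Getfilecon and Setfscreatecon are likewise never freed; releasing them needs C.free, which requires `unsafe` and `<stdlib.h>` in the cgo preamble outside this hunk. Getcon also discards getcon's return value, so a failed lookup is reported to the caller as an empty context rather than an error, and code that branches on the returned label cannot tell the two apart; a `(string, error)` signature like the neighbouring getters would fix that. The fence shows Getfilecon with both leaks closed.
```go
func Getfilecon(path string) (string, error) {
	var scon C.security_context_t
	var fcon string
	cpath := C.CString(path)
	defer C.free(unsafe.Pointer(cpath)) // needs "unsafe" and <stdlib.h> in the cgo preamble
	rc, err := C.lgetfilecon(cpath, &scon)
	if rc >= 0 {
		fcon = C.GoString(scon)
		C.freecon(scon)
		err = nil
	}
	return fcon, err
}
```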
@@ -183,6 +256,24 @@ index 0000000..018c955
 +	return mcs_list[mcs] 
 +}
 +
++func Int_to_mcs(id int, catRange uint32) string {
++        if ((id < 1) || (id >523776)) {
++          return "";
++        }
++
++	SETSIZE := int(catRange);
++	TIER := SETSIZE;
++
++	ORD := id;
++	for ;ORD > TIER; {
++		ORD = ORD - TIER;
++		TIER -= 1;
++	}
++	TIER = SETSIZE - TIER;
++	ORD = ORD + TIER;
++	return fmt.Sprintf("s0:c%d,c%d", TIER, ORD);
++}
++
 +func uniq_mcs(catRange uint32) string {
 +	var n uint32
 +	var c1,c2 uint32
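Review bot: The range check `id > 523776` in Int_to_mcs is a fixed constant while the tier arithmetic runs on catRange, and 523776 equals 1023·1024/2, the number of pairs the loop can express when catRange is 1023; the function is therefore effectively specialised to catRange=1023, yet the next hunk calls it as `Int_to_mcs(os.Getpid(), 1024)` while Test calls it with 1023. With catRange=1024 an id of 1024 yields `s0:c0,c1024`, which is outside a c0–c1023 category range if catRange is meant to be the number of categories; deriving the bound from the argument, `if id < 1 || id > int(catRange)*(int(catRange)+1)/2 { return "" }`, and documenting that catRange is the highest usable category index keeps the check and the arithmetic consistent. Because the label is now a pure function of the PID, a reused PID gets the same category pair as its predecessor; whether that matters depends on what uniq_mcs guaranteed before, which is outside this hunk. Stylistically the `;` terminators, ALL_CAPS locals and `for ;ORD > TIER; {` are not gofmt output — `for ord > tier {` is the Go form.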
@@ -264,7 +355,7 @@ index 0000000..018c955
 +	}
 +exit:
 +	var scon Context
-+	mcs := uniq_mcs(1024)
++	mcs := Int_to_mcs(os.Getpid(), 1024)
 +	scon = New_context(process_label)
 +	scon.Set_level(mcs)
 +	process_label = scon.Get()
@@ -314,11 +405,83 @@ index 0000000..018c955
 +	} else {
 +		fmt.Println("Disabled")
 +	}
-+	fmt.Println(Selinux_getenforce())
-+	fmt.Println(Selinux_getenforcemode())
++	fmt.Println("getenforce ", Selinux_getenforce())
++	fmt.Println("getenforcemode ", Selinux_getenforcemode())
 +	flabel,_ = Matchpathcon("/home/dwalsh/.emacs", 0)
 +	fmt.Println(flabel)
++	pid := os.Getpid()
++	fmt.Printf("PID:%d MCS:%s\n", pid, Int_to_mcs(pid, 1023))
++	fmt.Println(Getcon())
++	fmt.Println(Getfilecon("/etc/passwd"))
++	fmt.Println(Getpidcon(1))
++	Setfscreatecon("unconfined_u:unconfined_r:unconfined_t:s0")
++	fmt.Println(Getfscreatecon())
++	Setfscreatecon("")
++	fmt.Println(Getfscreatecon())
++	fmt.Println(Getpidcon(1))
 +}
+diff --git a/libselinux/golang/test.go b/libselinux/golang/test.go
+new file mode 100644
+index 0000000..fed6de8
+--- /dev/null
++++ b/libselinux/golang/test.go
+@@ -0,0 +1,9 @@
++package main
++
++import (
++	"./selinux"
++)
++
++func main() {
++	selinux.Test()
++}
+diff --git a/libselinux/man/man3/getfscreatecon.3 b/libselinux/man/man3/getfscreatecon.3
+index c7675be..677ece4 100644
+--- a/libselinux/man/man3/getfscreatecon.3
++++ b/libselinux/man/man3/getfscreatecon.3
+@@ -49,6 +49,11 @@ Signal handlers that perform a
+ must take care to
+ save, reset, and restore the fscreate context to avoid unexpected behavior.
+ .
++
++.br
++.B Note:
++Contexts are thread specific.
++
+ .SH "RETURN VALUE"
+ On error \-1 is returned.
+ On success 0 is returned.
+diff --git a/libselinux/man/man3/getkeycreatecon.3 b/libselinux/man/man3/getkeycreatecon.3
+index d6a118c..b503535 100644
+--- a/libselinux/man/man3/getkeycreatecon.3
++++ b/libselinux/man/man3/getkeycreatecon.3
+@@ -48,6 +48,10 @@ Signal handlers that perform a
+ .BR setkeycreatecon ()
+ must take care to
+ save, reset, and restore the keycreate context to avoid unexpected behavior.
++
++.br
++.B Note:
++Contexts are thread specific.
+ .
+ .SH "RETURN VALUE"
+ On error \-1 is returned.
+diff --git a/libselinux/man/man3/getsockcreatecon.3 b/libselinux/man/man3/getsockcreatecon.3
+index 99e9436..673738c 100644
+--- a/libselinux/man/man3/getsockcreatecon.3
++++ b/libselinux/man/man3/getsockcreatecon.3
+@@ -49,6 +49,11 @@ Signal handlers that perform a
+ must take care to
+ save, reset, and restore the sockcreate context to avoid unexpected behavior.
+ .
++
++.br
++.B Note:
++Contexts are thread specific.
++
+ .SH "RETURN VALUE"
+ On error \-1 is returned.
+ On success 0 is returned.
 diff --git a/libselinux/src/Makefile b/libselinux/src/Makefile
 index 02dd829..6dfdb46 100644
 --- a/libselinux/src/Makefile
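Review bot: Both `Setfscreatecon(...)` calls added to Test discard the returned rc and error, so if setting the fscreate context fails the following `fmt.Println(Getfscreatecon())` prints whatever the previous value was and the run looks successful; `if _, err := Setfscreatecon("unconfined_u:unconfined_r:unconfined_t:s0"); err != nil { fmt.Println("setfscreatecon:", err) }` makes the failure visible. The same line passes 1023 to Int_to_mcs while the earlier hunk uses 1024 for the process label, so the two call sites do not agree on what catRange means. The new test.go depends on the Makefile copying selinux.go into a `selinux` subdirectory for its `"./selinux"` import to resolve, which is worth a comment in test.go since nothing in the file says so. The body of Test begins before this hunk.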
@@ -332,8 +495,155 @@ index 02dd829..6dfdb46 100644
  	ln -sf $@ $(TARGET) 
  
  $(LIBPC): $(LIBPC).in ../VERSION
+diff --git a/libselinux/src/avc_sidtab.c b/libselinux/src/avc_sidtab.c
+index 0b696bb..506e236 100644
+--- a/libselinux/src/avc_sidtab.c
++++ b/libselinux/src/avc_sidtab.c
+@@ -81,6 +81,11 @@ sidtab_context_to_sid(struct sidtab *s,
+ 	int hvalue, rc = 0;
+ 	struct sidtab_node *cur;
+ 
++	if (! ctx) {
++		errno=EINVAL;
++		return -1;
++	}
++
+ 	*sid = NULL;
+ 	hvalue = sidtab_hash(ctx);
+ 
+diff --git a/libselinux/src/canonicalize_context.c b/libselinux/src/canonicalize_context.c
+index 176c45a..6075025 100644
+--- a/libselinux/src/canonicalize_context.c
++++ b/libselinux/src/canonicalize_context.c
+@@ -17,6 +17,11 @@ int security_canonicalize_context_raw(const security_context_t con,
+ 	size_t size;
+ 	int fd, ret;
+ 
++	if (! con) {
++		errno=EINVAL;
++		return -1;
++	}
++
+ 	if (!selinux_mnt) {
+ 		errno = ENOENT;
+ 		return -1;
+diff --git a/libselinux/src/check_context.c b/libselinux/src/check_context.c
+index 33ab5e3..1277bdd 100644
+--- a/libselinux/src/check_context.c
++++ b/libselinux/src/check_context.c
+@@ -14,6 +14,11 @@ int security_check_context_raw(const security_context_t con)
+ 	char path[PATH_MAX];
+ 	int fd, ret;
+ 
++	if (! con) {
++		errno=EINVAL;
++		return -1;
++	}
++
+ 	if (!selinux_mnt) {
+ 		errno = ENOENT;
+ 		return -1;
+diff --git a/libselinux/src/compute_av.c b/libselinux/src/compute_av.c
+index 5962c0b..61ea454 100644
+--- a/libselinux/src/compute_av.c
++++ b/libselinux/src/compute_av.c
+@@ -26,6 +26,11 @@ int security_compute_av_flags_raw(const security_context_t scon,
+ 		return -1;
+ 	}
+ 
++	if ((! scon) || (! tcon)) {
++		errno=EINVAL;
++		return -1;
++	}
++
+ 	snprintf(path, sizeof path, "%s/access", selinux_mnt);
+ 	fd = open(path, O_RDWR);
+ 	if (fd < 0)
+diff --git a/libselinux/src/compute_create.c b/libselinux/src/compute_create.c
+index 3c05be3..34a1ccd 100644
+--- a/libselinux/src/compute_create.c
++++ b/libselinux/src/compute_create.c
+@@ -64,6 +64,11 @@ int security_compute_create_name_raw(const security_context_t scon,
+ 		return -1;
+ 	}
+ 
++	if ((! scon) || (! tcon)) {
++		errno=EINVAL;
++		return -1;
++	}
++
+ 	snprintf(path, sizeof path, "%s/create", selinux_mnt);
+ 	fd = open(path, O_RDWR);
+ 	if (fd < 0)
+diff --git a/libselinux/src/compute_member.c b/libselinux/src/compute_member.c
+index dad0a77..7850986 100644
+--- a/libselinux/src/compute_member.c
++++ b/libselinux/src/compute_member.c
+@@ -25,6 +25,11 @@ int security_compute_member_raw(const security_context_t scon,
+ 		return -1;
+ 	}
+ 
++	if ((! scon) || (! tcon)) {
++		errno=EINVAL;
++		return -1;
++	}
++
+ 	snprintf(path, sizeof path, "%s/member", selinux_mnt);
+ 	fd = open(path, O_RDWR);
+ 	if (fd < 0)
+diff --git a/libselinux/src/compute_relabel.c b/libselinux/src/compute_relabel.c
+index 656f00a..2560e78 100644
+--- a/libselinux/src/compute_relabel.c
++++ b/libselinux/src/compute_relabel.c
+@@ -25,6 +25,11 @@ int security_compute_relabel_raw(const security_context_t scon,
+ 		return -1;
+ 	}
+ 
++	if ((! scon) || (! tcon)) {
++		errno=EINVAL;
++		return -1;
++	}
++
+ 	snprintf(path, sizeof path, "%s/relabel", selinux_mnt);
+ 	fd = open(path, O_RDWR);
+ 	if (fd < 0)
+diff --git a/libselinux/src/compute_user.c b/libselinux/src/compute_user.c
+index 3b39ddd..af20735 100644
+--- a/libselinux/src/compute_user.c
++++ b/libselinux/src/compute_user.c
+@@ -24,6 +24,11 @@ int security_compute_user_raw(const security_context_t scon,
+ 		return -1;
+ 	}
+ 
++	if (! scon) {
++		errno=EINVAL;
++		return -1;
++	}
++
+ 	snprintf(path, sizeof path, "%s/user", selinux_mnt);
+ 	fd = open(path, O_RDWR);
+ 	if (fd < 0)
+diff --git a/libselinux/src/fsetfilecon.c b/libselinux/src/fsetfilecon.c
+index 9963f7a..37f9d74 100644
+--- a/libselinux/src/fsetfilecon.c
++++ b/libselinux/src/fsetfilecon.c
+@@ -9,8 +9,12 @@
+ 
+ int fsetfilecon_raw(int fd, const security_context_t context)
+ {
+-	int rc = fsetxattr(fd, XATTR_NAME_SELINUX, context, strlen(context) + 1,
+-			 0);
++	int rc;
++	if (! context) {
++		errno=EINVAL;
++		return -1;
++	}
++	rc = fsetxattr(fd, XATTR_NAME_SELINUX, context, strlen(context) + 1, 0);
+ 	if (rc < 0 && errno == ENOTSUP) {
+ 		security_context_t ccontext = NULL;
+ 		int err = errno;
 diff --git a/libselinux/src/load_policy.c b/libselinux/src/load_policy.c
-index e419f1a..fdeca93 100644
+index e419f1a..275672d 100644
 --- a/libselinux/src/load_policy.c
 +++ b/libselinux/src/load_policy.c
 @@ -16,6 +16,82 @@
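Review bot: The new NULL guards are written `if (! ctx) {` / `errno=EINVAL;` while the surrounding code in the same files uses `if (!selinux_mnt) {` / `errno = ENOENT;` (visible in the canonicalize_context.c and check_context.c context lines), so the added blocks stand out from the existing style; the same spacing recurs in the lsetfilecon_raw and setfilecon_raw hunks below. In sidtab_context_to_sid the guard returns before the existing `*sid = NULL;`, so on a NULL ctx the caller's sid is left with whatever it held before, unlike every later failure path that runs after that assignment; placing the guard after `*sid = NULL;` preserves that invariant for callers that inspect *sid rather than the return code. The enclosing functions of each guard start outside the hunk.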
@@ -511,15 +821,26 @@ index e419f1a..fdeca93 100644
        close:
  	close(fd);
        dlclose:
-@@ -410,7 +494,7 @@ int selinux_init_load_policy(int *enforce)
- 	 * already mounted and selinuxmnt set above.
- 	 */
+diff --git a/libselinux/src/lsetfilecon.c b/libselinux/src/lsetfilecon.c
+index fd9bb26..af2d88c 100644
+--- a/libselinux/src/lsetfilecon.c
++++ b/libselinux/src/lsetfilecon.c
+@@ -9,8 +9,13 @@
  
--	if (seconfig == -1) {
-+	if (*enforce == -1) {
- 		/* Runtime disable of SELinux. */
- 		rc = security_disable();
- 		if (rc == 0) {
+ int lsetfilecon_raw(const char *path, const security_context_t context)
+ {
+-	int rc = lsetxattr(path, XATTR_NAME_SELINUX, context, strlen(context) + 1,
+-			 0);
++	int rc;
++	if (! context) {
++		errno=EINVAL;
++		return -1;
++	}
++
++	rc = lsetxattr(path, XATTR_NAME_SELINUX, context, strlen(context) + 1, 0);
+ 	if (rc < 0 && errno == ENOTSUP) {
+ 		security_context_t ccontext = NULL;
+ 		int err = errno;
 diff --git a/libselinux/src/matchpathcon.c b/libselinux/src/matchpathcon.c
 index 2d7369e..2a00807 100644
 --- a/libselinux/src/matchpathcon.c
@@ -541,3 +862,22 @@ index 2d7369e..2a00807 100644
  	va_end(ap);
  }
  
+diff --git a/libselinux/src/setfilecon.c b/libselinux/src/setfilecon.c
+index 50cb228..e617039 100644
+--- a/libselinux/src/setfilecon.c
++++ b/libselinux/src/setfilecon.c
+@@ -9,8 +9,12 @@
+ 
+ int setfilecon_raw(const char *path, const security_context_t context)
+ {
+-	int rc = setxattr(path, XATTR_NAME_SELINUX, context, strlen(context) + 1,
+-			0);
++	int rc;
++	if (! context) {
++		errno=EINVAL;
++		return -1;
++	}
++	rc = setxattr(path, XATTR_NAME_SELINUX, context, strlen(context) + 1, 0);
+ 	if (rc < 0 && errno == ENOTSUP) {
+ 		security_context_t ccontext = NULL;
+ 		int err = errno;
diff --git a/libselinux.spec b/libselinux.spec
index ce9b775..cb9460c 100644
--- a/libselinux.spec
+++ b/libselinux.spec
@@ -9,7 +9,7 @@
 
 Summary: SELinux library and simple utilities
 Name: libselinux
-Version: 2.2.1
+Version: 2.2.2
 Release: 4%{?dist}
 License: Public Domain
 Group: System Environment/Libraries
@@ -191,7 +191,7 @@ rm -rf %{buildroot}
 %files
 %defattr(-,root,root,-)
 %{_libdir}/libselinux.so.*
-/var/run/setrans
+%ghost /var/run/setrans
 %{_sbindir}/sefcontext_compile
 %{_prefix}/lib/tmpfiles.d/libselinux.conf
 
@@ -213,9 +213,9 @@ rm -rf %{buildroot}
 %defattr(-,root,root,-)
 %{_libdir}/libselinux.so
 %{_libdir}/pkgconfig/libselinux.pc
+%dir %{_libdir}/golang/src/pkg/github.com/selinux
+%{_libdir}/golang/src/pkg/github.com/selinux/selinux.go
 %dir %{_includedir}/selinux
-%dir %{_datadir}/gocode/src/selinux
-%{_datadir}/gocode/src/selinux/selinux.go
 %{_includedir}/selinux/*
 %{_mandir}/man3/*
 
@@ -243,6 +243,29 @@ rm -rf %{buildroot}
 %{ruby_sitearch}/selinux.so
 
 %changelog
+* Fri Feb 14 2014 Dan Walsh <dwalsh at redhat.com>  - 2.2.2-4
+- Add additional go bindings for get*con calls
+- Add go bindings test command
+- Modify man pages of set*con calls to mention that they are thread specific
+
+* Fri Jan 24 2014 Dan Walsh <dwalsh at redhat.com>  - 2.2.2-3
+- Move selinux.go to /usr/lib64/golang/src/pkg/github.com/selinux/selinux.go
+- Add Int_to_mcs function to generate MCS labels from integers.
+
+* Tue Jan 14 2014 Dan Walsh <dwalsh at redhat.com>  - 2.2.2-2
+- Add ghost flag for /var/run/setrans
+
+* Mon Jan 6 2014 Dan Walsh <dwalsh at redhat.com>  - 2.2.2-1
+- Update to upstream 
+      * Fix userspace AVC handling of per-domain permissive mode.
+- Verify context is not null when passed into *setfilecon_raw
+
+* Fri Dec 27 2013 Adam Williamson <awilliam at redhat.com> - 2.2.1-6
+- revert unexplained change to rhat.patch which broke SELinux disablement
+
+* Mon Dec 23 2013 Dan Walsh <dwalsh at redhat.com> - 2.2.1-5
+- Verify context is not null when passed into lsetfilecon_raw
+
 * Wed Dec 18 2013 Dan Walsh <dwalsh at redhat.com> - 2.2.1-4
 - Mv selinux.go to /usr/share/gocode/src/selinux
 
diff --git a/sources b/sources
index 0d56678..a598d56 100644
--- a/sources
+++ b/sources
@@ -1 +1 @@
-ada793adfb5683672f9cc8a99447939d  libselinux-2.2.1.tgz
+323a0d0b3cb0ec4e67c4f161207a90d1  libselinux-2.2.2.tgz

