findutils/findutils-selinux.patch


--- findutils-4.2.27/find/parser.c.selinux 2005-12-04 03:07:52.000000000 +0100
+++ findutils-4.2.27/find/parser.c 2006-01-12 07:36:36.000000000 +0100
@@ -47,6 +47,10 @@
/* We need <unistd.h> for isatty(). */
#include <unistd.h>
+#ifdef WITH_SELINUX
+#include <selinux/selinux.h>
+#endif /*WITH_SELINUX*/
+
#if ENABLE_NLS
# include <libintl.h>
# define _(Text) gettext (Text)
@@ -147,6 +151,9 @@
static boolean parse_warn PARAMS((const struct parser_table*, char *argv[], int *arg_ptr));
static boolean parse_xtype PARAMS((const struct parser_table*, char *argv[], int *arg_ptr));
static boolean parse_quit PARAMS((const struct parser_table*, char *argv[], int *arg_ptr));
+#ifdef WITH_SELINUX
+static boolean parse_scontext PARAMS((const struct parser_table*, char *argv[], int *arg_ptr));
+#endif /*WITH_SELINUX*/
@@ -298,6 +305,8 @@
{ARG_TEST, "-help", parse_help, NULL}, /* GNU */
{ARG_TEST, "version", parse_version, NULL}, /* GNU */
{ARG_TEST, "-version", parse_version, NULL}, /* GNU */
+ {ARG_TEST, "context", parse_scontext, pred_scontext}, /* SELinux */
+ {ARG_TEST, "-context", parse_scontext, pred_scontext}, /* SELinux */
{0, 0, 0, 0}
};
@@ -803,6 +812,10 @@
-nouser -nogroup -path PATTERN -perm [+-]MODE -regex PATTERN\n\
-wholename PATTERN -size N[bcwkMG] -true -type [bcdpflsD] -uid N\n\
-used N -user NAME -xtype [bcdpfls]\n"));
+#ifdef WITH_SELINUX
+ puts (_("\
+ -context CONTEXT\n"));
+#endif /*WITH_SELINUX*/
puts (_("\
actions: -delete -print0 -printf FORMAT -fprintf FILE FORMAT -print \n\
-fprint0 FILE -fprint FILE -ls -fls FILE -prune -quit\n\
@@ -1727,6 +1740,29 @@
exit (0);
}
+#ifdef WITH_SELINUX
+
+static boolean
+parse_scontext ( const struct parser_table* entry, char **argv, int *arg_ptr)
+{
+ struct predicate *our_pred;
+
+ if ( (argv == NULL) || (argv[*arg_ptr] == NULL) )
+ return( false );
+
+ our_pred = insert_primary(entry);
+ our_pred->need_stat = false;
+#ifdef DEBUG
+ our_pred->p_name = find_pred_name (pred_scontext);
+#endif /*DEBUG*/
+ our_pred->args.scontext = argv[*arg_ptr];;
+
+ (*arg_ptr)++;
+ return( true );
+}
+
+#endif /*WITH_SELINUX*/
+
static boolean
parse_xdev (const struct parser_table* entry, char **argv, int *arg_ptr)
{
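Review bot: The assignment `our_pred->args.scontext = argv[*arg_ptr];;` carries a stray second semicolon, and the definition's spacing (`parse_scontext ( const struct parser_table* entry, ...`, `return( false )`) departs from the style of the neighbouring parsers such as parse_xdev directly below. The pattern is stored without any validation, which is fine for fnmatch, but a short comment would help the next reader: `/* CONTEXT is an fnmatch(3) pattern; matched by pred_scontext without stat */`. Setting `need_stat = false` is consistent with pred_scontext never reading stat_buf, but the `need_type` flag presumably inherited from insert_primary is left as is; if that is deliberate, say so in a comment.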
@@ -1964,7 +2000,11 @@
if (*scan2 == '.')
for (scan2++; ISDIGIT (*scan2); scan2++)
/* Do nothing. */ ;
+#ifdef WITH_SELINUX
+ if (strchr ("abcdDfFgGhHiklmMnpPstuUyYZ", *scan2))
+#else /* WITH_SELINUX */
if (strchr ("abcdDfFgGhHiklmMnpPstuUyY", *scan2))
+#endif /* WITH_SELINUX */
{
segmentp = make_segment (segmentp, format, scan2 - format,
(int) *scan2);
@@ -2046,6 +2086,9 @@
case 'H': /* ARGV element file was found under */
case 'p': /* pathname */
case 'P': /* pathname with ARGV element stripped */
+#ifdef WITH_SELINUX
+ case 'Z': /* SELinux security context */
+#endif /* WITH_SELINUX */
*fmt++ = 's';
break;
--- findutils-4.2.27/find/defs.h.selinux 2005-09-04 19:59:34.000000000 +0200
+++ findutils-4.2.27/find/defs.h 2006-01-12 07:36:19.000000000 +0100
@@ -131,6 +131,10 @@
#define MODE_RWX (S_IXUSR | S_IXGRP | S_IXOTH | MODE_RW)
#define MODE_ALL (S_ISUID | S_ISGID | S_ISVTX | MODE_RWX)
+#ifdef WITH_SELINUX
+#include <selinux/selinux.h>
+#endif /*WITH_SELINUX*/
+
#if 1
#include <stdbool.h>
typedef bool boolean;
@@ -320,6 +324,9 @@
struct dir_id fileid; /* samefile */
mode_t type; /* type */
FILE *stream; /* ls fls fprint0 */
+#ifdef WITH_SELINUX
+ security_context_t scontext; /* scontext */
+#endif /*WITH_SELINUX*/
struct format_val printf_vec; /* printf fprintf fprint */
} args;
@@ -479,6 +486,9 @@
boolean pred_used PARAMS((char *pathname, struct stat *stat_buf, struct predicate *pred_ptr));
boolean pred_user PARAMS((char *pathname, struct stat *stat_buf, struct predicate *pred_ptr));
boolean pred_xtype PARAMS((char *pathname, struct stat *stat_buf, struct predicate *pred_ptr));
+#ifdef WITH_SELINUX
+boolean pred_scontext PARAMS((char *pathname, struct stat *stat_buf, struct predicate *pred_ptr));
+#endif /* WITH_SELINUX */
@@ -568,6 +578,10 @@
* can be changed with the positional option, -regextype.
*/
int regex_options;
+
+#ifdef WITH_SELINUX
+ int (*x_getfilecon) ();
+#endif /* WITH_SELINUX */
};
extern struct options options;
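Review bot: `int (*x_getfilecon) ();` declares the new hook with an empty, unprototyped parameter list, so the compiler accepts any assignment to it and any call through it without checking argument types, even though the wrappers assigned in find.c all take `(const char *, security_context_t *)`. Declare it with the full signature, `int (*x_getfilecon) (const char *name, security_context_t *con);`, which the `<selinux/selinux.h>` include added earlier in this file makes possible. The `options.xstat` pointer above it presumably already carries a full prototype; matching it keeps the struct consistent.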
--- findutils-4.2.27/find/Makefile.am.selinux 2005-07-03 18:07:08.000000000 +0200
+++ findutils-4.2.27/find/Makefile.am 2006-01-12 07:36:19.000000000 +0100
@@ -5,8 +5,9 @@
# regexprops_SOURCES = regexprops.c
find_SOURCES = find.c fstype.c parser.c pred.c tree.c util.c version.c
EXTRA_DIST = defs.h $(man_MANS)
+DEFS = @DEFS@ -I. -I$(srcdir) -I.. -DWITH_SELINUX
INCLUDES = -I../gnulib/lib -I$(top_srcdir)/lib -I$(top_srcdir)/gnulib/lib -I../intl -DLOCALEDIR=\"$(localedir)\"
-LDADD = ../lib/libfind.a ../gnulib/lib/libgnulib.a @INTLLIBS@
+LDADD = ../lib/libfind.a ../gnulib/lib/libgnulib.a @INTLLIBS@ -lselinux
man_MANS = find.1
SUBDIRS = testsuite
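Review bot: Hardwiring `-DWITH_SELINUX` into DEFS and `-lselinux` into LDADD makes every `#ifdef WITH_SELINUX` guard in the C hunks unconditional: the build now fails wherever the libselinux headers are absent, and the binary always links libselinux even on systems where configure could have left it out. A `--with-selinux` configure switch (an AC_DEFINE for WITH_SELINUX plus a substituted library variable such as `@SELINUX_LIBS@` in LDADD) would keep the guards meaningful. Overriding `DEFS` wholesale also repeats the `-I. -I$(srcdir) -I..` that automake appears to supply by default; `AM_CPPFLAGS` is the conventional place for an added define.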
--- findutils-4.2.27/find/find.1.selinux 2005-12-05 18:05:02.000000000 +0100
+++ findutils-4.2.27/find/find.1 2006-01-12 07:36:19.000000000 +0100
@@ -483,6 +483,9 @@
link to a file of type \fIc\fR; if the \-L option has been given, true
if \fIc\fR is `l'. In other words, for symbolic links, \-xtype checks
the type of the file that \-type does not check.
+.IP "\-context \fIscontext\fR"
+.IP "\--context \fIscontext\fR"
+(SELinux only) File has the security context \fIscontext\fR.
.SS ACTIONS
.IP "\-delete\fR"
@@ -785,6 +788,8 @@
File's type (like in ls \-l), U=unknown type (shouldn't happen)
.IP %Y
File's type (like %y), plus follow symlinks: L=loop, N=nonexistent
+.IP %Z
+(SELinux only) file's security context.
.PP
A `%' character followed by any other character is discarded (but the
other character is printed).
--- findutils-4.2.27/find/find.c.selinux 2005-11-11 08:41:37.000000000 +0100
+++ findutils-4.2.27/find/find.c 2006-01-12 07:36:19.000000000 +0100
@@ -244,6 +244,93 @@
{
return lstat(name, p);
}
+#ifdef WITH_SELINUX
+
+static int
+fallback_getfilecon(const char *name, security_context_t *p, int prev_rv)
+{
+ /* Our original getfilecon() call failed. Perhaps we can't follow a
+ * symbolic link. If that might be the problem, lgetfilecon() the link.
+ * Otherwise, admit defeat.
+ */
+ switch (errno)
+ {
+ case ENOENT:
+ case ENOTDIR:
+#ifdef DEBUG_STAT
+ fprintf(stderr, "fallback_getfilecon(): getfilecon(%s) failed; falling back on lgetfilecon()\n", name);
+#endif
+ return lgetfilecon(name, p);
+
+ case EACCES:
+ case EIO:
+ case ELOOP:
+ case ENAMETOOLONG:
+#ifdef EOVERFLOW
+ case EOVERFLOW: /* EOVERFLOW is not #defined on UNICOS. */
+#endif
+ default:
+ return prev_rv;
+ }
+}
+
+
+/* optionh_getfilecon() implements the getfilecon operation when the
+ * -H option is in effect.
+ *
+ * If the item to be examined is a command-line argument, we follow
+ * symbolic links. If the getfilecon() call fails on the command-line
+ * item, we fall back on the properties of the symbolic link.
+ *
+ * If the item to be examined is not a command-line argument, we
+ * examine the link itself.
+ */
+int
+optionh_getfilecon(const char *name, security_context_t *p)
+{
+ if (0 == state.curdepth)
+ {
+ /* This file is from the command line; deference the link (if it
+ * is a link).
+ */
+ int rv = getfilecon(name, p);
+ if (0 == rv)
+ return 0; /* success */
+ else
+ return fallback_getfilecon(name, p, rv);
+ }
+ else
+ {
+ /* Not a file on the command line; do not derefernce the link.
+ */
+ return lgetfilecon(name, p);
+ }
+}
+
+/* optionl_getfilecon() implements the getfilecon operation when the
+ * -L option is in effect. That option makes us examine the thing the
+ * symbolic link points to, not the symbolic link itself.
+ */
+int
+optionl_getfilecon(const char *name, security_context_t *p)
+{
+ int rv = getfilecon(name, p);
+ if (0 == rv)
+ return 0; /* normal case. */
+ else
+ return fallback_getfilecon(name, p, rv);
+}
+
+/* optionp_getfilecon() implements the stat operation when the -P
+ * option is in effect (this is also the default). That option makes
+ * us examine the symbolic link itself, not the thing it points to.
+ */
+int
+optionp_getfilecon(const char *name, security_context_t *p)
+{
+ return lgetfilecon(name, p);
+}
+#endif /* WITH_SELINUX */
#ifdef DEBUG_STAT
static uintmax_t stat_count = 0u;
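Review bot: The header comment on optionp_getfilecon says it "implements the stat operation", a leftover from the stat wrapper it was copied from; it should read `/* optionp_getfilecon() implements the getfilecon operation when the -P option is in effect ... */`, and the comments in optionh_getfilecon misspell "dereference" twice ("deference", "derefernce"). The three optionX_getfilecon wrappers are defined with external linkage but, as far as this patch shows, are reached only through `options.x_getfilecon` and are not declared in the defs.h hunk, so `static` would be appropriate unless another file declares them. The ENOENT/ENOTDIR fallback to lgetfilecon presumably mirrors find's existing stat fallback for dangling links; the rationale deserves a sentence in the comment, e.g. `/* target unreachable: report the link's own context, as the stat fallback does */`.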
@@ -272,11 +359,17 @@
{
case SYMLINK_ALWAYS_DEREF: /* -L */
options.xstat = optionl_stat;
+#ifdef WITH_SELINUX
+ options.x_getfilecon = optionl_getfilecon;
+#endif /* WITH_SELINUX */
options.no_leaf_check = true;
break;
case SYMLINK_NEVER_DEREF: /* -P (default) */
options.xstat = optionp_stat;
+#ifdef WITH_SELINUX
+ options.x_getfilecon = optionp_getfilecon;
+#endif /* WITH_SELINUX */
/* Can't turn no_leaf_check off because the user might have specified
* -noleaf anyway
*/
@@ -284,6 +377,9 @@
case SYMLINK_DEREF_ARGSONLY: /* -H */
options.xstat = optionh_stat;
+#ifdef WITH_SELINUX
+ options.x_getfilecon = optionh_getfilecon;
+#endif /* WITH_SELINUX */
options.no_leaf_check = true;
}
@@ -389,6 +485,9 @@
int
main (int argc, char **argv)
{
+#ifdef WITH_SELINUX
+ int is_selinux_enabled_flag = is_selinux_enabled()>0;
+#endif /* WITH_SELINUX */
int i;
const struct parser_table *entry_close, *entry_print, *entry_open;
const struct parser_table *parse_entry; /* Pointer to the parsing table entry for this expression. */
@@ -538,6 +637,14 @@
if (strchr ("-!(),", argv[i][0]) == NULL)
usage (_("paths must precede expression"));
predicate_name = argv[i];
+#ifdef WITH_SELINUX
+ if (! is_selinux_enabled_flag) {
+ if ((strncmp(predicate_name,"-context",strlen("-context"))==0) ||
+ (strncmp(predicate_name,"--context",strlen("--context"))==0)) {
+ error (1, 0,_("Error: invalid predicate %s: the kernel is not selinux-enabled.\n"),predicate_name);
+ }
+ }
+#endif
parse_entry = find_parser (predicate_name);
if (parse_entry == NULL)
{
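Review bot: `strncmp(predicate_name,"-context",strlen("-context"))==0` is a prefix test, so it rejects any argument that merely begins with `-context`, not just the two predicates it means to catch; `strcmp (predicate_name, "-context") == 0 || strcmp (predicate_name, "--context") == 0` is the intended exact match. The guard also covers only the predicate: on a kernel without SELinux, `-printf '%Z'` is still accepted and will call getfilecon for every file, producing one error message per file instead of a single diagnostic up front. The enclosing argument loop starts outside the hunk.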
@@ -1807,7 +1914,7 @@
static void
process_dir (char *pathname, char *name, int pathlen, struct stat *statp, char *parent)
{
- int subdirs_left; /* Number of unexamined subdirs in PATHNAME. */
+ int subdirs_left=0; /* Number of unexamined subdirs in PATHNAME. */
boolean subdirs_unreliable; /* if true, cannot use dir link count as subdir limif (if false, it may STILL be unreliable) */
int idx; /* Which entry are we on? */
struct stat stat_buf;
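Review bot: The `subdirs_left=0` initialisation has nothing to do with SELinux support and belongs in a separate patch; bundling it here hides it from anyone auditing the SELinux change. It is harmless as written, but if it exists to silence a compiler warning the reason should be stated, e.g. `/* not every branch below assigns this before it is read */`. process_dir's body continues outside the hunk.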
--- findutils-4.2.27/find/util.c.selinux 2005-07-01 23:45:18.000000000 +0200
+++ findutils-4.2.27/find/util.c 2006-01-12 07:36:19.000000000 +0100
@@ -78,6 +78,9 @@
last_pred->need_stat = true;
last_pred->need_type = true;
last_pred->args.str = NULL;
+#ifdef WITH_SELINUX
+ last_pred->args.scontext = NULL;
+#endif
last_pred->pred_next = NULL;
last_pred->pred_left = NULL;
last_pred->pred_right = NULL;
--- findutils-4.2.27/find/pred.c.selinux 2005-11-30 07:17:15.000000000 +0100
+++ findutils-4.2.27/find/pred.c 2006-01-12 07:36:28.000000000 +0100
@@ -38,6 +38,14 @@
#include "buildcmd.h"
#include "yesno.h"
+#ifdef WITH_SELINUX
+#include <selinux/selinux.h>
+#endif /*WITH_SELINUX*/
+
+#ifndef FNM_CASEFOLD
+#define FNM_CASEFOLD (1<<4)
+#endif /*FNM_CASEFOLD*/
+
#if ENABLE_NLS
# include <libintl.h>
# define _(Text) gettext (Text)
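Review bot: The fallback `#define FNM_CASEFOLD (1<<4)` is not used anywhere in this patch — pred_scontext calls `fnmatch(pred_ptr->args.scontext, scontext, 0)` with no flags — so the block is dead and should be dropped. If it is being kept for a future case-insensitive match, hard-coding the GNU value is unsafe: on a libc without FNM_CASEFOLD the bit would be handed to an fnmatch that does not understand it, with unspecified results, so the feature should be gated by a configure check rather than a local define.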
@@ -83,7 +91,6 @@
-
/* Get or fake the disk device blocksize.
Usually defined by sys/param.h (if at all). */
#ifndef DEV_BSIZE
@@ -215,6 +222,9 @@
{pred_used, "used "},
{pred_user, "user "},
{pred_xtype, "xtype "},
+#ifdef WITH_SELINUX
+ {pred_scontext, "context"},
+#endif /*WITH_SELINUX*/
{0, "none "}
};
@@ -903,6 +913,25 @@
mode_to_filetype(stat_buf->st_mode & S_IFMT));
}
break;
+#ifdef WITH_SELINUX
+ case 'Z': /* SELinux security context */
+ {
+ security_context_t scontext;
+ int rv;
+ rv = (*options.x_getfilecon)(state.rel_pathname, &scontext);
+
+ if ( rv < 0 ) {
+ (void) fprintf(stderr, "getfileconf(%s): %s",
+ pathname, strerror(errno));
+ (void) fflush(stderr);
+ }
+ else {
+ (void) fprintf (fp, segment->text, scontext);
+ freecon(scontext);
+ }
+ }
+ break ;
+#endif /* WITH_SELINUX */
}
}
return true;
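Review bot: The failure branch `(void) fprintf(stderr, "getfileconf(%s): %s", pathname, strerror(errno));` misspells the function as `getfileconf`, omits the trailing `\n` that the matching message in pred_scontext has, and bypasses the `error()` reporting that find.c uses in this same patch; `error (0, errno, "getfilecon(%s)", pathname);` would fix all three. More importantly, when getfilecon fails nothing at all is written to `fp`, yet `segment->text` appears to hold the literal text preceding the directive as well (make_segment is handed `format` with length `scan2 - format` in the parser hunk), so that text is lost and the output line is misaligned; `fprintf (fp, segment->text, "");` after reporting the error would keep the rest of the line intact. The context string only ever reaches fprintf through a `%s` directive, so a context read from the filesystem cannot act as a format string here. The enclosing switch and function start outside the hunk.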
@@ -1493,6 +1522,34 @@
*/
return (pred_type (pathname, &sbuf, pred_ptr));
}
+
+
+#ifdef WITH_SELINUX
+
+boolean
+pred_scontext ( pathname, stat_buf, pred_ptr )
+ char *pathname;
+ struct stat *stat_buf;
+ struct predicate *pred_ptr;
+{
+ int rv;
+ security_context_t scontext;
+
+ rv = (* options.x_getfilecon)(state.rel_pathname, &scontext);
+
+ if ( rv < 0 ) {
+ (void) fprintf(stderr, "getfilecon(%s): %s\n", pathname, strerror(errno));
+ (void) fflush(stderr);
+ return ( false );
+ }
+
+ rv = (fnmatch(pred_ptr->args.scontext, scontext,0)==0);
+ freecon(scontext);
+ return rv;
+}
+
+#endif /*WITH_SELINUX*/
+
/* 1) fork to get a child; parent remembers the child pid
2) child execs the command requested
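Review bot: `pred_scontext ( pathname, stat_buf, pred_ptr )` followed by separate parameter declarations is a pre-ANSI (K&R) definition, while its prototype in defs.h and the neighbouring predicates use full prototypes; with a K&R definition the compiler cannot check the definition against `PARAMS((char *pathname, struct stat *stat_buf, struct predicate *pred_ptr))`. Rewrite the signature as `pred_scontext (char *pathname, struct stat *stat_buf, struct predicate *pred_ptr)`. The failure path writes to stderr directly instead of using find's `error()`, which find.c uses elsewhere in this patch; `error (0, errno, "getfilecon(%s)", pathname);` matches that style. Note that an EACCES or ENODATA from getfilecon makes the predicate return `false`, so a `-context` search cannot distinguish "no match" from "context unreadable"; that is a defensible choice but deserves a comment such as `/* unreadable context counts as non-match; the error has already been reported */`.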