libselinux-2.5-3

- Fix location of selinuxfs mount point - Only mount /proc if necessary - procattr: return einval for <= 0 pid args - procattr: return error on invalid pid_t input
2016-04-08 20:35:44 +02:00 · 2016-04-08 20:35:44 +02:00 · d11c40ba8a
parent 408641d228
commit d11c40ba8a
2 changed files with 153 additions and 2 deletions
--- a/libselinux-fedora.patch
+++ b/libselinux-fedora.patch
@ -1,3 +1,16 @@
+diff --git libselinux-2.5/ChangeLog libselinux-2.5/ChangeLog
+index 24673dd..1d6ac57 100644
+--- libselinux-2.5/ChangeLog
+++ libselinux-2.5/ChangeLog
+@@ -1,3 +1,8 @@
+	* Fix location of selinuxfs mount point, from Dan Walsh.
+	* Only mount /proc if necessary, from Stephen Smalley.
+	* procattr: return einval for <= 0 pid args, from Daniel Cashman.
+	* procattr: return error on invalid pid_t input, from Daniel Cashman.
+
+ 2.5 2016-02-23
+ 	* selinux_restorecon.3 man page corrections, from Richard Haines.
+ 	* Add selinux_restorecon function, from Richard Haines.
 diff --git libselinux-2.5/Makefile libselinux-2.5/Makefile
 index 6142b60..bdf9de8 100644
 --- libselinux-2.5/Makefile
@ -469,6 +482,54 @@ index 0000000..fed6de8
 +func main() {
 +	selinux.Test()
 +}
+diff --git libselinux-2.5/man/man3/security_disable.3 libselinux-2.5/man/man3/security_disable.3
+index c75ce0d..072923c 100644
+--- libselinux-2.5/man/man3/security_disable.3
+++ libselinux-2.5/man/man3/security_disable.3
+@@ -12,7 +12,7 @@ security_disable \- disable the SELinux kernel code at runtime
+ disables the SELinux kernel code, unregisters selinuxfs from
+ .IR /proc/filesystems ,
+ and then unmounts
+-.IR /selinux .
+.IR /sys/fs/selinux .
+ .sp
+ This function can only be called at runtime and prior to the initial policy
+ load. After the initial policy load, the SELinux kernel code cannot be disabled,
+diff --git libselinux-2.5/man/man3/selinux_status_open.3 libselinux-2.5/man/man3/selinux_status_open.3
+index f779dd9..2d44be5 100644
+--- libselinux-2.5/man/man3/selinux_status_open.3
+++ libselinux-2.5/man/man3/selinux_status_open.3
+@@ -23,7 +23,7 @@ without invocation of system calls
+ .SH "DESCRIPTION"
+ Linux 2.6.37 or later provides a SELinux kernel status page; being mostly
+ placed on
+-.I /selinux/status
+.I /sys/fs/selinux/status
+ entry. It enables userspace applications to mmap this page with read-only
+ mode, then it informs some status without system call invocations.
+ .sp
+@@ -38,7 +38,7 @@ without system-call invocation or worker thread for monitoring.
+ .BR selinux_status_open ()
+ tries to
+ .BR open (2)
+-.I /selinux/status
+.I /sys/fs/selinux/status
+ and
+ .BR mmap (2)
+ it in read-only mode. The file-descriptor and pointer to the page shall
+diff --git libselinux-2.5/man/man8/avcstat.8 libselinux-2.5/man/man8/avcstat.8
+index 204687d..2c4bce1 100644
+--- libselinux-2.5/man/man8/avcstat.8
+++ libselinux-2.5/man/man8/avcstat.8
+@@ -25,7 +25,7 @@ Display the cumulative values.
+ .TP
+ .B \-f
+ Specifies the location of the AVC statistics file, defaulting to
+-.IR /selinux/avc/cache_stats .
+.IR /sys/fs/selinux/avc/cache_stats .
+ .
+ .SH AUTHOR
+ This manual page was written by Dan Walsh <dwalsh@redhat.com>.
 diff --git libselinux-2.5/man/man8/selinux.8 libselinux-2.5/man/man8/selinux.8
 index 6f1034b..c9f188c 100644
 --- libselinux-2.5/man/man8/selinux.8
@ -636,6 +697,40 @@ index 52707d0..0cbe12d 100644
 	if (rc < 0 && errno == ENOTSUP) {
 		char * ccontext = NULL;
 		int err = errno;
+diff --git libselinux-2.5/src/init.c libselinux-2.5/src/init.c
+index 3db4de0..3530594 100644
+--- libselinux-2.5/src/init.c
+++ libselinux-2.5/src/init.c
+@@ -12,6 +12,7 @@
+ #include <stdint.h>
+ #include <limits.h>
+ #include <sys/mount.h>
+#include <linux/magic.h>
+ 
+ #include "dso.h"
+ #include "policy.h"
+@@ -57,13 +58,19 @@ static int verify_selinuxmnt(const char *mnt)
+ 
+ int selinuxfs_exists(void)
+ {
+-	int exists = 0, mnt_rc = 0;
+	int exists = 0, mnt_rc = -1, rc;
+	struct statfs sb;
+ 	FILE *fp = NULL;
+ 	char *buf = NULL;
+ 	size_t len;
+ 	ssize_t num;
+ 
+-	mnt_rc = mount("proc", "/proc", "proc", 0, 0);
+	do {
+		rc = statfs("/proc", &sb);
+	} while (rc < 0 && errno == EINTR);
+
+	if (rc == 0 && ((uint32_t)sb.f_type != (uint32_t)PROC_SUPER_MAGIC))
+		mnt_rc = mount("proc", "/proc", "proc", 0, 0);
+ 
+ 	fp = fopen("/proc/filesystems", "r");
+ 	if (!fp) {
 diff --git libselinux-2.5/src/lsetfilecon.c libselinux-2.5/src/lsetfilecon.c
 index 1d3b28a..ea6d70b 100644
 --- libselinux-2.5/src/lsetfilecon.c
@ -677,6 +772,56 @@ index 5b495a0..3868711 100644
 	va_end(ap);
 }
 
+diff --git libselinux-2.5/src/procattr.c libselinux-2.5/src/procattr.c
+index 527a0a5..eee4612 100644
+--- libselinux-2.5/src/procattr.c
+++ libselinux-2.5/src/procattr.c
+@@ -70,9 +70,9 @@ static int openattr(pid_t pid, const char *attr, int flags)
+ 	char *path;
+ 	pid_t tid;
+ 
+-	if (pid > 0)
+	if (pid > 0) {
+ 		rc = asprintf(&path, "/proc/%d/attr/%s", pid, attr);
+-	else {
+	} else if (pid == 0) {
+ 		rc = asprintf(&path, "/proc/thread-self/attr/%s", attr);
+ 		if (rc < 0)
+ 			return -1;
+@@ -82,6 +82,9 @@ static int openattr(pid_t pid, const char *attr, int flags)
+ 		free(path);
+ 		tid = gettid();
+ 		rc = asprintf(&path, "/proc/self/task/%d/attr/%s", tid, attr);
+	} else {
+		errno = EINVAL;
+		return -1;
+ 	}
+ 	if (rc < 0)
+ 		return -1;
+@@ -303,11 +306,21 @@ static int setprocattrcon(const char * context,
+ #define getpidattr_def(fn, attr) \
+ 	int get##fn##_raw(pid_t pid, char **c)	\
+ 	{ \
+-		return getprocattrcon_raw(c, pid, #attr); \
+		if (pid <= 0) { \
+			errno = EINVAL; \
+			return -1; \
+		} else { \
+			return getprocattrcon_raw(c, pid, #attr); \
+		} \
+ 	} \
+ 	int get##fn(pid_t pid, char **c)	\
+ 	{ \
+-		return getprocattrcon(c, pid, #attr); \
+		if (pid <= 0) { \
+			errno = EINVAL; \
+			return -1; \
+		} else { \
+			return getprocattrcon(c, pid, #attr); \
+		} \
+ 	}
+ 
+ all_selfattr_def(con, current)
 diff --git libselinux-2.5/src/setfilecon.c libselinux-2.5/src/setfilecon.c
 index d05969c..3f0200e 100644
 --- libselinux-2.5/src/setfilecon.c
--- a/libselinux.spec
+++ b/libselinux.spec
@ -9,7 +9,7 @@
 Summary: SELinux library and simple utilities
 Name: libselinux
 Version: 2.5
-Release: 2%{?dist}
+Release: 3%{?dist}
 License: Public Domain
 Group: System Environment/Libraries
 # https://github.com/SELinuxProject/selinux/wiki/Releases
@ -20,7 +20,7 @@ Url: https://github.com/SELinuxProject/selinux/wiki
 # download https://raw.githubusercontent.com/fedora-selinux/scripts/master/selinux/make-fedora-selinux-patch.sh
 # run:
 # $ VERSION=2.5 ./make-fedora-selinux-patch.sh libselinux
-# HEAD https://github.com/fedora-selinux/selinux/commit/51852c78f110223be57cd9776069f14703ab49f9
+# HEAD https://github.com/fedora-selinux/selinux/commit/4bfb84c7ff7b33cf06b9a6b2317d24054b9db562
 Patch1: libselinux-fedora.patch
 BuildRequires: pkgconfig python python-devel ruby-devel ruby libsepol-static >= %{libsepolver} swig pcre-devel xz-devel
 %if 0%{?with_python3}
@ -255,6 +255,12 @@ rm -rf %{buildroot}
 %{ruby_vendorarchdir}/selinux.so

 %changelog
+* Fri Apr 08 2016 Petr Lautrbach <plautrba@redhat.com> - 2.5-3
+- Fix location of selinuxfs mount point
+- Only mount /proc if necessary
+- procattr: return einval for <= 0 pid args
+- procattr: return error on invalid pid_t input
+
 * Sat Feb 27 2016 Petr Lautrbach <plautrba@redhat.com> 2.5-2
 - Use fully versioned arch-specific requires