libselinux/libselinux-rhat.patch
2013-12-17 11:07:44 -05:00

544 lines
12 KiB
Diff

diff --git a/libselinux/Makefile b/libselinux/Makefile
index fd4f0b1..51469bc 100644
--- a/libselinux/Makefile
+++ b/libselinux/Makefile
@@ -1,4 +1,4 @@
-SUBDIRS = src include utils man
+SUBDIRS = src include utils man golang
DISABLE_AVC ?= n
DISABLE_SETRANS ?= n
diff --git a/libselinux/golang/Makefile b/libselinux/golang/Makefile
new file mode 100644
index 0000000..a5f0692
--- /dev/null
+++ b/libselinux/golang/Makefile
@@ -0,0 +1,17 @@
+# Installation directories.
+PREFIX ?= $(DESTDIR)/usr
+GODIR ?= $(PREFIX)/share/gocode/selinux
+
+all:
+
+install:
+ [ -d $(GODIR) ] || mkdir -p $(GODIR)
+ install -m 644 selinux.go $(GODIR)
+
+test:
+
+clean:
+
+indent:
+
+relabel:
diff --git a/libselinux/golang/selinux.go b/libselinux/golang/selinux.go
new file mode 100644
index 0000000..018c955
--- /dev/null
+++ b/libselinux/golang/selinux.go
@@ -0,0 +1,282 @@
+package selinux
+
+/*
+ The selinux package is a go bindings to libselinux required to add selinux
+ support to docker.
+
+ Author Dan Walsh <dwalsh@redhat.com>
+
+ Used some ideas/code from the go-ini packages https://github.com/vaughan0
+ By Vaughan Newton
+*/
+
+// #cgo pkg-config: libselinux
+// #include <selinux/selinux.h>
+// #include <stdlib.h>
+import "C"
+import (
+ "encoding/binary"
+ "crypto/rand"
+ "unsafe"
+ "fmt"
+ "bufio"
+ "regexp"
+ "io"
+ "os"
+ "strings"
+)
+
+var (
+ assignRegex = regexp.MustCompile(`^([^=]+)=(.*)$`)
+ mcs_list = make(map[string]bool)
+)
+
+func Matchpathcon(path string, mode int) (string, error) {
+ var con C.security_context_t
+ var scon string
+ rc, err := C.matchpathcon(C.CString(path),C.mode_t(mode), &con)
+ if rc == 0 {
+ scon = C.GoString(con)
+ C.free(unsafe.Pointer(con))
+ }
+ return scon, err
+}
+
+func Setfilecon(path,scon string) (int, error) {
+ rc, err := C.lsetfilecon(C.CString(path),C.CString(scon))
+ return int(rc), err
+}
+
+func Setexeccon(scon string) (int, error) {
+ var val *C.char
+ if ! Selinux_enabled() {
+ return 0, nil
+ }
+ if scon != "" {
+ val = C.CString(scon)
+ } else {
+ val = nil
+ }
+ rc, err := C.setexeccon(val)
+ return int(rc), err
+}
+
+type Context struct {
+ con []string
+}
+func (c *Context) Set_user(user string) {
+ c.con[0]=user
+}
+func (c *Context) Get_user() string {
+ return c.con[0]
+}
+func (c *Context) Set_role(role string) {
+ c.con[1]=role
+}
+func (c *Context) Get_role() string {
+ return c.con[1]
+}
+func (c *Context) Set_type(setype string) {
+ c.con[2]=setype
+}
+func (c *Context) Get_type() string {
+ return c.con[2]
+}
+func (c *Context) Set_level(mls string) {
+ c.con[3]=mls
+}
+func (c *Context) Get_level() string {
+ return c.con[3]
+}
+func (c *Context) Get() string{
+ return strings.Join(c.con,":")
+}
+func (c *Context) Set(scon string) {
+ c.con = strings.SplitN(scon,":",4)
+}
+func New_context(scon string) Context {
+ var con Context
+ con.Set(scon)
+ return con
+}
+
+func Is_selinux_enabled() bool {
+ b := C.is_selinux_enabled()
+ if b > 0 {
+ return true;
+ }
+ return false
+}
+
+func Selinux_enabled() bool {
+ b := C.is_selinux_enabled()
+ if b > 0 {
+ return true;
+ }
+ return false
+}
+
+const (
+ Enforcing = 1
+ Permissive = 0
+ Disabled = -1
+)
+
+func Selinux_getenforce() int {
+ return int(C.security_getenforce())
+}
+
+func Selinux_getenforcemode() (int) {
+ var enforce C.int
+ C.selinux_getenforcemode(&enforce)
+ return int(enforce)
+}
+
+func mcs_add(mcs string) {
+ mcs_list[mcs] = true
+}
+
+func mcs_delete(mcs string) {
+ mcs_list[mcs] = false
+}
+
+func mcs_exists(mcs string) bool {
+ return mcs_list[mcs]
+}
+
+func uniq_mcs(catRange uint32) string {
+ var n uint32
+ var c1,c2 uint32
+ var mcs string
+ for ;; {
+ binary.Read(rand.Reader, binary.LittleEndian, &n)
+ c1 = n % catRange
+ binary.Read(rand.Reader, binary.LittleEndian, &n)
+ c2 = n % catRange
+ if c1 == c2 {
+ continue
+ } else {
+ if c1 > c2 {
+ t := c1
+ c1 = c2
+ c2 = t
+ }
+ }
+ mcs = fmt.Sprintf("s0:c%d,c%d", c1, c2)
+ if mcs_exists(mcs) {
+ continue
+ }
+ mcs_add(mcs)
+ break
+ }
+ return mcs
+}
+func free_context(process_label string) {
+ var scon Context
+ scon = New_context(process_label)
+ mcs_delete(scon.Get_level())
+}
+
+func Get_lxc_contexts() (process_label string, file_label string) {
+ var val, key string
+ var bufin *bufio.Reader
+ if ! Selinux_enabled() {
+ return
+ }
+ lxc_path := C.GoString(C.selinux_lxc_contexts_path())
+ file_label = "system_u:object_r:svirt_sandbox_file_t:s0"
+ process_label = "system_u:system_r:svirt_lxc_net_t:s0"
+
+ in, err := os.Open(lxc_path)
+ if err != nil {
+ goto exit
+ }
+
+ defer in.Close()
+ bufin = bufio.NewReader(in)
+
+ for done := false; !done; {
+ var line string
+ if line, err = bufin.ReadString('\n'); err != nil {
+ if err == io.EOF {
+ done = true
+ } else {
+ goto exit
+ }
+ }
+ line = strings.TrimSpace(line)
+ if len(line) == 0 {
+ // Skip blank lines
+ continue
+ }
+ if line[0] == ';' || line[0] == '#' {
+ // Skip comments
+ continue
+ }
+ if groups := assignRegex.FindStringSubmatch(line); groups != nil {
+ key, val = strings.TrimSpace(groups[1]), strings.TrimSpace(groups[2])
+ if key == "process" {
+ process_label = strings.Trim(val,"\"")
+ }
+ if key == "file" {
+ file_label = strings.Trim(val,"\"")
+ }
+ }
+ }
+exit:
+ var scon Context
+ mcs := uniq_mcs(1024)
+ scon = New_context(process_label)
+ scon.Set_level(mcs)
+ process_label = scon.Get()
+ scon = New_context(file_label)
+ scon.Set_level(mcs)
+ file_label = scon.Get()
+ return process_label, file_label
+}
+
+func CopyLevel (src, dest string) (string, error) {
+ if ! Selinux_enabled() {
+ return "", nil
+ }
+ if src == "" {
+ return "", nil
+ }
+ rc, err := C.security_check_context(C.CString(src))
+ if rc != 0 {
+ return "", err
+ }
+ rc, err = C.security_check_context(C.CString(dest))
+ if rc != 0 {
+ return "", err
+ }
+ scon := New_context(src)
+ tcon := New_context(dest)
+ tcon.Set_level(scon.Get_level())
+ return tcon.Get(), nil
+}
+
+func Test() {
+ var plabel,flabel string
+ if ! Selinux_enabled() {
+ return
+ }
+
+ plabel, flabel = Get_lxc_contexts()
+ fmt.Println(plabel)
+ fmt.Println(flabel)
+ free_context(plabel)
+ plabel, flabel = Get_lxc_contexts()
+ fmt.Println(plabel)
+ fmt.Println(flabel)
+ free_context(plabel)
+ if Selinux_enabled() {
+ fmt.Println("Enabled")
+ } else {
+ fmt.Println("Disabled")
+ }
+ fmt.Println(Selinux_getenforce())
+ fmt.Println(Selinux_getenforcemode())
+ flabel,_ = Matchpathcon("/home/dwalsh/.emacs", 0)
+ fmt.Println(flabel)
+}
diff --git a/libselinux/src/Makefile b/libselinux/src/Makefile
index 02dd829..6dfdb46 100644
--- a/libselinux/src/Makefile
+++ b/libselinux/src/Makefile
@@ -114,7 +114,7 @@ $(LIBA): $(OBJS)
$(RANLIB) $@
$(LIBSO): $(LOBJS)
- $(CC) $(CFLAGS) -shared -o $@ $^ -lpcre -ldl $(LDFLAGS) -L$(LIBDIR) -Wl,-soname,$(LIBSO),-z,defs,-z,relro
+ $(CC) $(CFLAGS) -shared -o $@ $^ -lpcre -llzma -ldl $(LDFLAGS) -L$(LIBDIR) -Wl,-soname,$(LIBSO),-z,defs,-z,relro
ln -sf $@ $(TARGET)
$(LIBPC): $(LIBPC).in ../VERSION
diff --git a/libselinux/src/load_policy.c b/libselinux/src/load_policy.c
index e419f1a..fdeca93 100644
--- a/libselinux/src/load_policy.c
+++ b/libselinux/src/load_policy.c
@@ -16,6 +16,82 @@
#include <dlfcn.h>
#include "policy.h"
#include <limits.h>
+#include <lzma.h>
+
+static char *lzmaread(int fd, size_t *rsize) {
+ int capacity = 64*1024;
+ char *buf = NULL;
+ int tmpsize = 8 * 1024;
+ unsigned char tmp[tmpsize];
+ unsigned char tmp_out[tmpsize];
+ size_t size = 0;
+ lzma_stream strm = LZMA_STREAM_INIT;
+ lzma_action action = LZMA_RUN;
+ lzma_ret ret;
+
+ FILE *stream = fdopen (fd, "r");
+ if (!stream) {
+ return NULL;
+ }
+ ret = lzma_stream_decoder(&strm, UINT64_MAX,
+ LZMA_CONCATENATED);
+
+ strm.avail_in = 0;
+ strm.next_out = tmp_out;
+ strm.avail_out = tmpsize;
+
+ buf = (char *) malloc (capacity);
+ if (!buf)
+ goto err;
+
+ while (1) {
+ if (strm.avail_in == 0) {
+ strm.next_in = tmp;
+ strm.avail_in = fread(tmp, 1, tmpsize, stream);
+
+ if (ferror(stream)) {
+ // POSIX says that fread() sets errno if
+ // an error occurred. ferror() doesn't
+ // touch errno.
+ goto err;
+ }
+ if (feof(stream)) action = LZMA_FINISH;
+ }
+
+ ret = lzma_code(&strm, action);
+
+ // Write and check write error before checking decoder error.
+ // This way as much data as possible gets written to output
+ // even if decoder detected an error.
+ if (strm.avail_out == 0 || ret != LZMA_OK) {
+ const size_t num = tmpsize - strm.avail_out;
+ if (num > capacity) {
+ buf = (char*) realloc (buf, size*2);
+ capacity = size;
+ }
+ memcpy (buf+size, tmp_out, num);
+ capacity -= num;
+ size += num;
+ strm.next_out = tmp_out;
+ strm.avail_out = tmpsize;
+ }
+ if (ret != LZMA_OK) {
+ if (ret == LZMA_STREAM_END) {
+ break;
+ } else {
+ goto err;
+ }
+ }
+ }
+ *rsize = size;
+
+ goto exit;
+err:
+ free(buf); buf = NULL;
+exit:
+ lzma_end(&strm);
+ return buf;
+}
int security_load_policy(void *data, size_t len)
{
@@ -55,7 +131,7 @@ int selinux_mkload_policy(int preservebools)
struct stat sb;
struct utsname uts;
size_t size;
- void *map, *data;
+ void *map = NULL, *data=NULL;
int fd, rc = -1, prot;
sepol_policydb_t *policydb;
sepol_policy_file_t *pf;
@@ -181,24 +257,28 @@ checkbool:
goto dlclose;
}
- if (fstat(fd, &sb) < 0) {
- fprintf(stderr,
- "SELinux: Could not stat policy file %s: %s\n",
- path, strerror(errno));
- goto close;
- }
-
- prot = PROT_READ;
- if (setlocaldefs || preservebools)
- prot |= PROT_WRITE;
+ data = lzmaread(fd,&size);
- size = sb.st_size;
- data = map = mmap(NULL, size, prot, MAP_PRIVATE, fd, 0);
- if (map == MAP_FAILED) {
- fprintf(stderr,
- "SELinux: Could not map policy file %s: %s\n",
+ if (!data) {
+ if (fstat(fd, &sb) < 0) {
+ fprintf(stderr,
+ "SELinux: Could not stat policy file %s: %s\n",
path, strerror(errno));
- goto close;
+ goto close;
+ }
+
+ prot = PROT_READ;
+ if (setlocaldefs || preservebools)
+ prot |= PROT_WRITE;
+
+ size = sb.st_size;
+ data = map = mmap(NULL, size, prot, MAP_PRIVATE, fd, 0);
+ if (map == MAP_FAILED) {
+ fprintf(stderr,
+ "SELinux: Could not map policy file %s: %s\n",
+ path, strerror(errno));
+ goto close;
+ }
}
if (vers > kernvers && usesepol) {
@@ -210,6 +290,8 @@ checkbool:
goto unmap;
}
policy_file_set_mem(pf, data, size);
+ if (!map)
+ free(data);
if (policydb_read(policydb, pf)) {
policy_file_free(pf);
policydb_free(policydb);
@@ -223,7 +305,8 @@ checkbool:
path);
policy_file_free(pf);
policydb_free(policydb);
- munmap(map, sb.st_size);
+ if (map)
+ munmap(map, sb.st_size);
close(fd);
vers--;
goto search;
@@ -275,7 +358,7 @@ checkbool:
#endif
}
-
+
rc = security_load_policy(data, size);
if (rc)
@@ -286,7 +369,8 @@ checkbool:
unmap:
if (data != map)
free(data);
- munmap(map, sb.st_size);
+ if (map)
+ munmap(map, sb.st_size);
close:
close(fd);
dlclose:
@@ -410,7 +494,7 @@ int selinux_init_load_policy(int *enforce)
* already mounted and selinuxmnt set above.
*/
- if (seconfig == -1) {
+ if (*enforce == -1) {
/* Runtime disable of SELinux. */
rc = security_disable();
if (rc == 0) {
diff --git a/libselinux/src/matchpathcon.c b/libselinux/src/matchpathcon.c
index 2d7369e..2a00807 100644
--- a/libselinux/src/matchpathcon.c
+++ b/libselinux/src/matchpathcon.c
@@ -2,6 +2,7 @@
#include <string.h>
#include <errno.h>
#include <stdio.h>
+#include <syslog.h>
#include "selinux_internal.h"
#include "label_internal.h"
#include "callbacks.h"
@@ -62,7 +63,7 @@ static void
{
va_list ap;
va_start(ap, fmt);
- vfprintf(stderr, fmt, ap);
+ vsyslog(LOG_ERR, fmt, ap);
va_end(ap);
}