libsemanage-3.5-2
- Include more parameters in the module checksum
This commit is contained in:
Petr Lautrbach
parent
7501bde863
commit
b124ac62b7
103
0001-libsemanage-include-more-parameters-in-the-module-ch.patch
Normal file
103
0001-libsemanage-include-more-parameters-in-the-module-ch.patch
Normal file
@ -0,0 +1,103 @@
|
||||
From a6b472835502d5fc9fc263db07de69527943ac91 Mon Sep 17 00:00:00 2001
|
||||
From: Ondrej Mosnacek <omosnace@redhat.com>
|
||||
Date: Wed, 8 Mar 2023 10:46:42 +0100
|
||||
Subject: [PATCH] libsemanage: include more parameters in the module checksum
|
||||
Content-type: text/plain
|
||||
|
||||
The check_ext_changes option currently assumes that as long as the
|
||||
module content is unchanged, it is safe to assume that the policy.linked
|
||||
file doesn't need to be rebuilt. However, there are some additional
|
||||
parameters that can affect the content of this policy file, namely:
|
||||
* the disable_dontaudit and preserve_tunables flags
|
||||
* the target_platform and policyvers configuration values
|
||||
|
||||
Include these in the checksum so that the option works correctly when
|
||||
only some of these input values are changed versus the current state.
|
||||
|
||||
Fixes: 286a679fadc4 ("libsemanage: optionally rebuild policy when modules are changed externally")
|
||||
Acked-by: Stephen Smalley <stephen.smalley.work@gmail.com>
|
||||
Signed-off-by: Ondrej Mosnacek <omosnace@redhat.com>
|
||||
---
|
||||
libsemanage/src/direct_api.c | 31 +++++++++++++++++++++++++++++--
|
||||
1 file changed, 29 insertions(+), 2 deletions(-)
|
||||
|
||||
diff --git a/libsemanage/src/direct_api.c b/libsemanage/src/direct_api.c
|
||||
index 7aa081abb3b7..d740070d538e 100644
|
||||
--- a/libsemanage/src/direct_api.c
|
||||
+++ b/libsemanage/src/direct_api.c
|
||||
@@ -863,6 +863,14 @@ static void update_checksum_with_len(Sha256Context *context, size_t s)
|
||||
Sha256Update(context, buffer, 8);
|
||||
}
|
||||
|
||||
+static void update_checksum_with_bool(Sha256Context *context, bool b)
|
||||
+{
|
||||
+ uint8_t byte;
|
||||
+
|
||||
+ byte = b ? UINT8_C(1) : UINT8_C(0);
|
||||
+ Sha256Update(context, &byte, 1);
|
||||
+}
|
||||
+
|
||||
static int semanage_compile_module(semanage_handle_t *sh,
|
||||
semanage_module_info_t *modinfo,
|
||||
Sha256Context *context)
|
||||
@@ -977,13 +985,21 @@ static int modinfo_cmp(const void *a, const void *b)
|
||||
return strcmp(ma->name, mb->name);
|
||||
}
|
||||
|
||||
+struct extra_checksum_params {
|
||||
+ int disable_dontaudit;
|
||||
+ int preserve_tunables;
|
||||
+ int target_platform;
|
||||
+ int policyvers;
|
||||
+};
|
||||
+
|
||||
static int semanage_compile_hll_modules(semanage_handle_t *sh,
|
||||
semanage_module_info_t *modinfos,
|
||||
int num_modinfos,
|
||||
+ const struct extra_checksum_params *extra,
|
||||
char *cil_checksum)
|
||||
{
|
||||
/* to be incremented when checksum input data format changes */
|
||||
- static const size_t CHECKSUM_EPOCH = 1;
|
||||
+ static const size_t CHECKSUM_EPOCH = 2;
|
||||
|
||||
int i, status = 0;
|
||||
char cil_path[PATH_MAX];
|
||||
@@ -1000,6 +1016,10 @@ static int semanage_compile_hll_modules(semanage_handle_t *sh,
|
||||
|
||||
Sha256Initialise(&context);
|
||||
update_checksum_with_len(&context, CHECKSUM_EPOCH);
|
||||
+ update_checksum_with_bool(&context, !!extra->disable_dontaudit);
|
||||
+ update_checksum_with_bool(&context, !!extra->preserve_tunables);
|
||||
+ update_checksum_with_len(&context, (size_t)extra->target_platform);
|
||||
+ update_checksum_with_len(&context, (size_t)extra->policyvers);
|
||||
|
||||
/* prefix with module count to avoid collisions */
|
||||
update_checksum_with_len(&context, num_modinfos);
|
||||
@@ -1134,6 +1154,7 @@ static int semanage_direct_commit(semanage_handle_t * sh)
|
||||
mode_t mask = umask(0077);
|
||||
struct stat sb;
|
||||
char modules_checksum[CHECKSUM_CONTENT_SIZE + 1 /* '\0' */];
|
||||
+ struct extra_checksum_params extra;
|
||||
|
||||
int do_rebuild, do_write_kernel, do_install;
|
||||
int fcontexts_modified, ports_modified, seusers_modified,
|
||||
@@ -1274,8 +1295,14 @@ static int semanage_direct_commit(semanage_handle_t * sh)
|
||||
goto cleanup;
|
||||
}
|
||||
|
||||
+ extra = (struct extra_checksum_params){
|
||||
+ .disable_dontaudit = sepol_get_disable_dontaudit(sh->sepolh),
|
||||
+ .preserve_tunables = sepol_get_preserve_tunables(sh->sepolh),
|
||||
+ .target_platform = sh->conf->target_platform,
|
||||
+ .policyvers = sh->conf->policyvers,
|
||||
+ };
|
||||
retval = semanage_compile_hll_modules(sh, modinfos, num_modinfos,
|
||||
- modules_checksum);
|
||||
+ &extra, modules_checksum);
|
||||
if (retval < 0) {
|
||||
ERR(sh, "Failed to compile hll files into cil files.\n");
|
||||
goto cleanup;
|
||||
--
|
||||
2.40.0
|
||||
|
||||
@ -4,12 +4,13 @@
|
||||
Summary: SELinux binary policy manipulation library
|
||||
Name: libsemanage
|
||||
Version: 3.5
|
||||
Release: 1%{?dist}
|
||||
Release: 2%{?dist}
|
||||
License: LGPL-2.1-or-later
|
||||
Source0: https://github.com/SELinuxProject/selinux/releases/download/3.5/libsemanage-3.5.tar.gz
|
||||
# git format-patch -N 3.5 -- libsemanage
|
||||
# i=1; for j in 00*patch; do printf "Patch%04d: %s\n" $i $j; i=$((i+1));done
|
||||
# Patch list start
|
||||
Patch0001: 0001-libsemanage-include-more-parameters-in-the-module-ch.patch
|
||||
# Patch list end
|
||||
URL: https://github.com/SELinuxProject/selinux/wiki
|
||||
Source1: semanage.conf
|
||||
@ -154,6 +155,9 @@ cp %{SOURCE1} ${RPM_BUILD_ROOT}%{_sysconfdir}/selinux/semanage.conf
|
||||
%{_libexecdir}/selinux/semanage_migrate_store
|
||||
|
||||
%changelog
|
||||
* Fri Mar 24 2023 Petr Lautrbach <lautrbach@redhat.com> - 3.5-2
|
||||
- Include more parameters in the module checksum (#2173959)
|
||||
|
||||
* Fri Feb 24 2023 Petr Lautrbach <lautrbach@redhat.com> - 3.5-1
|
||||
- SELinux userspace 3.5 release
|
||||
|
||||
|
||||
Loading…
Reference in New Issue
Block a user