Backport few upstrem fixes from master

Resolves: upstream#3297 Fix issue with IPA + SELinux in containers Resolves: upstream#3360 Do not leak selinux context on clients destruction (cherry picked from commit 22e5820a7b)
2017-04-06 16:03:16 +02:00 · 2017-04-06 16:03:16 +02:00 · 39f9584222
commit 39f9584222
parent 9c697fc1c9
3 changed files with 287 additions and 1 deletions
--- a/0001-responders-do-not-leak-selinux-context-on-clients-de.patch
+++ b/0001-responders-do-not-leak-selinux-context-on-clients-de.patch
@ -0,0 +1,68 @@
+From 05c2c3047912fca1c1a35ab1c8d3157b05383495 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Pavel=20B=C5=99ezina?= <pbrezina@redhat.com>
+Date: Mon, 3 Apr 2017 12:56:01 +0200
+Subject: [PATCH] responders: do not leak selinux context on clients
+ destruction
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+The SELinux context created in get_client_cred is not talloc bound and
+we were leaking it if available with each client's destruction.
+
+Resolves:
+https://pagure.io/SSSD/sssd/issue/3360
+
+Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
+---
+ src/responder/common/responder_common.c | 20 +++++++++++++++++++-
+ 1 file changed, 19 insertions(+), 1 deletion(-)
+
+diff --git a/src/responder/common/responder_common.c b/src/responder/common/responder_common.c
+index 154d7dc7718c437d10e152fcba98161e2034fb14..67e1deefdfde19c95a68029b11099579d851513f 100644
+--- a/src/responder/common/responder_common.c
+++ b/src/responder/common/responder_common.c
+@@ -97,7 +97,7 @@ static errno_t get_client_cred(struct cli_ctx *cctx)
+     SEC_CTX secctx;
+     int ret;
+ 
+-    cctx->creds = talloc(cctx, struct cli_creds);
+    cctx->creds = talloc_zero(cctx, struct cli_creds);
+     if (!cctx->creds) return ENOMEM;
+ 
+ #ifdef HAVE_UCRED
+@@ -464,6 +464,22 @@ static void client_fd_handler(struct tevent_context *ev,
+ 
+ static errno_t setup_client_idle_timer(struct cli_ctx *cctx);
+ 
+static int cli_ctx_destructor(struct cli_ctx *cctx)
+{
+    if (cctx->creds == NULL) {
+        return 0;
+    }
+
+    if (cctx->creds->selinux_ctx == NULL) {
+        return 0;
+    }
+
+    SELINUX_context_free(cctx->creds->selinux_ctx);
+    cctx->creds->selinux_ctx = NULL;
+
+    return 0;
+}
+
+ struct accept_fd_ctx {
+     struct resp_ctx *rctx;
+     bool is_private;
+@@ -520,6 +536,8 @@ static void accept_fd_handler(struct tevent_context *ev,
+         return;
+     }
+ 
+    talloc_set_destructor(cctx, cli_ctx_destructor);
+
+     len = sizeof(cctx->addr);
+     cctx->cfd = accept(fd, (struct sockaddr *)&cctx->addr, &len);
+     if (cctx->cfd == -1) {
+-- 
+2.12.2
+
--- a/0002-selinux-Do-not-fail-if-SELinux-is-not-managed.patch
+++ b/0002-selinux-Do-not-fail-if-SELinux-is-not-managed.patch
@ -0,0 +1,210 @@
+From 78a08d30b5fbf6e1e3b589e0cf67022e0c1faa33 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Michal=20=C5=BDidek?= <mzidek@redhat.com>
+Date: Wed, 8 Feb 2017 12:01:37 +0100
+Subject: [PATCH] selinux: Do not fail if SELinux is not managed
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Previously we failed if semanage_is_managed returned 0 or -1 (not
+managed or error). With this patch we only fail in case of error and
+continue normally if selinux is not managed by libsemanage at all.
+
+Resolves:
+https://fedorahosted.org/sssd/ticket/3297
+
+Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
+---
+ Makefile.am                       |  1 +
+ src/providers/ipa/selinux_child.c |  9 ++++--
+ src/util/sss_semanage.c           | 61 +++++++++++++++++++++++++--------------
+ src/util/util_errors.c            |  1 +
+ src/util/util_errors.h            |  1 +
+ 5 files changed, 49 insertions(+), 24 deletions(-)
+
+diff --git a/Makefile.am b/Makefile.am
+index 5264183cd199be464e5e99d2ab31ba4fcd77c5ec..d45c0ff757dfae378c71c6f8850fddce2c61cad8 100644
+--- a/Makefile.am
+++ b/Makefile.am
+@@ -4040,6 +4040,7 @@ selinux_child_SOURCES = \
+     src/util/atomic_io.c \
+     src/util/util.c \
+     src/util/util_ext.c \
+    src/util/util_errors.c
+     $(NULL)
+ selinux_child_CFLAGS = \
+     $(AM_CFLAGS) \
+diff --git a/src/providers/ipa/selinux_child.c b/src/providers/ipa/selinux_child.c
+index 380005c7ad3269fc8113c62ceef30b076455b5dd..f8dd3954a7244df2dcbb910aabf8888f41306c09 100644
+--- a/src/providers/ipa/selinux_child.c
+++ b/src/providers/ipa/selinux_child.c
+@@ -174,14 +174,19 @@ static bool seuser_needs_update(struct input_buffer *ibuf)
+ 
+     ret = get_seuser(ibuf, ibuf->username, &db_seuser, &db_mls_range);
+     DEBUG(SSSDBG_TRACE_INTERNAL,
+-          "get_seuser: ret: %d seuser: %s mls: %s\n",
+-          ret, db_seuser ? db_seuser : "unknown",
+          "get_seuser: ret: %d msg: [%s] seuser: %s mls: %s\n",
+          ret, sss_strerror(ret),
+          db_seuser ? db_seuser : "unknown",
+           db_mls_range ? db_mls_range : "unknown");
+     if (ret == EOK && db_seuser && db_mls_range &&
+             strcmp(db_seuser, ibuf->seuser) == 0 &&
+             strcmp(db_mls_range, ibuf->mls_range) == 0) {
+         needs_update = false;
+     }
+    /* OR */
+    if (ret == ERR_SELINUX_NOT_MANAGED) {
+        needs_update = false;
+    }
+ 
+     talloc_free(db_seuser);
+     talloc_free(db_mls_range);
+diff --git a/src/util/sss_semanage.c b/src/util/sss_semanage.c
+index fe06bee1dfec3abca3aa3cd5e85e55386ac11343..0da97aad4d8eba733b131c2749932e03ca4242c4 100644
+--- a/src/util/sss_semanage.c
+++ b/src/util/sss_semanage.c
+@@ -73,7 +73,7 @@ static void sss_semanage_close(semanage_handle_t *handle)
+     semanage_handle_destroy(handle);
+ }
+ 
+-static semanage_handle_t *sss_semanage_init(void)
+static int sss_semanage_init(semanage_handle_t **_handle)
+ {
+     int ret;
+     semanage_handle_t *handle = NULL;
+@@ -81,7 +81,8 @@ static semanage_handle_t *sss_semanage_init(void)
+     handle = semanage_handle_create();
+     if (!handle) {
+         DEBUG(SSSDBG_CRIT_FAILURE, "Cannot create SELinux management handle\n");
+-        return NULL;
+        ret = EIO;
+        goto done;
+     }
+ 
+     semanage_msg_set_callback(handle,
+@@ -89,28 +90,41 @@ static semanage_handle_t *sss_semanage_init(void)
+                               NULL);
+ 
+     ret = semanage_is_managed(handle);
+-    if (ret != 1) {
+-        DEBUG(SSSDBG_CRIT_FAILURE, "SELinux policy not managed\n");
+-        goto fail;
+    if (ret == 0) {
+        DEBUG(SSSDBG_TRACE_FUNC, "SELinux policy not managed via libsemanage\n");
+        ret = ERR_SELINUX_NOT_MANAGED;
+        goto done;
+    } else if (ret == -1) {
+        DEBUG(SSSDBG_CRIT_FAILURE, "Call to semanage_is_managed failed\n");
+        ret = EIO;
+        goto done;
+     }
+ 
+     ret = semanage_access_check(handle);
+     if (ret < SEMANAGE_CAN_READ) {
+         DEBUG(SSSDBG_CRIT_FAILURE, "Cannot read SELinux policy store\n");
+-        goto fail;
+        ret = EACCES;
+        goto done;
+     }
+ 
+     ret = semanage_connect(handle);
+     if (ret != 0) {
+         DEBUG(SSSDBG_CRIT_FAILURE,
+               "Cannot estabilish SELinux management connection\n");
+-        goto fail;
+        ret = EIO;
+        goto done;
+     }
+ 
+-    return handle;
+-fail:
+-    sss_semanage_close(handle);
+-    return NULL;
+    ret = EOK;
+
+done:
+    if (ret != EOK) {
+        sss_semanage_close(handle);
+    } else {
+        *_handle = handle;
+    }
+
+    return ret;
+ }
+ 
+ static int sss_semanage_user_add(semanage_handle_t *handle,
+@@ -228,10 +242,11 @@ int set_seuser(const char *login_name, const char *seuser_name,
+         return EOK;
+     }
+ 
+-    handle = sss_semanage_init();
+-    if (!handle) {
+-        DEBUG(SSSDBG_CRIT_FAILURE, "Cannot init SELinux management\n");
+-        ret = EIO;
+    ret = sss_semanage_init(&handle);
+    if (ret == ERR_SELINUX_NOT_MANAGED) {
+        goto done;
+    } else if (ret != EOK) {
+        DEBUG(SSSDBG_CRIT_FAILURE, "Cannot create SELinux handle\n");
+         goto done;
+     }
+ 
+@@ -295,10 +310,11 @@ int del_seuser(const char *login_name)
+     int ret;
+     int exists = 0;
+ 
+-    handle = sss_semanage_init();
+-    if (!handle) {
+-        DEBUG(SSSDBG_CRIT_FAILURE, "Cannot init SELinux management\n");
+-        ret = EIO;
+    ret = sss_semanage_init(&handle);
+    if (ret == ERR_SELINUX_NOT_MANAGED) {
+        goto done;
+    } else if (ret != EOK) {
+        DEBUG(SSSDBG_CRIT_FAILURE, "Cannot create SELinux handle\n");
+         goto done;
+     }
+ 
+@@ -377,10 +393,11 @@ int get_seuser(TALLOC_CTX *mem_ctx, const char *login_name,
+     semanage_seuser_t *sm_user = NULL;
+     semanage_seuser_key_t *sm_key = NULL;
+ 
+-    sm_handle = sss_semanage_init();
+-    if (sm_handle == NULL) {
+    ret = sss_semanage_init(&sm_handle);
+    if (ret == ERR_SELINUX_NOT_MANAGED) {
+        goto done;
+    } else if (ret != EOK) {
+         DEBUG(SSSDBG_CRIT_FAILURE, "Cannot create SELinux handle\n");
+-        ret = EIO;
+         goto done;
+     }
+ 
+diff --git a/src/util/util_errors.c b/src/util/util_errors.c
+index 466a3b4062f39b29d831a5d8a62dc8d576eb2e97..97eaf160f20bcc8cfe52254070a2d182e19addd4 100644
+--- a/src/util/util_errors.c
+++ b/src/util/util_errors.c
+@@ -75,6 +75,7 @@ struct err_string error_to_str[] = {
+     { "Cannot connect to system bus" }, /* ERR_NO_SYSBUS */
+     { "LDAP search returned a referral" }, /* ERR_REFERRAL */
+     { "Error setting SELinux user context" }, /* ERR_SELINUX_CONTEXT */
+    { "SELinux is not managed by libsemanage" }, /* ERR_SELINUX_NOT_MANAGED */
+     { "Username format not allowed by re_expression" }, /* ERR_REGEX_NOMATCH */
+     { "Time specification not supported" }, /* ERR_TIMESPEC_NOT_SUPPORTED */
+     { "Invalid SSSD configuration detected" }, /* ERR_INVALID_CONFIG */
+diff --git a/src/util/util_errors.h b/src/util/util_errors.h
+index 2f90c0a5d65325a431a8e4d9a480170808c9198e..4a250bf0339ba689680c155fa8e6d43f42c2467e 100644
+--- a/src/util/util_errors.h
+++ b/src/util/util_errors.h
+@@ -97,6 +97,7 @@ enum sssd_errors {
+     ERR_NO_SYSBUS,
+     ERR_REFERRAL,
+     ERR_SELINUX_CONTEXT,
+    ERR_SELINUX_NOT_MANAGED,
+     ERR_REGEX_NOMATCH,
+     ERR_TIMESPEC_NOT_SUPPORTED,
+     ERR_INVALID_CONFIG,
+-- 
+2.12.2
+
--- a/sssd.spec
+++ b/sssd.spec
@ -30,7 +30,7 @@

 Name: sssd
 Version: 1.15.2
-Release: 1%{?dist}
+Release: 2%{?dist}
 Group: Applications/System
 Summary: System Security Services Daemon
 License: GPLv3+
@ -39,6 +39,9 @@ Source0: https://releases.pagure.org/SSSD/sssd/%{name}-%{version}.tar.gz
 BuildRoot: %(mktemp -ud %{_tmppath}/%{name}-%{version}-%{release}-XXXXXX)

 ### Patches ###
+Patch0001: 0001-responders-do-not-leak-selinux-context-on-clients-de.patch
+patch0002: 0002-selinux-Do-not-fail-if-SELinux-is-not-managed.patch
+
 Patch0502:  0502-SYSTEMD-Use-capabilities.patch

 ### Dependencies ###
@ -1154,6 +1157,11 @@ fi
                                %{_libdir}/%{name}/modules/libwbclient.so

 %changelog
+* Thu Apr 06 2017 Lukas Slebodnik <lslebodn@redhat.com> - 1.15.2-2
+- Backport few upstrem fixes from master
+- Resolves: upstream#3297 Fix issue with IPA + SELinux in containers
+- Resolves: upstream#3360 Do not leak selinux context on clients destruction
+
 * Thu Mar 16 2017 Lukas Slebodnik <lslebodn@redhat.com> - 1.15.2-1
 - New upstream release 1.15.2
 - https://docs.pagure.org/SSSD.sssd/users/relnotes/notes_1_15_2.html