Diffstat (limited to '0002-Avoid-mounting-proc-outside-of-selinux_init_load_pol.patch')
-rw-r--r--0002-Avoid-mounting-proc-outside-of-selinux_init_load_pol.patch130
1 files changed, 0 insertions, 130 deletions
diff --git a/0002-Avoid-mounting-proc-outside-of-selinux_init_load_pol.patch b/0002-Avoid-mounting-proc-outside-of-selinux_init_load_pol.patch
deleted file mode 100644
index 5b666bebf50e..000000000000
--- a/0002-Avoid-mounting-proc-outside-of-selinux_init_load_pol.patch
+++ /dev/null
@@ -1,130 +0,0 @@
-From e4057752bc98451232d402364dc6dc9dff2a5e60 Mon Sep 17 00:00:00 2001
-From: Stephen Smalley <sds@tycho.nsa.gov>
-Date: Fri, 13 May 2016 11:59:47 -0400
-Subject: [PATCH 2/2] Avoid mounting /proc outside of
- selinux_init_load_policy().
-
-Temporarily mounting /proc within selinuxfs_exists() can cause
-problems since it can be called by a libselinux constructor and
-therefore may be invoked by every program linked with libselinux.
-Since this was only motivated originally by a situation where
-selinuxfs_exists() was called from selinux_init_load_policy()
-before /proc was mounted, fix it in selinux_init_load_policy() instead.
-
-This reverts commit 5a8d8c499b2ef80eaa7b5abe2ec68d7101e613bf
-("libselinux: only mount /proc if necessary") and
-commit 9df498884665d79474b79f0f30d1cd67df11bd3e
-("libselinux: Mount procfs before checking /proc/filesystems").
-
-Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
----
- libselinux/src/init.c | 27 +++------------------------
- libselinux/src/load_policy.c | 15 ++++++++++-----
- 2 files changed, 13 insertions(+), 29 deletions(-)
-
-diff --git a/libselinux/src/init.c b/libselinux/src/init.c
-index 35305942970f..3c687a29d7ff 100644
---- a/libselinux/src/init.c
-+++ b/libselinux/src/init.c
-@@ -11,8 +11,6 @@
- #include <sys/vfs.h>
- #include <stdint.h>
- #include <limits.h>
--#include <sys/mount.h>
--#include <linux/magic.h>
-
- #include "dso.h"
- #include "policy.h"
-@@ -58,26 +56,15 @@ static int verify_selinuxmnt(const char *mnt)
-
- int selinuxfs_exists(void)
- {
-- int exists = 0, mnt_rc = -1, rc;
-- struct statfs sb;
-+ int exists = 0;
- FILE *fp = NULL;
- char *buf = NULL;
- size_t len;
- ssize_t num;
-
-- do {
-- rc = statfs("/proc", &sb);
-- } while (rc < 0 && errno == EINTR);
--
-- if (rc == 0 && ((uint32_t)sb.f_type != (uint32_t)PROC_SUPER_MAGIC))
-- mnt_rc = mount("proc", "/proc", "proc", 0, 0);
--
- fp = fopen("/proc/filesystems", "r");
-- if (!fp) {
-- exists = 1; /* Fail as if it exists */
-- goto out;
-- }
--
-+ if (!fp)
-+ return 1; /* Fail as if it exists */
- __fsetlocking(fp, FSETLOCKING_BYCALLER);
-
- num = getline(&buf, &len, fp);
-@@ -91,14 +78,6 @@ int selinuxfs_exists(void)
-
- free(buf);
- fclose(fp);
--
--out:
--#ifndef MNT_DETACH
--#define MNT_DETACH 2
--#endif
-- if (mnt_rc == 0)
-- umount2("/proc", MNT_DETACH);
--
- return exists;
- }
- hidden_def(selinuxfs_exists)
-diff --git a/libselinux/src/load_policy.c b/libselinux/src/load_policy.c
-index 21ee58b2e4d7..4f39fc78d7bf 100644
---- a/libselinux/src/load_policy.c
-+++ b/libselinux/src/load_policy.c
-@@ -17,6 +17,10 @@
- #include "policy.h"
- #include <limits.h>
-
-+#ifndef MNT_DETACH
-+#define MNT_DETACH 2
-+#endif
-+
- int security_load_policy(void *data, size_t len)
- {
- char path[PATH_MAX];
-@@ -348,11 +352,6 @@ int selinux_init_load_policy(int *enforce)
- fclose(cfg);
- free(buf);
- }
--#ifndef MNT_DETACH
--#define MNT_DETACH 2
--#endif
-- if (rc == 0)
-- umount2("/proc", MNT_DETACH);
-
- /*
- * Determine the final desired mode.
-@@ -400,11 +399,17 @@ int selinux_init_load_policy(int *enforce)
- /* Only emit this error if selinux was not disabled */
- fprintf(stderr, "Mount failed for selinuxfs on %s: %s\n", SELINUXMNT, strerror(errno));
- }
-+
-+ if (rc == 0)
-+ umount2("/proc", MNT_DETACH);
-
- goto noload;
- }
- set_selinuxmnt(mntpoint);
-
-+ if (rc == 0)
-+ umount2("/proc", MNT_DETACH);
-+
- /*
- * Note: The following code depends on having selinuxfs
- * already mounted and selinuxmnt set above.
---
-2.9.3
-