-rw-r--r--.SRCINFO10
-rw-r--r--0001-libselinux-only-mount-proc-if-necessary.patch54
-rw-r--r--0002-Avoid-mounting-proc-outside-of-selinux_init_load_pol.patch130
-rw-r--r--PKGBUILD15
4 files changed, 202 insertions, 7 deletions
diff --git a/.SRCINFO b/.SRCINFO
index d1aa91e4eabc..245bdbf7796d 100644
--- a/.SRCINFO
+++ b/.SRCINFO
@@ -1,9 +1,7 @@
-# Generated by makepkg 5.0.0
-# Sat Feb 27 11:50:45 UTC 2016
pkgbase = libselinux
pkgdesc = SELinux library and simple utilities
pkgver = 2.5
- pkgrel = 1
+ pkgrel = 2
url = http://userspace.selinuxproject.org
arch = i686
arch = x86_64
@@ -20,13 +18,17 @@ pkgbase = libselinux
optdepends = python2: python2 bindings
optdepends = python: python bindings
optdepends = ruby: ruby bindings
- provides = selinux-usr-libselinux=2.5-1
+ provides = selinux-usr-libselinux=2.5-2
conflicts = selinux-usr-libselinux
options = !emptydirs
source = https://raw.githubusercontent.com/wiki/SELinuxProject/selinux/files/releases/20160223/libselinux-2.5.tar.gz
source = libselinux.tmpfiles.d
+ source = 0001-libselinux-only-mount-proc-if-necessary.patch
+ source = 0002-Avoid-mounting-proc-outside-of-selinux_init_load_pol.patch
sha256sums = 94c9e97706280bedcc288f784f67f2b9d3d6136c192b2c9f812115edba58514f
sha256sums = afe23890fb2e12e6756e5d81bad3c3da33f38a95d072731c0422fbeb0b1fa1fc
+ sha256sums = da3ed20d45b7656c25411bcc31109a78b64265978839bbc06b25151a7231611c
+ sha256sums = 1d20ae0d6fb39dd93258388297206980cb530b04511c4b16db247e05c84804a8
pkgname = libselinux
diff --git a/0001-libselinux-only-mount-proc-if-necessary.patch b/0001-libselinux-only-mount-proc-if-necessary.patch
new file mode 100644
index 000000000000..eb718a20d82f
--- /dev/null
+++ b/0001-libselinux-only-mount-proc-if-necessary.patch
@@ -0,0 +1,54 @@
+From fb2c271e1903ca11320b9bfad747f55fb2b1535f Mon Sep 17 00:00:00 2001
+From: Stephen Smalley <sds@tycho.nsa.gov>
+Date: Mon, 29 Feb 2016 10:10:55 -0500
+Subject: [PATCH 1/2] libselinux: only mount /proc if necessary
+
+Commit 9df498884665d ("libselinux: Mount procfs before checking
+/proc/filesystems") changed selinuxfs_exists() to always try
+mounting /proc before reading /proc/filesystems. However, this is
+unnecessary if /proc is already mounted and can produce avc denials
+if the process is not allowed to perform the mount. Check first
+to see if /proc is already present and only try the mount if it is not.
+
+Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
+---
+ libselinux/src/init.c | 11 +++++++++--
+ 1 file changed, 9 insertions(+), 2 deletions(-)
+
+diff --git a/libselinux/src/init.c b/libselinux/src/init.c
+index 3db4de06aa7e..35305942970f 100644
+--- a/libselinux/src/init.c
++++ b/libselinux/src/init.c
+@@ -12,6 +12,7 @@
+ #include <stdint.h>
+ #include <limits.h>
+ #include <sys/mount.h>
++#include <linux/magic.h>
+
+ #include "dso.h"
+ #include "policy.h"
+@@ -57,13 +58,19 @@ static int verify_selinuxmnt(const char *mnt)
+
+ int selinuxfs_exists(void)
+ {
+- int exists = 0, mnt_rc = 0;
++ int exists = 0, mnt_rc = -1, rc;
++ struct statfs sb;
+ FILE *fp = NULL;
+ char *buf = NULL;
+ size_t len;
+ ssize_t num;
+
+- mnt_rc = mount("proc", "/proc", "proc", 0, 0);
++ do {
++ rc = statfs("/proc", &sb);
++ } while (rc < 0 && errno == EINTR);
++
++ if (rc == 0 && ((uint32_t)sb.f_type != (uint32_t)PROC_SUPER_MAGIC))
++ mnt_rc = mount("proc", "/proc", "proc", 0, 0);
+
+ fp = fopen("/proc/filesystems", "r");
+ if (!fp) {
+--
+2.9.3
+
diff --git a/0002-Avoid-mounting-proc-outside-of-selinux_init_load_pol.patch b/0002-Avoid-mounting-proc-outside-of-selinux_init_load_pol.patch
new file mode 100644
index 000000000000..5b666bebf50e
--- /dev/null
+++ b/0002-Avoid-mounting-proc-outside-of-selinux_init_load_pol.patch
@@ -0,0 +1,130 @@
+From e4057752bc98451232d402364dc6dc9dff2a5e60 Mon Sep 17 00:00:00 2001
+From: Stephen Smalley <sds@tycho.nsa.gov>
+Date: Fri, 13 May 2016 11:59:47 -0400
+Subject: [PATCH 2/2] Avoid mounting /proc outside of
+ selinux_init_load_policy().
+
+Temporarily mounting /proc within selinuxfs_exists() can cause
+problems since it can be called by a libselinux constructor and
+therefore may be invoked by every program linked with libselinux.
+Since this was only motivated originally by a situation where
+selinuxfs_exists() was called from selinux_init_load_policy()
+before /proc was mounted, fix it in selinux_init_load_policy() instead.
+
+This reverts commit 5a8d8c499b2ef80eaa7b5abe2ec68d7101e613bf
+("libselinux: only mount /proc if necessary") and
+commit 9df498884665d79474b79f0f30d1cd67df11bd3e
+("libselinux: Mount procfs before checking /proc/filesystems").
+
+Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
+---
+ libselinux/src/init.c | 27 +++------------------------
+ libselinux/src/load_policy.c | 15 ++++++++++-----
+ 2 files changed, 13 insertions(+), 29 deletions(-)
+
+diff --git a/libselinux/src/init.c b/libselinux/src/init.c
+index 35305942970f..3c687a29d7ff 100644
+--- a/libselinux/src/init.c
++++ b/libselinux/src/init.c
+@@ -11,8 +11,6 @@
+ #include <sys/vfs.h>
+ #include <stdint.h>
+ #include <limits.h>
+-#include <sys/mount.h>
+-#include <linux/magic.h>
+
+ #include "dso.h"
+ #include "policy.h"
+@@ -58,26 +56,15 @@ static int verify_selinuxmnt(const char *mnt)
+
+ int selinuxfs_exists(void)
+ {
+- int exists = 0, mnt_rc = -1, rc;
+- struct statfs sb;
++ int exists = 0;
+ FILE *fp = NULL;
+ char *buf = NULL;
+ size_t len;
+ ssize_t num;
+
+- do {
+- rc = statfs("/proc", &sb);
+- } while (rc < 0 && errno == EINTR);
+-
+- if (rc == 0 && ((uint32_t)sb.f_type != (uint32_t)PROC_SUPER_MAGIC))
+- mnt_rc = mount("proc", "/proc", "proc", 0, 0);
+-
+ fp = fopen("/proc/filesystems", "r");
+- if (!fp) {
+- exists = 1; /* Fail as if it exists */
+- goto out;
+- }
+-
++ if (!fp)
++ return 1; /* Fail as if it exists */
+ __fsetlocking(fp, FSETLOCKING_BYCALLER);
+
+ num = getline(&buf, &len, fp);
+@@ -91,14 +78,6 @@ int selinuxfs_exists(void)
+
+ free(buf);
+ fclose(fp);
+-
+-out:
+-#ifndef MNT_DETACH
+-#define MNT_DETACH 2
+-#endif
+- if (mnt_rc == 0)
+- umount2("/proc", MNT_DETACH);
+-
+ return exists;
+ }
+ hidden_def(selinuxfs_exists)
+diff --git a/libselinux/src/load_policy.c b/libselinux/src/load_policy.c
+index 21ee58b2e4d7..4f39fc78d7bf 100644
+--- a/libselinux/src/load_policy.c
++++ b/libselinux/src/load_policy.c
+@@ -17,6 +17,10 @@
+ #include "policy.h"
+ #include <limits.h>
+
++#ifndef MNT_DETACH
++#define MNT_DETACH 2
++#endif
++
+ int security_load_policy(void *data, size_t len)
+ {
+ char path[PATH_MAX];
+@@ -348,11 +352,6 @@ int selinux_init_load_policy(int *enforce)
+ fclose(cfg);
+ free(buf);
+ }
+-#ifndef MNT_DETACH
+-#define MNT_DETACH 2
+-#endif
+- if (rc == 0)
+- umount2("/proc", MNT_DETACH);
+
+ /*
+ * Determine the final desired mode.
+@@ -400,11 +399,17 @@ int selinux_init_load_policy(int *enforce)
+ /* Only emit this error if selinux was not disabled */
+ fprintf(stderr, "Mount failed for selinuxfs on %s: %s\n", SELINUXMNT, strerror(errno));
+ }
++
++ if (rc == 0)
++ umount2("/proc", MNT_DETACH);
+
+ goto noload;
+ }
+ set_selinuxmnt(mntpoint);
+
++ if (rc == 0)
++ umount2("/proc", MNT_DETACH);
++
+ /*
+ * Note: The following code depends on having selinuxfs
+ * already mounted and selinuxmnt set above.
+--
+2.9.3
+
diff --git a/PKGBUILD b/PKGBUILD
index 95eb4457b9b6..ee95fe76d635 100644
--- a/PKGBUILD
+++ b/PKGBUILD
@@ -6,7 +6,7 @@
pkgname=libselinux
pkgver=2.5
-pkgrel=1
+pkgrel=2
pkgdesc="SELinux library and simple utilities"
arch=('i686' 'x86_64' 'armv6h')
url='http://userspace.selinuxproject.org'
@@ -21,14 +21,23 @@ conflicts=("selinux-usr-${pkgname}")
provides=("selinux-usr-${pkgname}=${pkgver}-${pkgrel}")
options=(!emptydirs)
source=("https://raw.githubusercontent.com/wiki/SELinuxProject/selinux/files/releases/20160223/${pkgname}-${pkgver}.tar.gz"
- "libselinux.tmpfiles.d")
+ "libselinux.tmpfiles.d"
+ "0001-libselinux-only-mount-proc-if-necessary.patch"
+ "0002-Avoid-mounting-proc-outside-of-selinux_init_load_pol.patch")
sha256sums=('94c9e97706280bedcc288f784f67f2b9d3d6136c192b2c9f812115edba58514f'
- 'afe23890fb2e12e6756e5d81bad3c3da33f38a95d072731c0422fbeb0b1fa1fc')
+ 'afe23890fb2e12e6756e5d81bad3c3da33f38a95d072731c0422fbeb0b1fa1fc'
+ 'da3ed20d45b7656c25411bcc31109a78b64265978839bbc06b25151a7231611c'
+ '1d20ae0d6fb39dd93258388297206980cb530b04511c4b16db247e05c84804a8')
prepare() {
cd "${pkgname}-${pkgver}"
sed -i 's|pkg-config --cflags ruby|pkg-config --cflags ruby-$(RUBYLIBVER)|' src/Makefile
sed -i 's|site_ruby|vendor_ruby|' src/Makefile
+
+ # Backport commits to fix issues when SELinux is disabled
+ # https://github.com/systemd/systemd/issues/3962#issuecomment-239827399
+ patch -Np2 -i "../0001-libselinux-only-mount-proc-if-necessary.patch"
+ patch -Np2 -i "../0002-Avoid-mounting-proc-outside-of-selinux_init_load_pol.patch"
}
build() {
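Review bot: The comment added above the two `patch` calls in prepare() does not say how the patches relate, although 0002's own description states that it reverts the change 0001 introduces ("libselinux: only mount /proc if necessary"), so 0001 is applied only so that 0002 applies cleanly on top of it. Recording that, together with the upstream commit ids from the patch headers, would make the next rebase or drop of these patches easier; something like `# 0001 (upstream fb2c271e1903) is superseded by 0002 (upstream e4057752bc98), which reverts it; both are kept so 0002 patches cleanly` above the `patch` lines fits. Note also that 0002's message cites 5a8d8c499b2ef80eaa7b5abe2ec68d7101e613bf for the change it reverts, while 0001 carries fb2c271e1903ca11320b9bfad747f55fb2b1535f in its From line, presumably the same change taken from a different branch; it is worth confirming both files against the upstream commits before relying on them as the fix for the linked systemd issue.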