-rw-r--r-- | .SRCINFO | 10 | ||||
-rw-r--r-- | 0001-libselinux-only-mount-proc-if-necessary.patch | 54 | ||||
-rw-r--r-- | 0002-Avoid-mounting-proc-outside-of-selinux_init_load_pol.patch | 130 | ||||
-rw-r--r-- | PKGBUILD | 15 |
4 files changed, 202 insertions, 7 deletions
@@ -1,9 +1,7 @@
-# Generated by makepkg 5.0.0
-# Sat Feb 27 11:50:45 UTC 2016
 pkgbase = libselinux
 pkgdesc = SELinux library and simple utilities
 pkgver = 2.5
- pkgrel = 1
+ pkgrel = 2
 url = http://userspace.selinuxproject.org
 arch = i686
 arch = x86_64
@@ -20,13 +18,17 @@ pkgbase = libselinux
 optdepends = python2: python2 bindings
 optdepends = python: python bindings
 optdepends = ruby: ruby bindings
- provides = selinux-usr-libselinux=2.5-1
+ provides = selinux-usr-libselinux=2.5-2
 conflicts = selinux-usr-libselinux
 options = !emptydirs
 source = https://raw.githubusercontent.com/wiki/SELinuxProject/selinux/files/releases/20160223/libselinux-2.5.tar.gz
 source = libselinux.tmpfiles.d
+ source = 0001-libselinux-only-mount-proc-if-necessary.patch
+ source = 0002-Avoid-mounting-proc-outside-of-selinux_init_load_pol.patch
 sha256sums = 94c9e97706280bedcc288f784f67f2b9d3d6136c192b2c9f812115edba58514f
 sha256sums = afe23890fb2e12e6756e5d81bad3c3da33f38a95d072731c0422fbeb0b1fa1fc
+ sha256sums = da3ed20d45b7656c25411bcc31109a78b64265978839bbc06b25151a7231611c
+ sha256sums = 1d20ae0d6fb39dd93258388297206980cb530b04511c4b16db247e05c84804a8
 pkgname = libselinux
diff --git a/0001-libselinux-only-mount-proc-if-necessary.patch b/0001-libselinux-only-mount-proc-if-necessary.patch
new file mode 100644
index 000000000000..eb718a20d82f
--- /dev/null
+++ b/0001-libselinux-only-mount-proc-if-necessary.patch
@@ -0,0 +1,54 @@
+From fb2c271e1903ca11320b9bfad747f55fb2b1535f Mon Sep 17 00:00:00 2001
+From: Stephen Smalley <sds@tycho.nsa.gov>
+Date: Mon, 29 Feb 2016 10:10:55 -0500
+Subject: [PATCH 1/2] libselinux: only mount /proc if necessary
+
+Commit 9df498884665d ("libselinux: Mount procfs before checking
+/proc/filesystems") changed selinuxfs_exists() to always try
+mounting /proc before reading /proc/filesystems. However, this is
+unnecessary if /proc is already mounted and can produce avc denials
+if the process is not allowed to perform the mount. Check first
+to see if /proc is already present and only try the mount if it is not.
+
+Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
+---
+ libselinux/src/init.c | 11 +++++++++--
+ 1 file changed, 9 insertions(+), 2 deletions(-)
+
+diff --git a/libselinux/src/init.c b/libselinux/src/init.c
+index 3db4de06aa7e..35305942970f 100644
+--- a/libselinux/src/init.c
++++ b/libselinux/src/init.c
+@@ -12,6 +12,7 @@
+ #include <stdint.h>
+ #include <limits.h>
+ #include <sys/mount.h>
++#include <linux/magic.h>
+
+ #include "dso.h"
+ #include "policy.h"
+@@ -57,13 +58,19 @@ static int verify_selinuxmnt(const char *mnt)
+
+ int selinuxfs_exists(void)
+ {
+- int exists = 0, mnt_rc = 0;
++ int exists = 0, mnt_rc = -1, rc;
++ struct statfs sb;
+ FILE *fp = NULL;
+ char *buf = NULL;
+ size_t len;
+ ssize_t num;
+
+- mnt_rc = mount("proc", "/proc", "proc", 0, 0);
++ do {
++ rc = statfs("/proc", &sb);
++ } while (rc < 0 && errno == EINTR);
++
++ if (rc == 0 && ((uint32_t)sb.f_type != (uint32_t)PROC_SUPER_MAGIC))
++ mnt_rc = mount("proc", "/proc", "proc", 0, 0);
+
+ fp = fopen("/proc/filesystems", "r");
+ if (!fp) {
+-- 
+2.9.3
+
diff --git a/0002-Avoid-mounting-proc-outside-of-selinux_init_load_pol.patch b/0002-Avoid-mounting-proc-outside-of-selinux_init_load_pol.patch
new file mode 100644
index 000000000000..5b666bebf50e
--- /dev/null
+++ b/0002-Avoid-mounting-proc-outside-of-selinux_init_load_pol.patch
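Review bot: The commit id in this patch's From line, fb2c271e1903…, is not the id that 0002 says it reverts (5a8d8c499b2e…, same subject line), so this copy was presumably exported from a different tree than the one 0002 was taken from; its hunks do match the lines 0002 later removes, but anyone verifying the backport against upstream will stumble on the mismatch. A provenance line in the PKGBUILD would settle it, e.g. `# 0001: upstream "libselinux: only mount /proc if necessary" (exported as fb2c271e; 0002 cites it as 5a8d8c49); reverted by 0002`. Separately, the new statfs loop tests `errno`, and `<errno.h>` is not among the includes visible in the first init.c hunk (only lines 12-14 of the include block are shown) — worth confirming the file already pulls it in before relying on the EINTR retry.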
@@ -0,0 +1,130 @@
+From e4057752bc98451232d402364dc6dc9dff2a5e60 Mon Sep 17 00:00:00 2001
+From: Stephen Smalley <sds@tycho.nsa.gov>
+Date: Fri, 13 May 2016 11:59:47 -0400
+Subject: [PATCH 2/2] Avoid mounting /proc outside of
+ selinux_init_load_policy().
+
+Temporarily mounting /proc within selinuxfs_exists() can cause
+problems since it can be called by a libselinux constructor and
+therefore may be invoked by every program linked with libselinux.
+Since this was only motivated originally by a situation where
+selinuxfs_exists() was called from selinux_init_load_policy()
+before /proc was mounted, fix it in selinux_init_load_policy() instead.
+
+This reverts commit 5a8d8c499b2ef80eaa7b5abe2ec68d7101e613bf
+("libselinux: only mount /proc if necessary") and
+commit 9df498884665d79474b79f0f30d1cd67df11bd3e
+("libselinux: Mount procfs before checking /proc/filesystems").
+
+Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
+---
+ libselinux/src/init.c | 27 +++------------------------
+ libselinux/src/load_policy.c | 15 ++++++++++-----
+ 2 files changed, 13 insertions(+), 29 deletions(-)
+
+diff --git a/libselinux/src/init.c b/libselinux/src/init.c
+index 35305942970f..3c687a29d7ff 100644
+--- a/libselinux/src/init.c
++++ b/libselinux/src/init.c
+@@ -11,8 +11,6 @@
+ #include <sys/vfs.h>
+ #include <stdint.h>
+ #include <limits.h>
+-#include <sys/mount.h>
+-#include <linux/magic.h>
+
+ #include "dso.h"
+ #include "policy.h"
+@@ -58,26 +56,15 @@ static int verify_selinuxmnt(const char *mnt)
+
+ int selinuxfs_exists(void)
+ {
+- int exists = 0, mnt_rc = -1, rc;
+- struct statfs sb;
++ int exists = 0;
+ FILE *fp = NULL;
+ char *buf = NULL;
+ size_t len;
+ ssize_t num;
+
+- do {
+- rc = statfs("/proc", &sb);
+- } while (rc < 0 && errno == EINTR);
+-
+- if (rc == 0 && ((uint32_t)sb.f_type != (uint32_t)PROC_SUPER_MAGIC))
+- mnt_rc = mount("proc", "/proc", "proc", 0, 0);
+-
+ fp = fopen("/proc/filesystems", "r");
+- if (!fp) {
+- exists = 1; /* Fail as if it exists */
+- goto out;
+- }
+-
++ if (!fp)
++ return 1; /* Fail as if it exists */
+ __fsetlocking(fp, FSETLOCKING_BYCALLER);
+
+ num = getline(&buf, &len, fp);
+@@ -91,14 +78,6 @@ int selinuxfs_exists(void)
+
+ free(buf);
+ fclose(fp);
+-
+-out:
+-#ifndef MNT_DETACH
+-#define MNT_DETACH 2
+-#endif
+- if (mnt_rc == 0)
+- umount2("/proc", MNT_DETACH);
+-
+ return exists;
+ }
+ hidden_def(selinuxfs_exists)
+diff --git a/libselinux/src/load_policy.c b/libselinux/src/load_policy.c
+index 21ee58b2e4d7..4f39fc78d7bf 100644
+--- a/libselinux/src/load_policy.c
++++ b/libselinux/src/load_policy.c
+@@ -17,6 +17,10 @@
+ #include "policy.h"
+ #include <limits.h>
+
++#ifndef MNT_DETACH
++#define MNT_DETACH 2
++#endif
++
+ int security_load_policy(void *data, size_t len)
+ {
+ char path[PATH_MAX];
+@@ -348,11 +352,6 @@ int selinux_init_load_policy(int *enforce)
+ fclose(cfg);
+ free(buf);
+ }
+-#ifndef MNT_DETACH
+-#define MNT_DETACH 2
+-#endif
+- if (rc == 0)
+- umount2("/proc", MNT_DETACH);
+
+ /*
+ * Determine the final desired mode.
+@@ -400,11 +399,17 @@ int selinux_init_load_policy(int *enforce)
+ /* Only emit this error if selinux was not disabled */
+ fprintf(stderr, "Mount failed for selinuxfs on %s: %s\n", SELINUXMNT, strerror(errno));
+ }
++
++ if (rc == 0)
++ umount2("/proc", MNT_DETACH);
+
+ goto noload;
+ }
+ set_selinuxmnt(mntpoint);
+
++ if (rc == 0)
++ umount2("/proc", MNT_DETACH);
++
+ /*
+ * Note: The following code depends on having selinuxfs
+ * already mounted and selinuxmnt set above.
+-- 
+2.9.3
+
@@ -6,7 +6,7 @@
 pkgname=libselinux
 pkgver=2.5
-pkgrel=1
+pkgrel=2
 pkgdesc="SELinux library and simple utilities"
 arch=('i686' 'x86_64' 'armv6h')
 url='http://userspace.selinuxproject.org'
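Review bot: After this revert, selinux_init_load_policy() keeps the /proc it mounted itself (the `rc` tested here comes from a mount() call outside the hunk) until one of exactly two new `umount2("/proc", MNT_DETACH)` sites: the selinuxfs mount-failure path just before `goto noload`, and the success path right after `set_selinuxmnt(mntpoint)`. Any other exit between the old detach site removed in the `@@ -348,11 +352,6 @@` hunk and these two — the "Determine the final desired mode" section is not visible here — would now leave a library-created /proc mount in the process. If the success path also ends at `noload:` (not visible either), a single `if (rc == 0) umount2("/proc", MNT_DETACH);` at that label would cover every exit and remove the duplicated pair. selinux_init_load_policy() starts and ends outside this hunk, so I cannot confirm the intermediate exits from here.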
@@ -21,14 +21,23 @@ conflicts=("selinux-usr-${pkgname}")
 provides=("selinux-usr-${pkgname}=${pkgver}-${pkgrel}")
 options=(!emptydirs)
 source=("https://raw.githubusercontent.com/wiki/SELinuxProject/selinux/files/releases/20160223/${pkgname}-${pkgver}.tar.gz"
- "libselinux.tmpfiles.d")
+ "libselinux.tmpfiles.d"
+ "0001-libselinux-only-mount-proc-if-necessary.patch"
+ "0002-Avoid-mounting-proc-outside-of-selinux_init_load_pol.patch")
 sha256sums=('94c9e97706280bedcc288f784f67f2b9d3d6136c192b2c9f812115edba58514f'
- 'afe23890fb2e12e6756e5d81bad3c3da33f38a95d072731c0422fbeb0b1fa1fc')
+ 'afe23890fb2e12e6756e5d81bad3c3da33f38a95d072731c0422fbeb0b1fa1fc'
+ 'da3ed20d45b7656c25411bcc31109a78b64265978839bbc06b25151a7231611c'
+ '1d20ae0d6fb39dd93258388297206980cb530b04511c4b16db247e05c84804a8')
 prepare() {
 cd "${pkgname}-${pkgver}"
 sed -i 's|pkg-config --cflags ruby|pkg-config --cflags ruby-$(RUBYLIBVER)|' src/Makefile
 sed -i 's|site_ruby|vendor_ruby|' src/Makefile
+
+ # Backport commits to fix issues when SELinux is disabled
+ # https://github.com/systemd/systemd/issues/3962#issuecomment-239827399
+ patch -Np2 -i "../0001-libselinux-only-mount-proc-if-necessary.patch"
+ patch -Np2 -i "../0002-Avoid-mounting-proc-outside-of-selinux_init_load_pol.patch"
 }
 build() { |
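Review bot: The comment `# Backport commits to fix issues when SELinux is disabled` does not say what the patches do or why two are needed: per 0002's own message, selinuxfs_exists() can run from a libselinux constructor, so every program linked against libselinux was attempting to mount /proc, and 0002 reverts 0001 — 0001 is applied only so that 0002's context lines match the 2.5 tree. I would replace it with `# Backport: stop selinuxfs_exists() mounting /proc (it runs from a libselinux constructor, so every linked program tried the mount);` and `# 0002 reverts 0001, which is applied first only so 0002 applies cleanly to 2.5.`, keeping the issue link. The `-Np2` strip matches the `a/libselinux/src/...` paths in the patches against the tarball's `src/` layout (the sed lines above address `src/Makefile`), and both patch files are pinned by sha256sums, so the mechanics look right; this is a documentation point only.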