libselinux: procattr fixes

selinux upstream commits c7cf5d8aa061b9616bf9d5e91139ce4fb40f532c and f77021d720f12767576c25d751c75cacd7478614 Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov> Signed-off-by: Philip Tricca <flihp@twobit.us>
author: Stephen Smalley <sds@tycho.nsa.gov> 2016-03-07 15:52:52 -0500
committer: Philip Tricca <flihp@twobit.us> 2016-03-17 02:37:55 +0000
commit: 39b93f85885876e1e9056c332c240cd15fc80473 (patch)
tree: f16de1323c79482f2dda03bac2e535b2e7f59904
parent: b78255b9be39a280595d13bf0f9f23ae91920669 (diff)
download: meta-selinux-39b93f85885876e1e9056c332c240cd15fc80473.tar.gz
3 files changed, 89 insertions, 0 deletions
diff --git a/recipes-security/selinux/libselinux/libselinux-procattr-return-einval-for-0-pid.patch b/recipes-security/selinux/libselinux/libselinux-procattr-return-einval-for-0-pid.patch
new file mode 100644
index 0000000..cfac80e
--- /dev/null
+++ b/recipes-security/selinux/libselinux/libselinux-procattr-return-einval-for-0-pid.patch
@@ -0,0 +1,47 @@
+From c7cf5d8aa061b9616bf9d5e91139ce4fb40f532c Mon Sep 17 00:00:00 2001
+From: dcashman <dcashman@android.com>
+Date: Tue, 23 Feb 2016 12:24:00 -0800
+Subject: libselinux: procattr: return einval for <= 0 pid args.
+getpidcon documentation does not specify that a pid of 0 refers to the
+current process, and getcon exists specifically to provide this
+functionality, and getpidcon(getpid()) would provide it as well.
+Disallow pid values <= 0 that may lead to unintended behavior in
+userspace object managers.
+Signed-off-by: Daniel Cashman <dcashman@android.com>
+---
+ src/procattr.c | 14 ++++++++++++--
+ 1 file changed, 12 insertions(+), 2 deletions(-)
+diff --git a/src/procattr.c b/src/procattr.c
+index c20f003..eee4612 100644
+--- a/src/procattr.c
+++ b/src/procattr.c
+@@ -306,11 +306,21 @@ static int setprocattrcon(const char * context,
+ #define getpidattr_def(fn, attr) \
+        int get##fn##_raw(pid_t pid, char **c)  \
+        { \
+-               return getprocattrcon_raw(c, pid, #attr); \
+               if (pid <= 0) { \
+                       errno = EINVAL; \
+                       return -1; \
+               } else { \
+                       return getprocattrcon_raw(c, pid, #attr); \
+               } \
+        } \
+        int get##fn(pid_t pid, char **c)        \
+        { \
+-               return getprocattrcon(c, pid, #attr); \
+               if (pid <= 0) { \
+                       errno = EINVAL; \
+                       return -1; \
+               } else { \
+                       return getprocattrcon(c, pid, #attr); \
+               } \
+        }
+ 
+ all_selfattr_def(con, current)
+-- 
+2.4.3
diff --git a/recipes-security/selinux/libselinux/libselinux-procattr-return-error-on-invalid-pid.patch b/recipes-security/selinux/libselinux/libselinux-procattr-return-error-on-invalid-pid.patch
new file mode 100644
index 0000000..0717d67
--- /dev/null
+++ b/recipes-security/selinux/libselinux/libselinux-procattr-return-error-on-invalid-pid.patch
@@ -0,0 +1,40 @@
+From f77021d720f12767576c25d751c75cacd7478614 Mon Sep 17 00:00:00 2001
+From: dcashman <dcashman@android.com>
+Date: Tue, 23 Feb 2016 12:23:59 -0800
+Subject: libselinux: procattr: return error on invalid pid_t
+ input.
+Signed-off-by: Daniel Cashman <dcashman@android.com>
+---
+ src/procattr.c | 7 +++++--
+ 1 file changed, 5 insertions(+), 2 deletions(-)
+diff --git a/src/procattr.c b/src/procattr.c
+index 527a0a5..c20f003 100644
+--- a/src/procattr.c
+++ b/src/procattr.c
+@@ -70,9 +70,9 @@ static int openattr(pid_t pid, const char *attr, int flags)
+        char *path;
+        pid_t tid;
+ 
+-       if (pid > 0)
+       if (pid > 0) {
+                rc = asprintf(&path, "/proc/%d/attr/%s", pid, attr);
+-       else {
+       } else if (pid == 0) {
+                rc = asprintf(&path, "/proc/thread-self/attr/%s", attr);
+                if (rc < 0)
+                        return -1;
+@@ -82,6 +82,9 @@ static int openattr(pid_t pid, const char *attr, int flags)
+                free(path);
+                tid = gettid();
+                rc = asprintf(&path, "/proc/self/task/%d/attr/%s", tid, attr);
+       } else {
+               errno = EINVAL;
+               return -1;
+        }
+        if (rc < 0)
+                return -1;
+-- 
+2.4.3
diff --git a/recipes-security/selinux/libselinux_2.5.bb b/recipes-security/selinux/libselinux_2.5.bb
index 0e2d864..0284494 100644
--- a/recipes-security/selinux/libselinux_2.5.bb
+++ b/recipes-security/selinux/libselinux_2.5.bb
@@ -11,6 +11,8 @@ SRC_URI += "\
        file://libselinux-make-O_CLOEXEC-optional.patch \
        file://libselinux-make-SOCK_CLOEXEC-optional.patch \
        file://libselinux-define-FD_CLOEXEC-as-necessary.patch \
+        file://libselinux-procattr-return-einval-for-0-pid.patch \
+        file://libselinux-procattr-return-error-on-invalid-pid.patch \
        file://libselinux-only-mount-proc-if-necessary.patch \
        file://0001-src-Makefile-fix-includedir-in-libselinux.pc.patch \
        "
author	Stephen Smalley <sds@tycho.nsa.gov>	2016-03-07 15:52:52 -0500
committer	Philip Tricca <flihp@twobit.us>	2016-03-17 02:37:55 +0000
commit	39b93f85885876e1e9056c332c240cd15fc80473 (patch)
tree	f16de1323c79482f2dda03bac2e535b2e7f59904
parent	b78255b9be39a280595d13bf0f9f23ae91920669 (diff)
download	meta-selinux-39b93f85885876e1e9056c332c240cd15fc80473.tar.gz

diff --git a/recipes-security/selinux/libselinux/libselinux-procattr-return-einval-for-0-pid.patch b/recipes-security/selinux/libselinux/libselinux-procattr-return-einval-for-0-pid.patch new file mode 100644 index 0000000..cfac80e --- /dev/null +++ b/recipes-security/selinux/libselinux/libselinux-procattr-return-einval-for-0-pid.patch
@@ -0,0 +1,47 @@
		1	From c7cf5d8aa061b9616bf9d5e91139ce4fb40f532c Mon Sep 17 00:00:00 2001
		2	From: dcashman <dcashman@android.com>
		3	Date: Tue, 23 Feb 2016 12:24:00 -0800
		4	Subject: libselinux: procattr: return einval for <= 0 pid args.
		5
		6	getpidcon documentation does not specify that a pid of 0 refers to the
		7	current process, and getcon exists specifically to provide this
		8	functionality, and getpidcon(getpid()) would provide it as well.
		9	Disallow pid values <= 0 that may lead to unintended behavior in
		10	userspace object managers.
		11
		12	Signed-off-by: Daniel Cashman <dcashman@android.com>
		13	---
		14	src/procattr.c \| 14 ++++++++++++--
		15	1 file changed, 12 insertions(+), 2 deletions(-)
		16
		17	diff --git a/src/procattr.c b/src/procattr.c
		18	index c20f003..eee4612 100644
		19	--- a/src/procattr.c
		20	+++ b/src/procattr.c
		21	@@ -306,11 +306,21 @@ static int setprocattrcon(const char * context,
		22	#define getpidattr_def(fn, attr) \
		23	int get##fn##_raw(pid_t pid, char **c) \
		24	{ \
		25	- return getprocattrcon_raw(c, pid, #attr); \
		26	+ if (pid <= 0) { \
		27	+ errno = EINVAL; \
		28	+ return -1; \
		29	+ } else { \
		30	+ return getprocattrcon_raw(c, pid, #attr); \
		31	+ } \
		32	} \
		33	int get##fn(pid_t pid, char **c) \
		34	{ \
		35	- return getprocattrcon(c, pid, #attr); \
		36	+ if (pid <= 0) { \
		37	+ errno = EINVAL; \
		38	+ return -1; \
		39	+ } else { \
		40	+ return getprocattrcon(c, pid, #attr); \
		41	+ } \
		42	}
		43
		44	all_selfattr_def(con, current)
		45	--
		46	2.4.3
		47


diff --git a/recipes-security/selinux/libselinux/libselinux-procattr-return-error-on-invalid-pid.patch b/recipes-security/selinux/libselinux/libselinux-procattr-return-error-on-invalid-pid.patch new file mode 100644 index 0000000..0717d67 --- /dev/null +++ b/recipes-security/selinux/libselinux/libselinux-procattr-return-error-on-invalid-pid.patch
@@ -0,0 +1,40 @@
		1	From f77021d720f12767576c25d751c75cacd7478614 Mon Sep 17 00:00:00 2001
		2	From: dcashman <dcashman@android.com>
		3	Date: Tue, 23 Feb 2016 12:23:59 -0800
		4	Subject: libselinux: procattr: return error on invalid pid_t
		5	input.
		6
		7	Signed-off-by: Daniel Cashman <dcashman@android.com>
		8	---
		9	src/procattr.c \| 7 +++++--
		10	1 file changed, 5 insertions(+), 2 deletions(-)
		11
		12	diff --git a/src/procattr.c b/src/procattr.c
		13	index 527a0a5..c20f003 100644
		14	--- a/src/procattr.c
		15	+++ b/src/procattr.c
		16	@@ -70,9 +70,9 @@ static int openattr(pid_t pid, const char *attr, int flags)
		17	char *path;
		18	pid_t tid;
		19
		20	- if (pid > 0)
		21	+ if (pid > 0) {
		22	rc = asprintf(&path, "/proc/%d/attr/%s", pid, attr);
		23	- else {
		24	+ } else if (pid == 0) {
		25	rc = asprintf(&path, "/proc/thread-self/attr/%s", attr);
		26	if (rc < 0)
		27	return -1;
		28	@@ -82,6 +82,9 @@ static int openattr(pid_t pid, const char *attr, int flags)
		29	free(path);
		30	tid = gettid();
		31	rc = asprintf(&path, "/proc/self/task/%d/attr/%s", tid, attr);
		32	+ } else {
		33	+ errno = EINVAL;
		34	+ return -1;
		35	}
		36	if (rc < 0)
		37	return -1;
		38	--
		39	2.4.3
		40


diff --git a/recipes-security/selinux/libselinux_2.5.bb b/recipes-security/selinux/libselinux_2.5.bb index 0e2d864..0284494 100644 --- a/recipes-security/selinux/libselinux_2.5.bb +++ b/recipes-security/selinux/libselinux_2.5.bb
@@ -11,6 +11,8 @@ SRC_URI += "\
11	file://libselinux-make-O_CLOEXEC-optional.patch \	11	file://libselinux-make-O_CLOEXEC-optional.patch \
12	file://libselinux-make-SOCK_CLOEXEC-optional.patch \	12	file://libselinux-make-SOCK_CLOEXEC-optional.patch \
13	file://libselinux-define-FD_CLOEXEC-as-necessary.patch \	13	file://libselinux-define-FD_CLOEXEC-as-necessary.patch \
		14	file://libselinux-procattr-return-einval-for-0-pid.patch \
		15	file://libselinux-procattr-return-error-on-invalid-pid.patch \
14	file://libselinux-only-mount-proc-if-necessary.patch \	16	file://libselinux-only-mount-proc-if-necessary.patch \
15	file://0001-src-Makefile-fix-includedir-in-libselinux.pc.patch \	17	file://0001-src-Makefile-fix-includedir-in-libselinux.pc.patch \
16	"	18	"