libselinux: Only mount /proc if necessary

selinux upstream commit 5a8d8c499b2ef80eaa7b5abe2ec68d7101e613bf Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov> Signed-off-by: Philip Tricca <flihp@twobit.us>
author: Stephen Smalley <sds@tycho.nsa.gov> 2016-03-07 15:52:51 -0500
committer: Philip Tricca <flihp@twobit.us> 2016-03-17 02:37:00 +0000
commit: b78255b9be39a280595d13bf0f9f23ae91920669 (patch)
tree: f7c7ccc6c88bc9808c86fa2b77cadc1e5c03c6c0
parent: 5f0182e2e1c4da1f27d437f458be9bdc8ecade00 (diff)
download: meta-selinux-b78255b9be39a280595d13bf0f9f23ae91920669.tar.gz
2 files changed, 55 insertions, 0 deletions
diff --git a/recipes-security/selinux/libselinux/libselinux-only-mount-proc-if-necessary.patch b/recipes-security/selinux/libselinux/libselinux-only-mount-proc-if-necessary.patch
new file mode 100644
index 0000000..ab157b6
--- /dev/null
+++ b/recipes-security/selinux/libselinux/libselinux-only-mount-proc-if-necessary.patch
@@ -0,0 +1,54 @@
+From 0d9368ee5af662a99cf123407884ba0e42053c68 Mon Sep 17 00:00:00 2001
+From: Stephen Smalley <sds@tycho.nsa.gov>
+Date: Mon, 29 Feb 2016 10:10:55 -0500
+Subject: [PATCH] libselinux: only mount /proc if necessary
+Commit 9df498884665d ("libselinux: Mount procfs before checking
+/proc/filesystems") changed selinuxfs_exists() to always try
+mounting /proc before reading /proc/filesystems.  However, this is
+unnecessary if /proc is already mounted and can produce avc denials
+if the process is not allowed to perform the mount.  Check first
+to see if /proc is already present and only try the mount if it is not.
+Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
+---
+ src/init.c | 11 +++++++++--
+ 1 file changed, 9 insertions(+), 2 deletions(-)
+diff --git a/src/init.c b/src/init.c
+index 3db4de0..3530594 100644
+--- a/src/init.c
+++ b/src/init.c
+@@ -12,6 +12,7 @@
+ #include <stdint.h>
+ #include <limits.h>
+ #include <sys/mount.h>
+#include <linux/magic.h>
+ 
+ #include "dso.h"
+ #include "policy.h"
+@@ -57,13 +58,19 @@ static int verify_selinuxmnt(const char *mnt)
+ 
+ int selinuxfs_exists(void)
+ {
+-       int exists = 0, mnt_rc = 0;
+       int exists = 0, mnt_rc = -1, rc;
+       struct statfs sb;
+        FILE *fp = NULL;
+        char *buf = NULL;
+        size_t len;
+        ssize_t num;
+ 
+-       mnt_rc = mount("proc", "/proc", "proc", 0, 0);
+       do {
+               rc = statfs("/proc", &sb);
+       } while (rc < 0 && errno == EINTR);
+
+       if (rc == 0 && ((uint32_t)sb.f_type != (uint32_t)PROC_SUPER_MAGIC))
+               mnt_rc = mount("proc", "/proc", "proc", 0, 0);
+ 
+        fp = fopen("/proc/filesystems", "r");
+        if (!fp) {
+-- 
+2.4.3
diff --git a/recipes-security/selinux/libselinux_2.5.bb b/recipes-security/selinux/libselinux_2.5.bb
index a744b2f..0e2d864 100644
--- a/recipes-security/selinux/libselinux_2.5.bb
+++ b/recipes-security/selinux/libselinux_2.5.bb
@@ -11,5 +11,6 @@ SRC_URI += "\
        file://libselinux-make-O_CLOEXEC-optional.patch \
        file://libselinux-make-SOCK_CLOEXEC-optional.patch \
        file://libselinux-define-FD_CLOEXEC-as-necessary.patch \
+        file://libselinux-only-mount-proc-if-necessary.patch \
        file://0001-src-Makefile-fix-includedir-in-libselinux.pc.patch \
        "
author	Stephen Smalley <sds@tycho.nsa.gov>	2016-03-07 15:52:51 -0500
committer	Philip Tricca <flihp@twobit.us>	2016-03-17 02:37:00 +0000
commit	b78255b9be39a280595d13bf0f9f23ae91920669 (patch)
tree	f7c7ccc6c88bc9808c86fa2b77cadc1e5c03c6c0
parent	5f0182e2e1c4da1f27d437f458be9bdc8ecade00 (diff)
download	meta-selinux-b78255b9be39a280595d13bf0f9f23ae91920669.tar.gz

diff --git a/recipes-security/selinux/libselinux/libselinux-only-mount-proc-if-necessary.patch b/recipes-security/selinux/libselinux/libselinux-only-mount-proc-if-necessary.patch new file mode 100644 index 0000000..ab157b6 --- /dev/null +++ b/recipes-security/selinux/libselinux/libselinux-only-mount-proc-if-necessary.patch
@@ -0,0 +1,54 @@
		1	From 0d9368ee5af662a99cf123407884ba0e42053c68 Mon Sep 17 00:00:00 2001
		2	From: Stephen Smalley <sds@tycho.nsa.gov>
		3	Date: Mon, 29 Feb 2016 10:10:55 -0500
		4	Subject: [PATCH] libselinux: only mount /proc if necessary
		5
		6	Commit 9df498884665d ("libselinux: Mount procfs before checking
		7	/proc/filesystems") changed selinuxfs_exists() to always try
		8	mounting /proc before reading /proc/filesystems. However, this is
		9	unnecessary if /proc is already mounted and can produce avc denials
		10	if the process is not allowed to perform the mount. Check first
		11	to see if /proc is already present and only try the mount if it is not.
		12
		13	Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
		14	---
		15	src/init.c \| 11 +++++++++--
		16	1 file changed, 9 insertions(+), 2 deletions(-)
		17
		18	diff --git a/src/init.c b/src/init.c
		19	index 3db4de0..3530594 100644
		20	--- a/src/init.c
		21	+++ b/src/init.c
		22	@@ -12,6 +12,7 @@
		23	#include <stdint.h>
		24	#include <limits.h>
		25	#include <sys/mount.h>
		26	+#include <linux/magic.h>
		27
		28	#include "dso.h"
		29	#include "policy.h"
		30	@@ -57,13 +58,19 @@ static int verify_selinuxmnt(const char *mnt)
		31
		32	int selinuxfs_exists(void)
		33	{
		34	- int exists = 0, mnt_rc = 0;
		35	+ int exists = 0, mnt_rc = -1, rc;
		36	+ struct statfs sb;
		37	FILE *fp = NULL;
		38	char *buf = NULL;
		39	size_t len;
		40	ssize_t num;
		41
		42	- mnt_rc = mount("proc", "/proc", "proc", 0, 0);
		43	+ do {
		44	+ rc = statfs("/proc", &sb);
		45	+ } while (rc < 0 && errno == EINTR);
		46	+
		47	+ if (rc == 0 && ((uint32_t)sb.f_type != (uint32_t)PROC_SUPER_MAGIC))
		48	+ mnt_rc = mount("proc", "/proc", "proc", 0, 0);
		49
		50	fp = fopen("/proc/filesystems", "r");
		51	if (!fp) {
		52	--
		53	2.4.3
		54


diff --git a/recipes-security/selinux/libselinux_2.5.bb b/recipes-security/selinux/libselinux_2.5.bb index a744b2f..0e2d864 100644 --- a/recipes-security/selinux/libselinux_2.5.bb +++ b/recipes-security/selinux/libselinux_2.5.bb
@@ -11,5 +11,6 @@ SRC_URI += "\
11	file://libselinux-make-O_CLOEXEC-optional.patch \	11	file://libselinux-make-O_CLOEXEC-optional.patch \
12	file://libselinux-make-SOCK_CLOEXEC-optional.patch \	12	file://libselinux-make-SOCK_CLOEXEC-optional.patch \
13	file://libselinux-define-FD_CLOEXEC-as-necessary.patch \	13	file://libselinux-define-FD_CLOEXEC-as-necessary.patch \
		14	file://libselinux-only-mount-proc-if-necessary.patch \
14	file://0001-src-Makefile-fix-includedir-in-libselinux.pc.patch \	15	file://0001-src-Makefile-fix-includedir-in-libselinux.pc.patch \
15	"	16	"