libselinux: uprev to 2.6 (20161014)

* rebase patch: - libselinux-make-O_CLOEXEC-optional.patch * cleanup patches: - libselinux-only-mount-proc-if-necessary.patch - libselinux-procattr-return-einval-for-0-pid.patch - libselinux-procattr-return-error-on-invalid-pid.patch * other fixes: - remove useless variables according to latest Makefile - update FILES_${PN}-python to match the installed file: '${libdir}/python2.7/site-packages/_selinux.so'. Signed-off-by: Wenzong Fan <wenzong.fan@windriver.com> Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
author: Wenzong Fan <wenzong.fan@windriver.com> 2017-01-05 00:23:20 -0800
committer: Joe MacDonald <joe_macdonald@mentor.com> 2017-01-05 10:18:30 -0500
commit: eba0f0ff8c1365aa12ead3498d812b9dbffa3f49 (patch)
tree: 9dfb479c201cbe5fdaef97ce5d90c543213ecb32
parent: c42ac83a7794730a8c9ecfaa16018b8706c59ecb (diff)
download: meta-selinux-eba0f0ff8c1365aa12ead3498d812b9dbffa3f49.tar.gz
6 files changed, 44 insertions, 194 deletions
diff --git a/recipes-security/selinux/libselinux.inc b/recipes-security/selinux/libselinux.inc
index d571a7c..ad00d10 100644
--- a/recipes-security/selinux/libselinux.inc
+++ b/recipes-security/selinux/libselinux.inc
@@ -10,7 +10,7 @@ inherit lib_package pythonnative
 DEPENDS += "libsepol python libpcre swig-native"
 PACKAGES += "${PN}-python"
-FILES_${PN}-python = "${libdir}/python${PYTHON_BASEVERSION}/site-packages/selinux/*"
+FILES_${PN}-python = "${libdir}/python${PYTHON_BASEVERSION}/site-packages/*"
 FILES_${PN}-dbg += "${libdir}/python${PYTHON_BASEVERSION}/site-packages/selinux/.debug/*"
 def get_policyconfigarch(d):
@@ -27,17 +27,12 @@ do_compile_append() {
    oe_runmake pywrap -j1 \
            INCLUDEDIR='${STAGING_INCDIR}' \
            LIBDIR='${STAGING_LIBDIR}' \
-            PYLIBVER='python${PYTHON_BASEVERSION}' \
+            PYINC='-I${STAGING_INCDIR}/python${PYTHON_BASEVERSION}'
-            PYINC='-I${STAGING_INCDIR}/$(PYLIBVER)' \
-            PYLIB='-L${STAGING_LIBDIR}/$(PYLIBVER) -l$(PYLIBVER)' \
-            PYTHONLIBDIR='${PYLIB}'
 }
 do_install_append() {
    oe_runmake install-pywrap swigify \
-            DESTDIR=${D} \
+            PYSITEDIR=${D}${libdir}/python${PYTHON_BASEVERSION}/site-packages
-            PYLIBVER='python${PYTHON_BASEVERSION}' \
-            PYLIBDIR='${D}/${libdir}/$(PYLIBVER)'
    rm -rf ${D}${base_sbindir}
 }
diff --git a/recipes-security/selinux/libselinux/libselinux-make-O_CLOEXEC-optional.patch b/recipes-security/selinux/libselinux/libselinux-make-O_CLOEXEC-optional.patch
index 98d31cc..a041dd3 100644
--- a/recipes-security/selinux/libselinux/libselinux-make-O_CLOEXEC-optional.patch
+++ b/recipes-security/selinux/libselinux/libselinux-make-O_CLOEXEC-optional.patch
@@ -17,37 +17,18 @@ produce curious AVC Denied messages.
 Uptream-Status: Inappropriate [O_CLOEXEC has been in Linux since 2007 and POSIX since 2008]
 Signed-off-by: Joe MacDonald <joe.macdonald@windriver.com>
+Signed-off-by: Wenzong Fan <wenzong.fan@windriver.com>
 ---
- src/label_file.c |    8 +++++++-
+ src/procattr.c  | 16 ++++++++++++++--
- src/procattr.c   |    8 +++++++-
+ src/sestatus.c  |  8 +++++++-
- src/sestatus.c   |    8 +++++++-
+ src/stringrep.c |  8 +++++++-
- src/stringrep.c  |    8 +++++++-
+ 3 files changed, 28 insertions(+), 4 deletions(-)
- 4 files changed, 28 insertions(+), 4 deletions(-)
-Index: libselinux-2.5/src/label_file.c
+diff --git a/src/procattr.c b/src/procattr.c
-===================================================================
+index 7efcd7e..3007876 100644
--- libselinux-2.5.orig/src/label_file.c        2016-02-25 13:10:00.159980383 -0500
+--- a/src/procattr.c
-+++ libselinux-2.5/src/label_file.c     2016-02-25 13:10:00.155980383 -0500
+++ b/src/procattr.c
-@@ -124,7 +124,13 @@
+@@ -79,7 +79,13 @@ static int openattr(pid_t pid, const char *attr, int flags)
-                        return -1;
-        }
- 
-       mmapfd = open(mmap_path, O_RDONLY | O_CLOEXEC);
-+       mmapfd = open(mmap_path, O_RDONLY 
-+#ifdef O_CLOEXEC
-+                 | O_CLOEXEC
-+#else
-+#warning O_CLOEXEC undefined on this platform, this may leak file descriptors
-+#endif
-+                 );
-        if (mmapfd < 0)
-                return -1;
- 
-Index: libselinux-2.5/src/procattr.c
-===================================================================
--- libselinux-2.5.orig/src/procattr.c  2016-02-25 13:10:00.159980383 -0500
-+++ libselinux-2.5/src/procattr.c       2016-02-25 13:11:58.527980013 -0500
-@@ -76,7 +76,13 @@
                rc = asprintf(&path, "/proc/thread-self/attr/%s", attr);
                if (rc < 0)
                        return -1;
@@ -62,11 +43,26 @@ Index: libselinux-2.5/src/procattr.c
                if (fd >= 0 || errno != ENOENT)
                        goto out;
                free(path);
-Index: libselinux-2.5/src/sestatus.c
+@@ -92,7 +98,13 @@ static int openattr(pid_t pid, const char *attr, int flags)
-===================================================================
+        if (rc < 0)
--- libselinux-2.5.orig/src/sestatus.c  2016-02-25 13:10:00.159980383 -0500
+                return -1;
-+++ libselinux-2.5/src/sestatus.c       2016-02-25 13:10:00.155980383 -0500
+ 
-@@ -268,7 +268,13 @@
+-       fd = open(path, flags | O_CLOEXEC);
+       fd = open(path, flags
+#ifdef O_CLOEXEC
+                 | O_CLOEXEC
+#else
+#warning O_CLOEXEC undefined on this platform, this may leak file descriptors
+#endif
+               );
+ out:
+        free(path);
+        return fd;
+diff --git a/src/sestatus.c b/src/sestatus.c
+index ed29dc5..0cb15b6 100644
+--- a/src/sestatus.c
+++ b/src/sestatus.c
+@@ -268,7 +268,13 @@ int selinux_status_open(int fallback)
                return -1;
 
        snprintf(path, sizeof(path), "%s/status", selinux_mnt);
@@ -81,11 +77,11 @@ Index: libselinux-2.5/src/sestatus.c
        if (fd < 0)
                goto error;
 
-Index: libselinux-2.5/src/stringrep.c
+diff --git a/src/stringrep.c b/src/stringrep.c
-===================================================================
+index 2dbec2b..de2a70b 100644
--- libselinux-2.5.orig/src/stringrep.c 2016-02-25 13:10:00.159980383 -0500
+--- a/src/stringrep.c
-+++ libselinux-2.5/src/stringrep.c      2016-02-25 13:10:00.155980383 -0500
+++ b/src/stringrep.c
-@@ -105,7 +105,13 @@
+@@ -105,7 +105,13 @@ static struct discover_class_node * discover_class(const char *s)
                struct stat m;
 
                snprintf(path, sizeof path, "%s/class/%s/perms/%s", selinux_mnt,s,dentry->d_name);
@@ -100,3 +96,6 @@ Index: libselinux-2.5/src/stringrep.c
                if (fd < 0)
                        goto err4;
 
+-- 
+2.7.4
diff --git a/recipes-security/selinux/libselinux/libselinux-only-mount-proc-if-necessary.patch b/recipes-security/selinux/libselinux/libselinux-only-mount-proc-if-necessary.patch
deleted file mode 100644
index ab157b6..0000000
--- a/recipes-security/selinux/libselinux/libselinux-only-mount-proc-if-necessary.patch
+++ /dev/null
@@ -1,54 +0,0 @@
-From 0d9368ee5af662a99cf123407884ba0e42053c68 Mon Sep 17 00:00:00 2001
-From: Stephen Smalley <sds@tycho.nsa.gov>
-Date: Mon, 29 Feb 2016 10:10:55 -0500
-Subject: [PATCH] libselinux: only mount /proc if necessary
-Commit 9df498884665d ("libselinux: Mount procfs before checking
-/proc/filesystems") changed selinuxfs_exists() to always try
-mounting /proc before reading /proc/filesystems.  However, this is
-unnecessary if /proc is already mounted and can produce avc denials
-if the process is not allowed to perform the mount.  Check first
-to see if /proc is already present and only try the mount if it is not.
-Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
---
- src/init.c | 11 +++++++++--
- 1 file changed, 9 insertions(+), 2 deletions(-)
-diff --git a/src/init.c b/src/init.c
-index 3db4de0..3530594 100644
--- a/src/init.c
-+++ b/src/init.c
-@@ -12,6 +12,7 @@
- #include <stdint.h>
- #include <limits.h>
- #include <sys/mount.h>
-+#include <linux/magic.h>
- 
- #include "dso.h"
- #include "policy.h"
-@@ -57,13 +58,19 @@ static int verify_selinuxmnt(const char *mnt)
- 
- int selinuxfs_exists(void)
- {
-       int exists = 0, mnt_rc = 0;
-+       int exists = 0, mnt_rc = -1, rc;
-+       struct statfs sb;
-        FILE *fp = NULL;
-        char *buf = NULL;
-        size_t len;
-        ssize_t num;
- 
-       mnt_rc = mount("proc", "/proc", "proc", 0, 0);
-+       do {
-+               rc = statfs("/proc", &sb);
-+       } while (rc < 0 && errno == EINTR);
-+
-+       if (rc == 0 && ((uint32_t)sb.f_type != (uint32_t)PROC_SUPER_MAGIC))
-+               mnt_rc = mount("proc", "/proc", "proc", 0, 0);
- 
-        fp = fopen("/proc/filesystems", "r");
-        if (!fp) {
-- 
-2.4.3
diff --git a/recipes-security/selinux/libselinux/libselinux-procattr-return-einval-for-0-pid.patch b/recipes-security/selinux/libselinux/libselinux-procattr-return-einval-for-0-pid.patch
deleted file mode 100644
index cfac80e..0000000
--- a/recipes-security/selinux/libselinux/libselinux-procattr-return-einval-for-0-pid.patch
+++ /dev/null
@@ -1,47 +0,0 @@
-From c7cf5d8aa061b9616bf9d5e91139ce4fb40f532c Mon Sep 17 00:00:00 2001
-From: dcashman <dcashman@android.com>
-Date: Tue, 23 Feb 2016 12:24:00 -0800
-Subject: libselinux: procattr: return einval for <= 0 pid args.
-getpidcon documentation does not specify that a pid of 0 refers to the
-current process, and getcon exists specifically to provide this
-functionality, and getpidcon(getpid()) would provide it as well.
-Disallow pid values <= 0 that may lead to unintended behavior in
-userspace object managers.
-Signed-off-by: Daniel Cashman <dcashman@android.com>
---
- src/procattr.c | 14 ++++++++++++--
- 1 file changed, 12 insertions(+), 2 deletions(-)
-diff --git a/src/procattr.c b/src/procattr.c
-index c20f003..eee4612 100644
--- a/src/procattr.c
-+++ b/src/procattr.c
-@@ -306,11 +306,21 @@ static int setprocattrcon(const char * context,
- #define getpidattr_def(fn, attr) \
-        int get##fn##_raw(pid_t pid, char **c)  \
-        { \
-               return getprocattrcon_raw(c, pid, #attr); \
-+               if (pid <= 0) { \
-+                       errno = EINVAL; \
-+                       return -1; \
-+               } else { \
-+                       return getprocattrcon_raw(c, pid, #attr); \
-+               } \
-        } \
-        int get##fn(pid_t pid, char **c)        \
-        { \
-               return getprocattrcon(c, pid, #attr); \
-+               if (pid <= 0) { \
-+                       errno = EINVAL; \
-+                       return -1; \
-+               } else { \
-+                       return getprocattrcon(c, pid, #attr); \
-+               } \
-        }
- 
- all_selfattr_def(con, current)
-- 
-2.4.3
diff --git a/recipes-security/selinux/libselinux/libselinux-procattr-return-error-on-invalid-pid.patch b/recipes-security/selinux/libselinux/libselinux-procattr-return-error-on-invalid-pid.patch
deleted file mode 100644
index 0717d67..0000000
--- a/recipes-security/selinux/libselinux/libselinux-procattr-return-error-on-invalid-pid.patch
+++ /dev/null
@@ -1,40 +0,0 @@
-From f77021d720f12767576c25d751c75cacd7478614 Mon Sep 17 00:00:00 2001
-From: dcashman <dcashman@android.com>
-Date: Tue, 23 Feb 2016 12:23:59 -0800
-Subject: libselinux: procattr: return error on invalid pid_t
- input.
-Signed-off-by: Daniel Cashman <dcashman@android.com>
---
- src/procattr.c | 7 +++++--
- 1 file changed, 5 insertions(+), 2 deletions(-)
-diff --git a/src/procattr.c b/src/procattr.c
-index 527a0a5..c20f003 100644
--- a/src/procattr.c
-+++ b/src/procattr.c
-@@ -70,9 +70,9 @@ static int openattr(pid_t pid, const char *attr, int flags)
-        char *path;
-        pid_t tid;
- 
-       if (pid > 0)
-+       if (pid > 0) {
-                rc = asprintf(&path, "/proc/%d/attr/%s", pid, attr);
-       else {
-+       } else if (pid == 0) {
-                rc = asprintf(&path, "/proc/thread-self/attr/%s", attr);
-                if (rc < 0)
-                        return -1;
-@@ -82,6 +82,9 @@ static int openattr(pid_t pid, const char *attr, int flags)
-                free(path);
-                tid = gettid();
-                rc = asprintf(&path, "/proc/self/task/%d/attr/%s", tid, attr);
-+       } else {
-+               errno = EINVAL;
-+               return -1;
-        }
-        if (rc < 0)
-                return -1;
-- 
-2.4.3
diff --git a/recipes-security/selinux/libselinux_2.5.bb b/recipes-security/selinux/libselinux_2.6.bb
index 0284494..b9ad231 100644
--- a/recipes-security/selinux/libselinux_2.5.bb
+++ b/recipes-security/selinux/libselinux_2.6.bb
@@ -1,18 +1,15 @@
-include selinux_20160223.inc
+include selinux_20161014.inc
 include ${BPN}.inc
 LIC_FILES_CHKSUM = "file://LICENSE;md5=84b4d2c6ef954a2d4081e775a270d0d0"
-SRC_URI[md5sum] = "d1399f5c2fd2fbe0e9603d5143b30367"
+SRC_URI[md5sum] = "0e066ba6d6e590ba4b53eed64905d901"
-SRC_URI[sha256sum] = "94c9e97706280bedcc288f784f67f2b9d3d6136c192b2c9f812115edba58514f"
+SRC_URI[sha256sum] = "4ea2dde50665c202253ba5caac7738370ea0337c47b251ba981c60d24e1a118a"
 SRC_URI += "\
        file://libselinux-drop-Wno-unused-but-set-variable.patch \
        file://libselinux-make-O_CLOEXEC-optional.patch \
        file://libselinux-make-SOCK_CLOEXEC-optional.patch \
        file://libselinux-define-FD_CLOEXEC-as-necessary.patch \
-        file://libselinux-procattr-return-einval-for-0-pid.patch \
-        file://libselinux-procattr-return-error-on-invalid-pid.patch \
-        file://libselinux-only-mount-proc-if-necessary.patch \
        file://0001-src-Makefile-fix-includedir-in-libselinux.pc.patch \
        "
author	Wenzong Fan <wenzong.fan@windriver.com>	2017-01-05 00:23:20 -0800
committer	Joe MacDonald <joe_macdonald@mentor.com>	2017-01-05 10:18:30 -0500
commit	eba0f0ff8c1365aa12ead3498d812b9dbffa3f49 (patch)
tree	9dfb479c201cbe5fdaef97ce5d90c543213ecb32
parent	c42ac83a7794730a8c9ecfaa16018b8706c59ecb (diff)
download	meta-selinux-eba0f0ff8c1365aa12ead3498d812b9dbffa3f49.tar.gz

diff --git a/recipes-security/selinux/libselinux.inc b/recipes-security/selinux/libselinux.inc index d571a7c..ad00d10 100644 --- a/recipes-security/selinux/libselinux.inc +++ b/recipes-security/selinux/libselinux.inc
@@ -10,7 +10,7 @@ inherit lib_package pythonnative
10	DEPENDS += "libsepol python libpcre swig-native"	10	DEPENDS += "libsepol python libpcre swig-native"
11		11
12	PACKAGES += "${PN}-python"	12	PACKAGES += "${PN}-python"
13	FILES_${PN}-python = "${libdir}/python${PYTHON_BASEVERSION}/site-packages/selinux/*"	13	FILES_${PN}-python = "${libdir}/python${PYTHON_BASEVERSION}/site-packages/*"
14	FILES_${PN}-dbg += "${libdir}/python${PYTHON_BASEVERSION}/site-packages/selinux/.debug/*"	14	FILES_${PN}-dbg += "${libdir}/python${PYTHON_BASEVERSION}/site-packages/selinux/.debug/*"
15		15
16	def get_policyconfigarch(d):	16	def get_policyconfigarch(d):
@@ -27,17 +27,12 @@ do_compile_append() {
27	oe_runmake pywrap -j1 \	27	oe_runmake pywrap -j1 \
28	INCLUDEDIR='${STAGING_INCDIR}' \	28	INCLUDEDIR='${STAGING_INCDIR}' \
29	LIBDIR='${STAGING_LIBDIR}' \	29	LIBDIR='${STAGING_LIBDIR}' \
30	PYLIBVER='python${PYTHON_BASEVERSION}' \	30	PYINC='-I${STAGING_INCDIR}/python${PYTHON_BASEVERSION}'
31	PYINC='-I${STAGING_INCDIR}/$(PYLIBVER)' \
32	PYLIB='-L${STAGING_LIBDIR}/$(PYLIBVER) -l$(PYLIBVER)' \
33	PYTHONLIBDIR='${PYLIB}'
34	}	31	}
35		32
36	do_install_append() {	33	do_install_append() {
37	oe_runmake install-pywrap swigify \	34	oe_runmake install-pywrap swigify \
38	DESTDIR=${D} \	35	PYSITEDIR=${D}${libdir}/python${PYTHON_BASEVERSION}/site-packages
39	PYLIBVER='python${PYTHON_BASEVERSION}' \
40	PYLIBDIR='${D}/${libdir}/$(PYLIBVER)'
41	rm -rf ${D}${base_sbindir}	36	rm -rf ${D}${base_sbindir}
42	}	37	}
43		38


diff --git a/recipes-security/selinux/libselinux/libselinux-make-O_CLOEXEC-optional.patch b/recipes-security/selinux/libselinux/libselinux-make-O_CLOEXEC-optional.patch index 98d31cc..a041dd3 100644 --- a/recipes-security/selinux/libselinux/libselinux-make-O_CLOEXEC-optional.patch +++ b/recipes-security/selinux/libselinux/libselinux-make-O_CLOEXEC-optional.patch
@@ -17,37 +17,18 @@ produce curious AVC Denied messages.
17	Uptream-Status: Inappropriate [O_CLOEXEC has been in Linux since 2007 and POSIX since 2008]	17	Uptream-Status: Inappropriate [O_CLOEXEC has been in Linux since 2007 and POSIX since 2008]
18		18
19	Signed-off-by: Joe MacDonald <joe.macdonald@windriver.com>	19	Signed-off-by: Joe MacDonald <joe.macdonald@windriver.com>
		20	Signed-off-by: Wenzong Fan <wenzong.fan@windriver.com>
20	---	21	---
21	src/label_file.c \| 8 +++++++-	22	src/procattr.c \| 16 ++++++++++++++--
22	src/procattr.c \| 8 +++++++-	23	src/sestatus.c \| 8 +++++++-
23	src/sestatus.c \| 8 +++++++-	24	src/stringrep.c \| 8 +++++++-
24	src/stringrep.c \| 8 +++++++-	25	3 files changed, 28 insertions(+), 4 deletions(-)
25	4 files changed, 28 insertions(+), 4 deletions(-)
26		26
27	Index: libselinux-2.5/src/label_file.c	27	diff --git a/src/procattr.c b/src/procattr.c
28	===================================================================	28	index 7efcd7e..3007876 100644
29	--- libselinux-2.5.orig/src/label_file.c 2016-02-25 13:10:00.159980383 -0500	29	--- a/src/procattr.c
30	+++ libselinux-2.5/src/label_file.c 2016-02-25 13:10:00.155980383 -0500	30	+++ b/src/procattr.c
31	@@ -124,7 +124,13 @@	31	@@ -79,7 +79,13 @@ static int openattr(pid_t pid, const char *attr, int flags)
32	return -1;
33	}
34
35	- mmapfd = open(mmap_path, O_RDONLY \| O_CLOEXEC);
36	+ mmapfd = open(mmap_path, O_RDONLY
37	+#ifdef O_CLOEXEC
38	+ \| O_CLOEXEC
39	+#else
40	+#warning O_CLOEXEC undefined on this platform, this may leak file descriptors
41	+#endif
42	+ );
43	if (mmapfd < 0)
44	return -1;
45
46	Index: libselinux-2.5/src/procattr.c
47	===================================================================
48	--- libselinux-2.5.orig/src/procattr.c 2016-02-25 13:10:00.159980383 -0500
49	+++ libselinux-2.5/src/procattr.c 2016-02-25 13:11:58.527980013 -0500
50	@@ -76,7 +76,13 @@
51	rc = asprintf(&path, "/proc/thread-self/attr/%s", attr);	32	rc = asprintf(&path, "/proc/thread-self/attr/%s", attr);
52	if (rc < 0)	33	if (rc < 0)
53	return -1;	34	return -1;
@@ -62,11 +43,26 @@ Index: libselinux-2.5/src/procattr.c
62	if (fd >= 0 \|\| errno != ENOENT)	43	if (fd >= 0 \|\| errno != ENOENT)
63	goto out;	44	goto out;
64	free(path);	45	free(path);
65	Index: libselinux-2.5/src/sestatus.c	46	@@ -92,7 +98,13 @@ static int openattr(pid_t pid, const char *attr, int flags)
66	===================================================================	47	if (rc < 0)
67	--- libselinux-2.5.orig/src/sestatus.c 2016-02-25 13:10:00.159980383 -0500	48	return -1;
68	+++ libselinux-2.5/src/sestatus.c 2016-02-25 13:10:00.155980383 -0500	49
69	@@ -268,7 +268,13 @@	50	- fd = open(path, flags \| O_CLOEXEC);
		51	+ fd = open(path, flags
		52	+#ifdef O_CLOEXEC
		53	+ \| O_CLOEXEC
		54	+#else
		55	+#warning O_CLOEXEC undefined on this platform, this may leak file descriptors
		56	+#endif
		57	+ );
		58	out:
		59	free(path);
		60	return fd;
		61	diff --git a/src/sestatus.c b/src/sestatus.c
		62	index ed29dc5..0cb15b6 100644
		63	--- a/src/sestatus.c
		64	+++ b/src/sestatus.c
		65	@@ -268,7 +268,13 @@ int selinux_status_open(int fallback)
70	return -1;	66	return -1;
71		67
72	snprintf(path, sizeof(path), "%s/status", selinux_mnt);	68	snprintf(path, sizeof(path), "%s/status", selinux_mnt);
@@ -81,11 +77,11 @@ Index: libselinux-2.5/src/sestatus.c
81	if (fd < 0)	77	if (fd < 0)
82	goto error;	78	goto error;
83		79
84	Index: libselinux-2.5/src/stringrep.c	80	diff --git a/src/stringrep.c b/src/stringrep.c
85	===================================================================	81	index 2dbec2b..de2a70b 100644
86	--- libselinux-2.5.orig/src/stringrep.c 2016-02-25 13:10:00.159980383 -0500	82	--- a/src/stringrep.c
87	+++ libselinux-2.5/src/stringrep.c 2016-02-25 13:10:00.155980383 -0500	83	+++ b/src/stringrep.c
88	@@ -105,7 +105,13 @@	84	@@ -105,7 +105,13 @@ static struct discover_class_node * discover_class(const char *s)
89	struct stat m;	85	struct stat m;
90		86
91	snprintf(path, sizeof path, "%s/class/%s/perms/%s", selinux_mnt,s,dentry->d_name);	87	snprintf(path, sizeof path, "%s/class/%s/perms/%s", selinux_mnt,s,dentry->d_name);
@@ -100,3 +96,6 @@ Index: libselinux-2.5/src/stringrep.c
100	if (fd < 0)	96	if (fd < 0)
101	goto err4;	97	goto err4;
102		98
		99	--
		100	2.7.4
		101


diff --git a/recipes-security/selinux/libselinux/libselinux-only-mount-proc-if-necessary.patch b/recipes-security/selinux/libselinux/libselinux-only-mount-proc-if-necessary.patch deleted file mode 100644 index ab157b6..0000000 --- a/recipes-security/selinux/libselinux/libselinux-only-mount-proc-if-necessary.patch +++ /dev/null
@@ -1,54 +0,0 @@
1	From 0d9368ee5af662a99cf123407884ba0e42053c68 Mon Sep 17 00:00:00 2001
2	From: Stephen Smalley <sds@tycho.nsa.gov>
3	Date: Mon, 29 Feb 2016 10:10:55 -0500
4	Subject: [PATCH] libselinux: only mount /proc if necessary
5
6	Commit 9df498884665d ("libselinux: Mount procfs before checking
7	/proc/filesystems") changed selinuxfs_exists() to always try
8	mounting /proc before reading /proc/filesystems. However, this is
9	unnecessary if /proc is already mounted and can produce avc denials
10	if the process is not allowed to perform the mount. Check first
11	to see if /proc is already present and only try the mount if it is not.
12
13	Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
14	---
15	src/init.c \| 11 +++++++++--
16	1 file changed, 9 insertions(+), 2 deletions(-)
17
18	diff --git a/src/init.c b/src/init.c
19	index 3db4de0..3530594 100644
20	--- a/src/init.c
21	+++ b/src/init.c
22	@@ -12,6 +12,7 @@
23	#include <stdint.h>
24	#include <limits.h>
25	#include <sys/mount.h>
26	+#include <linux/magic.h>
27
28	#include "dso.h"
29	#include "policy.h"
30	@@ -57,13 +58,19 @@ static int verify_selinuxmnt(const char *mnt)
31
32	int selinuxfs_exists(void)
33	{
34	- int exists = 0, mnt_rc = 0;
35	+ int exists = 0, mnt_rc = -1, rc;
36	+ struct statfs sb;
37	FILE *fp = NULL;
38	char *buf = NULL;
39	size_t len;
40	ssize_t num;
41
42	- mnt_rc = mount("proc", "/proc", "proc", 0, 0);
43	+ do {
44	+ rc = statfs("/proc", &sb);
45	+ } while (rc < 0 && errno == EINTR);
46	+
47	+ if (rc == 0 && ((uint32_t)sb.f_type != (uint32_t)PROC_SUPER_MAGIC))
48	+ mnt_rc = mount("proc", "/proc", "proc", 0, 0);
49
50	fp = fopen("/proc/filesystems", "r");
51	if (!fp) {
52	--
53	2.4.3
54


diff --git a/recipes-security/selinux/libselinux/libselinux-procattr-return-einval-for-0-pid.patch b/recipes-security/selinux/libselinux/libselinux-procattr-return-einval-for-0-pid.patch deleted file mode 100644 index cfac80e..0000000 --- a/recipes-security/selinux/libselinux/libselinux-procattr-return-einval-for-0-pid.patch +++ /dev/null
@@ -1,47 +0,0 @@
1	From c7cf5d8aa061b9616bf9d5e91139ce4fb40f532c Mon Sep 17 00:00:00 2001
2	From: dcashman <dcashman@android.com>
3	Date: Tue, 23 Feb 2016 12:24:00 -0800
4	Subject: libselinux: procattr: return einval for <= 0 pid args.
5
6	getpidcon documentation does not specify that a pid of 0 refers to the
7	current process, and getcon exists specifically to provide this
8	functionality, and getpidcon(getpid()) would provide it as well.
9	Disallow pid values <= 0 that may lead to unintended behavior in
10	userspace object managers.
11
12	Signed-off-by: Daniel Cashman <dcashman@android.com>
13	---
14	src/procattr.c \| 14 ++++++++++++--
15	1 file changed, 12 insertions(+), 2 deletions(-)
16
17	diff --git a/src/procattr.c b/src/procattr.c
18	index c20f003..eee4612 100644
19	--- a/src/procattr.c
20	+++ b/src/procattr.c
21	@@ -306,11 +306,21 @@ static int setprocattrcon(const char * context,
22	#define getpidattr_def(fn, attr) \
23	int get##fn##_raw(pid_t pid, char **c) \
24	{ \
25	- return getprocattrcon_raw(c, pid, #attr); \
26	+ if (pid <= 0) { \
27	+ errno = EINVAL; \
28	+ return -1; \
29	+ } else { \
30	+ return getprocattrcon_raw(c, pid, #attr); \
31	+ } \
32	} \
33	int get##fn(pid_t pid, char **c) \
34	{ \
35	- return getprocattrcon(c, pid, #attr); \
36	+ if (pid <= 0) { \
37	+ errno = EINVAL; \
38	+ return -1; \
39	+ } else { \
40	+ return getprocattrcon(c, pid, #attr); \
41	+ } \
42	}
43
44	all_selfattr_def(con, current)
45	--
46	2.4.3
47


diff --git a/recipes-security/selinux/libselinux/libselinux-procattr-return-error-on-invalid-pid.patch b/recipes-security/selinux/libselinux/libselinux-procattr-return-error-on-invalid-pid.patch deleted file mode 100644 index 0717d67..0000000 --- a/recipes-security/selinux/libselinux/libselinux-procattr-return-error-on-invalid-pid.patch +++ /dev/null
@@ -1,40 +0,0 @@
1	From f77021d720f12767576c25d751c75cacd7478614 Mon Sep 17 00:00:00 2001
2	From: dcashman <dcashman@android.com>
3	Date: Tue, 23 Feb 2016 12:23:59 -0800
4	Subject: libselinux: procattr: return error on invalid pid_t
5	input.
6
7	Signed-off-by: Daniel Cashman <dcashman@android.com>
8	---
9	src/procattr.c \| 7 +++++--
10	1 file changed, 5 insertions(+), 2 deletions(-)
11
12	diff --git a/src/procattr.c b/src/procattr.c
13	index 527a0a5..c20f003 100644
14	--- a/src/procattr.c
15	+++ b/src/procattr.c
16	@@ -70,9 +70,9 @@ static int openattr(pid_t pid, const char *attr, int flags)
17	char *path;
18	pid_t tid;
19
20	- if (pid > 0)
21	+ if (pid > 0) {
22	rc = asprintf(&path, "/proc/%d/attr/%s", pid, attr);
23	- else {
24	+ } else if (pid == 0) {
25	rc = asprintf(&path, "/proc/thread-self/attr/%s", attr);
26	if (rc < 0)
27	return -1;
28	@@ -82,6 +82,9 @@ static int openattr(pid_t pid, const char *attr, int flags)
29	free(path);
30	tid = gettid();
31	rc = asprintf(&path, "/proc/self/task/%d/attr/%s", tid, attr);
32	+ } else {
33	+ errno = EINVAL;
34	+ return -1;
35	}
36	if (rc < 0)
37	return -1;
38	--
39	2.4.3
40


diff --git a/recipes-security/selinux/libselinux_2.5.bb b/recipes-security/selinux/libselinux_2.6.bb index 0284494..b9ad231 100644 --- a/recipes-security/selinux/libselinux_2.5.bb +++ b/recipes-security/selinux/libselinux_2.6.bb
@@ -1,18 +1,15 @@
1	include selinux_20160223.inc	1	include selinux_20161014.inc
2	include ${BPN}.inc	2	include ${BPN}.inc
3		3
4	LIC_FILES_CHKSUM = "file://LICENSE;md5=84b4d2c6ef954a2d4081e775a270d0d0"	4	LIC_FILES_CHKSUM = "file://LICENSE;md5=84b4d2c6ef954a2d4081e775a270d0d0"
5		5
6	SRC_URI[md5sum] = "d1399f5c2fd2fbe0e9603d5143b30367"	6	SRC_URI[md5sum] = "0e066ba6d6e590ba4b53eed64905d901"
7	SRC_URI[sha256sum] = "94c9e97706280bedcc288f784f67f2b9d3d6136c192b2c9f812115edba58514f"	7	SRC_URI[sha256sum] = "4ea2dde50665c202253ba5caac7738370ea0337c47b251ba981c60d24e1a118a"
8		8
9	SRC_URI += "\	9	SRC_URI += "\
10	file://libselinux-drop-Wno-unused-but-set-variable.patch \	10	file://libselinux-drop-Wno-unused-but-set-variable.patch \
11	file://libselinux-make-O_CLOEXEC-optional.patch \	11	file://libselinux-make-O_CLOEXEC-optional.patch \
12	file://libselinux-make-SOCK_CLOEXEC-optional.patch \	12	file://libselinux-make-SOCK_CLOEXEC-optional.patch \
13	file://libselinux-define-FD_CLOEXEC-as-necessary.patch \	13	file://libselinux-define-FD_CLOEXEC-as-necessary.patch \
14	file://libselinux-procattr-return-einval-for-0-pid.patch \
15	file://libselinux-procattr-return-error-on-invalid-pid.patch \
16	file://libselinux-only-mount-proc-if-necessary.patch \
17	file://0001-src-Makefile-fix-includedir-in-libselinux.pc.patch \	14	file://0001-src-Makefile-fix-includedir-in-libselinux.pc.patch \
18	"	15	"