diff options
| author | Wenzong Fan <wenzong.fan@windriver.com> | 2017-09-04 22:59:47 -0700 |
|---|---|---|
| committer | Mark Hatle <mark.hatle@windriver.com> | 2017-09-13 19:48:51 -0500 |
| commit | 9a07ac84248c97ea7adebebbf11d28bf9872b77f (patch) | |
| tree | ae966e143d6468e5ab177a58b4498b7fb0a8ad2e /recipes-security/selinux/restorecond | |
| parent | d8d6ac6a5de6cc37e61ed48ea3a91c138bc4d213 (diff) | |
| download | meta-selinux-9a07ac84248c97ea7adebebbf11d28bf9872b77f.tar.gz | |
restorecond: add package 2.7 (20170804)
Move policycoreutils/restorecond to restorecond:
* Move and rebase patch:
- policycoreutils-make-O_CLOEXEC-optional.patch
* Cleanup policycoreutils_2.7.bb.
Signed-off-by: Wenzong Fan <wenzong.fan@windriver.com>
Update policycoreutils_git.bb
Signed-off-by: Mark Hatle <mark.hatle@windriver.com>
Diffstat (limited to 'recipes-security/selinux/restorecond')
| -rw-r--r-- | recipes-security/selinux/restorecond/policycoreutils-make-O_CLOEXEC-optional.patch | 43 |
1 files changed, 43 insertions, 0 deletions
diff --git a/recipes-security/selinux/restorecond/policycoreutils-make-O_CLOEXEC-optional.patch b/recipes-security/selinux/restorecond/policycoreutils-make-O_CLOEXEC-optional.patch new file mode 100644 index 0000000..ab1a10a --- /dev/null +++ b/recipes-security/selinux/restorecond/policycoreutils-make-O_CLOEXEC-optional.patch | |||
| @@ -0,0 +1,43 @@ | |||
| 1 | Subject: [PATCH] policycoreutils: make O_CLOEXEC optional | ||
| 2 | |||
| 3 | Various commits in the selinux tree in the current release added O_CLOEXEC | ||
| 4 | to open() calls in an attempt to address file descriptor leaks as | ||
| 5 | described: | ||
| 6 | |||
| 7 | http://danwalsh.livejournal.com/53603.html | ||
| 8 | |||
| 9 | However O_CLOEXEC isn't available on all platforms, so make it a | ||
| 10 | compile-time option and generate a warning when it is not available. The | ||
| 11 | actual impact of leaking these file descriptors is minimal, though it does | ||
| 12 | produce curious AVC Denied messages. | ||
| 13 | |||
| 14 | Uptream-Status: Inappropriate [O_CLOEXEC has been in Linux since 2007 and POSIX since 2008] | ||
| 15 | |||
| 16 | Signed-off-by: Joe MacDonald <joe.macdonald@windriver.com> | ||
| 17 | Signed-off-by: Wenzong Fan <wenzong.fan@windriver.com> | ||
| 18 | --- | ||
| 19 | user.c | 8 +++++++- | ||
| 20 | 1 file changed, 7 insertions(+), 1 deletion(-) | ||
| 21 | |||
| 22 | diff --git a/user.c b/user.c | ||
| 23 | index 2c28676..6235772 100644 | ||
| 24 | --- a/user.c | ||
| 25 | +++ b/user.c | ||
| 26 | @@ -202,7 +202,13 @@ static int local_server() { | ||
| 27 | perror("asprintf"); | ||
| 28 | return -1; | ||
| 29 | } | ||
| 30 | - local_lock_fd = open(ptr, O_CREAT | O_WRONLY | O_NOFOLLOW | O_CLOEXEC, S_IRUSR | S_IWUSR); | ||
| 31 | + local_lock_fd = open(ptr, O_CREAT | O_WRONLY | O_NOFOLLOW | ||
| 32 | + #ifdef O_CLOEXEC | ||
| 33 | + | O_CLOEXEC | ||
| 34 | + #else | ||
| 35 | + #warning O_CLOEXEC undefined on this platform, this may leak file descriptors | ||
| 36 | + #endif | ||
| 37 | + , S_IRUSR | S_IWUSR); | ||
| 38 | if (debug_mode) | ||
| 39 | g_warning ("Lock file: %s", ptr); | ||
| 40 | |||
| 41 | -- | ||
| 42 | 1.7.9.5 | ||
| 43 | |||