From 0e405f98266b48969c2173d032878cc6b2893fcb Mon Sep 17 00:00:00 2001
From: Joe MacDonald <joe.macdonald@windriver.com>
Date: Tue, 15 Oct 2013 10:27:27 -0400
Subject: libselinux / libsemanage: work around FD_CLOEXEC and SOCK_CLOEXEC
 absence

[ CQID: WIND00438478 ]
[ CQID: WIND00439485 ]

Turns out some of the truly old hosts don't even really recognize
FD_CLOEXEC and most of the older ones don't know about SOCK_CLOEXEC.  Work
around each (define FD_CLOEXEC to something sensible, simply don't use
SOCK_CLOEXEC, produce warnings in either event).

Signed-off-by: Joe MacDonald <joe.macdonald@windriver.com>
Signed-off-by: Randy MacLeod <Randy.MacLeod@windriver.com>
Signed-off-by: Jackie Huang <jackie.huang@windriver.com>
Signed-off-by: Mark Hatle <mark.hatle@windriver.com>
---
 ...libselinux-define-FD_CLOEXEC-as-necessary.patch | 35 +++++++++++++++++++
 .../libselinux-make-SOCK_CLOEXEC-optional.patch    | 40 ++++++++++++++++++++++
 recipes-security/selinux/libselinux_2.1.13.bb      |  2 ++
 ...ibsemanage-define-FD_CLOEXEC-as-necessary.patch | 35 +++++++++++++++++++
 recipes-security/selinux/libsemanage_2.1.10.bb     |  1 +
 5 files changed, 113 insertions(+)
 create mode 100644 recipes-security/selinux/libselinux/libselinux-define-FD_CLOEXEC-as-necessary.patch
 create mode 100644 recipes-security/selinux/libselinux/libselinux-make-SOCK_CLOEXEC-optional.patch
 create mode 100644 recipes-security/selinux/libsemanage/libsemanage-define-FD_CLOEXEC-as-necessary.patch

diff --git a/recipes-security/selinux/libselinux/libselinux-define-FD_CLOEXEC-as-necessary.patch b/recipes-security/selinux/libselinux/libselinux-define-FD_CLOEXEC-as-necessary.patch
new file mode 100644
index 0000000..1fa1fba
--- /dev/null
+++ b/recipes-security/selinux/libselinux/libselinux-define-FD_CLOEXEC-as-necessary.patch
@@ -0,0 +1,35 @@
+From 9a843a025fb0eaad537eb9dce28da539cf2cb9c2 Mon Sep 17 00:00:00 2001
+From: Joe MacDonald <joe.macdonald@windriver.com>
+Date: Tue, 15 Oct 2013 10:14:41 -0400
+Subject: [PATCH 2/3] libselinux: define FD_CLOEXEC as necessary
+
+In truly old systems, even FD_CLOEXEC may not be defined.  Produce a
+warning and duplicate the #define for FD_CLOEXEC found in
+asm-generic/fcntl.h on more modern platforms.
+
+Uptream-Status: Inappropriate
+
+Signed-off-by: Joe MacDonald <joe.macdonald@windriver.com>
+---
+ libselinux/src/setrans_client.c |    5 +++++
+ 1 file changed, 5 insertions(+)
+
+diff --git a/src/setrans_client.c b/src/setrans_client.c
+index f9065bd..e07a779 100644
+--- a/src/setrans_client.c
++++ b/src/setrans_client.c
+@@ -38,6 +38,11 @@ static pthread_key_t destructor_key;
+ static int destructor_key_initialized = 0;
+ static __thread char destructor_initialized;
+ 
++#ifndef FD_CLOEXEC
++#warning FD_CLOEXEC undefined on this platform, this may leak file descriptors
++#define FD_CLOEXEC 1
++#endif
++
+ /*
+  * setransd_open
+  *
+-- 
+1.7.10.4
+
diff --git a/recipes-security/selinux/libselinux/libselinux-make-SOCK_CLOEXEC-optional.patch b/recipes-security/selinux/libselinux/libselinux-make-SOCK_CLOEXEC-optional.patch
new file mode 100644
index 0000000..14f0ce9
--- /dev/null
+++ b/recipes-security/selinux/libselinux/libselinux-make-SOCK_CLOEXEC-optional.patch
@@ -0,0 +1,40 @@
+From 193d42c8312cb8b189745696065b3aa5bbcc6968 Mon Sep 17 00:00:00 2001
+From: Joe MacDonald <joe.macdonald@windriver.com>
+Date: Tue, 15 Oct 2013 10:07:43 -0400
+Subject: [PATCH 1/3] libselinux: make SOCK_CLOEXEC optional
+
+libselinux/src/setrans_client.c checks for the existence of SOCK_CLOEXEC
+before using it, however libselinux/src/avc_internal.c does not.  Since
+SOCK_CLOEXEC suffers the same problem as O_CLOEXEC on some older
+platforms, we need to ensure we protect the references it it in the same
+way.
+
+Uptream-Status: Inappropriate
+
+Signed-off-by: Joe MacDonald <joe.macdonald@windriver.com>
+---
+ libselinux/src/avc_internal.c |    8 +++++++-
+ 1 file changed, 7 insertions(+), 1 deletion(-)
+
+diff --git a/src/avc_internal.c b/libselinux/src/avc_internal.c
+index f735e73..eb0599a 100644
+--- a/src/avc_internal.c
++++ b/src/avc_internal.c
+@@ -60,7 +60,13 @@ int avc_netlink_open(int blocking)
+ 	int len, rc = 0;
+ 	struct sockaddr_nl addr;
+ 
+-	fd = socket(PF_NETLINK, SOCK_RAW | SOCK_CLOEXEC, NETLINK_SELINUX);
++	fd = socket(PF_NETLINK, SOCK_RAW
++#ifdef SOCK_CLOEXEC
++               | SOCK_CLOEXEC
++#else
++#warning SOCK_CLOEXEC undefined on this platform, this may leak file descriptors
++#endif
++               , NETLINK_SELINUX);
+ 	if (fd < 0) {
+ 		rc = fd;
+ 		goto out;
+-- 
+1.7.10.4
+
diff --git a/recipes-security/selinux/libselinux_2.1.13.bb b/recipes-security/selinux/libselinux_2.1.13.bb
index 28b1ff1..caed650 100644
--- a/recipes-security/selinux/libselinux_2.1.13.bb
+++ b/recipes-security/selinux/libselinux_2.1.13.bb
@@ -13,4 +13,6 @@ SRC_URI += "\
         file://libselinux-pcre-link-order.patch \
         file://libselinux-drop-Wno-unused-but-set-variable.patch \
         file://libselinux-make-O_CLOEXEC-optional.patch \
+        file://libselinux-make-SOCK_CLOEXEC-optional.patch \
+        file://libselinux-define-FD_CLOEXEC-as-necessary.patch \
         "
diff --git a/recipes-security/selinux/libsemanage/libsemanage-define-FD_CLOEXEC-as-necessary.patch b/recipes-security/selinux/libsemanage/libsemanage-define-FD_CLOEXEC-as-necessary.patch
new file mode 100644
index 0000000..7be4381
--- /dev/null
+++ b/recipes-security/selinux/libsemanage/libsemanage-define-FD_CLOEXEC-as-necessary.patch
@@ -0,0 +1,35 @@
+From e783080f30e00d00800ff3491d88c62b2a1c637b Mon Sep 17 00:00:00 2001
+From: Joe MacDonald <joe.macdonald@windriver.com>
+Date: Tue, 15 Oct 2013 10:17:38 -0400
+Subject: [PATCH 3/3] libsemanage: define FD_CLOEXEC as necessary
+
+In truly old systems, even FD_CLOEXEC may not be defined.  Produce a
+warning and duplicate the #define for FD_CLOEXEC found in
+asm-generic/fcntl.h on more modern platforms.
+
+Uptream-Status: Inappropriate
+
+Signed-off-by: Joe MacDonald <joe.macdonald@windriver.com>
+---
+ libsemanage/src/semanage_store.c |    5 +++++
+ 1 file changed, 5 insertions(+)
+
+diff --git a/libsemanage/src/semanage_store.c b/libsemanage/src/semanage_store.c
+index 57ef49f..488a14a 100644
+--- a/libsemanage/src/semanage_store.c
++++ b/libsemanage/src/semanage_store.c
+@@ -65,6 +65,11 @@ static const char *DISABLESTR="disabled";
+ 
+ #define TRUE 1
+ 
++#ifndef FD_CLOEXEC
++#warning FD_CLOEXEC undefined on this platform, this may leak file descriptors
++#define FD_CLOEXEC 1
++#endif
++
+ enum semanage_file_defs {
+ 	SEMANAGE_ROOT,
+ 	SEMANAGE_TRANS_LOCK,
+-- 
+1.7.10.4
+
diff --git a/recipes-security/selinux/libsemanage_2.1.10.bb b/recipes-security/selinux/libsemanage_2.1.10.bb
index dcd3037..900d608 100644
--- a/recipes-security/selinux/libsemanage_2.1.10.bb
+++ b/recipes-security/selinux/libsemanage_2.1.10.bb
@@ -13,4 +13,5 @@ SRC_URI += "\
 	file://libsemanage-fix-path-len-limit.patch \
 	file://libsemanage-fix-path-nologin.patch \
 	file://libsemanage-drop-Wno-unused-but-set-variable.patch \
+	file://libsemanage-define-FD_CLOEXEC-as-necessary.patch;striplevel=2 \
 	"
-- 
cgit v1.2.3-54-g00ecf