From b78b413a24cf97f5ebda73bcf36fcb15ffbe1abf Mon Sep 17 00:00:00 2001
From: Yi Zhao
Date: Sat, 13 Mar 2021 13:50:31 +0800
Subject: libselinux: update to 3.2

* Merge inc file into bb file.
* Drop obsolete patches:
0001-libselinux-do-not-define-gettid-for-musl.patch
libselinux-define-FD_CLOEXEC-as-necessary.patch
libselinux-make-O_CLOEXEC-optional.patch
libselinux-make-SOCK_CLOEXEC-optional.patch

Signed-off-by: Yi Zhao
Signed-off-by: Joe MacDonald
---
 recipes-security/selinux/libselinux.inc | 24 ------
 ...-libselinux-do-not-define-gettid-for-musl.patch | 47 ----------
 ...libselinux-define-FD_CLOEXEC-as-necessary.patch | 33 --------
 .../libselinux-make-O_CLOEXEC-optional.patch | 99 ----------------------
 .../libselinux-make-SOCK_CLOEXEC-optional.patch | 38 ---------
 recipes-security/selinux/libselinux_3.1.bb | 17 ----
 recipes-security/selinux/libselinux_3.2.bb | 29 +++++++
 7 files changed, 29 insertions(+), 258 deletions(-)
 delete mode 100644 recipes-security/selinux/libselinux.inc
 delete mode 100644 recipes-security/selinux/libselinux/0001-libselinux-do-not-define-gettid-for-musl.patch
 delete mode 100644 recipes-security/selinux/libselinux/libselinux-define-FD_CLOEXEC-as-necessary.patch
 delete mode 100644 recipes-security/selinux/libselinux/libselinux-make-O_CLOEXEC-optional.patch
 delete mode 100644 recipes-security/selinux/libselinux/libselinux-make-SOCK_CLOEXEC-optional.patch
 delete mode 100644 recipes-security/selinux/libselinux_3.1.bb
 create mode 100644 recipes-security/selinux/libselinux_3.2.bb

diff --git a/recipes-security/selinux/libselinux.inc b/recipes-security/selinux/libselinux.inc
deleted file mode 100644
index fe8c087..0000000
--- a/recipes-security/selinux/libselinux.inc
+++ /dev/null
@@ -1,24 +0,0 @@
-SUMMARY = "SELinux library and simple utilities"
-DESCRIPTION = "libselinux provides an API for SELinux applications to get and set \
-process and file security contexts and to obtain security policy \
-decisions. Required for any applications that use the SELinux API."
-SECTION = "base"
-LICENSE = "PD"
-
-inherit lib_package python3native
-
-DEPENDS += "libsepol libpcre"
-DEPENDS_append_libc-musl = " fts"
-
-def get_policyconfigarch(d):
-    import re
-    target = d.getVar('TARGET_ARCH')
-    p = re.compile('i.86')
-    target = p.sub('i386',target)
-    return "ARCH=%s" % (target)
-EXTRA_OEMAKE += "${@get_policyconfigarch(d)}"
-
-EXTRA_OEMAKE += "LDFLAGS='${LDFLAGS} -lpcre' LIBSEPOLA='${STAGING_LIBDIR}/libsepol.a'"
-EXTRA_OEMAKE_append_libc-musl = " FTS_LDLIBS=-lfts"
-
-BBCLASSEXTEND = "native"
diff --git a/recipes-security/selinux/libselinux/0001-libselinux-do-not-define-gettid-for-musl.patch b/recipes-security/selinux/libselinux/0001-libselinux-do-not-define-gettid-for-musl.patch
deleted file mode 100644
index 5d6e409..0000000
--- a/recipes-security/selinux/libselinux/0001-libselinux-do-not-define-gettid-for-musl.patch
+++ /dev/null
@@ -1,47 +0,0 @@ -From 5f6f4a095bc82b29c3871d4d8a15d9c16cef39ef Mon Sep 17 00:00:00 2001 -From: Yi Zhao -Date: Wed, 6 Jan 2021 10:42:11 +0800 -Subject: [PATCH] libselinux: do not define gettid() for musl - -The musl has implemented gettid() function: -http://git.musl-libc.org/cgit/musl/commit/?id=d49cf07541bb54a5ac7aec1feec8514db33db8ea - -Fixes: -procattr.c:38:14: error: static declaration of 'gettid' follows non-static declaration - 38 | static pid_t gettid(void) - | ^~~~~~ -In file included from procattr.c:2: -/build/tmp/work/core2-32-poky-linux-musl/libselinux/3.1-r0/recipe-sysroot/usr/include/unistd.h:194:7: -note: previous declaration of 'gettid' was here - 194 | pid_t gettid(void); - | ^~~~~~ - -Upstream-Status: Pending - -Signed-off-by: Yi Zhao ---- - src/procattr.c | 8 +------- - 1 file changed, 1 insertion(+), 7 deletions(-) - -diff --git a/src/procattr.c b/src/procattr.c -index 926ee54..519e515 100644 ---- a/src/procattr.c -+++ b/src/procattr.c -@@ -24,13 +24,7 @@ static __thread char destructor_initialized; - - /* Bionic and glibc >= 2.30 declare gettid() system call wrapper in unistd.h and - * has a definition for it */ --#ifdef __BIONIC__ -- #define OVERRIDE_GETTID 0 --#elif !defined(__GLIBC_PREREQ) -- #define OVERRIDE_GETTID 1 --#elif !__GLIBC_PREREQ(2,30) -- #define OVERRIDE_GETTID 1 --#else -+#if !defined(__GLIBC_) - #define OVERRIDE_GETTID 0 - #endif - --- -2.17.1 - diff --git a/recipes-security/selinux/libselinux/libselinux-define-FD_CLOEXEC-as-necessary.patch b/recipes-security/selinux/libselinux/libselinux-define-FD_CLOEXEC-as-necessary.patch deleted file mode 100644 index 25d4b24..0000000 --- a/recipes-security/selinux/libselinux/libselinux-define-FD_CLOEXEC-as-necessary.patch +++ /dev/null 
@@ -1,33 +0,0 @@ -From d0aaf391ab30b253aa22ef6547a039bcac840fc6 Mon Sep 17 00:00:00 2001 -From: Joe MacDonald -Date: Tue, 15 Oct 2013 10:14:41 -0400 -Subject: [PATCH] libselinux: define FD_CLOEXEC as necessary - -In truly old systems, even FD_CLOEXEC may not be defined. Produce a -warning and duplicate the #define for FD_CLOEXEC found in -asm-generic/fcntl.h on more modern platforms. - -Upstream-Status: Inappropriate - -Signed-off-by: Joe MacDonald - ---- - src/setrans_client.c | 5 +++++ - 1 file changed, 5 insertions(+) - -diff --git a/src/setrans_client.c b/src/setrans_client.c -index fa188a8..a94f02c 100644 ---- a/src/setrans_client.c -+++ b/src/setrans_client.c -@@ -39,6 +39,11 @@ static pthread_key_t destructor_key; - static int destructor_key_initialized = 0; - static __thread char destructor_initialized; - -+#ifndef FD_CLOEXEC -+#warning FD_CLOEXEC undefined on this platform, this may leak file descriptors -+#define FD_CLOEXEC 1 -+#endif -+ - /* - * setransd_open - * diff --git a/recipes-security/selinux/libselinux/libselinux-make-O_CLOEXEC-optional.patch b/recipes-security/selinux/libselinux/libselinux-make-O_CLOEXEC-optional.patch deleted file mode 100644 index 1d6f3a7..0000000 --- a/recipes-security/selinux/libselinux/libselinux-make-O_CLOEXEC-optional.patch +++ /dev/null 
@@ -1,99 +0,0 @@ -From 802d224953294463fa9bc793e46f664ecfea057a Mon Sep 17 00:00:00 2001 -From: Joe MacDonald -Date: Fri, 11 Oct 2013 09:56:25 -0400 -Subject: [PATCH] libselinux: make O_CLOEXEC optional - -Various commits in the selinux tree in the current release added O_CLOEXEC -to open() calls in an attempt to address file descriptor leaks as -described: - - http://danwalsh.livejournal.com/53603.html - -However O_CLOEXEC isn't available on all platforms, so make it a -compile-time option and generate a warning when it is not available. The -actual impact of leaking these file descriptors is minimal, though it does -produce curious AVC Denied messages. - -Upstream-Status: Inappropriate [O_CLOEXEC has been in Linux since 2007 and POSIX since 2008] - -Signed-off-by: Joe MacDonald -Signed-off-by: Wenzong Fan - ---- - src/procattr.c | 16 ++++++++++++++-- - src/sestatus.c | 8 +++++++- - src/stringrep.c | 8 +++++++- - 3 files changed, 28 insertions(+), 4 deletions(-) - -diff --git a/src/procattr.c b/src/procattr.c -index 48dd8af..8bf8432 100644 ---- a/src/procattr.c -+++ b/src/procattr.c -@@ -79,7 +79,13 @@ static int openattr(pid_t pid, const char *attr, int flags) - rc = asprintf(&path, "/proc/thread-self/attr/%s", attr); - if (rc < 0) - return -1; -- fd = open(path, flags | O_CLOEXEC); -+ fd = open(path, flags -+#ifdef O_CLOEXEC -+ | O_CLOEXEC -+#else -+#warning O_CLOEXEC undefined on this platform, this may leak file descriptors -+#endif -+ ); - if (fd >= 0 || errno != ENOENT) - goto out; - free(path); -@@ -92,7 +98,13 @@ static int openattr(pid_t pid, const char *attr, int flags) - if (rc < 0) - return -1; - -- fd = open(path, flags | O_CLOEXEC); -+ fd = open(path, flags -+#ifdef O_CLOEXEC -+ | O_CLOEXEC -+#else -+#warning O_CLOEXEC undefined on this platform, this may leak file descriptors -+#endif -+ ); - out: - free(path); - return fd; -diff --git a/src/sestatus.c b/src/sestatus.c -index ed29dc5..0cb15b6 100644 ---- a/src/sestatus.c -+++ b/src/sestatus.c -@@ 
-268,7 +268,13 @@ int selinux_status_open(int fallback) - return -1; - - snprintf(path, sizeof(path), "%s/status", selinux_mnt); -- fd = open(path, O_RDONLY | O_CLOEXEC); -+ fd = open(path, O_RDONLY -+#ifdef O_CLOEXEC -+ | O_CLOEXEC -+#else -+#warning O_CLOEXEC undefined on this platform, this may leak file descriptors -+#endif -+ ); - if (fd < 0) - goto error; - -diff --git a/src/stringrep.c b/src/stringrep.c -index 2d83f96..17e9232 100644 ---- a/src/stringrep.c -+++ b/src/stringrep.c -@@ -105,7 +105,13 @@ static struct discover_class_node * discover_class(const char *s) - struct stat m; - - snprintf(path, sizeof path, "%s/class/%s/perms/%s", selinux_mnt,s,dentry->d_name); -- fd = open(path, O_RDONLY | O_CLOEXEC); -+ fd = open(path, O_RDONLY -+#ifdef O_CLOEXEC -+ | O_CLOEXEC -+#else -+#warning O_CLOEXEC undefined on this platform, this may leak file descriptors -+#endif -+ ); - if (fd < 0) - goto err4; - diff --git a/recipes-security/selinux/libselinux/libselinux-make-SOCK_CLOEXEC-optional.patch b/recipes-security/selinux/libselinux/libselinux-make-SOCK_CLOEXEC-optional.patch deleted file mode 100644 index 77a9136..0000000 --- a/recipes-security/selinux/libselinux/libselinux-make-SOCK_CLOEXEC-optional.patch +++ /dev/null 
@@ -1,38 +0,0 @@ -From e630805d15a3b8d09330353f87a7e4a9fcc9998a Mon Sep 17 00:00:00 2001 -From: Joe MacDonald -Date: Tue, 15 Oct 2013 10:07:43 -0400 -Subject: [PATCH] libselinux: make SOCK_CLOEXEC optional - -libselinux/src/setrans_client.c checks for the existence of SOCK_CLOEXEC -before using it, however libselinux/src/avc_internal.c does not. Since -SOCK_CLOEXEC suffers the same problem as O_CLOEXEC on some older -platforms, we need to ensure we protect the references it it in the same -way. - -Upstream-Status: Inappropriate - -Signed-off-by: Joe MacDonald - ---- - src/avc_internal.c | 8 +++++++- - 1 file changed, 7 insertions(+), 1 deletion(-) - -diff --git a/src/avc_internal.c b/src/avc_internal.c -index 49cecc9..148cc83 100644 ---- a/src/avc_internal.c -+++ b/src/avc_internal.c -@@ -60,7 +60,13 @@ int avc_netlink_open(int blocking) - int len, rc = 0; - struct sockaddr_nl addr; - -- fd = socket(PF_NETLINK, SOCK_RAW | SOCK_CLOEXEC, NETLINK_SELINUX); -+ fd = socket(PF_NETLINK, SOCK_RAW -+#ifdef SOCK_CLOEXEC -+ | SOCK_CLOEXEC -+#else -+#warning SOCK_CLOEXEC undefined on this platform, this may leak file descriptors -+#endif -+ , NETLINK_SELINUX); - if (fd < 0) { - rc = fd; - goto out; diff --git a/recipes-security/selinux/libselinux_3.1.bb b/recipes-security/selinux/libselinux_3.1.bb deleted file mode 100644 index 9d1cda5..0000000 --- a/recipes-security/selinux/libselinux_3.1.bb +++ /dev/null @@ -1,17 +0,0 @@ -require selinux_20200710.inc -require ${BPN}.inc - -LIC_FILES_CHKSUM = "file://LICENSE;md5=84b4d2c6ef954a2d4081e775a270d0d0" - -SRC_URI[md5sum] = "693680c021feb69a4b258b0370021461" -SRC_URI[sha256sum] = "ea5dcbb4d859e3f999c26a13c630da2f16dff9462e3cc8cb7b458ac157d112e7" - -SRC_URI += "\ - file://libselinux-make-O_CLOEXEC-optional.patch \ - file://libselinux-make-SOCK_CLOEXEC-optional.patch \ - file://libselinux-define-FD_CLOEXEC-as-necessary.patch \ - " - -SRC_URI_append_libc-musl = " \ - file://0001-libselinux-do-not-define-gettid-for-musl.patch \ - " 
diff --git a/recipes-security/selinux/libselinux_3.2.bb b/recipes-security/selinux/libselinux_3.2.bb
new file mode 100644
index 0000000..5acd576
--- /dev/null
+++ b/recipes-security/selinux/libselinux_3.2.bb
@@ -0,0 +1,29 @@
+SUMMARY = "SELinux library and simple utilities"
+DESCRIPTION = "libselinux provides an API for SELinux applications to get and set \
+process and file security contexts and to obtain security policy \
+decisions. Required for any applications that use the SELinux API."
+SECTION = "base"
+LICENSE = "PD"
+LIC_FILES_CHKSUM = "file://${S}/LICENSE;md5=84b4d2c6ef954a2d4081e775a270d0d0"
+
+require selinux_common.inc
+
+inherit lib_package python3native
+
+DEPENDS += "libsepol libpcre"
+DEPENDS_append_libc-musl = " fts"
+
+S = "${WORKDIR}/git/libselinux"
+
+def get_policyconfigarch(d):
+    import re
+    target = d.getVar('TARGET_ARCH')
+    p = re.compile('i.86')
+    target = p.sub('i386',target)
+    return "ARCH=%s" % (target)
+
+EXTRA_OEMAKE += "${@get_policyconfigarch(d)}"
+EXTRA_OEMAKE += "LDFLAGS='${LDFLAGS} -lpcre' LIBSEPOLA='${STAGING_LIBDIR}/libsepol.a'"
+EXTRA_OEMAKE_append_libc-musl = " FTS_LDLIBS=-lfts"
+
+BBCLASSEXTEND = "native"
-- 
cgit v1.2.3-54-g00ecf
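Review bot: The new recipe carries no `SRC_URI[md5sum]`/`SRC_URI[sha256sum]` (the deleted `libselinux_3.1.bb` had both) and sets `S = "${WORKDIR}/git/libselinux"`, so source identity now rests entirely on whatever `SRC_URI`/`SRCREV` `require selinux_common.inc` supplies; that file is outside this patch, so please confirm it pins an immutable commit hash rather than a branch or tag name, otherwise the build loses the provenance check the tarball checksums gave. In `get_policyconfigarch`, `re.compile('i.86')` is unanchored and `d.getVar('TARGET_ARCH')` can return None, in which case `p.sub` raises TypeError; `return "ARCH=%s" % re.sub(r'^i.86$', 'i386', d.getVar('TARGET_ARCH') or '')` handles both and drops the throwaway compiled pattern. A one-line comment above the function, `# Collapse any i?86 TARGET_ARCH to the ARCH=i386 value passed to libselinux's make`, would help the next reader.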