From 0e405f98266b48969c2173d032878cc6b2893fcb Mon Sep 17 00:00:00 2001 From: Joe MacDonald Date: Tue, 15 Oct 2013 10:27:27 -0400 Subject: libselinux / libsemanage: work around FD_CLOEXEC and SOCK_CLOEXEC absence [ CQID: WIND00438478 ] [ CQID: WIND00439485 ] Turns out some of the truly old hosts don't even really recognize FD_CLOEXEC and most of the older ones don't know about SOCK_CLOEXEC. Work around each (define FD_CLOEXEC to something sensible, simply don't use SOCK_CLOEXEC, produce warnings in either event). Signed-off-by: Joe MacDonald Signed-off-by: Randy MacLeod Signed-off-by: Jackie Huang Signed-off-by: Mark Hatle --- .../libselinux-make-SOCK_CLOEXEC-optional.patch | 40 ++++++++++++++++++++++ 1 file changed, 40 insertions(+) create mode 100644 recipes-security/selinux/libselinux/libselinux-make-SOCK_CLOEXEC-optional.patch (limited to 'recipes-security/selinux/libselinux/libselinux-make-SOCK_CLOEXEC-optional.patch') diff --git a/recipes-security/selinux/libselinux/libselinux-make-SOCK_CLOEXEC-optional.patch b/recipes-security/selinux/libselinux/libselinux-make-SOCK_CLOEXEC-optional.patch new file mode 100644 index 0000000..14f0ce9 --- /dev/null +++ b/recipes-security/selinux/libselinux/libselinux-make-SOCK_CLOEXEC-optional.patch @@ -0,0 +1,40 @@ +From 193d42c8312cb8b189745696065b3aa5bbcc6968 Mon Sep 17 00:00:00 2001 +From: Joe MacDonald +Date: Tue, 15 Oct 2013 10:07:43 -0400 +Subject: [PATCH 1/3] libselinux: make SOCK_CLOEXEC optional + +libselinux/src/setrans_client.c checks for the existence of SOCK_CLOEXEC +before using it, however libselinux/src/avc_internal.c does not. Since +SOCK_CLOEXEC suffers the same problem as O_CLOEXEC on some older +platforms, we need to ensure we protect the references it it in the same +way. + +Uptream-Status: Inappropriate + +Signed-off-by: Joe MacDonald +--- + libselinux/src/avc_internal.c | 8 +++++++- + 1 file changed, 7 insertions(+), 1 deletion(-) + +diff --git a/src/avc_internal.c b/libselinux/src/avc_internal.c +index f735e73..eb0599a 100644 +--- a/src/avc_internal.c ++++ b/src/avc_internal.c +@@ -60,7 +60,13 @@ int avc_netlink_open(int blocking) + int len, rc = 0; + struct sockaddr_nl addr; + +- fd = socket(PF_NETLINK, SOCK_RAW | SOCK_CLOEXEC, NETLINK_SELINUX); ++ fd = socket(PF_NETLINK, SOCK_RAW ++#ifdef SOCK_CLOEXEC ++ | SOCK_CLOEXEC ++#else ++#warning SOCK_CLOEXEC undefined on this platform, this may leak file descriptors ++#endif ++ , NETLINK_SELINUX); + if (fd < 0) { + rc = fd; + goto out; +-- +1.7.10.4 + -- cgit v1.2.3-54-g00ecf