From 9a07ac84248c97ea7adebebbf11d28bf9872b77f Mon Sep 17 00:00:00 2001
From: Wenzong Fan
Date: Mon, 4 Sep 2017 22:59:47 -0700
Subject: restorecond: add package 2.7 (20170804)
Move policycoreutils/restorecond to restorecond:
* Move and rebase patch:
- policycoreutils-make-O_CLOEXEC-optional.patch
* Cleanup policycoreutils_2.7.bb.
Signed-off-by: Wenzong Fan
Update policycoreutils_git.bb
Signed-off-by: Mark Hatle
---
.../policycoreutils-make-O_CLOEXEC-optional.patch | 43 ++++++++++++++++++++++
1 file changed, 43 insertions(+)
create mode 100644 recipes-security/selinux/restorecond/policycoreutils-make-O_CLOEXEC-optional.patch
(limited to 'recipes-security/selinux/restorecond')
diff --git a/recipes-security/selinux/restorecond/policycoreutils-make-O_CLOEXEC-optional.patch b/recipes-security/selinux/restorecond/policycoreutils-make-O_CLOEXEC-optional.patch
new file mode 100644
index 0000000..ab1a10a
--- /dev/null
+++ b/recipes-security/selinux/restorecond/policycoreutils-make-O_CLOEXEC-optional.patch
@@ -0,0 +1,43 @@
+Subject: [PATCH] policycoreutils: make O_CLOEXEC optional
+
+Various commits in the selinux tree in the current release added O_CLOEXEC
+to open() calls in an attempt to address file descriptor leaks as
+described:
+
+ http://danwalsh.livejournal.com/53603.html
+
+However O_CLOEXEC isn't available on all platforms, so make it a
+compile-time option and generate a warning when it is not available. The
+actual impact of leaking these file descriptors is minimal, though it does
+produce curious AVC Denied messages.
+
+Uptream-Status: Inappropriate [O_CLOEXEC has been in Linux since 2007 and POSIX since 2008]
+
+Signed-off-by: Joe MacDonald
+Signed-off-by: Wenzong Fan
+---
+ user.c | 8 +++++++-
+ 1 file changed, 7 insertions(+), 1 deletion(-)
+
+diff --git a/user.c b/user.c
+index 2c28676..6235772 100644
+--- a/user.c
++++ b/user.c
+@@ -202,7 +202,13 @@ static int local_server() {
+ perror("asprintf");
+ return -1;
+ }
+- local_lock_fd = open(ptr, O_CREAT | O_WRONLY | O_NOFOLLOW | O_CLOEXEC, S_IRUSR | S_IWUSR);
++ local_lock_fd = open(ptr, O_CREAT | O_WRONLY | O_NOFOLLOW
++ #ifdef O_CLOEXEC
++ | O_CLOEXEC
++ #else
++ #warning O_CLOEXEC undefined on this platform, this may leak file descriptors
++ #endif
++ , S_IRUSR | S_IWUSR);
+ if (debug_mode)
+ g_warning ("Lock file: %s", ptr);
+
+--
+1.7.9.5
+
-- cgit v1.2.3-54-g00ecf
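Review bot: The `#else` branch of the rewritten open() call in the nested user.c hunk only emits a compile-time `#warning` and then leaves the lock fd inheritable across exec, so on a platform without `O_CLOEXEC` the descriptor leak the upstream commits fixed is reintroduced rather than worked around; POSIX `fcntl(fd, F_SETFD, FD_CLOEXEC)` is available wherever `O_CLOEXEC` is not and closes the leak (minus the short open-to-fcntl window in a process that forks concurrently), and `<fcntl.h>` is already required for open(). `#warning` is additionally a GCC/Clang extension rather than standard C, so the fallback branch is itself not portable. Separately, the metadata tag in the new file is misspelled `Uptream-Status:`; OE patch tooling and reviewers look for the literal `Upstream-Status:` line and will not see this one. The enclosing local_server() continues past the hunk, so the later error check on local_lock_fd is not visible here.
```c
	local_lock_fd = open(ptr, O_CREAT | O_WRONLY | O_NOFOLLOW
#ifdef O_CLOEXEC
			| O_CLOEXEC
#endif
			, S_IRUSR | S_IWUSR);
#ifndef O_CLOEXEC
	/* No atomic close-on-exec on this platform: mark the fd right after
	 * open(). A concurrent fork()+exec() in this window still inherits it. */
	if (local_lock_fd >= 0 && fcntl(local_lock_fd, F_SETFD, FD_CLOEXEC) < 0)
		perror("fcntl");
#endif
	/* … unchanged: debug_mode g_warning … */
```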