[yocto] [meta-selinux 2/2] libselinux: backport procfs mount fix
Ioan-Adrian Ratiu
adrian.ratiu at ni.com
Thu Feb 4 06:14:40 PST 2016
libselinux 20160107 ships this change (git commit id 9df49888)
Signed-off-by: Ioan-Adrian Ratiu <adrian.ratiu at ni.com>
---
.../libselinux-mount-procfs-before-check.patch | 74 ++++++++++++++++++++++
recipes-security/selinux/libselinux_2.4.bb | 1 +
recipes-security/selinux/libselinux_git.bb | 1 +
3 files changed, 76 insertions(+)
create mode 100644 recipes-security/selinux/libselinux/libselinux-mount-procfs-before-check.patch
diff --git a/recipes-security/selinux/libselinux/libselinux-mount-procfs-before-check.patch b/recipes-security/selinux/libselinux/libselinux-mount-procfs-before-check.patch
new file mode 100644
index 0000000..dc27aaa
--- /dev/null
+++ b/recipes-security/selinux/libselinux/libselinux-mount-procfs-before-check.patch
@@ -0,0 +1,74 @@
+commit 9df498884665d79474b79f0f30d1cd67df11bd3e
+Author: Ben Shelton <ben.shelton at ni.com>
+Date: Wed Apr 15 15:56:57 2015 -0500
+
+ libselinux: Mount procfs before checking /proc/filesystems
+
+ In the case where the SELinux security module is not loaded in the
+ kernel and it's early enough in the boot process that /proc has not yet
+ been mounted, selinuxfs_exists() will incorrectly return 1, and
+ selinux_init_load_policy() will print a message like this to the
+ console:
+
+ Mount failed for selinuxfs on /sys/fs/selinux: No such file or directory
+
+ To fix this, mount the procfs before attempting to open
+ /proc/filesystems, and unmount it when done if it was initially not
+ mounted. This is the same thing that selinux_init_load_policy() does
+ when reading /proc/cmdline.
+
+ Signed-off-by: Ben Shelton <ben.shelton at ni.com>
+
+Upstream-Status: Accepted
+
+diff --git a/src/init.c b/src/init.c
+index 6d1ef33..179e0d0 100644
+--- a/src/init.c
++++ b/src/init.c
+@@ -11,6 +11,7 @@
+ #include <sys/vfs.h>
+ #include <stdint.h>
+ #include <limits.h>
++#include <sys/mount.h>
+
+ #include "dso.h"
+ #include "policy.h"
+@@ -54,15 +55,20 @@ static int verify_selinuxmnt(const char *mnt)
+
+ int selinuxfs_exists(void)
+ {
+- int exists = 0;
++ int exists = 0, mnt_rc = 0;
+ FILE *fp = NULL;
+ char *buf = NULL;
+ size_t len;
+ ssize_t num;
+
++ mnt_rc = mount("proc", "/proc", "proc", 0, 0);
++
+ fp = fopen("/proc/filesystems", "r");
+- if (!fp)
+- return 1; /* Fail as if it exists */
++ if (!fp) {
++ exists = 1; /* Fail as if it exists */
++ goto out;
++ }
++
+ __fsetlocking(fp, FSETLOCKING_BYCALLER);
+
+ num = getline(&buf, &len, fp);
+@@ -76,6 +82,14 @@ int selinuxfs_exists(void)
+
+ free(buf);
+ fclose(fp);
++
++out:
++#ifndef MNT_DETACH
++#define MNT_DETACH 2
++#endif
++ if (mnt_rc == 0)
++ umount2("/proc", MNT_DETACH);
++
+ return exists;
+ }
+ hidden_def(selinuxfs_exists)
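Review bot: The `mount("proc", "/proc", "proc", 0, 0)` added at the top of selinuxfs_exists() runs on every call, before the code knows whether /proc/filesystems is already readable, so every process that calls this library function attempts a mount it usually does not need and often is not permitted to make; on a system enforcing policy that attempt may also be logged as a denial (inferred, not visible here). Opening /proc/filesystems first, mounting only when that open fails, and then retrying keeps the early-boot fix while leaving the common path free of the privileged call. With that change `mnt_rc` has to start at `-1` rather than `0`, so the `out:` path detaches only a mount this function actually made. The getline loop sits between the two inner hunks, outside the visible lines, and is not affected by this suggestion.

```c
	int exists = 0, mnt_rc = -1;
	/* … unchanged: fp, buf, len, num declarations … */

	fp = fopen("/proc/filesystems", "r");
	if (!fp) {
		/* /proc may not be mounted yet (early boot): mount it and retry */
		mnt_rc = mount("proc", "/proc", "proc", 0, 0);
		if (mnt_rc == 0)
			fp = fopen("/proc/filesystems", "r");
	}
	if (!fp) {
		exists = 1; /* Fail as if it exists */
		goto out;
	}
	/* … unchanged: __fsetlocking, getline loop, free(buf), fclose(fp), out: label … */
```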
diff --git a/recipes-security/selinux/libselinux_2.4.bb b/recipes-security/selinux/libselinux_2.4.bb
index e084df2..86ff44c 100644
--- a/recipes-security/selinux/libselinux_2.4.bb
+++ b/recipes-security/selinux/libselinux_2.4.bb
@@ -12,4 +12,5 @@ SRC_URI += "\
file://libselinux-make-SOCK_CLOEXEC-optional.patch \
file://libselinux-define-FD_CLOEXEC-as-necessary.patch \
file://libselinux-get-pywrap-depends-on-selinux.py.patch \
+ file://libselinux-mount-procfs-before-check.patch \
"
diff --git a/recipes-security/selinux/libselinux_git.bb b/recipes-security/selinux/libselinux_git.bb
index 4efab86..33d9e00 100644
--- a/recipes-security/selinux/libselinux_git.bb
+++ b/recipes-security/selinux/libselinux_git.bb
@@ -12,4 +12,5 @@ SRC_URI += "\
file://libselinux-make-SOCK_CLOEXEC-optional.patch \
file://libselinux-define-FD_CLOEXEC-as-necessary.patch \
file://libselinux-get-pywrap-depends-on-selinux.py.patch \
+ file://libselinux-mount-procfs-before-check.patch \
"
--
2.7.0