[yocto] [PATCH 12/13] libselinux: Only mount /proc if necessary

Stephen Smalley sds at tycho.nsa.gov
Mon Mar 7 12:52:51 PST 2016


selinux upstream commit 5a8d8c499b2ef80eaa7b5abe2ec68d7101e613bf

Signed-off-by: Stephen Smalley <sds at tycho.nsa.gov>
---
 .../libselinux-only-mount-proc-if-necessary.patch  | 54 ++++++++++++++++++++++
 recipes-security/selinux/libselinux_2.5.bb         |  1 +
 2 files changed, 55 insertions(+)
 create mode 100644 recipes-security/selinux/libselinux/libselinux-only-mount-proc-if-necessary.patch

diff --git a/recipes-security/selinux/libselinux/libselinux-only-mount-proc-if-necessary.patch b/recipes-security/selinux/libselinux/libselinux-only-mount-proc-if-necessary.patch
new file mode 100644
index 0000000..ab157b6
--- /dev/null
+++ b/recipes-security/selinux/libselinux/libselinux-only-mount-proc-if-necessary.patch
@@ -0,0 +1,54 @@
+From 0d9368ee5af662a99cf123407884ba0e42053c68 Mon Sep 17 00:00:00 2001
+From: Stephen Smalley <sds at tycho.nsa.gov>
+Date: Mon, 29 Feb 2016 10:10:55 -0500
+Subject: [PATCH] libselinux: only mount /proc if necessary
+
+Commit 9df498884665d ("libselinux: Mount procfs before checking
+/proc/filesystems") changed selinuxfs_exists() to always try
+mounting /proc before reading /proc/filesystems.  However, this is
+unnecessary if /proc is already mounted and can produce avc denials
+if the process is not allowed to perform the mount.  Check first
+to see if /proc is already present and only try the mount if it is not.
+
+Signed-off-by: Stephen Smalley <sds at tycho.nsa.gov>
+---
+ src/init.c | 11 +++++++++--
+ 1 file changed, 9 insertions(+), 2 deletions(-)
+
+diff --git a/src/init.c b/src/init.c
+index 3db4de0..3530594 100644
+--- a/src/init.c
++++ b/src/init.c
+@@ -12,6 +12,7 @@
+ #include <stdint.h>
+ #include <limits.h>
+ #include <sys/mount.h>
++#include <linux/magic.h>
+ 
+ #include "dso.h"
+ #include "policy.h"
+@@ -57,13 +58,19 @@ static int verify_selinuxmnt(const char *mnt)
+ 
+ int selinuxfs_exists(void)
+ {
+-	int exists = 0, mnt_rc = 0;
++	int exists = 0, mnt_rc = -1, rc;
++	struct statfs sb;
+ 	FILE *fp = NULL;
+ 	char *buf = NULL;
+ 	size_t len;
+ 	ssize_t num;
+ 
+-	mnt_rc = mount("proc", "/proc", "proc", 0, 0);
++	do {
++		rc = statfs("/proc", &sb);
++	} while (rc < 0 && errno == EINTR);
++
++	if (rc == 0 && ((uint32_t)sb.f_type != (uint32_t)PROC_SUPER_MAGIC))
++		mnt_rc = mount("proc", "/proc", "proc", 0, 0);
+ 
+ 	fp = fopen("/proc/filesystems", "r");
+ 	if (!fp) {
+-- 
+2.4.3
+
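Review bot: The fallback mount at `mnt_rc = mount("proc", "/proc", "proc", 0, 0);` is now skipped whenever statfs() fails for any reason other than EINTR, because the guard requires `rc == 0`; before this change the mount was always attempted, so an unexpected statfs error now silently sends selinuxfs_exists() into an fopen of /proc/filesystems that cannot succeed. Attempting the mount whenever procfs could not be confirmed keeps the old fallback while still avoiding the mount (and its AVC denial) when /proc is already there: `if (rc < 0 || (uint32_t)sb.f_type != (uint32_t)PROC_SUPER_MAGIC)`. The new `mnt_rc = -1` initializer is presumably what the cleanup later in selinuxfs_exists() (outside this hunk) uses to decide whether to umount /proc, so that cleanup must test `mnt_rc == 0` rather than "not negative" — worth confirming against the rest of the function. Separately, the embedded patch header records commit 0d9368ee while the cover text cites upstream 5a8d8c49; an OE-style `Upstream-Status: Backport [5a8d8c499b2ef80eaa7b5abe2ec68d7101e613bf]` line in the patch would make the provenance auditable.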
diff --git a/recipes-security/selinux/libselinux_2.5.bb b/recipes-security/selinux/libselinux_2.5.bb
index a744b2f..0e2d864 100644
--- a/recipes-security/selinux/libselinux_2.5.bb
+++ b/recipes-security/selinux/libselinux_2.5.bb
@@ -11,5 +11,6 @@ SRC_URI += "\
         file://libselinux-make-O_CLOEXEC-optional.patch \
         file://libselinux-make-SOCK_CLOEXEC-optional.patch \
         file://libselinux-define-FD_CLOEXEC-as-necessary.patch \
+        file://libselinux-only-mount-proc-if-necessary.patch \
         file://0001-src-Makefile-fix-includedir-in-libselinux.pc.patch \
         "
-- 
2.4.3



