[yocto] [meta-selinux][PATCH 3/9] libselinux: uprev to 2.6 (20161014)
wenzong.fan at windriver.com
wenzong.fan at windriver.com
Thu Jan 5 00:23:20 PST 2017
From: Wenzong Fan <wenzong.fan at windriver.com>
* rebase patch:
- libselinux-make-O_CLOEXEC-optional.patch
* cleanup patches:
- libselinux-only-mount-proc-if-necessary.patch
- libselinux-procattr-return-einval-for-0-pid.patch
- libselinux-procattr-return-error-on-invalid-pid.patch
* other fixes:
- remove make variables that the latest Makefile no longer uses
- update FILES_${PN}-python to match the installed file:
'${libdir}/python2.7/site-packages/_selinux.so'.
Signed-off-by: Wenzong Fan <wenzong.fan at windriver.com>
---
recipes-security/selinux/libselinux.inc | 11 +---
.../libselinux-make-O_CLOEXEC-optional.patch | 77 +++++++++++-----------
.../libselinux-only-mount-proc-if-necessary.patch | 54 ---------------
...bselinux-procattr-return-einval-for-0-pid.patch | 47 -------------
...inux-procattr-return-error-on-invalid-pid.patch | 40 -----------
.../{libselinux_2.5.bb => libselinux_2.6.bb} | 9 +--
6 files changed, 44 insertions(+), 194 deletions(-)
delete mode 100644 recipes-security/selinux/libselinux/libselinux-only-mount-proc-if-necessary.patch
delete mode 100644 recipes-security/selinux/libselinux/libselinux-procattr-return-einval-for-0-pid.patch
delete mode 100644 recipes-security/selinux/libselinux/libselinux-procattr-return-error-on-invalid-pid.patch
rename recipes-security/selinux/{libselinux_2.5.bb => libselinux_2.6.bb} (54%)
diff --git a/recipes-security/selinux/libselinux.inc b/recipes-security/selinux/libselinux.inc
index d571a7c..ad00d10 100644
--- a/recipes-security/selinux/libselinux.inc
+++ b/recipes-security/selinux/libselinux.inc
@@ -10,7 +10,7 @@ inherit lib_package pythonnative
DEPENDS += "libsepol python libpcre swig-native"
PACKAGES += "${PN}-python"
-FILES_${PN}-python = "${libdir}/python${PYTHON_BASEVERSION}/site-packages/selinux/*"
+FILES_${PN}-python = "${libdir}/python${PYTHON_BASEVERSION}/site-packages/*"
FILES_${PN}-dbg += "${libdir}/python${PYTHON_BASEVERSION}/site-packages/selinux/.debug/*"
def get_policyconfigarch(d):
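Review bot: The `FILES_${PN}-dbg` line directly under the changed glob still points only at `site-packages/selinux/.debug/*`, while the commit message says the extension module is now installed as `site-packages/_selinux.so`; if that is the 2.6 layout, the split-out debug file for it lands in `site-packages/.debug/` and is no longer matched by the -dbg entry, so it would likely fall through to another package or trip the installed-vs-shipped QA check. Widen the entry to cover both locations, e.g. `FILES_${PN}-dbg += "${libdir}/python${PYTHON_BASEVERSION}/site-packages/.debug/* ${libdir}/python${PYTHON_BASEVERSION}/site-packages/selinux/.debug/*"`. The new `site-packages/*` glob is also considerably broader than before and will absorb anything else installed into that directory, which is worth confirming against the actual install output.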
@@ -27,17 +27,12 @@ do_compile_append() {
oe_runmake pywrap -j1 \
INCLUDEDIR='${STAGING_INCDIR}' \
LIBDIR='${STAGING_LIBDIR}' \
- PYLIBVER='python${PYTHON_BASEVERSION}' \
- PYINC='-I${STAGING_INCDIR}/$(PYLIBVER)' \
- PYLIB='-L${STAGING_LIBDIR}/$(PYLIBVER) -l$(PYLIBVER)' \
- PYTHONLIBDIR='${PYLIB}'
+ PYINC='-I${STAGING_INCDIR}/python${PYTHON_BASEVERSION}'
}
do_install_append() {
oe_runmake install-pywrap swigify \
- DESTDIR=${D} \
- PYLIBVER='python${PYTHON_BASEVERSION}' \
- PYLIBDIR='${D}/${libdir}/$(PYLIBVER)'
+ PYSITEDIR=${D}${libdir}/python${PYTHON_BASEVERSION}/site-packages
rm -rf ${D}${base_sbindir}
}
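Review bot: The new `PYSITEDIR=${D}${libdir}/python${PYTHON_BASEVERSION}/site-packages` argument is passed unquoted, whereas every other make variable in these two functions (`INCLUDEDIR`, `LIBDIR`, `PYINC`) is single-quoted; the value is a path built from several bitbake variables, so for consistency and to keep the argument intact under shell word splitting it should read `PYSITEDIR='${D}${libdir}/python${PYTHON_BASEVERSION}/site-packages'`. The removal of `DESTDIR=${D}` looks intentional since `${D}` is now folded into PYSITEDIR, but a one-line comment above the oe_runmake call stating that the 2.6 Makefile takes the site dir directly would save the next uprev from re-adding it.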
diff --git a/recipes-security/selinux/libselinux/libselinux-make-O_CLOEXEC-optional.patch b/recipes-security/selinux/libselinux/libselinux-make-O_CLOEXEC-optional.patch
index 98d31cc..a041dd3 100644
--- a/recipes-security/selinux/libselinux/libselinux-make-O_CLOEXEC-optional.patch
+++ b/recipes-security/selinux/libselinux/libselinux-make-O_CLOEXEC-optional.patch
@@ -17,37 +17,18 @@ produce curious AVC Denied messages.
Uptream-Status: Inappropriate [O_CLOEXEC has been in Linux since 2007 and POSIX since 2008]
Signed-off-by: Joe MacDonald <joe.macdonald at windriver.com>
+Signed-off-by: Wenzong Fan <wenzong.fan at windriver.com>
---
- src/label_file.c | 8 +++++++-
- src/procattr.c | 8 +++++++-
- src/sestatus.c | 8 +++++++-
- src/stringrep.c | 8 +++++++-
- 4 files changed, 28 insertions(+), 4 deletions(-)
+ src/procattr.c | 16 ++++++++++++++--
+ src/sestatus.c | 8 +++++++-
+ src/stringrep.c | 8 +++++++-
+ 3 files changed, 28 insertions(+), 4 deletions(-)
-Index: libselinux-2.5/src/label_file.c
-===================================================================
---- libselinux-2.5.orig/src/label_file.c 2016-02-25 13:10:00.159980383 -0500
-+++ libselinux-2.5/src/label_file.c 2016-02-25 13:10:00.155980383 -0500
-@@ -124,7 +124,13 @@
- return -1;
- }
-
-- mmapfd = open(mmap_path, O_RDONLY | O_CLOEXEC);
-+ mmapfd = open(mmap_path, O_RDONLY
-+#ifdef O_CLOEXEC
-+ | O_CLOEXEC
-+#else
-+#warning O_CLOEXEC undefined on this platform, this may leak file descriptors
-+#endif
-+ );
- if (mmapfd < 0)
- return -1;
-
-Index: libselinux-2.5/src/procattr.c
-===================================================================
---- libselinux-2.5.orig/src/procattr.c 2016-02-25 13:10:00.159980383 -0500
-+++ libselinux-2.5/src/procattr.c 2016-02-25 13:11:58.527980013 -0500
-@@ -76,7 +76,13 @@
+diff --git a/src/procattr.c b/src/procattr.c
+index 7efcd7e..3007876 100644
+--- a/src/procattr.c
++++ b/src/procattr.c
+@@ -79,7 +79,13 @@ static int openattr(pid_t pid, const char *attr, int flags)
rc = asprintf(&path, "/proc/thread-self/attr/%s", attr);
if (rc < 0)
return -1;
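Review bot: The rebased patch drops the whole label_file.c hunk that the 2.5 version carried, and neither the patch header above the new diffstat nor this commit's message ("rebase patch") says why; a reader cannot tell whether 2.6's label_file.c no longer opens the mmap file with O_CLOEXEC at that spot, whether the change moved elsewhere, or whether the hunk was simply lost on conflict. Add a sentence to the patch description, e.g. `label_file.c hunk dropped on rebase to 2.6: <reason — placeholder>`, so the next uprev can judge it. Since the header is being touched anyway, the retained `Uptream-Status:` spelling on the context line is worth correcting to `Upstream-Status:` so status-scanning tooling picks it up.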
@@ -62,11 +43,26 @@ Index: libselinux-2.5/src/procattr.c
if (fd >= 0 || errno != ENOENT)
goto out;
free(path);
-Index: libselinux-2.5/src/sestatus.c
-===================================================================
---- libselinux-2.5.orig/src/sestatus.c 2016-02-25 13:10:00.159980383 -0500
-+++ libselinux-2.5/src/sestatus.c 2016-02-25 13:10:00.155980383 -0500
-@@ -268,7 +268,13 @@
+@@ -92,7 +98,13 @@ static int openattr(pid_t pid, const char *attr, int flags)
+ if (rc < 0)
+ return -1;
+
+- fd = open(path, flags | O_CLOEXEC);
++ fd = open(path, flags
++#ifdef O_CLOEXEC
++ | O_CLOEXEC
++#else
++#warning O_CLOEXEC undefined on this platform, this may leak file descriptors
++#endif
++ );
+ out:
+ free(path);
+ return fd;
+diff --git a/src/sestatus.c b/src/sestatus.c
+index ed29dc5..0cb15b6 100644
+--- a/src/sestatus.c
++++ b/src/sestatus.c
+@@ -268,7 +268,13 @@ int selinux_status_open(int fallback)
return -1;
snprintf(path, sizeof(path), "%s/status", selinux_mnt);
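Review bot: The added second procattr.c hunk (the `/proc/self/task/<tid>/attr` open) only emits a compile-time `#warning` on platforms without `O_CLOEXEC`, which means the descriptor onto a process's SELinux attribute file is actually left inheritable across exec there; the same pattern is used by the sestatus.c and stringrep.c hunks of this patch, whose open lines fall outside this view. Since the series already carries libselinux-define-FD_CLOEXEC-as-necessary.patch, the fallback can close the gap at runtime instead of just warning, by adding after the open and before `out:` the lines `#ifndef O_CLOEXEC` / `if (fd >= 0) fcntl(fd, F_SETFD, FD_CLOEXEC);` / `#endif` (and likewise at the other two sites). openattr() begins outside this hunk, so the surrounding declarations are not visible here.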
@@ -81,11 +77,11 @@ Index: libselinux-2.5/src/sestatus.c
if (fd < 0)
goto error;
-Index: libselinux-2.5/src/stringrep.c
-===================================================================
---- libselinux-2.5.orig/src/stringrep.c 2016-02-25 13:10:00.159980383 -0500
-+++ libselinux-2.5/src/stringrep.c 2016-02-25 13:10:00.155980383 -0500
-@@ -105,7 +105,13 @@
+diff --git a/src/stringrep.c b/src/stringrep.c
+index 2dbec2b..de2a70b 100644
+--- a/src/stringrep.c
++++ b/src/stringrep.c
+@@ -105,7 +105,13 @@ static struct discover_class_node * discover_class(const char *s)
struct stat m;
snprintf(path, sizeof path, "%s/class/%s/perms/%s", selinux_mnt,s,dentry->d_name);
@@ -100,3 +96,6 @@ Index: libselinux-2.5/src/stringrep.c
if (fd < 0)
goto err4;
+--
+2.7.4
+
diff --git a/recipes-security/selinux/libselinux/libselinux-only-mount-proc-if-necessary.patch b/recipes-security/selinux/libselinux/libselinux-only-mount-proc-if-necessary.patch
deleted file mode 100644
index ab157b6..0000000
--- a/recipes-security/selinux/libselinux/libselinux-only-mount-proc-if-necessary.patch
+++ /dev/null
@@ -1,54 +0,0 @@
-From 0d9368ee5af662a99cf123407884ba0e42053c68 Mon Sep 17 00:00:00 2001
-From: Stephen Smalley <sds at tycho.nsa.gov>
-Date: Mon, 29 Feb 2016 10:10:55 -0500
-Subject: [meta-selinux][PATCH] libselinux: only mount /proc if necessary
-
-Commit 9df498884665d ("libselinux: Mount procfs before checking
-/proc/filesystems") changed selinuxfs_exists() to always try
-mounting /proc before reading /proc/filesystems. However, this is
-unnecessary if /proc is already mounted and can produce avc denials
-if the process is not allowed to perform the mount. Check first
-to see if /proc is already present and only try the mount if it is not.
-
-Signed-off-by: Stephen Smalley <sds at tycho.nsa.gov>
----
- src/init.c | 11 +++++++++--
- 1 file changed, 9 insertions(+), 2 deletions(-)
-
-diff --git a/src/init.c b/src/init.c
-index 3db4de0..3530594 100644
---- a/src/init.c
-+++ b/src/init.c
-@@ -12,6 +12,7 @@
- #include <stdint.h>
- #include <limits.h>
- #include <sys/mount.h>
-+#include <linux/magic.h>
-
- #include "dso.h"
- #include "policy.h"
-@@ -57,13 +58,19 @@ static int verify_selinuxmnt(const char *mnt)
-
- int selinuxfs_exists(void)
- {
-- int exists = 0, mnt_rc = 0;
-+ int exists = 0, mnt_rc = -1, rc;
-+ struct statfs sb;
- FILE *fp = NULL;
- char *buf = NULL;
- size_t len;
- ssize_t num;
-
-- mnt_rc = mount("proc", "/proc", "proc", 0, 0);
-+ do {
-+ rc = statfs("/proc", &sb);
-+ } while (rc < 0 && errno == EINTR);
-+
-+ if (rc == 0 && ((uint32_t)sb.f_type != (uint32_t)PROC_SUPER_MAGIC))
-+ mnt_rc = mount("proc", "/proc", "proc", 0, 0);
-
- fp = fopen("/proc/filesystems", "r");
- if (!fp) {
---
-2.4.3
-
diff --git a/recipes-security/selinux/libselinux/libselinux-procattr-return-einval-for-0-pid.patch b/recipes-security/selinux/libselinux/libselinux-procattr-return-einval-for-0-pid.patch
deleted file mode 100644
index cfac80e..0000000
--- a/recipes-security/selinux/libselinux/libselinux-procattr-return-einval-for-0-pid.patch
+++ /dev/null
@@ -1,47 +0,0 @@
-From c7cf5d8aa061b9616bf9d5e91139ce4fb40f532c Mon Sep 17 00:00:00 2001
-From: dcashman <dcashman at android.com>
-Date: Tue, 23 Feb 2016 12:24:00 -0800
-Subject: libselinux: procattr: return einval for <= 0 pid args.
-
-getpidcon documentation does not specify that a pid of 0 refers to the
-current process, and getcon exists specifically to provide this
-functionality, and getpidcon(getpid()) would provide it as well.
-Disallow pid values <= 0 that may lead to unintended behavior in
-userspace object managers.
-
-Signed-off-by: Daniel Cashman <dcashman at android.com>
----
- src/procattr.c | 14 ++++++++++++--
- 1 file changed, 12 insertions(+), 2 deletions(-)
-
-diff --git a/src/procattr.c b/src/procattr.c
-index c20f003..eee4612 100644
---- a/src/procattr.c
-+++ b/src/procattr.c
-@@ -306,11 +306,21 @@ static int setprocattrcon(const char * context,
- #define getpidattr_def(fn, attr) \
- int get##fn##_raw(pid_t pid, char **c) \
- { \
-- return getprocattrcon_raw(c, pid, #attr); \
-+ if (pid <= 0) { \
-+ errno = EINVAL; \
-+ return -1; \
-+ } else { \
-+ return getprocattrcon_raw(c, pid, #attr); \
-+ } \
- } \
- int get##fn(pid_t pid, char **c) \
- { \
-- return getprocattrcon(c, pid, #attr); \
-+ if (pid <= 0) { \
-+ errno = EINVAL; \
-+ return -1; \
-+ } else { \
-+ return getprocattrcon(c, pid, #attr); \
-+ } \
- }
-
- all_selfattr_def(con, current)
---
-2.4.3
-
diff --git a/recipes-security/selinux/libselinux/libselinux-procattr-return-error-on-invalid-pid.patch b/recipes-security/selinux/libselinux/libselinux-procattr-return-error-on-invalid-pid.patch
deleted file mode 100644
index 0717d67..0000000
--- a/recipes-security/selinux/libselinux/libselinux-procattr-return-error-on-invalid-pid.patch
+++ /dev/null
@@ -1,40 +0,0 @@
-From f77021d720f12767576c25d751c75cacd7478614 Mon Sep 17 00:00:00 2001
-From: dcashman <dcashman at android.com>
-Date: Tue, 23 Feb 2016 12:23:59 -0800
-Subject: libselinux: procattr: return error on invalid pid_t
- input.
-
-Signed-off-by: Daniel Cashman <dcashman at android.com>
----
- src/procattr.c | 7 +++++--
- 1 file changed, 5 insertions(+), 2 deletions(-)
-
-diff --git a/src/procattr.c b/src/procattr.c
-index 527a0a5..c20f003 100644
---- a/src/procattr.c
-+++ b/src/procattr.c
-@@ -70,9 +70,9 @@ static int openattr(pid_t pid, const char *attr, int flags)
- char *path;
- pid_t tid;
-
-- if (pid > 0)
-+ if (pid > 0) {
- rc = asprintf(&path, "/proc/%d/attr/%s", pid, attr);
-- else {
-+ } else if (pid == 0) {
- rc = asprintf(&path, "/proc/thread-self/attr/%s", attr);
- if (rc < 0)
- return -1;
-@@ -82,6 +82,9 @@ static int openattr(pid_t pid, const char *attr, int flags)
- free(path);
- tid = gettid();
- rc = asprintf(&path, "/proc/self/task/%d/attr/%s", tid, attr);
-+ } else {
-+ errno = EINVAL;
-+ return -1;
- }
- if (rc < 0)
- return -1;
---
-2.4.3
-
diff --git a/recipes-security/selinux/libselinux_2.5.bb b/recipes-security/selinux/libselinux_2.6.bb
similarity index 54%
rename from recipes-security/selinux/libselinux_2.5.bb
rename to recipes-security/selinux/libselinux_2.6.bb
index 0284494..b9ad231 100644
--- a/recipes-security/selinux/libselinux_2.5.bb
+++ b/recipes-security/selinux/libselinux_2.6.bb
@@ -1,18 +1,15 @@
-include selinux_20160223.inc
+include selinux_20161014.inc
include ${BPN}.inc
LIC_FILES_CHKSUM = "file://LICENSE;md5=84b4d2c6ef954a2d4081e775a270d0d0"
-SRC_URI[md5sum] = "d1399f5c2fd2fbe0e9603d5143b30367"
-SRC_URI[sha256sum] = "94c9e97706280bedcc288f784f67f2b9d3d6136c192b2c9f812115edba58514f"
+SRC_URI[md5sum] = "0e066ba6d6e590ba4b53eed64905d901"
+SRC_URI[sha256sum] = "4ea2dde50665c202253ba5caac7738370ea0337c47b251ba981c60d24e1a118a"
SRC_URI += "\
file://libselinux-drop-Wno-unused-but-set-variable.patch \
file://libselinux-make-O_CLOEXEC-optional.patch \
file://libselinux-make-SOCK_CLOEXEC-optional.patch \
file://libselinux-define-FD_CLOEXEC-as-necessary.patch \
- file://libselinux-procattr-return-einval-for-0-pid.patch \
- file://libselinux-procattr-return-error-on-invalid-pid.patch \
- file://libselinux-only-mount-proc-if-necessary.patch \
file://0001-src-Makefile-fix-includedir-in-libselinux.pc.patch \
"
--
2.7.4