[people/ms/ipfire-3.x.git] / libselinux / patches / libselinux-rhat.patch

diff -Nur a/include/selinux/label.h b/include/selinux/label.h
--- a/include/selinux/label.h	2011-11-04 13:57:24.000000000 +0100
+++ b/include/selinux/label.h	2011-11-27 18:45:27.080551748 +0100
@@ -46,8 +46,10 @@
 #define SELABEL_OPT_PATH	3
 /* select a subset of the search space as an optimization (file backend) */
 #define SELABEL_OPT_SUBSET	4
+/* like subset, but an array of subsets */
+#define SELABEL_OPT_PREFIXES	5
 /* total number of options */
-#define SELABEL_NOPT		5
+#define SELABEL_NOPT		6
 
 /*
  * Label operations
diff -Nur a/include/selinux/selinux.h b/include/selinux/selinux.h
--- a/include/selinux/selinux.h	2011-11-04 13:57:24.000000000 +0100
+++ b/include/selinux/selinux.h	2011-11-27 18:45:27.081551748 +0100
@@ -139,7 +139,10 @@
 /* Structure for passing options, used by AVC and label subsystems */
 struct selinux_opt {
 	int type;
-	const char *value;
+	union {
+		const char *value;
+		const char **values;
+	};
 };
 
 /* Callback facilities */
@@ -410,6 +413,11 @@
    regexes that have stems that are prefixes of 'prefix'. */
 extern int matchpathcon_init_prefix(const char *path, const char *prefix);
 
+/* Same as matchpathcon_init, but only load entries with
+ * regexes that have stems that are prefixes of the 'prefixes'
+ * array of entries.  The last entry must be NULL. */
+extern int matchpathcon_init_prefixes(const char *patch, const char **prefixes);
+
 /* Free the memory allocated by matchpathcon_init. */
 extern void matchpathcon_fini(void);
 
diff -Nur a/man/man3/matchpathcon.3 b/man/man3/matchpathcon.3
--- a/man/man3/matchpathcon.3	2011-11-04 13:57:24.000000000 +0100
+++ b/man/man3/matchpathcon.3	2011-11-27 18:45:27.082551748 +0100
@@ -8,7 +8,9 @@
 
 .BI "int matchpathcon_init(const char *" path ");"
 
-.BI "int matchpathcon_init_prefix(const char *" path ", const char *" subset ");"
+.BI "int matchpathcon_init_prefix(const char *" path ", const char *" prefix ");"
+
+.BI "int matchpathcon_init_prefixes(const char *" path ", const char **" prefixes ");"
 
 .BI "int matchpathcon_fini(void);"
 .sp
@@ -50,6 +52,14 @@
 .I prefix.
 
 .sp
+.B matchpathcon_init_prefixes
+is the same as
+.B matchpathcon_init_prefix
+but takes an array of
+.I prefixes
+instead of a single prefix.  The last entry in the array must be NULL.
+
+.sp
 .B matchpathcon_fini
 frees the memory allocated by a prior call to
 .B matchpathcon_init.
diff -Nur a/man/man3/selabel_open.3 b/man/man3/selabel_open.3
--- a/man/man3/selabel_open.3	2011-11-04 13:57:24.000000000 +0100
+++ b/man/man3/selabel_open.3	2011-11-27 18:45:27.082551748 +0100
@@ -66,6 +66,13 @@
 is used; a custom validation function can be provided via
 .BR selinux_set_callback (3).
 Note that an invalid context may not be treated as an error unless it is actually encountered during a lookup operation.
+.TP
+.B SELABEL_OPT_SUBSET
+A ":" separates string of path prefixes that tell the system to only loads entries with regular expressions that could match this strings. For example "/dev:/var/run:/tmp".  This option can cause the system to use less memory and work faster, but you should only use paths that begin with a prefix.
+.TP
+.B SELABEL_OPT_PATH
+A string representing an alternate path the the regular expressions.
+.sp
 
 .SH "BACKENDS"
 
@@ -99,4 +106,3 @@
 .BR selabel_stats (3),
 .BR selinux_set_callback (3),
 .BR selinux (8)
-
diff -Nur a/src/callbacks.c b/src/callbacks.c
--- a/src/callbacks.c	2011-11-04 13:57:23.000000000 +0100
+++ b/src/callbacks.c	2011-11-27 18:45:27.083551748 +0100
@@ -16,6 +16,7 @@
 {
 	int rc;
 	va_list ap;
+	if (is_selinux_enabled() == 0) return 0;
 	va_start(ap, fmt);
 	rc = vfprintf(stderr, fmt, ap);
 	va_end(ap);
diff -Nur a/src/label_file.c b/src/label_file.c
--- a/src/label_file.c	2011-11-04 13:57:23.000000000 +0100
+++ b/src/label_file.c	2011-11-27 18:45:27.084551748 +0100
@@ -27,6 +27,7 @@
  * Internals, mostly moved over from matchpathcon.c
  */
 
+#define MAX_PREFIX 100
 /* A file security context specification. */
 typedef struct spec {
 	struct selabel_lookup_rec lr;	/* holds contexts for lookup result */
@@ -276,7 +277,7 @@
 
 
 static int process_line(struct selabel_handle *rec,
-			const char *path, const char *prefix,
+			const char *path, const char **prefix_array,
 			char *line_buf, int pass, unsigned lineno)
 {
 	int items, len;
@@ -310,12 +311,24 @@
 	}
 
 	len = get_stem_from_spec(regex);
-	if (len && prefix && strncmp(prefix, regex, len)) {
-		/* Stem of regex does not match requested prefix, discard. */
-		free(regex);
-		free(type);
-		free(context);
-		return 0;
+	if (len && prefix_array[0]) {
+		int i = 0;
+		int found = 0;
+		while (i < MAX_PREFIX && prefix_array[i]) {
+			if (strncmp(prefix_array[i], regex, len) == 0) {
+				found = 1;
+				break;
+			}
+			i++;
+		}
+
+		if (! found) {
+			/* Stem of regex does not match requested prefix, discard. */
+			free(regex);
+			free(type);
+			free(context);
+			return 0;
+		}
 	}
 
 	if (pass == 1) {
@@ -397,7 +410,8 @@
 {
 	struct saved_data *data = (struct saved_data *)rec->data;
 	const char *path = NULL;
-	const char *prefix = NULL;
+	const char *static_prefix_array[2] = {NULL, };
+	const char **prefix_array = static_prefix_array;
 	FILE *fp;
 	FILE *localfp = NULL;
 	FILE *homedirfp = NULL;
@@ -418,7 +432,10 @@
 			path = opts[n].value;
 			break;
 		case SELABEL_OPT_SUBSET:
-			prefix = opts[n].value;
+			static_prefix_array[0] = opts[n].value;
+			break;
+		case SELABEL_OPT_PREFIXES:
+			prefix_array = opts[n].values;
 			break;
 		case SELABEL_OPT_BASEONLY:
 			baseonly = !!opts[n].value;
@@ -480,7 +497,7 @@
 		while (getline(&line_buf, &line_len, fp) > 0) {
 			if (data->nspec >= maxnspec)
 				break;
-			status = process_line(rec, path, prefix, line_buf, pass, ++lineno);
+			status = process_line(rec, path, prefix_array, line_buf, pass, ++lineno);
 			if (status)
 				goto finish;
 		}
@@ -496,7 +513,7 @@
 			while (getline(&line_buf, &line_len, homedirfp) > 0) {
 				if (data->nspec >= maxnspec)
 					break;
-				status = process_line(rec, homedir_path, prefix, line_buf, pass, ++lineno);
+				status = process_line(rec, homedir_path, prefix_array, line_buf, pass, ++lineno);
 				if (status)
 					goto finish;
 			}
@@ -506,7 +523,7 @@
 			while (getline(&line_buf, &line_len, localfp) > 0) {
 				if (data->nspec >= maxnspec)
 					break;
-				status = process_line(rec, local_path, prefix, line_buf, pass, ++lineno);
+				status = process_line(rec, local_path, prefix_array, line_buf, pass, ++lineno);
 				if (status)
 					goto finish;
 			}
diff -Nur a/src/matchpathcon.c b/src/matchpathcon.c
--- a/src/matchpathcon.c	2011-11-04 13:57:23.000000000 +0100
+++ b/src/matchpathcon.c	2011-11-27 18:45:27.085551748 +0100
@@ -2,6 +2,7 @@
 #include <string.h>
 #include <errno.h>
 #include <stdio.h>
+#include <syslog.h>
 #include "selinux_internal.h"
 #include "label_internal.h"
 #include "callbacks.h"
@@ -62,7 +63,7 @@
 {
 	va_list ap;
 	va_start(ap, fmt);
-	vfprintf(stderr, fmt, ap);
+	vsyslog(LOG_ERR, fmt, ap);
 	va_end(ap);
 }
 
@@ -304,7 +305,7 @@
 		destructor_key_initialized = 1;
 }
 
-int matchpathcon_init_prefix(const char *path, const char *subset)
+int matchpathcon_init_prefixes(const char *path, const char **prefixes)
 {
 	if (!mycanoncon)
 		mycanoncon = default_canoncon;
@@ -312,15 +313,22 @@
 	__selinux_once(once, matchpathcon_init_once);
 	__selinux_setspecific(destructor_key, (void *)1);
 
-	options[SELABEL_OPT_SUBSET].type = SELABEL_OPT_SUBSET;
-	options[SELABEL_OPT_SUBSET].value = subset;
+	options[SELABEL_OPT_PREFIXES].type = SELABEL_OPT_PREFIXES;
+	options[SELABEL_OPT_PREFIXES].values = prefixes;
 	options[SELABEL_OPT_PATH].type = SELABEL_OPT_PATH;
 	options[SELABEL_OPT_PATH].value = path;
 
 	hnd = selabel_open(SELABEL_CTX_FILE, options, SELABEL_NOPT);
 	return hnd ? 0 : -1;
 }
+hidden_def(matchpathcon_init_prefixes)
 
+int matchpathcon_init_prefix(const char *path, const char *prefix)
+{
+	const char *prefixes[2] = { prefix, NULL };
+
+	return matchpathcon_init_prefixes(path, prefixes);
+}
 hidden_def(matchpathcon_init_prefix)
 
 int matchpathcon_init(const char *path)
diff -Nur a/src/selinux_internal.h b/src/selinux_internal.h
--- a/src/selinux_internal.h	2011-11-04 13:57:23.000000000 +0100
+++ b/src/selinux_internal.h	2011-11-27 18:45:27.086551748 +0100
@@ -80,6 +80,7 @@
     hidden_proto(selinux_path)
     hidden_proto(selinux_check_passwd_access)
     hidden_proto(selinux_check_securetty_context)
+    hidden_proto(matchpathcon_init_prefixes)
     hidden_proto(matchpathcon_init_prefix)
     hidden_proto(selinux_users_path)
     hidden_proto(selinux_usersconf_path);
Commit	Line	Data
9c27a234 SS	1	diff -Nur a/include/selinux/label.h b/include/selinux/label.h
	2	--- a/include/selinux/label.h 2011-11-04 13:57:24.000000000 +0100
	3	+++ b/include/selinux/label.h 2011-11-27 18:45:27.080551748 +0100
	4	@@ -46,8 +46,10 @@
	5	#define SELABEL_OPT_PATH 3
	6	/* select a subset of the search space as an optimization (file backend) */
	7	#define SELABEL_OPT_SUBSET 4
	8	+/* like subset, but an array of subsets */
	9	+#define SELABEL_OPT_PREFIXES 5
	10	/* total number of options */
	11	-#define SELABEL_NOPT 5
	12	+#define SELABEL_NOPT 6
	13
	14	/*
	15	* Label operations
	16	diff -Nur a/include/selinux/selinux.h b/include/selinux/selinux.h
	17	--- a/include/selinux/selinux.h 2011-11-04 13:57:24.000000000 +0100
	18	+++ b/include/selinux/selinux.h 2011-11-27 18:45:27.081551748 +0100
	19	@@ -139,7 +139,10 @@
	20	/* Structure for passing options, used by AVC and label subsystems */
	21	struct selinux_opt {
	22	int type;
	23	- const char *value;
	24	+ union {
	25	+ const char *value;
	26	+ const char **values;
	27	+ };
	28	};
	29
	30	/* Callback facilities */
	31	@@ -410,6 +413,11 @@
	32	regexes that have stems that are prefixes of 'prefix'. */
	33	extern int matchpathcon_init_prefix(const char path, const char prefix);
	34
	35	+/* Same as matchpathcon_init, but only load entries with
	36	+ * regexes that have stems that are prefixes of the 'prefixes'
	37	+ * array of entries. The last entry must be NULL. */
	38	+extern int matchpathcon_init_prefixes(const char patch, const char *prefixes);
	39	+
	40	/* Free the memory allocated by matchpathcon_init. */
	41	extern void matchpathcon_fini(void);
	42
	43	diff -Nur a/man/man3/matchpathcon.3 b/man/man3/matchpathcon.3
	44	--- a/man/man3/matchpathcon.3 2011-11-04 13:57:24.000000000 +0100
	45	+++ b/man/man3/matchpathcon.3 2011-11-27 18:45:27.082551748 +0100
	46	@@ -8,7 +8,9 @@
	47
	48	.BI "int matchpathcon_init(const char *" path ");"
	49
	50	-.BI "int matchpathcon_init_prefix(const char " path ", const char " subset ");"
	51	+.BI "int matchpathcon_init_prefix(const char " path ", const char " prefix ");"
	52	+
	53	+.BI "int matchpathcon_init_prefixes(const char " path ", const char *" prefixes ");"
	54
	55	.BI "int matchpathcon_fini(void);"
	56	.sp
	57	@@ -50,6 +52,14 @@
	58	.I prefix.
	59
	60	.sp
	61	+.B matchpathcon_init_prefixes
	62	+is the same as
	63	+.B matchpathcon_init_prefix
	64	+but takes an array of
65	+.I prefixes
66	+instead of a single prefix. The last entry in the array must be NULL.
67	+
68	+.sp
69	.B matchpathcon_fini
70	frees the memory allocated by a prior call to
71	.B matchpathcon_init.
72	diff -Nur a/man/man3/selabel_open.3 b/man/man3/selabel_open.3
73	--- a/man/man3/selabel_open.3 2011-11-04 13:57:24.000000000 +0100
74	+++ b/man/man3/selabel_open.3 2011-11-27 18:45:27.082551748 +0100
75	@@ -66,6 +66,13 @@
76	is used; a custom validation function can be provided via
77	.BR selinux_set_callback (3).
78	Note that an invalid context may not be treated as an error unless it is actually encountered during a lookup operation.
79	+.TP
80	+.B SELABEL_OPT_SUBSET
81	+A ":" separates string of path prefixes that tell the system to only loads entries with regular expressions that could match this strings. For example "/dev:/var/run:/tmp". This option can cause the system to use less memory and work faster, but you should only use paths that begin with a prefix.
82	+.TP
83	+.B SELABEL_OPT_PATH
84	+A string representing an alternate path the the regular expressions.
85	+.sp
86
87	.SH "BACKENDS"
88
89	@@ -99,4 +106,3 @@
90	.BR selabel_stats (3),
91	.BR selinux_set_callback (3),
92	.BR selinux (8)
93	-
94	diff -Nur a/src/callbacks.c b/src/callbacks.c
95	--- a/src/callbacks.c 2011-11-04 13:57:23.000000000 +0100
96	+++ b/src/callbacks.c 2011-11-27 18:45:27.083551748 +0100
97	@@ -16,6 +16,7 @@
98	{
99	int rc;
100	va_list ap;
101	+ if (is_selinux_enabled() == 0) return 0;
102	va_start(ap, fmt);
103	rc = vfprintf(stderr, fmt, ap);
104	va_end(ap);
105	diff -Nur a/src/label_file.c b/src/label_file.c
106	--- a/src/label_file.c 2011-11-04 13:57:23.000000000 +0100
107	+++ b/src/label_file.c 2011-11-27 18:45:27.084551748 +0100
108	@@ -27,6 +27,7 @@
109	* Internals, mostly moved over from matchpathcon.c
110	*/
111
112	+#define MAX_PREFIX 100
113	/* A file security context specification. */
114	typedef struct spec {
115	struct selabel_lookup_rec lr; /* holds contexts for lookup result */
116	@@ -276,7 +277,7 @@
117
118
119	static int process_line(struct selabel_handle *rec,
120	- const char path, const char prefix,
121	+ const char path, const char *prefix_array,
122	char *line_buf, int pass, unsigned lineno)
123	{
124	int items, len;
125	@@ -310,12 +311,24 @@
126	}
127
128	len = get_stem_from_spec(regex);
129	- if (len && prefix && strncmp(prefix, regex, len)) {
130	- /* Stem of regex does not match requested prefix, discard. */
131	- free(regex);
132	- free(type);
133	- free(context);
134	- return 0;
135	+ if (len && prefix_array[0]) {
136	+ int i = 0;
137	+ int found = 0;
138	+ while (i < MAX_PREFIX && prefix_array[i]) {
139	+ if (strncmp(prefix_array[i], regex, len) == 0) {
140	+ found = 1;
141	+ break;
142	+ }
143	+ i++;
144	+ }
145	+
146	+ if (! found) {
147	+ /* Stem of regex does not match requested prefix, discard. */
148	+ free(regex);
149	+ free(type);
150	+ free(context);
151	+ return 0;
152	+ }
153	}
154
155	if (pass == 1) {
156	@@ -397,7 +410,8 @@
157	{
158	struct saved_data data = (struct saved_data )rec->data;
159	const char *path = NULL;
160	- const char *prefix = NULL;
161	+ const char *static_prefix_array[2] = {NULL, };
162	+ const char **prefix_array = static_prefix_array;
163	FILE *fp;
164	FILE *localfp = NULL;
165	FILE *homedirfp = NULL;
166	@@ -418,7 +432,10 @@
167	path = opts[n].value;
168	break;
169	case SELABEL_OPT_SUBSET:
170	- prefix = opts[n].value;
171	+ static_prefix_array[0] = opts[n].value;
172	+ break;
173	+ case SELABEL_OPT_PREFIXES:
174	+ prefix_array = opts[n].values;
175	break;
176	case SELABEL_OPT_BASEONLY:
177	baseonly = !!opts[n].value;
178	@@ -480,7 +497,7 @@
179	while (getline(&line_buf, &line_len, fp) > 0) {
180	if (data->nspec >= maxnspec)
181	break;
182	- status = process_line(rec, path, prefix, line_buf, pass, ++lineno);
183	+ status = process_line(rec, path, prefix_array, line_buf, pass, ++lineno);
184	if (status)
185	goto finish;
186	}
187	@@ -496,7 +513,7 @@
188	while (getline(&line_buf, &line_len, homedirfp) > 0) {
189	if (data->nspec >= maxnspec)
190	break;
191	- status = process_line(rec, homedir_path, prefix, line_buf, pass, ++lineno);
192	+ status = process_line(rec, homedir_path, prefix_array, line_buf, pass, ++lineno);
193	if (status)
194	goto finish;
195	}
196	@@ -506,7 +523,7 @@
197	while (getline(&line_buf, &line_len, localfp) > 0) {
198	if (data->nspec >= maxnspec)
199	break;
200	- status = process_line(rec, local_path, prefix, line_buf, pass, ++lineno);
201	+ status = process_line(rec, local_path, prefix_array, line_buf, pass, ++lineno);
202	if (status)
203	goto finish;
204	}
205	diff -Nur a/src/matchpathcon.c b/src/matchpathcon.c
206	--- a/src/matchpathcon.c 2011-11-04 13:57:23.000000000 +0100
207	+++ b/src/matchpathcon.c 2011-11-27 18:45:27.085551748 +0100
208	@@ -2,6 +2,7 @@
209	#include <string.h>
210	#include <errno.h>
211	#include <stdio.h>
212	+#include <syslog.h>
213	#include "selinux_internal.h"
214	#include "label_internal.h"
215	#include "callbacks.h"
216	@@ -62,7 +63,7 @@
217	{
218	va_list ap;
219	va_start(ap, fmt);
220	- vfprintf(stderr, fmt, ap);
221	+ vsyslog(LOG_ERR, fmt, ap);
222	va_end(ap);
223	}
224
225	@@ -304,7 +305,7 @@
226	destructor_key_initialized = 1;
227	}
228
229	-int matchpathcon_init_prefix(const char path, const char subset)
230	+int matchpathcon_init_prefixes(const char path, const char *prefixes)
231	{
232	if (!mycanoncon)
233	mycanoncon = default_canoncon;
234	@@ -312,15 +313,22 @@
235	__selinux_once(once, matchpathcon_init_once);
236	__selinux_setspecific(destructor_key, (void *)1);
237
238	- options[SELABEL_OPT_SUBSET].type = SELABEL_OPT_SUBSET;
239	- options[SELABEL_OPT_SUBSET].value = subset;
240	+ options[SELABEL_OPT_PREFIXES].type = SELABEL_OPT_PREFIXES;
241	+ options[SELABEL_OPT_PREFIXES].values = prefixes;
242	options[SELABEL_OPT_PATH].type = SELABEL_OPT_PATH;
243	options[SELABEL_OPT_PATH].value = path;
244
245	hnd = selabel_open(SELABEL_CTX_FILE, options, SELABEL_NOPT);
246	return hnd ? 0 : -1;
247	}
248	+hidden_def(matchpathcon_init_prefixes)
249
250	+int matchpathcon_init_prefix(const char path, const char prefix)
251	+{
252	+ const char *prefixes[2] = { prefix, NULL };
253	+
254	+ return matchpathcon_init_prefixes(path, prefixes);
255	+}
256	hidden_def(matchpathcon_init_prefix)
257
258	int matchpathcon_init(const char *path)
259	diff -Nur a/src/selinux_internal.h b/src/selinux_internal.h
260	--- a/src/selinux_internal.h 2011-11-04 13:57:23.000000000 +0100
261	+++ b/src/selinux_internal.h 2011-11-27 18:45:27.086551748 +0100
262	@@ -80,6 +80,7 @@
263	hidden_proto(selinux_path)
264	hidden_proto(selinux_check_passwd_access)
265	hidden_proto(selinux_check_securetty_context)
266	+ hidden_proto(matchpathcon_init_prefixes)
267	hidden_proto(matchpathcon_init_prefix)
268	hidden_proto(selinux_users_path)
269	hidden_proto(selinux_usersconf_path);