Hi,

The attached patch enables relabeling the security context of
regular files to "swapfile_t" when mkswap attempts to initialize
a regular file as swap.

The reason for this extension is that a swapfile can store memory
regions of any process, so there is a possibility of leaking
unintended information through a regular file used as swap.
Therefore, we have to relabel the swapfile to separate it from all
other regular files.

Thanks,

P.S  Don't forget my former patch for passwd/chpasswd applets. :-)
-- 
OSS Platform Development Division, NEC
KaiGai Kohei <[EMAIL PROTECTED]>
Index: busybox/util-linux/mkswap.c
===================================================================
--- busybox/util-linux/mkswap.c	(revision 20280)
+++ busybox/util-linux/mkswap.c	(working copy)
@@ -8,6 +8,48 @@
 
 #include "libbb.h"
 
+#if ENABLE_SELINUX
+#define SELINUX_SWAPFILE_TYPE	"swapfile_t"
+
+static void mkswap_selinux_setcontext(int fd, const char *path)
+{
+	struct stat stbuf;
+
+	if (!is_selinux_enabled())
+		return;
+
+	if (fstat(fd, &stbuf) < 0)
+		bb_perror_msg_and_die("fstat failed");
+	if (S_ISREG(stbuf.st_mode)) {
+		security_context_t newcon, oldcon = NULL;
+		context_t context;
+
+		if (fgetfilecon_raw(fd, &oldcon) < 0) {
+			if (errno != ENODATA)
+				goto error;
+			if (matchpathcon(path, stbuf.st_mode, &oldcon) < 0)
+				goto error;
+		}
+		context = context_new(oldcon);
+		if (!context || context_type_set(context, SELINUX_SWAPFILE_TYPE))
+			goto error;
+		newcon = context_str(context);
+		if (!newcon)
+			goto error;
+		if (strcmp(oldcon, newcon) != 0 && fsetfilecon_raw(fd, newcon) < 0)
+			goto error;
+		if (ENABLE_FEATURE_CLEAN_UP) {
+			context_free(context);
+			freecon(oldcon);
+		}
+	}
+	return;
+error:
+	bb_perror_msg_and_die("SELinux relabeling failed");
+}
+#else
+#define mkswap_selinux_setcontext(fd, path)
+#endif
 int mkswap_main(int argc, char **argv) MAIN_EXTERNALLY_VISIBLE;
 int mkswap_main(int argc, char **argv)
 {
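Review bot: Only ENODATA is tolerated when fgetfilecon_raw() fails, so on a filesystem that cannot carry labels at all the call presumably fails with EOPNOTSUPP and mkswap dies with "SELinux relabeling failed" although there is nothing to relabel (fsetfilecon_raw() would fail the same way there); bailing out quietly before the ENODATA test, `if (errno == EOPNOTSUPP) return;`, keeps mkswap usable on such filesystems with SELinux enabled. The rationale given in the cover letter is absent from the code; a header comment such as `/* A regular file used as swap receives pages of arbitrary processes; label it swapfile_t so policy can keep it apart from ordinary files. */` above mkswap_selinux_setcontext() would preserve it. The error label uses bb_perror_msg_and_die(), but a failure of context_new()/context_type_set()/context_str() may leave errno untouched, so the strerror text printed there can be stale; a plain bb_error_msg_and_die() for those branches would be less misleading. The no-SELinux stub `#define mkswap_selinux_setcontext(fd, path)` expands to nothing, leaving the call site as an empty statement; `((void)0)` would be the conventional form. mkswap_main() continues past the end of this hunk.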
@@ -26,6 +68,7 @@
 	pagesize = getpagesize();
 	printf("Setting up swapspace version 1, size = %"OFF_FMT"d bytes\n",
 			len - pagesize);
+	mkswap_selinux_setcontext(fd, argv[1]);
 
 	// Make a header.
 
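Review bot: argv[1] is handed to mkswap_selinux_setcontext() unchanged, and its matchpathcon() fallback matches the path against file_contexts specs, which are written for absolute paths; a relative path therefore presumably gets no match when the file carries no label yet, and mkswap dies instead of falling back to a default context. Resolving the argument first, e.g. with busybox's xmalloc_realpath() or realpath(3), before passing it would make the fallback work regardless of how the file was named on the command line. The call is also made before the swap header is written, so a later write failure leaves the file labeled swapfile_t without being valid swap; this is probably acceptable but worth a one-line comment at the call site. mkswap_main() starts and ends outside this hunk.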