On Thu, Oct 18, 2007 at 07:41:09PM +0900, KaiGai Kohei wrote:
>Hi,
>
>The attached patch enables relabeling the security context of
>regular files to "swapfile_t" when mkswap attempts to initialize
>a regular file as swap.
>
>The reason for this extension is that a swapfile can store memory
>regions of any process, and there is a possibility of leaking
>unintended information via swap on a regular file.
>Therefore, we have to relabel the swapfile to separate it from any
>other regular file.
>
>Thanks,
>
>P.S. Don't forget my former patch for the passwd/chpasswd applets. :-)
>-- 
>OSS Platform Development Division, NEC
>KaiGai Kohei <[EMAIL PROTECTED]>

>Index: busybox/util-linux/mkswap.c
>===================================================================
>--- busybox/util-linux/mkswap.c        (revision 20280)
>+++ busybox/util-linux/mkswap.c        (working copy)
>@@ -8,6 +8,48 @@
> 
> #include "libbb.h"
> 
>+#if ENABLE_SELINUX
>+#define SELINUX_SWAPFILE_TYPE "swapfile_t"
>+
>+static void mkswap_selinux_setcontext(int fd, const char *path)
>+{
>+      struct stat stbuf;
>+
>+      if (!is_selinux_enabled())
>+              return;
>+
>+      if (fstat(fd, &stbuf) < 0)
>+              bb_perror_msg_and_die("fstat failed");
>+      if (S_ISREG(stbuf.st_mode)) {
>+              security_context_t newcon, oldcon = NULL;
>+              context_t context;
>+
>+              if (fgetfilecon_raw(fd, &oldcon) < 0) {
>+                      if (errno != ENODATA)
>+                              goto error;
>+                      if (matchpathcon(path, stbuf.st_mode, &oldcon) < 0)
>+                              goto error;
>+              }
>+              context = context_new(oldcon);
>+              if (!context || context_type_set(context, 
>SELINUX_SWAPFILE_TYPE))
>+                      goto error;
>+              newcon = context_str(context);
>+              if (!newcon)
>+                      goto error;
>+              if (strcmp(oldcon, newcon) != 0 && fsetfilecon_raw(fd, newcon) 
>< 0)
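Review bot: the visible part of the hunk never releases what it allocates: `oldcon` comes from `fgetfilecon_raw()` or `matchpathcon()` and `context` from `context_new()`, yet neither `freecon(oldcon)` nor `context_free(context)` appears before any of the `goto error` jumps or after the `fsetfilecon_raw()` call on the last quoted line. Add both on the success path and at the `error:` label, keeping in mind that `newcon` from `context_str()` is owned by `context`, so it must be used (and compared with `strcmp(oldcon, newcon)`) before `context_free()` and must never be freed on its own. If `fsetfilecon_raw()` does not resolve against the shared libselinux, as the reply below reports, switch the get and set calls together to the public `fgetfilecon()`/`fsetfilecon()` pair rather than mixing a `_raw` read with a non-raw write.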

That didn't work out for me:
$ egrep "(hidden|fsetfilecon)" libselinux-2.0.59/src/fsetfilecon.c
int fsetfilecon_raw(int fd, security_context_t context)
hidden_def(fsetfilecon_raw)
int fsetfilecon(int fd, security_context_t context)
        ret = fsetfilecon_raw(fd, rcontext);
$ 

Strangely enough I see it in the static library but not in the dynamic one.
I've changed this to:
http://www.busybox.net/cgi-bin/viewcvs.cgi/trunk/busybox/util-linux/mkswap.c?rev=21829&r1=21005&r2=21829&makepatch=1&diff_format=u
_______________________________________________
busybox mailing list
[email protected]
http://busybox.net/cgi-bin/mailman/listinfo/busybox
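The quoted patch builds the new label with libselinux's context_new()/context_type_set()/context_str() and only calls fsetfilecon_raw() when the label actually differs from the current one. The C program below is an added example, not part of the patch or of BusyBox, that reproduces that type-field replacement on plain "user:role:type[:level]" strings so the relabel decision can be read and exercised on a host without libselinux. The function names context_with_type() and swapfile_relabel_decision(), and all sample labels, are constructed for the illustration; only SELINUX_SWAPFILE_TYPE is taken from the patch.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Taken from the quoted patch: the type a swap file should carry. */
#define SELINUX_SWAPFILE_TYPE "swapfile_t"

/*
 * Replace the type field of a SELinux context string ("user:role:type" or
 * "user:role:type:level") without libselinux.  The MLS level may itself
 * contain colons (e.g. "s0-s0:c0.c1023"), so only the first three fields
 * are parsed and everything after the type is copied through unchanged.
 *
 * Returns a newly malloc'ed string the caller frees, or NULL when the
 * context is malformed (missing or empty user, role or type field).
 * Hypothetical helper, not a libselinux API.
 */
char *context_with_type(const char *ctx, const char *newtype)
{
    const char *c1 = strchr(ctx, ':');
    const char *c2 = c1 ? strchr(c1 + 1, ':') : NULL;
    const char *type, *rest;
    size_t prefix_len;
    char *out;

    if (!c1 || !c2 || c1 == ctx || c2 == c1 + 1)
        return NULL;                /* need non-empty user and role */
    type = c2 + 1;
    if (*type == '\0' || *type == ':')
        return NULL;                /* empty type */
    rest = strchr(type, ':');       /* optional ":level", copied verbatim */
    if (!rest)
        rest = type + strlen(type);

    prefix_len = (size_t)(type - ctx);   /* "user:role:" */
    out = malloc(prefix_len + strlen(newtype) + strlen(rest) + 1);
    if (!out)
        return NULL;
    memcpy(out, ctx, prefix_len);
    strcpy(out + prefix_len, newtype);
    strcat(out, rest);
    return out;
}

/*
 * Mirror the patch's decision logic: compute the swapfile_t label and
 * report whether a relabel is needed.
 *   1  -> relabel needed, *newcon holds the new label
 *   0  -> file already carries swapfile_t, *newcon equals oldcon
 *  -1  -> oldcon malformed, *newcon is NULL
 * Hypothetical helper; in the real patch the relabel is fsetfilecon_raw().
 */
int swapfile_relabel_decision(const char *oldcon, char **newcon)
{
    *newcon = context_with_type(oldcon, SELINUX_SWAPFILE_TYPE);
    if (!*newcon)
        return -1;
    return strcmp(oldcon, *newcon) != 0;
}

int main(void)
{
    /* Constructed sample labels, not read from any real system. */
    const char *samples[] = {
        "system_u:object_r:user_home_t:s0",
        "system_u:object_r:swapfile_t:s0",
        "system_u:object_r:etc_t:s0-s0:c0.c1023",
        "not-a-context",
    };
    size_t i;

    for (i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        char *newcon;
        int rc = swapfile_relabel_decision(samples[i], &newcon);
        printf("%-42s -> %s (%s)\n", samples[i],
               newcon ? newcon : "(malformed)",
               rc < 0 ? "error" : rc ? "relabel" : "unchanged");
        free(newcon);               /* free(NULL) is a no-op */
    }
    return 0;
}
```

Only the user, role and type fields are parsed; whatever follows the type (the MLS/MCS level, colons included) is copied through, which is the same effect context_type_set() has on a real context.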