Script 'mail_helper' called by obssrc
Hello community,
here is the log from the commit of package libselinux for openSUSE:Factory
checked in at 2024-07-12 17:04:25
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/libselinux (Old)
and /work/SRC/openSUSE:Factory/.libselinux.new.17339 (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "libselinux"
Fri Jul 12 17:04:25 2024 rev:79 rq:1186963 version:3.7
Changes:
--------
--- /work/SRC/openSUSE:Factory/libselinux/libselinux-bindings.changes
2024-01-08 23:43:50.099198946 +0100
+++
/work/SRC/openSUSE:Factory/.libselinux.new.17339/libselinux-bindings.changes
2024-07-12 17:04:35.948021609 +0200
@@ -1,0 +2,22 @@
+Mon Jul 1 07:53:14 UTC 2024 - Cathy Hu <[email protected]>
+
+- Update to version 3.7
+ https://github.com/SELinuxProject/selinux/releases/tag/3.7
+ * User-visible changes
+ * libselinux/utils/selabel_digest: drop unsupported option -d
+ * libselinux/utils: improve compute_av output
+ * libselinux: fail selabel_open(3) on invalid option
+ * Improved man pages
+ * Improvements
+ * libselinux, libsepol: Add CFLAGS and LDFLAGS to Makefile checks
+ * libselinux: enable usage with pedantic UB sanitizers
+ * libselinux: support huge passwd/group entries
+ * Bugfixes:
+ * libselinux/utils/selabel_digest: avoid buffer overflow
+ * libselinux: avoid pointer dereference before check
+ * libselinux/utils/selabel_digest: pass BASEONLY only for file backend
+ * libselinux: free empty scandir(3) result
+ * libselinux: free data on selabel open failure
+ * libselinux: use reentrant strtok_r(3)
+
+-------------------------------------------------------------------
--- /work/SRC/openSUSE:Factory/libselinux/libselinux.changes 2024-01-08
23:43:50.139200400 +0100
+++ /work/SRC/openSUSE:Factory/.libselinux.new.17339/libselinux.changes
2024-07-12 17:04:36.052025431 +0200
@@ -1,0 +2,29 @@
+Thu Jul 11 19:47:41 UTC 2024 - Cathy Hu <[email protected]>
+
+- Fix segfault caused by upstream changes in selabel_open():
+ libselinux-set-free-d-data-to-NULL.patch
+ Can be removed once it is upstream.
+
+-------------------------------------------------------------------
+Mon Jul 1 07:53:14 UTC 2024 - Cathy Hu <[email protected]>
+
+- Update to version 3.7
+ https://github.com/SELinuxProject/selinux/releases/tag/3.7
+ * User-visible changes
+ * libselinux/utils/selabel_digest: drop unsupported option -d
+ * libselinux/utils: improve compute_av output
+ * libselinux: fail selabel_open(3) on invalid option
+ * Improved man pages
+ * Improvements
+ * libselinux, libsepol: Add CFLAGS and LDFLAGS to Makefile checks
+ * libselinux: enable usage with pedantic UB sanitizers
+ * libselinux: support huge passwd/group entries
+ * Bugfixes:
+ * libselinux/utils/selabel_digest: avoid buffer overflow
+ * libselinux: avoid pointer dereference before check
+ * libselinux/utils/selabel_digest: pass BASEONLY only for file backend
+ * libselinux: free empty scandir(3) result
+ * libselinux: free data on selabel open failure
+ * libselinux: use reentrant strtok_r(3)
+
+-------------------------------------------------------------------
Old:
----
libselinux-3.6.tar.gz
libselinux-3.6.tar.gz.asc
New:
----
libselinux-3.7.tar.gz
libselinux-3.7.tar.gz.asc
libselinux-set-free-d-data-to-NULL.patch
BETA DEBUG BEGIN:
New:/work/SRC/openSUSE:Factory/.libselinux.new.17339/libselinux.changes-- Fix
segfault caused by upstream changes in selabel_open():
/work/SRC/openSUSE:Factory/.libselinux.new.17339/libselinux.changes:
libselinux-set-free-d-data-to-NULL.patch
/work/SRC/openSUSE:Factory/.libselinux.new.17339/libselinux.changes- Can be
removed once it is upstream.
BETA DEBUG END:
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Other differences:
------------------
++++++ libselinux-bindings.spec ++++++
--- /var/tmp/diff_new_pack.BzdPd8/_old 2024-07-12 17:04:36.964058940 +0200
+++ /var/tmp/diff_new_pack.BzdPd8/_new 2024-07-12 17:04:36.964058940 +0200
@@ -1,7 +1,7 @@
#
# spec file for package libselinux-bindings
#
-# Copyright (c) 2023 SUSE LLC
+# Copyright (c) 2024 SUSE LLC
#
# All modifications and additions to the file contributed by third parties
# remain the property of their copyright owners, unless otherwise agreed
@@ -18,10 +18,10 @@
%{?sle15allpythons}
%define python_subpackage_only 1
-%define libsepol_ver 3.6
+%define libsepol_ver 3.7
%define upname libselinux
Name: libselinux-bindings
-Version: 3.6
+Version: 3.7
Release: 0
Summary: SELinux runtime library and utilities
License: SUSE-Public-Domain
++++++ libselinux.spec ++++++
--- /var/tmp/diff_new_pack.BzdPd8/_old 2024-07-12 17:04:36.996060116 +0200
+++ /var/tmp/diff_new_pack.BzdPd8/_new 2024-07-12 17:04:37.000060263 +0200
@@ -1,7 +1,7 @@
#
# spec file for package libselinux
#
-# Copyright (c) 2023 SUSE LLC
+# Copyright (c) 2024 SUSE LLC
#
# All modifications and additions to the file contributed by third parties
# remain the property of their copyright owners, unless otherwise agreed
@@ -16,9 +16,9 @@
#
-%define libsepol_ver 3.6
+%define libsepol_ver 3.7
Name: libselinux
-Version: 3.6
+Version: 3.7
Release: 0
Summary: SELinux runtime library and utilities
License: SUSE-Public-Domain
@@ -36,6 +36,9 @@
# Make linking working even when default pkg-config doesnât provide
-lpython<ver>
Patch6: python3.8-compat.patch
Patch7: swig4_moduleimport.patch
+# Fixes segfault in 3.7, please remove once this is upstream:
+#
https://lore.kernel.org/selinux/cap+jozqcu0srfss921ew42ohxsaqrygits56_h9j2yfw0cy...@mail.gmail.com/T/#t
+Patch8: libselinux-set-free-d-data-to-NULL.patch
BuildRequires: fdupes
BuildRequires: libsepol-devel >= %{libsepol_ver}
BuildRequires: libsepol-devel-static >= %{libsepol_ver}
++++++ libselinux-3.6.tar.gz -> libselinux-3.7.tar.gz ++++++
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/libselinux-3.6/VERSION new/libselinux-3.7/VERSION
--- old/libselinux-3.6/VERSION 2023-12-13 15:46:22.000000000 +0100
+++ new/libselinux-3.7/VERSION 2024-06-26 17:30:41.000000000 +0200
@@ -1 +1 @@
-3.6
+3.7
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/libselinux-3.6/include/selinux/avc.h
new/libselinux-3.7/include/selinux/avc.h
--- old/libselinux-3.6/include/selinux/avc.h 2023-12-13 15:46:22.000000000
+0100
+++ new/libselinux-3.7/include/selinux/avc.h 2024-06-26 17:30:41.000000000
+0200
@@ -215,7 +215,7 @@
* is set to "avc" and any callbacks desired should be specified via
* selinux_set_callback(). Available options are listed above.
*/
-extern int avc_open(struct selinux_opt *opts, unsigned nopts);
+extern int avc_open(const struct selinux_opt *opts, unsigned nopts);
/**
* avc_cleanup - Remove unused SIDs and AVC entries.
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/libselinux-3.6/include/selinux/selinux.h
new/libselinux-3.7/include/selinux/selinux.h
--- old/libselinux-3.6/include/selinux/selinux.h 2023-12-13
15:46:22.000000000 +0100
+++ new/libselinux-3.7/include/selinux/selinux.h 2024-06-26
17:30:41.000000000 +0200
@@ -413,7 +413,7 @@
* starting at 1, and have one security_class_mapping structure entry
* per define.
*/
-extern int selinux_set_mapping(struct security_class_mapping *map);
+extern int selinux_set_mapping(const struct security_class_mapping *map);
/* Common helpers */
@@ -443,7 +443,11 @@
/* Set the function used by matchpathcon_init when displaying
errors about the file_contexts configuration. If not set,
then this defaults to fprintf(stderr, fmt, ...). */
-extern void set_matchpathcon_printf(void (*f) (const char *fmt, ...));
+extern void set_matchpathcon_printf(void
+#ifdef __GNUC__
+ __attribute__ ((format(printf, 1, 2)))
+#endif
+ (*f) (const char *fmt, ...));
/* Set the function used by matchpathcon_init when checking the
validity of a context in the file contexts configuration. If not set,
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/libselinux-3.6/man/man3/avc_context_to_sid.3
new/libselinux-3.7/man/man3/avc_context_to_sid.3
--- old/libselinux-3.6/man/man3/avc_context_to_sid.3 2023-12-13
15:46:22.000000000 +0100
+++ new/libselinux-3.7/man/man3/avc_context_to_sid.3 2024-06-26
17:30:41.000000000 +0200
@@ -10,7 +10,7 @@
.br
.B #include <selinux/avc.h>
.sp
-.BI "int avc_context_to_sid(char *" ctx ", security_id_t *" sid ");"
+.BI "int avc_context_to_sid(const char *" ctx ", security_id_t *" sid ");"
.sp
.BI "int avc_sid_to_context(security_id_t " sid ", char **" ctx ");"
.sp
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/libselinux-3.6/man/man3/avc_open.3
new/libselinux-3.7/man/man3/avc_open.3
--- old/libselinux-3.6/man/man3/avc_open.3 2023-12-13 15:46:22.000000000
+0100
+++ new/libselinux-3.7/man/man3/avc_open.3 2024-06-26 17:30:41.000000000
+0200
@@ -10,7 +10,7 @@
.br
.B #include <selinux/avc.h>
.sp
-.BI "int avc_open(struct selinux_opt *" options ", unsigned " nopt ");"
+.BI "int avc_open(const struct selinux_opt *" options ", unsigned " nopt ");"
.sp
.BI "void avc_destroy(void);"
.sp
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/libselinux-3.6/man/man3/getfscreatecon.3
new/libselinux-3.7/man/man3/getfscreatecon.3
--- old/libselinux-3.6/man/man3/getfscreatecon.3 2023-12-13
15:46:22.000000000 +0100
+++ new/libselinux-3.7/man/man3/getfscreatecon.3 2024-06-26
17:30:41.000000000 +0200
@@ -9,9 +9,9 @@
.sp
.BI "int getfscreatecon_raw(char **" con );
.sp
-.BI "int setfscreatecon(char *" context );
+.BI "int setfscreatecon(const char *" context );
.sp
-.BI "int setfscreatecon_raw(char *" context );
+.BI "int setfscreatecon_raw(const char *" context );
.
.SH "DESCRIPTION"
.BR getfscreatecon ()
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/libselinux-3.6/man/man3/getkeycreatecon.3
new/libselinux-3.7/man/man3/getkeycreatecon.3
--- old/libselinux-3.6/man/man3/getkeycreatecon.3 2023-12-13
15:46:22.000000000 +0100
+++ new/libselinux-3.7/man/man3/getkeycreatecon.3 2024-06-26
17:30:41.000000000 +0200
@@ -9,9 +9,9 @@
.sp
.BI "int getkeycreatecon_raw(char **" con );
.sp
-.BI "int setkeycreatecon(char *" context );
+.BI "int setkeycreatecon(const char *" context );
.sp
-.BI "int setkeycreatecon_raw(char *" context );
+.BI "int setkeycreatecon_raw(const char *" context );
.
.SH "DESCRIPTION"
.BR getkeycreatecon ()
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/libselinux-3.6/man/man3/getsockcreatecon.3
new/libselinux-3.7/man/man3/getsockcreatecon.3
--- old/libselinux-3.6/man/man3/getsockcreatecon.3 2023-12-13
15:46:22.000000000 +0100
+++ new/libselinux-3.7/man/man3/getsockcreatecon.3 2024-06-26
17:30:41.000000000 +0200
@@ -9,9 +9,9 @@
.sp
.BI "int getsockcreatecon_raw(char **" con );
.sp
-.BI "int setsockcreatecon(char *" context );
+.BI "int setsockcreatecon(const char *" context );
.sp
-.BI "int setsockcreatecon_raw(char *" context );
+.BI "int setsockcreatecon_raw(const char *" context );
.
.SH "DESCRIPTION"
.BR getsockcreatecon ()
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/libselinux-3.6/man/man3/init_selinuxmnt.3
new/libselinux-3.7/man/man3/init_selinuxmnt.3
--- old/libselinux-3.6/man/man3/init_selinuxmnt.3 2023-12-13
15:46:22.000000000 +0100
+++ new/libselinux-3.7/man/man3/init_selinuxmnt.3 2024-06-26
17:30:41.000000000 +0200
@@ -7,7 +7,7 @@
.sp
.BI "static void fini_selinuxmnt(void);"
.sp
-.BI "void set_selinuxmnt(char *" mnt ");"
+.BI "void set_selinuxmnt(const char *" mnt ");"
.
.SH "DESCRIPTION"
.BR init_selinuxmnt ()
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/libselinux-3.6/man/man3/is_context_customizable.3
new/libselinux-3.7/man/man3/is_context_customizable.3
--- old/libselinux-3.6/man/man3/is_context_customizable.3 2023-12-13
15:46:22.000000000 +0100
+++ new/libselinux-3.7/man/man3/is_context_customizable.3 2024-06-26
17:30:41.000000000 +0200
@@ -5,7 +5,7 @@
.SH "SYNOPSIS"
.B #include <selinux/selinux.h>
.sp
-.BI "int is_context_customizable(char *" scon );
+.BI "int is_context_customizable(const char *" scon );
.
.SH "DESCRIPTION"
This function checks whether the type of scon is in the
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/libselinux-3.6/man/man3/is_selinux_enabled.3
new/libselinux-3.7/man/man3/is_selinux_enabled.3
--- old/libselinux-3.6/man/man3/is_selinux_enabled.3 2023-12-13
15:46:22.000000000 +0100
+++ new/libselinux-3.7/man/man3/is_selinux_enabled.3 2024-06-26
17:30:41.000000000 +0200
@@ -8,9 +8,9 @@
.SH "SYNOPSIS"
.B #include <selinux/selinux.h>
.sp
-.B int is_selinux_enabled();
+.B int is_selinux_enabled(void);
.sp
-.B int is_selinux_mls_enabled();
+.B int is_selinux_mls_enabled(void);
.
.SH "DESCRIPTION"
.BR is_selinux_enabled ()
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/libselinux-3.6/man/man3/security_policyvers.3
new/libselinux-3.7/man/man3/security_policyvers.3
--- old/libselinux-3.6/man/man3/security_policyvers.3 2023-12-13
15:46:22.000000000 +0100
+++ new/libselinux-3.7/man/man3/security_policyvers.3 2024-06-26
17:30:41.000000000 +0200
@@ -4,7 +4,7 @@
.SH "SYNOPSIS"
.B #include <selinux/selinux.h>
.sp
-.B int security_policyvers();
+.B int security_policyvers(void);
.
.SH "DESCRIPTION"
.BR security_policyvers ()
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/libselinux-3.6/man/man3/security_validatetrans.3
new/libselinux-3.7/man/man3/security_validatetrans.3
--- old/libselinux-3.6/man/man3/security_validatetrans.3 1970-01-01
01:00:00.000000000 +0100
+++ new/libselinux-3.7/man/man3/security_validatetrans.3 2024-06-26
17:30:41.000000000 +0200
@@ -0,0 +1 @@
+.so man3/security_compute_av.3
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/libselinux-3.6/man/man3/security_validatetrans.c
new/libselinux-3.7/man/man3/security_validatetrans.c
--- old/libselinux-3.6/man/man3/security_validatetrans.c 2023-12-13
15:46:22.000000000 +0100
+++ new/libselinux-3.7/man/man3/security_validatetrans.c 1970-01-01
01:00:00.000000000 +0100
@@ -1 +0,0 @@
-.so man3/security_compute_av.3
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/libselinux-3.6/man/man3/security_validatetrans_raw.3
new/libselinux-3.7/man/man3/security_validatetrans_raw.3
--- old/libselinux-3.6/man/man3/security_validatetrans_raw.3 1970-01-01
01:00:00.000000000 +0100
+++ new/libselinux-3.7/man/man3/security_validatetrans_raw.3 2024-06-26
17:30:41.000000000 +0200
@@ -0,0 +1 @@
+.so man3/security_compute_av.3
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/libselinux-3.6/man/man3/security_validatetrans_raw.c
new/libselinux-3.7/man/man3/security_validatetrans_raw.c
--- old/libselinux-3.6/man/man3/security_validatetrans_raw.c 2023-12-13
15:46:22.000000000 +0100
+++ new/libselinux-3.7/man/man3/security_validatetrans_raw.c 1970-01-01
01:00:00.000000000 +0100
@@ -1 +0,0 @@
-.so man3/security_compute_av.3
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/libselinux-3.6/man/man3/selabel_lookup.3
new/libselinux-3.7/man/man3/selabel_lookup.3
--- old/libselinux-3.6/man/man3/selabel_lookup.3 2023-12-13
15:46:22.000000000 +0100
+++ new/libselinux-3.7/man/man3/selabel_lookup.3 2024-06-26
17:30:41.000000000 +0200
@@ -64,7 +64,8 @@
.I key
and/or
.I type
-inputs are invalid, or the context being returned failed validation.
+inputs are invalid, or the context being returned failed validation, or a
+regular expression in the database failed to compile.
.TP
.B ENOMEM
An attempt to allocate memory failed.
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/libselinux-3.6/man/man3/selabel_lookup_best_match.3
new/libselinux-3.7/man/man3/selabel_lookup_best_match.3
--- old/libselinux-3.6/man/man3/selabel_lookup_best_match.3 2023-12-13
15:46:22.000000000 +0100
+++ new/libselinux-3.7/man/man3/selabel_lookup_best_match.3 2024-06-26
17:30:41.000000000 +0200
@@ -78,7 +78,8 @@
.I key
and/or
.I type
-inputs are invalid, or the context being returned failed validation.
+inputs are invalid, or the context being returned failed validation, or a
+regular expression in the database failed to compile.
.TP
.B ENOMEM
An attempt to allocate memory failed.
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore'
old/libselinux-3.6/man/man3/selinux_check_securetty_context.3
new/libselinux-3.7/man/man3/selinux_check_securetty_context.3
--- old/libselinux-3.6/man/man3/selinux_check_securetty_context.3
2023-12-13 15:46:22.000000000 +0100
+++ new/libselinux-3.7/man/man3/selinux_check_securetty_context.3
2024-06-26 17:30:41.000000000 +0200
@@ -5,12 +5,12 @@
.SH "SYNOPSIS"
.B #include <selinux/selinux.h>
.sp
-.BI "int selinux_check_securetty_context(char *" tty_context );
+.BI "int selinux_check_securetty_context(const char *" tty_context );
.
.SH "DESCRIPTION"
.BR selinux_check_securetty_context ()
returns 0 if tty_context is a securetty context,
-returns < 0 otherwise.
+returns < 0 otherwise.
.
.SH "SEE ALSO"
.BR selinux "(8)"
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore'
old/libselinux-3.6/man/man3/selinux_raw_context_to_color.3
new/libselinux-3.7/man/man3/selinux_raw_context_to_color.3
--- old/libselinux-3.6/man/man3/selinux_raw_context_to_color.3 2023-12-13
15:46:22.000000000 +0100
+++ new/libselinux-3.7/man/man3/selinux_raw_context_to_color.3 2024-06-26
17:30:41.000000000 +0200
@@ -5,7 +5,7 @@
.SH "SYNOPSIS"
.B #include <selinux/selinux.h>
.sp
-.BI "int selinux_raw_context_to_color(char *" raw ", "
+.BI "int selinux_raw_context_to_color(const char *" raw ", "
.RS
.BI "char **" color_str ");"
.RE
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/libselinux-3.6/man/man3/selinux_set_mapping.3
new/libselinux-3.7/man/man3/selinux_set_mapping.3
--- old/libselinux-3.6/man/man3/selinux_set_mapping.3 2023-12-13
15:46:22.000000000 +0100
+++ new/libselinux-3.7/man/man3/selinux_set_mapping.3 2024-06-26
17:30:41.000000000 +0200
@@ -15,7 +15,7 @@
};
.fi
.sp
-.BI "int selinux_set_mapping(struct security_class_mapping *" map ");"
+.BI "int selinux_set_mapping(const struct security_class_mapping *" map ");"
.
.SH "DESCRIPTION"
.BR selinux_set_mapping ()
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/libselinux-3.6/src/Makefile
new/libselinux-3.7/src/Makefile
--- old/libselinux-3.6/src/Makefile 2023-12-13 15:46:22.000000000 +0100
+++ new/libselinux-3.7/src/Makefile 2024-06-26 17:30:41.000000000 +0200
@@ -104,13 +104,13 @@
# check for strlcpy(3) availability
H := \#
-ifeq (yes,$(shell printf '${H}include <string.h>\nint
main(void){char*d,*s;strlcpy(d, s, 0);return 0;}' | $(CC) -x c -o /dev/null -
>/dev/null 2>&1 && echo yes))
+ifeq (yes,$(shell printf '${H}include <string.h>\nint main(void){char
d[2];const char *s="a";return (size_t)strlcpy(d,s,sizeof(d))>=sizeof(d);}' |
$(CC) $(CFLAGS) $(LDFLAGS) -x c -o /dev/null - >/dev/null 2>&1 && echo yes))
override CFLAGS += -DHAVE_STRLCPY
endif
# check for reallocarray(3) availability
H := \#
-ifeq (yes,$(shell printf '${H}include <stdlib.h>\nint
main(void){reallocarray(NULL, 0, 0);return 0;}' | $(CC) -x c -o /dev/null -
>/dev/null 2>&1 && echo yes))
+ifeq (yes,$(shell printf '${H}include <stdlib.h>\nint main(void){return
reallocarray(NULL,0,0)==NULL;}' | $(CC) $(CFLAGS) $(LDFLAGS) -x c -o /dev/null
- >/dev/null 2>&1 && echo yes))
override CFLAGS += -DHAVE_REALLOCARRAY
endif
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/libselinux-3.6/src/audit2why.c
new/libselinux-3.7/src/audit2why.c
--- old/libselinux-3.6/src/audit2why.c 2023-12-13 15:46:22.000000000 +0100
+++ new/libselinux-3.7/src/audit2why.c 2024-06-26 17:30:41.000000000 +0200
@@ -148,7 +148,7 @@
sepol_bool_free(boolean);
if (fcnt > 0) {
- *bools = calloc(sizeof(struct boolean_t), fcnt + 1);
+ *bools = calloc(fcnt + 1, sizeof(struct boolean_t));
if (!*bools) {
PyErr_SetString( PyExc_MemoryError, "Out of memory\n");
free(foundlist);
@@ -226,7 +226,7 @@
return 1;
}
- avc = calloc(sizeof(struct avc_t), 1);
+ avc = calloc(1, sizeof(struct avc_t));
if (!avc) {
PyErr_SetString( PyExc_MemoryError, "Out of memory\n");
fclose(fp);
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/libselinux-3.6/src/avc.c new/libselinux-3.7/src/avc.c
--- old/libselinux-3.6/src/avc.c 2023-12-13 15:46:22.000000000 +0100
+++ new/libselinux-3.7/src/avc.c 2024-06-26 17:30:41.000000000 +0200
@@ -225,17 +225,19 @@
return rc;
}
-int avc_open(struct selinux_opt *opts, unsigned nopts)
+int avc_open(const struct selinux_opt *opts, unsigned nopts)
{
avc_setenforce = 0;
- while (nopts--)
+ while (nopts) {
+ nopts--;
switch(opts[nopts].type) {
case AVC_OPT_SETENFORCE:
avc_setenforce = 1;
avc_enforcing = !!opts[nopts].value;
break;
}
+ }
return avc_init_internal("avc", NULL, NULL, NULL, NULL);
}
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/libselinux-3.6/src/avc_sidtab.c
new/libselinux-3.7/src/avc_sidtab.c
--- old/libselinux-3.6/src/avc_sidtab.c 2023-12-13 15:46:22.000000000 +0100
+++ new/libselinux-3.7/src/avc_sidtab.c 2024-06-26 17:30:41.000000000 +0200
@@ -13,6 +13,7 @@
#include "avc_sidtab.h"
#include "avc_internal.h"
+ignore_unsigned_overflow_
static inline unsigned sidtab_hash(const char * key)
{
unsigned int hash = 5381;
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/libselinux-3.6/src/booleans.c
new/libselinux-3.7/src/booleans.c
--- old/libselinux-3.6/src/booleans.c 2023-12-13 15:46:22.000000000 +0100
+++ new/libselinux-3.7/src/booleans.c 2024-06-26 17:30:41.000000000 +0200
@@ -53,7 +53,11 @@
snprintf(path, sizeof path, "%s%s", selinux_mnt, SELINUX_BOOL_DIR);
*len = scandir(path, &namelist, &filename_select, alphasort);
- if (*len <= 0) {
+ if (*len < 0) {
+ return -1;
+ }
+ if (*len == 0) {
+ free(namelist);
errno = ENOENT;
return -1;
}
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/libselinux-3.6/src/get_context_list.c
new/libselinux-3.7/src/get_context_list.c
--- old/libselinux-3.6/src/get_context_list.c 2023-12-13 15:46:22.000000000
+0100
+++ new/libselinux-3.7/src/get_context_list.c 2024-06-26 17:30:41.000000000
+0200
@@ -7,7 +7,9 @@
#include <string.h>
#include <ctype.h>
#include <pwd.h>
+
#include "selinux_internal.h"
+#include "callbacks.h"
#include "context_internal.h"
#include "get_context_list_internal.h"
@@ -128,7 +130,7 @@
}
static int get_context_user(FILE * fp,
- const char * fromcon,
+ context_t fromcon,
const char * user,
char ***reachable,
unsigned int *nreachable)
@@ -144,7 +146,6 @@
char **new_reachable = NULL;
char *usercon_str;
const char *usercon_str2;
- context_t con;
context_t usercon;
int rc;
@@ -153,14 +154,10 @@
/* Extract the role and type of the fromcon for matching.
User identity and MLS range can be variable. */
- con = context_new(fromcon);
- if (!con)
- return -1;
- fromrole = context_role_get(con);
- fromtype = context_type_get(con);
- fromlevel = context_range_get(con);
+ fromrole = context_role_get(fromcon);
+ fromtype = context_type_get(fromcon);
+ fromlevel = context_range_get(fromcon);
if (!fromrole || !fromtype) {
- context_free(con);
return -1;
}
@@ -224,7 +221,7 @@
/* Check whether a new context is valid */
if (SIZE_MAX - user_len < strlen(start) + 2) {
- fprintf(stderr, "%s: one of partial contexts is too
big\n", __FUNCTION__);
+ selinux_log(SELINUX_ERROR, "%s: one of partial contexts
is too big\n", __FUNCTION__);
errno = EINVAL;
rc = -1;
goto out;
@@ -245,7 +242,7 @@
rc = -1;
goto out;
}
- fprintf(stderr,
+ selinux_log(SELINUX_ERROR,
"%s: can't create a context from %s,
skipping\n",
__FUNCTION__, usercon_str);
free(usercon_str);
@@ -294,7 +291,6 @@
rc = 0;
out:
- context_free(con);
free(line);
return rc;
}
@@ -416,6 +412,7 @@
char *fname = NULL;
size_t fname_len;
const char *user_contexts_path = selinux_user_contexts_path();
+ context_t con = NULL;
if (!fromcon) {
/* Get the current context and use it for the starting context
*/
@@ -425,6 +422,10 @@
fromcon = backup_fromcon;
}
+ con = context_new(fromcon);
+ if (!con)
+ goto failsafe;
+
/* Determine the ordering to apply from the optional per-user config
and from the global config. */
fname_len = strlen(user_contexts_path) + strlen(user) + 2;
@@ -435,11 +436,11 @@
fp = fopen(fname, "re");
if (fp) {
__fsetlocking(fp, FSETLOCKING_BYCALLER);
- rc = get_context_user(fp, fromcon, user, &reachable,
&nreachable);
+ rc = get_context_user(fp, con, user, &reachable, &nreachable);
fclose(fp);
if (rc < 0 && errno != ENOENT) {
- fprintf(stderr,
+ selinux_log(SELINUX_ERROR,
"%s: error in processing configuration file
%s\n",
__FUNCTION__, fname);
/* Fall through, try global config */
@@ -449,10 +450,10 @@
fp = fopen(selinux_default_context_path(), "re");
if (fp) {
__fsetlocking(fp, FSETLOCKING_BYCALLER);
- rc = get_context_user(fp, fromcon, user, &reachable,
&nreachable);
+ rc = get_context_user(fp, con, user, &reachable, &nreachable);
fclose(fp);
if (rc < 0 && errno != ENOENT) {
- fprintf(stderr,
+ selinux_log(SELINUX_ERROR,
"%s: error in processing configuration file
%s\n",
__FUNCTION__, selinux_default_context_path());
/* Fall through */
@@ -470,6 +471,7 @@
else
freeconary(reachable);
+ context_free(con);
freecon(backup_fromcon);
return rc;
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/libselinux-3.6/src/is_customizable_type.c
new/libselinux-3.7/src/is_customizable_type.c
--- old/libselinux-3.6/src/is_customizable_type.c 2023-12-13
15:46:22.000000000 +0100
+++ new/libselinux-3.7/src/is_customizable_type.c 2024-06-26
17:30:41.000000000 +0200
@@ -39,9 +39,7 @@
}
if (ctr) {
- list =
- (char **) calloc(sizeof(char *),
- ctr + 1);
+ list = calloc(ctr + 1, sizeof(char *));
if (list) {
i = 0;
while (fgets_unlocked(buf, selinux_page_size, fp)
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/libselinux-3.6/src/label.c
new/libselinux-3.7/src/label.c
--- old/libselinux-3.6/src/label.c 2023-12-13 15:46:22.000000000 +0100
+++ new/libselinux-3.7/src/label.c 2024-06-26 17:30:41.000000000 +0200
@@ -60,9 +60,10 @@
{
struct selabel_digest *digest = NULL;
- while (n--) {
+ while (n) {
+ n--;
if (opts[n].type == SELABEL_OPT_DIGEST &&
- opts[n].value == (char *)1) {
+ !!opts[n].value) {
digest = calloc(1, sizeof(*digest));
if (!digest)
goto err;
@@ -112,9 +113,11 @@
static inline int selabel_is_validate_set(const struct selinux_opt *opts,
unsigned n)
{
- while (n--)
+ while (n) {
+ n--;
if (opts[n].type == SELABEL_OPT_VALIDATE)
return !!opts[n].value;
+ }
return 0;
}
@@ -222,10 +225,7 @@
rec->digest = selabel_is_digest_set(opts, nopts);
if ((*initfuncs[backend])(rec, opts, nopts)) {
- if (rec->digest)
- selabel_digest_fini(rec->digest);
- free(rec->spec_file);
- free(rec);
+ selabel_close(rec);
rec = NULL;
}
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/libselinux-3.6/src/label_backends_android.c
new/libselinux-3.7/src/label_backends_android.c
--- old/libselinux-3.6/src/label_backends_android.c 2023-12-13
15:46:22.000000000 +0100
+++ new/libselinux-3.7/src/label_backends_android.c 2024-06-26
17:30:41.000000000 +0200
@@ -152,12 +152,21 @@
struct stat sb;
/* Process arguments */
- while (n--)
+ while (n) {
+ n--;
switch (opts[n].type) {
case SELABEL_OPT_PATH:
path = opts[n].value;
break;
+ case SELABEL_OPT_UNUSED:
+ case SELABEL_OPT_VALIDATE:
+ case SELABEL_OPT_DIGEST:
+ break;
+ default:
+ errno = EINVAL;
+ return -1;
}
+ }
if (!path)
return -1;
@@ -237,6 +246,9 @@
struct spec *spec;
unsigned int i;
+ if (!data)
+ return;
+
for (i = 0; i < data->nspec; i++) {
spec = &data->spec_arr[i];
free(spec->property_key);
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/libselinux-3.6/src/label_db.c
new/libselinux-3.7/src/label_db.c
--- old/libselinux-3.6/src/label_db.c 2023-12-13 15:46:22.000000000 +0100
+++ new/libselinux-3.7/src/label_db.c 2024-06-26 17:30:41.000000000 +0200
@@ -178,6 +178,9 @@
spec_t *spec;
unsigned int i;
+ if (!catalog)
+ return;
+
for (i = 0; i < catalog->nspec; i++) {
spec = &catalog->specs[i];
free(spec->key);
@@ -263,11 +266,20 @@
* the default one. If RDBMS is not SE-PostgreSQL, it may need to
* specify an explicit specfile for database objects.
*/
- while (nopts--) {
+ while (nopts) {
+ nopts--;
switch (opts[nopts].type) {
case SELABEL_OPT_PATH:
path = opts[nopts].value;
break;
+ case SELABEL_OPT_UNUSED:
+ case SELABEL_OPT_VALIDATE:
+ case SELABEL_OPT_DIGEST:
+ break;
+ default:
+ free(catalog);
+ errno = EINVAL;
+ return NULL;
}
}
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/libselinux-3.6/src/label_file.c
new/libselinux-3.7/src/label_file.c
--- old/libselinux-3.6/src/label_file.c 2023-12-13 15:46:22.000000000 +0100
+++ new/libselinux-3.7/src/label_file.c 2024-06-26 17:30:41.000000000 +0200
@@ -68,7 +68,7 @@
/*
* hash calculation and key comparison of hash table
*/
-
+ignore_unsigned_overflow_
static unsigned int symhash(hashtab_t h, const_hashtab_key_t key)
{
const struct chkdups_key *k = (const struct chkdups_key *)key;
@@ -801,7 +801,8 @@
int status = -1, baseonly = 0;
/* Process arguments */
- while (n--)
+ while (n) {
+ n--;
switch(opts[n].type) {
case SELABEL_OPT_PATH:
path = opts[n].value;
@@ -812,7 +813,15 @@
case SELABEL_OPT_BASEONLY:
baseonly = !!opts[n].value;
break;
+ case SELABEL_OPT_UNUSED:
+ case SELABEL_OPT_VALIDATE:
+ case SELABEL_OPT_DIGEST:
+ break;
+ default:
+ errno = EINVAL;
+ return -1;
}
+ }
#if !defined(BUILD_HOST) && !defined(ANDROID)
char subs_file[PATH_MAX + 1];
@@ -895,6 +904,9 @@
struct stem *stem;
unsigned int i;
+ if (!data)
+ return;
+
selabel_subs_fini(data->subs);
selabel_subs_fini(data->dist_subs);
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/libselinux-3.6/src/label_media.c
new/libselinux-3.7/src/label_media.c
--- old/libselinux-3.6/src/label_media.c 2023-12-13 15:46:22.000000000
+0100
+++ new/libselinux-3.7/src/label_media.c 2024-06-26 17:30:41.000000000
+0200
@@ -80,12 +80,21 @@
struct stat sb;
/* Process arguments */
- while (n--)
+ while (n) {
+ n--;
switch(opts[n].type) {
case SELABEL_OPT_PATH:
path = opts[n].value;
break;
+ case SELABEL_OPT_UNUSED:
+ case SELABEL_OPT_VALIDATE:
+ case SELABEL_OPT_DIGEST:
+ break;
+ default:
+ errno = EINVAL;
+ return -1;
}
+}
/* Open the specification file. */
if (!path)
@@ -155,9 +164,14 @@
static void close(struct selabel_handle *rec)
{
struct saved_data *data = (struct saved_data *)rec->data;
- struct spec *spec, *spec_arr = data->spec_arr;
+ struct spec *spec, *spec_arr;
unsigned int i;
+ if (!data)
+ return;
+
+ spec_arr = data->spec_arr;
+
for (i = 0; i < data->nspec; i++) {
spec = &spec_arr[i];
free(spec->key);
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/libselinux-3.6/src/label_x.c
new/libselinux-3.7/src/label_x.c
--- old/libselinux-3.6/src/label_x.c 2023-12-13 15:46:22.000000000 +0100
+++ new/libselinux-3.7/src/label_x.c 2024-06-26 17:30:41.000000000 +0200
@@ -107,12 +107,21 @@
struct stat sb;
/* Process arguments */
- while (n--)
+ while (n) {
+ n--;
switch(opts[n].type) {
case SELABEL_OPT_PATH:
path = opts[n].value;
break;
+ case SELABEL_OPT_UNUSED:
+ case SELABEL_OPT_VALIDATE:
+ case SELABEL_OPT_DIGEST:
+ break;
+ default:
+ errno = EINVAL;
+ return -1;
}
+ }
/* Open the specification file. */
if (!path)
@@ -182,9 +191,14 @@
static void close(struct selabel_handle *rec)
{
struct saved_data *data = (struct saved_data *)rec->data;
- struct spec *spec, *spec_arr = data->spec_arr;
+ struct spec *spec, *spec_arr;
unsigned int i;
+ if (!data)
+ return;
+
+ spec_arr = data->spec_arr;
+
for (i = 0; i < data->nspec; i++) {
spec = &spec_arr[i];
free(spec->key);
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/libselinux-3.6/src/mapping.c
new/libselinux-3.7/src/mapping.c
--- old/libselinux-3.6/src/mapping.c 2023-12-13 15:46:22.000000000 +0100
+++ new/libselinux-3.7/src/mapping.c 2024-06-26 17:30:41.000000000 +0200
@@ -31,7 +31,7 @@
*/
int
-selinux_set_mapping(struct security_class_mapping *map)
+selinux_set_mapping(const struct security_class_mapping *map)
{
size_t size = sizeof(struct selinux_mapping);
security_class_t i, j;
@@ -64,7 +64,7 @@
/* Store the raw class and permission values */
j = 0;
while (map[j].name) {
- struct security_class_mapping *p_in = map + (j++);
+ const struct security_class_mapping *p_in = map + (j++);
struct selinux_mapping *p_out = current_mapping + j;
p_out->value = string_to_security_class(p_in->name);
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/libselinux-3.6/src/selinux_internal.h
new/libselinux-3.7/src/selinux_internal.h
--- old/libselinux-3.6/src/selinux_internal.h 2023-12-13 15:46:22.000000000
+0100
+++ new/libselinux-3.7/src/selinux_internal.h 2024-06-26 17:30:41.000000000
+0200
@@ -102,4 +102,15 @@
void *reallocarray(void *ptr, size_t nmemb, size_t size);
#endif
+/* Use to ignore intentional unsigned under- and overflows while running under
UBSAN. */
+#if defined(__clang__) && defined(__clang_major__) && (__clang_major__ >= 4)
+#if (__clang_major__ >= 12)
+#define ignore_unsigned_overflow_
__attribute__((no_sanitize("unsigned-integer-overflow", "unsigned-shift-base")))
+#else
+#define ignore_unsigned_overflow_
__attribute__((no_sanitize("unsigned-integer-overflow")))
+#endif
+#else
+#define ignore_unsigned_overflow_
+#endif
+
#endif /* SELINUX_INTERNAL_H_ */
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/libselinux-3.6/src/selinux_restorecon.c
new/libselinux-3.7/src/selinux_restorecon.c
--- old/libselinux-3.6/src/selinux_restorecon.c 2023-12-13 15:46:22.000000000
+0100
+++ new/libselinux-3.7/src/selinux_restorecon.c 2024-06-26 17:30:41.000000000
+0200
@@ -243,7 +243,7 @@
int index = 0, found = 0;
uint64_t nfile = 0;
char *mount_info[4];
- char *buf = NULL, *item;
+ char *buf = NULL, *item, *saveptr;
/* Check to see if the kernel supports seclabel */
if (uname(&uts) == 0 && strverscmp(uts.release, "2.6.30") < 0)
@@ -258,13 +258,14 @@
while (getline(&buf, &len, fp) != -1) {
found = 0;
index = 0;
- item = strtok(buf, " ");
+ saveptr = NULL;
+ item = strtok_r(buf, " ", &saveptr);
while (item != NULL) {
mount_info[index] = item;
index++;
if (index == 4)
break;
- item = strtok(NULL, " ");
+ item = strtok_r(NULL, " ", &saveptr);
}
if (index < 4) {
selinux_log(SELINUX_ERROR,
@@ -276,14 +277,15 @@
/* Remove pre-existing entry */
remove_exclude(mount_info[1]);
- item = strtok(mount_info[3], ",");
+ saveptr = NULL;
+ item = strtok_r(mount_info[3], ",", &saveptr);
while (item != NULL) {
if (strcmp(item, "seclabel") == 0) {
found = 1;
nfile += file_system_count(mount_info[1]);
break;
}
- item = strtok(NULL, ",");
+ item = strtok_r(NULL, ",", &saveptr);
}
/* Exclude mount points without the seclabel option */
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/libselinux-3.6/src/setup.py
new/libselinux-3.7/src/setup.py
--- old/libselinux-3.6/src/setup.py 2023-12-13 15:46:22.000000000 +0100
+++ new/libselinux-3.7/src/setup.py 2024-06-26 17:30:41.000000000 +0200
@@ -4,7 +4,7 @@
setup(
name="selinux",
- version="3.6",
+ version="3.7",
description="SELinux python 3 bindings",
author="SELinux Project",
author_email="[email protected]",
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/libselinux-3.6/src/seusers.c
new/libselinux-3.7/src/seusers.c
--- old/libselinux-3.6/src/seusers.c 2023-12-13 15:46:22.000000000 +0100
+++ new/libselinux-3.7/src/seusers.c 2024-06-26 17:30:41.000000000 +0200
@@ -6,9 +6,13 @@
#include <stdio_ext.h>
#include <ctype.h>
#include <errno.h>
+#include <limits.h>
+
#include <selinux/selinux.h>
#include <selinux/context.h>
+
#include "selinux_internal.h"
+#include "callbacks.h"
/* Process line from seusers.conf and split into its fields.
Returns 0 on success, -1 on comments, and -2 on error. */
@@ -95,17 +99,32 @@
static gid_t get_default_gid(const char *name) {
struct passwd pwstorage, *pwent = NULL;
- gid_t gid = -1;
+ gid_t gid = (gid_t)-1;
/* Allocate space for the getpwnam_r buffer */
+ char *rbuf = NULL;
long rbuflen = sysconf(_SC_GETPW_R_SIZE_MAX);
- if (rbuflen <= 0) return -1;
- char *rbuf = malloc(rbuflen);
- if (rbuf == NULL) return -1;
-
- int retval = getpwnam_r(name, &pwstorage, rbuf, rbuflen, &pwent);
- if (retval == 0 && pwent) {
- gid = pwent->pw_gid;
+ if (rbuflen <= 0)
+ rbuflen = 1024;
+
+ for (;;) {
+ int rc;
+
+ rbuf = malloc(rbuflen);
+ if (rbuf == NULL)
+ break;
+
+ rc = getpwnam_r(name, &pwstorage, rbuf, rbuflen, &pwent);
+ if (rc == ERANGE && rbuflen < LONG_MAX / 2) {
+ free(rbuf);
+ rbuflen *= 2;
+ continue;
+ }
+ if (rc == 0 && pwent)
+ gid = pwent->pw_gid;
+
+ break;
}
+
free(rbuf);
return gid;
}
@@ -118,7 +137,7 @@
long rbuflen = sysconf(_SC_GETGR_R_SIZE_MAX);
if (rbuflen <= 0)
- return 0;
+ rbuflen = 1024;
char *rbuf;
while(1) {
@@ -127,7 +146,7 @@
return 0;
int retval = getgrnam_r(group, &gbuf, rbuf,
rbuflen, &grent);
- if ( retval == ERANGE )
+ if (retval == ERANGE && rbuflen < LONG_MAX / 2)
{
free(rbuf);
rbuflen = rbuflen * 2;
@@ -197,8 +216,8 @@
if (rc == -1)
continue; /* comment, skip */
if (rc == -2) {
- fprintf(stderr, "%s: error on line %lu, skipping...\n",
- selinux_usersconf_path(), lineno);
+ selinux_log(SELINUX_ERROR, "%s: error on line %lu,
skipping...\n",
+ selinux_usersconf_path(),
lineno);
continue;
}
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/libselinux-3.6/src/sha1.c
new/libselinux-3.7/src/sha1.c
--- old/libselinux-3.6/src/sha1.c 2023-12-13 15:46:22.000000000 +0100
+++ new/libselinux-3.7/src/sha1.c 2024-06-26 17:30:41.000000000 +0200
@@ -26,6 +26,8 @@
#include "sha1.h"
#include <memory.h>
+#include "selinux_internal.h"
+
///////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
// TYPES
///////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
@@ -62,6 +64,7 @@
//
// Hash a single 512-bit block. This is the core of the algorithm
///////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
+ignore_unsigned_overflow_
static
void
TransformFunction
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/libselinux-3.6/src/stringrep.c
new/libselinux-3.7/src/stringrep.c
--- old/libselinux-3.6/src/stringrep.c 2023-12-13 15:46:22.000000000 +0100
+++ new/libselinux-3.7/src/stringrep.c 2024-06-26 17:30:41.000000000 +0200
@@ -337,13 +337,15 @@
printf(" {");
- while (av) {
+ for (;;) {
if (av & bit) {
permstr = security_av_perm_to_string(tclass, bit);
if (!permstr)
break;
printf(" %s", permstr);
av &= ~bit;
+ if (!av)
+ break;
}
bit <<= 1;
}
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/libselinux-3.6/utils/compute_av.c
new/libselinux-3.7/utils/compute_av.c
--- old/libselinux-3.6/utils/compute_av.c 2023-12-13 15:46:22.000000000
+0100
+++ new/libselinux-3.7/utils/compute_av.c 2024-06-26 17:30:41.000000000
+0200
@@ -44,10 +44,14 @@
print_access_vector(tclass, avd.allowed);
printf("\n");
- if (avd.decided != ~0U) {
+ if (~avd.decided) {
printf("decided=");
print_access_vector(tclass, avd.decided);
printf("\n");
+
+ printf("undecided=");
+ print_access_vector(tclass, ~avd.decided);
+ printf("\n");
}
if (avd.auditallow) {
@@ -56,10 +60,14 @@
printf("\n");
}
- if (avd.auditdeny != ~0U) {
- printf("auditdeny");
+ if (~avd.auditdeny) {
+ printf("auditdeny=");
print_access_vector(tclass, avd.auditdeny);
printf("\n");
+
+ printf("dontaudit=");
+ print_access_vector(tclass, ~avd.auditdeny);
+ printf("\n");
}
exit(EXIT_SUCCESS);
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/libselinux-3.6/utils/getconlist.c
new/libselinux-3.7/utils/getconlist.c
--- old/libselinux-3.6/utils/getconlist.c 2023-12-13 15:46:22.000000000
+0100
+++ new/libselinux-3.7/utils/getconlist.c 2024-06-26 17:30:41.000000000
+0200
@@ -19,8 +19,9 @@
int main(int argc, char **argv)
{
- char **list, *cur_context = NULL;
- char *user = NULL, *level = NULL;
+ char **list;
+ const char *cur_context, *user;
+ char *cur_con = NULL, *level = NULL;
int ret, i, opt;
while ((opt = getopt(argc, argv, "l:")) > 0) {
@@ -54,11 +55,12 @@
/* If a context wasn't passed, use the current context. */
if (((argc - optind) < 2)) {
- if (getcon(&cur_context) < 0) {
+ if (getcon(&cur_con) < 0) {
fprintf(stderr, "Couldn't get current context: %s\n",
strerror(errno));
free(level);
return 2;
}
+ cur_context = cur_con;
} else {
cur_context = argv[optind + 1];
if (security_check_context(cur_context) != 0) {
@@ -82,10 +84,12 @@
} else {
fprintf(stderr, "get_ordered_context_list%s failure: %d(%s)\n",
level ? "_with_level" : "", errno, strerror(errno));
+ free(cur_con);
free(level);
return 4;
}
+ free(cur_con);
free(level);
return 0;
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/libselinux-3.6/utils/getdefaultcon.c
new/libselinux-3.7/utils/getdefaultcon.c
--- old/libselinux-3.6/utils/getdefaultcon.c 2023-12-13 15:46:22.000000000
+0100
+++ new/libselinux-3.7/utils/getdefaultcon.c 2024-06-26 17:30:41.000000000
+0200
@@ -19,8 +19,9 @@
int main(int argc, char **argv)
{
- char * usercon = NULL, *cur_context = NULL;
- char *user = NULL, *level = NULL, *role=NULL, *seuser=NULL,
*dlevel=NULL;
+ const char *cur_context, *user;
+ char *usercon = NULL, *cur_con = NULL;
+ char *level = NULL, *role=NULL, *seuser=NULL, *dlevel=NULL;
char *service = NULL;
int ret, opt;
int verbose = 0;
@@ -54,6 +55,9 @@
if (!is_selinux_enabled()) {
fprintf(stderr,
"%s may be used only on a SELinux kernel.\n", argv[0]);
+ free(level);
+ free(role);
+ free(service);
return 1;
}
@@ -61,15 +65,23 @@
/* If a context wasn't passed, use the current context. */
if ((argc - optind) < 2) {
- if (getcon(&cur_context) < 0) {
+ if (getcon(&cur_con) < 0) {
fprintf(stderr, "%s: couldn't get current context:
%s\n", argv[0], strerror(errno));
+ free(level);
+ free(role);
+ free(service);
return 2;
}
+ cur_context = cur_con;
} else
cur_context = argv[optind + 1];
if (security_check_context(cur_context)) {
fprintf(stderr, "%s: invalid from context '%s'\n", argv[0],
cur_context);
+ free(cur_con);
+ free(level);
+ free(role);
+ free(service);
return 3;
}
@@ -101,6 +113,8 @@
if (level != dlevel) free(level);
free(dlevel);
free(usercon);
+ free(cur_con);
+ free(service);
return ret >= 0;
}
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/libselinux-3.6/utils/sefcontext_compile.c
new/libselinux-3.7/utils/sefcontext_compile.c
--- old/libselinux-3.6/utils/sefcontext_compile.c 2023-12-13
15:46:22.000000000 +0100
+++ new/libselinux-3.7/utils/sefcontext_compile.c 2024-06-26
17:30:41.000000000 +0200
@@ -189,7 +189,7 @@
if (len != 1)
goto err;
- /* original context strin (including nul) */
+ /* original context string (including nul) */
len = fwrite(context, sizeof(char), to_write, bin_file);
if (len != to_write)
goto err;
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/libselinux-3.6/utils/selabel_digest.c
new/libselinux-3.7/utils/selabel_digest.c
--- old/libselinux-3.6/utils/selabel_digest.c 2023-12-13 15:46:22.000000000
+0100
+++ new/libselinux-3.7/utils/selabel_digest.c 2024-06-26 17:30:41.000000000
+0200
@@ -6,12 +6,10 @@
#include <selinux/selinux.h>
#include <selinux/label.h>
-static size_t digest_len;
-
static __attribute__ ((__noreturn__)) void usage(const char *progname)
{
fprintf(stderr,
- "usage: %s -b backend [-d] [-v] [-B] [-i] [-f file]\n\n"
+ "usage: %s -b backend [-v] [-B] [-i] [-f file]\n\n"
"Where:\n\t"
"-b The backend - \"file\", \"media\", \"x\", \"db\" or "
"\"prop\"\n\t"
@@ -25,11 +23,11 @@
exit(1);
}
-static int run_check_digest(char *cmd, char *selabel_digest)
+static int run_check_digest(const char *cmd, const char *selabel_digest,
size_t digest_len)
{
FILE *fp;
char files_digest[128];
- char *files_ptr;
+ const char *files_ptr;
int rc = 0;
fp = popen(cmd, "r");
@@ -64,17 +62,17 @@
char *baseonly = NULL, *file = NULL, *digest = (char *)1;
char **specfiles = NULL;
unsigned char *sha1_digest = NULL;
- size_t i, num_specfiles;
+ size_t digest_len, i, num_specfiles;
char cmd_buf[4096];
char *cmd_ptr;
- char *sha1_buf;
+ char *sha1_buf = NULL;
struct selabel_handle *hnd;
struct selinux_opt selabel_option[] = {
{ SELABEL_OPT_PATH, file },
- { SELABEL_OPT_BASEONLY, baseonly },
- { SELABEL_OPT_DIGEST, digest }
+ { SELABEL_OPT_DIGEST, digest },
+ { SELABEL_OPT_BASEONLY, baseonly }
};
if (argc < 3)
@@ -121,10 +119,10 @@
memset(cmd_buf, 0, sizeof(cmd_buf));
selabel_option[0].value = file;
- selabel_option[1].value = baseonly;
- selabel_option[2].value = digest;
+ selabel_option[1].value = digest;
+ selabel_option[2].value = baseonly;
- hnd = selabel_open(backend, selabel_option, 3);
+ hnd = selabel_open(backend, selabel_option, backend == SELABEL_CTX_FILE
? 3 : 2);
if (!hnd) {
switch (errno) {
case EOVERFLOW:
@@ -169,23 +167,50 @@
printf("calculated using the following specfile(s):\n");
if (specfiles) {
- cmd_ptr = &cmd_buf[0];
- sprintf(cmd_ptr, "/usr/bin/cat ");
- cmd_ptr = &cmd_buf[0] + strlen(cmd_buf);
+ size_t cmd_rem = sizeof(cmd_buf);
+ int ret;
+
+ if (validate) {
+ cmd_ptr = &cmd_buf[0];
+ ret = snprintf(cmd_ptr, cmd_rem, "/usr/bin/cat ");
+ if (ret < 0 || (size_t)ret >= cmd_rem) {
+ fprintf(stderr, "Could not format validate
command\n");
+ rc = -1;
+ goto err;
+ }
+ cmd_ptr += ret;
+ cmd_rem -= ret;
+ }
for (i = 0; i < num_specfiles; i++) {
- sprintf(cmd_ptr, "%s ", specfiles[i]);
- cmd_ptr += strlen(specfiles[i]) + 1;
+ if (validate) {
+ ret = snprintf(cmd_ptr, cmd_rem, "%s ",
specfiles[i]);
+ if (ret < 0 || (size_t)ret >= cmd_rem) {
+ fprintf(stderr, "Could not format
validate command\n");
+ rc = -1;
+ goto err;
+ }
+ cmd_ptr += ret;
+ cmd_rem -= ret;
+ }
+
printf("%s\n", specfiles[i]);
}
- sprintf(cmd_ptr, "| /usr/bin/openssl dgst -sha1 -hex");
- if (validate)
- rc = run_check_digest(cmd_buf, sha1_buf);
+ if (validate) {
+ ret = snprintf(cmd_ptr, cmd_rem, "| /usr/bin/openssl
dgst -sha1 -hex");
+ if (ret < 0 || (size_t)ret >= cmd_rem) {
+ fprintf(stderr, "Could not format validate
command\n");
+ rc = -1;
+ goto err;
+ }
+
+ rc = run_check_digest(cmd_buf, sha1_buf, digest_len);
+ }
}
- free(sha1_buf);
err:
+ free(sha1_buf);
selabel_close(hnd);
return rc;
}
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/libselinux-3.6/utils/selinuxexeccon.c
new/libselinux-3.7/utils/selinuxexeccon.c
--- old/libselinux-3.6/utils/selinuxexeccon.c 2023-12-13 15:46:22.000000000
+0100
+++ new/libselinux-3.7/utils/selinuxexeccon.c 2024-06-26 17:30:41.000000000
+0200
@@ -45,6 +45,7 @@
con = strdup(argv[2]);
if (security_check_context(con)) {
fprintf(stderr, "%s: invalid from context '%s'\n",
argv[0], con);
+ free(con);
return -1;
}
}
++++++ libselinux-set-free-d-data-to-NULL.patch ++++++
Index: libselinux-3.7/src/label_backends_android.c
===================================================================
--- libselinux-3.7.orig/src/label_backends_android.c
+++ libselinux-3.7/src/label_backends_android.c
@@ -260,6 +260,7 @@ static void closef(struct selabel_handle
free(data->spec_arr);
free(data);
+ rec->data = NULL;
}
static struct selabel_lookup_rec *property_lookup(struct selabel_handle *rec,
Index: libselinux-3.7/src/label_file.c
===================================================================
--- libselinux-3.7.orig/src/label_file.c
+++ libselinux-3.7/src/label_file.c
@@ -942,6 +942,7 @@ static void closef(struct selabel_handle
free(last_area);
}
free(data);
+ rec->data = NULL;
}
// Finds all the matches of |key| in the given context. Returns the result in
Index: libselinux-3.7/src/label_media.c
===================================================================
--- libselinux-3.7.orig/src/label_media.c
+++ libselinux-3.7/src/label_media.c
@@ -183,6 +183,7 @@ static void close(struct selabel_handle
free(spec_arr);
free(data);
+ rec->data = NULL;
}
static struct selabel_lookup_rec *lookup(struct selabel_handle *rec,
Index: libselinux-3.7/src/label_x.c
===================================================================
--- libselinux-3.7.orig/src/label_x.c
+++ libselinux-3.7/src/label_x.c
@@ -210,6 +210,7 @@ static void close(struct selabel_handle
free(spec_arr);
free(data);
+ rec->data = NULL;
}
static struct selabel_lookup_rec *lookup(struct selabel_handle *rec,
