commit:     51e0f47c21ea17e9dd93961e4bc1aa560927865a
Author:     Jason Zaman <perfinion <AT> gentoo <DOT> org>
AuthorDate: Thu Sep 15 09:30:39 2016 +0000
Commit:     Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Thu Sep 15 09:45:05 2016 +0000
URL:        https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=51e0f47c

sys-libs/libselinux: backport patches to 2.5-r1

Avoid mounting /proc outside of selinux_init_load_policy()

Fix compat issue with swig 3.0.10
https://bugs.gentoo.org/587712

Package-Manager: portage-2.2.28

 ...nux-2.5-0001-only-mount-proc-if-necessary.patch |  54 +++++++++
 ...ing-proc-outside-of-selinux_init_load_pol.patch | 129 +++++++++++++++++++++
 ...5-0003-Change-the-location-of-_selinux.so.patch |  44 +++++++
 ...elinux-9999.ebuild => libselinux-2.5-r1.ebuild} |   6 +-
 sys-libs/libselinux/libselinux-9999.ebuild         |   2 +-
 5 files changed, 233 insertions(+), 2 deletions(-)

diff --git 
a/sys-libs/libselinux/files/libselinux-2.5-0001-only-mount-proc-if-necessary.patch
 
b/sys-libs/libselinux/files/libselinux-2.5-0001-only-mount-proc-if-necessary.patch
new file mode 100644
index 00000000..dfa6a0f
--- /dev/null
+++ 
b/sys-libs/libselinux/files/libselinux-2.5-0001-only-mount-proc-if-necessary.patch
@@ -0,0 +1,54 @@
+From 5a8d8c499b2ef80eaa7b5abe2ec68d7101e613bf Mon Sep 17 00:00:00 2001
+From: Stephen Smalley <s...@tycho.nsa.gov>
+Date: Mon, 29 Feb 2016 10:10:55 -0500
+Subject: [PATCH] libselinux: only mount /proc if necessary
+
+Commit 9df498884665d ("libselinux: Mount procfs before checking
+/proc/filesystems") changed selinuxfs_exists() to always try
+mounting /proc before reading /proc/filesystems.  However, this is
+unnecessary if /proc is already mounted and can produce avc denials
+if the process is not allowed to perform the mount.  Check first
+to see if /proc is already present and only try the mount if it is not.
+
+Signed-off-by: Stephen Smalley <s...@tycho.nsa.gov>
+---
+ libselinux/src/init.c | 11 +++++++++--
+ 1 file changed, 9 insertions(+), 2 deletions(-)
+
+diff --git a/libselinux/src/init.c b/libselinux/src/init.c
+index 3db4de0..3530594 100644
+--- libselinux/src/init.c
++++ libselinux/src/init.c
+@@ -12,6 +12,7 @@
+ #include <stdint.h>
+ #include <limits.h>
+ #include <sys/mount.h>
++#include <linux/magic.h>
+ 
+ #include "dso.h"
+ #include "policy.h"
+@@ -57,13 +58,19 @@ static int verify_selinuxmnt(const char *mnt)
+ 
+ int selinuxfs_exists(void)
+ {
+-      int exists = 0, mnt_rc = 0;
++      int exists = 0, mnt_rc = -1, rc;
++      struct statfs sb;
+       FILE *fp = NULL;
+       char *buf = NULL;
+       size_t len;
+       ssize_t num;
+ 
+-      mnt_rc = mount("proc", "/proc", "proc", 0, 0);
++      do {
++              rc = statfs("/proc", &sb);
++      } while (rc < 0 && errno == EINTR);
++
++      if (rc == 0 && ((uint32_t)sb.f_type != (uint32_t)PROC_SUPER_MAGIC))
++              mnt_rc = mount("proc", "/proc", "proc", 0, 0);
+ 
+       fp = fopen("/proc/filesystems", "r");
+       if (!fp) {
+-- 
+2.7.3
+

diff --git 
a/sys-libs/libselinux/files/libselinux-2.5-0002-Avoid-mounting-proc-outside-of-selinux_init_load_pol.patch
 
b/sys-libs/libselinux/files/libselinux-2.5-0002-Avoid-mounting-proc-outside-of-selinux_init_load_pol.patch
new file mode 100644
index 00000000..c811450
--- /dev/null
+++ 
b/sys-libs/libselinux/files/libselinux-2.5-0002-Avoid-mounting-proc-outside-of-selinux_init_load_pol.patch
@@ -0,0 +1,129 @@
+From 32773a99b1f0cf2b61b5f5a33359684b18aab1ed Mon Sep 17 00:00:00 2001
+From: Stephen Smalley <s...@tycho.nsa.gov>
+Date: Fri, 13 May 2016 11:59:47 -0400
+Subject: [PATCH] Avoid mounting /proc outside of selinux_init_load_policy().
+
+Temporarily mounting /proc within selinuxfs_exists() can cause
+problems since it can be called by a libselinux constructor and
+therefore may be invoked by every program linked with libselinux.
+Since this was only motivated originally by a situation where
+selinuxfs_exists() was called from selinux_init_load_policy()
+before /proc was mounted, fix it in selinux_init_load_policy() instead.
+
+This reverts commit 5a8d8c499b2ef80eaa7b5abe2ec68d7101e613bf
+("libselinux: only mount /proc if necessary") and
+commit 9df498884665d79474b79f0f30d1cd67df11bd3e
+("libselinux: Mount procfs before checking /proc/filesystems").
+
+Signed-off-by: Stephen Smalley <s...@tycho.nsa.gov>
+---
+ libselinux/src/init.c        | 27 +++------------------------
+ libselinux/src/load_policy.c | 15 ++++++++++-----
+ 2 files changed, 13 insertions(+), 29 deletions(-)
+
+diff --git a/libselinux/src/init.c b/libselinux/src/init.c
+index 3530594..3c687a2 100644
+--- libselinux/src/init.c
++++ libselinux/src/init.c
+@@ -11,8 +11,6 @@
+ #include <sys/vfs.h>
+ #include <stdint.h>
+ #include <limits.h>
+-#include <sys/mount.h>
+-#include <linux/magic.h>
+ 
+ #include "dso.h"
+ #include "policy.h"
+@@ -58,26 +56,15 @@ static int verify_selinuxmnt(const char *mnt)
+ 
+ int selinuxfs_exists(void)
+ {
+-      int exists = 0, mnt_rc = -1, rc;
+-      struct statfs sb;
++      int exists = 0;
+       FILE *fp = NULL;
+       char *buf = NULL;
+       size_t len;
+       ssize_t num;
+ 
+-      do {
+-              rc = statfs("/proc", &sb);
+-      } while (rc < 0 && errno == EINTR);
+-
+-      if (rc == 0 && ((uint32_t)sb.f_type != (uint32_t)PROC_SUPER_MAGIC))
+-              mnt_rc = mount("proc", "/proc", "proc", 0, 0);
+-
+       fp = fopen("/proc/filesystems", "r");
+-      if (!fp) {
+-              exists = 1; /* Fail as if it exists */
+-              goto out;
+-      }
+-
++      if (!fp)
++              return 1; /* Fail as if it exists */
+       __fsetlocking(fp, FSETLOCKING_BYCALLER);
+ 
+       num = getline(&buf, &len, fp);
+@@ -91,14 +78,6 @@ int selinuxfs_exists(void)
+ 
+       free(buf);
+       fclose(fp);
+-
+-out:
+-#ifndef MNT_DETACH
+-#define MNT_DETACH 2
+-#endif
+-      if (mnt_rc == 0)
+-              umount2("/proc", MNT_DETACH);
+-
+       return exists;
+ }
+ hidden_def(selinuxfs_exists)
+diff --git a/libselinux/src/load_policy.c b/libselinux/src/load_policy.c
+index 21ee58b..4f39fc7 100644
+--- libselinux/src/load_policy.c
++++ libselinux/src/load_policy.c
+@@ -17,6 +17,10 @@
+ #include "policy.h"
+ #include <limits.h>
+ 
++#ifndef MNT_DETACH
++#define MNT_DETACH 2
++#endif
++
+ int security_load_policy(void *data, size_t len)
+ {
+       char path[PATH_MAX];
+@@ -348,11 +352,6 @@ int selinux_init_load_policy(int *enforce)
+               fclose(cfg);
+               free(buf);
+       }
+-#ifndef MNT_DETACH
+-#define MNT_DETACH 2
+-#endif
+-      if (rc == 0)
+-              umount2("/proc", MNT_DETACH);
+ 
+       /* 
+        * Determine the final desired mode.
+@@ -400,11 +399,17 @@ int selinux_init_load_policy(int *enforce)
+                       /* Only emit this error if selinux was not disabled */
+                       fprintf(stderr, "Mount failed for selinuxfs on %s:  
%s\n", SELINUXMNT, strerror(errno));
+               }
++
++              if (rc == 0)
++                      umount2("/proc", MNT_DETACH);
+                 
+               goto noload;
+       }
+       set_selinuxmnt(mntpoint);
+ 
++      if (rc == 0)
++              umount2("/proc", MNT_DETACH);
++
+       /*
+        * Note:  The following code depends on having selinuxfs 
+        * already mounted and selinuxmnt set above.
+-- 
+2.7.3
+
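Review bot: The two added `if (rc == 0) umount2("/proc", MNT_DETACH);` blocks in the load_policy.c hunk depend on `rc` still holding the result of the earlier `mount("proc", "/proc", "proc", 0, 0)` that the removed block was paired with; the hunk does not show whether `rc` is reassigned between that mount and the new, later unmount sites, and any `goto noload` taken in between (for example a `selinuxfs_exists()` check, if one sits there) would now leave /proc mounted, so this is worth confirming against the full function, which starts and ends outside the hunk. Since the condition is duplicated verbatim on both the failure path and the success path, a flag that states its meaning would make the pairing self-evident, e.g. `int proc_mounted = (mount("proc", "/proc", "proc", 0, 0) == 0);` at the mount site and `if (proc_mounted) umount2("/proc", MNT_DETACH);` at both exits. Failing that, a comment above each new block, `/* lazily undo the /proc mount made above; selinuxfs_exists() and the selinuxfs mount needed it */`, records why the unmount was deferred to here. The ignored `umount2()` return value is pre-existing behavior and is only moved by this change.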

diff --git 
a/sys-libs/libselinux/files/libselinux-2.5-0003-Change-the-location-of-_selinux.so.patch
 
b/sys-libs/libselinux/files/libselinux-2.5-0003-Change-the-location-of-_selinux.so.patch
new file mode 100644
index 00000000..542acfd
--- /dev/null
+++ 
b/sys-libs/libselinux/files/libselinux-2.5-0003-Change-the-location-of-_selinux.so.patch
@@ -0,0 +1,44 @@
+From a9604c30a5e2f71007d31aa6ba41cf7b95d94822 Mon Sep 17 00:00:00 2001
+From: Petr Lautrbach <plaut...@redhat.com>
+Date: Mon, 27 Jun 2016 10:46:13 +0200
+Subject: [PATCH] libselinux: Change the location of _selinux.so
+
+There was a change in swig-3.10 to use importlib instead of imp. While
+the implementation with imp looked for _selinux.so also into the same directory
+as __init__.py is, a new module with importlib searchs only standard paths.
+It means that we need to move _selinux.so from 
$(PYLIBDIR)/site-packages/selinux/
+to $(PYLIBDIR)/site-packages/.
+
+Fixes:
+>>> import selinux
+Traceback (most recent call last):
+  File "<stdin>", line 1, in <module>
+  File "/usr/lib64/python2.7/site-packages/selinux/__init__.py", line 21, in 
<module>
+    _selinux = swig_import_helper()
+  File "/usr/lib64/python2.7/site-packages/selinux/__init__.py", line 20, in 
swig_import_helper
+    return importlib.import_module('_selinux')
+  File "/usr/lib64/python2.7/importlib/__init__.py", line 37, in import_module
+    __import__(name)
+ImportError: No module named _selinux
+
+Signed-off-by: Petr Lautrbach <plaut...@redhat.com>
+---
+ libselinux/src/Makefile | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/libselinux/src/Makefile b/libselinux/src/Makefile
+index d94163e..37d01af 100644
+--- libselinux/src/Makefile
++++ libselinux/src/Makefile
+@@ -156,7 +156,7 @@ install: all
+ 
+ install-pywrap: pywrap
+       test -d $(PYLIBDIR)/site-packages/selinux || install -m 755 -d 
$(PYLIBDIR)/site-packages/selinux
+-      install -m 755 $(SWIGSO) $(PYLIBDIR)/site-packages/selinux/_selinux.so
++      install -m 755 $(SWIGSO) $(PYLIBDIR)/site-packages/_selinux.so
+       install -m 755 $(AUDIT2WHYSO) 
$(PYLIBDIR)/site-packages/selinux/audit2why.so
+       install -m 644 $(SWIGPYOUT) 
$(PYLIBDIR)/site-packages/selinux/__init__.py
+ 
+-- 
+2.7.3
+

diff --git a/sys-libs/libselinux/libselinux-9999.ebuild 
b/sys-libs/libselinux/libselinux-2.5-r1.ebuild
similarity index 93%
copy from sys-libs/libselinux/libselinux-9999.ebuild
copy to sys-libs/libselinux/libselinux-2.5-r1.ebuild
index e686746..51e5c29 100644
--- a/sys-libs/libselinux/libselinux-9999.ebuild
+++ b/sys-libs/libselinux/libselinux-2.5-r1.ebuild
@@ -11,7 +11,7 @@ inherit multilib python-r1 toolchain-funcs multilib-minimal
 
 MY_P="${P//_/-}"
 SEPOL_VER="${PV}"
-MY_RELEASEDATE="20150202"
+MY_RELEASEDATE="20160223"
 
 DESCRIPTION="SELinux userland library"
 HOMEPAGE="https://github.com/SELinuxProject/selinux/wiki";
@@ -48,6 +48,10 @@ src_prepare() {
                # If needed for live builds, place them in /etc/portage/patches
                eapply "${FILESDIR}/0005-use-ruby-include-with-rubylibver.patch"
                eapply 
"${FILESDIR}/0007-build-related-fixes-bug-500674-for-2.5.patch"
+
+               eapply 
"${FILESDIR}/libselinux-2.5-0001-only-mount-proc-if-necessary.patch"
+               eapply 
"${FILESDIR}/libselinux-2.5-0002-Avoid-mounting-proc-outside-of-selinux_init_load_pol.patch"
+               eapply 
"${FILESDIR}/libselinux-2.5-0003-Change-the-location-of-_selinux.so.patch"
        fi
 
        eapply_user
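Review bot: Patch 0001 is reverted in full by patch 0002 (0002's description says it reverts commit 5a8d8c499b2ef80eaa7b5abe2ec68d7101e613bf), so the net code change of the three `eapply` lines is that of 0002 and 0003 only; 0001 is still required because 0002's init.c hunk deletes the `#include <linux/magic.h>` and `statfs("/proc", ...)` lines that 0001 introduces and would not apply without them. A comment above the new `eapply` lines, `# 0001 is reverted by 0002 but must be applied first so that 0002's init.c context matches`, would stop a later cleanup from dropping it and breaking src_prepare. The enclosing `src_prepare()` and its conditional start outside this hunk, so whether these patches are applied only for release builds cannot be confirmed from here.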

diff --git a/sys-libs/libselinux/libselinux-9999.ebuild 
b/sys-libs/libselinux/libselinux-9999.ebuild
index e686746..54de3c9 100644
--- a/sys-libs/libselinux/libselinux-9999.ebuild
+++ b/sys-libs/libselinux/libselinux-9999.ebuild
@@ -11,7 +11,7 @@ inherit multilib python-r1 toolchain-funcs multilib-minimal
 
 MY_P="${P//_/-}"
 SEPOL_VER="${PV}"
-MY_RELEASEDATE="20150202"
+MY_RELEASEDATE="20160223"
 
 DESCRIPTION="SELinux userland library"
 HOMEPAGE="https://github.com/SELinuxProject/selinux/wiki";
