On Tue, Sep 05, 2017 at 04:05:50PM +0200, Bruno Ducrot wrote:
> Hi there,
> 
> Compiling OpenSCAP 1.2.15 under Ubuntu Xenial.  The probe for
> process58 will segfault.  A possible fix for that could be:

Could you share a backtrace from the segfaulted probe?

> diff -Nur openscap-1.2.15/src/OVAL/probes/unix/process58.c 
> openscap-fix-process58-1.2.15/src/OVAL/probes/unix/process58.c
> --- openscap-1.2.15.orig/src/OVAL/probes/unix/process58.c     2017-08-25 
> 14:24:01.000000000 +0200
> +++ openscap-1.2.15/src/OVAL/probes/unix/process58.c  2017-09-05 
> 15:55:04.442257234 +0200
> @@ -247,10 +247,11 @@
>               dW("Can't get selinux context for process %d", pid);
>               return NULL;
>       }
> -     context = context_new(pid_context);
> -     selinux_label = strdup(context_type_get(context));
> -     context_free(context);
> -     freecon(pid_context);
> +     // context = context_new(pid_context);
> +     // selinux_label = strdup(context_type_get(context));
> +     // context_free(context);
> +     // freecon(pid_context);
> +     selinux_label = strdup(pid_context);
>       return selinux_label;
>  
>  #else
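
Review bot: the added `selinux_label = strdup(pid_context);` line returns the whole context string where the removed lines returned only the result of context_type_get(), and with `freecon(pid_context)` commented out the pid_context buffer is never released on this path. Keep the context_new()/context_type_get() sequence and check each result for NULL before it is used (context before context_type_get(), the type before strdup()), calling context_free() and freecon() on every exit. The //-commented lines should be deleted rather than left in place.
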
> 
> 
> I guess that fix is incorrect and shouldn't be merged as is.

The problem with this patch is that it changes the meaning of the return
value. The original code returned only the SELinux type associated with a
process, e.g. init_t, while with this change it would be the whole
SELinux context, e.g. system_u:system_r:init_t:s0. See
https://github.com/OpenSCAP/openscap/commit/4f3d1718f

> The real problem is, I think, with an API change in libselinux.
> I don't know however how to fix that in a way that could be merged
> mainstream.

I don't think there was an API change related to getpidcon(),
context_new() or context_type_get() in libselinux recently.

The problem seems to be a missing check of the return values of these
functions.

Petr

> -- 
> Bruno Ducrot
> 
> -- Which is worse: ignorance or apathy?
> -- Don't know.  Don't care.

_______________________________________________
Open-scap-list mailing list
Open-scap-list@redhat.com
https://www.redhat.com/mailman/listinfo/open-scap-list
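
The difference between the type and the whole context discussed in the reply above, as an added example that is not part of the original thread and is not OpenSCAP or libselinux code. It assumes the textual form user:role:type[:level]; the helper name selinux_type_from_context is hypothetical, and it parses the string directly as a stand-in for the libselinux calls so that it builds without libselinux, returning NULL on malformed input instead of dereferencing it.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical helper (not OpenSCAP or libselinux code): return a newly
 * allocated copy of the type field of an SELinux context string of the
 * assumed form user:role:type[:level], or NULL if the input is NULL or
 * malformed. The caller frees the result. */
char *selinux_type_from_context(const char *ctx)
{
    if (ctx == NULL)
        return NULL;
    /* The type is the third colon-separated field. */
    const char *role = strchr(ctx, ':');
    if (role == NULL)
        return NULL;
    const char *type = strchr(role + 1, ':');
    if (type == NULL)
        return NULL;
    type++;
    /* The level is optional and may itself contain colons
     * (s0-s0:c0.c1023), so stop at the first colon after the type. */
    size_t len = strcspn(type, ":");
    if (len == 0)
        return NULL;
    char *out = malloc(len + 1);
    if (out == NULL)
        return NULL;
    memcpy(out, type, len);
    out[len] = '\0';
    return out;
}

int main(void)
{
    /* Constructed sample inputs; the last one is deliberately malformed. */
    const char *samples[] = {
        "system_u:system_r:init_t:s0",
        "system_u:system_r:sshd_t:s0-s0:c0.c1023",
        "unconfined",
    };
    for (size_t i = 0; i < sizeof(samples) / sizeof(samples[0]); i++) {
        char *t = selinux_type_from_context(samples[i]);
        printf("%s -> %s\n", samples[i], t ? t : "(rejected)");
        free(t);
    }
    return 0;
}
```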