On Thu, Sep 07, 2017 at 12:01:34PM +0200, Petr Lautrbach wrote:
> On Tue, Sep 05, 2017 at 04:05:50PM +0200, Bruno Ducrot wrote:
> > Hi there,
> >
> > Compiling OpenSCAP 1.2.15 under an Ubuntu Xenial. The probe for
> > process58 will segfault. A possible fix for that could be:
>
> Could you share a backtrace from the segfaulted probe?

(gdb) bt
#0 0x00007f15bf57f000 in ?? ()
#1 0x000000000040616a in get_selinux_label (pid=1) at unix/process58.c:251
#2 read_process (cmd_ent=cmd_ent@entry=0x7f15a8000b50, pid_ent=pid_ent@entry=0x7f15a8000960, ctx=ctx@entry=0x7f15afffed50) at unix/process58.c:601
#3 0x000000000040676e in probe_main (ctx=ctx@entry=0x7f15afffed50, arg=<optimized out>) at unix/process58.c:640
#4 0x000000000040a120 in probe_worker (probe=0x7fff958bdd90, msg_in=<optimized out>, ret=0x7f15afffedd4) at worker.c:952
#5 0x0000000000409c47 in probe_worker_runfn (arg=0x7f15b0000df0) at worker.c:56
#6 0x00007f15bebd86ba in ?? ()
#7 0x0000000000000000 in ?? ()

> The problem with this patch is that it changes the meaning of the return
> value. The original code returned only SELinux type associated to a
> process, e.g. init_t, while with this change it would be the whole
> SELinux context, e.g. system_u:system_r:init_t:s0. See
> https://github.com/OpenSCAP/openscap/commit/4f3d1718f

Well. Under Ubuntu, the security context happens

>
> > The real problem is, I think, with an API change in libselinux.
> > I don't know however how to fix that in a way that could be merged
> > mainstream.
>
> I don't think there was an API change related to getpidcon(),
> context_new() or context_type_get() in libselinux recently.
>
> The problem seems to be in missing check of return values of these
> functions.
>

I see. I was mistaken indeed.

Well, continuing with gdb:

(gdb) frame 1
#1 0x000000000040616a in get_selinux_label (pid=1) at unix/process58.c:251
251 selinux_label = strdup(context_type_get(context));
(gdb) print context
$1 = (context_t) 0x0

Ah, context is NULL. The patch below fixes the segfault.

--- openscap-1.2.15/src/OVAL/probes/unix/process58.c 2017/09/07 17:19:46 1.1 +++ openscap-1.2.15/src/OVAL/probes/unix/process58.c 2017/09/07 17:43:47 
@@ -248,6 +248,10 @@ return NULL; } context = context_new(pid_context); + if (context == NULL) { + /* Another LSM is in use */ + return NULL; + } selinux_label = strdup(context_type_get(context)); context_free(context); freecon(pid_context); Cheers, -- Bruno Ducrot -- Which is worse: ignorance or apathy? -- Don't know. Don't care. _______________________________________________ Open-scap-list mailing list [email protected] https://www.redhat.com/mailman/listinfo/open-scap-list
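
Review bot: the new `if (context == NULL)` branch returns without calling freecon(pid_context), which the normal path does right after context_free(context), so pid_context leaks for every process that takes this branch; add freecon(pid_context) before the `return NULL;`. The comment "Another LSM is in use" also asserts one cause, while the visible lines only establish that context_new() returned NULL for this string, so a neutral comment such as "not a parsable SELinux context" would be more accurate. Separately, the unchanged line `selinux_label = strdup(context_type_get(context));` still passes an unchecked return value to strdup(); checking it for NULL in the same patch would finish the "missing check of return values" point raised in the thread.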
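
As an added illustration of the two points in this thread (the probe reports only the type field, e.g. init_t out of system_u:system_r:init_t:s0, and a label that is not an SELinux context has to yield NULL instead of a crash), here is a stand-alone C example. It is not OpenSCAP or libselinux code: selinux_type_from_context and type_matches are hypothetical helpers that parse the string by hand instead of calling context_new()/context_type_get(), and the inputs are constructed.

```c
#include <stdlib.h>
#include <string.h>

/* Hypothetical helper (not from OpenSCAP or libselinux): return a malloc'd
 * copy of the type field of "user:role:type[:range]", or NULL if the label
 * does not have that shape or memory runs out. Caller frees the result. */
char *selinux_type_from_context(const char *ctx)
{
    const char *p, *start, *end;
    size_t len;
    char *type;
    int i;

    if (ctx == NULL)
        return NULL;

    /* Skip the user and role fields; each must be present and non-empty. */
    p = ctx;
    for (i = 0; i < 2; i++) {
        const char *colon = strchr(p, ':');
        if (colon == NULL || colon == p)
            return NULL;            /* not an SELinux-shaped label */
        p = colon + 1;
    }

    /* The type runs to the next ':' (a range follows) or to the end. */
    start = p;
    end = strchr(start, ':');
    len = end ? (size_t)(end - start) : strlen(start);
    if (len == 0)
        return NULL;

    type = malloc(len + 1);
    if (type == NULL)
        return NULL;
    memcpy(type, start, len);
    type[len] = '\0';
    return type;
}

/* Returns 1 when the label parses and its type equals `expected`. */
int type_matches(const char *ctx, const char *expected)
{
    char *t = selinux_type_from_context(ctx);
    int ok = (t != NULL && strcmp(t, expected) == 0);
    free(t);                        /* free(NULL) is a no-op */
    return ok;
}
```

Every failure path returns NULL before anything is allocated, so there is nothing to release on error; in the real function the equivalent discipline is to release pid_context on each early return.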
