Hi,

Thanks for the patch. I have included it in upstream.
https://github.com/OpenSCAP/openscap/commit/0844e5fa6fb6624882b50e6915ecb3393559b4cc

I tried to reproduce this yesterday, but I wasn't successful. Do I understand it well that this happens only if SELinux is not in use?

Regards

Jan Černý
Security Technologies | Red Hat, Inc.

----- Original Message -----
> From: "Bruno Ducrot" <[email protected]>
> To: "Petr Lautrbach" <[email protected]>
> Cc: [email protected]
> Sent: Thursday, September 7, 2017 7:47:56 PM
> Subject: Re: [Open-scap] fix process58 for Ubuntu
>
> On Thu, Sep 07, 2017 at 12:01:34PM +0200, Petr Lautrbach wrote:
> > On Tue, Sep 05, 2017 at 04:05:50PM +0200, Bruno Ducrot wrote:
> > > Hi there,
> > >
> > > Compiling OpenSCAP 1.2.15 under a Ubuntu Xenial. The probe for
> > > process58 will segfault. A possible fix for that could be :
> >
> > Could you share a backtrace from the segfaulted probe?
>
> (gdb) bt
> #0 0x00007f15bf57f000 in ?? ()
> #1 0x000000000040616a in get_selinux_label (pid=1) at unix/process58.c:251
> #2 read_process (cmd_ent=cmd_ent@entry=0x7f15a8000b50,
> pid_ent=pid_ent@entry=0x7f15a8000960, ctx=ctx@entry=0x7f15afffed50) at
> unix/process58.c:601
> #3 0x000000000040676e in probe_main (ctx=ctx@entry=0x7f15afffed50,
> arg=<optimized out>) at unix/process58.c:640
> #4 0x000000000040a120 in probe_worker (probe=0x7fff958bdd90,
> msg_in=<optimized out>, ret=0x7f15afffedd4) at worker.c:952
> #5 0x0000000000409c47 in probe_worker_runfn (arg=0x7f15b0000df0) at
> worker.c:56
> #6 0x00007f15bebd86ba in ?? ()
> #7 0x0000000000000000 in ?? ()
> >
> > The problem with this patch is that it changes the meaning of the return
> > value. The original code returned only SELinux type associated to a
> > process, e.g. init_t, while with this change it would be the whole
> > SELinux context, e.g. system_u:system_r:init_t:s0. See
> > https://github.com/OpenSCAP/openscap/commit/4f3d1718f
>
> Well. Under Ubuntu, the security context happens
> >
> > > The real problem is, I think, with an API change in libselinux.
> > > I don't know however how to fix that in a way that could be merged
> > > mainstream.
> >
> > I don't think there was an API change related to getpidcon(),
> > context_new() or context_type_get() in libselinux recently.
> > > > The problem seems to be in missing check of return values of these > > functions. > > > > I see. I had mistaken myself indeed. > > Well, continuing with gdb : > > (gdb) frame 1 > #1 0x000000000040616a in get_selinux_label (pid=1) at > unix/process58.c:251 > 251 selinux_label = strdup(context_type_get(context)); > (gdb) print context > $1 = (context_t) 0x0 > > Ah, context is NULL. > > The patch below fix the segfault. > > --- openscap-1.2.15/src/OVAL/probes/unix/process58.c 2017/09/07 17:19:46 > 1.1 > +++ openscap-1.2.15/src/OVAL/probes/unix/process58.c 2017/09/07 17:43:47 > @@ -248,6 +248,10 @@ > return NULL; > } > context = context_new(pid_context); > + if (context == NULL) { > + /* Another LSM is in use */ > + return NULL; > + } > selinux_label = strdup(context_type_get(context)); > context_free(context); > freecon(pid_context); > > Cheers, > > -- > Bruno Ducrot > > -- Which is worse: ignorance or apathy? > -- Don't know. Don't care. > > _______________________________________________ > Open-scap-list mailing list > [email protected] > https://www.redhat.com/mailman/listinfo/open-scap-list > _______________________________________________ Open-scap-list mailing list [email protected] https://www.redhat.com/mailman/listinfo/open-scap-list
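
Review bot: the new early return inside `if (context == NULL)` in the process58.c hunk skips `freecon(pid_context)`, which the normal path calls two lines later, so pid_context is leaked for every process where this branch is taken; call `freecon(pid_context);` before `return NULL;`. The unchanged line `selinux_label = strdup(context_type_get(context));` still passes an unchecked return value to strdup(), which is the same class of missing check that caused the crash at line 251, so context_type_get() should be tested for NULL as well. The comment `/* Another LSM is in use */` states one cause as fact; the visible code only shows that context_new() returned NULL, so a comment such as "context_new() failed, e.g. the label is not an SELinux context" would be more accurate.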
