libselinux 20160107 ships this change (git commit id 9df49888) Signed-off-by: Ioan-Adrian Ratiu <[email protected]> --- .../libselinux-mount-procfs-before-check.patch | 74 ++++++++++++++++++++++ recipes-security/selinux/libselinux_2.4.bb | 1 + recipes-security/selinux/libselinux_git.bb | 1 + 3 files changed, 76 insertions(+) create mode 100644 recipes-security/selinux/libselinux/libselinux-mount-procfs-before-check.patch
diff --git a/recipes-security/selinux/libselinux/libselinux-mount-procfs-before-check.patch b/recipes-security/selinux/libselinux/libselinux-mount-procfs-before-check.patch
new file mode 100644
index 0000000..dc27aaa
--- /dev/null
+++ b/recipes-security/selinux/libselinux/libselinux-mount-procfs-before-check.patch
@@ -0,0 +1,74 @@
+commit 9df498884665d79474b79f0f30d1cd67df11bd3e
+Author: Ben Shelton <[email protected]>
+Date: Wed Apr 15 15:56:57 2015 -0500
+
+ libselinux: Mount procfs before checking /proc/filesystems
+
+ In the case where the SELinux security module is not loaded in the
+ kernel and it's early enough in the boot process that /proc has not yet
+ been mounted, selinuxfs_exists() will incorrectly return 1, and
+ selinux_init_load_policy() will print a message like this to the
+ console:
+
+ Mount failed for selinuxfs on /sys/fs/selinux: No such file or directory
+
+ To fix this, mount the procfs before attempting to open
+ /proc/filesystems, and unmount it when done if it was initially not
+ mounted. This is the same thing that selinux_init_load_policy() does
+ when reading /proc/cmdline.
+
Signed-off-by: Ben Shelton <[email protected]>
+
+Upstream-Status: Accepted
+
+diff --git a/src/init.c b/src/init.c
+index 6d1ef33..179e0d0 100644
+--- a/src/init.c
++++ b/src/init.c
+@@ -11,6 +11,7 @@
+ #include <sys/vfs.h>
+ #include <stdint.h>
+ #include <limits.h>
++#include <sys/mount.h>
+
+ #include "dso.h"
+ #include "policy.h"
+@@ -54,15 +55,20 @@ static int verify_selinuxmnt(const char *mnt)
+
+ int selinuxfs_exists(void)
+ {
+- int exists = 0;
++ int exists = 0, mnt_rc = 0;
+ FILE *fp = NULL;
+ char *buf = NULL;
+ size_t len;
+ ssize_t num;
+
++ mnt_rc = mount("proc", "/proc", "proc", 0, 0);
++
+ fp = fopen("/proc/filesystems", "r");
+- if (!fp)
+- return 1; /* Fail as if it exists */
++ if (!fp) {
++ exists = 1; /* Fail as if it exists */
++ goto out;
++ }
++
+ __fsetlocking(fp, FSETLOCKING_BYCALLER);
+
+ num = getline(&buf, &len, fp);
+@@ -76,6 +82,14 @@ int selinuxfs_exists(void)
+
+ free(buf);
+ fclose(fp);
++
++out:
++#ifndef MNT_DETACH
++#define MNT_DETACH 2
++#endif
++ if (mnt_rc == 0)
++ umount2("/proc", MNT_DETACH);
++
+ return exists;
+ }
+ hidden_def(selinuxfs_exists)
diff --git a/recipes-security/selinux/libselinux_2.4.bb b/recipes-security/selinux/libselinux_2.4.bb
index e084df2..86ff44c 100644
--- a/recipes-security/selinux/libselinux_2.4.bb
+++ b/recipes-security/selinux/libselinux_2.4.bb
@@ -12,4 +12,5 @@ SRC_URI += "\
 file://libselinux-make-SOCK_CLOEXEC-optional.patch \
 file://libselinux-define-FD_CLOEXEC-as-necessary.patch \
 file://libselinux-get-pywrap-depends-on-selinux.py.patch \
+ file://libselinux-mount-procfs-before-check.patch \
 "
diff --git a/recipes-security/selinux/libselinux_git.bb b/recipes-security/selinux/libselinux_git.bb
index 4efab86..33d9e00 100644
--- a/recipes-security/selinux/libselinux_git.bb
+++ b/recipes-security/selinux/libselinux_git.bb
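Review bot: In the embedded src/init.c change, selinuxfs_exists() calls `mount("proc", "/proc", "proc", 0, 0)` with no mount flags and discards the result of `umount2("/proc", MNT_DETACH)`, so a privileged early-boot caller gets a /proc without the nosuid/nodev/noexec hardening that init systems normally apply, and no signal if the lazy detach fails and the mount stays behind. Consider `mnt_rc = mount("proc", "/proc", "proc", MS_NOSUID | MS_NODEV | MS_NOEXEC, NULL);` and a comment on the teardown such as `/* best effort: a failed detach leaves /proc mounted for the caller */`. `mnt_rc == 0` is the only evidence the code has that /proc was not mounted beforehand, which deserves a one-line comment at the `mount()` call. The `#ifndef MNT_DETACH` fallback sits inside the function after the `out:` label and would be easier to audit at file scope next to the new `#include <sys/mount.h>`. The middle of selinuxfs_exists() falls between the second and third inner hunks and is not visible here, and since the patch is marked Upstream-Status: Accepted these changes would belong upstream first.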
@@ -12,4 +12,5 @@ SRC_URI += "\
 file://libselinux-make-SOCK_CLOEXEC-optional.patch \
 file://libselinux-define-FD_CLOEXEC-as-necessary.patch \
 file://libselinux-get-pywrap-depends-on-selinux.py.patch \
+ file://libselinux-mount-procfs-before-check.patch \
 "
-- 2.7.0 -- _______________________________________________ yocto mailing list [email protected] https://lists.yoctoproject.org/listinfo/yocto
