Red Hat Bugzilla – Attachment 594237 Details for
Bug 835146
libselinux does not correctly support readonly mount point on RHEL6
[patch]
LibSELinux patch for readonly mountpoint support
libselinux-2.0.94_mntreadonly.patch (text/plain), 4.99 KB, created by
Giuseppe Ragusa
on 2012-06-25 16:48:56 UTC
Description:
LibSELinux patch for readonly mountpoint support
Filename:
MIME Type:
Creator:
Giuseppe Ragusa
Created:
2012-06-25 16:48:56 UTC
Size:
4.99 KB
patch
obsolete
>Index: libselinux/src/enabled.c
>===================================================================
>--- libselinux/src/enabled.c (revision 13cd4c8960688af11ad23b4c946149015c80d549)
>+++ libselinux/src/enabled.c (revision e3cab998b48ab293a9962faf9779d70ca339c65d)
>@@ -12,8 +12,4 @@
> int is_selinux_enabled(void)
> {
>- char *buf=NULL;
>- FILE *fp;
>- ssize_t num;
>- size_t len;
> int enabled = 0;
> security_context_t con;
>@@ -33,35 +29,6 @@
> freecon(con);
> }
>- return enabled;
> }
> 
>- /* Drop back to detecting it the long way. */
>- fp = fopen("/proc/filesystems", "r");
>- if (!fp)
>- return -1;
>-
>- __fsetlocking(fp, FSETLOCKING_BYCALLER);
>- while ((num = getline(&buf, &len, fp)) != -1) {
>- if (strstr(buf, "selinuxfs")) {
>- enabled = 1;
>- break;
>- }
>- }
>-
>- if (num < 0)
>- goto out;
>-
>- /* Since an selinux file system is available, we consider
>- * selinux enabled. If getcon_raw fails, selinux is still
>- * enabled. We only consider it disabled if no policy is loaded. */
>- if (getcon_raw(&con) == 0) {
>- if (!strcmp(con, "kernel"))
>- enabled = 0;
>- freecon(con);
>- }
>-
>- out:
>- free(buf);
>- fclose(fp);
> return enabled;
> }
>Index: libselinux/src/init.c
>===================================================================
>--- libselinux/src/init.c (revision 1629d2f89a8c5f758413b87b94740aaaa5f21144)
>+++ libselinux/src/init.c (revision e3cab998b48ab293a9962faf9779d70ca339c65d)
>@@ -8,4 +8,5 @@
> #include <stdio_ext.h>
> #include <dlfcn.h>
>+#include <sys/statvfs.h>
> #include <sys/vfs.h>
> #include <stdint.h>
>@@ -21,10 +22,39 @@
> int obj_class_compat = 1;
> 
>+/* Verify the mount point for selinux file system has a selinuxfs.
>+ If the file system:
>+ * Exist,
>+ * Is mounted with an selinux file system,
>+ * The file system is read/write
>+ then set this as the default file system.
>+*/
>+static int verify_selinuxmnt(char *mnt)
>+{
>+ struct statfs sfbuf;
>+ int rc;
>+
>+ do {
>+ rc = statfs(mnt, &sfbuf);
>+ } while (rc < 0 && errno == EINTR);
>+ if (rc == 0) {
>+ if ((uint32_t)sfbuf.f_type == (uint32_t)SELINUX_MAGIC) {
>+ struct statvfs vfsbuf;
>+ rc = statvfs(mnt, &vfsbuf);
>+ if (rc == 0) {
>+ if (!(vfsbuf.f_flag & ST_RDONLY)) {
>+ set_selinuxmnt(mnt);
>+ }
>+ return 0;
>+ }
>+ }
>+ }
>+
>+ return -1;
>+}
>+
> static void init_selinuxmnt(void)
> {
> char *buf=NULL, *p;
> FILE *fp=NULL;
>- struct statfs sfbuf;
>- int rc;
> size_t len;
> ssize_t num;
>@@ -34,15 +64,7 @@
> return;
> 
>- /* We check to see if the preferred mount point for selinux file
>- * system has a selinuxfs. */
>- do {
>- rc = statfs(SELINUXMNT, &sfbuf);
>- } while (rc < 0 && errno == EINTR);
>- if (rc == 0) {
>- if ((uint32_t)sfbuf.f_type == (uint32_t)SELINUX_MAGIC) {
>- selinux_mnt = strdup(SELINUXMNT);
>- return;
>- }
>- }
>+ if (verify_selinuxmnt(SELINUXMNT) == 0) return;
>+
>+ if (verify_selinuxmnt(NEWSELINUXMNT) == 0) return;
> 
> /* Drop back to detecting it the long way. */
>@@ -53,5 +75,5 @@
> __fsetlocking(fp, FSETLOCKING_BYCALLER);
> while ((num = getline(&buf, &len, fp)) != -1) {
>- if (strstr(buf, "selinuxfs")) {
>+ if (strstr(buf, SELINUXFS)) {
> exists = 1;
> break;
>@@ -80,5 +102,5 @@
> if (!tmp)
> goto out;
>- if (!strncmp(tmp + 1, "selinuxfs ", 10)) {
>+ if (!strncmp(tmp + 1, SELINUXFS" ", strlen(SELINUXFS)+1)) {
> *tmp = '\0';
> break;
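Review bot: `verify_selinuxmnt` returns 0 for a read-only selinuxfs without calling `set_selinuxmnt`, yet the header comment above it describes only the read/write case, so a reader will take that `return 0` on the `ST_RDONLY` path for a bug. If leaving `selinux_mnt` unset on a read-only mount is the intent (the early `return` in `init_selinuxmnt` then stops the search, and together with this patch's enabled.c change `is_selinux_enabled()` appears to report SELinux as disabled even though the kernel may still be enforcing), say so explicitly, e.g. `/* A read-only selinuxfs is deliberately not recorded: this environment must treat SELinux as disabled. */`. The comment also has wording slips (`Exist,` should be `Exists,`, `an selinux` should be `a selinux`). `mnt` is only read here, so the parameter should be `const char *mnt` if `set_selinuxmnt` accepts one.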
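Review bot: The two new probes in `init_selinuxmnt` put the `return` on the same line as the `if`, which departs from the braced, one-statement-per-line style of the surrounding code; write them as `if (verify_selinuxmnt(SELINUXMNT) == 0)` followed by `return;` on its own line. Because `verify_selinuxmnt` returns 0 for a read-only mount as well as a usable one, a read-only `/selinux` ends the search before `/sys/fs/selinux` is ever examined; if both locations can be mounted at once that precedence is worth a one-line comment, e.g. `/* First selinuxfs found wins, whether usable or read-only. */`. The body of `init_selinuxmnt` continues past this hunk.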
>@@ -88,5 +110,5 @@
> /* If we found something, dup it */
> if (num > 0)
>- selinux_mnt = strdup(p);
>+ verify_selinuxmnt(p);
> 
> out:
>Index: libselinux/src/load_policy.c
>===================================================================
>--- libselinux-2.0.94/src/load_policy.c 2012-03-03 19:27:58.000000000 +0100
>+++ libselinux-2.0.94/src/load_policy.c.new 2012-03-03 19:36:55.000000000 +0100
>@@ -369,7 +369,17 @@
> * Check for the existence of SELinux via selinuxfs, and
> * mount it if present for use in the calls below.
> */
>- if (mount("none", SELINUXMNT, "selinuxfs", 0, 0) < 0 && errno != EBUSY) {
>+ char *mntpoint = NULL;
>+ if (mount(SELINUXFS, SELINUXMNT, SELINUXFS, 0, 0) == 0 || errno == EBUSY) {
>+ mntpoint = SELINUXMNT;
>+ } else {
>+ /* check new mountpoint */
>+ if (mount(SELINUXFS, NEWSELINUXMNT, SELINUXFS, 0, 0) == 0 || errno == EBUSY) {
>+ mntpoint = NEWSELINUXMNT;
>+ }
>+ }
>+
>+ if (! mntpoint ) {
> if (errno == ENODEV) {
> /*
> * SELinux was disabled in the kernel, either
>Index: libselinux/src/policy.h
>===================================================================
>--- libselinux/src/policy.h (revision 13cd4c8960688af11ad23b4c946149015c80d549)
>+++ libselinux/src/policy.h (revision e3cab998b48ab293a9962faf9779d70ca339c65d)
>@@ -10,9 +10,13 @@
> #define INITCONTEXTLEN 255
> 
>+/* selinux file system type */
>+#define SELINUXFS "selinuxfs"
>+
> /* selinuxfs magic number */
> #define SELINUX_MAGIC 0xf97cff8c
> 
> /* Preferred selinux mount location */
>-#define SELINUXMNT "/selinux"
>+#define SELINUXMNT "/selinux"
>+#define NEWSELINUXMNT "/sys/fs/selinux"
> 
> /* selinuxfs mount point */
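Review bot: The context comment `/* If we found something, dup it */` no longer describes the line under it, which now calls `verify_selinuxmnt(p)` rather than `strdup(p)`; change it to `/* If we found something, record it only if it is a usable selinuxfs */`. The return value of `verify_selinuxmnt(p)` is discarded here, which is acceptable since there is nothing left to try, but a `(void)` cast would make that deliberate. The body of `init_selinuxmnt` begins before this hunk.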
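Review bot: The `if (errno == ENODEV)` test below `if (! mntpoint )` now sees the errno of the second `mount()` call, not the first, so if `/sys/fs/selinux` does not exist on the running kernel the second attempt fails with ENOENT and overwrites the ENODEV that the first attempt reported, and the "SELinux was disabled in the kernel" branch is skipped. Preserve the first result: `int mnt_errno = errno;` at the top of the `else` block, `if (errno == ENODEV) mnt_errno = ENODEV;` after the second failed mount, and `errno = mnt_errno;` before the `if (! mntpoint )` check. `mntpoint` is assigned in this hunk but nothing visible here reads it; if the calls that follow still name `SELINUXMNT` directly, the `/sys/fs/selinux` mount is never actually used and should be. The enclosing function continues outside the hunk.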
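Review bot: `NEWSELINUXMNT` is placed directly under the comment `/* Preferred selinux mount location */`, so the comment now appears to cover both macros even though `init_selinuxmnt` in this patch probes `SELINUXMNT` first and `NEWSELINUXMNT` only afterwards. Give the new macro its own line of documentation, e.g. `/* Mount location used by newer kernels; probed after SELINUXMNT */`.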