SE Linux patch(Re: [BusyBox] SE Linux)

Rob Landley rob at landley.net
Mon May 2 19:17:01 UTC 2005 

On Friday 04 February 2005 05:13 pm, Takeharu KATO wrote:
> Hi John:
>
> Sorry,I found a bug the patch I send before.
> The patch break compilation of top command of busybox in the case of
> selinux support off.
>
> Please use the patch attached with this mail.

Okay, since this came up again...  I dont' use selinux, but I do commit things 
to the busybox repository (until Erik screams about it, anyway), so lemme 
read the patch...

> >  #ifdef CONFIG_SELINUX
> > -	if(is_flask_enabled_flag) {

In theory when the whole #ifdef is surrounded by an #if statement like that, 
the #ifdef #endif could be replaced with a #define hidden in a header 
somewhere that allows the compiler's dead code elimination to handle things.  
Just a comment...

> >  #ifdef CONFIG_SELINUX
> > -	while ((p = procps_scan(0, 0, NULL)) != 0) {
> > +	security_context_t sid=NULL;
> > +	while ((p = procps_scan(0, 0,&sid)) != 0) {
> >  #else
> >  	while ((p = procps_scan(0)) != 0) {
> >  #endif

Changing curly bracket nesting levels in a #ifdef is a bit disturbing.  (Aside 
from confusing some syntax aware editors...)

> >  #ifdef CONFIG_SELINUX
> >  		if(use_selinux)
> >  		{
> > -			if(fstat_secure(fileno(fp), &sb, sid))
> > -				continue;
> > +			if (is_selinux_enabled()) {
> > +					if (getpidcon(pid,sid)<0)
> > +							continue;
> > +			}
> >  		}
> > -		else
> >  #endif

Again the if() wrapped #ifdef...

> >  	syslog(LOG_INFO, "System Maintenance Mode\n");
> > -	run_shell(pwent.pw_shell, 1, 0, 0);
> > +#ifdef CONFIG_SELINUX
> > +	getcon(&sid);
> > +#endif
> > +	run_shell(pwent.pw_shell, 1, 0, 0
> > +#ifdef CONFIG_SELINUX
> > +	, sid
> > +#endif
> > +		  );
> >  	return (0);
> >  }

This part makes my eyeballs hurt.  You're changing the number of arguments of 
run_shell depending on a config option.  Is there some way to make sid a 
global, or have it re-query it or something?

Oh the whole, I suppose it doesn't look worse than what's already there.  It's 
fairly intrusive #ifdeffery and looks like the whole thing could use a 
cleanup pass, but that's not new in this patch...

If there's consensus that this is ok, I can apply it...

Rob

More information about the busybox mailing list