selinux-patch for 1.01 - checked warnings
Jan-Simon Möller
dl9pf at gmx.de
Tue Sep 13 13:44:37 UTC 2005
Hi folks!
I checked the warnings found when the (missing) selinux-patch from svn is
applied.
Here my patch for review ...
diff -Nru -x .svn busybox-1.01/coreutils/id.c
busybox-1.01_selinux/coreutils/id.c
--- busybox-1.01/coreutils/id.c 2005-08-17 03:29:14.000000000 +0200
+++ busybox-1.01_selinux/coreutils/id.c 2005-09-05 17:48:48.000000000 +0200
@@ -32,8 +32,7 @@
#include <sys/types.h>
#ifdef CONFIG_SELINUX
-#include <proc_secure.h>
-#include <flask_util.h>
+#include <selinux/selinux.h>
#endif
#define PRINT_REAL 1
@@ -61,9 +60,7 @@
gid_t gid;
unsigned long flags;
short status;
-#ifdef CONFIG_SELINUX
- int is_flask_enabled_flag = is_flask_enabled();
-#endif
+
bb_opt_complementaly = "u~g:g~u";
flags = bb_getopt_ulflags(argc, argv, "rnug");
@@ -110,13 +107,20 @@
/* my_getgrgid doesn't exit on failure here */
status|=printf_full(gid, my_getgrgid(NULL, gid, 0), 'g');
#ifdef CONFIG_SELINUX
- if(is_flask_enabled_flag) {
- security_id_t mysid = getsecsid();
- char context[80];
- int len = sizeof(context);
- context[0] = '\0';
- if(security_sid_to_context(mysid, context, &len))
- strcpy(context, "unknown");
+ if ( is_selinux_enabled() ) {
+ security_context_t mysid;
+ char context[80];
+ int len = sizeof(context);
+
+ getcon(&mysid);
+ context[0] = '\0';
+ if (mysid) {
+ len = strlen(mysid)+1;
+ safe_strncpy(context, mysid, len);
+ freecon(mysid);
+ }else{
+ safe_strncpy(context, "unknown",8);
+ }
bb_printf(" context=%s", context);
}
#endif
diff -Nru -x .svn busybox-1.01/coreutils/ls.c
busybox-1.01_selinux/coreutils/ls.c
--- busybox-1.01/coreutils/ls.c 2005-08-17 03:29:14.000000000 +0200
+++ busybox-1.01_selinux/coreutils/ls.c 2005-09-05 17:48:48.000000000 +0200
@@ -64,9 +64,7 @@
#include <sys/sysmacros.h> /* major() and minor() */
#include "busybox.h"
#ifdef CONFIG_SELINUX
-#include <fs_secure.h>
-#include <flask_util.h>
-#include <ss.h>
+#include <selinux/selinux.h>
#endif
#ifdef CONFIG_FEATURE_LS_TIMESTAMPS
@@ -182,7 +180,7 @@
char *fullname; /* the dir entry name */
struct stat dstat; /* the file stat info */
#ifdef CONFIG_SELINUX
- security_id_t sid;
+ security_context_t sid;
#endif
struct dnode *next; /* point at the next node */
};
@@ -194,9 +192,10 @@
static unsigned int all_fmt;
-#ifdef CONFIG_SELINUX
-static int is_flask_enabled_flag;
-#endif
+//#ifdef CONFIG_SELINUX
+//static int selinux_enabled=0;
+//#endif
+//jsm
#ifdef CONFIG_FEATURE_AUTOWIDTH
static int terminal_width = TERMINAL_WIDTH;
@@ -213,18 +212,19 @@
struct stat dstat;
struct dnode *cur;
#ifdef CONFIG_SELINUX
- security_id_t sid;
+ security_context_t sid=NULL;
#endif
int rc;
#ifdef CONFIG_FEATURE_LS_FOLLOWLINKS
if (all_fmt & FOLLOW_LINKS) {
#ifdef CONFIG_SELINUX
- if(is_flask_enabled_flag)
- rc = stat_secure(fullname, &dstat, &sid);
- else
+ if (is_selinux_enabled()) {
+ rc=0; /* Set the number which means success before hand.
*/
+ rc = getfilecon(fullname,&sid);
+ }
#endif
- rc = stat(fullname, &dstat);
+ rc = stat(fullname, &dstat);
if(rc)
{
bb_perror_msg("%s", fullname);
@@ -235,9 +235,12 @@
#endif
{
#ifdef CONFIG_SELINUX
- if(is_flask_enabled_flag)
- rc = lstat_secure(fullname, &dstat, &sid);
- else
+ if (is_selinux_enabled()) {
+ rc=0; /* Set the number which means success before hand.
*/
+ rc = lgetfilecon(fullname,&sid);
+ }
+
+
#endif
rc = lstat(fullname, &dstat);
if(rc)
@@ -736,12 +739,16 @@
#ifdef CONFIG_SELINUX
case LIST_CONTEXT:
{
- char context[64];
- int len = sizeof(context);
- if(security_sid_to_context(dn->sid, context,
&len))
- {
- strcpy(context, "unknown");
- len = 7;
+ char context[80];
+ int len = 0;
+
+ if (dn->sid) {
+ /* I assume sid initilized with NULL */
+ len = (strlen(dn->sid)+1);
+ safe_strncpy(context, dn->sid, len);
+ freecon(dn->sid);
+ }else {
+ safe_strncpy(context, "unknown",8);
}
printf("%-32s ", context);
column += MAX(33, len);
@@ -963,9 +970,6 @@
char *terminal_width_str = NULL;
#endif
-#ifdef CONFIG_SELINUX
- is_flask_enabled_flag = is_flask_enabled();
-#endif
all_fmt = LIST_SHORT | DISP_NORMAL | STYLE_AUTO
#ifdef CONFIG_FEATURE_LS_TIMESTAMPS
diff -Nru -x .svn busybox-1.01/include/libbb.h
busybox-1.01_selinux/include/libbb.h
--- busybox-1.01/include/libbb.h 2005-08-17 03:29:15.000000000 +0200
+++ busybox-1.01_selinux/include/libbb.h 2005-09-05 17:48:48.000000000
+0200
@@ -44,7 +44,7 @@
#include "config.h"
#ifdef CONFIG_SELINUX
-#include <proc_secure.h>
+#include <selinux/selinux.h>
#endif
#include "pwd_.h"
@@ -424,11 +424,12 @@
#define FAIL_DELAY 3
extern void change_identity ( const struct passwd *pw );
extern const char *change_identity_e2str ( const struct passwd *pw );
-extern void run_shell ( const char *shell, int loginshell, const char
*command, const char **additional_args
+extern void run_shell ( const char *shell, int loginshell, const char
*command, const char **additional_args);
#ifdef CONFIG_SELINUX
- , security_id_t sid
+extern void renew_current_security_context(void);
+extern void set_current_security_context(security_context_t sid);
#endif
-);
+
extern int run_parts(char **args, const unsigned char test_mode, char **env);
extern int restricted_shell ( const char *shell );
extern void setup_environment ( const char *shell, int loginshell, int
changeenv, const struct passwd *pw );
@@ -459,11 +460,7 @@
char short_cmd[16];
} procps_status_t;
-extern procps_status_t * procps_scan(int save_user_arg0
-#ifdef CONFIG_SELINUX
- , int use_selinux, security_id_t *sid
-#endif
-);
+extern procps_status_t * procps_scan(int save_user_arg0);
extern unsigned short compare_string_array(const char *string_array[], const
char *key);
extern int my_query_module(const char *name, int which, void **buf, size_t
*bufsize, size_t *ret);
diff -Nru -x .svn busybox-1.01/.indent.pro busybox-1.01_selinux/.indent.pro
--- busybox-1.01/.indent.pro 2005-08-17 03:29:17.000000000 +0200
+++ busybox-1.01_selinux/.indent.pro 1970-01-01 01:00:00.000000000 +0100
@@ -1,33 +0,0 @@
---blank-lines-after-declarations
---blank-lines-after-procedures
---break-before-boolean-operator
---no-blank-lines-after-commas
---braces-on-if-line
---braces-on-struct-decl-line
---comment-indentation25
---declaration-comment-column25
---no-comment-delimiters-on-blank-lines
---cuddle-else
---continuation-indentation4
---case-indentation0
---else-endif-column33
---space-after-cast
---line-comments-indentation0
---declaration-indentation1
---dont-format-first-column-comments
---dont-format-comments
---honour-newlines
---indent-level4
-/* changed from 0 to 4 */
---parameter-indentation4
---line-length78 /* changed from 75 */
---continue-at-parentheses
---no-space-after-function-call-names
---dont-break-procedure-type
---dont-star-comments
---leave-optional-blank-lines
---dont-space-special-semicolon
---tab-size4
-/* additions by Mark */
---case-brace-indentation0
---leave-preprocessor-space
diff -Nru -x .svn busybox-1.01/libbb/find_pid_by_name.c
busybox-1.01_selinux/libbb/find_pid_by_name.c
--- busybox-1.01/libbb/find_pid_by_name.c 2005-08-17 03:29:14.000000000
+0200
+++ busybox-1.01_selinux/libbb/find_pid_by_name.c 2005-09-05
17:48:48.000000000 +0200
@@ -45,11 +45,8 @@
procps_status_t * p;
pidList = xmalloc(sizeof(long));
-#ifdef CONFIG_SELINUX
- while ((p = procps_scan(0, 0, NULL)) != 0) {
-#else
- while ((p = procps_scan(0)) != 0) {
-#endif
+ while ((p = procps_scan(0)) != 0)
+ {
if (strncmp(p->short_cmd, pidName, COMM_LEN-1) == 0) {
pidList=xrealloc( pidList, sizeof(long) * (i+2));
pidList[i++]=p->pid;
diff -Nru -x .svn busybox-1.01/libbb/procps.c
busybox-1.01_selinux/libbb/procps.c
--- busybox-1.01/libbb/procps.c 2005-08-17 03:29:14.000000000 +0200
+++ busybox-1.01_selinux/libbb/procps.c 2005-09-05 17:48:48.000000000 +0200
@@ -16,11 +16,7 @@
#include "libbb.h"
-extern procps_status_t * procps_scan(int save_user_arg0
-#ifdef CONFIG_SELINUX
- , int use_selinux , security_id_t *sid
-#endif
- )
+extern procps_status_t * procps_scan(int save_user_arg0)
{
static DIR *dir;
struct dirent *entry;
@@ -62,14 +58,7 @@
sprintf(status, "/proc/%d/stat", pid);
if((fp = fopen(status, "r")) == NULL)
continue;
-#ifdef CONFIG_SELINUX
- if(use_selinux)
- {
- if(fstat_secure(fileno(fp), &sb, sid))
- continue;
- }
- else
-#endif
+
name = fgets(buf, sizeof(buf), fp);
fclose(fp);
if(name == NULL)
diff -Nru -x .svn busybox-1.01/libbb/run_shell.c
busybox-1.01_selinux/libbb/run_shell.c
--- busybox-1.01/libbb/run_shell.c 2005-08-17 03:29:14.000000000 +0200
+++ busybox-1.01_selinux/libbb/run_shell.c 2005-09-05 17:48:48.000000000
+0200
@@ -37,19 +37,42 @@
#include <ctype.h>
#include "libbb.h"
#ifdef CONFIG_SELINUX
-#include <proc_secure.h>
+#include <selinux/selinux.h>
#endif
+#ifdef CONFIG_SELINUX
+static security_context_t current_sid=NULL;
+
+void
+renew_current_security_context(void)
+{
+ if (current_sid)
+ freecon(current_sid); /* Release old context */
+
+ getcon(¤t_sid); /* update */
+
+ return;
+}
+void
+set_current_security_context(security_context_t sid)
+{
+ if (current_sid)
+ freecon(current_sid); /* Release old context */
+
+ current_sid=sid;
+
+ return;
+}
+
+#endif
+
+
/* Run SHELL, or DEFAULT_SHELL if SHELL is empty.
If COMMAND is nonzero, pass it to the shell with the -c option.
If ADDITIONAL_ARGS is nonzero, pass it to the shell as more
arguments. */
-void run_shell ( const char *shell, int loginshell, const char *command,
const char **additional_args
-#ifdef CONFIG_SELINUX
- , security_id_t sid
-#endif
-)
+void run_shell ( const char *shell, int loginshell, const char *command,
const char **additional_args )
{
const char **args;
int argno = 1;
@@ -78,9 +101,10 @@
}
args [argno] = 0;
#ifdef CONFIG_SELINUX
- if(sid)
- execve_secure(shell, (char **) args, environ, sid);
- else
+ if ( (current_sid) && (!setexeccon(current_sid)) ) {
+ freecon(current_sid);
+ execve(shell, (char **) args, environ);
+ } else
#endif
execv ( shell, (char **) args );
bb_perror_msg_and_die ( "cannot run %s", shell );
diff -Nru -x .svn busybox-1.01/loginutils/login.c
busybox-1.01_selinux/loginutils/login.c
--- busybox-1.01/loginutils/login.c 2005-08-17 03:29:15.000000000 +0200
+++ busybox-1.01_selinux/loginutils/login.c 2005-09-05 17:48:49.000000000
+0200
@@ -17,10 +17,10 @@
#include "busybox.h"
#ifdef CONFIG_SELINUX
-#include <flask_util.h>
-#include <get_sid_list.h>
-#include <proc_secure.h>
-#include <fs_secure.h>
+#include <selinux/selinux.h> /* for is_selinux_enabled() */
+#include <selinux/get_context_list.h> /* for get_default_context() */
+#include <selinux/flask.h> /* for security class definitions */
+#include <errno.h>
#endif
#ifdef CONFIG_FEATURE_UTMP
@@ -79,8 +79,7 @@
char *opt_host = 0;
int alarmstarted = 0;
#ifdef CONFIG_SELINUX
- int flask_enabled = is_flask_enabled();
- security_id_t sid = 0, old_tty_sid, new_tty_sid;
+ security_context_t stat_sid = NULL, sid = NULL, old_tty_sid = NULL,
new_tty_sid = NULL;
#endif
username[0]=0;
@@ -225,41 +224,48 @@
#ifdef CONFIG_FEATURE_UTMP
setutmp ( username, tty );
#endif
+
+ if ( *tty != '/' )
+ snprintf ( full_tty, sizeof( full_tty ) - 1, "/dev/%s", tty);
+ else
+ safe_strncpy ( full_tty, tty, sizeof( full_tty ) - 1 );
+
+
#ifdef CONFIG_SELINUX
- if (flask_enabled)
+ if (is_selinux_enabled())
{
struct stat st;
+ int rc;
- if (get_default_sid(username, 0, &sid))
+ if (get_default_context(username, NULL, &sid))
{
fprintf(stderr, "Unable to get SID for %s\n",
username);
exit(1);
}
- if (stat_secure(tty, &st, &old_tty_sid))
+ rc = getfilecon(full_tty,&stat_sid);
+ freecon(stat_sid);
+ if ((rc<0) || (stat(full_tty, &st)<0))
{
- fprintf(stderr, "stat_secure(%.100s) failed:
%.100s\n", tty, strerror(errno));
+ fprintf(stderr, "stat_secure(%.100s) failed:
%.100s\n", full_tty, strerror(errno));
return EXIT_FAILURE;
}
- if (security_change_sid (sid, old_tty_sid, SECCLASS_CHR_FILE,
&new_tty_sid) != 0)
+ if (security_compute_relabel (sid, old_tty_sid,
SECCLASS_CHR_FILE, &new_tty_sid) != 0)
{
- fprintf(stderr, "security_change_sid(%.100s) failed:
%.100s\n", tty, strerror(errno));
- return EXIT_FAILURE;
- }
- if(chsid(tty, new_tty_sid) != 0)
- {
- fprintf(stderr, "chsid(%.100s, %d) failed: %.100s\n",
tty, new_tty_sid, strerror(errno));
+ fprintf(stderr, "security_change_sid(%.100s) failed:
%.100s\n", full_tty, strerror(errno));
return EXIT_FAILURE;
}
+ if(setfilecon(full_tty, new_tty_sid) != 0)
+ {
+// ausgabeformat für new_tty_sid !
+// fprintf(stderr, "chsid(%.100s, %d) failed: %.100s\n",
full_tty, new_tty_sid, strerror(errno));
+ fprintf(stderr, "chsid(%.100s, %s) failed: %.100s\n",
full_tty, new_tty_sid, strerror(errno));
+ return EXIT_FAILURE;
+ }
+ freecon(sid);
+ freecon(old_tty_sid);
+ freecon(new_tty_sid);
}
- else
- sid = 0;
#endif
-
- if ( *tty != '/' )
- snprintf ( full_tty, sizeof( full_tty ) - 1, "/dev/%s", tty);
- else
- safe_strncpy ( full_tty, tty, sizeof( full_tty ) - 1 );
-
if ( !is_my_tty ( full_tty ))
syslog ( LOG_ERR, "unable to determine TTY name, got %s\n",
full_tty );
@@ -279,11 +285,11 @@
if ( pw-> pw_uid == 0 )
syslog ( LOG_INFO, "root login %s\n", fromhost );
- run_shell ( tmp, 1, 0, 0
+
#ifdef CONFIG_SELINUX
- , sid
+ set_current_security_context(sid);
#endif
- ); /* exec the shell finally. */
+ run_shell ( tmp, 1, 0, 0); /* exec the shell finally. */
return EXIT_FAILURE;
}
diff -Nru -x .svn busybox-1.01/loginutils/su.c
busybox-1.01_selinux/loginutils/su.c
--- busybox-1.01/loginutils/su.c 2005-08-17 03:29:15.000000000 +0200
+++ busybox-1.01_selinux/loginutils/su.c 2005-09-05 17:48:49.000000000
+0200
@@ -147,11 +147,11 @@
change_identity ( pw );
setup_environment ( opt_shell, opt_loginshell, !opt_preserve, pw );
- run_shell ( opt_shell, opt_loginshell, opt_command, (const
char**)opt_args
+
#ifdef CONFIG_SELINUX
- , 0
+ set_current_security_context(NULL);
#endif
- );
+ run_shell ( opt_shell, opt_loginshell, opt_command, (const
char**)opt_args);
return EXIT_FAILURE;
}
diff -Nru -x .svn busybox-1.01/loginutils/sulogin.c
busybox-1.01_selinux/loginutils/sulogin.c
--- busybox-1.01/loginutils/sulogin.c 2005-08-17 03:29:15.000000000 +0200
+++ busybox-1.01_selinux/loginutils/sulogin.c 2005-09-05 17:48:49.000000000
+0200
@@ -153,6 +153,12 @@
puts("Entering System Maintenance Mode\n");
fflush(stdout);
syslog(LOG_INFO, "System Maintenance Mode\n");
+
+#ifdef CONFIG_SELINUX
+ renew_current_security_context();
+#endif
+
run_shell(pwent.pw_shell, 1, 0, 0);
+
return (0);
}
diff -Nru -x .svn busybox-1.01/Makefile busybox-1.01_selinux/Makefile
--- busybox-1.01/Makefile 2005-08-17 03:29:17.000000000 +0200
+++ busybox-1.01_selinux/Makefile 2005-09-05 17:48:51.000000000 +0200
@@ -47,8 +47,7 @@
SRC_DIRS:=$(patsubst %,$(top_srcdir)/%,$(DIRS))
ifeq ($(strip $(CONFIG_SELINUX)),y)
-CFLAGS += -I/usr/include/selinux
-LIBRARIES += -lsecure
+LIBRARIES += -lselinux
endif
CONFIG_CONFIG_IN = $(top_srcdir)/sysdeps/$(TARGET_OS)/Config.in
diff -Nru -x .svn busybox-1.01/procps/ps.c busybox-1.01_selinux/procps/ps.c
--- busybox-1.01/procps/ps.c 2005-08-17 03:29:16.000000000 +0200
+++ busybox-1.01_selinux/procps/ps.c 2005-09-05 17:48:51.000000000 +0200
@@ -31,9 +31,7 @@
#include <sys/ioctl.h>
#include "busybox.h"
#ifdef CONFIG_SELINUX
-#include <fs_secure.h>
-#include <ss.h>
-#include <flask_util.h> /* for is_flask_enabled() */
+#include <selinux/selinux.h> /* for is_flask_enabled() */
#endif
static const int TERMINAL_WIDTH = 79; /* not 80 in case terminal has
linefold bug */
@@ -48,8 +46,8 @@
#ifdef CONFIG_SELINUX
int use_selinux = 0;
- security_id_t sid;
- if(is_flask_enabled() && argv[1] && !strcmp(argv[1], "-c") )
+ security_context_t sid=NULL;
+ if(is_selinux_enabled() && argv[1] && !strcmp(argv[1], "-c") )
use_selinux = 1;
#endif
@@ -58,34 +56,42 @@
terminal_width--;
#ifdef CONFIG_SELINUX
- if(use_selinux)
+ if (use_selinux)
printf(" PID Context Stat
Command\n");
else
#endif
- printf(" PID Uid VmSize Stat Command\n");
-#ifdef CONFIG_SELINUX
- while ((p = procps_scan(1, use_selinux, &sid)) != 0) {
-#else
- while ((p = procps_scan(1)) != 0) {
-#endif
+ printf(" PID Uid VmSize Stat Command\n");
+
+ while ((p = procps_scan(1)) != 0) {
char *namecmd = p->cmd;
#ifdef CONFIG_SELINUX
- if(use_selinux)
+ if (use_selinux)
{
char sbuf[128];
len = sizeof(sbuf);
- if(security_sid_to_context(sid,
(security_context_t)&sbuf, &len))
- strcpy(sbuf, "unknown");
-
+ if (is_selinux_enabled()) {
+ if (getpidcon(p->pid,&sid)<0)
+ sid=NULL;
+ }
+
+ if (sid) {
+ /* I assume sid initilized with NULL */
+ len = strlen(sid)+1;
+ safe_strncpy(sbuf, sid, len);
+ freecon(sid);
+ sid=NULL;
+ }else {
+ safe_strncpy(sbuf, "unknown",7);
+ }
len = printf("%5d %-32s %s ", p->pid, sbuf, p->state);
}
else
#endif
- if(p->rss == 0)
- len = printf("%5d %-8s %s ", p->pid, p->user,
p->state);
- else
- len = printf("%5d %-8s %6ld %s ", p->pid, p->user,
p->rss, p->state);
+ if(p->rss == 0)
+ len = printf("%5d %-8s %s ", p->pid, p->user,
p->state);
+ else
+ len = printf("%5d %-8s %6ld %s ", p->pid, p->user, p->rss,
p->state);
i = terminal_width-len;
if(namecmd != 0 && namecmd[0] != 0) {
diff -Nru -x .svn busybox-1.01/procps/top.c busybox-1.01_selinux/procps/top.c
--- busybox-1.01/procps/top.c 2005-08-17 03:29:16.000000000 +0200
+++ busybox-1.01_selinux/procps/top.c 2005-09-05 17:48:51.000000000 +0200
@@ -513,11 +513,7 @@
/* read process IDs & status for all the processes */
procps_status_t * p;
-#ifdef CONFIG_SELINUX
- while ((p = procps_scan(0, 0, NULL) ) != 0) {
-#else
while ((p = procps_scan(0)) != 0) {
-#endif
int n = ntop;
top = xrealloc(top, (++ntop)*sizeof(procps_status_t));
Bye
JSM
-------------- next part --------------
A non-text attachment was scrubbed...
Name: busybox_1.01_selinux.patch.bz2
Type: application/x-bzip2
Size: 4613 bytes
Desc: not available
Url : http://lists.busybox.net/pipermail/busybox/attachments/20050913/9ef88654/attachment.bin
More information about the busybox
mailing list