[PATCH] selinux support on mkswap applet

Bernhard Fischer rep.dot.nop at gmail.com
Thu Apr 24 10:51:54 UTC 2008


On Thu, Oct 18, 2007 at 07:41:09PM +0900, KaiGai Kohei wrote:
>Hi,
>
>The attached patch makes it possible to relabel the security context of
>regular files to "swapfile_t" when mkswap attempts to initialize
>a regular file as swap.
>
>The reason for this extension is that a swapfile can store memory
>regions of any process, and there is a possibility of leaking
>unintended information via swap when a regular file is used.
>Therefore, we have to relabel the swapfile to separate it from any other
>regular file.
>
>Thanks,
>
>P.S. Don't forget my former patch for passwd/chpasswd applets. :-)
>-- 
>OSS Platform Development Division, NEC
>KaiGai Kohei <kaigai at ak.jp.nec.com>

>Index: busybox/util-linux/mkswap.c
>===================================================================
>--- busybox/util-linux/mkswap.c	(revision 20280)
>+++ busybox/util-linux/mkswap.c	(working copy)
>@@ -8,6 +8,48 @@
> 
> #include "libbb.h"
> 
>+#if ENABLE_SELINUX
>+#define SELINUX_SWAPFILE_TYPE	"swapfile_t"
>+
>+static void mkswap_selinux_setcontext(int fd, const char *path)
>+{
>+	struct stat stbuf;
>+
>+	if (!is_selinux_enabled())
>+		return;
>+
>+	if (fstat(fd, &stbuf) < 0)
>+		bb_perror_msg_and_die("fstat failed");
>+	if (S_ISREG(stbuf.st_mode)) {
>+		security_context_t newcon, oldcon = NULL;
>+		context_t context;
>+
>+		if (fgetfilecon_raw(fd, &oldcon) < 0) {
>+			if (errno != ENODATA)
>+				goto error;
>+			if (matchpathcon(path, stbuf.st_mode, &oldcon) < 0)
>+				goto error;
>+		}
>+		context = context_new(oldcon);
>+		if (!context || context_type_set(context, SELINUX_SWAPFILE_TYPE))
>+			goto error;
>+		newcon = context_str(context);
>+		if (!newcon)
>+			goto error;
>+		if (strcmp(oldcon, newcon) != 0 && fsetfilecon_raw(fd, newcon) < 0)
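Review bot: the relabel at the last visible line is done through `fsetfilecon_raw`, which (as the reply below observes) resolves in the static libselinux but not in the shared one, so the build fails when linking dynamically; the public `fsetfilecon()` wrapper is the portable choice, and since `oldcon` was read with `fgetfilecon_raw` and the new type is set via `context_type_set`, the non-raw call changes nothing about the resulting label. Two further points in this hunk: `oldcon` is allocated by either `fgetfilecon_raw` or `matchpathcon` and `context` by `context_new`, so whatever the `error:` label (outside the quoted region) does, both the success path and every `goto error` need `freecon(oldcon)` and `context_free(context)` to avoid leaking them; and `goto error` before `context` is assigned means the cleanup must tolerate a NULL `context`. The ENODATA fallback to `matchpathcon()` is sensible for an unlabeled file, but a failure there or in `fsetfilecon` should be reported with the path so the user can tell the swap area was initialized but not relabeled.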

That didn't work out for me;
$ egrep "(hidden|fsetfilecon)" libselinux-2.0.59/src/fsetfilecon.c
int fsetfilecon_raw(int fd, security_context_t context)
hidden_def(fsetfilecon_raw)
int fsetfilecon(int fd, security_context_t context)
	ret = fsetfilecon_raw(fd, rcontext);
$ 

Strangely enough I see it in the static library but not in the dynamic.
I've changed this to:
http://www.busybox.net/cgi-bin/viewcvs.cgi/trunk/busybox/util-linux/mkswap.c?rev=21829&r1=21005&r2=21829&makepatch=1&diff_format=u
