[PATCH] selinux support on mkswap applet
Bernhard Fischer
rep.dot.nop at gmail.com
Thu Apr 24 10:51:54 UTC 2008
On Thu, Oct 18, 2007 at 07:41:09PM +0900, KaiGai Kohei wrote:
>Hi,
>
>The attached patch enables relabeling the security context of
>regular files to "swapfile_t" when mkswap attempts to initialize
>a regular file as swap.
>
>The reason for this extension is that a swapfile can store memory
>regions of any process, and there is a possibility of leaking
>unintended information via swap on a regular file.
>Therefore, we have to relabel the swapfile to separate it from any
>other regular file.
>
>Thanks,
>
>P.S. Don't forget my former patch for passwd/chpasswd applets. :-)
>--
>OSS Platform Development Division, NEC
>KaiGai Kohei <kaigai at ak.jp.nec.com>
>Index: busybox/util-linux/mkswap.c
>===================================================================
>--- busybox/util-linux/mkswap.c (revision 20280)
>+++ busybox/util-linux/mkswap.c (working copy)
>@@ -8,6 +8,48 @@
>
> #include "libbb.h"
>
>+#if ENABLE_SELINUX
>+#define SELINUX_SWAPFILE_TYPE "swapfile_t"
>+
>+static void mkswap_selinux_setcontext(int fd, const char *path)
>+{
>+ struct stat stbuf;
>+
>+ if (!is_selinux_enabled())
>+ return;
>+
>+ if (fstat(fd, &stbuf) < 0)
>+ bb_perror_msg_and_die("fstat failed");
>+ if (S_ISREG(stbuf.st_mode)) {
>+ security_context_t newcon, oldcon = NULL;
>+ context_t context;
>+
>+ if (fgetfilecon_raw(fd, &oldcon) < 0) {
>+ if (errno != ENODATA)
>+ goto error;
>+ if (matchpathcon(path, stbuf.st_mode, &oldcon) < 0)
>+ goto error;
>+ }
>+ context = context_new(oldcon);
>+ if (!context || context_type_set(context, SELINUX_SWAPFILE_TYPE))
>+ goto error;
>+ newcon = context_str(context);
>+ if (!newcon)
>+ goto error;
>+ if (strcmp(oldcon, newcon) != 0 && fsetfilecon_raw(fd, newcon) < 0)
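Review bot: the `error:` label is outside the quoted part of the hunk, but by the last quoted line the function holds two allocations it must release on both the error and the success path: `oldcon` (filled by `fgetfilecon_raw`, or by `matchpathcon` on ENODATA) via `freecon()`, and `context` (from `context_new`) via `context_free()`. `newcon` from `context_str()` points into `context`, so it must not be freed separately and `context` has to stay alive until `fsetfilecon_raw()` has returned. Separately, the `_raw` entry points used at `fgetfilecon_raw(fd, &oldcon)` and `fsetfilecon_raw(fd, newcon)` are `hidden_def` in libselinux 2.0.59 and, as the reply below observes, are absent from the shared library; the exported `fgetfilecon`/`fsetfilecon` are the portable choice.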
That didn't work out for me:
$ egrep "(hidden|fsetfilecon)" libselinux-2.0.59/src/fsetfilecon.c
int fsetfilecon_raw(int fd, security_context_t context)
hidden_def(fsetfilecon_raw)
int fsetfilecon(int fd, security_context_t context)
ret = fsetfilecon_raw(fd, rcontext);
$
Strangely enough, I see it in the static library but not in the dynamic one.
I've changed this to:
http://www.busybox.net/cgi-bin/viewcvs.cgi/trunk/busybox/util-linux/mkswap.c?rev=21829&r1=21005&r2=21829&makepatch=1&diff_format=u