[PATCH] tar: add selinux context support on create

Tanguy Pruvot tanguy.pruvot at gmail.com
Sun May 18 16:14:49 UTC 2014


From: Tanguy Pruvot <tanguy.pruvot at gmail.com>
Date: Sat, 17 May 2014 17:27:40 +0200
Subject: [PATCH] tar: add selinux context support on create

No flag is required for the moment; the contexts are added
to the tar if selinux is enabled on the machine.

patchset 5: prefer lgetfilecon to get selinux context

Signed-off-by: Tanguy Pruvot <tanguy.pruvot at gmail.com>

Change-Id: Ic7a39ee03087ed19e814b138ec6d70cdadb605cd
---
 archival/tar.c       |   39 +++++++++++++++++++++++++++++++++++++++
 include/bb_archive.h |    2 +-
 2 files changed, 40 insertions(+), 1 deletions(-)

diff --git a/archival/tar.c b/archival/tar.c
index aa02d35..e4a0710 100644
--- a/archival/tar.c
+++ b/archival/tar.c
@@ -210,6 +210,7 @@ enum {
  CONTTYPE = '7', /* reserved */
  GNULONGLINK = 'K', /* GNU long (>100 chars) link name */
  GNULONGNAME = 'L', /* GNU long (>100 chars) file name */
+ EXTTYPE = 'x', /* ext metadata for next file, store selinux_context */
 };

 /* Might be faster (and bigger) if the dev/ino were stored in numeric
order;) */
@@ -351,6 +352,32 @@ static void writeLongname(int fd, int type, const char
*name, int dir)
 }
 #endif

+#if ENABLE_FEATURE_TAR_SELINUX
+# define SELINUX_CONTEXT_KEYWORD "RHT.security.selinux"
+/* Write 2 blocks : extended file header + selinux context */
+static void writeSeHeader(int fd, const char *con,
+ struct tar_header_t *header)
+{
+ char block[TAR_BLOCK_SIZE];
+ struct tar_header_t hd;
+
+ int sz = sizeof(SELINUX_CONTEXT_KEYWORD) + strlen(con) + 4;
+ if (sz >= 100) sz++; /* another ascii digit for size */
+
+ memset(&block, 0, TAR_BLOCK_SIZE);
+ sprintf(block, "%d %s=%s\n", sz, SELINUX_CONTEXT_KEYWORD, con);
+
+ /* write duplicated file entry */
+ memcpy(&hd, header, sizeof(hd));
+ hd.typeflag = EXTTYPE;
+ PUT_OCTAL(hd.size, sz);
+ chksum_and_xwrite(fd, &hd);
+
+ /* write selinux context */
+ xwrite(fd, &block, TAR_BLOCK_SIZE);
+}
+#endif
+
 /* Write out a tar header for the specified file/directory/whatever */
 static int writeTarHeader(struct TarBallInfo *tbInfo,
  const char *header_name, const char *fileName, struct stat *statbuf)
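Review bot: writeSeHeader formats the context into a fixed 512-byte stack buffer with `sprintf(block, ...)` (the line after the memset) while `con` comes from the file's xattr and has no length bound here, so a context longer than roughly TAR_BLOCK_SIZE minus the keyword and length prefix overflows `block`. The same length is written into `hd.size` while only one block of data is emitted, so even without the overflow such an entry would be truncated in the archive. The `sz` computation already knows the record length, so rejecting records that do not fit before touching the buffer keeps both problems out, and snprintf bounds the write regardless; the three-digit adjustment is sufficient once the record is capped at one block. bb_error_msg is used elsewhere in this file, so the skip can be reported without changing the void signature.
```c
	int sz = sizeof(SELINUX_CONTEXT_KEYWORD) + strlen(con) + 4;
	if (sz >= 100) sz++; /* another ascii digit for size */
	/* the whole "<len> key=value\n" record must fit the single data block below */
	if (sz > TAR_BLOCK_SIZE) {
		bb_error_msg("selinux context of file too long, not stored");
		return;
	}

	memset(block, 0, TAR_BLOCK_SIZE);
	snprintf(block, TAR_BLOCK_SIZE, "%d %s=%s\n", sz, SELINUX_CONTEXT_KEYWORD, con);
	/* … unchanged: duplicated header entry, context block write … */
```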
@@ -468,6 +495,18 @@ static int writeTarHeader(struct TarBallInfo *tbInfo,
  header_name, S_ISDIR(statbuf->st_mode));
 #endif

+#if ENABLE_FEATURE_TAR_SELINUX
+ if (is_selinux_enabled()) {
+ security_context_t sid;
+ lgetfilecon(fileName, &sid);
+ if (sid) {
+ // optional extended block
+ writeSeHeader(tbInfo->tarFd, sid, &header);
+ freecon(sid);
+ }
+ }
+#endif
+
  /* Now write the header out to disk */
  chksum_and_xwrite(tbInfo->tarFd, &header);

diff --git a/include/bb_archive.h b/include/bb_archive.h
index b82cfd8..d796fcd 100644
--- a/include/bb_archive.h
+++ b/include/bb_archive.h
@@ -146,7 +146,7 @@ typedef struct tar_header_t {     /* byte offset */
  /* Normally it's defined as magic[6] followed by
  * version[2], but we put them together to save code.
  */
- char magic[8];            /* 257-264 */
+ char magic[8];            /* 257-264 (magic 6 + version 2) */
  char uname[32];           /* 265-296 */
  char gname[32];           /* 297-328 */
  char devmajor[8];         /* 329-336 */
-- 
1.7.2.5