Date: Wed, 25 Oct 2006 20:42:54 GMT From: Todd Miller <millert@FreeBSD.org> To: Perforce Change Reviews <perforce@freebsd.org> Subject: PERFORCE change 108426 for review Message-ID: <200610252042.k9PKgsAo071417@repoman.freebsd.org>
http://perforce.freebsd.org/chv.cgi?CH=108426

Change 108426 by millert@millert_macbook on 2006/10/25 20:42:34

	Update to libselinux-1.32 from the NSA web site.

Affected files ...

.. //depot/projects/trustedbsd/sedarwin8/policies/sedarwin/libselinux/ChangeLog#4 edit
.. //depot/projects/trustedbsd/sedarwin8/policies/sedarwin/libselinux/Makefile#3 edit
.. //depot/projects/trustedbsd/sedarwin8/policies/sedarwin/libselinux/VERSION#4 edit
.. //depot/projects/trustedbsd/sedarwin8/policies/sedarwin/libselinux/include/selinux/av_permissions.h#3 edit
.. //depot/projects/trustedbsd/sedarwin8/policies/sedarwin/libselinux/include/selinux/avc.h#3 edit
.. //depot/projects/trustedbsd/sedarwin8/policies/sedarwin/libselinux/src/avc.c#5 edit
.. //depot/projects/trustedbsd/sedarwin8/policies/sedarwin/libselinux/src/setrans_client.c#2 edit

Differences ...

==== //depot/projects/trustedbsd/sedarwin8/policies/sedarwin/libselinux/ChangeLog#4 (text+ko) ====

@@ -1,3 +1,18 @@
+1.32 2006-10-17
+	* Updated version for release.
+
+1.30.30 2006-10-05
+	* Merged patch from Darrel Goeddel to always use untranslated
+	  contexts in the userspace AVC.
+
+1.30.29 2006-09-29
+	* Merged av_permissions.h update from Steve Grubb,
+	  adding setsockcreate and polmatch definitions.
+
+1.30.28 2006-09-13
+	* Merged patch from Steve Smalley to fix SIGPIPE in setrans_client
+	* Merged c++ class identifier fix from Joe Nall.
+
 1.30.27 2006-08-24
 	* Merged patch to not log avc stats upon a reset from Steve Grubb.
 	* Applied patch to revert compat_net setting upon policy load.

==== //depot/projects/trustedbsd/sedarwin8/policies/sedarwin/libselinux/Makefile#3 (text+ko) ====

@@ -21,4 +21,4 @@
 	$(MAKE) -C src $@
 	$(MAKE) -C utils clean
 
-test:
+test:

==== //depot/projects/trustedbsd/sedarwin8/policies/sedarwin/libselinux/VERSION#4 (text+ko) ====

@@ -1,1 +1,1 @@
-1.30.27
+1.32

==== //depot/projects/trustedbsd/sedarwin8/policies/sedarwin/libselinux/include/selinux/av_permissions.h#3 (text+ko) ====
@@ -468,6 +468,7 @@
 #define PROCESS__EXECSTACK 0x04000000UL
 #define PROCESS__EXECHEAP 0x08000000UL
 #define PROCESS__SETKEYCREATE 0x10000000UL
+#define PROCESS__SETSOCKCREATE 0x20000000UL
 
 #define IPC__CREATE 0x00000001UL
 #define IPC__DESTROY 0x00000002UL
@@ -910,6 +911,7 @@
 #define ASSOCIATION__SENDTO 0x00000001UL
 #define ASSOCIATION__RECVFROM 0x00000002UL
 #define ASSOCIATION__SETCONTEXT 0x00000004UL
+#define ASSOCIATION__POLMATCH 0x00000008UL
 
 #define NETLINK_KOBJECT_UEVENT_SOCKET__IOCTL 0x00000001UL
 #define NETLINK_KOBJECT_UEVENT_SOCKET__READ 0x00000002UL

==== //depot/projects/trustedbsd/sedarwin8/policies/sedarwin/libselinux/include/selinux/avc.h#3 (text+ko) ====

@@ -38,6 +38,7 @@
  * available to make the copy, or %EINVAL if the input SID is invalid.
  */
 int avc_sid_to_context(security_id_t sid, security_context_t * ctx);
+int avc_sid_to_context_raw(security_id_t sid, security_context_t * ctx);
 
 /**
  * avc_context_to_sid - get SID for context.
@@ -51,6 +52,7 @@
  * returning %0 on success or -%1 on error with @errno set.
  */
 int avc_context_to_sid(security_context_t ctx, security_id_t * sid);
+int avc_context_to_sid_raw(security_context_t ctx, security_id_t * sid);
 
 /**
  * sidget - increment SID reference counter.
@@ -120,7 +122,7 @@
 	void (*func_log) (const char *fmt, ...);
 	/* store a string representation of auditdata (corresponding to the given security class) into msgbuf. */
-	void (*func_audit) (void *auditdata, security_class_t class,
+	void (*func_audit) (void *auditdata, security_class_t cls,
 			    char *msgbuf, size_t msgbufsize);
 };

==== //depot/projects/trustedbsd/sedarwin8/policies/sedarwin/libselinux/src/avc.c#5 (text+ko) ====

@@ -205,7 +205,7 @@
 	    & (AVC_CACHE_SLOTS - 1);
 }
 
-int avc_context_to_sid(security_context_t ctx, security_id_t * sid)
+int avc_context_to_sid_raw(security_context_t ctx, security_id_t * sid)
 {
 	int rc;
 	avc_get_lock(avc_lock);
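Review bot: The two new prototypes `avc_sid_to_context_raw` and `avc_context_to_sid_raw` in the avc.h hunks are added without the kerneldoc block that every neighbouring declaration carries, so a reader of the header cannot tell how they differ from the translated variants. The avc.c hunks in this same change show the difference: avc_sid_to_context now wraps avc_sid_to_context_raw and passes the result through selinux_raw_to_trans_context, avc_context_to_sid converts its argument with selinux_trans_to_raw_context before calling avc_context_to_sid_raw, and the raw result is released with freecon. I would add above the first prototype `/** avc_sid_to_context_raw - get copy of the raw (untranslated) context for @sid. Same contract and return values as avc_sid_to_context, but no setrans lookup is performed; the caller frees the result with freecon. */` and a matching comment above avc_context_to_sid_raw stating that @ctx is taken as an untranslated context. The `class` to `cls` rename in the func_audit member is fine as is; it only removes a C++ keyword from a public header.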
@@ -216,7 +216,22 @@
 	return rc;
 }
 
-int avc_sid_to_context(security_id_t sid, security_context_t * ctx)
+int avc_context_to_sid(security_context_t ctx, security_id_t * sid)
+{
+	int ret;
+	security_context_t rctx;
+
+	if (selinux_trans_to_raw_context(ctx, &rctx))
+		return -1;
+
+	ret = avc_context_to_sid_raw(rctx, sid);
+
+	freecon(rctx);
+
+	return ret;
+}
+
+int avc_sid_to_context_raw(security_id_t sid, security_context_t * ctx)
 {
 	int rc;
 	*ctx = NULL;
@@ -232,6 +247,21 @@
 	return rc;
 }
 
+int avc_sid_to_context(security_id_t sid, security_context_t * ctx)
+{
+	int ret;
+	security_context_t rctx;
+
+	ret = avc_sid_to_context_raw(sid, &rctx);
+
+	if (ret == 0) {
+		ret = selinux_raw_to_trans_context(rctx, ctx);
+		freecon(rctx);
+	}
+
+	return ret;
+}
+
 int sidget(security_id_t sid)
 {
 	int rc;
@@ -943,8 +973,9 @@
 		rc = -1;
 		goto out;
 	}
-	rc = security_compute_av(ssid->ctx, tsid->ctx, tclass,
-				 requested, &entry.avd);
+	rc = security_compute_av_raw(ssid->ctx, tsid->ctx,
+				     tclass, requested,
+				     &entry.avd);
 	if (rc)
 		goto out;
 	rc = avc_insert(ssid, tsid, tclass, &entry, aeref);

==== //depot/projects/trustedbsd/sedarwin8/policies/sedarwin/libselinux/src/setrans_client.c#2 (text+ko) ====

@@ -59,11 +59,12 @@
 static int send_request(int fd, uint32_t function, const char *data1,
 			const char *data2)
 {
-	struct iovec req_hdr[3];
+	struct msghdr msgh;
+	struct iovec iov[5];
 	uint32_t data1_size;
 	uint32_t data2_size;
-	struct iovec req_data[2];
-	ssize_t count;
+	ssize_t count, expected;
+	unsigned int i;
 
 	if (fd < 0)
 		return -1;
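Review bot: The new avc_sid_to_context in the @@ -232 hunk leaves the caller's `*ctx` untouched when the raw lookup fails: the body it used to have, now avc_sid_to_context_raw, opens with `*ctx = NULL;` (visible in the @@ -216 hunk), but in the wrapper that statement now clears the local rctx, and on the `ret != 0` path `*ctx` is never written. A caller that relied on the old behaviour and calls freecon(*ctx) unconditionally after an error would now free an indeterminate pointer. Putting `*ctx = NULL;` as the first statement of avc_sid_to_context restores the previous contract; whether selinux_raw_to_trans_context clears `*ctx` on its own failure is not visible in this change, so the explicit assignment is the safe choice either way.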
@@ -76,28 +77,28 @@
 	data1_size = strlen(data1) + 1;
 	data2_size = strlen(data2) + 1;
 
-	req_hdr[0].iov_base = &function;
-	req_hdr[0].iov_len = sizeof(function);
-	req_hdr[1].iov_base = &data1_size;
-	req_hdr[1].iov_len = sizeof(data1_size);
-	req_hdr[2].iov_base = &data2_size;
-	req_hdr[2].iov_len = sizeof(data2_size);
+	iov[0].iov_base = &function;
+	iov[0].iov_len = sizeof(function);
+	iov[1].iov_base = &data1_size;
+	iov[1].iov_len = sizeof(data1_size);
+	iov[2].iov_base = &data2_size;
+	iov[2].iov_len = sizeof(data2_size);
+	iov[3].iov_base = (char *)data1;
+	iov[3].iov_len = data1_size;
+	iov[4].iov_base = (char *)data2;
+	iov[4].iov_len = data2_size;
+	memset(&msgh, 0, sizeof(msgh));
+	msgh.msg_iov = iov;
+	msgh.msg_iovlen = sizeof(iov) / sizeof(iov[0]);
 
-	while (((count = writev(fd, req_hdr, 3)) < 0) && (errno == EINTR)) ;
-	if (count != (sizeof(function) + sizeof(data1_size) +
-		      sizeof(data2_size))) {
-		return -1;
-	}
+	expected = 0;
+	for (i = 0; i < sizeof(iov) / sizeof(iov[0]); i++)
+		expected += iov[i].iov_len;
 
-	req_data[0].iov_base = (char *)data1;
-	req_data[0].iov_len = data1_size;
-	req_data[1].iov_base = (char *)data2;
-	req_data[1].iov_len = data2_size;
-
-	while (((count = writev(fd, req_data, 2)) < 0) && (errno == EINTR)) ;
-	if (count < 0 || (uint32_t) count != (data1_size + data2_size)) {
+	while (((count = sendmsg(fd, &msgh, 0)) < 0)
+	       && (errno == EINTR)) ;
+	if (count < 0 || count != expected)
 		return -1;
-	}
 
 	return 0;
 }
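Review bot: `sendmsg(fd, &msgh, 0)` in the rewritten send path still delivers SIGPIPE to the whole process if the translation daemon has closed its end, so the "fix SIGPIPE" entry in the ChangeLog is only partly addressed here: merging the two writev() calls into one sendmsg() closes the window between header and payload, but a zero flags argument does not suppress the signal itself. On Linux the flag for this is MSG_NOSIGNAL; on Darwin, which this sedarwin tree targets, that flag does not exist and the socket option SO_NOSIGPIPE has to be set on the descriptor where it is created (outside this hunk), or the library must otherwise tolerate SIGPIPE. I would pass MSG_NOSIGNAL where the platform defines it, `sendmsg(fd, &msgh, MSG_NOSIGNAL)`, and keep 0 as the fallback under a preprocessor check. Separately, `count != expected` treats a short write on the stream socket as a hard failure rather than resuming from the unsent bytes; that matches the old code, so it is only a note. send_request begins in the preceding @@ -59 hunk.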