From 1f94f8811aac8ed385e4d7c88d4f404a7af04559094419461dc90387bf592ae4 Mon Sep 17 00:00:00 2001
From: Johannes Segitz
Date: Tue, 26 Jul 2016 12:15:13 +0000
Subject: [PATCH] Accepting request 414915 from home:elvigia:branches:security:SELinux

- -devel static subpackage requires libpcre-devel and libsepol-devel
- Avoid mounting /proc outside of selinux_init_load_policy(). (Stephen Smalley) reverts upstream 5a8d8c4, 9df4988, fixes among other things systemd seccomp sandboxing otherwise all filters must allow mount(2) (libselinux-proc-mount-only-if-needed.patch)

OBS-URL: https://build.opensuse.org/request/show/414915
OBS-URL: https://build.opensuse.org/package/show/security:SELinux/libselinux?expand=0&rev=87
---
 libselinux-proc-mount-only-if-needed.patch | 93 ++++++++++++++++++++++
 libselinux.changes | 15 ++++
 libselinux.spec | 6 +-
 3 files changed, 113 insertions(+), 1 deletion(-)
 create mode 100644 libselinux-proc-mount-only-if-needed.patch

diff --git a/libselinux-proc-mount-only-if-needed.patch b/libselinux-proc-mount-only-if-needed.patch
new file mode 100644
index 0000000..383e72c
--- /dev/null
+++ b/libselinux-proc-mount-only-if-needed.patch
@@ -0,0 +1,93 @@
+Index: libselinux-2.5/src/init.c
+===================================================================
+--- libselinux-2.5.orig/src/init.c
++++ libselinux-2.5/src/init.c
+@@ -11,7 +11,6 @@
+ #include
+ #include
+ #include
+-#include
+ 
+ #include "dso.h"
+ #include "policy.h"
+@@ -57,20 +56,18 @@ static int verify_selinuxmnt(const char
+ 
+ int selinuxfs_exists(void)
+ {
+- int exists = 0, mnt_rc = 0;
++ int exists = 0;
+ FILE *fp = NULL;
+ char *buf = NULL;
+ size_t len;
+ ssize_t num;
+ 
+- mnt_rc = mount("proc", "/proc", "proc", 0, 0);
+ 
+ fp = fopen("/proc/filesystems", "r");
+- if (!fp) {
+- exists = 1; /* Fail as if it exists */
+- goto out;
+- }
+ 
++ if (!fp)
++ return 1; /* Fail as if it exists */
++
+ __fsetlocking(fp, FSETLOCKING_BYCALLER);
+ 
+ num = getline(&buf, &len, fp);
+@@ -85,13 +82,6 @@ int selinuxfs_exists(void)
+ free(buf);
+ fclose(fp);
+ 
+-out:
+-#ifndef MNT_DETACH
+-#define MNT_DETACH 2
+-#endif
+- if (mnt_rc == 0)
+- umount2("/proc", MNT_DETACH);
+-
+ return exists;
+ }
+ hidden_def(selinuxfs_exists)
+Index: libselinux-2.5/src/load_policy.c
+===================================================================
+--- libselinux-2.5.orig/src/load_policy.c
++++ libselinux-2.5/src/load_policy.c
+@@ -17,6 +17,10 @@
+ #include "policy.h"
+ #include
+ 
++#ifndef MNT_DETACH
++#define MNT_DETACH 2
++#endif
++
+ int security_load_policy(void *data, size_t len)
+ {
+ char path[PATH_MAX];
+@@ -348,11 +352,6 @@ int selinux_init_load_policy(int *enforc
+ fclose(cfg);
+ free(buf);
+ }
+-#ifndef MNT_DETACH
+-#define MNT_DETACH 2
+-#endif
+- if (rc == 0)
+- umount2("/proc", MNT_DETACH);
+ 
+ /*
+ * Determine the final desired mode.
+@@ -402,9 +401,13 @@ int selinux_init_load_policy(int *enforc
+ }
+ 
+ goto noload;
++ if (rc == 0)
++ umount2("/proc", MNT_DETACH);
+ }
+ set_selinuxmnt(mntpoint);
+-
++
++ if (rc == 0)
++ umount2("/proc", MNT_DETACH);
+ /*
+ * Note: The following code depends on having selinuxfs
+ * already mounted and selinuxmnt set above.
diff --git a/libselinux.changes b/libselinux.changes
index c08ec5a..312fe28 100644
--- a/libselinux.changes
+++ b/libselinux.changes
@@ -1,3 +1,18 @@
+-------------------------------------------------------------------
+Sun Jul 24 19:33:42 UTC 2016 - crrodriguez@opensuse.org
+
+- -devel static subpackage requires libpcre-devel and libsepol-devel
+
+
+-------------------------------------------------------------------
+Sun Jul 24 19:05:35 UTC 2016 - crrodriguez@opensuse.org
+
+- Avoid mounting /proc outside of selinux_init_load_policy().
+ (Stephen Smalley) reverts upstream 5a8d8c4, 9df4988, fixes
+ among other things systemd seccomp sandboxing otherwise all
+ filters must allow mount(2)
+ (libselinux-proc-mount-only-if-needed.patch)
+
 -------------------------------------------------------------------
 Thu Jul 14 07:58:49 UTC 2016 - jsegitz@novell.com
 
diff --git a/libselinux.spec b/libselinux.spec
index e8071bc..798046a 100644
--- a/libselinux.spec
+++ b/libselinux.spec
@@ -32,6 +32,8 @@ Source2: baselibs.conf
 Patch1: %{name}-2.2-ruby.patch
 # PATCH-FIX-UPSTREAM swig-3.10 use importlib which not search the directory __init__.py is in but standard path
 Patch2: python-selinux-swig-3.10.patch
+# PATCH-FIX-UPSTREAM Avoid mounting /proc outside of selinux_init_load_policy().
+Patch3: libselinux-proc-mount-only-if-needed.patch
 BuildRoot: %{_tmppath}/%{name}-%{version}-build
 BuildRequires: fdupes
 BuildRequires: libsepol-devel >= %{libsepol_ver}
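Review bot: In the selinux_init_load_policy hunk of the new patch file, the pair `if (rc == 0)` / `umount2("/proc", MNT_DETACH);` inserted directly after `goto noload;` can never execute, so on the noload path the /proc mount this function itself appears to have made when rc == 0 (rc is assigned outside the hunk) is left mounted unless the noload label undoes it, which is not visible here. The detach belongs before the jump, `if (rc == 0) umount2("/proc", MNT_DETACH);` placed ahead of `goto noload;`, with the dead copy removed; the second copy added after `set_selinuxmnt(mntpoint);` covers only the success path. The enclosing function starts and ends outside the hunk. In the init.c hunk, selinuxfs_exists() now reads /proc/filesystems without mounting /proc first, so a caller that runs without /proc mounted gets the "fail as if it exists" value 1; that is presumably the intended trade-off and deserves a comment above the fopen, e.g. `/* /proc is deliberately not mounted here; an unreadable /proc/filesystems counts as selinuxfs present */`.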
@@ -113,6 +115,8 @@ necessary to develop your own software using libselinux.
 Summary: Static development Include Files and Libraries for SELinux
 Group: Development/Libraries/C and C++
 Requires: libselinux-devel = %{version}
+Requires: pkgconfig(libpcre)
+Requires: pkgconfig(libsepol)
 
 %description devel-static
 This package contains the static development files, which are
@@ -123,7 +127,7 @@ necessary to develop your own software using libselinux.
 %setup -q
 %patch1
 %patch2 -p1
-
+%patch3 -p1
 
 %build
 make %{?_smp_mflags} LIBDIR="%{_libdir}" CC="%{__cc}" CFLAGS="$RPM_OPT_FLAGS"