Accepting request 414915 from home:elvigia:branches:security:SELinux

- -devel static subpackage requires libpcre-devel and libsepol-devel - Avoid mounting /proc outside of selinux_init_load_policy(). (Stephen Smalley) reverts upstream 5a8d8c4, 9df4988, fixes among other things systemd seccomp sandboxing otherwise all filters must allow mount(2) (libselinux-proc-mount-only-if-needed.patch) OBS-URL: https://build.opensuse.org/request/show/414915 OBS-URL: https://build.opensuse.org/package/show/security:SELinux/libselinux?expand=0&rev=87
2016-07-26 12:15:13 +00:00 · 2016-07-26 12:15:13 +00:00 · 1f94f8811a
commit 1f94f8811a
parent 2aadb1f9f1
3 changed files with 113 additions and 1 deletions
--- a/libselinux-proc-mount-only-if-needed.patch
+++ b/libselinux-proc-mount-only-if-needed.patch
@ -0,0 +1,93 @@
+Index: libselinux-2.5/src/init.c
+===================================================================
+--- libselinux-2.5.orig/src/init.c
+++ libselinux-2.5/src/init.c
+@@ -11,7 +11,6 @@
+ #include <sys/vfs.h>
+ #include <stdint.h>
+ #include <limits.h>
+-#include <sys/mount.h>
+ 
+ #include "dso.h"
+ #include "policy.h"
+@@ -57,20 +56,18 @@ static int verify_selinuxmnt(const char
+ 
+ int selinuxfs_exists(void)
+ {
+-	int exists = 0, mnt_rc = 0;
+	int exists = 0;
+ 	FILE *fp = NULL;
+ 	char *buf = NULL;
+ 	size_t len;
+ 	ssize_t num;
+ 
+-	mnt_rc = mount("proc", "/proc", "proc", 0, 0);
+ 
+ 	fp = fopen("/proc/filesystems", "r");
+-	if (!fp) {
+-		exists = 1; /* Fail as if it exists */
+-		goto out;
+-	}
+ 
+	if (!fp)
+		return 1; /* Fail as if it exists */
+	
+ 	__fsetlocking(fp, FSETLOCKING_BYCALLER);
+ 
+ 	num = getline(&buf, &len, fp);
+@@ -85,13 +82,6 @@ int selinuxfs_exists(void)
+ 	free(buf);
+ 	fclose(fp);
+ 
+-out:
+-#ifndef MNT_DETACH
+-#define MNT_DETACH 2
+-#endif
+-	if (mnt_rc == 0)
+-		umount2("/proc", MNT_DETACH);
+-
+ 	return exists;
+ }
+ hidden_def(selinuxfs_exists)
+Index: libselinux-2.5/src/load_policy.c
+===================================================================
+--- libselinux-2.5.orig/src/load_policy.c
+++ libselinux-2.5/src/load_policy.c
+@@ -17,6 +17,10 @@
+ #include "policy.h"
+ #include <limits.h>
+ 
+#ifndef MNT_DETACH
+#define MNT_DETACH 2
+#endif
+
+ int security_load_policy(void *data, size_t len)
+ {
+ 	char path[PATH_MAX];
+@@ -348,11 +352,6 @@ int selinux_init_load_policy(int *enforc
+ 		fclose(cfg);
+ 		free(buf);
+ 	}
+-#ifndef MNT_DETACH
+-#define MNT_DETACH 2
+-#endif
+-	if (rc == 0)
+-		umount2("/proc", MNT_DETACH);
+ 
+ 	/* 
+ 	 * Determine the final desired mode.
+@@ -402,9 +401,13 @@ int selinux_init_load_policy(int *enforc
+ 		}
+                 
+ 		goto noload;
+		if (rc == 0)
+			umount2("/proc", MNT_DETACH);
+ 	}
+ 	set_selinuxmnt(mntpoint);
+-
+	
+		if (rc == 0)
+			umount2("/proc", MNT_DETACH);
+ 	/*
+ 	 * Note:  The following code depends on having selinuxfs 
+ 	 * already mounted and selinuxmnt set above.
--- a/libselinux.changes
+++ b/libselinux.changes
@ -1,3 +1,18 @@
+-------------------------------------------------------------------
+Sun Jul 24 19:33:42 UTC 2016 - crrodriguez@opensuse.org
+
+- -devel static subpackage requires libpcre-devel and libsepol-devel
+
+
+-------------------------------------------------------------------
+Sun Jul 24 19:05:35 UTC 2016 - crrodriguez@opensuse.org
+
+- Avoid mounting /proc outside of selinux_init_load_policy().
+  (Stephen Smalley) reverts upstream 5a8d8c4, 9df4988, fixes
+  among other things systemd seccomp sandboxing otherwise all
+  filters must allow mount(2)
+  (libselinux-proc-mount-only-if-needed.patch)
+
 -------------------------------------------------------------------
 Thu Jul 14 07:58:49 UTC 2016 - jsegitz@novell.com

--- a/libselinux.spec
+++ b/libselinux.spec
@ -32,6 +32,8 @@ Source2:        baselibs.conf
 Patch1:         %{name}-2.2-ruby.patch
 # PATCH-FIX-UPSTREAM swig-3.10 use importlib which not search the directory __init__.py is in but standard path
 Patch2:         python-selinux-swig-3.10.patch
+# PATCH-FIX-UPSTREAM Avoid mounting /proc outside of selinux_init_load_policy().
+Patch3:         libselinux-proc-mount-only-if-needed.patch
 BuildRoot:      %{_tmppath}/%{name}-%{version}-build
 BuildRequires:  fdupes
 BuildRequires:  libsepol-devel >= %{libsepol_ver}
@ -113,6 +115,8 @@ necessary to develop your own software using libselinux.
 Summary:        Static development Include Files and Libraries for SELinux
 Group:          Development/Libraries/C and C++
 Requires:       libselinux-devel = %{version}
+Requires:       pkgconfig(libpcre)
+Requires:       pkgconfig(libsepol)

 %description devel-static
 This package contains the static development files, which are
@ -123,7 +127,7 @@ necessary to develop your own software using libselinux.
 %setup -q
 %patch1
 %patch2 -p1
-
+%patch3 -p1
 %build
 make %{?_smp_mflags} LIBDIR="%{_libdir}" CC="%{__cc}" CFLAGS="$RPM_OPT_FLAGS"