diff --git a/backport-libselinux-Fix-potential-undefined-shifts.patch b/backport-libselinux-Fix-potential-undefined-shifts.patch deleted file mode 100644 index 38c67ea7883c6a72b725a1c79a25a208d1b0bcdf..0000000000000000000000000000000000000000 --- a/backport-libselinux-Fix-potential-undefined-shifts.patch +++ /dev/null @@ -1,135 +0,0 @@ -From c3ad59cc975d4848b6af37cbcb5caeb6fcb9bdb4 Mon Sep 17 00:00:00 2001 -From: James Carter -Date: Fri, 8 Oct 2021 15:07:36 -0400 -Reference:https://github.com/SELinuxProject/selinux/commit/c3ad59cc975d4848b6af37cbcb5caeb6fcb9bdb4 -Conflict:adapter filepath -Subject: [PATCH] libselinux: Fix potential undefined shifts - -An expression of the form "1 << x" is undefined if x == 31 because -the "1" is an int and cannot be left shifted by 31. - -Instead, use "UINT32_C(1) << x" which will be an unsigned int of -at least 32 bits. - -Signed-off-by: James Carter -Signed-off-by: lujie42 ---- - src/mapping.c | 22 +++++++++++----------- - src/stringrep.c | 8 ++++---- - 2 files changed, 15 insertions(+), 15 deletions(-) - -diff --git a/src/mapping.c b/src/mapping.c -index 96395fd4..dd2f1039 100644 ---- a/src/mapping.c -+++ b/src/mapping.c -@@ -144,9 +144,9 @@ unmap_perm(security_class_t tclass, access_vector_t tperm) - access_vector_t kperm = 0; - - for (i = 0; i < current_mapping[tclass].num_perms; i++) -- if (tperm & (1<allowed & mapping->perms[i]) -- result |= 1<perms[i]) -- result |= 1<allowed = result; - - for (i = 0, result = 0; i < n; i++) { - if (avd->decided & mapping->perms[i]) -- result |= 1<perms[i]) -- result |= 1<decided = result; - - for (i = 0, result = 0; i < n; i++) - if (avd->auditallow & mapping->perms[i]) -- result |= 1<auditallow = result; - - for (i = 0, result = 0; i < n; i++) { - if (avd->auditdeny & mapping->perms[i]) -- result |= 1<perms[i]) -- result |= 1<auditdeny = result; - } - } -diff --git a/src/stringrep.c b/src/stringrep.c -index 012a740a..2fe69f43 100644 ---- a/src/stringrep.c -+++ b/src/stringrep.c -@@ -229,7 +229,7 @@ access_vector_t string_to_av_perm(security_class_t tclass, const char *s) - size_t i; - for (i = 0; i < MAXVECTORS && node->perms[i] != NULL; i++) - if (strcmp(node->perms[i],s) == 0) -- return map_perm(tclass, 1<perms[i]; - - return NULL; -@@ -279,7 +279,7 @@ int security_av_string(security_class_t tclass, access_vector_t av, char **res) - /* first pass computes the required length */ - for (i = 0; tmp; tmp >>= 1, i++) { - if (tmp & 1) { -- str = security_av_perm_to_string(tclass, av & (1<>= 1, i++) { - if (tmp & 1) { -- str = security_av_perm_to_string(tclass, av & (1< -Date: Mon, 15 Feb 2021 14:05:53 +0100 -Reference:https://github.com/SELinuxProject/selinux/commit/142826a38e974b54a45022c0a0a8dce13a8225 -Conflict:adapter filepath -Subject: [PATCH] libselinux: fix segfault in add_xattr_entry() - -When selabel_get_digests_all_partial_matches(), resp -get_digests_all_partial_matches() doesn't find a match, -calculated_digest is not initialized and followup memcmp() could -segfault. Given that calculated_digest and xattr_digest are already -compared in get_digests_all_partial_matches() and the function returns -true or false based on this comparison, it's not necessary to compare -these values again. - -Fixes: - # cd /root - # mkdir tmp - # restorecon -D -Rv tmp # create security.sehash attribute - # restorecon_xattr -d -v tmp - specfiles SHA1 digest: afc752f47d489f3e82ac1da8fd247a2e1a6af5f8 - calculated using the following specfile(s): - /etc/selinux/targeted/contexts/files/file_contexts.subs_dist - /etc/selinux/targeted/contexts/files/file_contexts.subs - /etc/selinux/targeted/contexts/files/file_contexts.bin - /etc/selinux/targeted/contexts/files/file_contexts.homedirs.bin - /etc/selinux/targeted/contexts/files/file_contexts.local.bin - - Segmentation fault (core dumped) - -Signed-off-by: Petr Lautrbach -Signed-off-by: luhuaxin <1539327763@qq.com> ---- - libselinux/src/selinux_restorecon.c | 14 +++++++------- - 1 file changed, 7 insertions(+), 7 deletions(-) - -diff --git a/src/selinux_restorecon.c b/src/selinux_restorecon.c -index 6993be6..63fb8dc 100644 ---- a/src/selinux_restorecon.c -+++ b/src/selinux_restorecon.c -@@ -297,6 +297,7 @@ static int add_xattr_entry(const char *directory, bool delete_nonmatch, - char *sha1_buf = NULL; - size_t i, digest_len = 0; - int rc, digest_result; -+ bool match; - struct dir_xattr *new_entry; - uint8_t *xattr_digest = NULL; - uint8_t *calculated_digest = NULL; -@@ -306,9 +307,9 @@ static int add_xattr_entry(const char *directory, bool delete_nonmatch, - return -1; - } - -- selabel_get_digests_all_partial_matches(fc_sehandle, directory, -- &calculated_digest, -- &xattr_digest, &digest_len); -+ match = selabel_get_digests_all_partial_matches(fc_sehandle, directory, -+ &calculated_digest, &xattr_digest, -+ &digest_len); - - if (!xattr_digest || !digest_len) { - free(calculated_digest); -@@ -326,11 +327,10 @@ static int add_xattr_entry(const char *directory, bool delete_nonmatch, - for (i = 0; i < digest_len; i++) - sprintf((&sha1_buf[i * 2]), "%02x", xattr_digest[i]); - -- rc = memcmp(calculated_digest, xattr_digest, digest_len); -- digest_result = rc ? NOMATCH : MATCH; -+ digest_result = match ? MATCH : NOMATCH; - -- if ((delete_nonmatch && rc != 0) || delete_all) { -- digest_result = rc ? DELETED_NOMATCH : DELETED_MATCH; -+ if ((delete_nonmatch && !match) || delete_all) { -+ digest_result = match ? DELETED_MATCH : DELETED_NOMATCH; - rc = removexattr(directory, RESTORECON_PARTIAL_MATCH_DIGEST); - if (rc) { - selinux_log(SELINUX_ERROR, --- -1.8.3.1 - diff --git a/backport-libselinux-getconlist-free-memory-on-multiple-level-.patch b/backport-libselinux-getconlist-free-memory-on-multiple-level-.patch deleted file mode 100644 index 35c503a693247fd83df3367748c1b0acb2f084c8..0000000000000000000000000000000000000000 --- a/backport-libselinux-getconlist-free-memory-on-multiple-level-.patch +++ /dev/null @@ -1,37 +0,0 @@ -From d0e16077d4ded64bbc878d29e0dc22b1f5e0912f Mon Sep 17 00:00:00 2001 -From: =?UTF-8?q?Christian=20G=C3=B6ttsche?= -Date: Mon, 3 May 2021 17:10:55 +0200 -Reference:https://github.com/SELinuxProject/selinux/commit/d0e16077d4ded64bbc878d29e0dc22b1f5e0912f -Conflict:adapter filepath -Subject: [PATCH] libselinux: getconlist: free memory on multiple level - arguments -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -Do not leak memory if the program argument `l` got passed more than -once. - -Found by clang-analyzer. - -Signed-off-by: Christian Göttsche -Signed-off-by: luhuaxin <1539327763@qq.com> ---- - libselinux/utils/getconlist.c | 1 + - 1 file changed, 1 insertion(+) - -diff --git a/utils/getconlist.c b/utils/getconlist.c -index 76654b7..0bb2846 100644 ---- a/utils/getconlist.c -+++ b/utils/getconlist.c -@@ -26,6 +26,7 @@ int main(int argc, char **argv) - while ((opt = getopt(argc, argv, "l:")) > 0) { - switch (opt) { - case 'l': -+ free(level); - level = strdup(optarg); - if (!level) { - fprintf(stderr, "memory allocation failure: %d(%s)\n", --- -1.8.3.1 - diff --git a/backport-libselinux-getdefaultcon-free-memory-on-multiple-sam.patch b/backport-libselinux-getdefaultcon-free-memory-on-multiple-sam.patch deleted file mode 100644 index 7b78a7a4e08abcaf9dca25935a1051bb2e8d6b5d..0000000000000000000000000000000000000000 --- a/backport-libselinux-getdefaultcon-free-memory-on-multiple-sam.patch +++ /dev/null @@ -1,54 +0,0 @@ -From db69a3d3622005d3ffd62498eac8da1ded264874 Mon Sep 17 00:00:00 2001 -From: =?UTF-8?q?Christian=20G=C3=B6ttsche?= -Date: Mon, 3 May 2021 17:11:07 +0200 -Reference:https://github.com/SELinuxProject/selinux/commit/db69a3d3622005d3ffd62498eac8da1ded264874 -Conflict:adapter filepath -Subject: [PATCH] libselinux: getdefaultcon: free memory on multiple same - arguments -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -Do not leak memory if program arguments get specified more than once. - -Found by clang-anlyzer. - -getdefaultcon.c:52:3: warning: Potential leak of memory pointed to by 'level' [unix.Malloc] - fprintf(stderr, - ^~~~~~~~~~~~~~~ -getdefaultcon.c:52:3: warning: Potential leak of memory pointed to by 'role' [unix.Malloc] - fprintf(stderr, - ^~~~~~~~~~~~~~~ -getdefaultcon.c:52:3: warning: Potential leak of memory pointed to by 'service' [unix.Malloc] - fprintf(stderr, - ^~~~~~~~~~~~~~~ - -Signed-off-by: Christian Göttsche -Signed-off-by: luhuaxin <1539327763@qq.com> ---- - libselinux/utils/getdefaultcon.c | 3 +++ - 1 file changed, 3 insertions(+) - -diff --git a/utils/getdefaultcon.c b/utils/getdefaultcon.c -index 96a5a8c..957c1cb 100644 ---- a/utils/getdefaultcon.c -+++ b/utils/getdefaultcon.c -@@ -28,12 +28,15 @@ int main(int argc, char **argv) - while ((opt = getopt(argc, argv, "l:r:s:v")) > 0) { - switch (opt) { - case 'l': -+ free(level); - level = strdup(optarg); - break; - case 'r': -+ free(role); - role = strdup(optarg); - break; - case 's': -+ free(service); - service = strdup(optarg); - break; - case 'v': --- -1.8.3.1 - diff --git a/backport-libselinux-init_selinux_config-free-resources-on-err.patch b/backport-libselinux-init_selinux_config-free-resources-on-err.patch deleted file mode 100644 index 59c4c668fcf236d4a1a82562464508b8f395893a..0000000000000000000000000000000000000000 --- a/backport-libselinux-init_selinux_config-free-resources-on-err.patch +++ /dev/null @@ -1,56 +0,0 @@ -From 9ab27e21800e8b5589eef0fa9242042567e9bc78 Mon Sep 17 00:00:00 2001 -From: =?UTF-8?q?Christian=20G=C3=B6ttsche?= -Date: Mon, 3 May 2021 17:11:13 +0200 -Reference:https://github.com/SELinuxProject/selinux/commit/9ab27e21800e8b5589eef0fa9242042567e9bc78 -Conflict:adapter filepath -Subject: [PATCH] libselinux: init_selinux_config(): free resources on error -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -Found by Infer. - -selinux_config.c:181: error: Resource Leak - resource of type `_IO_FILE` acquired by call to `fopen()` at line 165, column 7 is not released after line 181, column 6. - 179. type = strdup(buf_p + sizeof(SELINUXTYPETAG) - 1); - 180. if (!type) - 181. return; - ^ - 182. end = type + strlen(type) - 1; - 183. while ((end > type) && - -Signed-off-by: Christian Göttsche -Signed-off-by: luhuaxin <1539327763@qq.com> ---- - libselinux/src/selinux_config.c | 7 ++++++- - 1 file changed, 6 insertions(+), 1 deletion(-) - -diff --git a/src/selinux_config.c b/src/selinux_config.c -index 6c52389..97f81a8 100644 ---- a/src/selinux_config.c -+++ b/src/selinux_config.c -@@ -177,8 +177,11 @@ static void init_selinux_config(void) - if (!strncasecmp(buf_p, SELINUXTYPETAG, - sizeof(SELINUXTYPETAG) - 1)) { - type = strdup(buf_p + sizeof(SELINUXTYPETAG) - 1); -- if (!type) -+ if (!type) { -+ free(line_buf); -+ fclose(fp); - return; -+ } - end = type + strlen(type) - 1; - while ((end > type) && - (isspace(*end) || iscntrl(*end))) { -@@ -187,6 +190,8 @@ static void init_selinux_config(void) - } - if (setpolicytype(type) != 0) { - free(type); -+ free(line_buf); -+ fclose(fp); - return; - } - free(type); --- -1.8.3.1 - diff --git a/backport-libselinux-label_db-db_init-open-file-with-CLOEXEC-m.patch b/backport-libselinux-label_db-db_init-open-file-with-CLOEXEC-m.patch deleted file mode 100644 index ea4dc24bb72e25e712298010944057ca22fc5805..0000000000000000000000000000000000000000 --- a/backport-libselinux-label_db-db_init-open-file-with-CLOEXEC-m.patch +++ /dev/null @@ -1,39 +0,0 @@ -From e1999379dfc6d12abb9fa454ac01d4239baf361f Mon Sep 17 00:00:00 2001 -From: =?UTF-8?q?Christian=20G=C3=B6ttsche?= -Date: Mon, 3 May 2021 17:11:19 +0200 -Reference:https://github.com/SELinuxProject/selinux/commit/e1999379dfc6d12abb9fa454ac01d4239baf361f -Conflict:adapter filepath -Subject: [PATCH] libselinux: label_db::db_init(): open file with CLOEXEC mode -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -Open the file stream with the `e` flag, so that the underlying file -descriptor gets closed on an exec in a potential sibling thread. - -Also drop the flag `b`, since it is ignored on POSIX systems. - -Found by clang-tidy. - -Signed-off-by: Christian Göttsche -Signed-off-by: luhuaxin <1539327763@qq.com> ---- - libselinux/src/label_db.c | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/src/label_db.c b/src/label_db.c -index fba96c9..94c05c6 100644 ---- a/src/label_db.c -+++ b/src/label_db.c -@@ -277,7 +277,7 @@ db_init(const struct selinux_opt *opts, unsigned nopts, - if (!path) - path = selinux_sepgsql_context_path(); - -- if ((filp = fopen(path, "rb")) == NULL) { -+ if ((filp = fopen(path, "re")) == NULL) { - free(catalog); - return NULL; - } --- -1.8.3.1 - diff --git a/backport-libselinux-label_file-init-do-not-pass-NULL-to-strdu.patch b/backport-libselinux-label_file-init-do-not-pass-NULL-to-strdu.patch deleted file mode 100644 index b48dfb4363af47bccac7a6160b616e1fdf3c2b4d..0000000000000000000000000000000000000000 --- a/backport-libselinux-label_file-init-do-not-pass-NULL-to-strdu.patch +++ /dev/null @@ -1,51 +0,0 @@ -From bc0a0327ca6e47400e161f6d1e70e08cb350a36f Mon Sep 17 00:00:00 2001 -From: =?UTF-8?q?Christian=20G=C3=B6ttsche?= -Date: Mon, 3 May 2021 17:11:15 +0200 -Reference:https://github.com/SELinuxProject/selinux/commit/bc0a0327ca6e47400e161f6d1e70e08cb350a36f -Conflict:adapter filepath -Subject: [PATCH] libselinux: label_file::init(): do not pass NULL to strdup -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -If any of the build flags `BUILD_HOST` or `ANDROID` is set and the -caller did not pass an option of type `SELABEL_OPT_PATH`, the variable -`path` might be not set. -Add a check to avoid calling `strdup()` with a NULL pointer. - -Found by cppcheck. - -src/label_file.c:759:26: warning: Possible null pointer dereference: path [nullPointer] - rec->spec_file = strdup(path); - ^ -src/label_file.c:713:21: note: Assignment 'path=NULL', assigned value is 0 - const char *path = NULL; - ^ -src/label_file.c:759:26: note: Null pointer dereference - rec->spec_file = strdup(path); - ^ - -Signed-off-by: Christian Göttsche -Signed-off-by: luhuaxin <1539327763@qq.com> ---- - libselinux/src/label_file.c | 4 ++++ - 1 file changed, 4 insertions(+) - -diff --git a/src/label_file.c b/src/label_file.c -index b080fcf..4268b52 100644 ---- a/src/label_file.c -+++ b/src/label_file.c -@@ -756,6 +756,10 @@ static int init(struct selabel_handle *rec, const struct selinux_opt *opts, - } - - #endif -+ -+ if (!path) -+ goto finish; -+ - rec->spec_file = strdup(path); - - /* --- -1.8.3.1 - diff --git a/backport-libselinux-make-selinux_status_open-3-reentrant.patch b/backport-libselinux-make-selinux_status_open-3-reentrant.patch deleted file mode 100644 index c0a3d227efa3c6cfd3eca4980cc03ed4d736ed5e..0000000000000000000000000000000000000000 --- a/backport-libselinux-make-selinux_status_open-3-reentrant.patch +++ /dev/null @@ -1,42 +0,0 @@ -From c5a699046f4a08a554d2da9121924fc80bf27cba Mon Sep 17 00:00:00 2001 -From: =?UTF-8?q?Christian=20G=C3=B6ttsche?= -Date: Mon, 10 May 2021 12:56:47 +0200 -Reference:https://github.com/SELinuxProject/selinux/commit/c5a699046f4a08a554d2da9121924fc80bf27cba -Conflict:adapter filepath and context -Subject: [PATCH] libselinux: make selinux_status_open(3) reentrant -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -Do not mmap the status page again if `selinux_status_open(3)` has already -been called with success. - -`selinux_status_open(3)` might be called unintentionally multiple times, -e.g. once to manually be able to call `selinux_status_getenforce(3)` and -once indirectly through `selinux_check_access(3)` -(since libselinux 3.2). - -Signed-off-by: Christian Göttsche -Signed-off-by: luhuaxin <1539327763@qq.com> ---- - libselinux/src/sestatus.c | 4 ++++ - 1 file changed, 4 insertions(+) - -diff --git a/src/sestatus.c b/src/sestatus.c -index 12b015e..531a522 100644 ---- a/src/sestatus.c -+++ b/src/sestatus.c -@@ -282,6 +282,10 @@ int selinux_status_open(int fallback) - char path[PATH_MAX]; - long pagesize; - -+ if (selinux_status != NULL) { -+ return 0; -+ } -+ - if (!selinux_mnt) { - errno = ENOENT; - return -1; --- -1.8.3.1 - diff --git a/backport-libselinux-matchmediacon-close-file-on-error.patch b/backport-libselinux-matchmediacon-close-file-on-error.patch deleted file mode 100644 index bec577b29ed072193a3053648d299748f8924fa3..0000000000000000000000000000000000000000 --- a/backport-libselinux-matchmediacon-close-file-on-error.patch +++ /dev/null @@ -1,42 +0,0 @@ -From 0280a2a70c35c5c319f82f37a685424706b03ad4 Mon Sep 17 00:00:00 2001 -From: =?UTF-8?q?Christian=20G=C3=B6ttsche?= -Date: Mon, 3 May 2021 17:11:11 +0200 -Reference:https://github.com/SELinuxProject/selinux/commit/0280a2a70c35c5c319f82f37a685424706b03ad4 -Conflict:adapter filepath -Subject: [PATCH] libselinux: matchmediacon(): close file on error -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -Found by Infer. - -matchmediacon.c:25: error: Resource Leak - resource of type `_IO_FILE` acquired to `return` by call to `fopen()` at line 21, column 16 is not released after line 25, column 4. - 23. while (!feof_unlocked(infile)) { - 24. if (!fgets_unlocked(current_line, sizeof(current_line), infile)) { - 25. return -1; - ^ - 26. } - 27. if (current_line[strlen(current_line) - 1]) - -Signed-off-by: Christian Göttsche -Signed-off-by: luhuaxin <1539327763@qq.com> ---- - libselinux/src/matchmediacon.c | 1 + - 1 file changed, 1 insertion(+) - -diff --git a/src/matchmediacon.c b/src/matchmediacon.c -index 23d01af..d3d9504 100644 ---- a/src/matchmediacon.c -+++ b/src/matchmediacon.c -@@ -22,6 +22,7 @@ int matchmediacon(const char *media, char ** con) - return -1; - while (!feof_unlocked(infile)) { - if (!fgets_unlocked(current_line, sizeof(current_line), infile)) { -+ fclose(infile); - return -1; - } - if (current_line[strlen(current_line) - 1]) --- -1.8.3.1 - diff --git a/backport-libselinux-matchpathcon-free-memory-on-realloc-failu.patch b/backport-libselinux-matchpathcon-free-memory-on-realloc-failu.patch deleted file mode 100644 index 8e50cddb164000de7c7fdeb05bea36b8d7c6f0c0..0000000000000000000000000000000000000000 --- a/backport-libselinux-matchpathcon-free-memory-on-realloc-failu.patch +++ /dev/null @@ -1,83 +0,0 @@ -From 65f1ccbecc30d31e66126e470d404b757eb9898e Mon Sep 17 00:00:00 2001 -From: =?UTF-8?q?Christian=20G=C3=B6ttsche?= -Date: Mon, 3 May 2021 17:11:17 +0200 -Reference:https://github.com/SELinuxProject/selinux/commit/65f1ccbecc30d31e66126e470d404b757eb9898e -Conflict:adapter filepath -Subject: [PATCH] libselinux: matchpathcon: free memory on realloc failure -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -In case `realloc()` fails and returns NULL, free the passed array, -instead of just setting the size helper variables to 0. - -Also free the string contents in `free_array_elts()` of the array -`con_array`, instead of just the array of pointers. - -Found by cppcheck. - -src/matchpathcon.c:86:4: error: Common realloc mistake: 'con_array' nulled but not freed upon failure [memleakOnRealloc] - con_array = (char **)realloc(con_array, sizeof(char*) * - ^ - -Signed-off-by: Christian Göttsche -Signed-off-by: luhuaxin <1539327763@qq.com> ---- - libselinux/src/matchpathcon.c | 26 ++++++++++++++++---------- - 1 file changed, 16 insertions(+), 10 deletions(-) - -diff --git a/src/matchpathcon.c b/src/matchpathcon.c -index 9e1fab5..075a3fb 100644 ---- a/src/matchpathcon.c -+++ b/src/matchpathcon.c -@@ -78,17 +78,30 @@ static pthread_once_t once = PTHREAD_ONCE_INIT; - static pthread_key_t destructor_key; - static int destructor_key_initialized = 0; - -+static void free_array_elts(void) -+{ -+ int i; -+ for (i = 0; i < con_array_used; i++) -+ free(con_array[i]); -+ free(con_array); -+ -+ con_array_size = con_array_used = 0; -+ con_array = NULL; -+} -+ - static int add_array_elt(char *con) - { -+ char **tmp; - if (con_array_size) { - while (con_array_used >= con_array_size) { - con_array_size *= 2; -- con_array = (char **)realloc(con_array, sizeof(char*) * -+ tmp = (char **)realloc(con_array, sizeof(char*) * - con_array_size); -- if (!con_array) { -- con_array_size = con_array_used = 0; -+ if (!tmp) { -+ free_array_elts(); - return -1; - } -+ con_array = tmp; - } - } else { - con_array_size = 1000; -@@ -105,13 +118,6 @@ static int add_array_elt(char *con) - return con_array_used++; - } - --static void free_array_elts(void) --{ -- con_array_size = con_array_used = 0; -- free(con_array); -- con_array = NULL; --} -- - void set_matchpathcon_invalidcon(int (*f) (const char *p, unsigned l, char *c)) - { - myinvalidcon = f; --- -1.8.3.1 - diff --git a/backport-libselinux-selabel_get_digests_all_partial_matches-f.patch b/backport-libselinux-selabel_get_digests_all_partial_matches-f.patch deleted file mode 100644 index fb4b28e08f6a85064a9b9ce9efb0b7198c0f6704..0000000000000000000000000000000000000000 --- a/backport-libselinux-selabel_get_digests_all_partial_matches-f.patch +++ /dev/null @@ -1,54 +0,0 @@ -From d0c02882b7fdcf5e6478f9a82ac2946174f4bca4 Mon Sep 17 00:00:00 2001 -From: =?UTF-8?q?Christian=20G=C3=B6ttsche?= -Date: Mon, 3 May 2021 17:10:53 +0200 -Reference:https://github.com/SELinuxProject/selinux/commit/d0c02882b7fdcf5e6478f9a82ac2946174f4bca4 -Conflict:adapter filepath -Subject: [PATCH] libselinux: selabel_get_digests_all_partial_matches: free - memory after FTS_D block -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -Free all memory from `selabel_get_digests_all_partial_matches()` in case -of success and failure. - -Found by clang-analyzer. - -Signed-off-by: Christian Göttsche -Signed-off-by: luhuaxin <1539327763@qq.com> ---- - libselinux/utils/selabel_get_digests_all_partial_matches.c | 10 +++++----- - 1 file changed, 5 insertions(+), 5 deletions(-) - -diff --git a/utils/selabel_get_digests_all_partial_matches.c b/utils/selabel_get_digests_all_partial_matches.c -index 0c2edc6..e28833d 100644 ---- a/utils/selabel_get_digests_all_partial_matches.c -+++ b/utils/selabel_get_digests_all_partial_matches.c -@@ -128,7 +128,7 @@ int main(int argc, char **argv) - printf("No SHA1 digest available for: %s\n", - ftsent->fts_path); - printf("as file_context entry is \"<>\"\n"); -- break; -+ goto cleanup; - } - - printf("The file_context entries for: %s\n", -@@ -149,11 +149,11 @@ int main(int argc, char **argv) - xattr_digest[i]); - printf("%s\n", sha1_buf); - } -- -- free(xattr_digest); -- free(calculated_digest); -- free(sha1_buf); - } -+ cleanup: -+ free(xattr_digest); -+ free(calculated_digest); -+ free(sha1_buf); - break; - } - default: --- -1.8.3.1 - diff --git a/backport-libselinux-selinux_check_passwd_access_internal-resp.patch b/backport-libselinux-selinux_check_passwd_access_internal-resp.patch deleted file mode 100644 index f864442a4bbae22157a8104382b53c8a6b4a404f..0000000000000000000000000000000000000000 --- a/backport-libselinux-selinux_check_passwd_access_internal-resp.patch +++ /dev/null @@ -1,48 +0,0 @@ -From a88d24522fe74100478122c298aa4ace1af876fd Mon Sep 17 00:00:00 2001 -From: =?UTF-8?q?Christian=20G=C3=B6ttsche?= -Date: Mon, 10 May 2021 12:12:38 +0200 -Reference:https://github.com/SELinuxProject/selinux/commit/a88d24522fe74100478122c298aa4ace1af876fd -Conflict:adapter filepath -Subject: [PATCH] libselinux: selinux_check_passwd_access_internal(): respect - deny_unknown -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -`selinux_check_passwd_access_internal()`, and thereby -`checkPasswdAccess(3)` and `selinux_check_passwd_access(3)`, does not -respect the policy defined setting of `deny_unknown`, like -`selinux_check_access(3)` does. -This means in case the security class `passwd` is not defined, success -is returned instead of failure, i.e. permission denied. - -Most policies should define the `passwd` class and the two affected -public functions are marked deprecated. - -Align the behavior with `selinux_check_access(3)` and respect -the deny_unknown setting in case the security class is not defined. - -Signed-off-by: Christian Göttsche -Signed-off-by: luhuaxin <1539327763@qq.com> ---- - libselinux/src/checkAccess.c | 4 +++- - 1 file changed, 3 insertions(+), 1 deletion(-) - -diff --git a/src/checkAccess.c b/src/checkAccess.c -index b337ea6..022cd6b 100644 ---- a/src/checkAccess.c -+++ b/src/checkAccess.c -@@ -78,7 +78,9 @@ static int selinux_check_passwd_access_internal(access_vector_t requested) - passwd_class = string_to_security_class("passwd"); - if (passwd_class == 0) { - freecon(user_context); -- return 0; -+ if (security_deny_unknown() == 0) -+ return 0; -+ return -1; - } - - retval = security_compute_av_raw(user_context, --- -1.8.3.1 - diff --git a/backport-libselinux-selinux_status_open-return-1-in-fallback-.patch b/backport-libselinux-selinux_status_open-return-1-in-fallback-.patch deleted file mode 100644 index e488c36e5dc81b996cd620189f877abadd3bd01c..0000000000000000000000000000000000000000 --- a/backport-libselinux-selinux_status_open-return-1-in-fallback-.patch +++ /dev/null @@ -1,39 +0,0 @@ -From ed2e4db2f9941e01e65248ce5f0a9e49f3efd130 Mon Sep 17 00:00:00 2001 -From: =?UTF-8?q?Christian=20G=C3=B6ttsche?= -Date: Tue, 1 Jun 2021 17:05:23 +0200 -Reference:https://github.com/SELinuxProject/selinux/commit/ed2e4db2f9941e01e65248ce5f0a9e49f3efd130 -Conflict:adapter filepath and context -Subject: [PATCH] libselinux: selinux_status_open: return 1 in fallback mode -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -In case of a recurring call to `selinux_status_open(3)`, which -previously has been opened in fallback mode, return `1` according to its -documentation. - -Fixes: c5a699046f4 ("libselinux: make selinux_status_open(3) reentrant") - -Signed-off-by: Christian Göttsche -Acked-by: Petr Lautrbach -Signed-off-by: luhuaxin <1539327763@qq.com> ---- - libselinux/src/sestatus.c | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/src/sestatus.c b/src/sestatus.c -index 531a522..89c1f62 100644 ---- a/src/sestatus.c -+++ b/src/sestatus.c -@@ -283,7 +283,7 @@ int selinux_status_open(int fallback) - long pagesize; - - if (selinux_status != NULL) { -- return 0; -+ return (selinux_status == MAP_FAILED) ? 1 : 0; - } - - if (!selinux_mnt) { --- -1.8.3.1 - diff --git a/backport-libselinux-store_stem-do-not-free-possible-non-heap-.patch b/backport-libselinux-store_stem-do-not-free-possible-non-heap-.patch deleted file mode 100644 index 130a05333ffe73b9c65ef9ee4fc4f229f33cf7b4..0000000000000000000000000000000000000000 --- a/backport-libselinux-store_stem-do-not-free-possible-non-heap-.patch +++ /dev/null @@ -1,65 +0,0 @@ -From 6e5d16a012e1845774da106846b87090d39ea8f3 Mon Sep 17 00:00:00 2001 -From: =?UTF-8?q?Christian=20G=C3=B6ttsche?= -Date: Mon, 3 May 2021 17:11:09 +0200 -Reference:https://github.com/SELinuxProject/selinux/commit/6e5d16a012e1845774da106846b87090d39ea8f3 -Conflict:adapter filepath -Subject: [PATCH] libselinux: store_stem(): do not free possible non-heap - object -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -GCC 11 complains: - -In file included from label_file.c:24: -In function ‘store_stem’, - inlined from ‘load_mmap’ at label_file.c:277:12, - inlined from ‘process_file’ at label_file.c:551:5: -label_file.h:289:25: error: ‘free’ called on pointer ‘*mmap_area.next_addr’ with nonzero offset 4 [-Werror=free-nonheap-object] - 289 | free(buf); - | ^~~~~~~~~ - -Free the pointer on failure at the caller instead of inside `store_stem()`. - -Signed-off-by: Christian Göttsche -Signed-off-by: luhuaxin <1539327763@qq.com> ---- - libselinux/src/label_file.h | 8 ++++++-- - 1 file changed, 6 insertions(+), 2 deletions(-) - -diff --git a/src/label_file.h b/src/label_file.h -index baed334..9f63370 100644 ---- a/src/label_file.h -+++ b/src/label_file.h -@@ -286,7 +286,6 @@ static inline int store_stem(struct saved_data *data, char *buf, int stem_len) - tmp_arr = realloc(data->stem_arr, - sizeof(*tmp_arr) * alloc_stems); - if (!tmp_arr) { -- free(buf); - return -1; - } - data->alloc_stems = alloc_stems; -@@ -308,6 +307,7 @@ static inline int find_stem_from_spec(struct saved_data *data, const char *buf) - int stem_len = get_stem_from_spec(buf); - int stemid; - char *stem; -+ int r; - - if (!stem_len) - return -1; -@@ -321,7 +321,11 @@ static inline int find_stem_from_spec(struct saved_data *data, const char *buf) - if (!stem) - return -1; - -- return store_stem(data, stem, stem_len); -+ r = store_stem(data, stem, stem_len); -+ if (r < 0) -+ free(stem); -+ -+ return r; - } - - /* This will always check for buffer over-runs and either read the next entry --- -1.8.3.1 - diff --git a/libselinux-3.1.tar.gz b/libselinux-3.1.tar.gz deleted file mode 100644 index 5ef98b716c20173931530538f48ae71d3d489f3d..0000000000000000000000000000000000000000 Binary files a/libselinux-3.1.tar.gz and /dev/null differ diff --git a/libselinux-3.3.tar.gz b/libselinux-3.3.tar.gz new file mode 100644 index 0000000000000000000000000000000000000000..200b297e794cdbff714e03bf2647e045720b5404 Binary files /dev/null and b/libselinux-3.3.tar.gz differ diff --git a/libselinux.spec b/libselinux.spec index 6974eb87efdb6af90c0ac1fbc1692d210f1f74ce..fd737ec6207fb7da08bc8f4778d68347422e6cec 100644 --- a/libselinux.spec +++ b/libselinux.spec @@ -1,30 +1,13 @@ %global ruby_inc %(pkg-config --cflags ruby) -%global libsepol_version 3.1 +%global libsepol_version 3.3 Name: libselinux -Version: 3.1 -Release: 5 +Version: 3.3 +Release: 1 License: Public Domain Summary: SELinux library and simple utilities Url: https://github.com/SELinuxProject/selinux/wiki -Source0: https://github.com/SELinuxProject/selinux/releases/download/20200710/libselinux-3.1.tar.gz - -#Patch0: libselinux-Use-Python-distutils-to-install-SELinux-p.patch - -Patch6000: backport-libselinux-fix-segfault-in-add_xattr_entry.patch -Patch6001: backport-libselinux-selinux_check_passwd_access_internal-resp.patch -Patch6002: backport-libselinux-selabel_get_digests_all_partial_matches-f.patch -Patch6003: backport-libselinux-getconlist-free-memory-on-multiple-level-.patch -Patch6004: backport-libselinux-getdefaultcon-free-memory-on-multiple-sam.patch -Patch6005: backport-libselinux-store_stem-do-not-free-possible-non-heap-.patch -Patch6006: backport-libselinux-matchmediacon-close-file-on-error.patch -Patch6007: backport-libselinux-init_selinux_config-free-resources-on-err.patch -Patch6008: backport-libselinux-label_file-init-do-not-pass-NULL-to-strdu.patch -Patch6009: backport-libselinux-matchpathcon-free-memory-on-realloc-failu.patch -Patch6010: backport-libselinux-label_db-db_init-open-file-with-CLOEXEC-m.patch -Patch6011: backport-libselinux-make-selinux_status_open-3-reentrant.patch -Patch6012: backport-libselinux-selinux_status_open-return-1-in-fallback-.patch -Patch6013: backport-libselinux-Fix-potential-undefined-shifts.patch +Source0: https://github.com/SELinuxProject/selinux/releases/download/3.3/libselinux-3.3.tar.gz Patch9000: do-malloc-trim-after-load-policy.patch @@ -145,6 +128,9 @@ mv %{buildroot}%{_sbindir}/getconlist %{buildroot}%{_sbindir}/selinuxconlist %{_mandir}/ru/man8/* %changelog +* Wed Dec 8 2021 lujie - 3.3-1 +- update libselinux-3.1 to libselinux-3.3 + * Tue Nov 16 2021 luhuaxin <1539327763@qq.com> - 3.1-5 - backport upstream patches