diff --git a/backport-libselinux-Close-leaked-FILEs.patch b/backport-libselinux-Close-leaked-FILEs.patch
deleted file mode 100644
index 9e6fb2d98910784d6578e2125e005e4fad90e929..0000000000000000000000000000000000000000
--- a/backport-libselinux-Close-leaked-FILEs.patch
+++ /dev/null
@@ -1,55 +0,0 @@
-From c1a8da6e4a2b53ea346d4493346cde7c0a5a5f49 Mon Sep 17 00:00:00 2001
-From: Petr Lautrbach
-Date: Fri, 11 Mar 2022 12:53:30 +0100
-Subject: [PATCH] libselinux: Close leaked FILEs
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-Fixes:
-label_media.c:94:24: warning: leak of FILE ‘fopen (path_28, "re")’ [CWE-775] [-Wanalyzer-file-leak]
-label_x.c:121:24: warning: leak of FILE ‘fopen (path_28, "re")’ [CWE-775] [-Wanalyzer-file-leak]
-
-Signed-off-by: Petr Lautrbach
----
- src/label_media.c | 4 ++--
- src/label_x.c | 4 ++--
- 2 files changed, 4 insertions(+), 4 deletions(-)
-
-diff --git a/src/label_media.c b/src/label_media.c
-index eb27deaf..3137c18e 100644
---- a/src/label_media.c
-+++ b/src/label_media.c
-@@ -95,10 +95,10 @@ static int init(struct selabel_handle *rec, const struct selinux_opt *opts,
- __fsetlocking(fp, FSETLOCKING_BYCALLER);
-
- if (fstat(fileno(fp), &sb) < 0)
-- return -1;
-+ goto finish;
- if (!S_ISREG(sb.st_mode)) {
- errno = EINVAL;
-- return -1;
-+ goto finish;
- }
- rec->spec_file = strdup(path);
-
-diff --git a/src/label_x.c b/src/label_x.c
-index e9fa063f..e6e8d9f6 100644
---- a/src/label_x.c
-+++ b/src/label_x.c
-@@ -122,10 +122,10 @@ static int init(struct selabel_handle *rec, const struct selinux_opt *opts,
- __fsetlocking(fp, FSETLOCKING_BYCALLER);
-
- if (fstat(fileno(fp), &sb) < 0)
-- return -1;
-+ goto finish;
- if (!S_ISREG(sb.st_mode)) {
- errno = EINVAL;
-- return -1;
-+ goto finish;
- }
- rec->spec_file = strdup(path);
-
--
-2.27.0
-
diff --git a/backport-libselinux-free-memory-in-error-branch.patch b/backport-libselinux-free-memory-in-error-branch.patch
deleted file mode 100644
index 38b96bd80f5e32b323560aa11715763ca49e6fa1..0000000000000000000000000000000000000000
--- a/backport-libselinux-free-memory-in-error-branch.patch
+++ /dev/null
@@ -1,38 +0,0 @@
-From 8266fd9401b920bd3552410ebe215069891c373f Mon Sep 17 00:00:00 2001
-From: =?UTF-8?q?Christian=20G=C3=B6ttsche?=
-Date: Tue, 10 May 2022 19:45:51 +0200
-Subject: [PATCH] libselinux: free memory in error branch
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-In case the allocation for the filename fails, free the memory of the context.
-
-Signed-off-by: Christian Göttsche
-Acked-by: James Carter
----
- src/selinux_restorecon.c | 4 +++-
- 1 file changed, 3 insertions(+), 1 deletion(-)
-
-diff --git a/src/selinux_restorecon.c b/src/selinux_restorecon.c
-index 12b85101..c8db26c2 100644
---- a/src/selinux_restorecon.c
-+++ b/src/selinux_restorecon.c
-@@ -487,11 +487,13 @@ static int filespec_add(ino_t ino, const char *con, const char *file,
- goto oom_freefl;
- fl->file = strdup(file);
- if (!fl->file)
-- goto oom_freefl;
-+ goto oom_freeflcon;
- fl->next = prevfl->next;
- prevfl->next = fl;
- return 0;
-
-+oom_freeflcon:
-+ free(fl->con);
- oom_freefl:
- free(fl);
- oom:
--
-2.27.0
-
diff --git a/backport-libselinux-free-memory-on-selabel_open-3-failure.patch b/backport-libselinux-free-memory-on-selabel_open-3-failure.patch
deleted file mode 100644
index 84996bc8509a3bcaf640778a3f609bdc89372473..0000000000000000000000000000000000000000
--- a/backport-libselinux-free-memory-on-selabel_open-3-failure.patch
+++ /dev/null
@@ -1,34 +0,0 @@
-From b9a4d13a300665098f04bf5108929ea54668b1bf Mon Sep 17 00:00:00 2001
-From: =?UTF-8?q?Christian=20G=C3=B6ttsche?=
-Date: Wed, 13 Apr 2022 17:56:32 +0200
-Subject: [PATCH] libselinux: free memory on selabel_open(3) failure
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-If selabel_open(3) fails, e.g. when a specfile has the wrong file
-permissions, free the memory allocated for digests.
-
-Fixes: e40bbea9 ("libselinux: Add selabel_digest function")
-Acked-by: James Carter
-Signed-off-by: Christian Göttsche
----
- src/label.c | 2 ++
- 1 file changed, 2 insertions(+)
-
-diff --git a/src/label.c b/src/label.c
-index a03192e5..586e5e5e 100644
---- a/src/label.c
-+++ b/src/label.c
-@@ -226,6 +226,8 @@ struct selabel_handle *selabel_open(unsigned int backend,
- rec->digest = selabel_is_digest_set(opts, nopts, rec->digest);
-
- if ((*initfuncs[backend])(rec, opts, nopts)) {
-+ if (rec->digest)
-+ selabel_digest_fini(rec->digest);
- free(rec->spec_file);
- free(rec);
- rec = NULL;
--
-2.27.0
-
diff --git a/backport-libselinux-restorecon-misc-tweaks.patch b/backport-libselinux-restorecon-misc-tweaks.patch
deleted file mode 100644
index d2752b43e71c66556fe347156cc42102c70c3812..0000000000000000000000000000000000000000
--- a/backport-libselinux-restorecon-misc-tweaks.patch
+++ /dev/null
@@ -1,114 +0,0 @@
-From 657420d67fcca479fa495b09c540b3cecb539e9e Mon Sep 17 00:00:00 2001
-From: =?UTF-8?q?Christian=20G=C3=B6ttsche?=
-Date: Wed, 11 May 2022 20:42:23 +0200
-Subject: [PATCH] libselinux: restorecon: misc tweaks
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-* mark read-only parameters const
-* check for overflow when adding exclude directory
-* use 64 bit integer for file counting
-* avoid implicit conversions
-
-Signed-off-by: Christian Göttsche
-Acked-by: James Carter
----
- src/selinux_restorecon.c | 26 +++++++++++++++++---------
- 1 file changed, 17 insertions(+), 9 deletions(-)
-
-diff --git a/src/selinux_restorecon.c b/src/selinux_restorecon.c
-index e6192912..c158ead8 100644
---- a/src/selinux_restorecon.c
-+++ b/src/selinux_restorecon.c
-@@ -44,7 +44,7 @@
- static struct selabel_handle *fc_sehandle = NULL;
- static bool selabel_no_digest;
- static char *rootpath = NULL;
--static int rootpathlen;
-+static size_t rootpathlen;
-
- /* Information on excluded fs and directories. */
- struct edir {
-@@ -55,7 +55,7 @@ struct edir {
- };
- #define CALLER_EXCLUDED true
- static bool ignore_mounts;
--static int exclude_non_seclabel_mounts(void);
-+static uint64_t exclude_non_seclabel_mounts(void);
- static int exclude_count = 0;
- static struct edir *exclude_lst = NULL;
- static uint64_t fc_count = 0; /* Number of files processed so far */
-@@ -169,6 +169,12 @@ static int add_exclude(const char *directory, bool who)
- return -1;
- }
-
-+ if (exclude_count >= INT_MAX - 1) {
-+ selinux_log(SELINUX_ERROR, "Too many directory excludes: %d.\n", exclude_count);
-+ errno = EOVERFLOW;
-+ return -1;
-+ }
-+
- tmp_list = realloc(exclude_lst,
- sizeof(struct edir) * (exclude_count + 1));
- if (!tmp_list)
-@@ -211,10 +217,10 @@ static int check_excluded(const char *file)
- return 0;
- }
-
--static int file_system_count(char *name)
-+static uint64_t file_system_count(const char *name)
- {
- struct statvfs statvfs_buf;
-- int nfile = 0;
-+ uint64_t nfile = 0;
-
- memset(&statvfs_buf, 0, sizeof(statvfs_buf));
- if (!statvfs(name, &statvfs_buf))
-@@ -230,12 +236,13 @@ static int file_system_count(char *name)
- * that support security labels have the seclabel option, return
- * approximate total file count.
- */
--static int exclude_non_seclabel_mounts(void)
-+static uint64_t exclude_non_seclabel_mounts(void)
- {
- struct utsname uts;
- FILE *fp;
- size_t len;
-- int index = 0, found = 0, nfile = 0;
-+ int index = 0, found = 0;
-+ uint64_t nfile = 0;
- char *mount_info[4];
- char *buf = NULL, *item;
-
-@@ -300,7 +307,8 @@ static int add_xattr_entry(const char *directory, bool delete_nonmatch,
- {
- char *sha1_buf = NULL;
- size_t i, digest_len = 0;
-- int rc, digest_result;
-+ int rc;
-+ enum digest_result digest_result;
- bool match;
- struct dir_xattr *new_entry;
- uint8_t *xattr_digest = NULL;
-@@ -573,7 +581,7 @@ static void filespec_destroy(void)
- * Called if SELINUX_RESTORECON_SET_SPECFILE_CTX is not set to check if
- * the type components differ, updating newtypecon if so.
- */
--static int compare_types(char *curcon, char *newcon, char **newtypecon)
-+static int compare_types(const char *curcon, const char *newcon, char **newtypecon)
- {
- int types_differ = 0;
- context_t cona;
-@@ -1398,7 +1406,7 @@ void selinux_restorecon_set_exclude_list(const char **exclude_list)
- /* selinux_restorecon_set_alt_rootpath(3) sets an alternate rootpath. */
- int selinux_restorecon_set_alt_rootpath(const char *alt_rootpath)
- {
-- int len;
-+ size_t len;
-
- /* This should be NULL on first use */
- if (rootpath)
---
-2.27.0
-
diff --git a/libselinux-3.3.tar.gz b/libselinux-3.3.tar.gz
deleted file mode 100644
index 200b297e794cdbff714e03bf2647e045720b5404..0000000000000000000000000000000000000000
Binary files a/libselinux-3.3.tar.gz and /dev/null differ
diff --git a/libselinux-3.4.tar.gz b/libselinux-3.4.tar.gz
new file mode 100644
index 0000000000000000000000000000000000000000..487d79aa79e276b53f80ab5ff1009adf31989b9e
Binary files /dev/null and b/libselinux-3.4.tar.gz differ
diff --git a/libselinux.spec b/libselinux.spec
index 64ebb1580bc9b7e656064fd6379848b1a067c6d5..baa653a0061a047635cddbf85a656d1c66f8440d 100644
--- a/libselinux.spec
+++ b/libselinux.spec
@@ -1,19 +1,15 @@ %global ruby_inc %(pkg-config --cflags ruby) -%global libsepol_version 3.3 +%global libsepol_version 3.4 Name: libselinux -Version: 3.3 -Release: 2 +Version: 3.4 +Release: 1 License: Public Domain Summary: SELinux library and simple utilities Url: https://github.com/SELinuxProject/selinux/wiki -Source0: https://github.com/SELinuxProject/selinux/releases/download/3.3/libselinux-3.3.tar.gz +Source0: https://github.com/SELinuxProject/selinux/releases/download/%{version}/libselinux-%{version}.tar.gz -Patch6000: backport-libselinux-Close-leaked-FILEs.patch -Patch6001: backport-libselinux-free-memory-on-selabel_open-3-failure.patch -Patch6002: backport-libselinux-restorecon-misc-tweaks.patch -Patch6003: backport-libselinux-free-memory-in-error-branch.patch -Patch6004: backport-libselinux-restorecon-avoid-printing-NULL-pointer.patch +Patch6000: backport-libselinux-restorecon-avoid-printing-NULL-pointer.patch Patch9000: do-malloc-trim-after-load-policy.patch @@ -134,6 +130,9 @@ mv %{buildroot}%{_sbindir}/getconlist %{buildroot}%{_sbindir}/selinuxconlist %{_mandir}/ru/man8/* %changelog +* Mon Jan 30 2023 zhangguangzhi - 3.4-1 +- update version to 3.4 + * Sun Oct 9 2022 lujie - 3.3-2 - backport upstream patches