diff --git a/backport-libselinux-Close-old-selabel-handle-when-setting-a-n.patch b/backport-libselinux-Close-old-selabel-handle-when-setting-a-n.patch new file mode 100644 index 0000000000000000000000000000000000000000..212dd45394df155958715d2b5ffcf9eaab91d826 --- /dev/null +++ b/backport-libselinux-Close-old-selabel-handle-when-setting-a-n.patch @@ -0,0 +1,32 @@ +From 45fdf23c7b37cfc776def253c0d5bfa1b0758c24 Mon Sep 17 00:00:00 2001 +From: James Carter +Date: Wed, 22 Jan 2025 10:58:27 -0500 +Subject: [PATCH] libselinux: Close old selabel handle when setting a new one + +In selinux_restorecon_set_sehandle(), close the old selabel handle +(if it exists) before setting the new one. + +Signed-off-by: James Carter +Acked-by: Petr Lautrbach +--- + src/selinux_restorecon.c | 4 ++++ + 1 file changed, 4 insertions(+) + +diff --git a/src/selinux_restorecon.c b/src/selinux_restorecon.c +index bc6ed935..ab1c5216 100644 +--- a/src/selinux_restorecon.c ++++ b/src/selinux_restorecon.c +@@ -1367,6 +1367,10 @@ void selinux_restorecon_set_sehandle(struct selabel_handle *hndl) + unsigned char *fc_digest; + size_t num_specfiles, fc_digest_len; + ++ if (fc_sehandle) { ++ selabel_close(fc_sehandle); ++ } ++ + fc_sehandle = hndl; + if (!fc_sehandle) + return; +-- +2.33.0 + diff --git a/backport-libselinux-avoid-logs-in-get_ordered_context_list-wi.patch b/backport-libselinux-avoid-logs-in-get_ordered_context_list-wi.patch new file mode 100644 index 0000000000000000000000000000000000000000..03e019a3d3cc0e79507484725f3994ea35e5c990 --- /dev/null +++ b/backport-libselinux-avoid-logs-in-get_ordered_context_list-wi.patch 
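Review bot: The new `if (fc_sehandle) { selabel_close(fc_sehandle); }` runs before `fc_sehandle = hndl;` without checking whether hndl is the handle that is already installed, so a caller that re-sets the current handle leaves the global pointing at freed memory. Guarding with `if (fc_sehandle && fc_sehandle != hndl) selabel_close(fc_sehandle);` avoids that. The change also turns the call into an ownership transfer, since the library now closes whatever handle was set last, so the public declaration and man page should state that callers must not selabel_close() a handle after passing it in, or the next set would double-free it. The rest of selinux_restorecon_set_sehandle() lies outside the hunk.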
@@ -0,0 +1,120 @@ +From 6e2f7033406aeccc1fb93e580be8120f113520a6 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Christian=20G=C3=B6ttsche?= +Date: Fri, 22 Mar 2024 15:50:19 +0100 +Subject: [PATCH] libselinux: avoid logs in get_ordered_context_list() without + policy +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +If no policy has been loaded yet and thus the current context is still +"kernel" avoid logging failures in get_ordered_context_list(), like: + + get_ordered_context_list: error in processing configuration file /etc/selinux/debian/contexts/users/root + get_ordered_context_list: error in processing configuration file /etc/selinux/debian/contexts/default_contexts + +Move the context parsing from get_context_user() to its caller +get_ordered_context_list(), so an invalid context is not treated as an +get_context_user() failure and not logged. + +Signed-off-by: Christian Göttsche +Acked-by: James Carter +--- + src/get_context_list.c | 24 ++++++++++++------------ + 1 file changed, 12 insertions(+), 12 deletions(-) + +diff --git a/src/get_context_list.c b/src/get_context_list.c +index 7e23be05..0ad24654 100644 +--- a/src/get_context_list.c ++++ b/src/get_context_list.c +@@ -130,7 +130,7 @@ static int is_in_reachable(char **reachable, const char *usercon_str) + } + + static int get_context_user(FILE * fp, +- const char * fromcon, ++ context_t fromcon, + const char * user, + char ***reachable, + unsigned int *nreachable) +@@ -146,7 +146,6 @@ static int get_context_user(FILE * fp, + char **new_reachable = NULL; + char *usercon_str; + const char *usercon_str2; +- context_t con; + context_t usercon; + + int rc; +@@ -155,14 +154,10 @@ static int get_context_user(FILE * fp, + + /* Extract the role and type of the fromcon for matching. + User identity and MLS range can be variable. 
*/ +- con = context_new(fromcon); +- if (!con) +- return -1; +- fromrole = context_role_get(con); +- fromtype = context_type_get(con); +- fromlevel = context_range_get(con); ++ fromrole = context_role_get(fromcon); ++ fromtype = context_type_get(fromcon); ++ fromlevel = context_range_get(fromcon); + if (!fromrole || !fromtype) { +- context_free(con); + return -1; + } + +@@ -296,7 +291,6 @@ static int get_context_user(FILE * fp, + rc = 0; + + out: +- context_free(con); + free(line); + return rc; + } +@@ -418,6 +412,7 @@ int get_ordered_context_list(const char *user, + char *fname = NULL; + size_t fname_len; + const char *user_contexts_path = selinux_user_contexts_path(); ++ context_t con = NULL; + + if (!fromcon) { + /* Get the current context and use it for the starting context */ +@@ -427,6 +422,10 @@ int get_ordered_context_list(const char *user, + fromcon = backup_fromcon; + } + ++ con = context_new(fromcon); ++ if (!con) ++ goto failsafe; ++ + /* Determine the ordering to apply from the optional per-user config + and from the global config. 
*/ + fname_len = strlen(user_contexts_path) + strlen(user) + 2; +@@ -437,7 +436,7 @@ int get_ordered_context_list(const char *user, + fp = fopen(fname, "re"); + if (fp) { + __fsetlocking(fp, FSETLOCKING_BYCALLER); +- rc = get_context_user(fp, fromcon, user, &reachable, &nreachable); ++ rc = get_context_user(fp, con, user, &reachable, &nreachable); + + fclose(fp); + if (rc < 0 && errno != ENOENT) { +@@ -451,7 +450,7 @@ int get_ordered_context_list(const char *user, + fp = fopen(selinux_default_context_path(), "re"); + if (fp) { + __fsetlocking(fp, FSETLOCKING_BYCALLER); +- rc = get_context_user(fp, fromcon, user, &reachable, &nreachable); ++ rc = get_context_user(fp, con, user, &reachable, &nreachable); + fclose(fp); + if (rc < 0 && errno != ENOENT) { + fprintf(stderr, +@@ -472,6 +471,7 @@ int get_ordered_context_list(const char *user, + else + freeconary(reachable); + ++ context_free(con); + freecon(backup_fromcon); + + return rc; +-- +2.33.0 + diff --git a/backport-libselinux-avoid-pointer-dereference-before-check.patch b/backport-libselinux-avoid-pointer-dereference-before-check.patch new file mode 100644 index 0000000000000000000000000000000000000000..c2b4ccfe3305b12c0deda8ba12c988417112e2d8 --- /dev/null +++ b/backport-libselinux-avoid-pointer-dereference-before-check.patch 
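Review bot: The added `if (!con) goto failsafe;` in get_ordered_context_list() treats every context_new() failure as the unparsable "kernel" context the commit message describes, so an allocation failure inside context_new() is also answered silently with the failsafe context instead of an error. If context_new() reports a malformed context with errno == EINVAL (it appears to), take the silent fallback only for that case and otherwise set `rc = -1` and leave through the normal cleanup, whose label is outside the hunk. The trailing `context_free(con);` is placed after `freeconary(reachable);`; whether the failsafe path flows into it is not visible here, but con is NULL on that path, so this only matters if context_free() does not accept NULL. The braces kept around the lone `return -1;` in get_context_user() are harmless but no longer needed.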
@@ -0,0 +1,67 @@ +From 2b6f639a5209f70a6c065f57bfd4b2bf3e28dbe4 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Christian=20G=C3=B6ttsche?= +Date: Mon, 29 Apr 2024 18:39:00 +0200 +Subject: [PATCH] libselinux: avoid pointer dereference before check +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +Since commit 5876aca0 ("libselinux: free data on selabel open failure") +the close handler of label backends must support partial initialized +state, e.g. ->data being NULL. Thus checks for NULL were added, but in +two cases the pointers in question were already dereferenced before. + +Reorder the dereference after the NULL-checks. + +Fixes: 5876aca0 ("libselinux: free data on selabel open failure") +Reported-by: Cppcheck +Signed-off-by: Christian Göttsche +Acked-by: James Carter +--- + src/label_media.c | 4 +++- + src/label_x.c | 4 +++- + 2 files changed, 6 insertions(+), 2 deletions(-) + +diff --git a/src/label_media.c b/src/label_media.c +index 94a58062..852aeada 100644 +--- a/src/label_media.c ++++ b/src/label_media.c +@@ -164,12 +164,14 @@ finish: + static void close(struct selabel_handle *rec) + { + struct saved_data *data = (struct saved_data *)rec->data; +- struct spec *spec, *spec_arr = data->spec_arr; ++ struct spec *spec, *spec_arr; + unsigned int i; + + if (!data) + return; + ++ spec_arr = data->spec_arr; ++ + for (i = 0; i < data->nspec; i++) { + spec = &spec_arr[i]; + free(spec->key); +diff --git a/src/label_x.c b/src/label_x.c +index f994eefa..a8decc7a 100644 +--- a/src/label_x.c ++++ b/src/label_x.c +@@ -191,12 +191,14 @@ finish: + static void close(struct selabel_handle *rec) + { + struct saved_data *data = (struct saved_data *)rec->data; +- struct spec *spec, *spec_arr = data->spec_arr; ++ struct spec *spec, *spec_arr; + unsigned int i; + + if (!data) + return; + ++ spec_arr = data->spec_arr; ++ + for (i = 0; i < data->nspec; i++) { + spec = &spec_arr[i]; + free(spec->key); +-- +2.33.0 + 
diff --git a/backport-libselinux-free-data-on-selabel-open-failure.patch b/backport-libselinux-free-data-on-selabel-open-failure.patch new file mode 100644 index 0000000000000000000000000000000000000000..bf52d8ce802032d10b83ab65a2883a9e5a3245a2 --- /dev/null +++ b/backport-libselinux-free-data-on-selabel-open-failure.patch 
@@ -0,0 +1,120 @@ +From 5876aca0484f3b45636ef6337f06b914a8769cb4 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Christian=20G=C3=B6ttsche?= +Date: Wed, 13 Mar 2024 12:10:24 +0100 +Subject: [PATCH] libselinux: free data on selabel open failure +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +In case the init function for a selabel backend fails, free the possible +already allocated data: + + Direct leak of 16 byte(s) in 1 object(s) allocated from: + #0 0x5e7e2bf001e3 in malloc (/tmp/destdir/usr/sbin/selabel_digest+0xc71e3) + #1 0x7233764baa65 in selabel_media_init /home/christian/Coding/workspaces/selinux/libselinux/src/label_media.c:226:30 + #2 0x7233764ac1fe in selabel_open /home/christian/Coding/workspaces/selinux/libselinux/src/label.c:227:6 + #3 0x5e7e2bf3ebfc in main /home/christian/Coding/workspaces/selinux/libselinux/utils/selabel_digest.c:125:8 + #4 0x7233761856c9 in __libc_start_call_main csu/../sysdeps/nptl/libc_start_call_main.h:58:16 + + SUMMARY: AddressSanitizer: 16 byte(s) leaked in 1 allocation(s). 
+ +Signed-off-by: Christian Göttsche +Acked-by: James Carter +--- + src/label.c | 5 +---- + src/label_backends_android.c | 3 +++ + src/label_db.c | 3 +++ + src/label_file.c | 3 +++ + src/label_media.c | 3 +++ + src/label_x.c | 3 +++ + 6 files changed, 16 insertions(+), 4 deletions(-) + +diff --git a/src/label.c b/src/label.c +index d2e703ef..06d743ec 100644 +--- a/src/label.c ++++ b/src/label.c +@@ -225,10 +225,7 @@ struct selabel_handle *selabel_open(unsigned int backend, + rec->digest = selabel_is_digest_set(opts, nopts, rec->digest); + + if ((*initfuncs[backend])(rec, opts, nopts)) { +- if (rec->digest) +- selabel_digest_fini(rec->digest); +- free(rec->spec_file); +- free(rec); ++ selabel_close(rec); + rec = NULL; + } + +diff --git a/src/label_backends_android.c b/src/label_backends_android.c +index 33a17236..49a87686 100644 +--- a/src/label_backends_android.c ++++ b/src/label_backends_android.c +@@ -246,6 +246,9 @@ static void closef(struct selabel_handle *rec) + struct spec *spec; + unsigned int i; + ++ if (!data) ++ return; ++ + for (i = 0; i < data->nspec; i++) { + spec = &data->spec_arr[i]; + free(spec->property_key); +diff --git a/src/label_db.c b/src/label_db.c +index 2ff10b2f..40d5fc4a 100644 +--- a/src/label_db.c ++++ b/src/label_db.c +@@ -178,6 +178,9 @@ db_close(struct selabel_handle *rec) + spec_t *spec; + unsigned int i; + ++ if (!catalog) ++ return; ++ + for (i = 0; i < catalog->nspec; i++) { + spec = &catalog->specs[i]; + free(spec->key); +diff --git a/src/label_file.c b/src/label_file.c +index 3b2bda97..2732972e 100644 +--- a/src/label_file.c ++++ b/src/label_file.c +@@ -904,6 +904,9 @@ static void closef(struct selabel_handle *rec) + struct stem *stem; + unsigned int i; + ++ if (!data) ++ return; ++ + selabel_subs_fini(data->subs); + selabel_subs_fini(data->dist_subs); + +diff --git a/src/label_media.c b/src/label_media.c +index fad5ea6d..94a58062 100644 +--- a/src/label_media.c ++++ b/src/label_media.c +@@ -167,6 +167,9 @@ static void 
close(struct selabel_handle *rec) + struct spec *spec, *spec_arr = data->spec_arr; + unsigned int i; + ++ if (!data) ++ return; ++ + for (i = 0; i < data->nspec; i++) { + spec = &spec_arr[i]; + free(spec->key); +diff --git a/src/label_x.c b/src/label_x.c +index bf569ca5..f994eefa 100644 +--- a/src/label_x.c ++++ b/src/label_x.c +@@ -194,6 +194,9 @@ static void close(struct selabel_handle *rec) + struct spec *spec, *spec_arr = data->spec_arr; + unsigned int i; + ++ if (!data) ++ return; ++ + for (i = 0; i < data->nspec; i++) { + spec = &spec_arr[i]; + free(spec->key); +-- +2.33.0 + diff --git a/backport-libselinux-free-empty-scandir-3-result.patch b/backport-libselinux-free-empty-scandir-3-result.patch new file mode 100644 index 0000000000000000000000000000000000000000..7176f4b4f2b91e08292e16fd972e6f0a0a61dbf8 --- /dev/null +++ b/backport-libselinux-free-empty-scandir-3-result.patch 
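Review bot: Replacing the inline teardown with `selabel_close(rec);` in selabel_open() calls the backend close hook through rec, so it now depends on every init function having stored `rec->func_close` before its first failing allocation; a backend that returns -1 on the initial malloc/calloc of its data before assigning the hook would leave the calloc'd rec with a NULL func_close, and nothing in this hunk guards that call (selabel_close()'s body is outside the hunk). Either guard it, `if (rec->func_close) rec->func_close(rec);`, or have each init assign its hooks before allocating. The five close handlers gain a NULL check on their data pointer for the partial-init case, which is the right complement; the later patch in this series that resets `rec->data = NULL` after free covers the double-close this otherwise leaves open.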
@@ -0,0 +1,41 @@ +From c8b1f5928236e9ed3192a4393cb563cb718ccca4 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Christian=20G=C3=B6ttsche?= +Date: Mon, 29 Apr 2024 18:38:59 +0200 +Subject: [PATCH] libselinux: free empty scandir(3) result +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +In case scandir(3) finds no entries still free the returned result to +avoid leaking it. + +Also do not override errno in case of a failure. + +Reported.by: Cppcheck + +Signed-off-by: Christian Göttsche +Acked-by: James Carter +--- + src/booleans.c | 6 +++++- + 1 file changed, 5 insertions(+), 1 deletion(-) + +diff --git a/src/booleans.c b/src/booleans.c +index c557df65..1ede8e2d 100644 +--- a/src/booleans.c ++++ b/src/booleans.c +@@ -53,7 +53,11 @@ int security_get_boolean_names(char ***names, int *len) + + snprintf(path, sizeof path, "%s%s", selinux_mnt, SELINUX_BOOL_DIR); + *len = scandir(path, &namelist, &filename_select, alphasort); +- if (*len <= 0) { ++ if (*len < 0) { ++ return -1; ++ } ++ if (*len == 0) { ++ free(namelist); + errno = ENOENT; + return -1; + } +-- +2.33.0 + diff --git a/backport-libselinux-matchpathcon-RESOURCE_LEAK-Variable-con.patch b/backport-libselinux-matchpathcon-RESOURCE_LEAK-Variable-con.patch new file mode 100644 index 0000000000000000000000000000000000000000..1dc94f77a05402c04a2d1bf02be5024c0ab844fb --- /dev/null +++ b/backport-libselinux-matchpathcon-RESOURCE_LEAK-Variable-con.patch 
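Review bot: The new `if (*len == 0) { free(namelist); ... }` is correct on glibc, which allocates an (empty) array even when scandir(3) matches nothing, but POSIX does not require namelist to be assigned in that case, so `free(namelist)` is only safe if the pointer starts out NULL. Its declaration is outside the hunk; if it is a bare `struct dirent **namelist;`, initialise it as `struct dirent **namelist = NULL;`. The split `if (*len < 0) return -1;` correctly preserves scandir's errno instead of overwriting it with ENOENT.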
@@ -0,0 +1,40 @@ +From f18f9e5ea155015b4b2ad6c9ba6ce5e0e3b30646 Mon Sep 17 00:00:00 2001 +From: Vit Mojzis +Date: Fri, 25 Oct 2024 20:30:14 +0200 +Subject: [PATCH] libselinux/matchpathcon: RESOURCE_LEAK: Variable "con" + +Fixes: + Error: RESOURCE_LEAK (CWE-772): + libselinux-3.6/src/matchpathcon.c:519: alloc_arg: "lgetfilecon_raw" allocates memory that is stored into "con". [Note: The source code implementation of the function has been overridden by a user model.] + libselinux-3.6/src/matchpathcon.c:528: leaked_storage: Variable "con" going out of scope leaks the storage it points to. + \# 526| + \# 527| if (!hnd && (matchpathcon_init_prefix(NULL, NULL) < 0)) + \# 528|-> return -1; + \# 529| + \# 530| if (selabel_lookup_raw(hnd, &fcontext, path, mode) != 0) { + +Signed-off-by: Vit Mojzis +Acked-by: James Carter +--- + src/matchpathcon.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +diff --git a/src/matchpathcon.c b/src/matchpathcon.c +index e44734c3..967520e4 100644 +--- a/src/matchpathcon.c ++++ b/src/matchpathcon.c +@@ -524,8 +524,10 @@ int selinux_file_context_verify(const char *path, mode_t mode) + return 0; + } + +- if (!hnd && (matchpathcon_init_prefix(NULL, NULL) < 0)) ++ if (!hnd && (matchpathcon_init_prefix(NULL, NULL) < 0)){ ++ freecon(con); + return -1; ++ } + + if (selabel_lookup_raw(hnd, &fcontext, path, mode) != 0) { + if (errno != ENOENT) +-- +2.33.0 + diff --git a/backport-libselinux-set-free-d-data-to-NULL.patch b/backport-libselinux-set-free-d-data-to-NULL.patch new file mode 100644 index 0000000000000000000000000000000000000000..8cb2fee8479478bdf38fb2394a0852abd4a8ac55 --- /dev/null +++ b/backport-libselinux-set-free-d-data-to-NULL.patch 
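Review bot: Style: the rewritten condition `if (!hnd && (matchpathcon_init_prefix(NULL, NULL) < 0)){` drops the space before the opening brace used everywhere else in this file and series; write `if (!hnd && (matchpathcon_init_prefix(NULL, NULL) < 0)) {`. The added `freecon(con);` before the early return is the right fix for the reported leak. The later exits of selinux_file_context_verify() lie outside the hunk, so whether con is released on each of them cannot be confirmed from here.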
@@ -0,0 +1,78 @@ +From f398662ea19d2cf6db6cb791e3b787889e5af883 Mon Sep 17 00:00:00 2001 +From: Petr Lautrbach +Date: Tue, 9 Jul 2024 21:23:46 +0200 +Subject: [PATCH] libselinux: set free'd data to NULL + +Fixes segfault in selabel_open() on systems with SELinux disabled and without any +SELinux policy installed introduced by commit 5876aca0484f ("libselinux: free +data on selabel open failure"): + + $ sestatus + SELinux status: disabled + + $ cat /etc/selinux/config + cat: /etc/selinux/config: No such file or directory + + $ matchpathcon /abc + [1] 907999 segmentation fault (core dumped) matchpathcon /abc + +Signed-off-by: Petr Lautrbach +Acked-by: James Carter +--- + src/label_backends_android.c | 1 + + src/label_file.c | 1 + + src/label_media.c | 1 + + src/label_x.c | 1 + + 4 files changed, 4 insertions(+) + +diff --git a/src/label_backends_android.c b/src/label_backends_android.c +index 49a87686..5bad24f2 100644 +--- a/src/label_backends_android.c ++++ b/src/label_backends_android.c +@@ -260,6 +260,7 @@ static void closef(struct selabel_handle *rec) + free(data->spec_arr); + + free(data); ++ rec->data = NULL; + } + + static struct selabel_lookup_rec *property_lookup(struct selabel_handle *rec, +diff --git a/src/label_file.c b/src/label_file.c +index 2732972e..59c9f2ef 100644 +--- a/src/label_file.c ++++ b/src/label_file.c +@@ -942,6 +942,7 @@ static void closef(struct selabel_handle *rec) + free(last_area); + } + free(data); ++ rec->data = NULL; + } + + // Finds all the matches of |key| in the given context. 
Returns the result in +diff --git a/src/label_media.c b/src/label_media.c +index 852aeada..bae065c1 100644 +--- a/src/label_media.c ++++ b/src/label_media.c +@@ -183,6 +183,7 @@ static void close(struct selabel_handle *rec) + free(spec_arr); + + free(data); ++ rec->data = NULL; + } + + static struct selabel_lookup_rec *lookup(struct selabel_handle *rec, +diff --git a/src/label_x.c b/src/label_x.c +index a8decc7a..ddae4f6c 100644 +--- a/src/label_x.c ++++ b/src/label_x.c +@@ -210,6 +210,7 @@ static void close(struct selabel_handle *rec) + free(spec_arr); + + free(data); ++ rec->data = NULL; + } + + static struct selabel_lookup_rec *lookup(struct selabel_handle *rec, +-- +2.33.0 + diff --git a/backport-libselinux-utils-selabel_digest-avoid-buffer-overflo.patch b/backport-libselinux-utils-selabel_digest-avoid-buffer-overflo.patch new file mode 100644 index 0000000000000000000000000000000000000000..9645bc384f01282b6246182b6bcdb433dfd6edfd --- /dev/null +++ b/backport-libselinux-utils-selabel_digest-avoid-buffer-overflo.patch 
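Review bot: `rec->data = NULL;` is added to the close handlers of four backends but not to db_close() in label_db.c, which the earlier "free data on selabel open failure" patch in this series made NULL-tolerant in the same way; after its `free(catalog)` rec->data still dangles, so if db_close() is ever invoked twice on the same handle — the situation the added assignments guard the other backends against — it would double-free catalog. Add `rec->data = NULL;` after `free(catalog);` so all five handlers behave alike. The tail of db_close() is not visible in the series, so confirm it does not already reset the pointer.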
@@ -0,0 +1,92 @@ +From 994b9b205e36f3cc849b75f075e057686f3f9cd8 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Christian=20G=C3=B6ttsche?= +Date: Wed, 13 Mar 2024 12:10:23 +0100 +Subject: [PATCH] libselinux/utils/selabel_digest: avoid buffer overflow +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +In case the specfiles have very long paths or there are too many abort +instead of writing past the stack buffer. + +Signed-off-by: Christian Göttsche +Acked-by: James Carter +--- + utils/selabel_digest.c | 45 ++++++++++++++++++++++++------- + 1 file changed, 36 insertions(+), 9 deletions(-) + +diff --git a/utils/selabel_digest.c b/utils/selabel_digest.c +index db0d443a..64051070 100644 +--- a/utils/selabel_digest.c ++++ b/utils/selabel_digest.c +@@ -66,7 +66,7 @@ int main(int argc, char **argv) + + char cmd_buf[4096]; + char *cmd_ptr; +- char *sha1_buf; ++ char *sha1_buf = NULL; + + struct selabel_handle *hnd; + struct selinux_opt selabel_option[] = { +@@ -167,23 +167,50 @@ int main(int argc, char **argv) + printf("calculated using the following specfile(s):\n"); + + if (specfiles) { +- cmd_ptr = &cmd_buf[0]; +- sprintf(cmd_ptr, "/usr/bin/cat "); +- cmd_ptr = &cmd_buf[0] + strlen(cmd_buf); ++ size_t cmd_rem = sizeof(cmd_buf); ++ int ret; ++ ++ if (validate) { ++ cmd_ptr = &cmd_buf[0]; ++ ret = snprintf(cmd_ptr, cmd_rem, "/usr/bin/cat "); ++ if (ret < 0 || (size_t)ret >= cmd_rem) { ++ fprintf(stderr, "Could not format validate command\n"); ++ rc = -1; ++ goto err; ++ } ++ cmd_ptr += ret; ++ cmd_rem -= ret; ++ } + + for (i = 0; i < num_specfiles; i++) { +- sprintf(cmd_ptr, "%s ", specfiles[i]); +- cmd_ptr += strlen(specfiles[i]) + 1; ++ if (validate) { ++ ret = snprintf(cmd_ptr, cmd_rem, "%s ", specfiles[i]); ++ if (ret < 0 || (size_t)ret >= cmd_rem) { ++ fprintf(stderr, "Could not format validate command\n"); ++ rc = -1; ++ goto err; ++ } ++ cmd_ptr += ret; ++ cmd_rem -= ret; ++ } ++ + printf("%s\n", specfiles[i]); + } +- 
sprintf(cmd_ptr, "| /usr/bin/openssl dgst -sha1 -hex"); + +- if (validate) ++ if (validate) { ++ ret = snprintf(cmd_ptr, cmd_rem, "| /usr/bin/openssl dgst -sha1 -hex"); ++ if (ret < 0 || (size_t)ret >= cmd_rem) { ++ fprintf(stderr, "Could not format validate command\n"); ++ rc = -1; ++ goto err; ++ } ++ + rc = run_check_digest(cmd_buf, sha1_buf); ++ } + } + +- free(sha1_buf); + err: ++ free(sha1_buf); + selabel_close(hnd); + return rc; + } +-- +2.33.0 + diff --git a/backport-libselinux-utils-selabel_digest-drop-unsupported-opt.patch b/backport-libselinux-utils-selabel_digest-drop-unsupported-opt.patch new file mode 100644 index 0000000000000000000000000000000000000000..c16c2fd89201a6752036e0f530d379dae6cdcc6e --- /dev/null +++ b/backport-libselinux-utils-selabel_digest-drop-unsupported-opt.patch @@ -0,0 +1,32 @@ +From c774f15a4a726eb57b9815a55980eb81d09ad9c2 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Christian=20G=C3=B6ttsche?= +Date: Wed, 13 Mar 2024 12:10:21 +0100 +Subject: [PATCH] libselinux/utils/selabel_digest: drop unsupported option -d +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +The command line option -d is not supported, drop from usage message. + +Signed-off-by: Christian Göttsche +Acked-by: James Carter +--- + utils/selabel_digest.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/utils/selabel_digest.c b/utils/selabel_digest.c +index bf22b472..50f55311 100644 +--- a/utils/selabel_digest.c ++++ b/utils/selabel_digest.c +@@ -11,7 +11,7 @@ static size_t digest_len; + static __attribute__ ((__noreturn__)) void usage(const char *progname) + { + fprintf(stderr, +- "usage: %s -b backend [-d] [-v] [-B] [-i] [-f file]\n\n" ++ "usage: %s -b backend [-v] [-B] [-i] [-f file]\n\n" + "Where:\n\t" + "-b The backend - \"file\", \"media\", \"x\", \"db\" or " + "\"prop\"\n\t" +-- +2.33.0 + 
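Review bot: The bounds checks stop the stack overflow, but each specfile path is still spliced into cmd_buf via `snprintf(cmd_ptr, cmd_rem, "%s ", specfiles[i])` with no quoting, so a path containing whitespace or shell metacharacters is still mis-parsed by whatever run_check_digest() hands cmd_buf to (presumably a shell via popen/system; its body is outside the hunk). The paths come from the label handle's configuration rather than from argv, so the exposure is limited, but building an argv and running cat/openssl with posix_spawn, or at least single-quoting each path, would close it. The three identical `fprintf(stderr, "Could not format validate command\n"); rc = -1; goto err;` blocks could also collapse into one small vsnprintf-based helper (needs <stdarg.h>), sketched below. main() begins before the hunk.
```c
/* Append one formatted piece to the command buffer, advancing ptr/rem.
 * Returns 0 on success, -1 (after a diagnostic) when it would not fit. */
static int __attribute__ ((format(printf, 3, 4)))
append_cmd(char **ptr, size_t *rem, const char *fmt, ...)
{
	va_list ap;
	int ret;

	va_start(ap, fmt);
	ret = vsnprintf(*ptr, *rem, fmt, ap);
	va_end(ap);
	if (ret < 0 || (size_t)ret >= *rem) {
		fprintf(stderr, "Could not format validate command\n");
		return -1;
	}
	*ptr += ret;
	*rem -= ret;
	return 0;
}

/* … unchanged: option parsing, selabel_open(), digest printing … */
	if (specfiles) {
		size_t cmd_rem = sizeof(cmd_buf);

		cmd_ptr = &cmd_buf[0];
		if (validate && append_cmd(&cmd_ptr, &cmd_rem, "/usr/bin/cat ") < 0) {
			rc = -1;
			goto err;
		}

		for (i = 0; i < num_specfiles; i++) {
			if (validate && append_cmd(&cmd_ptr, &cmd_rem, "%s ", specfiles[i]) < 0) {
				rc = -1;
				goto err;
			}
			printf("%s\n", specfiles[i]);
		}

		if (validate) {
			if (append_cmd(&cmd_ptr, &cmd_rem, "| /usr/bin/openssl dgst -sha1 -hex") < 0) {
				rc = -1;
				goto err;
			}
			rc = run_check_digest(cmd_buf, sha1_buf);
		}
	}
	/* … unchanged: err: cleanup … */
```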
diff --git a/libselinux.spec b/libselinux.spec index 191eb992ab8ba537c6dd67963222f5fb13583f9c..ea7db0f082e019e9bd22be4dd7c8641cae1c9bcd 100644 --- a/libselinux.spec +++ b/libselinux.spec @@ -3,7 +3,7 @@ Name: libselinux Version: 3.5 -Release: 4 +Release: 5 License: Public Domain Summary: SELinux library and simple utilities Url: https://github.com/SELinuxProject/selinux/wiki @@ -16,6 +16,15 @@ Patch0004: backport-libselinux-reorder-calloc-3-arguments.patch Patch0005: backport-libselinux-Fix-ordering-of-arguments-to-calloc.patch Patch0006: backport-libselinux-use-reentrant-strtok_r-3.patch Patch0007: backport-libselinux-fix-swig-bindings-for-4.3.0.patch +Patch0008: backport-libselinux-utils-selabel_digest-drop-unsupported-opt.patch +Patch0009: backport-libselinux-utils-selabel_digest-avoid-buffer-overflo.patch +Patch0010: backport-libselinux-free-data-on-selabel-open-failure.patch +Patch0011: backport-libselinux-avoid-logs-in-get_ordered_context_list-wi.patch +Patch0012: backport-libselinux-free-empty-scandir-3-result.patch +Patch0013: backport-libselinux-avoid-pointer-dereference-before-check.patch +Patch0014: backport-libselinux-set-free-d-data-to-NULL.patch +Patch0015: backport-libselinux-matchpathcon-RESOURCE_LEAK-Variable-con.patch +Patch0016: backport-libselinux-Close-old-selabel-handle-when-setting-a-n.patch Patch9000: do-malloc-trim-after-load-policy.patch @@ -133,6 +142,9 @@ mv %{buildroot}%{_sbindir}/getconlist %{buildroot}%{_sbindir}/selinuxconlist %lang(ru) %{_mandir}/ru/man8/* %changelog +* Fri Mar 14 2025 yixiangzhike - 3.5-5 +- backport upstream patches + * Wed Jan 22 2025 Funda Wang - 3.5-4 - add upstream patch fixing build with swig 4.3.0 - drop useless buildroot cleanup and ldconfig scriptlets
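Review bot: Patch0009's preimage for utils/selabel_digest.c (`index db0d443a..64051070`) is not the postimage Patch0008 produces (`index bf22b472..50f55311`), so an upstream change to the same file between the two (the 12:10:21 and 12:10:23 timestamps suggest one commit sits between them) is not backported; the hunks touch different lines and will likely apply with an offset, but the build log should be checked for fuzz/offset warnings or the intermediate commit added. The other chains (label_media.c, label_x.c, label_file.c and label_backends_android.c across Patch0010, Patch0013 and Patch0014) line up by index. The Release bump and changelog entry are consistent with the nine added Patch lines.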