mirror of
https://github.com/SELinuxProject/selinux
synced 2024-12-25 15:32:07 +00:00
Revert "libselinux: verify file_contexts when using restorecon"
This reverts commit 814631d3ae
.
As reported by Petr Lautrbach, this commit changed the behavior
of selabel_open() when SELABEL_OPT_VALIDATE is 0, and this would
be an API change.
Reported-by: Petr Lautrbach <plautrba@redhat.com>
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
This commit is contained in:
parent
f04d64012a
commit
87a58b6b4e
@ -121,11 +121,12 @@ static inline int selabel_is_validate_set(const struct selinux_opt *opts,
|
||||
return 0;
|
||||
}
|
||||
|
||||
int selabel_validate(struct selabel_lookup_rec *contexts)
|
||||
int selabel_validate(struct selabel_handle *rec,
|
||||
struct selabel_lookup_rec *contexts)
|
||||
{
|
||||
int rc = 0;
|
||||
|
||||
if (contexts->validated)
|
||||
if (!rec->validating || contexts->validated)
|
||||
goto out;
|
||||
|
||||
rc = selinux_validate(&contexts->ctx_raw);
|
||||
@ -142,7 +143,7 @@ static int selabel_fini(struct selabel_handle *rec,
|
||||
struct selabel_lookup_rec *lr,
|
||||
int translating)
|
||||
{
|
||||
if (compat_validate(lr, rec->spec_file, lr->lineno))
|
||||
if (compat_validate(rec, lr, rec->spec_file, lr->lineno))
|
||||
return -1;
|
||||
|
||||
if (translating && !lr->ctx_trans &&
|
||||
|
@ -122,7 +122,7 @@ static int process_line(struct selabel_handle *rec,
|
||||
spec_arr[nspec].lr.ctx_raw = context;
|
||||
|
||||
if (rec->validating) {
|
||||
if (selabel_validate(&spec_arr[nspec].lr) < 0) {
|
||||
if (selabel_validate(rec, &spec_arr[nspec].lr) < 0) {
|
||||
selinux_log(SELINUX_ERROR,
|
||||
"%s: line %u has invalid context %s\n",
|
||||
path, lineno, spec_arr[nspec].lr.ctx_raw);
|
||||
|
@ -328,7 +328,7 @@ end_arch_check:
|
||||
spec->lr.ctx_raw = str_buf;
|
||||
|
||||
if (strcmp(spec->lr.ctx_raw, "<<none>>") && rec->validating) {
|
||||
if (selabel_validate(&spec->lr) < 0) {
|
||||
if (selabel_validate(rec, &spec->lr) < 0) {
|
||||
selinux_log(SELINUX_ERROR,
|
||||
"%s: context %s is invalid\n",
|
||||
path, spec->lr.ctx_raw);
|
||||
|
@ -509,7 +509,7 @@ static inline int process_line(struct selabel_handle *rec,
|
||||
spec_hasMetaChars(&spec_arr[nspec]);
|
||||
|
||||
if (strcmp(context, "<<none>>") && rec->validating)
|
||||
return compat_validate(&spec_arr[nspec].lr, path, lineno);
|
||||
return compat_validate(rec, &spec_arr[nspec].lr, path, lineno);
|
||||
|
||||
return 0;
|
||||
}
|
||||
|
@ -112,7 +112,8 @@ struct selabel_handle {
|
||||
* Validation function
|
||||
*/
|
||||
extern int
|
||||
selabel_validate(struct selabel_lookup_rec *contexts) hidden;
|
||||
selabel_validate(struct selabel_handle *rec,
|
||||
struct selabel_lookup_rec *contexts) hidden;
|
||||
|
||||
/*
|
||||
* Compatibility support
|
||||
@ -127,7 +128,8 @@ extern void __attribute__ ((format(printf, 1, 2)))
|
||||
selinux_log(type, fmt);
|
||||
|
||||
extern int
|
||||
compat_validate(struct selabel_lookup_rec *contexts,
|
||||
compat_validate(struct selabel_handle *rec,
|
||||
struct selabel_lookup_rec *contexts,
|
||||
const char *path, unsigned lineno) hidden;
|
||||
|
||||
/*
|
||||
|
@ -35,7 +35,8 @@ void set_matchpathcon_printf(void (*f) (const char *fmt, ...))
|
||||
myprintf_compat = 1;
|
||||
}
|
||||
|
||||
int compat_validate(struct selabel_lookup_rec *contexts,
|
||||
int compat_validate(struct selabel_handle *rec,
|
||||
struct selabel_lookup_rec *contexts,
|
||||
const char *path, unsigned lineno)
|
||||
{
|
||||
int rc;
|
||||
@ -46,7 +47,7 @@ int compat_validate(struct selabel_lookup_rec *contexts,
|
||||
else if (mycanoncon)
|
||||
rc = mycanoncon(path, lineno, ctx);
|
||||
else {
|
||||
rc = selabel_validate(contexts);
|
||||
rc = selabel_validate(rec, contexts);
|
||||
if (rc < 0) {
|
||||
if (lineno) {
|
||||
COMPAT_LOG(SELINUX_WARNING,
|
||||
|
Loading…
Reference in New Issue
Block a user