Commit Graph

3596 Commits

Author SHA1 Message Date
Christian Göttsche
f174045525 libsepol: optimize ebitmap_xor
Iterate on nodes instead of single bits to save node resolution for each
single bit.

Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
Acked-by: James Carter <jwcart2@gmail.com>
2022-08-09 09:52:25 -04:00
Christian Göttsche
efcd008148 libsepol: optimize ebitmap_and
Iterate on nodes instead of single bits to save node resolution for each
single bit.

Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
Acked-by: James Carter <jwcart2@gmail.com>
2022-08-09 09:52:22 -04:00
Christian Göttsche
12a8a00bf2 libsepol: optimize ebitmap_not
Iterate on nodes instead of single bits to save node resolution for each
single bit.

Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
Acked-by: James Carter <jwcart2@gmail.com>
2022-08-09 09:52:19 -04:00
Christian Göttsche
bc8f7b502b libsepol/cil: use ebitmap_init_range
Especially in the case of __cil_permissionx_expr_range_to_bitmap_helper()
it substitutes hundreds of thousand of calls to ebitmap_set_bit() during
semodule(8) on a policy widely using extended permissions.

Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
Acked-by: James Carter <jwcart2@gmail.com>
2022-08-09 09:52:15 -04:00
Christian Göttsche
6f9e682c15 libsepol: add ebitmap_init_range
Add an initializer for ebitmaps that sets all bits in a given range to
save node traversals for each bit to set, compared to calling
ebitmap_init() followed by iterating ebitmap_set_bit().

Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
Acked-by: James Carter <jwcart2@gmail.com>
2022-08-09 09:52:13 -04:00
Christian Göttsche
490cd409e3 libsepol/tests: add ebitmap tests
Preparation for several ebitmap related optimizations.

Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
Acked-by: James Carter <jwcart2@gmail.com>
2022-08-09 09:52:10 -04:00
Christian Göttsche
65b3f695be libsepol: enclose macro parameters and replacement lists in parentheses
Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
Acked-by: James Carter <jwcart2@gmail.com>
2022-08-09 09:52:06 -04:00
Christian Göttsche
85e73a22ff libsepol: include necessary headers in headers
Include policydb header file required for typedef policydb_t.

This is for example helpful when working with an IDE, which needs to
resolve those symbols.

Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
Acked-by: James Carter <jwcart2@gmail.com>
2022-08-09 09:52:03 -04:00
Christian Göttsche
12beafe7ce libsepol: break circular include
Since `struct type_set` is forward declared including
policydb/policydb.h is not necessary and creates a circular include.

Also drop the unnecessary forward declaration of `struct policydb`.

Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
Acked-by: James Carter <jwcart2@gmail.com>
2022-08-09 09:52:00 -04:00
Christian Göttsche
ba9820a002 libselinux: set errno to EBADF on O_PATH emulation ENOENT failure
When the O_PATH emulation fails due to getxattr(2)/setxattr(2) failing
with ENOENT, e.g. because no procfs being available, override the errno
value to EBADF.  This avoids confusion to the caller as it would suggest
the target of the operation does not exist, which is not the case:

    setfiles: Could not set context for /:  No such file or directory

Fixes: a782abf2 ("libselinux: emulate O_PATH support in fgetfilecon/fsetfilecon")
Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
Acked-by: James Carter <jwcart2@gmail.com>
2022-08-09 09:51:55 -04:00
Elijah Conners
ebb4a170c0 python: remove IOError in certain cases
In certain cases, IOError caused the much more general exception OSError
to be unreachable.

Signed-off-by: Elijah Conners <business@elijahpepe.com>
Acked-by: Petr Lautrbach <plautrba@redhat.com>
2022-07-19 11:10:08 +02:00
Christian Göttsche
2651989d3b libsepol: do not modify policy during write
Do not modify the in memory default_range value of a class datum while
writing a policy.

While on it fix indentation.

Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
Acked-by: James Carter <jwcart2@gmail.com>
2022-07-06 15:57:27 -04:00
Christian Göttsche
36bf1be1ca libsepol/utils: improve wording
A request is denied with SEPOL_COMPUTEAV_RBAC if the source role is not
allowed to transition to the target role, granted via a

    allow source_role target_role;

statement.

Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
Acked-by: James Carter <jwcart2@gmail.com>
2022-07-06 15:57:24 -04:00
Nicolas Iooss
301cd64636 CircleCI: do not add Debian-specific parameter when invoking setup.py
Runners on https://circleci.com/ use a custom version of Python without
Debian-specific patches which added option --install-layout=deb. This
leads to the following error:

    error: option --install-layout not recognized

Fix this by creating a new environment variable dedicated to detect
CircleCI platform.

Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>
Acked-by: James Carter <jwcart2@gmail.com>
2022-07-06 15:57:21 -04:00
Nicolas Iooss
d2fecbb97b libsepol: initialize s in constraint_expr_eval_reason
clang's static analyzer reports that s[0] can be uninitialized when used
in:

    sprintf(tmp_buf, "%s %s\n",
                    xcontext ? "Validatetrans" : "Constraint",
                    s[0] ? "GRANTED" : "DENIED");

Silence this false-positive issue by making s always initialized.

Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>
Acked-by: James Carter <jwcart2@gmail.com>
2022-07-06 15:57:18 -04:00
Christian Göttsche
f505a73b06 libsepol: avoid potential NULL dereference on optional parameter
The parameter `reason` of `context_struct_compute_av()` is optional and
can be passed in as NULL, like from `type_attribute_bounds_av()`.

Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
Acked-by: James Carter <jwcart2@gmail.com>
2022-07-06 15:57:15 -04:00
Christian Göttsche
956bda08f6
libselinux: restorecon: avoid printing NULL pointer
The variable `curcon` is NULL in case the file has no current security
context.  Most C standard libraries handle it fine, avoid it nonetheless
for standard conformance.

Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
Acked-by: Nicolas Iooss <nicolas.iooss@m4x.org>
2022-06-30 21:11:01 +02:00
Ondrej Mosnacek
8cc529af51
semodule: rename --rebuild-if-modules-changed to --refresh
After the last commit this option's name and description no longer
matches the semantic, so give it a new one and update the descriptions.
The old name is still recognized and aliased to the new one for
backwards compatibility.

Signed-off-by: Ondrej Mosnacek <omosnace@redhat.com>
Acked-by: Nicolas Iooss <nicolas.iooss@m4x.org>
2022-06-30 21:09:28 +02:00
Ondrej Mosnacek
bdbe52be1b
libsemanage: always write kernel policy when check_ext_changes is specified
For the use case of rebuilding the policy after package updates, we need
the check_ext_changes operation to always do at least the do_write_kernel
step, because the various semanage dbs may have also changed content
relative to the current binary policy. As this step is itself relatively
fast, we can do it unconditionally.

Fixes: 286a679fad ("libsemanage: optionally rebuild policy when modules are changed externally")
Signed-off-by: Ondrej Mosnacek <omosnace@redhat.com>
Acked-by: Nicolas Iooss <nicolas.iooss@m4x.org>
2022-06-30 21:09:00 +02:00
Vit Mojzis
344463076b gettext: handle unsupported languages properly
With "fallback=True" gettext.translation behaves the same as
gettext.install and uses NullTranslations in case the
translation file for given language was not found (as opposed to
throwing an exception).

Fixes:
  # LANG is set to any "unsupported" language, e.g. en_US.UTF-8
  $ chcat --help
  Traceback (most recent call last):
  File "/usr/bin/chcat", line 39, in <module>
    t = gettext.translation(PROGNAME,
  File "/usr/lib64/python3.9/gettext.py", line 592, in translation
    raise FileNotFoundError(ENOENT,
  FileNotFoundError: [Errno 2] No translation file found for domain: 'selinux-python'

Signed-off-by: Vit Mojzis <vmojzis@redhat.com>
Reviewed-by: Daniel Burgener <dburgener@linux.microsoft.com>
Acked-by: Petr Lautrbach <plautrba@redhat.com>
2022-06-29 15:51:07 +02:00
Christian Göttsche
25e9c91a8b checkpolicy: error out if required permission would exceed limit
A require statement for a class permission adds that permission to the
class representation for the current module.  In case the resulting
class would have more than the supported amount of 32 permissions
assigned the resulting binary module will fail to load at link-time
without an informative error message (since [1]).

Bail out if adding a permission would result in a class having more than
the supported amount of 32 permissions assigned.

[1]: 97af65f696

Closes: https://github.com/SELinuxProject/selinux/issues/356
Reported-by: Julie Pichon
Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
Acked-by: James Carter <jwcart2@gmail.com>
2022-06-21 15:20:58 +02:00
Christian Göttsche
88a703399f libsepol: fix validation of user declarations in modules
Users are allowed to be declared in modules. Modules do not get expanded
leaving the `struct user_datum` members `exp_range` and `exp_dfltlevel`
empty.
Do no validate the expanded range and level for modular polices.

Reported-by: bauen1 <j2468h@gmail.com>
Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
Acked-by: James Carter <jwcart2@gmail.com>
2022-06-15 08:59:07 -04:00
Petr Lautrbach
3f23f07f01 libsepol: Drop unused assignment
Fixes:
cil/src/cil_build_ast.c:4622:4: warning[deadcode.DeadStores]: Value stored to 'rc' is never read

Signed-off-by: Petr Lautrbach <plautrba@redhat.com>
Acked-by: James Carter <jwcart2@gmail.com>
2022-06-15 08:59:01 -04:00
Christian Göttsche
c14a86af9a python/audit2allow: close file stream on error
sepolgen-ifgen-attr-helper.c: In function ‘load_policy’:
    sepolgen-ifgen-attr-helper.c:196:17: warning: leak of FILE ‘fp’ [CWE-775] [-Wanalyzer-file-leak]
      196 |                 fprintf(stderr, "Out of memory!\n");
          |                 ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
Acked-by: James Carter <jwcart2@gmail.com>
2022-06-15 08:58:54 -04:00
Christian Göttsche
c760a2bff6 libselinux: declare parameter of security_load_policy(3) const
security_load_policy(3) takes a read-only memory address for a binary
policy to be loaded.

Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
Acked-by: James Carter <jwcart2@gmail.com>
2022-06-15 08:58:48 -04:00
Christian Göttsche
a6c572b1af libselinux: name parameters in context.h
Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
Acked-by: James Carter <jwcart2@gmail.com>
2022-06-15 08:58:41 -04:00
Christian Göttsche
29e5233d85 libselinux: enclose macro definition in parenthesis
Avoid potential precedence issues.

Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
Acked-by: James Carter <jwcart2@gmail.com>
2022-06-15 08:58:35 -04:00
Christian Göttsche
90bc03b732 libselinux: add man page redirections
The following interfaces are documented but do not have a redirection:

  - context_str(3)
  - security_get_checkreqprot(3)
  - security_set_boolean_list(3)
  - selinux_sepgsql_context_path(3)
  - setexecfilecon(3)

Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
Acked-by: James Carter <jwcart2@gmail.com>
2022-06-15 08:58:00 -04:00
Christian Göttsche
1eb6229a48 libselinux: check for truncations
Check for truncations when building or copying strings involving user
input.

Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
2022-06-08 08:48:53 -04:00
Christian Göttsche
7d5a89314b libselinux: introduce strlcpy
To copy string safely, by always NULL-terminating them, and provide an
easy way to check for truncation introduce the nonstandard function
strlcpy(3).  Use the system implementation if available.

Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
2022-06-08 08:48:47 -04:00
Christian Göttsche
2b7da16595 libselinux: add header guard for internal header
Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
2022-06-08 08:48:43 -04:00
Christian Göttsche
31e3537624 libselinux: simplify policy path logic to avoid uninitialized read
In case the function __policy_init() gets called with a NULL pointer,
the stack variable path remains uninitialized (except at its last
index).  If parsing the binary policy fails in sepol_policydb_read() the
error branch would access those uninitialized memory.

Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
2022-06-08 08:48:40 -04:00
Vit Mojzis
abaf812c38 python: Split "semanage import" into two transactions
First transaction applies all deletion operations, so that there are no
collisions when applying the rest of the changes.

Fixes:
  # semanage port -a -t http_cache_port_t -r s0 -p tcp 3024
  # semanage export | semanage import
  ValueError: Port tcp/3024 already defined

Signed-off-by: Vit Mojzis <vmojzis@redhat.com>
2022-06-06 16:16:27 -04:00
Nicolas Iooss
c8ba7968b3 libselinux: do not return the cached prev_current value when using getpidcon()
libselinux implements a cache mechanism for get*con() functions, such
that when a thread calls setcon(...) then getcon(...), the context is
directly returned. Unfortunately, getpidcon(pid, &context) uses the same
cached variable, so when a program uses setcon("something"), all later
calls to getpidcon(pid, ...) returns "something". This is a bug.

Here is a program which illustrates this bug:

    #include <stdio.h>
    #include <selinux/selinux.h>

    int main() {
        char *context = "";
        if (getpidcon(1, &context) < 0) {
            perror("getpidcon(1)");
        }
        printf("getpidcon(1) = %s\n", context);

        if (getcon(&context) < 0) {
            perror("getcon()");
        }
        printf("getcon() = %s\n", context);
        if (setcon(context) < 0) {
            perror("setcon()");
        }
        if (getpidcon(1, &context) < 0) {
            perror("getpidcon(1)");
        }
        printf("getpidcon(1) = %s\n", context);

        return 0;
    }

On an Arch Linux system using unconfined user, this program displays:

    getpidcon(1) = system_u:system_r:init_t
    getcon() = unconfined_u:unconfined_r:unconfined_t
    getpidcon(1) = unconfined_u:unconfined_r:unconfined_t

With this commit, this program displays:

    getpidcon(1) = system_u:system_r:init_t
    getcon() = unconfined_u:unconfined_r:unconfined_t
    getpidcon(1) = system_u:system_r:init_t

This bug was present in the first commit of
https://github.com/SELinuxProject/selinux git history. It was reported
in https://lore.kernel.org/selinux/20220121084012.GS7643@suse.com/ and a
patch to fix it was sent in
https://patchwork.kernel.org/project/selinux/patch/20220127130741.31940-1-jsegitz@suse.de/
without a clear explanation. This patch added pid checks, which made
sense but were difficult to read. Instead, it is possible to change the
way the functions are called so that they directly know which cache
variable to use.

Moreover, as the code is not clear at all (I spent too much time trying
to understand what the switch did and what the thread-local variable
contained), this commit also reworks libselinux/src/procattr.c to:
- not use hard-to-understand switch/case constructions on strings (they
  are replaced by a new argument filled by macros)
- remove getpidattr_def macro (it was only used once, for pidcon, and
  the code is clearer with one less macro)
- remove the pid parameter of setprocattrcon() and setprocattrcon_raw()
  (it is always zero)

Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>
Cc: Johannes Segitz <jsegitz@suse.de>
2022-06-06 16:16:17 -04:00
Petr Lautrbach
de285252a1 Revert "libselinux: restorecon: pin file to avoid TOCTOU issues"
This reverts commit 7e979b56fd.

The reverted commit broke `setfiles` when it's run from a chroot
without /proc mounted, e.g.

    # chroot /mnt/sysimage

    chroot# setfiles -e /proc -e /sys /sys /etc/selinux/targeted/contexts/files/file_contexts /
    [strace]
    openat(AT_FDCWD, "/", O_RDONLY|O_EXCL|O_NOFOLLOW|O_PATH) = 3
    newfstatat(3, "", {st_mode=S_IFDIR|0555, st_size=4096, ...}, AT_EMPTY_PATH) = 0
    mmap(NULL, 2101248, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f1697c91000
    fgetxattr(3, "security.selinux", 0x55be8881d3f0, 255) = -1 EBADF (Bad file descriptor)
    fcntl(3, F_GETFL)                       = 0x220000 (flags O_RDONLY|O_NOFOLLOW|O_PATH)
    getxattr("/proc/self/fd/3", "security.selinux", 0x55be8881d3f0, 255) = -1 ENOENT (No such file or directory)
    [/strace]
    setfiles: Could not set context for /:  No such file or directory

Signed-off-by: Petr Lautrbach <plautrba@redhat.com>
Acked-by: James Carter <jwcart2@gmail.com>
2022-06-02 08:32:42 -04:00
Christian Göttsche
6d02b2fa29 semodule: avoid toctou on output module
Do not check for file existence and open afterwards, open with the
exclusive flag (supported in Glibc and musl 0.9.6 and also standardized
in C11).

Found by GitHub CodeQL.

Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
Acked-by: Nicolas Iooss <nicolas.iooss@m4x.org>
2022-06-02 08:31:07 -04:00
Christian Göttsche
dd98fa3227 libselinux: declare return value of context_str(3) const
context_str(3) returns a string representation of the given context.
This string is owned by the context and free'd on context_free(3).
Declare it const, as already done in the man page, since it must not be
free'd by the caller.

Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
Acked-by: Nicolas Iooss <nicolas.iooss@m4x.org>
2022-06-02 08:29:01 -04:00
Petr Lautrbach
0a8c177dac
Update VERSIONs to 3.4 for release.
Signed-off-by: Petr Lautrbach <plautrba@redhat.com>
2022-05-18 16:51:03 +02:00
Christian Göttsche
ed4cd8772a ci: declare git repository a safe directory
Since version 2.35.2, due to CVE-2022-24765, git refuses to operate by
default on a repository owned by a different user.

Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
Acked-by: Petr Lautrbach <plautrba@redhat.com>
2022-05-18 12:31:31 +02:00
Christian Göttsche
822ad96c3f libselinux: update man page of setfilecon(3) family about context parameter
The family of setfilecon(3) functions take the context as a read-only
`const char *` parameter.

Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
2022-05-17 13:52:31 +02:00
Ondrej Mosnacek
9e096e6ef0 libsepol,checkpolicy: add support for self keyword in type transitions
With the addition of the anon_inode class in the kernel, 'self'
transition rules became useful, but haven't been implemented.

The typetransition, typemember, and typechange statements share the
relevant code, so this patch implements the self keyword in all of them
at the TE language level and adds the support to the module policydb
format. Note that changing the kernel policydb format is not necessary
at all, as type transitions are always expanded in the kernel policydb.

Signed-off-by: Ondrej Mosnacek <omosnace@redhat.com>
Acked-by: James Carter <jwcart2@gmail.com>
2022-05-16 10:37:17 -04:00
Ondrej Mosnacek
539b066036 libsepol/cil: add support for self keyword in type transitions
With the addition of the anon_inode class in the kernel, 'self'
transition rules became useful, but haven't been implemented.

The typetransition, typemember, and typechange statements share the
relevant code, so this patch implements the self keyword in all of them
at the CIL level. It also adds basic coverage for the such 'self' rules
to the secilc test policy.

Signed-off-by: Ondrej Mosnacek <omosnace@redhat.com>
Acked-by: James Carter <jwcart2@gmail.com>
2022-05-16 10:37:05 -04:00
Christian Göttsche
0c407c3f1d libselinux/utils: print errno on failure
Print error description on failure after functions known to set errno.

Also mention the library function name in getenforce, policyvers and
setenforce instead of the program name twice.

Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
Acked-by: James Carter <jwcart2@gmail.com>
2022-05-16 10:31:15 -04:00
Vit Mojzis
b14d5de5b4 gettext: set _ on module level instead of builtins namespace
Some calls to "_" where unsuccessful because the function was
initialized with a different translation domain than the string.
e.g. selinux-polgengui calls functions from sepolicy.generate, which end
up printing untranslated strings because polgengui uses selinux-gui
domain while sepolicy uses selinux-python

- Set "_" in module namespace instead of "builtins"
- Set the whole "sepolicy.generate()" confirmation as translatable
- Drop "codeset" parameter since it is deprecated

Signed-off-by: Vit Mojzis <vmojzis@redhat.com>
Acked-by: James Carter <jwcart2@gmail.com>
2022-05-16 10:29:54 -04:00
Christian Göttsche
88d43a8dc2 libselinux: preserve errno in selinux_log()
selinux_log() is used in many error branches, where the caller might
expect errno to bet set, e.g. label_file.c::lookup_all():

    if (match_count) {
		*match_count = 0;
		result = calloc(data->nspec, sizeof(struct spec*));
	} else {
		result = calloc(1, sizeof(struct spec*));
	}
	if (!result) {
		selinux_log(SELINUX_ERROR, "Failed to allocate %zu bytes of data\n",
			    data->nspec * sizeof(struct spec*));
		goto finish;
	}

Preserve errno in the macro wrapper itself, also preventing accidental
errno modifications in client specified SELINUX_CB_LOG callbacks.

Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
Acked-by: James Carter <jwcart2@gmail.com>
2022-05-16 10:28:35 -04:00
Christian Göttsche
8266fd9401 libselinux: free memory in error branch
In case the allocation for the filename fails, free the memory of the context.

Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
Acked-by: James Carter <jwcart2@gmail.com>
2022-05-16 10:24:42 -04:00
Christian Göttsche
7e979b56fd libselinux: restorecon: pin file to avoid TOCTOU issues
Pin the file to operate on in restorecon_sb() to prevent symlink attacks
in between the label database lookup, the current context query and the
final context write.  Also don't use the file information from
fts_read(3), which might also be out of sync.

Due to querying file information twice, one in fts_read(3) needed for
the cross device check and one on the pinned file descriptor for the
database lookup, there is a slight slowdown:

    [current]
    Time (mean ± σ):     14.456 s ±  0.306 s    [User: 45.863 s, System: 4.463 s]
    Range (min … max):   14.275 s … 15.294 s    10 runs

    [changed]
    Time (mean ± σ):     15.843 s ±  0.045 s    [User: 46.274 s, System: 9.495 s]
    Range (min … max):   15.787 s … 15.916 s    10 runs

Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
Acked-by: James Carter <jwcart2@gmail.com>
2022-05-16 10:21:47 -04:00
Christian Göttsche
aaa49acac9 libselinux: restorecon: forward error if not ENOENT
selabel_lookup_raw(3) can fail for other reasons than no corresponding
context found, e.g. ENOMEM or EINVAL for invalid key or type.

Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
Acked-by: James Carter <jwcart2@gmail.com>
2022-05-16 10:21:47 -04:00
Christian Göttsche
657420d67f libselinux: restorecon: misc tweaks
* mark read-only parameters const
* check for overflow when adding exclude directory
* use 64 bit integer for file counting
* avoid implicit conversions

Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
Acked-by: James Carter <jwcart2@gmail.com>
2022-05-16 10:21:47 -04:00
Christian Göttsche
a782abf226 libselinux: emulate O_PATH support in fgetfilecon/fsetfilecon
Operating on a file descriptor avoids TOCTOU issues and one opened via
O_PATH avoids the requirement of having read access to the file.  Since
Linux does not natively support file descriptors opened via O_PATH in
fgetxattr(2) and at least glibc and musl does not emulate O_PATH support
in their implementations, fgetfilecon(3) and fsetfilecon(3) also do not
currently support file descriptors opened with O_PATH.

Inspired by CVE-2013-4392: https://github.com/systemd/systemd/pull/8583
Implementation adapted from: 2825f10b7f%5E%21/

Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
Acked-by: James Carter <jwcart2@gmail.com>
2022-05-16 10:21:47 -04:00