Tom Cherry 00548bd9b6 libselinux: fix thread safety issues with lookup_common()
There are two problems with lookup_common() and therefore
selabel_lookup() and related functions that this patch fixes:

1) A race with the lazy compilation of regexes.  Since the struct
regex_data is allocated and assigned immediately to the parent struct
spec, it's possible for a second thread to see that this pointer is
non-NULL before the regex compilation has finished.  This typically
results in a -1 return from selabel_lookup() with ENOENT as errno.

This is fixed by adding synchronization in compile_regex().

2) A race with PCRE2 regex_match().  A struct pcre2_match_data is
created once and used for all regex matches for a given regex.  This
is problematic if two threads are attempting to evaluate the same
regex simultaneously.  This typically results in a successful return
from selabel_lookup() but with an erroneous selabel.

This is fixed by adding a pthread_mutex within regex_match() for
PCRE2.  Note, on my system, creating new matchdata takes roughly an
order of magnitude more time than locking a non-contended
pthread_mutex.  I don't believe programs will have enough contention
on this lock to justify that cost.

Bug: 63861738
Test: ueventd unit tests
Change-Id: I13bf782d81d0a0b896d444e396f307ad0dbacb6a
2017-07-26 16:23:04 -04:00
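
The locking pattern described in the commit message above, as an added example that is not the libselinux patch itself. It substitutes POSIX regex.h for PCRE2; struct spec, its fields, the function signatures, run_lookups() and the /dev sample paths are assumptions made for illustration. The ready flag is set only after compilation has finished, and the single shared match buffer is read and written only while the mutex is held.

```c
#include <pthread.h>
#include <regex.h>

/* Hypothetical stand-in for a file-context spec; every name here is illustrative. */
struct spec {
    const char *pattern;
    pthread_mutex_t lock;   /* guards compiled, re and scratch */
    int compiled;           /* set only after regcomp() has succeeded */
    regex_t re;
    regmatch_t scratch[1];  /* one match buffer shared by every caller */
};

/* Lazy compile: the ready flag is set under the lock, after regcomp() returns. */
int compile_regex(struct spec *s) {
    int rc = 0;
    pthread_mutex_lock(&s->lock);
    if (!s->compiled && (rc = regcomp(&s->re, s->pattern, REG_EXTENDED)) == 0)
        s->compiled = 1;
    pthread_mutex_unlock(&s->lock);
    return rc ? -1 : 0;
}

/* Returns the matched length or -1; the lock keeps one matcher in scratch at a time. */
int regex_match(struct spec *s, const char *path) {
    int len = -1;
    if (compile_regex(s) < 0) return -1;
    pthread_mutex_lock(&s->lock);
    if (regexec(&s->re, path, 1, s->scratch, 0) == 0)
        len = (int)(s->scratch[0].rm_eo - s->scratch[0].rm_so);
    pthread_mutex_unlock(&s->lock);
    return len;
}

struct job { struct spec *s; const char *path; int want, bad; };
static void *worker(void *arg) {
    struct job *j = arg;
    for (int i = 0; i < 2000; i++) j->bad += regex_match(j->s, j->path) != j->want;
    return NULL;
}

/* Two threads share one spec (constructed sample paths); returns the wrong-result count. */
int run_lookups(void) {
    static struct spec s = { .pattern = "^/dev/[a-z]+", .lock = PTHREAD_MUTEX_INITIALIZER };
    struct job jobs[2] = { { &s, "/dev/null", 9, 0 }, { &s, "/dev/random1", 11, 0 } };
    pthread_t t[2];
    int n = 0;
    while (n < 2 && pthread_create(&t[n], NULL, worker, &jobs[n]) == 0) n++;
    for (int i = 0; i < n; i++) pthread_join(t[i], NULL);
    return n < 2 ? -1 : jobs[0].bad + jobs[1].bad;
}
int main(void) { return run_lookups() != 0; }
```

Build with -pthread. Dropping the lock around regexec() lets both threads write scratch at once, which is the analogue of the shared pcre2_match_data race.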
checkpolicy Update VERSION files for 2.7-rc5 2017-07-18 12:01:26 -04:00
dbus Update VERSION files for 2.7-rc5 2017-07-18 12:01:26 -04:00
gui Update VERSION files for 2.7-rc5 2017-07-18 12:01:26 -04:00
libselinux libselinux: fix thread safety issues with lookup_common() 2017-07-26 16:23:04 -04:00
libsemanage Update VERSION files for 2.7-rc5 2017-07-18 12:01:26 -04:00
libsepol libsepol: cil: enable cpp compilation of cil.h. 2017-07-26 13:24:22 -04:00
mcstrans Update VERSION files for 2.7-rc5 2017-07-18 12:01:26 -04:00
policycoreutils Update VERSION files for 2.7-rc5 2017-07-18 12:01:26 -04:00
python Update VERSION files for 2.7-rc5 2017-07-18 12:01:26 -04:00
restorecond Update VERSION files for 2.7-rc5 2017-07-18 12:01:26 -04:00
sandbox Update VERSION files for 2.7-rc5 2017-07-18 12:01:26 -04:00
scripts Fix release script 2016-11-16 11:19:51 -05:00
secilc Update VERSION files for 2.7-rc5 2017-07-18 12:01:26 -04:00
semodule-utils Update VERSION files for 2.7-rc5 2017-07-18 12:01:26 -04:00
.gitignore restorecond: Add gitignore 2016-11-16 11:20:05 -05:00
.travis.yml Travis-CI: test defining CFLAGS, LDFLAGS, etc. on make command line 2017-06-30 08:56:43 -04:00
CleanSpec.mk Add empty top level Android.mk / CleanSpec.mk files 2015-04-16 07:54:09 -04:00
Makefile Add includes for DESTDIR only in root Makefile 2017-04-25 08:31:10 -04:00
README libsepol compilation fixes for macOS. 2017-01-20 13:19:57 -05:00

Please submit all bug reports and patches to selinux@tycho.nsa.gov.
Subscribe via selinux-join@tycho.nsa.gov.

Build dependencies on Fedora:
yum install audit-libs-devel bison bzip2-devel dbus-devel dbus-glib-devel flex flex-devel flex-static glib2-devel libcap-devel libcap-ng-devel pam-devel pcre-devel python-devel setools-devel swig xmlto redhat-rpm-config

To build and install everything under a private directory, run:
make DESTDIR=~/obj install install-pywrap

To install as the default system libraries and binaries
(overwriting any previously installed ones - dangerous!),
on x86_64, run:
make LIBDIR=/usr/lib64 SHLIBDIR=/lib64 install install-pywrap relabel
or on x86 (32-bit), run:
make install install-pywrap relabel

This may render your system unusable if the upstream SELinux userspace
lacks library functions or other dependencies relied upon by your
distribution.  If it breaks, you get to keep both pieces.

To install libsepol on macOS (mainly for policy analysis):
cd libsepol; make DESTDIR=/usr/local PREFIX=/usr/local install

This requires GNU coreutils (brew install coreutils).