[yocto] [PATCH 13/13] libselinux: procattr fixes

Stephen Smalley sds at tycho.nsa.gov
Mon Mar 7 12:52:52 PST 2016


Backport of SELinux userspace upstream commits c7cf5d8aa061b9616bf9d5e91139ce4fb40f532c
and f77021d720f12767576c25d751c75cacd7478614 (procattr pid argument validation).

Signed-off-by: Stephen Smalley <sds at tycho.nsa.gov>
---
 ...bselinux-procattr-return-einval-for-0-pid.patch | 47 ++++++++++++++++++++++
 ...inux-procattr-return-error-on-invalid-pid.patch | 40 ++++++++++++++++++
 recipes-security/selinux/libselinux_2.5.bb         |  2 +
 3 files changed, 89 insertions(+)
 create mode 100644 recipes-security/selinux/libselinux/libselinux-procattr-return-einval-for-0-pid.patch
 create mode 100644 recipes-security/selinux/libselinux/libselinux-procattr-return-error-on-invalid-pid.patch

diff --git a/recipes-security/selinux/libselinux/libselinux-procattr-return-einval-for-0-pid.patch b/recipes-security/selinux/libselinux/libselinux-procattr-return-einval-for-0-pid.patch
new file mode 100644
index 0000000..cfac80e
--- /dev/null
+++ b/recipes-security/selinux/libselinux/libselinux-procattr-return-einval-for-0-pid.patch
@@ -0,0 +1,47 @@
+From c7cf5d8aa061b9616bf9d5e91139ce4fb40f532c Mon Sep 17 00:00:00 2001
+From: dcashman <dcashman at android.com>
+Date: Tue, 23 Feb 2016 12:24:00 -0800
+Subject: libselinux: procattr: return einval for <= 0 pid args.
+
+getpidcon documentation does not specify that a pid of 0 refers to the
+current process, and getcon exists specifically to provide this
+functionality, and getpidcon(getpid()) would provide it as well.
+Disallow pid values <= 0 that may lead to unintended behavior in
+userspace object managers.
+
+Signed-off-by: Daniel Cashman <dcashman at android.com>
+---
+ src/procattr.c | 14 ++++++++++++--
+ 1 file changed, 12 insertions(+), 2 deletions(-)
+
+diff --git a/src/procattr.c b/src/procattr.c
+index c20f003..eee4612 100644
+--- a/src/procattr.c
++++ b/src/procattr.c
+@@ -306,11 +306,21 @@ static int setprocattrcon(const char * context,
+ #define getpidattr_def(fn, attr) \
+ 	int get##fn##_raw(pid_t pid, char **c)	\
+ 	{ \
+-		return getprocattrcon_raw(c, pid, #attr); \
++		if (pid <= 0) { \
++			errno = EINVAL; \
++			return -1; \
++		} else { \
++			return getprocattrcon_raw(c, pid, #attr); \
++		} \
+ 	} \
+ 	int get##fn(pid_t pid, char **c)	\
+ 	{ \
+-		return getprocattrcon(c, pid, #attr); \
++		if (pid <= 0) { \
++			errno = EINVAL; \
++			return -1; \
++		} else { \
++			return getprocattrcon(c, pid, #attr); \
++		} \
+ 	}
+ 
+ all_selfattr_def(con, current)
+-- 
+2.4.3
+
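Review bot: The new patch file carries no `Upstream-Status:` tag in its commit message (between the Subject and the Signed-off-by lines); Yocto patch guidelines expect one on every patch shipped in a recipe, and since the cover letter already identifies this as upstream commit c7cf5d8aa061b9616bf9d5e91139ce4fb40f532c it should read `Upstream-Status: Backport`. As a minor style point inside the backported `getpidattr_def` macro, the `else` after `return -1;` is redundant and a plain early-return guard would read more clearly, but diverging from a verbatim upstream backport is probably not worth it. The macro definition is complete within the hunk; the rest of src/procattr.c is not visible here.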
diff --git a/recipes-security/selinux/libselinux/libselinux-procattr-return-error-on-invalid-pid.patch b/recipes-security/selinux/libselinux/libselinux-procattr-return-error-on-invalid-pid.patch
new file mode 100644
index 0000000..0717d67
--- /dev/null
+++ b/recipes-security/selinux/libselinux/libselinux-procattr-return-error-on-invalid-pid.patch
@@ -0,0 +1,40 @@
+From f77021d720f12767576c25d751c75cacd7478614 Mon Sep 17 00:00:00 2001
+From: dcashman <dcashman at android.com>
+Date: Tue, 23 Feb 2016 12:23:59 -0800
+Subject: libselinux: procattr: return error on invalid pid_t
+ input.
+
+Signed-off-by: Daniel Cashman <dcashman at android.com>
+---
+ src/procattr.c | 7 +++++--
+ 1 file changed, 5 insertions(+), 2 deletions(-)
+
+diff --git a/src/procattr.c b/src/procattr.c
+index 527a0a5..c20f003 100644
+--- a/src/procattr.c
++++ b/src/procattr.c
+@@ -70,9 +70,9 @@ static int openattr(pid_t pid, const char *attr, int flags)
+ 	char *path;
+ 	pid_t tid;
+ 
+-	if (pid > 0)
++	if (pid > 0) {
+ 		rc = asprintf(&path, "/proc/%d/attr/%s", pid, attr);
+-	else {
++	} else if (pid == 0) {
+ 		rc = asprintf(&path, "/proc/thread-self/attr/%s", attr);
+ 		if (rc < 0)
+ 			return -1;
+@@ -82,6 +82,9 @@ static int openattr(pid_t pid, const char *attr, int flags)
+ 		free(path);
+ 		tid = gettid();
+ 		rc = asprintf(&path, "/proc/self/task/%d/attr/%s", tid, attr);
++	} else {
++		errno = EINVAL;
++		return -1;
+ 	}
+ 	if (rc < 0)
+ 		return -1;
+-- 
+2.4.3
+
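Review bot: The added `else` branch in openattr rejects only negative pids, while `pid == 0` still resolves to the calling thread through `/proc/thread-self` (and the `/proc/self/task/<tid>` fallback); nothing in the hunk records that split, which matters because the companion patch in this series rejects `pid <= 0` one layer up in the get*con wrappers. A comment on the `pid > 0` test such as `/* pid > 0: target process; pid == 0: calling thread (getcon/setcon path); pid < 0: invalid */` would make the contract explicit for the next reader. This patch file also lacks an `Upstream-Status: Backport` tag in its header. openattr begins before and continues after the hunk.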
diff --git a/recipes-security/selinux/libselinux_2.5.bb b/recipes-security/selinux/libselinux_2.5.bb
index 0e2d864..0284494 100644
--- a/recipes-security/selinux/libselinux_2.5.bb
+++ b/recipes-security/selinux/libselinux_2.5.bb
@@ -11,6 +11,8 @@ SRC_URI += "\
         file://libselinux-make-O_CLOEXEC-optional.patch \
         file://libselinux-make-SOCK_CLOEXEC-optional.patch \
         file://libselinux-define-FD_CLOEXEC-as-necessary.patch \
+        file://libselinux-procattr-return-einval-for-0-pid.patch \
+        file://libselinux-procattr-return-error-on-invalid-pid.patch \
         file://libselinux-only-mount-proc-if-necessary.patch \
         file://0001-src-Makefile-fix-includedir-in-libselinux.pc.patch \
         "
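Review bot: The two patches are listed in the reverse of their upstream order: the `index` lines inside the patch files show f77021d (invalid-pid, 527a0a5..c20f003) is the parent of c7cf5d8 (einval-for-0-pid, c20f003..eee4612), yet SRC_URI applies the einval patch first, and bitbake applies patches in SRC_URI order. This appears to work only because the two hunks touch non-overlapping regions of src/procattr.c, and it may confuse anyone rebasing against upstream. Swap the two lines so `file://libselinux-procattr-return-error-on-invalid-pid.patch \` precedes `file://libselinux-procattr-return-einval-for-0-pid.patch \`.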
-- 
2.4.3



