selinux upstream commit 5a8d8c499b2ef80eaa7b5abe2ec68d7101e613bf Signed-off-by: Stephen Smalley <s...@tycho.nsa.gov> --- .../libselinux-only-mount-proc-if-necessary.patch | 54 ++++++++++++++++++++++ recipes-security/selinux/libselinux_2.5.bb | 1 + 2 files changed, 55 insertions(+) create mode 100644 recipes-security/selinux/libselinux/libselinux-only-mount-proc-if-necessary.patch
diff --git a/recipes-security/selinux/libselinux/libselinux-only-mount-proc-if-necessary.patch b/recipes-security/selinux/libselinux/libselinux-only-mount-proc-if-necessary.patch
new file mode 100644
index 0000000..ab157b6
--- /dev/null
+++ b/recipes-security/selinux/libselinux/libselinux-only-mount-proc-if-necessary.patch
@@ -0,0 +1,54 @@
+From 0d9368ee5af662a99cf123407884ba0e42053c68 Mon Sep 17 00:00:00 2001
+From: Stephen Smalley <s...@tycho.nsa.gov>
+Date: Mon, 29 Feb 2016 10:10:55 -0500
+Subject: [PATCH] libselinux: only mount /proc if necessary
+
+Commit 9df498884665d ("libselinux: Mount procfs before checking
+/proc/filesystems") changed selinuxfs_exists() to always try
+mounting /proc before reading /proc/filesystems. However, this is
+unnecessary if /proc is already mounted and can produce avc denials
+if the process is not allowed to perform the mount. Check first
+to see if /proc is already present and only try the mount if it is not.
+
+Signed-off-by: Stephen Smalley <s...@tycho.nsa.gov>
+---
+ src/init.c | 11 +++++++++--
+ 1 file changed, 9 insertions(+), 2 deletions(-)
+
+diff --git a/src/init.c b/src/init.c
+index 3db4de0..3530594 100644
+--- a/src/init.c
++++ b/src/init.c
+@@ -12,6 +12,7 @@
+ #include <stdint.h>
+ #include <limits.h>
+ #include <sys/mount.h>
++#include <linux/magic.h>
+ 
+ #include "dso.h"
+ #include "policy.h"
+@@ -57,13 +58,19 @@ static int verify_selinuxmnt(const char *mnt)
+ 
+ int selinuxfs_exists(void)
+ {
+- int exists = 0, mnt_rc = 0;
++ int exists = 0, mnt_rc = -1, rc;
++ struct statfs sb;
+ FILE *fp = NULL;
+ char *buf = NULL;
+ size_t len;
+ ssize_t num;
+ 
+- mnt_rc = mount("proc", "/proc", "proc", 0, 0);
++ do {
++ rc = statfs("/proc", &sb);
++ } while (rc < 0 && errno == EINTR);
++
++ if (rc == 0 && ((uint32_t)sb.f_type != (uint32_t)PROC_SUPER_MAGIC))
++ mnt_rc = mount("proc", "/proc", "proc", 0, 0);
+ 
+ fp = fopen("/proc/filesystems", "r");
+ if (!fp) {
+--
+2.4.3
+
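Review bot: The `rc == 0 &&` gate in front of the mount call means any statfs("/proc") failure other than EINTR (ENOENT if the /proc directory is missing, EACCES, ENOMEM) silently skips the mount and falls straight through to the `fopen("/proc/filesystems")`, while the commit message only describes skipping the mount when procfs is already mounted; if that trade-off is intended (a mount would most likely fail in those cases too) it should be stated above the `if` with something like `/* statfs() failed: /proc is unusable, so a mount attempt would fail too */`, otherwise the gate should read `if (rc < 0 || (uint32_t)sb.f_type != (uint32_t)PROC_SUPER_MAGIC)` to keep the old always-try behaviour. The `(uint32_t)` casts on both sides are the right call, since the width and signedness of `f_type` vary by libc and architecture. The hunk adds only `<linux/magic.h>`, yet the new code also needs `<sys/vfs.h>` (or `<sys/statfs.h>`) for `struct statfs`/`statfs()` and `<errno.h>` for `errno`; those are presumably already included above line 12 of init.c, but it is worth confirming on whatever non-glibc toolchains the neighbouring CLOEXEC patches in this recipe exist for. As a meta-layer patch this file should also carry an `Upstream-Status: Backport` line citing the upstream commit (the cover text names 5a8d8c49…, the embedded header 0d9368ee… — one of the two should be given there) so the patch can be dropped on the next uprev. `selinuxfs_exists` continues past the hunk, so the later consumer of `mnt_rc` (presumably an unmount that now only runs when this code actually mounted, given the -1 initialiser) is not visible here.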
diff --git a/recipes-security/selinux/libselinux_2.5.bb b/recipes-security/selinux/libselinux_2.5.bb
index a744b2f..0e2d864 100644
--- a/recipes-security/selinux/libselinux_2.5.bb
+++ b/recipes-security/selinux/libselinux_2.5.bb
@@ -11,5 +11,6 @@ SRC_URI += "\
 file://libselinux-make-O_CLOEXEC-optional.patch \
 file://libselinux-make-SOCK_CLOEXEC-optional.patch \
 file://libselinux-define-FD_CLOEXEC-as-necessary.patch \
+ file://libselinux-only-mount-proc-if-necessary.patch \
 file://0001-src-Makefile-fix-includedir-in-libselinux.pc.patch \
 "
--
2.4.3

--
_______________________________________________
yocto mailing list
yocto@yoctoproject.org
https://lists.yoctoproject.org/listinfo/yocto