selinux upstream commits c7cf5d8aa061b9616bf9d5e91139ce4fb40f532c
and f77021d720f12767576c25d751c75cacd7478614

Signed-off-by: Stephen Smalley <s...@tycho.nsa.gov>
---
 ...bselinux-procattr-return-einval-for-0-pid.patch | 47 ++++++++++++++++++++++
 ...inux-procattr-return-error-on-invalid-pid.patch | 40 ++++++++++++++++++
 recipes-security/selinux/libselinux_2.5.bb         |  2 +
 3 files changed, 89 insertions(+)
 create mode 100644 
recipes-security/selinux/libselinux/libselinux-procattr-return-einval-for-0-pid.patch
 create mode 100644 
recipes-security/selinux/libselinux/libselinux-procattr-return-error-on-invalid-pid.patch

diff --git 
a/recipes-security/selinux/libselinux/libselinux-procattr-return-einval-for-0-pid.patch
 
b/recipes-security/selinux/libselinux/libselinux-procattr-return-einval-for-0-pid.patch
new file mode 100644
index 0000000..cfac80e
--- /dev/null
+++ 
b/recipes-security/selinux/libselinux/libselinux-procattr-return-einval-for-0-pid.patch
@@ -0,0 +1,47 @@
+From c7cf5d8aa061b9616bf9d5e91139ce4fb40f532c Mon Sep 17 00:00:00 2001
+From: dcashman <dcash...@android.com>
+Date: Tue, 23 Feb 2016 12:24:00 -0800
+Subject: libselinux: procattr: return einval for <= 0 pid args.
+
+getpidcon documentation does not specify that a pid of 0 refers to the
+current process, and getcon exists specifically to provide this
+functionality, and getpidcon(getpid()) would provide it as well.
+Disallow pid values <= 0 that may lead to unintended behavior in
+userspace object managers.
+
+Signed-off-by: Daniel Cashman <dcash...@android.com>
+---
+ src/procattr.c | 14 ++++++++++++--
+ 1 file changed, 12 insertions(+), 2 deletions(-)
+
+diff --git a/src/procattr.c b/src/procattr.c
+index c20f003..eee4612 100644
+--- a/src/procattr.c
++++ b/src/procattr.c
+@@ -306,11 +306,21 @@ static int setprocattrcon(const char * context,
+ #define getpidattr_def(fn, attr) \
+       int get##fn##_raw(pid_t pid, char **c)  \
+       { \
+-              return getprocattrcon_raw(c, pid, #attr); \
++              if (pid <= 0) { \
++                      errno = EINVAL; \
++                      return -1; \
++              } else { \
++                      return getprocattrcon_raw(c, pid, #attr); \
++              } \
+       } \
+       int get##fn(pid_t pid, char **c)        \
+       { \
+-              return getprocattrcon(c, pid, #attr); \
++              if (pid <= 0) { \
++                      errno = EINVAL; \
++                      return -1; \
++              } else { \
++                      return getprocattrcon(c, pid, #attr); \
++              } \
+       }
+ 
+ all_selfattr_def(con, current)
+-- 
+2.4.3
+
diff --git 
a/recipes-security/selinux/libselinux/libselinux-procattr-return-error-on-invalid-pid.patch
 
b/recipes-security/selinux/libselinux/libselinux-procattr-return-error-on-invalid-pid.patch
new file mode 100644
index 0000000..0717d67
--- /dev/null
+++ 
b/recipes-security/selinux/libselinux/libselinux-procattr-return-error-on-invalid-pid.patch
@@ -0,0 +1,40 @@
+From f77021d720f12767576c25d751c75cacd7478614 Mon Sep 17 00:00:00 2001
+From: dcashman <dcash...@android.com>
+Date: Tue, 23 Feb 2016 12:23:59 -0800
+Subject: libselinux: procattr: return error on invalid pid_t
+ input.
+
+Signed-off-by: Daniel Cashman <dcash...@android.com>
+---
+ src/procattr.c | 7 +++++--
+ 1 file changed, 5 insertions(+), 2 deletions(-)
+
+diff --git a/src/procattr.c b/src/procattr.c
+index 527a0a5..c20f003 100644
+--- a/src/procattr.c
++++ b/src/procattr.c
+@@ -70,9 +70,9 @@ static int openattr(pid_t pid, const char *attr, int flags)
+       char *path;
+       pid_t tid;
+ 
+-      if (pid > 0)
++      if (pid > 0) {
+               rc = asprintf(&path, "/proc/%d/attr/%s", pid, attr);
+-      else {
++      } else if (pid == 0) {
+               rc = asprintf(&path, "/proc/thread-self/attr/%s", attr);
+               if (rc < 0)
+                       return -1;
+@@ -82,6 +82,9 @@ static int openattr(pid_t pid, const char *attr, int flags)
+               free(path);
+               tid = gettid();
+               rc = asprintf(&path, "/proc/self/task/%d/attr/%s", tid, attr);
++      } else {
++              errno = EINVAL;
++              return -1;
+       }
+       if (rc < 0)
+               return -1;
+-- 
+2.4.3
+
diff --git a/recipes-security/selinux/libselinux_2.5.bb 
b/recipes-security/selinux/libselinux_2.5.bb
index 0e2d864..0284494 100644
--- a/recipes-security/selinux/libselinux_2.5.bb
+++ b/recipes-security/selinux/libselinux_2.5.bb
@@ -11,6 +11,8 @@ SRC_URI += "\
         file://libselinux-make-O_CLOEXEC-optional.patch \
         file://libselinux-make-SOCK_CLOEXEC-optional.patch \
         file://libselinux-define-FD_CLOEXEC-as-necessary.patch \
+        file://libselinux-procattr-return-einval-for-0-pid.patch \
+        file://libselinux-procattr-return-error-on-invalid-pid.patch \
         file://libselinux-only-mount-proc-if-necessary.patch \
         file://0001-src-Makefile-fix-includedir-in-libselinux.pc.patch \
         "
-- 
2.4.3
