From patchwork Tue Jul 26 08:45:16 2016 X-Patchwork-Submitter: Richard Haines X-Patchwork-Id: 9247929
From: Richard Haines To: selinux@tycho.nsa.gov Subject: [PATCH V3 4/4] policycoreutils: restorecond - Modify to use selinux_restorecon Date: Tue, 26 Jul 2016 09:45:16 +0100 Message-Id: <1469522716-3306-1-git-send-email-richard_c_haines@btinternet.com> X-Mailer: git-send-email 2.7.4 X-BeenThere: selinux@tycho.nsa.gov X-Mailman-Version: 2.1.20 Precedence: list List-Id: "Security-Enhanced Linux \(SELinux\) mailing list" List-Post: List-Help: MIME-Version: 1.0 Errors-To: selinux-bounces@tycho.nsa.gov Sender: "Selinux" X-Virus-Scanned: ClamAV using ClamSMTP Modify restorecond to make use of the libselinux selinux_restorecon* set of functions. Also removed obsolete matchpathcon* functions. Signed-off-by: Richard Haines --- V3 - Add this new patch to the set. policycoreutils/restorecond/restorecond.c | 45 ++++++++++++------------------- policycoreutils/restorecond/restorecond.h | 2 ++ policycoreutils/restorecond/watch.c | 25 ++++++++++------- 3 files changed, 34 insertions(+), 38 deletions(-) diff --git a/policycoreutils/restorecond/restorecond.c b/policycoreutils/restorecond/restorecond.c index 8f847b6..7746427 100644 --- a/policycoreutils/restorecond/restorecond.c +++ b/policycoreutils/restorecond/restorecond.c @@ -42,6 +42,11 @@ * */ +/* + * Note that the restorecond(8) service build links with functions provided + * by ../setfiles/restore.c + */ + #define _GNU_SOURCE #include #include @@ -68,7 +73,7 @@ static int master_fd = -1; static const char *server_watch_file = "/etc/selinux/restorecond.conf"; static const char *user_watch_file = "/etc/selinux/restorecond_user.conf"; static const char *watch_file; -static struct restore_opts r_opts; +struct restore_opts r_opts; #include @@ -81,7 +86,7 @@ static void done(void) { watch_list_free(master_fd); close(master_fd); utmpwatcher_free(); - matchpathcon_fini(); + selabel_close(r_opts.hnd); } static const char *pidfile = "/var/run/restorecond.pid"; 
@@ -140,30 +145,17 @@ int main(int argc, char **argv) int opt; struct sigaction sa; - memset(&r_opts, 0, sizeof(r_opts)); + /* If we are not running SELinux then just exit */ + if (is_selinux_enabled() != 1) + return 0; - r_opts.progress = 0; - r_opts.count = 0; - r_opts.debug = 0; - r_opts.change = 1; - r_opts.verbose = 0; - r_opts.logging = 0; - r_opts.rootpath = NULL; - r_opts.rootpathlen = 0; - r_opts.outfile = NULL; - r_opts.force = 0; - r_opts.hard_links = 0; - r_opts.abort_on_error = 0; - r_opts.add_assoc = 0; - r_opts.expand_realpath = 0; - r_opts.fts_flags = FTS_PHYSICAL; - r_opts.selabel_opt_validate = NULL; - r_opts.selabel_opt_path = NULL; - r_opts.ignore_enoent = 1; + /* Set all options to zero/NULL except for ignore_noent & digest. */ + memset(&r_opts, 0, sizeof(r_opts)); + r_opts.ignore_noent = SELINUX_RESTORECON_IGNORE_NOENTRY; + r_opts.ignore_digest = SELINUX_RESTORECON_IGNORE_DIGEST; + /* As r_opts.selabel_opt_digest = NULL, no digest will be requested. */ restore_init(&r_opts); - /* If we are not running SELinux then just exit */ - if (is_selinux_enabled() != 1) return 0; /* Register sighandlers */ sa.sa_flags = 0; @@ -171,9 +163,6 @@ int main(int argc, char **argv) sigemptyset(&sa.sa_mask); sigaction(SIGTERM, &sa, NULL); - set_matchpathcon_flags(MATCHPATHCON_NOTRANS); - - exclude_non_seclabel_mounts(); atexit( done ); while ((opt = getopt(argc, argv, "hdf:uv")) > 0) { switch (opt) { @@ -191,7 +180,7 @@ int main(int argc, char **argv) exit(0); break; case 'v': - r_opts.verbose++; + r_opts.verbose = SELINUX_RESTORECON_VERBOSE; break; case '?': usage(argv[0]); @@ -230,7 +219,7 @@ int main(int argc, char **argv) watch_list_free(master_fd); close(master_fd); - matchpathcon_fini(); + if (pidfile) unlink(pidfile); diff --git a/policycoreutils/restorecond/restorecond.h b/policycoreutils/restorecond/restorecond.h index 6adc087..a6be584 100644 --- a/policycoreutils/restorecond/restorecond.h +++ b/policycoreutils/restorecond/restorecond.h 
@@ -42,4 +42,6 @@ extern int watch_list_find(int wd, const char *file); extern void watch_list_free(int fd); extern int watch_list_isempty(void); +extern struct restore_opts r_opts; + #endif diff --git a/policycoreutils/restorecond/watch.c b/policycoreutils/restorecond/watch.c index 10978cb..bdfc99d 100644 --- a/policycoreutils/restorecond/watch.c +++ b/policycoreutils/restorecond/watch.c @@ -25,7 +25,6 @@ /* reasonable guess as to size of 1024 events */ #define BUF_LEN (1024 * (EVENT_SIZE + 16)) - struct watchList { struct watchList *next; int wd; @@ -49,20 +48,23 @@ void watch_list_add(int fd, const char *path) char *file = basename(x); char *dir = dirname(x); ptr = firstDir; - - if (exclude(path)) goto end; + int len; globbuf.gl_offs = 1; if (glob(path, GLOB_TILDE | GLOB_PERIOD, NULL, &globbuf) >= 0) { - for (i=0; i < globbuf.gl_pathc; i++) { - int len = strlen(globbuf.gl_pathv[i]) -2; - if (len > 0 && strcmp(&globbuf.gl_pathv[i][len--], "/.") == 0) continue; - if (len > 0 && strcmp(&globbuf.gl_pathv[i][len], "/..") == 0) continue; - if (process_one_realpath(globbuf.gl_pathv[i], 0) > 0) - process_one_realpath(globbuf.gl_pathv[i], 1); + for (i = 0; i < globbuf.gl_pathc; i++) { + len = strlen(globbuf.gl_pathv[i]) - 2; + if (len > 0 && + strcmp(&globbuf.gl_pathv[i][len--], "/.") == 0) + continue; + if (len > 0 && + strcmp(&globbuf.gl_pathv[i][len], "/..") == 0) + continue; + selinux_restorecon(globbuf.gl_pathv[i], + r_opts.restorecon_flags); } globfree(&globbuf); } @@ -114,7 +116,9 @@ end: int watch_list_find(int wd, const char *file) { struct watchList *ptr = NULL; + ptr = firstDir; + if (debug_mode) printf("%d: File=%s\n", wd, file); while (ptr != NULL) { @@ -126,7 +130,8 @@ int watch_list_find(int wd, const char *file) 0) exitApp("Error allocating memory."); - process_one_realpath(path, 0); + selinux_restorecon(path, + r_opts.restorecon_flags); free(path); return 0; }
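Review bot: in the done() hunk of restorecond.c, selabel_close(r_opts.hnd) becomes the only place the label handle is released, and it relies on restore_init() having populated r_opts.hnd (restore.c is not part of this patch). That holds as long as atexit(done) stays after restore_init(&r_opts), which it does in the main() hunk, and as long as restore_init exits rather than returns when selabel_open fails; worth stating in the new comment at the top of the file, since a NULL handle reaching selabel_close would crash the daemon at shutdown.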
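Review bot: in the main() option-setup hunk of restorecond.c, the comment "As r_opts.selabel_opt_digest = NULL, no digest will be requested" and the assignment r_opts.ignore_digest = SELINUX_RESTORECON_IGNORE_DIGEST describe two separate things: a NULL selabel_opt_digest means the handle computes no spec-file digest, while the IGNORE_DIGEST flag tells selinux_restorecon not to skip a directory that already carries a stored digest. Both are the safe choice for a daemon that relabels individual files as they appear, so the comment should say that both are intended. Moving the is_selinux_enabled() check ahead of restore_init() is a good change, since it avoids opening a label handle on a system without SELinux.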
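Review bot: in the hunk that deletes set_matchpathcon_flags(MATCHPATHCON_NOTRANS) and exclude_non_seclabel_mounts() from main(), the mount exclusion is dropped without a visible replacement: r_opts is zeroed and only ignore_noent and ignore_digest are set, so SELINUX_RESTORECON_IGNORE_MOUNTS is not set and the patch is relying on selinux_restorecon() to perform the non-seclabel mount exclusion itself. The commit message should say so explicitly, because the old exclude(path) call in watch_list_add() (removed in the watch.c hunk) depended on that exclusion list as well.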
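Review bot: in the hunk at the end of main() in restorecond.c, matchpathcon_fini() is removed without a matching selabel_close(); this is consistent because done() is registered with atexit() and closes the handle, but a one-line comment here would save the next reader from checking. Note also that main() already calls watch_list_free() and close(master_fd) just before, and done() repeats both at exit; that double cleanup predates this patch but is worth a follow-up.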
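Review bot: in the restorecond.h hunk, extern struct restore_opts r_opts; is declared with an incomplete type, which compiles, but every translation unit that dereferences r_opts (watch.c uses r_opts.restorecon_flags) must include restore.h before this header. Either add the include to restorecond.h or put a comment beside the extern naming ../setfiles/restore.h as the place the struct is defined, matching the new comment added at the top of restorecond.c.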
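Review bot: the first watch.c hunk (removing a blank line after the BUF_LEN define) and the watch_list_find() hunk that only inserts blank lines are whitespace-only changes unrelated to the matchpathcon conversion; they would be better as a separate cleanup patch so that the functional diff stays small.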
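Review bot: in the watch_list_add() hunk of watch.c, three points. First, int len; is now declared after the ptr = firstDir; statement; move it up with the other locals. Second, the old code made a second, recursive process_one_realpath(..., 1) pass when the first pass returned > 0, whereas the new single selinux_restorecon(globbuf.gl_pathv[i], r_opts.restorecon_flags) call has no SELINUX_RESTORECON_RECURSE bit in its flags (r_opts is zeroed in main) and its return value is discarded, so a watched directory is no longer relabelled recursively at startup; please confirm that change of behaviour is intended and mention it in the commit message. Third, with if (exclude(path)) goto end; gone, check that the end: label is still reached by another goto, otherwise it becomes an unused label.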
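Review bot: in the watch_list_find() hunk of watch.c, the return value of selinux_restorecon(path, r_opts.restorecon_flags) is discarded. ENOENT is already tolerated through ignore_noent, which is right for a file that vanishes between the inotify event and the relabel, but any other failure is now silent; printing the path and errno when debug_mode is set, alongside the existing "%d: File=%s" trace, would make mislabelled files diagnosable.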