| Message ID | 20201004140339.1896260-1-nicolas.iooss@m4x.org (mailing list archive) |
|---|---|
| State | Accepted |
| Headers | show |
| Series | [1/1] libselinux: convert matchpathcon to selabel_lookup() | expand |
On Sun, Oct 04, 2020 at 04:03:39PM +0200, Nicolas Iooss wrote: > Function matchpathcon() is deprecated in favor of selabel_lookup() but > program "matchpathcon" is much easier to use than "selabel_loopkup" to > find the file context which would be applied to some files and > directories. > > More precisely: > > matchpathcon /path/to/my/file > > is easier to type and remember than: > > selabel_lookup -b file -k /path/to/my/file > > It also allows performing multiple context searches in one command, > where selabel_lookup cannot use multiple -k options. > > Migrate matchpathcon to the preferred API. > > Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org> Thanks for this! Travis run https://travis-ci.org/github/bachradsusi/SELinuxProject-selinux/builds/735357374 Acked-by: Petr Lautrbach <plautrba@redhat.com> > --- > libselinux/utils/Makefile | 2 - > libselinux/utils/matchpathcon.c | 87 ++++++++++++++------------------- > 2 files changed, 38 insertions(+), 51 deletions(-) > > diff --git a/libselinux/utils/Makefile b/libselinux/utils/Makefile > index aa2d3e1b144f..b018a08acbe0 100644 > --- a/libselinux/utils/Makefile > +++ b/libselinux/utils/Makefile > @@ -56,8 +56,6 @@ sefcontext_compile: LDLIBS += $(PCRE_LDLIBS) ../src/libselinux.a -lsepol > > sefcontext_compile: sefcontext_compile.o ../src/regex.o > > -matchpathcon: CFLAGS += -Wno-deprecated-declarations > - > all: $(TARGETS) > > install: all > diff --git a/libselinux/utils/matchpathcon.c b/libselinux/utils/matchpathcon.c > index cc018d213f4c..a07e160dee71 100644 > --- a/libselinux/utils/matchpathcon.c > +++ b/libselinux/utils/matchpathcon.c > @@ -1,15 +1,14 @@ > -#include <unistd.h> > -#include <stdio.h> > -#include <stdlib.h> > -#include <getopt.h> > #include <errno.h> > -#include <string.h> > +#include <getopt.h> > #include <limits.h> > -#include <sys/types.h> > -#include <sys/stat.h> > +#include <selinux/label.h> > #include <selinux/selinux.h> > -#include <limits.h> > +#include <stdio.h> > #include <stdlib.h> > +#include <string.h> > +#include <sys/stat.h> > +#include <sys/types.h> > +#include <unistd.h> > > static __attribute__ ((__noreturn__)) void usage(const char *progname) > { > @@ -19,15 +18,21 @@ static __attribute__ ((__noreturn__)) void usage(const char *progname) > exit(1); > } > > -static int printmatchpathcon(const char *path, int header, int mode) > +static int printmatchpathcon(struct selabel_handle *hnd, const char *path, int header, int mode, int notrans) > { > - char *buf; > - int rc = matchpathcon(path, mode, &buf); > + char *buf = NULL; > + int rc; > + > + if (notrans) { > + rc = selabel_lookup_raw(hnd, &buf, path, mode); > + } else { > + rc = selabel_lookup(hnd, &buf, path, mode); > + } > if (rc < 0) { > if (errno == ENOENT) { > buf = strdup("<<none>>"); > } else { > - fprintf(stderr, "matchpathcon(%s) failed: %s\n", path, > + fprintf(stderr, "selabel_lookup(%s) failed: %s\n", path, > strerror(errno)); > return 1; > } > @@ -66,15 +71,14 @@ static mode_t string_to_mode(char *s) > > int main(int argc, char **argv) > { > - int i, init = 0, force_mode = 0; > + int i, force_mode = 0; > int header = 1, opt; > int verify = 0; > int notrans = 0; > int error = 0; > int quiet = 0; > - > - fprintf(stderr, > - "Deprecated, use selabel_lookup\n"); > + struct selabel_handle *hnd; > + struct selinux_opt options[SELABEL_NOPT] = {}; > > if (argc < 2) > usage(argv[0]); > @@ -96,23 +100,10 @@ int main(int argc, char **argv) > break; > case 'N': > notrans = 1; > - set_matchpathcon_flags(MATCHPATHCON_NOTRANS); > break; > case 'f': > - if (init) { > - fprintf(stderr, > - "%s: -f and -p are exclusive\n", > - argv[0]); > - exit(1); > - } > - init = 1; > - if (matchpathcon_init(optarg)) { > - fprintf(stderr, > - "Error while processing %s: %s\n", > - optarg, > - errno ? strerror(errno) : "invalid"); > - exit(1); > - } > + options[SELABEL_OPT_PATH].type = SELABEL_OPT_PATH; > + options[SELABEL_OPT_PATH].value = optarg; > break; > case 'P': > if (selinux_set_policy_root(optarg) < 0 ) { > @@ -124,20 +115,11 @@ int main(int argc, char **argv) > } > break; > case 'p': > - if (init) { > - fprintf(stderr, > - "%s: -f and -p are exclusive\n", > - argv[0]); > - exit(1); > - } > - init = 1; > - if (matchpathcon_init_prefix(NULL, optarg)) { > - fprintf(stderr, > - "Error while processing %s: %s\n", > - optarg, > - errno ? strerror(errno) : "invalid"); > - exit(1); > - } > + // This option has been deprecated since libselinux 2.5 (2016): > + // https://github.com/SELinuxProject/selinux/commit/26e05da0fc2d0a4bd274320968a88f8acbb3b6a6 > + fprintf(stderr, "Warning: using %s -p is deprecated\n", argv[0]); > + options[SELABEL_OPT_SUBSET].type = SELABEL_OPT_SUBSET; > + options[SELABEL_OPT_SUBSET].value = optarg; > break; > case 'q': > quiet = 1; > @@ -146,6 +128,13 @@ int main(int argc, char **argv) > usage(argv[0]); > } > } > + hnd = selabel_open(SELABEL_CTX_FILE, options, SELABEL_NOPT); > + if (!hnd) { > + fprintf(stderr, > + "Error while opening file contexts database: %s\n", > + strerror(errno)); > + return -1; > + } > for (i = optind; i < argc; i++) { > int rc, mode = 0; > struct stat buf; > @@ -185,19 +174,19 @@ int main(int argc, char **argv) > if (rc >= 0) { > printf("%s has context %s, should be ", > path, con); > - printmatchpathcon(path, 0, mode); > + printmatchpathcon(hnd, path, 0, mode, notrans); > freecon(con); > } else { > printf > ("actual context unknown: %s, should be ", > strerror(errno)); > - printmatchpathcon(path, 0, mode); > + printmatchpathcon(hnd, path, 0, mode, notrans); > } > } > } else { > - error |= printmatchpathcon(path, header, mode); > + error |= printmatchpathcon(hnd, path, header, mode, notrans); > } > } > - matchpathcon_fini(); > + selabel_close(hnd); > return error; > } > -- > 2.28.0 >
On Tue, Oct 13, 2020 at 04:48:05PM +0200, Petr Lautrbach wrote: > On Sun, Oct 04, 2020 at 04:03:39PM +0200, Nicolas Iooss wrote: > > Function matchpathcon() is deprecated in favor of selabel_lookup() but > > program "matchpathcon" is much easier to use than "selabel_loopkup" to > > find the file context which would be applied to some files and > > directories. > > > > More precisely: > > > > matchpathcon /path/to/my/file > > > > is easier to type and remember than: > > > > selabel_lookup -b file -k /path/to/my/file > > > > It also allows performing multiple context searches in one command, > > where selabel_lookup cannot use multiple -k options. > > > > Migrate matchpathcon to the preferred API. > > > > Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org> > > > Thanks for this! > > Travis run https://travis-ci.org/github/bachradsusi/SELinuxProject-selinux/builds/735357374 > > Acked-by: Petr Lautrbach <plautrba@redhat.com> > It's merged now. > > > --- > > libselinux/utils/Makefile | 2 - > > libselinux/utils/matchpathcon.c | 87 ++++++++++++++------------------- > > 2 files changed, 38 insertions(+), 51 deletions(-) > > > > diff --git a/libselinux/utils/Makefile b/libselinux/utils/Makefile > > index aa2d3e1b144f..b018a08acbe0 100644 > > --- a/libselinux/utils/Makefile > > +++ b/libselinux/utils/Makefile > > @@ -56,8 +56,6 @@ sefcontext_compile: LDLIBS += $(PCRE_LDLIBS) ../src/libselinux.a -lsepol > > > > sefcontext_compile: sefcontext_compile.o ../src/regex.o > > > > -matchpathcon: CFLAGS += -Wno-deprecated-declarations > > - > > all: $(TARGETS) > > > > install: all > > diff --git a/libselinux/utils/matchpathcon.c b/libselinux/utils/matchpathcon.c > > index cc018d213f4c..a07e160dee71 100644 > > --- a/libselinux/utils/matchpathcon.c > > +++ b/libselinux/utils/matchpathcon.c > > @@ -1,15 +1,14 @@ > > -#include <unistd.h> > > -#include <stdio.h> > > -#include <stdlib.h> > > -#include <getopt.h> > > #include <errno.h> > > -#include <string.h> > > +#include <getopt.h> > > #include <limits.h> > > -#include <sys/types.h> > > -#include <sys/stat.h> > > +#include <selinux/label.h> > > #include <selinux/selinux.h> > > -#include <limits.h> > > +#include <stdio.h> > > #include <stdlib.h> > > +#include <string.h> > > +#include <sys/stat.h> > > +#include <sys/types.h> > > +#include <unistd.h> > > > > static __attribute__ ((__noreturn__)) void usage(const char *progname) > > { > > @@ -19,15 +18,21 @@ static __attribute__ ((__noreturn__)) void usage(const char *progname) > > exit(1); > > } > > > > -static int printmatchpathcon(const char *path, int header, int mode) > > +static int printmatchpathcon(struct selabel_handle *hnd, const char *path, int header, int mode, int notrans) > > { > > - char *buf; > > - int rc = matchpathcon(path, mode, &buf); > > + char *buf = NULL; > > + int rc; > > + > > + if (notrans) { > > + rc = selabel_lookup_raw(hnd, &buf, path, mode); > > + } else { > > + rc = selabel_lookup(hnd, &buf, path, mode); > > + } > > if (rc < 0) { > > if (errno == ENOENT) { > > buf = strdup("<<none>>"); > > } else { > > - fprintf(stderr, "matchpathcon(%s) failed: %s\n", path, > > + fprintf(stderr, "selabel_lookup(%s) failed: %s\n", path, > > strerror(errno)); > > return 1; > > } > > @@ -66,15 +71,14 @@ static mode_t string_to_mode(char *s) > > > > int main(int argc, char **argv) > > { > > - int i, init = 0, force_mode = 0; > > + int i, force_mode = 0; > > int header = 1, opt; > > int verify = 0; > > int notrans = 0; > > int error = 0; > > int quiet = 0; > > - > > - fprintf(stderr, > > - "Deprecated, use selabel_lookup\n"); > > + struct selabel_handle *hnd; > > + struct selinux_opt options[SELABEL_NOPT] = {}; > > > > if (argc < 2) > > usage(argv[0]); > > @@ -96,23 +100,10 @@ int main(int argc, char **argv) > > break; > > case 'N': > > notrans = 1; > > - set_matchpathcon_flags(MATCHPATHCON_NOTRANS); > > break; > > case 'f': > > - if (init) { > > - fprintf(stderr, > > - "%s: -f and -p are exclusive\n", > > - argv[0]); > > - exit(1); > > - } > > - init = 1; > > - if (matchpathcon_init(optarg)) { > > - fprintf(stderr, > > - "Error while processing %s: %s\n", > > - optarg, > > - errno ? strerror(errno) : "invalid"); > > - exit(1); > > - } > > + options[SELABEL_OPT_PATH].type = SELABEL_OPT_PATH; > > + options[SELABEL_OPT_PATH].value = optarg; > > break; > > case 'P': > > if (selinux_set_policy_root(optarg) < 0 ) { > > @@ -124,20 +115,11 @@ int main(int argc, char **argv) > > } > > break; > > case 'p': > > - if (init) { > > - fprintf(stderr, > > - "%s: -f and -p are exclusive\n", > > - argv[0]); > > - exit(1); > > - } > > - init = 1; > > - if (matchpathcon_init_prefix(NULL, optarg)) { > > - fprintf(stderr, > > - "Error while processing %s: %s\n", > > - optarg, > > - errno ? strerror(errno) : "invalid"); > > - exit(1); > > - } > > + // This option has been deprecated since libselinux 2.5 (2016): > > + // https://github.com/SELinuxProject/selinux/commit/26e05da0fc2d0a4bd274320968a88f8acbb3b6a6 > > + fprintf(stderr, "Warning: using %s -p is deprecated\n", argv[0]); > > + options[SELABEL_OPT_SUBSET].type = SELABEL_OPT_SUBSET; > > + options[SELABEL_OPT_SUBSET].value = optarg; > > break; > > case 'q': > > quiet = 1; > > @@ -146,6 +128,13 @@ int main(int argc, char **argv) > > usage(argv[0]); > > } > > } > > + hnd = selabel_open(SELABEL_CTX_FILE, options, SELABEL_NOPT); > > + if (!hnd) { > > + fprintf(stderr, > > + "Error while opening file contexts database: %s\n", > > + strerror(errno)); > > + return -1; > > + } > > for (i = optind; i < argc; i++) { > > int rc, mode = 0; > > struct stat buf; > > @@ -185,19 +174,19 @@ int main(int argc, char **argv) > > if (rc >= 0) { > > printf("%s has context %s, should be ", > > path, con); > > - printmatchpathcon(path, 0, mode); > > + printmatchpathcon(hnd, path, 0, mode, notrans); > > freecon(con); > > } else { > > printf > > ("actual context unknown: %s, should be ", > > strerror(errno)); > > - printmatchpathcon(path, 0, mode); > > + printmatchpathcon(hnd, path, 0, mode, notrans); > > } > > } > > } else { > > - error |= printmatchpathcon(path, header, mode); > > + error |= printmatchpathcon(hnd, path, header, mode, notrans); > > } > > } > > - matchpathcon_fini(); > > + selabel_close(hnd); > > return error; > > } > > -- > > 2.28.0 > >
diff --git a/libselinux/utils/Makefile b/libselinux/utils/Makefile index aa2d3e1b144f..b018a08acbe0 100644 --- a/libselinux/utils/Makefile +++ b/libselinux/utils/Makefile @@ -56,8 +56,6 @@ sefcontext_compile: LDLIBS += $(PCRE_LDLIBS) ../src/libselinux.a -lsepol sefcontext_compile: sefcontext_compile.o ../src/regex.o -matchpathcon: CFLAGS += -Wno-deprecated-declarations - all: $(TARGETS) install: all diff --git a/libselinux/utils/matchpathcon.c b/libselinux/utils/matchpathcon.c index cc018d213f4c..a07e160dee71 100644 --- a/libselinux/utils/matchpathcon.c +++ b/libselinux/utils/matchpathcon.c @@ -1,15 +1,14 @@ -#include <unistd.h> -#include <stdio.h> -#include <stdlib.h> -#include <getopt.h> #include <errno.h> -#include <string.h> +#include <getopt.h> #include <limits.h> -#include <sys/types.h> -#include <sys/stat.h> +#include <selinux/label.h> #include <selinux/selinux.h> -#include <limits.h> +#include <stdio.h> #include <stdlib.h> +#include <string.h> +#include <sys/stat.h> +#include <sys/types.h> +#include <unistd.h> static __attribute__ ((__noreturn__)) void usage(const char *progname) { @@ -19,15 +18,21 @@ static __attribute__ ((__noreturn__)) void usage(const char *progname) exit(1); } -static int printmatchpathcon(const char *path, int header, int mode) +static int printmatchpathcon(struct selabel_handle *hnd, const char *path, int header, int mode, int notrans) { - char *buf; - int rc = matchpathcon(path, mode, &buf); + char *buf = NULL; + int rc; + + if (notrans) { + rc = selabel_lookup_raw(hnd, &buf, path, mode); + } else { + rc = selabel_lookup(hnd, &buf, path, mode); + } if (rc < 0) { if (errno == ENOENT) { buf = strdup("<<none>>"); } else { - fprintf(stderr, "matchpathcon(%s) failed: %s\n", path, + fprintf(stderr, "selabel_lookup(%s) failed: %s\n", path, strerror(errno)); return 1; } @@ -66,15 +71,14 @@ static mode_t string_to_mode(char *s) int main(int argc, char **argv) { - int i, init = 0, force_mode = 0; + int i, force_mode = 0; int header = 1, opt; int verify = 0; int notrans = 0; int error = 0; int quiet = 0; - - fprintf(stderr, - "Deprecated, use selabel_lookup\n"); + struct selabel_handle *hnd; + struct selinux_opt options[SELABEL_NOPT] = {}; if (argc < 2) usage(argv[0]); @@ -96,23 +100,10 @@ int main(int argc, char **argv) break; case 'N': notrans = 1; - set_matchpathcon_flags(MATCHPATHCON_NOTRANS); break; case 'f': - if (init) { - fprintf(stderr, - "%s: -f and -p are exclusive\n", - argv[0]); - exit(1); - } - init = 1; - if (matchpathcon_init(optarg)) { - fprintf(stderr, - "Error while processing %s: %s\n", - optarg, - errno ? strerror(errno) : "invalid"); - exit(1); - } + options[SELABEL_OPT_PATH].type = SELABEL_OPT_PATH; + options[SELABEL_OPT_PATH].value = optarg; break; case 'P': if (selinux_set_policy_root(optarg) < 0 ) { @@ -124,20 +115,11 @@ int main(int argc, char **argv) } break; case 'p': - if (init) { - fprintf(stderr, - "%s: -f and -p are exclusive\n", - argv[0]); - exit(1); - } - init = 1; - if (matchpathcon_init_prefix(NULL, optarg)) { - fprintf(stderr, - "Error while processing %s: %s\n", - optarg, - errno ? strerror(errno) : "invalid"); - exit(1); - } + // This option has been deprecated since libselinux 2.5 (2016): + // https://github.com/SELinuxProject/selinux/commit/26e05da0fc2d0a4bd274320968a88f8acbb3b6a6 + fprintf(stderr, "Warning: using %s -p is deprecated\n", argv[0]); + options[SELABEL_OPT_SUBSET].type = SELABEL_OPT_SUBSET; + options[SELABEL_OPT_SUBSET].value = optarg; break; case 'q': quiet = 1; @@ -146,6 +128,13 @@ int main(int argc, char **argv) usage(argv[0]); } } + hnd = selabel_open(SELABEL_CTX_FILE, options, SELABEL_NOPT); + if (!hnd) { + fprintf(stderr, + "Error while opening file contexts database: %s\n", + strerror(errno)); + return -1; + } for (i = optind; i < argc; i++) { int rc, mode = 0; struct stat buf; @@ -185,19 +174,19 @@ int main(int argc, char **argv) if (rc >= 0) { printf("%s has context %s, should be ", path, con); - printmatchpathcon(path, 0, mode); + printmatchpathcon(hnd, path, 0, mode, notrans); freecon(con); } else { printf ("actual context unknown: %s, should be ", strerror(errno)); - printmatchpathcon(path, 0, mode); + printmatchpathcon(hnd, path, 0, mode, notrans); } } } else { - error |= printmatchpathcon(path, header, mode); + error |= printmatchpathcon(hnd, path, header, mode, notrans); } } - matchpathcon_fini(); + selabel_close(hnd); return error; }
Function matchpathcon() is deprecated in favor of selabel_lookup() but program "matchpathcon" is much easier to use than "selabel_loopkup" to find the file context which would be applied to some files and directories. More precisely: matchpathcon /path/to/my/file is easier to type and remember than: selabel_lookup -b file -k /path/to/my/file It also allows performing multiple context searches in one command, where selabel_lookup cannot use multiple -k options. Migrate matchpathcon to the preferred API. Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org> --- libselinux/utils/Makefile | 2 - libselinux/utils/matchpathcon.c | 87 ++++++++++++++------------------- 2 files changed, 38 insertions(+), 51 deletions(-)