author | Yi Zhao <yi.zhao@windriver.com> | 2021-03-13 13:50:38 +0800 |
---|---|---|
committer | Joe MacDonald <joe@deserted.net> | 2021-03-17 09:39:50 -0400 |
commit | 42fc24c32b0036d63165f2416eaf1ca4605a1d94 (patch) | |
tree | e791676d1061b450806f7815bd9970d22205fb2c | |
parent | 45e06de91f71020cebdad19dc0337315127da3e0 (diff) | |
download | meta-selinux-42fc24c32b0036d63165f2416eaf1ca4605a1d94.tar.gz |
restorecond: update to 3.2
* Merge inc file into bb file.
* Drop obsolete patches:
policycoreutils-make-O_CLOEXEC-optional.patch
Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
Signed-off-by: Joe MacDonald <joe@deserted.net>
-rw-r--r-- | recipes-security/selinux/restorecond/policycoreutils-make-O_CLOEXEC-optional.patch | 48 | ||||
-rw-r--r-- | recipes-security/selinux/restorecond_3.1.bb | 7 | ||||
-rw-r--r-- | recipes-security/selinux/restorecond_3.2.bb (renamed from recipes-security/selinux/restorecond.inc) | 7 |
3 files changed, 4 insertions, 58 deletions
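--- a/recipes-security/selinux/restorecond/policycoreutils-make-O_CLOEXEC-optional.patch
+++ /dev/null
@@ -1,48 +0,0 @@
-From 4adc1c02e4da42f64249c05534875e732f043693 Mon Sep 17 00:00:00 2001
-From: Joe MacDonald <joe_macdonald@mentor.com>
-Date: Wed, 6 Nov 2019 23:17:50 +0800
-Subject: [PATCH] policycoreutils: make O_CLOEXEC optional
-
-Various commits in the selinux tree in the current release added
-O_CLOEXEC to open() calls in an attempt to address file descriptor leaks
-as described:
-
-http://danwalsh.livejournal.com/53603.html
-
-However O_CLOEXEC isn't available on all platforms, so make it a
-compile-time option and generate a warning when it is not available.
-The actual impact of leaking these file descriptors is minimal, though
-it does produce curious AVC Denied messages.
-
-Upstream-Status: Inappropriate
-[O_CLOEXEC has been in Linux since 2007 and POSIX since 2008]
-
-Signed-off-by: Joe MacDonald <joe.macdonald@windriver.com>
-Signed-off-by: Wenzong Fan <wenzong.fan@windriver.com>
-Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
----
-user.c | 8 +++++++-
-1 file changed, 7 insertions(+), 1 deletion(-)
-
-diff --git a/user.c b/user.c
-index 714aae7..bbf018e 100644
---- a/user.c
-+++ b/user.c
-@@ -202,7 +202,13 @@ static int local_server(void) {
-perror("asprintf");
-return -1;
-}
-- local_lock_fd = open(ptr, O_CREAT | O_WRONLY | O_NOFOLLOW | O_CLOEXEC, S_IRUSR | S_IWUSR);
-+ local_lock_fd = open(ptr, O_CREAT | O_WRONLY | O_NOFOLLOW
-+ #ifdef O_CLOEXEC
-+ | O_CLOEXEC
-+ #else
-+ #warning O_CLOEXEC undefined on this platform, this may leak file descriptors
-+ #endif
-+ , S_IRUSR | S_IWUSR);
-if (debug_mode)
-g_warning ("Lock file: %s", ptr);
-
---
-2.7.4
-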
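--- a/recipes-security/selinux/restorecond_3.1.bb
+++ /dev/null
@@ -1,7 +0,0 @@
-require selinux_20200710.inc
-require ${BPN}.inc
-
-LIC_FILES_CHKSUM = "file://COPYING;md5=393a5ca445f6965873eca0259a17f833"
-
-SRC_URI[md5sum] = "8daf761739a150a7a29bb491726a6cd9"
-SRC_URI[sha256sum] = "82ca45099685a45d718f11f8859963c1ba83d98e510312cbf0b7dc5664c60ad0"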
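--- a/recipes-security/selinux/restorecond.inc
+++ b/recipes-security/selinux/restorecond_3.2.bb
@@ -4,12 +4,11 @@ The restorecond daemon uses inotify to watch files listed in the \
 /etc/selinux/restorecond.conf, when they are created, this daemon \
 will make sure they have the correct file context associated with \
 the policy."
-
 SECTION = "base"
 LICENSE = "GPLv2+"
+LIC_FILES_CHKSUM = "file://${S}/COPYING;md5=393a5ca445f6965873eca0259a17f833"
 
-SRC_URI += "file://policycoreutils-make-O_CLOEXEC-optional.patch \
-"
+require selinux_common.inc
 
 inherit systemd update-rc.d
 
@@ -19,6 +18,8 @@ EXTRA_OEMAKE += "SYSTEMDSYSTEMUNITDIR=${systemd_system_unitdir} \
 SYSTEMDUSERUNITDIR=${systemd_user_unitdir} \
 "
 
+S = "${WORKDIR}/git/restorecond"
+
 FILES_${PN} += "${datadir}/dbus-1/services/org.selinux.Restorecond.service \
 ${systemd_user_unitdir}/* \
 "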
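Review bot: With the `SRC_URI[md5sum]` and `SRC_URI[sha256sum]` pins of restorecond_3.1.bb removed, nothing visible in restorecond_3.2.bb fixes the source content any more. The added `S = "${WORKDIR}/git/restorecond"` suggests the source now comes from a git checkout configured in `selinux_common.inc`, which is not part of this diff, so this is inferred rather than shown. That include should set `SRCREV` to a full commit hash rather than a tag, a branch or `${AUTOREV}`, so that a moved upstream ref cannot change what gets built. A comment above the `require` line, for example `# SRC_URI and the pinned SRCREV come from selinux_common.inc`, would make that dependency visible to the next reviewer.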