Diffstat (limited to 'recipes-security/selinux/policycoreutils/policycoreutils-make-O_CLOEXEC-optional.patch')
-rw-r--r-- | recipes-security/selinux/policycoreutils/policycoreutils-make-O_CLOEXEC-optional.patch | 45 |
1 files changed, 45 insertions, 0 deletions
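diff --git a/recipes-security/selinux/policycoreutils/policycoreutils-make-O_CLOEXEC-optional.patch b/recipes-security/selinux/policycoreutils/policycoreutils-make-O_CLOEXEC-optional.patch
new file mode 100644
index 0000000..aaaa1e5
--- /dev/null
+++ b/recipes-security/selinux/policycoreutils/policycoreutils-make-O_CLOEXEC-optional.patch
@@ -0,0 +1,45 @@
+From dca6a89058d818827d6f1c80c9b6abb46002b855 Mon Sep 17 00:00:00 2001
+From: Joe MacDonald <joe.macdonald@windriver.com>
+Date: Fri, 11 Oct 2013 09:55:43 -0400
+Subject: [PATCH 1/2] policycoreutils: make O_CLOEXEC optional
+
+Various commits in the selinux tree in the current release added O_CLOEXEC
+to open() calls in an attempt to address file descriptor leaks as
+described:
+
+http://danwalsh.livejournal.com/53603.html
+
+However O_CLOEXEC isn't available on all platforms, so make it a
+compile-time option and generate a warning when it is not available. The
+actual impact of leaking these file descriptors is minimal, though it does
+produce curious AVC Denied messages.
+
+Uptream-Status: Inappropriate [O_CLOEXEC has been in Linux since 2007 and POSIX since 2008]
+
+Signed-off-by: Joe MacDonald <joe.macdonald@windriver.com>
+---
+restorecond/user.c | 8 +++++++-
+1 file changed, 7 insertions(+), 1 deletion(-)
+
+diff --git a/restorecond/user.c b/restorecond/user.c
+index 00a646f..50f3ab6 100644
+--- a/restorecond/user.c
++++ b/restorecond/user.c
+@@ -201,7 +201,13 @@ static int local_server() {
+perror("asprintf");
+return -1;
+}
+- int fd = open(ptr, O_CREAT | O_WRONLY | O_NOFOLLOW | O_CLOEXEC, S_IRUSR | S_IWUSR);
++ int fd = open(ptr, O_CREAT | O_WRONLY | O_NOFOLLOW
++#ifdef O_CLOEXEC
++ | O_CLOEXEC
++#else
++#warning O_CLOEXEC undefined on this platform, this may leak file descriptors
++#endif
++ , S_IRUSR | S_IWUSR);
+if (debug_mode)
+g_warning ("Lock file: %s", ptr);
+
+--
+1.7.10.4
+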
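Review bot: When `O_CLOEXEC` is undefined, the `#else` branch inside the `open()` call in `local_server()` only emits a build-time `#warning`, so the lock-file descriptor stays inheritable across `exec` and the leak the flag was added to close returns with no run-time mitigation. A fallback right after the call would keep the protection on those platforms: `#ifndef O_CLOEXEC` / `if (fd >= 0) fcntl(fd, F_SETFD, FD_CLOEXEC);` / `#endif`; this leaves a short window between `open()` and `fcntl()`, which matters only if another thread can fork and exec in between. Separately, the patch header tag is spelled `Uptream-Status:`; OE patch checks look for `Upstream-Status:`, so the tag is likely to be treated as missing. The body of `local_server()` starts and continues outside the hunk, so whether `fd` is checked before use is not visible here.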