PERFORCE change 108426 for review

Todd Miller millert at FreeBSD.org
Wed Oct 25 13:49:25 PDT 2006


http://perforce.freebsd.org/chv.cgi?CH=108426

Change 108426 by millert at millert_macbook on 2006/10/25 20:42:34

	Update to libselinux-1.32 from the NSA web site.

Affected files ...

.. //depot/projects/trustedbsd/sedarwin8/policies/sedarwin/libselinux/ChangeLog#4 edit
.. //depot/projects/trustedbsd/sedarwin8/policies/sedarwin/libselinux/Makefile#3 edit
.. //depot/projects/trustedbsd/sedarwin8/policies/sedarwin/libselinux/VERSION#4 edit
.. //depot/projects/trustedbsd/sedarwin8/policies/sedarwin/libselinux/include/selinux/av_permissions.h#3 edit
.. //depot/projects/trustedbsd/sedarwin8/policies/sedarwin/libselinux/include/selinux/avc.h#3 edit
.. //depot/projects/trustedbsd/sedarwin8/policies/sedarwin/libselinux/src/avc.c#5 edit
.. //depot/projects/trustedbsd/sedarwin8/policies/sedarwin/libselinux/src/setrans_client.c#2 edit

Differences ...

==== //depot/projects/trustedbsd/sedarwin8/policies/sedarwin/libselinux/ChangeLog#4 (text+ko) ====

@@ -1,3 +1,18 @@
+1.32 2006-10-17
+	* Updated version for release.
+
+1.30.30 2006-10-05
+	* Merged patch from Darrel Goeddel to always use untranslated
+	  contexts in the userspace AVC.
+
+1.30.29 2006-09-29
+	* Merged av_permissions.h update from Steve Grubb,
+	  adding setsockcreate and polmatch definitions.
+
+1.30.28 2006-09-13
+	* Merged patch from Steve Smalley to fix SIGPIPE in setrans_client
+	* Merged c++ class identifier fix from Joe Nall.
+
 1.30.27 2006-08-24
 	* Merged patch to not log avc stats upon a reset from Steve Grubb.
 	* Applied patch to revert compat_net setting upon policy load.

==== //depot/projects/trustedbsd/sedarwin8/policies/sedarwin/libselinux/Makefile#3 (text+ko) ====

@@ -21,4 +21,4 @@
 	$(MAKE) -C src $@
 	$(MAKE) -C utils clean
 
-test:
+test:

==== //depot/projects/trustedbsd/sedarwin8/policies/sedarwin/libselinux/VERSION#4 (text+ko) ====

@@ -1,1 +1,1 @@
-1.30.27
+1.32

==== //depot/projects/trustedbsd/sedarwin8/policies/sedarwin/libselinux/include/selinux/av_permissions.h#3 (text+ko) ====

@@ -468,6 +468,7 @@
 #define PROCESS__EXECSTACK                        0x04000000UL
 #define PROCESS__EXECHEAP                         0x08000000UL
 #define PROCESS__SETKEYCREATE                     0x10000000UL
+#define PROCESS__SETSOCKCREATE                    0x20000000UL
 
 #define IPC__CREATE                               0x00000001UL
 #define IPC__DESTROY                              0x00000002UL
@@ -910,6 +911,7 @@
 #define ASSOCIATION__SENDTO                       0x00000001UL
 #define ASSOCIATION__RECVFROM                     0x00000002UL
 #define ASSOCIATION__SETCONTEXT                   0x00000004UL
+#define ASSOCIATION__POLMATCH                     0x00000008UL
 
 #define NETLINK_KOBJECT_UEVENT_SOCKET__IOCTL      0x00000001UL
 #define NETLINK_KOBJECT_UEVENT_SOCKET__READ       0x00000002UL

==== //depot/projects/trustedbsd/sedarwin8/policies/sedarwin/libselinux/include/selinux/avc.h#3 (text+ko) ====

@@ -38,6 +38,7 @@
  * available to make the copy, or %EINVAL if the input SID is invalid.
  */
 	int avc_sid_to_context(security_id_t sid, security_context_t * ctx);
+	int avc_sid_to_context_raw(security_id_t sid, security_context_t * ctx);
 
 /**
  * avc_context_to_sid - get SID for context.
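Review bot: The new avc_sid_to_context_raw declaration sits under the kernel-doc block that documents only avc_sid_to_context, so nothing tells a caller how the _raw variant differs; the same applies to avc_context_to_sid_raw in the next hunk. The avc.c part of this commit shows the non-raw functions translating through selinux_trans_to_raw_context and selinux_raw_to_trans_context, while the _raw forms take and return untranslated contexts. A short comment above each declaration, e.g. `/* As avc_sid_to_context(), but returns the untranslated (raw) context; free it with freecon(). */` and `/* As avc_context_to_sid(), but expects an untranslated (raw) context. */`, would document the contract. The existing text for avc_sid_to_context, above this hunk, should likewise say that the context it returns is translated.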
@@ -51,6 +52,7 @@
  * returning %0 on success or -%1 on error with @errno set.  
  */
 	int avc_context_to_sid(security_context_t ctx, security_id_t * sid);
+	int avc_context_to_sid_raw(security_context_t ctx, security_id_t * sid);
 
 /**
  * sidget - increment SID reference counter.
@@ -120,7 +122,7 @@
 		void (*func_log) (const char *fmt, ...);
 		/* store a string representation of auditdata (corresponding
 		   to the given security class) into msgbuf. */
-		void (*func_audit) (void *auditdata, security_class_t class,
+		void (*func_audit) (void *auditdata, security_class_t cls,
 				    char *msgbuf, size_t msgbufsize);
 	};
 

==== //depot/projects/trustedbsd/sedarwin8/policies/sedarwin/libselinux/src/avc.c#5 (text+ko) ====

@@ -205,7 +205,7 @@
 	    & (AVC_CACHE_SLOTS - 1);
 }
 
-int avc_context_to_sid(security_context_t ctx, security_id_t * sid)
+int avc_context_to_sid_raw(security_context_t ctx, security_id_t * sid)
 {
 	int rc;
 	avc_get_lock(avc_lock);
@@ -216,7 +216,22 @@
 	return rc;
 }
 
-int avc_sid_to_context(security_id_t sid, security_context_t * ctx)
+int avc_context_to_sid(security_context_t ctx, security_id_t * sid)
+{
+	int ret;
+	security_context_t rctx;
+
+	if (selinux_trans_to_raw_context(ctx, &rctx))
+		return -1;
+
+	ret = avc_context_to_sid_raw(rctx, sid);
+
+	freecon(rctx);
+
+	return ret;
+}
+
+int avc_sid_to_context_raw(security_id_t sid, security_context_t * ctx)
 {
 	int rc;
 	*ctx = NULL;
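Review bot: The new avc_context_to_sid wrapper names its result `ret` while the neighbouring avc_context_to_sid_raw and avc_sid_to_context_raw use `rc`, and the wrapper added in the next hunk does the same; `int rc;` would keep the file's convention. Separately, the pointer produced by selinux_trans_to_raw_context is handed straight to avc_context_to_sid_raw; if that helper can return 0 with a NULL rctx for some inputs, which this hunk does not let me confirm, the raw lookup would receive a NULL context. A guard of the form `if (!rctx) { errno = EINVAL; return -1; }` after the translation (assuming errno.h is already in scope in avc.c) would make the wrapper honour the "-1 with errno set" contract stated in avc.h instead.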
@@ -232,6 +247,21 @@
 	return rc;
 }
 
+int avc_sid_to_context(security_id_t sid, security_context_t * ctx)
+{
+	int ret;
+	security_context_t rctx;
+
+	ret = avc_sid_to_context_raw(sid, &rctx);
+
+	if (ret == 0) {
+		ret = selinux_raw_to_trans_context(rctx, ctx);
+		freecon(rctx);
+	}
+
+	return ret;
+}
+
 int sidget(security_id_t sid)
 {
 	int rc;
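Review bot: avc_sid_to_context no longer clears the caller's `*ctx` before it can fail: the old body, now avc_sid_to_context_raw, still starts with `*ctx = NULL;` (last line of the previous hunk), but the new wrapper only writes through `ctx` via selinux_raw_to_trans_context after the raw lookup succeeded, so on a failed lookup `*ctx` keeps whatever the caller left there. A caller that freecon()s the context unconditionally after a failure, as the old initialisation allowed, would now free an indeterminate pointer. Adding `*ctx = NULL;` before the avc_sid_to_context_raw call restores the previous contract. Whether selinux_raw_to_trans_context itself clears `*ctx` when it fails is not visible here, so that path may need the same care.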
@@ -943,8 +973,9 @@
 				rc = -1;
 				goto out;
 			}
-			rc = security_compute_av(ssid->ctx, tsid->ctx, tclass,
-						 requested, &entry.avd);
+			rc = security_compute_av_raw(ssid->ctx, tsid->ctx,
+						     tclass, requested,
+						     &entry.avd);
 			if (rc)
 				goto out;
 			rc = avc_insert(ssid, tsid, tclass, &entry, aeref);
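Review bot: security_compute_av_raw is now given ssid->ctx and tsid->ctx with no comment on why the raw interface is the right one, and the invariant it relies on — that the SID table holds only untranslated contexts — is established only indirectly, by avc_context_to_sid translating before it calls avc_context_to_sid_raw earlier in this commit. A one-line comment above the call, `/* SID contexts are stored untranslated, so query the raw interface. */`, would keep a later reader from "fixing" it back to security_compute_av. The enclosing function starts and ends outside this hunk.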

==== //depot/projects/trustedbsd/sedarwin8/policies/sedarwin/libselinux/src/setrans_client.c#2 (text+ko) ====

@@ -59,11 +59,12 @@
 static int
 send_request(int fd, uint32_t function, const char *data1, const char *data2)
 {
-	struct iovec req_hdr[3];
+	struct msghdr msgh;
+	struct iovec iov[5];
 	uint32_t data1_size;
 	uint32_t data2_size;
-	struct iovec req_data[2];
-	ssize_t count;
+	ssize_t count, expected;
+	unsigned int i;
 
 	if (fd < 0)
 		return -1;
@@ -76,28 +77,28 @@
 	data1_size = strlen(data1) + 1;
 	data2_size = strlen(data2) + 1;
 
-	req_hdr[0].iov_base = &function;
-	req_hdr[0].iov_len = sizeof(function);
-	req_hdr[1].iov_base = &data1_size;
-	req_hdr[1].iov_len = sizeof(data1_size);
-	req_hdr[2].iov_base = &data2_size;
-	req_hdr[2].iov_len = sizeof(data2_size);
+	iov[0].iov_base = &function;
+	iov[0].iov_len = sizeof(function);
+	iov[1].iov_base = &data1_size;
+	iov[1].iov_len = sizeof(data1_size);
+	iov[2].iov_base = &data2_size;
+	iov[2].iov_len = sizeof(data2_size);
+	iov[3].iov_base = (char *)data1;
+	iov[3].iov_len = data1_size;
+	iov[4].iov_base = (char *)data2;
+	iov[4].iov_len = data2_size;
+	memset(&msgh, 0, sizeof(msgh));
+	msgh.msg_iov = iov;
+	msgh.msg_iovlen = sizeof(iov) / sizeof(iov[0]);
 
-	while (((count = writev(fd, req_hdr, 3)) < 0) && (errno == EINTR)) ;
-	if (count != (sizeof(function) + sizeof(data1_size) +
-		      sizeof(data2_size))) {
-		return -1;
-	}
+	expected = 0;
+	for (i = 0; i < sizeof(iov) / sizeof(iov[0]); i++)
+		expected += iov[i].iov_len;
 
-	req_data[0].iov_base = (char *)data1;
-	req_data[0].iov_len = data1_size;
-	req_data[1].iov_base = (char *)data2;
-	req_data[1].iov_len = data2_size;
-
-	while (((count = writev(fd, req_data, 2)) < 0) && (errno == EINTR)) ;
-	if (count < 0 || (uint32_t) count != (data1_size + data2_size)) {
+	while (((count = sendmsg(fd, &msgh, 0)) < 0)
+	       && (errno == EINTR)) ;
+	if (count < 0 || count != expected)
 		return -1;
-	}
 
 	return 0;
 }
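Review bot: sendmsg is called with a flags argument of 0, so a write to a peer that has already closed its end still delivers SIGPIPE to the calling process, even though the ChangeLog in this commit describes the setrans_client change as a SIGPIPE fix; as far as this hunk shows, nothing suppresses the signal, which is unfriendly for library code running inside an arbitrary host process. Where MSG_NOSIGNAL is available, `sendmsg(fd, &msgh, MSG_NOSIGNAL)` avoids it per call; on platforms that lack it (I believe Darwin, the target of this tree, is one), the SO_NOSIGPIPE socket option set where the socket is created — outside this hunk — is the equivalent. The single-shot `count != expected` comparison also still treats a partial send as a hard failure rather than retrying the remainder, matching the writev code it replaces. send_request begins in the previous hunk.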

