Hi,

libselinux upstream plans to disallow the use of getpidcon(0, ) in the sense of getpidcon(getpid(), ). This behavior has never been documented and its implementation is considered error prone.

There seems to be no such case in Fedora but if your project uses getpidcon() with pid == 0 to get the context of the current process, please replace it with getcon().

Thanks,
Petr

-------- Forwarded Message --------
Subject: getpidcon with pid == 0 (Was: Re: [PATCH 2/2] libselinux: procattr: return einval for <= 0 pid args.)
Date: Wed, 24 Feb 2016 09:49:16 -0500
From: Stephen Smalley <sds@xxxxxxxxxxxxx>
Organization: National Security Agency
To: Daniel Cashman <dcashman@xxxxxxxxxxx>, selinux@xxxxxxxxxxxxx

On 02/23/2016 03:24 PM, Daniel Cashman wrote:
> From: dcashman <dcashman@xxxxxxxxxxx>
>
> getpidcon documentation does not specify that a pid of 0 refers to the
> current process, and getcon exists specifically to provide this
> functionality, and getpidcon(getpid()) would provide it as well.
> Disallow pid values <= 0 that may lead to unintended behavior in
> userspace object managers.

I'll try to see if there are any legitimate users of getpidcon with pid == 0. If anyone on the list knows of one, please speak up.

>
> Signed-off-by: Daniel Cashman <dcashman@xxxxxxxxxxx>
> --- > libselinux/src/procattr.c | 14 ++++++++++++-- > 1 file changed, 12 insertions(+), 2 deletions(-) > > diff --git a/libselinux/src/procattr.c b/libselinux/src/procattr.c > index c20f003..eee4612 100644 > --- a/libselinux/src/procattr.c > +++ b/libselinux/src/procattr.c
> @@ -306,11 +306,21 @@ static int setprocattrcon(const char * context, > #define getpidattr_def(fn, attr) \ > int get##fn##_raw(pid_t pid, char **c) \ > { \ > - return getprocattrcon_raw(c, pid, #attr); \ > + if (pid <= 0) { \ > + errno = EINVAL; \ > + return -1; \ > + } else { \ > + return getprocattrcon_raw(c, pid, #attr); \ > + } \ > } \ > int get##fn(pid_t pid, char **c) \ > { \ > - return getprocattrcon(c, pid, #attr); \ > + if (pid <= 0) { \ > + errno = EINVAL; \ > + return -1; \ > + } else { \ > + return getprocattrcon(c, pid, #attr); \ > + } \ > } > > all_selfattr_def(con, current) >
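
Review bot: The `pid <= 0` rejection added to `get##fn##_raw` and `get##fn` changes what callers passing 0 get back, but the diffstat shows only procattr.c touched, so the new EINVAL return is left undocumented. The getpidcon man page should state that pid must be greater than 0 and that getcon() is the call for the current process. As a style point, the `else` branch after `return -1;` is redundant in both functions; returning directly after the check keeps the macro shorter, and the duplicated check could live once in a small static helper that both generated functions call before `getprocattrcon_raw` / `getprocattrcon`.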