Stephen, did you apply v1 or v2 of my patch? Sounds like v1 is what we want.
On Mon, Jul 6, 2015 at 8:26 AM Richard Haines <richard_c_haines@xxxxxxxxxxxxxx> wrote:
> On Monday, 6 July 2015, 16:03, Stephen Smalley <sds@xxxxxxxxxxxxx> wrote:
> > On 07/04/2015 06:57 AM, Richard Haines wrote:
>> File labels assigned using the lookup_best_match() function do not
>> assign the best match if its regex contains metacharacters in the
>> binary file_contexts file version.
>>
>> This change adds a new entry in the binary file with the calculated
>> prefix length that is then read when processing the file. This fix
>> also bumps SELINUX_COMPILED_FCONTEXT_MAX_VERS.
>>
>> This patch relies on patch [1] that fixes the same problem
>> for text based file_contexts files.
>>
>> [1] http://marc.info/?l=selinux&m=143576498713964&w=2
>>
>> Signed-off-by: Richard Haines <richard_c_haines@xxxxxxxxxxxxxx>
>> ---
>> libselinux/src/label_file.c | 11 ++++++++++-
>> libselinux/src/label_file.h | 3 ++-
>> libselinux/utils/sefcontext_compile.c | 8 ++++++++
>> 3 files changed, 20 insertions(+), 2 deletions(-)
>>
>> diff --git a/libselinux/src/label_file.c b/libselinux/src/label_file.c
>> index 4faf808..b4ee15d 100644
>> --- a/libselinux/src/label_file.c
>> +++ b/libselinux/src/label_file.c
>> @@ -261,7 +261,7 @@ static int load_mmap(struct selabel_handle *rec, const
> char *path,
>> for (i = 0; i < regex_array_len; i++) {
>> struct spec *spec;
>> int32_t stem_id, meta_chars;
>> - uint32_t mode = 0;
>> + uint32_t mode = 0, prefix_len = 0;
>>
>> rc = grow_specs(data);
>> if (rc < 0)
>> @@ -337,6 +337,15 @@ static int load_mmap(struct selabel_handle *rec, const
> char *path,
>> goto err;
>>
>> spec->hasMetaChars = meta_chars;
>> + /* and prefix length for use by selabel_lookup_best_match */
>> + if (version >= SELINUX_COMPILED_FCONTEXT_PREFIX_LEN) {
>> + rc = next_entry(&prefix_len, mmap_area,
>> + sizeof(uint32_t));
>> + if (rc < 0)
>> + goto err;
>> +
>> + spec->prefix_len = prefix_len;
>> + }
>
> Not opposed, but wondering if it is worth storing this versus just
> recomputing it by calling spec_hasMetaChars() again. I suppose it is
> consistent with the fact that we were storing hasMetaChars in the binary
> file in the first place though...
I was just going to recalc by calling spec_hasMetaChars() but that also sets
spec->hasMetaChars, so I thought I would add the already calc value for
consistency.
I could just recalc if you would prefer this !!! And remove the hasMetaChars
entry in the binary file ???
>
>>
>> /* Process regex and study_data entries */
>> rc = next_entry(&entry_len, mmap_area, sizeof(uint32_t));
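Review bot: in load_mmap(), the new `if (version >= SELINUX_COMPILED_FCONTEXT_PREFIX_LEN)` block has no else branch, so a spec loaded from an older-version binary file does not get spec->prefix_len set here, and the best-match problem described in the commit message would remain for those files. Consider computing the prefix length at load time when the file predates this version. Separately, the value returned by next_entry() is stored as-is; because it comes from the file, a sanity check before assigning it to spec->prefix_len (for example against the length of the regex string) would keep a damaged file from skewing what selabel_lookup_best_match picks.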
>> diff --git a/libselinux/src/label_file.h b/libselinux/src/label_file.h
>> index 73bcbba..1818dd6 100644
>> --- a/libselinux/src/label_file.h
>> +++ b/libselinux/src/label_file.h
>> @@ -12,8 +12,9 @@
>> #define SELINUX_COMPILED_FCONTEXT_NOPCRE_VERS 1
>> #define SELINUX_COMPILED_FCONTEXT_PCRE_VERS 2
>> #define SELINUX_COMPILED_FCONTEXT_MODE 3
>> +#define SELINUX_COMPILED_FCONTEXT_PREFIX_LEN 4
>>
>> -#define SELINUX_COMPILED_FCONTEXT_MAX_VERS
> SELINUX_COMPILED_FCONTEXT_MODE
>> +#define SELINUX_COMPILED_FCONTEXT_MAX_VERS
> SELINUX_COMPILED_FCONTEXT_PREFIX_LEN
>>
>> /* Prior to version 8.20, libpcre did not have pcre_free_study() */
>> #if (PCRE_MAJOR < 8 || (PCRE_MAJOR == 8 && PCRE_MINOR < 20))
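Review bot: SELINUX_COMPILED_FCONTEXT_PREFIX_LEN reads like a length rather than a format version once it appears in `version >= ...` checks. A one-line comment beside each of these defines saying what that version added to the file layout (here, the per-spec u32 prefix_len) would make the bump to SELINUX_COMPILED_FCONTEXT_MAX_VERS easier to audit.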
>> diff --git a/libselinux/utils/sefcontext_compile.c
> b/libselinux/utils/sefcontext_compile.c
>> index a93105d..4160632 100644
>> --- a/libselinux/utils/sefcontext_compile.c
>> +++ b/libselinux/utils/sefcontext_compile.c
>> @@ -68,6 +68,7 @@ out:
>> * mode_t for <= SELINUX_COMPILED_FCONTEXT_PCRE_VERS
>> * s32 - stemid associated with the regex
>> * u32 - spec has meta characters
>> + * u32 - The specs prefix_len if >=
> SELINUX_COMPILED_FCONTEXT_PREFIX_LEN
>> * u32 - data length of the pcre regex
>> * char - a bufer holding the raw pcre regex info
>> * u32 - data length of the pcre regex study daya
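Review bot: the added layout line `u32 - The specs prefix_len if >= SELINUX_COMPILED_FCONTEXT_PREFIX_LEN` describes the field as version-conditional, while the write added further down in write_binary_file() is unconditional. Reword it to say the field is present from version SELINUX_COMPILED_FCONTEXT_PREFIX_LEN onwards, and write "spec's" rather than "specs".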
>> @@ -141,6 +142,7 @@ static int write_binary_file(struct saved_data *data,
> int fd)
>> char *context = specs[i].lr.ctx_raw;
>> char *regex_str = specs[i].regex_str;
>> mode_t mode = specs[i].mode;
>> + size_t prefix_len = specs[i].prefix_len;
>> int32_t stem_id = specs[i].stem_id;
>> pcre *re = specs[i].regex;
>> pcre_extra *sd = get_pcre_extra(&specs[i]);
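Review bot: `size_t prefix_len` holds a value that the layout comment above and the reader in load_mmap() both treat as a u32, and it is only used for the `to_write = prefix_len` assignment in the next hunk. Declaring the local as uint32_t, or assigning specs[i].prefix_len to to_write directly, would make the on-disk width explicit and keep the writer visibly in step with the `sizeof(uint32_t)` read.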
>> @@ -186,6 +188,12 @@ static int write_binary_file(struct saved_data *data,
> int fd)
>> if (len != 1)
>> goto err;
>>
>> + /* For SELINUX_COMPILED_FCONTEXT_PREFIX_LEN */
>> + to_write = prefix_len;
>> + len = fwrite(&to_write, sizeof(to_write), 1, bin_file);
>> + if (len != 1)
>> + goto err;
>> +
>> /* determine the size of the pcre data in bytes */
>> rc = pcre_fullinfo(re, NULL, PCRE_INFO_SIZE, &size);
>> if (rc < 0)
>>
>
_______________________________________________
Selinux mailing list
Selinux@xxxxxxxxxxxxx
To unsubscribe, send email to Selinux-leave@xxxxxxxxxxxxx.
To get help, send an email containing "help" to Selinux-request@xxxxxxxxxxxxx.