On 2/10/20 3:49 PM, Stephen Smalley wrote:
On 2/7/20 6:00 PM, Nick Kralevich wrote:
On Android, the label_file.c file is compiled for all platforms,
including OSX. OSX has a slightly different prototype for the
getxattr function.
```
ssize_t getxattr(const char *path, const char *name, void *value,
                 size_t size, u_int32_t position, int options);
```
which causes a compile error when compiling libselinux on OSX.
```
external/selinux/libselinux/src/label_file.c:1038:37: error: too
few arguments to function call, expected 6, have 4
read_digest, SHA1_HASH_SIZE);
^
/Applications/Xcode9.app/Contents/Developer/Platforms/MacOSX.platform/Developer/SDKs/MacOSX10.13.sdk/usr/include/sys/xattr.h:61:1:
note: 'getxattr' declared here
ssize_t getxattr(const char *path, const char *name, void *value,
size_t size, u_int32_t position, int options);
^
1 error generated.
```
On OSX builds, add the additional arguments so that the code compiles.
As both SELinux labels and the restorecon partial digest are stored in
extended attributes, it's theoretically possible that someone
could assign SELinux labels and hash digests on OSX filesystems.
Doing so would be extremely weird and completely untested, but
theoretically possible.
Signed-off-by: Nick Kralevich <nnk@xxxxxxxxxx>
Wondering why the getxattr() call isn't done in the selinux_restorecon
code instead, or why this is needed as a separate selabel_ interface at
all. Probably too late to change it though without breaking API/ABI.
Acked-by: Stephen Smalley <sds@xxxxxxxxxxxxx>
This is now applied. Unless there is a real reason to export it outside
libselinux, we may wish to remove
selabel_get_digests_all_partial_matches() from label.h and the man
pages, drop the sample util, possibly add a selinux_log() deprecation
warning to the selabel_get_digests_all_partial_matches() function to
discourage any further use, and switch selinux_restorecon over to using
its own private copy of the same logic. Then maybe someday we can drop
it, but that would technically be an ABI break even if there are no
other users beyond the sample util.
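
The prototype difference discussed in this thread, as an added example that is not part of the original messages or the libselinux patch: a single wrapper hides the two extra macOS arguments, and a fixed-size digest read treats a missing or short attribute as a non-match. The names `portable_getxattr`, `check_stored_digest`, `DIGEST_SIZE` and the attribute `user.example_digest` are hypothetical, and passing 0 for both `position` and `options` is an assumption.

```c
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#include <sys/xattr.h>

#define DIGEST_SIZE 20 /* SHA-1 length, like SHA1_HASH_SIZE in the error output */

enum digest_status { DIGEST_MATCH, DIGEST_MISMATCH, DIGEST_ABSENT, DIGEST_ERROR };

/* One call site for both prototypes: macOS adds position and options. */
static ssize_t portable_getxattr(const char *path, const char *name,
                                 void *value, size_t size)
{
#ifdef __APPLE__
    return getxattr(path, name, value, size, 0, 0); /* assumed: offset 0, no options */
#else
    return getxattr(path, name, value, size);
#endif
}

/* Compare the digest stored in xattr `attr` on `path` with `expected`. */
enum digest_status check_stored_digest(const char *path, const char *attr,
                                       const unsigned char *expected)
{
    unsigned char stored[DIGEST_SIZE];
    ssize_t n = portable_getxattr(path, attr, stored, sizeof(stored));

    if (n < 0) {
#ifdef ENOATTR
        if (errno == ENOATTR) return DIGEST_ABSENT; /* macOS/BSD spelling */
#endif
        if (errno == ENODATA) return DIGEST_ABSENT; /* Linux: attribute not set */
        return DIGEST_ERROR; /* ENOENT, ENOTSUP, ERANGE (stored value too large) */
    }
    if ((size_t)n != sizeof(stored))
        return DIGEST_MISMATCH; /* short value: never treat as a match */
    return memcmp(stored, expected, sizeof(stored)) == 0 ? DIGEST_MATCH
                                                         : DIGEST_MISMATCH;
}

int main(int argc, char **argv)
{
    static const unsigned char zero[DIGEST_SIZE]; /* constructed sample digest */
    const char *path = argc > 1 ? argv[1] : ".";
    /* "user.example_digest" is a hypothetical attribute name. */
    printf("%d\n", check_stored_digest(path, "user.example_digest", zero));
    return 0;
}
```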