The standard function `strerror(3)` is not thread safe. This does not only affect the concurrent usage of libselinux itself but also with other `strerror(3)` linked libraries. Use the thread safe GNU extension format specifier `%m`[1]. libselinux already uses the GNU extension format specifier `%ms`. [1]: https://www.gnu.org/software/libc/manual/html_node/Other-Output-Conversions.html Signed-off-by: Christian Göttsche <cgzones@xxxxxxxxxxxxxx>
---
 libsepol/src/ibpkey_record.c | 7 +++----
 libsepol/src/kernel_to_cil.c | 11 +++++------
 libsepol/src/kernel_to_conf.c | 11 +++++------
 libsepol/src/module.c | 8 ++++++--
 libsepol/src/module_to_cil.c | 11 +++++------
 libsepol/src/node_record.c | 10 ++++------
 libsepol/src/services.c | 2 +-
 7 files changed, 29 insertions(+), 31 deletions(-)
diff --git a/libsepol/src/ibpkey_record.c b/libsepol/src/ibpkey_record.c
index 6f7aa656..d95e95fe 100644
--- a/libsepol/src/ibpkey_record.c
+++ b/libsepol/src/ibpkey_record.c
@@ -38,8 +38,8 @@ static int ibpkey_parse_subnet_prefix(sepol_handle_t *handle,
 struct in6_addr in_addr;
 if (inet_pton(AF_INET6, subnet_prefix_str, &in_addr) <= 0) {
- ERR(handle, "could not parse IPv6 address for ibpkey subnet prefix %s: %s",
- subnet_prefix_str, strerror(errno));
+ ERR(handle, "could not parse IPv6 address for ibpkey subnet prefix %s: %m",
+ subnet_prefix_str);
 return STATUS_ERR;
 }
@@ -64,8 +64,7 @@ static int ibpkey_expand_subnet_prefix(sepol_handle_t *handle,
 if (inet_ntop(AF_INET6, &addr, subnet_prefix_str, INET6_ADDRSTRLEN) == NULL) {
 ERR(handle,
- "could not expand IPv6 address to string: %s",
- strerror(errno));
+ "could not expand IPv6 address to string: %m");
 return STATUS_ERR;
 }
diff --git a/libsepol/src/kernel_to_cil.c b/libsepol/src/kernel_to_cil.c
index 336d53b0..81427e65 100644
--- a/libsepol/src/kernel_to_cil.c
+++ b/libsepol/src/kernel_to_cil.c
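Review bot: In ibpkey_parse_subnet_prefix the `%m` suffix is printed for every `inet_pton(...) <= 0` result, but inet_pton returns 0 for a string that is not a valid address and does not set errno in that case, so the message ends with whatever errno held beforehand. Only a negative return carries a meaningful errno. I would split the branches: log `"could not parse IPv6 address for ibpkey subnet prefix %s: invalid address"` when the result is 0 and keep `%m` only for a result below 0. The same applies to both node_parse_addr hunks in libsepol/src/node_record.c. The function body continues outside the hunk.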
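Review bot: `%m` in ibpkey_expand_subnet_prefix is expanded when the format string is finally processed, not where ERR is written, so the text now depends on errno staying untouched until then and on the consumer understanding `%m`. The ERR definition is not part of this diff; if it hands the format and arguments to a callback installed through sepol_msg_set_callback, every such callback has to format with a printf implementation that supports `%m` and must not call anything that modifies errno first. That contract deserves a comment at the ERR and callback declarations, for example `/* fmt may contain %m: format it before any call that can modify errno */`. This applies to every ERR, sepol_log_err and log_err call changed in this patch.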
@@ -2779,13 +2779,13 @@ static int write_selinux_node_rules_to_cil(FILE *out, struct policydb *pdb)
 for (node = pdb->ocontexts[4]; node != NULL; node = node->next) {
 if (inet_ntop(AF_INET, &node->u.node.addr, addr, INET_ADDRSTRLEN) == NULL) {
- sepol_log_err("Nodecon address is invalid: %s", strerror(errno));
+ sepol_log_err("Nodecon address is invalid: %m");
 rc = -1;
 goto exit;
 }
 if (inet_ntop(AF_INET, &node->u.node.mask, mask, INET_ADDRSTRLEN) == NULL) {
- sepol_log_err("Nodecon mask is invalid: %s", strerror(errno));
+ sepol_log_err("Nodecon mask is invalid: %m");
 rc = -1;
 goto exit;
 }
@@ -2819,13 +2819,13 @@ static int write_selinux_node6_rules_to_cil(FILE *out, struct policydb *pdb)
 for (node = pdb->ocontexts[6]; node != NULL; node = node->next) {
 if (inet_ntop(AF_INET6, &node->u.node6.addr, addr, INET6_ADDRSTRLEN) == NULL) {
- sepol_log_err("Nodecon address is invalid: %s", strerror(errno));
+ sepol_log_err("Nodecon address is invalid: %m");
 rc = -1;
 goto exit;
 }
 if (inet_ntop(AF_INET6, &node->u.node6.mask, mask, INET6_ADDRSTRLEN) == NULL) {
- sepol_log_err("Nodecon mask is invalid: %s", strerror(errno));
+ sepol_log_err("Nodecon mask is invalid: %m");
 rc = -1;
 goto exit;
 }
@@ -2867,8 +2867,7 @@ static int write_selinux_ibpkey_rules_to_cil(FILE *out, struct policydb *pdb)
 if (inet_ntop(AF_INET6, &subnet_prefix.s6_addr, subnet_prefix_str, INET6_ADDRSTRLEN) == NULL) {
- sepol_log_err("ibpkeycon subnet_prefix is invalid: %s",
- strerror(errno));
+ sepol_log_err("ibpkeycon subnet_prefix is invalid: %m");
 rc = -1;
 goto exit;
 }
diff --git a/libsepol/src/kernel_to_conf.c b/libsepol/src/kernel_to_conf.c
index cb8e1380..179f0ad1 100644
--- a/libsepol/src/kernel_to_conf.c
+++ b/libsepol/src/kernel_to_conf.c
@@ -2652,13 +2652,13 @@ static int write_selinux_node_rules_to_conf(FILE *out, struct policydb *pdb)
 for (node = pdb->ocontexts[4]; node != NULL; node = node->next) {
 if (inet_ntop(AF_INET, &node->u.node.addr, addr, INET_ADDRSTRLEN) == NULL) {
- sepol_log_err("Nodecon address is invalid: %s", strerror(errno));
+ sepol_log_err("Nodecon address is invalid: %m");
 rc = -1;
 goto exit;
 }
 if (inet_ntop(AF_INET, &node->u.node.mask, mask, INET_ADDRSTRLEN) == NULL) {
- sepol_log_err("Nodecon mask is invalid: %s", strerror(errno));
+ sepol_log_err("Nodecon mask is invalid: %m");
 rc = -1;
 goto exit;
 }
@@ -2693,13 +2693,13 @@ static int write_selinux_node6_rules_to_conf(FILE *out, struct policydb *pdb)
 for (node6 = pdb->ocontexts[6]; node6 != NULL; node6 = node6->next) {
 if (inet_ntop(AF_INET6, &node6->u.node6.addr, addr, INET6_ADDRSTRLEN) == NULL) {
- sepol_log_err("Nodecon address is invalid: %s", strerror(errno));
+ sepol_log_err("Nodecon address is invalid: %m");
 rc = -1;
 goto exit;
 }
 if (inet_ntop(AF_INET6, &node6->u.node6.mask, mask, INET6_ADDRSTRLEN) == NULL) {
- sepol_log_err("Nodecon mask is invalid: %s", strerror(errno));
+ sepol_log_err("Nodecon mask is invalid: %m");
 rc = -1;
 goto exit;
 }
@@ -2741,8 +2741,7 @@ static int write_selinux_ibpkey_rules_to_conf(FILE *out, struct policydb *pdb)
 if (inet_ntop(AF_INET6, &subnet_prefix.s6_addr, subnet_prefix_str, INET6_ADDRSTRLEN) == NULL) {
- sepol_log_err("ibpkeycon address is invalid: %s",
- strerror(errno));
+ sepol_log_err("ibpkeycon address is invalid: %m");
 rc = -1;
 goto exit;
 }
diff --git a/libsepol/src/module.c b/libsepol/src/module.c
index 9b53bc47..02a5de2c 100644
--- a/libsepol/src/module.c
+++ b/libsepol/src/module.c
@@ -796,7 +796,9 @@ int sepol_module_package_info(struct sepol_policy_file *spf, int *type,
 len = le32_to_cpu(buf[0]);
 if (str_read(name, file, len)) {
- ERR(file->handle, "%s", strerror(errno));
+ ERR(file->handle,
+ "cannot read module name (at section %u): %m",
+ i);
 goto cleanup;
 }
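Review bot: The new module.c message `cannot read module name (at section %u): %m` assumes every str_read failure leaves a meaningful errno; str_read is not shown here, and if it can fail on a rejected length or a short read without setting errno, the suffix will name an unrelated earlier error. Please confirm that, or drop `%m` on paths where errno is not set. `%u` also requires `i` to be an unsigned int, and its declaration is outside the hunk; use `(unsigned int)i` if it has another type. The module-version hunk that follows in sepol_module_package_info raises the same two points.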
@@ -809,7 +811,9 @@ int sepol_module_package_info(struct sepol_policy_file *spf, int *type,
 }
 len = le32_to_cpu(buf[0]);
 if (str_read(version, file, len)) {
- ERR(file->handle, "%s", strerror(errno));
+ ERR(file->handle,
+ "cannot read module version (at section %u): %m",
+ i);
 goto cleanup;
 }
 seen |= SEEN_MOD;
diff --git a/libsepol/src/module_to_cil.c b/libsepol/src/module_to_cil.c
index 21d8e5db..9c7e3d3a 100644
--- a/libsepol/src/module_to_cil.c
+++ b/libsepol/src/module_to_cil.c
@@ -2668,8 +2668,7 @@ static int ocontext_selinux_ibpkey_to_cil(struct policydb *pdb,
 if (inet_ntop(AF_INET6, &subnet_prefix.s6_addr, subnet_prefix_str, INET6_ADDRSTRLEN) == NULL) {
- log_err("ibpkeycon subnet_prefix is invalid: %s",
- strerror(errno));
+ log_err("ibpkeycon subnet_prefix is invalid: %m");
 rc = -1;
 goto exit;
 }
@@ -2714,13 +2713,13 @@ static int ocontext_selinux_node_to_cil(struct policydb *pdb, struct ocontext *n
 for (node = nodes; node != NULL; node = node->next) {
 if (inet_ntop(AF_INET, &node->u.node.addr, addr, INET_ADDRSTRLEN) == NULL) {
- log_err("Nodecon address is invalid: %s", strerror(errno));
+ log_err("Nodecon address is invalid: %m");
 rc = -1;
 goto exit;
 }
 if (inet_ntop(AF_INET, &node->u.node.mask, mask, INET_ADDRSTRLEN) == NULL) {
- log_err("Nodecon mask is invalid: %s", strerror(errno));
+ log_err("Nodecon mask is invalid: %m");
 rc = -1;
 goto exit;
 }
@@ -2746,13 +2745,13 @@ static int ocontext_selinux_node6_to_cil(struct policydb *pdb, struct ocontext *
 for (node = nodes; node != NULL; node = node->next) {
 if (inet_ntop(AF_INET6, &node->u.node6.addr, addr, INET6_ADDRSTRLEN) == NULL) {
- log_err("Nodecon address is invalid: %s", strerror(errno));
+ log_err("Nodecon address is invalid: %m");
 rc = -1;
 goto exit;
 }
 if (inet_ntop(AF_INET6, &node->u.node6.mask, mask, INET6_ADDRSTRLEN) == NULL) {
- log_err("Nodecon mask is invalid: %s", strerror(errno));
+ log_err("Nodecon mask is invalid: %m");
 rc = -1;
 goto exit;
 }
diff --git a/libsepol/src/node_record.c b/libsepol/src/node_record.c
index 9ef429da..2e575bf1 100644
--- a/libsepol/src/node_record.c
+++ b/libsepol/src/node_record.c
@@ -53,7 +53,7 @@ static int node_parse_addr(sepol_handle_t * handle,
 if (inet_pton(AF_INET, addr_str, &in_addr) <= 0) {
 ERR(handle, "could not parse IPv4 address "
- "%s: %s", addr_str, strerror(errno));
+ "%s: %m", addr_str);
 return STATUS_ERR;
 }
@@ -66,7 +66,7 @@ static int node_parse_addr(sepol_handle_t * handle,
 if (inet_pton(AF_INET6, addr_str, &in_addr) <= 0) {
 ERR(handle, "could not parse IPv6 address "
- "%s: %s", addr_str, strerror(errno));
+ "%s: %m", addr_str);
 return STATUS_ERR;
 }
@@ -147,8 +147,7 @@ static int node_expand_addr(sepol_handle_t * handle,
 INET_ADDRSTRLEN) == NULL) {
 ERR(handle,
- "could not expand IPv4 address to string: %s",
- strerror(errno));
+ "could not expand IPv4 address to string: %m");
 return STATUS_ERR;
 }
 break;
@@ -163,8 +162,7 @@ static int node_expand_addr(sepol_handle_t * handle,
 INET6_ADDRSTRLEN) == NULL) {
 ERR(handle,
- "could not expand IPv6 address to string: %s",
- strerror(errno));
+ "could not expand IPv6 address to string: %m");
 return STATUS_ERR;
 }
 break;
diff --git a/libsepol/src/services.c b/libsepol/src/services.c
index 47a3dc14..673b3971 100644
--- a/libsepol/src/services.c
+++ b/libsepol/src/services.c
@@ -145,7 +145,7 @@ int sepol_set_policydb_from_file(FILE * fp)
 }
 if (policydb_read(&mypolicydb, &pf, 0)) {
 policydb_destroy(&mypolicydb);
- ERR(NULL, "can't read binary policy: %s", strerror(errno));
+ ERR(NULL, "can't read binary policy: %m");
 return -1;
 }
 policydb = &mypolicydb;
-- 2.32.0
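Review bot: In sepol_set_policydb_from_file the ERR call runs after `policydb_destroy(&mypolicydb);`, so `%m` reports errno as the cleanup left it, which may no longer be the value policydb_read produced. Emit the message first and destroy afterwards: `ERR(NULL, "can't read binary policy: %m");` followed by `policydb_destroy(&mypolicydb);`. Whether policydb_read sets errno on every failure path is not visible in this hunk, so for a malformed policy file the suffix may still be unrelated to the real cause.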