Re: [PATCH] libselinux: Cached security context not accurate

Johannes Segitz <jsegitz@xxxxxxx> writes:

> On Fri, Jan 21, 2022 at 01:06:16PM +0100, Christian Göttsche wrote:
>> Wouldn't it make logically more sense to first check if pid is zero
>> and then check if the cache is set, cause we never want to access the
> >> cache if not operating on our own process?
>
> Yes, I changed that
>
>> Also isn't setprocattrcon_raw() affected too?
>
> Of course. I managed to attach the wrong file that only had the change for
> getprocattrcon_raw. Attached is the full patch

Hello,

thanks for the patch. I have only comments on the format.

The best way to send a patch to the mailing list is to use `git send-email`, e.g.

   $ git send-email --from='Johannes Segitz <jsegitz@xxxxxxx>' --to=selinux@xxxxxxxxxxxxxxx --smtp-server=your.smtp.server --confirm=auto -1

Also, as stated in CONTRIBUTING.md, the patch description must have a sign-off.
See
https://github.com/SELinuxProject/selinux/pull/336/checks?check_run_id=4559976491
for the guidance.


Petr

> Johannes
> -- 
> GPG Key                EE16 6BCE AD56 E034 BFB3  3ADD 7BF7 29D5 E7C8 1FA0
> Subkey fingerprint:    250F 43F5 F7CE 6F1E 9C59  4F95 BC27 DD9D 2CC4 FD66
> SUSE Software Solutions Germany GmbH, Maxfeldstr. 5, 90409 Nuernberg
> Geschäftsführer: Ivo Totev (HRB 36809, AG Nürnberg)
> Index: libselinux-3.3/src/procattr.c
> ===================================================================
> --- libselinux-3.3.orig/src/procattr.c
> +++ libselinux-3.3/src/procattr.c
> @@ -148,7 +148,7 @@ static int getprocattrcon_raw(char ** co
>  			return -1;
>  	}
>  
> -	if (prev_context && prev_context != UNSET) {
> +	if (pid == 0 && prev_context && prev_context != UNSET) {
>  		*context = strdup(prev_context);
>  		if (!(*context)) {
>  			return -1;
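
Review bot: The new `pid == 0` test on the cache lookup in getprocattrcon_raw() has no comment saying why the cached value is used only in that case. A one-line comment above the `if`, stating that prev_context only describes the caller's own process and must not be returned for another pid, would keep a later cleanup from dropping the check.
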
> @@ -242,9 +242,9 @@ static int setprocattrcon_raw(const char
>  			return -1;
>  	}
>  
> -	if (!context && !*prev_context)
> +	if (pid == 0 && !context && !*prev_context)
>  		return 0;
> -	if (context && *prev_context && *prev_context != UNSET
> +	if (pid == 0 && context && *prev_context && *prev_context != UNSET
>  	    && !strcmp(context, *prev_context))
>  		return 0;
>  
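
Review bot: Both early returns in setprocattrcon_raw() now repeat `pid == 0 &&`. Wrapping the two tests in a single `if (pid == 0) { ... }` block, the way the last hunk does for the cache update, would read more clearly and make it obvious that the cache is never consulted for another process.
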
> @@ -272,9 +272,11 @@ out:
>  		free(context2);
>  		return -1;
>  	} else {
> -		if (*prev_context != UNSET)
> -			free(*prev_context);
> -		*prev_context = context2;
> +		if (pid == 0) {
> +			if (*prev_context != UNSET)
> +				free(*prev_context);
> +			*prev_context = context2;
> +		}
>  		return 0;
>  	}
>  }
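
Review bot: On the success path after `out:`, nothing owns context2 when pid is non-zero: the failure branch frees it and the `pid == 0` branch stores it in *prev_context, but for any other pid it is neither stored nor freed, which looks like a leak. Adding an `else` branch with `free(context2);` after the `if (pid == 0)` block would close it.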





