From 20e23c701c4710a37b446bca4ecd5d78e85b61c6 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Marc-Andr=C3=A9=20Lureau?=
Date: Tue, 1 Dec 2020 11:38:55 +0400
Subject: [PATCH 1/4] =?UTF-8?q?gio:=20=E2=80=98security=5Fcontext=5Ft?= =?UTF-8?q?=E2=80=99=20is=20deprecated?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
From: https://github.com/SELinuxProject/selinux/commit/9eb9c9327563014ad6a807814e7975424642d5b9 "we found that the const security_context_t declarations in libselinux are incorrect; const char * was intended, but const security_context_t translates to char * const and triggers warnings on passing const char * from the caller. Easiest fix is to replace them all with const char *." And later marked deprecated in commit: https://github.com/SELinuxProject/selinux/commit/7a124ca2758136f49cc38efc26fb1a2d385ecfd9
Signed-off-by: Marc-André Lureau
---
 gio/glocalfileinfo.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/gio/glocalfileinfo.c b/gio/glocalfileinfo.c
index a4abef0891..32a26d1b2c 100644
--- a/gio/glocalfileinfo.c
+++ b/gio/glocalfileinfo.c
@@ -2715,7 +2715,7 @@ set_selinux_context (char *filename,
 }
 if (is_selinux_enabled ()) {
- security_context_t val_s;
+ char *val_s;
 val_s = g_strdup (val);
--
GitLab
From 7bd1e09c4243db605e0c83c0f7382628e671004e Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Marc-Andr=C3=A9=20Lureau?=
Date: Tue, 1 Dec 2020 13:08:30 +0400
Subject: [PATCH 2/4] build-sys: bump libselinux requirement to >=2.2
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
The function declaration we use changed a bit since then. In particular, some arguments became const. See following commit. libselinux-2.2 was released on 20131030, and is widely available in all major stable distributions.
Signed-off-by: Marc-André Lureau
---
 meson.build | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/meson.build b/meson.build
index ad7f887fb8..37f8f347af 100644
--- a/meson.build
+++ b/meson.build
@@ -2063,7 +2063,7 @@ endif
 selinux_dep = []
 if host_system == 'linux'
- selinux_dep = dependency('libselinux', required: get_option('selinux'))
+ selinux_dep = dependency('libselinux', version: '>=2.2', required: get_option('selinux'))
 glib_conf.set('HAVE_SELINUX', selinux_dep.found())
 endif
--
GitLab
From f9cc77da73a0ad2ebe5998aa3c5509e3ab941510 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Marc-Andr=C3=A9=20Lureau?=
Date: Tue, 1 Dec 2020 12:57:58 +0400
Subject: [PATCH 3/4] gio: remove unnecessary strdup and fix potential leak
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
setfilecon_raw() takes a const argument since libselinux 2.2 (commit https://github.com/SELinuxProject/selinux/commit/6a17cfaafcdab82c9909eccff56968913b36a631)
Signed-off-by: Marc-André Lureau
---
 gio/glocalfileinfo.c | 7 +------
 1 file changed, 1 insertion(+), 6 deletions(-)
diff --git a/gio/glocalfileinfo.c b/gio/glocalfileinfo.c
index 32a26d1b2c..987ed280e6 100644
--- a/gio/glocalfileinfo.c
+++ b/gio/glocalfileinfo.c
@@ -2715,11 +2715,7 @@ set_selinux_context (char *filename,
 }
 if (is_selinux_enabled ()) {
- char *val_s;
-
- val_s = g_strdup (val);
-
- if (setfilecon_raw (filename, val_s) < 0)
+ if (setfilecon_raw (filename, val) < 0)
 {
 int errsv = errno;
@@ -2729,7 +2725,6 @@ set_selinux_context (char *filename,
 g_strerror (errsv));
 return FALSE;
 }
- g_free (val_s);
 } else {
 g_set_error_literal (error, G_IO_ERROR, G_IO_ERROR_INVALID_ARGUMENT,
 _("SELinux is not enabled on this system"));
--
GitLab
From 3f18b77fb346a5e49a1815978c39da7a4009cb29 Mon Sep 17 00:00:00 2001
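Review bot: In [PATCH 3/4], hunk `@@ -2715,11 +2715,7 @@`, the call `setfilecon_raw (filename, val)` resolves symbolic links, so the label is applied to the link target rather than to `filename` itself. The signature shown in [PATCH 4/4] has no flags parameter, so if callers can request no-follow behaviour for attribute writes (not visible on this page), that request cannot be honoured here; libselinux provides `lsetfilecon_raw()` for that case. At minimum the call deserves a comment such as `/* setfilecon_raw() follows symlinks: the context lands on the link target */`. The same call is carried unchanged into the `@@ -2708,29 +2708,30 @@` hunk of [PATCH 4/4], and set_selinux_context's body starts and ends outside this hunk.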
From: =?UTF-8?q?Marc-Andr=C3=A9=20Lureau?=
Date: Tue, 1 Dec 2020 13:20:11 +0400
Subject: [PATCH 4/4] gio: fix set_selinux_context coding style
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Mostly for cosmetic and readability, follow more closely the glib-style.
Signed-off-by: Marc-André Lureau
---
 gio/glocalfileinfo.c | 47 ++++++++++++++++++++++----------------------
 1 file changed, 24 insertions(+), 23 deletions(-)
diff --git a/gio/glocalfileinfo.c b/gio/glocalfileinfo.c
index 987ed280e6..4228d34578 100644
--- a/gio/glocalfileinfo.c
+++ b/gio/glocalfileinfo.c
@@ -2699,8 +2699,8 @@ set_mtime_atime (char *filename,
 #ifdef HAVE_SELINUX
 static gboolean
 set_selinux_context (char *filename,
- const GFileAttributeValue *value,
- GError **error)
+ const GFileAttributeValue *value,
+ GError **error)
 {
 const char *val;
@@ -2708,29 +2708,30 @@ set_selinux_context (char *filename,
 return FALSE;
 if (val == NULL)
- {
- g_set_error_literal (error, G_IO_ERROR, G_IO_ERROR_INVALID_ARGUMENT,
- _("SELinux context must be non-NULL"));
- return FALSE;
- }
+ {
+ g_set_error_literal (error, G_IO_ERROR, G_IO_ERROR_INVALID_ARGUMENT,
+ _("SELinux context must be non-NULL"));
+ return FALSE;
+ }
- if (is_selinux_enabled ()) {
- if (setfilecon_raw (filename, val) < 0)
- {
- int errsv = errno;
+ if (!is_selinux_enabled ())
+ {
+ g_set_error_literal (error, G_IO_ERROR, G_IO_ERROR_INVALID_ARGUMENT,
+ _("SELinux is not enabled on this system"));
+ return FALSE;
+ }
+
+ if (setfilecon_raw (filename, val) < 0)
+ {
+ int errsv = errno;
- g_set_error (error, G_IO_ERROR,
- g_io_error_from_errno (errsv),
- _("Error setting SELinux context: %s"),
- g_strerror (errsv));
- return FALSE;
- }
- } else {
- g_set_error_literal (error, G_IO_ERROR, G_IO_ERROR_INVALID_ARGUMENT,
- _("SELinux is not enabled on this system"));
- return FALSE;
- }
-
+ g_set_error (error, G_IO_ERROR,
+ g_io_error_from_errno (errsv),
+ _("Error setting SELinux context: %s"),
+ g_strerror (errsv));
+ return FALSE;
+ }
+
 return TRUE;
 }
 #endif
--
GitLab
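Review bot: The new guard `if (!is_selinux_enabled ())` reports a host without SELinux as `G_IO_ERROR_INVALID_ARGUMENT`, the same code the `val == NULL` branch just above it uses, so a caller cannot tell a bad context value from a system where labelling is unavailable. `G_IO_ERROR_NOT_SUPPORTED` would separate the two cases, e.g. `g_set_error_literal (error, G_IO_ERROR, G_IO_ERROR_NOT_SUPPORTED, _("SELinux is not enabled on this system"));`, provided no existing caller matches on the current code (not visible here). If the code has to stay for compatibility, a comment such as `/* INVALID_ARGUMENT is also returned when SELinux is disabled; kept for compatibility */` would record that for callers that must know whether a label was applied. The function begins above this hunk, where `val` is extracted.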