ping: fix breakage from -I fix

passwd: SELinux support by KaiGai Kohei <kaigai@ak.jp.nec.com>
author: Denis Vlasenko <vda.linux@googlemail.com> 2007-10-20 02:00:49 +0000
committer: Denis Vlasenko <vda.linux@googlemail.com> 2007-10-20 02:00:49 +0000
commit: 2edbc2ab85b96fb01a3862db09df12f40d4382cd (patch)
tree: 0637a680a89fb11a986e59657875adda2546ec18
parent: aa7a888e423fc85daa8af0ac3aabe8fc7af86312 (diff)
download: busybox-w32-2edbc2ab85b96fb01a3862db09df12f40d4382cd.tar.gz
busybox-w32-2edbc2ab85b96fb01a3862db09df12f40d4382cd.tar.bz2
busybox-w32-2edbc2ab85b96fb01a3862db09df12f40d4382cd.zip
4 files changed, 50 insertions, 2 deletions
diff --git a/include/libbb.h b/include/libbb.h
index af385e232..71f439fa9 100644
--- a/include/libbb.h
+++ b/include/libbb.h
@@ -44,6 +44,8 @@
 #if ENABLE_SELINUX
 #include <selinux/selinux.h>
 #include <selinux/context.h>
+#include <selinux/flask.h>
+#include <selinux/av_permissions.h>
 #endif
 #if ENABLE_LOCALE_SUPPORT
@@ -818,6 +820,9 @@ extern void set_current_security_context(security_context_t sid);
 extern context_t set_security_context_component(security_context_t cur_context,
                                                char *user, char *role, char *type, char *range);
 extern void setfscreatecon_or_die(security_context_t scontext);
+extern void selinux_preserve_fcontext(int fdesc);
+#else
+#define selinux_preserve_fcontext(fdesc) ((void)0)
 #endif
 extern void selinux_or_die(void);
 extern int restricted_shell(const char *shell);
diff --git a/libbb/selinux_common.c b/libbb/selinux_common.c
index ff076f6f0..7478cc7b5 100644
--- a/libbb/selinux_common.c
+++ b/libbb/selinux_common.c
@@ -38,3 +38,17 @@ void setfscreatecon_or_die(security_context_t scontext)
                                "file creation context to %s", scontext);
        }
 }
+void selinux_preserve_fcontext(int fdesc)
+{
+        security_context_t context;
+        if (fgetfilecon(fdesc, &context) < 0) {
+                if (errno == ENODATA || errno == ENOTSUP)
+                        return;
+                bb_perror_msg_and_die("fgetfilecon failed");
+        }
+        setfscreatecon_or_die(context);
+        freecon(context);
+}
diff --git a/libbb/update_passwd.c b/libbb/update_passwd.c
index 8914b8b45..388adf81f 100644
--- a/libbb/update_passwd.c
+++ b/libbb/update_passwd.c
@@ -11,6 +11,31 @@
 #include "libbb.h"
+#if ENABLE_SELINUX
+static void check_selinux_update_passwd(const char *username)
+{
+        security_context_t context;
+        char *seuser;
+        if (getuid() != (uid_t)0 || is_selinux_enabled() == 0)
+                return;         /* No need to check */
+        if (getprevcon_raw(&context) < 0)
+                bb_perror_msg_and_die("getprevcon failed");
+        seuser = strtok(context, ":");
+        if (!seuser)
+                bb_error_msg_and_die("invalid context '%s'", context);
+        if (strcmp(seuser, username) != 0) {
+                if (checkPasswdAccess(PASSWD__PASSWD) != 0)
+                        bb_error_msg_and_die("SELinux: access denied");
+        }
+        if (ENABLE_FEATURE_CLEAN_UP)
+                freecon(context);
+}
+#else
+#define check_selinux_update_passwd(username) ((void)0)
+#endif
 int update_passwd(const char *filename, const char *username,
                        const char *new_pw)
 {
@@ -27,6 +52,8 @@ int update_passwd(const char *filename, const char *username,
        int cnt = 0;
        int ret = -1; /* failure */
+        check_selinux_update_passwd(username);
        /* New passwd file, "/etc/passwd+" for now */
        fnamesfx = xasprintf("%s+", filename);
        sfx_char = &fnamesfx[strlen(fnamesfx)-1];
@@ -38,6 +65,8 @@ int update_passwd(const char *filename, const char *username,
                goto free_mem;
        old_fd = fileno(old_fp);
+        selinux_preserve_fcontext(old_fd);
        /* Try to create "/etc/passwd+". Wait if it exists. */
        i = 30;
        do {
diff --git a/networking/ping.c b/networking/ping.c
index bd98a21e6..0de1b33f7 100644
--- a/networking/ping.c
+++ b/networking/ping.c
@@ -540,7 +540,7 @@ static void ping4(len_and_sockaddr *lsa)
                xbind(pingsock, &source_lsa->sa, source_lsa->len);
        }
        if (opt_I)
-                setsockopt(pingsock, SOL_SOCKET, SO_BINDTODEVICE, device, strlen(opt_I) + 1);
+                setsockopt(pingsock, SOL_SOCKET, SO_BINDTODEVICE, opt_I, strlen(opt_I) + 1);
        /* enable broadcast pings */
        setsockopt_broadcast(pingsock);
@@ -589,7 +589,7 @@ static void ping6(len_and_sockaddr *lsa)
        if (source_lsa)
                xbind(pingsock, &source_lsa->sa, source_lsa->len);
        if (opt_I)
-                setsockopt(pingsock, SOL_SOCKET, SO_BINDTODEVICE, device, strlen(opt_I) + 1);
+                setsockopt(pingsock, SOL_SOCKET, SO_BINDTODEVICE, opt_I, strlen(opt_I) + 1);
 #ifdef ICMP6_FILTER
        {
author	Denis Vlasenko <vda.linux@googlemail.com>	2007-10-20 02:00:49 +0000
committer	Denis Vlasenko <vda.linux@googlemail.com>	2007-10-20 02:00:49 +0000
commit	2edbc2ab85b96fb01a3862db09df12f40d4382cd (patch)
tree	0637a680a89fb11a986e59657875adda2546ec18
parent	aa7a888e423fc85daa8af0ac3aabe8fc7af86312 (diff)
download	busybox-w32-2edbc2ab85b96fb01a3862db09df12f40d4382cd.tar.gz busybox-w32-2edbc2ab85b96fb01a3862db09df12f40d4382cd.tar.bz2 busybox-w32-2edbc2ab85b96fb01a3862db09df12f40d4382cd.zip

diff --git a/include/libbb.h b/include/libbb.h index af385e232..71f439fa9 100644 --- a/include/libbb.h +++ b/include/libbb.h
@@ -44,6 +44,8 @@
44	#if ENABLE_SELINUX	44	#if ENABLE_SELINUX
45	#include <selinux/selinux.h>	45	#include <selinux/selinux.h>
46	#include <selinux/context.h>	46	#include <selinux/context.h>
		47	#include <selinux/flask.h>
		48	#include <selinux/av_permissions.h>
47	#endif	49	#endif
48		50
49	#if ENABLE_LOCALE_SUPPORT	51	#if ENABLE_LOCALE_SUPPORT
@@ -818,6 +820,9 @@ extern void set_current_security_context(security_context_t sid);
818	extern context_t set_security_context_component(security_context_t cur_context,	820	extern context_t set_security_context_component(security_context_t cur_context,
819	char user, char role, char type, char range);	821	char user, char role, char type, char range);
820	extern void setfscreatecon_or_die(security_context_t scontext);	822	extern void setfscreatecon_or_die(security_context_t scontext);
		823	extern void selinux_preserve_fcontext(int fdesc);
		824	#else
		825	#define selinux_preserve_fcontext(fdesc) ((void)0)
821	#endif	826	#endif
822	extern void selinux_or_die(void);	827	extern void selinux_or_die(void);
823	extern int restricted_shell(const char *shell);	828	extern int restricted_shell(const char *shell);


diff --git a/libbb/selinux_common.c b/libbb/selinux_common.c index ff076f6f0..7478cc7b5 100644 --- a/libbb/selinux_common.c +++ b/libbb/selinux_common.c
@@ -38,3 +38,17 @@ void setfscreatecon_or_die(security_context_t scontext)
38	"file creation context to %s", scontext);	38	"file creation context to %s", scontext);
39	}	39	}
40	}	40	}
		41
		42	void selinux_preserve_fcontext(int fdesc)
		43	{
		44	security_context_t context;
		45
		46	if (fgetfilecon(fdesc, &context) < 0) {
		47	if (errno == ENODATA \|\| errno == ENOTSUP)
		48	return;
		49	bb_perror_msg_and_die("fgetfilecon failed");
		50	}
		51	setfscreatecon_or_die(context);
		52	freecon(context);
		53	}
		54


diff --git a/libbb/update_passwd.c b/libbb/update_passwd.c index 8914b8b45..388adf81f 100644 --- a/libbb/update_passwd.c +++ b/libbb/update_passwd.c
@@ -11,6 +11,31 @@
11		11
12	#include "libbb.h"	12	#include "libbb.h"
13		13
		14	#if ENABLE_SELINUX
		15	static void check_selinux_update_passwd(const char *username)
		16	{
		17	security_context_t context;
		18	char *seuser;
		19
		20	if (getuid() != (uid_t)0 \|\| is_selinux_enabled() == 0)
		21	return; /* No need to check */
		22
		23	if (getprevcon_raw(&context) < 0)
		24	bb_perror_msg_and_die("getprevcon failed");
		25	seuser = strtok(context, ":");
		26	if (!seuser)
		27	bb_error_msg_and_die("invalid context '%s'", context);
		28	if (strcmp(seuser, username) != 0) {
		29	if (checkPasswdAccess(PASSWD__PASSWD) != 0)
		30	bb_error_msg_and_die("SELinux: access denied");
		31	}
		32	if (ENABLE_FEATURE_CLEAN_UP)
		33	freecon(context);
		34	}
		35	#else
		36	#define check_selinux_update_passwd(username) ((void)0)
		37	#endif
		38
14	int update_passwd(const char filename, const char username,	39	int update_passwd(const char filename, const char username,
15	const char *new_pw)	40	const char *new_pw)
16	{	41	{
@@ -27,6 +52,8 @@ int update_passwd(const char filename, const char username,
27	int cnt = 0;	52	int cnt = 0;
28	int ret = -1; /* failure */	53	int ret = -1; /* failure */
29		54
		55	check_selinux_update_passwd(username);
		56
30	/* New passwd file, "/etc/passwd+" for now */	57	/* New passwd file, "/etc/passwd+" for now */
31	fnamesfx = xasprintf("%s+", filename);	58	fnamesfx = xasprintf("%s+", filename);
32	sfx_char = &fnamesfx[strlen(fnamesfx)-1];	59	sfx_char = &fnamesfx[strlen(fnamesfx)-1];
@@ -38,6 +65,8 @@ int update_passwd(const char filename, const char username,
38	goto free_mem;	65	goto free_mem;
39	old_fd = fileno(old_fp);	66	old_fd = fileno(old_fp);
40		67
		68	selinux_preserve_fcontext(old_fd);
		69
41	/* Try to create "/etc/passwd+". Wait if it exists. */	70	/* Try to create "/etc/passwd+". Wait if it exists. */
42	i = 30;	71	i = 30;
43	do {	72	do {


diff --git a/networking/ping.c b/networking/ping.c index bd98a21e6..0de1b33f7 100644 --- a/networking/ping.c +++ b/networking/ping.c
@@ -540,7 +540,7 @@ static void ping4(len_and_sockaddr *lsa)
540	xbind(pingsock, &source_lsa->sa, source_lsa->len);	540	xbind(pingsock, &source_lsa->sa, source_lsa->len);
541	}	541	}
542	if (opt_I)	542	if (opt_I)
543	setsockopt(pingsock, SOL_SOCKET, SO_BINDTODEVICE, device, strlen(opt_I) + 1);	543	setsockopt(pingsock, SOL_SOCKET, SO_BINDTODEVICE, opt_I, strlen(opt_I) + 1);
544		544
545	/* enable broadcast pings */	545	/* enable broadcast pings */
546	setsockopt_broadcast(pingsock);	546	setsockopt_broadcast(pingsock);
@@ -589,7 +589,7 @@ static void ping6(len_and_sockaddr *lsa)
589	if (source_lsa)	589	if (source_lsa)
590	xbind(pingsock, &source_lsa->sa, source_lsa->len);	590	xbind(pingsock, &source_lsa->sa, source_lsa->len);
591	if (opt_I)	591	if (opt_I)
592	setsockopt(pingsock, SOL_SOCKET, SO_BINDTODEVICE, device, strlen(opt_I) + 1);	592	setsockopt(pingsock, SOL_SOCKET, SO_BINDTODEVICE, opt_I, strlen(opt_I) + 1);
593		593
594	#ifdef ICMP6_FILTER	594	#ifdef ICMP6_FILTER
595	{	595	{