Refactor the way to convert selinux label to shared mode

Signed-off-by: wujing <wujing50@huawei.com>
2022-04-15 11:17:33 +08:00 · 2022-04-15 11:17:33 +08:00 · 9bb9704b12
commit 9bb9704b12
parent 7f33de3094
3 changed files with 116 additions and 1 deletions
--- a/0040-refactor-the-way-to-convert-selinux-label-to-shared.path
+++ b/0040-refactor-the-way-to-convert-selinux-label-to-shared.path
@ -0,0 +1,107 @@
+From 70e7dd0da58071557c897fbce2f48c8169633a54 Mon Sep 17 00:00:00 2001
+From: wujing <wujing50@huawei.com>
+Date: Fri, 15 Apr 2022 11:11:38 +0800
+Subject: [PATCH] Refactor the way to convert selinux label to shared mode
+
+Signed-off-by: wujing <wujing50@huawei.com>
+---
+ src/lxc/lsm/selinux.c | 58 ++++++++++++++++++++++++++++++++++---------
+ 1 file changed, 46 insertions(+), 12 deletions(-)
+
+diff --git a/src/lxc/lsm/selinux.c b/src/lxc/lsm/selinux.c
+index 79697c5..0a1e205 100644
+--- a/src/lxc/lsm/selinux.c
+++ b/src/lxc/lsm/selinux.c
+@@ -230,15 +230,11 @@ static int selinux_chcon(const char *fpath, const char *label, bool recurse)
+ {
+ 	struct stat s_buf;
+ 
+-	if (fpath == NULL) {
+-		ERROR("Empty file path");
+	if (fpath == NULL || label == NULL) {
+		ERROR("Invalid parameters!");
+ 		return -1;
+ 	}
+ 
+-	if (label == NULL) {
+-		return 0;
+-	}
+-
+ 	if (bad_prefix(fpath) != 0) {
+ 		return -1;
+ 	}
+@@ -257,6 +253,42 @@ static int selinux_chcon(const char *fpath, const char *label, bool recurse)
+ 	return 0;
+ }
+ 
+/*
+ * convert_context_to_share_mode: set sensitivity to s0 and remove categories
+ * user:role:type:sensitivity[:categories] => user:role:type:s0
+ *
+ * @label   : label string
+ *
+ * Returns label with share mode on success, NULL on failure
+ */
+static char *convert_context_to_share_mode(const char *label) {
+	__do_free char *converted_label = strdup(label);
+	char *s = converted_label;
+	const char *shared_level = "s0";
+	int cnt = 0;
+
+	// selinux label format: user:role:type:sensitivity[:categories]
+	// locates the ":" position in front of the sensitivity
+	while (cnt++ < 3 && (s = strchr(s, ':')) != NULL) {
+		s++;
+	}
+
+	// make sure sensitivity can set s0 value
+	if (s == NULL || strlen(s) < strlen(shared_level)) {
+		ERROR("Invalid selinux file context: %s", label);	
+		return NULL;
+	}
+
+	if (strcmp(s, shared_level) == 0) {
+		return move_ptr(converted_label);
+	}
+
+	*s = '\0';
+	strcat(converted_label, shared_level);
+
+	return move_ptr(converted_label);
+}
+
+ /*
+  * selinux_relabel: Relabel changes the label of path to the filelabel string.
+  * It changes the MCS label to s0 if shared is true.
+@@ -280,20 +312,22 @@ static int selinux_relabel(const char *path, const char *label, bool shared)
+ 		return 0;
+ 	}
+ 
+-	tmp_file_label = strdup(label);
+ 	if (is_exclude_relabel_path(path)) {
+ 		ERROR("SELinux relabeling of %s is not allowed", path);
+ 		return -1;
+ 	}
+ 
+ 	if (shared) {
+-		context_t c = context_new(label);
+-		context_range_set(c, "s0");
+-		free(tmp_file_label);
+-		tmp_file_label = strdup(context_str(c));
+-		context_free(c);
+		tmp_file_label = convert_context_to_share_mode(label);
+		if (tmp_file_label == NULL) {
+			ERROR("Failed to convert context to share mode: %s", label);
+			return -1;
+		}
+	} else {
+		tmp_file_label = strdup(label);
+ 	}
+ 
+
+ 	if (selinux_chcon(path, tmp_file_label, true) != 0) {
+ 		ERROR("Failed to modify %s's selinux context: %s", path, tmp_file_label);
+ 		return -1;
+-- 
+2.35.1
+
--- a/lxc.spec
+++ b/lxc.spec
@ -1,4 +1,4 @@
-%global _release 2022040901
+%global _release 2022041501

 Name:           lxc
 Version:        4.0.3
@ -47,6 +47,7 @@ Patch0036:	0036-compile-in-android-env.patch
 Patch0037:	0037-fix-always-print-and-temp-len.patch
 Patch0038:	0038-just-print-error-when-new-lock-failed.patch
 Patch0039:	0039-fix-bug-of-memory-free.patch
+Patch0040:	0040-refactor-the-way-to-convert-selinux-label-to-shared.path

 BuildRequires:  systemd-units git libtool graphviz docbook2X doxygen chrpath
 BuildRequires:  pkgconfig(libseccomp)
@ -218,6 +219,12 @@ make check
 %{_mandir}/*/man7/%{name}*

 %changelog
+* Fri Apr 15 2022 wujing<wujing50@huawei.com> - 4.0.3-2022041501
+- Type:refactor
+- ID:NA
+- SUG:NA
+- DESC: refactor the way to convert selinux label to shared mode
+
 * Sat Apr 09 2022 wujing<wujing50@huawei.com> - 4.0.3-2022040901
 - Type:bugfix
 - ID:NA
--- a/series.conf
+++ b/series.conf
@ -37,3 +37,4 @@
 0037-fix-always-print-and-temp-len.patch
 0038-just-print-error-when-new-lock-failed.patch
 0039-fix-bug-of-memory-free.patch
+0040-refactor-the-way-to-convert-selinux-label-to-shared.path