[PATCH 1/1] libselinux: convert matchpathcon to selabel_lookup()

* [PATCH 1/1] libselinux: convert matchpathcon to selabel_lookup()
@ 2020-10-04 14:03 Nicolas Iooss
  2020-10-13 14:48 ` Petr Lautrbach
  0 siblings, 1 reply; 3+ messages in thread
From: Nicolas Iooss @ 2020-10-04 14:03 UTC (permalink / raw)
  To: selinux

Function matchpathcon() is deprecated in favor of selabel_lookup() but
program "matchpathcon" is much easier to use than "selabel_loopkup" to
find the file context which would be applied to some files and
directories.

More precisely:

    matchpathcon /path/to/my/file

is easier to type and remember than:

    selabel_lookup -b file -k /path/to/my/file

It also allows performing multiple context searches in one command,
where selabel_lookup cannot use multiple -k options.

Migrate matchpathcon to the preferred API.

Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>
---
 libselinux/utils/Makefile       |  2 -
 libselinux/utils/matchpathcon.c | 87 ++++++++++++++-------------------
 2 files changed, 38 insertions(+), 51 deletions(-)

diff --git a/libselinux/utils/Makefile b/libselinux/utils/Makefile
index aa2d3e1b144f..b018a08acbe0 100644
--- a/libselinux/utils/Makefile
+++ b/libselinux/utils/Makefile
@@ -56,8 +56,6 @@ sefcontext_compile: LDLIBS += $(PCRE_LDLIBS) ../src/libselinux.a -lsepol
 
 sefcontext_compile: sefcontext_compile.o ../src/regex.o
 
-matchpathcon: CFLAGS += -Wno-deprecated-declarations
-
 all: $(TARGETS)
 
 install: all
diff --git a/libselinux/utils/matchpathcon.c b/libselinux/utils/matchpathcon.c
index cc018d213f4c..a07e160dee71 100644
--- a/libselinux/utils/matchpathcon.c
+++ b/libselinux/utils/matchpathcon.c
@@ -1,15 +1,14 @@
-#include <unistd.h>
-#include <stdio.h>
-#include <stdlib.h>
-#include <getopt.h>
 #include <errno.h>
-#include <string.h>
+#include <getopt.h>
 #include <limits.h>
-#include <sys/types.h>
-#include <sys/stat.h>
+#include <selinux/label.h>
 #include <selinux/selinux.h>
-#include <limits.h>
+#include <stdio.h>
 #include <stdlib.h>
+#include <string.h>
+#include <sys/stat.h>
+#include <sys/types.h>
+#include <unistd.h>
 
 static __attribute__ ((__noreturn__)) void usage(const char *progname)
 {
@@ -19,15 +18,21 @@ static __attribute__ ((__noreturn__)) void usage(const char *progname)
 	exit(1);
 }
 
-static int printmatchpathcon(const char *path, int header, int mode)
+static int printmatchpathcon(struct selabel_handle *hnd, const char *path, int header, int mode, int notrans)
 {
-	char *buf;
-	int rc = matchpathcon(path, mode, &buf);
+	char *buf = NULL;
+	int rc;
+
+	if (notrans) {
+		rc = selabel_lookup_raw(hnd, &buf, path, mode);
+	} else {
+		rc = selabel_lookup(hnd, &buf, path, mode);
+	}
 	if (rc < 0) {
 		if (errno == ENOENT) {
 			buf = strdup("<<none>>");
 		} else {
-			fprintf(stderr, "matchpathcon(%s) failed: %s\n", path,
+			fprintf(stderr, "selabel_lookup(%s) failed: %s\n", path,
 				strerror(errno));
 			return 1;
 		}
@@ -66,15 +71,14 @@ static mode_t string_to_mode(char *s)
 
 int main(int argc, char **argv)
 {
-	int i, init = 0, force_mode = 0;
+	int i, force_mode = 0;
 	int header = 1, opt;
 	int verify = 0;
 	int notrans = 0;
 	int error = 0;
 	int quiet = 0;
-
-	fprintf(stderr,
-		"Deprecated, use selabel_lookup\n");
+	struct selabel_handle *hnd;
+	struct selinux_opt options[SELABEL_NOPT] = {};
 
 	if (argc < 2)
 		usage(argv[0]);
@@ -96,23 +100,10 @@ int main(int argc, char **argv)
 			break;
 		case 'N':
 			notrans = 1;
-			set_matchpathcon_flags(MATCHPATHCON_NOTRANS);
 			break;
 		case 'f':
-			if (init) {
-				fprintf(stderr,
-					"%s:  -f and -p are exclusive\n",
-					argv[0]);
-				exit(1);
-			}
-			init = 1;
-			if (matchpathcon_init(optarg)) {
-				fprintf(stderr,
-					"Error while processing %s:  %s\n",
-					optarg,
-					errno ? strerror(errno) : "invalid");
-				exit(1);
-			}
+			options[SELABEL_OPT_PATH].type = SELABEL_OPT_PATH;
+			options[SELABEL_OPT_PATH].value = optarg;
 			break;
 		case 'P':
 			if (selinux_set_policy_root(optarg) < 0 ) {
@@ -124,20 +115,11 @@ int main(int argc, char **argv)
 			}
 			break;
 		case 'p':
-			if (init) {
-				fprintf(stderr,
-					"%s:  -f and -p are exclusive\n",
-					argv[0]);
-				exit(1);
-			}
-			init = 1;
-			if (matchpathcon_init_prefix(NULL, optarg)) {
-				fprintf(stderr,
-					"Error while processing %s:  %s\n",
-					optarg,
-					errno ? strerror(errno) : "invalid");
-				exit(1);
-			}
+			// This option has been deprecated since libselinux 2.5 (2016):
+			// https://github.com/SELinuxProject/selinux/commit/26e05da0fc2d0a4bd274320968a88f8acbb3b6a6
+			fprintf(stderr, "Warning: using %s -p is deprecated\n", argv[0]);
+			options[SELABEL_OPT_SUBSET].type = SELABEL_OPT_SUBSET;
+			options[SELABEL_OPT_SUBSET].value = optarg;
 			break;
 		case 'q':
 			quiet = 1;
@@ -146,6 +128,13 @@ int main(int argc, char **argv)
 			usage(argv[0]);
 		}
 	}
+	hnd = selabel_open(SELABEL_CTX_FILE, options, SELABEL_NOPT);
+	if (!hnd) {
+		fprintf(stderr,
+			"Error while opening file contexts database: %s\n",
+			strerror(errno));
+		return -1;
+	}
 	for (i = optind; i < argc; i++) {
 		int rc, mode = 0;
 		struct stat buf;
@@ -185,19 +174,19 @@ int main(int argc, char **argv)
 				if (rc >= 0) {
 					printf("%s has context %s, should be ",
 					       path, con);
-					printmatchpathcon(path, 0, mode);
+					printmatchpathcon(hnd, path, 0, mode, notrans);
 					freecon(con);
 				} else {
 					printf
 					    ("actual context unknown: %s, should be ",
 					     strerror(errno));
-					printmatchpathcon(path, 0, mode);
+					printmatchpathcon(hnd, path, 0, mode, notrans);
 				}
 			}
 		} else {
-			error |= printmatchpathcon(path, header, mode);
+			error |= printmatchpathcon(hnd, path, header, mode, notrans);
 		}
 	}
-	matchpathcon_fini();
+	selabel_close(hnd);
 	return error;
 }
-- 
2.28.0


^ permalink raw reply related	[flat|nested] 3+ messages in thread