SELinux Archive on lore.kernel.org
* [PATCH] label_file.c: Fix MAC build
@ 2020-02-07 23:00 Nick Kralevich
  2020-02-10 20:49 ` Stephen Smalley
  0 siblings, 1 reply; 3+ messages in thread
From: Nick Kralevich @ 2020-02-07 23:00 UTC
  To: selinux; +Cc: Nick Kralevich

On Android, the label_file.c file is compiled for all platforms,
including OSX. OSX has a slightly different prototype for the
getxattr function.

ssize_t getxattr(const char *path, const char *name, void *value, size_t size, u_int32_t position, int options);

which causes a compile error when compiling libselinux on OSX.

  ```
  external/selinux/libselinux/src/label_file.c:1038:37: error: too few arguments to function call, expected 6, have 4
                                       read_digest, SHA1_HASH_SIZE);
                                                                ^
  /Applications/Xcode9.app/Contents/Developer/Platforms/MacOSX.platform/Developer/SDKs/MacOSX10.13.sdk/usr/include/sys/xattr.h:61:1: note: 'getxattr' declared here
  ssize_t getxattr(const char *path, const char *name, void *value, size_t size, u_int32_t position, int options);
  ^
  1 error generated.
  ```

On OSX builds, add the additional arguments so that the code compiles.

As both SELinux labels and the restorecon partial digest are stored in
extended attributes, it's theoretically possible that someone
could assign SELinux labels and hash digests on OSX filesystems.
Doing so would be extremely weird and completely untested, but
theoretically possible.

Signed-off-by: Nick Kralevich <nnk@google.com>
---
 libselinux/src/label_file.c | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

diff --git a/libselinux/src/label_file.c b/libselinux/src/label_file.c
index 300625c2..f2aaf3ba 100644
--- a/libselinux/src/label_file.c
+++ b/libselinux/src/label_file.c
@@ -985,7 +985,11 @@ static bool get_digests_all_partial_matches(struct selabel_handle *rec,
 {
 	uint8_t read_digest[SHA1_HASH_SIZE];
 	ssize_t read_size = getxattr(pathname, RESTORECON_PARTIAL_MATCH_DIGEST,
-				     read_digest, SHA1_HASH_SIZE);
+				     read_digest, SHA1_HASH_SIZE
+#ifdef __APPLE__
+				     , 0, 0
+#endif /* __APPLE __ */
+				    );
 	uint8_t hash_digest[SHA1_HASH_SIZE];
 	bool status = selabel_hash_all_partial_matches(rec, pathname,
 						       hash_digest);
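Review bot: The closing comment on the `#endif` line reads `__APPLE __` with a stray space, so it no longer matches the `#ifdef __APPLE__` it closes; it should read `/* __APPLE__ */`. Splitting the argument list of getxattr() with a preprocessor conditional also leaves the closing `);` on a line of its own, which is easy to break in a later edit. A small static wrapper that takes the four common arguments and appends `, 0, 0` on Apple builds would keep this call site a single ordinary call.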
-- 
2.25.0.225.g125e21ebc7-goog
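
The prototype difference described in the commit message can also be hidden behind a wrapper, so the digest check itself stays free of preprocessor conditionals. This is an added example, not code from libselinux or from this patch; `portable_getxattr`, `check_stored_digest`, `DIGEST_LEN` and the attribute name `user.example_digest` are hypothetical.

```c
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#include <sys/xattr.h>

#define DIGEST_LEN 20 /* SHA-1 size; stands in for SHA1_HASH_SIZE */

/* Hypothetical wrapper: callers see one 4-argument signature. */
ssize_t portable_getxattr(const char *path, const char *name,
			  void *value, size_t size)
{
#ifdef __APPLE__
	/* position 0 = start of value; options 0 = follow symlinks, as on Linux */
	return getxattr(path, name, value, size, 0, 0);
#else
	return getxattr(path, name, value, size);
#endif
}

enum digest_state { DIGEST_MATCH, DIGEST_MISMATCH, DIGEST_ABSENT, DIGEST_ERROR };

/* Compare the digest stored in xattr `name` on `path` with `expected`. */
enum digest_state check_stored_digest(const char *path, const char *name,
				      const uint8_t expected[DIGEST_LEN])
{
	uint8_t stored[DIGEST_LEN];
	ssize_t n = portable_getxattr(path, name, stored, sizeof(stored));
	if (n < 0) {
#ifdef ENOATTR	/* macOS: attribute not set */
		if (errno == ENOATTR) return DIGEST_ABSENT;
#endif
#ifdef ENODATA	/* Linux: attribute not set */
		if (errno == ENODATA) return DIGEST_ABSENT;
#endif
		return DIGEST_ERROR; /* ENOENT, ENOTSUP, ERANGE (value too long), ... */
	}
	if ((size_t)n != sizeof(stored)) /* a short value is never a valid digest */
		return DIGEST_MISMATCH;
	return memcmp(stored, expected, sizeof(stored)) ? DIGEST_MISMATCH : DIGEST_MATCH;
}

int main(int argc, char **argv)
{
	uint8_t expected[DIGEST_LEN] = {0}; /* constructed sample digest */
	printf("%d\n", check_stored_digest(argc > 1 ? argv[1] : ".", "user.example_digest", expected));
	return 0;
}
```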



* Re: [PATCH] label_file.c: Fix MAC build
  2020-02-07 23:00 [PATCH] label_file.c: Fix MAC build Nick Kralevich
@ 2020-02-10 20:49 ` Stephen Smalley
  2020-02-11 14:53   ` Stephen Smalley
  0 siblings, 1 reply; 3+ messages in thread
From: Stephen Smalley @ 2020-02-10 20:49 UTC
  To: Nick Kralevich, selinux, Richard Haines

On 2/7/20 6:00 PM, Nick Kralevich wrote:
> On Android, the label_file.c file is compiled for all platforms,
> including OSX. OSX has a slightly different prototype for the
> getxattr function.
> 
> ssize_t getxattr(const char *path, const char *name, void *value, size_t size, u_int32_t position, int options);
> 
> which causes a compile error when compiling libselinux on OSX.
> 
>    ```
>    external/selinux/libselinux/src/label_file.c:1038:37: error: too few arguments to function call, expected 6, have 4
>                                         read_digest, SHA1_HASH_SIZE);
>                                                                  ^
>    /Applications/Xcode9.app/Contents/Developer/Platforms/MacOSX.platform/Developer/SDKs/MacOSX10.13.sdk/usr/include/sys/xattr.h:61:1: note: 'getxattr' declared here
>    ssize_t getxattr(const char *path, const char *name, void *value, size_t size, u_int32_t position, int options);
>    ^
>    1 error generated.
>    ```
> 
> On OSX builds, add the additional arguments so that the code compiles.
> 
> As both SELinux labels and the restorecon partial digest are stored in
> extended attributes, it's theoretically possible that someone
> could assign SELinux labels and hash digests on OSX filesystems.
> Doing so would be extremely weird and completely untested, but
> theoretically possible.
> 
> Signed-off-by: Nick Kralevich <nnk@google.com>

Wondering why the getxattr() call isn't done in the selinux_restorecon 
code instead, or why this is needed as a separate selabel_ interface at 
all. Probably too late to change it though without breaking API/ABI.

Acked-by: Stephen Smalley <sds@tycho.nsa.gov>

> ---
>   libselinux/src/label_file.c | 6 +++++-
>   1 file changed, 5 insertions(+), 1 deletion(-)
> 
> diff --git a/libselinux/src/label_file.c b/libselinux/src/label_file.c
> index 300625c2..f2aaf3ba 100644
> --- a/libselinux/src/label_file.c
> +++ b/libselinux/src/label_file.c
> @@ -985,7 +985,11 @@ static bool get_digests_all_partial_matches(struct selabel_handle *rec,
>   {
>   	uint8_t read_digest[SHA1_HASH_SIZE];
>   	ssize_t read_size = getxattr(pathname, RESTORECON_PARTIAL_MATCH_DIGEST,
> -				     read_digest, SHA1_HASH_SIZE);
> +				     read_digest, SHA1_HASH_SIZE
> +#ifdef __APPLE__
> +				     , 0, 0
> +#endif /* __APPLE __ */
> +				    );
>   	uint8_t hash_digest[SHA1_HASH_SIZE];
>   	bool status = selabel_hash_all_partial_matches(rec, pathname,
>   						       hash_digest);
> 
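
Review bot: The two extra arguments added as `, 0, 0` are bare literals, and nothing at the call site says which is `position` and which is `options` from the OSX prototype quoted in the commit message. A short comment would help, for example that position 0 reads the attribute from its start and options 0 leaves XATTR_NOFOLLOW unset, so symlinks are followed as with the four-argument getxattr(). The commit message describes labels and digests on OSX filesystems as completely untested, which is worth recording in that comment too.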


* Re: [PATCH] label_file.c: Fix MAC build
  2020-02-10 20:49 ` Stephen Smalley
@ 2020-02-11 14:53   ` Stephen Smalley
  0 siblings, 0 replies; 3+ messages in thread
From: Stephen Smalley @ 2020-02-11 14:53 UTC
  To: Nick Kralevich, selinux, Richard Haines

On 2/10/20 3:49 PM, Stephen Smalley wrote:
> On 2/7/20 6:00 PM, Nick Kralevich wrote:
>> On Android, the label_file.c file is compiled for all platforms,
>> including OSX. OSX has a slightly different prototype for the
>> getxattr function.
>>
>> ssize_t getxattr(const char *path, const char *name, void *value, size_t size, u_int32_t position, int options);
>>
>> which causes a compile error when compiling libselinux on OSX.
>>
>>    ```
>>    external/selinux/libselinux/src/label_file.c:1038:37: error: too few arguments to function call, expected 6, have 4
>>                                         read_digest, SHA1_HASH_SIZE);
>>                                                                  ^
>>    /Applications/Xcode9.app/Contents/Developer/Platforms/MacOSX.platform/Developer/SDKs/MacOSX10.13.sdk/usr/include/sys/xattr.h:61:1: note: 'getxattr' declared here
>>    ssize_t getxattr(const char *path, const char *name, void *value, size_t size, u_int32_t position, int options);
>>    ^
>>    1 error generated.
>>    ```
>>
>> On OSX builds, add the additional arguments so that the code compiles.
>>
>> As both SELinux labels and the restorecon partial digest are stored in
>> extended attributes, it's theoretically possible that someone
>> could assign SELinux labels and hash digests on OSX filesystems.
>> Doing so would be extremely weird and completely untested, but
>> theoretically possible.
>>
>> Signed-off-by: Nick Kralevich <nnk@google.com>
> 
> Wondering why the getxattr() call isn't done in the selinux_restorecon 
> code instead, or why this is needed as a separate selabel_ interface at 
> all. Probably too late to change it though without breaking API/ABI.
> 
> Acked-by: Stephen Smalley <sds@tycho.nsa.gov>

This is now applied.  Unless there is a real reason to export it outside 
libselinux, we may wish to remove 
selabel_get_digests_all_partial_matches() from label.h and the man 
pages, drop the sample util, possibly add a selinux_log() deprecation 
warning to the selabel_get_digests_all_partial_matches() function to 
discourage any further use, and switch selinux_restorecon over to using 
its own private copy of the same logic.  Then maybe someday we can drop 
it, but that would technically be an ABI break even if there are no 
other users beyond the sample util.
