--- busybox-1.00.rc1/libbb/procps.c.selinux 2004-01-27 21:17:39.000000000 +0100 +++ busybox-1.00.rc1/libbb/procps.c 2004-09-17 17:55:37.424353869 +0200 @@ -18,7 +18,7 @@ extern procps_status_t * procps_scan(int save_user_arg0 #ifdef CONFIG_SELINUX - , int use_selinux , security_id_t *sid + , int use_selinux , security_context_t *scontext #endif ) { @@ -62,11 +62,12 @@ sprintf(status, "/proc/%d/stat", pid); if((fp = fopen(status, "r")) == NULL) continue; + if(fstat(fileno(fp), &sb)) + continue; #ifdef CONFIG_SELINUX if(use_selinux) { - if(fstat_secure(fileno(fp), &sb, sid)) - continue; + getpidcon(pid,scontext); } else #endif --- busybox-1.00.rc1/libbb/run_shell.c.selinux 2004-03-15 09:28:43.000000000 +0100 +++ busybox-1.00.rc1/libbb/run_shell.c 2004-09-17 17:55:37.424353869 +0200 @@ -36,9 +36,6 @@ #include #include #include "libbb.h" -#ifdef CONFIG_SELINUX -#include -#endif /* Run SHELL, or DEFAULT_SHELL if SHELL is empty. If COMMAND is nonzero, pass it to the shell with the -c option. @@ -47,7 +44,7 @@ void run_shell ( const char *shell, int loginshell, const char *command, const char **additional_args #ifdef CONFIG_SELINUX - , security_id_t sid + , security_context_t scontext #endif ) { @@ -78,9 +75,10 @@ } args [argno] = 0; #ifdef CONFIG_SELINUX - if(sid) - execve_secure(shell, (char **) args, environ, sid); - else + if(scontext) + if (setexeccon(scontext) != 0) { + bb_perror_msg_and_die ( "cannot run %s as %s", shell, scontext); + } #endif execv ( shell, (char **) args ); bb_perror_msg_and_die ( "cannot run %s", shell ); --- /dev/null 2004-09-17 16:10:16.760017320 +0200 +++ busybox-1.00.rc1/selinux/Makefile.in 2004-09-17 17:55:37.421354239 +0200 @@ -0,0 +1,32 @@ +# Makefile for busybox +# +# Copyright (C) 2003 by Dan Walsh +# Copyright (C) 1999-2003 by Erik Andersen +# +# This program is free software; you can redistribute it and/or modify +# it under the terms of the GNU General Public License as published by +# the Free Software Foundation; either version 2 of the License, or +# (at your option) any later version. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU +# General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with this program; if not, write to the Free Software +# Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA +# + +SELINUX_AR:=selinux.a +ifndef $(SELINUX_DIR) +SELINUX_DIR:=$(TOPDIR)selinux/ +endif + +SELINUX-y:= +SELINUX-$(CONFIG_LOAD_POLICY) += load_policy.o +libraries-y+=$(SELINUX_DIR)$(SELINUX_AR) + +$(SELINUX_DIR)$(SELINUX_AR): $(patsubst %,$(SELINUX_DIR)%, $(SELINUX-y)) + $(AR) -ro $@ $(patsubst %,$(SELINUX_DIR)%, $(SELINUX-y)) + --- /dev/null 2004-09-17 16:10:16.760017320 +0200 +++ busybox-1.00.rc1/selinux/load_policy.c 2004-09-17 17:55:37.419354485 +0200 @@ -0,0 +1,55 @@ +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include /* for setlocale() */ +#include /* for gettext() */ +#define _(msgid) gettext (msgid) +#ifndef PACKAGE +#define PACKAGE "policycoreutils" /* the name of this package lang translation */ +#endif + +extern int load_policy_main(int argc, char **argv) +{ + int fd, ret; + struct stat sb; + void *map; + + if (argc != 2) { + fprintf(stderr, _("usage: %s policyfile\n"), argv[0]); + return 1; + } + + fd = open(argv[1], O_RDONLY); + if (fd < 0) { + fprintf(stderr, _("Can't open '%s': %s\n"), + argv[1], strerror(errno)); + return 2; + } + + if (fstat(fd, &sb) < 0) { + fprintf(stderr, _("Can't stat '%s': %s\n"), + argv[1], strerror(errno)); + return 2; + } + + map = mmap(NULL, sb.st_size, PROT_READ, MAP_SHARED, fd, 0); + if (map == MAP_FAILED) { + fprintf(stderr, _("Can't map '%s': %s\n"), + argv[1], strerror(errno)); + return 2; + } + + ret = security_load_policy(map, sb.st_size); + if (ret < 0) { + fprintf(stderr, _("%s: security_load_policy failed\n"), argv[0]); + return 3; + } + return EXIT_SUCCESS; +} --- /dev/null 2004-09-17 16:10:16.760017320 +0200 +++ busybox-1.00.rc1/selinux/Config.in 2004-09-17 17:55:37.420354362 +0200 @@ -0,0 +1,16 @@ +# +# For a description of the syntax of this configuration file, +# see scripts/kbuild/config-language.txt. +# + +menu "Selinux Utilities" + +if CONFIG_SELINUX +config CONFIG_LOAD_POLICY + bool "load_policy" + default n + help + Enable support for loading SE Linux into the kernel. +endif +endmenu + --- /dev/null 2004-09-17 16:10:16.760017320 +0200 +++ busybox-1.00.rc1/selinux/Makefile 2004-09-17 17:55:37.420354362 +0200 @@ -0,0 +1,30 @@ +# Makefile for busybox +# +# Copyright (C) 1999-2003 by Erik Andersen +# +# This program is free software; you can redistribute it and/or modify +# it under the terms of the GNU General Public License as published by +# the Free Software Foundation; either version 2 of the License, or +# (at your option) any later version. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU +# General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with this program; if not, write to the Free Software +# Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA +# + +TOPDIR:= ../ +SELINUX_DIR:=./ +include $(TOPDIR).config +include $(TOPDIR)Rules.mak +include Makefile.in +all: $(libraries-y) +-include $(TOPDIR).depend + +clean: + rm -f *.o *.a $(AR_TARGET) + --- busybox-1.00.rc1/coreutils/ls.c.selinux 2004-03-27 11:02:42.000000000 +0100 +++ busybox-1.00.rc1/coreutils/ls.c 2004-09-17 17:58:21.999101125 +0200 @@ -63,9 +63,7 @@ #include #include "busybox.h" #ifdef CONFIG_SELINUX -#include -#include -#include +#include #endif #ifdef CONFIG_FEATURE_LS_TIMESTAMPS @@ -186,7 +184,7 @@ char *fullname; /* the dir entry name */ struct stat dstat; /* the file stat info */ #ifdef CONFIG_SELINUX - security_id_t sid; + security_context_t scontext; #endif struct dnode *next; /* point at the next node */ }; @@ -199,7 +197,7 @@ static unsigned int all_fmt; #ifdef CONFIG_SELINUX -static int is_flask_enabled_flag; +static int is_selinux_enabled_flag; #endif #ifdef CONFIG_FEATURE_AUTOWIDTH @@ -217,18 +215,18 @@ struct stat dstat; struct dnode *cur; #ifdef CONFIG_SELINUX - security_id_t sid; + security_context_t scontext; #endif int rc; #ifdef CONFIG_FEATURE_LS_FOLLOWLINKS if (all_fmt & FOLLOW_LINKS) { #ifdef CONFIG_SELINUX - if(is_flask_enabled_flag) - rc = stat_secure(fullname, &dstat, &sid); - else + scontext = NULL; + if(is_selinux_enabled_flag) + getfilecon(fullname, &scontext); #endif - rc = stat(fullname, &dstat); + rc = stat(fullname, &dstat); if(rc) { bb_perror_msg("%s", fullname); @@ -239,11 +237,11 @@ #endif { #ifdef CONFIG_SELINUX - if(is_flask_enabled_flag) - rc = lstat_secure(fullname, &dstat, &sid); - else + scontext = NULL; + if(is_selinux_enabled_flag) + lgetfilecon(fullname, &scontext); #endif - rc = lstat(fullname, &dstat); + rc = lstat(fullname, &dstat); if(rc) { bb_perror_msg("%s", fullname); @@ -257,7 +255,7 @@ cur->name = name; cur->dstat = dstat; #ifdef CONFIG_SELINUX - cur->sid = sid; + cur->scontext = scontext; #endif return cur; } @@ -361,6 +359,9 @@ cur = dnp[0]; while (cur != NULL) { free(cur->fullname); /* free the filename */ +#ifdef CONFIG_SELINUX + if (cur->scontext) freecon(cur->scontext); +#endif next = cur->next; free(cur); /* free the dnode */ cur = next; @@ -740,15 +741,10 @@ #ifdef CONFIG_SELINUX case LIST_CONTEXT: { - char context[64]; - int len = sizeof(context); - if(security_sid_to_context(dn->sid, context, &len)) - { - strcpy(context, "unknown"); - len = 7; - } - printf("%-32s ", context); - column += MAX(33, len); + if (dn->scontext) { + printf("%-32s ", dn->scontext); + column += MAX(33, strlen(dn->scontext)); + } } break; #endif @@ -857,7 +853,7 @@ #endif #ifdef CONFIG_SELINUX -# define LS_STR_SELINUX "K" +# define LS_STR_SELINUX "Z" #else # define LS_STR_SELINUX "" #endif @@ -897,9 +893,9 @@ DISP_ROWS, /* x */ DISP_HIDDEN, /* A */ #ifdef CONFIG_SELINUX - LIST_CONTEXT, /* k */ + LIST_CONTEXT, /* Z */ #else - 0, /* k - ingored */ + 0, /* Z - ingored */ #endif #ifdef CONFIG_FEATURE_LS_TIMESTAMPS # ifdef CONFIG_FEATURE_LS_SORTFILES @@ -968,7 +964,7 @@ #endif #ifdef CONFIG_SELINUX - is_flask_enabled_flag = is_flask_enabled(); + is_selinux_enabled_flag = is_selinux_enabled()>0; #endif all_fmt = LIST_SHORT | DISP_NORMAL | STYLE_AUTO --- busybox-1.00.rc1/coreutils/id.c.selinux 2004-03-15 09:28:20.000000000 +0100 +++ busybox-1.00.rc1/coreutils/id.c 2004-09-17 17:55:37.425353746 +0200 @@ -29,8 +29,7 @@ #include #include #ifdef CONFIG_SELINUX -#include -#include +#include #endif #define JUST_USER 1 @@ -45,7 +44,7 @@ int uid, gid; int flags; #ifdef CONFIG_SELINUX - int is_flask_enabled_flag = is_flask_enabled(); + int is_selinux_enabled_flag = is_selinux_enabled()>0; #endif flags = bb_getopt_ulflags(argc, argv, "ugrn"); @@ -88,15 +87,12 @@ } else { #ifdef CONFIG_SELINUX printf("uid=%ld(%s) gid=%ld(%s)", pwnam, user, grnam, group); - if(is_flask_enabled_flag) + if(is_selinux_enabled_flag) { - security_id_t mysid = getsecsid(); - char context[80]; - int len = sizeof(context); - context[0] = '\0'; - if(security_sid_to_context(mysid, context, &len)) - strcpy(context, "unknown"); - printf(" context=%s\n", context); + security_context_t scontext; + getcon(&scontext); + printf(" context=%s\n", scontext); + freecon(scontext); } else printf("\n"); --- busybox-1.00.rc1/procps/ps.c.selinux 2004-03-15 09:29:03.000000000 +0100 +++ busybox-1.00.rc1/procps/ps.c 2004-09-17 17:55:37.421354239 +0200 @@ -31,9 +31,7 @@ #include #include "busybox.h" #ifdef CONFIG_SELINUX -#include -#include -#include /* for is_flask_enabled() */ +#include #endif static const int TERMINAL_WIDTH = 79; /* not 80 in case terminal has linefold bug */ @@ -48,8 +46,8 @@ #ifdef CONFIG_SELINUX int use_selinux = 0; - security_id_t sid; - if(is_flask_enabled() && argv[1] && !strcmp(argv[1], "-c") ) + security_context_t scontext; + if(is_selinux_enabled()>0 && argv[1] && !strcmp(argv[1], "-Z") ) use_selinux = 1; #endif @@ -59,12 +57,12 @@ #ifdef CONFIG_SELINUX if(use_selinux) - printf(" PID Context Stat Command\n"); + printf(" Context Stat Command\n"); else #endif printf(" PID Uid VmSize Stat Command\n"); #ifdef CONFIG_SELINUX - while ((p = procps_scan(1, use_selinux, &sid)) != 0) { + while ((p = procps_scan(1, use_selinux, &scontext)) != 0) { #else while ((p = procps_scan(1)) != 0) { #endif @@ -73,12 +71,8 @@ #ifdef CONFIG_SELINUX if(use_selinux) { - char sbuf[128]; - len = sizeof(sbuf); - if(security_sid_to_context(sid, (security_context_t)&sbuf, &len)) - strcpy(sbuf, "unknown"); - - len = printf("%5d %-32s %s ", p->pid, sbuf, p->state); + len = printf("%-32s %s ", scontext, p->state); + freecon(scontext); } else #endif --- busybox-1.00.rc1/sysdeps/linux/defconfig.selinux 2004-07-20 08:06:56.000000000 +0200 +++ busybox-1.00.rc1/sysdeps/linux/defconfig 2004-09-17 17:55:37.414355100 +0200 @@ -16,7 +16,8 @@ CONFIG_FEATURE_DEVPTS=y # CONFIG_FEATURE_CLEAN_UP is not set # CONFIG_FEATURE_SUID is not set -# CONFIG_SELINUX is not set +CONFIG_SELINUX=y +CONFIG_LOAD_POLICY=y # # Build Options --- busybox-1.00.rc1/sysdeps/linux/Config.in.selinux 2004-05-25 13:30:22.000000000 +0200 +++ busybox-1.00.rc1/sysdeps/linux/Config.in 2004-09-17 17:55:37.413355223 +0200 @@ -232,6 +232,7 @@ source shell/Config.in source sysklogd/Config.in source util-linux/Config.in +source selinux/Config.in menu 'Debugging Options' --- busybox-1.00.rc1/include/libbb.h.selinux 2004-06-22 12:07:15.000000000 +0200 +++ busybox-1.00.rc1/include/libbb.h 2004-09-17 17:55:37.418354608 +0200 @@ -43,7 +43,7 @@ #include "config.h" #ifdef CONFIG_SELINUX -#include +#include #endif #include "pwd_.h" @@ -423,7 +423,7 @@ extern const char *change_identity_e2str ( const struct passwd *pw ); extern void run_shell ( const char *shell, int loginshell, const char *command, const char **additional_args #ifdef CONFIG_SELINUX - , security_id_t sid + , security_context_t scontext #endif ); extern int run_parts(char **args, const unsigned char test_mode, char **env); @@ -458,7 +458,7 @@ extern procps_status_t * procps_scan(int save_user_arg0 #ifdef CONFIG_SELINUX - , int use_selinux, security_id_t *sid + , int use_selinux, security_context_t *scontext #endif ); extern unsigned short compare_string_array(const char *string_array[], const char *key); --- busybox-1.00.rc1/include/usage.h.selinux 2004-06-05 09:58:17.000000000 +0200 +++ busybox-1.00.rc1/include/usage.h 2004-09-17 17:55:37.416354854 +0200 @@ -1037,7 +1037,7 @@ #define id_full_usage \ "Print information for USERNAME or the current user\n\n" \ "Options:\n" \ - USAGE_SELINUX("\t-c\tprints only the security context\n") \ + USAGE_SELINUX("\t-Z\tprints only the security context\n") \ "\t-g\tprints only the group ID\n" \ "\t-u\tprints only the user ID\n" \ "\t-n\tprint a name instead of a number\n" \ @@ -1498,7 +1498,7 @@ #endif #define ls_trivial_usage \ - "[-1Aa" USAGE_LS_TIMESTAMPS("c") "Cd" USAGE_LS_TIMESTAMPS("e") USAGE_LS_FILETYPES("F") "iln" USAGE_LS_FILETYPES("p") USAGE_LS_FOLLOWLINKS("L") USAGE_LS_RECURSIVE("R") USAGE_LS_SORTFILES("rS") "s" USAGE_AUTOWIDTH("T") USAGE_LS_TIMESTAMPS("tu") USAGE_LS_SORTFILES("v") USAGE_AUTOWIDTH("w") "x" USAGE_LS_SORTFILES("X") USAGE_HUMAN_READABLE("h") USAGE_NOT_HUMAN_READABLE("") "k" USAGE_SELINUX("K") "] [filenames...]" + "[-1Aa" USAGE_LS_TIMESTAMPS("c") "Cd" USAGE_LS_TIMESTAMPS("e") USAGE_LS_FILETYPES("F") "iln" USAGE_LS_FILETYPES("p") USAGE_LS_FOLLOWLINKS("L") USAGE_LS_RECURSIVE("R") USAGE_LS_SORTFILES("rS") "s" USAGE_AUTOWIDTH("T") USAGE_LS_TIMESTAMPS("tu") USAGE_LS_SORTFILES("v") USAGE_AUTOWIDTH("w") "x" USAGE_LS_SORTFILES("X") USAGE_HUMAN_READABLE("h") USAGE_NOT_HUMAN_READABLE("") "k" USAGE_SELINUX("Z") "] [filenames...]" #define ls_full_usage \ "List directory contents\n\n" \ "Options:\n" \ @@ -1528,8 +1528,7 @@ USAGE_LS_SORTFILES("\t-X\tsort the listing by extension\n") \ USAGE_HUMAN_READABLE( \ "\t-h\tprint sizes in human readable format (e.g., 1K 243M 2G )\n") \ - USAGE_SELINUX("\t-k\tprint security context\n") \ - USAGE_SELINUX("\t-K\tprint security context in long format\n") + USAGE_SELINUX("\t-Z\tprint security context\n") #define lsmod_trivial_usage \ "" @@ -1918,12 +1917,20 @@ #define USAGE_NONSELINUX(a) a #endif +#define load_policy_trivial_usage \ + "" +#define load_policy_full_usage \ + "load SELinux policy\n" + +#define load_policy_example_usage \ + "$ load_policy /etc/selinux/strict/policy/policy.17\n" + #define ps_trivial_usage \ "" #define ps_full_usage \ "Report process status\n" \ USAGE_NONSELINUX("\n\tThis version of ps accepts no options.") \ - USAGE_SELINUX("\nOptions:\n\t-c\tshow SE Linux context") + USAGE_SELINUX("\nOptions:\n\t-Z\tshow SELinux context") #define ps_example_usage \ "$ ps\n" \ --- busybox-1.00.rc1/include/applets.h.selinux 2004-05-26 12:28:31.000000000 +0200 +++ busybox-1.00.rc1/include/applets.h 2004-09-17 17:55:37.419354485 +0200 @@ -331,6 +331,9 @@ #ifdef CONFIG_LN APPLET(ln, ln_main, _BB_DIR_BIN, _BB_SUID_NEVER) #endif +#ifdef CONFIG_LOAD_POLICY + APPLET(load_policy, load_policy_main, _BB_DIR_SBIN, _BB_SUID_NEVER) +#endif #ifdef CONFIG_LOADFONT APPLET(loadfont, loadfont_main, _BB_DIR_USR_BIN, _BB_SUID_NEVER) #endif --- busybox-1.00.rc1/Makefile.selinux 2004-07-20 08:04:28.000000000 +0200 +++ busybox-1.00.rc1/Makefile 2004-09-17 17:55:37.412355346 +0200 @@ -29,11 +29,10 @@ DIRS:=applets archival archival/libunarchive coreutils console-tools \ debianutils editors findutils init miscutils modutils networking \ networking/libiproute networking/udhcp procps loginutils shell \ - sysklogd util-linux libpwdgrp coreutils/libcoreutils libbb + sysklogd util-linux libpwdgrp coreutils/libcoreutils libbb selinux ifeq ($(strip $(CONFIG_SELINUX)),y) -CFLAGS += -I/usr/include/selinux -LIBRARIES += -lsecure +LIBRARIES += -lselinux endif CONFIG_CONFIG_IN = sysdeps/$(TARGET_OS)/Config.in --- busybox-1.00.rc1/loginutils/su.c.selinux 2004-03-15 09:28:46.000000000 +0100 +++ busybox-1.00.rc1/loginutils/su.c 2004-09-17 17:55:37.422354115 +0200 @@ -149,7 +149,7 @@ setup_environment ( opt_shell, opt_loginshell, !opt_preserve, pw ); run_shell ( opt_shell, opt_loginshell, opt_command, (const char**)opt_args #ifdef CONFIG_SELINUX - , 0 + , NULL #endif ); --- busybox-1.00.rc1/loginutils/login.c.selinux 2004-04-14 19:51:19.000000000 +0200 +++ busybox-1.00.rc1/loginutils/login.c 2004-09-17 17:55:37.423353992 +0200 @@ -17,10 +17,7 @@ #include "busybox.h" #ifdef CONFIG_SELINUX -#include -#include -#include -#include +#include #endif #ifdef CONFIG_FEATURE_U_W_TMP @@ -79,8 +76,8 @@ char *opt_host = 0; int alarmstarted = 0; #ifdef CONFIG_SELINUX - int flask_enabled = is_flask_enabled(); - security_id_t sid = 0, old_tty_sid, new_tty_sid; + int selinux_enabled = is_selinux_enabled()>0; + security_context_t scontext = NULL, old_tty_scontext, new_tty_scontext; #endif username[0]=0; @@ -226,33 +223,33 @@ setutmp ( username, tty ); #endif #ifdef CONFIG_SELINUX - if (flask_enabled) + if (selinux_enabled) { struct stat st; - if (get_default_sid(username, 0, &sid)) + if (getprevcon(username, &scontext)) { - fprintf(stderr, "Unable to get SID for %s\n", username); + fprintf(stderr, "Unable to get Security context for %s\n", username); exit(1); } - if (stat_secure(tty, &st, &old_tty_sid)) + if (getfilecon(tty, &old_tty_scontext)) { - fprintf(stderr, "stat_secure(%.100s) failed: %.100s\n", tty, strerror(errno)); + fprintf(stderr, "getfilecon(%.100s) failed: %.100s\n", tty, strerror(errno)); return EXIT_FAILURE; } - if (security_change_sid (sid, old_tty_sid, SECCLASS_CHR_FILE, &new_tty_sid) != 0) + if (security_change_scontext (scontext, old_tty_scontext, SECCLASS_CHR_FILE, &new_tty_scontext) != 0) { - fprintf(stderr, "security_change_sid(%.100s) failed: %.100s\n", tty, strerror(errno)); + fprintf(stderr, "security_change_scontext(%.100s) failed: %.100s\n", tty, strerror(errno)); return EXIT_FAILURE; } - if(chsid(tty, new_tty_sid) != 0) + if(setfilecon(tty, new_tty_scontext) != 0) { - fprintf(stderr, "chsid(%.100s, %d) failed: %.100s\n", tty, new_tty_sid, strerror(errno)); + fprintf(stderr, "chscontext(%.100s, %d) failed: %.100s\n", tty, new_tty_scontext, strerror(errno)); return EXIT_FAILURE; } } else - sid = 0; + scontext = NULL; #endif if ( *tty != '/' ) @@ -281,7 +278,7 @@ syslog ( LOG_INFO, "root login %s\n", fromhost ); run_shell ( tmp, 1, 0, 0 #ifdef CONFIG_SELINUX - , sid + , scontext #endif ); /* exec the shell finally. */