[meego-commits] 24907: Changes to MeeGo:1.2:oss/rpm
ereshetova
no_reply at build.meego.com
Tue Jun 12 08:34:32 UTC 2012
Hi,
I have made the following changes to rpm in project MeeGo:1.2:oss. Please review and accept ASAP.
Thank You,
ereshetova
[This message was auto-generated]
---
Request #24907:
submit: home:ereshetova:branches:MeeGo:1.2:oss/rpm(r5)(cleanup) -> MeeGo:1.2:oss/rpm
Message:
Fixes for the bugs listed in the changes file.
State: new 2012-06-12T00:30:53 ereshetova
Comment: None
changes files:
--------------
--- rpm.changes
+++ rpm.changes
@@ -0,0 +1,3 @@
+* Mon June 12 2011 Elena Reshetova <elena.reshetova at intel.com> - 4.8.1
+- Fixng rpm-security-plugin bugs (PTSEC-19, PTSEC-20, PTSEC-21)
+
spec files:
-----------
other changes:
--------------
++++++ security_4.8.1.patch
--- security_4.8.1.patch
+++ security_4.8.1.patch
@@ -1433,7 +1433,7 @@
diff --git a/security/msm.c b/security/msm.c
--- a/security/msm.c
+++ b/security/msm.c
-@@ -0,0 +1,871 @@
+@@ -0,0 +1,880 @@
+/*
+ * This file is part of MSM security plugin
+ * Greatly based on the code of MSSF security plugin
@@ -1525,7 +1525,7 @@
+ return RPMRC_FAIL;
+ }
+ } else {
-+ /* Do not allow plugin to proceed if the policy is missing */
++ /* Do not allow plug-in to proceed without security policy existing */
+ rpmlog(RPMLOG_ERR, "Failed to process sw sources from %s\n",
+ DEVICE_SECURITY_POLICY);
+ return RPMRC_FAIL;
@@ -1737,7 +1737,7 @@
+ else { // for now in case default sw source isn't there yet, allow to think that it is coming from root
+ current = msmSWSourceTreeTraversal(root->sw_sources, findSWSourceByName, (void *)"root");
+ if (current)
-+ rpmlog(RPMLOG_INFO, "using _root_ sw source now for testing\n");
++ rpmlog(RPMLOG_INFO, "using _root_ sw source now for testing\n");
+ }
+ }
+
@@ -1860,16 +1860,14 @@
+ }
+ headerFree(h);
+ }
-+/* if (!current) {
++ /* if (!current) {
+ rpmlog(RPMLOG_INFO, "no sw source for removing %s\n", rpmteN(ctx->te));
-+ goto exit;
-+ }
-+*/
++ goto exit;
++ }*/
+ }
+
+ if (!current) {
-+ /* this means that verify hook has not been called during installation
-+ or we are trying to upgrade the package that has been previously installed without security plugin */
++ /* this means that verify hook has not been called */
+ current = msmSWSourceTreeTraversal(root->sw_sources, findSWSourceByName, (void *)"_default_");
+ if (current)
+ rpmlog(RPMLOG_INFO, "using _default_ sw source\n");
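Review bot: The rewritten comment above the `_default_` fallback no longer says in which situations the verify hook can have been skipped, although this branch picks the sw source for a package for which none was found. If the upgrade case named in the old text still applies, keep it in the comment, e.g. `/* verify hook has not been called, e.g. the package was installed before the security plug-in was active */`; if it no longer applies, the changelog entry should say so. The commented-out `if (!current)` block that this hunk only re-indents could be deleted rather than reformatted.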
@@ -1961,6 +1959,7 @@
+ }
+
+ rpmlog(RPMLOG_DEBUG, "Starting the security setup...\n");
++ unsigned int smackLabel = 0;
+
+ if (rootSWSource || ctx->mfx->sw_source) {
+ if (ctx->mfx->sw_sources) {
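Review bot: `smackLabel` is declared after the `rpmlog()` statement and is only ever assigned 0 or 1 in the following hunks, so the name reads as if it held a label when it is a yes/no flag. I would declare it with the function's other locals and name it for what it records, e.g. `int hasAcDomain = 0; /* manifest defines or requests an AC domain */`. The function's opening lines are outside the hunk, so where the other locals are declared is not visible here.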
@@ -1973,6 +1972,8 @@
+ }
+ }
+ if (ctx->mfx->define) {
++ if (ctx->mfx->define->name)
++ smackLabel = 1;
+ ret = msmSetupDefine(ctx->smack_accesses, ctx->mfx);
+ if (ret) {
+ rpmlog(RPMLOG_ERR, "AC domain setup failed for %s\n",
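Review bot: `smackLabel = 1` is set as soon as `ctx->mfx->define->name` is a non-NULL pointer, and the next hunk does the same for `ctx->mfx->request->ac_domain`, so an empty string would count as a valid AC domain and pass the final check. Whether the manifest parser can hand back an empty string is not visible here; if it can, test the content as well: `if (ctx->mfx->define->name && ctx->mfx->define->name[0] != '\0')`, and likewise for `ac_domain`. The surrounding function starts and ends outside the hunk.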
@@ -1982,6 +1983,8 @@
+ }
+ }
+ if (ctx->mfx->request) {
++ if (ctx->mfx->request->ac_domain)
++ smackLabel = 1;
+ ret = msmSetupRequests(ctx->mfx);
+ if (ret) {
+ rpmlog(RPMLOG_ERR, "Request setup failed for %s\n",
@@ -2010,6 +2013,12 @@
+ goto fail;
+ }
+ }
++/* last check is needed in order to catch in advance the situation when no ac domain defined or requested */
++ if (smackLabel == 0) {
++ rpmlog(RPMLOG_ERR, "No ac domain defined or requested for package %s. Impossible to assign the package to an ac domain. Stop the installation.\n", rpmteN(ctx->te));
++ msmCancelPackage(ctx->mfx->name);
++ goto fail;
++ }
+ }
+
+
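Review bot: The new check runs only after `msmSetupDefine()` and `msmSetupRequests()` have been called, although the flag it tests depends on manifest fields alone, so the comment's "catch in advance" does not match where the check sits and `msmCancelPackage()` is presumably needed to undo work already done. Testing the manifest before any setup call would avoid that, e.g. `if (!(ctx->mfx->define && ctx->mfx->define->name) && !(ctx->mfx->request && ctx->mfx->request->ac_domain)) { /* log */ goto fail; }`. The block closed by the `}` after the check opens outside the hunk, so it is worth confirming that every install path reaches the check and not only the branch it sits in.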
@@ -2161,7 +2170,7 @@
+ }
+
+ if (!ctx->mfx){
-+ rpmlog(RPMLOG_INFO, "Manifest is missing while it should be present for the package %s\n",
++ rpmlog(RPMLOG_ERR, "Manifest is missing while it should be present for the package %s\n",
+ rpmteN(ctx->te));
+ goto exit;
+ }
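Review bot: The missing manifest is now logged at `RPMLOG_ERR`, but the branch still leaves through `goto exit`, while the failure paths visible in the other hunks use `goto fail`. The `exit` label is outside the hunk; if it returns success, a package whose manifest "should be present" carries on with nothing but a log line. If the intent is to stop the operation, use `goto fail;` here; otherwise add a comment stating why continuing without a manifest is acceptable at this point.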
@@ -4457,7 +4466,7 @@
diff --git a/security/msmxattr.c b/security/msmxattr.c
--- a/security/msmxattr.c
+++ b/security/msmxattr.c
-@@ -0,0 +1,1292 @@
+@@ -0,0 +1,1291 @@
+/*
+ * This file is part of MSM security plugin
+ * Greatly based on the code of MSSF security plugin
@@ -5432,7 +5441,6 @@
+ return 0;
+
+}
-+
+int msmSetupPackages(struct smack_accesses *smack_accesses, package_x *packages, sw_source_x *sw_source)
+{
+ package_x *package, *first = NULL;
@@ -5545,8 +5553,6 @@
+ pclose(pipe);
+ return result;
+}
-+
-+
+int msmSetFilesystemLabels(manifest_x *mfx) {
+ file_x *file;
+ provide_x *provide;
@@ -5575,8 +5581,8 @@
+ }
+ len = strlen(filesystem->path);
+ if (len > match) {
-+ if (!strncmp(file->path, filesystem->path, len)) {
-+ /* partial match */
++ if ((!strncmp(file->path, filesystem->path, len)) && (filesystem->type)) {
++ /* partial match and the directory marked as transmutable*/
+ label = filesystem->label;
+ exec_label = filesystem->exec_label;
+ match = len;
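Review bot: The prefix test `!strncmp(file->path, filesystem->path, len)` compares raw bytes, so a filesystem entry for `/opt/app` (constructed example) also matches `/opt/app2/bin/x`, and that file would receive the entry's `label` and `exec_label`. Unless manifest paths are guaranteed to end in `/`, require a path boundary after the prefix: `&& (filesystem->path[len - 1] == '/' || file->path[len] == '/' || file->path[len] == '\0')`. The new `filesystem->type` test relies on `type` being zero or NULL for non-transmutable entries, which is not visible here, so a short comment on the field's possible values would help. The loop begins outside the hunk.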
@@ -5584,18 +5590,17 @@
+ }
+ }
+ }
++ match = 0;
+ } else
-+
+ return -1;
+ found:
-+
+ if ((!label) || (!exec_label)) {
+ /* no match, use default label of AC domain */
+ if (mfx->request) { //AC domain is requested in manifest
-+ if (mfx->request->ac_domain)
++ if (mfx->request->ac_domain) {
+ if (!label) label = mfx->request->ac_domain;
+ if (!exec_label) exec_label = mfx->request->ac_domain;
-+ else {
++ } else {
+ rpmlog(RPMLOG_ERR, "Request for AC domain is empty. Can't identify default file label\n");
+ return -1;
+ }
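Review bot: `match = 0` is reset only on the fall-through path before `found:`, so if a `goto found` outside this hunk is taken after an earlier partial match has set `match = len`, the stale value carries over to the next file and can suppress shorter prefixes there. Resetting it at `next:` next to `label = NULL; exec_label = NULL;` (in the last hunk) would cover every path with the same one line, `match = 0;`. The `goto found` site is not visible here, so this needs confirming against the full loop.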
@@ -5612,6 +5617,8 @@
+ return -1;
+ }
+ }
++
++
+ fd = open(file->path, O_RDONLY);
+ if (fd == -1) {
+ rpmlog(RPMLOG_ERR, "Failed to open %s: %s\n",
@@ -5660,15 +5667,17 @@
+ at_true, file->path, strerror(errno));
+ }
+ } else {
-+ rpmlog(RPMLOG_INFO, "An attempt to setup a transmute attr for a non-directory, path %s\n",
++ rpmlog(RPMLOG_DEBUG, "No setting up of transmute attr for a non-directory, path %s\n",
+ file->path);
+ }
+
+ }
++
+ next:
+ close(fd);
+ label = NULL;
+ exec_label = NULL;
++
+ }
+ return 0;
+}