From 1add5db5feaafe7cbc41f2896f5c2887c96bff92 Mon Sep 17 00:00:00 2001

From: Chris Leech <cleech@redhat.com>

Date: Sun, 16 Aug 2015 21:00:58 -0700

Subject: [PATCH] lldpad: switch from sysv to posix shared memory apis

The use of SysV shared memory, to pass state between running instances of

lldpad in the initramfs and then from the root fs, is difficult to work

with from a security policy.  When lldpad runs in the initramfs there is

no security policy loaded.  Then when it's restarted after an SELinux

policy has been loaded, there is no way to correct the context on the

already existing shared memory segment.  This would result in the need

for an overly permissive policy for lldpad.

By switching to POSIX APIs the segment is mapped from a tmpfs file with

a directory entry under /dev/shm/.  This lets us add a file contents

entry to the SELinux policy that matches that path, and a proper

security context can be restored to it before restarting lldpad.

Signed-off-by: Chris Leech <cleech@redhat.com>

Signed-off-by: John Fastabend <john.r.fastabend@intel.com>

---

 Makefile.am          |   2 +-

 include/lldpad_shm.h |   2 +-

 lldpad_shm.c         | 169 ++++++++++++++++++++++++++++++---------------------

 3 files changed, 103 insertions(+), 70 deletions(-)

diff --git a/Makefile.am b/Makefile.am

index 84d68ee..551d4c7 100644

--- a/Makefile.am

+++ b/Makefile.am

@@ -17,7 +17,7 @@ parse_cli.o: CFLAGS+=-U_FORTIFY_SOURCE -Wno-error

 ## system requires a shared libconfig

 AM_CFLAGS = -Wall -Werror -Wextra -Wformat=2 $(LIBCONFIG_CFLAGS) $(LIBNL_CFLAGS)

-AM_LDFLAGS = $(LIBCONFIG_LIBS) $(LIBNL_LIBS)

+AM_LDFLAGS = $(LIBCONFIG_LIBS) $(LIBNL_LIBS) -lrt

 ## header files to be installed, for programs using the client interface to lldpad 

 lldpad_includedir= ${includedir}/lldpad

diff --git a/include/lldpad_shm.h b/include/lldpad_shm.h

index 00d20eb..587b555 100644

--- a/include/lldpad_shm.h

+++ b/include/lldpad_shm.h

@@ -31,7 +31,7 @@

 #include "lldpad.h"

 #include "lldp_rtnl.h"

-#define LLDPAD_SHM_KEY ((('l'<<24) | ('l'<<16) | ('d'<<8) | ('p')) + 'a' + 'd' + 1)

+#define LLDPAD_SHM_PATH "/lldpad.state"

 #define LLDPAD_SHM_SIZE 4096

 /* PID value used to indicate pid field is uninitialized */

diff --git a/lldpad_shm.c b/lldpad_shm.c

index 4afcf73..d8bc0c5 100644

--- a/lldpad_shm.c

+++ b/lldpad_shm.c

@@ -29,7 +29,9 @@

 #include <string.h>

 #include <syslog.h>

 #include <sys/ipc.h>

-#include <sys/shm.h>

+#include <sys/mman.h>

+#include <sys/stat.h>

+#include <fcntl.h>

 #include <sys/types.h>

 #include <unistd.h>

 #include <errno.h>

@@ -39,16 +41,7 @@

 void mark_lldpad_shm_for_removal()

 {

-	int shmid;

-	struct shmid_ds shminfo;

-

-	shmid = shmget(LLDPAD_SHM_KEY, LLDPAD_SHM_SIZE, 0);

-

-	if (shmid < 0)

-		return;

-

-	if (shmctl(shmid, IPC_RMID, &shminfo) < 0)

-		return;

+	shm_unlink(LLDPAD_SHM_PATH);

 }

 /* return: 1 = success, 0 = failed */

@@ -101,16 +94,21 @@ int lldpad_shm_get_msap(const char *device_name, int type, char *info, size_t *l

 	unsigned num_entries;

 	int version;

-	shmid = shmget(LLDPAD_SHM_KEY, LLDPAD_SHM_SIZE, 0);

-	if (shmid < 0 && errno == ENOENT)

-		shmid = shmget(LLDPAD_SHM_KEY, LLDPAD_SHM_SIZE,

-			IPC_CREAT | IPC_EXCL | 0x180);

+	shmid = shm_open(LLDPAD_SHM_PATH, O_RDWR | O_CREAT, S_IRUSR | S_IWUSR);

 	if (shmid < 0)

 		return rval;

-	shmaddr = (struct lldpad_shm_tbl *)shmat(shmid, NULL, 0);

-	if ((long) shmaddr == -1)

+	if (ftruncate(shmid, LLDPAD_SHM_SIZE)) {

+		close(shmid);

+		return rval;

+	}

+

+	shmaddr = (struct lldpad_shm_tbl *) mmap(NULL, LLDPAD_SHM_SIZE,

+			                         PROT_READ | PROT_WRITE,

+						 MAP_SHARED, shmid, 0);

+	close(shmid);

+	if (shmaddr == MAP_FAILED)

 		return rval;

 	version = (shmaddr->num_entries & SHM_VER_MASK) >> SHM_VER_SHIFT;

@@ -147,7 +145,7 @@ int lldpad_shm_get_msap(const char *device_name, int type, char *info, size_t *l

 		rval = 1;

 	}

 done:

-	shmdt(shmaddr);

+	munmap(shmaddr, LLDPAD_SHM_SIZE);

 	return rval;

 }

@@ -162,16 +160,21 @@ int lldpad_shm_set_msap(const char *device_name, int type, char *info, size_t le

 	int version;

 	unsigned num_entries;

-	shmid = shmget(LLDPAD_SHM_KEY, LLDPAD_SHM_SIZE, 0);

-	if (shmid < 0 && errno == ENOENT)

-		shmid = shmget(LLDPAD_SHM_KEY, LLDPAD_SHM_SIZE,

-			IPC_CREAT | IPC_EXCL | 0x180);

+	shmid = shm_open(LLDPAD_SHM_PATH, O_RDWR | O_CREAT, S_IRUSR | S_IWUSR);

 	if (shmid < 0)

 		return rval;

-	shmaddr = (struct lldpad_shm_tbl *)shmat(shmid, NULL, 0);

-	if ((long) shmaddr == -1)

+	if (ftruncate(shmid, LLDPAD_SHM_SIZE)) {

+		close(shmid);

+		return rval;

+	}

+

+	shmaddr = (struct lldpad_shm_tbl *) mmap(NULL, LLDPAD_SHM_SIZE,

+			                         PROT_READ | PROT_WRITE,

+						 MAP_SHARED, shmid, 0);

+	close(shmid);

+	if (shmaddr == MAP_FAILED)

 		return rval;

 	version = (shmaddr->num_entries & SHM_VER_MASK) >> SHM_VER_SHIFT;

@@ -212,7 +215,7 @@ int lldpad_shm_set_msap(const char *device_name, int type, char *info, size_t le

 	}

 done:

-	shmdt(shmaddr);

+	munmap(shmaddr, LLDPAD_SHM_SIZE);

 	return rval;

 }

@@ -226,16 +229,21 @@ int lldpad_shm_get_dcbx(const char *device_name)

 	unsigned num_entries;

 	int version;

-	shmid = shmget(LLDPAD_SHM_KEY, LLDPAD_SHM_SIZE, 0);

-	if (shmid < 0 && errno == ENOENT)

-		shmid = shmget(LLDPAD_SHM_KEY, LLDPAD_SHM_SIZE,

-			IPC_CREAT | IPC_EXCL | 0x180);

+	shmid = shm_open(LLDPAD_SHM_PATH, O_RDWR | O_CREAT, S_IRUSR | S_IWUSR);

 	if (shmid < 0)

 		return rval;

-	shmaddr = (struct lldpad_shm_tbl *)shmat(shmid, NULL, 0);

-	if ((long) shmaddr == -1)

+	if (ftruncate(shmid, LLDPAD_SHM_SIZE)) {

+		close(shmid);

+		return rval;

+	}

+

+	shmaddr = (struct lldpad_shm_tbl *) mmap(NULL, LLDPAD_SHM_SIZE,

+			                         PROT_READ | PROT_WRITE,

+						 MAP_SHARED, shmid, 0);

+	close(shmid);

+	if (shmaddr == MAP_FAILED)

 		return rval;

 	version = (shmaddr->num_entries & SHM_VER_MASK) >> SHM_VER_SHIFT;

@@ -264,7 +272,7 @@ int lldpad_shm_get_dcbx(const char *device_name)

 	}

 done:

-	shmdt(shmaddr);

+	munmap(shmaddr, LLDPAD_SHM_SIZE);

 	return rval;

 }

@@ -279,16 +287,21 @@ int lldpad_shm_set_dcbx(const char *device_name, int dcbx_mode)

 	unsigned num_entries;

 	int version;

-	shmid = shmget(LLDPAD_SHM_KEY, LLDPAD_SHM_SIZE, 0);

-	if (shmid < 0 && errno == ENOENT)

-		shmid = shmget(LLDPAD_SHM_KEY, LLDPAD_SHM_SIZE,

-			IPC_CREAT | IPC_EXCL | 0x180);

+	shmid = shm_open(LLDPAD_SHM_PATH, O_RDWR | O_CREAT, S_IRUSR | S_IWUSR);

 	if (shmid < 0)

 		return rval;

-	shmaddr = (struct lldpad_shm_tbl *)shmat(shmid, NULL, 0);

-	if ((long) shmaddr == -1)

+	if (ftruncate(shmid, LLDPAD_SHM_SIZE)) {

+		close(shmid);

+		return rval;

+	}

+

+	shmaddr = (struct lldpad_shm_tbl *) mmap(NULL, LLDPAD_SHM_SIZE,

+			                         PROT_READ | PROT_WRITE,

+						 MAP_SHARED, shmid, 0);

+	close(shmid);

+	if (shmaddr == MAP_FAILED)

 		return rval;

 	version = (shmaddr->num_entries & SHM_VER_MASK) >> SHM_VER_SHIFT;

@@ -330,7 +343,7 @@ int lldpad_shm_set_dcbx(const char *device_name, int dcbx_mode)

 	}

 done:

-	shmdt(shmaddr);

+	munmap(shmaddr, LLDPAD_SHM_SIZE);

 	return rval;

 }

@@ -346,16 +359,21 @@ pid_t lldpad_shm_getpid()

 	pid_t rval = -1;

 	int version;

-	shmid = shmget(LLDPAD_SHM_KEY, LLDPAD_SHM_SIZE, 0);

-	if (shmid < 0 && errno == ENOENT)

-		shmid = shmget(LLDPAD_SHM_KEY, LLDPAD_SHM_SIZE,

-			IPC_CREAT | IPC_EXCL | 0x180);

+	shmid = shm_open(LLDPAD_SHM_PATH, O_RDWR | O_CREAT, S_IRUSR | S_IWUSR);

 	if (shmid < 0)

 		return rval;

-	shmaddr = (struct lldpad_shm_tbl *)shmat(shmid, NULL, 0);

-	if ((long) shmaddr == -1)

+	if (ftruncate(shmid, LLDPAD_SHM_SIZE)) {

+		close(shmid);

+		return rval;

+	}

+

+	shmaddr = (struct lldpad_shm_tbl *) mmap(NULL, LLDPAD_SHM_SIZE,

+			                         PROT_READ | PROT_WRITE,

+						 MAP_SHARED, shmid, 0);

+	close(shmid);

+	if (shmaddr == MAP_FAILED)

 		return rval;

 	version = (shmaddr->num_entries & SHM_VER_MASK) >> SHM_VER_SHIFT;

@@ -366,7 +384,7 @@ pid_t lldpad_shm_getpid()

 	rval = shmaddr->pid;

-	shmdt(shmaddr);

+	munmap(shmaddr, LLDPAD_SHM_SIZE);

 	return rval;

 }

@@ -379,13 +397,16 @@ int lldpad_shm_setpid(pid_t pid)

 	pid_t rval = 0;

 	int version;

-	shmid = shmget(LLDPAD_SHM_KEY, LLDPAD_SHM_SIZE, 0);

+	shmid = shm_open(LLDPAD_SHM_PATH, O_RDWR, S_IRUSR | S_IWUSR);

 	if (shmid < 0)

 		return rval;

-	shmaddr = (struct lldpad_shm_tbl *)shmat(shmid, NULL, 0);

-	if ((long) shmaddr == -1)

+	shmaddr = (struct lldpad_shm_tbl *) mmap(NULL, LLDPAD_SHM_SIZE,

+			                         PROT_READ | PROT_WRITE,

+						 MAP_SHARED, shmid, 0);

+	close(shmid);

+	if (shmaddr == MAP_FAILED)

 		return rval;

 	version = (shmaddr->num_entries & SHM_VER_MASK) >> SHM_VER_SHIFT;

@@ -396,7 +417,7 @@ int lldpad_shm_setpid(pid_t pid)

 	shmaddr->pid = pid;

-	shmdt(shmaddr);

+	munmap(shmaddr, LLDPAD_SHM_SIZE);

 	return 1;

 }

@@ -410,13 +431,16 @@ int clear_dcbx_state()

 	int version;

 	unsigned num_entries;

-	shmid = shmget(LLDPAD_SHM_KEY, LLDPAD_SHM_SIZE, 0);

+	shmid = shm_open(LLDPAD_SHM_PATH, O_RDWR, S_IRUSR | S_IWUSR);

 	if (shmid < 0)

 		return 0;

-	shmaddr = (struct lldpad_shm_tbl *)shmat(shmid, NULL, 0);

-	if ((long) shmaddr == -1)

+	shmaddr = (struct lldpad_shm_tbl *) mmap(NULL, LLDPAD_SHM_SIZE,

+			                         PROT_READ | PROT_WRITE,

+						 MAP_SHARED, shmid, 0);

+	close(shmid);

+	if (shmaddr == MAP_FAILED)

 		return 0;

 	version = (shmaddr->num_entries & SHM_VER_MASK) >> SHM_VER_SHIFT;

@@ -437,7 +461,7 @@ int clear_dcbx_state()

 				sizeof(dcbx_state));

 done:

-	shmdt(shmaddr);

+	munmap(shmaddr, LLDPAD_SHM_SIZE);

 	return 1;

 }

@@ -451,13 +475,16 @@ int set_dcbx_state(const char *device_name, dcbx_state *state)

 	int version;

 	unsigned num_entries;

-	shmid = shmget(LLDPAD_SHM_KEY, LLDPAD_SHM_SIZE, 0);

+	shmid = shm_open(LLDPAD_SHM_PATH, O_RDWR, S_IRUSR | S_IWUSR);

 	if (shmid < 0)

 		return rval;

-	shmaddr = (struct lldpad_shm_tbl *)shmat(shmid, NULL, 0);

-	if ((long) shmaddr == -1)

+	shmaddr = (struct lldpad_shm_tbl *) mmap(NULL, LLDPAD_SHM_SIZE,

+			                         PROT_READ | PROT_WRITE,

+						 MAP_SHARED, shmid, 0);

+	close(shmid);

+	if (shmaddr == MAP_FAILED)

 		return rval;

 	version = (shmaddr->num_entries & SHM_VER_MASK) >> SHM_VER_SHIFT;

@@ -487,7 +514,7 @@ int set_dcbx_state(const char *device_name, dcbx_state *state)

 	}

 done:

-	shmdt(shmaddr);

+	munmap(shmaddr, LLDPAD_SHM_SIZE);

 	return rval;

 }

@@ -505,13 +532,16 @@ int get_dcbx_state(const char *device_name, dcbx_state *state)

 	int version;

 	unsigned num_entries;

-	shmid = shmget(LLDPAD_SHM_KEY, LLDPAD_SHM_SIZE, 0);

+	shmid = shm_open(LLDPAD_SHM_PATH, O_RDWR, S_IRUSR | S_IWUSR);

 	if (shmid < 0)

 		return rval;

-	shmaddr = (struct lldpad_shm_tbl *)shmat(shmid, NULL, 0);

-	if ((long) shmaddr == -1)

+	shmaddr = (struct lldpad_shm_tbl *) mmap(NULL, LLDPAD_SHM_SIZE,

+			                         PROT_READ | PROT_WRITE,

+						 MAP_SHARED, shmid, 0);

+	close(shmid);

+	if (shmaddr == MAP_FAILED)

 		return rval;

 	version = (shmaddr->num_entries & SHM_VER_MASK) >> SHM_VER_SHIFT;

@@ -537,7 +567,7 @@ int get_dcbx_state(const char *device_name, dcbx_state *state)

 		}

 done:

-	shmdt(shmaddr);

+	munmap(shmaddr, LLDPAD_SHM_SIZE);

 	return rval;

 }

@@ -562,17 +592,20 @@ int print_lldpad_shm()

 	int ent_size;

 	struct lldpad_shm_entry *entry_ptr = NULL;

-	shmid = shmget(LLDPAD_SHM_KEY, LLDPAD_SHM_SIZE, 0);

+	shmid = shm_open(LLDPAD_SHM_PATH, O_RDWR, S_IRUSR | S_IWUSR);

 	if (shmid < 0) {

-		printf("failed to shmget\n");

+		printf("failed to shm_open\n");

 		return rval;

 	}

-	shmaddr = (struct lldpad_shm_tbl *)shmat(shmid, NULL, 0);

+	shmaddr = (struct lldpad_shm_tbl *) mmap(NULL, LLDPAD_SHM_SIZE,

+			                         PROT_READ | PROT_WRITE,

+						 MAP_SHARED, shmid, 0);

 	shmaddr_ver0 = (struct lldpad_shm_tbl_ver0 *)shmaddr;

-	if ((long) shmaddr == -1) {

-		printf("failed to shmat\n");

+	close(shmid);

+	if (shmaddr == MAP_FAILED) {

+		printf("failed to mmap\n");

 		return rval;

 	}

@@ -633,7 +666,7 @@ int print_lldpad_shm()

 	rval = 1;

 done:

-	shmdt(shmaddr);

+	munmap(shmaddr, LLDPAD_SHM_SIZE);

 	return rval;

 }

-- 

2.5.0