|
 |
900687 |
From e90a98395a8c4bc265067519c450360481dff1f3 Mon Sep 17 00:00:00 2001
|
|
|
900687 |
From: Kamil Dudka <kdudka@redhat.com>
|
|
|
900687 |
Date: Tue, 11 Oct 2016 18:41:56 +0200
|
|
|
900687 |
Subject: [PATCH 1/2] copyTruncate: factor out handling of SELinux context
|
|
|
900687 |
|
|
|
900687 |
... to separate functions
|
|
|
900687 |
|
|
|
900687 |
Closes #72
|
|
|
900687 |
|
|
|
900687 |
Upstream-commit: c5bff8adcece162746c68834fa1526dd45ca7bd0
|
|
|
900687 |
Signed-off-by: Kamil Dudka <kdudka@redhat.com>
|
|
|
900687 |
---
|
|
|
900687 |
logrotate.c | 117 ++++++++++++++++++++++++++++++++++++++----------------------
|
|
|
900687 |
1 file changed, 74 insertions(+), 43 deletions(-)
|
|
|
900687 |
|
|
|
900687 |
diff --git a/logrotate.c b/logrotate.c
|
|
|
900687 |
index 2abac3d..6270995 100644
|
|
|
900687 |
--- a/logrotate.c
|
|
|
900687 |
+++ b/logrotate.c
|
|
|
900687 |
@@ -251,6 +251,72 @@ static unsigned hashIndex(const char *fn)
|
|
|
900687 |
return hash % hashSize;
|
|
|
900687 |
}
|
|
|
900687 |
|
|
|
900687 |
+static int setSecCtx(int fdSrc, const char *src, void **pPrevCtx)
|
|
|
900687 |
+{
|
|
|
900687 |
+#ifdef WITH_SELINUX
|
|
|
900687 |
+ security_context_t srcCtx;
|
|
|
900687 |
+ *pPrevCtx = NULL;
|
|
|
900687 |
+
|
|
|
900687 |
+ if (!selinux_enabled)
|
|
|
900687 |
+ /* pretend success */
|
|
|
900687 |
+ return 0;
|
|
|
900687 |
+
|
|
|
900687 |
+ /* read security context of fdSrc */
|
|
|
900687 |
+ if (fgetfilecon_raw(fdSrc, &srcCtx) < 0) {
|
|
|
900687 |
+ if (errno == ENOTSUP)
|
|
|
900687 |
+ /* pretend success */
|
|
|
900687 |
+ return 0;
|
|
|
900687 |
+
|
|
|
900687 |
+ message(MESS_ERROR, "getting file context %s: %s\n", src,
|
|
|
900687 |
+ strerror(errno));
|
|
|
900687 |
+ return selinux_enforce;
|
|
|
900687 |
+ }
|
|
|
900687 |
+
|
|
|
900687 |
+ /* save default security context for restoreSecCtx() */
|
|
|
900687 |
+ if (getfscreatecon_raw((security_context_t *)pPrevCtx) < 0) {
|
|
|
900687 |
+ message(MESS_ERROR, "getting default context: %s\n", strerror(errno));
|
|
|
900687 |
+ return selinux_enforce;
|
|
|
900687 |
+ }
|
|
|
900687 |
+
|
|
|
900687 |
+ /* set default security context to match fdSrc */
|
|
|
900687 |
+ if (setfscreatecon_raw(srcCtx) < 0) {
|
|
|
900687 |
+ message(MESS_ERROR, "setting default context to %s: %s\n", srcCtx,
|
|
|
900687 |
+ strerror(errno));
|
|
|
900687 |
+ freecon(srcCtx);
|
|
|
900687 |
+ return selinux_enforce;
|
|
|
900687 |
+ }
|
|
|
900687 |
+
|
|
|
900687 |
+ message(MESS_DEBUG, "set default create context to %s\n", srcCtx);
|
|
|
900687 |
+ freecon(srcCtx);
|
|
|
900687 |
+#else
|
|
|
900687 |
+ (void) fdSrc;
|
|
|
900687 |
+ (void) src;
|
|
|
900687 |
+ (void) pPrevCtx;
|
|
|
900687 |
+#endif
|
|
|
900687 |
+ return 0;
|
|
|
900687 |
+}
|
|
|
900687 |
+
|
|
|
900687 |
+static void restoreSecCtx(void **pPrevCtx)
|
|
|
900687 |
+{
|
|
|
900687 |
+#ifdef WITH_SELINUX
|
|
|
900687 |
+ const security_context_t prevCtx = (security_context_t) *pPrevCtx;
|
|
|
900687 |
+ if (!prevCtx)
|
|
|
900687 |
+ /* no security context saved for restoration */
|
|
|
900687 |
+ return;
|
|
|
900687 |
+
|
|
|
900687 |
+ /* set default security context to the previously stored one */
|
|
|
900687 |
+ if (selinux_enabled && setfscreatecon_raw(prevCtx) < 0)
|
|
|
900687 |
+ message(MESS_ERROR, "setting default context to %s: %s\n", prevCtx,
|
|
|
900687 |
+ strerror(errno));
|
|
|
900687 |
+
|
|
|
900687 |
+ /* free the memory allocated to save the security context */
|
|
|
900687 |
+ freecon(prevCtx);
|
|
|
900687 |
+ *pPrevCtx = NULL;
|
|
|
900687 |
+#else
|
|
|
900687 |
+ (void) pPrevCtx;
|
|
|
900687 |
+#endif
|
|
|
900687 |
+}
|
|
|
900687 |
+
|
|
|
900687 |
static struct logState *newState(const char *fn)
|
|
|
900687 |
{
|
|
|
900687 |
struct tm now = *localtime(&nowSecs);
|
|
|
900687 |
@@ -679,6 +745,7 @@ static int copyTruncate(char *currLog, char *saveLog, struct stat *sb,
|
|
|
900687 |
{
|
|
|
900687 |
char buf[BUFSIZ];
|
|
|
900687 |
int fdcurr = -1, fdsave = -1;
|
|
|
900687 |
+ void *prevCtx;
|
|
|
900687 |
ssize_t cnt;
|
|
|
900687 |
|
|
|
900687 |
message(MESS_DEBUG, "copying %s to %s\n", currLog, saveLog);
|
|
|
900687 |
@@ -689,48 +756,18 @@ static int copyTruncate(char *currLog, char *saveLog, struct stat *sb,
|
|
|
900687 |
strerror(errno));
|
|
|
900687 |
return 1;
|
|
|
900687 |
}
|
|
|
900687 |
-#ifdef WITH_SELINUX
|
|
|
900687 |
- if (selinux_enabled) {
|
|
|
900687 |
- security_context_t oldContext;
|
|
|
900687 |
- if (fgetfilecon_raw(fdcurr, &oldContext) >= 0) {
|
|
|
900687 |
- if (getfscreatecon_raw(&prev_context) < 0) {
|
|
|
900687 |
- message(MESS_ERROR,
|
|
|
900687 |
- "getting default context: %s\n",
|
|
|
900687 |
- strerror(errno));
|
|
|
900687 |
- if (selinux_enforce) {
|
|
|
900687 |
- freecon(oldContext);
|
|
|
900687 |
- close(fdcurr);
|
|
|
900687 |
- return 1;
|
|
|
900687 |
- }
|
|
|
900687 |
- }
|
|
|
900687 |
- if (setfscreatecon_raw(oldContext) < 0) {
|
|
|
900687 |
- message(MESS_ERROR,
|
|
|
900687 |
- "setting file context %s to %s: %s\n",
|
|
|
900687 |
- saveLog, oldContext, strerror(errno));
|
|
|
900687 |
- if (selinux_enforce) {
|
|
|
900687 |
- freecon(oldContext);
|
|
|
900687 |
- close(fdcurr);
|
|
|
900687 |
- return 1;
|
|
|
900687 |
- }
|
|
|
900687 |
- }
|
|
|
900687 |
- message(MESS_DEBUG, "set default create context\n");
|
|
|
900687 |
- freecon(oldContext);
|
|
|
900687 |
- } else {
|
|
|
900687 |
- if (errno != ENOTSUP) {
|
|
|
900687 |
- message(MESS_ERROR, "getting file context %s: %s\n",
|
|
|
900687 |
- currLog, strerror(errno));
|
|
|
900687 |
- if (selinux_enforce) {
|
|
|
900687 |
- return 1;
|
|
|
900687 |
- }
|
|
|
900687 |
- }
|
|
|
900687 |
- }
|
|
|
900687 |
+
|
|
|
900687 |
+ if (setSecCtx(fdcurr, currLog, &prevCtx) != 0) {
|
|
|
900687 |
+ /* error msg already printed */
|
|
|
900687 |
+ close(fdcurr);
|
|
|
900687 |
+ return 1;
|
|
|
900687 |
}
|
|
|
900687 |
-#endif
|
|
|
900687 |
#ifdef WITH_ACL
|
|
|
900687 |
if ((prev_acl = acl_get_fd(fdcurr)) == NULL) {
|
|
|
900687 |
if (!ACL_NOT_WELL_SUPPORTED(errno)) {
|
|
|
900687 |
message(MESS_ERROR, "getting file ACL %s: %s\n",
|
|
|
900687 |
currLog, strerror(errno));
|
|
|
900687 |
+ restoreSecCtx(&prevCtx);
|
|
|
900687 |
close(fdcurr);
|
|
|
900687 |
return 1;
|
|
|
900687 |
}
|
|
|
900687 |
@@ -738,13 +775,7 @@ static int copyTruncate(char *currLog, char *saveLog, struct stat *sb,
|
|
|
900687 |
#endif /* WITH_ACL */
|
|
|
900687 |
fdsave =
|
|
|
900687 |
createOutputFile(saveLog, O_WRONLY | O_CREAT, sb, prev_acl, 0);
|
|
|
900687 |
-#ifdef WITH_SELINUX
|
|
|
900687 |
- if (selinux_enabled) {
|
|
|
900687 |
- setfscreatecon_raw(prev_context);
|
|
|
900687 |
- freecon(prev_context);
|
|
|
900687 |
- prev_context = NULL;
|
|
|
900687 |
- }
|
|
|
900687 |
-#endif
|
|
|
900687 |
+ restoreSecCtx(&prevCtx);
|
|
|
900687 |
#ifdef WITH_ACL
|
|
|
900687 |
if (prev_acl) {
|
|
|
900687 |
acl_free(prev_acl);
|
|
|
900687 |
--
|
|
|
900687 |
2.7.4
|
|
|
900687 |
|
|
|
900687 |
|
|
|
900687 |
From 0ed7a45533a3d9d2237c742a2de03faba1b2e35f Mon Sep 17 00:00:00 2001
|
|
|
900687 |
From: Kamil Dudka <kdudka@redhat.com>
|
|
|
900687 |
Date: Tue, 11 Oct 2016 18:53:18 +0200
|
|
|
900687 |
Subject: [PATCH 2/2] compressLogFile: explicitly preserve SELinux context
|
|
|
900687 |
|
|
|
900687 |
If we use options 'compress' and 'sharedscripts' together, the rotated
|
|
|
900687 |
(and compressed) log files may end up with a wrong security context in
|
|
|
900687 |
case multiple files with different security contexts are rotated in a
|
|
|
900687 |
row.
|
|
|
900687 |
|
|
|
900687 |
Closes #72
|
|
|
900687 |
|
|
|
900687 |
Upstream-commit: 57458d5424eebf0c7912eefe955e4d7b0f49fd15
|
|
|
900687 |
Signed-off-by: Kamil Dudka <kdudka@redhat.com>
|
|
|
900687 |
---
|
|
|
900687 |
logrotate.c | 9 +++++++++
|
|
|
900687 |
1 file changed, 9 insertions(+)
|
|
|
900687 |
|
|
|
900687 |
diff --git a/logrotate.c b/logrotate.c
|
|
|
900687 |
index 6270995..20f6ea5 100644
|
|
|
900687 |
--- a/logrotate.c
|
|
|
900687 |
+++ b/logrotate.c
|
|
|
900687 |
@@ -558,6 +558,7 @@ static int compressLogFile(char *name, struct logInfo *log, struct stat *sb)
|
|
|
900687 |
int outFile;
|
|
|
900687 |
int i;
|
|
|
900687 |
int status;
|
|
|
900687 |
+ void *prevCtx;
|
|
|
900687 |
|
|
|
900687 |
message(MESS_DEBUG, "compressing log with: %s\n", log->compress_prog);
|
|
|
900687 |
if (debug)
|
|
|
900687 |
@@ -578,11 +579,18 @@ static int compressLogFile(char *name, struct logInfo *log, struct stat *sb)
|
|
|
900687 |
return 1;
|
|
|
900687 |
}
|
|
|
900687 |
|
|
|
900687 |
+ if (setSecCtx(inFile, name, &prevCtx) != 0) {
|
|
|
900687 |
+ /* error msg already printed */
|
|
|
900687 |
+ close(inFile);
|
|
|
900687 |
+ return 1;
|
|
|
900687 |
+ }
|
|
|
900687 |
+
|
|
|
900687 |
#ifdef WITH_ACL
|
|
|
900687 |
if ((prev_acl = acl_get_fd(inFile)) == NULL) {
|
|
|
900687 |
if (!ACL_NOT_WELL_SUPPORTED(errno)) {
|
|
|
900687 |
message(MESS_ERROR, "getting file ACL %s: %s\n",
|
|
|
900687 |
name, strerror(errno));
|
|
|
900687 |
+ restoreSecCtx(&prevCtx);
|
|
|
900687 |
close(inFile);
|
|
|
900687 |
return 1;
|
|
|
900687 |
}
|
|
|
900687 |
@@ -591,6 +599,7 @@ static int compressLogFile(char *name, struct logInfo *log, struct stat *sb)
|
|
|
900687 |
|
|
|
900687 |
outFile =
|
|
|
900687 |
createOutputFile(compressedName, O_RDWR | O_CREAT, sb, prev_acl, 0);
|
|
|
900687 |
+ restoreSecCtx(&prevCtx);
|
|
|
900687 |
#ifdef WITH_ACL
|
|
|
900687 |
if (prev_acl) {
|
|
|
900687 |
acl_free(prev_acl);
|
|
|
900687 |
--
|
|
|
900687 |
2.7.4
|
|
|
900687 |
|