diff --git a/.netlabel_tools.metadata b/.netlabel_tools.metadata
new file mode 100644
index 0000000..ec9707f
--- /dev/null
+++ b/.netlabel_tools.metadata
@@ -0,0 +1 @@
+00d9070a2d60d8cdce2a0bd362c3af8d510d0231 SOURCES/netlabel_tools-0.20.tar.gz
diff --git a/README.md b/README.md
deleted file mode 100644
index 0e7897f..0000000
--- a/README.md
+++ /dev/null
@@ -1,5 +0,0 @@
-The master branch has no content
-
-Look at the c7 branch if you are working with CentOS-7, or the c4/c5/c6 branch for CentOS-4, 5 or 6
-
-If you find this file in a distro specific branch, it means that no content has been checked in yet
diff --git a/SOURCES/netlabelctl-addr_parse_fix.patch b/SOURCES/netlabelctl-addr_parse_fix.patch
new file mode 100644
index 0000000..5d586af
--- /dev/null
+++ b/SOURCES/netlabelctl-addr_parse_fix.patch
@@ -0,0 +1,77 @@
+netlabelctl: add additional validation code to the network address parser
+
+From: Paul Moore
+
+It is possible to use network masks with non-integer values or integer
+values greater than the size of the network address, this patch fixes
+this.
+
+Signed-off-by: Paul Moore
+---
+ netlabelctl/main.c | 39 ++++++++++++++++++++++++++++++++++++---
+ 1 file changed, 36 insertions(+), 3 deletions(-)
+
+diff --git a/netlabelctl/main.c b/netlabelctl/main.c
+index 4479bbf..6c4ab7f 100644
+--- a/netlabelctl/main.c
++++ b/netlabelctl/main.c
+@@ -210,7 +210,30 @@ void nlctl_addr_print(const struct nlbl_netaddr *addr)
+ }
+ 
+ /**
+- * Add a domain mapping to NetLabel
++ * Parse an unsigned interger number
++ * @param str the number string
++ * @param num pointer to number to return
++ *
++ * Parse an unsigned integer number string and returns the value in @num.
++ * Returns zero on success, negative values on failure.
++ *
++ */
++static int _nlctl_num_parse(char *str, uint32_t *num)
++{
++ char *spot = str;
++
++ while (*spot != '\0') {
++ if (*spot < '0' || *spot > '9')
++ return -EINVAL;
++ spot++;
++ }
++
++ *num = atoi(str);
++ return 0;
++}
++
++/**
++ * Parse a network address/mask pair
+ * @param addr_str the IP address/mask in string format
+ * @param addr the IP address/mask in native NetLabel format
+ *
+@@ -240,7 +263,12 @@ int nlctl_addr_parse(char *addr_str, struct nlbl_netaddr *addr)
+ ret_val = inet_pton(AF_INET, addr_str, &addr->addr.v4);
+ if (ret_val > 0) {
+ addr->type = AF_INET;
+- iter_a = (mask ? atoi(mask) : 32);
++ if (mask != NULL) {
++ ret_val = _nlctl_num_parse(mask, &iter_a);
++ if (ret_val < 0 || iter_a > 32)
++ return -EINVAL;
++ } else
++ iter_a = 32;
+ for (; iter_a > 0; iter_a--) {
+ addr->mask.v4.s_addr >>= 1;
+ addr->mask.v4.s_addr |= 0x80000000;
+@@ -253,7 +281,12 @@ int nlctl_addr_parse(char *addr_str, struct nlbl_netaddr *addr)
+ ret_val = inet_pton(AF_INET6, addr_str, &addr->addr.v6);
+ if (ret_val > 0) {
+ addr->type = AF_INET6;
+- iter_a = (mask ? atoi(mask) : 128);
++ if (mask != NULL) {
++ ret_val = _nlctl_num_parse(mask, &iter_a);
++ if (ret_val < 0 || iter_a > 128)
++ return -EINVAL;
++ } else
++ iter_a = 128;
+ for (iter_b = 0; iter_a > 0 && iter_b < 4; iter_b++) {
+ for (; iter_a > 0 &&
+ addr->mask.v6.s6_addr32[iter_b] < 0xffffffff;
diff --git a/SPECS/netlabel_tools.spec b/SPECS/netlabel_tools.spec
new file mode 100644
index 0000000..df8f376
--- /dev/null
+++ b/SPECS/netlabel_tools.spec
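Review bot: `_nlctl_num_parse` still converts with `atoi()`, which gives no overflow indication, so the digit-only scan in front of it admits an arbitrarily long string whose value wraps on the way to `int` and then `uint32_t` and can land back inside the `<= 32` / `<= 128` window checked in the two following hunks — the new bound test can be satisfied by an out-of-range mask string, and `atoi()` on such input is undefined behaviour per the C standard. An empty string also passes the scan and converts to 0; whether a mask such as `10.0.0.0/` reaches this function depends on how `mask` is split in `nlctl_addr_parse`, whose body lies outside this hunk. Converting with `strtoul()` and checking `errno`, the end pointer and a `UINT32_MAX` bound closes both gaps without changing the interface; `EINVAL` is already used here, so `<errno.h>` is presumably in scope, but confirm that. The doc comment's `interger` should also read `integer`.

```c
static int _nlctl_num_parse(char *str, uint32_t *num)
{
	char *spot = str;
	char *end;
	unsigned long val;

	/* reject the empty string up front; strtoul() would silently yield 0 */
	if (*str == '\0')
		return -EINVAL;

	/* … unchanged: digit-only scan over spot (rejects sign, whitespace, hex prefix) … */

	/* strtoul() reports overflow through ERANGE; atoi() does not */
	errno = 0;
	val = strtoul(str, &end, 10);
	if (errno == ERANGE || *end != '\0' || val > UINT32_MAX)
		return -EINVAL;

	*num = (uint32_t)val;
	return 0;
}
```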
@@ -0,0 +1,163 @@
+Summary: Tools to manage the Linux NetLabel subsystem
+Name: netlabel_tools
+Version: 0.20
+Release: 1%{?dist}
+License: GPLv2
+Group: System Environment/Daemons
+URL: http://netlabel.sf.net/
+Source0: http://downloads.sourceforge.net/netlabel/%{name}-%{version}.tar.gz
+BuildRoot: %{_tmppath}/%{name}-%{version}
+Requires: kernel >= 2.6.19
+Requires(post): systemd
+Requires(preun): systemd
+Requires(postun): systemd
+BuildRequires: kernel-headers >= 2.6.19
+BuildRequires: libnl-devel
+BuildRequires: doxygen
+BuildRequires: systemd
+
+Patch01: netlabelctl-addr_parse_fix.patch
+
+%description
+NetLabel is a kernel subsystem which implements explicit packet labeling
+protocols such as CIPSO for Linux. Packet labeling is used in secure networks
+to mark packets with the security attributes of the data they contain. This
+package provides the necessary user space tools to query and configure the
+kernel subsystem.
+
+%prep
+%setup -q
+
+%patch01 -p1
+
+%build
+./configure --prefix="%{_prefix}" --libdir="%{_libdir}" --enable-systemd
+make V=1 %{?_smp_mflags}
+
+%install
+rm -rf "%{buildroot}"
+mkdir -p "%{buildroot}/etc"
+mkdir -p "%{buildroot}/%{_sbindir}"
+mkdir -p "%{buildroot}/%{_unitdir}"
+mkdir -p "%{buildroot}/%{_mandir}"
+make V=1 DESTDIR="%{buildroot}" install
+
+%preun
+%systemd_preun netlabel.service
+
+%postun
+%systemd_postun
+
+%post
+%systemd_post netlabel.service
+
+%files
+%defattr(-,root,root)
+%doc README CHANGELOG LICENSE
+%attr(0644,root,root) %{_mandir}/man8/*
+%attr(0755,root,root) %{_sbindir}/netlabelctl
+%attr(0755,root,root) %{_sbindir}/netlabel-config
+%attr(0644,root,root) %{_unitdir}/netlabel.service
+%attr(0644,root,root) %config(noreplace) /etc/netlabel.rules
+
+%changelog
+* Fri Oct 25 2013 Paul Moore - 0.20-1
+- Add input validation on network address masks (#1003909)
+
+* Mon Jun 3 2013 Paul Moore - 0.20-0
+- Version bump to match latest upstream
+- Cleanups in the specfile due to changes in the upstream package
+
+* Thu Feb 14 2013 Fedora Release Engineering - 0.19-12
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_19_Mass_Rebuild
+
+* Fri Jul 20 2012 Fedora Release Engineering - 0.19-11
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_18_Mass_Rebuild
+
+* Fri Jan 13 2012 Fedora Release Engineering - 0.19-10
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_17_Mass_Rebuild
+
+* Tue Feb 08 2011 Fedora Release Engineering - 0.19-9
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_15_Mass_Rebuild
+
+* Thu Jun 17 2010 Peter Vrabec - 0.19-8
+- fixing return codes (#602291)
+
+* Wed Jun 16 2010 Peter Vrabec - 0.19-7
+- make initscript LSB compliant (#522818)
+- show version of netlabelctl and libnetlabel in help (#602577)
+
+* Wed Sep 23 2009 Peter Vrabec 0.19-6
+- make initscript LSB compliant (#522818)
+
+* Wed Sep 23 2009 Peter Vrabec 0.19-5
+- increase rel. number
+
+* Wed Sep 23 2009 Peter Vrabec 0.19-4
+- fix license tag in spec (#524310)
+
+* Sat Jul 25 2009 Fedora Release Engineering - 0.19-3
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_12_Mass_Rebuild
+
+* Wed Feb 25 2009 Fedora Release Engineering - 0.19-2
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_11_Mass_Rebuild
+
+* Thu Jan 08 2009 Peter Vrabec - 0.19-1
+- upgrade (#478903)
+
+* Mon Oct 27 2008 Peter Vrabec - 0.18-1
+- upgrade (#439833)
+
+* Mon Aug 11 2008 Tom "spot" Callaway - 0.17-8
+- fix license tag
+
+* Mon Feb 11 2008 Steve Conklin - 0.17-7
+- New patch for bz#431766 to resolve conflicts
+
+* Thu Feb 7 2008 Steve Conklin - 0.17-6
+- Various fixes to follow upstream
+- Resolves bz#431765 The example configuration file is invalid
+- Resolves bz#431766 The netlabelctl command fails to run due to newer libnl package
+- Resolves bz#431767 The url listed in the netlabel_tools package is wrong
+
+* Mon Oct 16 2006 James Antill - 0.17-3
+- Add upstream patch.
+- s/p1/p0/ for upstream patch.
+
+* Sat Oct 14 2006 Steve Grubb - 0.17-3
+- Add init scripts and default rules
+
+* Sun Oct 1 2006 James Antill - 0.17-2
+- Upgrade to latest upstream.
+
+* Tue Aug 29 2006 James Antill - 0.16-5
+- Fix install calls for mock.
+
+* Tue Aug 29 2006 James Antill - 0.16-4
+- Fix more reviewing problems, building on newer kernel-headers.
+- Add URL tag.
+
+* Fri Aug 18 2006 James Antill - 0.16-3
+- Fix minor review problems.
+- Added BuildRequires for kernel headers (netlink).
+
+* Fri Aug 18 2006 James Antill - 0.16-2
+- Use root as owner.
+- Contribute to fedora extras.
+
+* Thu Aug 3 2006 Paul Moore 0.16-1
+- Bumped version number.
+
+* Thu Jul 6 2006 Paul Moore 0.15-1
+- Bumped version number.
+
+* Mon Jun 26 2006 Paul Moore 0.14-1
+- Bumped version number.
+- Changes related to including the version number in the path name.
+- Changed the netlabelctl perms from 0750 to 0755.
+- Removed the patch. (included in the base with edits)
+- Updated the description.
+
+* Fri Jun 23 2006 Steve Grubb 0.13-1
+- Initial build.
+