diff options
-rw-r--r-- | configure.ac | 7 | ||||
-rw-r--r-- | plugins/msm-plugin.c | 6 | ||||
-rw-r--r-- | plugins/msmxattr.c | 39 | ||||
-rw-r--r-- | scripts/find-debuginfo.sh | 34 |
4 files changed, 73 insertions, 13 deletions
diff --git a/configure.ac b/configure.ac index e5a11e7cc..c64923906 100644 --- a/configure.ac +++ b/configure.ac @@ -719,6 +719,13 @@ AC_SUBST(WITH_MSM_LIB) AC_SUBST(WITH_MSM_INCLUDE) AM_CONDITIONAL(MSM,[test "$with_msm" = yes]) +#domain checks enabling/disabling for security plugin +AC_ARG_ENABLE(dchecks, [AS_HELP_STRING([--disable-dchecks],[build without domain checks])],,[enable_dchecks=yes]) +AS_IF([test "$enable_dchecks" = yes],[ + AC_DEFINE(ENABLE_DCHECKS, 1, [Build with domain checks]) +]) +AM_CONDITIONAL(ENABLE_DCHECKS,[test "$enable_dchecks" = yes]) + # libcap WITH_CAP_LIB= diff --git a/plugins/msm-plugin.c b/plugins/msm-plugin.c index 405a19597..cc79bd00e 100644 --- a/plugins/msm-plugin.c +++ b/plugins/msm-plugin.c @@ -109,6 +109,12 @@ rpmRC PLUGINHOOK_INIT_FUNC(rpmts _ts, const char *name, const char *opts) return RPMRC_FAIL; } +#ifndef ENABLE_DCHECKS + rpmlog(RPMLOG_DEBUG, "ENABLE_DCHECKS is undefined!\n"); +#else + rpmlog(RPMLOG_DEBUG, "ENABLE_DCHECKS is defined!\n"); +#endif + rpmlog(RPMLOG_DEBUG, "reading device security policy from %s\n", fullPath); root = msmProcessDevSecPolicyXml(fullPath); diff --git a/plugins/msmxattr.c b/plugins/msmxattr.c index 75aca54d9..fc8af6b4f 100644 --- a/plugins/msmxattr.c +++ b/plugins/msmxattr.c @@ -720,7 +720,11 @@ int msmSetupRequests(manifest_x *mfx) HASH_FIND(hh, all_ac_domains, mfx->request->ac_domain, strlen(mfx->request->ac_domain), defined_ac_domain); if (!defined_ac_domain){ // request for a undefined domain. rpmlog(RPMLOG_ERR, "Request for a domain name %s that hasn't been yet defined by any package\n", mfx->request->ac_domain); +#ifdef ENABLE_DCHECKS return -1; +#else + return 0; +#endif } //now check that the package can join the requested AC domain if (mfx->define){ @@ -730,15 +734,24 @@ int msmSetupRequests(manifest_x *mfx) return 0; } //need to check if developer allowed other packages to join this domain - if (msmCheckDomainJoinPossibility(mfx, defined_ac_domain) < 0 ) - return -1; + if (msmCheckDomainJoinPossibility(mfx, defined_ac_domain) < 0) { +#ifdef ENABLE_DCHECKS + return -1; +#else + return 0; +#endif + } // now checking if security policy allows to join this domain if (msmIsRequestAllowed(mfx, defined_ac_domain)) { rpmlog(RPMLOG_DEBUG, "Request for a domain name %s is allowed based on package sw source\n", mfx->request->ac_domain); return 0; } else { rpmlog(RPMLOG_ERR, "Request for a domain name %s isn't allowed based on package sw source\n", mfx->request->ac_domain); +#ifdef ENABLE_DCHECKS return -1; +#else + return 0; +#endif } } @@ -875,8 +888,11 @@ int msmSetupDefine(struct smack_accesses *smack_accesses, manifest_x *mfx) if (mfx->define->d_requests) { for (d_request = mfx->define->d_requests; d_request; d_request = d_request->prev) { // first check if the current's package sw source can grant access to requested domain - if (msmCheckDomainRequestOrPermit(mfx, d_request->label_name) < 0) + if (msmCheckDomainRequestOrPermit(mfx, d_request->label_name) < 0) { +#ifdef ENABLE_DCHECKS return -1; +#endif + } if (smack_accesses_add(smack_accesses, mfx->define->name, d_request->label_name, d_request->ac_type) < 0) { rpmlog(RPMLOG_ERR, "Failed to set smack rules for domain requests\n"); return -1; @@ -887,13 +903,19 @@ int msmSetupDefine(struct smack_accesses *smack_accesses, manifest_x *mfx) if (mfx->define->d_permits) { for (d_permit = mfx->define->d_permits; d_permit; d_permit = d_permit->prev) { // first check if the current's package sw source can grant access to permited domain - if (msmCheckDomainRequestOrPermit(mfx, d_permit->label_name) < 0) + if (msmCheckDomainRequestOrPermit(mfx, d_permit->label_name) < 0) { +#ifdef ENABLE_DCHECKS return -1; +#endif + } if (!d_permit->to_label_name) ret = smack_accesses_add(smack_accesses, d_permit->label_name, mfx->define->name, d_permit->ac_type); else { - if (msmCheckLabelProvisioning(mfx, d_permit->to_label_name) < 0) + if (msmCheckLabelProvisioning(mfx, d_permit->to_label_name) < 0) { +#ifdef ENABLE_DCHECKS return -1; +#endif + } ret = smack_accesses_add(smack_accesses, d_permit->label_name, d_permit->to_label_name, d_permit->ac_type); } if (ret < 0) { @@ -1153,7 +1175,8 @@ int msmSetFileXAttributes(manifest_x *mfx, const char* filepath, magic_t cookie) goto found; } len = strlen(filesystem->path); - rpmlog(RPMLOG_DEBUG, "filesystem->path: %s, length %d\n", filesystem->path, len); + rpmlog(RPMLOG_DEBUG, "filepath: %s, filesystem->type %s\n", filepath, filesystem->type); + rpmlog(RPMLOG_DEBUG, "filesystem->path: %s, length %d, match %d\n", filesystem->path, len, match); rpmlog(RPMLOG_DEBUG, "filesystem->path + len - 1: %s\n", filesystem->path + len - 1); if (len > match) { if ((!strncmp(filepath, filesystem->path, len)) && (filesystem->type)) { @@ -1180,8 +1203,8 @@ int msmSetFileXAttributes(manifest_x *mfx, const char* filepath, magic_t cookie) if (exec_label) { execLabeldefined = 1; if ((strcmp(exec_label, "none") == 0) - || (strcmp(exec_label, mfx->request->ac_domain) == 0) - || (strcmp(exec_label, mfx->define->name) == 0)) { + || ( (mfx->request) && (mfx->request->ac_domain) && (strcmp(exec_label, mfx->request->ac_domain) == 0)) + || ( (mfx->define) && (mfx->define->name) && (strcmp(exec_label, mfx->define->name) == 0))) { // these labels are allowed } else { // ignore all other exec labels, because they aren't allowed for security reasons diff --git a/scripts/find-debuginfo.sh b/scripts/find-debuginfo.sh index 50ceb18ef..c73f06bf0 100644 --- a/scripts/find-debuginfo.sh +++ b/scripts/find-debuginfo.sh @@ -294,12 +294,36 @@ while read nlinks inum f; do esac mkdir -p "${debugdn}" - if test -w "$f"; then - strip_to_debug "${debugfn}" "$f" + if [ -e "${BUILDDIR}/Kconfig" ] ; then + mode=$(stat -c %a "$f") + chmod +w "$f" + objcopy --only-keep-debug $f $debugfn || : + ( + shopt -s extglob + strip_option="--strip-all" + case "$f" in + *.ko) + strip_option="--strip-debug" ;; + *$STRIP_KEEP_SYMTAB*) + if test -n "$STRIP_KEEP_SYMTAB"; then + strip_option="--strip-debug" + fi + ;; + esac + if test "$NO_DEBUGINFO_STRIP_DEBUG" = true ; then + strip_option= + fi + objcopy --add-gnu-debuglink=$debugfn -R .comment -R .GCC.command.line $strip_option $f + chmod $mode $f + ) || : else - chmod u+w "$f" - strip_to_debug "${debugfn}" "$f" - chmod u-w "$f" + if test -w "$f"; then + strip_to_debug "${debugfn}" "$f" + else + chmod u+w "$f" + strip_to_debug "${debugfn}" "$f" + chmod u-w "$f" + fi fi if [ -n "$id" ]; then |