summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
-rw-r--r--configure.ac7
-rw-r--r--plugins/msm-plugin.c6
-rw-r--r--plugins/msmxattr.c39
-rw-r--r--scripts/find-debuginfo.sh34
4 files changed, 73 insertions, 13 deletions
diff --git a/configure.ac b/configure.ac
index e5a11e7cc..c64923906 100644
--- a/configure.ac
+++ b/configure.ac
@@ -719,6 +719,13 @@ AC_SUBST(WITH_MSM_LIB)
AC_SUBST(WITH_MSM_INCLUDE)
AM_CONDITIONAL(MSM,[test "$with_msm" = yes])
+#domain checks enabling/disabling for security plugin
+AC_ARG_ENABLE(dchecks, [AS_HELP_STRING([--disable-dchecks],[build without domain checks])],,[enable_dchecks=yes])
+AS_IF([test "$enable_dchecks" = yes],[
+ AC_DEFINE(ENABLE_DCHECKS, 1, [Build with domain checks])
+])
+AM_CONDITIONAL(ENABLE_DCHECKS,[test "$enable_dchecks" = yes])
+
# libcap
WITH_CAP_LIB=
diff --git a/plugins/msm-plugin.c b/plugins/msm-plugin.c
index 405a19597..cc79bd00e 100644
--- a/plugins/msm-plugin.c
+++ b/plugins/msm-plugin.c
@@ -109,6 +109,12 @@ rpmRC PLUGINHOOK_INIT_FUNC(rpmts _ts, const char *name, const char *opts)
return RPMRC_FAIL;
}
+#ifndef ENABLE_DCHECKS
+ rpmlog(RPMLOG_DEBUG, "ENABLE_DCHECKS is undefined!\n");
+#else
+ rpmlog(RPMLOG_DEBUG, "ENABLE_DCHECKS is defined!\n");
+#endif
+
rpmlog(RPMLOG_DEBUG, "reading device security policy from %s\n", fullPath);
root = msmProcessDevSecPolicyXml(fullPath);
diff --git a/plugins/msmxattr.c b/plugins/msmxattr.c
index 75aca54d9..fc8af6b4f 100644
--- a/plugins/msmxattr.c
+++ b/plugins/msmxattr.c
@@ -720,7 +720,11 @@ int msmSetupRequests(manifest_x *mfx)
HASH_FIND(hh, all_ac_domains, mfx->request->ac_domain, strlen(mfx->request->ac_domain), defined_ac_domain);
if (!defined_ac_domain){ // request for a undefined domain.
rpmlog(RPMLOG_ERR, "Request for a domain name %s that hasn't been yet defined by any package\n", mfx->request->ac_domain);
+#ifdef ENABLE_DCHECKS
return -1;
+#else
+ return 0;
+#endif
}
//now check that the package can join the requested AC domain
if (mfx->define){
@@ -730,15 +734,24 @@ int msmSetupRequests(manifest_x *mfx)
return 0;
}
//need to check if developer allowed other packages to join this domain
- if (msmCheckDomainJoinPossibility(mfx, defined_ac_domain) < 0 )
- return -1;
+ if (msmCheckDomainJoinPossibility(mfx, defined_ac_domain) < 0) {
+#ifdef ENABLE_DCHECKS
+ return -1;
+#else
+ return 0;
+#endif
+ }
// now checking if security policy allows to join this domain
if (msmIsRequestAllowed(mfx, defined_ac_domain)) {
rpmlog(RPMLOG_DEBUG, "Request for a domain name %s is allowed based on package sw source\n", mfx->request->ac_domain);
return 0;
} else {
rpmlog(RPMLOG_ERR, "Request for a domain name %s isn't allowed based on package sw source\n", mfx->request->ac_domain);
+#ifdef ENABLE_DCHECKS
return -1;
+#else
+ return 0;
+#endif
}
}
@@ -875,8 +888,11 @@ int msmSetupDefine(struct smack_accesses *smack_accesses, manifest_x *mfx)
if (mfx->define->d_requests) {
for (d_request = mfx->define->d_requests; d_request; d_request = d_request->prev) {
// first check if the current's package sw source can grant access to requested domain
- if (msmCheckDomainRequestOrPermit(mfx, d_request->label_name) < 0)
+ if (msmCheckDomainRequestOrPermit(mfx, d_request->label_name) < 0) {
+#ifdef ENABLE_DCHECKS
return -1;
+#endif
+ }
if (smack_accesses_add(smack_accesses, mfx->define->name, d_request->label_name, d_request->ac_type) < 0) {
rpmlog(RPMLOG_ERR, "Failed to set smack rules for domain requests\n");
return -1;
@@ -887,13 +903,19 @@ int msmSetupDefine(struct smack_accesses *smack_accesses, manifest_x *mfx)
if (mfx->define->d_permits) {
for (d_permit = mfx->define->d_permits; d_permit; d_permit = d_permit->prev) {
// first check if the current's package sw source can grant access to permited domain
- if (msmCheckDomainRequestOrPermit(mfx, d_permit->label_name) < 0)
+ if (msmCheckDomainRequestOrPermit(mfx, d_permit->label_name) < 0) {
+#ifdef ENABLE_DCHECKS
return -1;
+#endif
+ }
if (!d_permit->to_label_name)
ret = smack_accesses_add(smack_accesses, d_permit->label_name, mfx->define->name, d_permit->ac_type);
else {
- if (msmCheckLabelProvisioning(mfx, d_permit->to_label_name) < 0)
+ if (msmCheckLabelProvisioning(mfx, d_permit->to_label_name) < 0) {
+#ifdef ENABLE_DCHECKS
return -1;
+#endif
+ }
ret = smack_accesses_add(smack_accesses, d_permit->label_name, d_permit->to_label_name, d_permit->ac_type);
}
if (ret < 0) {
@@ -1153,7 +1175,8 @@ int msmSetFileXAttributes(manifest_x *mfx, const char* filepath, magic_t cookie)
goto found;
}
len = strlen(filesystem->path);
- rpmlog(RPMLOG_DEBUG, "filesystem->path: %s, length %d\n", filesystem->path, len);
+ rpmlog(RPMLOG_DEBUG, "filepath: %s, filesystem->type %s\n", filepath, filesystem->type);
+ rpmlog(RPMLOG_DEBUG, "filesystem->path: %s, length %d, match %d\n", filesystem->path, len, match);
rpmlog(RPMLOG_DEBUG, "filesystem->path + len - 1: %s\n", filesystem->path + len - 1);
if (len > match) {
if ((!strncmp(filepath, filesystem->path, len)) && (filesystem->type)) {
@@ -1180,8 +1203,8 @@ int msmSetFileXAttributes(manifest_x *mfx, const char* filepath, magic_t cookie)
if (exec_label) {
execLabeldefined = 1;
if ((strcmp(exec_label, "none") == 0)
- || (strcmp(exec_label, mfx->request->ac_domain) == 0)
- || (strcmp(exec_label, mfx->define->name) == 0)) {
+ || ( (mfx->request) && (mfx->request->ac_domain) && (strcmp(exec_label, mfx->request->ac_domain) == 0))
+ || ( (mfx->define) && (mfx->define->name) && (strcmp(exec_label, mfx->define->name) == 0))) {
// these labels are allowed
} else {
// ignore all other exec labels, because they aren't allowed for security reasons
diff --git a/scripts/find-debuginfo.sh b/scripts/find-debuginfo.sh
index 50ceb18ef..c73f06bf0 100644
--- a/scripts/find-debuginfo.sh
+++ b/scripts/find-debuginfo.sh
@@ -294,12 +294,36 @@ while read nlinks inum f; do
esac
mkdir -p "${debugdn}"
- if test -w "$f"; then
- strip_to_debug "${debugfn}" "$f"
+ if [ -e "${BUILDDIR}/Kconfig" ] ; then
+ mode=$(stat -c %a "$f")
+ chmod +w "$f"
+ objcopy --only-keep-debug $f $debugfn || :
+ (
+ shopt -s extglob
+ strip_option="--strip-all"
+ case "$f" in
+ *.ko)
+ strip_option="--strip-debug" ;;
+ *$STRIP_KEEP_SYMTAB*)
+ if test -n "$STRIP_KEEP_SYMTAB"; then
+ strip_option="--strip-debug"
+ fi
+ ;;
+ esac
+ if test "$NO_DEBUGINFO_STRIP_DEBUG" = true ; then
+ strip_option=
+ fi
+ objcopy --add-gnu-debuglink=$debugfn -R .comment -R .GCC.command.line $strip_option $f
+ chmod $mode $f
+ ) || :
else
- chmod u+w "$f"
- strip_to_debug "${debugfn}" "$f"
- chmod u-w "$f"
+ if test -w "$f"; then
+ strip_to_debug "${debugfn}" "$f"
+ else
+ chmod u+w "$f"
+ strip_to_debug "${debugfn}" "$f"
+ chmod u-w "$f"
+ fi
fi
if [ -n "$id" ]; then