- dropped pre-cvs changelog

[packages/findutils.git] / findutils-selinux.patch

diff -up findutils-4.4.2/configure.ac_old findutils-4.4.2/configure.ac
--- findutils-4.4.2/configure.ac_old    2009-07-01 10:24:04.000000000 +0200
+++ findutils-4.4.2/configure.ac        2009-07-01 10:24:46.000000000 +0200
@@ -114,6 +114,16 @@ AC_CHECK_LIB([m],[fabs],[FINDLIBS="-lm $
   AC_DEFINE_UNQUOTED(HAVE_FABS_IN_LIBM,1,[fabs is defined in -lm]))
 AC_SUBST([FINDLIBS])
 
+AC_ARG_WITH([selinux],
+           AS_HELP_STRING([--without-selinux], [disable SELinux support]),
+           [:],
+[AC_CHECK_LIB([selinux], [is_selinux_enabled],
+             [with_selinux=yes], [with_selinux=no])])
+if test x$with_selinux != xno; then
+   AC_DEFINE([WITH_SELINUX], [1], [Define to support SELinux])
+   AC_SUBST([LIBSELINUX], [-lselinux])
+fi
+
 dnl Checks for header files.
 AC_HEADER_STDC
 dnl Assume unistd.h is present - coreutils does too.
diff -up findutils-4.4.2/doc/find.texi_old findutils-4.4.2/doc/find.texi
--- findutils-4.4.2/doc/find.texi_old   2009-07-01 10:25:09.000000000 +0200
+++ findutils-4.4.2/doc/find.texi       2009-07-01 10:26:37.000000000 +0200
@@ -7,7 +7,6 @@
 @c %**end of header
 
 @include version.texi
-@include ../locate/dblocation.texi
 
 @iftex
 @finalout
@@ -1242,6 +1241,14 @@ situation.
 
 @end deffn
 
+@deffn Test -context pattern
+True if file's SELinux context matches the pattern @var{pattern}.
+The pattern uses shell glob matching.
+
+This predicate is supported only on @code{find} versions compiled with
+SELinux support and only when SELinux is enabled.
+@end deffn
+
 @node Contents
 @section Contents
 
@@ -1826,6 +1833,9 @@ value used for BLOCKSIZE is system-depen
 bytes.  If the file size is zero, the value printed is undefined.  On
 systems which lack support for st_blocks, a file's sparseness is
 assumed to be 1.0.
+@item %Z
+File's SELinux context, or empty string if the file has no SELinux context
+or this version of find does not support SELinux.
 @end table
 
 @node Location Directives
diff -up findutils-4.4.2/find/defs.h_old findutils-4.4.2/find/defs.h
--- findutils-4.4.2/find/defs.h_old     2009-07-01 12:38:32.000000000 +0200
+++ findutils-4.4.2/find/defs.h 2009-07-01 12:52:47.000000000 +0200
@@ -91,6 +91,9 @@ int get_statinfo PARAMS((const char *pat
 #define MODE_RWX       (S_IXUSR | S_IXGRP | S_IXOTH | MODE_RW)
 #define MODE_ALL       (S_ISUID | S_ISGID | S_ISVTX | MODE_RWX)
 
+#ifdef WITH_SELINUX
+#include <selinux/selinux.h>
+#endif
 
 struct predicate;
 struct options;
@@ -315,6 +318,9 @@ struct predicate
     struct samefile_file_id samefileid; /* samefile */
     mode_t type;               /* type */
     struct format_val printf_vec; /* printf fprintf fprint ls fls print0 fprint0 print */
+#ifdef WITH_SELINUX
+    security_context_t scontext; /* scontext */
+#endif
   } args;
 
   /* The next predicate in the user input sequence,
@@ -459,6 +465,9 @@ PREDICATEFUNCTION pred_used;
 PREDICATEFUNCTION pred_user;
 PREDICATEFUNCTION pred_writable;
 PREDICATEFUNCTION pred_xtype;
+#ifdef WITH_SELINUX
+PREDICATEFUNCTION pred_context;
+#endif
 
 
 
@@ -601,6 +610,10 @@ struct options
    */
   int regex_options;
 
+#ifdef WITH_SELINUX
+  int (*x_getfilecon) ();
+#endif
+
   /* Optimisation level.  One is the default. 
    */
   unsigned short optimisation_level;
diff -up findutils-4.4.2/find/find.1_old findutils-4.4.2/find/find.1
--- findutils-4.4.2/find/find.1_old     2009-07-01 10:30:04.000000000 +0200
+++ findutils-4.4.2/find/find.1 2009-07-01 10:30:59.000000000 +0200
@@ -933,6 +933,8 @@ if \fIc\fR is `l'.  In other words, for 
 checks the type of the file that 
 .B \-type
 does not check.
+.IP "\-context \fIpattern\fR"
+(SELinux only) Security context of the file matches glob \fIpattern\fR.
 
 .SS ACTIONS
 .IP "\-delete\fR"
@@ -1354,6 +1356,8 @@ File's type (like in 
 U=unknown type (shouldn't happen)
 .IP %Y
 File's type (like %y), plus follow symlinks: L=loop, N=nonexistent
+.IP %Z
+(SELinux only) file's security context.
 .PP
 A `%' character followed by any other character is discarded, but the
 other character is printed (don't rely on this, as further format
diff -up findutils-4.4.2/find/find.c_old findutils-4.4.2/find/find.c
--- findutils-4.4.2/find/find.c_old     2009-07-01 10:26:53.000000000 +0200
+++ findutils-4.4.2/find/find.c 2009-07-01 10:29:52.000000000 +0200
@@ -120,6 +120,36 @@ int get_current_dirfd(void)
   return AT_FDCWD;
 }
 
+#ifdef WITH_SELINUX
+static int
+fallback_getfilecon(const char *name, security_context_t *p, int prev_rv)
+{
+  /* Our original getfilecon() call failed.  Perhaps we can't follow a
+   * symbolic link.  If that might be the problem, lgetfilecon() the link.
+   * Otherwise, admit defeat.
+   */
+  switch (errno)
+    {
+    case ENOENT:
+    case ENOTDIR:
+#ifdef DEBUG_STAT
+      fprintf(stderr, "fallback_getfilecon(): getfilecon(%s) failed; falling back on lgetfilecon()\n", name);
+#endif
+      return lgetfilecon(name, p);
+
+    case EACCES:
+    case EIO:
+    case ELOOP:
+    case ENAMETOOLONG:
+#ifdef EOVERFLOW
+    case EOVERFLOW:        /* EOVERFLOW is not #defined on UNICOS. */
+#endif
+    default:
+      return prev_rv;         
+    }
+}
+#endif /* WITH_SELINUX */
+
 \f
 int
 main (int argc, char **argv)
@@ -1270,7 +1300,7 @@ process_path (char *pathname, char *name
 static void
 process_dir (char *pathname, char *name, int pathlen, const struct stat *statp, char *parent)
 {
-  int subdirs_left;            /* Number of unexamined subdirs in PATHNAME. */
+  int subdirs_left = 0;                /* Number of unexamined subdirs in PATHNAME. */
   boolean subdirs_unreliable;  /* if true, cannot use dir link count as subdir limif (if false, it may STILL be unreliable) */
   unsigned int idx;            /* Which entry are we on? */
   struct stat stat_buf;
diff -up findutils-4.4.2/find/Makefile.am_old findutils-4.4.2/find/Makefile.am
--- findutils-4.4.2/find/Makefile.am_old        2009-07-01 10:35:04.000000000 +0200
+++ findutils-4.4.2/find/Makefile.am    2009-07-01 10:35:37.000000000 +0200
@@ -26,7 +26,7 @@ endif
 
 EXTRA_DIST = defs.h $(man_MANS)
 INCLUDES = -I../gnulib/lib -I$(top_srcdir)/lib -I$(top_srcdir)/gnulib/lib -I../intl -DLOCALEDIR=\"$(localedir)\"
-LDADD = ./libfindtools.a ../lib/libfind.a ../gnulib/lib/libgnulib.a @INTLLIBS@ @LIB_CLOCK_GETTIME@ @FINDLIBS@
+LDADD = ./libfindtools.a ../lib/libfind.a ../gnulib/lib/libgnulib.a @INTLLIBS@ @LIB_CLOCK_GETTIME@ @FINDLIBS@ @LIBSELINUX@
 man_MANS = find.1
 SUBDIRS = . testsuite
 
diff -up findutils-4.4.2/find/parser.c_old findutils-4.4.2/find/parser.c
--- findutils-4.4.2/find/parser.c_old   2009-07-01 10:35:43.000000000 +0200
+++ findutils-4.4.2/find/parser.c       2009-07-01 12:38:19.000000000 +0200
@@ -53,6 +53,10 @@
 #include <unistd.h>
 #include <sys/stat.h>
 
+#ifdef WITH_SELINUX
+#include <selinux/selinux.h>
+#endif
+
 #if ENABLE_NLS
 # include <libintl.h>
 # define _(Text) gettext (Text)
@@ -155,6 +159,9 @@ static boolean parse_noignore_race PARAM
 static boolean parse_warn          PARAMS((const struct parser_table*, char *argv[], int *arg_ptr));
 static boolean parse_xtype         PARAMS((const struct parser_table*, char *argv[], int *arg_ptr));
 static boolean parse_quit          PARAMS((const struct parser_table*, char *argv[], int *arg_ptr));
+#ifdef WITH_SELINUX
+static boolean parse_context       PARAMS((const struct parser_table*, char *argv[], int *arg_ptr));
+#endif
 
 boolean parse_print             PARAMS((const struct parser_table*, char *argv[], int *arg_ptr));
 
@@ -251,6 +258,9 @@ static struct parser_table const parse_t
   PARSE_TEST       ("cmin",                  cmin),         /* GNU */
   PARSE_TEST       ("cnewer",                cnewer),       /* GNU */
   {ARG_TEST,       "ctime",                  parse_time, pred_ctime}, /* POSIX */
+#ifdef WITH_SELINUX
+  PARSE_TEST       ("context",               context),      /* GNU */
+#endif
   PARSE_POSOPT     ("daystart",              daystart),             /* GNU */
   PARSE_ACTION     ("delete",                delete), /* GNU, Mac OS, FreeBSD */
   PARSE_OPTION     ("d",                     d), /* Mac OS X, FreeBSD, NetBSD, OpenBSD, but deprecated  in favour of -depth */
@@ -347,6 +357,89 @@ static struct parser_table const parse_t
 static const char *first_nonoption_arg = NULL;
 static const struct parser_table *noop = NULL;
 
+#ifdef WITH_SELINUX
+static int
+fallback_getfilecon(const char *name, security_context_t *p, int prev_rv)
+{
+  /* Our original getfilecon() call failed.  Perhaps we can't follow a
+   * symbolic link.  If that might be the problem, lgetfilecon() the link.
+   * Otherwise, admit defeat.
+   */
+  switch (errno)
+    {
+    case ENOENT:
+    case ENOTDIR:
+#ifdef DEBUG_STAT
+      fprintf(stderr, "fallback_getfilecon(): getfilecon(%s) failed; falling back on lgetfilecon()\n", name);
+#endif
+      return lgetfilecon(name, p);
+
+    case EACCES:
+    case EIO:
+    case ELOOP:
+    case ENAMETOOLONG:
+#ifdef EOVERFLOW
+    case EOVERFLOW:        /* EOVERFLOW is not #defined on UNICOS. */
+#endif
+    default:
+      return prev_rv;         
+    }
+}
+
+/* optionh_getfilecon() implements the getfilecon operation when the
+ * -H option is in effect.
+ *
+ * If the item to be examined is a command-line argument, we follow
+ * symbolic links.  If the getfilecon() call fails on the command-line
+ * item, we fall back on the properties of the symbolic link.
+ *
+ * If the item to be examined is not a command-line argument, we
+ * examine the link itself.
+ */
+int
+optionh_getfilecon(const char *name, security_context_t *p)
+{
+  if (0 == state.curdepth)
+    {
+      /* This file is from the command line; deference the link (if it
+       * is a link).
+       */
+      int rv = getfilecon(name, p);
+      if (0 == rv)
+       return 0;               /* success */
+      else
+       return fallback_getfilecon(name, p, rv);
+    }
+  else
+    {
+      /* Not a file on the command line; do not derefernce the link.
+       */
+      return lgetfilecon(name, p);
+    }
+}
+/* optionl_getfilecon() implements the getfilecon operation when the
+ * -L option is in effect.  That option makes us examine the thing the
+ * symbolic link points to, not the symbolic link itself.
+ */
+int
+optionl_getfilecon(const char *name, security_context_t *p)
+{
+  int rv = getfilecon(name, p);
+  if (0 == rv)
+    return 0;                  /* normal case. */
+  else
+    return fallback_getfilecon(name, p, rv);
+}
+/* optionp_getfilecon() implements the stat operation when the -P
+ * option is in effect (this is also the default).  That option makes
+ * us examine the symbolic link itself, not the thing it points to.
+ */
+int
+optionp_getfilecon(const char *name, security_context_t *p)
+{
+  return lgetfilecon(name, p);
+}
+#endif /* WITH_SELINUX */
 
 void
 check_option_combinations(const struct predicate *p)
@@ -450,11 +543,17 @@ set_follow_state(enum SymlinkOption opt)
        {
        case SYMLINK_ALWAYS_DEREF:  /* -L */
          options.xstat = optionl_stat;
+#ifdef WITH_SELINUX
+         options.x_getfilecon = optionl_getfilecon;
+#endif
          options.no_leaf_check = true;
          break;
 
        case SYMLINK_NEVER_DEREF:       /* -P (default) */
          options.xstat = optionp_stat;
+#ifdef WITH_SELINUX
+         options.x_getfilecon = optionp_getfilecon;
+#endif
          /* Can't turn no_leaf_check off because the user might have specified
           * -noleaf anyway
           */
@@ -462,6 +561,9 @@ set_follow_state(enum SymlinkOption opt)
 
        case SYMLINK_DEREF_ARGSONLY: /* -H */
          options.xstat = optionh_stat;
+#ifdef WITH_SELINUX
+         options.x_getfilecon = optionh_getfilecon;
+#endif
          options.no_leaf_check = true;
        }
     }
@@ -1127,8 +1229,12 @@ tests (N can be +N or -N or N): -amin N 
       -nouser -nogroup -path PATTERN -perm [+-]MODE -regex PATTERN\n\
       -readable -writable -executable\n\
       -wholename PATTERN -size N[bcwkMG] -true -type [bcdpflsD] -uid N\n\
-      -used N -user NAME -xtype [bcdpfls]\n"));
+      -used N -user NAME -xtype [bcdpfls]"));
+#ifdef WITH_SELINUX
   puts (_("\
+      -context CONTEXT\n"));
+#endif
+  puts (_("\n\
 actions: -delete -print0 -printf FORMAT -fprintf FILE FORMAT -print \n\
       -fprint0 FILE -fprint FILE -ls -fls FILE -prune -quit\n\
       -exec COMMAND ; -exec COMMAND {} + -ok COMMAND ;\n\
@@ -2518,6 +2624,10 @@ parse_version (const struct parser_table
   printf("LEAF_OPTIMISATION ");
   ++features;
 #endif
+#if defined(WITH_SELINUX)
+  printf("SELINUX ");
+  ++features;
+#endif
 
   flags = 0;
   if (is_fts_enabled(&flags))
@@ -2552,6 +2662,32 @@ parse_version (const struct parser_table
   exit (0);
 }
 
+#ifdef WITH_SELINUX
+static boolean
+parse_context (const struct parser_table* entry, char **argv, int *arg_ptr)
+{
+  struct predicate *our_pred;
+
+  if ((argv == NULL) || (argv[*arg_ptr] == NULL))
+    return false;
+
+  if (is_selinux_enabled() <= 0)
+    {
+      error (1, 0, _("invalid predicate -context: SELinux is not enabled."));
+      return false;
+    }
+  our_pred = insert_primary (entry);
+  our_pred->need_stat = false;
+#ifdef DEBUG
+  our_pred->p_name = find_pred_name (pred_context);
+#endif /*DEBUG*/
+  our_pred->args.scontext = argv[*arg_ptr];
+
+  (*arg_ptr)++;
+  return true;
+}
+#endif /* WITH_SELINUX */
+
 static boolean
 parse_xdev (const struct parser_table* entry, char **argv, int *arg_ptr)
 {
@@ -2803,7 +2939,7 @@ insert_fprintf (struct format_val *vec,
          if (*scan2 == '.')
            for (scan2++; ISDIGIT (*scan2); scan2++)
              /* Do nothing. */ ;
-         if (strchr ("abcdDfFgGhHiklmMnpPsStuUyY", *scan2))
+         if (strchr ("abcdDfFgGhHiklmMnpPsStuUyYZ", *scan2))
            {
              segmentp = make_segment (segmentp, format, scan2 - format,
                                       KIND_FORMAT, *scan2, 0,
@@ -2930,6 +3066,7 @@ make_segment (struct segment **segment,
     case 'h':                  /* leading directories part of path */
     case 'p':                  /* pathname */
     case 'P':                  /* pathname with ARGV element stripped */
+    case 'Z':                  /* SELinux security context */
       *fmt++ = 's';
       break;
 
diff -up findutils-4.4.2/find/pred.c_old findutils-4.4.2/find/pred.c
--- findutils-4.4.2/find/pred.c_old     2009-07-01 10:31:11.000000000 +0200
+++ findutils-4.4.2/find/pred.c 2009-07-01 10:33:45.000000000 +0200
@@ -48,6 +48,10 @@
 #include "error.h"
 #include "verify.h"
 
+#ifdef WITH_SELINUX
+#include <selinux/selinux.h>
+#endif /*WITH_SELINUX*/
+
 #if ENABLE_NLS
 # include <libintl.h>
 # define _(Text) gettext (Text)
@@ -230,6 +234,9 @@ struct pred_assoc pred_table[] =
   {pred_user, "user    "},
   {pred_writable, "writable "},
   {pred_xtype, "xtype   "},
+#ifdef WITH_SELINUX
+  {pred_context, "context"},
+#endif /*WITH_SELINUX*/
   {0, "none    "}
 };
 #endif
@@ -1054,6 +1061,27 @@ do_fprintf(struct format_val *dest,
                             mode_to_filetype(stat_buf->st_mode & S_IFMT));
          }
          break;
+       case 'Z':               /* SELinux security context */
+#ifdef WITH_SELINUX
+         {
+           security_context_t scontext;
+           int rv;
+           rv = (*options.x_getfilecon) (state.rel_pathname, &scontext);
+
+           if (rv < 0)
+             {
+               fprintf (stderr, "getfilecon(%s): %s", pathname,
+                        strerror(errno));
+               fflush (stderr);
+             }
+           else
+             {
+               checked_fprintf (dest, segment->text, scontext);
+               freecon (scontext);
+             }
+         }
+#endif /* WITH_SELINUX */
+         break;
        }
       /* end of KIND_FORMAT case */
       break;
@@ -1844,6 +1872,32 @@ pred_xtype (const char *pathname, struct
    */
   return (pred_type (pathname, &sbuf, pred_ptr));
 }
+  
+#ifdef WITH_SELINUX
+
+boolean
+pred_context (const char *pathname, struct stat *stat_buf,
+             struct predicate *pred_ptr)
+{
+  int rv;
+  security_context_t scontext;
+
+  rv = (*options.x_getfilecon) (state.rel_pathname, &scontext);
+
+  if (rv < 0)
+    {
+      fprintf (stderr, "getfilecon(%s): %s\n", pathname, strerror(errno));
+      fflush (stderr);
+      return false;
+    }
+
+  rv = (fnmatch (pred_ptr->args.scontext, scontext, 0) == 0);
+  freecon (scontext);
+  return rv;
+}
+
+#endif /*WITH_SELINUX*/
+
 \f
 /*  1) fork to get a child; parent remembers the child pid
     2) child execs the command requested
diff -up findutils-4.4.2/find/tree.c_old findutils-4.4.2/find/tree.c
--- findutils-4.4.2/find/tree.c_old     2009-07-01 10:33:57.000000000 +0200
+++ findutils-4.4.2/find/tree.c 2009-07-01 10:34:54.000000000 +0200
@@ -953,7 +953,8 @@ static struct pred_cost_lookup costlooku
     { pred_used      ,  NeedsStatInfo        },
     { pred_user      ,  NeedsStatInfo        },
     { pred_writable  ,  NeedsAccessInfo      },
-    { pred_xtype     ,  NeedsType            } /* roughly correct unless most files are symlinks */
+    { pred_xtype     ,  NeedsType            }, /* roughly correct unless most files are symlinks */
+    { pred_context   ,  NeedsNothing         } /* remove warning only:) */
   };
 static int pred_table_sorted = 0;
 \f
@@ -1434,6 +1435,9 @@ get_new_pred (const struct parser_table 
   last_pred->need_stat = true;
   last_pred->need_type = true;
   last_pred->args.str = NULL;
+#ifdef WITH_SELINUX
+  last_pred->args.scontext = NULL;
+#endif
   last_pred->pred_next = NULL;
   last_pred->pred_left = NULL;
   last_pred->pred_right = NULL;