From 14a3d93cbf99e586063abb7e9bf2b681fd854306 Mon Sep 17 00:00:00 2001
From: =?utf8?q?Jan=20R=C4=99korajski?=
Date: Wed, 10 Oct 2007 15:14:11 +0000
Subject: [PATCH] - patches from FC, descriptions inside Changed files: nss_db-enoent.patch -> 1.1 nss_db-initialize.patch -> 1.1 nss_db-selinux.patch -> 1.1 nss_db-uniqdb.patch -> 1.1
---
 nss_db-enoent.patch | 16 +++++
 nss_db-initialize.patch | 12 ++++
 nss_db-selinux.patch | 149 ++++++++++++++++++++++++++++++++++++++++
 nss_db-uniqdb.patch | 19 +++++
 4 files changed, 196 insertions(+)
 create mode 100644 nss_db-enoent.patch
 create mode 100644 nss_db-initialize.patch
 create mode 100644 nss_db-selinux.patch
 create mode 100644 nss_db-uniqdb.patch
diff --git a/nss_db-enoent.patch b/nss_db-enoent.patch
new file mode 100644
index 0000000..ac6a8f8
--- /dev/null
+++ b/nss_db-enoent.patch
@@ -0,0 +1,16 @@
+Set errno to ENOENT so that we return it as an error in case a particular
+lookup fails. The glibc NSS layer checks our return code and kicks errno
+back to the caller. If we don't set it, anywhere, on error, then the
+previous error is returned. That can be ERANGE, which would cause NSS to
+allocate a larger buffer and try again. For no-such-key errors, this was
+exactly what was happening, and it could result in an out-of-memory error.
+--- nss_db-2.2/src/db-XXX.c Tue Apr 26 13:07:23 2005
++++ nss_db-2.2/src/db-XXX.c Tue Apr 26 13:07:18 2005
+@@ -122,6 +122,7 @@
+ }
+ 
+ /* Succeed iff it matches a value that parses correctly. */
++ *errnop = ENOENT;
+ value.flags = 0;
+ err = db->get (db, NULL, key, &value, 0);
+ if (err)
diff --git a/nss_db-initialize.patch b/nss_db-initialize.patch
new file mode 100644
index 0000000..58c724d
--- /dev/null
+++ b/nss_db-initialize.patch
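Review bot: `*errnop = ENOENT;` is stored before `db->get` regardless of why the lookup fails, so a db->get error that is not a missing key (an I/O or locking failure, say) is also reported to the NSS caller as ENOENT. The `if (err)` branch continues outside the hunk; if it already distinguishes a not-found return from other errors, the assignment belongs on that branch, with the other errors mapped separately. On the success path errno is left at ENOENT as well, which is harmless only if the glibc NSS layer ignores `*errnop` when the function returns NSS_STATUS_SUCCESS; the hunk does not show that, so a one-line comment such as `/* default error for the not-found case; overwritten only if db->get reports something else */` would record the intent.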
@@ -0,0 +1,12 @@
+Initialize all of the fields of the key to zeroes, so that we don't pass
+garbage keys in to later versions of Berkeley DB.
+--- nss_db-2.2/src/db-XXX.c 2005-03-29 16:13:57.103516704 -0500
++++ nss_db-2.2/src/db-XXX.c 2005-03-29 16:13:47.108821931 -0500
+@@ -225,6 +225,7 @@
+ DBT key; \
+ enum nss_status status; \
+ const size_t size = (keysize) + 1; \
++ memset(&key, 0, sizeof(key)); \
+ key.data = alloca (size); \
+ key.size = KEYPRINTF keypattern; \
+ key.flags = 0; \
diff --git a/nss_db-selinux.patch b/nss_db-selinux.patch
new file mode 100644
index 0000000..7000025
--- /dev/null
+++ b/nss_db-selinux.patch
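Review bot: With `memset(&key, 0, sizeof(key)); \` in place, the later context line `key.flags = 0; \` is redundant; it is harmless, but a short comment on the memset line, `/* zero every DBT field, including ones this macro never sets */`, would make clear which of the two is the authoritative initialisation. The hunk does not show whether db-XXX.c already includes string.h for memset, and the backslash-continued macro this sits in starts and ends outside the hunk, so both are worth confirming before applying.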
@@ -0,0 +1,149 @@
+Set the SELinux file creation context when opening databases for write access.
+Note that this does *not* change the context of existing files.
+
+--- nss_db-2.2/configure.in 2004-10-20 13:41:04.301436568 -0400
++++ nss_db-2.2/configure.in 2004-10-20 13:51:52.913832496 -0400
+@@ -73,6 +73,43 @@
+ *** Unsupported Berkeley DB version detected.])
+ fi
+ 
++AC_ARG_WITH(selinux,AC_HELP_STRING(--with-selinux,[enable SELinux support [[default=auto]]]),
++selinux=$withval,
++selinux=auto)
++
++libsave="$LIBS"
++if test x$selinux != no ; then
++ AC_CHECK_HEADERS(selinux/selinux.h)
++ if test x$ac_cv_header_selinux_selinux_h = xno ; then
++ if test x$selinux = xyes ; then
++ AC_MSG_ERROR([SELinux not detected])
++ else
++ AC_MSG_WARN([SELinux not detected])
++ selinux=no
++ fi
++ fi
++fi
++
++if test x$selinux != no ; then
++ AC_CHECK_FUNC(setfscreatecon,,[AC_CHECK_LIB(selinux,setfscreatecon)])
++ if test x$ac_cv_func_setfscreatecon = xno ; then
++ if test x$ac_cv_lib_selinux_setfscreatecon = xno ; then
++ if test x$selinux = xyes ; then
++ AC_MSG_ERROR([SELinux not detected])
++ else
++ AC_MSG_WARN([SELinux not detected])
++ selinux=no
++ fi
++ fi
++ fi
++fi
++if test x$selinux != no ; then
++ AC_DEFINE(SELINUX,1,[Define to have makedb set SELinux file contexts on created files.])
++fi
++
++SELINUX_LIBS="$LIBS"
++LIBS="$libsave"
++
+ AC_CANONICAL_HOST
+ slibdir=NONE
+ case "$host" in
+@@ -100,5 +137,6 @@
+ 
+ AC_SUBST(DB_CFLAGS)
+ AC_SUBST(DB_LIBS)
++AC_SUBST(SELINUX_LIBS)
+ AC_SUBST(slibdir)
+ AC_OUTPUT(Makefile)
+--- nss_db-2.2/src/Makefile.am 2004-10-20 13:47:22.207986040 -0400
++++ nss_db-2.2/src/Makefile.am 2004-10-20 13:48:46.242210896 -0400
+@@ -28,7 +28,7 @@
+ 
+ bin_PROGRAMS = makedb
+ makedb_SOURCES = makedb.c
+-makedb_LDADD = db-compat.lo @DB_LIBS@ @INTLLIBS@
++makedb_LDADD = db-compat.lo @DB_LIBS@ @INTLLIBS@ @SELINUX_LIBS@
+ 
+ # To mimmick the old glibc installation as closely as possible, we
+ # shuffle the installed library and the links to it 
around a bit,
+--- nss_db-2.2/src/makedb.c 2004-10-20 13:52:02.814327392 -0400
++++ nss_db-2.2/src/makedb.c 2004-10-20 14:06:07.605899552 -0400
+@@ -32,6 +32,10 @@
+ #include 
+ #include 
+ 
++#ifdef SELINUX
++#include 
++#endif
++
+ #include "db-compat.h"
+ 
+ #define N_(Text) Text
+@@ -95,6 +99,12 @@
+ int to_lowercase, int be_quiet);
+ static int print_database (DB *db);
+ 
++#ifdef SELINUX
++/* Set the SELinux file creation context for the given file. */
++static void set_file_creation_context (const char *outname, mode_t mode);
++#else
++#define set_file_creation_context(_outname,_mode)
++#endif
+ 
+ int
+ main (int argc, char *argv[])
+@@ -176,8 +186,10 @@
+ 
+ /* Open output file. This must not be standard output so we don't
+ handle "-" and "/dev/stdout" special. */
++ set_file_creation_context (output_name, mode);
+ status = db_open (output_name, DB_BTREE, DB_CREATE | DB_TRUNCATE, mode,
+ NULL, NULL, &db_file);
++ set_file_creation_context (NULL, 0);
+ if (status)
+ error (EXIT_FAILURE, 0, gettext ("cannot open output file `%s': %s"),
+ output_name, db_strerror (status));
+@@ -388,3 +400,44 @@
+ 
+ return EXIT_SUCCESS;
+ }
++
++
++#ifdef SELINUX
++static void
++set_file_creation_context (const char *outname, mode_t mode)
++{
++ static int enabled = -1;
++ security_context_t ctx;
++ /* Handle the "reset the context" case. */
++ if (outname == NULL)
++ {
++ setfscreatecon (NULL);
++ return;
++ }
++ /* Check if SELinux is enabled, and remember. */
++ if (enabled == -1)
++ {
++ enabled = is_selinux_enabled ();
++ }
++ if (enabled == 0)
++ {
++ return;
++ }
++ /* Determine the context which the file should have. 
*/
++ ctx = NULL;
++ if (matchpathcon (outname, S_IFREG | mode, &ctx) != 0)
++ {
++ error (EXIT_FAILURE, 0,
++ gettext ("cannot determine file context for `%s'"), outname);
++ }
++ if (ctx != NULL)
++ {
++ if (setfscreatecon (ctx) != 0)
++ {
++ error (EXIT_FAILURE, 0,
++ gettext ("cannot set file creation context for `%s'"), outname);
++ }
++ freecon (ctx);
++ }
++}
++#endif
diff --git a/nss_db-uniqdb.patch b/nss_db-uniqdb.patch
new file mode 100644
index 0000000..223376e
--- /dev/null
+++ b/nss_db-uniqdb.patch
@@ -0,0 +1,19 @@
+Use AC_TRY_LINK to correctly detect db_version in a copy of libdb which has
+been built with the --with-uniquename flag.
+--- nss_db-2.2/configure.in 2003-12-02 16:22:42.000000000 -0500
++++ nss_db-2.2/configure.in 2003-12-02 16:22:37.000000000 -0500
+@@ -43,8 +43,12 @@
+ AC_CHECK_HEADER(db.h,, AC_MSG_ERROR([
+ *** Could not find Berkeley DB headers.]))
+ 
+-AC_CHECK_LIB(db, db_version,, AC_MSG_ERROR([
+-*** Could not find Berkeley DB library.]))
++AC_CHECK_LIB(db, db_version,,[
++libsave="$LIBS"
++LIBS="$LIBS $DB_LIBS -ldb"
++AC_MSG_CHECKING([for db_version in -ldb using the linker])
++AC_TRY_LINK([#include ],[db_version(0,0,0);],[libsave="$libsave -ldb";AC_MSG_RESULT([yes])],[AC_MSG_RESULT([no]);AC_MSG_ERROR([*** Could not find Berkeley DB library.])])
++LIBS="$libsave"])
+ 
+ AC_CACHE_CHECK([Berkeley DB version], nss_db_cv_db_version,
+ [AC_TRY_CPP(
-- 
2.44.0
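Review bot: The three `if test x$selinux != no ; then` guards in the configure.in hunk are never false, because the left side carries the `x` prefix and the right side does not, so `xno` never equals `no`; with `--without-selinux`, or after the `selinux=no` fallback that follows AC_MSG_WARN, the header and function checks still run and the third guard still reaches `AC_DEFINE(SELINUX,1,...)`, making makedb.c include selinux/selinux.h on a host where the header was just reported missing. Each guard should read `if test x$selinux != xno ; then`, matching the `= xno` and `= xyes` comparisons a few lines below. In makedb.c's `set_file_creation_context`, a -1 from `is_selinux_enabled ()` (probe failed) leaves `enabled == -1`, which the `if (enabled == 0)` test treats as enabled and so falls through to `matchpathcon`; `if (enabled <= 0) return;` would treat a failed probe as disabled (the probe is then retried on the next call, which seems acceptable for this one-shot tool). Note also that a `matchpathcon` failure, including a path for which no file-context rule exists, aborts makedb via `error (EXIT_FAILURE, ...)` rather than creating the file with the default context; if that strictness is intended, a comment on that call saying so would help, and if not, the not-found case should warn and return instead.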