Commit | Line | Data |
---|---|---|
3ab71051 ER |
1 | To: vim-dev@vim.org |
2 | Subject: Patch 7.1.296 | |
3 | Fcc: outbox | |
4 | From: Bram Moolenaar <Bram@moolenaar.net> | |
5 | Mime-Version: 1.0 | |
6 | Content-Type: text/plain; charset=ISO-8859-1 | |
7 | Content-Transfer-Encoding: 8bit | |
8 | ------------ | |
9 | ||
10 | Patch 7.1.296 | |
11 | Problem: SELinux is not supported. | |
12 | Solution: Detect the selinux library and use mch_copy_sec(). (James Vega) | |
13 | Files: src/auto/configure, src/config.h.in, src/configure.in, | |
14 | src/fileio.c, src/memfile.c, src/os_unix.c, src/proto/os_unix.pro | |
15 | ||
16 | ||
17 | *** ../vim-7.1.295/src/auto/configure Wed Feb 20 12:43:05 2008 | |
18 | --- src/auto/configure Wed May 7 18:16:09 2008 | |
19 | *************** | |
20 | *** 845,850 **** | |
21 | --- 845,851 ---- | |
22 | --disable-FEATURE do not include FEATURE (same as --enable-FEATURE=no) | |
23 | --enable-FEATURE[=ARG] include FEATURE [ARG=yes] | |
24 | --disable-darwin Disable Darwin (Mac OS X) support. | |
25 | + --disable-selinux Don't check for SELinux support. | |
26 | --disable-xsmp Disable XSMP session management | |
27 | --disable-xsmp-interact Disable XSMP interaction | |
28 | --enable-mzschemeinterp Include MzScheme interpreter. | |
29 | *************** | |
30 | *** 3611,3616 **** | |
31 | --- 3612,3705 ---- | |
32 | esac | |
33 | fi | |
34 | ||
35 | + echo "$as_me:$LINENO: checking --disable-selinux argument" >&5 | |
36 | + echo $ECHO_N "checking --disable-selinux argument... $ECHO_C" >&6 | |
37 | + # Check whether --enable-selinux or --disable-selinux was given. | |
38 | + if test "${enable_selinux+set}" = set; then | |
39 | + enableval="$enable_selinux" | |
40 | + | |
41 | + else | |
42 | + enable_selinux="yes" | |
43 | + fi; | |
44 | + if test "$enable_selinux" = "yes"; then | |
45 | + echo "$as_me:$LINENO: result: no" >&5 | |
46 | + echo "${ECHO_T}no" >&6 | |
47 | + echo "$as_me:$LINENO: checking for is_selinux_enabled in -lselinux" >&5 | |
48 | + echo $ECHO_N "checking for is_selinux_enabled in -lselinux... $ECHO_C" >&6 | |
49 | + if test "${ac_cv_lib_selinux_is_selinux_enabled+set}" = set; then | |
50 | + echo $ECHO_N "(cached) $ECHO_C" >&6 | |
51 | + else | |
52 | + ac_check_lib_save_LIBS=$LIBS | |
53 | + LIBS="-lselinux $LIBS" | |
54 | + cat >conftest.$ac_ext <<_ACEOF | |
55 | + /* confdefs.h. */ | |
56 | + _ACEOF | |
57 | + cat confdefs.h >>conftest.$ac_ext | |
58 | + cat >>conftest.$ac_ext <<_ACEOF | |
59 | + /* end confdefs.h. */ | |
60 | + | |
61 | + /* Override any gcc2 internal prototype to avoid an error. */ | |
62 | + #ifdef __cplusplus | |
63 | + extern "C" | |
64 | + #endif | |
65 | + /* We use char because int might match the return type of a gcc2 | |
66 | + builtin and then its argument prototype would still apply. */ | |
67 | + char is_selinux_enabled (); | |
68 | + int | |
69 | + main () | |
70 | + { | |
71 | + is_selinux_enabled (); | |
72 | + ; | |
73 | + return 0; | |
74 | + } | |
75 | + _ACEOF | |
76 | + rm -f conftest.$ac_objext conftest$ac_exeext | |
77 | + if { (eval echo "$as_me:$LINENO: \"$ac_link\"") >&5 | |
78 | + (eval $ac_link) 2>conftest.er1 | |
79 | + ac_status=$? | |
80 | + grep -v '^ *+' conftest.er1 >conftest.err | |
81 | + rm -f conftest.er1 | |
82 | + cat conftest.err >&5 | |
83 | + echo "$as_me:$LINENO: \$? = $ac_status" >&5 | |
84 | + (exit $ac_status); } && | |
85 | + { ac_try='test -z "$ac_c_werror_flag" | |
86 | + || test ! -s conftest.err' | |
87 | + { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5 | |
88 | + (eval $ac_try) 2>&5 | |
89 | + ac_status=$? | |
90 | + echo "$as_me:$LINENO: \$? = $ac_status" >&5 | |
91 | + (exit $ac_status); }; } && | |
92 | + { ac_try='test -s conftest$ac_exeext' | |
93 | + { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5 | |
94 | + (eval $ac_try) 2>&5 | |
95 | + ac_status=$? | |
96 | + echo "$as_me:$LINENO: \$? = $ac_status" >&5 | |
97 | + (exit $ac_status); }; }; then | |
98 | + ac_cv_lib_selinux_is_selinux_enabled=yes | |
99 | + else | |
100 | + echo "$as_me: failed program was:" >&5 | |
101 | + sed 's/^/| /' conftest.$ac_ext >&5 | |
102 | + | |
103 | + ac_cv_lib_selinux_is_selinux_enabled=no | |
104 | + fi | |
105 | + rm -f conftest.err conftest.$ac_objext \ | |
106 | + conftest$ac_exeext conftest.$ac_ext | |
107 | + LIBS=$ac_check_lib_save_LIBS | |
108 | + fi | |
109 | + echo "$as_me:$LINENO: result: $ac_cv_lib_selinux_is_selinux_enabled" >&5 | |
110 | + echo "${ECHO_T}$ac_cv_lib_selinux_is_selinux_enabled" >&6 | |
111 | + if test $ac_cv_lib_selinux_is_selinux_enabled = yes; then | |
112 | + LIBS="$LIBS -lselinux" | |
113 | + cat >>confdefs.h <<\_ACEOF | |
114 | + #define HAVE_SELINUX 1 | |
115 | + _ACEOF | |
116 | + | |
117 | + fi | |
118 | + | |
119 | + else | |
120 | + echo "$as_me:$LINENO: result: yes" >&5 | |
121 | + echo "${ECHO_T}yes" >&6 | |
122 | + fi | |
123 | ||
124 | ||
125 | echo "$as_me:$LINENO: checking --with-features argument" >&5 | |
126 | *** ../vim-7.1.295/src/config.h.in Tue May 1 13:37:23 2007 | |
127 | --- src/config.h.in Wed May 7 18:10:49 2008 | |
128 | *************** | |
129 | *** 156,161 **** | |
130 | --- 156,162 ---- | |
131 | #undef HAVE_READLINK | |
132 | #undef HAVE_RENAME | |
133 | #undef HAVE_SELECT | |
134 | + #undef HAVE_SELINUX | |
135 | #undef HAVE_SETENV | |
136 | #undef HAVE_SETPGID | |
137 | #undef HAVE_SETSID | |
138 | *** ../vim-7.1.295/src/configure.in Wed Feb 20 12:43:05 2008 | |
139 | --- src/configure.in Wed May 7 18:15:40 2008 | |
140 | *************** | |
141 | *** 299,304 **** | |
142 | --- 299,317 ---- | |
143 | esac | |
144 | fi | |
145 | ||
146 | + dnl Link with -lselinux for SELinux stuff; if not found | |
147 | + AC_MSG_CHECKING(--disable-selinux argument) | |
148 | + AC_ARG_ENABLE(selinux, | |
149 | + [ --disable-selinux Don't check for SELinux support.], | |
150 | + , enable_selinux="yes") | |
151 | + if test "$enable_selinux" = "yes"; then | |
152 | + AC_MSG_RESULT(no) | |
153 | + AC_CHECK_LIB(selinux, is_selinux_enabled, | |
154 | + [LIBS="$LIBS -lselinux" | |
155 | + AC_DEFINE(HAVE_SELINUX)]) | |
156 | + else | |
157 | + AC_MSG_RESULT(yes) | |
158 | + fi | |
159 | ||
160 | dnl Check user requested features. | |
161 | ||
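Review bot: The `AC_CHECK_LIB(selinux, is_selinux_enabled, ...)` test only proves that the symbol links; it never checks for the header, while the os_unix.c part of this patch includes `<selinux/selinux.h>` whenever HAVE_SELINUX is defined. On a system with the library but not its headers, configure would presumably enable the feature and the build would then fail. Wrapping the library test as `AC_CHECK_HEADER(selinux/selinux.h, [AC_CHECK_LIB(selinux, is_selinux_enabled, [...])])` would avoid that. The `dnl` comment also stops mid-sentence ("; if not found"); something like `dnl Link with -lselinux for SELinux support, unless --disable-selinux is given or the library is not found.` would finish the thought.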
162 | *** ../vim-7.1.295/src/fileio.c Tue Mar 11 22:01:16 2008 | |
163 | --- src/fileio.c Wed May 7 18:17:45 2008 | |
164 | *************** | |
165 | *** 3651,3656 **** | |
166 | --- 3660,3668 ---- | |
167 | ) | |
168 | mch_setperm(backup, | |
169 | (perm & 0707) | ((perm & 07) << 3)); | |
170 | + # ifdef HAVE_SELINUX | |
171 | + mch_copy_sec(fname, backup); | |
172 | + # endif | |
173 | #endif | |
174 | ||
175 | /* | |
176 | *************** | |
177 | *** 3687,3692 **** | |
178 | --- 3699,3707 ---- | |
179 | #ifdef HAVE_ACL | |
180 | mch_set_acl(backup, acl); | |
181 | #endif | |
182 | + #ifdef HAVE_SELINUX | |
183 | + mch_copy_sec(fname, backup); | |
184 | + #endif | |
185 | break; | |
186 | } | |
187 | } | |
188 | *************** | |
189 | *** 4309,4314 **** | |
190 | --- 4324,4335 ---- | |
191 | } | |
192 | #endif | |
193 | ||
194 | + #ifdef HAVE_SELINUX | |
195 | + /* Probably need to set the security context. */ | |
196 | + if (!backup_copy) | |
197 | + mch_copy_sec(backup, wfname); | |
198 | + #endif | |
199 | + | |
200 | #ifdef UNIX | |
201 | /* When creating a new file, set its owner/group to that of the original | |
202 | * file. Get the new device and inode number. */ | |
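Review bot: The comment `/* Probably need to set the security context. */` does not say why the copy runs only for `!backup_copy`, and that condition is what decides whether a written file keeps its label. From the names, this looks like the case where the original was renamed to `backup` and `wfname` is a newly created file, so a comment such as `/* The original was renamed to "backup" and "wfname" is a new file: give it the original's SELinux context. */` would make that explicit (confirm against the surrounding code, which lies outside the hunk). Since mch_copy_sec() returns void, a failure here leaves the new file under whatever context it was created with and the write still counts as successful. If this runs after the data has been written, the contents also sit under the default context until the relabel; setting the creation context beforehand with `setfscreatecon()` would close that window.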
203 | *** ../vim-7.1.295/src/memfile.c Fri May 11 20:15:45 2007 | |
204 | --- src/memfile.c Wed May 7 18:10:49 2008 | |
205 | *************** | |
206 | *** 1346,1350 **** | |
207 | --- 1346,1355 ---- | |
208 | mfp->mf_ffname = NULL; | |
209 | } | |
210 | else | |
211 | + { | |
212 | + #ifdef HAVE_SELINUX | |
213 | + mch_copy_sec(fname, mfp->mf_fname); | |
214 | + #endif | |
215 | mch_hide(mfp->mf_fname); /* try setting the 'hidden' flag */ | |
216 | + } | |
217 | } | |
218 | *** ../vim-7.1.295/src/os_unix.c Wed Mar 12 13:16:37 2008 | |
219 | --- src/os_unix.c Wed May 7 18:24:46 2008 | |
220 | *************** | |
221 | *** 45,50 **** | |
222 | --- 45,55 ---- | |
223 | # include <X11/SM/SMlib.h> | |
224 | #endif | |
225 | ||
226 | + #ifdef HAVE_SELINUX | |
227 | + # include <selinux/selinux.h> | |
228 | + static int selinux_enabled = -1; | |
229 | + #endif | |
230 | + | |
231 | /* | |
232 | * Use this prototype for select, some include files have a wrong prototype | |
233 | */ | |
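Review bot: `selinux_enabled` uses -1 as its "not checked yet" value without a comment, and -1 is also what libselinux has documented as the error return of is_selinux_enabled(). If that call fails, mch_copy_sec() in the next os_unix.c hunk leaves the cache at -1, skips the copy because of the `> 0` test, and queries again on every later call. A comment such as `/* -1: not checked yet; otherwise the cached result of is_selinux_enabled() */` would document the sentinel. Storing 0 when the result is negative would make the cache stick.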
234 | *************** | |
235 | *** 2557,2562 **** | |
236 | --- 2562,2623 ---- | |
237 | } vim_acl_solaris_T; | |
238 | # endif | |
239 | ||
240 | + #if defined(HAVE_SELINUX) || defined(PROTO) | |
241 | + /* | |
242 | + * Copy security info from "from_file" to "to_file". | |
243 | + */ | |
244 | + void | |
245 | + mch_copy_sec(from_file, to_file) | |
246 | + char_u *from_file; | |
247 | + char_u *to_file; | |
248 | + { | |
249 | + if (from_file == NULL) | |
250 | + return; | |
251 | + | |
252 | + if (selinux_enabled == -1) | |
253 | + selinux_enabled = is_selinux_enabled(); | |
254 | + | |
255 | + if (selinux_enabled > 0) | |
256 | + { | |
257 | + security_context_t from_context = NULL; | |
258 | + security_context_t to_context = NULL; | |
259 | + | |
260 | + if (getfilecon((char *)from_file, &from_context) < 0) | |
261 | + { | |
262 | + /* If the filesystem doesn't support extended attributes, | |
263 | + the original had no special security context and the | |
264 | + target cannot have one either. */ | |
265 | + if (errno == EOPNOTSUPP) | |
266 | + return; | |
267 | + | |
268 | + MSG_PUTS(_("\nCould not get security context for ")); | |
269 | + msg_outtrans(from_file); | |
270 | + msg_putchar('\n'); | |
271 | + return; | |
272 | + } | |
273 | + if (getfilecon((char *)to_file, &to_context) < 0) | |
274 | + { | |
275 | + MSG_PUTS(_("\nCould not get security context for ")); | |
276 | + msg_outtrans(to_file); | |
277 | + msg_putchar('\n'); | |
278 | + freecon (from_context); | |
279 | + return ; | |
280 | + } | |
281 | + if (strcmp(from_context, to_context) != 0) | |
282 | + { | |
283 | + if (setfilecon((char *)to_file, from_context) < 0) | |
284 | + { | |
285 | + MSG_PUTS(_("\nCould not set security context for ")); | |
286 | + msg_outtrans(to_file); | |
287 | + msg_putchar('\n'); | |
288 | + } | |
289 | + } | |
290 | + freecon(to_context); | |
291 | + freecon(from_context); | |
292 | + } | |
293 | + } | |
294 | + #endif /* HAVE_SELINUX */ | |
295 | + | |
296 | /* | |
297 | * Return a pointer to the ACL of file "fname" in allocated memory. | |
298 | * Return NULL if the ACL is not available for whatever reason. | |
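Review bot: mch_copy_sec() returns void, so when getfilecon() or setfilecon() fails the callers in fileio.c and memfile.c carry on and `to_file` keeps whatever context it was created with, with only a message as trace. For a backup or swap copy of a file with a restrictive label, that can leave the contents under a looser type; returning OK/FAIL would let callers decide how to react. In the same function `to_file` is not checked for NULL the way `from_file` is (`if (from_file == NULL || to_file == NULL) return;`). The EOPNOTSUPP exemption also covers only the first getfilecon(), so a target on a filesystem without extended attributes would report an error each time. The calls are path-based and follow symlinks; if the callers can supply a descriptor, fgetfilecon()/fsetfilecon() would tie the label to the file that was actually written.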
299 | *** ../vim-7.1.295/src/proto/os_unix.pro Sat May 5 20:23:37 2007 | |
300 | --- src/proto/os_unix.pro Wed May 7 18:25:14 2008 | |
301 | *************** | |
302 | *** 34,39 **** | |
303 | --- 34,40 ---- | |
304 | void fname_case __ARGS((char_u *name, int len)); | |
305 | long mch_getperm __ARGS((char_u *name)); | |
306 | int mch_setperm __ARGS((char_u *name, long perm)); | |
307 | + void mch_copy_sec __ARGS((char_u *from_file, char_u *to_file)); | |
308 | vim_acl_T mch_get_acl __ARGS((char_u *fname)); | |
309 | void mch_set_acl __ARGS((char_u *fname, vim_acl_T aclent)); | |
310 | void mch_free_acl __ARGS((vim_acl_T aclent)); | |
311 | *** ../vim-7.1.295/src/version.c Wed May 7 17:39:17 2008 | |
312 | --- src/version.c Wed May 7 18:50:01 2008 | |
313 | *************** | |
314 | *** 668,669 **** | |
315 | --- 673,676 ---- | |
316 | { /* Add new patch number below this line */ | |
317 | + /**/ | |
318 | + 296, | |
319 | /**/ | |
320 | ||
321 | -- | |
322 | Michael: There is no such thing as a dump question. | |
323 | Bernard: Sure there is. For example "what is a core dump?" | |
324 | ||
325 | /// Bram Moolenaar -- Bram@Moolenaar.net -- http://www.Moolenaar.net \\\ | |
326 | /// sponsor Vim, vote for features -- http://www.Vim.org/sponsor/ \\\ | |
327 | \\\ download, build and distribute -- http://www.A-A-P.org /// | |
328 | \\\ help me help AIDS victims -- http://ICCF-Holland.org /// |