
List:       busybox
Subject:    [PATCH] tar: only include selinux context with -p opt
From:       Tanguy Pruvot <tanguy.pruvot () gmail ! com>
Date:       2014-05-29 16:01:07
Message-ID: CACOx48rHe8pYTi+orUJYwt3XJTR0BVs1Z=DW5MgAh8kq6JgM9Q () mail ! gmail ! com

[Attachment #2 (multipart/alternative)]


Having received no answer, I added a -p option to store SELinux contexts (this is for Android 4.3+).

[Attachment #5 (text/html)]

<div dir="ltr">Without answer, i added -p to store selinux contexts (its for android 4.3+)</div>

--001a113a665a6cedba04fa8c09d2--
["0001-tar-add-selinux-context-support-on-create.patch" (application/octet-stream)]

From 2c2a59a6c44c965daa54f2a0eb949d38c93ac691 Mon Sep 17 00:00:00 2001
From: Tanguy Pruvot <tanguy.pruvot@gmail.com>
Date: Sat, 17 May 2014 17:27:40 +0200
Subject: [PATCH 1/2] tar: add selinux context support on create

No flag is required for the moment: the contexts are added
to the tar archive whenever SELinux is enabled on the machine.

Signed-off-by: Tanguy Pruvot <tanguy.pruvot@gmail.com>

Change-Id: Ic7a39ee03087ed19e814b138ec6d70cdadb605cd
---
 archival/libarchive/data_extract_to_command.c |    2 +-
 archival/tar.c                                |   41 +++++++++++++++++++++++++
 include/bb_archive.h                          |    2 +-
 3 files changed, 43 insertions(+), 2 deletions(-)

diff --git a/archival/libarchive/data_extract_to_command.c \
b/archival/libarchive/data_extract_to_command.c
index 5b32c2e..4249c23 100644
--- a/archival/libarchive/data_extract_to_command.c
+++ b/archival/libarchive/data_extract_to_command.c
@@ -63,7 +63,7 @@ void FAST_FUNC data_extract_to_command(archive_handle_t \
*archive_handle)
 {
 	file_header_t *file_header = archive_handle->file_header;
 
-#if 0 /* do we need this? ENABLE_FEATURE_TAR_SELINUX */
+#if ENABLE_FEATURE_TAR_SELINUX
 	char *sctx = archive_handle->tar__sctx[PAX_NEXT_FILE];
 	if (!sctx)
 		sctx = archive_handle->tar__sctx[PAX_GLOBAL];
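Review bot: Enabling this block changes extraction behaviour, which neither the commit title ("add selinux context support on create") nor the description mentions, and the removed `#if 0 /* do we need this? ... */` shows the original author was unsure it belonged here. `sctx` is read from `archive_handle->tar__sctx[...]`, so it presumably comes from the archive being unpacked, and whatever the rest of the block does with it is driven by archive content. The block continues outside the hunk, so its effect cannot be judged from these lines. I would either drop this hunk from a create-side patch or add a comment such as `/* use the archive-supplied SELinux context for the extracted-to command */` and explain the need in the commit message.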
diff --git a/archival/tar.c b/archival/tar.c
index aa02d35..be2bb09 100644
--- a/archival/tar.c
+++ b/archival/tar.c
@@ -210,6 +210,7 @@ enum {
 	CONTTYPE = '7',		/* reserved */
 	GNULONGLINK = 'K',	/* GNU long (>100 chars) link name */
 	GNULONGNAME = 'L',	/* GNU long (>100 chars) file name */
+	EXTTYPE = 'x',		/* ext metadata for next file, store selinux_context */
 };
 
 /* Might be faster (and bigger) if the dev/ino were stored in numeric order;) */
@@ -351,6 +352,34 @@ static void writeLongname(int fd, int type, const char *name, \
int dir)
 }
 #endif
 
+#if ENABLE_FEATURE_TAR_SELINUX
+# define SELINUX_CONTEXT_KEYWORD "RHT.security.selinux"
+/* Write 2 blocks : extended file header + selinux context */
+static int writeSeHeader(int fd, const char *con, struct tar_header_t *header)
+{
+	char block[TAR_BLOCK_SIZE];
+	struct tar_header_t hd;
+
+	int sz = sizeof(SELINUX_CONTEXT_KEYWORD) + 4 + strlen(con);
+	if (sz >= 100) sz++; /* another ascii digit for size */
+	if (sz > TAR_BLOCK_SIZE)
+		return FALSE;
+
+	memset(&block, 0, TAR_BLOCK_SIZE);
+	sprintf(block, "%d %s=%s\n", sz, SELINUX_CONTEXT_KEYWORD, con);
+
+	/* write duplicated file entry */
+	memcpy(&hd, header, sizeof(hd));
+	hd.typeflag = EXTTYPE;
+	PUT_OCTAL(hd.size, sz);
+	chksum_and_xwrite(fd, &hd);
+
+	/* write selinux context */
+	xwrite(fd, &block, TAR_BLOCK_SIZE);
+	return TRUE;
+}
+#endif
+
 /* Write out a tar header for the specified file/directory/whatever */
 static int writeTarHeader(struct TarBallInfo *tbInfo,
 		const char *header_name, const char *fileName, struct stat *statbuf)
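Review bot: The bound in `writeSeHeader()` is off by one: when `sz` equals `TAR_BLOCK_SIZE` the test `sz > TAR_BLOCK_SIZE` passes, and `sprintf()` then writes `sz` characters plus the terminating NUL into `char block[TAR_BLOCK_SIZE]`, one byte past the stack buffer. The context string comes from the filesystem, so its length is not controlled by tar. Use `if (sz >= TAR_BLOCK_SIZE) return FALSE;` and `snprintf(block, sizeof(block), "%d %s=%s\n", sz, SELINUX_CONTEXT_KEYWORD, con);`. A comment on the `sz` line would also help, because the arithmetic relies on `sizeof` counting the NUL: that byte plus the `4` stand for two length digits, the space, `=` and the newline.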
@@ -468,6 +497,18 @@ static int writeTarHeader(struct TarBallInfo *tbInfo,
 				header_name, S_ISDIR(statbuf->st_mode));
 #endif
 
+#if ENABLE_FEATURE_TAR_SELINUX
+	if (is_selinux_enabled()) {
+		security_context_t sid;
+		lgetfilecon(fileName, &sid);
+		if (sid) {
+			// optional extended block
+			writeSeHeader(tbInfo->tarFd, sid, &header);
+			freecon(sid);
+		}
+	}
+#endif
+
 	/* Now write the header out to disk */
 	chksum_and_xwrite(tbInfo->tarFd, &header);
 
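Review bot: `sid` is read without being initialised and the return value of `lgetfilecon()` is ignored, so if the call fails and leaves `sid` untouched, `if (sid)` tests an indeterminate pointer and `freecon()` may be handed garbage. Declare `security_context_t sid = NULL;` and test the call: `if (lgetfilecon(fileName, &sid) >= 0 && sid) {`. The result of `writeSeHeader()` is also dropped, so a context too long for one block is silently left out of the archive; a warning there would tell the user the label was not stored. The same lines are carried unchanged into the `@@ -498,7 +500,7 @@` hunk of patch 2/2, whose `if (sid) {` block continues outside that hunk.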
diff --git a/include/bb_archive.h b/include/bb_archive.h
index b82cfd8..d796fcd 100644
--- a/include/bb_archive.h
+++ b/include/bb_archive.h
@@ -146,7 +146,7 @@ typedef struct tar_header_t {     /* byte offset */
 	/* Normally it's defined as magic[6] followed by
 	 * version[2], but we put them together to save code.
 	 */
-	char magic[8];            /* 257-264 */
+	char magic[8];            /* 257-264 (magic 6 + version 2) */
 	char uname[32];           /* 265-296 */
 	char gname[32];           /* 297-328 */
 	char devmajor[8];         /* 329-336 */
-- 
1.7.2.5


["0002-tar-only-include-selinux-context-with-p-opt.patch" (application/octet-stream)]

From 1e1154804d738a282cf86bf089bc58d990b4adad Mon Sep 17 00:00:00 2001
From: Tanguy Pruvot <tanguy.pruvot@gmail.com>
Date: Thu, 29 May 2014 17:04:08 +0200
Subject: [PATCH 2/2] tar: only include selinux context with -p opt

Change-Id: I22134071cca5ac9fd66cff2cd1ddd09ff3d5c1bb
---
 archival/tar.c       |   21 ++++++++++++++++++---
 include/bb_archive.h |    3 +++
 2 files changed, 21 insertions(+), 3 deletions(-)

diff --git a/archival/tar.c b/archival/tar.c
index be2bb09..0155825 100644
--- a/archival/tar.c
+++ b/archival/tar.c
@@ -162,8 +162,8 @@
 
 #if !ENABLE_FEATURE_SEAMLESS_GZ && !ENABLE_FEATURE_SEAMLESS_BZ2
 /* Do not pass gzip flag to writeTarFile() */
-#define writeTarFile(tar_fd, verboseFlag, recurseFlags, include, exclude, gzip) \
-	writeTarFile(tar_fd, verboseFlag, recurseFlags, include, exclude)
+#define writeTarFile(tar_fd, verboseFlag, recurseFlags, optFlags, include, exclude, gzip) \
+	writeTarFile(tar_fd, verboseFlag, optFlags, recurseFlags, include, exclude)
 #endif
 
 
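Review bot: The macro names its third and fourth parameters `recurseFlags, optFlags`, while the function is declared `(..., unsigned optFlags, int recurseFlags, ...)`, and the expansion swaps the two back. It appears to work only because the definition and the call in `tar_main()` both pass through the same macro and are swapped identically, which will mislead anyone reading the macro in isolation. Keep the prototype's order and do not swap: `#define writeTarFile(tar_fd, verboseFlag, optFlags, recurseFlags, include, exclude, gzip) \` followed by `writeTarFile(tar_fd, verboseFlag, optFlags, recurseFlags, include, exclude)`.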
@@ -187,6 +187,8 @@ typedef struct TarBallInfo {
 	int tarFd;                      /* Open-for-write file descriptor
 	                                 * for the tarball */
 	int verboseFlag;                /* Whether to print extra stuff or not */
+	unsigned optFlags;              /* all command line flags */
+
 	const llist_t *excludeList;     /* List of files to not include */
 	HardLinkInfo *hlInfoHead;       /* Hard Link Tracking Information */
 	HardLinkInfo *hlInfo;           /* Hard Link Info for the current file */
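Review bot: The comment `/* all command line flags */` on `optFlags` does not match what is stored there: the call site later in this patch passes `tar_handle->ah_flags`, which holds `ARCHIVE_*` bits rather than the `OPT_*` bits in `opt`. A maintainer trusting the comment could test `tbInfo->optFlags & OPT_P` and get the wrong answer. I would write `/* archive handle flags (ARCHIVE_*), copied from ah_flags */` and consider naming the field `ahFlags` to match.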
@@ -498,7 +500,7 @@ static int writeTarHeader(struct TarBallInfo *tbInfo,
 #endif
 
 #if ENABLE_FEATURE_TAR_SELINUX
-	if (is_selinux_enabled()) {
+	if (is_selinux_enabled() && (tbInfo->optFlags & ARCHIVE_STORE_SELINUX)) {
 		security_context_t sid;
 		lgetfilecon(fileName, &sid);
 		if (sid) {
@@ -741,6 +743,7 @@ static void NOINLINE vfork_compressor(int tar_fd, int gzip)
 
 /* gcc 4.2.1 inlines it, making code bigger */
 static NOINLINE int writeTarFile(int tar_fd, int verboseFlag,
+	unsigned optFlags,
 	int recurseFlags, const llist_t *include,
 	const llist_t *exclude, int gzip)
 {
@@ -750,6 +753,7 @@ static NOINLINE int writeTarFile(int tar_fd, int verboseFlag,
 	tbInfo.hlInfoHead = NULL;
 	tbInfo.tarFd = tar_fd;
 	tbInfo.verboseFlag = verboseFlag;
+	tbInfo.optFlags = optFlags;
 
 	/* Store the stat info for the tarball's file, so
 	 * can avoid including the tarball into itself....  */
@@ -804,6 +808,7 @@ static NOINLINE int writeTarFile(int tar_fd, int verboseFlag,
 }
 #else
 int writeTarFile(int tar_fd, int verboseFlag,
+	unsigned optFlags,
 	int recurseFlags, const llist_t *include,
 	const llist_t *exclude, int gzip);
 #endif /* FEATURE_TAR_CREATE */
@@ -839,6 +844,7 @@ static llist_t *append_file_list_to_list(llist_t *list)
 //usage:	IF_FEATURE_SEAMLESS_LZMA("a")
 //usage:	IF_FEATURE_TAR_CREATE("h")
 //usage:	IF_FEATURE_TAR_NOPRESERVE_TIME("m")
+//usage:	IF_FEATURE_TAR_SELINUX("p")
 //usage:	"vO] "
 //usage:	IF_FEATURE_TAR_FROM("[-X FILE] [-T FILE] ")
 //usage:	"[-f TARFILE] [-C DIR] [FILE]..."
@@ -884,6 +890,9 @@ static llist_t *append_file_list_to_list(llist_t *list)
 //usage:     "\n	X	File with names to exclude"
 //usage:     "\n	T	File with names to include"
 //usage:	)
+//usage:	IF_FEATURE_TAR_SELINUX(
+//usage:     "\n	p	Store SELinux contexts"
+//usage:	)
 //usage:
 //usage:#define tar_example_usage
 //usage:       "$ zcat /tmp/tarball.tar.gz | tar -xf -\n"
@@ -1119,6 +1128,11 @@ int tar_main(int argc UNUSED_PARAM, char **argv)
 	if (opt & OPT_NOPRESERVE_PERM)
 		tar_handle->ah_flags |= ARCHIVE_DONT_RESTORE_PERM;
 
+#if ENABLE_FEATURE_TAR_SELINUX
+	if (opt & OPT_P)
+		tar_handle->ah_flags |= ARCHIVE_STORE_SELINUX;
+#endif
+
 	if (opt & OPT_OVERWRITE) {
 		tar_handle->ah_flags &= ~ARCHIVE_UNLINK_OLD;
 		tar_handle->ah_flags |= ARCHIVE_O_TRUNC;
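Review bot: `OPT_P` is neither defined nor added to the option string anywhere in this patch, so it presumably reuses an existing `-p` option bit. If that bit is tar's existing permissions option, invocations that already pass `-p` out of habit will start embedding SELinux labels in the archives they create, and the flag will mean something different from `-p` in GNU tar, which uses `--selinux` for this. Consider a dedicated option, or at least a comment on the new lines such as `/* -p on create: also store SELinux file contexts */`, so the overloaded meaning is visible in the code.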
@@ -1205,6 +1219,7 @@ int tar_main(int argc UNUSED_PARAM, char **argv)
 #endif
 		/* NB: writeTarFile() closes tar_handle->src_fd */
 		return writeTarFile(tar_handle->src_fd, verboseFlag,
+				tar_handle->ah_flags,
 				(opt & OPT_DEREFERENCE ? ACTION_FOLLOWLINKS : 0)
 				| (opt & OPT_NORECURSION ? 0 : ACTION_RECURSE),
 				tar_handle->accept,
diff --git a/include/bb_archive.h b/include/bb_archive.h
index d796fcd..fc976f2 100644
--- a/include/bb_archive.h
+++ b/include/bb_archive.h
@@ -125,6 +125,9 @@ typedef struct archive_handle_t {
 #if ENABLE_RPM
 #define ARCHIVE_REPLACE_VIA_RENAME  (1 << 10)
 #endif
+#if ENABLE_FEATURE_TAR_SELINUX
+#define ARCHIVE_STORE_SELINUX		(1 << 15)
+#endif
 
 
 /* POSIX tar Header Block, from POSIX 1003.1-1990  */
-- 
1.7.2.5



_______________________________________________
busybox mailing list
busybox@busybox.net
http://lists.busybox.net/mailman/listinfo/busybox
