diff --git a/backport-libsepol-Support-nlmsg-xperms-in-assertions.patch b/backport-libsepol-Support-nlmsg-xperms-in-assertions.patch
new file mode 100644
index 0000000000000000000000000000000000000000..41a22a3faef0e6a1e2e1482e5b71b48fdc8c096f
--- /dev/null
+++ b/backport-libsepol-Support-nlmsg-xperms-in-assertions.patch
@@ -0,0 +1,79 @@
+From 9a87e60fd52d288eee64ff3485c76b3988f36394 Mon Sep 17 00:00:00 2001
+From: changhan
+Date: Mon, 21 Apr 2025 10:25:53 +0800
+Subject: [PATCH] libsepol-Support-nlmsg-xperms-in-assertions
+
+Reference:https://github.com/SELinuxProject/selinux/commit/b33da68f7a67e1dac467e7f0f405052be5e11bc7
+
+---
+ libsepol/src/assertion.c | 16 ++++++++++++++--
+ libsepol/src/optimize.c | 5 +++++
+ 2 files changed, 19 insertions(+), 2 deletions(-)
+
+diff --git a/slibsepol/rc/assertion.c b/libsepol/src/assertion.c
+index 161874c..65ab67e 100644
+--- a/libsepol/src/assertion.c
++++ b/libsepol/src/assertion.c
+@@ -106,6 +106,10 @@ static int check_extended_permissions(av_extended_perms_t *neverallow, avtab_ext
+ } else if ((neverallow->specified == AVRULE_XPERMS_IOCTLDRIVER)
+ && (allow->specified == AVTAB_XPERMS_IOCTLDRIVER)) {
+ rc = extended_permissions_and(neverallow->perms, allow->perms);
++ } else if ((neverallow->specified == AVRULE_XPERMS_NLMSG)
++ && (allow->specified == AVTAB_XPERMS_NLMSG)) {
++ if (neverallow->driver == allow->driver)
++ rc = extended_permissions_and(neverallow->perms, allow->perms);
+ }
+ 
+ return rc;
+@@ -138,6 +142,12 @@ static void extended_permissions_violated(avtab_extended_perms_t *result,
+ result->specified = AVTAB_XPERMS_IOCTLDRIVER;
+ for (i = 0; i < EXTENDED_PERMS_LEN; i++)
+ result->perms[i] = neverallow->perms[i] & allow->perms[i];
++ } else if ((neverallow->specified == AVRULE_XPERMS_NLMSG)
++ && (allow->specified == AVTAB_XPERMS_NLMSG)) {
++ result->specified = AVTAB_XPERMS_NLMSG;
++ result->driver = allow->driver;
++ for (i = 0; i < EXTENDED_PERMS_LEN; i++)
++ result->perms[i] = neverallow->perms[i] & allow->perms[i];
+ }
+ }
+ 
+@@ -172,7 +182,8 @@ static int report_assertion_extended_permissions(sepol_handle_t *handle,
+ node = avtab_search_node_next(node, tmp_key.specified)) {
+ xperms = node->datum.xperms;
+ if ((xperms->specified != AVTAB_XPERMS_IOCTLFUNCTION)
+- && (xperms->specified != AVTAB_XPERMS_IOCTLDRIVER))
++ && (xperms->specified != AVTAB_XPERMS_IOCTLDRIVER)
++ && (xperms->specified != AVTAB_XPERMS_NLMSG))
+ continue;
+ found_xperm = 1;
+ rc = check_extended_permissions(avrule->xperms, xperms);
+@@ -348,7 +359,8 @@ static int check_assertion_extended_permissions_avtab(avrule_t *avrule, avtab_t
+ xperms = node->datum.xperms;
+ 
+ if ((xperms->specified != AVTAB_XPERMS_IOCTLFUNCTION)
+- && (xperms->specified != AVTAB_XPERMS_IOCTLDRIVER))
++ && (xperms->specified != AVTAB_XPERMS_IOCTLDRIVER)
++ && (xperms->specified != AVTAB_XPERMS_NLMSG))
+ continue;
+ rc = check_extended_permissions(neverallow_xperms, xperms);
+ if (rc)
+diff --git a/libsepol/src/optimize.c b/libsepol/src/optimize.c
+index a38025e..dd18965 100644
+--- a/libsepol/src/optimize.c
++++ b/libsepol/src/optimize.c
+@@ -189,6 +189,11 @@ static int process_avtab_datum(uint16_t specified,
+ 
+ if (x2->specified == AVTAB_XPERMS_IOCTLDRIVER)
+ return process_xperms(x1->perms, x2->perms);
++ } else if (x1->specified == AVTAB_XPERMS_NLMSG
++ && x2->specified == AVTAB_XPERMS_NLMSG) {
++ if (x1->driver != x2->driver)
++ return 0;
++ return process_xperms(x1->perms, x2->perms);
+ }
+ return 0;
+ }
+-- 
+2.33.0
+
diff --git a/libsepol.spec b/libsepol.spec
index 5d7a68e89486790f35404d5cfa1b0b43a93c3777..7bb2103e6f43aab632801d0ac9c5c79fdd1e394e 100644
--- a/libsepol.spec
+++ b/libsepol.spec
@@ -1,6 +1,6 @@
 Name: libsepol
 Version: 3.5
-Release: 5
+Release: 6
 Summary: SELinux binary policy manipulation library
 License: LGPLv2+
 URL: https://github.com/SELinuxProject/selinux/wiki/Releases
@@ -40,6 +40,7 @@ Patch0031: backport-libsepol-Initialize-strs-on-declaration.patch
 Patch0032: backport-libsepol-mls-Do-not-destroy-context-on-memory-error.patch
 Patch0033: backport-libsepol-cil-cil_post-Initialize-tmp-on-declaration.patch
 Patch0034: backport-libsepol-cil-Initialize-avtab_datum-on-declaration.patch
+Patch0035: backport-libsepol-Support-nlmsg-xperms-in-assertions.patch
 
 BuildRequires: gcc flex
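Review bot: The first nested file header, `diff --git a/slibsepol/rc/assertion.c b/libsepol/src/assertion.c`, carries a mangled old-side path that disagrees with the `--- a/libsepol/src/assertion.c` line two lines below; it should read `diff --git a/libsepol/src/assertion.c b/libsepol/src/assertion.c` as in the referenced upstream commit. As far as I know both GNU patch and git apply fall back to the `---`/`+++` names when the header names do not match, so the patch most likely still applies, but a header naming a non-existent path misleads anyone tracing the backport and may be rejected by a stricter applier. The hunks also rely on `AVTAB_XPERMS_NLMSG`, `AVRULE_XPERMS_NLMSG` and the nlmsg use of the `driver` field, which exist in a 3.5 tree only if the base nlmsg-xperms support was backported earlier; the visible patch list (Patch0031–Patch0034) does not show such a patch, so confirm one of the earlier patches provides these symbols or the build will fail. A line in the changelog would help reviewers: before this patch the `continue` in both assertion loops skipped nlmsg xperms entries entirely, so an allowxperm nlmsg rule could violate a neverallowxperm without the policy compile reporting it.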
@@ -100,6 +101,9 @@ make DESTDIR="%{buildroot}" LIBDIR="%{_libdir}" SHLIBDIR="%{_libdir}" install
 %{_mandir}/man3/*
 %changelog
+* Mon Apr 21 2025 changhan - 3.5-6
+- backport libsepol: Support nlmsg xperms in assertions
+
 * Tue Mar 18 2025 Linux_zhang - 3.5-5
 - backport patches from upstream