diff --git a/0001-util-selinux-try-opening-the-status-page.patch b/0001-util-selinux-try-opening-the-status-page.patch
deleted file mode 100644
index 781adb9..0000000
--- a/0001-util-selinux-try-opening-the-status-page.patch
+++ /dev/null
@@ -1,71 +0,0 @@ -From 7b38bd76b3fe30ce7312ff98e62e32f14506dcbf Mon Sep 17 00:00:00 2001 -From: David Rheinsberg -Date: Mon, 12 Jun 2023 12:03:43 +0200 -Subject: [PATCH 1/3] util/selinux: try opening the status page - -Try opening the selinux status page for faster access to selinux status -values. If running on older kernels without the status page, simply -avoid using it. - -Signed-off-by: David Rheinsberg ---- - src/util/selinux.c | 29 +++++++++++++++++++++++++++++ - 1 file changed, 29 insertions(+) - -diff --git a/src/util/selinux.c b/src/util/selinux.c -index 6b0e8fa..5144ff5 100644 ---- a/src/util/selinux.c -+++ b/src/util/selinux.c -@@ -27,6 +27,7 @@ struct BusSELinuxName { - typedef struct BusSELinuxName BusSELinuxName; - - static bool bus_selinux_avc_open; -+static bool bus_selinux_status_open; - - /** bus_selinux_is_enabled() - checks if SELinux is currently enabled - * -@@ -344,6 +345,29 @@ int bus_selinux_init_global(void) { - bus_selinux_avc_open = true; - } - -+ if (!bus_selinux_status_open) { -+ r = selinux_status_open(0); -+ if (r == 0) { -+ /* -+ * The status page was successfully opened and can now -+ * be used for faster selinux status-checks. -+ */ -+ bus_selinux_status_open = true; -+ } else if (r > 0) { -+ /* -+ * >0 indicates success but with the netlink-fallback. -+ * We didn't request the netlink-fallback, so close the -+ * status-page again and treat it as unavailable. -+ */ -+ selinux_status_close(); -+ } else { -+ /* -+ * If the status page could not be opened, treat it as -+ * unavailable and use the slower fallback functions. -+ */ -+ } -+ } -+ - selinux_set_callback(SELINUX_CB_LOG, (union selinux_callback)bus_selinux_log); - - /* XXX: set audit callback to get more metadata in the audit log? 
 */ -@@ -362,6 +386,11 @@ void bus_selinux_deinit_global(void) { - if (!is_selinux_enabled()) - return; - -+ if (bus_selinux_status_open) { -+ selinux_status_close(); -+ bus_selinux_status_open = false; -+ } -+ - if (bus_selinux_avc_open) { - avc_destroy(); - bus_selinux_avc_open = false; --- -2.41.0 - 
diff --git a/0002-util-selinux-provide-helper-to-check-enforcing-mode.patch b/0002-util-selinux-provide-helper-to-check-enforcing-mode.patch
deleted file mode 100644
index 2e5226d..0000000
--- a/0002-util-selinux-provide-helper-to-check-enforcing-mode.patch
+++ /dev/null
@@ -1,72 +0,0 @@ -From dd58d08ffaa75d43edbc02be64c38a7ec308d630 Mon Sep 17 00:00:00 2001 -From: David Rheinsberg -Date: Mon, 12 Jun 2023 12:04:47 +0200 -Subject: [PATCH 2/3] util/selinux: provide helper to check enforcing mode - -Add a new helper to check the selinux enforcing mode. This will be used -in follow-ups to avoid AVC denials in permissive mode. - -Signed-off-by: David Rheinsberg ---- - src/util/selinux-fallback.c | 4 ++++ - src/util/selinux.c | 16 ++++++++++++++++ - src/util/selinux.h | 1 + - 3 files changed, 21 insertions(+) - -diff --git a/src/util/selinux-fallback.c b/src/util/selinux-fallback.c -index ec4d458..0654a07 100644 ---- a/src/util/selinux-fallback.c -+++ b/src/util/selinux-fallback.c -@@ -16,6 +16,10 @@ bool bus_selinux_is_enabled(void) { - return false; - } - -+bool bus_selinux_is_enforcing(void) { -+ return false; -+} -+ - const char *bus_selinux_policy_root(void) { - return NULL; - } -diff --git a/src/util/selinux.c b/src/util/selinux.c -index 5144ff5..082502b 100644 ---- a/src/util/selinux.c -+++ b/src/util/selinux.c -@@ -37,6 +37,22 @@ bool bus_selinux_is_enabled(void) { - return is_selinux_enabled(); - } - -+/** -+ * bus_selinux_is_enforcing() - checks if SELinux is in enforcing mode -+ * -+ * If selinux is not enabled or otherwise unavailable, this will return true. -+ * That is, this will only return false, if selinux is enabled and in -+ * permissive mode. -+ * -+ * Returns: true if SELinux is in enforcing mode, false otherwise. 
 -+ */ -+bool bus_selinux_is_enforcing(void) { -+ if (bus_selinux_status_open) -+ return selinux_status_getenforce() != 0; -+ else -+ return security_getenforce() != 0; -+} -+ - /** - * bus_selinux_policy_root() - the root directory where the current SELinux policy can be found - * -diff --git a/src/util/selinux.h b/src/util/selinux.h -index 9a71e90..435c8a8 100644 ---- a/src/util/selinux.h -+++ b/src/util/selinux.h -@@ -16,6 +16,7 @@ enum { - }; - - bool bus_selinux_is_enabled(void); -+bool bus_selinux_is_enforcing(void); - const char *bus_selinux_policy_root(void); - - int bus_selinux_registry_new(BusSELinuxRegistry **registryp, const char *fallback_context); --- -2.41.0 - 
diff --git a/0003-util-selinux-follow-permissive-mode.patch b/0003-util-selinux-follow-permissive-mode.patch
deleted file mode 100644
index 057e67d..0000000
--- a/0003-util-selinux-follow-permissive-mode.patch
+++ /dev/null
@@ -1,39 +0,0 @@ -From d5aafc56115981aec211a93481dda65ba37a4965 Mon Sep 17 00:00:00 2001 -From: David Rheinsberg -Date: Mon, 12 Jun 2023 12:09:12 +0200 -Subject: [PATCH 3/3] util/selinux: follow permissive mode - -Make sure to follow the rules of enforcing/permissive mode and avoid -operation denials in permissive mode. - -Reported-by: Daan De Meyer -Signed-off-by: David Rheinsberg ---- - src/util/selinux.c | 4 ++-- - 1 file changed, 2 insertions(+), 2 deletions(-) - -diff --git a/src/util/selinux.c b/src/util/selinux.c -index 082502b..ea6af75 100644 ---- a/src/util/selinux.c -+++ b/src/util/selinux.c -@@ -241,7 +241,7 @@ int bus_selinux_check_own(BusSELinuxRegistry *registry, - "dbus", - "acquire_svc", - NULL); -- if (r < 0) { -+ if (r < 0 && bus_selinux_is_enforcing()) { - /* - * Treat unknown contexts (possibly due to policy reload) - * as access denied. -@@ -288,7 +288,7 @@ int bus_selinux_check_send(BusSELinuxRegistry *registry, - "dbus", - "send_msg", - NULL); -- if (r < 0) { -+ if (r < 0 && bus_selinux_is_enforcing()) { - /* - * Treat unknown contexts (possibly due to policy reload) - * as access denied. --- -2.41.0 -