termux-packages/packages/coreutils/selinux.patch


diff --git a/src/cp.c b/src/cp.c
index a0ec06714..da3f6a8a7 100644
--- a/src/cp.c
+++ b/src/cp.c
@@ -993,7 +993,7 @@ main (int argc, char **argv)
atexit (close_stdin);
- selinux_enabled = (0 < is_selinux_enabled ());
+ selinux_enabled = (0 < is_selinux_enabled () && geteuid () == 0);
cp_option_init (&x);
while ((c = getopt_long (argc, argv, "abdfHilLnprst:uvxPRS:TZ",
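Review bot: The added `geteuid () == 0` term is an approximation with no comment explaining it; under SELinux the ability to relabel files is decided by policy (relabelfrom/relabelto), not by uid, so a non-root process may legitimately be permitted to set contexts and a root process may still be denied, and with this gate cp will now silently skip context work for any non-root user on every SELinux system, not just Termux. A rationale comment on the assignment would stop the next maintainer from "fixing" it back, e.g. `/* Termux: unprivileged Android processes cannot relabel files, so treat SELinux as unavailable unless we are root (an approximation of policy). */`. The same unexplained condition is added in install.c (the `selinux_enabled` assignment), mkdir.c, mkfifo.c, mknod.c (the `else if` branches), mv.c (both `selinux_enabled` initialisers) and runcon.c; one shared comment, or a single helper in a common header, would cover them. `geteuid` needs `<unistd.h>`, which coreutils presumably pulls in via system.h; worth confirming for each touched file. The enclosing `main` continues outside the hunk.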
@@ -1174,7 +1174,7 @@ main (int argc, char **argv)
{
error (0, 0,
_("warning: ignoring --context; "
- "it requires an SELinux-enabled kernel"));
+ "it requires an SELinux-enabled kernel and root access"));
}
break;
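Review bot: The edited warning text is inside `_()`, so changing the English msgid means the existing translation catalogs no longer match and the message will be shown untranslated in every locale; the same applies to the edited messages in the second cp.c hunk, both install.c warning hunks, the mkdir.c, mkfifo.c and mknod.c warning hunks and the runcon.c error. If the localisation loss is acceptable for Termux it deserves a note in the patch header; otherwise leave the msgid alone and emit the extra "root access" hint as a separate `error (0, 0, ...)` line. The install.c `--preserve-context` message is also worded differently from the others ("or you are using Termux and not running as root" versus "and root access"); pick one phrasing for all of them. The enclosing `main` continues outside the hunk.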
@@ -1253,7 +1253,7 @@ main (int argc, char **argv)
if (x.require_preserve_context && ! selinux_enabled)
error (EXIT_FAILURE, 0,
_("cannot preserve security context "
- "without an SELinux-enabled kernel"));
+ "without an SELinux-enabled kernel and root access"));
/* FIXME: This handles new files. But what about existing files?
I.e., if updating a tree, new files would have the specified context,
diff --git a/src/install.c b/src/install.c
index b3b26abdb..11caa873b 100644
--- a/src/install.c
+++ b/src/install.c
@@ -325,6 +325,10 @@ setdefaultfilecon (char const *file)
struct stat st;
char *scontext_raw = nullptr;
+ /* NOTE: Return early, before `install`'s selinux logic,
+ * because we do not have suitable workaround for it */
+ return;
+
if (selinux_enabled != 1)
{
/* Indicate no context found. */
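Review bot: The unconditional `return;` makes the rest of `setdefaultfilecon` unreachable and leaves `st` and `scontext_raw` as unused locals, which `-Wunused-variable`/`-Wunreachable-code` will flag, and it is inconsistent with the rest of this file, where SELinux handling is still enabled for root via `selinux_enabled = (... && geteuid () == 0)`: a root user passing `-Z` now gets no default context applied and no warning. If the intent is "never label in Termux", gate it on the same condition as the rest of the file, `if (! selinux_enabled) return;`, or say in the comment why root is excluded too. Moving the return above the declarations (or deleting them) would avoid the unused-variable noise. The body of `setdefaultfilecon` continues outside the hunk.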
@@ -789,7 +793,7 @@ main (int argc, char **argv)
bool strip_program_specified = false;
char const *scontext = nullptr;
/* set iff kernel has extra selinux system calls */
- selinux_enabled = (0 < is_selinux_enabled ());
+ selinux_enabled = (0 < is_selinux_enabled () && geteuid () == 0);
initialize_main (&argc, &argv);
set_program_name (argv[0]);
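Review bot: The comment `/* set iff kernel has extra selinux system calls */` immediately above the changed assignment is now stale, because the variable is also false for any non-root process regardless of kernel support. Update it alongside the condition, e.g. `/* set iff kernel has extra selinux system calls and we run as root */`. The enclosing `main` continues outside the hunk.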
@@ -876,7 +880,7 @@ main (int argc, char **argv)
if (! selinux_enabled)
{
error (0, 0, _("WARNING: ignoring --preserve-context; "
- "this kernel is not SELinux-enabled"));
+ "this kernel is not SELinux-enabled, or you are using Termux and not running as root"));
break;
}
x.preserve_security_context = true;
@@ -902,7 +906,7 @@ main (int argc, char **argv)
{
error (0, 0,
_("warning: ignoring --context; "
- "it requires an SELinux-enabled kernel"));
+ "it requires an SELinux-enabled kernel and root access"));
}
break;
case_GETOPT_HELP_CHAR;
diff --git a/src/mkdir.c b/src/mkdir.c
index df4c81976..7225c21b7 100644
--- a/src/mkdir.c
+++ b/src/mkdir.c
@@ -228,7 +228,7 @@ main (int argc, char **argv)
/* We don't yet support -Z to restore context with SMACK. */
scontext = optarg;
}
- else if (is_selinux_enabled () > 0)
+ else if (is_selinux_enabled () > 0 && geteuid () == 0)
{
if (optarg)
scontext = optarg;
@@ -244,7 +244,7 @@ main (int argc, char **argv)
{
error (0, 0,
_("warning: ignoring --context; "
- "it requires an SELinux/SMACK-enabled kernel"));
+ "it requires an SELinux/SMACK-enabled kernel and root access"));
}
break;
case_GETOPT_HELP_CHAR;
diff --git a/src/mkfifo.c b/src/mkfifo.c
index 52bfa566a..fad605386 100644
--- a/src/mkfifo.c
+++ b/src/mkfifo.c
@@ -102,7 +102,7 @@ main (int argc, char **argv)
/* We don't yet support -Z to restore context with SMACK. */
scontext = optarg;
}
- else if (is_selinux_enabled () > 0)
+ else if (is_selinux_enabled () > 0 && geteuid () == 0)
{
if (optarg)
scontext = optarg;
@@ -118,7 +118,7 @@ main (int argc, char **argv)
{
error (0, 0,
_("warning: ignoring --context; "
- "it requires an SELinux/SMACK-enabled kernel"));
+ "it requires an SELinux/SMACK-enabled kernel and root access"));
}
break;
case_GETOPT_HELP_CHAR;
diff --git a/src/mknod.c b/src/mknod.c
index 6bfa0f7f7..6ff36f21c 100644
--- a/src/mknod.c
+++ b/src/mknod.c
@@ -119,7 +119,7 @@ main (int argc, char **argv)
/* We don't yet support -Z to restore context with SMACK. */
scontext = optarg;
}
- else if (is_selinux_enabled () > 0)
+ else if (is_selinux_enabled () > 0 && geteuid () == 0)
{
if (optarg)
scontext = optarg;
@@ -135,7 +135,7 @@ main (int argc, char **argv)
{
error (0, 0,
_("warning: ignoring --context; "
- "it requires an SELinux/SMACK-enabled kernel"));
+ "it requires an SELinux/SMACK-enabled kernel and root access"));
}
break;
case_GETOPT_HELP_CHAR;
diff --git a/src/mv.c b/src/mv.c
index cf1ac56e8..4b68574e0 100644
--- a/src/mv.c
+++ b/src/mv.c
@@ -120,7 +120,7 @@ rm_option_init (struct rm_options *x)
static void
cp_option_init (struct cp_options *x)
{
- bool selinux_enabled = (0 < is_selinux_enabled ());
+ bool selinux_enabled = (0 < is_selinux_enabled () && geteuid () == 0);
cp_options_default (x);
x->copy_as_regular = false; /* FIXME: maybe make this an option */
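Review bot: The expression `0 < is_selinux_enabled () && geteuid () == 0` is now written twice in this file (here in `cp_option_init` and again in the `main` hunk), so the two can drift apart the next time the heuristic is adjusted. A file-scope helper keeps them in step: `static bool selinux_usable (void) { return 0 < is_selinux_enabled () && geteuid () == 0; }` called from both sites. Both enclosing functions continue outside their hunks.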
@@ -326,7 +326,7 @@ main (int argc, char **argv)
bool no_target_directory = false;
int n_files;
char **file;
- bool selinux_enabled = (0 < is_selinux_enabled ());
+ bool selinux_enabled = (0 < is_selinux_enabled () && geteuid () == 0);
initialize_main (&argc, &argv);
set_program_name (argv[0]);
diff --git a/src/runcon.c b/src/runcon.c
index 32c419427..b62538a41 100644
--- a/src/runcon.c
+++ b/src/runcon.c
@@ -190,8 +190,8 @@ main (int argc, char **argv)
usage (EXIT_CANCELED);
}
- if (is_selinux_enabled () != 1)
- error (EXIT_CANCELED, 0, _("%s may be used only on a SELinux kernel"),
+ if (is_selinux_enabled () != 1 || geteuid () != 0)
+ error (EXIT_CANCELED, 0, _("%s may be used only on a SELinux kernel and must be run as root"),
program_name);
if (context)
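Review bot: The rewritten `error (...)` line in this hunk, like the `--preserve-context` warning in install.c, runs well past the 79-column limit that the surrounding GNU-style code keeps to; split the literal across lines as the original did, e.g. `_("%s may be used only on a SELinux kernel "` followed by `"and must be run as root"),`. Checking `geteuid () != 0` before calling `is_selinux_enabled ()` would also skip the libselinux probe for the common unprivileged case, though either order is correct. The enclosing `main` continues outside the hunk.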