about summary refs log tree commit diff homepage
diff options
context:
space:
mode:
authorLaszlo Szekeres <inbox@lszekeres.com>2016-03-04 20:33:06 -0500
committerLaszlo Szekeres <inbox@lszekeres.com>2016-03-05 19:11:33 -0500
commit45d8a085662f7689c0b6978cf2e33845f6095000 (patch)
treeabc0a627026a33ccbf6e2bfa58613edd8969debf
parentf244db54bfc37f5cc1d831f54c74e818e69bd28c (diff)
downloadklee-45d8a085662f7689c0b6978cf2e33845f6095000.tar.gz
Fix SELinux signatures in runtime
The SELinux function signatures have changed between version 2.2 and
2.3. In particular, the type of the "security context" parameter was
changed from char * to const char *, with the following patch:
SELinuxProject/selinux@9eb9c9327563014ad6a807814e7975424642d5b9.

Recent Linux distributions (e.g. Ubuntu 15.10) ship with the updated
version of libselinux. This change makes the SELinux runtime compatible
with the newer versions of the library by replacing security_context_t
with its original char * definition and defining it as const only if the
installed library does so. Whether the system uses const char * types is
detected with the configure script.

Fixes klee/klee#303.
-rw-r--r--.travis.yml2
-rw-r--r--autoconf/configure.ac23
-rwxr-xr-xconfigure76
-rw-r--r--include/klee/Config/config.h.in4
-rw-r--r--runtime/POSIX/selinux.c18
5 files changed, 93 insertions, 30 deletions
diff --git a/.travis.yml b/.travis.yml
index b64754eb..9af267c5 100644
--- a/.travis.yml
+++ b/.travis.yml
@@ -87,7 +87,7 @@ before_install:
     ###########################################################################
     # Install stuff
     ###########################################################################
-    - sudo apt-get install gcc-4.8 g++-4.8 libcap-dev cmake
+    - sudo apt-get install gcc-4.8 g++-4.8 libcap-dev libselinux1-dev cmake
     # Make gcc4.8 the default gcc version
     - sudo update-alternatives --install /usr/bin/gcc gcc /usr/bin/gcc-4.8 20
     - sudo update-alternatives --install /usr/bin/g++ g++ /usr/bin/g++-4.8 20
diff --git a/autoconf/configure.ac b/autoconf/configure.ac
index bb391329..01c2c809 100644
--- a/autoconf/configure.ac
+++ b/autoconf/configure.ac
@@ -534,12 +534,31 @@ if test "x${have_cap}" = xno; then
 capability checking support for klee-replay.])
 fi
 
-AC_LANG_POP([C])
-
 AC_CHECK_HEADERS([selinux/selinux.h],
         AC_SUBST(HAVE_SELINUX, 1),
         AC_SUBST(HAVE_SELINUX, 0))
 
+if test "$HAVE_SELINUX" = "1"; then
+   # Test what function signature we need to use for SELinux. The signatures
+   # have changed between 2.2 and 2.3. In particular, the type of the "security
+   # context" parameter was changed from char * to const char *, with this
+   # patch: [PATCH] Get rid of security_context_t and fix const declarations.
+   # [http://www.spinics.net/lists/selinux/msg14827.html]
+   AC_CACHE_CHECK([for selinux security context type constness],
+                  [klee_cv_sel_ctx_const],
+   [AC_COMPILE_IFELSE(
+     [AC_LANG_PROGRAM([[
+#include <selinux/selinux.h>
+int setcon(char *context);]])],
+     [klee_cv_sel_ctx_const=''],
+     [klee_cv_sel_ctx_const='const'])])
+   AC_DEFINE_UNQUOTED([KLEE_SELINUX_CTX_CONST], [$klee_cv_sel_ctx_const],
+     [Define to empty or 'const' depending on how SELinux qualifies its
+      security context parameters.])
+fi
+
+AC_LANG_POP([C])
+
 dnl **************************************************************************
 dnl Test for features
 dnl **************************************************************************
diff --git a/configure b/configure
index d4ef1048..ee5593d2 100755
--- a/configure
+++ b/configure
@@ -4634,6 +4634,63 @@ $as_echo "$as_me: WARNING: Library cap and its header file sys/capability.h not
 capability checking support for klee-replay." >&2;}
 fi
 
+for ac_header in selinux/selinux.h
+do :
+  ac_fn_c_check_header_mongrel "$LINENO" "selinux/selinux.h" "ac_cv_header_selinux_selinux_h" "$ac_includes_default"
+if test "x$ac_cv_header_selinux_selinux_h" = xyes; then :
+  cat >>confdefs.h <<_ACEOF
+#define HAVE_SELINUX_SELINUX_H 1
+_ACEOF
+ HAVE_SELINUX=1
+
+else
+  HAVE_SELINUX=0
+
+fi
+
+done
+
+
+if test "$HAVE_SELINUX" = "1"; then
+   # Test what function signature we need to use for SELinux. The signatures
+   # have changed between 2.2 and 2.3. In particular, the type of the "security
+   # context" parameter was changed from char * to const char *, with this
+   # patch: [PATCH] Get rid of security_context_t and fix const declarations.
+   # [http://www.spinics.net/lists/selinux/msg14827.html]
+   { $as_echo "$as_me:${as_lineno-$LINENO}: checking for selinux security context type constness" >&5
+$as_echo_n "checking for selinux security context type constness... " >&6; }
+if ${klee_cv_sel_ctx_const+:} false; then :
+  $as_echo_n "(cached) " >&6
+else
+  cat confdefs.h - <<_ACEOF >conftest.$ac_ext
+/* end confdefs.h.  */
+
+#include <selinux/selinux.h>
+int setcon(char *context);
+int
+main ()
+{
+
+  ;
+  return 0;
+}
+_ACEOF
+if ac_fn_c_try_compile "$LINENO"; then :
+  klee_cv_sel_ctx_const=''
+else
+  klee_cv_sel_ctx_const='const'
+fi
+rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext
+fi
+{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $klee_cv_sel_ctx_const" >&5
+$as_echo "$klee_cv_sel_ctx_const" >&6; }
+
+cat >>confdefs.h <<_ACEOF
+#define KLEE_SELINUX_CTX_CONST $klee_cv_sel_ctx_const
+_ACEOF
+
+fi
+
 ac_ext=cpp
 ac_cpp='$CXXCPP $CPPFLAGS'
 ac_compile='$CXX -c $CXXFLAGS $CPPFLAGS conftest.$ac_ext >&5'
@@ -4641,6 +4698,7 @@ ac_link='$CXX -o conftest$ac_exeext $CXXFLAGS $CPPFLAGS $LDFLAGS conftest.$ac_ex
 ac_compiler_gnu=$ac_cv_cxx_compiler_gnu
 
 
+
 ac_ext=cpp
 ac_cpp='$CXXCPP $CPPFLAGS'
 ac_compile='$CXX -c $CXXFLAGS $CPPFLAGS conftest.$ac_ext >&5'
@@ -4775,24 +4833,6 @@ ac_link='$CXX -o conftest$ac_exeext $CXXFLAGS $CPPFLAGS $LDFLAGS conftest.$ac_ex
 ac_compiler_gnu=$ac_cv_cxx_compiler_gnu
 
 
-for ac_header in selinux/selinux.h
-do :
-  ac_fn_cxx_check_header_mongrel "$LINENO" "selinux/selinux.h" "ac_cv_header_selinux_selinux_h" "$ac_includes_default"
-if test "x$ac_cv_header_selinux_selinux_h" = xyes; then :
-  cat >>confdefs.h <<_ACEOF
-#define HAVE_SELINUX_SELINUX_H 1
-_ACEOF
- HAVE_SELINUX=1
-
-else
-  HAVE_SELINUX=0
-
-fi
-
-done
-
-
-
 for ac_header in malloc/malloc.h
 do :
   ac_fn_cxx_check_header_mongrel "$LINENO" "malloc/malloc.h" "ac_cv_header_malloc_malloc_h" "$ac_includes_default"
diff --git a/include/klee/Config/config.h.in b/include/klee/Config/config.h.in
index 9adf7306..008b2f90 100644
--- a/include/klee/Config/config.h.in
+++ b/include/klee/Config/config.h.in
@@ -69,6 +69,10 @@
 /* Z3 needs a Z3_context passed to Z3_get_error_msg() */
 #undef HAVE_Z3_GET_ERROR_MSG_NEEDS_CONTEXT
 
+/* Define to empty or 'const' depending on how SELinux qualifies its security
+   context parameters. */
+#undef KLEE_SELINUX_CTX_CONST
+
 /* LLVM version is release (instead of development) */
 #undef LLVM_IS_RELEASE
 
diff --git a/runtime/POSIX/selinux.c b/runtime/POSIX/selinux.c
index 38acba6c..c07aa7d9 100644
--- a/runtime/POSIX/selinux.c
+++ b/runtime/POSIX/selinux.c
@@ -23,7 +23,7 @@
 int exe_selinux = 1;
 
 /* NULL is the default policy behavior */
-security_context_t create_con = NULL;
+KLEE_SELINUX_CTX_CONST char *create_con = NULL;
 
 
 int is_selinux_enabled() {
@@ -33,13 +33,13 @@ int is_selinux_enabled() {
 
 /***/
 
-int getfscreatecon(security_context_t *context) {
-  *context = create_con;
+int getfscreatecon(char **context) {
+  *context = (char *)create_con;
   return 0;
 }
 
 
-int setfscreatecon(security_context_t context) {
+int setfscreatecon(KLEE_SELINUX_CTX_CONST char *context) {
   if (context == NULL) {
     create_con = context;
     return 0;
@@ -56,7 +56,7 @@ int setfscreatecon(security_context_t context) {
 
 /***/
 
-int setfilecon(const char *path, security_context_t con) {
+int setfilecon(const char *path, KLEE_SELINUX_CTX_CONST char *con) {
   if (con)
     return 0;
   
@@ -64,17 +64,17 @@ int setfilecon(const char *path, security_context_t con) {
   return -1;  
 }
 
-int lsetfilecon(const char *path, security_context_t con) {
+int lsetfilecon(const char *path, KLEE_SELINUX_CTX_CONST char *con) {
   return setfilecon(path, con);
 }
 
-int fsetfilecon(int fd, security_context_t con) {
+int fsetfilecon(int fd, KLEE_SELINUX_CTX_CONST char *con) {
   return setfilecon("", con);
 }
 
 /***/
 
-void freecon(security_context_t con) {}
-void freeconary(security_context_t *con) {}
+void freecon(char *con) {}
+void freeconary(char **con) {}
 
 #endif