[PATCH 1/2] libselinux: Add selinux_restorecon option to treat conflicting specifications as an error.

[PATCH 1/2] libselinux: Add selinux_restorecon option to treat conflicting specifications as an error.

[Chris PeBenito]

Signed-off-by: Chris PeBenito <chpebeni@linux.microsoft.com>
---
 libselinux/include/selinux/restorecon.h  | 37 ++++++++++++++----------
 libselinux/man/man3/selinux_restorecon.3 |  4 +++
 libselinux/src/selinux_restorecon.c      | 13 +++++++--
 3 files changed, 36 insertions(+), 18 deletions(-)

diff --git a/libselinux/include/selinux/restorecon.h b/libselinux/include/selinux/restorecon.h
index 754b8645..466de39a 100644
--- a/libselinux/include/selinux/restorecon.h
+++ b/libselinux/include/selinux/restorecon.h
@@ -30,77 +30,82 @@ extern int selinux_restorecon(const char *pathname,
  * Force the checking of labels even if the stored SHA1 digest
  * matches the specfiles SHA1 digest (requires CAP_SYS_ADMIN).
  */
-#define SELINUX_RESTORECON_IGNORE_DIGEST		0x0001
+#define SELINUX_RESTORECON_IGNORE_DIGEST		0x00001
 /*
  * Do not change file labels.
  */
-#define SELINUX_RESTORECON_NOCHANGE			0x0002
+#define SELINUX_RESTORECON_NOCHANGE			0x00002
 /*
  * If set, change file label to that in spec file.
  * If not, only change type component to that in spec file.
  */
-#define SELINUX_RESTORECON_SET_SPECFILE_CTX		0x0004
+#define SELINUX_RESTORECON_SET_SPECFILE_CTX		0x00004
 /*
  * Recursively descend directories.
  */
-#define SELINUX_RESTORECON_RECURSE			0x0008
+#define SELINUX_RESTORECON_RECURSE			0x00008
 /*
  * Log changes to selinux log. Note that if VERBOSE and
  * PROGRESS are set, then PROGRESS will take precedence.
  */
-#define SELINUX_RESTORECON_VERBOSE			0x0010
+#define SELINUX_RESTORECON_VERBOSE			0x00010
 /*
  * If SELINUX_RESTORECON_PROGRESS is true and
  * SELINUX_RESTORECON_MASS_RELABEL is true, then output approx % complete,
  * else output the number of files in 1k blocks processed to stdout.
  */
-#define SELINUX_RESTORECON_PROGRESS			0x0020
+#define SELINUX_RESTORECON_PROGRESS			0x00020
 /*
  * Convert passed-in pathname to canonical pathname.
  */
-#define SELINUX_RESTORECON_REALPATH			0x0040
+#define SELINUX_RESTORECON_REALPATH			0x00040
 /*
  * Prevent descending into directories that have a different
  * device number than the pathname from which the descent began.
  */
-#define SELINUX_RESTORECON_XDEV				0x0080
+#define SELINUX_RESTORECON_XDEV				0x00080
 /*
  * Attempt to add an association between an inode and a specification.
  * If there is already an association for the inode and it conflicts
  * with the specification, then use the last matching specification.
  */
-#define SELINUX_RESTORECON_ADD_ASSOC			0x0100
+#define SELINUX_RESTORECON_ADD_ASSOC			0x00100
 /*
  * Abort on errors during the file tree walk.
  */
-#define SELINUX_RESTORECON_ABORT_ON_ERROR		0x0200
+#define SELINUX_RESTORECON_ABORT_ON_ERROR		0x00200
 /*
  * Log any label changes to syslog.
  */
-#define SELINUX_RESTORECON_SYSLOG_CHANGES		0x0400
+#define SELINUX_RESTORECON_SYSLOG_CHANGES		0x00400
 /*
  * Log what spec matched each file.
  */
-#define SELINUX_RESTORECON_LOG_MATCHES			0x0800
+#define SELINUX_RESTORECON_LOG_MATCHES			0x00800
 /*
  * Ignore files that do not exist.
  */
-#define SELINUX_RESTORECON_IGNORE_NOENTRY		0x1000
+#define SELINUX_RESTORECON_IGNORE_NOENTRY		0x01000
 /*
  * Do not read /proc/mounts to obtain a list of non-seclabel
  * mounts to be excluded from relabeling checks.
  */
-#define SELINUX_RESTORECON_IGNORE_MOUNTS		0x2000
+#define SELINUX_RESTORECON_IGNORE_MOUNTS		0x02000
 /*
  * Set if there is a mass relabel required.
  * See SELINUX_RESTORECON_PROGRESS flag for details.
  */
-#define SELINUX_RESTORECON_MASS_RELABEL			0x4000
+#define SELINUX_RESTORECON_MASS_RELABEL			0x04000
 /*
  * Set if no digest is to be read or written (as only processes
  * running with CAP_SYS_ADMIN can read/write digests).
  */
-#define SELINUX_RESTORECON_SKIP_DIGEST			0x8000
+#define SELINUX_RESTORECON_SKIP_DIGEST			0x08000
+
+/*
+ * Set to treat conflicting specifications as errors.
+ */
+#define SELINUX_RESTORECON_CONFLICT_ERROR		0x10000
 
 /**
  * selinux_restorecon_set_sehandle - Set the global fc handle.
diff --git a/libselinux/man/man3/selinux_restorecon.3 b/libselinux/man/man3/selinux_restorecon.3
index f6e5f2d7..ad637406 100644
--- a/libselinux/man/man3/selinux_restorecon.3
+++ b/libselinux/man/man3/selinux_restorecon.3
@@ -152,6 +152,10 @@ Setting
 .B SELINUX_RESTORECON_IGNORE_MOUNTS
 is useful where there is a non-seclabel fs mounted with a seclabel fs mounted
 on a directory below this.
+.sp
+.B SELINUX_RESTORECON_CONFLICT_ERROR
+to treat conflicting specifications, such as where two hardlinks for the
+same inode have different contexts, as errors.
 .RE
 .sp
 The behavior regarding the checking and updating of the SHA1 digest described
diff --git a/libselinux/src/selinux_restorecon.c b/libselinux/src/selinux_restorecon.c
index 028d8924..91dfeb66 100644
--- a/libselinux/src/selinux_restorecon.c
+++ b/libselinux/src/selinux_restorecon.c
@@ -81,6 +81,7 @@ struct rest_flags {
 	bool log_matches;
 	bool ignore_noent;
 	bool warnonnomatch;
+	bool conflicterror;
 };
 
 static void restorecon_init(void)
@@ -418,7 +419,8 @@ static file_spec_t *fl_head;
  * different context that matched the inode, then use the first context
  * that matched.
  */
-static int filespec_add(ino_t ino, const char *con, const char *file)
+static int filespec_add(ino_t ino, const char *con, const char *file,
+			struct rest_flags *flags)
 {
 	file_spec_t *prevfl, *fl;
 	int h, ret;
@@ -458,6 +460,11 @@ static int filespec_add(ino_t ino, const char *con, const char *file)
 			fl->file = strdup(file);
 			if (!fl->file)
 				goto oom;
+			if (flags->conflicterror) {
+				selinux_log(SELINUX_ERROR,
+				"treating conflicting specifications as an error.\n");
+				return -1;
+			}
 			return 1;
 		}
 
@@ -645,7 +652,7 @@ static int restorecon_sb(const char *pathname, const struct stat *sb,
 	}
 
 	if (flags->add_assoc) {
-		rc = filespec_add(sb->st_ino, newcon, pathname);
+		rc = filespec_add(sb->st_ino, newcon, pathname, flags);
 
 		if (rc < 0) {
 			selinux_log(SELINUX_ERROR,
@@ -833,6 +840,8 @@ int selinux_restorecon(const char *pathname_orig,
 	flags.ignore_noent = (restorecon_flags &
 		   SELINUX_RESTORECON_IGNORE_NOENTRY) ? true : false;
 	flags.warnonnomatch = true;
+	flags.conflicterror = (restorecon_flags &
+		   SELINUX_RESTORECON_CONFLICT_ERROR) ? true : false;
 	ignore_mounts = (restorecon_flags &
 		   SELINUX_RESTORECON_IGNORE_MOUNTS) ? true : false;
 	bool ignore_digest = (restorecon_flags &
-- 
2.21.1

[PATCH 2/2] setfiles: Add -E option to treat conflicting specifications as errors.

[Chris PeBenito]

Signed-off-by: Chris PeBenito <chpebeni@linux.microsoft.com>
---
 policycoreutils/setfiles/restore.c  |  2 +-
 policycoreutils/setfiles/restore.h  |  1 +
 policycoreutils/setfiles/setfiles.8 |  5 +++++
 policycoreutils/setfiles/setfiles.c | 10 +++++++---
 4 files changed, 14 insertions(+), 4 deletions(-)

diff --git a/policycoreutils/setfiles/restore.c b/policycoreutils/setfiles/restore.c
index d3335d1a..9d688c60 100644
--- a/policycoreutils/setfiles/restore.c
+++ b/policycoreutils/setfiles/restore.c
@@ -41,7 +41,7 @@ void restore_init(struct restore_opts *opts)
 			   opts->xdev | opts->abort_on_error |
 			   opts->syslog_changes | opts->log_matches |
 			   opts->ignore_noent | opts->ignore_mounts |
-			   opts->mass_relabel;
+			   opts->mass_relabel | opts->conflict_error;
 
 	/* Use setfiles, restorecon and restorecond own handles */
 	selinux_restorecon_set_sehandle(opts->hnd);
diff --git a/policycoreutils/setfiles/restore.h b/policycoreutils/setfiles/restore.h
index b64042a6..ac6ad680 100644
--- a/policycoreutils/setfiles/restore.h
+++ b/policycoreutils/setfiles/restore.h
@@ -34,6 +34,7 @@ struct restore_opts {
 	unsigned int log_matches;
 	unsigned int ignore_noent;
 	unsigned int ignore_mounts;
+	unsigned int conflict_error;
 	/* restorecon_flags holds | of above for restore_init() */
 	unsigned int restorecon_flags;
 	char *rootpath;
diff --git a/policycoreutils/setfiles/setfiles.8 b/policycoreutils/setfiles/setfiles.8
index c9f8be06..0188a75a 100644
--- a/policycoreutils/setfiles/setfiles.8
+++ b/policycoreutils/setfiles/setfiles.8
@@ -12,6 +12,7 @@ setfiles \- set SELinux file security contexts.
 .RB [ \-n ]
 .RB [ \-e
 .IR directory ]
+.RB [ \-E ]
 .RB [ \-p ]
 .RB [ \-s ]
 .RB [ \-v ]
@@ -62,6 +63,10 @@ after ABORT_ON_ERRORS errors).
 .BI \-e \ directory
 directory to exclude (repeat option for more than one directory).
 .TP
+.BI \-E
+treat conflicting specifications as errors, such as where two hardlinks for
+the same inode have different contexts.
+.TP
 .BI \-f \ infilename
 .I infilename
 contains a list of files to be processed. Use
diff --git a/policycoreutils/setfiles/setfiles.c b/policycoreutils/setfiles/setfiles.c
index bc83c27b..16bd592c 100644
--- a/policycoreutils/setfiles/setfiles.c
+++ b/policycoreutils/setfiles/setfiles.c
@@ -48,8 +48,8 @@ static __attribute__((__noreturn__)) void usage(const char *const name)
 			name, name);
 	} else {
 		fprintf(stderr,
-			"usage:  %s [-diIDlmnpqvFW] [-e excludedir] [-r alt_root_path] spec_file pathname...\n"
-			"usage:  %s [-diIDlmnpqvFW] [-e excludedir] [-r alt_root_path] spec_file -f filename\n"
+			"usage:  %s [-diIDlmnpqvEFW] [-e excludedir] [-r alt_root_path] spec_file pathname...\n"
+			"usage:  %s [-diIDlmnpqvEFW] [-e excludedir] [-r alt_root_path] spec_file -f filename\n"
 			"usage:  %s -s [-diIDlmnpqvFW] spec_file\n"
 			"usage:  %s -c policyfile spec_file\n",
 			name, name, name, name);
@@ -169,7 +169,7 @@ int main(int argc, char **argv)
 	const char *base;
 	int errors = 0;
 	const char *ropts = "e:f:hiIDlmno:pqrsvFRW0";
-	const char *sopts = "c:de:f:hiIDlmno:pqr:svFR:W0";
+	const char *sopts = "c:de:f:hiIDlmno:pqr:svEFR:W0";
 	const char *opts;
 	union selinux_callback cb;
 
@@ -313,6 +313,10 @@ int main(int argc, char **argv)
 			r_opts.syslog_changes =
 					   SELINUX_RESTORECON_SYSLOG_CHANGES;
 			break;
+		case 'E':
+			r_opts.conflict_error =
+					   SELINUX_RESTORECON_CONFLICT_ERROR;
+			break;
 		case 'F':
 			r_opts.set_specctx =
 					   SELINUX_RESTORECON_SET_SPECFILE_CTX;
-- 
2.21.1