SOURCES: nss_db-enoent.patch (NEW), nss_db-initialize.patch (NEW), ...
baggins
baggins at pld-linux.org
Wed Oct 10 17:14:16 CEST 2007
Author: baggins Date: Wed Oct 10 15:14:16 2007 GMT
Module: SOURCES Tag: HEAD
---- Log message:
- patches from FC, descriptions inside
---- Files affected:
SOURCES:
nss_db-enoent.patch (NONE -> 1.1) (NEW), nss_db-initialize.patch (NONE -> 1.1) (NEW), nss_db-selinux.patch (NONE -> 1.1) (NEW), nss_db-uniqdb.patch (NONE -> 1.1) (NEW)
---- Diffs:
================================================================
Index: SOURCES/nss_db-enoent.patch
diff -u /dev/null SOURCES/nss_db-enoent.patch:1.1
--- /dev/null Wed Oct 10 17:14:16 2007
+++ SOURCES/nss_db-enoent.patch Wed Oct 10 17:14:11 2007
@@ -0,0 +1,16 @@
+Set errno to ENOENT so that we return it as an error in case a particular
+lookup fails. The glibc NSS layer checks our return code and kicks errno
+back to the caller. If we don't set it, anywhere, on error, then the
+previous error is returned. That can be ERANGE, which would cause NSS to
+allocate a larger buffer and try again. For no-such-key errors, this was
+exactly what was happening, and it could result in an out-of-memory error.
+--- nss_db-2.2/src/db-XXX.c Tue Apr 26 13:07:23 2005
++++ nss_db-2.2/src/db-XXX.c Tue Apr 26 13:07:18 2005
+@@ -122,6 +122,7 @@
+ }
+
+ /* Succeed iff it matches a value that parses correctly. */
++ *errnop = ENOENT;
+ value.flags = 0;
+ err = db->get (db, NULL, key, &value, 0);
+ if (err)
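Review bot: `*errnop = ENOENT;` is assigned before `db->get` runs, so a lookup that fails for a reason other than a missing key (an unreadable or corrupted database, a deadlock return) is also handed to the NSS caller as ENOENT, which hides the real cause behind "no such entry". Keeping the ERANGE-retry fix from the description while preserving that distinction only needs the assignment to move into the error path and be keyed on the return code, e.g. `*errnop = (err == DB_NOTFOUND) ? ENOENT : EIO;` as the first statement of the `if (err)` branch. That branch is outside the hunk, so whether it already maps `err` to a status or errno cannot be confirmed here; the enclosing function starts and ends outside the hunk as well.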
================================================================
Index: SOURCES/nss_db-initialize.patch
diff -u /dev/null SOURCES/nss_db-initialize.patch:1.1
--- /dev/null Wed Oct 10 17:14:16 2007
+++ SOURCES/nss_db-initialize.patch Wed Oct 10 17:14:11 2007
@@ -0,0 +1,12 @@
+Initialize all of the fields of the key to zeroes, so that we don't pass
+garbage keys in to later versions of Berkeley DB.
+--- nss_db-2.2/src/db-XXX.c 2005-03-29 16:13:57.103516704 -0500
++++ nss_db-2.2/src/db-XXX.c 2005-03-29 16:13:47.108821931 -0500
+@@ -225,6 +225,7 @@
+ DBT key; \
+ enum nss_status status; \
+ const size_t size = (keysize) + 1; \
++ memset(&key, 0, sizeof(key)); \
+ key.data = alloca (size); \
+ key.size = KEYPRINTF keypattern; \
+ key.flags = 0; \
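Review bot: The zeroing is done with a separate `memset` after the declaration, which makes the existing `key.flags = 0;` two lines later redundant and relies on `<string.h>` being in scope in db-XXX.c, which this hunk does not show. Initialising at the declaration, `DBT key = { 0 }; \`, gives the same "every field is zero" guarantee for the members (padding bytes aside, which Berkeley DB presumably does not read) without either dependency, and reads as the intent rather than as a fix-up. The macro this line lives in starts and ends outside the hunk.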
================================================================
Index: SOURCES/nss_db-selinux.patch
diff -u /dev/null SOURCES/nss_db-selinux.patch:1.1
--- /dev/null Wed Oct 10 17:14:16 2007
+++ SOURCES/nss_db-selinux.patch Wed Oct 10 17:14:11 2007
@@ -0,0 +1,149 @@
+Set the SELinux file creation context when opening databases for write access.
+Note that this does *not* change the context of existing files.
+
+--- nss_db-2.2/configure.in 2004-10-20 13:41:04.301436568 -0400
++++ nss_db-2.2/configure.in 2004-10-20 13:51:52.913832496 -0400
+@@ -73,6 +73,43 @@
+ *** Unsupported Berkeley DB version detected.])
+ fi
+
++AC_ARG_WITH(selinux,AC_HELP_STRING(--with-selinux,[enable SELinux support [[default=auto]]]),
++selinux=$withval,
++selinux=auto)
++
++libsave="$LIBS"
++if test x$selinux != no ; then
++ AC_CHECK_HEADERS(selinux/selinux.h)
++ if test x$ac_cv_header_selinux_selinux_h = xno ; then
++ if test x$selinux = xyes ; then
++ AC_MSG_ERROR([SELinux not detected])
++ else
++ AC_MSG_WARN([SELinux not detected])
++ selinux=no
++ fi
++ fi
++fi
++
++if test x$selinux != no ; then
++ AC_CHECK_FUNC(setfscreatecon,,[AC_CHECK_LIB(selinux,setfscreatecon)])
++ if test x$ac_cv_func_setfscreatecon = xno ; then
++ if test x$ac_cv_lib_selinux_setfscreatecon = xno ; then
++ if test x$selinux = xyes ; then
++ AC_MSG_ERROR([SELinux not detected])
++ else
++ AC_MSG_WARN([SELinux not detected])
++ selinux=no
++ fi
++ fi
++ fi
++fi
++if test x$selinux != no ; then
++ AC_DEFINE(SELINUX,1,[Define to have makedb set SELinux file contexts on created files.])
++fi
++
++SELINUX_LIBS="$LIBS"
++LIBS="$libsave"
++
+ AC_CANONICAL_HOST
+ slibdir=NONE
+ case "$host" in
+@@ -100,5 +137,6 @@
+
+ AC_SUBST(DB_CFLAGS)
+ AC_SUBST(DB_LIBS)
++AC_SUBST(SELINUX_LIBS)
+ AC_SUBST(slibdir)
+ AC_OUTPUT(Makefile)
+--- nss_db-2.2/src/Makefile.am 2004-10-20 13:47:22.207986040 -0400
++++ nss_db-2.2/src/Makefile.am 2004-10-20 13:48:46.242210896 -0400
+@@ -28,7 +28,7 @@
+
+ bin_PROGRAMS = makedb
+ makedb_SOURCES = makedb.c
+-makedb_LDADD = db-compat.lo @DB_LIBS@ @INTLLIBS@
++makedb_LDADD = db-compat.lo @DB_LIBS@ @INTLLIBS@ @SELINUX_LIBS@
+
+ # To mimmick the old glibc installation as closely as possible, we
+ # shuffle the installed library and the links to it around a bit,
+--- nss_db-2.2/src/makedb.c 2004-10-20 13:52:02.814327392 -0400
++++ nss_db-2.2/src/makedb.c 2004-10-20 14:06:07.605899552 -0400
+@@ -32,6 +32,10 @@
+ #include <string.h>
+ #include <sys/stat.h>
+
++#ifdef SELINUX
++#include <selinux/selinux.h>
++#endif
++
+ #include "db-compat.h"
+
+ #define N_(Text) Text
+@@ -95,6 +99,12 @@
+ int to_lowercase, int be_quiet);
+ static int print_database (DB *db);
+
++#ifdef SELINUX
++/* Set the SELinux file creation context for the given file. */
++static void set_file_creation_context (const char *outname, mode_t mode);
++#else
++#define set_file_creation_context(_outname,_mode)
++#endif
+
+ int
+ main (int argc, char *argv[])
+@@ -176,8 +186,10 @@
+
+ /* Open output file. This must not be standard output so we don't
+ handle "-" and "/dev/stdout" special. */
++ set_file_creation_context (output_name, mode);
+ status = db_open (output_name, DB_BTREE, DB_CREATE | DB_TRUNCATE, mode,
+ NULL, NULL, &db_file);
++ set_file_creation_context (NULL, 0);
+ if (status)
+ error (EXIT_FAILURE, 0, gettext ("cannot open output file `%s': %s"),
+ output_name, db_strerror (status));
+@@ -388,3 +400,44 @@
+
+ return EXIT_SUCCESS;
+ }
++
++
++#ifdef SELINUX
++static void
++set_file_creation_context (const char *outname, mode_t mode)
++{
++ static int enabled = -1;
++ security_context_t ctx;
++ /* Handle the "reset the context" case. */
++ if (outname == NULL)
++ {
++ setfscreatecon (NULL);
++ return;
++ }
++ /* Check if SELinux is enabled, and remember. */
++ if (enabled == -1)
++ {
++ enabled = is_selinux_enabled ();
++ }
++ if (enabled == 0)
++ {
++ return;
++ }
++ /* Determine the context which the file should have. */
++ ctx = NULL;
++ if (matchpathcon (outname, S_IFREG | mode, &ctx) != 0)
++ {
++ error (EXIT_FAILURE, 0,
++ gettext ("cannot determine file context for `%s'"), outname);
++ }
++ if (ctx != NULL)
++ {
++ if (setfscreatecon (ctx) != 0)
++ {
++ error (EXIT_FAILURE, 0,
++ gettext ("cannot set file creation context for `%s'"), outname);
++ }
++ freecon (ctx);
++ }
++}
++#endif
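Review bot: Both fatal `error ()` calls in set_file_creation_context pass `0` as the errnum, so when `matchpathcon` or `setfscreatecon` fails the operator is told only that the context could not be determined or set, not why (no policy entry for the path, permission denied, and so on); passing `errno` instead, `error (EXIT_FAILURE, errno, ...)`, costs nothing and makes the failure diagnosable. Separately, the cached `enabled` value is only short-circuited when it equals 0: if `is_selinux_enabled ()` reports an error with -1 (older libselinux documents that return), the cache never takes effect and every call falls through to `matchpathcon`, which then aborts makedb; `if (enabled <= 0) return;` treats "unknown" like "disabled", in line with the best-effort intent of the rest of the function. Note also that `setfscreatecon` is process-wide, so any additional file Berkeley DB creates inside `db_open` between the set and the `NULL` reset receives the same context, which is presumably intended but deserves a one-line comment at the call site.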
================================================================
Index: SOURCES/nss_db-uniqdb.patch
diff -u /dev/null SOURCES/nss_db-uniqdb.patch:1.1
--- /dev/null Wed Oct 10 17:14:16 2007
+++ SOURCES/nss_db-uniqdb.patch Wed Oct 10 17:14:11 2007
@@ -0,0 +1,19 @@
+Use AC_TRY_LINK to correctly detect db_version in a copy of libdb which has
+been built with the --with-uniquename flag.
+--- nss_db-2.2/configure.in 2003-12-02 16:22:42.000000000 -0500
++++ nss_db-2.2/configure.in 2003-12-02 16:22:37.000000000 -0500
+@@ -43,8 +43,12 @@
+ AC_CHECK_HEADER(db.h,, AC_MSG_ERROR([
+ *** Could not find Berkeley DB headers.]))
+
+-AC_CHECK_LIB(db, db_version,, AC_MSG_ERROR([
+-*** Could not find Berkeley DB library.]))
++AC_CHECK_LIB(db, db_version,,[
++libsave="$LIBS"
++LIBS="$LIBS $DB_LIBS -ldb"
++AC_MSG_CHECKING([for db_version in -ldb using the linker])
++AC_TRY_LINK([#include <db.h>],[db_version(0,0,0);],[libsave="$libsave -ldb";AC_MSG_RESULT([yes])],[AC_MSG_RESULT([no]);AC_MSG_ERROR([*** Could not find Berkeley DB library.])])
++LIBS="$libsave"])
+
+ AC_CACHE_CHECK([Berkeley DB version], nss_db_cv_db_version,
+ [AC_TRY_CPP(
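Review bot: `AC_TRY_LINK` has been superseded by `AC_LINK_IFELSE([AC_LANG_PROGRAM([[#include <db.h>]], [[db_version(0,0,0);]])], ...)` since autoconf 2.50; the old macro still works but `autoupdate` flags it, and the nested quoting of the single-line form is hard to audit. The fallback links the test program with `$LIBS $DB_LIBS -ldb` but on success appends only `-ldb` to `libsave`, so the result is correct only because `@DB_LIBS@` is substituted into the link line separately (the Makefile.am hunk in nss_db-selinux.patch shows it in `makedb_LDADD`); a short comment saying so would stop the next reader from suspecting a dropped flag. The result of this check is also not cached, unlike the `AC_CACHE_CHECK` version probe that follows it.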
================================================================