!37 [sync] PR-36: backport patch

From: @openeuler-sync-bot 
Reviewed-by: @HuaxinLuGitee 
Signed-off-by: @HuaxinLuGitee

backport-libselinux-Fix-potential-undefined-shifts.patch

@@ -0,0 +1,135 @@
+From c3ad59cc975d4848b6af37cbcb5caeb6fcb9bdb4 Mon Sep 17 00:00:00 2001
+From: James Carter <jwcart2@gmail.com>
+Date: Fri, 8 Oct 2021 15:07:36 -0400
+Reference:https://github.com/SELinuxProject/selinux/commit/c3ad59cc975d4848b6af37cbcb5caeb6fcb9bdb4
+Conflict:adapter filepath
+Subject: [PATCH] libselinux: Fix potential undefined shifts
+
+An expression of the form "1 << x" is undefined if x == 31 because
+the "1" is an int and cannot be left shifted by 31.
+
+Instead, use "UINT32_C(1) << x" which will be an unsigned int of
+at least 32 bits.
+
+Signed-off-by: James Carter <jwcart2@gmail.com>
+Signed-off-by: lujie42  <lujie42@huawei.com>
+---
+ src/mapping.c   | 22 +++++++++++-----------
+ src/stringrep.c |  8 ++++----
+ 2 files changed, 15 insertions(+), 15 deletions(-)
+
+diff --git a/src/mapping.c b/src/mapping.c
+index 96395fd4..dd2f1039 100644
+--- a/src/mapping.c
++++ b/src/mapping.c
+@@ -144,9 +144,9 @@ unmap_perm(security_class_t tclass, access_vector_t tperm)
+ 		access_vector_t kperm = 0;
+ 
+ 		for (i = 0; i < current_mapping[tclass].num_perms; i++)
+-			if (tperm & (1<<i)) {
++			if (tperm & (UINT32_C(1)<<i)) {
+ 				kperm |= current_mapping[tclass].perms[i];
+-				tperm &= ~(1<<i);
++				tperm &= ~(UINT32_C(1)<<i);
+ 			}
+ 		return kperm;
+ 	}
+@@ -191,7 +191,7 @@ map_perm(security_class_t tclass, access_vector_t kperm)
+ 
+ 		for (i = 0; i < current_mapping[tclass].num_perms; i++)
+ 			if (kperm & current_mapping[tclass].perms[i]) {
+-				tperm |= 1<<i;
++				tperm |= UINT32_C(1)<<i;
+ 				kperm &= ~current_mapping[tclass].perms[i];
+ 			}
+ 
+@@ -216,30 +216,30 @@ map_decision(security_class_t tclass, struct av_decision *avd)
+ 
+ 		for (i = 0, result = 0; i < n; i++) {
+ 			if (avd->allowed & mapping->perms[i])
+-				result |= 1<<i;
++				result |= UINT32_C(1)<<i;
+ 			else if (allow_unknown && !mapping->perms[i])
+-				result |= 1<<i;
++				result |= UINT32_C(1)<<i;
+ 		}
+ 		avd->allowed = result;
+ 
+ 		for (i = 0, result = 0; i < n; i++) {
+ 			if (avd->decided & mapping->perms[i])
+-				result |= 1<<i;
++				result |= UINT32_C(1)<<i;
+ 			else if (allow_unknown && !mapping->perms[i])
+-				result |= 1<<i;
++				result |= UINT32_C(1)<<i;
+ 		}
+ 		avd->decided = result;
+ 
+ 		for (i = 0, result = 0; i < n; i++)
+ 			if (avd->auditallow & mapping->perms[i])
+-				result |= 1<<i;
++				result |= UINT32_C(1)<<i;
+ 		avd->auditallow = result;
+ 
+ 		for (i = 0, result = 0; i < n; i++) {
+ 			if (avd->auditdeny & mapping->perms[i])
+-				result |= 1<<i;
++				result |= UINT32_C(1)<<i;
+ 			else if (!allow_unknown && !mapping->perms[i])
+-				result |= 1<<i;
++				result |= UINT32_C(1)<<i;
+ 		}
+ 
+ 		/*
+@@ -248,7 +248,7 @@ map_decision(security_class_t tclass, struct av_decision *avd)
+ 		 * a bug in the object manager.
+ 		 */
+ 		for (; i < (sizeof(result)*8); i++)
+-			result |= 1<<i;
++			result |= UINT32_C(1)<<i;
+ 		avd->auditdeny = result;
+ 	}
+ }
+diff --git a/src/stringrep.c b/src/stringrep.c
+index 012a740a..2fe69f43 100644
+--- a/src/stringrep.c
++++ b/src/stringrep.c
+@@ -229,7 +229,7 @@ access_vector_t string_to_av_perm(security_class_t tclass, const char *s)
+ 		size_t i;
+ 		for (i = 0; i < MAXVECTORS && node->perms[i] != NULL; i++)
+ 			if (strcmp(node->perms[i],s) == 0)
+-				return map_perm(tclass, 1<<i);
++				return map_perm(tclass, UINT32_C(1)<<i);
+ 	}
+ 
+ 	errno = EINVAL;
+@@ -261,7 +261,7 @@ const char *security_av_perm_to_string(security_class_t tclass,
+ 	node = get_class_cache_entry_value(tclass);
+ 	if (av && node)
+ 		for (i = 0; i<MAXVECTORS; i++)
+-			if ((1<<i) & av)
++			if ((UINT32_C(1)<<i) & av)
+ 				return node->perms[i];
+ 
+ 	return NULL;
+@@ -279,7 +279,7 @@ int security_av_string(security_class_t tclass, access_vector_t av, char **res)
+ 	/* first pass computes the required length */
+ 	for (i = 0; tmp; tmp >>= 1, i++) {
+ 		if (tmp & 1) {
+-			str = security_av_perm_to_string(tclass, av & (1<<i));
++			str = security_av_perm_to_string(tclass, av & (UINT32_C(1)<<i));
+ 			if (str)
+ 				len += strlen(str) + 1;
+ 		}
+@@ -303,7 +303,7 @@ int security_av_string(security_class_t tclass, access_vector_t av, char **res)
+ 	ptr += sprintf(ptr, "{ ");
+ 	for (i = 0; tmp; tmp >>= 1, i++) {
+ 		if (tmp & 1) {
+-			str = security_av_perm_to_string(tclass, av & (1<<i));
++			str = security_av_perm_to_string(tclass, av & (UINT32_C(1)<<i));
+ 			if (str)
+ 				ptr += sprintf(ptr, "%s ", str);
+ 		}
+-- 
+1.8.3.1
+

backport-libselinux-correctly-hash-specfiles-larger-than-4G.patch

@@ -0,0 +1,66 @@
+From e17619792fa1e342c7f0a819077129adff438cd1 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Christian=20G=C3=B6ttsche?= <cgzones@googlemail.com>
+Date: Wed, 13 Apr 2022 17:56:33 +0200
+Subject: [PATCH] libselinux: correctly hash specfiles larger than 4G
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+The internal Sha1Update() functions only handles buffers up to a size of
+UINT32_MAX, due to its usage of the type uint32_t.  This causes issues
+when processing more than UINT32_MAX bytes, e.g. with a specfile larger
+than 4G.  0aa974a4 ("libselinux: limit has buffer size") tried to
+address this issue, but failed since the overflow check
+
+    if (digest->hashbuf_size + buf_len < digest->hashbuf_size) {
+
+will be done in the widest common type, which is size_t, the type of
+`buf_len`.
+
+Revert the type of `hashbuf_size` to size_t and instead process the data
+in blocks of supported size.
+
+Acked-by: James Carter <jwcart2@gmail.com>
+Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
+Reverts: 0aa974a4 ("libselinux: limit has buffer size")
+
+Reference:https://github.com/SELinuxProjrct/selinux/commit/e17619792fa1e342c7f0a819077129adff438cd1
+Confilict delete modified label_internal.h
+---
+ libselinux/src/label_support.c  | 14 +++++++++++++-
+ 1 files changed, 13 insertions(+), 1 deletions(-)
+
+diff --git a/src/label_support.c b/src/label_support.c
+index 94ed6e42..54fd49a5 100644
+--- a/src/label_support.c
++++ b/src/label_support.c
+@@ -116,13 +116,25 @@ int  read_spec_entries(char *line_buf, const char **errbuf, int num_args, ...)
+ void  digest_gen_hash(struct selabel_digest *digest)
+ {
+ 	Sha1Context context;
++	size_t remaining_size;
++	const unsigned char *ptr;
+ 
+ 	/* If SELABEL_OPT_DIGEST not set then just return */
+ 	if (!digest)
+ 		return;
+ 
+ 	Sha1Initialise(&context);
+-	Sha1Update(&context, digest->hashbuf, digest->hashbuf_size);
++
++	/* Process in blocks of UINT32_MAX bytes */
++	remaining_size = digest->hashbuf_size;
++	ptr = digest->hashbuf;
++	while (remaining_size > UINT32_MAX) {
++		Sha1Update(&context, ptr, UINT32_MAX);
++		remaining_size -= UINT32_MAX;
++		ptr += UINT32_MAX;
++	}
++	Sha1Update(&context, ptr, remaining_size);
++
+ 	Sha1Finalise(&context, (SHA1_HASH *)digest->digest);
+ 	free(digest->hashbuf);
+ 	digest->hashbuf = NULL;
+-- 
+2.27.0
+

backport-libselinux-fix-segfault-in-add_xattr_entry.patch

@@ -0,0 +1,79 @@
+From 142826a38e974b54a45022c0a0a8dce13a8225dc Mon Sep 17 00:00:00 2001
+From: Petr Lautrbach <plautrba@redhat.com>
+Date: Mon, 15 Feb 2021 14:05:53 +0100
+Reference:https://github.com/SELinuxProject/selinux/commit/142826a38e974b54a45022c0a0a8dce13a8225
+Conflict:adapter filepath
+Subject: [PATCH] libselinux: fix segfault in add_xattr_entry()
+
+When selabel_get_digests_all_partial_matches(), resp
+get_digests_all_partial_matches() doesn't find a match,
+calculated_digest is not initialized and followup memcmp() could
+segfault. Given that calculated_digest and xattr_digest are already
+compared in get_digests_all_partial_matches() and the function returns
+true or false based on this comparison, it's not necessary to compare
+these values again.
+
+Fixes:
+    # cd /root
+    # mkdir tmp
+    # restorecon -D -Rv tmp  # create security.sehash attribute
+    # restorecon_xattr -d -v tmp
+    specfiles SHA1 digest: afc752f47d489f3e82ac1da8fd247a2e1a6af5f8
+    calculated using the following specfile(s):
+    /etc/selinux/targeted/contexts/files/file_contexts.subs_dist
+    /etc/selinux/targeted/contexts/files/file_contexts.subs
+    /etc/selinux/targeted/contexts/files/file_contexts.bin
+    /etc/selinux/targeted/contexts/files/file_contexts.homedirs.bin
+    /etc/selinux/targeted/contexts/files/file_contexts.local.bin
+
+    Segmentation fault (core dumped)
+
+Signed-off-by: Petr Lautrbach <plautrba@redhat.com>
+Signed-off-by: l00564439 <luhuaxin1@huawei.com>
+---
+ libselinux/src/selinux_restorecon.c | 14 +++++++-------
+ 1 file changed, 7 insertions(+), 7 deletions(-)
+
+diff --git a/src/selinux_restorecon.c b/src/selinux_restorecon.c
+index 6993be6f..63fb8dc5 100644
+--- a/src/selinux_restorecon.c
++++ b/src/selinux_restorecon.c
+@@ -297,6 +297,7 @@ static int add_xattr_entry(const char *directory, bool delete_nonmatch,
+ 	char *sha1_buf = NULL;
+ 	size_t i, digest_len = 0;
+ 	int rc, digest_result;
++	bool match;
+ 	struct dir_xattr *new_entry;
+ 	uint8_t *xattr_digest = NULL;
+ 	uint8_t *calculated_digest = NULL;
+@@ -306,9 +307,9 @@ static int add_xattr_entry(const char *directory, bool delete_nonmatch,
+ 		return -1;
+ 	}
+ 
+-	selabel_get_digests_all_partial_matches(fc_sehandle, directory,
+-						&calculated_digest,
+-						&xattr_digest, &digest_len);
++	match = selabel_get_digests_all_partial_matches(fc_sehandle, directory,
++								&calculated_digest, &xattr_digest,
++								&digest_len);
+ 
+ 	if (!xattr_digest || !digest_len) {
+ 		free(calculated_digest);
+@@ -326,11 +327,10 @@ static int add_xattr_entry(const char *directory, bool delete_nonmatch,
+ 	for (i = 0; i < digest_len; i++)
+ 		sprintf((&sha1_buf[i * 2]), "%02x", xattr_digest[i]);
+ 
+-	rc = memcmp(calculated_digest, xattr_digest, digest_len);
+-	digest_result = rc ? NOMATCH : MATCH;
++	digest_result = match ? MATCH : NOMATCH;
+ 
+-	if ((delete_nonmatch && rc != 0) || delete_all) {
+-		digest_result = rc ? DELETED_NOMATCH : DELETED_MATCH;
++	if ((delete_nonmatch && !match) || delete_all) {
++		digest_result = match ? DELETED_MATCH : DELETED_NOMATCH;
+ 		rc = removexattr(directory, RESTORECON_PARTIAL_MATCH_DIGEST);
+ 		if (rc) {
+ 			selinux_log(SELINUX_ERROR,
+-- 
+2.23.0
+

do-malloc-trim-after-load-policy.patch

@@ -0,0 +1,35 @@
+From 3d5049f849226d54070651fdf96019d263c38363 Mon Sep 17 00:00:00 2001
+From: luhuaxin <1539327763@qq.com>
+Date: Wed, 2 Jun 2021 16:24:47 +0800
+Subject: [PATCH] do malloc trim after load policy
+
+---
+ src/load_policy.c | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+diff --git a/src/load_policy.c b/src/load_policy.c
+index 2aea826..ace898c 100644
+--- a/src/load_policy.c
++++ b/src/load_policy.c
+@@ -18,6 +18,7 @@
+ #include <dlfcn.h>
+ #include "policy.h"
+ #include <limits.h>
++#include <malloc.h>
+ 
+ #ifndef MNT_DETACH
+ #define MNT_DETACH 2
+@@ -365,7 +366,9 @@ int selinux_init_load_policy(int *enforce)
+ 	}
+ 
+ 	/* Load the policy. */
+-	return selinux_mkload_policy(0);
++	rc = selinux_mkload_policy(0);
++	malloc_trim(0);
++	return rc;
+ 
+       noload:
+ 	/*
+-- 
+1.8.3.1
+

libselinux.spec

@@ -1,14 +1,19 @@
 %global ruby_inc %(pkg-config --cflags ruby)
-%global libsepol_version 2.8
+%global libsepol_version 3.1
 
 Name:    libselinux
 Version: 3.1
-Release: 2
+Release: 7
 License: Public Domain
 Summary: SELinux library and simple utilities
 Url:     https://github.com/SELinuxProject/selinux/wiki
 Source0: https://raw.githubusercontent.com/wiki/SELinuxProject/selinux/files/releases/20180524/libselinux-3.1.tar.gz
 Patch0:  Fix-import-error-in-python2-package.patch
+Patch1: do-malloc-trim-after-load-policy.patch
+
+Patch6000: backport-libselinux-Fix-potential-undefined-shifts.patch 
+Patch6001: backport-libselinux-fix-segfault-in-add_xattr_entry.patch
+Patch6002: backport-libselinux-correctly-hash-specfiles-larger-than-4G.patch
 
 BuildRequires: gcc python3-devel systemd swig pcre2-devel xz-devel
 BuildRequires: python2-devel ruby-devel libsepol-static >= %{libsepol_version}
@@ -62,7 +67,13 @@ Provides: ruby(selinux)
 The libselinux-ruby package contains the ruby bindings for developing
 SELinux applications.
 
-%package_help
+%package help
+Summary:	Documents for %{name}
+Buildarch: 	noarch
+Requires:	man info
+
+%description help
+Man pages and other related documents for %{name}
 
 %prep
 %autosetup -p 1 -n libselinux-%{version}
@@ -144,6 +155,21 @@ mv %{buildroot}%{_sbindir}/getconlist %{buildroot}%{_sbindir}/selinuxconlist
 %{_mandir}/ru/man8/*
 
 %changelog
+* Tue Apr 11 2023 zhangguangzhi <zhangguangzhi3@huawei.com> - 3.1-7
+- backport patch
+
+* Thu Sep 1 2022 lujie <lujie54@huawei.com> - 3.1-6
+- update requires libsepol version 3.1
+
+* Fri Jul 1 2022 lujie <lujie54@huawei.com> - 3.1-5
+- fix segfault in add_xattr_entry()
+
+* Tue Nov 16 2021 lujie <lujie42@huawei.com> - 3.1-4
+- fix potential undefined shifts
+
+* Wed Jul 2 2021 luhuaxin <1539327763@qq.com> - 3.1-3
+- do malloc trim after load policy
+
 * Thu May 13 2021 weidong<weidong@uniontech.com> - 3.1-2
 - Fix import error in python2-selinux