mirror of
https://sourceware.org/git/glibc.git
synced 2024-12-26 20:51:11 +00:00
0699f766b1
The SELinux team has indicated to me that glibc's SELinux checks in nscd are not being carried out as they would expect the API to be used today. They would like to move away from static header defines for class and permissions and instead use dynamic checks at runtime that provide an answer which is dependent on the runtime status of SELinux i.e. more dynamic. The following patch is a minimal change that moves us forward in this direction. It does the following: * Stop checking for SELinux headers that define NSCD__SHMEMHOST. Check only for the presence or absence of the library. * Don't encode the specific SELinux permission constants into a table at build time, and instead use the symbolic name for the permission as expected. * Lookup the "What do we do if we don't know this permission?" policy and use that if we find SELinux's policy is older than the glibc policy e.g. we make a request for a permission that SELinux doesn't know about. * Lastly, translate the class and permission and then make the permission check. This is done every time we lookup a permission, and this is the expected way to use the API. SELinux will optimize this for us, and we expect the network latencies to hide these extra library calls. Tested on x86, x86-64, and via Fedora Rawhide since November 2013. See: https://sourceware.org/ml/libc-alpha/2014-04/msg00179.html |
||
|---|---|---|
| argp | ||
| assert | ||
| benchtests | ||
| bits | ||
| catgets | ||
| conf | ||
| conform | ||
| crypt | ||
| csu | ||
| ctype | ||
| debug | ||
| dirent | ||
| dlfcn | ||
| elf | ||
| gmon | ||
| gnulib | ||
| grp | ||
| gshadow | ||
| hesiod | ||
| hurd | ||
| iconv | ||
| iconvdata | ||
| include | ||
| inet | ||
| intl | ||
| io | ||
| libidn | ||
| libio | ||
| locale | ||
| localedata | ||
| login | ||
| mach | ||
| malloc | ||
| manual | ||
| math | ||
| misc | ||
| nis | ||
| nptl | ||
| nptl_db | ||
| nscd | ||
| nss | ||
| po | ||
| ports | ||
| posix | ||
| pwd | ||
| resolv | ||
| resource | ||
| rt | ||
| scripts | ||
| setjmp | ||
| shadow | ||
| signal | ||
| socket | ||
| soft-fp | ||
| stdio-common | ||
| stdlib | ||
| streams | ||
| string | ||
| sunrpc | ||
| sysdeps | ||
| sysvipc | ||
| termios | ||
| time | ||
| timezone | ||
| wcsmbs | ||
| wctype | ||
| .gitattributes | ||
| .gitignore | ||
| abi-tags | ||
| aclocal.m4 | ||
| BUGS | ||
| CANCEL-FCT-WAIVE | ||
| CANCEL-FILE-WAIVE | ||
| ChangeLog | ||
| ChangeLog.1 | ||
| ChangeLog.2 | ||
| ChangeLog.3 | ||
| ChangeLog.4 | ||
| ChangeLog.5 | ||
| ChangeLog.6 | ||
| ChangeLog.7 | ||
| ChangeLog.8 | ||
| ChangeLog.9 | ||
| ChangeLog.10 | ||
| ChangeLog.11 | ||
| ChangeLog.12 | ||
| ChangeLog.13 | ||
| ChangeLog.14 | ||
| ChangeLog.15 | ||
| ChangeLog.16 | ||
| ChangeLog.17 | ||
| config.h.in | ||
| config.make.in | ||
| configure | ||
| configure.ac | ||
| CONFORMANCE | ||
| COPYING | ||
| COPYING.LIB | ||
| cppflags-iterator.mk | ||
| extra-lib.mk | ||
| extra-modules.mk | ||
| INSTALL | ||
| libc-abis | ||
| LICENSES | ||
| Makeconfig | ||
| Makefile | ||
| Makefile.in | ||
| Makerules | ||
| NAMESPACE | ||
| NEWS | ||
| o-iterator.mk | ||
| PROJECTS | ||
| README | ||
| Rules | ||
| shlib-versions | ||
| test-skeleton.c | ||
| version.h | ||
| WUR-REPORT | ||
This directory contains the sources of the GNU C Library. See the file "version.h" for what release version you have. The GNU C Library is the standard system C library for all GNU systems, and is an important part of what makes up a GNU system. It provides the system API for all programs written in C and C-compatible languages such as C++ and Objective C; the runtime facilities of other programming languages use the C library to access the underlying operating system. In GNU/Linux systems, the C library works with the Linux kernel to implement the operating system behavior seen by user applications. In GNU/Hurd systems, it works with a microkernel and Hurd servers. The GNU C Library implements much of the POSIX.1 functionality in the GNU/Hurd system, using configurations i[4567]86-*-gnu. The current GNU/Hurd support requires out-of-tree patches that will eventually be incorporated into an official GNU C Library release. When working with Linux kernels, this version of the GNU C Library requires Linux kernel version 2.6.16 or later. Also note that the shared version of the libgcc_s library must be installed for the pthread library to work correctly. The GNU C Library supports these configurations for using Linux kernels: aarch64*-*-linux-gnu alpha*-*-linux-gnu arm-*-linux-gnueabi i[4567]86-*-linux-gnu x86_64-*-linux-gnu Can build either x86_64 or x32 ia64-*-linux-gnu m68k-*-linux-gnu microblaze*-*-linux-gnu mips-*-linux-gnu mips64-*-linux-gnu powerpc-*-linux-gnu Hardware or software floating point, BE only. powerpc64*-*-linux-gnu Big-endian and little-endian. s390-*-linux-gnu s390x-*-linux-gnu sh[34]-*-linux-gnu sparc*-*-linux-gnu sparc64*-*-linux-gnu tilegx-*-linux-gnu tilepro-*-linux-gnu The code for other CPU configurations supported by volunteers outside of the core glibc maintenance effort is contained in the `ports' add-on, located in the `ports' subdirectory of the source tree. hppa-*-linux-gnu Not currently functional without patches. If you are interested in doing a port, please contact the glibc maintainers; see http://www.gnu.org/software/libc/ for more information. See the file INSTALL to find out how to configure, build, and install the GNU C Library. You might also consider reading the WWW pages for the C library at http://www.gnu.org/software/libc/. The GNU C Library is (almost) completely documented by the Texinfo manual found in the `manual/' subdirectory. The manual is still being updated and contains some known errors and omissions; we regret that we do not have the resources to work on the manual as much as we would like. For corrections to the manual, please file a bug in the `manual' component, following the bug-reporting instructions below. Please be sure to check the manual in the current development sources to see if your problem has already been corrected. Please see http://www.gnu.org/software/libc/bugs.html for bug reporting information. We are now using the Bugzilla system to track all bug reports. This web page gives detailed information on how to report bugs properly. The GNU C Library is free software. See the file COPYING.LIB for copying conditions, and LICENSES for notices about a few contributions that require these additional notices to be distributed. License copyright years may be listed using range notation, e.g., 2000-2013, indicating that every year in the range, inclusive, is a copyrightable year that would otherwise be listed individually.