libselinux: Compiled file context files and the original should have the same permissions

Currently the compiled file context files can end up with different permissions then the original. This can lead to non priv users not being able to read the compiled versions.
2024-11-28 22:10:34 +00:00 · 2014-08-16 07:37:42 -04:00 · 2014-08-16 07:37:42 -04:00 · 70b23853a8
commit 70b23853a8
parent 52623801c4
1 changed files with 15 additions and 0 deletions
--- a/libselinux/utils/sefcontext_compile.c
+++ b/libselinux/utils/sefcontext_compile.c
@ -4,6 +4,9 @@
 #include <stdint.h>
 #include <stdio.h>
 #include <string.h>
+#include <unistd.h>
+#include <sys/types.h>
+#include <sys/stat.h>

 #include <linux/limits.h>

@ -334,6 +337,7 @@ int main(int argc, char *argv[])
 	int rc;
 	char *tmp= NULL;
 	int fd;
+	struct stat buf;

 	if (argc != 2) {
 		fprintf(stderr, "usage: %s input_file\n", argv[0]);
@ -344,6 +348,11 @@ int main(int argc, char *argv[])

 	path = argv[1];

+	if (stat(path, &buf) < 0) {
+		fprintf(stderr, "Can not stat: %s: %m\n", path);
+		exit(EXIT_FAILURE);
+	}
+
 	rc = process_file(&data, path);
 	if (rc < 0)
 		return rc;
@ -363,6 +372,12 @@ int main(int argc, char *argv[])
 	if (fd < 0)
 		goto err;

+	rc = fchmod(fd, buf.st_mode);
+	if (rc < 0) {
+		perror("fchmod failed to set permission on compiled regexs");
+		goto err;
+	}
+
 	rc = write_binary_file(&data, fd);

 	if (rc < 0)