libselinux/backport-libselinux-filter-arguments-with-path-separators.patch

From d31280c26e066d68c3061fc24f5951829f641e81 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Christian=20G=C3=B6ttsche?= <cgzones@googlemail.com>
Date: Mon, 14 Nov 2022 20:32:08 +0100
Subject: [PATCH] libselinux: filter arguments with path separators
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Boolean names, taken by security_get_boolean_pending(3),
security_get_boolean_active(3) and security_set_boolean(3), as well as
user names, taken by security_get_initial_context(3), are used in path
constructions.  Ensure they do not contain path separators to avoid
unwanted path traversal.

Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
Acked-by: James Carter <jwcart2@gmail.com>
---
 libselinux/src/booleans.c            | 5 +++--
 libselinux/src/get_initial_context.c | 5 +++++
 2 files changed, 8 insertions(+), 2 deletions(-)

diff --git a/src/booleans.c b/src/booleans.c
index dbcccd70..e34b39ff 100644
--- a/src/booleans.c
+++ b/src/booleans.c
@@ -131,7 +131,8 @@ char *selinux_boolean_sub(const char *name)
 			ptr++;
 		*ptr = '\0';
 
-		sub = strdup(dst);
+		if (!strchr(dst, '/'))
+			sub = strdup(dst);
 
 		break;
 	}
@@ -151,7 +152,7 @@ static int bool_open(const char *name, int flag) {
 	int ret;
 	char *ptr;
 
-	if (!name) {
+	if (!name || strchr(name, '/')) {
 		errno = EINVAL;
 		return -1;
 	}
diff --git a/src/get_initial_context.c b/src/get_initial_context.c
index 87c8adfa..0f25ba3f 100644
--- a/src/get_initial_context.c
+++ b/src/get_initial_context.c
@@ -23,6 +23,11 @@ int security_get_initial_context_raw(const char * name, char ** con)
 		return -1;
 	}
 
+	if (strchr(name, '/')) {
+		errno = EINVAL;
+		return -1;
+	}
+
 	ret = snprintf(path, sizeof path, "%s%s%s", selinux_mnt, SELINUX_INITCON_DIR, name);
 	if (ret < 0 || (size_t)ret >= sizeof path) {
 		errno = EOVERFLOW;
-- 
2.27.0