From patchwork Sun May 1 18:37:58 2022
X-Patchwork-Submitter: Dominick Grift
X-Patchwork-Id: 1624927
X-Patchwork-Delegate: daniel@makrotopia.org
From: Dominick Grift
To: openwrt-devel@lists.openwrt.org
Cc: Dominick Grift
Subject: [PATCH v2] Addresses sed in-place without SELinux awareness
Date: Sun, 1 May 2022 20:37:58 +0200
Message-Id: <20220501183758.184326-1-dominick.grift@defensec.nl>
In-Reply-To: <20220501175404.182574-1-dominick.grift@defensec.nl>
References: <20220501175404.182574-1-dominick.grift@defensec.nl>

sed(1) in busybox does not support this functionality:
https://git.savannah.gnu.org/cgit/sed.git/tree/sed/execute.c#n598

This causes /etc/group to become mislabeled when a package requests that a
uid/gid be added on OpenWrt with SELinux

Signed-off-by: Dominick Grift
---
v2: fixes missing $IPKG_INSTROOT and avoids potential issues in set -e environments

 package/base-files/files/lib/functions.sh | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/package/base-files/files/lib/functions.sh b/package/base-files/files/lib/functions.sh index ee0c33845c..942020ec0a 100644 --- a/package/base-files/files/lib/functions.sh +++ b/package/base-files/files/lib/functions.sh @@ -387,6 +387,9 @@ group_add_user() { [ -n "$IPKG_INSTROOT" ] || lock /var/lock/passwd sed -i "s/$grp/$grp$delim$2/g" ${IPKG_INSTROOT}/etc/group [ -n "$IPKG_INSTROOT" ] || lock -u /var/lock/passwd + if [ -x /usr/sbin/selinuxenabled ] && selinuxenabled; then + restorecon ${IPKG_INSTROOT}/etc/group + fi } user_add() {
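
Review bot: The added restorecon block in group_add_user() sits after `lock -u /var/lock/passwd`, so /etc/group carries the wrong label for a window in which the passwd lock is already released and another caller can run its own `sed -i` on the file; moving the three added lines above the unlock would keep the rewrite and the relabel in one critical section. The condition also tests `/usr/sbin/selinuxenabled` and the SELinux state of the system executing the script, while the file being relabelled is `${IPKG_INSTROOT}/etc/group`. When IPKG_INSTROOT is set, the two lock lines are skipped via `[ -n "$IPKG_INSTROOT" ] ||`, but the relabel is not, so either apply the same guard or note in the commit message why relabelling under the install root from the host's SELinux state is intended. Minor: the `-x` test uses an absolute path while `selinuxenabled` and `restorecon` are then resolved through PATH, and restorecon's presence is not checked; `${IPKG_INSTROOT}/etc/group` is unquoted, matching the existing sed line.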