KaiGai Kohei wrote:
> Joshua Brindle wrote:
>> KaiGai Kohei wrote:
>>> Joshua Brindle wrote:
>>>> KaiGai Kohei wrote:
>>>>> The attached patch for libsepol adds support for a new policy version
>>>>> named (MOD_)POLICYDB_VERSION_BOUNDARY.
>>>>> Userspace hierarchy checks are reworked in this revision.
>>>>>
>> I'm seeing a couple of problems. First, when writing out the policy
>> it doesn't seem to respect policyvers; I told it to generate
>> a version 23 and it still made a 24.
>
> Are you saying a configuration of "policy-version = 23" in semanage.conf
> is ignored? I could not reproduce it in my environment.
> Could you tell me the steps to reproduce it?
>
> I injected several printf()'s, but it shows a proper policyvers
> which reflects semanage.conf correctly.
>
>> Second, it is failing to downgrade the 24 to 23 since my kernel doesn't support 24.
>

I'm not sure why this wasn't happening to you, but from what I can tell the new patch was returning from type_write when an attribute was passed in; however, the length of the table was not updated. This caused policydb_read to read over the edge of the type symbol table, resulting in badness.

Rather than trying to calculate the length without attributes I just removed the attribute check. This causes attributes to be written for all versions, but this should not cause any problems at all. Do you have a problem with this, Stephen?

index 6f1f655..d2c2c32 100644
--- a/libsepol/src/write.c
+++ b/libsepol/src/write.c
@@ -954,15 +954,6 @@ static int type_write(hashtab_key_t key, hashtab_datum_t datum, void *ptr) typdatum = (type_datum_t *) datum; - /* - * The kernel policy version less than 24 (= POLICYDB_VERSION_BOUNDARY) - * does not support to load entries of attribute, so we skip to write it. - */ - if (p->policy_type == POLICY_KERN - && p->policyvers < POLICYDB_VERSION_BOUNDARY - && typdatum->flavor == TYPE_ATTRIB) - return POLICYDB_SUCCESS; - len = strlen(key); items = 0; buf[items++] = cpu_to_le32(len); -- This message was distributed to subscribers of the selinux mailing list. If you no longer wish to subscribe, send mail to majordomo@xxxxxxxxxxxxx with the words "unsubscribe selinux" without quotes as the message.
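Review bot: dropping the early return is the minimal fix for the read-past-the-end failure described in the message, since type_write is a per-entry hashtab callback and returning POLICYDB_SUCCESS for an attribute there silently shortens the table without touching the entry count that policydb_read trusts; if a version-gated skip is ever wanted again it has to filter before that count is written, not inside the per-entry writer. The removed `/* The kernel policy version less than 24 ... */` comment was the only record of why attributes were withheld from pre-24 kernel policies, so consider replacing it with a one-line note that attributes are deliberately written for every policy version, to stop the next reader reinstating the check.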
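The failure mode Joshua describes above, as an added example that is not libsepol code: a toy symbol table whose on-disk layout (a count, then length-prefixed entries) is invented here for illustration, written once with the version-gated skip inside the per-entry writer and once with the filter applied before the count is committed, then read back by a reader that bounds-checks every read. The names write_table_buggy, write_table_fixed, read_table and roundtrip, the sample type/attribute names, and the 24 boundary constant are assumptions of this example, not libsepol's API or format.

```c
/* Added example, not libsepol code: the table layout and names are invented. */
#include <stdint.h>
#include <string.h>

#define TYPE_TYPE   0
#define TYPE_ATTRIB 1
#define POLICYDB_VERSION_BOUNDARY 24   /* first version that carries attributes */

typedef struct { const char *name; uint32_t flavor; uint32_t value; } toy_type_t;
typedef struct { uint8_t *buf; size_t cap; size_t len; int overflow; } wbuf_t;

static void put_bytes(wbuf_t *w, const void *p, size_t n)
{
    if (w->len + n > w->cap) { w->overflow = 1; return; }
    memcpy(w->buf + w->len, p, n);
    w->len += n;
}

static void put_u32(wbuf_t *w, uint32_t v)   /* little-endian, like cpu_to_le32 */
{
    uint8_t le[4] = { v & 0xff, (v >> 8) & 0xff, (v >> 16) & 0xff, (v >> 24) & 0xff };
    put_bytes(w, le, 4);
}

/* Version gate: attributes only exist on disk for policies >= BOUNDARY. */
static int keep_entry(const toy_type_t *t, uint32_t policyvers)
{
    return !(policyvers < POLICYDB_VERSION_BOUNDARY && t->flavor == TYPE_ATTRIB);
}

static void write_entry(wbuf_t *w, const toy_type_t *t)
{
    uint32_t len = (uint32_t)strlen(t->name);
    put_u32(w, len); put_u32(w, t->value); put_u32(w, t->flavor);
    put_bytes(w, t->name, len);
}

/* Buggy: the full count goes out first, then entries are dropped inside the
 * loop, mirroring the early return in type_write that the patch removes. */
size_t write_table_buggy(const toy_type_t *t, size_t n, uint32_t policyvers,
                         uint8_t *out, size_t cap)
{
    wbuf_t w = { out, cap, 0, 0 };
    put_u32(&w, (uint32_t)n);                 /* count committed before filtering */
    for (size_t i = 0; i < n; i++)
        if (keep_entry(&t[i], policyvers))    /* else dropped, count never adjusted */
            write_entry(&w, &t[i]);
    return w.overflow ? 0 : w.len;
}

/* Fixed: count only what will actually be emitted, then emit exactly that. */
size_t write_table_fixed(const toy_type_t *t, size_t n, uint32_t policyvers,
                         uint8_t *out, size_t cap)
{
    wbuf_t w = { out, cap, 0, 0 };
    uint32_t nprim = 0;
    for (size_t i = 0; i < n; i++)
        nprim += keep_entry(&t[i], policyvers) ? 1 : 0;
    put_u32(&w, nprim);
    for (size_t i = 0; i < n; i++)
        if (keep_entry(&t[i], policyvers))
            write_entry(&w, &t[i]);
    return w.overflow ? 0 : w.len;
}

static int get_u32(const uint8_t *b, size_t len, size_t *off, uint32_t *v)
{
    if (*off + 4 > len) return -1;
    *v = (uint32_t)b[*off] | (uint32_t)b[*off + 1] << 8 |
         (uint32_t)b[*off + 2] << 16 | (uint32_t)b[*off + 3] << 24;
    *off += 4; return 0;
}

/* Reader in the style of policydb_read: trusts the count but bounds-checks
 * each read.  Returns entries read, or -1 when the count leads past the end
 * of the buffer, which an unchecked reader would turn into an OOB read. */
int read_table(const uint8_t *buf, size_t len)
{
    size_t off = 0;
    uint32_t nprim, slen, value, flavor;
    if (get_u32(buf, len, &off, &nprim) < 0) return -1;
    for (uint32_t i = 0; i < nprim; i++) {
        if (get_u32(buf, len, &off, &slen) < 0 ||
            get_u32(buf, len, &off, &value) < 0 ||
            get_u32(buf, len, &off, &flavor) < 0 ||
            off + slen > len)
            return -1;
        off += slen;
    }
    return (int)nprim;
}

/* Write the constructed sample table with the chosen writer and policy
 * version, then return what the reader makes of the result. */
int roundtrip(int use_fixed, uint32_t policyvers)
{
    static const toy_type_t types[] = {   /* constructed sample data */
        { "sshd_t", TYPE_TYPE, 1 }, { "domain", TYPE_ATTRIB, 2 }, { "sshd_exec_t", TYPE_TYPE, 3 },
    };
    uint8_t buf[256];
    size_t n = use_fixed ? write_table_fixed(types, 3, policyvers, buf, sizeof buf)
                         : write_table_buggy(types, 3, policyvers, buf, sizeof buf);
    return read_table(buf, n);
}
```

With a version-23 target the buggy writer emits a count of 3 but only two entries, so read_table runs off the end and returns -1; the fixed writer emits a count of 2 and reads back cleanly, and at version 24 both writers emit all three entries. A real policydb_read without the bounds check would instead read whatever follows the table, which is the "badness" the thread refers to.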