Stephen, attached please find the tiny patch for always loading the initial SIDs. Should I say "for review" ? It relies on SECINITSID_NUM which at the moment is statically defined in flask.h (and represents the maximum initial SID).
Author: Guido Trentalancia <guido@xxxxxxxxxxxxxxxx>
Date: Mon Feb 02 22:11:05 2010 +0100
Always load the initial SIDs, even in the case of a policy reload and not just at the initial policy load. This comes particularly handy after the introduction of a recent patch for enabling runtime switching between different policy types, although this patch is in theory independent from that feature.
Signed-off-by: Guido Trentalancia <guido@xxxxxxxxxxxxxxxx>
---
 security/selinux/ss/services.c | 14 ++++++++++----
 1 file changed, 10 insertions(+), 4 deletions(-)
--- security-testing-2.6/security/selinux/ss/services.c 2010-01-29 02:02:47.742042805 +0100
+++ security-testing-2.6-isids/security/selinux/ss/services.c 2010-02-02 22:09:47.809993219 +0100
@@ -1506,7 +1506,10 @@ static int clone_sid(u32 sid,
 {
 struct sidtab *s = arg;
- return sidtab_insert(s, sid, context);
+ if (sid > SECINITSID_NUM)
+ return sidtab_insert(s, sid, context);
+ else
+ return 0;
 }
 static inline int convert_context_handle_invalid_context(struct context *context)
@@ -1552,7 +1555,10 @@ static int convert_context(u32 key,
 struct user_datum *usrdatum;
 char *s;
 u32 len;
- int rc;
+ int rc = 0;
+
+ if (key <= SECINITSID_NUM)
+ goto out;
 args = p;
@@ -1712,9 +1718,9 @@ int security_load_policy(void *data, siz
 if (policydb_read(&newpolicydb, fp))
 return -EINVAL;
- if (sidtab_init(&newsidtab)) {
+ if (policydb_load_isids(&newpolicydb, &newsidtab)) {
 policydb_destroy(&newpolicydb);
- return -ENOMEM;
+ return -EINVAL;
 }
 if (selinux_set_mapping(&newpolicydb, secclass_map,
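Review bot: `clone_sid` now silently skips every SID up to `SECINITSID_NUM` without a word on why, and the `if`/`else` with two `return`s is heavier than the guard-clause form the rest of the file uses. The reason — presumably that `newsidtab` already holds the initial SIDs loaded from the new policy by `policydb_load_isids`, so the stale copies from the old table must not be cloned over them — belongs in a comment such as `/* initial SIDs were loaded from the new policy; do not clone the old ones */` above the test, and the body then reads as `if (sid <= SECINITSID_NUM) return 0;` followed by the unconditional `return sidtab_insert(s, sid, context);`. The cover note says `SECINITSID_NUM` is the maximum initial SID, so the `>` boundary is correct, but the same threshold is repeated verbatim in `convert_context` in the next hunk; a small `static inline` helper (e.g. `is_initial_sid(sid)`) would keep the two in step if the definition in flask.h ever changes.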
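Review bot: the early `goto out` under `if (key <= SECINITSID_NUM)` jumps over the whole body of `convert_context`, so it is only safe if the `out:` label does nothing but `return rc`; if any cleanup there touches `args`, `s` or `len`, those are still unset at that point. The rest of `convert_context`, including the `out:` label, is outside this hunk, so I cannot confirm it here — please check. A plain `return 0;` would make the intent self-evident and remove the dependency on the label, and a one-line comment such as `/* initial SIDs already carry the new policy's context; nothing to convert */` would explain the skip to the next reader.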
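Review bot: the error path after `policydb_load_isids` now returns `-EINVAL` for every failure, including the sidtab allocation failure that this call wraps (it replaces the former `sidtab_init(&newsidtab)`), so an out-of-memory condition during a reload is reported to userspace as a malformed policy. Capture and propagate the callee's code instead, e.g. `rc = policydb_load_isids(&newpolicydb, &newsidtab);` / `if (rc) { policydb_destroy(&newpolicydb); return rc; }` (using whatever status local `security_load_policy` already has). If `policydb_load_isids` can fail after it has initialised `newsidtab` — which the `-EINVAL` return suggests, since a validation failure would come after the table exists — the cleanup should also call `sidtab_destroy(&newsidtab)`, otherwise the partly filled table is leaked on the failed-reload path. `security_load_policy` continues outside the hunk, so I cannot see whether a later error path already handles this.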
Author: Guido Trentalancia <guido@xxxxxxxxxxxxxxxx>
Date: Mon Feb 02 22:11:05 2010 +0100
Always load the initial SIDs, even in the case of a policy reload and not just at the initial policy load. This comes particularly handy after the introduction of a recent patch for enabling runtime switching between different policy types, although this patch is in theory independent from that feature.
Signed-off-by: Guido Trentalancia <guido@xxxxxxxxxxxxxxxx>
---
 security/selinux/ss/services.c | 14 ++++++++++----
 1 file changed, 10 insertions(+), 4 deletions(-)
--- security-testing-2.6/security/selinux/ss/services.c 2010-01-29 02:02:47.742042805 +0100
+++ security-testing-2.6-isids/security/selinux/ss/services.c 2010-02-02 22:09:47.809993219 +0100
@@ -1506,7 +1506,10 @@ static int clone_sid(u32 sid,
 {
 struct sidtab *s = arg;
- return sidtab_insert(s, sid, context);
+ if (sid > SECINITSID_NUM)
+ return sidtab_insert(s, sid, context);
+ else
+ return 0;
 }
 static inline int convert_context_handle_invalid_context(struct context *context)
@@ -1552,7 +1555,10 @@ static int convert_context(u32 key,
 struct user_datum *usrdatum;
 char *s;
 u32 len;
- int rc;
+ int rc = 0;
+
+ if (key <= SECINITSID_NUM)
+ goto out;
 args = p;
@@ -1712,9 +1718,9 @@ int security_load_policy(void *data, siz
 if (policydb_read(&newpolicydb, fp))
 return -EINVAL;
- if (sidtab_init(&newsidtab)) {
+ if (policydb_load_isids(&newpolicydb, &newsidtab)) {
 policydb_destroy(&newpolicydb);
- return -ENOMEM;
+ return -EINVAL;
 }
 if (selinux_set_mapping(&newpolicydb, secclass_map,