From 2821e827ecf5e8961a5d3750520caf8b7f09027c Mon Sep 17 00:00:00 2001
From: Stephen Smalley <sds@xxxxxxxxxxxxx>
Date: Mon, 23 Dec 2013 14:03:31 -0500
Subject: [PATCH] Fix a bug in the userspace AVC that broke per-domain permissive mode.

Failure to copy the entire av_decision structure, including the flags field, would prevent preservation of the SELINUX_AVD_FLAGS_PERMISSIVE flag and thus cause per-domain permissive to not be honored for userspace permission checks. Also ensure that we clear the entire structure.

Signed-off-by: Stephen Smalley <sds@xxxxxxxxxxxxx>
---
 libselinux/src/avc.c | 12 ++----------
 1 file changed, 2 insertions(+), 10 deletions(-)

diff --git a/libselinux/src/avc.c b/libselinux/src/avc.c
index f14eeb7..ccac699 100644
--- a/libselinux/src/avc.c
+++ b/libselinux/src/avc.c
@@ -336,11 +336,7 @@ static inline struct avc_node *avc_reclaim_node(void)
 
 static inline void avc_clear_avc_entry(struct avc_entry *ae)
 {
-	ae->ssid = ae->tsid = ae->create_sid = NULL;
-	ae->tclass = 0;
-	ae->avd.allowed = ae->avd.decided = 0;
-	ae->avd.auditallow = ae->avd.auditdeny = 0;
-	ae->used = 0;
+	memset(ae, 0, sizeof *ae);
 }
 
 static inline struct avc_node *avc_claim_node(security_id_t ssid,
@@ -488,11 +484,7 @@ static int avc_insert(security_id_t ssid, security_id_t tsid,
 		goto out;
 	}
 
-	node->ae.avd.allowed = ae->avd.allowed;
-	node->ae.avd.decided = ae->avd.decided;
-	node->ae.avd.auditallow = ae->avd.auditallow;
-	node->ae.avd.auditdeny = ae->avd.auditdeny;
-	node->ae.avd.seqno = ae->avd.seqno;
+	memcpy(&node->ae.avd, &ae->avd, sizeof ae->avd);
 	aeref->ae = &node->ae;
 out:
 	return rc;
-- 
1.8.3.1
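Review bot: The memcpy added in avc_insert would be better written as a plain struct assignment, `node->ae.avd = ae->avd;`, which the compiler type-checks (both operands must be the same struct type, so a size or type mismatch becomes a compile error instead of a silent over- or under-copy) and which states the intent without a sizeof that must be kept in step with the operands. The same reasoning applies to the memset in avc_clear_avc_entry in the first hunk, where `*ae = (struct avc_entry){0};` is the type-safe equivalent, though memset is acceptable there since it also clears padding. Whichever form is kept, a one-line comment at the copy would stop the field-by-field regression this commit fixes from creeping back when av_decision grows: `/* copy the whole av_decision, including flags, so SELINUX_AVD_FLAGS_PERMISSIVE survives caching */`. avc_insert begins before this hunk, so how node's remaining fields are initialized is not visible here.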