On Thu, Jun 23, 2016 at 3:52 PM, Dan Jurgens <danielj@xxxxxxxxxxxx> wrote: > From: Daniel Jurgens <danielj@xxxxxxxxxxxx> > > Support for Infiniband requires the addition of two new object contexts, > one for infiniband PKeys and another IB End Ports. Added handlers to read > and write the new ocontext types when reading or writing a binary policy > representation. > > Signed-off-by: Daniel Jurgens <danielj@xxxxxxxxxxxx> > Reviewed-by: Eli Cohen <eli@xxxxxxxxxxxx> > --- > security/selinux/include/security.h | 3 +- > security/selinux/ss/policydb.c | 129 +++++++++++++++++++++++++++++++----- > security/selinux/ss/policydb.h | 27 +++++--- > 3 files changed, 135 insertions(+), 24 deletions(-) ... > diff --git a/security/selinux/ss/policydb.c b/security/selinux/ss/policydb.c > index 992a315..78b819c 100644 > --- a/security/selinux/ss/policydb.c > +++ b/security/selinux/ss/policydb.c > @@ -2219,6 +2229,58 @@ static int ocontext_read(struct policydb *p, struct policydb_compat_info *info, > goto out; > break; > } > + case OCON_PKEY: { > + rc = next_entry(nodebuf, fp, sizeof(u32) * 6); > + if (rc) > + goto out; > + > + c->u.pkey.subnet_prefix = be64_to_cpu(*((__be64 *)nodebuf)); > + /* The subnet prefix is stored as an IPv6 > + * address in the policy. > + * > + * Check that the lower 2 DWORDS are 0. > + */ Any particular reason why you reusing an IPv6 address format here? Why not use a u64 for the prefix and u16/u32 fields for the partition keys? > + if (nodebuf[2] || nodebuf[3]) { > + rc = -EINVAL; > + goto out; > + } > + > + if (nodebuf[4] > 0xffff || > + nodebuf[5] > 0xffff) { > + rc = -EINVAL; > + goto out; > + } > + > + c->u.pkey.low_pkey = le32_to_cpu(nodebuf[4]); > + c->u.pkey.high_pkey = le32_to_cpu(nodebuf[5]); > + > + rc = context_read_and_validate(&c->context[0], > + p, > + fp); > + if (rc) > + goto out; > + break; > + } > + case OCON_IB_END_PORT: This is a little bit of bikeshedding, but is there such thing as an IB "port" that isn't an *end* "port"? Could we simply use OCON_IB_PORT? > + rc = next_entry(buf, fp, sizeof(u32) * 2); > + if (rc) > + goto out; > + len = le32_to_cpu(buf[0]); > + > + rc = str_read(&c->u.ib_end_port.dev_name, GFP_KERNEL, > + fp, > + len); > + if (rc) > + goto out; > + > + c->u.ib_end_port.port = le32_to_cpu(buf[1]); No range checking on the port value like you do on the partition keys above? > + rc = context_read_and_validate(&c->context[0], > + p, > + fp); > + if (rc) > + goto out; > + break; > } > } > } -- paul moore security @ redhat _______________________________________________ Selinux mailing list Selinux@xxxxxxxxxxxxx To unsubscribe, send email to Selinux-leave@xxxxxxxxxxxxx. To get help, send an email containing "help" to Selinux-request@xxxxxxxxxxxxx.