On 5/9/19 4:42 AM, Petr Lautrbach wrote:
get_ordered_context_list() code used to ask the kernel to compute the complete set of reachable contexts using /sys/fs/selinux/user aka security_compute_user(). This set can be so huge that it doesn't fit into a kernel page and security_compute_user() fails. Even if it doesn't fail, get_ordered_context_list() throws away the vast majority of the returned contexts because they don't match anything in /etc/selinux/targeted/contexts/default_contexts or /etc/selinux/targeted/contexts/users/.

get_ordered_context_list() is rewritten to compute the set of contexts based on the /etc/selinux/targeted/contexts/users/ and /etc/selinux/targeted/contexts/default_contexts files and to return only valid contexts, using security_check_context(), from this set.

Fixes: https://github.com/SELinuxProject/selinux/issues/28
Signed-off-by: Petr Lautrbach <plautrba@xxxxxxxxxx>
---
 libselinux/src/get_context_list.c | 185 ++++++++++-------------------
 1 file changed, 60 insertions(+), 125 deletions(-)
diff --git a/libselinux/src/get_context_list.c b/libselinux/src/get_context_list.c index 689e4658..a36c6253 100644 --- a/libselinux/src/get_context_list.c +++ b/libselinux/src/get_context_list.c @@ -180,7 +143,8 @@ static int get_context_order(FILE * fp, return -1; fromrole = context_role_get(con); fromtype = context_type_get(con); - if (!fromrole || !fromtype) { + fromlevel = context_range_get(con); + if (!fromrole || !fromtype || !fromlevel) { context_free(con); return -1; }
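Review bot: the `!fromlevel` condition added to the check in get_context_order() turns a missing MLS range into a hard failure (`context_free(con); return -1;`), yet context_range_get(con) returns NULL for any context that carries no level, which is the normal case on a policy built without MLS, so every entry would be rejected on such systems. Suggest keeping the original `if (!fromrole || !fromtype) {` and letting fromlevel be NULL, since context_range_set() accepts a NULL range.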
One caveat here: MLS is still optional for SELinux and IIRC Gentoo doesn't enable it, so the from-context may not have any level and context_range_get() can legitimately return NULL in that case. context_range_set(con, NULL) is also legitimate and won't cause any errors. So you don't need to check that fromlevel is non-NULL as long as you are only using it later in context_range_set().