On Mon, May 2, 2022 at 10:43 AM Christian Göttsche <cgzones@xxxxxxxxxxxxxx> wrote:
>
> The arrays for the policy capability names, the initial sid identifiers
> and the class and permission names are not changed at runtime. Declare
> them const to avoid accidental modification.
>
> Do not override the classmap and the initial sid list in the build time
> script genheaders.
>
> Check fclose(3) is successful in genheaders.c, otherwise the written data
> might be corrupted or incomplete.
>
> Signed-off-by: Christian Göttsche <cgzones@xxxxxxxxxxxxxx>
> ---
> v2:
>    Drop const exemption for genheaders script by rewriting stoupperx().
> v3:
>    - Declare some additional data arrays const
>    - Do not use static buffer in genheaders.c::stoupperx()
>    - Check fclose(3) in genheaders.c
> ---
>  scripts/selinux/genheaders/genheaders.c       | 75 +++++++++++--------
>  scripts/selinux/mdp/mdp.c                     |  4 +-
>  security/selinux/avc.c                        |  2 +-
>  security/selinux/include/avc_ss.h             |  2 +-
>  security/selinux/include/classmap.h           |  2 +-
>  .../selinux/include/initial_sid_to_string.h   |  4 +-
>  security/selinux/include/policycap.h          |  2 +-
>  security/selinux/include/policycap_names.h    |  2 +-
>  security/selinux/ss/avtab.c                   |  2 +-
>  security/selinux/ss/policydb.c                | 36 ++++-----
>  security/selinux/ss/services.c                |  4 +-
>  11 files changed, 72 insertions(+), 63 deletions(-)

Thanks, this revision is much better, merged into selinux/next.  I did
have to apply parts of this patch manually, so if you notice anything
wrong with the commit please let me know.

--
paul-moore.com
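The two points in the quoted commit message, read-only tables declared const and a checked fclose(3), as an added example that is not part of the thread or of the kernel's genheaders.c: a constructed userspace writer that emits one line per table entry and treats a failed close as a failed write. The table contents, the function names, the /tmp output path and the use of /dev/full (a Linux device whose writes fail with ENOSPC) to provoke a close-time error are all assumptions of this example.

```c
#include <errno.h>
#include <stdio.h>
#include <string.h>

/* Constructed sample table. Declared const (pointer array and strings) so the
 * compiler rejects an accidental write such as sample_names[0] = "x";
 * this mirrors the intent of the patch, not the kernel's real tables. */
static const char *const sample_names[] = { "alpha", "beta", "gamma" };
static const size_t sample_count = sizeof(sample_names) / sizeof(sample_names[0]);

/*
 * Write one line per table entry to `path`.
 * Returns 0 on success, -1 with errno set on failure.
 *
 * stdio buffers output, so a short write, ENOSPC or EIO on the final flush is
 * reported only by fclose(). A bare fclose(fp); discards that status and the
 * caller believes a truncated or corrupted file is complete.
 */
int write_names_checked(const char *path)
{
	FILE *fp = fopen(path, "w");
	if (!fp)
		return -1;

	for (size_t i = 0; i < sample_count; i++) {
		if (fprintf(fp, "%s\n", sample_names[i]) < 0) {
			int saved = errno;
			fclose(fp);	/* already failing; keep the first error */
			errno = saved;
			return -1;
		}
	}

	/* The flush happens here; this is the check the commit message adds. */
	if (fclose(fp) != 0)
		return -1;
	return 0;
}

/*
 * Count newline-terminated lines in `path`, -1 on error. Used to confirm that
 * a successful checked write really produced every entry of the table.
 */
long count_lines(const char *path)
{
	FILE *fp = fopen(path, "r");
	if (!fp)
		return -1;

	long lines = 0;
	int c;
	while ((c = fgetc(fp)) != EOF)
		if (c == '\n')
			lines++;

	if (ferror(fp)) {
		fclose(fp);
		return -1;
	}
	if (fclose(fp) != 0)
		return -1;
	return lines;
}

int main(void)
{
	/* Constructed output path for the demonstration. */
	const char *out = "/tmp/fclose_check_example.txt";

	if (write_names_checked(out) != 0) {
		perror("write_names_checked");
		return 1;
	}
	printf("%s: %ld lines written\n", out, count_lines(out));

	/* Every fprintf() succeeds into the buffer; only fclose() reports ENOSPC. */
	if (write_names_checked("/dev/full") != 0)
		printf("/dev/full: write rejected at close: %s\n", strerror(errno));
	return 0;
}
```

The /dev/full case is the one the commit message is guarding against: nothing in the loop fails, so a version that ignored the fclose() result would report success after producing no usable data.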