On Tue, Oct 23, 2018 at 3:02 AM Ondrej Mosnacek <omosnace@xxxxxxxxxx> wrote:
> Do the LE conversions before doing the Infiniband-related range checks.
> The incorrect checks are otherwise causing a failure to load any policy
> with an ibendportcon rule on BE systems. This can be reproduced by
> running (on e.g. ppc64):
>
> cat >my_module.cil <<EOF
> (type test_ibendport_t)
> (roletype object_r test_ibendport_t)
> (ibendportcon mlx4_0 1 (system_u object_r test_ibendport_t ((s0) (s0))))
> EOF
> semodule -i my_module.cil
>
> Also, fix loading/storing the 64-bit subnet prefix for OCON_IBPKEY to
> use a correctly aligned buffer.
>
> Finally, do not use the 'nodebuf' (u32) buffer where 'buf' (__le32)
> should be used instead.
>
> Tested internally on a ppc64 machine with a RHEL 7 kernel with this
> patch applied.
>
> Cc: Daniel Jurgens <danielj@xxxxxxxxxxxx>
> Cc: Eli Cohen <eli@xxxxxxxxxxxx>
> Cc: James Morris <jmorris@xxxxxxxxx>
> Cc: Doug Ledford <dledford@xxxxxxxxxx>
> Cc: <stable@xxxxxxxxxxxxxxx> # 4.13+
> Fixes: a806f7a1616f ("selinux: Create policydb version for Infiniband support")
> Signed-off-by: Ondrej Mosnacek <omosnace@xxxxxxxxxx>
> ---
>  security/selinux/ss/policydb.c | 51 ++++++++++++++++++++++++----------
>  1 file changed, 36 insertions(+), 15 deletions(-)
>
> Changes in v6:
>  - use U8_MAX as the limit for ibendport.port value to emphasize that it
>    is an 8-bit value
>
> Changes in v5:
>  - defer also assignment to 8-bit ibendport.port
>
> Changes in v4:
>  - defer assignment to 16-bit struct fields to after the range check
>
> Changes in v3:
>  - use separate buffer for the 64-bit subnet_prefix
>  - add comments on the byte ordering of subnet_prefix
>  - deduplicate the le32_to_cpu() calls from checks
>
> Changes in v2:
>  - add reproducer to commit message
>  - update e-mail address of James Morris
>  - better Cc also the old SELinux ML

You know what they say: sixth time is the charm :)

Merged into selinux/next, thanks all.

-- 
paul moore
www.paul-moore.com
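
The ordering problem described in the quoted commit message and its v4/v5 changelog entries, as an added user-space example that is not part of this thread or of the kernel patch. The helper and function names and the sample byte strings are assumptions made for the illustration; `le32_decode()` stands in for `le32_to_cpu()`, and `raw_load_on_be()` models a big-endian CPU reading the word without conversion, so the result is the same on any host.

```c
#include <stdint.h>
#include <stdio.h>
#define U8_MAX 0xffu

/* Constructed on-disk words (little-endian): port 1 and out-of-range 257. */
static const uint8_t PORT_1[4]   = { 0x01, 0x00, 0x00, 0x00 };
static const uint8_t PORT_257[4] = { 0x01, 0x01, 0x00, 0x00 };

/* Portable stand-in for le32_to_cpu(): decode four bytes as little-endian. */
static uint32_t le32_decode(const uint8_t b[4])
{
    return (uint32_t)b[0] | ((uint32_t)b[1] << 8) |
           ((uint32_t)b[2] << 16) | ((uint32_t)b[3] << 24);
}

/* What a big-endian CPU gets when it loads the same bytes unconverted. */
static uint32_t raw_load_on_be(const uint8_t b[4])
{
    return ((uint32_t)b[0] << 24) | ((uint32_t)b[1] << 16) |
           ((uint32_t)b[2] << 8) | (uint32_t)b[3];
}

/* Hypothetical: range check on the unconverted word; port 1 reads as 0x01000000. */
int port_check_before_convert(const uint8_t b[4])
{
    return raw_load_on_be(b) > U8_MAX ? -1 : (int)le32_decode(b);
}

/* Hypothetical: store into an 8-bit field first, then check the field. */
int port_narrow_before_check(const uint8_t b[4])
{
    uint8_t field = (uint8_t)le32_decode(b);   /* 257 truncates to 1 */
    uint32_t stored = field;
    return stored > U8_MAX ? -1 : (int)stored; /* this check can no longer fail */
}

/* Convert, check the full 32-bit value, only then narrow to 8 bits. */
int port_convert_check_assign(const uint8_t b[4])
{
    uint32_t v = le32_decode(b);
    return v > U8_MAX ? -1 : (int)(uint8_t)v;
}

int main(void)
{
    printf("%d %d %d %d\n", port_check_before_convert(PORT_1),
           port_narrow_before_check(PORT_257),
           port_convert_check_assign(PORT_1), port_convert_check_assign(PORT_257));
    return 0;
}
```

The first result shows a valid port rejected when the check sees the unconverted word, and the second shows an out-of-range value accepted when the check runs on the already narrowed field.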