* [PATCH v2] flask: sort io{port,mem}con entries
@ 2018-10-05 16:33 Daniel De Graaf
From: Daniel De Graaf @ 2018-10-05 16:33 UTC (permalink / raw)
  To: xen-devel, Nicolas Poirot; +Cc: George Dunlap, Daniel De Graaf, Jan Beulich

These entries are not always sorted by checkpolicy, so sort them during
policy load (as is already done for later ocontext additions).

Reported-by: Nicolas Poirot <nicolas.poirot@bertin.fr>
Signed-off-by: Daniel De Graaf <dgdegra@tycho.nsa.gov>
---
 xen/xsm/flask/ss/policydb.c | 35 +++++++++++++++++++++++++++++------
 1 file changed, 29 insertions(+), 6 deletions(-)

diff --git a/xen/xsm/flask/ss/policydb.c b/xen/xsm/flask/ss/policydb.c
index 3a12d96ef9..9426164353 100644
--- a/xen/xsm/flask/ss/policydb.c
+++ b/xen/xsm/flask/ss/policydb.c
@@ -1737,7 +1737,7 @@ int policydb_read(struct policydb *p, void *fp)
 {
     struct role_allow *ra, *lra;
     struct role_trans *tr, *ltr;
-    struct ocontext *l, *c /*, *newc*/;
+    struct ocontext *l, *c, **pn;
     int i, j, rc;
     __le32 buf[8];
     u32 len, /*len2,*/ config, nprim, nel /*, nel2*/;
@@ -1994,6 +1994,7 @@ int policydb_read(struct policydb *p, void *fp)
         if ( rc < 0 )
             goto bad;
         nel = le32_to_cpu(buf[0]);
+        pn = &p->ocontexts[i];
         l = NULL;
         for ( j = 0; j < nel; j++ )
         {
@@ -2003,11 +2004,6 @@ int policydb_read(struct policydb *p, void *fp)
                 rc = -ENOMEM;
                 goto bad;
             }
-            if ( l )
-                l->next = c;
-            else
-                p->ocontexts[i] = c;
-            l = c;
             rc = -EINVAL;
             switch ( i )
             {
@@ -2050,6 +2046,18 @@ int policydb_read(struct policydb *p, void *fp)
                 rc = context_read_and_validate(&c->context, p, fp);
                 if ( rc )
                     goto bad;
+
+                if ( *pn || ( l && l->u.ioport.high_ioport >= c->u.ioport.low_ioport ) )
+                {
+                    pn = &p->ocontexts[i];
+                    l = *pn;
+                    while ( l && l->u.ioport.high_ioport < c->u.ioport.low_ioport ) {
+                        pn = &l->next;
+                        l = *pn;
+                    }
+                    c->next = l;
+                }
+                l = c;
                 break;
             case OCON_IOMEM:
                 if ( p->target_type != TARGET_XEN )
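Review bot: After the `while` loop, `l` is the first entry whose `high_ioport` reaches `c->u.ioport.low_ioport`, but nothing checks that `c` ends before `l` starts before `c->next = l` links it in, so overlapping ioportcon entries in the policy produce a list that is neither sorted nor, for lookups that take the first match, unambiguous; the description says later ocontext additions already keep the list sorted, and if that path rejects overlaps the loader should match it. A guard after the loop, `if ( l && c->u.ioport.high_ioport >= l->u.ioport.low_ioport ) { rc = -EINVAL; goto bad; }`, would do that, and the same applies to the iomem scan in the `@@ -2078` hunk. Both the `*pn` test and the no-rescan path also leave `c->next` as the allocator left it, so they rely on `c` being zero-allocated by code outside the hunk; a comment such as `/* c->next is NULL from allocation; only a mid-list insert sets it */` would record that. As a matter of style, `while ( ... ) {` puts the brace on the statement line, unlike the `{` on its own line in the `if` two lines above, and the ioport and iomem scans are identical apart from the union member and could share one small helper.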
@@ -2078,6 +2086,18 @@ int policydb_read(struct policydb *p, void *fp)
                 rc = context_read_and_validate(&c->context, p, fp);
                 if ( rc )
                     goto bad;
+
+                if ( *pn || ( l && l->u.iomem.high_iomem >= c->u.iomem.low_iomem ) )
+                {
+                    pn = &p->ocontexts[i];
+                    l = *pn;
+                    while ( l && l->u.iomem.high_iomem < c->u.iomem.low_iomem ) {
+                        pn = &l->next;
+                        l = *pn;
+                    }
+                    c->next = l;
+                }
+                l = c;
                 break;
             case OCON_DEVICE:
                 if ( p->target_type != TARGET_XEN )
@@ -2123,6 +2143,9 @@ int policydb_read(struct policydb *p, void *fp)
                 rc = -EINVAL;
                 goto bad;
             }
+
+            *pn = c;
+            pn = &c->next;
         }
     }
 
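Review bot: `c` only becomes reachable from `p->ocontexts[i]` at `*pn = c;`, so the `goto bad` exits taken after a successful allocation — the `context_read_and_validate` failures in the ioport and iomem arms and the `default:` case just above — now leave the freshly allocated entry unlinked, whereas the removed `l->next = c` / `p->ocontexts[i] = c` lines linked it immediately, so the `bad:` teardown (presumably a policydb_destroy, not visible here) could reclaim it. The leak is one entry and only on a failed policy load, but it is new with this patch. Routing those exits through a local `bad_c: xfree(c); goto bad;` placed after the allocation check, or at least a comment `/* c is not linked until *pn = c below: error exits must free it */` at the top of the switch, would address it. policydb_read continues outside the hunk.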
-- 
2.14.4



* Re: [PATCH v2] flask: sort io{port,mem}con entries
@ 2018-10-05 23:22 ` nicolas.poirot
From: nicolas.poirot @ 2018-10-05 23:22 UTC (permalink / raw)
  Cc: xen-devel, Daniel De Graaf, George Dunlap, Jan Beulich

> -----Daniel De Graaf <dgdegra@tycho.nsa.gov> wrote: -----
> To: xen-devel@lists.xenproject.org, Nicolas Poirot <nicolas.poirot@bertin.fr>
> From: Daniel De Graaf <dgdegra@tycho.nsa.gov>
> Date: 10/05/2018 06:33PM
> Cc: George Dunlap <dunlapg@umich.edu>, Jan Beulich <JBeulich@suse.com>, Daniel De Graaf <dgdegra@tycho.nsa.gov>
> Subject: [PATCH v2] flask: sort io{port,mem}con entries
> 
> These entries are not always sorted by checkpolicy, so sort them during
> policy load (as is already done for later ocontext additions).
> 
> Reported-by: Nicolas Poirot <nicolas.poirot@bertin.fr>
> Signed-off-by: Daniel De Graaf <dgdegra@tycho.nsa.gov>
> ---
>  xen/xsm/flask/ss/policydb.c | 35 +++++++++++++++++++++++++++++------
>  1 file changed, 29 insertions(+), 6 deletions(-)
> 
> diff --git a/xen/xsm/flask/ss/policydb.c b/xen/xsm/flask/ss/policydb.c
> index 3a12d96ef9..9426164353 100644
> --- a/xen/xsm/flask/ss/policydb.c
> +++ b/xen/xsm/flask/ss/policydb.c
> @@ -1737,7 +1737,7 @@ int policydb_read(struct policydb *p, void *fp)
>  {
>      struct role_allow *ra, *lra;
>      struct role_trans *tr, *ltr;
> -    struct ocontext *l, *c /*, *newc*/;
> +    struct ocontext *l, *c, **pn;
>      int i, j, rc;
>      __le32 buf[8];
>      u32 len, /*len2,*/ config, nprim, nel /*, nel2*/;
> @@ -1994,6 +1994,7 @@ int policydb_read(struct policydb *p, void *fp)
>          if ( rc < 0 )
>              goto bad;
>          nel = le32_to_cpu(buf[0]);
> +        pn = &p->ocontexts[i];
>          l = NULL;
>          for ( j = 0; j < nel; j++ )
>          {
> @@ -2003,11 +2004,6 @@ int policydb_read(struct policydb *p, void *fp)
>                  rc = -ENOMEM;
>                  goto bad;
>              }
> -            if ( l )
> -                l->next = c;
> -            else
> -                p->ocontexts[i] = c;
> -            l = c;
>              rc = -EINVAL;
>              switch ( i )
>              {
> @@ -2050,6 +2046,18 @@ int policydb_read(struct policydb *p, void *fp)
>                  rc = context_read_and_validate(&c->context, p, fp);
>                  if ( rc )
>                      goto bad;
> +
> +                if ( *pn || ( l && l->u.ioport.high_ioport >= c->u.ioport.low_ioport ) )
> +                {
> +                    pn = &p->ocontexts[i];
> +                    l = *pn;
> +                    while ( l && l->u.ioport.high_ioport < c->u.ioport.low_ioport ) {
> +                        pn = &l->next;
> +                        l = *pn;
> +                    }
> +                    c->next = l;
> +                }
> +                l = c;
>                  break;
>              case OCON_IOMEM:
>                  if ( p->target_type != TARGET_XEN )
> @@ -2078,6 +2086,18 @@ int policydb_read(struct policydb *p, void *fp)
>                  rc = context_read_and_validate(&c->context, p, fp);
>                  if ( rc )
>                      goto bad;
> +
> +                if ( *pn || ( l && l->u.iomem.high_iomem >= c->u.iomem.low_iomem ) )
> +                {
> +                    pn = &p->ocontexts[i];
> +                    l = *pn;
> +                    while ( l && l->u.iomem.high_iomem < c->u.iomem.low_iomem ) {
> +                        pn = &l->next;
> +                        l = *pn;
> +                    }
> +                    c->next = l;
> +                }
> +                l = c;
>                  break;
>              case OCON_DEVICE:
>                  if ( p->target_type != TARGET_XEN )
> @@ -2123,6 +2143,9 @@ int policydb_read(struct policydb *p, void *fp)
>                  rc = -EINVAL;
>                  goto bad;
>              }
> +
> +            *pn = c;
> +            pn = &c->next;
>          }
>      }
>  
> -- 
> 2.14.4

Tested in the same conditions as the previous patch, looks good.
Thank you.

Tested-by: Nicolas Poirot <nicolas.poirot@bertin.fr>
Reviewed-by: Nicolas Poirot <nicolas.poirot@bertin.fr>

* Re: [PATCH v2] flask: sort io{port,mem}con entries
@ 2018-10-05 23:38 ` nicolas.poirot
From: nicolas.poirot @ 2018-10-05 23:38 UTC (permalink / raw)
  Cc: xen-devel, Daniel De Graaf, George Dunlap, Jan Beulich

> -----Daniel De Graaf <dgdegra@tycho.nsa.gov> wrote: -----
> To: xen-devel@lists.xenproject.org, Nicolas Poirot <nicolas.poirot@bertin.fr>
> From: Daniel De Graaf <dgdegra@tycho.nsa.gov>
> Date: 05/10/2018 18:33
> Cc: George Dunlap <dunlapg@umich.edu>, Jan Beulich <JBeulich@suse.com>, Daniel De Graaf <dgdegra@tycho.nsa.gov>
> Subject: [PATCH v2] flask: sort io{port,mem}con entries
> 
> These entries are not always sorted by checkpolicy, so sort them during
> policy load (as is already done for later ocontext additions).
> 
> Reported-by: Nicolas Poirot <nicolas.poirot@bertin.fr>
> Signed-off-by: Daniel De Graaf <dgdegra@tycho.nsa.gov>
> ---
>  xen/xsm/flask/ss/policydb.c | 35 +++++++++++++++++++++++++++++------
>  1 file changed, 29 insertions(+), 6 deletions(-)
> 
> diff --git a/xen/xsm/flask/ss/policydb.c b/xen/xsm/flask/ss/policydb.c
> index 3a12d96ef9..9426164353 100644
> --- a/xen/xsm/flask/ss/policydb.c
> +++ b/xen/xsm/flask/ss/policydb.c
> @@ -1737,7 +1737,7 @@ int policydb_read(struct policydb *p, void *fp)
>  {
>      struct role_allow *ra, *lra;
>      struct role_trans *tr, *ltr;
> -    struct ocontext *l, *c /*, *newc*/;
> +    struct ocontext *l, *c, **pn;
>      int i, j, rc;
>      __le32 buf[8];
>      u32 len, /*len2,*/ config, nprim, nel /*, nel2*/;
> @@ -1994,6 +1994,7 @@ int policydb_read(struct policydb *p, void *fp)
>          if ( rc < 0 )
>              goto bad;
>          nel = le32_to_cpu(buf[0]);
> +        pn = &p->ocontexts[i];
>          l = NULL;
>          for ( j = 0; j < nel; j++ )
>          {
> @@ -2003,11 +2004,6 @@ int policydb_read(struct policydb *p, void *fp)
>                  rc = -ENOMEM;
>                  goto bad;
>              }
> -            if ( l )
> -                l->next = c;
> -            else
> -                p->ocontexts[i] = c;
> -            l = c;
>              rc = -EINVAL;
>              switch ( i )
>              {
> @@ -2050,6 +2046,18 @@ int policydb_read(struct policydb *p, void *fp)
>                  rc = context_read_and_validate(&c->context, p, fp);
>                  if ( rc )
>                      goto bad;
> +
> +                if ( *pn || ( l && l->u.ioport.high_ioport >= c->u.ioport.low_ioport ) )
> +                {
> +                    pn = &p->ocontexts[i];
> +                    l = *pn;
> +                    while ( l && l->u.ioport.high_ioport < c->u.ioport.low_ioport ) {
> +                        pn = &l->next;
> +                        l = *pn;
> +                    }
> +                    c->next = l;
> +                }
> +                l = c;
>                  break;
>              case OCON_IOMEM:
>                  if ( p->target_type != TARGET_XEN )
> @@ -2078,6 +2086,18 @@ int policydb_read(struct policydb *p, void *fp)
>                  rc = context_read_and_validate(&c->context, p, fp);
>                  if ( rc )
>                      goto bad;
> +
> +                if ( *pn || ( l && l->u.iomem.high_iomem >= c->u.iomem.low_iomem ) )
> +                {
> +                    pn = &p->ocontexts[i];
> +                    l = *pn;
> +                    while ( l && l->u.iomem.high_iomem < c->u.iomem.low_iomem ) {
> +                        pn = &l->next;
> +                        l = *pn;
> +                    }
> +                    c->next = l;
> +                }
> +                l = c;
>                  break;
>              case OCON_DEVICE:
>                  if ( p->target_type != TARGET_XEN )
> @@ -2123,6 +2143,9 @@ int policydb_read(struct policydb *p, void *fp)
>                  rc = -EINVAL;
>                  goto bad;
>              }
> +
> +            *pn = c;
> +            pn = &c->next;
>          }
>      }
>  
> -- 
> 2.14.4

Tested in the same conditions as the previous patch, looks good.
Thank you.

Tested-by: Nicolas Poirot <nicolas.poirot@bertin.fr>
Reviewed-by: Nicolas Poirot <nicolas.poirot@bertin.fr>
