From: Ondrej Mosnacek <omosnace@redhat.com>
To: selinux@vger.kernel.org, Paul Moore <paul@paul-moore.com>
Cc: Stephen Smalley <sds@tycho.nsa.gov>,
Ondrej Mosnacek <omosnace@redhat.com>
Subject: [RFC PATCH v2 2/4] [squash] do not store entry for SECSID_NULL
Date: Tue, 27 Nov 2018 11:36:03 +0100 [thread overview]
Message-ID: <20181127103605.32765-3-omosnace@redhat.com> (raw)
In-Reply-To: <20181127103605.32765-1-omosnace@redhat.com>
This patch is kept separate only for review. Eventually it will be
folded into the previous patch.
Signed-off-by: Ondrej Mosnacek <omosnace@redhat.com>
---
security/selinux/ss/policydb.c | 2 +-
security/selinux/ss/sidtab.c | 25 ++++++++++++++++---------
security/selinux/ss/sidtab.h | 3 ++-
3 files changed, 19 insertions(+), 11 deletions(-)
diff --git a/security/selinux/ss/policydb.c b/security/selinux/ss/policydb.c
index 59359fa0bd74..a50d625e7946 100644
--- a/security/selinux/ss/policydb.c
+++ b/security/selinux/ss/policydb.c
@@ -912,7 +912,7 @@ int policydb_load_isids(struct policydb *p, struct sidtab *s)
sidtab_destroy(s);
goto out;
}
- if (c->sid[0] > SECINITSID_NUM) {
+ if (c->sid[0] == SECSID_NULL || c->sid[0] > SECINITSID_NUM) {
pr_err("SELinux: Initial SID %s out of range.\n",
c->u.name);
sidtab_destroy(s);
diff --git a/security/selinux/ss/sidtab.c b/security/selinux/ss/sidtab.c
index fd8115b211a6..e157d8240cf1 100644
--- a/security/selinux/ss/sidtab.c
+++ b/security/selinux/ss/sidtab.c
@@ -23,7 +23,7 @@ int sidtab_init(struct sidtab *s)
if (!s->htable)
return -ENOMEM;
- for (i = 0; i <= SECINITSID_NUM; i++)
+ for (i = 0; i < SECINITSID_NUM; i++)
s->isids[i].set = 0;
for (i = 0; i < SIDTAB_SIZE; i++)
@@ -86,8 +86,15 @@ static int sidtab_insert(struct sidtab *s, u32 sid, struct context *context)
int sidtab_set_initial(struct sidtab *s, u32 sid, struct context *context)
{
- struct sidtab_isid_entry *entry = &s->isids[sid];
- int rc = context_cpy(&entry->context, context);
+ struct sidtab_isid_entry *entry;
+ int rc;
+
+ if (sid == 0 || sid > SECINITSID_NUM)
+ return -EINVAL;
+
+ entry = &s->isids[sid - 1];
+
+ rc = context_cpy(&entry->context, context);
if (rc)
return rc;
@@ -116,19 +123,19 @@ static struct context *sidtab_search_core(struct sidtab *s, u32 sid, int force)
struct context *context;
struct sidtab_isid_entry *entry;
- if (!s)
+ if (!s || sid == 0)
return NULL;
if (sid > SECINITSID_NUM) {
context = sidtab_lookup(s, sid - (SECINITSID_NUM + 1));
} else {
- entry = &s->isids[sid];
+ entry = &s->isids[sid - 1];
context = entry->set ? &entry->context : NULL;
}
if (context && (!context->len || force))
return context;
- entry = &s->isids[SECINITSID_UNLABELED];
+ entry = &s->isids[SECINITSID_UNLABELED - 1];
return entry->set ? &entry->context : NULL;
}
@@ -283,11 +290,11 @@ int sidtab_context_to_sid(struct sidtab *s, struct context *context, u32 *sid)
int rc;
u32 i;
- for (i = 0; i <= SECINITSID_NUM; i++) {
+ for (i = 0; i < SECINITSID_NUM; i++) {
struct sidtab_isid_entry *entry = &s->isids[i];
if (entry->set && context_cmp(context, &entry->context)) {
- *sid = i;
+ *sid = i + 1;
return 0;
}
}
@@ -334,7 +341,7 @@ void sidtab_destroy(struct sidtab *s)
if (!s)
return;
- for (i = 0; i <= SECINITSID_NUM; i++)
+ for (i = 0; i < SECINITSID_NUM; i++)
if (s->isids[i].set)
context_destroy(&s->isids[i].context);
diff --git a/security/selinux/ss/sidtab.h b/security/selinux/ss/sidtab.h
index dc0a80bc8894..e657ae6bf996 100644
--- a/security/selinux/ss/sidtab.h
+++ b/security/selinux/ss/sidtab.h
@@ -36,7 +36,8 @@ struct sidtab {
struct sidtab_node *cache[SIDTAB_CACHE_LEN];
spinlock_t lock;
- struct sidtab_isid_entry isids[SECINITSID_NUM + 1];
+ /* index == SID - 1 (no entry for SECSID_NULL) */
+ struct sidtab_isid_entry isids[SECINITSID_NUM];
};
int sidtab_init(struct sidtab *s);
--
2.19.1
next prev parent reply other threads:[~2018-11-27 10:38 UTC|newest]
Thread overview: 11+ messages / expand[flat|nested] mbox.gz Atom feed top
2018-11-27 10:36 [RFC PATCH v2 0/4] Fix ENOMEM errors during policy reload Ondrej Mosnacek
2018-11-27 10:36 ` [RFC PATCH v2 1/4] selinux: use separate table for initial SID lookup Ondrej Mosnacek
2018-11-27 10:36 ` Ondrej Mosnacek [this message]
2018-11-27 17:00 ` [RFC PATCH v2 2/4] [squash] do not store entry for SECSID_NULL Stephen Smalley
2018-11-27 17:14 ` Stephen Smalley
2018-11-27 19:45 ` Ondrej Mosnacek
2018-11-28 12:07 ` Ondrej Mosnacek
2018-11-27 10:36 ` [RFC PATCH v2 3/4] selinux: overhaul sidtab to fix bug and improve performance Ondrej Mosnacek
2018-11-27 19:41 ` Stephen Smalley
2018-11-27 20:03 ` Ondrej Mosnacek
2018-11-27 10:36 ` [RFC PATCH v2 4/4] [squash] add back reverse lookup cache to sidtab Ondrej Mosnacek
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20181127103605.32765-3-omosnace@redhat.com \
--to=omosnace@redhat.com \
--cc=paul@paul-moore.com \
--cc=sds@tycho.nsa.gov \
--cc=selinux@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).