
Commit 2ae3ba3

KaiGai KoheiJames Morris
authored andcommitted
selinux: libsepol: remove dead code in check_avtab_hierarchy_callback()
This patch reverts commit 7d52a15, which removed part of type_attribute_bounds_av as dead code. However, at that time we had not yet found out that the target-side boundary allows some pseudo /proc/<pid>/* entries to be handled with their process's security context. Signed-off-by: KaiGai Kohei <kaigai@ak.jp.nec.com> Acked-by: Stephen Smalley <sds@tycho.nsa.gov> -- security/selinux/ss/services.c | 43 ++++++++++++++++++++++++++++++++++++--- 1 files changed, 39 insertions(+), 4 deletions(-) Signed-off-by: James Morris <jmorris@namei.org>
1 parent 1708000 commit 2ae3ba3


1 file changed

+39
-4
lines changed


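--- a/security/selinux/ss/services.c
+++ b/security/selinux/ss/services.c
@@ -525,14 +525,16 @@ static void type_attribute_bounds_av(struct context *scontext,
 				       u16 tclass,
 				       struct av_decision *avd)
 {
+	struct context lo_scontext;
+	struct context lo_tcontext;
+	struct av_decision lo_avd;
 	struct type_datum *source
 		= policydb.type_val_to_struct[scontext->type - 1];
+	struct type_datum *target
+		= policydb.type_val_to_struct[tcontext->type - 1];
+	u32 masked = 0;
 
 	if (source->bounds) {
-		struct context lo_scontext;
-		struct av_decision lo_avd;
-		u32 masked;
-
 		memset(&lo_avd, 0, sizeof(lo_avd));
 
 		memcpy(&lo_scontext, scontext, sizeof(lo_scontext));
@@ -545,7 +547,40 @@ static void type_attribute_bounds_av(struct context *scontext,
 		if ((lo_avd.allowed & avd->allowed) == avd->allowed)
 			return; /* no masked permission */
 		masked = ~lo_avd.allowed & avd->allowed;
+	}
+
+	if (target->bounds) {
+		memset(&lo_avd, 0, sizeof(lo_avd));
+
+		memcpy(&lo_tcontext, tcontext, sizeof(lo_tcontext));
+		lo_tcontext.type = target->bounds;
+
+		context_struct_compute_av(scontext,
+					  &lo_tcontext,
+					  tclass,
+					  &lo_avd);
+		if ((lo_avd.allowed & avd->allowed) == avd->allowed)
+			return; /* no masked permission */
+		masked = ~lo_avd.allowed & avd->allowed;
+	}
+
+	if (source->bounds && target->bounds) {
+		memset(&lo_avd, 0, sizeof(lo_avd));
+		/*
+		 * lo_scontext and lo_tcontext are already
+		 * set up.
+		 */
+
+		context_struct_compute_av(&lo_scontext,
+					  &lo_tcontext,
+					  tclass,
+					  &lo_avd);
+		if ((lo_avd.allowed & avd->allowed) == avd->allowed)
+			return; /* no masked permission */
+		masked = ~lo_avd.allowed & avd->allowed;
+	}
 
+	if (masked) {
 		/* mask violated permissions */
 		avd->allowed &= ~masked;
 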