    selinux: refactor mls_context_to_sid() and make it stricter · 95ffe194
    Jann Horn authored
    The intended behavior change for this patch is to reject any MLS strings
    that contain (trailing) garbage if p->mls_enabled is true.
    
    As suggested by Paul Moore, change mls_context_to_sid() so that the two
    parts of the range are extracted before the rest of the parsing. Because
    now we don't have to scan for two different separators simultaneously
    everywhere, we can actually switch to strchr() everywhere instead of the
    open-coded loops that scan for two separators at once.
    
    mls_context_to_sid() used to signal how much of the input string was parsed
    by updating `*scontext`. However, there is actually no case in which
    mls_context_to_sid() only parses a subset of the input and still returns
    a success (other than the buggy case with a second '-' in which it
    incorrectly claims to have consumed the entire string). Turn `scontext`
    into a simple pointer argument and stop redundantly checking whether the
    entire input was consumed in string_to_context_struct(). This also lets us
    remove the `scontext_len` argument from `string_to_context_struct()`.
    Signed-off-by: Jann Horn <jannh@google.com>
    [PM: minor merge fuzz in convert_context()]
    Signed-off-by: Paul Moore <paul@paul-moore.com>
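The parsing order the commit message describes (find the range separator first, then split each part at ':' with strchr()), as an added userspace illustration that is not the kernel's code. `mls_split`, `split_level` and `struct mls_parts` are hypothetical names, the inputs are constructed, and since there are no policy tables here to look names up in, a second '-' is rejected by an explicit check.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical result type: pointers into the caller's (modified) buffer. */
struct mls_parts {
    char *low_sens, *low_cats;   /* low_cats is NULL when there is no ':' */
    char *high_sens, *high_cats; /* both NULL when there is no '-' */
};

/* Split one level "sens[:cats]" in place at its first ':'. */
static void split_level(char *level, char **sens, char **cats)
{
    char *colon = strchr(level, ':');

    if (colon)
        *colon++ = '\0';
    *sens = level;
    *cats = colon;
}

/* Split "low[-high]" in place; returns 0 on success, -1 if malformed. */
int mls_split(char *s, struct mls_parts *out)
{
    char *high = strchr(s, '-');        /* range separator first */

    memset(out, 0, sizeof(*out));
    if (high) {
        *high++ = '\0';
        if (strchr(high, '-'))          /* second '-': garbage, not a range */
            return -1;
        split_level(high, &out->high_sens, &out->high_cats);
        if (!*out->high_sens)           /* "s0-" has an empty high part */
            return -1;
    }
    split_level(s, &out->low_sens, &out->low_cats);
    return *out->low_sens ? 0 : -1;     /* "-s1" has an empty low part */
}

int main(void)
{
    /* Constructed sample inputs, not taken from the commit. */
    char ok[] = "s0:c0.c3-s1:c0.c5", bad[] = "s0-s1-s2";
    struct mls_parts p;

    printf("%s -> %d\n", "s0:c0.c3-s1:c0.c5", mls_split(ok, &p));
    printf("%s -> %d\n", "s0-s1-s2", mls_split(bad, &p));
    return 0;
}
```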
mls.c 15.6 KB