Commit 22afd83b authored by Stephen D. Smalley's avatar Stephen D. Smalley Committed by Linus Torvalds

[PATCH] SELinux: fix setting of loaded policy version

This patch fixes a further bug in the SELinux policy-loading code.  It
ensures that the loaded policy version number is not updated until the
new policy has been successfully committed (the version is read into the
new policydb first and only copied to policydb_loaded_version after the
switch-over).  It also corrects the type of the loaded policy version
from int to unsigned int.
Signed-off-by: default avatarStephen Smalley <sds@epoch.ncsc.mil>
Signed-off-by: default avatarAndrew Morton <akpm@osdl.org>
Signed-off-by: default avatarLinus Torvalds <torvalds@osdl.org>
parent f6444489
...@@ -73,7 +73,7 @@ ...@@ -73,7 +73,7 @@
#define XATTR_SELINUX_SUFFIX "selinux" #define XATTR_SELINUX_SUFFIX "selinux"
#define XATTR_NAME_SELINUX XATTR_SECURITY_PREFIX XATTR_SELINUX_SUFFIX #define XATTR_NAME_SELINUX XATTR_SECURITY_PREFIX XATTR_SELINUX_SUFFIX
extern int policydb_loaded_version; extern unsigned int policydb_loaded_version;
extern int selinux_nlmsg_lookup(u16 sclass, u16 nlmsg_type, u32 *perm); extern int selinux_nlmsg_lookup(u16 sclass, u16 nlmsg_type, u32 *perm);
#ifdef CONFIG_SECURITY_SELINUX_DEVELOP #ifdef CONFIG_SECURITY_SELINUX_DEVELOP
......
...@@ -38,8 +38,6 @@ static char *symtab_name[SYM_NUM] = { ...@@ -38,8 +38,6 @@ static char *symtab_name[SYM_NUM] = {
}; };
#endif #endif
int policydb_loaded_version;
static unsigned int symtab_sizes[SYM_NUM] = { static unsigned int symtab_sizes[SYM_NUM] = {
2, 2,
32, 32,
...@@ -1100,7 +1098,7 @@ int policydb_read(struct policydb *p, void *fp) ...@@ -1100,7 +1098,7 @@ int policydb_read(struct policydb *p, void *fp)
struct role_trans *tr, *ltr; struct role_trans *tr, *ltr;
struct ocontext *l, *c, *newc; struct ocontext *l, *c, *newc;
struct genfs *genfs_p, *genfs, *newgenfs; struct genfs *genfs_p, *genfs, *newgenfs;
int i, j, rc, r_policyvers = 0; int i, j, rc;
u32 buf[8], len, len2, config, nprim, nel, nel2; u32 buf[8], len, len2, config, nprim, nel, nel2;
char *policydb_str; char *policydb_str;
struct policydb_compat_info *info; struct policydb_compat_info *info;
...@@ -1165,9 +1163,9 @@ int policydb_read(struct policydb *p, void *fp) ...@@ -1165,9 +1163,9 @@ int policydb_read(struct policydb *p, void *fp)
for (i = 0; i < 4; i++) for (i = 0; i < 4; i++)
buf[i] = le32_to_cpu(buf[i]); buf[i] = le32_to_cpu(buf[i]);
r_policyvers = buf[0]; p->policyvers = buf[0];
if (r_policyvers < POLICYDB_VERSION_MIN || if (p->policyvers < POLICYDB_VERSION_MIN ||
r_policyvers > POLICYDB_VERSION_MAX) { p->policyvers > POLICYDB_VERSION_MAX) {
printk(KERN_ERR "security: policydb version %d does not match " printk(KERN_ERR "security: policydb version %d does not match "
"my version range %d-%d\n", "my version range %d-%d\n",
buf[0], POLICYDB_VERSION_MIN, POLICYDB_VERSION_MAX); buf[0], POLICYDB_VERSION_MIN, POLICYDB_VERSION_MAX);
...@@ -1183,10 +1181,10 @@ int policydb_read(struct policydb *p, void *fp) ...@@ -1183,10 +1181,10 @@ int policydb_read(struct policydb *p, void *fp)
} }
info = policydb_lookup_compat(r_policyvers); info = policydb_lookup_compat(p->policyvers);
if (!info) { if (!info) {
printk(KERN_ERR "security: unable to find policy compat info " printk(KERN_ERR "security: unable to find policy compat info "
"for version %d\n", r_policyvers); "for version %d\n", p->policyvers);
goto bad; goto bad;
} }
...@@ -1220,7 +1218,7 @@ int policydb_read(struct policydb *p, void *fp) ...@@ -1220,7 +1218,7 @@ int policydb_read(struct policydb *p, void *fp)
if (rc) if (rc)
goto bad; goto bad;
if (r_policyvers >= POLICYDB_VERSION_BOOL) { if (p->policyvers >= POLICYDB_VERSION_BOOL) {
rc = cond_read_list(p, fp); rc = cond_read_list(p, fp);
if (rc) if (rc)
goto bad; goto bad;
...@@ -1507,7 +1505,6 @@ int policydb_read(struct policydb *p, void *fp) ...@@ -1507,7 +1505,6 @@ int policydb_read(struct policydb *p, void *fp)
rc = 0; rc = 0;
out: out:
policydb_loaded_version = r_policyvers;
return rc; return rc;
bad_newc: bad_newc:
ocontext_destroy(newc,OCON_FSUSE); ocontext_destroy(newc,OCON_FSUSE);
......
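Review bot: The version now lives in `p->policyvers`, an `unsigned int`, yet both printk calls in these hunks still format it with `%d` (`buf[0]` in the "does not match my version range" message is a `u32` as well), so the specifiers no longer match the argument types; change them to `%u`, e.g. `"for version %u\n", p->policyvers);` and `"my version range %u-%u\n", buf[0], ...` if the MIN/MAX macros are unsigned. The value is attacker-influenced only to the extent that policy loading is privileged, so this is a correctness/format-checking point rather than an exploitable one. policydb_read begins and ends outside these hunks.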
...@@ -246,6 +246,8 @@ struct policydb { ...@@ -246,6 +246,8 @@ struct policydb {
struct ebitmap trustedwriters; struct ebitmap trustedwriters;
struct ebitmap trustedobjects; struct ebitmap trustedobjects;
#endif #endif
unsigned int policyvers;
}; };
extern int policydb_init(struct policydb *p); extern int policydb_init(struct policydb *p);
......
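Review bot: The new `policyvers` member is added without a comment, and its meaning is only recoverable by reading policydb_read in another file; annotate it where it is declared, e.g. `unsigned int policyvers;	/* version of the policy file this db was read from; set by policydb_read() */`. It would also be worth confirming (not visible here) that policydb_init zeroes the field so an uninitialised value cannot be copied into policydb_loaded_version by a later memcpy. The struct policydb definition starts outside this hunk.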
...@@ -40,7 +40,7 @@ ...@@ -40,7 +40,7 @@
#include "mls.h" #include "mls.h"
extern void selnl_notify_policyload(u32 seqno); extern void selnl_notify_policyload(u32 seqno);
extern int policydb_loaded_version; unsigned int policydb_loaded_version;
static rwlock_t policy_rwlock = RW_LOCK_UNLOCKED; static rwlock_t policy_rwlock = RW_LOCK_UNLOCKED;
#define POLICY_RDLOCK read_lock(&policy_rwlock) #define POLICY_RDLOCK read_lock(&policy_rwlock)
...@@ -1047,6 +1047,7 @@ int security_load_policy(void *data, size_t len) ...@@ -1047,6 +1047,7 @@ int security_load_policy(void *data, size_t len)
avtab_cache_destroy(); avtab_cache_destroy();
return -EINVAL; return -EINVAL;
} }
policydb_loaded_version = policydb.policyvers;
ss_initialized = 1; ss_initialized = 1;
LOAD_UNLOCK; LOAD_UNLOCK;
...@@ -1095,7 +1096,7 @@ int security_load_policy(void *data, size_t len) ...@@ -1095,7 +1096,7 @@ int security_load_policy(void *data, size_t len)
memcpy(&policydb, &newpolicydb, sizeof policydb); memcpy(&policydb, &newpolicydb, sizeof policydb);
sidtab_set(&sidtab, &newsidtab); sidtab_set(&sidtab, &newsidtab);
seqno = ++latest_granting; seqno = ++latest_granting;
policydb_loaded_version = policydb.policyvers;
POLICY_WRUNLOCK; POLICY_WRUNLOCK;
LOAD_UNLOCK; LOAD_UNLOCK;
......
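Review bot: The reload-path store `policydb_loaded_version = policydb.policyvers;` correctly sits inside the POLICY_WRLOCK region, which is what the commit message promises, but the variable is now defined here with no comment describing that contract, and it is exported through the header hunk above to readers that presumably do not take policy_rwlock. Add a comment at the definition, e.g. `/* Version of the currently committed policy; written only under POLICY_WRLOCK once a new policy is live, or under LOAD_LOCK before ss_initialized is set on first load. */`. Note that the first-load store precedes `ss_initialized = 1` with no barrier, so a reader that gates on ss_initialized alone may not be guaranteed to observe the new version on weakly ordered hardware — worth confirming against the readers. security_load_policy begins and ends outside these hunks.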