diff options
author | Paul Moore <pmoore@redhat.com> | 2014-08-01 11:17:17 -0400 |
---|---|---|
committer | Paul Moore <pmoore@redhat.com> | 2014-08-01 11:17:17 -0400 |
commit | 4b8feff251da3d7058b5779e21b33a85c686b974 (patch) | |
tree | 600fb14c92a11abf730e9f26236d33ba5ae9c278 /include/net | |
parent | 41c3bd2039e0d7b3dc32313141773f20716ec524 (diff) |
netlabel: fix the horribly broken catmap functions
The NetLabel secattr catmap functions, and the SELinux import/export
glue routines, were broken in many horrible ways and the SELinux glue
code fiddled with the NetLabel catmap structures in ways that we
probably shouldn't allow. At some point this "worked", but that was
likely due to a bit of dumb luck and sub-par testing (both inflicted
by yours truly). This patch corrects these problems by basically
gutting the code in favor of something less obtuse and restoring the
NetLabel abstractions in the SELinux catmap glue code.
Everything is working now, and if it decides to break itself in the
future this code will be much easier to debug than the code it
replaces.
One noteworthy side effect of the changes is that it is no longer
necessary to allocate a NetLabel catmap before calling one of the
NetLabel APIs to set a bit in the catmap. NetLabel will automatically
allocate the catmap nodes when needed, resulting in less allocations
when the lowest bit is greater than 255 and less code in the LSMs.
Cc: stable@vger.kernel.org
Reported-by: Christian Evans <frodox@zoho.com>
Signed-off-by: Paul Moore <pmoore@redhat.com>
Tested-by: Casey Schaufler <casey@schaufler-ca.com>
Diffstat (limited to 'include/net')
-rw-r--r-- | include/net/netlabel.h | 26 |
1 files changed, 24 insertions, 2 deletions
diff --git a/include/net/netlabel.h b/include/net/netlabel.h index 1c40d658d008..bda7a121f31e 100644 --- a/include/net/netlabel.h +++ b/include/net/netlabel.h @@ -285,11 +285,11 @@ static inline void netlbl_secattr_catmap_free( { struct netlbl_lsm_secattr_catmap *iter; - do { + while (catmap) { iter = catmap; catmap = catmap->next; kfree(iter); - } while (catmap); + } } /** @@ -394,6 +394,9 @@ int netlbl_secattr_catmap_walk(struct netlbl_lsm_secattr_catmap *catmap, u32 offset); int netlbl_secattr_catmap_walk_rng(struct netlbl_lsm_secattr_catmap *catmap, u32 offset); +int netlbl_secattr_catmap_getlong(struct netlbl_lsm_secattr_catmap *catmap, + u32 *offset, + unsigned long *bitmap); int netlbl_secattr_catmap_setbit(struct netlbl_lsm_secattr_catmap **catmap, u32 bit, gfp_t flags); @@ -401,6 +404,10 @@ int netlbl_secattr_catmap_setrng(struct netlbl_lsm_secattr_catmap **catmap, u32 start, u32 end, gfp_t flags); +int netlbl_secattr_catmap_setlong(struct netlbl_lsm_secattr_catmap **catmap, + u32 offset, + unsigned long bitmap, + gfp_t flags); /* * LSM protocol operations (NetLabel LSM/kernel API) @@ -504,6 +511,13 @@ static inline int netlbl_secattr_catmap_walk_rng( { return -ENOENT; } +static inline int netlbl_secattr_catmap_getlong( + struct netlbl_lsm_secattr_catmap *catmap, + u32 *offset, + unsigned long *bitmap) +{ + return 0; +} static inline int netlbl_secattr_catmap_setbit( struct netlbl_lsm_secattr_catmap **catmap, u32 bit, @@ -519,6 +533,14 @@ static inline int netlbl_secattr_catmap_setrng( { return 0; } +static int netlbl_secattr_catmap_setlong( + struct netlbl_lsm_secattr_catmap **catmap, + u32 offset, + unsigned long bitmap, + gfp_t flags) +{ + return 0; +} static inline int netlbl_enabled(void) { return 0; |