authorStephen Smalley <sds@tycho.nsa.gov>2007-04-19 14:16:19 -0400
committerJames Morris <jmorris@namei.org>2007-04-26 01:36:13 -0400
commite900a7d90ae1486ac95c10e0b7337fc2c2eda529 (patch)
tree924c8b62c3c02d600a02c87bd2a7ed44d39a808b
parentbce34bc0eef03c68b5c49a3cc5bc77c84760cfe2 (diff)
selinux: preserve boolean values across policy reloads
At present, the userland policy loading code has to go through contortions to preserve boolean values across policy reloads, and cannot do so atomically. As this is what we always want to do for reloads, let the kernel preserve them instead. Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov> Acked-by: Karl MacMillan <kmacmillan@mentalrootkit.com> Signed-off-by: James Morris <jmorris@namei.org>
-rw-r--r--security/selinux/ss/services.c38
1 files changed, 38 insertions, 0 deletions
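diff --git a/security/selinux/ss/services.c b/security/selinux/ss/services.c
index 21b8318979e3..40660ffd49b6 100644
--- a/security/selinux/ss/services.c
+++ b/security/selinux/ss/services.c
@@ -1257,6 +1257,7 @@ bad:
 }
 
 extern void selinux_complete_init(void);
+static int security_preserve_bools(struct policydb *p);
 
 /**
  * security_load_policy - Load a security policy configuration.
@@ -1333,6 +1334,12 @@ int security_load_policy(void *data, size_t len)
 		goto err;
 	}
 
+	rc = security_preserve_bools(&newpolicydb);
+	if (rc) {
+		printk(KERN_ERR "security: unable to preserve booleans\n");
+		goto err;
+	}
+
 	/* Clone the SID table. */
 	sidtab_shutdown(&sidtab);
 	if (sidtab_map(&sidtab, clone_sid, &newsidtab)) {
@@ -1890,6 +1897,37 @@ out:
 	return rc;
 }
 
+static int security_preserve_bools(struct policydb *p)
+{
+	int rc, nbools = 0, *bvalues = NULL, i;
+	char **bnames = NULL;
+	struct cond_bool_datum *booldatum;
+	struct cond_node *cur;
+
+	rc = security_get_bools(&nbools, &bnames, &bvalues);
+	if (rc)
+		goto out;
+	for (i = 0; i < nbools; i++) {
+		booldatum = hashtab_search(p->p_bools.table, bnames[i]);
+		if (booldatum)
+			booldatum->state = bvalues[i];
+	}
+	for (cur = p->cond_list; cur != NULL; cur = cur->next) {
+		rc = evaluate_cond_node(p, cur);
+		if (rc)
+			goto out;
+	}
+
+out:
+	if (bnames) {
+		for (i = 0; i < nbools; i++)
+			kfree(bnames[i]);
+	}
+	kfree(bnames);
+	kfree(bvalues);
+	return rc;
+}
+
 /*
  * security_sid_mls_copy() - computes a new sid based on the given
  * sid and the mls portion of mls_sid.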