diff options
author | Stephen Smalley <sds@tycho.nsa.gov> | 2007-04-19 14:16:19 -0400 |
---|---|---|
committer | James Morris <jmorris@namei.org> | 2007-04-26 01:36:13 -0400 |
commit | e900a7d90ae1486ac95c10e0b7337fc2c2eda529 (patch) | |
tree | 924c8b62c3c02d600a02c87bd2a7ed44d39a808b | |
parent | bce34bc0eef03c68b5c49a3cc5bc77c84760cfe2 (diff) |
selinux: preserve boolean values across policy reloads
At present, the userland policy loading code has to go through contortions to preserve
boolean values across policy reloads, and cannot do so atomically.
As this is what we always want to do for reloads, let the kernel preserve them instead.
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
Acked-by: Karl MacMillan <kmacmillan@mentalrootkit.com>
Signed-off-by: James Morris <jmorris@namei.org>
-rw-r--r-- | security/selinux/ss/services.c | 38 |
1 files changed, 38 insertions, 0 deletions
diff --git a/security/selinux/ss/services.c b/security/selinux/ss/services.c index 21b8318979e3..40660ffd49b6 100644 --- a/security/selinux/ss/services.c +++ b/security/selinux/ss/services.c | |||
@@ -1257,6 +1257,7 @@ bad: | |||
1257 | } | 1257 | } |
1258 | 1258 | ||
1259 | extern void selinux_complete_init(void); | 1259 | extern void selinux_complete_init(void); |
1260 | static int security_preserve_bools(struct policydb *p); | ||
1260 | 1261 | ||
1261 | /** | 1262 | /** |
1262 | * security_load_policy - Load a security policy configuration. | 1263 | * security_load_policy - Load a security policy configuration. |
@@ -1333,6 +1334,12 @@ int security_load_policy(void *data, size_t len) | |||
1333 | goto err; | 1334 | goto err; |
1334 | } | 1335 | } |
1335 | 1336 | ||
1337 | rc = security_preserve_bools(&newpolicydb); | ||
1338 | if (rc) { | ||
1339 | printk(KERN_ERR "security: unable to preserve booleans\n"); | ||
1340 | goto err; | ||
1341 | } | ||
1342 | |||
1336 | /* Clone the SID table. */ | 1343 | /* Clone the SID table. */ |
1337 | sidtab_shutdown(&sidtab); | 1344 | sidtab_shutdown(&sidtab); |
1338 | if (sidtab_map(&sidtab, clone_sid, &newsidtab)) { | 1345 | if (sidtab_map(&sidtab, clone_sid, &newsidtab)) { |
@@ -1890,6 +1897,37 @@ out: | |||
1890 | return rc; | 1897 | return rc; |
1891 | } | 1898 | } |
1892 | 1899 | ||
1900 | static int security_preserve_bools(struct policydb *p) | ||
1901 | { | ||
1902 | int rc, nbools = 0, *bvalues = NULL, i; | ||
1903 | char **bnames = NULL; | ||
1904 | struct cond_bool_datum *booldatum; | ||
1905 | struct cond_node *cur; | ||
1906 | |||
1907 | rc = security_get_bools(&nbools, &bnames, &bvalues); | ||
1908 | if (rc) | ||
1909 | goto out; | ||
1910 | for (i = 0; i < nbools; i++) { | ||
1911 | booldatum = hashtab_search(p->p_bools.table, bnames[i]); | ||
1912 | if (booldatum) | ||
1913 | booldatum->state = bvalues[i]; | ||
1914 | } | ||
1915 | for (cur = p->cond_list; cur != NULL; cur = cur->next) { | ||
1916 | rc = evaluate_cond_node(p, cur); | ||
1917 | if (rc) | ||
1918 | goto out; | ||
1919 | } | ||
1920 | |||
1921 | out: | ||
1922 | if (bnames) { | ||
1923 | for (i = 0; i < nbools; i++) | ||
1924 | kfree(bnames[i]); | ||
1925 | } | ||
1926 | kfree(bnames); | ||
1927 | kfree(bvalues); | ||
1928 | return rc; | ||
1929 | } | ||
1930 | |||
1893 | /* | 1931 | /* |
1894 | * security_sid_mls_copy() - computes a new sid based on the given | 1932 | * security_sid_mls_copy() - computes a new sid based on the given |
1895 | * sid and the mls portion of mls_sid. | 1933 | * sid and the mls portion of mls_sid. |