aboutsummaryrefslogtreecommitdiffstats
path: root/security/selinux/ss
diff options
context:
space:
mode:
authorKaiGai Kohei <kaigai@ak.jp.nec.com>2010-02-16 18:49:41 -0500
committerJames Morris <jmorris@namei.org>2010-02-21 16:27:41 -0500
commit2ae3ba39389b51d8502123de0a59374bec899c4d (patch)
tree54c552fa9fa6c17b769f6aca3fd438e542b504a4 /security/selinux/ss
parent170800088666963de1111d62fb503889c8c82eda (diff)
selinux: libsepol: remove dead code in check_avtab_hierarchy_callback()
This patch revert the commit of 7d52a155e38d5a165759dbbee656455861bf7801 which removed a part of type_attribute_bounds_av as a dead code. However, at that time, we didn't find out the target side boundary allows to handle some of pseudo /proc/<pid>/* entries with its process's security context well. Signed-off-by: KaiGai Kohei <kaigai@ak.jp.nec.com> Acked-by: Stephen Smalley <sds@tycho.nsa.gov> -- security/selinux/ss/services.c | 43 ++++++++++++++++++++++++++++++++++++--- 1 files changed, 39 insertions(+), 4 deletions(-) Signed-off-by: James Morris <jmorris@namei.org>
Diffstat (limited to 'security/selinux/ss')
-rw-r--r--security/selinux/ss/services.c43
1 files changed, 39 insertions, 4 deletions
diff --git a/security/selinux/ss/services.c b/security/selinux/ss/services.c
index 0e5c3a422a8e..cf27b3ee1a95 100644
--- a/security/selinux/ss/services.c
+++ b/security/selinux/ss/services.c
@@ -525,14 +525,16 @@ static void type_attribute_bounds_av(struct context *scontext,
525 u16 tclass, 525 u16 tclass,
526 struct av_decision *avd) 526 struct av_decision *avd)
527{ 527{
528 struct context lo_scontext;
529 struct context lo_tcontext;
530 struct av_decision lo_avd;
528 struct type_datum *source 531 struct type_datum *source
529 = policydb.type_val_to_struct[scontext->type - 1]; 532 = policydb.type_val_to_struct[scontext->type - 1];
533 struct type_datum *target
534 = policydb.type_val_to_struct[tcontext->type - 1];
535 u32 masked = 0;
530 536
531 if (source->bounds) { 537 if (source->bounds) {
532 struct context lo_scontext;
533 struct av_decision lo_avd;
534 u32 masked;
535
536 memset(&lo_avd, 0, sizeof(lo_avd)); 538 memset(&lo_avd, 0, sizeof(lo_avd));
537 539
538 memcpy(&lo_scontext, scontext, sizeof(lo_scontext)); 540 memcpy(&lo_scontext, scontext, sizeof(lo_scontext));
@@ -545,7 +547,40 @@ static void type_attribute_bounds_av(struct context *scontext,
545 if ((lo_avd.allowed & avd->allowed) == avd->allowed) 547 if ((lo_avd.allowed & avd->allowed) == avd->allowed)
546 return; /* no masked permission */ 548 return; /* no masked permission */
547 masked = ~lo_avd.allowed & avd->allowed; 549 masked = ~lo_avd.allowed & avd->allowed;
550 }
551
552 if (target->bounds) {
553 memset(&lo_avd, 0, sizeof(lo_avd));
554
555 memcpy(&lo_tcontext, tcontext, sizeof(lo_tcontext));
556 lo_tcontext.type = target->bounds;
557
558 context_struct_compute_av(scontext,
559 &lo_tcontext,
560 tclass,
561 &lo_avd);
562 if ((lo_avd.allowed & avd->allowed) == avd->allowed)
563 return; /* no masked permission */
564 masked = ~lo_avd.allowed & avd->allowed;
565 }
566
567 if (source->bounds && target->bounds) {
568 memset(&lo_avd, 0, sizeof(lo_avd));
569 /*
570 * lo_scontext and lo_tcontext are already
571 * set up.
572 */
573
574 context_struct_compute_av(&lo_scontext,
575 &lo_tcontext,
576 tclass,
577 &lo_avd);
578 if ((lo_avd.allowed & avd->allowed) == avd->allowed)
579 return; /* no masked permission */
580 masked = ~lo_avd.allowed & avd->allowed;
581 }
548 582
583 if (masked) {
549 /* mask violated permissions */ 584 /* mask violated permissions */
550 avd->allowed &= ~masked; 585 avd->allowed &= ~masked;
551 586