summaryrefslogtreecommitdiffstats
path: root/security
diff options
context:
space:
mode:
authorGuido Trentalancia <guido@trentalancia.com>2010-02-03 17:06:01 +0100
committerJames Morris <jmorris@namei.org>2010-02-03 22:48:17 +0100
commit42596eafdd75257a640f64701b9b07090bcd84b0 (patch)
treed5c4eb801d70ddd00a7a03814833d99cabf38962 /security
parentselinux: Only audit permissions specified in policy (diff)
downloadlinux-42596eafdd75257a640f64701b9b07090bcd84b0.tar.xz
linux-42596eafdd75257a640f64701b9b07090bcd84b0.zip
selinux: load the initial SIDs upon every policy load
Always load the initial SIDs, even in the case of a policy reload and not just at the initial policy load. This comes particularly handy after the introduction of a recent patch for enabling runtime switching between different policy types, although this patch is in theory independent from that feature. Signed-off-by: Guido Trentalancia <guido@trentalancia.com> Acked-by: Stephen Smalley <sds@tycho.nsa.gov> Signed-off-by: James Morris <jmorris@namei.org>
Diffstat (limited to 'security')
-rw-r--r--security/selinux/ss/services.c16
1 files changed, 12 insertions, 4 deletions
diff --git a/security/selinux/ss/services.c b/security/selinux/ss/services.c
index 4a2bf212057b..2abbc49914e6 100644
--- a/security/selinux/ss/services.c
+++ b/security/selinux/ss/services.c
@@ -1506,7 +1506,10 @@ static int clone_sid(u32 sid,
{
struct sidtab *s = arg;
- return sidtab_insert(s, sid, context);
+ if (sid > SECINITSID_NUM)
+ return sidtab_insert(s, sid, context);
+ else
+ return 0;
}
static inline int convert_context_handle_invalid_context(struct context *context)
@@ -1552,7 +1555,10 @@ static int convert_context(u32 key,
struct user_datum *usrdatum;
char *s;
u32 len;
- int rc;
+ int rc = 0;
+
+ if (key <= SECINITSID_NUM)
+ goto out;
args = p;
@@ -1712,9 +1718,11 @@ int security_load_policy(void *data, size_t len)
if (policydb_read(&newpolicydb, fp))
return -EINVAL;
- if (sidtab_init(&newsidtab)) {
+ rc = policydb_load_isids(&newpolicydb, &newsidtab);
+ if (rc) {
+ printk(KERN_ERR "SELinux: unable to load the initial SIDs\n");
policydb_destroy(&newpolicydb);
- return -ENOMEM;
+ return rc;
}
if (selinux_set_mapping(&newpolicydb, secclass_map,