| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-Id: <20230728155501.39632-4-cgzones@googlemail.com>
Date: Fri, 28 Jul 2023 17:54:55 +0200
From: Christian Göttsche <cgzones@...glemail.com>
To: selinux@...r.kernel.org
Cc: Paul Moore <paul@...l-moore.com>,
Stephen Smalley <stephen.smalley.work@...il.com>,
Eric Paris <eparis@...isplace.org>,
Ondrej Mosnacek <omosnace@...hat.com>,
"GONG, Ruiqi" <gongruiqi1@...wei.com>, linux-kernel@...r.kernel.org
Subject: [PATCH v2 5/9] selinux: services: update type for number of class permissions
Security classes have only up to 32 permissions, hence using an u16 is
sufficient (while improving padding in struct selinux_mapping).
Also use a fixed sized cast in a bit shift to avoid (well defined)
overflows on architectures where sizeof(unsigned int) != sizeof(u32)
resulting in no bits set.
Signed-off-by: Christian Göttsche <cgzones@...glemail.com>
---
v2:
update commit description:
- mention struct selinux_mapping in the padding argument
(currently between the first and second member there are 2 bytes
padding)
- mention overflow in the cast argument and the result of setting
no bits due to it
---
security/selinux/ss/services.c | 6 +++---
security/selinux/ss/services.h | 2 +-
2 files changed, 4 insertions(+), 4 deletions(-)
diff --git a/security/selinux/ss/services.c b/security/selinux/ss/services.c
index 2c5be06fbada..cf4b87ec4a0e 100644
--- a/security/selinux/ss/services.c
+++ b/security/selinux/ss/services.c
@@ -97,7 +97,6 @@ static int selinux_set_mapping(struct policydb *pol,
struct selinux_map *out_map)
{
u16 i, j;
- unsigned k;
bool print_unknown_handle = false;
/* Find number of classes in the input mapping */
@@ -117,6 +116,7 @@ static int selinux_set_mapping(struct policydb *pol,
while (map[j].name) {
const struct security_class_mapping *p_in = map + (j++);
struct selinux_mapping *p_out = out_map->mapping + j;
+ u16 k;
/* An empty class string skips ahead */
if (!strcmp(p_in->name, "")) {
@@ -202,7 +202,7 @@ static void map_decision(struct selinux_map *map,
{
if (tclass < map->size) {
struct selinux_mapping *mapping = &map->mapping[tclass];
- unsigned int i, n = mapping->num_perms;
+ u16 i, n = mapping->num_perms;
u32 result;
for (i = 0, result = 0; i < n; i++) {
@@ -230,7 +230,7 @@ static void map_decision(struct selinux_map *map,
* should audit that denial
*/
for (; i < (sizeof(u32)*8); i++)
- result |= 1<<i;
+ result |= 1<<((u32)i);
avd->auditdeny = result;
}
}
diff --git a/security/selinux/ss/services.h b/security/selinux/ss/services.h
index ed2ee6600467..d24b0a3d198e 100644
--- a/security/selinux/ss/services.h
+++ b/security/selinux/ss/services.h
@@ -12,7 +12,7 @@
/* Mapping for a single class */
struct selinux_mapping {
u16 value; /* policy value for class */
- unsigned int num_perms; /* number of permissions in class */
+ u16 num_perms; /* number of permissions in class */
u32 perms[sizeof(u32) * 8]; /* policy values for permissions */
};
--
2.40.1
Powered by blists - more mailing lists