lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Message-ID: <CAEjxPJ7ZpsmbV3AiEdEOCvUQBDAojn9XUhC6pzeOapPSYc2-Cw@mail.gmail.com>
Date: Wed, 14 May 2025 14:24:22 -0400
From: Stephen Smalley <stephen.smalley.work@...il.com>
To: cgzones@...glemail.com
Cc: selinux@...r.kernel.org, Paul Moore <paul@...l-moore.com>, 
	Ondrej Mosnacek <omosnace@...hat.com>, linux-kernel@...r.kernel.org
Subject: Re: [PATCH v3 08/14] selinux: reorder policydb_index()

On Sun, May 11, 2025 at 1:31 PM Christian Göttsche
<cgoettsche@...tendoof.de> wrote:
>
> From: Christian Göttsche <cgzones@...glemail.com>
>
> Index as soon as possible to enable isvalid() checks to fail on gaps.
>
> Signed-off-by: Christian Göttsche <cgzones@...glemail.com>

Acked-by: Stephen Smalley <stephen.smalley.work@...il.com>

> ---
>  security/selinux/ss/policydb.c | 11 ++++++-----
>  1 file changed, 6 insertions(+), 5 deletions(-)
>
> diff --git a/security/selinux/ss/policydb.c b/security/selinux/ss/policydb.c
> index 27f6809b562a..326d82f8db8c 100644
> --- a/security/selinux/ss/policydb.c
> +++ b/security/selinux/ss/policydb.c
> @@ -728,7 +728,6 @@ static int policydb_index(struct policydb *p)
>         pr_debug("SELinux:  %d classes, %d rules\n", p->p_classes.nprim,
>                  p->te_avtab.nel);
>
> -       avtab_hash_eval(&p->te_avtab, "rules");
>         symtab_hash_eval(p->symtab);
>
>         p->class_val_to_struct = kcalloc(p->p_classes.nprim,
> @@ -2799,6 +2798,10 @@ int policydb_read(struct policydb *p, struct policy_file *fp)
>                 p->symtab[i].nprim = nprim;
>         }
>
> +       rc = policydb_index(p);
> +       if (rc)
> +               goto bad;
> +
>         rc = -EINVAL;
>         p->process_class = string_to_security_class(p, "process");
>         if (!p->process_class) {
> @@ -2810,6 +2813,8 @@ int policydb_read(struct policydb *p, struct policy_file *fp)
>         if (rc)
>                 goto bad;
>
> +       avtab_hash_eval(&p->te_avtab, "rules");
> +
>         if (p->policyvers >= POLICYDB_VERSION_BOOL) {
>                 rc = cond_read_list(p, fp);
>                 if (rc)
> @@ -2907,10 +2912,6 @@ int policydb_read(struct policydb *p, struct policy_file *fp)
>         if (rc)
>                 goto bad;
>
> -       rc = policydb_index(p);
> -       if (rc)
> -               goto bad;
> -
>         rc = -EINVAL;
>         perm = string_to_av_perm(p, p->process_class, "transition");
>         if (!perm) {
> --
> 2.49.0
>

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ