[PATCH v7 06/17] selinux: Fix a problem in security_netlbl_sid_to_secattr()

netdev.vger.kernel.org archive mirror
 help / color / mirror / Atom feed

From: Paul Moore <paul.moore@hp.com>
To: selinux@tycho.nsa.gov, netdev@vger.kernel.org,
	linux-security-module@vger.kernel.org
Subject: [PATCH v7 06/17] selinux: Fix a problem in security_netlbl_sid_to_secattr()
Date: Mon, 06 Oct 2008 15:20:23 -0400	[thread overview]
Message-ID: <20081006192022.15686.68332.stgit@flek.lan> (raw)
In-Reply-To: <20081006191516.15686.80823.stgit@flek.lan>

Currently when SELinux fails to allocate memory in
security_netlbl_sid_to_secattr() the NetLabel LSM domain field is set to
NULL which triggers the default NetLabel LSM domain mapping which may not
always be the desired mapping.  This patch fixes this by returning an error
when the kernel is unable to allocate memory.  This could result in more
failures on a system with heavy memory pressure but it is the "correct"
thing to do.

Signed-off-by: Paul Moore <paul.moore@hp.com>
Acked-by: James Morris <jmorris@namei.org>
---

 security/selinux/ss/services.c |   10 ++++++++--
 1 files changed, 8 insertions(+), 2 deletions(-)

diff --git a/security/selinux/ss/services.c b/security/selinux/ss/services.c
index 8551952..c8f688a 100644
--- a/security/selinux/ss/services.c
+++ b/security/selinux/ss/services.c
@@ -2785,7 +2785,7 @@ netlbl_secattr_to_sid_return_cleanup:
  */
 int security_netlbl_sid_to_secattr(u32 sid, struct netlbl_lsm_secattr *secattr)
 {
-	int rc = -ENOENT;
+	int rc;
 	struct context *ctx;
 
 	if (!ss_initialized)
@@ -2793,10 +2793,16 @@ int security_netlbl_sid_to_secattr(u32 sid, struct netlbl_lsm_secattr *secattr)
 
 	read_lock(&policy_rwlock);
 	ctx = sidtab_search(&sidtab, sid);
-	if (ctx == NULL)
+	if (ctx == NULL) {
+		rc = -ENOENT;
 		goto netlbl_sid_to_secattr_failure;
+	}
 	secattr->domain = kstrdup(policydb.p_type_val_to_name[ctx->type - 1],
 				  GFP_ATOMIC);
+	if (secattr->domain == NULL) {
+		rc = -ENOMEM;
+		goto netlbl_sid_to_secattr_failure;
+	}
 	secattr->flags |= NETLBL_SECATTR_DOMAIN_CPY;
 	mls_export_netlbl_lvl(ctx, secattr);
 	rc = mls_export_netlbl_cat(ctx, secattr);

next prev parent reply	other threads:[~2008-10-06 19:20 UTC|newest]

Thread overview: 19+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2008-10-06 19:19 [PATCH v7 00/17] Labeled networking patches for 2.6.28 Paul Moore
2008-10-06 19:19 ` [PATCH v7 01/17] netlabel: Fix some sparse warnings Paul Moore
2008-10-10 21:45   ` James Morris
2008-10-06 19:19 ` [PATCH v7 02/17] selinux: Cleanup the NetLabel glue code Paul Moore
2008-10-06 19:20 ` [PATCH v7 03/17] selinux: Correctly handle IPv4 packets on IPv6 sockets in all cases Paul Moore
2008-10-06 19:20 ` [PATCH v7 04/17] netlabel: Remove unneeded in-kernel API functions Paul Moore
2008-10-06 19:20 ` [PATCH v7 05/17] selinux: Better local/forward check in selinux_ip_postroute() Paul Moore
2008-10-06 19:20 ` Paul Moore [this message]
2008-10-06 19:20 ` [PATCH v7 07/17] selinux: Fix missing calls to netlbl_skbuff_err() Paul Moore
2008-10-06 19:20 ` [PATCH v7 08/17] smack: " Paul Moore
2008-10-06 19:20 ` [PATCH v7 09/17] netlabel: Replace protocol/NetLabel linking with refrerence counts Paul Moore
2008-10-06 19:20 ` [PATCH v7 10/17] netlabel: Add a generic way to create ordered linked lists of network addrs Paul Moore
2008-10-06 19:20 ` [PATCH v7 11/17] netlabel: Add network address selectors to the NetLabel/LSM domain mapping Paul Moore
2008-10-06 19:21 ` [PATCH v7 12/17] netlabel: Add functionality to set the security attributes of a packet Paul Moore
2008-10-06 19:21 ` [PATCH v7 13/17] selinux: Set socket NetLabel based on connection endpoint Paul Moore
2008-10-06 19:21 ` [PATCH v7 14/17] selinux: Cache NetLabel secattrs in the socket's security struct Paul Moore
2008-10-06 19:21 ` [PATCH v7 15/17] netlabel: Changes to the NetLabel security attributes to allow LSMs to pass full contexts Paul Moore
2008-10-06 19:21 ` [PATCH v7 16/17] cipso: Add support for native local labeling and fixup mapping names Paul Moore
2008-10-06 19:21 ` [PATCH v7 17/17] netlabel: Add configuration support for local labeling Paul Moore

find likely ancestor, descendant, or conflicting patches for this message:
( dfblob:8551952 dfblob:c8f688a )
 OR (
bs:"[PATCH v7 06/17] selinux: Fix a problem in security_netlbl_sid_to_secattr()" )
	(help)

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20081006192022.15686.68332.stgit@flek.lan \
    --to=paul.moore@hp.com \
    --cc=linux-security-module@vger.kernel.org \
    --cc=netdev@vger.kernel.org \
    --cc=selinux@tycho.nsa.gov \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).