From mboxrd@z Thu Jan 1 00:00:00 1970 From: Paul Moore Subject: [PATCH v7 06/17] selinux: Fix a problem in security_netlbl_sid_to_secattr() Date: Mon, 06 Oct 2008 15:20:23 -0400 Message-ID: <20081006192022.15686.68332.stgit@flek.lan> References: <20081006191516.15686.80823.stgit@flek.lan> Mime-Version: 1.0 Content-Type: text/plain; charset="utf-8" Content-Transfer-Encoding: 7bit To: selinux@tycho.nsa.gov, netdev@vger.kernel.org, linux-security-module@vger.kernel.org Return-path: Received: from g1t0026.austin.hp.com ([15.216.28.33]:16886 "EHLO g1t0026.austin.hp.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1752589AbYJFTUZ (ORCPT ); Mon, 6 Oct 2008 15:20:25 -0400 In-Reply-To: <20081006191516.15686.80823.stgit@flek.lan> Sender: netdev-owner@vger.kernel.org List-ID: Currently when SELinux fails to allocate memory in security_netlbl_sid_to_secattr() the NetLabel LSM domain field is set to NULL which triggers the default NetLabel LSM domain mapping which may not always be the desired mapping. This patch fixes this by returning an error when the kernel is unable to allocate memory. This could result in more failures on a system with heavy memory pressure but it is the "correct" thing to do. Signed-off-by: Paul Moore Acked-by: James Morris --- security/selinux/ss/services.c | 10 ++++++++-- 1 files changed, 8 insertions(+), 2 deletions(-) diff --git a/security/selinux/ss/services.c b/security/selinux/ss/services.c index 8551952..c8f688a 100644 --- a/security/selinux/ss/services.c +++ b/security/selinux/ss/services.c @@ -2785,7 +2785,7 @@ netlbl_secattr_to_sid_return_cleanup: */ int security_netlbl_sid_to_secattr(u32 sid, struct netlbl_lsm_secattr *secattr) { - int rc = -ENOENT; + int rc; struct context *ctx; if (!ss_initialized) @@ -2793,10 +2793,16 @@ int security_netlbl_sid_to_secattr(u32 sid, struct netlbl_lsm_secattr *secattr) read_lock(&policy_rwlock); ctx = sidtab_search(&sidtab, sid); - if (ctx == NULL) + if (ctx == NULL) { + rc = -ENOENT; goto netlbl_sid_to_secattr_failure; + } secattr->domain = kstrdup(policydb.p_type_val_to_name[ctx->type - 1], GFP_ATOMIC); + if (secattr->domain == NULL) { + rc = -ENOMEM; + goto netlbl_sid_to_secattr_failure; + } secattr->flags |= NETLBL_SECATTR_DOMAIN_CPY; mls_export_netlbl_lvl(ctx, secattr); rc = mls_export_netlbl_cat(ctx, secattr);