X-Git-Url: http://git.onelab.eu/?a=blobdiff_plain;f=security%2Fselinux%2Fss%2Fservices.c;h=cad425719719327b587210e10366205d35872884;hb=c7b5ebbddf7bcd3651947760f423e3783bbe6573;hp=21ab4c975f6064730787f33cbfb4442db76fe72c;hpb=9213980e6a70d8473e0ffd4b39ab5b6caaba9ff5;p=linux-2.6.git
diff --git a/security/selinux/ss/services.c b/security/selinux/ss/services.c
index 21ab4c975..cad425719 100644
--- a/security/selinux/ss/services.c
+++ b/security/selinux/ss/services.c
@@ -40,6 +40,7 @@
 #include "mls.h"
 extern void selnl_notify_policyload(u32 seqno);
+extern int policydb_loaded_version;
 static rwlock_t policy_rwlock = RW_LOCK_UNLOCKED;
 #define POLICY_RDLOCK read_lock(&policy_rwlock)
@@ -203,6 +204,17 @@ static int context_struct_compute_av(struct context *scontext,
 struct avtab_datum *avdatum;
 struct class_datum *tclass_datum;
+ /*
+ * Remap extended Netlink classes for old policy versions.
+ * Do this here rather than socket_type_to_security_class()
+ * in case a newer policy version is loaded, allowing sockets
+ * to remain in the correct class.
+ */
+ if (policydb_loaded_version < POLICYDB_VERSION_NLCLASS)
+ if (tclass >= SECCLASS_NETLINK_ROUTE_SOCKET &&
+ tclass <= SECCLASS_NETLINK_DNRT_SOCKET)
+ tclass = SECCLASS_NETLINK_SOCKET;
+
 if (!tclass || tclass > policydb.p_classes.nprim) {
 printk(KERN_ERR "security_compute_av: unrecognized class %d\n", tclass);
@@ -296,7 +308,7 @@ int security_compute_av(u32 ssid,
 u32 requested,
 struct av_decision *avd)
 {
- struct context *scontext = 0, *tcontext = 0;
+ struct context *scontext = NULL, *tcontext = NULL;
 int rc = 0;
 if (!ss_initialized) {
@@ -343,7 +355,7 @@ int context_struct_to_string(struct context *context, char **scontext, u32 *scon
 {
 char *scontextp;
- *scontext = 0;
+ *scontext = NULL;
 *scontext_len = 0;
 /* Compute the size of the context. */
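Review bot: The new `extern int policydb_loaded_version;` is a file-local declaration of an object defined in another translation unit, so the compiler cannot check that its type matches the definition; it belongs in a header that both the defining file and services.c include, alongside the existing `extern void selnl_notify_policyload(u32 seqno);` which has the same weakness. As written, a later change to the variable's type at its definition would silently change the meaning of the version comparison added in the @@ -203 hunk.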
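Review bot: The range test `tclass >= SECCLASS_NETLINK_ROUTE_SOCKET && tclass <= SECCLASS_NETLINK_DNRT_SOCKET` silently assumes that every class value between the two constants is a Netlink socket class, and nothing in the block records that; add `/* assumes the SECCLASS_NETLINK_*_SOCKET values are contiguous, ROUTE first and DNRT last */` above the test so a later class insertion does not break the remap unnoticed. The two unbraced nested `if`s are a readability hazard in kernel style; folding them into a single condition, `if (policydb_loaded_version < POLICYDB_VERSION_NLCLASS && tclass >= SECCLASS_NETLINK_ROUTE_SOCKET && tclass <= SECCLASS_NETLINK_DNRT_SOCKET)`, reads more plainly and keeps the remap on one visible path. Placing the remap ahead of the `tclass > policydb.p_classes.nprim` check is the right order, since the remapped value is still validated against the loaded policy. Other entry points that accept a tclass, such as security_compute_sid in the @@ -588 hunk, do not appear to receive the same remap; if a Netlink socket class can reach them under a pre-NLCLASS policy they would presumably hit the unrecognized-class path, which is worth confirming. context_struct_compute_av begins before this hunk and continues past it.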
@@ -588,8 +600,8 @@ static int security_compute_sid(u32 ssid,
 u32 specified,
 u32 *out_sid)
 {
- struct context *scontext = 0, *tcontext = 0, newcontext;
- struct role_trans *roletr = 0;
+ struct context *scontext = NULL, *tcontext = NULL, newcontext;
+ struct role_trans *roletr = NULL;
 struct avtab_key avkey;
 struct avtab_datum *avdatum;
 struct avtab_node *node;
@@ -1022,6 +1034,7 @@ int security_load_policy(void *data, size_t len)
 LOAD_LOCK;
 if (!ss_initialized) {
+ avtab_cache_init();
 if (policydb_read(&policydb, fp)) {
 LOAD_UNLOCK;
 return -EINVAL;
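Review bot: `avtab_cache_init();` is now called on the first load before `policydb_read()`, but the failure path directly below it still returns -EINVAL without tearing the cache down, so a rejected initial policy leaks the cache while `ss_initialized` stays clear, and the next load attempt calls `avtab_cache_init()` a second time. Since the init was deliberately placed ahead of `policydb_read()`, presumably because the read populates the cache, the teardown belongs on the error path: `LOAD_UNLOCK;` `avtab_cache_destroy();` `return -EINVAL;`. Whether a repeated init of the same cache is only a leak or a hard failure depends on avtab_cache_init's body, which is outside this hunk; security_load_policy continues past the hunk, and any later first-load failure exits need the same teardown.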