diff options
| author | Christian Göttsche <cgzones@googlemail.com> | 2024-12-16 17:40:07 +0100 |
|---|---|---|
| committer | Paul Moore <paul@paul-moore.com> | 2025-01-07 23:14:40 -0500 |
| commit | 01c2253a0fbdccb58cd79d4ff9ab39964bfb4474 (patch) | |
| tree | 24cd624adbbbee8ecad185613a68ab458ec9b14d /security | |
| parent | 749153636643aaa793f14e84e864fdaf5ed0620d (diff) | |
| download | linux-01c2253a0fbdccb58cd79d4ff9ab39964bfb4474.tar.gz linux-01c2253a0fbdccb58cd79d4ff9ab39964bfb4474.tar.bz2 linux-01c2253a0fbdccb58cd79d4ff9ab39964bfb4474.zip | |
selinux: make more use of str_read() when loading the policy
Simplify the call sites, and enable future string validation in a single
place.
Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
[PM: subject tweak]
Signed-off-by: Paul Moore <paul@paul-moore.com>
Diffstat (limited to 'security')
| -rw-r--r-- | security/selinux/ss/conditional.c | 10 | ||||
| -rw-r--r-- | security/selinux/ss/policydb.c | 22 | ||||
| -rw-r--r-- | security/selinux/ss/policydb.h | 2 |
3 files changed, 12 insertions, 22 deletions
diff --git a/security/selinux/ss/conditional.c b/security/selinux/ss/conditional.c index d8dcaf2ca88f..1bebfcb9c6a1 100644 --- a/security/selinux/ss/conditional.c +++ b/security/selinux/ss/conditional.c @@ -230,17 +230,11 @@ int cond_read_bool(struct policydb *p, struct symtab *s, struct policy_file *fp) goto err; len = le32_to_cpu(buf[2]); - if (((len == 0) || (len == (u32)-1))) - goto err; - rc = -ENOMEM; - key = kmalloc(len + 1, GFP_KERNEL); - if (!key) - goto err; - rc = next_entry(key, fp, len); + rc = str_read(&key, GFP_KERNEL, fp, len); if (rc) goto err; - key[len] = '\0'; + rc = symtab_insert(s, key, booldatum); if (rc) goto err; diff --git a/security/selinux/ss/policydb.c b/security/selinux/ss/policydb.c index 0850ea6ae018..9ea971943713 100644 --- a/security/selinux/ss/policydb.c +++ b/security/selinux/ss/policydb.c @@ -1093,7 +1093,7 @@ out: * binary representation file. */ -static int str_read(char **strp, gfp_t flags, struct policy_file *fp, u32 len) +int str_read(char **strp, gfp_t flags, struct policy_file *fp, u32 len) { int rc; char *str; @@ -2473,24 +2473,18 @@ int policydb_read(struct policydb *p, struct policy_file *fp) goto bad; } - rc = -ENOMEM; - policydb_str = kmalloc(len + 1, GFP_KERNEL); - if (!policydb_str) { - pr_err("SELinux: unable to allocate memory for policydb " - "string of length %d\n", - len); - goto bad; - } - - rc = next_entry(policydb_str, fp, len); + rc = str_read(&policydb_str, GFP_KERNEL, fp, len); if (rc) { - pr_err("SELinux: truncated policydb string identifier\n"); - kfree(policydb_str); + if (rc == -ENOMEM) { + pr_err("SELinux: unable to allocate memory for policydb string of length %d\n", + len); + } else { + pr_err("SELinux: truncated policydb string identifier\n"); + } goto bad; } rc = -EINVAL; - policydb_str[len] = '\0'; if (strcmp(policydb_str, POLICYDB_STRING)) { pr_err("SELinux: policydb string %s does not match " "my string %s\n", diff --git a/security/selinux/ss/policydb.h b/security/selinux/ss/policydb.h index 80d1fa7e4995..25650224b6e7 100644 --- a/security/selinux/ss/policydb.h +++ b/security/selinux/ss/policydb.h @@ -386,6 +386,8 @@ static inline char *sym_name(struct policydb *p, unsigned int sym_num, return p->sym_val_to_name[sym_num][element_nr]; } +extern int str_read(char **strp, gfp_t flags, struct policy_file *fp, u32 len); + extern u16 string_to_security_class(struct policydb *p, const char *name); extern u32 string_to_av_perm(struct policydb *p, u16 tclass, const char *name); |