On Tue, Nov 13, 2018 at 4:10 PM Stephen Smalley wrote:
> On 11/12/18 6:44 AM, Ondrej Mosnacek wrote:
> > This function has only two callers, but only one of them actually needs
> > the special logic at the beginning. Factoring this logic out into
> > string_to_context_struct() allows us to drop
On 11/13/18 8:52 AM, Ondrej Mosnacek wrote:
This patch is non-functional and moves handling of initial SIDs into a
separate table. Note that the SIDs stored in the main table are now
shifted by SECINITSID_NUM and converted to/from the actual SIDs
transparently by helper functions.
When you say
On 11/13/18 8:52 AM, Ondrej Mosnacek wrote:
This is a purely cosmetic change that encapsulates the three-step sidtab
conversion logic (shutdown -> clone -> map) into a single function
defined in sidtab.c (as opposed to services.c).
Signed-off-by: Ondrej Mosnacek
Acked-by: Stephen Smalley
On 11/12/18 6:44 AM, Ondrej Mosnacek wrote:
This function has only two callers, but only one of them actually needs
the special logic at the beginning. Factoring this logic out into
string_to_context_struct() allows us to drop the arguments 'oldc', 's',
and 'def_sid'.
Signed-off-by: Ondrej
This patch is non-functional and moves handling of initial SIDs into a
separate table. Note that the SIDs stored in the main table are now
shifted by SECINITSID_NUM and converted to/from the actual SIDs
transparently by helper functions.
This change doesn't make much sense on its own, but it
Before this patch, during a policy reload the sidtab would become frozen
and trying to map a new context to SID would be unable to add a new
entry to sidtab and fail with -ENOMEM.
Such failures are usually propagated into userspace, which has no way of
distignuishing them from actual allocation
This patchset is an alternative, hopefully better (but also more risky),
solution of the ENOMEM problem ([1]) that I first tried to solve in [2].
In this version I encapsulate the initial SID table within sidtab and
also switch back from converting the sidtab in-place to converting into
a new
This is a purely cosmetic change that encapsulates the three-step sidtab
conversion logic (shutdown -> clone -> map) into a single function
defined in sidtab.c (as opposed to services.c).
Signed-off-by: Ondrej Mosnacek
---
security/selinux/ss/services.c | 22 +--