On Tue, Oct 23, 2018 at 3:02 AM Ondrej Mosnacek <[email protected]> wrote:
> Do the LE conversions before doing the Infiniband-related range checks.
> The incorrect checks are otherwise causing a failure to load any policy
> with an ibendportcon rule on BE systems. This can be reproduced by
> running (on e.g. ppc64):
>
> cat >my_module.cil <<EOF
> (type test_ibendport_t)
> (roletype object_r test_ibendport_t)
> (ibendportcon mlx4_0 1 (system_u object_r test_ibendport_t ((s0) (s0))))
> EOF
> semodule -i my_module.cil
>
> Also, fix loading/storing the 64-bit subnet prefix for OCON_IBPKEY to
> use a correctly aligned buffer.
>
> Finally, do not use the 'nodebuf' (u32) buffer where 'buf' (__le32)
> should be used instead.
>
> Tested internally on a ppc64 machine with a RHEL 7 kernel with this
> patch applied.
>
> Cc: Daniel Jurgens <[email protected]>
> Cc: Eli Cohen <[email protected]>
> Cc: James Morris <[email protected]>
> Cc: Doug Ledford <[email protected]>
> Cc: <[email protected]> # 4.13+
> Fixes: a806f7a1616f ("selinux: Create policydb version for Infiniband support")
> Signed-off-by: Ondrej Mosnacek <[email protected]>
> ---
>  security/selinux/ss/policydb.c | 51 ++++++++++++++++++++++++----------
>  1 file changed, 36 insertions(+), 15 deletions(-)
>
> Changes in v6:
>  - use U8_MAX as the limit for ibendport.port value to emphasize that it
>    is an 8-bit value
>
> Changes in v5:
>  - defer also assignment to 8-bit ibendport.port
>
> Changes in v4:
>  - defer assignment to 16-bit struct fields to after the range check
>
> Changes in v3:
>  - use separate buffer for the 64-bit subnet_prefix
>  - add comments on the byte ordering of subnet_prefix
>  - deduplicate the le32_to_cpu() calls from checks
>
> Changes in v2:
>  - add reproducer to commit message
>  - update e-mail address of James Morris
>  - better Cc also the old SELinux ML

You know what they say: sixth time is the charm :)

Merged into selinux/next, thanks all.

-- 
paul moore
www.paul-moore.com
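To make the byte-order bug described in the quoted commit message concrete, here is an added, self-contained C illustration (not the kernel's code): a little-endian 32-bit port word as stored in the policydb, range-checked either before or after the le32_to_cpu() conversion. Host byte order is passed in explicitly so a little-endian machine can reproduce what the ppc64 machine saw; the sample words are constructed from the reproducer's port value and the U8_MAX limit from the v6 changelog, and all function names are this example's own.

```c
#include <stdint.h>

#define U8_MAX 0xFFU

/* Constructed samples: the policydb stores ibendport.port as a little-endian
 * 32-bit word. These encode port 1 (the reproducer's "ibendportcon mlx4_0 1")
 * and the out-of-range port 256. */
static const uint8_t SAMPLE_PORT1_LE[4]   = {0x01, 0x00, 0x00, 0x00};
static const uint8_t SAMPLE_PORT256_LE[4] = {0x00, 0x01, 0x00, 0x00};

/* Portable stand-in for the kernel's le32_to_cpu(): decode the stream word
 * as little-endian whatever the host byte order. */
static uint32_t le32_to_cpu_portable(const uint8_t b[4])
{
    return (uint32_t)b[0] | ((uint32_t)b[1] << 8) |
           ((uint32_t)b[2] << 16) | ((uint32_t)b[3] << 24);
}

/* What an unconverted u32 read of the same bytes yields on a host of the
 * given byte order: the LE value on x86, byte-swapped on ppc64
 * (big_endian=1 simulates the ppc64 host on any machine). */
static uint32_t raw_word_on_host(const uint8_t b[4], int big_endian)
{
    if (!big_endian)
        return le32_to_cpu_portable(b);
    return ((uint32_t)b[0] << 24) | ((uint32_t)b[1] << 16) |
           ((uint32_t)b[2] << 8) | (uint32_t)b[3];
}

/* Pre-patch shape of the check: range-check the raw word, convert afterwards.
 * Returns the accepted port, or -1 where the policy load would fail. */
static int ibendport_port_buggy(const uint8_t word[4], int big_endian)
{
    uint32_t raw = raw_word_on_host(word, big_endian);
    if (raw > U8_MAX || raw == 0)
        return -1;
    return (int)le32_to_cpu_portable(word);
}

/* Post-patch shape: convert first, range-check the converted value, and only
 * then store it in the 8-bit field. Host byte order no longer matters. */
static int ibendport_port_fixed(const uint8_t word[4], int big_endian)
{
    uint32_t port = le32_to_cpu_portable(word);
    (void)big_endian;
    if (port > U8_MAX || port == 0)
        return -1;
    return (int)port;
}
```

On a big-endian host the buggy check reads port 1 as 0x01000000, which exceeds U8_MAX and rejects the policy, while the same bytes pass on x86; the fixed ordering accepts port 1 and rejects port 256 on both.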