policydb.c (44f10dbefd5e41b3385af91f855a57aa2afaf40e) | policydb.c (5b0eea835d4e9cb5229e696c5763929fc2394f39) |
---|---|
1// SPDX-License-Identifier: GPL-2.0-only 2/* 3 * Implementation of the policy database. 4 * 5 * Author : Stephen Smalley, <sds@tycho.nsa.gov> 6 */ 7 8/* --- 849 unchanged lines hidden (view full) --- 858 859/* 860 * Load the initial SIDs specified in a policy database 861 * structure into a SID table. 862 */ 863int policydb_load_isids(struct policydb *p, struct sidtab *s) 864{ 865 struct ocontext *head, *c; | 1// SPDX-License-Identifier: GPL-2.0-only 2/* 3 * Implementation of the policy database. 4 * 5 * Author : Stephen Smalley, <sds@tycho.nsa.gov> 6 */ 7 8/* --- 849 unchanged lines hidden (view full) --- 858 859/* 860 * Load the initial SIDs specified in a policy database 861 * structure into a SID table. 862 */ 863int policydb_load_isids(struct policydb *p, struct sidtab *s) 864{ 865 struct ocontext *head, *c; |
866 bool isid_init_supported = ebitmap_get_bit(&p->policycaps, 867 POLICYDB_CAP_USERSPACE_INITIAL_CONTEXT); |
|
866 int rc; 867 868 rc = sidtab_init(s); 869 if (rc) { 870 pr_err("SELinux: out of memory on SID table init\n"); 871 return rc; 872 } 873 --- 7 unchanged lines hidden (view full) --- 881 sidtab_destroy(s); 882 return -EINVAL; 883 } 884 885 /* Ignore initial SIDs unused by this kernel. */ 886 if (!name) 887 continue; 888 | 868 int rc; 869 870 rc = sidtab_init(s); 871 if (rc) { 872 pr_err("SELinux: out of memory on SID table init\n"); 873 return rc; 874 } 875 --- 7 unchanged lines hidden (view full) --- 883 sidtab_destroy(s); 884 return -EINVAL; 885 } 886 887 /* Ignore initial SIDs unused by this kernel. */ 888 if (!name) 889 continue; 890 |
891 /* 892 * Also ignore SECINITSID_INIT if the policy doesn't declare 893 * support for it 894 */ 895 if (sid == SECINITSID_INIT && !isid_init_supported) 896 continue; 897 |
|
889 rc = sidtab_set_initial(s, sid, &c->context[0]); 890 if (rc) { 891 pr_err("SELinux: unable to load initial SID %s.\n", 892 name); 893 sidtab_destroy(s); 894 return rc; 895 } | 898 rc = sidtab_set_initial(s, sid, &c->context[0]); 899 if (rc) { 900 pr_err("SELinux: unable to load initial SID %s.\n", 901 name); 902 sidtab_destroy(s); 903 return rc; 904 } |
905 906 /* 907 * If the policy doesn't support the "userspace_initial_context" 908 * capability, set SECINITSID_INIT to the same context as 909 * SECINITSID_KERNEL. This ensures the same behavior as before 910 * the reintroduction of SECINITSID_INIT, where all tasks 911 * started before policy load would initially get the context 912 * corresponding to SECINITSID_KERNEL. 913 */ 914 if (sid == SECINITSID_KERNEL && !isid_init_supported) { 915 rc = sidtab_set_initial(s, SECINITSID_INIT, &c->context[0]); 916 if (rc) { 917 pr_err("SELinux: unable to load initial SID %s.\n", 918 name); 919 sidtab_destroy(s); 920 return rc; 921 } 922 } |
|
896 } 897 return 0; 898} 899 900int policydb_class_isvalid(struct policydb *p, unsigned int class) 901{ 902 if (!class || class > p->p_classes.nprim) 903 return 0; --- 2832 unchanged lines hidden --- | 923 } 924 return 0; 925} 926 927int policydb_class_isvalid(struct policydb *p, unsigned int class) 928{ 929 if (!class || class > p->p_classes.nprim) 930 return 0; --- 2832 unchanged lines hidden --- |
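Review bot: The failure message in the new SECINITSID_KERNEL fallback block (new lines 917–918) prints `name`, but the call that failed is `sidtab_set_initial(s, SECINITSID_INIT, &c->context[0])`, so a failure there is logged as the kernel SID rather than the init SID and will send whoever reads the log to the wrong policy entry. The existing message a few lines above is the one for the SID actually being iterated; the fallback needs its own wording, e.g. `pr_err("SELinux: unable to load initial SID init from %s context.\n", name);`. It would also help to note at the `if (sid == SECINITSID_INIT && !isid_init_supported) continue;` check that the init SID is filled in later from the kernel entry, since the two halves of the aliasing are separated by the sidtab_set_initial call and read as independent when skimming. The loop header and the derivation of `name` are in the hidden lines, so I am assuming `name` here is the kernel SID's name.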