policydb.c (a67d2a14a77eed5dbdace1801bf2255962121bdb) | policydb.c (ae254858ce0745aba25d107159b580ab5fdada5b) |
1// SPDX-License-Identifier: GPL-2.0-only 2/* 3 * Implementation of the policy database. 4 * 5 * Author : Stephen Smalley, <stephen.smalley.work@gmail.com> 6 */ 7 8/* --- 843 unchanged lines hidden (view full) --- 852 853/* 854 * Load the initial SIDs specified in a policy database 855 * structure into a SID table. 856 */ 857int policydb_load_isids(struct policydb *p, struct sidtab *s) 858{ 859 struct ocontext *head, *c; | 1// SPDX-License-Identifier: GPL-2.0-only 2/* 3 * Implementation of the policy database. 4 * 5 * Author : Stephen Smalley, <stephen.smalley.work@gmail.com> 6 */ 7 8/* --- 843 unchanged lines hidden (view full) --- 852 853/* 854 * Load the initial SIDs specified in a policy database 855 * structure into a SID table. 856 */ 857int policydb_load_isids(struct policydb *p, struct sidtab *s) 858{ 859 struct ocontext *head, *c; |
860 bool isid_init_supported = ebitmap_get_bit(&p->policycaps, 861 POLICYDB_CAP_USERSPACE_INITIAL_CONTEXT); |
|
860 int rc; 861 862 rc = sidtab_init(s); 863 if (rc) { 864 pr_err("SELinux: out of memory on SID table init\n"); 865 return rc; 866 } 867 --- 7 unchanged lines hidden (view full) --- 875 sidtab_destroy(s); 876 return -EINVAL; 877 } 878 879 /* Ignore initial SIDs unused by this kernel. */ 880 if (!name) 881 continue; 882 | 862 int rc; 863 864 rc = sidtab_init(s); 865 if (rc) { 866 pr_err("SELinux: out of memory on SID table init\n"); 867 return rc; 868 } 869 --- 7 unchanged lines hidden (view full) --- 877 sidtab_destroy(s); 878 return -EINVAL; 879 } 880 881 /* Ignore initial SIDs unused by this kernel. */ 882 if (!name) 883 continue; 884 |
885 /* 886 * Also ignore SECINITSID_INIT if the policy doesn't declare 887 * support for it 888 */ 889 if (sid == SECINITSID_INIT && !isid_init_supported) 890 continue; 891 |
|
883 rc = sidtab_set_initial(s, sid, &c->context[0]); 884 if (rc) { 885 pr_err("SELinux: unable to load initial SID %s.\n", 886 name); 887 sidtab_destroy(s); 888 return rc; 889 } | 892 rc = sidtab_set_initial(s, sid, &c->context[0]); 893 if (rc) { 894 pr_err("SELinux: unable to load initial SID %s.\n", 895 name); 896 sidtab_destroy(s); 897 return rc; 898 } |
899 900 /* 901 * If the policy doesn't support the "userspace_initial_context" 902 * capability, set SECINITSID_INIT to the same context as 903 * SECINITSID_KERNEL. This ensures the same behavior as before 904 * the reintroduction of SECINITSID_INIT, where all tasks 905 * started before policy load would initially get the context 906 * corresponding to SECINITSID_KERNEL. 907 */ 908 if (sid == SECINITSID_KERNEL && !isid_init_supported) { 909 rc = sidtab_set_initial(s, SECINITSID_INIT, &c->context[0]); 910 if (rc) { 911 pr_err("SELinux: unable to load initial SID %s.\n", 912 name); 913 sidtab_destroy(s); 914 return rc; 915 } 916 } |
|
890 } 891 return 0; 892} 893 894int policydb_class_isvalid(struct policydb *p, unsigned int class) 895{ 896 if (!class || class > p->p_classes.nprim) 897 return 0; --- 2837 unchanged lines hidden --- | 917 } 918 return 0; 919} 920 921int policydb_class_isvalid(struct policydb *p, unsigned int class) 922{ 923 if (!class || class > p->p_classes.nprim) 924 return 0; --- 2837 unchanged lines hidden --- |
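Review bot: The error path of the new fallback at lines 910–913 logs the wrong SID: the failing sidtab_set_initial() call is for SECINITSID_INIT, but `name` still holds the SECINITSID_KERNEL entry's name, so a failure is reported as "unable to load initial SID kernel" and points a reader at the wrong object. Since the fallback is a distinct condition, say so in the message, e.g. `pr_err("SELinux: unable to alias initial SID init to %s.\n", name);`. A second, smaller point: with the capability absent, SECINITSID_INIT is only populated if the policy actually carries a kernel initial SID; that is presumably guaranteed by validation outside this hunk, but a one-line comment on the `sid == SECINITSID_KERNEL` branch stating the dependency (`/* relies on policy validation requiring the kernel isid */`) would keep the next reader from re-deriving it. The loop header and the `name` lookup that these lines depend on sit above the visible hunk.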