review.tizen.org Git - platform/kernel/linux-stable.git/commit

author	Paul Moore <pmoore@redhat.com>
	Fri, 1 Aug 2014 15:17:17 +0000 (11:17 -0400)
committer	Rafal Krypa <r.krypa@samsung.com>
	Tue, 22 Mar 2016 11:49:04 +0000 (12:49 +0100)
commit	f41d33d0c20f90af82832113be7f5728f0bb83f4
tree	b696945008f963914bf912854410e03405f4ef81	tree \| snapshot
parent	7af0ba2cb6fbbf9b29a73a58ec5bffd6e4adde47	commit \| diff

BACKPORT: netlabel: fix the horribly broken catmap functions

The NetLabel secattr catmap functions, and the SELinux import/export
glue routines, were broken in many horrible ways and the SELinux glue
code fiddled with the NetLabel catmap structures in ways that we
probably shouldn't allow.  At some point this "worked", but that was
likely due to a bit of dumb luck and sub-par testing (both inflicted
by yours truly).  This patch corrects these problems by basically
gutting the code in favor of something less obtuse and restoring the
NetLabel abstractions in the SELinux catmap glue code.

Everything is working now, and if it decides to break itself in the
future this code will be much easier to debug than the code it
replaces.

One noteworthy side effect of the changes is that it is no longer
necessary to allocate a NetLabel catmap before calling one of the
NetLabel APIs to set a bit in the catmap.  NetLabel will automatically
allocate the catmap nodes when needed, resulting in less allocations
when the lowest bit is greater than 255 and less code in the LSMs.

Cc: stable@vger.kernel.org
Reported-by: Christian Evans <frodox@zoho.com>
Signed-off-by: Paul Moore <pmoore@redhat.com>
Tested-by: Casey Schaufler <casey@schaufler-ca.com>
(cherry-picked from upstream 4b8feff251da3d7058b5779e21b33a85c686b974)

include/net/netlabel.h		diff \| blob \| history
net/ipv4/cipso_ipv4.c		diff \| blob \| history
net/netlabel/netlabel_kapi.c		diff \| blob \| history
security/selinux/ss/ebitmap.c		diff \| blob \| history
security/smack/smack_access.c		diff \| blob \| history