From: Linus Torvalds Date: Tue, 13 Dec 2022 17:32:05 +0000 (-0800) Subject: Merge tag 'selinux-pr-20221212' of git://git.kernel.org/pub/scm/linux/kernel/git... X-Git-Tag: v6.6.17~5969 X-Git-Url: http://review.tizen.org/git/?a=commitdiff_plain;h=57888f7b952d3f2696f82a701f1b3d9de7e346d3;p=platform%2Fkernel%2Flinux-rpi.git Merge tag 'selinux-pr-20221212' of git://git./linux/kernel/git/pcmoore/selinux Pull selinux updates from Paul Moore: "Two SELinux patches: one increases the sleep time on deprecated functionality, and one removes the indirect calls in the sidtab context conversion code" * tag 'selinux-pr-20221212' of git://git.kernel.org/pub/scm/linux/kernel/git/pcmoore/selinux: selinux: remove the sidtab context conversion indirect calls selinux: increase the deprecation sleep for checkreqprot and runtime disable
--- 57888f7b952d3f2696f82a701f1b3d9de7e346d3
diff --cc security/selinux/ss/services.c
index 64a6a37,e63c4f9..0092b29
--- a/security/selinux/ss/services.c
+++ b/security/selinux/ss/services.c
@@@ -2014,18 -2008,20 +2008,22 @@@ static inline int convert_context_handl
 return 0;
 }
- /*
- * Convert the values in the security context
- * structure `oldc' from the values specified
- * in the policy `p->oldp' to the values specified
- * in the policy `p->newp', storing the new context
- * in `newc'. Verify that the context is valid
- * under the new policy.
+ /**
+ * services_convert_context - Convert a security context across policies.
+ * @args: populated convert_context_args struct
+ * @oldc: original context
+ * @newc: converted context
++ * @gfp_flags: allocation flags
+ *
+ * Convert the values in the security context structure @oldc from the values
+ * specified in the policy @args->oldp to the values specified in the policy
+ * @args->newp, storing the new context in @newc, and verifying that the
+ * context is valid under the new policy. 
*/
- static int convert_context(struct context *oldc, struct context *newc, void *p,
- gfp_t gfp_flags)
+ int services_convert_context(struct convert_context_args *args,
- struct context *oldc, struct context *newc)
++ struct context *oldc, struct context *newc,
++ gfp_t gfp_flags)
 {
- struct convert_context_args *args;
 struct ocontext *oc;
 struct role_datum *role;
 struct type_datum *typdatum;
@@@ -2034,10 -2030,8 +2032,8 @@@
 u32 len;
 int rc;
- args = p;
-
 if (oldc->str) {
- s = kstrdup(oldc->str, GFP_KERNEL);
+ s = kstrdup(oldc->str, gfp_flags);
 if (!s)
 return -ENOMEM;
diff --cc security/selinux/ss/services.h
index 9555ad0,6348c95..c430162
--- a/security/selinux/ss/services.h
+++ b/security/selinux/ss/services.h
@@@ -29,10 -29,18 +29,19 @@@ struct selinux_policy
 u32 latest_granting;
 } __randomize_layout;
- void services_compute_xperms_drivers(struct extended_perms *xperms,
- struct avtab_node *node);
+ struct convert_context_args {
+ struct selinux_state *state;
+ struct policydb *oldp;
+ struct policydb *newp;
+ };
+ void services_compute_xperms_drivers(struct extended_perms *xperms,
+ struct avtab_node *node);
 void services_compute_xperms_decision(struct extended_perms_decision *xpermd,
- struct avtab_node *node);
+ struct avtab_node *node);
+
+ int services_convert_context(struct convert_context_args *args,
- struct context *oldc, struct context *newc);
++ struct context *oldc, struct context *newc,
++ gfp_t gfp_flags);
 #endif /* _SS_SERVICES_H_ */
diff --cc security/selinux/ss/sidtab.c
index db5cce3,1c3d2cd..38d2517
--- a/security/selinux/ss/sidtab.c
+++ b/security/selinux/ss/sidtab.c
@@@ -324,8 -327,8 +327,9 @@@ int sidtab_context_to_sid(struct sidta
 goto out_unlock;
 }
- rc = convert->func(context, &dst_convert->context,
- convert->args, GFP_ATOMIC);
+ rc = services_convert_context(convert->args,
- context, &dst_convert->context);
++ context, &dst_convert->context,
++ GFP_ATOMIC);
 if (rc) {
 context_destroy(&dst->context);
 goto out_unlock;
@@@ -402,9 -405,9 
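Review bot: The new kernel-doc block for services_convert_context() has no `Return:` section, so a reader has to find the `return -ENOMEM` in the following hunk to learn the error contract; add a line such as `* Return: 0 on success, or a negative errno (e.g. -ENOMEM if copying the context string fails).` before the closing `*/`. The `@gfp_flags` description should also say what constrains the choice, since the sidtab.c hunks of this merge pass GFP_ATOMIC from sidtab_context_to_sid(), which appears to run with a lock held given its `out_unlock` label, and GFP_KERNEL from sidtab_convert_tree(); something like `@gfp_flags: allocation flags; pass GFP_ATOMIC when the caller cannot sleep` would keep the next caller from guessing. The body of services_convert_context() continues past the hunk.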
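Review bot: `struct convert_context_args` becomes a public type in services.h without any comment on what `oldp` and `newp` are or who owns them, which matters because the converter is now called from sidtab.c rather than through a callback that kept the type private to services.c. A short comment above the struct would do, e.g. `/* Arguments for services_convert_context(): convert from policy @oldp to policy @newp. The policies are presumably borrowed and must outlive the conversion; confirm against the sidtab callers. */`. The new prototype also introduces `gfp_t` into this header; the tree evidently builds, but it is worth confirming that services.h includes <linux/types.h> itself rather than relying on an include order from its users.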
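Review bot: The two call sites of services_convert_context() now hard-code different allocation flags, GFP_ATOMIC here and GFP_KERNEL in sidtab_convert_tree() in the next hunk, with nothing at either site saying why they differ, so a later edit could copy the wrong one and introduce a sleeping allocation on a non-sleeping path, which only shows up at runtime. Given the `out_unlock` label this call appears to run under the sidtab lock; if so, add `/* sidtab lock held (see out_unlock): the conversion must not sleep */` above this call, and at the other site `/* runs outside the sidtab lock, so a sleeping allocation is fine */` if that is the case. sidtab_context_to_sid() starts before this hunk.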
+406,10 @@@ static int sidtab_convert_tree(union si
 }
 i = 0;
 while (i < SIDTAB_LEAF_ENTRIES && *pos < count) {
- rc = convert->func(&esrc->ptr_leaf->entries[i].context,
- &edst->ptr_leaf->entries[i].context,
- convert->args, GFP_KERNEL);
+ rc = services_convert_context(convert->args,
+ &esrc->ptr_leaf->entries[i].context,
- &edst->ptr_leaf->entries[i].context);
++ &edst->ptr_leaf->entries[i].context,
++ GFP_KERNEL);
 if (rc)
 return rc;
 (*pos)++;