From 59666ba9696046d273554644ca2739ce0c9a2fc6 Mon Sep 17 00:00:00 2001
From: Jan Cybulski
Date: Mon, 7 Oct 2013 15:28:51 +0200
Subject: [PATCH] Revert "SMACK: netework label match fix"
This reverts commit 1b2029c38121a0c7f208df9774ed997a3af2efda.
Change-Id: I3696bf55ff92cee1e2b73ad6827f71c67f828781
---
 security/smack/smack.h | 8 ++------
 security/smack/smack_lsm.c | 30 ++++++------------------------
 security/smack/smackfs.c | 2 +-
 3 files changed, 9 insertions(+), 31 deletions(-)
diff --git a/security/smack/smack.h b/security/smack/smack.h
index c6760d6..156fdf9 100644
--- a/security/smack/smack.h
+++ b/security/smack/smack.h
@@ -160,13 +160,9 @@ struct smack_known {
 #define SMACK_CIPSO_DOI_INVALID -1 /* Not a DOI */
 #define SMACK_CIPSO_DIRECT_DEFAULT 250 /* Arbitrary */
 #define SMACK_CIPSO_MAPPED_DEFAULT 251 /* Also arbitrary */
+#define SMACK_CIPSO_MAXCATVAL 63 /* Bigger gets harder */
 #define SMACK_CIPSO_MAXLEVEL 255 /* CIPSO 2.2 standard */
-/*
- * CIPSO 2.2 standard is 239, but Smack wants to use the
- * categories in a structured way that limits the value to
- * the bits in 23 bytes, hence the unusual number.
- */
-#define SMACK_CIPSO_MAXCATNUM 184 /* 23 * 8 */
+#define SMACK_CIPSO_MAXCATNUM 239 /* CIPSO 2.2 standard */
 /*
 * Flag for transmute access
diff --git a/security/smack/smack_lsm.c b/security/smack/smack_lsm.c
index 18ac646..4e98d66 100644
--- a/security/smack/smack_lsm.c
+++ b/security/smack/smack_lsm.c
@@ -2823,8 +2823,6 @@ static char *smack_from_secattr(struct netlbl_lsm_secattr *sap,
 struct smack_known *kp;
 char *sp;
 int found = 0;
- int acat;
- int kcat;
 if ((sap->flags & NETLBL_SECATTR_MLS_LVL) != 0) {
 /*
@@ -2841,28 +2839,12 @@ static char *smack_from_secattr(struct netlbl_lsm_secattr *sap,
 list_for_each_entry(kp, &smack_known_list, list) {
 if (sap->attr.mls.lvl != kp->smk_netlabel.attr.mls.lvl)
 continue;
- /*
- * Compare the catsets. Use the netlbl APIs.
- */
- if ((sap->flags & NETLBL_SECATTR_MLS_CAT) == 0) {
- if ((kp->smk_netlabel.flags &
- NETLBL_SECATTR_MLS_CAT) == 0)
- found = 1;
- break;
- }
- for (acat = -1, kcat = -1; acat == kcat; ) {
- acat = netlbl_secattr_catmap_walk(
- sap->attr.mls.cat, acat + 1);
- kcat = netlbl_secattr_catmap_walk(
- kp->smk_netlabel.attr.mls.cat,
- kcat + 1);
- if (acat < 0 || kcat < 0)
- break;
- }
- if (acat == kcat) {
- found = 1;
- break;
- }
+ if (memcmp(sap->attr.mls.cat,
+ kp->smk_netlabel.attr.mls.cat,
+ SMK_CIPSOLEN) != 0)
+ continue;
+ found = 1;
+ break;
 }
 rcu_read_unlock();
diff --git a/security/smack/smackfs.c b/security/smack/smackfs.c
index 84e0bfc..ec1e236 100644
--- a/security/smack/smackfs.c
+++ b/security/smack/smackfs.c
@@ -900,7 +900,7 @@ static ssize_t smk_set_cipso(struct file *file, const char __user *buf,
 for (i = 0; i < catlen; i++) {
 rule += SMK_DIGITLEN;
 ret = sscanf(rule, "%u", &cat);
- if (ret != 1 || cat > SMACK_CIPSO_MAXCATNUM)
+ if (ret != 1 || cat > SMACK_CIPSO_MAXCATVAL)
 goto out;
 smack_catset_bit(cat, mapcatset);
--
2.7.4
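Review bot: The restored `memcmp(sap->attr.mls.cat, kp->smk_netlabel.attr.mls.cat, SMK_CIPSOLEN)` in the `list_for_each_entry` loop reads both category maps without the `NETLBL_SECATTR_MLS_CAT` flag test that the removed lines performed, so a secattr that carries a level but no categories is no longer handled separately. If `attr.mls.cat` is a pointer to NetLabel's category-map object, as the removed `netlbl_secattr_catmap_walk()` calls suggest, the comparison also covers a fixed number of bytes of that object's in-memory layout rather than the set of categories, so an incoming packet could be matched to the wrong Smack label or to none. If the revert has to stay, keep the guard `if ((sap->flags & NETLBL_SECATTR_MLS_CAT) == 0)` ahead of the `memcmp` and add a comment stating what the `SMK_CIPSOLEN` bytes are assumed to hold. The commit message gives no reason for the revert, and `smack_from_secattr` starts and ends outside this hunk.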
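Review bot: The comparison `cat > SMACK_CIPSO_MAXCATVAL` in the smackfs.c hunk is the only visible bound on the user-supplied category before `smack_catset_bit(cat, mapcatset)`, and nothing in the hunk ties that limit to the size of `mapcatset`, which is declared outside it. Assuming `mapcatset` is `SMK_CIPSOLEN` bytes, a compile-time check such as `BUILD_BUG_ON(SMACK_CIPSO_MAXCATVAL >= SMK_CIPSOLEN * 8);` beside the loop would keep a later change to either constant from turning this into an out-of-bounds bit write. After this change smack.h defines `SMACK_CIPSO_MAXCATNUM` as 239 while this parser rejects anything above 63, so the comment on the define should say which limit the smackfs interface enforces. `smk_set_cipso` starts and ends outside this hunk.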