]> git.ipfire.org Git - thirdparty/linux.git/commitdiff
projects / thirdparty / linux.git / commitdiff
? search:
summary | shortlog | log | commit | commitdiff | tree
raw | patch | inline | side by side (parent: 259915b)
selinux: reorder policydb_index()
authorChristian Göttsche <cgzones@googlemail.com>
Sun, 11 May 2025 17:30:08 +0000 (19:30 +0200)
committerPaul Moore <paul@paul-moore.com>
Wed, 6 May 2026 23:43:20 +0000 (19:43 -0400)
Index as soon as possible to enable isvalid() checks to fail on gaps.

Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
Acked-by: Stephen Smalley <stephen.smalley.work@gmail.com>
Signed-off-by: Paul Moore <paul@paul-moore.com>
security/selinux/ss/policydb.c patch | blob | blame | history

diff --git a/security/selinux/ss/policydb.c b/security/selinux/ss/policydb.c
index 6bb66eda9fc01546eb4589c39f126bba6fba2943..35a6708284db63add0c423d29170b3b58e690fb3 100644 (file)
--- a/security/selinux/ss/policydb.c
+++ b/security/selinux/ss/policydb.c
@@ -733,7 +733,6 @@ static int policydb_index(struct policydb *p)
        pr_debug("SELinux:  %d classes, %d rules\n", p->p_classes.nprim,
                 p->te_avtab.nel);
 
-       avtab_hash_eval(&p->te_avtab, "rules");
        symtab_hash_eval(p->symtab);
 
        p->class_val_to_struct = kzalloc_objs(*p->class_val_to_struct,
@@ -2744,6 +2743,10 @@ int policydb_read(struct policydb *p, struct policy_file *fp)
                p->symtab[i].nprim = nprim;
        }
 
+       rc = policydb_index(p);
+       if (rc)
+               goto bad;
+
        rc = -EINVAL;
        p->process_class = string_to_security_class(p, "process");
        if (!p->process_class) {
@@ -2755,6 +2758,8 @@ int policydb_read(struct policydb *p, struct policy_file *fp)
        if (rc)
                goto bad;
 
+       avtab_hash_eval(&p->te_avtab, "rules");
+
        if (p->policyvers >= POLICYDB_VERSION_BOOL) {
                rc = cond_read_list(p, fp);
                if (rc)
@@ -2852,10 +2857,6 @@ int policydb_read(struct policydb *p, struct policy_file *fp)
        if (rc)
                goto bad;
 
-       rc = policydb_index(p);
-       if (rc)
-               goto bad;
-
        rc = -EINVAL;
        perm = string_to_av_perm(p, p->process_class, "transition");
        if (!perm) {
A mirror of Linus' kernel repository