author | Linus Torvalds <torvalds@linux-foundation.org> | 2024-05-15 18:36:30 +0300 |
committer | Linus Torvalds <torvalds@linux-foundation.org> | 2024-05-15 18:36:30 +0300 |
commit | ccae19c6239ae810242d2edc03b02bdcc12fc5ab (patch) | |
tree | d7c80eb5d825d9905b31c024eb9c3c298dd5334b /security/selinux/ss/policydb.c | |
parent | 4cd4e4b88100a33d96ec4f83bdb0e4e754e24c97 (diff) | |
parent | 581646c3fb98494009671f6d347ea125bc0e663a (diff) | |
download | linux-ccae19c6239ae810242d2edc03b02bdcc12fc5ab.tar.xz |
Merge tag 'selinux-pr-20240513' of git://git.kernel.org/pub/scm/linux/kernel/git/pcmoore/selinux
Pull selinux updates from Paul Moore:
- Attempt to pre-allocate the SELinux status page so it doesn't appear
to userspace that we are skipping SELinux policy sequence numbers
- Reject invalid SELinux policy bitmaps with an error at policy load
time
- Consistently use the same type, u32, for ebitmap offsets
- Improve the "symhash" hash function for better distribution on common
policies
- Correct a number of printk format specifiers in the ebitmap code
- Improved error checking in sel_write_load()
- Ensure we have a proper return code in the
filename_trans_read_helper_compat() function
- Make better use of the current_sid() helper function
- Allow for more hash table statistics when debugging is enabled
- Migrate from printk_ratelimit() to pr_warn_ratelimited()
- Miscellaneous cleanups and tweaks to selinux_lsm_getattr()
- More constification work in the conditional policy space
* tag 'selinux-pr-20240513' of git://git.kernel.org/pub/scm/linux/kernel/git/pcmoore/selinux:
selinux: constify source policy in cond_policydb_dup()
selinux: avoid printk_ratelimit()
selinux: pre-allocate the status page
selinux: clarify return code in filename_trans_read_helper_compat()
selinux: use u32 as bit position type in ebitmap code
selinux: improve symtab string hashing
selinux: dump statistics for more hash tables
selinux: make more use of current_sid()
selinux: update numeric format specifiers for ebitmaps
selinux: improve error checking in sel_write_load()
selinux: cleanup selinux_lsm_getattr()
selinux: reject invalid ebitmaps
Diffstat (limited to 'security/selinux/ss/policydb.c')
-rw-r--r-- | security/selinux/ss/policydb.c | 24 |
1 files changed, 17 insertions, 7 deletions
diff --git a/security/selinux/ss/policydb.c b/security/selinux/ss/policydb.c
index 3d22d5baa829..383f3ae82a73 100644
--- a/security/selinux/ss/policydb.c
+++ b/security/selinux/ss/policydb.c
@@ -672,14 +672,16 @@ static int (*const index_f[SYM_NUM])(void *key, void *datum, void *datap) = {
 /* clang-format on */
 #ifdef CONFIG_SECURITY_SELINUX_DEBUG
-static void hash_eval(struct hashtab *h, const char *hash_name)
+static void hash_eval(struct hashtab *h, const char *hash_name,
+ const char *hash_details)
 {
 struct hashtab_info info;
 hashtab_stat(h, &info);
 pr_debug(
- "SELinux: %s: %d entries and %d/%d buckets used, longest chain length %d, sum of chain length^2 %llu\n",
- hash_name, h->nel, info.slots_used, h->size, info.max_chain_len,
+ "SELinux: %s%s%s: %d entries and %d/%d buckets used, longest chain length %d, sum of chain length^2 %llu\n",
+ hash_name, hash_details ? "@" : "", hash_details ?: "", h->nel,
+ info.slots_used, h->size, info.max_chain_len,
 info.chain2_len_sum);
 }
@@ -688,11 +690,12 @@ static void symtab_hash_eval(struct symtab *s)
 int i;
 for (i = 0; i < SYM_NUM; i++)
- hash_eval(&s[i].table, symtab_name[i]);
+ hash_eval(&s[i].table, symtab_name[i], NULL);
 }
 #else
-static inline void hash_eval(struct hashtab *h, const char *hash_name)
+static inline void hash_eval(struct hashtab *h, const char *hash_name,
+ const char *hash_details)
 {
 }
 static inline void symtab_hash_eval(struct symtab *s)
@@ -1178,6 +1181,8 @@ static int common_read(struct policydb *p, struct symtab *s, void *fp)
 goto bad;
 }
+ hash_eval(&comdatum->permissions.table, "common_permissions", key);
+
 rc = symtab_insert(s, key, comdatum);
 if (rc)
 goto bad;
@@ -1358,6 +1363,8 @@ static int class_read(struct policydb *p, struct symtab *s, void *fp)
 goto bad;
 }
+ hash_eval(&cladatum->permissions.table, "class_permissions", key);
+
 rc = read_cons_helper(p, &cladatum->constraints, ncons, 0, fp);
 if (rc)
 goto bad;
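Review bot: The new `hash_details` parameter of hash_eval() is undocumented, and nothing at the definition says that NULL is the expected value when there is no per-instance name, which is what every caller in this patch except common_read() and class_read() passes. I would put a comment above the `#ifdef CONFIG_SECURITY_SELINUX_DEBUG` definition along the lines of `/* hash_details: optional instance name (here the common/class key) appended to hash_name as "name@details"; NULL omits it. Debug builds only. */`. It is worth stating in that comment that `hash_details` is policy-supplied text (the `key` read from the policy file in common_read()/class_read()) and is only ever passed as a `%s` argument to a literal format string, so the pr_debug() is safe to feed untrusted names, and that the output exists only under CONFIG_SECURITY_SELINUX_DEBUG, with the `#else` stub discarding both strings. The hash_eval() bodies are fully visible in the hunk, but the common_read() and class_read() functions around the new calls start and end outside it, so whether `key` is always NUL-terminated at that point cannot be confirmed from the diff alone.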
@@ -1898,7 +1905,7 @@ static int range_read(struct policydb *p, void *fp)
 rt = NULL;
 r = NULL;
 }
- hash_eval(&p->range_tr, "rangetr");
+ hash_eval(&p->range_tr, "rangetr", NULL);
 rc = 0;
 out:
 kfree(rt);
@@ -1943,6 +1950,7 @@ static int filename_trans_read_helper_compat(struct policydb *p, void *fp)
 if (unlikely(ebitmap_get_bit(&datum->stypes, stype - 1))) {
 /* conflicting/duplicate rules are ignored */
 datum = NULL;
+ rc = 0;
 goto out;
 }
 if (likely(datum->otype == otype))
@@ -2116,7 +2124,7 @@ static int filename_trans_read(struct policydb *p, void *fp)
 return rc;
 }
 }
- hash_eval(&p->filename_trans, "filenametr");
+ hash_eval(&p->filename_trans, "filenametr", NULL);
 return 0;
 }
@@ -2649,6 +2657,8 @@ int policydb_read(struct policydb *p, void *fp)
 rtd = NULL;
 }
+ hash_eval(&p->role_tr, "roletr", NULL);
+
 rc = next_entry(buf, fp, sizeof(u32));
 if (rc)
 goto bad;
 |
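Review bot: The added `rc = 0;` in filename_trans_read_helper_compat() makes the duplicate-rule path an explicit success return, but the comment on the line above still only says the rule is ignored, and the companion `datum = NULL;` is left unexplained; a reader has to go to the `out:` label, which is outside this hunk, to see that it apparently exists so the cleanup there does not free a datum that is still linked in the filename_trans table. I would extend the comment to `/* conflicting/duplicate rules are ignored: clear datum so out: does not free the table-owned entry, and report success */`, and since the function body including `out:` is not in the hunk, the exact cleanup performed there should be confirmed against the file before wording it that way. One caveat a practitioner may want noted is that a policy with contradictory filename transitions now loads with a clean return code and no diagnostic; that is pre-existing behaviour rather than something this change introduces, but given the series is moving to pr_warn_ratelimited() a rate-limited warning at this point would be cheap and would make the silently dropped rule visible to whoever loaded the policy.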