summaryrefslogtreecommitdiff
path: root/security/smack/smackfs.c
diff options
context:
space:
mode:
authorCasey Schaufler <casey@schaufler-ca.com>2013-06-29 00:47:07 +0400
committerCasey Schaufler <casey@schaufler-ca.com>2013-08-02 07:04:02 +0400
commit677264e8fb73ea35a508700e19ce76c527576d1c (patch)
tree907b50534365824858c1df15dbfb4249c1079e4f /security/smack/smackfs.c
parent4d7cf4a1f49f76f4069114ee08be75cd68c37c5a (diff)
downloadlinux-677264e8fb73ea35a508700e19ce76c527576d1c.tar.xz
Smack: network label match fix
The Smack code that matches incoming CIPSO tags with Smack labels reaches through the NetLabel interfaces and compares the network data with the CIPSO header associated with a Smack label. This was done in a ill advised attempt to optimize performance. It works so long as the categories fit in a single capset, but this isn't always the case. This patch changes the Smack code to use the appropriate NetLabel interfaces to compare the incoming CIPSO header with the CIPSO header associated with a label. It will always match the CIPSO headers correctly. Targeted for git://git.gitorious.org/smack-next/kernel.git Signed-off-by: Casey Schaufler <casey@schaufler-ca.com>
Diffstat (limited to 'security/smack/smackfs.c')
-rw-r--r--security/smack/smackfs.c2
1 files changed, 1 insertions, 1 deletions
diff --git a/security/smack/smackfs.c b/security/smack/smackfs.c
index 269b270c6473..a07e93f00a0f 100644
--- a/security/smack/smackfs.c
+++ b/security/smack/smackfs.c
@@ -890,7 +890,7 @@ static ssize_t smk_set_cipso(struct file *file, const char __user *buf,
for (i = 0; i < catlen; i++) {
rule += SMK_DIGITLEN;
ret = sscanf(rule, "%u", &cat);
- if (ret != 1 || cat > SMACK_CIPSO_MAXCATVAL)
+ if (ret != 1 || cat > SMACK_CIPSO_MAXCATNUM)
goto out;
smack_catset_bit(cat, mapcatset);