author | Casey Schaufler <casey@schaufler-ca.com> | 2013-06-29 00:47:07 +0400 |
---|---|---|
committer | Casey Schaufler <casey@schaufler-ca.com> | 2013-08-02 07:04:02 +0400 |
commit | 677264e8fb73ea35a508700e19ce76c527576d1c | |
tree | 907b50534365824858c1df15dbfb4249c1079e4f /security/smack/smackfs.c | |
parent | 4d7cf4a1f49f76f4069114ee08be75cd68c37c5a | |
Smack: network label match fix
The Smack code that matches incoming CIPSO tags with Smack labels
reaches through the NetLabel interfaces and compares the network
data with the CIPSO header associated with a Smack label. This was
done in an ill-advised attempt to optimize performance. It works
so long as the categories fit in a single capset, but this isn't
always the case.
This patch changes the Smack code to use the appropriate NetLabel
interfaces to compare the incoming CIPSO header with the CIPSO
header associated with a label. It will always match the CIPSO
headers correctly.
Targeted for git://git.gitorious.org/smack-next/kernel.git
Signed-off-by: Casey Schaufler <casey@schaufler-ca.com>
Diffstat (limited to 'security/smack/smackfs.c')
-rw-r--r-- | security/smack/smackfs.c | 2 |
1 files changed, 1 insertions, 1 deletions
diff --git a/security/smack/smackfs.c b/security/smack/smackfs.c index 269b270c6473..a07e93f00a0f 100644 --- a/security/smack/smackfs.c +++ b/security/smack/smackfs.c @@ -890,7 +890,7 @@ static ssize_t smk_set_cipso(struct file *file, const char __user *buf, for (i = 0; i < catlen; i++) { rule += SMK_DIGITLEN; ret = sscanf(rule, "%u", &cat); - if (ret != 1 || cat > SMACK_CIPSO_MAXCATVAL) + if (ret != 1 || cat > SMACK_CIPSO_MAXCATNUM) goto out; smack_catset_bit(cat, mapcatset); |
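Review bot: In the bounds check `if (ret != 1 || cat > SMACK_CIPSO_MAXCATNUM)` in smk_set_cipso(), the comparison is still `>`, so a parsed `cat` equal to SMACK_CIPSO_MAXCATNUM is accepted and passed to smack_catset_bit(cat, mapcatset). The new name reads as a count of categories rather than a largest valid value, so please confirm that mapcatset has room for that bit, or change the test to `>=`. `cat` is parsed with sscanf from a user-supplied buffer, and this check is the only limit on the bit index visible in the hunk. The commit message describes how incoming CIPSO headers are matched but does not mention this limit; a sentence on why the write-side bound changes would help anyone reviewing this file on its own.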