| author | Christian Göttsche <cgzones@googlemail.com> | 2025-05-11 19:30:08 +0200 |
|---|---|---|
| committer | Paul Moore <paul@paul-moore.com> | 2026-05-06 19:43:20 -0400 |
| commit | ecf41f6218b58c72f1511e395e480f70a9f44889 (patch) | |
| tree | 63dad8808512953a1c0344b08895c8c1d88e5a58 /security | |
| parent | 259915b053b88bae525024f85f36e49c1f903a4b (diff) | |
| download | linux-next-history-ecf41f6218b58c72f1511e395e480f70a9f44889.tar.gz | |
selinux: reorder policydb_index()
Index as soon as possible to enable isvalid() checks to fail on gaps.
Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
Acked-by: Stephen Smalley <stephen.smalley.work@gmail.com>
Signed-off-by: Paul Moore <paul@paul-moore.com>
Diffstat (limited to 'security')
| -rw-r--r-- | security/selinux/ss/policydb.c | 11 |
1 files changed, 6 insertions, 5 deletions
diff --git a/security/selinux/ss/policydb.c b/security/selinux/ss/policydb.c
index 6bb66eda9fc01..35a6708284db6 100644
--- a/security/selinux/ss/policydb.c
+++ b/security/selinux/ss/policydb.c
@@ -733,7 +733,6 @@ static int policydb_index(struct policydb *p)
 pr_debug("SELinux: %d classes, %d rules\n", p->p_classes.nprim, p->te_avtab.nel);
- avtab_hash_eval(&p->te_avtab, "rules");
 symtab_hash_eval(p->symtab);
 p->class_val_to_struct = kzalloc_objs(*p->class_val_to_struct,
@@ -2744,6 +2743,10 @@ int policydb_read(struct policydb *p, struct policy_file *fp)
 p->symtab[i].nprim = nprim;
 }
+ rc = policydb_index(p);
+ if (rc)
+ goto bad;
+
 rc = -EINVAL;
 p->process_class = string_to_security_class(p, "process");
 if (!p->process_class) {
@@ -2755,6 +2758,8 @@ int policydb_read(struct policydb *p, struct policy_file *fp)
 if (rc)
 goto bad;
+ avtab_hash_eval(&p->te_avtab, "rules");
+
 if (p->policyvers >= POLICYDB_VERSION_BOOL) {
 rc = cond_read_list(p, fp);
 if (rc)
@@ -2852,10 +2857,6 @@ int policydb_read(struct policydb *p, struct policy_file *fp)
 if (rc)
 goto bad;
- rc = policydb_index(p);
- if (rc)
- goto bad;
-
 rc = -EINVAL;
 perm = string_to_av_perm(p, p->process_class, "transition");
 if (!perm) { |
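Review bot: The early `policydb_index(p)` call added after the symtab loop in policydb_read() carries an ordering requirement that nothing in the code states. Per the commit message, it has to run before the later readers so that their isvalid() checks can reject values falling into symtab gaps. A one-line comment above the call would keep a later cleanup from moving it back to the end, for example `/* Index first: the isvalid() checks in the readers below need the val_to_struct arrays to reject gaps. */`. Because every later reader failure now happens after the index arrays are allocated, it is also worth confirming that the `bad` path frees them; that label and the rest of policydb_read() are outside the hunk.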
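Review bot: The rule count is still logged from policydb_index(), which this commit now calls before this point, so only half of the avtab diagnostics moved with the relocated `avtab_hash_eval(&p->te_avtab, "rules");`. The first hunk keeps `pr_debug("SELinux: %d classes, %d rules\n", p->p_classes.nprim, p->te_avtab.nel);` as context, so that message presumably prints the table size before the rules are read, most likely 0. That would make the debug output misleading when triaging a rejected or truncated policy. Consider dropping the rule count from the policydb_index() message and logging it here instead, e.g. `pr_debug("SELinux: %d rules\n", p->te_avtab.nel);` just before the avtab_hash_eval() call. The call whose `rc` is checked immediately above the added line is not visible in the hunk.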
