
[Xen-devel] [PATCH] flask: Add check for io{port,mem}con sorting


  • To: xen-devel@xxxxxxxxxxxxxxxxxxxx
  • From: Daniel De Graaf <dgdegra@xxxxxxxxxxxxx>
  • Date: Fri, 28 Sep 2018 15:13:27 -0400
  • Cc: George Dunlap <dunlapg@xxxxxxxxx>, Daniel De Graaf <dgdegra@xxxxxxxxxxxxx>
  • Delivery-date: Fri, 28 Sep 2018 19:13:42 +0000
  • List-id: Xen developer discussion <xen-devel.lists.xenproject.org>

These entries are not always sorted by checkpolicy.  Enforce the sorting
(which can be done manually if using an unpatched checkpolicy) when
loading the policy so that later uses by the security server do not
incorrectly use the initial sid.

Reported-by: Nicolas Poirot <nicolas.poirot@xxxxxxxxx>
Signed-off-by: Daniel De Graaf <dgdegra@xxxxxxxxxxxxx>
---
 xen/xsm/flask/ss/policydb.c | 14 +++++++++++++-
 1 file changed, 13 insertions(+), 1 deletion(-)

diff --git a/xen/xsm/flask/ss/policydb.c b/xen/xsm/flask/ss/policydb.c
index 3a12d96ef9..fcf63693b9 100644
--- a/xen/xsm/flask/ss/policydb.c
+++ b/xen/xsm/flask/ss/policydb.c
@@ -2007,7 +2007,6 @@ int policydb_read(struct policydb *p, void *fp)
                 l->next = c;
             else
                 p->ocontexts[i] = c;
-            l = c;
             rc = -EINVAL;
             switch ( i )
             {
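Review bot: the removal of `l = c;` here has no comment explaining why the advance moved, and a reader seeing only this hunk could reasonably re-add it; a one-line comment such as `/* l is advanced after the switch so the per-type checks can see the previous entry */` at this spot would make the intent obvious. Note also that every `goto bad` inside the switch now runs with `c` already linked into `p->ocontexts[i]` (the lines just above) while `l` still points at the entry before it, which is fine only if the `bad:` path frees the list from the `ocontexts` head rather than via `l`.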
@@ -2050,6 +2049,12 @@ int policydb_read(struct policydb *p, void *fp)
                 rc = context_read_and_validate(&c->context, p, fp);
                 if ( rc )
                     goto bad;
+                if ( l && l->u.ioport.high_ioport > c->u.ioport.low_ioport )
+                {
+                    printk(KERN_ERR
+                        "Flask: Invalid policy, ioportcon not sorted\n");
+                    goto bad;
+                }
                 break;
             case OCON_IOMEM:
                 if ( p->target_type != TARGET_XEN )
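Review bot: at the new `goto bad`, `rc` is 0, because the `context_read_and_validate` call immediately above succeeded and overwrote the `rc = -EINVAL` set before the switch; unless the `bad:` label forces a non-zero value, an unsorted ioportcon would make `policydb_read` return success. Add `rc = -EINVAL;` before `goto bad;`. Two smaller points: the test `high_ioport > low_ioport` also rejects overlapping ranges, so the message could read "ioportcon not sorted or overlapping"; and if these ranges are inclusive, a previous `high_ioport` equal to the current `low_ioport` passes the check but is a one-port overlap, so either use `>=` or state in a comment that adjacency at the boundary is intended.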
@@ -2078,6 +2083,12 @@ int policydb_read(struct policydb *p, void *fp)
                 rc = context_read_and_validate(&c->context, p, fp);
                 if ( rc )
                     goto bad;
+                if ( l && l->u.iomem.high_iomem > c->u.iomem.low_iomem )
+                {
+                    printk(KERN_ERR
+                        "Flask: Invalid policy, iomemcon not sorted\n");
+                    goto bad;
+                }
                 break;
             case OCON_DEVICE:
                 if ( p->target_type != TARGET_XEN )
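Review bot: same `rc` concern as in the ioportcon block: `rc` is 0 here after the successful `context_read_and_validate`, so set `rc = -EINVAL;` before `goto bad;` (or have `bad:` default it when `rc` is 0). Since this block duplicates the ioportcon check with only the union member and the message changed, a small static helper taking the previous high and current low plus the name string would keep the two checks from drifting apart.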
@@ -2123,6 +2134,7 @@ int policydb_read(struct policydb *p, void *fp)
                 rc = -EINVAL;
                 goto bad;
             }
+            l = c;
         }
     }
 
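Review bot: with `l = c;` moved after the switch, `l` serves as the previous entry for every object-context type `i`, so it must be reset to NULL at the start of each outer iteration; the context shown does not include that initialisation, so please confirm `l = NULL` is set at the top of the per-type loop, otherwise the first iomemcon entry would be compared against the last ioportcon entry through a different member of the union.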
-- 
2.14.4


_______________________________________________
Xen-devel mailing list
Xen-devel@xxxxxxxxxxxxxxxxxxxx
https://lists.xenproject.org/mailman/listinfo/xen-devel
