    netlabel: fix the horribly broken catmap functions · 4b8feff2
    Paul Moore authored
    The NetLabel secattr catmap functions, and the SELinux import/export
    glue routines, were broken in many horrible ways and the SELinux glue
    code fiddled with the NetLabel catmap structures in ways that we
    probably shouldn't allow.  At some point this "worked", but that was
    likely due to a bit of dumb luck and sub-par testing (both inflicted
    by yours truly).  This patch corrects these problems by basically
    gutting the code in favor of something less obtuse and restoring the
    NetLabel abstractions in the SELinux catmap glue code.
    
    Everything is working now, and if it decides to break itself in the
    future this code will be much easier to debug than the code it
    replaces.
    
    One noteworthy side effect of the changes is that it is no longer
    necessary to allocate a NetLabel catmap before calling one of the
    NetLabel APIs to set a bit in the catmap.  NetLabel will automatically
    allocate the catmap nodes when needed, resulting in fewer allocations
    when the lowest bit is greater than 255 and less code in the LSMs.
    
    Cc: stable@vger.kernel.org
    Reported-by: Christian Evans <frodox@zoho.com>
    Signed-off-by: Paul Moore <pmoore@redhat.com>
    Tested-by: Casey Schaufler <casey@schaufler-ca.com>
netlabel.h 17.8 KB