Venkat Yekkirala wrote:
> +/*
> + * security_sid_compare() - compares two given sid contexts.
> + * Returns 1 if they are equal, 0 otherwise.
> + */
> +int security_sid_compare(u32 sid1, u32 sid2)
> +{
> + struct context *context1;
> + struct context *context2;
> + int rc;
> +
> + if (!ss_initialized)
> + return 1;
> +
> + if (sid1 == sid2)
> + return 1;
> + else if (sid1 > SECINITSID_NUM && sid2 > SECINITSID_NUM)
> + return 0;
> +
> + /* explicit comparison in order */
> +
> + POLICY_RDLOCK;
> + context1 = sidtab_search(&sidtab, sid1);
> + if (!context1) {
> + printk(KERN_ERR "security_sid_compare: unrecognized SID "
> + "%u\n", sid1);
> + rc = 0;
> + goto out_unlock;
> + }
> +
> + context2 = sidtab_search(&sidtab, sid2);
> + if (!context2) {
> + printk(KERN_ERR "security_sid_compare: unrecognized SID "
> + "%u\n", sid2);
> + rc = 0;
> + goto out_unlock;
> + }
> +
> + rc = context_cmp(context1, context2);
> +
> +out_unlock:
> + POLICY_RDUNLOCK;
> + return rc;
> +}
I understand wanting a generic LSM interface to do secid token comparisons, but
in the SELinux implementation of this function I think we can get away with only
a simple "sid1 == sid2" since the security server shouldn't be creating
duplicate SID/secid values for identical contexts, I think. Did you run into
something in testing that would indicate otherwise?
--
paul moore
linux security @ hp
-
To unsubscribe from this list: send the line "unsubscribe netdev" in
the body of a message to [EMAIL PROTECTED]
More majordomo info at http://vger.kernel.org/majordomo-info.html
