Re: [Xen-devel] [PATCH v2] flask: sort io{port,mem}con entries
> -Daniel De Graaf wrote: -
> To: xen-devel@lists.xenproject.org, Nicolas Poirot
> From: Daniel De Graaf
> Date: 05/10/2018 18:33
> Cc: George Dunlap , Jan Beulich ,
> Daniel De Graaf
> Subject: [PATCH v2] flask: sort io{port,mem}con entries
>
> These entries are not always sorted by checkpolicy, so sort them during
> policy load (as is already done for later ocontext additions).
>
> Reported-by: Nicolas Poirot
> Signed-off-by: Daniel De Graaf
> ---
> xen/xsm/flask/ss/policydb.c | 35 +--
> 1 file changed, 29 insertions(+), 6 deletions(-)
>
> diff --git a/xen/xsm/flask/ss/policydb.c b/xen/xsm/flask/ss/policydb.c
> index 3a12d96ef9..9426164353 100644
> --- a/xen/xsm/flask/ss/policydb.c
> +++ b/xen/xsm/flask/ss/policydb.c
> @@ -1737,7 +1737,7 @@ int policydb_read(struct policydb *p, void *fp)
> {
> struct role_allow *ra, *lra;
> struct role_trans *tr, *ltr;
> -struct ocontext *l, *c /*, *newc*/;
> +struct ocontext *l, *c, **pn;
> int i, j, rc;
> __le32 buf[8];
> u32 len, /*len2,*/ config, nprim, nel /*, nel2*/;
> @@ -1994,6 +1994,7 @@ int policydb_read(struct policydb *p, void *fp)
> if ( rc < 0 )
> goto bad;
> nel = le32_to_cpu(buf[0]);
> +pn = >ocontexts[i];
> l = NULL;
> for ( j = 0; j < nel; j++ )
> {
> @@ -2003,11 +2004,6 @@ int policydb_read(struct policydb *p, void *fp)
> rc = -ENOMEM;
> goto bad;
> }
> -if ( l )
> -l->next = c;
> -else
> -p->ocontexts[i] = c;
> -l = c;
> rc = -EINVAL;
> switch ( i )
> {
> @@ -2050,6 +2046,18 @@ int policydb_read(struct policydb *p, void *fp)
> rc = context_read_and_validate(>context, p, fp);
> if ( rc )
> goto bad;
> +
> +if ( *pn || ( l && l->u.ioport.high_ioport >=
> c->u.ioport.low_ioport ) )
> +{
> +pn = >ocontexts[i];
> +l = *pn;
> +while ( l && l->u.ioport.high_ioport <
> c->u.ioport.low_ioport ) {
> +pn = >next;
> +l = *pn;
> +}
> +c->next = l;
> +}
> +l = c;
> break;
> case OCON_IOMEM:
> if ( p->target_type != TARGET_XEN )
> @@ -2078,6 +2086,18 @@ int policydb_read(struct policydb *p, void *fp)
> rc = context_read_and_validate(>context, p, fp);
> if ( rc )
> goto bad;
> +
> +if ( *pn || ( l && l->u.iomem.high_iomem >=
> c->u.iomem.low_iomem ) )
> +{
> +pn = >ocontexts[i];
> +l = *pn;
> +while ( l && l->u.iomem.high_iomem <
> c->u.iomem.low_iomem ) {
> +pn = >next;
> +l = *pn;
> +}
> +c->next = l;
> +}
> +l = c;
> break;
> case OCON_DEVICE:
> if ( p->target_type != TARGET_XEN )
> @@ -2123,6 +2143,9 @@ int policydb_read(struct policydb *p, void *fp)
> rc = -EINVAL;
> goto bad;
> }
> +
> +*pn = c;
> +pn = >next;
> }
> }
>
> --
> 2.14.4
Tested on the same conditions as the previous patch, looks good. Thank you.
Tested-by: Nicolas Poirot
Reviewed-by: Nicolas Poirot
1 ___ Xen-devel mailing list Xen-devel@lists.xenproject.org https://lists.xenproject.org/mailman/listinfo/xen-devel
Re: [Xen-devel] [PATCH v2] flask: sort io{port,mem}con entries
> -Daniel De Graaf wrote: -
> To: xen-devel@lists.xenproject.org, Nicolas Poirot
> From: Daniel De Graaf
> Date: 10/05/2018 06:33PM
> Cc: George Dunlap , Jan Beulich ,
> Daniel De Graaf
> Subject: [PATCH v2] flask: sort io{port,mem}con entries
>
> These entries are not always sorted by checkpolicy, so sort them during
> policy load (as is already done for later ocontext additions).
>
> Reported-by: Nicolas Poirot
> Signed-off-by: Daniel De Graaf
> ---
> xen/xsm/flask/ss/policydb.c | 35 +--
> 1 file changed, 29 insertions(+), 6 deletions(-)
>
> diff --git a/xen/xsm/flask/ss/policydb.c b/xen/xsm/flask/ss/policydb.c
> index 3a12d96ef9..9426164353 100644
> --- a/xen/xsm/flask/ss/policydb.c
> +++ b/xen/xsm/flask/ss/policydb.c
> @@ -1737,7 +1737,7 @@ int policydb_read(struct policydb *p, void *fp)
> {
> struct role_allow *ra, *lra;
> struct role_trans *tr, *ltr;
> - struct ocontext *l, *c /*, *newc*/;
> + struct ocontext *l, *c, **pn;
> int i, j, rc;
> __le32 buf[8];
> u32 len, /*len2,*/ config, nprim, nel /*, nel2*/;
> @@ -1994,6 +1994,7 @@ int policydb_read(struct policydb *p, void *fp)
> if ( rc < 0 )
> goto bad;
> nel = le32_to_cpu(buf[0]);
> + pn = >ocontexts[i];
> l = NULL;
> for ( j = 0; j < nel; j++ )
> {
> @@ -2003,11 +2004,6 @@ int policydb_read(struct policydb *p, void *fp)
> rc = -ENOMEM;
> goto bad;
> }
> - if ( l )
> - l->next = c;
> - else
> - p->ocontexts[i] = c;
> - l = c;
> rc = -EINVAL;
> switch ( i )
> {
> @@ -2050,6 +2046,18 @@ int policydb_read(struct policydb *p, void *fp)
> rc = context_read_and_validate(>context, p, fp);
> if ( rc )
> goto bad;
> +
> + if ( *pn || ( l && l->u.ioport.high_ioport >=
> c->u.ioport.low_ioport ) )
> + {
> + pn = >ocontexts[i];
> + l = *pn;
> + while ( l && l->u.ioport.high_ioport <
> c->u.ioport.low_ioport ) {
> + pn = >next;
> + l = *pn;
> + }
> + c->next = l;
> + }
> + l = c;
> break;
> case OCON_IOMEM:
> if ( p->target_type != TARGET_XEN )
> @@ -2078,6 +2086,18 @@ int policydb_read(struct policydb *p, void *fp)
> rc = context_read_and_validate(>context, p, fp);
> if ( rc )
> goto bad;
> +
> + if ( *pn || ( l && l->u.iomem.high_iomem >=
> c->u.iomem.low_iomem ) )
> + {
> + pn = >ocontexts[i];
> + l = *pn;
> + while ( l && l->u.iomem.high_iomem <
> c->u.iomem.low_iomem ) {
> + pn = >next;
> + l = *pn;
> + }
> + c->next = l;
> + }
> + l = c;
> break;
> case OCON_DEVICE:
> if ( p->target_type != TARGET_XEN )
> @@ -2123,6 +2143,9 @@ int policydb_read(struct policydb *p, void *fp)
> rc = -EINVAL;
> goto bad;
> }
> +
> + *pn = c;
> + pn = >next;
> }
> }
>
> --
> 2.14.4
Tested in the same conditions as the previous patch, looks good. Thank you.
Tested-by: Nicolas Poirot
Reviewed-by: Nicolas Poirot
1 ___ Xen-devel mailing list Xen-devel@lists.xenproject.org https://lists.xenproject.org/mailman/listinfo/xen-devel
[Xen-devel] [PATCH v2] flask: sort io{port,mem}con entries
These entries are not always sorted by checkpolicy, so sort them during
policy load (as is already done for later ocontext additions).

Reported-by: Nicolas Poirot
Signed-off-by: Daniel De Graaf
---
 xen/xsm/flask/ss/policydb.c | 35 +--
 1 file changed, 29 insertions(+), 6 deletions(-)

diff --git a/xen/xsm/flask/ss/policydb.c b/xen/xsm/flask/ss/policydb.c
index 3a12d96ef9..9426164353 100644
--- a/xen/xsm/flask/ss/policydb.c
+++ b/xen/xsm/flask/ss/policydb.c
@@ -1737,7 +1737,7 @@ int policydb_read(struct policydb *p, void *fp)
 {
 struct role_allow *ra, *lra;
 struct role_trans *tr, *ltr;
-struct ocontext *l, *c /*, *newc*/;
+struct ocontext *l, *c, **pn;
 int i, j, rc;
 __le32 buf[8];
 u32 len, /*len2,*/ config, nprim, nel /*, nel2*/;
@@ -1994,6 +1994,7 @@ int policydb_read(struct policydb *p, void *fp)
 if ( rc < 0 )
 goto bad;
 nel = le32_to_cpu(buf[0]);
+pn = >ocontexts[i];
 l = NULL;
 for ( j = 0; j < nel; j++ )
 {
@@ -2003,11 +2004,6 @@ int policydb_read(struct policydb *p, void *fp)
 rc = -ENOMEM;
 goto bad;
 }
-if ( l )
-l->next = c;
-else
-p->ocontexts[i] = c;
-l = c;
 rc = -EINVAL;
 switch ( i )
 {
@@ -2050,6 +2046,18 @@ int policydb_read(struct policydb *p, void *fp)
 rc = context_read_and_validate(>context, p, fp);
 if ( rc )
 goto bad;
+
+if ( *pn || ( l && l->u.ioport.high_ioport >= c->u.ioport.low_ioport ) )
+{
+pn = >ocontexts[i];
+l = *pn;
+while ( l && l->u.ioport.high_ioport < c->u.ioport.low_ioport ) {
+pn = >next;
+l = *pn;
+}
+c->next = l;
+}
+l = c;
 break;
 case OCON_IOMEM:
 if ( p->target_type != TARGET_XEN )
@@ -2078,6 +2086,18 @@ int policydb_read(struct policydb *p, void *fp)
 rc = context_read_and_validate(>context, p, fp);
 if ( rc )
 goto bad;
+
+if ( *pn || ( l && l->u.iomem.high_iomem >= c->u.iomem.low_iomem ) )
+{
+pn = >ocontexts[i];
+l = *pn;
+while ( l && l->u.iomem.high_iomem < c->u.iomem.low_iomem ) {
+pn = >next;
+l = *pn;
+}
+c->next = l;
+}
+l = c;
 break;
 case OCON_DEVICE:
 if ( p->target_type != TARGET_XEN )
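Review bot: The insertion logic added in the @@ -2050 hunk (and repeated verbatim for iomem in @@ -2078) carries no comment, and the rescan trigger `*pn || ( l && l->u.ioport.high_ioport >= c->u.ioport.low_ioport )` is not obvious: `*pn` is non-NULL only after a previous entry was spliced into the middle of the list, and the second operand catches an entry that does not extend past the current tail (including overlaps), so both cases restart the walk from p->ocontexts[i]. I would put `/* Keep the list ordered by range: append after the tail when c sorts after it, otherwise rescan from the head for the insertion point. */` above the if in both hunks. As a point of style, the new `while ( ... ) {` places the brace on the same line, unlike the `+{` two lines above and the rest of policydb_read; the surrounding function starts and ends outside these hunks.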
@@ -2123,6 +2143,9 @@ int policydb_read(struct policydb *p, void *fp)
 rc = -EINVAL;
 goto bad;
 }
+
+*pn = c;
+pn = >next;
 }
 }
 
-- 
2.14.4
___ Xen-devel mailing list Xen-devel@lists.xenproject.org https://lists.xenproject.org/mailman/listinfo/xen-devel
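Review bot: Deferring the link to `*pn = c;` at the bottom of the loop body means every `goto bad` taken inside the switch — the `if ( rc ) goto bad;` after context_read_and_validate() in the @@ -2050 and @@ -2078 hunks, and the `rc = -EINVAL; goto bad;` at the top of this hunk — now leaves the freshly allocated c unreachable from p->ocontexts[i], whereas the removed code linked c before the switch so the error path could free it through the list. Unless `bad:` (outside these hunks) frees the unlinked node separately, a malformed policy leaks one ocontext plus whatever context_read_and_validate() allocated into it per failed load; since policy load is a privileged operation the impact is a bounded leak rather than anything worse, but the original code avoided it. The smallest fix is to keep the provisional link (set `*pn = c;` right after the allocation succeeds and only re-home c in the rescan branch), or to add a label before `bad:` that destroys c; either way the loop body and `bad:` continue outside this hunk.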