summaryrefslogtreecommitdiffstats
path: root/security/selinux
diff options
context:
space:
mode:
authorStephen Smalley <sds@tycho.nsa.gov>2008-06-09 16:03:56 -0400
committerJames Morris <jmorris@namei.org>2008-07-14 15:01:59 +1000
commit22df4adb049a5cbb340dd935f5bbfa1ab3947562 (patch)
tree28dead43dd9eb81768e143ced4e9cd45c6a0246f /security/selinux
parent89abd0acf0335f3f760a3c0698d43bb1eaa83e44 (diff)
downloadkernel-crypto-22df4adb049a5cbb340dd935f5bbfa1ab3947562.tar.gz
kernel-crypto-22df4adb049a5cbb340dd935f5bbfa1ab3947562.tar.xz
kernel-crypto-22df4adb049a5cbb340dd935f5bbfa1ab3947562.zip
selinux: change handling of invalid classes (Was: Re: 2.6.26-rc5-mm1 selinux whine)
On Mon, 2008-06-09 at 01:24 -0700, Andrew Morton wrote: > Getting a few of these with FC5: > > SELinux: context_struct_compute_av: unrecognized class 69 > SELinux: context_struct_compute_av: unrecognized class 69 > > one came out when I logged in. > > No other symptoms, yet. Change handling of invalid classes by SELinux, reporting class values unknown to the kernel as errors (w/ ratelimit applied) and handling class values unknown to policy as normal denials. Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov> Acked-by: Eric Paris <eparis@redhat.com> Signed-off-by: James Morris <jmorris@namei.org>
Diffstat (limited to 'security/selinux')
-rw-r--r--security/selinux/ss/services.c16
1 files changed, 13 insertions, 3 deletions
diff --git a/security/selinux/ss/services.c b/security/selinux/ss/services.c
index 543fd0f31b3..04c0b70c801 100644
--- a/security/selinux/ss/services.c
+++ b/security/selinux/ss/services.c
@@ -407,9 +407,19 @@ static int context_struct_compute_av(struct context *scontext,
return 0;
inval_class:
- printk(KERN_ERR "SELinux: %s: unrecognized class %d\n", __func__,
- tclass);
- return -EINVAL;
+ if (!tclass || tclass > kdefs->cts_len ||
+ !kdefs->class_to_string[tclass]) {
+ if (printk_ratelimit())
+ printk(KERN_ERR "SELinux: %s: unrecognized class %d\n",
+ __func__, tclass);
+ return -EINVAL;
+ }
+
+ /*
+ * Known to the kernel, but not to the policy.
+ * Handle as a denial (allowed is 0).
+ */
+ return 0;
}
/*