
[Xen-devel] [PATCH v2] flask: sort io{port,mem}con entries


  • To: xen-devel@xxxxxxxxxxxxxxxxxxxx, Nicolas Poirot <nicolas.poirot@xxxxxxxxx>
  • From: Daniel De Graaf <dgdegra@xxxxxxxxxxxxx>
  • Date: Fri, 5 Oct 2018 12:33:11 -0400
  • Cc: George Dunlap <dunlapg@xxxxxxxxx>, Daniel De Graaf <dgdegra@xxxxxxxxxxxxx>, Jan Beulich <JBeulich@xxxxxxxx>
  • Delivery-date: Fri, 05 Oct 2018 16:33:31 +0000
  • List-id: Xen developer discussion <xen-devel.lists.xenproject.org>

These entries are not always sorted by checkpolicy, so sort them during
policy load (as is already done for later ocontext additions).

Reported-by: Nicolas Poirot <nicolas.poirot@xxxxxxxxx>
Signed-off-by: Daniel De Graaf <dgdegra@xxxxxxxxxxxxx>
---
 xen/xsm/flask/ss/policydb.c | 35 +++++++++++++++++++++++++++++------
 1 file changed, 29 insertions(+), 6 deletions(-)

diff --git a/xen/xsm/flask/ss/policydb.c b/xen/xsm/flask/ss/policydb.c
index 3a12d96ef9..9426164353 100644
--- a/xen/xsm/flask/ss/policydb.c
+++ b/xen/xsm/flask/ss/policydb.c
@@ -1737,7 +1737,7 @@ int policydb_read(struct policydb *p, void *fp)
 {
     struct role_allow *ra, *lra;
     struct role_trans *tr, *ltr;
-    struct ocontext *l, *c /*, *newc*/;
+    struct ocontext *l, *c, **pn;
     int i, j, rc;
     __le32 buf[8];
     u32 len, /*len2,*/ config, nprim, nel /*, nel2*/;
@@ -1994,6 +1994,7 @@ int policydb_read(struct policydb *p, void *fp)
         if ( rc < 0 )
             goto bad;
         nel = le32_to_cpu(buf[0]);
+        pn = &p->ocontexts[i];
         l = NULL;
         for ( j = 0; j < nel; j++ )
         {
@@ -2003,11 +2004,6 @@ int policydb_read(struct policydb *p, void *fp)
                 rc = -ENOMEM;
                 goto bad;
             }
-            if ( l )
-                l->next = c;
-            else
-                p->ocontexts[i] = c;
-            l = c;
             rc = -EINVAL;
             switch ( i )
             {
@@ -2050,6 +2046,18 @@ int policydb_read(struct policydb *p, void *fp)
                 rc = context_read_and_validate(&c->context, p, fp);
                 if ( rc )
                     goto bad;
+
+                if ( *pn || ( l && l->u.ioport.high_ioport >= 
c->u.ioport.low_ioport ) )
+                {
+                    pn = &p->ocontexts[i];
+                    l = *pn;
+                    while ( l && l->u.ioport.high_ioport < 
c->u.ioport.low_ioport ) {
+                        pn = &l->next;
+                        l = *pn;
+                    }
+                    c->next = l;
+                }
+                l = c;
                 break;
             case OCON_IOMEM:
                 if ( p->target_type != TARGET_XEN )
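Review bot: The reorder test `if ( *pn || ( l && l->u.ioport.high_ioport >= c->u.ioport.low_ioport ) )` treats an entry that overlaps its predecessor exactly like one that is merely out of order, so overlapping ioportcon ranges are accepted and placed ahead of the entry they overlap instead of being ordered by low_ioport (constructed example: [10,20] followed by [15,30] yields the list 15-30, 10-20). If lookups over this list assume disjoint sorted ranges, as the commit message says the later ocontext add path maintains, the load could reject overlap right after the walk, before `c->next = l;`: `if ( l && l->u.ioport.low_ioport <= c->u.ioport.high_ioport ) { rc = -EINVAL; goto bad; }` (the element before l already satisfies high < c->low, so only l needs checking). The iomem hunk below has the same shape and would want the same check. Note also that once any entry has been reordered `*pn` stays non-NULL for the rest of the table, so every later entry walks from the head; acceptable for small tables but worth a comment. policydb_read continues outside this hunk.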
@@ -2078,6 +2086,18 @@ int policydb_read(struct policydb *p, void *fp)
                 rc = context_read_and_validate(&c->context, p, fp);
                 if ( rc )
                     goto bad;
+
+                if ( *pn || ( l && l->u.iomem.high_iomem >= 
c->u.iomem.low_iomem ) )
+                {
+                    pn = &p->ocontexts[i];
+                    l = *pn;
+                    while ( l && l->u.iomem.high_iomem < c->u.iomem.low_iomem 
) {
+                        pn = &l->next;
+                        l = *pn;
+                    }
+                    c->next = l;
+                }
+                l = c;
                 break;
             case OCON_DEVICE:
                 if ( p->target_type != TARGET_XEN )
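Review bot: `while ( l && l->u.iomem.high_iomem < c->u.iomem.low_iomem ) {` puts the opening brace on the statement line, while the surrounding code and the `if` two lines above put `{` on its own line; the ioport hunk's `while` has the same brace placement. The walk is otherwise a verbatim copy of the ioport one, differing only in which union member is compared, so a small static helper that takes the new entry and a per-type "l ends before c starts" predicate would keep the two insertions from drifting apart.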
@@ -2123,6 +2143,9 @@ int policydb_read(struct policydb *p, void *fp)
                 rc = -EINVAL;
                 goto bad;
             }
+
+            *pn = c;
+            pn = &c->next;
         }
     }
 
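Review bot: Linking only at `*pn = c;` after the switch means every `goto bad` taken inside the switch — the `rc = -EINVAL; goto bad;` just above, and the context_read_and_validate failures in the ioport and iomem hunks — now runs with c allocated but not reachable from p->ocontexts[i], whereas the removed `l->next = c` / `p->ocontexts[i] = c` lines linked it before any field was read; unless the bad: label (outside the hunk) releases it some other way, a malformed policy now leaks the pending entry. One fix that leaves the existing sites alone is a second label ahead of bad: used from inside the loop, `bad_free: xfree(c);` falling through into `bad:`, with the in-loop jumps retargeted to it. Appending also relies on c->next already being NULL, since the new code only assigns c->next in the reorder branch; that holds if the allocation above the switch is zeroing, which cannot be confirmed from the hunk. policydb_read continues past this hunk.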
-- 
2.14.4

