leandrof/linux
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

selinux: do not allocate ancillary buffer on first load

Browse Source 
In security_load_policy(), we can defer allocating the newpolicydb
ancillary array to after checking state->initialized, thereby avoiding
the pointless allocation when loading policy the first time.

Signed-off-by: Ondrej Mosnacek <omosnace@redhat.com>
[PM: merged portions by hand]
Reviewed-by: Stephen Smalley <sds@tycho.nsa.gov>
Signed-off-by: Paul Moore <paul@paul-moore.com>
This commit is contained in:
Ondrej Mosnacek
2020-01-16 13:04:34 +01:00
committed by Paul Moore
parent cb89e24658
commit dd89b9d9f3
1 changed files with 13 additions and 15 deletions
Download Patch File Download Diff File Expand all files Collapse all files

28
security/selinux/ss/services.c
View File

@@ -2183,26 +2183,17 @@ int security_load_policy(struct selinux_state *state, void *data, size_t len)
int rc = 0; int rc = 0;
struct policy_file file = { data, len }, *fp = &file; struct policy_file file = { data, len }, *fp = &file;
oldpolicydb = kcalloc(2, sizeof(*oldpolicydb), GFP_KERNEL);
if (!oldpolicydb) {
rc = -ENOMEM;
goto out;
}
newpolicydb = oldpolicydb + 1;
policydb = &state->ss->policydb; policydb = &state->ss->policydb;
newsidtab = kmalloc(sizeof(*newsidtab), GFP_KERNEL); newsidtab = kmalloc(sizeof(*newsidtab), GFP_KERNEL);
if (!newsidtab) { if (!newsidtab)
rc = -ENOMEM; return -ENOMEM;
goto out;
}
if (!selinux_initialized(state)) { if (!selinux_initialized(state)) {
rc = policydb_read(policydb, fp); rc = policydb_read(policydb, fp);
if (rc) { if (rc) {
kfree(newsidtab); kfree(newsidtab);
goto out; return rc;
} }
policydb->len = len; policydb->len = len;
@@ -2211,14 +2202,14 @@ int security_load_policy(struct selinux_state *state, void *data, size_t len)
if (rc) { if (rc) {
kfree(newsidtab); kfree(newsidtab);
policydb_destroy(policydb); policydb_destroy(policydb);
goto out; return rc;
} }
rc = policydb_load_isids(policydb, newsidtab); rc = policydb_load_isids(policydb, newsidtab);
if (rc) { if (rc) {
kfree(newsidtab); kfree(newsidtab);
policydb_destroy(policydb); policydb_destroy(policydb);
goto out; return rc;
} }
state->ss->sidtab = newsidtab; state->ss->sidtab = newsidtab;
@@ -2231,9 +2222,16 @@ int security_load_policy(struct selinux_state *state, void *data, size_t len)
selinux_status_update_policyload(state, seqno); selinux_status_update_policyload(state, seqno);
selinux_netlbl_cache_invalidate(); selinux_netlbl_cache_invalidate();
selinux_xfrm_notify_policyload(); selinux_xfrm_notify_policyload();
goto out; return 0;
} }
oldpolicydb = kcalloc(2, sizeof(*oldpolicydb), GFP_KERNEL);
if (!oldpolicydb) {
kfree(newsidtab);
return -ENOMEM;
}
newpolicydb = oldpolicydb + 1;
rc = policydb_read(newpolicydb, fp); rc = policydb_read(newpolicydb, fp);
if (rc) { if (rc) {
kfree(newsidtab); kfree(newsidtab);