On Tue, Oct 23, 2018 at 3:02 AM Ondrej Mosnacek omosnace@redhat.com wrote:
Do the LE conversions before doing the Infiniband-related range checks. The incorrect checks are otherwise causing a failure to load any policy with an ibendportcon rule on BE systems. This can be reproduced by running (on e.g. ppc64):
cat >my_module.cil <<EOF (type test_ibendport_t) (roletype object_r test_ibendport_t) (ibendportcon mlx4_0 1 (system_u object_r test_ibendport_t ((s0) (s0)))) EOF semodule -i my_module.cil
Also, fix loading/storing the 64-bit subnet prefix for OCON_IBPKEY to use a correctly aligned buffer.
Finally, do not use the 'nodebuf' (u32) buffer where 'buf' (__le32) should be used instead.
Tested internally on a ppc64 machine with a RHEL 7 kernel with this patch applied.
Cc: Daniel Jurgens danielj@mellanox.com Cc: Eli Cohen eli@mellanox.com Cc: James Morris jmorris@namei.org Cc: Doug Ledford dledford@redhat.com Cc: stable@vger.kernel.org # 4.13+ Fixes: a806f7a1616f ("selinux: Create policydb version for Infiniband support") Signed-off-by: Ondrej Mosnacek omosnace@redhat.com
security/selinux/ss/policydb.c | 51 ++++++++++++++++++++++++---------- 1 file changed, 36 insertions(+), 15 deletions(-)
Changes in v6:
- use U8_MAX as the limit for ibendport.port value to emphasize that it is an 8-bit value
Changes in v5:
- defer also assignment to 8-bit ibendport.port
Changes in v4:
- defer assignment to 16-bit struct fields to after the range check
Changes in v3:
- use separate buffer for the 64-bit subnet_prefix
- add comments on the byte ordering of subnet_prefix
- deduplicate the le32_to_cpu() calls from checks
Changes in v2:
- add reproducer to commit message
- update e-mail address of James Morris
- better Cc also the old SELinux ML
You know what they say: sixth time is the charm :)
Merged into selinux/next, thanks all.