[RFC PATCH v2 17/22] selinux: reorder policydb_index()
From: Christian Göttsche
Date: Mon Dec 16 2024 - 11:47:32 EST
From: Christian Göttsche <cgzones@xxxxxxxxxxxxxx>
Index as soon as possible to enable isvalid() checks to fail on gaps.
Signed-off-by: Christian Göttsche <cgzones@xxxxxxxxxxxxxx>
---
security/selinux/ss/policydb.c | 11 ++++++-----
1 file changed, 6 insertions(+), 5 deletions(-)
diff --git a/security/selinux/ss/policydb.c b/security/selinux/ss/policydb.c
index b4381a0b93f6..348cbe36502e 100644
--- a/security/selinux/ss/policydb.c
+++ b/security/selinux/ss/policydb.c
@@ -728,7 +728,6 @@ static int policydb_index(struct policydb *p)
pr_debug("SELinux: %d classes, %d rules\n", p->p_classes.nprim,
p->te_avtab.nel);
- avtab_hash_eval(&p->te_avtab, "rules");
symtab_hash_eval(p->symtab);
p->class_val_to_struct = kcalloc(p->p_classes.nprim,
@@ -2791,6 +2790,10 @@ int policydb_read(struct policydb *p, struct policy_file *fp)
p->symtab[i].nprim = nprim;
}
+ rc = policydb_index(p);
+ if (rc)
+ goto bad;
+
rc = -EINVAL;
p->process_class = string_to_security_class(p, "process");
if (!p->process_class) {
@@ -2802,6 +2805,8 @@ int policydb_read(struct policydb *p, struct policy_file *fp)
if (rc)
goto bad;
+ avtab_hash_eval(&p->te_avtab, "rules");
+
if (p->policyvers >= POLICYDB_VERSION_BOOL) {
rc = cond_read_list(p, fp);
if (rc)
@@ -2898,10 +2903,6 @@ int policydb_read(struct policydb *p, struct policy_file *fp)
if (rc)
goto bad;
- rc = policydb_index(p);
- if (rc)
- goto bad;
-
rc = -EINVAL;
perm = string_to_av_perm(p, p->process_class, "transition");
if (!perm) {
--
2.45.2