aboutsummaryrefslogtreecommitdiff
path: root/security/selinux/ss/services.c
diff options
context:
space:
mode:
authorEric Paris <eparis@redhat.com>2010-11-29 15:47:09 -0500
committerEric Paris <eparis@redhat.com>2010-11-30 17:28:57 -0500
commit23bdecb000c806cf4ec52764499a600f7200d7a9 (patch)
treef13a523f6bec22c5e7ec58ea02a4988aefe7c8ac /security/selinux/ss/services.c
parentc41ab6a1b9028de33e74101cb0aae13098a56fdb (diff)
selinux: convert type_val_to_struct to flex_array
In rawhide type_val_to_struct will allocate 26848 bytes, an order 3 allocations. While this hasn't been seen to fail it isn't outside the realm of possibiliy on systems with severe memory fragmentation. Convert to flex_array so no allocation will ever be bigger than PAGE_SIZE. Signed-off-by: Eric Paris <eparis@redhat.com>
Diffstat (limited to 'security/selinux/ss/services.c')
-rw-r--r--security/selinux/ss/services.c17
1 files changed, 12 insertions, 5 deletions
diff --git a/security/selinux/ss/services.c b/security/selinux/ss/services.c
index ab6dbce5fd2..afcbc19817f 100644
--- a/security/selinux/ss/services.c
+++ b/security/selinux/ss/services.c
@@ -530,12 +530,18 @@ static void type_attribute_bounds_av(struct context *scontext,
struct context lo_scontext;
struct context lo_tcontext;
struct av_decision lo_avd;
- struct type_datum *source
- = policydb.type_val_to_struct[scontext->type - 1];
- struct type_datum *target
- = policydb.type_val_to_struct[tcontext->type - 1];
+ struct type_datum *source;
+ struct type_datum *target;
u32 masked = 0;
+ source = flex_array_get_ptr(policydb.type_val_to_struct_array,
+ scontext->type - 1);
+ BUG_ON(!source);
+
+ target = flex_array_get_ptr(policydb.type_val_to_struct_array,
+ tcontext->type - 1);
+ BUG_ON(!target);
+
if (source->bounds) {
memset(&lo_avd, 0, sizeof(lo_avd));
@@ -828,7 +834,8 @@ int security_bounded_transition(u32 old_sid, u32 new_sid)
index = new_context->type;
while (true) {
- type = policydb.type_val_to_struct[index - 1];
+ type = flex_array_get_ptr(policydb.type_val_to_struct_array,
+ index - 1);
BUG_ON(!type);
/* not bounded anymore */