[RFC PATCH] selinux: ensure we cleanup the internal AVC counters on error in avc_insert()

Paul Moore paul at paul-moore.com
Tue Dec 10 01:54:43 UTC 2019

On Mon, Dec 9, 2019 at 8:53 PM Paul Moore <paul at paul-moore.com> wrote:
> In AVC insert we don't call avc_node_kill() when avc_xperms_populate()
> fails, resulting in the avc->avc_cache.active_nodes counter having a
> false value.  This patch corrects this problem and does some cleanup
> in avc_insert() while we are there.
> Reported-by: rsiddoji at codeaurora.org
> Suggested-by: Stephen Smalley <sds at tycho.nsa.gov>
> Signed-off-by: Paul Moore <paul at paul-moore.com>
> ---
>  security/selinux/avc.c |   51 +++++++++++++++++++++++-------------------------
>  1 file changed, 24 insertions(+), 27 deletions(-)

FYI, only compiled tested, thus the RFC.

paul moore

More information about the Linux-security-module-archive mailing list