[RFC PATCH] selinux: ensure we clean up the internal AVC counters on error in avc_insert()
Paul Moore
paul at paul-moore.com
Tue Dec 10 01:54:43 UTC 2019
On Mon, Dec 9, 2019 at 8:53 PM Paul Moore <paul at paul-moore.com> wrote:
> In AVC insert we don't call avc_node_kill() when avc_xperms_populate()
> fails, resulting in the avc->avc_cache.active_nodes counter having a
> false value. This patch corrects this problem and does some cleanup
> in avc_insert() while we are there.
>
> Reported-by: rsiddoji at codeaurora.org
> Suggested-by: Stephen Smalley <sds at tycho.nsa.gov>
> Signed-off-by: Paul Moore <paul at paul-moore.com>
> ---
> security/selinux/avc.c | 51 +++++++++++++++++++++++-------------------------
> 1 file changed, 24 insertions(+), 27 deletions(-)
FYI, only compile-tested, thus the RFC.
--
paul moore
www.paul-moore.com