From 4c443d1b558b21520bd8fd6140b85cee0756becd Mon Sep 17 00:00:00 2001 From: Stephen Smalley Date: Mon, 16 May 2005 21:53:52 -0700 Subject: [PATCH] selinux: fix avc_alloc_node() oom with no policy loaded This patch should fix the avc_alloc_node() oom condition that Andrew reported when no policy is loaded in SELinux. Prior to this patch, when no policy was loaded, the SELinux "security server" (policy engine) was only returning allowed decisions for the requested permissions for each access check. This caused the cache to thrash when trying to use SELinux for real work with no policy loaded (typically, the no policy loaded state is only for bootstrapping to the point where we can load an initial policy). This patch changes the SELinux security server to return the complete allowed access vector at once, and then to reset the cache after the initial policy load to flush the initial cache state created during bootstrapping. Signed-off-by: Stephen Smalley Signed-off-by: James Morris Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds --- security/selinux/ss/services.c | 8 +++++--- 1 file changed, 5 insertions(+), 3 deletions(-) (limited to 'security') diff --git a/security/selinux/ss/services.c b/security/selinux/ss/services.c index 5a820cf88c9..8449d667b06 100644 --- a/security/selinux/ss/services.c +++ b/security/selinux/ss/services.c @@ -476,8 +476,8 @@ int security_compute_av(u32 ssid, int rc = 0; if (!ss_initialized) { - avd->allowed = requested; - avd->decided = requested; + avd->allowed = 0xffffffff; + avd->decided = 0xffffffff; avd->auditallow = 0; avd->auditdeny = 0xffffffff; avd->seqno = latest_granting; @@ -1196,9 +1196,11 @@ int security_load_policy(void *data, size_t len) } policydb_loaded_version = policydb.policyvers; ss_initialized = 1; - + seqno = ++latest_granting; LOAD_UNLOCK; selinux_complete_init(); + avc_ss_reset(seqno); + selnl_notify_policyload(seqno); return 0; } -- cgit v1.2.3