On 03.08.2022 17:17, Daniel P. Smith wrote:
> Changes in v11:
> - put back dom0_created variable in flask_domain_create() to ensure the
>   enforcement that dom0_t is a singleton label

Stale patch or bad rev log?

> @@ -548,22 +556,19 @@ static int cf_check flask_domain_create(struct domain 
> *d, uint32_t ssidref)
>  {
>      int rc;
>      struct domain_security_struct *dsec = d->ssid;
> -    static int dom0_created = 0;

The variable is going away here, and it is not re-appearing elsewhere.

Jan

> -    if ( is_idle_domain(current->domain) && !dom0_created )
> -    {
> -        dsec->sid = SECINITSID_DOM0;
> -        dom0_created = 1;
> -    }
> -    else
> -    {
> -        rc = avc_current_has_perm(ssidref, SECCLASS_DOMAIN,
> -                          DOMAIN__CREATE, NULL);
> -        if ( rc )
> -            return rc;
> +    /*
> +     * If the null label is passed, then use the label from security context
> +     * allocation.
> +     */
> +    if ( ssidref == 0 )
> +        ssidref = dsec->sid;
>  
> -        dsec->sid = ssidref;
> -    }
> +    rc = avc_current_has_perm(ssidref, SECCLASS_DOMAIN, DOMAIN__CREATE, 
> NULL);
> +    if ( rc )
> +        return rc;
> +
> +    dsec->sid = ssidref;
>      dsec->self_sid = dsec->sid;
>  
>      rc = security_transition_sid(dsec->sid, dsec->sid, SECCLASS_DOMAIN,
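
Review bot: the deletion of `static int dom0_created = 0;` at the top of flask_domain_create() contradicts the v11 changelog entry, which says the variable was put back to enforce that dom0_t is a singleton label. With the `is_idle_domain(current->domain) && !dom0_created` branch also removed, nothing in the visible hunk assigns SECINITSID_DOM0 or limits it to one domain. Either restore the guard in this function or correct the changelog and state where the singleton property is now enforced. Separately, `avc_current_has_perm()` now runs unconditionally, including on the path where the idle domain is the creator and the check was previously skipped, and in the `if ( ssidref == 0 )` case it is evaluated against the label taken from `dsec->sid`. The comment above that branch should say which label allocation is expected to have set, and that the permission check applies to it.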

