On 8/3/22 11:26, Jan Beulich wrote:
> On 03.08.2022 17:17, Daniel P. Smith wrote:
>> Changes in v11:
>> - put back dom0_created variable in flask_domain_create() to ensure the
>>   enforcement that dom0_t is a singleton label
> 
> Stale patch or bad rev log?

Nope, having a bad day. Staged the change but didn't amend commit it
before my usual sequence of test and cut patch. My apologies.

>> @@ -548,22 +556,19 @@ static int cf_check flask_domain_create(struct domain 
>> *d, uint32_t ssidref)
>>  {
>>      int rc;
>>      struct domain_security_struct *dsec = d->ssid;
>> -    static int dom0_created = 0;
> 
> The variable is going away here, and it is not re-appearing elsewhere.
> 
> Jan
> 
>> -    if ( is_idle_domain(current->domain) && !dom0_created )
>> -    {
>> -        dsec->sid = SECINITSID_DOM0;
>> -        dom0_created = 1;
>> -    }
>> -    else
>> -    {
>> -        rc = avc_current_has_perm(ssidref, SECCLASS_DOMAIN,
>> -                          DOMAIN__CREATE, NULL);
>> -        if ( rc )
>> -            return rc;
>> +    /*
>> +     * If the null label is passed, then use the label from security context
>> +     * allocation.
>> +     */
>> +    if ( ssidref == 0 )
>> +        ssidref = dsec->sid;
>>  
>> -        dsec->sid = ssidref;
>> -    }
>> +    rc = avc_current_has_perm(ssidref, SECCLASS_DOMAIN, DOMAIN__CREATE, 
>> NULL);
>> +    if ( rc )
>> +        return rc;
>> +
>> +    dsec->sid = ssidref;
>>      dsec->self_sid = dsec->sid;
>>  
>>      rc = security_transition_sid(dsec->sid, dsec->sid, SECCLASS_DOMAIN,
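
Review bot: the removal of `static int dom0_created = 0;` at the top of flask_domain_create() leaves nothing in this hunk that limits SECINITSID_DOM0 to a single domain, which contradicts the v11 changelog entry about keeping dom0_t a singleton label. The new `if ( ssidref == 0 ) ssidref = dsec->sid;` fallback applies to every caller that passes the null label, not only to the first creation from the idle domain, so the only remaining gate is the DOMAIN__CREATE check from avc_current_has_perm(). Either restore the variable together with a check that rejects a second domain ending up with the dom0 SID, or correct the changelog. Note also that the idle-domain path no longer skips avc_current_has_perm(), so the commit message should state that the policy must allow the idle domain's label to create dom0.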
> 
