SELinux: deterministic ordering of range transition rules

Range transition rules are placed in the hash table in an (almost) arbitrary order. This patch inserts them in a fixed order to make policy retrival more predictable. Signed-off-by: N Eric Paris <eparis@redhat.com> Signed-off-by: N James Morris <jmorris@namei.org>

SELinux: deterministic ordering of range transition rules
Range transition rules are placed in the hash table in an (almost) arbitrary order. This patch inserts them in a fixed order to make policy retrival more predictable. Signed-off-by: N Eric Paris <eparis@redhat.com> Signed-off-by: N James Morris <jmorris@namei.org>
4419aae1 · Eric Paris · James Morris · b28efd54 · 4419aae1
隐藏空白更改
内联并排

Showing with 13 addition and 3 deletion

security/selinux/ss/policydb.c security/selinux/ss/policydb.c +13 -3

未找到文件。
--- a/security/selinux/ss/policydb.c
+++ b/security/selinux/ss/policydb.c
@@ -185,9 +185,19 @@ static u32 rangetr_hash(struct hashtab *h, const void *k)
 static int rangetr_cmp(struct hashtab *h, const void *k1, const void *k2)
 {
 	const struct range_trans *key1 = k1, *key2 = k2;
-	return (key1->source_type != key2->source_type ||
-		key1->target_type != key2->target_type ||
-		key1->target_class != key2->target_class);
+	int v;
+
+	v = key1->source_type - key2->source_type;
+	if (v)
+		return v;
+
+	v = key1->target_type - key2->target_type;
+	if (v)
+		return v;
+
+	v = key1->target_class - key2->target_class;
+
+	return v;
 }

 /*