From: Richard W.M. Jones rjo...@redhat.com
According to Eric Paris, this is slightly more efficient because it
only loads the regular expressions in libselinux once, instead of on every lookup.
---
src/security/security_selinux.c | 129 ++--
1 file changed, 83 insertions(+), 46 deletions(-)
diff --git a/src/security/security_selinux.c b/src/security/security_selinux.c
index a3ef728..d1f80b2 100644
--- a/src/security/security_selinux.c
+++ b/src/security/security_selinux.c
@@ -63,6 +63,9 @@ struct _virSecuritySELinuxData {
char *content_context;
virHashTablePtr mcs;
bool skipAllLabel;
+#if HAVE_SELINUX_LABEL_H
+struct selabel_handle *label_handle;
+#endif
};
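Review bot: The new `label_handle` member has no comment stating its lifetime, which matters because it is now shared by every lookup made through this manager. The open happens in the LXC and QEMU `*Initialize` functions and the close in `virSecuritySELinuxSecurityDriverClose`, so a one-line comment on the field would save the next reader a search: `/* shared selabel handle; opened by *Initialize, closed by DriverClose */`.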
struct _virSecuritySELinuxCallbackData {
@@ -367,12 +370,21 @@ virSecuritySELinuxLXCInitialize(virSecurityManagerPtr mgr)
data-skipAllLabel = true;
+#if HAVE_SELINUX_LABEL_H
+data-label_handle = selabel_open(SELABEL_CTX_FILE, NULL, 0);
+if (!data-label_handle) {
+virReportSystemError(errno,
+ _(cannot open SELinux label_handle));
+return -1;
+}
+#endif
+
selinux_conf = virConfReadFile(selinux_lxc_contexts_path(), 0);
if (!selinux_conf) {
virReportSystemError(errno,
_(cannot open SELinux lxc contexts file '%s'),
selinux_lxc_contexts_path());
-return -1;
+goto error;
}
scon = virConfGetValue(selinux_conf, process);
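Review bot: The `selabel_open` block added here is duplicated byte-for-byte in the QEMU initializer (the hunk at `@@ -444,6 +459,15 @@`), including the error message; a small static helper taking the private data would keep the two initializers in step if the open ever needs extra flags or a different error path. While factoring it out, the message would read better as "cannot open SELinux label handle" rather than the field name, and — if I read libvirt's convention correctly — a literal message passed to `virReportSystemError` is normally preceded by a `"%s"` format so the syntax check does not flag it; please confirm against neighbouring call sites. The enclosing `virSecuritySELinuxLXCInitialize` starts and ends outside this hunk.
```c
/* Open the selabel handle shared by all lookups through this manager.
 * Returns 0 on success, -1 (error reported) on failure; a no-op when
 * libselinux's label API is unavailable. */
static int
virSecuritySELinuxOpenLabelHandle(virSecuritySELinuxDataPtr data)
{
#if HAVE_SELINUX_LABEL_H
    data->label_handle = selabel_open(SELABEL_CTX_FILE, NULL, 0);
    if (!data->label_handle) {
        virReportSystemError(errno, "%s",
                             _("cannot open SELinux label handle"));
        return -1;
    }
#endif
    return 0;
}

/* … in virSecuritySELinuxLXCInitialize, replacing the inline block … */
    if (virSecuritySELinuxOpenLabelHandle(data) < 0)
        return -1;
```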
@@ -418,6 +430,9 @@ virSecuritySELinuxLXCInitialize(virSecurityManagerPtr mgr)
return 0;
error:
+#if HAVE_SELINUX_LABEL_H
+selabel_close(data-label_handle);
+#endif
virConfFree(selinux_conf);
VIR_FREE(data-domain_context);
VIR_FREE(data-file_context);
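Review bot: After `selabel_close(data->label_handle)` on the `error:` path the pointer is left pointing at freed memory, whereas the surrounding `VIR_FREE` calls all reset their fields. If the security manager is later torn down through `virSecuritySELinuxSecurityDriverClose`, which closes the same handle unconditionally, that would be a double close of the handle; I cannot see from this hunk whether the driver close runs after a failed initialize, but resetting the field costs nothing: `selabel_close(data->label_handle);` followed by `data->label_handle = NULL;`. The same applies to the QEMU `error:` label in the hunk at `@@ -499,6 +523,9 @@`.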
@@ -444,6 +459,15 @@ virSecuritySELinuxQEMUInitialize(virSecurityManagerPtr mgr)
data-skipAllLabel = false;
+#if HAVE_SELINUX_LABEL_H
+data-label_handle = selabel_open(SELABEL_CTX_FILE, NULL, 0);
+if (!data-label_handle) {
+virReportSystemError(errno,
+ _(cannot open SELinux label_handle));
+return -1;
+}
+#endif
+
if (virFileReadAll(selinux_virtual_domain_context_path(), MAX_CONTEXT,
(data-domain_context)) 0) {
virReportSystemError(errno,
_(cannot read SELinux virtual domain context
file '%s'),
@@ -499,6 +523,9 @@ virSecuritySELinuxQEMUInitialize(virSecurityManagerPtr mgr)
return 0;
error:
+#if HAVE_SELINUX_LABEL_H
+selabel_close(data-label_handle);
+#endif
VIR_FREE(data-domain_context);
VIR_FREE(data-alt_domain_context);
VIR_FREE(data-file_context);
@@ -763,6 +790,10 @@
virSecuritySELinuxSecurityDriverClose(virSecurityManagerPtr mgr)
if (!data)
return 0;
+#if HAVE_SELINUX_LABEL_H
+selabel_close(data-label_handle);
+#endif
+
virHashFree(data-mcs);
VIR_FREE(data-domain_context);
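Review bot: `selabel_close(data->label_handle)` runs here without checking the handle, yet `label_handle` is still NULL whenever the private data exists but `selabel_open` failed (both initializers `return -1` right after the failed open, leaving the field unset) or when initialize was never reached. As far as I recall libselinux's `selabel_close` does not tolerate a NULL argument, so this would dereference NULL on that path; please guard it: `if (data->label_handle) selabel_close(data->label_handle);`. The enclosing function starts outside this hunk.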
@@ -937,18 +968,13 @@ virSecuritySELinuxFSetFilecon(int fd, char *tcon)
/* Set fcon to the appropriate label for path and mode, or return -1. */
static int
-getContext(const char *newpath, mode_t mode, security_context_t *fcon)
+getContext(virSecurityManagerPtr mgr,
+ const char *newpath, mode_t mode, security_context_t *fcon)
{
#if HAVE_SELINUX_LABEL_H
-struct selabel_handle *handle = selabel_open(SELABEL_CTX_FILE, NULL, 0);
-int ret;
-
-if (handle == NULL)
-return -1;
+virSecuritySELinuxDataPtr data = virSecurityManagerGetPrivateData(mgr);
-ret = selabel_lookup_raw(handle, fcon, newpath, mode);
-selabel_close(handle);
-return ret;
+return selabel_lookup_raw(data-label_handle, fcon, newpath, mode);
#else
return matchpathcon(newpath, mode, fcon);
#endif
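Review bot: In the `#else` branch the new `mgr` parameter is never used, since `matchpathcon` is called with only the path, mode and context; under libvirt's `-Wextra`/`-Werror` builds that is an unused-parameter error when `HAVE_SELINUX_LABEL_H` is not set. The signature should carry the project's marker as the neighbouring code does, `getContext(virSecurityManagerPtr mgr ATTRIBUTE_UNUSED,`. The comment above the function also no longer tells the whole story now that nothing is opened per call; I would extend it to say that the selabel handle is owned by the manager's private data and that `mgr` must have been initialized, since `data->label_handle` is passed to `selabel_lookup_raw` unchecked.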
@@ -958,7 +984,8 @@ getContext(const char *newpath, mode_t mode,
security_context_t *fcon)
/* This method shouldn't raise errors, since they'll overwrite
* errors that the caller(s) are already dealing with */
static int
-virSecuritySELinuxRestoreSecurityFileLabel(const char *path)
+virSecuritySELinuxRestoreSecurityFileLabel(virSecurityManagerPtr mgr,
+ const char *path)
{
struct stat buf;
security_context_t fcon = NULL;
@@ -980,7 +1007,7 @@ virSecuritySELinuxRestoreSecurityFileLabel(const char
*path)
goto err;
}
-if (getContext(newpath, buf.st_mode, fcon) 0) {
+if (getContext(mgr, newpath, buf.st_mode, fcon) 0) {
/* Any user created path likely does not have a default label,
* which makes this an expected non error
*/
@@ -997,7 +1024,7 @@ err:
}
static int
-virSecuritySELinuxRestoreSecurityImageLabelInt(virSecurityManagerPtr mgr
ATTRIBUTE_UNUSED,
+virSecuritySELinuxRestoreSecurityImageLabelInt(virSecurityManagerPtr mgr,
virDomainDefPtr def,
virDomainDiskDefPtr disk,