[libvirt] [PATCH v3 2/2] selinux: Only create the selabel_handle once.

2013-01-24 Thread Richard W.M. Jones
From: Richard W.M. Jones rjo...@redhat.com

According to Eric Paris this is slightly more efficient because it
only loads the regular expressions in libselinux once.
---
 src/security/security_selinux.c | 129 ++--
 1 file changed, 83 insertions(+), 46 deletions(-)

diff --git a/src/security/security_selinux.c b/src/security/security_selinux.c
index a3ef728..d1f80b2 100644
--- a/src/security/security_selinux.c
+++ b/src/security/security_selinux.c
@@ -63,6 +63,9 @@ struct _virSecuritySELinuxData {
 char *content_context;
 virHashTablePtr mcs;
 bool skipAllLabel;
+#if HAVE_SELINUX_LABEL_H
+struct selabel_handle *label_handle;
+#endif
 };
 
 struct _virSecuritySELinuxCallbackData {
@@ -367,12 +370,21 @@ virSecuritySELinuxLXCInitialize(virSecurityManagerPtr mgr)
 
 data-skipAllLabel = true;
 
+#if HAVE_SELINUX_LABEL_H
+data-label_handle = selabel_open(SELABEL_CTX_FILE, NULL, 0);
+if (!data-label_handle) {
+virReportSystemError(errno,
+ _(cannot open SELinux label_handle));
+return -1;
+}
+#endif
+
 selinux_conf = virConfReadFile(selinux_lxc_contexts_path(), 0);
 if (!selinux_conf) {
 virReportSystemError(errno,
  _(cannot open SELinux lxc contexts file '%s'),
  selinux_lxc_contexts_path());
-return -1;
+goto error;
 }
 
 scon = virConfGetValue(selinux_conf, process);
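Review bot: The new user-facing error string `_(cannot open SELinux label_handle)` names a struct field rather than what failed; wording it in terms of the resource, e.g. `_("cannot open SELinux file context label handle")`, reads better in logs and matches the neighbouring "cannot open SELinux lxc contexts file" message. The same string is introduced in the virSecuritySELinuxQEMUInitialize hunk. The early `return -1` before any other resource is acquired is consistent with the rest of the function, so no cleanup is needed on that path. virSecuritySELinuxLXCInitialize continues outside this hunk.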
@@ -418,6 +430,9 @@ virSecuritySELinuxLXCInitialize(virSecurityManagerPtr mgr)
 return 0;
 
 error:
+#if HAVE_SELINUX_LABEL_H
+selabel_close(data-label_handle);
+#endif
 virConfFree(selinux_conf);
 VIR_FREE(data-domain_context);
 VIR_FREE(data-file_context);
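Review bot: The error label closes `data->label_handle` but leaves the stale pointer in the struct, so if the driver's close callback (the virSecuritySELinuxSecurityDriverClose hunk) is ever invoked after a failed initialize, `selabel_close` runs a second time on an already-closed handle; whether that callback is reached on initialize failure is not visible here, but `data->label_handle = NULL;` after the `selabel_close` call removes the question. The same applies to the error label in the virSecuritySELinuxQEMUInitialize hunk. The driver-close hunk also calls `selabel_close(data->label_handle)` unconditionally; when the `#if` branch is compiled but initialize failed before `selabel_open`, the handle is NULL, and whether `selabel_close` tolerates NULL depends on the libselinux version, so an `if (data->label_handle)` guard there is cheap insurance. The enclosing function continues outside the hunk.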
@@ -444,6 +459,15 @@ virSecuritySELinuxQEMUInitialize(virSecurityManagerPtr mgr)
 
 data-skipAllLabel = false;
 
+#if HAVE_SELINUX_LABEL_H
+data-label_handle = selabel_open(SELABEL_CTX_FILE, NULL, 0);
+if (!data-label_handle) {
+virReportSystemError(errno,
+ _(cannot open SELinux label_handle));
+return -1;
+}
+#endif
+
 if (virFileReadAll(selinux_virtual_domain_context_path(), MAX_CONTEXT, 
(data-domain_context))  0) {
 virReportSystemError(errno,
  _(cannot read SELinux virtual domain context 
file '%s'),
@@ -499,6 +523,9 @@ virSecuritySELinuxQEMUInitialize(virSecurityManagerPtr mgr)
 return 0;
 
 error:
+#if HAVE_SELINUX_LABEL_H
+selabel_close(data-label_handle);
+#endif
 VIR_FREE(data-domain_context);
 VIR_FREE(data-alt_domain_context);
 VIR_FREE(data-file_context);
@@ -763,6 +790,10 @@ 
virSecuritySELinuxSecurityDriverClose(virSecurityManagerPtr mgr)
 if (!data)
 return 0;
 
+#if HAVE_SELINUX_LABEL_H
+selabel_close(data-label_handle);
+#endif
+
 virHashFree(data-mcs);
 
 VIR_FREE(data-domain_context);
@@ -937,18 +968,13 @@ virSecuritySELinuxFSetFilecon(int fd, char *tcon)
 
 /* Set fcon to the appropriate label for path and mode, or return -1.  */
 static int
-getContext(const char *newpath, mode_t mode, security_context_t *fcon)
+getContext(virSecurityManagerPtr mgr,
+   const char *newpath, mode_t mode, security_context_t *fcon)
 {
 #if HAVE_SELINUX_LABEL_H
-struct selabel_handle *handle = selabel_open(SELABEL_CTX_FILE, NULL, 0);
-int ret;
-
-if (handle == NULL)
-return -1;
+virSecuritySELinuxDataPtr data = virSecurityManagerGetPrivateData(mgr);
 
-ret = selabel_lookup_raw(handle, fcon, newpath, mode);
-selabel_close(handle);
-return ret;
+return selabel_lookup_raw(data-label_handle, fcon, newpath, mode);
 #else
 return matchpathcon(newpath, mode, fcon);
 #endif
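Review bot: getContext dropped the `handle == NULL` check that the per-call `selabel_open` path had, and now passes `data->label_handle` straight to `selabel_lookup_raw`; any caller reaching it before the initialize callback stored a handle, or after an error label closed it, would use a NULL or freed handle. Keeping the documented "or return -1" contract only needs `if (!data->label_handle) return -1;` before the lookup. In the `#else` branch `mgr` is unused, so if the build warns on unused parameters the libvirt `ATTRIBUTE_UNUSED` annotation may be needed on that signature — cannot tell from here. The header comment on the line before the function could also state where the handle comes from, e.g. `/* Look up the default label for path/mode using mgr's selabel handle ... */`.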
@@ -958,7 +984,8 @@ getContext(const char *newpath, mode_t mode, 
security_context_t *fcon)
 /* This method shouldn't raise errors, since they'll overwrite
  * errors that the caller(s) are already dealing with */
 static int
-virSecuritySELinuxRestoreSecurityFileLabel(const char *path)
+virSecuritySELinuxRestoreSecurityFileLabel(virSecurityManagerPtr mgr,
+   const char *path)
 {
 struct stat buf;
 security_context_t fcon = NULL;
@@ -980,7 +1007,7 @@ virSecuritySELinuxRestoreSecurityFileLabel(const char 
*path)
 goto err;
 }
 
-if (getContext(newpath, buf.st_mode, fcon)  0) {
+if (getContext(mgr, newpath, buf.st_mode, fcon)  0) {
 /* Any user created path likely does not have a default label,
  * which makes this an expected non error
  */
@@ -997,7 +1024,7 @@ err:
 }
 
 static int
-virSecuritySELinuxRestoreSecurityImageLabelInt(virSecurityManagerPtr mgr 
ATTRIBUTE_UNUSED,
+virSecuritySELinuxRestoreSecurityImageLabelInt(virSecurityManagerPtr mgr,
virDomainDefPtr def,
virDomainDiskDefPtr disk,
   

Re: [libvirt] [PATCH v3 2/2] selinux: Only create the selabel_handle once.

2013-01-24 Thread Daniel P. Berrange
On Thu, Jan 24, 2013 at 10:10:58AM +, Richard W.M. Jones wrote:
 From: Richard W.M. Jones rjo...@redhat.com
 
 According to Eric Paris this is slightly more efficient because it
 only loads the regular expressions in libselinux once.
 ---
  src/security/security_selinux.c | 129 
 ++--
  1 file changed, 83 insertions(+), 46 deletions(-)
 
 diff --git a/src/security/security_selinux.c b/src/security/security_selinux.c
 index a3ef728..d1f80b2 100644
 --- a/src/security/security_selinux.c
 +++ b/src/security/security_selinux.c
 @@ -63,6 +63,9 @@ struct _virSecuritySELinuxData {
  char *content_context;
  virHashTablePtr mcs;
  bool skipAllLabel;
 +#if HAVE_SELINUX_LABEL_H
 +struct selabel_handle *label_handle;
 +#endif
  };
  
  struct _virSecuritySELinuxCallbackData {
 @@ -367,12 +370,21 @@ virSecuritySELinuxLXCInitialize(virSecurityManagerPtr 
 mgr)
  
  data-skipAllLabel = true;
  
 +#if HAVE_SELINUX_LABEL_H
 +data-label_handle = selabel_open(SELABEL_CTX_FILE, NULL, 0);
 +if (!data-label_handle) {
 +virReportSystemError(errno,
 + _(cannot open SELinux label_handle));

This is missing %s,

 +return -1;
 +}
 +#endif
 +
  selinux_conf = virConfReadFile(selinux_lxc_contexts_path(), 0);
  if (!selinux_conf) {
  virReportSystemError(errno,
   _(cannot open SELinux lxc contexts file '%s'),
   selinux_lxc_contexts_path());
 -return -1;
 +goto error;
  }
  
  scon = virConfGetValue(selinux_conf, process);
 @@ -418,6 +430,9 @@ virSecuritySELinuxLXCInitialize(virSecurityManagerPtr mgr)
  return 0;
  
  error:
 +#if HAVE_SELINUX_LABEL_H
 +selabel_close(data-label_handle);
 +#endif
  virConfFree(selinux_conf);
  VIR_FREE(data-domain_context);
  VIR_FREE(data-file_context);
 @@ -444,6 +459,15 @@ virSecuritySELinuxQEMUInitialize(virSecurityManagerPtr 
 mgr)
  
  data-skipAllLabel = false;
  
 +#if HAVE_SELINUX_LABEL_H
 +data-label_handle = selabel_open(SELABEL_CTX_FILE, NULL, 0);
 +if (!data-label_handle) {
 +virReportSystemError(errno,
 + _(cannot open SELinux label_handle));

This is missing %s,

Rest of the patch looks fine though.

Daniel
-- 
|: http://berrange.com  -o-http://www.flickr.com/photos/dberrange/ :|
|: http://libvirt.org  -o- http://virt-manager.org :|
|: http://autobuild.org   -o- http://search.cpan.org/~danberr/ :|
|: http://entangle-photo.org   -o-   http://live.gnome.org/gtk-vnc :|
