Re: [RFC PATCH 1/3] selinux: refactor sidtab conversion

2018-11-21 Thread Ondrej Mosnacek
On Tue, Nov 20, 2018 at 10:47 PM Paul Moore  wrote:
> On Tue, Nov 13, 2018 at 8:53 AM Ondrej Mosnacek  wrote:
> > This is a purely cosmetic change that encapsulates the three-step sidtab
> > conversion logic (shutdown -> clone -> map) into a single function
> > defined in sidtab.c (as opposed to services.c).
> >
> > Signed-off-by: Ondrej Mosnacek 
> > ---
> >  security/selinux/ss/services.c | 22 +--
> >  security/selinux/ss/sidtab.c   | 50 --
> >  security/selinux/ss/sidtab.h   | 11 
> >  3 files changed, 42 insertions(+), 41 deletions(-)
>
> Merged into selinux/next with some whitespace fixes (inherited from
> code you cut n' pasted).  Please remember to run your patches through
> scripts/checkpatch.pl before submission.

Damn, I still haven't set up that commit hook... Done now, seems to
work fine. Sorry for not having done that sooner and thanks for
nagging me about it :)

-- 
Ondrej Mosnacek 
Associate Software Engineer, Security Technologies
Red Hat, Inc.


Re: [RFC PATCH 1/3] selinux: refactor sidtab conversion

2018-11-20 Thread Paul Moore
On Tue, Nov 13, 2018 at 8:53 AM Ondrej Mosnacek  wrote:
> This is a purely cosmetic change that encapsulates the three-step sidtab
> conversion logic (shutdown -> clone -> map) into a single function
> defined in sidtab.c (as opposed to services.c).
>
> Signed-off-by: Ondrej Mosnacek 
> ---
>  security/selinux/ss/services.c | 22 +--
>  security/selinux/ss/sidtab.c   | 50 --
>  security/selinux/ss/sidtab.h   | 11 
>  3 files changed, 42 insertions(+), 41 deletions(-)

Merged into selinux/next with some whitespace fixes (inherited from
code you cut n' pasted).  Please remember to run your patches through
scripts/checkpatch.pl before submission.

-- 
paul moore
www.paul-moore.com


Re: [RFC PATCH 1/3] selinux: refactor sidtab conversion

2018-11-13 Thread Stephen Smalley

On 11/13/18 8:52 AM, Ondrej Mosnacek wrote:

This is a purely cosmetic change that encapsulates the three-step sidtab
conversion logic (shutdown -> clone -> map) into a single function
defined in sidtab.c (as opposed to services.c).

Signed-off-by: Ondrej Mosnacek 


Acked-by: Stephen Smalley 


---
  security/selinux/ss/services.c | 22 +--
  security/selinux/ss/sidtab.c   | 50 --
  security/selinux/ss/sidtab.h   | 11 
  3 files changed, 42 insertions(+), 41 deletions(-)

diff --git a/security/selinux/ss/services.c b/security/selinux/ss/services.c
index 12e414394530..7337db24a6a8 100644
--- a/security/selinux/ss/services.c
+++ b/security/selinux/ss/services.c
@@ -1880,19 +1880,6 @@ int security_change_sid(struct selinux_state *state,
out_sid, false);
  }
  
-/* Clone the SID into the new SID table. */

-static int clone_sid(u32 sid,
-struct context *context,
-void *arg)
-{
-   struct sidtab *s = arg;
-
-   if (sid > SECINITSID_NUM)
-   return sidtab_insert(s, sid, context);
-   else
-   return 0;
-}
-
  static inline int convert_context_handle_invalid_context(
struct selinux_state *state,
struct context *context)
@@ -2186,13 +2173,6 @@ int security_load_policy(struct selinux_state *state, 
void *data, size_t len)
goto err;
}
  
-	/* Clone the SID table. */

-   sidtab_shutdown(sidtab);
-
-   rc = sidtab_map(sidtab, clone_sid, );
-   if (rc)
-   goto err;
-
/*
 * Convert the internal representations of contexts
 * in the new SID table.
@@ -2200,7 +2180,7 @@ int security_load_policy(struct selinux_state *state, 
void *data, size_t len)
args.state = state;
args.oldp = policydb;
args.newp = newpolicydb;
-   rc = sidtab_map(, convert_context, );
+   rc = sidtab_convert(sidtab, , convert_context, );
if (rc) {
pr_err("SELinux:  unable to convert the internal"
" representation of contexts in the new SID"
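Review bot: A failure inside the clone phase of sidtab_convert() (sidtab_insert() returning an error while copying the old table) now lands in the `if (rc)` branch after the replaced call and is reported with the "unable to convert the internal representation of contexts" message, whereas before the clone failure went to `err` without that message; from the log a reader can no longer distinguish a clone/allocation failure from a context conversion failure. Unless sidtab_convert() returns distinguishable codes for the two phases, the message should cover both, e.g. `pr_err("SELinux:  unable to clone or convert the SID table for the new policy\n");`. The `if (rc)` block and security_load_policy() continue outside the hunk, so whether the old sidtab is left in its shutdown state on that error path cannot be confirmed here. The same hunk appears again in the original posting further down.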
diff --git a/security/selinux/ss/sidtab.c b/security/selinux/ss/sidtab.c
index fd75a12fa8fc..e66a2ab3d1c2 100644
--- a/security/selinux/ss/sidtab.c
+++ b/security/selinux/ss/sidtab.c
@@ -116,11 +116,11 @@ struct context *sidtab_search_force(struct sidtab *s, u32 
sid)
return sidtab_search_core(s, sid, 1);
  }
  
-int sidtab_map(struct sidtab *s,

-  int (*apply) (u32 sid,
-struct context *context,
-void *args),
-  void *args)
+static int sidtab_map(struct sidtab *s,
+ int (*apply) (u32 sid,
+   struct context *context,
+   void *args),
+ void *args)
  {
int i, rc = 0;
struct sidtab_node *cur;
@@ -141,6 +141,37 @@ out:
return rc;
  }
  
+/* Clone the SID into the new SID table. */

+static int clone_sid(u32 sid, struct context *context, void *arg)
+{
+   struct sidtab *s = arg;
+
+   if (sid > SECINITSID_NUM)
+   return sidtab_insert(s, sid, context);
+   else
+   return 0;
+}
+
+int sidtab_convert(struct sidtab *s, struct sidtab *news,
+  int (*convert) (u32 sid,
+  struct context *context,
+  void *args),
+  void *args)
+{
+   unsigned long flags;
+   int rc;
+
+   spin_lock_irqsave(>lock, flags);
+   s->shutdown = 1;
+   spin_unlock_irqrestore(>lock, flags);
+
+   rc = sidtab_map(s, clone_sid, news);
+   if (rc)
+   return rc;
+
+   return sidtab_map(news, convert, args);
+}
+
  static void sidtab_update_cache(struct sidtab *s, struct sidtab_node *n, int 
loc)
  {
BUG_ON(loc >= SIDTAB_CACHE_LEN);
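Review bot: sidtab_convert() is a new exported function with no comment describing its contract, and it leaves `s->shutdown` set when the clone into `news` fails part-way (the `if (rc) return rc;` after the first sidtab_map()), which is a state the caller has to be told about. Suggest a block comment above it stating that it marks `s` as shut down, copies every SID above SECINITSID_NUM from `s` into `news`, then applies `convert` to each entry of `news`, and that on any error `s` stays shut down and `news` may be partially populated, so cleanup of `news` is the caller's job. clone_sid() is moved verbatim from services.c, but the reason the initial SIDs are skipped is not stated; if it is because `news` is expected to arrive already seeded with them, a one-line comment such as `/* Initial SIDs are expected to be present in news already; copy the rest. */` would save the next reader a trip to the caller (hedged: confirm against how `news` is initialized). Whether sidtab_map() itself takes the table lock while walking `s` after the shutdown flag is set is outside the hunk. The same hunk appears again in the original posting further down.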
@@ -295,12 +326,3 @@ void sidtab_set(struct sidtab *dst, struct sidtab *src)
dst->cache[i] = NULL;
spin_unlock_irqrestore(>lock, flags);
  }
-
-void sidtab_shutdown(struct sidtab *s)
-{
-   unsigned long flags;
-
-   spin_lock_irqsave(>lock, flags);
-   s->shutdown = 1;
-   spin_unlock_irqrestore(>lock, flags);
-}
diff --git a/security/selinux/ss/sidtab.h b/security/selinux/ss/sidtab.h
index a1a1d2617b6f..26c74fe7afc0 100644
--- a/security/selinux/ss/sidtab.h
+++ b/security/selinux/ss/sidtab.h
@@ -37,11 +37,11 @@ int sidtab_insert(struct sidtab *s, u32 sid, struct context 
*context);
  struct context *sidtab_search(struct sidtab *s, u32 sid);
  struct context *sidtab_search_force(struct sidtab *s, u32 sid);
  
-int sidtab_map(struct sidtab *s,

-  int (*apply) (u32 sid,
-struct context *context,
-void *args),
-  void *args);
+int sidtab_convert(struct sidtab *s, struct sidtab *news,

[RFC PATCH 1/3] selinux: refactor sidtab conversion

2018-11-13 Thread Ondrej Mosnacek
This is a purely cosmetic change that encapsulates the three-step sidtab
conversion logic (shutdown -> clone -> map) into a single function
defined in sidtab.c (as opposed to services.c).

Signed-off-by: Ondrej Mosnacek 
---
 security/selinux/ss/services.c | 22 +--
 security/selinux/ss/sidtab.c   | 50 --
 security/selinux/ss/sidtab.h   | 11 
 3 files changed, 42 insertions(+), 41 deletions(-)

diff --git a/security/selinux/ss/services.c b/security/selinux/ss/services.c
index 12e414394530..7337db24a6a8 100644
--- a/security/selinux/ss/services.c
+++ b/security/selinux/ss/services.c
@@ -1880,19 +1880,6 @@ int security_change_sid(struct selinux_state *state,
out_sid, false);
 }
 
-/* Clone the SID into the new SID table. */
-static int clone_sid(u32 sid,
-struct context *context,
-void *arg)
-{
-   struct sidtab *s = arg;
-
-   if (sid > SECINITSID_NUM)
-   return sidtab_insert(s, sid, context);
-   else
-   return 0;
-}
-
 static inline int convert_context_handle_invalid_context(
struct selinux_state *state,
struct context *context)
@@ -2186,13 +2173,6 @@ int security_load_policy(struct selinux_state *state, 
void *data, size_t len)
goto err;
}
 
-   /* Clone the SID table. */
-   sidtab_shutdown(sidtab);
-
-   rc = sidtab_map(sidtab, clone_sid, );
-   if (rc)
-   goto err;
-
/*
 * Convert the internal representations of contexts
 * in the new SID table.
@@ -2200,7 +2180,7 @@ int security_load_policy(struct selinux_state *state, 
void *data, size_t len)
args.state = state;
args.oldp = policydb;
args.newp = newpolicydb;
-   rc = sidtab_map(, convert_context, );
+   rc = sidtab_convert(sidtab, , convert_context, );
if (rc) {
pr_err("SELinux:  unable to convert the internal"
" representation of contexts in the new SID"
diff --git a/security/selinux/ss/sidtab.c b/security/selinux/ss/sidtab.c
index fd75a12fa8fc..e66a2ab3d1c2 100644
--- a/security/selinux/ss/sidtab.c
+++ b/security/selinux/ss/sidtab.c
@@ -116,11 +116,11 @@ struct context *sidtab_search_force(struct sidtab *s, u32 
sid)
return sidtab_search_core(s, sid, 1);
 }
 
-int sidtab_map(struct sidtab *s,
-  int (*apply) (u32 sid,
-struct context *context,
-void *args),
-  void *args)
+static int sidtab_map(struct sidtab *s,
+ int (*apply) (u32 sid,
+   struct context *context,
+   void *args),
+ void *args)
 {
int i, rc = 0;
struct sidtab_node *cur;
@@ -141,6 +141,37 @@ out:
return rc;
 }
 
+/* Clone the SID into the new SID table. */
+static int clone_sid(u32 sid, struct context *context, void *arg)
+{
+   struct sidtab *s = arg;
+
+   if (sid > SECINITSID_NUM)
+   return sidtab_insert(s, sid, context);
+   else
+   return 0;
+}
+
+int sidtab_convert(struct sidtab *s, struct sidtab *news,
+  int (*convert) (u32 sid,
+  struct context *context,
+  void *args),
+  void *args)
+{
+   unsigned long flags;
+   int rc;
+
+   spin_lock_irqsave(>lock, flags);
+   s->shutdown = 1;
+   spin_unlock_irqrestore(>lock, flags);
+
+   rc = sidtab_map(s, clone_sid, news);
+   if (rc)
+   return rc;
+
+   return sidtab_map(news, convert, args);
+}
+
 static void sidtab_update_cache(struct sidtab *s, struct sidtab_node *n, int 
loc)
 {
BUG_ON(loc >= SIDTAB_CACHE_LEN);
@@ -295,12 +326,3 @@ void sidtab_set(struct sidtab *dst, struct sidtab *src)
dst->cache[i] = NULL;
spin_unlock_irqrestore(>lock, flags);
 }
-
-void sidtab_shutdown(struct sidtab *s)
-{
-   unsigned long flags;
-
-   spin_lock_irqsave(>lock, flags);
-   s->shutdown = 1;
-   spin_unlock_irqrestore(>lock, flags);
-}
diff --git a/security/selinux/ss/sidtab.h b/security/selinux/ss/sidtab.h
index a1a1d2617b6f..26c74fe7afc0 100644
--- a/security/selinux/ss/sidtab.h
+++ b/security/selinux/ss/sidtab.h
@@ -37,11 +37,11 @@ int sidtab_insert(struct sidtab *s, u32 sid, struct context 
*context);
 struct context *sidtab_search(struct sidtab *s, u32 sid);
 struct context *sidtab_search_force(struct sidtab *s, u32 sid);
 
-int sidtab_map(struct sidtab *s,
-  int (*apply) (u32 sid,
-struct context *context,
-void *args),
-  void *args);
+int sidtab_convert(struct sidtab *s, struct sidtab *news,
+  int (*apply) (u32 sid,
+struct context