Re: [PATCH v3] selinux: simplify mls_context_to_sid()

2018-11-13 Thread Paul Moore
On Tue, Nov 13, 2018 at 4:10 PM Stephen Smalley wrote: > On 11/12/18 6:44 AM, Ondrej Mosnacek wrote: > > This function has only two callers, but only one of them actually needs > > the special logic at the beginning. Factoring this logic out into > > string_to_context_struct() allows us to drop

Re: [RFC PATCH 2/3] selinux: use separate table for initial SID lookup

2018-11-13 Thread Stephen Smalley
On 11/13/18 8:52 AM, Ondrej Mosnacek wrote: This patch is non-functional and moves handling of initial SIDs into a separate table. Note that the SIDs stored in the main table are now shifted by SECINITSID_NUM and converted to/from the actual SIDs transparently by helper functions. When you say

Re: [RFC PATCH 1/3] selinux: refactor sidtab conversion

2018-11-13 Thread Stephen Smalley
On 11/13/18 8:52 AM, Ondrej Mosnacek wrote: This is a purely cosmetic change that encapsulates the three-step sidtab conversion logic (shutdown -> clone -> map) into a single function defined in sidtab.c (as opposed to services.c). Signed-off-by: Ondrej Mosnacek Acked-by: Stephen Smalley

Re: [PATCH v3] selinux: simplify mls_context_to_sid()

2018-11-13 Thread Stephen Smalley
On 11/12/18 6:44 AM, Ondrej Mosnacek wrote: This function has only two callers, but only one of them actually needs the special logic at the beginning. Factoring this logic out into string_to_context_struct() allows us to drop the arguments 'oldc', 's', and 'def_sid'. Signed-off-by: Ondrej

[RFC PATCH 2/3] selinux: use separate table for initial SID lookup

2018-11-13 Thread Ondrej Mosnacek
This patch is non-functional and moves handling of initial SIDs into a separate table. Note that the SIDs stored in the main table are now shifted by SECINITSID_NUM and converted to/from the actual SIDs transparently by helper functions. This change doesn't make much sense on its own, but it

[RFC PATCH 3/3] selinux: overhaul sidtab to fix bug and improve performance

2018-11-13 Thread Ondrej Mosnacek
Before this patch, during a policy reload the sidtab would become frozen and trying to map a new context to SID would be unable to add a new entry to sidtab and fail with -ENOMEM. Such failures are usually propagated into userspace, which has no way of distinguishing them from actual allocation

[RFC PATCH 0/3] Fix ENOMEM errors during policy reload

2018-11-13 Thread Ondrej Mosnacek
This patchset is an alternative, hopefully better (but also more risky), solution of the ENOMEM problem ([1]) that I first tried to solve in [2]. In this version I encapsulate the initial SID table within sidtab and also switch back from converting the sidtab in-place to converting into a new

[RFC PATCH 1/3] selinux: refactor sidtab conversion

2018-11-13 Thread Ondrej Mosnacek
This is a purely cosmetic change that encapsulates the three-step sidtab conversion logic (shutdown -> clone -> map) into a single function defined in sidtab.c (as opposed to services.c). Signed-off-by: Ondrej Mosnacek --- security/selinux/ss/services.c | 22 +--