SELinux Archive on lore.kernel.org
 help / color / Atom feed
From: Stephen Smalley <sds@tycho.nsa.gov>
To: Ondrej Mosnacek <omosnace@redhat.com>,
	selinux@vger.kernel.org, Paul Moore <paul@paul-moore.com>
Subject: Re: [PATCH 2/6] selinux: simplify security_preserve_bools()
Date: Thu, 16 Jan 2020 11:42:31 -0500
Message-ID: <1aa7f437-7b34-4097-2af8-6f519e16d916@tycho.nsa.gov> (raw)
In-Reply-To: <20200116120439.303034-3-omosnace@redhat.com>

On 1/16/20 7:04 AM, Ondrej Mosnacek wrote:
> First, evaluate_cond_node() never returns an error. Make it just return
> void.
> 
> Second, drop the use of security_get_bools() from
> security_preserve_bools() and read from the old policydb directly. This
> saves some useless allocations and together with the first change makes
> security_preserve_bools() no longer possibly return an error. Again the
> return type is changed to void.
> 
> Signed-off-by: Ondrej Mosnacek <omosnace@redhat.com>

Dropping use of security_get_bools() means we are no longer reading the 
boolean values with the policy read-lock held so they could in theory 
change underneath us.  However, this is presently prevented via the 
fsi->mutex taken by selinuxfs so I believe this is safe.

Reviewed-by: Stephen Smalley <sds@tycho.nsa.gov>

> ---
>   security/selinux/ss/conditional.c |  3 +-
>   security/selinux/ss/conditional.h |  2 +-
>   security/selinux/ss/services.c    | 52 ++++++++++---------------------
>   3 files changed, 18 insertions(+), 39 deletions(-)
> 
> diff --git a/security/selinux/ss/conditional.c b/security/selinux/ss/conditional.c
> index 70c378ee1a2f..04593062008d 100644
> --- a/security/selinux/ss/conditional.c
> +++ b/security/selinux/ss/conditional.c
> @@ -85,7 +85,7 @@ static int cond_evaluate_expr(struct policydb *p, struct cond_expr *expr)
>    * list appropriately. If the result of the expression is undefined
>    * all of the rules are disabled for safety.
>    */
> -int evaluate_cond_node(struct policydb *p, struct cond_node *node)
> +void evaluate_cond_node(struct policydb *p, struct cond_node *node)
>   {
>   	int new_state;
>   	struct cond_av_list *cur;
> @@ -111,7 +111,6 @@ int evaluate_cond_node(struct policydb *p, struct cond_node *node)
>   				cur->node->key.specified |= AVTAB_ENABLED;
>   		}
>   	}
> -	return 0;
>   }
>   
>   int cond_policydb_init(struct policydb *p)
> diff --git a/security/selinux/ss/conditional.h b/security/selinux/ss/conditional.h
> index ec846e45904c..d86ef286ca84 100644
> --- a/security/selinux/ss/conditional.h
> +++ b/security/selinux/ss/conditional.h
> @@ -75,6 +75,6 @@ void cond_compute_av(struct avtab *ctab, struct avtab_key *key,
>   		struct av_decision *avd, struct extended_perms *xperms);
>   void cond_compute_xperms(struct avtab *ctab, struct avtab_key *key,
>   		struct extended_perms_decision *xpermd);
> -int evaluate_cond_node(struct policydb *p, struct cond_node *node);
> +void evaluate_cond_node(struct policydb *p, struct cond_node *node);
>   
>   #endif /* _CONDITIONAL_H_ */
> diff --git a/security/selinux/ss/services.c b/security/selinux/ss/services.c
> index 42ca9f6dbbf4..b9eda7d89e22 100644
> --- a/security/selinux/ss/services.c
> +++ b/security/selinux/ss/services.c
> @@ -2157,8 +2157,8 @@ static void security_load_policycaps(struct selinux_state *state)
>   	}
>   }
>   
> -static int security_preserve_bools(struct selinux_state *state,
> -				   struct policydb *newpolicydb);
> +static void security_preserve_bools(struct policydb *oldpolicydb,
> +				    struct policydb *newpolicydb);
>   
>   /**
>    * security_load_policy - Load a security policy configuration.
> @@ -2257,11 +2257,7 @@ int security_load_policy(struct selinux_state *state, void *data, size_t len)
>   	if (rc)
>   		goto err;
>   
> -	rc = security_preserve_bools(state, newpolicydb);
> -	if (rc) {
> -		pr_err("SELinux:  unable to preserve booleans\n");
> -		goto err;
> -	}
> +	security_preserve_bools(policydb, newpolicydb);
>   
>   	oldsidtab = state->ss->sidtab;
>   
> @@ -2958,11 +2954,8 @@ int security_set_bools(struct selinux_state *state, int len, int *values)
>   			policydb->bool_val_to_struct[i]->state = 0;
>   	}
>   
> -	for (cur = policydb->cond_list; cur; cur = cur->next) {
> -		rc = evaluate_cond_node(policydb, cur);
> -		if (rc)
> -			goto out;
> -	}
> +	for (cur = policydb->cond_list; cur; cur = cur->next)
> +		evaluate_cond_node(policydb, cur);
>   
>   	seqno = ++state->ss->latest_granting;
>   	rc = 0;
> @@ -2999,36 +2992,23 @@ out:
>   	return rc;
>   }
>   
> -static int security_preserve_bools(struct selinux_state *state,
> -				   struct policydb *policydb)
> +static void security_preserve_bools(struct policydb *oldpolicydb,
> +				    struct policydb *newpolicydb)
>   {
> -	int rc, nbools = 0, *bvalues = NULL, i;
> -	char **bnames = NULL;
>   	struct cond_bool_datum *booldatum;
>   	struct cond_node *cur;
> +	int i;
>   
> -	rc = security_get_bools(state, &nbools, &bnames, &bvalues);
> -	if (rc)
> -		goto out;
> -	for (i = 0; i < nbools; i++) {
> -		booldatum = hashtab_search(policydb->p_bools.table, bnames[i]);
> -		if (booldatum)
> -			booldatum->state = bvalues[i];
> -	}
> -	for (cur = policydb->cond_list; cur; cur = cur->next) {
> -		rc = evaluate_cond_node(policydb, cur);
> -		if (rc)
> -			goto out;
> -	}
> +	for (i = 0; i < oldpolicydb->p_bools.nprim; i++) {
> +		const char *name = sym_name(oldpolicydb, SYM_BOOLS, i);
> +		int value = oldpolicydb->bool_val_to_struct[i]->state;
>   
> -out:
> -	if (bnames) {
> -		for (i = 0; i < nbools; i++)
> -			kfree(bnames[i]);
> +		booldatum = hashtab_search(newpolicydb->p_bools.table, name);
> +		if (booldatum)
> +			booldatum->state = value;
>   	}
> -	kfree(bnames);
> -	kfree(bvalues);
> -	return rc;
> +	for (cur = newpolicydb->cond_list; cur; cur = cur->next)
> +		evaluate_cond_node(newpolicydb, cur);
>   }
>   
>   /*
> 


  reply index

Thread overview: 21+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2020-01-16 12:04 [PATCH 0/6] selinux: Assorted simplifications and cleanups Ondrej Mosnacek
2020-01-16 12:04 ` [PATCH 1/6] selinux: do not allocate ancillary buffer on first load Ondrej Mosnacek
2020-01-16 16:02   ` Stephen Smalley
2020-01-16 16:18     ` Ondrej Mosnacek
2020-01-16 21:57       ` Paul Moore
2020-01-16 16:34   ` Stephen Smalley
2020-01-16 12:04 ` [PATCH 2/6] selinux: simplify security_preserve_bools() Ondrej Mosnacek
2020-01-16 16:42   ` Stephen Smalley [this message]
2020-01-16 22:28     ` Paul Moore
2020-01-16 12:04 ` [PATCH 3/6] selinux: convert cond_list to array Ondrej Mosnacek
2020-01-16 17:07   ` Stephen Smalley
2020-01-16 12:04 ` [PATCH 4/6] selinux: convert cond_av_list " Ondrej Mosnacek
2020-01-16 17:13   ` Stephen Smalley
2020-01-16 12:04 ` [PATCH 5/6] selinux: convert cond_expr " Ondrej Mosnacek
2020-01-16 17:17   ` Stephen Smalley
2020-01-16 12:04 ` [PATCH 6/6] selinux: generalize evaluate_cond_node() Ondrej Mosnacek
2020-01-16 17:18   ` Stephen Smalley
2020-01-16 23:09 ` [PATCH 0/6] selinux: Assorted simplifications and cleanups Casey Schaufler
2020-01-16 23:59   ` Paul Moore
2020-01-17  0:49     ` Casey Schaufler
2020-01-17  0:56       ` Paul Moore

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=1aa7f437-7b34-4097-2af8-6f519e16d916@tycho.nsa.gov \
    --to=sds@tycho.nsa.gov \
    --cc=omosnace@redhat.com \
    --cc=paul@paul-moore.com \
    --cc=selinux@vger.kernel.org \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

SELinux Archive on lore.kernel.org

Archives are clonable:
	git clone --mirror https://lore.kernel.org/selinux/0 selinux/git/0.git

	# If you have public-inbox 1.1+ installed, you may
	# initialize and index your mirror using the following commands:
	public-inbox-init -V2 selinux selinux/ https://lore.kernel.org/selinux \
		selinux@vger.kernel.org
	public-inbox-index selinux

Example config snippet for mirrors

Newsgroup available over NNTP:
	nntp://nntp.lore.kernel.org/org.kernel.vger.selinux


AGPL code for this site: git clone https://public-inbox.org/public-inbox.git