SELinux Archive on lore.kernel.org
 help / color / Atom feed
From: Ondrej Mosnacek <omosnace@redhat.com>
To: selinux@vger.kernel.org, Paul Moore <paul@paul-moore.com>
Cc: Stephen Smalley <sds@tycho.nsa.gov>
Subject: [PATCH 2/6] selinux: simplify security_preserve_bools()
Date: Thu, 16 Jan 2020 13:04:35 +0100
Message-ID: <20200116120439.303034-3-omosnace@redhat.com> (raw)
In-Reply-To: <20200116120439.303034-1-omosnace@redhat.com>

First, evaluate_cond_node() never returns an error. Make it just return
void.

Second, drop the use of security_get_bools() from
security_preserve_bools() and read from the old policydb directly. This
saves some useless allocations and together with the first change makes
security_preserve_bools() no longer possibly return an error. Again the
return type is changed to void.

Signed-off-by: Ondrej Mosnacek <omosnace@redhat.com>
---
 security/selinux/ss/conditional.c |  3 +-
 security/selinux/ss/conditional.h |  2 +-
 security/selinux/ss/services.c    | 52 ++++++++++---------------------
 3 files changed, 18 insertions(+), 39 deletions(-)

diff --git a/security/selinux/ss/conditional.c b/security/selinux/ss/conditional.c
index 70c378ee1a2f..04593062008d 100644
--- a/security/selinux/ss/conditional.c
+++ b/security/selinux/ss/conditional.c
@@ -85,7 +85,7 @@ static int cond_evaluate_expr(struct policydb *p, struct cond_expr *expr)
  * list appropriately. If the result of the expression is undefined
  * all of the rules are disabled for safety.
  */
-int evaluate_cond_node(struct policydb *p, struct cond_node *node)
+void evaluate_cond_node(struct policydb *p, struct cond_node *node)
 {
 	int new_state;
 	struct cond_av_list *cur;
@@ -111,7 +111,6 @@ int evaluate_cond_node(struct policydb *p, struct cond_node *node)
 				cur->node->key.specified |= AVTAB_ENABLED;
 		}
 	}
-	return 0;
 }
 
 int cond_policydb_init(struct policydb *p)
diff --git a/security/selinux/ss/conditional.h b/security/selinux/ss/conditional.h
index ec846e45904c..d86ef286ca84 100644
--- a/security/selinux/ss/conditional.h
+++ b/security/selinux/ss/conditional.h
@@ -75,6 +75,6 @@ void cond_compute_av(struct avtab *ctab, struct avtab_key *key,
 		struct av_decision *avd, struct extended_perms *xperms);
 void cond_compute_xperms(struct avtab *ctab, struct avtab_key *key,
 		struct extended_perms_decision *xpermd);
-int evaluate_cond_node(struct policydb *p, struct cond_node *node);
+void evaluate_cond_node(struct policydb *p, struct cond_node *node);
 
 #endif /* _CONDITIONAL_H_ */
diff --git a/security/selinux/ss/services.c b/security/selinux/ss/services.c
index 42ca9f6dbbf4..b9eda7d89e22 100644
--- a/security/selinux/ss/services.c
+++ b/security/selinux/ss/services.c
@@ -2157,8 +2157,8 @@ static void security_load_policycaps(struct selinux_state *state)
 	}
 }
 
-static int security_preserve_bools(struct selinux_state *state,
-				   struct policydb *newpolicydb);
+static void security_preserve_bools(struct policydb *oldpolicydb,
+				    struct policydb *newpolicydb);
 
 /**
  * security_load_policy - Load a security policy configuration.
@@ -2257,11 +2257,7 @@ int security_load_policy(struct selinux_state *state, void *data, size_t len)
 	if (rc)
 		goto err;
 
-	rc = security_preserve_bools(state, newpolicydb);
-	if (rc) {
-		pr_err("SELinux:  unable to preserve booleans\n");
-		goto err;
-	}
+	security_preserve_bools(policydb, newpolicydb);
 
 	oldsidtab = state->ss->sidtab;
 
@@ -2958,11 +2954,8 @@ int security_set_bools(struct selinux_state *state, int len, int *values)
 			policydb->bool_val_to_struct[i]->state = 0;
 	}
 
-	for (cur = policydb->cond_list; cur; cur = cur->next) {
-		rc = evaluate_cond_node(policydb, cur);
-		if (rc)
-			goto out;
-	}
+	for (cur = policydb->cond_list; cur; cur = cur->next)
+		evaluate_cond_node(policydb, cur);
 
 	seqno = ++state->ss->latest_granting;
 	rc = 0;
@@ -2999,36 +2992,23 @@ out:
 	return rc;
 }
 
-static int security_preserve_bools(struct selinux_state *state,
-				   struct policydb *policydb)
+static void security_preserve_bools(struct policydb *oldpolicydb,
+				    struct policydb *newpolicydb)
 {
-	int rc, nbools = 0, *bvalues = NULL, i;
-	char **bnames = NULL;
 	struct cond_bool_datum *booldatum;
 	struct cond_node *cur;
+	int i;
 
-	rc = security_get_bools(state, &nbools, &bnames, &bvalues);
-	if (rc)
-		goto out;
-	for (i = 0; i < nbools; i++) {
-		booldatum = hashtab_search(policydb->p_bools.table, bnames[i]);
-		if (booldatum)
-			booldatum->state = bvalues[i];
-	}
-	for (cur = policydb->cond_list; cur; cur = cur->next) {
-		rc = evaluate_cond_node(policydb, cur);
-		if (rc)
-			goto out;
-	}
+	for (i = 0; i < oldpolicydb->p_bools.nprim; i++) {
+		const char *name = sym_name(oldpolicydb, SYM_BOOLS, i);
+		int value = oldpolicydb->bool_val_to_struct[i]->state;
 
-out:
-	if (bnames) {
-		for (i = 0; i < nbools; i++)
-			kfree(bnames[i]);
+		booldatum = hashtab_search(newpolicydb->p_bools.table, name);
+		if (booldatum)
+			booldatum->state = value;
 	}
-	kfree(bnames);
-	kfree(bvalues);
-	return rc;
+	for (cur = newpolicydb->cond_list; cur; cur = cur->next)
+		evaluate_cond_node(newpolicydb, cur);
 }
 
 /*
-- 
2.24.1


  parent reply index

Thread overview: 21+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2020-01-16 12:04 [PATCH 0/6] selinux: Assorted simplifications and cleanups Ondrej Mosnacek
2020-01-16 12:04 ` [PATCH 1/6] selinux: do not allocate ancillary buffer on first load Ondrej Mosnacek
2020-01-16 16:02   ` Stephen Smalley
2020-01-16 16:18     ` Ondrej Mosnacek
2020-01-16 21:57       ` Paul Moore
2020-01-16 16:34   ` Stephen Smalley
2020-01-16 12:04 ` Ondrej Mosnacek [this message]
2020-01-16 16:42   ` [PATCH 2/6] selinux: simplify security_preserve_bools() Stephen Smalley
2020-01-16 22:28     ` Paul Moore
2020-01-16 12:04 ` [PATCH 3/6] selinux: convert cond_list to array Ondrej Mosnacek
2020-01-16 17:07   ` Stephen Smalley
2020-01-16 12:04 ` [PATCH 4/6] selinux: convert cond_av_list " Ondrej Mosnacek
2020-01-16 17:13   ` Stephen Smalley
2020-01-16 12:04 ` [PATCH 5/6] selinux: convert cond_expr " Ondrej Mosnacek
2020-01-16 17:17   ` Stephen Smalley
2020-01-16 12:04 ` [PATCH 6/6] selinux: generalize evaluate_cond_node() Ondrej Mosnacek
2020-01-16 17:18   ` Stephen Smalley
2020-01-16 23:09 ` [PATCH 0/6] selinux: Assorted simplifications and cleanups Casey Schaufler
2020-01-16 23:59   ` Paul Moore
2020-01-17  0:49     ` Casey Schaufler
2020-01-17  0:56       ` Paul Moore

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20200116120439.303034-3-omosnace@redhat.com \
    --to=omosnace@redhat.com \
    --cc=paul@paul-moore.com \
    --cc=sds@tycho.nsa.gov \
    --cc=selinux@vger.kernel.org \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

SELinux Archive on lore.kernel.org

Archives are clonable:
	git clone --mirror https://lore.kernel.org/selinux/0 selinux/git/0.git

	# If you have public-inbox 1.1+ installed, you may
	# initialize and index your mirror using the following commands:
	public-inbox-init -V2 selinux selinux/ https://lore.kernel.org/selinux \
		selinux@vger.kernel.org
	public-inbox-index selinux

Example config snippet for mirrors

Newsgroup available over NNTP:
	nntp://nntp.lore.kernel.org/org.kernel.vger.selinux


AGPL code for this site: git clone https://public-inbox.org/public-inbox.git