From: Stephen Smalley <sds@tycho.nsa.gov> To: Ondrej Mosnacek <omosnace@redhat.com>, selinux@vger.kernel.org, Paul Moore <paul@paul-moore.com> Subject: Re: [PATCH 1/6] selinux: do not allocate ancillary buffer on first load Date: Thu, 16 Jan 2020 11:02:55 -0500 Message-ID: <e2af6353-25a0-30ea-8d81-30ec0d67e7d2@tycho.nsa.gov> (raw) In-Reply-To: <20200116120439.303034-2-omosnace@redhat.com> On 1/16/20 7:04 AM, Ondrej Mosnacek wrote: > In security_load_policy(), we can defer allocating the newpolicydb > ancillary array to after checking state->initialized, thereby avoiding > the pointless allocation when loading policy the first time. > > Signed-off-by: Ondrej Mosnacek <omosnace@redhat.com> What are these relative to, because they don't apply for me on selinux/next? In particular they conflict with your 'treat atomic flags more carefully' patch. > --- > security/selinux/ss/services.c | 28 +++++++++++++--------------- > 1 file changed, 13 insertions(+), 15 deletions(-) > > diff --git a/security/selinux/ss/services.c b/security/selinux/ss/services.c > index 55cf42945cba..42ca9f6dbbf4 100644 > --- a/security/selinux/ss/services.c > +++ b/security/selinux/ss/services.c > @@ -2183,26 +2183,17 @@ int security_load_policy(struct selinux_state *state, void *data, size_t len) > int rc = 0; > struct policy_file file = { data, len }, *fp = &file; > > - oldpolicydb = kcalloc(2, sizeof(*oldpolicydb), GFP_KERNEL); > - if (!oldpolicydb) { > - rc = -ENOMEM; > - goto out; > - } > - newpolicydb = oldpolicydb + 1; > - > policydb = &state->ss->policydb; > > newsidtab = kmalloc(sizeof(*newsidtab), GFP_KERNEL); > - if (!newsidtab) { > - rc = -ENOMEM; > - goto out; > - } > + if (!newsidtab) > + return -ENOMEM; > > if (!state->initialized) { > rc = policydb_read(policydb, fp); > if (rc) { > kfree(newsidtab); > - goto out; > + return rc; > } > > policydb->len = len; 
> @@ -2211,14 +2202,14 @@ int security_load_policy(struct selinux_state *state, void *data, size_t len) > if (rc) { > kfree(newsidtab); > policydb_destroy(policydb); > - goto out; > + return rc; > } > > rc = policydb_load_isids(policydb, newsidtab); > if (rc) { > kfree(newsidtab); > policydb_destroy(policydb); > - goto out; > + return rc; > } > > state->ss->sidtab = newsidtab; > @@ -2231,9 +2222,16 @@ int security_load_policy(struct selinux_state *state, void *data, size_t len) > selinux_status_update_policyload(state, seqno); > selinux_netlbl_cache_invalidate(); > selinux_xfrm_notify_policyload(); > - goto out; > + return 0; > } > > + oldpolicydb = kcalloc(2, sizeof(*oldpolicydb), GFP_KERNEL); > + if (!oldpolicydb) { > + kfree(newsidtab); > + return -ENOMEM; > + } > + newpolicydb = oldpolicydb + 1; > + > rc = policydb_read(newpolicydb, fp); > if (rc) { > kfree(newsidtab); >
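Review bot: the ordering change in the second hunk means `newsidtab` is already allocated when `oldpolicydb = kcalloc(...)` runs, so the new failure path correctly adds `kfree(newsidtab)` before `return -ENOMEM`; please confirm that the later `goto out` sites and the `out:` label (not shown in the hunk) still free `oldpolicydb` only on paths where it has been assigned, since the first-load branch in the first hunk now returns directly and never reaches `out`. In the first hunk, replacing `goto out` with `return rc;` / `return 0;` in the `!state->initialized` branch is consistent as long as nothing at `out:` besides the `oldpolicydb` kfree was relied on there (e.g. no lock release); the commit message could state that explicitly so reviewers need not check the rest of the function.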