[PATCH] libselinux: simplify procattr cache

[PATCH] libselinux: simplify procattr cache

[Stephen Smalley]

https://github.com/systemd/systemd/issues/475 identified a problem
in libselinux with using getpid(3) rather than getpid(2) due to direct
use of the clone() system call by systemd.  We could change libselinux
to use getpid(2) instead, but this would impose a getpid(2) system call
overhead on each get*con() or set*con() call.  Rather than do this,
we can instead simplify the procattr cache and get rid of the
caching of the pid and tid entirely, along with the atfork handler.
With commit 3430519109c0423a49b9350aa8444beec798d5a7 ("use
/proc/thread-self when available"), we only need the tid when
on Linux < 3.17, so we can just always call gettid() in that case (as
done prior to the procattr cache) and drop the cached tid. The cached
pid and atfork handlers were only needed to reset the cached tid, so
those can also be dropped. The rest of the cached attributes are not
reset by the kernel on fork, only on exec, so we do not need to
flush them upon fork/clone.

Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
---
 libselinux/src/procattr.c | 34 +++-------------------------------
 1 file changed, 3 insertions(+), 31 deletions(-)

diff --git a/libselinux/src/procattr.c b/libselinux/src/procattr.c
index e444571..527a0a5 100644
--- a/libselinux/src/procattr.c
+++ b/libselinux/src/procattr.c
@@ -11,8 +11,6 @@
 
 #define UNSET (char *) -1
 
-static __thread pid_t cpid;
-static __thread pid_t tid;
 static __thread char *prev_current = UNSET;
 static __thread char * prev_exec = UNSET;
 static __thread char * prev_fscreate = UNSET;
@@ -24,15 +22,6 @@ static pthread_key_t destructor_key;
 static int destructor_key_initialized = 0;
 static __thread char destructor_initialized;
 
-extern void *__dso_handle __attribute__ ((__weak__, __visibility__ ("hidden")));
-extern int __register_atfork (void (*) (void), void (*) (void), void (*) (void), void *);
-
-static int __selinux_atfork (void (*prepare) (void), void (*parent) (void), void (*child) (void))
-{
-  return __register_atfork (prepare, parent, child,
-                            &__dso_handle == NULL ? NULL : __dso_handle);
-}
-
 static pid_t gettid(void)
 {
 	return syscall(__NR_gettid);
@@ -52,14 +41,6 @@ static void procattr_thread_destructor(void __attribute__((unused)) *unused)
 		free(prev_sockcreate);
 }
 
-static void free_procattr(void)
-{
-	procattr_thread_destructor(NULL);
-	tid = 0;
-	cpid = getpid();
-	prev_current = prev_exec = prev_fscreate = prev_keycreate = prev_sockcreate = UNSET;
-}
-
 void __attribute__((destructor)) procattr_destructor(void);
 
 void hidden __attribute__((destructor)) procattr_destructor(void)
@@ -79,7 +60,6 @@ static inline void init_thread_destructor(void)
 static void init_procattr(void)
 {
 	if (__selinux_key_create(&destructor_key, procattr_thread_destructor) == 0) {
-		__selinux_atfork(NULL, NULL, free_procattr);
 		destructor_key_initialized = 1;
 	}
 }
@@ -88,9 +68,7 @@ static int openattr(pid_t pid, const char *attr, int flags)
 {
 	int fd, rc;
 	char *path;
-
-	if (cpid != getpid())
-		free_procattr();
+	pid_t tid;
 
 	if (pid > 0)
 		rc = asprintf(&path, "/proc/%d/attr/%s", pid, attr);
@@ -101,8 +79,8 @@ static int openattr(pid_t pid, const char *attr, int flags)
 		fd = open(path, flags | O_CLOEXEC);
 		if (fd >= 0 || errno != ENOENT)
 			goto out;
-		if (!tid)
-			tid = gettid();
+		free(path);
+		tid = gettid();
 		rc = asprintf(&path, "/proc/self/task/%d/attr/%s", tid, attr);
 	}
 	if (rc < 0)
@@ -127,9 +105,6 @@ static int getprocattrcon_raw(char ** context,
 	__selinux_once(once, init_procattr);
 	init_thread_destructor();
 
-	if (cpid != getpid())
-		free_procattr();
-
 	switch (attr[0]) {
 		case 'c':
 			prev_context = prev_current;
@@ -227,9 +202,6 @@ static int setprocattrcon_raw(const char * context,
 	__selinux_once(once, init_procattr);
 	init_thread_destructor();
 
-	if (cpid != getpid())
-		free_procattr();
-
 	switch (attr[0]) {
 		case 'c':
 			prev_context = &prev_current;
-- 
2.1.0

Re: [PATCH] libselinux: simplify procattr cache

[Dominick Grift]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

On Mon, Jul 20, 2015 at 01:11:06PM -0400, Stephen Smalley wrote:
> https://github.com/systemd/systemd/issues/475 identified a problem
> in libselinux with using getpid(3) rather than getpid(2) due to direct
> use of the clone() system call by systemd.  We could change libselinux
> to use getpid(2) instead, but this would impose a getpid(2) system call
> overhead on each get*con() or set*con() call.  Rather than do this,
> we can instead simplify the procattr cache and get rid of the
> caching of the pid and tid entirely, along with the atfork handler.
> With commit 3430519109c0423a49b9350aa8444beec798d5a7 ("use
> /proc/thread-self when available"), we only need the tid when
> on Linux < 3.17, so we can just always call gettid() in that case (as
> done prior to the procattr cache) and drop the cached tid. The cached
> pid and atfork handlers were only needed to reset the cached tid, so
> those can also be dropped. The rest of the cached attributes are not
> reset by the kernel on fork, only on exec, so we do not need to
> flush them upon fork/clone.

Today i tried out these two patches (I basically updated the procattr.c
in Fedoras' libselinux myself because It took them too long) However, this seems to not
fix the systemd-nspawn issue for me (at least not by itself). I do not know whether that is due to
libselinux or to systemd-nspawn, but the error message is still exactly
the same.

> 
> Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
> ---
>  libselinux/src/procattr.c | 34 +++-------------------------------
>  1 file changed, 3 insertions(+), 31 deletions(-)
> 
> diff --git a/libselinux/src/procattr.c b/libselinux/src/procattr.c
> index e444571..527a0a5 100644
> --- a/libselinux/src/procattr.c
> +++ b/libselinux/src/procattr.c
> @@ -11,8 +11,6 @@
>  
>  #define UNSET (char *) -1
>  
> -static __thread pid_t cpid;
> -static __thread pid_t tid;
>  static __thread char *prev_current = UNSET;
>  static __thread char * prev_exec = UNSET;
>  static __thread char * prev_fscreate = UNSET;
> @@ -24,15 +22,6 @@ static pthread_key_t destructor_key;
>  static int destructor_key_initialized = 0;
>  static __thread char destructor_initialized;
>  
> -extern void *__dso_handle __attribute__ ((__weak__, __visibility__ ("hidden")));
> -extern int __register_atfork (void (*) (void), void (*) (void), void (*) (void), void *);
> -
> -static int __selinux_atfork (void (*prepare) (void), void (*parent) (void), void (*child) (void))
> -{
> -  return __register_atfork (prepare, parent, child,
> -                            &__dso_handle == NULL ? NULL : __dso_handle);
> -}
> -
>  static pid_t gettid(void)
>  {
>  	return syscall(__NR_gettid);
> @@ -52,14 +41,6 @@ static void procattr_thread_destructor(void __attribute__((unused)) *unused)
>  		free(prev_sockcreate);
>  }
>  
> -static void free_procattr(void)
> -{
> -	procattr_thread_destructor(NULL);
> -	tid = 0;
> -	cpid = getpid();
> -	prev_current = prev_exec = prev_fscreate = prev_keycreate = prev_sockcreate = UNSET;
> -}
> -
>  void __attribute__((destructor)) procattr_destructor(void);
>  
>  void hidden __attribute__((destructor)) procattr_destructor(void)
> @@ -79,7 +60,6 @@ static inline void init_thread_destructor(void)
>  static void init_procattr(void)
>  {
>  	if (__selinux_key_create(&destructor_key, procattr_thread_destructor) == 0) {
> -		__selinux_atfork(NULL, NULL, free_procattr);
>  		destructor_key_initialized = 1;
>  	}
>  }
> @@ -88,9 +68,7 @@ static int openattr(pid_t pid, const char *attr, int flags)
>  {
>  	int fd, rc;
>  	char *path;
> -
> -	if (cpid != getpid())
> -		free_procattr();
> +	pid_t tid;
>  
>  	if (pid > 0)
>  		rc = asprintf(&path, "/proc/%d/attr/%s", pid, attr);
> @@ -101,8 +79,8 @@ static int openattr(pid_t pid, const char *attr, int flags)
>  		fd = open(path, flags | O_CLOEXEC);
>  		if (fd >= 0 || errno != ENOENT)
>  			goto out;
> -		if (!tid)
> -			tid = gettid();
> +		free(path);
> +		tid = gettid();
>  		rc = asprintf(&path, "/proc/self/task/%d/attr/%s", tid, attr);
>  	}
>  	if (rc < 0)
> @@ -127,9 +105,6 @@ static int getprocattrcon_raw(char ** context,
>  	__selinux_once(once, init_procattr);
>  	init_thread_destructor();
>  
> -	if (cpid != getpid())
> -		free_procattr();
> -
>  	switch (attr[0]) {
>  		case 'c':
>  			prev_context = prev_current;
> @@ -227,9 +202,6 @@ static int setprocattrcon_raw(const char * context,
>  	__selinux_once(once, init_procattr);
>  	init_thread_destructor();
>  
> -	if (cpid != getpid())
> -		free_procattr();
> -
>  	switch (attr[0]) {
>  		case 'c':
>  			prev_context = &prev_current;
> -- 
> 2.1.0
> 
> _______________________________________________
> Selinux mailing list
> Selinux@tycho.nsa.gov
> To unsubscribe, send email to Selinux-leave@tycho.nsa.gov.
> To get help, send an email containing "help" to Selinux-request@tycho.nsa.gov.

- -- 
02DFF788
4D30 903A 1CF3 B756 FB48  1514 3148 83A2 02DF F788
http://keys.gnupg.net/pks/lookup?op=vindex&search=0x314883A202DFF788
Dominick Grift
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2

iQGcBAEBCgAGBQJV4eWSAAoJENAR6kfG5xmc6EgL/02rifa4do5K4z1dQfloq7T6
mPG7DUBOkwiE1K6GA7qBQ13yKdgKmYwBoisKITy15FlACyWyVJfx2YkcTojdq0OD
Gl4kzcR57USk6DmJ1d3EAcxUjFrcZLqlhSrXexyq/uF4XRikBjGRyq1TP9fuIMLI
IcZ9eNLHQdGOj2mxMgwnvv4B15d19VhzzLbBJJJnsaUw+4yiM+LSK2fqAQxs9ERr
FA3Phv/ZkJzk2bWvU3EShVwzm70HXkkHgqoVu/EEbncEaLOr2ACu3sU/lAv7hEcZ
lWFM5WRy0RG0SAI2vQgKMWoUPuioLNFFDo7iQRINh2Z03O2pHfEe+jTpbuo3Ecoy
vOcq2410dXDZf2K/f7YMZkLl5mtcGl4fjAnIPUI1wqJr99M7Hs9BI0PeyGKLMKkY
m2b+XMnAvZx4T3FvQ6jZ1W+egwgVOX3feD9r2BRNjeqplNzmyTxHH8FhNmgC2Nev
j/Z1i5UjpUhLejN9Mfun/+pSKFL8pk/uC8sr91cJpA==
=CBla
-----END PGP SIGNATURE-----

Re: [PATCH] libselinux: simplify procattr cache

[Stephen Smalley]

On 08/29/2015 01:02 PM, Dominick Grift wrote:
> On Mon, Jul 20, 2015 at 01:11:06PM -0400, Stephen Smalley wrote:
>> https://github.com/systemd/systemd/issues/475 identified a problem
>> in libselinux with using getpid(3) rather than getpid(2) due to direct
>> use of the clone() system call by systemd.  We could change libselinux
>> to use getpid(2) instead, but this would impose a getpid(2) system call
>> overhead on each get*con() or set*con() call.  Rather than do this,
>> we can instead simplify the procattr cache and get rid of the
>> caching of the pid and tid entirely, along with the atfork handler.
>> With commit 3430519109c0423a49b9350aa8444beec798d5a7 ("use
>> /proc/thread-self when available"), we only need the tid when
>> on Linux < 3.17, so we can just always call gettid() in that case (as
>> done prior to the procattr cache) and drop the cached tid. The cached
>> pid and atfork handlers were only needed to reset the cached tid, so
>> those can also be dropped. The rest of the cached attributes are not
>> reset by the kernel on fork, only on exec, so we do not need to
>> flush them upon fork/clone.
> 
> Today i tried out these two patches (I basically updated the procattr.c
> in Fedoras' libselinux myself because It took them too long) However, this seems to not
> fix the systemd-nspawn issue for me (at least not by itself). I do not know whether that is due to
> libselinux or to systemd-nspawn, but the error message is still exactly
> the same.

Can you provide a reproducer, along with information on what version of
Fedora, systemd, etc you are using?

> 
> 
>> Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
>> ---
>>  libselinux/src/procattr.c | 34 +++-------------------------------
>>  1 file changed, 3 insertions(+), 31 deletions(-)
> 
>> diff --git a/libselinux/src/procattr.c b/libselinux/src/procattr.c
>> index e444571..527a0a5 100644
>> --- a/libselinux/src/procattr.c
>> +++ b/libselinux/src/procattr.c
>> @@ -11,8 +11,6 @@
> 
>>  #define UNSET (char *) -1
> 
>> -static __thread pid_t cpid;
>> -static __thread pid_t tid;
>>  static __thread char *prev_current = UNSET;
>>  static __thread char * prev_exec = UNSET;
>>  static __thread char * prev_fscreate = UNSET;
>> @@ -24,15 +22,6 @@ static pthread_key_t destructor_key;
>>  static int destructor_key_initialized = 0;
>>  static __thread char destructor_initialized;
> 
>> -extern void *__dso_handle __attribute__ ((__weak__, __visibility__ ("hidden")));
>> -extern int __register_atfork (void (*) (void), void (*) (void), void (*) (void), void *);
>> -
>> -static int __selinux_atfork (void (*prepare) (void), void (*parent) (void), void (*child) (void))
>> -{
>> -  return __register_atfork (prepare, parent, child,
>> -                            &__dso_handle == NULL ? NULL : __dso_handle);
>> -}
>> -
>>  static pid_t gettid(void)
>>  {
>>  	return syscall(__NR_gettid);
>> @@ -52,14 +41,6 @@ static void procattr_thread_destructor(void __attribute__((unused)) *unused)
>>  		free(prev_sockcreate);
>>  }
> 
>> -static void free_procattr(void)
>> -{
>> -	procattr_thread_destructor(NULL);
>> -	tid = 0;
>> -	cpid = getpid();
>> -	prev_current = prev_exec = prev_fscreate = prev_keycreate = prev_sockcreate = UNSET;
>> -}
>> -
>>  void __attribute__((destructor)) procattr_destructor(void);
> 
>>  void hidden __attribute__((destructor)) procattr_destructor(void)
>> @@ -79,7 +60,6 @@ static inline void init_thread_destructor(void)
>>  static void init_procattr(void)
>>  {
>>  	if (__selinux_key_create(&destructor_key, procattr_thread_destructor) == 0) {
>> -		__selinux_atfork(NULL, NULL, free_procattr);
>>  		destructor_key_initialized = 1;
>>  	}
>>  }
>> @@ -88,9 +68,7 @@ static int openattr(pid_t pid, const char *attr, int flags)
>>  {
>>  	int fd, rc;
>>  	char *path;
>> -
>> -	if (cpid != getpid())
>> -		free_procattr();
>> +	pid_t tid;
> 
>>  	if (pid > 0)
>>  		rc = asprintf(&path, "/proc/%d/attr/%s", pid, attr);
>> @@ -101,8 +79,8 @@ static int openattr(pid_t pid, const char *attr, int flags)
>>  		fd = open(path, flags | O_CLOEXEC);
>>  		if (fd >= 0 || errno != ENOENT)
>>  			goto out;
>> -		if (!tid)
>> -			tid = gettid();
>> +		free(path);
>> +		tid = gettid();
>>  		rc = asprintf(&path, "/proc/self/task/%d/attr/%s", tid, attr);
>>  	}
>>  	if (rc < 0)
>> @@ -127,9 +105,6 @@ static int getprocattrcon_raw(char ** context,
>>  	__selinux_once(once, init_procattr);
>>  	init_thread_destructor();
> 
>> -	if (cpid != getpid())
>> -		free_procattr();
>> -
>>  	switch (attr[0]) {
>>  		case 'c':
>>  			prev_context = prev_current;
>> @@ -227,9 +202,6 @@ static int setprocattrcon_raw(const char * context,
>>  	__selinux_once(once, init_procattr);
>>  	init_thread_destructor();
> 
>> -	if (cpid != getpid())
>> -		free_procattr();
>> -
>>  	switch (attr[0]) {
>>  		case 'c':
>>  			prev_context = &prev_current;
>> -- 
>> 2.1.0
> 
>> _______________________________________________
>> Selinux mailing list
>> Selinux@tycho.nsa.gov
>> To unsubscribe, send email to Selinux-leave@tycho.nsa.gov.
>> To get help, send an email containing "help" to Selinux-request@tycho.nsa.gov.
> 
> _______________________________________________
> Selinux mailing list
> Selinux@tycho.nsa.gov
> To unsubscribe, send email to Selinux-leave@tycho.nsa.gov.
> To get help, send an email containing "help" to Selinux-request@tycho.nsa.gov.
> 

Re: [PATCH] libselinux: simplify procattr cache

[Stephen Smalley]

On 08/31/2015 09:25 AM, Stephen Smalley wrote:
> On 08/29/2015 01:02 PM, Dominick Grift wrote:
>> On Mon, Jul 20, 2015 at 01:11:06PM -0400, Stephen Smalley wrote:
>>> https://github.com/systemd/systemd/issues/475 identified a problem
>>> in libselinux with using getpid(3) rather than getpid(2) due to direct
>>> use of the clone() system call by systemd.  We could change libselinux
>>> to use getpid(2) instead, but this would impose a getpid(2) system call
>>> overhead on each get*con() or set*con() call.  Rather than do this,
>>> we can instead simplify the procattr cache and get rid of the
>>> caching of the pid and tid entirely, along with the atfork handler.
>>> With commit 3430519109c0423a49b9350aa8444beec798d5a7 ("use
>>> /proc/thread-self when available"), we only need the tid when
>>> on Linux < 3.17, so we can just always call gettid() in that case (as
>>> done prior to the procattr cache) and drop the cached tid. The cached
>>> pid and atfork handlers were only needed to reset the cached tid, so
>>> those can also be dropped. The rest of the cached attributes are not
>>> reset by the kernel on fork, only on exec, so we do not need to
>>> flush them upon fork/clone.
>>
>> Today i tried out these two patches (I basically updated the procattr.c
>> in Fedoras' libselinux myself because It took them too long) However, this seems to not
>> fix the systemd-nspawn issue for me (at least not by itself). I do not know whether that is due to
>> libselinux or to systemd-nspawn, but the error message is still exactly
>> the same.
> 
> Can you provide a reproducer, along with information on what version of
> Fedora, systemd, etc you are using?

For me, the example from the systemd-nspawn man page of:

# chcon system_u:object_r:svirt_sandbox_file_t:s0:c0,c1 -R /srv/container
# systemd-nspawn -L system_u:object_r:svirt_sandbox_file_t:s0:c0,c1 -Z
system_u:system_r:svirt_lxc_net_t:s0:c0,c1 -D /srv/container /bin/sh

On F22: succeeded (no change required to libselinux),

On F23: failed with
setexeccon("system_u:system_r:svirt_lxc_net_t:s0:c0,c1") failed: No such
file or directory
with libselinux-2.4-1.fc23

But if I install upstream SELinux userspace, ala
# cd selinux
# make LIBDIR=/usr/lib64 SHLIBDIR=/lib64 install install-pywrap relabel

It then succeeds:
# systemd-nspawn -L system_u:object_r:svirt_sandbox_file_t:s0:c0,c1 -Z
system_u:system_r:svirt_lxc_net_t:s0:c0,c1 -D /srv/container /bin/sh
Spawning container container on /srv/container.
Press ^] three times within 1s to kill container.
sh-4.3#

>From outside the container:
# ps -eZ | grep svirt
system_u:system_r:svirt_lxc_net_t:s0:c0,c1 11950 pts/3 00:00:00 sh

So it appears to fix the problem there.

Re: [PATCH] libselinux: simplify procattr cache

[Dominick Grift]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

On Mon, Aug 31, 2015 at 09:49:54AM -0400, Stephen Smalley wrote:
> On 08/31/2015 09:25 AM, Stephen Smalley wrote:
<snip>

> 
> For me, the example from the systemd-nspawn man page of:
> 
> # chcon system_u:object_r:svirt_sandbox_file_t:s0:c0,c1 -R /srv/container
> # systemd-nspawn -L system_u:object_r:svirt_sandbox_file_t:s0:c0,c1 -Z
> system_u:system_r:svirt_lxc_net_t:s0:c0,c1 -D /srv/container /bin/sh
> 
> On F22: succeeded (no change required to libselinux),
> 
> On F23: failed with
> setexeccon("system_u:system_r:svirt_lxc_net_t:s0:c0,c1") failed: No such
> file or directory
> with libselinux-2.4-1.fc23
> 
> But if I install upstream SELinux userspace, ala
> # cd selinux
> # make LIBDIR=/usr/lib64 SHLIBDIR=/lib64 install install-pywrap relabel
> 
> It then succeeds:
> # systemd-nspawn -L system_u:object_r:svirt_sandbox_file_t:s0:c0,c1 -Z
> system_u:system_r:svirt_lxc_net_t:s0:c0,c1 -D /srv/container /bin/sh
> Spawning container container on /srv/container.
> Press ^] three times within 1s to kill container.
> sh-4.3#
> 
> From outside the container:
> # ps -eZ | grep svirt
> system_u:system_r:svirt_lxc_net_t:s0:c0,c1 11950 pts/3 00:00:00 sh
> 
> So it appears to fix the problem there.

Okay, thanks. I think it is better for me to just wait for an updated
libselinux package in Fedora Rawhide (please Fedora give us rawhide
users something recent to work with).

I basically just "synced" the procattr.c file provided by
upstream libselinux HEAD with fedora's latest libselinux in Rawhide.

Using the remainder of SELinux user space as is provided by
Fedora, and using systemd v225. Maybe the functionality depends somehow
on changes elsewhere in SELinux user space instead of just procattr.c

Aug 31 16:23:34 d30 systemd-nspawn[23531]:
setexeccon("sys.id:sys.role:sd_nspawn_container.subj:s0") failed:
Invalid argument

Maybe i made a mistake somewhere else.

You have tested it and confirmed that it works so I trust that it is
fixed.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2

iQGcBAEBCgAGBQJV5GOUAAoJENAR6kfG5xmcWTcL/RF4+0cd2y4tsJ1NOLFPcSk+
ozR1lOJa99PB9X/VAblW10znPdBgyG2DWcIUX5qCqd5QgrRP4TGuVD2XDoEVQieL
vL/Xy281i7fk171hk/Y4KlIhker2EbZeni1uK5zWUaRe+QIsqcU04HaLSv2vNZmt
1O+PQjoS6CEyZdZe6Y3ruPtst9cdp6z/pyD6UsKOadgQJMa3bqMJBHfNrpTALL27
VFHOGU7xNXa3acEBfHpGf6t831qmeWX5buVjdKUu09NunRz+Kg7mC8p/qtUOc+69
ysPZY53zLWe+Zho5NyjD9hNOC04Izq7ZibMaOpet/5zSNaeB2yCpe78rRdhT0WQ3
gubGXVwZ6AA9VjMTchW7/ZinCnzixChAASyJvrVUXhcPlpREYrWR+Wh7n8KX/bgJ
e/QmD60ynRcXcJz1+wLehW0kPdiTY1nHewM4S13q/R3r1J3/XVFhQcsjkwxANW00
rd7JF8/q5/HeNy5kU+9MK46uKC7fR3RVByh+o9VkUA==
=UNg+
-----END PGP SIGNATURE-----

Re: [PATCH] libselinux: simplify procattr cache

[Dominick Grift]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

On Mon, Aug 31, 2015 at 09:49:54AM -0400, Stephen Smalley wrote:
> On 08/31/2015 09:25 AM, Stephen Smalley wrote:
> > On 08/29/2015 01:02 PM, Dominick Grift wrote:
> >> On Mon, Jul 20, 2015 at 01:11:06PM -0400, Stephen Smalley wrote:
> >>> https://github.com/systemd/systemd/issues/475 identified a problem
> >>> in libselinux with using getpid(3) rather than getpid(2) due to direct
> >>> use of the clone() system call by systemd.  We could change libselinux
> >>> to use getpid(2) instead, but this would impose a getpid(2) system call
> >>> overhead on each get*con() or set*con() call.  Rather than do this,
> >>> we can instead simplify the procattr cache and get rid of the
> >>> caching of the pid and tid entirely, along with the atfork handler.
> >>> With commit 3430519109c0423a49b9350aa8444beec798d5a7 ("use
> >>> /proc/thread-self when available"), we only need the tid when
> >>> on Linux < 3.17, so we can just always call gettid() in that case (as
> >>> done prior to the procattr cache) and drop the cached tid. The cached
> >>> pid and atfork handlers were only needed to reset the cached tid, so
> >>> those can also be dropped. The rest of the cached attributes are not
> >>> reset by the kernel on fork, only on exec, so we do not need to
> >>> flush them upon fork/clone.
> >>
> >> Today i tried out these two patches (I basically updated the procattr.c
> >> in Fedoras' libselinux myself because It took them too long) However, this seems to not
> >> fix the systemd-nspawn issue for me (at least not by itself). I do not know whether that is due to
> >> libselinux or to systemd-nspawn, but the error message is still exactly
> >> the same.
> > 
> > Can you provide a reproducer, along with information on what version of
> > Fedora, systemd, etc you are using?
> 
> For me, the example from the systemd-nspawn man page of:
> 
> # chcon system_u:object_r:svirt_sandbox_file_t:s0:c0,c1 -R /srv/container
> # systemd-nspawn -L system_u:object_r:svirt_sandbox_file_t:s0:c0,c1 -Z
> system_u:system_r:svirt_lxc_net_t:s0:c0,c1 -D /srv/container /bin/sh
> 
> On F22: succeeded (no change required to libselinux),
> 
> On F23: failed with
> setexeccon("system_u:system_r:svirt_lxc_net_t:s0:c0,c1") failed: No such
> file or directory
> with libselinux-2.4-1.fc23
> 
> But if I install upstream SELinux userspace, ala
> # cd selinux
> # make LIBDIR=/usr/lib64 SHLIBDIR=/lib64 install install-pywrap relabel
> 
> It then succeeds:
> # systemd-nspawn -L system_u:object_r:svirt_sandbox_file_t:s0:c0,c1 -Z
> system_u:system_r:svirt_lxc_net_t:s0:c0,c1 -D /srv/container /bin/sh
> Spawning container container on /srv/container.
> Press ^] three times within 1s to kill container.
> sh-4.3#
> 
> From outside the container:
> # ps -eZ | grep svirt
> system_u:system_r:svirt_lxc_net_t:s0:c0,c1 11950 pts/3 00:00:00 sh
> 
> So it appears to fix the problem there.

Yes sorry. It does work. I forgot to allow sys.role access to
sd_nspawn_container.subj and i did not see journald logging any
selinux_err for it... did a seinfo -xrsys.role | grep
sd_nspawn_container.subj and noticed it did not turn up.

unfortunate chain of events where this bug appeared in the same time
with me porting to a v2 policy.

So yes confirmed fixed

> 
> 
> 
> 
> 
> 
> 
> 
> 

- -- 
02DFF788
4D30 903A 1CF3 B756 FB48  1514 3148 83A2 02DF F788
http://keys.gnupg.net/pks/lookup?op=vindex&search=0x314883A202DFF788
Dominick Grift
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2

iQGcBAEBCgAGBQJV5G2OAAoJENAR6kfG5xmcDPIMAKjmRuIJRKtq+SlaTt5dT13n
chy9Wy50dj3jE8aG1d7NxakV+hsLw9H/hHWdfz13FfIjaeUt9tZDtlZSs3jJKJSn
ME2OVycLSYeZaG/8XipK2M7dTZyaqoMVF5wAZMT/YUgJQlUXQudF2AMSOgU1AGmW
qMA7pEa41+x1SupZOsXt1AF/CeQWcYqZeLERTYMtWLq739dfpruyxJ3ko2p5SSrX
qgrxJj4mgtzBQj/Zocb5TO8kBK1zq1f+FD106eYmIKQDyKQlyEoqi14wDVee0Kiu
EPu5IuVtda2ZGz9AdZKym3wUk0Ae/SxUxQky9MZrX7wM7/2C1Q4cNqEPjEsidnnm
4FBAmgiMCwrQyulCKCILbuzNOfJVWLPYvdmMsTrbrqdzsyutbm5Avdl7jfJlk73F
+Ia5DEA0RMIJcJu7CioRoFvd7X01rfBy2CGFKHCwtOAj2vidtXnx5xIW51HFIxp7
ar6KKPHfh6OTMqH9YxeuMnQ1/bQu1imQ+UrtGO7HwA==
=5viY
-----END PGP SIGNATURE-----