* [PATCH 0/1] libsepol/cil: create role/user caches for context validation
@ 2016-10-03 10:46 Gary Tierney
2016-10-03 10:46 ` [PATCH 1/1] libsepol/cil: create user and role caches when building binary policy Gary Tierney
0 siblings, 1 reply; 3+ messages in thread
From: Gary Tierney @ 2016-10-03 10:46 UTC (permalink / raw)
To: selinux
This patch sets up the role/user caches used in context_is_valid() when a cildb
is compiled to a binary policy. Previously, it seems like these would only be
available when a binary policy had been loaded from file as opposed to rebuilt
from source.
Gary Tierney (1):
libsepol/cil: create user and role caches when building binary policy
libsepol/cil/src/cil_binary.c | 7 +++++++
libsepol/include/sepol/policydb/policydb.h | 8 ++++++++
2 files changed, 15 insertions(+)
--
2.4.11
* [PATCH 1/1] libsepol/cil: create user and role caches when building binary policy
2016-10-03 10:46 [PATCH 0/1] libsepol/cil: create role/user caches for context validation Gary Tierney
@ 2016-10-03 10:46 ` Gary Tierney
2016-10-03 11:06 ` Gary Tierney
0 siblings, 1 reply; 3+ messages in thread
From: Gary Tierney @ 2016-10-03 10:46 UTC (permalink / raw)
To: selinux
Pre-expands the role and user caches used in context validation when
converting a cildb to a binary policydb. This is currently only done
when loading a binary policy and prevents context validation from
working correctly with a newly built policy (i.e., when semanage builds
a new policy and then runs genhomedircon).
Also adds declarations for the hashtable mapping functions used:
policydb_role_cache and policydb_user_cache().
Signed-off-by: Gary Tierney <gary.tierney@gmx.com>
---
libsepol/cil/src/cil_binary.c | 7 +++++++
libsepol/include/sepol/policydb/policydb.h | 8 ++++++++
2 files changed, 15 insertions(+)
diff --git a/libsepol/cil/src/cil_binary.c b/libsepol/cil/src/cil_binary.c
index cc73648..200101e 100644
--- a/libsepol/cil/src/cil_binary.c
+++ b/libsepol/cil/src/cil_binary.c
@@ -4794,6 +4794,13 @@ int cil_binary_create_allocated_pdb(const struct cil_db *db, sepol_policydb_t *p
}
+ /* This pre-expands the roles and users for context validity checking */
+ if (hashtab_map(pdb->p_roles.table, policydb_role_cache, pdb))
+ return -1;
+
+ if (hashtab_map(pdb->p_users.table, policydb_user_cache, pdb))
+ return -1;
+
rc = SEPOL_OK;
exit:
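Review bot: both added `return -1` statements on the hashtab_map() failure paths leave the function without passing through the `exit:` label that follows `rc = SEPOL_OK;` in the context lines, so anything the function does at `exit:` is skipped when cache creation fails. Set `rc` to the error value and use `goto exit` on both paths, so these failures take the same exit path as the code around them. The added comment could also say that a failure here is treated as fatal for the whole policy build, since that is what the early exit implies.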
diff --git a/libsepol/include/sepol/policydb/policydb.h b/libsepol/include/sepol/policydb/policydb.h
index 26cec13..d99fcf4 100644
--- a/libsepol/include/sepol/policydb/policydb.h
+++ b/libsepol/include/sepol/policydb/policydb.h
@@ -608,6 +608,14 @@ extern int policydb_index_bools(policydb_t * p);
extern int policydb_index_others(sepol_handle_t * handle, policydb_t * p,
unsigned int verbose);
+extern int policydb_role_cache(hashtab_key_t key,
+ hashtab_datum_t datum,
+ void *arg);
+
+extern int policydb_user_cache(hashtab_key_t key,
+ hashtab_datum_t datum,
+ void *arg);
+
extern int policydb_reindex_users(policydb_t * p);
extern void policydb_destroy(policydb_t * p);
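Review bot: the new policydb_role_cache() and policydb_user_cache() declarations have no comment, and their `void *arg` parameter gives a reader of this header no hint of what object the callbacks expect. Add a short comment above them stating that they are meant to be passed to hashtab_map() and what `arg` must point to (the caller in cil_binary.c passes `pdb`), so another user of the header does not hand them the wrong pointer.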
--
2.4.11
* Re: [PATCH 1/1] libsepol/cil: create user and role caches when building binary policy
2016-10-03 10:46 ` [PATCH 1/1] libsepol/cil: create user and role caches when building binary policy Gary Tierney
@ 2016-10-03 11:06 ` Gary Tierney
0 siblings, 0 replies; 3+ messages in thread
From: Gary Tierney @ 2016-10-03 11:06 UTC (permalink / raw)
To: selinux
On Mon, Oct 03, 2016 at 11:46:19AM +0100, Gary Tierney wrote:
> Pre-expands the role and user caches used in context validation when
> converting a cildb to a binary policydb. This is currently only done
> when loading a binary policy and prevents context validation from
> working correctly with a newly built policy (i.e., when semanage builds
> a new policy and then runs genhomedircon).
>
> Also adds declarations for the hashtable mapping functions used:
> policydb_role_cache and policydb_user_cache().
>
> Signed-off-by: Gary Tierney <gary.tierney@gmx.com>
> ---
> libsepol/cil/src/cil_binary.c | 7 +++++++
> libsepol/include/sepol/policydb/policydb.h | 8 ++++++++
> 2 files changed, 15 insertions(+)
>
> diff --git a/libsepol/cil/src/cil_binary.c b/libsepol/cil/src/cil_binary.c
> index cc73648..200101e 100644
> --- a/libsepol/cil/src/cil_binary.c
> +++ b/libsepol/cil/src/cil_binary.c
> @@ -4794,6 +4794,13 @@ int cil_binary_create_allocated_pdb(const struct cil_db *db, sepol_policydb_t *p
>
> }
>
> + /* This pre-expands the roles and users for context validity checking */
> + if (hashtab_map(pdb->p_roles.table, policydb_role_cache, pdb))
> + return -1;
> +
> + if (hashtab_map(pdb->p_users.table, policydb_user_cache, pdb))
> + return -1;
> +
> rc = SEPOL_OK;
>
> exit:
> diff --git a/libsepol/include/sepol/policydb/policydb.h b/libsepol/include/sepol/policydb/policydb.h
> index 26cec13..d99fcf4 100644
> --- a/libsepol/include/sepol/policydb/policydb.h
> +++ b/libsepol/include/sepol/policydb/policydb.h
> @@ -608,6 +608,14 @@ extern int policydb_index_bools(policydb_t * p);
> extern int policydb_index_others(sepol_handle_t * handle, policydb_t * p,
> unsigned int verbose);
>
> +extern int policydb_role_cache(hashtab_key_t key,
> + hashtab_datum_t datum,
> + void *arg);
> +
> +extern int policydb_user_cache(hashtab_key_t key,
> + hashtab_datum_t datum,
> + void *arg);
> +
> extern int policydb_reindex_users(policydb_t * p);
>
> extern void policydb_destroy(policydb_t * p);
> --
> 2.4.11
>
Ah, that return should be a goto. Sending a v2.
--
Gary Tierney
GPG fingerprint: 412C 0EF9 C305 68E6 B660 BDAF 706E D765 85AA 79D8
https://sks-keyservers.net/pks/lookup?op=get&search=0x706ED76585AA79D8