From: Darrel Goeddel <dgoeddel@TrustedCS.com>
To: SELinux List <selinux@tycho.nsa.gov>
Cc: Stephen Smalley <sds@tycho.nsa.gov>,
Joshua Brindle <jbrindle@tresys.com>,
Karl MacMillan <kmacmillan@mentalrootkit.com>,
Linda Knippers <linda.knippers@hp.com>,
Daniel Walsh <dwalsh@redhat.com>
Subject: [PATCH] libselinux: always store raw contexts in the avc sidtab
Date: Thu, 05 Oct 2006 12:08:44 -0500
Message-ID: <45253C1C.7010803@trustedcs.com>
Always store raw contexts in the avc sidtab. This is accomplished by
providing functions to deal with raw contexts when converting contexts
to sids and vice versa. security_compute_av is also switched to the raw
version because the contexts will now all be raw. When a raw context is
being converted to a sid, there will be no overhead. When a translated context
is converted, there will be a translation to raw for storage. The conversion
back from sid to context via avc_sid_to_context() will translate the context,
while avc_sid_to_context_raw() will not. These functions make it easy to
optimize some code paths by removing translations for contexts that will never
be presented to the user.
Signed-off-by: Darrel Goeddel <dgoeddel@trustedcs.com>
___
Note that I will be posting some patches for comment that make use of these
new functions in RedHat's context translation daemon.
include/selinux/avc.h | 2 ++
src/avc.c | 39 +++++++++++++++++++++++++++++++++++----
2 files changed, 37 insertions(+), 4 deletions(-)
diff -ruNp --exclude=.svn selinux-base/libselinux/include/selinux/avc.h selinux/libselinux/include/selinux/avc.h
--- selinux-base/libselinux/include/selinux/avc.h 2006-10-03 05:08:16.000000000 -0500
+++ selinux/libselinux/include/selinux/avc.h 2006-10-05 03:25:59.000000000 -0500
@@ -38,6 +38,7 @@ extern "C" {
* available to make the copy, or %EINVAL if the input SID is invalid.
*/
int avc_sid_to_context(security_id_t sid, security_context_t * ctx);
+ int avc_sid_to_context_raw(security_id_t sid, security_context_t * ctx);
/**
* avc_context_to_sid - get SID for context.
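Review bot: the new avc_sid_to_context_raw prototype has no documentation block; the comment ending in "or %EINVAL if the input SID is invalid." above it describes only avc_sid_to_context, so a header reader cannot tell that the _raw variant hands back the stored (untranslated) context and skips context translation. Add a short comment of the same "/** ... */" form for avc_sid_to_context_raw, or extend the existing one to state that avc_sid_to_context returns a translated copy while avc_sid_to_context_raw returns the raw one, and that both must be freed by the caller.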
@@ -51,6 +52,7 @@ extern "C" {
* returning %0 on success or -%1 on error with @errno set.
*/
int avc_context_to_sid(security_context_t ctx, security_id_t * sid);
+ int avc_context_to_sid_raw(security_context_t ctx, security_id_t * sid);
/**
* sidget - increment SID reference counter.
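Review bot: same documentation gap for avc_context_to_sid_raw; the existing comment ("returning %0 on success or -%1 on error with @errno set") now also covers a new failure mode for avc_context_to_sid, since it can fail when the context cannot be translated to raw form. Document that avc_context_to_sid accepts a translated or raw context and may fail on translation, and that avc_context_to_sid_raw expects a raw context and never translates.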
diff -ruNp --exclude=.svn selinux-base/libselinux/src/avc.c selinux/libselinux/src/avc.c
--- selinux-base/libselinux/src/avc.c 2006-10-03 05:08:17.000000000 -0500
+++ selinux/libselinux/src/avc.c 2006-10-05 03:25:58.000000000 -0500
@@ -203,7 +203,7 @@ static inline int avc_hash(security_id_t
& (AVC_CACHE_SLOTS - 1);
}
-int avc_context_to_sid(security_context_t ctx, security_id_t * sid)
+int avc_context_to_sid_raw(security_context_t ctx, security_id_t * sid)
{
int rc;
avc_get_lock(avc_lock);
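Review bot: renaming the existing avc_context_to_sid body to avc_context_to_sid_raw changes the semantics seen by any caller inside libselinux that still invokes it by the old name after this patch; those callers get the translation wrapper added in the next hunk, which is the intended behaviour for user-supplied contexts, but it is worth confirming with a grep that no internal caller passes a context that is already raw on a hot path, since each such call will now pay a translate-and-copy round trip that the _raw entry point avoids.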
@@ -214,7 +214,22 @@ int avc_context_to_sid(security_context_
return rc;
}
-int avc_sid_to_context(security_id_t sid, security_context_t * ctx)
+int avc_context_to_sid(security_context_t ctx, security_id_t * sid)
+{
+ int ret;
+ security_context_t rctx;
+
+ if (selinux_trans_to_raw_context(ctx, &rctx))
+ return -1;
+
+ ret = avc_context_to_sid_raw(rctx, sid);
+
+ freecon(rctx);
+
+ return ret;
+}
+
+int avc_sid_to_context_raw(security_id_t sid, security_context_t * ctx)
{
int rc;
*ctx = NULL;
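Review bot: in the new avc_context_to_sid wrapper, rctx is released with freecon(rctx) immediately after avc_context_to_sid_raw(rctx, sid) returns, so this is only correct if the sidtab insert copies the context string rather than keeping the pointer it was handed; that is not visible in this hunk and should be confirmed (or stated in a comment above the freecon). Separately, when selinux_trans_to_raw_context(ctx, &rctx) fails the function returns -1 without touching *sid, which matches the raw path, but callers should be told in the header comment that errno comes from the translation layer in that case.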
@@ -230,6 +245,21 @@ int avc_sid_to_context(security_id_t sid
return rc;
}
+int avc_sid_to_context(security_id_t sid, security_context_t * ctx)
+{
+ int ret;
+ security_context_t rctx;
+
+ ret = avc_sid_to_context_raw(sid, &rctx);
+
+ if (ret == 0) {
+ ret = selinux_raw_to_trans_context(rctx, ctx);
+ freecon(rctx);
+ }
+
+ return ret;
+}
+
int sidget(security_id_t sid)
{
int rc;
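Review bot: the new avc_sid_to_context wrapper never initializes *ctx on the failure path. The raw function it replaces sets "*ctx = NULL;" on entry (visible in the hunk above), so callers that relied on *ctx being NULL after an error now see whatever was in the variable before the call, and a caller that does "if (ctx) freecon(ctx)" would free garbage. Add "*ctx = NULL;" at the top of avc_sid_to_context before calling avc_sid_to_context_raw(sid, &rctx), and note that selinux_raw_to_trans_context is expected to leave *ctx untouched or NULL when it returns non-zero.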
@@ -935,8 +965,9 @@ int avc_has_perm_noaudit(security_id_t s
rc = -1;
goto out;
}
- rc = security_compute_av(ssid->ctx, tsid->ctx, tclass,
- requested, &entry.avd);
+ rc = security_compute_av_raw(ssid->ctx, tsid->ctx,
+ tclass, requested,
+ &entry.avd);
if (rc)
goto out;
rc = avc_insert(ssid, tsid, tclass, &entry, aeref);
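Review bot: switching to security_compute_av_raw(ssid->ctx, tsid->ctx, ...) is only safe if every context that ever lands in the sidtab is raw, which this patch guarantees solely by routing avc_context_to_sid through selinux_trans_to_raw_context; any other insertion path into the table (now or later) would feed a translated context to the raw kernel interface and produce a wrong or failed access decision. A one-line comment above this call recording that invariant ("sidtab contexts are always raw; see avc_context_to_sid") would protect it. The re-wrapping of the argument list onto three lines is unrelated churn; keeping the original layout and changing only the function name makes the diff easier to review.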
2006-10-05 17:08 Darrel Goeddel [this message]
2006-10-05 19:07 ` [PATCH] libselinux: always store raw contexts in the avc sidtab Joshua Brindle
2006-10-06 0:18 ` Joshua Brindle