* [PATCH] libselinux: always store raw contexts in the avc sidtab
@ 2006-10-05 17:08 Darrel Goeddel
  2006-10-05 19:07 ` Joshua Brindle
  2006-10-06  0:18 ` Joshua Brindle
  0 siblings, 2 replies; 3+ messages in thread
From: Darrel Goeddel @ 2006-10-05 17:08 UTC (permalink / raw)
  To: SELinux List
  Cc: Stephen Smalley, Joshua Brindle, Karl MacMillan, Linda Knippers,
	Daniel Walsh

Always store raw contexts in the avc sidtab.  This is accomplished by
providing functions to deal with raw contexts when converting contexts
to sids and vice versa.  The security_compute_av is also switched to the raw
version because the contexts will now all be raw.  When the raw context is
being converted to a sid, there will be no overhead.  When a translated context
is converted, there will be a translation to raw for storage.  The conversion
back from sid to context via avc_context_to_sid() will translate the context,
while avc_context_to_sid_raw() will not.  These functions make it easy to
optimize some code paths by removing translations for contexts that will never
be presented to the user.

Signed-off-by: Darrel Goeddel <dgoeddel@trustedcs.com>

___

Note that I will be posting some patches for comment that make use of these
new functions in RedHat's context translation daemon.

 include/selinux/avc.h |    2 ++
 src/avc.c             |   39 +++++++++++++++++++++++++++++++++++----
 2 files changed, 37 insertions(+), 4 deletions(-)


diff -ruNp --exclude=.svn selinux-base/libselinux/include/selinux/avc.h selinux/libselinux/include/selinux/avc.h
--- selinux-base/libselinux/include/selinux/avc.h	2006-10-03 05:08:16.000000000 -0500
+++ selinux/libselinux/include/selinux/avc.h	2006-10-05 03:25:59.000000000 -0500
@@ -38,6 +38,7 @@ extern "C" {
  * available to make the copy, or %EINVAL if the input SID is invalid.
  */
 	int avc_sid_to_context(security_id_t sid, security_context_t * ctx);
+	int avc_sid_to_context_raw(security_id_t sid, security_context_t * ctx);
 
 /**
  * avc_context_to_sid - get SID for context.
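Review bot: the new avc_sid_to_context_raw declaration lands directly under the doc block for avc_sid_to_context, which now only describes the translating variant. Add a sentence to that comment (or a separate block) stating that the _raw form returns the context exactly as stored in the sidtab, without the raw-to-translated conversion, and that the caller still owns the copy and frees it with freecon(), as the wrapper in avc.c does.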
@@ -51,6 +52,7 @@ extern "C" {
  * returning %0 on success or -%1 on error with @errno set.  
  */
 	int avc_context_to_sid(security_context_t ctx, security_id_t * sid);
+	int avc_context_to_sid_raw(security_context_t ctx, security_id_t * sid);
 
 /**
  * sidget - increment SID reference counter.
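Review bot: the comment above avc_context_to_sid still reads as if the function hands its argument straight to the sidtab; after this patch it accepts a translated context and converts it to raw first, while avc_context_to_sid_raw expects raw input and does no conversion. Spell out that contract here, since callers that already hold a raw string and keep using the translating entry point will pay a translation on every call, and note that the "-1 on error with errno set" promise now also covers a failed translation.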
diff -ruNp --exclude=.svn selinux-base/libselinux/src/avc.c selinux/libselinux/src/avc.c
--- selinux-base/libselinux/src/avc.c	2006-10-03 05:08:17.000000000 -0500
+++ selinux/libselinux/src/avc.c	2006-10-05 03:25:58.000000000 -0500
@@ -203,7 +203,7 @@ static inline int avc_hash(security_id_t
 	    & (AVC_CACHE_SLOTS - 1);
 }
 
-int avc_context_to_sid(security_context_t ctx, security_id_t * sid)
+int avc_context_to_sid_raw(security_context_t ctx, security_id_t * sid)
 {
 	int rc;
 	avc_get_lock(avc_lock);
@@ -214,7 +214,22 @@ int avc_context_to_sid(security_context_
 	return rc;
 }
 
-int avc_sid_to_context(security_id_t sid, security_context_t * ctx)
+int avc_context_to_sid(security_context_t ctx, security_id_t * sid)
+{
+	int ret;
+	security_context_t rctx;
+
+	if (selinux_trans_to_raw_context(ctx, &rctx))
+		return -1;
+
+	ret = avc_context_to_sid_raw(rctx, sid);
+
+	freecon(rctx);
+
+	return ret;
+}
+
+int avc_sid_to_context_raw(security_id_t sid, security_context_t * ctx)
 {
 	int rc;
 	*ctx = NULL;
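Review bot: in the new avc_context_to_sid, the `if (selinux_trans_to_raw_context(ctx, &rctx)) return -1;` path leaves rctx unfreed, which is only correct if the translation routine guarantees it allocates nothing on failure; a one-line comment saying so would save the next reader the check. It is also worth a comment that avc_context_to_sid_raw copies rctx into the sidtab, so the `freecon(rctx)` right after it is safe, and that the translation happens before avc_get_lock(avc_lock) is taken inside the raw function, so a slow translation never holds the cache lock.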
@@ -230,6 +245,21 @@ int avc_sid_to_context(security_id_t sid
 	return rc;
 }
 
+int avc_sid_to_context(security_id_t sid, security_context_t * ctx)
+{
+	int ret;
+	security_context_t rctx;
+
+	ret = avc_sid_to_context_raw(sid, &rctx);
+
+	if (ret == 0) {
+		ret = selinux_raw_to_trans_context(rctx, ctx);
+		freecon(rctx);
+	}
+
+	return ret;
+}
+
 int sidget(security_id_t sid)
 {
 	int rc;
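Review bot: avc_sid_to_context_raw sets `*ctx = NULL;` before doing anything, but the new translating avc_sid_to_context only writes *ctx via selinux_raw_to_trans_context on the success path; when the raw lookup fails it is rctx, not the caller's *ctx, that receives the NULL, so *ctx is left untouched. Callers that relied on the old behaviour of finding *ctx == NULL after a failure will now read whatever was there before. Add `*ctx = NULL;` at the top of the wrapper, or call out the change in the header comment.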
@@ -935,8 +965,9 @@ int avc_has_perm_noaudit(security_id_t s
 				rc = -1;
 				goto out;
 			}
-			rc = security_compute_av(ssid->ctx, tsid->ctx, tclass,
-						 requested, &entry.avd);
+			rc = security_compute_av_raw(ssid->ctx, tsid->ctx,
+						     tclass, requested,
+						     &entry.avd);
 			if (rc)
 				goto out;
 			rc = avc_insert(ssid, tsid, tclass, &entry, aeref);
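Review bot: switching to security_compute_av_raw here is the right companion to storing raw contexts in the sidtab, but it is the only consumer of ssid->ctx / tsid->ctx that the patch touches. Any other place in avc.c that hands those strings to a user-visible path (the audit or log callbacks on a denial, for instance) will now emit raw rather than translated contexts; either that is intended everywhere, or those paths need avc_sid_to_context()-style translation on output. A sentence in the commit message saying which would settle it.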

--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.
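An added, self-contained C model of the design the patch describes (example code written for this page, not libselinux code): a toy sidtab that stores only raw contexts, a constructed level-translation table standing in for the translation service, and translating wrappers layered over raw entry points the same way avc_context_to_sid() wraps avc_context_to_sid_raw() in the patch. The toy_* names, the level_map pairs, SIDTAB_MAX and the sample contexts are all assumptions of this example. It shows the property the patch relies on: the translated and raw spellings of one context resolve to the same SID, and the entry behind that SID is raw whichever spelling created it.

```c
#define _POSIX_C_SOURCE 200809L /* for strdup() */
#include <errno.h>
#include <stdlib.h>
#include <string.h>
/* Toy sidtab (assumed for this example): index is SID-1, every entry is RAW. */
#define SIDTAB_MAX 16
static char *sidtab[SIDTAB_MAX];
static unsigned int sidtab_count;

/* Constructed stand-in for the translation service: only the trailing level
 * field is rewritten, and these two pairs are made up for the example. */
static const struct { const char *raw; const char *trans; } level_map[] = {
	{ "s0",          "SystemLow"  },
	{ "s0:c0.c1023", "SystemHigh" },
};

/* Copy ctx to *out with the level (text after the third ':') translated in the
 * requested direction; unknown levels pass through. Returns 0, or -1 + errno. */
static int map_level(const char *ctx, int to_raw, char **out)
{
	const char *p = ctx, *level;
	size_t prefix, k;
	for (int i = 0; i < 3; i++) {		/* skip user:role:type: */
		if (!(p = strchr(p, ':'))) { errno = EINVAL; return -1; }
		p++;
	}
	prefix = (size_t)(p - ctx);
	level = p;
	for (k = 0; k < sizeof level_map / sizeof level_map[0]; k++) {
		const char *from = to_raw ? level_map[k].trans : level_map[k].raw;
		if (strcmp(level, from) == 0) {
			level = to_raw ? level_map[k].raw : level_map[k].trans;
			break;
		}
	}
	if (!(*out = malloc(prefix + strlen(level) + 1)))
		return -1;
	memcpy(*out, ctx, prefix);
	strcpy(*out + prefix, level);
	return 0;
}
/* Raw entry point: no translation, just lookup-or-insert of a private copy. */
int toy_context_to_sid_raw(const char *rctx, unsigned int *sid)
{
	unsigned int i;
	for (i = 0; i < sidtab_count; i++)
		if (strcmp(sidtab[i], rctx) == 0) { *sid = i + 1; return 0; }
	if (sidtab_count == SIDTAB_MAX) { errno = ENOMEM; return -1; }
	if (!(sidtab[sidtab_count] = strdup(rctx)))
		return -1;
	*sid = ++sidtab_count;
	return 0;
}
/* Translating entry point, shaped like the patch's avc_context_to_sid():
 * translate to raw first, reuse the raw path, free the temporary copy. */
int toy_context_to_sid(const char *ctx, unsigned int *sid)
{
	char *rctx; int ret;
	if (map_level(ctx, 1, &rctx))
		return -1;
	ret = toy_context_to_sid_raw(rctx, sid);
	free(rctx);			/* the table holds its own strdup()'d copy */
	return ret;
}

int toy_sid_to_context_raw(unsigned int sid, char **ctx)
{
	*ctx = NULL;
	if (sid == 0 || sid > sidtab_count) { errno = EINVAL; return -1; }
	return (*ctx = strdup(sidtab[sid - 1])) ? 0 : -1;
}

/* Translating read-out; *ctx is cleared first so failure never leaves it stale. */
int toy_sid_to_context(unsigned int sid, char **ctx)
{
	char *rctx; int ret = toy_sid_to_context_raw(sid, &rctx);
	*ctx = NULL;
	if (ret == 0) {
		ret = map_level(rctx, 0, ctx);
		free(rctx);
	}
	return ret;
}

/* Demo: both spellings of one context share a SID and the stored entry is raw. */
int toy_demo(void)
{
	unsigned int a, b;
	char *raw = NULL, *trans = NULL;
	int ok = toy_context_to_sid("system_u:system_r:init_t:SystemLow", &a) == 0 &&
		 toy_context_to_sid_raw("system_u:system_r:init_t:s0", &b) == 0 &&
		 a == b && toy_sid_to_context_raw(a, &raw) == 0 &&
		 strcmp(raw, "system_u:system_r:init_t:s0") == 0 &&
		 toy_sid_to_context(a, &trans) == 0 &&
		 strcmp(trans, "system_u:system_r:init_t:SystemLow") == 0;
	free(raw); free(trans);
	return ok ? 0 : -1;
}
```

Call toy_demo() from a main() of your own; it returns 0 when the translated lookup, the raw lookup and both read-outs agree. The translating read-out clears *ctx before the raw call so that a failed lookup never leaves the caller with a stale pointer, the one behaviour the patch's own avc_sid_to_context wrapper does not preserve from its raw counterpart.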


* Re: [PATCH] libselinux: always store raw contexts in the avc sidtab
  2006-10-05 17:08 [PATCH] libselinux: always store raw contexts in the avc sidtab Darrel Goeddel
@ 2006-10-05 19:07 ` Joshua Brindle
  2006-10-06  0:18 ` Joshua Brindle
  1 sibling, 0 replies; 3+ messages in thread
From: Joshua Brindle @ 2006-10-05 19:07 UTC (permalink / raw)
  To: Darrel Goeddel
  Cc: SELinux List, Stephen Smalley, Joshua Brindle, Karl MacMillan,
	Linda Knippers, Daniel Walsh

Darrel Goeddel wrote:
> Always store raw contexts in the avc sidtab.  This is accomplished by
> providing functions to deal with raw contexts when converting contexts
> to sids and vice versa.  The security_compute_av is also switched to the
> raw version because the contexts will now all be raw.  When the raw
> context is being converted to a sid, there will be no overhead.  When a
> translated context is converted, there will be a translation to raw for
> storage.  The conversion back from sid to context via
> avc_context_to_sid() will translate the context, while
> avc_context_to_sid_raw() will not.  These functions make it easy to
> optimize some code paths by removing translations for contexts that
> will never be presented to the user.
>
> Signed-off-by: Darrel Goeddel <dgoeddel@trustedcs.com>
>
> ___
>
> Note that I will be posting some patches for comment that make use of
> these new functions in RedHat's context translation daemon.
>
> include/selinux/avc.h |    2 ++
> src/avc.c             |   39 +++++++++++++++++++++++++++++++++++----
> 2 files changed, 37 insertions(+), 4 deletions(-)
>
>
> diff -ruNp --exclude=.svn 
> selinux-base/libselinux/include/selinux/avc.h 
> selinux/libselinux/include/selinux/avc.h
> --- selinux-base/libselinux/include/selinux/avc.h    2006-10-03 
> 05:08:16.000000000 -0500
> +++ selinux/libselinux/include/selinux/avc.h    2006-10-05 
> 03:25:59.000000000 -0500
> @@ -38,6 +38,7 @@ extern "C" {
>  * available to make the copy, or %EINVAL if the input SID is invalid.
>  */
>     int avc_sid_to_context(security_id_t sid, security_context_t * ctx);
> +    int avc_sid_to_context_raw(security_id_t sid, security_context_t 
> * ctx);
>
> /**
>  * avc_context_to_sid - get SID for context.
> @@ -51,6 +52,7 @@ extern "C" {
>  * returning %0 on success or -%1 on error with @errno set.   */
>     int avc_context_to_sid(security_context_t ctx, security_id_t * sid);
> +    int avc_context_to_sid_raw(security_context_t ctx, security_id_t 
> * sid);
>
> /**
>  * sidget - increment SID reference counter.
> diff -ruNp --exclude=.svn selinux-base/libselinux/src/avc.c 
> selinux/libselinux/src/avc.c
> --- selinux-base/libselinux/src/avc.c    2006-10-03 05:08:17.000000000 
> -0500
> +++ selinux/libselinux/src/avc.c    2006-10-05 03:25:58.000000000 -0500
> @@ -203,7 +203,7 @@ static inline int avc_hash(security_id_t
>         & (AVC_CACHE_SLOTS - 1);
> }
>
> -int avc_context_to_sid(security_context_t ctx, security_id_t * sid)
> +int avc_context_to_sid_raw(security_context_t ctx, security_id_t * sid)
> {
>     int rc;
>     avc_get_lock(avc_lock);
> @@ -214,7 +214,22 @@ int avc_context_to_sid(security_context_
>     return rc;
> }
>
> -int avc_sid_to_context(security_id_t sid, security_context_t * ctx)
> +int avc_context_to_sid(security_context_t ctx, security_id_t * sid)
> +{
> +    int ret;
> +    security_context_t rctx;
> +
> +    if (selinux_trans_to_raw_context(ctx, &rctx))
> +        return -1;
> +
> +    ret = avc_context_to_sid_raw(rctx, sid);
> +
> +    freecon(rctx);
> +
> +    return ret;
> +}
> +
> +int avc_sid_to_context_raw(security_id_t sid, security_context_t * ctx)
> {
>     int rc;
>     *ctx = NULL;
> @@ -230,6 +245,21 @@ int avc_sid_to_context(security_id_t sid
>     return rc;
> }
>
> +int avc_sid_to_context(security_id_t sid, security_context_t * ctx)
> +{
> +    int ret;
> +    security_context_t rctx;
> +
> +    ret = avc_sid_to_context_raw(sid, &rctx);
> +
> +    if (ret == 0) {
> +        ret = selinux_raw_to_trans_context(rctx, ctx);
> +        freecon(rctx);
> +    }
> +
> +    return ret;
> +}
> +
> int sidget(security_id_t sid)
> {
>     int rc;
> @@ -935,8 +965,9 @@ int avc_has_perm_noaudit(security_id_t s
>                 rc = -1;
>                 goto out;
>             }
> -            rc = security_compute_av(ssid->ctx, tsid->ctx, tclass,
> -                         requested, &entry.avd);
> +            rc = security_compute_av_raw(ssid->ctx, tsid->ctx,
> +                             tclass, requested,
> +                             &entry.avd);
>             if (rc)
>                 goto out;
>             rc = avc_insert(ssid, tsid, tclass, &entry, aeref);
Acked-By: Joshua Brindle <jbrindle@tresys.com>



* Re: [PATCH] libselinux: always store raw contexts in the avc sidtab
  2006-10-05 17:08 [PATCH] libselinux: always store raw contexts in the avc sidtab Darrel Goeddel
  2006-10-05 19:07 ` Joshua Brindle
@ 2006-10-06  0:18 ` Joshua Brindle
  1 sibling, 0 replies; 3+ messages in thread
From: Joshua Brindle @ 2006-10-06  0:18 UTC (permalink / raw)
  To: Darrel Goeddel
  Cc: SELinux List, Stephen Smalley, Karl MacMillan, Linda Knippers,
	Daniel Walsh

Darrel Goeddel wrote:
> Always store raw contexts in the avc sidtab.  This is accomplished by
> providing functions to deal with raw contexts when converting contexts
> to sids and vice versa.  The security_compute_av is also switched to the raw
> version because the contexts will now all be raw.  When the raw context is
> being converted to a sid, there will be no overhead.  When a translated
> context is converted, there will be a translation to raw for storage.  The
> conversion back from sid to context via avc_context_to_sid() will translate
> the context, while avc_context_to_sid_raw() will not.  These functions make
> it easy to optimize some code paths by removing translations for contexts
> that will never be presented to the user.
> 
> Signed-off-by: Darrel Goeddel <dgoeddel@trustedcs.com>
> 

Thanks, merged as of libselinux 1.30.30

