From: Steve Lawrence <slawrence@tresys.com>
To: James Carter <jwcart2@tycho.nsa.gov>, <selinux@tycho.nsa.gov>
Subject: Re: [PATCH 2/3 v3] libsepol: add function to generate CIL from a module policydb
Date: Wed, 1 Apr 2015 08:13:54 -0400
Message-ID: <551BE102.30300@tresys.com>
In-Reply-To: <551AF895.1040100@tycho.nsa.gov>

On 03/31/2015 03:42 PM, James Carter wrote:
> On 03/31/2015 03:26 PM, Steve Lawrence wrote:
>> On 03/31/2015 01:18 PM, James Carter wrote:
>>> Add a new function, sepol_module_policydb_to_cil, that generates
>>> CIL from a module (not kernel) policydb. Refactor
>>> sepol_module_package_to_cil() to use the new function.
>>>
>>> Signed-off-by: James Carter <jwcart2@tycho.nsa.gov>
>>> ---
>>> libsepol/include/sepol/module_to_cil.h | 2 +
>>> libsepol/src/module_to_cil.c | 367
>>> ++++++++++++++++++++++-----------
>>> 2 files changed, 254 insertions(+), 115 deletions(-)
>>>
>>> diff --git a/libsepol/include/sepol/module_to_cil.h
>>> b/libsepol/include/sepol/module_to_cil.h
>>> index 1d0225c..18bb3bf 100644
>>> --- a/libsepol/include/sepol/module_to_cil.h
>>> +++ b/libsepol/include/sepol/module_to_cil.h
>>> @@ -1,6 +1,8 @@
>>> #include <stdlib.h>
>>>
>>> #include <sepol/module.h>
>>> +#include <sepol/policydb/policydb.h>
>>>
>>> +int sepol_module_policydb_to_cil(FILE *fp, struct policydb *pdb, int
>>> linked);
>>> int sepol_module_package_to_cil(FILE *fp, struct
>>> sepol_module_package *mod_pkg);
>>> int sepol_ppfile_to_module_package(FILE *fp, struct
>>> sepol_module_package **mod_pkg);
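
Review bot: the new sepol_module_policydb_to_cil() prototype leaves its "int linked" argument undocumented; nothing in the header says which values are valid or what a caller selects by passing zero or nonzero. A one-line comment above the declaration covering that parameter and the return convention would help callers outside this file. Separately, the prototypes use FILE * while the includes visible in this hunk are <stdlib.h>, <sepol/module.h> and <sepol/policydb/policydb.h>, so the header depends on one of those pulling in <stdio.h>; including <stdio.h> directly would make it self-contained.
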
>>
>> One potential issue with these functions is that they aren't thread safe
>> due to the use of globals with role_list and typealias_lists. When pp
>> was a single binary this wasn't a big deal (and greatly simplified the
>> code), but now that it's part of libsepol it could potentially cause
>> issues. Not sure if it's worth the complexity to change it so either
>> they aren't global variables, or make them thread local variables.
>> Alternatively, we could just document the functions as not thread safe.
>
> I was initially going to remove the globals but I wasn't sure if they
> were a problem and I wanted to minimize the changes to the code to make
> review easier.
>
> I am willing to convert them. Should I do that as a part of this patch set?
> Jim
>
>
I don't think it needs to be done as part of this patchset. The only
things using these functions are checkpolicy and pp, which aren't
threaded, so there's no potential for problems at the moment.
- Steve
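
The shared-state hazard discussed in this thread, as an added example that is not part of the original message and is not libsepol code: interleaved calls stand in for two threads, and role_list, role_add, roles_emit and the convert_a_* functions are hypothetical names.

```c
#include <stdio.h>
#include <string.h>
#define MAX_ROLES 8

/* Per-conversion state; the names are hypothetical, not libsepol's. */
struct role_list { const char *names[MAX_ROLES]; int count; };
static struct role_list g_roles; /* file scope: shared by every caller */

static void role_add(struct role_list *rl, const char *name)
{
    if (rl->count < MAX_ROLES) rl->names[rl->count++] = name;
}

/* Write the collected roles as CIL-like text into out (len must be > 0). */
static char *roles_emit(const struct role_list *rl, char *out, size_t len)
{
    size_t used = 0;
    out[0] = '\0';
    for (int i = 0; i < rl->count && used < len; i++)
        used += (size_t)snprintf(out + used, len - used, "(role %s)", rl->names[i]);
    return out;
}

/* Conversion A interleaved with B on the global: B's reset corrupts A. */
char *convert_a_shared(char *out, size_t len)
{
    g_roles.count = 0;           /* A starts */
    role_add(&g_roles, "a_r1");
    g_roles.count = 0;           /* B starts, as a second thread could */
    role_add(&g_roles, "b_r1");
    role_add(&g_roles, "a_r2");  /* A resumes */
    return roles_emit(&g_roles, out, len);
}

/* The same interleaving with caller-owned state: A's output is only A's. */
char *convert_a_private(char *out, size_t len)
{
    struct role_list a = { .count = 0 }, b = { .count = 0 };
    role_add(&a, "a_r1");
    role_add(&b, "b_r1");
    role_add(&a, "a_r2");
    return roles_emit(&a, out, len);
}

int main(void)
{
    char s[64], p[64];
    printf("%s\n%s\n", convert_a_shared(s, sizeof s), convert_a_private(p, sizeof p));
    return 0;
}
```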