* [PATCH v2 0/1] libsepol/cil: create role/user caches for context validation
@ 2016-10-03 11:44 Gary Tierney
  2016-10-03 11:44 ` [PATCH v2 1/1] libsepol/cil: create user and role caches when building binary policy Gary Tierney
  0 siblings, 1 reply; 3+ messages in thread
From: Gary Tierney @ 2016-10-03 11:44 UTC (permalink / raw)
  To: selinux

This patch sets up the role/user caches used in context_is_valid() when a cildb
is compiled to a binary policy.  Previously, it seems like these would only be
available when a binary policy had been loaded from file as opposed to rebuilt
from source.

Gary Tierney (1):
  libsepol/cil: create user and role caches when building binary policy

 libsepol/cil/src/cil_binary.c              | 13 +++++++++++++
 libsepol/include/sepol/policydb/policydb.h |  8 ++++++++
 2 files changed, 21 insertions(+)

-- 
2.4.11


* [PATCH v2 1/1] libsepol/cil: create user and role caches when building binary policy
  2016-10-03 11:44 [PATCH v2 0/1] libsepol/cil: create role/user caches for context validation Gary Tierney
@ 2016-10-03 11:44 ` Gary Tierney
  2016-10-03 19:11   ` James Carter
  0 siblings, 1 reply; 3+ messages in thread
From: Gary Tierney @ 2016-10-03 11:44 UTC (permalink / raw)
  To: selinux

Pre-expands the role and user caches used in context validation when
converting a cildb to a binary policydb.  This is currently only done
when loading a binary policy and prevents context validation from
working correctly with a newly built policy (i.e., when semanage builds
a new policy and then runs genhomedircon).

Also adds declarations for the hashtable mapping functions used:
policydb_role_cache() and policydb_user_cache().

Signed-off-by: Gary Tierney <gary.tierney@gmx.com>
---
 libsepol/cil/src/cil_binary.c              | 13 +++++++++++++
 libsepol/include/sepol/policydb/policydb.h |  8 ++++++++
 2 files changed, 21 insertions(+)

diff --git a/libsepol/cil/src/cil_binary.c b/libsepol/cil/src/cil_binary.c
index cc73648..5402272 100644
--- a/libsepol/cil/src/cil_binary.c
+++ b/libsepol/cil/src/cil_binary.c
@@ -4794,6 +4794,19 @@ int cil_binary_create_allocated_pdb(const struct cil_db *db, sepol_policydb_t *p
 
 	}
 
+	/* This pre-expands the roles and users for context validity checking */
+	if (hashtab_map(pdb->p_roles.table, policydb_role_cache, pdb)) {
+		cil_log(CIL_INFO, "Failure creating roles cache");
+		rc = SEPOL_ERR;
+		goto exit;
+    }
+
+	if (hashtab_map(pdb->p_users.table, policydb_user_cache, pdb)) {
+		cil_log(CIL_INFO, "Failure creating users cache");
+		rc = SEPOL_ERR;
+		goto exit;
+	}
+
 	rc = SEPOL_OK;
 
 exit:
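
Review bot: both new failure branches log at CIL_INFO even though they set rc = SEPOL_ERR and abort the build, so the only explanation of the failure can be filtered out at the default verbosity while the caller sees a bare error; CIL_ERR is the better level for "Failure creating roles cache" and "Failure creating users cache". The closing brace of the first if block is also indented with four spaces where every other added line uses tabs, which should be fixed before merging.
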
diff --git a/libsepol/include/sepol/policydb/policydb.h b/libsepol/include/sepol/policydb/policydb.h
index 26cec13..d99fcf4 100644
--- a/libsepol/include/sepol/policydb/policydb.h
+++ b/libsepol/include/sepol/policydb/policydb.h
@@ -608,6 +608,14 @@ extern int policydb_index_bools(policydb_t * p);
 extern int policydb_index_others(sepol_handle_t * handle, policydb_t * p,
 				 unsigned int verbose);
 
+extern int policydb_role_cache(hashtab_key_t key,
+			       hashtab_datum_t datum,
+			       void *arg);
+
+extern int policydb_user_cache(hashtab_key_t key,
+			       hashtab_datum_t datum,
+			       void *arg);
+
 extern int policydb_reindex_users(policydb_t * p);
 
 extern void policydb_destroy(policydb_t * p);
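
Review bot: the prototypes for policydb_role_cache() and policydb_user_cache() are added to a public header with no comment, and the signature alone does not say that they are hashtab_map() callbacks or that "void *arg" must be the policydb_t * being processed (the call sites in cil_binary.c pass pdb). A short comment above the pair, for example "/* hashtab_map() callbacks; arg must be the policydb_t * whose caches are built */", would keep other callers from passing the wrong pointer type through the untyped argument.
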
-- 
2.4.11


* Re: [PATCH v2 1/1] libsepol/cil: create user and role caches when building binary policy
  2016-10-03 11:44 ` [PATCH v2 1/1] libsepol/cil: create user and role caches when building binary policy Gary Tierney
@ 2016-10-03 19:11   ` James Carter
  0 siblings, 0 replies; 3+ messages in thread
From: James Carter @ 2016-10-03 19:11 UTC (permalink / raw)
  To: Gary Tierney, selinux

On 10/03/2016 07:44 AM, Gary Tierney wrote:
> Pre-expands the role and user caches used in context validation when
> converting a cildb to a binary policydb.  This is currently only done
> when loading a binary policy and prevents context validation from
> working correctly with a newly built policy (i.e., when semanage builds
> a new policy and then runs genhomedircon).
>
> Also adds declarations for the hashtable mapping functions used:
> policydb_role_cache() and policydb_user_cache().
>
> Signed-off-by: Gary Tierney <gary.tierney@gmx.com>

Applied.

Thanks,
Jim

> ---
>  libsepol/cil/src/cil_binary.c              | 13 +++++++++++++
>  libsepol/include/sepol/policydb/policydb.h |  8 ++++++++
>  2 files changed, 21 insertions(+)
>
> diff --git a/libsepol/cil/src/cil_binary.c b/libsepol/cil/src/cil_binary.c
> index cc73648..5402272 100644
> --- a/libsepol/cil/src/cil_binary.c
> +++ b/libsepol/cil/src/cil_binary.c
> @@ -4794,6 +4794,19 @@ int cil_binary_create_allocated_pdb(const struct cil_db *db, sepol_policydb_t *p
>
>  	}
>
> +	/* This pre-expands the roles and users for context validity checking */
> +	if (hashtab_map(pdb->p_roles.table, policydb_role_cache, pdb)) {
> +		cil_log(CIL_INFO, "Failure creating roles cache");
> +		rc = SEPOL_ERR;
> +		goto exit;
> +    }
> +
> +	if (hashtab_map(pdb->p_users.table, policydb_user_cache, pdb)) {
> +		cil_log(CIL_INFO, "Failure creating users cache");
> +		rc = SEPOL_ERR;
> +		goto exit;
> +	}
> +
>  	rc = SEPOL_OK;
>
>  exit:
> diff --git a/libsepol/include/sepol/policydb/policydb.h b/libsepol/include/sepol/policydb/policydb.h
> index 26cec13..d99fcf4 100644
> --- a/libsepol/include/sepol/policydb/policydb.h
> +++ b/libsepol/include/sepol/policydb/policydb.h
> @@ -608,6 +608,14 @@ extern int policydb_index_bools(policydb_t * p);
>  extern int policydb_index_others(sepol_handle_t * handle, policydb_t * p,
>  				 unsigned int verbose);
>
> +extern int policydb_role_cache(hashtab_key_t key,
> +			       hashtab_datum_t datum,
> +			       void *arg);
> +
> +extern int policydb_user_cache(hashtab_key_t key,
> +			       hashtab_datum_t datum,
> +			       void *arg);
> +
>  extern int policydb_reindex_users(policydb_t * p);
>
>  extern void policydb_destroy(policydb_t * p);
>


-- 
James Carter <jwcart2@tycho.nsa.gov>
National Security Agency
