selinux: convert cond_list to array · tjh.dev/kernel@60abd31

Linux kernel mirror (for testing) git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git

kernel os linux

selinux: convert cond_list to array

Since it is fixed-size after allocation and we know the size beforehand,
using a plain old array is simpler and more efficient.

While there, also fix signedness of some related variables/parameters.

Signed-off-by: Ondrej Mosnacek <omosnace@redhat.com>
Signed-off-by: Paul Moore <paul@paul-moore.com>

authored by

Ondrej Mosnacek and committed by

Paul Moore 6 years ago 60abd318 8d269a8e

+43 -59

7 changed files

expand all

security

selinux

include

conditional.h

selinuxfs.c

conditional.c

conditional.h

policydb.c

policydb.h

services.c

+3 -5

security/selinux/include/conditional.h

··· 14 14 #include "security.h" 15 15 16 16 int security_get_bools(struct selinux_state *state, 17 - int *len, char ***names, int **values); 17 + u32 *len, char ***names, int **values); 18 18 19 - int security_set_bools(struct selinux_state *state, 20 - int len, int *values); 19 + int security_set_bools(struct selinux_state *state, u32 len, int *values); 21 20 22 - int security_get_bool_value(struct selinux_state *state, 23 - int index); 21 + int security_get_bool_value(struct selinux_state *state, u32 index); 24 22 25 23 #endif

+2 -2

security/selinux/selinuxfs.c

··· 1335 1335 1336 1336 static int sel_make_bools(struct selinux_fs_info *fsi) 1337 1337 { 1338 - int i, ret; 1338 + int ret; 1339 1339 ssize_t len; 1340 1340 struct dentry *dentry = NULL; 1341 1341 struct dentry *dir = fsi->bool_dir; 1342 1342 struct inode *inode = NULL; 1343 1343 struct inode_security_struct *isec; 1344 1344 char **names = NULL, *page; 1345 - int num; 1345 + u32 i, num; 1346 1346 int *values = NULL; 1347 1347 u32 sid; 1348 1348

+20 -34

security/selinux/ss/conditional.c

··· 119 119 120 120 p->bool_val_to_struct = NULL; 121 121 p->cond_list = NULL; 122 + p->cond_list_len = 0; 122 123 123 124 rc = avtab_init(&p->te_cond_avtab); 124 125 if (rc) ··· 148 147 } 149 148 cond_av_list_destroy(node->true_list); 150 149 cond_av_list_destroy(node->false_list); 151 - kfree(node); 152 150 } 153 151 154 - static void cond_list_destroy(struct cond_node *list) 152 + static void cond_list_destroy(struct policydb *p) 155 153 { 156 - struct cond_node *next, *cur; 154 + u32 i; 157 155 158 - if (list == NULL) 159 - return; 160 - 161 - for (cur = list; cur; cur = next) { 162 - next = cur->next; 163 - cond_node_destroy(cur); 164 - } 156 + for (i = 0; i < p->cond_list_len; i++) 157 + cond_node_destroy(&p->cond_list[i]); 158 + kfree(p->cond_list); 165 159 } 166 160 167 161 void cond_policydb_destroy(struct policydb *p) 168 162 { 169 163 kfree(p->bool_val_to_struct); 170 164 avtab_destroy(&p->te_cond_avtab); 171 - cond_list_destroy(p->cond_list); 165 + cond_list_destroy(p); 172 166 } 173 167 174 168 int cond_init_bool_indexes(struct policydb *p) ··· 443 447 444 448 int cond_read_list(struct policydb *p, void *fp) 445 449 { 446 - struct cond_node *node, *last = NULL; 447 450 __le32 buf[1]; 448 451 u32 i, len; 449 452 int rc; ··· 453 458 454 459 len = le32_to_cpu(buf[0]); 455 460 461 + p->cond_list = kcalloc(len, sizeof(*p->cond_list), GFP_KERNEL); 462 + if (!p->cond_list) 463 + return rc; 464 + 456 465 rc = avtab_alloc(&(p->te_cond_avtab), p->te_avtab.nel); 457 466 if (rc) 458 467 goto err; 459 468 460 - for (i = 0; i < len; i++) { 461 - rc = -ENOMEM; 462 - node = kzalloc(sizeof(*node), GFP_KERNEL); 463 - if (!node) 464 - goto err; 469 + p->cond_list_len = len; 465 470 466 - rc = cond_read_node(p, node, fp); 471 + for (i = 0; i < len; i++) { 472 + rc = cond_read_node(p, &p->cond_list[i], fp); 467 473 if (rc) 468 474 goto err; 469 - 470 - if (i == 0) 471 - p->cond_list = node; 472 - else 473 - last->next = node; 474 - last = node; 475 475 } 476 476 return 0; 477 477 err: 478 - cond_list_destroy(p->cond_list); 478 + cond_list_destroy(p); 479 479 p->cond_list = NULL; 480 480 return rc; 481 481 } ··· 575 585 return 0; 576 586 } 577 587 578 - int cond_write_list(struct policydb *p, struct cond_node *list, void *fp) 588 + int cond_write_list(struct policydb *p, void *fp) 579 589 { 580 - struct cond_node *cur; 581 - u32 len; 590 + u32 i; 582 591 __le32 buf[1]; 583 592 int rc; 584 593 585 - len = 0; 586 - for (cur = list; cur != NULL; cur = cur->next) 587 - len++; 588 - buf[0] = cpu_to_le32(len); 594 + buf[0] = cpu_to_le32(p->cond_list_len); 589 595 rc = put_entry(buf, sizeof(u32), 1, fp); 590 596 if (rc) 591 597 return rc; 592 598 593 - for (cur = list; cur != NULL; cur = cur->next) { 594 - rc = cond_write_node(p, cur, fp); 599 + for (i = 0; i < p->cond_list_len; i++) { 600 + rc = cond_write_node(p, &p->cond_list[i], fp); 595 601 if (rc) 596 602 return rc; 597 603 }

+1 -2

security/selinux/ss/conditional.h

··· 55 55 struct cond_expr *expr; 56 56 struct cond_av_list *true_list; 57 57 struct cond_av_list *false_list; 58 - struct cond_node *next; 59 58 }; 60 59 61 60 int cond_policydb_init(struct policydb *p); ··· 68 69 int cond_read_bool(struct policydb *p, struct hashtab *h, void *fp); 69 70 int cond_read_list(struct policydb *p, void *fp); 70 71 int cond_write_bool(void *key, void *datum, void *ptr); 71 - int cond_write_list(struct policydb *p, struct cond_node *list, void *fp); 72 + int cond_write_list(struct policydb *p, void *fp); 72 73 73 74 void cond_compute_av(struct avtab *ctab, struct avtab_key *key, 74 75 struct av_decision *avd, struct extended_perms *xperms);

+1 -1

security/selinux/ss/policydb.c

··· 3483 3483 if (rc) 3484 3484 return rc; 3485 3485 3486 - rc = cond_write_list(p, p->cond_list, fp); 3486 + rc = cond_write_list(p, fp); 3487 3487 if (rc) 3488 3488 return rc; 3489 3489

+2 -1

security/selinux/ss/policydb.h

··· 272 272 struct cond_bool_datum **bool_val_to_struct; 273 273 /* type enforcement conditional access vectors and transitions */ 274 274 struct avtab te_cond_avtab; 275 - /* linked list indexing te_cond_avtab by conditional */ 275 + /* array indexing te_cond_avtab by conditional */ 276 276 struct cond_node *cond_list; 277 + u32 cond_list_len; 277 278 278 279 /* role allows */ 279 280 struct role_allow *role_allow;

+14 -14

security/selinux/ss/services.c

··· 2867 2867 } 2868 2868 2869 2869 int security_get_bools(struct selinux_state *state, 2870 - int *len, char ***names, int **values) 2870 + u32 *len, char ***names, int **values) 2871 2871 { 2872 2872 struct policydb *policydb; 2873 - int i, rc; 2873 + u32 i; 2874 + int rc; 2874 2875 2875 2876 if (!selinux_initialized(state)) { 2876 2877 *len = 0; ··· 2925 2924 } 2926 2925 2927 2926 2928 - int security_set_bools(struct selinux_state *state, int len, int *values) 2927 + int security_set_bools(struct selinux_state *state, u32 len, int *values) 2929 2928 { 2930 2929 struct policydb *policydb; 2931 - int i, rc; 2932 - int lenp, seqno = 0; 2933 - struct cond_node *cur; 2930 + int rc; 2931 + u32 i, lenp, seqno = 0; 2934 2932 2935 2933 write_lock_irq(&state->ss->policy_rwlock); 2936 2934 ··· 2957 2957 policydb->bool_val_to_struct[i]->state = 0; 2958 2958 } 2959 2959 2960 - for (cur = policydb->cond_list; cur; cur = cur->next) 2961 - evaluate_cond_node(policydb, cur); 2960 + for (i = 0; i < policydb->cond_list_len; i++) 2961 + evaluate_cond_node(policydb, &policydb->cond_list[i]); 2962 2962 2963 2963 seqno = ++state->ss->latest_granting; 2964 2964 rc = 0; ··· 2974 2974 } 2975 2975 2976 2976 int security_get_bool_value(struct selinux_state *state, 2977 - int index) 2977 + u32 index) 2978 2978 { 2979 2979 struct policydb *policydb; 2980 2980 int rc; 2981 - int len; 2981 + u32 len; 2982 2982 2983 2983 read_lock(&state->ss->policy_rwlock); 2984 2984 ··· 2998 2998 static int security_preserve_bools(struct selinux_state *state, 2999 2999 struct policydb *policydb) 3000 3000 { 3001 - int rc, nbools = 0, *bvalues = NULL, i; 3001 + int rc, *bvalues = NULL; 3002 3002 char **bnames = NULL; 3003 3003 struct cond_bool_datum *booldatum; 3004 - struct cond_node *cur; 3004 + u32 i, nbools = 0; 3005 3005 3006 3006 rc = security_get_bools(state, &nbools, &bnames, &bvalues); 3007 3007 if (rc) ··· 3011 3011 if (booldatum) 3012 3012 booldatum->state = bvalues[i]; 3013 3013 } 3014 - for (cur = policydb->cond_list; cur; cur = cur->next) 3015 - evaluate_cond_node(policydb, cur); 3014 + for (i = 0; i < policydb->cond_list_len; i++) 3015 + evaluate_cond_node(policydb, &policydb->cond_list[i]); 3016 3016 3017 3017 out: 3018 3018 if (bnames) {