From: <ew...@us...> - 2008-02-08 18:03:54
Revision: 2800 http://selinux.svn.sourceforge.net/selinux/?rev=2800&view=rev Author: ewalsh Date: 2008-02-08 10:03:06 -0800 (Fri, 08 Feb 2008) Log Message: ----------- Author: Eamon Walsh Email: ew...@ty... Subject: libselinux: avc_compute_member convenience function Date: Thu, 07 Feb 2008 17:42:31 -0500 avc_compute_member function, same as security_compute_member but takes userspace AVC SID's. Includes man page. Signed-off-by: Eamon Walsh <ew...@ty...> Acked-by: Stephen Smalley <sd...@ty...> Modified Paths: -------------- trunk/libselinux/include/selinux/avc.h trunk/libselinux/man/man3/avc_compute_create.3 trunk/libselinux/src/avc.c Added Paths: ----------- trunk/libselinux/man/man3/avc_compute_member.3 Modified: trunk/libselinux/include/selinux/avc.h =================================================================== --- trunk/libselinux/include/selinux/avc.h 2008-02-08 16:18:54 UTC (rev 2799) +++ trunk/libselinux/include/selinux/avc.h 2008-02-08 18:03:06 UTC (rev 2800) 
@@ -322,6 +322,24 @@ security_id_t tsid, security_class_t tclass, security_id_t * newsid); +/** + * avc_compute_member - Compute SID for polyinstantation. + * @ssid: source security identifier + * @tsid: target security identifier + * @tclass: target security class + * @newsid: pointer to SID reference + * + * Call the security server to obtain a context for labeling an + * object instance. Look up the context in the SID table, making + * a new entry if not found. Increment the reference counter + * for the SID. Store a pointer to the SID structure into the + * memory referenced by @newsid, returning %0 on success or -%1 on + * error with @errno set. + */ +int avc_compute_member(security_id_t ssid, + security_id_t tsid, + security_class_t tclass, security_id_t * newsid); + /* * security event callback facility */ Modified: trunk/libselinux/man/man3/avc_compute_create.3 =================================================================== --- trunk/libselinux/man/man3/avc_compute_create.3 2008-02-08 16:18:54 UTC (rev 2799) +++ trunk/libselinux/man/man3/avc_compute_create.3 2008-02-08 18:03:06 UTC (rev 2800) @@ -3,7 +3,7 @@ .\" Author: Eamon Walsh (ew...@ty...) 2007 .TH "avc_compute_create" "3" "30 Mar 2007" "" "SELinux API documentation" .SH "NAME" -avc_compute_create \- obtain SELinux label for new object. +avc_compute_create, avc_compute_member \- obtain SELinux label for new object. .SH "SYNOPSIS" .B #include <selinux/selinux.h> 
@@ -12,15 +12,25 @@ .BI "int avc_compute_create(security_id_t " ssid ", security_id_t " tsid , .in +\w'int avc_compute_create('u .BI "security_class_t " tclass ", security_id_t *" newsid ");" +.sp .in +.BI "int avc_compute_member(security_id_t " ssid ", security_id_t " tsid , +.in +\w'int avc_compute_member('u +.BI "security_class_t " tclass ", security_id_t *" newsid ");" +.in .SH "DESCRIPTION" .B avc_compute_create is used to compute a SID to use for labeling a new object in a particular class based on a SID pair. This call is identical to .BR security_compute_create , but does not require converting from userspace SID's to contexts and back again. -.B avc_compute_create -returns a SID for the computed context in the memory referenced by +.B avc_compute_member +is used to compute a SID to use for labeling a polyinstantiated object instance of a particular class based on a SID pair. This call is identical to +.BR security_compute_member , +but does not require converting from userspace SID's to contexts and back again. + +These functions +return a SID for the computed context in the memory referenced by .IR sid , incrementing its reference count by 1. Added: trunk/libselinux/man/man3/avc_compute_member.3 =================================================================== --- trunk/libselinux/man/man3/avc_compute_member.3 (rev 0) +++ trunk/libselinux/man/man3/avc_compute_member.3 2008-02-08 18:03:06 UTC (rev 2800) @@ -0,0 +1 @@ +.so man3/avc_compute_create.3 Modified: trunk/libselinux/src/avc.c =================================================================== --- trunk/libselinux/src/avc.c 2008-02-08 16:18:54 UTC (rev 2799) +++ trunk/libselinux/src/avc.c 2008-02-08 18:03:06 UTC (rev 2800) 
@@ -906,6 +906,31 @@ return rc; } +int avc_compute_member(security_id_t ssid, security_id_t tsid, + security_class_t tclass, security_id_t *newsid) +{ + int rc; + *newsid = NULL; + avc_get_lock(avc_lock); + if (ssid->refcnt > 0 && tsid->refcnt > 0) { + security_context_t ctx = NULL; + rc = security_compute_member_raw(ssid->ctx, tsid->ctx, tclass, + &ctx); + if (rc) + goto out; + rc = sidtab_context_to_sid(&avc_sidtab, ctx, newsid); + if (!rc) + (*newsid)->refcnt++; + freecon(ctx); + } else { + errno = EINVAL; /* bad reference count */ + rc = -1; + } +out: + avc_release_lock(avc_lock); + return rc; +} + int avc_add_callback(int (*callback) (uint32_t event, security_id_t ssid, security_id_t tsid, security_class_t tclass, This was sent by the SourceForge.net collaborative development platform, the world's largest Open Source development site. |
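Review bot: the kernel-doc comment added to avc.h misspells "polyinstantiation" as "polyinstantation" in its one-line summary; the man page hunk in the same patch spells it correctly, so fix the header to match.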
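Review bot: in the avc_compute_create.3 hunk the DESCRIPTION says the functions return the SID "in the memory referenced by .IR sid", but both SYNOPSIS entries name that parameter newsid; change it to `.IR newsid` so the text matches the signatures. The .TH date also still reads "30 Mar 2007" although the page now documents a second function.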
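Review bot: avc_compute_member in avc.c is a copy of avc_compute_create with security_compute_member_raw substituted; factoring the lock, the refcount check and the sidtab insertion into one static helper that takes the compute function as an argument would keep the two from drifting. The error handling itself is sound: when the raw call fails, ctx is still NULL so jumping past freecon() is correct, and *newsid was cleared before the lock was taken so callers never see a stale pointer on the EINVAL path.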
From: <ssm...@us...> - 2008-02-08 16:18:56
Revision: 2799 http://selinux.svn.sourceforge.net/selinux/?rev=2799&view=rev Author: ssmalley Date: 2008-02-08 08:18:54 -0800 (Fri, 08 Feb 2008) Log Message: ----------- updated policycoreutils to version 2.0.43 Modified Paths: -------------- trunk/policycoreutils/ChangeLog trunk/policycoreutils/VERSION Modified: trunk/policycoreutils/ChangeLog =================================================================== --- trunk/policycoreutils/ChangeLog 2008-02-08 16:14:55 UTC (rev 2798) +++ trunk/policycoreutils/ChangeLog 2008-02-08 16:18:54 UTC (rev 2799) @@ -1,3 +1,6 @@ +2.0.43 2008-02-08 + * Merged fix fixfiles option processing from Vaclav Ovsik. + 2.0.42 2008-02-02 * Make semodule_expand use sepol_set_expand_consume_base to reduce peak memory usage. Modified: trunk/policycoreutils/VERSION =================================================================== --- trunk/policycoreutils/VERSION 2008-02-08 16:14:55 UTC (rev 2798) +++ trunk/policycoreutils/VERSION 2008-02-08 16:18:54 UTC (rev 2799) @@ -1 +1 @@ -2.0.42 +2.0.43 This was sent by the SourceForge.net collaborative development platform, the world's largest Open Source development site. |
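Review bot: the new ChangeLog line "Merged fix fixfiles option processing from Vaclav Ovsik" is missing a word; "Merged fix for fixfiles option processing from Vaclav Ovsik" reads the way the other entries do.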
From: <ssm...@us...> - 2008-02-08 16:14:58
Revision: 2798 http://selinux.svn.sourceforge.net/selinux/?rev=2798&view=rev Author: ssmalley Date: 2008-02-08 08:14:55 -0800 (Fri, 08 Feb 2008) Log Message: ----------- Author: V?\195?\161clav Ovs?\195?\173k Email: vaclav.ovsik@i.cz Subject: fixfiles: broken option processing? Date: Fri, 8 Feb 2008 09:29:22 +0100 On Thu, Feb 07, 2008 at 04:28:03PM -0500, Stephen Smalley wrote: > Hmm..the shifting of arguments was introduced in r2699 from Dan Walsh > (cc'd), diff is below. Also relevant are r2736, r2750 and r2760. > > I'd agree that we don't want to break existing usage, but I'm not sure > what the least intrusive and cleanest fix is. Ok. What about this patch :) The interpreter is changed to /bin/bash. There are bashisms (getopts, PIPESTATUS...), so this can't be interpreted by /bin/sh. Acked-by: Stephen Smalley <sd...@ty...> Modified Paths: -------------- trunk/policycoreutils/scripts/fixfiles Modified: trunk/policycoreutils/scripts/fixfiles =================================================================== --- trunk/policycoreutils/scripts/fixfiles 2008-02-08 16:13:33 UTC (rev 2797) +++ trunk/policycoreutils/scripts/fixfiles 2008-02-08 16:14:55 UTC (rev 2798) @@ -1,4 +1,4 @@ -#!/bin/sh +#!/bin/bash # fixfiles # # Script to restore labels on a SELinux box @@ -201,27 +201,21 @@ case "$i" in f) fullFlag=1 - shift 1 ;; R) RPMFILES=$OPTARG - shift 2 ;; o) OUTFILES=$OPTARG - shift 2 ;; l) LOGFILE=$OPTARG - shift 2 ;; C) PREFC=$OPTARG - shift 2 ;; F) FORCEFLAG="-F" - shift 1 ;; *) usage @@ -229,17 +223,22 @@ esac done +# Move out processed options from arguments +shift $(( OPTIND - 1 )) + # Check for the command command=$1 if [ -z $command ]; then usage fi +# Move out command from arguments +shift + # # check if they specified both DIRS and RPMFILES # -shift 1 if [ ! -z "$RPMFILES" ]; then process $command if [ $# -gt 0 ]; then This was sent by the SourceForge.net collaborative development platform, the world's largest Open Source development site. |
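Review bot: the `if [ -z $command ]` test kept as context below the new `shift $(( OPTIND - 1 ))` is unquoted; with an empty $command it degenerates to the one-argument form `[ -z ]`, which happens to succeed, but a value containing whitespace or starting with `-` breaks the test. Quote it as `if [ -z "$command" ]`. Dropping the per-option shifts and shifting once by OPTIND-1 after the getopts loop is the right fix, since getopts already consumes OPTARG and the manual `shift 2` was discarding arguments.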
From: <ssm...@us...> - 2008-02-08 16:13:45
Revision: 2797 http://selinux.svn.sourceforge.net/selinux/?rev=2797&view=rev Author: ssmalley Date: 2008-02-08 08:13:33 -0800 (Fri, 08 Feb 2008) Log Message: ----------- updated libselinux to version 2.0.54 Modified Paths: -------------- trunk/libselinux/ChangeLog trunk/libselinux/VERSION Modified: trunk/libselinux/ChangeLog =================================================================== --- trunk/libselinux/ChangeLog 2008-02-08 16:12:29 UTC (rev 2796) +++ trunk/libselinux/ChangeLog 2008-02-08 16:13:33 UTC (rev 2797) @@ -1,3 +1,6 @@ +2.0.54 2008-02-08 + * Provide more error reporting on load policy failures from Stephen Smalley. + 2.0.53 2008-02-07 * Merged new X label "poly_prop" namespace from Eamon Walsh. Modified: trunk/libselinux/VERSION =================================================================== --- trunk/libselinux/VERSION 2008-02-08 16:12:29 UTC (rev 2796) +++ trunk/libselinux/VERSION 2008-02-08 16:13:33 UTC (rev 2797) @@ -1 +1 @@ -2.0.53 +2.0.54 This was sent by the SourceForge.net collaborative development platform, the world's largest Open Source development site. |
From: <ssm...@us...> - 2008-02-08 16:13:43
Revision: 2796 http://selinux.svn.sourceforge.net/selinux/?rev=2796&view=rev Author: ssmalley Date: 2008-02-08 08:12:29 -0800 (Fri, 08 Feb 2008) Log Message: ----------- Author: Stephen Smalley Email: sd...@ty... Subject: libselinux: provide more error reporting on load policy failures Date: Thu, 07 Feb 2008 14:31:06 -0500 Provide more error reporting on load policy failures. John Reiser has previously encountered failures where it would have helped to see the policy file, and David Quigley recently noted that no output is provided by init in the case where policy cannot be loaded and the system is in permissive mode. Signed-off-by: Stephen Smalley <sd...@ty...> Acked-by: Joshua Brindle <me...@ma...> Modified Paths: -------------- trunk/libselinux/src/load_policy.c Modified: trunk/libselinux/src/load_policy.c =================================================================== --- trunk/libselinux/src/load_policy.c 2008-02-07 22:07:27 UTC (rev 2795) +++ trunk/libselinux/src/load_policy.c 2008-02-08 16:12:29 UTC (rev 2796) @@ -46,7 +46,7 @@ int selinux_mkload_policy(int preservebools) { int kernvers = security_policyvers(); - int vers = kernvers, minvers = DEFAULT_POLICY_VERSION; + int maxvers = kernvers, minvers = DEFAULT_POLICY_VERSION, vers; int setlocaldefs = load_setlocaldefs; char path[PATH_MAX], **names; struct stat sb; @@ -128,7 +128,7 @@ #endif if (usesepol) { - vers = vers_max(); + maxvers = vers_max(); minvers = vers_min(); } @@ -157,6 +157,7 @@ if (preservebools && uname(&uts) == 0 && strverscmp(uts.release, "2.6.22") >= 0) preservebools = 0; + vers = maxvers; search: snprintf(path, sizeof(path), "%s.%d", selinux_binary_policy_path(), vers); 
@@ -168,11 +169,19 @@ selinux_binary_policy_path(), vers); fd = open(path, O_RDONLY); } - if (fd < 0) + if (fd < 0) { + fprintf(stderr, + "SELinux: Could not open policy file <= %s.%d: %s\n", + selinux_binary_policy_path(), maxvers, strerror(errno)); goto dlclose; + } - if (fstat(fd, &sb) < 0) + if (fstat(fd, &sb) < 0) { + fprintf(stderr, + "SELinux: Could not stat policy file %s: %s\n", + path, strerror(errno)); goto close; + } prot = PROT_READ; if (setlocaldefs || preservebools) @@ -180,8 +189,12 @@ size = sb.st_size; data = map = mmap(NULL, size, prot, MAP_PRIVATE, fd, 0); - if (map == MAP_FAILED) + if (map == MAP_FAILED) { + fprintf(stderr, + "SELinux: Could not map policy file %s: %s\n", + path, strerror(errno)); goto close; + } if (vers > kernvers && usesepol) { /* Need to downgrade to kernel-supported version. */ @@ -200,6 +213,9 @@ if (policydb_set_vers(policydb, kernvers) || policydb_to_image(NULL, policydb, &data, &size)) { /* Downgrade failed, keep searching. */ + fprintf(stderr, + "SELinux: Could not downgrade policy file %s, searching for an older version.\n", + path); policy_file_free(pf); policydb_free(policydb); munmap(map, sb.st_size); @@ -254,6 +270,11 @@ rc = security_load_policy(data, size); + + if (rc) + fprintf(stderr, + "SELinux: Could not load policy file %s: %s\n", + path, strerror(errno)); unmap: if (data != map) This was sent by the SourceForge.net collaborative development platform, the world's largest Open Source development site. |
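Review bot: the new diagnostics write straight to stderr with fprintf, while the rest of libselinux routes messages through selinux_log() (label_x.c in this same series uses selinux_log(SELINUX_WARNING, ...)); using selinux_log here lets a caller such as init capture or silence them through its registered callback instead of losing them when stderr is not a console. In the open-failure message, printing maxvers is right, since every version down to minvers has already been tried by the time that branch is reached.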
From: <ew...@us...> - 2008-02-07 23:00:06
Revision: 2795 http://selinux.svn.sourceforge.net/selinux/?rev=2795&view=rev Author: ewalsh Date: 2008-02-07 14:07:27 -0800 (Thu, 07 Feb 2008) Log Message: ----------- updated libselinux to version 2.0.53 Modified Paths: -------------- trunk/libselinux/ChangeLog trunk/libselinux/VERSION Modified: trunk/libselinux/ChangeLog =================================================================== --- trunk/libselinux/ChangeLog 2008-02-07 22:06:37 UTC (rev 2794) +++ trunk/libselinux/ChangeLog 2008-02-07 22:07:27 UTC (rev 2795) @@ -1,3 +1,6 @@ +2.0.53 2008-02-07 + * Merged new X label "poly_prop" namespace from Eamon Walsh. + 2.0.52 2008-02-06 * Disable setlocaldefs if no local boolean or users files are present from Stephen Smalley. Modified: trunk/libselinux/VERSION =================================================================== --- trunk/libselinux/VERSION 2008-02-07 22:06:37 UTC (rev 2794) +++ trunk/libselinux/VERSION 2008-02-07 22:07:27 UTC (rev 2795) @@ -1 +1 @@ -2.0.52 +2.0.53 This was sent by the SourceForge.net collaborative development platform, the world's largest Open Source development site. |
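Review bot: the ChangeLog entry calls the new X label namespace "poly_prop", but the keyword the label_x.c backend actually recognises in r2794 is "poly_property" (constant SELABEL_X_POLYPROP); use the real keyword in the ChangeLog so anyone grepping for it finds the right spelling.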
From: <ew...@us...> - 2008-02-07 22:08:59
Revision: 2794 http://selinux.svn.sourceforge.net/selinux/?rev=2794&view=rev Author: ewalsh Date: 2008-02-07 14:06:37 -0800 (Thu, 07 Feb 2008) Log Message: ----------- Author: Eamon Walsh Email: ew...@ty... Subject: libselinux: add "poly_property" type to X contexts backend Date: Tue, 05 Feb 2008 16:30:46 -0500 This patch adds a poly_property type to the X contexts backend, so that the X Flask module can be informed which properties to polyinstantiate. Signed-off-by: Eamon Walsh <ew...@ty...> Acked-by: Stephen Smalley <sd...@ty...> Modified Paths: -------------- trunk/libselinux/include/selinux/label.h trunk/libselinux/src/label_x.c Modified: trunk/libselinux/include/selinux/label.h =================================================================== --- trunk/libselinux/include/selinux/label.h 2008-02-06 18:57:45 UTC (rev 2793) +++ trunk/libselinux/include/selinux/label.h 2008-02-07 22:06:37 UTC (rev 2794) @@ -113,6 +113,7 @@ #define SELABEL_X_CLIENT 3 #define SELABEL_X_EVENT 4 #define SELABEL_X_SELN 5 +#define SELABEL_X_POLYPROP 6 #ifdef __cplusplus Modified: trunk/libselinux/src/label_x.c =================================================================== --- trunk/libselinux/src/label_x.c 2008-02-06 18:57:45 UTC (rev 2793) +++ trunk/libselinux/src/label_x.c 2008-02-07 22:06:37 UTC (rev 2794) @@ -69,6 +69,8 @@ data->spec_arr[data->nspec].type = SELABEL_X_EVENT; else if (!strcmp(type, "selection")) data->spec_arr[data->nspec].type = SELABEL_X_SELN; + else if (!strcmp(type, "poly_property")) + data->spec_arr[data->nspec].type = SELABEL_X_POLYPROP; else { selinux_log(SELINUX_WARNING, "%s: line %d has invalid object type %s\n", This was sent by the SourceForge.net collaborative development platform, the world's largest Open Source development site. |
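Review bot: the new SELABEL_X_POLYPROP type is added to label.h and to the x_contexts parser, but nothing documents what a "poly_property" line means or how the returned label is used; add a comment next to the define, or an entry where the other SELABEL_X_* keys are described, so consumers know this key selects properties to polyinstantiate rather than labelling them.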
From: <ssm...@us...> - 2008-02-06 18:57:47
Revision: 2793 http://selinux.svn.sourceforge.net/selinux/?rev=2793&view=rev Author: ssmalley Date: 2008-02-06 10:57:45 -0800 (Wed, 06 Feb 2008) Log Message: ----------- updated libselinux to version 2.0.52 Modified Paths: -------------- trunk/libselinux/ChangeLog trunk/libselinux/VERSION Modified: trunk/libselinux/ChangeLog =================================================================== --- trunk/libselinux/ChangeLog 2008-02-06 18:57:01 UTC (rev 2792) +++ trunk/libselinux/ChangeLog 2008-02-06 18:57:45 UTC (rev 2793) @@ -1,3 +1,6 @@ +2.0.52 2008-02-06 + * Disable setlocaldefs if no local boolean or users files are present from Stephen Smalley. + 2.0.51 2008-02-05 * Skip userspace preservebools processing for Linux >= 2.6.22 from Stephen Smalley. Modified: trunk/libselinux/VERSION =================================================================== --- trunk/libselinux/VERSION 2008-02-06 18:57:01 UTC (rev 2792) +++ trunk/libselinux/VERSION 2008-02-06 18:57:45 UTC (rev 2793) @@ -1 +1 @@ -2.0.51 +2.0.52 This was sent by the SourceForge.net collaborative development platform, the world's largest Open Source development site. |
From: <ssm...@us...> - 2008-02-06 18:57:03
Revision: 2792 http://selinux.svn.sourceforge.net/selinux/?rev=2792&view=rev Author: ssmalley Date: 2008-02-06 10:57:01 -0800 (Wed, 06 Feb 2008) Log Message: ----------- Author: Stephen Smalley Email: sd...@ty... Subject: libselinux: disable setlocaldefs if no local boolean or user files exist Date: Wed, 06 Feb 2008 10:26:32 -0500 If there are no local boolean or user files present, then the libselinux load policy logic can disable setlocaldefs early and thus avoid creating a writable mapping of the policy as well as avoiding the overhead of calling the sepol functions for manipulating local boolean and user files altogether. This is cleaner than changing the default for the config option, as it will fall back to compatibility behavior for older distributions. Thus, this change should not change behavior for RHEL 4. Signed-off-by: Stephen Smalley <sd...@ty...> Acked-by: Todd C. Miller <tm...@tr...> Modified Paths: -------------- trunk/libselinux/src/load_policy.c Modified: trunk/libselinux/src/load_policy.c =================================================================== --- trunk/libselinux/src/load_policy.c 2008-02-06 15:08:20 UTC (rev 2791) +++ trunk/libselinux/src/load_policy.c 2008-02-06 18:57:01 UTC (rev 2792) @@ -47,6 +47,7 @@ { int kernvers = security_policyvers(); int vers = kernvers, minvers = DEFAULT_POLICY_VERSION; + int setlocaldefs = load_setlocaldefs; char path[PATH_MAX], **names; struct stat sb; struct utsname uts; 
@@ -131,13 +132,29 @@ minvers = vers_min(); } + /* + * Check whether we need to support local boolean and user definitions. + */ + if (setlocaldefs) { + if (access(selinux_booleans_path(), F_OK) == 0) + goto checkbool; + snprintf(path, sizeof path, "%s.local", selinux_booleans_path()); + if (access(path, F_OK) == 0) + goto checkbool; + snprintf(path, sizeof path, "%s/local.users", selinux_users_path()); + if (access(path, F_OK) == 0) + goto checkbool; + /* No local definition files, so disable setlocaldefs. */ + setlocaldefs = 0; + } +checkbool: /* * As of Linux 2.6.22, the kernel preserves boolean * values across a reload, so we do not need to * preserve them in userspace. */ - if (uname(&uts) == 0 && strverscmp(uts.release, "2.6.22") >= 0) + if (preservebools && uname(&uts) == 0 && strverscmp(uts.release, "2.6.22") >= 0) preservebools = 0; search: @@ -158,7 +175,7 @@ goto close; prot = PROT_READ; - if (load_setlocaldefs || preservebools) + if (setlocaldefs || preservebools) prot |= PROT_WRITE; size = sb.st_size; @@ -195,7 +212,7 @@ } if (usesepol) { - if (load_setlocaldefs) { + if (setlocaldefs) { void *olddata = data; size_t oldsize = size; rc = genusers(olddata, oldsize, selinux_users_path(), @@ -228,7 +245,7 @@ free(names[i]); free(names); } - } else if (load_setlocaldefs) { + } else if (setlocaldefs) { (void)genbools(data, size, (char *)selinux_booleans_path()); } This was sent by the SourceForge.net collaborative development platform, the world's largest Open Source development site. |
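Review bot: the three access() calls use F_OK, which only tests for existence; a booleans, booleans.local or local.users file that exists but is unreadable still leaves setlocaldefs enabled, so the policy is mapped PROT_WRITE and genusers/genbools fail later anyway. Since the files are about to be read, R_OK is the more accurate test. The added `preservebools &&` guard on the uname check is harmless and only saves a uname() call when the caller already passed 0.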
From: <mil...@us...> - 2008-02-06 15:08:23
Revision: 2791 http://selinux.svn.sourceforge.net/selinux/?rev=2791&view=rev Author: millertc Date: 2008-02-06 07:08:20 -0800 (Wed, 06 Feb 2008) Log Message: ----------- Author: own...@ty... Email: own...@ty... Subject: RE: genhomedircon is broken in libsemanage James Antill wrote: > Mostly FYI, although there is one minor error dealing with a malloc() > error case. Thanks for the feedback. I wasn't sure from the ustr API docs whether the add/del functions applied to the end of the string. The following diff addresses the things you pointed out. Signed-off-by: Todd C. Miller <tm...@tr...> - todd genhomedircon.c | 12 +++++------- 1 file changed, 5 insertions(+), 7 deletions(-) Modified Paths: -------------- trunk/libsemanage/src/genhomedircon.c Modified: trunk/libsemanage/src/genhomedircon.c =================================================================== --- trunk/libsemanage/src/genhomedircon.c 2008-02-05 21:18:52 UTC (rev 2790) +++ trunk/libsemanage/src/genhomedircon.c 2008-02-06 15:08:20 UTC (rev 2791) @@ -176,25 +176,24 @@ expr = ustr_dup_cstr("^"); if (expr == USTR_NULL) goto done; - ustr_ins_cstr(&expr, 1, oexpr); - if (expr == USTR_NULL) + if (!ustr_add_cstr(&expr, oexpr)) goto done; /* Strip off trailing ".+" or ".*" */ if (ustr_cmp_suffix_cstr_eq(expr, ".+") || ustr_cmp_suffix_cstr_eq(expr, ".*")) { - if (!ustr_del_subustr(&expr, ustr_len(expr) - 1, 2)) + if (!ustr_del(&expr, 2)) goto done; } /* Strip off trailing "(/.*)?" */ if (ustr_cmp_suffix_cstr_eq(expr, "(/.*)?")) { - if (!ustr_del_subustr(&expr, ustr_len(expr) - 5, 6)) + if (!ustr_del(&expr, 6)) goto done; } /* Append pattern to eat up trailing slashes */ - if (!ustr_ins_cstr(&expr, ustr_len(expr), "/*$")) + if (!ustr_add_cstr(&expr, "/*$")) goto done; /* Check dir against expr */ 
@@ -207,8 +206,7 @@ retval = 0; done: - if (expr) - ustr_free(expr); + ustr_free(expr); return retval; } This was sent by the SourceForge.net collaborative development platform, the world's largest Open Source development site. |
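Review bot: the old `ustr_ins_cstr(&expr, 1, oexpr)` call discarded the function's return value and then compared expr against USTR_NULL, which ustr does not do on allocation failure (it returns false and leaves the string intact), so that error case was unreachable; checking the boolean result of ustr_add_cstr() as done here is the correct form. Dropping the `if (expr)` guard is fine because ustr_free() accepts USTR_NULL, and the first `goto done` happens while expr is still USTR_NULL.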
From: <ssm...@us...> - 2008-02-05 21:18:53
Revision: 2790 http://selinux.svn.sourceforge.net/selinux/?rev=2790&view=rev Author: ssmalley Date: 2008-02-05 13:18:52 -0800 (Tue, 05 Feb 2008) Log Message: ----------- updated libselinux to version 2.0.51 Modified Paths: -------------- trunk/libselinux/ChangeLog trunk/libselinux/VERSION Modified: trunk/libselinux/ChangeLog =================================================================== --- trunk/libselinux/ChangeLog 2008-02-05 21:17:02 UTC (rev 2789) +++ trunk/libselinux/ChangeLog 2008-02-05 21:18:52 UTC (rev 2790) @@ -1,3 +1,6 @@ +2.0.51 2008-02-05 + * Skip userspace preservebools processing for Linux >= 2.6.22 from Stephen Smalley. + 2.0.50 2008-01-28 * Merged fix for audit2why from Dan Walsh. Modified: trunk/libselinux/VERSION =================================================================== --- trunk/libselinux/VERSION 2008-02-05 21:17:02 UTC (rev 2789) +++ trunk/libselinux/VERSION 2008-02-05 21:18:52 UTC (rev 2790) @@ -1 +1 @@ -2.0.50 +2.0.51 This was sent by the SourceForge.net collaborative development platform, the world's largest Open Source development site. |
From: <ssm...@us...> - 2008-02-05 21:17:12
Revision: 2789 http://selinux.svn.sourceforge.net/selinux/?rev=2789&view=rev Author: ssmalley Date: 2008-02-05 13:17:02 -0800 (Tue, 05 Feb 2008) Log Message: ----------- Author: Stephen Smalley Email: sd...@ty... Subject: libselinux: don't preservebools for Linux >= 2.6.22 Date: Tue, 05 Feb 2008 10:42:25 -0500 Since Linux >= 2.6.22 includes the logic to automatically preserve active boolean values across a policy reload, the libselinux load policy logic can check the kernel version and skip the userspace preservebools processing in that case. This is cleaner than introducing a config option to /etc/selinux/config, as it will auto-detect the support and fall back to the compatibility behavior for older kernels. Thus, this change does not change behavior for RHEL 5 or Debian etch. Signed-off-by: Stephen D. Smalley <sd...@ty...> Modified Paths: -------------- trunk/libselinux/src/load_policy.c Modified: trunk/libselinux/src/load_policy.c =================================================================== --- trunk/libselinux/src/load_policy.c 2008-02-05 18:59:53 UTC (rev 2788) +++ trunk/libselinux/src/load_policy.c 2008-02-05 21:17:02 UTC (rev 2789) @@ -3,6 +3,7 @@ #include <sys/stat.h> #include <sys/mman.h> #include <sys/mount.h> +#include <sys/utsname.h> #include <fcntl.h> #include <stdlib.h> #include <stdio.h> @@ -48,6 +49,7 @@ int vers = kernvers, minvers = DEFAULT_POLICY_VERSION; char path[PATH_MAX], **names; struct stat sb; + struct utsname uts; size_t size; void *map, *data; int fd, rc = -1, *values, len, i, prot; 
@@ -129,6 +131,15 @@ minvers = vers_min(); } + + /* + * As of Linux 2.6.22, the kernel preserves boolean + * values across a reload, so we do not need to + * preserve them in userspace. + */ + if (uname(&uts) == 0 && strverscmp(uts.release, "2.6.22") >= 0) + preservebools = 0; + search: snprintf(path, sizeof(path), "%s.%d", selinux_binary_policy_path(), vers); This was sent by the SourceForge.net collaborative development platform, the world's largest Open Source development site. |
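Review bot: strverscmp(uts.release, "2.6.22") >= 0 is also true for "2.6.22-rc1" and similar pre-release strings, since the suffix sorts after the bare version, so release-candidate kernels from before the reload-preservation change would also skip the userspace preservebools path; if that matters, compare only the numeric prefix. The failure mode in the other direction is benign: a distribution kernel that backported the feature under an older release string simply keeps the redundant userspace handling, and a failing uname() leaves preservebools untouched.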
From: <ssm...@us...> - 2008-02-05 18:59:57
Revision: 2788 http://selinux.svn.sourceforge.net/selinux/?rev=2788&view=rev Author: ssmalley Date: 2008-02-05 10:59:53 -0800 (Tue, 05 Feb 2008) Log Message: ----------- updated libsepol to version 1.16.11 Modified Paths: -------------- branches/stable/1_0/libsepol/ChangeLog branches/stable/1_0/libsepol/VERSION Modified: branches/stable/1_0/libsepol/ChangeLog =================================================================== --- branches/stable/1_0/libsepol/ChangeLog 2008-02-05 18:56:39 UTC (rev 2787) +++ branches/stable/1_0/libsepol/ChangeLog 2008-02-05 18:59:53 UTC (rev 2788) @@ -1,3 +1,6 @@ +1.16.11 2008-02-05 + * Merge r2520 from trunk: bug fix for disable dontaudit support. + 1.16.10 2007-11-05 * Allow handle_unknown to be overridden by semanage.conf from Stephen Smalley. Modified: branches/stable/1_0/libsepol/VERSION =================================================================== --- branches/stable/1_0/libsepol/VERSION 2008-02-05 18:56:39 UTC (rev 2787) +++ branches/stable/1_0/libsepol/VERSION 2008-02-05 18:59:53 UTC (rev 2788) @@ -1 +1 @@ -1.16.10 +1.16.11 This was sent by the SourceForge.net collaborative development platform, the world's largest Open Source development site. |
From: <ssm...@us...> - 2008-02-05 18:56:48
Revision: 2787 http://selinux.svn.sourceforge.net/selinux/?rev=2787&view=rev Author: ssmalley Date: 2008-02-05 10:56:39 -0800 (Tue, 05 Feb 2008) Log Message: ----------- applied r2519:2520 from trunk Modified Paths: -------------- branches/stable/1_0/libsepol/src/expand.c Modified: branches/stable/1_0/libsepol/src/expand.c =================================================================== --- branches/stable/1_0/libsepol/src/expand.c 2008-02-04 20:57:26 UTC (rev 2786) +++ branches/stable/1_0/libsepol/src/expand.c 2008-02-05 18:56:39 UTC (rev 2787) @@ -1366,7 +1366,7 @@ } else if (specified & AVRULE_AUDITDENY) { spec = AVTAB_AUDITDENY; } else if (specified & AVRULE_DONTAUDIT) { - if (handle->disable_dontaudit) + if (handle && handle->disable_dontaudit) return EXPAND_RULE_SUCCESS; spec = AVTAB_AUDITDENY; } else if (specified & AVRULE_NEVERALLOW) { This was sent by the SourceForge.net collaborative development platform, the world's largest Open Source development site. |
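Review bot: guarding `handle->disable_dontaudit` with `handle &&` is the right fix for callers that pass a NULL sepol handle, but since this is a cherry-pick of r2520 onto the 1_0 stable branch it is worth checking that no other `handle->` dereference reachable on the same path in the stable expand.c lacks the guard, as the surrounding code may have diverged from trunk.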
From: <ssm...@us...> - 2008-02-04 20:57:29
Revision: 2786 http://selinux.svn.sourceforge.net/selinux/?rev=2786&view=rev Author: ssmalley Date: 2008-02-04 12:57:26 -0800 (Mon, 04 Feb 2008) Log Message: ----------- updated libsemanage to version 2.0.23 Modified Paths: -------------- trunk/libsemanage/ChangeLog trunk/libsemanage/VERSION Modified: trunk/libsemanage/ChangeLog =================================================================== --- trunk/libsemanage/ChangeLog 2008-02-04 20:55:18 UTC (rev 2785) +++ trunk/libsemanage/ChangeLog 2008-02-04 20:57:26 UTC (rev 2786) @@ -1,3 +1,6 @@ +2.0.23 2008-02-04 + * Use vfork rather than fork for libsemanage helpers to reduce memory overhead as suggested by Todd Miller. + 2.0.22 2008-02-04 * Free policydb before fork from Joshua Brindle. Modified: trunk/libsemanage/VERSION =================================================================== --- trunk/libsemanage/VERSION 2008-02-04 20:55:18 UTC (rev 2785) +++ trunk/libsemanage/VERSION 2008-02-04 20:57:26 UTC (rev 2786) @@ -1 +1 @@ -2.0.22 +2.0.23 This was sent by the SourceForge.net collaborative development platform, the world's largest Open Source development site. |
From: <ssm...@us...> - 2008-02-04 20:55:20
Revision: 2785 http://selinux.svn.sourceforge.net/selinux/?rev=2785&view=rev Author: ssmalley Date: 2008-02-04 12:55:18 -0800 (Mon, 04 Feb 2008) Log Message: ----------- Author: Stephen Smalley Email: sd...@ty... Subject: RE: [PATCH] libsemanage: free policydb before fork Date: Mon, 04 Feb 2008 11:41:35 -0500 On Mon, 2008-02-04 at 10:14 -0500, Todd Miller wrote: > Joshua Brindle wrote: > > While testing the recent memory-related patches on a low memory > > machine (512m total) I found that semodule still failed. It turns out > > that fork() requires enough free ram for the amount of private dirty > > memory in the parent process to succeed (even if it is never written > > to in the child process). > > I would suggest trying to use vfork() instead of fork() in > semanage_exec_prog(). > This should result in less of the parent's memory being copied into the > child. > You would also have to change the exit() following execve() failure to > _exit() > but that should be it. Ok, patch below makes this change. That's identical to what I have in my tree. Works fine here. Acked-By: Todd C. Miller <tm...@tr...> Modified Paths: -------------- trunk/libsemanage/src/semanage_store.c Modified: trunk/libsemanage/src/semanage_store.c =================================================================== --- trunk/libsemanage/src/semanage_store.c 2008-02-04 20:34:39 UTC (rev 2784) +++ trunk/libsemanage/src/semanage_store.c 2008-02-04 20:55:18 UTC (rev 2785) 
@@ -911,14 +911,14 @@ /* no need to use pthread_atfork() -- child will not be using * any mutexes. */ - if ((forkval = fork()) == -1) { + if ((forkval = vfork()) == -1) { ERR(sh, "Error while forking process."); return -1; } else if (forkval == 0) { /* child process. file descriptors will be closed * because they were set as close-on-exec. */ execve(e->path, argv, NULL); - exit(EXIT_FAILURE); /* if execve() failed */ + _exit(EXIT_FAILURE); /* if execve() failed */ } else { /* parent process. wait for child to finish */ int status = 0; This was sent by the SourceForge.net collaborative development platform, the world's largest Open Source development site. |
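Review bot: the vfork() child here does only execve() and _exit(), which is exactly what vfork permits while the child borrows the parent's address space with the parent suspended, so the change is safe; keep it that way and do not add ERR() logging, free() or other calls between vfork and execve, since they would modify the parent's memory. The comment about pthread_atfork() still holds. If portability beyond Linux matters, posix_spawn() gives the same memory behaviour without vfork's restrictions.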
From: <mil...@us...> - 2008-02-04 20:34:42
Revision: 2784 http://selinux.svn.sourceforge.net/selinux/?rev=2784&view=rev Author: millertc Date: 2008-02-04 12:34:39 -0800 (Mon, 04 Feb 2008) Log Message: ----------- Prevent flex from generating an input() function that we never use. Avoids a gcc warning. Signed-off-by: Todd C. Miller <tm...@tr...> Acked-by: Stephen Smalley <sd...@ty...> Modified Paths: -------------- trunk/checkpolicy/policy_scan.l trunk/libsemanage/src/conf-scan.l Modified: trunk/checkpolicy/policy_scan.l =================================================================== --- trunk/checkpolicy/policy_scan.l 2008-02-04 16:34:48 UTC (rev 2783) +++ trunk/checkpolicy/policy_scan.l 2008-02-04 20:34:39 UTC (rev 2784) @@ -43,7 +43,7 @@ unsigned int policydb_errors = 0; %} -%option nounput +%option noinput nounput %array letter [A-Za-z] Modified: trunk/libsemanage/src/conf-scan.l =================================================================== --- trunk/libsemanage/src/conf-scan.l 2008-02-04 16:34:48 UTC (rev 2783) +++ trunk/libsemanage/src/conf-scan.l 2008-02-04 20:34:39 UTC (rev 2784) @@ -32,7 +32,7 @@ %} %option stack prefix="semanage_" -%option nounput noyy_push_state noyy_pop_state noyy_top_state +%option noinput nounput noyy_push_state noyy_pop_state noyy_top_state %x arg This was sent by the SourceForge.net collaborative development platform, the world's largest Open Source development site. |
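Review bot: `%option noinput` is only understood by newer flex releases; older ones reject the unknown option and the build fails, so confirm the minimum flex version the build documentation promises before relying on it. Since both scanners already carried nounput, the change is consistent, but an unused generated input() only produces a warning, so the option buys a clean build rather than a correctness fix.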
From: <ssm...@us...> - 2008-02-04 16:34:52
Revision: 2783 http://selinux.svn.sourceforge.net/selinux/?rev=2783&view=rev Author: ssmalley Date: 2008-02-04 08:34:48 -0800 (Mon, 04 Feb 2008) Log Message: ----------- updated libsemanage to version 2.0.22 Modified Paths: -------------- trunk/libsemanage/ChangeLog trunk/libsemanage/VERSION Modified: trunk/libsemanage/ChangeLog =================================================================== --- trunk/libsemanage/ChangeLog 2008-02-04 16:33:54 UTC (rev 2782) +++ trunk/libsemanage/ChangeLog 2008-02-04 16:34:48 UTC (rev 2783) @@ -1,3 +1,6 @@ +2.0.22 2008-02-04 + * Free policydb before fork from Joshua Brindle. + 2.0.21 2008-02-04 * Drop the base module immediately after expanding to permit memory re-use from Stephen Smalley. Modified: trunk/libsemanage/VERSION =================================================================== --- trunk/libsemanage/VERSION 2008-02-04 16:33:54 UTC (rev 2782) +++ trunk/libsemanage/VERSION 2008-02-04 16:34:48 UTC (rev 2783) @@ -1 +1 @@ -2.0.21 +2.0.22 This was sent by the SourceForge.net collaborative development platform, the world's largest Open Source development site. |
From: <ssm...@us...> - 2008-02-04 16:33:59
Revision: 2782 http://selinux.svn.sourceforge.net/selinux/?rev=2782&view=rev Author: ssmalley Date: 2008-02-04 08:33:54 -0800 (Mon, 04 Feb 2008) Log Message: ----------- Author: Joshua Brindle Email: me...@ma... Subject: libsemanage: free policydb before fork Date: Sat, 02 Feb 2008 22:12:31 -0500 While testing the recent memory-related patches on a low memory machine (512m total) I found that semodule still failed. It turns out that fork() requires enough free ram for the amount of private dirty memory in the parent process to succeed (even if it is never written to in the child process). This patch moves the genhomedircon call to outside of semanage_sandbox_install so that the policydb can be freed before any forks happen. With this patch and the prior ones semodule runs fine on a 512m machine. Signed-off-By: Joshua Brindle <me...@ma...> Modified Paths: -------------- trunk/libsemanage/src/direct_api.c trunk/libsemanage/src/semanage_store.c trunk/libsemanage/src/semanage_store.h trunk/scripts/selinux-maint Modified: trunk/libsemanage/src/direct_api.c =================================================================== --- trunk/libsemanage/src/direct_api.c 2008-02-04 15:42:17 UTC (rev 2781) +++ trunk/libsemanage/src/direct_api.c 2008-02-04 16:33:54 UTC (rev 2782) @@ -41,6 +41,7 @@ #include "boolean_internal.h" #include "fcontext_internal.h" #include "node_internal.h" +#include "genhomedircon.h" #include "debug.h" #include "handle.h" 
@@ -704,8 +705,27 @@ if (retval < 0) goto cleanup; + /* run genhomedircon if its enabled, this should be the last operation + * which requires the out policydb */ + if (!sh->conf->disable_genhomedircon) { + if ((retval = + semanage_genhomedircon(sh, out, 1)) != 0) { + ERR(sh, "semanage_genhomedircon returned error code %d.", + retval); + goto cleanup; + } + } else { + WARN(sh, "WARNING: genhomedircon is disabled. \ + See /etc/selinux/semanage.conf if you need to enable it."); + } + + /* free out, if we don't free it before calling semanage_install_sandbox + * then fork() may fail on low memory machines */ + sepol_policydb_free(out); + out = NULL; + if (sh->do_rebuild || modified) { - retval = semanage_install_sandbox(sh, out); + retval = semanage_install_sandbox(sh); } cleanup: Modified: trunk/libsemanage/src/semanage_store.c =================================================================== --- trunk/libsemanage/src/semanage_store.c 2008-02-04 15:42:17 UTC (rev 2781) +++ trunk/libsemanage/src/semanage_store.c 2008-02-04 16:33:54 UTC (rev 2782) @@ -34,7 +34,6 @@ #include "semanage_store.h" #include "database_policydb.h" #include "handle.h" -#include "genhomedircon.h" #include <selinux/selinux.h> #include <sepol/policydb.h> @@ -1279,8 +1278,7 @@ * should be placed within a mutex lock to ensure that it runs * atomically. Returns commit number on success, -1 on error. */ -int semanage_install_sandbox(semanage_handle_t * sh, - sepol_policydb_t * policydb) +int semanage_install_sandbox(semanage_handle_t * sh) { int retval = -1, commit_num = -1; 
@@ -1293,17 +1291,6 @@ ERR(sh, "No setfiles program specified in configuration file."); goto cleanup; } - if (!sh->conf->disable_genhomedircon) { - if ((retval = - semanage_genhomedircon(sh, policydb, TRUE)) != 0) { - ERR(sh, "semanage_genhomedircon returned error code %d.", - retval); - goto cleanup; - } - } else { - WARN(sh, "WARNING: genhomedircon is disabled. \ -See /etc/selinux/semanage.conf if you need to enable it."); - } if ((commit_num = semanage_commit_sandbox(sh)) < 0) { retval = commit_num; Modified: trunk/libsemanage/src/semanage_store.h =================================================================== --- trunk/libsemanage/src/semanage_store.h 2008-02-04 15:42:17 UTC (rev 2781) +++ trunk/libsemanage/src/semanage_store.h 2008-02-04 16:33:54 UTC (rev 2782) @@ -100,8 +100,7 @@ int semanage_write_policydb(semanage_handle_t * sh, sepol_policydb_t * policydb); -int semanage_install_sandbox(semanage_handle_t * sh, - sepol_policydb_t * policydb); +int semanage_install_sandbox(semanage_handle_t * sh); int semanage_verify_modules(semanage_handle_t * sh, char **module_filenames, int num_modules); Modified: trunk/scripts/selinux-maint =================================================================== --- trunk/scripts/selinux-maint 2008-02-04 15:42:17 UTC (rev 2781) +++ trunk/scripts/selinux-maint 2008-02-04 16:33:54 UTC (rev 2782) 
@@ -104,13 +104,13 @@ os.chdir(patch_dir) patchfd = open(patch_name) - retcode = subprocess.call(["patch", patch_level, "--dry-run"], stdin=patchfd) + retcode = subprocess.call(["patch", patch_level, "--dry-run", "-l"], stdin=patchfd) resp = raw_input("apply [y/n]: ") if resp != "y": sys.exit(0) patchfd = open(patch_name) - patch_output = subprocess.Popen(["patch", patch_level], stdin=patchfd, + patch_output = subprocess.Popen(["patch", patch_level, "-l"], stdin=patchfd, stdout=subprocess.PIPE).communicate()[0] status_output = subprocess.Popen(["svn", "status"], stdout=subprocess.PIPE).communicate()[0] This was sent by the SourceForge.net collaborative development platform, the world's largest Open Source development site. |
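Review bot: in the direct_api.c hunk at line 704, `out` is freed and NULLed before semanage_install_sandbox(), but the dbase_policydb_attach() calls made earlier in this function (visible in the revision 2780 hunk below) are only undone by the dbase_policydb_detach() calls at the cleanup label, so between the free and cleanup the attached dbases hold a dangling pointer to the freed policydb. Move the detach calls up to just before sepol_policydb_free(out), or add a comment stating why nothing can reach the attached policydb in between. Also confirm that the sepol_policydb_free(out) at cleanup tolerates the now-NULL `out`.

Review bot: the WARN() string moved into the same hunk uses a backslash-newline continuation and the continuation line is now indented, so the leading tab and spaces become part of the logged message; the copy removed from semanage_store.c deliberately started `See /etc/selinux/semanage.conf` at column 0 for that reason. Use adjacent string literals instead: `"WARNING: genhomedircon is disabled. " "See /etc/selinux/semanage.conf if you need to enable it."`.

Review bot: the selinux-maint hunk (passing -l to both patch invocations) is unrelated to the libsemanage change and is not mentioned in the log message; it should be called out there or split into its own commit. Since -l makes patch ignore whitespace when matching context, a hunk can now apply where indentation has drifted, which is acceptable for a maintainer convenience script but deserves a one-line comment in the script.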
From: <ssm...@us...> - 2008-02-04 15:59:48
Revision: 2777 http://selinux.svn.sourceforge.net/selinux/?rev=2777&view=rev Author: ssmalley Date: 2008-02-04 07:24:49 -0800 (Mon, 04 Feb 2008) Log Message: ----------- Author: Stephen Smalley Email: sd...@ty... Subject: libsepol: tune avtab to reduce memory usage Date: Fri, 01 Feb 2008 08:58:56 -0500 Port of Yuichi Nakamura's tune avtab to reduce memory usage patch from the kernel avtab to libsepol. This patch decides the number of hash slots dynamically based on the number of rules. It also avoids allocating the avtab altogether when reading policy modules, as they don't need it. Signed-off-by: Stephen Smalley <sd...@ty...> Acked-By: Joshua Brindle <me...@ma...> Modified Paths: -------------- trunk/checkpolicy/test/dispol.c trunk/libsepol/include/sepol/policydb/avtab.h trunk/libsepol/src/avtab.c trunk/libsepol/src/conditional.c trunk/libsepol/src/expand.c trunk/libsepol/src/policydb.c trunk/libsepol/src/write.c Modified: trunk/checkpolicy/test/dispol.c =================================================================== --- trunk/checkpolicy/test/dispol.c 2008-02-02 15:40:55 UTC (rev 2776) +++ trunk/checkpolicy/test/dispol.c 2008-02-04 15:24:49 UTC (rev 2777) @@ -169,7 +169,7 @@ } /* hmm...should have used avtab_map. */ - for (i = 0; i < AVTAB_SIZE; i++) { + for (i = 0; i < expa.nslot; i++) { for (cur = expa.htable[i]; cur; cur = cur->next) { render_av_rule(&cur->key, &cur->datum, what, p, fp); } Modified: trunk/libsepol/include/sepol/policydb/avtab.h =================================================================== --- trunk/libsepol/include/sepol/policydb/avtab.h 2008-02-02 15:40:55 UTC (rev 2776) +++ trunk/libsepol/include/sepol/policydb/avtab.h 2008-02-04 15:24:49 UTC (rev 2777) 
@@ -1,6 +1,11 @@ /* Author : Stephen Smalley, <sd...@ep...> */ +/* + * Updated: Yuichi Nakamura <yn...@hi...> + * Tuned number of hash slots for avtab to reduce memory usage + */ + /* Updated: Frank Mayer <ma...@tr...> and Karl MacMillan <kma...@tr...> * * Added conditional policy language extensions @@ -75,10 +80,12 @@ typedef struct avtab { avtab_ptr_t *htable; uint32_t nel; /* number of elements */ + uint32_t nslot; /* number of hash slots */ + uint16_t mask; /* mask to compute hash func */ } avtab_t; extern int avtab_init(avtab_t *); - +extern int avtab_alloc(avtab_t *, uint32_t); extern int avtab_insert(avtab_t * h, avtab_key_t * k, avtab_datum_t * d); extern avtab_datum_t *avtab_search(avtab_t * h, avtab_key_t * k); @@ -110,12 +117,11 @@ extern avtab_ptr_t avtab_search_node_next(avtab_ptr_t node, int specified); -#define AVTAB_HASH_BITS 15 -#define AVTAB_HASH_BUCKETS (1 << AVTAB_HASH_BITS) -#define AVTAB_HASH_MASK (AVTAB_HASH_BUCKETS-1) +#define MAX_AVTAB_HASH_BITS 13 +#define MAX_AVTAB_HASH_BUCKETS (1 << MAX_AVTAB_HASH_BITS) +#define MAX_AVTAB_HASH_MASK (MAX_AVTAB_HASH_BUCKETS-1) +#define MAX_AVTAB_SIZE MAX_AVTAB_HASH_BUCKETS -#define AVTAB_SIZE AVTAB_HASH_BUCKETS - #endif /* _AVTAB_H_ */ /* FLASK */ Modified: trunk/libsepol/src/avtab.c =================================================================== --- trunk/libsepol/src/avtab.c 2008-02-02 15:40:55 UTC (rev 2776) +++ trunk/libsepol/src/avtab.c 2008-02-04 15:24:49 UTC (rev 2777) @@ -1,6 +1,11 @@ /* Author : Stephen Smalley, <sd...@ep...> */ +/* + * Updated: Yuichi Nakamura <yn...@hi...> + * Tuned number of hash slots for avtab to reduce memory usage + */ + /* Updated: Frank Mayer <ma...@tr...> * and Karl MacMillan <kma...@me...> * 
@@ -44,11 +49,11 @@ #include "debug.h" #include "private.h" -#define AVTAB_HASH(keyp) \ -((keyp->target_class + \ - (keyp->target_type << 2) + \ - (keyp->source_type << 9)) & \ - AVTAB_HASH_MASK) +static inline int avtab_hash(struct avtab_key *keyp, uint16_t mask) +{ + return ((keyp->target_class + (keyp->target_type << 2) + + (keyp->source_type << 9)) & mask); +} static avtab_ptr_t avtab_insert_node(avtab_t * h, int hvalue, avtab_ptr_t prev, avtab_key_t * key, @@ -80,10 +85,10 @@ uint16_t specified = key->specified & ~(AVTAB_ENABLED | AVTAB_ENABLED_OLD); - if (!h) + if (!h || !h->htable) return SEPOL_ENOMEM; - hvalue = AVTAB_HASH(key); + hvalue = avtab_hash(key, h->mask); for (prev = NULL, cur = h->htable[hvalue]; cur; prev = cur, cur = cur->next) { if (key->source_type == cur->key.source_type && @@ -121,9 +126,9 @@ uint16_t specified = key->specified & ~(AVTAB_ENABLED | AVTAB_ENABLED_OLD); - if (!h) + if (!h || !h->htable) return NULL; - hvalue = AVTAB_HASH(key); + hvalue = avtab_hash(key, h->mask); for (prev = NULL, cur = h->htable[hvalue]; cur; prev = cur, cur = cur->next) { if (key->source_type == cur->key.source_type && @@ -153,10 +158,10 @@ uint16_t specified = key->specified & ~(AVTAB_ENABLED | AVTAB_ENABLED_OLD); - if (!h) + if (!h || !h->htable) return NULL; - hvalue = AVTAB_HASH(key); + hvalue = avtab_hash(key, h->mask); for (cur = h->htable[hvalue]; cur; cur = cur->next) { if (key->source_type == cur->key.source_type && key->target_type == cur->key.target_type && @@ -188,10 +193,10 @@ uint16_t specified = key->specified & ~(AVTAB_ENABLED | AVTAB_ENABLED_OLD); - if (!h) + if (!h || !h->htable) return NULL; - hvalue = AVTAB_HASH(key); + hvalue = avtab_hash(key, h->mask); for (cur = h->htable[hvalue]; cur; cur = cur->next) { if (key->source_type == cur->key.source_type && key->target_type == cur->key.target_type && 
@@ -242,13 +247,13 @@ void avtab_destroy(avtab_t * h) { - int i; + unsigned int i; avtab_ptr_t cur, temp; if (!h || !h->htable) return; - for (i = 0; i < AVTAB_SIZE; i++) { + for (i = 0; i < h->nslot; i++) { cur = h->htable[i]; while (cur != NULL) { temp = cur; @@ -259,19 +264,22 @@ } free(h->htable); h->htable = NULL; + h->nslot = 0; + h->mask = 0; } int avtab_map(avtab_t * h, int (*apply) (avtab_key_t * k, avtab_datum_t * d, void *args), void *args) { - int i, ret; + unsigned int i; + int ret; avtab_ptr_t cur; if (!h) return 0; - for (i = 0; i < AVTAB_SIZE; i++) { + for (i = 0; i < h->nslot; i++) { cur = h->htable[i]; while (cur != NULL) { ret = apply(&cur->key, &cur->datum, args); @@ -285,25 +293,50 @@ int avtab_init(avtab_t * h) { - int i; + h->htable = NULL; + h->nel = 0; + return 0; +} - h->htable = malloc(sizeof(avtab_ptr_t) * AVTAB_SIZE); +int avtab_alloc(avtab_t *h, uint32_t nrules) +{ + uint16_t mask = 0; + uint32_t shift = 0; + uint32_t work = nrules; + uint32_t nslot = 0; + + if (nrules == 0) + goto out; + + while (work) { + work = work >> 1; + shift++; + } + if (shift > 2) + shift = shift - 2; + nslot = 1 << shift; + if (nslot > MAX_AVTAB_SIZE) + nslot = MAX_AVTAB_SIZE; + mask = nslot - 1; + + h->htable = calloc(nslot, sizeof(avtab_ptr_t)); if (!h->htable) return -1; - for (i = 0; i < AVTAB_SIZE; i++) - h->htable[i] = (avtab_ptr_t) NULL; +out: h->nel = 0; + h->nslot = nslot; + h->mask = mask; return 0; } void avtab_hash_eval(avtab_t * h, char *tag) { - int i, chain_len, slots_used, max_chain_len; + unsigned int i, chain_len, slots_used, max_chain_len; avtab_ptr_t cur; slots_used = 0; max_chain_len = 0; - for (i = 0; i < AVTAB_SIZE; i++) { + for (i = 0; i < h->nslot; i++) { cur = h->htable[i]; if (cur) { slots_used++; 
@@ -320,7 +353,7 @@ printf ("%s: %d entries and %d/%d buckets used, longest chain length %d\n", - tag, h->nel, slots_used, AVTAB_SIZE, max_chain_len); + tag, h->nel, slots_used, h->nslot, max_chain_len); } /* Ordering of datums in the original avtab format in the policy file. */ @@ -471,6 +504,13 @@ ERR(fp->handle, "table is empty"); goto bad; } + + rc = avtab_alloc(a, nel); + if (rc) { + ERR(fp->handle, "out of memory"); + goto bad; + } + for (i = 0; i < nel; i++) { rc = avtab_read_item(fp, vers, a, avtab_insertf, NULL); if (rc) { Modified: trunk/libsepol/src/conditional.c =================================================================== --- trunk/libsepol/src/conditional.c 2008-02-02 15:40:55 UTC (rev 2776) +++ trunk/libsepol/src/conditional.c 2008-02-04 15:24:49 UTC (rev 2777) @@ -829,6 +829,10 @@ len = le32_to_cpu(buf[0]); + rc = avtab_alloc(&p->te_cond_avtab, p->te_avtab.nel); + if (rc) + goto err; + for (i = 0; i < len; i++) { node = malloc(sizeof(cond_node_t)); if (!node) Modified: trunk/libsepol/src/expand.c =================================================================== --- trunk/libsepol/src/expand.c 2008-02-02 15:40:55 UTC (rev 2776) +++ trunk/libsepol/src/expand.c 2008-02-04 15:24:49 UTC (rev 2777) @@ -2138,6 +2138,16 @@ avrule_block_t *prevblock; int retval = -1; + if (avtab_alloc(&state->out->te_avtab, MAX_AVTAB_SIZE)) { + ERR(state->handle, "Out of Memory!"); + return -1; + } + + if (avtab_alloc(&state->out->te_cond_avtab, MAX_AVTAB_SIZE)) { + ERR(state->handle, "Out of Memory!"); + return -1; + } + while (curblock) { avrule_decl_t *decl = curblock->enabled; avrule_t *cur_avrule; @@ -2560,6 +2570,11 @@ { struct expand_avtab_data data; + if (avtab_alloc(expa, MAX_AVTAB_SIZE)) { + ERR(NULL, "Out of memory!"); + return -1; + } + data.expa = expa; data.p = p; return avtab_map(a, expand_avtab_node, &data); 
@@ -2688,6 +2703,11 @@ avtab_ptr_t node; int rc; + if (avtab_alloc(expa, MAX_AVTAB_SIZE)) { + ERR(NULL, "Out of memory!"); + return -1; + } + *newl = NULL; for (cur = l; cur; cur = cur->next) { node = cur->node; Modified: trunk/libsepol/src/policydb.c =================================================================== --- trunk/libsepol/src/policydb.c 2008-02-02 15:40:55 UTC (rev 2776) +++ trunk/libsepol/src/policydb.c 2008-02-04 15:24:49 UTC (rev 2777) @@ -492,17 +492,14 @@ rc = roles_init(p); if (rc) - goto out_free_avtab; + goto out_free_symtab; rc = cond_policydb_init(p); if (rc) - goto out_free_avtab; + goto out_free_symtab; out: return rc; - out_free_avtab: - avtab_destroy(&p->te_avtab); - out_free_symtab: for (i = 0; i < SYM_NUM; i++) { hashtab_destroy(p->symtab[i].table); Modified: trunk/libsepol/src/write.c =================================================================== --- trunk/libsepol/src/write.c 2008-02-02 15:40:55 UTC (rev 2776) +++ trunk/libsepol/src/write.c 2008-02-04 15:24:49 UTC (rev 2777) @@ -229,9 +229,9 @@ static inline void avtab_reset_merged(avtab_t * a) { - int i; + unsigned int i; avtab_ptr_t cur; - for (i = 0; i < AVTAB_SIZE; i++) { + for (i = 0; i < a->nslot; i++) { for (cur = a->htable[i]; cur; cur = cur->next) cur->merged = 0; } @@ -239,7 +239,8 @@ static int avtab_write(struct policydb *p, avtab_t * a, struct policy_file *fp) { - int i, rc; + unsigned int i; + int rc; avtab_t expa; avtab_ptr_t cur; uint32_t nel; @@ -269,7 +270,7 @@ return POLICYDB_ERROR; } - for (i = 0; i < AVTAB_SIZE; i++) { + for (i = 0; i < a->nslot; i++) { for (cur = a->htable[i]; cur; cur = cur->next) { /* If old format, compute final nel. If new format, write out the items. */ 
@@ -290,7 +291,7 @@ goto out; } avtab_reset_merged(a); - for (i = 0; i < AVTAB_SIZE; i++) { + for (i = 0; i < a->nslot; i++) { for (cur = a->htable[i]; cur; cur = cur->next) { if (avtab_write_item(p, cur, fp, 1, 1, NULL)) { rc = -1; This was sent by the SourceForge.net collaborative development platform, the world's largest Open Source development site. |
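Review bot: in the avtab_init() hunk (avtab.c at line 285) the function now sets only htable and nel and leaves nslot and mask uninitialized, yet avtab_map() checks only `!h` and then loops `for (i = 0; i < h->nslot; i++)` over h->htable, and avtab_reset_merged() and avtab_write() in write.c loop the same way. For a table that was initialized but never passed through avtab_alloc(), which is exactly the module-policy case this patch introduces, that reads h->htable[i] through a NULL pointer unless the enclosing policydb happened to be zeroed. Set `h->nslot = 0; h->mask = 0;` in avtab_init() so those loops are no-ops, and consider an `!h->htable` early return in avtab_map() to match the one in avtab_destroy().

Review bot: avtab_alloc() in the same hunk does not guard against being called on a table that already has an htable; a second call with nrules > 0 overwrites h->htable and leaks the first allocation, while the nrules == 0 path jumps to `out` and resets nel, nslot and mask without touching an existing htable. An `if (h->htable) return -1;` at the top makes the ownership rule explicit. Also, mask is a uint16_t while nslot is a uint32_t; that only works because MAX_AVTAB_SIZE is 8192, so a comment tying the width of mask to MAX_AVTAB_HASH_BITS would prevent silent truncation if the cap is ever raised past 16 bits.

Review bot: in the conditional.c hunk the conditional avtab is sized from p->te_avtab.nel, the number of unconditional rules, which is a heuristic rather than the number of conditional rules; a policy with few unconditional but many conditional rules gets a small table and long chains. Worth a comment saying the count is an estimate, or sizing from the conditional rule count once it is known.

Review bot: the dispol.c hunk compares `i` against expa.nslot (uint32_t) but, unlike the loops in avtab.c and write.c, `i` is not changed to unsigned there, so if it is still a signed int it will produce the same sign-comparison warning this series removes elsewhere; likewise avtab_hash_eval() still prints h->nslot and the now-unsigned slots_used and max_chain_len with %d, which should become %u.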
From: <ssm...@us...> - 2008-02-04 15:42:20
Revision: 2781 http://selinux.svn.sourceforge.net/selinux/?rev=2781&view=rev Author: ssmalley Date: 2008-02-04 07:42:17 -0800 (Mon, 04 Feb 2008) Log Message: ----------- updated libsemanage to version 2.0.21 Modified Paths: -------------- trunk/libsemanage/ChangeLog trunk/libsemanage/VERSION Modified: trunk/libsemanage/ChangeLog =================================================================== --- trunk/libsemanage/ChangeLog 2008-02-04 15:41:21 UTC (rev 2780) +++ trunk/libsemanage/ChangeLog 2008-02-04 15:42:17 UTC (rev 2781) @@ -1,6 +1,9 @@ +2.0.21 2008-02-04 + * Drop the base module immediately after expanding to permit memory re-use from Stephen Smalley. + 2.0.12 2008-02-02 * Use sepol_set_expand_consume_base to reduce peak memory usage when - using semodule + using semodule from Joshua Brindle. 2.0.19 2008-01-31 * Fix genhomedircon to not override a file context with a homedir context from Todd Miller. Modified: trunk/libsemanage/VERSION =================================================================== --- trunk/libsemanage/VERSION 2008-02-04 15:41:21 UTC (rev 2780) +++ trunk/libsemanage/VERSION 2008-02-04 15:42:17 UTC (rev 2781) @@ -1 +1 @@ -2.0.20 +2.0.21 This was sent by the SourceForge.net collaborative development platform, the world's largest Open Source development site. |
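Review bot: this ChangeLog hunk edits the `2.0.12 2008-02-02` entry to add attribution but keeps the version number, which does not match the VERSION bump from 2.0.19 to 2.0.20 made in revision 2776 (below); it should read 2.0.20 so the ChangeLog stays ordered 2.0.21, 2.0.20, 2.0.19.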
From: <ssm...@us...> - 2008-02-04 15:41:25
Revision: 2780 http://selinux.svn.sourceforge.net/selinux/?rev=2780&view=rev Author: ssmalley Date: 2008-02-04 07:41:21 -0800 (Mon, 04 Feb 2008) Log Message: ----------- Author: Stephen Smalley Email: sd...@ty... Subject: libsemanage: free base immediately after expand Date: Fri, 01 Feb 2008 09:11:06 -0500 Drop the base module immediately after expanding, so that the memory can be reused for the remainder of the transaction. Signed-off-by: Stephen Smalley <sd...@ty...> Acked-By: Joshua Brindle <me...@ma...> Acked-By: Todd C. Miller <tm...@tr...> Modified Paths: -------------- trunk/libsemanage/src/direct_api.c Modified: trunk/libsemanage/src/direct_api.c =================================================================== --- trunk/libsemanage/src/direct_api.c 2008-02-04 15:26:35 UTC (rev 2779) +++ trunk/libsemanage/src/direct_api.c 2008-02-04 15:41:21 UTC (rev 2780) @@ -642,6 +642,9 @@ retval = semanage_expand_sandbox(sh, base, &out); if (retval < 0) goto cleanup; + + sepol_module_package_free(base); + base = NULL; dbase_policydb_attach((dbase_policydb_t *) pusers_base->dbase, out); @@ -718,7 +721,6 @@ dbase_policydb_detach((dbase_policydb_t *) pbools->dbase); free(mod_filenames); - sepol_module_package_free(base); sepol_policydb_free(out); semanage_release_trans_lock(sh); This was sent by the SourceForge.net collaborative development platform, the world's largest Open Source development site. |
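Review bot: the second hunk removes sepol_module_package_free(base) from the cleanup label, so every `goto cleanup` taken before the new free, including the `if (retval < 0) goto cleanup;` immediately after semanage_expand_sandbox() that precedes the added lines, now leaks `base`. Keep the free in cleanup, which is harmless once base is NULLed provided sepol_module_package_free() accepts NULL, or guard it with `if (base)`.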
From: <ssm...@us...> - 2008-02-04 15:26:39
Revision: 2779 http://selinux.svn.sourceforge.net/selinux/?rev=2779&view=rev Author: ssmalley Date: 2008-02-04 07:26:35 -0800 (Mon, 04 Feb 2008) Log Message: ----------- updated checkpolicy to version 2.0.9 Modified Paths: -------------- trunk/checkpolicy/ChangeLog trunk/checkpolicy/VERSION Modified: trunk/checkpolicy/ChangeLog =================================================================== --- trunk/checkpolicy/ChangeLog 2008-02-04 15:25:47 UTC (rev 2778) +++ trunk/checkpolicy/ChangeLog 2008-02-04 15:26:35 UTC (rev 2779) @@ -1,3 +1,6 @@ +2.0.9 2008-02-04 + * Update dispol for libsepol avtab changes from Stephen Smalley. + 2.0.8 2008-01-24 * Deprecate role dominance in parser. Modified: trunk/checkpolicy/VERSION =================================================================== --- trunk/checkpolicy/VERSION 2008-02-04 15:25:47 UTC (rev 2778) +++ trunk/checkpolicy/VERSION 2008-02-04 15:26:35 UTC (rev 2779) @@ -1 +1 @@ -2.0.8 +2.0.9 This was sent by the SourceForge.net collaborative development platform, the world's largest Open Source development site. |
From: <ssm...@us...> - 2008-02-04 15:26:35
Revision: 2778 http://selinux.svn.sourceforge.net/selinux/?rev=2778&view=rev Author: ssmalley Date: 2008-02-04 07:25:47 -0800 (Mon, 04 Feb 2008) Log Message: ----------- updated libsepol to version 2.0.20 Modified Paths: -------------- trunk/libsepol/ChangeLog trunk/libsepol/VERSION Modified: trunk/libsepol/ChangeLog =================================================================== --- trunk/libsepol/ChangeLog 2008-02-04 15:24:49 UTC (rev 2777) +++ trunk/libsepol/ChangeLog 2008-02-04 15:25:47 UTC (rev 2778) @@ -1,6 +1,9 @@ +2.0.20 2008-02-04 + * Port of Yuichi Nakamura's tune avtab to reduce memory usage patch from the kernel avtab to libsepol from Stephen Smalley. + 2.0.19 2008-02-02 * Add support for consuming avrule_blocks during expansion to reduce - peak memory usage. + peak memory usage from Joshua Brindle. 2.0.18 2008-01-02 * Added support for policy capabilities from Todd Miller. Modified: trunk/libsepol/VERSION =================================================================== --- trunk/libsepol/VERSION 2008-02-04 15:24:49 UTC (rev 2777) +++ trunk/libsepol/VERSION 2008-02-04 15:25:47 UTC (rev 2778) @@ -1 +1 @@ -2.0.19 +2.0.20 This was sent by the SourceForge.net collaborative development platform, the world's largest Open Source development site. |
From: <mad...@us...> - 2008-02-02 15:40:58
Revision: 2776 http://selinux.svn.sourceforge.net/selinux/?rev=2776&view=rev Author: madmethod Date: 2008-02-02 07:40:55 -0800 (Sat, 02 Feb 2008) Log Message: ----------- bump policycoreutils, libsemanage, libsepol Modified Paths: -------------- trunk/libsemanage/ChangeLog trunk/libsemanage/VERSION trunk/libsepol/ChangeLog trunk/libsepol/VERSION trunk/policycoreutils/ChangeLog trunk/policycoreutils/VERSION Modified: trunk/libsemanage/ChangeLog =================================================================== --- trunk/libsemanage/ChangeLog 2008-02-02 15:36:53 UTC (rev 2775) +++ trunk/libsemanage/ChangeLog 2008-02-02 15:40:55 UTC (rev 2776) @@ -1,3 +1,7 @@ +2.0.12 2008-02-02 + * Use sepol_set_expand_consume_base to reduce peak memory usage when + using semodule + 2.0.19 2008-01-31 * Fix genhomedircon to not override a file context with a homedir context from Todd Miller. Modified: trunk/libsemanage/VERSION =================================================================== --- trunk/libsemanage/VERSION 2008-02-02 15:36:53 UTC (rev 2775) +++ trunk/libsemanage/VERSION 2008-02-02 15:40:55 UTC (rev 2776) @@ -1 +1 @@ -2.0.19 +2.0.20 Modified: trunk/libsepol/ChangeLog =================================================================== --- trunk/libsepol/ChangeLog 2008-02-02 15:36:53 UTC (rev 2775) +++ trunk/libsepol/ChangeLog 2008-02-02 15:40:55 UTC (rev 2776) @@ -1,3 +1,7 @@ +2.0.19 2008-02-02 + * Add support for consuming avrule_blocks during expansion to reduce + peak memory usage. + 2.0.18 2008-01-02 * Added support for policy capabilities from Todd Miller. Modified: trunk/libsepol/VERSION =================================================================== --- trunk/libsepol/VERSION 2008-02-02 15:36:53 UTC (rev 2775) +++ trunk/libsepol/VERSION 2008-02-02 15:40:55 UTC (rev 2776) 
@@ -1 +1 @@ -2.0.18 +2.0.19 Modified: trunk/policycoreutils/ChangeLog =================================================================== --- trunk/policycoreutils/ChangeLog 2008-02-02 15:36:53 UTC (rev 2775) +++ trunk/policycoreutils/ChangeLog 2008-02-02 15:40:55 UTC (rev 2776) @@ -1,3 +1,7 @@ +2.0.42 2008-02-02 + * Make semodule_expand use sepol_set_expand_consume_base to reduce + peak memory usage. + 2.0.41 2008-01-28 * Merged audit2why fix and semanage boolean --on/--off/-1/-0 support from Dan Walsh. Modified: trunk/policycoreutils/VERSION =================================================================== --- trunk/policycoreutils/VERSION 2008-02-02 15:36:53 UTC (rev 2775) +++ trunk/policycoreutils/VERSION 2008-02-02 15:40:55 UTC (rev 2776) @@ -1 +1 @@ -2.0.41 +2.0.42 This was sent by the SourceForge.net collaborative development platform, the world's largest Open Source development site. |
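Review bot: the libsemanage ChangeLog hunk adds an entry headed `2.0.12 2008-02-02` while the libsemanage VERSION hunk in the same commit moves 2.0.19 to 2.0.20, so the entry should read 2.0.20; the three new ChangeLog entries also omit the "from <author>" attribution that the neighbouring entries carry.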