Re: [PATCH] selinux: Only create the selabel_handle once.

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



On 01/23/2013 01:12 PM, Richard W.M. Jones wrote:
> From: "Richard W.M. Jones" <rjones@xxxxxxxxxx>
> 
> According to Eric Paris this is slightly more efficient because it
> only loads the regular expressions in libselinux once.

The idea seems reasonable, but I think the patch deserves a v2 for
implementation reasons.

> ---
>  src/security/security_selinux.c | 20 +++++++++++++-------
>  1 file changed, 13 insertions(+), 7 deletions(-)
> 
> diff --git a/src/security/security_selinux.c b/src/security/security_selinux.c
> index a3ef728..8b88785 100644
> --- a/src/security/security_selinux.c
> +++ b/src/security/security_selinux.c
> @@ -935,20 +935,26 @@ virSecuritySELinuxFSetFilecon(int fd, char *tcon)
>      return 0;
>  }
>  
> +#if HAVE_SELINUX_LABEL_H
> +static struct selabel_handle *sehandle = NULL;
> +static virOnceControl sehandleonce = VIR_ONCE_CONTROL_INITIALIZER;

Rather than open-coding this, why not use VIR_ONCE_GLOBAL_INIT()?

> +
> +static void
> +seHandleInit (void)
> +{
> +    sehandle = selabel_open(SELABEL_CTX_FILE, NULL, 0);
> +}

Besides, this function should typically return int rather than void, and
by returning -1 if sehandle is NULL,...

> +#endif
> +
>  /* Set fcon to the appropriate label for path and mode, or return -1.  */
>  static int
>  getContext(const char *newpath, mode_t mode, security_context_t *fcon)
>  {
>  #if HAVE_SELINUX_LABEL_H
> -    struct selabel_handle *handle = selabel_open(SELABEL_CTX_FILE, NULL, 0);
> -    int ret;
> -
> -    if (handle == NULL)
> +    if (virOnce(&sehandleonce, seHandleInit) < 0 || sehandle == NULL)

...then you can simplify this code.

>          return -1;
>  
> -    ret = selabel_lookup_raw(handle, fcon, newpath, mode);
> -    selabel_close(handle);
> -    return ret;
> +    return selabel_lookup_raw(sehandle, fcon, newpath, mode);
>  #else
>      return matchpathcon(newpath, mode, fcon);
>  #endif
> 

-- 
Eric Blake   eblake redhat com    +1-919-301-3266
Libvirt virtualization library http://libvirt.org

Attachment: signature.asc
Description: OpenPGP digital signature

--
libvir-list mailing list
libvir-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/libvir-list

[Index of Archives]     [Virt Tools]     [Libvirt Users]     [Lib OS Info]     [Fedora Users]     [Fedora Desktop]     [Fedora SELinux]     [Big List of Linux Books]     [Yosemite News]     [KDE Users]     [Fedora Tools]