--- James Morris <jmorris@xxxxxxxxx> wrote:
> On Fri, 16 Nov 2007, David P. Quigley wrote:
>
>
> > +#ifdef CONFIG_SECURITY
> > +#define nfs_fattr_alloc(fattr) \
> > +{ \
> > + (fattr)->label = kmalloc(NFS_MAXLABELLEN, GFP_ATOMIC); \
> > + (fattr)->label_len = NFS_MAXLABELLEN; \
> > + memset((fattr)->label, 0, NFS_MAXLABELLEN); \
> > +}
>
> These should be normal functions, perhaps in their own file which is
> conditionally built (and containing other label-specific code).
>
> You need to check the return of kmalloc().
>
> I suggest passing a gfp_t parameter to the allocation function to allow
> the caller to determine the allocation flags (unless you know it will
> always be GFP_ATOMIC).
>
> Use kzalloc() instead of kmalloc() + memset().
>
> It seems wasteful to always allocate the maximum sized label.
You could have a look at the smack_import() scheme. If you're
looking at a gazillion enormous, short lived labels on a system
it would be a bad choice, but even if you're labeling every file
differently (please say you're not) you may find it a better
mechanism. Your label lifecycle management issues go "poof".
Just a thought.
Casey Schaufler
casey@xxxxxxxxxxxxxxxx
--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@xxxxxxxxxxxxx with
the words "unsubscribe selinux" without quotes as the message.
