On Wednesday, April 13, 2016 10:30:26 PM Daniel Jurgens wrote:
> On 4/13/2016 4:43 PM, Paul Moore wrote:
> > From: Paul Moore <paul@xxxxxxxxxxxxxx>
> >
> > Even if we are under memory pressure and can't allocate a new cache
> > node we can still return the port/node/iface value we looked up from
> > the policy.
> >
> > Reported-by: Greg <gkubok@xxxxxxxxx>
> > Signed-off-by: Paul Moore <paul@xxxxxxxxxxxxxx>
> > ---
> > > > security/selinux/netif.c | 35 +++++++++++++---------------------- > > security/selinux/netnode.c | 31 +++++++++++++++++-------------- > > security/selinux/netport.c | 19 ++++++++----------- > > 3 files changed, 38 insertions(+), 47 deletions(-) > > > > diff --git a/security/selinux/netif.c b/security/selinux/netif.c > > index e607b44..5c3bfa4 100644 > > --- a/security/selinux/netif.c > > +++ b/security/selinux/netif.c > > @@ -91,18 +91,16 @@ static inline struct sel_netif *sel_netif_find(const > > struct net *ns,> > > * zero on success, negative values on failure. > > * > > */ > > > > -static int sel_netif_insert(struct sel_netif *netif) > > +static void sel_netif_insert(struct sel_netif *netif) > > > > { > > > > int idx; > > > > if (sel_netif_total >= SEL_NETIF_HASH_MAX) > > > > - return -ENOSPC; > > + return; > > > > idx = sel_netif_hashfn(netif->nsec.ns, netif->nsec.ifindex); > > list_add_rcu(&netif->list, &sel_netif_hash[idx]); > > sel_netif_total++; > > > > - > > - return 0; > > > > } > > > > /** > > > > @@ -135,7 +133,7 @@ static void sel_netif_destroy(struct sel_netif *netif) > > > > */ > > > > static int sel_netif_sid_slow(struct net *ns, int ifindex, u32 *sid) > > { > > > > - int ret; > > + int ret = 0; > > > > struct sel_netif *netif; > > struct sel_netif *new = NULL; > > struct net_device *dev; 
> > > > @@ -155,34 +153,27 @@ static int sel_netif_sid_slow(struct net *ns, int > > ifindex, u32 *sid)> > > netif = sel_netif_find(ns, ifindex); > >
>
> I know this is out of context for this patch, but isn't this find
> redundant? It was already checked in sel_netif_sid.

The first time we do the cache lookup it is only with the RCU read lock held; we need to do another lookup once we are holding the spinlock.

-- 
paul moore
security @ redhat
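Review bot: in the first netif.c hunk, making `sel_netif_insert()` return void means the early `return;` taken when `sel_netif_total >= SEL_NETIF_HASH_MAX` is indistinguishable from a successful insert, so a caller that allocated `netif` cannot tell that it was never linked into `sel_netif_hash` and has no signal to free it. Consider keeping the int return and having the caller free the node on failure while still returning the SID it looked up. The kernel-doc context above the function still reads "zero on success, negative values on failure", which no longer matches a void function and needs updating if the void signature stays.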
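The second lookup under the lock that the reply describes, combined with the commit message's point that a failed cache allocation should not fail the lookup, as an added userspace model (not code from the patch or the kernel). An `atomic_flag` spinlock and an insert-only list stand in for the kernel spinlock and the RCU-protected hash; `get_sid`, `sid_slow`, `cache_find`, `policy_sid`, `fail_alloc` and `policy_lookups` are hypothetical names, and the SID values are constructed.

```c
/* Userspace model, not kernel code; every name here is hypothetical. */
#include <stdatomic.h>
#include <stdint.h>
#include <stdlib.h>

struct node { int ifindex; uint32_t sid; struct node *next; };
static _Atomic(struct node *) cache_head;  /* insert-only list: lockless reads are safe */
static atomic_flag cache_lock = ATOMIC_FLAG_INIT;  /* stands in for the spinlock */
static int fail_alloc, policy_lookups;     /* memory-pressure knob, policy query counter */

static int policy_sid(int ifindex, uint32_t *sid)  /* constructed policy answer */
{
    policy_lookups++;
    *sid = 1000u + (uint32_t)ifindex;
    return 0;
}

static struct node *cache_find(int ifindex)
{
    struct node *n = atomic_load_explicit(&cache_head, memory_order_acquire);
    while (n && n->ifindex != ifindex)
        n = n->next;
    return n;
}

static int sid_slow(int ifindex, uint32_t *sid)
{
    int ret = 0;
    while (atomic_flag_test_and_set_explicit(&cache_lock, memory_order_acquire))
        ;                                  /* spin until we own the lock */
    struct node *n = cache_find(ifindex);  /* re-check: a racing caller may have inserted */
    if (n) {
        *sid = n->sid;
    } else if ((ret = policy_sid(ifindex, sid)) == 0) {
        n = fail_alloc ? NULL : malloc(sizeof(*n));
        if (n) {                           /* caching is best effort; *sid is already set */
            *n = (struct node){ ifindex, *sid, atomic_load(&cache_head) };
            atomic_store_explicit(&cache_head, n, memory_order_release);
        }
    }
    atomic_flag_clear_explicit(&cache_lock, memory_order_release);
    return ret;
}

int get_sid(int ifindex, uint32_t *sid)
{
    struct node *n = cache_find(ifindex);  /* fast path, no lock taken */
    if (n)
        *sid = n->sid;
    return n ? 0 : sid_slow(ifindex, sid);
}
```

Calling `sid_slow` twice for the same index models two callers that both missed on the fast path: the second finds the entry on the re-check and does not query the policy again. With `fail_alloc` set, the lookup still returns 0 and the SID, and only the cache insert is skipped.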