Re: [PATCH 1/6] selinux: do not allocate ancillary buffer on first load


 



On 1/16/20 7:04 AM, Ondrej Mosnacek wrote:
In security_load_policy(), we can defer allocating the newpolicydb
ancillary array to after checking state->initialized, thereby avoiding
the pointless allocation when loading policy the first time.

Signed-off-by: Ondrej Mosnacek <omosnace@xxxxxxxxxx>

Reviewed-by: Stephen Smalley <sds@xxxxxxxxxxxxx>

---
  security/selinux/ss/services.c | 28 +++++++++++++---------------
  1 file changed, 13 insertions(+), 15 deletions(-)

diff --git a/security/selinux/ss/services.c b/security/selinux/ss/services.c
index 55cf42945cba..42ca9f6dbbf4 100644
--- a/security/selinux/ss/services.c
+++ b/security/selinux/ss/services.c
@@ -2183,26 +2183,17 @@ int security_load_policy(struct selinux_state *state, void *data, size_t len)
  	int rc = 0;
  	struct policy_file file = { data, len }, *fp = &file;
- oldpolicydb = kcalloc(2, sizeof(*oldpolicydb), GFP_KERNEL);
-	if (!oldpolicydb) {
-		rc = -ENOMEM;
-		goto out;
-	}
-	newpolicydb = oldpolicydb + 1;
-
  	policydb = &state->ss->policydb;
newsidtab = kmalloc(sizeof(*newsidtab), GFP_KERNEL);
-	if (!newsidtab) {
-		rc = -ENOMEM;
-		goto out;
-	}
+	if (!newsidtab)
+		return -ENOMEM;
if (!state->initialized) {
  		rc = policydb_read(policydb, fp);
  		if (rc) {
  			kfree(newsidtab);
-			goto out;
+			return rc;
  		}
policydb->len = len;
@@ -2211,14 +2202,14 @@ int security_load_policy(struct selinux_state *state, void *data, size_t len)
  		if (rc) {
  			kfree(newsidtab);
  			policydb_destroy(policydb);
-			goto out;
+			return rc;
  		}
rc = policydb_load_isids(policydb, newsidtab);
  		if (rc) {
  			kfree(newsidtab);
  			policydb_destroy(policydb);
-			goto out;
+			return rc;
  		}
state->ss->sidtab = newsidtab;
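Review bot: The two `if (rc)` blocks in this hunk now carry the same three-line unwind, `kfree(newsidtab); policydb_destroy(policydb); return rc;`, and the `policydb_read` failure in the previous hunk differs only by lacking the `policydb_destroy` call; with the shared `out:` path gone for this branch, each new failure point added here must remember both frees by hand. A local label inside the branch, e.g. `err_destroy: policydb_destroy(policydb); err_free: kfree(newsidtab); return rc;`, would keep one copy of the unwind, as the kernel's goto-cleanup style usually does. This is style only; the behaviour of the converted returns matches the removed gotos as far as the hunk shows. The enclosing function starts and ends outside this hunk.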
@@ -2231,9 +2222,16 @@ int security_load_policy(struct selinux_state *state, void *data, size_t len)
  		selinux_status_update_policyload(state, seqno);
  		selinux_netlbl_cache_invalidate();
  		selinux_xfrm_notify_policyload();
-		goto out;
+		return 0;
  	}
+ oldpolicydb = kcalloc(2, sizeof(*oldpolicydb), GFP_KERNEL);
+	if (!oldpolicydb) {
+		kfree(newsidtab);
+		return -ENOMEM;
+	}
+	newpolicydb = oldpolicydb + 1;
+
  	rc = policydb_read(newpolicydb, fp);
  	if (rc) {
  		kfree(newsidtab);
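Review bot: The paired allocation at the added `kcalloc(2, sizeof(*oldpolicydb), GFP_KERNEL)` line, with `newpolicydb = oldpolicydb + 1;`, is not self-explanatory now that it sits after the first-load branch rather than at the top of the function, and a reader could take `newpolicydb` for a separately owned object; a one-line comment above it would help, e.g. `/* one allocation backs both policydb slots; only oldpolicydb is ever freed */`. Whether that single free happens at the `out:` label is not visible here, since the label sits outside the hunk, so the wording should be checked against it. The `if (rc)` body at the end of the hunk and the enclosing function continue past the hunk.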





