Re: [PATCH v2 2/5] selinux: convert cond_list to array

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



On 1/17/20 3:58 AM, Ondrej Mosnacek wrote:
Since it is fixed-size after allocation and we know the size beforehand,
using a plain old array is simpler and more efficient.

While there, also fix signedness of some related variables/parameters.

Signed-off-by: Ondrej Mosnacek <omosnace@xxxxxxxxxx>

Reviewed-by: Stephen Smalley <sds@xxxxxxxxxxxxx>

---
  security/selinux/include/conditional.h |  6 +--
  security/selinux/selinuxfs.c           |  4 +-
  security/selinux/ss/conditional.c      | 54 ++++++++++----------------
  security/selinux/ss/conditional.h      |  3 +-
  security/selinux/ss/policydb.c         |  2 +-
  security/selinux/ss/policydb.h         |  3 +-
  security/selinux/ss/services.c         | 28 ++++++-------
  7 files changed, 43 insertions(+), 57 deletions(-)

diff --git a/security/selinux/include/conditional.h b/security/selinux/include/conditional.h
index 0ab316f61da0..ffb9a33341f8 100644
--- a/security/selinux/include/conditional.h
+++ b/security/selinux/include/conditional.h
@@ -14,12 +14,12 @@
  #include "security.h"
int security_get_bools(struct selinux_state *state,
-		       int *len, char ***names, int **values);
+		       u32 *len, char ***names, int **values);
int security_set_bools(struct selinux_state *state,
-		       int len, int *values);
+		       u32 len, int *values);
int security_get_bool_value(struct selinux_state *state,
-			    int index);
+			    u32 index);
#endif
diff --git a/security/selinux/selinuxfs.c b/security/selinux/selinuxfs.c
index 79c710911a3c..296ce86e8b1f 100644
--- a/security/selinux/selinuxfs.c
+++ b/security/selinux/selinuxfs.c
@@ -1327,14 +1327,14 @@ static void sel_remove_entries(struct dentry *de)
static int sel_make_bools(struct selinux_fs_info *fsi)
  {
-	int i, ret;
+	int ret;
  	ssize_t len;
  	struct dentry *dentry = NULL;
  	struct dentry *dir = fsi->bool_dir;
  	struct inode *inode = NULL;
  	struct inode_security_struct *isec;
  	char **names = NULL, *page;
-	int num;
+	u32 i, num;
  	int *values = NULL;
  	u32 sid;
diff --git a/security/selinux/ss/conditional.c b/security/selinux/ss/conditional.c
index 04593062008d..c8a02c9b23ee 100644
--- a/security/selinux/ss/conditional.c
+++ b/security/selinux/ss/conditional.c
@@ -119,6 +119,7 @@ int cond_policydb_init(struct policydb *p)
p->bool_val_to_struct = NULL;
  	p->cond_list = NULL;
+	p->cond_list_len = 0;
rc = avtab_init(&p->te_cond_avtab);
  	if (rc)
@@ -147,27 +148,22 @@ static void cond_node_destroy(struct cond_node *node)
  	}
  	cond_av_list_destroy(node->true_list);
  	cond_av_list_destroy(node->false_list);
-	kfree(node);
  }
-static void cond_list_destroy(struct cond_node *list)
+static void cond_list_destroy(struct policydb *p)
  {
-	struct cond_node *next, *cur;
+	u32 i;
- if (list == NULL)
-		return;
-
-	for (cur = list; cur; cur = next) {
-		next = cur->next;
-		cond_node_destroy(cur);
-	}
+	for (i = 0; i < p->cond_list_len; i++)
+		cond_node_destroy(&p->cond_list[i]);
+	kfree(p->cond_list);
  }
void cond_policydb_destroy(struct policydb *p)
  {
  	kfree(p->bool_val_to_struct);
  	avtab_destroy(&p->te_cond_avtab);
-	cond_list_destroy(p->cond_list);
+	cond_list_destroy(p);
  }
int cond_init_bool_indexes(struct policydb *p)
@@ -447,7 +443,6 @@ err:
int cond_read_list(struct policydb *p, void *fp)
  {
-	struct cond_node *node, *last = NULL;
  	__le32 buf[1];
  	u32 i, len;
  	int rc;
@@ -458,29 +453,24 @@ int cond_read_list(struct policydb *p, void *fp)
len = le32_to_cpu(buf[0]); + p->cond_list = kcalloc(len, sizeof(*p->cond_list), GFP_KERNEL);
+	if (!p->cond_list)
+		return rc;
+
  	rc = avtab_alloc(&(p->te_cond_avtab), p->te_avtab.nel);
  	if (rc)
  		goto err;
for (i = 0; i < len; i++) {
-		rc = -ENOMEM;
-		node = kzalloc(sizeof(*node), GFP_KERNEL);
-		if (!node)
-			goto err;
-
-		rc = cond_read_node(p, node, fp);
+		rc = cond_read_node(p, &p->cond_list[i], fp);
  		if (rc)
  			goto err;
-
-		if (i == 0)
-			p->cond_list = node;
-		else
-			last->next = node;
-		last = node;
  	}
+
+	p->cond_list_len = len;
  	return 0;
  err:
-	cond_list_destroy(p->cond_list);
+	cond_list_destroy(p);
  	p->cond_list = NULL;
  	return rc;
  }
@@ -585,23 +575,19 @@ static int cond_write_node(struct policydb *p, struct cond_node *node,
  	return 0;
  }
-int cond_write_list(struct policydb *p, struct cond_node *list, void *fp)
+int cond_write_list(struct policydb *p, void *fp)
  {
-	struct cond_node *cur;
-	u32 len;
+	u32 i;
  	__le32 buf[1];
  	int rc;
- len = 0;
-	for (cur = list; cur != NULL; cur = cur->next)
-		len++;
-	buf[0] = cpu_to_le32(len);
+	buf[0] = cpu_to_le32(p->cond_list_len);
  	rc = put_entry(buf, sizeof(u32), 1, fp);
  	if (rc)
  		return rc;
- for (cur = list; cur != NULL; cur = cur->next) {
-		rc = cond_write_node(p, cur, fp);
+	for (i = 0; i < p->cond_list_len; i++) {
+		rc = cond_write_node(p, &p->cond_list[i], fp);
  		if (rc)
  			return rc;
  	}
diff --git a/security/selinux/ss/conditional.h b/security/selinux/ss/conditional.h
index d86ef286ca84..e474bdd3a0ed 100644
--- a/security/selinux/ss/conditional.h
+++ b/security/selinux/ss/conditional.h
@@ -55,7 +55,6 @@ struct cond_node {
  	struct cond_expr *expr;
  	struct cond_av_list *true_list;
  	struct cond_av_list *false_list;
-	struct cond_node *next;
  };
int cond_policydb_init(struct policydb *p);
@@ -69,7 +68,7 @@ int cond_index_bool(void *key, void *datum, void *datap);
  int cond_read_bool(struct policydb *p, struct hashtab *h, void *fp);
  int cond_read_list(struct policydb *p, void *fp);
  int cond_write_bool(void *key, void *datum, void *ptr);
-int cond_write_list(struct policydb *p, struct cond_node *list, void *fp);
+int cond_write_list(struct policydb *p, void *fp);
void cond_compute_av(struct avtab *ctab, struct avtab_key *key,
  		struct av_decision *avd, struct extended_perms *xperms);
diff --git a/security/selinux/ss/policydb.c b/security/selinux/ss/policydb.c
index 2aa7f2e1a8e7..8ac9b9ffc83c 100644
--- a/security/selinux/ss/policydb.c
+++ b/security/selinux/ss/policydb.c
@@ -3483,7 +3483,7 @@ int policydb_write(struct policydb *p, void *fp)
  	if (rc)
  		return rc;
- rc = cond_write_list(p, p->cond_list, fp);
+	rc = cond_write_list(p, fp);
  	if (rc)
  		return rc;
diff --git a/security/selinux/ss/policydb.h b/security/selinux/ss/policydb.h
index 69b24191fa38..6459616f8487 100644
--- a/security/selinux/ss/policydb.h
+++ b/security/selinux/ss/policydb.h
@@ -272,8 +272,9 @@ struct policydb {
  	struct cond_bool_datum **bool_val_to_struct;
  	/* type enforcement conditional access vectors and transitions */
  	struct avtab te_cond_avtab;
-	/* linked list indexing te_cond_avtab by conditional */
+	/* array indexing te_cond_avtab by conditional */
  	struct cond_node *cond_list;
+	u32 cond_list_len;
/* role allows */
  	struct role_allow *role_allow;
diff --git a/security/selinux/ss/services.c b/security/selinux/ss/services.c
index ff43a35bb874..8fc8ec317bb6 100644
--- a/security/selinux/ss/services.c
+++ b/security/selinux/ss/services.c
@@ -2868,10 +2868,11 @@ out:
  }
int security_get_bools(struct selinux_state *state,
-		       int *len, char ***names, int **values)
+		       u32 *len, char ***names, int **values)
  {
  	struct policydb *policydb;
-	int i, rc;
+	u32 i;
+	int rc;
if (!selinux_initialized(state)) {
  		*len = 0;
@@ -2925,12 +2926,11 @@ err:
  }
-int security_set_bools(struct selinux_state *state, int len, int *values)
+int security_set_bools(struct selinux_state *state, u32 len, int *values)
  {
  	struct policydb *policydb;
-	int i, rc;
-	int lenp, seqno = 0;
-	struct cond_node *cur;
+	int rc;
+	u32 i, lenp, seqno = 0;
write_lock_irq(&state->ss->policy_rwlock); @@ -2958,8 +2958,8 @@ int security_set_bools(struct selinux_state *state, int len, int *values)
  			policydb->bool_val_to_struct[i]->state = 0;
  	}
- for (cur = policydb->cond_list; cur; cur = cur->next)
-		evaluate_cond_node(policydb, cur);
+	for (i = 0; i < policydb->cond_list_len; i++)
+		evaluate_cond_node(policydb, &policydb->cond_list[i]);
seqno = ++state->ss->latest_granting;
  	rc = 0;
@@ -2975,11 +2975,11 @@ out:
  }
int security_get_bool_value(struct selinux_state *state,
-			    int index)
+			    u32 index)
  {
  	struct policydb *policydb;
  	int rc;
-	int len;
+	u32 len;
read_lock(&state->ss->policy_rwlock); @@ -2999,10 +2999,10 @@ out:
  static int security_preserve_bools(struct selinux_state *state,
  				   struct policydb *policydb)
  {
-	int rc, nbools = 0, *bvalues = NULL, i;
+	int rc, *bvalues = NULL;
  	char **bnames = NULL;
  	struct cond_bool_datum *booldatum;
-	struct cond_node *cur;
+	u32 i, nbools = 0;
rc = security_get_bools(state, &nbools, &bnames, &bvalues);
  	if (rc)
@@ -3012,8 +3012,8 @@ static int security_preserve_bools(struct selinux_state *state,
  		if (booldatum)
  			booldatum->state = bvalues[i];
  	}
-	for (cur = policydb->cond_list; cur; cur = cur->next)
-		evaluate_cond_node(policydb, cur);
+	for (i = 0; i < policydb->cond_list_len; i++)
+		evaluate_cond_node(policydb, &policydb->cond_list[i]);
out:
  	if (bnames) {





[Index of Archives]     [Selinux Refpolicy]     [Linux SGX]     [Fedora Users]     [Fedora Desktop]     [Yosemite Photos]     [Yosemite Camping]     [Yosemite Campsites]     [KDE Users]     [Gnome Users]

  Powered by Linux