Reinterpret the currently unused - and always initialized to 1 - member refcnt of the struct security_id to hold a unique number identifying the sidtab entry. This identifier can be used instead of the full context string within other data structures to minimize memory usage.
Signed-off-by: Christian Göttsche <cgzones@xxxxxxxxxxxxxx>
---
v2: add patch
---
 libselinux/include/selinux/avc.h | 2 +-
 libselinux/src/avc_sidtab.c | 9 +++++++--
 2 files changed, 8 insertions(+), 3 deletions(-)
diff --git a/libselinux/include/selinux/avc.h b/libselinux/include/selinux/avc.h
index 4bbd2382..361c5611 100644
--- a/libselinux/include/selinux/avc.h
+++ b/libselinux/include/selinux/avc.h
@@ -20,7 +20,7 @@ extern "C" {
 */
 struct security_id {
 char * ctx;
- unsigned int refcnt;
+ unsigned int id;
 };
 typedef struct security_id *security_id_t;
diff --git a/libselinux/src/avc_sidtab.c b/libselinux/src/avc_sidtab.c
index fce5bddf..9475dcb0 100644
--- a/libselinux/src/avc_sidtab.c
+++ b/libselinux/src/avc_sidtab.c
@@ -4,6 +4,7 @@
 * Author : Eamon Walsh, <ewalsh@xxxxxxxxxxxxxx>
 */
 #include <errno.h>
+#include <limits.h>
 #include <stdio.h>
 #include <stdlib.h>
 #include <stdint.h>
@@ -50,6 +51,11 @@ int sidtab_insert(struct sidtab *s, const char * ctx)
 struct sidtab_node *newnode;
 char * newctx;
+ if (s->nel >= UINT_MAX - 1) {
+ rc = -1;
+ goto out;
+ }
+
 newnode = (struct sidtab_node *)avc_malloc(sizeof(*newnode));
 if (!newnode) {
 rc = -1;
@@ -65,9 +71,8 @@ int sidtab_insert(struct sidtab *s, const char * ctx)
 hvalue = sidtab_hash(newctx);
 newnode->next = s->htable[hvalue];
 newnode->sid_s.ctx = newctx;
- newnode->sid_s.refcnt = 1; /* unused */
+ newnode->sid_s.id = ++s->nel;
 s->htable[hvalue] = newnode;
- s->nel++;
 out:
 return rc;
 }
--
2.43.0
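Review bot: Renaming the member of `struct security_id` from `refcnt` to `id` keeps the layout but breaks source compatibility for any out-of-tree caller that still names `refcnt`; the header sits under `include/selinux/`, so it appears to be installed API. The new field also carries no comment, and code that uses it as a key needs to know its contract. I would write `unsigned int id; /* unique per sidtab entry, assigned by sidtab_insert(); callers must not modify */` and mention the rename in the release notes. The comment block that documents the struct starts above this hunk.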
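Review bot: The new early exit in `sidtab_insert` sets `rc = -1` and jumps to `out` without setting `errno`, so a caller cannot tell an exhausted id space from any other failure; `<errno.h>` is already included in this file, so `errno = EOVERFLOW;` before `rc = -1;` would be enough (whether the other failure paths set errno is not visible in the hunk). The bound `s->nel >= UINT_MAX - 1` also stops one short of the largest representable value; if that is deliberate, to keep `UINT_MAX` out of the id space, a one-line comment such as `/* ids are nel + 1; UINT_MAX is never handed out */` would stop a later reader from "correcting" it. The function body starts above and continues below this hunk.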
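Review bot: `newnode->sid_s.id = ++s->nel;` makes the identifier a by-product of the element counter, so ids are unique only while `nel` never decreases or restarts. If the table can be emptied or reset elsewhere in this file (not visible here) and `nel` returns to zero, later entries would receive ids that earlier entries already held, and any structure that stored an id in place of the context string, as the commit message intends, could then resolve to a different security context. I would either keep a separate monotonically increasing counter for ids or state the invariant on this line, for example `/* id follows insertion order; valid only until the sidtab is destroyed */`, and make sure id-keyed caches are flushed together with the sidtab.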