On Sat, Jun 8, 2024 at 1:21 PM Christian Göttsche <cgoettsche@xxxxxxxxxxxxx> wrote:
>
> From: Christian Göttsche <cgzones@xxxxxxxxxxxxxx>
>
> Perform the lookup whether the class is in the current scope once, and
> not for every permission.
> This also ensures the class is checked to be in the current scope if
> there are no permissions attached.
>
> Signed-off-by: Christian Göttsche <cgzones@xxxxxxxxxxxxxx>
Acked-by: James Carter <jwcart2@xxxxxxxxx>
> ---
> libsepol/src/link.c | 38 ++++++++++++++++++--------------------
> 1 file changed, 18 insertions(+), 20 deletions(-)
>
> diff --git a/libsepol/src/link.c b/libsepol/src/link.c
> index b8272308..a6f2a251 100644
> --- a/libsepol/src/link.c
> +++ b/libsepol/src/link.c
> @@ -1925,7 +1925,7 @@ static int find_perm(hashtab_key_t key, hashtab_datum_t datum, void *varg)
> * Note that if a declaration had no requirement at all (e.g., an ELSE
> * block) this returns 1. */
> static int is_decl_requires_met(link_state_t * state,
> - avrule_decl_t * decl,
> + const avrule_decl_t * decl,
> struct missing_requirement *req)
> {
> /* (This algorithm is very unoptimized. It performs many
> @@ -1933,9 +1933,9 @@ static int is_decl_requires_met(link_state_t * state,
> * which symbols have been verified, so that they do not need
> * to be re-checked.) */
> unsigned int i, j;
> - ebitmap_t *bitmap;
> - char *id, *perm_id;
> - policydb_t *pol = state->base;
> + const ebitmap_t *bitmap;
> + const char *id, *perm_id;
> + const policydb_t *pol = state->base;
> ebitmap_node_t *node;
>
> /* check that all symbols have been satisfied */
> @@ -1961,27 +1961,25 @@ static int is_decl_requires_met(link_state_t * state,
> }
> /* check that all classes and permissions have been satisfied */
> for (i = 0; i < decl->required.class_perms_len; i++) {
> + const class_datum_t *cladatum = pol->class_val_to_struct[i];
> + const scope_datum_t *scope;
> +
> + bitmap = &decl->required.class_perms_map[i];
> + id = pol->p_class_val_to_name[i];
> +
> +
> + scope = hashtab_search(state->base->p_classes_scope.table, id);
> + if (scope == NULL) {
> + ERR(state->handle,
> + "Could not find scope information for class %s",
> + id);
> + return -1;
> + }
>
> - bitmap = decl->required.class_perms_map + i;
> ebitmap_for_each_positive_bit(bitmap, node, j) {
> struct find_perm_arg fparg;
> - class_datum_t *cladatum;
> uint32_t perm_value = j + 1;
> int rc;
> - scope_datum_t *scope;
> -
> - id = pol->p_class_val_to_name[i];
> - cladatum = pol->class_val_to_struct[i];
> -
> - scope =
> - hashtab_search(state->base->p_classes_scope.table,
> - id);
> - if (scope == NULL) {
> - ERR(state->handle,
> - "Could not find scope information for class %s",
> - id);
> - return -1;
> - }
>
> fparg.valuep = perm_value;
> fparg.key = NULL;
> --
> 2.45.1
>
>
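Review bot: The hoisted lookup at the top of the `for` loop now reads `pol->class_val_to_struct[i]` and `pol->p_class_val_to_name[i]` for every index below `class_perms_len`, where the old code read them only when the bitmap had a bit set. If a class slot can be empty at this point (not visible in this hunk), `id` is NULL when it reaches `hashtab_search()` and the `%s` in `ERR()`; a guard such as `if (cladatum == NULL) continue;` before the lookup would keep such slots skipped, though whether to skip or fail there should be confirmed against how the base policy arrays are filled. The lookup could also use `pol->p_classes_scope.table` to match the `pol` local, and the two consecutive blank `+` lines after the `id` assignment can be one. The loop body continues past the end of the hunk.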