On Tue, Jun 11, 2024 at 2:27 PM James Carter <jwcart2@xxxxxxxxx> wrote: > > On Sat, Jun 8, 2024 at 1:21 PM Christian Göttsche > <cgoettsche@xxxxxxxxxxxxx> wrote: > > > > From: Christian Göttsche <cgzones@xxxxxxxxxxxxxx> > > > > Perform the lookup whether the class is in the current scope once, and > > not for every permission. > > This also ensures the class is checked to be in the current scope if > > there are no permissions attached. > > > > Signed-off-by: Christian Göttsche <cgzones@xxxxxxxxxxxxxx> > > Acked-by: James Carter <jwcart2@xxxxxxxxx> > These two patches have been merged. Thanks, Jim
> > ---
> > libsepol/src/link.c | 38 ++++++++++++++++++--------------------
> > 1 file changed, 18 insertions(+), 20 deletions(-)
> >
> > diff --git a/libsepol/src/link.c b/libsepol/src/link.c
> > index b8272308..a6f2a251 100644
> > --- a/libsepol/src/link.c
> > +++ b/libsepol/src/link.c
> > @@ -1925,7 +1925,7 @@ static int find_perm(hashtab_key_t key, hashtab_datum_t datum, void *varg)
> > * Note that if a declaration had no requirement at all (e.g., an ELSE
> > * block) this returns 1. */
> > static int is_decl_requires_met(link_state_t * state,
> > - avrule_decl_t * decl,
> > + const avrule_decl_t * decl,
> > struct missing_requirement *req)
> > {
> > /* (This algorithm is very unoptimized. It performs many
> > @@ -1933,9 +1933,9 @@ static int is_decl_requires_met(link_state_t * state,
> > * which symbols have been verified, so that they do not need
> > * to be re-checked.) */
> > unsigned int i, j;
> > - ebitmap_t *bitmap;
> > - char *id, *perm_id;
> > - policydb_t *pol = state->base;
> > + const ebitmap_t *bitmap;
> > + const char *id, *perm_id;
> > + const policydb_t *pol = state->base;
> > ebitmap_node_t *node;
> >
> > /* check that all symbols have been satisfied */
> > @@ -1961,27 +1961,25 @@ static int is_decl_requires_met(link_state_t * state,
> > }
> > /* check that all classes and permissions have been satisfied */
> > for (i = 0; i < decl->required.class_perms_len; i++) {
> > + const class_datum_t *cladatum = pol->class_val_to_struct[i];
> > + const scope_datum_t *scope;
> > +
> > + bitmap = &decl->required.class_perms_map[i];
> > + id = pol->p_class_val_to_name[i];
> > +
> > +
> > + scope = hashtab_search(state->base->p_classes_scope.table, id);
> > + if (scope == NULL) {
> > + ERR(state->handle,
> > + "Could not find scope information for class %s",
> > + id);
> > + return -1;
> > + }
> >
> > - bitmap = decl->required.class_perms_map + i;
> > ebitmap_for_each_positive_bit(bitmap, node, j) {
> > struct find_perm_arg fparg;
> > - class_datum_t *cladatum;
> > uint32_t perm_value = j + 1;
> > int rc;
> > - scope_datum_t *scope;
> > -
> > - id = pol->p_class_val_to_name[i];
> > - cladatum = pol->class_val_to_struct[i];
> > -
> > - scope =
> > - hashtab_search(state->base->p_classes_scope.table,
> > - id);
> > - if (scope == NULL) {
> > - ERR(state->handle,
> > - "Could not find scope information for class %s",
> > - id);
> > - return -1;
> > - }
> >
> > fparg.valuep = perm_value;
> > fparg.key = NULL;
> > --
> > 2.45.1
> >
> >
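Review bot: With the lookup hoisted, `pol->class_val_to_struct[i]`, `pol->p_class_val_to_name[i]` and the `hashtab_search()` on `id` now run for every `i < decl->required.class_perms_len`, where before they ran only for indices whose bitmap had a bit set. The loop bound comes from the declaration while both arrays belong to `state->base`, and nothing in the hunk shows that the base has a class at every such index. If it has fewer classes than `class_perms_len`, or a gap at that value, the new lines index past the array or pass a NULL `id` to `hashtab_search()` and to the `%s` in `ERR()`. I would make the assumption explicit before the lookup, for example by stopping at `pol->p_classes.nprim` and adding `if (cladatum == NULL) continue;` (or an error return, if a missing class should fail the link). The body of the `ebitmap_for_each_positive_bit` loop continues outside the hunk, so how `cladatum` and `scope` are used afterwards is not visible here.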