Message ID | 20230814132025.45364-22-cgzones@googlemail.com (mailing list archive) |
---|---|
State | Accepted |
Commit | c81c76cb6bf4 |
Delegated to: | Petr Lautrbach |
Series | libselinux: rework selabel_file(5) database | expand |
On Mon, Aug 14, 2023 at 9:42 AM Christian Göttsche <cgzones@googlemail.com> wrote: > > Move the check whether to validate or not to the caller, to avoid all > having to carry the complete selabel_handle around. > > Signed-off-by: Christian Göttsche <cgzones@googlemail.com> Acked-by: James Carter <jwcart2@gmail.com> > --- > libselinux/src/label.c | 5 ++--- > libselinux/src/label_backends_android.c | 2 +- > libselinux/src/label_file.c | 2 +- > libselinux/src/label_internal.h | 3 +-- > libselinux/src/matchpathcon.c | 7 ++++--- > 5 files changed, 9 insertions(+), 10 deletions(-) > > diff --git a/libselinux/src/label.c b/libselinux/src/label.c > index 9a972f79..1ea9bdcd 100644 > --- a/libselinux/src/label.c > +++ b/libselinux/src/label.c > @@ -119,12 +119,11 @@ static inline int selabel_is_validate_set(const struct selinux_opt *opts, > return 0; > } > > -int selabel_validate(const struct selabel_handle *rec, > - struct selabel_lookup_rec *contexts) > +int selabel_validate(struct selabel_lookup_rec *contexts) > { > int rc = 0; > > - if (!rec->validating || contexts->validated) > + if (contexts->validated) > goto out; > > rc = selinux_validate(&contexts->ctx_raw); > diff --git a/libselinux/src/label_backends_android.c b/libselinux/src/label_backends_android.c > index 6494f3cd..cd3875fc 100644 > --- a/libselinux/src/label_backends_android.c > +++ b/libselinux/src/label_backends_android.c > @@ -126,7 +126,7 @@ static int process_line(struct selabel_handle *rec, > spec_arr[nspec].lr.ctx_raw = context; > > if (rec->validating) { > - if (selabel_validate(rec, &spec_arr[nspec].lr) < 0) { > + if (selabel_validate(&spec_arr[nspec].lr) < 0) { > selinux_log(SELINUX_ERROR, > "%s: line %u has invalid context %s\n", > path, lineno, spec_arr[nspec].lr.ctx_raw); > diff --git a/libselinux/src/label_file.c b/libselinux/src/label_file.c > index a5677411..64b58d42 100644 > --- a/libselinux/src/label_file.c > +++ b/libselinux/src/label_file.c 
> @@ -404,7 +404,7 @@ end_arch_check: > spec->lr.ctx_raw = str_buf; > > if (strcmp(spec->lr.ctx_raw, "<<none>>") && rec->validating) { > - if (selabel_validate(rec, &spec->lr) < 0) { > + if (selabel_validate(&spec->lr) < 0) { > selinux_log(SELINUX_ERROR, > "%s: context %s is invalid\n", > path, spec->lr.ctx_raw); > diff --git a/libselinux/src/label_internal.h b/libselinux/src/label_internal.h > index bc5a6928..ea60cd9a 100644 > --- a/libselinux/src/label_internal.h > +++ b/libselinux/src/label_internal.h > @@ -118,8 +118,7 @@ struct selabel_handle { > * Validation function > */ > extern int > -selabel_validate(const struct selabel_handle *rec, > - struct selabel_lookup_rec *contexts) ; > +selabel_validate(struct selabel_lookup_rec *contexts); > > /* > * Compatibility support > diff --git a/libselinux/src/matchpathcon.c b/libselinux/src/matchpathcon.c > index 971ace62..4ed25ce9 100644 > --- a/libselinux/src/matchpathcon.c > +++ b/libselinux/src/matchpathcon.c > @@ -46,8 +46,8 @@ int compat_validate(const struct selabel_handle *rec, > rc = myinvalidcon(path, lineno, *ctx); > else if (mycanoncon) > rc = mycanoncon(path, lineno, ctx); > - else { > - rc = selabel_validate(rec, contexts); > + else if (rec->validating) { > + rc = selabel_validate(contexts); > if (rc < 0) { > if (lineno) { > COMPAT_LOG(SELINUX_WARNING, > @@ -58,7 +58,8 @@ int compat_validate(const struct selabel_handle *rec, > "%s: has invalid context %s\n", path, *ctx); > } > } > - } > + } else > + rc = 0; > > return rc ? -1 : 0; > } > -- > 2.40.1 >
On Wed, Oct 11, 2023 at 2:49 PM James Carter <jwcart2@gmail.com> wrote: > > On Mon, Aug 14, 2023 at 9:42 AM Christian Göttsche > <cgzones@googlemail.com> wrote: > > > > Move the check whether to validate or not to the caller, to avoid all > > having to carry the complete selabel_handle around. > > > > Signed-off-by: Christian Göttsche <cgzones@googlemail.com> > > Acked-by: James Carter <jwcart2@gmail.com> > Merged. Thanks, Jim > > --- > > libselinux/src/label.c | 5 ++--- > > libselinux/src/label_backends_android.c | 2 +- > > libselinux/src/label_file.c | 2 +- > > libselinux/src/label_internal.h | 3 +-- > > libselinux/src/matchpathcon.c | 7 ++++--- > > 5 files changed, 9 insertions(+), 10 deletions(-) > > > > diff --git a/libselinux/src/label.c b/libselinux/src/label.c > > index 9a972f79..1ea9bdcd 100644 > > --- a/libselinux/src/label.c > > +++ b/libselinux/src/label.c > > @@ -119,12 +119,11 @@ static inline int selabel_is_validate_set(const struct selinux_opt *opts, > > return 0; > > } > > > > -int selabel_validate(const struct selabel_handle *rec, > > - struct selabel_lookup_rec *contexts) > > +int selabel_validate(struct selabel_lookup_rec *contexts) > > { > > int rc = 0; > > > > - if (!rec->validating || contexts->validated) > > + if (contexts->validated) > > goto out; > > > > rc = selinux_validate(&contexts->ctx_raw); > > diff --git a/libselinux/src/label_backends_android.c b/libselinux/src/label_backends_android.c > > index 6494f3cd..cd3875fc 100644 > > --- a/libselinux/src/label_backends_android.c > > +++ b/libselinux/src/label_backends_android.c > > @@ -126,7 +126,7 @@ static int process_line(struct selabel_handle *rec, > > spec_arr[nspec].lr.ctx_raw = context; > > > > if (rec->validating) { > > - if (selabel_validate(rec, &spec_arr[nspec].lr) < 0) { > > + if (selabel_validate(&spec_arr[nspec].lr) < 0) { > > selinux_log(SELINUX_ERROR, > > "%s: line %u has invalid context %s\n", > > path, lineno, spec_arr[nspec].lr.ctx_raw); 
> > diff --git a/libselinux/src/label_file.c b/libselinux/src/label_file.c > > index a5677411..64b58d42 100644 > > --- a/libselinux/src/label_file.c > > +++ b/libselinux/src/label_file.c > > @@ -404,7 +404,7 @@ end_arch_check: > > spec->lr.ctx_raw = str_buf; > > > > if (strcmp(spec->lr.ctx_raw, "<<none>>") && rec->validating) { > > - if (selabel_validate(rec, &spec->lr) < 0) { > > + if (selabel_validate(&spec->lr) < 0) { > > selinux_log(SELINUX_ERROR, > > "%s: context %s is invalid\n", > > path, spec->lr.ctx_raw); > > diff --git a/libselinux/src/label_internal.h b/libselinux/src/label_internal.h > > index bc5a6928..ea60cd9a 100644 > > --- a/libselinux/src/label_internal.h > > +++ b/libselinux/src/label_internal.h > > @@ -118,8 +118,7 @@ struct selabel_handle { > > * Validation function > > */ > > extern int > > -selabel_validate(const struct selabel_handle *rec, > > - struct selabel_lookup_rec *contexts) ; > > +selabel_validate(struct selabel_lookup_rec *contexts); > > > > /* > > * Compatibility support > > diff --git a/libselinux/src/matchpathcon.c b/libselinux/src/matchpathcon.c > > index 971ace62..4ed25ce9 100644 > > --- a/libselinux/src/matchpathcon.c > > +++ b/libselinux/src/matchpathcon.c > > @@ -46,8 +46,8 @@ int compat_validate(const struct selabel_handle *rec, > > rc = myinvalidcon(path, lineno, *ctx); > > else if (mycanoncon) > > rc = mycanoncon(path, lineno, ctx); > > - else { > > - rc = selabel_validate(rec, contexts); > > + else if (rec->validating) { > > + rc = selabel_validate(contexts); > > if (rc < 0) { > > if (lineno) { > > COMPAT_LOG(SELINUX_WARNING, > > @@ -58,7 +58,8 @@ int compat_validate(const struct selabel_handle *rec, > > "%s: has invalid context %s\n", path, *ctx); > > } > > } > > - } > > + } else > > + rc = 0; > > > > return rc ? -1 : 0; > > } > > -- > > 2.40.1 > >
diff --git a/libselinux/src/label.c b/libselinux/src/label.c
index 9a972f79..1ea9bdcd 100644
--- a/libselinux/src/label.c
+++ b/libselinux/src/label.c
@@ -119,12 +119,11 @@ static inline int selabel_is_validate_set(const struct selinux_opt *opts,
 return 0;
 }
 
-int selabel_validate(const struct selabel_handle *rec,
- struct selabel_lookup_rec *contexts)
+int selabel_validate(struct selabel_lookup_rec *contexts)
 {
 int rc = 0;
 
- if (!rec->validating || contexts->validated)
+ if (contexts->validated)
 goto out;
 
 rc = selinux_validate(&contexts->ctx_raw);
diff --git a/libselinux/src/label_backends_android.c b/libselinux/src/label_backends_android.c
index 6494f3cd..cd3875fc 100644
--- a/libselinux/src/label_backends_android.c
+++ b/libselinux/src/label_backends_android.c
@@ -126,7 +126,7 @@ static int process_line(struct selabel_handle *rec,
 spec_arr[nspec].lr.ctx_raw = context;
 
 if (rec->validating) {
- if (selabel_validate(rec, &spec_arr[nspec].lr) < 0) {
+ if (selabel_validate(&spec_arr[nspec].lr) < 0) {
 selinux_log(SELINUX_ERROR,
 "%s: line %u has invalid context %s\n",
 path, lineno, spec_arr[nspec].lr.ctx_raw);
diff --git a/libselinux/src/label_file.c b/libselinux/src/label_file.c
index a5677411..64b58d42 100644
--- a/libselinux/src/label_file.c
+++ b/libselinux/src/label_file.c
@@ -404,7 +404,7 @@ end_arch_check:
 spec->lr.ctx_raw = str_buf;
 
 if (strcmp(spec->lr.ctx_raw, "<<none>>") && rec->validating) {
- if (selabel_validate(rec, &spec->lr) < 0) {
+ if (selabel_validate(&spec->lr) < 0) {
 selinux_log(SELINUX_ERROR,
 "%s: context %s is invalid\n",
 path, spec->lr.ctx_raw);
diff --git a/libselinux/src/label_internal.h b/libselinux/src/label_internal.h
index bc5a6928..ea60cd9a 100644
--- a/libselinux/src/label_internal.h
+++ b/libselinux/src/label_internal.h
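Review bot: selabel_validate() in label.c no longer tests `rec->validating`, so that test is now a precondition on every caller, and neither the definition nor the `Validation function` comment on its declaration in label_internal.h says so. The three call sites in this patch (process_line() in label_backends_android.c, the label_file.c hunk and compat_validate() in matchpathcon.c) all keep the guard, so behaviour looks unchanged here. A later caller that forgets it would run selinux_validate() on a handle that did not ask for validation. I would extend the header comment to something like `/* Validates contexts->ctx_raw unless contexts->validated is set; callers must check rec->validating first. */`. The body of selabel_validate() continues past the end of the hunk.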
@@ -118,8 +118,7 @@ struct selabel_handle {
 * Validation function
 */
 extern int
-selabel_validate(const struct selabel_handle *rec,
- struct selabel_lookup_rec *contexts) ;
+selabel_validate(struct selabel_lookup_rec *contexts);
 
 /*
 * Compatibility support
diff --git a/libselinux/src/matchpathcon.c b/libselinux/src/matchpathcon.c
index 971ace62..4ed25ce9 100644
--- a/libselinux/src/matchpathcon.c
+++ b/libselinux/src/matchpathcon.c
@@ -46,8 +46,8 @@ int compat_validate(const struct selabel_handle *rec,
 rc = myinvalidcon(path, lineno, *ctx);
 else if (mycanoncon)
 rc = mycanoncon(path, lineno, ctx);
- else {
- rc = selabel_validate(rec, contexts);
+ else if (rec->validating) {
+ rc = selabel_validate(contexts);
 if (rc < 0) {
 if (lineno) {
 COMPAT_LOG(SELINUX_WARNING,
@@ -58,7 +58,8 @@ int compat_validate(const struct selabel_handle *rec,
 "%s: has invalid context %s\n", path, *ctx);
 }
 }
- }
+ } else
+ rc = 0;
 
 return rc ? -1 : 0;
 }
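Review bot: In the second matchpathcon.c hunk the new tail of the chain is `} else` followed by an unbraced `rc = 0;`, directly after the multi-line braced `else if (rec->validating) {` block. Mixing braced and unbraced branches makes it easy to attach a later statement to the wrong arm of a chain that decides whether a context was accepted. Bracing it as `} else {`, `rc = 0;`, `}` keeps the arms uniform. If `rc` is already initialised where it is declared, which is outside both hunks, the explicit branch may be redundant; that is worth confirming. compat_validate() starts before the first hunk.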
Move the check whether to validate or not to the caller, to avoid all having to carry the complete selabel_handle around. Signed-off-by: Christian Göttsche <cgzones@googlemail.com> --- libselinux/src/label.c | 5 ++--- libselinux/src/label_backends_android.c | 2 +- libselinux/src/label_file.c | 2 +- libselinux/src/label_internal.h | 3 +-- libselinux/src/matchpathcon.c | 7 ++++--- 5 files changed, 9 insertions(+), 10 deletions(-)