From patchwork Mon Oct 3 11:44:50 2016
X-Patchwork-Submitter: Gary Tierney
X-Patchwork-Id: 9360489
From: Gary Tierney
To: selinux@tycho.nsa.gov
Subject: [PATCH v2 1/1] libsepol/cil: create user and role caches when building binary policy
Date: Mon, 3 Oct 2016 12:44:50 +0100
Message-Id: <357ffe964dc8190d1945d6147e241bce587a0004.1475494730.git.gary.tierney@gmx.com>
X-Mailer: git-send-email 2.4.11

Pre-expands the role and user caches used in context validation when converting a cildb to a binary policydb.
This is currently only done when loading a binary policy and prevents context validation from working correctly with a newly built policy (i.e., when semanage builds a new policy and then runs genhomedircon). Also adds declarations for the hashtable mapping functions used: policydb_role_cache and policydb_user_cache(). Signed-off-by: Gary Tierney --- libsepol/cil/src/cil_binary.c | 13 +++++++++++++ libsepol/include/sepol/policydb/policydb.h | 8 ++++++++ 2 files changed, 21 insertions(+) diff --git a/libsepol/cil/src/cil_binary.c b/libsepol/cil/src/cil_binary.c index cc73648..5402272 100644 --- a/libsepol/cil/src/cil_binary.c +++ b/libsepol/cil/src/cil_binary.c @@ -4794,6 +4794,19 @@ int cil_binary_create_allocated_pdb(const struct cil_db *db, sepol_policydb_t *p } + /* This pre-expands the roles and users for context validity checking */ + if (hashtab_map(pdb->p_roles.table, policydb_role_cache, pdb)) { + cil_log(CIL_INFO, "Failure creating roles cache"); + rc = SEPOL_ERR; + goto exit; + } + + if (hashtab_map(pdb->p_users.table, policydb_user_cache, pdb)) { + cil_log(CIL_INFO, "Failure creating users cache"); + rc = SEPOL_ERR; + goto exit; + } + rc = SEPOL_OK; exit: diff --git a/libsepol/include/sepol/policydb/policydb.h b/libsepol/include/sepol/policydb/policydb.h index 26cec13..d99fcf4 100644 --- a/libsepol/include/sepol/policydb/policydb.h +++ b/libsepol/include/sepol/policydb/policydb.h @@ -608,6 +608,14 @@ extern int policydb_index_bools(policydb_t * p); extern int policydb_index_others(sepol_handle_t * handle, policydb_t * p, unsigned int verbose); +extern int policydb_role_cache(hashtab_key_t key, + hashtab_datum_t datum, + void *arg); + +extern int policydb_user_cache(hashtab_key_t key, + hashtab_datum_t datum, + void *arg); + extern int policydb_reindex_users(policydb_t * p); extern void policydb_destroy(policydb_t * p);
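Review bot: in the cil_binary.c hunk (cil_binary_create_allocated_pdb), both new failure paths log at CIL_INFO immediately before setting rc = SEPOL_ERR, so a cache-build failure aborts the policy build while its only diagnostic is emitted at informational level. Suggest CIL_ERR for "Failure creating roles cache" and "Failure creating users cache" so the cause is reported at the same severity as the error return. Both strings also have no trailing newline; if cil_log does not append one, add "\n" to each.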
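Review bot: in the policydb.h hunk, policydb_role_cache and policydb_user_cache are declared in a header under libsepol/include with no comment saying that they are hashtab_map callbacks or what arg must point to. The cil_binary.c call sites pass pdb, the policy database whose p_roles and p_users tables are being mapped, so a short comment above the declarations stating that requirement would keep other callers from handing an unrelated pointer through void *arg. The diffstat lists only cil_binary.c and policydb.h, so it is also worth confirming that both definitions already have external linkage, since nothing in this patch changes them.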