From patchwork Sat Jun 8 17:21:41 2024
X-Patchwork-Submitter: Christian Göttsche
X-Patchwork-Id: 13691059
X-Patchwork-Delegate: plautrba@redhat.com
From: Christian Göttsche
To: selinux@vger.kernel.org
Cc: Christian Göttsche
Subject: [PATCH 1/2] libsepol: move unchanged data out of loop
Date: Sat, 8 Jun 2024 19:21:41 +0200
Message-ID: <20240608172142.138894-1-cgoettsche@seltendoof.de>
Reply-To: cgzones@googlemail.com
X-Mailing-List: selinux@vger.kernel.org

Perform the lookup whether the class is in the current scope once, and not for every permission.

This also ensures the class is checked to be in the current scope if there are no permissions attached.

Signed-off-by: Christian Göttsche
Acked-by: James Carter
---
 libsepol/src/link.c | 38 ++++++++++++++++++--------------------
 1 file changed, 18 insertions(+), 20 deletions(-)

diff --git a/libsepol/src/link.c b/libsepol/src/link.c
index b8272308..a6f2a251 100644
--- a/libsepol/src/link.c
+++ b/libsepol/src/link.c
@@ -1925,7 +1925,7 @@ static int find_perm(hashtab_key_t key, hashtab_datum_t datum, void *varg) * Note that if a declaration had no requirement at all (e.g., an ELSE * block) this returns 1. */ static int is_decl_requires_met(link_state_t * state, - avrule_decl_t * decl, + const avrule_decl_t * decl, struct missing_requirement *req) { /* (This algorithm is very unoptimized. It performs many @@ -1933,9 +1933,9 @@ static int is_decl_requires_met(link_state_t * state, * which symbols have been verified, so that they do not need * to be re-checked.) */ unsigned int i, j; - ebitmap_t *bitmap; - char *id, *perm_id; - policydb_t *pol = state->base; + const ebitmap_t *bitmap; + const char *id, *perm_id; + const policydb_t *pol = state->base; ebitmap_node_t *node; /* check that all symbols have been satisfied */ 
@@ -1961,27 +1961,25 @@ static int is_decl_requires_met(link_state_t * state, } /* check that all classes and permissions have been satisfied */ for (i = 0; i < decl->required.class_perms_len; i++) { + const class_datum_t *cladatum = pol->class_val_to_struct[i]; + const scope_datum_t *scope; + + bitmap = &decl->required.class_perms_map[i]; + id = pol->p_class_val_to_name[i]; + + + scope = hashtab_search(state->base->p_classes_scope.table, id); + if (scope == NULL) { + ERR(state->handle, + "Could not find scope information for class %s", + id); + return -1; + } - bitmap = decl->required.class_perms_map + i; ebitmap_for_each_positive_bit(bitmap, node, j) { struct find_perm_arg fparg; - class_datum_t *cladatum; uint32_t perm_value = j + 1; int rc; - scope_datum_t *scope; - - id = pol->p_class_val_to_name[i]; - cladatum = pol->class_val_to_struct[i]; - - scope = - hashtab_search(state->base->p_classes_scope.table, - id); - if (scope == NULL) { - ERR(state->handle, - "Could not find scope information for class %s", - id); - return -1; - } fparg.valuep = perm_value; fparg.key = NULL; From patchwork Sat Jun 8 17:21:42 2024 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 8bit X-Patchwork-Submitter: =?utf-8?q?Christian_G=C3=B6ttsche?= X-Patchwork-Id: 13691060 X-Patchwork-Delegate: plautrba@redhat.com Received: from server02.seltendoof.de (server02.seltendoof.de [168.119.48.163]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 6EFC0134B1 for ; Sat, 8 Jun 2024 17:21:48 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=168.119.48.163 ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1717867310; cv=none; b=VTlyHDHsQHoCpGJXV9sJ6mlYZaHtwUMbexpUYdw1Tz9cSnUeq5lpcCIHKXCCKHmqTPdweVztpjFk6gNA1dqwtUIjiaaSSvW8W729UooqUSxgvvUd2YBokZVFbVFXSm09zDyjcChSPtacP0+UFPhLuCKQr/su0SgSXcE7FclQYEQ= 
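Review bot: in the is_decl_requires_met() hunk of patch 1, the two consecutive `+` lines following `id = pol->p_class_val_to_name[i];` introduce a double blank line; one is enough. Hoisting `cladatum`, `bitmap`, `id` and the scope lookup in front of ebitmap_for_each_positive_bit() is otherwise sound: a class required with an empty permission map is now checked to be in scope instead of being skipped, as the commit message states, and the `return -1` on a missing scope entry is unchanged.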
From patchwork Sat Jun 8 17:21:42 2024
X-Patchwork-Id: 13691060
From: Christian Göttsche
To: selinux@vger.kernel.org
Cc: Christian Göttsche
Subject: [PATCH 2/2] libsepol: rework permission enabled check
Date: Sat, 8 Jun 2024 19:21:42 +0200
Message-ID: <20240608172142.138894-2-cgoettsche@seltendoof.de>
In-Reply-To: <20240608172142.138894-1-cgoettsche@seltendoof.de>
References: <20240608172142.138894-1-cgoettsche@seltendoof.de>
Reply-To: cgzones@googlemail.com
X-Mailing-List: selinux@vger.kernel.org

Check the class is defined once, and not for every permission via is_perm_enabled().

Also pass the class datum to avoid an unnecessary name lookup.

Signed-off-by: Christian Göttsche
Acked-by: James Carter
---
 .../include/sepol/policydb/avrule_block.h | 4 +-
 libsepol/src/avrule_block.c | 27 +++++++------------
 libsepol/src/link.c | 6 ++++-
 3 files changed, 17 insertions(+), 20 deletions(-)

diff --git a/libsepol/include/sepol/policydb/avrule_block.h b/libsepol/include/sepol/policydb/avrule_block.h
index 27047d43..18a1dc78 100644
--- a/libsepol/include/sepol/policydb/avrule_block.h
+++ b/libsepol/include/sepol/policydb/avrule_block.h
@@ -35,8 +35,8 @@ extern avrule_decl_t *get_avrule_decl(policydb_t * p, uint32_t decl_id); extern cond_list_t *get_decl_cond_list(policydb_t * p, avrule_decl_t * decl, cond_list_t * cond); -extern int is_id_enabled(char *id, policydb_t * p, int symbol_table); -extern int is_perm_enabled(char *class_id, char *perm_id, policydb_t * p); +extern int is_id_enabled(const char *id, const policydb_t * p, int symbol_table); +extern int is_perm_existent(const class_datum_t *cladatum, const char *perm_id); #ifdef __cplusplus } diff --git a/libsepol/src/avrule_block.c b/libsepol/src/avrule_block.c index dcfce8b8..547021e9 100644 --- a/libsepol/src/avrule_block.c +++ b/libsepol/src/avrule_block.c @@ -152,11 +152,11 @@ cond_list_t *get_decl_cond_list(policydb_t * p, avrule_decl_t * decl, * marked as SCOPE_DECL, and any of its declaring block has been enabled, * then return 1. Otherwise return 0. Can only be called after the * decl_val_to_struct index has been created */ -int is_id_enabled(char *id, policydb_t * p, int symbol_table) +int is_id_enabled(const char *id, const policydb_t * p, int symbol_table) { - scope_datum_t *scope = + const scope_datum_t *scope = (scope_datum_t *) hashtab_search(p->scope[symbol_table].table, id); - avrule_decl_t *decl; + const avrule_decl_t *decl; uint32_t len; if (scope == NULL) { 
@@ -189,21 +189,14 @@ int is_id_enabled(char *id, policydb_t * p, int symbol_table) return 0; } -/* Check if a particular permission is present within the given class, - * and that the class is enabled. Returns 1 if both conditions are - * true, 0 if neither could be found or if the class id disabled. */ -int is_perm_enabled(char *class_id, char *perm_id, policydb_t * p) +/* Check if a particular permission is present within the given class. + * Whether the class is enabled is NOT checked. + * Returns 1 if both conditions are true, + * 0 if neither could be found or if the class id disabled. */ +int is_perm_existent(const class_datum_t *cladatum, const char *perm_id) { - class_datum_t *cladatum; - perm_datum_t *perm; - if (!is_id_enabled(class_id, p, SYM_CLASSES)) { - return 0; - } - cladatum = - (class_datum_t *) hashtab_search(p->p_classes.table, class_id); - if (cladatum == NULL) { - return 0; - } + const perm_datum_t *perm; + perm = hashtab_search(cladatum->permissions.table, perm_id); if (perm == NULL && cladatum->comdatum != 0) { /* permission was not in this class. before giving diff --git a/libsepol/src/link.c b/libsepol/src/link.c index a6f2a251..9281a986 100644 --- a/libsepol/src/link.c +++ b/libsepol/src/link.c @@ -1968,6 +1968,10 @@ static int is_decl_requires_met(link_state_t * state, id = pol->p_class_val_to_name[i]; + if (!is_id_enabled(id, state->base, SYM_CLASSES)) { + return 0; + } + scope = hashtab_search(state->base->p_classes_scope.table, id); if (scope == NULL) { ERR(state->handle, @@ -1994,7 +1998,7 @@ static int is_decl_requires_met(link_state_t * state, perm_id = fparg.key; assert(perm_id != NULL); - if (!is_perm_enabled(id, perm_id, state->base)) { + if (!is_perm_existent(cladatum, perm_id)) { if (req != NULL) { req->symbol_type = SYM_CLASSES; req->symbol_value = i + 1;
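Review bot: the avrule_block.h hunk removes the `is_perm_enabled` prototype and changes the `is_id_enabled` prototype in a header under libsepol/include/sepol, which is the installed public header directory; confirm neither symbol is part of the exported symbol map before treating this as an internal cleanup, and if either is, say so in the commit message.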
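Review bot: in the first avrule_block.c hunk, `scope` becomes `const scope_datum_t *` but its initializer still casts the hashtab_search() result to non-const `(scope_datum_t *)`; drop the cast (the later link.c context line `scope = hashtab_search(state->base->p_classes_scope.table, id);` assigns without one) or make it `(const scope_datum_t *)` so the qualifier is not stripped and re-added.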
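Review bot: the new comment on is_perm_existent() in the second avrule_block.c hunk is stale: it still says `Returns 1 if both conditions are true,` and `0 if neither could be found or if the class id disabled`, but the function now checks a single condition and, as the line above it says, no longer looks at whether the class is enabled. Suggest `Returns 1 if the permission is found in the class or its common, 0 otherwise.` (which also fixes `class id disabled`).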
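Review bot: in the first link.c hunk, `if (!is_id_enabled(id, state->base, SYM_CLASSES)) { return 0; }` returns without populating `req`, whereas the old is_perm_enabled() path for a disabled class fell through to the branch visible in the next hunk that sets `req->symbol_type = SYM_CLASSES;` and `req->symbol_value = i + 1;`. A caller passing a non-NULL `req` to learn which requirement is unmet now gets nothing for a disabled class; either fill `req` before the early return or explain in the commit message why that is acceptable.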