xselinux: Remove reference counting calls for SID objects.

Starting with libselinux 2.0.86, SID objects are no longer
reference counted and the sidput() and sidget() calls are no-ops.

Signed-off-by: Eamon Walsh <ewalsh@tycho.nsa.gov>
Reviewed-by: Keith Packard <keithp@keithp.com>
Eamon Walsh 2010-01-06 12:52:51 -05:00
parent 0c4b75a089
commit eb9210097e
3 changed files with 20 additions and 73 deletions


@ -132,7 +132,6 @@ ProcSELinuxSetCreateContext(ClientPtr client, unsigned offset)
ptr = dixLookupPrivate(privPtr, subjectKey);
pSid = (security_id_t *)(ptr + offset);
sidput(*pSid);
*pSid = NULL;
rc = Success;
@ -193,11 +192,9 @@ ProcSELinuxSetDeviceContext(ClientPtr client)
}
subj = dixLookupPrivate(&dev->devPrivates, subjectKey);
sidput(subj->sid);
subj->sid = sid;
obj = dixLookupPrivate(&dev->devPrivates, objectKey);
sidput(obj->sid);
sidget(obj->sid = sid);
obj->sid = sid;
rc = Success;
out:


@ -69,9 +69,6 @@ DevPrivateKey dataKey = &dataKeyIndex;
/* audit file descriptor */
static int audit_fd;
/* whether AVC is active */
static int avc_active;
/* atoms for window label properties */
static Atom atom_ctx;
static Atom atom_client_ctx;
@ -125,9 +122,7 @@ SELinuxLabelClient(ClientPtr client)
security_context_t ctx;
subj = dixLookupPrivate(&client->devPrivates, subjectKey);
sidput(subj->sid);
obj = dixLookupPrivate(&client->devPrivates, objectKey);
sidput(obj->sid);
/* Try to get a context from the socket */
if (fd < 0 || getpeercon_raw(fd, &ctx) < 0) {
@ -170,7 +165,7 @@ finish:
FatalError("SELinux: client %d: context_to_sid_raw(%s) failed\n",
client->index, ctx);
sidget(obj->sid = subj->sid);
obj->sid = subj->sid;
freecon(ctx);
}
@ -191,7 +186,6 @@ SELinuxLabelInitial(void)
subj = dixLookupPrivate(&serverClient->devPrivates, subjectKey);
obj = dixLookupPrivate(&serverClient->devPrivates, objectKey);
subj->privileged = 1;
sidput(subj->sid);
/* Use the context of the X server process for the serverClient */
if (getcon_raw(&ctx) < 0)
@ -201,7 +195,7 @@ SELinuxLabelInitial(void)
if (avc_context_to_sid_raw(ctx, &subj->sid) < 0)
FatalError("SELinux: serverClient: context_to_sid(%s) failed\n", ctx);
sidget(obj->sid = subj->sid);
obj->sid = subj->sid;
freecon(ctx);
srec.client = serverClient;
@ -231,7 +225,7 @@ SELinuxLabelResource(XaceResourceAccessRec *rec, SELinuxSubjectRec *subj,
/* Check for a create context */
if (rec->rtype & RC_DRAWABLE && subj->win_create_sid) {
sidget(obj->sid = subj->win_create_sid);
obj->sid = subj->win_create_sid;
return Success;
}
@ -359,17 +353,14 @@ SELinuxDevice(CallbackListPtr *pcbl, pointer unused, pointer calldata)
SELinuxSubjectRec *dsubj;
dsubj = dixLookupPrivate(&rec->dev->devPrivates, subjectKey);
sidput(dsubj->sid);
sidput(obj->sid);
if (subj->dev_create_sid) {
/* Label the device with the create context */
sidget(obj->sid = subj->dev_create_sid);
sidget(dsubj->sid = subj->dev_create_sid);
obj->sid = subj->dev_create_sid;
dsubj->sid = subj->dev_create_sid;
} else {
/* Label the device directly with the process SID */
sidget(obj->sid = subj->sid);
sidget(dsubj->sid = subj->sid);
obj->sid = subj->sid;
dsubj->sid = subj->sid;
}
}
@ -483,8 +474,6 @@ SELinuxExtension(CallbackListPtr *pcbl, pointer unused, pointer calldata)
return;
}
sidput(obj->sid);
/* Perform a transition to obtain the final SID */
if (avc_compute_create(serv->sid, sid, SECCLASS_X_EXTENSION,
&obj->sid) < 0) {
@ -520,7 +509,6 @@ SELinuxSelection(CallbackListPtr *pcbl, pointer unused, pointer calldata)
/* If this is a new object that needs labeling, do it now */
if (access_mode & DixCreateAccess) {
sidput(obj->sid);
rc = SELinuxSelectionToSID(name, subj, &obj->sid, &obj->poly);
if (rc != Success)
obj->sid = unlabeled_sid;
@ -538,7 +526,6 @@ SELinuxSelection(CallbackListPtr *pcbl, pointer unused, pointer calldata)
break;
obj = dixLookupPrivate(&pSel->devPrivates, objectKey);
}
sidput(tsid);
if (pSel)
*rec->ppSel = pSel;
@ -557,11 +544,10 @@ SELinuxSelection(CallbackListPtr *pcbl, pointer unused, pointer calldata)
/* Label the content (advisory only) */
if (access_mode & DixSetAttrAccess) {
data = dixLookupPrivate(&pSel->devPrivates, dataKey);
sidput(data->sid);
if (subj->sel_create_sid)
sidget(data->sid = subj->sel_create_sid);
data->sid = subj->sel_create_sid;
else
sidget(data->sid = obj->sid);
data->sid = obj->sid;
}
}
@ -586,7 +572,6 @@ SELinuxProperty(CallbackListPtr *pcbl, pointer unused, pointer calldata)
/* If this is a new object that needs labeling, do it now */
if (rec->access_mode & DixCreateAccess) {
sidput(obj->sid);
rc = SELinuxPropertyToSID(name, subj, &obj->sid, &obj->poly);
if (rc != Success) {
rec->status = rc;
@ -605,7 +590,6 @@ SELinuxProperty(CallbackListPtr *pcbl, pointer unused, pointer calldata)
break;
obj = dixLookupPrivate(&pProp->devPrivates, objectKey);
}
sidput(tsid);
if (pProp)
*rec->ppProp = pProp;
@ -624,11 +608,10 @@ SELinuxProperty(CallbackListPtr *pcbl, pointer unused, pointer calldata)
/* Label the content (advisory only) */
if (rec->access_mode & DixWriteAccess) {
data = dixLookupPrivate(&pProp->devPrivates, dataKey);
sidput(data->sid);
if (subj->prp_create_sid)
sidget(data->sid = subj->prp_create_sid);
data->sid = subj->prp_create_sid;
else
sidget(data->sid = obj->sid);
data->sid = obj->sid;
}
}
@ -705,8 +688,6 @@ SELinuxScreen(CallbackListPtr *pcbl, pointer is_saver, pointer calldata)
/* If this is a new object that needs labeling, do it now */
if (access_mode & DixCreateAccess) {
sidput(obj->sid);
/* Perform a transition to obtain the final SID */
if (avc_compute_create(subj->sid, subj->sid, SECCLASS_X_SCREEN,
&obj->sid) < 0) {
@ -838,7 +819,6 @@ SELinuxSubjectInit(CallbackListPtr *pcbl, pointer unused, pointer calldata)
PrivateCallbackRec *rec = calldata;
SELinuxSubjectRec *subj = *rec->value;
sidget(unlabeled_sid);
subj->sid = unlabeled_sid;
avc_entry_ref_init(&subj->aeref);
@ -851,14 +831,6 @@ SELinuxSubjectFree(CallbackListPtr *pcbl, pointer unused, pointer calldata)
SELinuxSubjectRec *subj = *rec->value;
xfree(subj->command);
if (avc_active) {
sidput(subj->sid);
sidput(subj->dev_create_sid);
sidput(subj->win_create_sid);
sidput(subj->sel_create_sid);
sidput(subj->prp_create_sid);
}
}
static void
@ -867,20 +839,9 @@ SELinuxObjectInit(CallbackListPtr *pcbl, pointer unused, pointer calldata)
PrivateCallbackRec *rec = calldata;
SELinuxObjectRec *obj = *rec->value;
sidget(unlabeled_sid);
obj->sid = unlabeled_sid;
}
static void
SELinuxObjectFree(CallbackListPtr *pcbl, pointer unused, pointer calldata)
{
PrivateCallbackRec *rec = calldata;
SELinuxObjectRec *obj = *rec->value;
if (avc_active)
sidput(obj->sid);
}
static int netlink_fd;
static void
@ -923,7 +884,6 @@ SELinuxFlaskReset(void)
RemoveGeneralSocket(netlink_fd);
avc_destroy();
avc_active = 0;
}
void
@ -961,7 +921,6 @@ SELinuxFlaskInit(void)
if (avc_open(&avc_option, 1) < 0)
FatalError("SELinux: Couldn't initialize SELinux userspace AVC\n");
avc_active = 1;
if (security_get_initial_context_raw("unlabeled", &ctx) < 0)
FatalError("SELinux: Failed to look up unlabeled context\n");
@ -997,9 +956,7 @@ SELinuxFlaskInit(void)
ret &= dixRegisterPrivateInitFunc(subjectKey, SELinuxSubjectInit, NULL);
ret &= dixRegisterPrivateDeleteFunc(subjectKey, SELinuxSubjectFree, NULL);
ret &= dixRegisterPrivateInitFunc(objectKey, SELinuxObjectInit, NULL);
ret &= dixRegisterPrivateDeleteFunc(objectKey, SELinuxObjectFree, NULL);
ret &= dixRegisterPrivateInitFunc(dataKey, SELinuxObjectInit, NULL);
ret &= dixRegisterPrivateDeleteFunc(dataKey, SELinuxObjectFree, NULL);
ret &= AddCallback(&ClientStateCallback, SELinuxClientState, NULL);
ret &= AddCallback(&ResourceStateCallback, SELinuxResourceState, NULL);
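Review bot: None of the three patched files records the libselinux floor that makes dropping sidget()/sidput() safe; the description names 2.0.86, but the registration block here and the avc_open() call in SELinuxFlaskInit above it still build and link against any libselinux that exports those symbols. Against an older library the bare assignments this commit introduces, such as `obj->sid = subj->sid;` in SELinuxDevice and SELinuxLabelClient, no longer take a reference, so SID lifetime would silently depend on the library's old refcount semantics with nothing in this code to detect it. Unless the build configuration already enforces the minimum (it is not among the changed files), the commit should add a version requirement there (for example a pkg-config check for `libselinux >= 2.0.86`) and a short comment beside avc_open() recording why no SID is ever released, e.g. `/* libselinux >= 2.0.86: SIDs are not reference counted, so no sidget/sidput */`. The same point applies to the first and third files of this commit.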

View File

@ -177,20 +177,17 @@ SELinuxSelectionToSID(Atom selection, SELinuxSubjectRec *subj,
/* Check for an override context next */
if (subj->sel_use_sid) {
sidget(tsid = subj->sel_use_sid);
tsid = subj->sel_use_sid;
goto out;
}
sidget(tsid = obj->sid);
tsid = obj->sid;
/* Polyinstantiate if necessary to obtain the final SID */
if (obj->poly) {
sidput(tsid);
if (avc_compute_member(subj->sid, obj->sid,
SECCLASS_X_SELECTION, &tsid) < 0) {
ErrorF("SELinux: a compute_member call failed!\n");
return BadValue;
}
if (obj->poly && avc_compute_member(subj->sid, obj->sid,
SECCLASS_X_SELECTION, &tsid) < 0) {
ErrorF("SELinux: a compute_member call failed!\n");
return BadValue;
}
out:
*sid_rtn = tsid;
@ -217,7 +214,7 @@ SELinuxPropertyToSID(Atom property, SELinuxSubjectRec *subj,
/* Check for an override context next */
if (subj->prp_use_sid) {
sidget(tsid = subj->prp_use_sid);
tsid = subj->prp_use_sid;
goto out;
}
@ -234,10 +231,8 @@ SELinuxPropertyToSID(Atom property, SELinuxSubjectRec *subj,
if (avc_compute_member(subj->sid, tsid2,
SECCLASS_X_PROPERTY, &tsid) < 0) {
ErrorF("SELinux: a compute_member call failed!\n");
sidput(tsid2);
return BadValue;
}
sidput(tsid2);
}
out:
*sid_rtn = tsid;
@ -273,10 +268,8 @@ SELinuxEventToSID(unsigned type, security_id_t sid_of_window,
}
freecon(ctx);
/* Cache the SID value */
if (!SELinuxArraySet(&arr_events, type, sid)) {
sidput(sid);
if (!SELinuxArraySet(&arr_events, type, sid))
return BadAlloc;
}
}
/* Perform a transition to obtain the final SID */