Merge branch 'master' of jbrindle@oss.tresys.com:/home/git/selinux

libselinux/ChangeLog

@@ -1,3 +1,10 @@
+2.0.79 2009-03-11
+	* Netlink socket handoff patch from Adam Jackson.
+	* AVC caching of compute_create results by Eric Paris.
+
+2.0.78 2009-02-27
+	* Fix incorrect conversion in discover_class code.
+
 2.0.77 2009-01-12
 	* add restorecon to python bindings from Dan Walsh.
 

libselinux/VERSION

@@ -1 +1 @@
-2.0.77
+2.0.79

libselinux/include/selinux/avc.h

@@ -427,6 +427,29 @@ void avc_av_stats(void);
  */
 void avc_sid_stats(void);
 
+/**
+ * avc_netlink_acquire_fd - Acquire netlink socket fd.
+ *
+ * Allows the application to manage messages from the netlink socket in
+ * its own main loop.
+ */
+int avc_netlink_acquire_fd(void);
+
+/**
+ * avc_netlink_release_fd - Release netlink socket fd.
+ *
+ * Returns ownership of the netlink socket to the library.
+ */
+void avc_netlink_release_fd(void);
+
+/**
+ * avc_netlink_check_nb - Check netlink socket for new messages.
+ *
+ * Called by the application when using avc_netlink_acquire_fd() to
+ * process kernel netlink events.
+ */
+int avc_netlink_check_nb(void);
+
 #ifdef __cplusplus
 }
 #endif

libselinux/src/avc.c

@@ -20,6 +20,7 @@ struct avc_entry {
 	security_id_t tsid;
 	security_class_t tclass;
 	struct av_decision avd;
+	security_id_t	create_sid;
 	int used;		/* used recently */
 };
 
@@ -340,6 +341,15 @@ static inline struct avc_node *avc_reclaim_node(void)
 	return cur;
 }
 
+static inline void avc_clear_avc_entry(struct avc_entry *ae)
+{
+	ae->ssid = ae->tsid = ae->create_sid = NULL;
+	ae->tclass = 0;
+	ae->avd.allowed = ae->avd.decided = 0;
+	ae->avd.auditallow = ae->avd.auditdeny = 0;
+	ae->used = 0;
+}
+
 static inline struct avc_node *avc_claim_node(security_id_t ssid,
 					      security_id_t tsid,
 					      security_class_t tclass)
@@ -361,6 +371,7 @@ static inline struct avc_node *avc_claim_node(security_id_t ssid,
 	}
 
 	hvalue = avc_hash(ssid, tsid, tclass);
+	avc_clear_avc_entry(&new->ae);
 	new->ae.used = 1;
 	new->ae.ssid = ssid;
 	new->ae.tsid = tsid;
@@ -498,8 +509,8 @@ static int avc_insert(security_id_t ssid, security_id_t tsid,
  * avc_remove - Remove AVC and sidtab entries for SID.
  * @sid: security identifier to be removed
  *
- * Remove all AVC entries containing @sid as source
- * or target, and remove @sid from the SID table.
+ * Remove all AVC entries containing @sid as source, target, or
+ * create_sid, and remove @sid from the SID table.
  * Free the memory allocated for the structure corresponding
  * to @sid.  After this function has been called, @sid must
  * not be used until another call to avc_context_to_sid() has
@@ -514,19 +525,15 @@ static void avc_remove(security_id_t sid)
 		cur = avc_cache.slots[i];
 		prev = NULL;
 		while (cur) {
-			if (sid == cur->ae.ssid || sid == cur->ae.tsid) {
+			if (sid == cur->ae.ssid || sid == cur->ae.tsid ||
+			    sid == cur->ae.create_sid) {
 				if (prev)
 					prev->next = cur->next;
 				else
 					avc_cache.slots[i] = cur->next;
 				tmp = cur;
 				cur = cur->next;
-				tmp->ae.ssid = tmp->ae.tsid = NULL;
-				tmp->ae.tclass = 0;
-				tmp->ae.avd.allowed = tmp->ae.avd.decided = 0;
-				tmp->ae.avd.auditallow = tmp->ae.avd.auditdeny =
-				    0;
-				tmp->ae.used = 0;
+				avc_clear_avc_entry(&tmp->ae);
 				tmp->next = avc_node_freelist;
 				avc_node_freelist = tmp;
 				avc_cache.active_nodes--;
@@ -570,11 +577,7 @@ int avc_reset(void)
 		while (node) {
 			tmp = node;
 			node = node->next;
-			tmp->ae.ssid = tmp->ae.tsid = NULL;
-			tmp->ae.tclass = 0;
-			tmp->ae.avd.allowed = tmp->ae.avd.decided = 0;
-			tmp->ae.avd.auditallow = tmp->ae.avd.auditdeny = 0;
-			tmp->ae.used = 0;
+			avc_clear_avc_entry(&tmp->ae);
 			tmp->next = avc_node_freelist;
 			avc_node_freelist = tmp;
 			avc_cache.active_nodes--;
@@ -812,7 +815,7 @@ int avc_has_perm_noaudit(security_id_t ssid,
 	access_vector_t denied;
 	struct avc_entry_ref ref;
 
-	if (!avc_using_threads) {
+	if (!avc_using_threads && !avc_app_main_loop) {
 		(void)avc_netlink_check_nb();
 	}
 
@@ -896,23 +899,55 @@ int avc_compute_create(security_id_t ssid,  security_id_t tsid,
 		       security_class_t tclass, security_id_t *newsid)
 {
 	int rc;
+	struct avc_entry_ref aeref;
+	struct avc_entry entry;
+	security_context_t ctx;
+
 	*newsid = NULL;
+	avc_entry_ref_init(&aeref);
+
 	avc_get_lock(avc_lock);
-	if (ssid->refcnt > 0 && tsid->refcnt > 0) {
-		security_context_t ctx = NULL;
+	if (ssid->refcnt <= 0 || tsid->refcnt <= 0) {
+		errno = EINVAL;	/* bad reference count */
+		rc = -1;
+		goto out;
+	}
+
+	/* check for a cached entry */
+	rc = avc_lookup(ssid, tsid, tclass, 0, &aeref);
+	if (rc) {
+		/* need to make a cache entry for this tuple */
+		rc = security_compute_av_raw(ssid->ctx, tsid->ctx,
+					     tclass, 0, &entry.avd);
+		if (rc)
+			goto out;
+		rc = avc_insert(ssid, tsid, tclass, &entry, &aeref);
+		if (rc)
+			goto out;
+	}
+
+	/* check for a saved compute_create value */
+	if (!aeref.ae->create_sid) {
+		/* need to query the kernel policy */
 		rc = security_compute_create_raw(ssid->ctx, tsid->ctx, tclass,
 						 &ctx);
 		if (rc)
 			goto out;
 		rc = sidtab_context_to_sid(&avc_sidtab, ctx, newsid);
-		if (!rc)
-			(*newsid)->refcnt++;
 		freecon(ctx);
+		if (rc)
+			goto out;
+
+		aeref.ae->create_sid = *newsid;
 	} else {
-		errno = EINVAL;	/* bad reference count */
-		rc = -1;
+		/* found saved value */
+		*newsid = aeref.ae->create_sid;
 	}
+
+	rc = 0;
 out:
+	if (*newsid)
+		(*newsid)->refcnt++;
 	avc_release_lock(avc_lock);
 	return rc;
 }

libselinux/src/avc_internal.c

@@ -34,6 +34,7 @@ void (*avc_func_log) (const char *, ...) = NULL;
 void (*avc_func_audit) (void *, security_class_t, char *, size_t) = NULL;
 
 int avc_using_threads = 0;
+int avc_app_main_loop = 0;
 void *(*avc_func_create_thread) (void (*)(void)) = NULL;
 void (*avc_func_stop_thread) (void *) = NULL;
 
@@ -250,3 +251,15 @@ void avc_netlink_loop(void)
 		"%s:  netlink thread: errors encountered, terminating\n",
 		avc_prefix);
 }
+
+int avc_netlink_acquire_fd(void)
+{
+    avc_app_main_loop = 1;
+
+    return fd;
+}
+
+void avc_netlink_release_fd(void)
+{
+    avc_app_main_loop = 0;
+}

libselinux/src/avc_internal.h

@@ -35,6 +35,7 @@ extern void (*avc_func_log) (const char *, ...)hidden;
 extern void (*avc_func_audit) (void *, security_class_t, char *, size_t)hidden;
 
 extern int avc_using_threads hidden;
+extern int avc_app_main_loop hidden;
 extern void *(*avc_func_create_thread) (void (*)(void))hidden;
 extern void (*avc_func_stop_thread) (void *)hidden;
 
@@ -184,7 +185,6 @@ int avc_ss_set_auditdeny(security_id_t ssid, security_id_t tsid,
 /* netlink kernel message code */
 extern int avc_netlink_trouble hidden;
 int avc_netlink_open(int blocking) hidden;
-int avc_netlink_check_nb(void) hidden;
 void avc_netlink_loop(void) hidden;
 void avc_netlink_close(void) hidden;
 

libselinux/src/selinuxswig.i

@@ -50,6 +50,11 @@
 
 %ignore avc_add_callback;
 
+/* Ignore netlink stuff for now */
+%ignore avc_netlink_acquire_fd;
+%ignore avc_netlink_release_fd;
+%ignore avc_netlink_check_nb;
+
 %include "../include/selinux/selinux.h"
 %include "../include/selinux/avc.h"
 %include "../include/selinux/get_default_type.h"

libselinux/src/stringrep.c

@@ -225,7 +225,7 @@ static struct discover_class_node * discover_class(const char *s)
 	if (ret < 0)
 		goto err3;
 
-	if (sscanf(buf, "%u", (unsigned int*)&node->value) != 1)
+	if (sscanf(buf, "%hu", &node->value) != 1)
 		goto err3;
 
 	/* load up permission indicies */

scripts/release

@@ -0,0 +1,12 @@
+#!/bin/bash
+
+DIRS="libsepol libselinux libsemanage policycoreutils checkpolicy sepolgen"
+
+mkdir ../selinux-dev-release
+
+for i in $DIRS; do
+	cd $i
+	git archive --format=tar --prefix=$i-`cat VERSION`/ HEAD | gzip > ../../selinux-dev-release/$i-`cat VERSION`.tar.gz
+	cd ..
+done
+