libsepol: move unchanged data out of loop

Perform the lookup whether the class is in the current scope once, and
not for every permission.
This also ensures the class is checked to be in the current scope if
there are no permissions attached.

Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
Acked-by: James Carter <jwcart2@gmail.com>
This commit is contained in:
Christian Göttsche 2024-06-08 19:21:41 +02:00 committed by James Carter
parent a3332e5741
commit 52e5c306f5
1 changed files with 18 additions and 20 deletions

View File

@ -1925,7 +1925,7 @@ static int find_perm(hashtab_key_t key, hashtab_datum_t datum, void *varg)
* Note that if a declaration had no requirement at all (e.g., an ELSE * Note that if a declaration had no requirement at all (e.g., an ELSE
* block) this returns 1. */ * block) this returns 1. */
static int is_decl_requires_met(link_state_t * state, static int is_decl_requires_met(link_state_t * state,
avrule_decl_t * decl, const avrule_decl_t * decl,
struct missing_requirement *req) struct missing_requirement *req)
{ {
/* (This algorithm is very unoptimized. It performs many /* (This algorithm is very unoptimized. It performs many
@ -1933,9 +1933,9 @@ static int is_decl_requires_met(link_state_t * state,
* which symbols have been verified, so that they do not need * which symbols have been verified, so that they do not need
* to be re-checked.) */ * to be re-checked.) */
unsigned int i, j; unsigned int i, j;
ebitmap_t *bitmap; const ebitmap_t *bitmap;
char *id, *perm_id; const char *id, *perm_id;
policydb_t *pol = state->base; const policydb_t *pol = state->base;
ebitmap_node_t *node; ebitmap_node_t *node;
/* check that all symbols have been satisfied */ /* check that all symbols have been satisfied */
@ -1961,21 +1961,14 @@ static int is_decl_requires_met(link_state_t * state,
} }
/* check that all classes and permissions have been satisfied */ /* check that all classes and permissions have been satisfied */
for (i = 0; i < decl->required.class_perms_len; i++) { for (i = 0; i < decl->required.class_perms_len; i++) {
const class_datum_t *cladatum = pol->class_val_to_struct[i];
const scope_datum_t *scope;
bitmap = decl->required.class_perms_map + i; bitmap = &decl->required.class_perms_map[i];
ebitmap_for_each_positive_bit(bitmap, node, j) {
struct find_perm_arg fparg;
class_datum_t *cladatum;
uint32_t perm_value = j + 1;
int rc;
scope_datum_t *scope;
id = pol->p_class_val_to_name[i]; id = pol->p_class_val_to_name[i];
cladatum = pol->class_val_to_struct[i];
scope =
hashtab_search(state->base->p_classes_scope.table, scope = hashtab_search(state->base->p_classes_scope.table, id);
id);
if (scope == NULL) { if (scope == NULL) {
ERR(state->handle, ERR(state->handle,
"Could not find scope information for class %s", "Could not find scope information for class %s",
@ -1983,6 +1976,11 @@ static int is_decl_requires_met(link_state_t * state,
return -1; return -1;
} }
ebitmap_for_each_positive_bit(bitmap, node, j) {
struct find_perm_arg fparg;
uint32_t perm_value = j + 1;
int rc;
fparg.valuep = perm_value; fparg.valuep = perm_value;
fparg.key = NULL; fparg.key = NULL;