The userspace AVC currently has refcounted SID's.  This patch strips out
the refcounting under the following justifications:

1.  Managing the refcounts by calling sidput() and sidget() as
appropriate is a difficult and bug-prone task for users of the library.

2.  The userspace AVC doesn't currently make use of the refcounts to
reclaim unused SID's unless avc_cleanup() is explicitly called.

3.  The kernel itself no longer uses refcounting for its own SID's.

The implication of this change is that SID's (basically malloc'ed copies
of security contexts) will persist in the AVC's SID table until the next
call to avc_destroy().  This presents the potential for increased memory
usage, but in practice I don't believe this will be an issue.  ABI
compatibility is preserved: the avc_cleanup(), sidput(), and sidget()
calls are changed to no-ops.

Signed-off-by: Eamon Walsh <ewalsh@tycho.nsa.gov>
Acked-by:  Stephen Smalley <sds@tycho.nsa.gov>
diff --git a/libselinux/src/avc_sidtab.c b/libselinux/src/avc_sidtab.c
index dab5c4e..3ca1d1f 100644
--- a/libselinux/src/avc_sidtab.c
+++ b/libselinux/src/avc_sidtab.c
@@ -67,53 +67,13 @@
 	hvalue = sidtab_hash(newctx);
 	newnode->next = s->htable[hvalue];
 	newnode->sid_s.ctx = newctx;
-	newnode->sid_s.refcnt = 0;	/* caller should increment */
+	newnode->sid_s.refcnt = 1;	/* unused */
 	s->htable[hvalue] = newnode;
 	s->nel++;
       out:
 	return rc;
 }
 
-void sidtab_remove(struct sidtab *s, security_id_t sid)
-{
-	int hvalue;
-	struct sidtab_node *cur, *prev;
-
-	hvalue = sidtab_hash(sid->ctx);
-	cur = s->htable[hvalue];
-	prev = NULL;
-	while (cur) {
-		if (sid == &cur->sid_s) {
-			if (prev)
-				prev->next = cur->next;
-			else
-				s->htable[hvalue] = cur->next;
-			avc_free(cur);
-			s->nel--;
-			return;
-		} else {
-			prev = cur;
-			cur = cur->next;
-		}
-	}
-}
-
-security_id_t sidtab_claim_sid(struct sidtab *s)
-{
-	int i;
-	struct sidtab_node *cur;
-
-	for (i = 0; i < SIDTAB_SIZE; i++) {
-		cur = s->htable[i];
-		while (cur) {
-			if (!cur->sid_s.refcnt)
-				return &cur->sid_s;
-			cur = cur->next;
-		}
-	}
-	return NULL;
-}
-
 int
 sidtab_context_to_sid(struct sidtab *s,
 		      security_context_t ctx, security_id_t * sid)
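Review bot: The new comment `/* unused */` on `newnode->sid_s.refcnt = 1;` does not explain why the field is still written or why its initial value changed from 0 to 1. Going by the commit message, the field presumably stays for ABI compatibility, so a comment such as `/* refcounting removed; field kept only for ABI compatibility */` would prevent a later reader from treating it as a live count. With `sidtab_remove()` and `sidtab_claim_sid()` gone, nothing in this hunk ever shrinks the table. It would help to note at the insert site that entries persist until the table is destroyed, because an object manager that interns contexts supplied by its clients will see `s->nel` grow for the life of the process. The insert function begins above this hunk and `sidtab_context_to_sid()` continues below it, so whether a bound on table size exists elsewhere cannot be seen here.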