mirror of
https://gitlab.freedesktop.org/xorg/xserver.git
synced 2025-12-20 21:00:03 +01:00
xselinux: Remove reference counting calls for SID objects.
Starting with libselinux 2.0.86, SID objects are no longer reference counted and the sidput() and sidget() calls are no-ops. Signed-off-by: Eamon Walsh <ewalsh@tycho.nsa.gov> Reviewed-by: Keith Packard <keithp@keithp.com>
parent
c030ec32b6
commit
1b6f498b84
1 changed files with 19 additions and 70 deletions
|
|
@ -112,9 +112,6 @@ typedef struct {
|
||||||
/* labeling handle */
|
/* labeling handle */
|
||||||
static struct selabel_handle *label_hnd;
|
static struct selabel_handle *label_hnd;
|
||||||
|
|
||||||
/* whether AVC is active */
|
|
||||||
static int avc_active;
|
|
||||||
|
|
||||||
/* atoms for window label properties */
|
/* atoms for window label properties */
|
||||||
static Atom atom_ctx;
|
static Atom atom_ctx;
|
||||||
static Atom atom_client_ctx;
|
static Atom atom_client_ctx;
|
||||||
|
|
@ -238,20 +235,17 @@ SELinuxSelectionToSID(Atom selection, SELinuxSubjectRec *subj,
|
||||||
|
|
||||||
/* Check for an override context next */
|
/* Check for an override context next */
|
||||||
if (subj->sel_use_sid) {
|
if (subj->sel_use_sid) {
|
||||||
sidget(tsid = subj->sel_use_sid);
|
tsid = subj->sel_use_sid;
|
||||||
goto out;
|
goto out;
|
||||||
}
|
}
|
||||||
|
|
||||||
sidget(tsid = obj->sid);
|
tsid = obj->sid;
|
||||||
|
|
||||||
/* Polyinstantiate if necessary to obtain the final SID */
|
/* Polyinstantiate if necessary to obtain the final SID */
|
||||||
if (obj->poly) {
|
if (obj->poly && avc_compute_member(subj->sid, obj->sid,
|
||||||
sidput(tsid);
|
SECCLASS_X_SELECTION, &tsid) < 0) {
|
||||||
if (avc_compute_member(subj->sid, obj->sid,
|
ErrorF("SELinux: a compute_member call failed!\n");
|
||||||
SECCLASS_X_SELECTION, &tsid) < 0) {
|
return BadValue;
|
||||||
ErrorF("SELinux: a compute_member call failed!\n");
|
|
||||||
return BadValue;
|
|
||||||
}
|
|
||||||
}
|
}
|
||||||
out:
|
out:
|
||||||
*sid_rtn = tsid;
|
*sid_rtn = tsid;
|
||||||
|
|
@ -278,7 +272,7 @@ SELinuxPropertyToSID(Atom property, SELinuxSubjectRec *subj,
|
||||||
|
|
||||||
/* Check for an override context next */
|
/* Check for an override context next */
|
||||||
if (subj->prp_use_sid) {
|
if (subj->prp_use_sid) {
|
||||||
sidget(tsid = subj->prp_use_sid);
|
tsid = subj->prp_use_sid;
|
||||||
goto out;
|
goto out;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
@ -295,10 +289,8 @@ SELinuxPropertyToSID(Atom property, SELinuxSubjectRec *subj,
|
||||||
if (avc_compute_member(subj->sid, tsid2,
|
if (avc_compute_member(subj->sid, tsid2,
|
||||||
SECCLASS_X_PROPERTY, &tsid) < 0) {
|
SECCLASS_X_PROPERTY, &tsid) < 0) {
|
||||||
ErrorF("SELinux: a compute_member call failed!\n");
|
ErrorF("SELinux: a compute_member call failed!\n");
|
||||||
sidput(tsid2);
|
|
||||||
return BadValue;
|
return BadValue;
|
||||||
}
|
}
|
||||||
sidput(tsid2);
|
|
||||||
}
|
}
|
||||||
out:
|
out:
|
||||||
*sid_rtn = tsid;
|
*sid_rtn = tsid;
|
||||||
|
|
@ -438,9 +430,7 @@ SELinuxLabelClient(ClientPtr client)
|
||||||
security_context_t ctx;
|
security_context_t ctx;
|
||||||
|
|
||||||
subj = dixLookupPrivate(&client->devPrivates, subjectKey);
|
subj = dixLookupPrivate(&client->devPrivates, subjectKey);
|
||||||
sidput(subj->sid);
|
|
||||||
obj = dixLookupPrivate(&client->devPrivates, objectKey);
|
obj = dixLookupPrivate(&client->devPrivates, objectKey);
|
||||||
sidput(obj->sid);
|
|
||||||
|
|
||||||
/* Try to get a context from the socket */
|
/* Try to get a context from the socket */
|
||||||
if (fd < 0 || getpeercon_raw(fd, &ctx) < 0) {
|
if (fd < 0 || getpeercon_raw(fd, &ctx) < 0) {
|
||||||
|
|
@ -484,7 +474,7 @@ finish:
|
||||||
FatalError("SELinux: client %d: context_to_sid_raw(%s) failed\n",
|
FatalError("SELinux: client %d: context_to_sid_raw(%s) failed\n",
|
||||||
client->index, ctx);
|
client->index, ctx);
|
||||||
|
|
||||||
sidget(obj->sid = subj->sid);
|
obj->sid = subj->sid;
|
||||||
freecon(ctx);
|
freecon(ctx);
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
@ -505,7 +495,6 @@ SELinuxLabelInitial(void)
|
||||||
subj = dixLookupPrivate(&serverClient->devPrivates, subjectKey);
|
subj = dixLookupPrivate(&serverClient->devPrivates, subjectKey);
|
||||||
obj = dixLookupPrivate(&serverClient->devPrivates, objectKey);
|
obj = dixLookupPrivate(&serverClient->devPrivates, objectKey);
|
||||||
subj->privileged = 1;
|
subj->privileged = 1;
|
||||||
sidput(subj->sid);
|
|
||||||
|
|
||||||
/* Use the context of the X server process for the serverClient */
|
/* Use the context of the X server process for the serverClient */
|
||||||
if (getcon_raw(&ctx) < 0)
|
if (getcon_raw(&ctx) < 0)
|
||||||
|
|
@ -515,7 +504,7 @@ SELinuxLabelInitial(void)
|
||||||
if (avc_context_to_sid_raw(ctx, &subj->sid) < 0)
|
if (avc_context_to_sid_raw(ctx, &subj->sid) < 0)
|
||||||
FatalError("SELinux: serverClient: context_to_sid(%s) failed\n", ctx);
|
FatalError("SELinux: serverClient: context_to_sid(%s) failed\n", ctx);
|
||||||
|
|
||||||
sidget(obj->sid = subj->sid);
|
obj->sid = subj->sid;
|
||||||
freecon(ctx);
|
freecon(ctx);
|
||||||
|
|
||||||
srec.client = serverClient;
|
srec.client = serverClient;
|
||||||
|
|
@ -545,7 +534,7 @@ SELinuxLabelResource(XaceResourceAccessRec *rec, SELinuxSubjectRec *subj,
|
||||||
|
|
||||||
/* Check for a create context */
|
/* Check for a create context */
|
||||||
if (rec->rtype & RC_DRAWABLE && subj->win_create_sid) {
|
if (rec->rtype & RC_DRAWABLE && subj->win_create_sid) {
|
||||||
sidget(obj->sid = subj->win_create_sid);
|
obj->sid = subj->win_create_sid;
|
||||||
return Success;
|
return Success;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
@ -673,17 +662,14 @@ SELinuxDevice(CallbackListPtr *pcbl, pointer unused, pointer calldata)
|
||||||
SELinuxSubjectRec *dsubj;
|
SELinuxSubjectRec *dsubj;
|
||||||
dsubj = dixLookupPrivate(&rec->dev->devPrivates, subjectKey);
|
dsubj = dixLookupPrivate(&rec->dev->devPrivates, subjectKey);
|
||||||
|
|
||||||
sidput(dsubj->sid);
|
|
||||||
sidput(obj->sid);
|
|
||||||
|
|
||||||
if (subj->dev_create_sid) {
|
if (subj->dev_create_sid) {
|
||||||
/* Label the device with the create context */
|
/* Label the device with the create context */
|
||||||
sidget(obj->sid = subj->dev_create_sid);
|
obj->sid = subj->dev_create_sid;
|
||||||
sidget(dsubj->sid = subj->dev_create_sid);
|
dsubj->sid = subj->dev_create_sid;
|
||||||
} else {
|
} else {
|
||||||
/* Label the device directly with the process SID */
|
/* Label the device directly with the process SID */
|
||||||
sidget(obj->sid = subj->sid);
|
obj->sid = subj->sid;
|
||||||
sidget(dsubj->sid = subj->sid);
|
dsubj->sid = subj->sid;
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
@ -807,8 +793,6 @@ SELinuxExtension(CallbackListPtr *pcbl, pointer unused, pointer calldata)
|
||||||
return;
|
return;
|
||||||
}
|
}
|
||||||
|
|
||||||
sidput(obj->sid);
|
|
||||||
|
|
||||||
/* Perform a transition to obtain the final SID */
|
/* Perform a transition to obtain the final SID */
|
||||||
if (avc_compute_create(serv->sid, sid, SECCLASS_X_EXTENSION,
|
if (avc_compute_create(serv->sid, sid, SECCLASS_X_EXTENSION,
|
||||||
&obj->sid) < 0) {
|
&obj->sid) < 0) {
|
||||||
|
|
@ -846,7 +830,6 @@ SELinuxSelection(CallbackListPtr *pcbl, pointer unused, pointer calldata)
|
||||||
|
|
||||||
/* If this is a new object that needs labeling, do it now */
|
/* If this is a new object that needs labeling, do it now */
|
||||||
if (access_mode & DixCreateAccess) {
|
if (access_mode & DixCreateAccess) {
|
||||||
sidput(obj->sid);
|
|
||||||
rc = SELinuxSelectionToSID(name, subj, &obj->sid, &obj->poly);
|
rc = SELinuxSelectionToSID(name, subj, &obj->sid, &obj->poly);
|
||||||
if (rc != Success)
|
if (rc != Success)
|
||||||
obj->sid = unlabeled_sid;
|
obj->sid = unlabeled_sid;
|
||||||
|
|
@ -864,7 +847,6 @@ SELinuxSelection(CallbackListPtr *pcbl, pointer unused, pointer calldata)
|
||||||
break;
|
break;
|
||||||
obj = dixLookupPrivate(&pSel->devPrivates, objectKey);
|
obj = dixLookupPrivate(&pSel->devPrivates, objectKey);
|
||||||
}
|
}
|
||||||
sidput(tsid);
|
|
||||||
|
|
||||||
if (pSel)
|
if (pSel)
|
||||||
*rec->ppSel = pSel;
|
*rec->ppSel = pSel;
|
||||||
|
|
@ -883,11 +865,10 @@ SELinuxSelection(CallbackListPtr *pcbl, pointer unused, pointer calldata)
|
||||||
/* Label the content (advisory only) */
|
/* Label the content (advisory only) */
|
||||||
if (access_mode & DixSetAttrAccess) {
|
if (access_mode & DixSetAttrAccess) {
|
||||||
data = dixLookupPrivate(&pSel->devPrivates, dataKey);
|
data = dixLookupPrivate(&pSel->devPrivates, dataKey);
|
||||||
sidput(data->sid);
|
|
||||||
if (subj->sel_create_sid)
|
if (subj->sel_create_sid)
|
||||||
sidget(data->sid = subj->sel_create_sid);
|
data->sid = subj->sel_create_sid;
|
||||||
else
|
else
|
||||||
sidget(data->sid = obj->sid);
|
data->sid = obj->sid;
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
@ -912,7 +893,6 @@ SELinuxProperty(CallbackListPtr *pcbl, pointer unused, pointer calldata)
|
||||||
|
|
||||||
/* If this is a new object that needs labeling, do it now */
|
/* If this is a new object that needs labeling, do it now */
|
||||||
if (rec->access_mode & DixCreateAccess) {
|
if (rec->access_mode & DixCreateAccess) {
|
||||||
sidput(obj->sid);
|
|
||||||
rc = SELinuxPropertyToSID(name, subj, &obj->sid, &obj->poly);
|
rc = SELinuxPropertyToSID(name, subj, &obj->sid, &obj->poly);
|
||||||
if (rc != Success) {
|
if (rc != Success) {
|
||||||
rec->status = rc;
|
rec->status = rc;
|
||||||
|
|
@ -931,7 +911,6 @@ SELinuxProperty(CallbackListPtr *pcbl, pointer unused, pointer calldata)
|
||||||
break;
|
break;
|
||||||
obj = dixLookupPrivate(&pProp->devPrivates, objectKey);
|
obj = dixLookupPrivate(&pProp->devPrivates, objectKey);
|
||||||
}
|
}
|
||||||
sidput(tsid);
|
|
||||||
|
|
||||||
if (pProp)
|
if (pProp)
|
||||||
*rec->ppProp = pProp;
|
*rec->ppProp = pProp;
|
||||||
|
|
@ -950,11 +929,10 @@ SELinuxProperty(CallbackListPtr *pcbl, pointer unused, pointer calldata)
|
||||||
/* Label the content (advisory only) */
|
/* Label the content (advisory only) */
|
||||||
if (rec->access_mode & DixWriteAccess) {
|
if (rec->access_mode & DixWriteAccess) {
|
||||||
data = dixLookupPrivate(&pProp->devPrivates, dataKey);
|
data = dixLookupPrivate(&pProp->devPrivates, dataKey);
|
||||||
sidput(data->sid);
|
|
||||||
if (subj->prp_create_sid)
|
if (subj->prp_create_sid)
|
||||||
sidget(data->sid = subj->prp_create_sid);
|
data->sid = subj->prp_create_sid;
|
||||||
else
|
else
|
||||||
sidget(data->sid = obj->sid);
|
data->sid = obj->sid;
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
@ -1031,8 +1009,6 @@ SELinuxScreen(CallbackListPtr *pcbl, pointer is_saver, pointer calldata)
|
||||||
|
|
||||||
/* If this is a new object that needs labeling, do it now */
|
/* If this is a new object that needs labeling, do it now */
|
||||||
if (access_mode & DixCreateAccess) {
|
if (access_mode & DixCreateAccess) {
|
||||||
sidput(obj->sid);
|
|
||||||
|
|
||||||
/* Perform a transition to obtain the final SID */
|
/* Perform a transition to obtain the final SID */
|
||||||
if (avc_compute_create(subj->sid, subj->sid, SECCLASS_X_SCREEN,
|
if (avc_compute_create(subj->sid, subj->sid, SECCLASS_X_SCREEN,
|
||||||
&obj->sid) < 0) {
|
&obj->sid) < 0) {
|
||||||
|
|
@ -1164,7 +1140,6 @@ SELinuxSubjectInit(CallbackListPtr *pcbl, pointer unused, pointer calldata)
|
||||||
PrivateCallbackRec *rec = calldata;
|
PrivateCallbackRec *rec = calldata;
|
||||||
SELinuxSubjectRec *subj = *rec->value;
|
SELinuxSubjectRec *subj = *rec->value;
|
||||||
|
|
||||||
sidget(unlabeled_sid);
|
|
||||||
subj->sid = unlabeled_sid;
|
subj->sid = unlabeled_sid;
|
||||||
|
|
||||||
avc_entry_ref_init(&subj->aeref);
|
avc_entry_ref_init(&subj->aeref);
|
||||||
|
|
@ -1177,14 +1152,6 @@ SELinuxSubjectFree(CallbackListPtr *pcbl, pointer unused, pointer calldata)
|
||||||
SELinuxSubjectRec *subj = *rec->value;
|
SELinuxSubjectRec *subj = *rec->value;
|
||||||
|
|
||||||
xfree(subj->command);
|
xfree(subj->command);
|
||||||
|
|
||||||
if (avc_active) {
|
|
||||||
sidput(subj->sid);
|
|
||||||
sidput(subj->dev_create_sid);
|
|
||||||
sidput(subj->win_create_sid);
|
|
||||||
sidput(subj->sel_create_sid);
|
|
||||||
sidput(subj->prp_create_sid);
|
|
||||||
}
|
|
||||||
}
|
}
|
||||||
|
|
||||||
static void
|
static void
|
||||||
|
|
@ -1193,20 +1160,9 @@ SELinuxObjectInit(CallbackListPtr *pcbl, pointer unused, pointer calldata)
|
||||||
PrivateCallbackRec *rec = calldata;
|
PrivateCallbackRec *rec = calldata;
|
||||||
SELinuxObjectRec *obj = *rec->value;
|
SELinuxObjectRec *obj = *rec->value;
|
||||||
|
|
||||||
sidget(unlabeled_sid);
|
|
||||||
obj->sid = unlabeled_sid;
|
obj->sid = unlabeled_sid;
|
||||||
}
|
}
|
||||||
|
|
||||||
static void
|
|
||||||
SELinuxObjectFree(CallbackListPtr *pcbl, pointer unused, pointer calldata)
|
|
||||||
{
|
|
||||||
PrivateCallbackRec *rec = calldata;
|
|
||||||
SELinuxObjectRec *obj = *rec->value;
|
|
||||||
|
|
||||||
if (avc_active)
|
|
||||||
sidput(obj->sid);
|
|
||||||
}
|
|
||||||
|
|
||||||
|
|
||||||
/*
|
/*
|
||||||
* Extension Dispatch
|
* Extension Dispatch
|
||||||
|
|
@ -1310,7 +1266,6 @@ ProcSELinuxSetCreateContext(ClientPtr client, unsigned offset)
|
||||||
|
|
||||||
ptr = dixLookupPrivate(privPtr, subjectKey);
|
ptr = dixLookupPrivate(privPtr, subjectKey);
|
||||||
pSid = (security_id_t *)(ptr + offset);
|
pSid = (security_id_t *)(ptr + offset);
|
||||||
sidput(*pSid);
|
|
||||||
*pSid = NULL;
|
*pSid = NULL;
|
||||||
|
|
||||||
rc = Success;
|
rc = Success;
|
||||||
|
|
@ -1371,11 +1326,9 @@ ProcSELinuxSetDeviceContext(ClientPtr client)
|
||||||
}
|
}
|
||||||
|
|
||||||
subj = dixLookupPrivate(&dev->devPrivates, subjectKey);
|
subj = dixLookupPrivate(&dev->devPrivates, subjectKey);
|
||||||
sidput(subj->sid);
|
|
||||||
subj->sid = sid;
|
subj->sid = sid;
|
||||||
obj = dixLookupPrivate(&dev->devPrivates, objectKey);
|
obj = dixLookupPrivate(&dev->devPrivates, objectKey);
|
||||||
sidput(obj->sid);
|
obj->sid = sid;
|
||||||
sidget(obj->sid = sid);
|
|
||||||
|
|
||||||
rc = Success;
|
rc = Success;
|
||||||
out:
|
out:
|
||||||
|
|
@ -1912,7 +1865,6 @@ SELinuxResetProc(ExtensionEntry *extEntry)
|
||||||
RemoveGeneralSocket(netlink_fd);
|
RemoveGeneralSocket(netlink_fd);
|
||||||
|
|
||||||
avc_destroy();
|
avc_destroy();
|
||||||
avc_active = 0;
|
|
||||||
|
|
||||||
/* Free local state */
|
/* Free local state */
|
||||||
xfree(knownAtoms);
|
xfree(knownAtoms);
|
||||||
|
|
@ -1981,7 +1933,6 @@ SELinuxExtensionInit(INITARGS)
|
||||||
|
|
||||||
if (avc_open(&avc_option, 1) < 0)
|
if (avc_open(&avc_option, 1) < 0)
|
||||||
FatalError("SELinux: Couldn't initialize SELinux userspace AVC\n");
|
FatalError("SELinux: Couldn't initialize SELinux userspace AVC\n");
|
||||||
avc_active = 1;
|
|
||||||
|
|
||||||
label_hnd = selabel_open(SELABEL_CTX_X, &selabel_option, 1);
|
label_hnd = selabel_open(SELABEL_CTX_X, &selabel_option, 1);
|
||||||
if (!label_hnd)
|
if (!label_hnd)
|
||||||
|
|
@ -2021,9 +1972,7 @@ SELinuxExtensionInit(INITARGS)
|
||||||
ret &= dixRegisterPrivateInitFunc(subjectKey, SELinuxSubjectInit, NULL);
|
ret &= dixRegisterPrivateInitFunc(subjectKey, SELinuxSubjectInit, NULL);
|
||||||
ret &= dixRegisterPrivateDeleteFunc(subjectKey, SELinuxSubjectFree, NULL);
|
ret &= dixRegisterPrivateDeleteFunc(subjectKey, SELinuxSubjectFree, NULL);
|
||||||
ret &= dixRegisterPrivateInitFunc(objectKey, SELinuxObjectInit, NULL);
|
ret &= dixRegisterPrivateInitFunc(objectKey, SELinuxObjectInit, NULL);
|
||||||
ret &= dixRegisterPrivateDeleteFunc(objectKey, SELinuxObjectFree, NULL);
|
|
||||||
ret &= dixRegisterPrivateInitFunc(dataKey, SELinuxObjectInit, NULL);
|
ret &= dixRegisterPrivateInitFunc(dataKey, SELinuxObjectInit, NULL);
|
||||||
ret &= dixRegisterPrivateDeleteFunc(dataKey, SELinuxObjectFree, NULL);
|
|
||||||
|
|
||||||
ret &= AddCallback(&ClientStateCallback, SELinuxClientState, NULL);
|
ret &= AddCallback(&ClientStateCallback, SELinuxClientState, NULL);
|
||||||
ret &= AddCallback(&ResourceStateCallback, SELinuxResourceState, NULL);
|
ret &= AddCallback(&ResourceStateCallback, SELinuxResourceState, NULL);
|
||||||
|
|
|
||||||
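Review bot: The plain SID assignments that replace `sidget()`/`sidput()` throughout this file (for example `obj->sid = subj->sid;` in SELinuxLabelClient and SELinuxDevice) are only safe when the server is built against libselinux 2.0.86 or later, and nothing in this one-file commit enforces or documents that in the code. Against an older library where SIDs are still reference counted, the subject and object records would hold SIDs without taking a reference, which presumably leaves them open to being reclaimed while the server still uses them. The build should require that libselinux version (it may already do so outside this commit), and a short comment near SELinuxSubjectInit would record the assumption, e.g. `/* SIDs are not reference counted since libselinux 2.0.86; plain assignment is enough */`. Most of the touched functions start or end outside the hunks shown.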