From eb9210097efea81065c301e5b6b4da7a566deb4a Mon Sep 17 00:00:00 2001
From: Eamon Walsh
Date: Wed, 6 Jan 2010 12:52:51 -0500
Subject: xselinux: Remove reference counting calls for SID objects.

Starting with libselinux 2.0.86, SID objects are no longer reference counted and the sidput() and sidget() calls are no-ops.

Signed-off-by: Eamon Walsh
Reviewed-by: Keith Packard
---
 Xext/xselinux_ext.c | 5 +---
 Xext/xselinux_hooks.c | 65 +++++++++------------------------------------
 Xext/xselinux_label.c | 23 +++++++-----------
 3 files changed, 20 insertions(+), 73 deletions(-)

diff --git a/Xext/xselinux_ext.c b/Xext/xselinux_ext.c
index b36fb13eb..dc27c92ed 100644
--- a/Xext/xselinux_ext.c
+++ b/Xext/xselinux_ext.c
@@ -132,7 +131,6 @@ ProcSELinuxSetCreateContext(ClientPtr client, unsigned offset)
 ptr = dixLookupPrivate(privPtr, subjectKey);
 pSid = (security_id_t *)(ptr + offset);
- sidput(*pSid);
 *pSid = NULL;
 rc = Success;
@@ -193,11 +192,9 @@ ProcSELinuxSetDeviceContext(ClientPtr client)
 }
 subj = dixLookupPrivate(&dev->devPrivates, subjectKey);
- sidput(subj->sid);
 subj->sid = sid;
 obj = dixLookupPrivate(&dev->devPrivates, objectKey);
- sidput(obj->sid);
- sidget(obj->sid = sid);
+ obj->sid = sid;
 rc = Success;
 out:
diff --git a/Xext/xselinux_hooks.c b/Xext/xselinux_hooks.c
index 72732e702..6c8c8cdbe 100644
--- a/Xext/xselinux_hooks.c
+++ b/Xext/xselinux_hooks.c
@@ -69,9 +69,6 @@ DevPrivateKey dataKey = &dataKeyIndex;
 /* audit file descriptor */
 static int audit_fd;
-/* whether AVC is active */
-static int avc_active;
-
 /* atoms for window label properties */
 static Atom atom_ctx;
 static Atom atom_client_ctx;
@@ -125,9 +122,7 @@ SELinuxLabelClient(ClientPtr client)
 security_context_t ctx;
 subj = dixLookupPrivate(&client->devPrivates, subjectKey);
- sidput(subj->sid);
 obj = dixLookupPrivate(&client->devPrivates, objectKey);
- sidput(obj->sid);
 /* Try to get a context from the socket */
 if (fd < 0 || getpeercon_raw(fd, &ctx) < 0) {
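Review bot: Nothing in this patch pins the build to libselinux >= 2.0.86, which is the only thing that makes dropping every sidput()/sidget() pair safe, beginning with `- sidput(*pSid);` in ProcSELinuxSetCreateContext and continuing through the `avc_active` removal in Xext/xselinux_hooks.c. Against an older, still refcounted libselinux the removed sidput() calls would merely leak, but the removed `sidget(obj->sid = ...)` assignments leave the second holder of a SID uncounted, so the SID could be released while an object private still points at it. If the minimum-version bump is a separate configure.ac commit, naming it in the commit message is enough; otherwise a check such as `PKG_CHECK_MODULES(SELINUX, libselinux >= 2.0.86)` (assuming the build already resolves libselinux through pkg-config) belongs in the same series. The bodies of ProcSELinuxSetCreateContext and SELinuxLabelClient continue outside their hunks.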
@@ -170,7 +165,7 @@ finish:
 FatalError("SELinux: client %d: context_to_sid_raw(%s) failed\n", client->index, ctx);
- sidget(obj->sid = subj->sid);
+ obj->sid = subj->sid;
 freecon(ctx);
 }
@@ -191,7 +186,6 @@ SELinuxLabelInitial(void)
 subj = dixLookupPrivate(&serverClient->devPrivates, subjectKey);
 obj = dixLookupPrivate(&serverClient->devPrivates, objectKey);
 subj->privileged = 1;
- sidput(subj->sid);
 /* Use the context of the X server process for the serverClient */
 if (getcon_raw(&ctx) < 0)
@@ -201,7 +195,7 @@ SELinuxLabelInitial(void)
 if (avc_context_to_sid_raw(ctx, &subj->sid) < 0)
 FatalError("SELinux: serverClient: context_to_sid(%s) failed\n", ctx);
- sidget(obj->sid = subj->sid);
+ obj->sid = subj->sid;
 freecon(ctx);
 srec.client = serverClient;
@@ -231,7 +225,7 @@ SELinuxLabelResource(XaceResourceAccessRec *rec, SELinuxSubjectRec *subj,
 /* Check for a create context */
 if (rec->rtype & RC_DRAWABLE && subj->win_create_sid) {
- sidget(obj->sid = subj->win_create_sid);
+ obj->sid = subj->win_create_sid;
 return Success;
 }
@@ -359,17 +353,14 @@ SELinuxDevice(CallbackListPtr *pcbl, pointer unused, pointer calldata)
 SELinuxSubjectRec *dsubj;
 dsubj = dixLookupPrivate(&rec->dev->devPrivates, subjectKey);
- sidput(dsubj->sid);
- sidput(obj->sid);
-
 if (subj->dev_create_sid) {
 /* Label the device with the create context */
- sidget(obj->sid = subj->dev_create_sid);
- sidget(dsubj->sid = subj->dev_create_sid);
+ obj->sid = subj->dev_create_sid;
+ dsubj->sid = subj->dev_create_sid;
 } else {
 /* Label the device directly with the process SID */
- sidget(obj->sid = subj->sid);
- sidget(dsubj->sid = subj->sid);
+ obj->sid = subj->sid;
+ dsubj->sid = subj->sid;
 }
 }
@@ -483,8 +474,6 @@ SELinuxExtension(CallbackListPtr *pcbl, pointer unused, pointer calldata)
 return;
 }
- sidput(obj->sid);
-
 /* Perform a transition to obtain the final SID */
 if (avc_compute_create(serv->sid, sid, SECCLASS_X_EXTENSION, &obj->sid) < 0) {
@@ -520,7 +509,6 @@ SELinuxSelection(CallbackListPtr *pcbl, pointer unused, pointer calldata)
 /* If this is a new object that needs labeling, do it now */
 if (access_mode & DixCreateAccess) {
- sidput(obj->sid);
 rc = SELinuxSelectionToSID(name, subj, &obj->sid, &obj->poly);
 if (rc != Success)
 obj->sid = unlabeled_sid;
@@ -538,7 +526,6 @@ SELinuxSelection(CallbackListPtr *pcbl, pointer unused, pointer calldata)
 break;
 obj = dixLookupPrivate(&pSel->devPrivates, objectKey);
 }
- sidput(tsid);
 if (pSel)
 *rec->ppSel = pSel;
@@ -557,11 +544,10 @@ SELinuxSelection(CallbackListPtr *pcbl, pointer unused, pointer calldata)
 /* Label the content (advisory only) */
 if (access_mode & DixSetAttrAccess) {
 data = dixLookupPrivate(&pSel->devPrivates, dataKey);
- sidput(data->sid);
 if (subj->sel_create_sid)
- sidget(data->sid = subj->sel_create_sid);
+ data->sid = subj->sel_create_sid;
 else
- sidget(data->sid = obj->sid);
+ data->sid = obj->sid;
 }
 }
@@ -586,7 +572,6 @@ SELinuxProperty(CallbackListPtr *pcbl, pointer unused, pointer calldata)
 /* If this is a new object that needs labeling, do it now */
 if (rec->access_mode & DixCreateAccess) {
- sidput(obj->sid);
 rc = SELinuxPropertyToSID(name, subj, &obj->sid, &obj->poly);
 if (rc != Success) {
 rec->status = rc;
@@ -605,7 +590,6 @@ SELinuxProperty(CallbackListPtr *pcbl, pointer unused, pointer calldata)
 break;
 obj = dixLookupPrivate(&pProp->devPrivates, objectKey);
 }
- sidput(tsid);
 if (pProp)
 *rec->ppProp = pProp;
@@ -624,11 +608,10 @@ SELinuxProperty(CallbackListPtr *pcbl, pointer unused, pointer calldata)
 /* Label the content (advisory only) */
 if (rec->access_mode & DixWriteAccess) {
 data = dixLookupPrivate(&pProp->devPrivates, dataKey);
- sidput(data->sid);
 if (subj->prp_create_sid)
- sidget(data->sid = subj->prp_create_sid);
+ data->sid = subj->prp_create_sid;
 else
- sidget(data->sid = obj->sid);
+ data->sid = obj->sid;
 }
 }
@@ -705,8 +688,6 @@ SELinuxScreen(CallbackListPtr *pcbl, pointer is_saver, pointer calldata)
 /* If this is a new object that needs labeling, do it now */
 if (access_mode & DixCreateAccess) {
- sidput(obj->sid);
-
 /* Perform a transition to obtain the final SID */
 if (avc_compute_create(subj->sid, subj->sid, SECCLASS_X_SCREEN, &obj->sid) < 0) {
@@ -838,7 +819,6 @@ SELinuxSubjectInit(CallbackListPtr *pcbl, pointer unused, pointer calldata)
 PrivateCallbackRec *rec = calldata;
 SELinuxSubjectRec *subj = *rec->value;
- sidget(unlabeled_sid);
 subj->sid = unlabeled_sid;
 avc_entry_ref_init(&subj->aeref);
@@ -851,14 +831,6 @@ SELinuxSubjectFree(CallbackListPtr *pcbl, pointer unused, pointer calldata)
 SELinuxSubjectRec *subj = *rec->value;
 xfree(subj->command);
-
- if (avc_active) {
- sidput(subj->sid);
- sidput(subj->dev_create_sid);
- sidput(subj->win_create_sid);
- sidput(subj->sel_create_sid);
- sidput(subj->prp_create_sid);
- }
 }
 static void
@@ -867,20 +839,9 @@ SELinuxObjectInit(CallbackListPtr *pcbl, pointer unused, pointer calldata)
 PrivateCallbackRec *rec = calldata;
 SELinuxObjectRec *obj = *rec->value;
- sidget(unlabeled_sid);
 obj->sid = unlabeled_sid;
 }
-static void
-SELinuxObjectFree(CallbackListPtr *pcbl, pointer unused, pointer calldata)
-{
- PrivateCallbackRec *rec = calldata;
- SELinuxObjectRec *obj = *rec->value;
-
- if (avc_active)
- sidput(obj->sid);
-}
-
 static int netlink_fd;
 static void
@@ -923,7 +884,6 @@ SELinuxFlaskReset(void)
 RemoveGeneralSocket(netlink_fd);
 avc_destroy();
- avc_active = 0;
 }
 void
@@ -961,7 +921,6 @@ SELinuxFlaskInit(void)
 if (avc_open(&avc_option, 1) < 0)
 FatalError("SELinux: Couldn't initialize SELinux userspace AVC\n");
- avc_active = 1;
 if (security_get_initial_context_raw("unlabeled", &ctx) < 0)
 FatalError("SELinux: Failed to look up unlabeled context\n");
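Review bot: With `- avc_active = 0;` gone from SELinuxFlaskReset, the file no longer carries any marker that avc_destroy() has run while SELinuxSubjectRec and SELinuxObjectRec privates may still hold `sid` values handed out by the AVC. The flag only ever suppressed sidput() in the now-deleted free paths, so it did not prevent stale pointers before either, but it was the one place a reader could see that those SIDs outlive nothing the server owns. If avc_destroy() releases the SID table (this patch does not show it), any comparison through such a private between reset and the next SELinuxFlaskInit() would be a use-after-free, so the invariant deserves a comment at the avc_destroy() call: `/* SIDs stored in subject/object privates are presumably owned by the AVC; none may be dereferenced after this point. */`. SELinuxFlaskReset's body begins outside the hunk.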
@@ -997,9 +956,7 @@ SELinuxFlaskInit(void)
 ret &= dixRegisterPrivateInitFunc(subjectKey, SELinuxSubjectInit, NULL);
 ret &= dixRegisterPrivateDeleteFunc(subjectKey, SELinuxSubjectFree, NULL);
 ret &= dixRegisterPrivateInitFunc(objectKey, SELinuxObjectInit, NULL);
- ret &= dixRegisterPrivateDeleteFunc(objectKey, SELinuxObjectFree, NULL);
 ret &= dixRegisterPrivateInitFunc(dataKey, SELinuxObjectInit, NULL);
- ret &= dixRegisterPrivateDeleteFunc(dataKey, SELinuxObjectFree, NULL);
 ret &= AddCallback(&ClientStateCallback, SELinuxClientState, NULL);
 ret &= AddCallback(&ResourceStateCallback, SELinuxResourceState, NULL);
diff --git a/Xext/xselinux_label.c b/Xext/xselinux_label.c
index 239536cf3..9b5023a53 100644
--- a/Xext/xselinux_label.c
+++ b/Xext/xselinux_label.c
@@ -177,20 +177,17 @@ SELinuxSelectionToSID(Atom selection, SELinuxSubjectRec *subj,
 /* Check for an override context next */
 if (subj->sel_use_sid) {
- sidget(tsid = subj->sel_use_sid);
+ tsid = subj->sel_use_sid;
 goto out;
 }
- sidget(tsid = obj->sid);
+ tsid = obj->sid;
 /* Polyinstantiate if necessary to obtain the final SID */
- if (obj->poly) {
- sidput(tsid);
- if (avc_compute_member(subj->sid, obj->sid,
- SECCLASS_X_SELECTION, &tsid) < 0) {
- ErrorF("SELinux: a compute_member call failed!\n");
- return BadValue;
- }
+ if (obj->poly && avc_compute_member(subj->sid, obj->sid,
+ SECCLASS_X_SELECTION, &tsid) < 0) {
+ ErrorF("SELinux: a compute_member call failed!\n");
+ return BadValue;
 }
 out:
 *sid_rtn = tsid;
@@ -217,7 +214,7 @@ SELinuxPropertyToSID(Atom property, SELinuxSubjectRec *subj,
 /* Check for an override context next */
 if (subj->prp_use_sid) {
- sidget(tsid = subj->prp_use_sid);
+ tsid = subj->prp_use_sid;
 goto out;
 }
@@ -234,10 +231,8 @@ SELinuxPropertyToSID(Atom property, SELinuxSubjectRec *subj,
 if (avc_compute_member(subj->sid, tsid2, SECCLASS_X_PROPERTY, &tsid) < 0) {
 ErrorF("SELinux: a compute_member call failed!\n");
- sidput(tsid2);
 return BadValue;
 }
- sidput(tsid2);
 }
 out:
 *sid_rtn = tsid;
@@ -273,10 +268,8 @@ SELinuxEventToSID(unsigned type, security_id_t sid_of_window,
 }
 freecon(ctx);
 /* Cache the SID value */
- if (!SELinuxArraySet(&arr_events, type, sid)) {
- sidput(sid);
+ if (!SELinuxArraySet(&arr_events, type, sid))
 return BadAlloc;
- }
 }
 /* Perform a transition to obtain the final SID */
-- 
cgit v1.2.3