authorStephen Smalley <sds@tycho.nsa.gov>2009-07-01 13:45:40 -0400
committerStephen Smalley <sds@tycho.nsa.gov>2009-07-14 10:55:34 -0400
commit8c372f665db44cf753bb299e2ee7dcf6143b9e9e (patch)
treee952589afb3633a7a216dd0adaf0eaf4278ac712 /libselinux/src/stringrep.c
parent1ac1ff6382505fa1e245fdc9c91b2448a7843101 (diff)
libselinux: lazy init
Revive Steve Grubb's patch for libselinux lazy init and extend it to address not only the reading of /etc/selinux/config but also probing for /selinux/class and reading of /selinux/mls. This should reduce the need for dontaudit rules for programs that link with libselinux and it should reduce unnecessary overhead. I did not convert init_selinuxmnt over to lazy init since the functions that use selinux_mnt are not localized, and it only requires stat'ing of /selinux in the common case. I couldn't see a valid reason why we needed fini_obj_class_compat(), as the existence of /selinux/class will only change across a reboot with different kernel versions. fini_context_translations() already had a comment saying that it was unnecessary as well. Before: $ strace ls 2> err $ grep selinux err open("/lib/libselinux.so.1", O_RDONLY) = 3 open("/etc/selinux/config", O_RDONLY|O_LARGEFILE) = 3 statfs64("/selinux", 84, {f_type=0xf97cff8c, f_bsize=4096, f_blocks=0, f_bfree=0, f_bavail=0, f_files=0, f_ffree=0, f_fsid={0, 0}, f_namelen=255, f_frsize=4096}) = 0 stat64("/selinux/class", {st_mode=S_IFDIR|0555, st_size=0, ...}) = 0 open("/selinux/mls", O_RDONLY|O_LARGEFILE) = 3 After: $ strace ls 2> err $ grep selinux err open("/lib/libselinux.so.1", O_RDONLY) = 3 statfs64("/selinux", 84, {f_type=0xf97cff8c, f_bsize=4096, f_blocks=0, f_bfree=0, f_bavail=0, f_files=0, f_ffree=0, f_fsid={0, 0}, f_namelen=255, f_frsize=4096}) = 0 Original-patch-by: Steve Grubb <linux_4ever@yahoo.com> Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
Diffstat (limited to 'libselinux/src/stringrep.c')
-rw-r--r--libselinux/src/stringrep.c28
1 files changed, 27 insertions, 1 deletions
diff --git a/libselinux/src/stringrep.c b/libselinux/src/stringrep.c
index b3f3120e..b19bce73 100644
--- a/libselinux/src/stringrep.c
+++ b/libselinux/src/stringrep.c
@@ -152,7 +152,25 @@ static const struct av_inherit {
#define NVECTORS ARRAY_SIZE(av_perm_to_string)
#define MAXVECTORS 8*sizeof(access_vector_t)
-extern int obj_class_compat;
+static pthread_once_t once = PTHREAD_ONCE_INIT;
+
+static int obj_class_compat;
+
+static void init_obj_class_compat(void)
+{
+ char path[PATH_MAX];
+ struct stat s;
+
+ if (!selinux_mnt)
+ return;
+
+ snprintf(path,PATH_MAX,"%s/class",selinux_mnt);
+ if (stat(path,&s) < 0)
+ return;
+
+ if (S_ISDIR(s.st_mode))
+ obj_class_compat = 0;
+}
struct discover_class_node {
char *name;
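Review bot: `obj_class_compat` is now a zero-initialised static and `init_obj_class_compat()` only ever assigns it 0, so the `if (obj_class_compat)` branches in `string_to_security_class`, `string_to_av_perm`, `security_class_to_string` and `security_av_perm_to_string` can never be taken. The removed `extern` declaration means the previous definition lived in another file, and it presumably started at 1 so that compat mode stayed on unless `<selinux_mnt>/class` was found to be a directory; that default should be carried over as `static int obj_class_compat = 1;`. With that initialiser, the early returns on a missing `selinux_mnt` or a failed `stat()` fall back to the built-in compat tables instead of silently selecting the discovery path. A one-line comment above the variable would also help, e.g. `/* 1 = use built-in class/perm tables; cleared once <selinux_mnt>/class is seen */`.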
@@ -420,6 +438,8 @@ security_class_t string_to_security_class(const char *s)
{
struct discover_class_node *node;
+ __selinux_once(once, init_obj_class_compat);
+
if (obj_class_compat)
return string_to_security_class_compat(s);
@@ -441,6 +461,8 @@ access_vector_t string_to_av_perm(security_class_t tclass, const char *s)
struct discover_class_node *node;
security_class_t kclass = unmap_class(tclass);
+ __selinux_once(once, init_obj_class_compat);
+
if (obj_class_compat)
return map_perm(tclass, string_to_av_perm_compat(kclass, s));
@@ -462,6 +484,8 @@ const char *security_class_to_string(security_class_t tclass)
tclass = unmap_class(tclass);
+ __selinux_once(once, init_obj_class_compat);
+
if (obj_class_compat)
return security_class_to_string_compat(tclass);
@@ -481,6 +505,8 @@ const char *security_av_perm_to_string(security_class_t tclass,
av = unmap_perm(tclass, av);
tclass = unmap_class(tclass);
+ __selinux_once(once, init_obj_class_compat);
+
if (obj_class_compat)
return security_av_perm_to_string_compat(tclass,av);