* src/security/security_selinux.c
(SELinuxRestoreSecurityFileLabel): Use selabel_lookup instead of
matchpathcon.
Suggested by Daniel Walsh.
---
Makes the huge difference that I originally thought I'd get with patch
5/n earlier in the series. Beforehand, when trying to start a single
kvm guest then stopping libvirtd, valgrind reports:
==5584== LEAK SUMMARY:
==5584== definitely lost: 372 bytes in 13 blocks
==5584== indirectly lost: 0 bytes in 0 blocks
==5584== possibly lost: 349 bytes in 18 blocks
after, it reports:
==7803== LEAK SUMMARY:
==7803== definitely lost: 412 bytes in 14 blocks
==7803== indirectly lost: 839,126 bytes in 11,265 blocks
==7803== possibly lost: 349 bytes in 18 blocks
Obviously, I still haven't plugged everything, but this works
around the fact that libselinux used __thread incorrectly for
matchpathcon() caching.
src/security/security_selinux.c | 12 ++++++++----
1 files changed, 8 insertions(+), 4 deletions(-)
diff --git a/src/security/security_selinux.c b/src/security/security_selinux.c
index 2a45172..37539c2 100644
--- a/src/security/security_selinux.c
+++ b/src/security/security_selinux.c
@@ -14,6 +14,7 @@
*/
#include <config.h>
#include <selinux/selinux.h>
+#include <selinux/label.h>
#include <selinux/context.h>
#include <sys/types.h>
#include <sys/stat.h>
@@ -362,6 +363,7 @@ SELinuxRestoreSecurityFileLabel(const char *path)
{
struct stat buf;
security_context_t fcon = NULL;
+ struct selabel_handle *handle = NULL;
int rc = -1;
char *newpath = NULL;
char ebuf[1024];
@@ -380,14 +382,16 @@ SELinuxRestoreSecurityFileLabel(const char *path)
goto err;
}
- if (matchpathcon(newpath, buf.st_mode, &fcon) == 0) {
- rc = SELinuxSetFilecon(newpath, fcon);
+ if ((handle = selabel_open(SELABEL_CTX_FILE, NULL, 0)) == NULL ||
+ selabel_lookup(handle, &fcon, newpath, buf.st_mode) < 0) {
+ VIR_WARN("cannot lookup default selinux label for %s", newpath);
} else {
- VIR_WARN("cannot lookup default selinux label for %s",
- newpath);
+ rc = SELinuxSetFilecon(newpath, fcon);
}
err:
+ if (handle)
+ selabel_close(handle);
freecon(fcon);
VIR_FREE(newpath);
return rc;
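Review bot: The single `VIR_WARN` in the new `selabel_open` / `selabel_lookup` branch collapses two different failures into one message and discards errno, so an operator cannot tell whether the file_contexts database failed to load or whether `newpath` simply has no matching rule (the latter also surfaces as a -1 return, if libselinux behaves as I recall). I would split the condition and report the cause, e.g. `VIR_WARN("cannot open selinux label handle: %s", ...)` for the open failure and `VIR_WARN("cannot lookup default selinux label for %s: %s", newpath, ...)` for the lookup, formatting errno with the same errno-to-string helper the function already uses to fill `ebuf`. Separately, opening a fresh handle on every restore re-parses the whole file_contexts database; if this is called once per device on guest shutdown it may be worth caching the handle in the driver's private data, with locking if the driver can be entered from several threads. The enclosing function begins before this hunk.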
--
1.7.3.2