2:12 p.m.
From: "Richard W.M. Jones" <rjones(a)redhat.com>
According to Eric Paris this is slightly more efficient because it
only loads the regular expressions in libselinux once.
---
src/security/security_selinux.c | 20 +++++++++++++-------
1 file changed, 13 insertions(+), 7 deletions(-)
diff --git a/src/security/security_selinux.c b/src/security/security_selinux.c
index a3ef728..8b88785 100644
--- a/src/security/security_selinux.c
+++ b/src/security/security_selinux.c
@@ -935,20 +935,26 @@ virSecuritySELinuxFSetFilecon(int fd, char *tcon)
return 0;
}
+#if HAVE_SELINUX_LABEL_H
+static struct selabel_handle *sehandle = NULL;
+static virOnceControl sehandleonce = VIR_ONCE_CONTROL_INITIALIZER;
+
+static void
+seHandleInit (void)
+{
+ sehandle = selabel_open(SELABEL_CTX_FILE, NULL, 0);
+}
+#endif
+
/* Set fcon to the appropriate label for path and mode, or return -1. */
static int
getContext(const char *newpath, mode_t mode, security_context_t *fcon)
{
#if HAVE_SELINUX_LABEL_H
- struct selabel_handle *handle = selabel_open(SELABEL_CTX_FILE, NULL, 0);
- int ret;
-
- if (handle == NULL)
+ if (virOnce(&sehandleonce, seHandleInit) < 0 || sehandle == NULL)
return -1;
- ret = selabel_lookup_raw(handle, fcon, newpath, mode);
- selabel_close(handle);
- return ret;
+ return selabel_lookup_raw(sehandle, fcon, newpath, mode);
#else
return matchpathcon(newpath, mode, fcon);
#endif
--
1.8.1
2:20 p.m.
On 01/23/2013 01:12 PM, Richard W.M. Jones wrote:
From: "Richard W.M. Jones" <rjones(a)redhat.com>
According to Eric Paris this is slightly more efficient because it
only loads the regular expressions in libselinux once.
The idea seems reasonable, but I think the patch deserves a v2 for
implementation reasons.
---
src/security/security_selinux.c | 20 +++++++++++++-------
1 file changed, 13 insertions(+), 7 deletions(-)
diff --git a/src/security/security_selinux.c b/src/security/security_selinux.c
index a3ef728..8b88785 100644
--- a/src/security/security_selinux.c
+++ b/src/security/security_selinux.c
@@ -935,20 +935,26 @@ virSecuritySELinuxFSetFilecon(int fd, char *tcon)
return 0;
}
+#if HAVE_SELINUX_LABEL_H
+static struct selabel_handle *sehandle = NULL;
+static virOnceControl sehandleonce = VIR_ONCE_CONTROL_INITIALIZER;
Rather than open-coding this, why not use VIR_ONCE_GLOBAL_INIT()?
+
+static void
+seHandleInit (void)
+{
+ sehandle = selabel_open(SELABEL_CTX_FILE, NULL, 0);
+}
Besides, this function should typically return int rather than void, and
by returning -1 if sehandle is NULL,...
+#endif
+
/* Set fcon to the appropriate label for path and mode, or return -1. */
static int
getContext(const char *newpath, mode_t mode, security_context_t *fcon)
{
#if HAVE_SELINUX_LABEL_H
- struct selabel_handle *handle = selabel_open(SELABEL_CTX_FILE, NULL, 0);
- int ret;
-
- if (handle == NULL)
+ if (virOnce(&sehandleonce, seHandleInit) < 0 || sehandle == NULL)
...then you can simplify this code.
return -1;
- ret = selabel_lookup_raw(handle, fcon, newpath, mode);
- selabel_close(handle);
- return ret;
+ return selabel_lookup_raw(sehandle, fcon, newpath, mode);
#else
return matchpathcon(newpath, mode, fcon);
#endif
--
Eric Blake eblake redhat com +1-919-301-3266
Libvirt virtualization library http://libvirt.org
2:23 p.m.
On Wed, Jan 23, 2013 at 01:20:48PM -0700, Eric Blake wrote:
On 01/23/2013 01:12 PM, Richard W.M. Jones wrote:
> +#if HAVE_SELINUX_LABEL_H
> +static struct selabel_handle *sehandle = NULL;
> +static virOnceControl sehandleonce = VIR_ONCE_CONTROL_INITIALIZER;
Rather than open-coding this, why not use VIR_ONCE_GLOBAL_INIT()?
Because I was copying this from virdbus.c which does it like this.
Perhaps virdbus.c should be fixed?
Version 2 coming up ...
Rich.
--
Richard Jones, Virtualization Group, Red Hat http://people.redhat.com/~rjones
libguestfs lets you edit virtual machines. Supports shell scripting,
bindings from many languages. http://libguestfs.org
2:34 p.m.
On Wed, Jan 23, 2013 at 08:12:25PM +0000, Richard W.M. Jones wrote:
From: "Richard W.M. Jones" <rjones(a)redhat.com>
According to Eric Paris this is slightly more efficient because it
only loads the regular expressions in libselinux once.
---
src/security/security_selinux.c | 20 +++++++++++++-------
1 file changed, 13 insertions(+), 7 deletions(-)
diff --git a/src/security/security_selinux.c b/src/security/security_selinux.c
index a3ef728..8b88785 100644
--- a/src/security/security_selinux.c
+++ b/src/security/security_selinux.c
@@ -935,20 +935,26 @@ virSecuritySELinuxFSetFilecon(int fd, char *tcon)
return 0;
}
+#if HAVE_SELINUX_LABEL_H
+static struct selabel_handle *sehandle = NULL;
+static virOnceControl sehandleonce = VIR_ONCE_CONTROL_INITIALIZER;
+
+static void
+seHandleInit (void)
+{
+ sehandle = selabel_open(SELABEL_CTX_FILE, NULL, 0);
+}
+#endif
Eeek, please no more global variables - I only just finished removing
them all from this file. Put this in the virSecuritySELinuxData struct
instead.
Daniel
--
|: http://berrange.com -o- http://www.flickr.com/photos/dberrange/ :|
|: http://libvirt.org -o- http://virt-manager.org :|
|: http://autobuild.org -o- http://search.cpan.org/~danberr/ :|
|: http://entangle-photo.org -o- http://live.gnome.org/gtk-vnc :|
4321
days inactive
4321
days old
3 comments
3 participants
participants (3)
-
Daniel P. Berrange -
Eric Blake -
Richard W.M. Jones