[libvirt] [PATCH] selinux: Only create the selabel_handle once.

From: "Richard W.M. Jones" <rjones@redhat.com>
According to Eric Paris this is slightly more efficient because it only loads the regular expressions in libselinux once.
---
src/security/security_selinux.c | 20 +++++++++++++-------
1 file changed, 13 insertions(+), 7 deletions(-)
diff --git a/src/security/security_selinux.c b/src/security/security_selinux.c
index a3ef728..8b88785 100644
--- a/src/security/security_selinux.c
+++ b/src/security/security_selinux.c
@@ -935,20 +935,26 @@ virSecuritySELinuxFSetFilecon(int fd, char *tcon)
 return 0;
 }
+#if HAVE_SELINUX_LABEL_H
+static struct selabel_handle *sehandle = NULL;
+static virOnceControl sehandleonce = VIR_ONCE_CONTROL_INITIALIZER;
+
+static void
+seHandleInit (void)
+{
+ sehandle = selabel_open(SELABEL_CTX_FILE, NULL, 0);
+}
+#endif
+
 /* Set fcon to the appropriate label for path and mode, or return -1. */
 static int
 getContext(const char *newpath, mode_t mode, security_context_t *fcon)
 {
 #if HAVE_SELINUX_LABEL_H
- struct selabel_handle *handle = selabel_open(SELABEL_CTX_FILE, NULL, 0);
- int ret;
-
- if (handle == NULL)
+ if (virOnce(&sehandleonce, seHandleInit) < 0 || sehandle == NULL)
 return -1;
- ret = selabel_lookup_raw(handle, fcon, newpath, mode);
- selabel_close(handle);
- return ret;
+ return selabel_lookup_raw(sehandle, fcon, newpath, mode);
 #else
 return matchpathcon(newpath, mode, fcon);
 #endif
-- 1.8.1
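Review bot: A failed selabel_open() in seHandleInit is now permanent: virOnce runs the initializer exactly once, so if it returns NULL (file_contexts unreadable or policy not yet loaded at the moment of the first call) sehandle stays NULL and every later getContext() call fails for the rest of the daemon's life, whereas the removed per-call open would have recovered on the next call. Consider retrying the open when a previous attempt left sehandle NULL, and reporting the failure so it is visible, e.g. `if (sehandle == NULL) { virReportSystemError(errno, "%s", _("cannot open SELinux file_contexts handle")); return -1; }` (assuming the error-reporting helpers the rest of this file uses are in scope here). Keeping one handle for the process lifetime also means file_contexts changes made after libvirtd starts are no longer picked up, and it relies on selabel_lookup_raw() being safe for concurrent lookups on a shared handle from libvirtd's worker threads, which should be confirmed against the libselinux version being targeted. The removed selabel_close() has no counterpart, so the handle is never released; that is harmless at exit but deserves a comment on the static so nobody adds a close in an error path.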

On 01/23/2013 01:12 PM, Richard W.M. Jones wrote:
From: "Richard W.M. Jones" <rjones@redhat.com>
According to Eric Paris this is slightly more efficient because it only loads the regular expressions in libselinux once.
The idea seems reasonable, but I think the patch deserves a v2 for implementation reasons.
---
src/security/security_selinux.c | 20 +++++++++++++-------
1 file changed, 13 insertions(+), 7 deletions(-)
diff --git a/src/security/security_selinux.c b/src/security/security_selinux.c
index a3ef728..8b88785 100644
--- a/src/security/security_selinux.c
+++ b/src/security/security_selinux.c
@@ -935,20 +935,26 @@ virSecuritySELinuxFSetFilecon(int fd, char *tcon)
 return 0;
 }
+#if HAVE_SELINUX_LABEL_H
+static struct selabel_handle *sehandle = NULL;
+static virOnceControl sehandleonce = VIR_ONCE_CONTROL_INITIALIZER;
Rather than open-coding this, why not use VIR_ONCE_GLOBAL_INIT()?
+
+static void
+seHandleInit (void)
+{
+ sehandle = selabel_open(SELABEL_CTX_FILE, NULL, 0);
+}
Besides, this function should typically return int rather than void, and by returning -1 if sehandle is NULL,...
+#endif
+
 /* Set fcon to the appropriate label for path and mode, or return -1. */
 static int
 getContext(const char *newpath, mode_t mode, security_context_t *fcon)
 {
 #if HAVE_SELINUX_LABEL_H
- struct selabel_handle *handle = selabel_open(SELABEL_CTX_FILE, NULL, 0);
- int ret;
-
- if (handle == NULL)
+ if (virOnce(&sehandleonce, seHandleInit) < 0 || sehandle == NULL)
...then you can simplify this code.
return -1;
- ret = selabel_lookup_raw(handle, fcon, newpath, mode);
- selabel_close(handle);
- return ret;
+ return selabel_lookup_raw(sehandle, fcon, newpath, mode);
 #else
 return matchpathcon(newpath, mode, fcon);
 #endif
-- Eric Blake eblake redhat com +1-919-301-3266 Libvirt virtualization library http://libvirt.org

On Wed, Jan 23, 2013 at 01:20:48PM -0700, Eric Blake wrote:
On 01/23/2013 01:12 PM, Richard W.M. Jones wrote:
+#if HAVE_SELINUX_LABEL_H
+static struct selabel_handle *sehandle = NULL;
+static virOnceControl sehandleonce = VIR_ONCE_CONTROL_INITIALIZER;
Rather than open-coding this, why not use VIR_ONCE_GLOBAL_INIT()?
Because I was copying this from virdbus.c which does it like this. Perhaps virdbus.c should be fixed? Version 2 coming up ... Rich. -- Richard Jones, Virtualization Group, Red Hat http://people.redhat.com/~rjones libguestfs lets you edit virtual machines. Supports shell scripting, bindings from many languages. http://libguestfs.org

On Wed, Jan 23, 2013 at 08:12:25PM +0000, Richard W.M. Jones wrote:
From: "Richard W.M. Jones" <rjones@redhat.com>
According to Eric Paris this is slightly more efficient because it only loads the regular expressions in libselinux once.
---
src/security/security_selinux.c | 20 +++++++++++++-------
1 file changed, 13 insertions(+), 7 deletions(-)
diff --git a/src/security/security_selinux.c b/src/security/security_selinux.c
index a3ef728..8b88785 100644
--- a/src/security/security_selinux.c
+++ b/src/security/security_selinux.c
@@ -935,20 +935,26 @@ virSecuritySELinuxFSetFilecon(int fd, char *tcon)
 return 0;
 }
+#if HAVE_SELINUX_LABEL_H
+static struct selabel_handle *sehandle = NULL;
+static virOnceControl sehandleonce = VIR_ONCE_CONTROL_INITIALIZER;
+
+static void
+seHandleInit (void)
+{
+ sehandle = selabel_open(SELABEL_CTX_FILE, NULL, 0);
+}
+#endif
Eeek, please no more global variables - I only just finished removing them all from this file. Put this in the virSecuritySELinuxData struct instead. Daniel -- |: http://berrange.com -o- http://www.flickr.com/photos/dberrange/ :| |: http://libvirt.org -o- http://virt-manager.org :| |: http://autobuild.org -o- http://search.cpan.org/~danberr/ :| |: http://entangle-photo.org -o- http://live.gnome.org/gtk-vnc :|