[libvirt] [PATCH 8/n] selinux: avoid memory overhead of matchpathcon

Eric Blake eblake at redhat.com
Wed Dec 1 03:54:37 UTC 2010


* src/security/security_selinux.c
(SELinuxRestoreSecurityFileLabel): Use selabel_lookup instead of
matchpathcon.
Suggested by Daniel Walsh.
---

Makes the huge difference that I originally thought I'd get with patch
5/n earlier in the series.  Beforehand, when trying to start a single
kvm guest then stopping libvirtd, valgrind reports:

==5584== LEAK SUMMARY:
==5584==    definitely lost: 372 bytes in 13 blocks
==5584==    indirectly lost: 0 bytes in 0 blocks
==5584==      possibly lost: 349 bytes in 18 blocks

after, it reports:

==7803== LEAK SUMMARY:
==7803==    definitely lost: 412 bytes in 14 blocks
==7803==    indirectly lost: 839,126 bytes in 11,265 blocks
==7803==      possibly lost: 349 bytes in 18 blocks

Obviously, I still haven't plugged everything, but this works
around the fact that libselinux used __thread incorrectly for
matchpathcon() caching.

 src/security/security_selinux.c |   12 ++++++++----
 1 files changed, 8 insertions(+), 4 deletions(-)

diff --git a/src/security/security_selinux.c b/src/security/security_selinux.c
index 2a45172..37539c2 100644
--- a/src/security/security_selinux.c
+++ b/src/security/security_selinux.c
@@ -14,6 +14,7 @@
  */
 #include <config.h>
 #include <selinux/selinux.h>
+#include <selinux/label.h>
 #include <selinux/context.h>
 #include <sys/types.h>
 #include <sys/stat.h>
@@ -362,6 +363,7 @@ SELinuxRestoreSecurityFileLabel(const char *path)
 {
     struct stat buf;
     security_context_t fcon = NULL;
+    struct selabel_handle *handle = NULL;
     int rc = -1;
     char *newpath = NULL;
     char ebuf[1024];
@@ -380,14 +382,16 @@ SELinuxRestoreSecurityFileLabel(const char *path)
         goto err;
     }

-    if (matchpathcon(newpath, buf.st_mode, &fcon) == 0)  {
-        rc = SELinuxSetFilecon(newpath, fcon);
+    if ((handle = selabel_open(SELABEL_CTX_FILE, NULL, 0)) == NULL ||
+        selabel_lookup(handle, &fcon, newpath, buf.st_mode) < 0) {
+        VIR_WARN("cannot lookup default selinux label for %s", newpath);
     } else {
-        VIR_WARN("cannot lookup default selinux label for %s",
-                 newpath);
+        rc = SELinuxSetFilecon(newpath, fcon);
     }

 err:
+    if (handle)
+        selabel_close(handle);
     freecon(fcon);
     VIR_FREE(newpath);
     return rc;
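Review bot: The new `selabel_open(SELABEL_CTX_FILE, NULL, 0)` call loads and parses the file_contexts database on every invocation of SELinuxRestoreSecurityFileLabel, and since this function runs once per labelled path during a restore, the per-call open/close pair replaces the matchpathcon cache with repeated parsing; consider opening the handle once per restore pass (or lazily in the driver state) and passing it in, closing it when the pass ends. The merged condition also collapses two distinct failures into one warning — selabel_open() failing (no readable policy) versus selabel_lookup() finding no match (errno set, typically ENOENT) — so including errno, e.g. `VIR_WARN("cannot lookup default selinux label for %s: %s", newpath, virStrerror(errno, ebuf, sizeof ebuf));`, would let the log tell them apart; `ebuf` is already declared in this function. The opening of the function lies outside this hunk.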
-- 
1.7.3.2



