From 3e719d6c5a0b700786900cf82869370ccc5f5928 Mon Sep 17 00:00:00 2001 From: Arvin Schnell Date: Mon, 27 Mar 2023 10:43:01 +0200 Subject: [PATCH] - avoid some extra checks if SELinux is compile-time disabled --- LIBVERSION | 2 +- package/snapper.changes | 1 + snapper/FileUtils.cc | 78 +++++++++++++++++++---------------------- snapper/Lvm.cc | 17 ++------- snapper/Lvm.h | 3 -- snapper/Selinux.cc | 13 +++---- snapper/Selinux.h | 8 +++-- snapper/Snapper.cc | 32 ++++++++--------- snapper/Snapper.h | 9 ++--- 9 files changed, 71 insertions(+), 92 deletions(-) diff --git a/LIBVERSION b/LIBVERSION index 024b066c..ca063943 100644 --- a/LIBVERSION +++ b/LIBVERSION @@ -1 +1 @@ -6.2.1 +6.2.2 diff --git a/package/snapper.changes b/package/snapper.changes index 042f59a6..9bc8a20d 100644 --- a/package/snapper.changes +++ b/package/snapper.changes @@ -3,6 +3,7 @@ Tue Mar 21 08:51:05 CET 2023 - aschnell@suse.com - enable SELinux (and allow to disable via conditional build) (bsc#1209515) +- avoid some extra checks if SELinux is compile-time disabled ------------------------------------------------------------------- Thu Feb 23 11:14:58 CET 2023 - aschnell@suse.com diff --git a/snapper/FileUtils.cc b/snapper/FileUtils.cc index 92662d19..9da572f3 100644 --- a/snapper/FileUtils.cc +++ b/snapper/FileUtils.cc @@ -34,7 +34,7 @@ #include #include #include -#include +#include #include #include 
@@ -695,29 +695,26 @@ namespace snapper bool retval = true; #ifdef ENABLE_SELINUX - if (_is_selinux_enabled()) - { - assert(selabel_handle); - - struct stat buf; - if (stat(name, &buf, AT_SYMLINK_NOFOLLOW)) - { - y2err("Failed to stat " << fullname() << "/" << name); - return false; - } + assert(selabel_handle); - char* con = selabel_handle->selabel_lookup(fullname() + "/" + name, buf.st_mode); - if (con) - { - retval = fsetfilecon(name, con); - } - else - { - retval = false; - } + struct stat buf; + if (stat(name, &buf, AT_SYMLINK_NOFOLLOW)) + { + y2err("Failed to stat " << fullname() << "/" << name); + return false; + } - freecon(con); + char* con = selabel_handle->selabel_lookup(fullname() + "/" + name, buf.st_mode); + if (con) + { + retval = fsetfilecon(name, con); } + else + { + retval = false; + } + + freecon(con); #endif return retval; @@ -758,31 +755,28 @@ namespace snapper bool retval = true; #ifdef ENABLE_SELINUX - if (_is_selinux_enabled()) - { - assert(selabel_handle); + assert(selabel_handle); - struct stat buf; - - if (stat(&buf)) - { - y2err("Failed to stat " << fullname()); - return false; - } + struct stat buf; - char* con = selabel_handle->selabel_lookup(fullname(), buf.st_mode); - if (con) - { - retval = fsetfilecon(con); - } - else - { - y2war("can't get proper label for path:" << fullname()); - retval = false; - } + if (stat(&buf)) + { + y2err("Failed to stat " << fullname()); + return false; + } - freecon(con); + char* con = selabel_handle->selabel_lookup(fullname(), buf.st_mode); + if (con) + { + retval = fsetfilecon(con); } + else + { + y2war("can't get proper label for path:" << fullname()); + retval = false; + } + + freecon(con); #endif return retval; diff --git a/snapper/Lvm.cc b/snapper/Lvm.cc index 6021faef..8ffdfc27 100644 --- a/snapper/Lvm.cc +++ b/snapper/Lvm.cc @@ -1,6 +1,6 @@ /* * Copyright (c) [2011-2014] Novell, Inc. - * Copyright (c) [2020-2022] SUSE LLC + * Copyright (c) [2020-2023] SUSE LLC * * All Rights Reserved. * 
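Review bot: With the `_is_selinux_enabled()` guard removed, `assert(selabel_handle)` at the top of this hunk is the only thing standing before `selabel_handle->selabel_lookup(...)`, and it compiles away under NDEBUG, so a caller that reaches this function with SELinux disabled at runtime or with a null handle now dereferences null where the old code quietly returned `true`. A runtime guard keeps the function self-protecting regardless of build flags: `if (!selabel_handle) { y2err("no SELinux label handle for " << fullname()); return false; }`. The same applies to the second hunk (`@@ -758`), whose `else` branch logs `y2war` while this one sets `retval = false` silently; the two paths would be easier to debug if they logged alike. Both enclosing functions start and end outside their hunks, so this assumes `selabel_handle` is a pointer parameter, as the assert suggests.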
@@ -104,18 +104,6 @@ namespace snapper mount_options.push_back("nouuid"); mount_options.push_back("norecovery"); } - -#ifdef ENABLE_SELINUX - try - { - selabel_handle = SelinuxLabelHandle::get_selinux_handle(); - } - catch (const SelinuxException& e) - { - SN_RETHROW(e); - } -#endif - } @@ -140,7 +128,7 @@ namespace snapper #ifdef ENABLE_SELINUX if (_is_selinux_enabled()) { - assert(selabel_handle); + SelinuxLabelHandle* selabel_handle = SelinuxLabelHandle::get_selinux_handle(); char* con = NULL; @@ -184,6 +172,7 @@ namespace snapper } } #endif + createLvmConfig(subvolume_dir, mode); } diff --git a/snapper/Lvm.h b/snapper/Lvm.h index 6a31e984..02d40c9f 100644 --- a/snapper/Lvm.h +++ b/snapper/Lvm.h @@ -74,7 +74,6 @@ namespace snapper bool time_support = false; }; - class SelinuxLabelHandle; class Lvm : public Filesystem { @@ -115,7 +114,6 @@ namespace snapper const string mount_type; const LvmCapabilities* caps; LvmCache* cache; - SelinuxLabelHandle* selabel_handle = nullptr; bool detectThinVolumeNames(const MtabData& mtab_data); void activateSnapshot(const string& vg_name, const string& lv_name) const; @@ -134,5 +132,4 @@ namespace snapper } - #endif diff --git a/snapper/Selinux.cc b/snapper/Selinux.cc index 23955ec5..1e209973 100644 --- a/snapper/Selinux.cc +++ b/snapper/Selinux.cc @@ -1,5 +1,6 @@ /* * Copyright (c) [2016] Red Hat, Inc. + * Copyright (c) 2023 SUSE LLC * * All Rights Reserved. * @@ -120,7 +121,7 @@ namespace snapper else { if (errno == ENOENT) - y2deb("Selinux context not defined for path " << path); + y2deb("SELinux context not defined for path " << path); return NULL; } @@ -137,7 +138,7 @@ namespace snapper { selinux_enabled = (is_selinux_enabled() == 1); // may return -1 on error selinux_checked = true; - y2mil("Selinux support " << (selinux_enabled ? "enabled" : "disabled")); + y2mil("SELinux support " << (selinux_enabled ? "enabled" : "disabled")); } return selinux_enabled; 
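Review bot: `SelinuxLabelHandle::get_selinux_handle()` in the `@@ -140` hunk can throw `SelinuxException` (the constructor code removed in `@@ -104` caught exactly that), and the call now sits mid-body with no visible `try`, so the failure surfaces from this method instead of from construction and whatever `SN_RETHROW` did on the way (presumably logging) no longer happens. The method's signature is outside the hunk; either restore a `try { ... } catch (const SelinuxException& e) { SN_RETHROW(e); }` around the call or document on the declaration that it throws `SelinuxException` when SELinux is enabled but no label handle can be opened. Separately, the `@@ -184` hunk adds `createLvmConfig(subvolume_dir, mode);` after the `#endif`, which is not an "avoid extra checks" change; unless that call was previously made in the unchanged lines between the hunks, it deserves a sentence in the commit message or its own commit.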
@@ -147,13 +148,9 @@ namespace snapper SelinuxLabelHandle* SelinuxLabelHandle::get_selinux_handle() { - if (_is_selinux_enabled()) - { - static SelinuxLabelHandle handle; - return &handle; - } + static SelinuxLabelHandle handle; - return nullptr; + return &handle; } } diff --git a/snapper/Selinux.h b/snapper/Selinux.h index 38735ced..a9b98125 100644 --- a/snapper/Selinux.h +++ b/snapper/Selinux.h @@ -69,14 +69,18 @@ namespace snapper class SelinuxLabelHandle : public boost::noncopyable { public: + + /** + * Will most likely throw if SELinux is not enabled. + */ static SelinuxLabelHandle* get_selinux_handle(); char* selabel_lookup(const string& path, int mode); - ~SelinuxLabelHandle() { selabel_close(handle); } - private: + SelinuxLabelHandle(); + ~SelinuxLabelHandle() { selabel_close(handle); } struct selabel_handle* handle; }; diff --git a/snapper/Snapper.cc b/snapper/Snapper.cc index 5966c471..63a63c86 100644 --- a/snapper/Snapper.cc +++ b/snapper/Snapper.cc @@ -1,6 +1,6 @@ /* * Copyright (c) [2011-2015] Novell, Inc. - * Copyright (c) [2016-2022] SUSE LLC + * Copyright (c) [2016-2023] SUSE LLC * * All Rights Reserved. * @@ -96,17 +96,6 @@ namespace snapper y2mil("libsnapper version " VERSION); y2mil("config_name:" << config_name << " disable_filters:" << disable_filters); -#ifdef ENABLE_SELINUX - try - { - selabel_handle = SelinuxLabelHandle::get_selinux_handle(); - } - catch (const SelinuxException& e) - { - SN_RETHROW(e); - } -#endif - try { config_info = new ConfigInfo(config_name, root_prefix); 
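Review bot: The doc comment added to `get_selinux_handle()` in the Selinux.h hunk, `Will most likely throw if SELinux is not enabled.`, leaves the contract vaguer than the code now is: the `@@ -147` hunk in Selinux.cc always constructs the static handle, so the function never returns `nullptr` any more, and the failure callers used to catch is `SelinuxException`. Suggest replacing it with `/** Returns the process-wide label handle; never nullptr. Throws SelinuxException if the handle cannot be opened (e.g. SELinux disabled), so callers must check _is_selinux_enabled() first; construction is retried on the next call after a throw. */`. Any remaining call site that tests the result for `nullptr` (none is visible in this patch, but other callers are not shown) is now dead code and should be reviewed. Making `~SelinuxLabelHandle()` private is fine for a function-local static, but a one-line comment saying the object only lives as that static would save the next reader the question.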
@@ -120,8 +109,15 @@ namespace snapper filesystem = Filesystem::create(*config_info, root_prefix); - // With btrfs backend, it's useless try syncing snapshot RO subvolumes - syncSelinuxContexts(filesystem->fstype() == "btrfs"); +#ifdef ENABLE_SELINUX + if (_is_selinux_enabled()) + { + SelinuxLabelHandle* selabel_handle = SelinuxLabelHandle::get_selinux_handle(); + + // With btrfs backend, it's useless try syncing snapshot RO subvolumes + syncSelinuxContexts(selabel_handle, filesystem->fstype() == "btrfs"); + } +#endif bool sync_acl; if (config_info->get_value(KEY_SYNC_ACL, sync_acl) && sync_acl == true) @@ -924,7 +920,7 @@ namespace snapper void - Snapper::syncSelinuxContexts(bool skip_snapshot_dir) const + Snapper::syncSelinuxContexts(SelinuxLabelHandle* selabel_handle, bool skip_snapshot_dir) const { #ifdef ENABLE_SELINUX try @@ -934,14 +930,14 @@ namespace snapper if (infos_dir.restorecon(selabel_handle)) { - syncSelinuxContextsInInfosDir(skip_snapshot_dir); + syncSelinuxContextsInInfosDir(selabel_handle, skip_snapshot_dir); } else { SnapperContexts scons; if (infos_dir.fsetfilecon(scons.subvolume_context())) - syncSelinuxContextsInInfosDir(skip_snapshot_dir); + syncSelinuxContextsInInfosDir(selabel_handle, skip_snapshot_dir); } } catch (const SelinuxException& e) @@ -954,7 +950,7 @@ namespace snapper void - Snapper::syncSelinuxContextsInInfosDir(bool skip_snapshot_dir) const + Snapper::syncSelinuxContextsInInfosDir(SelinuxLabelHandle* selabel_handle, bool skip_snapshot_dir) const { #ifdef ENABLE_SELINUX static const regex rx("[0-9]+", regex::extended); diff --git a/snapper/Snapper.h b/snapper/Snapper.h index 3a29d981..14831d63 100644 --- a/snapper/Snapper.h +++ b/snapper/Snapper.h @@ -1,6 +1,6 @@ /* * Copyright (c) [2011-2015] Novell, Inc. - * Copyright (c) [2016-2022] SUSE LLC + * Copyright (c) [2016-2023] SUSE LLC * * All Rights Reserved. * 
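Review bot: In the `@@ -120` hunk the handle is fetched after `config_info = new ConfigInfo(...)` (visible in the preceding hunk) and `filesystem = Filesystem::create(...)` have run, without the `try`/`SN_RETHROW` wrapper the constructor used to have; if `get_selinux_handle()` throws `SelinuxException` here, the constructor exits without `~Snapper()` running, so the raw `config_info` pointer (declared `ConfigInfo* config_info = nullptr;` in Snapper.h) and presumably `filesystem` leak, and the throw is no longer logged at this site. Before this patch the handle was obtained ahead of those allocations, so nothing leaked. Either wrap the new block in `try { ... } catch (const SelinuxException& e) { SN_RETHROW(e); }` or move it back above the `config_info` creation. The constructor starts and ends outside the hunk.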
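Review bot: The `SelinuxLabelHandle* selabel_handle` parameter added in the `@@ -924` and `@@ -954` hunks is passed straight to `infos_dir.restorecon(selabel_handle)`, which after the FileUtils.cc change only asserts non-null, and the `catch (const SelinuxException&)` in `syncSelinuxContexts` would not catch a null dereference. Either add `if (!selabel_handle) return;` as the first statement of both functions or state the precondition on the declarations, `// selabel_handle must be non-null (from SelinuxLabelHandle::get_selinux_handle())`. Both function bodies continue past the hunk.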
@@ -206,8 +206,9 @@ namespace snapper void syncAcl(const vector& uids, const vector& gids) const; - void syncSelinuxContexts(bool skip_snapshot_dir) const; - void syncSelinuxContextsInInfosDir(bool skip_snapshot_dir) const; + void syncSelinuxContexts(SelinuxLabelHandle* selabel_handle, bool skip_snapshot_dir) const; + void syncSelinuxContextsInInfosDir(SelinuxLabelHandle* selabel_handle, bool skip_snapshot_dir) const; + void syncInfoDir(SDir& dir) const; ConfigInfo* config_info = nullptr; @@ -218,7 +219,7 @@ namespace snapper Snapshots snapshots; - SelinuxLabelHandle* selabel_handle = nullptr; + SelinuxLabelHandle* selabel_handle_unused = nullptr; // TODO remove }; -- 2.47.3
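Review bot: The retained member `SelinuxLabelHandle* selabel_handle_unused = nullptr; // TODO remove` in the `@@ -218` hunk gives no reason for keeping a dead field; presumably it stays so the class layout, and with it the library ABI, is unchanged while LIBVERSION moves only from 6.2.1 to 6.2.2. Make the reason explicit so nobody cleans it up in a patch release: `SelinuxLabelHandle* selabel_handle_unused = nullptr; // unused; kept only to preserve class layout (ABI) - remove at the next SONAME bump`. If ABI preservation is not the intent, the field should go now together with the forward declaration that only it needed.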