Re: [PATCH 7/9] semanage: Update semanage to allow runtime labeling of Infiniband Pkeys

2017-05-12 Thread Stephen Smalley
On Thu, 2017-05-11 at 22:51 +, Daniel Jurgens wrote:
> On 5/10/2017 2:22 PM, Stephen Smalley wrote:
> > On Tue, 2017-05-09 at 23:50 +0300, Dan Jurgens wrote:
> > > From: Daniel Jurgens 
> > > 
> > > 
> > >  libsepol/src/ibpkeys.c|  264
> > > ++
> > >  python/semanage/semanage  |   60 +++-
> > >  python/semanage/seobject.py   |  253
> > > +
> > >  28 files changed, 2159 insertions(+), 17 deletions(-)
> > 
> > That's a lot of code.  Did you look at whether you could generalize
> > the
> > port record stuff at all to see if we could factor out common
> > helpers
> > or anything?  I guess this is consistent with the current code, but
> > it
> > seems like a lot of very similar code being duplicated and then
> > slightly tweaked.
> 
> I don't see a good way to generalize.  The high/low pkey/port part
> overlaps, but all that code is compact anyway.  Making it work for
> both would complicate it, since it would then have to figure out the
> correct key/ocontext to use.  The protocol and subnet_prefix handling
> is most of the code, and it's very different.

Yes, looking at it more closely, I agree.  Thanks for looking at it
anyway.

> > 
> > >  
> > >   create_dir(newroot_path(), 0o755)
> > > diff --git a/libsepol/VERSION b/libsepol/VERSION
> > > index 5154b3f..e70b452 100644
> > > --- a/libsepol/VERSION
> > > +++ b/libsepol/VERSION
> > > @@ -1 +1 @@
> > > -2.6
> > > +2.6.0
> > 
> > Extraneous change?
> 
> Yes.
> > > +struct sepol_ibpkey {
> > > + /* Subnet prefix */
> > > + char *subnet_prefix;
> > > + size_t subnet_prefix_sz;
> > 
> > Do we need support for variable-length subnet prefix?  Can it
> > change?
> 
> It doesn't need to be variable.  I'll remove.
> > > +#ifdef DARWIN
> > > + memcpy(subnet_prefix_bytes, in_addr.s6_addr, 16);
> > > +#else
> > > + memcpy(subnet_prefix_bytes, in_addr.s6_addr32, 16);
> > > +#endif
> > 
> > Just reduce to always using s6_addr
> 
> Done
> > > +static int ibpkey_alloc_subnet_prefix(sepol_handle_t *handle,
> > > +   char **subnet_prefix,
> > > +   size_t *subnet_prefix_sz)
> > > +{
> > > + char *tmp_subnet_prefix = malloc(16);
> > > + size_t tmp_subnet_prefix_sz = 16;
> > 
> > No magic constants, and definitely not repeatedly used.
> 
> Done


Re: [PATCH 7/9] semanage: Update semanage to allow runtime labeling of Infiniband Pkeys

2017-05-10 Thread Stephen Smalley
On Tue, 2017-05-09 at 23:50 +0300, Dan Jurgens wrote:
> From: Daniel Jurgens 
> 
> Update libsepol and libsemanage to work with pkey records. Add local
> storage for new and modified pkey records in pkeys.local. Update
> semanage
> to parse the pkey command options to add, modify, and delete pkeys.
> 
> Signed-off-by: Daniel Jurgens 
> ---
>  libsemanage/include/semanage/ibpkey_record.h  |   76 
>  libsemanage/include/semanage/ibpkeys_local.h  |   36 ++
>  libsemanage/include/semanage/ibpkeys_policy.h |   28 ++
>  libsemanage/include/semanage/semanage.h   |3 +
>  libsemanage/src/direct_api.c  |   29 ++-
>  libsemanage/src/handle.h  |   36 ++-
>  libsemanage/src/ibpkey_internal.h |   52 +++
>  libsemanage/src/ibpkey_record.c   |  187 ++
>  libsemanage/src/ibpkeys_file.c|  181 ++
>  libsemanage/src/ibpkeys_local.c   |  182 ++
>  libsemanage/src/ibpkeys_policy.c  |   52 +++
>  libsemanage/src/ibpkeys_policydb.c|   62 
>  libsemanage/src/libsemanage.map   |1 +
>  libsemanage/src/policy_components.c   |5 +-
>  libsemanage/src/semanage_store.c  |1 +
>  libsemanage/src/semanage_store.h  |1 +
>  libsemanage/src/semanageswig.i|3 +
>  libsemanage/src/semanageswig_python.i |   43 +++
>  libsemanage/utils/semanage_migrate_store  |3 +-
>  libsepol/VERSION  |2 +-
>  libsepol/include/sepol/ibpkey_record.h|   75 
>  libsepol/include/sepol/ibpkeys.h  |   44 +++
>  libsepol/include/sepol/sepol.h|2 +
>  libsepol/src/ibpkey_internal.h|   21 ++
>  libsepol/src/ibpkey_record.c  |  474
> +
>  libsepol/src/ibpkeys.c|  264 ++
>  python/semanage/semanage  |   60 +++-
>  python/semanage/seobject.py   |  253 +
>  28 files changed, 2159 insertions(+), 17 deletions(-)

That's a lot of code.  Did you look at whether you could generalize the
port record stuff at all to see if we could factor out common helpers
or anything?  I guess this is consistent with the current code, but it
seems like a lot of very similar code being duplicated and then
slightly tweaked.

>  create mode 100644 libsemanage/include/semanage/ibpkey_record.h
>  create mode 100644 libsemanage/include/semanage/ibpkeys_local.h
>  create mode 100644 libsemanage/include/semanage/ibpkeys_policy.h
>  create mode 100644 libsemanage/src/ibpkey_internal.h
>  create mode 100644 libsemanage/src/ibpkey_record.c
>  create mode 100644 libsemanage/src/ibpkeys_file.c
>  create mode 100644 libsemanage/src/ibpkeys_local.c
>  create mode 100644 libsemanage/src/ibpkeys_policy.c
>  create mode 100644 libsemanage/src/ibpkeys_policydb.c
>  create mode 100644 libsepol/include/sepol/ibpkey_record.h
>  create mode 100644 libsepol/include/sepol/ibpkeys.h
>  create mode 100644 libsepol/src/ibpkey_internal.h
>  create mode 100644 libsepol/src/ibpkey_record.c
>  create mode 100644 libsepol/src/ibpkeys.c
> 
> diff --git a/libsemanage/include/semanage/ibpkey_record.h
> b/libsemanage/include/semanage/ibpkey_record.h
> new file mode 100644
> index 000..45fe59e
> --- /dev/null
> +++ b/libsemanage/include/semanage/ibpkey_record.h
> @@ -0,0 +1,76 @@
> +/* Copyright (C) 2017 Mellanox Technologies Inc */
> +
> +#ifndef _SEMANAGE_IBPKEY_RECORD_H_
> +#define _SEMANAGE_IBPKEY_RECORD_H_
> +
> +#include 
> +#include 
> +#include 
> +
> +#ifndef _SEMANAGE_IBPKEY_DEFINED_
> +struct semanage_ibpkey;
> +struct semanage_ibpkey_key;
> +typedef struct semanage_ibpkey semanage_ibpkey_t;
> +typedef struct semanage_ibpkey_key semanage_ibpkey_key_t;
> +#define _SEMANAGE_IBPKEY_DEFINED_
> +#endif
> +
> +extern int semanage_ibpkey_compare(const semanage_ibpkey_t *ibpkey,
> +    const semanage_ibpkey_key_t
> *key);
> +
> +extern int semanage_ibpkey_compare2(const semanage_ibpkey_t *ibpkey,
> + const semanage_ibpkey_t
> *ibpkey2);
> +
> +extern int semanage_ibpkey_key_create(semanage_handle_t *handle,
> +   const char *subnet_prefix,
> +   int low, int high,
> +   semanage_ibpkey_key_t
> **key_ptr);
> +
> +extern int semanage_ibpkey_key_extract(semanage_handle_t *handle,
> +    const semanage_ibpkey_t
> *ibpkey,
> +    semanage_ibpkey_key_t
> **key_ptr);
> +
> +extern void semanage_ibpkey_key_free(semanage_ibpkey_key_t *key);
> +
> +extern int semanage_ibpkey_get_subnet_prefix(semanage_handle_t
> *handle,
> +  const semanage_ibpkey_t
> *ibpkey,
> +   

[PATCH 7/9] semanage: Update semanage to allow runtime labeling of Infiniband Pkeys

2017-05-09 Thread Dan Jurgens
From: Daniel Jurgens 

Update libsepol and libsemanage to work with pkey records. Add local
storage for new and modified pkey records in pkeys.local. Update semanage
to parse the pkey command options to add, modify, and delete pkeys.

Signed-off-by: Daniel Jurgens 
---
 libsemanage/include/semanage/ibpkey_record.h  |   76 
 libsemanage/include/semanage/ibpkeys_local.h  |   36 ++
 libsemanage/include/semanage/ibpkeys_policy.h |   28 ++
 libsemanage/include/semanage/semanage.h   |3 +
 libsemanage/src/direct_api.c  |   29 ++-
 libsemanage/src/handle.h  |   36 ++-
 libsemanage/src/ibpkey_internal.h |   52 +++
 libsemanage/src/ibpkey_record.c   |  187 ++
 libsemanage/src/ibpkeys_file.c|  181 ++
 libsemanage/src/ibpkeys_local.c   |  182 ++
 libsemanage/src/ibpkeys_policy.c  |   52 +++
 libsemanage/src/ibpkeys_policydb.c|   62 
 libsemanage/src/libsemanage.map   |1 +
 libsemanage/src/policy_components.c   |5 +-
 libsemanage/src/semanage_store.c  |1 +
 libsemanage/src/semanage_store.h  |1 +
 libsemanage/src/semanageswig.i|3 +
 libsemanage/src/semanageswig_python.i |   43 +++
 libsemanage/utils/semanage_migrate_store  |3 +-
 libsepol/VERSION  |2 +-
 libsepol/include/sepol/ibpkey_record.h|   75 
 libsepol/include/sepol/ibpkeys.h  |   44 +++
 libsepol/include/sepol/sepol.h|2 +
 libsepol/src/ibpkey_internal.h|   21 ++
 libsepol/src/ibpkey_record.c  |  474 +
 libsepol/src/ibpkeys.c|  264 ++
 python/semanage/semanage  |   60 +++-
 python/semanage/seobject.py   |  253 +
 28 files changed, 2159 insertions(+), 17 deletions(-)
 create mode 100644 libsemanage/include/semanage/ibpkey_record.h
 create mode 100644 libsemanage/include/semanage/ibpkeys_local.h
 create mode 100644 libsemanage/include/semanage/ibpkeys_policy.h
 create mode 100644 libsemanage/src/ibpkey_internal.h
 create mode 100644 libsemanage/src/ibpkey_record.c
 create mode 100644 libsemanage/src/ibpkeys_file.c
 create mode 100644 libsemanage/src/ibpkeys_local.c
 create mode 100644 libsemanage/src/ibpkeys_policy.c
 create mode 100644 libsemanage/src/ibpkeys_policydb.c
 create mode 100644 libsepol/include/sepol/ibpkey_record.h
 create mode 100644 libsepol/include/sepol/ibpkeys.h
 create mode 100644 libsepol/src/ibpkey_internal.h
 create mode 100644 libsepol/src/ibpkey_record.c
 create mode 100644 libsepol/src/ibpkeys.c

diff --git a/libsemanage/include/semanage/ibpkey_record.h 
b/libsemanage/include/semanage/ibpkey_record.h
new file mode 100644
index 000..45fe59e
--- /dev/null
+++ b/libsemanage/include/semanage/ibpkey_record.h
@@ -0,0 +1,76 @@
+/* Copyright (C) 2017 Mellanox Technologies Inc */
+
+#ifndef _SEMANAGE_IBPKEY_RECORD_H_
+#define _SEMANAGE_IBPKEY_RECORD_H_
+
+#include 
+#include 
+#include 
+
+#ifndef _SEMANAGE_IBPKEY_DEFINED_
+struct semanage_ibpkey;
+struct semanage_ibpkey_key;
+typedef struct semanage_ibpkey semanage_ibpkey_t;
+typedef struct semanage_ibpkey_key semanage_ibpkey_key_t;
+#define _SEMANAGE_IBPKEY_DEFINED_
+#endif
+
+extern int semanage_ibpkey_compare(const semanage_ibpkey_t *ibpkey,
+  const semanage_ibpkey_key_t *key);
+
+extern int semanage_ibpkey_compare2(const semanage_ibpkey_t *ibpkey,
+   const semanage_ibpkey_t *ibpkey2);
+
+extern int semanage_ibpkey_key_create(semanage_handle_t *handle,
+ const char *subnet_prefix,
+ int low, int high,
+ semanage_ibpkey_key_t **key_ptr);
+
+extern int semanage_ibpkey_key_extract(semanage_handle_t *handle,
+  const semanage_ibpkey_t *ibpkey,
+  semanage_ibpkey_key_t **key_ptr);
+
+extern void semanage_ibpkey_key_free(semanage_ibpkey_key_t *key);
+
+extern int semanage_ibpkey_get_subnet_prefix(semanage_handle_t *handle,
+const semanage_ibpkey_t *ibpkey,
+char **subnet_prefix_ptr);
+
+extern int semanage_ibpkey_get_subnet_prefix_bytes(semanage_handle_t *handle,
+  const semanage_ibpkey_t 
*ibpkey,
+  char **subnet_prefix,
+  size_t *subnet_prefix_sz);
+
+extern int semanage_ibpkey_set_subnet_prefix(semanage_handle_t *handle,
+semanage_ibpkey_t *ibpkey,
+