On Mon, Jul 30, 2012 at 09:34:43AM +0200, Jan Zelený wrote:
> These three patches provide changes that reduce the amount of data retrieved
> from IPA server in case this data is previously retrieved by HBAC access
> provider.
>
> #168: modify hbac_get_cached_rules() so it can be used out of the HBAC code
> #169: use cache for HBAC rules
> #170: use cache for host record
Nack, the patches break HBAC-linked SELinux mappings completely. hbac_get_cached_rules() doesn't return originalDN, yet ipa_get_selinux_hbac_process depends on them. Code style issues are inline. > +errno_t hbac_get_cached_rules(TALLOC_CTX *mem_ctx, > + struct sysdb_ctx *sysdb, > + size_t *_rule_count, > + struct sysdb_attrs ***_rules) > { > errno_t ret; > - struct sysdb_ctx *sysdb = hbac_ctx_sysdb(hbac_ctx); > - size_t count; > struct ldb_message **msgs; > + struct sysdb_attrs **rules; > + size_t rule_count; > TALLOC_CTX *tmp_ctx; > char *filter; > const char *attrs[] = { OBJECTCLASS, > @@ -680,7 +680,7 @@ static errno_t hbac_get_cached_rules(TALLOC_CTX *mem_ctx, > IPA_HOST_CATEGORY, > NULL }; > > - tmp_ctx = talloc_new(hbac_ctx); > + tmp_ctx = talloc_new(mem_ctx); Please create temporary context on NULL.. > if (tmp_ctx == NULL) return ENOMEM; > > filter = talloc_asprintf(tmp_ctx, "(objectClass=%s)", IPA_HBAC_RULE); > @@ -691,20 +691,22 @@ static errno_t hbac_get_cached_rules(TALLOC_CTX > *mem_ctx, > > ret = sysdb_search_custom(mem_ctx, sysdb, filter, ..use the temporary context here ^^ instead of mem_ctx.. > HBAC_RULES_SUBDIR, attrs, > - &count, &msgs); > + &rule_count, &msgs); > if (ret != EOK && ret != ENOENT) { > DEBUG(1, ("Error looking up HBAC rules")); > goto done; > } if (ret == ENOENT) { > - count = 0; > + rule_count = 0; > } > > - ret = sysdb_msg2attrs(mem_ctx, count, msgs, &hbac_ctx->rules); > + ret = sysdb_msg2attrs(mem_ctx, rule_count, msgs, &rules); > if (ret != EOK) { > DEBUG(1, ("Could not convert ldb message to sysdb_attrs\n")); > goto done; > } > - hbac_ctx->rule_count = count; > + > + if (_rules) *_rules = rules; ..and then steal the result with talloc_steal() > + if (_rule_count) *_rule_count = rule_count; > > ret = EOK; > done:
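Review bot: the new signature in the first hunk carries no comment stating that _rule_count and _rules are optional or which talloc context owns the returned array. The function is no longer static (the later hunk headers still show the old `static errno_t` form), so callers outside the HBAC code have only the prototype to go on; document the ownership and the NULL-allowed out-parameters next to it.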
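Review bot: in the last hunk, `if (_rules) *_rules = rules;` leaves the array that sysdb_msg2attrs() allocated on mem_ctx hanging off the caller's context with no pointer to it whenever _rules is NULL. Convert into tmp_ctx and move the array to mem_ctx only inside the `if (_rules)` branch, so a caller that asks only for the count does not accumulate unreferenced rule data. The unchanged `DEBUG(1, ("Error looking up HBAC rules"));` in the same hunk is also missing the trailing \n that the other DEBUG message has.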