sepgsql uavc comment improvements.

Robert Haas and KaiGai Kohei

sepgsql uavc comment improvements.
Robert Haas and KaiGai Kohei
a9d845be · Robert Haas · 624f155f · a9d845be
Commit a9d845be authored Sep 27, 2011 by Robert Haas
Show whitespace changes
Inline Side-by-side

Showing with 46 additions and 28 deletions

contrib/sepgsql/uavc.c contrib/sepgsql/uavc.c +46 -28

No files found.
--- a/contrib/sepgsql/uavc.c
+++ b/contrib/sepgsql/uavc.c
@@ -130,13 +130,29 @@ sepgsql_avc_reclaim(void)
 	}
 }
-/*
+/* -------------------------------------------------------------------------
+ *
 * sepgsql_avc_check_valid
 *
- * It checks whether the cached entries are still valid, or not.
+ * This function checks whether the cached entries are still valid.  If
- * If security policy has been reloaded since last reference of access
+ * the security policy has been reloaded (or any other events that requires
- * vector cache, we have to release all the entries, because they are
+ * resetting userspace caches has occurred) since the last reference to
- * not valid yet.
+ * the access vector cache, we must flush the cache.
+ *
+ * Access control decisions must be atomic, but multiple system calls may
+ * be required to make a decision; thus, when referencing the access vector
+ * cache, we must loop until we complete without an intervening cache flush
+ * event.  In practice, looping even once should be very rare.  Callers should
+ * do something like this:
+ *
+ *   sepgsql_avc_check_valid();
+ *   do {
+ *           :
+ *       <reference to uavc>
+ *           :
+ *   } while (!sepgsql_avc_check_valid())
+ *
+ * -------------------------------------------------------------------------
 */
 static bool
 sepgsql_avc_check_valid(void)
@@ -153,8 +169,8 @@ sepgsql_avc_check_valid(void)
 /*
 * sepgsql_avc_unlabeled
 *
- * It returns an alternative label to be applied when no label or invalid 
+ * Returns an alternative label to be applied when no label or an invalid 
- * label would be assigned on objects.
+ * label would otherwise be assigned.
 */
 static char *
 sepgsql_avc_unlabeled(void)
@@ -221,9 +237,15 @@ sepgsql_avc_compute(const char *scontext, const char *tcontext, uint16 tclass)
 		sepgsql_compute_avd(scontext, ucontext, tclass, &avd);
 	/*
-	 * To boost up trusted procedure checks on db_procedure object
+	 * It also caches a security label to be switched when a client
-	 * class, we also confirm the decision when user calls a procedure
+	 * labeled as 'scontext' executes a procedure labeled as 'tcontext',
-	 * labeled as 'tcontext'.
+	 * not only access control decision on the procedure.
+	 * The security label to be switched shall be computed uniquely on
+	 * a pair of 'scontext' and 'tcontext', thus, it is reasonable to
+	 * cache the new label on avc, and enables to reduce unnecessary
+	 * system calls.
+	 * It shall be referenced at sepgsql_needs_fmgr_hook to check whether
+	 * the supplied function is a trusted procedure, or not.
 	 */
 	if (tclass == SEPG_CLASS_DB_PROCEDURE)
 	{
@@ -278,9 +300,8 @@ sepgsql_avc_compute(const char *scontext, const char *tcontext, uint16 tclass)
 /*
 * sepgsql_avc_lookup
 *
- * It lookups a cache entry that matches with the supplied object
+ * Look up a cache entry that matches the supplied security contexts and
- * identifiers and object class. If not found, it tries to create
+ * object class.  If not found, create a new cache entry.
- * a new cache entry.
 */
 static avc_cache *
 sepgsql_avc_lookup(const char *scontext, const char *tcontext, uint16 tclass)
@@ -338,8 +359,8 @@ sepgsql_avc_check_perms_label(const char *tcontext,
 		result = true;
 		/*
-		 * If target object is unlabeled, we assume it has
+		 * If the target object is unlabeled, we perform the check using the
-		 * system 'unlabeled' security context instead.
+		 * label supplied by sepgsql_avc_unlabeled().
 		 */
 		if (tcontext)
 			cache = sepgsql_avc_lookup(scontext, tcontext, tclass);
@@ -362,10 +383,10 @@ sepgsql_avc_check_perms_label(const char *tcontext,
 		{
 			/*
 			 * In permissive mode or permissive domain, violated permissions
-			 * shall be audited on the log files at once, and implicitly
+			 * shall be audited to the log files at once, and then implicitly
-			 * allowed them to avoid flood of access denied logs, because
+			 * allowed to avoid a flood of access denied logs, because
-			 * the purpose of permissive mode/domain is to collect violation
+			 * the purpose of permissive mode/domain is to collect a violation
-			 * log to fix up security policy itself.
+			 * log that will make it possible to fix up the security policy.
 			 */
 			if (!sepgsql_getenforce() || cache->permissive)
 				cache->allowed |= required;
@@ -422,9 +443,9 @@ sepgsql_avc_check_perms(const ObjectAddress *tobject,
 /*
 * sepgsql_avc_trusted_proc
 *
- * It returns a security label to be switched on execution of the supplied
+ * If the supplied function OID is configured as a trusted procedure, this
- * procedure, if it was configured as a trusted procedure. Otherwise, NULL
+ * function will return a security label to be used during the execution of
- * shall be returned.
+ * that function.  Otherwise, it returns NULL.
 */
 char *
 sepgsql_avc_trusted_proc(Oid functionId)
@@ -455,7 +476,7 @@ sepgsql_avc_trusted_proc(Oid functionId)
 /*
 * sepgsql_avc_exit
 *
- * It clean up userspace avc stuff on process exit
+ * Clean up userspace AVC on process exit.
 */
 static void
 sepgsql_avc_exit(int code, Datum arg)
@@ -466,8 +487,7 @@ sepgsql_avc_exit(int code, Datum arg)
 /*
 * sepgsql_avc_init
 *
- * It shall be invoked at once from _PG_init routine to initialize
+ * Initialize the userspace AVC.  This should be called from _PG_init.
- * userspace access vector cache stuff.
 */
 void
 sepgsql_avc_init(void)
@@ -504,8 +524,6 @@ sepgsql_avc_init(void)
 		ereport(LOG,
 				(errmsg("SELinux: kernel status page uses fallback mode")));
-	/*
+	/* Arrange to close selinux status page on process exit. */
-	 * To close selinux status page on process exit
-	 */
 	on_proc_exit(sepgsql_avc_exit, 0);
 }