[SELinux commit] SELinux userland upstream repository branch, master, updated. 20080909-250-g705071c

ewalsh at oss.tresys.com
Thu Dec 2 17:46:20 CST 2010


This is an automated email from the git hooks/post-receive script. It was
generated because a ref change was pushed to the repository containing
the project "SELinux userland upstream repository".

The branch, master has been updated
       via  705071c6b178dd5df710c69cc21d24b662eebe42 (commit)
       via  569ce5498553b87dc7af343b2efb4da8d3ecdb4f (commit)
       via  a00fd94a46e92a233f4e613660e9962918f28207 (commit)
       via  a29ff33baf366825c0fbe721d30b12b5b96a64e1 (commit)
      from  7bb6003219e5a3a26a5427dd81019b517a18804f (commit)

Those revisions listed above that are new to this repository have
not appeared on any other notification email; so we list those
revisions in full, below.

- Log -----------------------------------------------------------------
commit 705071c6b178dd5df710c69cc21d24b662eebe42
Author: Eamon Walsh <ewalsh at tycho.nsa.gov>
Date:   Thu Dec 2 20:08:22 2010 -0500

    bump libselinux to 2.0.97
    
    Signed-off-by: Eamon Walsh <ewalsh at tycho.nsa.gov>

commit 569ce5498553b87dc7af343b2efb4da8d3ecdb4f
Author: Eamon Walsh <ewalsh at tycho.nsa.gov>
Date:   Thu Dec 2 19:30:06 2010 -0500

    matchpathcon: Close selabel handle in thread destructor.
    
    This is necessary because the handle is thread-local.
    
    Signed-off-by: Eamon Walsh <ewalsh at tycho.nsa.gov>

commit a00fd94a46e92a233f4e613660e9962918f28207
Author: Eamon Walsh <ewalsh at tycho.nsa.gov>
Date:   Thu Dec 2 19:21:10 2010 -0500

    selabel: Store substitution data in the handle instead of globally.
    
    This is for thread safety.
    
    Signed-off-by: Eamon Walsh <ewalsh at tycho.nsa.gov>

commit a29ff33baf366825c0fbe721d30b12b5b96a64e1
Author: Eamon Walsh <ewalsh at tycho.nsa.gov>
Date:   Thu Dec 2 14:08:59 2010 -0500

    Implement destructors for thread-local heap data.
    
    Description of problem:
    Use of __thread variables is great for creating a thread-safe variable, but
    only insofar as the contents of that variable can safely be abandoned on
    pthread_exit().  The moment you store malloc()d data into a __thread void*
    variable, you have leaked memory when the thread exits, since there is no way
    to associate a destructor with __thread variables.
    
    The _only_ safe way to use thread-local caching of malloc()d data is to use
    pthread_key_create, and associate a destructor that will call free() on the
    resulting data when the thread exits.
    
    libselinux is guilty of abusing __thread variables to store malloc()d data as a
    form of a cache, to minimize computation by reusing earlier results from the
    same thread.  As a result of this memory leak, repeated starting and stopping
    of domains via libvirt can result in the OOM killer triggering, since libvirt
    fires up a thread per domain, and each thread uses selinux calls such as
    fgetfilecon.
    
    Version-Release number of selected component (if applicable):
    libselinux-2.0.94-2.el6.x86_64
    libvirt-0.8.1-27.el6.x86_64
    
    How reproducible:
    100%
    
    Steps to Reproduce:
    0. These steps are run as root, assuming hardware kvm support and existence of
    a VM named fedora (adjust the steps below as appropriate); if desired, I can
    reduce this to a simpler test case that does not rely on libvirt, by using a
    single .c file that links against libselinux and repeatedly spawns threads.
    1. service libvirtd stop
    2. valgrind --quiet --leak-check=full /usr/sbin/libvirtd& pid=$!
    3. virsh start fedora
    4. kill $pid
    
    Actual results:
    The biggest leak reported is due to libselinux' abuse of __thread:
    
    ==26696== 829,730 (40 direct, 829,690 indirect) bytes in 1 blocks are
    definitely lost in loss record 500 of 500
    ==26696==    at 0x4A0515D: malloc (vg_replace_malloc.c:195)
    ==26696==    by 0x3022E0D48C: selabel_open (label.c:165)
    ==26696==    by 0x3022E11646: matchpathcon_init_prefix (matchpathcon.c:296)
    ==26696==    by 0x3022E1190D: matchpathcon (matchpathcon.c:317)
    ==26696==    by 0x3033ED7FB5: SELinuxRestoreSecurityFileLabel (security_selinux.c:381)
    ==26696==    by 0x3033ED8539: SELinuxRestoreSecurityAllLabel (security_selinux.c:749)
    ==26696==    by 0x459153: qemuSecurityStackedRestoreSecurityAllLabel (qemu_security_stacked.c:257)
    ==26696==    by 0x43F0C5: qemudShutdownVMDaemon (qemu_driver.c:4311)
    ==26696==    by 0x4555C9: qemudStartVMDaemon (qemu_driver.c:4234)
    ==26696==    by 0x458416: qemudDomainObjStart (qemu_driver.c:7268)
    ==26696==    by 0x45896F: qemudDomainStart (qemu_driver.c:7308)
    ==26696==    by 0x3033E75412: virDomainCreate (libvirt.c:4881)
    ==26696==
    
    Basically, libvirt created a thread that used matchpathcon during 'virsh start
    fedora', and matchpathcon stuffed over 800k of malloc'd data into:
    
    static __thread char **con_array;
    
    which are then inaccessible when libvirt exits the thread as part of shutting
    down on SIGTERM.
    
    Expected results:
    valgrind should not report any memory leaks related to libselinux.
    
    Signed-off-by: Eamon Walsh <ewalsh at tycho.nsa.gov>
    Reported-by: Eric Blake <eblake at redhat.com>
    Tested-by: Eric Blake <eblake at redhat.com>

-----------------------------------------------------------------------

Summary of changes:
 libselinux/ChangeLog              |    3 ++
 libselinux/VERSION                |    2 +-
 libselinux/src/label.c            |   45 ++++++++++++++----------------------
 libselinux/src/label_internal.h   |   10 ++++++++
 libselinux/src/matchpathcon.c     |   18 ++++++++++++++
 libselinux/src/selinux_internal.h |   13 ++++++++++
 libselinux/src/setrans_client.c   |   26 +++++++++++++++++++++
 7 files changed, 89 insertions(+), 28 deletions(-)


hooks/post-receive
--
SELinux userland upstream repository
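
The pattern the last commit message above calls for (thread-local caching of malloc()d data through pthread_key_create with a destructor that calls free()), as an added example. It is not the libselinux patch or any code from the project, and every name in it (cache_key, cache_get, run_threads and so on) is hypothetical.

```c
#include <pthread.h>
#include <stdatomic.h>
#include <stdlib.h>
#include <string.h>

/* All names here are hypothetical; this is not libselinux code. */
static pthread_key_t cache_key;
static pthread_once_t cache_once = PTHREAD_ONCE_INIT;
static atomic_int destroyed;   /* destructor calls, counted for the demo */

/* pthreads calls this at thread exit with the thread's non-NULL value. */
static void cache_destroy(void *p) { free(p); atomic_fetch_add(&destroyed, 1); }
static void cache_key_init(void) {
    if (pthread_key_create(&cache_key, cache_destroy) != 0) abort();
}

/* Return the calling thread's cache buffer, allocating it on first use. */
static char *cache_get(size_t size) {
    pthread_once(&cache_once, cache_key_init);
    char *buf = pthread_getspecific(cache_key);
    if (buf == NULL && (buf = calloc(1, size)) != NULL &&
        pthread_setspecific(cache_key, buf) != 0) {
        free(buf);             /* could not register it: do not leak it */
        buf = NULL;
    }
    return buf;
}

/* Thread body: fill the cache, then check a second lookup reuses it. */
static void *worker(void *arg) {
    char *buf = cache_get(4096);
    (void)arg;
    if (buf == NULL) return NULL;
    strcpy(buf, "constructed cached result");
    return cache_get(4096) == buf ? (void *)1 : NULL;
}

/* Start and join n short-lived threads; return destructor calls seen. */
int run_threads(int n) {
    int before = atomic_load(&destroyed);
    for (int i = 0; i < n; i++) {
        pthread_t t;
        void *reused = NULL;
        if (pthread_create(&t, NULL, worker, NULL) != 0 ||
            pthread_join(t, &reused) != 0 || reused == NULL)
            return -1;
    }
    return atomic_load(&destroyed) - before;
}
int main(void) { return run_threads(100) == 100 ? 0 : 1; }
```

Built with `cc -pthread` and run under valgrind --leak-check=full, each thread's buffer is released by the destructor at thread exit, whereas the same buffer held only in a `static __thread char *` would be reported as definitely lost once per thread.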

