Merge tag 'selinux-pr-20200803' of git://git.kernel.org/pub/scm/linux/kernel/git...

Pull selinux updates from Paul Moore:
 "Beyond the usual smattering of bug fixes, we've got three small
  improvements worth highlighting:

   - improved SELinux policy symbol table performance due to a reworking
     of the insert and search functions

   - allow reading of SELinux labels before the policy is loaded,
     allowing for some more "exotic" initramfs approaches

   - improved checking an error reporting about process
     class/permissions during SELinux policy load"

* tag 'selinux-pr-20200803' of git://git.kernel.org/pub/scm/linux/kernel/git/pcmoore/selinux:
  selinux: complete the inlining of hashtab functions
  selinux: prepare for inlining of hashtab functions
  selinux: specialize symtab insert and search functions
  selinux: Fix spelling mistakes in the comments
  selinux: fixed a checkpatch warning with the sizeof macro
  selinux: log error messages on required process class / permissions
  scripts/selinux/mdp: fix initial SID handling
  selinux: allow reading labels before policy is loaded

diff --combined security/selinux/ss/conditional.c
index 0cc7cdd584651ac00b3bfd38e779acc36ffc63cc,e68dd2e4cac1d17516bf875603d3c2b462f6b696..5a47258c1d77c30005f0f302634de161711109ce
--- 1/security/selinux/ss/conditional.c
--- 2/security/selinux/ss/conditional.c
+++ b/security/selinux/ss/conditional.c
@@@ -27,9 -27,6 +27,9 @@@ static int cond_evaluate_expr(struct po
        int s[COND_EXPR_MAXDEPTH];
        int sp = -1;
  
 +      if (expr->len == 0)
 +              return -1;
 +
        for (i = 0; i < expr->len; i++) {
                struct cond_expr_node *node = &expr->nodes[i];
  
@@@ -203,7 -200,7 +203,7 @@@ static int bool_isvalid(struct cond_boo
        return 1;
  }
  
- int cond_read_bool(struct policydb *p, struct hashtab *h, void *fp)
+ int cond_read_bool(struct policydb *p, struct symtab *s, void *fp)
  {
        char *key = NULL;
        struct cond_bool_datum *booldatum;
@@@ -215,7 -212,7 +215,7 @@@
        if (!booldatum)
                return -ENOMEM;
  
-       rc = next_entry(buf, fp, sizeof buf);
+       rc = next_entry(buf, fp, sizeof(buf));
        if (rc)
                goto err;
  
@@@ -238,7 -235,7 +238,7 @@@
        if (rc)
                goto err;
        key[len] = '\0';
-       rc = hashtab_insert(h, key, booldatum);
+       rc = symtab_insert(s, key, booldatum);
        if (rc)
                goto err;
  
@@@ -395,19 -392,27 +395,19 @@@ static int cond_read_node(struct policy
  
                rc = next_entry(buf, fp, sizeof(u32) * 2);
                if (rc)
 -                      goto err;
 +                      return rc;
  
                expr->expr_type = le32_to_cpu(buf[0]);
                expr->bool = le32_to_cpu(buf[1]);
  
 -              if (!expr_node_isvalid(p, expr)) {
 -                      rc = -EINVAL;
 -                      goto err;
 -              }
 +              if (!expr_node_isvalid(p, expr))
 +                      return -EINVAL;
        }
  
        rc = cond_read_av_list(p, fp, &node->true_list, NULL);
        if (rc)
 -              goto err;
 -      rc = cond_read_av_list(p, fp, &node->false_list, &node->true_list);
 -      if (rc)
 -              goto err;
 -      return 0;
 -err:
 -      cond_node_destroy(node);
 -      return rc;
 +              return rc;
 +      return cond_read_av_list(p, fp, &node->false_list, &node->true_list);
  }
  
  int cond_read_list(struct policydb *p, void *fp)
@@@ -416,7 -421,7 +416,7 @@@
        u32 i, len;
        int rc;
  
-       rc = next_entry(buf, fp, sizeof buf);
+       rc = next_entry(buf, fp, sizeof(buf));
        if (rc)
                return rc;
  

diff --combined security/selinux/ss/services.c
index ef0afd878bfca0f88fe91955ce48a59177a12597,9e76a80db6e1f05fdcb33b370fc00e4145ba6dc8..1caf4e6033096772110497acb0b5ceaae1b857d2
--- 1/security/selinux/ss/services.c
--- 2/security/selinux/ss/services.c
+++ b/security/selinux/ss/services.c
@@@ -1441,7 -1441,7 +1441,7 @@@ static int string_to_context_struct(str
  
        *p++ = 0;
  
-       usrdatum = hashtab_search(&pol->p_users.table, scontextp);
+       usrdatum = symtab_search(&pol->p_users, scontextp);
        if (!usrdatum)
                goto out;
  
@@@ -1457,7 -1457,7 +1457,7 @@@
  
        *p++ = 0;
  
-       role = hashtab_search(&pol->p_roles.table, scontextp);
+       role = symtab_search(&pol->p_roles, scontextp);
        if (!role)
                goto out;
        ctx->role = role->value;
@@@ -1469,7 -1469,7 +1469,7 @@@
        oldc = *p;
        *p++ = 0;
  
-       typdatum = hashtab_search(&pol->p_types.table, scontextp);
+       typdatum = symtab_search(&pol->p_types, scontextp);
        if (!typdatum || typdatum->attribute)
                goto out;
  
@@@ -1671,7 -1671,7 +1671,7 @@@ static void filename_compute_type(struc
        ft.tclass = tclass;
        ft.name = objname;
  
-       datum = hashtab_search(&policydb->filename_trans, &ft);
+       datum = policydb_filenametr_search(policydb, &ft);
        while (datum) {
                if (ebitmap_get_bit(&datum->stypes, stype - 1)) {
                        newcontext->type = datum->otype;
@@@ -1834,7 -1834,7 +1834,7 @@@ static int security_compute_sid(struct 
                        .tclass = tclass,
                };
  
-               rtd = hashtab_search(&policydb->role_tr, &rtk);
+               rtd = policydb_roletr_search(policydb, &rtk);
                if (rtd)
                        newcontext.role = rtd->new_role;
        }
@@@ -2024,26 -2024,26 +2024,26 @@@ static int convert_context(struct conte
  
        /* Convert the user. */
        rc = -EINVAL;
-       usrdatum = hashtab_search(&args->newp->p_users.table,
-                                 sym_name(args->oldp,
-                                          SYM_USERS, oldc->user - 1));
+       usrdatum = symtab_search(&args->newp->p_users,
+                                sym_name(args->oldp,
+                                         SYM_USERS, oldc->user - 1));
        if (!usrdatum)
                goto bad;
        newc->user = usrdatum->value;
  
        /* Convert the role. */
        rc = -EINVAL;
-       role = hashtab_search(&args->newp->p_roles.table,
-                             sym_name(args->oldp, SYM_ROLES, oldc->role - 1));
+       role = symtab_search(&args->newp->p_roles,
+                            sym_name(args->oldp, SYM_ROLES, oldc->role - 1));
        if (!role)
                goto bad;
        newc->role = role->value;
  
        /* Convert the type. */
        rc = -EINVAL;
-       typdatum = hashtab_search(&args->newp->p_types.table,
-                                 sym_name(args->oldp,
-                                          SYM_TYPES, oldc->type - 1));
+       typdatum = symtab_search(&args->newp->p_types,
+                                sym_name(args->oldp,
+                                         SYM_TYPES, oldc->type - 1));
        if (!typdatum)
                goto bad;
        newc->type = typdatum->value;
@@@ -2623,7 -2623,7 +2623,7 @@@ int security_get_user_sids(struct selin
                goto out_unlock;
  
        rc = -EINVAL;
-       user = hashtab_search(&policydb->p_users.table, username);
+       user = symtab_search(&policydb->p_users, username);
        if (!user)
                goto out_unlock;
  
@@@ -2888,12 -2888,8 +2888,12 @@@ err
        if (*names) {
                for (i = 0; i < *len; i++)
                        kfree((*names)[i]);
 +              kfree(*names);
        }
        kfree(*values);
 +      *len = 0;
 +      *names = NULL;
 +      *values = NULL;
        goto out;
  }
  
@@@ -2979,7 -2975,7 +2979,7 @@@ static int security_preserve_bools(stru
        if (rc)
                goto out;
        for (i = 0; i < nbools; i++) {
-               booldatum = hashtab_search(&policydb->p_bools.table, bnames[i]);
+               booldatum = symtab_search(&policydb->p_bools, bnames[i]);
                if (booldatum)
                        booldatum->state = bvalues[i];
        }
@@@ -3230,7 -3226,7 +3230,7 @@@ int security_get_permissions(struct sel
        read_lock(&state->ss->policy_rwlock);
  
        rc = -EINVAL;
-       match = hashtab_search(&policydb->p_classes.table, class);
+       match = symtab_search(&policydb->p_classes, class);
        if (!match) {
                pr_err("SELinux: %s:  unrecognized class %s\n",
                        __func__, class);
@@@ -3369,7 -3365,7 +3369,7 @@@ int selinux_audit_rule_init(u32 field, 
        case AUDIT_SUBJ_USER:
        case AUDIT_OBJ_USER:
                rc = -EINVAL;
-               userdatum = hashtab_search(&policydb->p_users.table, rulestr);
+               userdatum = symtab_search(&policydb->p_users, rulestr);
                if (!userdatum)
                        goto out;
                tmprule->au_ctxt.user = userdatum->value;
@@@ -3377,7 -3373,7 +3377,7 @@@
        case AUDIT_SUBJ_ROLE:
        case AUDIT_OBJ_ROLE:
                rc = -EINVAL;
-               roledatum = hashtab_search(&policydb->p_roles.table, rulestr);
+               roledatum = symtab_search(&policydb->p_roles, rulestr);
                if (!roledatum)
                        goto out;
                tmprule->au_ctxt.role = roledatum->value;
@@@ -3385,7 -3381,7 +3385,7 @@@
        case AUDIT_SUBJ_TYPE:
        case AUDIT_OBJ_TYPE:
                rc = -EINVAL;
-               typedatum = hashtab_search(&policydb->p_types.table, rulestr);
+               typedatum = symtab_search(&policydb->p_types, rulestr);
                if (!typedatum)
                        goto out;
                tmprule->au_ctxt.type = typedatum->value;