selinux: convert policy read-write lock to RCU
Convert the policy read-write lock to RCU. This is significantly simplified by the earlier work to encapsulate the policy data structures and refactor the policy load and boolean setting logic. Move the latest_granting sequence number into the selinux_policy structure so that it can be updated atomically with the policy. Since removing the policy rwlock and moving latest_granting reduces the selinux_ss structure to nothing more than a wrapper around the selinux_policy pointer, get rid of the extra layer of indirection. At present this change merely passes a hardcoded 1 to rcu_dereference_check() in the cases where we know we do not need to take rcu_read_lock(), with the preceding comment explaining why. Alternatively we could pass fsi->mutex down from selinuxfs and apply a lockdep check on it instead. Based in part on earlier attempts to convert the policy rwlock to RCU by Kaigai Kohei [1] and by Peter Enderborg [2]. [1] https://lore.kernel.org/selinux/6e2f9128-e191-ebb3-0e87-74bfccb0767f@tycho.nsa.gov/ [2] https://lore.kernel.org/selinux/20180530141104.28569-1-peter.enderborg@sony.com/ Signed-off-by: Stephen Smalley <stephen.smalley.work@gmail.com> Reviewed-by: Ondrej Mosnacek <omosnace@redhat.com> Signed-off-by: Paul Moore <paul@paul-moore.com>
This commit is contained in:
parent
c76a2f9ecd
commit
1b8b31a2e6
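--- a/security/selinux/hooks.c
+++ b/security/selinux/hooks.c
@@ -7235,7 +7235,6 @@ static __init int selinux_init(void)
 memset(&selinux_state, 0, sizeof(selinux_state));
 enforcing_set(&selinux_state, selinux_enforcing_boot);
 selinux_state.checkreqprot = selinux_checkreqprot_boot;
-selinux_ss_init(&selinux_state.ss);
 selinux_avc_init(&selinux_state.avc);
 mutex_init(&selinux_state.status_lock);
 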
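Review bot: With selinux_ss_init() dropped, the policy pointer in selinux_state is now initialized only implicitly by the memset() on the first line of the hunk, and nothing in selinux_init() says that the NULL value is deliberate and presumably what the RCU readers see until the first policy load. The avc still gets an explicit init call one line later, so the asymmetry invites a future "fix" that adds an allocation here. A one-line comment after the checkreqprot assignment, `/* selinux_state.policy stays NULL (zeroed above) until the first policy load */`, keeps the intent visible. selinux_init() starts and ends outside the hunk.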
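--- a/security/selinux/include/security.h
+++ b/security/selinux/include/security.h
@@ -13,6 +13,7 @@
 #include <linux/dcache.h>
 #include <linux/magic.h>
 #include <linux/types.h>
+#include <linux/rcupdate.h>
 #include <linux/refcount.h>
 #include <linux/workqueue.h>
 #include "flask.h"
@@ -84,7 +85,6 @@ extern int selinux_enabled_boot;
 #define POLICYDB_BOUNDS_MAXDEPTH 4
 
 struct selinux_avc;
-struct selinux_ss;
 struct selinux_policy;
 
 struct selinux_state {
@@ -102,10 +102,9 @@ struct selinux_state {
 struct mutex status_lock;
 
 struct selinux_avc *avc;
-struct selinux_ss *ss;
+struct selinux_policy __rcu *policy;
 } __randomize_layout;
 
-void selinux_ss_init(struct selinux_ss **ss);
 void selinux_avc_init(struct selinux_avc **avc);
 
 extern struct selinux_state selinux_state;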
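Review bot: The new `struct selinux_policy __rcu *policy;` member in the third hunk carries no statement of its locking contract, even though the commit description says some readers pass a hardcoded 1 to rcu_dereference_check() and therefore get no lockdep coverage at all; the header is the one place every caller will look for who may publish and who may read. I would annotate the field: `/* Current policy: published with rcu_assign_pointer(), read via rcu_dereference() under rcu_read_lock() (or a justified rcu_dereference_check()); never modified in place once visible */`. If the update side is serialized by fsi->mutex as the description suggests, name that lock in the comment too, since a second writer path without it would race on the pointer swap. The struct selinux_state definition starts outside the hunk.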
File diff suppressed because it is too large
@ -26,12 +26,7 @@ struct selinux_policy {
struct sidtab *sidtab;
struct sidtab *sidtab;
struct policydb policydb;
struct policydb policydb;
struct selinux_map map;
struct selinux_map map;
};
struct selinux_ss {
rwlock_t policy_rwlock;
u32 latest_granting;
u32 latest_granting;
struct selinux_policy *policy;
} __randomize_layout;
} __randomize_layout;
void services_compute_xperms_drivers(struct extended_perms *xperms,
void services_compute_xperms_drivers(struct extended_perms *xperms,
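Review bot: The merged struct selinux_policy now carries latest_granting next to sidtab, policydb and map, and because the pointer to it is RCU-published per the commit description, an instance must be immutable once visible and freed only after a grace period; nothing in the header states that invariant, and the struct's opening line sits in the hunk header, outside the hunk. A comment above the definition should say that a policy is built privately, published with rcu_assign_pointer(), not modified in place afterwards (presumably the refactored boolean-setting path builds a fresh copy rather than editing the live one; worth confirming), and released only after synchronize_rcu() or an equivalent, since that is what keeps readers from observing a mismatched sidtab/policydb pair or a freed policy. The retained `u32 latest_granting;` line also deserves a why-comment, `/* moved here so it is snapshotted together with the policy it describes */`, which is the reason the description gives for the move.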