From: Paul Moore <paul@paul-moore.com>
To: Stephen Smalley <stephen.smalley.work@gmail.com>
Cc: Ondrej Mosnacek <omosnace@redhat.com>,
SElinux list <selinux@vger.kernel.org>
Subject: Re: [PATCH v2 1/3] selinux: simplify away security_policydb_len()
Date: Thu, 27 Aug 2020 09:56:38 -0400 [thread overview]
Message-ID: <CAHC9VhTOTuscseVrLEj17y2ULG9rWjLrxT+PorakT8EGk4dhTA@mail.gmail.com> (raw)
In-Reply-To: <CAEjxPJ4LL022dtKyqs+YB-gKVuJqRNQu0dafjgzZLqStqn-zSA@mail.gmail.com>
On Wed, Aug 26, 2020 at 10:05 AM Stephen Smalley
<stephen.smalley.work@gmail.com> wrote:
>
> On Wed, Aug 26, 2020 at 9:59 AM Ondrej Mosnacek <omosnace@redhat.com> wrote:
> >
> > Remove the security_policydb_len() calls from sel_open_policy() and
> > instead update the inode size from the size returned from
> > security_read_policy().
> >
> > Since after this change security_policydb_len() is only called from
> > security_load_policy(), remove it entirely and just open-code it there.
> >
> > Also, since security_load_policy() is always called with fsi->mutex
> > held, make it dereference the policy pointer directly and drop the
> > unnecessary RCU locking.
> >
> > Signed-off-by: Ondrej Mosnacek <omosnace@redhat.com>
>
> One comment below but nonetheless:
> Acked-by: Stephen Smalley <stephen.smalley.work@gmail.com>
>
> > diff --git a/security/selinux/ss/services.c b/security/selinux/ss/services.c
> > index 8381614627569..7cc2f7486c18f 100644
> > --- a/security/selinux/ss/services.c
> > +++ b/security/selinux/ss/services.c
> > @@ -3912,11 +3896,17 @@ int security_read_policy(struct selinux_state *state,
> > int rc;
> > struct policy_file fp;
> >
> > - if (!selinux_initialized(state))
> > + /*
> > + * NOTE: We do not need to take the rcu read lock
> > + * around the code below because other policy-modifying
> > + * operations are already excluded by selinuxfs via
> > + * fsi->mutex.
> > + */
> > + policy = rcu_dereference_check(state->policy, 1);
> > + if (!policy)
> > return -EINVAL;
>
> If/when my patch to move the mutex to selinux_state and use it in
> rcu_dereference_protected() lands, we'll want to change this one over
> too.
FWIW, I felt the mutex move was more significant than this patchset so
I merged it first. Ondrej, would you mind rebasing this patch and
making the changes above?
Thanks.
--
paul moore
www.paul-moore.com
next prev parent reply other threads:[~2020-08-27 14:50 UTC|newest]
Thread overview: 13+ messages / expand[flat|nested] mbox.gz Atom feed top
2020-08-26 13:59 [PATCH v2 0/3] selinux: RCU conversion follow-ups Ondrej Mosnacek
2020-08-26 13:59 ` [PATCH v2 1/3] selinux: simplify away security_policydb_len() Ondrej Mosnacek
2020-08-26 14:05 ` Stephen Smalley
2020-08-27 13:56 ` Paul Moore [this message]
2020-08-27 13:57 ` Paul Moore
2020-08-26 13:59 ` [PATCH v2 2/3] selinux: eliminate the redundant policycap array Ondrej Mosnacek
2020-08-26 14:11 ` Stephen Smalley
2020-08-27 7:40 ` Ondrej Mosnacek
2020-08-26 13:59 ` [PATCH v2 3/3] selinux: remove the 'initialized' flag from selinux_state Ondrej Mosnacek
2020-08-26 14:15 ` Stephen Smalley
2020-08-27 14:05 ` Paul Moore
2020-08-27 14:16 ` Stephen Smalley
2020-08-27 14:23 ` Paul Moore
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=CAHC9VhTOTuscseVrLEj17y2ULG9rWjLrxT+PorakT8EGk4dhTA@mail.gmail.com \
--to=paul@paul-moore.com \
--cc=omosnace@redhat.com \
--cc=selinux@vger.kernel.org \
--cc=stephen.smalley.work@gmail.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.