From: Stephen Smalley <sds@tycho.nsa.gov>
To: peter enderborg <peter.enderborg@sony.com>,
selinux@tycho.nsa.gov, linux-security-module@vger.kernel.org
Subject: Re: [PATCH v2 4/5] selinux: Use pointer to switch policydb and sidtab
Date: Thu, 08 Feb 2018 10:10:41 -0500 [thread overview]
Message-ID: <1518102641.21656.52.camel@tycho.nsa.gov> (raw)
In-Reply-To: <44f6385f-b2a5-2dbe-7034-851e5d06e42d@sony.com>
On Thu, 2018-02-08 at 08:16 +0100, peter enderborg wrote:
> On 01/30/2018 03:37 PM, Stephen Smalley wrote:
> > On Fri, 2018-01-26 at 15:32 +0100, peter.enderborg@sony.com wrote:
> > goto err;
> >
> > - rc = security_preserve_bools(newpolicydb);
> > + rc = security_preserve_bools(&next_rcu->policydb);
> > if (rc) {
> > printk(KERN_ERR "SELinux: unable to preserve
> > booleans\n");
> > goto err;
> > Most of this shouldn't need to be under the read lock.
> >
> > > @@ -2189,7 +2194,7 @@ int security_load_policy(void *data, size_t
> > > len)
> > > * in the new SID table.
> > > */
> > > args.oldp = &crm->policydb;
> > > - args.newp = newpolicydb;
> > > + args.newp = &next_rcu->policydb;
> > > rc = sidtab_map(&newsidtab, convert_context, &args);
> > > if (rc) {
> > > printk(KERN_ERR "SELinux: unable to convert the
> > > internal"
> > > @@ -2204,8 +2209,9 @@ int security_load_policy(void *data, size_t
> > > len)
> > >
> > > /* Install the new policydb and SID table. */
> > > /* next */
> > > + security_load_policycaps(&next_rcu->policydb);
> >
> > This cannot be done outside of the write lock; it has to be atomic
> > with
> > the policy switch.
>
> Can you please elaborate, does some else write the policydb without a
> lock?
> Is there any other data that is shared? I see this as a private until
> we switch the pointer.
security_load_policycaps() updates the selinux_policycap_* variables
from the policydb. Those variables are used by the hooks to
enable/disable policy-specific functionality, like whether to check
open permission or assign finer-grained security classes to sockets.
We need to atomically update those variables with the active policy;
otherwise, a hook may perform a permission check that wasn't supposed
to be enabled under the old policy against the old policy (yielding an
unexpected denial). Everything done under the write lock currently is
there for a reason.
> > > + read_unlock(&policy_rwlock);
> > > write_lock_irq(&policy_rwlock);
> > > - memcpy(&next_rcu->policydb, newpolicydb, sizeof(struct
> > > policydb));
> > > sidtab_set(&next_rcu->sidtab, &newsidtab);
> > > security_load_policycaps(&next_rcu->policydb);
> > > oldmap = crm->current_mapping;
> > > @@ -2213,8 +2219,9 @@ int security_load_policy(void *data, size_t
> > > len)
> > > next_rcu->current_mapping_size = map_size;
> > >
> > > seqno = ++latest_granting;
> > > - write_unlock_irq(&policy_rwlock);
> > > + old_rcu = crm;
> > > crm = next_rcu;
> > > + write_unlock_irq(&policy_rwlock);
> > >
> > > /* Free the old policydb and SID table. */
> > > policydb_destroy(oldpolicydb);
> > > @@ -2226,17 +2233,16 @@ int security_load_policy(void *data,
> > > size_t
> > > len)
> > > selinux_status_update_policyload(seqno);
> > > selinux_netlbl_cache_invalidate();
> > > selinux_xfrm_notify_policyload();
> > > + kfree(oldpolicydb);
> > > + kfree(old_rcu);
> > >
> > > rc = 0;
> > > goto out;
> > > -
> > > err:
> > > kfree(map);
> > > sidtab_destroy(&newsidtab);
> > > - policydb_destroy(newpolicydb);
> > > -
> > > +
>
>
WARNING: multiple messages have this Message-ID (diff)
From: sds@tycho.nsa.gov (Stephen Smalley)
To: linux-security-module@vger.kernel.org
Subject: [PATCH v2 4/5] selinux: Use pointer to switch policydb and sidtab
Date: Thu, 08 Feb 2018 10:10:41 -0500 [thread overview]
Message-ID: <1518102641.21656.52.camel@tycho.nsa.gov> (raw)
In-Reply-To: <44f6385f-b2a5-2dbe-7034-851e5d06e42d@sony.com>
On Thu, 2018-02-08 at 08:16 +0100, peter enderborg wrote:
> On 01/30/2018 03:37 PM, Stephen Smalley wrote:
> > On Fri, 2018-01-26 at 15:32 +0100, peter.enderborg at sony.com wrote:
> > goto err;
> >
> > - rc = security_preserve_bools(newpolicydb);
> > + rc = security_preserve_bools(&next_rcu->policydb);
> > if (rc) {
> > printk(KERN_ERR "SELinux: unable to preserve
> > booleans\n");
> > goto err;
> > Most of this shouldn't need to be under the read lock.
> >
> > > @@ -2189,7 +2194,7 @@ int security_load_policy(void *data, size_t
> > > len)
> > > * in the new SID table.
> > > */
> > > args.oldp = &crm->policydb;
> > > - args.newp = newpolicydb;
> > > + args.newp = &next_rcu->policydb;
> > > rc = sidtab_map(&newsidtab, convert_context, &args);
> > > if (rc) {
> > > printk(KERN_ERR "SELinux: unable to convert the
> > > internal"
> > > @@ -2204,8 +2209,9 @@ int security_load_policy(void *data, size_t
> > > len)
> > >
> > > /* Install the new policydb and SID table. */
> > > /* next */
> > > + security_load_policycaps(&next_rcu->policydb);
> >
> > This cannot be done outside of the write lock; it has to be atomic
> > with
> > the policy switch.
>
> Can you please elaborate, does some else write the policydb without a
> lock?
> Is there any other data that is shared? I see this as a private until
> we switch the pointer.
security_load_policycaps() updates the selinux_policycap_* variables
from the policydb. Those variables are used by the hooks to
enable/disable policy-specific functionality, like whether to check
open permission or assign finer-grained security classes to sockets.
We need to atomically update those variables with the active policy;
otherwise, a hook may perform a permission check that wasn't supposed
to be enabled under the old policy against the old policy (yielding an
unexpected denial). Everything done under the write lock currently is
there for a reason.
> > > + read_unlock(&policy_rwlock);
> > > write_lock_irq(&policy_rwlock);
> > > - memcpy(&next_rcu->policydb, newpolicydb, sizeof(struct
> > > policydb));
> > > sidtab_set(&next_rcu->sidtab, &newsidtab);
> > > security_load_policycaps(&next_rcu->policydb);
> > > oldmap = crm->current_mapping;
> > > @@ -2213,8 +2219,9 @@ int security_load_policy(void *data, size_t
> > > len)
> > > next_rcu->current_mapping_size = map_size;
> > >
> > > seqno = ++latest_granting;
> > > - write_unlock_irq(&policy_rwlock);
> > > + old_rcu = crm;
> > > crm = next_rcu;
> > > + write_unlock_irq(&policy_rwlock);
> > >
> > > /* Free the old policydb and SID table. */
> > > policydb_destroy(oldpolicydb);
> > > @@ -2226,17 +2233,16 @@ int security_load_policy(void *data,
> > > size_t
> > > len)
> > > selinux_status_update_policyload(seqno);
> > > selinux_netlbl_cache_invalidate();
> > > selinux_xfrm_notify_policyload();
> > > + kfree(oldpolicydb);
> > > + kfree(old_rcu);
> > >
> > > rc = 0;
> > > goto out;
> > > -
> > > err:
> > > kfree(map);
> > > sidtab_destroy(&newsidtab);
> > > - policydb_destroy(newpolicydb);
> > > -
> > > +
>
>
--
To unsubscribe from this list: send the line "unsubscribe linux-security-module" in
the body of a message to majordomo at vger.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
next prev parent reply other threads:[~2018-02-08 15:10 UTC|newest]
Thread overview: 38+ messages / expand[flat|nested] mbox.gz Atom feed top
2018-01-26 14:32 [PATCH v2 0/5] selinux:Significant reduce of preempt_disable holds peter.enderborg
2018-01-26 14:32 ` peter.enderborg
2018-01-26 14:32 ` peter.enderborg at sony.com
2018-01-26 14:32 ` [PATCH v2 1/5] selinux:Remove direct references to policydb peter.enderborg
2018-01-26 14:32 ` peter.enderborg
2018-01-26 14:32 ` peter.enderborg at sony.com
2018-01-30 13:46 ` Stephen Smalley
2018-01-30 13:46 ` Stephen Smalley
2018-02-01 15:17 ` peter enderborg
2018-02-01 15:17 ` peter enderborg
2018-02-01 15:28 ` Stephen Smalley
2018-02-01 15:28 ` Stephen Smalley
2018-02-01 15:55 ` Paul Moore
2018-02-01 15:55 ` Paul Moore
2018-04-03 11:41 ` peter enderborg
2018-04-03 11:41 ` peter enderborg
2018-04-03 11:56 ` Paul Moore
2018-04-03 11:56 ` Paul Moore
2018-01-26 14:32 ` [PATCH v2 2/5] selinux: Move policydb to pointer structure peter.enderborg
2018-01-26 14:32 ` peter.enderborg
2018-01-26 14:32 ` peter.enderborg at sony.com
2018-01-26 14:32 ` [PATCH v2 3/5] selinux: Move sidtab " peter.enderborg
2018-01-26 14:32 ` peter.enderborg
2018-01-26 14:32 ` peter.enderborg at sony.com
2018-01-26 14:32 ` [PATCH v2 4/5] selinux: Use pointer to switch policydb and sidtab peter.enderborg
2018-01-26 14:32 ` peter.enderborg
2018-01-26 14:32 ` peter.enderborg at sony.com
2018-01-30 14:37 ` Stephen Smalley
2018-01-30 14:37 ` Stephen Smalley
2018-02-08 7:16 ` peter enderborg
2018-02-08 7:16 ` peter enderborg
2018-02-08 15:10 ` Stephen Smalley [this message]
2018-02-08 15:10 ` Stephen Smalley
2018-01-26 14:32 ` [PATCH v2 5/5] selinux: Switch locking to RCU peter.enderborg
2018-01-26 14:32 ` peter.enderborg
2018-01-26 14:32 ` peter.enderborg at sony.com
2018-01-30 13:37 ` [PATCH v2 0/5] selinux:Significant reduce of preempt_disable holds Stephen Smalley
2018-01-30 13:37 ` Stephen Smalley
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=1518102641.21656.52.camel@tycho.nsa.gov \
--to=sds@tycho.nsa.gov \
--cc=linux-security-module@vger.kernel.org \
--cc=peter.enderborg@sony.com \
--cc=selinux@tycho.nsa.gov \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.