From: Stephen Smalley <sds@tycho.nsa.gov>
To: Will Deacon <will@kernel.org>, selinux@vger.kernel.org
Cc: linux-kernel@vger.kernel.org
Subject: Re: [RFC PATCH 1/2] selinux: Don't call avc_compute_av() from RCU path walk
Date: Tue, 19 Nov 2019 13:59:40 -0500
Message-ID: <5e51f9a5-ba76-a42d-fc2b-9255f8544859@tycho.nsa.gov>
In-Reply-To: <20191119184057.14961-2-will@kernel.org>

On 11/19/19 1:40 PM, Will Deacon wrote:
> 'avc_compute_av()' can block, so we carefully exit the RCU read-side
> critical section before calling it in 'avc_has_perm_noaudit()'.
> Unfortunately, if we're calling from the VFS layer on the RCU path walk
> via 'selinux_inode_permission()' then we're still actually in an RCU
> read-side critical section and must not block.

avc_compute_av() should never block AFAIK. The blocking concern was with
slow_avc_audit(), and even that appears dubious to me. That seems to be
more about misuse of d_find_alias in dump_common_audit_data() than anything.

>
> 'avc_denied()' already handles this by simply returning success and
> postponing the auditing until we're called again on the slowpath, so
> follow the same approach here and return early if the node lookup fails
> on the RCU walk path.
>
> Signed-off-by: Will Deacon <will@kernel.org>
> --- > security/selinux/avc.c | 9 ++++++--- > 1 file changed, 6 insertions(+), 3 deletions(-) > > diff --git a/security/selinux/avc.c b/security/selinux/avc.c > index ecd3829996aa..9c183c899e92 100644 > --- a/security/selinux/avc.c > +++ b/security/selinux/avc.c
> @@ -1159,16 +1159,19 @@ inline int avc_has_perm_noaudit(struct selinux_state *state, > rcu_read_lock(); > > node = avc_lookup(state->avc, ssid, tsid, tclass); > - if (unlikely(!node)) > + if (unlikely(!node)) { > + if (flags & AVC_NONBLOCKING) > + goto out; > node = avc_compute_av(state, ssid, tsid, tclass, avd, &xp_node); > - else > + } else { > memcpy(avd, &node->ae.avd, sizeof(*avd)); > + } > > denied = requested & ~(avd->allowed); > if (unlikely(denied)) > rc = avc_denied(state, ssid, tsid, tclass, requested, 0, 0, > flags, avd); > - > +out: > rcu_read_unlock(); > return rc; > } >
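
Review bot: the new `goto out` taken when `avc_lookup()` misses and `flags & AVC_NONBLOCKING` is set skips the `denied = requested & ~(avd->allowed)` computation entirely, so on that path the function returns whatever `rc` was initialised to (the initialisation is outside this hunk) without any access decision having been made. The commit message describes this as returning success, which means an AVC cache miss during RCU walk is reported to the caller as "allowed"; that is only safe if every such caller is guaranteed to repeat the check on the slow path. Consider setting `rc` explicitly before the jump to an error that forces the VFS to drop out of RCU walk and retry (for example -ECHILD) instead of relying on the default. The same path also leaves `*avd` unwritten, since neither the `memcpy()` nor `avc_compute_av()` runs, so a caller that reads `avd` after the return sees stale or uninitialised data; either fill it with a defined value or document that `avd` is not valid on this return.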