selinux.vger.kernel.org archive mirror
 help / color / mirror / Atom feed
From: Paul Moore <paul@paul-moore.com>
To: Stephen Smalley <stephen.smalley.work@gmail.com>
Cc: Ondrej Mosnacek <omosnace@redhat.com>, selinux@vger.kernel.org
Subject: Re: [RFC PATCH] selinux: encapsulate policy state, refactor policy load
Date: Thu, 30 Jul 2020 20:10:41 -0400	[thread overview]
Message-ID: <CAHC9VhTZxW8EnZ+tUQyDWkcJjcKjtCD07aUWZ8qZ71rX1K71jA@mail.gmail.com> (raw)
In-Reply-To: <208642b5-b046-a26f-09d1-9e05377cefe7@gmail.com>

On Thu, Jul 30, 2020 at 6:33 PM Stephen Smalley
<stephen.smalley.work@gmail.com> wrote:
> On 7/30/20 6:09 PM, Stephen Smalley wrote:
>
> > Encapsulate the policy state in its own structure (struct
> > selinux_policy) that is separately allocated but referenced from the
> > selinux_ss structure.  The policy state includes the SID table
> > (particularly the context structures), the policy database, and the
> > mapping between the kernel classes/permissions and the policy values.
> > Refactor the security server portion of the policy load logic to
> > cleanly separate loading of the new structures from committing the new
> > policy.  Unify the initial policy load and reload code paths as much
> > as possible, avoiding duplicated code.  Make sure we are taking the
> > policy read-lock prior to any dereferencing of the policy.  Move the
> > copying of the policy capability booleans into the state structure
> > outside of the policy write-lock because they are separate from the
> > policy and are read outside of any policy lock; possibly they should
> > be using at least READ_ONCE/WRITE_ONCE or smp_load_acquire/store_release.
> >
> > These changes simplify the policy loading logic, reduce the size of
> > the critical section while holding the policy write-lock, and should
> > facilitate future changes to e.g. refactor the entire policy reload
> > logic including the selinuxfs code to make the updating of the policy
> > and the selinuxfs directory tree atomic and/or to convert the policy
> > read-write lock to RCU.
> >
> > Signed-off-by: Stephen Smalley <stephen.smalley.work@gmail.com>
> > ---
>
> > @@ -2098,10 +2104,12 @@ static int convert_context(struct context *oldc, struct context *newc, void *p)
> >
> >   static void security_load_policycaps(struct selinux_state *state)
> >   {
> > -     struct policydb *p = &state->ss->policydb;
> > +     struct policydb *p = &state->ss->policy->policydb;
> >       unsigned int i;
> >       struct ebitmap_node *node;
> >
> > +     read_lock(&state->ss->policy_rwlock);
> > +
>
> Oops, should have moved the dereferencing of policy after taking the
> read-lock here; fixed it everywhere else I think but missed this one.
> Will fix in the next version but will wait for other comments on this
> version.

While I haven't looked at this patch in detail, I'm generally in favor
of cleanups and the encapsulation work has generally been a good thing
in my opinion.  It also should go without saying that fixing, or
improving, the atomic load issue would be a very good thing.

> > @@ -2132,112 +2200,58 @@ static int security_preserve_bools(struct selinux_state *state,
> >    */
> >   int security_load_policy(struct selinux_state *state, void *data, size_t len)
> >   {
> <snip>
> >       /*
> >        * Convert the internal representations of contexts
> >        * in the new SID table.
> >        */
> >       args.state = state;
> > -     args.oldp = policydb;
> > -     args.newp = newpolicydb;
> > +     args.oldp = &state->ss->policy->policydb;
> > +     args.newp = &newpolicy->policydb;
> >
> >       convert_params.func = convert_context;
> >       convert_params.args = &args;
> > -     convert_params.target = newsidtab;
> > +     convert_params.target = &newpolicy->sidtab;
> >
> > -     rc = sidtab_convert(oldsidtab, &convert_params);
> > +     rc = sidtab_convert(&state->ss->policy->sidtab, &convert_params);
>
> Should sidtab_convert() be called while holding policy read-lock since
> we are passing state->ss->policy->policydb via the args field of
> convert_params and using it within the callback?  I think it happens to
> be safe currently by virtue of the fact that nothing else can write to
> it since selinuxfs is holding its semaphore during the entire policy
> reload but it seems inconsistent. However, if we do take policy
> read-lock across the call, then sidtab_convert() needs to use GFP_ATOMIC
> allocations instead of GFP_KERNEL.

Without looking too closely at the call chains, or the allocation
sizes, I would vote for taking the lock in the name of consistency.

-- 
paul moore
www.paul-moore.com

      reply	other threads:[~2020-07-31  0:10 UTC|newest]

Thread overview: 3+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2020-07-30 22:09 [RFC PATCH] selinux: encapsulate policy state, refactor policy load Stephen Smalley
2020-07-30 22:33 ` Stephen Smalley
2020-07-31  0:10   ` Paul Moore [this message]

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=CAHC9VhTZxW8EnZ+tUQyDWkcJjcKjtCD07aUWZ8qZ71rX1K71jA@mail.gmail.com \
    --to=paul@paul-moore.com \
    --cc=omosnace@redhat.com \
    --cc=selinux@vger.kernel.org \
    --cc=stephen.smalley.work@gmail.com \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body. 
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).