On 6/5/2019 1:36 AM, Janne Karhunen wrote: > Atomic policy updaters are not very useful as they cannot > usually perform the policy updates on their own. Since it > seems that there is no strict need for the atomicity, > switch to the blocking variant. While doing so, rename > the functions accordingly. > > Signed-off-by: Janne Karhunen <janne.karhunen@xxxxxxxxx> > --- > drivers/infiniband/core/device.c | 6 +++--- > include/linux/security.h | 6 +++--- > security/security.c | 23 +++++++++++++---------- > security/selinux/hooks.c | 2 +- > security/selinux/selinuxfs.c | 2 +- > 5 files changed, 21 insertions(+), 18 deletions(-) > > diff --git a/drivers/infiniband/core/device.c b/drivers/infiniband/core/device.c > index 78dc07c6ac4b..61c0c93a2e73 100644 > --- a/drivers/infiniband/core/device.c > +++ b/drivers/infiniband/core/device.c > @@ -2499,7 +2499,7 @@ static int __init ib_core_init(void) > goto err_mad; > } > > - ret = register_lsm_notifier(&ibdev_lsm_nb); > + ret = register_blocking_lsm_notifier(&ibdev_lsm_nb); > if (ret) { > pr_warn("Couldn't register LSM notifier. ret %d\n", ret); > goto err_sa; > @@ -2518,7 +2518,7 @@ static int __init ib_core_init(void) > return 0; > > err_compat: > - unregister_lsm_notifier(&ibdev_lsm_nb); > + unregister_blocking_lsm_notifier(&ibdev_lsm_nb); > err_sa: > ib_sa_cleanup(); > err_mad: > @@ -2544,7 +2544,7 @@ static void __exit ib_core_cleanup(void) > nldev_exit(); > rdma_nl_unregister(RDMA_NL_LS); > unregister_pernet_device(&rdma_dev_net_ops); > - unregister_lsm_notifier(&ibdev_lsm_nb); > + unregister_blocking_lsm_notifier(&ibdev_lsm_nb); > ib_sa_cleanup(); > ib_mad_cleanup(); > addr_cleanup(); > diff --git a/include/linux/security.h b/include/linux/security.h > index 659071c2e57c..fc655fbe44ad 100644 > --- a/include/linux/security.h > +++ b/include/linux/security.h > @@ -189,9 +189,9 @@ static inline const char *kernel_load_data_id_str(enum kernel_load_data_id id) > > #ifdef CONFIG_SECURITY > > -int call_lsm_notifier(enum lsm_event event, void *data); > -int register_lsm_notifier(struct notifier_block *nb); > -int unregister_lsm_notifier(struct notifier_block *nb); > +int call_blocking_lsm_notifier(enum lsm_event event, void *data); > +int register_blocking_lsm_notifier(struct notifier_block *nb); > +int unregister_blocking_lsm_notifier(struct notifier_block *nb); Why is it important to change the names of these hooks? It's not like you had call_atomic_lsm_notifier() before. It seems like a lot of unnecessary code churn. > > /* prototypes */ > extern int security_init(void); > diff --git a/security/security.c b/security/security.c > index c01a88f65ad8..6bfc7636ddb7 100644 > --- a/security/security.c > +++ b/security/security.c > @@ -39,7 +39,7 @@ > #define LSM_COUNT (__end_lsm_info - __start_lsm_info) > > struct security_hook_heads security_hook_heads __lsm_ro_after_init; > -static ATOMIC_NOTIFIER_HEAD(lsm_notifier_chain); > +static BLOCKING_NOTIFIER_HEAD(blocking_lsm_notifier_chain); > > static struct kmem_cache *lsm_file_cache; > static struct kmem_cache *lsm_inode_cache; > @@ -430,23 +430,26 @@ void __init security_add_hooks(struct security_hook_list *hooks, int count, > panic("%s - Cannot get early memory.\n", __func__); > } > > -int call_lsm_notifier(enum lsm_event event, void *data) > +int call_blocking_lsm_notifier(enum lsm_event event, void *data) > { > - return atomic_notifier_call_chain(&lsm_notifier_chain, event, data); > + return blocking_notifier_call_chain(&blocking_lsm_notifier_chain, > + event, data); > } > -EXPORT_SYMBOL(call_lsm_notifier); > +EXPORT_SYMBOL(call_blocking_lsm_notifier); > > -int register_lsm_notifier(struct notifier_block *nb) > +int register_blocking_lsm_notifier(struct notifier_block *nb) > { > - return atomic_notifier_chain_register(&lsm_notifier_chain, nb); > + return blocking_notifier_chain_register(&blocking_lsm_notifier_chain, > + nb); > } > -EXPORT_SYMBOL(register_lsm_notifier); > +EXPORT_SYMBOL(register_blocking_lsm_notifier); > > -int unregister_lsm_notifier(struct notifier_block *nb) > +int unregister_blocking_lsm_notifier(struct notifier_block *nb) > { > - return atomic_notifier_chain_unregister(&lsm_notifier_chain, nb); > + return blocking_notifier_chain_unregister(&blocking_lsm_notifier_chain, > + nb); > } > -EXPORT_SYMBOL(unregister_lsm_notifier); > +EXPORT_SYMBOL(unregister_blocking_lsm_notifier); > > /** > * lsm_cred_alloc - allocate a composite cred blob > diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c > index c61787b15f27..c1e37018c8eb 100644 > --- a/security/selinux/hooks.c > +++ b/security/selinux/hooks.c > @@ -197,7 +197,7 @@ static int selinux_lsm_notifier_avc_callback(u32 event) > { > if (event == AVC_CALLBACK_RESET) { > sel_ib_pkey_flush(); > - call_lsm_notifier(LSM_POLICY_CHANGE, NULL); > + call_blocking_lsm_notifier(LSM_POLICY_CHANGE, NULL); > } > > return 0; > diff --git a/security/selinux/selinuxfs.c b/security/selinux/selinuxfs.c > index 145ee62f205a..1e2e3e4b5fdb 100644 > --- a/security/selinux/selinuxfs.c > +++ b/security/selinux/selinuxfs.c > @@ -180,7 +180,7 @@ static ssize_t sel_write_enforce(struct file *file, const char __user *buf, > selnl_notify_setenforce(new_value); > selinux_status_update_setenforce(state, new_value); > if (!new_value) > - call_lsm_notifier(LSM_POLICY_CHANGE, NULL); > + call_blocking_lsm_notifier(LSM_POLICY_CHANGE, NULL); > } > length = count; > out:
Attachment:
signature.asc
Description: OpenPGP digital signature