Re: [PATCH] selinux: move ibpkeys code under CONFIG_SECURITY_INFINIBAND.

On Wed, Dec 18, 2019 at 1:01 AM Ravi Kumar Siddojigari
<rsiddoji@xxxxxxxxxxxxxx> wrote:
> -----Original Message-----
> From: selinux-owner@xxxxxxxxxxxxxxx <selinux-owner@xxxxxxxxxxxxxxx> On Behalf Of Ravi Kumar Siddojigari
> Sent: Tuesday, December 17, 2019 8:42 PM
> To: 'Paul Moore' <paul@xxxxxxxxxxxxxx>
> Cc: selinux@xxxxxxxxxxxxxxx
> Subject: RE: [PATCH] selinux: move pkey sid cache based retrieval under defconfig
>
> Yes Paul, it should be under CONFIG_SECURITY_INFINIBAND, thanks for correcting this.
> Hope we can take it forward, as all the targets with disabled InfiniBand can be gained.
> Please find the updated patch for review.
>
> From 6a8c60eacd0b6e5189722bb1823864b6728c2e34 Mon Sep 17 00:00:00 2001
> From: Ravi Kumar Siddojigari <rsiddoji@xxxxxxxxxxxxxx>
> Date: Wed, 11 Dec 2019 19:57:24 +0530
> Subject: [PATCH] selinux: move ibpkeys code under CONFIG_SECURITY_INFINIBAND.
>
> Move cache based pkey sid retrieval code, which was added with commit 409dcf31, under CONFIG_SECURITY_INFINIBAND.
> As it's going to alloc a new cache which may impact low RAM devices, which was enabled by default.
>
> Change-Id: I80a13fb7bce8723c8c880cb77cbaee42db413a7a
> Signed-off-by: Ravi Kumar Siddojigari <rsiddoji@xxxxxxxxxxxxxx>
> ---
>  security/selinux/Makefile         | 4 +++-
>  security/selinux/hooks.c          | 6 ++++++
>  security/selinux/include/objsec.h | 2 ++
>  3 files changed, 11 insertions(+), 1 deletion(-)

...

> diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c index b1a9ac9..157faaf 100644
> --- a/security/selinux/hooks.c
> +++ b/security/selinux/hooks.c
> @@ -94,7 +94,11 @@
>  #include "netif.h"
>  #include "netnode.h"
>  #include "netport.h"
> +
> +#ifdef CONFIG_SECURITY_INFINIBAND
>  #include "ibpkey.h"
> +#endif

See the comments below ...


>  #include "xfrm.h"
>  #include "netlabel.h"
>  #include "audit.h"
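
Review bot: the #ifdef CONFIG_SECURITY_INFINIBAND wrapped around the #include "ibpkey.h" line puts the configuration decision in hooks.c, so any other file that pulls in this header would have to repeat the same guard. Include the header unconditionally and let ibpkey.h decide what it declares for each configuration. The bare "+" blank line added ahead of the #ifdef also splits the run of local includes and can be dropped.
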
> @@ -198,7 +202,9 @@ static int selinux_netcache_avc_callback(u32 event)  static int selinux_lsm_notifier_avc_callback(u32 event)  {
>         if (event == AVC_CALLBACK_RESET) {
> +#ifdef CONFIG_SECURITY_INFINIBAND
>                 sel_ib_pkey_flush();
> +#endif
>                 call_lsm_notifier(LSM_POLICY_CHANGE, NULL);
>         }
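
Review bot: the #ifdef/#endif pair around sel_ib_pkey_flush() inside selinux_lsm_notifier_avc_callback() puts preprocessor conditionals in a function body, which kernel coding style asks to keep out of .c files wherever possible. Leave the call unconditional and supply an empty static inline sel_ib_pkey_flush() in the header for the case where CONFIG_SECURITY_INFINIBAND is not set, so the AVC_CALLBACK_RESET path reads the same in both configurations.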

In cases like the one you see directly above, and in the #include further
up, the kernel usually solves this by creating a dummy function in the
header file.  In this case, ibpkey.h would look something like this:

>>>
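/* header comments, blah blah blah */

#ifndef _SELINUX_IB_PKEY_H
#define _SELINUX_IB_PKEY_H

#include <linux/types.h>  /* u16, u32, u64 */
#include "flask.h"        /* SECINITSID_UNLABELED */

#ifdef CONFIG_SECURITY_INFINIBAND
/* InfiniBand enabled: declarations of the real functions */
void sel_ib_pkey_flush(void);
int sel_ib_pkey_sid(u64 subnet_prefix, u16 pkey, u32 *sid);
#else
/* InfiniBand disabled: there is no cache, so flushing is a no-op */
static inline void sel_ib_pkey_flush(void)
{
  return;
}
/* InfiniBand disabled: every pkey maps to the unlabeled initial SID */
static inline int sel_ib_pkey_sid(u64 subnet_prefix, u16 pkey, u32 *sid)
{
  *sid = SECINITSID_UNLABELED;
  return 0;
}
#endif /* CONFIG_SECURITY_INFINIBAND */

#endif /* _SELINUX_IB_PKEY_H */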
>>>

Does that make sense?

--
paul moore
www.paul-moore.com


