On Fri, Jul 24, 2020 at 4:25 PM Stephen Smalley <stephen.smalley.work@xxxxxxxxx> wrote: > > On Fri, Jul 24, 2020 at 3:43 PM Mike Palmiotto > <mike.palmiotto@xxxxxxxxxxxxxxx> wrote: > > > > On Fri, Jul 24, 2020 at 3:34 PM Mike Palmiotto > > <mike.palmiotto@xxxxxxxxxxxxxxx> wrote: > > > > > > On Fri, Jul 24, 2020 at 2:26 PM Stephen Smalley > > > <stephen.smalley.work@xxxxxxxxx> wrote: > > > > > > > > On Fri, Jul 24, 2020 at 12:23 PM Mike Palmiotto > > > > <mike.palmiotto@xxxxxxxxxxxxxxx> wrote: > > > > > > > > > > On Fri, Jul 24, 2020 at 12:09 PM Stephen Smalley > > > > > <stephen.smalley.work@xxxxxxxxx> wrote: > > > > > > > > > > > > On Fri, Jul 24, 2020 at 11:48 AM Stephen Smalley > > > > > > <stephen.smalley.work@xxxxxxxxx> wrote: > > > > > > > > > > > > > > On Fri, Jul 24, 2020 at 11:34 AM Stephen Smalley > > > > > > > <stephen.smalley.work@xxxxxxxxx> wrote: > > > > > > > > <snip> > > > > > > So, options would appear to be: > > > > > > 1) Drop the usage of avc_using_threads altogether, i.e. even if the > > > > > > caller provided a thread callback, don't create another thread and > > > > > > just call selinux_status_updated() on every avc_has_perm_noaudit() > > > > > > unless avc_app_main_loop is set. Rationale: dbus-daemon was only > > > > > > using threads to avoid the overhead of avc_netlink_check_nb() on every > > > > > > avc_has_perm_noaudit() call, and we've eliminated that via use of > > > > > > sestatus, hence we don't need to create a separate thread at all. > > > > > > -or- > > > > > > 2) If using threads, then create the netlink socket during avc_init > > > > > > and keep using the netlink loop for the thread. This preserves the > > > > > > blocking behavior. > > > > > > > > > > > > #1 seems more optimal to me and gets rid of threading for dbus-daemon, > > > > > > which was something they didn't like anyway. > > > > > > > > > > Perhaps this is misguided, but it seems like avc_init is deprecated > > > > > and along with it the ability to even set a custom thread callback. > > > > > IOTW there does not appear to be a mechanism to set a thread callback > > > > > while using avc_open (only avc_init). Perhaps we can just get rid of > > > > > the default callback for avc_open and allow the (deprecated) avc_init > > > > > to continue using it as it does? > > > > > > > > > > Is this basically what you were proposing for #2? I think I'd be more > > > > > inclined to go with that approach, in case userspace object managers > > > > > are doing other things in their thread callback. > > > > > > > > I think that's the same as #2 if I understood you currently. That's > > > > fine if you prefer it. > > > > So then programs using avc_init() with non-NULL thread callbacks > > > > (hence avc_using_threads == 1) will still create the netlink socket > > > > and start a thread running avc_netlink_loop(). And programs using > > > > avc_netlink_acquire_fd() will create the netlink socket if not already > > > > created and can use it however they want. Everything else will move > > > > to using the status page. > > > > > > What do you think about moving avc_create_thread call (if > > > avc_using_threads is set) into avc_netlink_acquire_fd(). > > > > > > That way, if the caller is using avc_init with a create_thread > > > callback, they can get their netlink socket and create the netlink > > > thread and everything will function as before. In theory, this would > > > also work for the sestatus netlink fallback. > > > > Alternatively, we could just move the thread creation into the > > sestatus fallback, since, as you pointed out, the only reason for > > creating a thread would be to avoid the avc_netlink_check_nb() > > overhead. > > avc_netlink_acquire_fd() isn't called by dbus-daemon in its current > release used in Fedora/RHEL. > So adding it there won't help. We could add it to > selinux_status_open(). Just need to make sure we don't call > avc_netlink_open() twice there (it is already called in the fallback > case) or make it safe to do so. I've given this a bit more thought, and I'm actually leaning toward your option #1, Stephen. Doing away with netlink threads (for non-fallback) should be fine. The only real change in functionality would be handling of status events on the next access check, rather than immediately in the thread. I have a patch repaired to use this approach (and properly handle avc threads for the sestatus fallback case). I just need to rebase/review/re-test before submitting. Thanks for all of the feedback and sorry for the delay. -- Mike Palmiotto https://crunchydata.com
