On Tue, Aug 11, 2020 at 3:02 PM Stephen Smalley <stephen.smalley.work@xxxxxxxxx> wrote: > > Refactor the logic for changing SELinux policy booleans in a similar > manner to the refactoring of policy load, thereby reducing the > size of the critical section when the policy write-lock is held > and making it easier to convert the policy rwlock to RCU in the > future. Instead of directly modifying the policydb in place, modify > a copy and then swap it into place through a single pointer update. > Only fully copy the portions of the policydb that are affected by > boolean changes to avoid the full cost of a deep policydb copy. > Introduce another level of indirection for the sidtab since changing > booleans does not require updating the sidtab, unlike policy load. > While we are here, create a common helper for notifying > other kernel components and userspace of a policy change and call it > from both security_set_bools() and selinux_policy_commit(). > > Based on an old (2004) patch by Kaigai Kohei [1] to convert the policy > rwlock to RCU that was deferred at the time since it did not > significantly improve performance and introduced complexity. Peter > Enderborg later submitted a patch series to convert to RCU [2] that > would have made changing booleans a much more expensive operation > by requiring a full policydb_write();policydb_read(); sequence to > deep copy the entire policydb and also had concerns regarding > atomic allocations. > > This change is now simplified by the earlier work to encapsulate > policy state in the selinux_policy struct and to refactor > policy load. After this change, the last major obstacle to > converting the policy rwlock to RCU is likely the sidtab live > convert support. > > [1] https://lore.kernel.org/selinux/6e2f9128-e191-ebb3-0e87-74bfccb0767f@xxxxxxxxxxxxx/ > [2] https://lore.kernel.org/selinux/20180530141104.28569-1-peter.enderborg@xxxxxxxx/ > > Signed-off-by: Stephen Smalley <stephen.smalley.work@xxxxxxxxx> > --- > v2 fixes a memory leak of the oldpolicy structure in security_set_bools(). > Thanks, kmemleak! > > security/selinux/ss/avtab.c | 49 ++++++++- > security/selinux/ss/avtab.h | 1 + > security/selinux/ss/conditional.c | 156 ++++++++++++++++++++++++++++ > security/selinux/ss/conditional.h | 2 + > security/selinux/ss/hashtab.c | 53 ++++++++++ > security/selinux/ss/hashtab.h | 6 ++ > security/selinux/ss/services.c | 163 ++++++++++++++++++------------ > security/selinux/ss/services.h | 2 +- > 8 files changed, 368 insertions(+), 64 deletions(-) Merged into selinux/next, thanks. -- paul moore www.paul-moore.com