On Wed, Aug 26, 2020 at 7:29 PM Stephen Smalley <stephen.smalley.work@xxxxxxxxx> wrote:
> Move the mutex used to synchronize policy changes (reloads and setting
> of booleans) from selinux_fs_info to selinux_state and use it in
> lockdep checks for rcu_dereference_protected() calls in the security
> server functions. This makes the dependency on the mutex explicit
> in the code rather than relying on comments.
>
> Signed-off-by: Stephen Smalley <stephen.smalley.work@xxxxxxxxx>
> ---
> v2 switches selinuxfs from using &selinux_state.policy_mutex to using
> fsi->state->policy_mutex. selinuxfs operates on fsi->state->policy
> for all policy reading or modifying operations. It only acts on
> &selinux_state for checking permissions in the current context.
> At present, fsi->state is always &selinux_state; this will change
> when selinux namespaces are introduced.
>
>  security/selinux/hooks.c            |  1 +
>  security/selinux/include/security.h |  1 +
>  security/selinux/selinuxfs.c        | 26 ++++++++++----------
>  security/selinux/ss/services.c      | 37 +++++++----------------------
>  4 files changed, 22 insertions(+), 43 deletions(-)

Seeing this is in an actual patch, it now looks logical to me. *thumbsup*

Reviewed-by: Ondrej Mosnacek <omosnace@xxxxxxxxxx>

--
Ondrej Mosnacek
Software Engineer, Platform Security - SELinux kernel
Red Hat, Inc.