Re: [PATCH v2] selinux: move policy mutex to selinux_state, use in lockdep checks

On Wed, Aug 26, 2020 at 7:29 PM Stephen Smalley
<stephen.smalley.work@xxxxxxxxx> wrote:
> Move the mutex used to synchronize policy changes (reloads and setting
> of booleans) from selinux_fs_info to selinux_state and use it in
> lockdep checks for rcu_dereference_protected() calls in the security
> server functions.  This makes the dependency on the mutex explicit
> in the code rather than relying on comments.
>
> Signed-off-by: Stephen Smalley <stephen.smalley.work@xxxxxxxxx>
> ---
> v2 switches selinuxfs from using &selinux_state.policy_mutex to using
> fsi->state->policy_mutex.  selinuxfs operates on fsi->state->policy
> for all policy reading or modifying operations.  It only acts on
> &selinux_state for checking permissions in the current context.
> At present, fsi->state is always &selinux_state; this will change
> when selinux namespaces are introduced.
>
>  security/selinux/hooks.c            |  1 +
>  security/selinux/include/security.h |  1 +
>  security/selinux/selinuxfs.c        | 26 ++++++++++----------
>  security/selinux/ss/services.c      | 37 +++++++----------------------
>  4 files changed, 22 insertions(+), 43 deletions(-)

Seeing this is in an actual patch, it now looks logical to me. *thumbsup*

Reviewed-by: Ondrej Mosnacek <omosnace@xxxxxxxxxx>

-- 
Ondrej Mosnacek
Software Engineer, Platform Security - SELinux kernel
Red Hat, Inc.



