Re: [PATCH] selinux: Add helper functions to get and set checkreqprot

On Wed, Sep 9, 2020 at 2:23 PM Lakshmi Ramasubramanian
<nramas@xxxxxxxxxxxxxxxxxxx> wrote:
>
> checkreqprot data member in selinux_state struct is accessed directly by
> SELinux functions to get and set. This could cause unexpected read or
> write access to this data member due to compiler optimizations and\or

and/or

> compiler's reordering of access to this field.
>
> Add helper functions to get and set checkreqprot data member in
> selinux_state struct. These helper functions use READ_ONCE and
> WRITE_ONCE macros to ensure explicit read or write of memory for
> this data member.

s/explicit/atomic/

> This patch is based on commit 66ccd2560aff
> ("selinux: simplify away security_policydb_len()") in "next" branch
> in https://git.kernel.org/pub/scm/linux/kernel/git/pcmoore/selinux.git

Don't include this kind of information in a commit message, if needed
it can go after the --- or in brackets in the subject line a la [-next]
but it isn't necessary when sending against the next branch because
that's the default expectation for submitted patches for selinux.  No
need to cc lsm list on selinux-only patches.

> Signed-off-by: Lakshmi Ramasubramanian <nramas@xxxxxxxxxxxxxxxxxxx>
> Suggested-by: Stephen Smalley <stephen.smalley.work@xxxxxxxxx>
> ---

> diff --git a/security/selinux/include/security.h b/security/selinux/include/security.h
> index cbdd3c7aff8b..b19d919f01e7 100644
> --- a/security/selinux/include/security.h
> +++ b/security/selinux/include/security.h
> @@ -209,6 +209,16 @@ static inline bool selinux_policycap_genfs_seclabel_symlinks(void)
>         return state->policycap[POLICYDB_CAPABILITY_GENFS_SECLABEL_SYMLINKS];
>  }
>
> +static inline bool selinux_checkreqprot(const struct selinux_state *state)
> +{
> +       return READ_ONCE(state->checkreqprot);
> +}
> +static inline void selinux_checkreqprot_set(struct selinux_state *state,
> +                                           bool value)
> +{
> +       WRITE_ONCE(state->checkreqprot, value);
> +}
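Review bot: Missing blank line between the two new functions in this hunk: `selinux_checkreqprot()` closes with `+}` and `selinux_checkreqprot_set()` starts on the very next line, whereas the surrounding accessors in security.h (see the `}` / blank / next function pattern above the hunk) are separated by a blank line. Also worth spelling out in the function comments or commit message what READ_ONCE()/WRITE_ONCE() buy here: they stop the compiler from tearing, merging or reordering the accesses to `state->checkreqprot` itself, but they impose no ordering against other memory accesses, so callers must not read them as a full barrier.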

Move these up with the enforcing accessor functions in this header and
use a consistent naming, e.g. checkreqprot_enabled(),
checkreqprot_set().
