Re: [PATCH] selinux: don't sleep when CONFIG_SECURITY_SELINUX_CHECKREQPROT_VALUE is true

On Thu, Apr 14, 2022 at 4:53 PM Paul Moore <paul@xxxxxxxxxxxxxx> wrote:
>
> Unfortunately commit 81200b0265b1 ("selinux: checkreqprot is
> deprecated, add some ssleep() discomfort") added a five second sleep
> during early kernel boot, e.g. start_kernel(), which could cause a
> "scheduling while atomic" panic.  This patch fixes this problem by
> moving the sleep out of checkreqprot_set() and into
> sel_write_checkreqprot() so that we only sleep when the checkreqprot
> setting is set during runtime, after the kernel has booted.  The
> error message remains the same in both cases.
>
> Fixes: 81200b0265b1 ("selinux: checkreqprot is deprecated, add some ssleep() discomfort")
> Reported-by: J. Bruce Fields <bfields@xxxxxxxxxxxx>
> Signed-off-by: Paul Moore <paul@xxxxxxxxxxxxxx>
> ---
>  security/selinux/include/security.h |    4 +---
>  security/selinux/selinuxfs.c        |    2 ++
>  2 files changed, 3 insertions(+), 3 deletions(-)

This patch is very trivial, but just a word of warning that I haven't
actually tested it yet, so YMMV ... my test kernel is building now.

> diff --git a/security/selinux/include/security.h b/security/selinux/include/security.h
> index f7e6be63adfb..393aff41d3ef 100644
> --- a/security/selinux/include/security.h
> +++ b/security/selinux/include/security.h
> @@ -152,10 +152,8 @@ static inline bool checkreqprot_get(const struct selinux_state *state)
>
>  static inline void checkreqprot_set(struct selinux_state *state, bool value)
>  {
> -       if (value) {
> +       if (value)
>                 pr_err("SELinux: https://github.com/SELinuxProject/selinux-kernel/wiki/DEPRECATE-checkreqprot\n";);
> -               ssleep(5);
> -       }
>         WRITE_ONCE(state->checkreqprot, value);
>  }
>
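
Review bot: checkreqprot_set() must now stay non-sleeping, because per the commit message it is reached from start_kernel() during early boot, but nothing at the function records that constraint. A short comment above the inline helper saying it can be called from early boot and must not sleep would keep a later change from putting an ssleep() back here. With the braces dropped, the `if (value)` body is just the pr_err() line, so the WRITE_ONCE() still runs unconditionally as before.
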
> diff --git a/security/selinux/selinuxfs.c b/security/selinux/selinuxfs.c
> index 6c8b6a0ddecf..8fcdd494af27 100644
> --- a/security/selinux/selinuxfs.c
> +++ b/security/selinux/selinuxfs.c
> @@ -762,6 +762,8 @@ static ssize_t sel_write_checkreqprot(struct file *file, const char __user *buf,
>         }
>
>         checkreqprot_set(fsi->state, (new_value ? 1 : 0));
> +       if (new_value)
> +               ssleep(5);
>         length = count;
>
>         selinux_ima_measure_state(fsi->state);
>
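
Review bot: in sel_write_checkreqprot() the ssleep(5) now runs after checkreqprot_set() has already done the WRITE_ONCE(), whereas the removed code in security.h slept before the store. The new value is therefore live for the whole five seconds, and selinux_ima_measure_state() is only called once the delay is over. If that ordering matters, move the `if (new_value)` / `ssleep(5);` pair ahead of the checkreqprot_set() call; if it does not, a sentence in the commit message saying so would help. It is also worth confirming that selinuxfs.c includes <linux/delay.h> itself rather than relying on security.h for ssleep().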


-- 
paul-moore.com


