On Fri, Mar 10, 2023 at 8:03 AM Stephen Smalley <stephen.smalley.work@xxxxxxxxx> wrote:
>
> Linus observed that the pervasive passing of selinux_state pointers
> introduced by me in commit aa8e712cee93 ("selinux: wrap global selinux
> state") adds overhead and complexity without providing any
> benefit. The original idea was to pave the way for SELinux namespaces
> but those have not yet been implemented and there isn't currently
> a concrete plan to do so. Remove the passing of the selinux_state
> pointers, reverting to direct use of the single global selinux_state,
> and likewise remove passing of child pointers like the selinux_avc.
> The selinux_policy pointer remains as it is needed for atomic switching
> of policies.
>
> Suggested-by: Linus Torvalds <torvalds@xxxxxxxxxxxxxxxxxxxx>
> Reported-by: kernel test robot <lkp@xxxxxxxxx>
> Link: https://lore.kernel.org/oe-kbuild-all/202303101057.mZ3Gv5fK-lkp@xxxxxxxxx/
> Signed-off-by: Stephen Smalley <stephen.smalley.work@xxxxxxxxx>
> ---
> v2 fixes the lockdep_assert_held() in security/selinux/ima.c reported by kernel test robot.
>
> security/selinux/avc.c | 197 ++++-----
> security/selinux/hooks.c | 549 ++++++++++---------------
> security/selinux/ibpkey.c | 2 +-
> security/selinux/ima.c | 37 +-
> security/selinux/include/avc.h | 29 +-
> security/selinux/include/avc_ss.h | 3 +-
> security/selinux/include/conditional.h | 4 +-
> security/selinux/include/ima.h | 10 +-
> security/selinux/include/security.h | 171 +++-----
> security/selinux/netif.c | 2 +-
> security/selinux/netlabel.c | 17 +-
> security/selinux/netnode.c | 4 +-
> security/selinux/netport.c | 2 +-
> security/selinux/selinuxfs.c | 208 ++++------
> security/selinux/ss/services.c | 346 +++++++---------
> security/selinux/ss/services.h | 1 -
> security/selinux/status.c | 44 +-
> security/selinux/xfrm.c | 20 +-
> 18 files changed, 651 insertions(+), 995 deletions(-)

Merged into selinux/next, thanks Stephen.

--
paul-moore.com