Received: by 2002:ac0:a5b6:0:0:0:0:0 with SMTP id m51-v6csp4533159imm; Wed, 30 May 2018 07:22:36 -0700 (PDT) X-Google-Smtp-Source: ADUXVKIMSS27RC8iA2wIYPiWle5yt14AI2qZW9TzMnRVgrk2YelzKSlZxL5+oFu0fBQlruBztcIa X-Received: by 2002:a63:b64f:: with SMTP id v15-v6mr2384605pgt.276.1527690155972; Wed, 30 May 2018 07:22:35 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1527690155; cv=none; d=google.com; s=arc-20160816; b=dvvCOm1wLrd3aHnikfbe1rxj8X9HUR4cZuNsNU9pn5bu9wBIpJCPlVlETMCY0IelPT AhjZ37XlcgMW//bjhQp+Mf3us58UQvvn6XJmo8pvb8w+wvKV4IJGeR8aPuZQjuJuqo1O mlXzbY2Dm5FFQIY3l7Yn0AEfbnvrQ7GD8UgIh/N/ISV/S8l7BTqDmxpGOhOYGgTK4FPp cRYRmakMFerBI3ZKCs6kKXKWtnOL0J1AJV/48MlDzdiXryJLt7mFmevxIoJcnVCmtMgp mRTIEWo72X/gMj3jOKeW48evuwN31ZKUAFK8lPTQiYH6ZGnu3MDll9KnDpd/mNkuKktH /mVQ== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:mime-version:references:in-reply-to :message-id:date:subject:to:from:arc-authentication-results; bh=DwBHDb9TK8Sar8qq3bs+SDayKWGk0DtYPPvjkgvQW44=; b=YY+5/WsG2WX7+cqa8u5ZO6OaemuJ0Tixe1JgwCiw2yqcnfMDxlSXWFY+OD/4mAWA8n QE5Faxsly1ictYy0jquMSgggTbckmwtdnIW9T4akGSRc2c/45ef3E7UPa0B4obcMtSnC bwOrFLshAtyvqsGPnrIYPgbr1b2CRIXz8/NwbzDj9Qcd7krIsHB1+zpULvqpuzIbPaGb HWpqL9BW1AZGryyb1Xt01pHc0KiigS+fIIZEnHRZ/ZPLKV4wvgT7Oh1RTkQEegvRJc5b GfMTeK9tCFOc6AH+GSEIYPdeKJiqCbZfsHg3UEOI6pLr6Lh5sHiJn49FtkNb+/fV6z+a rFxg== ARC-Authentication-Results: i=1; mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. 
[209.132.180.67]) by mx.google.com with ESMTP id w16-v6si1451669pgv.77.2018.05.30.07.22.21; Wed, 30 May 2018 07:22:35 -0700 (PDT) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S932065AbeE3OVn (ORCPT + 99 others); Wed, 30 May 2018 10:21:43 -0400 Received: from seldsegrel01.sonyericsson.com ([37.139.156.29]:11379 "EHLO SELDSEGREL01.sonyericsson.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1752975AbeE3OVh (ORCPT ); Wed, 30 May 2018 10:21:37 -0400 From: Peter Enderborg To: , Paul Moore , Stephen Smalley , Eric Paris , James Morris , Daniel Jurgens , Doug Ledford , , , , "Serge E . Hallyn" , "Paul E . McKenney" Subject: [PATCH V3 3/5 selinux-next] selinux: sidtab_clone switch to use rwlock. Date: Wed, 30 May 2018 16:11:02 +0200 Message-ID: <20180530141104.28569-4-peter.enderborg@sony.com> X-Mailer: git-send-email 2.15.1 In-Reply-To: <20180530141104.28569-1-peter.enderborg@sony.com> References: <20180530141104.28569-1-peter.enderborg@sony.com> MIME-Version: 1.0 Content-Type: text/plain Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org We need a copy of the sidtabs, so change the generic clone from a function-pointer callback into a dedicated sidtab_clone and let it hold a read rwlock while doing the clone. Signed-off-by: Peter Enderborg --- security/selinux/ss/services.c | 20 +------------------- security/selinux/ss/sidtab.c | 39 ++++++++++++++++++++++++++++++++------- security/selinux/ss/sidtab.h | 3 ++- 3 files changed, 35 insertions(+), 27 deletions(-) 
diff --git a/security/selinux/ss/services.c b/security/selinux/ss/services.c index 4f3ce389084c..2be471d72c85 100644 --- a/security/selinux/ss/services.c +++ b/security/selinux/ss/services.c @@ -1891,19 +1891,6 @@ int security_change_sid(struct selinux_state *state, out_sid, false); } -/* Clone the SID into the new SID table. */ -static int clone_sid(u32 sid, - struct context *context, - void *arg) -{ - struct sidtab *s = arg; - - if (sid > SECINITSID_NUM) - return sidtab_insert(s, sid, context); - else - return 0; -} - static inline int convert_context_handle_invalid_context( struct selinux_state *state, struct context *context) @@ -2199,10 +2186,7 @@ int security_load_policy(struct selinux_state *state, void *data, size_t len) goto err; } - /* Clone the SID table. */ - sidtab_shutdown(old_set->sidtab); - - rc = sidtab_map(old_set->sidtab, clone_sid, next_set->sidtab); + rc = sidtab_clone(old_set->sidtab, next_set->sidtab); if (rc) goto err; @@ -2926,8 +2910,6 @@ int security_set_bools(struct selinux_state *state, int len, int *values) goto out; } - seqno = ++state->ss->latest_granting; - state->ss->active_set = next_set; rc = 0; out: if (!rc) { diff --git a/security/selinux/ss/sidtab.c b/security/selinux/ss/sidtab.c index 5be31b7af225..811503cd7c2b 100644 --- a/security/selinux/ss/sidtab.c +++ b/security/selinux/ss/sidtab.c @@ -27,7 +27,7 @@ int sidtab_init(struct sidtab *s) s->nel = 0; s->next_sid = 1; s->shutdown = 0; - spin_lock_init(&s->lock); + rwlock_init(&s->lock); return 0; } 
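Review bot: The `sidtab_shutdown(old_set->sidtab)` call that preceded the clone is dropped, so the new `rc = sidtab_clone(old_set->sidtab, next_set->sidtab);` snapshots the old table under a read lock but nothing then prevents `sidtab_context_to_sid` from allocating fresh SIDs into the old table between `read_unlock` and the switch to `next_set`, and those SIDs would be absent from the new table. This assumes, as the removed flow suggests, that the `shutdown` flag is what makes the old table refuse new entries; if so, keep `sidtab_shutdown(old_set->sidtab);` immediately before the clone, or document why the window is acceptable. security_load_policy begins and ends outside the hunk. The third hunk in this file also deletes `seqno = ++state->ss->latest_granting;` and `state->ss->active_set = next_set;` from security_set_bools, which the description does not mention; if those moves happen elsewhere in the series, the commit message should say so.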
@@ -116,6 +116,31 @@ struct context *sidtab_search_force(struct sidtab *s, u32 sid) return sidtab_search_core(s, sid, 1); } +int sidtab_clone(struct sidtab *s, struct sidtab *d) +{ + int i, rc = 0; + struct sidtab_node *cur; + + if (!s || !d) + goto errout; + + read_lock(&s->lock); + for (i = 0; i < SIDTAB_SIZE; i++) { + cur = s->htable[i]; + while (cur) { + if (cur->sid > SECINITSID_NUM) + rc = sidtab_insert(d, cur->sid, &cur->context); + if (rc) + goto out; + cur = cur->next; + } + } +out: + read_unlock(&s->lock); +errout: + return rc; +} + int sidtab_map(struct sidtab *s, int (*apply) (u32 sid, struct context *context, @@ -202,7 +227,7 @@ int sidtab_context_to_sid(struct sidtab *s, if (!sid) sid = sidtab_search_context(s, context); if (!sid) { - spin_lock_irqsave(&s->lock, flags); + write_lock_irqsave(&s->lock, flags); /* Rescan now that we hold the lock. */ sid = sidtab_search_context(s, context); if (sid) @@ -221,7 +246,7 @@ int sidtab_context_to_sid(struct sidtab *s, if (ret) s->next_sid--; unlock_out: - spin_unlock_irqrestore(&s->lock, flags); + write_unlock_irqrestore(&s->lock, flags); } if (ret) @@ -287,21 +312,21 @@ void sidtab_set(struct sidtab *dst, struct sidtab *src) unsigned long flags; int i; - spin_lock_irqsave(&src->lock, flags); + write_lock_irqsave(&src->lock, flags); dst->htable = src->htable; dst->nel = src->nel; dst->next_sid = src->next_sid; dst->shutdown = 0; for (i = 0; i < SIDTAB_CACHE_LEN; i++) dst->cache[i] = NULL; - spin_unlock_irqrestore(&src->lock, flags); + write_unlock_irqrestore(&src->lock, flags); } void sidtab_shutdown(struct sidtab *s) { unsigned long flags; - spin_lock_irqsave(&s->lock, flags); + write_lock_irqsave(&s->lock, flags); s->shutdown = 1; - spin_unlock_irqrestore(&s->lock, flags); + write_unlock_irqrestore(&s->lock, flags); } diff --git a/security/selinux/ss/sidtab.h b/security/selinux/ss/sidtab.h index a1a1d2617b6f..6751f8bcbd66 100644 --- a/security/selinux/ss/sidtab.h +++ b/security/selinux/ss/sidtab.h 
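Review bot: In `sidtab_clone`, `if (!s || !d) goto errout;` falls through to `return rc;` with `rc` still 0, so a NULL source or destination is reported as a successful clone and the caller in security_load_policy continues with an unpopulated table; return an error instead, `if (!s || !d) return -EINVAL;`. The parameter order `(struct sidtab *s, struct sidtab *d)` is source-then-destination while the neighbouring `sidtab_set(struct sidtab *dst, struct sidtab *src)` is destination-then-source, which invites a swap at call sites; naming them `src`/`dst` here and in the sidtab.h prototype would make the convention visible. The loop holds `read_lock(&s->lock)` without disabling interrupts while every writer in this file now uses `write_lock_irqsave`; that is only safe if no writer can run in interrupt context on the CPU holding the read lock, which cannot be confirmed from this hunk, so either confirm it or use `read_lock_irqsave`. `sidtab_insert(d, cur->sid, &cur->context)` is also called with the read lock held; if its allocation can sleep (its body is outside the hunk) it would need a non-sleeping allocation or a different locking scheme.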
@@ -29,7 +29,7 @@ struct sidtab { unsigned char shutdown; #define SIDTAB_CACHE_LEN 3 struct sidtab_node *cache[SIDTAB_CACHE_LEN]; - spinlock_t lock; + rwlock_t lock; }; int sidtab_init(struct sidtab *s); @@ -51,6 +51,7 @@ void sidtab_hash_eval(struct sidtab *h, char *tag); void sidtab_destroy(struct sidtab *s); void sidtab_set(struct sidtab *dst, struct sidtab *src); void sidtab_shutdown(struct sidtab *s); +int sidtab_clone(struct sidtab *s, struct sidtab *d); #endif /* _SS_SIDTAB_H_ */ -- 2.15.1