Received: by 2002:a25:7ec1:0:0:0:0:0 with SMTP id z184csp2252000ybc;
        Wed, 20 Nov 2019 11:09:24 -0800 (PST)
X-Google-Smtp-Source: APXvYqz4ZDOFoUs8hQ6urpF/+yL0mSdaHUhkra91yMn5Nfm6lyOVMp5QW4R2xqKRTFay1yOYpkAC
X-Received: by 2002:adf:94a6:: with SMTP id 35mr5443421wrr.108.1574276964638;
        Wed, 20 Nov 2019 11:09:24 -0800 (PST)
ARC-Seal: i=1; a=rsa-sha256; t=1574276964; cv=none;
        d=google.com; s=arc-20160816;
        b=LKR9pS18FufsZsrvLOsIL7Ghj4VexGLVN+rqcsdbGsCr0EkMBL44FVsLBr1zhHUAwY
         qGjIDKvkE4jgGN0E73nlvWWUZlAlYlt84Ntnbh7LSvI/fR0xi0mLneuaBn9q8rABY0sJ
         E57Wn0FDSZq2Aqv8ymIvWWvfo5JLibKEPsB97ThFGHAzj1ZQjGcu+yr73U/6DFcAmHmf
         MjVUNyx3ptbRPTjg2MB6SYtO4kC/Gi1TqLr/Vew51bSFCbUCvmJFdv7aW2iCDYA1IG2J
         nMac6fjgOfqhOJQvzVW6lcIpgl77iDkkc59MtRTpmVSidQEnKHFAx47L0v32kMWXPpYw
         Zgwg==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=list-id:precedence:sender:user-agent:in-reply-to
         :content-disposition:mime-version:references:reply-to:message-id
         :subject:cc:to:from:date:dkim-signature;
        bh=Rza5vR/QeGf6yPNrn5B32blnXdBpAfPVHvw8AUdF5VM=;
        b=D8yZr4AktY0NoojGJdgrzJPJS9cpm3thcLEbQoXfhkqw76zCnu6eI3WQRfcreyreik
         7l4Zr2j+wC+ZEiFxw7kLB/QOIKPSkojWkwhRgxUd6HvcnlAVEvTNUInzQ0vGmNjNj4AG
         KesF4ZfCua4xDlNF37+tj8b7aMUyx5y5EmQWfCGfHQeLHQV+kS1qVVnZCgTpeCLP4IcP
         D5+KMMjs4SblTTJDTd7ZXY4i12yCLE20hV2gDi4Rihkgs3+6fXsFXf1FUrS/nBLk/69d
         4qrxj4mOmRvtaQOk++aewvCK7cQY6ZGkd+hVhzE84SvcL/YD5BxTWrQzZSOEfvr2rMln
         NPhA==
ARC-Authentication-Results: i=1; mx.google.com;
       dkim=pass header.i=@kernel.org header.s=default header.b=rHZOXTXH;
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
       dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=kernel.org
Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67])
        by mx.google.com with ESMTP id t12si329129edc.171.2019.11.20.11.08.59;
        Wed, 20 Nov 2019 11:09:24 -0800 (PST)
Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67;
Authentication-Results: mx.google.com;
       dkim=pass header.i=@kernel.org header.s=default header.b=rHZOXTXH;
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
       dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=kernel.org
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S1727512AbfKTTHp (ORCPT <rfc822;jaysonjohndmello@gmail.com>
        + 99 others); Wed, 20 Nov 2019 14:07:45 -0500
Received: from mail.kernel.org ([198.145.29.99]:52154 "EHLO mail.kernel.org"
        rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP
        id S1727303AbfKTTHp (ORCPT <rfc822;linux-kernel@vger.kernel.org>);
        Wed, 20 Nov 2019 14:07:45 -0500
Received: from paulmck-ThinkPad-P72.home (unknown [199.201.64.130])
        (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
        (No client certificate requested)
        by mail.kernel.org (Postfix) with ESMTPSA id 2F543206DA;
        Wed, 20 Nov 2019 19:07:44 +0000 (UTC)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org;
        s=default; t=1574276864;
        bh=V866TiQ37Bv8SX4Pfw1bZoTHjOd22HYTmKl3zs2nlG4=;
        h=Date:From:To:Cc:Subject:Reply-To:References:In-Reply-To:From;
        b=rHZOXTXH5wLAn+QSFKaIKlS8vq+e8k0YE/rwrXjSrgbTR/M4M9mEM0weUQY/69F0s
         f/IMew6TtidFI5uYXUuhENO5a5dxKH9wIUbNxhCAKgDp6vEurV8qpSYvpV/3IH3Zof
         910xaBPzepO5TwqnB9Z0CBl2ANOXdt32fm8+89HE=
Received: by paulmck-ThinkPad-P72.home (Postfix, from userid 1000)
        id 0A109352286C; Wed, 20 Nov 2019 11:07:43 -0800 (PST)
Date:   Wed, 20 Nov 2019 11:07:43 -0800
From:   "Paul E. McKenney" <paulmck@kernel.org>
To:     Stephen Smalley <sds@tycho.nsa.gov>
Cc:     Will Deacon <will@kernel.org>, selinux@vger.kernel.org,
        linux-kernel@vger.kernel.org,
        "viro@zeniv.linux.org.uk" <viro@zeniv.linux.org.uk>,
        linuxfs <linux-fsdevel@vger.kernel.org>, rcu@vger.kernel.org
Subject: Re: [RFC PATCH 1/2] selinux: Don't call avc_compute_av() from RCU
 path walk
Message-ID: <20191120190743.GT2889@paulmck-ThinkPad-P72>
Reply-To: paulmck@kernel.org
References: <20191119184057.14961-1-will@kernel.org>
 <20191119184057.14961-2-will@kernel.org>
 <5e51f9a5-ba76-a42d-fc2b-9255f8544859@tycho.nsa.gov>
 <20191120131229.GA21500@willie-the-truck>
 <d8dbd290-0ffa-271f-0268-5e9148e7ee9b@tycho.nsa.gov>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <d8dbd290-0ffa-271f-0268-5e9148e7ee9b@tycho.nsa.gov>
User-Agent: Mutt/1.9.4 (2018-02-28)
Sender: linux-kernel-owner@vger.kernel.org
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org

On Wed, Nov 20, 2019 at 10:28:31AM -0500, Stephen Smalley wrote:
> On 11/20/19 8:12 AM, Will Deacon wrote:
> > Hi Stephen,
> > 
> > Thanks for the quick reply.
> > 
> > On Tue, Nov 19, 2019 at 01:59:40PM -0500, Stephen Smalley wrote:
> > > On 11/19/19 1:40 PM, Will Deacon wrote:
> > > > 'avc_compute_av()' can block, so we carefully exit the RCU read-side
> > > > critical section before calling it in 'avc_has_perm_noaudit()'.
> > > > Unfortunately, if we're calling from the VFS layer on the RCU path walk
> > > > via 'selinux_inode_permission()' then we're still actually in an RCU
> > > > read-side critical section and must not block.
> > > 
> > > avc_compute_av() should never block AFAIK. The blocking concern was with
> > > slow_avc_audit(), and even that appears dubious to me. That seems to be more
> > > about misuse of d_find_alias in dump_common_audit_data() than anything.
> > 
> > Apologies, I lost track of GFP_ATOMIC when I reading the code and didn't
> > think it was propagated down to all of the potential allocations and
> > string functions. Having looked at it again, I can't see where it blocks.
> > 
> > Might be worth a comment in avc_compute_av(), because the temporary
> > dropping of rcu_read_lock() looks really dodgy when we could be running
> > on the RCU path walk path anyway.
> 
> I don't think that's a problem but I'll defer to the fsdevel and rcu folks.
> The use of RCU within the SELinux AVC long predates the introduction of RCU
> path walk, and the rcu_read_lock()/unlock() pairs inside the AVC are not
> related in any way to RCU path walk.  Hopefully they don't break it.  The
> SELinux security server (i.e. security_compute_av() and the rest of
> security/selinux/ss/*) internally has its own locking for its data
> structures, primarily the policy rwlock.  There was also a patch long ago to
> convert use of that policy rwlock to RCU but it didn't seem justified at the
> time.  We are interested in revisiting that however.  That would introduce
> its own set of rcu_read_lock/unlock pairs inside of security_compute_av() as
> well.

RCU readers nest, so it should be fine.  (Famous last words...)

							Thanx, Paul