From: Steffen Klassert <steffen.klassert@secunet.com>
To: Paul Moore <paul@paul-moore.com>
Cc: netdev@vger.kernel.org,
LSM list <linux-security-module@vger.kernel.org>,
SELinux list <selinux@tycho.nsa.gov>,
Fan Du <fan.du@windriver.com>, Dave Jones <davej@redhat.com>,
"David S. Miller" <davem@davemloft.net>
Subject: Re: [PATCHv2 2/2] selinux: add gfp argument to security_xfrm_policy_alloc and fix callers
Date: Mon, 10 Mar 2014 13:52:03 +0100
Message-ID: <20140310125203.GZ32371@secunet.com>
In-Reply-To: <2297449.8Lk5u4VomY@sifl>
On Fri, Mar 07, 2014 at 05:27:17PM -0500, Paul Moore wrote:
> On Friday, March 07, 2014 12:44:19 PM Nikolay Aleksandrov wrote:
> > security_xfrm_policy_alloc can be called in atomic context so the
> > allocation should be done with GFP_ATOMIC. Add an argument to let the
> > callers choose the appropriate way. In order to do so a gfp argument
> > needs to be added to the method xfrm_policy_alloc_security in struct
> > security_operations and to the internal function
> > selinux_xfrm_alloc_user. After that switch to GFP_ATOMIC in the atomic
> > callers and leave GFP_KERNEL as before for the rest.
> > The path that needed the gfp argument addition is:
> > security_xfrm_policy_alloc -> security_ops.xfrm_policy_alloc_security ->
> > all users of xfrm_policy_alloc_security (e.g. selinux_xfrm_policy_alloc) ->
> > selinux_xfrm_alloc_user (here the allocation used to be GFP_KERNEL only)
> >
> > Now adding a gfp argument to selinux_xfrm_alloc_user requires us to also
> > add it to security_context_to_sid which is used inside and prior to this
> > patch did only GFP_KERNEL allocation. So add gfp argument to
> > security_context_to_sid and adjust all of its callers as well.
> >
> > CC: Paul Moore <paul@paul-moore.com>
> > CC: Dave Jones <davej@redhat.com>
> > CC: Steffen Klassert <steffen.klassert@secunet.com>
> > CC: Fan Du <fan.du@windriver.com>
> > CC: David S. Miller <davem@davemloft.net>
> > CC: LSM list <linux-security-module@vger.kernel.org>
> > CC: SELinux list <selinux@tycho.nsa.gov>
> >
> > Signed-off-by: Nikolay Aleksandrov <nikolay@redhat.com>
>
> This looks good to me, thanks for finding this and following through with a
> patch.
>
> Acked-by: Paul Moore <paul@paul-moore.com>
>
Both patches applied to the ipsec tree.
Thanks everyone!
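
Added example, not part of the thread or of the kernel patch: a userspace C model of the change the quoted commit message describes, where a hard-coded sleeping allocation deep in a call chain is replaced by a gfp flag passed down from the caller. All names (model_*, MODEL_GFP_*, run_under_lock) and the context string are hypothetical stand-ins; no kernel API is used.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

typedef unsigned model_gfp_t;      /* hypothetical stand-in for gfp_t */
#define MODEL_GFP_ATOMIC 0x0u      /* allocation must not sleep */
#define MODEL_GFP_KERNEL 0x1u      /* allocation may sleep */

static int in_atomic_ctx;          /* models "lock held / RCU read side" */
static int sleep_violations;       /* counts sleeping-while-atomic events */

/* Allocator stand-in: records a sleeping allocation made in atomic context. */
static void *model_alloc(size_t n, model_gfp_t gfp)
{
    if (in_atomic_ctx && (gfp & MODEL_GFP_KERNEL))
        sleep_violations++;
    return calloc(1, n);
}

/* Innermost step of the chain (models security_context_to_sid). */
static char *model_context_to_sid(const char *ctx, model_gfp_t gfp)
{
    char *copy = model_alloc(strlen(ctx) + 1, gfp);
    if (copy)
        strcpy(copy, ctx);
    return copy;
}

/* Before: the flag is fixed inside the chain; callers cannot change it. */
static char *model_policy_alloc_old(const char *ctx)
{
    return model_context_to_sid(ctx, MODEL_GFP_KERNEL);
}

/* After: the caller's flag is threaded through every level. */
static char *model_policy_alloc_new(const char *ctx, model_gfp_t gfp)
{
    return model_context_to_sid(ctx, gfp);
}

/* Runs one allocation under a simulated lock; returns violations seen. */
static int run_under_lock(int use_new, model_gfp_t gfp)
{
    sleep_violations = 0;
    in_atomic_ctx = 1;
    char *p = use_new ? model_policy_alloc_new("constructed_ctx", gfp)
                      : model_policy_alloc_old("constructed_ctx");
    in_atomic_ctx = 0;
    free(p);
    return sleep_violations;
}

int main(void)
{
    printf("old=%d new_atomic=%d\n", run_under_lock(0, MODEL_GFP_KERNEL),
           run_under_lock(1, MODEL_GFP_ATOMIC));
    return 0;
}
```

The last case in the test shows that threading the argument through is only half of the fix: an atomic caller that still passes the sleeping flag is flagged exactly as before.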