From: Paul Moore <paul@paul-moore.com>
To: Janne Karhunen <janne.karhunen@gmail.com>
Cc: Stephen Smalley <sds@tycho.nsa.gov>,
zohar@linux.ibm.com, linux-integrity@vger.kernel.org,
linux-security-module@vger.kernel.org
Subject: Re: [PATCH 1/2] LSM: switch to blocking policy update notifiers
Date: Wed, 5 Jun 2019 15:15:51 -0400 [thread overview]
Message-ID: <CAHC9VhT6ws9WaodE2n+-LPmyZXVs=2qZSUDccUDyb_1Lc2MMjQ@mail.gmail.com> (raw)
In-Reply-To: <20190605083606.4209-1-janne.karhunen@gmail.com>
On Wed, Jun 5, 2019 at 4:36 AM Janne Karhunen <janne.karhunen@gmail.com> wrote:
>
> Atomic policy updaters are not very useful as they cannot
> usually perform the policy updates on their own. Since it
> seems that there is no strict need for the atomicity,
> switch to the blocking variant. While doing so, rename
> the functions accordingly.
>
> Signed-off-by: Janne Karhunen <janne.karhunen@gmail.com>
> ---
> drivers/infiniband/core/device.c | 6 +++---
> include/linux/security.h | 6 +++---
> security/security.c | 23 +++++++++++++----------
> security/selinux/hooks.c | 2 +-
> security/selinux/selinuxfs.c | 2 +-
> 5 files changed, 21 insertions(+), 18 deletions(-)
Acked-by: Paul Moore <paul@paul-moore.com>
> diff --git a/drivers/infiniband/core/device.c b/drivers/infiniband/core/device.c
> index 78dc07c6ac4b..61c0c93a2e73 100644
> --- a/drivers/infiniband/core/device.c
> +++ b/drivers/infiniband/core/device.c
> @@ -2499,7 +2499,7 @@ static int __init ib_core_init(void)
> goto err_mad;
> }
>
> - ret = register_lsm_notifier(&ibdev_lsm_nb);
> + ret = register_blocking_lsm_notifier(&ibdev_lsm_nb);
> if (ret) {
> pr_warn("Couldn't register LSM notifier. ret %d\n", ret);
> goto err_sa;
> @@ -2518,7 +2518,7 @@ static int __init ib_core_init(void)
> return 0;
>
> err_compat:
> - unregister_lsm_notifier(&ibdev_lsm_nb);
> + unregister_blocking_lsm_notifier(&ibdev_lsm_nb);
> err_sa:
> ib_sa_cleanup();
> err_mad:
> @@ -2544,7 +2544,7 @@ static void __exit ib_core_cleanup(void)
> nldev_exit();
> rdma_nl_unregister(RDMA_NL_LS);
> unregister_pernet_device(&rdma_dev_net_ops);
> - unregister_lsm_notifier(&ibdev_lsm_nb);
> + unregister_blocking_lsm_notifier(&ibdev_lsm_nb);
> ib_sa_cleanup();
> ib_mad_cleanup();
> addr_cleanup();
> diff --git a/include/linux/security.h b/include/linux/security.h
> index 659071c2e57c..fc655fbe44ad 100644
> --- a/include/linux/security.h
> +++ b/include/linux/security.h
> @@ -189,9 +189,9 @@ static inline const char *kernel_load_data_id_str(enum kernel_load_data_id id)
>
> #ifdef CONFIG_SECURITY
>
> -int call_lsm_notifier(enum lsm_event event, void *data);
> -int register_lsm_notifier(struct notifier_block *nb);
> -int unregister_lsm_notifier(struct notifier_block *nb);
> +int call_blocking_lsm_notifier(enum lsm_event event, void *data);
> +int register_blocking_lsm_notifier(struct notifier_block *nb);
> +int unregister_blocking_lsm_notifier(struct notifier_block *nb);
>
> /* prototypes */
> extern int security_init(void);
> diff --git a/security/security.c b/security/security.c
> index c01a88f65ad8..6bfc7636ddb7 100644
> --- a/security/security.c
> +++ b/security/security.c
> @@ -39,7 +39,7 @@
> #define LSM_COUNT (__end_lsm_info - __start_lsm_info)
>
> struct security_hook_heads security_hook_heads __lsm_ro_after_init;
> -static ATOMIC_NOTIFIER_HEAD(lsm_notifier_chain);
> +static BLOCKING_NOTIFIER_HEAD(blocking_lsm_notifier_chain);
>
> static struct kmem_cache *lsm_file_cache;
> static struct kmem_cache *lsm_inode_cache;
> @@ -430,23 +430,26 @@ void __init security_add_hooks(struct security_hook_list *hooks, int count,
> panic("%s - Cannot get early memory.\n", __func__);
> }
>
> -int call_lsm_notifier(enum lsm_event event, void *data)
> +int call_blocking_lsm_notifier(enum lsm_event event, void *data)
> {
> - return atomic_notifier_call_chain(&lsm_notifier_chain, event, data);
> + return blocking_notifier_call_chain(&blocking_lsm_notifier_chain,
> + event, data);
> }
> -EXPORT_SYMBOL(call_lsm_notifier);
> +EXPORT_SYMBOL(call_blocking_lsm_notifier);
>
> -int register_lsm_notifier(struct notifier_block *nb)
> +int register_blocking_lsm_notifier(struct notifier_block *nb)
> {
> - return atomic_notifier_chain_register(&lsm_notifier_chain, nb);
> + return blocking_notifier_chain_register(&blocking_lsm_notifier_chain,
> + nb);
> }
> -EXPORT_SYMBOL(register_lsm_notifier);
> +EXPORT_SYMBOL(register_blocking_lsm_notifier);
>
> -int unregister_lsm_notifier(struct notifier_block *nb)
> +int unregister_blocking_lsm_notifier(struct notifier_block *nb)
> {
> - return atomic_notifier_chain_unregister(&lsm_notifier_chain, nb);
> + return blocking_notifier_chain_unregister(&blocking_lsm_notifier_chain,
> + nb);
> }
> -EXPORT_SYMBOL(unregister_lsm_notifier);
> +EXPORT_SYMBOL(unregister_blocking_lsm_notifier);
>
> /**
> * lsm_cred_alloc - allocate a composite cred blob
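Review bot: The three wrappers are exported without any comment stating the new contract, and the one thing a caller needs to know after this hunk is that a blocking chain may sleep, so `call_blocking_lsm_notifier()` must only be invoked from a context that can sleep and registered callbacks are allowed to block. A short kernel-doc above `call_blocking_lsm_notifier()` (and ideally a one-line comment next to the prototypes in the include/linux/security.h hunk) would stop a future caller reintroducing an atomic-context use; for example `/* Callbacks on this chain may sleep; never call from atomic context. */`. The rename itself already makes the intent visible in the name, but the name does not document the caller-side requirement.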
> diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c
> index c61787b15f27..c1e37018c8eb 100644
> --- a/security/selinux/hooks.c
> +++ b/security/selinux/hooks.c
> @@ -197,7 +197,7 @@ static int selinux_lsm_notifier_avc_callback(u32 event)
> {
> if (event == AVC_CALLBACK_RESET) {
> sel_ib_pkey_flush();
> - call_lsm_notifier(LSM_POLICY_CHANGE, NULL);
> + call_blocking_lsm_notifier(LSM_POLICY_CHANGE, NULL);
> }
>
> return 0;
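Review bot: `selinux_lsm_notifier_avc_callback()` now calls into a blocking notifier chain from an AVC reset callback, and the hunk does not show the context that invokes AVC callbacks, so it is worth confirming that every path reaching this callback can sleep (no spinlock held, not in interrupt context) before the chain type is switched. If that holds, a comment at the call site such as `/* blocking chain: may sleep, AVC reset runs in process context */` records the assumption the rename relies on. The function's closing brace lies outside the hunk.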
> diff --git a/security/selinux/selinuxfs.c b/security/selinux/selinuxfs.c
> index 145ee62f205a..1e2e3e4b5fdb 100644
> --- a/security/selinux/selinuxfs.c
> +++ b/security/selinux/selinuxfs.c
> @@ -180,7 +180,7 @@ static ssize_t sel_write_enforce(struct file *file, const char __user *buf,
> selnl_notify_setenforce(new_value);
> selinux_status_update_setenforce(state, new_value);
> if (!new_value)
> - call_lsm_notifier(LSM_POLICY_CHANGE, NULL);
> + call_blocking_lsm_notifier(LSM_POLICY_CHANGE, NULL);
> }
> length = count;
> out:
> --
> 2.17.1
>
--
paul moore
www.paul-moore.com