From: Stephen Smalley <stephen.smalley.work@gmail.com>
To: selinux@vger.kernel.org
Cc: paul@paul-moore.com, omosnace@redhat.com, netdev@vger.kernel.org,
horms@kernel.org,
Stephen Smalley <stephen.smalley.work@gmail.com>
Subject: [PATCH v7 04/42] selinux: dynamically allocate selinux namespace
Date: Thu, 14 Aug 2025 09:25:55 -0400 [thread overview]
Message-ID: <20250814132637.1659-5-stephen.smalley.work@gmail.com> (raw)
In-Reply-To: <20250814132637.1659-1-stephen.smalley.work@gmail.com>
Move from static allocation of a single selinux namespace to
dynamic allocation. Include necessary support for lifecycle management
of the selinux namespace, modeled after the user namespace support.
Signed-off-by: Stephen Smalley <stephen.smalley.work@gmail.com>
---
security/selinux/avc.c | 32 ++++++++++----
security/selinux/hooks.c | 65 +++++++++++++++++++++++++----
security/selinux/include/security.h | 27 +++++++++++-
security/selinux/selinuxfs.c | 3 +-
security/selinux/ss/services.c | 17 +++++++-
5 files changed, 125 insertions(+), 19 deletions(-)
diff --git a/security/selinux/avc.c b/security/selinux/avc.c
index 32e1a116f2b7..056e597912ec 100644
--- a/security/selinux/avc.c
+++ b/security/selinux/avc.c
@@ -91,20 +91,34 @@ struct selinux_avc {
struct avc_cache avc_cache;
};
-static struct selinux_avc selinux_avc;
-
-void selinux_avc_init(struct selinux_avc **avc)
+int selinux_avc_create(struct selinux_avc **avc)
{
+ struct selinux_avc *newavc;
int i;
- selinux_avc.avc_cache_threshold = AVC_DEF_CACHE_THRESHOLD;
+ newavc = kzalloc(sizeof(*newavc), GFP_KERNEL);
+ if (!newavc)
+ return -ENOMEM;
+
+ newavc->avc_cache_threshold = AVC_DEF_CACHE_THRESHOLD;
+
for (i = 0; i < AVC_CACHE_SLOTS; i++) {
- INIT_HLIST_HEAD(&selinux_avc.avc_cache.slots[i]);
- spin_lock_init(&selinux_avc.avc_cache.slots_lock[i]);
+ INIT_HLIST_HEAD(&newavc->avc_cache.slots[i]);
+ spin_lock_init(&newavc->avc_cache.slots_lock[i]);
}
- atomic_set(&selinux_avc.avc_cache.active_nodes, 0);
- atomic_set(&selinux_avc.avc_cache.lru_hint, 0);
- *avc = &selinux_avc;
+ atomic_set(&newavc->avc_cache.active_nodes, 0);
+ atomic_set(&newavc->avc_cache.lru_hint, 0);
+
+ *avc = newavc;
+ return 0;
+}
+
+static void avc_flush(struct selinux_avc *avc);
+
+void selinux_avc_free(struct selinux_avc *avc)
+{
+ avc_flush(avc);
+ kfree(avc);
}
unsigned int avc_get_cache_threshold(struct selinux_avc *avc)
diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c
index d45a3ac9ded6..7c405f3289db 100644
--- a/security/selinux/hooks.c
+++ b/security/selinux/hooks.c
@@ -107,7 +107,7 @@
#define SELINUX_INODE_INIT_XATTRS 1
-static struct selinux_state init_selinux_state;
+static struct selinux_state *init_selinux_state;
struct selinux_state *current_selinux_state;
/* SECMARK reference count */
@@ -7749,16 +7749,67 @@ static struct security_hook_list selinux_hooks[] __ro_after_init = {
#endif
};
+static void selinux_state_free(struct work_struct *work);
+
+int selinux_state_create(struct selinux_state *parent,
+ struct selinux_state **state)
+{
+ struct selinux_state *newstate;
+ int rc;
+
+ newstate = kzalloc(sizeof(*newstate), GFP_KERNEL);
+ if (!newstate)
+ return -ENOMEM;
+
+ refcount_set(&newstate->count, 1);
+ INIT_WORK(&newstate->work, selinux_state_free);
+
+ mutex_init(&newstate->status_lock);
+ mutex_init(&newstate->policy_mutex);
+
+ rc = selinux_avc_create(&newstate->avc);
+ if (rc)
+ goto err;
+
+ if (parent)
+ newstate->parent = get_selinux_state(parent);
+
+ *state = newstate;
+ return 0;
+err:
+ kfree(newstate);
+ return rc;
+}
+
+static void selinux_state_free(struct work_struct *work)
+{
+ struct selinux_state *parent, *state =
+ container_of(work, struct selinux_state, work);
+
+ do {
+ parent = state->parent;
+ if (state->status_page)
+ __free_page(state->status_page);
+ selinux_state_policy_free(state);
+ selinux_avc_free(state->avc);
+ kfree(state);
+ state = parent;
+ } while (state && refcount_dec_and_test(&state->count));
+}
+
+void __put_selinux_state(struct selinux_state *state)
+{
+ schedule_work(&state->work);
+}
+
static __init int selinux_init(void)
{
pr_info("SELinux: Initializing.\n");
- memset(&init_selinux_state, 0, sizeof(init_selinux_state));
- enforcing_set(&init_selinux_state, selinux_enforcing_boot);
- selinux_avc_init(&init_selinux_state.avc);
- mutex_init(&init_selinux_state.status_lock);
- mutex_init(&init_selinux_state.policy_mutex);
- current_selinux_state = &init_selinux_state;
+ if (selinux_state_create(NULL, &init_selinux_state))
+ panic("SELinux: Could not create initial namespace\n");
+ enforcing_set(init_selinux_state, selinux_enforcing_boot);
+ current_selinux_state = init_selinux_state;
/* Set the security state for the initial task. */
cred_init_security();
diff --git a/security/selinux/include/security.h b/security/selinux/include/security.h
index 168bd75f9cdf..d733d2dabb9f 100644
--- a/security/selinux/include/security.h
+++ b/security/selinux/include/security.h
@@ -105,9 +105,34 @@ struct selinux_state {
struct selinux_avc *avc;
struct selinux_policy __rcu *policy;
struct mutex policy_mutex;
+ struct selinux_state *parent;
+
+ refcount_t count;
+ struct work_struct work;
} __randomize_layout;
-void selinux_avc_init(struct selinux_avc **avc);
+int selinux_state_create(struct selinux_state *parent,
+ struct selinux_state **state);
+void __put_selinux_state(struct selinux_state *state);
+
+void selinux_policy_free(struct selinux_policy *policy);
+void selinux_state_policy_free(struct selinux_state *state);
+
+int selinux_avc_create(struct selinux_avc **avc);
+void selinux_avc_free(struct selinux_avc *avc);
+
+static inline void put_selinux_state(struct selinux_state *state)
+{
+ if (state && refcount_dec_and_test(&state->count))
+ __put_selinux_state(state);
+}
+
+static inline struct selinux_state *
+get_selinux_state(struct selinux_state *state)
+{
+ refcount_inc(&state->count);
+ return state;
+}
extern struct selinux_state *current_selinux_state;
diff --git a/security/selinux/selinuxfs.c b/security/selinux/selinuxfs.c
index d07d585fa401..28d0fe3b3244 100644
--- a/security/selinux/selinuxfs.c
+++ b/security/selinux/selinuxfs.c
@@ -90,7 +90,7 @@ static int selinux_fs_info_create(struct super_block *sb)
return -ENOMEM;
fsi->last_ino = SEL_INO_NEXT - 1;
- fsi->state = current_selinux_state;
+ fsi->state = get_selinux_state(current_selinux_state);
fsi->sb = sb;
sb->s_fs_info = fsi;
return 0;
@@ -102,6 +102,7 @@ static void selinux_fs_info_free(struct super_block *sb)
unsigned int i;
if (fsi) {
+ put_selinux_state(fsi->state);
for (i = 0; i < fsi->bool_num; i++)
kfree(fsi->bool_pending_names[i]);
kfree(fsi->bool_pending_names);
diff --git a/security/selinux/ss/services.c b/security/selinux/ss/services.c
index 430a654b42a5..90a73bc627ca 100644
--- a/security/selinux/ss/services.c
+++ b/security/selinux/ss/services.c
@@ -2228,7 +2228,7 @@ static void security_load_policycaps(struct selinux_state *state,
static int security_preserve_bools(struct selinux_policy *oldpolicy,
struct selinux_policy *newpolicy);
-static void selinux_policy_free(struct selinux_policy *policy)
+void selinux_policy_free(struct selinux_policy *policy)
{
if (!policy)
return;
@@ -2240,6 +2240,21 @@ static void selinux_policy_free(struct selinux_policy *policy)
kfree(policy);
}
+void selinux_state_policy_free(struct selinux_state *state)
+{
+ struct selinux_policy *policy;
+
+ /*
+ * This is only called from selinux_state_free() when the
+ * refcount for the state drops to zero, i.e. there are no
+ * remaining references to the state and hence no remaining
+ * references to its policy.
+ */
+ policy = rcu_dereference_protected(state->policy,
+ refcount_read(&state->count) == 0);
+ selinux_policy_free(policy);
+}
+
static void selinux_policy_cond_free(struct selinux_policy *policy)
{
cond_policydb_destroy_dup(&policy->policydb);
--
2.50.1
next prev parent reply other threads:[~2025-08-14 13:27 UTC|newest]
Thread overview: 43+ messages / expand[flat|nested] mbox.gz Atom feed top
2025-08-14 13:25 [PATCH v7 00/42] SELinux namespace support Stephen Smalley
2025-08-14 13:25 ` [PATCH v7 01/42] selinux: restore passing of selinux_state Stephen Smalley
2025-08-14 13:25 ` [PATCH v7 02/42] selinux: introduce current_selinux_state Stephen Smalley
2025-08-14 13:25 ` [PATCH v7 03/42] selinux: support multiple selinuxfs instances Stephen Smalley
2025-08-14 13:25 ` Stephen Smalley [this message]
2025-08-14 13:25 ` [PATCH v7 05/42] netstate,selinux: create the selinux netlink socket per network namespace Stephen Smalley
2025-08-14 13:25 ` [PATCH v7 06/42] selinux: limit selinux netlink notifications to init namespace Stephen Smalley
2025-08-14 13:25 ` [PATCH v7 07/42] selinux: support per-task/cred selinux namespace Stephen Smalley
2025-08-14 13:25 ` [PATCH v7 08/42] selinux: introduce cred_selinux_state() and use it Stephen Smalley
2025-08-14 13:26 ` [PATCH v7 09/42] selinux: init inode from nearest initialized namespace Stephen Smalley
2025-08-14 13:26 ` [PATCH v7 10/42] selinux: add a selinuxfs interface to unshare selinux namespace Stephen Smalley
2025-08-14 13:26 ` [PATCH v7 11/42] selinux: add limits for SELinux namespaces Stephen Smalley
2025-08-14 13:26 ` [PATCH v7 12/42] selinux: exempt creation of init SELinux namespace from limits Stephen Smalley
2025-08-14 13:26 ` [PATCH v7 13/42] selinux: refactor selinux_state_create() Stephen Smalley
2025-08-14 13:26 ` [PATCH v7 14/42] selinux: allow userspace to detect non-init SELinux namespace Stephen Smalley
2025-08-14 13:26 ` [PATCH v7 15/42] selinuxfs: restrict write operations to the same selinux namespace Stephen Smalley
2025-08-14 13:26 ` [PATCH v7 16/42] selinux: introduce a global SID table Stephen Smalley
2025-08-14 13:26 ` [PATCH v7 17/42] selinux: wrap security server interfaces to use the " Stephen Smalley
2025-08-14 13:26 ` [PATCH v7 18/42] selinux: introduce a Kconfig option for SELinux namespaces Stephen Smalley
2025-08-14 13:26 ` [PATCH v7 19/42] selinux: eliminate global SID table if !CONFIG_SECURITY_SELINUX_NS Stephen Smalley
2025-08-14 13:26 ` [PATCH v7 20/42] selinux: maintain a small cache in the global SID table Stephen Smalley
2025-08-14 13:26 ` [PATCH v7 21/42] selinux: update hook functions to use correct selinux namespace Stephen Smalley
2025-08-14 13:26 ` [PATCH v7 22/42] selinux: introduce cred_task_has_perm() Stephen Smalley
2025-08-14 13:26 ` [PATCH v7 23/42] selinux: introduce cred_has_extended_perms() Stephen Smalley
2025-08-14 13:26 ` [PATCH v7 24/42] selinux: introduce cred_self_has_perm() Stephen Smalley
2025-08-14 13:26 ` [PATCH v7 25/42] selinux: introduce cred_has_perm() Stephen Smalley
2025-08-14 13:26 ` [PATCH v7 26/42] selinux: introduce cred_ssid_has_perm() and cred_other_has_perm() Stephen Smalley
2025-08-14 13:26 ` [PATCH v7 27/42] selinux: introduce task_obj_has_perm() Stephen Smalley
2025-08-14 13:26 ` [PATCH v7 28/42] selinux: update bprm hooks for selinux namespaces Stephen Smalley
2025-08-14 13:26 ` [PATCH v7 29/42] selinux: add kerneldoc to new permission checking functions Stephen Smalley
2025-08-14 13:26 ` [PATCH v7 30/42] selinux: convert selinux_file_send_sigiotask() to namespace-aware helper Stephen Smalley
2025-08-14 13:26 ` [PATCH v7 31/42] selinux: rename cred_has_perm*() to cred_tsid_has_perm*() Stephen Smalley
2025-08-14 13:26 ` [PATCH v7 32/42] selinux: update cred_tsid_has_perm_noaudit() to return the combined avd Stephen Smalley
2025-08-14 13:26 ` [PATCH v7 33/42] selinux: convert additional checks to cred_ssid_has_perm() Stephen Smalley
2025-08-14 13:26 ` [PATCH v7 34/42] selinux: introduce selinux_state_has_perm() Stephen Smalley
2025-08-14 13:26 ` [PATCH v7 35/42] selinux: annotate selinuxfs permission checks Stephen Smalley
2025-08-14 13:26 ` [PATCH v7 36/42] selinux: annotate process transition " Stephen Smalley
2025-08-14 13:26 ` [PATCH v7 37/42] selinux: convert xfrm and netlabel " Stephen Smalley
2025-08-14 13:26 ` [PATCH v7 38/42] selinux: switch selinux_lsm_setattr() checks to current namespace Stephen Smalley
2025-08-14 13:26 ` [PATCH v7 39/42] selinux: make open_perms namespace-aware Stephen Smalley
2025-08-14 13:26 ` [PATCH v7 40/42] selinux: split cred_ssid_has_perm() into two cases Stephen Smalley
2025-08-14 13:26 ` [PATCH v7 41/42] selinux: convert nlmsg_sock_has_extended_perms() to namespace-aware Stephen Smalley
2025-08-14 13:26 ` [PATCH v7 42/42] selinux: disallow writes to /sys/fs/selinux/user in non-init namespaces Stephen Smalley
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20250814132637.1659-5-stephen.smalley.work@gmail.com \
--to=stephen.smalley.work@gmail.com \
--cc=horms@kernel.org \
--cc=netdev@vger.kernel.org \
--cc=omosnace@redhat.com \
--cc=paul@paul-moore.com \
--cc=selinux@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).