From: Stephen Smalley <stephen.smalley.work@gmail.com>
To: selinux@vger.kernel.org
Cc: paul@paul-moore.com, omosnace@redhat.com,
Stephen Smalley <stephen.smalley.work@gmail.com>
Subject: [PATCH 1/2] selinux: move avdcache to per-task security blob
Date: Fri, 14 Nov 2025 12:45:12 -0500 [thread overview]
Message-ID: <20251114174514.14695-1-stephen.smalley.work@gmail.com> (raw)
The SELinux task_security_struct was originally per-task but later
migrated to per-cred when creds were first introduced to Linux. The
avdcache was meant to be per-task rather than per-cred; move it to a
new task_selinux_struct that is allocated per-task.
Fixes: 5d7ddc59b3d89b724a5aa8f30d0db94ff8d2d93f ("selinux: reduce path walk overhead")
Signed-off-by: Stephen Smalley <stephen.smalley.work@gmail.com>
---
security/selinux/hooks.c | 35 +++++++++++++++++++------------
security/selinux/include/objsec.h | 13 ++++++++++--
2 files changed, 33 insertions(+), 15 deletions(-)
diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c
index a22b1920242f..0eea43e4a90c 100644
--- a/security/selinux/hooks.c
+++ b/security/selinux/hooks.c
@@ -212,11 +212,15 @@ static int selinux_lsm_notifier_avc_callback(u32 event)
static void cred_init_security(void)
{
struct task_security_struct *tsec;
+ struct task_selinux_struct *tsel;
/* NOTE: the lsm framework zeros out the buffer on allocation */
tsec = selinux_cred(unrcu_pointer(current->real_cred));
- tsec->osid = tsec->sid = tsec->avdcache.sid = SECINITSID_KERNEL;
+ tsec->osid = tsec->sid = SECINITSID_KERNEL;
+
+ tsel = selinux_task(current);
+ tsel->avdcache.sid = SECINITSID_KERNEL;
}
/*
@@ -3126,10 +3130,10 @@ static noinline int audit_inode_permission(struct inode *inode,
* Clear the task's AVD cache in @tsec and reset it to the current policy's
* and task's info.
*/
-static inline void task_avdcache_reset(struct task_security_struct *tsec)
+static inline void task_avdcache_reset(struct task_selinux_struct *tsec)
{
memset(&tsec->avdcache.dir, 0, sizeof(tsec->avdcache.dir));
- tsec->avdcache.sid = tsec->sid;
+ tsec->avdcache.sid = current_sid();
tsec->avdcache.seqno = avc_policy_seqno();
tsec->avdcache.dir_spot = TSEC_AVDC_DIR_SIZE - 1;
}
@@ -3143,7 +3147,7 @@ static inline void task_avdcache_reset(struct task_security_struct *tsec)
* Search @tsec for a AVD cache entry that matches @isec and return it to the
* caller via @avdc. Returns 0 if a match is found, negative values otherwise.
*/
-static inline int task_avdcache_search(struct task_security_struct *tsec,
+static inline int task_avdcache_search(struct task_selinux_struct *tsec,
struct inode_security_struct *isec,
struct avdc_entry **avdc)
{
@@ -3153,7 +3157,7 @@ static inline int task_avdcache_search(struct task_security_struct *tsec,
if (isec->sclass != SECCLASS_DIR)
return -ENOENT;
- if (unlikely(tsec->sid != tsec->avdcache.sid ||
+ if (unlikely(current_sid() != tsec->avdcache.sid ||
tsec->avdcache.seqno != avc_policy_seqno())) {
task_avdcache_reset(tsec);
return -ENOENT;
@@ -3183,7 +3187,7 @@ static inline int task_avdcache_search(struct task_security_struct *tsec,
* Update the AVD cache in @tsec with the @avdc and @audited info associated
* with @isec.
*/
-static inline void task_avdcache_update(struct task_security_struct *tsec,
+static inline void task_avdcache_update(struct task_selinux_struct *tsec,
struct inode_security_struct *isec,
struct av_decision *avd,
u32 audited)
@@ -3217,7 +3221,8 @@ static int selinux_inode_permission(struct inode *inode, int requested)
{
int mask;
u32 perms;
- struct task_security_struct *tsec;
+ u32 sid = current_sid();
+ struct task_selinux_struct *tsec;
struct inode_security_struct *isec;
struct avdc_entry *avdc;
int rc, rc2;
@@ -3229,8 +3234,8 @@ static int selinux_inode_permission(struct inode *inode, int requested)
if (!mask)
return 0;
- tsec = selinux_cred(current_cred());
- if (task_avdcache_permnoaudit(tsec))
+ tsec = selinux_task(current);
+ if (task_avdcache_permnoaudit(tsec, sid))
return 0;
isec = inode_security_rcu(inode, requested & MAY_NOT_BLOCK);
@@ -3250,7 +3255,7 @@ static int selinux_inode_permission(struct inode *inode, int requested)
struct av_decision avd;
/* Cache miss. */
- rc = avc_has_perm_noaudit(tsec->sid, isec->sid, isec->sclass,
+ rc = avc_has_perm_noaudit(sid, isec->sid, isec->sclass,
perms, 0, &avd);
audited = avc_audit_required(perms, &avd, rc,
(requested & MAY_ACCESS) ? FILE__AUDIT_ACCESS : 0,
@@ -3299,11 +3304,11 @@ static int selinux_inode_setattr(struct mnt_idmap *idmap, struct dentry *dentry,
static int selinux_inode_getattr(const struct path *path)
{
- struct task_security_struct *tsec;
+ struct task_selinux_struct *tsec;
- tsec = selinux_cred(current_cred());
+ tsec = selinux_task(current);
- if (task_avdcache_permnoaudit(tsec))
+ if (task_avdcache_permnoaudit(tsec, current_sid()))
return 0;
return path_has_perm(current_cred(), path, FILE__GETATTR);
@@ -4167,7 +4172,10 @@ static int selinux_task_alloc(struct task_struct *task,
u64 clone_flags)
{
u32 sid = current_sid();
+ struct task_selinux_struct *old_tsec = selinux_task(current);
+ struct task_selinux_struct *new_tsec = selinux_task(task);
+ *new_tsec = *old_tsec;
return avc_has_perm(sid, sid, SECCLASS_PROCESS, PROCESS__FORK, NULL);
}
@@ -7154,6 +7162,7 @@ static int selinux_bpf_token_create(struct bpf_token *token, union bpf_attr *att
struct lsm_blob_sizes selinux_blob_sizes __ro_after_init = {
.lbs_cred = sizeof(struct task_security_struct),
+ .lbs_task = sizeof(struct task_selinux_struct),
.lbs_file = sizeof(struct file_security_struct),
.lbs_inode = sizeof(struct inode_security_struct),
.lbs_ipc = sizeof(struct ipc_security_struct),
diff --git a/security/selinux/include/objsec.h b/security/selinux/include/objsec.h
index 2d5139c6d45b..1ac35ae5332f 100644
--- a/security/selinux/include/objsec.h
+++ b/security/selinux/include/objsec.h
@@ -44,6 +44,9 @@ struct task_security_struct {
u32 create_sid; /* fscreate SID */
u32 keycreate_sid; /* keycreate SID */
u32 sockcreate_sid; /* fscreate SID */
+} __randomize_layout;
+
+struct task_selinux_struct {
#define TSEC_AVDC_DIR_SIZE (1 << 2)
struct {
u32 sid; /* current SID for cached entries */
@@ -54,10 +57,11 @@ struct task_security_struct {
} avdcache;
} __randomize_layout;
-static inline bool task_avdcache_permnoaudit(struct task_security_struct *tsec)
+static inline bool task_avdcache_permnoaudit(struct task_selinux_struct *tsec,
+ u32 sid)
{
return (tsec->avdcache.permissive_neveraudit &&
- tsec->sid == tsec->avdcache.sid &&
+ sid == tsec->avdcache.sid &&
tsec->avdcache.seqno == avc_policy_seqno());
}
@@ -177,6 +181,11 @@ static inline struct task_security_struct *selinux_cred(const struct cred *cred)
return cred->security + selinux_blob_sizes.lbs_cred;
}
+static inline struct task_selinux_struct *selinux_task(const struct task_struct *task)
+{
+ return task->security + selinux_blob_sizes.lbs_task;
+}
+
static inline struct file_security_struct *selinux_file(const struct file *file)
{
return file->f_security + selinux_blob_sizes.lbs_file;
--
2.51.1
next reply other threads:[~2025-11-14 17:45 UTC|newest]
Thread overview: 7+ messages / expand[flat|nested] mbox.gz Atom feed top
2025-11-14 17:45 Stephen Smalley [this message]
2025-11-14 17:45 ` [PATCH 2/2] selinux: rename task_security_struct to cred_security_struct Stephen Smalley
2025-11-17 19:55 ` [PATCH 1/2] selinux: move avdcache to per-task security blob Paul Moore
2025-11-17 21:25 ` Stephen Smalley
2025-11-17 21:43 ` Paul Moore
2025-11-18 13:44 ` Stephen Smalley
2025-11-18 15:47 ` Paul Moore
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20251114174514.14695-1-stephen.smalley.work@gmail.com \
--to=stephen.smalley.work@gmail.com \
--cc=omosnace@redhat.com \
--cc=paul@paul-moore.com \
--cc=selinux@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).