diff options
| author | Stephen Smalley <stephen.smalley.work@gmail.com> | 2020-08-07 09:29:33 -0400 |
|---|---|---|
| committer | Paul Moore <paul@paul-moore.com> | 2020-08-17 20:48:57 -0400 |
| commit | 461698026ffa740253b3114891d86eeb54a58bbc (patch) | |
| tree | 67b82fefa3ef2ef200c09ae7ab1ce31a21ed6899 /security/selinux/ss/services.h | |
| parent | 339949be25863ac15e24659c2ab4b01185e1234a (diff) | |
selinux: encapsulate policy state, refactor policy load
Encapsulate the policy state in its own structure (struct
selinux_policy) that is separately allocated but referenced from the
selinux_ss structure. The policy state includes the SID table
(particularly the context structures), the policy database, and the
mapping between the kernel classes/permissions and the policy values.
Refactor the security server portion of the policy load logic to
cleanly separate loading of the new structures from committing the new
policy. Unify the initial policy load and reload code paths as much
as possible, avoiding duplicated code. Make sure we are taking the
policy read-lock prior to any dereferencing of the policy. Move the
copying of the policy capability booleans into the state structure
outside of the policy write-lock because they are separate from the
policy and are read outside of any policy lock; possibly they should
be using at least READ_ONCE/WRITE_ONCE or smp_load_acquire/store_release.
These changes simplify the policy loading logic, reduce the size of
the critical section while holding the policy write-lock, and should
facilitate future changes to e.g. refactor the entire policy reload
logic including the selinuxfs code to make the updating of the policy
and the selinuxfs directory tree atomic and/or to convert the policy
read-write lock to RCU.
Signed-off-by: Stephen Smalley <stephen.smalley.work@gmail.com>
Signed-off-by: Paul Moore <paul@paul-moore.com>
Diffstat (limited to 'security/selinux/ss/services.h')
| -rw-r--r-- | security/selinux/ss/services.h | 10 |
1 files changed, 7 insertions, 3 deletions
diff --git a/security/selinux/ss/services.h b/security/selinux/ss/services.h index a06f3d835216..c36933c1c363 100644 --- a/security/selinux/ss/services.h +++ b/security/selinux/ss/services.h @@ -22,12 +22,16 @@ struct selinux_map { u16 size; /* array size of mapping */ }; -struct selinux_ss { - struct sidtab *sidtab; +struct selinux_policy { + struct sidtab sidtab; struct policydb policydb; + struct selinux_map map; +}; + +struct selinux_ss { rwlock_t policy_rwlock; u32 latest_granting; - struct selinux_map map; + struct selinux_policy *policy; } __randomize_layout; void services_compute_xperms_drivers(struct extended_perms *xperms, |