diff mbox series

[1/2] selinux: slow_avc_audit has become non-blocking

Message ID YMI08apUwu1Y7Tc5@zeniv-ca.linux.org.uk (mailing list archive)
State Accepted
Delegated to: Paul Moore
Headers show
Series [1/2] selinux: slow_avc_audit has become non-blocking | expand

Commit Message

Al Viro June 10, 2021, 3:51 p.m. UTC
[followup to dump_common_audit_data() changes from this winter; in vfs.git#work.audit]
Does anybody have objections to the below?

From 663a40ab49308b5acaba8a335190fce66e17d969 Mon Sep 17 00:00:00 2001
From: Al Viro <viro@zeniv.linux.org.uk>
Date: Sat, 16 Jan 2021 15:40:54 -0500
Subject: [PATCH 1/2] selinux: slow_avc_audit has become non-blocking

dump_common_audit_data() is safe to use under rcu_read_lock() now;
no need for AVC_NONBLOCKING and games around it

Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
---
 security/selinux/avc.c         | 28 ++++++++--------------------
 security/selinux/hooks.c       | 13 ++-----------
 security/selinux/include/avc.h |  4 ----
 3 files changed, 10 insertions(+), 35 deletions(-)

Comments

Paul Moore June 10, 2021, 11:12 p.m. UTC | #1
On Thu, Jun 10, 2021 at 11:51 AM Al Viro <viro@zeniv.linux.org.uk> wrote:
>
> [followup to dump_common_audit_data() changes from this winter; in vfs.git#work.audit]
> Does anybody have objections to the below?
>
> From 663a40ab49308b5acaba8a335190fce66e17d969 Mon Sep 17 00:00:00 2001
> From: Al Viro <viro@zeniv.linux.org.uk>
> Date: Sat, 16 Jan 2021 15:40:54 -0500
> Subject: [PATCH 1/2] selinux: slow_avc_audit has become non-blocking
>
> dump_common_audit_data() is safe to use under rcu_read_lock() now;
> no need for AVC_NONBLOCKING and games around it
>
> Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
> ---
>  security/selinux/avc.c         | 28 ++++++++--------------------
>  security/selinux/hooks.c       | 13 ++-----------
>  security/selinux/include/avc.h |  4 ----
>  3 files changed, 10 insertions(+), 35 deletions(-)

This looks okay to me, thanks Al.  If you want to fix patch 2/2 I can
pull both into selinux/next.
Al Viro June 11, 2021, 1:45 a.m. UTC | #2
On Thu, Jun 10, 2021 at 07:12:15PM -0400, Paul Moore wrote:
> On Thu, Jun 10, 2021 at 11:51 AM Al Viro <viro@zeniv.linux.org.uk> wrote:
> >
> > [followup to dump_common_audit_data() changes from this winter; in vfs.git#work.audit]
> > Does anybody have objections to the below?
> >
> > From 663a40ab49308b5acaba8a335190fce66e17d969 Mon Sep 17 00:00:00 2001
> > From: Al Viro <viro@zeniv.linux.org.uk>
> > Date: Sat, 16 Jan 2021 15:40:54 -0500
> > Subject: [PATCH 1/2] selinux: slow_avc_audit has become non-blocking
> >
> > dump_common_audit_data() is safe to use under rcu_read_lock() now;
> > no need for AVC_NONBLOCKING and games around it
> >
> > Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
> > ---
> >  security/selinux/avc.c         | 28 ++++++++--------------------
> >  security/selinux/hooks.c       | 13 ++-----------
> >  security/selinux/include/avc.h |  4 ----
> >  3 files changed, 10 insertions(+), 35 deletions(-)
> 
> This looks okay to me, thanks Al.  If you want to fix patch 2/2 I can
> pull both into selinux/next.

Done and force-pushed into the same branch...  Do you want a formal pull request?
Paul Moore June 11, 2021, 1:51 a.m. UTC | #3
On Thu, Jun 10, 2021 at 9:45 PM Al Viro <viro@zeniv.linux.org.uk> wrote:
> On Thu, Jun 10, 2021 at 07:12:15PM -0400, Paul Moore wrote:
> > On Thu, Jun 10, 2021 at 11:51 AM Al Viro <viro@zeniv.linux.org.uk> wrote:
> > >
> > > [followup to dump_common_audit_data() changes from this winter; in vfs.git#work.audit]
> > > Does anybody have objections to the below?
> > >
> > > From 663a40ab49308b5acaba8a335190fce66e17d969 Mon Sep 17 00:00:00 2001
> > > From: Al Viro <viro@zeniv.linux.org.uk>
> > > Date: Sat, 16 Jan 2021 15:40:54 -0500
> > > Subject: [PATCH 1/2] selinux: slow_avc_audit has become non-blocking
> > >
> > > dump_common_audit_data() is safe to use under rcu_read_lock() now;
> > > no need for AVC_NONBLOCKING and games around it
> > >
> > > Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
> > > ---
> > >  security/selinux/avc.c         | 28 ++++++++--------------------
> > >  security/selinux/hooks.c       | 13 ++-----------
> > >  security/selinux/include/avc.h |  4 ----
> > >  3 files changed, 10 insertions(+), 35 deletions(-)
> >
> > This looks okay to me, thanks Al.  If you want to fix patch 2/2 I can
> > pull both into selinux/next.
>
> Done and force-pushed into the same branch...  Do you want a formal pull request?

Thanks for the offer, but I can just pull those top two patches from
work.audit.  However, this mail came in just as I was shutting down
for the evening so I'll take care of it tomorrow.
Paul Moore June 11, 2021, 5:18 p.m. UTC | #4
On Thu, Jun 10, 2021 at 9:51 PM Paul Moore <paul@paul-moore.com> wrote:
> On Thu, Jun 10, 2021 at 9:45 PM Al Viro <viro@zeniv.linux.org.uk> wrote:
> > On Thu, Jun 10, 2021 at 07:12:15PM -0400, Paul Moore wrote:
> > > On Thu, Jun 10, 2021 at 11:51 AM Al Viro <viro@zeniv.linux.org.uk> wrote:
> > > >
> > > > [followup to dump_common_audit_data() changes from this winter; in vfs.git#work.audit]
> > > > Does anybody have objections to the below?
> > > >
> > > > From 663a40ab49308b5acaba8a335190fce66e17d969 Mon Sep 17 00:00:00 2001
> > > > From: Al Viro <viro@zeniv.linux.org.uk>
> > > > Date: Sat, 16 Jan 2021 15:40:54 -0500
> > > > Subject: [PATCH 1/2] selinux: slow_avc_audit has become non-blocking
> > > >
> > > > dump_common_audit_data() is safe to use under rcu_read_lock() now;
> > > > no need for AVC_NONBLOCKING and games around it
> > > >
> > > > Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
> > > > ---
> > > >  security/selinux/avc.c         | 28 ++++++++--------------------
> > > >  security/selinux/hooks.c       | 13 ++-----------
> > > >  security/selinux/include/avc.h |  4 ----
> > > >  3 files changed, 10 insertions(+), 35 deletions(-)
> > >
> > > This looks okay to me, thanks Al.  If you want to fix patch 2/2 I can
> > > pull both into selinux/next.
> >
> > Done and force-pushed into the same branch...  Do you want a formal pull request?
>
> Thanks for the offer, but I can just pull those top two patches from
> work.audit.  However, this mail came in just as I was shutting down
> for the evening so I'll take care of it tomorrow.

Both are now in selinux/next, thanks Al.
diff mbox series

Patch

diff --git a/security/selinux/avc.c b/security/selinux/avc.c
index ad451cf9375e..9c3d2a29616a 100644
--- a/security/selinux/avc.c
+++ b/security/selinux/avc.c
@@ -758,7 +758,11 @@  static void avc_audit_post_callback(struct audit_buffer *ab, void *a)
 	}
 }
 
-/* This is the slow part of avc audit with big stack footprint */
+/*
+ * This is the slow part of avc audit with big stack footprint.
+ * Note that it is non-blocking and can be called from under
+ * rcu_read_lock().
+ */
 noinline int slow_avc_audit(struct selinux_state *state,
 			    u32 ssid, u32 tsid, u16 tclass,
 			    u32 requested, u32 audited, u32 denied, int result,
@@ -825,7 +829,7 @@  int __init avc_add_callback(int (*callback)(u32 event), u32 events)
  * @ssid,@tsid,@tclass : identifier of an AVC entry
  * @seqno : sequence number when decision was made
  * @xpd: extended_perms_decision to be added to the node
- * @flags: the AVC_* flags, e.g. AVC_NONBLOCKING, AVC_EXTENDED_PERMS, or 0.
+ * @flags: the AVC_* flags, e.g. AVC_EXTENDED_PERMS, or 0.
  *
  * if a valid AVC entry doesn't exist,this function returns -ENOENT.
  * if kmalloc() called internal returns NULL, this function returns -ENOMEM.
@@ -844,21 +848,6 @@  static int avc_update_node(struct selinux_avc *avc,
 	struct hlist_head *head;
 	spinlock_t *lock;
 
-	/*
-	 * If we are in a non-blocking code path, e.g. VFS RCU walk,
-	 * then we must not add permissions to a cache entry
-	 * because we will not audit the denial.  Otherwise,
-	 * during the subsequent blocking retry (e.g. VFS ref walk), we
-	 * will find the permissions already granted in the cache entry
-	 * and won't audit anything at all, leading to silent denials in
-	 * permissive mode that only appear when in enforcing mode.
-	 *
-	 * See the corresponding handling of MAY_NOT_BLOCK in avc_audit()
-	 * and selinux_inode_permission().
-	 */
-	if (flags & AVC_NONBLOCKING)
-		return 0;
-
 	node = avc_alloc_node(avc);
 	if (!node) {
 		rc = -ENOMEM;
@@ -1119,7 +1108,7 @@  int avc_has_extended_perms(struct selinux_state *state,
  * @tsid: target security identifier
  * @tclass: target security class
  * @requested: requested permissions, interpreted based on @tclass
- * @flags:  AVC_STRICT, AVC_NONBLOCKING, or 0
+ * @flags:  AVC_STRICT or 0
  * @avd: access vector decisions
  *
  * Check the AVC to determine whether the @requested permissions are granted
@@ -1204,8 +1193,7 @@  int avc_has_perm_flags(struct selinux_state *state,
 	struct av_decision avd;
 	int rc, rc2;
 
-	rc = avc_has_perm_noaudit(state, ssid, tsid, tclass, requested,
-				  (flags & MAY_NOT_BLOCK) ? AVC_NONBLOCKING : 0,
+	rc = avc_has_perm_noaudit(state, ssid, tsid, tclass, requested, 0,
 				  &avd);
 
 	rc2 = avc_audit(state, ssid, tsid, tclass, requested, &avd, rc,
diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c
index eaea837d89d1..f22ad1229471 100644
--- a/security/selinux/hooks.c
+++ b/security/selinux/hooks.c
@@ -3164,17 +3164,13 @@  static noinline int audit_inode_permission(struct inode *inode,
 {
 	struct common_audit_data ad;
 	struct inode_security_struct *isec = selinux_inode(inode);
-	int rc;
 
 	ad.type = LSM_AUDIT_DATA_INODE;
 	ad.u.inode = inode;
 
-	rc = slow_avc_audit(&selinux_state,
+	return slow_avc_audit(&selinux_state,
 			    current_sid(), isec->sid, isec->sclass, perms,
 			    audited, denied, result, &ad);
-	if (rc)
-		return rc;
-	return 0;
 }
 
 static int selinux_inode_permission(struct inode *inode, int mask)
@@ -3209,8 +3205,7 @@  static int selinux_inode_permission(struct inode *inode, int mask)
 		return PTR_ERR(isec);
 
 	rc = avc_has_perm_noaudit(&selinux_state,
-				  sid, isec->sid, isec->sclass, perms,
-				  no_block ? AVC_NONBLOCKING : 0,
+				  sid, isec->sid, isec->sclass, perms, 0,
 				  &avd);
 	audited = avc_audit_required(perms, &avd, rc,
 				     from_access ? FILE__AUDIT_ACCESS : 0,
@@ -3218,10 +3213,6 @@  static int selinux_inode_permission(struct inode *inode, int mask)
 	if (likely(!audited))
 		return rc;
 
-	/* fall back to ref-walk if we have to generate audit */
-	if (no_block)
-		return -ECHILD;
-
 	rc2 = audit_inode_permission(inode, perms, audited, denied, rc);
 	if (rc2)
 		return rc2;
diff --git a/security/selinux/include/avc.h b/security/selinux/include/avc.h
index cf4cc3ef959b..c3bbfc8e8b46 100644
--- a/security/selinux/include/avc.h
+++ b/security/selinux/include/avc.h
@@ -134,9 +134,6 @@  static inline int avc_audit(struct selinux_state *state,
 	audited = avc_audit_required(requested, avd, result, 0, &denied);
 	if (likely(!audited))
 		return 0;
-	/* fall back to ref-walk if we have to generate audit */
-	if (flags & MAY_NOT_BLOCK)
-		return -ECHILD;
 	return slow_avc_audit(state, ssid, tsid, tclass,
 			      requested, audited, denied, result,
 			      a);
@@ -144,7 +141,6 @@  static inline int avc_audit(struct selinux_state *state,
 
 #define AVC_STRICT 1 /* Ignore permissive mode. */
 #define AVC_EXTENDED_PERMS 2	/* update extended permissions */
-#define AVC_NONBLOCKING    4	/* non blocking */
 int avc_has_perm_noaudit(struct selinux_state *state,
 			 u32 ssid, u32 tsid,
 			 u16 tclass, u32 requested,