SMACK: Add new lock for adding entry in smack master list

Message ID	1479878217-20022-1-git-send-email-vishal.goel@samsung.com (mailing list archive)
State	New, archived
Headers	show Return-Path: <linux-security-module-owner@kernel.org> From: Vishal Goel <vishal.goel@samsung.com> To: casey@schaufler-ca.com, linux-security-module@vger.kernel.org Cc: vishal.goel@samsung.com, himanshu.sh@samsung.com, Vishal Goel <vishal.goel@samsung.com>, Himanshu Shukla <himanshu.sh@samsung.com> Subject: [PATCH] SMACK: Add new lock for adding entry in smack master list Date: Wed, 23 Nov 2016 10:46:57 +0530 Message-id: <1479878217-20022-1-git-send-email-vishal.goel@samsung.com> Sender: owner-linux-security-module@vger.kernel.org Precedence: bulk

Message ID

1479878217-20022-1-git-send-email-vishal.goel@samsung.com (mailing list archive)

State

New, archived

Headers

From: Vishal Goel <vishal.goel@samsung.com>
To: casey@schaufler-ca.com, linux-security-module@vger.kernel.org
Cc: vishal.goel@samsung.com, himanshu.sh@samsung.com,
	Vishal Goel <vishal.goel@samsung.com>,
	Himanshu Shukla <himanshu.sh@samsung.com>
Subject: [PATCH] SMACK: Add new lock for adding entry in smack master list
Date: Wed, 23 Nov 2016 10:46:57 +0530
Message-id: <1479878217-20022-1-git-send-email-vishal.goel@samsung.com>
Sender: owner-linux-security-module@vger.kernel.org
Precedence: bulk

Commit Message

Vishal Goel Nov. 23, 2016, 5:16 a.m. UTC

"smk_set_access()" function adds a new rule entry in subject label specific
list(rule_list) and in global rule list(smack_rule_list) both. Mutex lock
(rule_lock) is used to avoid simultaneous updates. But this lock is subject
label specific lock. If 2 processes tries to add different rules(i.e with
different subject labels) simultaneously, then both the processes can take
the "rule_lock" respectively. So it will cause a problem while adding
entries in master rule list.
Now a new mutex lock(smack_master_list_lock) has been taken to add entry in
smack_rule_list to avoid simultaneous updates of different rules.

Signed-off-by: Vishal Goel <vishal.goel@samsung.com>
Signed-off-by: Himanshu Shukla <himanshu.sh@samsung.com>
---
 security/smack/smackfs.c | 5 +++++
 1 file changed, 5 insertions(+)

Comments

Casey Schaufler Nov. 28, 2016, 10:34 p.m. UTC | #1

On 11/22/2016 9:16 PM, Vishal Goel wrote:
> "smk_set_access()" function adds a new rule entry in subject label specific
> list(rule_list) and in global rule list(smack_rule_list) both. Mutex lock
> (rule_lock) is used to avoid simultaneous updates. But this lock is subject
> label specific lock. If 2 processes tries to add different rules(i.e with
> different subject labels) simultaneously, then both the processes can take
> the "rule_lock" respectively. So it will cause a problem while adding
> entries in master rule list.
> Now a new mutex lock(smack_master_list_lock) has been taken to add entry in
> smack_rule_list to avoid simultaneous updates of different rules.
>
> Signed-off-by: Vishal Goel <vishal.goel@samsung.com>
> Signed-off-by: Himanshu Shukla <himanshu.sh@samsung.com>

Acked-by: Casey Schaufler <casey@schaufler-ca.com>

I have queued this for 4.11 as it's too late for 4.10.

> ---
>  security/smack/smackfs.c | 5 +++++
>  1 file changed, 5 insertions(+)
>
> diff --git a/security/smack/smackfs.c b/security/smack/smackfs.c
> index 6492fe9..0d7294f 100644
> --- a/security/smack/smackfs.c
> +++ b/security/smack/smackfs.c
> @@ -67,6 +67,7 @@ enum smk_inos {
>  /*
>   * List locks
>   */
> +static DEFINE_MUTEX(smack_master_list_lock);
>  static DEFINE_MUTEX(smack_cipso_lock);
>  static DEFINE_MUTEX(smack_ambient_lock);
>  static DEFINE_MUTEX(smk_net4addr_lock);
> @@ -262,12 +263,16 @@ static int smk_set_access(struct smack_parsed_rule *srp,
>  		 * it needs to get added for reporting.
>  		 */
>  		if (global) {
> +			mutex_unlock(rule_lock);
>  			smlp = kzalloc(sizeof(*smlp), GFP_KERNEL);
>  			if (smlp != NULL) {
>  				smlp->smk_rule = sp;
> +				mutex_lock(&smack_master_list_lock);
>  				list_add_rcu(&smlp->list, &smack_rule_list);
> +				mutex_unlock(&smack_master_list_lock);
>  			} else
>  				rc = -ENOMEM;
> +			return rc;
>  		}
>  	}
>  

--
To unsubscribe from this list: send the line "unsubscribe linux-security-module" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

diff --git a/security/smack/smackfs.c b/security/smack/smackfs.c
index 6492fe9..0d7294f 100644
--- a/security/smack/smackfs.c
+++ b/security/smack/smackfs.c
@@ -67,6 +67,7 @@  enum smk_inos {
 /*
  * List locks
  */
+static DEFINE_MUTEX(smack_master_list_lock);
 static DEFINE_MUTEX(smack_cipso_lock);
 static DEFINE_MUTEX(smack_ambient_lock);
 static DEFINE_MUTEX(smk_net4addr_lock);
@@ -262,12 +263,16 @@  static int smk_set_access(struct smack_parsed_rule *srp,
 		 * it needs to get added for reporting.
 		 */
 		if (global) {
+			mutex_unlock(rule_lock);
 			smlp = kzalloc(sizeof(*smlp), GFP_KERNEL);
 			if (smlp != NULL) {
 				smlp->smk_rule = sp;
+				mutex_lock(&smack_master_list_lock);
 				list_add_rcu(&smlp->list, &smack_rule_list);
+				mutex_unlock(&smack_master_list_lock);
 			} else
 				rc = -ENOMEM;
+			return rc;
 		}
 	}

SMACK: Add new lock for adding entry in smack master list

Commit Message

Comments

Patch