Message ID | 20200827162753.2089782-1-omosnace@redhat.com (mailing list archive) |
---|---|
State | Accepted |
Headers | show |
Series | [v3] selinux: simplify away security_policydb_len() | expand |
On Thu, Aug 27, 2020 at 12:28 PM Ondrej Mosnacek <omosnace@redhat.com> wrote: > > Remove the security_policydb_len() calls from sel_open_policy() and > instead update the inode size from the size returned from > security_read_policy(). > > Since after this change security_policydb_len() is only called from > security_load_policy(), remove it entirely and just open-code it there. > > Also, since security_load_policy() is always called with policy_mutex > held, make it dereference the policy pointer directly and drop the > unnecessary RCU locking. > > Signed-off-by: Ondrej Mosnacek <omosnace@redhat.com> Acked-by: Stephen Smalley <stephen.smalley.work@gmail.com>
On Thu, Aug 27, 2020 at 12:28 PM Ondrej Mosnacek <omosnace@redhat.com> wrote: > > Remove the security_policydb_len() calls from sel_open_policy() and > instead update the inode size from the size returned from > security_read_policy(). > > Since after this change security_policydb_len() is only called from > security_load_policy(), remove it entirely and just open-code it there. > > Also, since security_load_policy() is always called with policy_mutex > held, make it dereference the policy pointer directly and drop the > unnecessary RCU locking. > > Signed-off-by: Ondrej Mosnacek <omosnace@redhat.com> > --- > > v3: rebase on top of latest selinux/next > > security/selinux/include/security.h | 1 - > security/selinux/selinuxfs.c | 12 ++++++------ > security/selinux/ss/services.c | 27 ++++----------------------- > 3 files changed, 10 insertions(+), 30 deletions(-) Merged into selinux/next.
diff --git a/security/selinux/include/security.h b/security/selinux/include/security.h index bbbf7141ccdbc..cbdd3c7aff8b2 100644 --- a/security/selinux/include/security.h +++ b/security/selinux/include/security.h @@ -219,7 +219,6 @@ void selinux_policy_cancel(struct selinux_state *state, struct selinux_policy *policy); int security_read_policy(struct selinux_state *state, void **data, size_t *len); -size_t security_policydb_len(struct selinux_state *state); int security_policycap_supported(struct selinux_state *state, unsigned int req_cap); diff --git a/security/selinux/selinuxfs.c b/security/selinux/selinuxfs.c index 29567acdda214..45e9efa9bf5bf 100644 --- a/security/selinux/selinuxfs.c +++ b/security/selinux/selinuxfs.c @@ -415,16 +415,16 @@ static int sel_open_policy(struct inode *inode, struct file *filp) if (!plm) goto err; - if (i_size_read(inode) != security_policydb_len(state)) { - inode_lock(inode); - i_size_write(inode, security_policydb_len(state)); - inode_unlock(inode); - } - rc = security_read_policy(state, &plm->data, &plm->len); if (rc) goto err; + if ((size_t)i_size_read(inode) != plm->len) { + inode_lock(inode); + i_size_write(inode, plm->len); + inode_unlock(inode); + } + fsi->policy_opened = 1; filp->private_data = plm; diff --git a/security/selinux/ss/services.c b/security/selinux/ss/services.c index 85cfd46836c7e..8dc111fbe23ab 100644 --- a/security/selinux/ss/services.c +++ b/security/selinux/ss/services.c @@ -2328,22 +2328,6 @@ err_policy: return rc; } -size_t security_policydb_len(struct selinux_state *state) -{ - struct selinux_policy *policy; - size_t len; - - if (!selinux_initialized(state)) - return 0; - - rcu_read_lock(); - policy = rcu_dereference(state->policy); - len = policy->policydb.len; - rcu_read_unlock(); - - return len; -} - /** * security_port_sid - Obtain the SID for a port. * @protocol: protocol number @@ -3903,11 +3887,12 @@ int security_read_policy(struct selinux_state *state, int rc; struct policy_file fp; - if (!selinux_initialized(state)) + policy = rcu_dereference_protected( + state->policy, lockdep_is_held(&state->policy_mutex)); + if (!policy) return -EINVAL; - *len = security_policydb_len(state); - + *len = policy->policydb.len; *data = vmalloc_user(*len); if (!*data) return -ENOMEM; @@ -3915,11 +3900,7 @@ int security_read_policy(struct selinux_state *state, fp.data = *data; fp.len = *len; - rcu_read_lock(); - policy = rcu_dereference(state->policy); rc = policydb_write(&policy->policydb, &fp); - rcu_read_unlock(); - if (rc) return rc;
Remove the security_policydb_len() calls from sel_open_policy() and instead update the inode size from the size returned from security_read_policy(). Since after this change security_policydb_len() is only called from security_load_policy(), remove it entirely and just open-code it there. Also, since security_load_policy() is always called with policy_mutex held, make it dereference the policy pointer directly and drop the unnecessary RCU locking. Signed-off-by: Ondrej Mosnacek <omosnace@redhat.com> --- v3: rebase on top of latest selinux/next security/selinux/include/security.h | 1 - security/selinux/selinuxfs.c | 12 ++++++------ security/selinux/ss/services.c | 27 ++++----------------------- 3 files changed, 10 insertions(+), 30 deletions(-)