diff options
| author | Ondrej Mosnacek <omosnace@redhat.com> | 2020-01-17 14:15:14 +0100 |
|---|---|---|
| committer | Paul Moore <paul@paul-moore.com> | 2020-02-10 10:49:01 -0500 |
| commit | 4b36cb773a8153417a080f8025d522322f915aea (patch) | |
| tree | a7a24544c4b50c91f43dde124e711b76e2b6c4d6 /security/selinux/ss | |
| parent | bb6d3fb354c5ee8d6bde2d576eb7220ea09862b9 (diff) | |
| download | linux-4b36cb773a8153417a080f8025d522322f915aea.tar.gz | |
selinux: move status variables out of selinux_ss
It fits more naturally in selinux_state, since it reflects also global state (the enforcing and policyload fields). Signed-off-by: Ondrej Mosnacek <omosnace@redhat.com> Reviewed-by: Stephen Smalley <sds@tycho.nsa.gov> Signed-off-by: Paul Moore <paul@paul-moore.com>
Diffstat (limited to 'security/selinux/ss')
| -rw-r--r-- | security/selinux/ss/services.c | 2 | ||||
| -rw-r--r-- | security/selinux/ss/services.h | 2 | ||||
| -rw-r--r-- | security/selinux/ss/status.c | 124 |
3 files changed, 0 insertions, 128 deletions
diff --git a/security/selinux/ss/services.c b/security/selinux/ss/services.c index 216ce602a2b5..5cf491768142 100644 --- a/security/selinux/ss/services.c +++ b/security/selinux/ss/services.c @@ -46,7 +46,6 @@ #include <linux/in.h> #include <linux/sched.h> #include <linux/audit.h> -#include <linux/mutex.h> #include <linux/vmalloc.h> #include <net/netlabel.h> @@ -81,7 +80,6 @@ static struct selinux_ss selinux_ss; void selinux_ss_init(struct selinux_ss **ss) { rwlock_init(&selinux_ss.policy_rwlock); - mutex_init(&selinux_ss.status_lock); *ss = &selinux_ss; } diff --git a/security/selinux/ss/services.h b/security/selinux/ss/services.h index c5896f39e8f6..e9bddf33e53d 100644 --- a/security/selinux/ss/services.h +++ b/security/selinux/ss/services.h @@ -29,8 +29,6 @@ struct selinux_ss { rwlock_t policy_rwlock; u32 latest_granting; struct selinux_map map; - struct page *status_page; - struct mutex status_lock; } __randomize_layout; void services_compute_xperms_drivers(struct extended_perms *xperms, diff --git a/security/selinux/ss/status.c b/security/selinux/ss/status.c deleted file mode 100644 index 3c554a442467..000000000000 --- a/security/selinux/ss/status.c +++ /dev/null @@ -1,124 +0,0 @@ -// SPDX-License-Identifier: GPL-2.0-only -/* - * mmap based event notifications for SELinux - * - * Author: KaiGai Kohei <kaigai@ak.jp.nec.com> - * - * Copyright (C) 2010 NEC corporation - */ -#include <linux/kernel.h> -#include <linux/gfp.h> -#include <linux/mm.h> -#include <linux/mutex.h> -#include "avc.h" -#include "services.h" - -/* - * The selinux_status_page shall be exposed to userspace applications - * using mmap interface on /selinux/status. - * It enables to notify applications a few events that will cause reset - * of userspace access vector without context switching. - * - * The selinux_kernel_status structure on the head of status page is - * protected from concurrent accesses using seqlock logic, so userspace - * application should reference the status page according to the seqlock - * logic. - * - * Typically, application checks status->sequence at the head of access - * control routine. If it is odd-number, kernel is updating the status, - * so please wait for a moment. If it is changed from the last sequence - * number, it means something happen, so application will reset userspace - * avc, if needed. - * In most cases, application shall confirm the kernel status is not - * changed without any system call invocations. - */ - -/* - * selinux_kernel_status_page - * - * It returns a reference to selinux_status_page. If the status page is - * not allocated yet, it also tries to allocate it at the first time. - */ -struct page *selinux_kernel_status_page(struct selinux_state *state) -{ - struct selinux_kernel_status *status; - struct page *result = NULL; - - mutex_lock(&state->ss->status_lock); - if (!state->ss->status_page) { - state->ss->status_page = alloc_page(GFP_KERNEL|__GFP_ZERO); - - if (state->ss->status_page) { - status = page_address(state->ss->status_page); - - status->version = SELINUX_KERNEL_STATUS_VERSION; - status->sequence = 0; - status->enforcing = enforcing_enabled(state); - /* - * NOTE: the next policyload event shall set - * a positive value on the status->policyload, - * although it may not be 1, but never zero. - * So, application can know it was updated. - */ - status->policyload = 0; - status->deny_unknown = - !security_get_allow_unknown(state); - } - } - result = state->ss->status_page; - mutex_unlock(&state->ss->status_lock); - - return result; -} - -/* - * selinux_status_update_setenforce - * - * It updates status of the current enforcing/permissive mode. - */ -void selinux_status_update_setenforce(struct selinux_state *state, - int enforcing) -{ - struct selinux_kernel_status *status; - - mutex_lock(&state->ss->status_lock); - if (state->ss->status_page) { - status = page_address(state->ss->status_page); - - status->sequence++; - smp_wmb(); - - status->enforcing = enforcing; - - smp_wmb(); - status->sequence++; - } - mutex_unlock(&state->ss->status_lock); -} - -/* - * selinux_status_update_policyload - * - * It updates status of the times of policy reloaded, and current - * setting of deny_unknown. - */ -void selinux_status_update_policyload(struct selinux_state *state, - int seqno) -{ - struct selinux_kernel_status *status; - - mutex_lock(&state->ss->status_lock); - if (state->ss->status_page) { - status = page_address(state->ss->status_page); - - status->sequence++; - smp_wmb(); - - status->policyload = seqno; - status->deny_unknown = !security_get_allow_unknown(state); - - smp_wmb(); - status->sequence++; - } - mutex_unlock(&state->ss->status_lock); -} |