selinux: move status variables out of selinux_ss

It fits more naturally in selinux_state, since it reflects also global
state (the enforcing and policyload fields).

Signed-off-by: Ondrej Mosnacek <omosnace@redhat.com>
Reviewed-by: Stephen Smalley <sds@tycho.nsa.gov>
Signed-off-by: Paul Moore <paul@paul-moore.com>
This commit is contained in:
Ondrej Mosnacek 2020-01-17 14:15:14 +01:00 committed by Paul Moore
parent bb6d3fb354
commit 4b36cb773a
6 changed files with 23 additions and 22 deletions

View File

@ -6,9 +6,9 @@
obj-$(CONFIG_SECURITY_SELINUX) := selinux.o obj-$(CONFIG_SECURITY_SELINUX) := selinux.o
selinux-y := avc.o hooks.o selinuxfs.o netlink.o nlmsgtab.o netif.o \ selinux-y := avc.o hooks.o selinuxfs.o netlink.o nlmsgtab.o netif.o \
netnode.o netport.o \ netnode.o netport.o status.o \
ss/ebitmap.o ss/hashtab.o ss/symtab.o ss/sidtab.o ss/avtab.o \ ss/ebitmap.o ss/hashtab.o ss/symtab.o ss/sidtab.o ss/avtab.o \
ss/policydb.o ss/services.o ss/conditional.o ss/mls.o ss/status.o ss/policydb.o ss/services.o ss/conditional.o ss/mls.o
selinux-$(CONFIG_SECURITY_NETWORK_XFRM) += xfrm.o selinux-$(CONFIG_SECURITY_NETWORK_XFRM) += xfrm.o

View File

@ -7161,6 +7161,7 @@ static __init int selinux_init(void)
selinux_state.checkreqprot = selinux_checkreqprot_boot; selinux_state.checkreqprot = selinux_checkreqprot_boot;
selinux_ss_init(&selinux_state.ss); selinux_ss_init(&selinux_state.ss);
selinux_avc_init(&selinux_state.avc); selinux_avc_init(&selinux_state.avc);
mutex_init(&selinux_state.status_lock);
/* Set the security state for the initial task. */ /* Set the security state for the initial task. */
cred_init_security(); cred_init_security();

View File

@ -108,6 +108,10 @@ struct selinux_state {
bool checkreqprot; bool checkreqprot;
bool initialized; bool initialized;
bool policycap[__POLICYDB_CAPABILITY_MAX]; bool policycap[__POLICYDB_CAPABILITY_MAX];
struct page *status_page;
struct mutex status_lock;
struct selinux_avc *avc; struct selinux_avc *avc;
struct selinux_ss *ss; struct selinux_ss *ss;
} __randomize_layout; } __randomize_layout;

View File

@ -46,7 +46,6 @@
#include <linux/in.h> #include <linux/in.h>
#include <linux/sched.h> #include <linux/sched.h>
#include <linux/audit.h> #include <linux/audit.h>
#include <linux/mutex.h>
#include <linux/vmalloc.h> #include <linux/vmalloc.h>
#include <net/netlabel.h> #include <net/netlabel.h>
@ -81,7 +80,6 @@ static struct selinux_ss selinux_ss;
void selinux_ss_init(struct selinux_ss **ss) void selinux_ss_init(struct selinux_ss **ss)
{ {
rwlock_init(&selinux_ss.policy_rwlock); rwlock_init(&selinux_ss.policy_rwlock);
mutex_init(&selinux_ss.status_lock);
*ss = &selinux_ss; *ss = &selinux_ss;
} }

View File

@ -29,8 +29,6 @@ struct selinux_ss {
rwlock_t policy_rwlock; rwlock_t policy_rwlock;
u32 latest_granting; u32 latest_granting;
struct selinux_map map; struct selinux_map map;
struct page *status_page;
struct mutex status_lock;
} __randomize_layout; } __randomize_layout;
void services_compute_xperms_drivers(struct extended_perms *xperms, void services_compute_xperms_drivers(struct extended_perms *xperms,

View File

@ -11,7 +11,7 @@
#include <linux/mm.h> #include <linux/mm.h>
#include <linux/mutex.h> #include <linux/mutex.h>
#include "avc.h" #include "avc.h"
#include "services.h" #include "security.h"
/* /*
* The selinux_status_page shall be exposed to userspace applications * The selinux_status_page shall be exposed to userspace applications
@ -44,12 +44,12 @@ struct page *selinux_kernel_status_page(struct selinux_state *state)
struct selinux_kernel_status *status; struct selinux_kernel_status *status;
struct page *result = NULL; struct page *result = NULL;
mutex_lock(&state->ss->status_lock); mutex_lock(&state->status_lock);
if (!state->ss->status_page) { if (!state->status_page) {
state->ss->status_page = alloc_page(GFP_KERNEL|__GFP_ZERO); state->status_page = alloc_page(GFP_KERNEL|__GFP_ZERO);
if (state->ss->status_page) { if (state->status_page) {
status = page_address(state->ss->status_page); status = page_address(state->status_page);
status->version = SELINUX_KERNEL_STATUS_VERSION; status->version = SELINUX_KERNEL_STATUS_VERSION;
status->sequence = 0; status->sequence = 0;
@ -65,8 +65,8 @@ struct page *selinux_kernel_status_page(struct selinux_state *state)
!security_get_allow_unknown(state); !security_get_allow_unknown(state);
} }
} }
result = state->ss->status_page; result = state->status_page;
mutex_unlock(&state->ss->status_lock); mutex_unlock(&state->status_lock);
return result; return result;
} }
@ -81,9 +81,9 @@ void selinux_status_update_setenforce(struct selinux_state *state,
{ {
struct selinux_kernel_status *status; struct selinux_kernel_status *status;
mutex_lock(&state->ss->status_lock); mutex_lock(&state->status_lock);
if (state->ss->status_page) { if (state->status_page) {
status = page_address(state->ss->status_page); status = page_address(state->status_page);
status->sequence++; status->sequence++;
smp_wmb(); smp_wmb();
@ -93,7 +93,7 @@ void selinux_status_update_setenforce(struct selinux_state *state,
smp_wmb(); smp_wmb();
status->sequence++; status->sequence++;
} }
mutex_unlock(&state->ss->status_lock); mutex_unlock(&state->status_lock);
} }
/* /*
@ -107,9 +107,9 @@ void selinux_status_update_policyload(struct selinux_state *state,
{ {
struct selinux_kernel_status *status; struct selinux_kernel_status *status;
mutex_lock(&state->ss->status_lock); mutex_lock(&state->status_lock);
if (state->ss->status_page) { if (state->status_page) {
status = page_address(state->ss->status_page); status = page_address(state->status_page);
status->sequence++; status->sequence++;
smp_wmb(); smp_wmb();
@ -120,5 +120,5 @@ void selinux_status_update_policyload(struct selinux_state *state,
smp_wmb(); smp_wmb();
status->sequence++; status->sequence++;
} }
mutex_unlock(&state->ss->status_lock); mutex_unlock(&state->status_lock);
} }