LKML Archive on lore.kernel.org
help / color / mirror / Atom feed
From: Peter Enderborg <peter.enderborg@sony.com>
To: <peter.enderborg@sony.com>, Paul Moore <paul@paul-moore.com>,
	Stephen Smalley <sds@tycho.nsa.gov>,
	Eric Paris <eparis@parisplace.org>,
	James Morris <james.l.morris@oracle.com>,
	Daniel Jurgens <danielj@mellanox.com>,
	Doug Ledford <dledford@redhat.com>, <selinux@tycho.nsa.gov>,
	<linux-security-module@vger.kernel.org>,
	<linux-kernel@vger.kernel.org>,
	"Serge E . Hallyn" <serge@hallyn.com>,
	"Paul E . McKenney" <paulmck@linux.vnet.ibm.com>
Subject: [PATCH V3 3/5 selinux-next] selinux: sidtab_clone switch to use rwlock.
Date: Wed, 30 May 2018 16:11:02 +0200	[thread overview]
Message-ID: <20180530141104.28569-4-peter.enderborg@sony.com> (raw)
In-Reply-To: <20180530141104.28569-1-peter.enderborg@sony.com>

We need a copy of sidtabs, so change the generic sidtab_clone
as from a function pointer and let it use a read rwlock while
do the clone.

Signed-off-by: Peter Enderborg <peter.enderborg@sony.com>
---
 security/selinux/ss/services.c | 20 +-------------------
 security/selinux/ss/sidtab.c   | 39 ++++++++++++++++++++++++++++++++-------
 security/selinux/ss/sidtab.h   |  3 ++-
 3 files changed, 35 insertions(+), 27 deletions(-)

diff --git a/security/selinux/ss/services.c b/security/selinux/ss/services.c
index 4f3ce389084c..2be471d72c85 100644
--- a/security/selinux/ss/services.c
+++ b/security/selinux/ss/services.c
@@ -1891,19 +1891,6 @@ int security_change_sid(struct selinux_state *state,
 				    out_sid, false);
 }
 
-/* Clone the SID into the new SID table. */
-static int clone_sid(u32 sid,
-		     struct context *context,
-		     void *arg)
-{
-	struct sidtab *s = arg;
-
-	if (sid > SECINITSID_NUM)
-		return sidtab_insert(s, sid, context);
-	else
-		return 0;
-}
-
 static inline int convert_context_handle_invalid_context(
 	struct selinux_state *state,
 	struct context *context)
@@ -2199,10 +2186,7 @@ int security_load_policy(struct selinux_state *state, void *data, size_t len)
 		goto err;
 	}
 
-	/* Clone the SID table. */
-	sidtab_shutdown(old_set->sidtab);
-
-	rc = sidtab_map(old_set->sidtab, clone_sid, next_set->sidtab);
+	rc = sidtab_clone(old_set->sidtab, next_set->sidtab);
 	if (rc)
 		goto err;
 
@@ -2926,8 +2910,6 @@ int security_set_bools(struct selinux_state *state, int len, int *values)
 			goto out;
 	}
 
-	seqno = ++state->ss->latest_granting;
-	state->ss->active_set = next_set;
 	rc = 0;
 out:
 	if (!rc) {
diff --git a/security/selinux/ss/sidtab.c b/security/selinux/ss/sidtab.c
index 5be31b7af225..811503cd7c2b 100644
--- a/security/selinux/ss/sidtab.c
+++ b/security/selinux/ss/sidtab.c
@@ -27,7 +27,7 @@ int sidtab_init(struct sidtab *s)
 	s->nel = 0;
 	s->next_sid = 1;
 	s->shutdown = 0;
-	spin_lock_init(&s->lock);
+	rwlock_init(&s->lock);
 	return 0;
 }
 
@@ -116,6 +116,31 @@ struct context *sidtab_search_force(struct sidtab *s, u32 sid)
 	return sidtab_search_core(s, sid, 1);
 }
 
+int sidtab_clone(struct sidtab *s, struct sidtab *d)
+{
+	int i, rc = 0;
+	struct sidtab_node *cur;
+
+	if (!s || !d)
+		goto errout;
+
+	read_lock(&s->lock);
+	for (i = 0; i < SIDTAB_SIZE; i++) {
+		cur = s->htable[i];
+		while (cur) {
+			if (cur->sid > SECINITSID_NUM)
+				rc =  sidtab_insert(d, cur->sid, &cur->context);
+			if (rc)
+				goto out;
+			cur = cur->next;
+		}
+	}
+out:
+	read_unlock(&s->lock);
+errout:
+	return rc;
+}
+
 int sidtab_map(struct sidtab *s,
 	       int (*apply) (u32 sid,
 			     struct context *context,
@@ -202,7 +227,7 @@ int sidtab_context_to_sid(struct sidtab *s,
 	if (!sid)
 		sid = sidtab_search_context(s, context);
 	if (!sid) {
-		spin_lock_irqsave(&s->lock, flags);
+		write_lock_irqsave(&s->lock, flags);
 		/* Rescan now that we hold the lock. */
 		sid = sidtab_search_context(s, context);
 		if (sid)
@@ -221,7 +246,7 @@ int sidtab_context_to_sid(struct sidtab *s,
 		if (ret)
 			s->next_sid--;
 unlock_out:
-		spin_unlock_irqrestore(&s->lock, flags);
+		write_unlock_irqrestore(&s->lock, flags);
 	}
 
 	if (ret)
@@ -287,21 +312,21 @@ void sidtab_set(struct sidtab *dst, struct sidtab *src)
 	unsigned long flags;
 	int i;
 
-	spin_lock_irqsave(&src->lock, flags);
+	write_lock_irqsave(&src->lock, flags);
 	dst->htable = src->htable;
 	dst->nel = src->nel;
 	dst->next_sid = src->next_sid;
 	dst->shutdown = 0;
 	for (i = 0; i < SIDTAB_CACHE_LEN; i++)
 		dst->cache[i] = NULL;
-	spin_unlock_irqrestore(&src->lock, flags);
+	write_unlock_irqrestore(&src->lock, flags);
 }
 
 void sidtab_shutdown(struct sidtab *s)
 {
 	unsigned long flags;
 
-	spin_lock_irqsave(&s->lock, flags);
+	write_lock_irqsave(&s->lock, flags);
 	s->shutdown = 1;
-	spin_unlock_irqrestore(&s->lock, flags);
+	write_unlock_irqrestore(&s->lock, flags);
 }
diff --git a/security/selinux/ss/sidtab.h b/security/selinux/ss/sidtab.h
index a1a1d2617b6f..6751f8bcbd66 100644
--- a/security/selinux/ss/sidtab.h
+++ b/security/selinux/ss/sidtab.h
@@ -29,7 +29,7 @@ struct sidtab {
 	unsigned char shutdown;
 #define SIDTAB_CACHE_LEN	3
 	struct sidtab_node *cache[SIDTAB_CACHE_LEN];
-	spinlock_t lock;
+	rwlock_t lock;
 };
 
 int sidtab_init(struct sidtab *s);
@@ -51,6 +51,7 @@ void sidtab_hash_eval(struct sidtab *h, char *tag);
 void sidtab_destroy(struct sidtab *s);
 void sidtab_set(struct sidtab *dst, struct sidtab *src);
 void sidtab_shutdown(struct sidtab *s);
+int sidtab_clone(struct sidtab *s, struct sidtab *d);
 
 #endif	/* _SS_SIDTAB_H_ */
 
-- 
2.15.1

  parent reply	other threads:[~2018-05-30 14:21 UTC|newest]

Thread overview: 18+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2018-05-30 14:10 [PATCH V3 0/5] selinux:Significant reduce of preempt_disable holds Peter Enderborg
2018-05-30 14:11 ` [PATCH V3 1/5 selinux-next] selinux: Make allocation atomic in policydb objects functions Peter Enderborg
2018-05-30 14:11 ` [PATCH V3 2/5 selinux-next] selinux: Introduce selinux_ruleset struct Peter Enderborg
2018-05-30 21:15   ` J Freyensee
2018-06-01 13:48   ` kbuild test robot
2018-06-01 13:56   ` kbuild test robot
2018-05-30 14:11 ` Peter Enderborg [this message]
2018-05-30 21:22   ` [PATCH V3 3/5 selinux-next] selinux: sidtab_clone switch to use rwlock J Freyensee
2018-05-31  5:35     ` peter enderborg
2018-05-30 14:11 ` [PATCH V3 4/5 selinux-next] selinux: seqno separation Peter Enderborg
2018-05-30 14:11 ` [PATCH V3 5/5 selinux-next] selinux: Switch to rcu read locks for avc_compute Peter Enderborg
2018-05-30 20:34 ` [PATCH V3 0/5] selinux:Significant reduce of preempt_disable holds Stephen Smalley
2018-05-31  9:04   ` peter enderborg
2018-05-31 12:42     ` Stephen Smalley
2018-05-31 14:12       ` peter enderborg
2018-05-31 14:21         ` Stephen Smalley
2018-05-31 16:40           ` Stephen Smalley
2018-06-01 11:18       ` peter enderborg

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20180530141104.28569-4-peter.enderborg@sony.com \
    --to=peter.enderborg@sony.com \
    --cc=danielj@mellanox.com \
    --cc=dledford@redhat.com \
    --cc=eparis@parisplace.org \
    --cc=james.l.morris@oracle.com \
    --cc=linux-kernel@vger.kernel.org \
    --cc=linux-security-module@vger.kernel.org \
    --cc=paul@paul-moore.com \
    --cc=paulmck@linux.vnet.ibm.com \
    --cc=sds@tycho.nsa.gov \
    --cc=selinux@tycho.nsa.gov \
    --cc=serge@hallyn.com \
    --subject='Re: [PATCH V3 3/5 selinux-next] selinux: sidtab_clone switch to use rwlock.' \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).