authorStephen Smalley <stephen.smalley.work@gmail.com>2023-03-09 13:30:37 -0500
committerPaul Moore <paul@paul-moore.com>2023-03-14 15:22:45 -0400
commite67b79850fcc4eb5816d69d34fd82aeda350aca7 (patch)
treeac2ab206d913dd36a95347b59bc739551651cafc /security/selinux/ima.c
parentf62ca0b6e31d82e0622a8e31ce5562e80edf6c3c (diff)
selinux: stop passing selinux_state pointers and their offspring
Linus observed that the pervasive passing of selinux_state pointers introduced by me in commit aa8e712cee93 ("selinux: wrap global selinux state") adds overhead and complexity without providing any benefit. The original idea was to pave the way for SELinux namespaces but those have not yet been implemented and there isn't currently a concrete plan to do so. Remove the passing of the selinux_state pointers, reverting to direct use of the single global selinux_state, and likewise remove passing of child pointers like the selinux_avc. The selinux_policy pointer remains as it is needed for atomic switching of policies. Suggested-by: Linus Torvalds <torvalds@linux-foundation.org> Reported-by: kernel test robot <lkp@intel.com> Link: https://lore.kernel.org/oe-kbuild-all/202303101057.mZ3Gv5fK-lkp@intel.com/ Signed-off-by: Stephen Smalley <stephen.smalley.work@gmail.com> Signed-off-by: Paul Moore <paul@paul-moore.com>
Diffstat (limited to 'security/selinux/ima.c')
-rw-r--r--security/selinux/ima.c37
1 files changed, 16 insertions, 21 deletions
diff --git a/security/selinux/ima.c b/security/selinux/ima.c
index a915b89d55b0..7daf59667f59 100644
--- a/security/selinux/ima.c
+++ b/security/selinux/ima.c
@@ -15,12 +15,10 @@
/*
* selinux_ima_collect_state - Read selinux configuration settings
*
- * @state: selinux_state
- *
* On success returns the configuration settings string.
* On error, returns NULL.
*/
-static char *selinux_ima_collect_state(struct selinux_state *state)
+static char *selinux_ima_collect_state(void)
{
const char *on = "=1;", *off = "=0;";
char *buf;
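Review bot: The header comment for selinux_ima_collect_state() now documents only the return value and still says nothing about who owns the string it hands back, which matters because the caller is expected to dispose of it. If buf is heap-allocated (the allocation is below the hunk, so this is inferred), add `* The returned buffer is allocated here; the caller must kfree() it.` above the "On error" line. The function body continues past the hunk.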
@@ -39,26 +37,27 @@ static char *selinux_ima_collect_state(struct selinux_state *state)
rc = strscpy(buf, "initialized", buf_len);
WARN_ON(rc < 0);
- rc = strlcat(buf, selinux_initialized(state) ? on : off, buf_len);
+ rc = strlcat(buf, selinux_initialized() ? on : off, buf_len);
WARN_ON(rc >= buf_len);
rc = strlcat(buf, "enforcing", buf_len);
WARN_ON(rc >= buf_len);
- rc = strlcat(buf, enforcing_enabled(state) ? on : off, buf_len);
+ rc = strlcat(buf, enforcing_enabled() ? on : off, buf_len);
WARN_ON(rc >= buf_len);
rc = strlcat(buf, "checkreqprot", buf_len);
WARN_ON(rc >= buf_len);
- rc = strlcat(buf, checkreqprot_get(state) ? on : off, buf_len);
+ rc = strlcat(buf, checkreqprot_get() ? on : off, buf_len);
WARN_ON(rc >= buf_len);
for (i = 0; i < __POLICYDB_CAP_MAX; i++) {
rc = strlcat(buf, selinux_policycap_names[i], buf_len);
WARN_ON(rc >= buf_len);
- rc = strlcat(buf, state->policycap[i] ? on : off, buf_len);
+ rc = strlcat(buf, selinux_state.policycap[i] ? on : off,
+ buf_len);
WARN_ON(rc >= buf_len);
}
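Review bot: Each strlcat() truncation is only flagged with `WARN_ON(rc >= buf_len)` and the function keeps going, so a truncated state string would still be returned and handed to the IMA measurement as if it were complete, which contradicts the header's "on error, returns NULL" contract. Since buf_len is computed outside the hunk this is presumably defensive sizing, but a measurement log should not silently record a partial state; consider turning each check into `if (WARN_ON(rc >= buf_len)) goto err;` with an error label that frees buf and returns NULL (the label and the free would sit outside the hunk). The loop's direct read of `selinux_state.policycap[i]` is fine given the caller asserts policy_mutex is held.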
@@ -67,19 +66,17 @@ static char *selinux_ima_collect_state(struct selinux_state *state)
/*
* selinux_ima_measure_state_locked - Measure SELinux state and hash of policy
- *
- * @state: selinux state struct
*/
-void selinux_ima_measure_state_locked(struct selinux_state *state)
+void selinux_ima_measure_state_locked(void)
{
char *state_str = NULL;
void *policy = NULL;
size_t policy_len;
int rc = 0;
- lockdep_assert_held(&state->policy_mutex);
+ lockdep_assert_held(&selinux_state.policy_mutex);
- state_str = selinux_ima_collect_state(state);
+ state_str = selinux_ima_collect_state();
if (!state_str) {
pr_err("SELinux: %s: failed to read state.\n", __func__);
return;
@@ -94,10 +91,10 @@ void selinux_ima_measure_state_locked(struct selinux_state *state)
/*
* Measure SELinux policy only after initialization is completed.
*/
- if (!selinux_initialized(state))
+ if (!selinux_initialized())
return;
- rc = security_read_state_kernel(state, &policy, &policy_len);
+ rc = security_read_state_kernel(&policy, &policy_len);
if (rc) {
pr_err("SELinux: %s: failed to read policy %d.\n", __func__, rc);
return;
@@ -112,14 +109,12 @@ void selinux_ima_measure_state_locked(struct selinux_state *state)
/*
* selinux_ima_measure_state - Measure SELinux state and hash of policy
- *
- * @state: selinux state struct
*/
-void selinux_ima_measure_state(struct selinux_state *state)
+void selinux_ima_measure_state(void)
{
- lockdep_assert_not_held(&state->policy_mutex);
+ lockdep_assert_not_held(&selinux_state.policy_mutex);
- mutex_lock(&state->policy_mutex);
- selinux_ima_measure_state_locked(state);
- mutex_unlock(&state->policy_mutex);
+ mutex_lock(&selinux_state.policy_mutex);
+ selinux_ima_measure_state_locked();
+ mutex_unlock(&selinux_state.policy_mutex);
}
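Review bot: selinux_ima_measure_state()'s header comment should state that it acquires selinux_state.policy_mutex itself and must not be entered with the mutex already held, which is exactly what the lockdep_assert_not_held()/mutex_lock() pair enforces. Something like `* Acquires selinux_state.policy_mutex; callers already holding it must call selinux_ima_measure_state_locked() instead.` would make the split between the two entry points clear to callers. The wrapper itself looks correct.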