summaryrefslogtreecommitdiffstats
path: root/security/selinux/ss
diff options
context:
space:
mode:
authorOndrej Mosnacek <omosnace@redhat.com>2020-01-17 14:15:14 +0100
committerPaul Moore <paul@paul-moore.com>2020-02-10 10:49:01 -0500
commit4b36cb773a8153417a080f8025d522322f915aea (patch)
treea7a24544c4b50c91f43dde124e711b76e2b6c4d6 /security/selinux/ss
parentbb6d3fb354c5ee8d6bde2d576eb7220ea09862b9 (diff)
downloadlinux-4b36cb773a8153417a080f8025d522322f915aea.tar.gz
linux-4b36cb773a8153417a080f8025d522322f915aea.tar.bz2
linux-4b36cb773a8153417a080f8025d522322f915aea.zip
selinux: move status variables out of selinux_ss
It fits more naturally in selinux_state, since it reflects also global state (the enforcing and policyload fields). Signed-off-by: Ondrej Mosnacek <omosnace@redhat.com> Reviewed-by: Stephen Smalley <sds@tycho.nsa.gov> Signed-off-by: Paul Moore <paul@paul-moore.com>
Diffstat (limited to 'security/selinux/ss')
-rw-r--r--security/selinux/ss/services.c2
-rw-r--r--security/selinux/ss/services.h2
-rw-r--r--security/selinux/ss/status.c124
3 files changed, 0 insertions, 128 deletions
diff --git a/security/selinux/ss/services.c b/security/selinux/ss/services.c
index 216ce602a2b5..5cf491768142 100644
--- a/security/selinux/ss/services.c
+++ b/security/selinux/ss/services.c
@@ -46,7 +46,6 @@
#include <linux/in.h>
#include <linux/sched.h>
#include <linux/audit.h>
-#include <linux/mutex.h>
#include <linux/vmalloc.h>
#include <net/netlabel.h>
@@ -81,7 +80,6 @@ static struct selinux_ss selinux_ss;
void selinux_ss_init(struct selinux_ss **ss)
{
rwlock_init(&selinux_ss.policy_rwlock);
- mutex_init(&selinux_ss.status_lock);
*ss = &selinux_ss;
}
diff --git a/security/selinux/ss/services.h b/security/selinux/ss/services.h
index c5896f39e8f6..e9bddf33e53d 100644
--- a/security/selinux/ss/services.h
+++ b/security/selinux/ss/services.h
@@ -29,8 +29,6 @@ struct selinux_ss {
rwlock_t policy_rwlock;
u32 latest_granting;
struct selinux_map map;
- struct page *status_page;
- struct mutex status_lock;
} __randomize_layout;
void services_compute_xperms_drivers(struct extended_perms *xperms,
diff --git a/security/selinux/ss/status.c b/security/selinux/ss/status.c
deleted file mode 100644
index 3c554a442467..000000000000
--- a/security/selinux/ss/status.c
+++ /dev/null
@@ -1,124 +0,0 @@
-// SPDX-License-Identifier: GPL-2.0-only
-/*
- * mmap based event notifications for SELinux
- *
- * Author: KaiGai Kohei <kaigai@ak.jp.nec.com>
- *
- * Copyright (C) 2010 NEC corporation
- */
-#include <linux/kernel.h>
-#include <linux/gfp.h>
-#include <linux/mm.h>
-#include <linux/mutex.h>
-#include "avc.h"
-#include "services.h"
-
-/*
- * The selinux_status_page shall be exposed to userspace applications
- * using mmap interface on /selinux/status.
- * It enables to notify applications a few events that will cause reset
- * of userspace access vector without context switching.
- *
- * The selinux_kernel_status structure on the head of status page is
- * protected from concurrent accesses using seqlock logic, so userspace
- * application should reference the status page according to the seqlock
- * logic.
- *
- * Typically, application checks status->sequence at the head of access
- * control routine. If it is odd-number, kernel is updating the status,
- * so please wait for a moment. If it is changed from the last sequence
- * number, it means something happen, so application will reset userspace
- * avc, if needed.
- * In most cases, application shall confirm the kernel status is not
- * changed without any system call invocations.
- */
-
-/*
- * selinux_kernel_status_page
- *
- * It returns a reference to selinux_status_page. If the status page is
- * not allocated yet, it also tries to allocate it at the first time.
- */
-struct page *selinux_kernel_status_page(struct selinux_state *state)
-{
- struct selinux_kernel_status *status;
- struct page *result = NULL;
-
- mutex_lock(&state->ss->status_lock);
- if (!state->ss->status_page) {
- state->ss->status_page = alloc_page(GFP_KERNEL|__GFP_ZERO);
-
- if (state->ss->status_page) {
- status = page_address(state->ss->status_page);
-
- status->version = SELINUX_KERNEL_STATUS_VERSION;
- status->sequence = 0;
- status->enforcing = enforcing_enabled(state);
- /*
- * NOTE: the next policyload event shall set
- * a positive value on the status->policyload,
- * although it may not be 1, but never zero.
- * So, application can know it was updated.
- */
- status->policyload = 0;
- status->deny_unknown =
- !security_get_allow_unknown(state);
- }
- }
- result = state->ss->status_page;
- mutex_unlock(&state->ss->status_lock);
-
- return result;
-}
-
-/*
- * selinux_status_update_setenforce
- *
- * It updates status of the current enforcing/permissive mode.
- */
-void selinux_status_update_setenforce(struct selinux_state *state,
- int enforcing)
-{
- struct selinux_kernel_status *status;
-
- mutex_lock(&state->ss->status_lock);
- if (state->ss->status_page) {
- status = page_address(state->ss->status_page);
-
- status->sequence++;
- smp_wmb();
-
- status->enforcing = enforcing;
-
- smp_wmb();
- status->sequence++;
- }
- mutex_unlock(&state->ss->status_lock);
-}
-
-/*
- * selinux_status_update_policyload
- *
- * It updates status of the times of policy reloaded, and current
- * setting of deny_unknown.
- */
-void selinux_status_update_policyload(struct selinux_state *state,
- int seqno)
-{
- struct selinux_kernel_status *status;
-
- mutex_lock(&state->ss->status_lock);
- if (state->ss->status_page) {
- status = page_address(state->ss->status_page);
-
- status->sequence++;
- smp_wmb();
-
- status->policyload = seqno;
- status->deny_unknown = !security_get_allow_unknown(state);
-
- smp_wmb();
- status->sequence++;
- }
- mutex_unlock(&state->ss->status_lock);
-}