LSM: switch to blocking policy update notifiers

Atomic policy updaters are not very useful as they cannot
usually perform the policy updates on their own. Since it
seems that there is no strict need for the atomicity,
switch to the blocking variant. While doing so, rename
the functions accordingly.

Signed-off-by: Janne Karhunen <janne.karhunen@gmail.com>
Acked-by: Paul Moore <paul@paul-moore.com>
Acked-by: James Morris <jamorris@linux.microsoft.com>
Signed-off-by: Mimi Zohar <zohar@linux.ibm.com>

5 files changed, 24 insertions, 21 deletions

diff --git a/drivers/infiniband/core/device.c b/drivers/infiniband/core/device.c
index 78dc07c6ac4b..61c0c93a2e73 100644
--- a/drivers/infiniband/core/device.c
+++ b/drivers/infiniband/core/device.c
@@ -2499,7 +2499,7 @@ static int __init ib_core_init(void)
                 goto err_mad;
         }
 
-        ret = register_lsm_notifier(&ibdev_lsm_nb);
+        ret = register_blocking_lsm_notifier(&ibdev_lsm_nb);
         if (ret) {
                 pr_warn("Couldn't register LSM notifier. ret %d\n", ret);
                 goto err_sa;
@@ -2518,7 +2518,7 @@ static int __init ib_core_init(void)
         return 0;
 
 err_compat:
-        unregister_lsm_notifier(&ibdev_lsm_nb);
+        unregister_blocking_lsm_notifier(&ibdev_lsm_nb);
 err_sa:
         ib_sa_cleanup();
 err_mad:
@@ -2544,7 +2544,7 @@ static void __exit ib_core_cleanup(void)
         nldev_exit();
         rdma_nl_unregister(RDMA_NL_LS);
         unregister_pernet_device(&rdma_dev_net_ops);
-        unregister_lsm_notifier(&ibdev_lsm_nb);
+        unregister_blocking_lsm_notifier(&ibdev_lsm_nb);
         ib_sa_cleanup();
         ib_mad_cleanup();
         addr_cleanup();
diff --git a/include/linux/security.h b/include/linux/security.h
index 659071c2e57c..5f7441abbf42 100644
--- a/include/linux/security.h
+++ b/include/linux/security.h
@@ -189,9 +189,9 @@ static inline const char *kernel_load_data_id_str(enum kernel_load_data_id id)
 
 #ifdef CONFIG_SECURITY
 
-int call_lsm_notifier(enum lsm_event event, void *data);
-int register_lsm_notifier(struct notifier_block *nb);
-int unregister_lsm_notifier(struct notifier_block *nb);
+int call_blocking_lsm_notifier(enum lsm_event event, void *data);
+int register_blocking_lsm_notifier(struct notifier_block *nb);
+int unregister_blocking_lsm_notifier(struct notifier_block *nb);
 
 /* prototypes */
 extern int security_init(void);
@@ -394,17 +394,17 @@ int security_inode_setsecctx(struct dentry *dentry, void *ctx, u32 ctxlen);
 int security_inode_getsecctx(struct inode *inode, void **ctx, u32 *ctxlen);
 #else /* CONFIG_SECURITY */
 
-static inline int call_lsm_notifier(enum lsm_event event, void *data)
+static inline int call_blocking_lsm_notifier(enum lsm_event event, void *data)
 {
         return 0;
 }
 
-static inline int register_lsm_notifier(struct notifier_block *nb)
+static inline int register_blocking_lsm_notifier(struct notifier_block *nb)
 {
         return 0;
 }
 
-static inline  int unregister_lsm_notifier(struct notifier_block *nb)
+static inline  int unregister_blocking_lsm_notifier(struct notifier_block *nb)
 {
         return 0;
 }
diff --git a/security/security.c b/security/security.c
index 613a5c00e602..47e5849d7557 100644
--- a/security/security.c
+++ b/security/security.c
@@ -39,7 +39,7 @@
 #define LSM_COUNT (__end_lsm_info - __start_lsm_info)
 
 struct security_hook_heads security_hook_heads __lsm_ro_after_init;
-static ATOMIC_NOTIFIER_HEAD(lsm_notifier_chain);
+static BLOCKING_NOTIFIER_HEAD(blocking_lsm_notifier_chain);
 
 static struct kmem_cache *lsm_file_cache;
 static struct kmem_cache *lsm_inode_cache;
@@ -430,23 +430,26 @@ void __init security_add_hooks(struct security_hook_list *hooks, int count,
                 panic("%s - Cannot get early memory.\n", __func__);
 }
 
-int call_lsm_notifier(enum lsm_event event, void *data)
+int call_blocking_lsm_notifier(enum lsm_event event, void *data)
 {
-        return atomic_notifier_call_chain(&lsm_notifier_chain, event, data);
+        return blocking_notifier_call_chain(&blocking_lsm_notifier_chain,
+                                            event, data);
 }
-EXPORT_SYMBOL(call_lsm_notifier);
+EXPORT_SYMBOL(call_blocking_lsm_notifier);
 
-int register_lsm_notifier(struct notifier_block *nb)
+int register_blocking_lsm_notifier(struct notifier_block *nb)
 {
-        return atomic_notifier_chain_register(&lsm_notifier_chain, nb);
+        return blocking_notifier_chain_register(&blocking_lsm_notifier_chain,
+                                                nb);
 }
-EXPORT_SYMBOL(register_lsm_notifier);
+EXPORT_SYMBOL(register_blocking_lsm_notifier);
 
-int unregister_lsm_notifier(struct notifier_block *nb)
+int unregister_blocking_lsm_notifier(struct notifier_block *nb)
 {
-        return atomic_notifier_chain_unregister(&lsm_notifier_chain, nb);
+        return blocking_notifier_chain_unregister(&blocking_lsm_notifier_chain,
+                                                  nb);
 }
-EXPORT_SYMBOL(unregister_lsm_notifier);
+EXPORT_SYMBOL(unregister_blocking_lsm_notifier);
 
 /**
  * lsm_cred_alloc - allocate a composite cred blob
diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c
index c61787b15f27..c1e37018c8eb 100644
--- a/security/selinux/hooks.c
+++ b/security/selinux/hooks.c
@@ -197,7 +197,7 @@ static int selinux_lsm_notifier_avc_callback(u32 event)
 {
         if (event == AVC_CALLBACK_RESET) {
                 sel_ib_pkey_flush();
-                call_lsm_notifier(LSM_POLICY_CHANGE, NULL);
+                call_blocking_lsm_notifier(LSM_POLICY_CHANGE, NULL);
         }
 
         return 0;
diff --git a/security/selinux/selinuxfs.c b/security/selinux/selinuxfs.c
index 145ee62f205a..1e2e3e4b5fdb 100644
--- a/security/selinux/selinuxfs.c
+++ b/security/selinux/selinuxfs.c
@@ -180,7 +180,7 @@ static ssize_t sel_write_enforce(struct file *file, const char __user *buf,
                 selnl_notify_setenforce(new_value);
                 selinux_status_update_setenforce(state, new_value);
                 if (!new_value)
-                        call_lsm_notifier(LSM_POLICY_CHANGE, NULL);
+                        call_blocking_lsm_notifier(LSM_POLICY_CHANGE, NULL);
         }
         length = count;
 out: