author | Eric Paris <eparis@redhat.com> | 2008-06-09 15:58:04 -0400 |
---|---|---|
committer | James Morris <jmorris@namei.org> | 2008-07-14 01:01:58 -0400 |
commit | 89abd0acf0335f3f760a3c0698d43bb1eaa83e44 (patch) | |
tree | c71f08fd6b9fa3969352f96d88daa1409474e2d6 /security/selinux/ss | |
parent | cea78dc4ca044e9666e8f5d797ec50ab85253e49 (diff) |
SELinux: drop load_mutex in security_load_policy
We used to protect against races of policy load in security_load_policy
by using the load_mutex. Since then we have added a new mutex,
sel_mutex, in sel_write_load(), which is always held across all calls to
security_load_policy, so we are covered and can safely just drop this one.
Signed-off-by: Eric Paris <eparis@redhat.com>
Acked-by: Stephen Smalley <sds@tycho.nsa.gov>
Signed-off-by: James Morris <jmorris@namei.org>
Diffstat (limited to 'security/selinux/ss')
-rw-r--r-- | security/selinux/ss/services.c | 14 |
1 files changed, 1 insertions, 13 deletions
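diff --git a/security/selinux/ss/services.c b/security/selinux/ss/services.c
index f26a8cad06e7..543fd0f31b33 100644
--- a/security/selinux/ss/services.c
+++ b/security/selinux/ss/services.c
@@ -71,7 +71,6 @@ int selinux_policycap_openperm;
 extern const struct selinux_class_perm selinux_class_perm;
 
 static DEFINE_RWLOCK(policy_rwlock);
-static DEFINE_MUTEX(load_mutex);
 
 static struct sidtab sidtab;
 struct policydb policydb;
@@ -1453,17 +1452,13 @@ int security_load_policy(void *data, size_t len)
 	int rc = 0;
 	struct policy_file file = { data, len }, *fp = &file;
 
-	mutex_lock(&load_mutex);
-
 	if (!ss_initialized) {
 		avtab_cache_init();
 		if (policydb_read(&policydb, fp)) {
-			mutex_unlock(&load_mutex);
 			avtab_cache_destroy();
 			return -EINVAL;
 		}
 		if (policydb_load_isids(&policydb, &sidtab)) {
-			mutex_unlock(&load_mutex);
 			policydb_destroy(&policydb);
 			avtab_cache_destroy();
 			return -EINVAL;
@@ -1472,7 +1467,6 @@ int security_load_policy(void *data, size_t len)
 		if (validate_classes(&policydb)) {
 			printk(KERN_ERR
 			       "SELinux: the definition of a class is incorrect\n");
-			mutex_unlock(&load_mutex);
 			sidtab_destroy(&sidtab);
 			policydb_destroy(&policydb);
 			avtab_cache_destroy();
@@ -1482,7 +1476,6 @@ int security_load_policy(void *data, size_t len)
 		policydb_loaded_version = policydb.policyvers;
 		ss_initialized = 1;
 		seqno = ++latest_granting;
-		mutex_unlock(&load_mutex);
 		selinux_complete_init();
 		avc_ss_reset(seqno);
 		selnl_notify_policyload(seqno);
@@ -1495,13 +1488,10 @@ int security_load_policy(void *data, size_t len)
 	sidtab_hash_eval(&sidtab, "sids");
 #endif
 
-	if (policydb_read(&newpolicydb, fp)) {
-		mutex_unlock(&load_mutex);
+	if (policydb_read(&newpolicydb, fp))
 		return -EINVAL;
-	}
 
 	if (sidtab_init(&newsidtab)) {
-		mutex_unlock(&load_mutex);
 		policydb_destroy(&newpolicydb);
 		return -ENOMEM;
 	}
@@ -1549,7 +1539,6 @@ int security_load_policy(void *data, size_t len)
 	seqno = ++latest_granting;
 	policydb_loaded_version = policydb.policyvers;
 	write_unlock_irq(&policy_rwlock);
-	mutex_unlock(&load_mutex);
 
 	/* Free the old policydb and SID table. */
 	policydb_destroy(&oldpolicydb);
@@ -1563,7 +1552,6 @@ int security_load_policy(void *data, size_t len)
 	return 0;
 
 err:
-	mutex_unlock(&load_mutex);
 	sidtab_destroy(&newsidtab);
 	policydb_destroy(&newpolicydb);
 	return rc;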
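Review bot: security_load_policy now carries an implicit locking precondition that nothing in the function records: after the second hunk drops `mutex_lock(&load_mutex)`, the unprotected read of `ss_initialized` and the whole load/swap sequence are serialized only by the caller's sel_mutex, as the commit message explains. I would state that at the function header, which lies outside the hunks shown, with `/* Caller must hold sel_mutex (see sel_write_load()); this function does not serialize concurrent policy loads itself. */`, so that a future caller reached by another path does not silently reintroduce the race. If sel_mutex is visible from this file, a `WARN_ON(!mutex_is_locked(&sel_mutex));` at entry would turn that precondition into a runtime check, though the page does not show whether it is exported beyond selinuxfs. The function's opening lines and closing brace are also outside these hunks.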