SELinux: allow preemption between transition permission checks

In security_get_user_sids, move the transition permission checks outside of the section holding the policy rdlock, and use the AVC to perform the checks, calling cond_resched after each one. These changes should allow preemption between the individual checks and enable caching of the results. It may however increase the overall time spent in the function in some cases, particularly in the cache miss case. The long term fix will be to take much of this logic to userspace by exporting additional state via selinuxfs, and ultimately deprecating and eliminating this interface from the kernel. Tested-by: Ingo Molnar <mingo@elte.hu> Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov> Signed-off-by: James Morris <jmorris@namei.org>
author: Stephen Smalley <sds@tycho.nsa.gov> 2007-06-07 15:34:10 -0400
committer: James Morris <jmorris@namei.org> 2007-07-11 22:52:25 -0400
commit: 2c3c05dbcbc7b9d71549fe0e2b249f10f5a66518 (patch)
tree: bab75df9fafc435f3370a6d773d3284716347249 /security/selinux
parent: 9dc9978084ea2a96b9f42752753d9e38a9f9d7b2 (diff)
4 files changed, 45 insertions, 29 deletions
diff --git a/security/selinux/avc.c b/security/selinux/avc.c
index e4396a89edc6..cc5fcef9e226 100644
--- a/security/selinux/avc.c
+++ b/security/selinux/avc.c
@@ -832,6 +832,7 @@ int avc_ss_reset(u32 seqno)
 * @tsid: target security identifier
 * @tclass: target security class
 * @requested: requested permissions, interpreted based on @tclass
+ * @flags:  AVC_STRICT or 0
 * @avd: access vector decisions
 *
 * Check the AVC to determine whether the @requested permissions are granted
@@ -846,8 +847,9 @@ int avc_ss_reset(u32 seqno)
 * should be released for the auditing.
 */
 int avc_has_perm_noaudit(u32 ssid, u32 tsid,
-                         u16 tclass, u32 requested,
+                         u16 tclass, u32 requested,
-                         struct av_decision *avd)
+                         unsigned flags,
+                         struct av_decision *avd)
 {
        struct avc_node *node;
        struct avc_entry entry, *p_ae;
@@ -874,7 +876,7 @@ int avc_has_perm_noaudit(u32 ssid, u32 tsid,
        denied = requested & ~(p_ae->avd.allowed);
        if (!requested || denied) {
-                if (selinux_enforcing)
+                if (selinux_enforcing || (flags & AVC_STRICT))
                        rc = -EACCES;
                else
                        if (node)
@@ -909,7 +911,7 @@ int avc_has_perm(u32 ssid, u32 tsid, u16 tclass,
        struct av_decision avd;
        int rc;
-        rc = avc_has_perm_noaudit(ssid, tsid, tclass, requested, &avd);
+        rc = avc_has_perm_noaudit(ssid, tsid, tclass, requested, 0, &avd);
        avc_audit(ssid, tsid, tclass, requested, &avd, rc, auditdata);
        return rc;
 }
diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c
index ad8dd4e8657e..b29059ecc045 100644
--- a/security/selinux/hooks.c
+++ b/security/selinux/hooks.c
@@ -1592,9 +1592,10 @@ static int selinux_vm_enough_memory(long pages)
        rc = secondary_ops->capable(current, CAP_SYS_ADMIN);
        if (rc == 0)
                rc = avc_has_perm_noaudit(tsec->sid, tsec->sid,
-                                        SECCLASS_CAPABILITY,
+                                          SECCLASS_CAPABILITY,
-                                        CAP_TO_MASK(CAP_SYS_ADMIN),
+                                          CAP_TO_MASK(CAP_SYS_ADMIN),
-                                        NULL);
+                                          0,
+                                          NULL);
        if (rc == 0)
                cap_sys_admin = 1;
@@ -4626,7 +4627,7 @@ static int selinux_setprocattr(struct task_struct *p,
                if (p->ptrace & PT_PTRACED) {
                        error = avc_has_perm_noaudit(tsec->ptrace_sid, sid,
                                                     SECCLASS_PROCESS,
-                                                     PROCESS__PTRACE, &avd);
+                                                     PROCESS__PTRACE, 0, &avd);
                        if (!error)
                                tsec->sid = sid;
                        task_unlock(p);
diff --git a/security/selinux/include/avc.h b/security/selinux/include/avc.h
index 6ed10c3d3339..e145f6e13b0b 100644
--- a/security/selinux/include/avc.h
+++ b/security/selinux/include/avc.h
@@ -102,9 +102,11 @@ void avc_audit(u32 ssid, u32 tsid,
               u16 tclass, u32 requested,
               struct av_decision *avd, int result, struct avc_audit_data *auditdata);
+#define AVC_STRICT 1 /* Ignore permissive mode. */
 int avc_has_perm_noaudit(u32 ssid, u32 tsid,
-                         u16 tclass, u32 requested,
+                         u16 tclass, u32 requested,
-                         struct av_decision *avd);
+                         unsigned flags,
+                         struct av_decision *avd);
 int avc_has_perm(u32 ssid, u32 tsid,
                 u16 tclass, u32 requested,
diff --git a/security/selinux/ss/services.c b/security/selinux/ss/services.c
index e4249adaa880..b5f017f07a75 100644
--- a/security/selinux/ss/services.c
+++ b/security/selinux/ss/services.c
@@ -1587,19 +1587,18 @@ int security_get_user_sids(u32 fromsid,
                           u32 *nel)
 {
        struct context *fromcon, usercon;
-        u32 *mysids, *mysids2, sid;
+        u32 *mysids = NULL, *mysids2, sid;
        u32 mynel = 0, maxnel = SIDS_NEL;
        struct user_datum *user;
        struct role_datum *role;
-        struct av_decision avd;
        struct ebitmap_node *rnode, *tnode;
        int rc = 0, i, j;
-        if (!ss_initialized) {
+        *sids = NULL;
-                *sids = NULL;
+        *nel = 0;
-                *nel = 0;
+        if (!ss_initialized)
                goto out;
-        }
        POLICY_RDLOCK;
@@ -1635,17 +1634,9 @@ int security_get_user_sids(u32 fromsid,
                        if (mls_setup_user_range(fromcon, user, &usercon))
                                continue;
-                        rc = context_struct_compute_av(fromcon, &usercon,
-                                                       SECCLASS_PROCESS,
-                                                       PROCESS__TRANSITION,
-                                                       &avd);
-                        if (rc ||  !(avd.allowed & PROCESS__TRANSITION))
-                                continue;
                        rc = sidtab_context_to_sid(&sidtab, &usercon, &sid);
-                        if (rc) {
+                        if (rc)
-                                kfree(mysids);
                                goto out_unlock;
-                        }
                        if (mynel < maxnel) {
                                mysids[mynel++] = sid;
                        } else {
@@ -1653,7 +1644,6 @@ int security_get_user_sids(u32 fromsid,
                                mysids2 = kcalloc(maxnel, sizeof(*mysids2), GFP_ATOMIC);
                                if (!mysids2) {
                                        rc = -ENOMEM;
-                                        kfree(mysids);
                                        goto out_unlock;
                                }
                                memcpy(mysids2, mysids, mynel * sizeof(*mysids2));
@@ -1664,11 +1654,32 @@ int security_get_user_sids(u32 fromsid,
                }
        }
-        *sids = mysids;
-        *nel = mynel;
 out_unlock:
        POLICY_RDUNLOCK;
+        if (rc || !mynel) {
+                kfree(mysids);
+                goto out;
+        }
+        mysids2 = kcalloc(mynel, sizeof(*mysids2), GFP_KERNEL);
+        if (!mysids2) {
+                rc = -ENOMEM;
+                kfree(mysids);
+                goto out;
+        }
+        for (i = 0, j = 0; i < mynel; i++) {
+                rc = avc_has_perm_noaudit(fromsid, mysids[i],
+                                          SECCLASS_PROCESS,
+                                          PROCESS__TRANSITION, AVC_STRICT,
+                                          NULL);
+                if (!rc)
+                        mysids2[j++] = mysids[i];
+                cond_resched();
+        }
+        rc = 0;
+        kfree(mysids);
+        *sids = mysids2;
+        *nel = j;
 out:
        return rc;
 }
author	Stephen Smalley <sds@tycho.nsa.gov>	2007-06-07 15:34:10 -0400
committer	James Morris <jmorris@namei.org>	2007-07-11 22:52:25 -0400
commit	2c3c05dbcbc7b9d71549fe0e2b249f10f5a66518 (patch)
tree	bab75df9fafc435f3370a6d773d3284716347249 /security/selinux
parent	9dc9978084ea2a96b9f42752753d9e38a9f9d7b2 (diff)

diff --git a/security/selinux/avc.c b/security/selinux/avc.c index e4396a89edc6..cc5fcef9e226 100644 --- a/security/selinux/avc.c +++ b/security/selinux/avc.c
@@ -832,6 +832,7 @@ int avc_ss_reset(u32 seqno)
832	* @tsid: target security identifier	832	* @tsid: target security identifier
833	* @tclass: target security class	833	* @tclass: target security class
834	* @requested: requested permissions, interpreted based on @tclass	834	* @requested: requested permissions, interpreted based on @tclass
		835	* @flags: AVC_STRICT or 0
835	* @avd: access vector decisions	836	* @avd: access vector decisions
836	*	837	*
837	* Check the AVC to determine whether the @requested permissions are granted	838	* Check the AVC to determine whether the @requested permissions are granted
@@ -846,8 +847,9 @@ int avc_ss_reset(u32 seqno)
846	* should be released for the auditing.	847	* should be released for the auditing.
847	*/	848	*/
848	int avc_has_perm_noaudit(u32 ssid, u32 tsid,	849	int avc_has_perm_noaudit(u32 ssid, u32 tsid,
849	u16 tclass, u32 requested,	850	u16 tclass, u32 requested,
850	struct av_decision *avd)	851	unsigned flags,
		852	struct av_decision *avd)
851	{	853	{
852	struct avc_node *node;	854	struct avc_node *node;
853	struct avc_entry entry, *p_ae;	855	struct avc_entry entry, *p_ae;
@@ -874,7 +876,7 @@ int avc_has_perm_noaudit(u32 ssid, u32 tsid,
874	denied = requested & ~(p_ae->avd.allowed);	876	denied = requested & ~(p_ae->avd.allowed);
875		877
876	if (!requested \|\| denied) {	878	if (!requested \|\| denied) {
877	if (selinux_enforcing)	879	if (selinux_enforcing \|\| (flags & AVC_STRICT))
878	rc = -EACCES;	880	rc = -EACCES;
879	else	881	else
880	if (node)	882	if (node)
@@ -909,7 +911,7 @@ int avc_has_perm(u32 ssid, u32 tsid, u16 tclass,
909	struct av_decision avd;	911	struct av_decision avd;
910	int rc;	912	int rc;
911		913
912	rc = avc_has_perm_noaudit(ssid, tsid, tclass, requested, &avd);	914	rc = avc_has_perm_noaudit(ssid, tsid, tclass, requested, 0, &avd);
913	avc_audit(ssid, tsid, tclass, requested, &avd, rc, auditdata);	915	avc_audit(ssid, tsid, tclass, requested, &avd, rc, auditdata);
914	return rc;	916	return rc;
915	}	917	}


diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c index ad8dd4e8657e..b29059ecc045 100644 --- a/security/selinux/hooks.c +++ b/security/selinux/hooks.c
@@ -1592,9 +1592,10 @@ static int selinux_vm_enough_memory(long pages)
1592	rc = secondary_ops->capable(current, CAP_SYS_ADMIN);	1592	rc = secondary_ops->capable(current, CAP_SYS_ADMIN);
1593	if (rc == 0)	1593	if (rc == 0)
1594	rc = avc_has_perm_noaudit(tsec->sid, tsec->sid,	1594	rc = avc_has_perm_noaudit(tsec->sid, tsec->sid,
1595	SECCLASS_CAPABILITY,	1595	SECCLASS_CAPABILITY,
1596	CAP_TO_MASK(CAP_SYS_ADMIN),	1596	CAP_TO_MASK(CAP_SYS_ADMIN),
1597	NULL);	1597	0,
		1598	NULL);
1598		1599
1599	if (rc == 0)	1600	if (rc == 0)
1600	cap_sys_admin = 1;	1601	cap_sys_admin = 1;
@@ -4626,7 +4627,7 @@ static int selinux_setprocattr(struct task_struct *p,
4626	if (p->ptrace & PT_PTRACED) {	4627	if (p->ptrace & PT_PTRACED) {
4627	error = avc_has_perm_noaudit(tsec->ptrace_sid, sid,	4628	error = avc_has_perm_noaudit(tsec->ptrace_sid, sid,
4628	SECCLASS_PROCESS,	4629	SECCLASS_PROCESS,
4629	PROCESS__PTRACE, &avd);	4630	PROCESS__PTRACE, 0, &avd);
4630	if (!error)	4631	if (!error)
4631	tsec->sid = sid;	4632	tsec->sid = sid;
4632	task_unlock(p);	4633	task_unlock(p);


diff --git a/security/selinux/include/avc.h b/security/selinux/include/avc.h index 6ed10c3d3339..e145f6e13b0b 100644 --- a/security/selinux/include/avc.h +++ b/security/selinux/include/avc.h
@@ -102,9 +102,11 @@ void avc_audit(u32 ssid, u32 tsid,
102	u16 tclass, u32 requested,	102	u16 tclass, u32 requested,
103	struct av_decision avd, int result, struct avc_audit_data auditdata);	103	struct av_decision avd, int result, struct avc_audit_data auditdata);
104		104
		105	#define AVC_STRICT 1 /* Ignore permissive mode. */
105	int avc_has_perm_noaudit(u32 ssid, u32 tsid,	106	int avc_has_perm_noaudit(u32 ssid, u32 tsid,
106	u16 tclass, u32 requested,	107	u16 tclass, u32 requested,
107	struct av_decision *avd);	108	unsigned flags,
		109	struct av_decision *avd);
108		110
109	int avc_has_perm(u32 ssid, u32 tsid,	111	int avc_has_perm(u32 ssid, u32 tsid,
110	u16 tclass, u32 requested,	112	u16 tclass, u32 requested,


diff --git a/security/selinux/ss/services.c b/security/selinux/ss/services.c index e4249adaa880..b5f017f07a75 100644 --- a/security/selinux/ss/services.c +++ b/security/selinux/ss/services.c
@@ -1587,19 +1587,18 @@ int security_get_user_sids(u32 fromsid,
1587	u32 *nel)	1587	u32 *nel)
1588	{	1588	{
1589	struct context *fromcon, usercon;	1589	struct context *fromcon, usercon;
1590	u32 mysids, mysids2, sid;	1590	u32 mysids = NULL, mysids2, sid;
1591	u32 mynel = 0, maxnel = SIDS_NEL;	1591	u32 mynel = 0, maxnel = SIDS_NEL;
1592	struct user_datum *user;	1592	struct user_datum *user;
1593	struct role_datum *role;	1593	struct role_datum *role;
1594	struct av_decision avd;
1595	struct ebitmap_node rnode, tnode;	1594	struct ebitmap_node rnode, tnode;
1596	int rc = 0, i, j;	1595	int rc = 0, i, j;
1597		1596
1598	if (!ss_initialized) {	1597	*sids = NULL;
1599	*sids = NULL;	1598	*nel = 0;
1600	*nel = 0;	1599
		1600	if (!ss_initialized)
1601	goto out;	1601	goto out;
1602	}
1603		1602
1604	POLICY_RDLOCK;	1603	POLICY_RDLOCK;
1605		1604
@@ -1635,17 +1634,9 @@ int security_get_user_sids(u32 fromsid,
1635	if (mls_setup_user_range(fromcon, user, &usercon))	1634	if (mls_setup_user_range(fromcon, user, &usercon))
1636	continue;	1635	continue;
1637		1636
1638	rc = context_struct_compute_av(fromcon, &usercon,
1639	SECCLASS_PROCESS,
1640	PROCESS__TRANSITION,
1641	&avd);
1642	if (rc \|\| !(avd.allowed & PROCESS__TRANSITION))
1643	continue;
1644	rc = sidtab_context_to_sid(&sidtab, &usercon, &sid);	1637	rc = sidtab_context_to_sid(&sidtab, &usercon, &sid);
1645	if (rc) {	1638	if (rc)
1646	kfree(mysids);
1647	goto out_unlock;	1639	goto out_unlock;
1648	}
1649	if (mynel < maxnel) {	1640	if (mynel < maxnel) {
1650	mysids[mynel++] = sid;	1641	mysids[mynel++] = sid;
1651	} else {	1642	} else {
@@ -1653,7 +1644,6 @@ int security_get_user_sids(u32 fromsid,
1653	mysids2 = kcalloc(maxnel, sizeof(*mysids2), GFP_ATOMIC);	1644	mysids2 = kcalloc(maxnel, sizeof(*mysids2), GFP_ATOMIC);
1654	if (!mysids2) {	1645	if (!mysids2) {
1655	rc = -ENOMEM;	1646	rc = -ENOMEM;
1656	kfree(mysids);
1657	goto out_unlock;	1647	goto out_unlock;
1658	}	1648	}
1659	memcpy(mysids2, mysids, mynel * sizeof(*mysids2));	1649	memcpy(mysids2, mysids, mynel * sizeof(*mysids2));
@@ -1664,11 +1654,32 @@ int security_get_user_sids(u32 fromsid,
1664	}	1654	}
1665	}	1655	}
1666		1656
1667	*sids = mysids;
1668	*nel = mynel;
1669
1670	out_unlock:	1657	out_unlock:
1671	POLICY_RDUNLOCK;	1658	POLICY_RDUNLOCK;
		1659	if (rc \|\| !mynel) {
		1660	kfree(mysids);
		1661	goto out;
		1662	}
		1663
		1664	mysids2 = kcalloc(mynel, sizeof(*mysids2), GFP_KERNEL);
		1665	if (!mysids2) {
		1666	rc = -ENOMEM;
		1667	kfree(mysids);
		1668	goto out;
		1669	}
		1670	for (i = 0, j = 0; i < mynel; i++) {
		1671	rc = avc_has_perm_noaudit(fromsid, mysids[i],
		1672	SECCLASS_PROCESS,
		1673	PROCESS__TRANSITION, AVC_STRICT,
		1674	NULL);
		1675	if (!rc)
		1676	mysids2[j++] = mysids[i];
		1677	cond_resched();
		1678	}
		1679	rc = 0;
		1680	kfree(mysids);
		1681	*sids = mysids2;
		1682	*nel = j;
1672	out:	1683	out:
1673	return rc;	1684	return rc;
1674	}	1685	}