aboutsummaryrefslogtreecommitdiffstats
path: root/security/selinux
diff options
context:
space:
mode:
Diffstat (limited to 'security/selinux')
-rw-r--r--security/selinux/avc.c9
-rw-r--r--security/selinux/hooks.c23
-rw-r--r--security/selinux/netif.c2
3 files changed, 27 insertions, 7 deletions
diff --git a/security/selinux/avc.c b/security/selinux/avc.c
index 1d69f6649bff..95a8ef4a5073 100644
--- a/security/selinux/avc.c
+++ b/security/selinux/avc.c
@@ -312,6 +312,7 @@ static inline int avc_reclaim_node(void)
312 if (!spin_trylock_irqsave(&avc_cache.slots_lock[hvalue], flags)) 312 if (!spin_trylock_irqsave(&avc_cache.slots_lock[hvalue], flags))
313 continue; 313 continue;
314 314
315 rcu_read_lock();
315 list_for_each_entry(node, &avc_cache.slots[hvalue], list) { 316 list_for_each_entry(node, &avc_cache.slots[hvalue], list) {
316 if (atomic_dec_and_test(&node->ae.used)) { 317 if (atomic_dec_and_test(&node->ae.used)) {
317 /* Recently Unused */ 318 /* Recently Unused */
@@ -319,11 +320,13 @@ static inline int avc_reclaim_node(void)
319 avc_cache_stats_incr(reclaims); 320 avc_cache_stats_incr(reclaims);
320 ecx++; 321 ecx++;
321 if (ecx >= AVC_CACHE_RECLAIM) { 322 if (ecx >= AVC_CACHE_RECLAIM) {
323 rcu_read_unlock();
322 spin_unlock_irqrestore(&avc_cache.slots_lock[hvalue], flags); 324 spin_unlock_irqrestore(&avc_cache.slots_lock[hvalue], flags);
323 goto out; 325 goto out;
324 } 326 }
325 } 327 }
326 } 328 }
329 rcu_read_unlock();
327 spin_unlock_irqrestore(&avc_cache.slots_lock[hvalue], flags); 330 spin_unlock_irqrestore(&avc_cache.slots_lock[hvalue], flags);
328 } 331 }
329out: 332out:
@@ -821,8 +824,14 @@ int avc_ss_reset(u32 seqno)
821 824
822 for (i = 0; i < AVC_CACHE_SLOTS; i++) { 825 for (i = 0; i < AVC_CACHE_SLOTS; i++) {
823 spin_lock_irqsave(&avc_cache.slots_lock[i], flag); 826 spin_lock_irqsave(&avc_cache.slots_lock[i], flag);
827 /*
828 * With preemptable RCU, the outer spinlock does not
829 * prevent RCU grace periods from ending.
830 */
831 rcu_read_lock();
824 list_for_each_entry(node, &avc_cache.slots[i], list) 832 list_for_each_entry(node, &avc_cache.slots[i], list)
825 avc_node_delete(node); 833 avc_node_delete(node);
834 rcu_read_unlock();
826 spin_unlock_irqrestore(&avc_cache.slots_lock[i], flag); 835 spin_unlock_irqrestore(&avc_cache.slots_lock[i], flag);
827 } 836 }
828 837
diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c
index 1bf2543ea942..308e2cf17d75 100644
--- a/security/selinux/hooks.c
+++ b/security/selinux/hooks.c
@@ -755,9 +755,18 @@ static void selinux_sb_clone_mnt_opts(const struct super_block *oldsb,
755 int set_context = (oldsbsec->flags & CONTEXT_MNT); 755 int set_context = (oldsbsec->flags & CONTEXT_MNT);
756 int set_rootcontext = (oldsbsec->flags & ROOTCONTEXT_MNT); 756 int set_rootcontext = (oldsbsec->flags & ROOTCONTEXT_MNT);
757 757
758 /* we can't error, we can't save the info, this shouldn't get called 758 /*
759 * this early in the boot process. */ 759 * if the parent was able to be mounted it clearly had no special lsm
760 BUG_ON(!ss_initialized); 760 * mount options. thus we can safely put this sb on the list and deal
761 * with it later
762 */
763 if (!ss_initialized) {
764 spin_lock(&sb_security_lock);
765 if (list_empty(&newsbsec->list))
766 list_add(&newsbsec->list, &superblock_security_head);
767 spin_unlock(&sb_security_lock);
768 return;
769 }
761 770
762 /* how can we clone if the old one wasn't set up?? */ 771 /* how can we clone if the old one wasn't set up?? */
763 BUG_ON(!oldsbsec->initialized); 772 BUG_ON(!oldsbsec->initialized);
@@ -2392,22 +2401,22 @@ static int selinux_sb_statfs(struct dentry *dentry)
2392} 2401}
2393 2402
2394static int selinux_mount(char *dev_name, 2403static int selinux_mount(char *dev_name,
2395 struct nameidata *nd, 2404 struct path *path,
2396 char *type, 2405 char *type,
2397 unsigned long flags, 2406 unsigned long flags,
2398 void *data) 2407 void *data)
2399{ 2408{
2400 int rc; 2409 int rc;
2401 2410
2402 rc = secondary_ops->sb_mount(dev_name, nd, type, flags, data); 2411 rc = secondary_ops->sb_mount(dev_name, path, type, flags, data);
2403 if (rc) 2412 if (rc)
2404 return rc; 2413 return rc;
2405 2414
2406 if (flags & MS_REMOUNT) 2415 if (flags & MS_REMOUNT)
2407 return superblock_has_perm(current, nd->path.mnt->mnt_sb, 2416 return superblock_has_perm(current, path->mnt->mnt_sb,
2408 FILESYSTEM__REMOUNT, NULL); 2417 FILESYSTEM__REMOUNT, NULL);
2409 else 2418 else
2410 return dentry_has_perm(current, nd->path.mnt, nd->path.dentry, 2419 return dentry_has_perm(current, path->mnt, path->dentry,
2411 FILE__MOUNTON); 2420 FILE__MOUNTON);
2412} 2421}
2413 2422
diff --git a/security/selinux/netif.c b/security/selinux/netif.c
index c658b84c3196..b4e14bc0bf32 100644
--- a/security/selinux/netif.c
+++ b/security/selinux/netif.c
@@ -239,11 +239,13 @@ static void sel_netif_kill(int ifindex)
239{ 239{
240 struct sel_netif *netif; 240 struct sel_netif *netif;
241 241
242 rcu_read_lock();
242 spin_lock_bh(&sel_netif_lock); 243 spin_lock_bh(&sel_netif_lock);
243 netif = sel_netif_find(ifindex); 244 netif = sel_netif_find(ifindex);
244 if (netif) 245 if (netif)
245 sel_netif_destroy(netif); 246 sel_netif_destroy(netif);
246 spin_unlock_bh(&sel_netif_lock); 247 spin_unlock_bh(&sel_netif_lock);
248 rcu_read_unlock();
247} 249}
248 250
249/** 251/**
generated by cgit v1.2.2 (git 2.25.0) at 2025-11-22 11:48:11 -0500