Techwizz/kernel-fxtec-pro1x
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity

SELinux: drop load_mutex in security_load_policy

Browse source 
We used to protect against races of policy load in security_load_policy
by using the load_mutex.  Since then we have added a new mutex,
sel_mutex, in sel_write_load() which is always held across all calls to
security_load_policy we are covered and can safely just drop this one.

Signed-off-by: Eric Paris <eparis@redhat.com>
Acked-by:  Stephen Smalley <sds@tycho.nsa.gov>
Signed-off-by: James Morris <jmorris@namei.org>
This commit is contained in:
Eric Paris 2008-06-09 15:58:04 -04:00 committed by James Morris
parent cea78dc4ca
commit 89abd0acf0
1 changed files with 1 additions and 13 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

14
security/selinux/ss/services.c
View file

@ -71,7 +71,6 @@ int selinux_policycap_openperm;
extern const struct selinux_class_perm selinux_class_perm; extern const struct selinux_class_perm selinux_class_perm;
static DEFINE_RWLOCK(policy_rwlock); static DEFINE_RWLOCK(policy_rwlock);
static DEFINE_MUTEX(load_mutex);
static struct sidtab sidtab; static struct sidtab sidtab;
struct policydb policydb; struct policydb policydb;
@ -1453,17 +1452,13 @@ int security_load_policy(void *data, size_t len)
int rc = 0; int rc = 0;
struct policy_file file = { data, len }, *fp = &file; struct policy_file file = { data, len }, *fp = &file;
mutex_lock(&load_mutex);
if (!ss_initialized) { if (!ss_initialized) {
avtab_cache_init(); avtab_cache_init();
if (policydb_read(&policydb, fp)) { if (policydb_read(&policydb, fp)) {
mutex_unlock(&load_mutex);
avtab_cache_destroy(); avtab_cache_destroy();
return -EINVAL; return -EINVAL;
} }
if (policydb_load_isids(&policydb, &sidtab)) { if (policydb_load_isids(&policydb, &sidtab)) {
mutex_unlock(&load_mutex);
policydb_destroy(&policydb); policydb_destroy(&policydb);
avtab_cache_destroy(); avtab_cache_destroy();
return -EINVAL; return -EINVAL;
@ -1472,7 +1467,6 @@ int security_load_policy(void *data, size_t len)
if (validate_classes(&policydb)) { if (validate_classes(&policydb)) {
printk(KERN_ERR printk(KERN_ERR
"SELinux: the definition of a class is incorrect\n"); "SELinux: the definition of a class is incorrect\n");
mutex_unlock(&load_mutex);
sidtab_destroy(&sidtab); sidtab_destroy(&sidtab);
policydb_destroy(&policydb); policydb_destroy(&policydb);
avtab_cache_destroy(); avtab_cache_destroy();
@ -1482,7 +1476,6 @@ int security_load_policy(void *data, size_t len)
policydb_loaded_version = policydb.policyvers; policydb_loaded_version = policydb.policyvers;
ss_initialized = 1; ss_initialized = 1;
seqno = ++latest_granting; seqno = ++latest_granting;
mutex_unlock(&load_mutex);
selinux_complete_init(); selinux_complete_init();
avc_ss_reset(seqno); avc_ss_reset(seqno);
selnl_notify_policyload(seqno); selnl_notify_policyload(seqno);
@ -1495,13 +1488,10 @@ int security_load_policy(void *data, size_t len)
sidtab_hash_eval(&sidtab, "sids"); sidtab_hash_eval(&sidtab, "sids");
#endif #endif
if (policydb_read(&newpolicydb, fp)) { if (policydb_read(&newpolicydb, fp))
mutex_unlock(&load_mutex);
return -EINVAL; return -EINVAL;
}
if (sidtab_init(&newsidtab)) { if (sidtab_init(&newsidtab)) {
mutex_unlock(&load_mutex);
policydb_destroy(&newpolicydb); policydb_destroy(&newpolicydb);
return -ENOMEM; return -ENOMEM;
} }
@ -1549,7 +1539,6 @@ int security_load_policy(void *data, size_t len)
seqno = ++latest_granting; seqno = ++latest_granting;
policydb_loaded_version = policydb.policyvers; policydb_loaded_version = policydb.policyvers;
write_unlock_irq(&policy_rwlock); write_unlock_irq(&policy_rwlock);
mutex_unlock(&load_mutex);
/* Free the old policydb and SID table. */ /* Free the old policydb and SID table. */
policydb_destroy(&oldpolicydb); policydb_destroy(&oldpolicydb);
@ -1563,7 +1552,6 @@ int security_load_policy(void *data, size_t len)
return 0; return 0;
err: err:
mutex_unlock(&load_mutex);
sidtab_destroy(&newsidtab); sidtab_destroy(&newsidtab);
policydb_destroy(&newpolicydb); policydb_destroy(&newpolicydb);
return rc; return rc;