diff options
| author | Linus Torvalds <torvalds@linux-foundation.org> | 2024-09-16 16:55:42 +0200 |
|---|---|---|
| committer | Linus Torvalds <torvalds@linux-foundation.org> | 2024-09-16 16:55:42 +0200 |
| commit | ad060dbbcfcfcba624ef1a75e1d71365a98b86d8 (patch) | |
| tree | 4f872b9266bbab1540dbc5b5010d64e0a7b5aafd /security/selinux/avc.c | |
| parent | dc644fba3cf837f22d14991cab3c4c65af37ae21 (diff) | |
| parent | d19a9e25a722d629041ac8fd320a86c016e349d1 (diff) | |
Merge tag 'selinux-pr-20240911' of git://git.kernel.org/pub/scm/linux/kernel/git/pcmoore/selinux
Pull selinux updates from Paul Moore:
- Ensure that both IPv4 and IPv6 connections are properly initialized
While we always properly initialized IPv4 connections early in their
life, we missed the necessary IPv6 change when we were adding IPv6
support.
- Annotate the SELinux inode revalidation function to quiet KCSAN
KCSAN correctly identifies a race in __inode_security_revalidate()
when we check to see if an inode's SELinux has been properly
initialized. While KCSAN is correct, it is an intentional choice made
for performance reasons; if necessary, we check the state a second
time, this time with a lock held, before initializing the inode's
state.
- Code cleanups, simplification, etc.
A handful of individual patches to simplify some SELinux kernel
logic, improve return code granularity via ERR_PTR(), follow the
guidance on using KMEM_CACHE(), and correct some minor style
problems.
* tag 'selinux-pr-20240911' of git://git.kernel.org/pub/scm/linux/kernel/git/pcmoore/selinux:
selinux: fix style problems in security/selinux/include/audit.h
selinux: simplify avc_xperms_audit_required()
selinux: mark both IPv4 and IPv6 accepted connection sockets as labeled
selinux: replace kmem_cache_create() with KMEM_CACHE()
selinux: annotate false positive data race to avoid KCSAN warnings
selinux: refactor code to return ERR_PTR in selinux_netlbl_sock_genattr
selinux: Streamline type determination in security_compute_sid
Diffstat (limited to 'security/selinux/avc.c')
| -rw-r--r-- | security/selinux/avc.c | 20 |
1 files changed, 6 insertions, 14 deletions
diff --git a/security/selinux/avc.c b/security/selinux/avc.c index b49c44869dc4..cc0b0af20296 100644 --- a/security/selinux/avc.c +++ b/security/selinux/avc.c @@ -134,18 +134,10 @@ static inline u32 avc_hash(u32 ssid, u32 tsid, u16 tclass) */ void __init avc_init(void) { - avc_node_cachep = kmem_cache_create("avc_node", sizeof(struct avc_node), - 0, SLAB_PANIC, NULL); - avc_xperms_cachep = kmem_cache_create("avc_xperms_node", - sizeof(struct avc_xperms_node), - 0, SLAB_PANIC, NULL); - avc_xperms_decision_cachep = kmem_cache_create( - "avc_xperms_decision_node", - sizeof(struct avc_xperms_decision_node), - 0, SLAB_PANIC, NULL); - avc_xperms_data_cachep = kmem_cache_create("avc_xperms_data", - sizeof(struct extended_perms_data), - 0, SLAB_PANIC, NULL); + avc_node_cachep = KMEM_CACHE(avc_node, SLAB_PANIC); + avc_xperms_cachep = KMEM_CACHE(avc_xperms_node, SLAB_PANIC); + avc_xperms_decision_cachep = KMEM_CACHE(avc_xperms_decision_node, SLAB_PANIC); + avc_xperms_data_cachep = KMEM_CACHE(extended_perms_data, SLAB_PANIC); } int avc_get_hash_stats(char *page) @@ -396,7 +388,7 @@ static inline u32 avc_xperms_audit_required(u32 requested, audited = denied & avd->auditdeny; if (audited && xpd) { if (avc_xperms_has_perm(xpd, perm, XPERMS_DONTAUDIT)) - audited &= ~requested; + audited = 0; } } else if (result) { audited = denied = requested; @@ -404,7 +396,7 @@ static inline u32 avc_xperms_audit_required(u32 requested, audited = requested & avd->auditallow; if (audited && xpd) { if (!avc_xperms_has_perm(xpd, perm, XPERMS_AUDITALLOW)) - audited &= ~requested; + audited = 0; } } |