
[1/2] LSM: switch to blocking policy update notifiers

Message ID 20190605083606.4209-1-janne.karhunen@gmail.com (mailing list archive)
State New, archived

Commit Message

Janne Karhunen June 5, 2019, 8:36 a.m. UTC
Atomic policy updaters are not very useful as they cannot
usually perform the policy updates on their own. Since it
seems that there is no strict need for the atomicity,
switch to the blocking variant. While doing so, rename
the functions accordingly.

Signed-off-by: Janne Karhunen <janne.karhunen@gmail.com>
---
 drivers/infiniband/core/device.c |  6 +++---
 include/linux/security.h         |  6 +++---
 security/security.c              | 23 +++++++++++++----------
 security/selinux/hooks.c         |  2 +-
 security/selinux/selinuxfs.c     |  2 +-
 5 files changed, 21 insertions(+), 18 deletions(-)

Comments

Casey Schaufler June 5, 2019, 3:23 p.m. UTC | #1
On 6/5/2019 1:36 AM, Janne Karhunen wrote:
> Atomic policy updaters are not very useful as they cannot
> usually perform the policy updates on their own. Since it
> seems that there is no strict need for the atomicity,
> switch to the blocking variant. While doing so, rename
> the functions accordingly.
>
> Signed-off-by: Janne Karhunen <janne.karhunen@gmail.com>
> ---
>  drivers/infiniband/core/device.c |  6 +++---
>  include/linux/security.h         |  6 +++---
>  security/security.c              | 23 +++++++++++++----------
>  security/selinux/hooks.c         |  2 +-
>  security/selinux/selinuxfs.c     |  2 +-
>  5 files changed, 21 insertions(+), 18 deletions(-)
>
> diff --git a/drivers/infiniband/core/device.c b/drivers/infiniband/core/device.c
> index 78dc07c6ac4b..61c0c93a2e73 100644
> --- a/drivers/infiniband/core/device.c
> +++ b/drivers/infiniband/core/device.c
> @@ -2499,7 +2499,7 @@ static int __init ib_core_init(void)
>  		goto err_mad;
>  	}
>  
> -	ret = register_lsm_notifier(&ibdev_lsm_nb);
> +	ret = register_blocking_lsm_notifier(&ibdev_lsm_nb);
>  	if (ret) {
>  		pr_warn("Couldn't register LSM notifier. ret %d\n", ret);
>  		goto err_sa;
> @@ -2518,7 +2518,7 @@ static int __init ib_core_init(void)
>  	return 0;
>  
>  err_compat:
> -	unregister_lsm_notifier(&ibdev_lsm_nb);
> +	unregister_blocking_lsm_notifier(&ibdev_lsm_nb);
>  err_sa:
>  	ib_sa_cleanup();
>  err_mad:
> @@ -2544,7 +2544,7 @@ static void __exit ib_core_cleanup(void)
>  	nldev_exit();
>  	rdma_nl_unregister(RDMA_NL_LS);
>  	unregister_pernet_device(&rdma_dev_net_ops);
> -	unregister_lsm_notifier(&ibdev_lsm_nb);
> +	unregister_blocking_lsm_notifier(&ibdev_lsm_nb);
>  	ib_sa_cleanup();
>  	ib_mad_cleanup();
>  	addr_cleanup();
> diff --git a/include/linux/security.h b/include/linux/security.h
> index 659071c2e57c..fc655fbe44ad 100644
> --- a/include/linux/security.h
> +++ b/include/linux/security.h
> @@ -189,9 +189,9 @@ static inline const char *kernel_load_data_id_str(enum kernel_load_data_id id)
>  
>  #ifdef CONFIG_SECURITY
>  
> -int call_lsm_notifier(enum lsm_event event, void *data);
> -int register_lsm_notifier(struct notifier_block *nb);
> -int unregister_lsm_notifier(struct notifier_block *nb);
> +int call_blocking_lsm_notifier(enum lsm_event event, void *data);
> +int register_blocking_lsm_notifier(struct notifier_block *nb);
> +int unregister_blocking_lsm_notifier(struct notifier_block *nb);

Why is it important to change the names of these hooks?
It's not like you had call_atomic_lsm_notifier() before.
It seems like a lot of unnecessary code churn.

>  
>  /* prototypes */
>  extern int security_init(void);
> diff --git a/security/security.c b/security/security.c
> index c01a88f65ad8..6bfc7636ddb7 100644
> --- a/security/security.c
> +++ b/security/security.c
> @@ -39,7 +39,7 @@
>  #define LSM_COUNT (__end_lsm_info - __start_lsm_info)
>  
>  struct security_hook_heads security_hook_heads __lsm_ro_after_init;
> -static ATOMIC_NOTIFIER_HEAD(lsm_notifier_chain);
> +static BLOCKING_NOTIFIER_HEAD(blocking_lsm_notifier_chain);
>  
>  static struct kmem_cache *lsm_file_cache;
>  static struct kmem_cache *lsm_inode_cache;
> @@ -430,23 +430,26 @@ void __init security_add_hooks(struct security_hook_list *hooks, int count,
>  		panic("%s - Cannot get early memory.\n", __func__);
>  }
>  
> -int call_lsm_notifier(enum lsm_event event, void *data)
> +int call_blocking_lsm_notifier(enum lsm_event event, void *data)
>  {
> -	return atomic_notifier_call_chain(&lsm_notifier_chain, event, data);
> +	return blocking_notifier_call_chain(&blocking_lsm_notifier_chain,
> +					    event, data);
>  }
> -EXPORT_SYMBOL(call_lsm_notifier);
> +EXPORT_SYMBOL(call_blocking_lsm_notifier);
>  
> -int register_lsm_notifier(struct notifier_block *nb)
> +int register_blocking_lsm_notifier(struct notifier_block *nb)
>  {
> -	return atomic_notifier_chain_register(&lsm_notifier_chain, nb);
> +	return blocking_notifier_chain_register(&blocking_lsm_notifier_chain,
> +						nb);
>  }
> -EXPORT_SYMBOL(register_lsm_notifier);
> +EXPORT_SYMBOL(register_blocking_lsm_notifier);
>  
> -int unregister_lsm_notifier(struct notifier_block *nb)
> +int unregister_blocking_lsm_notifier(struct notifier_block *nb)
>  {
> -	return atomic_notifier_chain_unregister(&lsm_notifier_chain, nb);
> +	return blocking_notifier_chain_unregister(&blocking_lsm_notifier_chain,
> +						  nb);
>  }
> -EXPORT_SYMBOL(unregister_lsm_notifier);
> +EXPORT_SYMBOL(unregister_blocking_lsm_notifier);
>  
>  /**
>   * lsm_cred_alloc - allocate a composite cred blob
> diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c
> index c61787b15f27..c1e37018c8eb 100644
> --- a/security/selinux/hooks.c
> +++ b/security/selinux/hooks.c
> @@ -197,7 +197,7 @@ static int selinux_lsm_notifier_avc_callback(u32 event)
>  {
>  	if (event == AVC_CALLBACK_RESET) {
>  		sel_ib_pkey_flush();
> -		call_lsm_notifier(LSM_POLICY_CHANGE, NULL);
> +		call_blocking_lsm_notifier(LSM_POLICY_CHANGE, NULL);
>  	}
>  
>  	return 0;
> diff --git a/security/selinux/selinuxfs.c b/security/selinux/selinuxfs.c
> index 145ee62f205a..1e2e3e4b5fdb 100644
> --- a/security/selinux/selinuxfs.c
> +++ b/security/selinux/selinuxfs.c
> @@ -180,7 +180,7 @@ static ssize_t sel_write_enforce(struct file *file, const char __user *buf,
>  		selnl_notify_setenforce(new_value);
>  		selinux_status_update_setenforce(state, new_value);
>  		if (!new_value)
> -			call_lsm_notifier(LSM_POLICY_CHANGE, NULL);
> +			call_blocking_lsm_notifier(LSM_POLICY_CHANGE, NULL);
>  	}
>  	length = count;
>  out:
Janne Karhunen June 5, 2019, 4:51 p.m. UTC | #2
On Wed, Jun 5, 2019 at 6:23 PM Casey Schaufler <casey@schaufler-ca.com> wrote:

> > -int call_lsm_notifier(enum lsm_event event, void *data);
> > -int register_lsm_notifier(struct notifier_block *nb);
> > -int unregister_lsm_notifier(struct notifier_block *nb);
> > +int call_blocking_lsm_notifier(enum lsm_event event, void *data);
> > +int register_blocking_lsm_notifier(struct notifier_block *nb);
> > +int unregister_blocking_lsm_notifier(struct notifier_block *nb);
>
> Why is it important to change the names of these hooks?
> It's not like you had call_atomic_lsm_notifier() before.
> It seems like a lot of unnecessary code churn.

Paul was thinking there will eventually be two sets of notifiers
(atomic and blocking) and this creates the clear separation. That's
probably true, but it does indeed create a pretty big change that
is not really needed yet. I'm fine either way.


--
Janne
Casey Schaufler June 5, 2019, 5:05 p.m. UTC | #3
On 6/5/2019 9:51 AM, Janne Karhunen wrote:
> On Wed, Jun 5, 2019 at 6:23 PM Casey Schaufler <casey@schaufler-ca.com> wrote:
>
>>> -int call_lsm_notifier(enum lsm_event event, void *data);
>>> -int register_lsm_notifier(struct notifier_block *nb);
>>> -int unregister_lsm_notifier(struct notifier_block *nb);
>>> +int call_blocking_lsm_notifier(enum lsm_event event, void *data);
>>> +int register_blocking_lsm_notifier(struct notifier_block *nb);
>>> +int unregister_blocking_lsm_notifier(struct notifier_block *nb);
>> Why is it important to change the names of these hooks?
>> It's not like you had call_atomic_lsm_notifier() before.
>> It seems like a lot of unnecessary code churn.
> Paul was thinking there will eventually be two sets of notifiers
> (atomic and blocking) and this creates the clear separation.

One hook with an added "bool blocking" argument, if
that's the only difference?

>  That's
> probably true, but it does indeed create a pretty big change that it
> is not really needed yet. I'm fine either way.
>
>
> --
> Janne
Paul Moore June 5, 2019, 7:14 p.m. UTC | #4
On Wed, Jun 5, 2019 at 1:05 PM Casey Schaufler <casey@schaufler-ca.com> wrote:
> On 6/5/2019 9:51 AM, Janne Karhunen wrote:
> > On Wed, Jun 5, 2019 at 6:23 PM Casey Schaufler <casey@schaufler-ca.com> wrote:
> >
> >>> -int call_lsm_notifier(enum lsm_event event, void *data);
> >>> -int register_lsm_notifier(struct notifier_block *nb);
> >>> -int unregister_lsm_notifier(struct notifier_block *nb);
> >>> +int call_blocking_lsm_notifier(enum lsm_event event, void *data);
> >>> +int register_blocking_lsm_notifier(struct notifier_block *nb);
> >>> +int unregister_blocking_lsm_notifier(struct notifier_block *nb);
> >> Why is it important to change the names of these hooks?
> >> It's not like you had call_atomic_lsm_notifier() before.
> >> It seems like a lot of unnecessary code churn.
> > Paul was thinking there will eventually be two sets of notifiers
> > (atomic and blocking) and this creates the clear separation.
>
> One hook with an added "bool blocking" argument, if
> that's the only difference?

I think there is value in keeping a similar convention to the notifier
code on which this is based, see include/linux/notifier.h.
Paul Moore June 5, 2019, 7:15 p.m. UTC | #5
On Wed, Jun 5, 2019 at 4:36 AM Janne Karhunen <janne.karhunen@gmail.com> wrote:
>
> Atomic policy updaters are not very useful as they cannot
> usually perform the policy updates on their own. Since it
> seems that there is no strict need for the atomicity,
> switch to the blocking variant. While doing so, rename
> the functions accordingly.
>
> Signed-off-by: Janne Karhunen <janne.karhunen@gmail.com>
> ---
>  drivers/infiniband/core/device.c |  6 +++---
>  include/linux/security.h         |  6 +++---
>  security/security.c              | 23 +++++++++++++----------
>  security/selinux/hooks.c         |  2 +-
>  security/selinux/selinuxfs.c     |  2 +-
>  5 files changed, 21 insertions(+), 18 deletions(-)

Acked-by: Paul Moore <paul@paul-moore.com>

> diff --git a/drivers/infiniband/core/device.c b/drivers/infiniband/core/device.c
> index 78dc07c6ac4b..61c0c93a2e73 100644
> --- a/drivers/infiniband/core/device.c
> +++ b/drivers/infiniband/core/device.c
> @@ -2499,7 +2499,7 @@ static int __init ib_core_init(void)
>                 goto err_mad;
>         }
>
> -       ret = register_lsm_notifier(&ibdev_lsm_nb);
> +       ret = register_blocking_lsm_notifier(&ibdev_lsm_nb);
>         if (ret) {
>                 pr_warn("Couldn't register LSM notifier. ret %d\n", ret);
>                 goto err_sa;
> @@ -2518,7 +2518,7 @@ static int __init ib_core_init(void)
>         return 0;
>
>  err_compat:
> -       unregister_lsm_notifier(&ibdev_lsm_nb);
> +       unregister_blocking_lsm_notifier(&ibdev_lsm_nb);
>  err_sa:
>         ib_sa_cleanup();
>  err_mad:
> @@ -2544,7 +2544,7 @@ static void __exit ib_core_cleanup(void)
>         nldev_exit();
>         rdma_nl_unregister(RDMA_NL_LS);
>         unregister_pernet_device(&rdma_dev_net_ops);
> -       unregister_lsm_notifier(&ibdev_lsm_nb);
> +       unregister_blocking_lsm_notifier(&ibdev_lsm_nb);
>         ib_sa_cleanup();
>         ib_mad_cleanup();
>         addr_cleanup();
> diff --git a/include/linux/security.h b/include/linux/security.h
> index 659071c2e57c..fc655fbe44ad 100644
> --- a/include/linux/security.h
> +++ b/include/linux/security.h
> @@ -189,9 +189,9 @@ static inline const char *kernel_load_data_id_str(enum kernel_load_data_id id)
>
>  #ifdef CONFIG_SECURITY
>
> -int call_lsm_notifier(enum lsm_event event, void *data);
> -int register_lsm_notifier(struct notifier_block *nb);
> -int unregister_lsm_notifier(struct notifier_block *nb);
> +int call_blocking_lsm_notifier(enum lsm_event event, void *data);
> +int register_blocking_lsm_notifier(struct notifier_block *nb);
> +int unregister_blocking_lsm_notifier(struct notifier_block *nb);
>
>  /* prototypes */
>  extern int security_init(void);
> diff --git a/security/security.c b/security/security.c
> index c01a88f65ad8..6bfc7636ddb7 100644
> --- a/security/security.c
> +++ b/security/security.c
> @@ -39,7 +39,7 @@
>  #define LSM_COUNT (__end_lsm_info - __start_lsm_info)
>
>  struct security_hook_heads security_hook_heads __lsm_ro_after_init;
> -static ATOMIC_NOTIFIER_HEAD(lsm_notifier_chain);
> +static BLOCKING_NOTIFIER_HEAD(blocking_lsm_notifier_chain);
>
>  static struct kmem_cache *lsm_file_cache;
>  static struct kmem_cache *lsm_inode_cache;
> @@ -430,23 +430,26 @@ void __init security_add_hooks(struct security_hook_list *hooks, int count,
>                 panic("%s - Cannot get early memory.\n", __func__);
>  }
>
> -int call_lsm_notifier(enum lsm_event event, void *data)
> +int call_blocking_lsm_notifier(enum lsm_event event, void *data)
>  {
> -       return atomic_notifier_call_chain(&lsm_notifier_chain, event, data);
> +       return blocking_notifier_call_chain(&blocking_lsm_notifier_chain,
> +                                           event, data);
>  }
> -EXPORT_SYMBOL(call_lsm_notifier);
> +EXPORT_SYMBOL(call_blocking_lsm_notifier);
>
> -int register_lsm_notifier(struct notifier_block *nb)
> +int register_blocking_lsm_notifier(struct notifier_block *nb)
>  {
> -       return atomic_notifier_chain_register(&lsm_notifier_chain, nb);
> +       return blocking_notifier_chain_register(&blocking_lsm_notifier_chain,
> +                                               nb);
>  }
> -EXPORT_SYMBOL(register_lsm_notifier);
> +EXPORT_SYMBOL(register_blocking_lsm_notifier);
>
> -int unregister_lsm_notifier(struct notifier_block *nb)
> +int unregister_blocking_lsm_notifier(struct notifier_block *nb)
>  {
> -       return atomic_notifier_chain_unregister(&lsm_notifier_chain, nb);
> +       return blocking_notifier_chain_unregister(&blocking_lsm_notifier_chain,
> +                                                 nb);
>  }
> -EXPORT_SYMBOL(unregister_lsm_notifier);
> +EXPORT_SYMBOL(unregister_blocking_lsm_notifier);
>
>  /**
>   * lsm_cred_alloc - allocate a composite cred blob
> diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c
> index c61787b15f27..c1e37018c8eb 100644
> --- a/security/selinux/hooks.c
> +++ b/security/selinux/hooks.c
> @@ -197,7 +197,7 @@ static int selinux_lsm_notifier_avc_callback(u32 event)
>  {
>         if (event == AVC_CALLBACK_RESET) {
>                 sel_ib_pkey_flush();
> -               call_lsm_notifier(LSM_POLICY_CHANGE, NULL);
> +               call_blocking_lsm_notifier(LSM_POLICY_CHANGE, NULL);
>         }
>
>         return 0;
> diff --git a/security/selinux/selinuxfs.c b/security/selinux/selinuxfs.c
> index 145ee62f205a..1e2e3e4b5fdb 100644
> --- a/security/selinux/selinuxfs.c
> +++ b/security/selinux/selinuxfs.c
> @@ -180,7 +180,7 @@ static ssize_t sel_write_enforce(struct file *file, const char __user *buf,
>                 selnl_notify_setenforce(new_value);
>                 selinux_status_update_setenforce(state, new_value);
>                 if (!new_value)
> -                       call_lsm_notifier(LSM_POLICY_CHANGE, NULL);
> +                       call_blocking_lsm_notifier(LSM_POLICY_CHANGE, NULL);
>         }
>         length = count;
>  out:
> --
> 2.17.1
>
James Morris June 7, 2019, 12:45 a.m. UTC | #6
On Wed, 5 Jun 2019, Paul Moore wrote:

> On Wed, Jun 5, 2019 at 1:05 PM Casey Schaufler <casey@schaufler-ca.com> wrote:
> > On 6/5/2019 9:51 AM, Janne Karhunen wrote:
> >
> > One hook with an added "bool blocking" argument, if
> > that's the only difference?
> 
> I think there is value in keeping a similar convention to the notifier
> code on which this is based, see include/linux/notifier.h.
> 

Although this doesn't seem to be what other users in the kernel are doing. 
Probably the less code churn the better in this case.
Paul Moore June 7, 2019, 5:19 a.m. UTC | #7
On Thu, Jun 6, 2019 at 8:45 PM James Morris <jmorris@namei.org> wrote:
> On Wed, 5 Jun 2019, Paul Moore wrote:
> > On Wed, Jun 5, 2019 at 1:05 PM Casey Schaufler <casey@schaufler-ca.com> wrote:
> > > On 6/5/2019 9:51 AM, Janne Karhunen wrote:
> > >
> > > One hook with an added "bool blocking" argument, if
> > > that's the only difference?
> >
> > I think there is value in keeping a similar convention to the notifier
> > code on which this is based, see include/linux/notifier.h.
>
> Although this doesn't seem to be what other users in the kernel are doing.

How many of them potentially have the need for both blocking and
non-blocking notifiers?  I didn't go through the entire list of
callers, but it seems all that I looked at used only one type.  The
simple fact that we started with one type of notifier for the LSM, and
we are now switching to the other (and getting lucky that it is safe
to do so for the existing callers) seems to lend some weight to the
argument we may need both and adding "block"/"blocking"/etc. to the
name has value.
James Morris June 7, 2019, 9:48 p.m. UTC | #8
On Fri, 7 Jun 2019, Paul Moore wrote:

> On Thu, Jun 6, 2019 at 8:45 PM James Morris <jmorris@namei.org> wrote:
> > On Wed, 5 Jun 2019, Paul Moore wrote:
> > > On Wed, Jun 5, 2019 at 1:05 PM Casey Schaufler <casey@schaufler-ca.com> wrote:
> > > > On 6/5/2019 9:51 AM, Janne Karhunen wrote:
> > > >
> > > > One hook with an added "bool blocking" argument, if
> > > > that's the only difference?
> > >
> > > I think there is value in keeping a similar convention to the notifier
> > > code on which this is based, see include/linux/notifier.h.
> >
> > Although this doesn't seem to be what other users in the kernel are doing.
> 
> How many of them potentially have the need for both blocking and
> non-blocking notifiers?  I didn't go through the entire list of
> callers, but it seems all that I looked at used only one type.  The
> simple fact that we started with one type of notifier for the LSM, and
> we are now switching to the other (and getting lucky that it is safe
> to do so for the existing callers) seems to lend some weight to the
> argument we may need both and adding "block"/"blocking"/etc. to the
> name has value.

Fair enough.
Janne Karhunen June 9, 2019, 5:06 p.m. UTC | #9
On Sat, Jun 8, 2019 at 12:48 AM James Morris <jmorris@namei.org> wrote:

> > simple fact that we started with one type of notifier for the LSM, and
> > we are now switching to the other (and getting lucky that it is safe
> > to do so for the existing callers) seems to lend some weight to the
> > argument we may need both and adding "block"/"blocking"/etc. to the
> > name has value.
>
> Fair enough.

Ok, I take this to mean we have an agreement to go with this variant.
I will post the fixes for Mimi's findings on top of this one
tomorrow.


--
Janne

Patch

diff --git a/drivers/infiniband/core/device.c b/drivers/infiniband/core/device.c
index 78dc07c6ac4b..61c0c93a2e73 100644
--- a/drivers/infiniband/core/device.c
+++ b/drivers/infiniband/core/device.c
@@ -2499,7 +2499,7 @@  static int __init ib_core_init(void)
 		goto err_mad;
 	}
 
-	ret = register_lsm_notifier(&ibdev_lsm_nb);
+	ret = register_blocking_lsm_notifier(&ibdev_lsm_nb);
 	if (ret) {
 		pr_warn("Couldn't register LSM notifier. ret %d\n", ret);
 		goto err_sa;
@@ -2518,7 +2518,7 @@  static int __init ib_core_init(void)
 	return 0;
 
 err_compat:
-	unregister_lsm_notifier(&ibdev_lsm_nb);
+	unregister_blocking_lsm_notifier(&ibdev_lsm_nb);
 err_sa:
 	ib_sa_cleanup();
 err_mad:
@@ -2544,7 +2544,7 @@  static void __exit ib_core_cleanup(void)
 	nldev_exit();
 	rdma_nl_unregister(RDMA_NL_LS);
 	unregister_pernet_device(&rdma_dev_net_ops);
-	unregister_lsm_notifier(&ibdev_lsm_nb);
+	unregister_blocking_lsm_notifier(&ibdev_lsm_nb);
 	ib_sa_cleanup();
 	ib_mad_cleanup();
 	addr_cleanup();
diff --git a/include/linux/security.h b/include/linux/security.h
index 659071c2e57c..fc655fbe44ad 100644
--- a/include/linux/security.h
+++ b/include/linux/security.h
@@ -189,9 +189,9 @@  static inline const char *kernel_load_data_id_str(enum kernel_load_data_id id)
 
 #ifdef CONFIG_SECURITY
 
-int call_lsm_notifier(enum lsm_event event, void *data);
-int register_lsm_notifier(struct notifier_block *nb);
-int unregister_lsm_notifier(struct notifier_block *nb);
+int call_blocking_lsm_notifier(enum lsm_event event, void *data);
+int register_blocking_lsm_notifier(struct notifier_block *nb);
+int unregister_blocking_lsm_notifier(struct notifier_block *nb);
 
 /* prototypes */
 extern int security_init(void);
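Review bot: The rename here covers only the three prototypes under `#ifdef CONFIG_SECURITY`; if this header also carries `static inline` stubs for these functions in its `#else` branch (outside this hunk, so not visible here), they would keep the old names. The drivers/infiniband/core/device.c hunks call `register_blocking_lsm_notifier()` and `unregister_blocking_lsm_notifier()` with no config guard visible, so a build without CONFIG_SECURITY would then fail on an undeclared function. Any such stub should be renamed in the same patch, for example `static inline int register_blocking_lsm_notifier(struct notifier_block *nb)` returning 0.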
diff --git a/security/security.c b/security/security.c
index c01a88f65ad8..6bfc7636ddb7 100644
--- a/security/security.c
+++ b/security/security.c
@@ -39,7 +39,7 @@ 
 #define LSM_COUNT (__end_lsm_info - __start_lsm_info)
 
 struct security_hook_heads security_hook_heads __lsm_ro_after_init;
-static ATOMIC_NOTIFIER_HEAD(lsm_notifier_chain);
+static BLOCKING_NOTIFIER_HEAD(blocking_lsm_notifier_chain);
 
 static struct kmem_cache *lsm_file_cache;
 static struct kmem_cache *lsm_inode_cache;
@@ -430,23 +430,26 @@  void __init security_add_hooks(struct security_hook_list *hooks, int count,
 		panic("%s - Cannot get early memory.\n", __func__);
 }
 
-int call_lsm_notifier(enum lsm_event event, void *data)
+int call_blocking_lsm_notifier(enum lsm_event event, void *data)
 {
-	return atomic_notifier_call_chain(&lsm_notifier_chain, event, data);
+	return blocking_notifier_call_chain(&blocking_lsm_notifier_chain,
+					    event, data);
 }
-EXPORT_SYMBOL(call_lsm_notifier);
+EXPORT_SYMBOL(call_blocking_lsm_notifier);
 
-int register_lsm_notifier(struct notifier_block *nb)
+int register_blocking_lsm_notifier(struct notifier_block *nb)
 {
-	return atomic_notifier_chain_register(&lsm_notifier_chain, nb);
+	return blocking_notifier_chain_register(&blocking_lsm_notifier_chain,
+						nb);
 }
-EXPORT_SYMBOL(register_lsm_notifier);
+EXPORT_SYMBOL(register_blocking_lsm_notifier);
 
-int unregister_lsm_notifier(struct notifier_block *nb)
+int unregister_blocking_lsm_notifier(struct notifier_block *nb)
 {
-	return atomic_notifier_chain_unregister(&lsm_notifier_chain, nb);
+	return blocking_notifier_chain_unregister(&blocking_lsm_notifier_chain,
+						  nb);
 }
-EXPORT_SYMBOL(unregister_lsm_notifier);
+EXPORT_SYMBOL(unregister_blocking_lsm_notifier);
 
 /**
  * lsm_cred_alloc - allocate a composite cred blob
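Review bot: The exported `call_blocking_lsm_notifier()` carries no comment stating its new calling-context requirement: `blocking_notifier_call_chain()` takes the chain's rwsem and may sleep, whereas the atomic chain it replaces could be invoked from atomic context. I would add above the function `/* May sleep: call only from process context, never under a spinlock or from IRQ context. */`, and a matching line on the register/unregister helpers. The two SELinux call sites changed later in this patch (`selinux_lsm_notifier_avc_callback()` and `sel_write_enforce()`) inherit that constraint; their callers are outside the hunks, so it should be confirmed that every path into them is sleepable. The same applies to the `BLOCKING_NOTIFIER_HEAD` declaration in the previous hunk of this file.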
diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c
index c61787b15f27..c1e37018c8eb 100644
--- a/security/selinux/hooks.c
+++ b/security/selinux/hooks.c
@@ -197,7 +197,7 @@  static int selinux_lsm_notifier_avc_callback(u32 event)
 {
 	if (event == AVC_CALLBACK_RESET) {
 		sel_ib_pkey_flush();
-		call_lsm_notifier(LSM_POLICY_CHANGE, NULL);
+		call_blocking_lsm_notifier(LSM_POLICY_CHANGE, NULL);
 	}
 
 	return 0;
diff --git a/security/selinux/selinuxfs.c b/security/selinux/selinuxfs.c
index 145ee62f205a..1e2e3e4b5fdb 100644
--- a/security/selinux/selinuxfs.c
+++ b/security/selinux/selinuxfs.c
@@ -180,7 +180,7 @@  static ssize_t sel_write_enforce(struct file *file, const char __user *buf,
 		selnl_notify_setenforce(new_value);
 		selinux_status_update_setenforce(state, new_value);
 		if (!new_value)
-			call_lsm_notifier(LSM_POLICY_CHANGE, NULL);
+			call_blocking_lsm_notifier(LSM_POLICY_CHANGE, NULL);
 	}
 	length = count;
 out: