selinux: move status variables out of selinux_ss
diff mbox series

Message ID 20200117131514.496122-1-omosnace@redhat.com
State Accepted
Headers show
Series
  • selinux: move status variables out of selinux_ss
Related show

Commit Message

Ondrej Mosnacek Jan. 17, 2020, 1:15 p.m. UTC
It fits more naturally in selinux_state, since it reflects also global
state (the enforcing and policyload fields).

Signed-off-by: Ondrej Mosnacek <omosnace@redhat.com>
---
 security/selinux/Makefile           |  4 ++--
 security/selinux/hooks.c            |  1 +
 security/selinux/include/security.h |  4 ++++
 security/selinux/ss/services.c      |  2 --
 security/selinux/ss/services.h      |  2 --
 security/selinux/{ss => }/status.c  | 32 ++++++++++++++---------------
 6 files changed, 23 insertions(+), 22 deletions(-)
 rename security/selinux/{ss => }/status.c (81%)

Comments

Stephen Smalley Jan. 17, 2020, 7:48 p.m. UTC | #1
On 1/17/20 8:15 AM, Ondrej Mosnacek wrote:
> It fits more naturally in selinux_state, since it reflects also global
> state (the enforcing and policyload fields).
> 
> Signed-off-by: Ondrej Mosnacek <omosnace@redhat.com>

Reviewed-by: Stephen Smalley <sds@tycho.nsa.gov>

> ---
>   security/selinux/Makefile           |  4 ++--
>   security/selinux/hooks.c            |  1 +
>   security/selinux/include/security.h |  4 ++++
>   security/selinux/ss/services.c      |  2 --
>   security/selinux/ss/services.h      |  2 --
>   security/selinux/{ss => }/status.c  | 32 ++++++++++++++---------------
>   6 files changed, 23 insertions(+), 22 deletions(-)
>   rename security/selinux/{ss => }/status.c (81%)

[...]
Paul Moore Jan. 31, 2020, 3:38 a.m. UTC | #2
On Fri, Jan 17, 2020 at 8:15 AM Ondrej Mosnacek <omosnace@redhat.com> wrote:
>
> It fits more naturally in selinux_state, since it reflects also global
> state (the enforcing and policyload fields).
>
> Signed-off-by: Ondrej Mosnacek <omosnace@redhat.com>
> ---
>  security/selinux/Makefile           |  4 ++--
>  security/selinux/hooks.c            |  1 +
>  security/selinux/include/security.h |  4 ++++
>  security/selinux/ss/services.c      |  2 --
>  security/selinux/ss/services.h      |  2 --
>  security/selinux/{ss => }/status.c  | 32 ++++++++++++++---------------
>  6 files changed, 23 insertions(+), 22 deletions(-)
>  rename security/selinux/{ss => }/status.c (81%)

Makes sense to me too.  I've queued this up in selinux/next, you'll
see it in the tree once the merge window closes.

Patch
diff mbox series

diff --git a/security/selinux/Makefile b/security/selinux/Makefile
index 2000f95fb197..0c77ede1cc11 100644
--- a/security/selinux/Makefile
+++ b/security/selinux/Makefile
@@ -6,9 +6,9 @@ 
 obj-$(CONFIG_SECURITY_SELINUX) := selinux.o
 
 selinux-y := avc.o hooks.o selinuxfs.o netlink.o nlmsgtab.o netif.o \
-	     netnode.o netport.o \
+	     netnode.o netport.o status.o \
 	     ss/ebitmap.o ss/hashtab.o ss/symtab.o ss/sidtab.o ss/avtab.o \
-	     ss/policydb.o ss/services.o ss/conditional.o ss/mls.o ss/status.o
+	     ss/policydb.o ss/services.o ss/conditional.o ss/mls.o
 
 selinux-$(CONFIG_SECURITY_NETWORK_XFRM) += xfrm.o
 
diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c
index 61085eb3cd24..f9224866d60a 100644
--- a/security/selinux/hooks.c
+++ b/security/selinux/hooks.c
@@ -7156,6 +7156,7 @@  static __init int selinux_init(void)
 	selinux_state.checkreqprot = selinux_checkreqprot_boot;
 	selinux_ss_init(&selinux_state.ss);
 	selinux_avc_init(&selinux_state.avc);
+	mutex_init(&selinux_state.status_lock);
 
 	/* Set the security state for the initial task. */
 	cred_init_security();
diff --git a/security/selinux/include/security.h b/security/selinux/include/security.h
index a39f9565d80b..f3a621058aba 100644
--- a/security/selinux/include/security.h
+++ b/security/selinux/include/security.h
@@ -108,6 +108,10 @@  struct selinux_state {
 	bool checkreqprot;
 	bool initialized;
 	bool policycap[__POLICYDB_CAPABILITY_MAX];
+
+	struct page *status_page;
+	struct mutex status_lock;
+
 	struct selinux_avc *avc;
 	struct selinux_ss *ss;
 } __randomize_layout;
diff --git a/security/selinux/ss/services.c b/security/selinux/ss/services.c
index 216ce602a2b5..5cf491768142 100644
--- a/security/selinux/ss/services.c
+++ b/security/selinux/ss/services.c
@@ -46,7 +46,6 @@ 
 #include <linux/in.h>
 #include <linux/sched.h>
 #include <linux/audit.h>
-#include <linux/mutex.h>
 #include <linux/vmalloc.h>
 #include <net/netlabel.h>
 
@@ -81,7 +80,6 @@  static struct selinux_ss selinux_ss;
 void selinux_ss_init(struct selinux_ss **ss)
 {
 	rwlock_init(&selinux_ss.policy_rwlock);
-	mutex_init(&selinux_ss.status_lock);
 	*ss = &selinux_ss;
 }
 
diff --git a/security/selinux/ss/services.h b/security/selinux/ss/services.h
index c5896f39e8f6..e9bddf33e53d 100644
--- a/security/selinux/ss/services.h
+++ b/security/selinux/ss/services.h
@@ -29,8 +29,6 @@  struct selinux_ss {
 	rwlock_t policy_rwlock;
 	u32 latest_granting;
 	struct selinux_map map;
-	struct page *status_page;
-	struct mutex status_lock;
 } __randomize_layout;
 
 void services_compute_xperms_drivers(struct extended_perms *xperms,
diff --git a/security/selinux/ss/status.c b/security/selinux/status.c
similarity index 81%
rename from security/selinux/ss/status.c
rename to security/selinux/status.c
index 3c554a442467..4bc8f809934c 100644
--- a/security/selinux/ss/status.c
+++ b/security/selinux/status.c
@@ -11,7 +11,7 @@ 
 #include <linux/mm.h>
 #include <linux/mutex.h>
 #include "avc.h"
-#include "services.h"
+#include "security.h"
 
 /*
  * The selinux_status_page shall be exposed to userspace applications
@@ -44,12 +44,12 @@  struct page *selinux_kernel_status_page(struct selinux_state *state)
 	struct selinux_kernel_status   *status;
 	struct page		       *result = NULL;
 
-	mutex_lock(&state->ss->status_lock);
-	if (!state->ss->status_page) {
-		state->ss->status_page = alloc_page(GFP_KERNEL|__GFP_ZERO);
+	mutex_lock(&state->status_lock);
+	if (!state->status_page) {
+		state->status_page = alloc_page(GFP_KERNEL|__GFP_ZERO);
 
-		if (state->ss->status_page) {
-			status = page_address(state->ss->status_page);
+		if (state->status_page) {
+			status = page_address(state->status_page);
 
 			status->version = SELINUX_KERNEL_STATUS_VERSION;
 			status->sequence = 0;
@@ -65,8 +65,8 @@  struct page *selinux_kernel_status_page(struct selinux_state *state)
 				!security_get_allow_unknown(state);
 		}
 	}
-	result = state->ss->status_page;
-	mutex_unlock(&state->ss->status_lock);
+	result = state->status_page;
+	mutex_unlock(&state->status_lock);
 
 	return result;
 }
@@ -81,9 +81,9 @@  void selinux_status_update_setenforce(struct selinux_state *state,
 {
 	struct selinux_kernel_status   *status;
 
-	mutex_lock(&state->ss->status_lock);
-	if (state->ss->status_page) {
-		status = page_address(state->ss->status_page);
+	mutex_lock(&state->status_lock);
+	if (state->status_page) {
+		status = page_address(state->status_page);
 
 		status->sequence++;
 		smp_wmb();
@@ -93,7 +93,7 @@  void selinux_status_update_setenforce(struct selinux_state *state,
 		smp_wmb();
 		status->sequence++;
 	}
-	mutex_unlock(&state->ss->status_lock);
+	mutex_unlock(&state->status_lock);
 }
 
 /*
@@ -107,9 +107,9 @@  void selinux_status_update_policyload(struct selinux_state *state,
 {
 	struct selinux_kernel_status   *status;
 
-	mutex_lock(&state->ss->status_lock);
-	if (state->ss->status_page) {
-		status = page_address(state->ss->status_page);
+	mutex_lock(&state->status_lock);
+	if (state->status_page) {
+		status = page_address(state->status_page);
 
 		status->sequence++;
 		smp_wmb();
@@ -120,5 +120,5 @@  void selinux_status_update_policyload(struct selinux_state *state,
 		smp_wmb();
 		status->sequence++;
 	}
-	mutex_unlock(&state->ss->status_lock);
+	mutex_unlock(&state->status_lock);
 }