From patchwork Tue Mar 18 08:33:34 2025
X-Patchwork-Submitter: Christian Göttsche
X-Patchwork-Id: 14020590
From: Christian Göttsche
Cc: Christian Göttsche, Paul Moore, Stephen Smalley, Ondrej Mosnacek, Thiébaud Weksteen, Bram Bonné, Casey Schaufler, Canfeng Guo, GUO Zihua, selinux@vger.kernel.org, linux-kernel@vger.kernel.org
Subject: [RFC PATCH 1/6] selinux: constify network address pointer
Date: Tue, 18 Mar 2025 09:33:34 +0100
Message-ID: <20250318083422.21489-6-cgoettsche@seltendoof.de>
In-Reply-To: <20250318083422.21489-1-cgoettsche@seltendoof.de>
References: <20250318083422.21489-1-cgoettsche@seltendoof.de>
Reply-To: cgzones@googlemail.com

From: Christian Göttsche

The network address, either an IPv4 or IPv6 one, is not modified.

Signed-off-by: Christian Göttsche
---
 security/selinux/include/netnode.h  | 2 +-
 security/selinux/include/security.h | 2 +-
 security/selinux/netnode.c          | 8 ++++----
 security/selinux/ss/services.c      | 4 ++--
 4 files changed, 8 insertions(+), 8 deletions(-)

diff --git a/security/selinux/include/netnode.h b/security/selinux/include/netnode.h
index 9b8b655a8cd3..e4dc904c3585 100644
--- a/security/selinux/include/netnode.h +++ b/security/selinux/include/netnode.h @@ -21,6 +21,6 @@ void sel_netnode_flush(void); -int sel_netnode_sid(void *addr, u16 family, u32 *sid); +int sel_netnode_sid(const void *addr, u16 family, u32 *sid); #endif diff --git a/security/selinux/include/security.h b/security/selinux/include/security.h index e7827ed7be5f..278c144c22d6 100644 --- a/security/selinux/include/security.h +++ b/security/selinux/include/security.h @@ -309,7 +309,7 @@ int security_ib_endport_sid(const char *dev_name, u8 port_num, u32 *out_sid); int security_netif_sid(const char *name, u32 *if_sid); -int security_node_sid(u16 domain, void *addr, u32 addrlen, u32 *out_sid); +int security_node_sid(u16 domain, const void *addr, u32 addrlen, u32 *out_sid); int security_validate_transition(u32 oldsid, u32 newsid, u32 tasksid, u16 tclass); diff --git a/security/selinux/netnode.c b/security/selinux/netnode.c index 5c8c77e50aad..b7900d5ae557 100644 --- a/security/selinux/netnode.c +++ b/security/selinux/netnode.c @@ -187,7 +187,7 @@ static void sel_netnode_insert(struct sel_netnode *node) * failure. * */ -static int sel_netnode_sid_slow(void *addr, u16 family, u32 *sid) +static int sel_netnode_sid_slow(const void *addr, u16 family, u32 *sid) { int ret; struct sel_netnode *node; @@ -207,13 +207,13 @@ static int sel_netnode_sid_slow(void *addr, u16 family, u32 *sid) ret = security_node_sid(PF_INET, addr, sizeof(struct in_addr), sid); if (new) - new->nsec.addr.ipv4 = *(__be32 *)addr; + new->nsec.addr.ipv4 = *(const __be32 *)addr; break; case PF_INET6: ret = security_node_sid(PF_INET6, addr, sizeof(struct in6_addr), sid); if (new) - new->nsec.addr.ipv6 = *(struct in6_addr *)addr; + new->nsec.addr.ipv6 = *(const struct in6_addr *)addr; break; default: BUG(); 
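Review bot: the netnode.c hunks constify `addr` in sel_netnode_sid_slow() (and sel_netnode_sid() in the following hunk), but the diffstat accounts for exactly these four changed lines in netnode.c, so sel_netnode_find() and the hash helpers keep whatever signature they have today. sel_netnode_sid() hands the now `const void *addr` straight to `sel_netnode_find(addr, family)` (visible in the 3/6 context), so if that function still takes `void *` the build warns with -Wdiscarded-qualifiers; either it already takes `const void *`, in which case a sentence in the commit message saying so would help, or it needs converting in this same patch so that every step of the series builds cleanly.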
@@ -247,7 +247,7 @@ static int sel_netnode_sid_slow(void *addr, u16 family, u32 *sid) * on failure. * */ -int sel_netnode_sid(void *addr, u16 family, u32 *sid) +int sel_netnode_sid(const void *addr, u16 family, u32 *sid) { struct sel_netnode *node; diff --git a/security/selinux/ss/services.c b/security/selinux/ss/services.c index e431772c6168..ec9ddfccc7ee 100644 --- a/security/selinux/ss/services.c +++ b/security/selinux/ss/services.c @@ -2643,7 +2643,7 @@ static bool match_ipv6_addrmask(const u32 input[4], const u32 addr[4], const u32 * @out_sid: security identifier */ int security_node_sid(u16 domain, - void *addrp, + const void *addrp, u32 addrlen, u32 *out_sid) { 
@@ -2672,7 +2672,7 @@ int security_node_sid(u16 domain, if (addrlen != sizeof(u32)) goto out; - addr = *((u32 *)addrp); + addr = *((const u32 *)addrp); c = policydb->ocontexts[OCON_NODE]; while (c) {

From patchwork Tue Mar 18 08:33:29 2025
X-Patchwork-Submitter: Christian Göttsche
X-Patchwork-Id: 14020585
From: Christian Göttsche
Cc: Christian Göttsche, Paul Moore, Stephen Smalley, Ondrej Mosnacek, Casey Schaufler, John Johansen, Thiébaud Weksteen, Bram Bonné, Canfeng Guo, GUO Zihua, selinux@vger.kernel.org, linux-kernel@vger.kernel.org
Subject: [RFC PATCH 2/6] selinux: constify network namespace pointer
Date: Tue, 18 Mar 2025 09:33:29 +0100
Message-ID: <20250318083422.21489-1-cgoettsche@seltendoof.de>
Reply-To: cgzones@googlemail.com

From: Christian Göttsche

The network namespace is not modified.

Signed-off-by: Christian Göttsche
---
 security/selinux/include/objsec.h | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/security/selinux/include/objsec.h b/security/selinux/include/objsec.h
index c88cae81ee4c..b11c97c9feed 100644
--- a/security/selinux/include/objsec.h
+++ b/security/selinux/include/objsec.h
@@ -82,7 +82,7 @@ struct ipc_security_struct { }; struct netif_security_struct { - struct net *ns; /* network namespace */ + const struct net *ns; /* network namespace */ int ifindex; /* device index */ u32 sid; /* SID for this interface */ };

From patchwork Tue Mar 18 08:33:30 2025
X-Patchwork-Submitter: Christian Göttsche
X-Patchwork-Id: 14020586
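Review bot: making the stored `ns` const is sound because the cache only assigns and compares it (`new->nsec.ns = ns;` in the 5/6 netif.c context), but the one-line commit message should say why the parameters of sel_netif_sid()/sel_netif_sid_slow() stay `struct net *` (the prototype `int sel_netif_sid(struct net *ns, int ifindex, u32 *sid);` is visible in the 6/6 netif.h context): the slow path calls dev_get_by_index(ns, ifindex), which takes a non-const `struct net *`, so the member can be const while the function arguments cannot without a cast. Without that sentence the next reader will ask why the constification stops at the struct member.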
From: Christian Göttsche
Cc: Christian Göttsche, Paul Moore, Stephen Smalley, Ondrej Mosnacek, Thiébaud Weksteen, Bram Bonné, Casey Schaufler, Canfeng Guo, GUO Zihua, selinux@vger.kernel.org, linux-kernel@vger.kernel.org
Subject: [RFC PATCH 3/6] selinux: add likely hints for fast paths
Date: Tue, 18 Mar 2025 09:33:30 +0100
Message-ID: <20250318083422.21489-2-cgoettsche@seltendoof.de>
In-Reply-To: <20250318083422.21489-1-cgoettsche@seltendoof.de>
References: <20250318083422.21489-1-cgoettsche@seltendoof.de>
Reply-To: cgzones@googlemail.com

From: Christian Göttsche

In the network hashtable lookup code add likely() compiler hints in the fast path, like already done in sel_netif_sid().
Signed-off-by: Christian Göttsche --- security/selinux/ibpkey.c | 2 +- security/selinux/netnode.c | 2 +- security/selinux/netport.c | 2 +- 3 files changed, 3 insertions(+), 3 deletions(-) diff --git a/security/selinux/ibpkey.c b/security/selinux/ibpkey.c index 48f537b41c58..94f3eef22bad 100644 --- a/security/selinux/ibpkey.c +++ b/security/selinux/ibpkey.c @@ -184,7 +184,7 @@ int sel_ib_pkey_sid(u64 subnet_prefix, u16 pkey_num, u32 *sid) rcu_read_lock(); pkey = sel_ib_pkey_find(subnet_prefix, pkey_num); - if (pkey) { + if (likely(pkey)) { *sid = pkey->psec.sid; rcu_read_unlock(); return 0; diff --git a/security/selinux/netnode.c b/security/selinux/netnode.c index b7900d5ae557..8bb456d80dd5 100644 --- a/security/selinux/netnode.c +++ b/security/selinux/netnode.c @@ -253,7 +253,7 @@ int sel_netnode_sid(const void *addr, u16 family, u32 *sid) rcu_read_lock(); node = sel_netnode_find(addr, family); - if (node != NULL) { + if (likely(node != NULL)) { *sid = node->nsec.sid; rcu_read_unlock(); return 0; diff --git a/security/selinux/netport.c b/security/selinux/netport.c index 2e22ad9c2bd0..7d2207384d40 100644 --- a/security/selinux/netport.c +++ b/security/selinux/netport.c 
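Review bot: the hunks are consistent with sel_netif_sid() but spell the test differently: ibpkey.c uses `likely(pkey)` while netnode.c (and the netport.c hunk that follows) use `likely(node != NULL)` / `likely(port != NULL)`; since the point of the patch is uniformity, pick one form. The hint also encodes an assumption the message should state, namely that hits dominate. Every miss goes to a slow path that takes a spinlock and performs a policy lookup, and after 5/6 a miss under memory pressure is not cached at all, so a workload that touches many distinct addresses or ports (a scan against the host, many short-lived connections) takes the mispredicted branch on every call. A sentence on what was measured, or at least on the expected hit ratio, would justify the annotation.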
@@ -186,7 +186,7 @@ int sel_netport_sid(u8 protocol, u16 pnum, u32 *sid) rcu_read_lock(); port = sel_netport_find(protocol, pnum); - if (port != NULL) { + if (likely(port != NULL)) { *sid = port->psec.sid; rcu_read_unlock(); return 0;

From patchwork Tue Mar 18 08:33:31 2025
X-Patchwork-Submitter: Christian Göttsche
X-Patchwork-Id: 14020587
From: Christian Göttsche
Cc: Christian Göttsche, Paul Moore, Stephen Smalley, Ondrej Mosnacek, Thiébaud Weksteen, Bram Bonné, Casey Schaufler, GUO Zihua, Canfeng Guo, selinux@vger.kernel.org, linux-kernel@vger.kernel.org
Subject: [RFC PATCH 4/6] selinux: improve network lookup failure warnings
Date: Tue, 18 Mar 2025 09:33:31 +0100
Message-ID: <20250318083422.21489-3-cgoettsche@seltendoof.de>
In-Reply-To: <20250318083422.21489-1-cgoettsche@seltendoof.de>
References: <20250318083422.21489-1-cgoettsche@seltendoof.de>
Reply-To: cgzones@googlemail.com

From: Christian Göttsche

Rate limit the warnings and include additional available information.

Signed-off-by: Christian Göttsche
---
 security/selinux/netif.c   | 8 ++++----
 security/selinux/netnode.c | 4 ++--
 security/selinux/netport.c | 4 ++--
 3 files changed, 8 insertions(+), 8 deletions(-)
diff --git a/security/selinux/netif.c b/security/selinux/netif.c index 43a0d3594b72..38fdba1e64bf 100644 --- a/security/selinux/netif.c +++ b/security/selinux/netif.c @@ -141,8 +141,8 @@ static int sel_netif_sid_slow(struct net *ns, int ifindex, u32 *sid) dev = dev_get_by_index(ns, ifindex); if (unlikely(dev == NULL)) { - pr_warn("SELinux: failure in %s(), invalid network interface (%d)\n", - __func__, ifindex); + pr_warn_ratelimited("SELinux: failure in %s(), invalid network interface (%d)\n", + __func__, ifindex); return -ENOENT; } @@ -169,8 +169,8 @@ static int sel_netif_sid_slow(struct net *ns, int ifindex, u32 *sid) spin_unlock_bh(&sel_netif_lock); dev_put(dev); if (unlikely(ret)) - pr_warn("SELinux: failure in %s(), unable to determine network interface label (%d)\n", - __func__, ifindex); + pr_warn_ratelimited("SELinux: failure in %s(), unable to determine network interface label (%d): %d\n", + __func__, ifindex, ret); return ret; } diff --git a/security/selinux/netnode.c b/security/selinux/netnode.c index 8bb456d80dd5..76cf531af110 100644 --- a/security/selinux/netnode.c +++ b/security/selinux/netnode.c @@ -228,8 +228,8 @@ static int sel_netnode_sid_slow(const void *addr, u16 family, u32 *sid) spin_unlock_bh(&sel_netnode_lock); if (unlikely(ret)) - pr_warn("SELinux: failure in %s(), unable to determine network node label\n", - __func__); + pr_warn_ratelimited("SELinux: failure in %s(), unable to determine network node label (%d): %d\n", + __func__, family, ret); return ret; } diff --git a/security/selinux/netport.c b/security/selinux/netport.c index 7d2207384d40..dadf14984fb4 100644 --- a/security/selinux/netport.c +++ b/security/selinux/netport.c 
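Review bot: the netnode.c hunk prints only `family` in the new "(%d)" field, which distinguishes PF_INET from PF_INET6 and nothing else; `addr` is in scope and the function already switches on family, so `%pI4` / `%pI6c` on the address would make the warning actionable. The bare parenthesised numbers are also ambiguous to whoever reads the log: "family %u" and "err %d" (and, in the netport.c hunk that follows, "proto %u port %u") read better than "(%d): %d" and "(%d:%d): %d". Switching to pr_warn_ratelimited() is the right call: these slow paths run for every new interface, address or port a socket touches, so a persistent policy lookup error would otherwise turn ordinary traffic into a log-flooding vector; the ratelimit state is per call site with the default interval and burst, which is fine here.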
@@ -162,8 +162,8 @@ static int sel_netport_sid_slow(u8 protocol, u16 pnum, u32 *sid) out: spin_unlock_bh(&sel_netport_lock); if (unlikely(ret)) - pr_warn("SELinux: failure in %s(), unable to determine network port label\n", - __func__); + pr_warn_ratelimited("SELinux: failure in %s(), unable to determine network port label (%d:%d): %d\n", + __func__, protocol, pnum, ret); return ret; }

From patchwork Tue Mar 18 08:33:32 2025
X-Patchwork-Submitter: Christian Göttsche
X-Patchwork-Id: 14020588
From: Christian Göttsche
Cc: Christian Göttsche, Paul Moore, Stephen Smalley, Ondrej Mosnacek, Thiébaud Weksteen, Bram Bonné, Casey Schaufler, Canfeng Guo, GUO Zihua, Chen Zhou, selinux@vger.kernel.org, linux-kernel@vger.kernel.org
Subject: [RFC PATCH 5/6] selinux: unify OOM handling in network hashtables
Date: Tue, 18 Mar 2025 09:33:32 +0100
Message-ID: <20250318083422.21489-4-cgoettsche@seltendoof.de>
In-Reply-To: <20250318083422.21489-1-cgoettsche@seltendoof.de>
References: <20250318083422.21489-1-cgoettsche@seltendoof.de>
Reply-To: cgzones@googlemail.com
From: Christian Göttsche

For network objects, like interfaces, nodes, ports and InfiniBands, the object to SID lookup is cached in hashtables. OOM during such hashtable additions of new objects is considered non-fatal and the computed SID is simply returned without adding the compute result into the hash table.

Actually ignore OOM in the InfiniBand code, despite the comment already suggesting to do so. This reverts commit c350f8bea271 ("selinux: Fix error return code in sel_ib_pkey_sid_slow()").

Add comments in the other places.

Use kmalloc() instead of kzalloc(), since all members are initialized on success and the data is only used in internal hash tables, so no risk of information leakage to userspace.

Fixes: c350f8bea271 ("selinux: Fix error return code in sel_ib_pkey_sid_slow()")
Signed-off-by: Christian Göttsche
---
 security/selinux/ibpkey.c  | 11 +++++------
 security/selinux/netif.c   |  6 +++++-
 security/selinux/netnode.c |  5 ++++-
 security/selinux/netport.c |  6 +++++-
 4 files changed, 19 insertions(+), 9 deletions(-)

diff --git a/security/selinux/ibpkey.c b/security/selinux/ibpkey.c
index 94f3eef22bad..470481cfe0e8 100644
--- a/security/selinux/ibpkey.c
+++ b/security/selinux/ibpkey.c
@@ -130,7 +130,7 @@ static int sel_ib_pkey_sid_slow(u64 subnet_prefix, u16 pkey_num, u32 *sid) { int ret; struct sel_ib_pkey *pkey; - struct sel_ib_pkey *new = NULL; + struct sel_ib_pkey *new; unsigned long flags; spin_lock_irqsave(&sel_ib_pkey_lock, flags); @@ -146,12 +146,11 @@ static int sel_ib_pkey_sid_slow(u64 subnet_prefix, u16 pkey_num, u32 *sid) if (ret) goto out; - /* If this memory allocation fails still return 0. The SID - * is valid, it just won't be added to the cache. - */ - new = kzalloc(sizeof(*new), GFP_ATOMIC); + new = kmalloc(sizeof(*new), GFP_ATOMIC); if (!new) { - ret = -ENOMEM; + /* If this memory allocation fails still return 0. The SID + * is valid, it just won't be added to the cache. + */ goto out; }
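Review bot: dropping the `= NULL` initialiser of `new` in the first ibpkey.c hunk is only safe if nothing after `out:` dereferences or frees `new` on the early `if (ret) goto out;` path; that code is outside the hunk, so please confirm it (the commit being reverted suggests `out:` only releases sel_ib_pkey_lock, but the hunk no longer proves it). Separately, carrying both "This reverts commit c350f8bea271" and `Fixes: c350f8bea271` pulls in opposite directions: the Fixes: tag will get this queued for stable, yet the change restores a deliberate design choice (a valid SID that merely is not cached) rather than fixing a crash or a leak. Either state what user-visible breakage returning -ENOMEM from the pkey lookup caused and keep the tag, or drop it and leave the revert note.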
diff --git a/security/selinux/netif.c b/security/selinux/netif.c index 38fdba1e64bf..2ab7fe9e1ea2 100644 --- a/security/selinux/netif.c +++ b/security/selinux/netif.c @@ -156,7 +156,11 @@ static int sel_netif_sid_slow(struct net *ns, int ifindex, u32 *sid) ret = security_netif_sid(dev->name, sid); if (ret != 0) goto out; - new = kzalloc(sizeof(*new), GFP_ATOMIC); + + /* If this memory allocation fails still return 0. The SID + * is valid, it just won't be added to the cache. + */ + new = kmalloc(sizeof(*new), GFP_ATOMIC); if (new) { new->nsec.ns = ns; new->nsec.ifindex = ifindex; diff --git a/security/selinux/netnode.c b/security/selinux/netnode.c index 76cf531af110..15fdf385062e 100644 --- a/security/selinux/netnode.c +++ b/security/selinux/netnode.c @@ -201,7 +201,10 @@ static int sel_netnode_sid_slow(const void *addr, u16 family, u32 *sid) return 0; } - new = kzalloc(sizeof(*new), GFP_ATOMIC); + /* If this memory allocation fails still return 0. The SID + * is valid, it just won't be added to the cache. + */ + new = kmalloc(sizeof(*new), GFP_ATOMIC); switch (family) { case PF_INET: ret = security_node_sid(PF_INET, diff --git a/security/selinux/netport.c b/security/selinux/netport.c index dadf14984fb4..648c2bce83a7 100644 --- a/security/selinux/netport.c +++ b/security/selinux/netport.c 
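Review bot: in the netnode.c hunk the switch to kmalloc() leaves part of `new->nsec.addr` uninitialised. The 1/6 hunks show it holds either `addr.ipv4` (__be32) or `addr.ipv6` (struct in6_addr), so an IPv4 entry writes 4 bytes of a 16-byte member and whichever bytes the family does not use keep whatever kmalloc() handed out. That is harmless only if sel_netnode_find() and the hash functions dispatch on `family` and never compare or hash the whole address storage; if they do, or if someone later adds a memcmp() over the union, IPv4 lookups miss nondeterministically and the table silently degrades to the slow path. Either keep kzalloc() for netnode or state that invariant in the commit message next to the "all members are initialized" claim. The netif.c hunk (and the netport.c hunk that follows) are fine as long as `sid` is assigned alongside `ns`/`ifindex` and `port`/`protocol`; that assignment sits just outside the shown context.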
@@ -151,7 +151,11 @@ static int sel_netport_sid_slow(u8 protocol, u16 pnum, u32 *sid) ret = security_port_sid(protocol, pnum, sid); if (ret != 0) goto out; - new = kzalloc(sizeof(*new), GFP_ATOMIC); + + /* If this memory allocation fails still return 0. The SID + * is valid, it just won't be added to the cache. + */ + new = kmalloc(sizeof(*new), GFP_ATOMIC); if (new) { new->psec.port = pnum; new->psec.protocol = protocol;

From patchwork Tue Mar 18 08:33:33 2025
X-Patchwork-Submitter: Christian Göttsche
X-Patchwork-Id: 14020589
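The OOM policy that 5/6 unifies (compute the SID, try to cache it, report success either way) is easy to get wrong in both directions: failing closed turns memory pressure into spurious permission errors, while failing open without a way to observe it lets a never-populated cache hide a broken allocator. The following is an added example, not code from the patch series or the kernel: a userspace C model of one of these tables (ports) with an injectable allocator so that both outcomes can be exercised. `policy_port_sid()` stands in for security_port_sid(), and its rules, the SID numbers, `PORT_HASH_SIZE` and the `port_sid*` / `port_cache_*` names are all invented for the illustration.

```c
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Added example, not kernel code: a userspace model of one SELinux network
 * object cache (ports) with the OOM policy that 5/6 unifies. policy_port_sid()
 * stands in for security_port_sid(); its rules and SID numbers are invented. */

#define PORT_HASH_SIZE 16

struct port_entry {
	struct port_entry *next;
	uint8_t proto;
	uint16_t port;
	uint32_t sid;
};

static struct port_entry *port_hash[PORT_HASH_SIZE];
static unsigned int port_cache_entries;
static int alloc_should_fail;	/* test knob standing in for GFP_ATOMIC failure */

/* Constructed policy lookup: a few labelled ports, a default label, one error. */
static int policy_port_sid(uint8_t proto, uint16_t port, uint32_t *sid)
{
	if (port == 0)
		return -EINVAL;	/* hypothetical policy error: must fail closed */
	if (proto == 6 && port == 22)
		*sid = 100;	/* think ssh_port_t */
	else if (proto == 6 && port == 80)
		*sid = 101;	/* think http_port_t */
	else if (proto == 17 && port == 53)
		*sid = 102;	/* think dns_port_t */
	else
		*sid = 1;	/* default label for unlisted ports */
	return 0;
}

static void *cache_alloc(size_t n)
{
	return alloc_should_fail ? NULL : malloc(n);
}

static unsigned int port_hash_fn(uint8_t proto, uint16_t port)
{
	return (port ^ ((unsigned int)proto << 8)) & (PORT_HASH_SIZE - 1);
}

static struct port_entry *port_find(uint8_t proto, uint16_t port)
{
	struct port_entry *e;

	for (e = port_hash[port_hash_fn(proto, port)]; e; e = e->next)
		if (e->proto == proto && e->port == port)
			return e;
	return NULL;
}

/* Slow path shaped like sel_netport_sid_slow() after 5/6: compute the SID,
 * then try to cache it. A policy error propagates (fail closed); a cache
 * allocation failure does not (the SID is valid, it just stays uncached). */
static int port_sid_slow(uint8_t proto, uint16_t port, uint32_t *sid)
{
	struct port_entry *e;
	unsigned int idx;
	int ret = policy_port_sid(proto, port, sid);

	if (ret)
		return ret;
	e = cache_alloc(sizeof(*e));
	if (!e)
		return 0;
	/* Every member is written before insertion; that property is what
	 * makes a non-zeroing allocation acceptable here. */
	e->proto = proto;
	e->port = port;
	e->sid = *sid;
	idx = port_hash_fn(proto, port);
	e->next = port_hash[idx];
	port_hash[idx] = e;
	port_cache_entries++;
	return 0;
}

/* Lookup entry point: cache hit on the fast path, slow path otherwise. */
int port_sid(uint8_t proto, uint16_t port, uint32_t *sid)
{
	struct port_entry *e = port_find(proto, port);

	if (e) {
		*sid = e->sid;
		return 0;
	}
	return port_sid_slow(proto, port, sid);
}

/* Label-only convenience: 0 on lookup error (no real SID is ever 0 here). */
uint32_t port_sid_or_zero(uint8_t proto, uint16_t port)
{
	uint32_t sid;

	return port_sid(proto, port, &sid) ? 0 : sid;
}

unsigned int port_cache_size(void) { return port_cache_entries; }
void port_cache_set_oom(int fail) { alloc_should_fail = fail; }

int main(void)
{
	port_cache_set_oom(1);
	printf("under OOM: sid=%u cached=%u\n", port_sid_or_zero(6, 22), port_cache_size());
	port_cache_set_oom(0);
	printf("normal:    sid=%u cached=%u\n", port_sid_or_zero(6, 22), port_cache_size());
	return 0;
}
```

The design point is the asymmetry: a policy error fails closed, a cache allocation failure fails open, and port_cache_size() is what makes the second case observable, which is the role the stats files in 6/6 play for the real tables. The same shape applies to the netif, netnode and ibpkey tables; only the key fields differ.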
From: Christian Göttsche
Cc: Christian Göttsche, Paul Moore, Stephen Smalley, Ondrej Mosnacek, Thiébaud Weksteen, Bram Bonné, Casey Schaufler, Canfeng Guo, GUO Zihua, selinux@vger.kernel.org, linux-kernel@vger.kernel.org
Subject: [RFC PATCH 6/6] selinux: add cache stats for network tables
Date: Tue, 18 Mar 2025 09:33:33 +0100
Message-ID: <20250318083422.21489-5-cgoettsche@seltendoof.de>
In-Reply-To: <20250318083422.21489-1-cgoettsche@seltendoof.de>
References: <20250318083422.21489-1-cgoettsche@seltendoof.de>
Reply-To: cgzones@googlemail.com
From: Christian Göttsche Export utilization statistics for network object labeling related hash tables, similar to AVC and SID hash tables, to userspace via new selinuxfs files under /stats/. Guard this functionality with a new compile time option SECURITY_SELINUX_NETTABLE_STATS. Signed-off-by: Christian Göttsche --- security/selinux/Kconfig | 8 ++ security/selinux/ibpkey.c | 33 +++++++ security/selinux/include/ibpkey.h | 5 + security/selinux/include/netif.h | 4 + security/selinux/include/netnode.h | 4 + security/selinux/include/netport.h | 4 + security/selinux/netif.c | 39 ++++++++ security/selinux/netnode.c | 33 +++++++ security/selinux/netport.c | 33 +++++++ security/selinux/selinuxfs.c | 152 ++++++++++++++++++++++++++++- 10 files changed, 313 insertions(+), 2 deletions(-) diff --git a/security/selinux/Kconfig b/security/selinux/Kconfig index 61abc1e094a8..cae0c7b2c994 100644 --- a/security/selinux/Kconfig +++ b/security/selinux/Kconfig @@ -46,6 +46,14 @@ config SECURITY_SELINUX_AVC_STATS /sys/fs/selinux/avc/cache_stats, which may be monitored via tools such as avcstat. +config SECURITY_SELINUX_NETTABLE_STATS + bool "SELinux Network Hashtable Statistics" + depends on SECURITY_SELINUX + default y + help + This option collects network hash table statistics to + /sys/fs/selinux/stats/. + config SECURITY_SELINUX_SIDTAB_HASH_BITS int "SELinux sidtab hashtable size" depends on SECURITY_SELINUX diff --git a/security/selinux/ibpkey.c b/security/selinux/ibpkey.c index 470481cfe0e8..c1ad58297ac4 100644 --- a/security/selinux/ibpkey.c +++ b/security/selinux/ibpkey.c 
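Review bot: the Kconfig help text says the option "collects network hash table statistics to /sys/fs/selinux/stats/", but nothing is collected continuously; the numbers are computed on each read by walking the buckets (as the ibpkey.c hunk that follows shows), so "exports ... via read-only files under /sys/fs/selinux/stats/" describes it more accurately. `default y` is consistent with SECURITY_SELINUX_AVC_STATS right above it, but the help should list which files appear (ibpkey, netif, netnode, netport) so that an administrator can tell from `make menuconfig` what the option adds to selinuxfs.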
@@ -218,6 +218,39 @@ void sel_ib_pkey_flush(void) spin_unlock_irqrestore(&sel_ib_pkey_lock, flags); } +#ifdef CONFIG_SECURITY_SELINUX_NETTABLE_STATS +/** + * sel_ib_pkey_get_hash_stats - Dump pkey table statistics + * @page: the page sized buffer to write to + * + * Description: + * Make the utilization of the hash table available for userspace for + * introspection. + * + */ +int sel_ib_pkey_get_hash_stats(char *page) +{ + unsigned int idx, chain_len, max_chain_len = 0, slots_used = 0, total = 0; + unsigned long long chain2_len_sum = 0; + + for (idx = 0; idx < SEL_PKEY_HASH_SIZE; idx++) { + chain_len = sel_ib_pkey_hash[idx].size; + + if (chain_len > 0) + slots_used++; + if (chain_len > max_chain_len) + max_chain_len = chain_len; + total += chain_len; + chain2_len_sum += (unsigned long long)chain_len * chain_len; + } + + return scnprintf(page, PAGE_SIZE, "entries: %d\nbuckets used: %d/%d\n" + "longest chain: %d\nsum of chain length^2: %llu\n", + total, slots_used, SEL_PKEY_HASH_SIZE, max_chain_len, + chain2_len_sum); +} +#endif /* CONFIG_SECURITY_SELINUX_NETTABLE_STATS */ + static __init int sel_ib_pkey_init(void) { int iter; diff --git a/security/selinux/include/ibpkey.h b/security/selinux/include/ibpkey.h index 875b055849e1..2d84877fc8c5 100644 --- a/security/selinux/include/ibpkey.h +++ b/security/selinux/include/ibpkey.h @@ -20,6 +20,11 @@ #ifdef CONFIG_SECURITY_INFINIBAND void sel_ib_pkey_flush(void); int sel_ib_pkey_sid(u64 subnet_prefix, u16 pkey, u32 *sid); + +#ifdef CONFIG_SECURITY_SELINUX_NETTABLE_STATS +int sel_ib_pkey_get_hash_stats(char *page); +#endif + #else static inline void sel_ib_pkey_flush(void) { diff --git a/security/selinux/include/netif.h b/security/selinux/include/netif.h index 2838bdc170dd..7246eb3ebc71 100644 --- a/security/selinux/include/netif.h +++ b/security/selinux/include/netif.h 
@@ -21,4 +21,8 @@ void sel_netif_flush(void); int sel_netif_sid(struct net *ns, int ifindex, u32 *sid); +#ifdef CONFIG_SECURITY_SELINUX_NETTABLE_STATS +int sel_netif_get_hash_stats(char *page); +#endif + #endif /* _SELINUX_NETIF_H_ */ diff --git a/security/selinux/include/netnode.h b/security/selinux/include/netnode.h index e4dc904c3585..897c72b4b664 100644 --- a/security/selinux/include/netnode.h +++ b/security/selinux/include/netnode.h @@ -23,4 +23,8 @@ void sel_netnode_flush(void); int sel_netnode_sid(const void *addr, u16 family, u32 *sid); +#ifdef CONFIG_SECURITY_SELINUX_NETTABLE_STATS +int sel_netnode_get_hash_stats(char *page); +#endif + #endif diff --git a/security/selinux/include/netport.h b/security/selinux/include/netport.h index 9096a8289948..1b9744656616 100644 --- a/security/selinux/include/netport.h +++ b/security/selinux/include/netport.h @@ -22,4 +22,8 @@ void sel_netport_flush(void); int sel_netport_sid(u8 protocol, u16 pnum, u32 *sid); +#ifdef CONFIG_SECURITY_SELINUX_NETTABLE_STATS +int sel_netport_get_hash_stats(char *page); +#endif + #endif diff --git a/security/selinux/netif.c b/security/selinux/netif.c index 2ab7fe9e1ea2..f7bdf75f871e 100644 --- a/security/selinux/netif.c +++ b/security/selinux/netif.c 
@@ -250,6 +250,45 @@ void sel_netif_flush(void) spin_unlock_bh(&sel_netif_lock); } +#ifdef CONFIG_SECURITY_SELINUX_NETTABLE_STATS +/** + * sel_netif_get_hash_stats - Dump network interface table statistics + * @page: the page sized buffer to write to + * + * Description: + * Make the utilization of the hash table available for userspace for + * introspection. + * + */ +int sel_netif_get_hash_stats(char *page) +{ + unsigned int idx, chain_len, max_chain_len = 0, slots_used = 0, total = 0; + unsigned long long chain2_len_sum = 0; + const struct sel_netif *netif; + + rcu_read_lock(); + for (idx = 0; idx < SEL_NETIF_HASH_SIZE; idx++) { + chain_len = 0; + + list_for_each_entry_rcu(netif, &sel_netif_hash[idx], list) + chain_len++; + + if (chain_len > 0) + slots_used++; + if (chain_len > max_chain_len) + max_chain_len = chain_len; + total += chain_len; + chain2_len_sum += (unsigned long long)chain_len * chain_len; + } + rcu_read_unlock(); + + return scnprintf(page, PAGE_SIZE, "entries: %d/%d\nbuckets used: %d/%d\n" + "longest chain: %d\nsum of chain length^2: %llu\n", + total, SEL_NETIF_HASH_MAX, slots_used, SEL_NETIF_HASH_SIZE, + max_chain_len, chain2_len_sum); +} +#endif /* CONFIG_SECURITY_SELINUX_NETTABLE_STATS */ + static int sel_netif_netdev_notifier_handler(struct notifier_block *this, unsigned long event, void *ptr) { diff --git a/security/selinux/netnode.c b/security/selinux/netnode.c index 15fdf385062e..0e380ee82eb2 100644 --- a/security/selinux/netnode.c +++ b/security/selinux/netnode.c 
@@ -290,6 +290,39 @@ void sel_netnode_flush(void) spin_unlock_bh(&sel_netnode_lock); } +#ifdef CONFIG_SECURITY_SELINUX_NETTABLE_STATS +/** + * sel_netnode_get_hash_stats - Dump network address table statistics + * @page: the page sized buffer to write to + * + * Description: + * Make the utilization of the hash table available for userspace for + * introspection. + * + */ +int sel_netnode_get_hash_stats(char *page) +{ + unsigned int idx, chain_len, max_chain_len = 0, slots_used = 0, total = 0; + unsigned long long chain2_len_sum = 0; + + for (idx = 0; idx < SEL_NETNODE_HASH_SIZE; idx++) { + chain_len = sel_netnode_hash[idx].size; + + if (chain_len > 0) + slots_used++; + if (chain_len > max_chain_len) + max_chain_len = chain_len; + total += chain_len; + chain2_len_sum += (unsigned long long)chain_len * chain_len; + } + + return scnprintf(page, PAGE_SIZE, "entries: %d\nbuckets used: %d/%d\n" + "longest chain: %d\nsum of chain length^2: %llu\n", + total, slots_used, SEL_NETNODE_HASH_SIZE, max_chain_len, + chain2_len_sum); +} +#endif /* CONFIG_SECURITY_SELINUX_NETTABLE_STATS */ + static __init int sel_netnode_init(void) { int iter; diff --git a/security/selinux/netport.c b/security/selinux/netport.c index 648c2bce83a7..2a315dcc4344 100644 --- a/security/selinux/netport.c +++ b/security/selinux/netport.c 
@@ -224,6 +224,39 @@ void sel_netport_flush(void) spin_unlock_bh(&sel_netport_lock); } +#ifdef CONFIG_SECURITY_SELINUX_NETTABLE_STATS +/** + * sel_netport_get_hash_stats - Dump network port table statistics + * @page: the page sized buffer to write to + * + * Description: + * Make the utilization of the hash table available for userspace for + * introspection. + * + */ +int sel_netport_get_hash_stats(char *page) +{ + unsigned int idx, chain_len, max_chain_len = 0, slots_used = 0, total = 0; + unsigned long long chain2_len_sum = 0; + + for (idx = 0; idx < SEL_NETPORT_HASH_SIZE; idx++) { + chain_len = sel_netport_hash[idx].size; + + if (chain_len > 0) + slots_used++; + if (chain_len > max_chain_len) + max_chain_len = chain_len; + total += chain_len; + chain2_len_sum += (unsigned long long)chain_len * chain_len; + } + + return scnprintf(page, PAGE_SIZE, "entries: %d\nbuckets used: %d/%d\n" + "longest chain: %d\nsum of chain length^2: %llu\n", + total, slots_used, SEL_NETPORT_HASH_SIZE, max_chain_len, + chain2_len_sum); +} +#endif /* CONFIG_SECURITY_SELINUX_NETTABLE_STATS */ + static __init int sel_netport_init(void) { int iter; diff --git a/security/selinux/selinuxfs.c b/security/selinux/selinuxfs.c index 47480eb2189b..815c509a633b 100644 --- a/security/selinux/selinuxfs.c +++ b/security/selinux/selinuxfs.c @@ -42,6 +42,10 @@ #include "objsec.h" #include "conditional.h" #include "ima.h" +#include "ibpkey.h" +#include "netif.h" +#include "netnode.h" +#include "netport.h" enum sel_inos { SEL_ROOT_INO = 2, 
@@ -1619,6 +1623,138 @@ static int sel_make_avc_files(struct dentry *dir) return 0; } +#ifdef CONFIG_SECURITY_SELINUX_NETTABLE_STATS +static ssize_t sel_read_netif_stats(struct file *filp, char __user *buf, + size_t count, loff_t *ppos) +{ + char *page; + ssize_t length; + + page = (char *)__get_free_page(GFP_KERNEL); + if (!page) + return -ENOMEM; + + length = sel_netif_get_hash_stats(page); + if (length >= 0) + length = simple_read_from_buffer(buf, count, ppos, page, length); + free_page((unsigned long)page); + + return length; +} + +static const struct file_operations sel_netif_stats_ops = { + .read = sel_read_netif_stats, + .llseek = generic_file_llseek, +}; + +static ssize_t sel_read_netnode_stats(struct file *filp, char __user *buf, + size_t count, loff_t *ppos) +{ + char *page; + ssize_t length; + + page = (char *)__get_free_page(GFP_KERNEL); + if (!page) + return -ENOMEM; + + length = sel_netnode_get_hash_stats(page); + if (length >= 0) + length = simple_read_from_buffer(buf, count, ppos, page, length); + free_page((unsigned long)page); + + return length; +} + +static const struct file_operations sel_netnode_stats_ops = { + .read = sel_read_netnode_stats, + .llseek = generic_file_llseek, +}; + +static ssize_t sel_read_netport_stats(struct file *filp, char __user *buf, + size_t count, loff_t *ppos) +{ + char *page; + ssize_t length; + + page = (char *)__get_free_page(GFP_KERNEL); + if (!page) + return -ENOMEM; + + length = sel_netport_get_hash_stats(page); + if (length >= 0) + length = simple_read_from_buffer(buf, count, ppos, page, length); + free_page((unsigned long)page); + + return length; +} + +static const struct file_operations sel_netport_stats_ops = { + .read = sel_read_netport_stats, + .llseek = generic_file_llseek, +}; + +#ifdef CONFIG_SECURITY_INFINIBAND +static ssize_t sel_read_ib_pkey_stats(struct file *filp, char __user *buf, + size_t count, loff_t *ppos) +{ + char *page; + ssize_t length; + + page = (char *)__get_free_page(GFP_KERNEL); + if 
(!page) + return -ENOMEM; + + length = sel_ib_pkey_get_hash_stats(page); + if (length >= 0) + length = simple_read_from_buffer(buf, count, ppos, page, length); + free_page((unsigned long)page); + + return length; +} + +static const struct file_operations sel_ib_pkey_stats_ops = { + .read = sel_read_ib_pkey_stats, + .llseek = generic_file_llseek, +}; +#endif /* CONFIG_SECURITY_INFINIBAND */ + +static int sel_make_stats_files(struct dentry *dir) +{ + struct super_block *sb = dir->d_sb; + struct selinux_fs_info *fsi = sb->s_fs_info; + unsigned int i; + static const struct tree_descr files[] = { + { "netif_hash_stats", &sel_netif_stats_ops, 0444 }, + { "netnode_hash_stats", &sel_netnode_stats_ops, 0444 }, + { "netport_hash_stats", &sel_netport_stats_ops, 0444 }, +#ifdef CONFIG_SECURITY_INFINIBAND + { "ibpkey_hash_stats", &sel_ib_pkey_stats_ops, 0444 }, +#endif + }; + + for (i = 0; i < ARRAY_SIZE(files); i++) { + struct inode *inode; + struct dentry *dentry; + + dentry = d_alloc_name(dir, files[i].name); + if (!dentry) + return -ENOMEM; + + inode = sel_make_inode(dir->d_sb, S_IFREG|files[i].mode); + if (!inode) { + dput(dentry); + return -ENOMEM; + } + + inode->i_fop = files[i].ops; + inode->i_ino = ++fsi->last_ino; + d_add(dentry, inode); + } + + return 0; +} +#endif /* CONFIG_SECURITY_SELINUX_NETTABLE_STATS */ + static int sel_make_ss_files(struct dentry *dir) { struct super_block *sb = dir->d_sb; @@ -2051,6 +2187,18 @@ static int sel_fill_super(struct super_block *sb, struct fs_context *fc) if (ret) goto err; +#ifdef CONFIG_SECURITY_SELINUX_NETTABLE_STATS + dentry = sel_make_dir(sb->s_root, "stats", &fsi->last_ino); + if (IS_ERR(dentry)) { + ret = PTR_ERR(dentry); + goto err; + } + + ret = sel_make_stats_files(dentry); + if (ret) + goto err; +#endif /* CONFIG_SECURITY_SELINUX_NETTABLE_STATS */ + dentry = sel_make_dir(sb->s_root, "ss", &fsi->last_ino); if (IS_ERR(dentry)) { ret = PTR_ERR(dentry); 
@@ -2094,8 +2242,8 @@ static int sel_fill_super(struct super_block *sb, struct fs_context *fc) return 0; err: - pr_err("SELinux: %s: failed while creating inodes\n", - __func__); + pr_err("SELinux: %s: failed while creating inodes: %d\n", + __func__, ret); selinux_fs_info_free(sb);
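Review bot: the Kconfig help text for SECURITY_SELINUX_NETTABLE_STATS reads oddly ("collects network hash table statistics to /sys/fs/selinux/stats/") and does not say which tables are covered or why a reader would want the numbers; suggest wording parallel to the SECURITY_SELINUX_AVC_STATS entry directly above it, e.g. "This option exposes utilization statistics for the netif, netnode, netport and (with CONFIG_SECURITY_INFINIBAND) ibpkey hash tables under /sys/fs/selinux/stats/ for introspection from userspace." Since the option is default y, the help should also make clear that the extra selinuxfs files appear on every build unless it is switched off.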
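Review bot: sel_ib_pkey_get_hash_stats() in the ibpkey.c hunk reads sel_ib_pkey_hash[idx].size with no lock and no RCU section, while sel_ib_pkey_flush() just above drops sel_ib_pkey_lock with spin_unlock_irqrestore(), so those counters are written under the spinlock; the netif variant in this same patch at least walks its buckets under rcu_read_lock(). Either take the lock around the loop, or use READ_ONCE() on .size and state in the kernel-doc that the snapshot is racy by design. The counters total, slots_used and max_chain_len are unsigned int but printed with %d; use %u. Also, netif prints "entries: %d/%d" with its maximum while this table prints "entries: %d" without one; one common line format across the four files would let a single userspace tool parse all of them.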
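Review bot: the #ifdef CONFIG_SECURITY_SELINUX_NETTABLE_STATS guards around the four new prototypes in ibpkey.h, netif.h, netnode.h and netport.h add nothing: an unused declaration is harmless, and the only callers in selinuxfs.c already sit under the same ifdef. Dropping the guards leaves one ifdef per definition instead of one per definition plus one per declaration. The ibpkey.h prototype is correctly nested inside #ifdef CONFIG_SECURITY_INFINIBAND, matching the guard used for the ibpkey file in selinuxfs.c.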
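Review bot: in sel_netif_get_hash_stats() the list walk under rcu_read_lock() is the right approach, but total, slots_used and max_chain_len are declared unsigned int and printed with %d; use %u. Counting every entry of every bucket is O(entries) per read of the file, which is acceptable given the table is bounded by SEL_NETIF_HASH_MAX, but a one-line comment saying so would stop the next reader from wondering why no cached total is used.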
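Review bot: sel_netnode_get_hash_stats() and sel_netport_get_hash_stats() have the same unsynchronized read of sel_netnode_hash[idx].size and sel_netport_hash[idx].size as the ibpkey hunk: sel_netnode_flush() and sel_netport_flush() immediately above release sel_netnode_lock and sel_netport_lock with spin_unlock_bh(), so the sizes are updated under those locks. Wrap the loop in spin_lock_bh()/spin_unlock_bh(), or use READ_ONCE() and document the racy snapshot, and fix %d to %u for the unsigned int counters in both functions.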
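Review bot: sel_read_netif_stats(), sel_read_netnode_stats(), sel_read_netport_stats() and sel_read_ib_pkey_stats() are four copies of one body that differ only in the *_get_hash_stats() call; a single static helper taking an int (*fn)(char *) with four one-line wrappers, or one read routine that fetches the callback from file_inode(filp)->i_private after sel_make_stats_files() stores it there from an extended local descriptor, would remove most of the added lines in selinuxfs.c. The "if (length >= 0)" test is dead because scnprintf() never returns a negative value; either drop it or have the callbacks return a real error. In sel_make_stats_files(), sb is only used to reach fsi while the inode is created with dir->d_sb; use one or the other consistently.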
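Review bot: the new selinuxfs directory is named "stats" but only ever holds network-table statistics, while the AVC statistics stay under avc/ (see the cache_stats path in the Kconfig context) and the ss/ directory is created right after it in sel_fill_super(); either give the directory a name that says what it holds, or state in the Kconfig help that stats/ is meant as the home for further statistics files. The name becomes userspace ABI once merged, so it is worth settling at the RFC stage. The error handling around sel_make_dir() and sel_make_stats_files() mirrors the ss/ block that follows, which is fine.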
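Review bot: the pr_err() change in sel_fill_super() that appends ret to the "failed while creating inodes" message is a useful diagnostic but unrelated to the statistics files; split it into its own patch so it can be applied on its own and this patch stays limited to the new feature.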
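To show how the four lines each new stats file prints can be consumed, here is an added userspace example; it is not part of the patch or of the kernel tree. It assumes only the output format of the scnprintf() calls in the patch (netif prints "entries: N/MAX", the other tables print "entries: N"); the two dumps are constructed for the example and the thresholds in assess() are arbitrary defaults. The "sum of chain length^2" line is the informative one: for n entries placed in m buckets by a uniform hash its expected value is n + n(n-1)/m (each of the n(n-1)/2 pairs collides with probability 1/m and every collision adds 2), so the ratio of the reported value to that figure measures clustering independently of table size.

```python
"""Consume the text format emitted by the patch's *_hash_stats files.

Added example, not part of the patch: a userspace reader that parses the
four lines each file prints and judges whether the table is evenly loaded.
The two sample dumps below are constructed for the example.
"""
import math
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample dumps in the format of the patch's scnprintf() calls.
SAMPLE_NETIF = (
    "entries: 37/1024\n"
    "buckets used: 30/64\n"
    "longest chain: 3\n"
    "sum of chain length^2: 53\n"
)
SAMPLE_NETPORT_SKEWED = (
    "entries: 48\n"
    "buckets used: 4/256\n"
    "longest chain: 40\n"
    "sum of chain length^2: 1624\n"
)

_LINE_RE = {
    "entries": re.compile(r"^entries: (\d+)(?:/(\d+))?$"),
    "used": re.compile(r"^buckets used: (\d+)/(\d+)$"),
    "longest": re.compile(r"^longest chain: (\d+)$"),
    "sum_sq": re.compile(r"^sum of chain length\^2: (\d+)$"),
}


@dataclass(frozen=True)
class HashStats:
    entries: int
    entries_max: Optional[int]  # only the netif table reports a maximum
    used: int
    buckets: int
    longest: int
    sum_sq: int

    @property
    def load_factor(self) -> float:
        return self.entries / self.buckets

    @property
    def expected_sum_sq(self) -> float:
        # sum(c_i^2) = n + 2 * colliding pairs; a uniform hash puts each of
        # the n(n-1)/2 pairs into the same bucket with probability 1/m.
        n, m = self.entries, self.buckets
        return n + n * (n - 1) / m

    @property
    def collision_ratio(self) -> float:
        # ~1.0 for a uniform hash; well above 1 means keys are clustering.
        exp = self.expected_sum_sq
        return self.sum_sq / exp if exp else 0.0


def _min_sum_sq(n: int, k: int) -> int:
    """Smallest sum of c_i^2 when n entries occupy exactly k buckets."""
    q, r = divmod(n, k)
    return k * q * q + r * (2 * q + 1)


def parse_hash_stats(text: str) -> HashStats:
    """Parse one *_hash_stats dump and reject internally inconsistent values."""
    fields = {}
    for line in text.splitlines():
        for key, rx in _LINE_RE.items():
            m = rx.match(line)
            if m:
                fields[key] = m
                break
        else:
            raise ValueError(f"unrecognised line: {line!r}")
    if set(fields) != set(_LINE_RE):
        missing = ", ".join(sorted(set(_LINE_RE) - set(fields)))
        raise ValueError(f"missing line(s): {missing}")

    n_max = fields["entries"].group(2)
    st = HashStats(
        entries=int(fields["entries"].group(1)),
        entries_max=int(n_max) if n_max else None,
        used=int(fields["used"].group(1)),
        buckets=int(fields["used"].group(2)),
        longest=int(fields["longest"].group(1)),
        sum_sq=int(fields["sum_sq"].group(1)),
    )
    # Sanity checks: reject values that no real chain layout can produce.
    if st.buckets == 0 or st.used > st.buckets:
        raise ValueError("buckets used exceeds table size")
    if st.entries_max is not None and st.entries > st.entries_max:
        raise ValueError("entries exceeds reported maximum")
    if st.entries == 0:
        if st.used or st.longest or st.sum_sq:
            raise ValueError("empty table with non-zero chain data")
        return st
    if st.used == 0 or st.used > st.entries:
        raise ValueError("buckets used inconsistent with entry count")
    if not math.ceil(st.entries / st.used) <= st.longest <= st.entries - st.used + 1:
        raise ValueError("longest chain impossible for entries/buckets used")
    lo = _min_sum_sq(st.entries, st.used)
    hi = (st.entries - st.used + 1) ** 2 + (st.used - 1)
    if not lo <= st.sum_sq <= hi:
        raise ValueError(f"sum of chain length^2 outside [{lo}, {hi}]")
    return st


def assess(st: HashStats, ratio_limit: float = 2.0, chain_limit: int = 8) -> list:
    """Return human-readable warnings; an empty list means the table looks healthy."""
    warnings = []
    if st.entries and st.collision_ratio > ratio_limit:
        warnings.append(f"skew: sum of chain length^2 is {st.collision_ratio:.1f}x "
                        f"the uniform-hash expectation ({st.expected_sum_sq:.1f})")
    if st.longest > chain_limit:
        warnings.append(f"long chain: {st.longest} entries in one bucket")
    if st.load_factor > 1.0:
        warnings.append(f"overfull: load factor {st.load_factor:.2f} > 1")
    return warnings


if __name__ == "__main__":
    for name, dump in (("netif", SAMPLE_NETIF), ("netport", SAMPLE_NETPORT_SKEWED)):
        st = parse_hash_stats(dump)
        print(name, f"load={st.load_factor:.2f}", f"ratio={st.collision_ratio:.2f}",
              assess(st) or "ok")
```

On a kernel carrying the patch, feed the contents of the files under /sys/fs/selinux/stats/ to parse_hash_stats(). The consistency checks in the parser reject a dump that no real chain layout could produce, which is worth having for files whose values are gathered as a point-in-time snapshot rather than under a lock.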