Re: [RFC PATCH 2/2] selinux: Propagate RCU walk status from 'security_inode_follow_link()'

[Will Deacon]

Hi Stephen,

Thanks for the quick review.

On Tue, Nov 19, 2019 at 01:46:37PM -0500, Stephen Smalley wrote:
> On 11/19/19 1:40 PM, Will Deacon wrote:
> > 'selinux_inode_follow_link()' can be called as part of an RCU path walk,
> > and is passed a 'bool rcu' parameter to indicate whether or not it is
> > being called from within an RCU read-side critical section.
> > 
> > Unfortunately, this knowledge is not propagated further and, instead,
> > 'avc_has_perm()' unconditionally passes a flags argument of '0' to both
> > 'avc_has_perm_noaudit()' and 'avc_audit()' which may block.
> > 
> > Introduce 'avc_has_perm_flags()' which can be used safely from within an
> > RCU read-side critical section.
> 
> Please see e46e01eebbbcf2ff6d28ee7cae9f117e9d1572c8 ("selinux: stop passing
> MAY_NOT_BLOCK to the AVC upon follow_link").

Ha, not sure how I missed that -- my patch is almost a direct revert,
including the name 'avs_has_perm_flags()'! My only concern is that the
commit message for e46e01eebbbc asserts that the only use of MAY_NOT_BLOCK
is in slow_avc_audit(), but AVC_NONBLOCKING is used more widely than that.

For example:

	selinux_inode_follow_link()
	  -> avc_has_perm()
	    -> avc_has_perm_noaudit()
	      -> avc_denied()
	        -> avc_update_node()

where we return early if AVC_NONBLOCKING is set, except flags are always
zero on this path.

Will