Re: [PATCH] selinux:Significant reduce of preempt_disable holds

From: Stephen Smalley
Date: Wed Jan 17 2018 - 11:15:34 EST

Next message: Arnaldo Carvalho de Melo: "[PATCH 26/32] perf util: Improve error checking for time percent input"
Previous message: Maxime Chevallier: "[PATCH] spi: a3700: Add full-duplex support"
In reply to: peter.enderborg: "[PATCH] selinux:Significant reduce of preempt_disable holds"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

On Wed, 2018-01-17 at 15:55 +0100, peter.enderborg@xxxxxxxx wrote:
> From: Peter Enderborg <peter.enderborg@xxxxxxxx>
>
> Holding the preempt_disable is very bad for low latency tasks
> as audio and therefore we need to break out the rule-set dependent
> part from this disable. By using a rwsem instead of rwlock we
> have an efficient locking and less preemption interference.
>
> Selinux uses a lot of read_locks. This patch replaces the rwlock
> with rwsem/percpu_down_read() that does not hold preempt_disable.

Many of these functions are called while holding spinlocks, and some of
them are called from interrupt. Unless I misunderstand, you can't just
replace read_lock() with percpu_down_read(), which might sleep.

What you might be able to do is to convert the whole thing to RCU, but
this would require reworking how policy booleans are changed and how
policy is reloaded.

You might also try increasing your AVC size via
/sys/fs/selinux/avc/cache_threshold to reduce cache misses and thus
calls to security_compute_av().

>
> Intel Xeon W3520 2.67 Ghz running FC27 with 4.15.0-rc8git
> (+measurement)
> I get preempt_disable in worst case for 1.2ms in
> security_compute_av().
> With the patch I get 960us as the longest security_compute_av()
> without preempt disabeld. It very much noise in the measurement
> but it is not likely a degrade.
>
> And the preempt_disable times is also very dependent on the selinux
> rule-set.
>
> In security_get_user_sids() we have two nested for-loops and the
> inner part calls sittab_context_to_sid() that calls
> sidtab_search_context() that has a for loop() over a while() where
> the loops is dependent on the rules.
>
> On the test system the average lookup time is 60us and does
> not change with the rwsem usage.
>
> Reported-by: BjÃrn Davidsson <bjorn.davidsson@xxxxxxxx>
> Signed-off-by: Peter Enderborg <peter.enderborg@xxxxxxxx>
> ---
> Âsecurity/selinux/ss/services.c | 134 ++++++++++++++++++++-----------
> ----------
> Â1 file changed, 67 insertions(+), 67 deletions(-)
>
> diff --git a/security/selinux/ss/services.c
> b/security/selinux/ss/services.c
> index 33cfe5d..a3daaf2 100644
> --- a/security/selinux/ss/services.c
> +++ b/security/selinux/ss/services.c
> @@ -87,7 +87,7 @@ int selinux_policycap_alwaysnetwork;
> Âint selinux_policycap_cgroupseclabel;
> Âint selinux_policycap_nnp_nosuid_transition;
> Â
> -static DEFINE_RWLOCK(policy_rwlock);
> +DEFINE_STATIC_PERCPU_RWSEM(policy_rwsem);
> Â
> Âstatic struct sidtab sidtab;
> Âstruct policydb policydb;
> @@ -779,7 +779,7 @@ static int security_compute_validatetrans(u32
> oldsid, u32 newsid, u32 tasksid,
> Â if (!ss_initialized)
> Â return 0;
> Â
> - read_lock(&policy_rwlock);
> + percpu_down_read(&policy_rwsem);
> Â
> Â if (!user)
> Â tclass = unmap_class(orig_tclass);
> @@ -833,7 +833,7 @@ static int security_compute_validatetrans(u32
> oldsid, u32 newsid, u32 tasksid,
> Â }
> Â
> Âout:
> - read_unlock(&policy_rwlock);
> + percpu_up_read(&policy_rwsem);
> Â return rc;
> Â}
> Â
> @@ -867,7 +867,7 @@ int security_bounded_transition(u32 old_sid, u32
> new_sid)
> Â int index;
> Â int rc;
> Â
> - read_lock(&policy_rwlock);
> + percpu_down_read(&policy_rwsem);
> Â
> Â rc = -EINVAL;
> Â old_context = sidtab_search(&sidtab, old_sid);
> @@ -929,7 +929,7 @@ int security_bounded_transition(u32 old_sid, u32
> new_sid)
> Â kfree(old_name);
> Â }
> Âout:
> - read_unlock(&policy_rwlock);
> + percpu_up_read(&policy_rwsem);
> Â
> Â return rc;
> Â}
> @@ -1017,7 +1017,7 @@ void security_compute_xperms_decision(u32 ssid,
> Â memset(xpermd->auditallow->p, 0, sizeof(xpermd->auditallow-
> >p));
> Â memset(xpermd->dontaudit->p, 0, sizeof(xpermd->dontaudit-
> >p));
> Â
> - read_lock(&policy_rwlock);
> + percpu_down_read(&policy_rwsem);
> Â if (!ss_initialized)
> Â goto allow;
> Â
> @@ -1070,7 +1070,7 @@ void security_compute_xperms_decision(u32 ssid,
> Â }
> Â }
> Âout:
> - read_unlock(&policy_rwlock);
> + percpu_up_read(&policy_rwsem);
> Â return;
> Âallow:
> Â memset(xpermd->allowed->p, 0xff, sizeof(xpermd->allowed-
> >p));
> @@ -1097,7 +1097,7 @@ void security_compute_av(u32 ssid,
> Â u16 tclass;
> Â struct context *scontext = NULL, *tcontext = NULL;
> Â
> - read_lock(&policy_rwlock);
> + percpu_down_read(&policy_rwsem);
> Â avd_init(avd);
> Â xperms->len = 0;
> Â if (!ss_initialized)
> @@ -1130,7 +1130,7 @@ void security_compute_av(u32 ssid,
> Â context_struct_compute_av(scontext, tcontext, tclass, avd,
> xperms);
> Â map_decision(orig_tclass, avd, policydb.allow_unknown);
> Âout:
> - read_unlock(&policy_rwlock);
> + percpu_up_read(&policy_rwsem);
> Â return;
> Âallow:
> Â avd->allowed = 0xffffffff;
> @@ -1144,7 +1144,7 @@ void security_compute_av_user(u32 ssid,
> Â{
> Â struct context *scontext = NULL, *tcontext = NULL;
> Â
> - read_lock(&policy_rwlock);
> + percpu_down_read(&policy_rwsem);
> Â avd_init(avd);
> Â if (!ss_initialized)
> Â goto allow;
> @@ -1175,7 +1175,7 @@ void security_compute_av_user(u32 ssid,
> Â
> Â context_struct_compute_av(scontext, tcontext, tclass, avd,
> NULL);
> Â out:
> - read_unlock(&policy_rwlock);
> + percpu_up_read(&policy_rwsem);
> Â return;
> Âallow:
> Â avd->allowed = 0xffffffff;
> @@ -1277,7 +1277,7 @@ static int security_sid_to_context_core(u32
> sid, char **scontext,
> Â rc = -EINVAL;
> Â goto out;
> Â }
> - read_lock(&policy_rwlock);
> + percpu_down_read(&policy_rwsem);
> Â if (force)
> Â context = sidtab_search_force(&sidtab, sid);
> Â else
> @@ -1290,7 +1290,7 @@ static int security_sid_to_context_core(u32
> sid, char **scontext,
> Â }
> Â rc = context_struct_to_string(context, scontext,
> scontext_len);
> Âout_unlock:
> - read_unlock(&policy_rwlock);
> + percpu_up_read(&policy_rwsem);
> Âout:
> Â return rc;
> Â
> @@ -1442,7 +1442,7 @@ static int security_context_to_sid_core(const
> char *scontext, u32 scontext_len,
> Â goto out;
> Â }
> Â
> - read_lock(&policy_rwlock);
> + percpu_down_read(&policy_rwsem);
> Â rc = string_to_context_struct(&policydb, &sidtab, scontext2,
> Â ÂÂÂÂÂÂscontext_len, &context,
> def_sid);
> Â if (rc == -EINVAL && force) {
> @@ -1454,7 +1454,7 @@ static int security_context_to_sid_core(const
> char *scontext, u32 scontext_len,
> Â rc = sidtab_context_to_sid(&sidtab, &context, sid);
> Â context_destroy(&context);
> Âout_unlock:
> - read_unlock(&policy_rwlock);
> + percpu_up_read(&policy_rwsem);
> Âout:
> Â kfree(scontext2);
> Â kfree(str);
> @@ -1604,7 +1604,7 @@ static int security_compute_sid(u32 ssid,
> Â
> Â context_init(&newcontext);
> Â
> - read_lock(&policy_rwlock);
> + percpu_down_read(&policy_rwsem);
> Â
> Â if (kern) {
> Â tclass = unmap_class(orig_tclass);
> @@ -1738,7 +1738,7 @@ static int security_compute_sid(u32 ssid,
> Â /* Obtain the sid for the context. */
> Â rc = sidtab_context_to_sid(&sidtab, &newcontext, out_sid);
> Âout_unlock:
> - read_unlock(&policy_rwlock);
> + percpu_up_read(&policy_rwsem);
> Â context_destroy(&newcontext);
> Âout:
> Â return rc;
> @@ -2160,7 +2160,7 @@ int security_load_policy(void *data, size_t
> len)
> Â sidtab_set(&oldsidtab, &sidtab);
> Â
> Â /* Install the new policydb and SID table. */
> - write_lock_irq(&policy_rwlock);
> + percpu_down_write(&policy_rwsem);
> Â memcpy(&policydb, newpolicydb, sizeof(policydb));
> Â sidtab_set(&sidtab, &newsidtab);
> Â security_load_policycaps();
> @@ -2168,7 +2168,7 @@ int security_load_policy(void *data, size_t
> len)
> Â current_mapping = map;
> Â current_mapping_size = map_size;
> Â seqno = ++latest_granting;
> - write_unlock_irq(&policy_rwlock);
> + percpu_up_write(&policy_rwsem);
> Â
> Â /* Free the old policydb and SID table. */
> Â policydb_destroy(oldpolicydb);
> @@ -2198,9 +2198,9 @@ size_t security_policydb_len(void)
> Â{
> Â size_t len;
> Â
> - read_lock(&policy_rwlock);
> + percpu_down_read(&policy_rwsem);
> Â len = policydb.len;
> - read_unlock(&policy_rwlock);
> + percpu_up_read(&policy_rwsem);
> Â
> Â return len;
> Â}
> @@ -2216,7 +2216,7 @@ int security_port_sid(u8 protocol, u16 port,
> u32 *out_sid)
> Â struct ocontext *c;
> Â int rc = 0;
> Â
> - read_lock(&policy_rwlock);
> + percpu_down_read(&policy_rwsem);
> Â
> Â c = policydb.ocontexts[OCON_PORT];
> Â while (c) {
> @@ -2241,7 +2241,7 @@ int security_port_sid(u8 protocol, u16 port,
> u32 *out_sid)
> Â }
> Â
> Âout:
> - read_unlock(&policy_rwlock);
> + percpu_up_read(&policy_rwsem);
> Â return rc;
> Â}
> Â
> @@ -2256,7 +2256,7 @@ int security_ib_pkey_sid(u64 subnet_prefix, u16
> pkey_num, u32 *out_sid)
> Â struct ocontext *c;
> Â int rc = 0;
> Â
> - read_lock(&policy_rwlock);
> + percpu_down_read(&policy_rwsem);
> Â
> Â c = policydb.ocontexts[OCON_IBPKEY];
> Â while (c) {
> @@ -2281,7 +2281,7 @@ int security_ib_pkey_sid(u64 subnet_prefix, u16
> pkey_num, u32 *out_sid)
> Â *out_sid = SECINITSID_UNLABELED;
> Â
> Âout:
> - read_unlock(&policy_rwlock);
> + percpu_up_read(&policy_rwsem);
> Â return rc;
> Â}
> Â
> @@ -2296,7 +2296,7 @@ int security_ib_endport_sid(const char
> *dev_name, u8 port_num, u32 *out_sid)
> Â struct ocontext *c;
> Â int rc = 0;
> Â
> - read_lock(&policy_rwlock);
> + percpu_down_read(&policy_rwsem);
> Â
> Â c = policydb.ocontexts[OCON_IBENDPORT];
> Â while (c) {
> @@ -2322,7 +2322,7 @@ int security_ib_endport_sid(const char
> *dev_name, u8 port_num, u32 *out_sid)
> Â *out_sid = SECINITSID_UNLABELED;
> Â
> Âout:
> - read_unlock(&policy_rwlock);
> + percpu_up_read(&policy_rwsem);
> Â return rc;
> Â}
> Â
> @@ -2336,7 +2336,7 @@ int security_netif_sid(char *name, u32 *if_sid)
> Â int rc = 0;
> Â struct ocontext *c;
> Â
> - read_lock(&policy_rwlock);
> + percpu_down_read(&policy_rwsem);
> Â
> Â c = policydb.ocontexts[OCON_NETIF];
> Â while (c) {
> @@ -2363,7 +2363,7 @@ int security_netif_sid(char *name, u32 *if_sid)
> Â *if_sid = SECINITSID_NETIF;
> Â
> Âout:
> - read_unlock(&policy_rwlock);
> + percpu_up_read(&policy_rwsem);
> Â return rc;
> Â}
> Â
> @@ -2395,7 +2395,7 @@ int security_node_sid(u16 domain,
> Â int rc;
> Â struct ocontext *c;
> Â
> - read_lock(&policy_rwlock);
> + percpu_down_read(&policy_rwsem);
> Â
> Â switch (domain) {
> Â case AF_INET: {
> @@ -2450,7 +2450,7 @@ int security_node_sid(u16 domain,
> Â
> Â rc = 0;
> Âout:
> - read_unlock(&policy_rwlock);
> + percpu_up_read(&policy_rwsem);
> Â return rc;
> Â}
> Â
> @@ -2489,7 +2489,7 @@ int security_get_user_sids(u32 fromsid,
> Â if (!ss_initialized)
> Â goto out;
> Â
> - read_lock(&policy_rwlock);
> + percpu_down_read(&policy_rwsem);
> Â
> Â context_init(&usercon);
> Â
> @@ -2539,7 +2539,7 @@ int security_get_user_sids(u32 fromsid,
> Â }
> Â rc = 0;
> Âout_unlock:
> - read_unlock(&policy_rwlock);
> + percpu_up_read(&policy_rwsem);
> Â if (rc || !mynel) {
> Â kfree(mysids);
> Â goto out;
> @@ -2580,7 +2580,7 @@ int security_get_user_sids(u32 fromsid,
> Â * cannot support xattr or use a fixed labeling behavior like
> Â * transition SIDs or task SIDs.
> Â *
> - * The caller must acquire the policy_rwlock before calling this
> function.
> + * The caller must acquire the policy_rwsem before calling this
> function.
> Â */
> Âstatic inline int __security_genfs_sid(const char *fstype,
> Â ÂÂÂÂÂÂÂchar *path,
> @@ -2639,7 +2639,7 @@ static inline int __security_genfs_sid(const
> char *fstype,
> Â * @sclass: file security class
> Â * @sid: SID for path
> Â *
> - * Acquire policy_rwlock before calling __security_genfs_sid() and
> release
> + * Acquire policy_rwsem before calling __security_genfs_sid() and
> release
> Â * it afterward.
> Â */
> Âint security_genfs_sid(const char *fstype,
> @@ -2649,9 +2649,9 @@ int security_genfs_sid(const char *fstype,
> Â{
> Â int retval;
> Â
> - read_lock(&policy_rwlock);
> + percpu_down_read(&policy_rwsem);
> Â retval = __security_genfs_sid(fstype, path, orig_sclass,
> sid);
> - read_unlock(&policy_rwlock);
> + percpu_up_read(&policy_rwsem);
> Â return retval;
> Â}
> Â
> @@ -2666,7 +2666,7 @@ int security_fs_use(struct super_block *sb)
> Â struct superblock_security_struct *sbsec = sb->s_security;
> Â const char *fstype = sb->s_type->name;
> Â
> - read_lock(&policy_rwlock);
> + percpu_down_read(&policy_rwsem);
> Â
> Â c = policydb.ocontexts[OCON_FSUSE];
> Â while (c) {
> @@ -2696,7 +2696,7 @@ int security_fs_use(struct super_block *sb)
> Â }
> Â
> Âout:
> - read_unlock(&policy_rwlock);
> + percpu_up_read(&policy_rwsem);
> Â return rc;
> Â}
> Â
> @@ -2704,7 +2704,7 @@ int security_get_bools(int *len, char ***names,
> int **values)
> Â{
> Â int i, rc;
> Â
> - read_lock(&policy_rwlock);
> + percpu_down_read(&policy_rwsem);
> Â *names = NULL;
> Â *values = NULL;
> Â
> @@ -2733,7 +2733,7 @@ int security_get_bools(int *len, char ***names,
> int **values)
> Â }
> Â rc = 0;
> Âout:
> - read_unlock(&policy_rwlock);
> + percpu_up_read(&policy_rwsem);
> Â return rc;
> Âerr:
> Â if (*names) {
> @@ -2751,7 +2751,7 @@ int security_set_bools(int len, int *values)
> Â int lenp, seqno = 0;
> Â struct cond_node *cur;
> Â
> - write_lock_irq(&policy_rwlock);
> + percpu_down_write(&policy_rwsem);
> Â
> Â rc = -EFAULT;
> Â lenp = policydb.p_bools.nprim;
> @@ -2784,7 +2784,7 @@ int security_set_bools(int len, int *values)
> Â seqno = ++latest_granting;
> Â rc = 0;
> Âout:
> - write_unlock_irq(&policy_rwlock);
> + percpu_up_write(&policy_rwsem);
> Â if (!rc) {
> Â avc_ss_reset(seqno);
> Â selnl_notify_policyload(seqno);
> @@ -2799,7 +2799,7 @@ int security_get_bool_value(int index)
> Â int rc;
> Â int len;
> Â
> - read_lock(&policy_rwlock);
> + percpu_down_read(&policy_rwsem);
> Â
> Â rc = -EFAULT;
> Â len = policydb.p_bools.nprim;
> @@ -2808,7 +2808,7 @@ int security_get_bool_value(int index)
> Â
> Â rc = policydb.bool_val_to_struct[index]->state;
> Âout:
> - read_unlock(&policy_rwlock);
> + percpu_up_read(&policy_rwsem);
> Â return rc;
> Â}
> Â
> @@ -2864,7 +2864,7 @@ int security_sid_mls_copy(u32 sid, u32 mls_sid,
> u32 *new_sid)
> Â
> Â context_init(&newcon);
> Â
> - read_lock(&policy_rwlock);
> + percpu_down_read(&policy_rwsem);
> Â
> Â rc = -EINVAL;
> Â context1 = sidtab_search(&sidtab, sid);
> @@ -2906,7 +2906,7 @@ int security_sid_mls_copy(u32 sid, u32 mls_sid,
> u32 *new_sid)
> Â
> Â rc = sidtab_context_to_sid(&sidtab, &newcon, new_sid);
> Âout_unlock:
> - read_unlock(&policy_rwlock);
> + percpu_up_read(&policy_rwsem);
> Â context_destroy(&newcon);
> Âout:
> Â return rc;
> @@ -2963,7 +2963,7 @@ int security_net_peersid_resolve(u32 nlbl_sid,
> u32 nlbl_type,
> Â if (!policydb.mls_enabled)
> Â return 0;
> Â
> - read_lock(&policy_rwlock);
> + percpu_down_read(&policy_rwsem);
> Â
> Â rc = -EINVAL;
> Â nlbl_ctx = sidtab_search(&sidtab, nlbl_sid);
> @@ -2990,7 +2990,7 @@ int security_net_peersid_resolve(u32 nlbl_sid,
> u32 nlbl_type,
> Â Â* expressive */
> Â *peer_sid = xfrm_sid;
> Âout:
> - read_unlock(&policy_rwlock);
> + percpu_up_read(&policy_rwsem);
> Â return rc;
> Â}
> Â
> @@ -3011,7 +3011,7 @@ int security_get_classes(char ***classes, int
> *nclasses)
> Â{
> Â int rc;
> Â
> - read_lock(&policy_rwlock);
> + percpu_down_read(&policy_rwsem);
> Â
> Â rc = -ENOMEM;
> Â *nclasses = policydb.p_classes.nprim;
> @@ -3029,7 +3029,7 @@ int security_get_classes(char ***classes, int
> *nclasses)
> Â }
> Â
> Âout:
> - read_unlock(&policy_rwlock);
> + percpu_up_read(&policy_rwsem);
> Â return rc;
> Â}
> Â
> @@ -3051,7 +3051,7 @@ int security_get_permissions(char *class, char
> ***perms, int *nperms)
> Â int rc, i;
> Â struct class_datum *match;
> Â
> - read_lock(&policy_rwlock);
> + percpu_down_read(&policy_rwsem);
> Â
> Â rc = -EINVAL;
> Â match = hashtab_search(policydb.p_classes.table, class);
> @@ -3080,11 +3080,11 @@ int security_get_permissions(char *class,
> char ***perms, int *nperms)
> Â goto err;
> Â
> Âout:
> - read_unlock(&policy_rwlock);
> + percpu_up_read(&policy_rwsem);
> Â return rc;
> Â
> Âerr:
> - read_unlock(&policy_rwlock);
> + percpu_up_read(&policy_rwsem);
> Â for (i = 0; i < *nperms; i++)
> Â kfree((*perms)[i]);
> Â kfree(*perms);
> @@ -3115,9 +3115,9 @@ int security_policycap_supported(unsigned int
> req_cap)
> Â{
> Â int rc;
> Â
> - read_lock(&policy_rwlock);
> + percpu_down_read(&policy_rwsem);
> Â rc = ebitmap_get_bit(&policydb.policycaps, req_cap);
> - read_unlock(&policy_rwlock);
> + percpu_up_read(&policy_rwsem);
> Â
> Â return rc;
> Â}
> @@ -3181,7 +3181,7 @@ int selinux_audit_rule_init(u32 field, u32 op,
> char *rulestr, void **vrule)
> Â
> Â context_init(&tmprule->au_ctxt);
> Â
> - read_lock(&policy_rwlock);
> + percpu_down_read(&policy_rwsem);
> Â
> Â tmprule->au_seqno = latest_granting;
> Â
> @@ -3221,7 +3221,7 @@ int selinux_audit_rule_init(u32 field, u32 op,
> char *rulestr, void **vrule)
> Â }
> Â rc = 0;
> Âout:
> - read_unlock(&policy_rwlock);
> + percpu_up_read(&policy_rwsem);
> Â
> Â if (rc) {
> Â selinux_audit_rule_free(tmprule);
> @@ -3271,7 +3271,7 @@ int selinux_audit_rule_match(u32 sid, u32
> field, u32 op, void *vrule,
> Â return -ENOENT;
> Â }
> Â
> - read_lock(&policy_rwlock);
> + percpu_down_read(&policy_rwsem);
> Â
> Â if (rule->au_seqno < latest_granting) {
> Â match = -ESTALE;
> @@ -3362,7 +3362,7 @@ int selinux_audit_rule_match(u32 sid, u32
> field, u32 op, void *vrule,
> Â }
> Â
> Âout:
> - read_unlock(&policy_rwlock);
> + percpu_up_read(&policy_rwsem);
> Â return match;
> Â}
> Â
> @@ -3448,7 +3448,7 @@ int security_netlbl_secattr_to_sid(struct
> netlbl_lsm_secattr *secattr,
> Â return 0;
> Â }
> Â
> - read_lock(&policy_rwlock);
> + percpu_down_read(&policy_rwsem);
> Â
> Â if (secattr->flags & NETLBL_SECATTR_CACHE)
> Â *sid = *(u32 *)secattr->cache->data;
> @@ -3484,12 +3484,12 @@ int security_netlbl_secattr_to_sid(struct
> netlbl_lsm_secattr *secattr,
> Â } else
> Â *sid = SECSID_NULL;
> Â
> - read_unlock(&policy_rwlock);
> + percpu_up_read(&policy_rwsem);
> Â return 0;
> Âout_free:
> Â ebitmap_destroy(&ctx_new.range.level[0].cat);
> Âout:
> - read_unlock(&policy_rwlock);
> + percpu_up_read(&policy_rwsem);
> Â return rc;
> Â}
> Â
> @@ -3511,7 +3511,7 @@ int security_netlbl_sid_to_secattr(u32 sid,
> struct netlbl_lsm_secattr *secattr)
> Â if (!ss_initialized)
> Â return 0;
> Â
> - read_lock(&policy_rwlock);
> + percpu_down_read(&policy_rwsem);
> Â
> Â rc = -ENOENT;
> Â ctx = sidtab_search(&sidtab, sid);
> @@ -3529,7 +3529,7 @@ int security_netlbl_sid_to_secattr(u32 sid,
> struct netlbl_lsm_secattr *secattr)
> Â mls_export_netlbl_lvl(ctx, secattr);
> Â rc = mls_export_netlbl_cat(ctx, secattr);
> Âout:
> - read_unlock(&policy_rwlock);
> + percpu_up_read(&policy_rwsem);
> Â return rc;
> Â}
> Â#endif /* CONFIG_NETLABEL */
> @@ -3557,9 +3557,9 @@ int security_read_policy(void **data, size_t
> *len)
> Â fp.data = *data;
> Â fp.len = *len;
> Â
> - read_lock(&policy_rwlock);
> + percpu_down_read(&policy_rwsem);
> Â rc = policydb_write(&policydb, &fp);
> - read_unlock(&policy_rwlock);
> + percpu_up_read(&policy_rwsem);
> Â
> Â if (rc)
> Â return rc;

Next message: Arnaldo Carvalho de Melo: "[PATCH 26/32] perf util: Improve error checking for time percent input"
Previous message: Maxime Chevallier: "[PATCH] spi: a3700: Add full-duplex support"
In reply to: peter.enderborg: "[PATCH] selinux:Significant reduce of preempt_disable holds"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]