Re: [RFC PATCH 2/2] selinux: Propagate RCU walk status from 'security_inode_follow_link()'
From: Will Deacon
Date: Wed Nov 20 2019 - 08:13:10 EST
Hi Stephen,
Thanks for the quick review.
On Tue, Nov 19, 2019 at 01:46:37PM -0500, Stephen Smalley wrote:
> On 11/19/19 1:40 PM, Will Deacon wrote:
> > 'selinux_inode_follow_link()' can be called as part of an RCU path walk,
> > and is passed a 'bool rcu' parameter to indicate whether or not it is
> > being called from within an RCU read-side critical section.
> >
> > Unfortunately, this knowledge is not propagated further and, instead,
> > 'avc_has_perm()' unconditionally passes a flags argument of '0' to both
> > 'avc_has_perm_noaudit()' and 'avc_audit()' which may block.
> >
> > Introduce 'avc_has_perm_flags()' which can be used safely from within an
> > RCU read-side critical section.
>
> Please see e46e01eebbbcf2ff6d28ee7cae9f117e9d1572c8 ("selinux: stop passing
> MAY_NOT_BLOCK to the AVC upon follow_link").
Ha, not sure how I missed that -- my patch is almost a direct revert,
including the name 'avs_has_perm_flags()'! My only concern is that the
commit message for e46e01eebbbc asserts that the only use of MAY_NOT_BLOCK
is in slow_avc_audit(), but AVC_NONBLOCKING is used more widely than that.
For example:
selinux_inode_follow_link()
-> avc_has_perm()
-> avc_has_perm_noaudit()
-> avc_denied()
-> avc_update_node()
where we return early if AVC_NONBLOCKING is set, except flags are always
zero on this path.
Will