summaryrefslogtreecommitdiff
path: root/security/selinux/ima.c
diff options
context:
space:
mode:
authorStephen Smalley <stephen.smalley.work@gmail.com>2023-03-09 21:30:37 +0300
committerPaul Moore <paul@paul-moore.com>2023-03-14 22:22:45 +0300
commite67b79850fcc4eb5816d69d34fd82aeda350aca7 (patch)
treeac2ab206d913dd36a95347b59bc739551651cafc /security/selinux/ima.c
parentf62ca0b6e31d82e0622a8e31ce5562e80edf6c3c (diff)
downloadlinux-e67b79850fcc4eb5816d69d34fd82aeda350aca7.tar.xz
selinux: stop passing selinux_state pointers and their offspring
Linus observed that the pervasive passing of selinux_state pointers introduced by me in commit aa8e712cee93 ("selinux: wrap global selinux state") adds overhead and complexity without providing any benefit. The original idea was to pave the way for SELinux namespaces but those have not yet been implemented and there isn't currently a concrete plan to do so. Remove the passing of the selinux_state pointers, reverting to direct use of the single global selinux_state, and likewise remove passing of child pointers like the selinux_avc. The selinux_policy pointer remains as it is needed for atomic switching of policies. Suggested-by: Linus Torvalds <torvalds@linux-foundation.org> Reported-by: kernel test robot <lkp@intel.com> Link: https://lore.kernel.org/oe-kbuild-all/202303101057.mZ3Gv5fK-lkp@intel.com/ Signed-off-by: Stephen Smalley <stephen.smalley.work@gmail.com> Signed-off-by: Paul Moore <paul@paul-moore.com>
Diffstat (limited to 'security/selinux/ima.c')
-rw-r--r--security/selinux/ima.c37
1 files changed, 16 insertions, 21 deletions
diff --git a/security/selinux/ima.c b/security/selinux/ima.c
index a915b89d55b0..7daf59667f59 100644
--- a/security/selinux/ima.c
+++ b/security/selinux/ima.c
@@ -15,12 +15,10 @@
/*
* selinux_ima_collect_state - Read selinux configuration settings
*
- * @state: selinux_state
- *
* On success returns the configuration settings string.
* On error, returns NULL.
*/
-static char *selinux_ima_collect_state(struct selinux_state *state)
+static char *selinux_ima_collect_state(void)
{
const char *on = "=1;", *off = "=0;";
char *buf;
@@ -39,26 +37,27 @@ static char *selinux_ima_collect_state(struct selinux_state *state)
rc = strscpy(buf, "initialized", buf_len);
WARN_ON(rc < 0);
- rc = strlcat(buf, selinux_initialized(state) ? on : off, buf_len);
+ rc = strlcat(buf, selinux_initialized() ? on : off, buf_len);
WARN_ON(rc >= buf_len);
rc = strlcat(buf, "enforcing", buf_len);
WARN_ON(rc >= buf_len);
- rc = strlcat(buf, enforcing_enabled(state) ? on : off, buf_len);
+ rc = strlcat(buf, enforcing_enabled() ? on : off, buf_len);
WARN_ON(rc >= buf_len);
rc = strlcat(buf, "checkreqprot", buf_len);
WARN_ON(rc >= buf_len);
- rc = strlcat(buf, checkreqprot_get(state) ? on : off, buf_len);
+ rc = strlcat(buf, checkreqprot_get() ? on : off, buf_len);
WARN_ON(rc >= buf_len);
for (i = 0; i < __POLICYDB_CAP_MAX; i++) {
rc = strlcat(buf, selinux_policycap_names[i], buf_len);
WARN_ON(rc >= buf_len);
- rc = strlcat(buf, state->policycap[i] ? on : off, buf_len);
+ rc = strlcat(buf, selinux_state.policycap[i] ? on : off,
+ buf_len);
WARN_ON(rc >= buf_len);
}
@@ -67,19 +66,17 @@ static char *selinux_ima_collect_state(struct selinux_state *state)
/*
* selinux_ima_measure_state_locked - Measure SELinux state and hash of policy
- *
- * @state: selinux state struct
*/
-void selinux_ima_measure_state_locked(struct selinux_state *state)
+void selinux_ima_measure_state_locked(void)
{
char *state_str = NULL;
void *policy = NULL;
size_t policy_len;
int rc = 0;
- lockdep_assert_held(&state->policy_mutex);
+ lockdep_assert_held(&selinux_state.policy_mutex);
- state_str = selinux_ima_collect_state(state);
+ state_str = selinux_ima_collect_state();
if (!state_str) {
pr_err("SELinux: %s: failed to read state.\n", __func__);
return;
@@ -94,10 +91,10 @@ void selinux_ima_measure_state_locked(struct selinux_state *state)
/*
* Measure SELinux policy only after initialization is completed.
*/
- if (!selinux_initialized(state))
+ if (!selinux_initialized())
return;
- rc = security_read_state_kernel(state, &policy, &policy_len);
+ rc = security_read_state_kernel(&policy, &policy_len);
if (rc) {
pr_err("SELinux: %s: failed to read policy %d.\n", __func__, rc);
return;
@@ -112,14 +109,12 @@ void selinux_ima_measure_state_locked(struct selinux_state *state)
/*
* selinux_ima_measure_state - Measure SELinux state and hash of policy
- *
- * @state: selinux state struct
*/
-void selinux_ima_measure_state(struct selinux_state *state)
+void selinux_ima_measure_state(void)
{
- lockdep_assert_not_held(&state->policy_mutex);
+ lockdep_assert_not_held(&selinux_state.policy_mutex);
- mutex_lock(&state->policy_mutex);
- selinux_ima_measure_state_locked(state);
- mutex_unlock(&state->policy_mutex);
+ mutex_lock(&selinux_state.policy_mutex);
+ selinux_ima_measure_state_locked();
+ mutex_unlock(&selinux_state.policy_mutex);
}