linux_dsm_epyc7002/security/selinux
Daniel Burgener 0eea609153 selinux: Create new booleans and class dirs out of tree
In order to avoid concurrency issues around selinuxfs resource availability
during policy load, we first create new directories out of tree for
reloaded resources, then swap them in, and finally delete the old versions.

This fix focuses on concurrency in each of the two subtrees swapped, and
not concurrency between the trees.  This means that it is still possible
that subsequent reads to eg the booleans directory and the class directory
during a policy load could see the old state for one and the new for the other.
The problem of ensuring that policy loads are fully atomic from the perspective
of userspace is larger than what is dealt with here.  This commit focuses on
ensuring that the directories contents always match either the new or the old
policy state from the perspective of userspace.

In the previous implementation, on policy load /sys/fs/selinux is updated
by deleting the previous contents of
/sys/fs/selinux/{class,booleans} and then recreating them.  This means
that there is a period of time when the contents of these directories do not
exist which can cause race conditions as userspace relies on them for
information about the policy.  In addition, it means that error recovery in
the event of failure is challenging.

In order to demonstrate the race condition that this series fixes, you
can use the following commands:

while true; do cat /sys/fs/selinux/class/service/perms/status
>/dev/null; done &
while true; do load_policy; done;

In the existing code, this will display errors fairly often as the class
lookup fails.  (In normal operation from systemd, this would result in a
permission check which would be allowed or denied based on policy settings
around unknown object classes.) After applying this patch series you
should expect to no longer see such error messages.

Signed-off-by: Daniel Burgener <dburgener@linux.microsoft.com>
Acked-by: Stephen Smalley <stephen.smalley.work@gmail.com>
Signed-off-by: Paul Moore <paul@paul-moore.com>
2020-08-21 09:41:31 -04:00
..
include selinux: move policy commit after updating selinuxfs 2020-08-17 20:50:22 -04:00
ss selinux: fix memdup.cocci warnings 2020-08-20 08:39:05 -04:00
.gitignore .gitignore: add SPDX License Identifier 2020-03-25 11:50:48 +01:00
avc.c selinux: ensure we cleanup the internal AVC counters on error in avc_update() 2019-12-21 10:59:21 -05:00
hooks.c selinux: permit removing security.selinux xattr before policy load 2020-08-20 21:55:31 -04:00
ibpkey.c selinux: clean up selinux_enabled/disabled/enforcing_boot 2019-12-18 21:22:46 -05:00
Kconfig Documentation,selinux: deprecate setting checkreqprot to 1 2020-02-10 10:49:01 -05:00
Makefile selinux: hash context structure directly 2020-04-17 16:04:34 -04:00
netif.c selinux: Fix spelling mistakes in the comments 2020-07-08 12:15:52 -04:00
netlabel.c treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 13 2019-05-21 11:28:45 +02:00
netlink.c treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 500 2019-06-19 17:09:55 +02:00
netnode.c selinux: Fix spelling mistakes in the comments 2020-07-08 12:15:52 -04:00
netport.c selinux: Fix spelling mistakes in the comments 2020-07-08 12:15:52 -04:00
nlmsgtab.c net: bridge: vlan: add rtm definitions and dump support 2020-01-15 13:48:17 +01:00
selinuxfs.c selinux: Create new booleans and class dirs out of tree 2020-08-21 09:41:31 -04:00
status.c selinux: move status variables out of selinux_ss 2020-02-10 10:49:01 -05:00
xfrm.c treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 500 2019-06-19 17:09:55 +02:00