sleep in selinux_audit_rule_init
Paul Moore
paul at paul-moore.com
Thu May 30 12:29:54 UTC 2019
On Thu, May 30, 2019 at 8:07 AM Stephen Smalley <sds at tycho.nsa.gov> wrote:
> ... And lastly, it looks like lsm
> notifiers are atomic notifiers (not clear to me why) so you can't block
> in the callback, thereby requiring scheduling the work as is done in
> infiniband. I'm not sure though why we can't make the lsm notifiers
> blocking notifiers. The only callers of call_lsm_notifier() are
> sel_write_enforce() and selinux_lsm_notifier_avc_callback(), called from
> avc_ss_reset(), called from sel_write_enforce(), security_load_policy()
> and security_set_bools(), all outside of locks and in process context
> AFAICS.
Off the top of my head I don't recall why the atomic notifiers were
chosen over the blocking notifiers; it may simply be an artifact of an
interim patch that was changed. Regardless, I have no problem if we
switch to using blocking notifiers. However, if we are changing it
now it might be a good idea to also add a "block"/"blocking" somewhere
in the lsm_notifier functions' name to make the change obvious and to
help make it easier if we ever need to add atomic notifier support in
the future.
--
paul moore
www.paul-moore.com