[PATCH 1/1] [RFC] SELINUX: Remove obsolete deferred inode security init list.

Paul Moore paul at paul-moore.com
Fri Jan 6 20:30:43 UTC 2023


On Mon, Dec 12, 2022 at 10:40 PM Alexander Kozhevnikov
<alexander.kozhevnikov at huawei-partners.com> wrote:
>
> This patch is a proposed code optimization for SELinux:
>
> 1) Each inode has SELinux security structure attached
>    to it, this one need to be initialized at some point.
> 2) This initialization is done by the function
>    inode_doinit_with_dentry ( ).
> 3) In the kernel releases started from some point in the past
>    this function (2) is always called normally from function
>    __inode_security_revalidate ( ).
> 4) Which in turn is always called  from inode_security ( ), which
>    is a base point for any selinux calls and always called on
>    any access to any inode except a few special cases when
>    _inode_security_novalidate ( ) is used.
> 5) Inode security structure initialization can be done only after
>    SELinux is fully initialized and policy is loaded.
> 6) So, for this purpose there was a special defeferred inode security
>    initialization list protected by a spinlock implemented, which was
>    populated instead of isec initialization in function
>    inode_doinit_with_dentry ( ), if it was called before SELinux full
>    initialization, and processed at the time when SELinux policy load
>    occurred by calling again inode_doinit_with_dentry ( ) on each inode
>    in this list.
> 7) This list was a part of a default initialization logic before (3) was
>    implemented, but now, taking into account new mechanism implemented
>    with current approach of inode security revalidation on each access
>    (4)-(3)-(2), it looks obsolete and not needed anymore.
> 8) So deferred initialization, this list and code associated with it can
>    be safely removed now, as anyway, if inode isec was not initialized
>    before it will be processed on any next inode access.
> 9) Another case for calling inode_doinit_with_dentry( ) is when a new
>    dentry is created. This is done by call from d_instantiate( ). When
>    the deferred initialization list is removed it would be useful to
>    also check for SELinux initialization status here before calling
>    inode_doinit_with_dentry( ) like it is done in
>    __inode_security_revalidate( ).
> 10) There are two possible positive consequences from this removal:
>      a. More clean and simple code, less memory consumption;
>      b. This deferred initialization in some cases (for example SELinux
>         was switched on manually after system was up quite a long time)
>         could take some significant time to process, i.e. system looks
>         hung for some notable time. And now this is avoided.
>
> Signed-off-by: Alexander Kozhevnikov <alexander.kozhevnikov at huawei-partners.com>
> ---
>  security/selinux/hooks.c          | 91 ++++---------------------------
>  security/selinux/include/objsec.h |  3 -
>  2 files changed, 11 insertions(+), 83 deletions(-)

Merged into selinux/next with some minor style and grammar fixes,
thanks Alexander!

-- 
paul-moore.com



More information about the Linux-security-module-archive mailing list