[PATCH 1/1] [RFC] SELINUX: Remove obsolete deferred inode security init list.
Paul Moore
paul at paul-moore.com
Fri Jan 6 22:33:05 UTC 2023
On Fri, Jan 6, 2023 at 3:30 PM Paul Moore <paul at paul-moore.com> wrote:
>
> On Mon, Dec 12, 2022 at 10:40 PM Alexander Kozhevnikov
> <alexander.kozhevnikov at huawei-partners.com> wrote:
> >
> > This patch is a proposed code optimization for SELinux:
> >
> > 1) Each inode has an SELinux security structure attached
> > to it; this one needs to be initialized at some point.
> > 2) This initialization is done by the function
> > inode_doinit_with_dentry ( ).
> > 3) In kernel releases starting from some point in the past,
> > this function (2) is normally always called from the function
> > __inode_security_revalidate ( ).
> > 4) This in turn is always called from inode_security ( ), which
> > is the base point for any SELinux calls and is always called on
> > any access to any inode, except for a few special cases when
> > _inode_security_novalidate ( ) is used.
> > 5) Inode security structure initialization can only be done after
> > SELinux is fully initialized and the policy is loaded.
> > 6) So, for this purpose there was a special deferred inode security
> > initialization list, protected by a spinlock, which was
> > populated instead of performing isec initialization in the function
> > inode_doinit_with_dentry ( ) if it was called before SELinux's full
> > initialization, and which was processed at the time of SELinux policy
> > load by calling inode_doinit_with_dentry ( ) again on each inode
> > in this list.
> > 7) This list was part of the default initialization logic before (3) was
> > implemented, but now, taking into account the new mechanism implemented
> > with the current approach of inode security revalidation on each access
> > (4)-(3)-(2), it looks obsolete and no longer needed.
> > 8) So the deferred initialization, this list and the code associated with it
> > can be safely removed now, as, if an inode's isec was not initialized
> > before, it will be processed on the next inode access anyway.
> > 9) Another case for calling inode_doinit_with_dentry( ) is when a new
> > dentry is created. This is done by a call from d_instantiate( ). When
> > the deferred initialization list is removed it would be useful to
> > also check the SELinux initialization status here before calling
> > inode_doinit_with_dentry( ), as is done in
> > __inode_security_revalidate( ).
> > 10) There are two possible positive consequences of this removal:
> > a. Cleaner and simpler code, less memory consumption;
> > b. This deferred initialization in some cases (for example when SELinux
> > was switched on manually after the system had been up for quite a long
> > time) could take significant time to process, i.e. the system looks
> > hung for a notable time. Now this is avoided.
> >
> > Signed-off-by: Alexander Kozhevnikov <alexander.kozhevnikov at huawei-partners.com>
> > ---
> > security/selinux/hooks.c | 91 ++++---------------------------
> > security/selinux/include/objsec.h | 3 -
> > 2 files changed, 11 insertions(+), 83 deletions(-)
>
> Merged into selinux/next with some minor style and grammar fixes,
> thanks Alexander!
Unfortunately I just had to back this commit out of selinux/next as
the automated testing using the selinux-testsuite failed on my Fedora
Rawhide test system.
Please verify that this patch passes the selinux-testsuite on a modern
Fedora Rawhide install using Linux v6.2-rc2 as a base.
--
paul-moore.com