Re: [PATCH] selinux: move user accesses in selinuxfs out of locked regions
On Thu, Jun 28, 2018 at 8:38 PM Paul Moore wrote: > On Thu, Jun 28, 2018 at 8:23 PM Paul Moore wrote: > > On Tue, Jun 26, 2018 at 8:15 AM Stephen Smalley wrote: > > > On 06/25/2018 12:34 PM, Jann Horn wrote: > > > > If a user is accessing a file in selinuxfs with a pointer to a userspace > > > > buffer that is backed by e.g. a userfaultfd, the userspace access can > > > > stall indefinitely, which can block fsi->mutex if it is held. > > > > > > > > For sel_read_policy(), remove the locking, since this method doesn't > > > > seem > > > > to access anything that requires locking. > > > > > > > > For sel_read_bool(), move the user access below the locked region. > > > > > > > > For sel_write_bool() and sel_commit_bools_write(), move the user access > > > > up above the locked region. > > > > > > > > Cc: sta...@vger.kernel.org > > > > Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") > > > > Signed-off-by: Jann Horn > > > > > > Only question I have is wrt the Fixes line, i.e. was this an issue until > > > userfaultfd was introduced, and if not, > > > do we need it to be back-ported any further than the commit which > > > introduced it. > > > > Considering we are talking about v2.6.12 I have to wonder if anyone is > > bothering with backports for kernels that old. Even the RHEL-5.x > > based systems are at least on v2.6.18. > > > > Regardless, I think this is fine to merge as-is; thanks everyone. > > FYI, I did have to remove the "fsi" variable from sel_read_policy() to > keep the compiler happy. Please double check to make sure your code > compiles cleanly in the future. I realize I didn't specify this above ... I merged this into selinux/stable-4.18; I'm building a test kernel now and if everything looks okay I'll send it to Linus tomorrow. -- paul moore www.paul-moore.com ___ Selinux mailing list Selinux@tycho.nsa.gov To unsubscribe, send email to selinux-le...@tycho.nsa.gov. To get help, send an email containing "help" to selinux-requ...@tycho.nsa.gov.
Re: [PATCH] selinux: move user accesses in selinuxfs out of locked regions
On Thu, Jun 28, 2018 at 8:23 PM Paul Moore wrote: > On Tue, Jun 26, 2018 at 8:15 AM Stephen Smalley wrote: > > On 06/25/2018 12:34 PM, Jann Horn wrote: > > > If a user is accessing a file in selinuxfs with a pointer to a userspace > > > buffer that is backed by e.g. a userfaultfd, the userspace access can > > > stall indefinitely, which can block fsi->mutex if it is held. > > > > > > For sel_read_policy(), remove the locking, since this method doesn't seem > > > to access anything that requires locking. > > > > > > For sel_read_bool(), move the user access below the locked region. > > > > > > For sel_write_bool() and sel_commit_bools_write(), move the user access > > > up above the locked region. > > > > > > Cc: sta...@vger.kernel.org > > > Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") > > > Signed-off-by: Jann Horn > > > > Only question I have is wrt the Fixes line, i.e. was this an issue until > > userfaultfd was introduced, and if not, > > do we need it to be back-ported any further than the commit which > > introduced it. > > Considering we are talking about v2.6.12 I have to wonder if anyone is > bothering with backports for kernels that old. Even the RHEL-5.x > based systems are at least on v2.6.18. > > Regardless, I think this is fine to merge as-is; thanks everyone. FYI, I did have to remove the "fsi" variable from sel_read_policy() to keep the compiler happy. Please double check to make sure your code compiles cleanly in the future. -- paul moore www.paul-moore.com ___ Selinux mailing list Selinux@tycho.nsa.gov To unsubscribe, send email to selinux-le...@tycho.nsa.gov. To get help, send an email containing "help" to selinux-requ...@tycho.nsa.gov.
Re: [PATCH] selinux: move user accesses in selinuxfs out of locked regions
On Tue, Jun 26, 2018 at 8:15 AM Stephen Smalley wrote: > On 06/25/2018 12:34 PM, Jann Horn wrote: > > If a user is accessing a file in selinuxfs with a pointer to a userspace > > buffer that is backed by e.g. a userfaultfd, the userspace access can > > stall indefinitely, which can block fsi->mutex if it is held. > > > > For sel_read_policy(), remove the locking, since this method doesn't seem > > to access anything that requires locking. > > > > For sel_read_bool(), move the user access below the locked region. > > > > For sel_write_bool() and sel_commit_bools_write(), move the user access > > up above the locked region. > > > > Cc: sta...@vger.kernel.org > > Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") > > Signed-off-by: Jann Horn > > Only question I have is wrt the Fixes line, i.e. was this an issue until > userfaultfd was introduced, and if not, > do we need it to be back-ported any further than the commit which introduced > it. Considering we are talking about v2.6.12 I have to wonder if anyone is bothering with backports for kernels that old. Even the RHEL-5.x based systems are at least on v2.6.18. Regardless, I think this is fine to merge as-is; thanks everyone. > Otherwise, you can add my > Acked-by: Stephen Smalley -- paul moore www.paul-moore.com ___ Selinux mailing list Selinux@tycho.nsa.gov To unsubscribe, send email to selinux-le...@tycho.nsa.gov. To get help, send an email containing "help" to selinux-requ...@tycho.nsa.gov.
Re: [PATCH] selinux: move user accesses in selinuxfs out of locked regions
On Mon, Jun 25, 2018 at 6:40 PM Jann Horn wrote: > > On Tue, Jun 26, 2018 at 12:36 AM Paul Moore wrote: > > > > On Mon, Jun 25, 2018 at 12:34 PM Jann Horn wrote: > > > If a user is accessing a file in selinuxfs with a pointer to a userspace > > > buffer that is backed by e.g. a userfaultfd, the userspace access can > > > stall indefinitely, which can block fsi->mutex if it is held. > > > > > > For sel_read_policy(), remove the locking, since this method doesn't seem > > > to access anything that requires locking. > > > > Forgive me, I'm thinking about this quickly so I could be very wrong > > here, but isn't the mutex needed to prevent problems in multi-threaded > > apps hitting the same fd at the same time? > > sel_read_policy() operates on a read-only copy of the policy, accessed > via ->private_data, allocated using vmalloc in sel_open_policy() via > security_read_policy(). As far as I can tell, nothing can write to > that read-only copy of the policy. None of the handlers in > sel_policy_ops write - they just mmap as readonly (in which case > you're already reading without locks, by the way) or read. Great, thanks. -- paul moore www.paul-moore.com ___ Selinux mailing list Selinux@tycho.nsa.gov To unsubscribe, send email to selinux-le...@tycho.nsa.gov. To get help, send an email containing "help" to selinux-requ...@tycho.nsa.gov.