LSM: switch to blocking policy update notifiers

mainline inclusion from mainline-v5.3-rc1 commit 42df744c category: bugfix bugzilla: https://gitee.com/openeuler/kernel/issues/I692HU CVE: NA -------------------------------- Atomic policy updaters are not very useful as they cannot usually perform the policy updates on their own. Since it seems that there is no strict need for the atomicity, switch to the blocking variant. While doing so, rename the functions accordingly. Signed-off-by: N Janne Karhunen <janne.karhunen@gmail.com> Acked-by: N Paul Moore <paul@paul-moore.com> Acked-by: N James Morris <jamorris@linux.microsoft.com> Signed-off-by: N Mimi Zohar <zohar@linux.ibm.com> Conflicts: drivers/infiniband/core/security.c Signed-off-by: N GUO Zihua <guozihua@huawei.com> Reviewed-by: N Xiu Jianfeng <xiujianfeng@huawei.com> Signed-off-by: N Yongqiang Liu <liuyongqiang13@huawei.com>

LSM: switch to blocking policy update notifiers
mainline inclusion from mainline-v5.3-rc1 commit 42df744c category: bugfix bugzilla: https://gitee.com/openeuler/kernel/issues/I692HU CVE: NA -------------------------------- Atomic policy updaters are not very useful as they cannot usually perform the policy updates on their own. Since it seems that there is no strict need for the atomicity, switch to the blocking variant. While doing so, rename the functions accordingly. Signed-off-by: N Janne Karhunen <janne.karhunen@gmail.com> Acked-by: N Paul Moore <paul@paul-moore.com> Acked-by: N James Morris <jamorris@linux.microsoft.com> Signed-off-by: N Mimi Zohar <zohar@linux.ibm.com> Conflicts: drivers/infiniband/core/security.c Signed-off-by: N GUO Zihua <guozihua@huawei.com> Reviewed-by: N Xiu Jianfeng <xiujianfeng@huawei.com> Signed-off-by: N Yongqiang Liu <liuyongqiang13@huawei.com>
725660b8 · Janne Karhunen · Yongqiang Liu · 13d09031 · 725660b8 · 725660b8
6 changed file
--- a/drivers/infiniband/core/device.c
+++ b/drivers/infiniband/core/device.c
@@ -1226,7 +1226,7 @@ static int __init ib_core_init(void)
 		goto err_mad;
 	}
-	ret = register_lsm_notifier(&ibdev_lsm_nb);
+	ret = register_blocking_lsm_notifier(&ibdev_lsm_nb);
 	if (ret) {
 		pr_warn("Couldn't register LSM notifier. ret %d\n", ret);
 		goto err_sa;
@@ -1262,7 +1262,7 @@ static void __exit ib_core_cleanup(void)
 	roce_gid_mgmt_cleanup();
 	nldev_exit();
 	rdma_nl_unregister(RDMA_NL_LS);
-	unregister_lsm_notifier(&ibdev_lsm_nb);
+	unregister_blocking_lsm_notifier(&ibdev_lsm_nb);
 	ib_sa_cleanup();
 	ib_mad_cleanup();
 	addr_cleanup();

--- a/drivers/infiniband/core/security.c
+++ b/drivers/infiniband/core/security.c
@@ -714,7 +714,7 @@ int ib_mad_agent_security_setup(struct ib_mad_agent *agent,
 		goto free_security;
 	agent->lsm_nb.notifier_call = ib_mad_agent_security_change;
-	ret = register_lsm_notifier(&agent->lsm_nb);
+	ret = register_blocking_lsm_notifier(&agent->lsm_nb);
 	if (ret)
 		goto free_security;
@@ -733,7 +733,7 @@ void ib_mad_agent_security_cleanup(struct ib_mad_agent *agent)
 		return;
 	if (agent->lsm_nb_reg)
-		unregister_lsm_notifier(&agent->lsm_nb);
+		unregister_blocking_lsm_notifier(&agent->lsm_nb);
 	security_ib_free_security(agent->security);
 }

--- a/include/linux/security.h
+++ b/include/linux/security.h
@@ -188,9 +188,9 @@ struct security_mnt_opts {
 	int num_mnt_opts;
 };
-int call_lsm_notifier(enum lsm_event event, void *data);
+int call_blocking_lsm_notifier(enum lsm_event event, void *data);
-int register_lsm_notifier(struct notifier_block *nb);
+int register_blocking_lsm_notifier(struct notifier_block *nb);
-int unregister_lsm_notifier(struct notifier_block *nb);
+int unregister_blocking_lsm_notifier(struct notifier_block *nb);
 static inline void security_init_mnt_opts(struct security_mnt_opts *opts)
 {
@@ -406,17 +406,17 @@ int security_inode_getsecctx(struct inode *inode, void **ctx, u32 *ctxlen);
 struct security_mnt_opts {
 };
-static inline int call_lsm_notifier(enum lsm_event event, void *data)
+static inline int call_blocking_lsm_notifier(enum lsm_event event, void *data)
 {
 	return 0;
 }
-static inline int register_lsm_notifier(struct notifier_block *nb)
+static inline int register_blocking_lsm_notifier(struct notifier_block *nb)
 {
 	return 0;
 }
-static inline  int unregister_lsm_notifier(struct notifier_block *nb)
+static inline  int unregister_blocking_lsm_notifier(struct notifier_block *nb)
 {
 	return 0;
 }

--- a/security/security.c
+++ b/security/security.c
@@ -38,7 +38,7 @@
 #define SECURITY_NAME_MAX	10
 struct security_hook_heads security_hook_heads __lsm_ro_after_init;
-static ATOMIC_NOTIFIER_HEAD(lsm_notifier_chain);
+static BLOCKING_NOTIFIER_HEAD(blocking_lsm_notifier_chain);
 char *lsm_names;
 /* Boot-time LSM user choice */
@@ -180,23 +180,26 @@ void __init security_add_hooks(struct security_hook_list *hooks, int count,
 		panic("%s - Cannot get early memory.\n", __func__);
 }
-int call_lsm_notifier(enum lsm_event event, void *data)
+int call_blocking_lsm_notifier(enum lsm_event event, void *data)
 {
-	return atomic_notifier_call_chain(&lsm_notifier_chain, event, data);
+	return blocking_notifier_call_chain(&blocking_lsm_notifier_chain,
+					    event, data);
 }
-EXPORT_SYMBOL(call_lsm_notifier);
+EXPORT_SYMBOL(call_blocking_lsm_notifier);
-int register_lsm_notifier(struct notifier_block *nb)
+int register_blocking_lsm_notifier(struct notifier_block *nb)
 {
-	return atomic_notifier_chain_register(&lsm_notifier_chain, nb);
+	return blocking_notifier_chain_register(&blocking_lsm_notifier_chain,
+						nb);
 }
-EXPORT_SYMBOL(register_lsm_notifier);
+EXPORT_SYMBOL(register_blocking_lsm_notifier);
-int unregister_lsm_notifier(struct notifier_block *nb)
+int unregister_blocking_lsm_notifier(struct notifier_block *nb)
 {
-	return atomic_notifier_chain_unregister(&lsm_notifier_chain, nb);
+	return blocking_notifier_chain_unregister(&blocking_lsm_notifier_chain,
+						  nb);
 }
-EXPORT_SYMBOL(unregister_lsm_notifier);
+EXPORT_SYMBOL(unregister_blocking_lsm_notifier);
 /*
 * Hook list operation macros.

--- a/security/selinux/hooks.c
+++ b/security/selinux/hooks.c
@@ -199,7 +199,7 @@ static int selinux_lsm_notifier_avc_callback(u32 event)
 {
 	if (event == AVC_CALLBACK_RESET) {
 		sel_ib_pkey_flush();
-		call_lsm_notifier(LSM_POLICY_CHANGE, NULL);
+		call_blocking_lsm_notifier(LSM_POLICY_CHANGE, NULL);
 	}
 	return 0;

--- a/security/selinux/selinuxfs.c
+++ b/security/selinux/selinuxfs.c
@@ -180,7 +180,7 @@ static ssize_t sel_write_enforce(struct file *file, const char __user *buf,
 		selnl_notify_setenforce(new_value);
 		selinux_status_update_setenforce(state, new_value);
 		if (!new_value)
-			call_lsm_notifier(LSM_POLICY_CHANGE, NULL);
+			call_blocking_lsm_notifier(LSM_POLICY_CHANGE, NULL);
 	}
 	length = count;
 out: