ich777/linux_media
1
0
Fork 0
mirror of https://github.com/tbsdtv/linux_media.git synced 2025-07-23 20:51:03 +02:00
Code Issues Packages Projects Releases Wiki Activity

selinux: access policycaps with READ_ONCE/WRITE_ONCE

Browse Source 
Use READ_ONCE/WRITE_ONCE for all accesses to the
selinux_state.policycaps booleans to prevent compiler
mischief.

Signed-off-by: Stephen Smalley <stephen.smalley.work@gmail.com>
Signed-off-by: Paul Moore <paul@paul-moore.com>
This commit is contained in:
Stephen Smalley
2020-09-10 10:28:05 -04:00
committed by Paul Moore
parent 66ccd2560a
commit e8ba53d002
2 changed files with 9 additions and 8 deletions
Download Patch File Download Diff File Expand all files Collapse all files

14
security/selinux/include/security.h
View File

@@ -164,49 +164,49 @@ static inline bool selinux_policycap_netpeer(void)
{ {
struct selinux_state *state = &selinux_state; struct selinux_state *state = &selinux_state;
return state->policycap[POLICYDB_CAPABILITY_NETPEER]; return READ_ONCE(state->policycap[POLICYDB_CAPABILITY_NETPEER]);
} }
static inline bool selinux_policycap_openperm(void) static inline bool selinux_policycap_openperm(void)
{ {
struct selinux_state *state = &selinux_state; struct selinux_state *state = &selinux_state;
return state->policycap[POLICYDB_CAPABILITY_OPENPERM]; return READ_ONCE(state->policycap[POLICYDB_CAPABILITY_OPENPERM]);
} }
static inline bool selinux_policycap_extsockclass(void) static inline bool selinux_policycap_extsockclass(void)
{ {
struct selinux_state *state = &selinux_state; struct selinux_state *state = &selinux_state;
return state->policycap[POLICYDB_CAPABILITY_EXTSOCKCLASS]; return READ_ONCE(state->policycap[POLICYDB_CAPABILITY_EXTSOCKCLASS]);
} }
static inline bool selinux_policycap_alwaysnetwork(void) static inline bool selinux_policycap_alwaysnetwork(void)
{ {
struct selinux_state *state = &selinux_state; struct selinux_state *state = &selinux_state;
return state->policycap[POLICYDB_CAPABILITY_ALWAYSNETWORK]; return READ_ONCE(state->policycap[POLICYDB_CAPABILITY_ALWAYSNETWORK]);
} }
static inline bool selinux_policycap_cgroupseclabel(void) static inline bool selinux_policycap_cgroupseclabel(void)
{ {
struct selinux_state *state = &selinux_state; struct selinux_state *state = &selinux_state;
return state->policycap[POLICYDB_CAPABILITY_CGROUPSECLABEL]; return READ_ONCE(state->policycap[POLICYDB_CAPABILITY_CGROUPSECLABEL]);
} }
static inline bool selinux_policycap_nnp_nosuid_transition(void) static inline bool selinux_policycap_nnp_nosuid_transition(void)
{ {
struct selinux_state *state = &selinux_state; struct selinux_state *state = &selinux_state;
return state->policycap[POLICYDB_CAPABILITY_NNP_NOSUID_TRANSITION]; return READ_ONCE(state->policycap[POLICYDB_CAPABILITY_NNP_NOSUID_TRANSITION]);
} }
static inline bool selinux_policycap_genfs_seclabel_symlinks(void) static inline bool selinux_policycap_genfs_seclabel_symlinks(void)
{ {
struct selinux_state *state = &selinux_state; struct selinux_state *state = &selinux_state;
return state->policycap[POLICYDB_CAPABILITY_GENFS_SECLABEL_SYMLINKS]; return READ_ONCE(state->policycap[POLICYDB_CAPABILITY_GENFS_SECLABEL_SYMLINKS]);
} }
int security_mls_enabled(struct selinux_state *state); int security_mls_enabled(struct selinux_state *state);

3
security/selinux/ss/services.c
View File

@@ -2123,7 +2123,8 @@ static void security_load_policycaps(struct selinux_state *state,
p = &policy->policydb; p = &policy->policydb;
for (i = 0; i < ARRAY_SIZE(state->policycap); i++) for (i = 0; i < ARRAY_SIZE(state->policycap); i++)
state->policycap[i] = ebitmap_get_bit(&p->policycaps, i); WRITE_ONCE(state->policycap[i],
ebitmap_get_bit(&p->policycaps, i));
for (i = 0; i < ARRAY_SIZE(selinux_policycap_names); i++) for (i = 0; i < ARRAY_SIZE(selinux_policycap_names); i++)
pr_info("SELinux: policy capability %s=%d\n", pr_info("SELinux: policy capability %s=%d\n",