selinux: access policycaps with READ_ONCE/WRITE_ONCE
authorStephen Smalley <stephen.smalley.work@gmail.com>
Thu, 10 Sep 2020 14:28:05 +0000 (10:28 -0400)
committerGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Thu, 5 Nov 2020 10:51:21 +0000 (11:51 +0100)
[ Upstream commit e8ba53d0023a76ba0f50e6ee3e6288c5442f9d33 ]

Use READ_ONCE/WRITE_ONCE for all accesses to the
selinux_state.policycaps booleans to prevent compiler
mischief.

Signed-off-by: Stephen Smalley <stephen.smalley.work@gmail.com>
Signed-off-by: Paul Moore <paul@paul-moore.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
security/selinux/include/security.h
security/selinux/ss/services.c

index b0e02cfe3ce14b8eac067ab88f9812e1eb156d3a..8a432f646967e8de2a85b3f93b94bf0a46dff37a 100644 (file)
@@ -177,49 +177,49 @@ static inline bool selinux_policycap_netpeer(void)
 {
        struct selinux_state *state = &selinux_state;
 
-       return state->policycap[POLICYDB_CAPABILITY_NETPEER];
+       return READ_ONCE(state->policycap[POLICYDB_CAPABILITY_NETPEER]);
 }
 
 static inline bool selinux_policycap_openperm(void)
 {
        struct selinux_state *state = &selinux_state;
 
-       return state->policycap[POLICYDB_CAPABILITY_OPENPERM];
+       return READ_ONCE(state->policycap[POLICYDB_CAPABILITY_OPENPERM]);
 }
 
 static inline bool selinux_policycap_extsockclass(void)
 {
        struct selinux_state *state = &selinux_state;
 
-       return state->policycap[POLICYDB_CAPABILITY_EXTSOCKCLASS];
+       return READ_ONCE(state->policycap[POLICYDB_CAPABILITY_EXTSOCKCLASS]);
 }
 
 static inline bool selinux_policycap_alwaysnetwork(void)
 {
        struct selinux_state *state = &selinux_state;
 
-       return state->policycap[POLICYDB_CAPABILITY_ALWAYSNETWORK];
+       return READ_ONCE(state->policycap[POLICYDB_CAPABILITY_ALWAYSNETWORK]);
 }
 
 static inline bool selinux_policycap_cgroupseclabel(void)
 {
        struct selinux_state *state = &selinux_state;
 
-       return state->policycap[POLICYDB_CAPABILITY_CGROUPSECLABEL];
+       return READ_ONCE(state->policycap[POLICYDB_CAPABILITY_CGROUPSECLABEL]);
 }
 
 static inline bool selinux_policycap_nnp_nosuid_transition(void)
 {
        struct selinux_state *state = &selinux_state;
 
-       return state->policycap[POLICYDB_CAPABILITY_NNP_NOSUID_TRANSITION];
+       return READ_ONCE(state->policycap[POLICYDB_CAPABILITY_NNP_NOSUID_TRANSITION]);
 }
 
 static inline bool selinux_policycap_genfs_seclabel_symlinks(void)
 {
        struct selinux_state *state = &selinux_state;
 
-       return state->policycap[POLICYDB_CAPABILITY_GENFS_SECLABEL_SYMLINKS];
+       return READ_ONCE(state->policycap[POLICYDB_CAPABILITY_GENFS_SECLABEL_SYMLINKS]);
 }
 
 int security_mls_enabled(struct selinux_state *state);
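Review bot: The new READ_ONCE() wrappers carry no comment saying what they pair with or what they do not guarantee, and this header is where the next maintainer will look before deciding whether a lockless read is enough. I would add a block comment above the first helper, selinux_policycap_netpeer() (its signature is in the @@ context, outside the hunk), stating that `policycap[]` is written with WRITE_ONCE() in security_load_policycaps() while these helpers are called without the policy lock, so READ_ONCE() only keeps each read a single, untorn access that the compiler may not merge or hoist. It should also say that READ_ONCE() gives no ordering against the rest of the policy state: a caller that reads two capabilities, or a capability and the policy itself, can observe a mix of old and new values across a policy reload. Whether any current caller depends on such consistency is not visible from this hunk; if none does, the comment should say so explicitly so it is not relied upon later.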
index 1caf4e6033096772110497acb0b5ceaae1b857d2..c55b3063753abb334f42bc2f795501dfcce81f61 100644 (file)
@@ -2103,7 +2103,8 @@ static void security_load_policycaps(struct selinux_state *state)
        struct ebitmap_node *node;
 
        for (i = 0; i < ARRAY_SIZE(state->policycap); i++)
-               state->policycap[i] = ebitmap_get_bit(&p->policycaps, i);
+               WRITE_ONCE(state->policycap[i],
+                       ebitmap_get_bit(&p->policycaps, i));
 
        for (i = 0; i < ARRAY_SIZE(selinux_policycap_names); i++)
                pr_info("SELinux:  policy capability %s=%d\n",
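Review bot: The WRITE_ONCE() inside the for loop over ARRAY_SIZE(state->policycap) updates the array one element at a time, so a lockless reader using the READ_ONCE() helpers can see some capabilities from the new policy and others from the old one while the loop runs; WRITE_ONCE() prevents tearing of an individual bool but does not make the array update atomic as a whole, nor order it against whatever publishes the new policy. If that window is acceptable, say so at the loop: `/* Lockless readers use READ_ONCE(); the update is per-element, so a reader may briefly see a mix of old and new caps across a reload. */`. If it is not, the values would have to be computed into a local copy and published together with the policy, which is outside the scope of this hunk. security_load_policycaps() begins and ends outside the hunk, and it is not visible here whether the caller holds the policy lock or how the new policy is published relative to this loop.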