
Commit e8ba53d

stephensmalleypcmoore
authored andcommitted
selinux: access policycaps with READ_ONCE/WRITE_ONCE
Use READ_ONCE/WRITE_ONCE for all accesses to the selinux_state.policycaps booleans to prevent compiler mischief. Signed-off-by: Stephen Smalley <stephen.smalley.work@gmail.com> Signed-off-by: Paul Moore <paul@paul-moore.com>
1 parent 66ccd25 commit e8ba53d

2 files changed

Lines changed: 9 additions & 8 deletions


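--- a/security/selinux/include/security.h
+++ b/security/selinux/include/security.h
@@ -164,49 +164,49 @@ static inline bool selinux_policycap_netpeer(void)
 {
 struct selinux_state *state = &selinux_state;
 
-return state->policycap[POLICYDB_CAPABILITY_NETPEER];
+return READ_ONCE(state->policycap[POLICYDB_CAPABILITY_NETPEER]);
 }
 
 static inline bool selinux_policycap_openperm(void)
 {
 struct selinux_state *state = &selinux_state;
 
-return state->policycap[POLICYDB_CAPABILITY_OPENPERM];
+return READ_ONCE(state->policycap[POLICYDB_CAPABILITY_OPENPERM]);
 }
 
 static inline bool selinux_policycap_extsockclass(void)
 {
 struct selinux_state *state = &selinux_state;
 
-return state->policycap[POLICYDB_CAPABILITY_EXTSOCKCLASS];
+return READ_ONCE(state->policycap[POLICYDB_CAPABILITY_EXTSOCKCLASS]);
 }
 
 static inline bool selinux_policycap_alwaysnetwork(void)
 {
 struct selinux_state *state = &selinux_state;
 
-return state->policycap[POLICYDB_CAPABILITY_ALWAYSNETWORK];
+return READ_ONCE(state->policycap[POLICYDB_CAPABILITY_ALWAYSNETWORK]);
 }
 
 static inline bool selinux_policycap_cgroupseclabel(void)
 {
 struct selinux_state *state = &selinux_state;
 
-return state->policycap[POLICYDB_CAPABILITY_CGROUPSECLABEL];
+return READ_ONCE(state->policycap[POLICYDB_CAPABILITY_CGROUPSECLABEL]);
 }
 
 static inline bool selinux_policycap_nnp_nosuid_transition(void)
 {
 struct selinux_state *state = &selinux_state;
 
-return state->policycap[POLICYDB_CAPABILITY_NNP_NOSUID_TRANSITION];
+return READ_ONCE(state->policycap[POLICYDB_CAPABILITY_NNP_NOSUID_TRANSITION]);
 }
 
 static inline bool selinux_policycap_genfs_seclabel_symlinks(void)
 {
 struct selinux_state *state = &selinux_state;
 
-return state->policycap[POLICYDB_CAPABILITY_GENFS_SECLABEL_SYMLINKS];
+return READ_ONCE(state->policycap[POLICYDB_CAPABILITY_GENFS_SECLABEL_SYMLINKS]);
 }
 
 int security_mls_enabled(struct selinux_state *state);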
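Review bot: None of the seven accessors in this hunk says why a plain load of a bool needs READ_ONCE, so the next person adding a policy capability has nothing telling them the array is read without a lock and will likely copy the pre-patch form; a comment above the first accessor (whose signature line sits just outside the hunk) would pin the contract: `/* policycap[] is rewritten by security_load_policycaps() on every policy load, presumably concurrently with these lock-free readers; READ_ONCE() keeps each read single-copy atomic but provides no ordering against the policy switch itself */`. The "presumably" part should be confirmed against the load path before the comment is committed. As a point of style, the seven bodies differ only in the index, so a single `static inline bool selinux_policycap(unsigned int cap) { return READ_ONCE(selinux_state.policycap[cap]); }` with the named accessors delegating to it would make the READ_ONCE impossible to forget for the next capability.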

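--- a/security/selinux/ss/services.c
+++ b/security/selinux/ss/services.c
@@ -2123,7 +2123,8 @@ static void security_load_policycaps(struct selinux_state *state,
 p = &policy->policydb;
 
 for (i = 0; i < ARRAY_SIZE(state->policycap); i++)
-state->policycap[i] = ebitmap_get_bit(&p->policycaps, i);
+WRITE_ONCE(state->policycap[i],
+ebitmap_get_bit(&p->policycaps, i));
 
 for (i = 0; i < ARRAY_SIZE(selinux_policycap_names); i++)
 pr_info("SELinux: policy capability %s=%d\n",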
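Review bot: The WRITE_ONCE loop updates the capabilities one element at a time, so if readers really can run concurrently with this function, as the READ_ONCE side of the commit suggests, a reader can observe a mix of old and new capability values while the loop is in flight; that is presumably acceptable for independent booleans, but the hunk leaves it implicit. A comment on the loop would make the pairing and its limit explicit: `/* paired with READ_ONCE() in the selinux_policycap_*() accessors: each bool is updated atomically, but the array is not switched as a unit */`. security_load_policycaps() begins before this hunk and continues past it, so whether any lock is held here, and whether the pr_info loop below still reads state->policycap[i] with a plain load, cannot be confirmed from the visible lines.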
