[apparmor] [RFC][PATCH] ima: Use sequence number to wait for policy updates
Mimi Zohar
zohar at linux.ibm.com
Tue May 7 20:27:33 UTC 2024
Hi Roberto,
On Tue, 2024-05-07 at 11:32 +0200, Roberto Sassu wrote:
> On Tue, 2024-05-07 at 11:28 +0200, Roberto Sassu wrote:
> > From: Roberto Sassu <roberto.sassu at huawei.com>
> >
> > Maintain a global sequence number, and set it to individual policy rules,
> > when they are created.
>
> Just did an attempt, to see if this path is viable.
>
> This patch would be an alternative to:
>
> [PATCH v3] ima: Avoid blocking in RCU read-side critical section
Stephen had said,
"Sidebar: the refactoring of the SELinux policy loading logic may have
made it possible to revisit the approaches here to permit holding a
reference to the policy from which the rule was derived so that we
don't have to return -ESTALE in this scenario."
Removing -ESTALE would be the best solution. We could then remove the -ESTALE
detection.
I assume the change would be in selinux_policy_commit(). Instead of freeing the
old policy, define and increment a per-policy reference count for each
registered notifier callback.
	/* Free the old policy */
	synchronize_rcu();
	selinux_policy_free(oldpolicy);
	kfree(load_state->convert_data);

	/* Notify others of the policy change */
	selinux_notify_policy_change(seqno);
Mimi
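The reference-counting idea sketched in this reply, as an added user-space model that is not part of the thread, the IMA patch, or the kernel's SELinux code. Names such as policy_get/policy_put, rule_init, policy_commit and rule_match_pinned are invented for illustration; the point shown is that a rule pinning the policy it was derived from keeps that policy alive across a commit, so a match need not report -ESTALE, and the old policy is freed only when the last rule drops its reference:

```c
/* Added example: a user-space model of per-policy reference counting.
 * Not kernel code; all identifiers are hypothetical. */
#include <errno.h>
#include <stdatomic.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Counts policy objects actually freed, so lifetime is observable. */
static int policies_freed;

struct policy {
	atomic_int refcount;	/* one ref for the current pointer, one per rule */
	unsigned int seqno;	/* policy load sequence number */
	const char *label;	/* label string a rule is compiled against */
};

struct policy *policy_alloc(unsigned int seqno, const char *label)
{
	struct policy *p = calloc(1, sizeof(*p));

	if (!p)
		return NULL;
	atomic_init(&p->refcount, 1);
	p->seqno = seqno;
	p->label = label;
	return p;
}

struct policy *policy_get(struct policy *p)
{
	if (p)
		atomic_fetch_add(&p->refcount, 1);
	return p;
}

void policy_put(struct policy *p)
{
	if (p && atomic_fetch_sub(&p->refcount, 1) == 1) {
		free(p);
		policies_freed++;
	}
}

/* A rule holds a reference to the policy it was derived from. */
struct rule {
	struct policy *pol;
	char label[32];
};

int rule_init(struct rule *r, struct policy *cur)
{
	if (!cur)
		return -EINVAL;
	r->pol = policy_get(cur);
	snprintf(r->label, sizeof(r->label), "%s", cur->label);
	return 0;
}

void rule_release(struct rule *r)
{
	policy_put(r->pol);
	r->pol = NULL;
}

/* Swap in the new policy and drop only the current pointer's reference;
 * rules still referencing the old object keep it alive. */
int policy_commit(struct policy **cur, struct policy *newpol)
{
	struct policy *old = *cur;

	if (!newpol)
		return -EINVAL;
	*cur = newpol;
	policy_put(old);
	return 0;
}

/* Current-style check: a rule older than the loaded policy is stale. */
int rule_match_with_stale_check(const struct rule *r, const struct policy *cur)
{
	if (r->pol->seqno != cur->seqno)
		return -ESTALE;
	return strcmp(r->label, cur->label) == 0;
}

/* Pinned variant: evaluate against the policy the rule holds, never -ESTALE. */
int rule_match_pinned(const struct rule *r)
{
	return strcmp(r->label, r->pol->label) == 0;
}

/* Rebuild the rule against the current policy, releasing the old reference. */
int rule_refresh(struct rule *r, struct policy *cur)
{
	policy_put(r->pol);
	return rule_init(r, cur);
}

int main(void)
{
	struct policy *cur = policy_alloc(1, "system_u:object_r:etc_t");
	struct rule r;

	rule_init(&r, cur);
	policy_commit(&cur, policy_alloc(2, "system_u:object_r:etc_t"));
	printf("freed after commit: %d (rule still pins old policy)\n", policies_freed);
	printf("stale check: %d, pinned match: %d\n",
	       rule_match_with_stale_check(&r, cur), rule_match_pinned(&r));
	rule_refresh(&r, cur);
	printf("freed after refresh: %d\n", policies_freed);
	rule_release(&r);
	policy_put(cur);
	return 0;
}
```

The model deliberately keeps both match variants side by side: the seqno comparison is what produces -ESTALE today, while the pinned variant shows what becomes possible once the rule owns a reference. A real implementation would still need to decide when a rule re-derives itself against the new policy (rule_refresh here), since pinning alone means old policies stay resident until every rule has moved on.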