selinux: simplify away security_policydb_len()
author Ondrej Mosnacek <omosnace@redhat.com>
Thu, 27 Aug 2020 16:27:53 +0000 (18:27 +0200)
committer Paul Moore <paul@paul-moore.com>
Mon, 31 Aug 2020 14:00:14 +0000 (10:00 -0400)
Remove the security_policydb_len() calls from sel_open_policy() and
instead update the inode size from the size returned from
security_read_policy().

Since after this change security_policydb_len() is only called from
security_load_policy(), remove it entirely and just open-code it there.

Also, since security_load_policy() is always called with policy_mutex
held, make it dereference the policy pointer directly and drop the
unnecessary RCU locking.

Signed-off-by: Ondrej Mosnacek <omosnace@redhat.com>
Acked-by: Stephen Smalley <stephen.smalley.work@gmail.com>
Signed-off-by: Paul Moore <paul@paul-moore.com>
security/selinux/include/security.h
security/selinux/selinuxfs.c
security/selinux/ss/services.c

index bbbf7141ccdbc957c8bcafa0eedb6ad62b75e1a3..cbdd3c7aff8b289b975eed78ccb41d635da1bfda 100644 (file)
@@ -219,7 +219,6 @@ void selinux_policy_cancel(struct selinux_state *state,
                        struct selinux_policy *policy);
 int security_read_policy(struct selinux_state *state,
                         void **data, size_t *len);
-size_t security_policydb_len(struct selinux_state *state);
 
 int security_policycap_supported(struct selinux_state *state,
                                 unsigned int req_cap);
index 29567acdda2145a9b5d003b34dfd29790220a674..45e9efa9bf5bf5e74411388fd45ebc00ff228555 100644 (file)
@@ -415,16 +415,16 @@ static int sel_open_policy(struct inode *inode, struct file *filp)
        if (!plm)
                goto err;
 
-       if (i_size_read(inode) != security_policydb_len(state)) {
-               inode_lock(inode);
-               i_size_write(inode, security_policydb_len(state));
-               inode_unlock(inode);
-       }
-
        rc = security_read_policy(state, &plm->data, &plm->len);
        if (rc)
                goto err;
 
+       if ((size_t)i_size_read(inode) != plm->len) {
+               inode_lock(inode);
+               i_size_write(inode, plm->len);
+               inode_unlock(inode);
+       }
+
        fsi->policy_opened = 1;
 
        filp->private_data = plm;
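Review bot: The reason the i_size update now follows security_read_policy() instead of preceding it is not recorded in the code, so a later cleanup could swap the two back; a one-line comment above the new `if` would pin it, e.g. `/* Size the inode from the snapshot we actually serve, so i_size and plm->data cannot disagree. */`. plm->len is only meaningful when security_read_policy() succeeded, which the `goto err` just above guarantees. sel_open_policy() starts and ends outside this hunk, so whether policy_mutex is held across the read (which security_read_policy() now relies on) cannot be confirmed from here.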
index 85cfd46836c7e1f3e375e9c9fa39ae21efa180b9..8dc111fbe23aba23b9879e9cd4cdef7b09d877bd 100644 (file)
@@ -2328,22 +2328,6 @@ err_policy:
        return rc;
 }
 
-size_t security_policydb_len(struct selinux_state *state)
-{
-       struct selinux_policy *policy;
-       size_t len;
-
-       if (!selinux_initialized(state))
-               return 0;
-
-       rcu_read_lock();
-       policy = rcu_dereference(state->policy);
-       len = policy->policydb.len;
-       rcu_read_unlock();
-
-       return len;
-}
-
 /**
  * security_port_sid - Obtain the SID for a port.
  * @protocol: protocol number
@@ -3903,11 +3887,12 @@ int security_read_policy(struct selinux_state *state,
        int rc;
        struct policy_file fp;
 
-       if (!selinux_initialized(state))
+       policy = rcu_dereference_protected(
+                       state->policy, lockdep_is_held(&state->policy_mutex));
+       if (!policy)
                return -EINVAL;
 
-       *len = security_policydb_len(state);
-
+       *len = policy->policydb.len;
        *data = vmalloc_user(*len);
        if (!*data)
                return -ENOMEM;
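Review bot: The new rcu_dereference_protected() at the top of this hunk makes every caller of security_read_policy() responsible for holding state->policy_mutex, but the function carries no comment stating that contract; lockdep_is_held() only checks it on lockdep-enabled builds, and an unlocked caller would race a policy reload and read policy memory that may already be freed. Add `/* Caller must hold state->policy_mutex, so the policy cannot be replaced under us. */` above the dereference; the same requirement covers the next hunk, where the RCU read lock around policydb_write() is dropped. Replacing the selinux_initialized() check with `!policy` presumably has the same effect under the mutex, but that depends on state->policy being published only once initialization is complete, which is not visible here. The commit description names security_load_policy() as the function being changed, while the hunk header shows security_read_policy(); the function's signature and its tail lie outside these hunks.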
@@ -3915,11 +3900,7 @@ int security_read_policy(struct selinux_state *state,
        fp.data = *data;
        fp.len = *len;
 
-       rcu_read_lock();
-       policy = rcu_dereference(state->policy);
        rc = policydb_write(&policy->policydb, &fp);
-       rcu_read_unlock();
-
        if (rc)
                return rc;