selinux: pre-allocate the status page

cgzones · pcmoore · commit fc983171e4c8 · 2024-04-30T19:01:04.000-04:00
Since the status page is currently only allocated on first use, the sequence number of the initial policyload (i.e. 1) is not stored, leading to the observable sequence of 0, 2, 3, 4, ... Try to pre-allocate the status page during the initialization of the selinuxfs, so selinux_status_update_policyload() will set the sequence number. This brings the status page to return the actual sequence number for the initial policy load, which is also observable via the netlink socket. I could not find any occurrence where userspace depends on the actual value returned by selinux_status_policyload(3), thus the breakage should be unnoticed. Closes: https://lore.kernel.org/selinux/87o7fmua12.fsf@redhat.com/ Signed-off-by: Christian Göttsche <cgzones@googlemail.com> [PM: trimmed 'reported-by' that was missing an email] Signed-off-by: Paul Moore <paul@paul-moore.com>
diff --git a/security/selinux/selinuxfs.c b/security/selinux/selinuxfs.c
@@ -2161,6 +2161,12 @@ static int __init init_sel_fs(void)
 		selinux_null.dentry = NULL;
 	}
 
+	/*
+	 * Try to pre-allocate the status page, so the sequence number of the
+	 * initial policy load can be stored.
+	 */
+	(void) selinux_kernel_status_page();
+
 	return err;
 }
 

Original file line number	Diff line number	Diff line change
`@@ -2161,6 +2161,12 @@ static int __init init_sel_fs(void)`
`2161`	`2161`	`selinux_null.dentry = NULL;`
`2162`	`2162`	`}`
`2163`	`2163`
	`2164`	`+ /*`
	`2165`	`+ * Try to pre-allocate the status page, so the sequence number of the`
	`2166`	`+ * initial policy load can be stored.`
	`2167`	`+ */`
	`2168`	`+ (void) selinux_kernel_status_page();`
	`2169`	`+`
`2164`	`2170`	`return err;`
`2165`	`2171`	`}`
`2166`	`2172`