selinux: don't sleep when CONFIG_SECURITY_SELINUX_CHECKREQPROT_VALUE is true

Unfortunately commit 81200b0265b1 ("selinux: checkreqprot is
deprecated, add some ssleep() discomfort") added a five second sleep
during early kernel boot, e.g. start_kernel(), which could cause a
"scheduling while atomic" panic.  This patch fixes this problem by
moving the sleep out of checkreqprot_set() and into
sel_write_checkreqprot() so that we only sleep when the checkreqprot
setting is set during runtime, after the kernel has booted.  The
error message remains the same in both cases.

Fixes: 81200b0265b1 ("selinux: checkreqprot is deprecated, add some ssleep() discomfort")
Reported-by: J. Bruce Fields <bfields@fieldses.org>
Signed-off-by: Paul Moore <paul@paul-moore.com>

diff --git a/security/selinux/include/security.h b/security/selinux/include/security.h
index f7e6be63adfb9194485a41a2570d9a030211a004..393aff41d3ef89db689738b45b17f9d8c5958fb4 100644 (file)
--- a/security/selinux/include/security.h
+++ b/security/selinux/include/security.h
@@ -152,10 +152,8 @@ static inline bool checkreqprot_get(const struct selinux_state *state)
 
 static inline void checkreqprot_set(struct selinux_state *state, bool value)
 {
-       if (value) {
+       if (value)
                pr_err("SELinux: https://github.com/SELinuxProject/selinux-kernel/wiki/DEPRECATE-checkreqprot\n");
-               ssleep(5);
-       }
        WRITE_ONCE(state->checkreqprot, value);
 }
 

diff --git a/security/selinux/selinuxfs.c b/security/selinux/selinuxfs.c
index 6c8b6a0ddecf1b6d0e2d6e5fe8f51750155bdd8e..8fcdd494af273f402a073d948cb6d6879c98cc12 100644 (file)
--- a/security/selinux/selinuxfs.c
+++ b/security/selinux/selinuxfs.c
@@ -762,6 +762,8 @@ static ssize_t sel_write_checkreqprot(struct file *file, const char __user *buf,
        }
 
        checkreqprot_set(fsi->state, (new_value ? 1 : 0));
+       if (new_value)
+               ssleep(5);
        length = count;
 
        selinux_ima_measure_state(fsi->state);