From: Paul Moore Date: Thu, 14 Apr 2022 20:40:10 +0000 (-0400) Subject: selinux: don't sleep when CONFIG_SECURITY_SELINUX_CHECKREQPROT_VALUE is true X-Git-Tag: v5.19-rc1~196^2~8 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=6a9e261cbbee08c499f2331910027e8c40c8f81f;p=thirdparty%2Flinux.git selinux: don't sleep when CONFIG_SECURITY_SELINUX_CHECKREQPROT_VALUE is true Unfortunately commit 81200b0265b1 ("selinux: checkreqprot is deprecated, add some ssleep() discomfort") added a five second sleep during early kernel boot, e.g. start_kernel(), which could cause a "scheduling while atomic" panic. This patch fixes this problem by moving the sleep out of checkreqprot_set() and into sel_write_checkreqprot() so that we only sleep when the checkreqprot setting is set during runtime, after the kernel has booted. The error message remains the same in both cases. Fixes: 81200b0265b1 ("selinux: checkreqprot is deprecated, add some ssleep() discomfort") Reported-by: J. Bruce Fields Signed-off-by: Paul Moore --- diff --git a/security/selinux/include/security.h b/security/selinux/include/security.h index f7e6be63adfb9..393aff41d3ef8 100644 --- a/security/selinux/include/security.h +++ b/security/selinux/include/security.h @@ -152,10 +152,8 @@ static inline bool checkreqprot_get(const struct selinux_state *state) static inline void checkreqprot_set(struct selinux_state *state, bool value) { - if (value) { + if (value) pr_err("SELinux: https://github.com/SELinuxProject/selinux-kernel/wiki/DEPRECATE-checkreqprot\n"); - ssleep(5); - } WRITE_ONCE(state->checkreqprot, value); } diff --git a/security/selinux/selinuxfs.c b/security/selinux/selinuxfs.c index 6c8b6a0ddecf1..8fcdd494af273 100644 --- a/security/selinux/selinuxfs.c +++ b/security/selinux/selinuxfs.c @@ -762,6 +762,8 @@ static ssize_t sel_write_checkreqprot(struct file *file, const char __user *buf, } checkreqprot_set(fsi->state, (new_value ? 1 : 0)); + if (new_value) + ssleep(5); length = count; selinux_ima_measure_state(fsi->state);