selinux: don't sleep when CONFIG_SECURITY_SELINUX_CHECKREQPROT_VALUE …

…is true Unfortunately commit 81200b0 ("selinux: checkreqprot is deprecated, add some ssleep() discomfort") added a five second sleep during early kernel boot, e.g. start_kernel(), which could cause a "scheduling while atomic" panic. This patch fixes this problem by moving the sleep out of checkreqprot_set() and into sel_write_checkreqprot() so that we only sleep when the checkreqprot setting is set during runtime, after the kernel has booted. The error message remains the same in both cases. Fixes: 81200b0 ("selinux: checkreqprot is deprecated, add some ssleep() discomfort") Reported-by: J. Bruce Fields <bfields@fieldses.org> Signed-off-by: Paul Moore <paul@paul-moore.com>
roxell · Apr 14, 2022 · 6a9e261 · 6a9e261
1 parent 81200b0
commit 6a9e261
Show file tree

Hide file tree

Showing 2 changed files with 3 additions and 3 deletions.
diff --git a/security/selinux/include/security.h b/security/selinux/include/security.h
@@ -152,10 +152,8 @@ static inline bool checkreqprot_get(const struct selinux_state *state)
 
 static inline void checkreqprot_set(struct selinux_state *state, bool value)
 {
-	if (value) {
+	if (value)
 		pr_err("SELinux: https://github.com/SELinuxProject/selinux-kernel/wiki/DEPRECATE-checkreqprot\n");
-		ssleep(5);
-	}
 	WRITE_ONCE(state->checkreqprot, value);
 }
 

diff --git a/security/selinux/selinuxfs.c b/security/selinux/selinuxfs.c
@@ -762,6 +762,8 @@ static ssize_t sel_write_checkreqprot(struct file *file, const char __user *buf,
 	}
 
 	checkreqprot_set(fsi->state, (new_value ? 1 : 0));
+	if (new_value)
+		ssleep(5);
 	length = count;
 
 	selinux_ima_measure_state(fsi->state);