Re: [PATCH] context based audit filtering (take 3)

On Tue, 2006-02-21 at 17:59 -0600, Darrel Goeddel wrote: > - Add a selinux callback for re-initializing the se_rule field when there is > a policy reload. THIS NEEDS WORK - It doesn't obey proper locking yet, but > it is functional. I need to get my head around the locking of the audit > structures a little better - I'll also take suggestions ;) <snip> > @@ -726,3 +777,45 @@ unlock_and_return: > rcu_read_unlock(); > return result; > } > + > +static int selinux_callback(void) > +{ > + struct audit_entry *entry; > + int i, j, err = 0; > + > + /* TODO: add proper locking. */ > + for (i = 0; i < AUDIT_NR_FILTERS; i++) { > + list_for_each_entry(entry, &audit_filter_list[i], list) { > + for (j = 0; j < entry->rule.field_count; j++) { > + struct audit_field *f = &entry->rule.fields[j]; > + switch (f->type) { > + case AUDIT_SE_USER: > + case AUDIT_SE_ROLE: > + case AUDIT_SE_TYPE: > + case AUDIT_SE_SEN: > + case AUDIT_SE_CLR: > + selinux_audit_rule_free(f->se_rule); > + err = selinux_audit_rule_init(f->type, > + f->op, f->se_str, &f->se_rule); > + if (err == -EINVAL) { > + printk(KERN_WARNING "selinux audit rule for item %s is invalid\n", f->se_str); > + err = 0; > + } > + if (err) > + goto out; > + } > + } > + } > + } For RCU, you need to make a new copy of the entry, mutate the copy (not the original), list_replace_rcu the old original with the modified copy, and call_rcu to drop the original when it is safe to do so. Look at the SELinux AVC code for an example (avc_update_node).