lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <20091214163910.GA8502@us.ibm.com>
Date:	Mon, 14 Dec 2009 10:39:11 -0600
From:	"Serge E. Hallyn" <serue@...ibm.com>
To:	Tetsuo Handa <penguin-kernel@...ove.SAKURA.ne.jp>
Cc:	linux-security-module@...r.kernel.org, linux-kernel@...r.kernel.org
Subject: Re: [PATCH] TOMOYO: Use RCU primitives for list operation

Quoting Tetsuo Handa (penguin-kernel@...ove.SAKURA.ne.jp):
> Can somebody please review?

Thanks, Tetsuo!

Just out of curiosity (and bc I'm personally much more familiar with plain old
rcu), I assume you have a list of places where sleeping under rcu is necessary
or greatly simplifies/cleans up the code?

Acked-by: Serge Hallyn <serue@...ibm.com>

-serge

> ----------
> [PATCH] TOMOYO: Use RCU primitives for list operation
> 
> Currently, TOMOYO is using down_read() only for protecting ->prev member from
> writers. If we convert list operation using RCU primitives so that readers don't
> look at ->prev member, we can replace down_read() by srcu_read_lock().
> 
> tomoyo_read_lock()/tomoyo_read_unlock() (these are wrappers for
> srcu_read_lock()/srcu_read_unlock()) protects the data against the garbage
> collector (which will be added in the future). I call tomoyo_read_lock() when
> /sys/kernel/security/tomoyo/ interface is open()ed and call
> tomoyo_read_unlock() when /sys/kernel/security/tomoyo/ interface is close()d
> rather than calling tomoyo_read_lock()/tomoyo_read_unlock() upon individual
> read()/write() requests. In this way, the pointers saved in
> "struct tomoyo_io_buffer" are guaranteed to be valid. Please ignore
> 
>   warning: context imbalance in 'tomoyo_open_control' - wrong count at exit
>   warning: context imbalance in 'tomoyo_close_control' - unexpected unlock
> 
> messages when built with "C=1" option.
> 
> Signed-off-by: Tetsuo Handa <penguin-kernel@...ove.SAKURA.ne.jp>
> ---
>  common.c   |   90 +++++++++++++++++++++++++++----------------------
>  common.h   |   28 +++++++++++----
>  domain.c   |   63 ++++++++++++++++++++--------------
>  file.c     |  110 ++++++++++++++++++++++++++++++++++++++++++-------------------
>  realpath.c |    8 ++--
>  tomoyo.c   |   20 +++++++++--
>  6 files changed, 207 insertions(+), 112 deletions(-)
> 
> diff --git a/security/tomoyo/common.c b/security/tomoyo/common.c
> index 6c60616..f01b936 100644
> --- a/security/tomoyo/common.c
> +++ b/security/tomoyo/common.c
> @@ -365,10 +365,9 @@ bool tomoyo_is_domain_def(const unsigned char *buffer)
>   *
>   * @domainname: The domainname to find.
>   *
> - * Caller must call down_read(&tomoyo_domain_list_lock); or
> - * down_write(&tomoyo_domain_list_lock); .
> - *
>   * Returns pointer to "struct tomoyo_domain_info" if found, NULL otherwise.
> + *
> + * Caller holds tomoyo_read_lock().
>   */
>  struct tomoyo_domain_info *tomoyo_find_domain(const char *domainname)
>  {
> @@ -377,7 +376,7 @@ struct tomoyo_domain_info *tomoyo_find_domain(const char *domainname)
> 
>  	name.name = domainname;
>  	tomoyo_fill_path_info(&name);
> -	list_for_each_entry(domain, &tomoyo_domain_list, list) {
> +	list_for_each_entry_rcu(domain, &tomoyo_domain_list, list) {
>  		if (!domain->is_deleted &&
>  		    !tomoyo_pathcmp(&name, domain->domainname))
>  			return domain;
> @@ -829,6 +828,8 @@ bool tomoyo_verbose_mode(const struct tomoyo_domain_info *domain)
>   * @domain: Pointer to "struct tomoyo_domain_info".
>   *
>   * Returns true if the domain is not exceeded quota, false otherwise.
> + *
> + * Caller holds tomoyo_read_lock().
>   */
>  bool tomoyo_domain_quota_is_ok(struct tomoyo_domain_info * const domain)
>  {
> @@ -837,8 +838,7 @@ bool tomoyo_domain_quota_is_ok(struct tomoyo_domain_info * const domain)
> 
>  	if (!domain)
>  		return true;
> -	down_read(&tomoyo_domain_acl_info_list_lock);
> -	list_for_each_entry(ptr, &domain->acl_info_list, list) {
> +	list_for_each_entry_rcu(ptr, &domain->acl_info_list, list) {
>  		if (ptr->type & TOMOYO_ACL_DELETED)
>  			continue;
>  		switch (tomoyo_acl_type2(ptr)) {
> @@ -866,7 +866,6 @@ bool tomoyo_domain_quota_is_ok(struct tomoyo_domain_info * const domain)
>  			break;
>  		}
>  	}
> -	up_read(&tomoyo_domain_acl_info_list_lock);
>  	if (count < tomoyo_check_flags(domain, TOMOYO_MAX_ACCEPT_ENTRY))
>  		return true;
>  	if (!domain->quota_warned) {
> @@ -1096,6 +1095,8 @@ static DECLARE_RWSEM(tomoyo_policy_manager_list_lock);
>   * @is_delete: True if it is a delete request.
>   *
>   * Returns 0 on success, negative value otherwise.
> + *
> + * Caller holds tomoyo_read_lock().
>   */
>  static int tomoyo_update_manager_entry(const char *manager,
>  				       const bool is_delete)
> @@ -1118,7 +1119,7 @@ static int tomoyo_update_manager_entry(const char *manager,
>  	if (!saved_manager)
>  		return -ENOMEM;
>  	down_write(&tomoyo_policy_manager_list_lock);
> -	list_for_each_entry(ptr, &tomoyo_policy_manager_list, list) {
> +	list_for_each_entry_rcu(ptr, &tomoyo_policy_manager_list, list) {
>  		if (ptr->manager != saved_manager)
>  			continue;
>  		ptr->is_deleted = is_delete;
> @@ -1134,7 +1135,7 @@ static int tomoyo_update_manager_entry(const char *manager,
>  		goto out;
>  	new_entry->manager = saved_manager;
>  	new_entry->is_domain = is_domain;
> -	list_add_tail(&new_entry->list, &tomoyo_policy_manager_list);
> +	list_add_tail_rcu(&new_entry->list, &tomoyo_policy_manager_list);
>  	error = 0;
>   out:
>  	up_write(&tomoyo_policy_manager_list_lock);
> @@ -1147,6 +1148,8 @@ static int tomoyo_update_manager_entry(const char *manager,
>   * @head: Pointer to "struct tomoyo_io_buffer".
>   *
>   * Returns 0 on success, negative value otherwise.
> + *
> + * Caller holds tomoyo_read_lock().
>   */
>  static int tomoyo_write_manager_policy(struct tomoyo_io_buffer *head)
>  {
> @@ -1166,6 +1169,8 @@ static int tomoyo_write_manager_policy(struct tomoyo_io_buffer *head)
>   * @head: Pointer to "struct tomoyo_io_buffer".
>   *
>   * Returns 0.
> + *
> + * Caller holds tomoyo_read_lock().
>   */
>  static int tomoyo_read_manager_policy(struct tomoyo_io_buffer *head)
>  {
> @@ -1174,7 +1179,6 @@ static int tomoyo_read_manager_policy(struct tomoyo_io_buffer *head)
> 
>  	if (head->read_eof)
>  		return 0;
> -	down_read(&tomoyo_policy_manager_list_lock);
>  	list_for_each_cookie(pos, head->read_var2,
>  			     &tomoyo_policy_manager_list) {
>  		struct tomoyo_policy_manager_entry *ptr;
> @@ -1186,7 +1190,6 @@ static int tomoyo_read_manager_policy(struct tomoyo_io_buffer *head)
>  		if (!done)
>  			break;
>  	}
> -	up_read(&tomoyo_policy_manager_list_lock);
>  	head->read_eof = done;
>  	return 0;
>  }
> @@ -1196,6 +1199,8 @@ static int tomoyo_read_manager_policy(struct tomoyo_io_buffer *head)
>   *
>   * Returns true if the current process is permitted to modify policy
>   * via /sys/kernel/security/tomoyo/ interface.
> + *
> + * Caller holds tomoyo_read_lock().
>   */
>  static bool tomoyo_is_policy_manager(void)
>  {
> @@ -1209,29 +1214,25 @@ static bool tomoyo_is_policy_manager(void)
>  		return true;
>  	if (!tomoyo_manage_by_non_root && (task->cred->uid || task->cred->euid))
>  		return false;
> -	down_read(&tomoyo_policy_manager_list_lock);
> -	list_for_each_entry(ptr, &tomoyo_policy_manager_list, list) {
> +	list_for_each_entry_rcu(ptr, &tomoyo_policy_manager_list, list) {
>  		if (!ptr->is_deleted && ptr->is_domain
>  		    && !tomoyo_pathcmp(domainname, ptr->manager)) {
>  			found = true;
>  			break;
>  		}
>  	}
> -	up_read(&tomoyo_policy_manager_list_lock);
>  	if (found)
>  		return true;
>  	exe = tomoyo_get_exe();
>  	if (!exe)
>  		return false;
> -	down_read(&tomoyo_policy_manager_list_lock);
> -	list_for_each_entry(ptr, &tomoyo_policy_manager_list, list) {
> +	list_for_each_entry_rcu(ptr, &tomoyo_policy_manager_list, list) {
>  		if (!ptr->is_deleted && !ptr->is_domain
>  		    && !strcmp(exe, ptr->manager->name)) {
>  			found = true;
>  			break;
>  		}
>  	}
> -	up_read(&tomoyo_policy_manager_list_lock);
>  	if (!found) { /* Reduce error messages. */
>  		static pid_t last_pid;
>  		const pid_t pid = current->pid;
> @@ -1252,6 +1253,8 @@ static bool tomoyo_is_policy_manager(void)
>   * @data: String to parse.
>   *
>   * Returns true on success, false otherwise.
> + *
> + * Caller holds tomoyo_read_lock().
>   */
>  static bool tomoyo_is_select_one(struct tomoyo_io_buffer *head,
>  				 const char *data)
> @@ -1267,11 +1270,8 @@ static bool tomoyo_is_select_one(struct tomoyo_io_buffer *head,
>  			domain = tomoyo_real_domain(p);
>  		read_unlock(&tasklist_lock);
>  	} else if (!strncmp(data, "domain=", 7)) {
> -		if (tomoyo_is_domain_def(data + 7)) {
> -			down_read(&tomoyo_domain_list_lock);
> +		if (tomoyo_is_domain_def(data + 7))
>  			domain = tomoyo_find_domain(data + 7);
> -			up_read(&tomoyo_domain_list_lock);
> -		}
>  	} else
>  		return false;
>  	head->write_var1 = domain;
> @@ -1285,13 +1285,11 @@ static bool tomoyo_is_select_one(struct tomoyo_io_buffer *head,
>  	if (domain) {
>  		struct tomoyo_domain_info *d;
>  		head->read_var1 = NULL;
> -		down_read(&tomoyo_domain_list_lock);
> -		list_for_each_entry(d, &tomoyo_domain_list, list) {
> +		list_for_each_entry_rcu(d, &tomoyo_domain_list, list) {
>  			if (d == domain)
>  				break;
>  			head->read_var1 = &d->list;
>  		}
> -		up_read(&tomoyo_domain_list_lock);
>  		head->read_var2 = NULL;
>  		head->read_bit = 0;
>  		head->read_step = 0;
> @@ -1307,6 +1305,8 @@ static bool tomoyo_is_select_one(struct tomoyo_io_buffer *head,
>   * @domainname: The name of domain.
>   *
>   * Returns 0.
> + *
> + * Caller holds tomoyo_read_lock().
>   */
>  static int tomoyo_delete_domain(char *domainname)
>  {
> @@ -1317,7 +1317,7 @@ static int tomoyo_delete_domain(char *domainname)
>  	tomoyo_fill_path_info(&name);
>  	down_write(&tomoyo_domain_list_lock);
>  	/* Is there an active domain? */
> -	list_for_each_entry(domain, &tomoyo_domain_list, list) {
> +	list_for_each_entry_rcu(domain, &tomoyo_domain_list, list) {
>  		/* Never delete tomoyo_kernel_domain */
>  		if (domain == &tomoyo_kernel_domain)
>  			continue;
> @@ -1337,6 +1337,8 @@ static int tomoyo_delete_domain(char *domainname)
>   * @head: Pointer to "struct tomoyo_io_buffer".
>   *
>   * Returns 0 on success, negative value otherwise.
> + *
> + * Caller holds tomoyo_read_lock().
>   */
>  static int tomoyo_write_domain_policy(struct tomoyo_io_buffer *head)
>  {
> @@ -1359,11 +1361,9 @@ static int tomoyo_write_domain_policy(struct tomoyo_io_buffer *head)
>  		domain = NULL;
>  		if (is_delete)
>  			tomoyo_delete_domain(data);
> -		else if (is_select) {
> -			down_read(&tomoyo_domain_list_lock);
> +		else if (is_select)
>  			domain = tomoyo_find_domain(data);
> -			up_read(&tomoyo_domain_list_lock);
> -		} else
> +		else
>  			domain = tomoyo_find_or_assign_new_domain(data, 0);
>  		head->write_var1 = domain;
>  		return 0;
> @@ -1508,6 +1508,8 @@ static bool tomoyo_print_entry(struct tomoyo_io_buffer *head,
>   * @head: Pointer to "struct tomoyo_io_buffer".
>   *
>   * Returns 0.
> + *
> + * Caller holds tomoyo_read_lock().
>   */
>  static int tomoyo_read_domain_policy(struct tomoyo_io_buffer *head)
>  {
> @@ -1519,7 +1521,6 @@ static int tomoyo_read_domain_policy(struct tomoyo_io_buffer *head)
>  		return 0;
>  	if (head->read_step == 0)
>  		head->read_step = 1;
> -	down_read(&tomoyo_domain_list_lock);
>  	list_for_each_cookie(dpos, head->read_var1, &tomoyo_domain_list) {
>  		struct tomoyo_domain_info *domain;
>  		const char *quota_exceeded = "";
> @@ -1552,7 +1553,6 @@ acl_loop:
>  		if (head->read_step == 3)
>  			goto tail_mark;
>  		/* Print ACL entries in the domain. */
> -		down_read(&tomoyo_domain_acl_info_list_lock);
>  		list_for_each_cookie(apos, head->read_var2,
>  				     &domain->acl_info_list) {
>  			struct tomoyo_acl_info *ptr
> @@ -1562,7 +1562,6 @@ acl_loop:
>  			if (!done)
>  				break;
>  		}
> -		up_read(&tomoyo_domain_acl_info_list_lock);
>  		if (!done)
>  			break;
>  		head->read_step = 3;
> @@ -1574,7 +1573,6 @@ tail_mark:
>  		if (head->read_single_domain)
>  			break;
>  	}
> -	up_read(&tomoyo_domain_list_lock);
>  	head->read_eof = done;
>  	return 0;
>  }
> @@ -1590,6 +1588,8 @@ tail_mark:
>   *
>   *     ( echo "select " $domainname; echo "use_profile " $profile ) |
>   *     /usr/lib/ccs/loadpolicy -d
> + *
> + * Caller holds tomoyo_read_lock().
>   */
>  static int tomoyo_write_domain_profile(struct tomoyo_io_buffer *head)
>  {
> @@ -1601,9 +1601,7 @@ static int tomoyo_write_domain_profile(struct tomoyo_io_buffer *head)
>  	if (!cp)
>  		return -EINVAL;
>  	*cp = '\0';
> -	down_read(&tomoyo_domain_list_lock);
>  	domain = tomoyo_find_domain(cp + 1);
> -	up_read(&tomoyo_domain_list_lock);
>  	if (strict_strtoul(data, 10, &profile))
>  		return -EINVAL;
>  	if (domain && profile < TOMOYO_MAX_PROFILES
> @@ -1625,6 +1623,8 @@ static int tomoyo_write_domain_profile(struct tomoyo_io_buffer *head)
>   *     awk ' { if ( domainname == "" ) { if ( $1 == "<kernel>" )
>   *     domainname = $0; } else if ( $1 == "use_profile" ) {
>   *     print $2 " " domainname; domainname = ""; } } ; '
> + *
> + * Caller holds tomoyo_read_lock().
>   */
>  static int tomoyo_read_domain_profile(struct tomoyo_io_buffer *head)
>  {
> @@ -1633,7 +1633,6 @@ static int tomoyo_read_domain_profile(struct tomoyo_io_buffer *head)
> 
>  	if (head->read_eof)
>  		return 0;
> -	down_read(&tomoyo_domain_list_lock);
>  	list_for_each_cookie(pos, head->read_var1, &tomoyo_domain_list) {
>  		struct tomoyo_domain_info *domain;
>  		domain = list_entry(pos, struct tomoyo_domain_info, list);
> @@ -1644,7 +1643,6 @@ static int tomoyo_read_domain_profile(struct tomoyo_io_buffer *head)
>  		if (!done)
>  			break;
>  	}
> -	up_read(&tomoyo_domain_list_lock);
>  	head->read_eof = done;
>  	return 0;
>  }
> @@ -1701,6 +1699,8 @@ static int tomoyo_read_pid(struct tomoyo_io_buffer *head)
>   * @head: Pointer to "struct tomoyo_io_buffer".
>   *
>   * Returns 0 on success, negative value otherwise.
> + *
> + * Caller holds tomoyo_read_lock().
>   */
>  static int tomoyo_write_exception_policy(struct tomoyo_io_buffer *head)
>  {
> @@ -1735,6 +1735,8 @@ static int tomoyo_write_exception_policy(struct tomoyo_io_buffer *head)
>   * @head: Pointer to "struct tomoyo_io_buffer".
>   *
>   * Returns 0 on success, -EINVAL otherwise.
> + *
> + * Caller holds tomoyo_read_lock().
>   */
>  static int tomoyo_read_exception_policy(struct tomoyo_io_buffer *head)
>  {
> @@ -1864,15 +1866,13 @@ void tomoyo_load_policy(const char *filename)
>  	tomoyo_policy_loaded = true;
>  	{ /* Check all profiles currently assigned to domains are defined. */
>  		struct tomoyo_domain_info *domain;
> -		down_read(&tomoyo_domain_list_lock);
> -		list_for_each_entry(domain, &tomoyo_domain_list, list) {
> +		list_for_each_entry_rcu(domain, &tomoyo_domain_list, list) {
>  			const u8 profile = domain->profile;
>  			if (tomoyo_profile_ptr[profile])
>  				continue;
>  			panic("Profile %u (used by '%s') not defined.\n",
>  			      profile, domain->domainname->name);
>  		}
> -		up_read(&tomoyo_domain_list_lock);
>  	}
>  }
> 
> @@ -1920,6 +1920,8 @@ static int tomoyo_read_self_domain(struct tomoyo_io_buffer *head)
>   * @file: Pointer to "struct file".
>   *
>   * Associates policy handler and returns 0 on success, -ENOMEM otherwise.
> + *
> + * Caller acquires tomoyo_read_lock().
>   */
>  static int tomoyo_open_control(const u8 type, struct file *file)
>  {
> @@ -2005,6 +2007,7 @@ static int tomoyo_open_control(const u8 type, struct file *file)
>  			return -ENOMEM;
>  		}
>  	}
> +	head->reader_idx = tomoyo_read_lock();
>  	file->private_data = head;
>  	/*
>  	 * Call the handler now if the file is
> @@ -2026,6 +2029,8 @@ static int tomoyo_open_control(const u8 type, struct file *file)
>   * @buffer_len: Size of @buffer.
>   *
>   * Returns bytes read on success, negative value otherwise.
> + *
> + * Caller holds tomoyo_read_lock().
>   */
>  static int tomoyo_read_control(struct file *file, char __user *buffer,
>  			       const int buffer_len)
> @@ -2069,6 +2074,8 @@ static int tomoyo_read_control(struct file *file, char __user *buffer,
>   * @buffer_len: Size of @buffer.
>   *
>   * Returns @buffer_len on success, negative value otherwise.
> + *
> + * Caller holds tomoyo_read_lock().
>   */
>  static int tomoyo_write_control(struct file *file, const char __user *buffer,
>  				const int buffer_len)
> @@ -2119,11 +2126,14 @@ static int tomoyo_write_control(struct file *file, const char __user *buffer,
>   * @file: Pointer to "struct file".
>   *
>   * Releases memory and returns 0.
> + *
> + * Caller looses tomoyo_read_lock().
>   */
>  static int tomoyo_close_control(struct file *file)
>  {
>  	struct tomoyo_io_buffer *head = file->private_data;
> 
> +	tomoyo_read_unlock(head->reader_idx);
>  	/* Release memory used for policy I/O. */
>  	tomoyo_free(head->read_buf);
>  	head->read_buf = NULL;
> diff --git a/security/tomoyo/common.h b/security/tomoyo/common.h
> index bd10f9f..c6f1392 100644
> --- a/security/tomoyo/common.h
> +++ b/security/tomoyo/common.h
> @@ -269,6 +269,8 @@ struct tomoyo_io_buffer {
>  	int (*write) (struct tomoyo_io_buffer *);
>  	/* Exclusive lock for this structure.   */
>  	struct mutex io_sem;
> +	/* Index returned by tomoyo_read_lock(). */
> +	int reader_idx;
>  	/* The position currently reading from. */
>  	struct list_head *read_var1;
>  	/* Extra variables for reading.         */
> @@ -446,16 +448,28 @@ extern struct tomoyo_domain_info tomoyo_kernel_domain;
>   * @cookie:     the &struct list_head to use as a cookie.
>   * @head:       the head for your list.
>   *
> - * Same with list_for_each() except that this primitive uses @cookie
> + * Same with list_for_each_rcu() except that this primitive uses @cookie
>   * so that we can continue iteration.
>   * @cookie must be NULL when iteration starts, and @cookie will become
>   * NULL when iteration finishes.
>   */
> -#define list_for_each_cookie(pos, cookie, head)                       \
> -	for (({ if (!cookie)                                          \
> -				     cookie = head; }),               \
> -	     pos = (cookie)->next;                                    \
> -	     prefetch(pos->next), pos != (head) || ((cookie) = NULL); \
> -	     (cookie) = pos, pos = pos->next)
> +#define list_for_each_cookie(pos, cookie, head)				\
> +	for (({ if (!cookie)						\
> +				     cookie = head; }),			\
> +		     pos = rcu_dereference((cookie)->next);		\
> +	     prefetch(pos->next), pos != (head) || ((cookie) = NULL);	\
> +	     (cookie) = pos, pos = rcu_dereference(pos->next))
> +
> +extern struct srcu_struct tomoyo_ss;
> +
> +static inline int tomoyo_read_lock(void)
> +{
> +	return srcu_read_lock(&tomoyo_ss);
> +}
> +
> +static inline void tomoyo_read_unlock(int idx)
> +{
> +	srcu_read_unlock(&tomoyo_ss, idx);
> +}
> 
>  #endif /* !defined(_SECURITY_TOMOYO_COMMON_H) */
> diff --git a/security/tomoyo/domain.c b/security/tomoyo/domain.c
> index fcf52ac..2fd1901 100644
> --- a/security/tomoyo/domain.c
> +++ b/security/tomoyo/domain.c
> @@ -217,6 +217,8 @@ static DECLARE_RWSEM(tomoyo_domain_initializer_list_lock);
>   * @is_delete:  True if it is a delete request.
>   *
>   * Returns 0 on success, negative value otherwise.
> + *
> + * Caller holds tomoyo_read_lock().
>   */
>  static int tomoyo_update_domain_initializer_entry(const char *domainname,
>  						  const char *program,
> @@ -246,7 +248,7 @@ static int tomoyo_update_domain_initializer_entry(const char *domainname,
>  	if (!saved_program)
>  		return -ENOMEM;
>  	down_write(&tomoyo_domain_initializer_list_lock);
> -	list_for_each_entry(ptr, &tomoyo_domain_initializer_list, list) {
> +	list_for_each_entry_rcu(ptr, &tomoyo_domain_initializer_list, list) {
>  		if (ptr->is_not != is_not ||
>  		    ptr->domainname != saved_domainname ||
>  		    ptr->program != saved_program)
> @@ -266,7 +268,7 @@ static int tomoyo_update_domain_initializer_entry(const char *domainname,
>  	new_entry->program = saved_program;
>  	new_entry->is_not = is_not;
>  	new_entry->is_last_name = is_last_name;
> -	list_add_tail(&new_entry->list, &tomoyo_domain_initializer_list);
> +	list_add_tail_rcu(&new_entry->list, &tomoyo_domain_initializer_list);
>  	error = 0;
>   out:
>  	up_write(&tomoyo_domain_initializer_list_lock);
> @@ -279,13 +281,14 @@ static int tomoyo_update_domain_initializer_entry(const char *domainname,
>   * @head: Pointer to "struct tomoyo_io_buffer".
>   *
>   * Returns true on success, false otherwise.
> + *
> + * Caller holds tomoyo_read_lock().
>   */
>  bool tomoyo_read_domain_initializer_policy(struct tomoyo_io_buffer *head)
>  {
>  	struct list_head *pos;
>  	bool done = true;
> 
> -	down_read(&tomoyo_domain_initializer_list_lock);
>  	list_for_each_cookie(pos, head->read_var2,
>  			     &tomoyo_domain_initializer_list) {
>  		const char *no;
> @@ -308,7 +311,6 @@ bool tomoyo_read_domain_initializer_policy(struct tomoyo_io_buffer *head)
>  		if (!done)
>  			break;
>  	}
> -	up_read(&tomoyo_domain_initializer_list_lock);
>  	return done;
>  }
> 
> @@ -320,6 +322,8 @@ bool tomoyo_read_domain_initializer_policy(struct tomoyo_io_buffer *head)
>   * @is_delete: True if it is a delete request.
>   *
>   * Returns 0 on success, negative value otherwise.
> + *
> + * Caller holds tomoyo_read_lock().
>   */
>  int tomoyo_write_domain_initializer_policy(char *data, const bool is_not,
>  					   const bool is_delete)
> @@ -345,6 +349,8 @@ int tomoyo_write_domain_initializer_policy(char *data, const bool is_not,
>   *
>   * Returns true if executing @program reinitializes domain transition,
>   * false otherwise.
> + *
> + * Caller holds tomoyo_read_lock().
>   */
>  static bool tomoyo_is_domain_initializer(const struct tomoyo_path_info *
>  					 domainname,
> @@ -355,8 +361,7 @@ static bool tomoyo_is_domain_initializer(const struct tomoyo_path_info *
>  	struct tomoyo_domain_initializer_entry *ptr;
>  	bool flag = false;
> 
> -	down_read(&tomoyo_domain_initializer_list_lock);
> -	list_for_each_entry(ptr,  &tomoyo_domain_initializer_list, list) {
> +	list_for_each_entry_rcu(ptr, &tomoyo_domain_initializer_list, list) {
>  		if (ptr->is_deleted)
>  			continue;
>  		if (ptr->domainname) {
> @@ -376,7 +381,6 @@ static bool tomoyo_is_domain_initializer(const struct tomoyo_path_info *
>  		}
>  		flag = true;
>  	}
> -	up_read(&tomoyo_domain_initializer_list_lock);
>  	return flag;
>  }
> 
> @@ -430,6 +434,8 @@ static DECLARE_RWSEM(tomoyo_domain_keeper_list_lock);
>   * @is_delete:  True if it is a delete request.
>   *
>   * Returns 0 on success, negative value otherwise.
> + *
> + * Caller holds tomoyo_read_lock().
>   */
>  static int tomoyo_update_domain_keeper_entry(const char *domainname,
>  					     const char *program,
> @@ -459,7 +465,7 @@ static int tomoyo_update_domain_keeper_entry(const char *domainname,
>  	if (!saved_domainname)
>  		return -ENOMEM;
>  	down_write(&tomoyo_domain_keeper_list_lock);
> -	list_for_each_entry(ptr, &tomoyo_domain_keeper_list, list) {
> +	list_for_each_entry_rcu(ptr, &tomoyo_domain_keeper_list, list) {
>  		if (ptr->is_not != is_not ||
>  		    ptr->domainname != saved_domainname ||
>  		    ptr->program != saved_program)
> @@ -479,7 +485,7 @@ static int tomoyo_update_domain_keeper_entry(const char *domainname,
>  	new_entry->program = saved_program;
>  	new_entry->is_not = is_not;
>  	new_entry->is_last_name = is_last_name;
> -	list_add_tail(&new_entry->list, &tomoyo_domain_keeper_list);
> +	list_add_tail_rcu(&new_entry->list, &tomoyo_domain_keeper_list);
>  	error = 0;
>   out:
>  	up_write(&tomoyo_domain_keeper_list_lock);
> @@ -493,6 +499,7 @@ static int tomoyo_update_domain_keeper_entry(const char *domainname,
>   * @is_not:    True if it is "no_keep_domain" entry.
>   * @is_delete: True if it is a delete request.
>   *
> + * Caller holds tomoyo_read_lock().
>   */
>  int tomoyo_write_domain_keeper_policy(char *data, const bool is_not,
>  				      const bool is_delete)
> @@ -513,13 +520,14 @@ int tomoyo_write_domain_keeper_policy(char *data, const bool is_not,
>   * @head: Pointer to "struct tomoyo_io_buffer".
>   *
>   * Returns true on success, false otherwise.
> + *
> + * Caller holds tomoyo_read_lock().
>   */
>  bool tomoyo_read_domain_keeper_policy(struct tomoyo_io_buffer *head)
>  {
>  	struct list_head *pos;
>  	bool done = true;
> 
> -	down_read(&tomoyo_domain_keeper_list_lock);
>  	list_for_each_cookie(pos, head->read_var2,
>  			     &tomoyo_domain_keeper_list) {
>  		struct tomoyo_domain_keeper_entry *ptr;
> @@ -542,7 +550,6 @@ bool tomoyo_read_domain_keeper_policy(struct tomoyo_io_buffer *head)
>  		if (!done)
>  			break;
>  	}
> -	up_read(&tomoyo_domain_keeper_list_lock);
>  	return done;
>  }
> 
> @@ -555,6 +562,8 @@ bool tomoyo_read_domain_keeper_policy(struct tomoyo_io_buffer *head)
>   *
>   * Returns true if executing @program supresses domain transition,
>   * false otherwise.
> + *
> + * Caller holds tomoyo_read_lock().
>   */
>  static bool tomoyo_is_domain_keeper(const struct tomoyo_path_info *domainname,
>  				    const struct tomoyo_path_info *program,
> @@ -563,8 +572,7 @@ static bool tomoyo_is_domain_keeper(const struct tomoyo_path_info *domainname,
>  	struct tomoyo_domain_keeper_entry *ptr;
>  	bool flag = false;
> 
> -	down_read(&tomoyo_domain_keeper_list_lock);
> -	list_for_each_entry(ptr, &tomoyo_domain_keeper_list, list) {
> +	list_for_each_entry_rcu(ptr, &tomoyo_domain_keeper_list, list) {
>  		if (ptr->is_deleted)
>  			continue;
>  		if (!ptr->is_last_name) {
> @@ -582,7 +590,6 @@ static bool tomoyo_is_domain_keeper(const struct tomoyo_path_info *domainname,
>  		}
>  		flag = true;
>  	}
> -	up_read(&tomoyo_domain_keeper_list_lock);
>  	return flag;
>  }
> 
> @@ -627,6 +634,8 @@ static DECLARE_RWSEM(tomoyo_alias_list_lock);
>   * @is_delete:     True if it is a delete request.
>   *
>   * Returns 0 on success, negative value otherwise.
> + *
> + * Caller holds tomoyo_read_lock().
>   */
>  static int tomoyo_update_alias_entry(const char *original_name,
>  				     const char *aliased_name,
> @@ -646,7 +655,7 @@ static int tomoyo_update_alias_entry(const char *original_name,
>  	if (!saved_original_name || !saved_aliased_name)
>  		return -ENOMEM;
>  	down_write(&tomoyo_alias_list_lock);
> -	list_for_each_entry(ptr, &tomoyo_alias_list, list) {
> +	list_for_each_entry_rcu(ptr, &tomoyo_alias_list, list) {
>  		if (ptr->original_name != saved_original_name ||
>  		    ptr->aliased_name != saved_aliased_name)
>  			continue;
> @@ -663,7 +672,7 @@ static int tomoyo_update_alias_entry(const char *original_name,
>  		goto out;
>  	new_entry->original_name = saved_original_name;
>  	new_entry->aliased_name = saved_aliased_name;
> -	list_add_tail(&new_entry->list, &tomoyo_alias_list);
> +	list_add_tail_rcu(&new_entry->list, &tomoyo_alias_list);
>  	error = 0;
>   out:
>  	up_write(&tomoyo_alias_list_lock);
> @@ -676,13 +685,14 @@ static int tomoyo_update_alias_entry(const char *original_name,
>   * @head: Pointer to "struct tomoyo_io_buffer".
>   *
>   * Returns true on success, false otherwise.
> + *
> + * Caller holds tomoyo_read_lock().
>   */
>  bool tomoyo_read_alias_policy(struct tomoyo_io_buffer *head)
>  {
>  	struct list_head *pos;
>  	bool done = true;
> 
> -	down_read(&tomoyo_alias_list_lock);
>  	list_for_each_cookie(pos, head->read_var2, &tomoyo_alias_list) {
>  		struct tomoyo_alias_entry *ptr;
> 
> @@ -695,7 +705,6 @@ bool tomoyo_read_alias_policy(struct tomoyo_io_buffer *head)
>  		if (!done)
>  			break;
>  	}
> -	up_read(&tomoyo_alias_list_lock);
>  	return done;
>  }
> 
> @@ -706,6 +715,8 @@ bool tomoyo_read_alias_policy(struct tomoyo_io_buffer *head)
>   * @is_delete: True if it is a delete request.
>   *
>   * Returns 0 on success, negative value otherwise.
> + *
> + * Caller holds tomoyo_read_lock().
>   */
>  int tomoyo_write_alias_policy(char *data, const bool is_delete)
>  {
> @@ -724,6 +735,8 @@ int tomoyo_write_alias_policy(char *data, const bool is_delete)
>   * @profile:    Profile number to assign if the domain was newly created.
>   *
>   * Returns pointer to "struct tomoyo_domain_info" on success, NULL otherwise.
> + *
> + * Caller holds tomoyo_read_lock().
>   */
>  struct tomoyo_domain_info *tomoyo_find_or_assign_new_domain(const char *
>  							    domainname,
> @@ -742,7 +755,7 @@ struct tomoyo_domain_info *tomoyo_find_or_assign_new_domain(const char *
>  	if (!saved_domainname)
>  		goto out;
>  	/* Can I reuse memory of deleted domain? */
> -	list_for_each_entry(domain, &tomoyo_domain_list, list) {
> +	list_for_each_entry_rcu(domain, &tomoyo_domain_list, list) {
>  		struct task_struct *p;
>  		struct tomoyo_acl_info *ptr;
>  		bool flag;
> @@ -760,7 +773,7 @@ struct tomoyo_domain_info *tomoyo_find_or_assign_new_domain(const char *
>  		read_unlock(&tasklist_lock);
>  		if (flag)
>  			continue;
> -		list_for_each_entry(ptr, &domain->acl_info_list, list) {
> +		list_for_each_entry_rcu(ptr, &domain->acl_info_list, list) {
>  			ptr->type |= TOMOYO_ACL_DELETED;
>  		}
>  		tomoyo_set_domain_flag(domain, true, domain->flags);
> @@ -776,7 +789,7 @@ struct tomoyo_domain_info *tomoyo_find_or_assign_new_domain(const char *
>  		INIT_LIST_HEAD(&domain->acl_info_list);
>  		domain->domainname = saved_domainname;
>  		domain->profile = profile;
> -		list_add_tail(&domain->list, &tomoyo_domain_list);
> +		list_add_tail_rcu(&domain->list, &tomoyo_domain_list);
>  	}
>   out:
>  	up_write(&tomoyo_domain_list_lock);
> @@ -789,6 +802,8 @@ struct tomoyo_domain_info *tomoyo_find_or_assign_new_domain(const char *
>   * @bprm: Pointer to "struct linux_binprm".
>   *
>   * Returns 0 on success, negative value otherwise.
> + *
> + * Caller holds tomoyo_read_lock().
>   */
>  int tomoyo_find_next_domain(struct linux_binprm *bprm)
>  {
> @@ -849,8 +864,7 @@ int tomoyo_find_next_domain(struct linux_binprm *bprm)
>  	if (tomoyo_pathcmp(&r, &s)) {
>  		struct tomoyo_alias_entry *ptr;
>  		/* Is this program allowed to be called via symbolic links? */
> -		down_read(&tomoyo_alias_list_lock);
> -		list_for_each_entry(ptr, &tomoyo_alias_list, list) {
> +		list_for_each_entry_rcu(ptr, &tomoyo_alias_list, list) {
>  			if (ptr->is_deleted ||
>  			    tomoyo_pathcmp(&r, ptr->original_name) ||
>  			    tomoyo_pathcmp(&s, ptr->aliased_name))
> @@ -861,7 +875,6 @@ int tomoyo_find_next_domain(struct linux_binprm *bprm)
>  			tomoyo_fill_path_info(&r);
>  			break;
>  		}
> -		up_read(&tomoyo_alias_list_lock);
>  	}
> 
>  	/* Check execute permission. */
> @@ -892,9 +905,7 @@ int tomoyo_find_next_domain(struct linux_binprm *bprm)
>  	}
>  	if (domain || strlen(new_domain_name) >= TOMOYO_MAX_PATHNAME_LEN)
>  		goto done;
> -	down_read(&tomoyo_domain_list_lock);
>  	domain = tomoyo_find_domain(new_domain_name);
> -	up_read(&tomoyo_domain_list_lock);
>  	if (domain)
>  		goto done;
>  	if (is_enforce)
> diff --git a/security/tomoyo/file.c b/security/tomoyo/file.c
> index 482f0e7..3c47286 100644
> --- a/security/tomoyo/file.c
> +++ b/security/tomoyo/file.c
> @@ -213,6 +213,8 @@ static DECLARE_RWSEM(tomoyo_globally_readable_list_lock);
>   * @is_delete: True if it is a delete request.
>   *
>   * Returns 0 on success, negative value otherwise.
> + *
> + * Caller holds tomoyo_read_lock().
>   */
>  static int tomoyo_update_globally_readable_entry(const char *filename,
>  						 const bool is_delete)
> @@ -228,7 +230,7 @@ static int tomoyo_update_globally_readable_entry(const char *filename,
>  	if (!saved_filename)
>  		return -ENOMEM;
>  	down_write(&tomoyo_globally_readable_list_lock);
> -	list_for_each_entry(ptr, &tomoyo_globally_readable_list, list) {
> +	list_for_each_entry_rcu(ptr, &tomoyo_globally_readable_list, list) {
>  		if (ptr->filename != saved_filename)
>  			continue;
>  		ptr->is_deleted = is_delete;
> @@ -243,7 +245,7 @@ static int tomoyo_update_globally_readable_entry(const char *filename,
>  	if (!new_entry)
>  		goto out;
>  	new_entry->filename = saved_filename;
> -	list_add_tail(&new_entry->list, &tomoyo_globally_readable_list);
> +	list_add_tail_rcu(&new_entry->list, &tomoyo_globally_readable_list);
>  	error = 0;
>   out:
>  	up_write(&tomoyo_globally_readable_list_lock);
> @@ -256,21 +258,22 @@ static int tomoyo_update_globally_readable_entry(const char *filename,
>   * @filename: The filename to check.
>   *
>   * Returns true if any domain can open @filename for reading, false otherwise.
> + *
> + * Caller holds tomoyo_read_lock().
>   */
>  static bool tomoyo_is_globally_readable_file(const struct tomoyo_path_info *
>  					     filename)
>  {
>  	struct tomoyo_globally_readable_file_entry *ptr;
>  	bool found = false;
> -	down_read(&tomoyo_globally_readable_list_lock);
> -	list_for_each_entry(ptr, &tomoyo_globally_readable_list, list) {
> +
> +	list_for_each_entry_rcu(ptr, &tomoyo_globally_readable_list, list) {
>  		if (!ptr->is_deleted &&
>  		    tomoyo_path_matches_pattern(filename, ptr->filename)) {
>  			found = true;
>  			break;
>  		}
>  	}
> -	up_read(&tomoyo_globally_readable_list_lock);
>  	return found;
>  }
> 
> @@ -281,6 +284,8 @@ static bool tomoyo_is_globally_readable_file(const struct tomoyo_path_info *
>   * @is_delete: True if it is a delete request.
>   *
>   * Returns 0 on success, negative value otherwise.
> + *
> + * Caller holds tomoyo_read_lock().
>   */
>  int tomoyo_write_globally_readable_policy(char *data, const bool is_delete)
>  {
> @@ -293,13 +298,14 @@ int tomoyo_write_globally_readable_policy(char *data, const bool is_delete)
>   * @head: Pointer to "struct tomoyo_io_buffer".
>   *
>   * Returns true on success, false otherwise.
> + *
> + * Caller holds tomoyo_read_lock().
>   */
>  bool tomoyo_read_globally_readable_policy(struct tomoyo_io_buffer *head)
>  {
>  	struct list_head *pos;
>  	bool done = true;
> 
> -	down_read(&tomoyo_globally_readable_list_lock);
>  	list_for_each_cookie(pos, head->read_var2,
>  			     &tomoyo_globally_readable_list) {
>  		struct tomoyo_globally_readable_file_entry *ptr;
> @@ -313,7 +319,6 @@ bool tomoyo_read_globally_readable_policy(struct tomoyo_io_buffer *head)
>  		if (!done)
>  			break;
>  	}
> -	up_read(&tomoyo_globally_readable_list_lock);
>  	return done;
>  }
> 
> @@ -356,6 +361,8 @@ static DECLARE_RWSEM(tomoyo_pattern_list_lock);
>   * @is_delete: True if it is a delete request.
>   *
>   * Returns 0 on success, negative value otherwise.
> + *
> + * Caller holds tomoyo_read_lock().
>   */
>  static int tomoyo_update_file_pattern_entry(const char *pattern,
>  					    const bool is_delete)
> @@ -371,7 +378,7 @@ static int tomoyo_update_file_pattern_entry(const char *pattern,
>  	if (!saved_pattern)
>  		return -ENOMEM;
>  	down_write(&tomoyo_pattern_list_lock);
> -	list_for_each_entry(ptr, &tomoyo_pattern_list, list) {
> +	list_for_each_entry_rcu(ptr, &tomoyo_pattern_list, list) {
>  		if (saved_pattern != ptr->pattern)
>  			continue;
>  		ptr->is_deleted = is_delete;
> @@ -386,7 +393,7 @@ static int tomoyo_update_file_pattern_entry(const char *pattern,
>  	if (!new_entry)
>  		goto out;
>  	new_entry->pattern = saved_pattern;
> -	list_add_tail(&new_entry->list, &tomoyo_pattern_list);
> +	list_add_tail_rcu(&new_entry->list, &tomoyo_pattern_list);
>  	error = 0;
>   out:
>  	up_write(&tomoyo_pattern_list_lock);
> @@ -399,6 +406,8 @@ static int tomoyo_update_file_pattern_entry(const char *pattern,
>   * @filename: The filename to find patterned pathname.
>   *
>   * Returns pointer to pathname pattern if matched, @filename otherwise.
> + *
> + * Caller holds tomoyo_read_lock().
>   */
>  static const struct tomoyo_path_info *
>  tomoyo_get_file_pattern(const struct tomoyo_path_info *filename)
> @@ -406,8 +415,7 @@ tomoyo_get_file_pattern(const struct tomoyo_path_info *filename)
>  	struct tomoyo_pattern_entry *ptr;
>  	const struct tomoyo_path_info *pattern = NULL;
> 
> -	down_read(&tomoyo_pattern_list_lock);
> -	list_for_each_entry(ptr, &tomoyo_pattern_list, list) {
> +	list_for_each_entry_rcu(ptr, &tomoyo_pattern_list, list) {
>  		if (ptr->is_deleted)
>  			continue;
>  		if (!tomoyo_path_matches_pattern(filename, ptr->pattern))
> @@ -420,7 +428,6 @@ tomoyo_get_file_pattern(const struct tomoyo_path_info *filename)
>  			break;
>  		}
>  	}
> -	up_read(&tomoyo_pattern_list_lock);
>  	if (pattern)
>  		filename = pattern;
>  	return filename;
> @@ -433,6 +440,8 @@ tomoyo_get_file_pattern(const struct tomoyo_path_info *filename)
>   * @is_delete: True if it is a delete request.
>   *
>   * Returns 0 on success, negative value otherwise.
> + *
> + * Caller holds tomoyo_read_lock().
>   */
>  int tomoyo_write_pattern_policy(char *data, const bool is_delete)
>  {
> @@ -445,13 +454,14 @@ int tomoyo_write_pattern_policy(char *data, const bool is_delete)
>   * @head: Pointer to "struct tomoyo_io_buffer".
>   *
>   * Returns true on success, false otherwise.
> + *
> + * Caller holds tomoyo_read_lock().
>   */
>  bool tomoyo_read_file_pattern(struct tomoyo_io_buffer *head)
>  {
>  	struct list_head *pos;
>  	bool done = true;
> 
> -	down_read(&tomoyo_pattern_list_lock);
>  	list_for_each_cookie(pos, head->read_var2, &tomoyo_pattern_list) {
>  		struct tomoyo_pattern_entry *ptr;
>  		ptr = list_entry(pos, struct tomoyo_pattern_entry, list);
> @@ -462,7 +472,6 @@ bool tomoyo_read_file_pattern(struct tomoyo_io_buffer *head)
>  		if (!done)
>  			break;
>  	}
> -	up_read(&tomoyo_pattern_list_lock);
>  	return done;
>  }
> 
> @@ -505,6 +514,8 @@ static DECLARE_RWSEM(tomoyo_no_rewrite_list_lock);
>   * @is_delete: True if it is a delete request.
>   *
>   * Returns 0 on success, negative value otherwise.
> + *
> + * Caller holds tomoyo_read_lock().
>   */
>  static int tomoyo_update_no_rewrite_entry(const char *pattern,
>  					  const bool is_delete)
> @@ -519,7 +530,7 @@ static int tomoyo_update_no_rewrite_entry(const char *pattern,
>  	if (!saved_pattern)
>  		return -ENOMEM;
>  	down_write(&tomoyo_no_rewrite_list_lock);
> -	list_for_each_entry(ptr, &tomoyo_no_rewrite_list, list) {
> +	list_for_each_entry_rcu(ptr, &tomoyo_no_rewrite_list, list) {
>  		if (ptr->pattern != saved_pattern)
>  			continue;
>  		ptr->is_deleted = is_delete;
> @@ -534,7 +545,7 @@ static int tomoyo_update_no_rewrite_entry(const char *pattern,
>  	if (!new_entry)
>  		goto out;
>  	new_entry->pattern = saved_pattern;
> -	list_add_tail(&new_entry->list, &tomoyo_no_rewrite_list);
> +	list_add_tail_rcu(&new_entry->list, &tomoyo_no_rewrite_list);
>  	error = 0;
>   out:
>  	up_write(&tomoyo_no_rewrite_list_lock);
> @@ -548,14 +559,15 @@ static int tomoyo_update_no_rewrite_entry(const char *pattern,
>   *
>   * Returns true if @filename is specified by "deny_rewrite" directive,
>   * false otherwise.
> + *
> + * Caller holds tomoyo_read_lock().
>   */
>  static bool tomoyo_is_no_rewrite_file(const struct tomoyo_path_info *filename)
>  {
>  	struct tomoyo_no_rewrite_entry *ptr;
>  	bool found = false;
> 
> -	down_read(&tomoyo_no_rewrite_list_lock);
> -	list_for_each_entry(ptr, &tomoyo_no_rewrite_list, list) {
> +	list_for_each_entry_rcu(ptr, &tomoyo_no_rewrite_list, list) {
>  		if (ptr->is_deleted)
>  			continue;
>  		if (!tomoyo_path_matches_pattern(filename, ptr->pattern))
> @@ -563,7 +575,6 @@ static bool tomoyo_is_no_rewrite_file(const struct tomoyo_path_info *filename)
>  		found = true;
>  		break;
>  	}
> -	up_read(&tomoyo_no_rewrite_list_lock);
>  	return found;
>  }
> 
> @@ -574,6 +585,8 @@ static bool tomoyo_is_no_rewrite_file(const struct tomoyo_path_info *filename)
>   * @is_delete: True if it is a delete request.
>   *
>   * Returns 0 on success, negative value otherwise.
> + *
> + * Caller holds tomoyo_read_lock().
>   */
>  int tomoyo_write_no_rewrite_policy(char *data, const bool is_delete)
>  {
> @@ -586,13 +599,14 @@ int tomoyo_write_no_rewrite_policy(char *data, const bool is_delete)
>   * @head: Pointer to "struct tomoyo_io_buffer".
>   *
>   * Returns true on success, false otherwise.
> + *
> + * Caller holds tomoyo_read_lock().
>   */
>  bool tomoyo_read_no_rewrite_policy(struct tomoyo_io_buffer *head)
>  {
>  	struct list_head *pos;
>  	bool done = true;
> 
> -	down_read(&tomoyo_no_rewrite_list_lock);
>  	list_for_each_cookie(pos, head->read_var2, &tomoyo_no_rewrite_list) {
>  		struct tomoyo_no_rewrite_entry *ptr;
>  		ptr = list_entry(pos, struct tomoyo_no_rewrite_entry, list);
> @@ -603,7 +617,6 @@ bool tomoyo_read_no_rewrite_policy(struct tomoyo_io_buffer *head)
>  		if (!done)
>  			break;
>  	}
> -	up_read(&tomoyo_no_rewrite_list_lock);
>  	return done;
>  }
> 
> @@ -621,6 +634,8 @@ bool tomoyo_read_no_rewrite_policy(struct tomoyo_io_buffer *head)
>   * Current policy syntax uses "allow_read/write" instead of "6",
>   * "allow_read" instead of "4", "allow_write" instead of "2",
>   * "allow_execute" instead of "1".
> + *
> + * Caller holds tomoyo_read_lock().
>   */
>  static int tomoyo_update_file_acl(const char *filename, u8 perm,
>  				  struct tomoyo_domain_info * const domain,
> @@ -658,6 +673,8 @@ static int tomoyo_update_file_acl(const char *filename, u8 perm,
>   * @may_use_pattern: True if patterned ACL is permitted.
>   *
>   * Returns 0 on success, -EPERM otherwise.
> + *
> + * Caller holds tomoyo_read_lock().
>   */
>  static int tomoyo_check_single_path_acl2(const struct tomoyo_domain_info *
>  					 domain,
> @@ -669,8 +686,7 @@ static int tomoyo_check_single_path_acl2(const struct tomoyo_domain_info *
>  	struct tomoyo_acl_info *ptr;
>  	int error = -EPERM;
> 
> -	down_read(&tomoyo_domain_acl_info_list_lock);
> -	list_for_each_entry(ptr, &domain->acl_info_list, list) {
> +	list_for_each_entry_rcu(ptr, &domain->acl_info_list, list) {
>  		struct tomoyo_single_path_acl_record *acl;
>  		if (tomoyo_acl_type2(ptr) != TOMOYO_TYPE_SINGLE_PATH_ACL)
>  			continue;
> @@ -693,7 +709,6 @@ static int tomoyo_check_single_path_acl2(const struct tomoyo_domain_info *
>  		error = 0;
>  		break;
>  	}
> -	up_read(&tomoyo_domain_acl_info_list_lock);
>  	return error;
>  }
> 
> @@ -705,6 +720,8 @@ static int tomoyo_check_single_path_acl2(const struct tomoyo_domain_info *
>   * @operation: Mode ("read" or "write" or "read/write" or "execute").
>   *
>   * Returns 0 on success, -EPERM otherwise.
> + *
> + * Caller holds tomoyo_read_lock().
>   */
>  static int tomoyo_check_file_acl(const struct tomoyo_domain_info *domain,
>  				 const struct tomoyo_path_info *filename,
> @@ -738,6 +755,8 @@ static int tomoyo_check_file_acl(const struct tomoyo_domain_info *domain,
>   * @mode:      Access control mode.
>   *
>   * Returns 0 on success, negative value otherwise.
> + *
> + * Caller holds tomoyo_read_lock().
>   */
>  static int tomoyo_check_file_perm2(struct tomoyo_domain_info * const domain,
>  				   const struct tomoyo_path_info *filename,
> @@ -791,6 +810,8 @@ static int tomoyo_check_file_perm2(struct tomoyo_domain_info * const domain,
>   * @is_delete: True if it is a delete request.
>   *
>   * Returns 0 on success, negative value otherwise.
> + *
> + * Caller holds tomoyo_read_lock().
>   */
>  int tomoyo_write_file_policy(char *data, struct tomoyo_domain_info *domain,
>  			     const bool is_delete)
> @@ -838,6 +859,8 @@ int tomoyo_write_file_policy(char *data, struct tomoyo_domain_info *domain,
>   * @is_delete: True if it is a delete request.
>   *
>   * Returns 0 on success, negative value otherwise.
> + *
> + * Caller holds tomoyo_read_lock().
>   */
>  static int tomoyo_update_single_path_acl(const u8 type, const char *filename,
>  					 struct tomoyo_domain_info *
> @@ -861,7 +884,7 @@ static int tomoyo_update_single_path_acl(const u8 type, const char *filename,
>  	down_write(&tomoyo_domain_acl_info_list_lock);
>  	if (is_delete)
>  		goto delete;
> -	list_for_each_entry(ptr, &domain->acl_info_list, list) {
> +	list_for_each_entry_rcu(ptr, &domain->acl_info_list, list) {
>  		if (tomoyo_acl_type1(ptr) != TOMOYO_TYPE_SINGLE_PATH_ACL)
>  			continue;
>  		acl = container_of(ptr, struct tomoyo_single_path_acl_record,
> @@ -894,12 +917,12 @@ static int tomoyo_update_single_path_acl(const u8 type, const char *filename,
>  	if (perm == (1 << TOMOYO_TYPE_READ_WRITE_ACL))
>  		acl->perm |= rw_mask;
>  	acl->filename = saved_filename;
> -	list_add_tail(&acl->head.list, &domain->acl_info_list);
> +	list_add_tail_rcu(&acl->head.list, &domain->acl_info_list);
>  	error = 0;
>  	goto out;
>   delete:
>  	error = -ENOENT;
> -	list_for_each_entry(ptr, &domain->acl_info_list, list) {
> +	list_for_each_entry_rcu(ptr, &domain->acl_info_list, list) {
>  		if (tomoyo_acl_type2(ptr) != TOMOYO_TYPE_SINGLE_PATH_ACL)
>  			continue;
>  		acl = container_of(ptr, struct tomoyo_single_path_acl_record,
> @@ -934,6 +957,8 @@ static int tomoyo_update_single_path_acl(const u8 type, const char *filename,
>   * @is_delete: True if it is a delete request.
>   *
>   * Returns 0 on success, negative value otherwise.
> + *
> + * Caller holds tomoyo_read_lock().
>   */
>  static int tomoyo_update_double_path_acl(const u8 type, const char *filename1,
>  					 const char *filename2,
> @@ -959,7 +984,7 @@ static int tomoyo_update_double_path_acl(const u8 type, const char *filename1,
>  	down_write(&tomoyo_domain_acl_info_list_lock);
>  	if (is_delete)
>  		goto delete;
> -	list_for_each_entry(ptr, &domain->acl_info_list, list) {
> +	list_for_each_entry_rcu(ptr, &domain->acl_info_list, list) {
>  		if (tomoyo_acl_type1(ptr) != TOMOYO_TYPE_DOUBLE_PATH_ACL)
>  			continue;
>  		acl = container_of(ptr, struct tomoyo_double_path_acl_record,
> @@ -982,12 +1007,12 @@ static int tomoyo_update_double_path_acl(const u8 type, const char *filename1,
>  	acl->perm = perm;
>  	acl->filename1 = saved_filename1;
>  	acl->filename2 = saved_filename2;
> -	list_add_tail(&acl->head.list, &domain->acl_info_list);
> +	list_add_tail_rcu(&acl->head.list, &domain->acl_info_list);
>  	error = 0;
>  	goto out;
>   delete:
>  	error = -ENOENT;
> -	list_for_each_entry(ptr, &domain->acl_info_list, list) {
> +	list_for_each_entry_rcu(ptr, &domain->acl_info_list, list) {
>  		if (tomoyo_acl_type2(ptr) != TOMOYO_TYPE_DOUBLE_PATH_ACL)
>  			continue;
>  		acl = container_of(ptr, struct tomoyo_double_path_acl_record,
> @@ -1014,6 +1039,8 @@ static int tomoyo_update_double_path_acl(const u8 type, const char *filename1,
>   * @filename: Filename to check.
>   *
>   * Returns 0 on success, negative value otherwise.
> + *
> + * Caller holds tomoyo_read_lock().
>   */
>  static int tomoyo_check_single_path_acl(struct tomoyo_domain_info *domain,
>  					const u8 type,
> @@ -1033,6 +1060,8 @@ static int tomoyo_check_single_path_acl(struct tomoyo_domain_info *domain,
>   * @filename2: Second filename to check.
>   *
>   * Returns 0 on success, -EPERM otherwise.
> + *
> + * Caller holds tomoyo_read_lock().
>   */
>  static int tomoyo_check_double_path_acl(const struct tomoyo_domain_info *domain,
>  					const u8 type,
> @@ -1047,8 +1076,7 @@ static int tomoyo_check_double_path_acl(const struct tomoyo_domain_info *domain,
> 
>  	if (!tomoyo_check_flags(domain, TOMOYO_MAC_FOR_FILE))
>  		return 0;
> -	down_read(&tomoyo_domain_acl_info_list_lock);
> -	list_for_each_entry(ptr, &domain->acl_info_list, list) {
> +	list_for_each_entry_rcu(ptr, &domain->acl_info_list, list) {
>  		struct tomoyo_double_path_acl_record *acl;
>  		if (tomoyo_acl_type2(ptr) != TOMOYO_TYPE_DOUBLE_PATH_ACL)
>  			continue;
> @@ -1063,7 +1091,6 @@ static int tomoyo_check_double_path_acl(const struct tomoyo_domain_info *domain,
>  		error = 0;
>  		break;
>  	}
> -	up_read(&tomoyo_domain_acl_info_list_lock);
>  	return error;
>  }
> 
> @@ -1076,6 +1103,8 @@ static int tomoyo_check_double_path_acl(const struct tomoyo_domain_info *domain,
>   * @mode:      Access control mode.
>   *
>   * Returns 0 on success, negative value otherwise.
> + *
> + * Caller holds tomoyo_read_lock().
>   */
>  static int tomoyo_check_single_path_permission2(struct tomoyo_domain_info *
>  						const domain, u8 operation,
> @@ -1124,6 +1153,8 @@ static int tomoyo_check_single_path_permission2(struct tomoyo_domain_info *
>   * @filename: Check permission for "execute".
>   *
>   * Returns 0 on success, negativevalue otherwise.
> + *
> + * Caller holds tomoyo_read_lock().
>   */
>  int tomoyo_check_exec_perm(struct tomoyo_domain_info *domain,
>  			   const struct tomoyo_path_info *filename)
> @@ -1152,6 +1183,7 @@ int tomoyo_check_open_permission(struct tomoyo_domain_info *domain,
>  	struct tomoyo_path_info *buf;
>  	const u8 mode = tomoyo_check_flags(domain, TOMOYO_MAC_FOR_FILE);
>  	const bool is_enforce = (mode == 3);
> +	int idx;
> 
>  	if (!mode || !path->mnt)
>  		return 0;
> @@ -1163,6 +1195,7 @@ int tomoyo_check_open_permission(struct tomoyo_domain_info *domain,
>  		 * don't call me.
>  		 */
>  		return 0;
> +	idx = tomoyo_read_lock();
>  	buf = tomoyo_get_path(path);
>  	if (!buf)
>  		goto out;
> @@ -1188,6 +1221,7 @@ int tomoyo_check_open_permission(struct tomoyo_domain_info *domain,
>  							     buf, mode);
>   out:
>  	tomoyo_free(buf);
> +	tomoyo_read_unlock(idx);
>  	if (!is_enforce)
>  		error = 0;
>  	return error;
> @@ -1209,9 +1243,11 @@ int tomoyo_check_1path_perm(struct tomoyo_domain_info *domain,
>  	struct tomoyo_path_info *buf;
>  	const u8 mode = tomoyo_check_flags(domain, TOMOYO_MAC_FOR_FILE);
>  	const bool is_enforce = (mode == 3);
> +	int idx;
> 
>  	if (!mode || !path->mnt)
>  		return 0;
> +	idx = tomoyo_read_lock();
>  	buf = tomoyo_get_path(path);
>  	if (!buf)
>  		goto out;
> @@ -1231,6 +1267,7 @@ int tomoyo_check_1path_perm(struct tomoyo_domain_info *domain,
>  						     mode);
>   out:
>  	tomoyo_free(buf);
> +	tomoyo_read_unlock(idx);
>  	if (!is_enforce)
>  		error = 0;
>  	return error;
> @@ -1251,9 +1288,12 @@ int tomoyo_check_rewrite_permission(struct tomoyo_domain_info *domain,
>  	const u8 mode = tomoyo_check_flags(domain, TOMOYO_MAC_FOR_FILE);
>  	const bool is_enforce = (mode == 3);
>  	struct tomoyo_path_info *buf;
> +	int idx;
> 
>  	if (!mode || !filp->f_path.mnt)
>  		return 0;
> +
> +	idx = tomoyo_read_lock();
>  	buf = tomoyo_get_path(&filp->f_path);
>  	if (!buf)
>  		goto out;
> @@ -1266,6 +1306,7 @@ int tomoyo_check_rewrite_permission(struct tomoyo_domain_info *domain,
>  						     buf, mode);
>   out:
>  	tomoyo_free(buf);
> +	tomoyo_read_unlock(idx);
>  	if (!is_enforce)
>  		error = 0;
>  	return error;
> @@ -1290,9 +1331,11 @@ int tomoyo_check_2path_perm(struct tomoyo_domain_info * const domain,
>  	const u8 mode = tomoyo_check_flags(domain, TOMOYO_MAC_FOR_FILE);
>  	const bool is_enforce = (mode == 3);
>  	const char *msg;
> +	int idx;
> 
>  	if (!mode || !path1->mnt || !path2->mnt)
>  		return 0;
> +	idx = tomoyo_read_lock();
>  	buf1 = tomoyo_get_path(path1);
>  	buf2 = tomoyo_get_path(path2);
>  	if (!buf1 || !buf2)
> @@ -1331,6 +1374,7 @@ int tomoyo_check_2path_perm(struct tomoyo_domain_info * const domain,
>   out:
>  	tomoyo_free(buf1);
>  	tomoyo_free(buf2);
> +	tomoyo_read_unlock(idx);
>  	if (!is_enforce)
>  		error = 0;
>  	return error;
> diff --git a/security/tomoyo/realpath.c b/security/tomoyo/realpath.c
> index e3c7aa0..62363b3 100644
> --- a/security/tomoyo/realpath.c
> +++ b/security/tomoyo/realpath.c
> @@ -402,11 +402,13 @@ void __init tomoyo_realpath_init(void)
>  		INIT_LIST_HEAD(&tomoyo_name_list[i]);
>  	INIT_LIST_HEAD(&tomoyo_kernel_domain.acl_info_list);
>  	tomoyo_kernel_domain.domainname = tomoyo_save_name(TOMOYO_ROOT_NAME);
> -	list_add_tail(&tomoyo_kernel_domain.list, &tomoyo_domain_list);
> -	down_read(&tomoyo_domain_list_lock);
> +	/*
> +	 * tomoyo_read_lock() is not needed because this function is
> +	 * called before the first "delete" request.
> +	 */
> +	list_add_tail_rcu(&tomoyo_kernel_domain.list, &tomoyo_domain_list);
>  	if (tomoyo_find_domain(TOMOYO_ROOT_NAME) != &tomoyo_kernel_domain)
>  		panic("Can't register tomoyo_kernel_domain");
> -	up_read(&tomoyo_domain_list_lock);
>  }
> 
>  /* Memory allocated for temporary purpose. */
> diff --git a/security/tomoyo/tomoyo.c b/security/tomoyo/tomoyo.c
> index ad9555f..714daa3 100644
> --- a/security/tomoyo/tomoyo.c
> +++ b/security/tomoyo/tomoyo.c
> @@ -76,8 +76,18 @@ static int tomoyo_bprm_check_security(struct linux_binprm *bprm)
>  	 * Execute permission is checked against pathname passed to do_execve()
>  	 * using current domain.
>  	 */
> -	if (!domain)
> -		return tomoyo_find_next_domain(bprm);
> +	if (!domain) {
> +		/*
> +		 * We will need to protect whole execve() operation when GC
> +		 * starts kfree()ing "struct tomoyo_domain_info" because
> +		 * bprm->cred->security points to "struct tomoyo_domain_info"
> +		 * but "struct tomoyo_domain_info" does not have a refcounter.
> +		 */
> +		const int idx = tomoyo_read_lock();
> +		const int err = tomoyo_find_next_domain(bprm);
> +		tomoyo_read_unlock(idx);
> +		return err;
> +	}
>  	/*
>  	 * Read permission is checked against interpreters using next domain.
>  	 * '1' is the result of open_to_namei_flags(O_RDONLY).
> @@ -278,6 +288,9 @@ static struct security_operations tomoyo_security_ops = {
>  	.sb_pivotroot        = tomoyo_sb_pivotroot,
>  };
> 
> +/* Lock for GC. */
> +struct srcu_struct tomoyo_ss;
> +
>  static int __init tomoyo_init(void)
>  {
>  	struct cred *cred = (struct cred *) current_cred();
> @@ -285,7 +298,8 @@ static int __init tomoyo_init(void)
>  	if (!security_module_enable(&tomoyo_security_ops))
>  		return 0;
>  	/* register ourselves with the security framework */
> -	if (register_security(&tomoyo_security_ops))
> +	if (register_security(&tomoyo_security_ops) ||
> +	    init_srcu_struct(&tomoyo_ss))
>  		panic("Failure registering TOMOYO Linux");
>  	printk(KERN_INFO "TOMOYO Linux initialized\n");
>  	cred->security = &tomoyo_kernel_domain;
> --
> To unsubscribe from this list: send the line "unsubscribe linux-security-module" in
> the body of a message to majordomo@...r.kernel.org
> More majordomo info at  http://vger.kernel.org/majordomo-info.html
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ