Merge tag 'selinux-pr-20230420' of git://git.kernel.org/pub/scm/linux/kernel/git/pcmoore/selinux

Pull selinux updates from Paul Moore: - Stop passing the 'selinux_state' pointers as function arguments As discussed during the end of the last development cycle, passing a selinux_state pointer through the SELinux code has a noticeable impact on performance, and with the current code it is not strictly necessary. This simplifies things by referring directly to the single selinux_state global variable which should help improve SELinux performance. - Uninline the unlikely portions of avc_has_perm_noaudit() This change was also based on a discussion from the last development cycle, and is heavily based on an initial proof of concept patch from you. The core issue was that avc_has_perm_noaudit() was not able to be inlined, as intended, due to its size. We solved this issue by extracting the less frequently hit portions of avc_has_perm_noaudit() into a separate function, reducing the size of avc_has_perm_noaudit() to the point where the compiler began inlining the function. We also took the opportunity to clean up some ugly RCU locking in the code that became uglier with the change. - Remove the runtime disable functionality After several years of work by the userspace and distro folks, we are finally in a place where we feel comfortable removing the runtime disable functionality which we initially deprecated at the start of 2020. There is plenty of information in the kernel's deprecation (now removal) notice, but the main motivation was to be able to safely mark the LSM hook structures as '__ro_after_init'. LWN also wrote a good summary of the deprecation this morning which offers a more detailed history: https://lwn.net/SubscriberLink/927463/dcfa0d4ed2872f03 - Remove the checkreqprot functionality The original checkreqprot deprecation notice stated that the removal would happen no sooner than June 2021, which means this falls hard into the "better late than never" bucket. The Kconfig and deprecation notice has more detail on this setting, but the basic idea is that we want to ensure that the SELinux policy allows for the memory protections actually applied by the kernel, and not those requested by the process. While we haven't found anyone running a supported distro that is affected by this deprecation/removal, anyone who is affected would only need to update their policy to reflect the reality of their applications' mapping protections. - Minor Makefile improvements Some minor Makefile improvements to correct some dependency issues likely only ever seen by SELinux developers. I expect we will have at least one more tweak to the Makefile during the next merge window, but it didn't quite make the cutoff this time around. * tag 'selinux-pr-20230420' of git://git.kernel.org/pub/scm/linux/kernel/git/pcmoore/selinux: selinux: ensure av_permissions.h is built when needed selinux: fix Makefile dependencies of flask.h selinux: stop returning node from avc_insert() selinux: clean up dead code after removing runtime disable selinux: update the file list in MAINTAINERS selinux: remove the runtime disable functionality selinux: remove the 'checkreqprot' functionality selinux: stop passing selinux_state pointers and their offspring selinux: uninline unlikely parts of avc_has_perm_noaudit()

Merge tag 'selinux-pr-20230420' of git://git.kernel.org/pub/scm/linux/kernel/git/pcmoore/selinux
Pull selinux updates from Paul Moore: - Stop passing the 'selinux_state' pointers as function arguments As discussed during the end of the last development cycle, passing a selinux_state pointer through the SELinux code has a noticeable impact on performance, and with the current code it is not strictly necessary. This simplifies things by referring directly to the single selinux_state global variable which should help improve SELinux performance. - Uninline the unlikely portions of avc_has_perm_noaudit() This change was also based on a discussion from the last development cycle, and is heavily based on an initial proof of concept patch from you. The core issue was that avc_has_perm_noaudit() was not able to be inlined, as intended, due to its size. We solved this issue by extracting the less frequently hit portions of avc_has_perm_noaudit() into a separate function, reducing the size of avc_has_perm_noaudit() to the point where the compiler began inlining the function. We also took the opportunity to clean up some ugly RCU locking in the code that became uglier with the change. - Remove the runtime disable functionality After several years of work by the userspace and distro folks, we are finally in a place where we feel comfortable removing the runtime disable functionality which we initially deprecated at the start of 2020. There is plenty of information in the kernel's deprecation (now removal) notice, but the main motivation was to be able to safely mark the LSM hook structures as '__ro_after_init'. LWN also wrote a good summary of the deprecation this morning which offers a more detailed history: https://lwn.net/SubscriberLink/927463/dcfa0d4ed2872f03 - Remove the checkreqprot functionality The original checkreqprot deprecation notice stated that the removal would happen no sooner than June 2021, which means this falls hard into the "better late than never" bucket. The Kconfig and deprecation notice has more detail on this setting, but the basic idea is that we want to ensure that the SELinux policy allows for the memory protections actually applied by the kernel, and not those requested by the process. While we haven't found anyone running a supported distro that is affected by this deprecation/removal, anyone who is affected would only need to update their policy to reflect the reality of their applications' mapping protections. - Minor Makefile improvements Some minor Makefile improvements to correct some dependency issues likely only ever seen by SELinux developers. I expect we will have at least one more tweak to the Makefile during the next merge window, but it didn't quite make the cutoff this time around. * tag 'selinux-pr-20230420' of git://git.kernel.org/pub/scm/linux/kernel/git/pcmoore/selinux: selinux: ensure av_permissions.h is built when needed selinux: fix Makefile dependencies of flask.h selinux: stop returning node from avc_insert() selinux: clean up dead code after removing runtime disable selinux: update the file list in MAINTAINERS selinux: remove the runtime disable functionality selinux: remove the 'checkreqprot' functionality selinux: stop passing selinux_state pointers and their offspring selinux: uninline unlikely parts of avc_has_perm_noaudit()
72eaa096 · Linus Torvalds · a5624566 · 4ce1f694 · 72eaa096 · 72eaa096
Commit 72eaa096 authored Apr 24, 2023 by Linus Torvalds
38 changed files
--- a/Documentation/ABI/obsolete/sysfs-selinux-checkreqprot
+++ b/Documentation/ABI/obsolete/sysfs-selinux-checkreqprot
@@ -4,6 +4,9 @@ KernelVersion:	2.6.12-rc2 (predates git)
 Contact:	selinux@vger.kernel.org
 Description:

+	REMOVAL UPDATE: The SELinux checkreqprot functionality was removed in
+	March 2023, the original deprecation notice is shown below.
+
 	The selinuxfs "checkreqprot" node allows SELinux to be configured
 	to check the protection requested by userspace for mmap/mprotect
 	calls instead of the actual protection applied by the kernel.

--- a/Documentation/ABI/obsolete/sysfs-selinux-disable
+++ b/Documentation/ABI/obsolete/sysfs-selinux-disable
@@ -4,6 +4,9 @@ KernelVersion:	2.6.12-rc2 (predates git)
 Contact:	selinux@vger.kernel.org
 Description:

+	REMOVAL UPDATE: The SELinux runtime disable functionality was removed
+	in March 2023, the original deprecation notice is shown below.
+
 	The selinuxfs "disable" node allows SELinux to be disabled at runtime
 	prior to a policy being loaded into the kernel.  If disabled via this
 	mechanism, SELinux will remain disabled until the system is rebooted.

--- a/MAINTAINERS
+++ b/MAINTAINERS
@@ -18822,8 +18822,8 @@ S:	Supported
 W:	https://selinuxproject.org
 W:	https://github.com/SELinuxProject
 T:	git git://git.kernel.org/pub/scm/linux/kernel/git/pcmoore/selinux.git
-F:	Documentation/ABI/obsolete/sysfs-selinux-checkreqprot
-F:	Documentation/ABI/obsolete/sysfs-selinux-disable
+F:	Documentation/ABI/removed/sysfs-selinux-checkreqprot
+F:	Documentation/ABI/removed/sysfs-selinux-disable
 F:	Documentation/admin-guide/LSM/SELinux.rst
 F:	include/trace/events/avc.h
 F:	include/uapi/linux/selinux_netlink.h

--- a/include/linux/lsm_hooks.h
+++ b/include/linux/lsm_hooks.h
@@ -1740,36 +1740,6 @@ extern struct lsm_info __start_early_lsm_info[], __end_early_lsm_info[];
 		__used __section(".early_lsm_info.init")		\
 		__aligned(sizeof(unsigned long))

-#ifdef CONFIG_SECURITY_SELINUX_DISABLE
-/*
- * Assuring the safety of deleting a security module is up to
- * the security module involved. This may entail ordering the
- * module's hook list in a particular way, refusing to disable
- * the module once a policy is loaded or any number of other
- * actions better imagined than described.
- *
- * The name of the configuration option reflects the only module
- * that currently uses the mechanism. Any developer who thinks
- * disabling their module is a good idea needs to be at least as
- * careful as the SELinux team.
- */
-static inline void security_delete_hooks(struct security_hook_list *hooks,
-						int count)
-{
-	int i;
-
-	for (i = 0; i < count; i++)
-		hlist_del_rcu(&hooks[i].list);
-}
-#endif /* CONFIG_SECURITY_SELINUX_DISABLE */
-
-/* Currently required to handle SELinux runtime hook disable. */
-#ifdef CONFIG_SECURITY_WRITABLE_HOOKS
-#define __lsm_ro_after_init
-#else
-#define __lsm_ro_after_init	__ro_after_init
-#endif /* CONFIG_SECURITY_WRITABLE_HOOKS */
-
 extern int lsm_inode_alloc(struct inode *inode);

 #endif /* ! __LINUX_LSM_HOOKS_H */
--- a/security/Kconfig
+++ b/security/Kconfig
@@ -32,11 +32,6 @@ config SECURITY

 	  If you are unsure how to answer this question, answer N.

-config SECURITY_WRITABLE_HOOKS
-	depends on SECURITY
-	bool
-	default n
-
 config SECURITYFS
 	bool "Enable the securityfs filesystem"
 	help

--- a/security/apparmor/lsm.c
+++ b/security/apparmor/lsm.c
@@ -1209,13 +1209,13 @@ static int apparmor_inet_conn_request(const struct sock *sk, struct sk_buff *skb
 /*
 * The cred blob is a pointer to, not an instance of, an aa_label.
 */
-struct lsm_blob_sizes apparmor_blob_sizes __lsm_ro_after_init = {
+struct lsm_blob_sizes apparmor_blob_sizes __ro_after_init = {
 	.lbs_cred = sizeof(struct aa_label *),
 	.lbs_file = sizeof(struct aa_file_ctx),
 	.lbs_task = sizeof(struct aa_task_ctx),
 };

-static struct security_hook_list apparmor_hooks[] __lsm_ro_after_init = {
+static struct security_hook_list apparmor_hooks[] __ro_after_init = {
 	LSM_HOOK_INIT(ptrace_access_check, apparmor_ptrace_access_check),
 	LSM_HOOK_INIT(ptrace_traceme, apparmor_ptrace_traceme),
 	LSM_HOOK_INIT(capget, apparmor_capget),
@@ -1427,7 +1427,7 @@ static const struct kernel_param_ops param_ops_aaintbool = {
 	.get = param_get_aaintbool
 };
 /* Boot time disable flag */
-static int apparmor_enabled __lsm_ro_after_init = 1;
+static int apparmor_enabled __ro_after_init = 1;
 module_param_named(enabled, apparmor_enabled, aaintbool, 0444);

 static int __init apparmor_enabled_setup(char *str)

--- a/security/bpf/hooks.c
+++ b/security/bpf/hooks.c
@@ -6,7 +6,7 @@
 #include <linux/lsm_hooks.h>
 #include <linux/bpf_lsm.h>

-static struct security_hook_list bpf_lsm_hooks[] __lsm_ro_after_init = {
+static struct security_hook_list bpf_lsm_hooks[] __ro_after_init = {
 	#define LSM_HOOK(RET, DEFAULT, NAME, ...) \
 	LSM_HOOK_INIT(NAME, bpf_lsm_##NAME),
 	#include <linux/lsm_hook_defs.h>
@@ -22,7 +22,7 @@ static int __init bpf_lsm_init(void)
 	return 0;
 }

-struct lsm_blob_sizes bpf_lsm_blob_sizes __lsm_ro_after_init = {
+struct lsm_blob_sizes bpf_lsm_blob_sizes __ro_after_init = {
 	.lbs_inode = sizeof(struct bpf_storage_blob),
 	.lbs_task = sizeof(struct bpf_storage_blob),
 };

--- a/security/commoncap.c
+++ b/security/commoncap.c
@@ -1440,7 +1440,7 @@ int cap_mmap_file(struct file *file, unsigned long reqprot,

 #ifdef CONFIG_SECURITY

-static struct security_hook_list capability_hooks[] __lsm_ro_after_init = {
+static struct security_hook_list capability_hooks[] __ro_after_init = {
 	LSM_HOOK_INIT(capable, cap_capable),
 	LSM_HOOK_INIT(settime, cap_settime),
 	LSM_HOOK_INIT(ptrace_access_check, cap_ptrace_access_check),

--- a/security/landlock/cred.c
+++ b/security/landlock/cred.c
@@ -34,7 +34,7 @@ static void hook_cred_free(struct cred *const cred)
 		landlock_put_ruleset_deferred(dom);
 }

-static struct security_hook_list landlock_hooks[] __lsm_ro_after_init = {
+static struct security_hook_list landlock_hooks[] __ro_after_init = {
 	LSM_HOOK_INIT(cred_prepare, hook_cred_prepare),
 	LSM_HOOK_INIT(cred_free, hook_cred_free),
 };

--- a/security/landlock/fs.c
+++ b/security/landlock/fs.c
@@ -1280,7 +1280,7 @@ static int hook_file_truncate(struct file *const file)
 	return -EACCES;
 }

-static struct security_hook_list landlock_hooks[] __lsm_ro_after_init = {
+static struct security_hook_list landlock_hooks[] __ro_after_init = {
 	LSM_HOOK_INIT(inode_free_security, hook_inode_free_security),

 	LSM_HOOK_INIT(sb_delete, hook_sb_delete),

--- a/security/landlock/ptrace.c
+++ b/security/landlock/ptrace.c
@@ -108,7 +108,7 @@ static int hook_ptrace_traceme(struct task_struct *const parent)
 	return task_ptrace(parent, current);
 }

-static struct security_hook_list landlock_hooks[] __lsm_ro_after_init = {
+static struct security_hook_list landlock_hooks[] __ro_after_init = {
 	LSM_HOOK_INIT(ptrace_access_check, hook_ptrace_access_check),
 	LSM_HOOK_INIT(ptrace_traceme, hook_ptrace_traceme),
 };

--- a/security/landlock/setup.c
+++ b/security/landlock/setup.c
@@ -15,9 +15,9 @@
 #include "ptrace.h"
 #include "setup.h"

-bool landlock_initialized __lsm_ro_after_init = false;
+bool landlock_initialized __ro_after_init = false;

-struct lsm_blob_sizes landlock_blob_sizes __lsm_ro_after_init = {
+struct lsm_blob_sizes landlock_blob_sizes __ro_after_init = {
 	.lbs_cred = sizeof(struct landlock_cred_security),
 	.lbs_file = sizeof(struct landlock_file_security),
 	.lbs_inode = sizeof(struct landlock_inode_security),

--- a/security/loadpin/loadpin.c
+++ b/security/loadpin/loadpin.c
@@ -214,7 +214,7 @@ static int loadpin_load_data(enum kernel_load_data_id id, bool contents)
 	return loadpin_check(NULL, (enum kernel_read_file_id) id);
 }

-static struct security_hook_list loadpin_hooks[] __lsm_ro_after_init = {
+static struct security_hook_list loadpin_hooks[] __ro_after_init = {
 	LSM_HOOK_INIT(sb_free_security, loadpin_sb_free_security),
 	LSM_HOOK_INIT(kernel_read_file, loadpin_read_file),
 	LSM_HOOK_INIT(kernel_load_data, loadpin_load_data),

--- a/security/lockdown/lockdown.c
+++ b/security/lockdown/lockdown.c
@@ -71,7 +71,7 @@ static int lockdown_is_locked_down(enum lockdown_reason what)
 	return 0;
 }

-static struct security_hook_list lockdown_hooks[] __lsm_ro_after_init = {
+static struct security_hook_list lockdown_hooks[] __ro_after_init = {
 	LSM_HOOK_INIT(locked_down, lockdown_is_locked_down),
 };


--- a/security/security.c
+++ b/security/security.c
@@ -74,14 +74,14 @@ const char *const lockdown_reasons[LOCKDOWN_CONFIDENTIALITY_MAX+1] = {
 	[LOCKDOWN_CONFIDENTIALITY_MAX] = "confidentiality",
 };

-struct security_hook_heads security_hook_heads __lsm_ro_after_init;
+struct security_hook_heads security_hook_heads __ro_after_init;
 static BLOCKING_NOTIFIER_HEAD(blocking_lsm_notifier_chain);

 static struct kmem_cache *lsm_file_cache;
 static struct kmem_cache *lsm_inode_cache;

 char *lsm_names;
-static struct lsm_blob_sizes blob_sizes __lsm_ro_after_init;
+static struct lsm_blob_sizes blob_sizes __ro_after_init;

 /* Boot-time LSM user choice */
 static __initdata const char *chosen_lsm_order;

--- a/security/selinux/Kconfig
+++ b/security/selinux/Kconfig
@@ -23,30 +23,6 @@ config SECURITY_SELINUX_BOOTPARAM

 	  If you are unsure how to answer this question, answer N.

-config SECURITY_SELINUX_DISABLE
-	bool "NSA SELinux runtime disable"
-	depends on SECURITY_SELINUX
-	select SECURITY_WRITABLE_HOOKS
-	default n
-	help
-	  This option enables writing to a selinuxfs node 'disable', which
-	  allows SELinux to be disabled at runtime prior to the policy load.
-	  SELinux will then remain disabled until the next boot.
-	  This option is similar to the selinux=0 boot parameter, but is to
-	  support runtime disabling of SELinux, e.g. from /sbin/init, for
-	  portability across platforms where boot parameters are difficult
-	  to employ.
-
-	  NOTE: selecting this option will disable the '__ro_after_init'
-	  kernel hardening feature for security hooks.   Please consider
-	  using the selinux=0 boot parameter instead of enabling this
-	  option.
-
-	  WARNING: this option is deprecated and will be removed in a future
-	  kernel release.
-
-	  If you are unsure how to answer this question, answer N.
-
 config SECURITY_SELINUX_DEVELOP
 	bool "NSA SELinux Development Support"
 	depends on SECURITY_SELINUX
@@ -70,29 +46,6 @@ config SECURITY_SELINUX_AVC_STATS
 	  /sys/fs/selinux/avc/cache_stats, which may be monitored via
 	  tools such as avcstat.

-config SECURITY_SELINUX_CHECKREQPROT_VALUE
-	int "NSA SELinux checkreqprot default value"
-	depends on SECURITY_SELINUX
-	range 0 1
-	default 0
-	help
-	  This option sets the default value for the 'checkreqprot' flag
-	  that determines whether SELinux checks the protection requested
-	  by the application or the protection that will be applied by the
-	  kernel (including any implied execute for read-implies-exec) for
-	  mmap and mprotect calls.  If this option is set to 0 (zero),
-	  SELinux will default to checking the protection that will be applied
-	  by the kernel.  If this option is set to 1 (one), SELinux will
-	  default to checking the protection requested by the application.
-	  The checkreqprot flag may be changed from the default via the
-	  'checkreqprot=' boot parameter.  It may also be changed at runtime
-	  via /sys/fs/selinux/checkreqprot if authorized by policy.
-
-	  WARNING: this option is deprecated and will be removed in a future
-	  kernel release.
-
-	  If you are unsure how to answer this question, answer 0.
-
 config SECURITY_SELINUX_SIDTAB_HASH_BITS
 	int "NSA SELinux sidtab hashtable size"
 	depends on SECURITY_SELINUX

--- a/security/selinux/Makefile
+++ b/security/selinux/Makefile
@@ -23,8 +23,8 @@ ccflags-y := -I$(srctree)/security/selinux -I$(srctree)/security/selinux/include
 $(addprefix $(obj)/,$(selinux-y)): $(obj)/flask.h

 quiet_cmd_flask = GEN     $(obj)/flask.h $(obj)/av_permissions.h
-      cmd_flask = scripts/selinux/genheaders/genheaders $(obj)/flask.h $(obj)/av_permissions.h
+      cmd_flask = $< $(obj)/flask.h $(obj)/av_permissions.h

 targets += flask.h av_permissions.h
-$(obj)/flask.h: $(src)/include/classmap.h FORCE
+$(obj)/flask.h $(obj)/av_permissions.h &: scripts/selinux/genheaders/genheaders FORCE
 	$(call if_changed,flask)
--- a/security/selinux/avc.c
+++ b/security/selinux/avc.c
--- a/security/selinux/hooks.c
+++ b/security/selinux/hooks.c
--- a/security/selinux/ibpkey.c
+++ b/security/selinux/ibpkey.c
@@ -141,7 +141,7 @@ static int sel_ib_pkey_sid_slow(u64 subnet_prefix, u16 pkey_num, u32 *sid)
 		return 0;
 	}

-	ret = security_ib_pkey_sid(&selinux_state, subnet_prefix, pkey_num,
+	ret = security_ib_pkey_sid(subnet_prefix, pkey_num,
 				   sid);
 	if (ret)
 		goto out;

--- a/security/selinux/ima.c
+++ b/security/selinux/ima.c
@@ -15,12 +15,10 @@
 /*
 * selinux_ima_collect_state - Read selinux configuration settings
 *
- * @state: selinux_state
- *
 * On success returns the configuration settings string.
 * On error, returns NULL.
 */
-static char *selinux_ima_collect_state(struct selinux_state *state)
+static char *selinux_ima_collect_state(void)
 {
 	const char *on = "=1;", *off = "=0;";
 	char *buf;
@@ -39,26 +37,27 @@ static char *selinux_ima_collect_state(struct selinux_state *state)
 	rc = strscpy(buf, "initialized", buf_len);
 	WARN_ON(rc < 0);

-	rc = strlcat(buf, selinux_initialized(state) ? on : off, buf_len);
+	rc = strlcat(buf, selinux_initialized() ? on : off, buf_len);
 	WARN_ON(rc >= buf_len);

 	rc = strlcat(buf, "enforcing", buf_len);
 	WARN_ON(rc >= buf_len);

-	rc = strlcat(buf, enforcing_enabled(state) ? on : off, buf_len);
+	rc = strlcat(buf, enforcing_enabled() ? on : off, buf_len);
 	WARN_ON(rc >= buf_len);

 	rc = strlcat(buf, "checkreqprot", buf_len);
 	WARN_ON(rc >= buf_len);

-	rc = strlcat(buf, checkreqprot_get(state) ? on : off, buf_len);
+	rc = strlcat(buf, checkreqprot_get() ? on : off, buf_len);
 	WARN_ON(rc >= buf_len);

 	for (i = 0; i < __POLICYDB_CAP_MAX; i++) {
 		rc = strlcat(buf, selinux_policycap_names[i], buf_len);
 		WARN_ON(rc >= buf_len);

-		rc = strlcat(buf, state->policycap[i] ? on : off, buf_len);
+		rc = strlcat(buf, selinux_state.policycap[i] ? on : off,
+			buf_len);
 		WARN_ON(rc >= buf_len);
 	}

@@ -67,19 +66,17 @@ static char *selinux_ima_collect_state(struct selinux_state *state)

 /*
 * selinux_ima_measure_state_locked - Measure SELinux state and hash of policy
- *
- * @state: selinux state struct
 */
-void selinux_ima_measure_state_locked(struct selinux_state *state)
+void selinux_ima_measure_state_locked(void)
 {
 	char *state_str = NULL;
 	void *policy = NULL;
 	size_t policy_len;
 	int rc = 0;

-	lockdep_assert_held(&state->policy_mutex);
+	lockdep_assert_held(&selinux_state.policy_mutex);

-	state_str = selinux_ima_collect_state(state);
+	state_str = selinux_ima_collect_state();
 	if (!state_str) {
 		pr_err("SELinux: %s: failed to read state.\n", __func__);
 		return;
@@ -94,10 +91,10 @@ void selinux_ima_measure_state_locked(struct selinux_state *state)
 	/*
 	 * Measure SELinux policy only after initialization is completed.
 	 */
-	if (!selinux_initialized(state))
+	if (!selinux_initialized())
 		return;

-	rc = security_read_state_kernel(state, &policy, &policy_len);
+	rc = security_read_state_kernel(&policy, &policy_len);
 	if (rc) {
 		pr_err("SELinux: %s: failed to read policy %d.\n", __func__, rc);
 		return;
@@ -112,14 +109,12 @@ void selinux_ima_measure_state_locked(struct selinux_state *state)

 /*
 * selinux_ima_measure_state - Measure SELinux state and hash of policy
- *
- * @state: selinux state struct
 */
-void selinux_ima_measure_state(struct selinux_state *state)
+void selinux_ima_measure_state(void)
 {
-	lockdep_assert_not_held(&state->policy_mutex);
+	lockdep_assert_not_held(&selinux_state.policy_mutex);

-	mutex_lock(&state->policy_mutex);
-	selinux_ima_measure_state_locked(state);
-	mutex_unlock(&state->policy_mutex);
+	mutex_lock(&selinux_state.policy_mutex);
+	selinux_ima_measure_state_locked();
+	mutex_unlock(&selinux_state.policy_mutex);
 }
--- a/security/selinux/include/avc.h
+++ b/security/selinux/include/avc.h
@@ -52,7 +52,6 @@ struct selinux_audit_data {
 	u32 audited;
 	u32 denied;
 	int result;
-	struct selinux_state *state;
 } __randomize_layout;

 /*
@@ -97,14 +96,12 @@ static inline u32 avc_audit_required(u32 requested,
 	return audited;
 }

-int slow_avc_audit(struct selinux_state *state,
-		   u32 ssid, u32 tsid, u16 tclass,
+int slow_avc_audit(u32 ssid, u32 tsid, u16 tclass,
 		   u32 requested, u32 audited, u32 denied, int result,
 		   struct common_audit_data *a);

 /**
 * avc_audit - Audit the granting or denial of permissions.
- * @state: SELinux state
 * @ssid: source security identifier
 * @tsid: target security identifier
 * @tclass: target security class
@@ -122,8 +119,7 @@ int slow_avc_audit(struct selinux_state *state,
 * be performed under a lock, to allow the lock to be released
 * before calling the auditing code.
 */
-static inline int avc_audit(struct selinux_state *state,
-			    u32 ssid, u32 tsid,
+static inline int avc_audit(u32 ssid, u32 tsid,
 			    u16 tclass, u32 requested,
 			    struct av_decision *avd,
 			    int result,
@@ -133,30 +129,27 @@ static inline int avc_audit(struct selinux_state *state,
 	audited = avc_audit_required(requested, avd, result, 0, &denied);
 	if (likely(!audited))
 		return 0;
-	return slow_avc_audit(state, ssid, tsid, tclass,
+	return slow_avc_audit(ssid, tsid, tclass,
 			      requested, audited, denied, result,
 			      a);
 }

 #define AVC_STRICT 1 /* Ignore permissive mode. */
 #define AVC_EXTENDED_PERMS 2	/* update extended permissions */
-int avc_has_perm_noaudit(struct selinux_state *state,
-			 u32 ssid, u32 tsid,
+int avc_has_perm_noaudit(u32 ssid, u32 tsid,
 			 u16 tclass, u32 requested,
 			 unsigned flags,
 			 struct av_decision *avd);

-int avc_has_perm(struct selinux_state *state,
-		 u32 ssid, u32 tsid,
+int avc_has_perm(u32 ssid, u32 tsid,
 		 u16 tclass, u32 requested,
 		 struct common_audit_data *auditdata);

-int avc_has_extended_perms(struct selinux_state *state,
-			   u32 ssid, u32 tsid, u16 tclass, u32 requested,
+int avc_has_extended_perms(u32 ssid, u32 tsid, u16 tclass, u32 requested,
 			   u8 driver, u8 perm, struct common_audit_data *ad);


-u32 avc_policy_seqno(struct selinux_state *state);
+u32 avc_policy_seqno(void);

 #define AVC_CALLBACK_GRANT		1
 #define AVC_CALLBACK_TRY_REVOKE		2
@@ -171,11 +164,9 @@ u32 avc_policy_seqno(struct selinux_state *state);
 int avc_add_callback(int (*callback)(u32 event), u32 events);

 /* Exported to selinuxfs */
-struct selinux_avc;
-int avc_get_hash_stats(struct selinux_avc *avc, char *page);
-unsigned int avc_get_cache_threshold(struct selinux_avc *avc);
-void avc_set_cache_threshold(struct selinux_avc *avc,
-			     unsigned int cache_threshold);
+int avc_get_hash_stats(char *page);
+unsigned int avc_get_cache_threshold(void);
+void avc_set_cache_threshold(unsigned int cache_threshold);

 /* Attempt to free avc node cache */
 void avc_disable(void);

--- a/security/selinux/include/avc_ss.h
+++ b/security/selinux/include/avc_ss.h
@@ -9,8 +9,7 @@

 #include <linux/types.h>

-struct selinux_avc;
-int avc_ss_reset(struct selinux_avc *avc, u32 seqno);
+int avc_ss_reset(u32 seqno);

 /* Class/perm mapping support */
 struct security_class_mapping {

--- a/security/selinux/include/conditional.h
+++ b/security/selinux/include/conditional.h
@@ -16,8 +16,8 @@
 int security_get_bools(struct selinux_policy *policy,
 		       u32 *len, char ***names, int **values);

-int security_set_bools(struct selinux_state *state, u32 len, int *values);
+int security_set_bools(u32 len, int *values);

-int security_get_bool_value(struct selinux_state *state, u32 index);
+int security_get_bool_value(u32 index);

 #endif
--- a/security/selinux/include/ima.h
+++ b/security/selinux/include/ima.h
@@ -14,15 +14,13 @@
 #include "security.h"

 #ifdef CONFIG_IMA
-extern void selinux_ima_measure_state(struct selinux_state *selinux_state);
-extern void selinux_ima_measure_state_locked(
-			struct selinux_state *selinux_state);
+extern void selinux_ima_measure_state(void);
+extern void selinux_ima_measure_state_locked(void);
 #else
-static inline void selinux_ima_measure_state(struct selinux_state *selinux_state)
+static inline void selinux_ima_measure_state(void)
 {
 }
-static inline void selinux_ima_measure_state_locked(
-			struct selinux_state *selinux_state)
+static inline void selinux_ima_measure_state_locked(void)
 {
 }
 #endif

--- a/security/selinux/include/security.h
+++ b/security/selinux/include/security.h
--- a/security/selinux/netif.c
+++ b/security/selinux/netif.c
@@ -153,7 +153,7 @@ static int sel_netif_sid_slow(struct net *ns, int ifindex, u32 *sid)
 		goto out;
 	}

-	ret = security_netif_sid(&selinux_state, dev->name, sid);
+	ret = security_netif_sid(dev->name, sid);
 	if (ret != 0)
 		goto out;
 	new = kzalloc(sizeof(*new), GFP_ATOMIC);

--- a/security/selinux/netlabel.c
+++ b/security/selinux/netlabel.c
@@ -46,7 +46,7 @@ static int selinux_netlbl_sidlookup_cached(struct sk_buff *skb,
 {
 	int rc;

-	rc = security_netlbl_secattr_to_sid(&selinux_state, secattr, sid);
+	rc = security_netlbl_secattr_to_sid(secattr, sid);
 	if (rc == 0 &&
 	    (secattr->flags & NETLBL_SECATTR_CACHEABLE) &&
 	    (secattr->flags & NETLBL_SECATTR_CACHE))
@@ -77,8 +77,7 @@ static struct netlbl_lsm_secattr *selinux_netlbl_sock_genattr(struct sock *sk)
 	secattr = netlbl_secattr_alloc(GFP_ATOMIC);
 	if (secattr == NULL)
 		return NULL;
-	rc = security_netlbl_sid_to_secattr(&selinux_state, sksec->sid,
-					    secattr);
+	rc = security_netlbl_sid_to_secattr(sksec->sid, secattr);
 	if (rc != 0) {
 		netlbl_secattr_free(secattr);
 		return NULL;
@@ -245,8 +244,7 @@ int selinux_netlbl_skbuff_setsid(struct sk_buff *skb,
 	if (secattr == NULL) {
 		secattr = &secattr_storage;
 		netlbl_secattr_init(secattr);
-		rc = security_netlbl_sid_to_secattr(&selinux_state, sid,
-						    secattr);
+		rc = security_netlbl_sid_to_secattr(sid, secattr);
 		if (rc != 0)
 			goto skbuff_setsid_return;
 	}
@@ -283,8 +281,7 @@ int selinux_netlbl_sctp_assoc_request(struct sctp_association *asoc,
 		return 0;

 	netlbl_secattr_init(&secattr);
-	rc = security_netlbl_sid_to_secattr(&selinux_state,
-					    asoc->secid, &secattr);
+	rc = security_netlbl_sid_to_secattr(asoc->secid, &secattr);
 	if (rc != 0)
 		goto assoc_request_return;

@@ -332,8 +329,7 @@ int selinux_netlbl_inet_conn_request(struct request_sock *req, u16 family)
 		return 0;

 	netlbl_secattr_init(&secattr);
-	rc = security_netlbl_sid_to_secattr(&selinux_state, req->secid,
-					    &secattr);
+	rc = security_netlbl_sid_to_secattr(req->secid, &secattr);
 	if (rc != 0)
 		goto inet_conn_request_return;
 	rc = netlbl_req_setattr(req, &secattr);
@@ -463,8 +459,7 @@ int selinux_netlbl_sock_rcv_skb(struct sk_security_struct *sksec,
 		perm = RAWIP_SOCKET__RECVFROM;
 	}

-	rc = avc_has_perm(&selinux_state,
-			  sksec->sid, nlbl_sid, sksec->sclass, perm, ad);
+	rc = avc_has_perm(sksec->sid, nlbl_sid, sksec->sclass, perm, ad);
 	if (rc == 0)
 		return 0;


--- a/security/selinux/netnode.c
+++ b/security/selinux/netnode.c
@@ -204,13 +204,13 @@ static int sel_netnode_sid_slow(void *addr, u16 family, u32 *sid)
 	new = kzalloc(sizeof(*new), GFP_ATOMIC);
 	switch (family) {
 	case PF_INET:
-		ret = security_node_sid(&selinux_state, PF_INET,
+		ret = security_node_sid(PF_INET,
 					addr, sizeof(struct in_addr), sid);
 		if (new)
 			new->nsec.addr.ipv4 = *(__be32 *)addr;
 		break;
 	case PF_INET6:
-		ret = security_node_sid(&selinux_state, PF_INET6,
+		ret = security_node_sid(PF_INET6,
 					addr, sizeof(struct in6_addr), sid);
 		if (new)
 			new->nsec.addr.ipv6 = *(struct in6_addr *)addr;

--- a/security/selinux/netport.c
+++ b/security/selinux/netport.c
@@ -148,7 +148,7 @@ static int sel_netport_sid_slow(u8 protocol, u16 pnum, u32 *sid)
 		return 0;
 	}

-	ret = security_port_sid(&selinux_state, protocol, pnum, sid);
+	ret = security_port_sid(protocol, pnum, sid);
 	if (ret != 0)
 		goto out;
 	new = kzalloc(sizeof(*new), GFP_ATOMIC);

--- a/security/selinux/selinuxfs.c
+++ b/security/selinux/selinuxfs.c
--- a/security/selinux/ss/services.c
+++ b/security/selinux/ss/services.c
--- a/security/selinux/ss/services.h
+++ b/security/selinux/ss/services.h
@@ -30,7 +30,6 @@ struct selinux_policy {
 } __randomize_layout;

 struct convert_context_args {
-	struct selinux_state *state;
 	struct policydb *oldp;
 	struct policydb *newp;
 };

--- a/security/selinux/status.c
+++ b/security/selinux/status.c
@@ -39,21 +39,21 @@
 * It returns a reference to selinux_status_page. If the status page is
 * not allocated yet, it also tries to allocate it at the first time.
 */
-struct page *selinux_kernel_status_page(struct selinux_state *state)
+struct page *selinux_kernel_status_page(void)
 {
 	struct selinux_kernel_status   *status;
 	struct page		       *result = NULL;

-	mutex_lock(&state->status_lock);
-	if (!state->status_page) {
-		state->status_page = alloc_page(GFP_KERNEL|__GFP_ZERO);
+	mutex_lock(&selinux_state.status_lock);
+	if (!selinux_state.status_page) {
+		selinux_state.status_page = alloc_page(GFP_KERNEL|__GFP_ZERO);

-		if (state->status_page) {
-			status = page_address(state->status_page);
+		if (selinux_state.status_page) {
+			status = page_address(selinux_state.status_page);

 			status->version = SELINUX_KERNEL_STATUS_VERSION;
 			status->sequence = 0;
-			status->enforcing = enforcing_enabled(state);
+			status->enforcing = enforcing_enabled();
 			/*
 			 * NOTE: the next policyload event shall set
 			 * a positive value on the status->policyload,
@@ -62,11 +62,11 @@ struct page *selinux_kernel_status_page(struct selinux_state *state)
 			 */
 			status->policyload = 0;
 			status->deny_unknown =
-				!security_get_allow_unknown(state);
+				!security_get_allow_unknown();
 		}
 	}
-	result = state->status_page;
-	mutex_unlock(&state->status_lock);
+	result = selinux_state.status_page;
+	mutex_unlock(&selinux_state.status_lock);

 	return result;
 }
@@ -76,14 +76,13 @@ struct page *selinux_kernel_status_page(struct selinux_state *state)
 *
 * It updates status of the current enforcing/permissive mode.
 */
-void selinux_status_update_setenforce(struct selinux_state *state,
-				      int enforcing)
+void selinux_status_update_setenforce(int enforcing)
 {
 	struct selinux_kernel_status   *status;

-	mutex_lock(&state->status_lock);
-	if (state->status_page) {
-		status = page_address(state->status_page);
+	mutex_lock(&selinux_state.status_lock);
+	if (selinux_state.status_page) {
+		status = page_address(selinux_state.status_page);

 		status->sequence++;
 		smp_wmb();
@@ -93,7 +92,7 @@ void selinux_status_update_setenforce(struct selinux_state *state,
 		smp_wmb();
 		status->sequence++;
 	}
-	mutex_unlock(&state->status_lock);
+	mutex_unlock(&selinux_state.status_lock);
 }

 /*
@@ -102,23 +101,22 @@ void selinux_status_update_setenforce(struct selinux_state *state,
 * It updates status of the times of policy reloaded, and current
 * setting of deny_unknown.
 */
-void selinux_status_update_policyload(struct selinux_state *state,
-				      int seqno)
+void selinux_status_update_policyload(int seqno)
 {
 	struct selinux_kernel_status   *status;

-	mutex_lock(&state->status_lock);
-	if (state->status_page) {
-		status = page_address(state->status_page);
+	mutex_lock(&selinux_state.status_lock);
+	if (selinux_state.status_page) {
+		status = page_address(selinux_state.status_page);

 		status->sequence++;
 		smp_wmb();

 		status->policyload = seqno;
-		status->deny_unknown = !security_get_allow_unknown(state);
+		status->deny_unknown = !security_get_allow_unknown();

 		smp_wmb();
 		status->sequence++;
 	}
-	mutex_unlock(&state->status_lock);
+	mutex_unlock(&selinux_state.status_lock);
 }
--- a/security/selinux/xfrm.c
+++ b/security/selinux/xfrm.c
@@ -98,13 +98,12 @@ static int selinux_xfrm_alloc_user(struct xfrm_sec_ctx **ctxp,
 	ctx->ctx_len = str_len;
 	memcpy(ctx->ctx_str, &uctx[1], str_len);
 	ctx->ctx_str[str_len] = '\0';
-	rc = security_context_to_sid(&selinux_state, ctx->ctx_str, str_len,
+	rc = security_context_to_sid(ctx->ctx_str, str_len,
 				     &ctx->ctx_sid, gfp);
 	if (rc)
 		goto err;

-	rc = avc_has_perm(&selinux_state,
-			  tsec->sid, ctx->ctx_sid,
+	rc = avc_has_perm(tsec->sid, ctx->ctx_sid,
 			  SECCLASS_ASSOCIATION, ASSOCIATION__SETCONTEXT, NULL);
 	if (rc)
 		goto err;
@@ -140,8 +139,7 @@ static int selinux_xfrm_delete(struct xfrm_sec_ctx *ctx)
 	if (!ctx)
 		return 0;

-	return avc_has_perm(&selinux_state,
-			    tsec->sid, ctx->ctx_sid,
+	return avc_has_perm(tsec->sid, ctx->ctx_sid,
 			    SECCLASS_ASSOCIATION, ASSOCIATION__SETCONTEXT,
 			    NULL);
 }
@@ -163,8 +161,7 @@ int selinux_xfrm_policy_lookup(struct xfrm_sec_ctx *ctx, u32 fl_secid)
 	if (!selinux_authorizable_ctx(ctx))
 		return -EINVAL;

-	rc = avc_has_perm(&selinux_state,
-			  fl_secid, ctx->ctx_sid,
+	rc = avc_has_perm(fl_secid, ctx->ctx_sid,
 			  SECCLASS_ASSOCIATION, ASSOCIATION__POLMATCH, NULL);
 	return (rc == -EACCES ? -ESRCH : rc);
 }
@@ -205,7 +202,7 @@ int selinux_xfrm_state_pol_flow_match(struct xfrm_state *x,
 	/* We don't need a separate SA Vs. policy polmatch check since the SA
 	 * is now of the same label as the flow and a flow Vs. policy polmatch
 	 * check had already happened in selinux_xfrm_policy_lookup() above. */
-	return (avc_has_perm(&selinux_state, flic_sid, state_sid,
+	return (avc_has_perm(flic_sid, state_sid,
 			     SECCLASS_ASSOCIATION, ASSOCIATION__SENDTO,
 			     NULL) ? 0 : 1);
 }
@@ -355,7 +352,7 @@ int selinux_xfrm_state_alloc_acquire(struct xfrm_state *x,
 	if (secid == 0)
 		return -EINVAL;

-	rc = security_sid_to_context(&selinux_state, secid, &ctx_str,
+	rc = security_sid_to_context(secid, &ctx_str,
 				     &str_len);
 	if (rc)
 		return rc;
@@ -424,8 +421,7 @@ int selinux_xfrm_sock_rcv_skb(u32 sk_sid, struct sk_buff *skb,
 	/* This check even when there's no association involved is intended,
 	 * according to Trent Jaeger, to make sure a process can't engage in
 	 * non-IPsec communication unless explicitly allowed by policy. */
-	return avc_has_perm(&selinux_state,
-			    sk_sid, peer_sid,
+	return avc_has_perm(sk_sid, peer_sid,
 			    SECCLASS_ASSOCIATION, ASSOCIATION__RECVFROM, ad);
 }

@@ -468,6 +464,6 @@ int selinux_xfrm_postroute_last(u32 sk_sid, struct sk_buff *skb,
 	/* This check even when there's no association involved is intended,
 	 * according to Trent Jaeger, to make sure a process can't engage in
 	 * non-IPsec communication unless explicitly allowed by policy. */
-	return avc_has_perm(&selinux_state, sk_sid, SECINITSID_UNLABELED,
+	return avc_has_perm(sk_sid, SECINITSID_UNLABELED,
 			    SECCLASS_ASSOCIATION, ASSOCIATION__SENDTO, ad);
 }
--- a/security/smack/smack_lsm.c
+++ b/security/smack/smack_lsm.c
@@ -4847,7 +4847,7 @@ static int smack_uring_cmd(struct io_uring_cmd *ioucmd)

 #endif /* CONFIG_IO_URING */

-struct lsm_blob_sizes smack_blob_sizes __lsm_ro_after_init = {
+struct lsm_blob_sizes smack_blob_sizes __ro_after_init = {
 	.lbs_cred = sizeof(struct task_smack),
 	.lbs_file = sizeof(struct smack_known *),
 	.lbs_inode = sizeof(struct inode_smack),
@@ -4856,7 +4856,7 @@ struct lsm_blob_sizes smack_blob_sizes __lsm_ro_after_init = {
 	.lbs_superblock = sizeof(struct superblock_smack),
 };

-static struct security_hook_list smack_hooks[] __lsm_ro_after_init = {
+static struct security_hook_list smack_hooks[] __ro_after_init = {
 	LSM_HOOK_INIT(ptrace_access_check, smack_ptrace_access_check),
 	LSM_HOOK_INIT(ptrace_traceme, smack_ptrace_traceme),
 	LSM_HOOK_INIT(syslog, smack_syslog),

--- a/security/tomoyo/tomoyo.c
+++ b/security/tomoyo/tomoyo.c
@@ -499,7 +499,7 @@ static int tomoyo_socket_sendmsg(struct socket *sock, struct msghdr *msg,
 	return tomoyo_socket_sendmsg_permission(sock, msg, size);
 }

-struct lsm_blob_sizes tomoyo_blob_sizes __lsm_ro_after_init = {
+struct lsm_blob_sizes tomoyo_blob_sizes __ro_after_init = {
 	.lbs_task = sizeof(struct tomoyo_task),
 };

@@ -546,7 +546,7 @@ static void tomoyo_task_free(struct task_struct *task)
 * tomoyo_security_ops is a "struct security_operations" which is used for
 * registering TOMOYO.
 */
-static struct security_hook_list tomoyo_hooks[] __lsm_ro_after_init = {
+static struct security_hook_list tomoyo_hooks[] __ro_after_init = {
 	LSM_HOOK_INIT(cred_prepare, tomoyo_cred_prepare),
 	LSM_HOOK_INIT(bprm_committed_creds, tomoyo_bprm_committed_creds),
 	LSM_HOOK_INIT(task_alloc, tomoyo_task_alloc),
@@ -583,7 +583,7 @@ static struct security_hook_list tomoyo_hooks[] __lsm_ro_after_init = {
 /* Lock for GC. */
 DEFINE_SRCU(tomoyo_ss);

-int tomoyo_enabled __lsm_ro_after_init = 1;
+int tomoyo_enabled __ro_after_init = 1;

 /**
 * tomoyo_init - Register TOMOYO Linux as a LSM module.

--- a/security/yama/yama_lsm.c
+++ b/security/yama/yama_lsm.c
@@ -421,7 +421,7 @@ static int yama_ptrace_traceme(struct task_struct *parent)
 	return rc;
 }

-static struct security_hook_list yama_hooks[] __lsm_ro_after_init = {
+static struct security_hook_list yama_hooks[] __ro_after_init = {
 	LSM_HOOK_INIT(ptrace_access_check, yama_ptrace_access_check),
 	LSM_HOOK_INIT(ptrace_traceme, yama_ptrace_traceme),
 	LSM_HOOK_INIT(task_prctl, yama_task_prctl),