[PATCH v3 09/16] SELinux: Abstract use of file security blob
Casey Schaufler
casey at schaufler-ca.com
Thu Sep 20 15:20:50 UTC 2018
On 9/20/2018 1:51 AM, David Laight wrote:
> From: Casey Schaufler
>> Sent: 20 September 2018 01:21
>>
>> SELinux: Abstract use of file security blob
>>
>> Don't use the file->f_security pointer directly.
>> Provide a helper function that provides the security blob pointer.
> ...
>> +static inline struct file_security_struct *selinux_file(const struct file *file)
>> +{
>> + return file->f_security;
>> +}
>> +
> Why?
In patch 16/16 this becomes:
static inline struct file_security_struct *selinux_file(const struct file *file)
{
+#ifdef CONFIG_SECURITY_STACKING
+ return file->f_security + selinux_blob_sizes.lbs_file;
+#else
return file->f_security;
+#endif
}
You could hard code this bit everywhere it's used, but that
would be prone to error. I'm not generally an abstractionist
myself, but it these cases abstraction adds value.
More information about the Linux-security-module-archive
mailing list