[PATCH 45/59] LSM: Use lsm_context in security_inode_getsecctx
Casey Schaufler
casey at schaufler-ca.com
Tue Apr 9 21:39:32 UTC 2019
From: Casey Schaufler <cschaufler at schaufler-ca.com>
Convert security_inode_getsecctx to use the lsm_context structure
instead of a context/secid pair. There is some scaffolding involved
that will be removed when the related data is updated.
Signed-off-by: Casey Schaufler <casey at schaufler-ca.com>
---
fs/kernfs/inode.c | 11 +++++------
fs/nfsd/nfs4xdr.c | 14 ++++++--------
include/linux/security.h | 5 +++--
security/security.c | 11 ++---------
4 files changed, 16 insertions(+), 25 deletions(-)
diff --git a/fs/kernfs/inode.c b/fs/kernfs/inode.c
index 460e611b1938..41c5afc698fc 100644
--- a/fs/kernfs/inode.c
+++ b/fs/kernfs/inode.c
@@ -351,8 +351,7 @@ static int kernfs_security_xattr_set(const struct xattr_handler *handler,
{
struct kernfs_node *kn = inode->i_private;
struct kernfs_iattrs *attrs;
- void *secdata;
- u32 secdata_len = 0;
+ struct lsm_context lc = { .context = NULL, .len = 0, };
int error;
attrs = kernfs_iattrs(kn);
@@ -362,16 +361,16 @@ static int kernfs_security_xattr_set(const struct xattr_handler *handler,
error = security_inode_setsecurity(inode, suffix, value, size, flags);
if (error)
return error;
- error = security_inode_getsecctx(inode, &secdata, &secdata_len);
+ error = security_inode_getsecctx(inode, &lc);
if (error)
return error;
mutex_lock(&kernfs_mutex);
- error = kernfs_node_setsecdata(attrs, &secdata, &secdata_len);
+ error = kernfs_node_setsecdata(attrs, (void **)&lc.context, &lc.len);
mutex_unlock(&kernfs_mutex);
- if (secdata)
- security_release_secctx(secdata, secdata_len);
+ if (lc.context)
+ security_release_secctx(lc.context, lc.len);
return error;
}
diff --git a/fs/nfsd/nfs4xdr.c b/fs/nfsd/nfs4xdr.c
index 3de42a729093..1bf34730d054 100644
--- a/fs/nfsd/nfs4xdr.c
+++ b/fs/nfsd/nfs4xdr.c
@@ -2420,8 +2420,7 @@ nfsd4_encode_fattr(struct xdr_stream *xdr, struct svc_fh *fhp,
__be32 status;
int err;
struct nfs4_acl *acl = NULL;
- void *context = NULL;
- int contextlen;
+ struct lsm_context lc = { .context = NULL, .len = 0, };
bool contextsupport = false;
struct nfsd4_compoundres *resp = rqstp->rq_resp;
u32 minorversion = resp->cstate.minorversion;
@@ -2477,8 +2476,7 @@ nfsd4_encode_fattr(struct xdr_stream *xdr, struct svc_fh *fhp,
if ((bmval2 & FATTR4_WORD2_SECURITY_LABEL) ||
bmval0 & FATTR4_WORD0_SUPPORTED_ATTRS) {
if (exp->ex_flags & NFSEXP_SECURITY_LABEL)
- err = security_inode_getsecctx(d_inode(dentry),
- &context, &contextlen);
+ err = security_inode_getsecctx(d_inode(dentry), &lc);
else
err = -EOPNOTSUPP;
contextsupport = (err == 0);
@@ -2907,8 +2905,8 @@ nfsd4_encode_fattr(struct xdr_stream *xdr, struct svc_fh *fhp,
}
if (bmval2 & FATTR4_WORD2_SECURITY_LABEL) {
- status = nfsd4_encode_security_label(xdr, rqstp, context,
- contextlen);
+ status = nfsd4_encode_security_label(xdr, rqstp, lc.context,
+ lc.len);
if (status)
goto out;
}
@@ -2919,8 +2917,8 @@ nfsd4_encode_fattr(struct xdr_stream *xdr, struct svc_fh *fhp,
out:
#ifdef CONFIG_NFSD_V4_SECURITY_LABEL
- if (context)
- security_release_secctx(context, contextlen);
+ if (lc.context)
+ security_release_secctx(lc.context, lc.len);
#endif /* CONFIG_NFSD_V4_SECURITY_LABEL */
kfree(acl);
if (tempfh) {
diff --git a/include/linux/security.h b/include/linux/security.h
index 2abbaf72779e..b9f824952748 100644
--- a/include/linux/security.h
+++ b/include/linux/security.h
@@ -441,7 +441,7 @@ void security_release_secctx(char *secdata, u32 seclen);
void security_inode_invalidate_secctx(struct inode *inode);
int security_inode_notifysecctx(struct inode *inode, struct lsm_context *cp);
int security_inode_setsecctx(struct dentry *dentry, void *ctx, u32 ctxlen);
-int security_inode_getsecctx(struct inode *inode, void **ctx, u32 *ctxlen);
+int security_inode_getsecctx(struct inode *inode, struct lsm_context *cp);
#else /* CONFIG_SECURITY */
static inline int call_lsm_notifier(enum lsm_event event, void *data)
@@ -1243,7 +1243,8 @@ static inline int security_inode_setsecctx(struct dentry *dentry, void *ctx, u32
{
return -EOPNOTSUPP;
}
-static inline int security_inode_getsecctx(struct inode *inode, void **ctx, u32 *ctxlen)
+static inline int security_inode_getsecctx(struct inode *inode,
+ struct lsm_context *cp);
{
return -EOPNOTSUPP;
}
diff --git a/security/security.c b/security/security.c
index f5e332bfcdbe..b7e15cbd4021 100644
--- a/security/security.c
+++ b/security/security.c
@@ -2038,16 +2038,9 @@ int security_inode_setsecctx(struct dentry *dentry, void *ctx, u32 ctxlen)
}
EXPORT_SYMBOL(security_inode_setsecctx);
-int security_inode_getsecctx(struct inode *inode, void **ctx, u32 *ctxlen)
+int security_inode_getsecctx(struct inode *inode, struct lsm_context *cp)
{
- struct lsm_context lc = { .context = NULL, .len = 0, };
- int rc;
-
- rc = call_int_hook(inode_getsecctx, -EOPNOTSUPP, inode, &lc);
-
- *ctx = (void *)lc.context;
- *ctxlen = lc.len;
- return rc;
+ return call_int_hook(inode_getsecctx, -EOPNOTSUPP, inode, cp);
}
EXPORT_SYMBOL(security_inode_getsecctx);
--
2.19.1
More information about the Linux-security-module-archive
mailing list