[PATCH v12 09/25] LSM: Use lsmblob in security_task_getsecid

Stephen Smalley sds at tycho.nsa.gov
Tue Dec 17 18:11:44 UTC 2019


On 12/16/19 5:36 PM, Casey Schaufler wrote:
> Change the security_task_getsecid() interface to fill in
> a lsmblob structure instead of a u32 secid in support of
> LSM stacking. Audit interfaces will need to collect all
> possible secids for possible reporting.
> 
> Reviewed-by: Kees Cook <keescook at chromium.org>
> Reviewed-by: John Johansen <john.johansen at canonical.com>
> Signed-off-by: Casey Schaufler <casey at schaufler-ca.com>
> Signed-off-by: Casey Schaufler <casey at schaufler-ca.com>
> cc: linux-integrity at vger.kernel.org
> ---
>   drivers/android/binder.c              |  4 +--
>   include/linux/security.h              |  7 +++--
>   kernel/audit.c                        | 11 +++----
>   kernel/auditfilter.c                  |  4 +--
>   kernel/auditsc.c                      | 18 ++++++++----
>   net/netlabel/netlabel_unlabeled.c     |  5 +++-
>   net/netlabel/netlabel_user.h          |  6 +++-
>   security/integrity/ima/ima_appraise.c |  4 ++-
>   security/integrity/ima/ima_main.c     | 42 +++++++++++++++------------
>   security/security.c                   | 12 ++++++--
>   10 files changed, 69 insertions(+), 44 deletions(-)
> 

> diff --git a/security/integrity/ima/ima_appraise.c b/security/integrity/ima/ima_appraise.c
> index 300c8d2943c5..69e549164949 100644
> --- a/security/integrity/ima/ima_appraise.c
> +++ b/security/integrity/ima/ima_appraise.c
> @@ -49,11 +49,13 @@ bool is_ima_appraise_enabled(void)
>   int ima_must_appraise(struct inode *inode, int mask, enum ima_hooks func)
>   {
>   	u32 secid;
> +	struct lsmblob blob;
>   
>   	if (!ima_appraise)
>   		return 0;
>   
> -	security_task_getsecid(current, &secid);
> +	security_task_getsecid(current, &blob);
> +	lsmblob_secid(&blob, &secid);
>   	return ima_match_policy(inode, current_cred(), secid, func, mask,
>   				IMA_APPRAISE | IMA_HASH, NULL, NULL);
>   }
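Review bot: the added call `lsmblob_secid(&blob, &secid);` in ima_must_appraise() has no definition anywhere in this hunk, and a stacking series has to compile at every step to stay bisectable; either introduce the helper in this same patch (include/linux/security.h is already modified according to the diffstat) or, if it exists only to recover a single u32 from the blob, pass `&blob` straight into ima_match_policy() and drop the `u32 secid` local together with the round trip. Separately, collapsing a filled lsmblob back to one u32 keeps only one module's secid, which sits oddly next to a commit message about collecting all possible secids, so a short comment stating which LSM's value IMA policy matching is meant to use would help readers of this hook.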

I missed where lsmblob_secid() is defined?  Looks like it is later
deleted by patch 12/25.  Leftover from an earlier version of the series?
Have you checked that it compiles after each patch?
