[PATCH v12 11/25] LSM: Use lsmblob in security_cred_getsecid
Stephen Smalley
sds at tycho.nsa.gov
Tue Dec 17 18:23:45 UTC 2019
On 12/16/19 5:36 PM, Casey Schaufler wrote:
> Change the security_cred_getsecid() interface to fill in a
> lsmblob instead of a u32 secid. The associated data elements
> in the audit sub-system are changed from a secid to a lsmblob
> to accommodate multiple possible LSM audit users.
>
> Reviewed-by: Kees Cook <keescook at chromium.org>
> Reviewed-by: John Johansen <john.johansen at canonical.com>
> Signed-off-by: Casey Schaufler <casey at schaufler-ca.com>
> cc: linux-integrity at vger.kernel.org
> ---
> include/linux/security.h | 2 +-
> kernel/audit.c | 19 +++++++-----------
> kernel/audit.h | 5 +++--
> kernel/auditsc.c | 33 +++++++++++--------------------
> security/integrity/ima/ima_main.c | 8 ++++----
> security/security.c | 12 ++++++++---
> 6 files changed, 36 insertions(+), 43 deletions(-)
>
> index 6ee53e43c986..69b52f25038a 100644
> --- a/kernel/audit.c
> +++ b/kernel/audit.c
> @@ -124,7 +124,7 @@ static u32 audit_backlog_wait_time = AUDIT_BACKLOG_WAIT_TIME;
> /* The identity of the user shutting down the audit system. */
> kuid_t audit_sig_uid = INVALID_UID;
> pid_t audit_sig_pid = -1;
> -u32 audit_sig_sid = 0;
> +struct lsmblob audit_sig_lsm;
Not your bug but wondering why these variables aren't static; seemingly
localized to audit.c.
> diff --git a/kernel/audit.h b/kernel/audit.h
> index 6fb7160412d4..af9bc09e656c 100644
> --- a/kernel/audit.h
> +++ b/kernel/audit.h
> @@ -134,7 +135,7 @@ struct audit_context {
> kuid_t target_auid;
> kuid_t target_uid;
> unsigned int target_sessionid;
> - u32 target_sid;
> + struct lsmblob target_lsm;
Probably should be consistent with the indentation of the other fields.
> char target_comm[TASK_COMM_LEN];
>
> struct audit_tree_refs *trees, *first_trees;
> diff --git a/kernel/auditsc.c b/kernel/auditsc.c
> index 5752e51883d5..c1e3ac8eb1ad 100644
> --- a/kernel/auditsc.c
> +++ b/kernel/auditsc.c
> @@ -112,7 +112,7 @@ struct audit_aux_data_pids {
> kuid_t target_auid[AUDIT_AUX_PIDS];
> kuid_t target_uid[AUDIT_AUX_PIDS];
> unsigned int target_sessionid[AUDIT_AUX_PIDS];
> - u32 target_sid[AUDIT_AUX_PIDS];
> + struct lsmblob target_lsm[AUDIT_AUX_PIDS];
> char target_comm[AUDIT_AUX_PIDS][TASK_COMM_LEN];
> int pid_count;
> };
Ditto
Other than those minor stylistic matters,
Acked-by: Stephen Smalley <sds at tycho.nsa.gov>
More information about the Linux-security-module-archive
mailing list