[PATCH v12 09/25] LSM: Use lsmblob in security_task_getsecid
Casey Schaufler
casey at schaufler-ca.com
Tue Dec 17 18:26:23 UTC 2019
On 12/17/2019 10:11 AM, Stephen Smalley wrote:
> On 12/16/19 5:36 PM, Casey Schaufler wrote:
>> Change the security_task_getsecid() interface to fill in
>> a lsmblob structure instead of a u32 secid in support of
>> LSM stacking. Audit interfaces will need to collect all
>> possible secids for possible reporting.
>>
>> Reviewed-by: Kees Cook <keescook at chromium.org>
>> Reviewed-by: John Johansen <john.johansen at canonical.com>
>> Signed-off-by: Casey Schaufler <casey at schaufler-ca.com>
>> Signed-off-by: Casey Schaufler <casey at schaufler-ca.com>
>> cc: linux-integrity at vger.kernel.org
>> ---
>> drivers/android/binder.c | 4 +--
>> include/linux/security.h | 7 +++--
>> kernel/audit.c | 11 +++----
>> kernel/auditfilter.c | 4 +--
>> kernel/auditsc.c | 18 ++++++++----
>> net/netlabel/netlabel_unlabeled.c | 5 +++-
>> net/netlabel/netlabel_user.h | 6 +++-
>> security/integrity/ima/ima_appraise.c | 4 ++-
>> security/integrity/ima/ima_main.c | 42 +++++++++++++++------------
>> security/security.c | 12 ++++++--
>> 10 files changed, 69 insertions(+), 44 deletions(-)
>>
>
>> diff --git a/security/integrity/ima/ima_appraise.c b/security/integrity/ima/ima_appraise.c
>> index 300c8d2943c5..69e549164949 100644
>> --- a/security/integrity/ima/ima_appraise.c
>> +++ b/security/integrity/ima/ima_appraise.c
>> @@ -49,11 +49,13 @@ bool is_ima_appraise_enabled(void)
>> int ima_must_appraise(struct inode *inode, int mask, enum ima_hooks func)
>> {
>> u32 secid;
>> + struct lsmblob blob;
>> if (!ima_appraise)
>> return 0;
>> - security_task_getsecid(current, &secid);
>> + security_task_getsecid(current, &blob);
>> + lsmblob_secid(&blob, &secid);
>> return ima_match_policy(inode, current_cred(), secid, func, mask,
>> IMA_APPRAISE | IMA_HASH, NULL, NULL);
>> }
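Review bot: the added line `+ lsmblob_secid(&blob, &secid);` calls a helper that nothing in this patch defines, and the thread below confirms it does not exist in this version of the series, so the tree no longer builds after applying this patch and the series is not bisectable. Either introduce the lsmblob-to-secid helper in this same patch (include/linux/security.h is already touched per the diffstat) so `u32 secid` can still be handed to ima_match_policy(), or leave ima_must_appraise() on the plain security_task_getsecid()/u32 path here and convert it in patch 12/25, where the reviewer notes this call is removed again.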
>
> I missed where lsmblob_secid() is defined? Looks like it is later deleted by patch 12/25. Leftover from an earlier version of the series? Have you checked that it compiles after each patch?
Bugger. Yes, this is a straight up botch. lsmblob_secid() is never defined in
this version.
>
>
More information about the Linux-security-module-archive mailing list