[PATCH 15/97] LSM: Use lsm_export in the secid_to_secctx hooks

Casey Schaufler casey at schaufler-ca.com
Thu Feb 28 22:18:11 UTC 2019


Convert the secid_to_secctx hooks to use the lsm_export
structure instead of a u32 secid. There is some scaffolding
involved that will be removed when security_secid_to_secctx()
is updated.

Signed-off-by: Casey Schaufler <casey at schaufler-ca.com>
---
 include/linux/lsm_hooks.h         | 5 +++--
 security/apparmor/include/secid.h | 2 +-
 security/apparmor/secid.c         | 6 ++----
 security/security.c               | 5 ++++-
 security/selinux/hooks.c          | 6 +++++-
 security/smack/smack_lsm.c        | 9 +++++++--
 6 files changed, 22 insertions(+), 11 deletions(-)

diff --git a/include/linux/lsm_hooks.h b/include/linux/lsm_hooks.h
index 932af86333b4..50629fb10cd5 100644
--- a/include/linux/lsm_hooks.h
+++ b/include/linux/lsm_hooks.h
@@ -1306,7 +1306,7 @@
  *	This does mean that the length could change between calls to check the
  *	length and the next call which actually allocates and returns the
  *	secdata.
- *	@secid contains the security ID.
+ *	@l points to the security information.
  *	@secdata contains the pointer that stores the converted security
  *	context.
  *	@seclen pointer which contains the length of the data
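Review bot: The new `@l points to the security information.` line for secid_to_secctx does not say what the module is expected to read from the export, which is the one thing a hook implementer needs from this comment now that a u32 is no longer handed over. The SELinux and Smack conversions in this series pull a module-specific secid out of the export with their own import helpers, so the comment could say so: `@l points to the lsm_export holding the secid to convert; each module reads its own member of it.` Whether a hook may be called with its member unset is not visible here; if it can, the comment should state what the hook must return in that case. The documentation block this hunk edits starts outside the hunk.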
@@ -1654,7 +1654,8 @@ union security_list_options {
 	int (*getprocattr)(struct task_struct *p, char *name, char **value);
 	int (*setprocattr)(const char *name, void *value, size_t size);
 	int (*ismaclabel)(const char *name);
-	int (*secid_to_secctx)(u32 secid, char **secdata, u32 *seclen);
+	int (*secid_to_secctx)(struct lsm_export *l, char **secdata,
+				u32 *seclen);
 	int (*secctx_to_secid)(const char *secdata, u32 seclen, u32 *secid);
 	void (*release_secctx)(char *secdata, u32 seclen);
 
diff --git a/security/apparmor/include/secid.h b/security/apparmor/include/secid.h
index c283c620efe3..03369183f512 100644
--- a/security/apparmor/include/secid.h
+++ b/security/apparmor/include/secid.h
@@ -26,7 +26,7 @@ struct aa_label;
 #define AA_SECID_WILDCARD 1
 
 struct aa_label *aa_secid_to_label(struct lsm_export *l);
-int apparmor_secid_to_secctx(u32 secid, char **secdata, u32 *seclen);
+int apparmor_secid_to_secctx(struct lsm_export *l, char **secdata, u32 *seclen);
 int apparmor_secctx_to_secid(const char *secdata, u32 seclen, u32 *secid);
 void apparmor_release_secctx(char *secdata, u32 seclen);
 
diff --git a/security/apparmor/secid.c b/security/apparmor/secid.c
index 1546c45a2a18..ab4dc165e43e 100644
--- a/security/apparmor/secid.c
+++ b/security/apparmor/secid.c
@@ -81,15 +81,13 @@ static inline void aa_import_secid(struct lsm_export *l, u32 secid)
 	l->apparmor = secid;
 }
 
-int apparmor_secid_to_secctx(u32 secid, char **secdata, u32 *seclen)
+int apparmor_secid_to_secctx(struct lsm_export *l, char **secdata, u32 *seclen)
 {
 	/* TODO: cache secctx and ref count so we don't have to recreate */
-	struct lsm_export data;
 	struct aa_label *label;
 	int len;
 
-	aa_import_secid(&data, secid);
-	label = aa_secid_to_label(&data);
+	label = aa_secid_to_label(l);
 
 	AA_BUG(!seclen);
 
diff --git a/security/security.c b/security/security.c
index 51491fda1bc2..6e05d3127760 100644
--- a/security/security.c
+++ b/security/security.c
@@ -1988,7 +1988,10 @@ EXPORT_SYMBOL(security_ismaclabel);
 
 int security_secid_to_secctx(u32 secid, char **secdata, u32 *seclen)
 {
-	return call_int_hook(secid_to_secctx, -EOPNOTSUPP, secid, secdata,
+	struct lsm_export data;
+
+	lsm_export_to_all(&data, secid);
+	return call_int_hook(secid_to_secctx, -EOPNOTSUPP, &data, secdata,
 				seclen);
 }
 EXPORT_SYMBOL(security_secid_to_secctx);
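Review bot: `struct lsm_export data;` on the stack is passed to every registered hook, so the scaffolding is only sound if `lsm_export_to_all()` writes every member of the structure, including any flags member that tells a module whether its slot is valid; its definition is not in this patch, so I cannot confirm that. If it does not, a module that checks the flags before importing reads indeterminate stack bytes; zero-initializing with `struct lsm_export data = { };` before the call, or having the helper do so, closes that gap for the interim state. Since the commit message says this block is temporary, a one-line `/* interim: convert u32 to lsm_export until callers are updated */` comment would also help a reader of this intermediate tree.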
diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c
index 1cde918e4140..eae3c42c07fd 100644
--- a/security/selinux/hooks.c
+++ b/security/selinux/hooks.c
@@ -6194,8 +6194,12 @@ static int selinux_ismaclabel(const char *name)
 	return (strcmp(name, XATTR_SELINUX_SUFFIX) == 0);
 }
 
-static int selinux_secid_to_secctx(u32 secid, char **secdata, u32 *seclen)
+static int selinux_secid_to_secctx(struct lsm_export *l, char **secdata,
+				   u32 *seclen)
 {
+	u32 secid;
+
+	selinux_import_secid(l, &secid);
 	return security_sid_to_context(&selinux_state, secid,
 				       secdata, seclen);
 }
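Review bot: `u32 secid;` in `selinux_secid_to_secctx()` is left uninitialized and is only defined if `selinux_import_secid(l, &secid)` stores to it on every path; the helper is not in this patch, so if it can return without writing (for example when the export carries no SELinux value) `security_sid_to_context()` is handed an indeterminate SID. Initializing the local, `u32 secid = 0;`, or checking the import helper's result if it has one, makes the hook robust to that regardless of how the helper evolves later in the series. A short comment such as `/* scaffolding: extract our secid until the callers pass it directly */` would explain why the conversion happens in the hook.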
diff --git a/security/smack/smack_lsm.c b/security/smack/smack_lsm.c
index a1a9fdd3f1c7..83a2b1153790 100644
--- a/security/smack/smack_lsm.c
+++ b/security/smack/smack_lsm.c
@@ -4348,9 +4348,14 @@ static int smack_ismaclabel(const char *name)
  *
  * Exists for networking code.
  */
-static int smack_secid_to_secctx(u32 secid, char **secdata, u32 *seclen)
+static int smack_secid_to_secctx(struct lsm_export *l, char **secdata,
+				 u32 *seclen)
 {
-	struct smack_known *skp = smack_from_secid(secid);
+	struct smack_known *skp;
+	u32 secid;
+
+	smack_import_secid(l, &secid);
+	skp = smack_from_secid(secid);
 
 	if (secdata)
 		*secdata = skp->smk_known;
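Review bot: As in the SELinux hook, `u32 secid;` in `smack_secid_to_secctx()` is uninitialized and depends on `smack_import_secid(l, &secid)` storing unconditionally, which cannot be verified from this hunk; if the helper skips the store when the export has no Smack value, `smack_from_secid()` is called with an indeterminate secid. Initializing it, `u32 secid = 0;`, removes the dependency on the helper's contract at the cost of one store. The existing `skp->smk_known` dereference without a NULL check is unchanged from the old code, and the body of the hook continues past the end of the hunk.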
-- 
2.17.0


