[PATCH 16/97] LSM: Use lsm_export in the secctx_to_secid hooks
Casey Schaufler
casey at schaufler-ca.com
Thu Feb 28 22:18:12 UTC 2019
Convert the secctx_to_secid hooks to use the lsm_export
structure instead of a u32 secid. There is some scaffolding
involved that will be removed when security_secctx_to_secid()
is updated.
Signed-off-by: Casey Schaufler <casey at schaufler-ca.com>
---
include/linux/lsm_hooks.h | 7 ++++---
security/apparmor/include/secid.h | 3 ++-
security/apparmor/secid.c | 9 +++++----
security/security.c | 8 ++++++--
security/selinux/hooks.c | 12 +++++++++---
security/smack/smack_lsm.c | 7 ++++---
6 files changed, 30 insertions(+), 16 deletions(-)
diff --git a/include/linux/lsm_hooks.h b/include/linux/lsm_hooks.h
index 50629fb10cd5..97ef535dafd0 100644
--- a/include/linux/lsm_hooks.h
+++ b/include/linux/lsm_hooks.h
@@ -1311,8 +1311,8 @@
* context.
* @seclen pointer which contains the length of the data
* @secctx_to_secid:
- * Convert security context to secid.
- * @secid contains the pointer to the generated security ID.
+ * Convert security context to exported lsm data.
+ * @l contains the pointer to the generated security data.
* @secdata contains the security context.
*
* @release_secctx:
@@ -1656,7 +1656,8 @@ union security_list_options {
int (*ismaclabel)(const char *name);
int (*secid_to_secctx)(struct lsm_export *l, char **secdata,
u32 *seclen);
- int (*secctx_to_secid)(const char *secdata, u32 seclen, u32 *secid);
+ int (*secctx_to_secid)(const char *secdata, u32 seclen,
+ struct lsm_export *l);
void (*release_secctx)(char *secdata, u32 seclen);
void (*inode_invalidate_secctx)(struct inode *inode);
diff --git a/security/apparmor/include/secid.h b/security/apparmor/include/secid.h
index 03369183f512..5381eff03d4f 100644
--- a/security/apparmor/include/secid.h
+++ b/security/apparmor/include/secid.h
@@ -27,7 +27,8 @@ struct aa_label;
struct aa_label *aa_secid_to_label(struct lsm_export *l);
int apparmor_secid_to_secctx(struct lsm_export *l, char **secdata, u32 *seclen);
-int apparmor_secctx_to_secid(const char *secdata, u32 seclen, u32 *secid);
+int apparmor_secctx_to_secid(const char *secdata, u32 seclen,
+ struct lsm_export *l);
void apparmor_release_secctx(char *secdata, u32 seclen);
diff --git a/security/apparmor/secid.c b/security/apparmor/secid.c
index ab4dc165e43e..69d98a89db75 100644
--- a/security/apparmor/secid.c
+++ b/security/apparmor/secid.c
@@ -75,9 +75,9 @@ struct aa_label *aa_secid_to_label(struct lsm_export *l)
return label;
}
-static inline void aa_import_secid(struct lsm_export *l, u32 secid)
+static inline void aa_export_secid(struct lsm_export *l, u32 secid)
{
- l->flags = LSM_EXPORT_APPARMOR;
+ l->flags |= LSM_EXPORT_APPARMOR;
l->apparmor = secid;
}
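Review bot: Switching `l->flags = LSM_EXPORT_APPARMOR` to `l->flags |= LSM_EXPORT_APPARMOR` makes aa_export_secid depend on the caller having initialised `l->flags` before the call; the only caller visible in this series, security_secctx_to_secid, does start from `LSM_EXPORT_NONE`, but any other caller that hands in an lsm_export it did not zero (the rename suggests other call sites exist outside this patch) would keep stale flag bits from a previous use. Either keep the plain assignment, or document the precondition on the helper, e.g. `/* Requires l->flags to be initialised by the caller; other modules' bits are preserved. */`, so the later scaffolding removal does not silently break it.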
@@ -111,7 +111,8 @@ int apparmor_secid_to_secctx(struct lsm_export *l, char **secdata, u32 *seclen)
return 0;
}
-int apparmor_secctx_to_secid(const char *secdata, u32 seclen, u32 *secid)
+int apparmor_secctx_to_secid(const char *secdata, u32 seclen,
+ struct lsm_export *l)
{
struct aa_label *label;
@@ -119,7 +120,7 @@ int apparmor_secctx_to_secid(const char *secdata, u32 seclen, u32 *secid)
seclen, GFP_KERNEL, false, false);
if (IS_ERR(label))
return PTR_ERR(label);
- *secid = label->secid;
+ aa_export_secid(l, label->secid);
return 0;
}
diff --git a/security/security.c b/security/security.c
index 6e05d3127760..f3c29dd51c7a 100644
--- a/security/security.c
+++ b/security/security.c
@@ -1998,8 +1998,12 @@ EXPORT_SYMBOL(security_secid_to_secctx);
int security_secctx_to_secid(const char *secdata, u32 seclen, u32 *secid)
{
- *secid = 0;
- return call_int_hook(secctx_to_secid, 0, secdata, seclen, secid);
+ struct lsm_export data = { .flags = LSM_EXPORT_NONE };
+ int rc;
+
+ rc = call_int_hook(secctx_to_secid, 0, secdata, seclen, &data);
+ lsm_export_secid(&data, secid);
+ return rc;
}
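Review bot: The old code pre-set `*secid = 0` before calling the hook, so a failing hook left the caller with a defined value; the new code instead calls `lsm_export_secid(&data, secid)` unconditionally, even when `rc` is non-zero and `data.flags` is still `LSM_EXPORT_NONE`. Whether `*secid` is written in that case depends on lsm_export_secid's handling of an empty export, which is not visible here. To keep the previous contract regardless, restore the pre-zero: `*secid = 0;` before the `call_int_hook(...)` line, or only export on success with `if (rc == 0) lsm_export_secid(&data, secid);`.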
EXPORT_SYMBOL(security_secctx_to_secid);
diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c
index eae3c42c07fd..744fa6141ae1 100644
--- a/security/selinux/hooks.c
+++ b/security/selinux/hooks.c
@@ -6204,10 +6204,16 @@ static int selinux_secid_to_secctx(struct lsm_export *l, char **secdata,
secdata, seclen);
}
-static int selinux_secctx_to_secid(const char *secdata, u32 seclen, u32 *secid)
+static int selinux_secctx_to_secid(const char *secdata, u32 seclen,
+ struct lsm_export *l)
{
- return security_context_to_sid(&selinux_state, secdata, seclen,
- secid, GFP_KERNEL);
+ u32 secid;
+ int rc;
+
+ rc = security_context_to_sid(&selinux_state, secdata, seclen,
+ &secid, GFP_KERNEL);
+ selinux_export_secid(l, secid);
+ return rc;
}
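Review bot: `u32 secid;` is declared uninitialised and then passed to `selinux_export_secid(l, secid)` even when security_context_to_sid() returns an error; unless that function writes `*sid` on every failure path (not visible in this hunk), an uninitialised stack value is exported into `l`. Previously the hook only forwarded the caller's pointer, which security_secctx_to_secid had already zeroed. Initialise it, `u32 secid = 0;`, or export only on success, `if (rc == 0) selinux_export_secid(l, secid);`.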
static void selinux_release_secctx(char *secdata, u32 seclen)
diff --git a/security/smack/smack_lsm.c b/security/smack/smack_lsm.c
index 83a2b1153790..1ee9c94c0e16 100644
--- a/security/smack/smack_lsm.c
+++ b/security/smack/smack_lsm.c
@@ -4371,14 +4371,15 @@ static int smack_secid_to_secctx(struct lsm_export *l, char **secdata,
*
* Exists for audit and networking code.
*/
-static int smack_secctx_to_secid(const char *secdata, u32 seclen, u32 *secid)
+static int smack_secctx_to_secid(const char *secdata, u32 seclen,
+ struct lsm_export *l)
{
struct smack_known *skp = smk_find_entry(secdata);
if (skp)
- *secid = skp->smk_secid;
+ smack_export_secid(l, skp->smk_secid);
else
- *secid = 0;
+ smack_export_secid(l, 0);
return 0;
}
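Review bot: The kernel-doc block for smack_secctx_to_secid begins before this hunk; only its tail (`Exists for audit and networking code.`) is in context. If it still documents a `@secid` parameter, it should be updated to describe `@l`, e.g. `@l: where to put the exported Smack secid`, since the parameter list has changed in this hunk.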
--
2.17.0