[PATCH 45/97] LSM: Use lsm_context in secctx_to_secid hooks
Casey Schaufler
casey at schaufler-ca.com
Thu Feb 28 22:18:41 UTC 2019
Convert SELinux, Smack and AppArmor to use the lsm_context structure
instead of a context/secid pair. There is some scaffolding involved
that will be removed when the related data is updated.
Signed-off-by: Casey Schaufler <casey at schaufler-ca.com>
---
include/linux/lsm_hooks.h | 4 ++--
security/apparmor/include/secid.h | 2 +-
security/apparmor/secid.c | 7 +++----
security/security.c | 6 +++++-
security/selinux/hooks.c | 4 ++--
security/smack/smack_lsm.c | 4 ++--
6 files changed, 15 insertions(+), 12 deletions(-)
diff --git a/include/linux/lsm_hooks.h b/include/linux/lsm_hooks.h
index 97b258488e4d..bb748b0a045b 100644
--- a/include/linux/lsm_hooks.h
+++ b/include/linux/lsm_hooks.h
@@ -1311,8 +1311,8 @@
* context.
* @secctx_to_secid:
* Convert security context to exported lsm data.
+ * @cp contains the security context.
* @l contains the pointer to the generated security data.
- * @secdata contains the security context.
*
* @release_secctx:
* Release the security context.
@@ -1654,7 +1654,7 @@ union security_list_options {
int (*setprocattr)(const char *name, void *value, size_t size);
int (*ismaclabel)(const char *name);
int (*secid_to_secctx)(struct lsm_export *l, struct lsm_context *cp);
- int (*secctx_to_secid)(const char *secdata, u32 seclen,
+ int (*secctx_to_secid)(const struct lsm_context *cp,
struct lsm_export *l);
void (*release_secctx)(char *secdata, u32 seclen);
diff --git a/security/apparmor/include/secid.h b/security/apparmor/include/secid.h
index 964d3dc92635..acfcf99bff0e 100644
--- a/security/apparmor/include/secid.h
+++ b/security/apparmor/include/secid.h
@@ -27,7 +27,7 @@ struct aa_label;
struct aa_label *aa_secid_to_label(struct lsm_export *l);
int apparmor_secid_to_secctx(struct lsm_export *l, struct lsm_context *cp);
-int apparmor_secctx_to_secid(const char *secdata, u32 seclen,
+int apparmor_secctx_to_secid(const struct lsm_context *cp,
struct lsm_export *l);
void apparmor_release_secctx(char *secdata, u32 seclen);
diff --git a/security/apparmor/secid.c b/security/apparmor/secid.c
index 4e11434605d6..35df38592b6e 100644
--- a/security/apparmor/secid.c
+++ b/security/apparmor/secid.c
@@ -110,13 +110,12 @@ int apparmor_secid_to_secctx(struct lsm_export *l, struct lsm_context *cp)
return 0;
}
-int apparmor_secctx_to_secid(const char *secdata, u32 seclen,
- struct lsm_export *l)
+int apparmor_secctx_to_secid(const struct lsm_context *cp, struct lsm_export *l)
{
struct aa_label *label;
- label = aa_label_strn_parse(&root_ns->unconfined->label, secdata,
- seclen, GFP_KERNEL, false, false);
+ label = aa_label_strn_parse(&root_ns->unconfined->label, cp->context,
+ cp->len, GFP_KERNEL, false, false);
if (IS_ERR(label))
return PTR_ERR(label);
aa_export_secid(l, label->secid);
diff --git a/security/security.c b/security/security.c
index 9b25f0113b4f..fa94f012a7ab 100644
--- a/security/security.c
+++ b/security/security.c
@@ -1991,8 +1991,12 @@ EXPORT_SYMBOL(security_secid_to_secctx);
int security_secctx_to_secid(const char *secdata, u32 seclen,
struct lsm_export *l)
{
+ struct lsm_context lc;
+
+ lc.context = secdata;
+ lc.len = seclen;
lsm_export_init(l);
- return call_one_int_hook(secctx_to_secid, 0, secdata, seclen, l);
+ return call_one_int_hook(secctx_to_secid, 0, &lc, l);
}
EXPORT_SYMBOL(security_secctx_to_secid);
diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c
index 4d679697cdad..00b47c01960b 100644
--- a/security/selinux/hooks.c
+++ b/security/selinux/hooks.c
@@ -6203,13 +6203,13 @@ static int selinux_secid_to_secctx(struct lsm_export *l, struct lsm_context *cp)
&cp->context, &cp->len);
}
-static int selinux_secctx_to_secid(const char *secdata, u32 seclen,
+static int selinux_secctx_to_secid(const struct lsm_context *cp,
struct lsm_export *l)
{
u32 secid;
int rc;
- rc = security_context_to_sid(&selinux_state, secdata, seclen,
+ rc = security_context_to_sid(&selinux_state, cp->context, cp->len,
&secid, GFP_KERNEL);
selinux_export_secid(l, secid);
return rc;
diff --git a/security/smack/smack_lsm.c b/security/smack/smack_lsm.c
index 015a2342aad5..a5108215ed49 100644
--- a/security/smack/smack_lsm.c
+++ b/security/smack/smack_lsm.c
@@ -4370,10 +4370,10 @@ static int smack_secid_to_secctx(struct lsm_export *l, struct lsm_context *cp)
*
* Exists for audit and networking code.
*/
-static int smack_secctx_to_secid(const char *secdata, u32 seclen,
+static int smack_secctx_to_secid(const struct lsm_context *cp,
struct lsm_export *l)
{
- struct smack_known *skp = smk_find_entry(secdata);
+ struct smack_known *skp = smk_find_entry(cp->context);
if (skp)
smack_export_secid(l, skp->smk_secid);
--
2.17.0
More information about the Linux-security-module-archive
mailing list