[PATCH 47/97] LSM: Use lsm_context in inode_notifysecctx hooks
Casey Schaufler
casey at schaufler-ca.com
Thu Feb 28 22:18:43 UTC 2019
Convert SELinux and Smack to use the lsm_context structure
instead of a context/secid pair. There is some scaffolding involved
that will be removed when the related data is updated.
Signed-off-by: Casey Schaufler <casey at schaufler-ca.com>
---
include/linux/lsm_hooks.h | 5 ++---
security/security.c | 6 +++++-
security/selinux/hooks.c | 6 ++++--
security/smack/smack_lsm.c | 5 +++--
4 files changed, 14 insertions(+), 8 deletions(-)
diff --git a/include/linux/lsm_hooks.h b/include/linux/lsm_hooks.h
index 713378bdd69a..a7a68be7e507 100644
--- a/include/linux/lsm_hooks.h
+++ b/include/linux/lsm_hooks.h
@@ -1367,8 +1367,7 @@
* Must be called with inode->i_mutex locked.
*
* @inode we wish to set the security context of.
- * @ctx contains the string which we wish to set in the inode.
- * @ctxlen contains the length of @ctx.
+ * @cp contains the string which we wish to set in the inode.
*
* @inode_setsecctx:
* Change the security context of an inode. Updates the
@@ -1658,7 +1657,7 @@ union security_list_options {
void (*release_secctx)(char *secdata, u32 seclen);
void (*inode_invalidate_secctx)(struct inode *inode);
- int (*inode_notifysecctx)(struct inode *inode, void *ctx, u32 ctxlen);
+ int (*inode_notifysecctx)(struct inode *inode, struct lsm_context *cp);
int (*inode_setsecctx)(struct dentry *dentry, void *ctx, u32 ctxlen);
int (*inode_getsecctx)(struct inode *inode, struct lsm_context *cp);
diff --git a/security/security.c b/security/security.c
index b2aa50a583c7..a0c4ae7da840 100644
--- a/security/security.c
+++ b/security/security.c
@@ -2014,7 +2014,11 @@ EXPORT_SYMBOL(security_inode_invalidate_secctx);
int security_inode_notifysecctx(struct inode *inode, void *ctx, u32 ctxlen)
{
- return call_int_hook(inode_notifysecctx, 0, inode, ctx, ctxlen);
+ struct lsm_context lc;
+
+ lc.context = ctx;
+ lc.len = ctxlen;
+ return call_int_hook(inode_notifysecctx, 0, inode, &lc);
}
EXPORT_SYMBOL(security_inode_notifysecctx);
diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c
index a67b8a3e6b9c..33e58efe59ce 100644
--- a/security/selinux/hooks.c
+++ b/security/selinux/hooks.c
@@ -6232,9 +6232,11 @@ static void selinux_inode_invalidate_secctx(struct inode *inode)
/*
* called with inode->i_mutex locked
*/
-static int selinux_inode_notifysecctx(struct inode *inode, void *ctx, u32 ctxlen)
+static int selinux_inode_notifysecctx(struct inode *inode,
+ struct lsm_context *cp)
{
- return selinux_inode_setsecurity(inode, XATTR_SELINUX_SUFFIX, ctx, ctxlen, 0);
+ return selinux_inode_setsecurity(inode, XATTR_SELINUX_SUFFIX,
+ cp->context, cp->len, 0);
}
/*
diff --git a/security/smack/smack_lsm.c b/security/smack/smack_lsm.c
index b3d4410696a6..26cf42ddba0e 100644
--- a/security/smack/smack_lsm.c
+++ b/security/smack/smack_lsm.c
@@ -4389,9 +4389,10 @@ static void smack_release_secctx(char *secdata, u32 seclen)
{
}
-static int smack_inode_notifysecctx(struct inode *inode, void *ctx, u32 ctxlen)
+static int smack_inode_notifysecctx(struct inode *inode, struct lsm_context *cp)
{
- return smack_inode_setsecurity(inode, XATTR_SMACK_SUFFIX, ctx, ctxlen, 0);
+ return smack_inode_setsecurity(inode, XATTR_SMACK_SUFFIX, cp->context,
+ cp->len, 0);
}
static int smack_inode_setsecctx(struct dentry *dentry, void *ctx, u32 ctxlen)
--
2.17.0
More information about the Linux-security-module-archive
mailing list