[PATCH 05/97] LSM: Create an lsm_export data structure.

Stephen Smalley sds at tycho.nsa.gov
Fri Mar 1 14:00:49 UTC 2019


On 2/28/19 5:18 PM, Casey Schaufler wrote:
> When more than one security module is exporting data to
> audit and networking sub-systems a single 32 bit integer
> is no longer sufficient to represent the data. Add a
> structure to be used instead.
> 
> Signed-off-by: Casey Schaufler <casey at schaufler-ca.com>
> ---
>   include/linux/security.h | 12 ++++++++++++
>   1 file changed, 12 insertions(+)
> 
> diff --git a/include/linux/security.h b/include/linux/security.h
> index 13537a49ae97..a79fe8ef9d84 100644
> --- a/include/linux/security.h
> +++ b/include/linux/security.h
> @@ -73,6 +73,18 @@ enum lsm_event {
>   	LSM_POLICY_CHANGE,
>   };
>   
> +/* Data exported by the security modules */
> +struct lsm_export {
> +	u32	selinux;
> +	u32	smack;
> +	u32	apparmor;
> +	u32	flags;
> +};
> +#define LSM_EXPORT_NONE		0x00
> +#define LSM_EXPORT_SELINUX	0x01
> +#define LSM_EXPORT_SMACK	0x02
> +#define LSM_EXPORT_APPARMOR	0x04

Can this be generalized to avoid hardcoding the names of specific 
security modules in the field and symbol names?  Possibly just an array 
of secids with the indices dynamically assigned by the infrastructure at 
registration time?  We don't really want to have to patch this structure 
every time someone adds a new security module that needs audit and/or 
network facilities, right?

> +
>   /* These functions are in security/commoncap.c */
>   extern int cap_capable(const struct cred *cred, struct user_namespace *ns,
>   		       int cap, unsigned int opts);
> 



More information about the Linux-security-module-archive mailing list