[PATCH v13 16/25] LSM: Use lsmcontext in security_dentry_init_security
Stephen Smalley
sds at tycho.nsa.gov
Tue Jan 7 19:23:44 UTC 2020
On 12/24/19 6:59 PM, Casey Schaufler wrote:
> Change the security_dentry_init_security() interface to
> fill an lsmcontext structure instead of a void * data area
> and a length. The lone caller of this interface is NFS4,
> which may make copies of the data using its own mechanisms.
> A rework of the nfs4 code to use the lsmcontext properly
> is a significant project. SELinux is handled correctly, and
> is the only current user.
>
> Signed-off-by: Casey Schaufler <casey at schaufler-ca.com>
> ---
> fs/nfs/nfs4proc.c | 15 ++++++++-------
> include/linux/security.h | 7 +++----
> security/security.c | 29 +++++++++++++++++++++++++----
> 3 files changed, 36 insertions(+), 15 deletions(-)
>
> diff --git a/fs/nfs/nfs4proc.c b/fs/nfs/nfs4proc.c
> index a30e36654c57..6cd2463f890b 100644
> --- a/fs/nfs/nfs4proc.c
> +++ b/fs/nfs/nfs4proc.c
> @@ -112,6 +112,7 @@ static inline struct nfs4_label *
> nfs4_label_init_security(struct inode *dir, struct dentry *dentry,
> struct iattr *sattr, struct nfs4_label *label)
> {
> + struct lsmcontext context;
> int err;
>
> if (label == NULL)
> @@ -121,21 +122,21 @@ nfs4_label_init_security(struct inode *dir, struct dentry *dentry,
> return NULL;
>
> err = security_dentry_init_security(dentry, sattr->ia_mode,
> - &dentry->d_name, (void **)&label->label, &label->len);
> + &dentry->d_name, &context);
> +
> + label->label = context.context;
> + label->len = context.len;
No point in setting label->label/len if err != 0.
> +
> if (err == 0)
> return label;
>
> return NULL;
> +
> }
Leftover empty line.
> static inline void
> nfs4_label_release_security(struct nfs4_label *label)
> {
> - struct lsmcontext scaff; /* scaffolding */
> -
> - if (label) {
> - lsmcontext_init(&scaff, label->label, label->len, 0);
> - security_release_secctx(&scaff);
> - }
> + kfree(label->label);
> }
> static inline u32 *nfs4_bitmask(struct nfs_server *server, struct nfs4_label *label)
> {
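Review bot: the rewritten nfs4_label_release_security() drops the NULL check that the scaffolding version kept (`if (label) {`), so the new body `kfree(label->label);` dereferences a NULL label unconditionally; keep the guard, e.g. `if (label) kfree(label->label);`. Replacing security_release_secctx(&scaff) with a bare kfree() also stops routing the release through the LSM hook and hard-codes the assumption that the context buffer was kmalloc'd, which the commit message justifies only by SELinux being the sole current user; if that is intentional it belongs in the commit message or a comment next to the kfree().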
Not sure why you don't just leave the scaffolding here?