[PATCH v26 15/25] LSM: Ensure the correct LSM context releaser

Paul Moore paul at paul-moore.com
Fri May 21 20:19:17 UTC 2021


On Thu, May 13, 2021 at 4:24 PM Casey Schaufler <casey at schaufler-ca.com> wrote:
>
> Add a new lsmcontext data structure to hold all the information
> about a "security context", including the string, its size and
> which LSM allocated the string. The allocation information is
> necessary because LSMs have different policies regarding the
> lifecycle of these strings. SELinux allocates and destroys
> them on each use, whereas Smack provides a pointer to an entry
> in a list that never goes away.
>
> Reviewed-by: Kees Cook <keescook at chromium.org>
> Reviewed-by: John Johansen <john.johansen at canonical.com>
> Acked-by: Stephen Smalley <sds at tycho.nsa.gov>
> Acked-by: Chuck Lever <chuck.lever at oracle.com>
> Signed-off-by: Casey Schaufler <casey at schaufler-ca.com>
> Cc: linux-integrity at vger.kernel.org
> Cc: netdev at vger.kernel.org
> Cc: linux-audit at redhat.com
> Cc: netfilter-devel at vger.kernel.org
> To: Pablo Neira Ayuso <pablo at netfilter.org>
> Cc: linux-nfs at vger.kernel.org
> ---
>  drivers/android/binder.c                | 10 ++++---
>  fs/ceph/xattr.c                         |  6 ++++-
>  fs/nfs/nfs4proc.c                       |  8 ++++--
>  fs/nfsd/nfs4xdr.c                       |  7 +++--
>  include/linux/security.h                | 35 +++++++++++++++++++++++--
>  include/net/scm.h                       |  5 +++-
>  kernel/audit.c                          | 14 +++++++---
>  kernel/auditsc.c                        | 12 ++++++---
>  net/ipv4/ip_sockglue.c                  |  4 ++-
>  net/netfilter/nf_conntrack_netlink.c    |  4 ++-
>  net/netfilter/nf_conntrack_standalone.c |  4 ++-
>  net/netfilter/nfnetlink_queue.c         | 13 ++++++---
>  net/netlabel/netlabel_unlabeled.c       | 19 +++++++++++---
>  net/netlabel/netlabel_user.c            |  4 ++-
>  security/security.c                     | 11 ++++----
>  15 files changed, 121 insertions(+), 35 deletions(-)

Acked-by: Paul Moore <paul at paul-moore.com>


--
paul moore
www.paul-moore.com



More information about the Linux-security-module-archive mailing list