[PATCH v39 20/42] LSM: Use lsmcontext in security_dentry_init_security

Mon Dec 18 02:50:57 UTC 2023

On 12/16/23 06:16, Casey Schaufler wrote:
> Replace the (secctx,seclen) pointer pair with a single
> lsmcontext pointer to allow return of the LSM identifier
> along with the context and context length. This allows
> security_release_secctx() to know how to release the
> context. Callers have been modified to use or save the
> returned data from the new structure.
>
> Special care is taken in the NFS code, which uses the
> same data structure for its own copied labels as it does
> for the data which comes from security_dentry_init_security().
> In the case of copied labels the data has to be freed, not
> released.
>
> Signed-off-by: Casey Schaufler <casey at schaufler-ca.com>
> Cc: ceph-devel at vger.kernel.org
> Cc: linux-nfs at vger.kernel.org
> ---
>   fs/ceph/super.h               |  3 +--
>   fs/ceph/xattr.c               | 19 ++++++-------------
>   fs/fuse/dir.c                 | 35 ++++++++++++++++++-----------------
>   fs/nfs/dir.c                  |  2 +-
>   fs/nfs/inode.c                | 17 ++++++++++-------
>   fs/nfs/internal.h             |  8 +++++---
>   fs/nfs/nfs4proc.c             | 22 +++++++++-------------
>   fs/nfs/nfs4xdr.c              | 22 ++++++++++++----------
>   include/linux/lsm_hook_defs.h |  2 +-
>   include/linux/nfs4.h          |  8 ++++----
>   include/linux/nfs_fs.h        |  2 +-
>   include/linux/security.h      |  7 +++----
>   security/security.c           |  9 ++++-----
>   security/selinux/hooks.c      |  9 +++++----
>   14 files changed, 80 insertions(+), 85 deletions(-)
>
> diff --git a/fs/ceph/super.h b/fs/ceph/super.h
> index fe0f64a0acb2..d503cc7478b7 100644
> --- a/fs/ceph/super.h
> +++ b/fs/ceph/super.h
> @@ -1133,8 +1133,7 @@ struct ceph_acl_sec_ctx {
>   	void *acl;
>   #endif
>   #ifdef CONFIG_CEPH_FS_SECURITY_LABEL
> -	void *sec_ctx;
> -	u32 sec_ctxlen;
> +	struct lsmcontext lsmctx;
>   #endif
>   #ifdef CONFIG_FS_ENCRYPTION
>   	struct ceph_fscrypt_auth *fscrypt_auth;
> diff --git a/fs/ceph/xattr.c b/fs/ceph/xattr.c
> index 113956d386c0..4c767a20ac4c 100644
> --- a/fs/ceph/xattr.c
> +++ b/fs/ceph/xattr.c
> @@ -1383,8 +1383,7 @@ int ceph_security_init_secctx(struct dentry *dentry, umode_t mode,
>   	int err;
>   
>   	err = security_dentry_init_security(dentry, mode, &dentry->d_name,
> -					    &name, &as_ctx->sec_ctx,
> -					    &as_ctx->sec_ctxlen);
> +					    &name, &as_ctx->lsmctx);
>   	if (err < 0) {
>   		WARN_ON_ONCE(err != -EOPNOTSUPP);
>   		err = 0; /* do nothing */
> @@ -1409,7 +1408,7 @@ int ceph_security_init_secctx(struct dentry *dentry, umode_t mode,
>   	 */
>   	name_len = strlen(name);
>   	err = ceph_pagelist_reserve(pagelist,
> -				    4 * 2 + name_len + as_ctx->sec_ctxlen);
> +				    4 * 2 + name_len + as_ctx->lsmctx.len);
>   	if (err)
>   		goto out;
>   
> @@ -1429,11 +1428,9 @@ int ceph_security_init_secctx(struct dentry *dentry, umode_t mode,
>   		as_ctx->pagelist = pagelist;
>   	}
>   
> -	ceph_pagelist_encode_32(pagelist, name_len);
> -	ceph_pagelist_append(pagelist, name, name_len);
> -

Why remove these ?

> -	ceph_pagelist_encode_32(pagelist, as_ctx->sec_ctxlen);
> -	ceph_pagelist_append(pagelist, as_ctx->sec_ctx, as_ctx->sec_ctxlen);
> +	ceph_pagelist_encode_32(pagelist, as_ctx->lsmctx.len);
> +	ceph_pagelist_append(pagelist, as_ctx->lsmctx.context,
> +			     as_ctx->lsmctx.len);
>   
>   
[...]

Thanks,

- Xiubo