[PATCH v39 20/42] LSM: Use lsmcontext in security_dentry_init_security
Xiubo Li
xiubli at redhat.com
Mon Dec 18 02:50:57 UTC 2023
On 12/16/23 06:16, Casey Schaufler wrote:
> Replace the (secctx,seclen) pointer pair with a single
> lsmcontext pointer to allow return of the LSM identifier
> along with the context and context length. This allows
> security_release_secctx() to know how to release the
> context. Callers have been modified to use or save the
> returned data from the new structure.
>
> Special care is taken in the NFS code, which uses the
> same data structure for its own copied labels as it does
> for the data which comes from security_dentry_init_security().
> In the case of copied labels the data has to be freed, not
> released.
>
> Signed-off-by: Casey Schaufler <casey at schaufler-ca.com>
> Cc: ceph-devel at vger.kernel.org
> Cc: linux-nfs at vger.kernel.org
> ---
> fs/ceph/super.h | 3 +--
> fs/ceph/xattr.c | 19 ++++++-------------
> fs/fuse/dir.c | 35 ++++++++++++++++++-----------------
> fs/nfs/dir.c | 2 +-
> fs/nfs/inode.c | 17 ++++++++++-------
> fs/nfs/internal.h | 8 +++++---
> fs/nfs/nfs4proc.c | 22 +++++++++-------------
> fs/nfs/nfs4xdr.c | 22 ++++++++++++----------
> include/linux/lsm_hook_defs.h | 2 +-
> include/linux/nfs4.h | 8 ++++----
> include/linux/nfs_fs.h | 2 +-
> include/linux/security.h | 7 +++----
> security/security.c | 9 ++++-----
> security/selinux/hooks.c | 9 +++++----
> 14 files changed, 80 insertions(+), 85 deletions(-)
>
> diff --git a/fs/ceph/super.h b/fs/ceph/super.h
> index fe0f64a0acb2..d503cc7478b7 100644
> --- a/fs/ceph/super.h
> +++ b/fs/ceph/super.h
> @@ -1133,8 +1133,7 @@ struct ceph_acl_sec_ctx {
> void *acl;
> #endif
> #ifdef CONFIG_CEPH_FS_SECURITY_LABEL
> - void *sec_ctx;
> - u32 sec_ctxlen;
> + struct lsmcontext lsmctx;
> #endif
> #ifdef CONFIG_FS_ENCRYPTION
> struct ceph_fscrypt_auth *fscrypt_auth;
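Review bot: `struct lsmcontext lsmctx` is now embedded by value in `struct ceph_acl_sec_ctx`, so fs/ceph/super.h needs the complete definition of `struct lsmcontext` in scope, not merely a forward declaration; this hunk adds no include, so confirm that the header defining the structure (include/linux/security.h is touched in this series) is already reached from super.h, otherwise CONFIG_CEPH_FS_SECURITY_LABEL builds will fail on the incomplete type.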
> diff --git a/fs/ceph/xattr.c b/fs/ceph/xattr.c
> index 113956d386c0..4c767a20ac4c 100644
> --- a/fs/ceph/xattr.c
> +++ b/fs/ceph/xattr.c
> @@ -1383,8 +1383,7 @@ int ceph_security_init_secctx(struct dentry *dentry, umode_t mode,
> int err;
>
> err = security_dentry_init_security(dentry, mode, &dentry->d_name,
> - &name, &as_ctx->sec_ctx,
> - &as_ctx->sec_ctxlen);
> + &name, &as_ctx->lsmctx);
> if (err < 0) {
> WARN_ON_ONCE(err != -EOPNOTSUPP);
> err = 0; /* do nothing */
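Review bot: the call now passes the whole `&as_ctx->lsmctx` to security_dentry_init_security(), and per the commit message the point is that security_release_secctx() can then use the stored LSM id; the matching release in this file's ceph_release_acl_sec_ctx() is not in this hunk, so please verify it was switched in the same patch to release `&as_ctx->lsmctx` rather than the old (sec_ctx, sec_ctxlen) pair, given the diffstat shows only 19 changed lines for fs/ceph/xattr.c.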
> @@ -1409,7 +1408,7 @@ int ceph_security_init_secctx(struct dentry *dentry, umode_t mode,
> */
> name_len = strlen(name);
> err = ceph_pagelist_reserve(pagelist,
> - 4 * 2 + name_len + as_ctx->sec_ctxlen);
> + 4 * 2 + name_len + as_ctx->lsmctx.len);
> if (err)
> goto out;
>
> @@ -1429,11 +1428,9 @@ int ceph_security_init_secctx(struct dentry *dentry, umode_t mode,
> as_ctx->pagelist = pagelist;
> }
>
> - ceph_pagelist_encode_32(pagelist, name_len);
> - ceph_pagelist_append(pagelist, name, name_len);
> -
Why remove these?
> - ceph_pagelist_encode_32(pagelist, as_ctx->sec_ctxlen);
> - ceph_pagelist_append(pagelist, as_ctx->sec_ctx, as_ctx->sec_ctxlen);
> + ceph_pagelist_encode_32(pagelist, as_ctx->lsmctx.len);
> + ceph_pagelist_append(pagelist, as_ctx->lsmctx.context,
> + as_ctx->lsmctx.len);
>
>
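Review bot: the removed `ceph_pagelist_encode_32(pagelist, name_len);` and `ceph_pagelist_append(pagelist, name, name_len);` lines have no replacement, so the xattr name is no longer written into the pagelist even though the preceding hunk still reserves `4 * 2 + name_len + as_ctx->lsmctx.len` bytes for it; the (length, name) pair must precede the (length, context) pair or the encoded security xattr is malformed from the MDS's point of view. This reads as an accidental deletion rather than part of the lsmcontext conversion; restore those two lines (and the blank separator) ahead of the `as_ctx->lsmctx.len` encode.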
[...]
Thanks,
- Xiubo