[PATCH 1/6] LSM: Infrastructure management of the sock security

Paul Moore paul at paul-moore.com
Tue Jul 9 19:15:17 UTC 2024


On Mon, Jul 8, 2024 at 5:40 PM Casey Schaufler <casey at schaufler-ca.com> wrote:
>
> Move management of the sock->sk_security blob out
> of the individual security modules and into the security
> infrastructure. Instead of allocating the blobs from within
> the modules the modules tell the infrastructure how much
> space is required, and the space is allocated there.
>
> Acked-by: Paul Moore <paul at paul-moore.com>
> Reviewed-by: Kees Cook <keescook at chromium.org>
> Reviewed-by: John Johansen <john.johansen at canonical.com>
> Acked-by: Stephen Smalley <stephen.smalley.work at gmail.com>
> Signed-off-by: Casey Schaufler <casey at schaufler-ca.com>
> ---
>  include/linux/lsm_hooks.h         |  1 +
>  security/apparmor/include/net.h   |  3 +-
>  security/apparmor/lsm.c           | 17 +------
>  security/apparmor/net.c           |  2 +-
>  security/security.c               | 36 +++++++++++++-
>  security/selinux/hooks.c          | 80 ++++++++++++++-----------------
>  security/selinux/include/objsec.h |  5 ++
>  security/selinux/netlabel.c       | 23 ++++-----
>  security/smack/smack.h            |  5 ++
>  security/smack/smack_lsm.c        | 70 +++++++++++++--------------
>  security/smack/smack_netfilter.c  |  4 +-
>  11 files changed, 133 insertions(+), 113 deletions(-)

...

> diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c
> index 7eed331e90f0..19346e1817ff 100644
> --- a/security/selinux/hooks.c
> +++ b/security/selinux/hooks.c
> @@ -5495,8 +5488,8 @@ static void selinux_sctp_sk_clone(struct sctp_association *asoc, struct sock *sk
>
>  static int selinux_mptcp_add_subflow(struct sock *sk, struct sock *ssk)
>  {
> -       struct sk_security_struct *ssksec = ssk->sk_security;
> -       struct sk_security_struct *sksec = sk->sk_security;
> +       struct sk_security_struct *ssksec = selinux_sock(ssk);
> +       struct sk_security_struct *sksec = selinux_sock(sk);
>
>         ssksec->sclass = sksec->sclass;
>         ssksec->sid = sksec->sid;

That's new :)

Unfortunately I merged a previous version of this patch into lsm/dev a
couple of weeks ago (see below) which appears to have a bug based on
the changes in this revision (lore link below).  While I'm generally
adverse to popping patches off the lsm/dev branch so as to not upset
any ongoing development work, given that we are at -rc7 it's probably
okay and much cleaner than doing a full revert; I'll remove that
commit now.

https://lore.kernel.org/linux-security-module/CAHC9VhQeWF814h8+ho3uKuz+NvvFApwJo4FkdmoRvYpuTcrk4A@mail.gmail.com

-- 
paul-moore.com



More information about the Linux-security-module-archive mailing list