[PATCH 1/6] LSM: Infrastructure management of the sock security
Paul Moore
paul at paul-moore.com
Tue Jul 9 19:15:17 UTC 2024
On Mon, Jul 8, 2024 at 5:40 PM Casey Schaufler <casey at schaufler-ca.com> wrote:
>
> Move management of the sock->sk_security blob out
> of the individual security modules and into the security
> infrastructure. Instead of allocating the blobs from within
> the modules the modules tell the infrastructure how much
> space is required, and the space is allocated there.
>
> Acked-by: Paul Moore <paul at paul-moore.com>
> Reviewed-by: Kees Cook <keescook at chromium.org>
> Reviewed-by: John Johansen <john.johansen at canonical.com>
> Acked-by: Stephen Smalley <stephen.smalley.work at gmail.com>
> Signed-off-by: Casey Schaufler <casey at schaufler-ca.com>
> ---
> include/linux/lsm_hooks.h | 1 +
> security/apparmor/include/net.h | 3 +-
> security/apparmor/lsm.c | 17 +------
> security/apparmor/net.c | 2 +-
> security/security.c | 36 +++++++++++++-
> security/selinux/hooks.c | 80 ++++++++++++++-----------------
> security/selinux/include/objsec.h | 5 ++
> security/selinux/netlabel.c | 23 ++++-----
> security/smack/smack.h | 5 ++
> security/smack/smack_lsm.c | 70 +++++++++++++--------------
> security/smack/smack_netfilter.c | 4 +-
> 11 files changed, 133 insertions(+), 113 deletions(-)
...
> diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c
> index 7eed331e90f0..19346e1817ff 100644
> --- a/security/selinux/hooks.c
> +++ b/security/selinux/hooks.c
> @@ -5495,8 +5488,8 @@ static void selinux_sctp_sk_clone(struct sctp_association *asoc, struct sock *sk
>
> static int selinux_mptcp_add_subflow(struct sock *sk, struct sock *ssk)
> {
> - struct sk_security_struct *ssksec = ssk->sk_security;
> - struct sk_security_struct *sksec = sk->sk_security;
> + struct sk_security_struct *ssksec = selinux_sock(ssk);
> + struct sk_security_struct *sksec = selinux_sock(sk);
>
> ssksec->sclass = sksec->sclass;
> ssksec->sid = sksec->sid;
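Review bot: the two replaced lines in selinux_mptcp_add_subflow are the last place in this hunk that still cast `sk->sk_security` directly to `struct sk_security_struct *`; once the blob is allocated by the LSM infrastructure (as the commit message describes), SELinux's data lives inside a shared allocation and must be reached through the `selinux_sock()` accessor added in objsec.h, so the conversion here is required rather than cosmetic. Because this hunk is new in this revision, it is worth a final `grep` of security/selinux for any other `->sk_security` dereference so that no direct cast survives the switch to infrastructure-managed blobs.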
That's new :)
Unfortunately I merged a previous version of this patch into lsm/dev a
couple of weeks ago (see below) which appears to have a bug based on
the changes in this revision (lore link below). While I'm generally
adverse to popping patches off the lsm/dev branch so as to not upset
any ongoing development work, given that we are at -rc7 it's probably
okay and much cleaner than doing a full revert; I'll remove that
commit now.
https://lore.kernel.org/linux-security-module/CAHC9VhQeWF814h8+ho3uKuz+NvvFApwJo4FkdmoRvYpuTcrk4A@mail.gmail.com
--
paul-moore.com