[PATCH 3/6] LSM: Add helper for blob allocations
John Johansen
john.johansen at canonical.com
Tue Jul 9 22:51:05 UTC 2024
On 7/8/24 14:39, Casey Schaufler wrote:
> Create a helper function lsm_blob_alloc() for general use in the hook
> specific functions that allocate LSM blobs. Change the hook specific
> functions to use this helper. This reduces the code size by a small
> amount and will make adding new instances of infrastructure managed
> security blobs easier.
>
> Signed-off-by: Casey Schaufler <casey at schaufler-ca.com>
looks good
Reviewed-by: John Johansen <john.johansen at canonical.com>
> ---
> security/security.c | 97 +++++++++++++++------------------------------
> 1 file changed, 33 insertions(+), 64 deletions(-)
>
> diff --git a/security/security.c b/security/security.c
> index aae37481b7be..438ec6708eb3 100644
> --- a/security/security.c
> +++ b/security/security.c
> @@ -605,27 +605,42 @@ int unregister_blocking_lsm_notifier(struct notifier_block *nb)
> EXPORT_SYMBOL(unregister_blocking_lsm_notifier);
>
> /**
> - * lsm_cred_alloc - allocate a composite cred blob
> - * @cred: the cred that needs a blob
> + * lsm_blob_alloc - allocate a composite blob
> + * @dest: the destination for the blob
> + * @size: the size of the blob
> * @gfp: allocation type
> *
> - * Allocate the cred blob for all the modules
> + * Allocate a blob for all the modules
> *
> * Returns 0, or -ENOMEM if memory can't be allocated.
> */
> -static int lsm_cred_alloc(struct cred *cred, gfp_t gfp)
> +static int lsm_blob_alloc(void **dest, size_t size, gfp_t gfp)
> {
> - if (blob_sizes.lbs_cred == 0) {
> - cred->security = NULL;
> + if (size == 0) {
> + *dest = NULL;
> return 0;
> }
>
> - cred->security = kzalloc(blob_sizes.lbs_cred, gfp);
> - if (cred->security == NULL)
> + *dest = kzalloc(size, gfp);
> + if (*dest == NULL)
> return -ENOMEM;
> return 0;
> }
>
> +/**
> + * lsm_cred_alloc - allocate a composite cred blob
> + * @cred: the cred that needs a blob
> + * @gfp: allocation type
> + *
> + * Allocate the cred blob for all the modules
> + *
> + * Returns 0, or -ENOMEM if memory can't be allocated.
> + */
> +static int lsm_cred_alloc(struct cred *cred, gfp_t gfp)
> +{
> + return lsm_blob_alloc(&cred->security, blob_sizes.lbs_cred, gfp);
> +}
> +
> /**
> * lsm_early_cred - during initialization allocate a composite cred blob
> * @cred: the cred that needs a blob
> @@ -692,15 +707,7 @@ int lsm_inode_alloc(struct inode *inode)
> */
> static int lsm_task_alloc(struct task_struct *task)
> {
> - if (blob_sizes.lbs_task == 0) {
> - task->security = NULL;
> - return 0;
> - }
> -
> - task->security = kzalloc(blob_sizes.lbs_task, GFP_KERNEL);
> - if (task->security == NULL)
> - return -ENOMEM;
> - return 0;
> + return lsm_blob_alloc(&task->security, blob_sizes.lbs_task, GFP_KERNEL);
> }
>
> /**
> @@ -713,15 +720,7 @@ static int lsm_task_alloc(struct task_struct *task)
> */
> static int lsm_ipc_alloc(struct kern_ipc_perm *kip)
> {
> - if (blob_sizes.lbs_ipc == 0) {
> - kip->security = NULL;
> - return 0;
> - }
> -
> - kip->security = kzalloc(blob_sizes.lbs_ipc, GFP_KERNEL);
> - if (kip->security == NULL)
> - return -ENOMEM;
> - return 0;
> + return lsm_blob_alloc(&kip->security, blob_sizes.lbs_ipc, GFP_KERNEL);
> }
>
> #ifdef CONFIG_KEYS
> @@ -735,15 +734,7 @@ static int lsm_ipc_alloc(struct kern_ipc_perm *kip)
> */
> static int lsm_key_alloc(struct key *key)
> {
> - if (blob_sizes.lbs_key == 0) {
> - key->security = NULL;
> - return 0;
> - }
> -
> - key->security = kzalloc(blob_sizes.lbs_key, GFP_KERNEL);
> - if (key->security == NULL)
> - return -ENOMEM;
> - return 0;
> + return lsm_blob_alloc(&key->security, blob_sizes.lbs_key, GFP_KERNEL);
> }
> #endif /* CONFIG_KEYS */
>
> @@ -757,15 +748,8 @@ static int lsm_key_alloc(struct key *key)
> */
> static int lsm_msg_msg_alloc(struct msg_msg *mp)
> {
> - if (blob_sizes.lbs_msg_msg == 0) {
> - mp->security = NULL;
> - return 0;
> - }
> -
> - mp->security = kzalloc(blob_sizes.lbs_msg_msg, GFP_KERNEL);
> - if (mp->security == NULL)
> - return -ENOMEM;
> - return 0;
> + return lsm_blob_alloc(&mp->security, blob_sizes.lbs_msg_msg,
> + GFP_KERNEL);
> }
>
> /**
> @@ -792,15 +776,8 @@ static void __init lsm_early_task(struct task_struct *task)
> */
> static int lsm_superblock_alloc(struct super_block *sb)
> {
> - if (blob_sizes.lbs_superblock == 0) {
> - sb->s_security = NULL;
> - return 0;
> - }
> -
> - sb->s_security = kzalloc(blob_sizes.lbs_superblock, GFP_KERNEL);
> - if (sb->s_security == NULL)
> - return -ENOMEM;
> - return 0;
> + return lsm_blob_alloc(&sb->s_security, blob_sizes.lbs_superblock,
> + GFP_KERNEL);
> }
>
> /**
> @@ -4682,23 +4659,15 @@ EXPORT_SYMBOL(security_socket_getpeersec_dgram);
> /**
> * lsm_sock_alloc - allocate a composite sock blob
> * @sock: the sock that needs a blob
> - * @priority: allocation mode
> + * @gfp: allocation mode
> *
> * Allocate the sock blob for all the modules
> *
> * Returns 0, or -ENOMEM if memory can't be allocated.
> */
> -static int lsm_sock_alloc(struct sock *sock, gfp_t priority)
> +static int lsm_sock_alloc(struct sock *sock, gfp_t gfp)
> {
> - if (blob_sizes.lbs_sock == 0) {
> - sock->sk_security = NULL;
> - return 0;
> - }
> -
> - sock->sk_security = kzalloc(blob_sizes.lbs_sock, priority);
> - if (sock->sk_security == NULL)
> - return -ENOMEM;
> - return 0;
> + return lsm_blob_alloc(&sock->sk_security, blob_sizes.lbs_sock, gfp);
> }
>
> /**
More information about the Linux-security-module-archive
mailing list