[PATCH 3/6] LSM: Add helper for blob allocations

John Johansen john.johansen at canonical.com
Tue Jul 9 22:51:05 UTC 2024 

On 7/8/24 14:39, Casey Schaufler wrote:
> Create a helper function lsm_blob_alloc() for general use in the hook
> specific functions that allocate LSM blobs. Change the hook specific
> functions to use this helper. This reduces the code size by a small
> amount and will make adding new instances of infrastructure managed
> security blobs easier.
> 
> Signed-off-by: Casey Schaufler <casey at schaufler-ca.com>

looks good

Reviewed-by: John Johansen <john.johansen at canonical.com>

> ---
>   security/security.c | 97 +++++++++++++++------------------------------
>   1 file changed, 33 insertions(+), 64 deletions(-)
> 
> diff --git a/security/security.c b/security/security.c
> index aae37481b7be..438ec6708eb3 100644
> --- a/security/security.c
> +++ b/security/security.c
> @@ -605,27 +605,42 @@ int unregister_blocking_lsm_notifier(struct notifier_block *nb)
>   EXPORT_SYMBOL(unregister_blocking_lsm_notifier);
>   
>   /**
> - * lsm_cred_alloc - allocate a composite cred blob
> - * @cred: the cred that needs a blob
> + * lsm_blob_alloc - allocate a composite blob
> + * @dest: the destination for the blob
> + * @size: the size of the blob
>    * @gfp: allocation type
>    *
> - * Allocate the cred blob for all the modules
> + * Allocate a blob for all the modules
>    *
>    * Returns 0, or -ENOMEM if memory can't be allocated.
>    */
> -static int lsm_cred_alloc(struct cred *cred, gfp_t gfp)
> +static int lsm_blob_alloc(void **dest, size_t size, gfp_t gfp)
>   {
> -	if (blob_sizes.lbs_cred == 0) {
> -		cred->security = NULL;
> +	if (size == 0) {
> +		*dest = NULL;
>   		return 0;
>   	}
>   
> -	cred->security = kzalloc(blob_sizes.lbs_cred, gfp);
> -	if (cred->security == NULL)
> +	*dest = kzalloc(size, gfp);
> +	if (*dest == NULL)
>   		return -ENOMEM;
>   	return 0;
>   }
>   
> +/**
> + * lsm_cred_alloc - allocate a composite cred blob
> + * @cred: the cred that needs a blob
> + * @gfp: allocation type
> + *
> + * Allocate the cred blob for all the modules
> + *
> + * Returns 0, or -ENOMEM if memory can't be allocated.
> + */
> +static int lsm_cred_alloc(struct cred *cred, gfp_t gfp)
> +{
> +	return lsm_blob_alloc(&cred->security, blob_sizes.lbs_cred, gfp);
> +}
> +
>   /**
>    * lsm_early_cred - during initialization allocate a composite cred blob
>    * @cred: the cred that needs a blob
> @@ -692,15 +707,7 @@ int lsm_inode_alloc(struct inode *inode)
>    */
>   static int lsm_task_alloc(struct task_struct *task)
>   {
> -	if (blob_sizes.lbs_task == 0) {
> -		task->security = NULL;
> -		return 0;
> -	}
> -
> -	task->security = kzalloc(blob_sizes.lbs_task, GFP_KERNEL);
> -	if (task->security == NULL)
> -		return -ENOMEM;
> -	return 0;
> +	return lsm_blob_alloc(&task->security, blob_sizes.lbs_task, GFP_KERNEL);
>   }
>   
>   /**
> @@ -713,15 +720,7 @@ static int lsm_task_alloc(struct task_struct *task)
>    */
>   static int lsm_ipc_alloc(struct kern_ipc_perm *kip)
>   {
> -	if (blob_sizes.lbs_ipc == 0) {
> -		kip->security = NULL;
> -		return 0;
> -	}
> -
> -	kip->security = kzalloc(blob_sizes.lbs_ipc, GFP_KERNEL);
> -	if (kip->security == NULL)
> -		return -ENOMEM;
> -	return 0;
> +	return lsm_blob_alloc(&kip->security, blob_sizes.lbs_ipc, GFP_KERNEL);
>   }
>   
>   #ifdef CONFIG_KEYS
> @@ -735,15 +734,7 @@ static int lsm_ipc_alloc(struct kern_ipc_perm *kip)
>    */
>   static int lsm_key_alloc(struct key *key)
>   {
> -	if (blob_sizes.lbs_key == 0) {
> -		key->security = NULL;
> -		return 0;
> -	}
> -
> -	key->security = kzalloc(blob_sizes.lbs_key, GFP_KERNEL);
> -	if (key->security == NULL)
> -		return -ENOMEM;
> -	return 0;
> +	return lsm_blob_alloc(&key->security, blob_sizes.lbs_key, GFP_KERNEL);
>   }
>   #endif /* CONFIG_KEYS */
>   
> @@ -757,15 +748,8 @@ static int lsm_key_alloc(struct key *key)
>    */
>   static int lsm_msg_msg_alloc(struct msg_msg *mp)
>   {
> -	if (blob_sizes.lbs_msg_msg == 0) {
> -		mp->security = NULL;
> -		return 0;
> -	}
> -
> -	mp->security = kzalloc(blob_sizes.lbs_msg_msg, GFP_KERNEL);
> -	if (mp->security == NULL)
> -		return -ENOMEM;
> -	return 0;
> +	return lsm_blob_alloc(&mp->security, blob_sizes.lbs_msg_msg,
> +			      GFP_KERNEL);
>   }
>   
>   /**
> @@ -792,15 +776,8 @@ static void __init lsm_early_task(struct task_struct *task)
>    */
>   static int lsm_superblock_alloc(struct super_block *sb)
>   {
> -	if (blob_sizes.lbs_superblock == 0) {
> -		sb->s_security = NULL;
> -		return 0;
> -	}
> -
> -	sb->s_security = kzalloc(blob_sizes.lbs_superblock, GFP_KERNEL);
> -	if (sb->s_security == NULL)
> -		return -ENOMEM;
> -	return 0;
> +	return lsm_blob_alloc(&sb->s_security, blob_sizes.lbs_superblock,
> +			      GFP_KERNEL);
>   }
>   
>   /**
> @@ -4682,23 +4659,15 @@ EXPORT_SYMBOL(security_socket_getpeersec_dgram);
>   /**
>    * lsm_sock_alloc - allocate a composite sock blob
>    * @sock: the sock that needs a blob
> - * @priority: allocation mode
> + * @gfp: allocation mode
>    *
>    * Allocate the sock blob for all the modules
>    *
>    * Returns 0, or -ENOMEM if memory can't be allocated.
>    */
> -static int lsm_sock_alloc(struct sock *sock, gfp_t priority)
> +static int lsm_sock_alloc(struct sock *sock, gfp_t gfp)
>   {
> -	if (blob_sizes.lbs_sock == 0) {
> -		sock->sk_security = NULL;
> -		return 0;
> -	}
> -
> -	sock->sk_security = kzalloc(blob_sizes.lbs_sock, priority);
> -	if (sock->sk_security == NULL)
> -		return -ENOMEM;
> -	return 0;
> +	return lsm_blob_alloc(&sock->sk_security, blob_sizes.lbs_sock, gfp);
>   }
>   
>   /**

More information about the Linux-security-module-archive mailing list