[PATCH 1/6] LSM: Infrastructure management of the sock security

Casey Schaufler casey at schaufler-ca.com
Tue Jul 9 23:00:32 UTC 2024


On 7/9/2024 12:15 PM, Paul Moore wrote:
> On Mon, Jul 8, 2024 at 5:40 PM Casey Schaufler <casey at schaufler-ca.com> wrote:
>> Move management of the sock->sk_security blob out
>> of the individual security modules and into the security
>> infrastructure. Instead of allocating the blobs from within
>> the modules the modules tell the infrastructure how much
>> space is required, and the space is allocated there.
>>
>> Acked-by: Paul Moore <paul at paul-moore.com>
>> Reviewed-by: Kees Cook <keescook at chromium.org>
>> Reviewed-by: John Johansen <john.johansen at canonical.com>
>> Acked-by: Stephen Smalley <stephen.smalley.work at gmail.com>
>> Signed-off-by: Casey Schaufler <casey at schaufler-ca.com>
>> ---
>>  include/linux/lsm_hooks.h         |  1 +
>>  security/apparmor/include/net.h   |  3 +-
>>  security/apparmor/lsm.c           | 17 +------
>>  security/apparmor/net.c           |  2 +-
>>  security/security.c               | 36 +++++++++++++-
>>  security/selinux/hooks.c          | 80 ++++++++++++++-----------------
>>  security/selinux/include/objsec.h |  5 ++
>>  security/selinux/netlabel.c       | 23 ++++-----
>>  security/smack/smack.h            |  5 ++
>>  security/smack/smack_lsm.c        | 70 +++++++++++++--------------
>>  security/smack/smack_netfilter.c  |  4 +-
>>  11 files changed, 133 insertions(+), 113 deletions(-)
> ..
>
>> diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c
>> index 7eed331e90f0..19346e1817ff 100644
>> --- a/security/selinux/hooks.c
>> +++ b/security/selinux/hooks.c
>> @@ -5495,8 +5488,8 @@ static void selinux_sctp_sk_clone(struct sctp_association *asoc, struct sock *sk
>>
>>  static int selinux_mptcp_add_subflow(struct sock *sk, struct sock *ssk)
>>  {
>> -       struct sk_security_struct *ssksec = ssk->sk_security;
>> -       struct sk_security_struct *sksec = sk->sk_security;
>> +       struct sk_security_struct *ssksec = selinux_sock(ssk);
>> +       struct sk_security_struct *sksec = selinux_sock(sk);
>>
>>         ssksec->sclass = sksec->sclass;
>>         ssksec->sid = sksec->sid;
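Review bot: with the blob now allocated by the infrastructure (per the commit message), any direct `->sk_security` cast left in hooks.c or netlabel.c (both touched per the diffstat) would read the raw blob pointer instead of going through `selinux_sock()`; since this site is the one the earlier revision missed, a grep for `sk_security` across security/selinux/ before the next spin would confirm no other direct uses remain. The `selinux_sock()` accessor is introduced in objsec.h per the diffstat but is not visible in this excerpt; a sentence in the commit message naming the new accessors would help reviewers of the SELinux side.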
> That's new :)
>
> Unfortunately I merged a previous version of this patch into lsm/dev a
> couple of weeks ago (see below) which appears to have a bug based on
> the changes in this revision (lore link below).  While I'm generally
> averse to popping patches off the lsm/dev branch so as to not upset
> any ongoing development work, given that we are at -rc7 it's probably
> okay and much cleaner than doing a full revert; I'll remove that
> commit now.

Sorry 'bout that. I had trouble with kernels built from lsm/dev crashing,
so I switched to Linus' tree.

>
> https://lore.kernel.org/linux-security-module/CAHC9VhQeWF814h8+ho3uKuz+NvvFApwJo4FkdmoRvYpuTcrk4A@mail.gmail.com
>
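The commit message above describes the split between modules (which declare how much space they need) and the infrastructure (which allocates it). The following is an added example, not code from the patch or the kernel, that models that split in user space with hypothetical names (`blob_sizes`, `sel_sock`, `smk_sock`, `lsm_set_blob_size`, `check_blob_layout`) to show why a module must reach its data through an accessor such as `selinux_sock()` rather than the raw `sk_security` pointer.

```c
/* Added example (not from the patch): a user-space model of how the LSM
 * infrastructure sizes and hands out the per-sock security blob. Each module
 * declares the bytes it needs and gets an offset into one shared allocation;
 * it must reach its data via that offset, never by casting sk->sk_security.
 * All names are hypothetical stand-ins for the kernel's own structures. */
#include <stdint.h>
#include <stdlib.h>
struct blob_sizes { size_t lbs_sock; size_t off; };   /* a module's request */
struct sel_sock { uint32_t sid; uint16_t sclass; };   /* SELinux's slice */
struct smk_sock { const char *in; const char *out; }; /* Smack's slice */
struct sock { void *sk_security; };                   /* only field modelled */
static struct blob_sizes sel_sizes = { sizeof(struct sel_sock), 0 };
static struct blob_sizes smk_sizes = { sizeof(struct smk_sock), 0 };
static size_t blob_total;
/* Infrastructure: record the module's offset, then grow the total
 * (the real code also aligns each slice; omitted here). */
static void lsm_set_blob_size(struct blob_sizes *bs)
{
    bs->off = blob_total;
    blob_total += bs->lbs_sock;
}
static int lsm_sock_alloc(struct sock *sk)
{
    sk->sk_security = calloc(1, blob_total);   /* one blob for all modules */
    return sk->sk_security ? 0 : -1;
}
/* Module accessors: blob base plus the module's own offset. */
static struct sel_sock *selinux_sock(const struct sock *sk)
{ return (struct sel_sock *)((char *)sk->sk_security + sel_sizes.off); }
static struct smk_sock *smack_sock(const struct sock *sk)
{ return (struct smk_sock *)((char *)sk->sk_security + smk_sizes.off); }
/* Returns Smack's offset when the layout is sane and a write through one
 * accessor does not clobber the other's data; -1 otherwise. */
long check_blob_layout(void)
{
    struct sock sk;
    blob_total = 0;                 /* reset so repeated calls agree */
    lsm_set_blob_size(&sel_sizes);  /* SELinux registers first: offset 0 */
    lsm_set_blob_size(&smk_sizes);  /* Smack lands after SELinux's slice */
    if (lsm_sock_alloc(&sk)) return -1;
    selinux_sock(&sk)->sid = 42;
    smack_sock(&sk)->in = "_";
    long r = -1;
    if (selinux_sock(&sk)->sid == 42 && smack_sock(&sk)->in[0] == '_' &&
        (void *)smack_sock(&sk) != sk.sk_security)  /* base != Smack's data */
        r = (long)smk_sizes.off;
    free(sk.sk_security);
    return r;
}
```

A module that casts `sk->sk_security` directly silently gets the first registrant's slice, which is exactly why the hunk above replaces the raw cast with `selinux_sock()`.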



More information about the Linux-security-module-archive mailing list