[RFC PATCH 05/15] LSM: Single calls in secid hooks
Casey Schaufler
casey at schaufler-ca.com
Sat Jun 21 17:18:40 UTC 2025
security_socket_getpeersec_stream(), security_socket_getpeersec_dgram()
and security_secctx_to_secid() can only provide a single security context
or secid to their callers. Open code these hooks to return the first
hook provided. Because only one "major" LSM is allowed there will only
be one hook in the list, with the exception being BPF. BPF is not expected
to be using these interfaces.
Signed-off-by: Casey Schaufler <casey at schaufler-ca.com>
---
security/security.c | 24 ++++++++++++++++++++----
1 file changed, 20 insertions(+), 4 deletions(-)
diff --git a/security/security.c b/security/security.c
index db85006d2fd5..2286285f8aea 100644
--- a/security/security.c
+++ b/security/security.c
@@ -3806,8 +3806,13 @@ EXPORT_SYMBOL(security_lsmprop_to_secctx);
*/
int security_secctx_to_secid(const char *secdata, u32 seclen, u32 *secid)
{
+ struct lsm_static_call *scall;
+
*secid = 0;
- return call_int_hook(secctx_to_secid, secdata, seclen, secid);
+ lsm_for_each_hook(scall, secctx_to_secid) {
+ return scall->hl->hook.secctx_to_secid(secdata, seclen, secid);
+ }
+ return LSM_RET_DEFAULT(secctx_to_secid);
}
EXPORT_SYMBOL(security_secctx_to_secid);
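Review bot: The lsm_for_each_hook loop in security_secctx_to_secid returns unconditionally on its first iteration, so the loop syntax promises iteration that never happens and nothing at the call site records why; the same shape appears in security_socket_getpeersec_stream and security_socket_getpeersec_dgram in the next two hunks. It also changes whose answer is final: call_int_hook, as I read it, skipped a hook that returned LSM_RET_DEFAULT and went on to the next one, whereas the new code returns whatever the first registered hook produces, so if another hook (BPF, per the description) were ordered ahead of the major LSM its return value would end the call and the real provider would never run. I would state that assumption at each loop so a later change to LSM ordering is recognised as a behavioural change, e.g. `/* Only one LSM may supply a secid: the first registered hook is the only one consulted, and any hook ordered ahead of it would mask it. */`. The lsm_for_each_hook definition and the LSM ordering are outside this hunk, so the claim about which hook runs first is inferred.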
@@ -4268,8 +4273,13 @@ EXPORT_SYMBOL(security_sock_rcv_skb);
int security_socket_getpeersec_stream(struct socket *sock, sockptr_t optval,
sockptr_t optlen, unsigned int len)
{
- return call_int_hook(socket_getpeersec_stream, sock, optval, optlen,
- len);
+ struct lsm_static_call *scall;
+
+ lsm_for_each_hook(scall, socket_getpeersec_stream) {
+ return scall->hl->hook.socket_getpeersec_stream(sock, optval,
+ optlen, len);
+ }
+ return LSM_RET_DEFAULT(socket_getpeersec_stream);
}
/**
@@ -4289,7 +4299,13 @@ int security_socket_getpeersec_stream(struct socket *sock, sockptr_t optval,
int security_socket_getpeersec_dgram(struct socket *sock,
struct sk_buff *skb, u32 *secid)
{
- return call_int_hook(socket_getpeersec_dgram, sock, skb, secid);
+ struct lsm_static_call *scall;
+
+ lsm_for_each_hook(scall, socket_getpeersec_dgram) {
+ return scall->hl->hook.socket_getpeersec_dgram(sock, skb,
+ secid);
+ }
+ return LSM_RET_DEFAULT(socket_getpeersec_dgram);
}
EXPORT_SYMBOL(security_socket_getpeersec_dgram);
--
2.47.0