[PATCH RFC 5/15] LSM: Single calls in secid hooks

Casey Schaufler casey at schaufler-ca.com
Tue Nov 4 16:00:20 UTC 2025


On 10/14/2025 4:12 PM, Paul Moore wrote:
> On Jun 21, 2025 Casey Schaufler <casey at schaufler-ca.com> wrote:
>> security_socket_getpeersec_stream(), security_socket_getpeersec_dgram()
>> and security_secctx_to_secid() can only provide a single security context
>> or secid to their callers.  Open code these hooks to return the first
>> hook provided. Because only one "major" LSM is allowed there will only
>> be one hook in the list, with the exception being BPF. BPF is not expected
>> to be using these interfaces.
>>
>> Signed-off-by: Casey Schaufler <casey at schaufler-ca.com>
>> ---
>>  security/security.c | 24 ++++++++++++++++++++----
>>  1 file changed, 20 insertions(+), 4 deletions(-)
>>
>> diff --git a/security/security.c b/security/security.c
>> index db85006d2fd5..2286285f8aea 100644
>> --- a/security/security.c
>> +++ b/security/security.c
>> @@ -3806,8 +3806,13 @@ EXPORT_SYMBOL(security_lsmprop_to_secctx);
>>   */
>>  int security_secctx_to_secid(const char *secdata, u32 seclen, u32 *secid)
>>  {
>> +	struct lsm_static_call *scall;
>> +
>>  	*secid = 0;
>> -	return call_int_hook(secctx_to_secid, secdata, seclen, secid);
>> +	lsm_for_each_hook(scall, secctx_to_secid) {
>> +		return scall->hl->hook.secctx_to_secid(secdata, seclen, secid);
>> +	}
>> +	return LSM_RET_DEFAULT(secctx_to_secid);
>>  }
>>  EXPORT_SYMBOL(security_secctx_to_secid);
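Review bot: the lsm_for_each_hook() body here returns unconditionally on its first iteration, so if a second LSM ever registers secctx_to_secid its callback is skipped with no diagnostic, and nothing in the function records that the "only one hook in the list" assumption actually held. A comment above the loop stating that only the first callback is consulted, or a debug-only check that the list holds a single entry, would make a misconfiguration visible instead of silent.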
> Two thoughts come to mind:
>
> If we are relying on BPF not using these hooks we should remove the BPF
> callback.  It looks like the secctx_to_secid and socket_getpeersec_stream
> callbacks are already absent from the BPF LSM, so it's just a matter of
> working with the BPF folks to see if socket_getpeersec_dgram can be
> removed.  If it can't be removed, you'll need to find another solution.

That should be doable. If BPF decides they want to use lsm_prop data
they already have a passel of work to do, and I see that they have
already suggested removing the BPF data from lsm_prop.
The socket_getpeersec_dgram interface uses secids, not lsm_prop, but
that's an artifact of networking attitude, not what's "right" for it.

> Instead of opening up the call_int_hook() wrapper here, what would it
> look like if we enforced the single callback rule at LSM registration
> time?

I have considered that approach in the past. It would require that
security_add_hooks() know which hooks are single callback and only
call lsm_static_call_init() if no LSM had requested the hook before.
This would be fairly straightforward and have the advantage of allowing
the infrastructure to report which single callback hooks have been
chosen and which disallowed. It does raise the question of whether the
LSM that requested the hook should be notified in the case it was
discarded. That's messy, as there are multiple single callback hooks,
and you could have a case where some are chosen and others disallowed.
I would go without notification, as it's hard to say what an LSM would
do with that information.

I'll give it a go in the next version.

>> @@ -4268,8 +4273,13 @@ EXPORT_SYMBOL(security_sock_rcv_skb);
>>  int security_socket_getpeersec_stream(struct socket *sock, sockptr_t optval,
>>  				      sockptr_t optlen, unsigned int len)
>>  {
>> -	return call_int_hook(socket_getpeersec_stream, sock, optval, optlen,
>> -			     len);
>> +	struct lsm_static_call *scall;
>> +
>> +	lsm_for_each_hook(scall, socket_getpeersec_stream) {
>> +		return scall->hl->hook.socket_getpeersec_stream(sock, optval,
>> +								optlen, len);
>> +	}
>> +	return LSM_RET_DEFAULT(socket_getpeersec_stream);
>>  }
>>  
>>  /**
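Review bot: the same open-coded first-callback pattern (declare `struct lsm_static_call *scall;`, `lsm_for_each_hook()` returning on the first entry, then `LSM_RET_DEFAULT()`) is now repeated in three functions; a small helper macro next to call_int_hook() in security.c, say a call_single_int_hook() variant, would keep the single-callback semantics documented in one place and avoid the duplicated boilerplate, which is easy to get subtly out of step across the three copies.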
>> @@ -4289,7 +4299,13 @@ int security_socket_getpeersec_stream(struct socket *sock, sockptr_t optval,
>>  int security_socket_getpeersec_dgram(struct socket *sock,
>>  				     struct sk_buff *skb, u32 *secid)
>>  {
>> -	return call_int_hook(socket_getpeersec_dgram, sock, skb, secid);
>> +	struct lsm_static_call *scall;
>> +
>> +	lsm_for_each_hook(scall, socket_getpeersec_dgram) {
>> +		return scall->hl->hook.socket_getpeersec_dgram(sock, skb,
>> +							       secid);
>> +	}
>> +	return LSM_RET_DEFAULT(socket_getpeersec_dgram);
>>  }
>>  EXPORT_SYMBOL(security_socket_getpeersec_dgram);
>>  
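Review bot: the commit message relies on BPF not using these interfaces, but the BPF LSM still provides a socket_getpeersec_dgram callback, as noted earlier in this thread; with this loop the result depends solely on which callback sits first in the list, so the major LSM's answer could be dropped without any diagnostic if the BPF callback precedes it. Either remove the BPF callback first, or state the ordering dependency in the function's kernel-doc comment so the behaviour is not a surprise.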
>> -- 
>> 2.47.0
> --
> paul-moore.com
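As an added illustration of the registration-time rule discussed in this reply (not code from the patch or the kernel): a user-space model in which the equivalent of security_add_hooks() knows which hooks are single-callback, installs such a hook only for the first LSM that requests it, and reports the ones it discards instead of dropping them silently. The hook ids, add_hooks(), hook_owner() and hook_count() are invented for the model.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical hook ids; the real kernel keys hooks by name, not by enum. */
enum hook_id { HOOK_SECCTX_TO_SECID, HOOK_GETPEERSEC_STREAM,
	       HOOK_GETPEERSEC_DGRAM, HOOK_INODE_PERMISSION, HOOK_MAX };

/* Hooks that can hand only one answer back to their caller. */
static const int single_callback_hook[HOOK_MAX] = {
	[HOOK_SECCTX_TO_SECID] = 1,
	[HOOK_GETPEERSEC_STREAM] = 1,
	[HOOK_GETPEERSEC_DGRAM] = 1,
};

/* Which LSM claimed each single-callback hook (NULL = unclaimed). */
static const char *single_hook_owner[HOOK_MAX];
/* Number of callbacks actually installed per hook. */
static int installed[HOOK_MAX];

/*
 * Model of a registration-time check: a single-callback hook is installed
 * only for the first LSM that asks for it; later requests are reported and
 * refused rather than silently ignored.  Returns the number refused.
 */
int add_hooks(const char *lsm, const enum hook_id *ids, int n)
{
	int refused = 0;

	for (int i = 0; i < n; i++) {
		enum hook_id h = ids[i];

		if (single_callback_hook[h] && single_hook_owner[h] &&
		    strcmp(single_hook_owner[h], lsm) != 0) {
			printf("%s: hook %d already taken by %s, discarded\n",
			       lsm, (int)h, single_hook_owner[h]);
			refused++;
			continue;
		}
		if (single_callback_hook[h])
			single_hook_owner[h] = lsm;
		installed[h]++;		/* stands in for lsm_static_call_init() */
	}
	return refused;
}

const char *hook_owner(enum hook_id h) { return single_hook_owner[h]; }
int hook_count(enum hook_id h) { return installed[h]; }
```

With a constructed "major_lsm" registering first and "bpf" second, only the bpf request for the dgram hook is refused, while the multi-callback inode hook is installed for both.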


