[PATCH 16/97] LSM: Use lsm_export in the secctx_to_secid hooks
From: Casey Schaufler <casey@schaufler-ca.com>
Date: 2019-02-28 22:20:14
Also in:
selinux
Subsystem:
apparmor security module, security subsystem, selinux security module, smack security module, the rest · Maintainers:
John Johansen, Paul Moore, James Morris, "Serge E. Hallyn", Stephen Smalley, Casey Schaufler, Linus Torvalds
Convert the secctx_to_secid hooks to use the lsm_export structure instead of a u32 secid. There is some scaffolding involved that will be removed when security_secctx_to_secid() is updated. Signed-off-by: Casey Schaufler <casey@schaufler-ca.com> --- include/linux/lsm_hooks.h | 7 ++++--- security/apparmor/include/secid.h | 3 ++- security/apparmor/secid.c | 9 +++++---- security/security.c | 8 ++++++-- security/selinux/hooks.c | 12 +++++++++--- security/smack/smack_lsm.c | 7 ++++--- 6 files changed, 30 insertions(+), 16 deletions(-)
diff --git a/include/linux/lsm_hooks.h b/include/linux/lsm_hooks.h
index 50629fb10cd5..97ef535dafd0 100644
--- a/include/linux/lsm_hooks.h
+++ b/include/linux/lsm_hooks.h@@ -1311,8 +1311,8 @@ * context. * @seclen pointer which contains the length of the data * @secctx_to_secid: - * Convert security context to secid. - * @secid contains the pointer to the generated security ID. + * Convert security context to exported lsm data. + * @l contains the pointer to the generated security data. * @secdata contains the security context. * * @release_secctx:
@@ -1656,7 +1656,8 @@ union security_list_options { int (*ismaclabel)(const char *name); int (*secid_to_secctx)(struct lsm_export *l, char **secdata, u32 *seclen); - int (*secctx_to_secid)(const char *secdata, u32 seclen, u32 *secid); + int (*secctx_to_secid)(const char *secdata, u32 seclen, + struct lsm_export *l); void (*release_secctx)(char *secdata, u32 seclen); void (*inode_invalidate_secctx)(struct inode *inode);
diff --git a/security/apparmor/include/secid.h b/security/apparmor/include/secid.h
index 03369183f512..5381eff03d4f 100644
--- a/security/apparmor/include/secid.h
+++ b/security/apparmor/include/secid.h@@ -27,7 +27,8 @@ struct aa_label; struct aa_label *aa_secid_to_label(struct lsm_export *l); int apparmor_secid_to_secctx(struct lsm_export *l, char **secdata, u32 *seclen); -int apparmor_secctx_to_secid(const char *secdata, u32 seclen, u32 *secid); +int apparmor_secctx_to_secid(const char *secdata, u32 seclen, + struct lsm_export *l); void apparmor_release_secctx(char *secdata, u32 seclen);
diff --git a/security/apparmor/secid.c b/security/apparmor/secid.c
index ab4dc165e43e..69d98a89db75 100644
--- a/security/apparmor/secid.c
+++ b/security/apparmor/secid.c@@ -75,9 +75,9 @@ struct aa_label *aa_secid_to_label(struct lsm_export *l) return label; } -static inline void aa_import_secid(struct lsm_export *l, u32 secid) +static inline void aa_export_secid(struct lsm_export *l, u32 secid) { - l->flags = LSM_EXPORT_APPARMOR; + l->flags |= LSM_EXPORT_APPARMOR; l->apparmor = secid; }
@@ -111,7 +111,8 @@ int apparmor_secid_to_secctx(struct lsm_export *l, char **secdata, u32 *seclen) return 0; } -int apparmor_secctx_to_secid(const char *secdata, u32 seclen, u32 *secid) +int apparmor_secctx_to_secid(const char *secdata, u32 seclen, + struct lsm_export *l) { struct aa_label *label;
@@ -119,7 +120,7 @@ int apparmor_secctx_to_secid(const char *secdata, u32 seclen, u32 *secid) seclen, GFP_KERNEL, false, false); if (IS_ERR(label)) return PTR_ERR(label); - *secid = label->secid; + aa_export_secid(l, label->secid); return 0; }
diff --git a/security/security.c b/security/security.c
index 6e05d3127760..f3c29dd51c7a 100644
--- a/security/security.c
+++ b/security/security.c@@ -1998,8 +1998,12 @@ EXPORT_SYMBOL(security_secid_to_secctx); int security_secctx_to_secid(const char *secdata, u32 seclen, u32 *secid) { - *secid = 0; - return call_int_hook(secctx_to_secid, 0, secdata, seclen, secid); + struct lsm_export data = { .flags = LSM_EXPORT_NONE }; + int rc; + + rc = call_int_hook(secctx_to_secid, 0, secdata, seclen, &data); + lsm_export_secid(&data, secid); + return rc; } EXPORT_SYMBOL(security_secctx_to_secid);
diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c
index eae3c42c07fd..744fa6141ae1 100644
--- a/security/selinux/hooks.c
+++ b/security/selinux/hooks.c@@ -6204,10 +6204,16 @@ static int selinux_secid_to_secctx(struct lsm_export *l, char **secdata, secdata, seclen); } -static int selinux_secctx_to_secid(const char *secdata, u32 seclen, u32 *secid) +static int selinux_secctx_to_secid(const char *secdata, u32 seclen, + struct lsm_export *l) { - return security_context_to_sid(&selinux_state, secdata, seclen, - secid, GFP_KERNEL); + u32 secid; + int rc; + + rc = security_context_to_sid(&selinux_state, secdata, seclen, + &secid, GFP_KERNEL); + selinux_export_secid(l, secid); + return rc; } static void selinux_release_secctx(char *secdata, u32 seclen)
diff --git a/security/smack/smack_lsm.c b/security/smack/smack_lsm.c
index 83a2b1153790..1ee9c94c0e16 100644
--- a/security/smack/smack_lsm.c
+++ b/security/smack/smack_lsm.c@@ -4371,14 +4371,15 @@ static int smack_secid_to_secctx(struct lsm_export *l, char **secdata, * * Exists for audit and networking code. */ -static int smack_secctx_to_secid(const char *secdata, u32 seclen, u32 *secid) +static int smack_secctx_to_secid(const char *secdata, u32 seclen, + struct lsm_export *l) { struct smack_known *skp = smk_find_entry(secdata); if (skp) - *secid = skp->smk_secid; + smack_export_secid(l, skp->smk_secid); else - *secid = 0; + smack_export_secid(l, 0); return 0; }
--
2.17.0