Re: [PATCH v12 09/25] LSM: Use lsmblob in security_task_getsecid

(off-list ancestor, not in this archive)
[PATCH v12 00/25] LSM: Module stacking for AppArmor · Casey Schaufler <casey@schaufler-ca.com> · 2019-12-16
[PATCH v12 01/25] LSM: Infrastructure management of the sock security · Casey Schaufler <casey@schaufler-ca.com> · 2019-12-16
Re: [PATCH v12 01/25] LSM: Infrastructure management of the sock security · Stephen Smalley <hidden> · 2019-12-17
[PATCH v12 02/25] LSM: Create and manage the lsmblob data structure. · Casey Schaufler <casey@schaufler-ca.com> · 2019-12-16
Re: [PATCH v12 02/25] LSM: Create and manage the lsmblob data structure. · Stephen Smalley <hidden> · 2019-12-17
Re: [PATCH v12 02/25] LSM: Create and manage the lsmblob data structure. · Mimi Zohar <zohar@linux.ibm.com> · 2019-12-19
Re: [PATCH v12 02/25] LSM: Create and manage the lsmblob data structure. · Casey Schaufler <casey@schaufler-ca.com> · 2019-12-19
[PATCH v12 03/25] LSM: Use lsmblob in security_audit_rule_match · Casey Schaufler <casey@schaufler-ca.com> · 2019-12-16
Re: [PATCH v12 03/25] LSM: Use lsmblob in security_audit_rule_match · Stephen Smalley <hidden> · 2019-12-17
Re: [PATCH v12 03/25] LSM: Use lsmblob in security_audit_rule_match · Casey Schaufler <casey@schaufler-ca.com> · 2019-12-17
Re: [PATCH v12 03/25] LSM: Use lsmblob in security_audit_rule_match · Kees Cook <hidden> · 2019-12-17
Re: [PATCH v12 03/25] LSM: Use lsmblob in security_audit_rule_match · Casey Schaufler <casey@schaufler-ca.com> · 2019-12-18
Re: [PATCH v12 03/25] LSM: Use lsmblob in security_audit_rule_match · Stephen Smalley <hidden> · 2019-12-18
[PATCH v12 05/25] net: Prepare UDS for security module stacking · Casey Schaufler <casey@schaufler-ca.com> · 2019-12-16
Re: [PATCH v12 05/25] net: Prepare UDS for security module stacking · Stephen Smalley <hidden> · 2019-12-17
[PATCH v12 04/25] LSM: Use lsmblob in security_kernel_act_as · Casey Schaufler <casey@schaufler-ca.com> · 2019-12-16
Re: [PATCH v12 04/25] LSM: Use lsmblob in security_kernel_act_as · Stephen Smalley <hidden> · 2019-12-17
[PATCH v12 08/25] LSM: Use lsmblob in security_ipc_getsecid · Casey Schaufler <casey@schaufler-ca.com> · 2019-12-16
Re: [PATCH v12 08/25] LSM: Use lsmblob in security_ipc_getsecid · Stephen Smalley <hidden> · 2019-12-17
[PATCH v12 07/25] LSM: Use lsmblob in security_secid_to_secctx · Casey Schaufler <casey@schaufler-ca.com> · 2019-12-16
Re: [PATCH v12 07/25] LSM: Use lsmblob in security_secid_to_secctx · Stephen Smalley <hidden> · 2019-12-17
[PATCH v12 06/25] LSM: Use lsmblob in security_secctx_to_secid · Casey Schaufler <casey@schaufler-ca.com> · 2019-12-16
Re: [PATCH v12 06/25] LSM: Use lsmblob in security_secctx_to_secid · Stephen Smalley <hidden> · 2019-12-17
[PATCH v12 10/25] LSM: Use lsmblob in security_inode_getsecid · Casey Schaufler <casey@schaufler-ca.com> · 2019-12-16
Re: [PATCH v12 10/25] LSM: Use lsmblob in security_inode_getsecid · Stephen Smalley <hidden> · 2019-12-17
[PATCH v12 11/25] LSM: Use lsmblob in security_cred_getsecid · Casey Schaufler <casey@schaufler-ca.com> · 2019-12-16
Re: [PATCH v12 11/25] LSM: Use lsmblob in security_cred_getsecid · Stephen Smalley <hidden> · 2019-12-17
[PATCH v12 09/25] LSM: Use lsmblob in security_task_getsecid · Casey Schaufler <casey@schaufler-ca.com> · 2019-12-16
Re: [PATCH v12 09/25] LSM: Use lsmblob in security_task_getsecid · Stephen Smalley <hidden> · 2019-12-17
Re: [PATCH v12 09/25] LSM: Use lsmblob in security_task_getsecid · Casey Schaufler <casey@schaufler-ca.com> · 2019-12-17
[PATCH v12 12/25] IMA: Change internal interfaces to use lsmblobs · Casey Schaufler <casey@schaufler-ca.com> · 2019-12-16
Re: [PATCH v12 12/25] IMA: Change internal interfaces to use lsmblobs · Stephen Smalley <hidden> · 2019-12-17
[PATCH v12 13/25] LSM: Specify which LSM to display · Casey Schaufler <casey@schaufler-ca.com> · 2019-12-16
Re: [PATCH v12 13/25] LSM: Specify which LSM to display · Stephen Smalley <hidden> · 2019-12-18
Re: [PATCH v12 13/25] LSM: Specify which LSM to display · Casey Schaufler <casey@schaufler-ca.com> · 2019-12-18
[PATCH v12 14/25] LSM: Ensure the correct LSM context releaser · Casey Schaufler <casey@schaufler-ca.com> · 2019-12-16
Re: [PATCH v12 14/25] LSM: Ensure the correct LSM context releaser · Stephen Smalley <hidden> · 2019-12-18
[PATCH v12 16/25] LSM: Use lsmcontext in security_dentry_init_security · Casey Schaufler <casey@schaufler-ca.com> · 2019-12-16
Re: [PATCH v12 16/25] LSM: Use lsmcontext in security_dentry_init_security · Stephen Smalley <hidden> · 2019-12-18
[PATCH v12 17/25] LSM: Use lsmcontext in security_inode_getsecctx · Casey Schaufler <casey@schaufler-ca.com> · 2019-12-16
Re: [PATCH v12 17/25] LSM: Use lsmcontext in security_inode_getsecctx · Stephen Smalley <hidden> · 2019-12-18
[PATCH v12 15/25] LSM: Use lsmcontext in security_secid_to_secctx · Casey Schaufler <casey@schaufler-ca.com> · 2019-12-16
Re: [PATCH v12 15/25] LSM: Use lsmcontext in security_secid_to_secctx · Stephen Smalley <hidden> · 2019-12-18
Re: [PATCH v12 15/25] LSM: Use lsmcontext in security_secid_to_secctx · Stephen Smalley <hidden> · 2019-12-18
[PATCH v12 20/25] LSM: Verify LSM display sanity in binder · Casey Schaufler <casey@schaufler-ca.com> · 2019-12-16
Re: [PATCH v12 20/25] LSM: Verify LSM display sanity in binder · Stephen Smalley <hidden> · 2019-12-18
[PATCH v12 18/25] LSM: security_secid_to_secctx in netlink netfilter · Casey Schaufler <casey@schaufler-ca.com> · 2019-12-16
Re: [PATCH v12 18/25] LSM: security_secid_to_secctx in netlink netfilter · Stephen Smalley <hidden> · 2019-12-18
[PATCH v12 19/25] NET: Store LSM netlabel data in a lsmblob · Casey Schaufler <casey@schaufler-ca.com> · 2019-12-16
Re: [PATCH v12 19/25] NET: Store LSM netlabel data in a lsmblob · Stephen Smalley <hidden> · 2019-12-18
[PATCH v12 22/25] Audit: Include object data for all security modules · Casey Schaufler <casey@schaufler-ca.com> · 2019-12-16
Re: [PATCH v12 22/25] Audit: Include object data for all security modules · Stephen Smalley <hidden> · 2019-12-18
[PATCH v12 21/25] Audit: Add subj_LSM fields when necessary · Casey Schaufler <casey@schaufler-ca.com> · 2019-12-16
Re: [PATCH v12 21/25] Audit: Add subj_LSM fields when necessary · Stephen Smalley <hidden> · 2019-12-18
[PATCH v12 23/25] NET: Add SO_PEERCONTEXT for multiple LSMs · Casey Schaufler <casey@schaufler-ca.com> · 2019-12-16
Re: [PATCH v12 23/25] NET: Add SO_PEERCONTEXT for multiple LSMs · Stephen Smalley <hidden> · 2019-12-18
Re: [PATCH v12 23/25] NET: Add SO_PEERCONTEXT for multiple LSMs · Stephen Smalley <hidden> · 2019-12-18
Re: [PATCH v12 23/25] NET: Add SO_PEERCONTEXT for multiple LSMs · Stephen Smalley <hidden> · 2019-12-18
Re: [PATCH v12 23/25] NET: Add SO_PEERCONTEXT for multiple LSMs · Simon McVittie <hidden> · 2019-12-19
Re: [PATCH v12 23/25] NET: Add SO_PEERCONTEXT for multiple LSMs · Stephen Smalley <hidden> · 2019-12-19
Re: [PATCH v12 23/25] NET: Add SO_PEERCONTEXT for multiple LSMs · Stephen Smalley <hidden> · 2019-12-19
Re: [PATCH v12 23/25] NET: Add SO_PEERCONTEXT for multiple LSMs · Simon McVittie <hidden> · 2019-12-19
Re: [PATCH v12 23/25] NET: Add SO_PEERCONTEXT for multiple LSMs · Stephen Smalley <hidden> · 2019-12-19
Re: [PATCH v12 23/25] NET: Add SO_PEERCONTEXT for multiple LSMs · John Johansen <john.johansen@canonical.com> · 2019-12-19
Re: [PATCH v12 23/25] NET: Add SO_PEERCONTEXT for multiple LSMs · Casey Schaufler <casey@schaufler-ca.com> · 2019-12-19
Re: [PATCH v12 23/25] NET: Add SO_PEERCONTEXT for multiple LSMs · John Johansen <john.johansen@canonical.com> · 2019-12-19
Re: [PATCH v12 23/25] NET: Add SO_PEERCONTEXT for multiple LSMs · John Johansen <john.johansen@canonical.com> · 2019-12-19
[PATCH v12 24/25] LSM: Add /proc attr entry for full LSM context · Casey Schaufler <casey@schaufler-ca.com> · 2019-12-16
[PATCH v12 25/25] AppArmor: Remove the exclusive flag · Casey Schaufler <casey@schaufler-ca.com> · 2019-12-16

From: Casey Schaufler <casey@schaufler-ca.com>
Date: 2019-12-17 18:26:30
Also in: selinux

Possibly related (same subject, not in this thread)

2019-12-24 · [PATCH v12 09/25] LSM: Use lsmblob in security_task_getsecid · Casey Schaufler <casey@schaufler-ca.com>
2019-12-16 · [PATCH v12 09/25] LSM: Use lsmblob in security_task_getsecid · Casey Schaufler <casey@schaufler-ca.com>
2019-12-16 · [PATCH v12 09/25] LSM: Use lsmblob in security_task_getsecid · Casey Schaufler <casey@schaufler-ca.com>

On 12/17/2019 10:11 AM, Stephen Smalley wrote:

On 12/16/19 5:36 PM, Casey Schaufler wrote:

quoted

Change the security_task_getsecid() interface to fill in
a lsmblob structure instead of a u32 secid in support of
LSM stacking. Audit interfaces will need to collect all
possible secids for possible reporting.

Reviewed-by: Kees Cook <redacted>
Reviewed-by: John Johansen <john.johansen@canonical.com>
Signed-off-by: Casey Schaufler <casey@schaufler-ca.com>
Signed-off-by: Casey Schaufler <casey@schaufler-ca.com>
cc: linux-integrity@vger.kernel.org
---
  drivers/android/binder.c              |  4 +--
  include/linux/security.h              |  7 +++--
  kernel/audit.c                        | 11 +++----
  kernel/auditfilter.c                  |  4 +--
  kernel/auditsc.c                      | 18 ++++++++----
  net/netlabel/netlabel_unlabeled.c     |  5 +++-
  net/netlabel/netlabel_user.h          |  6 +++-
  security/integrity/ima/ima_appraise.c |  4 ++-
  security/integrity/ima/ima_main.c     | 42 +++++++++++++++------------
  security/security.c                   | 12 ++++++--
  10 files changed, 69 insertions(+), 44 deletions(-)

quoted

diff --git a/security/integrity/ima/ima_appraise.c b/security/integrity/ima/ima_appraise.c
index 300c8d2943c5..69e549164949 100644
--- a/security/integrity/ima/ima_appraise.c
+++ b/security/integrity/ima/ima_appraise.c

@@ -49,11 +49,13 @@ bool is_ima_appraise_enabled(void)

  int ima_must_appraise(struct inode *inode, int mask, enum ima_hooks func)
  {
      u32 secid;
+    struct lsmblob blob;
        if (!ima_appraise)
          return 0;
  -    security_task_getsecid(current, &secid);
+    security_task_getsecid(current, &blob);
+    lsmblob_secid(&blob, &secid);
      return ima_match_policy(inode, current_cred(), secid, func, mask,
                  IMA_APPRAISE | IMA_HASH, NULL, NULL);
  }

I missed where lsmblob_secid() is defined?  Looks like it is later deleted by patch 12/25.  Leftover from an earlier version of the series?  Have you checked that it compiles after each patch?

Bugger. Yes, this is a straight up botch. lsmblb_secid() is never defined in
this version.

`h`	back out one level
`j`	next message in thread
`k`	previous message in thread
`l`	drill in
`Esc`	close help / fold thread tree
`?`	toggle this help