Re: [PATCH v30 06/28] LSM: Use lsmblob in security_audit_rule_match

(off-list ancestor, not in this archive)
[PATCH v30 00/28] LSM: Module stacking for AppArmor · Casey Schaufler <casey@schaufler-ca.com> · 2021-11-24
[PATCH v30 01/28] integrity: disassociate ima_filter_rule from security_audit_rule · Casey Schaufler <casey@schaufler-ca.com> · 2021-11-24
Re: [PATCH v30 01/28] integrity: disassociate ima_filter_rule from security_audit_rule · Paul Moore <paul@paul-moore.com> · 2021-12-06
[PATCH v30 02/28] LSM: Infrastructure management of the sock security · Casey Schaufler <casey@schaufler-ca.com> · 2021-11-24
[PATCH v30 03/28] LSM: Add the lsmblob data structure. · Casey Schaufler <casey@schaufler-ca.com> · 2021-11-24
Re: [PATCH v30 03/28] LSM: Add the lsmblob data structure. · Paul Moore <paul@paul-moore.com> · 2021-12-06
[PATCH v30 04/28] LSM: provide lsm name and id slot mappings · Casey Schaufler <casey@schaufler-ca.com> · 2021-11-24
[PATCH v30 05/28] IMA: avoid label collisions with stacked LSMs · Casey Schaufler <casey@schaufler-ca.com> · 2021-11-24
[PATCH v30 06/28] LSM: Use lsmblob in security_audit_rule_match · Casey Schaufler <casey@schaufler-ca.com> · 2021-11-24
Re: [PATCH v30 06/28] LSM: Use lsmblob in security_audit_rule_match · kernel test robot <hidden> · 2021-11-24
Re: [PATCH v30 06/28] LSM: Use lsmblob in security_audit_rule_match · Paul Moore <paul@paul-moore.com> · 2021-12-06
[PATCH v30 07/28] LSM: Use lsmblob in security_kernel_act_as · Casey Schaufler <casey@schaufler-ca.com> · 2021-11-24
[PATCH v30 08/28] LSM: Use lsmblob in security_secctx_to_secid · Casey Schaufler <casey@schaufler-ca.com> · 2021-11-24
[PATCH v30 09/28] LSM: Use lsmblob in security_secid_to_secctx · Casey Schaufler <casey@schaufler-ca.com> · 2021-11-24
[PATCH v30 10/28] LSM: Use lsmblob in security_ipc_getsecid · Casey Schaufler <casey@schaufler-ca.com> · 2021-11-24
[PATCH v30 11/28] LSM: Use lsmblob in security_task_getsecid · Casey Schaufler <casey@schaufler-ca.com> · 2021-11-24
[PATCH v30 12/28] LSM: Use lsmblob in security_inode_getsecid · Casey Schaufler <casey@schaufler-ca.com> · 2021-11-24
[PATCH v30 13/28] LSM: Use lsmblob in security_cred_getsecid · Casey Schaufler <casey@schaufler-ca.com> · 2021-11-24
[PATCH v30 14/28] LSM: Specify which LSM to display · Casey Schaufler <casey@schaufler-ca.com> · 2021-11-24
[PATCH v30 15/28] LSM: Ensure the correct LSM context releaser · Casey Schaufler <casey@schaufler-ca.com> · 2021-11-24
[PATCH v30 16/28] LSM: Use lsmcontext in security_secid_to_secctx · Casey Schaufler <casey@schaufler-ca.com> · 2021-11-24
[PATCH v30 17/28] LSM: Use lsmcontext in security_inode_getsecctx · Casey Schaufler <casey@schaufler-ca.com> · 2021-11-24
[PATCH v30 18/28] LSM: security_secid_to_secctx in netlink netfilter · Casey Schaufler <casey@schaufler-ca.com> · 2021-11-24
[PATCH v30 19/28] NET: Store LSM netlabel data in a lsmblob · Casey Schaufler <casey@schaufler-ca.com> · 2021-11-24
[PATCH v30 20/28] binder: Pass LSM identifier for confirmation · Casey Schaufler <casey@schaufler-ca.com> · 2021-11-24
[PATCH v30 21/28] LSM: Extend security_secid_to_secctx to include module selection · Casey Schaufler <casey@schaufler-ca.com> · 2021-11-24
[PATCH v30 22/28] Audit: Keep multiple LSM data in audit_names · Casey Schaufler <casey@schaufler-ca.com> · 2021-11-24
Re: [PATCH v30 22/28] Audit: Keep multiple LSM data in audit_names · Paul Moore <paul@paul-moore.com> · 2021-12-06
[PATCH v30 23/28] Audit: Create audit_stamp structure · Casey Schaufler <casey@schaufler-ca.com> · 2021-11-24
Re: [PATCH v30 23/28] Audit: Create audit_stamp structure · Paul Moore <paul@paul-moore.com> · 2021-12-06
[PATCH v30 24/28] Audit: Add framework for auxiliary records · Casey Schaufler <casey@schaufler-ca.com> · 2021-11-24
Re: [PATCH v30 24/28] Audit: Add framework for auxiliary records · Paul Moore <paul@paul-moore.com> · 2021-12-06
[PATCH v30 25/28] Audit: Add record for multiple task security contexts · Casey Schaufler <casey@schaufler-ca.com> · 2021-11-24
Re: [PATCH v30 25/28] Audit: Add record for multiple task security contexts · Paul Moore <paul@paul-moore.com> · 2021-12-06
[PATCH v30 26/28] Audit: Add record for multiple object security contexts · Casey Schaufler <casey@schaufler-ca.com> · 2021-11-24
Re: [PATCH v30 26/28] Audit: Add record for multiple object security contexts · kernel test robot <hidden> · 2021-11-24
Re: [PATCH v30 26/28] Audit: Add record for multiple object security contexts · kernel test robot <hidden> · 2021-11-24
Re: [PATCH v30 26/28] Audit: Add record for multiple object security contexts · Paul Moore <paul@paul-moore.com> · 2021-12-06
[PATCH v30 27/28] LSM: Add /proc attr entry for full LSM context · Casey Schaufler <casey@schaufler-ca.com> · 2021-11-24
[PATCH v30 28/28] AppArmor: Remove the exclusive flag · Casey Schaufler <casey@schaufler-ca.com> · 2021-11-24

From: Paul Moore <paul@paul-moore.com>
Date: 2021-12-06 02:44:42
Also in: lkml, selinux

On Tue, Nov 23, 2021 at 8:50 PM Casey Schaufler [off-list ref] wrote:

quoted hunk ↗ jump to hunk

Change the secid parameter of security_audit_rule_match
to a lsmblob structure pointer. Pass the entry from the
lsmblob structure for the approprite slot to the LSM hook.

Change the users of security_audit_rule_match to use the
lsmblob instead of a u32. The scaffolding function lsmblob_init()
fills the blob with the value of the old secid, ensuring that
it is available to the appropriate module hook. The sources of
the secid, security_task_getsecid() and security_inode_getsecid(),
will be converted to use the blob structure later in the series.
At the point the use of lsmblob_init() is dropped.

Signed-off-by: Casey Schaufler <casey@schaufler-ca.com>
Cc: linux-audit@redhat.com
---
 include/linux/security.h |  5 +++--
 kernel/auditfilter.c     |  6 ++++--
 kernel/auditsc.c         | 16 +++++++++++-----
 security/security.c      |  5 +++--
 4 files changed, 21 insertions(+), 11 deletions(-)

diff --git a/include/linux/security.h b/include/linux/security.h
index ddd4cf48413c..d846d90f5624 100644
--- a/include/linux/security.h
+++ b/include/linux/security.h

@@ -1954,7 +1954,7 @@ static inline int security_key_getsecurity(struct key *key, char **_buffer)
 int security_audit_rule_init(u32 field, u32 op, char *rulestr,
                             struct audit_rules *lsmrules);
 int security_audit_rule_known(struct audit_krule *krule);
-int security_audit_rule_match(u32 secid, u32 field, u32 op,
+int security_audit_rule_match(struct lsmblob *blob, u32 field, u32 op,
                              struct audit_rules *lsmrules);
 void security_audit_rule_free(struct audit_rules *lsmrules);

@@ -1971,7 +1971,8 @@ static inline int security_audit_rule_known(struct audit_krule *krule)
        return 0;
 }

-static inline int security_audit_rule_match(u32 secid, u32 field, u32 op,
+static inline int security_audit_rule_match(struct lsmblob *blob secid,
+                                           u32 field, u32 op,
                                            struct audit_rules *lsmrules)
 {
        return 0;

Assuming you fixup the typo above that the test robot found it looks
reasonable to me.

Acked-by: Paul Moore <paul@paul-moore.com>

--
paul moore
www.paul-moore.com

`h`	back out one level
`j`	next message in thread
`k`	previous message in thread
`l`	drill in
`Esc`	close help / fold thread tree
`?`	toggle this help