Thread (72 messages) 72 messages, 7 authors, 2024-06-24

Re: [PATCH v39 20/42] LSM: Use lsmcontext in security_dentry_init_security

From: Xiubo Li <hidden>
Date: 2023-12-18 02:51:10
Also in: ceph-devel, linux-nfs, lkml 

On 12/16/23 06:16, Casey Schaufler wrote:
quoted hunk ↗ jump to hunk
Replace the (secctx,seclen) pointer pair with a single
lsmcontext pointer to allow return of the LSM identifier
along with the context and context length. This allows
security_release_secctx() to know how to release the
context. Callers have been modified to use or save the
returned data from the new structure.

Special care is taken in the NFS code, which uses the
same data structure for its own copied labels as it does
for the data which comes from security_dentry_init_security().
In the case of copied labels the data has to be freed, not
released.

Signed-off-by: Casey Schaufler <casey@schaufler-ca.com>
Cc: ceph-devel@vger.kernel.org
Cc: linux-nfs@vger.kernel.org
---
  fs/ceph/super.h               |  3 +--
  fs/ceph/xattr.c               | 19 ++++++-------------
  fs/fuse/dir.c                 | 35 ++++++++++++++++++-----------------
  fs/nfs/dir.c                  |  2 +-
  fs/nfs/inode.c                | 17 ++++++++++-------
  fs/nfs/internal.h             |  8 +++++---
  fs/nfs/nfs4proc.c             | 22 +++++++++-------------
  fs/nfs/nfs4xdr.c              | 22 ++++++++++++----------
  include/linux/lsm_hook_defs.h |  2 +-
  include/linux/nfs4.h          |  8 ++++----
  include/linux/nfs_fs.h        |  2 +-
  include/linux/security.h      |  7 +++----
  security/security.c           |  9 ++++-----
  security/selinux/hooks.c      |  9 +++++----
  14 files changed, 80 insertions(+), 85 deletions(-)

diff --git a/fs/ceph/super.h b/fs/ceph/super.h
index fe0f64a0acb2..d503cc7478b7 100644
--- a/fs/ceph/super.h
+++ b/fs/ceph/super.h
@@ -1133,8 +1133,7 @@ struct ceph_acl_sec_ctx {
  	void *acl;
  #endif
  #ifdef CONFIG_CEPH_FS_SECURITY_LABEL
-	void *sec_ctx;
-	u32 sec_ctxlen;
+	struct lsmcontext lsmctx;
  #endif
  #ifdef CONFIG_FS_ENCRYPTION
  	struct ceph_fscrypt_auth *fscrypt_auth;
diff --git a/fs/ceph/xattr.c b/fs/ceph/xattr.c
index 113956d386c0..4c767a20ac4c 100644
--- a/fs/ceph/xattr.c
+++ b/fs/ceph/xattr.c
@@ -1383,8 +1383,7 @@ int ceph_security_init_secctx(struct dentry *dentry, umode_t mode,
  	int err;
  
  	err = security_dentry_init_security(dentry, mode, &dentry->d_name,
-					    &name, &as_ctx->sec_ctx,
-					    &as_ctx->sec_ctxlen);
+					    &name, &as_ctx->lsmctx);
  	if (err < 0) {
  		WARN_ON_ONCE(err != -EOPNOTSUPP);
  		err = 0; /* do nothing */
@@ -1409,7 +1408,7 @@ int ceph_security_init_secctx(struct dentry *dentry, umode_t mode,
  	 */
  	name_len = strlen(name);
  	err = ceph_pagelist_reserve(pagelist,
-				    4 * 2 + name_len + as_ctx->sec_ctxlen);
+				    4 * 2 + name_len + as_ctx->lsmctx.len);
  	if (err)
  		goto out;
  
@@ -1429,11 +1428,9 @@ int ceph_security_init_secctx(struct dentry *dentry, umode_t mode,
  		as_ctx->pagelist = pagelist;
  	}
  
-	ceph_pagelist_encode_32(pagelist, name_len);
-	ceph_pagelist_append(pagelist, name, name_len);
-
Why remove these ?

-	ceph_pagelist_encode_32(pagelist, as_ctx->sec_ctxlen);
-	ceph_pagelist_append(pagelist, as_ctx->sec_ctx, as_ctx->sec_ctxlen);
+	ceph_pagelist_encode_32(pagelist, as_ctx->lsmctx.len);
+	ceph_pagelist_append(pagelist, as_ctx->lsmctx.context,
+			     as_ctx->lsmctx.len);
  
  
[...]

Thanks,

- Xiubo
Keyboard shortcuts
hback out one level
jnext message in thread
kprevious message in thread
ldrill in
Escclose help / fold thread tree
?toggle this help