On Wed, Jul 10, 2024 at 5:32 PM Casey Schaufler [off-list ref] wrote:

When more than one Linux Security Module (LSM) can use the security
blob for a partincular object the management of the memory associated
with that blob needs to be done by the infrastructure rather than the
individual modules.  Until now, this has been done on an as needed basis,
with the blob management remaining in the modules until such time as a
new configuration of modules requires sharing the blob.  This piecemeal
approach makes adding new modules that use blobs more difficult, as
moving the blob management to the infrastructure isn't as simple as
it might seem. This patch set moves management of the security blobs
that is done in the modules into the infrastructure. Making security
blob management more consistant improves mantainablity and makes the
possibilty of general improvement of LSM blob managment easier.

No effort has been put into pursuing the possible performance
optimizations these changes introduce. For example, sk_security blobs
might be moved to use kmem_zone_alloc(). The option of changing the
blob sizes to being compile time determined rather than calculated at
run time has been considered for future exploration.

In the cases where infrastructure blob freeing no longer requires
any special action on the part of any security module the hook
definition has been removed as it is no long necessary.

Security blobs for the xfrm subsystem are problematic as the only
security module that implements them (SELinux) has a variable size blob
that has a published external API. Management of these blobs by the
infrastructure will require significant consideration and negotiation
with the maintainers of the existing code.  This has been deferred until
such time as another user of xfrm appears.

Casey Schaufler (6):
  LSM: Infrastructure management of the sock security
  LSM: Infrastructure management of the key security blob
  LSM: Add helper for blob allocations
  LSM: Infrastructure management of the dev_tun blob
  LSM: Infrastructure management of the infiniband blob
  LSM: Infrastructure management of the perf_event security blob

 include/linux/lsm_hook_defs.h     |   8 +-
 include/linux/lsm_hooks.h         |   5 +
 security/apparmor/include/net.h   |   3 +-
 security/apparmor/lsm.c           |  17 +--
 security/apparmor/net.c           |   2 +-
 security/security.c               | 184 +++++++++++++++++++++---------
 security/selinux/hooks.c          | 157 +++++++++----------------
 security/selinux/include/objsec.h |  30 +++++
 security/selinux/netlabel.c       |  23 ++--
 security/smack/smack.h            |  12 ++
 security/smack/smack_lsm.c        | 101 ++++++++--------
 security/smack/smack_netfilter.c  |   4 +-
 12 files changed, 298 insertions(+), 248 deletions(-)

Thanks Casey, these look good.  I'm going to merge them in
lsm/dev-staging now with the expectation that they'll be merged after
the upcoming merge window closes.

-- 
paul-moore.com