Inter-revision diff: patch 22

Comparing v1 (message) to v30 (message)

--- v1
+++ v30
@@ -1,61 +1,89 @@
-Convert security_cred_getsecid to use the lsm_export structure
-instead of a u32 secid. There is some scaffolding involved
-that will be removed when the related data is updated.
+Replace the osid field in the audit_names structure
+with a lsmblob structure. This accomodates the use
+of an lsmblob in security_audit_rule_match() and
+security_inode_getsecid().
 
 Signed-off-by: Casey Schaufler <casey@schaufler-ca.com>
 ---
- include/linux/security.h          | 2 +-
- security/integrity/ima/ima_main.c | 3 ++-
- security/security.c               | 8 +++-----
- 3 files changed, 6 insertions(+), 7 deletions(-)
+ kernel/audit.h   |  2 +-
+ kernel/auditsc.c | 22 ++++++++--------------
+ 2 files changed, 9 insertions(+), 15 deletions(-)
 
-diff --git a/include/linux/security.h b/include/linux/security.h
-index 2d04687c3fa9..40aa7b9f3c83 100644
---- a/include/linux/security.h
-+++ b/include/linux/security.h
-@@ -381,7 +381,7 @@ int security_cred_alloc_blank(struct cred *cred, gfp_t gfp);
- void security_cred_free(struct cred *cred);
- int security_prepare_creds(struct cred *new, const struct cred *old, gfp_t gfp);
- void security_transfer_creds(struct cred *new, const struct cred *old);
--void security_cred_getsecid(const struct cred *c, u32 *secid);
-+void security_cred_getsecid(const struct cred *c, struct lsm_export *l);
- int security_kernel_act_as(struct cred *new, struct lsm_export *l);
- int security_kernel_create_files_as(struct cred *new, struct inode *inode);
- int security_kernel_module_request(char *kmod_name);
-diff --git a/security/integrity/ima/ima_main.c b/security/integrity/ima/ima_main.c
-index 1e3cfaf0ee5c..f5efa9ef270d 100644
---- a/security/integrity/ima/ima_main.c
-+++ b/security/integrity/ima/ima_main.c
-@@ -374,7 +374,8 @@ int ima_bprm_check(struct linux_binprm *bprm)
- 	if (ret)
- 		return ret;
+diff --git a/kernel/audit.h b/kernel/audit.h
+index 527d4c4acb12..a2fca1134519 100644
+--- a/kernel/audit.h
++++ b/kernel/audit.h
+@@ -82,7 +82,7 @@ struct audit_names {
+ 	kuid_t			uid;
+ 	kgid_t			gid;
+ 	dev_t			rdev;
+-	u32			osid;
++	struct lsmblob		lsmblob;
+ 	struct audit_cap_data	fcap;
+ 	unsigned int		fcap_ver;
+ 	unsigned char		type;		/* record type */
+diff --git a/kernel/auditsc.c b/kernel/auditsc.c
+index ded4e8740fa2..0d0351dc0c52 100644
+--- a/kernel/auditsc.c
++++ b/kernel/auditsc.c
+@@ -691,17 +691,16 @@ static int audit_filter_rules(struct task_struct *tsk,
+ 					 * lsmblob, which happens later in
+ 					 * this patch set.
+ 					 */
+-					lsmblob_init(&blob, name->osid);
+ 					result = security_audit_rule_match(
+-								&blob,
++								&name->lsmblob,
+ 								f->type,
+ 								f->op,
+ 								&f->lsm_rules);
+ 				} else if (ctx) {
+ 					list_for_each_entry(n, &ctx->names_list, list) {
+-						lsmblob_init(&blob, n->osid);
+ 						if (security_audit_rule_match(
+-							&blob, f->type, f->op,
++							&n->lsmblob,
++							f->type, f->op,
+ 							&f->lsm_rules)) {
+ 							++result;
+ 							break;
+@@ -1528,13 +1527,12 @@ static void audit_log_name(struct audit_context *context, struct audit_names *n,
+ 				 from_kgid(&init_user_ns, n->gid),
+ 				 MAJOR(n->rdev),
+ 				 MINOR(n->rdev));
+-	if (n->osid != 0) {
+-		struct lsmblob blob;
++	if (lsmblob_is_set(&n->lsmblob)) {
+ 		struct lsmcontext lsmctx;
  
--	security_cred_getsecid(bprm->cred, &secid);
-+	security_cred_getsecid(bprm->cred, &le);
-+	lsm_export_secid(&le, &secid);
- 	return process_measurement(bprm->file, bprm->cred, secid, NULL, 0,
- 				   MAY_EXEC, CREDS_CHECK);
- }
-diff --git a/security/security.c b/security/security.c
-index e12ce930dfd9..69983ad68233 100644
---- a/security/security.c
-+++ b/security/security.c
-@@ -1604,12 +1604,10 @@ void security_transfer_creds(struct cred *new, const struct cred *old)
- 	call_void_hook(cred_transfer, new, old);
- }
- 
--void security_cred_getsecid(const struct cred *c, u32 *secid)
-+void security_cred_getsecid(const struct cred *c, struct lsm_export *l)
+-		lsmblob_init(&blob, n->osid);
+-		if (security_secid_to_secctx(&blob, &lsmctx, LSMBLOB_FIRST)) {
+-			audit_log_format(ab, " osid=%u", n->osid);
++		if (security_secid_to_secctx(&n->lsmblob, &lsmctx,
++					     LSMBLOB_FIRST)) {
++			audit_log_format(ab, " osid=?");
+ 			if (call_panic)
+ 				*call_panic = 2;
+ 		} else {
+@@ -2236,17 +2234,13 @@ static void audit_copy_inode(struct audit_names *name,
+ 			     const struct dentry *dentry,
+ 			     struct inode *inode, unsigned int flags)
  {
--	struct lsm_export data = { .flags = LSM_EXPORT_NONE };
+-	struct lsmblob blob;
 -
--	call_void_hook(cred_getsecid, c, &data);
--	lsm_export_secid(&data, secid);
-+	lsm_export_init(l);
-+	call_void_hook(cred_getsecid, c, l);
- }
- EXPORT_SYMBOL(security_cred_getsecid);
- 
+ 	name->ino   = inode->i_ino;
+ 	name->dev   = inode->i_sb->s_dev;
+ 	name->mode  = inode->i_mode;
+ 	name->uid   = inode->i_uid;
+ 	name->gid   = inode->i_gid;
+ 	name->rdev  = inode->i_rdev;
+-	security_inode_getsecid(inode, &blob);
+-	/* scaffolding until osid is updated */
+-	name->osid = blob.secid[0];
++	security_inode_getsecid(inode, &name->lsmblob);
+ 	if (flags & AUDIT_INODE_NOEVAL) {
+ 		name->fcap_ver = -1;
+ 		return;
 -- 
-2.19.1
+2.31.1
 
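Review bot: In audit_log_name the fallback record now emits `osid=?` where v1 emitted the numeric osid, so when security_secid_to_secctx() fails the record keeps no identifying value for the object label at all, and a consumer that expects a numeric osid field receives a non-numeric token; consider keeping the value, e.g. `audit_log_format(ab, " osid=%u", n->lsmblob.secid[0]);`, if the `secid[0]` form shown on the removed audit_copy_inode line is still valid with the new lsmblob. The comment ending in "lsmblob, which happens later in this patch set" now sits directly above a call that already passes `&name->lsmblob`, so it looks stale; its start is outside the hunk. The `struct lsmblob blob` local of audit_filter_rules is not removed here although both visible initialisations of it are, so if no other use of it remains it becomes an unused variable. All three touched functions (audit_filter_rules, audit_log_name, audit_copy_inode) begin and end outside the hunk, and the description misspells "accommodates".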