--- v1
+++ v38
@@ -1,88 +1,100 @@
-LSM hooks dealing with security context strings should
-only be called for one security module. Add call macros
-that invoke a single module hook and us in for those cases.
+Remove scaffolding in netlabel audit by keeping subject
+lsm information in an lsmblob structure instead of a secid.
+Acked-by: Paul Moore <paul@paul-moore.com>
Signed-off-by: Casey Schaufler <casey@schaufler-ca.com>
---
- security/security.c | 32 ++++++++++++++++++++++++++++----
- 1 file changed, 28 insertions(+), 4 deletions(-)
+ include/net/netlabel.h | 2 +-
+ net/netlabel/netlabel_unlabeled.c | 4 +---
+ net/netlabel/netlabel_user.c | 4 +---
+ net/netlabel/netlabel_user.h | 6 +-----
+ security/smack/smackfs.c | 2 +-
+ 5 files changed, 5 insertions(+), 13 deletions(-)
-diff --git a/security/security.c b/security/security.c
-index 015c38c882ba..7bf16c547010 100644
---- a/security/security.c
-+++ b/security/security.c
-@@ -713,6 +713,16 @@ int lsm_superblock_alloc(struct super_block *sb)
- P->hook.FUNC(__VA_ARGS__); \
- } while (0)
+diff --git a/include/net/netlabel.h b/include/net/netlabel.h
+index 73fc25b4042b..d9aaa264e29c 100644
+--- a/include/net/netlabel.h
++++ b/include/net/netlabel.h
+@@ -97,7 +97,7 @@ struct calipso_doi;
-+#define call_one_void_hook(FUNC, ...) \
-+ do { \
-+ struct security_hook_list *P; \
-+ \
-+ hlist_for_each_entry(P, &security_hook_heads.FUNC, list) { \
-+ P->hook.FUNC(__VA_ARGS__); \
-+ break; \
-+ } \
-+ } while (0)
-+
- #define call_int_hook(FUNC, IRC, ...) ({ \
- int RC = IRC; \
- do { \
-@@ -727,6 +737,19 @@ int lsm_superblock_alloc(struct super_block *sb)
- RC; \
- })
+ /* NetLabel audit information */
+ struct netlbl_audit {
+- u32 secid;
++ struct lsmblob lsmblob;
+ kuid_t loginuid;
+ unsigned int sessionid;
+ };
+diff --git a/net/netlabel/netlabel_unlabeled.c b/net/netlabel/netlabel_unlabeled.c
+index 050753d2f2bb..24519b803a6c 100644
+--- a/net/netlabel/netlabel_unlabeled.c
++++ b/net/netlabel/netlabel_unlabeled.c
+@@ -1529,13 +1529,11 @@ int __init netlbl_unlabel_defconf(void)
+ int ret_val;
+ struct netlbl_dom_map *entry;
+ struct netlbl_audit audit_info;
+- struct lsmblob blob;
-+#define call_one_int_hook(FUNC, IRC, ...) ({ \
-+ int RC = IRC; \
-+ do { \
-+ struct security_hook_list *P; \
-+ \
-+ hlist_for_each_entry(P, &security_hook_heads.FUNC, list) { \
-+ RC = P->hook.FUNC(__VA_ARGS__); \
-+ break; \
-+ } \
-+ } while (0); \
-+ RC; \
-+})
-+
- /* Security operations */
+ /* Only the kernel is allowed to call this function and the only time
+ * it is called is at bootup before the audit subsystem is reporting
+ * messages so don't worry to much about these values. */
+- security_current_getsecid_subj(&blob);
+- audit_info.secid = lsmblob_first(&blob);
++ security_current_getsecid_subj(&audit_info.lsmblob);
+ audit_info.loginuid = GLOBAL_ROOT_UID;
+ audit_info.sessionid = 0;
- int security_binder_set_context_mgr(struct task_struct *mgr)
-@@ -1966,7 +1989,8 @@ EXPORT_SYMBOL(security_ismaclabel);
+diff --git a/net/netlabel/netlabel_user.c b/net/netlabel/netlabel_user.c
+index 42812bdfc31a..e72dfe2da77a 100644
+--- a/net/netlabel/netlabel_user.c
++++ b/net/netlabel/netlabel_user.c
+@@ -84,7 +84,6 @@ struct audit_buffer *netlbl_audit_start_common(int type,
+ struct netlbl_audit *audit_info)
+ {
+ struct audit_buffer *audit_buf;
+- struct lsmblob blob;
- int security_secid_to_secctx(struct lsm_export *l, char **secdata, u32 *seclen)
+ if (audit_enabled == AUDIT_OFF)
+ return NULL;
+@@ -97,8 +96,7 @@ struct audit_buffer *netlbl_audit_start_common(int type,
+ from_kuid(&init_user_ns, audit_info->loginuid),
+ audit_info->sessionid);
+
+- lsmblob_init(&blob, audit_info->secid);
+- audit_log_subject_context(audit_buf, &blob);
++ audit_log_subject_context(audit_buf, &audit_info->lsmblob);
+
+ return audit_buf;
+ }
+diff --git a/net/netlabel/netlabel_user.h b/net/netlabel/netlabel_user.h
+index 34bb6572f33b..56a634244a6e 100644
+--- a/net/netlabel/netlabel_user.h
++++ b/net/netlabel/netlabel_user.h
+@@ -32,11 +32,7 @@
+ */
+ static inline void netlbl_netlink_auditinfo(struct netlbl_audit *audit_info)
{
-- return call_int_hook(secid_to_secctx, -EOPNOTSUPP, l, secdata, seclen);
-+ return call_one_int_hook(secid_to_secctx, -EOPNOTSUPP, l, secdata,
-+ seclen);
+- struct lsmblob blob;
+-
+- security_current_getsecid_subj(&blob);
+- /* scaffolding until secid is converted */
+- audit_info->secid = lsmblob_first(&blob);
++ security_current_getsecid_subj(&audit_info->lsmblob);
+ audit_info->loginuid = audit_get_loginuid(current);
+ audit_info->sessionid = audit_get_sessionid(current);
}
- EXPORT_SYMBOL(security_secid_to_secctx);
+diff --git a/security/smack/smackfs.c b/security/smack/smackfs.c
+index 314336463111..f74207f6c71e 100644
+--- a/security/smack/smackfs.c
++++ b/security/smack/smackfs.c
+@@ -186,7 +186,7 @@ static void smk_netlabel_audit_set(struct netlbl_audit *nap)
-@@ -1974,13 +1998,13 @@ int security_secctx_to_secid(const char *secdata, u32 seclen,
- struct lsm_export *l)
- {
- lsm_export_init(l);
-- return call_int_hook(secctx_to_secid, 0, secdata, seclen, l);
-+ return call_one_int_hook(secctx_to_secid, 0, secdata, seclen, l);
- }
- EXPORT_SYMBOL(security_secctx_to_secid);
-
- void security_release_secctx(char *secdata, u32 seclen)
- {
-- call_void_hook(release_secctx, secdata, seclen);
-+ call_one_void_hook(release_secctx, secdata, seclen);
- }
- EXPORT_SYMBOL(security_release_secctx);
-
-@@ -2105,7 +2129,7 @@ EXPORT_SYMBOL(security_sock_rcv_skb);
- int security_socket_getpeersec_stream(struct socket *sock, char __user *optval,
- int __user *optlen, unsigned len)
- {
-- return call_int_hook(socket_getpeersec_stream, -ENOPROTOOPT, sock,
-+ return call_one_int_hook(socket_getpeersec_stream, -ENOPROTOOPT, sock,
- optval, optlen, len);
+ nap->loginuid = audit_get_loginuid(current);
+ nap->sessionid = audit_get_sessionid(current);
+- nap->secid = skp->smk_secid;
++ nap->lsmblob.secid[smack_lsmid.slot] = skp->smk_secid;
}
+ /*
--
-2.19.1
+2.37.3
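Review bot: In the smackfs.c hunk, `nap->lsmblob.secid[smack_lsmid.slot] = skp->smk_secid;` writes a single slot of the embedded lsmblob but leaves every other slot untouched, whereas the line it replaces assigned the whole `secid` field. Unless every caller of smk_netlabel_audit_set() zero-initializes its `struct netlbl_audit` (the callers are not visible here), the remaining slots carry stale stack contents into audit_log_subject_context(), which the netlabel_user.c hunk now passes the caller's blob to directly instead of a blob freshly built by lsmblob_init() as the removed code did. Suggest initializing the blob before the slot store, using the same helper the removed code relied on: `lsmblob_init(&nap->lsmblob, 0);` immediately ahead of the assignment. smk_netlabel_audit_set() begins before this hunk, so the rest of its body was not reviewed.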