--- v31
+++ v27
@@ -1,317 +1,263 @@
-Change the security_cred_getsecid() interface to fill in a
-lsmblob instead of a u32 secid. The associated data elements
-in the audit sub-system are changed from a secid to a lsmblob
-to accommodate multiple possible LSM audit users.
+The IMA interfaces ima_get_action() and ima_match_policy()
+call LSM functions that use lsmblobs. Change the IMA functions
+to pass the lsmblob to be compatible with the LSM functions.
Reviewed-by: Kees Cook <keescook@chromium.org>
Reviewed-by: John Johansen <john.johansen@canonical.com>
-Acked-by: Stephen Smalley <stephen.smalley.work@gmail.com>
-Acked-by: Paul Moore <paul@paul-moore.com>
+Acked-by: Stephen Smalley <sds@tycho.nsa.gov>
Signed-off-by: Casey Schaufler <casey@schaufler-ca.com>
Cc: linux-integrity@vger.kernel.org
-Cc: linux-audit@redhat.com
+To: Mimi Zohar <zohar@linux.ibm.com>
---
- drivers/android/binder.c | 12 +----------
- include/linux/security.h | 2 +-
- kernel/audit.c | 25 +++++++----------------
- kernel/audit.h | 3 ++-
- kernel/auditsc.c | 33 +++++++++++--------------------
- security/integrity/ima/ima_main.c | 8 ++++----
- security/security.c | 12 ++++++++---
- 7 files changed, 36 insertions(+), 59 deletions(-)
+ security/integrity/ima/ima.h | 6 ++---
+ security/integrity/ima/ima_api.c | 6 ++---
+ security/integrity/ima/ima_appraise.c | 5 ++--
+ security/integrity/ima/ima_main.c | 36 +++++++++++----------------
+ security/integrity/ima/ima_policy.c | 17 ++++++-------
+ 5 files changed, 31 insertions(+), 39 deletions(-)
-diff --git a/drivers/android/binder.c b/drivers/android/binder.c
-index 916a42c68b58..27b53e5f71a1 100644
---- a/drivers/android/binder.c
-+++ b/drivers/android/binder.c
-@@ -2720,18 +2720,8 @@ static void binder_transaction(struct binder_proc *proc,
- if (target_node && target_node->txn_security_ctx) {
- struct lsmblob blob;
- size_t added_size;
-- u32 secid;
-
-- security_cred_getsecid(proc->cred, &secid);
-- /*
-- * Later in this patch set security_cred_getsecid() will
-- * provide a lsmblob instead of a secid. lsmblob_init
-- * is used to ensure that all the secids in the lsmblob
-- * get the value returned from security_cred_getsecid(),
-- * which means that the one expected by
-- * security_secid_to_secctx() will be set.
-- */
-- lsmblob_init(&blob, secid);
-+ security_cred_getsecid(proc->cred, &blob);
- ret = security_secid_to_secctx(&blob, &secctx, &secctx_sz);
- if (ret) {
- return_error = BR_FAILED_REPLY;
-diff --git a/include/linux/security.h b/include/linux/security.h
-index 3433850a3f9e..3b653fe331dd 100644
---- a/include/linux/security.h
-+++ b/include/linux/security.h
-@@ -484,7 +484,7 @@ int security_cred_alloc_blank(struct cred *cred, gfp_t gfp);
- void security_cred_free(struct cred *cred);
- int security_prepare_creds(struct cred *new, const struct cred *old, gfp_t gfp);
- void security_transfer_creds(struct cred *new, const struct cred *old);
--void security_cred_getsecid(const struct cred *c, u32 *secid);
-+void security_cred_getsecid(const struct cred *c, struct lsmblob *blob);
- int security_kernel_act_as(struct cred *new, struct lsmblob *blob);
- int security_kernel_create_files_as(struct cred *new, struct inode *inode);
- int security_kernel_module_request(char *kmod_name);
-diff --git a/kernel/audit.c b/kernel/audit.c
-index d92c7b894183..8ec64e6e8bc0 100644
---- a/kernel/audit.c
-+++ b/kernel/audit.c
-@@ -125,7 +125,7 @@ static u32 audit_backlog_wait_time = AUDIT_BACKLOG_WAIT_TIME;
- /* The identity of the user shutting down the audit system. */
- static kuid_t audit_sig_uid = INVALID_UID;
- static pid_t audit_sig_pid = -1;
--static u32 audit_sig_sid;
-+struct lsmblob audit_sig_lsm;
-
- /* Records can be lost in several ways:
- 0) [suppressed in audit_alloc]
-@@ -1441,29 +1441,21 @@ static int audit_receive_msg(struct sk_buff *skb, struct nlmsghdr *nlh)
- }
- case AUDIT_SIGNAL_INFO:
- len = 0;
-- if (audit_sig_sid) {
-- struct lsmblob blob;
--
-- /*
-- * lsmblob_init sets all values in the lsmblob
-- * to audit_sig_sid. This is temporary until
-- * audit_sig_sid is converted to a lsmblob, which
-- * happens later in this patch set.
-- */
-- lsmblob_init(&blob, audit_sig_sid);
-- err = security_secid_to_secctx(&blob, &ctx, &len);
-+ if (lsmblob_is_set(&audit_sig_lsm)) {
-+ err = security_secid_to_secctx(&audit_sig_lsm, &ctx,
-+ &len);
- if (err)
- return err;
- }
- sig_data = kmalloc(sizeof(*sig_data) + len, GFP_KERNEL);
- if (!sig_data) {
-- if (audit_sig_sid)
-+ if (lsmblob_is_set(&audit_sig_lsm))
- security_release_secctx(ctx, len);
- return -ENOMEM;
- }
- sig_data->uid = from_kuid(&init_user_ns, audit_sig_uid);
- sig_data->pid = audit_sig_pid;
-- if (audit_sig_sid) {
-+ if (lsmblob_is_set(&audit_sig_lsm)) {
- memcpy(sig_data->ctx, ctx, len);
- security_release_secctx(ctx, len);
- }
-@@ -2352,7 +2344,6 @@ int audit_set_loginuid(kuid_t loginuid)
- int audit_signal_info(int sig, struct task_struct *t)
- {
- kuid_t uid = current_uid(), auid;
-- struct lsmblob blob;
-
- if (auditd_test_task(t) &&
- (sig == SIGTERM || sig == SIGHUP ||
-@@ -2363,9 +2354,7 @@ int audit_signal_info(int sig, struct task_struct *t)
- audit_sig_uid = auid;
- else
- audit_sig_uid = uid;
-- security_task_getsecid_subj(current, &blob);
-- /* scaffolding until audit_sig_sid is converted */
-- audit_sig_sid = blob.secid[0];
-+ security_task_getsecid_subj(current, &audit_sig_lsm);
- }
-
- return audit_signal_info_syscall(t);
-diff --git a/kernel/audit.h b/kernel/audit.h
-index c4498090a5bd..527d4c4acb12 100644
---- a/kernel/audit.h
-+++ b/kernel/audit.h
-@@ -12,6 +12,7 @@
- #include <linux/fs.h>
- #include <linux/audit.h>
- #include <linux/skbuff.h>
-+#include <linux/security.h>
- #include <uapi/linux/mqueue.h>
- #include <linux/tty.h>
- #include <uapi/linux/openat2.h> // struct open_how
-@@ -143,7 +144,7 @@ struct audit_context {
- kuid_t target_auid;
- kuid_t target_uid;
- unsigned int target_sessionid;
-- u32 target_sid;
-+ struct lsmblob target_lsm;
- char target_comm[TASK_COMM_LEN];
-
- struct audit_tree_refs *trees, *first_trees;
-diff --git a/kernel/auditsc.c b/kernel/auditsc.c
-index 34cec4cd3dbf..930254bca7b5 100644
---- a/kernel/auditsc.c
-+++ b/kernel/auditsc.c
-@@ -99,7 +99,7 @@ struct audit_aux_data_pids {
- kuid_t target_auid[AUDIT_AUX_PIDS];
- kuid_t target_uid[AUDIT_AUX_PIDS];
- unsigned int target_sessionid[AUDIT_AUX_PIDS];
-- u32 target_sid[AUDIT_AUX_PIDS];
-+ struct lsmblob target_lsm[AUDIT_AUX_PIDS];
- char target_comm[AUDIT_AUX_PIDS][TASK_COMM_LEN];
- int pid_count;
- };
-@@ -1009,7 +1009,7 @@ static void audit_reset_context(struct audit_context *ctx)
- ctx->target_pid = 0;
- ctx->target_auid = ctx->target_uid = KUIDT_INIT(0);
- ctx->target_sessionid = 0;
-- ctx->target_sid = 0;
-+ lsmblob_init(&ctx->target_lsm, 0);
- ctx->target_comm[0] = '\0';
- unroll_tree_refs(ctx, NULL, 0);
- WARN_ON(!list_empty(&ctx->killed_trees));
-@@ -1107,14 +1107,14 @@ static inline void audit_free_context(struct audit_context *context)
- }
-
- static int audit_log_pid_context(struct audit_context *context, pid_t pid,
-- kuid_t auid, kuid_t uid, unsigned int sessionid,
-- u32 sid, char *comm)
-+ kuid_t auid, kuid_t uid,
-+ unsigned int sessionid,
-+ struct lsmblob *blob, char *comm)
- {
- struct audit_buffer *ab;
- char *ctx = NULL;
- u32 len;
- int rc = 0;
-- struct lsmblob blob;
-
- ab = audit_log_start(context, GFP_KERNEL, AUDIT_OBJ_PID);
- if (!ab)
-@@ -1123,9 +1123,8 @@ static int audit_log_pid_context(struct audit_context *context, pid_t pid,
- audit_log_format(ab, "opid=%d oauid=%d ouid=%d oses=%d", pid,
- from_kuid(&init_user_ns, auid),
- from_kuid(&init_user_ns, uid), sessionid);
-- if (sid) {
-- lsmblob_init(&blob, sid);
-- if (security_secid_to_secctx(&blob, &ctx, &len)) {
-+ if (lsmblob_is_set(blob)) {
-+ if (security_secid_to_secctx(blob, &ctx, &len)) {
- audit_log_format(ab, " obj=(none)");
- rc = 1;
- } else {
-@@ -1753,7 +1752,7 @@ static void audit_log_exit(void)
- axs->target_auid[i],
- axs->target_uid[i],
- axs->target_sessionid[i],
-- axs->target_sid[i],
-+ &axs->target_lsm[i],
- axs->target_comm[i]))
- call_panic = 1;
- }
-@@ -1762,7 +1761,7 @@ static void audit_log_exit(void)
- audit_log_pid_context(context, context->target_pid,
- context->target_auid, context->target_uid,
- context->target_sessionid,
-- context->target_sid, context->target_comm))
-+ &context->target_lsm, context->target_comm))
- call_panic = 1;
-
- if (context->pwd.dentry && context->pwd.mnt) {
-@@ -2698,15 +2697,12 @@ int __audit_sockaddr(int len, void *a)
- void __audit_ptrace(struct task_struct *t)
- {
- struct audit_context *context = audit_context();
-- struct lsmblob blob;
-
- context->target_pid = task_tgid_nr(t);
- context->target_auid = audit_get_loginuid(t);
- context->target_uid = task_uid(t);
- context->target_sessionid = audit_get_sessionid(t);
-- security_task_getsecid_obj(t, &blob);
-- /* scaffolding - until target_sid is converted */
-- context->target_sid = blob.secid[0];
-+ security_task_getsecid_obj(t, &context->target_lsm);
- memcpy(context->target_comm, t->comm, TASK_COMM_LEN);
- }
-
-@@ -2722,7 +2718,6 @@ int audit_signal_info_syscall(struct task_struct *t)
- struct audit_aux_data_pids *axp;
- struct audit_context *ctx = audit_context();
- kuid_t t_uid = task_uid(t);
-- struct lsmblob blob;
-
- if (!audit_signals || audit_dummy_context())
+diff --git a/security/integrity/ima/ima.h b/security/integrity/ima/ima.h
+index 55f3bd4f0b01..a6b59fcaf62a 100644
+--- a/security/integrity/ima/ima.h
++++ b/security/integrity/ima/ima.h
+@@ -251,7 +251,7 @@ static inline void ima_process_queued_keys(void) {}
+
+ /* LIM API function definitions */
+ int ima_get_action(struct user_namespace *mnt_userns, struct inode *inode,
+- const struct cred *cred, u32 secid, int mask,
++ const struct cred *cred, struct lsmblob *blob, int mask,
+ enum ima_hooks func, int *pcr,
+ struct ima_template_desc **template_desc,
+ const char *func_data);
+@@ -282,8 +282,8 @@ const char *ima_d_path(const struct path *path, char **pathbuf, char *filename);
+
+ /* IMA policy related functions */
+ int ima_match_policy(struct user_namespace *mnt_userns, struct inode *inode,
+- const struct cred *cred, u32 secid, enum ima_hooks func,
+- int mask, int flags, int *pcr,
++ const struct cred *cred, struct lsmblob *blob,
++ enum ima_hooks func, int mask, int flags, int *pcr,
+ struct ima_template_desc **template_desc,
+ const char *func_data);
+ void ima_init_policy(void);
+diff --git a/security/integrity/ima/ima_api.c b/security/integrity/ima/ima_api.c
+index d8e321cc6936..691f68d478f1 100644
+--- a/security/integrity/ima/ima_api.c
++++ b/security/integrity/ima/ima_api.c
+@@ -165,7 +165,7 @@ void ima_add_violation(struct file *file, const unsigned char *filename,
+ * @mnt_userns: user namespace of the mount the inode was found from
+ * @inode: pointer to the inode associated with the object being validated
+ * @cred: pointer to credentials structure to validate
+- * @secid: secid of the task being validated
++ * @blob: LSM data of the task being validated
+ * @mask: contains the permission mask (MAY_READ, MAY_WRITE, MAY_EXEC,
+ * MAY_APPEND)
+ * @func: caller identifier
+@@ -185,7 +185,7 @@ void ima_add_violation(struct file *file, const unsigned char *filename,
+ *
+ */
+ int ima_get_action(struct user_namespace *mnt_userns, struct inode *inode,
+- const struct cred *cred, u32 secid, int mask,
++ const struct cred *cred, struct lsmblob *blob, int mask,
+ enum ima_hooks func, int *pcr,
+ struct ima_template_desc **template_desc,
+ const char *func_data)
+@@ -194,7 +194,7 @@ int ima_get_action(struct user_namespace *mnt_userns, struct inode *inode,
+
+ flags &= ima_policy_flag;
+
+- return ima_match_policy(mnt_userns, inode, cred, secid, func, mask,
++ return ima_match_policy(mnt_userns, inode, cred, blob, func, mask,
+ flags, pcr, template_desc, func_data);
+ }
+
+diff --git a/security/integrity/ima/ima_appraise.c b/security/integrity/ima/ima_appraise.c
+index f8c7b593175f..b2af72289f00 100644
+--- a/security/integrity/ima/ima_appraise.c
++++ b/security/integrity/ima/ima_appraise.c
+@@ -77,10 +77,9 @@ int ima_must_appraise(struct user_namespace *mnt_userns, struct inode *inode,
return 0;
-@@ -2734,9 +2729,7 @@ int audit_signal_info_syscall(struct task_struct *t)
- ctx->target_auid = audit_get_loginuid(t);
- ctx->target_uid = t_uid;
- ctx->target_sessionid = audit_get_sessionid(t);
-- security_task_getsecid_obj(t, &blob);
-- /* scaffolding until target_sid is converted */
-- ctx->target_sid = blob.secid[0];
-+ security_task_getsecid_obj(t, &ctx->target_lsm);
- memcpy(ctx->target_comm, t->comm, TASK_COMM_LEN);
- return 0;
- }
-@@ -2757,9 +2750,7 @@ int audit_signal_info_syscall(struct task_struct *t)
- axp->target_auid[axp->pid_count] = audit_get_loginuid(t);
- axp->target_uid[axp->pid_count] = t_uid;
- axp->target_sessionid[axp->pid_count] = audit_get_sessionid(t);
-- security_task_getsecid_obj(t, &blob);
-- /* scaffolding until target_sid is converted */
-- axp->target_sid[axp->pid_count] = blob.secid[0];
-+ security_task_getsecid_obj(t, &axp->target_lsm[axp->pid_count]);
- memcpy(axp->target_comm[axp->pid_count], t->comm, TASK_COMM_LEN);
- axp->pid_count++;
-
+
+ security_task_getsecid_subj(current, &blob);
+- /* scaffolding the .secid[0] */
+ return ima_match_policy(mnt_userns, inode, current_cred(),
+- blob.secid[0], func, mask,
+- IMA_APPRAISE | IMA_HASH, NULL, NULL, NULL);
++ &blob, func, mask, IMA_APPRAISE | IMA_HASH,
++ NULL, NULL, NULL);
+ }
+
+ static int ima_fix_xattr(struct dentry *dentry,
diff --git a/security/integrity/ima/ima_main.c b/security/integrity/ima/ima_main.c
-index c327f93d3962..1a4f7b00253b 100644
+index b3e00340a97c..b63f73d43bd2 100644
--- a/security/integrity/ima/ima_main.c
+++ b/security/integrity/ima/ima_main.c
-@@ -486,7 +486,6 @@ int ima_file_mprotect(struct vm_area_struct *vma, unsigned long prot)
- int ima_bprm_check(struct linux_binprm *bprm)
+@@ -194,8 +194,8 @@ void ima_file_free(struct file *file)
+ }
+
+ static int process_measurement(struct file *file, const struct cred *cred,
+- u32 secid, char *buf, loff_t size, int mask,
+- enum ima_hooks func)
++ struct lsmblob *blob, char *buf, loff_t size,
++ int mask, enum ima_hooks func)
{
- int ret;
-- u32 secid;
+ struct inode *inode = file_inode(file);
+ struct integrity_iint_cache *iint = NULL;
+@@ -218,7 +218,7 @@ static int process_measurement(struct file *file, const struct cred *cred,
+ * bitmask based on the appraise/audit/measurement policy.
+ * Included is the appraise submask.
+ */
+- action = ima_get_action(file_mnt_user_ns(file), inode, cred, secid,
++ action = ima_get_action(file_mnt_user_ns(file), inode, cred, blob,
+ mask, func, &pcr, &template_desc, NULL);
+ violation_check = ((func == FILE_CHECK || func == MMAP_CHECK) &&
+ (ima_policy_flag & IMA_MEASURE));
+@@ -392,8 +392,7 @@ int ima_file_mmap(struct file *file, unsigned long prot)
+
+ if (file && (prot & PROT_EXEC)) {
+ security_task_getsecid_subj(current, &blob);
+- /* scaffolding - until process_measurement changes */
+- return process_measurement(file, current_cred(), blob.secid[0],
++ return process_measurement(file, current_cred(), &blob,
+ NULL, 0, MAY_EXEC, MMAP_CHECK);
+ }
+
+@@ -434,7 +433,7 @@ int ima_file_mprotect(struct vm_area_struct *vma, unsigned long prot)
+ inode = file_inode(vma->vm_file);
+ /* scaffolding */
+ action = ima_get_action(file_mnt_user_ns(vma->vm_file), inode,
+- current_cred(), blob.secid[0], MAY_EXEC,
++ current_cred(), &blob, MAY_EXEC,
+ MMAP_CHECK, &pcr, &template, 0);
+
+ /* Is the mmap'ed file in policy? */
+@@ -473,16 +472,14 @@ int ima_bprm_check(struct linux_binprm *bprm)
struct lsmblob blob;
security_task_getsecid_subj(current, &blob);
-@@ -496,9 +495,10 @@ int ima_bprm_check(struct linux_binprm *bprm)
+- /* scaffolding until process_measurement changes */
+- ret = process_measurement(bprm->file, current_cred(), blob.secid[0],
+- NULL, 0, MAY_EXEC, BPRM_CHECK);
++ ret = process_measurement(bprm->file, current_cred(), &blob, NULL, 0,
++ MAY_EXEC, BPRM_CHECK);
if (ret)
return ret;
-- security_cred_getsecid(bprm->cred, &secid);
-- return process_measurement(bprm->file, bprm->cred, secid, NULL, 0,
-- MAY_EXEC, CREDS_CHECK);
-+ security_cred_getsecid(bprm->cred, &blob);
-+ /* scaffolding until process_measurement changes */
-+ return process_measurement(bprm->file, bprm->cred, blob.secid[0],
-+ NULL, 0, MAY_EXEC, CREDS_CHECK);
+ security_cred_getsecid(bprm->cred, &blob);
+- /* scaffolding until process_measurement changes */
+- return process_measurement(bprm->file, bprm->cred, blob.secid[0],
+- NULL, 0, MAY_EXEC, CREDS_CHECK);
++ return process_measurement(bprm->file, bprm->cred, &blob, NULL, 0,
++ MAY_EXEC, CREDS_CHECK);
}
/**
-diff --git a/security/security.c b/security/security.c
-index 57423c92589d..0e17620a60e2 100644
---- a/security/security.c
-+++ b/security/security.c
-@@ -1800,10 +1800,16 @@ void security_transfer_creds(struct cred *new, const struct cred *old)
- call_void_hook(cred_transfer, new, old);
- }
-
--void security_cred_getsecid(const struct cred *c, u32 *secid)
-+void security_cred_getsecid(const struct cred *c, struct lsmblob *blob)
+@@ -500,8 +497,7 @@ int ima_file_check(struct file *file, int mask)
+ struct lsmblob blob;
+
+ security_task_getsecid_subj(current, &blob);
+- /* scaffolding until process_measurement changes */
+- return process_measurement(file, current_cred(), blob.secid[0], NULL, 0,
++ return process_measurement(file, current_cred(), &blob, NULL, 0,
+ mask & (MAY_READ | MAY_WRITE | MAY_EXEC |
+ MAY_APPEND), FILE_CHECK);
+ }
+@@ -698,9 +694,8 @@ int ima_read_file(struct file *file, enum kernel_read_file_id read_id,
+ /* Read entire file for all partial reads. */
+ func = read_idmap[read_id] ?: FILE_CHECK;
+ security_task_getsecid_subj(current, &blob);
+- /* scaffolding - until process_measurement changes */
+- return process_measurement(file, current_cred(), blob.secid[0], NULL,
+- 0, MAY_READ, func);
++ return process_measurement(file, current_cred(), &blob, NULL, 0,
++ MAY_READ, func);
+ }
+
+ const int read_idmap[READING_MAX_ID] = {
+@@ -742,9 +737,8 @@ int ima_post_read_file(struct file *file, void *buf, loff_t size,
+
+ func = read_idmap[read_id] ?: FILE_CHECK;
+ security_task_getsecid_subj(current, &blob);
+- /* scaffolding until process_measurement changes */
+- return process_measurement(file, current_cred(), blob.secid[0], buf,
+- size, MAY_READ, func);
++ return process_measurement(file, current_cred(), &blob, buf, size,
++ MAY_READ, func);
+ }
+
+ /**
+@@ -889,7 +883,7 @@ void process_buffer_measurement(struct user_namespace *mnt_userns,
+ security_task_getsecid_subj(current, &blob);
+ /* scaffolding */
+ action = ima_get_action(mnt_userns, inode, current_cred(),
+- blob.secid[0], 0, func, &pcr, &template,
++ &blob, 0, func, &pcr, &template,
+ func_data);
+ if (!(action & IMA_MEASURE))
+ return;
+diff --git a/security/integrity/ima/ima_policy.c b/security/integrity/ima/ima_policy.c
+index 5ee7629fd782..caacd8bf0462 100644
+--- a/security/integrity/ima/ima_policy.c
++++ b/security/integrity/ima/ima_policy.c
+@@ -546,7 +546,7 @@ static bool ima_match_rule_data(struct ima_rule_entry *rule,
+ * @mnt_userns: user namespace of the mount the inode was found from
+ * @inode: a pointer to an inode
+ * @cred: a pointer to a credentials structure for user validation
+- * @secid: the secid of the task to be validated
++ * @blob: the lsm data of the task to be validated
+ * @func: LIM hook identifier
+ * @mask: requested action (MAY_READ | MAY_WRITE | MAY_APPEND | MAY_EXEC)
+ * @func_data: func specific data, may be NULL
+@@ -556,8 +556,8 @@ static bool ima_match_rule_data(struct ima_rule_entry *rule,
+ static bool ima_match_rules(struct ima_rule_entry *rule,
+ struct user_namespace *mnt_userns,
+ struct inode *inode, const struct cred *cred,
+- u32 secid, enum ima_hooks func, int mask,
+- const char *func_data)
++ struct lsmblob *blob, enum ima_hooks func,
++ int mask, const char *func_data)
{
-- *secid = 0;
-- call_void_hook(cred_getsecid, c, secid);
-+ struct security_hook_list *hp;
-+
-+ lsmblob_init(blob, 0);
-+ hlist_for_each_entry(hp, &security_hook_heads.cred_getsecid, list) {
-+ if (WARN_ON(hp->lsmid->slot < 0 || hp->lsmid->slot >= lsm_slot))
-+ continue;
-+ hp->hook.cred_getsecid(c, &blob->secid[hp->lsmid->slot]);
-+ }
- }
- EXPORT_SYMBOL(security_cred_getsecid);
+ int i;
+
+@@ -626,8 +626,7 @@ static bool ima_match_rules(struct ima_rule_entry *rule,
+ case LSM_SUBJ_USER:
+ case LSM_SUBJ_ROLE:
+ case LSM_SUBJ_TYPE:
+- lsmblob_init(&lsmdata, secid);
+- rc = ima_filter_rule_match(&lsmdata, rule->lsm[i].type,
++ rc = ima_filter_rule_match(blob, rule->lsm[i].type,
+ Audit_equal,
+ rule->lsm[i].rule);
+ break;
+@@ -671,7 +670,7 @@ static int get_subaction(struct ima_rule_entry *rule, enum ima_hooks func)
+ * @inode: pointer to an inode for which the policy decision is being made
+ * @cred: pointer to a credentials structure for which the policy decision is
+ * being made
+- * @secid: LSM secid of the task to be validated
++ * @blob: LSM data of the task to be validated
+ * @func: IMA hook identifier
+ * @mask: requested action (MAY_READ | MAY_WRITE | MAY_APPEND | MAY_EXEC)
+ * @pcr: set the pcr to extend
+@@ -686,8 +685,8 @@ static int get_subaction(struct ima_rule_entry *rule, enum ima_hooks func)
+ * than writes so ima_match_policy() is classical RCU candidate.
+ */
+ int ima_match_policy(struct user_namespace *mnt_userns, struct inode *inode,
+- const struct cred *cred, u32 secid, enum ima_hooks func,
+- int mask, int flags, int *pcr,
++ const struct cred *cred, struct lsmblob *blob,
++ enum ima_hooks func, int mask, int flags, int *pcr,
+ struct ima_template_desc **template_desc,
+ const char *func_data)
+ {
+@@ -703,7 +702,7 @@ int ima_match_policy(struct user_namespace *mnt_userns, struct inode *inode,
+ if (!(entry->action & actmask))
+ continue;
+
+- if (!ima_match_rules(entry, mnt_userns, inode, cred, secid,
++ if (!ima_match_rules(entry, mnt_userns, inode, cred, blob,
+ func, mask, func_data))
+ continue;
--
-2.31.1
+2.29.2