--- v38
+++ v1
@@ -1,132 +1,38 @@
-Refactor audit_log_task_context(), creating a new
-audit_log_subject_context(). This is used in netlabel auditing
-to provide multiple subject security contexts as necessary.
+The secid_to_secctx() hook has to be balanced with a release_secctx
+hook for stacking. This hook does nothing.
-Acked-by: Paul Moore <paul@paul-moore.com>
Signed-off-by: Casey Schaufler <casey@schaufler-ca.com>
---
- include/linux/audit.h | 7 +++++++
- kernel/audit.c | 26 ++++++++++++++++----------
- net/netlabel/netlabel_user.c | 7 +------
- 3 files changed, 24 insertions(+), 16 deletions(-)
+ security/smack/smack_lsm.c | 8 +++++---
+ 1 file changed, 5 insertions(+), 3 deletions(-)
-diff --git a/include/linux/audit.h b/include/linux/audit.h
-index edb919722448..87ba6fe7f1a2 100644
---- a/include/linux/audit.h
-+++ b/include/linux/audit.h
-@@ -188,6 +188,8 @@ extern void audit_log_path_denied(int type,
- const char *operation);
- extern void audit_log_lost(const char *message);
-
-+extern int audit_log_subject_context(struct audit_buffer *ab,
-+ struct lsmblob *blob);
- extern int audit_log_task_context(struct audit_buffer *ab);
- extern void audit_log_task_info(struct audit_buffer *ab);
-
-@@ -248,6 +250,11 @@ static inline void audit_log_key(struct audit_buffer *ab, char *key)
- { }
- static inline void audit_log_path_denied(int type, const char *operation)
- { }
-+static inline int audit_log_subject_context(struct audit_buffer *ab,
-+ struct lsmblob *blob)
-+{
-+ return 0;
-+}
- static inline int audit_log_task_context(struct audit_buffer *ab)
- {
- return 0;
-diff --git a/kernel/audit.c b/kernel/audit.c
-index fb182f7e9d18..a611130f83cb 100644
---- a/kernel/audit.c
-+++ b/kernel/audit.c
-@@ -2226,20 +2226,17 @@ static void audit_buffer_aux_end(struct audit_buffer *ab)
- ab->skb = skb_peek(&ab->skb_list);
+diff --git a/security/smack/smack_lsm.c b/security/smack/smack_lsm.c
+index 38ea48d22547..a837af153ed9 100644
+--- a/security/smack/smack_lsm.c
++++ b/security/smack/smack_lsm.c
+@@ -4470,10 +4470,11 @@ static int smack_secctx_to_secid(const char *secdata, u32 seclen,
}
--int audit_log_task_context(struct audit_buffer *ab)
-+int audit_log_subject_context(struct audit_buffer *ab, struct lsmblob *blob)
+ /*
+- * There used to be a smack_release_secctx hook
+- * that did nothing back when hooks were in a vector.
+- * Now that there's a list such a hook adds cost.
++ * There smack_release_secctx hook does nothing
+ */
++static void smack_release_secctx(char *secdata, u32 seclen)
++{
++}
+
+ static int smack_inode_notifysecctx(struct inode *inode, void *ctx, u32 ctxlen)
{
- int i;
- int error;
-- struct lsmblob blob;
- struct lsmcontext context;
-
-- security_current_getsecid_subj(&blob);
-- if (!lsmblob_is_set(&blob))
-+ if (!lsmblob_is_set(blob))
- return 0;
-
- if (!lsm_multiple_contexts()) {
-- error = security_secid_to_secctx(&blob, &context,
-- LSMBLOB_FIRST);
-+ error = security_secid_to_secctx(blob, &context, LSMBLOB_FIRST);
- if (error) {
- if (error != -EINVAL)
- goto error_path;
-@@ -2254,15 +2251,15 @@ int audit_log_task_context(struct audit_buffer *ab)
- if (error)
- goto error_path;
- for (i = 0; i < LSMBLOB_ENTRIES; i++) {
-- if (blob.secid[i] == 0)
-+ if (blob->secid[i] == 0)
- continue;
-- error = security_secid_to_secctx(&blob, &context, i);
-+ error = security_secid_to_secctx(blob, &context, i);
- if (error) {
- audit_log_format(ab, "%ssubj_%s=?",
- i ? " " : "",
- lsm_slot_to_name(i));
- if (error != -EINVAL)
-- audit_panic("error in audit_log_task_context");
-+ audit_panic("error in audit_log_subject_context");
- } else {
- audit_log_format(ab, "%ssubj_%s=%s",
- i ? " " : "",
-@@ -2277,9 +2274,18 @@ int audit_log_task_context(struct audit_buffer *ab)
- return 0;
-
- error_path:
-- audit_panic("error in audit_log_task_context");
-+ audit_panic("error in audit_log_subject_context");
- return error;
- }
-+EXPORT_SYMBOL(audit_log_subject_context);
-+
-+int audit_log_task_context(struct audit_buffer *ab)
-+{
-+ struct lsmblob blob;
-+
-+ security_current_getsecid_subj(&blob);
-+ return audit_log_subject_context(ab, &blob);
-+}
- EXPORT_SYMBOL(audit_log_task_context);
-
- void audit_log_d_path_exe(struct audit_buffer *ab,
-diff --git a/net/netlabel/netlabel_user.c b/net/netlabel/netlabel_user.c
-index 1941877fd16f..42812bdfc31a 100644
---- a/net/netlabel/netlabel_user.c
-+++ b/net/netlabel/netlabel_user.c
-@@ -84,7 +84,6 @@ struct audit_buffer *netlbl_audit_start_common(int type,
- struct netlbl_audit *audit_info)
- {
- struct audit_buffer *audit_buf;
-- struct lsmcontext context;
- struct lsmblob blob;
-
- if (audit_enabled == AUDIT_OFF)
-@@ -99,11 +98,7 @@ struct audit_buffer *netlbl_audit_start_common(int type,
- audit_info->sessionid);
-
- lsmblob_init(&blob, audit_info->secid);
-- if (audit_info->secid != 0 &&
-- security_secid_to_secctx(&blob, &context, LSMBLOB_FIRST) == 0) {
-- audit_log_format(audit_buf, " subj=%s", context.context);
-- security_release_secctx(&context);
-- }
-+ audit_log_subject_context(audit_buf, &blob);
-
- return audit_buf;
- }
+@@ -4713,6 +4714,7 @@ static struct security_hook_list smack_hooks[] __lsm_ro_after_init = {
+ LSM_HOOK_INIT(ismaclabel, smack_ismaclabel),
+ LSM_HOOK_INIT(secid_to_secctx, smack_secid_to_secctx),
+ LSM_HOOK_INIT(secctx_to_secid, smack_secctx_to_secid),
++ LSM_HOOK_INIT(release_secctx, smack_release_secctx),
+ LSM_HOOK_INIT(inode_notifysecctx, smack_inode_notifysecctx),
+ LSM_HOOK_INIT(inode_setsecctx, smack_inode_setsecctx),
+ LSM_HOOK_INIT(inode_getsecctx, smack_inode_getsecctx),
--
-2.37.3
+2.19.1
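Review bot: The new comment above smack_release_secctx, `* There smack_release_secctx hook does nothing`, is ungrammatical and drops the rationale the replaced comment carried; I would write it as `* The smack_release_secctx hook does nothing: the context handed out by smack_secid_to_secctx is not separately allocated, so there is nothing to free here.` The claim that no allocation happens is inferred from the hook being an empty body rather than shown in this interdiff, so confirm it against smack_secid_to_secctx before settling the wording. The cover text says secid_to_secctx must be balanced with release_secctx for stacking, and a no-op release is only correct while that pairing holds, so the comment is the right place to pin that invariant for anyone later changing secid_to_secctx to allocate. The smack_hooks[] array touched by the second hunk of the v1 patch continues outside this interdiff.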