--- v38
+++ v24
@@ -1,467 +1,565 @@
-Change security_secid_to_secctx() to take a lsmblob as input
-instead of a u32 secid. It will then call the LSM hooks
-using the lsmblob element allocated for that module. The
-callers have been updated as well. This allows for the
-possibility that more than one module may be called upon
-to translate a secid to a string, as can occur in the
-audit code.
+Add a new lsmcontext data structure to hold all the information
+about a "security context", including the string, its size and
+which LSM allocated the string. The allocation information is
+necessary because LSMs have different policies regarding the
+lifecycle of these strings. SELinux allocates and destroys
+them on each use, whereas Smack provides a pointer to an entry
+in a list that never goes away.
-Acked-by: Paul Moore <paul@paul-moore.com>
Reviewed-by: Kees Cook <keescook@chromium.org>
+Reviewed-by: John Johansen <john.johansen@canonical.com>
+Acked-by: Stephen Smalley <sds@tycho.nsa.gov>
Signed-off-by: Casey Schaufler <casey@schaufler-ca.com>
+Cc: linux-integrity@vger.kernel.org
Cc: netdev@vger.kernel.org
Cc: linux-audit@redhat.com
Cc: netfilter-devel@vger.kernel.org
To: Pablo Neira Ayuso <pablo@netfilter.org>
+Cc: linux-nfs@vger.kernel.org
---
- drivers/android/binder.c | 12 +++++++++-
- include/linux/security.h | 5 +++--
- include/net/scm.h | 7 +++++-
- kernel/audit.c | 21 +++++++++++++++--
- kernel/auditsc.c | 27 ++++++++++++++++++----
- net/ipv4/ip_sockglue.c | 4 +++-
- net/netfilter/nf_conntrack_netlink.c | 14 ++++++++++--
- net/netfilter/nf_conntrack_standalone.c | 4 +++-
- net/netfilter/nfnetlink_queue.c | 11 +++++++--
- net/netlabel/netlabel_unlabeled.c | 30 +++++++++++++++++++++----
- net/netlabel/netlabel_user.c | 6 ++---
- security/security.c | 11 +++++----
- 12 files changed, 123 insertions(+), 29 deletions(-)
+ drivers/android/binder.c | 10 ++++---
+ fs/ceph/xattr.c | 6 ++++-
+ fs/nfs/nfs4proc.c | 8 ++++--
+ fs/nfsd/nfs4xdr.c | 7 +++--
+ include/linux/security.h | 35 +++++++++++++++++++++++--
+ include/net/scm.h | 5 +++-
+ kernel/audit.c | 14 +++++++---
+ kernel/auditsc.c | 12 ++++++---
+ net/ipv4/ip_sockglue.c | 4 ++-
+ net/netfilter/nf_conntrack_netlink.c | 4 ++-
+ net/netfilter/nf_conntrack_standalone.c | 4 ++-
+ net/netfilter/nfnetlink_queue.c | 13 ++++++---
+ net/netlabel/netlabel_unlabeled.c | 19 +++++++++++---
+ net/netlabel/netlabel_user.c | 4 ++-
+ security/security.c | 11 ++++----
+ 15 files changed, 121 insertions(+), 35 deletions(-)
diff --git a/drivers/android/binder.c b/drivers/android/binder.c
-index 6428f6be69e3..34602b68d2a1 100644
+index 1a15e9e19e22..f74a72867ec9 100644
--- a/drivers/android/binder.c
+++ b/drivers/android/binder.c
-@@ -3170,10 +3170,20 @@ static void binder_transaction(struct binder_proc *proc,
-
- if (target_node && target_node->txn_security_ctx) {
- u32 secid;
-+ struct lsmblob blob;
- size_t added_size;
-
- security_cred_getsecid(proc->cred, &secid);
-- ret = security_secid_to_secctx(secid, &secctx, &secctx_sz);
-+ /*
-+ * Later in this patch set security_task_getsecid() will
-+ * provide a lsmblob instead of a secid. lsmblob_init
-+ * is used to ensure that all the secids in the lsmblob
-+ * get the value returned from security_task_getsecid(),
-+ * which means that the one expected by
-+ * security_secid_to_secctx() will be set.
-+ */
-+ lsmblob_init(&blob, secid);
-+ ret = security_secid_to_secctx(&blob, &secctx, &secctx_sz);
- if (ret) {
- binder_txn_error("%d:%d failed to get security context\n",
- thread->pid, proc->pid);
+@@ -2448,6 +2448,7 @@ static void binder_transaction(struct binder_proc *proc,
+ int t_debug_id = atomic_inc_return(&binder_last_id);
+ char *secctx = NULL;
+ u32 secctx_sz = 0;
++ struct lsmcontext scaff; /* scaffolding */
+
+ e = binder_transaction_log_add(&binder_transaction_log);
+ e->debug_id = t_debug_id;
+@@ -2750,7 +2751,8 @@ static void binder_transaction(struct binder_proc *proc,
+ t->security_ctx = 0;
+ WARN_ON(1);
+ }
+- security_release_secctx(secctx, secctx_sz);
++ lsmcontext_init(&scaff, secctx, secctx_sz, 0);
++ security_release_secctx(&scaff);
+ secctx = NULL;
+ }
+ t->buffer->debug_id = t->debug_id;
+@@ -3084,8 +3086,10 @@ static void binder_transaction(struct binder_proc *proc,
+ binder_alloc_free_buf(&target_proc->alloc, t->buffer);
+ err_binder_alloc_buf_failed:
+ err_bad_extra_size:
+- if (secctx)
+- security_release_secctx(secctx, secctx_sz);
++ if (secctx) {
++ lsmcontext_init(&scaff, secctx, secctx_sz, 0);
++ security_release_secctx(&scaff);
++ }
+ err_get_secctx_failed:
+ kfree(tcomplete);
+ binder_stats_deleted(BINDER_STAT_TRANSACTION_COMPLETE);
+diff --git a/fs/ceph/xattr.c b/fs/ceph/xattr.c
+index 24997982de01..cc4f911f0d74 100644
+--- a/fs/ceph/xattr.c
++++ b/fs/ceph/xattr.c
+@@ -1348,12 +1348,16 @@ int ceph_security_init_secctx(struct dentry *dentry, umode_t mode,
+
+ void ceph_release_acl_sec_ctx(struct ceph_acl_sec_ctx *as_ctx)
+ {
++#ifdef CONFIG_CEPH_FS_SECURITY_LABEL
++ struct lsmcontext scaff; /* scaffolding */
++#endif
+ #ifdef CONFIG_CEPH_FS_POSIX_ACL
+ posix_acl_release(as_ctx->acl);
+ posix_acl_release(as_ctx->default_acl);
+ #endif
+ #ifdef CONFIG_CEPH_FS_SECURITY_LABEL
+- security_release_secctx(as_ctx->sec_ctx, as_ctx->sec_ctxlen);
++ lsmcontext_init(&scaff, as_ctx->sec_ctx, as_ctx->sec_ctxlen, 0);
++ security_release_secctx(&scaff);
+ #endif
+ if (as_ctx->pagelist)
+ ceph_pagelist_release(as_ctx->pagelist);
+diff --git a/fs/nfs/nfs4proc.c b/fs/nfs/nfs4proc.c
+index 0ce04e0e5d82..d3c29eb2e9dd 100644
+--- a/fs/nfs/nfs4proc.c
++++ b/fs/nfs/nfs4proc.c
+@@ -139,8 +139,12 @@ nfs4_label_init_security(struct inode *dir, struct dentry *dentry,
+ static inline void
+ nfs4_label_release_security(struct nfs4_label *label)
+ {
+- if (label)
+- security_release_secctx(label->label, label->len);
++ struct lsmcontext scaff; /* scaffolding */
++
++ if (label) {
++ lsmcontext_init(&scaff, label->label, label->len, 0);
++ security_release_secctx(&scaff);
++ }
+ }
+ static inline u32 *nfs4_bitmask(struct nfs_server *server, struct nfs4_label *label)
+ {
+diff --git a/fs/nfsd/nfs4xdr.c b/fs/nfsd/nfs4xdr.c
+index 45ee6b12ce5b..43698f15a52b 100644
+--- a/fs/nfsd/nfs4xdr.c
++++ b/fs/nfsd/nfs4xdr.c
+@@ -2834,6 +2834,7 @@ nfsd4_encode_fattr(struct xdr_stream *xdr, struct svc_fh *fhp,
+ int err;
+ struct nfs4_acl *acl = NULL;
+ #ifdef CONFIG_NFSD_V4_SECURITY_LABEL
++ struct lsmcontext scaff; /* scaffolding */
+ void *context = NULL;
+ int contextlen;
+ #endif
+@@ -3335,8 +3336,10 @@ nfsd4_encode_fattr(struct xdr_stream *xdr, struct svc_fh *fhp,
+
+ out:
+ #ifdef CONFIG_NFSD_V4_SECURITY_LABEL
+- if (context)
+- security_release_secctx(context, contextlen);
++ if (context) {
++ lsmcontext_init(&scaff, context, contextlen, 0); /*scaffolding*/
++ security_release_secctx(&scaff);
++ }
+ #endif /* CONFIG_NFSD_V4_SECURITY_LABEL */
+ kfree(acl);
+ if (tempfh) {
diff --git a/include/linux/security.h b/include/linux/security.h
-index 0134a938fd65..d9ab76c909e0 100644
+index e4a4816f1b94..cfa19eb9533b 100644
--- a/include/linux/security.h
+++ b/include/linux/security.h
-@@ -569,7 +569,7 @@ int security_getprocattr(struct task_struct *p, int lsmid, char *name,
- int security_setprocattr(int lsmid, const char *name, void *value, size_t size);
- int security_netlink_send(struct sock *sk, struct sk_buff *skb);
- int security_ismaclabel(const char *name);
--int security_secid_to_secctx(u32 secid, char **secdata, u32 *seclen);
-+int security_secid_to_secctx(struct lsmblob *blob, char **secdata, u32 *seclen);
+@@ -133,6 +133,37 @@ enum lockdown_reason {
+
+ extern const char *const lockdown_reasons[LOCKDOWN_CONFIDENTIALITY_MAX+1];
+
++/*
++ * A "security context" is the text representation of
++ * the information used by LSMs.
++ * This structure contains the string, its length, and which LSM
++ * it is useful for.
++ */
++struct lsmcontext {
++ char *context; /* Provided by the module */
++ u32 len;
++ int slot; /* Identifies the module */
++};
++
++/**
++ * lsmcontext_init - initialize an lsmcontext structure.
++ * @cp: Pointer to the context to initialize
++ * @context: Initial context, or NULL
++ * @size: Size of context, or 0
++ * @slot: Which LSM provided the context
++ *
++ * Fill in the lsmcontext from the provided information.
++ * This is a scaffolding function that will be removed when
++ * lsmcontext integration is complete.
++ */
++static inline void lsmcontext_init(struct lsmcontext *cp, char *context,
++ u32 size, int slot)
++{
++ cp->slot = slot;
++ cp->context = context;
++ cp->len = size;
++}
++
+ /*
+ * Data exported by the security modules
+ *
+@@ -536,7 +567,7 @@ int security_ismaclabel(const char *name);
+ int security_secid_to_secctx(struct lsmblob *blob, char **secdata, u32 *seclen);
int security_secctx_to_secid(const char *secdata, u32 seclen,
struct lsmblob *blob);
- void security_release_secctx(char *secdata, u32 seclen);
-@@ -1426,7 +1426,8 @@ static inline int security_ismaclabel(const char *name)
- return 0;
- }
-
--static inline int security_secid_to_secctx(u32 secid, char **secdata, u32 *seclen)
-+static inline int security_secid_to_secctx(struct lsmblob *blob,
-+ char **secdata, u32 *seclen)
- {
+-void security_release_secctx(char *secdata, u32 seclen);
++void security_release_secctx(struct lsmcontext *cp);
+ void security_inode_invalidate_secctx(struct inode *inode);
+ int security_inode_notifysecctx(struct inode *inode, void *ctx, u32 ctxlen);
+ int security_inode_setsecctx(struct dentry *dentry, void *ctx, u32 ctxlen);
+@@ -1371,7 +1402,7 @@ static inline int security_secctx_to_secid(const char *secdata,
return -EOPNOTSUPP;
}
+
+-static inline void security_release_secctx(char *secdata, u32 seclen)
++static inline void security_release_secctx(struct lsmcontext *cp)
+ {
+ }
+
diff --git a/include/net/scm.h b/include/net/scm.h
-index 1ce365f4c256..23a35ff1b3f2 100644
+index 23a35ff1b3f2..f273c4d777ec 100644
--- a/include/net/scm.h
+++ b/include/net/scm.h
-@@ -92,12 +92,17 @@ static __inline__ int scm_send(struct socket *sock, struct msghdr *msg,
+@@ -92,6 +92,7 @@ static __inline__ int scm_send(struct socket *sock, struct msghdr *msg,
#ifdef CONFIG_SECURITY_NETWORK
static inline void scm_passec(struct socket *sock, struct msghdr *msg, struct scm_cookie *scm)
{
-+ struct lsmblob lb;
++ struct lsmcontext context;
+ struct lsmblob lb;
char *secdata;
u32 seclen;
- int err;
-
- if (test_bit(SOCK_PASSSEC, &sock->flags)) {
-- err = security_secid_to_secctx(scm->secid, &secdata, &seclen);
-+ /* There can only be one security module using the secid,
-+ * and the infrastructure will know which it is.
-+ */
-+ lsmblob_init(&lb, scm->secid);
-+ err = security_secid_to_secctx(&lb, &secdata, &seclen);
+@@ -106,7 +107,9 @@ static inline void scm_passec(struct socket *sock, struct msghdr *msg, struct sc
if (!err) {
put_cmsg(msg, SOL_SOCKET, SCM_SECURITY, seclen, secdata);
+- security_release_secctx(secdata, seclen);
++ /*scaffolding*/
++ lsmcontext_init(&context, secdata, seclen, 0);
++ security_release_secctx(&context);
+ }
+ }
+ }
diff --git a/kernel/audit.c b/kernel/audit.c
-index a75978ae38ad..6aa7db400d10 100644
+index f6af7b27a6fa..902962ea9be6 100644
--- a/kernel/audit.c
+++ b/kernel/audit.c
-@@ -1464,7 +1464,16 @@ static int audit_receive_msg(struct sk_buff *skb, struct nlmsghdr *nlh)
- case AUDIT_SIGNAL_INFO:
- len = 0;
- if (audit_sig_sid) {
-- err = security_secid_to_secctx(audit_sig_sid, &ctx, &len);
-+ struct lsmblob blob;
-+
-+ /*
-+ * lsmblob_init sets all values in the lsmblob
-+ * to audit_sig_sid. This is temporary until
-+ * audit_sig_sid is converted to a lsmblob, which
-+ * happens later in this patch set.
-+ */
-+ lsmblob_init(&blob, audit_sig_sid);
-+ err = security_secid_to_secctx(&blob, &ctx, &len);
- if (err)
- return err;
- }
-@@ -2170,12 +2179,20 @@ int audit_log_task_context(struct audit_buffer *ab)
+@@ -1192,6 +1192,7 @@ static int audit_receive_msg(struct sk_buff *skb, struct nlmsghdr *nlh)
+ struct audit_sig_info *sig_data;
+ char *ctx = NULL;
+ u32 len;
++ struct lsmcontext scaff; /* scaffolding */
+
+ err = audit_netlink_ok(skb, msg_type);
+ if (err)
+@@ -1449,15 +1450,18 @@ static int audit_receive_msg(struct sk_buff *skb, struct nlmsghdr *nlh)
+ }
+ sig_data = kmalloc(sizeof(*sig_data) + len, GFP_KERNEL);
+ if (!sig_data) {
+- if (lsmblob_is_set(&audit_sig_lsm))
+- security_release_secctx(ctx, len);
++ if (lsmblob_is_set(&audit_sig_lsm)) {
++ lsmcontext_init(&scaff, ctx, len, 0);
++ security_release_secctx(&scaff);
++ }
+ return -ENOMEM;
+ }
+ sig_data->uid = from_kuid(&init_user_ns, audit_sig_uid);
+ sig_data->pid = audit_sig_pid;
+ if (lsmblob_is_set(&audit_sig_lsm)) {
+ memcpy(sig_data->ctx, ctx, len);
+- security_release_secctx(ctx, len);
++ lsmcontext_init(&scaff, ctx, len, 0);
++ security_release_secctx(&scaff);
+ }
+ audit_send_reply(skb, seq, AUDIT_SIGNAL_INFO, 0, 0,
+ sig_data, sizeof(*sig_data) + len);
+@@ -2132,6 +2136,7 @@ int audit_log_task_context(struct audit_buffer *ab)
unsigned len;
int error;
- u32 sid;
-+ struct lsmblob blob;
-
- security_current_getsecid_subj(&sid);
- if (!sid)
- return 0;
-
-- error = security_secid_to_secctx(sid, &ctx, &len);
-+ /*
-+ * lsmblob_init sets all values in the lsmblob to sid.
-+ * This is temporary until security_task_getsecid is converted
-+ * to use a lsmblob, which happens later in this patch set.
-+ */
-+ lsmblob_init(&blob, sid);
-+ error = security_secid_to_secctx(&blob, &ctx, &len);
-+
- if (error) {
- if (error != -EINVAL)
- goto error_path;
+ struct lsmblob blob;
++ struct lsmcontext scaff; /* scaffolding */
+
+ security_task_getsecid(current, &blob);
+ if (!lsmblob_is_set(&blob))
+@@ -2145,7 +2150,8 @@ int audit_log_task_context(struct audit_buffer *ab)
+ }
+
+ audit_log_format(ab, " subj=%s", ctx);
+- security_release_secctx(ctx, len);
++ lsmcontext_init(&scaff, ctx, len, 0);
++ security_release_secctx(&scaff);
+ return 0;
+
+ error_path:
diff --git a/kernel/auditsc.c b/kernel/auditsc.c
-index 5fab2367bfd0..d083c050d660 100644
+index c766502b58f2..a73253515bc9 100644
--- a/kernel/auditsc.c
+++ b/kernel/auditsc.c
-@@ -679,6 +679,13 @@ static int audit_filter_rules(struct task_struct *tsk,
- security_current_getsecid_subj(&sid);
- need_sid = 0;
- }
-+ /*
-+ * lsmblob_init sets all values in the lsmblob
-+ * to sid. This is temporary until
-+ * security_task_getsecid() is converted to
-+ * provide a lsmblob, which happens later in
-+ * this patch set.
-+ */
- lsmblob_init(&blob, sid);
- result = security_audit_rule_match(&blob,
- f->type, f->op,
-@@ -695,6 +702,13 @@ static int audit_filter_rules(struct task_struct *tsk,
- if (f->lsm_str) {
- /* Find files that match */
- if (name) {
-+ /*
-+ * lsmblob_init sets all values in the
-+ * lsmblob to sid. This is temporary
-+ * until name->osid is converted to a
-+ * lsmblob, which happens later in
-+ * this patch set.
-+ */
- lsmblob_init(&blob, name->osid);
- result = security_audit_rule_match(
- &blob,
-@@ -1093,6 +1107,7 @@ static int audit_log_pid_context(struct audit_context *context, pid_t pid,
+@@ -998,6 +998,7 @@ static int audit_log_pid_context(struct audit_context *context, pid_t pid,
+ struct lsmblob *blob, char *comm)
+ {
+ struct audit_buffer *ab;
++ struct lsmcontext lsmcxt;
char *ctx = NULL;
u32 len;
int rc = 0;
-+ struct lsmblob blob;
-
- ab = audit_log_start(context, GFP_KERNEL, AUDIT_OBJ_PID);
- if (!ab)
-@@ -1102,7 +1117,8 @@ static int audit_log_pid_context(struct audit_context *context, pid_t pid,
- from_kuid(&init_user_ns, auid),
- from_kuid(&init_user_ns, uid), sessionid);
- if (sid) {
-- if (security_secid_to_secctx(sid, &ctx, &len)) {
-+ lsmblob_init(&blob, sid);
-+ if (security_secid_to_secctx(&blob, &ctx, &len)) {
- audit_log_format(ab, " obj=(none)");
+@@ -1015,7 +1016,8 @@ static int audit_log_pid_context(struct audit_context *context, pid_t pid,
rc = 1;
} else {
-@@ -1393,8 +1409,10 @@ static void show_special(struct audit_context *context, int *call_panic)
- if (osid) {
- char *ctx = NULL;
- u32 len;
-+ struct lsmblob blob;
-
-- if (security_secid_to_secctx(osid, &ctx, &len)) {
-+ lsmblob_init(&blob, osid);
-+ if (security_secid_to_secctx(&blob, &ctx, &len)) {
- audit_log_format(ab, " osid=%u", osid);
+ audit_log_format(ab, " obj=%s", ctx);
+- security_release_secctx(ctx, len);
++ lsmcontext_init(&lsmcxt, ctx, len, 0); /*scaffolding*/
++ security_release_secctx(&lsmcxt);
+ }
+ }
+ audit_log_format(ab, " ocomm=");
+@@ -1228,6 +1230,7 @@ static void audit_log_fcaps(struct audit_buffer *ab, struct audit_names *name)
+
+ static void show_special(struct audit_context *context, int *call_panic)
+ {
++ struct lsmcontext lsmcxt;
+ struct audit_buffer *ab;
+ int i;
+
+@@ -1261,7 +1264,8 @@ static void show_special(struct audit_context *context, int *call_panic)
*call_panic = 1;
} else {
-@@ -1560,9 +1578,10 @@ static void audit_log_name(struct audit_context *context, struct audit_names *n,
- if (n->osid != 0) {
+ audit_log_format(ab, " obj=%s", ctx);
+- security_release_secctx(ctx, len);
++ lsmcontext_init(&lsmcxt, ctx, len, 0);
++ security_release_secctx(&lsmcxt);
+ }
+ }
+ if (context->ipc.has_perm) {
+@@ -1410,6 +1414,7 @@ static void audit_log_name(struct audit_context *context, struct audit_names *n,
char *ctx = NULL;
u32 len;
-+ struct lsmblob blob;
-
-- if (security_secid_to_secctx(
-- n->osid, &ctx, &len)) {
-+ lsmblob_init(&blob, n->osid);
-+ if (security_secid_to_secctx(&blob, &ctx, &len)) {
- audit_log_format(ab, " osid=%u", n->osid);
- if (call_panic)
+ struct lsmblob blob;
++ struct lsmcontext lsmcxt;
+
+ lsmblob_init(&blob, n->osid);
+ if (security_secid_to_secctx(&blob, &ctx, &len)) {
+@@ -1418,7 +1423,8 @@ static void audit_log_name(struct audit_context *context, struct audit_names *n,
*call_panic = 2;
+ } else {
+ audit_log_format(ab, " obj=%s", ctx);
+- security_release_secctx(ctx, len);
++ lsmcontext_init(&lsmcxt, ctx, len, 0); /* scaffolding */
++ security_release_secctx(&lsmcxt);
+ }
+ }
+
diff --git a/net/ipv4/ip_sockglue.c b/net/ipv4/ip_sockglue.c
-index e49a61a053a6..bb8e2af31d4f 100644
+index 2f089733ada7..a7e4c1b34b6c 100644
--- a/net/ipv4/ip_sockglue.c
+++ b/net/ipv4/ip_sockglue.c
@@ -130,6 +130,7 @@ static void ip_cmsg_recv_checksum(struct msghdr *msg, struct sk_buff *skb,
static void ip_cmsg_recv_security(struct msghdr *msg, struct sk_buff *skb)
{
-+ struct lsmblob lb;
++ struct lsmcontext context;
+ struct lsmblob lb;
char *secdata;
u32 seclen, secid;
- int err;
-@@ -138,7 +139,8 @@ static void ip_cmsg_recv_security(struct msghdr *msg, struct sk_buff *skb)
- if (err)
+@@ -145,7 +146,8 @@ static void ip_cmsg_recv_security(struct msghdr *msg, struct sk_buff *skb)
return;
-- err = security_secid_to_secctx(secid, &secdata, &seclen);
-+ lsmblob_init(&lb, secid);
-+ err = security_secid_to_secctx(&lb, &secdata, &seclen);
- if (err)
- return;
-
+ put_cmsg(msg, SOL_IP, SCM_SECURITY, seclen, secdata);
+- security_release_secctx(secdata, seclen);
++ lsmcontext_init(&context, secdata, seclen, 0); /* scaffolding */
++ security_release_secctx(&context);
+ }
+
+ static void ip_cmsg_recv_dstaddr(struct msghdr *msg, struct sk_buff *skb)
diff --git a/net/netfilter/nf_conntrack_netlink.c b/net/netfilter/nf_conntrack_netlink.c
-index 7562b215b932..2e257aa4f61b 100644
+index d4902d120799..3b9cf2a1fed7 100644
--- a/net/netfilter/nf_conntrack_netlink.c
+++ b/net/netfilter/nf_conntrack_netlink.c
-@@ -347,8 +347,13 @@ static int ctnetlink_dump_secctx(struct sk_buff *skb, const struct nf_conn *ct)
- struct nlattr *nest_secctx;
+@@ -339,6 +339,7 @@ static int ctnetlink_dump_secctx(struct sk_buff *skb, const struct nf_conn *ct)
int len, ret;
char *secctx;
-+ struct lsmblob blob;
-
-- ret = security_secid_to_secctx(ct->secmark, &secctx, &len);
-+ /* lsmblob_init() puts ct->secmark into all of the secids in blob.
-+ * security_secid_to_secctx() will know which security module
-+ * to use to create the secctx. */
-+ lsmblob_init(&blob, ct->secmark);
-+ ret = security_secid_to_secctx(&blob, &secctx, &len);
- if (ret)
- return 0;
-
-@@ -656,8 +661,13 @@ static inline int ctnetlink_secctx_size(const struct nf_conn *ct)
- {
- #ifdef CONFIG_NF_CONNTRACK_SECMARK
- int len, ret;
-+ struct lsmblob blob;
-
-- ret = security_secid_to_secctx(ct->secmark, NULL, &len);
-+ /* lsmblob_init() puts ct->secmark into all of the secids in blob.
-+ * security_secid_to_secctx() will know which security module
-+ * to use to create the secctx. */
-+ lsmblob_init(&blob, ct->secmark);
-+ ret = security_secid_to_secctx(&blob, NULL, &len);
- if (ret)
- return 0;
-
+ struct lsmblob blob;
++ struct lsmcontext context;
+
+ /* lsmblob_init() puts ct->secmark into all of the secids in blob.
+ * security_secid_to_secctx() will know which security module
+@@ -359,7 +360,8 @@ static int ctnetlink_dump_secctx(struct sk_buff *skb, const struct nf_conn *ct)
+
+ ret = 0;
+ nla_put_failure:
+- security_release_secctx(secctx, len);
++ lsmcontext_init(&context, secctx, len, 0); /* scaffolding */
++ security_release_secctx(&context);
+ return ret;
+ }
+ #else
diff --git a/net/netfilter/nf_conntrack_standalone.c b/net/netfilter/nf_conntrack_standalone.c
-index 4ffe84c5a82c..da61eb8cde76 100644
+index 54da1a3e8cb1..e2bdc851a477 100644
--- a/net/netfilter/nf_conntrack_standalone.c
+++ b/net/netfilter/nf_conntrack_standalone.c
-@@ -178,8 +178,10 @@ static void ct_show_secctx(struct seq_file *s, const struct nf_conn *ct)
- int ret;
+@@ -176,6 +176,7 @@ static void ct_show_secctx(struct seq_file *s, const struct nf_conn *ct)
u32 len;
char *secctx;
-+ struct lsmblob blob;
-
-- ret = security_secid_to_secctx(ct->secmark, &secctx, &len);
-+ lsmblob_init(&blob, ct->secmark);
-+ ret = security_secid_to_secctx(&blob, &secctx, &len);
- if (ret)
- return;
-
+ struct lsmblob blob;
++ struct lsmcontext context;
+
+ lsmblob_init(&blob, ct->secmark);
+ ret = security_secid_to_secctx(&blob, &secctx, &len);
+@@ -184,7 +185,8 @@ static void ct_show_secctx(struct seq_file *s, const struct nf_conn *ct)
+
+ seq_printf(s, "secctx=%s ", secctx);
+
+- security_release_secctx(secctx, len);
++ lsmcontext_init(&context, secctx, len, 0); /* scaffolding */
++ security_release_secctx(&context);
+ }
+ #else
+ static inline void ct_show_secctx(struct seq_file *s, const struct nf_conn *ct)
diff --git a/net/netfilter/nfnetlink_queue.c b/net/netfilter/nfnetlink_queue.c
-index 87a9009d5234..bc25d49575e4 100644
+index a6dbef71fc32..dcc31cb7f287 100644
--- a/net/netfilter/nfnetlink_queue.c
+++ b/net/netfilter/nfnetlink_queue.c
-@@ -305,13 +305,20 @@ static u32 nfqnl_get_sk_secctx(struct sk_buff *skb, char **secdata)
- {
+@@ -398,6 +398,7 @@ nfqnl_build_packet_message(struct net *net, struct nfqnl_instance *queue,
+ enum ip_conntrack_info ctinfo;
+ struct nfnl_ct_hook *nfnl_ct;
+ bool csum_verify;
++ struct lsmcontext scaff; /* scaffolding */
+ char *secdata = NULL;
u32 seclen = 0;
- #if IS_ENABLED(CONFIG_NETWORK_SECMARK)
-+ struct lsmblob blob;
-+
- if (!skb || !sk_fullsock(skb->sk))
- return 0;
-
- read_lock_bh(&skb->sk->sk_callback_lock);
-
-- if (skb->secmark)
-- security_secid_to_secctx(skb->secmark, secdata, &seclen);
-+ if (skb->secmark) {
-+ /* lsmblob_init() puts ct->secmark into all of the secids in
-+ * blob. security_secid_to_secctx() will know which security
-+ * module to use to create the secctx. */
-+ lsmblob_init(&blob, skb->secmark);
-+ security_secid_to_secctx(&blob, secdata, &seclen);
+
+@@ -628,8 +629,10 @@ nfqnl_build_packet_message(struct net *net, struct nfqnl_instance *queue,
+ }
+
+ nlh->nlmsg_len = skb->len;
+- if (seclen)
+- security_release_secctx(secdata, seclen);
++ if (seclen) {
++ lsmcontext_init(&scaff, secdata, seclen, 0);
++ security_release_secctx(&scaff);
+ }
-
- read_unlock_bh(&skb->sk->sk_callback_lock);
- #endif
+ return skb;
+
+ nla_put_failure:
+@@ -637,8 +640,10 @@ nfqnl_build_packet_message(struct net *net, struct nfqnl_instance *queue,
+ kfree_skb(skb);
+ net_err_ratelimited("nf_queue: error creating packet message\n");
+ nlmsg_failure:
+- if (seclen)
+- security_release_secctx(secdata, seclen);
++ if (seclen) {
++ lsmcontext_init(&scaff, secdata, seclen, 0);
++ security_release_secctx(&scaff);
++ }
+ return NULL;
+ }
+
diff --git a/net/netlabel/netlabel_unlabeled.c b/net/netlabel/netlabel_unlabeled.c
-index 87fb0747d3e9..980ad209b57e 100644
+index 93240432427f..32b6eea7ba0c 100644
--- a/net/netlabel/netlabel_unlabeled.c
+++ b/net/netlabel/netlabel_unlabeled.c
-@@ -376,6 +376,7 @@ int netlbl_unlhsh_add(struct net *net,
+@@ -374,6 +374,7 @@ int netlbl_unlhsh_add(struct net *net,
+ struct net_device *dev;
+ struct netlbl_unlhsh_iface *iface;
struct audit_buffer *audit_buf = NULL;
++ struct lsmcontext context;
char *secctx = NULL;
u32 secctx_len;
-+ struct lsmblob blob;
-
- if (addr_len != sizeof(struct in_addr) &&
- addr_len != sizeof(struct in6_addr))
-@@ -438,7 +439,11 @@ int netlbl_unlhsh_add(struct net *net,
- unlhsh_add_return:
- rcu_read_unlock();
- if (audit_buf != NULL) {
-- if (security_secid_to_secctx(secid,
-+ /* lsmblob_init() puts secid into all of the secids in blob.
-+ * security_secid_to_secctx() will know which security module
-+ * to use to create the secctx. */
-+ lsmblob_init(&blob, secid);
-+ if (security_secid_to_secctx(&blob,
+ struct lsmblob blob;
+@@ -447,7 +448,9 @@ int netlbl_unlhsh_add(struct net *net,
&secctx,
&secctx_len) == 0) {
audit_log_format(audit_buf, " sec_obj=%s", secctx);
-@@ -475,6 +480,7 @@ static int netlbl_unlhsh_remove_addr4(struct net *net,
+- security_release_secctx(secctx, secctx_len);
++ /* scaffolding */
++ lsmcontext_init(&context, secctx, secctx_len, 0);
++ security_release_secctx(&context);
+ }
+ audit_log_format(audit_buf, " res=%u", ret_val == 0 ? 1 : 0);
+ audit_log_end(audit_buf);
+@@ -478,6 +481,7 @@ static int netlbl_unlhsh_remove_addr4(struct net *net,
+ struct netlbl_unlhsh_addr4 *entry;
+ struct audit_buffer *audit_buf;
struct net_device *dev;
++ struct lsmcontext context;
char *secctx;
u32 secctx_len;
-+ struct lsmblob blob;
-
- spin_lock(&netlbl_unlhsh_lock);
- list_entry = netlbl_af4list_remove(addr->s_addr, mask->s_addr,
-@@ -493,8 +499,13 @@ static int netlbl_unlhsh_remove_addr4(struct net *net,
- (dev != NULL ? dev->name : NULL),
- addr->s_addr, mask->s_addr);
- dev_put(dev);
-+ /* lsmblob_init() puts entry->secid into all of the secids
-+ * in blob. security_secid_to_secctx() will know which
-+ * security module to use to create the secctx. */
-+ if (entry != NULL)
-+ lsmblob_init(&blob, entry->secid);
- if (entry != NULL &&
-- security_secid_to_secctx(entry->secid,
-+ security_secid_to_secctx(&blob,
+ struct lsmblob blob;
+@@ -509,7 +513,9 @@ static int netlbl_unlhsh_remove_addr4(struct net *net,
+ security_secid_to_secctx(&blob,
&secctx, &secctx_len) == 0) {
audit_log_format(audit_buf, " sec_obj=%s", secctx);
- security_release_secctx(secctx, secctx_len);
-@@ -536,6 +547,7 @@ static int netlbl_unlhsh_remove_addr6(struct net *net,
+- security_release_secctx(secctx, secctx_len);
++ /* scaffolding */
++ lsmcontext_init(&context, secctx, secctx_len, 0);
++ security_release_secctx(&context);
+ }
+ audit_log_format(audit_buf, " res=%u", entry != NULL ? 1 : 0);
+ audit_log_end(audit_buf);
+@@ -546,6 +552,7 @@ static int netlbl_unlhsh_remove_addr6(struct net *net,
+ struct netlbl_unlhsh_addr6 *entry;
+ struct audit_buffer *audit_buf;
struct net_device *dev;
++ struct lsmcontext context;
char *secctx;
u32 secctx_len;
-+ struct lsmblob blob;
-
- spin_lock(&netlbl_unlhsh_lock);
- list_entry = netlbl_af6list_remove(addr, mask, &iface->addr6_list);
-@@ -553,8 +565,13 @@ static int netlbl_unlhsh_remove_addr6(struct net *net,
- (dev != NULL ? dev->name : NULL),
- addr, mask);
- dev_put(dev);
-+ /* lsmblob_init() puts entry->secid into all of the secids
-+ * in blob. security_secid_to_secctx() will know which
-+ * security module to use to create the secctx. */
-+ if (entry != NULL)
-+ lsmblob_init(&blob, entry->secid);
- if (entry != NULL &&
-- security_secid_to_secctx(entry->secid,
-+ security_secid_to_secctx(&blob,
+ struct lsmblob blob;
+@@ -576,7 +583,8 @@ static int netlbl_unlhsh_remove_addr6(struct net *net,
+ security_secid_to_secctx(&blob,
&secctx, &secctx_len) == 0) {
audit_log_format(audit_buf, " sec_obj=%s", secctx);
- security_release_secctx(secctx, secctx_len);
-@@ -1080,6 +1097,7 @@ static int netlbl_unlabel_staticlist_gen(u32 cmd,
+- security_release_secctx(secctx, secctx_len);
++ lsmcontext_init(&context, secctx, secctx_len, 0);
++ security_release_secctx(&context);
+ }
+ audit_log_format(audit_buf, " res=%u", entry != NULL ? 1 : 0);
+ audit_log_end(audit_buf);
+@@ -1095,6 +1103,7 @@ static int netlbl_unlabel_staticlist_gen(u32 cmd,
+ int ret_val = -ENOMEM;
+ struct netlbl_unlhsh_walk_arg *cb_arg = arg;
+ struct net_device *dev;
++ struct lsmcontext context;
+ void *data;
u32 secid;
char *secctx;
- u32 secctx_len;
-+ struct lsmblob blob;
-
- data = genlmsg_put(cb_arg->skb, NETLINK_CB(cb_arg->nl_cb->skb).portid,
- cb_arg->seq, &netlbl_unlabel_gnl_family,
-@@ -1134,7 +1152,11 @@ static int netlbl_unlabel_staticlist_gen(u32 cmd,
- secid = addr6->secid;
- }
-
-- ret_val = security_secid_to_secctx(secid, &secctx, &secctx_len);
-+ /* lsmblob_init() secid into all of the secids in blob.
-+ * security_secid_to_secctx() will know which security module
-+ * to use to create the secctx. */
-+ lsmblob_init(&blob, secid);
-+ ret_val = security_secid_to_secctx(&blob, &secctx, &secctx_len);
+@@ -1165,7 +1174,9 @@ static int netlbl_unlabel_staticlist_gen(u32 cmd,
+ NLBL_UNLABEL_A_SECCTX,
+ secctx_len,
+ secctx);
+- security_release_secctx(secctx, secctx_len);
++ /* scaffolding */
++ lsmcontext_init(&context, secctx, secctx_len, 0);
++ security_release_secctx(&context);
if (ret_val != 0)
goto list_cb_failure;
- ret_val = nla_put(cb_arg->skb,
+
diff --git a/net/netlabel/netlabel_user.c b/net/netlabel/netlabel_user.c
-index 3ed4fea2a2de..893301ae0131 100644
+index 893301ae0131..ef139d8ae7cd 100644
--- a/net/netlabel/netlabel_user.c
+++ b/net/netlabel/netlabel_user.c
-@@ -86,6 +86,7 @@ struct audit_buffer *netlbl_audit_start_common(int type,
+@@ -84,6 +84,7 @@ struct audit_buffer *netlbl_audit_start_common(int type,
+ struct netlbl_audit *audit_info)
+ {
struct audit_buffer *audit_buf;
++ struct lsmcontext context;
char *secctx;
u32 secctx_len;
-+ struct lsmblob blob;
-
- if (audit_enabled == AUDIT_OFF)
- return NULL;
-@@ -98,10 +99,9 @@ struct audit_buffer *netlbl_audit_start_common(int type,
- from_kuid(&init_user_ns, audit_info->loginuid),
- audit_info->sessionid);
-
-+ lsmblob_init(&blob, audit_info->secid);
+ struct lsmblob blob;
+@@ -103,7 +104,8 @@ struct audit_buffer *netlbl_audit_start_common(int type,
if (audit_info->secid != 0 &&
-- security_secid_to_secctx(audit_info->secid,
-- &secctx,
-- &secctx_len) == 0) {
-+ security_secid_to_secctx(&blob, &secctx, &secctx_len) == 0) {
+ security_secid_to_secctx(&blob, &secctx, &secctx_len) == 0) {
audit_log_format(audit_buf, " subj=%s", secctx);
- security_release_secctx(secctx, secctx_len);
- }
+- security_release_secctx(secctx, secctx_len);
++ lsmcontext_init(&context, secctx, secctx_len, 0);/*scaffolding*/
++ security_release_secctx(&context);
+ }
+
+ return audit_buf;
diff --git a/security/security.c b/security/security.c
-index 0c5be69d8146..9c49406e5ff9 100644
+index 517623ba81dc..904ae6c46be0 100644
--- a/security/security.c
+++ b/security/security.c
-@@ -2209,17 +2209,16 @@ int security_ismaclabel(const char *name)
- }
- EXPORT_SYMBOL(security_ismaclabel);
-
--int security_secid_to_secctx(u32 secid, char **secdata, u32 *seclen)
-+int security_secid_to_secctx(struct lsmblob *blob, char **secdata, u32 *seclen)
+@@ -2288,16 +2288,17 @@ int security_secctx_to_secid(const char *secdata, u32 seclen,
+ }
+ EXPORT_SYMBOL(security_secctx_to_secid);
+
+-void security_release_secctx(char *secdata, u32 seclen)
++void security_release_secctx(struct lsmcontext *cp)
{
struct security_hook_list *hp;
- int rc;
-
-- /*
-- * Currently, only one LSM can implement secid_to_secctx (i.e this
-- * LSM hook is not "stackable").
-- */
- hlist_for_each_entry(hp, &security_hook_heads.secid_to_secctx, list) {
-- rc = hp->hook.secid_to_secctx(secid, secdata, seclen);
-+ if (WARN_ON(hp->lsmid->slot < 0 || hp->lsmid->slot >= lsm_slot))
-+ continue;
-+ rc = hp->hook.secid_to_secctx(blob->secid[hp->lsmid->slot],
-+ secdata, seclen);
- if (rc != LSM_RET_DEFAULT(secid_to_secctx))
- return rc;
- }
+- int ilsm = lsm_task_ilsm(current);
+
+ hlist_for_each_entry(hp, &security_hook_heads.release_secctx, list)
+- if (ilsm == LSMBLOB_INVALID || ilsm == hp->lsmid->slot) {
+- hp->hook.release_secctx(secdata, seclen);
+- return;
++ if (cp->slot == hp->lsmid->slot) {
++ hp->hook.release_secctx(cp->context, cp->len);
++ break;
+ }
++
++ memset(cp, 0, sizeof(*cp));
+ }
+ EXPORT_SYMBOL(security_release_secctx);
+
--
-2.37.3
+2.25.4