[v2,07/25] net: Prepare UDS for secuirty module stacking

Message ID	20190618230551.7475-8-casey@schaufler-ca.com (mailing list archive)
State	Superseded
Headers	show Return-Path: <selinux-owner@kernel.org> From: Casey Schaufler <casey@schaufler-ca.com> To: casey.schaufler@intel.com, jmorris@namei.org, linux-security-module@vger.kernel.org, selinux@vger.kernel.org Cc: casey@schaufler-ca.com, keescook@chromium.org, john.johansen@canonical.com, penguin-kernel@i-love.sakura.ne.jp, paul@paul-moore.com, sds@tycho.nsa.gov Subject: [PATCH v2 07/25] net: Prepare UDS for secuirty module stacking Date: Tue, 18 Jun 2019 16:05:33 -0700 Message-Id: <20190618230551.7475-8-casey@schaufler-ca.com> In-Reply-To: <20190618230551.7475-1-casey@schaufler-ca.com> References: <20190618230551.7475-1-casey@schaufler-ca.com> MIME-Version: 1.0 Content-Transfer-Encoding: 8bit Sender: selinux-owner@vger.kernel.org Precedence: bulk
Series	LSM: Module stacking for AppArmor \| expand [v2,00/25] LSM: Module stacking for AppArmor [v2,01/25] LSM: Infrastructure management of the superblock [v2,02/25] LSM: Infrastructure management of the sock security [v2,03/25] LSM: Infrastructure management of the key blob [v2,04/25] LSM: Create and manage the lsmblob data structure. [v2,05/25] Use lsmblob in security_audit_rule_match [v2,06/25] LSM: Use lsmblob in security_kernel_act_as [v2,07/25] net: Prepare UDS for secuirty module stacking [v2,08/25] LSM: Use lsmblob in security_secctx_to_secid [v2,09/25] LSM: Use lsmblob in security_secid_to_secctx [v2,10/25] LSM: Use lsmblob in security_ipc_getsecid [v2,11/25] LSM: Use lsmblob in security_task_getsecid [v2,12/25] LSM: Use lsmblob in security_inode_getsecid [v2,13/25] LSM: Use lsmblob in security_cred_getsecid [v2,14/25] IMA: Change internal interfaces to use lsmblobs [v2,15/25] LSM: Specify which LSM to display [v2,16/25] LSM: Ensure the correct LSM context releaser [v2,17/25] LSM: Use lsmcontext in security_secid_to_secctx [v2,18/25] LSM: Use lsmcontext in security_dentry_init_security [v2,19/25] LSM: Use lsmcontext in security_inode_getsecctx [v2,20/25] LSM: security_secid_to_secctx in netlink netfilter [v2,21/25] Audit: Store LSM audit information in an lsmblob [v2,22/25] LSM: Return the lsmblob slot on initialization [v2,23/25] NET: Store LSM netlabel data in a lsmblob [v2,24/25] Fix slotted list and getpeersec_d [v2,25/25] AppArmor: Remove the exclusive flag

Message ID

20190618230551.7475-8-casey@schaufler-ca.com (mailing list archive)

State

Superseded

Headers

From: Casey Schaufler <casey@schaufler-ca.com>
To: casey.schaufler@intel.com, jmorris@namei.org,
        linux-security-module@vger.kernel.org, selinux@vger.kernel.org
Cc: casey@schaufler-ca.com, keescook@chromium.org,
        john.johansen@canonical.com, penguin-kernel@i-love.sakura.ne.jp,
        paul@paul-moore.com, sds@tycho.nsa.gov
Subject: [PATCH v2 07/25] net: Prepare UDS for secuirty module stacking
Date: Tue, 18 Jun 2019 16:05:33 -0700
Message-Id: <20190618230551.7475-8-casey@schaufler-ca.com>
In-Reply-To: <20190618230551.7475-1-casey@schaufler-ca.com>
References: <20190618230551.7475-1-casey@schaufler-ca.com>
MIME-Version: 1.0
Content-Transfer-Encoding: 8bit
Sender: selinux-owner@vger.kernel.org
Precedence: bulk

Series

LSM: Module stacking for AppArmor | expand

Commit Message

Casey Schaufler June 18, 2019, 11:05 p.m. UTC

Change the data used in UDS SO_PEERSEC processing from a
secid to a more general struct lsmblob. Update the
security_socket_getpeersec_dgram() interface to use the
lsmblob. There is a small amount of scaffolding code
that will come out when the security_secid_to_secctx()
code is brought in line with the lsmblob.

Signed-off-by: Casey Schaufler <casey@schaufler-ca.com>
---
 include/linux/security.h |  7 +++++--
 include/net/af_unix.h    |  2 +-
 include/net/scm.h        |  8 +++++---
 net/ipv4/ip_sockglue.c   |  8 +++++---
 net/unix/af_unix.c       |  6 +++---
 security/security.c      | 16 +++++++++++++---
 6 files changed, 32 insertions(+), 15 deletions(-)

Comments

Kees Cook June 19, 2019, 4:59 a.m. UTC | #1

typo in Subject -> "secuirty" -> "security"

On Tue, Jun 18, 2019 at 04:05:33PM -0700, Casey Schaufler wrote:
> Change the data used in UDS SO_PEERSEC processing from a
> secid to a more general struct lsmblob. Update the
> security_socket_getpeersec_dgram() interface to use the
> lsmblob. There is a small amount of scaffolding code
> that will come out when the security_secid_to_secctx()
> code is brought in line with the lsmblob.

Can you spell this out a little more, "scaffolding code passes slot 1
unconditionally while the following patches will fix this up when they
are made aware of lsmblob" etc. (Also, why slot 1 and not slot 0?)

-Kees

> 
> Signed-off-by: Casey Schaufler <casey@schaufler-ca.com>
> ---
>  include/linux/security.h |  7 +++++--
>  include/net/af_unix.h    |  2 +-
>  include/net/scm.h        |  8 +++++---
>  net/ipv4/ip_sockglue.c   |  8 +++++---
>  net/unix/af_unix.c       |  6 +++---
>  security/security.c      | 16 +++++++++++++---
>  6 files changed, 32 insertions(+), 15 deletions(-)
> 
> diff --git a/include/linux/security.h b/include/linux/security.h
> index 89a5391f2441..64f5cc2dd249 100644
> --- a/include/linux/security.h
> +++ b/include/linux/security.h
> @@ -1276,7 +1276,8 @@ int security_socket_shutdown(struct socket *sock, int how);
>  int security_sock_rcv_skb(struct sock *sk, struct sk_buff *skb);
>  int security_socket_getpeersec_stream(struct socket *sock, char __user *optval,
>  				      int __user *optlen, unsigned len);
> -int security_socket_getpeersec_dgram(struct socket *sock, struct sk_buff *skb, u32 *secid);
> +int security_socket_getpeersec_dgram(struct socket *sock, struct sk_buff *skb,
> +				     struct lsmblob *l);
>  int security_sk_alloc(struct sock *sk, int family, gfp_t priority);
>  void security_sk_free(struct sock *sk);
>  void security_sk_clone(const struct sock *sk, struct sock *newsk);
> @@ -1414,7 +1415,9 @@ static inline int security_socket_getpeersec_stream(struct socket *sock, char __
>  	return -ENOPROTOOPT;
>  }
>  
> -static inline int security_socket_getpeersec_dgram(struct socket *sock, struct sk_buff *skb, u32 *secid)
> +static inline int security_socket_getpeersec_dgram(struct socket *sock,
> +						   struct sk_buff *skb,
> +						   struct lsmblob *l)
>  {
>  	return -ENOPROTOOPT;
>  }
> diff --git a/include/net/af_unix.h b/include/net/af_unix.h
> index 3426d6dacc45..933492c08b8c 100644
> --- a/include/net/af_unix.h
> +++ b/include/net/af_unix.h
> @@ -36,7 +36,7 @@ struct unix_skb_parms {
>  	kgid_t			gid;
>  	struct scm_fp_list	*fp;		/* Passed files		*/
>  #ifdef CONFIG_SECURITY_NETWORK
> -	u32			secid;		/* Security ID		*/
> +	struct lsmblob		lsmblob;	/* Security LSM data	*/
>  #endif
>  	u32			consumed;
>  } __randomize_layout;
> diff --git a/include/net/scm.h b/include/net/scm.h
> index 1ce365f4c256..c87a17101c86 100644
> --- a/include/net/scm.h
> +++ b/include/net/scm.h
> @@ -33,7 +33,7 @@ struct scm_cookie {
>  	struct scm_fp_list	*fp;		/* Passed files		*/
>  	struct scm_creds	creds;		/* Skb credentials	*/
>  #ifdef CONFIG_SECURITY_NETWORK
> -	u32			secid;		/* Passed security ID 	*/
> +	struct lsmblob		lsmblob;	/* Passed LSM data	*/
>  #endif
>  };
>  
> @@ -46,7 +46,7 @@ struct scm_fp_list *scm_fp_dup(struct scm_fp_list *fpl);
>  #ifdef CONFIG_SECURITY_NETWORK
>  static __inline__ void unix_get_peersec_dgram(struct socket *sock, struct scm_cookie *scm)
>  {
> -	security_socket_getpeersec_dgram(sock, NULL, &scm->secid);
> +	security_socket_getpeersec_dgram(sock, NULL, &scm->lsmblob);
>  }
>  #else
>  static __inline__ void unix_get_peersec_dgram(struct socket *sock, struct scm_cookie *scm)
> @@ -97,7 +97,9 @@ static inline void scm_passec(struct socket *sock, struct msghdr *msg, struct sc
>  	int err;
>  
>  	if (test_bit(SOCK_PASSSEC, &sock->flags)) {
> -		err = security_secid_to_secctx(scm->secid, &secdata, &seclen);
> +		/* Scaffolding - it has to be element 1 for now */
> +		err = security_secid_to_secctx(scm->lsmblob.secid[1],
> +					       &secdata, &seclen);
>  
>  		if (!err) {
>  			put_cmsg(msg, SOL_SOCKET, SCM_SECURITY, seclen, secdata);
> diff --git a/net/ipv4/ip_sockglue.c b/net/ipv4/ip_sockglue.c
> index 82f341e84fae..fbe2147ee595 100644
> --- a/net/ipv4/ip_sockglue.c
> +++ b/net/ipv4/ip_sockglue.c
> @@ -130,15 +130,17 @@ static void ip_cmsg_recv_checksum(struct msghdr *msg, struct sk_buff *skb,
>  
>  static void ip_cmsg_recv_security(struct msghdr *msg, struct sk_buff *skb)
>  {
> +	struct lsmblob lb;
>  	char *secdata;
> -	u32 seclen, secid;
> +	u32 seclen;
>  	int err;
>  
> -	err = security_socket_getpeersec_dgram(NULL, skb, &secid);
> +	err = security_socket_getpeersec_dgram(NULL, skb, &lb);
>  	if (err)
>  		return;
>  
> -	err = security_secid_to_secctx(secid, &secdata, &seclen);
> +	/* Scaffolding - it has to be element 1 */
> +	err = security_secid_to_secctx(lb.secid[1], &secdata, &seclen);
>  	if (err)
>  		return;
>  
> diff --git a/net/unix/af_unix.c b/net/unix/af_unix.c
> index ddb838a1b74c..c50a004a1389 100644
> --- a/net/unix/af_unix.c
> +++ b/net/unix/af_unix.c
> @@ -143,17 +143,17 @@ static struct hlist_head *unix_sockets_unbound(void *addr)
>  #ifdef CONFIG_SECURITY_NETWORK
>  static void unix_get_secdata(struct scm_cookie *scm, struct sk_buff *skb)
>  {
> -	UNIXCB(skb).secid = scm->secid;
> +	UNIXCB(skb).lsmblob = scm->lsmblob;
>  }
>  
>  static inline void unix_set_secdata(struct scm_cookie *scm, struct sk_buff *skb)
>  {
> -	scm->secid = UNIXCB(skb).secid;
> +	scm->lsmblob = UNIXCB(skb).lsmblob;
>  }
>  
>  static inline bool unix_secdata_eq(struct scm_cookie *scm, struct sk_buff *skb)
>  {
> -	return (scm->secid == UNIXCB(skb).secid);
> +	return lsmblob_equal(&scm->lsmblob, &(UNIXCB(skb).lsmblob));
>  }
>  #else
>  static inline void unix_get_secdata(struct scm_cookie *scm, struct sk_buff *skb)
> diff --git a/security/security.c b/security/security.c
> index 4296cd2ca508..5ed818699e15 100644
> --- a/security/security.c
> +++ b/security/security.c
> @@ -2132,10 +2132,20 @@ int security_socket_getpeersec_stream(struct socket *sock, char __user *optval,
>  				optval, optlen, len);
>  }
>  
> -int security_socket_getpeersec_dgram(struct socket *sock, struct sk_buff *skb, u32 *secid)
> +int security_socket_getpeersec_dgram(struct socket *sock, struct sk_buff *skb,
> +				     struct lsmblob *l)
>  {
> -	return call_int_hook(socket_getpeersec_dgram, -ENOPROTOOPT, sock,
> -			     skb, secid);
> +	struct security_hook_list *hp;
> +	int rc = -ENOPROTOOPT;
> +
> +	hlist_for_each_entry(hp, &security_hook_heads.socket_getpeersec_dgram,
> +			     list) {
> +		rc = hp->hook.socket_getpeersec_dgram(sock, skb,
> +						      &l->secid[hp->slot]);
> +		if (rc != 0)
> +			break;
> +	}
> +	return rc;
>  }
>  EXPORT_SYMBOL(security_socket_getpeersec_dgram);
>  
> -- 
> 2.20.1
>

Casey Schaufler June 19, 2019, 4:42 p.m. UTC | #2

On 6/18/2019 9:59 PM, Kees Cook wrote:
> typo in Subject -> "secuirty" -> "security"
>
> On Tue, Jun 18, 2019 at 04:05:33PM -0700, Casey Schaufler wrote:
>> Change the data used in UDS SO_PEERSEC processing from a
>> secid to a more general struct lsmblob. Update the
>> security_socket_getpeersec_dgram() interface to use the
>> lsmblob. There is a small amount of scaffolding code
>> that will come out when the security_secid_to_secctx()
>> code is brought in line with the lsmblob.
> Can you spell this out a little more, "scaffolding code passes slot 1
> unconditionally while the following patches will fix this up when they
> are made aware of lsmblob" etc. (Also, why slot 1 and not slot 0?)

It should be slot 0. An earlier version had special meaning for
slot 0, but that proved unnecessary. This is a bug, as it will break
if you have exactly one of the major LSMs built in.

> -Kees
>
>> Signed-off-by: Casey Schaufler <casey@schaufler-ca.com>
>> ---
>>  include/linux/security.h |  7 +++++--
>>  include/net/af_unix.h    |  2 +-
>>  include/net/scm.h        |  8 +++++---
>>  net/ipv4/ip_sockglue.c   |  8 +++++---
>>  net/unix/af_unix.c       |  6 +++---
>>  security/security.c      | 16 +++++++++++++---
>>  6 files changed, 32 insertions(+), 15 deletions(-)
>>
>> diff --git a/include/linux/security.h b/include/linux/security.h
>> index 89a5391f2441..64f5cc2dd249 100644
>> --- a/include/linux/security.h
>> +++ b/include/linux/security.h
>> @@ -1276,7 +1276,8 @@ int security_socket_shutdown(struct socket *sock, int how);
>>  int security_sock_rcv_skb(struct sock *sk, struct sk_buff *skb);
>>  int security_socket_getpeersec_stream(struct socket *sock, char __user *optval,
>>  				      int __user *optlen, unsigned len);
>> -int security_socket_getpeersec_dgram(struct socket *sock, struct sk_buff *skb, u32 *secid);
>> +int security_socket_getpeersec_dgram(struct socket *sock, struct sk_buff *skb,
>> +				     struct lsmblob *l);
>>  int security_sk_alloc(struct sock *sk, int family, gfp_t priority);
>>  void security_sk_free(struct sock *sk);
>>  void security_sk_clone(const struct sock *sk, struct sock *newsk);
>> @@ -1414,7 +1415,9 @@ static inline int security_socket_getpeersec_stream(struct socket *sock, char __
>>  	return -ENOPROTOOPT;
>>  }
>>  
>> -static inline int security_socket_getpeersec_dgram(struct socket *sock, struct sk_buff *skb, u32 *secid)
>> +static inline int security_socket_getpeersec_dgram(struct socket *sock,
>> +						   struct sk_buff *skb,
>> +						   struct lsmblob *l)
>>  {
>>  	return -ENOPROTOOPT;
>>  }
>> diff --git a/include/net/af_unix.h b/include/net/af_unix.h
>> index 3426d6dacc45..933492c08b8c 100644
>> --- a/include/net/af_unix.h
>> +++ b/include/net/af_unix.h
>> @@ -36,7 +36,7 @@ struct unix_skb_parms {
>>  	kgid_t			gid;
>>  	struct scm_fp_list	*fp;		/* Passed files		*/
>>  #ifdef CONFIG_SECURITY_NETWORK
>> -	u32			secid;		/* Security ID		*/
>> +	struct lsmblob		lsmblob;	/* Security LSM data	*/
>>  #endif
>>  	u32			consumed;
>>  } __randomize_layout;
>> diff --git a/include/net/scm.h b/include/net/scm.h
>> index 1ce365f4c256..c87a17101c86 100644
>> --- a/include/net/scm.h
>> +++ b/include/net/scm.h
>> @@ -33,7 +33,7 @@ struct scm_cookie {
>>  	struct scm_fp_list	*fp;		/* Passed files		*/
>>  	struct scm_creds	creds;		/* Skb credentials	*/
>>  #ifdef CONFIG_SECURITY_NETWORK
>> -	u32			secid;		/* Passed security ID 	*/
>> +	struct lsmblob		lsmblob;	/* Passed LSM data	*/
>>  #endif
>>  };
>>  
>> @@ -46,7 +46,7 @@ struct scm_fp_list *scm_fp_dup(struct scm_fp_list *fpl);
>>  #ifdef CONFIG_SECURITY_NETWORK
>>  static __inline__ void unix_get_peersec_dgram(struct socket *sock, struct scm_cookie *scm)
>>  {
>> -	security_socket_getpeersec_dgram(sock, NULL, &scm->secid);
>> +	security_socket_getpeersec_dgram(sock, NULL, &scm->lsmblob);
>>  }
>>  #else
>>  static __inline__ void unix_get_peersec_dgram(struct socket *sock, struct scm_cookie *scm)
>> @@ -97,7 +97,9 @@ static inline void scm_passec(struct socket *sock, struct msghdr *msg, struct sc
>>  	int err;
>>  
>>  	if (test_bit(SOCK_PASSSEC, &sock->flags)) {
>> -		err = security_secid_to_secctx(scm->secid, &secdata, &seclen);
>> +		/* Scaffolding - it has to be element 1 for now */
>> +		err = security_secid_to_secctx(scm->lsmblob.secid[1],
>> +					       &secdata, &seclen);
>>  
>>  		if (!err) {
>>  			put_cmsg(msg, SOL_SOCKET, SCM_SECURITY, seclen, secdata);
>> diff --git a/net/ipv4/ip_sockglue.c b/net/ipv4/ip_sockglue.c
>> index 82f341e84fae..fbe2147ee595 100644
>> --- a/net/ipv4/ip_sockglue.c
>> +++ b/net/ipv4/ip_sockglue.c
>> @@ -130,15 +130,17 @@ static void ip_cmsg_recv_checksum(struct msghdr *msg, struct sk_buff *skb,
>>  
>>  static void ip_cmsg_recv_security(struct msghdr *msg, struct sk_buff *skb)
>>  {
>> +	struct lsmblob lb;
>>  	char *secdata;
>> -	u32 seclen, secid;
>> +	u32 seclen;
>>  	int err;
>>  
>> -	err = security_socket_getpeersec_dgram(NULL, skb, &secid);
>> +	err = security_socket_getpeersec_dgram(NULL, skb, &lb);
>>  	if (err)
>>  		return;
>>  
>> -	err = security_secid_to_secctx(secid, &secdata, &seclen);
>> +	/* Scaffolding - it has to be element 1 */
>> +	err = security_secid_to_secctx(lb.secid[1], &secdata, &seclen);
>>  	if (err)
>>  		return;
>>  
>> diff --git a/net/unix/af_unix.c b/net/unix/af_unix.c
>> index ddb838a1b74c..c50a004a1389 100644
>> --- a/net/unix/af_unix.c
>> +++ b/net/unix/af_unix.c
>> @@ -143,17 +143,17 @@ static struct hlist_head *unix_sockets_unbound(void *addr)
>>  #ifdef CONFIG_SECURITY_NETWORK
>>  static void unix_get_secdata(struct scm_cookie *scm, struct sk_buff *skb)
>>  {
>> -	UNIXCB(skb).secid = scm->secid;
>> +	UNIXCB(skb).lsmblob = scm->lsmblob;
>>  }
>>  
>>  static inline void unix_set_secdata(struct scm_cookie *scm, struct sk_buff *skb)
>>  {
>> -	scm->secid = UNIXCB(skb).secid;
>> +	scm->lsmblob = UNIXCB(skb).lsmblob;
>>  }
>>  
>>  static inline bool unix_secdata_eq(struct scm_cookie *scm, struct sk_buff *skb)
>>  {
>> -	return (scm->secid == UNIXCB(skb).secid);
>> +	return lsmblob_equal(&scm->lsmblob, &(UNIXCB(skb).lsmblob));
>>  }
>>  #else
>>  static inline void unix_get_secdata(struct scm_cookie *scm, struct sk_buff *skb)
>> diff --git a/security/security.c b/security/security.c
>> index 4296cd2ca508..5ed818699e15 100644
>> --- a/security/security.c
>> +++ b/security/security.c
>> @@ -2132,10 +2132,20 @@ int security_socket_getpeersec_stream(struct socket *sock, char __user *optval,
>>  				optval, optlen, len);
>>  }
>>  
>> -int security_socket_getpeersec_dgram(struct socket *sock, struct sk_buff *skb, u32 *secid)
>> +int security_socket_getpeersec_dgram(struct socket *sock, struct sk_buff *skb,
>> +				     struct lsmblob *l)
>>  {
>> -	return call_int_hook(socket_getpeersec_dgram, -ENOPROTOOPT, sock,
>> -			     skb, secid);
>> +	struct security_hook_list *hp;
>> +	int rc = -ENOPROTOOPT;
>> +
>> +	hlist_for_each_entry(hp, &security_hook_heads.socket_getpeersec_dgram,
>> +			     list) {
>> +		rc = hp->hook.socket_getpeersec_dgram(sock, skb,
>> +						      &l->secid[hp->slot]);
>> +		if (rc != 0)
>> +			break;
>> +	}
>> +	return rc;
>>  }
>>  EXPORT_SYMBOL(security_socket_getpeersec_dgram);
>>  
>> -- 
>> 2.20.1
>>

diff --git a/include/linux/security.h b/include/linux/security.h
index 89a5391f2441..64f5cc2dd249 100644
--- a/include/linux/security.h
+++ b/include/linux/security.h
@@ -1276,7 +1276,8 @@  int security_socket_shutdown(struct socket *sock, int how);
 int security_sock_rcv_skb(struct sock *sk, struct sk_buff *skb);
 int security_socket_getpeersec_stream(struct socket *sock, char __user *optval,
 				      int __user *optlen, unsigned len);
-int security_socket_getpeersec_dgram(struct socket *sock, struct sk_buff *skb, u32 *secid);
+int security_socket_getpeersec_dgram(struct socket *sock, struct sk_buff *skb,
+				     struct lsmblob *l);
 int security_sk_alloc(struct sock *sk, int family, gfp_t priority);
 void security_sk_free(struct sock *sk);
 void security_sk_clone(const struct sock *sk, struct sock *newsk);
@@ -1414,7 +1415,9 @@  static inline int security_socket_getpeersec_stream(struct socket *sock, char __
 	return -ENOPROTOOPT;
 }
 
-static inline int security_socket_getpeersec_dgram(struct socket *sock, struct sk_buff *skb, u32 *secid)
+static inline int security_socket_getpeersec_dgram(struct socket *sock,
+						   struct sk_buff *skb,
+						   struct lsmblob *l)
 {
 	return -ENOPROTOOPT;
 }
diff --git a/include/net/af_unix.h b/include/net/af_unix.h
index 3426d6dacc45..933492c08b8c 100644
--- a/include/net/af_unix.h
+++ b/include/net/af_unix.h
@@ -36,7 +36,7 @@  struct unix_skb_parms {
 	kgid_t			gid;
 	struct scm_fp_list	*fp;		/* Passed files		*/
 #ifdef CONFIG_SECURITY_NETWORK
-	u32			secid;		/* Security ID		*/
+	struct lsmblob		lsmblob;	/* Security LSM data	*/
 #endif
 	u32			consumed;
 } __randomize_layout;
diff --git a/include/net/scm.h b/include/net/scm.h
index 1ce365f4c256..c87a17101c86 100644
--- a/include/net/scm.h
+++ b/include/net/scm.h
@@ -33,7 +33,7 @@  struct scm_cookie {
 	struct scm_fp_list	*fp;		/* Passed files		*/
 	struct scm_creds	creds;		/* Skb credentials	*/
 #ifdef CONFIG_SECURITY_NETWORK
-	u32			secid;		/* Passed security ID 	*/
+	struct lsmblob		lsmblob;	/* Passed LSM data	*/
 #endif
 };
 
@@ -46,7 +46,7 @@  struct scm_fp_list *scm_fp_dup(struct scm_fp_list *fpl);
 #ifdef CONFIG_SECURITY_NETWORK
 static __inline__ void unix_get_peersec_dgram(struct socket *sock, struct scm_cookie *scm)
 {
-	security_socket_getpeersec_dgram(sock, NULL, &scm->secid);
+	security_socket_getpeersec_dgram(sock, NULL, &scm->lsmblob);
 }
 #else
 static __inline__ void unix_get_peersec_dgram(struct socket *sock, struct scm_cookie *scm)
@@ -97,7 +97,9 @@  static inline void scm_passec(struct socket *sock, struct msghdr *msg, struct sc
 	int err;
 
 	if (test_bit(SOCK_PASSSEC, &sock->flags)) {
-		err = security_secid_to_secctx(scm->secid, &secdata, &seclen);
+		/* Scaffolding - it has to be element 1 for now */
+		err = security_secid_to_secctx(scm->lsmblob.secid[1],
+					       &secdata, &seclen);
 
 		if (!err) {
 			put_cmsg(msg, SOL_SOCKET, SCM_SECURITY, seclen, secdata);
diff --git a/net/ipv4/ip_sockglue.c b/net/ipv4/ip_sockglue.c
index 82f341e84fae..fbe2147ee595 100644
--- a/net/ipv4/ip_sockglue.c
+++ b/net/ipv4/ip_sockglue.c
@@ -130,15 +130,17 @@  static void ip_cmsg_recv_checksum(struct msghdr *msg, struct sk_buff *skb,
 
 static void ip_cmsg_recv_security(struct msghdr *msg, struct sk_buff *skb)
 {
+	struct lsmblob lb;
 	char *secdata;
-	u32 seclen, secid;
+	u32 seclen;
 	int err;
 
-	err = security_socket_getpeersec_dgram(NULL, skb, &secid);
+	err = security_socket_getpeersec_dgram(NULL, skb, &lb);
 	if (err)
 		return;
 
-	err = security_secid_to_secctx(secid, &secdata, &seclen);
+	/* Scaffolding - it has to be element 1 */
+	err = security_secid_to_secctx(lb.secid[1], &secdata, &seclen);
 	if (err)
 		return;
 
diff --git a/net/unix/af_unix.c b/net/unix/af_unix.c
index ddb838a1b74c..c50a004a1389 100644
--- a/net/unix/af_unix.c
+++ b/net/unix/af_unix.c
@@ -143,17 +143,17 @@  static struct hlist_head *unix_sockets_unbound(void *addr)
 #ifdef CONFIG_SECURITY_NETWORK
 static void unix_get_secdata(struct scm_cookie *scm, struct sk_buff *skb)
 {
-	UNIXCB(skb).secid = scm->secid;
+	UNIXCB(skb).lsmblob = scm->lsmblob;
 }
 
 static inline void unix_set_secdata(struct scm_cookie *scm, struct sk_buff *skb)
 {
-	scm->secid = UNIXCB(skb).secid;
+	scm->lsmblob = UNIXCB(skb).lsmblob;
 }
 
 static inline bool unix_secdata_eq(struct scm_cookie *scm, struct sk_buff *skb)
 {
-	return (scm->secid == UNIXCB(skb).secid);
+	return lsmblob_equal(&scm->lsmblob, &(UNIXCB(skb).lsmblob));
 }
 #else
 static inline void unix_get_secdata(struct scm_cookie *scm, struct sk_buff *skb)
diff --git a/security/security.c b/security/security.c
index 4296cd2ca508..5ed818699e15 100644
--- a/security/security.c
+++ b/security/security.c
@@ -2132,10 +2132,20 @@  int security_socket_getpeersec_stream(struct socket *sock, char __user *optval,
 				optval, optlen, len);
 }
 
-int security_socket_getpeersec_dgram(struct socket *sock, struct sk_buff *skb, u32 *secid)
+int security_socket_getpeersec_dgram(struct socket *sock, struct sk_buff *skb,
+				     struct lsmblob *l)
 {
-	return call_int_hook(socket_getpeersec_dgram, -ENOPROTOOPT, sock,
-			     skb, secid);
+	struct security_hook_list *hp;
+	int rc = -ENOPROTOOPT;
+
+	hlist_for_each_entry(hp, &security_hook_heads.socket_getpeersec_dgram,
+			     list) {
+		rc = hp->hook.socket_getpeersec_dgram(sock, skb,
+						      &l->secid[hp->slot]);
+		if (rc != 0)
+			break;
+	}
+	return rc;
 }
 EXPORT_SYMBOL(security_socket_getpeersec_dgram);

[v2,07/25] net: Prepare UDS for secuirty module stacking

Commit Message

Comments

Patch