| Message ID | 20250409185019.238841-41-paul@paul-moore.com (mailing list archive) |
|---|---|
| State | New |
| Headers | show |
| Series | Rework the LSM initialization | expand |
On Wed, Apr 09, 2025 at 02:49:55PM -0400, Paul Moore wrote: > Convert the lsm_blob_size fields to unsigned integers as there is no > current need for them to be negative, change "lsm_set_blob_size()" to > "lsm_blob_size_update()" to better reflect reality, and perform some > other minor cleanups to the associated code. > > Signed-off-by: Paul Moore <paul@paul-moore.com> Seems okay. Reviewed-by: Kees Cook <kees@kernel.org>
On 4/9/25 11:49, Paul Moore wrote: > Convert the lsm_blob_size fields to unsigned integers as there is no > current need for them to be negative, change "lsm_set_blob_size()" to > "lsm_blob_size_update()" to better reflect reality, and perform some > other minor cleanups to the associated code. > > Signed-off-by: Paul Moore <paul@paul-moore.com> Reviewed-by: John Johansen <john.johansen@canonical.com> > --- > include/linux/lsm_hooks.h | 28 +++++++++++----------- > security/lsm_init.c | 50 +++++++++++++++++++++++---------------- > 2 files changed, 43 insertions(+), 35 deletions(-) > > diff --git a/include/linux/lsm_hooks.h b/include/linux/lsm_hooks.h > index bc477fb20d02..a7ecb0791a0f 100644 > --- a/include/linux/lsm_hooks.h > +++ b/include/linux/lsm_hooks.h > @@ -102,20 +102,20 @@ struct security_hook_list { > * Security blob size or offset data. > */ > struct lsm_blob_sizes { > - int lbs_cred; > - int lbs_file; > - int lbs_ib; > - int lbs_inode; > - int lbs_sock; > - int lbs_superblock; > - int lbs_ipc; > - int lbs_key; > - int lbs_msg_msg; > - int lbs_perf_event; > - int lbs_task; > - int lbs_xattr_count; /* number of xattr slots in new_xattrs array */ > - int lbs_tun_dev; > - int lbs_bdev; > + unsigned int lbs_cred; > + unsigned int lbs_file; > + unsigned int lbs_ib; > + unsigned int lbs_inode; > + unsigned int lbs_sock; > + unsigned int lbs_superblock; > + unsigned int lbs_ipc; > + unsigned int lbs_key; > + unsigned int lbs_msg_msg; > + unsigned int lbs_perf_event; > + unsigned int lbs_task; > + unsigned int lbs_xattr_count; /* num xattr slots in new_xattrs array */ > + unsigned int lbs_tun_dev; > + unsigned int lbs_bdev; > }; > > /* > diff --git a/security/lsm_init.c b/security/lsm_init.c > index 7f2bc8c22ce9..9bb4b4fc9888 100644 > --- a/security/lsm_init.c > +++ b/security/lsm_init.c > @@ -148,16 +148,22 @@ static void __init lsm_order_append(struct lsm_info *lsm, const char *src) > lsm_is_enabled(lsm) ? "enabled" : "disabled"); > } > > -static void __init lsm_set_blob_size(int *need, int *lbs) > +/** > + * lsm_blob_size_update - Update the LSM blob size and offset information > + * @sz_req: the requested additional blob size > + * @sz_cur: the existing blob size > + */ > +static void __init lsm_blob_size_update(unsigned int *sz_req, > + unsigned int *sz_cur) > { > - int offset; > + unsigned int offset; > > - if (*need <= 0) > + if (*sz_req == 0) > return; > > - offset = ALIGN(*lbs, sizeof(void *)); > - *lbs = offset + *need; > - *need = offset; > + offset = ALIGN(*sz_cur, sizeof(void *)); > + *sz_cur = offset + *sz_req; > + *sz_req = offset; > } > > /** > @@ -186,24 +192,26 @@ static void __init lsm_prep_single(struct lsm_info *lsm) > > /* Register the LSM blob sizes. */ > blobs = lsm->blobs; > - lsm_set_blob_size(&blobs->lbs_cred, &blob_sizes.lbs_cred); > - lsm_set_blob_size(&blobs->lbs_file, &blob_sizes.lbs_file); > - lsm_set_blob_size(&blobs->lbs_ib, &blob_sizes.lbs_ib); > + lsm_blob_size_update(&blobs->lbs_cred, &blob_sizes.lbs_cred); > + lsm_blob_size_update(&blobs->lbs_file, &blob_sizes.lbs_file); > + lsm_blob_size_update(&blobs->lbs_ib, &blob_sizes.lbs_ib); > /* inode blob gets an rcu_head in addition to LSM blobs. */ > if (blobs->lbs_inode && blob_sizes.lbs_inode == 0) > blob_sizes.lbs_inode = sizeof(struct rcu_head); > - lsm_set_blob_size(&blobs->lbs_inode, &blob_sizes.lbs_inode); > - lsm_set_blob_size(&blobs->lbs_ipc, &blob_sizes.lbs_ipc); > - lsm_set_blob_size(&blobs->lbs_key, &blob_sizes.lbs_key); > - lsm_set_blob_size(&blobs->lbs_msg_msg, &blob_sizes.lbs_msg_msg); > - lsm_set_blob_size(&blobs->lbs_perf_event, &blob_sizes.lbs_perf_event); > - lsm_set_blob_size(&blobs->lbs_sock, &blob_sizes.lbs_sock); > - lsm_set_blob_size(&blobs->lbs_superblock, &blob_sizes.lbs_superblock); > - lsm_set_blob_size(&blobs->lbs_task, &blob_sizes.lbs_task); > - lsm_set_blob_size(&blobs->lbs_tun_dev, &blob_sizes.lbs_tun_dev); > - lsm_set_blob_size(&blobs->lbs_xattr_count, > - &blob_sizes.lbs_xattr_count); > - lsm_set_blob_size(&blobs->lbs_bdev, &blob_sizes.lbs_bdev); > + lsm_blob_size_update(&blobs->lbs_inode, &blob_sizes.lbs_inode); > + lsm_blob_size_update(&blobs->lbs_ipc, &blob_sizes.lbs_ipc); > + lsm_blob_size_update(&blobs->lbs_key, &blob_sizes.lbs_key); > + lsm_blob_size_update(&blobs->lbs_msg_msg, &blob_sizes.lbs_msg_msg); > + lsm_blob_size_update(&blobs->lbs_perf_event, > + &blob_sizes.lbs_perf_event); > + lsm_blob_size_update(&blobs->lbs_sock, &blob_sizes.lbs_sock); > + lsm_blob_size_update(&blobs->lbs_superblock, > + &blob_sizes.lbs_superblock); > + lsm_blob_size_update(&blobs->lbs_task, &blob_sizes.lbs_task); > + lsm_blob_size_update(&blobs->lbs_tun_dev, &blob_sizes.lbs_tun_dev); > + lsm_blob_size_update(&blobs->lbs_xattr_count, > + &blob_sizes.lbs_xattr_count); > + lsm_blob_size_update(&blobs->lbs_bdev, &blob_sizes.lbs_bdev); > } > > /* Initialize a given LSM, if it is enabled. */
diff --git a/include/linux/lsm_hooks.h b/include/linux/lsm_hooks.h index bc477fb20d02..a7ecb0791a0f 100644 --- a/include/linux/lsm_hooks.h +++ b/include/linux/lsm_hooks.h @@ -102,20 +102,20 @@ struct security_hook_list { * Security blob size or offset data. */ struct lsm_blob_sizes { - int lbs_cred; - int lbs_file; - int lbs_ib; - int lbs_inode; - int lbs_sock; - int lbs_superblock; - int lbs_ipc; - int lbs_key; - int lbs_msg_msg; - int lbs_perf_event; - int lbs_task; - int lbs_xattr_count; /* number of xattr slots in new_xattrs array */ - int lbs_tun_dev; - int lbs_bdev; + unsigned int lbs_cred; + unsigned int lbs_file; + unsigned int lbs_ib; + unsigned int lbs_inode; + unsigned int lbs_sock; + unsigned int lbs_superblock; + unsigned int lbs_ipc; + unsigned int lbs_key; + unsigned int lbs_msg_msg; + unsigned int lbs_perf_event; + unsigned int lbs_task; + unsigned int lbs_xattr_count; /* num xattr slots in new_xattrs array */ + unsigned int lbs_tun_dev; + unsigned int lbs_bdev; }; /* diff --git a/security/lsm_init.c b/security/lsm_init.c index 7f2bc8c22ce9..9bb4b4fc9888 100644 --- a/security/lsm_init.c +++ b/security/lsm_init.c @@ -148,16 +148,22 @@ static void __init lsm_order_append(struct lsm_info *lsm, const char *src) lsm_is_enabled(lsm) ? "enabled" : "disabled"); } -static void __init lsm_set_blob_size(int *need, int *lbs) +/** + * lsm_blob_size_update - Update the LSM blob size and offset information + * @sz_req: the requested additional blob size + * @sz_cur: the existing blob size + */ +static void __init lsm_blob_size_update(unsigned int *sz_req, + unsigned int *sz_cur) { - int offset; + unsigned int offset; - if (*need <= 0) + if (*sz_req == 0) return; - offset = ALIGN(*lbs, sizeof(void *)); - *lbs = offset + *need; - *need = offset; + offset = ALIGN(*sz_cur, sizeof(void *)); + *sz_cur = offset + *sz_req; + *sz_req = offset; } /** @@ -186,24 +192,26 @@ static void __init lsm_prep_single(struct lsm_info *lsm) /* Register the LSM blob sizes. */ blobs = lsm->blobs; - lsm_set_blob_size(&blobs->lbs_cred, &blob_sizes.lbs_cred); - lsm_set_blob_size(&blobs->lbs_file, &blob_sizes.lbs_file); - lsm_set_blob_size(&blobs->lbs_ib, &blob_sizes.lbs_ib); + lsm_blob_size_update(&blobs->lbs_cred, &blob_sizes.lbs_cred); + lsm_blob_size_update(&blobs->lbs_file, &blob_sizes.lbs_file); + lsm_blob_size_update(&blobs->lbs_ib, &blob_sizes.lbs_ib); /* inode blob gets an rcu_head in addition to LSM blobs. */ if (blobs->lbs_inode && blob_sizes.lbs_inode == 0) blob_sizes.lbs_inode = sizeof(struct rcu_head); - lsm_set_blob_size(&blobs->lbs_inode, &blob_sizes.lbs_inode); - lsm_set_blob_size(&blobs->lbs_ipc, &blob_sizes.lbs_ipc); - lsm_set_blob_size(&blobs->lbs_key, &blob_sizes.lbs_key); - lsm_set_blob_size(&blobs->lbs_msg_msg, &blob_sizes.lbs_msg_msg); - lsm_set_blob_size(&blobs->lbs_perf_event, &blob_sizes.lbs_perf_event); - lsm_set_blob_size(&blobs->lbs_sock, &blob_sizes.lbs_sock); - lsm_set_blob_size(&blobs->lbs_superblock, &blob_sizes.lbs_superblock); - lsm_set_blob_size(&blobs->lbs_task, &blob_sizes.lbs_task); - lsm_set_blob_size(&blobs->lbs_tun_dev, &blob_sizes.lbs_tun_dev); - lsm_set_blob_size(&blobs->lbs_xattr_count, - &blob_sizes.lbs_xattr_count); - lsm_set_blob_size(&blobs->lbs_bdev, &blob_sizes.lbs_bdev); + lsm_blob_size_update(&blobs->lbs_inode, &blob_sizes.lbs_inode); + lsm_blob_size_update(&blobs->lbs_ipc, &blob_sizes.lbs_ipc); + lsm_blob_size_update(&blobs->lbs_key, &blob_sizes.lbs_key); + lsm_blob_size_update(&blobs->lbs_msg_msg, &blob_sizes.lbs_msg_msg); + lsm_blob_size_update(&blobs->lbs_perf_event, + &blob_sizes.lbs_perf_event); + lsm_blob_size_update(&blobs->lbs_sock, &blob_sizes.lbs_sock); + lsm_blob_size_update(&blobs->lbs_superblock, + &blob_sizes.lbs_superblock); + lsm_blob_size_update(&blobs->lbs_task, &blob_sizes.lbs_task); + lsm_blob_size_update(&blobs->lbs_tun_dev, &blob_sizes.lbs_tun_dev); + lsm_blob_size_update(&blobs->lbs_xattr_count, + &blob_sizes.lbs_xattr_count); + lsm_blob_size_update(&blobs->lbs_bdev, &blob_sizes.lbs_bdev); } /* Initialize a given LSM, if it is enabled. */
Convert the lsm_blob_size fields to unsigned integers as there is no current need for them to be negative, change "lsm_set_blob_size()" to "lsm_blob_size_update()" to better reflect reality, and perform some other minor cleanups to the associated code. Signed-off-by: Paul Moore <paul@paul-moore.com> --- include/linux/lsm_hooks.h | 28 +++++++++++----------- security/lsm_init.c | 50 +++++++++++++++++++++++---------------- 2 files changed, 43 insertions(+), 35 deletions(-)