Message ID | 1547806559-12097-1-git-send-email-penguin-kernel@I-love.SAKURA.ne.jp (mailing list archive) |
Series | LSM: Make lsm_early_cred() and lsm_early_task() local functions. | expand |
On 1/18/2019 2:15 AM, Tetsuo Handa wrote:
> Since current->cred == current->real_cred when ordered_lsm_init()
> is called, and lsm_early_cred()/lsm_early_task() need to be called
> between the amount of required bytes is determined and module specific
> initialization function is called, we can move these calls from
> individual modules to ordered_lsm_init().
>
> Signed-off-by: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
Seems to work fine to me. Acked-by: Casey Schaufler <casey@schaufler-ca.com>
> ---
> include/linux/lsm_hooks.h | 5 -----
> security/apparmor/lsm.c | 2 --
> security/security.c | 27 +++++++++++----------------
> security/selinux/hooks.c | 1 -
> security/smack/smack_lsm.c | 2 --
> security/tomoyo/tomoyo.c | 1 -
> 6 files changed, 11 insertions(+), 27 deletions(-)
>
> diff --git a/include/linux/lsm_hooks.h b/include/linux/lsm_hooks.h
> index c753d06..b3e94bc 100644
> --- a/include/linux/lsm_hooks.h
> +++ b/include/linux/lsm_hooks.h
> @@ -2133,9 +2133,4 @@ static inline void security_delete_hooks(struct security_hook_list *hooks,
>
> extern int lsm_inode_alloc(struct inode *inode);
>
> -#ifdef CONFIG_SECURITY
> -void __init lsm_early_cred(struct cred *cred);
> -void __init lsm_early_task(struct task_struct *task);
> -#endif
> -
> #endif /* ! __LINUX_LSM_HOOKS_H */
> diff --git a/security/apparmor/lsm.c b/security/apparmor/lsm.c
> index dff7f94..49d664d 100644
> --- a/security/apparmor/lsm.c
> +++ b/security/apparmor/lsm.c
> @@ -1484,8 +1484,6 @@ static int __init set_init_ctx(void)
> {
> struct cred *cred = (struct cred *)current->real_cred;
>
> - lsm_early_cred(cred);
> - lsm_early_task(current);
> set_cred_label(cred, aa_get_label(ns_unconfined(root_ns)));
>
> return 0;
> diff --git a/security/security.c b/security/security.c
> index 9a98c52..8c09334 100644
> --- a/security/security.c
> +++ b/security/security.c
> @@ -278,6 +278,9 @@ static void __init ordered_lsm_parse(const char *order, const char *origin)
> kfree(sep);
> }
>
> +static void __init lsm_early_cred(struct cred *cred);
> +static void __init lsm_early_task(struct task_struct *task);
> +
> static void __init ordered_lsm_init(void)
> {
> struct lsm_info **lsm;
> @@ -312,6 +315,8 @@ static void __init ordered_lsm_init(void)
> blob_sizes.lbs_inode, 0,
> SLAB_PANIC, NULL);
>
> + lsm_early_cred((struct cred *) current->cred);
> + lsm_early_task(current);
> for (lsm = ordered_lsms; *lsm; lsm++)
> initialize_lsm(*lsm);
>
> @@ -465,17 +470,12 @@ static int lsm_cred_alloc(struct cred *cred, gfp_t gfp)
> * lsm_early_cred - during initialization allocate a composite cred blob
> * @cred: the cred that needs a blob
> *
> - * Allocate the cred blob for all the modules if it's not already there
> + * Allocate the cred blob for all the modules
> */
> -void __init lsm_early_cred(struct cred *cred)
> +static void __init lsm_early_cred(struct cred *cred)
> {
> - int rc;
> + int rc = lsm_cred_alloc(cred, GFP_KERNEL);
>
> - if (cred == NULL)
> - panic("%s: NULL cred.\n", __func__);
> - if (cred->security != NULL)
> - return;
> - rc = lsm_cred_alloc(cred, GFP_KERNEL);
> if (rc)
> panic("%s: Early cred alloc failed.\n", __func__);
> }
> @@ -589,17 +589,12 @@ int lsm_msg_msg_alloc(struct msg_msg *mp)
> * lsm_early_task - during initialization allocate a composite task blob
> * @task: the task that needs a blob
> *
> - * Allocate the task blob for all the modules if it's not already there
> + * Allocate the task blob for all the modules
> */
> -void __init lsm_early_task(struct task_struct *task)
> +static void __init lsm_early_task(struct task_struct *task)
> {
> - int rc;
> + int rc = lsm_task_alloc(task);
>
> - if (task == NULL)
> - panic("%s: task cred.\n", __func__);
> - if (task->security != NULL)
> - return;
> - rc = lsm_task_alloc(task);
> if (rc)
> panic("%s: Early task alloc failed.\n", __func__);
> }
> diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c
> index 2332243..d0fa81c 100644
> --- a/security/selinux/hooks.c
> +++ b/security/selinux/hooks.c
> @@ -209,7 +209,6 @@ static void cred_init_security(void)
> struct cred *cred = (struct cred *) current->real_cred;
> struct task_security_struct *tsec;
>
> - lsm_early_cred(cred);
> tsec = selinux_cred(cred);
> tsec->osid = tsec->sid = SECINITSID_KERNEL;
> }
> diff --git a/security/smack/smack_lsm.c b/security/smack/smack_lsm.c
> index a326cd9..fa98394 100644
> --- a/security/smack/smack_lsm.c
> +++ b/security/smack/smack_lsm.c
> @@ -4772,8 +4772,6 @@ static __init int smack_init(void)
> if (!smack_inode_cache)
> return -ENOMEM;
>
> - lsm_early_cred(cred);
> -
> /*
> * Set the security state for the initial task.
> */
> diff --git a/security/tomoyo/tomoyo.c b/security/tomoyo/tomoyo.c
> index 066c0da..2b3eee0 100644
> --- a/security/tomoyo/tomoyo.c
> +++ b/security/tomoyo/tomoyo.c
> @@ -566,7 +566,6 @@ static int __init tomoyo_init(void)
> /* register ourselves with the security framework */
> security_add_hooks(tomoyo_hooks, ARRAY_SIZE(tomoyo_hooks), "tomoyo");
> printk(KERN_INFO "TOMOYO Linux initialized\n");
> - lsm_early_cred(cred);
> blob = tomoyo_cred(cred);
> *blob = &tomoyo_kernel_domain;
> tomoyo_mm_init();
On Fri, 18 Jan 2019, Tetsuo Handa wrote: > Since current->cred == current->real_cred when ordered_lsm_init() > is called, and lsm_early_cred()/lsm_early_task() need to be called > between the amount of required bytes is determined and module specific > initialization function is called, we can move these calls from > individual modules to ordered_lsm_init(). > > Signed-off-by: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp> Applied to git://git.kernel.org/pub/scm/linux/kernel/git/jmorris/linux-security.git next-general
diff --git a/include/linux/lsm_hooks.h b/include/linux/lsm_hooks.h
index c753d06..b3e94bc 100644
--- a/include/linux/lsm_hooks.h
+++ b/include/linux/lsm_hooks.h
@@ -2133,9 +2133,4 @@ static inline void security_delete_hooks(struct security_hook_list *hooks,
extern int lsm_inode_alloc(struct inode *inode);
-#ifdef CONFIG_SECURITY
-void __init lsm_early_cred(struct cred *cred);
-void __init lsm_early_task(struct task_struct *task);
-#endif
-
#endif /* ! __LINUX_LSM_HOOKS_H */
diff --git a/security/apparmor/lsm.c b/security/apparmor/lsm.c
index dff7f94..49d664d 100644
--- a/security/apparmor/lsm.c
+++ b/security/apparmor/lsm.c
@@ -1484,8 +1484,6 @@ static int __init set_init_ctx(void)
{
struct cred *cred = (struct cred *)current->real_cred;
- lsm_early_cred(cred);
- lsm_early_task(current);
set_cred_label(cred, aa_get_label(ns_unconfined(root_ns)));
return 0;
diff --git a/security/security.c b/security/security.c
index 9a98c52..8c09334 100644
--- a/security/security.c
+++ b/security/security.c
@@ -278,6 +278,9 @@ static void __init ordered_lsm_parse(const char *order, const char *origin)
kfree(sep);
}
+static void __init lsm_early_cred(struct cred *cred);
+static void __init lsm_early_task(struct task_struct *task);
+
static void __init ordered_lsm_init(void)
{
struct lsm_info **lsm;
@@ -312,6 +315,8 @@ static void __init ordered_lsm_init(void)
blob_sizes.lbs_inode, 0,
SLAB_PANIC, NULL);
+ lsm_early_cred((struct cred *) current->cred);
+ lsm_early_task(current);
for (lsm = ordered_lsms; *lsm; lsm++)
initialize_lsm(*lsm);
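Review bot: The two calls added to ordered_lsm_init() in the @@ -312 hunk carry no comment saying why they must sit exactly there, although the whole patch rests on that placement: after the blob sizes are final and the caches are created, and before the initialize_lsm() loop lets each module write into the cred and task blobs. A comment such as `/* Blob sizes are final here; the init cred/task blobs must exist before initialize_lsm() lets any module touch them. */` above `lsm_early_cred((struct cred *) current->cred);` would stop a later reorder from breaking every LSM's init path silently. The cast also discards the const qualifier on current->cred (and presumably its __rcu annotation, which sparse may report — confirm); the per-module code it replaces cast current->real_cred the same way, so this is not new, but passing current->real_cred here would match the commit message's own equality argument. The two forward declarations in the @@ -278 hunk could be avoided by moving the two definitions above ordered_lsm_init(), which is a style choice rather than a defect. ordered_lsm_init() continues outside the hunk.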
@@ -465,17 +470,12 @@ static int lsm_cred_alloc(struct cred *cred, gfp_t gfp)
* lsm_early_cred - during initialization allocate a composite cred blob
* @cred: the cred that needs a blob
*
- * Allocate the cred blob for all the modules if it's not already there
+ * Allocate the cred blob for all the modules
*/
-void __init lsm_early_cred(struct cred *cred)
+static void __init lsm_early_cred(struct cred *cred)
{
- int rc;
+ int rc = lsm_cred_alloc(cred, GFP_KERNEL);
- if (cred == NULL)
- panic("%s: NULL cred.\n", __func__);
- if (cred->security != NULL)
- return;
- rc = lsm_cred_alloc(cred, GFP_KERNEL);
if (rc)
panic("%s: Early cred alloc failed.\n", __func__);
}
@@ -589,17 +589,12 @@ int lsm_msg_msg_alloc(struct msg_msg *mp)
* lsm_early_task - during initialization allocate a composite task blob
* @task: the task that needs a blob
*
- * Allocate the task blob for all the modules if it's not already there
+ * Allocate the task blob for all the modules
*/
-void __init lsm_early_task(struct task_struct *task)
+static void __init lsm_early_task(struct task_struct *task)
{
- int rc;
+ int rc = lsm_task_alloc(task);
- if (task == NULL)
- panic("%s: task cred.\n", __func__);
- if (task->security != NULL)
- return;
- rc = lsm_task_alloc(task);
if (rc)
panic("%s: Early task alloc failed.\n", __func__);
}
diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c
index 2332243..d0fa81c 100644
--- a/security/selinux/hooks.c
+++ b/security/selinux/hooks.c
@@ -209,7 +209,6 @@ static void cred_init_security(void)
struct cred *cred = (struct cred *) current->real_cred;
struct task_security_struct *tsec;
- lsm_early_cred(cred);
tsec = selinux_cred(cred);
tsec->osid = tsec->sid = SECINITSID_KERNEL;
}
diff --git a/security/smack/smack_lsm.c b/security/smack/smack_lsm.c
index a326cd9..fa98394 100644
--- a/security/smack/smack_lsm.c
+++ b/security/smack/smack_lsm.c
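Review bot: Removing the `cred->security != NULL` early return in the @@ -465 hunk makes lsm_early_cred() unsafe to call more than once: a second call would now run lsm_cred_alloc() again and presumably replace the pointer, leaking the first blob, where the old code returned (lsm_cred_alloc() is outside the hunk, so this is inferred from its use here). That is acceptable now that ordered_lsm_init() is the only caller, but the new kernel-doc "Allocate the cred blob for all the modules" no longer says so; I would extend it with `* Called exactly once from ordered_lsm_init(), after all blob sizes are final and before any module initialization runs; @cred->security must still be NULL.` A cheap guard that keeps the old intent without the silent return is to split the declaration: `int rc;` then `if (WARN_ON(cred->security)) return;` then `rc = lsm_cred_alloc(cred, GFP_KERNEL);`. The @@ -589 hunk drops the matching `task->security != NULL` check from lsm_early_task() and deserves the same comment and guard.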
@@ -4772,8 +4772,6 @@ static __init int smack_init(void)
if (!smack_inode_cache)
return -ENOMEM;
- lsm_early_cred(cred);
-
/*
* Set the security state for the initial task.
*/
diff --git a/security/tomoyo/tomoyo.c b/security/tomoyo/tomoyo.c
index 066c0da..2b3eee0 100644
--- a/security/tomoyo/tomoyo.c
+++ b/security/tomoyo/tomoyo.c
@@ -566,7 +566,6 @@ static int __init tomoyo_init(void)
/* register ourselves with the security framework */
security_add_hooks(tomoyo_hooks, ARRAY_SIZE(tomoyo_hooks), "tomoyo");
printk(KERN_INFO "TOMOYO Linux initialized\n");
- lsm_early_cred(cred);
blob = tomoyo_cred(cred);
*blob = &tomoyo_kernel_domain;
tomoyo_mm_init();
Since current->cred == current->real_cred when ordered_lsm_init() is called, and lsm_early_cred()/lsm_early_task() need to be called between the point where the amount of required bytes is determined and the point where the module-specific initialization function is called, we can move these calls from individual modules to ordered_lsm_init(). Signed-off-by: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp> --- include/linux/lsm_hooks.h | 5 ----- security/apparmor/lsm.c | 2 -- security/security.c | 27 +++++++++++---------------- security/selinux/hooks.c | 1 - security/smack/smack_lsm.c | 2 -- security/tomoyo/tomoyo.c | 1 - 6 files changed, 11 insertions(+), 27 deletions(-)