From patchwork Mon Jul 11 19:29:44 2016
X-Patchwork-Submitter: Casey Schaufler
X-Patchwork-Id: 9224001
Subject: [PATCH RFC 01/10] AppArmor: Abstract the cred security blob
To: LSM, James Morris
Cc: John Johansen, Tetsuo Handa, Paul Moore, Stephen Smalley
From: Casey Schaufler
Message-ID: <3bee601f-8f4b-58e6-f516-67c60a59ef46@schaufler-ca.com>
Date: Mon, 11 Jul 2016 12:29:44 -0700

Abstract reading the credential security blob.
Remove abstraction when writing the credential security blob.
There is no change in the behavior of the code.

Signed-off-by: Casey Schaufler
---
 security/apparmor/include/context.h | 10 ++++++++--
 security/apparmor/lsm.c             | 15 +++++++++------
 2 files changed, 17 insertions(+), 8 deletions(-)

diff --git a/security/apparmor/include/context.h b/security/apparmor/include/context.h index 6bf6579..07fb7a1 100644 --- a/security/apparmor/include/context.h +++ b/security/apparmor/include/context.h @@ -18,10 +18,11 @@ #include #include #include +#include #include "policy.h" -#define cred_cxt(X) (X)->security +#define cred_cxt(X) apparmor_cred(X) #define current_cxt() cred_cxt(current_cred()) /* struct aa_file_cxt - the AppArmor context the file was opened in @@ -85,6 +86,10 @@ int aa_set_current_hat(struct aa_profile *profile, u64 token); int aa_restore_previous_profile(u64 cookie); struct aa_profile *aa_get_task_profile(struct task_struct *task); +static inline struct aa_task_cxt *apparmor_cred(const struct cred *cred) +{ + return cred->security; +} /** * aa_cred_profile - obtain cred's profiles
@@ -96,7 +101,8 @@ struct aa_profile *aa_get_task_profile(struct task_struct *task); */ static inline struct aa_profile *aa_cred_profile(const struct cred *cred) { - struct aa_task_cxt *cxt = cred_cxt(cred); + struct aa_task_cxt *cxt = apparmor_cred(cred); + BUG_ON(!cxt || !cxt->profile); return cxt->profile; } diff --git a/security/apparmor/lsm.c b/security/apparmor/lsm.c index 5cac15f..1c022ec 100644 --- a/security/apparmor/lsm.c +++ b/security/apparmor/lsm.c @@ -49,7 +49,7 @@ int apparmor_initialized __initdata; static void apparmor_cred_free(struct cred *cred) { aa_free_task_context(cred_cxt(cred)); - cred_cxt(cred) = NULL; + cred->security = NULL; } /* @@ -62,7 +62,7 @@ static int apparmor_cred_alloc_blank(struct cred *cred, gfp_t gfp) if (!cxt) return -ENOMEM; - cred_cxt(cred) = cxt; + cred->security = cxt; return 0; } @@ -72,13 +72,14 @@ static int apparmor_cred_alloc_blank(struct cred *cred, gfp_t gfp) static int apparmor_cred_prepare(struct cred *new, const struct cred *old, gfp_t gfp) { + struct aa_task_cxt *cxt; /* freed by apparmor_cred_free */ - struct aa_task_cxt *cxt = aa_alloc_task_context(gfp); + cxt = aa_alloc_task_context(gfp); if (!cxt) return -ENOMEM; aa_dup_task_context(cxt, cred_cxt(old)); - cred_cxt(new) = cxt; + new->security = cxt; return 0; } @@ -880,7 +881,7 @@ static int __init set_init_cxt(void) return -ENOMEM; cxt->profile = aa_get_profile(root_ns->unconfined); - cred_cxt(cred) = cxt; + cred->security = cxt; return 0; } @@ -890,11 +891,13 @@ static int __init apparmor_init(void) int error; if (!apparmor_enabled || !security_module_enable("apparmor")) { - aa_info_message("AppArmor disabled by boot time parameter"); + aa_info_message( + "AppArmor disabled by boot time parameter"); apparmor_enabled = 0; return 0; } + error = aa_alloc_root_ns(); if (error) { AA_ERROR("Unable to allocate default profile namespace\n");
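Review bot: in the context.h hunk at `@@ -18,10 +18,11 @@`, redefining `cred_cxt(X)` as `apparmor_cred(X)` turns a macro that was usable as an lvalue into a function call, so any `cred_cxt(...) = ...` assignment that survives outside the two files touched here will stop compiling; the lsm.c hunks convert the writers in that file, but a tree-wide grep for assignments through `cred_cxt()` and `current_cxt()` should be mentioned in the changelog. The macro also now refers to an inline function that is defined only at the `@@ -85,6 +86,10 @@` hunk further down the same header, which is fine for uses in .c files but would break any use of `cred_cxt()` inside context.h above that point; moving the inline helper up next to the `#define` removes the ordering hazard.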
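Review bot: the new `apparmor_cred()` helper added at `@@ -85,6 +86,10 @@` has no kernel-doc comment, while the neighbouring `aa_cred_profile()` it is placed directly above does; a short `/** apparmor_cred - ... */` block keeps the header consistent. The `apparmor_` prefix is also the one lsm.c uses for LSM hook callbacks, whereas the rest of context.h uses `aa_`; if the cross-module naming is deliberate for the series (the 01/10 numbering suggests each LSM gets the same accessor), a sentence in the commit message saying so would pre-empt the question.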
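Review bot: the `BUG_ON(!cxt || !cxt->profile);` added to `aa_cred_profile()` in the hunk at `@@ -96,7 +101,8 @@` contradicts the changelog's "There is no change in the behavior of the code": a cred whose context carries a NULL `profile` previously returned NULL to the caller and now panics the machine. Either drop the check from this mechanical patch, or, if it is wanted, make it a `WARN_ON()` and call it out in the commit message. Separately, this function now calls `apparmor_cred(cred)` directly while the rest of the tree still goes through `cred_cxt()`; pick one spelling for reads.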
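Review bot: in `apparmor_cred_free()` at `@@ -49,7 +49,7 @@` the blob is still read through `cred_cxt(cred)` but cleared with a raw `cred->security = NULL;`, and the same read-abstracted/write-raw split is repeated in `apparmor_cred_alloc_blank()`, `apparmor_cred_prepare()` and `set_init_cxt()`. The commit message says this asymmetry is intended ("Remove abstraction when writing"), but not why; a line explaining what later patches in the series do with the writers would make the split look deliberate rather than like a half-finished conversion.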
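Review bot: in `apparmor_cred_prepare()` at `@@ -72,13 +72,14 @@` the declaration `struct aa_task_cxt *cxt;` has been split from its initialisation, which leaves the `/* freed by apparmor_cred_free */` comment dangling between the declaration and `cxt = aa_alloc_task_context(gfp);`, where it no longer obviously describes the allocation. For a patch whose scope is how the blob is read, keeping the original single line `struct aa_task_cxt *cxt = aa_alloc_task_context(gfp);` avoids the churn; if the split is wanted, move the comment above the declaration.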
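Review bot: the hunk at `@@ -890,11 +891,13 @@` only rewraps `aa_info_message("AppArmor disabled by boot time parameter");` onto two lines and inserts a blank line before `error = aa_alloc_root_ns();`; neither touches the cred blob, so these are unrelated whitespace changes in a patch the changelog describes as a pure accessor change. They belong in a separate cleanup, if anywhere, so that the diff stays reviewable as what it says it is.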