From patchwork Sat Aug 13 20:35:36 2016
X-Patchwork-Submitter: Casey Schaufler
X-Patchwork-Id: 9279303
Subject: [PATCH 04/25] AppArmor: Abstract the cred security blob
To: LSM , James Morris
References: <801ef9a9-e594-387c-f285-8d90879ee2bf@schaufler-ca.com>
Cc: John Johansen , Tetsuo Handa , Paul Moore , Stephen Smalley
From: Casey Schaufler Message-ID: Date: Sat, 13 Aug 2016 13:35:36 -0700 User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:45.0) Gecko/20100101 Thunderbird/45.2.0 MIME-Version: 1.0 In-Reply-To: <801ef9a9-e594-387c-f285-8d90879ee2bf@schaufler-ca.com> Sender: owner-linux-security-module@vger.kernel.org Precedence: bulk List-ID: X-Virus-Scanned: ClamAV using ClamSMTP Subject: [PATCH 04/25] AppArmor: Abstract the cred security blob Abstract reading the credential security blob. Remove abstraction when writing the credential security blob. There is no change in the behavior of the code. Signed-off-by: Casey Schaufler --- security/apparmor/include/context.h | 10 ++++++++-- security/apparmor/lsm.c | 15 +++++++++------ 2 files changed, 17 insertions(+), 8 deletions(-) diff --git a/security/apparmor/include/context.h b/security/apparmor/include/context.h index 6bf6579..07fb7a1 100644 --- a/security/apparmor/include/context.h +++ b/security/apparmor/include/context.h @@ -18,10 +18,11 @@ #include #include #include +#include #include "policy.h" -#define cred_cxt(X) (X)->security +#define cred_cxt(X) apparmor_cred(X) #define current_cxt() cred_cxt(current_cred()) /* struct aa_file_cxt - the AppArmor context the file was opened in @@ -85,6 +86,10 @@ int aa_set_current_hat(struct aa_profile *profile, u64 token); int aa_restore_previous_profile(u64 cookie); struct aa_profile *aa_get_task_profile(struct task_struct *task); +static inline struct aa_task_cxt *apparmor_cred(const struct cred *cred) +{ + return cred->security; +} /** * aa_cred_profile - obtain cred's profiles @@ -96,7 +101,8 @@ struct aa_profile *aa_get_task_profile(struct task_struct *task); */ static inline struct aa_profile *aa_cred_profile(const struct cred *cred) { - struct aa_task_cxt *cxt = cred_cxt(cred); + struct aa_task_cxt *cxt = apparmor_cred(cred); + BUG_ON(!cxt || !cxt->profile); return cxt->profile; } diff --git a/security/apparmor/lsm.c b/security/apparmor/lsm.c index b865cf7..b86c337 100644 
--- a/security/apparmor/lsm.c +++ b/security/apparmor/lsm.c @@ -49,7 +49,7 @@ int apparmor_initialized __initdata; static void apparmor_cred_free(struct cred *cred) { aa_free_task_context(cred_cxt(cred)); - cred_cxt(cred) = NULL; + cred->security = NULL; } /* @@ -62,7 +62,7 @@ static int apparmor_cred_alloc_blank(struct cred *cred, gfp_t gfp) if (!cxt) return -ENOMEM; - cred_cxt(cred) = cxt; + cred->security = cxt; return 0; } @@ -72,13 +72,14 @@ static int apparmor_cred_alloc_blank(struct cred *cred, gfp_t gfp) static int apparmor_cred_prepare(struct cred *new, const struct cred *old, gfp_t gfp) { + struct aa_task_cxt *cxt; /* freed by apparmor_cred_free */ - struct aa_task_cxt *cxt = aa_alloc_task_context(gfp); + cxt = aa_alloc_task_context(gfp); if (!cxt) return -ENOMEM; aa_dup_task_context(cxt, cred_cxt(old)); - cred_cxt(new) = cxt; + new->security = cxt; return 0; } @@ -886,7 +887,7 @@ static int __init set_init_cxt(void) return -ENOMEM; cxt->profile = aa_get_profile(root_ns->unconfined); - cred_cxt(cred) = cxt; + cred->security = cxt; return 0; } @@ -896,11 +897,13 @@ static int __init apparmor_init(void) int error; if (!apparmor_enabled || !security_module_enable("apparmor")) { - aa_info_message("AppArmor disabled by boot time parameter"); + aa_info_message( + "AppArmor disabled by boot time parameter"); apparmor_enabled = 0; return 0; } + error = aa_alloc_root_ns(); if (error) { AA_ERROR("Unable to allocate default profile namespace\n");
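Review bot: in the first context.h hunk, `cred_cxt(X)` now expands to the function call `apparmor_cred(X)` and is therefore no longer an lvalue, which is why every `cred_cxt(cred) = ...` in lsm.c has to be rewritten as `cred->security = ...`; a one-line comment at the `#define` saying the macro is read-only would stop out-of-tree or later in-tree callers from assigning through it and getting a confusing compile error. Note also that the macro is defined well before `apparmor_cred()` itself, which is fine for macro expansion at use sites but means any inline code placed between the two in this header cannot use `cred_cxt()`.

Review bot: the new `apparmor_cred()` helper in the second context.h hunk has no kernel-doc comment, while the neighbouring `aa_cred_profile()` does; a short block describing the parameter and that it returns the cred's `struct aa_task_cxt` would keep the header consistent. The `apparmor_` prefix also differs from the `aa_` prefix used by everything else declared in this header, so either name it `aa_cred_cxt()` or similar, or say in the commit message why the different prefix is intended.

Review bot: the `BUG_ON(!cxt || !cxt->profile)` added to `aa_cred_profile()` in the third context.h hunk is a behaviour change, contradicting the commit message's "There is no change in the behavior of the code". Before this patch a cred whose context has a NULL `profile` simply returned NULL to the caller; after it the kernel panics. Either drop the check from this cleanup patch, or downgrade it to `WARN_ON_ONCE()` and state in the commit message that the assertion is new and why it is safe.

Review bot: in the `apparmor_cred_prepare()` hunk, splitting `struct aa_task_cxt *cxt;` from the `cxt = aa_alloc_task_context(gfp);` assignment is not required by the accessor change and only adds churn; the original `struct aa_task_cxt *cxt = aa_alloc_task_context(gfp);` can stay, with the `/* freed by apparmor_cred_free */` comment placed on the line above it if it is wanted.

Review bot: the last lsm.c hunk (`apparmor_init()`) contains only whitespace changes, re-wrapping the `aa_info_message()` call onto two lines and inserting a blank line before `error = aa_alloc_root_ns();`, neither of which relates to the cred blob abstraction this patch describes. Please drop them from this patch or move them to a separate whitespace-only change so the diff stays reviewable against its commit message.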