From patchwork Sat Aug 13 20:36:20 2016 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Casey Schaufler X-Patchwork-Id: 9279321 Return-Path: Received: from mail.wl.linuxfoundation.org (pdx-wl-mail.web.codeaurora.org [172.30.200.125]) by pdx-korg-patchwork.web.codeaurora.org (Postfix) with ESMTP id 0232060231 for ; Sun, 14 Aug 2016 11:50:03 +0000 (UTC) Received: from mail.wl.linuxfoundation.org (localhost [127.0.0.1]) by mail.wl.linuxfoundation.org (Postfix) with ESMTP id E3F9228A01 for ; Sun, 14 Aug 2016 11:50:02 +0000 (UTC) Received: by mail.wl.linuxfoundation.org (Postfix, from userid 486) id D409428A4A; Sun, 14 Aug 2016 11:50:02 +0000 (UTC) X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on pdx-wl-mail.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-6.8 required=2.0 tests=BAYES_00,DKIM_SIGNED, RCVD_IN_DNSWL_HI,T_DKIM_INVALID autolearn=ham version=3.3.1 Received: from vger.kernel.org (vger.kernel.org [209.132.180.67]) by mail.wl.linuxfoundation.org (Postfix) with ESMTP id 494C128A01 for ; Sun, 14 Aug 2016 11:50:02 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S934208AbcHNLuA (ORCPT ); Sun, 14 Aug 2016 07:50:00 -0400 Received: from nm4.bullet.mail.bf1.yahoo.com ([98.139.212.163]:47221 "EHLO nm4.bullet.mail.bf1.yahoo.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S934143AbcHNLt7 (ORCPT ); Sun, 14 Aug 2016 07:49:59 -0400 DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=yahoo.com; s=s2048; t=1471120582; bh=IT6/nccc4SPSzxBhIs1piUvuFe4dbzlPxVn5yklCYvA=; h=Subject:To:References:Cc:From:Date:In-Reply-To:From:Subject; b=prB1gKH+lBQaZpwJwZ9b/erFhmAtTAvhCISq/T7/PmgfaTo39sygDiLK7lkEOMglBd8VXtCvDbE7dnbiEk1QrSgNvCrn+y1qOttPYdRXrsVaTEVetCVqSgsYqsez/KTRHcBZ5C1yOLfUsWIg8YfUpkbw4nDSwNxWL50V2YVRsOFEV2ZfVgn9kDwFYhL5EQz31kukwGgJwNWzDsHfqbhVgy2E+nr2q8uZRrLae+Q7kJbq9PRWkRenLvgWm7Z41u5sbeMug/uAMmVWwELEh7Ud3grI4spXEzbV5B2hR1nsqehrkzkwNkZ8A/i8o/xZ4MIx7nDvUhxYk3b04gAtbI/6Ww== Received: from [98.139.170.180] by nm4.bullet.mail.bf1.yahoo.com with NNFMP; 13 Aug 2016 20:36:22 -0000 Received: from [98.139.211.192] by tm23.bullet.mail.bf1.yahoo.com with NNFMP; 13 Aug 2016 20:36:22 -0000 Received: from [127.0.0.1] by smtp201.mail.bf1.yahoo.com with NNFMP; 13 Aug 2016 20:36:22 -0000 X-Yahoo-Newman-Id: 398696.42657.bm@smtp201.mail.bf1.yahoo.com X-Yahoo-Newman-Property: ymail-3 X-YMail-OSG: V7lwy7AVM1klu24nFb47VlZtdvVwF1C5r5AT.Vk4yBlp5Kk vD9qmE9uiaqhbm58vxREBqADlIoUru.qnXpw869Czzc7ojCT4L6.MbKuyh1D tw5sXmCT11CBKGqcZ2RtYzIleME8pDoBukGRRKCXolHw8chqgJMXb.6jywou aZDZ_0P7qCDHG3blOeShcaFjOpYoF7tfey6k54nBz9jGdAstEV1rA2RdGrZA GdDjsIBngEPwmaaSo8MjromHoPmGaCRwrg92bJ9bxvQ.pOYMtzYk3j21VAwZ yEko.E8cl4NgKYzXMh_LIYSl8OeQXeMvV4ZsWcCxm84Cfe_U_toSGMIXFmXF Vzla2HgLDvr8c.AO7gJzw2ZVOT415v6.5GAD_AuERi8NNWRR6p3HuDzCLIzJ Ei6pymiNVKfiCHW1nLphx7JQxgmdewPkXAubjW_rcIRWI02qxcl5nCGYdV8e GAa4YgjwDU1cMvzfWd9n6IsCCJm866iZdfsjEYczhntgSkvWkKL5OxiYo9CG D8Uwugs_6toLKjtTe6b57TeYVt.QZev_s_wGmUPP05X0lhCRb X-Yahoo-SMTP: OIJXglSswBDfgLtXluJ6wiAYv6_cnw-- Subject: [PATCH 10/25] SELinux: Abstract the file security blob To: LSM , James Morris References: <801ef9a9-e594-387c-f285-8d90879ee2bf@schaufler-ca.com> Cc: John Johansen , Tetsuo Handa , Paul Moore , Stephen Smalley From: Casey Schaufler Message-ID: Date: Sat, 13 Aug 2016 13:36:20 -0700 User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:45.0) Gecko/20100101 Thunderbird/45.2.0 MIME-Version: 1.0 In-Reply-To: <801ef9a9-e594-387c-f285-8d90879ee2bf@schaufler-ca.com> Sender: owner-linux-security-module@vger.kernel.org Precedence: bulk List-ID: X-Virus-Scanned: ClamAV using ClamSMTP Subject: [PATCH 10/25] SELinux: Abstract the file security blob Abstract reading the file security blob. Remove abstraction when writing the file security blob. There is no change in the behavior of the code. Signed-off-by: Casey Schaufler --- security/selinux/hooks.c | 18 +++++++++--------- security/selinux/include/objsec.h | 5 +++++ 2 files changed, 14 insertions(+), 9 deletions(-) diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c index 15c885d..04c8e9a 100644 --- a/security/selinux/hooks.c +++ b/security/selinux/hooks.c @@ -371,7 +371,7 @@ static int file_alloc_security(struct file *file) static void file_free_security(struct file *file) { - struct file_security_struct *fsec = file->f_security; + struct file_security_struct *fsec = selinux_file(file); file->f_security = NULL; kmem_cache_free(file_security_cache, fsec); } @@ -1775,7 +1775,7 @@ static int file_has_perm(const struct cred *cred, struct file *file, u32 av) { - struct file_security_struct *fsec = file->f_security; + struct file_security_struct *fsec = selinux_file(file); struct inode *inode = file_inode(file); struct common_audit_data ad; u32 sid = cred_sid(cred); @@ -2103,7 +2103,7 @@ static int selinux_binder_transfer_file(struct task_struct *from, struct file *file) { u32 sid = task_sid(to); - struct file_security_struct *fsec = file->f_security; + struct file_security_struct *fsec = selinux_file(file); struct dentry *dentry = file->f_path.dentry; struct inode_security_struct *isec; struct common_audit_data ad; @@ -3308,7 +3308,7 @@ static int selinux_revalidate_file_permission(struct file *file, int mask) static int selinux_file_permission(struct file *file, int mask) { struct inode *inode = file_inode(file); - struct file_security_struct *fsec = file->f_security; + struct file_security_struct *fsec = selinux_file(file); struct inode_security_struct *isec; u32 sid = current_sid(); @@ -3343,7 +3343,7 @@ static int ioctl_has_perm(const struct cred *cred, struct file *file, u32 requested, u16 cmd) { struct common_audit_data ad; - struct file_security_struct *fsec = file->f_security; + struct file_security_struct *fsec = selinux_file(file); struct inode *inode = file_inode(file); struct inode_security_struct *isec; struct lsm_ioctlop_audit ioctl; @@ -3572,7 +3572,7 @@ static void selinux_file_set_fowner(struct file *file) { struct file_security_struct *fsec; - fsec = file->f_security; + fsec = selinux_file(file); fsec->fown_sid = current_sid(); } @@ -3587,7 +3587,7 @@ static int selinux_file_send_sigiotask(struct task_struct *tsk, /* struct fown_struct is never outside the context of a struct file */ file = container_of(fown, struct file, f_owner); - fsec = file->f_security; + fsec = selinux_file(file); if (!signum) perm = signal_to_av(SIGIO); /* as per send_sigio_to_task */ @@ -3610,7 +3610,7 @@ static int selinux_file_open(struct file *file, const struct cred *cred) struct file_security_struct *fsec; struct inode_security_struct *isec; - fsec = file->f_security; + fsec = selinux_file(file); isec = inode_security(file_inode(file)); /* * Save inode label and policy sequence number @@ -3740,7 +3740,7 @@ static int selinux_kernel_module_from_file(struct file *file) ad.type = LSM_AUDIT_DATA_PATH; ad.u.path = file->f_path; - fsec = file->f_security; + fsec = selinux_file(file); if (sid != fsec->sid) { rc = avc_has_perm(sid, fsec->sid, SECCLASS_FD, FD__USE, &ad); if (rc) diff --git a/security/selinux/include/objsec.h b/security/selinux/include/objsec.h index 8556776..b39e03b 100644 --- a/security/selinux/include/objsec.h +++ b/security/selinux/include/objsec.h @@ -139,4 +139,9 @@ static inline struct task_security_struct *selinux_cred(const struct cred *cred) return cred->security; } +static inline struct file_security_struct *selinux_file(const struct file *file) +{ + return file->f_security; +} + #endif /* _SELINUX_OBJSEC_H_ */