From patchwork Sat Aug 13 20:37:14 2016
X-Patchwork-Submitter: Casey Schaufler
X-Patchwork-Id: 9279343
Subject: [PATCH 15/25] LSM: Remove unused security_release_secctx
To: LSM , James Morris
References: <801ef9a9-e594-387c-f285-8d90879ee2bf@schaufler-ca.com>
Cc: John Johansen , Tetsuo Handa , Paul Moore , Stephen Smalley
From: Casey Schaufler
Date: Sat, 13 Aug 2016 13:37:14 -0700
In-Reply-To: <801ef9a9-e594-387c-f285-8d90879ee2bf@schaufler-ca.com>

None of the upstream security modules release secctx's. This hook is unused and clutters the code substantially.

Signed-off-by: Casey Schaufler
---
fs/kernfs/dir.c | 6 +-----
fs/kernfs/inode.c | 2 --
fs/nfs/nfs4proc.c | 16 ----------------
fs/nfsd/nfs4xdr.c | 4 ----
fs/xattr.c | 4 +---
include/linux/security.h | 5 -----
include/net/scm.h | 4 +---
kernel/audit.c | 17 ++++-------------
kernel/auditsc.c | 2 --
net/ipv4/ip_sockglue.c | 1 -
net/ipv4/netfilter/nf_conntrack_l3proto_ipv4_compat.c | 2 --
net/netfilter/nf_conntrack_netlink.c | 1 -
net/netfilter/nf_conntrack_standalone.c | 2 --
net/netlabel/netlabel_unlabeled.c | 4 ----
net/netlabel/netlabel_user.c | 1 -
security/security.c | 6 ------
16 files changed, 7 insertions(+), 70 deletions(-)

diff --git a/fs/kernfs/dir.c b/fs/kernfs/dir.c index e57174d..b45ab83 100644 --- a/fs/kernfs/dir.c +++ b/fs/kernfs/dir.c @@ -566,12 +566,8 @@ void kernfs_put(struct kernfs_node *kn) kfree_const(kn->name); - if (kn->iattr) { - if (kn->iattr->ia_secdata) - security_release_secctx(kn->iattr->ia_secdata, - kn->iattr->ia_secdata_len); + if (kn->iattr) simple_xattrs_free(&kn->iattr->xattrs); - } kfree(kn->iattr); ida_simple_remove(&root->ino_ida, kn->ino); kmem_cache_free(kernfs_node_cache, kn); diff --git a/fs/kernfs/inode.c b/fs/kernfs/inode.c index 63b925d..650748e 100644 --- a/fs/kernfs/inode.c +++ b/fs/kernfs/inode.c 
@@ -189,8 +189,6 @@ int kernfs_iop_setxattr(struct dentry *unused, struct inode *inode, error = kernfs_node_setsecdata(kn, &secdata, &secdata_len); mutex_unlock(&kernfs_mutex); - if (secdata) - security_release_secctx(secdata, secdata_len); return error; } else if (!strncmp(name, XATTR_TRUSTED_PREFIX, XATTR_TRUSTED_PREFIX_LEN)) { return simple_xattr_set(&attrs->xattrs, name, value, size, diff --git a/fs/nfs/nfs4proc.c b/fs/nfs/nfs4proc.c index a036e93..6e61b53 100644 --- a/fs/nfs/nfs4proc.c +++ b/fs/nfs/nfs4proc.c @@ -123,12 +123,6 @@ nfs4_label_init_security(struct inode *dir, struct dentry *dentry, return NULL; } -static inline void -nfs4_label_release_security(struct nfs4_label *label) -{ - if (label) - security_release_secctx(label->label, label->len); -} static inline u32 *nfs4_bitmask(struct nfs_server *server, struct nfs4_label *label) { if (label) @@ -141,9 +135,6 @@ static inline struct nfs4_label * nfs4_label_init_security(struct inode *dir, struct dentry *dentry, struct iattr *sattr, struct nfs4_label *l) { return NULL; } -static inline void -nfs4_label_release_security(struct nfs4_label *label) -{ return; } static inline u32 * nfs4_bitmask(struct nfs_server *server, struct nfs4_label *label) { return server->attr_bitmask; } @@ -3037,8 +3028,6 @@ nfs4_atomic_open(struct inode *dir, struct nfs_open_context *ctx, /* Protect against concurrent sillydeletes */ state = nfs4_do_open(dir, ctx, open_flags, attr, label, opened); - nfs4_label_release_security(label); - if (IS_ERR(state)) return ERR_CAST(state); return state->inode; @@ -3750,7 +3739,6 @@ nfs4_proc_create(struct inode *dir, struct dentry *dentry, struct iattr *sattr, goto out; } out: - nfs4_label_release_security(ilabel); put_nfs_open_context(ctx); return status; } @@ -4023,7 +4011,6 @@ static int nfs4_proc_symlink(struct inode *dir, struct dentry *dentry, &exception); } while (exception.retry); - nfs4_label_release_security(label); return err; } 
@@ -4061,7 +4048,6 @@ static int nfs4_proc_mkdir(struct inode *dir, struct dentry *dentry, err = nfs4_handle_exception(NFS_SERVER(dir), err, &exception); } while (exception.retry); - nfs4_label_release_security(label); return err; } @@ -4171,8 +4157,6 @@ static int nfs4_proc_mknod(struct inode *dir, struct dentry *dentry, &exception); } while (exception.retry); - nfs4_label_release_security(label); - return err; } diff --git a/fs/nfsd/nfs4xdr.c b/fs/nfsd/nfs4xdr.c index 0aa0236..a70960b 100644 --- a/fs/nfsd/nfs4xdr.c +++ b/fs/nfsd/nfs4xdr.c @@ -2788,10 +2788,6 @@ out_acl: status = nfs_ok; out: -#ifdef CONFIG_NFSD_V4_SECURITY_LABEL - if (context) - security_release_secctx(context, contextlen); -#endif /* CONFIG_NFSD_V4_SECURITY_LABEL */ kfree(acl); if (tempfh) { fh_put(tempfh); diff --git a/fs/xattr.c b/fs/xattr.c index c243905..0fe1095 100644 --- a/fs/xattr.c +++ b/fs/xattr.c @@ -158,7 +158,7 @@ xattr_getsecurity(struct inode *inode, const char *name, void *value, if (!value || !size) { len = security_inode_getsecurity(inode, name, &buffer, false); - goto out_noalloc; + goto out; } len = security_inode_getsecurity(inode, name, &buffer, true); @@ -170,8 +170,6 @@ xattr_getsecurity(struct inode *inode, const char *name, void *value, } memcpy(value, buffer, len); out: - security_release_secctx(buffer, len); -out_noalloc: return len; } EXPORT_SYMBOL_GPL(xattr_getsecurity); diff --git a/include/linux/security.h b/include/linux/security.h index 7bf0a88..28ba388 100644 --- a/include/linux/security.h +++ b/include/linux/security.h 
@@ -363,7 +363,6 @@ int security_netlink_send(struct sock *sk, struct sk_buff *skb); int security_ismaclabel(const char *name); int security_secid_to_secctx(u32 secid, char **secdata, u32 *seclen); int security_secctx_to_secid(const char *secdata, u32 seclen, u32 *secid); -void security_release_secctx(char *secdata, u32 seclen); void security_inode_invalidate_secctx(struct inode *inode); int security_inode_notifysecctx(struct inode *inode, void *ctx, u32 ctxlen); @@ -1115,10 +1114,6 @@ static inline int security_secctx_to_secid(const char *secdata, return -EOPNOTSUPP; } -static inline void security_release_secctx(char *secdata, u32 seclen) -{ -} - static inline void security_inode_invalidate_secctx(struct inode *inode) { } diff --git a/include/net/scm.h b/include/net/scm.h index 59fa93c..5fc29b7 100644 --- a/include/net/scm.h +++ b/include/net/scm.h @@ -96,10 +96,8 @@ static inline void scm_passec(struct socket *sock, struct msghdr *msg, struct sc if (test_bit(SOCK_PASSSEC, &sock->flags)) { err = security_secid_to_secctx(scm->secid, &secdata, &seclen); - if (!err) { + if (!err) put_cmsg(msg, SOL_SOCKET, SCM_SECURITY, seclen, secdata); - security_release_secctx(secdata, seclen); - } } } #else diff --git a/kernel/audit.c b/kernel/audit.c index a8a91bd..5f0ec783 100644 --- a/kernel/audit.c +++ b/kernel/audit.c @@ -1029,17 +1029,12 @@ static int audit_receive_msg(struct sk_buff *skb, struct nlmsghdr *nlh) return err; } sig_data = kmalloc(sizeof(*sig_data) + len, GFP_KERNEL); - if (!sig_data) { - if (audit_sig_sid) - security_release_secctx(ctx, len); + if (!sig_data) return -ENOMEM; - } sig_data->uid = from_kuid(&init_user_ns, audit_sig_uid); sig_data->pid = audit_sig_pid; - if (audit_sig_sid) { + if (audit_sig_sid) memcpy(sig_data->ctx, ctx, len); - security_release_secctx(ctx, len); - } audit_send_reply(skb, seq, AUDIT_SIGNAL_INFO, 0, 0, sig_data, sizeof(*sig_data) + len); kfree(sig_data); 
@@ -1808,7 +1803,6 @@ void audit_log_name(struct audit_context *context, struct audit_names *n, *call_panic = 2; } else { audit_log_format(ab, " obj=%s", ctx); - security_release_secctx(ctx, len); } } @@ -1855,7 +1849,6 @@ int audit_log_task_context(struct audit_buffer *ab) } audit_log_format(ab, " subj=%s", ctx); - security_release_secctx(ctx, len); return 0; error_path: @@ -2055,12 +2048,10 @@ void audit_log_secctx(struct audit_buffer *ab, u32 secid) u32 len; char *secctx; - if (security_secid_to_secctx(secid, &secctx, &len)) { + if (security_secid_to_secctx(secid, &secctx, &len)) audit_panic("Cannot convert secid to context"); - } else { + else audit_log_format(ab, " obj=%s", secctx); - security_release_secctx(secctx, len); - } } EXPORT_SYMBOL(audit_log_secctx); #endif diff --git a/kernel/auditsc.c b/kernel/auditsc.c index 5abf1dc..0936262 100644 --- a/kernel/auditsc.c +++ b/kernel/auditsc.c @@ -983,7 +983,6 @@ static int audit_log_pid_context(struct audit_context *context, pid_t pid, rc = 1; } else { audit_log_format(ab, " obj=%s", ctx); - security_release_secctx(ctx, len); } } audit_log_format(ab, " ocomm="); @@ -1199,7 +1198,6 @@ static void show_special(struct audit_context *context, int *call_panic) *call_panic = 1; } else { audit_log_format(ab, " obj=%s", ctx); - security_release_secctx(ctx, len); } } if (context->ipc.has_perm) { diff --git a/net/ipv4/ip_sockglue.c b/net/ipv4/ip_sockglue.c index 71a52f4d..8ef899b 100644 --- a/net/ipv4/ip_sockglue.c +++ b/net/ipv4/ip_sockglue.c @@ -127,7 +127,6 @@ static void ip_cmsg_recv_security(struct msghdr *msg, struct sk_buff *skb) return; put_cmsg(msg, SOL_IP, SCM_SECURITY, seclen, secdata); - security_release_secctx(secdata, seclen); } static void ip_cmsg_recv_dstaddr(struct msghdr *msg, struct sk_buff *skb) diff --git a/net/ipv4/netfilter/nf_conntrack_l3proto_ipv4_compat.c b/net/ipv4/netfilter/nf_conntrack_l3proto_ipv4_compat.c index 6392371..9e9b0a3 100644 
--- a/net/ipv4/netfilter/nf_conntrack_l3proto_ipv4_compat.c +++ b/net/ipv4/netfilter/nf_conntrack_l3proto_ipv4_compat.c @@ -109,8 +109,6 @@ static void ct_show_secctx(struct seq_file *s, const struct nf_conn *ct) return; seq_printf(s, "secctx=%s ", secctx); - - security_release_secctx(secctx, len); } #else static inline void ct_show_secctx(struct seq_file *s, const struct nf_conn *ct) diff --git a/net/netfilter/nf_conntrack_netlink.c b/net/netfilter/nf_conntrack_netlink.c index 050bb34..0cfa4ff 100644 --- a/net/netfilter/nf_conntrack_netlink.c +++ b/net/netfilter/nf_conntrack_netlink.c @@ -332,7 +332,6 @@ static int ctnetlink_dump_secctx(struct sk_buff *skb, const struct nf_conn *ct) ret = 0; nla_put_failure: - security_release_secctx(secctx, len); return ret; } #else diff --git a/net/netfilter/nf_conntrack_standalone.c b/net/netfilter/nf_conntrack_standalone.c index 958a145..980ffd0 100644 --- a/net/netfilter/nf_conntrack_standalone.c +++ b/net/netfilter/nf_conntrack_standalone.c @@ -133,8 +133,6 @@ static void ct_show_secctx(struct seq_file *s, const struct nf_conn *ct) return; seq_printf(s, "secctx=%s ", secctx); - - security_release_secctx(secctx, len); } #else static inline void ct_show_secctx(struct seq_file *s, const struct nf_conn *ct) diff --git a/net/netlabel/netlabel_unlabeled.c b/net/netlabel/netlabel_unlabeled.c index 4528cff..1ae0bd3 100644 --- a/net/netlabel/netlabel_unlabeled.c +++ b/net/netlabel/netlabel_unlabeled.c @@ -461,7 +461,6 @@ unlhsh_add_return: &secctx, &secctx_len) == 0) { audit_log_format(audit_buf, " sec_obj=%s", secctx); - security_release_secctx(secctx, secctx_len); } audit_log_format(audit_buf, " res=%u", ret_val == 0 ? 1 : 0); audit_log_end(audit_buf); 
@@ -517,7 +516,6 @@ static int netlbl_unlhsh_remove_addr4(struct net *net, security_secid_to_secctx(entry->secid, &secctx, &secctx_len) == 0) { audit_log_format(audit_buf, " sec_obj=%s", secctx); - security_release_secctx(secctx, secctx_len); } audit_log_format(audit_buf, " res=%u", entry != NULL ? 1 : 0); audit_log_end(audit_buf); @@ -578,7 +576,6 @@ static int netlbl_unlhsh_remove_addr6(struct net *net, security_secid_to_secctx(entry->secid, &secctx, &secctx_len) == 0) { audit_log_format(audit_buf, " sec_obj=%s", secctx); - security_release_secctx(secctx, secctx_len); } audit_log_format(audit_buf, " res=%u", entry != NULL ? 1 : 0); audit_log_end(audit_buf); @@ -1154,7 +1151,6 @@ static int netlbl_unlabel_staticlist_gen(u32 cmd, NLBL_UNLABEL_A_SECCTX, secctx_len, secctx); - security_release_secctx(secctx, secctx_len); if (ret_val != 0) goto list_cb_failure; diff --git a/net/netlabel/netlabel_user.c b/net/netlabel/netlabel_user.c index 58495f4..c117e01 100644 --- a/net/netlabel/netlabel_user.c +++ b/net/netlabel/netlabel_user.c @@ -117,7 +117,6 @@ struct audit_buffer *netlbl_audit_start_common(int type, &secctx, &secctx_len) == 0) { audit_log_format(audit_buf, " subj=%s", secctx); - security_release_secctx(secctx, secctx_len); } return audit_buf; diff --git a/security/security.c b/security/security.c index 1a4d927..8a0c14a 100644 --- a/security/security.c +++ b/security/security.c @@ -1485,12 +1485,6 @@ int security_secctx_to_secid(const char *secdata, u32 seclen, u32 *secid) } EXPORT_SYMBOL(security_secctx_to_secid); -void security_release_secctx(char *secdata, u32 seclen) -{ - call_void_hook(release_secctx, secdata, seclen); -} -EXPORT_SYMBOL(security_release_secctx); - void security_inode_invalidate_secctx(struct inode *inode) { call_void_hook(inode_invalidate_secctx, inode);
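Review bot: the security/security.c hunk deletes only the `security_release_secctx()` wrapper around `call_void_hook(release_secctx, secdata, seclen)`; none of the 16 files in the diffstat touches the hook definition that this wrapper dispatches to, so the `release_secctx` hook itself is left behind as a dead definition and should be removed in the same patch. The commit message's premise ("None of the upstream security modules release secctx's") also needs to be stated as an ownership rule rather than an observation: every site in this patch pairs the removed release with a `security_secid_to_secctx()` or `security_inode_getsecurity()` call that hands back a buffer, and no file under security/selinux or security/smack is touched here, so if any module returns a heap-allocated buffer from those hooks, each of these sites becomes a leak instead of a clean-up. Please say explicitly in the commit message that the returned buffers are module-owned and never need freeing by the caller, and point at where that is guaranteed.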
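Review bot: in the fs/xattr.c hunk, the copying path still calls `security_inode_getsecurity(inode, name, &buffer, true)` with `alloc` set, and the `out:` label that previously ran `security_release_secctx(buffer, len)` now just returns `len`. Redirecting the sizing path from `out_noalloc` to `out` is fine once the release is gone, but the explicit alloc=true request is the clearest sign in this series that a caller expected to own the buffer; either document why a buffer obtained with alloc=true needs no release, or keep a free on the copying path.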
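Review bot: in the fs/kernfs/inode.c hunk, `secdata` is passed by address to `kernfs_node_setsecdata(kn, &secdata, &secdata_len)` and was released immediately afterwards, which reads as the callee handing back the node's previous security data for the caller to free. With the `if (secdata) security_release_secctx(...)` removed, repeated setxattr of a security.* attribute on the same node drops each prior buffer unreferenced; confirm that kernfs_node_setsecdata does not return an owned buffer, or free it here. The same question applies to the kernfs_put() hunk in fs/kernfs/dir.c, where `kn->iattr->ia_secdata` is no longer released before `kfree(kn->iattr)`; the brace simplification around `simple_xattrs_free()` there is otherwise correct.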
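Review bot: the fs/nfs/nfs4proc.c hunks remove both the CONFIG-enabled and the stub `nfs4_label_release_security()` together with all five callers (nfs4_atomic_open, nfs4_proc_create, nfs4_proc_symlink, nfs4_proc_mkdir, nfs4_proc_mknod), so the `label`/`ilabel` obtained from `nfs4_label_init_security()` is no longer released on any path, including the `out:` error path of nfs4_proc_create. That is consistent with the series' premise, but nfs4_label_init_security() is not shown here and is the only place that establishes where `label->label` comes from; a sentence in the commit message naming the hook it uses and why that buffer needs no release would make these five removals reviewable on their own.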
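Review bot: the fs/nfsd/nfs4xdr.c hunk removes the only use of `context` and `contextlen` visible in the hunk, inside the `#ifdef CONFIG_NFSD_V4_SECURITY_LABEL` block at `out:`. Check whether both variables are still read elsewhere in the function after this change; if not, builds with that option enabled will pick up set-but-unused warnings and their declarations (and any remaining `#ifdef` around them) should be removed in the same hunk.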
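Review bot: in the kernel/audit.c audit_receive_msg() hunk, `ctx` is converted under `if (audit_sig_sid)` and copied into `sig_data->ctx` with `memcpy(sig_data->ctx, ctx, len)`, and both the `-ENOMEM` path and the success path lose their release. This is the one site in the series where the context buffer outlives a single log line and crosses an allocation failure, so it is the clearest place to state who owns `ctx` after `security_secid_to_secctx()`. Collapsing the single-statement `if` bodies here and in audit_log_secctx() to brace-less form matches coding style and is fine.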