diff mbox

[15/25] LSM: Remove unused security_release_secctx

Message ID cc45263f-5b35-f7d7-7436-4d0f69931d33@schaufler-ca.com
State New
Headers show

Commit Message

Casey Schaufler Aug. 13, 2016, 8:37 p.m. UTC
Subject: [PATCH 15/25] LSM: Remove unused security_release_secctx

None of the upstream security modules release secctx's.
This hook is unused and clutters the code substantialy.

Signed-off-by: Casey Schaufler <casey@schaufler-ca.com>
---
 fs/kernfs/dir.c                                       |  6 +-----
 fs/kernfs/inode.c                                     |  2 --
 fs/nfs/nfs4proc.c                                     | 16 ----------------
 fs/nfsd/nfs4xdr.c                                     |  4 ----
 fs/xattr.c                                            |  4 +---
 include/linux/security.h                              |  5 -----
 include/net/scm.h                                     |  4 +---
 kernel/audit.c                                        | 17 ++++-------------
 kernel/auditsc.c                                      |  2 --
 net/ipv4/ip_sockglue.c                                |  1 -
 net/ipv4/netfilter/nf_conntrack_l3proto_ipv4_compat.c |  2 --
 net/netfilter/nf_conntrack_netlink.c                  |  1 -
 net/netfilter/nf_conntrack_standalone.c               |  2 --
 net/netlabel/netlabel_unlabeled.c                     |  4 ----
 net/netlabel/netlabel_user.c                          |  1 -
 security/security.c                                   |  6 ------
 16 files changed, 7 insertions(+), 70 deletions(-)
diff mbox

Patch

diff --git a/fs/kernfs/dir.c b/fs/kernfs/dir.c
index e57174d..b45ab83 100644
--- a/fs/kernfs/dir.c
+++ b/fs/kernfs/dir.c
@@ -566,12 +566,8 @@  void kernfs_put(struct kernfs_node *kn)
 
 	kfree_const(kn->name);
 
-	if (kn->iattr) {
-		if (kn->iattr->ia_secdata)
-			security_release_secctx(kn->iattr->ia_secdata,
-						kn->iattr->ia_secdata_len);
+	if (kn->iattr)
 		simple_xattrs_free(&kn->iattr->xattrs);
-	}
 	kfree(kn->iattr);
 	ida_simple_remove(&root->ino_ida, kn->ino);
 	kmem_cache_free(kernfs_node_cache, kn);
diff --git a/fs/kernfs/inode.c b/fs/kernfs/inode.c
index 63b925d..650748e 100644
--- a/fs/kernfs/inode.c
+++ b/fs/kernfs/inode.c
@@ -189,8 +189,6 @@  int kernfs_iop_setxattr(struct dentry *unused, struct inode *inode,
 		error = kernfs_node_setsecdata(kn, &secdata, &secdata_len);
 		mutex_unlock(&kernfs_mutex);
 
-		if (secdata)
-			security_release_secctx(secdata, secdata_len);
 		return error;
 	} else if (!strncmp(name, XATTR_TRUSTED_PREFIX, XATTR_TRUSTED_PREFIX_LEN)) {
 		return simple_xattr_set(&attrs->xattrs, name, value, size,
diff --git a/fs/nfs/nfs4proc.c b/fs/nfs/nfs4proc.c
index a036e93..6e61b53 100644
--- a/fs/nfs/nfs4proc.c
+++ b/fs/nfs/nfs4proc.c
@@ -123,12 +123,6 @@  nfs4_label_init_security(struct inode *dir, struct dentry *dentry,
 
 	return NULL;
 }
-static inline void
-nfs4_label_release_security(struct nfs4_label *label)
-{
-	if (label)
-		security_release_secctx(label->label, label->len);
-}
 static inline u32 *nfs4_bitmask(struct nfs_server *server, struct nfs4_label *label)
 {
 	if (label)
@@ -141,9 +135,6 @@  static inline struct nfs4_label *
 nfs4_label_init_security(struct inode *dir, struct dentry *dentry,
 	struct iattr *sattr, struct nfs4_label *l)
 { return NULL; }
-static inline void
-nfs4_label_release_security(struct nfs4_label *label)
-{ return; }
 static inline u32 *
 nfs4_bitmask(struct nfs_server *server, struct nfs4_label *label)
 { return server->attr_bitmask; }
@@ -3037,8 +3028,6 @@  nfs4_atomic_open(struct inode *dir, struct nfs_open_context *ctx,
 	/* Protect against concurrent sillydeletes */
 	state = nfs4_do_open(dir, ctx, open_flags, attr, label, opened);
 
-	nfs4_label_release_security(label);
-
 	if (IS_ERR(state))
 		return ERR_CAST(state);
 	return state->inode;
@@ -3750,7 +3739,6 @@  nfs4_proc_create(struct inode *dir, struct dentry *dentry, struct iattr *sattr,
 		goto out;
 	}
 out:
-	nfs4_label_release_security(ilabel);
 	put_nfs_open_context(ctx);
 	return status;
 }
@@ -4023,7 +4011,6 @@  static int nfs4_proc_symlink(struct inode *dir, struct dentry *dentry,
 				&exception);
 	} while (exception.retry);
 
-	nfs4_label_release_security(label);
 	return err;
 }
 
@@ -4061,7 +4048,6 @@  static int nfs4_proc_mkdir(struct inode *dir, struct dentry *dentry,
 		err = nfs4_handle_exception(NFS_SERVER(dir), err,
 				&exception);
 	} while (exception.retry);
-	nfs4_label_release_security(label);
 
 	return err;
 }
@@ -4171,8 +4157,6 @@  static int nfs4_proc_mknod(struct inode *dir, struct dentry *dentry,
 				&exception);
 	} while (exception.retry);
 
-	nfs4_label_release_security(label);
-
 	return err;
 }
 
diff --git a/fs/nfsd/nfs4xdr.c b/fs/nfsd/nfs4xdr.c
index 0aa0236..a70960b 100644
--- a/fs/nfsd/nfs4xdr.c
+++ b/fs/nfsd/nfs4xdr.c
@@ -2788,10 +2788,6 @@  out_acl:
 	status = nfs_ok;
 
 out:
-#ifdef CONFIG_NFSD_V4_SECURITY_LABEL
-	if (context)
-		security_release_secctx(context, contextlen);
-#endif /* CONFIG_NFSD_V4_SECURITY_LABEL */
 	kfree(acl);
 	if (tempfh) {
 		fh_put(tempfh);
diff --git a/fs/xattr.c b/fs/xattr.c
index c243905..0fe1095 100644
--- a/fs/xattr.c
+++ b/fs/xattr.c
@@ -158,7 +158,7 @@  xattr_getsecurity(struct inode *inode, const char *name, void *value,
 
 	if (!value || !size) {
 		len = security_inode_getsecurity(inode, name, &buffer, false);
-		goto out_noalloc;
+		goto out;
 	}
 
 	len = security_inode_getsecurity(inode, name, &buffer, true);
@@ -170,8 +170,6 @@  xattr_getsecurity(struct inode *inode, const char *name, void *value,
 	}
 	memcpy(value, buffer, len);
 out:
-	security_release_secctx(buffer, len);
-out_noalloc:
 	return len;
 }
 EXPORT_SYMBOL_GPL(xattr_getsecurity);
diff --git a/include/linux/security.h b/include/linux/security.h
index 7bf0a88..28ba388 100644
--- a/include/linux/security.h
+++ b/include/linux/security.h
@@ -363,7 +363,6 @@  int security_netlink_send(struct sock *sk, struct sk_buff *skb);
 int security_ismaclabel(const char *name);
 int security_secid_to_secctx(u32 secid, char **secdata, u32 *seclen);
 int security_secctx_to_secid(const char *secdata, u32 seclen, u32 *secid);
-void security_release_secctx(char *secdata, u32 seclen);
 
 void security_inode_invalidate_secctx(struct inode *inode);
 int security_inode_notifysecctx(struct inode *inode, void *ctx, u32 ctxlen);
@@ -1115,10 +1114,6 @@  static inline int security_secctx_to_secid(const char *secdata,
 	return -EOPNOTSUPP;
 }
 
-static inline void security_release_secctx(char *secdata, u32 seclen)
-{
-}
-
 static inline void security_inode_invalidate_secctx(struct inode *inode)
 {
 }
diff --git a/include/net/scm.h b/include/net/scm.h
index 59fa93c..5fc29b7 100644
--- a/include/net/scm.h
+++ b/include/net/scm.h
@@ -96,10 +96,8 @@  static inline void scm_passec(struct socket *sock, struct msghdr *msg, struct sc
 	if (test_bit(SOCK_PASSSEC, &sock->flags)) {
 		err = security_secid_to_secctx(scm->secid, &secdata, &seclen);
 
-		if (!err) {
+		if (!err)
 			put_cmsg(msg, SOL_SOCKET, SCM_SECURITY, seclen, secdata);
-			security_release_secctx(secdata, seclen);
-		}
 	}
 }
 #else
diff --git a/kernel/audit.c b/kernel/audit.c
index a8a91bd..5f0ec783 100644
--- a/kernel/audit.c
+++ b/kernel/audit.c
@@ -1029,17 +1029,12 @@  static int audit_receive_msg(struct sk_buff *skb, struct nlmsghdr *nlh)
 				return err;
 		}
 		sig_data = kmalloc(sizeof(*sig_data) + len, GFP_KERNEL);
-		if (!sig_data) {
-			if (audit_sig_sid)
-				security_release_secctx(ctx, len);
+		if (!sig_data)
 			return -ENOMEM;
-		}
 		sig_data->uid = from_kuid(&init_user_ns, audit_sig_uid);
 		sig_data->pid = audit_sig_pid;
-		if (audit_sig_sid) {
+		if (audit_sig_sid)
 			memcpy(sig_data->ctx, ctx, len);
-			security_release_secctx(ctx, len);
-		}
 		audit_send_reply(skb, seq, AUDIT_SIGNAL_INFO, 0, 0,
 				 sig_data, sizeof(*sig_data) + len);
 		kfree(sig_data);
@@ -1808,7 +1803,6 @@  void audit_log_name(struct audit_context *context, struct audit_names *n,
 				*call_panic = 2;
 		} else {
 			audit_log_format(ab, " obj=%s", ctx);
-			security_release_secctx(ctx, len);
 		}
 	}
 
@@ -1855,7 +1849,6 @@  int audit_log_task_context(struct audit_buffer *ab)
 	}
 
 	audit_log_format(ab, " subj=%s", ctx);
-	security_release_secctx(ctx, len);
 	return 0;
 
 error_path:
@@ -2055,12 +2048,10 @@  void audit_log_secctx(struct audit_buffer *ab, u32 secid)
 	u32 len;
 	char *secctx;
 
-	if (security_secid_to_secctx(secid, &secctx, &len)) {
+	if (security_secid_to_secctx(secid, &secctx, &len))
 		audit_panic("Cannot convert secid to context");
-	} else {
+	else
 		audit_log_format(ab, " obj=%s", secctx);
-		security_release_secctx(secctx, len);
-	}
 }
 EXPORT_SYMBOL(audit_log_secctx);
 #endif
diff --git a/kernel/auditsc.c b/kernel/auditsc.c
index 5abf1dc..0936262 100644
--- a/kernel/auditsc.c
+++ b/kernel/auditsc.c
@@ -983,7 +983,6 @@  static int audit_log_pid_context(struct audit_context *context, pid_t pid,
 			rc = 1;
 		} else {
 			audit_log_format(ab, " obj=%s", ctx);
-			security_release_secctx(ctx, len);
 		}
 	}
 	audit_log_format(ab, " ocomm=");
@@ -1199,7 +1198,6 @@  static void show_special(struct audit_context *context, int *call_panic)
 				*call_panic = 1;
 			} else {
 				audit_log_format(ab, " obj=%s", ctx);
-				security_release_secctx(ctx, len);
 			}
 		}
 		if (context->ipc.has_perm) {
diff --git a/net/ipv4/ip_sockglue.c b/net/ipv4/ip_sockglue.c
index 71a52f4d..8ef899b 100644
--- a/net/ipv4/ip_sockglue.c
+++ b/net/ipv4/ip_sockglue.c
@@ -127,7 +127,6 @@  static void ip_cmsg_recv_security(struct msghdr *msg, struct sk_buff *skb)
 		return;
 
 	put_cmsg(msg, SOL_IP, SCM_SECURITY, seclen, secdata);
-	security_release_secctx(secdata, seclen);
 }
 
 static void ip_cmsg_recv_dstaddr(struct msghdr *msg, struct sk_buff *skb)
diff --git a/net/ipv4/netfilter/nf_conntrack_l3proto_ipv4_compat.c b/net/ipv4/netfilter/nf_conntrack_l3proto_ipv4_compat.c
index 6392371..9e9b0a3 100644
--- a/net/ipv4/netfilter/nf_conntrack_l3proto_ipv4_compat.c
+++ b/net/ipv4/netfilter/nf_conntrack_l3proto_ipv4_compat.c
@@ -109,8 +109,6 @@  static void ct_show_secctx(struct seq_file *s, const struct nf_conn *ct)
 		return;
 
 	seq_printf(s, "secctx=%s ", secctx);
-
-	security_release_secctx(secctx, len);
 }
 #else
 static inline void ct_show_secctx(struct seq_file *s, const struct nf_conn *ct)
diff --git a/net/netfilter/nf_conntrack_netlink.c b/net/netfilter/nf_conntrack_netlink.c
index 050bb34..0cfa4ff 100644
--- a/net/netfilter/nf_conntrack_netlink.c
+++ b/net/netfilter/nf_conntrack_netlink.c
@@ -332,7 +332,6 @@  static int ctnetlink_dump_secctx(struct sk_buff *skb, const struct nf_conn *ct)
 
 	ret = 0;
 nla_put_failure:
-	security_release_secctx(secctx, len);
 	return ret;
 }
 #else
diff --git a/net/netfilter/nf_conntrack_standalone.c b/net/netfilter/nf_conntrack_standalone.c
index 958a145..980ffd0 100644
--- a/net/netfilter/nf_conntrack_standalone.c
+++ b/net/netfilter/nf_conntrack_standalone.c
@@ -133,8 +133,6 @@  static void ct_show_secctx(struct seq_file *s, const struct nf_conn *ct)
 		return;
 
 	seq_printf(s, "secctx=%s ", secctx);
-
-	security_release_secctx(secctx, len);
 }
 #else
 static inline void ct_show_secctx(struct seq_file *s, const struct nf_conn *ct)
diff --git a/net/netlabel/netlabel_unlabeled.c b/net/netlabel/netlabel_unlabeled.c
index 4528cff..1ae0bd3 100644
--- a/net/netlabel/netlabel_unlabeled.c
+++ b/net/netlabel/netlabel_unlabeled.c
@@ -461,7 +461,6 @@  unlhsh_add_return:
 					     &secctx,
 					     &secctx_len) == 0) {
 			audit_log_format(audit_buf, " sec_obj=%s", secctx);
-			security_release_secctx(secctx, secctx_len);
 		}
 		audit_log_format(audit_buf, " res=%u", ret_val == 0 ? 1 : 0);
 		audit_log_end(audit_buf);
@@ -517,7 +516,6 @@  static int netlbl_unlhsh_remove_addr4(struct net *net,
 		    security_secid_to_secctx(entry->secid,
 					     &secctx, &secctx_len) == 0) {
 			audit_log_format(audit_buf, " sec_obj=%s", secctx);
-			security_release_secctx(secctx, secctx_len);
 		}
 		audit_log_format(audit_buf, " res=%u", entry != NULL ? 1 : 0);
 		audit_log_end(audit_buf);
@@ -578,7 +576,6 @@  static int netlbl_unlhsh_remove_addr6(struct net *net,
 		    security_secid_to_secctx(entry->secid,
 					     &secctx, &secctx_len) == 0) {
 			audit_log_format(audit_buf, " sec_obj=%s", secctx);
-			security_release_secctx(secctx, secctx_len);
 		}
 		audit_log_format(audit_buf, " res=%u", entry != NULL ? 1 : 0);
 		audit_log_end(audit_buf);
@@ -1154,7 +1151,6 @@  static int netlbl_unlabel_staticlist_gen(u32 cmd,
 			  NLBL_UNLABEL_A_SECCTX,
 			  secctx_len,
 			  secctx);
-	security_release_secctx(secctx, secctx_len);
 	if (ret_val != 0)
 		goto list_cb_failure;
 
diff --git a/net/netlabel/netlabel_user.c b/net/netlabel/netlabel_user.c
index 58495f4..c117e01 100644
--- a/net/netlabel/netlabel_user.c
+++ b/net/netlabel/netlabel_user.c
@@ -117,7 +117,6 @@  struct audit_buffer *netlbl_audit_start_common(int type,
 				     &secctx,
 				     &secctx_len) == 0) {
 		audit_log_format(audit_buf, " subj=%s", secctx);
-		security_release_secctx(secctx, secctx_len);
 	}
 
 	return audit_buf;
diff --git a/security/security.c b/security/security.c
index 1a4d927..8a0c14a 100644
--- a/security/security.c
+++ b/security/security.c
@@ -1485,12 +1485,6 @@  int security_secctx_to_secid(const char *secdata, u32 seclen, u32 *secid)
 }
 EXPORT_SYMBOL(security_secctx_to_secid);
 
-void security_release_secctx(char *secdata, u32 seclen)
-{
-	call_void_hook(release_secctx, secdata, seclen);
-}
-EXPORT_SYMBOL(security_release_secctx);
-
 void security_inode_invalidate_secctx(struct inode *inode)
 {
 	call_void_hook(inode_invalidate_secctx, inode);