From patchwork Wed Apr 25 08:59:07 2018
X-Patchwork-Submitter: Sargun Dhillon
X-Patchwork-Id: 10361911
Date: Wed, 25 Apr 2018 08:59:07 +0000
From: Sargun Dhillon
To: linux-security-module@vger.kernel.org
Cc: penguin-kernel@i-love.sakura.ne.jp, keescook@chromium.org, igor.stoppa@huawei.com, casey@schaufler-ca.com, jmorris@namei.org, sds@tycho.nsa.gov, paul@paul-moore.com, plautrba@redhat.com
Subject: [PATCH v7 2/6] security: Make security_hook_heads private

This is in preparation for future patches. The pointer to the hook head is no longer embedded in the security_hook_list structure, and instead, now there is an offset. In addition, since struct security_hook_heads is a static defined in security.c, and it's full of hlist_heads, whose initialization involves setting them to null, there's no more reason for explicit initialization.

Signed-off-by: Sargun Dhillon
--- include/linux/lsm_hooks.h | 10 +++++--- scripts/gcc-plugins/randomize_layout_plugin.c | 2 -- security/security.c | 34 +++++++++++++++++---------- security/security.h | 3 ++- 4 files changed, 30 insertions(+), 19 deletions(-) diff --git a/include/linux/lsm_hooks.h b/include/linux/lsm_hooks.h index 65f346cb6639..93bb0f8a597f 100644 --- a/include/linux/lsm_hooks.h +++ b/include/linux/lsm_hooks.h @@ -2014,7 +2014,7 @@ struct lsm_info { struct security_hook_list { struct hlist_node list; - struct hlist_head *head; + const unsigned int offset; union security_list_options hook; /* This field is not currently in use */ struct lsm_info *info; 
@@ -2026,8 +2026,13 @@ struct security_hook_list { * care of the common case and reduces the amount of * text involved. */ +#define HOOK_OFFSET(HEAD) offsetof(struct security_hook_heads, HEAD) + #define LSM_HOOK_INIT(HEAD, HOOK) \ - { .head = &security_hook_heads.HEAD, .hook = { .HEAD = HOOK } } + { \ + .offset = HOOK_OFFSET(HEAD), \ + .hook = { .HEAD = HOOK } \ + } #define LSM_MODULE_INIT(NAME, HOOKS) \ { \ @@ -2036,7 +2041,6 @@ struct security_hook_list { .count = ARRAY_SIZE(HOOKS), \ } -extern struct security_hook_heads security_hook_heads; extern void security_add_hooks(struct lsm_info *lsm); #ifdef CONFIG_SECURITY_SELINUX_DISABLE diff --git a/scripts/gcc-plugins/randomize_layout_plugin.c b/scripts/gcc-plugins/randomize_layout_plugin.c index 6d5bbd31db7f..d94138999427 100644 --- a/scripts/gcc-plugins/randomize_layout_plugin.c +++ b/scripts/gcc-plugins/randomize_layout_plugin.c @@ -52,8 +52,6 @@ static const struct whitelist_entry whitelist[] = { { "net/unix/af_unix.c", "unix_skb_parms", "char" }, /* big_key payload.data struct splashing */ { "security/keys/big_key.c", "path", "void *" }, - /* walk struct security_hook_heads as an array of struct hlist_head */ - { "security/security.c", "hlist_head", "security_hook_heads" }, { } }; diff --git a/security/security.c b/security/security.c index 36b9d2b0a135..acdbf65bd752 100644 --- a/security/security.c +++ b/security/security.c @@ -41,9 +41,13 @@ DEFINE_MUTEX(lsm_info_lock); struct hlist_head lsm_info_head __lsm_ro_after_init = HLIST_HEAD_INIT; -struct security_hook_heads security_hook_heads __lsm_ro_after_init; +static struct security_hook_heads security_hook_heads __lsm_ro_after_init; static ATOMIC_NOTIFIER_HEAD(lsm_notifier_chain); +struct security_hook_heads *get_security_hook_heads(void) +{ + return &security_hook_heads; +} /* Boot-time LSM user choice */ static __initdata char chosen_lsm[SECURITY_NAME_MAX + 1] = 
@@ -70,12 +74,6 @@ static void __init do_security_initcalls(void) */ int __init security_init(void) { - int i; - struct hlist_head *list = (struct hlist_head *) &security_hook_heads; - - for (i = 0; i < sizeof(security_hook_heads) / sizeof(struct hlist_head); - i++) - INIT_HLIST_HEAD(&list[i]); pr_info("Security Framework initialized\n"); /* @@ -152,6 +150,20 @@ void security_delete_hooks(struct lsm_info *info) mutex_unlock(&lsm_info_lock); } #endif /* CONFIG_SECURITY_SELINUX_DISABLE */ + +static void __init security_add_hook(struct security_hook_list *hook, + struct lsm_info *info) +{ + const unsigned int offset = hook->offset; + const unsigned int idx = offset / sizeof(struct hlist_head); + struct hlist_head *head; + + WARN_ON(offset % sizeof(struct hlist_head)); + + hook->info = info; + head = (struct hlist_head *)(&security_hook_heads) + idx; + hlist_add_tail_rcu(&hook->list, head); +} /** * security_add_hooks - Add a modules hooks to the hook lists. * @lsm_info: The lsm_info struct for this security module @@ -160,14 +172,10 @@ void security_delete_hooks(struct lsm_info *info) */ void __init security_add_hooks(struct lsm_info *info) { - struct security_hook_list *hook; int i; - for (i = 0; i < info->count; i++) { - hook = &info->hooks[i]; - hook->info = info; - hlist_add_tail_rcu(&hook->list, hook->head); - } + for (i = 0; i < info->count; i++) + security_add_hook(&info->hooks[i], info); mutex_lock(&lsm_info_lock); hlist_add_tail_rcu(&info->list, &lsm_info_head); diff --git a/security/security.h b/security/security.h index 79d1388fb038..b4d1a60862c3 100644 --- a/security/security.h +++ b/security/security.h @@ -5,6 +5,7 @@ #ifndef __SECURITY_SECURITY_H #define __SECURITY_SECURITY_H -extern struct hlist_head lsm_info_head; extern struct mutex lsm_info_lock; +extern struct hlist_head lsm_info_head; +extern struct security_hook_heads *get_security_hook_heads(void); #endif
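Review bot: in the lsm_hooks.h hunk at @@ -2014, the new `const unsigned int offset` member of struct security_hook_list carries no comment saying what it is an offset into; add a one-line comment (offset of the target hlist_head within struct security_hook_heads) beside the field, since readers no longer see the `&security_hook_heads.HEAD` expression that made the old pointer self-explanatory. Making the member const also means a security_hook_list can no longer be assigned as a whole, which is fine for statically initialised hook tables but worth a word in the commit message.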
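Review bot: in the lsm_hooks.h hunk at @@ -2026, HOOK_OFFSET is a very generic name to put into a widely included header; prefix it (for example LSM_HOOK_OFFSET) to match LSM_HOOK_INIT and LSM_MODULE_INIT and avoid collisions. It expands to offsetof(), so the header should include <linux/stddef.h> itself rather than relying on it arriving transitively.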
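Review bot: in the lsm_hooks.h hunk at @@ -2036, dropping `extern struct security_hook_heads security_hook_heads;` leaves the type still defined in this public header (HOOK_OFFSET needs it) while the object itself becomes reachable only through get_security_hook_heads() in security/security.h; the commit message says only "preparation for future patches", so state explicitly that hiding the symbol from everything outside security/security.c is the intent and that direct references to it are expected to stop building.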
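Review bot: removing the randomize_layout_plugin.c whitelist entry looks premature: the security.c hunk at @@ -152 still casts &security_hook_heads to `struct hlist_head *` in security_add_hook() (`head = (struct hlist_head *)(&security_hook_heads) + idx;`), which is exactly the cast this entry whitelisted. Unless struct security_hook_heads is no longer randomized, either keep the entry or rewrite security_add_hook() so it does not index the struct as an array of hlist_head.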
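Review bot: in the security.c hunk at @@ -41, get_security_hook_heads() is added with no caller, no kernel-doc comment and no explanation of why an accessor is preferable to keeping the object visible within security/; either introduce it in the patch that first uses it or document its intended users here. It also hands out a non-const pointer to `__lsm_ro_after_init` data, so say when callers may legitimately write through it (only before the read-only marking takes effect).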
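Review bot: in the security.c hunk at @@ -152, security_add_hook() warns on a misaligned offset but then still computes idx with truncating division and calls hlist_add_tail_rcu() on whatever list that lands on; return after the WARN_ON() (or make the check fatal), and also check the offset against sizeof(struct security_hook_heads) so a corrupted hook table cannot index past the end of the struct. Since every offset is an offsetof() constant, the division can be dropped entirely by computing `head = (void *)&security_hook_heads + offset;`. Style: add a blank line between the new function and the kernel-doc block for security_add_hooks().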
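Review bot: in the security/security.h hunk, swapping the order of the `lsm_info_head` and `lsm_info_lock` extern lines is unrelated churn and should be dropped from this patch; the real addition is the get_security_hook_heads() prototype, which names struct security_hook_heads without a forward declaration (`struct security_hook_heads;`) or an include of linux/lsm_hooks.h, so add one to keep the header self-contained.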