[40/59] LSM: Use lsm_context in inode_getsecctx hooks

Message ID	20190409213946.1667-41-casey@schaufler-ca.com (mailing list archive)
State	Not Applicable
Headers	show Return-Path: <selinux-owner@kernel.org> From: Casey Schaufler <casey@schaufler-ca.com> To: casey.schaufler@intel.com, jmorris@namei.org, linux-security-module@vger.kernel.org, selinux@vger.kernel.org Cc: casey@schaufler-ca.com Subject: [PATCH 40/59] LSM: Use lsm_context in inode_getsecctx hooks Date: Tue, 9 Apr 2019 14:39:27 -0700 Message-Id: <20190409213946.1667-41-casey@schaufler-ca.com> In-Reply-To: <20190409213946.1667-1-casey@schaufler-ca.com> References: <20190409213946.1667-1-casey@schaufler-ca.com> Sender: selinux-owner@vger.kernel.org Precedence: bulk
Series	LSM: Module stacking for AppArmor \| expand [00/59] LSM: Module stacking for AppArmor [01/59] LSM: Infrastructure management of the superblock [02/59] LSM: Infrastructure management of the sock security [03/59] LSM: Infrastructure management of the key security blob [04/59] LSM: Create an lsm_export data structure. [05/59] LSM: Use lsm_export in the inode_getsecid hooks [06/59] LSM: Use lsm_export in the cred_getsecid hooks [07/59] LSM: Use lsm_export in the ipc_getsecid and task_getsecid hooks [08/59] LSM: Use lsm_export in the kernel_ask_as hooks [09/59] LSM: Use lsm_export in the getpeersec_dgram hooks [10/59] LSM: Use lsm_export in the audit_rule_match hooks [11/59] LSM: Fix logical operation in lsm_export checks [12/59] LSM: Use lsm_export in the secid_to_secctx hooks [13/59] LSM: Use lsm_export in the secctx_to_secid hooks [14/59] LSM: Use lsm_export in security_audit_rule_match [15/59] LSM: Use lsm_export in security_kernel_act_as [16/59] LSM: Use lsm_export in security_socket_getpeersec_dgram [17/59] LSM: Use lsm_export in security_secctx_to_secid [18/59] LSM: Use lsm_export in security_secid_to_secctx [19/59] LSM: Use lsm_export in security_ipc_getsecid [20/59] LSM: Use lsm_export in security_task_getsecid [21/59] LSM: Use lsm_export in security_inode_getsecid [22/59] LSM: Use lsm_export in security_cred_getsecid [23/59] Audit: Change audit_sig_sid to audit_sig_lsm [24/59] Audit: Convert target_sid to an lsm_export structure [25/59] Audit: Convert osid to an lsm_export structure [26/59] IMA: Clean out lsm_export scaffolding [27/59] NET: Store LSM access information in the socket blob for UDS [28/59] NET: Remove scaffolding on secmarks [29/59] NET: Remove scaffolding on new secmarks [30/59] NET: Remove netfilter scaffolding for lsm_export [31/59] Netlabel: Replace secids with lsm_export [32/59] LSM: Remove lsm_export scaffolding functions [33/59] IMA: FIXUP prototype using lsm_export [34/59] Smack: Restore the release_secctx hook [35/59] AppArmor: Remove unnecessary hook stub [36/59] LSM: Limit calls to certain module hooks [37/59] LSM: Create a data structure for a security context [38/59] LSM: Use lsm_context in secid_to_secctx hooks [39/59] LSM: Use lsm_context in secctx_to_secid hooks [40/59] LSM: Use lsm_context in inode_getsecctx hooks [41/59] LSM: Use lsm_context in inode_notifysecctx hooks [42/59] LSM: Use lsm_context in dentry_init_security hooks [43/59] LSM: Use lsm_context in security_dentry_init_security [44/59] LSM: Use lsm_context in security_inode_notifysecctx [45/59] LSM: Use lsm_context in security_inode_getsecctx [46/59] LSM: Use lsm_context in security_secctx_to_secid [47/59] LSM: Use lsm_context in release_secctx hooks [48/59] LSM: Use lsm_context in security_release_secctx [49/59] LSM: Use lsm_context in security_secid_to_secctx [50/59] fs: remove lsm_context scaffolding [51/59] LSM: Add the release function to the lsm_context [52/59] LSM: Use lsm_context in inode_setsecctx hooks [53/59] LSM: Use lsm_context in security_inode_setsecctx [54/59] kernfs: remove lsm_context scaffolding [55/59] LSM: Remove unused macro [56/59] LSM: Special handling for secctx lsm hooks [57/59] SELinux: Use blob offset in current_sid [58/59] LSM: Specify which LSM to display with /proc/self/attr/display [59/59] AppArmor: Remove the exclusive flag

Message ID

20190409213946.1667-41-casey@schaufler-ca.com (mailing list archive)

State

Not Applicable

Headers

From: Casey Schaufler <casey@schaufler-ca.com>
To: casey.schaufler@intel.com, jmorris@namei.org,
        linux-security-module@vger.kernel.org, selinux@vger.kernel.org
Cc: casey@schaufler-ca.com
Subject: [PATCH 40/59] LSM: Use lsm_context in inode_getsecctx hooks
Date: Tue,  9 Apr 2019 14:39:27 -0700
Message-Id: <20190409213946.1667-41-casey@schaufler-ca.com>
In-Reply-To: <20190409213946.1667-1-casey@schaufler-ca.com>
References: <20190409213946.1667-1-casey@schaufler-ca.com>
Sender: selinux-owner@vger.kernel.org
Precedence: bulk

Series

LSM: Module stacking for AppArmor | expand

Commit Message

Casey Schaufler April 9, 2019, 9:39 p.m. UTC

Convert SELinux and Smack to use the lsm_context structure
instead of a context/secid pair. There is some scaffolding involved
that will be removed when the related data is updated.

Signed-off-by: Casey Schaufler <casey@schaufler-ca.com>
---
 include/linux/lsm_hooks.h  | 7 +++----
 security/security.c        | 9 ++++++++-
 security/selinux/hooks.c   | 6 +++---
 security/smack/smack_lsm.c | 6 +++---
 4 files changed, 17 insertions(+), 11 deletions(-)

diff --git a/include/linux/lsm_hooks.h b/include/linux/lsm_hooks.h
index 8b842fd13fb4..34ed56be82b8 100644
--- a/include/linux/lsm_hooks.h
+++ b/include/linux/lsm_hooks.h
@@ -1401,12 +1401,11 @@ 
  *	@ctxlen contains the length of @ctx.
  *
  * @inode_getsecctx:
- *	On success, returns 0 and fills out @ctx and @ctxlen with the security
+ *	On success, returns 0 and fills out @cp with the security
  *	context for the given @inode.
  *
  *	@inode we wish to get the security context of.
- *	@ctx is a pointer in which to place the allocated security context.
- *	@ctxlen points to the place to put the length of @ctx.
+ *	@cp is a pointer in which to place the allocated security context.
  *
  * Security hooks for using the eBPF maps and programs functionalities through
  * eBPF syscalls.
@@ -1679,7 +1678,7 @@  union security_list_options {
 	void (*inode_invalidate_secctx)(struct inode *inode);
 	int (*inode_notifysecctx)(struct inode *inode, void *ctx, u32 ctxlen);
 	int (*inode_setsecctx)(struct dentry *dentry, void *ctx, u32 ctxlen);
-	int (*inode_getsecctx)(struct inode *inode, void **ctx, u32 *ctxlen);
+	int (*inode_getsecctx)(struct inode *inode, struct lsm_context *cp);
 
 #ifdef CONFIG_SECURITY_NETWORK
 	int (*unix_stream_connect)(struct sock *sock, struct sock *other,
diff --git a/security/security.c b/security/security.c
index f3788840019a..4625a9b00d1d 100644
--- a/security/security.c
+++ b/security/security.c
@@ -2040,7 +2040,14 @@  EXPORT_SYMBOL(security_inode_setsecctx);
 
 int security_inode_getsecctx(struct inode *inode, void **ctx, u32 *ctxlen)
 {
-	return call_int_hook(inode_getsecctx, -EOPNOTSUPP, inode, ctx, ctxlen);
+	struct lsm_context lc = { .context = NULL, .len = 0, };
+	int rc;
+
+	rc = call_int_hook(inode_getsecctx, -EOPNOTSUPP, inode, &lc);
+
+	*ctx = (void *)lc.context;
+	*ctxlen = lc.len;
+	return rc;
 }
 EXPORT_SYMBOL(security_inode_getsecctx);
 
diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c
index a2257ccaee5c..e881f42d3ff8 100644
--- a/security/selinux/hooks.c
+++ b/security/selinux/hooks.c
@@ -6355,14 +6355,14 @@  static int selinux_inode_setsecctx(struct dentry *dentry, void *ctx, u32 ctxlen)
 	return __vfs_setxattr_noperm(dentry, XATTR_NAME_SELINUX, ctx, ctxlen, 0);
 }
 
-static int selinux_inode_getsecctx(struct inode *inode, void **ctx, u32 *ctxlen)
+static int selinux_inode_getsecctx(struct inode *inode, struct lsm_context *cp)
 {
 	int len = 0;
 	len = selinux_inode_getsecurity(inode, XATTR_SELINUX_SUFFIX,
-						ctx, true);
+						(void **)&cp->context, true);
 	if (len < 0)
 		return len;
-	*ctxlen = len;
+	cp->len = len;
 	return 0;
 }
 #ifdef CONFIG_KEYS
diff --git a/security/smack/smack_lsm.c b/security/smack/smack_lsm.c
index 78c01ef707eb..46eead699e1d 100644
--- a/security/smack/smack_lsm.c
+++ b/security/smack/smack_lsm.c
@@ -4484,12 +4484,12 @@  static int smack_inode_setsecctx(struct dentry *dentry, void *ctx, u32 ctxlen)
 	return __vfs_setxattr_noperm(dentry, XATTR_NAME_SMACK, ctx, ctxlen, 0);
 }
 
-static int smack_inode_getsecctx(struct inode *inode, void **ctx, u32 *ctxlen)
+static int smack_inode_getsecctx(struct inode *inode, struct lsm_context *cp)
 {
 	struct smack_known *skp = smk_of_inode(inode);
 
-	*ctx = skp->smk_known;
-	*ctxlen = strlen(skp->smk_known);
+	cp->context = skp->smk_known;
+	cp->len = strlen(skp->smk_known);
 	return 0;
 }

[40/59] LSM: Use lsm_context in inode_getsecctx hooks

Commit Message

Patch