From patchwork Fri Dec 15 22:15:55 2023
X-Patchwork-Submitter: Casey Schaufler
X-Patchwork-Id: 13495105
X-Patchwork-Delegate: paul@paul-moore.com
From: Casey Schaufler
To: casey@schaufler-ca.com, paul@paul-moore.com, linux-security-module@vger.kernel.org
Cc: jmorris@namei.org, serge@hallyn.com, keescook@chromium.org, john.johansen@canonical.com, penguin-kernel@i-love.sakura.ne.jp, stephen.smalley.work@gmail.com, linux-kernel@vger.kernel.org, mic@digikod.net, linux-integrity@vger.kernel.org
Subject: [PATCH v39 01/42] integrity: disassociate ima_filter_rule from security_audit_rule
Date: Fri, 15 Dec 2023 14:15:55 -0800
Message-ID: <20231215221636.105680-2-casey@schaufler-ca.com>
X-Mailer: git-send-email 2.43.0
In-Reply-To: <20231215221636.105680-1-casey@schaufler-ca.com>
References: <20231215221636.105680-1-casey@schaufler-ca.com>
X-Mailing-List: linux-security-module@vger.kernel.org

Create real functions for the ima_filter_rule interfaces. These replace #defines that obscure the reuse of audit interfaces. The new functions are put in security.c because they use security module registered hooks that we don't want exported.

Acked-by: Paul Moore
Reviewed-by: John Johansen
Signed-off-by: Casey Schaufler To: Mimi Zohar Cc: linux-integrity@vger.kernel.org --- include/linux/security.h | 24 ++++++++++++++++++++++++ security/integrity/ima/ima.h | 26 -------------------------- security/security.c | 21 +++++++++++++++++++++ 3 files changed, 45 insertions(+), 26 deletions(-) diff --git a/include/linux/security.h b/include/linux/security.h index 750130a7b9dd..4790508818ee 100644 --- a/include/linux/security.h +++ b/include/linux/security.h @@ -2009,6 +2009,30 @@ static inline void security_audit_rule_free(void *lsmrule) #endif /* CONFIG_SECURITY */ #endif /* CONFIG_AUDIT */ +#if defined(CONFIG_IMA_LSM_RULES) && defined(CONFIG_SECURITY) +int ima_filter_rule_init(u32 field, u32 op, char *rulestr, void **lsmrule); +int ima_filter_rule_match(u32 secid, u32 field, u32 op, void *lsmrule); +void ima_filter_rule_free(void *lsmrule); + +#else + +static inline int ima_filter_rule_init(u32 field, u32 op, char *rulestr, + void **lsmrule) +{ + return 0; +} + +static inline int ima_filter_rule_match(u32 secid, u32 field, u32 op, + void *lsmrule) +{ + return 0; +} + +static inline void ima_filter_rule_free(void *lsmrule) +{ } + +#endif /* defined(CONFIG_IMA_LSM_RULES) && defined(CONFIG_SECURITY) */ + #ifdef CONFIG_SECURITYFS extern struct dentry *securityfs_create_file(const char *name, umode_t mode, diff --git a/security/integrity/ima/ima.h b/security/integrity/ima/ima.h index c29db699c996..560d6104de72 100644 --- a/security/integrity/ima/ima.h +++ b/security/integrity/ima/ima.h 
@@ -420,32 +420,6 @@ static inline void ima_free_modsig(struct modsig *modsig) } #endif /* CONFIG_IMA_APPRAISE_MODSIG */ -/* LSM based policy rules require audit */ -#ifdef CONFIG_IMA_LSM_RULES - -#define ima_filter_rule_init security_audit_rule_init -#define ima_filter_rule_free security_audit_rule_free -#define ima_filter_rule_match security_audit_rule_match - -#else - -static inline int ima_filter_rule_init(u32 field, u32 op, char *rulestr, - void **lsmrule) -{ - return -EINVAL; -} - -static inline void ima_filter_rule_free(void *lsmrule) -{ -} - -static inline int ima_filter_rule_match(u32 secid, u32 field, u32 op, - void *lsmrule) -{ - return -EINVAL; -} -#endif /* CONFIG_IMA_LSM_RULES */ - #ifdef CONFIG_IMA_READ_POLICY #define POLICY_FILE_FLAGS (S_IWUSR | S_IRUSR) #else diff --git a/security/security.c b/security/security.c index d7b15ea67c3f..8e5379a76369 100644 --- a/security/security.c +++ b/security/security.c 
@@ -5350,6 +5350,27 @@ int security_audit_rule_match(u32 secid, u32 field, u32 op, void *lsmrule) } #endif /* CONFIG_AUDIT */ +#ifdef CONFIG_IMA_LSM_RULES +/* + * The integrity subsystem uses the same hooks as + * the audit subsystem. + */ +int ima_filter_rule_init(u32 field, u32 op, char *rulestr, void **lsmrule) +{ + return call_int_hook(audit_rule_init, 0, field, op, rulestr, lsmrule); +} + +void ima_filter_rule_free(void *lsmrule) +{ + call_void_hook(audit_rule_free, lsmrule); +} + +int ima_filter_rule_match(u32 secid, u32 field, u32 op, void *lsmrule) +{ + return call_int_hook(audit_rule_match, 0, secid, field, op, lsmrule); +} +#endif /* CONFIG_IMA_LSM_RULES */ + #ifdef CONFIG_BPF_SYSCALL /** * security_bpf() - Check if the bpf syscall operation is allowed

From patchwork Fri Dec 15 22:15:56 2023
X-Patchwork-Submitter: Casey Schaufler
X-Patchwork-Id: 13495116
X-Patchwork-Delegate: paul@paul-moore.com
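Review bot: in the include/linux/security.h hunk, the fallback stubs return 0 where the ima.h stubs they replace returned -EINVAL, for both ima_filter_rule_init() and ima_filter_rule_match(), and the commit message does not call this out. With the new stubs a caller sees ima_filter_rule_init() succeed while *lsmrule is left untouched, and ima_filter_rule_match() reports "no match" instead of an error; either keep `return -EINVAL;` in the stubs or state in the commit message why 0 is the intended fallback (the ima_filter_rule_free() stub is unaffected).

Review bot: in the security/security.c hunk, the new CONFIG_IMA_LSM_RULES block is placed right after `#endif /* CONFIG_AUDIT */` yet calls the audit_rule_init, audit_rule_free and audit_rule_match hooks unconditionally, and the one comment that recorded the dependency (`/* LSM based policy rules require audit */` in ima.h) is deleted by this patch without replacement. Suggest extending the block comment, e.g. ` * the audit subsystem; LSM based IMA rules require CONFIG_AUDIT,` so a reader knows why the hooks are guaranteed to exist here. The three new functions also lack the kernel-doc that the neighbouring security_*() functions in this file carry (compare `/** * security_bpf() - ...` immediately below); a short kernel-doc block for each would match the file's style.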
From: Casey Schaufler
To: casey@schaufler-ca.com, paul@paul-moore.com, linux-security-module@vger.kernel.org
Cc: jmorris@namei.org, serge@hallyn.com, keescook@chromium.org, john.johansen@canonical.com, penguin-kernel@i-love.sakura.ne.jp, stephen.smalley.work@gmail.com, linux-kernel@vger.kernel.org, mic@digikod.net
Subject: [PATCH v39 02/42] SM: Infrastructure management of the sock security
Date: Fri, 15 Dec 2023 14:15:56 -0800
Message-ID: <20231215221636.105680-3-casey@schaufler-ca.com>
X-Mailer: git-send-email 2.43.0
In-Reply-To: <20231215221636.105680-1-casey@schaufler-ca.com>
References: <20231215221636.105680-1-casey@schaufler-ca.com>
X-Mailing-List: linux-security-module@vger.kernel.org

Move management of the sock->sk_security blob out of the individual security modules and into the security infrastructure. Instead of allocating the blobs from within the modules, the modules tell the infrastructure how much space is required, and the space is allocated there.

Acked-by: Paul Moore
Reviewed-by: Kees Cook
Reviewed-by: John Johansen
Acked-by: Stephen Smalley
Signed-off-by: Casey Schaufler
---
 include/linux/lsm_hooks.h         |  1 +
 security/apparmor/include/net.h   |  3 +-
 security/apparmor/lsm.c           | 20 +-------
 security/apparmor/net.c           |  2 +-
 security/security.c               | 36 ++++++++++++++-
 security/selinux/hooks.c          | 76 ++++++++++++++-----------------
 security/selinux/include/objsec.h |  5 ++
 security/selinux/netlabel.c       | 23 +++++-----
 security/smack/smack.h            |  5 ++
 security/smack/smack_lsm.c        | 70 ++++++++++++++--------------
 security/smack/smack_netfilter.c  |  4 +-
 11 files changed, 131 insertions(+), 114 deletions(-)

diff --git a/include/linux/lsm_hooks.h b/include/linux/lsm_hooks.h
index a2ade0ffe9e7..efd4a0655159 100644
--- a/include/linux/lsm_hooks.h
+++ b/include/linux/lsm_hooks.h
@@ -73,6 +73,7 @@ struct lsm_blob_sizes { int lbs_cred; int lbs_file; int lbs_inode; + int lbs_sock; int lbs_superblock; int lbs_ipc; int lbs_msg_msg; diff --git a/security/apparmor/include/net.h b/security/apparmor/include/net.h index 67bf888c3bd6..c42ed8a73f1c 100644 --- a/security/apparmor/include/net.h +++ b/security/apparmor/include/net.h @@ -51,10 +51,9 @@ struct aa_sk_ctx { struct aa_label *peer; }; -#define SK_CTX(X) ((X)->sk_security) static inline struct aa_sk_ctx *aa_sock(const struct sock *sk) { - return sk->sk_security; + return sk->sk_security + apparmor_blob_sizes.lbs_sock; } #define DEFINE_AUDIT_NET(NAME, OP, SK, F, T, P) \ diff --git a/security/apparmor/lsm.c b/security/apparmor/lsm.c index e490a7000408..8af5f458e218 100644 --- a/security/apparmor/lsm.c +++ b/security/apparmor/lsm.c @@ -1056,22 +1056,6 @@ static int apparmor_userns_create(const struct cred *cred) return error; } -/** - * apparmor_sk_alloc_security - allocate and attach the sk_security field - */ -static int apparmor_sk_alloc_security(struct sock *sk, int family, gfp_t flags) -{ - struct aa_sk_ctx *ctx; - - ctx = kzalloc(sizeof(*ctx), flags); - if (!ctx) - return -ENOMEM; - - sk->sk_security = ctx; - - return 0; -} - /** * apparmor_sk_free_security - free the sk_security field */ @@ -1079,10 +1063,8 @@ static void apparmor_sk_free_security(struct sock *sk) { struct aa_sk_ctx *ctx = aa_sock(sk); - sk->sk_security = NULL; aa_put_label(ctx->label); aa_put_label(ctx->peer); - kfree(ctx); } /** @@ -1452,6 +1434,7 @@ struct lsm_blob_sizes apparmor_blob_sizes __ro_after_init = { .lbs_cred = sizeof(struct aa_label *), .lbs_file = sizeof(struct aa_file_ctx), .lbs_task = sizeof(struct aa_task_ctx), + .lbs_sock = sizeof(struct aa_sk_ctx), }; static const struct lsm_id apparmor_lsmid = { 
@@ -1497,7 +1480,6 @@ static struct security_hook_list apparmor_hooks[] __ro_after_init = { LSM_HOOK_INIT(getprocattr, apparmor_getprocattr), LSM_HOOK_INIT(setprocattr, apparmor_setprocattr), - LSM_HOOK_INIT(sk_alloc_security, apparmor_sk_alloc_security), LSM_HOOK_INIT(sk_free_security, apparmor_sk_free_security), LSM_HOOK_INIT(sk_clone_security, apparmor_sk_clone_security), diff --git a/security/apparmor/net.c b/security/apparmor/net.c index 87e934b2b548..77413a519117 100644 --- a/security/apparmor/net.c +++ b/security/apparmor/net.c @@ -151,7 +151,7 @@ static int aa_label_sk_perm(const struct cred *subj_cred, const char *op, u32 request, struct sock *sk) { - struct aa_sk_ctx *ctx = SK_CTX(sk); + struct aa_sk_ctx *ctx = aa_sock(sk); int error = 0; AA_BUG(!label); diff --git a/security/security.c b/security/security.c index 8e5379a76369..0a51e3d23570 100644 --- a/security/security.c +++ b/security/security.c @@ -30,6 +30,7 @@ #include #include #include +#include /* How many LSMs were built into the kernel? */ #define LSM_COUNT (__end_lsm_info - __start_lsm_info) @@ -226,6 +227,7 @@ static void __init lsm_set_blob_sizes(struct lsm_blob_sizes *needed) lsm_set_blob_size(&needed->lbs_inode, &blob_sizes.lbs_inode); lsm_set_blob_size(&needed->lbs_ipc, &blob_sizes.lbs_ipc); lsm_set_blob_size(&needed->lbs_msg_msg, &blob_sizes.lbs_msg_msg); + lsm_set_blob_size(&needed->lbs_sock, &blob_sizes.lbs_sock); lsm_set_blob_size(&needed->lbs_superblock, &blob_sizes.lbs_superblock); lsm_set_blob_size(&needed->lbs_task, &blob_sizes.lbs_task); lsm_set_blob_size(&needed->lbs_xattr_count, 
@@ -400,6 +402,7 @@ static void __init ordered_lsm_init(void) init_debug("inode blob size = %d\n", blob_sizes.lbs_inode); init_debug("ipc blob size = %d\n", blob_sizes.lbs_ipc); init_debug("msg_msg blob size = %d\n", blob_sizes.lbs_msg_msg); + init_debug("sock blob size = %d\n", blob_sizes.lbs_sock); init_debug("superblock blob size = %d\n", blob_sizes.lbs_superblock); init_debug("task blob size = %d\n", blob_sizes.lbs_task); init_debug("xattr slots = %d\n", blob_sizes.lbs_xattr_count); @@ -4626,6 +4629,28 @@ int security_socket_getpeersec_dgram(struct socket *sock, } EXPORT_SYMBOL(security_socket_getpeersec_dgram); +/** + * lsm_sock_alloc - allocate a composite sock blob + * @sock: the sock that needs a blob + * @priority: allocation mode + * + * Allocate the sock blob for all the modules + * + * Returns 0, or -ENOMEM if memory can't be allocated. + */ +static int lsm_sock_alloc(struct sock *sock, gfp_t priority) +{ + if (blob_sizes.lbs_sock == 0) { + sock->sk_security = NULL; + return 0; + } + + sock->sk_security = kzalloc(blob_sizes.lbs_sock, priority); + if (sock->sk_security == NULL) + return -ENOMEM; + return 0; +} + /** * security_sk_alloc() - Allocate and initialize a sock's LSM blob * @sk: sock @@ -4639,7 +4664,14 @@ EXPORT_SYMBOL(security_socket_getpeersec_dgram); */ int security_sk_alloc(struct sock *sk, int family, gfp_t priority) { - return call_int_hook(sk_alloc_security, 0, sk, family, priority); + int rc = lsm_sock_alloc(sk, priority); + + if (unlikely(rc)) + return rc; + rc = call_int_hook(sk_alloc_security, 0, sk, family, priority); + if (unlikely(rc)) + security_sk_free(sk); + return rc; } /** @@ -4651,6 +4683,8 @@ int security_sk_alloc(struct sock *sk, int family, gfp_t priority) void security_sk_free(struct sock *sk) { call_void_hook(sk_free_security, sk); + kfree(sk->sk_security); + sk->sk_security = NULL; } /** diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c index b340425ccfae..aa15acd344ea 100644 
--- a/security/selinux/hooks.c +++ b/security/selinux/hooks.c @@ -4547,7 +4547,7 @@ static int socket_sockcreate_sid(const struct task_security_struct *tsec, static int sock_has_perm(struct sock *sk, u32 perms) { - struct sk_security_struct *sksec = sk->sk_security; + struct sk_security_struct *sksec = selinux_sock(sk); struct common_audit_data ad; struct lsm_network_audit net; @@ -4600,7 +4600,7 @@ static int selinux_socket_post_create(struct socket *sock, int family, isec->initialized = LABEL_INITIALIZED; if (sock->sk) { - sksec = sock->sk->sk_security; + sksec = selinux_sock(sock->sk); sksec->sclass = sclass; sksec->sid = sid; /* Allows detection of the first association on this socket */ @@ -4616,8 +4616,8 @@ static int selinux_socket_post_create(struct socket *sock, int family, static int selinux_socket_socketpair(struct socket *socka, struct socket *sockb) { - struct sk_security_struct *sksec_a = socka->sk->sk_security; - struct sk_security_struct *sksec_b = sockb->sk->sk_security; + struct sk_security_struct *sksec_a = selinux_sock(socka->sk); + struct sk_security_struct *sksec_b = selinux_sock(sockb->sk); sksec_a->peer_sid = sksec_b->sid; sksec_b->peer_sid = sksec_a->sid; @@ -4632,7 +4632,7 @@ static int selinux_socket_socketpair(struct socket *socka, static int selinux_socket_bind(struct socket *sock, struct sockaddr *address, int addrlen) { struct sock *sk = sock->sk; - struct sk_security_struct *sksec = sk->sk_security; + struct sk_security_struct *sksec = selinux_sock(sk); u16 family; int err; @@ -4765,7 +4765,7 @@ static int selinux_socket_connect_helper(struct socket *sock, struct sockaddr *address, int addrlen) { struct sock *sk = sock->sk; - struct sk_security_struct *sksec = sk->sk_security; + struct sk_security_struct *sksec = selinux_sock(sk); int err; err = sock_has_perm(sk, SOCKET__CONNECT); 
@@ -4943,9 +4943,9 @@ static int selinux_socket_unix_stream_connect(struct sock *sock, struct sock *other, struct sock *newsk) { - struct sk_security_struct *sksec_sock = sock->sk_security; - struct sk_security_struct *sksec_other = other->sk_security; - struct sk_security_struct *sksec_new = newsk->sk_security; + struct sk_security_struct *sksec_sock = selinux_sock(sock); + struct sk_security_struct *sksec_other = selinux_sock(other); + struct sk_security_struct *sksec_new = selinux_sock(newsk); struct common_audit_data ad; struct lsm_network_audit net; int err; @@ -4974,8 +4974,8 @@ static int selinux_socket_unix_stream_connect(struct sock *sock, static int selinux_socket_unix_may_send(struct socket *sock, struct socket *other) { - struct sk_security_struct *ssec = sock->sk->sk_security; - struct sk_security_struct *osec = other->sk->sk_security; + struct sk_security_struct *ssec = selinux_sock(sock->sk); + struct sk_security_struct *osec = selinux_sock(other->sk); struct common_audit_data ad; struct lsm_network_audit net; @@ -5012,7 +5012,7 @@ static int selinux_sock_rcv_skb_compat(struct sock *sk, struct sk_buff *skb, u16 family) { int err = 0; - struct sk_security_struct *sksec = sk->sk_security; + struct sk_security_struct *sksec = selinux_sock(sk); u32 sk_sid = sksec->sid; struct common_audit_data ad; struct lsm_network_audit net; @@ -5041,7 +5041,7 @@ static int selinux_sock_rcv_skb_compat(struct sock *sk, struct sk_buff *skb, static int selinux_socket_sock_rcv_skb(struct sock *sk, struct sk_buff *skb) { int err, peerlbl_active, secmark_active; - struct sk_security_struct *sksec = sk->sk_security; + struct sk_security_struct *sksec = selinux_sock(sk); u16 family = sk->sk_family; u32 sk_sid = sksec->sid; struct common_audit_data ad; 
@@ -5109,7 +5109,7 @@ static int selinux_socket_getpeersec_stream(struct socket *sock, int err = 0; char *scontext = NULL; u32 scontext_len; - struct sk_security_struct *sksec = sock->sk->sk_security; + struct sk_security_struct *sksec = selinux_sock(sock->sk); u32 peer_sid = SECSID_NULL; if (sksec->sclass == SECCLASS_UNIX_STREAM_SOCKET || @@ -5167,34 +5167,27 @@ static int selinux_socket_getpeersec_dgram(struct socket *sock, struct sk_buff * static int selinux_sk_alloc_security(struct sock *sk, int family, gfp_t priority) { - struct sk_security_struct *sksec; - - sksec = kzalloc(sizeof(*sksec), priority); - if (!sksec) - return -ENOMEM; + struct sk_security_struct *sksec = selinux_sock(sk); sksec->peer_sid = SECINITSID_UNLABELED; sksec->sid = SECINITSID_UNLABELED; sksec->sclass = SECCLASS_SOCKET; selinux_netlbl_sk_security_reset(sksec); - sk->sk_security = sksec; return 0; } static void selinux_sk_free_security(struct sock *sk) { - struct sk_security_struct *sksec = sk->sk_security; + struct sk_security_struct *sksec = selinux_sock(sk); - sk->sk_security = NULL; selinux_netlbl_sk_security_free(sksec); - kfree(sksec); } static void selinux_sk_clone_security(const struct sock *sk, struct sock *newsk) { - struct sk_security_struct *sksec = sk->sk_security; - struct sk_security_struct *newsksec = newsk->sk_security; + struct sk_security_struct *sksec = selinux_sock(sk); + struct sk_security_struct *newsksec = selinux_sock(newsk); newsksec->sid = sksec->sid; newsksec->peer_sid = sksec->peer_sid; @@ -5208,7 +5201,7 @@ static void selinux_sk_getsecid(const struct sock *sk, u32 *secid) if (!sk) *secid = SECINITSID_ANY_SOCKET; else { - const struct sk_security_struct *sksec = sk->sk_security; + const struct sk_security_struct *sksec = selinux_sock(sk); *secid = sksec->sid; } 
@@ -5218,7 +5211,7 @@ static void selinux_sock_graft(struct sock *sk, struct socket *parent) { struct inode_security_struct *isec = inode_security_novalidate(SOCK_INODE(parent)); - struct sk_security_struct *sksec = sk->sk_security; + struct sk_security_struct *sksec = selinux_sock(sk); if (sk->sk_family == PF_INET || sk->sk_family == PF_INET6 || sk->sk_family == PF_UNIX) @@ -5235,7 +5228,7 @@ static int selinux_sctp_process_new_assoc(struct sctp_association *asoc, { struct sock *sk = asoc->base.sk; u16 family = sk->sk_family; - struct sk_security_struct *sksec = sk->sk_security; + struct sk_security_struct *sksec = selinux_sock(sk); struct common_audit_data ad; struct lsm_network_audit net; int err; @@ -5290,7 +5283,7 @@ static int selinux_sctp_process_new_assoc(struct sctp_association *asoc, static int selinux_sctp_assoc_request(struct sctp_association *asoc, struct sk_buff *skb) { - struct sk_security_struct *sksec = asoc->base.sk->sk_security; + struct sk_security_struct *sksec = selinux_sock(asoc->base.sk); u32 conn_sid; int err; @@ -5323,7 +5316,7 @@ static int selinux_sctp_assoc_request(struct sctp_association *asoc, static int selinux_sctp_assoc_established(struct sctp_association *asoc, struct sk_buff *skb) { - struct sk_security_struct *sksec = asoc->base.sk->sk_security; + struct sk_security_struct *sksec = selinux_sock(asoc->base.sk); if (!selinux_policycap_extsockclass()) return 0; @@ -5422,8 +5415,8 @@ static int selinux_sctp_bind_connect(struct sock *sk, int optname, static void selinux_sctp_sk_clone(struct sctp_association *asoc, struct sock *sk, struct sock *newsk) { - struct sk_security_struct *sksec = sk->sk_security; - struct sk_security_struct *newsksec = newsk->sk_security; + struct sk_security_struct *sksec = selinux_sock(sk); + struct sk_security_struct *newsksec = selinux_sock(newsk); /* If policy does not support SECCLASS_SCTP_SOCKET then call * the non-sctp clone version. 
@@ -5455,7 +5448,7 @@ static int selinux_mptcp_add_subflow(struct sock *sk, struct sock *ssk) static int selinux_inet_conn_request(const struct sock *sk, struct sk_buff *skb, struct request_sock *req) { - struct sk_security_struct *sksec = sk->sk_security; + struct sk_security_struct *sksec = selinux_sock(sk); int err; u16 family = req->rsk_ops->family; u32 connsid; @@ -5476,7 +5469,7 @@ static int selinux_inet_conn_request(const struct sock *sk, struct sk_buff *skb, static void selinux_inet_csk_clone(struct sock *newsk, const struct request_sock *req) { - struct sk_security_struct *newsksec = newsk->sk_security; + struct sk_security_struct *newsksec = selinux_sock(newsk); newsksec->sid = req->secid; newsksec->peer_sid = req->peer_secid; @@ -5493,7 +5486,7 @@ static void selinux_inet_csk_clone(struct sock *newsk, static void selinux_inet_conn_established(struct sock *sk, struct sk_buff *skb) { u16 family = sk->sk_family; - struct sk_security_struct *sksec = sk->sk_security; + struct sk_security_struct *sksec = selinux_sock(sk); /* handle mapped IPv4 packets arriving via IPv6 sockets */ if (family == PF_INET6 && skb->protocol == htons(ETH_P_IP)) @@ -5574,7 +5567,7 @@ static int selinux_tun_dev_attach_queue(void *security) static int selinux_tun_dev_attach(struct sock *sk, void *security) { struct tun_security_struct *tunsec = security; - struct sk_security_struct *sksec = sk->sk_security; + struct sk_security_struct *sksec = selinux_sock(sk); /* we don't currently perform any NetLabel based labeling here and it * isn't clear that we would want to do so anyway; while we could apply @@ -5697,7 +5690,7 @@ static unsigned int selinux_ip_output(void *priv, struct sk_buff *skb, return NF_ACCEPT; /* standard practice, label using the parent socket */ - sksec = sk->sk_security; + sksec = selinux_sock(sk); sid = sksec->sid; } else sid = SECINITSID_KERNEL; 
@@ -5720,7 +5713,7 @@ static unsigned int selinux_ip_postroute_compat(struct sk_buff *skb, sk = skb_to_full_sk(skb); if (sk == NULL) return NF_ACCEPT; - sksec = sk->sk_security; + sksec = selinux_sock(sk); ad_net_init_from_iif(&ad, &net, state->out->ifindex, state->pf); if (selinux_parse_skb(skb, &ad, NULL, 0, &proto)) @@ -5809,7 +5802,7 @@ static unsigned int selinux_ip_postroute(void *priv, u32 skb_sid; struct sk_security_struct *sksec; - sksec = sk->sk_security; + sksec = selinux_sock(sk); if (selinux_skb_peerlbl_sid(skb, family, &skb_sid)) return NF_DROP; /* At this point, if the returned skb peerlbl is SECSID_NULL @@ -5838,7 +5831,7 @@ static unsigned int selinux_ip_postroute(void *priv, } else { /* Locally generated packet, fetch the security label from the * associated socket. */ - struct sk_security_struct *sksec = sk->sk_security; + struct sk_security_struct *sksec = selinux_sock(sk); peer_sid = sksec->sid; secmark_perm = PACKET__SEND; } @@ -5881,7 +5874,7 @@ static int selinux_netlink_send(struct sock *sk, struct sk_buff *skb) unsigned int data_len = skb->len; unsigned char *data = skb->data; struct nlmsghdr *nlh; - struct sk_security_struct *sksec = sk->sk_security; + struct sk_security_struct *sksec = selinux_sock(sk); u16 sclass = sksec->sclass; u32 perm; @@ -6915,6 +6908,7 @@ struct lsm_blob_sizes selinux_blob_sizes __ro_after_init = { .lbs_inode = sizeof(struct inode_security_struct), .lbs_ipc = sizeof(struct ipc_security_struct), .lbs_msg_msg = sizeof(struct msg_security_struct), + .lbs_sock = sizeof(struct sk_security_struct), .lbs_superblock = sizeof(struct superblock_security_struct), .lbs_xattr_count = SELINUX_INODE_INIT_XATTRS, }; diff --git a/security/selinux/include/objsec.h b/security/selinux/include/objsec.h index 8159fd53c3de..ca12d4d7cfc6 100644 --- a/security/selinux/include/objsec.h +++ b/security/selinux/include/objsec.h 
@@ -194,4 +194,9 @@ static inline struct superblock_security_struct *selinux_superblock( return superblock->s_security + selinux_blob_sizes.lbs_superblock; } +static inline struct sk_security_struct *selinux_sock(const struct sock *sock) +{ + return sock->sk_security + selinux_blob_sizes.lbs_sock; +} + #endif /* _SELINUX_OBJSEC_H_ */ diff --git a/security/selinux/netlabel.c b/security/selinux/netlabel.c index 8f182800e412..e8832726bd86 100644 --- a/security/selinux/netlabel.c +++ b/security/selinux/netlabel.c @@ -17,6 +17,7 @@ #include #include #include +#include #include #include #include @@ -68,7 +69,7 @@ static int selinux_netlbl_sidlookup_cached(struct sk_buff *skb, static struct netlbl_lsm_secattr *selinux_netlbl_sock_genattr(struct sock *sk) { int rc; - struct sk_security_struct *sksec = sk->sk_security; + struct sk_security_struct *sksec = selinux_sock(sk); struct netlbl_lsm_secattr *secattr; if (sksec->nlbl_secattr != NULL) @@ -100,7 +101,7 @@ static struct netlbl_lsm_secattr *selinux_netlbl_sock_getattr( const struct sock *sk, u32 sid) { - struct sk_security_struct *sksec = sk->sk_security; + struct sk_security_struct *sksec = selinux_sock(sk); struct netlbl_lsm_secattr *secattr = sksec->nlbl_secattr; if (secattr == NULL) @@ -240,7 +241,7 @@ int selinux_netlbl_skbuff_setsid(struct sk_buff *skb, * being labeled by it's parent socket, if it is just exit */ sk = skb_to_full_sk(skb); if (sk != NULL) { - struct sk_security_struct *sksec = sk->sk_security; + struct sk_security_struct *sksec = selinux_sock(sk); if (sksec->nlbl_state != NLBL_REQSKB) return 0; @@ -277,7 +278,7 @@ int selinux_netlbl_sctp_assoc_request(struct sctp_association *asoc, { int rc; struct netlbl_lsm_secattr secattr; - struct sk_security_struct *sksec = asoc->base.sk->sk_security; + struct sk_security_struct *sksec = selinux_sock(asoc->base.sk); struct sockaddr_in addr4; struct sockaddr_in6 addr6; 
@@ -356,7 +357,7 @@ int selinux_netlbl_inet_conn_request(struct request_sock *req, u16 family) */ void selinux_netlbl_inet_csk_clone(struct sock *sk, u16 family) { - struct sk_security_struct *sksec = sk->sk_security; + struct sk_security_struct *sksec = selinux_sock(sk); if (family == PF_INET) sksec->nlbl_state = NLBL_LABELED; @@ -374,8 +375,8 @@ void selinux_netlbl_inet_csk_clone(struct sock *sk, u16 family) */ void selinux_netlbl_sctp_sk_clone(struct sock *sk, struct sock *newsk) { - struct sk_security_struct *sksec = sk->sk_security; - struct sk_security_struct *newsksec = newsk->sk_security; + struct sk_security_struct *sksec = selinux_sock(sk); + struct sk_security_struct *newsksec = selinux_sock(newsk); newsksec->nlbl_state = sksec->nlbl_state; } @@ -393,7 +394,7 @@ void selinux_netlbl_sctp_sk_clone(struct sock *sk, struct sock *newsk) int selinux_netlbl_socket_post_create(struct sock *sk, u16 family) { int rc; - struct sk_security_struct *sksec = sk->sk_security; + struct sk_security_struct *sksec = selinux_sock(sk); struct netlbl_lsm_secattr *secattr; if (family != PF_INET && family != PF_INET6) @@ -507,7 +508,7 @@ int selinux_netlbl_socket_setsockopt(struct socket *sock, { int rc = 0; struct sock *sk = sock->sk; - struct sk_security_struct *sksec = sk->sk_security; + struct sk_security_struct *sksec = selinux_sock(sk); struct netlbl_lsm_secattr secattr; if (selinux_netlbl_option(level, optname) && @@ -545,7 +546,7 @@ static int selinux_netlbl_socket_connect_helper(struct sock *sk, struct sockaddr *addr) { int rc; - struct sk_security_struct *sksec = sk->sk_security; + struct sk_security_struct *sksec = selinux_sock(sk); struct netlbl_lsm_secattr *secattr; /* connected sockets are allowed to disconnect when the address family 
@@ -584,7 +585,7 @@ static int selinux_netlbl_socket_connect_helper(struct sock *sk, int selinux_netlbl_socket_connect_locked(struct sock *sk, struct sockaddr *addr) { - struct sk_security_struct *sksec = sk->sk_security; + struct sk_security_struct *sksec = selinux_sock(sk); if (sksec->nlbl_state != NLBL_REQSKB && sksec->nlbl_state != NLBL_CONNLABELED) diff --git a/security/smack/smack.h b/security/smack/smack.h index 041688e5a77a..297f21446f45 100644 --- a/security/smack/smack.h +++ b/security/smack/smack.h @@ -355,6 +355,11 @@ static inline struct superblock_smack *smack_superblock( return superblock->s_security + smack_blob_sizes.lbs_superblock; } +static inline struct socket_smack *smack_sock(const struct sock *sock) +{ + return sock->sk_security + smack_blob_sizes.lbs_sock; +} + /* * Is the directory transmuting? */ diff --git a/security/smack/smack_lsm.c b/security/smack/smack_lsm.c index 53336d7daa93..cd44f7f3f393 100644 --- a/security/smack/smack_lsm.c +++ b/security/smack/smack_lsm.c @@ -1572,7 +1572,7 @@ static int smack_inode_getsecurity(struct mnt_idmap *idmap, if (sock == NULL || sock->sk == NULL) return -EOPNOTSUPP; - ssp = sock->sk->sk_security; + ssp = smack_sock(sock->sk); if (strcmp(name, XATTR_SMACK_IPIN) == 0) isp = ssp->smk_in; @@ -1960,7 +1960,7 @@ static int smack_file_receive(struct file *file) if (inode->i_sb->s_magic == SOCKFS_MAGIC) { sock = SOCKET_I(inode); - ssp = sock->sk->sk_security; + ssp = smack_sock(sock->sk); tsp = smack_cred(current_cred()); /* * If the receiving process can't write to the 
@@ -2380,11 +2380,7 @@ static void smack_task_to_inode(struct task_struct *p, struct inode *inode) static int smack_sk_alloc_security(struct sock *sk, int family, gfp_t gfp_flags) { struct smack_known *skp = smk_of_current(); - struct socket_smack *ssp; - - ssp = kzalloc(sizeof(struct socket_smack), gfp_flags); - if (ssp == NULL) - return -ENOMEM; + struct socket_smack *ssp = smack_sock(sk); /* * Sockets created by kernel threads receive web label. @@ -2398,11 +2394,10 @@ static int smack_sk_alloc_security(struct sock *sk, int family, gfp_t gfp_flags) } ssp->smk_packet = NULL; - sk->sk_security = ssp; - return 0; } +#ifdef SMACK_IPV6_PORT_LABELING /** * smack_sk_free_security - Free a socket blob * @sk: the socket @@ -2411,7 +2406,6 @@ static int smack_sk_alloc_security(struct sock *sk, int family, gfp_t gfp_flags) */ static void smack_sk_free_security(struct sock *sk) { -#ifdef SMACK_IPV6_PORT_LABELING struct smk_port_label *spp; if (sk->sk_family == PF_INET6) { @@ -2424,9 +2418,8 @@ static void smack_sk_free_security(struct sock *sk) } rcu_read_unlock(); } -#endif - kfree(sk->sk_security); } +#endif /** * smack_sk_clone_security - Copy security context @@ -2437,8 +2430,8 @@ static void smack_sk_free_security(struct sock *sk) */ static void smack_sk_clone_security(const struct sock *sk, struct sock *newsk) { - struct socket_smack *ssp_old = sk->sk_security; - struct socket_smack *ssp_new = newsk->sk_security; + struct socket_smack *ssp_old = smack_sock(sk); + struct socket_smack *ssp_new = smack_sock(newsk); *ssp_new = *ssp_old; } @@ -2554,7 +2547,7 @@ static struct smack_known *smack_ipv6host_label(struct sockaddr_in6 *sip) */ static int smack_netlbl_add(struct sock *sk) { - struct socket_smack *ssp = sk->sk_security; + struct socket_smack *ssp = smack_sock(sk); struct smack_known *skp = ssp->smk_out; int rc; 
@@ -2586,7 +2579,7 @@ static int smack_netlbl_add(struct sock *sk) */ static void smack_netlbl_delete(struct sock *sk) { - struct socket_smack *ssp = sk->sk_security; + struct socket_smack *ssp = smack_sock(sk); /* * Take the label off the socket if one is set. @@ -2618,7 +2611,7 @@ static int smk_ipv4_check(struct sock *sk, struct sockaddr_in *sap) struct smack_known *skp; int rc = 0; struct smack_known *hkp; - struct socket_smack *ssp = sk->sk_security; + struct socket_smack *ssp = smack_sock(sk); struct smk_audit_info ad; rcu_read_lock(); @@ -2691,7 +2684,7 @@ static void smk_ipv6_port_label(struct socket *sock, struct sockaddr *address) { struct sock *sk = sock->sk; struct sockaddr_in6 *addr6; - struct socket_smack *ssp = sock->sk->sk_security; + struct socket_smack *ssp = smack_sock(sock->sk); struct smk_port_label *spp; unsigned short port = 0; @@ -2779,7 +2772,7 @@ static int smk_ipv6_port_check(struct sock *sk, struct sockaddr_in6 *address, int act) { struct smk_port_label *spp; - struct socket_smack *ssp = sk->sk_security; + struct socket_smack *ssp = smack_sock(sk); struct smack_known *skp = NULL; unsigned short port; struct smack_known *object; @@ -2873,7 +2866,7 @@ static int smack_inode_setsecurity(struct inode *inode, const char *name, if (sock == NULL || sock->sk == NULL) return -EOPNOTSUPP; - ssp = sock->sk->sk_security; + ssp = smack_sock(sock->sk); if (strcmp(name, XATTR_SMACK_IPIN) == 0) ssp->smk_in = skp; @@ -2921,7 +2914,7 @@ static int smack_socket_post_create(struct socket *sock, int family, * Sockets created by kernel threads receive web label. */ if (unlikely(current->flags & PF_KTHREAD)) { - ssp = sock->sk->sk_security; + ssp = smack_sock(sock->sk); ssp->smk_in = &smack_known_web; ssp->smk_out = &smack_known_web; } 
@@ -2946,8 +2939,8 @@ static int smack_socket_post_create(struct socket *sock, int family, static int smack_socket_socketpair(struct socket *socka, struct socket *sockb) { - struct socket_smack *asp = socka->sk->sk_security; - struct socket_smack *bsp = sockb->sk->sk_security; + struct socket_smack *asp = smack_sock(socka->sk); + struct socket_smack *bsp = smack_sock(sockb->sk); asp->smk_packet = bsp->smk_out; bsp->smk_packet = asp->smk_out; @@ -3010,7 +3003,7 @@ static int smack_socket_connect(struct socket *sock, struct sockaddr *sap, if (__is_defined(SMACK_IPV6_SECMARK_LABELING)) rsp = smack_ipv6host_label(sip); if (rsp != NULL) { - struct socket_smack *ssp = sock->sk->sk_security; + struct socket_smack *ssp = smack_sock(sock->sk); rc = smk_ipv6_check(ssp->smk_out, rsp, sip, SMK_CONNECTING); @@ -3805,9 +3798,9 @@ static int smack_unix_stream_connect(struct sock *sock, { struct smack_known *skp; struct smack_known *okp; - struct socket_smack *ssp = sock->sk_security; - struct socket_smack *osp = other->sk_security; - struct socket_smack *nsp = newsk->sk_security; + struct socket_smack *ssp = smack_sock(sock); + struct socket_smack *osp = smack_sock(other); + struct socket_smack *nsp = smack_sock(newsk); struct smk_audit_info ad; int rc = 0; #ifdef CONFIG_AUDIT @@ -3853,8 +3846,8 @@ static int smack_unix_stream_connect(struct sock *sock, */ static int smack_unix_may_send(struct socket *sock, struct socket *other) { - struct socket_smack *ssp = sock->sk->sk_security; - struct socket_smack *osp = other->sk->sk_security; + struct socket_smack *ssp = smack_sock(sock->sk); + struct socket_smack *osp = smack_sock(other->sk); struct smk_audit_info ad; int rc; 
@@ -3891,7 +3884,7 @@ static int smack_socket_sendmsg(struct socket *sock, struct msghdr *msg, struct sockaddr_in6 *sap = (struct sockaddr_in6 *) msg->msg_name; #endif #ifdef SMACK_IPV6_SECMARK_LABELING - struct socket_smack *ssp = sock->sk->sk_security; + struct socket_smack *ssp = smack_sock(sock->sk); struct smack_known *rsp; #endif int rc = 0; @@ -4103,7 +4096,7 @@ static struct smack_known *smack_from_netlbl(const struct sock *sk, u16 family, netlbl_secattr_init(&secattr); if (sk) - ssp = sk->sk_security; + ssp = smack_sock(sk); if (netlbl_skbuff_getattr(skb, family, &secattr) == 0) { skp = smack_from_secattr(&secattr, ssp); @@ -4125,7 +4118,7 @@ static struct smack_known *smack_from_netlbl(const struct sock *sk, u16 family, */ static int smack_socket_sock_rcv_skb(struct sock *sk, struct sk_buff *skb) { - struct socket_smack *ssp = sk->sk_security; + struct socket_smack *ssp = smack_sock(sk); struct smack_known *skp = NULL; int rc = 0; struct smk_audit_info ad; @@ -4229,7 +4222,7 @@ static int smack_socket_getpeersec_stream(struct socket *sock, u32 slen = 1; int rc = 0; - ssp = sock->sk->sk_security; + ssp = smack_sock(sock->sk); if (ssp->smk_packet != NULL) { rcp = ssp->smk_packet->smk_known; slen = strlen(rcp) + 1; @@ -4279,7 +4272,7 @@ static int smack_socket_getpeersec_dgram(struct socket *sock, switch (family) { case PF_UNIX: - ssp = sock->sk->sk_security; + ssp = smack_sock(sock->sk); s = ssp->smk_out->smk_secid; break; case PF_INET: @@ -4328,7 +4321,7 @@ static void smack_sock_graft(struct sock *sk, struct socket *parent) (sk->sk_family != PF_INET && sk->sk_family != PF_INET6)) return; - ssp = sk->sk_security; + ssp = smack_sock(sk); ssp->smk_in = skp; ssp->smk_out = skp; /* cssp->smk_packet is already set in smack_inet_csk_clone() */ 
@@ -4348,7 +4341,7 @@ static int smack_inet_conn_request(const struct sock *sk, struct sk_buff *skb, { u16 family = sk->sk_family; struct smack_known *skp; - struct socket_smack *ssp = sk->sk_security; + struct socket_smack *ssp = smack_sock(sk); struct sockaddr_in addr; struct iphdr *hdr; struct smack_known *hskp; @@ -4434,7 +4427,7 @@ static int smack_inet_conn_request(const struct sock *sk, struct sk_buff *skb, static void smack_inet_csk_clone(struct sock *sk, const struct request_sock *req) { - struct socket_smack *ssp = sk->sk_security; + struct socket_smack *ssp = smack_sock(sk); struct smack_known *skp; if (req->peer_secid != 0) { @@ -5002,6 +4995,7 @@ struct lsm_blob_sizes smack_blob_sizes __ro_after_init = { .lbs_inode = sizeof(struct inode_smack), .lbs_ipc = sizeof(struct smack_known *), .lbs_msg_msg = sizeof(struct smack_known *), + .lbs_sock = sizeof(struct socket_smack), .lbs_superblock = sizeof(struct superblock_smack), .lbs_xattr_count = SMACK_INODE_INIT_XATTRS, }; @@ -5124,7 +5118,9 @@ static struct security_hook_list smack_hooks[] __ro_after_init = { LSM_HOOK_INIT(socket_getpeersec_stream, smack_socket_getpeersec_stream), LSM_HOOK_INIT(socket_getpeersec_dgram, smack_socket_getpeersec_dgram), LSM_HOOK_INIT(sk_alloc_security, smack_sk_alloc_security), +#ifdef SMACK_IPV6_PORT_LABELING LSM_HOOK_INIT(sk_free_security, smack_sk_free_security), +#endif LSM_HOOK_INIT(sk_clone_security, smack_sk_clone_security), LSM_HOOK_INIT(sock_graft, smack_sock_graft), LSM_HOOK_INIT(inet_conn_request, smack_inet_conn_request), diff --git a/security/smack/smack_netfilter.c b/security/smack/smack_netfilter.c index b945c1d3a743..bad71b7e648d 100644 --- a/security/smack/smack_netfilter.c +++ b/security/smack/smack_netfilter.c 
@@ -26,8 +26,8 @@ static unsigned int smack_ip_output(void *priv, struct socket_smack *ssp; struct smack_known *skp; - if (sk && sk->sk_security) { - ssp = sk->sk_security; + if (sk) { + ssp = smack_sock(sk); skp = ssp->smk_out; skb->secmark = skp->smk_secid; }
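Review bot: In the smack_ip_output hunk the `sk->sk_security` NULL test is dropped together with the conversion to smack_sock(); that is only safe if every struct sock reaching this netfilter output hook already has its blob allocated by the infrastructure, so either state that guarantee in the commit message (sk_alloc_security runs before a socket can transmit) or keep the guard as `if (sk && sk->sk_security)`.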
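Review bot: The smack_sk_free_security hunk keeps the kernel-doc line `smack_sk_free_security - Free a socket blob` although the function no longer frees anything (the kfree() is gone and the blob is now infrastructure-managed); it only drops the IPv6 port label, so reword the comment, and explain in the commit message why the hook is now registered only under SMACK_IPV6_PORT_LABELING.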
From: Casey Schaufler
To: casey@schaufler-ca.com, paul@paul-moore.com, linux-security-module@vger.kernel.org
Cc: jmorris@namei.org, serge@hallyn.com, keescook@chromium.org, john.johansen@canonical.com, penguin-kernel@i-love.sakura.ne.jp, stephen.smalley.work@gmail.com, linux-kernel@vger.kernel.org, mic@digikod.net
Subject: [PATCH v39 03/42] LSM: Add the lsmblob data structure.
Date: Fri, 15 Dec 2023 14:15:57 -0800
Message-ID: <20231215221636.105680-4-casey@schaufler-ca.com>
In-Reply-To: <20231215221636.105680-1-casey@schaufler-ca.com>
References: <20231215221636.105680-1-casey@schaufler-ca.com>

When more than one security module is exporting data to audit and
networking sub-systems a single 32-bit integer is no longer sufficient
to represent the data. Add a structure to be used instead.

The lsmblob structure definition is intended to keep the LSM specific
information private to the individual security modules. The module
specific information is included in a new set of header files under
include/lsm. Each security module is allowed to define the information
included for its use in the lsmblob. SELinux includes a u32 secid.
Smack includes a pointer into its global label list. The conditional
compilation based on feature inclusion is contained in the include/lsm
files.

Suggested-by: Paul Moore
Signed-off-by: Casey Schaufler
---
 include/linux/lsm/apparmor.h | 17 +++++++++++++++++
 include/linux/lsm/bpf.h      | 16 ++++++++++++++++
 include/linux/lsm/selinux.h  | 16 ++++++++++++++++
 include/linux/lsm/smack.h    | 17 +++++++++++++++++
 include/linux/security.h     | 20 ++++++++++++++++++++
 5 files changed, 86 insertions(+)
 create mode 100644 include/linux/lsm/apparmor.h
 create mode 100644 include/linux/lsm/bpf.h
 create mode 100644 include/linux/lsm/selinux.h
 create mode 100644 include/linux/lsm/smack.h
diff --git a/include/linux/lsm/apparmor.h b/include/linux/lsm/apparmor.h new file mode 100644 index 000000000000..8ff1cd899a20 --- /dev/null +++ b/include/linux/lsm/apparmor.h @@ -0,0 +1,17 @@ +/* SPDX-License-Identifier: GPL-2.0 */ +/* + * Linux Security Module interface to other subsystems. + * AppArmor presents a single u32 value which is known as a secid. + */ +#ifndef __LINUX_LSM_APPARMOR_H +#define __LINUX_LSM_APPARMOR_H + +struct aa_label; + +struct lsmblob_apparmor { +#ifdef CONFIG_SECURITY_APPARMOR + struct aa_label *label; +#endif +}; + +#endif /* ! __LINUX_LSM_APPARMOR_H */ diff --git a/include/linux/lsm/bpf.h b/include/linux/lsm/bpf.h new file mode 100644 index 000000000000..48abdcd82ded --- /dev/null +++ b/include/linux/lsm/bpf.h @@ -0,0 +1,16 @@ +/* SPDX-License-Identifier: GPL-2.0 */ +/* + * Linux Security Module interface to other subsystems. + * BPF may present a single u32 value. + */ +#ifndef __LINUX_LSM_BPF_H +#define __LINUX_LSM_BPF_H +#include + +struct lsmblob_bpf { +#ifdef CONFIG_BPF_LSM + u32 secid; +#endif +}; + +#endif /* ! __LINUX_LSM_BPF_H */ diff --git a/include/linux/lsm/selinux.h b/include/linux/lsm/selinux.h new file mode 100644 index 000000000000..fd16456b36ac --- /dev/null +++ b/include/linux/lsm/selinux.h @@ -0,0 +1,16 @@ +/* SPDX-License-Identifier: GPL-2.0 */ +/* + * Linux Security Module interface to other subsystems. + * SELinux presents a single u32 value which is known as a secid. + */ +#ifndef __LINUX_LSM_SELINUX_H +#define __LINUX_LSM_SELINUX_H +#include + +struct lsmblob_selinux { +#ifdef CONFIG_SECURITY_SELINUX + u32 secid; +#endif +}; + +#endif /* ! __LINUX_LSM_SELINUX_H */ diff --git a/include/linux/lsm/smack.h b/include/linux/lsm/smack.h new file mode 100644 index 000000000000..2018f288302f --- /dev/null +++ b/include/linux/lsm/smack.h 
@@ -0,0 +1,17 @@ +/* SPDX-License-Identifier: GPL-2.0 */ +/* + * Linux Security Module interface to other subsystems. + * Smack presents a pointer into the global Smack label list. + */ +#ifndef __LINUX_LSM_SMACK_H +#define __LINUX_LSM_SMACK_H + +struct smack_known; + +struct lsmblob_smack { +#ifdef CONFIG_SECURITY_SMACK + struct smack_known *skp; +#endif +}; + +#endif /* ! __LINUX_LSM_SMACK_H */ diff --git a/include/linux/security.h b/include/linux/security.h index 4790508818ee..d4103b6cd3fc 100644 --- a/include/linux/security.h +++ b/include/linux/security.h @@ -33,6 +33,10 @@ #include #include #include +#include +#include +#include +#include struct linux_binprm; struct cred; 
@@ -139,6 +143,22 @@ enum lockdown_reason { LOCKDOWN_CONFIDENTIALITY_MAX, }; +/* stacking scaffolding */ +struct lsmblob_scaffold { + u32 secid; +}; + +/* + * Data exported by the security modules + */ +struct lsmblob { + struct lsmblob_selinux selinux; + struct lsmblob_smack smack; + struct lsmblob_apparmor apparmor; + struct lsmblob_bpf bpf; + struct lsmblob_scaffold scaffold; +}; + extern const char *const lockdown_reasons[LOCKDOWN_CONFIDENTIALITY_MAX+1]; extern u32 lsm_active_cnt; extern const struct lsm_id *lsm_idlist[];
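Review bot: The include/linux/lsm/apparmor.h hunk's header comment says AppArmor presents a single u32 value known as a secid, but the member it declares is `struct aa_label *label`; fix the comment to match, and because struct lsmblob is copied by value into the audit and networking paths, document who holds the aa_label reference (aa_get_label()/aa_put_label()) for as long as a blob containing the pointer is live.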
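Review bot: In the include/linux/security.h hunk the `/* stacking scaffolding */` comment on struct lsmblob_scaffold does not say what the u32 secid bridges or when it is expected to go away; a sentence such as `temporary: carries the legacy u32 secid until every caller uses the per-module members` would help reviewers of the later patches in this series judge which uses are transitional.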
From: Casey Schaufler
To: casey@schaufler-ca.com, paul@paul-moore.com, linux-security-module@vger.kernel.org
Cc: jmorris@namei.org, serge@hallyn.com, keescook@chromium.org, john.johansen@canonical.com, penguin-kernel@i-love.sakura.ne.jp, stephen.smalley.work@gmail.com, linux-kernel@vger.kernel.org, mic@digikod.net
Subject: [PATCH v39 04/42] IMA: avoid label collisions with stacked LSMs
Date: Fri, 15 Dec 2023 14:15:58 -0800
Message-ID: <20231215221636.105680-5-casey@schaufler-ca.com>
In-Reply-To: <20231215221636.105680-1-casey@schaufler-ca.com>
References: <20231215221636.105680-1-casey@schaufler-ca.com>

Integrity measurement may filter on security module information and
needs to be clear, in the case of multiple active security modules,
which applies. Provide a boot option ima_rules_lsm= to allow the user
to specify an active security module to apply filters to. If not
specified, use the first registered module that supports the
audit_rule_match() LSM hook. Allow the user to specify in the IMA
policy an lsm= option to specify the security module to use for a
particular rule.

This requires adding the LSM of interest as a parameter to three of
the audit hooks.

Signed-off-by: Casey Schaufler
To: Mimi Zohar
To: linux-integrity@vger.kernel.org
To: audit@vger.kernel.org
---
 Documentation/ABI/testing/ima_policy |  8 +++-
 include/linux/lsm_hook_defs.h        |  7 +--
 include/linux/security.h             | 26 +++++++---
 security/apparmor/audit.c            | 15 ++++--
 security/apparmor/include/audit.h    |  7 +--
 security/integrity/ima/ima_policy.c  | 71 ++++++++++++++++++++++++----
 security/security.c                  | 64 +++++++++++++++++++++----
 security/selinux/include/audit.h     | 10 ++--
 security/selinux/ss/services.c       | 15 ++++--
 security/smack/smack_lsm.c           | 12 ++++-
 10 files changed, 192 insertions(+), 43 deletions(-)
diff --git a/Documentation/ABI/testing/ima_policy b/Documentation/ABI/testing/ima_policy index c2385183826c..a59291b97c24 100644 --- a/Documentation/ABI/testing/ima_policy +++ b/Documentation/ABI/testing/ima_policy @@ -26,7 +26,7 @@ Description: [uid=] [euid=] [gid=] [egid=] [fowner=] [fgroup=]] lsm: [[subj_user=] [subj_role=] [subj_type=] - [obj_user=] [obj_role=] [obj_type=]] + [obj_user=] [obj_role=] [obj_type=] [lsm=]] option: [digest_type=] [template=] [permit_directio] [appraise_type=] [appraise_flag=] [appraise_algos=] [keyrings=] @@ -138,6 +138,12 @@ Description: measure subj_user=_ func=FILE_CHECK mask=MAY_READ + It is possible to explicitly specify which security + module a rule applies to using lsm=. If the security + module specified is not active on the system the rule + will be rejected. If lsm= is not specified the first + security module registered on the system will be assumed. + Example of measure rules using alternate PCRs:: measure func=KEXEC_KERNEL_CHECK pcr=4 diff --git a/include/linux/lsm_hook_defs.h b/include/linux/lsm_hook_defs.h index c925a0d26edf..2159013890aa 100644 --- a/include/linux/lsm_hook_defs.h +++ b/include/linux/lsm_hook_defs.h @@ -392,10 +392,11 @@ LSM_HOOK(int, 0, key_getsecurity, struct key *key, char **buffer) #ifdef CONFIG_AUDIT LSM_HOOK(int, 0, audit_rule_init, u32 field, u32 op, char *rulestr, - void **lsmrule) + void **lsmrule, int lsmid) LSM_HOOK(int, 0, audit_rule_known, struct audit_krule *krule) -LSM_HOOK(int, 0, audit_rule_match, u32 secid, u32 field, u32 op, void *lsmrule) -LSM_HOOK(void, LSM_RET_VOID, audit_rule_free, void *lsmrule) +LSM_HOOK(int, 0, audit_rule_match, u32 secid, u32 field, u32 op, void *lsmrule, + int lsmid) +LSM_HOOK(void, LSM_RET_VOID, audit_rule_free, void *lsmrule, int lsmid) #endif /* CONFIG_AUDIT */ #ifdef CONFIG_BPF_SYSCALL diff --git a/include/linux/security.h b/include/linux/security.h index d4103b6cd3fc..2320ed78c4de 100644 --- a/include/linux/security.h +++ b/include/linux/security.h 
@@ -286,6 +286,8 @@ int unregister_blocking_lsm_notifier(struct notifier_block *nb); extern int security_init(void); extern int early_security_init(void); extern u64 lsm_name_to_attr(const char *name); +extern u64 lsm_name_to_id(const char *name); +extern const char *lsm_id_to_name(u64 id); /* Security operations */ int security_binder_set_context_mgr(const struct cred *mgr); @@ -536,6 +538,16 @@ static inline u64 lsm_name_to_attr(const char *name) return LSM_ATTR_UNDEF; } +static inline u64 lsm_name_to_id(const char *name) +{ + return LSM_ID_UNDEF; +} + +static inline const char *lsm_id_to_name(u64 id) +{ + return NULL; +} + static inline void security_free_mnt_opts(void **mnt_opts) { } @@ -2030,25 +2042,27 @@ static inline void security_audit_rule_free(void *lsmrule) #endif /* CONFIG_AUDIT */ #if defined(CONFIG_IMA_LSM_RULES) && defined(CONFIG_SECURITY) -int ima_filter_rule_init(u32 field, u32 op, char *rulestr, void **lsmrule); -int ima_filter_rule_match(u32 secid, u32 field, u32 op, void *lsmrule); -void ima_filter_rule_free(void *lsmrule); +int ima_filter_rule_init(u32 field, u32 op, char *rulestr, void **lsmrule, + int lsmid); +int ima_filter_rule_match(u32 secid, u32 field, u32 op, void *lsmrule, + int lsmid); +void ima_filter_rule_free(void *lsmrule, int lsmid); #else static inline int ima_filter_rule_init(u32 field, u32 op, char *rulestr, - void **lsmrule) + void **lsmrule, int lsmid) { return 0; } static inline int ima_filter_rule_match(u32 secid, u32 field, u32 op, - void *lsmrule) + void *lsmrule, int lsmid) { return 0; } -static inline void ima_filter_rule_free(void *lsmrule) +static inline void ima_filter_rule_free(void *lsmrule, int lsmid) { } #endif /* defined(CONFIG_IMA_LSM_RULES) && defined(CONFIG_SECURITY) */ diff --git a/security/apparmor/audit.c b/security/apparmor/audit.c index 45beb1c5f747..0a9f0019355a 100644 --- a/security/apparmor/audit.c +++ b/security/apparmor/audit.c 
@@ -206,10 +206,12 @@ struct aa_audit_rule { struct aa_label *label; }; -void aa_audit_rule_free(void *vrule) +void aa_audit_rule_free(void *vrule, int lsmid) { struct aa_audit_rule *rule = vrule; + if (lsmid != LSM_ID_UNDEF || lsmid != LSM_ID_APPARMOR) + return; if (rule) { if (!IS_ERR(rule->label)) aa_put_label(rule->label); @@ -217,10 +219,13 @@ void aa_audit_rule_free(void *vrule) } } -int aa_audit_rule_init(u32 field, u32 op, char *rulestr, void **vrule) +int aa_audit_rule_init(u32 field, u32 op, char *rulestr, void **vrule, + int lsmid) { struct aa_audit_rule *rule; + if (lsmid != LSM_ID_UNDEF || lsmid != LSM_ID_APPARMOR) + return 0; switch (field) { case AUDIT_SUBJ_ROLE: if (op != Audit_equal && op != Audit_not_equal) @@ -240,7 +245,7 @@ int aa_audit_rule_init(u32 field, u32 op, char *rulestr, void **vrule) GFP_KERNEL, true, false); if (IS_ERR(rule->label)) { int err = PTR_ERR(rule->label); - aa_audit_rule_free(rule); + aa_audit_rule_free(rule, LSM_ID_APPARMOR); return err; } @@ -264,12 +269,14 @@ int aa_audit_rule_known(struct audit_krule *rule) return 0; } -int aa_audit_rule_match(u32 sid, u32 field, u32 op, void *vrule) +int aa_audit_rule_match(u32 sid, u32 field, u32 op, void *vrule, int lsmid) { struct aa_audit_rule *rule = vrule; struct aa_label *label; int found = 0; + if (lsmid != LSM_ID_UNDEF || lsmid != LSM_ID_APPARMOR) + return 0; label = aa_secid_to_label(sid); if (!label) diff --git a/security/apparmor/include/audit.h b/security/apparmor/include/audit.h index acbb03b9bd25..a75c45dd059f 100644 --- a/security/apparmor/include/audit.h +++ b/security/apparmor/include/audit.h 
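Review bot: the guard added to aa_audit_rule_free(), aa_audit_rule_init() and aa_audit_rule_match() in the security/apparmor/audit.c hunks, `if (lsmid != LSM_ID_UNDEF || lsmid != LSM_ID_APPARMOR)`, is true for every value of lsmid, since no value can equal both constants. As a result aa_audit_rule_free() returns before aa_put_label() and the kfree of the rule (leaking both, including from the error path in aa_audit_rule_init() that now calls it with LSM_ID_APPARMOR), aa_audit_rule_init() always returns 0 without creating a rule, and aa_audit_rule_match() never matches. The intended condition is `lsmid != LSM_ID_UNDEF && lsmid != LSM_ID_APPARMOR`.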
@@ -199,9 +199,10 @@ static inline int complain_error(int error) return error; } -void aa_audit_rule_free(void *vrule); -int aa_audit_rule_init(u32 field, u32 op, char *rulestr, void **vrule); +void aa_audit_rule_free(void *vrule, int lsmid); +int aa_audit_rule_init(u32 field, u32 op, char *rulestr, void **vrule, + int lsmid); int aa_audit_rule_known(struct audit_krule *rule); -int aa_audit_rule_match(u32 sid, u32 field, u32 op, void *vrule); +int aa_audit_rule_match(u32 sid, u32 field, u32 op, void *vrule, int lsmid); #endif /* __AA_AUDIT_H */ diff --git a/security/integrity/ima/ima_policy.c b/security/integrity/ima/ima_policy.c index f69062617754..a563e0478cc6 100644 --- a/security/integrity/ima/ima_policy.c +++ b/security/integrity/ima/ima_policy.c @@ -117,6 +117,8 @@ struct ima_rule_entry { void *rule; /* LSM file metadata specific */ char *args_p; /* audit value */ int type; /* audit type */ + int lsm_id; /* which LSM rule applies to */ + bool lsm_specific; /* true if lsm is specified */ } lsm[MAX_LSM_RULES]; char *fsname; struct ima_rule_opt_list *keyrings; /* Measure keys added to these keyrings */ @@ -309,6 +311,25 @@ static int __init default_appraise_policy_setup(char *str) } __setup("ima_appraise_tcb", default_appraise_policy_setup); +static int default_rules_lsm __ro_after_init = LSM_ID_UNDEF; + +static int __init ima_rules_lsm_init(char *str) +{ + int newdrl; + + newdrl = lsm_name_to_id(str); + if (newdrl >= 0) { + default_rules_lsm = newdrl; + return 1; + } + + pr_err("default ima rule lsm \"%s\" not registered, value unchanged.", + str); + + return 1; +} +__setup("ima_rules_lsm=", ima_rules_lsm_init); + static struct ima_rule_opt_list *ima_alloc_rule_opt_list(const substring_t *src) { struct ima_rule_opt_list *opt_list; 
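Review bot: in the ima_rules_lsm_init() hunk the failure test `if (newdrl >= 0)` cannot distinguish success from failure: lsm_name_to_id() (see the security.c hunk) returns u64 and reports an unknown name by returning LSM_ID_UNDEF, not a negative errno, so an unrecognised ima_rules_lsm= value silently leaves default_rules_lsm at LSM_ID_UNDEF and the pr_err() is unreachable. Compare the result against LSM_ID_UNDEF instead, and settle on one type for LSM ids (lsm_name_to_id() returns u64, while default_rules_lsm, the new lsm_id member and every `int lsmid` hook parameter are int). The pr_err() format should also end with "\n".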
@@ -380,7 +401,8 @@ static void ima_lsm_free_rule(struct ima_rule_entry *entry) int i; for (i = 0; i < MAX_LSM_RULES; i++) { - ima_filter_rule_free(entry->lsm[i].rule); + ima_filter_rule_free(entry->lsm[i].rule, + entry->lsm[i].lsm_id); kfree(entry->lsm[i].args_p); } } @@ -425,7 +447,8 @@ static struct ima_rule_entry *ima_lsm_copy_rule(struct ima_rule_entry *entry) ima_filter_rule_init(nentry->lsm[i].type, Audit_equal, nentry->lsm[i].args_p, - &nentry->lsm[i].rule); + &nentry->lsm[i].rule, + entry->lsm[i].lsm_id); if (!nentry->lsm[i].rule) pr_warn("rule for LSM \'%s\' is undefined\n", nentry->lsm[i].args_p); @@ -451,7 +474,8 @@ static int ima_lsm_update_rule(struct ima_rule_entry *entry) * be owned by nentry. */ for (i = 0; i < MAX_LSM_RULES; i++) - ima_filter_rule_free(entry->lsm[i].rule); + ima_filter_rule_free(entry->lsm[i].rule, + entry->lsm[i].lsm_id); kfree(entry); return 0; @@ -650,14 +674,16 @@ static bool ima_match_rules(struct ima_rule_entry *rule, security_inode_getsecid(inode, &osid); rc = ima_filter_rule_match(osid, lsm_rule->lsm[i].type, Audit_equal, - lsm_rule->lsm[i].rule); + lsm_rule->lsm[i].rule, + lsm_rule->lsm[i].lsm_id); break; case LSM_SUBJ_USER: case LSM_SUBJ_ROLE: case LSM_SUBJ_TYPE: rc = ima_filter_rule_match(secid, lsm_rule->lsm[i].type, Audit_equal, - lsm_rule->lsm[i].rule); + lsm_rule->lsm[i].rule, + lsm_rule->lsm[i].lsm_id); break; default: break; @@ -680,7 +706,8 @@ static bool ima_match_rules(struct ima_rule_entry *rule, out: if (rule_reinitialized) { for (i = 0; i < MAX_LSM_RULES; i++) - ima_filter_rule_free(lsm_rule->lsm[i].rule); + ima_filter_rule_free(lsm_rule->lsm[i].rule, + lsm_rule->lsm[i].lsm_id); kfree(lsm_rule); } return result; @@ -1073,7 +1100,7 @@ enum policy_opt { Opt_digest_type, Opt_appraise_type, Opt_appraise_flag, Opt_appraise_algos, Opt_permit_directio, Opt_pcr, Opt_template, Opt_keyrings, - Opt_label, Opt_err + Opt_lsm, Opt_label, Opt_err }; static const match_table_t policy_tokens = { 
@@ -1121,6 +1148,7 @@ static const match_table_t policy_tokens = { {Opt_pcr, "pcr=%s"}, {Opt_template, "template=%s"}, {Opt_keyrings, "keyrings=%s"}, + {Opt_lsm, "lsm=%s"}, {Opt_label, "label=%s"}, {Opt_err, NULL} }; @@ -1140,7 +1168,8 @@ static int ima_lsm_rule_init(struct ima_rule_entry *entry, entry->lsm[lsm_rule].type = audit_type; result = ima_filter_rule_init(entry->lsm[lsm_rule].type, Audit_equal, entry->lsm[lsm_rule].args_p, - &entry->lsm[lsm_rule].rule); + &entry->lsm[lsm_rule].rule, + entry->lsm[lsm_rule].lsm_id); if (!entry->lsm[lsm_rule].rule) { pr_warn("rule for LSM \'%s\' is undefined\n", entry->lsm[lsm_rule].args_p); @@ -1878,6 +1907,23 @@ static int ima_parse_rule(char *rule, struct ima_rule_entry *entry) &(template_desc->num_fields)); entry->template = template_desc; break; + case Opt_lsm: { + int i; + + result = lsm_name_to_id(args[0].from); + if (result < 0) { + for (i = 0; i < MAX_LSM_RULES; i++) + entry->lsm[i].args_p = NULL; + result = -EINVAL; + break; + } + for (i = 0; i < MAX_LSM_RULES; i++) { + entry->lsm[i].lsm_id = result; + entry->lsm[i].lsm_specific = true; + } + result = 0; + break; + } case Opt_err: ima_log_string(ab, "UNKNOWN", p); result = -EINVAL; @@ -1923,6 +1969,7 @@ ssize_t ima_parse_add_rule(char *rule) struct ima_rule_entry *entry; ssize_t result, len; int audit_info = 0; + int i; p = strsep(&rule, "\n"); len = strlen(p) + 1; @@ -1940,6 +1987,11 @@ ssize_t ima_parse_add_rule(char *rule) INIT_LIST_HEAD(&entry->list); + for (i = 0; i < MAX_LSM_RULES; i++) { + entry->lsm[i].lsm_id = default_rules_lsm; + entry->lsm[i].lsm_specific = false; + } + result = ima_parse_rule(p, entry); if (result) { ima_free_rule(entry); @@ -2251,6 +2303,9 @@ int ima_policy_show(struct seq_file *m, void *v) entry->lsm[i].args_p); break; } + if (entry->lsm[i].lsm_specific) + seq_printf(m, pt(Opt_lsm), + lsm_id_to_name(entry->lsm[i].lsm_id)); seq_puts(m, " "); } } 
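Review bot: the Opt_lsm case in the ima_parse_rule() hunk has the same dead error check: `result = lsm_name_to_id(args[0].from); if (result < 0)` never takes the error branch because lsm_name_to_id() signals failure with LSM_ID_UNDEF, so an unknown lsm= name is accepted and the rule's lsm_id becomes LSM_ID_UNDEF, contradicting the ABI text that says such a rule is rejected. Two further points on this hunk: lsm_id is consumed by ima_lsm_rule_init() at the moment a subj_*=/obj_*= option is parsed (the @@ -1140 hunk passes entry->lsm[lsm_rule].lsm_id into ima_filter_rule_init()), so lsm= only takes effect when it precedes those options in the rule string, which should either be documented or enforced by rejecting lsm= once any entry->lsm[i].rule is already set; and the error path sets every entry->lsm[i].args_p to NULL, which drops strings already allocated for earlier options so that ima_lsm_free_rule() can no longer kfree() them.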
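Review bot: in the ima_policy_show() hunk the new `seq_printf(m, pt(Opt_lsm), ...)` is emitted straight after the switch that prints `subj_user=%s` and friends and before the existing `seq_puts(m, " ")`, so the policy reads back as `subj_type=<value>lsm=<name>` with no separator; and because it sits inside the `for (i = 0; i < MAX_LSM_RULES; i++)` loop, `lsm=` is repeated once per populated slot. Print a leading space (or move the `seq_puts(m, " ")` before it) and emit the lsm= token once per rule.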
diff --git a/security/security.c b/security/security.c index 0a51e3d23570..cdf9ee12b064 100644 --- a/security/security.c +++ b/security/security.c @@ -271,6 +271,46 @@ static void __init initialize_lsm(struct lsm_info *lsm) u32 lsm_active_cnt __ro_after_init; const struct lsm_id *lsm_idlist[LSM_CONFIG_COUNT]; +/** + * lsm_name_to_id - get the LSM ID for a registered LSM + * @name: the name of the LSM + * + * Returns the LSM ID associated with the named LSM or + * LSM_ID_UNDEF if the name isn't recongnized. + */ +u64 lsm_name_to_id(const char *name) +{ + int i; + + for (i = 0; i < LSM_CONFIG_COUNT; i++) { + if (!lsm_idlist[i]->name) + return LSM_ID_UNDEF; + if (!strcmp(name, lsm_idlist[i]->name)) + return lsm_idlist[i]->id; + } + return LSM_ID_UNDEF; +} + +/** + * lsm_id_to_name - get the LSM name for a registered LSM ID + * @id: the ID of the LSM + * + * Returns the LSM name associated with the LSM ID or + * NULL if the ID isn't recongnized. + */ +const char *lsm_id_to_name(u64 id) +{ + int i; + + for (i = 0; i < LSM_CONFIG_COUNT; i++) { + if (!lsm_idlist[i]->name) + return NULL; + if (id == lsm_idlist[i]->id) + return lsm_idlist[i]->name; + } + return NULL; +} + /* Populate ordered LSMs list from comma-separated LSM name list. */ static void __init ordered_lsm_parse(const char *order, const char *origin) { @@ -5336,7 +5376,8 @@ int security_key_getsecurity(struct key *key, char **buffer) */ int security_audit_rule_init(u32 field, u32 op, char *rulestr, void **lsmrule) { - return call_int_hook(audit_rule_init, 0, field, op, rulestr, lsmrule); + return call_int_hook(audit_rule_init, 0, field, op, rulestr, lsmrule, + LSM_ID_UNDEF); } /** @@ -5362,7 +5403,7 @@ int security_audit_rule_known(struct audit_krule *krule) */ void security_audit_rule_free(void *lsmrule) { - call_void_hook(audit_rule_free, lsmrule); + call_void_hook(audit_rule_free, lsmrule, LSM_ID_UNDEF); } /** 
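Review bot: lsm_name_to_id() and lsm_id_to_name() in the security.c hunk iterate `i < LSM_CONFIG_COUNT` over lsm_idlist[], but only the first lsm_active_cnt entries are populated (both are declared in the context just above the hunk); an unpopulated slot of that global array is a NULL pointer, so `lsm_idlist[i]->name` dereferences NULL whenever the lookup falls off the end of the active list. Bound both loops by lsm_active_cnt and drop the `!lsm_idlist[i]->name` early return. Also "recongnized" in both kernel-doc comments should be "recognized".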
@@ -5380,7 +5421,8 @@ void security_audit_rule_free(void *lsmrule) */ int security_audit_rule_match(u32 secid, u32 field, u32 op, void *lsmrule) { - return call_int_hook(audit_rule_match, 0, secid, field, op, lsmrule); + return call_int_hook(audit_rule_match, 0, secid, field, op, lsmrule, + LSM_ID_UNDEF); } #endif /* CONFIG_AUDIT */ @@ -5389,19 +5431,23 @@ int security_audit_rule_match(u32 secid, u32 field, u32 op, void *lsmrule) * The integrity subsystem uses the same hooks as * the audit subsystem. */ -int ima_filter_rule_init(u32 field, u32 op, char *rulestr, void **lsmrule) +int ima_filter_rule_init(u32 field, u32 op, char *rulestr, void **lsmrule, + int lsmid) { - return call_int_hook(audit_rule_init, 0, field, op, rulestr, lsmrule); + return call_int_hook(audit_rule_init, 0, field, op, rulestr, lsmrule, + lsmid); } -void ima_filter_rule_free(void *lsmrule) +void ima_filter_rule_free(void *lsmrule, int lsmid) { - call_void_hook(audit_rule_free, lsmrule); + call_void_hook(audit_rule_free, lsmrule, lsmid); } -int ima_filter_rule_match(u32 secid, u32 field, u32 op, void *lsmrule) +int ima_filter_rule_match(u32 secid, u32 field, u32 op, void *lsmrule, + int lsmid) { - return call_int_hook(audit_rule_match, 0, secid, field, op, lsmrule); + return call_int_hook(audit_rule_match, 0, secid, field, op, lsmrule, + lsmid); } #endif /* CONFIG_IMA_LSM_RULES */ diff --git a/security/selinux/include/audit.h b/security/selinux/include/audit.h index d5495134a5b9..59468baf0c91 100644 --- a/security/selinux/include/audit.h +++ b/security/selinux/include/audit.h 
@@ -21,21 +21,24 @@ * @op: the operator the rule uses * @rulestr: the text "target" of the rule * @rule: pointer to the new rule structure returned via this + * @lsmid: the relevant LSM * * Returns 0 if successful, -errno if not. On success, the rule structure * will be allocated internally. The caller must free this structure with * selinux_audit_rule_free() after use. */ -int selinux_audit_rule_init(u32 field, u32 op, char *rulestr, void **rule); +int selinux_audit_rule_init(u32 field, u32 op, char *rulestr, void **rule, + int lsmid); /** * selinux_audit_rule_free - free an selinux audit rule structure. * @rule: pointer to the audit rule to be freed + * @lsmid: which LSM this rule relates to * * This will free all memory associated with the given rule. * If @rule is NULL, no operation is performed. */ -void selinux_audit_rule_free(void *rule); +void selinux_audit_rule_free(void *rule, int lsmid); /** * selinux_audit_rule_match - determine if a context ID matches a rule. @@ -43,11 +46,12 @@ void selinux_audit_rule_free(void *rule); * @field: the field this rule refers to * @op: the operator the rule uses * @rule: pointer to the audit rule to check against + * @lsmid: the relevant LSM * * Returns 1 if the context id matches the rule, 0 if it does not, and * -errno on failure. */ -int selinux_audit_rule_match(u32 sid, u32 field, u32 op, void *rule); +int selinux_audit_rule_match(u32 sid, u32 field, u32 op, void *rule, int lsmid); /** * selinux_audit_rule_known - check to see if rule contains selinux fields. diff --git a/security/selinux/ss/services.c b/security/selinux/ss/services.c index 1eeffc66ea7d..a9fe8d85acae 100644 --- a/security/selinux/ss/services.c +++ b/security/selinux/ss/services.c 
@@ -3487,17 +3487,20 @@ struct selinux_audit_rule { struct context au_ctxt; }; -void selinux_audit_rule_free(void *vrule) +void selinux_audit_rule_free(void *vrule, int lsmid) { struct selinux_audit_rule *rule = vrule; + if (lsmid != LSM_ID_UNDEF || lsmid != LSM_ID_SELINUX) + return; if (rule) { context_destroy(&rule->au_ctxt); kfree(rule); } } -int selinux_audit_rule_init(u32 field, u32 op, char *rulestr, void **vrule) +int selinux_audit_rule_init(u32 field, u32 op, char *rulestr, void **vrule, + int lsmid) { struct selinux_state *state = &selinux_state; struct selinux_policy *policy; @@ -3511,6 +3514,8 @@ int selinux_audit_rule_init(u32 field, u32 op, char *rulestr, void **vrule) *rule = NULL; + if (lsmid != LSM_ID_UNDEF || lsmid != LSM_ID_SELINUX) + return 0; if (!selinux_initialized()) return -EOPNOTSUPP; @@ -3592,7 +3597,7 @@ int selinux_audit_rule_init(u32 field, u32 op, char *rulestr, void **vrule) err: rcu_read_unlock(); - selinux_audit_rule_free(tmprule); + selinux_audit_rule_free(tmprule, LSM_ID_SELINUX); *rule = NULL; return rc; } @@ -3622,7 +3627,7 @@ int selinux_audit_rule_known(struct audit_krule *rule) return 0; } -int selinux_audit_rule_match(u32 sid, u32 field, u32 op, void *vrule) +int selinux_audit_rule_match(u32 sid, u32 field, u32 op, void *vrule, int lsmid) { struct selinux_state *state = &selinux_state; struct selinux_policy *policy; @@ -3631,6 +3636,8 @@ int selinux_audit_rule_match(u32 sid, u32 field, u32 op, void *vrule) struct selinux_audit_rule *rule = vrule; int match = 0; + if (lsmid != LSM_ID_UNDEF || lsmid != LSM_ID_SELINUX) + return 0; if (unlikely(!rule)) { WARN_ONCE(1, "selinux_audit_rule_match: missing rule\n"); return -ENOENT; diff --git a/security/smack/smack_lsm.c b/security/smack/smack_lsm.c index cd44f7f3f393..4342947f51d8 100644 --- a/security/smack/smack_lsm.c +++ b/security/smack/smack_lsm.c 
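Review bot: the selinux_audit_rule_free(), selinux_audit_rule_init() and selinux_audit_rule_match() hunks repeat the inverted guard: `lsmid != LSM_ID_UNDEF || lsmid != LSM_ID_SELINUX` is always true, so with this patch SELinux never frees (context_destroy()/kfree() are skipped), never builds (rule_init returns 0 with *rule left NULL) and never matches an audit or IMA rule with subj_*/obj_* fields. Use `&&`.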
@@ -4672,16 +4672,20 @@ static int smack_post_notification(const struct cred *w_cred, * @op: required testing operator (=, !=, >, <, ...) * @rulestr: smack label to be audited * @vrule: pointer to save our own audit rule representation + * @lsmid: the relevant LSM * * Prepare to audit cases where (@field @op @rulestr) is true. * The label to be audited is created if necessay. */ -static int smack_audit_rule_init(u32 field, u32 op, char *rulestr, void **vrule) +static int smack_audit_rule_init(u32 field, u32 op, char *rulestr, void **vrule, + int lsmid) { struct smack_known *skp; char **rule = (char **)vrule; *rule = NULL; + if (lsmid != LSM_ID_UNDEF || lsmid != LSM_ID_SMACK) + return 0; if (field != AUDIT_SUBJ_USER && field != AUDIT_OBJ_USER) return -EINVAL; 
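Review bot: the smack_audit_rule_init() hunk (and the smack_audit_rule_match() hunk that follows it) carries the same always-true guard, `lsmid != LSM_ID_UNDEF || lsmid != LSM_ID_SMACK`, so both functions return 0 unconditionally; write it as `&&`. Since the identical mistake appears in AppArmor, SELinux and Smack, a single static inline in security.h that returns true when lsmid is LSM_ID_UNDEF or equals the module's id would remove the copy-paste risk and make the call sites read as `if (!lsm_id_matches(lsmid, LSM_ID_SMACK)) return 0;` (name as a suggestion).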
@@ -4726,15 +4730,19 @@ static int smack_audit_rule_known(struct audit_krule *krule) * @field: audit rule flags given from user-space * @op: required testing operator * @vrule: smack internal rule presentation + * @lsmid: the relevant LSM * * The core Audit hook. It's used to take the decision of * whether to audit or not to audit a given object. */ -static int smack_audit_rule_match(u32 secid, u32 field, u32 op, void *vrule) +static int smack_audit_rule_match(u32 secid, u32 field, u32 op, void *vrule, + int lsmid) { struct smack_known *skp; char *rule = vrule; + if (lsmid != LSM_ID_UNDEF || lsmid != LSM_ID_SMACK) + return 0; if (unlikely(!rule)) { WARN_ONCE(1, "Smack: missing rule\n"); return -ENOENT;

From patchwork Fri Dec 15 22:15:59 2023
X-Patchwork-Submitter: Casey Schaufler
X-Patchwork-Id: 13495118
X-Patchwork-Delegate: paul@paul-moore.com
From: Casey Schaufler
To: casey@schaufler-ca.com, paul@paul-moore.com, linux-security-module@vger.kernel.org
Cc: jmorris@namei.org, serge@hallyn.com, keescook@chromium.org, john.johansen@canonical.com, penguin-kernel@i-love.sakura.ne.jp, stephen.smalley.work@gmail.com, linux-kernel@vger.kernel.org, mic@digikod.net, linux-audit@redhat.com
Subject: [PATCH v39 05/42] LSM: Use lsmblob in security_audit_rule_match
Date: Fri, 15 Dec 2023 14:15:59 -0800
Message-ID: <20231215221636.105680-6-casey@schaufler-ca.com>
X-Mailer: git-send-email 2.43.0
In-Reply-To: <20231215221636.105680-1-casey@schaufler-ca.com>
References: <20231215221636.105680-1-casey@schaufler-ca.com>
X-Mailing-List: linux-security-module@vger.kernel.org

Change the secid parameter of security_audit_rule_match to an lsmblob structure pointer. Pass the entry from the lsmblob structure for the appropriate slot to the LSM hook.

Change the users of security_audit_rule_match to use the lsmblob instead of a u32. The scaffolding function lsmblob_init() fills the blob with the value of the old secid, ensuring that it is available to the appropriate module hook.

The sources of the secid, security_task_getsecid() and security_inode_getsecid(), will be converted to use the blob structure later in the series. At that point the use of lsmblob_init() is dropped.
Signed-off-by: Casey Schaufler Acked-by: Paul Moore Reviewed-by: John Johansen Cc: linux-audit@redhat.com --- include/linux/lsm_hook_defs.h | 4 ++-- include/linux/security.h | 13 +++++++------ kernel/auditfilter.c | 10 +++++++--- kernel/auditsc.c | 18 ++++++++++++++---- security/apparmor/audit.c | 10 ++++++++-- security/apparmor/include/audit.h | 3 ++- security/integrity/ima/ima_policy.c | 11 +++++++---- security/security.c | 12 ++++++------ security/selinux/include/audit.h | 5 +++-- security/selinux/ss/services.c | 11 ++++++++--- security/smack/smack_lsm.c | 12 ++++++++---- 11 files changed, 72 insertions(+), 37 deletions(-) diff --git a/include/linux/lsm_hook_defs.h b/include/linux/lsm_hook_defs.h index 2159013890aa..24c588b87412 100644 --- a/include/linux/lsm_hook_defs.h +++ b/include/linux/lsm_hook_defs.h @@ -394,8 +394,8 @@ LSM_HOOK(int, 0, key_getsecurity, struct key *key, char **buffer) LSM_HOOK(int, 0, audit_rule_init, u32 field, u32 op, char *rulestr, void **lsmrule, int lsmid) LSM_HOOK(int, 0, audit_rule_known, struct audit_krule *krule) -LSM_HOOK(int, 0, audit_rule_match, u32 secid, u32 field, u32 op, void *lsmrule, - int lsmid) +LSM_HOOK(int, 0, audit_rule_match, struct lsmblob *blob, u32 field, u32 op, + void *lsmrule, int lsmid) LSM_HOOK(void, LSM_RET_VOID, audit_rule_free, void *lsmrule, int lsmid) #endif /* CONFIG_AUDIT */ diff --git a/include/linux/security.h b/include/linux/security.h index 2320ed78c4de..6ded4f04f117 100644 --- a/include/linux/security.h +++ b/include/linux/security.h 
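Review bot: the commit message describes a scaffolding function lsmblob_init() that fills the blob from the old secid, but no hunk in this patch calls it; every converted caller assigns `blob.scaffold.secid` directly under a `/* stacking scaffolding */` comment. Either the message should be updated to describe the direct assignment, or the callers should go through the helper the message promises, so that the later clean-up the message refers to ("the use of lsmblob_init() is dropped") has something to remove.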
@@ -2013,7 +2013,8 @@ static inline int security_key_getsecurity(struct key *key, char **_buffer) #ifdef CONFIG_SECURITY int security_audit_rule_init(u32 field, u32 op, char *rulestr, void **lsmrule); int security_audit_rule_known(struct audit_krule *krule); -int security_audit_rule_match(u32 secid, u32 field, u32 op, void *lsmrule); +int security_audit_rule_match(struct lsmblob *blob, u32 field, u32 op, + void *lsmrule); void security_audit_rule_free(void *lsmrule); #else @@ -2029,8 +2030,8 @@ static inline int security_audit_rule_known(struct audit_krule *krule) return 0; } -static inline int security_audit_rule_match(u32 secid, u32 field, u32 op, - void *lsmrule) +static inline int security_audit_rule_match(struct lsmblob *blob, u32 field, + u32 op, void *lsmrule) { return 0; } @@ -2044,8 +2045,8 @@ static inline void security_audit_rule_free(void *lsmrule) #if defined(CONFIG_IMA_LSM_RULES) && defined(CONFIG_SECURITY) int ima_filter_rule_init(u32 field, u32 op, char *rulestr, void **lsmrule, int lsmid); -int ima_filter_rule_match(u32 secid, u32 field, u32 op, void *lsmrule, - int lsmid); +int ima_filter_rule_match(struct lsmblob *blob, u32 field, u32 op, + void *lsmrule, int lsmid); void ima_filter_rule_free(void *lsmrule, int lsmid); #else @@ -2056,7 +2057,7 @@ static inline int ima_filter_rule_init(u32 field, u32 op, char *rulestr, return 0; } -static inline int ima_filter_rule_match(u32 secid, u32 field, u32 op, +static inline int ima_filter_rule_match(struct lsmblob *blob, u32 field, u32 op, void *lsmrule, int lsmid) { return 0; diff --git a/kernel/auditfilter.c b/kernel/auditfilter.c index 8317a37dea0b..0a6a1c4c3507 100644 --- a/kernel/auditfilter.c +++ b/kernel/auditfilter.c @@ -1338,6 +1338,7 @@ int audit_filter(int msgtype, unsigned int listtype) for (i = 0; i < e->rule.field_count; i++) { struct audit_field *f = &e->rule.fields[i]; + struct lsmblob blob = { }; pid_t pid; u32 sid; 
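Review bot: once the @@ -1369 hunk in kernel/auditfilter.c redirects the only `security_current_getsecid_subj(&sid)` call in audit_filter() into `blob.scaffold.secid`, the `u32 sid;` declaration kept as context in the @@ -1338 hunk has no remaining user and will produce an unused-variable warning; remove it at the same time the `struct lsmblob blob = { };` declaration is added.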
@@ -1369,9 +1370,12 @@ int audit_filter(int msgtype, unsigned int listtype) case AUDIT_SUBJ_SEN: case AUDIT_SUBJ_CLR: if (f->lsm_rule) { - security_current_getsecid_subj(&sid); - result = security_audit_rule_match(sid, - f->type, f->op, f->lsm_rule); + /* stacking scaffolding */ + security_current_getsecid_subj( + &blob.scaffold.secid); + result = security_audit_rule_match( + &blob, f->type, f->op, + f->lsm_rule); } break; case AUDIT_EXE: diff --git a/kernel/auditsc.c b/kernel/auditsc.c index 6f0d6fb6523f..fb001300f0c2 100644 --- a/kernel/auditsc.c +++ b/kernel/auditsc.c @@ -471,6 +471,7 @@ static int audit_filter_rules(struct task_struct *tsk, const struct cred *cred; int i, need_sid = 1; u32 sid; + struct lsmblob blob = { }; unsigned int sessionid; if (ctx && rule->prio <= ctx->prio) @@ -681,7 +682,10 @@ static int audit_filter_rules(struct task_struct *tsk, security_current_getsecid_subj(&sid); need_sid = 0; } - result = security_audit_rule_match(sid, f->type, + /* stacking scaffolding */ + blob.scaffold.secid = sid; + result = security_audit_rule_match(&blob, + f->type, f->op, f->lsm_rule); } @@ -696,15 +700,19 @@ static int audit_filter_rules(struct task_struct *tsk, if (f->lsm_rule) { /* Find files that match */ if (name) { + /* stacking scaffolding */ + blob.scaffold.secid = name->osid; result = security_audit_rule_match( - name->osid, + &blob, f->type, f->op, f->lsm_rule); } else if (ctx) { list_for_each_entry(n, &ctx->names_list, list) { + /* stacking scaffolding */ + blob.scaffold.secid = n->osid; if (security_audit_rule_match( - n->osid, + &blob, f->type, f->op, f->lsm_rule)) { @@ -716,7 +724,9 @@ static int audit_filter_rules(struct task_struct *tsk, /* Find ipc objects that match */ if (!ctx || ctx->type != AUDIT_IPC) break; - if (security_audit_rule_match(ctx->ipc.osid, + /* stacking scaffolding */ + blob.scaffold.secid = ctx->ipc.osid; + if (security_audit_rule_match(&blob, f->type, f->op, f->lsm_rule)) ++result; 
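Review bot: in the audit_filter_rules() hunks a single `struct lsmblob blob = { };` declared at the top of the function is reused for the subject check, for every entry of ctx->names_list and for the IPC object, and each use only overwrites blob.scaffold.secid. A hook that caches a per-module value in the blob (the selinux_audit_rule_match() hunk in this patch copies scaffold.secid into blob->selinux.secid only while that field is still zero) will therefore keep comparing against the first secid it saw, so object rules evaluated after a subject rule, and the second and later names in the list, match against the wrong SID. Re-initialise the blob (`blob = (struct lsmblob){ };`) before each `blob.scaffold.secid = ...` assignment, or declare it inside the per-field loop as the audit_filter() hunk does.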
diff --git a/security/apparmor/audit.c b/security/apparmor/audit.c index 0a9f0019355a..72c414d00ba6 100644 --- a/security/apparmor/audit.c +++ b/security/apparmor/audit.c @@ -269,7 +269,8 @@ int aa_audit_rule_known(struct audit_krule *rule) return 0; } -int aa_audit_rule_match(u32 sid, u32 field, u32 op, void *vrule, int lsmid) +int aa_audit_rule_match(struct lsmblob *blob, u32 field, u32 op, void *vrule, + int lsmid) { struct aa_audit_rule *rule = vrule; struct aa_label *label; @@ -277,7 +278,12 @@ int aa_audit_rule_match(u32 sid, u32 field, u32 op, void *vrule, int lsmid) if (lsmid != LSM_ID_UNDEF || lsmid != LSM_ID_APPARMOR) return 0; - label = aa_secid_to_label(sid); + + /* stacking scaffolding */ + if (!blob->apparmor.label && blob->scaffold.secid) + label = aa_secid_to_label(blob->scaffold.secid); + else + label = blob->apparmor.label; if (!label) return -ENOENT; diff --git a/security/apparmor/include/audit.h b/security/apparmor/include/audit.h index a75c45dd059f..ae3fc4089b00 100644 --- a/security/apparmor/include/audit.h +++ b/security/apparmor/include/audit.h @@ -203,6 +203,7 @@ void aa_audit_rule_free(void *vrule, int lsmid); int aa_audit_rule_init(u32 field, u32 op, char *rulestr, void **vrule, int lsmid); int aa_audit_rule_known(struct audit_krule *rule); -int aa_audit_rule_match(u32 sid, u32 field, u32 op, void *vrule, int lsmid); +int aa_audit_rule_match(struct lsmblob *blob, u32 field, u32 op, void *vrule, + int lsmid); #endif /* __AA_AUDIT_H */ diff --git a/security/integrity/ima/ima_policy.c b/security/integrity/ima/ima_policy.c index a563e0478cc6..d24205aa1beb 100644 --- a/security/integrity/ima/ima_policy.c +++ b/security/integrity/ima/ima_policy.c @@ -657,7 +657,7 @@ static bool ima_match_rules(struct ima_rule_entry *rule, return false; for (i = 0; i < MAX_LSM_RULES; i++) { int rc = 0; - u32 osid; + struct lsmblob blob = { }; if (!lsm_rule->lsm[i].rule) { if (!lsm_rule->lsm[i].args_p) 
@@ -671,8 +671,9 @@ static bool ima_match_rules(struct ima_rule_entry *rule, case LSM_OBJ_USER: case LSM_OBJ_ROLE: case LSM_OBJ_TYPE: - security_inode_getsecid(inode, &osid); - rc = ima_filter_rule_match(osid, lsm_rule->lsm[i].type, + /* stacking scaffolding */ + security_inode_getsecid(inode, &blob.scaffold.secid); + rc = ima_filter_rule_match(&blob, lsm_rule->lsm[i].type, Audit_equal, lsm_rule->lsm[i].rule, lsm_rule->lsm[i].lsm_id); @@ -680,7 +681,9 @@ static bool ima_match_rules(struct ima_rule_entry *rule, case LSM_SUBJ_USER: case LSM_SUBJ_ROLE: case LSM_SUBJ_TYPE: - rc = ima_filter_rule_match(secid, lsm_rule->lsm[i].type, + /* stacking scaffolding */ + blob.scaffold.secid = secid; + rc = ima_filter_rule_match(&blob, lsm_rule->lsm[i].type, Audit_equal, lsm_rule->lsm[i].rule, lsm_rule->lsm[i].lsm_id); diff --git a/security/security.c b/security/security.c index cdf9ee12b064..b3d150b6248e 100644 --- a/security/security.c +++ b/security/security.c @@ -5408,7 +5408,7 @@ void security_audit_rule_free(void *lsmrule) /** * security_audit_rule_match() - Check if a label matches an audit rule - * @secid: security label + * @lsmblob: security label * @field: LSM audit field * @op: matching operator * @lsmrule: audit rule @@ -5419,9 +5419,9 @@ void security_audit_rule_free(void *lsmrule) * Return: Returns 1 if secid matches the rule, 0 if it does not, -ERRNO on * failure. */ -int security_audit_rule_match(u32 secid, u32 field, u32 op, void *lsmrule) +int security_audit_rule_match(struct lsmblob *blob, u32 field, u32 op, void *lsmrule) { - return call_int_hook(audit_rule_match, 0, secid, field, op, lsmrule, + return call_int_hook(audit_rule_match, 0, blob, field, op, lsmrule, LSM_ID_UNDEF); } #endif /* CONFIG_AUDIT */ 
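Review bot: the kernel-doc in the security_audit_rule_match() hunk now says `@lsmblob: security label` while the parameter is named `blob`, which kernel-doc flags as a mismatch; rename it to `@blob:` and update the Return: line, which still says "if secid matches the rule". The new prototype line `int security_audit_rule_match(struct lsmblob *blob, u32 field, u32 op, void *lsmrule)` also exceeds 80 columns; wrap it the way the corresponding declaration in security.h is wrapped in this patch.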
@@ -5443,10 +5443,10 @@ void ima_filter_rule_free(void *lsmrule, int lsmid) call_void_hook(audit_rule_free, lsmrule, lsmid); } -int ima_filter_rule_match(u32 secid, u32 field, u32 op, void *lsmrule, - int lsmid) +int ima_filter_rule_match(struct lsmblob *blob, u32 field, u32 op, + void *lsmrule, int lsmid) { - return call_int_hook(audit_rule_match, 0, secid, field, op, lsmrule, + return call_int_hook(audit_rule_match, 0, blob, field, op, lsmrule, lsmid); } #endif /* CONFIG_IMA_LSM_RULES */ diff --git a/security/selinux/include/audit.h b/security/selinux/include/audit.h index 59468baf0c91..61a396c9d9ae 100644 --- a/security/selinux/include/audit.h +++ b/security/selinux/include/audit.h @@ -42,7 +42,7 @@ void selinux_audit_rule_free(void *rule, int lsmid); /** * selinux_audit_rule_match - determine if a context ID matches a rule. - * @sid: the context ID to check + * @blob: includes the context ID to check * @field: the field this rule refers to * @op: the operator the rule uses * @rule: pointer to the audit rule to check against @@ -51,7 +51,8 @@ void selinux_audit_rule_free(void *rule, int lsmid); * Returns 1 if the context id matches the rule, 0 if it does not, and * -errno on failure. */ -int selinux_audit_rule_match(u32 sid, u32 field, u32 op, void *rule, int lsmid); +int selinux_audit_rule_match(struct lsmblob *blob, u32 field, u32 op, + void *rule, int lsmid); /** * selinux_audit_rule_known - check to see if rule contains selinux fields. diff --git a/security/selinux/ss/services.c b/security/selinux/ss/services.c index a9fe8d85acae..eef6655f7730 100644 --- a/security/selinux/ss/services.c +++ b/security/selinux/ss/services.c 
@@ -3627,7 +3627,8 @@ int selinux_audit_rule_known(struct audit_krule *rule) return 0; } -int selinux_audit_rule_match(u32 sid, u32 field, u32 op, void *vrule, int lsmid) +int selinux_audit_rule_match(struct lsmblob *blob, u32 field, u32 op, + void *vrule, int lsmid) { struct selinux_state *state = &selinux_state; struct selinux_policy *policy; @@ -3655,10 +3656,14 @@ int selinux_audit_rule_match(u32 sid, u32 field, u32 op, void *vrule, int lsmid) goto out; } - ctxt = sidtab_search(policy->sidtab, sid); + /* stacking scaffolding */ + if (!blob->selinux.secid && blob->scaffold.secid) + blob->selinux.secid = blob->scaffold.secid; + + ctxt = sidtab_search(policy->sidtab, blob->selinux.secid); if (unlikely(!ctxt)) { WARN_ONCE(1, "selinux_audit_rule_match: unrecognized SID %d\n", - sid); + blob->selinux.secid); match = -ENOENT; goto out; } diff --git a/security/smack/smack_lsm.c b/security/smack/smack_lsm.c index 4342947f51d8..9851d56dff69 100644 --- a/security/smack/smack_lsm.c +++ b/security/smack/smack_lsm.c @@ -4726,7 +4726,7 @@ static int smack_audit_rule_known(struct audit_krule *krule) /** * smack_audit_rule_match - Audit given object ? - * @secid: security id for identifying the object to test + * @blob: security id for identifying the object to test * @field: audit rule flags given from user-space * @op: required testing operator * @vrule: smack internal rule presentation @@ -4735,8 +4735,8 @@ static int smack_audit_rule_known(struct audit_krule *krule) * The core Audit hook. It's used to take the decision of * whether to audit or not to audit a given object. */ -static int smack_audit_rule_match(u32 secid, u32 field, u32 op, void *vrule, - int lsmid) +static int smack_audit_rule_match(struct lsmblob *blob, u32 field, u32 op, + void *vrule, int lsmid) { struct smack_known *skp; char *rule = vrule; 
@@ -4751,7 +4751,11 @@ static int smack_audit_rule_match(u32 secid, u32 field, u32 op, void *vrule, if (field != AUDIT_SUBJ_USER && field != AUDIT_OBJ_USER) return 0; - skp = smack_from_secid(secid); + /* stacking scaffolding */ + if (!blob->smack.skp && blob->scaffold.secid) + skp = smack_from_secid(blob->scaffold.secid); + else + skp = blob->smack.skp; /* * No need to do string comparisons. If a match occurs,
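Review bot: in the security/apparmor/audit.c hunk at @@ -277, the unchanged guard just above the new scaffolding, `if (lsmid != LSM_ID_UNDEF || lsmid != LSM_ID_APPARMOR) return 0;`, is true for every value of lsmid (no value equals both constants), so aa_audit_rule_match() always returns 0 and the lsmblob lookup added here is unreachable. It is pre-existing context, but this series is the place to fix it: the test needs `lsmid != LSM_ID_UNDEF && lsmid != LSM_ID_APPARMOR`, otherwise the new code cannot be exercised.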
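Review bot: in the security/security.c hunk at @@ -5408, the kernel-doc line becomes `@lsmblob: security label` while the new prototype names the parameter `blob` (`int security_audit_rule_match(struct lsmblob *blob, ...)`), so kernel-doc will report a missing description for `blob` and an excess `lsmblob`; use `@blob:`. The unchanged "Return: Returns 1 if secid matches the rule" text in the @@ -5419 hunk could be updated to refer to the blob at the same time.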
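Review bot: in the security/selinux/ss/services.c hunk at @@ -3655, the scaffolding assigns `blob->selinux.secid = blob->scaffold.secid;` into the caller's structure, so a rule match mutates its input, whereas the AppArmor and Smack hunks in this patch resolve the scaffold secid into a local. A later patch in this series passes `&ctx->ipc.oblob` from audit_context straight into security_audit_rule_match(), at which point this write rewrites stored audit state as a side effect of filtering. Use a local `u32 sid` (taken from blob->selinux.secid, falling back to blob->scaffold.secid) for both sidtab_search() and the WARN_ONCE() argument.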
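Review bot: in the security/smack/smack_lsm.c hunk at @@ -4726, the kernel-doc `@blob: security id for identifying the object to test` keeps the old wording; the parameter now carries a `struct smack_known` pointer (with a scaffold secid as fallback), so describe it as the LSM data identifying the object rather than a security id.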
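Review bot: in the security/smack/smack_lsm.c hunk at @@ -4751, the if/else that selects `skp` is rewritten by the next patch in the series (initialising `skp = blob->smack.skp` at declaration and dropping the else branch); fold that form into this patch so the scaffolding lands once in its final shape and the following patch stays limited to the new hook.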
From: Casey Schaufler
To: casey@schaufler-ca.com, paul@paul-moore.com, linux-security-module@vger.kernel.org
Cc: jmorris@namei.org, serge@hallyn.com, keescook@chromium.org, john.johansen@canonical.com, penguin-kernel@i-love.sakura.ne.jp, stephen.smalley.work@gmail.com, linux-kernel@vger.kernel.org, mic@digikod.net
Subject: [PATCH v39 06/42] LSM: Add lsmblob_to_secctx hook
Date: Fri, 15 Dec 2023 14:16:00 -0800
Message-ID: <20231215221636.105680-7-casey@schaufler-ca.com>
X-Mailer: git-send-email 2.43.0
In-Reply-To: <20231215221636.105680-1-casey@schaufler-ca.com>
References: <20231215221636.105680-1-casey@schaufler-ca.com>
X-Mailing-List: linux-security-module@vger.kernel.org

Add a new hook security_lsmblob_to_secctx() and its LSM specific implementations. The LSM specific code will use the lsmblob element allocated for that module. This allows for the possibility that more than one module may be called upon to translate a secid to a string, as can occur in the audit code.

Signed-off-by: Casey Schaufler
---
include/linux/lsm_hook_defs.h | 2 ++
include/linux/security.h | 11 +++++++++-
kernel/auditfilter.c | 1 -
security/apparmor/include/secid.h | 2 ++
security/apparmor/lsm.c | 1 +
security/apparmor/secid.c | 36 +++++++++++++++++++++++++++++++
security/security.c | 30 ++++++++++++++++++++++++++
security/selinux/hooks.c | 16 ++++++++++++--
security/smack/smack_lsm.c | 31 +++++++++++++++++++++-----
9 files changed, 121 insertions(+), 9 deletions(-)

diff --git a/include/linux/lsm_hook_defs.h b/include/linux/lsm_hook_defs.h index 24c588b87412..52d090d1957c 100644 --- a/include/linux/lsm_hook_defs.h +++ b/include/linux/lsm_hook_defs.h
@@ -272,6 +272,8 @@ LSM_HOOK(int, -EINVAL, setprocattr, const char *name, void *value, size_t size) LSM_HOOK(int, 0, ismaclabel, const char *name) LSM_HOOK(int, -EOPNOTSUPP, secid_to_secctx, u32 secid, char **secdata, u32 *seclen) +LSM_HOOK(int, -EOPNOTSUPP, lsmblob_to_secctx, struct lsmblob *blob, + char **secdata, u32 *seclen) LSM_HOOK(int, 0, secctx_to_secid, const char *secdata, u32 seclen, u32 *secid) LSM_HOOK(void, LSM_RET_VOID, release_secctx, char *secdata, u32 seclen) LSM_HOOK(void, LSM_RET_VOID, inode_invalidate_secctx, struct inode *inode) diff --git a/include/linux/security.h b/include/linux/security.h index 6ded4f04f117..7e4b31b771c1 100644 --- a/include/linux/security.h +++ b/include/linux/security.h @@ -507,6 +507,8 @@ int security_setprocattr(int lsmid, const char *name, void *value, size_t size); int security_netlink_send(struct sock *sk, struct sk_buff *skb); int security_ismaclabel(const char *name); int security_secid_to_secctx(u32 secid, char **secdata, u32 *seclen); +int security_lsmblob_to_secctx(struct lsmblob *blob, char **secdata, + u32 *seclen); int security_secctx_to_secid(const char *secdata, u32 seclen, u32 *secid); void security_release_secctx(char *secdata, u32 seclen); void security_inode_invalidate_secctx(struct inode *inode); @@ -1420,7 +1422,14 @@ static inline int security_ismaclabel(const char *name) return 0; } -static inline int security_secid_to_secctx(u32 secid, char **secdata, u32 *seclen) +static inline int security_secid_to_secctx(u32 secid, char **secdata, + u32 *seclen) +{ + return -EOPNOTSUPP; +} + +static inline int security_lsmblob_to_secctx(struct lsmblob *blob, + char **secdata, u32 *seclen) { return -EOPNOTSUPP; } diff --git a/kernel/auditfilter.c b/kernel/auditfilter.c index 0a6a1c4c3507..08dc64bb8496 100644 --- a/kernel/auditfilter.c +++ b/kernel/auditfilter.c 
@@ -1340,7 +1340,6 @@ int audit_filter(int msgtype, unsigned int listtype) struct audit_field *f = &e->rule.fields[i]; struct lsmblob blob = { }; pid_t pid; - u32 sid; switch (f->type) { case AUDIT_PID: diff --git a/security/apparmor/include/secid.h b/security/apparmor/include/secid.h index a912a5d5d04f..816a425e2023 100644 --- a/security/apparmor/include/secid.h +++ b/security/apparmor/include/secid.h @@ -26,6 +26,8 @@ extern int apparmor_display_secid_mode; struct aa_label *aa_secid_to_label(u32 secid); int apparmor_secid_to_secctx(u32 secid, char **secdata, u32 *seclen); +int apparmor_lsmblob_to_secctx(struct lsmblob *blob, char **secdata, + u32 *seclen); int apparmor_secctx_to_secid(const char *secdata, u32 seclen, u32 *secid); void apparmor_release_secctx(char *secdata, u32 seclen); diff --git a/security/apparmor/lsm.c b/security/apparmor/lsm.c index 8af5f458e218..1b230ade84fc 100644 --- a/security/apparmor/lsm.c +++ b/security/apparmor/lsm.c @@ -1533,6 +1533,7 @@ static struct security_hook_list apparmor_hooks[] __ro_after_init = { #endif LSM_HOOK_INIT(secid_to_secctx, apparmor_secid_to_secctx), + LSM_HOOK_INIT(lsmblob_to_secctx, apparmor_lsmblob_to_secctx), LSM_HOOK_INIT(secctx_to_secid, apparmor_secctx_to_secid), LSM_HOOK_INIT(release_secctx, apparmor_release_secctx), diff --git a/security/apparmor/secid.c b/security/apparmor/secid.c index 83d3d1e6d9dc..a7c6f5061882 100644 --- a/security/apparmor/secid.c +++ b/security/apparmor/secid.c 
@@ -90,6 +90,42 @@ int apparmor_secid_to_secctx(u32 secid, char **secdata, u32 *seclen) return 0; } +int apparmor_lsmblob_to_secctx(struct lsmblob *blob, char **secdata, + u32 *seclen) +{ + /* TODO: cache secctx and ref count so we don't have to recreate */ + struct aa_label *label; + int flags = FLAG_VIEW_SUBNS | FLAG_HIDDEN_UNCONFINED | FLAG_ABS_ROOT; + int len; + + AA_BUG(!seclen); + + /* stacking scaffolding */ + if (!blob->apparmor.label && blob->scaffold.secid) + label = aa_secid_to_label(blob->scaffold.secid); + else + label = blob->apparmor.label; + + if (!label) + return -EINVAL; + + if (apparmor_display_secid_mode) + flags |= FLAG_SHOW_MODE; + + if (secdata) + len = aa_label_asxprint(secdata, root_ns, label, + flags, GFP_ATOMIC); + else + len = aa_label_snxprint(NULL, 0, root_ns, label, flags); + + if (len < 0) + return -ENOMEM; + + *seclen = len; + + return 0; +} + int apparmor_secctx_to_secid(const char *secdata, u32 seclen, u32 *secid) { struct aa_label *label; diff --git a/security/security.c b/security/security.c index b3d150b6248e..4b78bface040 100644 --- a/security/security.c +++ b/security/security.c 
@@ -4187,6 +4187,36 @@ int security_secid_to_secctx(u32 secid, char **secdata, u32 *seclen) } EXPORT_SYMBOL(security_secid_to_secctx); +/** + * security_lsmblob_to_secctx() - Convert a lsmblob to a secctx + * @blob: lsm specific information + * @secdata: secctx + * @seclen: secctx length + * + * Convert a @blob entry to security context. If @secdata is NULL the + * length of the result will be returned in @seclen, but no @secdata + * will be returned. This does mean that the length could change between + * calls to check the length and the next call which actually allocates + * and returns the @secdata. + * + * Return: Return 0 on success, error on failure. + */ +int security_lsmblob_to_secctx(struct lsmblob *blob, char **secdata, + u32 *seclen) +{ + struct security_hook_list *hp; + int rc; + + hlist_for_each_entry(hp, &security_hook_heads.secid_to_secctx, list) { + rc = hp->hook.lsmblob_to_secctx(blob, secdata, seclen); + if (rc != LSM_RET_DEFAULT(secid_to_secctx)) + return rc; + } + + return LSM_RET_DEFAULT(secid_to_secctx); +} +EXPORT_SYMBOL(security_lsmblob_to_secctx); + /** * security_secctx_to_secid() - Convert a secctx to a secid * @secdata: secctx diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c index aa15acd344ea..83ce496e8ef6 100644 --- a/security/selinux/hooks.c +++ b/security/selinux/hooks.c @@ -6549,8 +6549,19 @@ static int selinux_ismaclabel(const char *name) static int selinux_secid_to_secctx(u32 secid, char **secdata, u32 *seclen) { - return security_sid_to_context(secid, - secdata, seclen); + return security_sid_to_context(secid, secdata, seclen); +} + +static int selinux_lsmblob_to_secctx(struct lsmblob *blob, char **secdata, + u32 *seclen) +{ + u32 secid = blob->selinux.secid; + + /* stacking scaffolding */ + if (!secid) + secid = blob->scaffold.secid; + + return security_sid_to_context(secid, secdata, seclen); } static int selinux_secctx_to_secid(const char *secdata, u32 seclen, u32 *secid) 
@@ -7300,6 +7311,7 @@ static struct security_hook_list selinux_hooks[] __ro_after_init = { LSM_HOOK_INIT(inode_alloc_security, selinux_inode_alloc_security), LSM_HOOK_INIT(sem_alloc_security, selinux_sem_alloc_security), LSM_HOOK_INIT(secid_to_secctx, selinux_secid_to_secctx), + LSM_HOOK_INIT(lsmblob_to_secctx, selinux_lsmblob_to_secctx), LSM_HOOK_INIT(inode_getsecctx, selinux_inode_getsecctx), LSM_HOOK_INIT(sk_alloc_security, selinux_sk_alloc_security), LSM_HOOK_INIT(tun_dev_alloc_security, selinux_tun_dev_alloc_security), diff --git a/security/smack/smack_lsm.c b/security/smack/smack_lsm.c index 9851d56dff69..a4ace6ea2ab0 100644 --- a/security/smack/smack_lsm.c +++ b/security/smack/smack_lsm.c @@ -4738,7 +4738,7 @@ static int smack_audit_rule_known(struct audit_krule *krule) static int smack_audit_rule_match(struct lsmblob *blob, u32 field, u32 op, void *vrule, int lsmid) { - struct smack_known *skp; + struct smack_known *skp = blob->smack.skp; char *rule = vrule; if (lsmid != LSM_ID_UNDEF || lsmid != LSM_ID_SMACK) @@ -4752,10 +4752,8 @@ static int smack_audit_rule_match(struct lsmblob *blob, u32 field, u32 op, return 0; /* stacking scaffolding */ - if (!blob->smack.skp && blob->scaffold.secid) + if (!skp && blob->scaffold.secid) skp = smack_from_secid(blob->scaffold.secid); - else - skp = blob->smack.skp; /* * No need to do string comparisons. If a match occurs, @@ -4786,7 +4784,6 @@ static int smack_ismaclabel(const char *name) return (strcmp(name, XATTR_SMACK_SUFFIX) == 0); } - /** * smack_secid_to_secctx - return the smack label for a secid * @secid: incoming integer 
@@ -4805,6 +4802,29 @@ static int smack_secid_to_secctx(u32 secid, char **secdata, u32 *seclen) return 0; } +/** + * smack_lsmblob_to_secctx - return the smack label + * @blob: includes incoming Smack data + * @secdata: destination + * @seclen: how long it is + * + * Exists for audit code. + */ +static int smack_lsmblob_to_secctx(struct lsmblob *blob, char **secdata, + u32 *seclen) +{ + struct smack_known *skp = blob->smack.skp; + + /* stacking scaffolding */ + if (!skp && blob->scaffold.secid) + skp = smack_from_secid(blob->scaffold.secid); + + if (secdata) + *secdata = skp->smk_known; + *seclen = strlen(skp->smk_known); + return 0; +} + /** * smack_secctx_to_secid - return the secid for a smack label * @secdata: smack label 
@@ -5162,6 +5182,7 @@ static struct security_hook_list smack_hooks[] __ro_after_init = { LSM_HOOK_INIT(ismaclabel, smack_ismaclabel), LSM_HOOK_INIT(secid_to_secctx, smack_secid_to_secctx), + LSM_HOOK_INIT(lsmblob_to_secctx, smack_lsmblob_to_secctx), LSM_HOOK_INIT(secctx_to_secid, smack_secctx_to_secid), LSM_HOOK_INIT(inode_notifysecctx, smack_inode_notifysecctx), LSM_HOOK_INIT(inode_setsecctx, smack_inode_setsecctx),
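Review bot: in the include/linux/security.h hunk at @@ -1420, re-wrapping the parameter list of the existing `security_secid_to_secctx()` stub is whitespace-only churn unrelated to the new hook; drop it (and likewise the one-line rejoin of the `security_sid_to_context()` call in the security/selinux/hooks.c hunk at @@ -6549) so the diff shows only the additions.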
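Review bot: in the security/apparmor/secid.c hunk at @@ -90, everything after the label lookup in apparmor_lsmblob_to_secctx() (the flags, the apparmor_display_secid_mode handling, the aa_label_asxprint()/aa_label_snxprint() call, the -ENOMEM mapping, even the TODO comment) reads as a second copy of what apparmor_secid_to_secctx(), which ends just above this hunk, presumably does; if so, factor that tail into a static helper taking a `struct aa_label *` so both entry points share one body.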
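Review bot: in the security/security.c hunk at @@ -4187, security_lsmblob_to_secctx() iterates `security_hook_heads.secid_to_secctx` but calls `hp->hook.lsmblob_to_secctx` on each entry. The entries on that list were registered for secid_to_secctx, so the union member invoked is each LSM's secid_to_secctx implementation, called with an lsmblob pointer where it expects a u32 secid, and the functions registered with `LSM_HOOK_INIT(lsmblob_to_secctx, ...)` in this patch are never reached. The loop must walk `security_hook_heads.lsmblob_to_secctx`, and the two `LSM_RET_DEFAULT(secid_to_secctx)` uses should name lsmblob_to_secctx too (both default to -EOPNOTSUPP per the lsm_hook_defs.h hunk, so that part is cosmetic, but it should match the hook actually being called).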
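Review bot: in the security/smack/smack_lsm.c hunk at @@ -4738, the unchanged guard `if (lsmid != LSM_ID_UNDEF || lsmid != LSM_ID_SMACK)` two lines below the new `skp` initialiser is true for every lsmid, so smack_audit_rule_match() returns 0 before any of the scaffolding runs; it needs `&&`. It is pre-existing context, but the function is being reworked in this series, so fix it here or in the earlier patch that changed its signature.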
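Review bot: in the security/smack/smack_lsm.c hunk at @@ -4752, the rewrite of the scaffolding in smack_audit_rule_match() (dropping the else branch now that `skp` starts as `blob->smack.skp`) belongs to the patch that introduced that scaffolding, not to "Add lsmblob_to_secctx hook"; squash it there. The blank-line removal in the following @@ -4786 hunk is likewise unrelated to this patch.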
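Review bot: in the security/smack/smack_lsm.c hunk at @@ -4805, smack_lsmblob_to_secctx() dereferences `skp->smk_known` without checking `skp`: when `blob->smack.skp` is NULL and `blob->scaffold.secid` is 0 (an lsmblob that was never filled in), `skp` stays NULL and the hook oopses. apparmor_lsmblob_to_secctx() in this same patch returns -EINVAL for its equivalent case; do the same here rather than relying on every caller to test the blob first.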
From: Casey Schaufler
To: casey@schaufler-ca.com, paul@paul-moore.com, linux-security-module@vger.kernel.org
Cc: jmorris@namei.org, serge@hallyn.com, keescook@chromium.org, john.johansen@canonical.com, penguin-kernel@i-love.sakura.ne.jp, stephen.smalley.work@gmail.com, linux-kernel@vger.kernel.org, mic@digikod.net
Subject: [PATCH v39 07/42] Audit: maintain an lsmblob in audit_context
Date: Fri, 15 Dec 2023 14:16:01 -0800
Message-ID: <20231215221636.105680-8-casey@schaufler-ca.com>
X-Mailer: git-send-email 2.43.0
In-Reply-To: <20231215221636.105680-1-casey@schaufler-ca.com>
References: <20231215221636.105680-1-casey@schaufler-ca.com>
X-Mailing-List: linux-security-module@vger.kernel.org

Replace the secid value stored in struct audit_context with a struct lsmblob. Change the code that uses this value to accommodate the change. security_audit_rule_match() expects a lsmblob, so existing scaffolding can be removed. A call to security_secid_to_secctx() is changed to security_lsmblob_to_secctx(). The call to security_ipc_getsecid() is scaffolded. A new function lsmblob_is_set() is introduced to identify whether an lsmblob contains a non-zero value.

Signed-off-by: Casey Schaufler
---
include/linux/security.h | 13 +++++++++++++
kernel/audit.h | 3 ++-
kernel/auditsc.c | 19 ++++++++-----------
3 files changed, 23 insertions(+), 12 deletions(-)

diff --git a/include/linux/security.h b/include/linux/security.h index 7e4b31b771c1..029cf071148b 100644 --- a/include/linux/security.h +++ b/include/linux/security.h
@@ -276,6 +276,19 @@ static inline const char *kernel_load_data_id_str(enum kernel_load_data_id id) return kernel_load_data_str[id]; } +/** + * lsmblob_is_set - report if there is a value in the lsmblob + * @blob: Pointer to the exported LSM data + * + * Returns true if there is a value set, false otherwise + */ +static inline bool lsmblob_is_set(struct lsmblob *blob) +{ + const struct lsmblob empty = {}; + + return !!memcmp(blob, &empty, sizeof(*blob)); +} + #ifdef CONFIG_SECURITY int call_blocking_lsm_notifier(enum lsm_event event, void *data); diff --git a/kernel/audit.h b/kernel/audit.h index a60d2840559e..b1f2de4d4f1e 100644 --- a/kernel/audit.h +++ b/kernel/audit.h @@ -11,6 +11,7 @@ #include #include +#include #include #include #include @@ -160,7 +161,7 @@ struct audit_context { kuid_t uid; kgid_t gid; umode_t mode; - u32 osid; + struct lsmblob oblob; int has_perm; uid_t perm_uid; gid_t perm_gid; diff --git a/kernel/auditsc.c b/kernel/auditsc.c index fb001300f0c2..52b4697d938c 100644 --- a/kernel/auditsc.c +++ b/kernel/auditsc.c @@ -724,9 +724,7 @@ static int audit_filter_rules(struct task_struct *tsk, /* Find ipc objects that match */ if (!ctx || ctx->type != AUDIT_IPC) break; - /* stacking scaffolding */ - blob.scaffold.secid = ctx->ipc.osid; - if (security_audit_rule_match(&blob, + if (security_audit_rule_match(&ctx->ipc.oblob, f->type, f->op, f->lsm_rule)) ++result; 
@@ -1394,19 +1392,17 @@ static void show_special(struct audit_context *context, int *call_panic) audit_log_format(ab, " a%d=%lx", i, context->socketcall.args[i]); break; } - case AUDIT_IPC: { - u32 osid = context->ipc.osid; - + case AUDIT_IPC: audit_log_format(ab, "ouid=%u ogid=%u mode=%#ho", from_kuid(&init_user_ns, context->ipc.uid), from_kgid(&init_user_ns, context->ipc.gid), context->ipc.mode); - if (osid) { + if (lsmblob_is_set(&context->ipc.oblob)) { char *ctx = NULL; u32 len; - if (security_secid_to_secctx(osid, &ctx, &len)) { - audit_log_format(ab, " osid=%u", osid); + if (security_lsmblob_to_secctx(&context->ipc.oblob, + &ctx, &len)) { *call_panic = 1; } else { audit_log_format(ab, " obj=%s", ctx); @@ -1426,7 +1422,7 @@ static void show_special(struct audit_context *context, int *call_panic) context->ipc.perm_gid, context->ipc.perm_mode); } - break; } + break; case AUDIT_MQ_OPEN: audit_log_format(ab, "oflag=0x%x mode=%#ho mq_flags=0x%lx mq_maxmsg=%ld " 
@@ -2642,7 +2638,8 @@ void __audit_ipc_obj(struct kern_ipc_perm *ipcp) context->ipc.gid = ipcp->gid; context->ipc.mode = ipcp->mode; context->ipc.has_perm = 0; - security_ipc_getsecid(ipcp, &context->ipc.osid); + /* stacking scaffolding */ + security_ipc_getsecid(ipcp, &context->ipc.oblob.scaffold.secid); context->type = AUDIT_IPC; }
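Review bot: in the include/linux/security.h hunk at @@ -276, lsmblob_is_set() compares the whole struct with memcmp(), which includes any padding bytes; that is only reliable for blobs that were zero-initialised as a unit (`= { }` or kzalloc'd storage, as the audit_context that embeds it presumably is), not for blobs whose members were assigned individually. State that precondition in the kernel-doc, or compare the members explicitly.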
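Review bot: in the kernel/auditsc.c hunk at @@ -1394, the failure branch drops the old `audit_log_format(ab, " osid=%u", osid);` fallback: when the label cannot be converted, the record now carries no object-label field at all and only *call_panic is set. If that is deliberate (an lsmblob has no single number to print), say so in the commit message; otherwise log the scaffold secid while that field still exists so the record is not silently incomplete.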
From: Casey Schaufler
To: casey@schaufler-ca.com, paul@paul-moore.com, linux-security-module@vger.kernel.org
Cc: jmorris@namei.org, serge@hallyn.com, keescook@chromium.org, john.johansen@canonical.com, penguin-kernel@i-love.sakura.ne.jp, stephen.smalley.work@gmail.com, linux-kernel@vger.kernel.org, mic@digikod.net, linux-audit@redhat.com, audit@vger.kernel.org
Subject: [PATCH v39 08/42] LSM: Use lsmblob in security_ipc_getsecid
Date: Fri, 15 Dec 2023 14:16:02 -0800
Message-ID: <20231215221636.105680-9-casey@schaufler-ca.com>
X-Mailer: git-send-email 2.43.0
In-Reply-To: <20231215221636.105680-1-casey@schaufler-ca.com>
References: <20231215221636.105680-1-casey@schaufler-ca.com>
X-Mailing-List: linux-security-module@vger.kernel.org

There may be more than one LSM that provides IPC data for auditing. Change security_ipc_getsecid() to fill in a lsmblob structure instead of the u32 secid. Change the name to security_ipc_getlsmblob() to reflect the change. The audit data structure containing the secid will be updated later, so there is a bit of scaffolding here.

Reviewed-by: Kees Cook
Reviewed-by: John Johansen
Acked-by: Stephen Smalley
Acked-by: Paul Moore
Signed-off-by: Casey Schaufler
Cc: linux-audit@redhat.com
Cc: audit@vger.kernel.org
---
 include/linux/lsm_hook_defs.h | 4 ++--
 include/linux/security.h | 18 +++++++++++++++---
 kernel/auditsc.c | 3 +--
 security/security.c | 14 +++++++-------
 security/selinux/hooks.c | 9 ++++++---
 security/smack/smack_lsm.c | 17 ++++++++++-------
 6 files changed, 41 insertions(+), 24 deletions(-)

diff --git a/include/linux/lsm_hook_defs.h b/include/linux/lsm_hook_defs.h
index 52d090d1957c..d69332031270 100644
--- a/include/linux/lsm_hook_defs.h
+++ b/include/linux/lsm_hook_defs.h
@@ -234,8 +234,8 @@ LSM_HOOK(void, LSM_RET_VOID, task_to_inode, struct task_struct *p, struct inode *inode) LSM_HOOK(int, 0, userns_create, const struct cred *cred) LSM_HOOK(int, 0, ipc_permission, struct kern_ipc_perm *ipcp, short flag) -LSM_HOOK(void, LSM_RET_VOID, ipc_getsecid, struct kern_ipc_perm *ipcp, - u32 *secid) +LSM_HOOK(void, LSM_RET_VOID, ipc_getlsmblob, struct kern_ipc_perm *ipcp, + struct lsmblob *blob) LSM_HOOK(int, 0, msg_msg_alloc_security, struct msg_msg *msg) LSM_HOOK(void, LSM_RET_VOID, msg_msg_free_security, struct msg_msg *msg) LSM_HOOK(int, 0, msg_queue_alloc_security, struct kern_ipc_perm *perm) diff --git a/include/linux/security.h b/include/linux/security.h index 029cf071148b..2ca118960234 100644 --- a/include/linux/security.h +++ b/include/linux/security.h @@ -289,6 +289,17 @@ static inline bool lsmblob_is_set(struct lsmblob *blob) return !!memcmp(blob, &empty, sizeof(*blob)); } +/** + * lsmblob_init - initialize a lsmblob structure + * @blob: Pointer to the data to initialize + * + * Set all secid for all modules to the specified value. + */ +static inline void lsmblob_init(struct lsmblob *blob) +{ + memset(blob, 0, sizeof(*blob)); +} + #ifdef CONFIG_SECURITY int call_blocking_lsm_notifier(enum lsm_event event, void *data); @@ -487,7 +498,7 @@ int security_task_prctl(int option, unsigned long arg2, unsigned long arg3, void security_task_to_inode(struct task_struct *p, struct inode *inode); int security_create_user_ns(const struct cred *cred); int security_ipc_permission(struct kern_ipc_perm *ipcp, short flag); -void security_ipc_getsecid(struct kern_ipc_perm *ipcp, u32 *secid); +void security_ipc_getlsmblob(struct kern_ipc_perm *ipcp, struct lsmblob *blob); int security_msg_msg_alloc(struct msg_msg *msg); void security_msg_msg_free(struct msg_msg *msg); int security_msg_queue_alloc(struct kern_ipc_perm *msq); 
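Review bot: the kerneldoc added for lsmblob_init() in the include/linux/security.h hunk (@@ -289,6 +289,17 @@) describes a parameter that does not exist: "Set all secid for all modules to the specified value", but the function takes only @blob and unconditionally zeroes it with memset(). Reword it to match the body, e.g. "Clear all LSM data in @blob so that lsmblob_is_set() returns false", which also records the contract the rest of this patch relies on (security_ipc_getlsmblob() clears the blob before invoking the hook, and the !CONFIG_SECURITY stub uses it as the empty result). "a lsmblob" in the same comment should be "an lsmblob".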
@@ -1299,9 +1310,10 @@ static inline int security_ipc_permission(struct kern_ipc_perm *ipcp, return 0; } -static inline void security_ipc_getsecid(struct kern_ipc_perm *ipcp, u32 *secid) +static inline void security_ipc_getlsmblob(struct kern_ipc_perm *ipcp, + struct lsmblob *blob) { - *secid = 0; + lsmblob_init(blob); } static inline int security_msg_msg_alloc(struct msg_msg *msg) diff --git a/kernel/auditsc.c b/kernel/auditsc.c index 52b4697d938c..89d490db0494 100644 --- a/kernel/auditsc.c +++ b/kernel/auditsc.c @@ -2638,8 +2638,7 @@ void __audit_ipc_obj(struct kern_ipc_perm *ipcp) context->ipc.gid = ipcp->gid; context->ipc.mode = ipcp->mode; context->ipc.has_perm = 0; - /* stacking scaffolding */ - security_ipc_getsecid(ipcp, &context->ipc.oblob.scaffold.secid); + security_ipc_getlsmblob(ipcp, &context->ipc.oblob); context->type = AUDIT_IPC; } diff --git a/security/security.c b/security/security.c index 4b78bface040..b82245d55f66 100644 --- a/security/security.c +++ b/security/security.c @@ -3595,17 +3595,17 @@ int security_ipc_permission(struct kern_ipc_perm *ipcp, short flag) } /** - * security_ipc_getsecid() - Get the sysv ipc object's secid + * security_ipc_getlsmblob() - Get the sysv ipc object LSM data * @ipcp: ipc permission structure - * @secid: secid pointer + * @blob: pointer to lsm information * - * Get the secid associated with the ipc object. In case of failure, @secid - * will be set to zero. + * Get the lsm information associated with the ipc object. */ -void security_ipc_getsecid(struct kern_ipc_perm *ipcp, u32 *secid) + +void security_ipc_getlsmblob(struct kern_ipc_perm *ipcp, struct lsmblob *blob) { - *secid = 0; - call_void_hook(ipc_getsecid, ipcp, secid); + lsmblob_init(blob); + call_void_hook(ipc_getlsmblob, ipcp, blob); } /** diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c index 83ce496e8ef6..f15991ef6ca8 100644 --- a/security/selinux/hooks.c +++ b/security/selinux/hooks.c 
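Review bot: in the security/security.c hunk (@@ -3595,17 +3595,17 @@) a blank `+` line is inserted between the closing `*/` of the kerneldoc block and `void security_ipc_getlsmblob(...)`, which detaches the comment from the function it documents and does not match the neighbouring hook wrappers; drop that line. While rewriting the comment, the removed sentence "In case of failure, @secid will be set to zero" lost its counterpart: the new body does `lsmblob_init(blob);` before `call_void_hook(ipc_getlsmblob, ipcp, blob);`, so the doc should say that @blob is cleared first and stays empty if no module implements the hook, so callers can test the result with lsmblob_is_set().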
@@ -6266,10 +6266,13 @@ static int selinux_ipc_permission(struct kern_ipc_perm *ipcp, short flag) return ipc_has_perm(ipcp, av); } -static void selinux_ipc_getsecid(struct kern_ipc_perm *ipcp, u32 *secid) +static void selinux_ipc_getlsmblob(struct kern_ipc_perm *ipcp, + struct lsmblob *blob) { struct ipc_security_struct *isec = selinux_ipc(ipcp); - *secid = isec->sid; + blob->selinux.secid = isec->sid; + /* stacking scaffolding */ + blob->scaffold.secid = isec->sid; } static void selinux_d_instantiate(struct dentry *dentry, struct inode *inode) @@ -7165,7 +7168,7 @@ static struct security_hook_list selinux_hooks[] __ro_after_init = { LSM_HOOK_INIT(userns_create, selinux_userns_create), LSM_HOOK_INIT(ipc_permission, selinux_ipc_permission), - LSM_HOOK_INIT(ipc_getsecid, selinux_ipc_getsecid), + LSM_HOOK_INIT(ipc_getlsmblob, selinux_ipc_getlsmblob), LSM_HOOK_INIT(msg_queue_associate, selinux_msg_queue_associate), LSM_HOOK_INIT(msg_queue_msgctl, selinux_msg_queue_msgctl), diff --git a/security/smack/smack_lsm.c b/security/smack/smack_lsm.c index a4ace6ea2ab0..b00f4f44f9c5 100644 --- a/security/smack/smack_lsm.c +++ b/security/smack/smack_lsm.c @@ -3396,16 +3396,19 @@ static int smack_ipc_permission(struct kern_ipc_perm *ipp, short flag) } /** - * smack_ipc_getsecid - Extract smack security id + * smack_ipc_getlsmblob - Extract smack security data * @ipp: the object permissions - * @secid: where result will be saved + * @blob: where result will be saved */ -static void smack_ipc_getsecid(struct kern_ipc_perm *ipp, u32 *secid) +static void smack_ipc_getlsmblob(struct kern_ipc_perm *ipp, + struct lsmblob *blob) { - struct smack_known **blob = smack_ipc(ipp); - struct smack_known *iskp = *blob; + struct smack_known **iskpp = smack_ipc(ipp); + struct smack_known *iskp = *iskpp; - *secid = iskp->smk_secid; + blob->smack.skp = iskp; + /* stacking scaffolding */ + blob->scaffold.secid = iskp->smk_secid; } /** 
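Review bot: selinux_ipc_getlsmblob() and smack_ipc_getlsmblob() (security/selinux/hooks.c @@ -6266,10 +6266,13 @@ and security/smack/smack_lsm.c @@ -3396,16 +3396,19 @@) each fill their module-specific field and then also write `blob->scaffold.secid`. Because every module that implements the hook writes the same scaffold slot, the last hook to run wins, so the scaffold value is only meaningful while at most one secid-bearing LSM is active. Since the field is already marked "stacking scaffolding", a one-line comment at one of these sites (or a sentence in the commit message) stating that the scaffold value is single-LSM-only and disappears once the audit consumers take the whole blob would stop the next reader from treating it as a merged value. The rename of the Smack local from `blob` to `iskpp` is required to avoid shadowing the new `blob` parameter and looks correct.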
@@ -5109,7 +5112,7 @@ static struct security_hook_list smack_hooks[] __ro_after_init = { LSM_HOOK_INIT(task_to_inode, smack_task_to_inode), LSM_HOOK_INIT(ipc_permission, smack_ipc_permission), - LSM_HOOK_INIT(ipc_getsecid, smack_ipc_getsecid), + LSM_HOOK_INIT(ipc_getlsmblob, smack_ipc_getlsmblob), LSM_HOOK_INIT(msg_msg_alloc_security, smack_msg_msg_alloc_security),

From patchwork Fri Dec 15 22:16:03 2023
X-Patchwork-Submitter: Casey Schaufler
X-Patchwork-Id: 13495126
X-Patchwork-Delegate: paul@paul-moore.com
From: Casey Schaufler
To: casey@schaufler-ca.com, paul@paul-moore.com, linux-security-module@vger.kernel.org
Cc: jmorris@namei.org, serge@hallyn.com, keescook@chromium.org, john.johansen@canonical.com, penguin-kernel@i-love.sakura.ne.jp, stephen.smalley.work@gmail.com, linux-kernel@vger.kernel.org, mic@digikod.net
Subject: [PATCH v39 09/42] Audit: Update shutdown LSM data
Date: Fri, 15 Dec 2023 14:16:03 -0800
Message-ID: <20231215221636.105680-10-casey@schaufler-ca.com>
X-Mailer: git-send-email 2.43.0
In-Reply-To: <20231215221636.105680-1-casey@schaufler-ca.com>
References: <20231215221636.105680-1-casey@schaufler-ca.com>
X-Mailing-List: linux-security-module@vger.kernel.org

The audit process LSM information is changed from a secid audit_sig_sid to an lsmblob in audit_sig_lsm. Update the users of this data appropriately. Calls to security_secid_to_secctx() are changed to use security_lsmblob_to_secctx() instead. security_current_getsecid_subj() is scaffolded. It will be updated in a subsequent patch.

Signed-off-by: Casey Schaufler
---
 kernel/audit.c | 14 ++++++++------
 1 file changed, 8 insertions(+), 6 deletions(-)

diff --git a/kernel/audit.c b/kernel/audit.c
index 16205dd29843..875df831fb61 100644
--- a/kernel/audit.c
+++ b/kernel/audit.c
@@ -123,7 +123,7 @@ static u32 audit_backlog_wait_time = AUDIT_BACKLOG_WAIT_TIME; /* The identity of the user shutting down the audit system. */ static kuid_t audit_sig_uid = INVALID_UID; static pid_t audit_sig_pid = -1; -static u32 audit_sig_sid; +static struct lsmblob audit_sig_lsm; /* Records can be lost in several ways: 0) [suppressed in audit_alloc]
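Review bot: with `static struct lsmblob audit_sig_lsm;` replacing the u32 (kernel/audit.c @@ -123,7 +123,7 @@), the writer in audit_signal_info() fills only `audit_sig_lsm.scaffold.secid` in this patch while the AUDIT_SIGNAL_INFO reader hands the whole blob to security_lsmblob_to_secctx(). For the series to stay bisectable between this patch and the one that converts security_current_getsecid_subj(), security_lsmblob_to_secctx() must consult the scaffold field when the module-specific fields are zero; the commit message says the call "is scaffolded" but should state that this is the case (or point at the patch that made it so), otherwise the signal-info record carries an empty context for one commit.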
@@ -1460,20 +1460,21 @@ static int audit_receive_msg(struct sk_buff *skb, struct nlmsghdr *nlh) } case AUDIT_SIGNAL_INFO: len = 0; - if (audit_sig_sid) { - err = security_secid_to_secctx(audit_sig_sid, &ctx, &len); + if (lsmblob_is_set(&audit_sig_lsm)) { + err = security_lsmblob_to_secctx(&audit_sig_lsm, &ctx, + &len); if (err) return err; } sig_data = kmalloc(struct_size(sig_data, ctx, len), GFP_KERNEL); if (!sig_data) { - if (audit_sig_sid) + if (lsmblob_is_set(&audit_sig_lsm)) security_release_secctx(ctx, len); return -ENOMEM; } sig_data->uid = from_kuid(&init_user_ns, audit_sig_uid); sig_data->pid = audit_sig_pid; - if (audit_sig_sid) { + if (lsmblob_is_set(&audit_sig_lsm)) { memcpy(sig_data->ctx, ctx, len); security_release_secctx(ctx, len); } 
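Review bot: the AUDIT_SIGNAL_INFO hunk (kernel/audit.c @@ -1460,20 +1460,21 @@) evaluates lsmblob_is_set(&audit_sig_lsm) three times: once to decide whether to build @ctx, once on the kmalloc() failure path to decide whether to release it, and once to decide whether to memcpy() it. The old code had the same shape, but a u32 store is a single word, whereas audit_sig_lsm is now a multi-word struct that audit_signal_info() (next hunk) rewrites with no serialization visible in this patch, so a torn update can make the three memcmp()-based checks disagree with each other and with whether @ctx was actually allocated, leaking or double-releasing the secctx. Evaluate the predicate once into a local (e.g. `bool have_lsm = lsmblob_is_set(&audit_sig_lsm);`) and use it for all three decisions; better still, copy the global into a local blob before the first check so the secctx that is built and the flag that guards it come from the same snapshot.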
@@ -2389,7 +2390,8 @@ int audit_signal_info(int sig, struct task_struct *t) audit_sig_uid = auid; else audit_sig_uid = uid; - security_current_getsecid_subj(&audit_sig_sid); + /* stacking scaffolding */ + security_current_getsecid_subj(&audit_sig_lsm.scaffold.secid); } return audit_signal_info_syscall(t);

From patchwork Fri Dec 15 22:16:04 2023
X-Patchwork-Submitter: Casey Schaufler
X-Patchwork-Id: 13495127
X-Patchwork-Delegate: paul@paul-moore.com
From: Casey Schaufler
To: casey@schaufler-ca.com, paul@paul-moore.com, linux-security-module@vger.kernel.org
Cc: jmorris@namei.org, serge@hallyn.com, keescook@chromium.org, john.johansen@canonical.com, penguin-kernel@i-love.sakura.ne.jp, stephen.smalley.work@gmail.com, linux-kernel@vger.kernel.org, mic@digikod.net, linux-integrity@vger.kernel.org, linux-audit@redhat.com, netdev@vger.kernel.org
Subject: [PATCH v39 10/42] LSM: Use lsmblob in security_current_getsecid
Date: Fri, 15 Dec 2023 14:16:04 -0800
Message-ID: <20231215221636.105680-11-casey@schaufler-ca.com>
X-Mailer: git-send-email 2.43.0
In-Reply-To: <20231215221636.105680-1-casey@schaufler-ca.com>
References: <20231215221636.105680-1-casey@schaufler-ca.com>
X-Mailing-List: linux-security-module@vger.kernel.org

Change the security_current_getsecid_subj() and security_task_getsecid_obj() interfaces to fill in a lsmblob structure instead of a u32 secid in support of LSM stacking. Audit interfaces will need to collect all possible security data for possible reporting.

Reviewed-by: Kees Cook
Reviewed-by: John Johansen
Acked-by: Stephen Smalley
Acked-by: Paul Moore
Signed-off-by: Casey Schaufler
Cc: linux-integrity@vger.kernel.org
Cc: linux-audit@redhat.com
Cc: netdev@vger.kernel.org
---
 include/linux/lsm_hook_defs.h | 6 +--
 include/linux/security.h | 13 +++---
 kernel/audit.c | 11 +++--
 kernel/auditfilter.c | 3 +-
 kernel/auditsc.c | 22 ++++++----
 net/netlabel/netlabel_unlabeled.c | 5 ++-
 net/netlabel/netlabel_user.h | 6 ++-
 security/apparmor/lsm.c | 20 ++++++---
 security/integrity/ima/ima.h | 6 +--
 security/integrity/ima/ima_api.c | 6 +--
 security/integrity/ima/ima_appraise.c | 6 +--
 security/integrity/ima/ima_main.c | 59 ++++++++++++++-------------
 security/integrity/ima/ima_policy.c | 14 +++----
 security/security.c | 28 ++++++-------
 security/selinux/hooks.c | 17 +++++---
 security/smack/smack_lsm.c | 23 +++++++----
 16 files changed, 138 insertions(+), 107 deletions(-)

diff --git a/include/linux/lsm_hook_defs.h b/include/linux/lsm_hook_defs.h
index d69332031270..2db7320a1e05 100644
--- a/include/linux/lsm_hook_defs.h
+++ b/include/linux/lsm_hook_defs.h
@@ -213,9 +213,9 @@ LSM_HOOK(int, 0, task_fix_setgroups, struct cred *new, const struct cred * old) LSM_HOOK(int, 0, task_setpgid, struct task_struct *p, pid_t pgid) LSM_HOOK(int, 0, task_getpgid, struct task_struct *p) LSM_HOOK(int, 0, task_getsid, struct task_struct *p) -LSM_HOOK(void, LSM_RET_VOID, current_getsecid_subj, u32 *secid) -LSM_HOOK(void, LSM_RET_VOID, task_getsecid_obj, - struct task_struct *p, u32 *secid) +LSM_HOOK(void, LSM_RET_VOID, current_getlsmblob_subj, struct lsmblob *blob) +LSM_HOOK(void, LSM_RET_VOID, task_getlsmblob_obj, + struct task_struct *p, struct lsmblob *blob) LSM_HOOK(int, 0, task_setnice, struct task_struct *p, int nice) LSM_HOOK(int, 0, task_setioprio, struct task_struct *p, int ioprio) LSM_HOOK(int, 0, task_getioprio, struct task_struct *p)
diff --git a/include/linux/security.h b/include/linux/security.h
index 2ca118960234..6306e8ab0cf6 100644
--- a/include/linux/security.h
+++ b/include/linux/security.h
@@ -479,8 +479,8 @@ int security_task_fix_setgroups(struct cred *new, const struct cred *old); int security_task_setpgid(struct task_struct *p, pid_t pgid); int security_task_getpgid(struct task_struct *p); int security_task_getsid(struct task_struct *p); -void security_current_getsecid_subj(u32 *secid); -void security_task_getsecid_obj(struct task_struct *p, u32 *secid); +void security_current_getlsmblob_subj(struct lsmblob *blob); +void security_task_getlsmblob_obj(struct task_struct *p, struct lsmblob *blob); int security_task_setnice(struct task_struct *p, int nice); int security_task_setioprio(struct task_struct *p, int ioprio); int security_task_getioprio(struct task_struct *p); @@ -1227,14 +1227,15 @@ static inline int security_task_getsid(struct task_struct *p) return 0; } -static inline void security_current_getsecid_subj(u32 *secid) +static inline void security_current_getlsmblob_subj(struct lsmblob *blob) { - *secid = 0; + lsmblob_init(blob); } -static inline void security_task_getsecid_obj(struct task_struct *p, u32 *secid) +static inline void security_task_getlsmblob_obj(struct task_struct *p, + struct lsmblob *blob) { - *secid = 0; + lsmblob_init(blob); } static inline int security_task_setnice(struct task_struct *p, int nice) diff --git a/kernel/audit.c b/kernel/audit.c index 875df831fb61..54dfe339e341 100644 --- a/kernel/audit.c +++ b/kernel/audit.c @@ -2164,16 +2164,16 @@ void audit_log_key(struct audit_buffer *ab, char *key) int audit_log_task_context(struct audit_buffer *ab) { + struct lsmblob blob; char *ctx = NULL; unsigned len; int error; - u32 sid; - security_current_getsecid_subj(&sid); - if (!sid) + security_current_getlsmblob_subj(&blob); + if (!lsmblob_is_set(&blob)) return 0; - error = security_secid_to_secctx(sid, &ctx, &len); + error = security_lsmblob_to_secctx(&blob, &ctx, &len); if (error) { if (error != -EINVAL) goto error_path; 
@@ -2390,8 +2390,7 @@ int audit_signal_info(int sig, struct task_struct *t) audit_sig_uid = auid; else audit_sig_uid = uid; - /* stacking scaffolding */ - security_current_getsecid_subj(&audit_sig_lsm.scaffold.secid); + security_current_getlsmblob_subj(&audit_sig_lsm); } return audit_signal_info_syscall(t); diff --git a/kernel/auditfilter.c b/kernel/auditfilter.c index 08dc64bb8496..d0df226bdc51 100644 --- a/kernel/auditfilter.c +++ b/kernel/auditfilter.c @@ -1370,8 +1370,7 @@ int audit_filter(int msgtype, unsigned int listtype) case AUDIT_SUBJ_CLR: if (f->lsm_rule) { /* stacking scaffolding */ - security_current_getsecid_subj( - &blob.scaffold.secid); + security_current_getlsmblob_subj(&blob); result = security_audit_rule_match( &blob, f->type, f->op, f->lsm_rule); diff --git a/kernel/auditsc.c b/kernel/auditsc.c index 89d490db0494..7afeae468745 100644 --- a/kernel/auditsc.c +++ b/kernel/auditsc.c @@ -470,7 +470,6 @@ static int audit_filter_rules(struct task_struct *tsk, { const struct cred *cred; int i, need_sid = 1; - u32 sid; struct lsmblob blob = { }; unsigned int sessionid; @@ -675,15 +674,14 @@ static int audit_filter_rules(struct task_struct *tsk, * fork()/copy_process() in which case * the new @tsk creds are still a dup * of @current's creds so we can still - * use security_current_getsecid_subj() + * use + * security_current_getlsmblob_subj() * here even though it always refs * @current's creds */ - security_current_getsecid_subj(&sid); + security_current_getlsmblob_subj(&blob); need_sid = 0; } - /* stacking scaffolding */ - blob.scaffold.secid = sid; result = security_audit_rule_match(&blob, f->type, f->op, 
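Review bot: in the kernel/auditfilter.c hunk (@@ -1370,8 +1370,7 @@) the unchanged context line `/* stacking scaffolding */` is left standing directly above the new `security_current_getlsmblob_subj(&blob);`, but that call no longer touches `blob.scaffold.secid`, so the comment is now stale and should be deleted in this hunk. In the kernel/auditsc.c hunks (@@ -470,7 +470,6 @@ and @@ -675,15 +674,14 @@) `u32 sid` is removed yet the `need_sid` flag keeps its name; since the thing being fetched lazily is now the whole blob, rename it (e.g. `need_blob`) so the audit_filter_rules() logic stays self-describing.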
@@ -2730,12 +2728,15 @@ int __audit_sockaddr(int len, void *a) void __audit_ptrace(struct task_struct *t) { struct audit_context *context = audit_context(); + struct lsmblob blob; context->target_pid = task_tgid_nr(t); context->target_auid = audit_get_loginuid(t); context->target_uid = task_uid(t); context->target_sessionid = audit_get_sessionid(t); - security_task_getsecid_obj(t, &context->target_sid); + security_task_getlsmblob_obj(t, &blob); + /* stacking scaffolding */ + context->target_sid = blob.scaffold.secid; memcpy(context->target_comm, t->comm, TASK_COMM_LEN); } @@ -2751,6 +2752,7 @@ int audit_signal_info_syscall(struct task_struct *t) struct audit_aux_data_pids *axp; struct audit_context *ctx = audit_context(); kuid_t t_uid = task_uid(t); + struct lsmblob blob; if (!audit_signals || audit_dummy_context()) return 0; @@ -2762,7 +2764,9 @@ int audit_signal_info_syscall(struct task_struct *t) ctx->target_auid = audit_get_loginuid(t); ctx->target_uid = t_uid; ctx->target_sessionid = audit_get_sessionid(t); - security_task_getsecid_obj(t, &ctx->target_sid); + security_task_getlsmblob_obj(t, &blob); + /* stacking scaffolding */ + ctx->target_sid = blob.scaffold.secid; memcpy(ctx->target_comm, t->comm, TASK_COMM_LEN); return 0; } @@ -2783,7 +2787,9 @@ int audit_signal_info_syscall(struct task_struct *t) axp->target_auid[axp->pid_count] = audit_get_loginuid(t); axp->target_uid[axp->pid_count] = t_uid; axp->target_sessionid[axp->pid_count] = audit_get_sessionid(t); - security_task_getsecid_obj(t, &axp->target_sid[axp->pid_count]); + security_task_getlsmblob_obj(t, &blob); + /* stacking scaffolding */ + axp->target_sid[axp->pid_count] = blob.scaffold.secid; memcpy(axp->target_comm[axp->pid_count], t->comm, TASK_COMM_LEN); axp->pid_count++; diff --git a/net/netlabel/netlabel_unlabeled.c b/net/netlabel/netlabel_unlabeled.c index 9996883bf2b7..129d71c147f1 100644 --- a/net/netlabel/netlabel_unlabeled.c +++ b/net/netlabel/netlabel_unlabeled.c 
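Review bot: the three kernel/auditsc.c hunks for __audit_ptrace() and audit_signal_info_syscall() (@@ -2730,12 +2728,15 @@, @@ -2751,6 +2752,7 @@ with @@ -2762,7 +2764,9 @@, and @@ -2783,7 +2787,9 @@) each fill a stack lsmblob and immediately collapse it to `blob.scaffold.secid` stored into a u32 `target_sid`, so whatever a second LSM placed in the blob is discarded here. The commit message says the interfaces now fill a lsmblob "in support of LSM stacking" but does not mention that these audit target fields (and the netlabel audit_info.secid sites in the following hunks) stay u32 scaffolding to be converted later; please say so, both for reviewers bisecting the series and for whoever converts `target_sid`. If these sites are not replaced within the next few patches, a small static inline that returns the scaffold secid for a task would avoid repeating the same three-line pattern three times in one file.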
@@ -1534,11 +1534,14 @@ int __init netlbl_unlabel_defconf(void) int ret_val; struct netlbl_dom_map *entry; struct netlbl_audit audit_info; + struct lsmblob blob; /* Only the kernel is allowed to call this function and the only time * it is called is at bootup before the audit subsystem is reporting * messages so don't worry to much about these values. */ - security_current_getsecid_subj(&audit_info.secid); + security_current_getlsmblob_subj(&blob); + /* stacking scaffolding */ + audit_info.secid = blob.scaffold.secid; audit_info.loginuid = GLOBAL_ROOT_UID; audit_info.sessionid = 0; diff --git a/net/netlabel/netlabel_user.h b/net/netlabel/netlabel_user.h index d6c5b31eb4eb..c4864fa18a08 100644 --- a/net/netlabel/netlabel_user.h +++ b/net/netlabel/netlabel_user.h @@ -32,7 +32,11 @@ */ static inline void netlbl_netlink_auditinfo(struct netlbl_audit *audit_info) { - security_current_getsecid_subj(&audit_info->secid); + struct lsmblob blob; + + security_current_getlsmblob_subj(&blob); + /* stacking scaffolding */ + audit_info->secid = blob.scaffold.secid; audit_info->loginuid = audit_get_loginuid(current); audit_info->sessionid = audit_get_sessionid(current); } diff --git a/security/apparmor/lsm.c b/security/apparmor/lsm.c index 1b230ade84fc..b5f3beb26d5a 100644 --- a/security/apparmor/lsm.c +++ b/security/apparmor/lsm.c 
@@ -979,17 +979,24 @@ static void apparmor_bprm_committed_creds(const struct linux_binprm *bprm) return; } -static void apparmor_current_getsecid_subj(u32 *secid) +static void apparmor_current_getlsmblob_subj(struct lsmblob *blob) { struct aa_label *label = __begin_current_label_crit_section(); - *secid = label->secid; + + blob->apparmor.label = label; + /* stacking scaffolding */ + blob->scaffold.secid = label->secid; __end_current_label_crit_section(label); } -static void apparmor_task_getsecid_obj(struct task_struct *p, u32 *secid) +static void apparmor_task_getlsmblob_obj(struct task_struct *p, + struct lsmblob *blob) { struct aa_label *label = aa_get_task_label(p); - *secid = label->secid; + + blob->apparmor.label = label; + /* stacking scaffolding */ + blob->scaffold.secid = label->secid; aa_put_label(label); } @@ -1519,8 +1526,9 @@ static struct security_hook_list apparmor_hooks[] __ro_after_init = { LSM_HOOK_INIT(task_free, apparmor_task_free), LSM_HOOK_INIT(task_alloc, apparmor_task_alloc), - LSM_HOOK_INIT(current_getsecid_subj, apparmor_current_getsecid_subj), - LSM_HOOK_INIT(task_getsecid_obj, apparmor_task_getsecid_obj), + LSM_HOOK_INIT(current_getlsmblob_subj, + apparmor_current_getlsmblob_subj), + LSM_HOOK_INIT(task_getlsmblob_obj, apparmor_task_getlsmblob_obj), LSM_HOOK_INIT(task_setrlimit, apparmor_task_setrlimit), LSM_HOOK_INIT(task_kill, apparmor_task_kill), LSM_HOOK_INIT(userns_create, apparmor_userns_create), diff --git a/security/integrity/ima/ima.h b/security/integrity/ima/ima.h index 560d6104de72..53f794b75bf9 100644 --- a/security/integrity/ima/ima.h +++ b/security/integrity/ima/ima.h 
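Review bot: apparmor_task_getlsmblob_obj() (security/apparmor/lsm.c @@ -979,17 +979,24 @@) stores the raw pointer with `blob->apparmor.label = label;` and then drops its reference via aa_put_label(label) before returning, and apparmor_current_getlsmblob_subj() does the same inside a label critical section that it ends before returning. The blob therefore leaves the hook holding an unreferenced `struct aa_label *`. That is safe for every caller in this patch, which either reads `blob.scaffold.secid` at once or passes the blob straight to security_lsmblob_to_secctx() or security_audit_rule_match(), but it means an lsmblob must never be kept beyond the current call (in an audit context, a netlabel audit_info, a rule) unless the storing side takes its own label reference, or the pointer can dangle once the label's last reference is dropped. Please state this lifetime rule in a comment on the hook or at the struct lsmblob definition, since the type invites exactly that kind of storage.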
@@ -256,7 +256,7 @@ static inline void ima_process_queued_keys(void) {} /* LIM API function definitions */ int ima_get_action(struct mnt_idmap *idmap, struct inode *inode, - const struct cred *cred, u32 secid, int mask, + const struct cred *cred, struct lsmblob *blob, int mask, enum ima_hooks func, int *pcr, struct ima_template_desc **template_desc, const char *func_data, unsigned int *allowed_algos); @@ -287,8 +287,8 @@ const char *ima_d_path(const struct path *path, char **pathbuf, char *filename); /* IMA policy related functions */ int ima_match_policy(struct mnt_idmap *idmap, struct inode *inode, - const struct cred *cred, u32 secid, enum ima_hooks func, - int mask, int flags, int *pcr, + const struct cred *cred, struct lsmblob *blob, + enum ima_hooks func, int mask, int flags, int *pcr, struct ima_template_desc **template_desc, const char *func_data, unsigned int *allowed_algos); void ima_init_policy(void); diff --git a/security/integrity/ima/ima_api.c b/security/integrity/ima/ima_api.c index 597ea0c4d72f..f9f74419f5ef 100644 --- a/security/integrity/ima/ima_api.c +++ b/security/integrity/ima/ima_api.c @@ -165,7 +165,7 @@ void ima_add_violation(struct file *file, const unsigned char *filename, * @idmap: idmap of the mount the inode was found from * @inode: pointer to the inode associated with the object being validated * @cred: pointer to credentials structure to validate - * @secid: secid of the task being validated + * @blob: secid(s) of the task being validated * @mask: contains the permission mask (MAY_READ, MAY_WRITE, MAY_EXEC, * MAY_APPEND) * @func: caller identifier @@ -187,7 +187,7 @@ void ima_add_violation(struct file *file, const unsigned char *filename, * */ int ima_get_action(struct mnt_idmap *idmap, struct inode *inode, - const struct cred *cred, u32 secid, int mask, + const struct cred *cred, struct lsmblob *blob, int mask, enum ima_hooks func, int *pcr, struct ima_template_desc **template_desc, const char *func_data, unsigned int *allowed_algos) 
@@ -196,7 +196,7 @@ int ima_get_action(struct mnt_idmap *idmap, struct inode *inode, flags &= ima_policy_flag; - return ima_match_policy(idmap, inode, cred, secid, func, mask, + return ima_match_policy(idmap, inode, cred, blob, func, mask, flags, pcr, template_desc, func_data, allowed_algos); } diff --git a/security/integrity/ima/ima_appraise.c b/security/integrity/ima/ima_appraise.c index 870dde67707b..41cf92d15972 100644 --- a/security/integrity/ima/ima_appraise.c +++ b/security/integrity/ima/ima_appraise.c @@ -73,13 +73,13 @@ bool is_ima_appraise_enabled(void) int ima_must_appraise(struct mnt_idmap *idmap, struct inode *inode, int mask, enum ima_hooks func) { - u32 secid; + struct lsmblob blob; if (!ima_appraise) return 0; - security_current_getsecid_subj(&secid); - return ima_match_policy(idmap, inode, current_cred(), secid, + security_current_getlsmblob_subj(&blob); + return ima_match_policy(idmap, inode, current_cred(), &blob, func, mask, IMA_APPRAISE | IMA_HASH, NULL, NULL, NULL, NULL); } diff --git a/security/integrity/ima/ima_main.c b/security/integrity/ima/ima_main.c index cc1217ac2c6f..657143fe558d 100644 --- a/security/integrity/ima/ima_main.c +++ b/security/integrity/ima/ima_main.c @@ -205,8 +205,8 @@ void ima_file_free(struct file *file) } static int process_measurement(struct file *file, const struct cred *cred, - u32 secid, char *buf, loff_t size, int mask, - enum ima_hooks func) + struct lsmblob *blob, char *buf, loff_t size, + int mask, enum ima_hooks func) { struct inode *backing_inode, *inode = file_inode(file); struct integrity_iint_cache *iint = NULL; 
@@ -230,7 +230,7 @@ static int process_measurement(struct file *file, const struct cred *cred, * bitmask based on the appraise/audit/measurement policy. * Included is the appraise submask. */ - action = ima_get_action(file_mnt_idmap(file), inode, cred, secid, + action = ima_get_action(file_mnt_idmap(file), inode, cred, blob, mask, func, &pcr, &template_desc, NULL, &allowed_algos); violation_check = ((func == FILE_CHECK || func == MMAP_CHECK || @@ -430,23 +430,23 @@ static int process_measurement(struct file *file, const struct cred *cred, int ima_file_mmap(struct file *file, unsigned long reqprot, unsigned long prot, unsigned long flags) { - u32 secid; + struct lsmblob blob; int ret; if (!file) return 0; - security_current_getsecid_subj(&secid); + security_current_getlsmblob_subj(&blob); if (reqprot & PROT_EXEC) { - ret = process_measurement(file, current_cred(), secid, NULL, + ret = process_measurement(file, current_cred(), &blob, NULL, 0, MAY_EXEC, MMAP_CHECK_REQPROT); if (ret) return ret; } if (prot & PROT_EXEC) - return process_measurement(file, current_cred(), secid, NULL, + return process_measurement(file, current_cred(), &blob, NULL, 0, MAY_EXEC, MMAP_CHECK); return 0; @@ -473,9 +473,9 @@ int ima_file_mprotect(struct vm_area_struct *vma, unsigned long prot) char *pathbuf = NULL; const char *pathname = NULL; struct inode *inode; + struct lsmblob blob; int result = 0; int action; - u32 secid; int pcr; /* Is mprotect making an mmap'ed file executable? */ 
@@ -483,13 +483,13 @@ int ima_file_mprotect(struct vm_area_struct *vma, unsigned long prot) !(prot & PROT_EXEC) || (vma->vm_flags & VM_EXEC)) return 0; - security_current_getsecid_subj(&secid); + security_current_getlsmblob_subj(&blob); inode = file_inode(vma->vm_file); action = ima_get_action(file_mnt_idmap(vma->vm_file), inode, - current_cred(), secid, MAY_EXEC, MMAP_CHECK, + current_cred(), &blob, MAY_EXEC, MMAP_CHECK, &pcr, &template, NULL, NULL); action |= ima_get_action(file_mnt_idmap(vma->vm_file), inode, - current_cred(), secid, MAY_EXEC, + current_cred(), &blob, MAY_EXEC, MMAP_CHECK_REQPROT, &pcr, &template, NULL, NULL); @@ -527,15 +527,18 @@ int ima_bprm_check(struct linux_binprm *bprm) { int ret; u32 secid; + struct lsmblob blob = { }; - security_current_getsecid_subj(&secid); - ret = process_measurement(bprm->file, current_cred(), secid, NULL, 0, - MAY_EXEC, BPRM_CHECK); + security_current_getlsmblob_subj(&blob); + ret = process_measurement(bprm->file, current_cred(), + &blob, NULL, 0, MAY_EXEC, BPRM_CHECK); if (ret) return ret; security_cred_getsecid(bprm->cred, &secid); - return process_measurement(bprm->file, bprm->cred, secid, NULL, 0, + /* stacking scaffolding */ + blob.scaffold.secid = secid; + return process_measurement(bprm->file, bprm->cred, &blob, NULL, 0, MAY_EXEC, CREDS_CHECK); } @@ -551,10 +554,10 @@ int ima_bprm_check(struct linux_binprm *bprm) */ int ima_file_check(struct file *file, int mask) { - u32 secid; + struct lsmblob blob; - security_current_getsecid_subj(&secid); - return process_measurement(file, current_cred(), secid, NULL, 0, + security_current_getlsmblob_subj(&blob); + return process_measurement(file, current_cred(), &blob, NULL, 0, mask & (MAY_READ | MAY_WRITE | MAY_EXEC | MAY_APPEND), FILE_CHECK); } @@ -755,7 +758,7 @@ int ima_read_file(struct file *file, enum kernel_read_file_id read_id, bool contents) { enum ima_hooks func; - u32 secid; + struct lsmblob blob; /* * Do devices using pre-allocated memory run the risk of the 
@@ -775,9 +778,9 @@ int ima_read_file(struct file *file, enum kernel_read_file_id read_id, /* Read entire file for all partial reads. */ func = read_idmap[read_id] ?: FILE_CHECK; - security_current_getsecid_subj(&secid); - return process_measurement(file, current_cred(), secid, NULL, - 0, MAY_READ, func); + security_current_getlsmblob_subj(&blob); + return process_measurement(file, current_cred(), &blob, NULL, 0, + MAY_READ, func); } const int read_idmap[READING_MAX_ID] = { @@ -805,7 +808,7 @@ int ima_post_read_file(struct file *file, void *buf, loff_t size, enum kernel_read_file_id read_id) { enum ima_hooks func; - u32 secid; + struct lsmblob blob; /* permit signed certs */ if (!file && read_id == READING_X509_CERTIFICATE) @@ -818,8 +821,8 @@ int ima_post_read_file(struct file *file, void *buf, loff_t size, } func = read_idmap[read_id] ?: FILE_CHECK; - security_current_getsecid_subj(&secid); - return process_measurement(file, current_cred(), secid, buf, size, + security_current_getlsmblob_subj(&blob); + return process_measurement(file, current_cred(), &blob, buf, size, MAY_READ, func); } @@ -945,7 +948,7 @@ int process_buffer_measurement(struct mnt_idmap *idmap, int digest_hash_len = hash_digest_size[ima_hash_algo]; int violation = 0; int action = 0; - u32 secid; + struct lsmblob blob; if (digest && digest_len < digest_hash_len) return -EINVAL; @@ -968,9 +971,9 @@ int process_buffer_measurement(struct mnt_idmap *idmap, * buffer measurements. */ if (func) { - security_current_getsecid_subj(&secid); + security_current_getlsmblob_subj(&blob); action = ima_get_action(idmap, inode, current_cred(), - secid, 0, func, &pcr, &template, + &blob, 0, func, &pcr, &template, func_data, NULL); if (!(action & IMA_MEASURE) && !digest) return -ENOENT; diff --git a/security/integrity/ima/ima_policy.c b/security/integrity/ima/ima_policy.c index d24205aa1beb..48287b75fe77 100644 --- a/security/integrity/ima/ima_policy.c +++ b/security/integrity/ima/ima_policy.c 
@@ -579,7 +579,7 @@ static bool ima_match_rule_data(struct ima_rule_entry *rule, * @idmap: idmap of the mount the inode was found from * @inode: a pointer to an inode * @cred: a pointer to a credentials structure for user validation - * @secid: the secid of the task to be validated + * @blob: the secid(s) of the task to be validated * @func: LIM hook identifier * @mask: requested action (MAY_READ | MAY_WRITE | MAY_APPEND | MAY_EXEC) * @func_data: func specific data, may be NULL @@ -589,7 +589,7 @@ static bool ima_match_rule_data(struct ima_rule_entry *rule, static bool ima_match_rules(struct ima_rule_entry *rule, struct mnt_idmap *idmap, struct inode *inode, const struct cred *cred, - u32 secid, enum ima_hooks func, int mask, + struct lsmblob *blob, enum ima_hooks func, int mask, const char *func_data) { int i; @@ -681,8 +681,6 @@ static bool ima_match_rules(struct ima_rule_entry *rule, case LSM_SUBJ_USER: case LSM_SUBJ_ROLE: case LSM_SUBJ_TYPE: - /* stacking scaffolding */ - blob.scaffold.secid = secid; rc = ima_filter_rule_match(&blob, lsm_rule->lsm[i].type, Audit_equal, lsm_rule->lsm[i].rule, @@ -748,7 +746,7 @@ static int get_subaction(struct ima_rule_entry *rule, enum ima_hooks func) * @inode: pointer to an inode for which the policy decision is being made * @cred: pointer to a credentials structure for which the policy decision is * being made - * @secid: LSM secid of the task to be validated + * @blob: LSM secid(s) of the task to be validated * @func: IMA hook identifier * @mask: requested action (MAY_READ | MAY_WRITE | MAY_APPEND | MAY_EXEC) * @flags: IMA actions to consider (e.g. IMA_MEASURE | IMA_APPRAISE) 
@@ -765,8 +763,8 @@ static int get_subaction(struct ima_rule_entry *rule, enum ima_hooks func) * than writes so ima_match_policy() is classical RCU candidate. */ int ima_match_policy(struct mnt_idmap *idmap, struct inode *inode, - const struct cred *cred, u32 secid, enum ima_hooks func, - int mask, int flags, int *pcr, + const struct cred *cred, struct lsmblob *blob, + enum ima_hooks func, int mask, int flags, int *pcr, struct ima_template_desc **template_desc, const char *func_data, unsigned int *allowed_algos) { @@ -784,7 +782,7 @@ int ima_match_policy(struct mnt_idmap *idmap, struct inode *inode, if (!(entry->action & actmask)) continue; - if (!ima_match_rules(entry, idmap, inode, cred, secid, + if (!ima_match_rules(entry, idmap, inode, cred, blob, func, mask, func_data)) continue; diff --git a/security/security.c b/security/security.c index b82245d55f66..58387e1f0c04 100644 --- a/security/security.c +++ b/security/security.c 
@@ -3357,33 +3357,33 @@ int security_task_getsid(struct task_struct *p) } /** - * security_current_getsecid_subj() - Get the current task's subjective secid - * @secid: secid value + * security_current_getlsmblob_subj() - Current task's subjective LSM data + * @blob: lsm specific information * * Retrieve the subjective security identifier of the current task and return - * it in @secid. In case of failure, @secid will be set to zero. + * it in @blob. */ -void security_current_getsecid_subj(u32 *secid) +void security_current_getlsmblob_subj(struct lsmblob *blob) { - *secid = 0; - call_void_hook(current_getsecid_subj, secid); + lsmblob_init(blob); + call_void_hook(current_getlsmblob_subj, blob); } -EXPORT_SYMBOL(security_current_getsecid_subj); +EXPORT_SYMBOL(security_current_getlsmblob_subj); /** - * security_task_getsecid_obj() - Get a task's objective secid + * security_task_getlsmblob_obj() - Get a task's objective LSM data * @p: target task - * @secid: secid value + * @blob: lsm specific information * * Retrieve the objective security identifier of the task_struct in @p and - * return it in @secid. In case of failure, @secid will be set to zero. + * return it in @blob. */ -void security_task_getsecid_obj(struct task_struct *p, u32 *secid) +void security_task_getlsmblob_obj(struct task_struct *p, struct lsmblob *blob) { - *secid = 0; - call_void_hook(task_getsecid_obj, p, secid); + lsmblob_init(blob); + call_void_hook(task_getlsmblob_obj, p, blob); } -EXPORT_SYMBOL(security_task_getsecid_obj); +EXPORT_SYMBOL(security_task_getlsmblob_obj); /** * security_task_setnice() - Check if setting a task's nice value is allowed diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c index f15991ef6ca8..d70000363b7a 100644 --- a/security/selinux/hooks.c +++ b/security/selinux/hooks.c 
@@ -4124,14 +4124,19 @@ static int selinux_task_getsid(struct task_struct *p) PROCESS__GETSESSION, NULL); } -static void selinux_current_getsecid_subj(u32 *secid) +static void selinux_current_getlsmblob_subj(struct lsmblob *blob) { - *secid = current_sid(); + blob->selinux.secid = current_sid(); + /* stacking scaffolding */ + blob->scaffold.secid = blob->selinux.secid; } -static void selinux_task_getsecid_obj(struct task_struct *p, u32 *secid) +static void selinux_task_getlsmblob_obj(struct task_struct *p, + struct lsmblob *blob) { - *secid = task_sid_obj(p); + blob->selinux.secid = task_sid_obj(p); + /* stacking scaffolding */ + blob->scaffold.secid = blob->selinux.secid; } static int selinux_task_setnice(struct task_struct *p, int nice) @@ -7153,8 +7158,8 @@ static struct security_hook_list selinux_hooks[] __ro_after_init = { LSM_HOOK_INIT(task_setpgid, selinux_task_setpgid), LSM_HOOK_INIT(task_getpgid, selinux_task_getpgid), LSM_HOOK_INIT(task_getsid, selinux_task_getsid), - LSM_HOOK_INIT(current_getsecid_subj, selinux_current_getsecid_subj), - LSM_HOOK_INIT(task_getsecid_obj, selinux_task_getsecid_obj), + LSM_HOOK_INIT(current_getlsmblob_subj, selinux_current_getlsmblob_subj), + LSM_HOOK_INIT(task_getlsmblob_obj, selinux_task_getlsmblob_obj), LSM_HOOK_INIT(task_setnice, selinux_task_setnice), LSM_HOOK_INIT(task_setioprio, selinux_task_setioprio), LSM_HOOK_INIT(task_getioprio, selinux_task_getioprio), diff --git a/security/smack/smack_lsm.c b/security/smack/smack_lsm.c index b00f4f44f9c5..46cc79eb1200 100644 --- a/security/smack/smack_lsm.c +++ b/security/smack/smack_lsm.c 
@@ -2210,30 +2210,35 @@ static int smack_task_getsid(struct task_struct *p) } /** - * smack_current_getsecid_subj - get the subjective secid of the current task - * @secid: where to put the result + * smack_current_getlsmblob_subj - get the subjective secid of the current task + * @blob: where to put the result * * Sets the secid to contain a u32 version of the task's subjective smack label. */ -static void smack_current_getsecid_subj(u32 *secid) +static void smack_current_getlsmblob_subj(struct lsmblob *blob) { struct smack_known *skp = smk_of_current(); - *secid = skp->smk_secid; + blob->smack.skp = skp; + /* stacking scaffolding */ + blob->scaffold.secid = skp->smk_secid; } /** - * smack_task_getsecid_obj - get the objective secid of the task + * smack_task_getlsmblob_obj - get the objective data of the task * @p: the task * @secid: where to put the result * * Sets the secid to contain a u32 version of the task's objective smack label. */ -static void smack_task_getsecid_obj(struct task_struct *p, u32 *secid) +static void smack_task_getlsmblob_obj(struct task_struct *p, + struct lsmblob *blob) { struct smack_known *skp = smk_of_task_struct_obj(p); - *secid = skp->smk_secid; + blob->smack.skp = skp; + /* stacking scaffolding */ + blob->scaffold.secid = skp->smk_secid; } /** 
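Review bot: the kernel-doc in the smack_lsm.c hunk at @@ -2210 is only half updated: smack_task_getlsmblob_obj() now takes `struct lsmblob *blob`, but its comment block still reads `@secid: where to put the result`, and both descriptions still say the function "Sets the secid to contain a u32 version of the task's ... smack label" although the hooks now store `blob->smack.skp` and keep the u32 only in `blob->scaffold.secid`. Change the parameter line to `@blob: where to put the result`, as was already done for smack_current_getlsmblob_subj() a few lines above, and reword both descriptions to say the blob receives the task's smack_known, with the secid kept in the stacking scaffold.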
@@ -5100,8 +5105,8 @@ static struct security_hook_list smack_hooks[] __ro_after_init = { LSM_HOOK_INIT(task_setpgid, smack_task_setpgid), LSM_HOOK_INIT(task_getpgid, smack_task_getpgid), LSM_HOOK_INIT(task_getsid, smack_task_getsid), - LSM_HOOK_INIT(current_getsecid_subj, smack_current_getsecid_subj), - LSM_HOOK_INIT(task_getsecid_obj, smack_task_getsecid_obj), + LSM_HOOK_INIT(current_getlsmblob_subj, smack_current_getlsmblob_subj), + LSM_HOOK_INIT(task_getlsmblob_obj, smack_task_getlsmblob_obj), LSM_HOOK_INIT(task_setnice, smack_task_setnice), LSM_HOOK_INIT(task_setioprio, smack_task_setioprio), LSM_HOOK_INIT(task_getioprio, smack_task_getioprio), From patchwork Fri Dec 15 22:16:05 2023 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Casey Schaufler X-Patchwork-Id: 13495128 X-Patchwork-Delegate: paul@paul-moore.com Received: from sonic306-28.consmr.mail.ne1.yahoo.com (sonic306-28.consmr.mail.ne1.yahoo.com [66.163.189.90]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 6DC7013B143 for ; Fri, 15 Dec 2023 22:24:45 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; dmarc=none (p=none dis=none) header.from=schaufler-ca.com Authentication-Results: smtp.subspace.kernel.org; spf=none smtp.mailfrom=schaufler-ca.com Authentication-Results: smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=yahoo.com header.i=@yahoo.com header.b="XgA2Ul+H" DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=yahoo.com; s=s2048; t=1702679085; bh=gM+LsHgIihuJigplOYZBWLpN1B0KNpUXeKsws5Epi88=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From:Subject:Reply-To; 
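Review bot: in the ima_policy.c hunk at @@ -681, the LSM_SUBJ_USER/ROLE/TYPE case drops `blob.scaffold.secid = secid;` but the unchanged context line still calls `ima_filter_rule_match(&blob, ...)`. With the @@ -589 hunk turning the function parameter into `struct lsmblob *blob`, `&blob` is a `struct lsmblob **` unless a local named `blob` still shadows the parameter, and in that case the subject rule never sees the caller's data at all because nothing in this case fills the local any more. The subject case should pass the parameter straight through: `rc = ima_filter_rule_match(blob, lsm_rule->lsm[i].type, Audit_equal, lsm_rule->lsm[i].rule, ...)`.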
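Review bot: in the ima_main.c hunk at @@ -527 (ima_bprm_check), the CREDS_CHECK call reuses the blob that security_current_getlsmblob_subj() filled for the subject and only overwrites `blob.scaffold.secid` with the value from security_cred_getsecid(bprm->cred, &secid). The per-LSM members the hooks in this series set (selinux.secid, smack.skp, apparmor.label) still describe current rather than bprm->cred, so any consumer that reads those members instead of the scaffold is handed the wrong task. Until a cred-based getlsmblob exists, reset the blob before the second process_measurement() call, e.g. `lsmblob_init(&blob); blob.scaffold.secid = secid;`, and keep the `/* stacking scaffolding */` marker so the mixed provenance stays visible.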
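Review bot: in the apparmor lsm.c hunk at @@ -979, both new hooks store a raw `struct aa_label *` in `blob->apparmor.label` and then immediately give up what was protecting it: apparmor_current_getlsmblob_subj() calls __end_current_label_crit_section(label) and apparmor_task_getlsmblob_obj() calls aa_put_label(label) right after the assignment. The secid copied into `blob->scaffold.secid` survives that, but the label pointer handed back to the caller carries no reference, so a consumer that later dereferences blob->apparmor.label is relying on the label outliving the call. Either document above the hooks that the pointer is an identity for comparison only and must not be dereferenced once the function returns, or take a reference and define which caller drops it.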
From: Casey Schaufler To: casey@schaufler-ca.com, paul@paul-moore.com, linux-security-module@vger.kernel.org Cc: jmorris@namei.org, serge@hallyn.com, keescook@chromium.org, john.johansen@canonical.com, penguin-kernel@i-love.sakura.ne.jp, stephen.smalley.work@gmail.com, linux-kernel@vger.kernel.org, mic@digikod.net, linux-integrity@vger.kernel.org, audit@vger.kernel.org Subject: [PATCH v39 11/42] LSM: Use lsmblob in security_inode_getsecid Date: Fri, 15 Dec 2023 14:16:05 -0800 Message-ID: <20231215221636.105680-12-casey@schaufler-ca.com> X-Mailer: git-send-email 2.43.0 In-Reply-To: <20231215221636.105680-1-casey@schaufler-ca.com> References: <20231215221636.105680-1-casey@schaufler-ca.com> Precedence: bulk X-Mailing-List: linux-security-module@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Change the security_inode_getsecid() interface to fill in a lsmblob structure instead of a u32 secid. This allows for its callers to gather data from all registered LSMs. Data is provided for IMA and audit. Change the name to security_inode_getlsmblob(). Reviewed-by: Kees Cook Reviewed-by: John Johansen Acked-by: Stephen Smalley Acked-by: Paul Moore Signed-off-by: Casey Schaufler Cc: linux-integrity@vger.kernel.org Cc: audit@vger.kernel.org --- include/linux/lsm_hook_defs.h | 3 ++- include/linux/security.h | 7 ++++--- kernel/auditsc.c | 6 +++++- security/integrity/ima/ima_policy.c | 3 +-- security/security.c | 11 +++++------ security/selinux/hooks.c | 15 +++++++++------ security/smack/smack_lsm.c | 12 +++++++----- 7 files changed, 33 insertions(+), 24 deletions(-) diff --git a/include/linux/lsm_hook_defs.h b/include/linux/lsm_hook_defs.h index 2db7320a1e05..3c51ee8e3d6c 100644 --- a/include/linux/lsm_hook_defs.h +++ b/include/linux/lsm_hook_defs.h 
@@ -161,7 +161,8 @@ LSM_HOOK(int, -EOPNOTSUPP, inode_setsecurity, struct inode *inode, const char *name, const void *value, size_t size, int flags) LSM_HOOK(int, 0, inode_listsecurity, struct inode *inode, char *buffer, size_t buffer_size) -LSM_HOOK(void, LSM_RET_VOID, inode_getsecid, struct inode *inode, u32 *secid) +LSM_HOOK(void, LSM_RET_VOID, inode_getlsmblob, struct inode *inode, + struct lsmblob *blob) LSM_HOOK(int, 0, inode_copy_up, struct dentry *src, struct cred **new) LSM_HOOK(int, -EOPNOTSUPP, inode_copy_up_xattr, const char *name) LSM_HOOK(int, 0, kernfs_init_security, struct kernfs_node *kn_dir, diff --git a/include/linux/security.h b/include/linux/security.h index 6306e8ab0cf6..e8b7f858de04 100644 --- a/include/linux/security.h +++ b/include/linux/security.h @@ -431,7 +431,7 @@ int security_inode_getsecurity(struct mnt_idmap *idmap, void **buffer, bool alloc); int security_inode_setsecurity(struct inode *inode, const char *name, const void *value, size_t size, int flags); int security_inode_listsecurity(struct inode *inode, char *buffer, size_t buffer_size); -void security_inode_getsecid(struct inode *inode, u32 *secid); +void security_inode_getlsmblob(struct inode *inode, struct lsmblob *blob); int security_inode_copy_up(struct dentry *src, struct cred **new); int security_inode_copy_up_xattr(const char *name); int security_kernfs_init_security(struct kernfs_node *kn_dir, @@ -1020,9 +1020,10 @@ static inline int security_inode_listsecurity(struct inode *inode, char *buffer, return 0; } -static inline void security_inode_getsecid(struct inode *inode, u32 *secid) +static inline void security_inode_getlsmblob(struct inode *inode, + struct lsmblob *blob) { - *secid = 0; + lsmblob_init(blob); } static inline int security_inode_copy_up(struct dentry *src, struct cred **new) diff --git a/kernel/auditsc.c b/kernel/auditsc.c index 7afeae468745..b15e44e56409 100644 --- a/kernel/auditsc.c +++ b/kernel/auditsc.c 
@@ -2276,13 +2276,17 @@ static void audit_copy_inode(struct audit_names *name, const struct dentry *dentry, struct inode *inode, unsigned int flags) { + struct lsmblob blob; + name->ino = inode->i_ino; name->dev = inode->i_sb->s_dev; name->mode = inode->i_mode; name->uid = inode->i_uid; name->gid = inode->i_gid; name->rdev = inode->i_rdev; - security_inode_getsecid(inode, &name->osid); + security_inode_getlsmblob(inode, &blob); + /* stacking scaffolding */ + name->osid = blob.scaffold.secid; if (flags & AUDIT_INODE_NOEVAL) { name->fcap_ver = -1; return; diff --git a/security/integrity/ima/ima_policy.c b/security/integrity/ima/ima_policy.c index 48287b75fe77..8edf7a0ef9f6 100644 --- a/security/integrity/ima/ima_policy.c +++ b/security/integrity/ima/ima_policy.c @@ -671,8 +671,7 @@ static bool ima_match_rules(struct ima_rule_entry *rule, case LSM_OBJ_USER: case LSM_OBJ_ROLE: case LSM_OBJ_TYPE: - /* stacking scaffolding */ - security_inode_getsecid(inode, &blob.scaffold.secid); + security_inode_getlsmblob(inode, &blob); rc = ima_filter_rule_match(&blob, lsm_rule->lsm[i].type, Audit_equal, lsm_rule->lsm[i].rule, diff --git a/security/security.c b/security/security.c index 58387e1f0c04..ed4e9b5fdf70 100644 --- a/security/security.c +++ b/security/security.c 
@@ -2607,16 +2607,15 @@ int security_inode_listsecurity(struct inode *inode, EXPORT_SYMBOL(security_inode_listsecurity); /** - * security_inode_getsecid() - Get an inode's secid + * security_inode_getlsmblob() - Get an inode's LSM data * @inode: inode - * @secid: secid to return + * @blob: lsm specific information to return * - * Get the secid associated with the node. In case of failure, @secid will be - * set to zero. + * Get the lsm specific information associated with the node. */ -void security_inode_getsecid(struct inode *inode, u32 *secid) +void security_inode_getlsmblob(struct inode *inode, struct lsmblob *blob) { - call_void_hook(inode_getsecid, inode, secid); + call_void_hook(inode_getlsmblob, inode, blob); } /** diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c index d70000363b7a..4ab923698da9 100644 --- a/security/selinux/hooks.c +++ b/security/selinux/hooks.c @@ -3496,15 +3496,18 @@ static int selinux_inode_listsecurity(struct inode *inode, char *buffer, size_t return len; } -static void selinux_inode_getsecid(struct inode *inode, u32 *secid) +static void selinux_inode_getlsmblob(struct inode *inode, struct lsmblob *blob) { struct inode_security_struct *isec = inode_security_novalidate(inode); - *secid = isec->sid; + + blob->selinux.secid = isec->sid; + /* stacking scaffolding */ + blob->scaffold.secid = isec->sid; } static int selinux_inode_copy_up(struct dentry *src, struct cred **new) { - u32 sid; + struct lsmblob blob; struct task_security_struct *tsec; struct cred *new_creds = *new; @@ -3516,8 +3519,8 @@ static int selinux_inode_copy_up(struct dentry *src, struct cred **new) tsec = selinux_cred(new_creds); /* Get label from overlay inode and set it in create_sid */ - selinux_inode_getsecid(d_inode(src), &sid); - tsec->create_sid = sid; + selinux_inode_getlsmblob(d_inode(src), &blob); + tsec->create_sid = blob.selinux.secid; *new = new_creds; return 0; } 
@@ -7125,7 +7128,7 @@ static struct security_hook_list selinux_hooks[] __ro_after_init = { LSM_HOOK_INIT(inode_getsecurity, selinux_inode_getsecurity), LSM_HOOK_INIT(inode_setsecurity, selinux_inode_setsecurity), LSM_HOOK_INIT(inode_listsecurity, selinux_inode_listsecurity), - LSM_HOOK_INIT(inode_getsecid, selinux_inode_getsecid), + LSM_HOOK_INIT(inode_getlsmblob, selinux_inode_getlsmblob), LSM_HOOK_INIT(inode_copy_up, selinux_inode_copy_up), LSM_HOOK_INIT(inode_copy_up_xattr, selinux_inode_copy_up_xattr), LSM_HOOK_INIT(path_notify, selinux_path_notify), diff --git a/security/smack/smack_lsm.c b/security/smack/smack_lsm.c index 46cc79eb1200..e6d49e59a0c0 100644 --- a/security/smack/smack_lsm.c +++ b/security/smack/smack_lsm.c @@ -1615,15 +1615,17 @@ static int smack_inode_listsecurity(struct inode *inode, char *buffer, } /** - * smack_inode_getsecid - Extract inode's security id + * smack_inode_getlsmblob - Extract inode's security id * @inode: inode to extract the info from - * @secid: where result will be saved + * @blob: where result will be saved */ -static void smack_inode_getsecid(struct inode *inode, u32 *secid) +static void smack_inode_getlsmblob(struct inode *inode, struct lsmblob *blob) { struct smack_known *skp = smk_of_inode(inode); - *secid = skp->smk_secid; + blob->smack.skp = skp; + /* stacking scaffolding */ + blob->scaffold.secid = skp->smk_secid; } /* 
@@ -5081,7 +5083,7 @@ static struct security_hook_list smack_hooks[] __ro_after_init = { LSM_HOOK_INIT(inode_getsecurity, smack_inode_getsecurity), LSM_HOOK_INIT(inode_setsecurity, smack_inode_setsecurity), LSM_HOOK_INIT(inode_listsecurity, smack_inode_listsecurity), - LSM_HOOK_INIT(inode_getsecid, smack_inode_getsecid), + LSM_HOOK_INIT(inode_getlsmblob, smack_inode_getlsmblob), LSM_HOOK_INIT(file_alloc_security, smack_file_alloc_security), LSM_HOOK_INIT(file_ioctl, smack_file_ioctl), From patchwork Fri Dec 15 22:16:06 2023 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Casey Schaufler X-Patchwork-Id: 13495130 X-Patchwork-Delegate: paul@paul-moore.com Received: from sonic315-27.consmr.mail.ne1.yahoo.com (sonic315-27.consmr.mail.ne1.yahoo.com [66.163.190.153]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 9120018EA2 for ; Fri, 15 Dec 2023 22:26:20 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; dmarc=none (p=none dis=none) header.from=schaufler-ca.com Authentication-Results: smtp.subspace.kernel.org; spf=none smtp.mailfrom=schaufler-ca.com Authentication-Results: smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=yahoo.com header.i=@yahoo.com header.b="lgAPuz89" DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=yahoo.com; s=s2048; t=1702679179; bh=rEz0OJc8nFf9kWkBCfqRtfoAcWA/jm97QnB3Ho7hKzw=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From:Subject:Reply-To; b=lgAPuz89S1/R/+ijaVL4CdZPKAN9+bbK75NMb80OdMRDs6lbBSiAra68+4OHq0ZeVYVs162JRpSVll23PqcN97Xyu075mSW5GgIhcUDtsFpJumns83VwCOkqj3o5E48y/UezGP5WogwlNnoWZf18bexm4vIv9WbvLYWsGVaeB32CcE7WtoJlaxo1CGsD1DPFQhVK0hS8MADFSnjp7vHrK55pIbGFKk4G+0tfe5PGvQUi3dFELMICUFDjc96/qA/W79kRylaveGiw5YXspKA9hHkS/QFGoZcfWDLnt1atezAibFHCvfLb+111/fQfEZHA5zjvd92D3InLIOxyyjnLnQ== X-SONIC-DKIM-SIGN: v=1; a=rsa-sha256; c=relaxed/relaxed; 
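Review bot: in the security.c hunk at @@ -2607, security_inode_getlsmblob() calls call_void_hook(inode_getlsmblob, inode, blob) without first doing `lsmblob_init(blob)`, unlike the !CONFIG_SECURITY stub in the security.h hunk of this patch and the task hooks converted in the previous patch. The caller added in kernel/auditsc.c declares `struct lsmblob blob;` with no initializer and then copies `blob.scaffold.secid` into name->osid, so when no LSM registers the hook the audit record takes an indeterminate secid. Add `lsmblob_init(blob);` before the hook call; that also makes the "set to zero" guarantee the old kernel-doc promised actually hold, instead of silently dropping it from the comment.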
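Review bot: in the ima_policy.c hunk at @@ -671, the LSM_OBJ_USER/ROLE/TYPE case fills a local with security_inode_getlsmblob(inode, &blob) while the previous patch gave ima_match_rules() a `struct lsmblob *blob` parameter for the subject, so the object data is written into a local whose name shadows the subject pointer. That compiles only as long as the shadowing local exists and makes the subject and object cases easy to mix up; rename the local to something like `struct lsmblob inode_blob = { };`, fill it with security_inode_getlsmblob(inode, &inode_blob) and pass `&inode_blob` to ima_filter_rule_match().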
From: Casey Schaufler To: casey@schaufler-ca.com, paul@paul-moore.com, linux-security-module@vger.kernel.org Cc: jmorris@namei.org, serge@hallyn.com, keescook@chromium.org, john.johansen@canonical.com, penguin-kernel@i-love.sakura.ne.jp, stephen.smalley.work@gmail.com, linux-kernel@vger.kernel.org, mic@digikod.net Subject: [PATCH v39 12/42] Audit: use an lsmblob in audit_names Date: Fri, 15 Dec 2023 14:16:06 -0800 Message-ID: <20231215221636.105680-13-casey@schaufler-ca.com> X-Mailer: git-send-email 2.43.0 In-Reply-To: <20231215221636.105680-1-casey@schaufler-ca.com> References: <20231215221636.105680-1-casey@schaufler-ca.com> Precedence: bulk X-Mailing-List: linux-security-module@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Replace the osid field in the audit_names structure with a lsmblob structure. This accommodates the use of an lsmblob in security_audit_rule_match() and security_inode_getsecid(). Signed-off-by: Casey Schaufler --- kernel/audit.h | 2 +- kernel/auditsc.c | 20 +++++--------------- 2 files changed, 6 insertions(+), 16 deletions(-) diff --git a/kernel/audit.h b/kernel/audit.h index b1f2de4d4f1e..6c664aed8f89 100644 --- a/kernel/audit.h +++ b/kernel/audit.h @@ -82,7 +82,7 @@ struct audit_names { kuid_t uid; kgid_t gid; dev_t rdev; - u32 osid; + struct lsmblob oblob; struct audit_cap_data fcap; unsigned int fcap_ver; unsigned char type; /* record type */ diff --git a/kernel/auditsc.c b/kernel/auditsc.c index b15e44e56409..aaea62822505 100644 --- a/kernel/auditsc.c +++ b/kernel/auditsc.c 
@@ -698,19 +698,15 @@ static int audit_filter_rules(struct task_struct *tsk, if (f->lsm_rule) { /* Find files that match */ if (name) { - /* stacking scaffolding */ - blob.scaffold.secid = name->osid; result = security_audit_rule_match( - &blob, + &name->oblob, f->type, f->op, f->lsm_rule); } else if (ctx) { list_for_each_entry(n, &ctx->names_list, list) { - /* stacking scaffolding */ - blob.scaffold.secid = n->osid; if (security_audit_rule_match( - &blob, + &n->oblob, f->type, f->op, f->lsm_rule)) { @@ -1562,13 +1558,11 @@ static void audit_log_name(struct audit_context *context, struct audit_names *n, from_kgid(&init_user_ns, n->gid), MAJOR(n->rdev), MINOR(n->rdev)); - if (n->osid != 0) { + if (lsmblob_is_set(&n->oblob)) { char *ctx = NULL; u32 len; - if (security_secid_to_secctx( - n->osid, &ctx, &len)) { - audit_log_format(ab, " osid=%u", n->osid); + if (security_lsmblob_to_secctx(&n->oblob, &ctx, &len)) { if (call_panic) *call_panic = 2; } else { 
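Review bot: in the audit_log_name() hunk the failure path of the secctx lookup no longer records anything about the object label: the old fallback `audit_log_format(ab, " osid=%u", n->osid);` is removed and only `*call_panic = 2;` remains, so a record for which security_lsmblob_to_secctx() fails gives no indication that a label was present at all. The existing audit_log_pid_context() code elsewhere in kernel/auditsc.c emits `obj=(none)` in the equivalent situation; consider doing the same here, and in any case the commit message should state that the `osid=` field can no longer appear, since userspace parsers may expect it.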
@@ -2276,17 +2270,13 @@ static void audit_copy_inode(struct audit_names *name, const struct dentry *dentry, struct inode *inode, unsigned int flags) { - struct lsmblob blob; - name->ino = inode->i_ino; name->dev = inode->i_sb->s_dev; name->mode = inode->i_mode; name->uid = inode->i_uid; name->gid = inode->i_gid; name->rdev = inode->i_rdev; - security_inode_getlsmblob(inode, &blob); - /* stacking scaffolding */ - name->osid = blob.scaffold.secid; + security_inode_getlsmblob(inode, &name->oblob); if (flags & AUDIT_INODE_NOEVAL) { name->fcap_ver = -1; return;
From patchwork Fri Dec 15 22:16:07 2023
From: Casey Schaufler To: casey@schaufler-ca.com, paul@paul-moore.com, linux-security-module@vger.kernel.org Cc: jmorris@namei.org, serge@hallyn.com, keescook@chromium.org, john.johansen@canonical.com, penguin-kernel@i-love.sakura.ne.jp, stephen.smalley.work@gmail.com, linux-kernel@vger.kernel.org, mic@digikod.net, linux-integrity@vger.kernel.org, audit@vger.kernel.org, Todd Kjos Subject: [PATCH v39 13/42] LSM: Create new security_cred_getlsmblob LSM hook Date: Fri, 15 Dec 2023 14:16:07 -0800 Message-ID: <20231215221636.105680-14-casey@schaufler-ca.com> X-Mailer: git-send-email 2.43.0 In-Reply-To: <20231215221636.105680-1-casey@schaufler-ca.com> References: <20231215221636.105680-1-casey@schaufler-ca.com> Precedence: bulk X-Mailing-List: linux-security-module@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Create a new LSM hook security_cred_getlsmblob() which, like security_cred_getsecid(), fetches LSM specific attributes from the cred structure. The associated data elements in the audit sub-system are changed from a secid to a lsmblob to accommodate multiple possible LSM audit users. Reviewed-by: Kees Cook Reviewed-by: John Johansen Acked-by: Stephen Smalley Acked-by: Paul Moore Signed-off-by: Casey Schaufler Cc: linux-integrity@vger.kernel.org Cc: audit@vger.kernel.org Cc: Todd Kjos --- include/linux/lsm_hook_defs.h | 2 ++ include/linux/security.h | 7 +++++++ security/integrity/ima/ima_main.c | 7 ++----- security/security.c | 15 +++++++++++++++ security/selinux/hooks.c | 8 ++++++++ security/smack/smack_lsm.c | 18 ++++++++++++++++++ 6 files changed, 52 insertions(+), 5 deletions(-) diff --git a/include/linux/lsm_hook_defs.h b/include/linux/lsm_hook_defs.h index 3c51ee8e3d6c..fe9c1d89dc66 100644 --- a/include/linux/lsm_hook_defs.h +++ b/include/linux/lsm_hook_defs.h 
@@ -196,6 +196,8 @@ LSM_HOOK(int, 0, cred_prepare, struct cred *new, const struct cred *old, LSM_HOOK(void, LSM_RET_VOID, cred_transfer, struct cred *new, const struct cred *old) LSM_HOOK(void, LSM_RET_VOID, cred_getsecid, const struct cred *c, u32 *secid) +LSM_HOOK(void, LSM_RET_VOID, cred_getlsmblob, const struct cred *c, + struct lsmblob *blob) LSM_HOOK(int, 0, kernel_act_as, struct cred *new, u32 secid) LSM_HOOK(int, 0, kernel_create_files_as, struct cred *new, struct inode *inode) LSM_HOOK(int, 0, kernel_module_request, char *kmod_name) diff --git a/include/linux/security.h b/include/linux/security.h index e8b7f858de04..67ecf8588c90 100644 --- a/include/linux/security.h +++ b/include/linux/security.h @@ -460,6 +460,7 @@ void security_cred_free(struct cred *cred); int security_prepare_creds(struct cred *new, const struct cred *old, gfp_t gfp); void security_transfer_creds(struct cred *new, const struct cred *old); void security_cred_getsecid(const struct cred *c, u32 *secid); +void security_cred_getlsmblob(const struct cred *c, struct lsmblob *blob); int security_kernel_act_as(struct cred *new, u32 secid); int security_kernel_create_files_as(struct cred *new, struct inode *inode); int security_kernel_module_request(char *kmod_name); @@ -1151,6 +1152,12 @@ static inline void security_cred_getsecid(const struct cred *c, u32 *secid) *secid = 0; } +static inline void security_cred_getlsmblob(const struct cred *c, + struct lsmblob *blob) +{ + *secid = 0; +} + static inline int security_kernel_act_as(struct cred *cred, u32 secid) { return 0; diff --git a/security/integrity/ima/ima_main.c b/security/integrity/ima/ima_main.c index 657143fe558d..c69eb9665cc1 100644 --- a/security/integrity/ima/ima_main.c +++ b/security/integrity/ima/ima_main.c 
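Review bot: the !CONFIG_SECURITY stub added to include/linux/security.h does not compile: `static inline void security_cred_getlsmblob(const struct cred *c, struct lsmblob *blob)` has no `secid` parameter, yet its body is `*secid = 0;` (copied from the security_cred_getsecid() stub directly above it). Since this is the CONFIG_SECURITY=n path it will be missed by the usual builds; the body should clear the blob instead, for example `lsmblob_init(blob);`, matching what the real security_cred_getlsmblob() in security/security.c does before calling the hook.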
@@ -526,8 +526,7 @@ int ima_file_mprotect(struct vm_area_struct *vma, unsigned long prot) int ima_bprm_check(struct linux_binprm *bprm) { int ret; - u32 secid; - struct lsmblob blob = { }; + struct lsmblob blob; security_current_getlsmblob_subj(&blob); ret = process_measurement(bprm->file, current_cred(), @@ -535,9 +534,7 @@ int ima_bprm_check(struct linux_binprm *bprm) if (ret) return ret; - security_cred_getsecid(bprm->cred, &secid); - /* stacking scaffolding */ - blob.scaffold.secid = secid; + security_cred_getlsmblob(bprm->cred, &blob); return process_measurement(bprm->file, bprm->cred, &blob, NULL, 0, MAY_EXEC, CREDS_CHECK); } diff --git a/security/security.c b/security/security.c index ed4e9b5fdf70..1cbd45310f63 100644 --- a/security/security.c +++ b/security/security.c @@ -3111,6 +3111,21 @@ void security_cred_getsecid(const struct cred *c, u32 *secid) } EXPORT_SYMBOL(security_cred_getsecid); +/** + * security_cred_getlsmblob() - Get the LSM data from a set of credentials + * @c: credentials + * @blob: destination for the LSM data + * + * Retrieve the security data of the cred structure @c. In case of + * failure, @blob will be cleared. + */ +void security_cred_getlsmblob(const struct cred *c, struct lsmblob *blob) +{ + lsmblob_init(blob); + call_void_hook(cred_getlsmblob, c, blob); +} +EXPORT_SYMBOL(security_cred_getlsmblob); + /** * security_kernel_act_as() - Set the kernel credentials to act as secid * @new: credentials diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c index 4ab923698da9..1bc28f5f6870 100644 --- a/security/selinux/hooks.c +++ b/security/selinux/hooks.c 
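Review bot: the kernel-doc for security_cred_getlsmblob() in security/security.c says "In case of failure, @blob will be cleared", but the function has no failure path: it calls lsmblob_init(blob) unconditionally and then call_void_hook(), which cannot return an error. Reword to say the blob is initialised before the hooks run, so any field that no LSM fills in stays clear; that is also what the ima_bprm_check() hunk relies on when it drops the `= { }` initialiser from `struct lsmblob blob`.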
@@ -3992,6 +3992,13 @@ static void selinux_cred_getsecid(const struct cred *c, u32 *secid) *secid = cred_sid(c); } +static void selinux_cred_getlsmblob(const struct cred *c, struct lsmblob *blob) +{ + blob->selinux.secid = cred_sid(c); + /* stacking scaffolding */ + blob->scaffold.secid = blob->selinux.secid; +} + /* * set the security data for a kernel service * - all the creation contexts are set to unlabelled @@ -7153,6 +7160,7 @@ static struct security_hook_list selinux_hooks[] __ro_after_init = { LSM_HOOK_INIT(cred_prepare, selinux_cred_prepare), LSM_HOOK_INIT(cred_transfer, selinux_cred_transfer), LSM_HOOK_INIT(cred_getsecid, selinux_cred_getsecid), + LSM_HOOK_INIT(cred_getlsmblob, selinux_cred_getlsmblob), LSM_HOOK_INIT(kernel_act_as, selinux_kernel_act_as), LSM_HOOK_INIT(kernel_create_files_as, selinux_kernel_create_files_as), LSM_HOOK_INIT(kernel_module_request, selinux_kernel_module_request), diff --git a/security/smack/smack_lsm.c b/security/smack/smack_lsm.c index e6d49e59a0c0..7dab00bbd0ed 100644 --- a/security/smack/smack_lsm.c +++ b/security/smack/smack_lsm.c @@ -2121,6 +2121,23 @@ static void smack_cred_getsecid(const struct cred *cred, u32 *secid) rcu_read_unlock(); } +/** + * smack_cred_getlsmblob - get the Smack label for a creds structure + * @cred: the object creds + * @blob: where to put the data + * + * Sets the Smack part of the blob + */ +static void smack_cred_getlsmblob(const struct cred *cred, + struct lsmblob *blob) +{ + rcu_read_lock(); + blob->smack.skp = smk_of_task(smack_cred(cred)); + /* stacking scaffolding */ + blob->scaffold.secid = blob->smack.skp->smk_secid; + rcu_read_unlock(); +} + /** * smack_kernel_act_as - Set the subjective context in a set of credentials * @new: points to the set of credentials to be modified. 
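Review bot: smack_cred_getlsmblob() stores the pointer returned by smk_of_task(smack_cred(cred)) into blob->smack.skp and then calls rcu_read_unlock(), so, unlike smack_cred_getsecid() just above it, which copies a scalar out under the lock, the value handed to callers is a pointer used after the read-side critical section ends. A comment explaining why that pointer stays valid after the unlock would save every reviewer of the callers the same question. The summary "Sets the Smack part of the blob" also understates the function, since it sets scaffold.secid as well.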
@@ -5102,6 +5119,7 @@ static struct security_hook_list smack_hooks[] __ro_after_init = { LSM_HOOK_INIT(cred_prepare, smack_cred_prepare), LSM_HOOK_INIT(cred_transfer, smack_cred_transfer), LSM_HOOK_INIT(cred_getsecid, smack_cred_getsecid), + LSM_HOOK_INIT(cred_getlsmblob, smack_cred_getlsmblob), LSM_HOOK_INIT(kernel_act_as, smack_kernel_act_as), LSM_HOOK_INIT(kernel_create_files_as, smack_kernel_create_files_as), LSM_HOOK_INIT(task_setpgid, smack_task_setpgid),
From patchwork Fri Dec 15 22:16:08 2023
From: Casey Schaufler To: casey@schaufler-ca.com, paul@paul-moore.com, linux-security-module@vger.kernel.org Cc: jmorris@namei.org, serge@hallyn.com, keescook@chromium.org, john.johansen@canonical.com, penguin-kernel@i-love.sakura.ne.jp, stephen.smalley.work@gmail.com, linux-kernel@vger.kernel.org, mic@digikod.net Subject: [PATCH v39 14/42] Audit: Change context data from secid to lsmblob Date: Fri, 15 Dec 2023 14:16:08 -0800 Message-ID: <20231215221636.105680-15-casey@schaufler-ca.com> X-Mailer: git-send-email 2.43.0 In-Reply-To: <20231215221636.105680-1-casey@schaufler-ca.com> References: <20231215221636.105680-1-casey@schaufler-ca.com> Precedence: bulk X-Mailing-List: linux-security-module@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Change the LSM data stored in the audit transactions from a secid to an LSM blob. This is done in struct audit_context and struct audit_aux_data_pids. Several cases of scaffolding can be removed. Signed-off-by: Casey Schaufler --- kernel/audit.h | 2 +- kernel/auditfilter.c | 1 - kernel/auditsc.c | 31 ++++++++++++------------------- 3 files changed, 13 insertions(+), 21 deletions(-) diff --git a/kernel/audit.h b/kernel/audit.h index 6c664aed8f89..b413c0420c6f 100644 --- a/kernel/audit.h +++ b/kernel/audit.h @@ -144,7 +144,7 @@ struct audit_context { kuid_t target_auid; kuid_t target_uid; unsigned int target_sessionid; - u32 target_sid; + struct lsmblob target_blob; char target_comm[TASK_COMM_LEN]; struct audit_tree_refs *trees, *first_trees; diff --git a/kernel/auditfilter.c b/kernel/auditfilter.c index d0df226bdc51..24cb8259e5b1 100644 --- a/kernel/auditfilter.c +++ b/kernel/auditfilter.c @@ -1369,7 +1369,6 @@ int audit_filter(int msgtype, unsigned int listtype) case AUDIT_SUBJ_SEN: case AUDIT_SUBJ_CLR: if (f->lsm_rule) { - /* stacking scaffolding */ security_current_getlsmblob_subj(&blob); result = security_audit_rule_match( &blob, f->type, f->op, 
diff --git a/kernel/auditsc.c b/kernel/auditsc.c index aaea62822505..bfe2ee3ccbe6 100644 --- a/kernel/auditsc.c +++ b/kernel/auditsc.c @@ -100,7 +100,7 @@ struct audit_aux_data_pids { kuid_t target_auid[AUDIT_AUX_PIDS]; kuid_t target_uid[AUDIT_AUX_PIDS]; unsigned int target_sessionid[AUDIT_AUX_PIDS]; - u32 target_sid[AUDIT_AUX_PIDS]; + struct lsmblob target_blob[AUDIT_AUX_PIDS]; char target_comm[AUDIT_AUX_PIDS][TASK_COMM_LEN]; int pid_count; }; @@ -1019,7 +1019,7 @@ static void audit_reset_context(struct audit_context *ctx) ctx->target_pid = 0; ctx->target_auid = ctx->target_uid = KUIDT_INIT(0); ctx->target_sessionid = 0; - ctx->target_sid = 0; + lsmblob_init(&ctx->target_blob); ctx->target_comm[0] = '\0'; unroll_tree_refs(ctx, NULL, 0); WARN_ON(!list_empty(&ctx->killed_trees)); @@ -1093,8 +1093,9 @@ static inline void audit_free_context(struct audit_context *context) } static int audit_log_pid_context(struct audit_context *context, pid_t pid, - kuid_t auid, kuid_t uid, unsigned int sessionid, - u32 sid, char *comm) + kuid_t auid, kuid_t uid, + unsigned int sessionid, struct lsmblob *blob, + char *comm) { struct audit_buffer *ab; char *ctx = NULL; @@ -1108,8 +1109,8 @@ static int audit_log_pid_context(struct audit_context *context, pid_t pid, audit_log_format(ab, "opid=%d oauid=%d ouid=%d oses=%d", pid, from_kuid(&init_user_ns, auid), from_kuid(&init_user_ns, uid), sessionid); - if (sid) { - if (security_secid_to_secctx(sid, &ctx, &len)) { + if (lsmblob_is_set(blob)) { + if (security_lsmblob_to_secctx(blob, &ctx, &len)) { audit_log_format(ab, " obj=(none)"); rc = 1; } else { @@ -1778,7 +1779,7 @@ static void audit_log_exit(void) axs->target_auid[i], axs->target_uid[i], axs->target_sessionid[i], - axs->target_sid[i], + &axs->target_blob[i], axs->target_comm[i])) call_panic = 1; } 
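Review bot: struct audit_aux_data_pids now carries `struct lsmblob target_blob[AUDIT_AUX_PIDS]` in place of `u32 target_sid[AUDIT_AUX_PIDS]`; the blob holds a per-LSM member (selinux.secid, smack.skp) plus the scaffold secid, so every aux record allocated for a signalled target set grows by AUDIT_AUX_PIDS times that difference. The commit message only mentions that scaffolding can be removed; please add a sentence on the size growth of this per-syscall structure so the trade-off is recorded. The audit_log_pid_context() hunk in the same file looks right: `lsmblob_is_set(blob)` replaces the `if (sid)` test and the existing `obj=(none)` fallback is kept.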
@@ -1787,7 +1788,7 @@ static void audit_log_exit(void) audit_log_pid_context(context, context->target_pid, context->target_auid, context->target_uid, context->target_sessionid, - context->target_sid, context->target_comm)) + &context->target_blob, context->target_comm)) call_panic = 1; if (context->pwd.dentry && context->pwd.mnt) { @@ -2722,15 +2723,12 @@ int __audit_sockaddr(int len, void *a) void __audit_ptrace(struct task_struct *t) { struct audit_context *context = audit_context(); - struct lsmblob blob; context->target_pid = task_tgid_nr(t); context->target_auid = audit_get_loginuid(t); context->target_uid = task_uid(t); context->target_sessionid = audit_get_sessionid(t); - security_task_getlsmblob_obj(t, &blob); - /* stacking scaffolding */ - context->target_sid = blob.scaffold.secid; + security_task_getlsmblob_obj(t, &context->target_blob); memcpy(context->target_comm, t->comm, TASK_COMM_LEN); } @@ -2746,7 +2744,6 @@ int audit_signal_info_syscall(struct task_struct *t) struct audit_aux_data_pids *axp; struct audit_context *ctx = audit_context(); kuid_t t_uid = task_uid(t); - struct lsmblob blob; if (!audit_signals || audit_dummy_context()) return 0; @@ -2758,9 +2755,7 @@ int audit_signal_info_syscall(struct task_struct *t) ctx->target_auid = audit_get_loginuid(t); ctx->target_uid = t_uid; ctx->target_sessionid = audit_get_sessionid(t); - security_task_getlsmblob_obj(t, &blob); - /* stacking scaffolding */ - ctx->target_sid = blob.scaffold.secid; + security_task_getlsmblob_obj(t, &ctx->target_blob); memcpy(ctx->target_comm, t->comm, TASK_COMM_LEN); return 0; } 
@@ -2781,9 +2776,7 @@ int audit_signal_info_syscall(struct task_struct *t) axp->target_auid[axp->pid_count] = audit_get_loginuid(t); axp->target_uid[axp->pid_count] = t_uid; axp->target_sessionid[axp->pid_count] = audit_get_sessionid(t); - security_task_getlsmblob_obj(t, &blob); - /* stacking scaffolding */ - axp->target_sid[axp->pid_count] = blob.scaffold.secid; + security_task_getlsmblob_obj(t, &axp->target_blob[axp->pid_count]); memcpy(axp->target_comm[axp->pid_count], t->comm, TASK_COMM_LEN); axp->pid_count++;
From patchwork Fri Dec 15 22:16:09 2023
From: Casey Schaufler To: casey@schaufler-ca.com, paul@paul-moore.com, linux-security-module@vger.kernel.org Cc: jmorris@namei.org, serge@hallyn.com, keescook@chromium.org, john.johansen@canonical.com, penguin-kernel@i-love.sakura.ne.jp, stephen.smalley.work@gmail.com, linux-kernel@vger.kernel.org, mic@digikod.net Subject: [PATCH v39 15/42] Netlabel: Use lsmblob for audit data Date: Fri, 15 Dec 2023 14:16:09 -0800 Message-ID: <20231215221636.105680-16-casey@schaufler-ca.com> X-Mailer: git-send-email 2.43.0 In-Reply-To: <20231215221636.105680-1-casey@schaufler-ca.com> References: <20231215221636.105680-1-casey@schaufler-ca.com> Precedence: bulk X-Mailing-List: linux-security-module@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Replace the secid in the netlbl_audit structure with an lsmblob. Remove stacking scaffolding that was required when the value was a secid. Signed-off-by: Casey Schaufler --- include/net/netlabel.h | 2 +- net/netlabel/netlabel_unlabeled.c | 5 +---- net/netlabel/netlabel_user.c | 7 +++---- net/netlabel/netlabel_user.h | 6 +----- security/smack/smackfs.c | 4 +--- 5 files changed, 7 insertions(+), 17 deletions(-) diff --git a/include/net/netlabel.h b/include/net/netlabel.h index 43ae50337685..03656b8d0b4f 100644 --- a/include/net/netlabel.h +++ b/include/net/netlabel.h @@ -97,7 +97,7 @@ struct calipso_doi; /* NetLabel audit information */ struct netlbl_audit { - u32 secid; + struct lsmblob blob; kuid_t loginuid; unsigned int sessionid; }; diff --git a/net/netlabel/netlabel_unlabeled.c b/net/netlabel/netlabel_unlabeled.c index 129d71c147f1..7bac13ae07a3 100644 --- a/net/netlabel/netlabel_unlabeled.c +++ b/net/netlabel/netlabel_unlabeled.c 
@@ -1534,14 +1534,11 @@ int __init netlbl_unlabel_defconf(void) int ret_val; struct netlbl_dom_map *entry; struct netlbl_audit audit_info; - struct lsmblob blob; /* Only the kernel is allowed to call this function and the only time * it is called is at bootup before the audit subsystem is reporting * messages so don't worry to much about these values. */ - security_current_getlsmblob_subj(&blob); - /* stacking scaffolding */ - audit_info.secid = blob.scaffold.secid; + security_current_getlsmblob_subj(&audit_info.blob); audit_info.loginuid = GLOBAL_ROOT_UID; audit_info.sessionid = 0; diff --git a/net/netlabel/netlabel_user.c b/net/netlabel/netlabel_user.c index 3ed4fea2a2de..6cd1fcb3902b 100644 --- a/net/netlabel/netlabel_user.c +++ b/net/netlabel/netlabel_user.c @@ -98,10 +98,9 @@ struct audit_buffer *netlbl_audit_start_common(int type, from_kuid(&init_user_ns, audit_info->loginuid), audit_info->sessionid); - if (audit_info->secid != 0 && - security_secid_to_secctx(audit_info->secid, - &secctx, - &secctx_len) == 0) { + if (lsmblob_is_set(&audit_info->blob) && + security_lsmblob_to_secctx(&audit_info->blob, &secctx, + &secctx_len) == 0) { audit_log_format(audit_buf, " subj=%s", secctx); security_release_secctx(secctx, secctx_len); } diff --git a/net/netlabel/netlabel_user.h b/net/netlabel/netlabel_user.h index c4864fa18a08..1a9639005d09 100644 --- a/net/netlabel/netlabel_user.h +++ b/net/netlabel/netlabel_user.h @@ -32,11 +32,7 @@ */ static inline void netlbl_netlink_auditinfo(struct netlbl_audit *audit_info) { - struct lsmblob blob; - - security_current_getlsmblob_subj(&blob); - /* stacking scaffolding */ - audit_info->secid = blob.scaffold.secid; + security_current_getlsmblob_subj(&audit_info->blob); audit_info->loginuid = audit_get_loginuid(current); audit_info->sessionid = audit_get_sessionid(current); } diff --git a/security/smack/smackfs.c b/security/smack/smackfs.c index e22aad7604e8..878fe44b662d 100644 --- a/security/smack/smackfs.c 
+++ b/security/smack/smackfs.c 
@@ -182,11 +182,9 @@ static inline void smack_catset_bit(unsigned int cat, char *catsetp) */ static void smk_netlabel_audit_set(struct netlbl_audit *nap) { - struct smack_known *skp = smk_of_current(); - nap->loginuid = audit_get_loginuid(current); nap->sessionid = audit_get_sessionid(current); - nap->secid = skp->smk_secid; + nap->blob.smack.skp = smk_of_current(); } /* From patchwork Fri Dec 15 22:16:10 2023 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Casey Schaufler X-Patchwork-Id: 13495144 X-Patchwork-Delegate: paul@paul-moore.com Received: from sonic315-27.consmr.mail.ne1.yahoo.com (sonic315-27.consmr.mail.ne1.yahoo.com [66.163.190.153]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id EB5B818EA9 for ; Fri, 15 Dec 2023 22:29:30 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; dmarc=none (p=none dis=none) header.from=schaufler-ca.com Authentication-Results: smtp.subspace.kernel.org; spf=none smtp.mailfrom=schaufler-ca.com Authentication-Results: smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=yahoo.com header.i=@yahoo.com header.b="sVo+2tTQ" DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=yahoo.com; s=s2048; t=1702679370; bh=ijG5KPhLf8WT9NPh/OPeKCb8y6uCh4mFGx52DZt41Xw=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From:Subject:Reply-To; b=sVo+2tTQ9ZU/YywgcLnwVdW7tbsVuhWTZUsJnzTBvYQhZBW9MDHgXQDdeYkGx25McXhVBTebIdUXLoP/hFvUNi1pO5mwtRtvxmcNh7oWLHvztnJYqa9o37T6FYAJXci3ImvAeGweY7MMM9IXh3pj43qRaJhaMj8fKbTiC/em4Yo/2tPrkBwRwJxQH1PQAjJGBBAYvqW82iN5d3ckona1zruu3S//JhMjqFl3V+pB5l2HqeNw+u8UZ0q9rXXAqC8H08FHuYy1Qlt3hWsTIzPomyL9ILIT+yRpBS3Ex/u/AvfwJHexTxzhn43B27H3g3/by6AtdBR1/xwkKJsiaVAezw== X-SONIC-DKIM-SIGN: v=1; a=rsa-sha256; c=relaxed/relaxed; d=yahoo.com; s=s2048; t=1702679370; bh=n1hH47rWY9fgnuQ/rz4Sv5DTPAPyyO3vRCiHHcVesHU=; 
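Review bot: in the security/smack/smackfs.c hunk, the new line "nap->blob.smack.skp = smk_of_current();" fills only the Smack member of the lsmblob that now lives in struct netlbl_audit, whereas the removed "nap->secid = skp->smk_secid;" assigned the whole of the old field. Nothing in this hunk clears the remaining members of nap->blob, so unless every caller zero-initialises its struct netlbl_audit before calling smk_netlabel_audit_set(), stale stack bytes in the unused members can make the new lsmblob_is_set(&audit_info->blob) test in netlbl_audit_start_common() pass for the wrong reason. Suggest clearing the blob first, for example "memset(&nap->blob, 0, sizeof(nap->blob));" ahead of the assignment, or assigning through a zero-initialised local blob and copying it in.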
From: Casey Schaufler To: casey@schaufler-ca.com, paul@paul-moore.com, linux-security-module@vger.kernel.org Cc: jmorris@namei.org, serge@hallyn.com, keescook@chromium.org, john.johansen@canonical.com, penguin-kernel@i-love.sakura.ne.jp, stephen.smalley.work@gmail.com, linux-kernel@vger.kernel.org, mic@digikod.net, Chuck Lever , linux-integrity@vger.kernel.org, netdev@vger.kernel.org, audit@vger.kernel.org, netfilter-devel@vger.kernel.org, linux-nfs@vger.kernel.org, Todd Kjos Subject: [PATCH v39 16/42] LSM: Ensure the correct LSM context releaser Date: Fri, 15 Dec 2023 14:16:10 -0800 Message-ID: <20231215221636.105680-17-casey@schaufler-ca.com> X-Mailer: git-send-email 2.43.0 In-Reply-To: <20231215221636.105680-1-casey@schaufler-ca.com> References: <20231215221636.105680-1-casey@schaufler-ca.com> Precedence: bulk X-Mailing-List: linux-security-module@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Add a new lsmcontext data structure to hold all the information about a "security context", including the string, its size and which LSM allocated the string. The allocation information is necessary because LSMs have different policies regarding the lifecycle of these strings. SELinux allocates and destroys them on each use, whereas Smack provides a pointer to an entry in a list that never goes away. Update security_release_secctx() to use the lsmcontext instead of a (char *, len) pair. Change its callers to do likewise. The LSMs supporting this hook have had comments added to remind the developer that there is more work to be done. Reviewed-by: Kees Cook Reviewed-by: John Johansen Acked-by: Paul Moore Acked-by: Stephen Smalley Acked-by: Chuck Lever 
Signed-off-by: Casey Schaufler Cc: linux-integrity@vger.kernel.org Cc: netdev@vger.kernel.org Cc: audit@vger.kernel.org Cc: netfilter-devel@vger.kernel.org To: Pablo Neira Ayuso Cc: linux-nfs@vger.kernel.org Cc: Todd Kjos --- drivers/android/binder.c | 24 ++++++------- fs/ceph/xattr.c | 6 +++- fs/nfs/nfs4proc.c | 8 +++-- fs/nfsd/nfs4xdr.c | 8 +++-- include/linux/lsm_hook_defs.h | 2 +- include/linux/security.h | 35 +++++++++++++++++-- include/net/scm.h | 11 +++--- kernel/audit.c | 34 ++++++++++--------- kernel/auditsc.c | 23 +++++++------ net/ipv4/ip_sockglue.c | 10 +++--- net/netfilter/nf_conntrack_netlink.c | 10 +++--- net/netfilter/nf_conntrack_standalone.c | 9 +++-- net/netfilter/nfnetlink_queue.c | 13 ++++--- net/netlabel/netlabel_unlabeled.c | 45 +++++++++++-------------- net/netlabel/netlabel_user.c | 11 +++--- security/apparmor/include/secid.h | 2 +- security/apparmor/secid.c | 11 ++++-- security/security.c | 8 ++--- security/selinux/hooks.c | 11 ++++-- 19 files changed, 170 insertions(+), 111 deletions(-) diff --git a/drivers/android/binder.c b/drivers/android/binder.c index 92128aae2d06..58bdb5b75131 100644 --- a/drivers/android/binder.c +++ b/drivers/android/binder.c @@ -2920,8 +2920,7 @@ static void binder_transaction(struct binder_proc *proc, struct binder_context *context = proc->context; int t_debug_id = atomic_inc_return(&binder_last_id); ktime_t t_start_time = ktime_get(); - char *secctx = NULL; - u32 secctx_sz = 0; + struct lsmcontext lsmctx; struct list_head sgc_head; struct list_head pf_head; const void __user *user_buffer = (const void __user *) @@ -3200,7 +3199,8 @@ static void binder_transaction(struct binder_proc *proc, size_t added_size; security_cred_getsecid(proc->cred, &secid); - ret = security_secid_to_secctx(secid, &secctx, &secctx_sz); + ret = security_secid_to_secctx(secid, &lsmctx.context, + &lsmctx.len); if (ret) { binder_txn_error("%d:%d failed to get security context\n", thread->pid, proc->pid); 
@@ -3209,7 +3209,7 @@ static void binder_transaction(struct binder_proc *proc, return_error_line = __LINE__; goto err_get_secctx_failed; } - added_size = ALIGN(secctx_sz, sizeof(u64)); + added_size = ALIGN(lsmctx.len, sizeof(u64)); extra_buffers_size += added_size; if (extra_buffers_size < added_size) { binder_txn_error("%d:%d integer overflow of extra_buffers_size\n", @@ -3243,23 +3243,23 @@ static void binder_transaction(struct binder_proc *proc, t->buffer = NULL; goto err_binder_alloc_buf_failed; } - if (secctx) { + if (lsmctx.context) { int err; size_t buf_offset = ALIGN(tr->data_size, sizeof(void *)) + ALIGN(tr->offsets_size, sizeof(void *)) + ALIGN(extra_buffers_size, sizeof(void *)) - - ALIGN(secctx_sz, sizeof(u64)); + ALIGN(lsmctx.len, sizeof(u64)); t->security_ctx = (uintptr_t)t->buffer->user_data + buf_offset; err = binder_alloc_copy_to_buffer(&target_proc->alloc, t->buffer, buf_offset, - secctx, secctx_sz); + lsmctx.context, lsmctx.len); if (err) { t->security_ctx = 0; WARN_ON(1); } - security_release_secctx(secctx, secctx_sz); - secctx = NULL; + security_release_secctx(&lsmctx); + lsmctx.context = NULL; } t->buffer->debug_id = t->debug_id; t->buffer->transaction = t; @@ -3303,7 +3303,7 @@ static void binder_transaction(struct binder_proc *proc, off_end_offset = off_start_offset + tr->offsets_size; sg_buf_offset = ALIGN(off_end_offset, sizeof(void *)); sg_buf_end_offset = sg_buf_offset + extra_buffers_size - - ALIGN(secctx_sz, sizeof(u64)); + ALIGN(lsmctx.len, sizeof(u64)); off_min = 0; for (buffer_offset = off_start_offset; buffer_offset < off_end_offset; buffer_offset += sizeof(binder_size_t)) { 
@@ -3682,8 +3682,8 @@ static void binder_transaction(struct binder_proc *proc, binder_alloc_free_buf(&target_proc->alloc, t->buffer); err_binder_alloc_buf_failed: err_bad_extra_size: - if (secctx) - security_release_secctx(secctx, secctx_sz); + if (lsmctx.context) + security_release_secctx(&lsmctx); err_get_secctx_failed: kfree(tcomplete); binder_stats_deleted(BINDER_STAT_TRANSACTION_COMPLETE); diff --git a/fs/ceph/xattr.c b/fs/ceph/xattr.c index e066a556eccb..113956d386c0 100644 --- a/fs/ceph/xattr.c +++ b/fs/ceph/xattr.c @@ -1446,12 +1446,16 @@ int ceph_security_init_secctx(struct dentry *dentry, umode_t mode, void ceph_release_acl_sec_ctx(struct ceph_acl_sec_ctx *as_ctx) { +#ifdef CONFIG_CEPH_FS_SECURITY_LABEL + struct lsmcontext scaff; /* scaffolding */ +#endif #ifdef CONFIG_CEPH_FS_POSIX_ACL posix_acl_release(as_ctx->acl); posix_acl_release(as_ctx->default_acl); #endif #ifdef CONFIG_CEPH_FS_SECURITY_LABEL - security_release_secctx(as_ctx->sec_ctx, as_ctx->sec_ctxlen); + lsmcontext_init(&scaff, as_ctx->sec_ctx, as_ctx->sec_ctxlen, 0); + security_release_secctx(&scaff); #endif #ifdef CONFIG_FS_ENCRYPTION kfree(as_ctx->fscrypt_auth); diff --git a/fs/nfs/nfs4proc.c b/fs/nfs/nfs4proc.c index 8a943fffaad5..6ea99e2aabf3 100644 --- a/fs/nfs/nfs4proc.c +++ b/fs/nfs/nfs4proc.c @@ -138,8 +138,12 @@ nfs4_label_init_security(struct inode *dir, struct dentry *dentry, static inline void nfs4_label_release_security(struct nfs4_label *label) { - if (label) - security_release_secctx(label->label, label->len); + struct lsmcontext scaff; /* scaffolding */ + + if (label) { + lsmcontext_init(&scaff, label->label, label->len, 0); + security_release_secctx(&scaff); + } } static inline u32 *nfs4_bitmask(struct nfs_server *server, struct nfs4_label *label) { diff --git a/fs/nfsd/nfs4xdr.c b/fs/nfsd/nfs4xdr.c index ec4ed6206df1..9cade754356a 100644 --- a/fs/nfsd/nfs4xdr.c +++ b/fs/nfsd/nfs4xdr.c 
@@ -3627,8 +3627,12 @@ nfsd4_encode_fattr4(struct svc_rqst *rqstp, struct xdr_stream *xdr, out: #ifdef CONFIG_NFSD_V4_SECURITY_LABEL - if (args.context) - security_release_secctx(args.context, args.contextlen); + if (args.context) { + struct lsmcontext scaff; /* scaffolding */ + + lsmcontext_init(&scaff, args.context, args.contextlen, 0); + security_release_secctx(&scaff); + } #endif /* CONFIG_NFSD_V4_SECURITY_LABEL */ kfree(args.acl); if (tempfh) { diff --git a/include/linux/lsm_hook_defs.h b/include/linux/lsm_hook_defs.h index fe9c1d89dc66..c5e5a32f5e07 100644 --- a/include/linux/lsm_hook_defs.h +++ b/include/linux/lsm_hook_defs.h @@ -278,7 +278,7 @@ LSM_HOOK(int, -EOPNOTSUPP, secid_to_secctx, u32 secid, char **secdata, LSM_HOOK(int, -EOPNOTSUPP, lsmblob_to_secctx, struct lsmblob *blob, char **secdata, u32 *seclen) LSM_HOOK(int, 0, secctx_to_secid, const char *secdata, u32 seclen, u32 *secid) -LSM_HOOK(void, LSM_RET_VOID, release_secctx, char *secdata, u32 seclen) +LSM_HOOK(void, LSM_RET_VOID, release_secctx, struct lsmcontext *cp) LSM_HOOK(void, LSM_RET_VOID, inode_invalidate_secctx, struct inode *inode) LSM_HOOK(int, 0, inode_notifysecctx, struct inode *inode, void *ctx, u32 ctxlen) LSM_HOOK(int, 0, inode_setsecctx, struct dentry *dentry, void *ctx, u32 ctxlen) diff --git a/include/linux/security.h b/include/linux/security.h index 67ecf8588c90..9712056d71a0 100644 --- a/include/linux/security.h +++ b/include/linux/security.h 
@@ -148,6 +148,37 @@ struct lsmblob_scaffold { u32 secid; }; +/* + * A "security context" is the text representation of + * the information used by LSMs. + * This structure contains the string, its length, and which LSM + * it is useful for. + */ +struct lsmcontext { + char *context; /* Provided by the module */ + u32 len; + int id; /* Identifies the module */ +}; + +/** + * lsmcontext_init - initialize an lsmcontext structure. + * @cp: Pointer to the context to initialize + * @context: Initial context, or NULL + * @size: Size of context, or 0 + * @id: Which LSM provided the context + * + * Fill in the lsmcontext from the provided information. + * This is a scaffolding function that will be removed when + * lsmcontext integration is complete. + */ +static inline void lsmcontext_init(struct lsmcontext *cp, char *context, + u32 size, int id) +{ + cp->id = id; + cp->context = context; + cp->len = size; +} + /* * Data exported by the security modules */ @@ -535,7 +566,7 @@ int security_secid_to_secctx(u32 secid, char **secdata, u32 *seclen); int security_lsmblob_to_secctx(struct lsmblob *blob, char **secdata, u32 *seclen); int security_secctx_to_secid(const char *secdata, u32 seclen, u32 *secid); -void security_release_secctx(char *secdata, u32 seclen); +void security_release_secctx(struct lsmcontext *cp); void security_inode_invalidate_secctx(struct inode *inode); int security_inode_notifysecctx(struct inode *inode, void *ctx, u32 ctxlen); int security_inode_setsecctx(struct dentry *dentry, void *ctx, u32 ctxlen); @@ -1475,7 +1506,7 @@ static inline int security_secctx_to_secid(const char *secdata, return -EOPNOTSUPP; } -static inline void security_release_secctx(char *secdata, u32 seclen) +static inline void security_release_secctx(struct lsmcontext *cp) { } diff --git a/include/net/scm.h b/include/net/scm.h index e8c76b4be2fe..6e1add51d4c2 100644 --- a/include/net/scm.h +++ b/include/net/scm.h 
@@ -93,16 +93,17 @@ static __inline__ int scm_send(struct socket *sock, struct msghdr *msg, #ifdef CONFIG_SECURITY_NETWORK static inline void scm_passec(struct socket *sock, struct msghdr *msg, struct scm_cookie *scm) { - char *secdata; - u32 seclen; + struct lsmcontext ctx; int err; if (test_bit(SOCK_PASSSEC, &sock->flags)) { - err = security_secid_to_secctx(scm->secid, &secdata, &seclen); + err = security_secid_to_secctx(scm->secid, &ctx.context, + &ctx.len); if (!err) { - put_cmsg(msg, SOL_SOCKET, SCM_SECURITY, seclen, secdata); - security_release_secctx(secdata, seclen); + put_cmsg(msg, SOL_SOCKET, SCM_SECURITY, ctx.len, + ctx.context); + security_release_secctx(&ctx); } } } diff --git a/kernel/audit.c b/kernel/audit.c index 54dfe339e341..47cfb6b20c3c 100644 --- a/kernel/audit.c +++ b/kernel/audit.c @@ -1209,8 +1209,7 @@ static int audit_receive_msg(struct sk_buff *skb, struct nlmsghdr *nlh) struct audit_buffer *ab; u16 msg_type = nlh->nlmsg_type; struct audit_sig_info *sig_data; - char *ctx = NULL; - u32 len; + struct lsmcontext lsmctx; err = audit_netlink_ok(skb, msg_type); if (err) 
@@ -1458,30 +1457,34 @@ static int audit_receive_msg(struct sk_buff *skb, struct nlmsghdr *nlh) kfree(new); break; } - case AUDIT_SIGNAL_INFO: - len = 0; + case AUDIT_SIGNAL_INFO: { + size_t sig_data_size; + if (lsmblob_is_set(&audit_sig_lsm)) { - err = security_lsmblob_to_secctx(&audit_sig_lsm, &ctx, - &len); + err = security_lsmblob_to_secctx(&audit_sig_lsm, + &lsmctx.context, + &lsmctx.len); if (err) return err; } - sig_data = kmalloc(struct_size(sig_data, ctx, len), GFP_KERNEL); + sig_data_size = struct_size(sig_data, ctx, lsmctx.len); + sig_data = kmalloc(sig_data_size, GFP_KERNEL); if (!sig_data) { if (lsmblob_is_set(&audit_sig_lsm)) - security_release_secctx(ctx, len); + security_release_secctx(&lsmctx); return -ENOMEM; } sig_data->uid = from_kuid(&init_user_ns, audit_sig_uid); sig_data->pid = audit_sig_pid; if (lsmblob_is_set(&audit_sig_lsm)) { - memcpy(sig_data->ctx, ctx, len); - security_release_secctx(ctx, len); + memcpy(sig_data->ctx, lsmctx.context, lsmctx.len); + security_release_secctx(&lsmctx); } audit_send_reply(skb, seq, AUDIT_SIGNAL_INFO, 0, 0, - sig_data, struct_size(sig_data, ctx, len)); + sig_data, sig_data_size); kfree(sig_data); break; + } case AUDIT_TTY_GET: { struct audit_tty_status s; unsigned int t; @@ -2164,24 +2167,23 @@ void audit_log_key(struct audit_buffer *ab, char *key) int audit_log_task_context(struct audit_buffer *ab) { + struct lsmcontext ctx; struct lsmblob blob; - char *ctx = NULL; - unsigned len; int error; security_current_getlsmblob_subj(&blob); if (!lsmblob_is_set(&blob)) return 0; - error = security_lsmblob_to_secctx(&blob, &ctx, &len); + error = security_lsmblob_to_secctx(&blob, &ctx.context, &ctx.len); if (error) { if (error != -EINVAL) goto error_path; return 0; } - audit_log_format(ab, " subj=%s", ctx); - security_release_secctx(ctx, len); + audit_log_format(ab, " subj=%s", ctx.context); + security_release_secctx(&ctx); return 0; error_path: 
diff --git a/kernel/auditsc.c b/kernel/auditsc.c index bfe2ee3ccbe6..2874255f5f25 100644 --- a/kernel/auditsc.c +++ b/kernel/auditsc.c @@ -1098,8 +1098,7 @@ static int audit_log_pid_context(struct audit_context *context, pid_t pid, char *comm) { struct audit_buffer *ab; - char *ctx = NULL; - u32 len; + struct lsmcontext ctx; int rc = 0; ab = audit_log_start(context, GFP_KERNEL, AUDIT_OBJ_PID); @@ -1110,12 +1109,12 @@ static int audit_log_pid_context(struct audit_context *context, pid_t pid, from_kuid(&init_user_ns, auid), from_kuid(&init_user_ns, uid), sessionid); if (lsmblob_is_set(blob)) { - if (security_lsmblob_to_secctx(blob, &ctx, &len)) { + if (security_lsmblob_to_secctx(blob, &ctx.context, &ctx.len)) { audit_log_format(ab, " obj=(none)"); rc = 1; } else { - audit_log_format(ab, " obj=%s", ctx); - security_release_secctx(ctx, len); + audit_log_format(ab, " obj=%s", ctx.context); + security_release_secctx(&ctx); } } audit_log_format(ab, " ocomm="); @@ -1371,6 +1370,7 @@ static void audit_log_time(struct audit_context *context, struct audit_buffer ** static void show_special(struct audit_context *context, int *call_panic) { + struct lsmcontext lsmcxt; struct audit_buffer *ab; int i; @@ -1401,7 +1401,8 @@ static void show_special(struct audit_context *context, int *call_panic) *call_panic = 1; } else { audit_log_format(ab, " obj=%s", ctx); - security_release_secctx(ctx, len); + lsmcontext_init(&lsmcxt, ctx, len, 0); + security_release_secctx(&lsmcxt); } } if (context->ipc.has_perm) { 
@@ -1560,15 +1561,15 @@ static void audit_log_name(struct audit_context *context, struct audit_names *n, MAJOR(n->rdev), MINOR(n->rdev)); if (lsmblob_is_set(&n->oblob)) { - char *ctx = NULL; - u32 len; + struct lsmcontext ctx; - if (security_lsmblob_to_secctx(&n->oblob, &ctx, &len)) { + if (security_lsmblob_to_secctx(&n->oblob, &ctx.context, + &ctx.len)) { if (call_panic) *call_panic = 2; } else { - audit_log_format(ab, " obj=%s", ctx); - security_release_secctx(ctx, len); + audit_log_format(ab, " obj=%s", ctx.context); + security_release_secctx(&ctx); } } diff --git a/net/ipv4/ip_sockglue.c b/net/ipv4/ip_sockglue.c index 2efc53526a38..3bf8ff9d4434 100644 --- a/net/ipv4/ip_sockglue.c +++ b/net/ipv4/ip_sockglue.c @@ -130,20 +130,20 @@ static void ip_cmsg_recv_checksum(struct msghdr *msg, struct sk_buff *skb, static void ip_cmsg_recv_security(struct msghdr *msg, struct sk_buff *skb) { - char *secdata; - u32 seclen, secid; + struct lsmcontext ctx; + u32 secid; int err; err = security_socket_getpeersec_dgram(NULL, skb, &secid); if (err) return; - err = security_secid_to_secctx(secid, &secdata, &seclen); + err = security_secid_to_secctx(secid, &ctx.context, &ctx.len); if (err) return; - put_cmsg(msg, SOL_IP, SCM_SECURITY, seclen, secdata); - security_release_secctx(secdata, seclen); + put_cmsg(msg, SOL_IP, SCM_SECURITY, ctx.len, ctx.context); + security_release_secctx(&ctx); } static void ip_cmsg_recv_dstaddr(struct msghdr *msg, struct sk_buff *skb) diff --git a/net/netfilter/nf_conntrack_netlink.c b/net/netfilter/nf_conntrack_netlink.c index fb0ae15e96df..3e79b339a1bc 100644 --- a/net/netfilter/nf_conntrack_netlink.c +++ b/net/netfilter/nf_conntrack_netlink.c 
@@ -357,10 +357,10 @@ static int ctnetlink_dump_mark(struct sk_buff *skb, const struct nf_conn *ct, static int ctnetlink_dump_secctx(struct sk_buff *skb, const struct nf_conn *ct) { struct nlattr *nest_secctx; - int len, ret; - char *secctx; + struct lsmcontext ctx; + int ret; - ret = security_secid_to_secctx(ct->secmark, &secctx, &len); + ret = security_secid_to_secctx(ct->secmark, &ctx.context, &ctx.len); if (ret) return 0; @@ -369,13 +369,13 @@ static int ctnetlink_dump_secctx(struct sk_buff *skb, const struct nf_conn *ct) if (!nest_secctx) goto nla_put_failure; - if (nla_put_string(skb, CTA_SECCTX_NAME, secctx)) + if (nla_put_string(skb, CTA_SECCTX_NAME, ctx.context)) goto nla_put_failure; nla_nest_end(skb, nest_secctx); ret = 0; nla_put_failure: - security_release_secctx(secctx, len); + security_release_secctx(&ctx); return ret; } #else diff --git a/net/netfilter/nf_conntrack_standalone.c b/net/netfilter/nf_conntrack_standalone.c index 0ee98ce5b816..23949d233375 100644 --- a/net/netfilter/nf_conntrack_standalone.c +++ b/net/netfilter/nf_conntrack_standalone.c @@ -175,17 +175,16 @@ static void ct_seq_stop(struct seq_file *s, void *v) #ifdef CONFIG_NF_CONNTRACK_SECMARK static void ct_show_secctx(struct seq_file *s, const struct nf_conn *ct) { + struct lsmcontext ctx; int ret; - u32 len; - char *secctx; - ret = security_secid_to_secctx(ct->secmark, &secctx, &len); + ret = security_secid_to_secctx(ct->secmark, &ctx.context, &ctx.len); if (ret) return; - seq_printf(s, "secctx=%s ", secctx); + seq_printf(s, "secctx=%s ", ctx.context); - security_release_secctx(secctx, len); + security_release_secctx(&ctx); } #else static inline void ct_show_secctx(struct seq_file *s, const struct nf_conn *ct) diff --git a/net/netfilter/nfnetlink_queue.c b/net/netfilter/nfnetlink_queue.c index 171d1f52d3dd..8b4c5c08daa7 100644 --- a/net/netfilter/nfnetlink_queue.c +++ b/net/netfilter/nfnetlink_queue.c 
@@ -408,6 +408,7 @@ nfqnl_build_packet_message(struct net *net, struct nfqnl_instance *queue, enum ip_conntrack_info ctinfo = 0; const struct nfnl_ct_hook *nfnl_ct; bool csum_verify; + struct lsmcontext scaff; /* scaffolding */ char *secdata = NULL; u32 seclen = 0; ktime_t tstamp; @@ -651,8 +652,10 @@ nfqnl_build_packet_message(struct net *net, struct nfqnl_instance *queue, } nlh->nlmsg_len = skb->len; - if (seclen) - security_release_secctx(secdata, seclen); + if (seclen) { + lsmcontext_init(&scaff, secdata, seclen, 0); + security_release_secctx(&scaff); + } return skb; nla_put_failure: @@ -660,8 +663,10 @@ nfqnl_build_packet_message(struct net *net, struct nfqnl_instance *queue, kfree_skb(skb); net_err_ratelimited("nf_queue: error creating packet message\n"); nlmsg_failure: - if (seclen) - security_release_secctx(secdata, seclen); + if (seclen) { + lsmcontext_init(&scaff, secdata, seclen, 0); + security_release_secctx(&scaff); + } return NULL; } diff --git a/net/netlabel/netlabel_unlabeled.c b/net/netlabel/netlabel_unlabeled.c index 7bac13ae07a3..464105080245 100644 --- a/net/netlabel/netlabel_unlabeled.c +++ b/net/netlabel/netlabel_unlabeled.c @@ -374,8 +374,7 @@ int netlbl_unlhsh_add(struct net *net, struct net_device *dev; struct netlbl_unlhsh_iface *iface; struct audit_buffer *audit_buf = NULL; - char *secctx = NULL; - u32 secctx_len; + struct lsmcontext ctx; if (addr_len != sizeof(struct in_addr) && addr_len != sizeof(struct in6_addr)) 
@@ -438,11 +437,10 @@ int netlbl_unlhsh_add(struct net *net, unlhsh_add_return: rcu_read_unlock(); if (audit_buf != NULL) { - if (security_secid_to_secctx(secid, - &secctx, - &secctx_len) == 0) { - audit_log_format(audit_buf, " sec_obj=%s", secctx); - security_release_secctx(secctx, secctx_len); + if (security_secid_to_secctx(secid, &ctx.context, + &ctx.len) == 0) { + audit_log_format(audit_buf, " sec_obj=%s", ctx.context); + security_release_secctx(&ctx); } audit_log_format(audit_buf, " res=%u", ret_val == 0 ? 1 : 0); audit_log_end(audit_buf); @@ -473,8 +471,7 @@ static int netlbl_unlhsh_remove_addr4(struct net *net, struct netlbl_unlhsh_addr4 *entry; struct audit_buffer *audit_buf; struct net_device *dev; - char *secctx; - u32 secctx_len; + struct lsmcontext ctx; spin_lock(&netlbl_unlhsh_lock); list_entry = netlbl_af4list_remove(addr->s_addr, mask->s_addr, @@ -494,10 +491,10 @@ static int netlbl_unlhsh_remove_addr4(struct net *net, addr->s_addr, mask->s_addr); dev_put(dev); if (entry != NULL && - security_secid_to_secctx(entry->secid, - &secctx, &secctx_len) == 0) { - audit_log_format(audit_buf, " sec_obj=%s", secctx); - security_release_secctx(secctx, secctx_len); + security_secid_to_secctx(entry->secid, &ctx.context, + &ctx.len) == 0) { + audit_log_format(audit_buf, " sec_obj=%s", ctx.context); + security_release_secctx(&ctx); } audit_log_format(audit_buf, " res=%u", entry != NULL ? 1 : 0); audit_log_end(audit_buf); @@ -534,8 +531,7 @@ static int netlbl_unlhsh_remove_addr6(struct net *net, struct netlbl_unlhsh_addr6 *entry; struct audit_buffer *audit_buf; struct net_device *dev; - char *secctx; - u32 secctx_len; + struct lsmcontext ctx; spin_lock(&netlbl_unlhsh_lock); list_entry = netlbl_af6list_remove(addr, mask, &iface->addr6_list); 
@@ -554,10 +550,10 @@ static int netlbl_unlhsh_remove_addr6(struct net *net, addr, mask); dev_put(dev); if (entry != NULL && - security_secid_to_secctx(entry->secid, - &secctx, &secctx_len) == 0) { - audit_log_format(audit_buf, " sec_obj=%s", secctx); - security_release_secctx(secctx, secctx_len); + security_secid_to_secctx(entry->secid, &ctx.context, + &ctx.len) == 0) { + audit_log_format(audit_buf, " sec_obj=%s", ctx.context); + security_release_secctx(&ctx); } audit_log_format(audit_buf, " res=%u", entry != NULL ? 1 : 0); audit_log_end(audit_buf); @@ -1069,10 +1065,9 @@ static int netlbl_unlabel_staticlist_gen(u32 cmd, int ret_val = -ENOMEM; struct netlbl_unlhsh_walk_arg *cb_arg = arg; struct net_device *dev; + struct lsmcontext ctx; void *data; u32 secid; - char *secctx; - u32 secctx_len; data = genlmsg_put(cb_arg->skb, NETLINK_CB(cb_arg->nl_cb->skb).portid, cb_arg->seq, &netlbl_unlabel_gnl_family, @@ -1127,14 +1122,14 @@ static int netlbl_unlabel_staticlist_gen(u32 cmd, secid = addr6->secid; } - ret_val = security_secid_to_secctx(secid, &secctx, &secctx_len); + ret_val = security_secid_to_secctx(secid, &ctx.context, &ctx.len); if (ret_val != 0) goto list_cb_failure; ret_val = nla_put(cb_arg->skb, NLBL_UNLABEL_A_SECCTX, - secctx_len, - secctx); - security_release_secctx(secctx, secctx_len); + ctx.len, + ctx.context); + security_release_secctx(&ctx); if (ret_val != 0) goto list_cb_failure; diff --git a/net/netlabel/netlabel_user.c b/net/netlabel/netlabel_user.c index 6cd1fcb3902b..b9289a22b363 100644 --- a/net/netlabel/netlabel_user.c +++ b/net/netlabel/netlabel_user.c @@ -84,8 +84,7 @@ struct audit_buffer *netlbl_audit_start_common(int type, struct netlbl_audit *audit_info) { struct audit_buffer *audit_buf; - char *secctx; - u32 secctx_len; + struct lsmcontext ctx; if (audit_enabled == AUDIT_OFF) return NULL; 
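Review bot: in the netlbl_unlhsh_add(), netlbl_unlhsh_remove_addr4(), netlbl_unlhsh_remove_addr6() and netlbl_unlabel_staticlist_gen() hunks (and netlbl_audit_start_common() in the netlabel_user.c hunk that follows), `struct lsmcontext ctx` is declared without an initialiser, security_secid_to_secctx()/security_lsmblob_to_secctx() fill only `ctx.context` and `ctx.len`, and `ctx.id` is never set before `security_release_secctx(&ctx)`. That is harmless while the release hooks ignore the id, but it is inconsistent with the nfqnl hunk, which explicitly sets the id to 0 through lsmcontext_init(), and it becomes a read of uninitialised stack memory the moment the `cp->id == ...` check that the AppArmor and SELinux release hooks carry as a comment is enabled. Either initialise `ctx` here (`struct lsmcontext ctx = { };` or lsmcontext_init()) or say in the commit message that the id will be filled in by the conversion helpers in a later change.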
@@ -99,10 +98,10 @@ struct audit_buffer *netlbl_audit_start_common(int type, audit_info->sessionid); if (lsmblob_is_set(&audit_info->blob) && - security_lsmblob_to_secctx(&audit_info->blob, &secctx, - &secctx_len) == 0) { - audit_log_format(audit_buf, " subj=%s", secctx); - security_release_secctx(secctx, secctx_len); + security_lsmblob_to_secctx(&audit_info->blob, &ctx.context, + &ctx.len) == 0) { + audit_log_format(audit_buf, " subj=%s", ctx.context); + security_release_secctx(&ctx); } return audit_buf; diff --git a/security/apparmor/include/secid.h b/security/apparmor/include/secid.h index 816a425e2023..e47c37c1beda 100644 --- a/security/apparmor/include/secid.h +++ b/security/apparmor/include/secid.h @@ -29,7 +29,7 @@ int apparmor_secid_to_secctx(u32 secid, char **secdata, u32 *seclen); int apparmor_lsmblob_to_secctx(struct lsmblob *blob, char **secdata, u32 *seclen); int apparmor_secctx_to_secid(const char *secdata, u32 seclen, u32 *secid); -void apparmor_release_secctx(char *secdata, u32 seclen); +void apparmor_release_secctx(struct lsmcontext *cp); int aa_alloc_secid(struct aa_label *label, gfp_t gfp); diff --git a/security/apparmor/secid.c b/security/apparmor/secid.c index a7c6f5061882..e9f655f54a42 100644 --- a/security/apparmor/secid.c +++ b/security/apparmor/secid.c @@ -139,9 +139,16 @@ int apparmor_secctx_to_secid(const char *secdata, u32 seclen, u32 *secid) return 0; } -void apparmor_release_secctx(char *secdata, u32 seclen) +void apparmor_release_secctx(struct lsmcontext *cp) { - kfree(secdata); + /* + * stacking scaffolding: + * When it is possible for more than one LSM to provide a + * release hook, do this check: + * if (cp->id == LSM_ID_APPARMOR || cp->id == LSM_ID_UNDEF) + */ + + kfree(cp->context); } /** diff --git a/security/security.c b/security/security.c index 1cbd45310f63..063a209ac17f 100644 --- a/security/security.c +++ b/security/security.c 
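Review bot: apparmor_release_secctx() now calls kfree(cp->context) unconditionally, with the `cp->id == LSM_ID_APPARMOR || cp->id == LSM_ID_UNDEF` test left in a comment as scaffolding, and selinux_release_secctx() below does the same. Because security_release_secctx() goes through call_void_hook(), every registered release hook runs on the same context, so this is only safe while at most one of these LSMs is built in; a one-line comment in security_release_secctx() stating that interim contract (or a `WARN_ON_ONCE()` if the dispatch is meant to be exclusive) would make it explicit instead of leaving it implied by two per-LSM comments.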
@@ -4250,14 +4250,14 @@ EXPORT_SYMBOL(security_secctx_to_secid); /** * security_release_secctx() - Free a secctx buffer - * @secdata: secctx - * @seclen: length of secctx + * @cp: the security context * * Release the security context. */ -void security_release_secctx(char *secdata, u32 seclen) +void security_release_secctx(struct lsmcontext *cp) { - call_void_hook(release_secctx, secdata, seclen); + call_void_hook(release_secctx, cp); + memset(cp, 0, sizeof(*cp)); } EXPORT_SYMBOL(security_release_secctx); diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c index 1bc28f5f6870..1a428a6964a0 100644 --- a/security/selinux/hooks.c +++ b/security/selinux/hooks.c 
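Review bot: the kernel-doc for security_release_secctx() should say that `*cp` is zeroed on return, since the hunk adds `memset(cp, 0, sizeof(*cp))` after the hook call and callers may reasonably test `cp->context` afterwards; something like "@cp: the security context, cleared on return" keeps the documentation in step with the behaviour. Clearing is the right choice here, as it turns an accidental second release into a kfree(NULL) no-op rather than a double free.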
@@ -6588,9 +6588,16 @@ static int selinux_secctx_to_secid(const char *secdata, u32 seclen, u32 *secid) secid, GFP_KERNEL); } -static void selinux_release_secctx(char *secdata, u32 seclen) +static void selinux_release_secctx(struct lsmcontext *cp) { - kfree(secdata); + /* + * stacking scaffolding: + * When it is possible for more than one LSM to provide a + * release hook, do this check: + * if (cp->id == LSM_ID_SELINUX || cp->id == LSM_ID_UNDEF) + */ + + kfree(cp->context); } static void selinux_inode_invalidate_secctx(struct inode *inode)
From patchwork Fri Dec 15 22:16:11 2023
X-Patchwork-Submitter: Casey Schaufler
X-Patchwork-Id: 13495145
X-Patchwork-Delegate: paul@paul-moore.com
From: Casey Schaufler
To: casey@schaufler-ca.com, paul@paul-moore.com, linux-security-module@vger.kernel.org
Cc: jmorris@namei.org, serge@hallyn.com, keescook@chromium.org, john.johansen@canonical.com, penguin-kernel@i-love.sakura.ne.jp, stephen.smalley.work@gmail.com, linux-kernel@vger.kernel.org, mic@digikod.net, netdev@vger.kernel.org, audit@vger.kernel.org, netfilter-devel@vger.kernel.org, Todd Kjos
Subject: [PATCH v39 17/42] LSM: Use lsmcontext in security_secid_to_secctx
Date: Fri, 15 Dec 2023 14:16:11 -0800
Message-ID: <20231215221636.105680-18-casey@schaufler-ca.com>
X-Mailer: git-send-email 2.43.0
In-Reply-To: <20231215221636.105680-1-casey@schaufler-ca.com>
References: <20231215221636.105680-1-casey@schaufler-ca.com>
X-Mailing-List: linux-security-module@vger.kernel.org

Replace the (secctx, seclen) pointer pair with a single lsmcontext pointer to allow return of the LSM identifier along with the context and context length. This allows security_release_secctx() to know how to release the context. Callers have been modified to use or save the returned data from the new structure. security_secid_to_secctx() will now return the length value on success instead of 0.
Signed-off-by: Casey Schaufler Cc: netdev@vger.kernel.org Cc: audit@vger.kernel.org Cc: netfilter-devel@vger.kernel.org Cc: Todd Kjos --- drivers/android/binder.c | 5 ++--- include/linux/lsm_hook_defs.h | 3 +-- include/linux/security.h | 5 ++--- include/net/scm.h | 5 ++--- net/ipv4/ip_sockglue.c | 4 ++-- net/netfilter/nf_conntrack_netlink.c | 8 ++++---- net/netfilter/nf_conntrack_standalone.c | 4 ++-- net/netfilter/nfnetlink_queue.c | 27 ++++++++++--------------- net/netlabel/netlabel_unlabeled.c | 13 +++++------- security/apparmor/include/secid.h | 2 +- security/apparmor/secid.c | 13 +++++++----- security/security.c | 17 ++++++++-------- security/selinux/hooks.c | 17 ++++++++++++++-- security/smack/smack_lsm.c | 16 ++++++++------- 14 files changed, 72 insertions(+), 67 deletions(-) diff --git a/drivers/android/binder.c b/drivers/android/binder.c index 58bdb5b75131..c0fa95e64e7c 100644 --- a/drivers/android/binder.c +++ b/drivers/android/binder.c @@ -3199,9 +3199,8 @@ static void binder_transaction(struct binder_proc *proc, size_t added_size; security_cred_getsecid(proc->cred, &secid); - ret = security_secid_to_secctx(secid, &lsmctx.context, - &lsmctx.len); - if (ret) { + ret = security_secid_to_secctx(secid, &lsmctx); + if (ret < 0) { binder_txn_error("%d:%d failed to get security context\n", thread->pid, proc->pid); return_error = BR_FAILED_REPLY; diff --git a/include/linux/lsm_hook_defs.h b/include/linux/lsm_hook_defs.h index c5e5a32f5e07..8e0155ac6697 100644 --- a/include/linux/lsm_hook_defs.h +++ b/include/linux/lsm_hook_defs.h 
@@ -273,8 +273,7 @@ LSM_HOOK(int, -EINVAL, getprocattr, struct task_struct *p, const char *name, char **value) LSM_HOOK(int, -EINVAL, setprocattr, const char *name, void *value, size_t size) LSM_HOOK(int, 0, ismaclabel, const char *name) -LSM_HOOK(int, -EOPNOTSUPP, secid_to_secctx, u32 secid, char **secdata, - u32 *seclen) +LSM_HOOK(int, -EOPNOTSUPP, secid_to_secctx, u32 secid, struct lsmcontext *cp) LSM_HOOK(int, -EOPNOTSUPP, lsmblob_to_secctx, struct lsmblob *blob, char **secdata, u32 *seclen) LSM_HOOK(int, 0, secctx_to_secid, const char *secdata, u32 seclen, u32 *secid) diff --git a/include/linux/security.h b/include/linux/security.h index 9712056d71a0..03b79089eaf7 100644 --- a/include/linux/security.h +++ b/include/linux/security.h @@ -562,7 +562,7 @@ int security_getprocattr(struct task_struct *p, int lsmid, const char *name, int security_setprocattr(int lsmid, const char *name, void *value, size_t size); int security_netlink_send(struct sock *sk, struct sk_buff *skb); int security_ismaclabel(const char *name); -int security_secid_to_secctx(u32 secid, char **secdata, u32 *seclen); +int security_secid_to_secctx(u32 secid, struct lsmcontext *cp); int security_lsmblob_to_secctx(struct lsmblob *blob, char **secdata, u32 *seclen); int security_secctx_to_secid(const char *secdata, u32 seclen, u32 *secid); @@ -1487,8 +1487,7 @@ static inline int security_ismaclabel(const char *name) return 0; } -static inline int security_secid_to_secctx(u32 secid, char **secdata, - u32 *seclen) +static inline int security_secid_to_secctx(u32 secid, struct lsmcontext *cp) { return -EOPNOTSUPP; } diff --git a/include/net/scm.h b/include/net/scm.h index 6e1add51d4c2..91452b36b5bf 100644 --- a/include/net/scm.h +++ b/include/net/scm.h 
@@ -97,10 +97,9 @@ static inline void scm_passec(struct socket *sock, struct msghdr *msg, struct sc int err; if (test_bit(SOCK_PASSSEC, &sock->flags)) { - err = security_secid_to_secctx(scm->secid, &ctx.context, - &ctx.len); + err = security_secid_to_secctx(scm->secid, &ctx); - if (!err) { + if (err >= 0) { put_cmsg(msg, SOL_SOCKET, SCM_SECURITY, ctx.len, ctx.context); security_release_secctx(&ctx); diff --git a/net/ipv4/ip_sockglue.c b/net/ipv4/ip_sockglue.c index 3bf8ff9d4434..38b9f822a70d 100644 --- a/net/ipv4/ip_sockglue.c +++ b/net/ipv4/ip_sockglue.c @@ -138,8 +138,8 @@ static void ip_cmsg_recv_security(struct msghdr *msg, struct sk_buff *skb) if (err) return; - err = security_secid_to_secctx(secid, &ctx.context, &ctx.len); - if (err) + err = security_secid_to_secctx(secid, &ctx); + if (err < 0) return; put_cmsg(msg, SOL_IP, SCM_SECURITY, ctx.len, ctx.context); diff --git a/net/netfilter/nf_conntrack_netlink.c b/net/netfilter/nf_conntrack_netlink.c index 3e79b339a1bc..a7dfc39bfbf3 100644 --- a/net/netfilter/nf_conntrack_netlink.c +++ b/net/netfilter/nf_conntrack_netlink.c @@ -360,8 +360,8 @@ static int ctnetlink_dump_secctx(struct sk_buff *skb, const struct nf_conn *ct) struct lsmcontext ctx; int ret; - ret = security_secid_to_secctx(ct->secmark, &ctx.context, &ctx.len); - if (ret) + ret = security_secid_to_secctx(ct->secmark, &ctx); + if (ret < 0) return 0; ret = -1; @@ -669,8 +669,8 @@ static inline int ctnetlink_secctx_size(const struct nf_conn *ct) #ifdef CONFIG_NF_CONNTRACK_SECMARK int len, ret; - ret = security_secid_to_secctx(ct->secmark, NULL, &len); - if (ret) + ret = security_secid_to_secctx(ct->secmark, NULL); + if (ret < 0) return 0; return nla_total_size(0) /* CTA_SECCTX */ diff --git a/net/netfilter/nf_conntrack_standalone.c b/net/netfilter/nf_conntrack_standalone.c index 23949d233375..a1d8952db1c1 100644 --- a/net/netfilter/nf_conntrack_standalone.c +++ b/net/netfilter/nf_conntrack_standalone.c 
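Review bot: in the ctnetlink_secctx_size() hunk the context line `int len, ret;` is kept, but `len` is no longer assigned in any of the shown lines: the old call filled it through `&len`, whereas the new `ret = security_secid_to_secctx(ct->secmark, NULL)` returns the length in `ret` and only tests it for `< 0`. If the rest of the expression after `nla_total_size(0) /* CTA_SECCTX */` still adds `len`, it now reads an uninitialised variable; it should become `len = security_secid_to_secctx(ct->secmark, NULL); if (len < 0) return 0;` with `ret` dropped.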
@@ -178,8 +178,8 @@ static void ct_show_secctx(struct seq_file *s, const struct nf_conn *ct) struct lsmcontext ctx; int ret; - ret = security_secid_to_secctx(ct->secmark, &ctx.context, &ctx.len); - if (ret) + ret = security_secid_to_secctx(ct->secmark, &ctx); + if (ret < 0) return; seq_printf(s, "secctx=%s ", ctx.context); diff --git a/net/netfilter/nfnetlink_queue.c b/net/netfilter/nfnetlink_queue.c index 8b4c5c08daa7..f7918b21672d 100644 --- a/net/netfilter/nfnetlink_queue.c +++ b/net/netfilter/nfnetlink_queue.c @@ -319,18 +319,18 @@ static int nfqnl_put_sk_classid(struct sk_buff *skb, struct sock *sk) return 0; } -static u32 nfqnl_get_sk_secctx(struct sk_buff *skb, char **secdata) +static u32 nfqnl_get_sk_secctx(struct sk_buff *skb, struct lsmcontext *ctx) { u32 seclen = 0; #if IS_ENABLED(CONFIG_NETWORK_SECMARK) + if (!skb || !sk_fullsock(skb->sk)) return 0; read_lock_bh(&skb->sk->sk_callback_lock); if (skb->secmark) - security_secid_to_secctx(skb->secmark, secdata, &seclen); - + seclen = security_secid_to_secctx(skb->secmark, ctx); read_unlock_bh(&skb->sk->sk_callback_lock); #endif return seclen; @@ -408,8 +408,7 @@ nfqnl_build_packet_message(struct net *net, struct nfqnl_instance *queue, enum ip_conntrack_info ctinfo = 0; const struct nfnl_ct_hook *nfnl_ct; bool csum_verify; - struct lsmcontext scaff; /* scaffolding */ - char *secdata = NULL; + struct lsmcontext ctx; u32 seclen = 0; ktime_t tstamp; @@ -484,8 +483,8 @@ nfqnl_build_packet_message(struct net *net, struct nfqnl_instance *queue, } if ((queue->flags & NFQA_CFG_F_SECCTX) && entskb->sk) { - seclen = nfqnl_get_sk_secctx(entskb, &secdata); - if (seclen) + seclen = nfqnl_get_sk_secctx(entskb, &ctx); + if (seclen >= 0) size += nla_total_size(seclen); } 
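Review bot: nfqnl_get_sk_secctx() still returns u32 and stores the int result of security_secid_to_secctx() in its `u32 seclen`, so a negative errno comes back as a large positive value; in nfqnl_build_packet_message() the kept context line `u32 seclen = 0;` then makes the new test `if (seclen >= 0) size += nla_total_size(seclen);` unconditionally true, reserving a bogus amount of space on failure. Both should be `int`, the size should only be reserved for `seclen > 0`, and a negative result should abort the message rather than be carried along. The moved blank line at the top of nfqnl_get_sk_secctx() (`+` before `if (!skb || ...)`, `-` after the call) is an unrelated whitespace change.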
@@ -624,7 +623,7 @@ nfqnl_build_packet_message(struct net *net, struct nfqnl_instance *queue, if (nfqnl_put_sk_classid(skb, entskb->sk) < 0) goto nla_put_failure; - if (seclen && nla_put(skb, NFQA_SECCTX, seclen, secdata)) + if (seclen && nla_put(skb, NFQA_SECCTX, ctx.len, ctx.context)) goto nla_put_failure; if (ct && nfnl_ct->build(skb, ct, ctinfo, NFQA_CT, NFQA_CT_INFO) < 0) @@ -652,10 +651,8 @@ nfqnl_build_packet_message(struct net *net, struct nfqnl_instance *queue, } nlh->nlmsg_len = skb->len; - if (seclen) { - lsmcontext_init(&scaff, secdata, seclen, 0); - security_release_secctx(&scaff); - } + if (seclen >= 0) + security_release_secctx(&ctx); return skb; nla_put_failure: @@ -663,10 +660,8 @@ nfqnl_build_packet_message(struct net *net, struct nfqnl_instance *queue, kfree_skb(skb); net_err_ratelimited("nf_queue: error creating packet message\n"); nlmsg_failure: - if (seclen) { - lsmcontext_init(&scaff, secdata, seclen, 0); - security_release_secctx(&scaff); - } + if (seclen >= 0) + security_release_secctx(&ctx); return NULL; } diff --git a/net/netlabel/netlabel_unlabeled.c b/net/netlabel/netlabel_unlabeled.c index 464105080245..b43cfb4fe4f1 100644 --- a/net/netlabel/netlabel_unlabeled.c +++ b/net/netlabel/netlabel_unlabeled.c @@ -437,8 +437,7 @@ int netlbl_unlhsh_add(struct net *net, unlhsh_add_return: rcu_read_unlock(); if (audit_buf != NULL) { - if (security_secid_to_secctx(secid, &ctx.context, - &ctx.len) == 0) { + if (security_secid_to_secctx(secid, &ctx) >= 0) { audit_log_format(audit_buf, " sec_obj=%s", ctx.context); security_release_secctx(&ctx); } @@ -491,8 +490,7 @@ static int netlbl_unlhsh_remove_addr4(struct net *net, addr->s_addr, mask->s_addr); dev_put(dev); if (entry != NULL && - security_secid_to_secctx(entry->secid, &ctx.context, - &ctx.len) == 0) { + security_secid_to_secctx(entry->secid, &ctx) >= 0) { audit_log_format(audit_buf, " sec_obj=%s", ctx.context); security_release_secctx(&ctx); } 
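Review bot: the two nfqnl_build_packet_message() release sites now read `if (seclen >= 0) security_release_secctx(&ctx);` while `ctx` is declared as a bare `struct lsmcontext ctx;` and `seclen` stays `u32 seclen = 0;`. When the `NFQA_CFG_F_SECCTX` branch is not taken, or the conversion fails, the condition is still true, so security_release_secctx() is handed an uninitialised stack struct and the AppArmor/SELinux release hooks kfree() whatever `ctx.context` happens to hold. Keep the original `if (seclen)` guard (with `seclen` an int that stays 0 on error), or initialise `ctx` to `{ NULL, 0, 0 }` so that a release on the empty path is a kfree(NULL) no-op. The `nla_put(skb, NFQA_SECCTX, ctx.len, ctx.context)` line a few hunks up already uses `seclen` as the guard and `ctx.len` as the length, which is the right split.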
@@ -550,8 +548,7 @@ static int netlbl_unlhsh_remove_addr6(struct net *net, addr, mask); dev_put(dev); if (entry != NULL && - security_secid_to_secctx(entry->secid, &ctx.context, - &ctx.len) == 0) { + security_secid_to_secctx(entry->secid, &ctx) >= 0) { audit_log_format(audit_buf, " sec_obj=%s", ctx.context); security_release_secctx(&ctx); } @@ -1122,8 +1119,8 @@ static int netlbl_unlabel_staticlist_gen(u32 cmd, secid = addr6->secid; } - ret_val = security_secid_to_secctx(secid, &ctx.context, &ctx.len); - if (ret_val != 0) + ret_val = security_secid_to_secctx(secid, &ctx); + if (ret_val < 0) goto list_cb_failure; ret_val = nla_put(cb_arg->skb, NLBL_UNLABEL_A_SECCTX, diff --git a/security/apparmor/include/secid.h b/security/apparmor/include/secid.h index e47c37c1beda..b66c2d043a02 100644 --- a/security/apparmor/include/secid.h +++ b/security/apparmor/include/secid.h @@ -25,7 +25,7 @@ struct aa_label; extern int apparmor_display_secid_mode; struct aa_label *aa_secid_to_label(u32 secid); -int apparmor_secid_to_secctx(u32 secid, char **secdata, u32 *seclen); +int apparmor_secid_to_secctx(u32 secid, struct lsmcontext *cp); int apparmor_lsmblob_to_secctx(struct lsmblob *blob, char **secdata, u32 *seclen); int apparmor_secctx_to_secid(const char *secdata, u32 seclen, u32 *secid); diff --git a/security/apparmor/secid.c b/security/apparmor/secid.c index e9f655f54a42..55d6c54fe90e 100644 --- a/security/apparmor/secid.c +++ b/security/apparmor/secid.c @@ -61,7 +61,7 @@ struct aa_label *aa_secid_to_label(u32 secid) return xa_load(&aa_secids, secid); } -int apparmor_secid_to_secctx(u32 secid, char **secdata, u32 *seclen) +int apparmor_secid_to_secctx(u32 secid, struct lsmcontext *cp) { /* TODO: cache secctx and ref count so we don't have to recreate */ struct aa_label *label = aa_secid_to_label(secid); 
@@ -76,8 +76,8 @@ int apparmor_secid_to_secctx(u32 secid, char **secdata, u32 *seclen) if (apparmor_display_secid_mode) flags |= FLAG_SHOW_MODE; - if (secdata) - len = aa_label_asxprint(secdata, root_ns, label, + if (cp) + len = aa_label_asxprint(&cp->context, root_ns, label, flags, GFP_ATOMIC); else len = aa_label_snxprint(NULL, 0, root_ns, label, flags); @@ -85,9 +85,12 @@ int apparmor_secid_to_secctx(u32 secid, char **secdata, u32 *seclen) if (len < 0) return -ENOMEM; - *seclen = len; + if (cp) { + cp->len = len; + cp->id = LSM_ID_APPARMOR; + } - return 0; + return len; } int apparmor_lsmblob_to_secctx(struct lsmblob *blob, char **secdata, diff --git a/security/security.c b/security/security.c index 063a209ac17f..708a26a88447 100644 --- a/security/security.c +++ b/security/security.c @@ -4172,17 +4172,16 @@ EXPORT_SYMBOL(security_ismaclabel); /** * security_secid_to_secctx() - Convert a secid to a secctx * @secid: secid - * @secdata: secctx - * @seclen: secctx length + * @cp: the LSM context * - * Convert secid to security context. If @secdata is NULL the length of the - * result will be returned in @seclen, but no @secdata will be returned. This + * Convert secid to security context. If @cp is NULL the length of the + * result will be returned, but no data will be returned. This * does mean that the length could change between calls to check the length and - * the next call which actually allocates and returns the @secdata. + * the next call which actually allocates and returns the data. * - * Return: Return 0 on success, error on failure. + * Return: Return length of data on success, error on failure. */ -int security_secid_to_secctx(u32 secid, char **secdata, u32 *seclen) +int security_secid_to_secctx(u32 secid, struct lsmcontext *cp) { struct security_hook_list *hp; int rc; 
@@ -4192,7 +4191,7 @@ int security_secid_to_secctx(u32 secid, char **secdata, u32 *seclen) * LSM hook is not "stackable"). */ hlist_for_each_entry(hp, &security_hook_heads.secid_to_secctx, list) { - rc = hp->hook.secid_to_secctx(secid, secdata, seclen); + rc = hp->hook.secid_to_secctx(secid, cp); if (rc != LSM_RET_DEFAULT(secid_to_secctx)) return rc; } @@ -4221,7 +4220,7 @@ int security_lsmblob_to_secctx(struct lsmblob *blob, char **secdata, struct security_hook_list *hp; int rc; - hlist_for_each_entry(hp, &security_hook_heads.secid_to_secctx, list) { + hlist_for_each_entry(hp, &security_hook_heads.lsmblob_to_secctx, list) { rc = hp->hook.lsmblob_to_secctx(blob, secdata, seclen); if (rc != LSM_RET_DEFAULT(secid_to_secctx)) return rc; diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c index 1a428a6964a0..37b97cf81da1 100644 --- a/security/selinux/hooks.c +++ b/security/selinux/hooks.c @@ -6565,9 +6565,22 @@ static int selinux_ismaclabel(const char *name) return (strcmp(name, XATTR_SELINUX_SUFFIX) == 0); } -static int selinux_secid_to_secctx(u32 secid, char **secdata, u32 *seclen) +static int selinux_secid_to_secctx(u32 secid, struct lsmcontext *cp) { - return security_sid_to_context(secid, secdata, seclen); + u32 seclen; + u32 ret; + + if (cp) { + cp->id = LSM_ID_SELINUX; + ret = security_sid_to_context(secid, &cp->context, &cp->len); + if (ret < 0) + return ret; + return cp->len; + } + ret = security_sid_to_context(secid, NULL, &seclen); + if (ret < 0) + return ret; + return seclen; } static int selinux_lsmblob_to_secctx(struct lsmblob *blob, char **secdata, diff --git a/security/smack/smack_lsm.c b/security/smack/smack_lsm.c index 7dab00bbd0ed..d82753bc52ab 100644 --- a/security/smack/smack_lsm.c +++ b/security/smack/smack_lsm.c 
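Review bot: the security_lsmblob_to_secctx() hunk changes the loop to walk `security_hook_heads.lsmblob_to_secctx` instead of `secid_to_secctx`; that is a bug fix for the earlier patch that introduced security_lsmblob_to_secctx() and belongs there, not in a patch titled "Use lsmcontext in security_secid_to_secctx". While at it, the early-return test still compares against `LSM_RET_DEFAULT(secid_to_secctx)`; both defaults are -EOPNOTSUPP per lsm_hook_defs.h so it works, but `LSM_RET_DEFAULT(lsmblob_to_secctx)` is what a reader expects.

Review bot: selinux_secid_to_secctx() declares `u32 ret;` and then tests `if (ret < 0) return ret;` in both branches; for an unsigned value that test is never true, so a failure from security_sid_to_context() is swallowed and the function returns `cp->len` (or the uninitialised `seclen`) as if the conversion had succeeded. Declare `ret` as `int`, which is also what the hook signature returns.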
@@ -4814,19 +4814,21 @@ static int smack_ismaclabel(const char *name) /** * smack_secid_to_secctx - return the smack label for a secid * @secid: incoming integer - * @secdata: destination - * @seclen: how long it is + * @cp: destination * * Exists for networking code. */ -static int smack_secid_to_secctx(u32 secid, char **secdata, u32 *seclen) +static int smack_secid_to_secctx(u32 secid, struct lsmcontext *cp) { struct smack_known *skp = smack_from_secid(secid); + int len = strlen(skp->smk_known); - if (secdata) - *secdata = skp->smk_known; - *seclen = strlen(skp->smk_known); - return 0; + if (cp) { + cp->context = skp->smk_known; + cp->len = len; + cp->id = LSM_ID_SMACK; + } + return len; } /**
From patchwork Fri Dec 15 22:16:12 2023
X-Patchwork-Submitter: Casey Schaufler
X-Patchwork-Id: 13495146
X-Patchwork-Delegate: paul@paul-moore.com
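Review bot: smack_secid_to_secctx() hands back `cp->context = skp->smk_known`, a pointer into Smack's persistent label, whereas the AppArmor and SELinux conversions return an allocated buffer that their release hooks kfree(). Until the `cp->id` dispatch those release hooks still carry as a comment is real, a Smack context reaching either of them would be freed; a short comment here saying the context is not owned by the caller and must never be freed would record the difference. `int len = strlen(...)` also narrows a size_t; harmless for labels, but `u32 len` would match the type of `cp->len` it is stored into.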
From: Casey Schaufler
To: casey@schaufler-ca.com, paul@paul-moore.com, linux-security-module@vger.kernel.org
Cc: jmorris@namei.org, serge@hallyn.com, keescook@chromium.org, john.johansen@canonical.com, penguin-kernel@i-love.sakura.ne.jp, stephen.smalley.work@gmail.com, linux-kernel@vger.kernel.org, mic@digikod.net, netdev@vger.kernel.org, audit@vger.kernel.org, netfilter-devel@vger.kernel.org, Todd Kjos
Subject: [PATCH v39 18/42] LSM: Use lsmcontext in security_lsmblob_to_secctx
Date: Fri, 15 Dec 2023 14:16:12 -0800
Message-ID: <20231215221636.105680-19-casey@schaufler-ca.com>
X-Mailer: git-send-email 2.43.0
In-Reply-To: <20231215221636.105680-1-casey@schaufler-ca.com>
References: <20231215221636.105680-1-casey@schaufler-ca.com>
X-Mailing-List: linux-security-module@vger.kernel.org

Replace the (secctx, seclen) pointer pair with a single lsmcontext pointer to allow return of the LSM identifier along with the context and context length. This allows security_release_secctx() to know how to release the context. Callers have been modified to use or save the returned data from the new structure. security_lsmblob_to_secctx() will now return the length value on success instead of 0.

Signed-off-by: Casey Schaufler
Cc: netdev@vger.kernel.org
Cc: audit@vger.kernel.org
Cc: netfilter-devel@vger.kernel.org
Cc: Todd Kjos
---
 include/linux/lsm_hook_defs.h     |  2 +-
 include/linux/security.h          |  5 ++---
 kernel/audit.c                    |  9 ++++-----
 kernel/auditsc.c                  | 17 ++++++-----------
 net/netlabel/netlabel_user.c      |  3 +--
 security/apparmor/include/secid.h |  3 +--
 security/apparmor/secid.c         | 14 ++++++++------
 security/security.c               | 24 +++++++++++-------------
 security/selinux/hooks.c          | 18 +++++++++++++---
 security/smack/smack_lsm.c        | 16 ++++++++++------
 10 files changed, 59 insertions(+), 52 deletions(-)

diff --git a/include/linux/lsm_hook_defs.h b/include/linux/lsm_hook_defs.h
index 8e0155ac6697..339a4559daf8 100644
--- a/include/linux/lsm_hook_defs.h +++ b/include/linux/lsm_hook_defs.h @@ -275,7 +275,7 @@ LSM_HOOK(int, -EINVAL, setprocattr, const char *name, void *value, size_t size) LSM_HOOK(int, 0, ismaclabel, const char *name) LSM_HOOK(int, -EOPNOTSUPP, secid_to_secctx, u32 secid, struct lsmcontext *cp) LSM_HOOK(int, -EOPNOTSUPP, lsmblob_to_secctx, struct lsmblob *blob, - char **secdata, u32 *seclen) + struct lsmcontext *cp) LSM_HOOK(int, 0, secctx_to_secid, const char *secdata, u32 seclen, u32 *secid) LSM_HOOK(void, LSM_RET_VOID, release_secctx, struct lsmcontext *cp) LSM_HOOK(void, LSM_RET_VOID, inode_invalidate_secctx, struct inode *inode) diff --git a/include/linux/security.h b/include/linux/security.h index 03b79089eaf7..2a0615a62125 100644 --- a/include/linux/security.h +++ b/include/linux/security.h @@ -563,8 +563,7 @@ int security_setprocattr(int lsmid, const char *name, void *value, size_t size); int security_netlink_send(struct sock *sk, struct sk_buff *skb); int security_ismaclabel(const char *name); int security_secid_to_secctx(u32 secid, struct lsmcontext *cp); -int security_lsmblob_to_secctx(struct lsmblob *blob, char **secdata, - u32 *seclen); +int security_lsmblob_to_secctx(struct lsmblob *blob, struct lsmcontext *cp); int security_secctx_to_secid(const char *secdata, u32 seclen, u32 *secid); void security_release_secctx(struct lsmcontext *cp); void security_inode_invalidate_secctx(struct inode *inode); @@ -1493,7 +1492,7 @@ static inline int security_secid_to_secctx(u32 secid, struct lsmcontext *cp) } static inline int security_lsmblob_to_secctx(struct lsmblob *blob, - char **secdata, u32 *seclen) + struct lsmcontext *cp) { return -EOPNOTSUPP; } diff --git a/kernel/audit.c b/kernel/audit.c index 47cfb6b20c3c..a93a710c980e 100644 --- a/kernel/audit.c +++ b/kernel/audit.c 
@@ -1462,9 +1462,8 @@ static int audit_receive_msg(struct sk_buff *skb, struct nlmsghdr *nlh) if (lsmblob_is_set(&audit_sig_lsm)) { err = security_lsmblob_to_secctx(&audit_sig_lsm, - &lsmctx.context, - &lsmctx.len); - if (err) + &lsmctx); + if (err < 0) return err; } sig_data_size = struct_size(sig_data, ctx, lsmctx.len); @@ -2175,8 +2174,8 @@ int audit_log_task_context(struct audit_buffer *ab) if (!lsmblob_is_set(&blob)) return 0; - error = security_lsmblob_to_secctx(&blob, &ctx.context, &ctx.len); - if (error) { + error = security_lsmblob_to_secctx(&blob, &ctx); + if (error < 0) { if (error != -EINVAL) goto error_path; return 0; diff --git a/kernel/auditsc.c b/kernel/auditsc.c index 2874255f5f25..c37cc02ea4cc 100644 --- a/kernel/auditsc.c +++ b/kernel/auditsc.c @@ -1109,7 +1109,7 @@ static int audit_log_pid_context(struct audit_context *context, pid_t pid, from_kuid(&init_user_ns, auid), from_kuid(&init_user_ns, uid), sessionid); if (lsmblob_is_set(blob)) { - if (security_lsmblob_to_secctx(blob, &ctx.context, &ctx.len)) { + if (security_lsmblob_to_secctx(blob, &ctx) < 0) { audit_log_format(ab, " obj=(none)"); rc = 1; } else { @@ -1370,7 +1370,7 @@ static void audit_log_time(struct audit_context *context, struct audit_buffer ** static void show_special(struct audit_context *context, int *call_panic) { - struct lsmcontext lsmcxt; + struct lsmcontext lsmctx; struct audit_buffer *ab; int i; @@ -1393,16 +1393,12 @@ static void show_special(struct audit_context *context, int *call_panic) from_kgid(&init_user_ns, context->ipc.gid), context->ipc.mode); if (lsmblob_is_set(&context->ipc.oblob)) { - char *ctx = NULL; - u32 len; - if (security_lsmblob_to_secctx(&context->ipc.oblob, - &ctx, &len)) { + &lsmctx) < 0) { *call_panic = 1; } else { - audit_log_format(ab, " obj=%s", ctx); - lsmcontext_init(&lsmcxt, ctx, len, 0); - security_release_secctx(&lsmcxt); + audit_log_format(ab, " obj=%s", lsmctx.context); + security_release_secctx(&lsmctx); } } if (context->ipc.has_perm) { 
@@ -1563,8 +1559,7 @@ static void audit_log_name(struct audit_context *context, struct audit_names *n, if (lsmblob_is_set(&n->oblob)) { struct lsmcontext ctx; - if (security_lsmblob_to_secctx(&n->oblob, &ctx.context, - &ctx.len)) { + if (security_lsmblob_to_secctx(&n->oblob, &ctx) < 0) { if (call_panic) *call_panic = 2; } else { diff --git a/net/netlabel/netlabel_user.c b/net/netlabel/netlabel_user.c index b9289a22b363..561e1e476a49 100644 --- a/net/netlabel/netlabel_user.c +++ b/net/netlabel/netlabel_user.c @@ -98,8 +98,7 @@ struct audit_buffer *netlbl_audit_start_common(int type, audit_info->sessionid); if (lsmblob_is_set(&audit_info->blob) && - security_lsmblob_to_secctx(&audit_info->blob, &ctx.context, - &ctx.len) == 0) { + security_lsmblob_to_secctx(&audit_info->blob, &ctx) >= 0) { audit_log_format(audit_buf, " subj=%s", ctx.context); security_release_secctx(&ctx); } diff --git a/security/apparmor/include/secid.h b/security/apparmor/include/secid.h index b66c2d043a02..568820a11efc 100644 --- a/security/apparmor/include/secid.h +++ b/security/apparmor/include/secid.h @@ -26,8 +26,7 @@ extern int apparmor_display_secid_mode; struct aa_label *aa_secid_to_label(u32 secid); int apparmor_secid_to_secctx(u32 secid, struct lsmcontext *cp); -int apparmor_lsmblob_to_secctx(struct lsmblob *blob, char **secdata, - u32 *seclen); +int apparmor_lsmblob_to_secctx(struct lsmblob *blob, struct lsmcontext *cp); int apparmor_secctx_to_secid(const char *secdata, u32 seclen, u32 *secid); void apparmor_release_secctx(struct lsmcontext *cp); diff --git a/security/apparmor/secid.c b/security/apparmor/secid.c index 55d6c54fe90e..c9b9a8d90afa 100644 --- a/security/apparmor/secid.c +++ b/security/apparmor/secid.c 
@@ -93,8 +93,7 @@ int apparmor_secid_to_secctx(u32 secid, struct lsmcontext *cp) return len; } -int apparmor_lsmblob_to_secctx(struct lsmblob *blob, char **secdata, - u32 *seclen) +int apparmor_lsmblob_to_secctx(struct lsmblob *blob, struct lsmcontext *cp) { /* TODO: cache secctx and ref count so we don't have to recreate */ struct aa_label *label; @@ -115,8 +114,8 @@ int apparmor_lsmblob_to_secctx(struct lsmblob *blob, char **secdata, if (apparmor_display_secid_mode) flags |= FLAG_SHOW_MODE; - if (secdata) - len = aa_label_asxprint(secdata, root_ns, label, + if (cp) + len = aa_label_asxprint(&cp->context, root_ns, label, flags, GFP_ATOMIC); else len = aa_label_snxprint(NULL, 0, root_ns, label, flags); @@ -124,9 +123,12 @@ int apparmor_lsmblob_to_secctx(struct lsmblob *blob, char **secdata, if (len < 0) return -ENOMEM; - *seclen = len; + if (cp) { + cp->len = len; + cp->id = LSM_ID_APPARMOR; + } - return 0; + return len; } int apparmor_secctx_to_secid(const char *secdata, u32 seclen, u32 *secid) diff --git a/security/security.c b/security/security.c index 708a26a88447..e070a6cd4089 100644 --- a/security/security.c +++ b/security/security.c 
@@ -4203,30 +4203,28 @@ EXPORT_SYMBOL(security_secid_to_secctx); /** * security_lsmblob_to_secctx() - Convert a lsmblob to a secctx * @blob: lsm specific information - * @secdata: secctx - * @seclen: secctx length + * @cp: the LSM context * - * Convert a @blob entry to security context. If @secdata is NULL the - * length of the result will be returned in @seclen, but no @secdata - * will be returned. This does mean that the length could change between - * calls to check the length and the next call which actually allocates - * and returns the @secdata. + * Convert a @blob entry to security context. If @cp is NULL the + * length of the result will be returned, but no data will be returned. + * This does mean that the length could change between calls to check + * the length and the next call which actually allocates and returns + * the data. * - * Return: Return 0 on success, error on failure. + * Return: Return length of data on success, error on failure. */ -int security_lsmblob_to_secctx(struct lsmblob *blob, char **secdata, - u32 *seclen) +int security_lsmblob_to_secctx(struct lsmblob *blob, struct lsmcontext *cp) { struct security_hook_list *hp; int rc; hlist_for_each_entry(hp, &security_hook_heads.lsmblob_to_secctx, list) { - rc = hp->hook.lsmblob_to_secctx(blob, secdata, seclen); - if (rc != LSM_RET_DEFAULT(secid_to_secctx)) + rc = hp->hook.lsmblob_to_secctx(blob, cp); + if (rc != LSM_RET_DEFAULT(lsmblob_to_secctx)) return rc; } - return LSM_RET_DEFAULT(secid_to_secctx); + return LSM_RET_DEFAULT(lsmblob_to_secctx); } EXPORT_SYMBOL(security_lsmblob_to_secctx); diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c index 37b97cf81da1..d138aa692abd 100644 --- a/security/selinux/hooks.c +++ b/security/selinux/hooks.c 
@@ -6583,16 +6583,28 @@ static int selinux_secid_to_secctx(u32 secid, struct lsmcontext *cp) return seclen; } -static int selinux_lsmblob_to_secctx(struct lsmblob *blob, char **secdata, - u32 *seclen) +static int selinux_lsmblob_to_secctx(struct lsmblob *blob, + struct lsmcontext *cp) { u32 secid = blob->selinux.secid; + u32 seclen; + u32 ret; /* stacking scaffolding */ if (!secid) secid = blob->scaffold.secid; - return security_sid_to_context(secid, secdata, seclen); + if (cp) { + cp->id = LSM_ID_SELINUX; + ret = security_sid_to_context(secid, &cp->context, &cp->len); + if (ret < 0) + return ret; + return cp->len; + } + ret = security_sid_to_context(secid, NULL, &seclen); + if (ret < 0) + return ret; + return seclen; } static int selinux_secctx_to_secid(const char *secdata, u32 seclen, u32 *secid) diff --git a/security/smack/smack_lsm.c b/security/smack/smack_lsm.c index d82753bc52ab..1fdd4233a9b3 100644 --- a/security/smack/smack_lsm.c +++ b/security/smack/smack_lsm.c 
@@ -4839,19 +4839,23 @@ static int smack_secid_to_secctx(u32 secid, struct lsmcontext *cp) * * Exists for audit code. */ -static int smack_lsmblob_to_secctx(struct lsmblob *blob, char **secdata, - u32 *seclen) +static int smack_lsmblob_to_secctx(struct lsmblob *blob, struct lsmcontext *cp) { struct smack_known *skp = blob->smack.skp; + int len; /* stacking scaffolding */ if (!skp && blob->scaffold.secid) skp = smack_from_secid(blob->scaffold.secid); - if (secdata) - *secdata = skp->smk_known; - *seclen = strlen(skp->smk_known); - return 0; + len = strlen(skp->smk_known); + + if (cp) { + cp->context = skp->smk_known; + cp->len = len; + cp->id = LSM_ID_SMACK; + } + return len; } /**
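Review bot: in the security/selinux/hooks.c hunk, `u32 ret;` makes both `if (ret < 0) return ret;` checks dead code, because an unsigned value is never negative. security_sid_to_context() returns a negative int on failure, so instead of propagating the error the function falls through and returns whatever security_sid_to_context() left in `cp->len` or `seclen`. Declare it `int ret;` (the hook's own return type) and keep `u32 seclen` only for the length out-parameter; -Wtype-limits would have flagged the comparison.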
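Review bot: in the security/security.c hunk, security_lsmblob_to_secctx() hands `cp` to the hooks without clearing it, so after an error return `cp->id`, `cp->context` and `cp->len` are whatever the caller had on its stack, and a security_release_secctx() on that struct would dispatch on garbage. The inode_getsecctx conversion in the next patch does `memset(cp, 0, sizeof(*cp));` first; doing the same here when `cp` is non-NULL makes the error paths in audit, auditsc and netlabel safe by construction. Separately, replacing the stale `LSM_RET_DEFAULT(secid_to_secctx)` with `LSM_RET_DEFAULT(lsmblob_to_secctx)` is a correct fix of a copy-and-paste slip and deserves a line in the commit message; both defaults are -EOPNOTSUPP today per lsm_hook_defs.h, so there is no behaviour change now.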
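Review bot: in the security/smack/smack_lsm.c hunk, `len = strlen(skp->smk_known);` still dereferences `skp` unconditionally, while the scaffolding branch just above only fills it in when `blob->scaffold.secid` is non-zero. Today every caller guards with lsmblob_is_set(), but this hook now also serves the NULL-`cp` length query, and returning -EINVAL when `skp` is NULL is cheaper than an oops if a caller ever forgets the guard.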
From: Casey Schaufler
To: casey@schaufler-ca.com, paul@paul-moore.com, linux-security-module@vger.kernel.org
Cc: jmorris@namei.org, serge@hallyn.com, keescook@chromium.org, john.johansen@canonical.com, penguin-kernel@i-love.sakura.ne.jp, stephen.smalley.work@gmail.com, linux-kernel@vger.kernel.org, mic@digikod.net, Chuck Lever, linux-nfs@vger.kernel.org
Subject: [PATCH v39 19/42] LSM: Use lsmcontext in security_inode_getsecctx
Date: Fri, 15 Dec 2023 14:16:13 -0800
Message-ID: <20231215221636.105680-20-casey@schaufler-ca.com>
In-Reply-To: <20231215221636.105680-1-casey@schaufler-ca.com>
References: <20231215221636.105680-1-casey@schaufler-ca.com>

Change the security_inode_getsecctx() interface to fill a lsmcontext structure instead of data and length pointers. This provides the information about which LSM created the context so that security_release_secctx() can use the correct hook.

Acked-by: Stephen Smalley
Acked-by: Paul Moore
Acked-by: Chuck Lever
Reviewed-by: Kees Cook
Reviewed-by: John Johansen
Signed-off-by: Casey Schaufler
Cc: linux-nfs@vger.kernel.org
---
 fs/nfsd/nfs4xdr.c             | 25 +++++++++----------------
 include/linux/lsm_hook_defs.h |  4 ++--
 include/linux/security.h      |  5 +++--
 security/security.c           | 12 ++++++------
 security/selinux/hooks.c      | 10 ++++++----
 security/smack/smack_lsm.c    |  7 ++++---
 6 files changed, 30 insertions(+), 33 deletions(-)

diff --git a/fs/nfsd/nfs4xdr.c b/fs/nfsd/nfs4xdr.c
index 9cade754356a..d81a32c5929c 100644
--- a/fs/nfsd/nfs4xdr.c
+++ b/fs/nfsd/nfs4xdr.c
@@ -2805,11 +2805,11 @@ static __be32 nfsd4_encode_nfsace4(struct xdr_stream *xdr, struct svc_rqst *rqst #ifdef CONFIG_NFSD_V4_SECURITY_LABEL static inline __be32 nfsd4_encode_security_label(struct xdr_stream *xdr, struct svc_rqst *rqstp, - void *context, int len) + const struct lsmcontext *context) { __be32 *p; - p = xdr_reserve_space(xdr, len + 4 + 4 + 4); + p = xdr_reserve_space(xdr, context->len + 4 + 4 + 4); if (!p) return nfserr_resource; @@ -2819,13 +2819,13 @@ nfsd4_encode_security_label(struct xdr_stream *xdr, struct svc_rqst *rqstp, */ *p++ = cpu_to_be32(0); /* lfs */ *p++ = cpu_to_be32(0); /* pi */ - p = xdr_encode_opaque(p, context, len); + p = xdr_encode_opaque(p, context->context, context->len); return 0; } #else static inline __be32 nfsd4_encode_security_label(struct xdr_stream *xdr, struct svc_rqst *rqstp, - void *context, int len) + struct lsmcontext *context) { return 0; } #endif @@ -2908,8 +2908,7 @@ struct nfsd4_fattr_args { struct nfs4_acl *acl; u64 size; #ifdef CONFIG_NFSD_V4_SECURITY_LABEL - void *context; - int contextlen; + struct lsmcontext context; #endif u32 rdattr_err; bool contextsupport; @@ -3364,8 +3363,7 @@ static __be32 nfsd4_encode_fattr4_suppattr_exclcreat(struct xdr_stream *xdr, static __be32 nfsd4_encode_fattr4_sec_label(struct xdr_stream *xdr, const struct nfsd4_fattr_args *args) { - return nfsd4_encode_security_label(xdr, args->rqstp, - args->context, args->contextlen); + return nfsd4_encode_security_label(xdr, args->rqstp, &args->context); } #endif @@ -3587,12 +3585,11 @@ nfsd4_encode_fattr4(struct svc_rqst *rqstp, struct xdr_stream *xdr, args.contextsupport = false; #ifdef CONFIG_NFSD_V4_SECURITY_LABEL - args.context = NULL; if ((u.attrmask[2] & FATTR4_WORD2_SECURITY_LABEL) || u.attrmask[0] & FATTR4_WORD0_SUPPORTED_ATTRS) { if (exp->ex_flags & NFSEXP_SECURITY_LABEL) err = security_inode_getsecctx(d_inode(dentry), - &args.context, &args.contextlen); + &args.context); else err = -EOPNOTSUPP; args.contextsupport = (err == 0); 
@@ -3627,12 +3624,8 @@ nfsd4_encode_fattr4(struct svc_rqst *rqstp, struct xdr_stream *xdr, out: #ifdef CONFIG_NFSD_V4_SECURITY_LABEL - if (args.context) { - struct lsmcontext scaff; /* scaffolding */ - - lsmcontext_init(&scaff, args.context, args.contextlen, 0); - security_release_secctx(&scaff); - } + if (args.context.context) + security_release_secctx(&args.context); #endif /* CONFIG_NFSD_V4_SECURITY_LABEL */ kfree(args.acl); if (tempfh) { diff --git a/include/linux/lsm_hook_defs.h b/include/linux/lsm_hook_defs.h index 339a4559daf8..f2bbce7fb28e 100644 --- a/include/linux/lsm_hook_defs.h +++ b/include/linux/lsm_hook_defs.h @@ -281,8 +281,8 @@ LSM_HOOK(void, LSM_RET_VOID, release_secctx, struct lsmcontext *cp) LSM_HOOK(void, LSM_RET_VOID, inode_invalidate_secctx, struct inode *inode) LSM_HOOK(int, 0, inode_notifysecctx, struct inode *inode, void *ctx, u32 ctxlen) LSM_HOOK(int, 0, inode_setsecctx, struct dentry *dentry, void *ctx, u32 ctxlen) -LSM_HOOK(int, -EOPNOTSUPP, inode_getsecctx, struct inode *inode, void **ctx, - u32 *ctxlen) +LSM_HOOK(int, -EOPNOTSUPP, inode_getsecctx, struct inode *inode, + struct lsmcontext *cp) #if defined(CONFIG_SECURITY) && defined(CONFIG_WATCH_QUEUE) LSM_HOOK(int, 0, post_notification, const struct cred *w_cred, diff --git a/include/linux/security.h b/include/linux/security.h index 2a0615a62125..dbbfbcfbb299 100644 --- a/include/linux/security.h +++ b/include/linux/security.h 
@@ -569,7 +569,7 @@ void security_release_secctx(struct lsmcontext *cp); void security_inode_invalidate_secctx(struct inode *inode); int security_inode_notifysecctx(struct inode *inode, void *ctx, u32 ctxlen); int security_inode_setsecctx(struct dentry *dentry, void *ctx, u32 ctxlen); -int security_inode_getsecctx(struct inode *inode, void **ctx, u32 *ctxlen); +int security_inode_getsecctx(struct inode *inode, struct lsmcontext *cp); int security_locked_down(enum lockdown_reason what); int lsm_fill_user_ctx(struct lsm_ctx __user *uctx, size_t *uctx_len, void *val, size_t val_len, u64 id, u64 flags); @@ -1520,7 +1520,8 @@ static inline int security_inode_setsecctx(struct dentry *dentry, void *ctx, u32 { return -EOPNOTSUPP; } -static inline int security_inode_getsecctx(struct inode *inode, void **ctx, u32 *ctxlen) +static inline int security_inode_getsecctx(struct inode *inode, + struct lsmcontext *cp) { return -EOPNOTSUPP; } diff --git a/security/security.c b/security/security.c index e070a6cd4089..e1487979603e 100644 --- a/security/security.c +++ b/security/security.c @@ -4317,17 +4317,17 @@ EXPORT_SYMBOL(security_inode_setsecctx); /** * security_inode_getsecctx() - Get the security label of an inode * @inode: inode - * @ctx: secctx - * @ctxlen: length of secctx + * @cp: security context * - * On success, returns 0 and fills out @ctx and @ctxlen with the security - * context for the given @inode. + * On success, returns 0 and fills out @cp with the security context + * for the given @inode. * * Return: Returns 0 on success, error on failure. */ -int security_inode_getsecctx(struct inode *inode, void **ctx, u32 *ctxlen) +int security_inode_getsecctx(struct inode *inode, struct lsmcontext *cp) { - return call_int_hook(inode_getsecctx, -EOPNOTSUPP, inode, ctx, ctxlen); + memset(cp, 0, sizeof(*cp)); + return call_int_hook(inode_getsecctx, -EOPNOTSUPP, inode, cp); } EXPORT_SYMBOL(security_inode_getsecctx); 
diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c index d138aa692abd..1e97b703f252 100644 --- a/security/selinux/hooks.c +++ b/security/selinux/hooks.c @@ -6654,14 +6654,16 @@ static int selinux_inode_setsecctx(struct dentry *dentry, void *ctx, u32 ctxlen) ctx, ctxlen, 0); } -static int selinux_inode_getsecctx(struct inode *inode, void **ctx, u32 *ctxlen) +static int selinux_inode_getsecctx(struct inode *inode, struct lsmcontext *cp) { - int len = 0; + int len; len = selinux_inode_getsecurity(&nop_mnt_idmap, inode, - XATTR_SELINUX_SUFFIX, ctx, true); + XATTR_SELINUX_SUFFIX, + (void **)&cp->context, true); if (len < 0) return len; - *ctxlen = len; + cp->len = len; + cp->id = LSM_ID_SELINUX; return 0; } #ifdef CONFIG_KEYS diff --git a/security/smack/smack_lsm.c b/security/smack/smack_lsm.c index 1fdd4233a9b3..a58e2c14f120 100644 --- a/security/smack/smack_lsm.c +++ b/security/smack/smack_lsm.c 
@@ -4895,12 +4895,13 @@ static int smack_inode_setsecctx(struct dentry *dentry, void *ctx, u32 ctxlen) ctx, ctxlen, 0); } -static int smack_inode_getsecctx(struct inode *inode, void **ctx, u32 *ctxlen) +static int smack_inode_getsecctx(struct inode *inode, struct lsmcontext *cp) { struct smack_known *skp = smk_of_inode(inode); - *ctx = skp->smk_known; - *ctxlen = strlen(skp->smk_known); + cp->context = skp->smk_known; + cp->len = strlen(skp->smk_known); + cp->id = LSM_ID_SMACK; return 0; }
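Review bot: in the fs/nfsd/nfs4xdr.c hunk at nfsd4_encode_fattr4(), deleting `args.context = NULL;` leaves `args.context.context` unset on every path that never reaches security_inode_getsecctx() (an attrmask without FATTR4_WORD2_SECURITY_LABEL, or an export without NFSEXP_SECURITY_LABEL, where `err = -EOPNOTSUPP` is taken instead), yet the `out:` hunk now does `if (args.context.context) security_release_secctx(&args.context);`. The `memset()` added to security_inode_getsecctx() only helps when that hook is actually called. Unless `args` is zero-initialised at its declaration (not visible in this hunk; the explicit `args.contextsupport = false;` suggests it is not), keep an explicit `args.context.context = NULL;` or `memset(&args.context, 0, sizeof(args.context));` where the old assignment was.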
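Review bot: in the first fs/nfsd/nfs4xdr.c hunk, the CONFIG_NFSD_V4_SECURITY_LABEL version of nfsd4_encode_security_label() takes `const struct lsmcontext *context` while the `#else` stub takes `struct lsmcontext *context`; give the stub the same `const` so the two build configurations present one prototype.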
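Review bot: in the security/security.c hunk, the kernel-doc for security_inode_getsecctx() still only says "On success, returns 0 and fills out @cp", but the new `memset(cp, 0, sizeof(*cp));` also guarantees a zeroed @cp (NULL context, LSM id 0) on failure, and that is exactly the property the nfsd caller's `if (args.context.context)` release test depends on. State it in the comment so the guarantee is not lost in a later cleanup.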
From: Casey Schaufler
To: casey@schaufler-ca.com, paul@paul-moore.com, linux-security-module@vger.kernel.org
Cc: jmorris@namei.org, serge@hallyn.com, keescook@chromium.org, john.johansen@canonical.com, penguin-kernel@i-love.sakura.ne.jp, stephen.smalley.work@gmail.com, linux-kernel@vger.kernel.org, mic@digikod.net, ceph-devel@vger.kernel.org, linux-nfs@vger.kernel.org
Subject: [PATCH v39 20/42] LSM: Use lsmcontext in security_dentry_init_security
Date: Fri, 15 Dec 2023 14:16:14 -0800
Message-ID: <20231215221636.105680-21-casey@schaufler-ca.com>
In-Reply-To: <20231215221636.105680-1-casey@schaufler-ca.com>
References: <20231215221636.105680-1-casey@schaufler-ca.com>

Replace the (secctx,seclen) pointer pair with a single lsmcontext pointer to allow return of the LSM identifier along with the context and context length. This allows security_release_secctx() to know how to release the context. Callers have been modified to use or save the returned data from the new structure.

Special care is taken in the NFS code, which uses the same data structure for its own copied labels as it does for the data which comes from security_dentry_init_security(). In the case of copied labels the data has to be freed, not released.
Signed-off-by: Casey Schaufler Cc: ceph-devel@vger.kernel.org Cc: linux-nfs@vger.kernel.org --- fs/ceph/super.h | 3 +-- fs/ceph/xattr.c | 19 ++++++------------- fs/fuse/dir.c | 35 ++++++++++++++++++----------------- fs/nfs/dir.c | 2 +- fs/nfs/inode.c | 17 ++++++++++------- fs/nfs/internal.h | 8 +++++--- fs/nfs/nfs4proc.c | 22 +++++++++------------- fs/nfs/nfs4xdr.c | 22 ++++++++++++---------- include/linux/lsm_hook_defs.h | 2 +- include/linux/nfs4.h | 8 ++++---- include/linux/nfs_fs.h | 2 +- include/linux/security.h | 7 +++---- security/security.c | 9 ++++----- security/selinux/hooks.c | 9 +++++---- 14 files changed, 80 insertions(+), 85 deletions(-) diff --git a/fs/ceph/super.h b/fs/ceph/super.h index fe0f64a0acb2..d503cc7478b7 100644 --- a/fs/ceph/super.h +++ b/fs/ceph/super.h @@ -1133,8 +1133,7 @@ struct ceph_acl_sec_ctx { void *acl; #endif #ifdef CONFIG_CEPH_FS_SECURITY_LABEL - void *sec_ctx; - u32 sec_ctxlen; + struct lsmcontext lsmctx; #endif #ifdef CONFIG_FS_ENCRYPTION struct ceph_fscrypt_auth *fscrypt_auth; diff --git a/fs/ceph/xattr.c b/fs/ceph/xattr.c index 113956d386c0..4c767a20ac4c 100644 --- a/fs/ceph/xattr.c +++ b/fs/ceph/xattr.c @@ -1383,8 +1383,7 @@ int ceph_security_init_secctx(struct dentry *dentry, umode_t mode, int err; err = security_dentry_init_security(dentry, mode, &dentry->d_name, - &name, &as_ctx->sec_ctx, - &as_ctx->sec_ctxlen); + &name, &as_ctx->lsmctx); if (err < 0) { WARN_ON_ONCE(err != -EOPNOTSUPP); err = 0; /* do nothing */ @@ -1409,7 +1408,7 @@ int ceph_security_init_secctx(struct dentry *dentry, umode_t mode, */ name_len = strlen(name); err = ceph_pagelist_reserve(pagelist, - 4 * 2 + name_len + as_ctx->sec_ctxlen); + 4 * 2 + name_len + as_ctx->lsmctx.len); if (err) goto out; 
@@ -1429,11 +1428,9 @@ int ceph_security_init_secctx(struct dentry *dentry, umode_t mode, as_ctx->pagelist = pagelist; } - ceph_pagelist_encode_32(pagelist, name_len); - ceph_pagelist_append(pagelist, name, name_len); - - ceph_pagelist_encode_32(pagelist, as_ctx->sec_ctxlen); - ceph_pagelist_append(pagelist, as_ctx->sec_ctx, as_ctx->sec_ctxlen); + ceph_pagelist_encode_32(pagelist, as_ctx->lsmctx.len); + ceph_pagelist_append(pagelist, as_ctx->lsmctx.context, + as_ctx->lsmctx.len); err = 0; out: @@ -1446,16 +1443,12 @@ int ceph_security_init_secctx(struct dentry *dentry, umode_t mode, void ceph_release_acl_sec_ctx(struct ceph_acl_sec_ctx *as_ctx) { -#ifdef CONFIG_CEPH_FS_SECURITY_LABEL - struct lsmcontext scaff; /* scaffolding */ -#endif #ifdef CONFIG_CEPH_FS_POSIX_ACL posix_acl_release(as_ctx->acl); posix_acl_release(as_ctx->default_acl); #endif #ifdef CONFIG_CEPH_FS_SECURITY_LABEL - lsmcontext_init(&scaff, as_ctx->sec_ctx, as_ctx->sec_ctxlen, 0); - security_release_secctx(&scaff); + security_release_secctx(&as_ctx->lsmctx); #endif #ifdef CONFIG_FS_ENCRYPTION kfree(as_ctx->fscrypt_auth); diff --git a/fs/fuse/dir.c b/fs/fuse/dir.c index d19cbf34c634..ee24797842df 100644 --- a/fs/fuse/dir.c +++ b/fs/fuse/dir.c 
@@ -462,29 +462,29 @@ static int get_security_context(struct dentry *entry, umode_t mode, { struct fuse_secctx *fctx; struct fuse_secctx_header *header; - void *ctx = NULL, *ptr; - u32 ctxlen, total_len = sizeof(*header); + struct lsmcontext lsmctx = { }; + void *ptr; + u32 total_len = sizeof(*header); int err, nr_ctx = 0; - const char *name; + const char *name = NULL; size_t namelen; err = security_dentry_init_security(entry, mode, &entry->d_name, - &name, &ctx, &ctxlen); - if (err) { - if (err != -EOPNOTSUPP) - goto out_err; - /* No LSM is supporting this security hook. Ignore error */ - ctxlen = 0; - ctx = NULL; - } + &name, &lsmctx); + + /* If no LSM is supporting this security hook ignore error */ + if (err && err != -EOPNOTSUPP) + goto out_err; - if (ctxlen) { + if (lsmctx.len) { nr_ctx = 1; namelen = strlen(name) + 1; err = -EIO; - if (WARN_ON(namelen > XATTR_NAME_MAX + 1 || ctxlen > S32_MAX)) + if (WARN_ON(namelen > XATTR_NAME_MAX + 1 || + lsmctx.len > S32_MAX)) goto out_err; - total_len += FUSE_REC_ALIGN(sizeof(*fctx) + namelen + ctxlen); + total_len += FUSE_REC_ALIGN(sizeof(*fctx) + namelen + + lsmctx.len); } err = -ENOMEM; @@ -497,19 +497,20 @@ static int get_security_context(struct dentry *entry, umode_t mode, ptr += sizeof(*header); if (nr_ctx) { fctx = ptr; - fctx->size = ctxlen; + fctx->size = lsmctx.len; ptr += sizeof(*fctx); strcpy(ptr, name); ptr += namelen; - memcpy(ptr, ctx, ctxlen); + memcpy(ptr, lsmctx.context, lsmctx.len); } ext->size = total_len; ext->value = header; err = 0; out_err: - kfree(ctx); + if (nr_ctx) + security_release_secctx(&lsmctx); return err; } diff --git a/fs/nfs/dir.c b/fs/nfs/dir.c index 13dffe4201e6..c56a7caea6d3 100644 --- a/fs/nfs/dir.c +++ b/fs/nfs/dir.c 
@@ -807,7 +807,7 @@ static int nfs_readdir_entry_decode(struct nfs_readdir_descriptor *desc, int ret; if (entry->fattr->label) - entry->fattr->label->len = NFS4_MAXLABELLEN; + entry->fattr->label->lsmctx.len = NFS4_MAXLABELLEN; ret = xdr_decode(desc, entry, stream); if (ret || !desc->plus) return ret; diff --git a/fs/nfs/inode.c b/fs/nfs/inode.c index ebb8d60e1152..ddd8f7bae5de 100644 --- a/fs/nfs/inode.c +++ b/fs/nfs/inode.c @@ -357,14 +357,15 @@ void nfs_setsecurity(struct inode *inode, struct nfs_fattr *fattr) return; if ((fattr->valid & NFS_ATTR_FATTR_V4_SECURITY_LABEL) && inode->i_security) { - error = security_inode_notifysecctx(inode, fattr->label->label, - fattr->label->len); + error = security_inode_notifysecctx(inode, + fattr->label->lsmctx.context, + fattr->label->lsmctx.len); if (error) printk(KERN_ERR "%s() %s %d " "security_inode_notifysecctx() %d\n", __func__, - (char *)fattr->label->label, - fattr->label->len, error); + (char *)fattr->label->lsmctx.context, + fattr->label->lsmctx.len, error); nfs_clear_label_invalid(inode); } } @@ -380,12 +381,14 @@ struct nfs4_label *nfs4_label_alloc(struct nfs_server *server, gfp_t flags) if (label == NULL) return ERR_PTR(-ENOMEM); - label->label = kzalloc(NFS4_MAXLABELLEN, flags); - if (label->label == NULL) { + label->lsmctx.context = kzalloc(NFS4_MAXLABELLEN, flags); + if (label->lsmctx.context == NULL) { kfree(label); return ERR_PTR(-ENOMEM); } - label->len = NFS4_MAXLABELLEN; + label->lsmctx.len = NFS4_MAXLABELLEN; + /* Use an invalid LSM ID as this should never be "released". */ + label->lsmctx.id = LSM_ID_UNDEF; return label; } diff --git a/fs/nfs/internal.h b/fs/nfs/internal.h index 9c9cf764f600..1bc7cdf52f04 100644 --- a/fs/nfs/internal.h +++ b/fs/nfs/internal.h 
@@ -346,13 +346,15 @@ nfs4_label_copy(struct nfs4_label *dst, struct nfs4_label *src) if (!dst || !src) return NULL; - if (src->len > NFS4_MAXLABELLEN) + if (src->lsmctx.len > NFS4_MAXLABELLEN) return NULL; dst->lfs = src->lfs; dst->pi = src->pi; - dst->len = src->len; - memcpy(dst->label, src->label, src->len); + /* Use an invalid LSM ID as lsmctx should never be "released" */ + dst->lsmctx.id = LSM_ID_UNDEF; + dst->lsmctx.len = src->lsmctx.len; + memcpy(dst->lsmctx.context, src->lsmctx.context, src->lsmctx.len); return dst; } diff --git a/fs/nfs/nfs4proc.c b/fs/nfs/nfs4proc.c index 6ea99e2aabf3..79626ce7cecd 100644 --- a/fs/nfs/nfs4proc.c +++ b/fs/nfs/nfs4proc.c @@ -124,12 +124,11 @@ nfs4_label_init_security(struct inode *dir, struct dentry *dentry, label->lfs = 0; label->pi = 0; - label->len = 0; - label->label = NULL; + label->lsmctx.len = 0; + label->lsmctx.context = NULL; err = security_dentry_init_security(dentry, sattr->ia_mode, - &dentry->d_name, NULL, - (void **)&label->label, &label->len); + &dentry->d_name, NULL, &label->lsmctx); if (err == 0) return label; @@ -138,12 +137,8 @@ nfs4_label_init_security(struct inode *dir, struct dentry *dentry, static inline void nfs4_label_release_security(struct nfs4_label *label) { - struct lsmcontext scaff; /* scaffolding */ - - if (label) { - lsmcontext_init(&scaff, label->label, label->len, 0); - security_release_secctx(&scaff); - } + if (label) + security_release_secctx(&label->lsmctx); } static inline u32 *nfs4_bitmask(struct nfs_server *server, struct nfs4_label *label) { @@ -6155,7 +6150,7 @@ static int _nfs4_get_security_label(struct inode *inode, void *buf, size_t buflen) { struct nfs_server *server = NFS_SERVER(inode); - struct nfs4_label label = {0, 0, buflen, buf}; + struct nfs4_label label = {0, 0, {buf, buflen, -1} }; u32 bitmask[3] = { 0, 0, FATTR4_WORD2_SECURITY_LABEL }; struct nfs_fattr fattr = { 
@@ -6183,7 +6178,7 @@ static int _nfs4_get_security_label(struct inode *inode, void *buf, return ret; if (!(fattr.valid & NFS_ATTR_FATTR_V4_SECURITY_LABEL)) return -ENOENT; - return label.len; + return label.lsmctx.len; } static int nfs4_get_security_label(struct inode *inode, void *buf, @@ -6260,7 +6255,8 @@ static int nfs4_do_set_security_label(struct inode *inode, static int nfs4_set_security_label(struct inode *inode, const void *buf, size_t buflen) { - struct nfs4_label ilabel = {0, 0, buflen, (char *)buf }; + struct nfs4_label ilabel = {0, 0, + {(char *)buf, buflen, -1}}; struct nfs_fattr *fattr; int status; diff --git a/fs/nfs/nfs4xdr.c b/fs/nfs/nfs4xdr.c index deec76cf5afe..fe6d184ff169 100644 --- a/fs/nfs/nfs4xdr.c +++ b/fs/nfs/nfs4xdr.c @@ -1154,7 +1154,7 @@ static void encode_attrs(struct xdr_stream *xdr, const struct iattr *iap, } if (label && (attrmask[2] & FATTR4_WORD2_SECURITY_LABEL)) { - len += 4 + 4 + 4 + (XDR_QUADLEN(label->len) << 2); + len += 4 + 4 + 4 + (XDR_QUADLEN(label->lsmctx.len) << 2); bmval[2] |= FATTR4_WORD2_SECURITY_LABEL; } @@ -1186,8 +1186,9 @@ static void encode_attrs(struct xdr_stream *xdr, const struct iattr *iap, if (label && (bmval[2] & FATTR4_WORD2_SECURITY_LABEL)) { *p++ = cpu_to_be32(label->lfs); *p++ = cpu_to_be32(label->pi); - *p++ = cpu_to_be32(label->len); - p = xdr_encode_opaque_fixed(p, label->label, label->len); + *p++ = cpu_to_be32(label->lsmctx.len); + p = xdr_encode_opaque_fixed(p, label->lsmctx.context, + label->lsmctx.len); } if (bmval[2] & FATTR4_WORD2_MODE_UMASK) { *p++ = cpu_to_be32(iap->ia_mode & S_IALLUGO); 
@@ -4236,11 +4237,11 @@ static int decode_attr_security_label(struct xdr_stream *xdr, uint32_t *bitmap, return -EIO; bitmap[2] &= ~FATTR4_WORD2_SECURITY_LABEL; if (len < NFS4_MAXLABELLEN) { - if (label && label->len) { - if (label->len < len) + if (label && label->lsmctx.len) { + if (label->lsmctx.len < len) return -ERANGE; - memcpy(label->label, p, len); - label->len = len; + memcpy(label->lsmctx.context, p, len); + label->lsmctx.len = len; label->pi = pi; label->lfs = lfs; status = NFS_ATTR_FATTR_V4_SECURITY_LABEL; @@ -4248,10 +4249,11 @@ static int decode_attr_security_label(struct xdr_stream *xdr, uint32_t *bitmap, } else printk(KERN_WARNING "%s: label too long (%u)!\n", __func__, len); - if (label && label->label) + if (label && label->lsmctx.context) dprintk("%s: label=%.*s, len=%d, PI=%d, LFS=%d\n", - __func__, label->len, (char *)label->label, - label->len, label->pi, label->lfs); + __func__, label->lsmctx.len, + (char *)label->lsmctx.context, + label->lsmctx.len, label->pi, label->lfs); } return status; } diff --git a/include/linux/lsm_hook_defs.h b/include/linux/lsm_hook_defs.h index f2bbce7fb28e..741bbf5df0af 100644 --- a/include/linux/lsm_hook_defs.h +++ b/include/linux/lsm_hook_defs.h @@ -83,7 +83,7 @@ LSM_HOOK(int, 0, move_mount, const struct path *from_path, const struct path *to_path) LSM_HOOK(int, -EOPNOTSUPP, dentry_init_security, struct dentry *dentry, int mode, const struct qstr *name, const char **xattr_name, - void **ctx, u32 *ctxlen) + struct lsmcontext *cp) LSM_HOOK(int, 0, dentry_create_files_as, struct dentry *dentry, int mode, struct qstr *name, const struct cred *old, struct cred *new) diff --git a/include/linux/nfs4.h b/include/linux/nfs4.h index c11c4db34639..04e4afc8deb5 100644 --- a/include/linux/nfs4.h +++ b/include/linux/nfs4.h @@ -15,6 +15,7 @@ #include #include +#include #include #include 
@@ -44,10 +45,9 @@ struct nfs4_acl { #define NFS4_MAXLABELLEN 2048 struct nfs4_label { - uint32_t lfs; - uint32_t pi; - u32 len; - char *label; + uint32_t lfs; + uint32_t pi; + struct lsmcontext lsmctx; }; typedef struct { char data[NFS4_VERIFIER_SIZE]; } nfs4_verifier; diff --git a/include/linux/nfs_fs.h b/include/linux/nfs_fs.h index 279262057a92..c314fb43547f 100644 --- a/include/linux/nfs_fs.h +++ b/include/linux/nfs_fs.h @@ -457,7 +457,7 @@ static inline void nfs4_label_free(struct nfs4_label *label) { #ifdef CONFIG_NFS_V4_SECURITY_LABEL if (label) { - kfree(label->label); + kfree(label->lsmctx.context); kfree(label); } #endif diff --git a/include/linux/security.h b/include/linux/security.h index dbbfbcfbb299..35604f43d4ff 100644 --- a/include/linux/security.h +++ b/include/linux/security.h @@ -404,8 +404,8 @@ int security_sb_clone_mnt_opts(const struct super_block *oldsb, int security_move_mount(const struct path *from_path, const struct path *to_path); int security_dentry_init_security(struct dentry *dentry, int mode, const struct qstr *name, - const char **xattr_name, void **ctx, - u32 *ctxlen); + const char **xattr_name, + struct lsmcontext *lsmcxt); int security_dentry_create_files_as(struct dentry *dentry, int mode, struct qstr *name, const struct cred *old, @@ -855,8 +855,7 @@ static inline int security_dentry_init_security(struct dentry *dentry, int mode, const struct qstr *name, const char **xattr_name, - void **ctx, - u32 *ctxlen) + struct lsmcontext *lsmcxt) { return -EOPNOTSUPP; } diff --git a/security/security.c b/security/security.c index e1487979603e..cea3c1b614a1 100644 --- a/security/security.c +++ b/security/security.c 
@@ -1666,8 +1666,7 @@ void security_inode_free(struct inode *inode) * @mode: mode used to determine resource type * @name: name of the last path component * @xattr_name: name of the security/LSM xattr - * @ctx: pointer to the resulting LSM context - * @ctxlen: length of @ctx + * @lsmctx: pointer to the resulting LSM context * * Compute a context for a dentry as the inode is not yet available since NFSv4 * has no label backed by an EA anyway. It is important to note that @@ -1677,8 +1676,8 @@ void security_inode_free(struct inode *inode) */ int security_dentry_init_security(struct dentry *dentry, int mode, const struct qstr *name, - const char **xattr_name, void **ctx, - u32 *ctxlen) + const char **xattr_name, + struct lsmcontext *lsmctx) { struct security_hook_list *hp; int rc; @@ -1689,7 +1688,7 @@ int security_dentry_init_security(struct dentry *dentry, int mode, hlist_for_each_entry(hp, &security_hook_heads.dentry_init_security, list) { rc = hp->hook.dentry_init_security(dentry, mode, name, - xattr_name, ctx, ctxlen); + xattr_name, lsmctx); if (rc != LSM_RET_DEFAULT(dentry_init_security)) return rc; } diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c index 1e97b703f252..ed4237223959 100644 --- a/security/selinux/hooks.c +++ b/security/selinux/hooks.c @@ -2859,8 +2859,8 @@ static void selinux_inode_free_security(struct inode *inode) static int selinux_dentry_init_security(struct dentry *dentry, int mode, const struct qstr *name, - const char **xattr_name, void **ctx, - u32 *ctxlen) + const char **xattr_name, + struct lsmcontext *cp) { u32 newsid; int rc; 
@@ -2875,8 +2875,9 @@ static int selinux_dentry_init_security(struct dentry *dentry, int mode, if (xattr_name) *xattr_name = XATTR_NAME_SELINUX; - return security_sid_to_context(newsid, (char **)ctx, - ctxlen); + cp->id = LSM_ID_SELINUX; + return security_sid_to_context(newsid, (char **)cp->context, + &cp->len); } static int selinux_dentry_create_files_as(struct dentry *dentry, int mode, From patchwork Fri Dec 15 22:16:15 2023 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Casey Schaufler X-Patchwork-Id: 13495153 X-Patchwork-Delegate: paul@paul-moore.com Received: from sonic315-27.consmr.mail.ne1.yahoo.com (sonic315-27.consmr.mail.ne1.yahoo.com [66.163.190.153]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id EB9A618ED0 for ; Fri, 15 Dec 2023 22:32:41 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; dmarc=none (p=none dis=none) header.from=schaufler-ca.com Authentication-Results: smtp.subspace.kernel.org; spf=none smtp.mailfrom=schaufler-ca.com Authentication-Results: smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=yahoo.com header.i=@yahoo.com header.b="QCZJbU6L" DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=yahoo.com; s=s2048; t=1702679561; bh=wsEZq6q3+06miaqCNUNybAu13net40ImW1aiAhPQhxQ=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From:Subject:Reply-To; b=QCZJbU6LrMTJCc1hOfHZbSe+1Uc5TEhFp2zc7su0C2gO+NHc8gLc0b+UcqkhErBX/v0H/sUzkLGualahkkDLxM2jeKFHcM1Pu3Sx+Upyu8IBDSsOO3zIv4f9vLKLk8tf9a6SNNu0+x+vcD5zei0kTRNLM74I6hGnrx3F0P0guKn4gw/V3NjmOw+ZF2A1341/q3d7r6u9Jh1ZskkI3sLTPmgQJ+1PnRfatN2R5VyAcCNLIRekluI1xC5PmwNr9LPnvqLz9vVrq8YegGj0FHwkoaLC2+HfgfpoMGoT9BMLhmYumoM/655QOpbMrY8pZbieO7BVlvZ2TOE2diqFuupONg== X-SONIC-DKIM-SIGN: v=1; a=rsa-sha256; c=relaxed/relaxed; d=yahoo.com; s=s2048; t=1702679561; bh=7HZaBEZxB3eI5UhvDTGUKLIn6qQxXCBNIualX0pMysA=; 
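Review bot: the fs/ceph/xattr.c hunk at -1429,11 +1428,9 deletes the `ceph_pagelist_encode_32(pagelist, name_len);` / `ceph_pagelist_append(pagelist, name, name_len);` pair and adds back only the two context lines, so the xattr name is no longer encoded ahead of the label bytes, while the reserve in the previous hunk still sizes the pagelist for `4 * 2 + name_len + as_ctx->lsmctx.len`. Nothing in the commit message calls for dropping the name; keep those two lines and change only the context pair to `as_ctx->lsmctx.len` / `as_ctx->lsmctx.context`.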
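Review bot: in the fs/nfs/nfs4proc.c nfs4_label_init_security() hunk, `label->lsmctx.len` and `label->lsmctx.context` are zeroed before the call but `label->lsmctx.id` is left as whatever it was, and the nfs4_label_release_security() hunk now passes `&label->lsmctx` straight to security_release_secctx() where the old code built a scaffold with an explicit id of 0. A hook that returns 0 without filling in `id` would hand an uninitialized id to the release path; add `label->lsmctx.id = LSM_ID_UNDEF;` next to the other two initializers.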
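Review bot: the `_nfs4_get_security_label()` and `nfs4_set_security_label()` hunks initialize the context positionally with a literal `-1` as the id (`{0, 0, {buf, buflen, -1} }`), while nfs4_label_alloc() and nfs4_label_copy() in the same patch spell the same "never released" intent as `LSM_ID_UNDEF` with a comment. Use one symbol in all four places, and prefer designated initializers (`.lsmctx = { .context = buf, .len = buflen, .id = LSM_ID_UNDEF }`) so the initializer does not silently break if the field order of struct lsmcontext changes.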
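Review bot: the new parameter is spelled `lsmcxt` in both include/linux/security.h declarations, `lsmctx` in security/security.c and its kerneldoc, and `cp` in include/linux/lsm_hook_defs.h and the SELinux hook; `lsmcxt` looks like a typo, and one name across the prototype, the stub and the definition keeps the `@lsmctx` kerneldoc line matching the code.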
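Review bot: in the security/selinux/hooks.c hunk, `security_sid_to_context(newsid, (char **)cp->context, &cp->len)` passes the value of `cp->context` (a `char *`, NULL on entry from both the fuse `struct lsmcontext lsmctx = { };` and the nfs `label->lsmctx.context = NULL;` callers) cast to `char **`, so security_sid_to_context() stores the allocated context through a NULL pointer instead of into `cp->context`; the explicit cast also silences the warning that would have caught it. This should be `&cp->context`, and `cp->id = LSM_ID_SELINUX` is better set only after that call succeeds.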
Received: from sonic.gate.mail.ne1.yahoo.com by sonic315.consmr.mail.ne1.yahoo.com with HTTP; Fri, 15 Dec 2023 22:32:41 +0000 Received: by hermes--production-gq1-6949d6d8f9-ghhkt (Yahoo Inc. Hermes SMTP Server) with ESMTPA ID e3e0e17187ae06698f220367a4c91416; Fri, 15 Dec 2023 22:32:37 +0000 (UTC)
From: Casey Schaufler To: casey@schaufler-ca.com, paul@paul-moore.com, linux-security-module@vger.kernel.org Cc: jmorris@namei.org, serge@hallyn.com, keescook@chromium.org, john.johansen@canonical.com, penguin-kernel@i-love.sakura.ne.jp, stephen.smalley.work@gmail.com, linux-kernel@vger.kernel.org, mic@digikod.net Subject: [PATCH v39 21/42] LSM: security_lsmblob_to_secctx module selection Date: Fri, 15 Dec 2023 14:16:15 -0800 Message-ID: <20231215221636.105680-22-casey@schaufler-ca.com> X-Mailer: git-send-email 2.43.0 In-Reply-To: <20231215221636.105680-1-casey@schaufler-ca.com> References: <20231215221636.105680-1-casey@schaufler-ca.com> Precedence: bulk X-Mailing-List: linux-security-module@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Add a parameter lsmid to security_lsmblob_to_secctx() to identify which of the security modules that may be active should provide the security context. If the value of lsmid is LSM_ID_UNDEF the first LSM providing a hook is used. security_secid_to_secctx() is unchanged, and will always report the first LSM providing a hook. Signed-off-by: Casey Schaufler --- include/linux/security.h | 5 +++-- kernel/audit.c | 4 ++-- kernel/auditsc.c | 8 +++++--- net/netlabel/netlabel_user.c | 3 ++- security/security.c | 11 ++++++----- 5 files changed, 18 insertions(+), 13 deletions(-) diff --git a/include/linux/security.h b/include/linux/security.h index 35604f43d4ff..360a454d5f8e 100644 --- a/include/linux/security.h +++ b/include/linux/security.h 
@@ -563,7 +563,8 @@ int security_setprocattr(int lsmid, const char *name, void *value, size_t size); int security_netlink_send(struct sock *sk, struct sk_buff *skb); int security_ismaclabel(const char *name); int security_secid_to_secctx(u32 secid, struct lsmcontext *cp); -int security_lsmblob_to_secctx(struct lsmblob *blob, struct lsmcontext *cp); +int security_lsmblob_to_secctx(struct lsmblob *blob, struct lsmcontext *cp, + int lsmid); int security_secctx_to_secid(const char *secdata, u32 seclen, u32 *secid); void security_release_secctx(struct lsmcontext *cp); void security_inode_invalidate_secctx(struct inode *inode); @@ -1491,7 +1492,7 @@ static inline int security_secid_to_secctx(u32 secid, struct lsmcontext *cp) } static inline int security_lsmblob_to_secctx(struct lsmblob *blob, - struct lsmcontext *cp) + struct lsmcontext *cp, int lsmid) { return -EOPNOTSUPP; } diff --git a/kernel/audit.c b/kernel/audit.c index a93a710c980e..edefb370a72e 100644 --- a/kernel/audit.c +++ b/kernel/audit.c @@ -1462,7 +1462,7 @@ static int audit_receive_msg(struct sk_buff *skb, struct nlmsghdr *nlh) if (lsmblob_is_set(&audit_sig_lsm)) { err = security_lsmblob_to_secctx(&audit_sig_lsm, - &lsmctx); + &lsmctx, LSM_ID_UNDEF); if (err < 0) return err; } @@ -2174,7 +2174,7 @@ int audit_log_task_context(struct audit_buffer *ab) if (!lsmblob_is_set(&blob)) return 0; - error = security_lsmblob_to_secctx(&blob, &ctx); + error = security_lsmblob_to_secctx(&blob, &ctx, LSM_ID_UNDEF); if (error < 0) { if (error != -EINVAL) goto error_path; diff --git a/kernel/auditsc.c b/kernel/auditsc.c index c37cc02ea4cc..3c0559b01677 100644 --- a/kernel/auditsc.c +++ b/kernel/auditsc.c 
@@ -1109,7 +1109,7 @@ static int audit_log_pid_context(struct audit_context *context, pid_t pid, from_kuid(&init_user_ns, auid), from_kuid(&init_user_ns, uid), sessionid); if (lsmblob_is_set(blob)) { - if (security_lsmblob_to_secctx(blob, &ctx) < 0) { + if (security_lsmblob_to_secctx(blob, &ctx, LSM_ID_UNDEF) < 0) { audit_log_format(ab, " obj=(none)"); rc = 1; } else { @@ -1394,7 +1394,8 @@ static void show_special(struct audit_context *context, int *call_panic) context->ipc.mode); if (lsmblob_is_set(&context->ipc.oblob)) { if (security_lsmblob_to_secctx(&context->ipc.oblob, - &lsmctx) < 0) { + &lsmctx, + LSM_ID_UNDEF) < 0) { *call_panic = 1; } else { audit_log_format(ab, " obj=%s", lsmctx.context); @@ -1559,7 +1560,8 @@ static void audit_log_name(struct audit_context *context, struct audit_names *n, if (lsmblob_is_set(&n->oblob)) { struct lsmcontext ctx; - if (security_lsmblob_to_secctx(&n->oblob, &ctx) < 0) { + if (security_lsmblob_to_secctx(&n->oblob, &ctx, + LSM_ID_UNDEF) < 0) { if (call_panic) *call_panic = 2; } else { diff --git a/net/netlabel/netlabel_user.c b/net/netlabel/netlabel_user.c index 561e1e476a49..842a236540b0 100644 --- a/net/netlabel/netlabel_user.c +++ b/net/netlabel/netlabel_user.c @@ -98,7 +98,8 @@ struct audit_buffer *netlbl_audit_start_common(int type, audit_info->sessionid); if (lsmblob_is_set(&audit_info->blob) && - security_lsmblob_to_secctx(&audit_info->blob, &ctx) >= 0) { + security_lsmblob_to_secctx(&audit_info->blob, &ctx, + LSM_ID_UNDEF) >= 0) { audit_log_format(audit_buf, " subj=%s", ctx.context); security_release_secctx(&ctx); } diff --git a/security/security.c b/security/security.c index cea3c1b614a1..444051575793 100644 --- a/security/security.c +++ b/security/security.c 
@@ -4203,6 +4203,7 @@ EXPORT_SYMBOL(security_secid_to_secctx); * security_lsmblob_to_secctx() - Convert a lsmblob to a secctx * @blob: lsm specific information * @cp: the LSM context + * @lsmid: which security module to report * * Convert a @blob entry to security context. If @cp is NULL the * length of the result will be returned, but no data will be returned. 
@@ -4212,15 +4213,15 @@ EXPORT_SYMBOL(security_secid_to_secctx); * * Return: Return length of data on success, error on failure. */ -int security_lsmblob_to_secctx(struct lsmblob *blob, struct lsmcontext *cp) +int security_lsmblob_to_secctx(struct lsmblob *blob, struct lsmcontext *cp, + int lsmid) { struct security_hook_list *hp; - int rc; hlist_for_each_entry(hp, &security_hook_heads.lsmblob_to_secctx, list) { - rc = hp->hook.lsmblob_to_secctx(blob, cp); - if (rc != LSM_RET_DEFAULT(lsmblob_to_secctx)) - return rc; + if (lsmid != hp->lsmid->id && lsmid != LSM_ID_UNDEF) + continue; + return hp->hook.lsmblob_to_secctx(blob, cp); } return LSM_RET_DEFAULT(lsmblob_to_secctx); From patchwork Fri Dec 15 22:16:16 2023 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Casey Schaufler X-Patchwork-Id: 13495154 X-Patchwork-Delegate: paul@paul-moore.com Received: from sonic316-27.consmr.mail.ne1.yahoo.com (sonic316-27.consmr.mail.ne1.yahoo.com [66.163.187.153]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 67D5C13B143 for ; Fri, 15 Dec 2023 22:34:16 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; dmarc=none (p=none dis=none) header.from=schaufler-ca.com Authentication-Results: smtp.subspace.kernel.org; spf=none smtp.mailfrom=schaufler-ca.com Authentication-Results: smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=yahoo.com header.i=@yahoo.com header.b="kkik3eSC" DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=yahoo.com; s=s2048; t=1702679655; bh=mM0WZyCz/tlNmJgaPwRTDUjkjMqKhKg8VZllCO0EmTg=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From:Subject:Reply-To; 
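Review bot: in the security/security.c hunk the loop now returns the first selected hook's result unconditionally, where the old loop skipped a hook that returned LSM_RET_DEFAULT(lsmblob_to_secctx) and tried the next module; with `LSM_ID_UNDEF` a module that has nothing for the blob therefore ends the walk instead of falling through to the next one. If that is intended, the kerneldoc should say so: `@lsmid` should state that `LSM_ID_UNDEF` means "the first registered module that provides the hook", and the Return: line should note that an `lsmid` matching no registered module returns LSM_RET_DEFAULT(lsmblob_to_secctx).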
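The selection rule this patch introduces, modelled in userspace as an added example (this is not kernel code and not part of the series): two stand-in modules are registered in a fixed order and the old and the new hook walk are run over the same blob. The module ids, the lsmblob layout, the two stub hooks and the -EOPNOTSUPP default standing in for LSM_RET_DEFAULT(lsmblob_to_secctx) are assumptions made for the illustration.

```c
/*
 * Added example (not kernel code): a userspace model of the hook walk in
 * security_lsmblob_to_secctx() before and after the lsmid parameter.
 * Module ids, the lsmblob layout, the two hooks and the default return
 * are assumptions for illustration only.
 */
#include <errno.h>
#include <stdio.h>
#include <string.h>

#define LSM_ID_UNDEF	0	/* assumed value: "let the first module answer" */
#define LSM_ID_SELINUX	101	/* assumed ids, illustrative only */
#define LSM_ID_SMACK	103
#define LSM_RET_DEFAULT	(-EOPNOTSUPP)	/* models LSM_RET_DEFAULT(lsmblob_to_secctx) */

struct lsmblob {		/* modelled: one slot per module */
	unsigned int selinux_sid;
	const char *smack_label;
};

struct lsmcontext {
	const char *context;
	unsigned int len;
	int id;
};

struct hook_entry {
	int id;
	int (*to_secctx)(const struct lsmblob *blob, struct lsmcontext *cp);
};

/* Modelled SELinux hook: answers only when its slot in the blob is set. */
static int selinux_to_secctx(const struct lsmblob *blob, struct lsmcontext *cp)
{
	if (!blob->selinux_sid)
		return LSM_RET_DEFAULT;
	cp->context = "system_u:object_r:etc_t:s0";	/* stand-in for the sid's context */
	cp->len = (unsigned int)strlen(cp->context);
	cp->id = LSM_ID_SELINUX;
	return (int)cp->len;
}

/* Modelled Smack hook, same convention. */
static int smack_to_secctx(const struct lsmblob *blob, struct lsmcontext *cp)
{
	if (!blob->smack_label)
		return LSM_RET_DEFAULT;
	cp->context = blob->smack_label;
	cp->len = (unsigned int)strlen(cp->context);
	cp->id = LSM_ID_SMACK;
	return (int)cp->len;
}

/* Registration order decides which module is "first", as with the hook list. */
static const struct hook_entry hooks[] = {
	{ LSM_ID_SELINUX, selinux_to_secctx },
	{ LSM_ID_SMACK, smack_to_secctx },
};
#define NHOOKS (sizeof(hooks) / sizeof(hooks[0]))

/* Before the patch: every hook is tried until one returns something other than the default. */
int lsmblob_to_secctx_old(const struct lsmblob *blob, struct lsmcontext *cp)
{
	for (size_t i = 0; i < NHOOKS; i++) {
		int rc = hooks[i].to_secctx(blob, cp);
		if (rc != LSM_RET_DEFAULT)
			return rc;
	}
	return LSM_RET_DEFAULT;
}

/* After the patch: the first hook accepted by lsmid answers, default or not. */
int lsmblob_to_secctx_new(const struct lsmblob *blob, struct lsmcontext *cp, int lsmid)
{
	for (size_t i = 0; i < NHOOKS; i++) {
		if (lsmid != hooks[i].id && lsmid != LSM_ID_UNDEF)
			continue;
		return hooks[i].to_secctx(blob, cp);
	}
	return LSM_RET_DEFAULT;
}

int main(void)
{
	struct lsmblob smack_only = { 0, "_" };	/* constructed: only Smack has a label */
	struct lsmcontext cp = { 0 };

	printf("old walk:            %d\n", lsmblob_to_secctx_old(&smack_only, &cp));		/* 1 */
	printf("new walk, UNDEF:     %d\n", lsmblob_to_secctx_new(&smack_only, &cp, LSM_ID_UNDEF));	/* -EOPNOTSUPP */
	printf("new walk, LSM_ID_SMACK: %d\n", lsmblob_to_secctx_new(&smack_only, &cp, LSM_ID_SMACK));	/* 1 */
	return 0;
}
```

The smack_only case is the one to look at: the old walk falls through to Smack, the new walk with LSM_ID_UNDEF stops at the first registered module and returns the default, and only an explicit LSM_ID_SMACK reaches the second hook. An id that matches no registered module also returns the default.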
Received: from sonic.gate.mail.ne1.yahoo.com by sonic316.consmr.mail.ne1.yahoo.com with HTTP; Fri, 15 Dec 2023 22:34:15 +0000 Received: by hermes--production-gq1-6949d6d8f9-dpfkp (Yahoo Inc. Hermes SMTP Server) with ESMTPA ID 0a4ea853851f0b1cf5e01328013d4c00; Fri, 15 Dec 2023 22:34:10 +0000 (UTC)
From: Casey Schaufler To: casey@schaufler-ca.com, paul@paul-moore.com, linux-security-module@vger.kernel.org Cc: jmorris@namei.org, serge@hallyn.com, keescook@chromium.org, john.johansen@canonical.com, penguin-kernel@i-love.sakura.ne.jp, stephen.smalley.work@gmail.com, linux-kernel@vger.kernel.org, mic@digikod.net Subject: [PATCH v39 22/42] Audit: Create audit_stamp structure Date: Fri, 15 Dec 2023 14:16:16 -0800 Message-ID: <20231215221636.105680-23-casey@schaufler-ca.com> X-Mailer: git-send-email 2.43.0 In-Reply-To: <20231215221636.105680-1-casey@schaufler-ca.com> References: <20231215221636.105680-1-casey@schaufler-ca.com> Precedence: bulk X-Mailing-List: linux-security-module@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Replace the timestamp and serial number pair used in audit records with a structure containing the two elements. Signed-off-by: Casey Schaufler Acked-by: Paul Moore --- kernel/audit.c | 17 +++++++++-------- kernel/audit.h | 13 +++++++++---- kernel/auditsc.c | 22 +++++++++------------- 3 files changed, 27 insertions(+), 25 deletions(-) diff --git a/kernel/audit.c b/kernel/audit.c index edefb370a72e..5291f65a01c8 100644 --- a/kernel/audit.c +++ b/kernel/audit.c @@ -1820,11 +1820,11 @@ unsigned int audit_serial(void) } static inline void audit_get_stamp(struct audit_context *ctx, - struct timespec64 *t, unsigned int *serial) + struct audit_stamp *stamp) { - if (!ctx || !auditsc_get_stamp(ctx, t, serial)) { - ktime_get_coarse_real_ts64(t); - *serial = audit_serial(); + if (!ctx || !auditsc_get_stamp(ctx, stamp)) { + ktime_get_coarse_real_ts64(&stamp->ctime); + stamp->serial = audit_serial(); } } @@ -1847,8 +1847,7 @@ struct audit_buffer *audit_log_start(struct audit_context *ctx, gfp_t gfp_mask, int type) { struct audit_buffer *ab; - struct timespec64 t; - unsigned int serial; + struct audit_stamp stamp; if (audit_initialized != AUDIT_INITIALIZED) return NULL; 
@@ -1903,12 +1902,14 @@ struct audit_buffer *audit_log_start(struct audit_context *ctx, gfp_t gfp_mask, return NULL; } - audit_get_stamp(ab->ctx, &t, &serial); + audit_get_stamp(ab->ctx, &stamp); /* cancel dummy context to enable supporting records */ if (ctx) ctx->dummy = 0; audit_log_format(ab, "audit(%llu.%03lu:%u): ", - (unsigned long long)t.tv_sec, t.tv_nsec/1000000, serial); + (unsigned long long)stamp.ctime.tv_sec, + stamp.ctime.tv_nsec/1000000, + stamp.serial); return ab; } diff --git a/kernel/audit.h b/kernel/audit.h index b413c0420c6f..f147540862c7 100644 --- a/kernel/audit.h +++ b/kernel/audit.h @@ -99,6 +99,12 @@ struct audit_proctitle { char *value; /* the cmdline field */ }; +/* A timestamp/serial pair to identify an event */ +struct audit_stamp { + struct timespec64 ctime; /* time of syscall entry */ + unsigned int serial; /* serial number for record */ +}; + /* The per-task audit context. */ struct audit_context { int dummy; /* must be the first element */ @@ -108,10 +114,9 @@ struct audit_context { AUDIT_CTX_URING, /* in use by io_uring */ } context; enum audit_state state, current_state; - unsigned int serial; /* serial number for record */ + struct audit_stamp stamp; /* event identifier */ int major; /* syscall number */ int uring_op; /* uring operation */ - struct timespec64 ctime; /* time of syscall entry */ unsigned long argv[4]; /* syscall arguments */ long return_code;/* syscall return code */ u64 prio; @@ -263,7 +268,7 @@ extern void audit_put_tty(struct tty_struct *tty); extern unsigned int audit_serial(void); #ifdef CONFIG_AUDITSYSCALL extern int auditsc_get_stamp(struct audit_context *ctx, - struct timespec64 *t, unsigned int *serial); + struct audit_stamp *stamp); extern void audit_put_watch(struct audit_watch *watch); extern void audit_get_watch(struct audit_watch *watch); 
@@ -304,7 +309,7 @@ extern void audit_filter_inodes(struct task_struct *tsk, struct audit_context *ctx); extern struct list_head *audit_killed_trees(void); #else /* CONFIG_AUDITSYSCALL */ -#define auditsc_get_stamp(c, t, s) 0 +#define auditsc_get_stamp(c, s) 0 #define audit_put_watch(w) do { } while (0) #define audit_get_watch(w) do { } while (0) #define audit_to_watch(k, p, l, o) (-EINVAL) diff --git a/kernel/auditsc.c b/kernel/auditsc.c index 3c0559b01677..23f72c14276d 100644 --- a/kernel/auditsc.c +++ b/kernel/auditsc.c @@ -994,10 +994,10 @@ static void audit_reset_context(struct audit_context *ctx) */ ctx->current_state = ctx->state; - ctx->serial = 0; + ctx->stamp.serial = 0; ctx->major = 0; ctx->uring_op = 0; - ctx->ctime = (struct timespec64){ .tv_sec = 0, .tv_nsec = 0 }; + ctx->stamp.ctime = (struct timespec64){ .tv_sec = 0, .tv_nsec = 0 }; memset(ctx->argv, 0, sizeof(ctx->argv)); ctx->return_code = 0; ctx->prio = (ctx->state == AUDIT_STATE_RECORD ? ~0ULL : 0); @@ -1918,7 +1918,7 @@ void __audit_uring_entry(u8 op) ctx->context = AUDIT_CTX_URING; ctx->current_state = ctx->state; - ktime_get_coarse_real_ts64(&ctx->ctime); + ktime_get_coarse_real_ts64(&ctx->stamp.ctime); } /** @@ -2040,7 +2040,7 @@ void __audit_syscall_entry(int major, unsigned long a1, unsigned long a2, context->argv[3] = a4; context->context = AUDIT_CTX_SYSCALL; context->current_state = state; - ktime_get_coarse_real_ts64(&context->ctime); + ktime_get_coarse_real_ts64(&context->stamp.ctime); } /** 
@@ -2511,21 +2511,17 @@ EXPORT_SYMBOL_GPL(__audit_inode_child); /** * auditsc_get_stamp - get local copies of audit_context values * @ctx: audit_context for the task - * @t: timespec64 to store time recorded in the audit_context - * @serial: serial value that is recorded in the audit_context + * @stamp: timestamp to record * * Also sets the context as auditable. */ -int auditsc_get_stamp(struct audit_context *ctx, - struct timespec64 *t, unsigned int *serial) +int auditsc_get_stamp(struct audit_context *ctx, struct audit_stamp *stamp) { if (ctx->context == AUDIT_CTX_UNUSED) return 0; - if (!ctx->serial) - ctx->serial = audit_serial(); - t->tv_sec = ctx->ctime.tv_sec; - t->tv_nsec = ctx->ctime.tv_nsec; - *serial = ctx->serial; + if (!ctx->stamp.serial) + ctx->stamp.serial = audit_serial(); + *stamp = ctx->stamp; if (!ctx->prio) { ctx->prio = 1; ctx->current_state = AUDIT_STATE_RECORD; From patchwork Fri Dec 15 22:16:17 2023 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Casey Schaufler X-Patchwork-Id: 13495155 X-Patchwork-Delegate: paul@paul-moore.com Received: from sonic306-28.consmr.mail.ne1.yahoo.com (sonic306-28.consmr.mail.ne1.yahoo.com [66.163.189.90]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 1399CCA67 for ; Fri, 15 Dec 2023 22:34:17 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; dmarc=none (p=none dis=none) header.from=schaufler-ca.com Authentication-Results: smtp.subspace.kernel.org; spf=none smtp.mailfrom=schaufler-ca.com Authentication-Results: smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=yahoo.com header.i=@yahoo.com header.b="VOH94/AM" DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=yahoo.com; s=s2048; t=1702679657; bh=Cj3o8DDeOO3mB2stYC+RNoE7w+k7QDtNzeFRm8yCL30=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From:Subject:Reply-To; 
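Review bot: the updated kernel-doc for auditsc_get_stamp() says `@stamp: timestamp to record`, which reads as an input, but the parameter is an output the function fills from the context (`*stamp = ctx->stamp;`). Describe it as the audit_stamp to be filled with the context's time and serial, and mention the side effect that is easy to miss from the name: a serial is allocated on first use (`if (!ctx->stamp.serial) ctx->stamp.serial = audit_serial();`), so the first caller for an event fixes the serial every later record in that event will carry.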
From: Casey Schaufler To: casey@schaufler-ca.com, paul@paul-moore.com, linux-security-module@vger.kernel.org Cc: jmorris@namei.org, serge@hallyn.com, keescook@chromium.org, john.johansen@canonical.com, penguin-kernel@i-love.sakura.ne.jp, stephen.smalley.work@gmail.com, linux-kernel@vger.kernel.org, mic@digikod.net Subject: [PATCH v39 23/42] Audit: Allow multiple records in an audit_buffer Date: Fri, 15 Dec 2023 14:16:17 -0800 Message-ID: <20231215221636.105680-24-casey@schaufler-ca.com> X-Mailer: git-send-email 2.43.0 In-Reply-To: <20231215221636.105680-1-casey@schaufler-ca.com> References: <20231215221636.105680-1-casey@schaufler-ca.com> Precedence: bulk X-Mailing-List: linux-security-module@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Replace the single skb pointer in an audit_buffer with a list of skb pointers. Add the audit_stamp information to the audit_buffer as there's no guarantee that there will be an audit_context containing the stamp associated with the event. At audit_log_end() time create auxiliary records (none are currently defined) as have been added to the list. Functions are created to manage the skb list in the audit_buffer. Suggested-by: Paul Moore Signed-off-by: Casey Schaufler --- kernel/audit.c | 111 +++++++++++++++++++++++++++++++++++++++---------- 1 file changed, 89 insertions(+), 22 deletions(-) diff --git a/kernel/audit.c b/kernel/audit.c index 5291f65a01c8..b194494c4dc4 100644 --- a/kernel/audit.c +++ b/kernel/audit.c @@ -195,8 +195,10 @@ static struct audit_ctl_mutex { * to place it on a transmit queue. Multiple audit_buffers can be in * use simultaneously. */ struct audit_buffer { - struct sk_buff *skb; /* formatted skb ready to send */ + struct sk_buff *skb; /* the skb for audit_log functions */ + struct sk_buff_head skb_list; /* formatted skbs, ready to send */ struct audit_context *ctx; /* NULL or associated context */ + struct audit_stamp stamp; /* audit stamp for these records */ gfp_t gfp_mask; }; 
@@ -1763,10 +1765,13 @@ __setup("audit_backlog_limit=", audit_backlog_limit_set); static void audit_buffer_free(struct audit_buffer *ab) { + struct sk_buff *skb; + if (!ab) return; - kfree_skb(ab->skb); + while ((skb = skb_dequeue(&ab->skb_list))) + kfree_skb(skb); kmem_cache_free(audit_buffer_cache, ab); } @@ -1782,6 +1787,10 @@ static struct audit_buffer *audit_buffer_alloc(struct audit_context *ctx, ab->skb = nlmsg_new(AUDIT_BUFSIZ, gfp_mask); if (!ab->skb) goto err; + + skb_queue_head_init(&ab->skb_list); + skb_queue_tail(&ab->skb_list, ab->skb); + if (!nlmsg_put(ab->skb, 0, 0, type, 0, 0)) goto err; @@ -1847,7 +1856,6 @@ struct audit_buffer *audit_log_start(struct audit_context *ctx, gfp_t gfp_mask, int type) { struct audit_buffer *ab; - struct audit_stamp stamp; if (audit_initialized != AUDIT_INITIALIZED) return NULL; @@ -1902,14 +1910,14 @@ struct audit_buffer *audit_log_start(struct audit_context *ctx, gfp_t gfp_mask, return NULL; } - audit_get_stamp(ab->ctx, &stamp); + audit_get_stamp(ab->ctx, &ab->stamp); /* cancel dummy context to enable supporting records */ if (ctx) ctx->dummy = 0; audit_log_format(ab, "audit(%llu.%03lu:%u): ", - (unsigned long long)stamp.ctime.tv_sec, - stamp.ctime.tv_nsec/1000000, - stamp.serial); + (unsigned long long)ab->stamp.ctime.tv_sec, + ab->stamp.ctime.tv_nsec/1000000, + ab->stamp.serial); return ab; } 
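Review bot: in audit_buffer_alloc(), `skb_queue_head_init(&ab->skb_list);` is placed after the first `if (!ab->skb) goto err;`, so when nlmsg_new() fails the err path receives an audit_buffer whose skb_list was never initialised. audit_buffer_free() in the same patch now drains the buffer with `while ((skb = skb_dequeue(&ab->skb_list))) kfree_skb(skb);`, so if the err label frees through it, that failure path walks whatever the kmem_cache allocation left in the list head. Initialise the list right after the audit_buffer is allocated, before any goto err, and only queue ab->skb once nlmsg_put() has succeeded so that a half-built skb is never on the list.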
@@ -2165,6 +2173,57 @@ void audit_log_key(struct audit_buffer *ab, char *key) audit_log_format(ab, "(null)"); } +/** + * audit_buffer_aux_new - Add an aux record buffer to the skb list + * @ab: audit_buffer + * @type: message type + * + * Aux records are allocated and added to the skb list of + * the "main" record. The ab->skb is reset to point to the + * aux record on its creation. When the aux record in complete + * ab->skb has to be reset to point to the "main" record. + * This allows the audit_log_ functions to be ignorant of + * which kind of record it is logging to. It also avoids adding + * special data for aux records. + * + * On success ab->skb will point to the new aux record. + * Returns 0 on success, -ENOMEM should allocation fail. + */ +static int audit_buffer_aux_new(struct audit_buffer *ab, int type) +{ + WARN_ON(ab->skb != skb_peek(&ab->skb_list)); + + ab->skb = nlmsg_new(AUDIT_BUFSIZ, ab->gfp_mask); + if (!ab->skb) + goto err; + if (!nlmsg_put(ab->skb, 0, 0, type, 0, 0)) + goto err; + skb_queue_tail(&ab->skb_list, ab->skb); + + audit_log_format(ab, "audit(%llu.%03lu:%u): ", + (unsigned long long)ab->stamp.ctime.tv_sec, + ab->stamp.ctime.tv_nsec/1000000, + ab->stamp.serial); + + return 0; + +err: + kfree_skb(ab->skb); + ab->skb = skb_peek(&ab->skb_list); + return -ENOMEM; +} + +/** + * audit_buffer_aux_end - Switch back to the "main" record from an aux record + * @ab: audit_buffer + * + * Restores the "main" audit record to ab->skb. + */ +static void audit_buffer_aux_end(struct audit_buffer *ab) +{ + ab->skb = skb_peek(&ab->skb_list); +} + int audit_log_task_context(struct audit_buffer *ab) { struct lsmcontext ctx; 
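Review bot: audit_buffer_aux_new() repeats the record prefix from audit_log_start() verbatim (`audit_log_format(ab, "audit(%llu.%03lu:%u): ", ...)` over the three ab->stamp fields); a small static helper that takes the audit_buffer would keep the main and aux prefixes from drifting apart. Two kernel-doc points in the same block: "When the aux record in complete" should read "is complete", and the contract for callers should be stated explicitly, namely that every successful audit_buffer_aux_new() must be paired with audit_buffer_aux_end() before any further main-record logging, since the `WARN_ON(ab->skb != skb_peek(&ab->skb_list))` at the top fires if an aux record is still current when the next one is opened. The error path itself is sound: kfree_skb() on a NULL ab->skb is safe, and the unqueued skb from a failed nlmsg_put() is freed before ab->skb is restored from skb_peek().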
@@ -2399,26 +2458,14 @@ int audit_signal_info(int sig, struct task_struct *t) } /** - * audit_log_end - end one audit record - * @ab: the audit_buffer - * - * We can not do a netlink send inside an irq context because it blocks (last - * arg, flags, is not set to MSG_DONTWAIT), so the audit buffer is placed on a - * queue and a kthread is scheduled to remove them from the queue outside the - * irq context. May be called in any context. + * __audit_log_end - enqueue one audit record + * @skb: the buffer to send */ -void audit_log_end(struct audit_buffer *ab) +static void __audit_log_end(struct sk_buff *skb) { - struct sk_buff *skb; struct nlmsghdr *nlh; - if (!ab) - return; - if (audit_rate_check()) { - skb = ab->skb; - ab->skb = NULL; - /* setup the netlink header, see the comments in * kauditd_send_multicast_skb() for length quirks */ nlh = nlmsg_hdr(skb); 
@@ -2429,6 +2476,26 @@ void audit_log_end(struct audit_buffer *ab) wake_up_interruptible(&kauditd_wait); } else audit_log_lost("rate limit exceeded"); +} + +/** + * audit_log_end - end one audit record + * @ab: the audit_buffer + * + * We can not do a netlink send inside an irq context because it blocks (last + * arg, flags, is not set to MSG_DONTWAIT), so the audit buffer is placed on a + * queue and a kthread is scheduled to remove them from the queue outside the + * irq context. May be called in any context. + */ +void audit_log_end(struct audit_buffer *ab) +{ + struct sk_buff *skb; + + if (!ab) + return; + + while ((skb = skb_dequeue(&ab->skb_list))) + __audit_log_end(skb); audit_buffer_free(ab); } From patchwork Fri Dec 15 22:16:18 2023 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Casey Schaufler X-Patchwork-Id: 13495156 X-Patchwork-Delegate: paul@paul-moore.com Received: from sonic306-28.consmr.mail.ne1.yahoo.com (sonic306-28.consmr.mail.ne1.yahoo.com [66.163.189.90]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 22D45657 for ; Fri, 15 Dec 2023 22:35:47 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; dmarc=none (p=none dis=none) header.from=schaufler-ca.com Authentication-Results: smtp.subspace.kernel.org; spf=none smtp.mailfrom=schaufler-ca.com Authentication-Results: smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=yahoo.com header.i=@yahoo.com header.b="Cbeu0CWu" DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=yahoo.com; s=s2048; t=1702679747; bh=c7E3EinGlYIO5DFIuwJVpD1kjxNAwcYojPiiLg1ANXo=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From:Subject:Reply-To; 
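Review bot: the rate limit is now applied per skb instead of per event: `if (audit_rate_check()) {` stays inside __audit_log_end(), and audit_log_end() calls it once for every skb dequeued from ab->skb_list. An event carrying an auxiliary record therefore consumes two rate-limit slots, and when the limit trips between the two calls the main record is queued while its aux record is dropped with "rate limit exceeded", leaving a partial event on the wire with nothing to indicate the missing record. Consider one audit_rate_check() in audit_log_end() that decides for the whole list, queueing all skbs or discarding all of them, and move the nlmsg header setup into the per-skb helper only.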
From: Casey Schaufler To: casey@schaufler-ca.com, paul@paul-moore.com, linux-security-module@vger.kernel.org Cc: jmorris@namei.org, serge@hallyn.com, keescook@chromium.org, john.johansen@canonical.com, penguin-kernel@i-love.sakura.ne.jp, stephen.smalley.work@gmail.com, linux-kernel@vger.kernel.org, mic@digikod.net Subject: [PATCH v39 24/42] Audit: Add record for multiple task security contexts Date: Fri, 15 Dec 2023 14:16:18 -0800 Message-ID: <20231215221636.105680-25-casey@schaufler-ca.com> X-Mailer: git-send-email 2.43.0 In-Reply-To: <20231215221636.105680-1-casey@schaufler-ca.com> References: <20231215221636.105680-1-casey@schaufler-ca.com> Precedence: bulk X-Mailing-List: linux-security-module@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Create a new audit record AUDIT_MAC_TASK_CONTEXTS. An example of the MAC_TASK_CONTEXTS (1420) record is: type=MAC_TASK_CONTEXTS[1420] msg=audit(1600880931.832:113) subj_apparmor=unconfined subj_smack=_ When an audit event includes a AUDIT_MAC_TASK_CONTEXTS record the "subj=" field in other records in the event will be "subj=?". An AUDIT_MAC_TASK_CONTEXTS record is supplied when the system has multiple security modules that may make access decisions based on a subject security context. Acked-by: Paul Moore Signed-off-by: Casey Schaufler --- include/linux/lsm_hooks.h | 2 ++ include/linux/security.h | 1 + include/uapi/linux/audit.h | 1 + kernel/audit.c | 45 ++++++++++++++++++++++++++++++++------ security/apparmor/lsm.c | 1 + security/bpf/hooks.c | 1 + security/security.c | 3 +++ security/selinux/hooks.c | 1 + security/smack/smack_lsm.c | 1 + 9 files changed, 49 insertions(+), 7 deletions(-) diff --git a/include/linux/lsm_hooks.h b/include/linux/lsm_hooks.h index efd4a0655159..605aaf38c3f5 100644 --- a/include/linux/lsm_hooks.h +++ b/include/linux/lsm_hooks.h 
@@ -47,12 +47,14 @@ struct security_hook_heads { * struct lsm_id - Identify a Linux Security Module. * @lsm: name of the LSM, must be approved by the LSM maintainers * @id: LSM ID number from uapi/linux/lsm.h + * @lsmblob: indicates the LSM has an entry in struct lsmblob * * Contains the information that identifies the LSM. */ struct lsm_id { const char *name; u64 id; + bool lsmblob; }; /* diff --git a/include/linux/security.h b/include/linux/security.h index 360a454d5f8e..947cb3a35db4 100644 --- a/include/linux/security.h +++ b/include/linux/security.h @@ -192,6 +192,7 @@ struct lsmblob { extern const char *const lockdown_reasons[LOCKDOWN_CONFIDENTIALITY_MAX+1]; extern u32 lsm_active_cnt; +extern u32 lsm_blob_cnt; extern const struct lsm_id *lsm_idlist[]; /* These functions are in security/commoncap.c */ diff --git a/include/uapi/linux/audit.h b/include/uapi/linux/audit.h index d676ed2b246e..dc045164b86b 100644 --- a/include/uapi/linux/audit.h +++ b/include/uapi/linux/audit.h @@ -143,6 +143,7 @@ #define AUDIT_MAC_UNLBL_STCDEL 1417 /* NetLabel: del a static label */ #define AUDIT_MAC_CALIPSO_ADD 1418 /* NetLabel: add CALIPSO DOI entry */ #define AUDIT_MAC_CALIPSO_DEL 1419 /* NetLabel: del CALIPSO DOI entry */ +#define AUDIT_MAC_TASK_CONTEXTS 1420 /* Multiple LSM task contexts */ #define AUDIT_FIRST_KERN_ANOM_MSG 1700 #define AUDIT_LAST_KERN_ANOM_MSG 1799 diff --git a/kernel/audit.c b/kernel/audit.c index b194494c4dc4..9d971fa96c0e 100644 --- a/kernel/audit.c +++ b/kernel/audit.c @@ -54,6 +54,7 @@ #include #include #include +#include #include #include #include 
@@ -2228,21 +2229,51 @@ int audit_log_task_context(struct audit_buffer *ab) { struct lsmcontext ctx; struct lsmblob blob; + bool space = false; int error; + int i; security_current_getlsmblob_subj(&blob); if (!lsmblob_is_set(&blob)) return 0; - error = security_lsmblob_to_secctx(&blob, &ctx, LSM_ID_UNDEF); - if (error < 0) { - if (error != -EINVAL) - goto error_path; + if (lsm_blob_cnt < 2) { + error = security_lsmblob_to_secctx(&blob, &ctx, LSM_ID_UNDEF); + if (error < 0) { + if (error != -EINVAL) + goto error_path; + return 0; + } + audit_log_format(ab, " subj=%s", ctx.context); + security_release_secctx(&ctx); return 0; } - - audit_log_format(ab, " subj=%s", ctx.context); - security_release_secctx(&ctx); + /* Multiple LSMs provide contexts. Include an aux record. */ + audit_log_format(ab, " subj=?"); + error = audit_buffer_aux_new(ab, AUDIT_MAC_TASK_CONTEXTS); + if (error) + goto error_path; + + for (i = 0; i < lsm_active_cnt; i++) { + if (!lsm_idlist[i]->lsmblob) + continue; + error = security_lsmblob_to_secctx(&blob, &ctx, + lsm_idlist[i]->id); + if (error < 0) { + if (error == -EOPNOTSUPP) + continue; + audit_log_format(ab, "%ssubj_%s=?", space ? " " : "", + lsm_idlist[i]->name); + if (error != -EINVAL) + audit_panic("error in audit_log_task_context"); + } else { + audit_log_format(ab, "%ssubj_%s=%s", space ? " " : "", + lsm_idlist[i]->name, ctx.context); + security_release_secctx(&ctx); + } + space = true; + } + audit_buffer_aux_end(ab); return 0; error_path: diff --git a/security/apparmor/lsm.c b/security/apparmor/lsm.c index b5f3beb26d5a..075942b253ae 100644 --- a/security/apparmor/lsm.c +++ b/security/apparmor/lsm.c @@ -1447,6 +1447,7 @@ struct lsm_blob_sizes apparmor_blob_sizes __ro_after_init = { static const struct lsm_id apparmor_lsmid = { .name = "apparmor", .id = LSM_ID_APPARMOR, + .lsmblob = true, }; static struct security_hook_list apparmor_hooks[] __ro_after_init = { 
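Review bot: error handling in the multi-LSM loop is inconsistent with the single-LSM branch above it. A hard failure from security_lsmblob_to_secctx() (anything other than -EOPNOTSUPP or -EINVAL) logs `subj_<lsm>=?`, calls audit_panic() inline, keeps iterating and still returns 0, whereas the single-LSM branch jumps to error_path and returns the error to the caller. Either route the loop failure through error_path as well (after audit_buffer_aux_end() so ab->skb is restored) or say in a comment why a partial MAC_TASK_CONTEXTS record plus a 0 return is the intended outcome. Also, `if (lsm_blob_cnt < 2)` selects the legacy single " subj=" form while the loop iterates lsm_active_cnt and filters on `lsm_idlist[i]->lsmblob`; a one-line comment that lsm_blob_cnt is the count of those filtered entries would tie the two counters together for the next reader.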
diff --git a/security/bpf/hooks.c b/security/bpf/hooks.c index 57b9ffd53c98..2da40774dd20 100644 --- a/security/bpf/hooks.c +++ b/security/bpf/hooks.c @@ -19,6 +19,7 @@ static struct security_hook_list bpf_lsm_hooks[] __ro_after_init = { static const struct lsm_id bpf_lsmid = { .name = "bpf", .id = LSM_ID_BPF, + .lsmblob = true, }; static int __init bpf_lsm_init(void) diff --git a/security/security.c b/security/security.c index 444051575793..8ff6cef26e6c 100644 --- a/security/security.c +++ b/security/security.c @@ -269,6 +269,7 @@ static void __init initialize_lsm(struct lsm_info *lsm) * Current index to use while initializing the lsm id list. */ u32 lsm_active_cnt __ro_after_init; +u32 lsm_blob_cnt __ro_after_init; const struct lsm_id *lsm_idlist[LSM_CONFIG_COUNT]; /** @@ -599,6 +600,8 @@ void __init security_add_hooks(struct security_hook_list *hooks, int count, if (lsm_active_cnt >= LSM_CONFIG_COUNT) panic("%s Too many LSMs registered.\n", __func__); lsm_idlist[lsm_active_cnt++] = lsmid; + if (lsmid->lsmblob) + lsm_blob_cnt++; } for (i = 0; i < count; i++) { diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c index ed4237223959..656f25337334 100644 --- a/security/selinux/hooks.c +++ b/security/selinux/hooks.c @@ -7092,6 +7092,7 @@ static int selinux_uring_cmd(struct io_uring_cmd *ioucmd) static const struct lsm_id selinux_lsmid = { .name = "selinux", .id = LSM_ID_SELINUX, + .lsmblob = true, }; /* diff --git a/security/smack/smack_lsm.c b/security/smack/smack_lsm.c index a58e2c14f120..a9ab31a40e36 100644 --- a/security/smack/smack_lsm.c +++ b/security/smack/smack_lsm.c 
@@ -5069,6 +5069,7 @@ struct lsm_blob_sizes smack_blob_sizes __ro_after_init = { static const struct lsm_id smack_lsmid = { .name = "smack", .id = LSM_ID_SMACK, + .lsmblob = true, }; static struct security_hook_list smack_hooks[] __ro_after_init = { From patchwork Fri Dec 15 22:16:19 2023 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Casey Schaufler X-Patchwork-Id: 13495157 X-Patchwork-Delegate: paul@paul-moore.com Received: from sonic316-27.consmr.mail.ne1.yahoo.com (sonic316-27.consmr.mail.ne1.yahoo.com [66.163.187.153]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 4C1F218EC0 for ; Fri, 15 Dec 2023 22:35:51 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; dmarc=none (p=none dis=none) header.from=schaufler-ca.com Authentication-Results: smtp.subspace.kernel.org; spf=none smtp.mailfrom=schaufler-ca.com Authentication-Results: smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=yahoo.com header.i=@yahoo.com header.b="cZx2YgbZ" DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=yahoo.com; s=s2048; t=1702679750; bh=7oGr4ctFH9QOr0JDyPZF54I+ATweTTJfL6KeAVlw3sg=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From:Subject:Reply-To; b=cZx2YgbZ0yWw8PpjV3NBeAE4zqX0pXv1QozyWcijSEUi7mMMMmSz4A28juWjG9QSvTRx0LxJEngNKyEFhIoSS8gMCYfE1KNTeqbDYiD0NENd0z2DZSElMt4sOFdeDah2agSRFMXnsjo10h/sNzZvML3peFldRC3XD4qImGroW3VqtHAi5xs3CjZqENEzmgraiy1tNSqKtE1hZLk87kDa4VrC6OXHQfeMsvMhSVJF8d9SEAkYJ490hwymy9a2xs+G63ZtLt09LAbUCS0/4Th1EcgqP4TdYw+1RaplrupGprIlDsABYdL+du3lGQEJhDUu8zKinlAJAoI2l8qG/NX5jQ== X-SONIC-DKIM-SIGN: v=1; a=rsa-sha256; c=relaxed/relaxed; d=yahoo.com; s=s2048; t=1702679750; bh=cZH7URqADBFeRFOdehMoNbzHoLzBFNRIHZY4YfjZzcE=; h=X-Sonic-MF:From:To:Subject:Date:From:Subject; 
From: Casey Schaufler To: casey@schaufler-ca.com, paul@paul-moore.com, linux-security-module@vger.kernel.org Cc: jmorris@namei.org, serge@hallyn.com, keescook@chromium.org, john.johansen@canonical.com, penguin-kernel@i-love.sakura.ne.jp, stephen.smalley.work@gmail.com, linux-kernel@vger.kernel.org, mic@digikod.net Subject: [PATCH v39 25/42] audit: multiple subject lsm values for netlabel Date: Fri, 15 Dec 2023 14:16:19 -0800 Message-ID: <20231215221636.105680-26-casey@schaufler-ca.com> X-Mailer: git-send-email 2.43.0 In-Reply-To: <20231215221636.105680-1-casey@schaufler-ca.com> References: <20231215221636.105680-1-casey@schaufler-ca.com> Precedence: bulk X-Mailing-List: linux-security-module@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Refactor audit_log_task_context(), creating a new audit_log_subject_context(). This is used in netlabel auditing to provide multiple subject security contexts as necessary. Acked-by: Paul Moore Signed-off-by: Casey Schaufler --- include/linux/audit.h | 8 ++++++++ kernel/audit.c | 21 ++++++++++++++------- net/netlabel/netlabel_user.c | 8 +------- 3 files changed, 23 insertions(+), 14 deletions(-) diff --git a/include/linux/audit.h b/include/linux/audit.h index 51b1b7054a23..8974500f730f 100644 --- a/include/linux/audit.h +++ b/include/linux/audit.h @@ -36,6 +36,7 @@ struct mqstat; struct audit_watch; struct audit_tree; struct sk_buff; +struct lsmblob; struct audit_krule { u32 pflags; @@ -184,6 +185,8 @@ extern void audit_log_path_denied(int type, const char *operation); extern void audit_log_lost(const char *message); +extern int audit_log_subject_context(struct audit_buffer *ab, + struct lsmblob *blob); extern int audit_log_task_context(struct audit_buffer *ab); extern void audit_log_task_info(struct audit_buffer *ab); 
@@ -244,6 +247,11 @@ static inline void audit_log_key(struct audit_buffer *ab, char *key) { } static inline void audit_log_path_denied(int type, const char *operation) { } +static inline int audit_log_subject_context(struct audit_buffer *ab, + struct lsmblob *blob) +{ + return 0; +} static inline int audit_log_task_context(struct audit_buffer *ab) { return 0; diff --git a/kernel/audit.c b/kernel/audit.c index 9d971fa96c0e..626942c38bca 100644 --- a/kernel/audit.c +++ b/kernel/audit.c @@ -2225,20 +2225,18 @@ static void audit_buffer_aux_end(struct audit_buffer *ab) ab->skb = skb_peek(&ab->skb_list); } -int audit_log_task_context(struct audit_buffer *ab) +int audit_log_subject_context(struct audit_buffer *ab, struct lsmblob *blob) { struct lsmcontext ctx; - struct lsmblob blob; bool space = false; int error; int i; - security_current_getlsmblob_subj(&blob); - if (!lsmblob_is_set(&blob)) + if (!lsmblob_is_set(blob)) return 0; if (lsm_blob_cnt < 2) { - error = security_lsmblob_to_secctx(&blob, &ctx, LSM_ID_UNDEF); + error = security_lsmblob_to_secctx(blob, &ctx, LSM_ID_UNDEF); if (error < 0) { if (error != -EINVAL) goto error_path; @@ -2257,7 +2255,7 @@ int audit_log_task_context(struct audit_buffer *ab) for (i = 0; i < lsm_active_cnt; i++) { if (!lsm_idlist[i]->lsmblob) continue; - error = security_lsmblob_to_secctx(&blob, &ctx, + error = security_lsmblob_to_secctx(blob, &ctx, lsm_idlist[i]->id); if (error < 0) { if (error == -EOPNOTSUPP) @@ -2277,9 +2275,18 @@ int audit_log_task_context(struct audit_buffer *ab) return 0; error_path: - audit_panic("error in audit_log_task_context"); + audit_panic("error in audit_log_subject_context"); return error; } +EXPORT_SYMBOL(audit_log_subject_context); + +int audit_log_task_context(struct audit_buffer *ab) +{ + struct lsmblob blob; + + security_current_getlsmblob_subj(&blob); + return audit_log_subject_context(ab, &blob); +} EXPORT_SYMBOL(audit_log_task_context); void audit_log_d_path_exe(struct audit_buffer *ab, 
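Review bot: audit_log_subject_context() becomes a new exported interface (`EXPORT_SYMBOL(audit_log_subject_context);`) but gets no kernel-doc. Since netlabel now calls it from outside the audit subsystem, document that @blob is the caller's subject lsmblob, that the function emits either a single " subj=" field or " subj=?" followed by an auxiliary record, that -EINVAL from the LSM is treated as "no context" and -EOPNOTSUPP is skipped only in the multi-LSM loop, and that any other failure calls audit_panic() and returns the negative error. The audit_panic() string was updated to the new name, which is good; the wrapper audit_log_task_context() is small enough that it could also be a static inline in the header, but keeping the export is fine.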
diff --git a/net/netlabel/netlabel_user.c b/net/netlabel/netlabel_user.c index 842a236540b0..4dd0f453bb4e 100644 --- a/net/netlabel/netlabel_user.c +++ b/net/netlabel/netlabel_user.c @@ -84,7 +84,6 @@ struct audit_buffer *netlbl_audit_start_common(int type, struct netlbl_audit *audit_info) { struct audit_buffer *audit_buf; - struct lsmcontext ctx; if (audit_enabled == AUDIT_OFF) return NULL; 
@@ -97,12 +96,7 @@ struct audit_buffer *netlbl_audit_start_common(int type, from_kuid(&init_user_ns, audit_info->loginuid), audit_info->sessionid); - if (lsmblob_is_set(&audit_info->blob) && - security_lsmblob_to_secctx(&audit_info->blob, &ctx, - LSM_ID_UNDEF) >= 0) { - audit_log_format(audit_buf, " subj=%s", ctx.context); - security_release_secctx(&ctx); - } + audit_log_subject_context(audit_buf, &audit_info->blob); return audit_buf; } From patchwork Fri Dec 15 22:16:20 2023 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Casey Schaufler X-Patchwork-Id: 13495159 X-Patchwork-Delegate: paul@paul-moore.com Received: from sonic316-27.consmr.mail.ne1.yahoo.com (sonic316-27.consmr.mail.ne1.yahoo.com [66.163.187.153]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id AEF1618EAE for ; Fri, 15 Dec 2023 22:37:26 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; dmarc=none (p=none dis=none) header.from=schaufler-ca.com Authentication-Results: smtp.subspace.kernel.org; spf=none smtp.mailfrom=schaufler-ca.com Authentication-Results: smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=yahoo.com header.i=@yahoo.com header.b="AhqJWdJA" DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=yahoo.com; s=s2048; t=1702679845; bh=rC84q4bv3pOtqZ3VRmXBUeRBFuqoQ0GIzDt+InZd7gQ=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From:Subject:Reply-To; b=AhqJWdJAQn+9Fkp9Gbd9jOytDRNEXFej9nWk++B0/E4HBPk1ZndK9HZ19N7zXLN47c58tL+4L//ztGpaHqK8jSKLnjrYBSJJQJWGqQwrZjLCXTwj5zH1Fg64LuO2y+wTV5sfQAMrFH8gbvaH7dMMFYOSFg7M849P6Zp5EYjW65z7ic6CwzG1Wy4Dw5M7kTgFRd/m5xI9Yy7wRY/hCDScEbfjFs2A9Hg/Uiv+IRFpJxbzj7Q0wdoSoJC8EneQFHszaoAGRvxreSdycdrs/H7h+4s1ZQam+XOrq1yfVKYNfe1GISSz3Iw6HjnMwxG6cKdso528+AfAH5s3hyP58ddmlg== X-SONIC-DKIM-SIGN: v=1; a=rsa-sha256; c=relaxed/relaxed; d=yahoo.com; s=s2048; t=1702679845; 
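Review bot: the int return of audit_log_subject_context() is discarded in netlbl_audit_start_common(), and audit_buf is returned and used regardless; either check the value or make the function's contract (return value informational only, panic already handled inside) explicit so the discard is obviously deliberate. Dropping the local `lsmblob_is_set(&audit_info->blob)` precheck is fine only because audit_log_subject_context() repeats it (`if (!lsmblob_is_set(blob)) return 0;`); a one-line mention of that in the commit message would save the next reader a lookup.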
From: Casey Schaufler
To: casey@schaufler-ca.com, paul@paul-moore.com, linux-security-module@vger.kernel.org
Cc: jmorris@namei.org, serge@hallyn.com, keescook@chromium.org, john.johansen@canonical.com, penguin-kernel@i-love.sakura.ne.jp, stephen.smalley.work@gmail.com, linux-kernel@vger.kernel.org, mic@digikod.net
Subject: [PATCH v39 26/42] Audit: Add record for multiple object contexts
Date: Fri, 15 Dec 2023 14:16:20 -0800
Message-ID: <20231215221636.105680-27-casey@schaufler-ca.com>
X-Mailer: git-send-email 2.43.0
In-Reply-To: <20231215221636.105680-1-casey@schaufler-ca.com>
References: <20231215221636.105680-1-casey@schaufler-ca.com>
Precedence: bulk
X-Mailing-List: linux-security-module@vger.kernel.org
List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0

Create a new audit record AUDIT_MAC_OBJ_CONTEXTS. An example of the MAC_OBJ_CONTEXTS (1421) record is:

type=MAC_OBJ_CONTEXTS[1421] msg=audit(1601152467.009:1050): obj_selinux=unconfined_u:object_r:user_home_t:s0

When an audit event includes an AUDIT_MAC_OBJ_CONTEXTS record the "obj=" field in other records in the event will be "obj=?". An AUDIT_MAC_OBJ_CONTEXTS record is supplied when the system has multiple security modules that may make access decisions based on an object security context.

Signed-off-by: Casey Schaufler
Acked-by: Paul Moore
---
include/linux/audit.h | 5 +++
include/uapi/linux/audit.h | 1 +
kernel/audit.c | 51 +++++++++++++++++++++++-
kernel/auditsc.c | 81 ++++++++++++--------------------------
4 files changed, 82 insertions(+), 56 deletions(-)

diff --git a/include/linux/audit.h b/include/linux/audit.h
index 8974500f730f..914cfd563ce3 100644
--- a/include/linux/audit.h
+++ b/include/linux/audit.h
@@ -185,6 +185,8 @@ extern void audit_log_path_denied(int type, const char *operation); extern void audit_log_lost(const char *message); +extern void audit_log_object_context(struct audit_buffer *ab, + struct lsmblob *blob); extern int audit_log_subject_context(struct audit_buffer *ab, struct lsmblob *blob); extern int audit_log_task_context(struct audit_buffer *ab); @@ -247,6 +249,9 @@ static inline void audit_log_key(struct audit_buffer *ab, char *key) { } static inline void audit_log_path_denied(int type, const char *operation) { } +static inline void audit_log_object_context(struct audit_buffer *ab, + struct lsmblob *blob) +{ } static inline int audit_log_subject_context(struct audit_buffer *ab, struct lsmblob *blob) { diff --git a/include/uapi/linux/audit.h b/include/uapi/linux/audit.h index dc045164b86b..bed324162a7c 100644 --- a/include/uapi/linux/audit.h +++ b/include/uapi/linux/audit.h @@ -144,6 +144,7 @@ #define AUDIT_MAC_CALIPSO_ADD 1418 /* NetLabel: add CALIPSO DOI entry */ #define AUDIT_MAC_CALIPSO_DEL 1419 /* NetLabel: del CALIPSO DOI entry */ #define AUDIT_MAC_TASK_CONTEXTS 1420 /* Multiple LSM task contexts */ +#define AUDIT_MAC_OBJ_CONTEXTS 1421 /* Multiple LSM objext contexts */ #define AUDIT_FIRST_KERN_ANOM_MSG 1700 #define AUDIT_LAST_KERN_ANOM_MSG 1799 diff --git a/kernel/audit.c b/kernel/audit.c index 626942c38bca..dc11dd4c41fc 100644 --- a/kernel/audit.c +++ b/kernel/audit.c @@ -1105,7 +1105,6 @@ static int is_audit_feature_set(int i) return af.features & AUDIT_FEATURE_TO_MASK(i); } - static int audit_get_feature(struct sk_buff *skb) { u32 seq; 
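Review bot: typo in the new uapi comment, `/* Multiple LSM objext contexts */` should read `object`; as include/uapi/linux/audit.h is user-visible documentation it is worth fixing before merge. The hunk at `@@ -1105,7 +1105,6 @@` in kernel/audit.c only deletes a blank line ahead of audit_get_feature(); that is unrelated whitespace churn and belongs in a separate cleanup or should be dropped from this patch.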
@@ -2289,6 +2288,56 @@ int audit_log_task_context(struct audit_buffer *ab) } EXPORT_SYMBOL(audit_log_task_context); +void audit_log_object_context(struct audit_buffer *ab, struct lsmblob *blob) +{ + int i; + int error; + bool space = false; + struct lsmcontext context; + + if (lsm_blob_cnt < 2) { + error = security_lsmblob_to_secctx(blob, &context, + LSM_ID_UNDEF); + if (error) { + if (error != -EINVAL) + goto error_path; + return; + } + audit_log_format(ab, " obj=%s", context.context); + security_release_secctx(&context); + return; + } + audit_log_format(ab, " obj=?"); + error = audit_buffer_aux_new(ab, AUDIT_MAC_OBJ_CONTEXTS); + if (error) + goto error_path; + + for (i = 0; i < lsm_blob_cnt; i++) { + if (!lsm_idlist[i]->lsmblob) + continue; + error = security_lsmblob_to_secctx(blob, &context, + lsm_idlist[i]->id); + if (error) { + audit_log_format(ab, "%sobj_%s=?", + space ? " " : "", lsm_idlist[i]->name); + if (error != -EINVAL) + audit_panic("error in audit_log_object_context"); + } else { + audit_log_format(ab, "%sobj_%s=%s", + space ? " " : "", lsm_idlist[i]->name, + context.context); + security_release_secctx(&context); + } + space = true; + } + + audit_buffer_aux_end(ab); + return; + +error_path: + audit_panic("error in audit_log_object_context"); +} + void audit_log_d_path_exe(struct audit_buffer *ab, struct mm_struct *mm) { diff --git a/kernel/auditsc.c b/kernel/auditsc.c index 23f72c14276d..bc13666dd6ed 100644 --- a/kernel/auditsc.c +++ b/kernel/auditsc.c 
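Review bot: the loop bound in audit_log_object_context() differs from the subject-side code: the object loop runs `for (i = 0; i < lsm_blob_cnt; i++)` over lsm_idlist[], while audit_log_subject_context() (previous patch) runs to lsm_active_cnt and skips entries whose ->lsmblob is unset. If an active LSM without a blob precedes a blob-owning one in lsm_idlist[], the object loop stops short and that LSM's obj_<name>= value is never emitted; bounding on lsm_active_cnt here would keep the two consistent. Two smaller points in the same hunk: in the single-LSM branch an -EINVAL return emits no obj= field at all (not even "obj=?"), and in the multi-LSM loop audit_panic() is invoked mid-record and the loop then continues; a comment on why -EINVAL is treated as "no context available" would help readers of both branches.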
@@ -1092,36 +1092,27 @@ static inline void audit_free_context(struct audit_context *context) kfree(context); } -static int audit_log_pid_context(struct audit_context *context, pid_t pid, - kuid_t auid, kuid_t uid, - unsigned int sessionid, struct lsmblob *blob, - char *comm) +static void audit_log_pid_context(struct audit_context *context, pid_t pid, + kuid_t auid, kuid_t uid, + unsigned int sessionid, struct lsmblob *blob, + char *comm) { struct audit_buffer *ab; - struct lsmcontext ctx; - int rc = 0; ab = audit_log_start(context, GFP_KERNEL, AUDIT_OBJ_PID); if (!ab) - return rc; + return; audit_log_format(ab, "opid=%d oauid=%d ouid=%d oses=%d", pid, from_kuid(&init_user_ns, auid), from_kuid(&init_user_ns, uid), sessionid); - if (lsmblob_is_set(blob)) { - if (security_lsmblob_to_secctx(blob, &ctx, LSM_ID_UNDEF) < 0) { - audit_log_format(ab, " obj=(none)"); - rc = 1; - } else { - audit_log_format(ab, " obj=%s", ctx.context); - security_release_secctx(&ctx); - } - } + if (lsmblob_is_set(blob)) + audit_log_object_context(ab, blob); audit_log_format(ab, " ocomm="); audit_log_untrustedstring(ab, comm); audit_log_end(ab); - return rc; + return; } static void audit_log_execve_info(struct audit_context *context, @@ -1370,7 +1361,6 @@ static void audit_log_time(struct audit_context *context, struct audit_buffer ** static void show_special(struct audit_context *context, int *call_panic) { - struct lsmcontext lsmctx; struct audit_buffer *ab; int i; 
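Review bot: audit_log_pid_context() loses the `obj=(none)` marker together with its error return: the old code logged obj=(none) and returned rc=1 so audit_log_exit() could set call_panic, whereas the replacement audit_log_object_context() emits nothing on -EINVAL and calls audit_panic() itself otherwise, so a failed conversion now leaves the AUDIT_OBJ_PID record with no obj= field at all. That is a visible record-format change for userspace parsers and should be spelled out in the commit message. Also, the trailing `return;` at the end of the now-void function is redundant and can go.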
@@ -1392,16 +1382,8 @@ static void show_special(struct audit_context *context, int *call_panic) from_kuid(&init_user_ns, context->ipc.uid), from_kgid(&init_user_ns, context->ipc.gid), context->ipc.mode); - if (lsmblob_is_set(&context->ipc.oblob)) { - if (security_lsmblob_to_secctx(&context->ipc.oblob, - &lsmctx, - LSM_ID_UNDEF) < 0) { - *call_panic = 1; - } else { - audit_log_format(ab, " obj=%s", lsmctx.context); - security_release_secctx(&lsmctx); - } - } + if (lsmblob_is_set(&context->ipc.oblob)) + audit_log_object_context(ab, &context->ipc.oblob); if (context->ipc.has_perm) { audit_log_end(ab); ab = audit_log_start(context, GFP_KERNEL, @@ -1557,18 +1539,8 @@ static void audit_log_name(struct audit_context *context, struct audit_names *n, from_kgid(&init_user_ns, n->gid), MAJOR(n->rdev), MINOR(n->rdev)); - if (lsmblob_is_set(&n->oblob)) { - struct lsmcontext ctx; - - if (security_lsmblob_to_secctx(&n->oblob, &ctx, - LSM_ID_UNDEF) < 0) { - if (call_panic) - *call_panic = 2; - } else { - audit_log_format(ab, " obj=%s", ctx.context); - security_release_secctx(&ctx); - } - } + if (lsmblob_is_set(&n->oblob)) + audit_log_object_context(ab, &n->oblob); /* log the audit_names record type */ switch (n->type) { 
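Review bot: with these hunks the distinction between `*call_panic = 1` (IPC object in show_special()) and `*call_panic = 2` (audit_log_name()) disappears, and the panic is now raised immediately inside audit_log_object_context() rather than deferred to the end of the event as call_panic was. If any remaining consumer of call_panic keys on the value 2, that needs checking, and the commit message should state that the deferred-panic path for object contexts is replaced by an immediate audit_panic().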
@@ -1773,21 +1745,20 @@ static void audit_log_exit(void) struct audit_aux_data_pids *axs = (void *)aux; for (i = 0; i < axs->pid_count; i++) - if (audit_log_pid_context(context, axs->target_pid[i], - axs->target_auid[i], - axs->target_uid[i], - axs->target_sessionid[i], - &axs->target_blob[i], - axs->target_comm[i])) - call_panic = 1; - } - - if (context->target_pid && - audit_log_pid_context(context, context->target_pid, - context->target_auid, context->target_uid, - context->target_sessionid, - &context->target_blob, context->target_comm)) - call_panic = 1; + audit_log_pid_context(context, axs->target_pid[i], + axs->target_auid[i], + axs->target_uid[i], + axs->target_sessionid[i], + &axs->target_blob[i], + axs->target_comm[i]); + } + + if (context->target_pid) + audit_log_pid_context(context, context->target_pid, + context->target_auid, context->target_uid, + context->target_sessionid, + &context->target_blob, + context->target_comm); if (context->pwd.dentry && context->pwd.mnt) { ab = audit_log_start(context, GFP_KERNEL, AUDIT_CWD); From patchwork Fri Dec 15 22:16:21 2023 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Casey Schaufler X-Patchwork-Id: 13495158 X-Patchwork-Delegate: paul@paul-moore.com Received: from sonic312-30.consmr.mail.ne1.yahoo.com (sonic312-30.consmr.mail.ne1.yahoo.com [66.163.191.211]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 859CA495C3 for ; Fri, 15 Dec 2023 22:37:23 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; dmarc=none (p=none dis=none) header.from=schaufler-ca.com Authentication-Results: smtp.subspace.kernel.org; spf=none smtp.mailfrom=schaufler-ca.com Authentication-Results: smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=yahoo.com header.i=@yahoo.com header.b="bysT4xYk" DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; 
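The commit message above quotes the MAC_OBJ_CONTEXTS record layout and says that, whenever that companion record is present, the other records of the event carry "obj=?". As an added example (not code from the patch series or the kernel), the following Python consumer parses that layout, joins each event's records by serial number, and replaces the placeholder with the per-LSM values, flagging the case where "obj=?" appears with no companion record. The sample log lines are constructed; the "apparmor" LSM name in them is assumed for illustration, and "obj_<lsm>=?" follows the `"%sobj_%s=?"` format the kernel/audit.c hunk emits when one LSM cannot supply a context.

```python
"""Resolve "obj=?" placeholders in Linux audit events.

Added example, not kernel code from the patch series. It parses the
MAC_OBJ_CONTEXTS record layout quoted in the commit message
("obj_<lsm>=<context>", with "obj_<lsm>=?" when an LSM could not supply
one) and joins it with the other records of the same event, which carry
"obj=?" whenever that companion record exists.
"""
import re
from collections import defaultdict

# Record type numbers as defined in include/uapi/linux/audit.h by the series.
AUDIT_MAC_TASK_CONTEXTS = 1420
AUDIT_MAC_OBJ_CONTEXTS = 1421

# "type=NAME[num] msg=audit(seconds.millis:serial): key=value ..."
_HEADER_RE = re.compile(
    r"^type=(?P<name>[A-Z_]+)(?:\[(?P<num>\d+)\])?\s+"
    r"msg=audit\((?P<ts>\d+\.\d+):(?P<serial>\d+)\):\s*(?P<body>.*)$"
)
# key=value pairs; quoted values may contain spaces.
_FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

# Constructed sample log (not real system output).  Event 1050 has the
# multi-LSM companion record, event 1049 comes from a single-LSM system
# and logs obj= inline, event 1051 carries obj=? with no companion record
# (the failure mode a consumer should flag rather than silently accept).
# The "apparmor" LSM name is an assumption for illustration.
SAMPLE_LOG = """\
type=MAC_OBJ_CONTEXTS[1421] msg=audit(1601152467.009:1050): obj_selinux=unconfined_u:object_r:user_home_t:s0 obj_apparmor=?
type=PATH msg=audit(1601152467.009:1050): item=0 name="/home/u/notes.txt" inode=42 obj=?
type=SYSCALL msg=audit(1601152466.001:1049): arch=c000003e syscall=257 success=yes
type=PATH msg=audit(1601152466.001:1049): item=0 name="/etc/hosts" obj=system_u:object_r:net_conf_t:s0
type=PATH msg=audit(1601152468.000:1051): item=0 name="/tmp/x" obj=?
"""


def parse_record(line):
    """Parse one audit line into {type, num, serial, fields}; None if malformed."""
    m = _HEADER_RE.match(line.strip())
    if not m:
        return None
    return {
        "type": m.group("name"),
        "num": int(m.group("num")) if m.group("num") else None,
        "serial": int(m.group("serial")),
        "fields": dict(_FIELD_RE.findall(m.group("body"))),
    }


def object_contexts(record):
    """Map LSM name -> context (None when the kernel logged obj_<lsm>=?)."""
    return {
        key[len("obj_"):]: (None if value == "?" else value)
        for key, value in record["fields"].items()
        if key.startswith("obj_")
    }


def resolve_events(log_text):
    """Group records by event serial and resolve each record's obj= field.

    Returns {serial: [(record_type, resolved), ...]} where resolved is
    None for records without obj=, {"single": ctx} for an inline value,
    the per-LSM map from the companion MAC_OBJ_CONTEXTS record when the
    field was "obj=?", or {"unresolved": "?"} when "obj=?" appears with
    no companion record in the event.
    """
    events = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_record(line)
        if rec is not None:
            events[rec["serial"]].append(rec)

    resolved = {}
    for serial, recs in events.items():
        per_lsm = {}
        for rec in recs:
            if rec["type"] == "MAC_OBJ_CONTEXTS":
                per_lsm.update(object_contexts(rec))
        out = []
        for rec in recs:
            obj = rec["fields"].get("obj")
            if obj is None:
                out.append((rec["type"], None))
            elif obj != "?":
                out.append((rec["type"], {"single": obj}))
            elif per_lsm:
                out.append((rec["type"], dict(per_lsm)))
            else:
                out.append((rec["type"], {"unresolved": "?"}))
        resolved[serial] = out
    return resolved


if __name__ == "__main__":
    for serial, recs in sorted(resolve_events(SAMPLE_LOG).items()):
        for rtype, obj in recs:
            print(serial, rtype, obj)
```

The join is keyed on the audit serial number because that is the only thing the records of one event share; a consumer that reads record by record, as many SIEM pipelines do, would otherwise see "obj=?" as a literal value. The `{"unresolved": "?"}` outcome is deliberately distinct from an empty map so that a placeholder with no companion record is surfaced instead of being mistaken for "no LSM supplied a context".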
From: Casey Schaufler
To: casey@schaufler-ca.com, paul@paul-moore.com, linux-security-module@vger.kernel.org
Cc: jmorris@namei.org, serge@hallyn.com, keescook@chromium.org, john.johansen@canonical.com, penguin-kernel@i-love.sakura.ne.jp, stephen.smalley.work@gmail.com, linux-kernel@vger.kernel.org, mic@digikod.net
Subject: [PATCH v39 27/42] LSM: Remove unused lsmcontext_init()
Date: Fri, 15 Dec 2023 14:16:21 -0800
Message-ID: <20231215221636.105680-28-casey@schaufler-ca.com>
X-Mailer: git-send-email 2.43.0
In-Reply-To: <20231215221636.105680-1-casey@schaufler-ca.com>
References: <20231215221636.105680-1-casey@schaufler-ca.com>
Precedence: bulk
X-Mailing-List: linux-security-module@vger.kernel.org
List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0

The lsmcontext init function is no longer used. Remove it.

Signed-off-by: Casey Schaufler
---
include/linux/security.h | 19 -------------------
1 file changed, 19 deletions(-)

diff --git a/include/linux/security.h b/include/linux/security.h
index 947cb3a35db4..529671a89ce0 100644
--- a/include/linux/security.h
+++ b/include/linux/security.h
@@ -160,25 +160,6 @@ struct lsmcontext { int id; /* Identifies the module */ }; -/** - * lsmcontext_init - initialize an lsmcontext structure. - * @cp: Pointer to the context to initialize - * @context: Initial context, or NULL - * @size: Size of context, or 0 - * @id: Which LSM provided the context - * - * Fill in the lsmcontext from the provided information. - * This is a scaffolding function that will be removed when - * lsmcontext integration is complete. - */ -static inline void lsmcontext_init(struct lsmcontext *cp, char *context, - u32 size, int id) -{ - cp->id = id; - cp->context = context; - cp->len = size; -} - /* * Data exported by the security modules */ From patchwork Fri Dec 15 22:16:22 2023 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Casey Schaufler X-Patchwork-Id: 13495162 X-Patchwork-Delegate: paul@paul-moore.com Received: from sonic302-28.consmr.mail.ne1.yahoo.com (sonic302-28.consmr.mail.ne1.yahoo.com [66.163.186.154]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id C4E3B18EA7 for ; Fri, 15 Dec 2023 22:38:58 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; dmarc=none (p=none dis=none) header.from=schaufler-ca.com Authentication-Results: smtp.subspace.kernel.org; spf=none smtp.mailfrom=schaufler-ca.com Authentication-Results: smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=yahoo.com header.i=@yahoo.com header.b="s8E7a9Ht" DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=yahoo.com; s=s2048; t=1702679938; bh=vw4D+BEaDQJfSHAGsDrE6ropoXZ857wJv+qK1Uq2Fhw=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From:Subject:Reply-To; 
From: Casey Schaufler To: casey@schaufler-ca.com, paul@paul-moore.com, linux-security-module@vger.kernel.org Cc: jmorris@namei.org, serge@hallyn.com, keescook@chromium.org, john.johansen@canonical.com, penguin-kernel@i-love.sakura.ne.jp, stephen.smalley.work@gmail.com, linux-kernel@vger.kernel.org, mic@digikod.net Subject: [PATCH v39 28/42] LSM: Improve logic in security_getprocattr Date: Fri, 15 Dec 2023 14:16:22 -0800 Message-ID: <20231215221636.105680-29-casey@schaufler-ca.com> X-Mailer: git-send-email 2.43.0 In-Reply-To: <20231215221636.105680-1-casey@schaufler-ca.com> References: <20231215221636.105680-1-casey@schaufler-ca.com> Precedence: bulk X-Mailing-List: linux-security-module@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 The conditional in security_getprocattr() can be simplified and made clearer. This change does that. Signed-off-by: Casey Schaufler --- security/security.c | 9 ++++----- 1 file changed, 4 insertions(+), 5 deletions(-) diff --git a/security/security.c b/security/security.c index 8ff6cef26e6c..f2ef6032a925 100644 --- a/security/security.c +++ b/security/security.c 
@@ -4107,11 +4107,10 @@ int security_getprocattr(struct task_struct *p, int lsmid, const char *name, { struct security_hook_list *hp; - hlist_for_each_entry(hp, &security_hook_heads.getprocattr, list) { - if (lsmid != 0 && lsmid != hp->lsmid->id) - continue; - return hp->hook.getprocattr(p, name, value); - } + hlist_for_each_entry(hp, &security_hook_heads.getprocattr, list) + if (lsmid == LSM_ID_UNDEF || lsmid == hp->lsmid->id) + return hp->hook.getprocattr(p, name, value); + return LSM_RET_DEFAULT(getprocattr); } From patchwork Fri Dec 15 22:16:23 2023 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Casey Schaufler X-Patchwork-Id: 13495161 X-Patchwork-Delegate: paul@paul-moore.com Received: from sonic306-28.consmr.mail.ne1.yahoo.com (sonic306-28.consmr.mail.ne1.yahoo.com [66.163.189.90]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 63EA118EAC for ; Fri, 15 Dec 2023 22:38:58 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; dmarc=none (p=none dis=none) header.from=schaufler-ca.com Authentication-Results: smtp.subspace.kernel.org; spf=none smtp.mailfrom=schaufler-ca.com Authentication-Results: smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=yahoo.com header.i=@yahoo.com header.b="tTllBY/E" DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=yahoo.com; s=s2048; t=1702679937; bh=9keQf9g8TT1WOTQ4FMsX6B5QIMK24lZJ/xlVXj6t8WU=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From:Subject:Reply-To; b=tTllBY/E6SGxl+s9lXFNHY+lk5xjxPuWSo69GbT05A8S6sbVEqBokVFaoZrIgEA5jIPPb7YBUrjSfIxQPUqhBSOgd0yEFArlfcRgEuxbER2RGlQddeuKlHAKTDMSB5XeI/f8WmSOhfydOex7RYluhhpkqlsOvtpUKLsqfQrUQ8MSJxMiAKg1UCQR3YzKaoXJmjEjOdhVF1BOHd5nAHT2394anIsFJf0gN4aDxu3koNeWs3OUfyw5u/3+qTCg4QcWSeibEXlEmOExUuvkNyOQnxwwlBEzpuWe4gk3X6jfi3UnVr+oixRohEFbP0+MviJfiuavec3Vwf9z+cczQzRZ4g== X-SONIC-DKIM-SIGN: v=1; 
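Review bot: the rewrite replaces `lsmid != 0` with `lsmid == LSM_ID_UNDEF`; behaviour is preserved only because LSM_ID_UNDEF is defined as 0, so a line in the commit message making that equivalence explicit would stop the change from reading as a semantic one. Style: the `hlist_for_each_entry()` body is now a multi-line `if` with no braces around the loop body; kernel style permits it, but braces on the loop make the next edit to that block less error-prone.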
Hermes SMTP Server) with ESMTPA ID 522caf1ff66b851381e701962a25c33e; Fri, 15 Dec 2023 22:38:55 +0000 (UTC) From: Casey Schaufler To: casey@schaufler-ca.com, paul@paul-moore.com, linux-security-module@vger.kernel.org Cc: jmorris@namei.org, serge@hallyn.com, keescook@chromium.org, john.johansen@canonical.com, penguin-kernel@i-love.sakura.ne.jp, stephen.smalley.work@gmail.com, linux-kernel@vger.kernel.org, mic@digikod.net Subject: [PATCH v39 29/42] LSM: secctx provider check on release Date: Fri, 15 Dec 2023 14:16:23 -0800 Message-ID: <20231215221636.105680-30-casey@schaufler-ca.com> X-Mailer: git-send-email 2.43.0 In-Reply-To: <20231215221636.105680-1-casey@schaufler-ca.com> References: <20231215221636.105680-1-casey@schaufler-ca.com> Precedence: bulk X-Mailing-List: linux-security-module@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Verify that the LSM releasing the secctx is the LSM that allocated it. This was not necessary when only one LSM could create a secctx, but once there can be more than one it is. Signed-off-by: Casey Schaufler --- security/apparmor/secid.c | 10 ++-------- security/selinux/hooks.c | 10 ++-------- 2 files changed, 4 insertions(+), 16 deletions(-) diff --git a/security/apparmor/secid.c b/security/apparmor/secid.c index c9b9a8d90afa..1df08372bf1b 100644 --- a/security/apparmor/secid.c +++ b/security/apparmor/secid.c @@ -146,14 +146,8 @@ int apparmor_secctx_to_secid(const char *secdata, u32 seclen, u32 *secid) void apparmor_release_secctx(struct lsmcontext *cp) { - /* - * stacking scaffolding: - * When it is possible for more than one LSM to provide a - * release hook, do this check: - * if (cp->id == LSM_ID_APPARMOR || cp->id == LSM_ID_UNDEF) - */ - - kfree(cp->context); + if (cp->id == LSM_ID_APPARMOR) + kfree(cp->context); } /** diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c index 656f25337334..a6deccbbcc40 100644 --- a/security/selinux/hooks.c +++ b/security/selinux/hooks.c 
@@ -6616,14 +6616,8 @@ static int selinux_secctx_to_secid(const char *secdata, u32 seclen, u32 *secid) static void selinux_release_secctx(struct lsmcontext *cp) { - /* - * stacking scaffolding: - * When it is possible for more than one LSM to provide a - * release hook, do this check: - * if (cp->id == LSM_ID_SELINUX || cp->id == LSM_ID_UNDEF) - */ - - kfree(cp->context); + if (cp->id == LSM_ID_SELINUX) + kfree(cp->context); } static void selinux_inode_invalidate_secctx(struct inode *inode) From patchwork Fri Dec 15 22:16:24 2023 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Casey Schaufler X-Patchwork-Id: 13495164 X-Patchwork-Delegate: paul@paul-moore.com Received: from sonic315-27.consmr.mail.ne1.yahoo.com (sonic315-27.consmr.mail.ne1.yahoo.com [66.163.190.153]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id CA97818EC1 for ; Fri, 15 Dec 2023 22:40:33 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; dmarc=none (p=none dis=none) header.from=schaufler-ca.com Authentication-Results: smtp.subspace.kernel.org; spf=none smtp.mailfrom=schaufler-ca.com Authentication-Results: smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=yahoo.com header.i=@yahoo.com header.b="O6zwzudR" DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=yahoo.com; s=s2048; t=1702680033; bh=o5IMFBUGP2UovHyCSNRiU+4kZ3jQYyLWEB5ADn6j2oU=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From:Subject:Reply-To; b=O6zwzudRZVUq8/FVNESHRKoaMDlJ5scqxAv5JDviYB9mNlB/tPsF1kXlZ4Q5jGlhnqKfzbx4yEPSls7cv+tLceDr526M8rBDCa95/Omwc9A+ULU00lkuuW12xcAtti/B5hr8dw3ytH5MJBEIBI81PD7JYRSbd0gotwlNgCuVzcuDYHy6rOu7x896Ndynp8067dT+bmTstNVBk8X24e/khYoj5H3YoDshmE6IXXdA7vfyrxgVcxARqy0QQ5Dbh78/UPvqaXaYQNi8E8WG9Jef7JU4wjvorp3W3nQeE1t4Z8AaDEUZaBExYfKDxX5yDQe3cqDxFPM2czNYxKCN1iEIJw== X-SONIC-DKIM-SIGN: v=1; a=rsa-sha256; 
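Review bot: both release hunks (apparmor_release_secctx and selinux_release_secctx) drop the LSM_ID_UNDEF arm that the removed scaffolding comment said the check would carry (`if (cp->id == LSM_ID_APPARMOR || cp->id == LSM_ID_UNDEF)`). If any caller still hands back an lsmcontext whose id was never filled in, neither hook now frees cp->context and the allocation leaks silently. Either state in the commit message that every producer of an lsmcontext sets cp->id before release, or keep the LSM_ID_UNDEF arm as the comment specified; clearing cp->context after the kfree() would also make an accidental second release harmless.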
From: Casey Schaufler To: casey@schaufler-ca.com, paul@paul-moore.com, linux-security-module@vger.kernel.org Cc: jmorris@namei.org, serge@hallyn.com, keescook@chromium.org, john.johansen@canonical.com, penguin-kernel@i-love.sakura.ne.jp, stephen.smalley.work@gmail.com, linux-kernel@vger.kernel.org, mic@digikod.net Subject: [PATCH v39 30/42] LSM: Single calls in socket_getpeersec hooks Date: Fri, 15 Dec 2023 14:16:24 -0800 Message-ID: <20231215221636.105680-31-casey@schaufler-ca.com> X-Mailer: git-send-email 2.43.0 In-Reply-To: <20231215221636.105680-1-casey@schaufler-ca.com> References: <20231215221636.105680-1-casey@schaufler-ca.com> Precedence: bulk X-Mailing-List: linux-security-module@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 security_socket_getpeersec_stream() and security_socket_getpeersec_dgram() can only provide a single security context or secid to their callers. Open code these two hooks to return the first hook provided. Because only one "major" LSM is allowed there will only be one hook in the list, with the exception being BPF. BPF is not expected to be using these interfaces. Signed-off-by: Casey Schaufler --- security/security.c | 19 +++++++++++++++---- 1 file changed, 15 insertions(+), 4 deletions(-) diff --git a/security/security.c b/security/security.c index f2ef6032a925..3f0a4c5094a5 100644 --- a/security/security.c +++ b/security/security.c @@ -4686,8 +4686,14 @@ EXPORT_SYMBOL(security_sock_rcv_skb); int security_socket_getpeersec_stream(struct socket *sock, sockptr_t optval, sockptr_t optlen, unsigned int len) { - return call_int_hook(socket_getpeersec_stream, -ENOPROTOOPT, sock, - optval, optlen, len); + struct security_hook_list *hp; + + hlist_for_each_entry(hp, &security_hook_heads.socket_getpeersec_stream, + list) + return hp->hook.socket_getpeersec_stream(sock, optval, optlen, + len); + + return -ENOPROTOOPT; } /** 
@@ -4707,8 +4713,13 @@ int security_socket_getpeersec_stream(struct socket *sock, sockptr_t optval, int security_socket_getpeersec_dgram(struct socket *sock, struct sk_buff *skb, u32 *secid) { - return call_int_hook(socket_getpeersec_dgram, -ENOPROTOOPT, sock, - skb, secid); + struct security_hook_list *hp; + + hlist_for_each_entry(hp, &security_hook_heads.socket_getpeersec_dgram, + list) + return hp->hook.socket_getpeersec_dgram(sock, skb, secid); + + return -ENOPROTOOPT; } EXPORT_SYMBOL(security_socket_getpeersec_dgram); From patchwork Fri Dec 15 22:16:25 2023 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Casey Schaufler X-Patchwork-Id: 13495163 X-Patchwork-Delegate: paul@paul-moore.com Received: from sonic306-28.consmr.mail.ne1.yahoo.com (sonic306-28.consmr.mail.ne1.yahoo.com [66.163.189.90]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 8B1F718EB8 for ; Fri, 15 Dec 2023 22:40:33 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; dmarc=none (p=none dis=none) header.from=schaufler-ca.com Authentication-Results: smtp.subspace.kernel.org; spf=none smtp.mailfrom=schaufler-ca.com Authentication-Results: smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=yahoo.com header.i=@yahoo.com header.b="PPZC3NED" DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=yahoo.com; s=s2048; t=1702680032; bh=HgKzEIUhaILipzY9DdZwoNSdFerxS4tj7fn6yV2s/8c=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From:Subject:Reply-To; b=PPZC3NEDdt7Us7Ydx1VW0Sl1zTTAqxBCOp1DbkHH0feKwMcyMmOlSJivc6XjYd+QvMM/wzd0mk9LMyN1BintFp1YQQ2FwtnR39zwyfKQWLE4yAcgM28UT9LXtAVx0Wr+rRpXpUzXkH5klCVlXuLywnlLFE1HGsxsbFC3iqgrYJfnFc0D9hKxDPpazyRCigzzdufSOBIkLfxmC8QzbHfYr4ZfsCLXhdtUHrumX+aRDBK7zHUe1dEvAQTNXhn0MpNIuWtfOW7/Z5uXYgTTtdV5Zm028nD4Xjmr2Ok8Zh1DMhv4pkxNuHwLQ9EgOa7tsdJS4IRNWMZ900pjWAIau/qMBA== X-SONIC-DKIM-SIGN: 
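Review bot: in the security_socket_getpeersec_stream hunk the result now comes from whichever entry sits first in security_hook_heads.socket_getpeersec_stream, and the commit message itself names BPF as a module that can also register here. If the BPF LSM is ordered ahead of the major LSM, its hook's return value is handed back and the real provider is never consulted; either spell out that ordering assumption in a comment above the loop or select the hook by LSM id instead of list position. A `return` as the sole body of an `hlist_for_each_entry` also reads as a loop to a casual reader, so a one-line comment ("only the first registered provider is consulted") would help, and the kernel-doc block that follows (cut off at `/**`) should say the same.

Review bot: the security_socket_getpeersec_dgram hunk has the same first-hook semantics as the stream hunk, with the added point that `*secid` is left untouched on the `-ENOPROTOOPT` path. That matches the old call_int_hook() default, but since callers can only tell whether *secid was written from the return value, either say so in a comment or zero *secid before the loop so a caller that ignores the error does not read an uninitialised value.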
From: Casey Schaufler To: casey@schaufler-ca.com, paul@paul-moore.com, linux-security-module@vger.kernel.org Cc: jmorris@namei.org, serge@hallyn.com, keescook@chromium.org, john.johansen@canonical.com, penguin-kernel@i-love.sakura.ne.jp, stephen.smalley.work@gmail.com, linux-kernel@vger.kernel.org, mic@digikod.net Subject: [PATCH v39 31/42] LSM: Exclusive secmark usage Date: Fri, 15 Dec 2023 14:16:25 -0800 Message-ID: <20231215221636.105680-32-casey@schaufler-ca.com> X-Mailer: git-send-email 2.43.0 In-Reply-To: <20231215221636.105680-1-casey@schaufler-ca.com> References: <20231215221636.105680-1-casey@schaufler-ca.com> Precedence: bulk X-Mailing-List: linux-security-module@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 The network secmark can only be used by one security module at a time. Establish a mechanism to identify to security modules whether they have access to the secmark. SELinux already incorporates a mechanism, but it has to be added to Smack and AppArmor. Signed-off-by: Casey Schaufler --- include/linux/lsm_hooks.h | 1 + security/apparmor/include/net.h | 5 +++++ security/apparmor/lsm.c | 7 ++++--- security/security.c | 6 ++++++ security/selinux/hooks.c | 4 +++- security/smack/smack.h | 5 +++++ security/smack/smack_lsm.c | 3 ++- security/smack/smack_netfilter.c | 10 ++++++++-- 8 files changed, 34 insertions(+), 7 deletions(-) diff --git a/include/linux/lsm_hooks.h b/include/linux/lsm_hooks.h index 605aaf38c3f5..4deb1a4d2d1a 100644 --- a/include/linux/lsm_hooks.h +++ b/include/linux/lsm_hooks.h @@ -81,6 +81,7 @@ struct lsm_blob_sizes { int lbs_msg_msg; int lbs_task; int lbs_xattr_count; /* number of xattr slots in new_xattrs array */ + bool lbs_secmark; /* expressed desire for secmark use */ }; /** diff --git a/security/apparmor/include/net.h b/security/apparmor/include/net.h index c42ed8a73f1c..2e43e1e8303c 100644 --- a/security/apparmor/include/net.h +++ b/security/apparmor/include/net.h 
@@ -51,6 +51,11 @@ struct aa_sk_ctx { struct aa_label *peer; }; +static inline bool aa_secmark(void) +{ + return apparmor_blob_sizes.lbs_secmark; +} + static inline struct aa_sk_ctx *aa_sock(const struct sock *sk) { return sk->sk_security + apparmor_blob_sizes.lbs_sock; diff --git a/security/apparmor/lsm.c b/security/apparmor/lsm.c index 075942b253ae..ab9b0b37f1f7 100644 --- a/security/apparmor/lsm.c +++ b/security/apparmor/lsm.c @@ -1322,7 +1322,7 @@ static int apparmor_socket_sock_rcv_skb(struct sock *sk, struct sk_buff *skb) { struct aa_sk_ctx *ctx = aa_sock(sk); - if (!skb->secmark) + if (!aa_secmark() || !skb->secmark) return 0; return apparmor_secmark_check(ctx->label, OP_RECVMSG, AA_MAY_RECEIVE, @@ -1426,7 +1426,7 @@ static int apparmor_inet_conn_request(const struct sock *sk, struct sk_buff *skb { struct aa_sk_ctx *ctx = aa_sock(sk); - if (!skb->secmark) + if (!aa_secmark() || !skb->secmark) return 0; return apparmor_secmark_check(ctx->label, OP_CONNECT, AA_MAY_CONNECT, @@ -1442,6 +1442,7 @@ struct lsm_blob_sizes apparmor_blob_sizes __ro_after_init = { .lbs_file = sizeof(struct aa_file_ctx), .lbs_task = sizeof(struct aa_task_ctx), .lbs_sock = sizeof(struct aa_sk_ctx), + .lbs_secmark = true, }; static const struct lsm_id apparmor_lsmid = { @@ -2105,7 +2106,7 @@ static unsigned int apparmor_ip_postroute(void *priv, struct aa_sk_ctx *ctx; struct sock *sk; - if (!skb->secmark) + if (!aa_secmark() || !skb->secmark) return NF_ACCEPT; sk = skb_to_full_sk(skb); diff --git a/security/security.c b/security/security.c index 3f0a4c5094a5..8469816c0472 100644 --- a/security/security.c +++ b/security/security.c 
@@ -232,6 +232,12 @@ static void __init lsm_set_blob_sizes(struct lsm_blob_sizes *needed) lsm_set_blob_size(&needed->lbs_task, &blob_sizes.lbs_task); lsm_set_blob_size(&needed->lbs_xattr_count, &blob_sizes.lbs_xattr_count); + if (needed->lbs_secmark) { + if (!blob_sizes.lbs_secmark) + blob_sizes.lbs_secmark = true; + else + needed->lbs_secmark = false; + } } /* Prepare LSM for initialization. */ diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c index a6deccbbcc40..3e590f632f59 100644 --- a/security/selinux/hooks.c +++ b/security/selinux/hooks.c @@ -164,7 +164,8 @@ __setup("checkreqprot=", checkreqprot_setup); */ static int selinux_secmark_enabled(void) { - return (selinux_policycap_alwaysnetwork() || + return selinux_blob_sizes.lbs_secmark && + (selinux_policycap_alwaysnetwork() || atomic_read(&selinux_secmark_refcount)); } @@ -6969,6 +6970,7 @@ struct lsm_blob_sizes selinux_blob_sizes __ro_after_init = { .lbs_sock = sizeof(struct sk_security_struct), .lbs_superblock = sizeof(struct superblock_security_struct), .lbs_xattr_count = SELINUX_INODE_INIT_XATTRS, + .lbs_secmark = true, }; #ifdef CONFIG_PERF_EVENTS diff --git a/security/smack/smack.h b/security/smack/smack.h index 297f21446f45..0f5bc5c03b9e 100644 --- a/security/smack/smack.h +++ b/security/smack/smack.h @@ -369,6 +369,11 @@ static inline int smk_inode_transmutable(const struct inode *isp) return (sip->smk_flags & SMK_INODE_TRANSMUTE) != 0; } +static inline bool smack_secmark(void) +{ + return smack_blob_sizes.lbs_secmark; +} + /* * Present a pointer to the smack label entry in an inode blob. */ diff --git a/security/smack/smack_lsm.c b/security/smack/smack_lsm.c index a9ab31a40e36..c93e81facf1b 100644 --- a/security/smack/smack_lsm.c +++ b/security/smack/smack_lsm.c 
@@ -4090,7 +4090,7 @@ static int smk_skb_to_addr_ipv6(struct sk_buff *skb, struct sockaddr_in6 *sip) #ifdef CONFIG_NETWORK_SECMARK static struct smack_known *smack_from_skb(struct sk_buff *skb) { - if (skb == NULL || skb->secmark == 0) + if (!smack_secmark() || skb == NULL || skb->secmark == 0) return NULL; return smack_from_secid(skb->secmark); @@ -5064,6 +5064,7 @@ struct lsm_blob_sizes smack_blob_sizes __ro_after_init = { .lbs_sock = sizeof(struct socket_smack), .lbs_superblock = sizeof(struct superblock_smack), .lbs_xattr_count = SMACK_INODE_INIT_XATTRS, + .lbs_secmark = true, }; static const struct lsm_id smack_lsmid = { diff --git a/security/smack/smack_netfilter.c b/security/smack/smack_netfilter.c index bad71b7e648d..fd146e3a2286 100644 --- a/security/smack/smack_netfilter.c +++ b/security/smack/smack_netfilter.c @@ -26,7 +26,7 @@ static unsigned int smack_ip_output(void *priv, struct socket_smack *ssp; struct smack_known *skp; - if (sk) { + if (smack_secmark() && sk) { ssp = smack_sock(sk); skp = ssp->smk_out; skb->secmark = skp->smk_secid; @@ -54,12 +54,18 @@ static const struct nf_hook_ops smack_nf_ops[] = { static int __net_init smack_nf_register(struct net *net) { + if (!smack_secmark()) + return 0; + return nf_register_net_hooks(net, smack_nf_ops, ARRAY_SIZE(smack_nf_ops)); } static void __net_exit smack_nf_unregister(struct net *net) { + if (!smack_secmark()) + return; + nf_unregister_net_hooks(net, smack_nf_ops, ARRAY_SIZE(smack_nf_ops)); } 
@@ -70,7 +76,7 @@ static struct pernet_operations smack_net_ops = { static int __init smack_nf_ip_init(void) { - if (smack_enabled == 0) + if (smack_enabled == 0 || !smack_secmark()) return 0; printk(KERN_DEBUG "Smack: Registering netfilter hooks\n"); From patchwork Fri Dec 15 22:16:26 2023 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Casey Schaufler X-Patchwork-Id: 13495166 X-Patchwork-Delegate: paul@paul-moore.com Received: from sonic315-27.consmr.mail.ne1.yahoo.com (sonic315-27.consmr.mail.ne1.yahoo.com [66.163.190.153]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 0986518EC1 for ; Fri, 15 Dec 2023 22:42:08 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; dmarc=none (p=none dis=none) header.from=schaufler-ca.com Authentication-Results: smtp.subspace.kernel.org; spf=none smtp.mailfrom=schaufler-ca.com Authentication-Results: smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=yahoo.com header.i=@yahoo.com header.b="Ztiz8+Pv" DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=yahoo.com; s=s2048; t=1702680128; bh=ZI3o3PMEzb9gnitNsbuB3iBlot4aiealGMA8AVY8gd4=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From:Subject:Reply-To; b=Ztiz8+PvN+jZx4/zNPAG3bcpLK+DYIGrzdgqvTcx9ps7HPagfCTJbk35iW7G6kgl9YJ7iD4JJQex0NJwW0I9jxXGP+wy7WltuZ8w/HIsgH/LR2+PZg90vbck3NA1KcXpGEG0rc+pxy4NDjOk53xrUtuiEi5NzDmItNDBcZe7DhNdPZvEKo6xIIQJZW4a2X/E4aQmlbuEQvbvVMpBMtRmiYe30hAvdiPkEiZAw5A1sVry+IaeFhUYTa5prJDqQehz4s3Lo9NDBjZp6Nn+AQyS9udvh8ulC6ObdC7f3XVDcEfgDR7Q1gJUWUoR53LXaXPeWxHU4yHyXVBdF2Vnh46YmQ== X-SONIC-DKIM-SIGN: v=1; a=rsa-sha256; c=relaxed/relaxed; d=yahoo.com; s=s2048; t=1702680128; bh=6ZYf5huaZmC9UCs9n/eiabsPtkOvK63TXZvyZflzODb=; h=X-Sonic-MF:From:To:Subject:Date:From:Subject; 
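Review bot: in the include/linux/lsm_hooks.h hunk the comment on `bool lbs_secmark; /* expressed desire for secmark use */` describes only the input; after lsm_set_blob_sizes() runs the field is cleared for every module except the first claimant, so from that point it means "was granted the secmark". Say both halves in the comment, since aa_secmark(), smack_secmark() and selinux_secmark_enabled() all read it with the second meaning.

Review bot: the security/security.c lsm_set_blob_sizes() hunk resolves contention silently: when `blob_sizes.lbs_secmark` is already set, the later module's `needed->lbs_secmark` is flipped to false with no message. An administrator who loads secmark-based policy for the losing module (SELinux secmark rules, or Smack's netfilter labelling) gets rules that never fire and no hint why. A pr_info() naming the module that owns the secmark, and a line in the commit message noting that ownership follows initialisation order, would make this diagnosable.

Review bot: in the security/smack/smack_netfilter.c hunks the per-packet test `if (smack_secmark() && sk)` in smack_ip_output() is unreachable when the secmark is not granted, because smack_nf_ip_init() now returns before registering smack_nf_ops (and smack_nf_register() / smack_nf_unregister() guard again). One gate is enough: keep the registration-time checks and drop the per-packet one, which otherwise adds a branch to every outgoing packet for no effect.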
From: Casey Schaufler To: casey@schaufler-ca.com, paul@paul-moore.com, linux-security-module@vger.kernel.org Cc: jmorris@namei.org, serge@hallyn.com, keescook@chromium.org, john.johansen@canonical.com, penguin-kernel@i-love.sakura.ne.jp, stephen.smalley.work@gmail.com, linux-kernel@vger.kernel.org, mic@digikod.net Subject: [PATCH v39 32/42] LSM: Identify which LSM handles the context string Date: Fri, 15 Dec 2023 14:16:26 -0800 Message-ID: <20231215221636.105680-33-casey@schaufler-ca.com> X-Mailer: git-send-email 2.43.0 In-Reply-To: <20231215221636.105680-1-casey@schaufler-ca.com> References: <20231215221636.105680-1-casey@schaufler-ca.com> Precedence: bulk X-Mailing-List: linux-security-module@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 The security_secctx_to_secid() call can only interpret the context string for a single LSM. Use the first LSM that supplies a hook. Signed-off-by: Casey Schaufler --- security/security.c | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) diff --git a/security/security.c b/security/security.c index 8469816c0472..8576121fadb9 100644 --- a/security/security.c +++ b/security/security.c 
@@ -4248,8 +4248,13 @@ EXPORT_SYMBOL(security_lsmblob_to_secctx); */ int security_secctx_to_secid(const char *secdata, u32 seclen, u32 *secid) { + struct security_hook_list *hp; + *secid = 0; - return call_int_hook(secctx_to_secid, 0, secdata, seclen, secid); + hlist_for_each_entry(hp, &security_hook_heads.secctx_to_secid, list) + return hp->hook.secctx_to_secid(secdata, seclen, secid); + + return LSM_RET_DEFAULT(secctx_to_secid); } EXPORT_SYMBOL(security_secctx_to_secid); From patchwork Fri Dec 15 22:16:27 2023 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Casey Schaufler X-Patchwork-Id: 13495165 X-Patchwork-Delegate: paul@paul-moore.com Received: from sonic306-28.consmr.mail.ne1.yahoo.com (sonic306-28.consmr.mail.ne1.yahoo.com [66.163.189.90]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 8F4C118EBF for ; Fri, 15 Dec 2023 22:42:08 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; dmarc=none (p=none dis=none) header.from=schaufler-ca.com Authentication-Results: smtp.subspace.kernel.org; spf=none smtp.mailfrom=schaufler-ca.com Authentication-Results: smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=yahoo.com header.i=@yahoo.com header.b="XQMWrGxr" DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=yahoo.com; s=s2048; t=1702680127; bh=ZEHXiJrgb1zdL6EoMkNwkV2keMKbDFlpdJJZebncUCo=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From:Subject:Reply-To; b=XQMWrGxrG4L3NnnVe7i8hL42HSG2x92vGiuBrb5h7861cSnJSJj6UZSocWY/Zy844umtGZqOq21NiipRm7bD/zU9DUQp1llTHQaDlosGo47pgHDGysBwpgmYkrDiVl5n4ZcX5z40y4UNTe/9mqYp/vE/ap5aAazMH0UKQ/+dnhC94W/nkCZJZOu2kxf5NlTY9IsQtkIb45A4AKd7kQqwz4xH0JaAqLgbIhUl6o5x1wmC4CvUcQWdYZRSpIYIb+OC5ZTmmclWfpc8uQN5KuTAU20+F/0RSfYHsshI4KY5QbAX7sLxlprv1t6/DJuKp2E84GQOojt+JHuhj1CL9BQYGg== X-SONIC-DKIM-SIGN: v=1; a=rsa-sha256; c=relaxed/relaxed; d=yahoo.com; 
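Review bot: the security_secctx_to_secid() hunk zeroes `*secid` and then returns the result of the first hook in security_hook_heads.secctx_to_secid regardless of which module registered it, so which LSM gets to interpret the context string is decided by registration order rather than by the string's provenance. Given that this series attaches an LSM id to contexts (LSM_ID_APPARMOR and LSM_ID_SELINUX are used in 29/42), selecting the provider by id, or at least documenting the ordering assumption in the kernel-doc above the function, would be more robust. Note also that the no-hook path returns `LSM_RET_DEFAULT(secctx_to_secid)` with `*secid == 0`, which a caller cannot distinguish from a successful mapping to secid 0; a comment saying that this is the intended default would help.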
sonic306.consmr.mail.ne1.yahoo.com with HTTP; Fri, 15 Dec 2023 22:42:07 +0000 Received: by hermes--production-gq1-6949d6d8f9-bvfr7 (Yahoo Inc. Hermes SMTP Server) with ESMTPA ID 7cf3dab1b010cdb86f7a13f4b7451804; Fri, 15 Dec 2023 22:42:05 +0000 (UTC) From: Casey Schaufler To: casey@schaufler-ca.com, paul@paul-moore.com, linux-security-module@vger.kernel.org Cc: jmorris@namei.org, serge@hallyn.com, keescook@chromium.org, john.johansen@canonical.com, penguin-kernel@i-love.sakura.ne.jp, stephen.smalley.work@gmail.com, linux-kernel@vger.kernel.org, mic@digikod.net Subject: [PATCH v39 33/42] AppArmor: Remove the exclusive flag Date: Fri, 15 Dec 2023 14:16:27 -0800 Message-ID: <20231215221636.105680-34-casey@schaufler-ca.com> X-Mailer: git-send-email 2.43.0 In-Reply-To: <20231215221636.105680-1-casey@schaufler-ca.com> References: <20231215221636.105680-1-casey@schaufler-ca.com> Precedence: bulk X-Mailing-List: linux-security-module@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 With the inclusion of the interface LSM process attribute mechanism AppArmor no longer needs to be treated as an "exclusive" security module. Remove the flag that indicates it is exclusive. Remove the stub getpeersec_dgram AppArmor hook as it has no effect in the single LSM case and interferes in the multiple LSM case. Acked-by: Stephen Smalley Acked-by: John Johansen Reviewed-by: Kees Cook Signed-off-by: Casey Schaufler --- security/apparmor/lsm.c | 20 +------------------- 1 file changed, 1 insertion(+), 19 deletions(-) diff --git a/security/apparmor/lsm.c b/security/apparmor/lsm.c index ab9b0b37f1f7..d47816e91bd3 100644 --- a/security/apparmor/lsm.c +++ b/security/apparmor/lsm.c 
@@ -1385,22 +1385,6 @@ static int apparmor_socket_getpeersec_stream(struct socket *sock, return error; } -/** - * apparmor_socket_getpeersec_dgram - get security label of packet - * @sock: the peer socket - * @skb: packet data - * @secid: pointer to where to put the secid of the packet - * - * Sets the netlabel socket state on sk from parent - */ -static int apparmor_socket_getpeersec_dgram(struct socket *sock, - struct sk_buff *skb, u32 *secid) - -{ - /* TODO: requires secid support */ - return -ENOPROTOOPT; -} - /** * apparmor_sock_graft - Initialize newly created socket * @sk: child sock @@ -1510,8 +1494,6 @@ static struct security_hook_list apparmor_hooks[] __ro_after_init = { #endif LSM_HOOK_INIT(socket_getpeersec_stream, apparmor_socket_getpeersec_stream), - LSM_HOOK_INIT(socket_getpeersec_dgram, - apparmor_socket_getpeersec_dgram), LSM_HOOK_INIT(sock_graft, apparmor_sock_graft), #ifdef CONFIG_NETWORK_SECMARK LSM_HOOK_INIT(inet_conn_request, apparmor_inet_conn_request), 
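Review bot: the commit message says the getpeersec_dgram stub "has no effect in the single LSM case", but the removed body returns -ENOPROTOOPT unconditionally, so with AppArmor as the only module a datagram peer-security query changes from -ENOPROTOOPT to whatever the infrastructure returns when no module registers socket_getpeersec_dgram at all. That is presumably the intended outcome, but the message should state the visible return-value change explicitly rather than calling it "no effect"; dropping the stale kernel-doc line "Sets the netlabel socket state on sk from parent" along with the stub is fine.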
@@ -2296,7 +2278,7 @@ static int __init apparmor_init(void) DEFINE_LSM(apparmor) = { .name = "apparmor", - .flags = LSM_FLAG_LEGACY_MAJOR | LSM_FLAG_EXCLUSIVE, + .flags = LSM_FLAG_LEGACY_MAJOR, .enabled = &apparmor_enabled, .blobs = &apparmor_blob_sizes, .init = apparmor_init,

From patchwork Fri Dec 15 22:16:28 2023
X-Patchwork-Submitter: Casey Schaufler
X-Patchwork-Id: 13495167
X-Patchwork-Delegate: paul@paul-moore.com
From: Casey Schaufler
To: casey@schaufler-ca.com, paul@paul-moore.com, linux-security-module@vger.kernel.org
Cc: jmorris@namei.org, serge@hallyn.com, keescook@chromium.org, john.johansen@canonical.com, penguin-kernel@i-love.sakura.ne.jp, stephen.smalley.work@gmail.com, linux-kernel@vger.kernel.org, mic@digikod.net
Subject: [PATCH v39 34/42] LSM: Add mount opts blob size tracking
Date: Fri, 15 Dec 2023 14:16:28 -0800
Message-ID: <20231215221636.105680-35-casey@schaufler-ca.com>
In-Reply-To: <20231215221636.105680-1-casey@schaufler-ca.com>
References: <20231215221636.105680-1-casey@schaufler-ca.com>

Add mount option data to the blob size accounting in anticipation of using a shared mnt_opts blob.

Signed-off-by: Casey Schaufler
--- include/linux/lsm_hooks.h | 1 + security/security.c | 2 ++ security/selinux/hooks.c | 1 + security/smack/smack_lsm.c | 1 + 4 files changed, 5 insertions(+) diff --git a/include/linux/lsm_hooks.h b/include/linux/lsm_hooks.h index 4deb1a4d2d1a..59085248809a 100644 --- a/include/linux/lsm_hooks.h +++ b/include/linux/lsm_hooks.h @@ -81,6 +81,7 @@ struct lsm_blob_sizes { int lbs_msg_msg; int lbs_task; int lbs_xattr_count; /* number of xattr slots in new_xattrs array */ + int lbs_mnt_opts; bool lbs_secmark; /* expressed desire for secmark use */ }; diff --git a/security/security.c b/security/security.c index 8576121fadb9..fd429f67d2da 100644 --- a/security/security.c +++ b/security/security.c @@ -232,6 +232,7 @@ static void __init lsm_set_blob_sizes(struct lsm_blob_sizes *needed) lsm_set_blob_size(&needed->lbs_task, &blob_sizes.lbs_task); lsm_set_blob_size(&needed->lbs_xattr_count, &blob_sizes.lbs_xattr_count); + lsm_set_blob_size(&needed->lbs_mnt_opts, &blob_sizes.lbs_mnt_opts); if (needed->lbs_secmark) { if (!blob_sizes.lbs_secmark) blob_sizes.lbs_secmark = true;
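Review bot: the new `int lbs_mnt_opts;` field in struct lsm_blob_sizes carries no trailing comment, while its neighbours `lbs_xattr_count` and `lbs_secmark` each document their meaning; a short `/* size of the shared mnt_opts blob */` would keep the structure self-describing. The commit message should also say that lbs_mnt_opts is accumulated across modules like the other lbs_* sizes, which the lsm_set_blob_size() call in the security.c hunk implies but the one-line description does not.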
@@ -453,6 +454,7 @@ static void __init ordered_lsm_init(void) init_debug("superblock blob size = %d\n", blob_sizes.lbs_superblock); init_debug("task blob size = %d\n", blob_sizes.lbs_task); init_debug("xattr slots = %d\n", blob_sizes.lbs_xattr_count); + init_debug("mnt_opts blob size = %d\n", blob_sizes.lbs_mnt_opts); /* * Create any kmem_caches needed for blobs diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c index 3e590f632f59..e0f6f2093708 100644 --- a/security/selinux/hooks.c +++ b/security/selinux/hooks.c @@ -6970,6 +6970,7 @@ struct lsm_blob_sizes selinux_blob_sizes __ro_after_init = { .lbs_sock = sizeof(struct sk_security_struct), .lbs_superblock = sizeof(struct superblock_security_struct), .lbs_xattr_count = SELINUX_INODE_INIT_XATTRS, + .lbs_mnt_opts = sizeof(struct selinux_mnt_opts), .lbs_secmark = true, }; diff --git a/security/smack/smack_lsm.c b/security/smack/smack_lsm.c index c93e81facf1b..573d5bffb9e1 100644 --- a/security/smack/smack_lsm.c +++ b/security/smack/smack_lsm.c 
@@ -5064,6 +5064,7 @@ struct lsm_blob_sizes smack_blob_sizes __ro_after_init = { .lbs_sock = sizeof(struct socket_smack), .lbs_superblock = sizeof(struct superblock_smack), .lbs_xattr_count = SMACK_INODE_INIT_XATTRS, + .lbs_mnt_opts = sizeof(struct smack_mnt_opts), .lbs_secmark = true, };

From patchwork Fri Dec 15 22:16:29 2023
X-Patchwork-Submitter: Casey Schaufler
X-Patchwork-Id: 13495168
X-Patchwork-Delegate: paul@paul-moore.com
From: Casey Schaufler
To: casey@schaufler-ca.com, paul@paul-moore.com, linux-security-module@vger.kernel.org
Cc: jmorris@namei.org, serge@hallyn.com, keescook@chromium.org, john.johansen@canonical.com, penguin-kernel@i-love.sakura.ne.jp, stephen.smalley.work@gmail.com, linux-kernel@vger.kernel.org, mic@digikod.net
Subject: [PATCH v39 35/42] LSM: allocate mnt_opts blobs instead of module specific data
Date: Fri, 15 Dec 2023 14:16:29 -0800
Message-ID: <20231215221636.105680-36-casey@schaufler-ca.com>
In-Reply-To: <20231215221636.105680-1-casey@schaufler-ca.com>
References: <20231215221636.105680-1-casey@schaufler-ca.com>

Replace allocations of LSM specific mount data with the shared mnt_opts blob.

Signed-off-by: Casey Schaufler
--- include/linux/lsm_hooks.h | 1 + security/security.c | 12 ++++++++++++ security/selinux/hooks.c | 10 +++++++--- security/smack/smack_lsm.c | 4 ++-- 4 files changed, 22 insertions(+), 5 deletions(-) diff --git a/include/linux/lsm_hooks.h b/include/linux/lsm_hooks.h index 59085248809a..24a0f62ec2ac 100644 --- a/include/linux/lsm_hooks.h +++ b/include/linux/lsm_hooks.h @@ -156,5 +156,6 @@ extern struct lsm_info __start_early_lsm_info[], __end_early_lsm_info[]; __aligned(sizeof(unsigned long)) extern int lsm_inode_alloc(struct inode *inode); +extern void *lsm_mnt_opts_alloc(gfp_t priority); #endif /* ! __LINUX_LSM_HOOKS_H */ diff --git a/security/security.c b/security/security.c index fd429f67d2da..7a9fbe706525 100644 --- a/security/security.c +++ b/security/security.c
@@ -1385,6 +1385,18 @@ void security_sb_free(struct super_block *sb) sb->s_security = NULL; } +/** + * lsm_mnt_opts_alloc - allocate a mnt_opts blob + * @priority: memory allocation priority + * + * Returns a newly allocated mnt_opts blob or NULL if + * memory isn't available. + */ +void *lsm_mnt_opts_alloc(gfp_t priority) +{ + return kzalloc(blob_sizes.lbs_mnt_opts, priority); +} + /** * security_free_mnt_opts() - Free memory associated with mount options * @mnt_opts: LSM processed mount options diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c index e0f6f2093708..3d046c9d0121 100644 --- a/security/selinux/hooks.c +++ b/security/selinux/hooks.c @@ -2787,7 +2787,7 @@ static int selinux_fs_context_submount(struct fs_context *fc, if (!(sbsec->flags & (FSCONTEXT_MNT|CONTEXT_MNT|DEFCONTEXT_MNT))) return 0; - opts = kzalloc(sizeof(*opts), GFP_KERNEL); + opts = lsm_mnt_opts_alloc(GFP_KERNEL); if (!opts) return -ENOMEM; @@ -2809,8 +2809,12 @@ static int selinux_fs_context_dup(struct fs_context *fc, if (!src) return 0; - fc->security = kmemdup(src, sizeof(*src), GFP_KERNEL); - return fc->security ? 0 : -ENOMEM; + fc->security = lsm_mnt_opts_alloc(GFP_KERNEL); + if (!fc->security) + return -ENOMEM; + + memcpy(fc->security, src, sizeof(*src)); + return 0; } static const struct fs_parameter_spec selinux_fs_parameters[] = { diff --git a/security/smack/smack_lsm.c b/security/smack/smack_lsm.c index 573d5bffb9e1..97ffb07797e9 100644 --- a/security/smack/smack_lsm.c +++ b/security/smack/smack_lsm.c @@ -638,7 +638,7 @@ static int smack_fs_context_submount(struct fs_context *fc, struct smack_mnt_opts *ctx; struct inode_smack *isp; - ctx = kzalloc(sizeof(*ctx), GFP_KERNEL); + ctx = lsm_mnt_opts_alloc(GFP_KERNEL); if (!ctx) return -ENOMEM; fc->security = ctx; 
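Review bot: lsm_mnt_opts_alloc() returns kzalloc(blob_sizes.lbs_mnt_opts, priority) with no guard for lbs_mnt_opts == 0, unlike lsm_key_alloc() in 36/42, which returns early with a NULL pointer when no module declared a size. kzalloc(0) does not return NULL in the kernel, so in that case the `if (!opts)` and `if (!fc->security)` checks in the callers would accept a zero-length allocation and the modules would then write into it. Today only modules that declare a size call it, so it cannot trigger, but an explicit `if (blob_sizes.lbs_mnt_opts == 0) return NULL;` (or a WARN) would make the helper safe on its own.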
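Review bot: in selinux_fs_context_dup the replacement does memcpy(fc->security, src, sizeof(*src)) into a blob of blob_sizes.lbs_mnt_opts bytes and, like selinux_fs_context_submount above it and smack_fs_context_submount below, treats the blob as the module's own struct at offset 0. There is no selinux_blob_sizes.lbs_mnt_opts offset accessor of the kind selinux_key() and smack_key() add for the key blob in 36/42, so the shared allocation is only correct while SELinux and Smack cannot both own it; a comment stating that assumption, or an accessor that adds the module's offset, would prevent a silent overlap once the two are allowed to coexist.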
@@ -689,7 +689,7 @@ static int smack_fs_context_dup(struct fs_context *fc, if (!src) return 0; - fc->security = kzalloc(sizeof(struct smack_mnt_opts), GFP_KERNEL); + fc->security = lsm_mnt_opts_alloc(GFP_KERNEL); if (!fc->security) return -ENOMEM;

From patchwork Fri Dec 15 22:16:30 2023
X-Patchwork-Submitter: Casey Schaufler
X-Patchwork-Id: 13495170
X-Patchwork-Delegate: paul@paul-moore.com
From: Casey Schaufler
To: casey@schaufler-ca.com, paul@paul-moore.com, linux-security-module@vger.kernel.org
Cc: jmorris@namei.org, serge@hallyn.com, keescook@chromium.org, john.johansen@canonical.com, penguin-kernel@i-love.sakura.ne.jp, stephen.smalley.work@gmail.com, linux-kernel@vger.kernel.org, mic@digikod.net
Subject: [PATCH v39 36/42] LSM: Infrastructure management of the key security blob
Date: Fri, 15 Dec 2023 14:16:30 -0800
Message-ID: <20231215221636.105680-37-casey@schaufler-ca.com>
In-Reply-To: <20231215221636.105680-1-casey@schaufler-ca.com>
References: <20231215221636.105680-1-casey@schaufler-ca.com>

Move management of the key->security blob out of the individual security modules and into the security infrastructure. Instead of allocating the blobs from within the modules the modules tell the infrastructure how much space is required, and the space is allocated there.

Signed-off-by: Casey Schaufler
--- include/linux/lsm_hooks.h | 1 + security/security.c | 41 +++++++++++++++++++++++++++++-- security/selinux/hooks.c | 23 +++++------------ security/selinux/include/objsec.h | 7 ++++++ security/smack/smack.h | 7 ++++++ security/smack/smack_lsm.c | 33 +++++++++++-------------- 6 files changed, 75 insertions(+), 37 deletions(-) diff --git a/include/linux/lsm_hooks.h b/include/linux/lsm_hooks.h index 24a0f62ec2ac..fdeffa0c8d13 100644 --- a/include/linux/lsm_hooks.h +++ b/include/linux/lsm_hooks.h @@ -78,6 +78,7 @@ struct lsm_blob_sizes { int lbs_sock; int lbs_superblock; int lbs_ipc; + int lbs_key; int lbs_msg_msg; int lbs_task; int lbs_xattr_count; /* number of xattr slots in new_xattrs array */ diff --git a/security/security.c b/security/security.c index 7a9fbe706525..092752666fb6 100644 --- a/security/security.c +++ b/security/security.c
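Review bot: `int lbs_key;` is added to struct lsm_blob_sizes unconditionally, while every consumer in this patch wraps it in #ifdef CONFIG_KEYS (the lsm_set_blob_size() call, the init_debug() line, and the .lbs_key initialisers in selinux_blob_sizes and smack_blob_sizes). Either drop the ifdefs around the initialisers and debug line, since the field exists regardless and a zero size is harmless, or guard the field as well; mixing the two styles invites an ifdef mismatch when the next user is added.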
@@ -226,6 +226,9 @@ static void __init lsm_set_blob_sizes(struct lsm_blob_sizes *needed) blob_sizes.lbs_inode = sizeof(struct rcu_head); lsm_set_blob_size(&needed->lbs_inode, &blob_sizes.lbs_inode); lsm_set_blob_size(&needed->lbs_ipc, &blob_sizes.lbs_ipc); +#ifdef CONFIG_KEYS + lsm_set_blob_size(&needed->lbs_key, &blob_sizes.lbs_key); +#endif lsm_set_blob_size(&needed->lbs_msg_msg, &blob_sizes.lbs_msg_msg); lsm_set_blob_size(&needed->lbs_sock, &blob_sizes.lbs_sock); lsm_set_blob_size(&needed->lbs_superblock, &blob_sizes.lbs_superblock); @@ -449,6 +452,9 @@ static void __init ordered_lsm_init(void) init_debug("file blob size = %d\n", blob_sizes.lbs_file); init_debug("inode blob size = %d\n", blob_sizes.lbs_inode); init_debug("ipc blob size = %d\n", blob_sizes.lbs_ipc); +#ifdef CONFIG_KEYS + init_debug("key blob size = %d\n", blob_sizes.lbs_key); +#endif /* CONFIG_KEYS */ init_debug("msg_msg blob size = %d\n", blob_sizes.lbs_msg_msg); init_debug("sock blob size = %d\n", blob_sizes.lbs_sock); init_debug("superblock blob size = %d\n", blob_sizes.lbs_superblock); @@ -768,6 +774,29 @@ static int lsm_ipc_alloc(struct kern_ipc_perm *kip) return 0; } +#ifdef CONFIG_KEYS +/** + * lsm_key_alloc - allocate a composite key blob + * @key: the key that needs a blob + * + * Allocate the key blob for all the modules + * + * Returns 0, or -ENOMEM if memory can't be allocated. + */ +int lsm_key_alloc(struct key *key) +{ + if (blob_sizes.lbs_key == 0) { + key->security = NULL; + return 0; + } + + key->security = kzalloc(blob_sizes.lbs_key, GFP_KERNEL); + if (key->security == NULL) + return -ENOMEM; + return 0; +} +#endif /* CONFIG_KEYS */ + /** * lsm_msg_msg_alloc - allocate a composite msg_msg blob * @mp: the msg_msg that needs a blob 
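Review bot: lsm_key_alloc() is defined with external linkage in security.c, but the lsm_hooks.h hunk only adds the lbs_key field and no prototype, so the function has no declaration anywhere (a -Wmissing-prototypes warning). Its only caller, security_key_alloc() in the following hunk, is in the same file, so `static int lsm_key_alloc(struct key *key)` is sufficient; the #ifdef CONFIG_KEYS around the definition then needs the call site to sit under the same guard, which the security_key_alloc hunk does not show.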
@@ -5390,7 +5419,14 @@ EXPORT_SYMBOL(security_skb_classify_flow); int security_key_alloc(struct key *key, const struct cred *cred, unsigned long flags) { - return call_int_hook(key_alloc, 0, key, cred, flags); + int rc = lsm_key_alloc(key); + + if (unlikely(rc)) + return rc; + rc = call_int_hook(key_alloc, 0, key, cred, flags); + if (unlikely(rc)) + security_key_free(key); + return rc; } /** @@ -5401,7 +5437,8 @@ int security_key_alloc(struct key *key, const struct cred *cred, */ void security_key_free(struct key *key) { - call_void_hook(key_free, key); + kfree(key->security); + key->security = NULL; } /** diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c index 3d046c9d0121..a9af3c848a16 100644 --- a/security/selinux/hooks.c +++ b/security/selinux/hooks.c @@ -6672,11 +6672,7 @@ static int selinux_key_alloc(struct key *k, const struct cred *cred, unsigned long flags) { const struct task_security_struct *tsec; - struct key_security_struct *ksec; - - ksec = kzalloc(sizeof(struct key_security_struct), GFP_KERNEL); - if (!ksec) - return -ENOMEM; + struct key_security_struct *ksec = selinux_key(k); tsec = selinux_cred(cred); if (tsec->keycreate_sid) @@ -6684,18 +6680,9 @@ static int selinux_key_alloc(struct key *k, const struct cred *cred, else ksec->sid = tsec->sid; - k->security = ksec; return 0; } -static void selinux_key_free(struct key *k) -{ - struct key_security_struct *ksec = k->security; - - k->security = NULL; - kfree(ksec); -} - static int selinux_key_permission(key_ref_t key_ref, const struct cred *cred, enum key_need_perm need_perm) 
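Review bot: security_key_free() now does kfree(key->security) and no longer calls call_void_hook(key_free, key), yet the diffstat touches no hook definition file, so the key_free hook stays declarable while never being invoked; SELinux and Smack drop their registrations in this patch, but any other module registering key_free would be silently ignored. Either remove the hook definition in the same patch or keep the call_void_hook before the kfree so a module can release anything it hangs off its slice of the blob. On the allocation side, calling security_key_free() when the key_alloc hook fails is consistent with that, since the blob is the only thing left to release.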
@@ -6736,14 +6723,14 @@ static int selinux_key_permission(key_ref_t key_ref, sid = cred_sid(cred); key = key_ref_to_ptr(key_ref); - ksec = key->security; + ksec = selinux_key(key); return avc_has_perm(sid, ksec->sid, SECCLASS_KEY, perm, NULL); } static int selinux_key_getsecurity(struct key *key, char **_buffer) { - struct key_security_struct *ksec = key->security; + struct key_security_struct *ksec = selinux_key(key); char *context = NULL; unsigned len; int rc; @@ -6970,6 +6957,9 @@ struct lsm_blob_sizes selinux_blob_sizes __ro_after_init = { .lbs_file = sizeof(struct file_security_struct), .lbs_inode = sizeof(struct inode_security_struct), .lbs_ipc = sizeof(struct ipc_security_struct), +#ifdef CONFIG_KEYS + .lbs_key = sizeof(struct key_security_struct), +#endif /* CONFIG_KEYS */ .lbs_msg_msg = sizeof(struct msg_security_struct), .lbs_sock = sizeof(struct sk_security_struct), .lbs_superblock = sizeof(struct superblock_security_struct), @@ -7310,7 +7300,6 @@ static struct security_hook_list selinux_hooks[] __ro_after_init = { #endif #ifdef CONFIG_KEYS - LSM_HOOK_INIT(key_free, selinux_key_free), LSM_HOOK_INIT(key_permission, selinux_key_permission), LSM_HOOK_INIT(key_getsecurity, selinux_key_getsecurity), #ifdef CONFIG_KEY_NOTIFICATIONS diff --git a/security/selinux/include/objsec.h b/security/selinux/include/objsec.h index ca12d4d7cfc6..a76d39528262 100644 --- a/security/selinux/include/objsec.h +++ b/security/selinux/include/objsec.h @@ -194,6 +194,13 @@ static inline struct superblock_security_struct *selinux_superblock( return superblock->s_security + selinux_blob_sizes.lbs_superblock; } +#ifdef CONFIG_KEYS +static inline struct key_security_struct *selinux_key(const struct key *key) +{ + return key->security + selinux_blob_sizes.lbs_key; +} +#endif /* CONFIG_KEYS */ + static inline struct sk_security_struct *selinux_sock(const struct sock *sock) { return sock->sk_security + selinux_blob_sizes.lbs_sock; 
diff --git a/security/smack/smack.h b/security/smack/smack.h index 0f5bc5c03b9e..85ec8141fe70 100644 --- a/security/smack/smack.h +++ b/security/smack/smack.h @@ -360,6 +360,13 @@ static inline struct socket_smack *smack_sock(const struct sock *sock) return sock->sk_security + smack_blob_sizes.lbs_sock; } +#ifdef CONFIG_KEYS +static inline struct smack_known **smack_key(const struct key *key) +{ + return key->security + smack_blob_sizes.lbs_key; +} +#endif /* CONFIG_KEYS */ + /* * Is the directory transmuting? */ diff --git a/security/smack/smack_lsm.c b/security/smack/smack_lsm.c index 97ffb07797e9..b273e94028bb 100644 --- a/security/smack/smack_lsm.c +++ b/security/smack/smack_lsm.c @@ -4486,23 +4486,13 @@ static void smack_inet_csk_clone(struct sock *sk, static int smack_key_alloc(struct key *key, const struct cred *cred, unsigned long flags) { + struct smack_known **blob = smack_key(key); struct smack_known *skp = smk_of_task(smack_cred(cred)); - key->security = skp; + *blob = skp; return 0; } -/** - * smack_key_free - Clear the key security blob - * @key: the object - * - * Clear the blob pointer - */ -static void smack_key_free(struct key *key) -{ - key->security = NULL; -} - /** * smack_key_permission - Smack access on a key * @key_ref: gets to the object @@ -4516,6 +4506,8 @@ static int smack_key_permission(key_ref_t key_ref, const struct cred *cred, enum key_need_perm need_perm) { + struct smack_known **blob; + struct smack_known *skp; struct key *keyp; struct smk_audit_info ad; struct smack_known *tkp = smk_of_task(smack_cred(cred)); @@ -4553,7 +4545,9 @@ static int smack_key_permission(key_ref_t key_ref, * If the key hasn't been initialized give it access so that * it may do so. */ - if (keyp->security == NULL) + blob = smack_key(keyp); + skp = *blob; + if (skp == NULL) return 0; /* * This should not occur 
@@ -4569,8 +4563,8 @@ static int smack_key_permission(key_ref_t key_ref, ad.a.u.key_struct.key = keyp->serial; ad.a.u.key_struct.key_desc = keyp->description; #endif - rc = smk_access(tkp, keyp->security, request, &ad); - rc = smk_bu_note("key access", tkp, keyp->security, request, rc); + rc = smk_access(tkp, skp, request, &ad); + rc = smk_bu_note("key access", tkp, skp, request, rc); return rc; } @@ -4585,11 +4579,12 @@ static int smack_key_permission(key_ref_t key_ref, */ static int smack_key_getsecurity(struct key *key, char **_buffer) { - struct smack_known *skp = key->security; + struct smack_known **blob = smack_key(key); + struct smack_known *skp = *blob; size_t length; char *copy; - if (key->security == NULL) { + if (skp == NULL) { *_buffer = NULL; return 0; } @@ -5060,6 +5055,9 @@ struct lsm_blob_sizes smack_blob_sizes __ro_after_init = { .lbs_file = sizeof(struct smack_known *), .lbs_inode = sizeof(struct inode_smack), .lbs_ipc = sizeof(struct smack_known *), +#ifdef CONFIG_KEYS + .lbs_key = sizeof(struct smack_known *), +#endif /* CONFIG_KEYS */ .lbs_msg_msg = sizeof(struct smack_known *), .lbs_sock = sizeof(struct socket_smack), .lbs_superblock = sizeof(struct superblock_smack), 
@@ -5199,7 +5197,6 @@ static struct security_hook_list smack_hooks[] __ro_after_init = { /* key management security hooks */ #ifdef CONFIG_KEYS LSM_HOOK_INIT(key_alloc, smack_key_alloc), - LSM_HOOK_INIT(key_free, smack_key_free), LSM_HOOK_INIT(key_permission, smack_key_permission), LSM_HOOK_INIT(key_getsecurity, smack_key_getsecurity), #ifdef CONFIG_KEY_NOTIFICATIONS
From patchwork Fri Dec 15 22:16:31 2023 X-Patchwork-Submitter: Casey Schaufler X-Patchwork-Id: 13495169 X-Patchwork-Delegate: paul@paul-moore.com
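Review bot: Removing smack_key_free makes the "skp == NULL" tests in the smack_key_permission and smack_key_getsecurity hunks depend on the key blob being zero-filled when the infrastructure allocates it, because smack_key_alloc is now the only writer and nothing clears the slot any more. That holds if the infrastructure uses a zeroing allocation for key->security, but the assumption is no longer visible in this file; a short comment next to "blob = smack_key(keyp);" saying that the slot is zeroed on allocation would keep the "If the key hasn't been initialized give it access" comment above it honest for the next reader.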
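Review bot: Style point in the smack_key_permission hunk: the new local "blob" is written once and read once, so "skp = *smack_key(keyp);" would remove both the extra variable and the "struct smack_known **blob;" declaration added at the top of the function. The same applies to the smack_key_getsecurity hunk, where "struct smack_known *skp = *smack_key(key);" is enough.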
From: Casey Schaufler
To: casey@schaufler-ca.com, paul@paul-moore.com, linux-security-module@vger.kernel.org
Cc: jmorris@namei.org, serge@hallyn.com, keescook@chromium.org, john.johansen@canonical.com, penguin-kernel@i-love.sakura.ne.jp, stephen.smalley.work@gmail.com, linux-kernel@vger.kernel.org, mic@digikod.net
Subject: [PATCH v39 37/42] LSM: Infrastructure management of the mnt_opts security blob
Date: Fri, 15 Dec 2023 14:16:31 -0800
Message-ID: <20231215221636.105680-38-casey@schaufler-ca.com>
X-Mailer: git-send-email 2.43.0
In-Reply-To: <20231215221636.105680-1-casey@schaufler-ca.com>
References: <20231215221636.105680-1-casey@schaufler-ca.com>
X-Mailing-List: linux-security-module@vger.kernel.org

Move management of the mnt_opts->security blob out of the individual security modules and into the security infrastructure. Blobs are still allocated within the modules as they are only required when mount options are present. The modules tell the infrastructure how much space is required, and the space is allocated if needed. Modules can no longer count on the presence of a blob implying that mount options specific to that module are present, so flags are added to the module specific blobs to indicate that this module has options.

Signed-off-by: Casey Schaufler
---
security/security.c | 14 ++++-----
security/selinux/hooks.c | 58 +++++++++++++++++++++++-------------
security/smack/smack_lsm.c | 61 ++++++++++++++++++++++++++------------
3 files changed, 85 insertions(+), 48 deletions(-)

diff --git a/security/security.c b/security/security.c
index 092752666fb6..64cdf0e09832 100644
--- a/security/security.c
+++ b/security/security.c
@@ -1352,18 +1352,15 @@ int security_fs_context_parse_param(struct fs_context *fc, struct fs_parameter *param) { struct security_hook_list *hp; - int trc; - int rc = -ENOPARAM; + int rc; hlist_for_each_entry(hp, &security_hook_heads.fs_context_parse_param, list) { - trc = hp->hook.fs_context_parse_param(fc, param); - if (trc == 0) - rc = 0; - else if (trc != -ENOPARAM) - return trc; + rc = hp->hook.fs_context_parse_param(fc, param); + if (rc != -ENOPARAM) + return rc; } - return rc; + return -ENOPARAM; } /** @@ -1437,6 +1434,7 @@ void security_free_mnt_opts(void **mnt_opts) if (!*mnt_opts) return; call_void_hook(sb_free_mnt_opts, *mnt_opts); + kfree(*mnt_opts); *mnt_opts = NULL; } EXPORT_SYMBOL(security_free_mnt_opts); diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c index a9af3c848a16..46dee63eec12 100644 --- a/security/selinux/hooks.c +++ b/security/selinux/hooks.c @@ -365,15 +365,28 @@ static void inode_free_security(struct inode *inode) } struct selinux_mnt_opts { + bool initialized; u32 fscontext_sid; u32 context_sid; u32 rootcontext_sid; u32 defcontext_sid; }; +static inline struct selinux_mnt_opts *selinux_mnt_opts(void *mnt_opts) +{ + if (mnt_opts) + return mnt_opts + selinux_blob_sizes.lbs_mnt_opts; + return NULL; +} + static void selinux_free_mnt_opts(void *mnt_opts) { - kfree(mnt_opts); + struct selinux_mnt_opts *opts; + + if (mnt_opts) { + opts = selinux_mnt_opts(mnt_opts); + opts->initialized = false; + } } enum { @@ -628,7 +641,7 @@ static int selinux_set_mnt_opts(struct super_block *sb, const struct cred *cred = current_cred(); struct superblock_security_struct *sbsec = selinux_superblock(sb); struct dentry *root = sb->s_root; - struct selinux_mnt_opts *opts = mnt_opts; + struct selinux_mnt_opts *opts = selinux_mnt_opts(mnt_opts); struct inode_security_struct *root_isec; u32 fscontext_sid = 0, context_sid = 0, rootcontext_sid = 0; u32 defcontext_sid = 0; 
@@ -644,7 +657,7 @@ static int selinux_set_mnt_opts(struct super_block *sb, mutex_lock(&sbsec->lock); if (!selinux_initialized()) { - if (!opts) { + if (!opts || !opts->initialized) { /* Defer initialization until selinux_complete_init, after the initial policy is loaded and the security server is ready to handle calls. */ @@ -682,7 +695,7 @@ static int selinux_set_mnt_opts(struct super_block *sb, * also check if someone is trying to mount the same sb more * than once with different security options. */ - if (opts) { + if (opts && opts->initialized) { if (opts->fscontext_sid) { fscontext_sid = opts->fscontext_sid; if (bad_option(sbsec, FSCONTEXT_MNT, sbsec->sid, @@ -991,7 +1004,7 @@ static int selinux_sb_clone_mnt_opts(const struct super_block *oldsb, */ static int selinux_add_opt(int token, const char *s, void **mnt_opts) { - struct selinux_mnt_opts *opts = *mnt_opts; + struct selinux_mnt_opts *opts; u32 *dst_sid; int rc; @@ -1006,12 +1019,12 @@ static int selinux_add_opt(int token, const char *s, void **mnt_opts) return -EINVAL; } - if (!opts) { - opts = kzalloc(sizeof(*opts), GFP_KERNEL); - if (!opts) + if (!*mnt_opts) { + *mnt_opts = lsm_mnt_opts_alloc(GFP_KERNEL); + if (!*mnt_opts) return -ENOMEM; - *mnt_opts = opts; } + opts = selinux_mnt_opts(*mnt_opts); switch (token) { case Opt_context: @@ -1038,6 +1051,7 @@ static int selinux_add_opt(int token, const char *s, void **mnt_opts) WARN_ON(1); return -EINVAL; } + opts->initialized = true; rc = security_context_str_to_sid(s, dst_sid, GFP_KERNEL); if (rc) pr_warn("SELinux: security_context_str_to_sid (%s) failed with errno=%d\n", @@ -2629,10 +2643,7 @@ static int selinux_sb_eat_lsm_opts(char *options, void **mnt_opts) return 0; free_opt: - if (*mnt_opts) { - selinux_free_mnt_opts(*mnt_opts); - *mnt_opts = NULL; - } + selinux_free_mnt_opts(*mnt_opts); return rc; } 
@@ -2683,13 +2694,13 @@ static int selinux_sb_mnt_opts_compat(struct super_block *sb, void *mnt_opts) static int selinux_sb_remount(struct super_block *sb, void *mnt_opts) { - struct selinux_mnt_opts *opts = mnt_opts; + struct selinux_mnt_opts *opts = selinux_mnt_opts(mnt_opts); struct superblock_security_struct *sbsec = selinux_superblock(sb); if (!(sbsec->flags & SE_SBINITIALIZED)) return 0; - if (!opts) + if (!opts || !opts->initialized) return 0; if (opts->fscontext_sid) { @@ -2787,9 +2798,13 @@ static int selinux_fs_context_submount(struct fs_context *fc, if (!(sbsec->flags & (FSCONTEXT_MNT|CONTEXT_MNT|DEFCONTEXT_MNT))) return 0; - opts = lsm_mnt_opts_alloc(GFP_KERNEL); - if (!opts) - return -ENOMEM; + if (!fc->security) { + fc->security = lsm_mnt_opts_alloc(GFP_KERNEL); + if (!fc->security) + return -ENOMEM; + } + opts = selinux_mnt_opts(fc->security); + opts->initialized = true; if (sbsec->flags & FSCONTEXT_MNT) opts->fscontext_sid = sbsec->sid; @@ -2797,14 +2812,14 @@ static int selinux_fs_context_submount(struct fs_context *fc, opts->context_sid = sbsec->mntpoint_sid; if (sbsec->flags & DEFCONTEXT_MNT) opts->defcontext_sid = sbsec->def_sid; - fc->security = opts; return 0; } static int selinux_fs_context_dup(struct fs_context *fc, struct fs_context *src_fc) { - const struct selinux_mnt_opts *src = src_fc->security; + const struct selinux_mnt_opts *src = selinux_mnt_opts(src_fc->security); + struct selinux_mnt_opts *dst; if (!src) return 0; @@ -2813,7 +2828,8 @@ static int selinux_fs_context_dup(struct fs_context *fc, if (!fc->security) return -ENOMEM; - memcpy(fc->security, src, sizeof(*src)); + dst = selinux_mnt_opts(fc->security); + memcpy(dst, src, sizeof(*src)); return 0; } diff --git a/security/smack/smack_lsm.c b/security/smack/smack_lsm.c index b273e94028bb..61bd3f626e7d 100644 --- a/security/smack/smack_lsm.c +++ b/security/smack/smack_lsm.c 
@@ -560,6 +560,7 @@ static int smack_sb_alloc_security(struct super_block *sb) } struct smack_mnt_opts { + bool initialized; const char *fsdefault; const char *fsfloor; const char *fshat; @@ -567,24 +568,37 @@ struct smack_mnt_opts { const char *fstransmute; }; +static inline struct smack_mnt_opts *smack_mnt_opts(void *mnt_opts) +{ + if (mnt_opts) + return mnt_opts + smack_blob_sizes.lbs_mnt_opts; + return NULL; +} + static void smack_free_mnt_opts(void *mnt_opts) { - kfree(mnt_opts); + struct smack_mnt_opts *opts; + + if (mnt_opts) { + opts = smack_mnt_opts(mnt_opts); + opts->initialized = false; + } } static int smack_add_opt(int token, const char *s, void **mnt_opts) { - struct smack_mnt_opts *opts = *mnt_opts; + struct smack_mnt_opts *opts; struct smack_known *skp; - if (!opts) { - opts = kzalloc(sizeof(struct smack_mnt_opts), GFP_KERNEL); - if (!opts) + if (!s) + return -EINVAL; + + if (!*mnt_opts) { + *mnt_opts = lsm_mnt_opts_alloc(GFP_KERNEL); + if (!*mnt_opts) return -ENOMEM; - *mnt_opts = opts; } - if (!s) - return -ENOMEM; + opts = smack_mnt_opts(*mnt_opts); skp = smk_import_entry(s, 0); if (IS_ERR(skp)) @@ -617,6 +631,7 @@ static int smack_add_opt(int token, const char *s, void **mnt_opts) opts->fstransmute = skp->smk_known; break; } + opts->initialized = true; return 0; out_opt_err: @@ -638,10 +653,12 @@ static int smack_fs_context_submount(struct fs_context *fc, struct smack_mnt_opts *ctx; struct inode_smack *isp; - ctx = lsm_mnt_opts_alloc(GFP_KERNEL); - if (!ctx) - return -ENOMEM; - fc->security = ctx; + if (!fc->security) { + fc->security = lsm_mnt_opts_alloc(GFP_KERNEL); + if (!fc->security) + return -ENOMEM; + } + ctx = smack_mnt_opts(fc->security); sbsp = smack_superblock(reference); isp = smack_inode(reference->s_root->d_inode); @@ -671,6 +688,7 @@ static int smack_fs_context_submount(struct fs_context *fc, return -ENOMEM; } } + ctx->initialized = true; return 0; } 
@@ -684,16 +702,21 @@ static int smack_fs_context_submount(struct fs_context *fc, static int smack_fs_context_dup(struct fs_context *fc, struct fs_context *src_fc) { - struct smack_mnt_opts *dst, *src = src_fc->security; + struct smack_mnt_opts *src; + struct smack_mnt_opts *dst; + src = smack_mnt_opts(src_fc->security); if (!src) return 0; - fc->security = lsm_mnt_opts_alloc(GFP_KERNEL); - if (!fc->security) - return -ENOMEM; + if (!fc->security) { + fc->security = lsm_mnt_opts_alloc(GFP_KERNEL); + if (!fc->security) + return -ENOMEM; + } - dst = fc->security; + dst = smack_mnt_opts(fc->security); + dst->initialized = src->initialized; dst->fsdefault = src->fsdefault; dst->fsfloor = src->fsfloor; dst->fshat = src->fshat; @@ -803,7 +826,7 @@ static int smack_set_mnt_opts(struct super_block *sb, struct superblock_smack *sp = smack_superblock(sb); struct inode_smack *isp; struct smack_known *skp; - struct smack_mnt_opts *opts = mnt_opts; + struct smack_mnt_opts *opts = smack_mnt_opts(mnt_opts); bool transmute = false; if (sp->smk_flags & SMK_SB_INITIALIZED) 
@@ -836,7 +859,7 @@ static int smack_set_mnt_opts(struct super_block *sb, sp->smk_flags |= SMK_SB_INITIALIZED; - if (opts) { + if (opts && opts->initialized) { if (opts->fsdefault) { skp = smk_import_entry(opts->fsdefault, 0); if (IS_ERR(skp))
From patchwork Fri Dec 15 22:16:32 2023 X-Patchwork-Submitter: Casey Schaufler X-Patchwork-Id: 13495171 X-Patchwork-Delegate: paul@paul-moore.com
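Review bot: The security_fs_context_parse_param hunk changes the hook's semantics beyond the blob move, and the commit message does not say so. The old loop let every module see the parameter, kept going on 0 and -ENOPARAM, and reported 0 if any module accepted it; the new loop returns on the first result that is not -ENOPARAM, including 0, so a second stacked module that recognizes the same parameter is never called. If a mount option may be claimed by only one module that should be stated, otherwise keep iterating on 0 and return early only on a real error.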
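Review bot: Possible leak in the selinux_sb_eat_lsm_opts hunk: the free_opt path previously freed the options and set *mnt_opts to NULL, but with kfree moved into security_free_mnt_opts it now calls selinux_free_mnt_opts, which only clears the initialized flag, and returns with *mnt_opts still pointing at the allocation. Unless every caller releases the options through security_free_mnt_opts on failure, the blob is lost and callers that test *mnt_opts for NULL still see options present; releasing through security_free_mnt_opts(mnt_opts) in that path, or documenting that the caller owns the release, would settle it.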
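Review bot: In the selinux_add_opt hunk "opts->initialized = true;" is set before security_context_str_to_sid runs, so a failed conversion leaves the blob flagged as holding SELinux options although no SID was stored. The later "!opts->initialized" tests still behave, but moving the assignment after the successful conversion (or next to the dst_sid store) makes the flag mean what its name says.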
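Review bot: The smack_add_opt hunk changes the errno for a missing option value from -ENOMEM to -EINVAL and moves the "!s" test ahead of the allocation. -EINVAL is the right code and checking before allocating is better, but it is a user-visible change unrelated to the blob move and deserves a line in the commit message.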
From: Casey Schaufler
To: casey@schaufler-ca.com, paul@paul-moore.com, linux-security-module@vger.kernel.org
Cc: jmorris@namei.org, serge@hallyn.com, keescook@chromium.org, john.johansen@canonical.com, penguin-kernel@i-love.sakura.ne.jp, stephen.smalley.work@gmail.com, linux-kernel@vger.kernel.org, mic@digikod.net
Subject: [PATCH v39 38/42] LSM: Correct handling of ENOSYS in inode_setxattr
Date: Fri, 15 Dec 2023 14:16:32 -0800
Message-ID: <20231215221636.105680-39-casey@schaufler-ca.com>
X-Mailer: git-send-email 2.43.0
In-Reply-To: <20231215221636.105680-1-casey@schaufler-ca.com>
References: <20231215221636.105680-1-casey@schaufler-ca.com>
X-Mailing-List: linux-security-module@vger.kernel.org

The usual "bail on fail" behavior of LSM hooks doesn't work for security_inode_setxattr(). Modules are allowed to return -ENOSYS if the attribute specified isn't one they manage. Fix the code to accommodate this unusual case. This requires changes to the hooks in SELinux and Smack.

Signed-off-by: Casey Schaufler
---
security/security.c | 29 +++++++++++++++--------------
security/selinux/hooks.c | 7 ++-----
security/smack/smack_lsm.c | 10 +++++-----
3 files changed, 22 insertions(+), 24 deletions(-)

diff --git a/security/security.c b/security/security.c
index 64cdf0e09832..b1a849e8589c 100644
--- a/security/security.c
+++ b/security/security.c
@@ -2346,24 +2346,25 @@ int security_inode_setxattr(struct mnt_idmap *idmap, struct dentry *dentry, const char *name, const void *value, size_t size, int flags) { - int ret; + struct security_hook_list *hp; + int rc = -ENOSYS; if (unlikely(IS_PRIVATE(d_backing_inode(dentry)))) return 0; - /* - * SELinux and Smack integrate the cap call, - * so assume that all LSMs supplying this call do so. - */ - ret = call_int_hook(inode_setxattr, 1, idmap, dentry, name, value, - size, flags); - if (ret == 1) - ret = cap_inode_setxattr(dentry, name, value, size, flags); - if (ret) - return ret; - ret = ima_inode_setxattr(dentry, name, value, size); - if (ret) - return ret; + hlist_for_each_entry(hp, &security_hook_heads.inode_setxattr, list) { + rc = hp->hook.inode_setxattr(idmap, dentry, name, value, size, + flags); + if (rc != -ENOSYS) + break; + } + if (rc == -ENOSYS) + rc = cap_inode_setxattr(dentry, name, value, size, flags); + if (rc) + return rc; + rc = ima_inode_setxattr(dentry, name, value, size); + if (rc) + return rc; return evm_inode_setxattr(idmap, dentry, name, value, size); } diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c index 46dee63eec12..4ac4b536c568 100644 --- a/security/selinux/hooks.c +++ b/security/selinux/hooks.c @@ -3207,13 +3207,10 @@ static int selinux_inode_setxattr(struct mnt_idmap *idmap, int rc = 0; if (strcmp(name, XATTR_NAME_SELINUX)) { - rc = cap_inode_setxattr(dentry, name, value, size, flags); - if (rc) - return rc; - /* Not an attribute we recognize, so just check the ordinary setattr permission. */ - return dentry_has_perm(current_cred(), dentry, FILE__SETATTR); + rc = dentry_has_perm(current_cred(), dentry, FILE__SETATTR); + return rc ? rc : -ENOSYS; } if (!selinux_initialized()) diff --git a/security/smack/smack_lsm.c b/security/smack/smack_lsm.c index 61bd3f626e7d..02b9aa200ad4 100644 --- a/security/smack/smack_lsm.c +++ b/security/smack/smack_lsm.c 
@@ -1340,7 +1340,7 @@ static int smack_inode_setxattr(struct mnt_idmap *idmap, strncmp(value, TRANS_TRUE, TRANS_TRUE_SIZE) != 0) rc = -EINVAL; } else - rc = cap_inode_setxattr(dentry, name, value, size, flags); + rc = -ENOSYS; if (check_priv && !smack_privileged(CAP_MAC_ADMIN)) rc = -EPERM; 
@@ -1354,11 +1354,11 @@ static int smack_inode_setxattr(struct mnt_idmap *idmap, rc = -EINVAL; } - smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_DENTRY); - smk_ad_setfield_u_fs_path_dentry(&ad, dentry); - if (rc == 0) { - rc = smk_curacc(smk_of_inode(d_backing_inode(dentry)), MAY_WRITE, &ad); + smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_DENTRY); + smk_ad_setfield_u_fs_path_dentry(&ad, dentry); + rc = smk_curacc(smk_of_inode(d_backing_inode(dentry)), + MAY_WRITE, &ad); rc = smk_bu_inode(d_backing_inode(dentry), MAY_WRITE, rc); }
From patchwork Fri Dec 15 22:16:33 2023 X-Patchwork-Submitter: Casey Schaufler X-Patchwork-Id: 13495172 X-Patchwork-Delegate: paul@paul-moore.com
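Review bot: The new loop in the security_inode_setxattr hunk breaks on the first return that is not -ENOSYS, and 0 is such a return, so once one module claims an attribute no later module is consulted. call_int_hook behaved differently: a 0 from one module let the next module run its own check and only a non-zero result ended the walk. With SELinux and Smack both registered, a write to the SELinux attribute now bypasses Smack's hook entirely, which is a change in what is enforced, not only in how -ENOSYS is handled. If that is intended the commit message should say so; if not, treat 0 as "continue" and break only on an error.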
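Review bot: The selinux_inode_setxattr hunk reverses the order of the two checks for attributes SELinux does not own: dentry_has_perm now runs in the hook and cap_inode_setxattr runs afterwards in the infrastructure, where before the capability check came first and short-circuited the permission check. The allow/deny result is the same, but a FILE__SETATTR denial is now audited in cases where the capability check would have rejected the call first; worth a sentence if audit volume matters to anyone.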
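Review bot: The second smack_inode_setxattr hunk drops the "if (rc == 0) {" guard and re-indents the audit setup and smk_curacc call, but the statement that now opens the enclosing block lies between the two hunks and is not shown. A reviewer therefore cannot see under which condition Smack still applies its MAY_WRITE check, or whether the new "rc = -ENOSYS" for non-Smack attributes reaches that check at all; if it does not, Smack stops checking write access on foreign attributes, which the message does not mention. A few more lines of context, or an explicit statement in the commit message, would make the intended ordering reviewable.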
From: Casey Schaufler To: casey@schaufler-ca.com, paul@paul-moore.com, linux-security-module@vger.kernel.org Cc: jmorris@namei.org, serge@hallyn.com, keescook@chromium.org, john.johansen@canonical.com, penguin-kernel@i-love.sakura.ne.jp, stephen.smalley.work@gmail.com, linux-kernel@vger.kernel.org, mic@digikod.net Subject: [PATCH v39 39/42] LSM: Remove lsmblob scaffolding Date: Fri, 15 Dec 2023 14:16:33 -0800 Message-ID: <20231215221636.105680-40-casey@schaufler-ca.com> X-Mailer: git-send-email 2.43.0 In-Reply-To: <20231215221636.105680-1-casey@schaufler-ca.com> References: <20231215221636.105680-1-casey@schaufler-ca.com> Precedence: bulk X-Mailing-List: linux-security-module@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Remove the scaffold member from the lsmblob. Remove the remaining places it is being set. Signed-off-by: Casey Schaufler --- include/linux/security.h | 6 ------ security/apparmor/audit.c | 6 +----- security/apparmor/lsm.c | 4 ---- security/apparmor/secid.c | 6 +----- security/selinux/hooks.c | 14 -------------- security/selinux/ss/services.c | 4 ---- security/smack/smack_lsm.c | 33 ++++----------------------------- 7 files changed, 6 insertions(+), 67 deletions(-) diff --git a/include/linux/security.h b/include/linux/security.h index 529671a89ce0..f7727bf767e5 100644 --- a/include/linux/security.h +++ b/include/linux/security.h @@ -143,11 +143,6 @@ enum lockdown_reason { LOCKDOWN_CONFIDENTIALITY_MAX, }; -/* stacking scaffolding */ -struct lsmblob_scaffold { - u32 secid; -}; - /* * A "security context" is the text representation of * the information used by LSMs. @@ -168,7 +163,6 @@ struct lsmblob { struct lsmblob_smack smack; struct lsmblob_apparmor apparmor; struct lsmblob_bpf bpf; - struct lsmblob_scaffold scaffold; }; extern const char *const lockdown_reasons[LOCKDOWN_CONFIDENTIALITY_MAX+1]; diff --git a/security/apparmor/audit.c b/security/apparmor/audit.c index 72c414d00ba6..d51ab2f1284f 100644 
--- a/security/apparmor/audit.c +++ b/security/apparmor/audit.c @@ -279,11 +279,7 @@ int aa_audit_rule_match(struct lsmblob *blob, u32 field, u32 op, void *vrule, if (lsmid != LSM_ID_UNDEF || lsmid != LSM_ID_APPARMOR) return 0; - /* stacking scaffolding */ - if (!blob->apparmor.label && blob->scaffold.secid) - label = aa_secid_to_label(blob->scaffold.secid); - else - label = blob->apparmor.label; + label = blob->apparmor.label; if (!label) return -ENOENT; diff --git a/security/apparmor/lsm.c b/security/apparmor/lsm.c index d47816e91bd3..c31d5c008b14 100644 --- a/security/apparmor/lsm.c +++ b/security/apparmor/lsm.c @@ -984,8 +984,6 @@ static void apparmor_current_getlsmblob_subj(struct lsmblob *blob) struct aa_label *label = __begin_current_label_crit_section(); blob->apparmor.label = label; - /* stacking scaffolding */ - blob->scaffold.secid = label->secid; __end_current_label_crit_section(label); } @@ -995,8 +993,6 @@ static void apparmor_task_getlsmblob_obj(struct task_struct *p, struct aa_label *label = aa_get_task_label(p); blob->apparmor.label = label; - /* stacking scaffolding */ - blob->scaffold.secid = label->secid; aa_put_label(label); } diff --git a/security/apparmor/secid.c b/security/apparmor/secid.c index 1df08372bf1b..e5cfaedf1a9f 100644 --- a/security/apparmor/secid.c +++ b/security/apparmor/secid.c @@ -102,11 +102,7 @@ int apparmor_lsmblob_to_secctx(struct lsmblob *blob, struct lsmcontext *cp) AA_BUG(!seclen); - /* stacking scaffolding */ - if (!blob->apparmor.label && blob->scaffold.secid) - label = aa_secid_to_label(blob->scaffold.secid); - else - label = blob->apparmor.label; + label = blob->apparmor.label; if (!label) return -EINVAL; diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c index 4ac4b536c568..113ee3df9b5a 100644 --- a/security/selinux/hooks.c +++ b/security/selinux/hooks.c 
@@ -3520,8 +3520,6 @@ static void selinux_inode_getlsmblob(struct inode *inode, struct lsmblob *blob) struct inode_security_struct *isec = inode_security_novalidate(inode); blob->selinux.secid = isec->sid; - /* stacking scaffolding */ - blob->scaffold.secid = isec->sid; } static int selinux_inode_copy_up(struct dentry *src, struct cred **new) @@ -4014,8 +4012,6 @@ static void selinux_cred_getsecid(const struct cred *c, u32 *secid) static void selinux_cred_getlsmblob(const struct cred *c, struct lsmblob *blob) { blob->selinux.secid = cred_sid(c); - /* stacking scaffolding */ - blob->scaffold.secid = blob->selinux.secid; } /* @@ -4156,16 +4152,12 @@ static int selinux_task_getsid(struct task_struct *p) static void selinux_current_getlsmblob_subj(struct lsmblob *blob) { blob->selinux.secid = current_sid(); - /* stacking scaffolding */ - blob->scaffold.secid = blob->selinux.secid; } static void selinux_task_getlsmblob_obj(struct task_struct *p, struct lsmblob *blob) { blob->selinux.secid = task_sid_obj(p); - /* stacking scaffolding */ - blob->scaffold.secid = blob->selinux.secid; } static int selinux_task_setnice(struct task_struct *p, int nice) @@ -6305,8 +6297,6 @@ static void selinux_ipc_getlsmblob(struct kern_ipc_perm *ipcp, { struct ipc_security_struct *isec = selinux_ipc(ipcp); blob->selinux.secid = isec->sid; - /* stacking scaffolding */ - blob->scaffold.secid = isec->sid; } static void selinux_d_instantiate(struct dentry *dentry, struct inode *inode) @@ -6609,10 +6599,6 @@ static int selinux_lsmblob_to_secctx(struct lsmblob *blob, u32 seclen; u32 ret; - /* stacking scaffolding */ - if (!secid) - secid = blob->scaffold.secid; - if (cp) { cp->id = LSM_ID_SELINUX; ret = security_sid_to_context(secid, &cp->context, &cp->len); diff --git a/security/selinux/ss/services.c b/security/selinux/ss/services.c index eef6655f7730..48211352345e 100644 --- a/security/selinux/ss/services.c +++ b/security/selinux/ss/services.c 
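Review bot: in the selinux_lsmblob_to_secctx() hunk, removing the `if (!secid) secid = blob->scaffold.secid;` fallback means a `secid` of 0 (SECSID_NULL) now goes straight into security_sid_to_context(). If a blob filled in by another LSM can reach this hook, add an early `if (!secid) return -EINVAL;` (or have the caller check which LSM owns the blob) rather than asking the sidtab to resolve SECSID_NULL.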
@@ -3656,10 +3656,6 @@ int selinux_audit_rule_match(struct lsmblob *blob, u32 field, u32 op, goto out; } - /* stacking scaffolding */ - if (!blob->selinux.secid && blob->scaffold.secid) - blob->selinux.secid = blob->scaffold.secid; - ctxt = sidtab_search(policy->sidtab, blob->selinux.secid); if (unlikely(!ctxt)) { WARN_ONCE(1, "selinux_audit_rule_match: unrecognized SID %d\n", diff --git a/security/smack/smack_lsm.c b/security/smack/smack_lsm.c index 02b9aa200ad4..a486ac42caac 100644 --- a/security/smack/smack_lsm.c +++ b/security/smack/smack_lsm.c @@ -1644,11 +1644,7 @@ static int smack_inode_listsecurity(struct inode *inode, char *buffer, */ static void smack_inode_getlsmblob(struct inode *inode, struct lsmblob *blob) { - struct smack_known *skp = smk_of_inode(inode); - - blob->smack.skp = skp; - /* stacking scaffolding */ - blob->scaffold.secid = skp->smk_secid; + blob->smack.skp = smk_of_inode(inode); } /* @@ -2156,8 +2152,6 @@ static void smack_cred_getlsmblob(const struct cred *cred, { rcu_read_lock(); blob->smack.skp = smk_of_task(smack_cred(cred)); - /* stacking scaffolding */ - blob->scaffold.secid = blob->smack.skp->smk_secid; rcu_read_unlock(); } @@ -2259,11 +2253,7 @@ static int smack_task_getsid(struct task_struct *p) */ static void smack_current_getlsmblob_subj(struct lsmblob *blob) { - struct smack_known *skp = smk_of_current(); - - blob->smack.skp = skp; - /* stacking scaffolding */ - blob->scaffold.secid = skp->smk_secid; + blob->smack.skp = smk_of_current(); } /** @@ -2276,11 +2266,7 @@ static void smack_current_getlsmblob_subj(struct lsmblob *blob) static void smack_task_getlsmblob_obj(struct task_struct *p, struct lsmblob *blob) { - struct smack_known *skp = smk_of_task_struct_obj(p); - - blob->smack.skp = skp; - /* stacking scaffolding */ - blob->scaffold.secid = skp->smk_secid; + blob->smack.skp = smk_of_task_struct_obj(p); } /** 
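Review bot: in the selinux_audit_rule_match() hunk, dropping the scaffold fallback leaves `sidtab_search(policy->sidtab, blob->selinux.secid)` to be called with secid 0 whenever the blob was not populated by SELinux; SECSID_NULL is never in the sidtab, so the `WARN_ONCE(1, "selinux_audit_rule_match: unrecognized SID %d\n", ...)` below fires on a legitimate stacked-LSM configuration. Return 0 (no match) early when blob->selinux.secid == 0, unless a check above this hunk already rejects blobs not owned by SELinux.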
@@ -3451,11 +3437,8 @@ static void smack_ipc_getlsmblob(struct kern_ipc_perm *ipp, struct lsmblob *blob) { struct smack_known **iskpp = smack_ipc(ipp); - struct smack_known *iskp = *iskpp; - blob->smack.skp = iskp; - /* stacking scaffolding */ - blob->scaffold.secid = iskp->smk_secid; + blob->smack.skp = *iskpp; } /** @@ -4796,10 +4779,6 @@ static int smack_audit_rule_match(struct lsmblob *blob, u32 field, u32 op, if (field != AUDIT_SUBJ_USER && field != AUDIT_OBJ_USER) return 0; - /* stacking scaffolding */ - if (!skp && blob->scaffold.secid) - skp = smack_from_secid(blob->scaffold.secid); - /* * No need to do string comparisons. If a match occurs, * both pointers will point to the same smack_known 
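Review bot: in the smack_audit_rule_match() hunk, `skp` can now be NULL when the blob was not filled in by Smack (previously the scaffold secid supplied it). The pointer comparison described in the comment below is NULL-safe, but verify that nothing later in the function dereferences `skp`; an explicit `if (!skp) return 0;` next to the `field != AUDIT_SUBJ_USER && field != AUDIT_OBJ_USER` bail-out above would make the intent clear.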
@@ -4862,10 +4841,6 @@ static int smack_lsmblob_to_secctx(struct lsmblob *blob, struct lsmcontext *cp) struct smack_known *skp = blob->smack.skp; int len; - /* stacking scaffolding */ - if (!skp && blob->scaffold.secid) - skp = smack_from_secid(blob->scaffold.secid); - len = strlen(skp->smk_known); if (cp) {
From patchwork Fri Dec 15 22:16:34 2023 X-Patchwork-Submitter: Casey Schaufler X-Patchwork-Id: 13495174 X-Patchwork-Delegate: paul@paul-moore.com
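Review bot: in patch 39/42, in the smack_lsmblob_to_secctx() hunk, removing the `smack_from_secid(blob->scaffold.secid)` fallback leaves `len = strlen(skp->smk_known);` unguarded: a blob whose smack.skp is NULL now dereferences a NULL pointer. The AppArmor counterpart in the same patch returns -EINVAL on a NULL label; add `if (!skp) return -EINVAL;` before the strlen(), or document why every caller guarantees blob->smack.skp is set.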
From: Casey Schaufler To: casey@schaufler-ca.com, paul@paul-moore.com, linux-security-module@vger.kernel.org Cc: jmorris@namei.org, serge@hallyn.com, keescook@chromium.org, john.johansen@canonical.com, penguin-kernel@i-love.sakura.ne.jp, stephen.smalley.work@gmail.com, linux-kernel@vger.kernel.org, mic@digikod.net Subject: [PATCH v39 40/42] LSM: Allow reservation of netlabel Date: Fri, 15 Dec 2023 14:16:34 -0800 Message-ID: <20231215221636.105680-41-casey@schaufler-ca.com> X-Mailer: git-send-email 2.43.0 In-Reply-To: <20231215221636.105680-1-casey@schaufler-ca.com> References: <20231215221636.105680-1-casey@schaufler-ca.com> Precedence: bulk X-Mailing-List: linux-security-module@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Allow LSMs to request exclusive access to the netlabel facility. Provide mechanism for LSMs to determine if they have access to netlabel. Update the current users of netlabel, SELinux and Smack, to use and respect the exclusive use of netlabel. Signed-off-by: Casey Schaufler --- include/linux/lsm_hooks.h | 1 + security/security.c | 6 +++++ security/selinux/hooks.c | 7 +++--- security/selinux/include/netlabel.h | 5 +++++ security/selinux/netlabel.c | 4 ++-- security/smack/smack.h | 5 +++++ security/smack/smack_lsm.c | 35 +++++++++++++++++++++-------- security/smack/smackfs.c | 20 ++++++++++++++++- 8 files changed, 68 insertions(+), 15 deletions(-) diff --git a/include/linux/lsm_hooks.h b/include/linux/lsm_hooks.h index fdeffa0c8d13..da60bf163447 100644 --- a/include/linux/lsm_hooks.h +++ b/include/linux/lsm_hooks.h @@ -84,6 +84,7 @@ struct lsm_blob_sizes { int lbs_xattr_count; /* number of xattr slots in new_xattrs array */ int lbs_mnt_opts; bool lbs_secmark; /* expressed desire for secmark use */ + bool lbs_netlabel; /* expressed desire for netlabel use */ }; /** diff --git a/security/security.c b/security/security.c index b1a849e8589c..f1bff6b5b076 100644 --- a/security/security.c +++ b/security/security.c 
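Review bot: in the lsm_hooks.h hunk, the comment `/* expressed desire for netlabel use */` on lbs_netlabel undersells the semantics: the infrastructure clears the field in the LSM's own lsm_blob_sizes when another LSM already holds the reservation, so after initialization the field records the outcome, not the request. Say so in the comment, and fix the lbs_secmark comment the same way since the secmark code uses the same first-come pattern, so that a reader of selinux_netlbl_enabled()/smack_netlabel() understands why a field in an __ro_after_init structure can be false although the LSM set it to true.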
@@ -242,6 +242,12 @@ static void __init lsm_set_blob_sizes(struct lsm_blob_sizes *needed) else needed->lbs_secmark = false; } + if (needed->lbs_netlabel) { + if (!blob_sizes.lbs_netlabel) + blob_sizes.lbs_netlabel = true; + else + needed->lbs_netlabel = false; + } } /* Prepare LSM for initialization. */ diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c index 113ee3df9b5a..6da2e95ad5b7 100644 --- a/security/selinux/hooks.c +++ b/security/selinux/hooks.c @@ -182,7 +182,7 @@ static int selinux_secmark_enabled(void) static int selinux_peerlbl_enabled(void) { return (selinux_policycap_alwaysnetwork() || - netlbl_enabled() || selinux_xfrm_enabled()); + selinux_netlbl_enabled() || selinux_xfrm_enabled()); } static int selinux_netcache_avc_callback(u32 event) @@ -5673,7 +5673,7 @@ static unsigned int selinux_ip_forward(void *priv, struct sk_buff *skb, SECCLASS_PACKET, PACKET__FORWARD_IN, &ad)) return NF_DROP; - if (netlbl_enabled()) + if (selinux_netlbl_enabled()) /* we do this in the FORWARD path and not the POST_ROUTING * path because we want to make sure we apply the necessary * labeling before IPsec is applied so we can leverage AH @@ -5690,7 +5690,7 @@ static unsigned int selinux_ip_output(void *priv, struct sk_buff *skb, struct sock *sk; u32 sid; - if (!netlbl_enabled()) + if (!selinux_netlbl_enabled()) return NF_ACCEPT; /* we do this in the LOCAL_OUT path and not the POST_ROUTING path @@ -6965,6 +6965,7 @@ struct lsm_blob_sizes selinux_blob_sizes __ro_after_init = { .lbs_xattr_count = SELINUX_INODE_INIT_XATTRS, .lbs_mnt_opts = sizeof(struct selinux_mnt_opts), .lbs_secmark = true, + .lbs_netlabel = true, }; #ifdef CONFIG_PERF_EVENTS diff --git a/security/selinux/include/netlabel.h b/security/selinux/include/netlabel.h index 4d0456d3d459..189803009d04 100644 --- a/security/selinux/include/netlabel.h +++ b/security/selinux/include/netlabel.h 
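Review bot: in the lsm_set_blob_sizes() hunk, the LSM that loses the netlabel reservation (`needed->lbs_netlabel = false;`) is never told, and neither is the administrator: in a configuration where SELinux initializes first, Smack silently stops labeling CIPSO and unlabeled traffic and its smackfs netlabel files start returning -EINVAL. Log the outcome (a pr_info naming the LSM whose request was refused, printed where the name is known) and state in the commit message that initialization order, i.e. the lsm= boot parameter or CONFIG_LSM, decides the owner.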
@@ -147,4 +147,9 @@ static inline int selinux_netlbl_socket_connect_locked(struct sock *sk, } #endif /* CONFIG_NETLABEL */ +static inline bool selinux_netlbl_enabled(void) +{ + return selinux_blob_sizes.lbs_netlabel && netlbl_enabled(); +} + #endif diff --git a/security/selinux/netlabel.c b/security/selinux/netlabel.c index e8832726bd86..1242296b5fe1 100644 --- a/security/selinux/netlabel.c +++ b/security/selinux/netlabel.c @@ -198,7 +198,7 @@ int selinux_netlbl_skbuff_getsid(struct sk_buff *skb, int rc; struct netlbl_lsm_secattr secattr; - if (!netlbl_enabled()) { + if (!selinux_netlbl_enabled()) { *type = NETLBL_NLTYPE_NONE; *sid = SECSID_NULL; return 0; @@ -440,7 +440,7 @@ int selinux_netlbl_sock_rcv_skb(struct sk_security_struct *sksec, u32 perm; struct netlbl_lsm_secattr secattr; - if (!netlbl_enabled()) + if (!selinux_netlbl_enabled()) return 0; netlbl_secattr_init(&secattr); diff --git a/security/smack/smack.h b/security/smack/smack.h index 85ec8141fe70..2191f8304e4f 100644 --- a/security/smack/smack.h +++ b/security/smack/smack.h @@ -367,6 +367,11 @@ static inline struct smack_known **smack_key(const struct key *key) } #endif /* CONFIG_KEYS */ +static inline bool smack_netlabel(void) +{ + return smack_blob_sizes.lbs_netlabel; +} + /* * Is the directory transmuting? */ diff --git a/security/smack/smack_lsm.c b/security/smack/smack_lsm.c index a486ac42caac..9f5a37a5b47e 100644 --- a/security/smack/smack_lsm.c +++ b/security/smack/smack_lsm.c @@ -2584,6 +2584,9 @@ static int smack_netlbl_add(struct sock *sk) struct smack_known *skp = ssp->smk_out; int rc; + if (!smack_netlabel()) + return 0; + local_bh_disable(); bh_lock_sock_nested(sk); @@ -2614,6 +2617,9 @@ static void smack_netlbl_delete(struct sock *sk) { struct socket_smack *ssp = smack_sock(sk); + if (!smack_netlabel()) + return; + /* * Take the label off the socket if one is set. */ 
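Review bot: in the netlabel.h hunk, selinux_netlbl_enabled() sits after `#endif /* CONFIG_NETLABEL */` and so also compiles without CONFIG_NETLABEL; that works only because netlbl_enabled() has a stub in that configuration, and the hunk adds no include, so make sure the declaration of selinux_blob_sizes is visible in this header. Note also that the two helpers differ: the SELinux one also requires netlbl_enabled(), while smack_netlabel() tests only the reservation, so Smack call sites keep calling netlbl_* with the facility reserved but unavailable, as before this patch. Since smack_netlbl_delete() now returns early on `!smack_netlabel()`, callers later in this patch need not repeat that test before calling it.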
@@ -2664,7 +2670,7 @@ static int smk_ipv4_check(struct sock *sk, struct sockaddr_in *sap) /* * Clear the socket netlabel if it's set. */ - if (!rc) + if (!rc && smack_netlabel()) smack_netlbl_delete(sk); } rcu_read_unlock(); @@ -3970,6 +3976,8 @@ static struct smack_known *smack_from_secattr(struct netlbl_lsm_secattr *sap, int acat; int kcat; + if (!smack_netlabel()) + return smack_net_ambient; /* * Netlabel found it in the cache. */ @@ -4126,6 +4134,9 @@ static struct smack_known *smack_from_netlbl(const struct sock *sk, u16 family, struct socket_smack *ssp = NULL; struct smack_known *skp = NULL; + if (!smack_netlabel()) + return NULL; + netlbl_secattr_init(&secattr); if (sk) @@ -4196,7 +4207,7 @@ static int smack_socket_sock_rcv_skb(struct sock *sk, struct sk_buff *skb) rc = smk_access(skp, ssp->smk_in, MAY_WRITE, &ad); rc = smk_bu_note("IPv4 delivery", skp, ssp->smk_in, MAY_WRITE, rc); - if (rc != 0) + if (rc != 0 && smack_netlabel()) netlbl_skbuff_err(skb, family, rc, 0); break; #if IS_ENABLED(CONFIG_IPV6) @@ -4407,7 +4418,7 @@ static int smack_inet_conn_request(const struct sock *sk, struct sk_buff *skb, if (skp == NULL) { skp = smack_from_netlbl(sk, family, skb); if (skp == NULL) - skp = &smack_known_huh; + skp = smack_net_ambient; } #ifdef CONFIG_AUDIT @@ -4428,8 +4439,11 @@ static int smack_inet_conn_request(const struct sock *sk, struct sk_buff *skb, /* * Save the peer's label in the request_sock so we can later setup * smk_packet in the child socket so that SO_PEERCRED can report it. + * + * Only do this if Smack is using netlabel. */ - req->peer_secid = skp->smk_secid; + if (smack_netlabel()) + req->peer_secid = skp->smk_secid; /* * We need to decide if we want to label the incoming connection here 
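Review bot: in the smack_inet_conn_request() hunk, replacing `skp = &smack_known_huh;` with `skp = smack_net_ambient;` changes behaviour even when Smack owns netlabel: an incoming connection whose packet carries no label Smack recognizes used to get the '?' label and now gets the ambient label, which is a real access-control difference for the child socket. Either restrict the change to the `!smack_netlabel()` case (smack_from_netlbl() already returns NULL there, so the fallback could be `smack_netlabel() ? &smack_known_huh : smack_net_ambient`) or call the change out in the commit message.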
@@ -4442,10 +4456,12 @@ static int smack_inet_conn_request(const struct sock *sk, struct sk_buff *skb, hskp = smack_ipv4host_label(&addr); rcu_read_unlock(); - if (hskp == NULL) - rc = netlbl_req_setattr(req, &skp->smk_netlabel); - else - netlbl_req_delattr(req); + if (smack_netlabel()) { + if (hskp == NULL) + rc = netlbl_req_setattr(req, &skp->smk_netlabel); + else + netlbl_req_delattr(req); + } return rc; } @@ -4463,7 +4479,7 @@ static void smack_inet_csk_clone(struct sock *sk, struct socket_smack *ssp = smack_sock(sk); struct smack_known *skp; - if (req->peer_secid != 0) { + if (smack_netlabel() && req->peer_secid != 0) { skp = smack_from_secid(req->peer_secid); ssp->smk_packet = skp; } else @@ -5062,6 +5078,7 @@ struct lsm_blob_sizes smack_blob_sizes __ro_after_init = { .lbs_xattr_count = SMACK_INODE_INIT_XATTRS, .lbs_mnt_opts = sizeof(struct smack_mnt_opts), .lbs_secmark = true, + .lbs_netlabel = true, }; static const struct lsm_id smack_lsmid = { diff --git a/security/smack/smackfs.c b/security/smack/smackfs.c index 878fe44b662d..f8c0ea18b2fe 100644 --- a/security/smack/smackfs.c +++ b/security/smack/smackfs.c @@ -77,7 +77,7 @@ static DEFINE_MUTEX(smk_net6addr_lock); * If it isn't somehow marked, use this. * It can be reset via smackfs/ambient */ -struct smack_known *smack_net_ambient; +struct smack_known *smack_net_ambient = &smack_known_floor; /* * This is the level in a CIPSO header that indicates a @@ -685,6 +685,9 @@ static void smk_cipso_doi(void) struct cipso_v4_doi *doip; struct netlbl_audit nai; + if (!smack_netlabel()) + return; + smk_netlabel_audit_set(&nai); rc = netlbl_cfg_map_del(NULL, PF_INET, NULL, NULL, &nai); @@ -725,6 +728,9 @@ static void smk_unlbl_ambient(char *oldambient) int rc; struct netlbl_audit nai; + if (!smack_netlabel()) + return; + smk_netlabel_audit_set(&nai); if (oldambient != NULL) { 
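Review bot: in the smackfs.c hunk, `struct smack_known *smack_net_ambient = &smack_known_floor;` turns a variable that was assigned at init time into a statically initialized one, and the commit message says nothing about it. Since smack_from_secattr() and smack_inet_conn_request() now hand out smack_net_ambient for every unlabeled packet when Smack lacks netlabel, say why the floor label is the right default before smackfs initialization has run (or before anyone writes smackfs/ambient), and whether the previous init-time assignment still exists and agrees with it.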
@@ -848,6 +854,8 @@ static ssize_t smk_set_cipso(struct file *file, const char __user *buf, */ if (!smack_privileged(CAP_MAC_ADMIN)) return -EPERM; + if (!smack_netlabel()) + return -EINVAL; if (*ppos != 0) return -EINVAL; if (format == SMK_FIXED24_FMT && @@ -1178,6 +1186,8 @@ static ssize_t smk_write_net4addr(struct file *file, const char __user *buf, */ if (!smack_privileged(CAP_MAC_ADMIN)) return -EPERM; + if (!smack_netlabel()) + return -EINVAL; if (*ppos != 0) return -EINVAL; if (count < SMK_NETLBLADDRMIN || count > PAGE_SIZE - 1) @@ -1437,6 +1447,8 @@ static ssize_t smk_write_net6addr(struct file *file, const char __user *buf, */ if (!smack_privileged(CAP_MAC_ADMIN)) return -EPERM; + if (!smack_netlabel()) + return -EINVAL; if (*ppos != 0) return -EINVAL; if (count < SMK_NETLBLADDRMIN || count > PAGE_SIZE - 1) @@ -1608,6 +1620,8 @@ static ssize_t smk_write_doi(struct file *file, const char __user *buf, if (!smack_privileged(CAP_MAC_ADMIN)) return -EPERM; + if (!smack_netlabel()) + return -EINVAL; if (count >= sizeof(temp) || count == 0) return -EINVAL; @@ -1675,6 +1689,8 @@ static ssize_t smk_write_direct(struct file *file, const char __user *buf, if (!smack_privileged(CAP_MAC_ADMIN)) return -EPERM; + if (!smack_netlabel()) + return -EINVAL; if (count >= sizeof(temp) || count == 0) return -EINVAL; 
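Review bot: in the smk_set_cipso()/smk_write_net4addr()/smk_write_net6addr()/smk_write_doi()/smk_write_direct() hunks, returning -EINVAL when Smack does not own netlabel conflates "facility not available to this LSM" with "malformed input", and the same two-line check is pasted into each writer. Return a distinct errno such as -EOPNOTSUPP so an administrator can tell the two apart, and consider a single helper, or not creating these smackfs entries at all, when the reservation was refused.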
@@ -1753,6 +1769,8 @@ static ssize_t smk_write_mapped(struct file *file, const char __user *buf, if (!smack_privileged(CAP_MAC_ADMIN)) return -EPERM; + if (!smack_netlabel()) + return -EINVAL; if (count >= sizeof(temp) || count == 0) return -EINVAL;
From patchwork Fri Dec 15 22:16:35 2023 X-Patchwork-Submitter: Casey Schaufler X-Patchwork-Id: 13495173 X-Patchwork-Delegate: paul@paul-moore.com
From: Casey Schaufler To: casey@schaufler-ca.com, paul@paul-moore.com, linux-security-module@vger.kernel.org Cc: jmorris@namei.org, serge@hallyn.com, keescook@chromium.org, john.johansen@canonical.com, penguin-kernel@i-love.sakura.ne.jp, stephen.smalley.work@gmail.com, linux-kernel@vger.kernel.org, mic@digikod.net Subject: [PATCH v39 41/42] LSM: restrict security_cred_getsecid() to a single LSM Date: Fri, 15 Dec 2023 14:16:35 -0800 Message-ID: <20231215221636.105680-42-casey@schaufler-ca.com> X-Mailer: git-send-email 2.43.0 In-Reply-To: <20231215221636.105680-1-casey@schaufler-ca.com> References: <20231215221636.105680-1-casey@schaufler-ca.com> Precedence: bulk X-Mailing-List: linux-security-module@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 The LSM hook security_cred_getsecid() provides a single secid that is only used by the binder driver. Provide the first value available, and abandon any other hooks. Signed-off-by: Casey Schaufler --- security/security.c | 13 ++++++++++--- 1 file changed, 10 insertions(+), 3 deletions(-) diff --git a/security/security.c b/security/security.c index f1bff6b5b076..504dfc6d05fa 100644 --- a/security/security.c +++ b/security/security.c 
@@ -3157,13 +3157,20 @@ void security_transfer_creds(struct cred *new, const struct cred *old) * @c: credentials * @secid: secid value * - * Retrieve the security identifier of the cred structure @c. In case of - * failure, @secid will be set to zero. + * Retrieve the first available security identifier of the + * cred structure @c. In case of failure, @secid will be set to zero. + * Currently only used by binder. */ void security_cred_getsecid(const struct cred *c, u32 *secid) { + struct security_hook_list *hp; + + hlist_for_each_entry(hp, &security_hook_heads.cred_getsecid, list) { + hp->hook.cred_getsecid(c, secid); + return; + } + *secid = 0; - call_void_hook(cred_getsecid, c, secid); } EXPORT_SYMBOL(security_cred_getsecid);
From patchwork Fri Dec 15 22:16:36 2023 X-Patchwork-Submitter: Casey Schaufler X-Patchwork-Id: 13495175 X-Patchwork-Delegate: paul@paul-moore.com
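Review bot: in patch 41/42, in the security_cred_getsecid() hunk, `hlist_for_each_entry()` with an unconditional `return` in the body only ever runs the first registered hook, so the secid binder receives depends on LSM initialization order (the lsm= boot parameter or CONFIG_LSM); the kernel-doc's "first available" should say that explicitly, because a system stacking SELinux and Smack will see different binder behaviour depending on that order. A comment that the single-iteration loop is deliberate would also spare the next reader from "fixing" it; the `*secid = 0;` now runs only when no LSM registered the hook, which matches the documented failure case.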
From: Casey Schaufler To: casey@schaufler-ca.com, paul@paul-moore.com, linux-security-module@vger.kernel.org Cc: jmorris@namei.org, serge@hallyn.com, keescook@chromium.org, john.johansen@canonical.com, penguin-kernel@i-love.sakura.ne.jp, stephen.smalley.work@gmail.com, linux-kernel@vger.kernel.org, mic@digikod.net Subject: [PATCH v39 42/42] Smack: Remove LSM_FLAG_EXCLUSIVE Date: Fri, 15 Dec 2023 14:16:36 -0800 Message-ID: <20231215221636.105680-43-casey@schaufler-ca.com> X-Mailer: git-send-email 2.43.0 In-Reply-To: <20231215221636.105680-1-casey@schaufler-ca.com> References: <20231215221636.105680-1-casey@schaufler-ca.com> Precedence: bulk X-Mailing-List: linux-security-module@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Smack no longer has any behaviors that require LSM_FLAG_EXCLUSIVE. Signed-off-by: Casey Schaufler --- security/smack/smack_lsm.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/security/smack/smack_lsm.c b/security/smack/smack_lsm.c index 9f5a37a5b47e..7bf2a3fabf33 100644 --- a/security/smack/smack_lsm.c +++ b/security/smack/smack_lsm.c @@ -5325,7 +5325,7 @@ static __init int smack_init(void) */ DEFINE_LSM(smack) = { .name = "smack", - .flags = LSM_FLAG_LEGACY_MAJOR | LSM_FLAG_EXCLUSIVE, + .flags = LSM_FLAG_LEGACY_MAJOR, .blobs = &smack_blob_sizes, .init = smack_init, };
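Review bot: in the smack_init() hunk, the commit message's "no longer has any behaviors that require LSM_FLAG_EXCLUSIVE" would be easier to review if it listed them: the secmark and netlabel reservations and the single-LSM security_cred_getsecid() from the preceding patches are what make dropping the flag safe, so this patch must not be applied ahead of them or backported alone, and the commit message is the place to record that dependency.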