From patchwork Fri Mar 15 17:31:01 2024
X-Patchwork-Submitter: Christian Göttsche
X-Patchwork-Id: 13593812
X-Patchwork-Delegate: paul@paul-moore.com
From: Christian Göttsche
To: selinux@vger.kernel.org
Cc: Paul Moore, Stephen Smalley, Ondrej Mosnacek, linux-kernel@vger.kernel.org
Subject: [PATCH 1/2] selinux: avoid identifier using reserved name
Date: Fri, 15 Mar 2024 18:31:01 +0100
Message-ID: <20240315173105.636749-2-cgzones@googlemail.com>
In-Reply-To: <20240315173105.636749-1-cgzones@googlemail.com>
References: <20240315173105.636749-1-cgzones@googlemail.com>

Avoid using an identifier starting with double underscores, which signals a reserved identifier.

Signed-off-by: Christian Göttsche
---
security/selinux/hooks.c | 18 +++++++++--------- 1 file changed, 9 insertions(+), 9 deletions(-)

diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c index a0fde0641f77..f9a61ff64b83 100644 --- a/security/selinux/hooks.c +++ b/security/selinux/hooks.c @@ -6347,16 +6347,16 @@ static void selinux_d_instantiate(struct dentry *dentry, struct inode *inode) static int selinux_lsm_getattr(unsigned int attr, struct task_struct *p, char **value) { - const struct task_security_struct *__tsec; + const struct task_security_struct *tsec; u32 sid; int error; unsigned len; rcu_read_lock(); - __tsec = selinux_cred(__task_cred(p)); + tsec = selinux_cred(__task_cred(p)); if (current != p) { - error = avc_has_perm(current_sid(), __tsec->sid, + error = avc_has_perm(current_sid(), tsec->sid, SECCLASS_PROCESS, PROCESS__GETATTR, NULL); if (error) goto bad;
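Review bot: the rename in selinux_lsm_getattr() is only complete if no use of `__tsec` survives beyond the visible context (the function continues past `goto bad`), so a build of the patched file is the check to do before merging; any leftover would fail to compile. `__task_cred(p)` correctly keeps its leading underscores, since that is the kernel's own RCU-protected accessor rather than a local identifier, and the surrounding rcu_read_lock() is untouched, so `tsec` is valid only inside that critical section, as before. The commit message could cite the rule it relies on (C11 7.1.3: identifiers beginning with an underscore followed by another underscore or an uppercase letter are reserved for any use), which makes the motivation self-explanatory to future readers.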
@@ -6364,22 +6364,22 @@ static int selinux_lsm_getattr(unsigned int attr, struct task_struct *p, switch (attr) { case LSM_ATTR_CURRENT: - sid = __tsec->sid; + sid = tsec->sid; break; case LSM_ATTR_PREV: - sid = __tsec->osid; + sid = tsec->osid; break; case LSM_ATTR_EXEC: - sid = __tsec->exec_sid; + sid = tsec->exec_sid; break; case LSM_ATTR_FSCREATE: - sid = __tsec->create_sid; + sid = tsec->create_sid; break; case LSM_ATTR_KEYCREATE: - sid = __tsec->keycreate_sid; + sid = tsec->keycreate_sid; break; case LSM_ATTR_SOCKCREATE: - sid = __tsec->sockcreate_sid; + sid = tsec->sockcreate_sid; break; default: error = -EOPNOTSUPP;

From patchwork Fri Mar 15 17:31:00 2024
X-Patchwork-Submitter: Christian Göttsche
X-Patchwork-Id: 13593813
X-Patchwork-Delegate: paul@paul-moore.com
From: Christian Göttsche
To: selinux@vger.kernel.org
Cc: Paul Moore, Stephen Smalley, Ondrej Mosnacek, linux-kernel@vger.kernel.org
Subject: [PATCH 2/2] selinux: make more use of current_sid()
Date: Fri, 15 Mar 2024 18:31:00 +0100
Message-ID: <20240315173105.636749-1-cgzones@googlemail.com>

Use the internal helper current_sid() where applicable.

Signed-off-by: Christian Göttsche
---
security/selinux/hooks.c | 22 ++++++---------------- security/selinux/xfrm.c | 7 ++----- 2 files changed, 8 insertions(+), 21 deletions(-)

diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c index f9a61ff64b83..9c41dc9eb0a0 100644 --- a/security/selinux/hooks.c +++ b/security/selinux/hooks.c
@@ -2961,7 +2961,7 @@ static int selinux_inode_init_security_anon(struct inode *inode, const struct qstr *name, const struct inode *context_inode) { - const struct task_security_struct *tsec = selinux_cred(current_cred()); + u32 sid = current_sid(); struct common_audit_data ad; struct inode_security_struct *isec; int rc; @@ -2990,7 +2990,7 @@ static int selinux_inode_init_security_anon(struct inode *inode, } else { isec->sclass = SECCLASS_ANON_INODE; rc = security_transition_sid( - tsec->sid, tsec->sid, + sid, sid, isec->sclass, name, &isec->sid); if (rc) return rc; @@ -3005,7 +3005,7 @@ static int selinux_inode_init_security_anon(struct inode *inode, ad.type = LSM_AUDIT_DATA_ANONINODE; ad.u.anonclass = name ? (const char *)name->name : "?"; - return avc_has_perm(tsec->sid, + return avc_has_perm(sid, isec->sid, isec->sclass, FILE__CREATE, @@ -3063,14 +3063,12 @@ static int selinux_inode_readlink(struct dentry *dentry) static int selinux_inode_follow_link(struct dentry *dentry, struct inode *inode, bool rcu) { - const struct cred *cred = current_cred(); struct common_audit_data ad; struct inode_security_struct *isec; - u32 sid; + u32 sid = current_sid(); ad.type = LSM_AUDIT_DATA_DENTRY; ad.u.dentry = dentry; - sid = cred_sid(cred); isec = inode_security_rcu(inode, rcu); if (IS_ERR(isec)) return PTR_ERR(isec); @@ -3094,12 +3092,11 @@ static noinline int audit_inode_permission(struct inode *inode, static int selinux_inode_permission(struct inode *inode, int mask) { - const struct cred *cred = current_cred(); u32 perms; bool from_access; bool no_block = mask & MAY_NOT_BLOCK; struct inode_security_struct *isec; - u32 sid; + u32 sid = current_sid(); struct av_decision avd; int rc, rc2; u32 audited, denied; @@ -3116,7 +3113,6 @@ static int selinux_inode_permission(struct inode *inode, int mask) perms = file_mask_to_av(inode->i_mode, mask); - sid = cred_sid(cred); isec = inode_security_rcu(inode, no_block); if (IS_ERR(isec)) return PTR_ERR(isec); 
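Review bot: in selinux_inode_permission() the SID lookup moves from `sid = cred_sid(cred);` (which ran after `perms = file_mask_to_av(inode->i_mode, mask);`) up into the declaration `u32 sid = current_sid();`, so current_sid() is now evaluated before whatever sits in the unshown lines 3106-3115 between the two hunks; if an early return lives there, that path now performs a lookup it previously skipped. The cost is a few pointer dereferences and there are no side effects, so it is acceptable for a cleanup, but the commit message should state "No functional change intended" and mention that the evaluation point moved in this hot path. The hunks in selinux_inode_init_security_anon() and selinux_inode_follow_link() are straight substitutions: the patch relies on current_sid() yielding the same value as selinux_cred(current_cred())->sid and cred_sid(current_cred()) (the definition of that objsec.h helper), and no later use of the removed `tsec` or `cred` locals is visible in the context, which a compile of the patched file confirms.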
@@ -5563,13 +5559,7 @@ static void selinux_inet_conn_established(struct sock *sk, struct sk_buff *skb) static int selinux_secmark_relabel_packet(u32 sid) { - const struct task_security_struct *tsec; - u32 tsid; - - tsec = selinux_cred(current_cred()); - tsid = tsec->sid; - - return avc_has_perm(tsid, sid, SECCLASS_PACKET, PACKET__RELABELTO, + return avc_has_perm(current_sid(), sid, SECCLASS_PACKET, PACKET__RELABELTO, NULL); } diff --git a/security/selinux/xfrm.c b/security/selinux/xfrm.c index 95fcd2d3433e..90ec4ef1b082 100644 --- a/security/selinux/xfrm.c +++ b/security/selinux/xfrm.c @@ -76,7 +76,6 @@ static int selinux_xfrm_alloc_user(struct xfrm_sec_ctx **ctxp, gfp_t gfp) { int rc; - const struct task_security_struct *tsec = selinux_cred(current_cred()); struct xfrm_sec_ctx *ctx = NULL; u32 str_len; @@ -103,7 +102,7 @@ static int selinux_xfrm_alloc_user(struct xfrm_sec_ctx **ctxp, if (rc) goto err; - rc = avc_has_perm(tsec->sid, ctx->ctx_sid, + rc = avc_has_perm(current_sid(), ctx->ctx_sid, SECCLASS_ASSOCIATION, ASSOCIATION__SETCONTEXT, NULL); if (rc) goto err; @@ -134,12 +133,10 @@ static void selinux_xfrm_free(struct xfrm_sec_ctx *ctx) */ static int selinux_xfrm_delete(struct xfrm_sec_ctx *ctx) { - const struct task_security_struct *tsec = selinux_cred(current_cred()); - if (!ctx) return 0; - return avc_has_perm(tsec->sid, ctx->ctx_sid, + return avc_has_perm(current_sid(), ctx->ctx_sid, SECCLASS_ASSOCIATION, ASSOCIATION__SETCONTEXT, NULL); }
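Review bot: in selinux_secmark_relabel_packet() the rewritten call leaves `NULL);` alone on the continuation line after a now much longer first line; reflowing the arguments, e.g. `return avc_has_perm(current_sid(), sid, SECCLASS_PACKET,` followed by `PACKET__RELABELTO, NULL);`, reads better, although the line as written stays under checkpatch's 100-column limit. In selinux_xfrm_delete() the removed `tsec` initializer ran before the `if (!ctx) return 0;` check while current_sid() is now called only after it, so the returned permission decision is unchanged and the NULL-ctx path simply does less work; the two selinux_xfrm_alloc_user() hunks are straight substitutions with no remaining use of `tsec` in the visible context. Since the reserved-name fix in 1/2 and this cleanup touch the same hooks.c function family, it would help reviewers if this message noted that it depends on 1/2 (the index line f9a61ff64b83 shows it is based on it).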