From patchwork Wed Jul 10 21:32:25 2024 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Casey Schaufler X-Patchwork-Id: 13729734 X-Patchwork-Delegate: paul@paul-moore.com Received: from sonic309-27.consmr.mail.ne1.yahoo.com (sonic309-27.consmr.mail.ne1.yahoo.com [66.163.184.153]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 8A72513B59E for ; Wed, 10 Jul 2024 21:32:38 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=66.163.184.153 ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1720647161; cv=none; b=qE+lyMw7rYK6n8nphUnJFwSpyz8DIjkJE/KXelgLTS2VvFaAOPP2BZeE0jD+MPuWuLukZ+7GXK4SXuixtKFbed1wgjXi0kuq/+cqcP5JVFUcWyD1S4uKyK5MOgwh0Q1D+FlkfMsTBbu4W8HsTWe8nC64Ve5vrGI+G+o4aVSVkeI= ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1720647161; c=relaxed/simple; bh=f7za591KnOUTnNQ9E+csKEdr5FeXU72FCbQn5AU3Ge8=; h=From:To:Cc:Subject:Date:Message-ID:In-Reply-To:References: MIME-Version; b=HnQA/JCrMeQb7KJt7yF2wpa+ro8gxG0QqSegzOTFln+Xb9CquhtKtxGLBUD6cwHcIQlfU+sW6YPYsYF8HFJyzOXheZGHdE+0vKb6ROEH4yAYIXWdvwOZH9b8poaXOvNqwHDj5epky+6S00GTyMSOrwHJpYWuJRARYeh6hHt+BUM= ARC-Authentication-Results: i=1; smtp.subspace.kernel.org; dmarc=none (p=none dis=none) header.from=schaufler-ca.com; spf=none smtp.mailfrom=schaufler-ca.com; dkim=pass (2048-bit key) header.d=yahoo.com header.i=@yahoo.com header.b=ruQ4qf7p; arc=none smtp.client-ip=66.163.184.153 Authentication-Results: smtp.subspace.kernel.org; dmarc=none (p=none dis=none) header.from=schaufler-ca.com Authentication-Results: smtp.subspace.kernel.org; spf=none smtp.mailfrom=schaufler-ca.com Authentication-Results: smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=yahoo.com header.i=@yahoo.com header.b="ruQ4qf7p" DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=yahoo.com; s=s2048; t=1720647157; bh=Im6kyqhR9REq4dhHiO00goPhETy4X9CDJmIISQwpTbQ=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From:Subject:Reply-To; b=ruQ4qf7pgqpDliciQLwizEXsltmv8wVdTtq/7RvtUfnXy/vACtdw6njmSgWO62AsR+ppYLvNz/0ZJoV4zIUBgXnsUb1sSDL8Q4AOsu9kQyhbg/194YUw4aWmJJ/XauXtm0Rse0SOsTAjbPx3LhM1EpeL+WiD6pkJF8Sehn7eTjMqot/pipE/E5X7nsmflybT3Tg7wHqcGSiJrlYHGmv4czpC79vYbefXWRj7DFBBfmyEFTZtMo0G3W2b6TQXdfwvaIHqwCYG24FiZqskEv1QZA8niqM5sUhDigeqO08Q5yjhPhR0wWPbs0+NW/Qbf2RbW6O2SNmug1c/iIE+F7f2mg== X-SONIC-DKIM-SIGN: v=1; a=rsa-sha256; c=relaxed/relaxed; d=yahoo.com; s=s2048; t=1720647157; bh=4Xp7imh7aWIt4SkY4N4O34SMGTmnfFSBN8KwcyOqTbk=; h=X-Sonic-MF:From:To:Subject:Date:From:Subject; b=GyL1n2WguIeW8aNij7b9zpwT4PsCdgH1qZFtQZHBCY6WMreSz92xVhTuTG077tcB3J9vEmiKMPnDX5uhfhQ2hzR57dTkJWOFETA2ZY5B7MUwPyc2VqinjkHC7SgR0NvC06OlTVyIokO6B5RJK7mHnPyRVfV+gBywd0mqLNB6O/8EvE6giQ3whqk0aVk2DxMJxyZOR7os2e5ySYoHU00vN2NDo5T1wK7E/voiNryBg8ZuR5/XqT02jvYlvsW0D3L5HD1MDMHsbfSEMIo+MngijpNO1BQFeLhKf8JSofyMqawlO0ZnP9wqAcuT++yr3xghadoaUeP5kldv3EtiEy7rVQ== X-YMail-OSG: M7ex2OkVM1m50aV4xxGr7QLz5_I.B__VghfXMS7wrstYAKtxytuEkTfhoxFZ6Qc YDoTRYGnM1DpiTytgTUeuApj.kL5xts.PqaB8hQuJBkZhGebABoEP_smxDm1P_CqYC2NLED20Dje cPvy0ZxCQ83Qmauqu1VxmCkKG_sSFrfhrDC_u2y1.y0PsrB19J6xX5o7vNHVViWBzMXkEebGrztY GUYPNbkZdOqAGsSww3jpOafMc0o5XMVhfOldGGPxm2_tlu6sqjhbT4h5.qxjBa8ueU5rdmoehGIR wEtbJA0Dh6O8nLwv87OrfxOjCFV9Byd67VwD0EwNobBazhXCXuq7rEP_2CBxBXzAqOaXUqpb0wKP r_I8gmNB_GF9NrXWvpiygGAL99C6q5kv9sXrDwTTfjL9_AEUOHPklvK.UmfBCSs3G4s4KHYEERAf gXmRAW35wBGhBN61WEBJ4gWijmPujjKOoT2azInWoQ9Xo89E8tLEE6W.COEgbUnxQdmO6LcrsrcM FXt965.WiT6.i.Ll3wZcoAQNUI2NU4_ZAJHPDd7TpnqmyoOWd4BtmdvQVMkrcYK84lNXqd_za1a4 su_957JQXkLGbzG2FxlbzuWHZj9lTPf5phfnzFbFXrp4mfiNNfq.FEx33FHfpCYW9sl4qOPv1r6R gZI3fmnLRFHF.II8UON22oNmTz_hlKw.UW2FmWQ2kAy_SElUDhhgPgR1sEjHEcSoWdXO5XF4sHH6 LrSh60wufMTVcW8WYWOzlb7Bx4FDrnxWjhV.QyajdCD75zsgb70lYAIjCfFeCSdT2wB7mfmKxobG tn3KXFnrI.8NInUedv_XW9Tt5AzTw9WTpQN8t1VWsnHmZ1nlP6njacmB4S242vhYe.FjejIKazQY a0sWNSBIm75j6S.c0oVLRxfyxlPve826DA7QNEYRFajYiTBttnpY1UqQ1H9NrXBv4bETjhTzS.f2 KzKVHghR0RbDWy3IhTBbBJMUeNVSFHv.LsDeeC2jVlV_sHWh5pWdrUvJtCFeZac9WsgNbbwPalmX fykMIJGzeFCMgfNHeBCxr6ylEMWCVc44zxvZvyX_RbcSFzKUvkI1Cn6_jjJ5elsQz2rLoXklBDRq N4w.ur9W9f1nDMJAASIKkSTjVBSNiDHlmB7a5VmxDCW6EfZIQem12PQfmDkRthps73i0mHpTe60u PtERlg_H9HG3suJ5a5SdhJE8WsUSUuUv8zfWeKe0Q9Pljjcs2nfTB3V90oK2IbOCDqmfrYgqMpOE jBp_i8R21r77jKiKumsPGptmN9bDd1y3_Z1vzd8fN1Ww.MIH8th26yxEHKBL31PuK_z_KJzrCM3l d53lR2Ha6B.EV4DUySZ4hp0QvRFOSr4EgGbr_YRFnDrZap6sbVnDEI8lEFggYbVJxTyYx7KCKIMp rx7sl7ntdF8zQ1vgL8B7r3GMDtyC3ylSogx8tQDmGEdWOJoCw3QesbexLEZ6zOe_saCSX6ZRS4ZW yF4qLWnO2BRocJoZwkCYXS0xWCdj06UFxhWkLyJ6k_v09iumGbcw5uN85SvMu9OUiDPs8FhCditn uMQneZGjWn0HRZCDZrYQ15eE6UljGlaYiu5.ku5D8pPmWxSV5ZOIN6xBeD1vzJQm4LpSPnn.7Y_J 0cRb_LDynJm5bE_4M0mWZchYsYGgWYTkIgNUUfpzXzPozn4yG3S.MU.Np_HT_qzIlsINujM7Wg26 yrZ0l0fZiRfdAac569RqbgmGBvZeCKfVt4FmlivTlXWurLUYCLGhz2pxjq75pJWBeOuk3TY95JWu T5H9S2B7F6Uyd.mEcQfV7a0I46qZGUmtAKfXdQ6Ab1noatzyNTsfcpj3.TkjHFMouiTMb_LWACQX 87EECZBbNYqhuCMy.A3jUH46cF3VRe_L1v7i.nrClH4qtuLUiw.NYuHGTNd.HCbAw8i5OzV1whtR B9cUEGBjbh3CdgOuNJYc1g.y0Jph963pV2a6DKMoUCoeRasioyVgJLELr44HLfBM6JKyni3pQDFp K_ImlSMxv5G_ew8xt6px..xIAQ8PPtfUoUkTWcDAQmg3xb9OZslmqzRttVoQQQ_3VmcJS8g8Lagd 7v0yBFKqp6jPJ7pH4tyDXaHk1pTo0C_3TYBu.d2xGsdtWNToMr5ZyjDbRKcrN7.wp5zlusrWm2WI K01PAiRt7S7iC4WZgrKNb6wpD5cG6MLnIXVzjAl4JfJ8IYyZm52EBtLzCftG.5gUFxXyxhkwbTdo nrt_9AItjUhSuCT8waygb X-Sonic-MF: X-Sonic-ID: 1784d72a-320a-400e-aaaf-aa648c06e562 Received: from sonic.gate.mail.ne1.yahoo.com by sonic309.consmr.mail.ne1.yahoo.com with HTTP; Wed, 10 Jul 2024 21:32:37 +0000 Received: by hermes--production-gq1-799bb7c8cf-hxpdl (Yahoo Inc. Hermes SMTP Server) with ESMTPA ID 6067ff4c38dc9a73b3d19ab334e8cbec; Wed, 10 Jul 2024 21:32:35 +0000 (UTC) From: Casey Schaufler To: casey@schaufler-ca.com, paul@paul-moore.com, linux-security-module@vger.kernel.org Cc: jmorris@namei.org, serge@hallyn.com, keescook@chromium.org, john.johansen@canonical.com, penguin-kernel@i-love.sakura.ne.jp, stephen.smalley.work@gmail.com, mic@digikod.net Subject: [PATCH v2 1/6] LSM: Infrastructure management of the sock security Date: Wed, 10 Jul 2024 14:32:25 -0700 Message-ID: <20240710213230.11978-2-casey@schaufler-ca.com> X-Mailer: git-send-email 2.45.2 In-Reply-To: <20240710213230.11978-1-casey@schaufler-ca.com> References: <20240710213230.11978-1-casey@schaufler-ca.com> Precedence: bulk X-Mailing-List: linux-security-module@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Move management of the sock->sk_security blob out of the individual security modules and into the security infrastructure. Instead of allocating the blobs from within the modules the modules tell the infrastructure how much space is required, and the space is allocated there. Acked-by: Paul Moore Reviewed-by: Kees Cook Reviewed-by: John Johansen Acked-by: Stephen Smalley Signed-off-by: Casey Schaufler --- include/linux/lsm_hooks.h | 1 + security/apparmor/include/net.h | 3 +- security/apparmor/lsm.c | 17 +------ security/apparmor/net.c | 2 +- security/security.c | 36 +++++++++++++- security/selinux/hooks.c | 80 ++++++++++++++----------------- security/selinux/include/objsec.h | 5 ++ security/selinux/netlabel.c | 23 ++++----- security/smack/smack.h | 5 ++ security/smack/smack_lsm.c | 70 +++++++++++++-------------- security/smack/smack_netfilter.c | 4 +- 11 files changed, 133 insertions(+), 113 deletions(-) diff --git a/include/linux/lsm_hooks.h b/include/linux/lsm_hooks.h index a2ade0ffe9e7..efd4a0655159 100644 --- a/include/linux/lsm_hooks.h +++ b/include/linux/lsm_hooks.h @@ -73,6 +73,7 @@ struct lsm_blob_sizes { int lbs_cred; int lbs_file; int lbs_inode; + int lbs_sock; int lbs_superblock; int lbs_ipc; int lbs_msg_msg; diff --git a/security/apparmor/include/net.h b/security/apparmor/include/net.h index 67bf888c3bd6..c42ed8a73f1c 100644 --- a/security/apparmor/include/net.h +++ b/security/apparmor/include/net.h @@ -51,10 +51,9 @@ struct aa_sk_ctx { struct aa_label *peer; }; -#define SK_CTX(X) ((X)->sk_security) static inline struct aa_sk_ctx *aa_sock(const struct sock *sk) { - return sk->sk_security; + return sk->sk_security + apparmor_blob_sizes.lbs_sock; } #define DEFINE_AUDIT_NET(NAME, OP, SK, F, T, P) \ diff --git a/security/apparmor/lsm.c b/security/apparmor/lsm.c index 6239777090c4..b3eb0a2f999a 100644 --- a/security/apparmor/lsm.c +++ b/security/apparmor/lsm.c @@ -1057,27 +1057,12 @@ static int apparmor_userns_create(const struct cred *cred) return error; } -static int apparmor_sk_alloc_security(struct sock *sk, int family, gfp_t flags) -{ - struct aa_sk_ctx *ctx; - - ctx = kzalloc(sizeof(*ctx), flags); - if (!ctx) - return -ENOMEM; - - sk->sk_security = ctx; - - return 0; -} - static void apparmor_sk_free_security(struct sock *sk) { struct aa_sk_ctx *ctx = aa_sock(sk); - sk->sk_security = NULL; aa_put_label(ctx->label); aa_put_label(ctx->peer); - kfree(ctx); } /** @@ -1425,6 +1410,7 @@ struct lsm_blob_sizes apparmor_blob_sizes __ro_after_init = { .lbs_cred = sizeof(struct aa_label *), .lbs_file = sizeof(struct aa_file_ctx), .lbs_task = sizeof(struct aa_task_ctx), + .lbs_sock = sizeof(struct aa_sk_ctx), }; static const struct lsm_id apparmor_lsmid = { @@ -1470,7 +1456,6 @@ static struct security_hook_list apparmor_hooks[] __ro_after_init = { LSM_HOOK_INIT(getprocattr, apparmor_getprocattr), LSM_HOOK_INIT(setprocattr, apparmor_setprocattr), - LSM_HOOK_INIT(sk_alloc_security, apparmor_sk_alloc_security), LSM_HOOK_INIT(sk_free_security, apparmor_sk_free_security), LSM_HOOK_INIT(sk_clone_security, apparmor_sk_clone_security), diff --git a/security/apparmor/net.c b/security/apparmor/net.c index 87e934b2b548..77413a519117 100644 --- a/security/apparmor/net.c +++ b/security/apparmor/net.c @@ -151,7 +151,7 @@ static int aa_label_sk_perm(const struct cred *subj_cred, const char *op, u32 request, struct sock *sk) { - struct aa_sk_ctx *ctx = SK_CTX(sk); + struct aa_sk_ctx *ctx = aa_sock(sk); int error = 0; AA_BUG(!label); diff --git a/security/security.c b/security/security.c index e5ca08789f74..5e93a72bdca6 100644 --- a/security/security.c +++ b/security/security.c @@ -29,6 +29,7 @@ #include #include #include +#include /* How many LSMs were built into the kernel? */ #define LSM_COUNT (__end_lsm_info - __start_lsm_info) @@ -227,6 +228,7 @@ static void __init lsm_set_blob_sizes(struct lsm_blob_sizes *needed) lsm_set_blob_size(&needed->lbs_inode, &blob_sizes.lbs_inode); lsm_set_blob_size(&needed->lbs_ipc, &blob_sizes.lbs_ipc); lsm_set_blob_size(&needed->lbs_msg_msg, &blob_sizes.lbs_msg_msg); + lsm_set_blob_size(&needed->lbs_sock, &blob_sizes.lbs_sock); lsm_set_blob_size(&needed->lbs_superblock, &blob_sizes.lbs_superblock); lsm_set_blob_size(&needed->lbs_task, &blob_sizes.lbs_task); lsm_set_blob_size(&needed->lbs_xattr_count, @@ -401,6 +403,7 @@ static void __init ordered_lsm_init(void) init_debug("inode blob size = %d\n", blob_sizes.lbs_inode); init_debug("ipc blob size = %d\n", blob_sizes.lbs_ipc); init_debug("msg_msg blob size = %d\n", blob_sizes.lbs_msg_msg); + init_debug("sock blob size = %d\n", blob_sizes.lbs_sock); init_debug("superblock blob size = %d\n", blob_sizes.lbs_superblock); init_debug("task blob size = %d\n", blob_sizes.lbs_task); init_debug("xattr slots = %d\n", blob_sizes.lbs_xattr_count); @@ -4647,6 +4650,28 @@ int security_socket_getpeersec_dgram(struct socket *sock, } EXPORT_SYMBOL(security_socket_getpeersec_dgram); +/** + * lsm_sock_alloc - allocate a composite sock blob + * @sock: the sock that needs a blob + * @priority: allocation mode + * + * Allocate the sock blob for all the modules + * + * Returns 0, or -ENOMEM if memory can't be allocated. + */ +static int lsm_sock_alloc(struct sock *sock, gfp_t priority) +{ + if (blob_sizes.lbs_sock == 0) { + sock->sk_security = NULL; + return 0; + } + + sock->sk_security = kzalloc(blob_sizes.lbs_sock, priority); + if (sock->sk_security == NULL) + return -ENOMEM; + return 0; +} + /** * security_sk_alloc() - Allocate and initialize a sock's LSM blob * @sk: sock @@ -4660,7 +4685,14 @@ EXPORT_SYMBOL(security_socket_getpeersec_dgram); */ int security_sk_alloc(struct sock *sk, int family, gfp_t priority) { - return call_int_hook(sk_alloc_security, sk, family, priority); + int rc = lsm_sock_alloc(sk, priority); + + if (unlikely(rc)) + return rc; + rc = call_int_hook(sk_alloc_security, sk, family, priority); + if (unlikely(rc)) + security_sk_free(sk); + return rc; } /** @@ -4672,6 +4704,8 @@ int security_sk_alloc(struct sock *sk, int family, gfp_t priority) void security_sk_free(struct sock *sk) { call_void_hook(sk_free_security, sk); + kfree(sk->sk_security); + sk->sk_security = NULL; } /** diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c index 7eed331e90f0..19346e1817ff 100644 --- a/security/selinux/hooks.c +++ b/security/selinux/hooks.c @@ -4579,7 +4579,7 @@ static int socket_sockcreate_sid(const struct task_security_struct *tsec, static int sock_has_perm(struct sock *sk, u32 perms) { - struct sk_security_struct *sksec = sk->sk_security; + struct sk_security_struct *sksec = selinux_sock(sk); struct common_audit_data ad; struct lsm_network_audit net; @@ -4647,7 +4647,7 @@ static int selinux_socket_post_create(struct socket *sock, int family, isec->initialized = LABEL_INITIALIZED; if (sock->sk) { - sksec = sock->sk->sk_security; + sksec = selinux_sock(sock->sk); sksec->sclass = sclass; sksec->sid = sid; /* Allows detection of the first association on this socket */ @@ -4663,8 +4663,8 @@ static int selinux_socket_post_create(struct socket *sock, int family, static int selinux_socket_socketpair(struct socket *socka, struct socket *sockb) { - struct sk_security_struct *sksec_a = socka->sk->sk_security; - struct sk_security_struct *sksec_b = sockb->sk->sk_security; + struct sk_security_struct *sksec_a = selinux_sock(socka->sk); + struct sk_security_struct *sksec_b = selinux_sock(sockb->sk); sksec_a->peer_sid = sksec_b->sid; sksec_b->peer_sid = sksec_a->sid; @@ -4679,7 +4679,7 @@ static int selinux_socket_socketpair(struct socket *socka, static int selinux_socket_bind(struct socket *sock, struct sockaddr *address, int addrlen) { struct sock *sk = sock->sk; - struct sk_security_struct *sksec = sk->sk_security; + struct sk_security_struct *sksec = selinux_sock(sk); u16 family; int err; @@ -4819,7 +4819,7 @@ static int selinux_socket_connect_helper(struct socket *sock, struct sockaddr *address, int addrlen) { struct sock *sk = sock->sk; - struct sk_security_struct *sksec = sk->sk_security; + struct sk_security_struct *sksec = selinux_sock(sk); int err; err = sock_has_perm(sk, SOCKET__CONNECT); @@ -4997,9 +4997,9 @@ static int selinux_socket_unix_stream_connect(struct sock *sock, struct sock *other, struct sock *newsk) { - struct sk_security_struct *sksec_sock = sock->sk_security; - struct sk_security_struct *sksec_other = other->sk_security; - struct sk_security_struct *sksec_new = newsk->sk_security; + struct sk_security_struct *sksec_sock = selinux_sock(sock); + struct sk_security_struct *sksec_other = selinux_sock(other); + struct sk_security_struct *sksec_new = selinux_sock(newsk); struct common_audit_data ad; struct lsm_network_audit net; int err; @@ -5028,8 +5028,8 @@ static int selinux_socket_unix_stream_connect(struct sock *sock, static int selinux_socket_unix_may_send(struct socket *sock, struct socket *other) { - struct sk_security_struct *ssec = sock->sk->sk_security; - struct sk_security_struct *osec = other->sk->sk_security; + struct sk_security_struct *ssec = selinux_sock(sock->sk); + struct sk_security_struct *osec = selinux_sock(other->sk); struct common_audit_data ad; struct lsm_network_audit net; @@ -5066,7 +5066,7 @@ static int selinux_sock_rcv_skb_compat(struct sock *sk, struct sk_buff *skb, u16 family) { int err = 0; - struct sk_security_struct *sksec = sk->sk_security; + struct sk_security_struct *sksec = selinux_sock(sk); u32 sk_sid = sksec->sid; struct common_audit_data ad; struct lsm_network_audit net; @@ -5095,7 +5095,7 @@ static int selinux_sock_rcv_skb_compat(struct sock *sk, struct sk_buff *skb, static int selinux_socket_sock_rcv_skb(struct sock *sk, struct sk_buff *skb) { int err, peerlbl_active, secmark_active; - struct sk_security_struct *sksec = sk->sk_security; + struct sk_security_struct *sksec = selinux_sock(sk); u16 family = sk->sk_family; u32 sk_sid = sksec->sid; struct common_audit_data ad; @@ -5163,7 +5163,7 @@ static int selinux_socket_getpeersec_stream(struct socket *sock, int err = 0; char *scontext = NULL; u32 scontext_len; - struct sk_security_struct *sksec = sock->sk->sk_security; + struct sk_security_struct *sksec = selinux_sock(sock->sk); u32 peer_sid = SECSID_NULL; if (sksec->sclass == SECCLASS_UNIX_STREAM_SOCKET || @@ -5223,34 +5223,27 @@ static int selinux_socket_getpeersec_dgram(struct socket *sock, static int selinux_sk_alloc_security(struct sock *sk, int family, gfp_t priority) { - struct sk_security_struct *sksec; - - sksec = kzalloc(sizeof(*sksec), priority); - if (!sksec) - return -ENOMEM; + struct sk_security_struct *sksec = selinux_sock(sk); sksec->peer_sid = SECINITSID_UNLABELED; sksec->sid = SECINITSID_UNLABELED; sksec->sclass = SECCLASS_SOCKET; selinux_netlbl_sk_security_reset(sksec); - sk->sk_security = sksec; return 0; } static void selinux_sk_free_security(struct sock *sk) { - struct sk_security_struct *sksec = sk->sk_security; + struct sk_security_struct *sksec = selinux_sock(sk); - sk->sk_security = NULL; selinux_netlbl_sk_security_free(sksec); - kfree(sksec); } static void selinux_sk_clone_security(const struct sock *sk, struct sock *newsk) { - struct sk_security_struct *sksec = sk->sk_security; - struct sk_security_struct *newsksec = newsk->sk_security; + struct sk_security_struct *sksec = selinux_sock(sk); + struct sk_security_struct *newsksec = selinux_sock(newsk); newsksec->sid = sksec->sid; newsksec->peer_sid = sksec->peer_sid; @@ -5264,7 +5257,7 @@ static void selinux_sk_getsecid(const struct sock *sk, u32 *secid) if (!sk) *secid = SECINITSID_ANY_SOCKET; else { - const struct sk_security_struct *sksec = sk->sk_security; + const struct sk_security_struct *sksec = selinux_sock(sk); *secid = sksec->sid; } @@ -5274,7 +5267,7 @@ static void selinux_sock_graft(struct sock *sk, struct socket *parent) { struct inode_security_struct *isec = inode_security_novalidate(SOCK_INODE(parent)); - struct sk_security_struct *sksec = sk->sk_security; + struct sk_security_struct *sksec = selinux_sock(sk); if (sk->sk_family == PF_INET || sk->sk_family == PF_INET6 || sk->sk_family == PF_UNIX) @@ -5291,7 +5284,7 @@ static int selinux_sctp_process_new_assoc(struct sctp_association *asoc, { struct sock *sk = asoc->base.sk; u16 family = sk->sk_family; - struct sk_security_struct *sksec = sk->sk_security; + struct sk_security_struct *sksec = selinux_sock(sk); struct common_audit_data ad; struct lsm_network_audit net; int err; @@ -5346,7 +5339,7 @@ static int selinux_sctp_process_new_assoc(struct sctp_association *asoc, static int selinux_sctp_assoc_request(struct sctp_association *asoc, struct sk_buff *skb) { - struct sk_security_struct *sksec = asoc->base.sk->sk_security; + struct sk_security_struct *sksec = selinux_sock(asoc->base.sk); u32 conn_sid; int err; @@ -5379,7 +5372,7 @@ static int selinux_sctp_assoc_request(struct sctp_association *asoc, static int selinux_sctp_assoc_established(struct sctp_association *asoc, struct sk_buff *skb) { - struct sk_security_struct *sksec = asoc->base.sk->sk_security; + struct sk_security_struct *sksec = selinux_sock(asoc->base.sk); if (!selinux_policycap_extsockclass()) return 0; @@ -5478,8 +5471,8 @@ static int selinux_sctp_bind_connect(struct sock *sk, int optname, static void selinux_sctp_sk_clone(struct sctp_association *asoc, struct sock *sk, struct sock *newsk) { - struct sk_security_struct *sksec = sk->sk_security; - struct sk_security_struct *newsksec = newsk->sk_security; + struct sk_security_struct *sksec = selinux_sock(sk); + struct sk_security_struct *newsksec = selinux_sock(newsk); /* If policy does not support SECCLASS_SCTP_SOCKET then call * the non-sctp clone version. @@ -5495,8 +5488,8 @@ static void selinux_sctp_sk_clone(struct sctp_association *asoc, struct sock *sk static int selinux_mptcp_add_subflow(struct sock *sk, struct sock *ssk) { - struct sk_security_struct *ssksec = ssk->sk_security; - struct sk_security_struct *sksec = sk->sk_security; + struct sk_security_struct *ssksec = selinux_sock(ssk); + struct sk_security_struct *sksec = selinux_sock(sk); ssksec->sclass = sksec->sclass; ssksec->sid = sksec->sid; @@ -5511,7 +5504,7 @@ static int selinux_mptcp_add_subflow(struct sock *sk, struct sock *ssk) static int selinux_inet_conn_request(const struct sock *sk, struct sk_buff *skb, struct request_sock *req) { - struct sk_security_struct *sksec = sk->sk_security; + struct sk_security_struct *sksec = selinux_sock(sk); int err; u16 family = req->rsk_ops->family; u32 connsid; @@ -5532,7 +5525,7 @@ static int selinux_inet_conn_request(const struct sock *sk, struct sk_buff *skb, static void selinux_inet_csk_clone(struct sock *newsk, const struct request_sock *req) { - struct sk_security_struct *newsksec = newsk->sk_security; + struct sk_security_struct *newsksec = selinux_sock(newsk); newsksec->sid = req->secid; newsksec->peer_sid = req->peer_secid; @@ -5549,7 +5542,7 @@ static void selinux_inet_csk_clone(struct sock *newsk, static void selinux_inet_conn_established(struct sock *sk, struct sk_buff *skb) { u16 family = sk->sk_family; - struct sk_security_struct *sksec = sk->sk_security; + struct sk_security_struct *sksec = selinux_sock(sk); /* handle mapped IPv4 packets arriving via IPv6 sockets */ if (family == PF_INET6 && skb->protocol == htons(ETH_P_IP)) @@ -5624,7 +5617,7 @@ static int selinux_tun_dev_attach_queue(void *security) static int selinux_tun_dev_attach(struct sock *sk, void *security) { struct tun_security_struct *tunsec = security; - struct sk_security_struct *sksec = sk->sk_security; + struct sk_security_struct *sksec = selinux_sock(sk); /* we don't currently perform any NetLabel based labeling here and it * isn't clear that we would want to do so anyway; while we could apply @@ -5747,7 +5740,7 @@ static unsigned int selinux_ip_output(void *priv, struct sk_buff *skb, return NF_ACCEPT; /* standard practice, label using the parent socket */ - sksec = sk->sk_security; + sksec = selinux_sock(sk); sid = sksec->sid; } else sid = SECINITSID_KERNEL; @@ -5770,7 +5763,7 @@ static unsigned int selinux_ip_postroute_compat(struct sk_buff *skb, sk = skb_to_full_sk(skb); if (sk == NULL) return NF_ACCEPT; - sksec = sk->sk_security; + sksec = selinux_sock(sk); ad_net_init_from_iif(&ad, &net, state->out->ifindex, state->pf); if (selinux_parse_skb(skb, &ad, NULL, 0, &proto)) @@ -5859,7 +5852,7 @@ static unsigned int selinux_ip_postroute(void *priv, u32 skb_sid; struct sk_security_struct *sksec; - sksec = sk->sk_security; + sksec = selinux_sock(sk); if (selinux_skb_peerlbl_sid(skb, family, &skb_sid)) return NF_DROP; /* At this point, if the returned skb peerlbl is SECSID_NULL @@ -5888,7 +5881,7 @@ static unsigned int selinux_ip_postroute(void *priv, } else { /* Locally generated packet, fetch the security label from the * associated socket. */ - struct sk_security_struct *sksec = sk->sk_security; + struct sk_security_struct *sksec = selinux_sock(sk); peer_sid = sksec->sid; secmark_perm = PACKET__SEND; } @@ -5931,7 +5924,7 @@ static int selinux_netlink_send(struct sock *sk, struct sk_buff *skb) unsigned int data_len = skb->len; unsigned char *data = skb->data; struct nlmsghdr *nlh; - struct sk_security_struct *sksec = sk->sk_security; + struct sk_security_struct *sksec = selinux_sock(sk); u16 sclass = sksec->sclass; u32 perm; @@ -6989,6 +6982,7 @@ struct lsm_blob_sizes selinux_blob_sizes __ro_after_init = { .lbs_inode = sizeof(struct inode_security_struct), .lbs_ipc = sizeof(struct ipc_security_struct), .lbs_msg_msg = sizeof(struct msg_security_struct), + .lbs_sock = sizeof(struct sk_security_struct), .lbs_superblock = sizeof(struct superblock_security_struct), .lbs_xattr_count = SELINUX_INODE_INIT_XATTRS, }; diff --git a/security/selinux/include/objsec.h b/security/selinux/include/objsec.h index dea1d6f3ed2d..b074099acbaf 100644 --- a/security/selinux/include/objsec.h +++ b/security/selinux/include/objsec.h @@ -195,4 +195,9 @@ selinux_superblock(const struct super_block *superblock) return superblock->s_security + selinux_blob_sizes.lbs_superblock; } +static inline struct sk_security_struct *selinux_sock(const struct sock *sock) +{ + return sock->sk_security + selinux_blob_sizes.lbs_sock; +} + #endif /* _SELINUX_OBJSEC_H_ */ diff --git a/security/selinux/netlabel.c b/security/selinux/netlabel.c index 55885634e880..fbe5f8c29f81 100644 --- a/security/selinux/netlabel.c +++ b/security/selinux/netlabel.c @@ -17,6 +17,7 @@ #include #include #include +#include #include #include #include @@ -68,7 +69,7 @@ static int selinux_netlbl_sidlookup_cached(struct sk_buff *skb, static struct netlbl_lsm_secattr *selinux_netlbl_sock_genattr(struct sock *sk) { int rc; - struct sk_security_struct *sksec = sk->sk_security; + struct sk_security_struct *sksec = selinux_sock(sk); struct netlbl_lsm_secattr *secattr; if (sksec->nlbl_secattr != NULL) @@ -100,7 +101,7 @@ static struct netlbl_lsm_secattr *selinux_netlbl_sock_getattr( const struct sock *sk, u32 sid) { - struct sk_security_struct *sksec = sk->sk_security; + struct sk_security_struct *sksec = selinux_sock(sk); struct netlbl_lsm_secattr *secattr = sksec->nlbl_secattr; if (secattr == NULL) @@ -240,7 +241,7 @@ int selinux_netlbl_skbuff_setsid(struct sk_buff *skb, * being labeled by it's parent socket, if it is just exit */ sk = skb_to_full_sk(skb); if (sk != NULL) { - struct sk_security_struct *sksec = sk->sk_security; + struct sk_security_struct *sksec = selinux_sock(sk); if (sksec->nlbl_state != NLBL_REQSKB) return 0; @@ -277,7 +278,7 @@ int selinux_netlbl_sctp_assoc_request(struct sctp_association *asoc, { int rc; struct netlbl_lsm_secattr secattr; - struct sk_security_struct *sksec = asoc->base.sk->sk_security; + struct sk_security_struct *sksec = selinux_sock(asoc->base.sk); struct sockaddr_in addr4; struct sockaddr_in6 addr6; @@ -356,7 +357,7 @@ int selinux_netlbl_inet_conn_request(struct request_sock *req, u16 family) */ void selinux_netlbl_inet_csk_clone(struct sock *sk, u16 family) { - struct sk_security_struct *sksec = sk->sk_security; + struct sk_security_struct *sksec = selinux_sock(sk); if (family == PF_INET) sksec->nlbl_state = NLBL_LABELED; @@ -374,8 +375,8 @@ void selinux_netlbl_inet_csk_clone(struct sock *sk, u16 family) */ void selinux_netlbl_sctp_sk_clone(struct sock *sk, struct sock *newsk) { - struct sk_security_struct *sksec = sk->sk_security; - struct sk_security_struct *newsksec = newsk->sk_security; + struct sk_security_struct *sksec = selinux_sock(sk); + struct sk_security_struct *newsksec = selinux_sock(newsk); newsksec->nlbl_state = sksec->nlbl_state; } @@ -393,7 +394,7 @@ void selinux_netlbl_sctp_sk_clone(struct sock *sk, struct sock *newsk) int selinux_netlbl_socket_post_create(struct sock *sk, u16 family) { int rc; - struct sk_security_struct *sksec = sk->sk_security; + struct sk_security_struct *sksec = selinux_sock(sk); struct netlbl_lsm_secattr *secattr; if (family != PF_INET && family != PF_INET6) @@ -510,7 +511,7 @@ int selinux_netlbl_socket_setsockopt(struct socket *sock, { int rc = 0; struct sock *sk = sock->sk; - struct sk_security_struct *sksec = sk->sk_security; + struct sk_security_struct *sksec = selinux_sock(sk); struct netlbl_lsm_secattr secattr; if (selinux_netlbl_option(level, optname) && @@ -548,7 +549,7 @@ static int selinux_netlbl_socket_connect_helper(struct sock *sk, struct sockaddr *addr) { int rc; - struct sk_security_struct *sksec = sk->sk_security; + struct sk_security_struct *sksec = selinux_sock(sk); struct netlbl_lsm_secattr *secattr; /* connected sockets are allowed to disconnect when the address family @@ -587,7 +588,7 @@ static int selinux_netlbl_socket_connect_helper(struct sock *sk, int selinux_netlbl_socket_connect_locked(struct sock *sk, struct sockaddr *addr) { - struct sk_security_struct *sksec = sk->sk_security; + struct sk_security_struct *sksec = selinux_sock(sk); if (sksec->nlbl_state != NLBL_REQSKB && sksec->nlbl_state != NLBL_CONNLABELED) diff --git a/security/smack/smack.h b/security/smack/smack.h index 041688e5a77a..297f21446f45 100644 --- a/security/smack/smack.h +++ b/security/smack/smack.h @@ -355,6 +355,11 @@ static inline struct superblock_smack *smack_superblock( return superblock->s_security + smack_blob_sizes.lbs_superblock; } +static inline struct socket_smack *smack_sock(const struct sock *sock) +{ + return sock->sk_security + smack_blob_sizes.lbs_sock; +} + /* * Is the directory transmuting? */ diff --git a/security/smack/smack_lsm.c b/security/smack/smack_lsm.c index f5cbec1e6a92..a931b44bc959 100644 --- a/security/smack/smack_lsm.c +++ b/security/smack/smack_lsm.c @@ -1581,7 +1581,7 @@ static int smack_inode_getsecurity(struct mnt_idmap *idmap, if (sock == NULL || sock->sk == NULL) return -EOPNOTSUPP; - ssp = sock->sk->sk_security; + ssp = smack_sock(sock->sk); if (strcmp(name, XATTR_SMACK_IPIN) == 0) isp = ssp->smk_in; @@ -1969,7 +1969,7 @@ static int smack_file_receive(struct file *file) if (inode->i_sb->s_magic == SOCKFS_MAGIC) { sock = SOCKET_I(inode); - ssp = sock->sk->sk_security; + ssp = smack_sock(sock->sk); tsp = smack_cred(current_cred()); /* * If the receiving process can't write to the @@ -2384,11 +2384,7 @@ static void smack_task_to_inode(struct task_struct *p, struct inode *inode) static int smack_sk_alloc_security(struct sock *sk, int family, gfp_t gfp_flags) { struct smack_known *skp = smk_of_current(); - struct socket_smack *ssp; - - ssp = kzalloc(sizeof(struct socket_smack), gfp_flags); - if (ssp == NULL) - return -ENOMEM; + struct socket_smack *ssp = smack_sock(sk); /* * Sockets created by kernel threads receive web label. @@ -2402,11 +2398,10 @@ static int smack_sk_alloc_security(struct sock *sk, int family, gfp_t gfp_flags) } ssp->smk_packet = NULL; - sk->sk_security = ssp; - return 0; } +#ifdef SMACK_IPV6_PORT_LABELING /** * smack_sk_free_security - Free a socket blob * @sk: the socket @@ -2415,7 +2410,6 @@ static int smack_sk_alloc_security(struct sock *sk, int family, gfp_t gfp_flags) */ static void smack_sk_free_security(struct sock *sk) { -#ifdef SMACK_IPV6_PORT_LABELING struct smk_port_label *spp; if (sk->sk_family == PF_INET6) { @@ -2428,9 +2422,8 @@ static void smack_sk_free_security(struct sock *sk) } rcu_read_unlock(); } -#endif - kfree(sk->sk_security); } +#endif /** * smack_sk_clone_security - Copy security context @@ -2441,8 +2434,8 @@ static void smack_sk_free_security(struct sock *sk) */ static void smack_sk_clone_security(const struct sock *sk, struct sock *newsk) { - struct socket_smack *ssp_old = sk->sk_security; - struct socket_smack *ssp_new = newsk->sk_security; + struct socket_smack *ssp_old = smack_sock(sk); + struct socket_smack *ssp_new = smack_sock(newsk); *ssp_new = *ssp_old; } @@ -2558,7 +2551,7 @@ static struct smack_known *smack_ipv6host_label(struct sockaddr_in6 *sip) */ static int smack_netlbl_add(struct sock *sk) { - struct socket_smack *ssp = sk->sk_security; + struct socket_smack *ssp = smack_sock(sk); struct smack_known *skp = ssp->smk_out; int rc; @@ -2591,7 +2584,7 @@ static int smack_netlbl_add(struct sock *sk) */ static void smack_netlbl_delete(struct sock *sk) { - struct socket_smack *ssp = sk->sk_security; + struct socket_smack *ssp = smack_sock(sk); /* * Take the label off the socket if one is set. @@ -2623,7 +2616,7 @@ static int smk_ipv4_check(struct sock *sk, struct sockaddr_in *sap) struct smack_known *skp; int rc = 0; struct smack_known *hkp; - struct socket_smack *ssp = sk->sk_security; + struct socket_smack *ssp = smack_sock(sk); struct smk_audit_info ad; rcu_read_lock(); @@ -2696,7 +2689,7 @@ static void smk_ipv6_port_label(struct socket *sock, struct sockaddr *address) { struct sock *sk = sock->sk; struct sockaddr_in6 *addr6; - struct socket_smack *ssp = sock->sk->sk_security; + struct socket_smack *ssp = smack_sock(sock->sk); struct smk_port_label *spp; unsigned short port = 0; @@ -2784,7 +2777,7 @@ static int smk_ipv6_port_check(struct sock *sk, struct sockaddr_in6 *address, int act) { struct smk_port_label *spp; - struct socket_smack *ssp = sk->sk_security; + struct socket_smack *ssp = smack_sock(sk); struct smack_known *skp = NULL; unsigned short port; struct smack_known *object; @@ -2887,7 +2880,7 @@ static int smack_inode_setsecurity(struct inode *inode, const char *name, if (sock == NULL || sock->sk == NULL) return -EOPNOTSUPP; - ssp = sock->sk->sk_security; + ssp = smack_sock(sock->sk); if (strcmp(name, XATTR_SMACK_IPIN) == 0) ssp->smk_in = skp; @@ -2935,7 +2928,7 @@ static int smack_socket_post_create(struct socket *sock, int family, * Sockets created by kernel threads receive web label. */ if (unlikely(current->flags & PF_KTHREAD)) { - ssp = sock->sk->sk_security; + ssp = smack_sock(sock->sk); ssp->smk_in = &smack_known_web; ssp->smk_out = &smack_known_web; } @@ -2960,8 +2953,8 @@ static int smack_socket_post_create(struct socket *sock, int family, static int smack_socket_socketpair(struct socket *socka, struct socket *sockb) { - struct socket_smack *asp = socka->sk->sk_security; - struct socket_smack *bsp = sockb->sk->sk_security; + struct socket_smack *asp = smack_sock(socka->sk); + struct socket_smack *bsp = smack_sock(sockb->sk); asp->smk_packet = bsp->smk_out; bsp->smk_packet = asp->smk_out; @@ -3024,7 +3017,7 @@ static int smack_socket_connect(struct socket *sock, struct sockaddr *sap, if (__is_defined(SMACK_IPV6_SECMARK_LABELING)) rsp = smack_ipv6host_label(sip); if (rsp != NULL) { - struct socket_smack *ssp = sock->sk->sk_security; + struct socket_smack *ssp = smack_sock(sock->sk); rc = smk_ipv6_check(ssp->smk_out, rsp, sip, SMK_CONNECTING); @@ -3819,9 +3812,9 @@ static int smack_unix_stream_connect(struct sock *sock, { struct smack_known *skp; struct smack_known *okp; - struct socket_smack *ssp = sock->sk_security; - struct socket_smack *osp = other->sk_security; - struct socket_smack *nsp = newsk->sk_security; + struct socket_smack *ssp = smack_sock(sock); + struct socket_smack *osp = smack_sock(other); + struct socket_smack *nsp = smack_sock(newsk); struct smk_audit_info ad; int rc = 0; #ifdef CONFIG_AUDIT @@ -3867,8 +3860,8 @@ static int smack_unix_stream_connect(struct sock *sock, */ static int smack_unix_may_send(struct socket *sock, struct socket *other) { - struct socket_smack *ssp = sock->sk->sk_security; - struct socket_smack *osp = other->sk->sk_security; + struct socket_smack *ssp = smack_sock(sock->sk); + struct socket_smack *osp = smack_sock(other->sk); struct smk_audit_info ad; int rc; @@ -3905,7 +3898,7 @@ static int smack_socket_sendmsg(struct socket *sock, struct msghdr *msg, struct sockaddr_in6 *sap = (struct sockaddr_in6 *) msg->msg_name; #endif #ifdef SMACK_IPV6_SECMARK_LABELING - struct socket_smack *ssp = sock->sk->sk_security; + struct socket_smack *ssp = smack_sock(sock->sk); struct smack_known *rsp; #endif int rc = 0; @@ -4117,7 +4110,7 @@ static struct smack_known *smack_from_netlbl(const struct sock *sk, u16 family, netlbl_secattr_init(&secattr); if (sk) - ssp = sk->sk_security; + ssp = smack_sock(sk); if (netlbl_skbuff_getattr(skb, family, &secattr) == 0) { skp = smack_from_secattr(&secattr, ssp); @@ -4139,7 +4132,7 @@ static struct smack_known *smack_from_netlbl(const struct sock *sk, u16 family, */ static int smack_socket_sock_rcv_skb(struct sock *sk, struct sk_buff *skb) { - struct socket_smack *ssp = sk->sk_security; + struct socket_smack *ssp = smack_sock(sk); struct smack_known *skp = NULL; int rc = 0; struct smk_audit_info ad; @@ -4243,7 +4236,7 @@ static int smack_socket_getpeersec_stream(struct socket *sock, u32 slen = 1; int rc = 0; - ssp = sock->sk->sk_security; + ssp = smack_sock(sock->sk); if (ssp->smk_packet != NULL) { rcp = ssp->smk_packet->smk_known; slen = strlen(rcp) + 1; @@ -4293,7 +4286,7 @@ static int smack_socket_getpeersec_dgram(struct socket *sock, switch (family) { case PF_UNIX: - ssp = sock->sk->sk_security; + ssp = smack_sock(sock->sk); s = ssp->smk_out->smk_secid; break; case PF_INET: @@ -4342,7 +4335,7 @@ static void smack_sock_graft(struct sock *sk, struct socket *parent) (sk->sk_family != PF_INET && sk->sk_family != PF_INET6)) return; - ssp = sk->sk_security; + ssp = smack_sock(sk); ssp->smk_in = skp; ssp->smk_out = skp; /* cssp->smk_packet is already set in smack_inet_csk_clone() */ @@ -4362,7 +4355,7 @@ static int smack_inet_conn_request(const struct sock *sk, struct sk_buff *skb, { u16 family = sk->sk_family; struct smack_known *skp; - struct socket_smack *ssp = sk->sk_security; + struct socket_smack *ssp = smack_sock(sk); struct sockaddr_in addr; struct iphdr *hdr; struct smack_known *hskp; @@ -4448,7 +4441,7 @@ static int smack_inet_conn_request(const struct sock *sk, struct sk_buff *skb, static void smack_inet_csk_clone(struct sock *sk, const struct request_sock *req) { - struct socket_smack *ssp = sk->sk_security; + struct socket_smack *ssp = smack_sock(sk); struct smack_known *skp; if (req->peer_secid != 0) { @@ -5018,6 +5011,7 @@ struct lsm_blob_sizes smack_blob_sizes __ro_after_init = { .lbs_inode = sizeof(struct inode_smack), .lbs_ipc = sizeof(struct smack_known *), .lbs_msg_msg = sizeof(struct smack_known *), + .lbs_sock = sizeof(struct socket_smack), .lbs_superblock = sizeof(struct superblock_smack), .lbs_xattr_count = SMACK_INODE_INIT_XATTRS, }; @@ -5141,7 +5135,9 @@ static struct security_hook_list smack_hooks[] __ro_after_init = { LSM_HOOK_INIT(socket_getpeersec_stream, smack_socket_getpeersec_stream), LSM_HOOK_INIT(socket_getpeersec_dgram, smack_socket_getpeersec_dgram), LSM_HOOK_INIT(sk_alloc_security, smack_sk_alloc_security), +#ifdef SMACK_IPV6_PORT_LABELING LSM_HOOK_INIT(sk_free_security, smack_sk_free_security), +#endif LSM_HOOK_INIT(sk_clone_security, smack_sk_clone_security), LSM_HOOK_INIT(sock_graft, smack_sock_graft), LSM_HOOK_INIT(inet_conn_request, smack_inet_conn_request), diff --git a/security/smack/smack_netfilter.c b/security/smack/smack_netfilter.c index b945c1d3a743..bad71b7e648d 100644 --- a/security/smack/smack_netfilter.c +++ b/security/smack/smack_netfilter.c @@ -26,8 +26,8 @@ static unsigned int smack_ip_output(void *priv, struct socket_smack *ssp; struct smack_known *skp; - if (sk && sk->sk_security) { - ssp = sk->sk_security; + if (sk) { + ssp = smack_sock(sk); skp = ssp->smk_out; skb->secmark = skp->smk_secid; } From patchwork Wed Jul 10 21:32:26 2024 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Casey Schaufler X-Patchwork-Id: 13729735 X-Patchwork-Delegate: paul@paul-moore.com Received: from sonic310-30.consmr.mail.ne1.yahoo.com (sonic310-30.consmr.mail.ne1.yahoo.com [66.163.186.211]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 7C9A012F38B for ; Wed, 10 Jul 2024 21:32:40 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=66.163.186.211 ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1720647162; cv=none; b=oFx+hqwhzGCDncewvG3Yb+oWrRerOI8GlYcJ3ercnIKGD9cYFud75XiagR1DDNUUj8+eWF2XztYER9pnsUa/LKDK0+/WTWSlqvIKP+RajS57FK2cGrkUJO3B3djasqLfwCZB5wQ7Z8t2zZUC7MGVGaqeG27NTGNre4ubDsmDJjA= ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1720647162; c=relaxed/simple; bh=s/n3den+fdhxYj1+n3R7uBZdudROT0iZ8kwtNk/+J2s=; h=From:To:Cc:Subject:Date:Message-ID:In-Reply-To:References: MIME-Version; b=bYlhWTEETWduthospzszWkz/5xFNPrHZh1i8Jo0wu2bV8W8vY/KlAfLPyqcGiU+778/0l/SmszzVQALXJORoCkjmI89IN7Fm/s2BSvkO3bkljk4YhtPXMulestjVeaY/zXnU2YjODHX0oUNe8xFi/xoPW2Lq1+yqp8ZeZAgnWLo= ARC-Authentication-Results: i=1; smtp.subspace.kernel.org; dmarc=none (p=none dis=none) header.from=schaufler-ca.com; spf=none smtp.mailfrom=schaufler-ca.com; dkim=pass (2048-bit key) header.d=yahoo.com header.i=@yahoo.com header.b=BBS4PLr0; arc=none smtp.client-ip=66.163.186.211 Authentication-Results: smtp.subspace.kernel.org; dmarc=none (p=none dis=none) header.from=schaufler-ca.com Authentication-Results: smtp.subspace.kernel.org; spf=none smtp.mailfrom=schaufler-ca.com Authentication-Results: smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=yahoo.com header.i=@yahoo.com header.b="BBS4PLr0" DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=yahoo.com; s=s2048; t=1720647159; bh=NGJI3yg+r6O8XjvFIsjyRNfKglWpLJo8h83/isXtWJ0=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From:Subject:Reply-To; b=BBS4PLr0eO6BR8+9z18sLK9Fk/KihZtctiWzCe1TMIAlkY4q1jq11cJfrA8rDlzmEJvIVWwmhffb3D3OO9KOJmsMih07sfD0SMupOZdtBB7WXMouASDJ/YFUo5adfhY6ypI0HrrikYu2j1vM9PBjDinNMUK/+8WpjOKKriFFf9CerxjX5Xfi/zWCpBRutTP6xbvI1eL4wHVU4p3qwp6sEpXIA86gb4FulvHJs5tsZwuc6naiKjT6pYTuILkMji+rRZvqfCZxIBB02UGP/rgLha8wfMYk1vZc2NwZmO+LKytxWAadyE6NEB4JdFPE2XgysPN1vXLwC7jbIDOXLQ3w4A== X-SONIC-DKIM-SIGN: v=1; a=rsa-sha256; c=relaxed/relaxed; d=yahoo.com; s=s2048; t=1720647159; bh=uUe6T4J4Y1521ZrMcQTigaHisjFEQ4DBNs3J6+Y1Jz+=; h=X-Sonic-MF:From:To:Subject:Date:From:Subject; b=LIRm2mnPS9UKWR2yBDV4B741G5whm8P3aP8d7UEX9wJyv5eqawLnSAgaJMXZajVatIwexizGDT2RoKcu/AOQQTWRHnt+B/yAtEfvftSZI50d809Dppm8DGNqb6ZaxasqD8bQRmkhUfl0rg6eneSQNdlWu1WHX3QvavkJT0Js9v60XVO/lBXcP/9E+3VRTWmmJfTfJfyF72M/9+BuUQOKZBl8q57e3UBNq27Nndy5qhb/iO+ZsX9m58nZwxRruOFokaiVL/BSXiALF8gABRcUtR3UycB9tF855dzcBRkQg7LLPcdRrVMrmo4C1hu2enNQXQnyZB6R7oYMfZiE3rLDHg== X-YMail-OSG: 2G4etvYVM1m.ZAfEKgJevN929tAN5qTA7Cu9tjbEUOqQBoHeZK8t0EM5uAOjMrY ZRgtpauOcUmpJLgdfpenJntWJzHWzCGVk9TzSCfFJidMBljv_WlejeL0Rihliri9pW66vY9S3MRE 1ETgx4KHf0TrzFBUTg_aVG_FZ9Cimt5zeawvvaaexm8xk3o4U3XRNcwz66i03cw8n3WIRR2RElvF spAkon_NPUENHcBPbkrXOe9LvtG5aT1l2MDdZrMvywFixcWfYSv5WCkGXIfoQ1smrvxooMkfCAHn J20i3sScDzMnsw011QODfisacCyMh.MZeTHvfC6KCsmeEV_vmacKI_YB3HiPSMFQuaUFZGfYui13 _Kb27RXGcF7wKs5EKCubOrdbirJLg5vD902oEzakvvaGZieHaQmBsl2rsYpCrxbyxWk51Hk2JBsL hQXaBsMQChweAysI9PPV9biL08qdgwoAHav92WZcfANL4X1EyorXI.EWvBDKWWwxxs5u1GQRYkzw e7HHsWtpQizWuC_qBAv0q3tsNAYblvrupSJb.5d734zzzM5asjVL3nbhyoMRwg9NuOjhCl_rFaPz JbgDxuGXLESnS3pr.4IkcPjdXzQkEDjYeiqcO5qMgTvocGt4g9MTFi7XNN0PqCOsmLk2ADYOJB0d 72cVHNTESbrFZ2mLY7ebFPhc5a55uxytLt6z3WvNZq8tLpQpOjo5x9jD3NIFIBjg76AnLcLQl1X7 R8WBS.NljZhhP6Vl.q1RFdxpc_ittubDssBRbAyCP0C.VixqUiYO4.eGJbFZN79bZUW0hl7G2EO7 KoE6yUkEImYgxa.2Lz9aBB5wRQ4st7USTnDx3iRw.JSPkSmiKtfb3I2EKWF7JHVs.Qy9Nn96dY63 YV5paSkLTvcX91UhPp54GuIf2lnhuoqCYXuX2hkhsarQSvlUJfBUOZ572NpfXSdUhCRccNmAGBDr 0F.H_hIj6kVy7HAd_6xgibgigLvjgS2jL0.GBfO5X5yGKUxuMLP9J4WB9NXI4aOwI5CyxNSgJcnf d5LQwa_67cN88A7Tlz33WnJp3SfmucwkjFgLepzTA2_9.Xvu6XT__Q0JKawUWfiQzJFIPhvUmf_q iyocNkgNUIAMioP7ym4nXmVMpghnGj1hODdFVvemyutCeXYMTEgmD2tMFN.wRj2n8ADMGJeSaGO1 UQ6wzHb.fGqCfM6KVAhd3JL5hmNnYtxbfGyDSHCdE22ksxmLVhRYleIt732ldiPgP.SGgKVvBE1U Y6V6_hhEphtoJKqV70H8pF._YUnGxGgfpPKQsbWfBFSfo2LD0HZ5Y0nGTs.ObbFGp5UlZ19EZOsB sNuttcYNJIO35XjUgApiB0N9sDHxgz8viCFf76oheK2OMvujeJDppU1ra6HTQrq8EPaLCVmmCtSI VEYZDCQXHrOCARO1Ho.jU2gBktAWTGvL8tQuDRcHVHNANgBP2gc1BH4oUteN4hz.5AmMVHK7YhCq xGPIkYw6rsAaymjsN3gNBKo.FqCkxpdqN3ZTH.CTXvzYzbDIXC7Gan6.L2ZZsxt.mf3Gshv8F.0O CTNoK8FTJwFmVNl9xVsLp.zHhmPoF6BtUu_X29GZJPXaCrn0KSmWsOwqJ38ZdxXjrEA5qrYL6WwK EtHZAGXLojUiVzCvq19alACyUfrHFFNBleTHyz8vxx.Ku4gT5r9dasQpQM4x7LjzETYNvXTfH2Y. 72AxQxIhny13xbfcmuwcaYTv3kBTK4sce6ydjYkxFyWXKDyMxFUhP.cko92kxJoqvy8f8.w.eIuu z4auhrsWvZjup.T30IA9Bf0LrruaaF2Zx.LcCqMtKePrZ85t.ilPenqZAslvbfn5i64633InaHdl k4Ti.aOzX6e0rsw78nsvETNG.m4AJMqKYFHiw3mN1zJonNoiRmecWRw8WuzpAvtQUtniAnbSZK9s V9u27xNpR.XlW_S5vkybQJKxwobSa01XFwn_kz4rt8QOOlIM3kMGocNOqlbmxQUfg7d8Q9U8Zqtg XzfKBXbFHwBW0mpKGtNX4RXBBsojwvGegL7TCHvhQQzUbkdxqO8ACFJmaeqJxV9_K3GBpam.Jlx9 l73Kx3bEZrTDJvfKKBAt4rV9QvTpQJ89uvqLSMJgWa2d.rAeg7qziACq2w6xrkDWm8fmiYVDRCfP I_U1eWeFbyJgS_FDgu8t.dGxt3zQOXqkOGQSb5tpfC_duP27i01K.SkwGmS2p1ZLJbJEiAqlJRLO mD4cfbSR7jMS4RpVtl.wcHmuCO.VQ.60Sk_rjZaCoQeOWehY3JgUnM2Eu5WaCwvCQWzLSkvF8GaJ BsZg- X-Sonic-MF: X-Sonic-ID: d565065a-3915-4bc3-9a36-b30bb40b4164 Received: from sonic.gate.mail.ne1.yahoo.com by sonic310.consmr.mail.ne1.yahoo.com with HTTP; Wed, 10 Jul 2024 21:32:39 +0000 Received: by hermes--production-gq1-799bb7c8cf-hxpdl (Yahoo Inc. Hermes SMTP Server) with ESMTPA ID 6067ff4c38dc9a73b3d19ab334e8cbec; Wed, 10 Jul 2024 21:32:37 +0000 (UTC) From: Casey Schaufler To: casey@schaufler-ca.com, paul@paul-moore.com, linux-security-module@vger.kernel.org Cc: jmorris@namei.org, serge@hallyn.com, keescook@chromium.org, john.johansen@canonical.com, penguin-kernel@i-love.sakura.ne.jp, stephen.smalley.work@gmail.com, mic@digikod.net Subject: [PATCH v2 2/6] LSM: Infrastructure management of the key security blob Date: Wed, 10 Jul 2024 14:32:26 -0700 Message-ID: <20240710213230.11978-3-casey@schaufler-ca.com> X-Mailer: git-send-email 2.45.2 In-Reply-To: <20240710213230.11978-1-casey@schaufler-ca.com> References: <20240710213230.11978-1-casey@schaufler-ca.com> Precedence: bulk X-Mailing-List: linux-security-module@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Move management of the key->security blob out of the individual security modules and into the security infrastructure. Instead of allocating the blobs from within the modules the modules tell the infrastructure how much space is required, and the space is allocated there. There are no existing modules that require a key_free hook, so the call to it and the definition for it have been removed. Signed-off-by: Casey Schaufler Reviewed-by: John Johansen --- include/linux/lsm_hook_defs.h | 1 - include/linux/lsm_hooks.h | 1 + security/security.c | 39 +++++++++++++++++++++++++++++-- security/selinux/hooks.c | 21 ++++------------- security/selinux/include/objsec.h | 7 ++++++ security/smack/smack.h | 7 ++++++ security/smack/smack_lsm.c | 31 +++++++++++------------- 7 files changed, 69 insertions(+), 38 deletions(-) diff --git a/include/linux/lsm_hook_defs.h b/include/linux/lsm_hook_defs.h index 44488b1ab9a9..cc81f7f7c024 100644 --- a/include/linux/lsm_hook_defs.h +++ b/include/linux/lsm_hook_defs.h @@ -402,7 +402,6 @@ LSM_HOOK(int, 0, xfrm_decode_session, struct sk_buff *skb, u32 *secid, #ifdef CONFIG_KEYS LSM_HOOK(int, 0, key_alloc, struct key *key, const struct cred *cred, unsigned long flags) -LSM_HOOK(void, LSM_RET_VOID, key_free, struct key *key) LSM_HOOK(int, 0, key_permission, key_ref_t key_ref, const struct cred *cred, enum key_need_perm need_perm) LSM_HOOK(int, 0, key_getsecurity, struct key *key, char **buffer) diff --git a/include/linux/lsm_hooks.h b/include/linux/lsm_hooks.h index efd4a0655159..7233bc0737be 100644 --- a/include/linux/lsm_hooks.h +++ b/include/linux/lsm_hooks.h @@ -76,6 +76,7 @@ struct lsm_blob_sizes { int lbs_sock; int lbs_superblock; int lbs_ipc; + int lbs_key; int lbs_msg_msg; int lbs_task; int lbs_xattr_count; /* number of xattr slots in new_xattrs array */ diff --git a/security/security.c b/security/security.c index 5e93a72bdca6..92068ebd7e2b 100644 --- a/security/security.c +++ b/security/security.c @@ -227,6 +227,7 @@ static void __init lsm_set_blob_sizes(struct lsm_blob_sizes *needed) blob_sizes.lbs_inode = sizeof(struct rcu_head); lsm_set_blob_size(&needed->lbs_inode, &blob_sizes.lbs_inode); lsm_set_blob_size(&needed->lbs_ipc, &blob_sizes.lbs_ipc); + lsm_set_blob_size(&needed->lbs_key, &blob_sizes.lbs_key); lsm_set_blob_size(&needed->lbs_msg_msg, &blob_sizes.lbs_msg_msg); lsm_set_blob_size(&needed->lbs_sock, &blob_sizes.lbs_sock); lsm_set_blob_size(&needed->lbs_superblock, &blob_sizes.lbs_superblock); @@ -402,6 +403,9 @@ static void __init ordered_lsm_init(void) init_debug("file blob size = %d\n", blob_sizes.lbs_file); init_debug("inode blob size = %d\n", blob_sizes.lbs_inode); init_debug("ipc blob size = %d\n", blob_sizes.lbs_ipc); +#ifdef CONFIG_KEYS + init_debug("key blob size = %d\n", blob_sizes.lbs_key); +#endif /* CONFIG_KEYS */ init_debug("msg_msg blob size = %d\n", blob_sizes.lbs_msg_msg); init_debug("sock blob size = %d\n", blob_sizes.lbs_sock); init_debug("superblock blob size = %d\n", blob_sizes.lbs_superblock); @@ -718,6 +722,29 @@ static int lsm_ipc_alloc(struct kern_ipc_perm *kip) return 0; } +#ifdef CONFIG_KEYS +/** + * lsm_key_alloc - allocate a composite key blob + * @key: the key that needs a blob + * + * Allocate the key blob for all the modules + * + * Returns 0, or -ENOMEM if memory can't be allocated. + */ +static int lsm_key_alloc(struct key *key) +{ + if (blob_sizes.lbs_key == 0) { + key->security = NULL; + return 0; + } + + key->security = kzalloc(blob_sizes.lbs_key, GFP_KERNEL); + if (key->security == NULL) + return -ENOMEM; + return 0; +} +#endif /* CONFIG_KEYS */ + /** * lsm_msg_msg_alloc - allocate a composite msg_msg blob * @mp: the msg_msg that needs a blob @@ -5290,7 +5317,14 @@ EXPORT_SYMBOL(security_skb_classify_flow); int security_key_alloc(struct key *key, const struct cred *cred, unsigned long flags) { - return call_int_hook(key_alloc, key, cred, flags); + int rc = lsm_key_alloc(key); + + if (unlikely(rc)) + return rc; + rc = call_int_hook(key_alloc, key, cred, flags); + if (unlikely(rc)) + security_key_free(key); + return rc; } /** @@ -5301,7 +5335,8 @@ int security_key_alloc(struct key *key, const struct cred *cred, */ void security_key_free(struct key *key) { - call_void_hook(key_free, key); + kfree(key->security); + key->security = NULL; } /** diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c index 19346e1817ff..986825ba1cc5 100644 --- a/security/selinux/hooks.c +++ b/security/selinux/hooks.c @@ -6658,11 +6658,7 @@ static int selinux_key_alloc(struct key *k, const struct cred *cred, unsigned long flags) { const struct task_security_struct *tsec; - struct key_security_struct *ksec; - - ksec = kzalloc(sizeof(struct key_security_struct), GFP_KERNEL); - if (!ksec) - return -ENOMEM; + struct key_security_struct *ksec = selinux_key(k); tsec = selinux_cred(cred); if (tsec->keycreate_sid) @@ -6670,18 +6666,9 @@ static int selinux_key_alloc(struct key *k, const struct cred *cred, else ksec->sid = tsec->sid; - k->security = ksec; return 0; } -static void selinux_key_free(struct key *k) -{ - struct key_security_struct *ksec = k->security; - - k->security = NULL; - kfree(ksec); -} - static int selinux_key_permission(key_ref_t key_ref, const struct cred *cred, enum key_need_perm need_perm) @@ -6722,14 +6709,14 @@ static int selinux_key_permission(key_ref_t key_ref, sid = cred_sid(cred); key = key_ref_to_ptr(key_ref); - ksec = key->security; + ksec = selinux_key(key); return avc_has_perm(sid, ksec->sid, SECCLASS_KEY, perm, NULL); } static int selinux_key_getsecurity(struct key *key, char **_buffer) { - struct key_security_struct *ksec = key->security; + struct key_security_struct *ksec = selinux_key(key); char *context = NULL; unsigned len; int rc; @@ -6981,6 +6968,7 @@ struct lsm_blob_sizes selinux_blob_sizes __ro_after_init = { .lbs_file = sizeof(struct file_security_struct), .lbs_inode = sizeof(struct inode_security_struct), .lbs_ipc = sizeof(struct ipc_security_struct), + .lbs_key = sizeof(struct key_security_struct), .lbs_msg_msg = sizeof(struct msg_security_struct), .lbs_sock = sizeof(struct sk_security_struct), .lbs_superblock = sizeof(struct superblock_security_struct), @@ -7318,7 +7306,6 @@ static struct security_hook_list selinux_hooks[] __ro_after_init = { #endif #ifdef CONFIG_KEYS - LSM_HOOK_INIT(key_free, selinux_key_free), LSM_HOOK_INIT(key_permission, selinux_key_permission), LSM_HOOK_INIT(key_getsecurity, selinux_key_getsecurity), #ifdef CONFIG_KEY_NOTIFICATIONS diff --git a/security/selinux/include/objsec.h b/security/selinux/include/objsec.h index b074099acbaf..83b9443d6919 100644 --- a/security/selinux/include/objsec.h +++ b/security/selinux/include/objsec.h @@ -195,6 +195,13 @@ selinux_superblock(const struct super_block *superblock) return superblock->s_security + selinux_blob_sizes.lbs_superblock; } +#ifdef CONFIG_KEYS +static inline struct key_security_struct *selinux_key(const struct key *key) +{ + return key->security + selinux_blob_sizes.lbs_key; +} +#endif /* CONFIG_KEYS */ + static inline struct sk_security_struct *selinux_sock(const struct sock *sock) { return sock->sk_security + selinux_blob_sizes.lbs_sock; diff --git a/security/smack/smack.h b/security/smack/smack.h index 297f21446f45..dbf8d7226eb5 100644 --- a/security/smack/smack.h +++ b/security/smack/smack.h @@ -360,6 +360,13 @@ static inline struct socket_smack *smack_sock(const struct sock *sock) return sock->sk_security + smack_blob_sizes.lbs_sock; } +#ifdef CONFIG_KEYS +static inline struct smack_known **smack_key(const struct key *key) +{ + return key->security + smack_blob_sizes.lbs_key; +} +#endif /* CONFIG_KEYS */ + /* * Is the directory transmuting? */ diff --git a/security/smack/smack_lsm.c b/security/smack/smack_lsm.c index a931b44bc959..c57eacf1d3b1 100644 --- a/security/smack/smack_lsm.c +++ b/security/smack/smack_lsm.c @@ -4473,23 +4473,13 @@ static void smack_inet_csk_clone(struct sock *sk, static int smack_key_alloc(struct key *key, const struct cred *cred, unsigned long flags) { + struct smack_known **blob = smack_key(key); struct smack_known *skp = smk_of_task(smack_cred(cred)); - key->security = skp; + *blob = skp; return 0; } -/** - * smack_key_free - Clear the key security blob - * @key: the object - * - * Clear the blob pointer - */ -static void smack_key_free(struct key *key) -{ - key->security = NULL; -} - /** * smack_key_permission - Smack access on a key * @key_ref: gets to the object @@ -4503,6 +4493,8 @@ static int smack_key_permission(key_ref_t key_ref, const struct cred *cred, enum key_need_perm need_perm) { + struct smack_known **blob; + struct smack_known *skp; struct key *keyp; struct smk_audit_info ad; struct smack_known *tkp = smk_of_task(smack_cred(cred)); @@ -4540,7 +4532,9 @@ static int smack_key_permission(key_ref_t key_ref, * If the key hasn't been initialized give it access so that * it may do so. */ - if (keyp->security == NULL) + blob = smack_key(keyp); + skp = *blob; + if (skp == NULL) return 0; /* * This should not occur @@ -4556,8 +4550,8 @@ static int smack_key_permission(key_ref_t key_ref, ad.a.u.key_struct.key = keyp->serial; ad.a.u.key_struct.key_desc = keyp->description; #endif - rc = smk_access(tkp, keyp->security, request, &ad); - rc = smk_bu_note("key access", tkp, keyp->security, request, rc); + rc = smk_access(tkp, skp, request, &ad); + rc = smk_bu_note("key access", tkp, skp, request, rc); return rc; } @@ -4572,11 +4566,12 @@ static int smack_key_permission(key_ref_t key_ref, */ static int smack_key_getsecurity(struct key *key, char **_buffer) { - struct smack_known *skp = key->security; + struct smack_known **blob = smack_key(key); + struct smack_known *skp = *blob; size_t length; char *copy; - if (key->security == NULL) { + if (skp == NULL) { *_buffer = NULL; return 0; } @@ -5010,6 +5005,7 @@ struct lsm_blob_sizes smack_blob_sizes __ro_after_init = { .lbs_file = sizeof(struct smack_known *), .lbs_inode = sizeof(struct inode_smack), .lbs_ipc = sizeof(struct smack_known *), + .lbs_key = sizeof(struct smack_known *), .lbs_msg_msg = sizeof(struct smack_known *), .lbs_sock = sizeof(struct socket_smack), .lbs_superblock = sizeof(struct superblock_smack), @@ -5146,7 +5142,6 @@ static struct security_hook_list smack_hooks[] __ro_after_init = { /* key management security hooks */ #ifdef CONFIG_KEYS LSM_HOOK_INIT(key_alloc, smack_key_alloc), - LSM_HOOK_INIT(key_free, smack_key_free), LSM_HOOK_INIT(key_permission, smack_key_permission), LSM_HOOK_INIT(key_getsecurity, smack_key_getsecurity), #ifdef CONFIG_KEY_NOTIFICATIONS From patchwork Wed Jul 10 21:32:27 2024 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Casey Schaufler X-Patchwork-Id: 13729738 X-Patchwork-Delegate: paul@paul-moore.com Received: from sonic309-27.consmr.mail.ne1.yahoo.com (sonic309-27.consmr.mail.ne1.yahoo.com [66.163.184.153]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 66732D535 for ; Wed, 10 Jul 2024 21:34:18 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=66.163.184.153 ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1720647261; cv=none; b=KgzPq/lAxh7+vS1NwK8WoBZL3aCNeJq7IjfD/rESR5lsFrqbY6J2XuGri8WlyJJ17oPywSf8GkWrYkRjrgHeFJd0UxttYd6DOSU0GYOdOvntwoJwy0cq2qjFfQTXtyCMdkmMusm2ErDz5CXwuJ33mspeM8yzQzBFcp/gtFmUSn0= ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1720647261; c=relaxed/simple; bh=nRcUg32FhBUVtUkgSi9nGRUtS/r3i4XGWEbRUj77x9g=; h=From:To:Cc:Subject:Date:Message-ID:In-Reply-To:References: MIME-Version; b=iHgd//z3M9u9JuOWO/snvrYy3cq2v0jeEs0NjXO+zDhib7lGT03qz2bZiZVlgxivirbIJjjhuBN0J7TDCZwtk9q7XW38hMO4cmTrBW/vecI8a2bmUM5prXMi0M1s7611swliiPDZRljasEjJbgDWGnE5R1tdj2exAOtYJIjeS0U= ARC-Authentication-Results: i=1; smtp.subspace.kernel.org; dmarc=none (p=none dis=none) header.from=schaufler-ca.com; spf=none smtp.mailfrom=schaufler-ca.com; dkim=pass (2048-bit key) header.d=yahoo.com header.i=@yahoo.com header.b=d0wZBDEG; arc=none smtp.client-ip=66.163.184.153 Authentication-Results: smtp.subspace.kernel.org; dmarc=none (p=none dis=none) header.from=schaufler-ca.com Authentication-Results: smtp.subspace.kernel.org; spf=none smtp.mailfrom=schaufler-ca.com Authentication-Results: smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=yahoo.com header.i=@yahoo.com header.b="d0wZBDEG" DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=yahoo.com; s=s2048; t=1720647257; bh=wd1U9fhPPj5arquf6HMbm+gnB5vxWYoZIYmA4HUedc4=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From:Subject:Reply-To; b=d0wZBDEGmNy1IEqEpheX4K7qUQDJRXvRLDmjhRthYxSsL5kSiTNFDGoyTOkmo6jg0Qhl+kikz9n4fX/+k8CydRBL8UWD3kYdoysxGeJhH+1hhr0BBAvmbC7wqjm66FBvKHGzD73V54nrXAGvAtdqr3yKalLmRxq9KMnSlgBVxVUPVbFraAKdI7yXuBbEBSXZDFH8Q+CyCIyKrdZnGPxBkyr1V8cAbqSvRzw439TNb6WazHI5dH1TnS8FRJsyzzsb/AIBc3k78FMufM0pLqkECmHfZx/uNM9G1R4uJQxiCwLONcztMwsTif1VoV9Ty0K2sEaQkRjT2KIBuTQtOAj3HA== X-SONIC-DKIM-SIGN: v=1; a=rsa-sha256; c=relaxed/relaxed; d=yahoo.com; s=s2048; t=1720647257; bh=X5SE7HU2mGNWYS28wM8+I6XN7iUYQRakicPYHaV/tFO=; h=X-Sonic-MF:From:To:Subject:Date:From:Subject; b=kcdyCeNK6M1fT3qexYVAigQ+ticQMQzCIgl6uPpn0nrhvCPiiG1L1PKHn8jJfZeuBpCHuSoO6E2H1q7DFIiXcGF1evHR+3ubGAg8I2/NeyX8Kb6b7fQd7UgOXb4cRmkzQweqMDsD8YJ/QnSyYpHtFRDTQu+vGLHYtwdqeddWHvj/Z9DPxzzAH2/fXGbQRvpMkUlTFaS8M6/Oqqab1B7LQq53QyfHy30f9TtHcOrLUPblrCQ2iSUJkBGdxXLPyLtRVd9Rkxx7dYA3as1CnH+g+Z92UWXu9yzbHy9tuqhhMedljgc82iGkYIVEEu606B5Yx5TpmBeNzs8MJ8AVK9HCOg== X-YMail-OSG: V7GfGpIVM1nwP1gtTDqO4L8JNlBS2ErQR7ps2DFVBipCbIoM_0_VUiwi7NmKB7Z faIx5awyVNauYy7k1bemwxsC1ZGUw7G1qSiHCN5ZsTcwHrxzFS.tyK5t4jyxfI1k1RUXQuc0oQgB gSVfVfph4hUVFeGvxENHTut2SKOtTdNgSw.Tqg94TXM9cHMRZgmjSXPi9oqrrTgpgH4iCv4yjzzo ytYJ2kOUIiBOI0zPYUIA6VAZvoqZj2fVreyasaVPVBytM.yRH1zPCffm6ePiOBIjIhCgEe5jjnNo sHrRIrJZbmTNxxMS1rP9iywam57E6MEZJKXwjc037WBcbrv4OYavT5hVh7L_x.44DMVwzs9v7C1W _0uzMAzG9YCf6.0.VttAPSDX_hCzHWj_NmY0PeI8k2a6VE2iPxaX22Cu0gTHU5kIspURcvkxOgex W1.DfjSlIZu9jmu9rKDpVCY_axesiNVaGTeTe1cHEq9R7uCDQION62VFRDjQ_Vs3h1dymH__jcmO qavI0pI4mddmQplG.fKme0hx5KxSKTrDgtqOEKBwHEtL6A7L.d60KOLl8DO5u3eHP0BDJPq.EYOe KGO1OYFen8i6AZnTbgAAtJwXHgqFJmbnwY1Id7LEjujs8hXG2MRZ9LEK9gMCq1U3jHcd2WxZ94yV 1L896bGBtWVM4PCiqDhlqVbKttQgfkl4RSiFbPpkWZrNtLHE3pAXRxDYw0gEvV91b0nl3nVbXrbI XZnurajIMBJo24grmMhwXRqTrJPBk2A8hJwDooIP_zso7t17HnC_mgffolJhpPciM1cVEyRd8rHr a9a5ZnDRq9oPdOgvQWpfwCzsD7qrZPFGn7cpZafw9AL03VyEGvMRRkh_Ky46e8NoN2UxriYKy1XA .C7GF4jfDBXWOcZ6GND7ufkiV86S851ILjdtLmGTwz2aJzKfieYTjhwmdJGtCdpY.P6BN7Ujfd8w NiMgTj0O4O14ztalGO2p72XTg8dd.ZshY7HvKRxSqwyL6FnqOFCH.Wt_7DKKO0nqvpYCdC4QLaMz RRCn1gDP58gwRnEf.PW2ikw9NCs7R9F6VidDMfGMQQG7bZnqf3rqVN7mbdk06YalgXbguZeVOFTv ReVaKRv4mUj2iJdlyqAN_2VzIc6sa46GyiIukSsAJcrJ6k9x9S.S8i1wxD7cqqI4QGs5EduDpWQM zmxgH2Lx8a0WgDd4yT.sFjxajQdO3dOFhNh9t5ry64u5lxhTiITLt3lMcDl6ufd4o.i2g9I4mZ4A spR2BGtU5QCzYM3oXYIAYzUk.tO0TZZhHa4OilYRWc1GFcDvVWJU4YkIn2wrgevOlq8Nl1EPpZEI N21y__fvRrydyZ8Ike7iXCKe7nzzVAg1YvYOPm.XZiQO8dv1rxRafG28vj2zTi7bvqTQUiMnWDzw pJEkqsT0D_PcnnfcLJ73bP8cT0VwdCaQWJXQK4kBLgruMfJ__wgtgz7pilvTmkeqhASap1338SgA Go5BpdoaBxVMf3yP0Hh9TGbXhhrg0oSYYChVFse2z4Rl86C9oUwUFxPQAxjNHGC.D4TANsvJyMtN 3NfgrEyYU.6MfI28jlNMWXFB31igGJj9LmHUy.4tt564NXcNNqbt.TjdYd4EXwjlu_gH2DuyY94a qh1.HdSwvuhaxWGfyQJpST9TUVzTKjeAKzZogAPyadld4LGyPrQyTTXroR.62f7.J5fiCw4BQEaH GVrs5hcpfnaVZuKBHTNBufLFyIepz2whfqKex8MmjNVSV_ZILjwTlfjasd5mm9dSoz_EJktTV_Dp eZTeyuHdMO_juC5gj5l6VfA3pm2bPMuM7UywhO6K8x3CpQ31HS.LK5Xp1gX.srwZ6EOA44.L9zOz 1WDQEWE1INL0GsFL1t7lZ_adGZ5AA5_te63Hf3NFyshRx88TOQBqXyPZbDkPBPT45117CPQ2vyvl 7hIu9UV5eYtELAkBlmqB8yo7PQ8YNbk_OU8WRIsY1AImQ8qcVdicuNCQcxUBzBcv1si7kaaQ0s3J jZc7q3pn6Rrq9vizyZ6_RT.yLtmCcHVGSgKK0GHJOsFyv62tYiKBR6H1mkyAA1bxPgfF7XUeFflV wYPGIc8uermMmGmBczpLnGfgf3a0g1SZ3jy9jGHvBNmYF7.do2i2YRipkzKac5ZpPgK_ZcpdzzOA 5XSQRVumMw0_8_wzDNlCAraMuAPWF9cxsTKHM.qG1PrDQ3c_opdNfA0aMI3KaDxvWebTgWrLcYCX EoHYEK1DYOxqsoxXDaJs80fhaFpyTUpY1gv3KzEhN99bNSFKfe4E4ecM_ne90RwngHHEY67QrPYo a2Q-- X-Sonic-MF: X-Sonic-ID: 0a8eff31-3a28-4b34-85a7-fc5ba8efa1e3 Received: from sonic.gate.mail.ne1.yahoo.com by sonic309.consmr.mail.ne1.yahoo.com with HTTP; Wed, 10 Jul 2024 21:34:17 +0000 Received: by hermes--production-gq1-799bb7c8cf-jfh5x (Yahoo Inc. Hermes SMTP Server) with ESMTPA ID e290f093598dd7cebf6712409b4ec393; Wed, 10 Jul 2024 21:34:11 +0000 (UTC) From: Casey Schaufler To: casey@schaufler-ca.com, paul@paul-moore.com, linux-security-module@vger.kernel.org Cc: jmorris@namei.org, serge@hallyn.com, keescook@chromium.org, john.johansen@canonical.com, penguin-kernel@i-love.sakura.ne.jp, stephen.smalley.work@gmail.com, mic@digikod.net Subject: [PATCH v2 3/6] LSM: Add helper for blob allocations Date: Wed, 10 Jul 2024 14:32:27 -0700 Message-ID: <20240710213230.11978-4-casey@schaufler-ca.com> X-Mailer: git-send-email 2.45.2 In-Reply-To: <20240710213230.11978-1-casey@schaufler-ca.com> References: <20240710213230.11978-1-casey@schaufler-ca.com> Precedence: bulk X-Mailing-List: linux-security-module@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Create a helper function lsm_blob_alloc() for general use in the hook specific functions that allocate LSM blobs. Change the hook specific functions to use this helper. This reduces the code size by a small amount and will make adding new instances of infrastructure managed security blobs easier. Signed-off-by: Casey Schaufler Reviewed-by: John Johansen --- security/security.c | 97 +++++++++++++++------------------------------ 1 file changed, 33 insertions(+), 64 deletions(-) diff --git a/security/security.c b/security/security.c index 92068ebd7e2b..e5af4274b8aa 100644 --- a/security/security.c +++ b/security/security.c @@ -603,27 +603,42 @@ int unregister_blocking_lsm_notifier(struct notifier_block *nb) EXPORT_SYMBOL(unregister_blocking_lsm_notifier); /** - * lsm_cred_alloc - allocate a composite cred blob - * @cred: the cred that needs a blob + * lsm_blob_alloc - allocate a composite blob + * @dest: the destination for the blob + * @size: the size of the blob * @gfp: allocation type * - * Allocate the cred blob for all the modules + * Allocate a blob for all the modules * * Returns 0, or -ENOMEM if memory can't be allocated. */ -static int lsm_cred_alloc(struct cred *cred, gfp_t gfp) +static int lsm_blob_alloc(void **dest, size_t size, gfp_t gfp) { - if (blob_sizes.lbs_cred == 0) { - cred->security = NULL; + if (size == 0) { + *dest = NULL; return 0; } - cred->security = kzalloc(blob_sizes.lbs_cred, gfp); - if (cred->security == NULL) + *dest = kzalloc(size, gfp); + if (*dest == NULL) return -ENOMEM; return 0; } +/** + * lsm_cred_alloc - allocate a composite cred blob + * @cred: the cred that needs a blob + * @gfp: allocation type + * + * Allocate the cred blob for all the modules + * + * Returns 0, or -ENOMEM if memory can't be allocated. + */ +static int lsm_cred_alloc(struct cred *cred, gfp_t gfp) +{ + return lsm_blob_alloc(&cred->security, blob_sizes.lbs_cred, gfp); +} + /** * lsm_early_cred - during initialization allocate a composite cred blob * @cred: the cred that needs a blob @@ -690,15 +705,7 @@ int lsm_inode_alloc(struct inode *inode) */ static int lsm_task_alloc(struct task_struct *task) { - if (blob_sizes.lbs_task == 0) { - task->security = NULL; - return 0; - } - - task->security = kzalloc(blob_sizes.lbs_task, GFP_KERNEL); - if (task->security == NULL) - return -ENOMEM; - return 0; + return lsm_blob_alloc(&task->security, blob_sizes.lbs_task, GFP_KERNEL); } /** @@ -711,15 +718,7 @@ static int lsm_task_alloc(struct task_struct *task) */ static int lsm_ipc_alloc(struct kern_ipc_perm *kip) { - if (blob_sizes.lbs_ipc == 0) { - kip->security = NULL; - return 0; - } - - kip->security = kzalloc(blob_sizes.lbs_ipc, GFP_KERNEL); - if (kip->security == NULL) - return -ENOMEM; - return 0; + return lsm_blob_alloc(&kip->security, blob_sizes.lbs_ipc, GFP_KERNEL); } #ifdef CONFIG_KEYS @@ -733,15 +732,7 @@ static int lsm_ipc_alloc(struct kern_ipc_perm *kip) */ static int lsm_key_alloc(struct key *key) { - if (blob_sizes.lbs_key == 0) { - key->security = NULL; - return 0; - } - - key->security = kzalloc(blob_sizes.lbs_key, GFP_KERNEL); - if (key->security == NULL) - return -ENOMEM; - return 0; + return lsm_blob_alloc(&key->security, blob_sizes.lbs_key, GFP_KERNEL); } #endif /* CONFIG_KEYS */ @@ -755,15 +746,8 @@ static int lsm_key_alloc(struct key *key) */ static int lsm_msg_msg_alloc(struct msg_msg *mp) { - if (blob_sizes.lbs_msg_msg == 0) { - mp->security = NULL; - return 0; - } - - mp->security = kzalloc(blob_sizes.lbs_msg_msg, GFP_KERNEL); - if (mp->security == NULL) - return -ENOMEM; - return 0; + return lsm_blob_alloc(&mp->security, blob_sizes.lbs_msg_msg, + GFP_KERNEL); } /** @@ -790,15 +774,8 @@ static void __init lsm_early_task(struct task_struct *task) */ static int lsm_superblock_alloc(struct super_block *sb) { - if (blob_sizes.lbs_superblock == 0) { - sb->s_security = NULL; - return 0; - } - - sb->s_security = kzalloc(blob_sizes.lbs_superblock, GFP_KERNEL); - if (sb->s_security == NULL) - return -ENOMEM; - return 0; + return lsm_blob_alloc(&sb->s_security, blob_sizes.lbs_superblock, + GFP_KERNEL); } /** @@ -4680,23 +4657,15 @@ EXPORT_SYMBOL(security_socket_getpeersec_dgram); /** * lsm_sock_alloc - allocate a composite sock blob * @sock: the sock that needs a blob - * @priority: allocation mode + * @gfp: allocation mode * * Allocate the sock blob for all the modules * * Returns 0, or -ENOMEM if memory can't be allocated. */ -static int lsm_sock_alloc(struct sock *sock, gfp_t priority) +static int lsm_sock_alloc(struct sock *sock, gfp_t gfp) { - if (blob_sizes.lbs_sock == 0) { - sock->sk_security = NULL; - return 0; - } - - sock->sk_security = kzalloc(blob_sizes.lbs_sock, priority); - if (sock->sk_security == NULL) - return -ENOMEM; - return 0; + return lsm_blob_alloc(&sock->sk_security, blob_sizes.lbs_sock, gfp); } /** From patchwork Wed Jul 10 21:32:28 2024 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Casey Schaufler X-Patchwork-Id: 13729739 X-Patchwork-Delegate: paul@paul-moore.com Received: from sonic311-30.consmr.mail.ne1.yahoo.com (sonic311-30.consmr.mail.ne1.yahoo.com [66.163.188.211]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 9F8508287E for ; Wed, 10 Jul 2024 21:34:20 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=66.163.188.211 ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1720647262; cv=none; b=baVp+4bkdMfU/SYDLzqTmazoqwXZP5acCHpueJ9OOLYq6jtIffHtEmZSGnndc+JOxeeh5oEglTOJCLW35QIGBJryWto+8mYukLuciXE8QR4C4+n6QZh1xx3CGfj4ZeK10jpcO+cOHmuEpUrSsf5LrcMzS3Ff3Bu8L/4TeW+F6rg= ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1720647262; c=relaxed/simple; bh=G55R3/vBJCDebM8T/ZcbEMF5gpFTRFuVtpt/6RxfOIo=; h=From:To:Cc:Subject:Date:Message-ID:In-Reply-To:References: MIME-Version; b=YTMwi8MLqWoViTeFebm/FB7fBB7dqIPV89uo5mg6sps+9FoklXVvWoH94Z9aoXVoE48eiCZF1IkCViUUcpy3pSTRBQuRPU/Ir2UILqTxRyrhPwDEfX9tfa1aJz3w4QMKZpNJdG7+D/am8l+Wh0czy+x++ppIQjJzyzDT0EEa1ow= ARC-Authentication-Results: i=1; smtp.subspace.kernel.org; dmarc=none (p=none dis=none) header.from=schaufler-ca.com; spf=none smtp.mailfrom=schaufler-ca.com; dkim=pass (2048-bit key) header.d=yahoo.com header.i=@yahoo.com header.b=WIDjJII2; arc=none smtp.client-ip=66.163.188.211 Authentication-Results: smtp.subspace.kernel.org; dmarc=none (p=none dis=none) header.from=schaufler-ca.com Authentication-Results: smtp.subspace.kernel.org; spf=none smtp.mailfrom=schaufler-ca.com Authentication-Results: smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=yahoo.com header.i=@yahoo.com header.b="WIDjJII2" DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=yahoo.com; s=s2048; t=1720647254; bh=1nodLXpEIclSsfjezwcKYYJe7TxJ/g0XTF/DCRIQkm0=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From:Subject:Reply-To; b=WIDjJII2rb+CgpemSXoGieHry1qAJifqQnJ/FFJD7o9J1L7g1qjnw41/pRewYUHdjCk0gBTZsjBkUu+tPM0QxogtmsGVms3NN1SPRmzNK9Cv7arhj2JupjKWnEY9eODuZ2eQ6XUYV9xxsw1v1Au6qtfaNqtwCrQxGu0FbmZpkNkgvJ2Nj66okzdTXQbc1I5CWZjubkD9uF25RGULsvaFLpz0SCSVLa5md629znWlpJj2J137rsMbe+vdWYEhHmz7PkIKor+4tkrT3v2r/MKyn640T6kTTb+8y2CCQkw+jqqG5MpTGFnJePWqxhfTUJlleqkDLWhP8uQkdqkIOIv+EA== X-SONIC-DKIM-SIGN: v=1; a=rsa-sha256; c=relaxed/relaxed; d=yahoo.com; s=s2048; t=1720647254; bh=01LKZS8+itLh3eEOV6w7nw2rsOzsyfYFQqYfv7danNW=; h=X-Sonic-MF:From:To:Subject:Date:From:Subject; b=YuIBCV93ukMXnnqZU2nIqSPt2UyXolWYq0OshZmKsRweDReC+vCwu2V+9KeYLtKryzl1IhDb488U4VkdJaUj/9/8GdTNdL3tuqurdRUdifoFTJ9IHnBe2cYH3yf4zs9/b/ESD7+nG+Zu/Jlhu0tIkEg2Xl9eep+l7yQYzJHnUcaNPOfZJL9Se8yhoie9YkBaNLwMT+rqhjxy6zHQQV29oWAk6d04HbZ9mOstrhJw1ckpxpGS/uovdoV+ghPyAuwl4V8WhwQrhXwSa3V1mjSKouZ6u2EnP/bRotJVkKZbnFwQRfl1PI+GM6Yk2Ep+i5IchMVU0MyW0fpOvb3TOhTR8Q== X-YMail-OSG: JXXza.sVM1mj4f9ayvqAUL9v59Qdye1vZcvX0jzg4VpuzOD9xN3nxyRx3StrCQF Rzt5icov..3k2lHrBXqNFTFwi3ALqyIbSTrsKfbDT7MaTLOjgGggvuXphPjRHKsfbVH_14d.2xG. MTLM4hJIgPGaZQ84YhVjh553O0rGpA0DKK3soa2JOIm1ZlpXqYDxE7Znng_Bkb2zmOLm.s4.AsYM 68WOkxhNNmVA6SPGZFRk.jJOTuqrtISZEGL3L86Gyv8b1jgwElR3YQ1FSE6TqtdtOhysyVaOAiPW VJ3uKTmYfPDxsuFhjzJb3dso1DtgzfgJQobKkFEbdPcSUYrs5yevjiqR9itMDESh9mpnuacoASDm .Vx2PufYZNpZFbZpv6MDZYSFKdZIFnfeIM9V04h9sSS.9fPhnE6z9GH6tffFruR3npJ9aBTEW9G8 hv0ikDGZlT2TaBAKrpobNe4mhw4Bt2DyQN5PZXwsfsMWhtiqNpE8iKcwrEC.Ij3YHfYCvXqodK7I uP60UYwaLbYy_nB8VL02VnLZJJN0NxhSy.cPCM_prX02FxjSH4xpeZF.yBNN0tPdmSgeCJoas_i. .iHNOIdOmyX4z490PlpxggUN5lK6oCa9txzF3pQjGEUv8USiSyaH1GSxNIFxQtRLqBh8Mn.J076e AT.iXSHHKo.XOCP3aX9IHQqz8ms7eh9AosoalvYiOtNTNcQtSrUWKNreX2fNxkmYSclD3l4ozAcL NwxZcEftY0nrq1OfMfWUhw3NwQ6sGDwsL.rF3Yqrm2fhV4r4RGE.zu3Jc18QklMMJPsx39vn2BjD IfH.NZjTpjKPGSSTkAEa1sO8DLMMmKo79LNUoJ5FLJ6aXyXBpSvWxgX.gZ7M_S85Cy1T3tNIv8WK H7jQQzLJl2OBM3v9fjEYNIJYf3QeGPe5oiXS8Sv0Ixx09nMj0H0sBX3iOyZB6sIfOcwB2pzmCZuV km_lLk6lVPyouyFwi_nkPA6e9vt4rPqx4J69wcc7NElX25jeCobG34F5VSyJmbbLyIoxFrEK37Ua OVvMV.eXH.lOkkMS1_XDZUFz8PrcSiA4VBL3v8Hc0GXFolbsZ9PqYe7vzQQofhymeK3BAZaA1CJY ds__QcsXVE.23KtHFV8jJIv69Yj8YYZnjVy5kDpYCbs6WF7rvYcCgjFN7Qlth_vdFsIx_yFkKZgJ 37FgCfW1Xs5HuuTiqJNh2j0dMVRLgmHaBWlQ6lWSzoUCbUqvzfHk0x8pDT5gj61eMOz6D6BX8IBp aUKrkaxCJaZYgAIRvl64Q5w56SCcrbji0A.A968N2Y_n6N47DkHj7FSpzwcoswXE6gdaBY__9Soh vJWXPxxc_zrGZPq3.e5xKvlTgZhFYuzK2kErnVJZ7kSb2rEh1u1g84HepeBlDtnS089B9Y4rQ6.7 BVD37PPHcCyjySaeC.YHPvywGNe7.7J.41h4sW9iz7DuBV7faND27cYC1x1M2zsSSMjf_yQzI8iR PK.HXFOkz8r494B_2n09R0x6tTbOxqwDD9EwXWB4IF7bvFxHzWhB.qgEiZAyDnC7j.IdSEI1V5E2 wxciTzRgH1_hCMZMpcBzqA9DMxTOS9XhoNgcby5Fw2Ry10ziDlhfXX3ZRMPH7SFHcUnrUL.vlVVn fj.Px766Zoc_1i8QtqqYyx6WeSTol8XW0QquK3zH2fteyEEGUXLcmnv5dfQwwtm4EeP_CHwSM5_g iqBahFuhNbXGtT45auJoti4ZHMMJKn1J2TkZHFHF42l4PbWQRxtZo22B6w0rsY2aT6lybput1L9a XjMVdN4IEuSXz1DppqYGsCAVFDUZw0oHlgL7Qez9mFd4KgKiGy6zY9wrJvRRFifz27cnCKcRMm8D PHIN5k2c3EnfU_cH3YqlFZjXFw3NRmgowa4om2tmNK4MepBkDVEUR6dmKqZlNUYSks_qnvLejFAz TclA_uvcKKZ88bKsAQjtdfhxHa2nLhpU_PWRoG5LhI7euBWWuQlGk_1Aj0X2AmBUT2PMUrlMDRy5 cUDEuj.n1k1n6H45Qn.hLOjYgSbFvXWQ9ISdYfWXJLsJgorsxcJ..2XhJuk2Itcc0szplz8zW2OU BuVEnbdSbTwTvIUTzm.qsOekJ23VM7jocMn8Q.lxGSS3k4tckw7FqccSd2oRJiYCtpUkgKWdZ.P6 ozUG8vYNG73aXZeam9fOhSyzUutYGb.zql2uvTlJe8kzlEZN37yJ6.xF02HMRTVtFHqUobxGH7yb ix1SetanGqDT8xmWpITxnBrpHjw-- X-Sonic-MF: X-Sonic-ID: fdd195ef-bf7d-46e0-bb1f-612825356727 Received: from sonic.gate.mail.ne1.yahoo.com by sonic311.consmr.mail.ne1.yahoo.com with HTTP; Wed, 10 Jul 2024 21:34:14 +0000 Received: by hermes--production-gq1-799bb7c8cf-jfh5x (Yahoo Inc. Hermes SMTP Server) with ESMTPA ID e290f093598dd7cebf6712409b4ec393; Wed, 10 Jul 2024 21:34:13 +0000 (UTC) From: Casey Schaufler To: casey@schaufler-ca.com, paul@paul-moore.com, linux-security-module@vger.kernel.org Cc: jmorris@namei.org, serge@hallyn.com, keescook@chromium.org, john.johansen@canonical.com, penguin-kernel@i-love.sakura.ne.jp, stephen.smalley.work@gmail.com, mic@digikod.net Subject: [PATCH v2 4/6] LSM: Infrastructure management of the dev_tun blob Date: Wed, 10 Jul 2024 14:32:28 -0700 Message-ID: <20240710213230.11978-5-casey@schaufler-ca.com> X-Mailer: git-send-email 2.45.2 In-Reply-To: <20240710213230.11978-1-casey@schaufler-ca.com> References: <20240710213230.11978-1-casey@schaufler-ca.com> Precedence: bulk X-Mailing-List: linux-security-module@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Move management of the dev_tun security blob out of the individual security modules and into the LSM infrastructure. The security modules tell the infrastructure how much space they require at initialization. There are no longer any modules that require the dev_tun_free hook. The hook definition has been removed. Signed-off-by: Casey Schaufler Reviewed-by: John Johansen --- include/linux/lsm_hook_defs.h | 3 +-- include/linux/lsm_hooks.h | 1 + security/security.c | 17 +++++++++++++++-- security/selinux/hooks.c | 22 ++++++---------------- security/selinux/include/objsec.h | 6 ++++++ 5 files changed, 29 insertions(+), 20 deletions(-) diff --git a/include/linux/lsm_hook_defs.h b/include/linux/lsm_hook_defs.h index cc81f7f7c024..f1e0d6138845 100644 --- a/include/linux/lsm_hook_defs.h +++ b/include/linux/lsm_hook_defs.h @@ -352,8 +352,7 @@ LSM_HOOK(void, LSM_RET_VOID, secmark_refcount_inc, void) LSM_HOOK(void, LSM_RET_VOID, secmark_refcount_dec, void) LSM_HOOK(void, LSM_RET_VOID, req_classify_flow, const struct request_sock *req, struct flowi_common *flic) -LSM_HOOK(int, 0, tun_dev_alloc_security, void **security) -LSM_HOOK(void, LSM_RET_VOID, tun_dev_free_security, void *security) +LSM_HOOK(int, 0, tun_dev_alloc_security, void *security) LSM_HOOK(int, 0, tun_dev_create, void) LSM_HOOK(int, 0, tun_dev_attach_queue, void *security) LSM_HOOK(int, 0, tun_dev_attach, struct sock *sk, void *security) diff --git a/include/linux/lsm_hooks.h b/include/linux/lsm_hooks.h index 7233bc0737be..0ff14ff128c8 100644 --- a/include/linux/lsm_hooks.h +++ b/include/linux/lsm_hooks.h @@ -80,6 +80,7 @@ struct lsm_blob_sizes { int lbs_msg_msg; int lbs_task; int lbs_xattr_count; /* number of xattr slots in new_xattrs array */ + int lbs_tun_dev; }; /** diff --git a/security/security.c b/security/security.c index e5af4274b8aa..f1eb93b65ae9 100644 --- a/security/security.c +++ b/security/security.c @@ -232,6 +232,7 @@ static void __init lsm_set_blob_sizes(struct lsm_blob_sizes *needed) lsm_set_blob_size(&needed->lbs_sock, &blob_sizes.lbs_sock); lsm_set_blob_size(&needed->lbs_superblock, &blob_sizes.lbs_superblock); lsm_set_blob_size(&needed->lbs_task, &blob_sizes.lbs_task); + lsm_set_blob_size(&needed->lbs_tun_dev, &blob_sizes.lbs_tun_dev); lsm_set_blob_size(&needed->lbs_xattr_count, &blob_sizes.lbs_xattr_count); } @@ -410,6 +411,7 @@ static void __init ordered_lsm_init(void) init_debug("sock blob size = %d\n", blob_sizes.lbs_sock); init_debug("superblock blob size = %d\n", blob_sizes.lbs_superblock); init_debug("task blob size = %d\n", blob_sizes.lbs_task); + init_debug("tun device blob size = %d\n", blob_sizes.lbs_tun_dev); init_debug("xattr slots = %d\n", blob_sizes.lbs_xattr_count); /* @@ -4849,7 +4851,18 @@ EXPORT_SYMBOL(security_secmark_refcount_dec); */ int security_tun_dev_alloc_security(void **security) { - return call_int_hook(tun_dev_alloc_security, security); + int rc; + + rc = lsm_blob_alloc(security, blob_sizes.lbs_tun_dev, GFP_KERNEL); + if (rc) + return rc; + + rc = call_int_hook(tun_dev_alloc_security, *security); + if (rc) { + kfree(*security); + *security = NULL; + } + return rc; } EXPORT_SYMBOL(security_tun_dev_alloc_security); @@ -4861,7 +4874,7 @@ EXPORT_SYMBOL(security_tun_dev_alloc_security); */ void security_tun_dev_free_security(void *security) { - call_void_hook(tun_dev_free_security, security); + kfree(security); } EXPORT_SYMBOL(security_tun_dev_free_security); diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c index 986825ba1cc5..34ed787a4bfa 100644 --- a/security/selinux/hooks.c +++ b/security/selinux/hooks.c @@ -5573,24 +5573,14 @@ static void selinux_req_classify_flow(const struct request_sock *req, flic->flowic_secid = req->secid; } -static int selinux_tun_dev_alloc_security(void **security) +static int selinux_tun_dev_alloc_security(void *security) { - struct tun_security_struct *tunsec; + struct tun_security_struct *tunsec = selinux_tun_dev(security); - tunsec = kzalloc(sizeof(*tunsec), GFP_KERNEL); - if (!tunsec) - return -ENOMEM; tunsec->sid = current_sid(); - - *security = tunsec; return 0; } -static void selinux_tun_dev_free_security(void *security) -{ - kfree(security); -} - static int selinux_tun_dev_create(void) { u32 sid = current_sid(); @@ -5608,7 +5598,7 @@ static int selinux_tun_dev_create(void) static int selinux_tun_dev_attach_queue(void *security) { - struct tun_security_struct *tunsec = security; + struct tun_security_struct *tunsec = selinux_tun_dev(security); return avc_has_perm(current_sid(), tunsec->sid, SECCLASS_TUN_SOCKET, TUN_SOCKET__ATTACH_QUEUE, NULL); @@ -5616,7 +5606,7 @@ static int selinux_tun_dev_attach_queue(void *security) static int selinux_tun_dev_attach(struct sock *sk, void *security) { - struct tun_security_struct *tunsec = security; + struct tun_security_struct *tunsec = selinux_tun_dev(security); struct sk_security_struct *sksec = selinux_sock(sk); /* we don't currently perform any NetLabel based labeling here and it @@ -5634,7 +5624,7 @@ static int selinux_tun_dev_attach(struct sock *sk, void *security) static int selinux_tun_dev_open(void *security) { - struct tun_security_struct *tunsec = security; + struct tun_security_struct *tunsec = selinux_tun_dev(security); u32 sid = current_sid(); int err; @@ -6973,6 +6963,7 @@ struct lsm_blob_sizes selinux_blob_sizes __ro_after_init = { .lbs_sock = sizeof(struct sk_security_struct), .lbs_superblock = sizeof(struct superblock_security_struct), .lbs_xattr_count = SELINUX_INODE_INIT_XATTRS, + .lbs_tun_dev = sizeof(struct tun_security_struct), }; #ifdef CONFIG_PERF_EVENTS @@ -7283,7 +7274,6 @@ static struct security_hook_list selinux_hooks[] __ro_after_init = { LSM_HOOK_INIT(secmark_refcount_inc, selinux_secmark_refcount_inc), LSM_HOOK_INIT(secmark_refcount_dec, selinux_secmark_refcount_dec), LSM_HOOK_INIT(req_classify_flow, selinux_req_classify_flow), - LSM_HOOK_INIT(tun_dev_free_security, selinux_tun_dev_free_security), LSM_HOOK_INIT(tun_dev_create, selinux_tun_dev_create), LSM_HOOK_INIT(tun_dev_attach_queue, selinux_tun_dev_attach_queue), LSM_HOOK_INIT(tun_dev_attach, selinux_tun_dev_attach), diff --git a/security/selinux/include/objsec.h b/security/selinux/include/objsec.h index 83b9443d6919..461c6985977d 100644 --- a/security/selinux/include/objsec.h +++ b/security/selinux/include/objsec.h @@ -207,4 +207,10 @@ static inline struct sk_security_struct *selinux_sock(const struct sock *sock) return sock->sk_security + selinux_blob_sizes.lbs_sock; } +static inline struct tun_security_struct * +selinux_tun_dev(void *security) +{ + return security + selinux_blob_sizes.lbs_tun_dev; +} + #endif /* _SELINUX_OBJSEC_H_ */ From patchwork Wed Jul 10 21:32:29 2024 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Casey Schaufler X-Patchwork-Id: 13729737 X-Patchwork-Delegate: paul@paul-moore.com Received: from sonic309-27.consmr.mail.ne1.yahoo.com (sonic309-27.consmr.mail.ne1.yahoo.com [66.163.184.153]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 6677D8287E for ; Wed, 10 Jul 2024 21:34:18 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=66.163.184.153 ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1720647259; cv=none; b=sB+hbjcOxjXk7qyDgvndaMxEzBG5N9Wuw466HcYLthFm/a3LgHHVwPCMQyMrq0kwT650bOXv8hP+Pte2q8doEnBSP+5xpFATRejUysT/Lp+8coZzDxX0elzBSFjRqd6rDq189pOf0Ar2QMFVjj+rIPM9ePfZiJ+Dzkiv6pYtKC8= ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1720647259; c=relaxed/simple; bh=pQ6D/eVGREMzto47KUSU68nUJJbqR88VG/lLRjhPmMo=; h=From:To:Cc:Subject:Date:Message-ID:In-Reply-To:References: MIME-Version; b=PGnRfE+2l6FJL+dGpRD62/Ytt56Ts3i+b4+7p6IoBIa26/61vjF6jOEg4lGMKGhTah1dzPMurdmyyBIyIIA6cbgwpk5dzYqZqI4YEnbGfQ51dMDFIzsPQw8hmkyccr+nsxOSNVXh5lFLALtbjQoskrUReL90+R8A2/hYo1Mo78E= ARC-Authentication-Results: i=1; smtp.subspace.kernel.org; dmarc=none (p=none dis=none) header.from=schaufler-ca.com; spf=none smtp.mailfrom=schaufler-ca.com; dkim=pass (2048-bit key) header.d=yahoo.com header.i=@yahoo.com header.b=afrN0grw; arc=none smtp.client-ip=66.163.184.153 Authentication-Results: smtp.subspace.kernel.org; dmarc=none (p=none dis=none) header.from=schaufler-ca.com Authentication-Results: smtp.subspace.kernel.org; spf=none smtp.mailfrom=schaufler-ca.com Authentication-Results: smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=yahoo.com header.i=@yahoo.com header.b="afrN0grw" DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=yahoo.com; s=s2048; t=1720647257; bh=E9cLMQVnTwQkpUE1vZbyi+mBC4SmZ1s2+PXuFp1S1H4=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From:Subject:Reply-To; b=afrN0grw9l5dQVjGGZ0i7xH5iLaWtJIbSeQBcl+pHgSck7oo0s4/xLlIA6Dg1WLyIZTsIg0Zfv+ytKBxyuHgQ7Nd0GSwzz+qN66pf0POW6c86pYWJyJNEZkr2Pf2uOxSLqhyUPfHjqMTdELNWKGE8jZBuzGTq1TxWZR+U1LObdDvFup6reZHn6SnvRkXXMJZH8P5hUL2i1RkCFvffuh+PDAkq/TsbV87YNYyEXnbuaBPmOZI0Q0SdEDA3onIA84jp9g2ihoJsBSa0bCjGk4U8W/1ktLA2EOUhyLJTeE15IPDX21UmQwaDY8CBdOvWOB540z+lxBEcM9zz5LZGJe0rg== X-SONIC-DKIM-SIGN: v=1; a=rsa-sha256; c=relaxed/relaxed; d=yahoo.com; s=s2048; t=1720647257; bh=ZVuDFNemB7ivI6qWSLbN/JW6Jpw6hzjR1JHTU7vtXW5=; h=X-Sonic-MF:From:To:Subject:Date:From:Subject; b=c9aCCUnm1lcHnE6zb4jhjUZsm3r/e2BxtUn1o541FKYBeXanAZPpvHn47Gv3xBGNeCpcBHCcjgquSSIxx7ZzGlh68b0apuh0D+YElRRm3CmMjo0aX1f+xe10Zz0ZTuXWqlPH5mCaK5mRRzY1779FCBJ9bfHoBPMGy4mSOAVJyKfauOo/2UyI7uG4Q4d7fSRRZfB062abhMCSo0cHievCop6jW+byqdQnM10EprnWFJtGDTAPBXXIQsbT26B2Dcrnb3vUiGuLv1VwUgpBvixaCz6/qYX/swGU7OMoPuxjvkyXEeEjQ/lhP+FhOTddYyvtMOPL/FaEIz50Bx/Ly10r+w== X-YMail-OSG: OKTaUN4VM1lqhaB_Q9dzYM_Nrsmj58hHbVadINMymuqgQFxPHWorjKCjBZXd1rD q53nrPrOGVaMXFEsk4RKinVjfotl5hn1dPk4socetU4TopFcCzFzJtIQqYLPigWcn4LjI7apXKbX uP.2l5px5kMCpgkocn6G.jTtySB39XGcgIv96QV0SF7zdSBE65U1Bp51VOLeqs8NkRysngAYhsTJ F6IDdgLh8TjFg9U5OcJXVojfODCJj4xnHjq8jlgVGGAfvDxJGmzdV85XkvxBZMowduQlCGjaY2me rQ3MqyoQ8EZH5IxwdCx2Zv8WNlij24dHuwki5JrchMMg65yPMpRjsZE_9IrkWGHpe4mqg747SX2f woDnhs1dzq3WabylJ4jVyBRKUL_2RyccGqu76DPmgFYa9f5DnphHk8K29dYzZcDVKzZxjHIr_Jnw .yYVg_GBKYPLLAAnwhz2gebSUUeyFT2Kg3D_tdvW6hGePVfj_LdOxA.CFR_q3zvVw5JLLOhUNDGw oNdnFyycaOATOXOLEM7LtPw9xAtb1PjbVPVEKVtgzYreZviT7aZdePDfx67CGrdQgnBd1DQUC54c colBD2OtUmJ0qV3fG_ee.JTloL6E_LOz891ZWQ.uasbqapfHm_kmtmQCXMarSRP1zrLCms5H_8kt U93Upa7ve9IIJeSVCogK8uvG50Q3hJsSJfeT04zeiFu2vQxK.zHeuz8woQ_YHyZCS55tl.d.0jPe eFV8Fbc.ajpIpNlJQCXE95bRAhyCLGTOqV60JqltF4CGxr5UOQQvAzXjCz6eQlTq1aqAaVtHPtS2 m2hn.bIo.H3p7wvW.Zncyd0d7dXfm5beyGyKEZ1uuGjHoJ4gCLS43O7R6uDPaOINBlb4O4jNYaj7 EjZxHzxMoNgXsDM7AExE2A_uKHYXE7zAfn5pHOEnDzgr_XtVlce4dZUIQ2z_EH08.Ey5f1bA8R5e J3k0cC_1W.rWamEPgiH1ScR9ZJ_LBvG30AsM4j7iBSuYltMwe.24T.PHUi9ZVRML.bjxyH3lcX6t pOL0DIBA5C_2_6jtPGnvqa26i.SRcHZ.rnKvGCsTlHRN6KOUBCL4Edqutuv28ISEqx.kvpzi.I.U uTdahtssGDuCZ9rg_35.9zacqcnB7lN2e_v72Y1jWeGWizRV_1PcfU4o.iiQ2aAPFe3IQuH7LCnh tmvuI3HPBh46D7OQwA1xVsNlDdsMu4z5iOeQ09AYliDqux7EjY73t9Rm38lJPbHl40Wpn7X9ozOW H0e9o316nFO7d7YYnZdR4rsq0lLgSxWoseeCH._PAZcLVTs1m1bUxK2WIuiDlKvbKfBtOFRy5ruk q9xob.nbHrusH2roCEHxr.BTe.LafLGKBVajcM21c73oXYPwzRE13Gh3zg0BAG8sxW1J1nD.oQdY QCzG8QbMMgJr0aRKcsk8mP4MB8rcKHJRoTjP5XxSMaE3gVG.rGzHKUnPxDI2sy7EHFS.nm_m8fyU 341ivfMUjp_iJW._TJHYqF7uYC8glF1Ug3q4fc_YvRFhu1ab61unYq7WVez0dCuqMKInVjfxJlJI WrrpCpr5RDisSXp8_JlQ06UQ9Yfzl4j6QEPe3RZTVy1wTjnXqUlrH8GKrBrz0ZfPPbazbPWxDPaO PmuV_jgZz3a4rg.PdPSDIAMjt3YVLHKQgCTKDA59DvWixwqJQA0QSmuVgxC2gXGfAw2E_9MJllq4 maN07VnerF2tYwT3Ozv1BEYahPzpTgJDnLd13IMN9itxPhmPq_eA4gA9sgcIPi50.20wq8cDZyV. mPRXzgdBWylquGXM6aSM2UUT10mrUGFmvT4diTUh1ujXbJioRiSheWQsn_LychrohvsAOQdkeGPC KvJ0CqTzikhUvLpLY0grfbL6pV1Sy7W8Dr09z1_uVlnxwTTjzRyZQKc90Um2tlPXo0TN0orAVuS1 p9GjTMugh3HQ5p5PdTrl13375InWfoDmRLtmP2BNOgKvvbLpH.TUUO81MtiZ6fIxpaPzDpxN1kbv VG0OZ2Hd1XJef4ccQgR2h0EUkQbhLGVT9St3ofZX3QsGrzwwc5J0oBtt685UX1Osz2b1BTditPne qeei5LDHyzme986qtEVyk0XYfIwO7JzOlqNYAO1czXx4n4y6Ipj6dG1WS7BDak8puWCYSt08UdbE xeN18wrtMO2pA4_jdq7dwibLTCcil64eC4a7GQ0MUcWWZUlgXfEZi6aW6kRETFlPs95S9DjcLTb1 DCN10ug1ufR0tTALf_Cnn610C X-Sonic-MF: X-Sonic-ID: 429c8445-fc75-4698-a56d-dd9792d85b21 Received: from sonic.gate.mail.ne1.yahoo.com by sonic309.consmr.mail.ne1.yahoo.com with HTTP; Wed, 10 Jul 2024 21:34:17 +0000 Received: by hermes--production-gq1-799bb7c8cf-jfh5x (Yahoo Inc. Hermes SMTP Server) with ESMTPA ID e290f093598dd7cebf6712409b4ec393; Wed, 10 Jul 2024 21:34:14 +0000 (UTC) From: Casey Schaufler To: casey@schaufler-ca.com, paul@paul-moore.com, linux-security-module@vger.kernel.org Cc: jmorris@namei.org, serge@hallyn.com, keescook@chromium.org, john.johansen@canonical.com, penguin-kernel@i-love.sakura.ne.jp, stephen.smalley.work@gmail.com, mic@digikod.net Subject: [PATCH v2 5/6] LSM: Infrastructure management of the infiniband blob Date: Wed, 10 Jul 2024 14:32:29 -0700 Message-ID: <20240710213230.11978-6-casey@schaufler-ca.com> X-Mailer: git-send-email 2.45.2 In-Reply-To: <20240710213230.11978-1-casey@schaufler-ca.com> References: <20240710213230.11978-1-casey@schaufler-ca.com> Precedence: bulk X-Mailing-List: linux-security-module@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Move management of the infiniband security blob out of the individual security modules and into the LSM infrastructure. The security modules tell the infrastructure how much space they require at initialization. There are no longer any modules that require the ib_free() hook. The hook definition has been removed. Signed-off-by: Casey Schaufler Reviewed-by: John Johansen --- include/linux/lsm_hook_defs.h | 3 +-- include/linux/lsm_hooks.h | 1 + security/security.c | 17 +++++++++++++++-- security/selinux/hooks.c | 16 +++------------- security/selinux/include/objsec.h | 6 ++++++ 5 files changed, 26 insertions(+), 17 deletions(-) diff --git a/include/linux/lsm_hook_defs.h b/include/linux/lsm_hook_defs.h index f1e0d6138845..7c979137c0f2 100644 --- a/include/linux/lsm_hook_defs.h +++ b/include/linux/lsm_hook_defs.h @@ -372,8 +372,7 @@ LSM_HOOK(int, 0, mptcp_add_subflow, struct sock *sk, struct sock *ssk) LSM_HOOK(int, 0, ib_pkey_access, void *sec, u64 subnet_prefix, u16 pkey) LSM_HOOK(int, 0, ib_endport_manage_subnet, void *sec, const char *dev_name, u8 port_num) -LSM_HOOK(int, 0, ib_alloc_security, void **sec) -LSM_HOOK(void, LSM_RET_VOID, ib_free_security, void *sec) +LSM_HOOK(int, 0, ib_alloc_security, void *sec) #endif /* CONFIG_SECURITY_INFINIBAND */ #ifdef CONFIG_SECURITY_NETWORK_XFRM diff --git a/include/linux/lsm_hooks.h b/include/linux/lsm_hooks.h index 0ff14ff128c8..b6fc6ac88723 100644 --- a/include/linux/lsm_hooks.h +++ b/include/linux/lsm_hooks.h @@ -72,6 +72,7 @@ struct security_hook_list { struct lsm_blob_sizes { int lbs_cred; int lbs_file; + int lbs_ib; int lbs_inode; int lbs_sock; int lbs_superblock; diff --git a/security/security.c b/security/security.c index f1eb93b65ae9..e8f34cbb1990 100644 --- a/security/security.c +++ b/security/security.c @@ -219,6 +219,7 @@ static void __init lsm_set_blob_sizes(struct lsm_blob_sizes *needed) lsm_set_blob_size(&needed->lbs_cred, &blob_sizes.lbs_cred); lsm_set_blob_size(&needed->lbs_file, &blob_sizes.lbs_file); + lsm_set_blob_size(&needed->lbs_ib, &blob_sizes.lbs_ib); /* * The inode blob gets an rcu_head in addition to * what the modules might need. @@ -402,6 +403,7 @@ static void __init ordered_lsm_init(void) init_debug("cred blob size = %d\n", blob_sizes.lbs_cred); init_debug("file blob size = %d\n", blob_sizes.lbs_file); + init_debug("ib blob size = %d\n", blob_sizes.lbs_ib); init_debug("inode blob size = %d\n", blob_sizes.lbs_inode); init_debug("ipc blob size = %d\n", blob_sizes.lbs_ipc); #ifdef CONFIG_KEYS @@ -5070,7 +5072,18 @@ EXPORT_SYMBOL(security_ib_endport_manage_subnet); */ int security_ib_alloc_security(void **sec) { - return call_int_hook(ib_alloc_security, sec); + int rc; + + rc = lsm_blob_alloc(sec, blob_sizes.lbs_ib, GFP_KERNEL); + if (rc) + return rc; + + rc = call_int_hook(ib_alloc_security, *sec); + if (rc) { + kfree(*sec); + *sec = NULL; + } + return rc; } EXPORT_SYMBOL(security_ib_alloc_security); @@ -5082,7 +5095,7 @@ EXPORT_SYMBOL(security_ib_alloc_security); */ void security_ib_free_security(void *sec) { - call_void_hook(ib_free_security, sec); + kfree(sec); } EXPORT_SYMBOL(security_ib_free_security); #endif /* CONFIG_SECURITY_INFINIBAND */ diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c index 34ed787a4bfa..11f4bdabda97 100644 --- a/security/selinux/hooks.c +++ b/security/selinux/hooks.c @@ -6776,23 +6776,13 @@ static int selinux_ib_endport_manage_subnet(void *ib_sec, const char *dev_name, INFINIBAND_ENDPORT__MANAGE_SUBNET, &ad); } -static int selinux_ib_alloc_security(void **ib_sec) +static int selinux_ib_alloc_security(void *ib_sec) { - struct ib_security_struct *sec; + struct ib_security_struct *sec = selinux_ib(ib_sec); - sec = kzalloc(sizeof(*sec), GFP_KERNEL); - if (!sec) - return -ENOMEM; sec->sid = current_sid(); - - *ib_sec = sec; return 0; } - -static void selinux_ib_free_security(void *ib_sec) -{ - kfree(ib_sec); -} #endif #ifdef CONFIG_BPF_SYSCALL @@ -6964,6 +6954,7 @@ struct lsm_blob_sizes selinux_blob_sizes __ro_after_init = { .lbs_superblock = sizeof(struct superblock_security_struct), .lbs_xattr_count = SELINUX_INODE_INIT_XATTRS, .lbs_tun_dev = sizeof(struct tun_security_struct), + .lbs_ib = sizeof(struct ib_security_struct), }; #ifdef CONFIG_PERF_EVENTS @@ -7282,7 +7273,6 @@ static struct security_hook_list selinux_hooks[] __ro_after_init = { LSM_HOOK_INIT(ib_pkey_access, selinux_ib_pkey_access), LSM_HOOK_INIT(ib_endport_manage_subnet, selinux_ib_endport_manage_subnet), - LSM_HOOK_INIT(ib_free_security, selinux_ib_free_security), #endif #ifdef CONFIG_SECURITY_NETWORK_XFRM LSM_HOOK_INIT(xfrm_policy_free_security, selinux_xfrm_policy_free), diff --git a/security/selinux/include/objsec.h b/security/selinux/include/objsec.h index 461c6985977d..b1878f9395b5 100644 --- a/security/selinux/include/objsec.h +++ b/security/selinux/include/objsec.h @@ -213,4 +213,10 @@ selinux_tun_dev(void *security) return security + selinux_blob_sizes.lbs_tun_dev; } +static inline struct ib_security_struct * +selinux_ib(void *ib_sec) +{ + return ib_sec + selinux_blob_sizes.lbs_ib; +} + #endif /* _SELINUX_OBJSEC_H_ */ From patchwork Wed Jul 10 21:32:30 2024 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Casey Schaufler X-Patchwork-Id: 13729740 X-Patchwork-Delegate: paul@paul-moore.com Received: from sonic316-27.consmr.mail.ne1.yahoo.com (sonic316-27.consmr.mail.ne1.yahoo.com [66.163.187.153]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 6D74BD535 for ; Wed, 10 Jul 2024 21:35:55 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=66.163.187.153 ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1720647357; cv=none; b=AvKPc3Dgchc3W1lOXx/XpVfPzeTiwrOkcztR7VDL8/XBYMDbSTDHNYYPOXKErbBpjzPI8YPZR2XyFJdi+7fdyYUH4filEiRQ2ZkYoDnfRz1TqzoCctNbMZ/F/I+5OFknGdoXAscKWIP7ZZo5ipMUveY4YwuY+Lu/ClkglJNndPA= ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1720647357; c=relaxed/simple; bh=2EhCYsIzr0si97J1QYfmDT1bDqO4u/uKt2I08nDMfdU=; h=From:To:Cc:Subject:Date:Message-ID:In-Reply-To:References: MIME-Version; b=R3b4+utdPaTdKGqep43ANUmbYKAWyeWVUTalNB+hU0j6HhQp5KuqTVAQHS2yytIaNauvRAB7pxxVym6DL0hTLMBxNQzH3LJqMWVX5T0uscgU6fC8GziE727BDkYlmcO0DKnfl47Ky+nMo1NZ6rHYlN5daZRFY2f9QlvkwEWUCgo= ARC-Authentication-Results: i=1; smtp.subspace.kernel.org; dmarc=none (p=none dis=none) header.from=schaufler-ca.com; spf=none smtp.mailfrom=schaufler-ca.com; dkim=pass (2048-bit key) header.d=yahoo.com header.i=@yahoo.com header.b=Kmokk+8Q; arc=none smtp.client-ip=66.163.187.153 Authentication-Results: smtp.subspace.kernel.org; dmarc=none (p=none dis=none) header.from=schaufler-ca.com Authentication-Results: smtp.subspace.kernel.org; spf=none smtp.mailfrom=schaufler-ca.com Authentication-Results: smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=yahoo.com header.i=@yahoo.com header.b="Kmokk+8Q" DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=yahoo.com; s=s2048; t=1720647354; bh=L25Pfj89kcj6bP8haqQKOdpjtzclR6D+8BGBHyqsn9o=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From:Subject:Reply-To; b=Kmokk+8QvMaLl7LDD3N2vmVvZfn8WTJ3Hl2NhmE1GE3JBdBkuw8aZg4sbPmrWjNkczA+6AvPIuu48D/UqpokDoS2dIN7XXDBPaVqctMKmgERztuHrYc9ogsc59wfDkXWIN3QCJUx411DIuQ07Sb3MKrI4/iXKFmSka6VxomJDUKYvRJyzXV16rnQQK9u2dTMuoMDeqImWV70ZNKBvrDpmrlESFELOfLiVNHURZZxb7mW6IBU/YyQQTeaerJBcpBAD3VZtsBZNo4pR/oh6mzTHPbFRzf2qEPgp3Z09STHk7+n6SScV39B03unCMaTiosy/S1qSWoZfBj16a83GxguTg== X-SONIC-DKIM-SIGN: v=1; a=rsa-sha256; c=relaxed/relaxed; d=yahoo.com; s=s2048; t=1720647354; bh=9lRrdMoDN2Gqn3i58bSvQEhD+hiHKilVf3qQRUp2SMU=; h=X-Sonic-MF:From:To:Subject:Date:From:Subject; b=VSifdL4dMmBmt2V9ekwJBOkYGooQsmtUTdwkHpcKuzP8HFBzB1QHzExtv1ET+XhfGsOOk8D/qyDWTiULwa7prGJghaIkOPO2coh8as72ysdpkPmc4ZNUpYV3S3g+s32KHZBRtuu/50HStbN+QHRdyZyVjOf2NvQIXzadtNO0w55rj8DFBaJmgY98WWiD5kJJxk3Miny5jCExM2guJ0cLfKGNfiZY7Mdv4u+P3vcqLrhAxVyA/7/spSpovlqEHBX6Dk68ISs8dV8dTM1msO/FAaGQBEH1IKUBj2rAJKpul9eSr/s3k+G/ueLG2yTqJJRXz20sHz2owK6fjFQKvVM8Dw== X-YMail-OSG: PlqKp3UVM1kOKmuxcOqkoskYd8_FqX7oDYgx4jO7m2eV5wmMuyNz0U8izOrLhYm cfXGe3uM2DS7_vWga7Zn.xP_BSGgAZhTwYRXirfh8.mWVWFwArh3P_NSVjdQoHnvEbVvHJJqn.gt Ur3KylIUfLH0RjD5dQMvBqL1nQwGryi1mLWlesfazAI4DPV_KK_OB7JLgCcOWUTaJQ9_PcdmRjNP TWaio72R87tcx4yLQuyzeh..MIl.fLkbfjVnulflw4hl.tbrf6.fWzi5h5LfnT6O1AUFpUgoyx8f tyIjV854wKs0xBbnVD_Y31EKnmTrq8mUEbq0ybK3A7QayIxDt3zOZGCd35RCwgKrKv0PcfwnUX3_ bYzDnb.WwbHlqRpq7lAk0fdlTHmBq35eT6TGJI_0lyE4gFs0CCZVmWZqIXPMNl2KUi58XHR8Eejo 1SWwFKWhBhhxHSD7Zmj8QTT7FDzImDevh0BKkrgpTZXyxUv83mHn78GNcLmHeh0KgbbATVkS6Wg0 ._GsBe9rzQ4NwQ7DnWxtGxXa5K75H2kltqgP2cX99eU2QLK0Bw8e1pipA6CnTETET_E6V7uqpEiE IcPPOUdqIYHscEtzfib8qzSuR5ovgo0MHuJdDVYSDYw6j.__V5DNbpSYSV4qyNeb3Q2JqlevBMXQ vbQOzsw0tFawXdA13nx9jgHxcPsfJ_LqbXcwoh8lfz_GgFwIBEVIp7IDmQE04j5tKbDRUMWF_6sg WZvSa48ky6htl4fS9FPQEuVmRa1ZoD4MpTzR5u387WXgLNmmYWmYHwuLjtaWHbl3NBUrIRnoxXPq QJhMXTUCm7U49_oCummhfgKK1VoGxkDovRbxPh8dDA2zJrsc96Xn0r2ACB3uaBEaOo2KMNOsSr7e 71gkHnROK_VZAH1GUzJQC4rak3Ra9gNwhqGyD5kGT3rCK2ozme.UHaiUDHEtCRiHvaz8YNO0fCKh gcV80PtQesKoSIfUJ6khLN7g8opCecZWNlz.FuBEBEMITXPz6X0u4roE8jR.udGjCTLfqWtXky78 ev45mDiGY8htufss5xvcATBc.yeC_Hrz86poWJSCXc1FEkynw4gEKzvbENk3VEzQSgGGj.vRReGf tLAKofX9KEPILvyDy6XyeZgGrJ8f_2_GGQH_3XE4VfDuAYWOCjMRXSCndO8bRq9vHbODz68nwDE5 hIEXhKqr8tnxr_K9BxUPYIdVOKlah2UD.Qfxxv6MxHI2QY.YvcAX_gbalu8XmrymToV2o7pQBTny LzOpERV.FF.nnUh946T43pqcQUzVc_T66EyXt1xsPBskXTt8MmHp1K0wpW4.NIEnhbLPONzFKgKR M2XFci6HoEHV.Qwa9LtSg8sfxrCrZVgMJ9LPhewKWXAn6z_ICYZVoWA_Pa1al8iuaVfAg0Dyoybp vURMrva5iSHEU6TmFkeEsCgf0UZrMplA2AUKp2o7jANAOZGtSFZpnhovYmNu4ShXU5h9e5gfyMhT 0XG7uTSRgJ.vyOlww7eTq0aitZOiCN8BHIMof.mBPiUPnW0om9tPbBCaVVBch256zBiE8VY69OoI 5YrTBPCQ4ZDAsG5CJ_ZrDk7z5ujiG5Wlsp7XHk6G02YV4Jksy_w6GUCiyjOT9ECt5.L8Xg0I2upM MN_Q7H4r2mj8nbVA7vneNef2khQM7IZo82u83mHIaacgUz50RjWj8nrOm5s7EqgNBlSnAi_g55tF QoVnJf0FKo0yk3XR4LoCGmLF2R44qX0Mmdq_Fu56yunVRWf0NoalGXgK1d3jneV7TGcdY95vitaj KG66jQh82XUJ1fu9JT5ydwEgCs9OQT_tE7sIDuu9EWiDOXjJBB0s53YJnBmMRi9U18IBX2D6vr.O jdlQV8498aMkCRYuRKhZHp6vwi0xvcj2Fve7ryRdzo3kV8KHO803DIeCdH5lHGFjEyN72M_7C.18 ia5nfu_oUxEuuB9c_UsC57duVr6vVec6uQw9nh497Z_0s25RC4BGhmz49bv1Z9uQAcbUH2hGwJNV l3tTihXgmbtCbOnlAn4ElOoDImleqF9sCDkQkRBvn8zKU7YL.Lo2FnltFivxmmycr9yBfR.9CebD SJg7vBUKTXTabE1GiRKD0sJqxHIBdnmConBUqpCmzJlIRWhsDbJt7aoMsSiAlElM1T2kFpnzwySB stp71RnnRO_f.9soBTcGq1VGpyqzwAc7HyCPh1P60qHaEggC7PVi0MqaKYFse.3hvzqLg2w_OlJq izh3TDt5m_ntZbsrBXDNV7Y.thAVFm35.Wo.AIbjVyK.hRVG3fiUrsWvA_bE0yvl.QMCMMqv7m7q zwUY- X-Sonic-MF: X-Sonic-ID: 5f687b58-dda2-480a-a420-265863d844e9 Received: from sonic.gate.mail.ne1.yahoo.com by sonic316.consmr.mail.ne1.yahoo.com with HTTP; Wed, 10 Jul 2024 21:35:54 +0000 Received: by hermes--production-gq1-799bb7c8cf-zh7nt (Yahoo Inc. Hermes SMTP Server) with ESMTPA ID b02b0457b05e8bf93c289b59d86d57f9; Wed, 10 Jul 2024 21:35:48 +0000 (UTC) From: Casey Schaufler To: casey@schaufler-ca.com, paul@paul-moore.com, linux-security-module@vger.kernel.org Cc: jmorris@namei.org, serge@hallyn.com, keescook@chromium.org, john.johansen@canonical.com, penguin-kernel@i-love.sakura.ne.jp, stephen.smalley.work@gmail.com, mic@digikod.net Subject: [PATCH v2 6/6] LSM: Infrastructure management of the perf_event security blob Date: Wed, 10 Jul 2024 14:32:30 -0700 Message-ID: <20240710213230.11978-7-casey@schaufler-ca.com> X-Mailer: git-send-email 2.45.2 In-Reply-To: <20240710213230.11978-1-casey@schaufler-ca.com> References: <20240710213230.11978-1-casey@schaufler-ca.com> Precedence: bulk X-Mailing-List: linux-security-module@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Move management of the perf_event->security blob out of the individual security modules and into the security infrastructure. Instead of allocating the blobs from within the modules the modules tell the infrastructure how much space is required, and the space is allocated there. There are no longer any modules that require the perf_event_free() hook. The hook definition has been removed. Signed-off-by: Casey Schaufler Reviewed-by: John Johansen --- include/linux/lsm_hook_defs.h | 1 - include/linux/lsm_hooks.h | 1 + security/security.c | 20 ++++++++++++++++++-- security/selinux/hooks.c | 18 ++++-------------- security/selinux/include/objsec.h | 6 ++++++ 5 files changed, 29 insertions(+), 17 deletions(-) diff --git a/include/linux/lsm_hook_defs.h b/include/linux/lsm_hook_defs.h index 7c979137c0f2..658e4ba282e6 100644 --- a/include/linux/lsm_hook_defs.h +++ b/include/linux/lsm_hook_defs.h @@ -438,7 +438,6 @@ LSM_HOOK(int, 0, locked_down, enum lockdown_reason what) #ifdef CONFIG_PERF_EVENTS LSM_HOOK(int, 0, perf_event_open, struct perf_event_attr *attr, int type) LSM_HOOK(int, 0, perf_event_alloc, struct perf_event *event) -LSM_HOOK(void, LSM_RET_VOID, perf_event_free, struct perf_event *event) LSM_HOOK(int, 0, perf_event_read, struct perf_event *event) LSM_HOOK(int, 0, perf_event_write, struct perf_event *event) #endif /* CONFIG_PERF_EVENTS */ diff --git a/include/linux/lsm_hooks.h b/include/linux/lsm_hooks.h index b6fc6ac88723..f1ca8082075a 100644 --- a/include/linux/lsm_hooks.h +++ b/include/linux/lsm_hooks.h @@ -79,6 +79,7 @@ struct lsm_blob_sizes { int lbs_ipc; int lbs_key; int lbs_msg_msg; + int lbs_perf_event; int lbs_task; int lbs_xattr_count; /* number of xattr slots in new_xattrs array */ int lbs_tun_dev; diff --git a/security/security.c b/security/security.c index e8f34cbb1990..444b0ea28c04 100644 --- a/security/security.c +++ b/security/security.c @@ -28,6 +28,7 @@ #include #include #include +#include #include #include @@ -230,6 +231,7 @@ static void __init lsm_set_blob_sizes(struct lsm_blob_sizes *needed) lsm_set_blob_size(&needed->lbs_ipc, &blob_sizes.lbs_ipc); lsm_set_blob_size(&needed->lbs_key, &blob_sizes.lbs_key); lsm_set_blob_size(&needed->lbs_msg_msg, &blob_sizes.lbs_msg_msg); + lsm_set_blob_size(&needed->lbs_perf_event, &blob_sizes.lbs_perf_event); lsm_set_blob_size(&needed->lbs_sock, &blob_sizes.lbs_sock); lsm_set_blob_size(&needed->lbs_superblock, &blob_sizes.lbs_superblock); lsm_set_blob_size(&needed->lbs_task, &blob_sizes.lbs_task); @@ -412,6 +414,7 @@ static void __init ordered_lsm_init(void) init_debug("msg_msg blob size = %d\n", blob_sizes.lbs_msg_msg); init_debug("sock blob size = %d\n", blob_sizes.lbs_sock); init_debug("superblock blob size = %d\n", blob_sizes.lbs_superblock); + init_debug("perf event blob size = %d\n", blob_sizes.lbs_perf_event); init_debug("task blob size = %d\n", blob_sizes.lbs_task); init_debug("tun device blob size = %d\n", blob_sizes.lbs_tun_dev); init_debug("xattr slots = %d\n", blob_sizes.lbs_xattr_count); @@ -5659,7 +5662,19 @@ int security_perf_event_open(struct perf_event_attr *attr, int type) */ int security_perf_event_alloc(struct perf_event *event) { - return call_int_hook(perf_event_alloc, event); + int rc; + + rc = lsm_blob_alloc(&event->security, blob_sizes.lbs_perf_event, + GFP_KERNEL); + if (rc) + return rc; + + rc = call_int_hook(perf_event_alloc, event); + if (rc) { + kfree(event->security); + event->security = NULL; + } + return rc; } /** @@ -5670,7 +5685,8 @@ int security_perf_event_alloc(struct perf_event *event) */ void security_perf_event_free(struct perf_event *event) { - call_void_hook(perf_event_free, event); + kfree(event->security); + event->security = NULL; } /** diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c index 11f4bdabda97..f42f6af55a73 100644 --- a/security/selinux/hooks.c +++ b/security/selinux/hooks.c @@ -6950,6 +6950,9 @@ struct lsm_blob_sizes selinux_blob_sizes __ro_after_init = { .lbs_ipc = sizeof(struct ipc_security_struct), .lbs_key = sizeof(struct key_security_struct), .lbs_msg_msg = sizeof(struct msg_security_struct), +#ifdef CONFIG_PERF_EVENTS + .lbs_perf_event = sizeof(struct perf_event_security_struct), +#endif .lbs_sock = sizeof(struct sk_security_struct), .lbs_superblock = sizeof(struct superblock_security_struct), .lbs_xattr_count = SELINUX_INODE_INIT_XATTRS, @@ -6981,24 +6984,12 @@ static int selinux_perf_event_alloc(struct perf_event *event) { struct perf_event_security_struct *perfsec; - perfsec = kzalloc(sizeof(*perfsec), GFP_KERNEL); - if (!perfsec) - return -ENOMEM; - + perfsec = selinux_perf_event(event->security); perfsec->sid = current_sid(); - event->security = perfsec; return 0; } -static void selinux_perf_event_free(struct perf_event *event) -{ - struct perf_event_security_struct *perfsec = event->security; - - event->security = NULL; - kfree(perfsec); -} - static int selinux_perf_event_read(struct perf_event *event) { struct perf_event_security_struct *perfsec = event->security; @@ -7310,7 +7301,6 @@ static struct security_hook_list selinux_hooks[] __ro_after_init = { #ifdef CONFIG_PERF_EVENTS LSM_HOOK_INIT(perf_event_open, selinux_perf_event_open), - LSM_HOOK_INIT(perf_event_free, selinux_perf_event_free), LSM_HOOK_INIT(perf_event_read, selinux_perf_event_read), LSM_HOOK_INIT(perf_event_write, selinux_perf_event_write), #endif diff --git a/security/selinux/include/objsec.h b/security/selinux/include/objsec.h index b1878f9395b5..d632a9180b41 100644 --- a/security/selinux/include/objsec.h +++ b/security/selinux/include/objsec.h @@ -219,4 +219,10 @@ selinux_ib(void *ib_sec) return ib_sec + selinux_blob_sizes.lbs_ib; } +static inline struct perf_event_security_struct * +selinux_perf_event(void *perf_event) +{ + return perf_event + selinux_blob_sizes.lbs_perf_event; +} + #endif /* _SELINUX_OBJSEC_H_ */