@@ -1311,8 +1311,8 @@
* context.
* @seclen pointer which contains the length of the data
* @secctx_to_secid:
- * Convert security context to secid.
- * @secid contains the pointer to the generated security ID.
+ * Convert security context to exported lsm data.
+ * @l contains the pointer to the generated security data.
* @secdata contains the security context.
*
* @release_secctx:
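Review bot: The rewritten @secctx_to_secid text says what @l receives on success but not whether the caller must pre-initialize it or what it holds when the hook fails, and the three implementations in this series differ on exactly that (the AppArmor helper ORs into l->flags, SELinux writes @l even when its lookup fails, Smack writes 0 when no entry matches). Propose adding after the `@l` line: ` * @l must be initialized by the caller (flags = LSM_EXPORT_NONE); its contents are unspecified when the hook returns an error.` The enclosing comment block continues outside this hunk.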
@@ -1656,7 +1656,8 @@ union security_list_options {
int (*ismaclabel)(const char *name);
int (*secid_to_secctx)(struct lsm_export *l, char **secdata,
u32 *seclen);
- int (*secctx_to_secid)(const char *secdata, u32 seclen, u32 *secid);
+ int (*secctx_to_secid)(const char *secdata, u32 seclen,
+ struct lsm_export *l);
void (*release_secctx)(char *secdata, u32 seclen);
void (*inode_invalidate_secctx)(struct inode *inode);
@@ -27,7 +27,8 @@ struct aa_label;
struct aa_label *aa_secid_to_label(struct lsm_export *l);
int apparmor_secid_to_secctx(struct lsm_export *l, char **secdata, u32 *seclen);
-int apparmor_secctx_to_secid(const char *secdata, u32 seclen, u32 *secid);
+int apparmor_secctx_to_secid(const char *secdata, u32 seclen,
+ struct lsm_export *l);
void apparmor_release_secctx(char *secdata, u32 seclen);
@@ -75,9 +75,9 @@ struct aa_label *aa_secid_to_label(struct lsm_export *l)
return label;
}
-static inline void aa_import_secid(struct lsm_export *l, u32 secid)
+static inline void aa_export_secid(struct lsm_export *l, u32 secid)
{
- l->flags = LSM_EXPORT_APPARMOR;
+ l->flags |= LSM_EXPORT_APPARMOR;
l->apparmor = secid;
}
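Review bot: Switching to `l->flags |= LSM_EXPORT_APPARMOR` makes aa_export_secid correct only when the caller has already initialized l->flags; the one caller visible in this series (security_secctx_to_secid) does so with `.flags = LSM_EXPORT_NONE`, but an lsm_export declared without an initializer would OR into indeterminate stack contents. Worth stating the precondition above the function: `/* Caller must have initialized l->flags (LSM_EXPORT_NONE); bits are OR-ed in so several LSMs can populate one lsm_export. */`.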
@@ -111,7 +111,8 @@ int apparmor_secid_to_secctx(struct lsm_export *l, char **secdata, u32 *seclen)
return 0;
}
-int apparmor_secctx_to_secid(const char *secdata, u32 seclen, u32 *secid)
+int apparmor_secctx_to_secid(const char *secdata, u32 seclen,
+ struct lsm_export *l)
{
struct aa_label *label;
@@ -119,7 +120,7 @@ int apparmor_secctx_to_secid(const char *secdata, u32 seclen, u32 *secid)
seclen, GFP_KERNEL, false, false);
if (IS_ERR(label))
return PTR_ERR(label);
- *secid = label->secid;
+ aa_export_secid(l, label->secid);
return 0;
}
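Review bot: After `aa_export_secid(l, label->secid)` the function returns without releasing `label`; if the parse call whose tail is visible at the top of the hunk hands back a counted reference (not determinable from here), that reference is leaked on every successful call, exactly as the `*secid = label->secid` it replaces did. The commit does not introduce this, but since the line is being rewritten it is the moment to check and, if so, add `aa_put_label(label);` before `return 0;`. apparmor_secctx_to_secid's signature and the parse call lie outside this hunk.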
@@ -1998,8 +1998,12 @@ EXPORT_SYMBOL(security_secid_to_secctx);
int security_secctx_to_secid(const char *secdata, u32 seclen, u32 *secid)
{
- *secid = 0;
- return call_int_hook(secctx_to_secid, 0, secdata, seclen, secid);
+ struct lsm_export data = { .flags = LSM_EXPORT_NONE };
+ int rc;
+
+ rc = call_int_hook(secctx_to_secid, 0, secdata, seclen, &data);
+ lsm_export_secid(&data, secid);
+ return rc;
}
EXPORT_SYMBOL(security_secctx_to_secid);
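Review bot: The old body guaranteed `*secid == 0` when the hook failed or no LSM answered; the new body calls `lsm_export_secid(&data, secid)` unconditionally, so what `*secid` holds on `rc != 0` now depends on how lsm_export_secid treats LSM_EXPORT_NONE and on what a failing hook left in `data` (the SELinux hook in this series writes its field even on error). Callers outside this hunk may still rely on the old contract and read *secid without checking rc, so keep the explicit zero, `*secid = 0;` before the hook call, or export only on success: `if (rc == 0) lsm_export_secid(&data, secid);`. The designated initializer zeroing the per-LSM members is the right choice for the scaffolding.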
@@ -6204,10 +6204,16 @@ static int selinux_secid_to_secctx(struct lsm_export *l, char **secdata,
secdata, seclen);
}
-static int selinux_secctx_to_secid(const char *secdata, u32 seclen, u32 *secid)
+static int selinux_secctx_to_secid(const char *secdata, u32 seclen,
+ struct lsm_export *l)
{
- return security_context_to_sid(&selinux_state, secdata, seclen,
- secid, GFP_KERNEL);
+ u32 secid;
+ int rc;
+
+ rc = security_context_to_sid(&selinux_state, secdata, seclen,
+ &secid, GFP_KERNEL);
+ selinux_export_secid(l, secid);
+ return rc;
}
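Review bot: `u32 secid;` has no initializer and `selinux_export_secid(l, secid)` runs even when `security_context_to_sid` returned an error, so unless that function is guaranteed to store a value on every failure path (not visible here) the hook exports an indeterminate value into `l`. Initialize it, `u32 secid = 0;`, or guard the export with `if (rc == 0)`; the former also preserves the secid-is-0-on-error behaviour the old code path gave callers.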
static void selinux_release_secctx(char *secdata, u32 seclen)
@@ -4371,14 +4371,15 @@ static int smack_secid_to_secctx(struct lsm_export *l, char **secdata,
*
* Exists for audit and networking code.
*/
-static int smack_secctx_to_secid(const char *secdata, u32 seclen, u32 *secid)
+static int smack_secctx_to_secid(const char *secdata, u32 seclen,
+ struct lsm_export *l)
{
struct smack_known *skp = smk_find_entry(secdata);
if (skp)
- *secid = skp->smk_secid;
+ smack_export_secid(l, skp->smk_secid);
else
- *secid = 0;
+ smack_export_secid(l, 0);
return 0;
}
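Review bot: `smk_find_entry(secdata)` takes only the context pointer, so `seclen` remains unused on the new side and the lookup appears to rely on `secdata` being NUL-terminated by the caller; that predates the commit, but with the signature being rewritten a one-line comment would save the next reader a trip: `/* seclen is unused: smk_find_entry() expects a NUL-terminated context. */`. The function's kerneldoc header begins outside the hunk.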
Convert the secctx_to_secid hooks to use the lsm_export structure instead of a u32 secid. There is some scaffolding involved that will be removed when security_secctx_to_secid() is updated. Signed-off-by: Casey Schaufler <casey@schaufler-ca.com> --- include/linux/lsm_hooks.h | 7 ++++--- security/apparmor/include/secid.h | 3 ++- security/apparmor/secid.c | 9 +++++---- security/security.c | 8 ++++++-- security/selinux/hooks.c | 12 +++++++++--- security/smack/smack_lsm.c | 7 ++++--- 6 files changed, 30 insertions(+), 16 deletions(-)