@@ -81,10 +81,11 @@ struct lsm_export {
u32 apparmor;
u32 flags;
};
-#define LSM_EXPORT_NONE 0x00
-#define LSM_EXPORT_SELINUX 0x01
-#define LSM_EXPORT_SMACK 0x02
-#define LSM_EXPORT_APPARMOR 0x04
+#define LSM_EXPORT_NONE 0x00000000
+#define LSM_EXPORT_SELINUX 0x00000001
+#define LSM_EXPORT_SMACK 0x00000002
+#define LSM_EXPORT_APPARMOR 0x00000004
+#define LSM_EXPORT_LENGTH 0x80000000 /* Only the length required */
static inline void lsm_export_init(struct lsm_export *l)
{
@@ -428,7 +429,7 @@ int security_setprocattr(const char *lsm, const char *name, void *value,
size_t size);
int security_netlink_send(struct sock *sk, struct sk_buff *skb);
int security_ismaclabel(const char *name);
-int security_secid_to_secctx(struct lsm_export *l, char **secdata, u32 *seclen);
+int security_secid_to_secctx(struct lsm_export *l, struct lsm_context *cp);
int security_secctx_to_secid(struct lsm_context *cp, struct lsm_export *l);
void security_release_secctx(struct lsm_context *cp);
@@ -1197,7 +1198,7 @@ static inline int security_ismaclabel(const char *name)
}
static inline int security_secid_to_secctx(struct lsm_export *l,
- char **secdata, u32 *seclen)
+ struct lsm_seccontext *cp)
{
return -EOPNOTSUPP;
}
@@ -96,7 +96,7 @@ static inline void scm_passec(struct socket *sock, struct msghdr *msg, struct sc
int err;
if (test_bit(SOCK_PASSSEC, &sock->flags)) {
- err = security_secid_to_secctx(&scm->le, &lc.context, &lc.len);
+ err = security_secid_to_secctx(&scm->le, &lc);
if (!err) {
put_cmsg(msg, SOL_SOCKET, SCM_SECURITY,
@@ -1416,8 +1416,7 @@ static int audit_receive_msg(struct sk_buff *skb, struct nlmsghdr *nlh)
}
case AUDIT_SIGNAL_INFO:
if (lsm_export_any(&audit_sig_lsm)) {
- err = security_secid_to_secctx(&audit_sig_lsm,
- &lc.context, &lc.len);
+ err = security_secid_to_secctx(&audit_sig_lsm, &lc);
if (err)
return err;
}
@@ -2166,7 +2165,7 @@ void audit_log_name(struct audit_context *context, struct audit_names *n,
if (lsm_export_any(&n->olsm)) {
struct lsm_context lc;
- if (security_secid_to_secctx(&n->olsm, &lc.context, &lc.len)) {
+ if (security_secid_to_secctx(&n->olsm, &lc)) {
audit_log_format(ab, " osid=(unknown)");
if (call_panic)
*call_panic = 2;
@@ -2209,7 +2208,7 @@ int audit_log_task_context(struct audit_buffer *ab)
if (!lsm_export_any(&le))
return 0;
- error = security_secid_to_secctx(&le, &lc.context, &lc.len);
+ error = security_secid_to_secctx(&le, &lc);
if (error) {
if (error != -EINVAL)
goto error_path;
@@ -935,7 +935,7 @@ static int audit_log_pid_context(struct audit_context *context, pid_t pid,
unsigned int sessionid,
struct lsm_export *l, char *comm)
{
- struct lsm_context lc = { .context = NULL, };
+ struct lsm_context lc;
struct audit_buffer *ab;
int rc = 0;
@@ -947,7 +947,7 @@ static int audit_log_pid_context(struct audit_context *context, pid_t pid,
from_kuid(&init_user_ns, auid),
from_kuid(&init_user_ns, uid), sessionid);
if (lsm_export_any(l)) {
- if (security_secid_to_secctx(l, &lc.context, &lc.len)) {
+ if (security_secid_to_secctx(l, &lc)) {
audit_log_format(ab, " obj=(none)");
rc = 1;
} else {
@@ -1161,8 +1161,8 @@ static void show_special(struct audit_context *context, int *call_panic)
from_kgid(&init_user_ns, context->ipc.gid),
context->ipc.mode);
if (lsm_export_any(l)) {
- struct lsm_context lc = { .context = NULL, };
- if (security_secid_to_secctx(l, &lc.context, &lc.len)) {
+ struct lsm_context lc;
+ if (security_secid_to_secctx(l, &lc)) {
audit_log_format(ab, " osid=(unknown)");
*call_panic = 1;
} else {
@@ -138,7 +138,7 @@ static void ip_cmsg_recv_security(struct msghdr *msg, struct sk_buff *skb)
if (err)
return;
- err = security_secid_to_secctx(&le, &lc.context, &lc.len);
+ err = security_secid_to_secctx(&le, &lc);
if (err)
return;
@@ -337,7 +337,7 @@ static int ctnetlink_dump_secctx(struct sk_buff *skb, const struct nf_conn *ct)
le.selinux = ct->secmark;
le.smack = ct->secmark;
- ret = security_secid_to_secctx(&le, &lc.context, &lc.len);
+ ret = security_secid_to_secctx(&le, &lc);
if (ret)
return 0;
@@ -622,18 +622,19 @@ static inline int ctnetlink_secctx_size(const struct nf_conn *ct)
#ifdef CONFIG_NF_CONNTRACK_SECMARK
int len, ret;
struct lsm_export le;
+ struct lsm_context lc;
lsm_export_init(&le);
- le.flags = LSM_EXPORT_SELINUX | LSM_EXPORT_SMACK;
+ le.flags = LSM_EXPORT_SELINUX | LSM_EXPORT_SMACK | LSM_EXPORT_LENGTH;
le.selinux = ct->secmark;
le.smack = ct->secmark;
- ret = security_secid_to_secctx(&le, NULL, &len);
+ ret = security_secid_to_secctx(&le, &lc);
if (ret)
return 0;
return nla_total_size(0) /* CTA_SECCTX */
- + nla_total_size(sizeof(char) * len); /* CTA_SECCTX_NAME */
+ + nla_total_size(sizeof(char) * lc.len); /* CTA_SECCTX_NAME */
#else
return 0;
#endif
@@ -178,7 +178,7 @@ static void ct_show_secctx(struct seq_file *s, const struct nf_conn *ct)
le.selinux = ct->secmark;
le.smack = ct->secmark;
- ret = security_secid_to_secctx(&le, &lc.context, &lc.len);
+ ret = security_secid_to_secctx(&le, &lc);
if (ret)
return;
@@ -322,7 +322,7 @@ static u32 nfqnl_get_sk_secctx(struct sk_buff *skb, char **secdata)
le.flags = LSM_EXPORT_SELINUX | LSM_EXPORT_SMACK;
le.selinux = skb->secmark;
le.smack = skb->secmark;
- security_secid_to_secctx(&le, &lc.context, &lc.len);
+ security_secid_to_secctx(&le, &lc);
*secdata = lc.context;
}
@@ -450,7 +450,7 @@ int netlbl_unlhsh_add(struct net *net,
rcu_read_unlock();
if (audit_buf != NULL) {
struct lsm_context lc;
- if (security_secid_to_secctx(l, &lc.context, &lc.len) == 0) {
+ if (security_secid_to_secctx(l, &lc) == 0) {
audit_log_format(audit_buf, " sec_obj=%s", lc.context);
security_release_secctx(&lc);
}
@@ -504,8 +504,7 @@ static int netlbl_unlhsh_remove_addr4(struct net *net,
if (dev != NULL)
dev_put(dev);
if (entry != NULL &&
- security_secid_to_secctx(&entry->le,
- &lc.context, &lc.len) == 0) {
+ security_secid_to_secctx(&entry->le, &lc) == 0) {
audit_log_format(audit_buf, " sec_obj=%s", lc.context);
security_release_secctx(&lc);
}
@@ -566,8 +565,7 @@ static int netlbl_unlhsh_remove_addr6(struct net *net,
if (dev != NULL)
dev_put(dev);
if (entry != NULL &&
- security_secid_to_secctx(&entry->le,
- &lc.context, &lc.len) == 0) {
+ security_secid_to_secctx(&entry->le, &lc) == 0) {
audit_log_format(audit_buf, " sec_obj=%s", lc.context);
security_release_secctx(&lc);
}
@@ -1137,7 +1135,7 @@ static int netlbl_unlabel_staticlist_gen(u32 cmd,
lep = &addr6->le;
}
- ret_val = security_secid_to_secctx(lep, &lc.context, &lc.len);
+ ret_val = security_secid_to_secctx(lep, &lc);
if (ret_val != 0)
goto list_cb_failure;
ret_val = nla_put(cb_arg->skb,
@@ -112,8 +112,7 @@ struct audit_buffer *netlbl_audit_start_common(int type,
audit_info->sessionid);
if (lsm_export_any(&audit_info->le) &&
- security_secid_to_secctx(&audit_info->le, &lc.context,
- &lc.len) == 0) {
+ security_secid_to_secctx(&audit_info->le, &lc) == 0) {
audit_log_format(audit_buf, " subj=%s", lc.context);
security_release_secctx(&lc);
}
@@ -92,8 +92,7 @@ int apparmor_secid_to_secctx(struct lsm_export *l, struct lsm_context *cp)
if (!label)
return -EINVAL;
- /* scaffolding check - Casey */
- if (cp)
+ if (!(l->flags & LSM_EXPORT_LENGTH))
len = aa_label_asxprint(&cp->context, root_ns, label,
FLAG_SHOW_MODE | FLAG_VIEW_SUBNS |
FLAG_HIDDEN_UNCONFINED | FLAG_ABS_ROOT,
@@ -1973,18 +1973,9 @@ int security_ismaclabel(const char *name)
}
EXPORT_SYMBOL(security_ismaclabel);
-int security_secid_to_secctx(struct lsm_export *l, char **secdata, u32 *seclen)
+int security_secid_to_secctx(struct lsm_export *l, struct lsm_context *cp)
{
- struct lsm_context lc = { .context = NULL, .len = 0, };
- int rc;
-
- rc = call_one_int_hook(secid_to_secctx, -EOPNOTSUPP, l, &lc);
- if (secdata)
- *secdata = lc.context;
- else
- security_release_secctx(&lc);
- *seclen = lc.len;
- return rc;
+ return call_one_int_hook(secid_to_secctx, -EOPNOTSUPP, l, cp);
}
EXPORT_SYMBOL(security_secid_to_secctx);
@@ -6199,6 +6199,9 @@ static int selinux_secid_to_secctx(struct lsm_export *l, struct lsm_context *cp)
u32 secid;
selinux_import_secid(l, &secid);
+ if (l->flags & LSM_EXPORT_LENGTH)
+ return security_sid_to_context(&selinux_state, secid,
+ NULL, &cp->len);
return security_sid_to_context(&selinux_state, secid,
&cp->context, &cp->len);
}
@@ -4357,7 +4357,7 @@ static int smack_secid_to_secctx(struct lsm_export *l, struct lsm_context *cp)
smack_import_secid(l, &secid);
skp = smack_from_secid(secid);
- cp->context = skp->smk_known;
+ cp->context = (l->flags & LSM_EXPORT_LENGTH) ? NULL : skp->smk_known;
cp->len = strlen(skp->smk_known);
return 0;
}
Convert security_secid_to_secctx to use the lsm_context structure instead of a context/secid pair. There is some scaffolding involved that will be removed when the related data is updated. Add a flag for lsm_export to indicate that the caller of security_secid_to_secctx() is only interested in the length of the context. Signed-off-by: Casey Schaufler <casey@schaufler-ca.com> --- include/linux/security.h | 13 +++++++------ include/net/scm.h | 2 +- kernel/audit.c | 7 +++---- kernel/auditsc.c | 8 ++++---- net/ipv4/ip_sockglue.c | 2 +- net/netfilter/nf_conntrack_netlink.c | 9 +++++---- net/netfilter/nf_conntrack_standalone.c | 2 +- net/netfilter/nfnetlink_queue.c | 2 +- net/netlabel/netlabel_unlabeled.c | 10 ++++------ net/netlabel/netlabel_user.c | 3 +-- security/apparmor/secid.c | 3 +-- security/security.c | 13 ++----------- security/selinux/hooks.c | 3 +++ security/smack/smack_lsm.c | 2 +- 14 files changed, 35 insertions(+), 44 deletions(-)