From patchwork Sat Aug 13 20:37:38 2016
X-Patchwork-Submitter: Casey Schaufler
X-Patchwork-Id: 9279357
Subject: [PATCH 17/25] Smack: Abstract remaining security blobs
To: LSM, James Morris
References: <801ef9a9-e594-387c-f285-8d90879ee2bf@schaufler-ca.com>
Cc: John Johansen, Tetsuo Handa, Paul Moore, Stephen Smalley
From: Casey Schaufler
Message-ID: <9b84402b-9715-3c5d-adbc-cddb1353349f@schaufler-ca.com>
Date: Sat, 13 Aug 2016 13:37:38 -0700
In-Reply-To: <801ef9a9-e594-387c-f285-8d90879ee2bf@schaufler-ca.com>

Abstract reading the remaining security blobs. There is no change in the behavior of the code.

Signed-off-by: Casey Schaufler
---
 security/smack/smack.h           |  35 ++++++++++-
 security/smack/smack_lsm.c       | 131 ++++++++++++++++++++++-----------------
 security/smack/smack_netfilter.c |   8 +--
 3 files changed, 111 insertions(+), 63 deletions(-)

diff --git a/security/smack/smack.h index 9b201b4..141f3bf 100644 --- a/security/smack/smack.h +++ b/security/smack/smack.h
@@ -363,12 +363,43 @@ static inline struct smack_known **smack_file(const struct file *file) #endif } +static inline struct inode_smack *smack_inode(const struct inode *inode) +{ + return inode->i_security; +} + +static inline struct socket_smack *smack_sock(const struct sock *sock) +{ + return sock->sk_security; +} + +static inline struct superblock_smack *smack_superblock( + const struct super_block *superblock) +{ + return superblock->s_security; +} + +static inline struct smack_known *smack_msg_msg(const struct msg_msg *msg) +{ + return msg->security; +} + +static inline struct smack_known *smack_ipc(const struct kern_ipc_perm *ipc) +{ + return ipc->security; +} + +static inline struct smack_known *smack_key(const struct key *key) +{ + return key->security; +} + /* * Is the directory transmuting? */ static inline int smk_inode_transmutable(const struct inode *isp) { - struct inode_smack *sip = isp->i_security; + struct inode_smack *sip = smack_inode(isp); return (sip->smk_flags & SMK_INODE_TRANSMUTE) != 0; } @@ -377,7 +408,7 @@ static inline int smk_inode_transmutable(const struct inode *isp) */ static inline struct smack_known *smk_of_inode(const struct inode *isp) { - struct inode_smack *sip = isp->i_security; + struct inode_smack *sip = smack_inode(isp); return sip->smk_inode; } diff --git a/security/smack/smack_lsm.c b/security/smack/smack_lsm.c index fbd0fb3..c078933 100644 --- a/security/smack/smack_lsm.c +++ b/security/smack/smack_lsm.c @@ -164,7 +164,7 @@ static int smk_bu_task(struct task_struct *otp, int mode, int rc) static int smk_bu_inode(struct inode *inode, int mode, int rc) { struct task_smack *tsp = smack_cred(current_cred()); - struct inode_smack *isp = inode->i_security; + struct inode_smack *isp = smack_inode(inode); char acc[SMK_NUM_ACCESS_TYPE + 1]; if (isp->smk_flags & SMK_INODE_IMPURE) 
@@ -196,7 +196,7 @@ static int smk_bu_file(struct file *file, int mode, int rc) struct task_smack *tsp = smack_cred(current_cred()); struct smack_known *sskp = tsp->smk_task; struct inode *inode = file_inode(file); - struct inode_smack *isp = inode->i_security; + struct inode_smack *isp = smack_inode(inode); char acc[SMK_NUM_ACCESS_TYPE + 1]; if (isp->smk_flags & SMK_INODE_IMPURE) @@ -226,7 +226,7 @@ static int smk_bu_credfile(const struct cred *cred, struct file *file, struct task_smack *tsp = smack_cred(cred); struct smack_known *sskp = tsp->smk_task; struct inode *inode = file->f_inode; - struct inode_smack *isp = inode->i_security; + struct inode_smack *isp = smack_inode(inode); char acc[SMK_NUM_ACCESS_TYPE + 1]; if (isp->smk_flags & SMK_INODE_IMPURE) @@ -286,6 +286,19 @@ static struct smack_known *smk_fetch(const char *name, struct inode *ip, } /** + * init_inode_smack - initialize an inode security blob + * @isp: the blob to initialize + * @skp: a pointer to the Smack label entry to use in the blob + * + */ +static void init_inode_smack(struct inode_smack *isp, struct smack_known *skp) +{ + isp->smk_inode = skp; + isp->smk_flags = 0; + mutex_init(&isp->smk_lock); +} + +/** * new_inode_smack - allocate an inode security blob * @skp: a pointer to the Smack label entry to use in the blob * @@ -299,9 +312,7 @@ static struct inode_smack *new_inode_smack(struct smack_known *skp) if (isp == NULL) return NULL; - isp->smk_inode = skp; - isp->smk_flags = 0; - mutex_init(&isp->smk_lock); + init_inode_smack(isp, skp); return isp; } @@ -554,7 +565,9 @@ static int smack_sb_alloc_security(struct super_block *sb) */ static void smack_sb_free_security(struct super_block *sb) { - kfree(sb->s_security); + struct superblock_smack *sbsp = smack_superblock(sb); + + kfree(sbsp); sb->s_security = NULL; } 
@@ -750,7 +763,7 @@ static int smack_set_mnt_opts(struct super_block *sb, { struct dentry *root = sb->s_root; struct inode *inode = d_backing_inode(root); - struct superblock_smack *sp = sb->s_security; + struct superblock_smack *sp = smack_superblock(sb); struct inode_smack *isp; struct smack_known *skp; int i; @@ -828,7 +841,7 @@ static int smack_set_mnt_opts(struct super_block *sb, /* * Initialize the root inode. */ - isp = inode->i_security; + isp = smack_inode(inode); if (isp == NULL) { isp = new_inode_smack(sp->smk_root); if (isp == NULL) @@ -883,7 +896,7 @@ out_err: */ static int smack_sb_statfs(struct dentry *dentry) { - struct superblock_smack *sbp = dentry->d_sb->s_security; + struct superblock_smack *sbp = smack_superblock(dentry->d_sb); int rc; struct smk_audit_info ad; @@ -916,11 +929,11 @@ static int smack_bprm_set_creds(struct linux_binprm *bprm) if (bprm->cred_prepared) return 0; - isp = inode->i_security; + isp = smack_inode(inode); if (isp->smk_task == NULL || isp->smk_task == bsp->smk_task) return 0; - sbsp = inode->i_sb->s_security; + sbsp = smack_superblock(inode->i_sb); if ((sbsp->smk_flags & SMK_SB_UNTRUSTED) && isp->smk_task != sbsp->smk_root) return 0; @@ -1007,7 +1020,7 @@ static int smack_inode_alloc_security(struct inode *inode) */ static void smack_inode_free_security(struct inode *inode) { - kmem_cache_free(smack_inode_cache, inode->i_security); + kmem_cache_free(smack_inode_cache, smack_inode(inode)); inode->i_security = NULL; } @@ -1026,7 +1039,7 @@ static int smack_inode_init_security(struct inode *inode, struct inode *dir, const struct qstr *qstr, const char **name, void **value, size_t *len) { - struct inode_smack *issp = inode->i_security; + struct inode_smack *issp = smack_inode(inode); struct smack_known *skp = smk_of_current(); struct smack_known *isp = smk_of_inode(inode); struct smack_known *dsp = smk_of_inode(dir); 
@@ -1364,7 +1377,7 @@ static void smack_inode_post_setxattr(struct dentry *dentry, const char *name, const void *value, size_t size, int flags) { struct smack_known *skp; - struct inode_smack *isp = d_backing_inode(dentry)->i_security; + struct inode_smack *isp = smack_inode(d_backing_inode(dentry)); if (strcmp(name, XATTR_NAME_SMACKTRANSMUTE) == 0) { isp->smk_flags |= SMK_INODE_TRANSMUTE; @@ -1451,7 +1464,7 @@ static int smack_inode_removexattr(struct dentry *dentry, const char *name) if (rc != 0) return rc; - isp = d_backing_inode(dentry)->i_security; + isp = smack_inode(d_backing_inode(dentry)); /* * Don't do anything special for these. * XATTR_NAME_SMACKIPIN @@ -1511,7 +1524,7 @@ static int smack_inode_getsecurity(struct inode *inode, if (sock == NULL || sock->sk == NULL) return -EOPNOTSUPP; - ssp = sock->sk->sk_security; + ssp = smack_sock(sock->sk); if (strcmp(name, XATTR_SMACK_IPIN) == 0) isp = ssp->smk_in; @@ -1554,7 +1567,7 @@ static int smack_inode_listsecurity(struct inode *inode, char *buffer, */ static void smack_inode_getsecid(struct inode *inode, u32 *secid) { - struct inode_smack *isp = inode->i_security; + struct inode_smack *isp = smack_inode(inode); *secid = isp->smk_inode->smk_secid; } @@ -1719,7 +1732,7 @@ static int smack_mmap_file(struct file *file, if (file == NULL) return 0; - isp = file_inode(file)->i_security; + isp = smack_inode(file_inode(file)); if (isp->smk_mmap == NULL) return 0; sbsp = file_inode(file)->i_sb->s_security; @@ -2051,7 +2064,7 @@ static int smack_kernel_act_as(struct cred *new, u32 secid) static int smack_kernel_create_files_as(struct cred *new, struct inode *inode) { - struct inode_smack *isp = inode->i_security; + struct inode_smack *isp = smack_inode(inode); struct task_smack *tsp = smack_cred(new); tsp->smk_forked = isp->smk_inode; 
@@ -2272,7 +2285,7 @@ static int smack_task_wait(struct task_struct *p) */ static void smack_task_to_inode(struct task_struct *p, struct inode *inode) { - struct inode_smack *isp = inode->i_security; + struct inode_smack *isp = smack_inode(inode); struct smack_known *skp = smk_of_task_struct(p); isp->smk_inode = skp; @@ -2318,7 +2331,9 @@ static int smack_sk_alloc_security(struct sock *sk, int family, gfp_t gfp_flags) */ static void smack_sk_free_security(struct sock *sk) { - kfree(sk->sk_security); + struct socket_smack *ssp = smack_sock(sk); + + kfree(ssp); } /** @@ -2437,7 +2452,7 @@ static struct smack_known *smack_ipv6host_label(struct sockaddr_in6 *sip) static int smack_netlabel(struct sock *sk, int labeled) { struct smack_known *skp; - struct socket_smack *ssp = sk->sk_security; + struct socket_smack *ssp = smack_sock(sk); int rc = 0; /* @@ -2482,7 +2497,7 @@ static int smack_netlabel_send(struct sock *sk, struct sockaddr_in *sap) int rc; int sk_lbl; struct smack_known *hkp; - struct socket_smack *ssp = sk->sk_security; + struct socket_smack *ssp = smack_sock(sk); struct smk_audit_info ad; rcu_read_lock(); @@ -2558,7 +2573,7 @@ static void smk_ipv6_port_label(struct socket *sock, struct sockaddr *address) { struct sock *sk = sock->sk; struct sockaddr_in6 *addr6; - struct socket_smack *ssp = sock->sk->sk_security; + struct socket_smack *ssp = smack_sock(sock->sk); struct smk_port_label *spp; unsigned short port = 0; @@ -2631,7 +2646,7 @@ static int smk_ipv6_port_check(struct sock *sk, struct sockaddr_in6 *address, int act) { struct smk_port_label *spp; - struct socket_smack *ssp = sk->sk_security; + struct socket_smack *ssp = smack_sock(sk); struct smack_known *skp = NULL; unsigned short port; struct smack_known *object; 
@@ -2696,7 +2711,7 @@ static int smack_inode_setsecurity(struct inode *inode, const char *name, const void *value, size_t size, int flags) { struct smack_known *skp; - struct inode_smack *nsp = inode->i_security; + struct inode_smack *nsp = smack_inode(inode); struct socket_smack *ssp; struct socket *sock; int rc = 0; @@ -2723,7 +2738,7 @@ static int smack_inode_setsecurity(struct inode *inode, const char *name, if (sock == NULL || sock->sk == NULL) return -EOPNOTSUPP; - ssp = sock->sk->sk_security; + ssp = smack_sock(sock->sk); if (strcmp(name, XATTR_SMACK_IPIN) == 0) ssp->smk_in = skp; @@ -2771,7 +2786,7 @@ static int smack_socket_post_create(struct socket *sock, int family, * Sockets created by kernel threads receive web label. */ if (unlikely(current->flags & PF_KTHREAD)) { - ssp = sock->sk->sk_security; + ssp = smack_sock(sock->sk); ssp->smk_in = &smack_known_web; ssp->smk_out = &smack_known_web; } @@ -2823,7 +2838,7 @@ static int smack_socket_connect(struct socket *sock, struct sockaddr *sap, #endif #ifdef SMACK_IPV6_SECMARK_LABELING struct smack_known *rsp; - struct socket_smack *ssp = sock->sk->sk_security; + struct socket_smack *ssp = smack_sock(sock->sk); #endif if (sock->sk == NULL) @@ -2905,7 +2920,7 @@ static void smack_msg_msg_free_security(struct msg_msg *msg) */ static struct smack_known *smack_of_shm(struct shmid_kernel *shp) { - return (struct smack_known *)shp->shm_perm.security; + return smack_ipc(&shp->shm_perm); } /** @@ -3032,7 +3047,7 @@ static int smack_shm_shmat(struct shmid_kernel *shp, char __user *shmaddr, */ static struct smack_known *smack_of_sem(struct sem_array *sma) { - return (struct smack_known *)sma->sem_perm.security; + return smack_ipc(&sma->sem_perm); } /** @@ -3158,7 +3173,7 @@ static int smack_sem_semop(struct sem_array *sma, struct sembuf *sops, } /** - * smack_msg_alloc_security - Set the security blob for msg + * smack_msg_queue_alloc_security - Set the security blob for msg * @msq: the object * * Returns 0 
@@ -3173,7 +3188,7 @@ static int smack_msg_queue_alloc_security(struct msg_queue *msq) } /** - * smack_msg_free_security - Clear the security blob for msg + * smack_msg_queue_free_security - Clear the security blob for msg * @msq: the object * * Clears the blob pointer @@ -3193,7 +3208,7 @@ static void smack_msg_queue_free_security(struct msg_queue *msq) */ static struct smack_known *smack_of_msq(struct msg_queue *msq) { - return (struct smack_known *)msq->q_perm.security; + return smack_ipc(&msq->q_perm); } /** @@ -3308,7 +3323,7 @@ static int smack_msg_queue_msgrcv(struct msg_queue *msq, struct msg_msg *msg, */ static int smack_ipc_permission(struct kern_ipc_perm *ipp, short flag) { - struct smack_known *iskp = ipp->security; + struct smack_known *iskp = smack_ipc(ipp); int may = smack_flags_to_may(flag); struct smk_audit_info ad; int rc; @@ -3329,7 +3344,7 @@ static int smack_ipc_permission(struct kern_ipc_perm *ipp, short flag) */ static void smack_ipc_getsecid(struct kern_ipc_perm *ipp, u32 *secid) { - struct smack_known *iskp = ipp->security; + struct smack_known *iskp = smack_ipc(ipp); *secid = iskp->smk_secid; } @@ -3357,7 +3372,7 @@ static void smack_d_instantiate(struct dentry *opt_dentry, struct inode *inode) if (inode == NULL) return; - isp = inode->i_security; + isp = smack_inode(inode); mutex_lock(&isp->smk_lock); /* @@ -3368,7 +3383,7 @@ static void smack_d_instantiate(struct dentry *opt_dentry, struct inode *inode) goto unlockandout; sbp = inode->i_sb; - sbsp = sbp->s_security; + sbsp = smack_superblock(sbp); /* * We're going to use the superblock default label * if there's no label on the file. 
@@ -3672,9 +3687,9 @@ static int smack_unix_stream_connect(struct sock *sock, { struct smack_known *skp; struct smack_known *okp; - struct socket_smack *ssp = sock->sk_security; - struct socket_smack *osp = other->sk_security; - struct socket_smack *nsp = newsk->sk_security; + struct socket_smack *ssp = smack_sock(sock); + struct socket_smack *osp = smack_sock(other); + struct socket_smack *nsp = smack_sock(newsk); struct smk_audit_info ad; int rc = 0; #ifdef CONFIG_AUDIT @@ -3720,8 +3735,8 @@ static int smack_unix_stream_connect(struct sock *sock, */ static int smack_unix_may_send(struct socket *sock, struct socket *other) { - struct socket_smack *ssp = sock->sk->sk_security; - struct socket_smack *osp = other->sk->sk_security; + struct socket_smack *ssp = smack_sock(sock->sk); + struct socket_smack *osp = smack_sock(other->sk); struct smk_audit_info ad; int rc; @@ -3758,7 +3773,7 @@ static int smack_socket_sendmsg(struct socket *sock, struct msghdr *msg, struct sockaddr_in6 *sap = (struct sockaddr_in6 *) msg->msg_name; #endif #ifdef SMACK_IPV6_SECMARK_LABELING - struct socket_smack *ssp = sock->sk->sk_security; + struct socket_smack *ssp = smack_sock(sock->sk); struct smack_known *rsp; #endif int rc = 0; @@ -3932,7 +3947,7 @@ static int smk_skb_to_addr_ipv6(struct sk_buff *skb, struct sockaddr_in6 *sip) static int smack_socket_sock_rcv_skb(struct sock *sk, struct sk_buff *skb) { struct netlbl_lsm_secattr secattr; - struct socket_smack *ssp = sk->sk_security; + struct socket_smack *ssp = smack_sock(sk); struct smack_known *skp = NULL; int rc = 0; struct smk_audit_info ad; @@ -4041,7 +4056,7 @@ static int smack_socket_getpeersec_stream(struct socket *sock, int slen = 1; int rc = 0; - ssp = sock->sk->sk_security; + ssp = smack_sock(sock->sk); if (ssp->smk_packet != NULL) { rcp = ssp->smk_packet->smk_known; slen = strlen(rcp) + 1; 
@@ -4091,7 +4106,7 @@ static int smack_socket_getpeersec_dgram(struct socket *sock, switch (family) { case PF_UNIX: - ssp = sock->sk->sk_security; + ssp = smack_sock(sock->sk); s = ssp->smk_out->smk_secid; break; case PF_INET: @@ -4104,7 +4119,7 @@ static int smack_socket_getpeersec_dgram(struct socket *sock, * Translate what netlabel gave us. */ if (sock != NULL && sock->sk != NULL) - ssp = sock->sk->sk_security; + ssp = smack_sock(sock->sk); netlbl_secattr_init(&secattr); rc = netlbl_skbuff_getattr(skb, family, &secattr); if (rc == 0) { @@ -4142,7 +4157,7 @@ static void smack_sock_graft(struct sock *sk, struct socket *parent) (sk->sk_family != PF_INET && sk->sk_family != PF_INET6)) return; - ssp = sk->sk_security; + ssp = smack_sock(sk); ssp->smk_in = skp; ssp->smk_out = skp; /* cssp->smk_packet is already set in smack_inet_csk_clone() */ @@ -4162,7 +4177,7 @@ static int smack_inet_conn_request(struct sock *sk, struct sk_buff *skb, { u16 family = sk->sk_family; struct smack_known *skp; - struct socket_smack *ssp = sk->sk_security; + struct socket_smack *ssp = smack_sock(sk); struct netlbl_lsm_secattr secattr; struct sockaddr_in addr; struct iphdr *hdr; @@ -4261,7 +4276,7 @@ access_check: static void smack_inet_csk_clone(struct sock *sk, const struct request_sock *req) { - struct socket_smack *ssp = sk->sk_security; + struct socket_smack *ssp = smack_sock(sk); struct smack_known *skp; if (req->peer_secid != 0) { @@ -4322,6 +4337,7 @@ static void smack_key_free(struct key *key) static int smack_key_permission(key_ref_t key_ref, const struct cred *cred, unsigned perm) { + struct smack_known *skp; struct key *keyp; struct smk_audit_info ad; struct smack_known *tkp = smk_of_task(smack_cred(cred)); @@ -4335,7 +4351,8 @@ static int smack_key_permission(key_ref_t key_ref, * If the key hasn't been initialized give it access so that * it may do so. */ - if (keyp->security == NULL) + skp = smack_key(keyp); + if (skp == NULL) return 0; /* * This should not occur 
@@ -4351,8 +4368,8 @@ static int smack_key_permission(key_ref_t key_ref, request = MAY_READ; if (perm & (KEY_NEED_WRITE | KEY_NEED_LINK | KEY_NEED_SETATTR)) request = MAY_WRITE; - rc = smk_access(tkp, keyp->security, request, &ad); - rc = smk_bu_note("key access", tkp, keyp->security, request, rc); + rc = smk_access(tkp, skp, request, &ad); + rc = smk_bu_note("key access", tkp, skp, request, rc); return rc; } @@ -4367,11 +4384,11 @@ static int smack_key_permission(key_ref_t key_ref, */ static int smack_key_getsecurity(struct key *key, char **_buffer) { - struct smack_known *skp = key->security; + struct smack_known *skp = smack_key(key); size_t length; char *copy; - if (key->security == NULL) { + if (skp == NULL) { *_buffer = NULL; return 0; } diff --git a/security/smack/smack_netfilter.c b/security/smack/smack_netfilter.c index aa6bf1b..a893dcf 100644 --- a/security/smack/smack_netfilter.c +++ b/security/smack/smack_netfilter.c @@ -30,8 +30,8 @@ static unsigned int smack_ipv6_output(void *priv, struct socket_smack *ssp; struct smack_known *skp; - if (sk && sk->sk_security) { - ssp = sk->sk_security; + if (sk && smack_sock(sk)) { + ssp = smack_sock(sk); skp = ssp->smk_out; skb->secmark = skp->smk_secid; } @@ -48,8 +48,8 @@ static unsigned int smack_ipv4_output(void *priv, struct socket_smack *ssp; struct smack_known *skp; - if (sk && sk->sk_security) { - ssp = sk->sk_security; + if (sk && smack_sock(sk)) { + ssp = smack_sock(sk); skp = ssp->smk_out; skb->secmark = skp->smk_secid; }
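Review bot: the six accessors added in the smack.h hunk (@@ -363,12 +363,43: smack_inode, smack_sock, smack_superblock, smack_msg_msg, smack_ipc, smack_key) carry no kernel-doc, while the neighbouring smk_inode_transmutable keeps its "Is the directory transmuting?" comment; a one-line comment per helper saying which object's blob it returns would keep the header consistent. Two smaller points in the same hunk: smack_sock() names its parameter `sock`, which throughout smack_lsm.c is the name of a `struct socket *` (the callers in this patch pass `sock->sk`), so `sk` would be the less confusing name, and smack_superblock() would read more naturally with the usual `sb`; and smack_msg_msg() has no caller anywhere in this patch, so either the msg_msg conversion is missing here or that helper belongs with the patch that uses it.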
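Review bot: the kernel-doc block for init_inode_smack() in the @@ -286,6 +286,19 hunk ends with a bare ` *` line before ` */`; drop it to match the style of new_inode_smack() directly below it. Also, after the @@ -299,9 +312,7 hunk new_inode_smack() is the only caller of the new helper, so the split buys nothing on its own; if a second caller arrives later in the series, a sentence in the commit message saying so would explain why the helper is introduced in a patch described as having no behaviour change.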
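Review bot: the smack_mmap_file() hunk (@@ -1719,7 +1732,7) converts `isp = file_inode(file)->i_security;` but leaves the very next assignment in its context, `sbsp = file_inode(file)->i_sb->s_security;`, reading the raw pointer, even though smack_superblock() is added by this same patch. Given the subject "Abstract remaining security blobs" this looks like a missed conversion; it should become `sbsp = smack_superblock(file_inode(file)->i_sb);`.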
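Review bot: in the smack_sk_free_security() hunk (@@ -2318,7 +2331,9) the blob is freed with `kfree(ssp);` but `sk->sk_security` is left pointing at freed memory, whereas the superblock and inode free hooks touched by this patch clear their pointer (`sb->s_security = NULL;`, `inode->i_security = NULL;`). The behaviour is the same as the removed `kfree(sk->sk_security);`, so it is consistent with the commit message, but the smack_netfilter.c hunks test `smack_sock(sk)` for NULL before dereferencing it, and that check only means something if the pointer is cleared on free. Worth a follow-up patch that adds `sk->sk_security = NULL;` after the kfree rather than relying on the dangling pointer never being observed.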
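Review bot: both smack_netfilter.c hunks call the accessor twice, `if (sk && smack_sock(sk)) { ssp = smack_sock(sk);`. Since smack_sock() is a trivial inline this costs nothing, but the idiom reads more naturally as `ssp = sk ? smack_sock(sk) : NULL;` followed by `if (ssp) {`, which also leaves a single place where the blob pointer is read.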
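Review bot: the two hunks at @@ -3158,7 +3173,7 and @@ -3173,7 +3188,7 only correct the kernel-doc titles from smack_msg_alloc_security/smack_msg_free_security to the functions' real names, smack_msg_queue_alloc_security and smack_msg_queue_free_security. That is a valid fix but unrelated to abstracting blob access and not mentioned in the commit message; it would be cleaner as a separate one-line patch, or at least called out in the description.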