@@ -566,12 +566,8 @@ void kernfs_put(struct kernfs_node *kn)
kfree_const(kn->name);
- if (kn->iattr) {
- if (kn->iattr->ia_secdata)
- security_release_secctx(kn->iattr->ia_secdata,
- kn->iattr->ia_secdata_len);
+ if (kn->iattr)
simple_xattrs_free(&kn->iattr->xattrs);
- }
kfree(kn->iattr);
ida_simple_remove(&root->ino_ida, kn->ino);
kmem_cache_free(kernfs_node_cache, kn);
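Review bot: With the release call gone, `kn->iattr->ia_secdata` is no longer handed back before `kfree(kn->iattr)`, so if that pointer owns an allocation made by a security module it now leaks on every final kernfs_put(). The same applies to the old context swapped out by `kernfs_node_setsecdata()` in the kernfs_iop_setxattr hunk and to every `security_secid_to_secctx()` caller further down (scm, audit, ip_sockglue, conntrack, netlabel). The diffstat touches no security module, so the claim that no module releases its contexts cannot be checked from this patch; confirm that each module's context-returning hooks hand out memory they keep ownership of. If that holds, a comment above the kfree would record the contract, for example `/* ia_secdata is owned by the LSM; nothing to release here */`. kernfs_put() starts and ends outside the hunk.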
@@ -189,8 +189,6 @@ int kernfs_iop_setxattr(struct dentry *unused, struct inode *inode,
error = kernfs_node_setsecdata(kn, &secdata, &secdata_len);
mutex_unlock(&kernfs_mutex);
- if (secdata)
- security_release_secctx(secdata, secdata_len);
return error;
} else if (!strncmp(name, XATTR_TRUSTED_PREFIX, XATTR_TRUSTED_PREFIX_LEN)) {
return simple_xattr_set(&attrs->xattrs, name, value, size,
@@ -123,12 +123,6 @@ nfs4_label_init_security(struct inode *dir, struct dentry *dentry,
return NULL;
}
-static inline void
-nfs4_label_release_security(struct nfs4_label *label)
-{
- if (label)
- security_release_secctx(label->label, label->len);
-}
static inline u32 *nfs4_bitmask(struct nfs_server *server, struct nfs4_label *label)
{
if (label)
@@ -141,9 +135,6 @@ static inline struct nfs4_label *
nfs4_label_init_security(struct inode *dir, struct dentry *dentry,
struct iattr *sattr, struct nfs4_label *l)
{ return NULL; }
-static inline void
-nfs4_label_release_security(struct nfs4_label *label)
-{ return; }
static inline u32 *
nfs4_bitmask(struct nfs_server *server, struct nfs4_label *label)
{ return server->attr_bitmask; }
@@ -3037,8 +3028,6 @@ nfs4_atomic_open(struct inode *dir, struct nfs_open_context *ctx,
/* Protect against concurrent sillydeletes */
state = nfs4_do_open(dir, ctx, open_flags, attr, label, opened);
- nfs4_label_release_security(label);
-
if (IS_ERR(state))
return ERR_CAST(state);
return state->inode;
@@ -3750,7 +3739,6 @@ nfs4_proc_create(struct inode *dir, struct dentry *dentry, struct iattr *sattr,
goto out;
}
out:
- nfs4_label_release_security(ilabel);
put_nfs_open_context(ctx);
return status;
}
@@ -4023,7 +4011,6 @@ static int nfs4_proc_symlink(struct inode *dir, struct dentry *dentry,
&exception);
} while (exception.retry);
- nfs4_label_release_security(label);
return err;
}
@@ -4061,7 +4048,6 @@ static int nfs4_proc_mkdir(struct inode *dir, struct dentry *dentry,
err = nfs4_handle_exception(NFS_SERVER(dir), err,
&exception);
} while (exception.retry);
- nfs4_label_release_security(label);
return err;
}
@@ -4171,8 +4157,6 @@ static int nfs4_proc_mknod(struct inode *dir, struct dentry *dentry,
&exception);
} while (exception.retry);
- nfs4_label_release_security(label);
-
return err;
}
@@ -2788,10 +2788,6 @@ out_acl:
status = nfs_ok;
out:
-#ifdef CONFIG_NFSD_V4_SECURITY_LABEL
- if (context)
- security_release_secctx(context, contextlen);
-#endif /* CONFIG_NFSD_V4_SECURITY_LABEL */
kfree(acl);
if (tempfh) {
fh_put(tempfh);
@@ -158,7 +158,7 @@ xattr_getsecurity(struct inode *inode, const char *name, void *value,
if (!value || !size) {
len = security_inode_getsecurity(inode, name, &buffer, false);
- goto out_noalloc;
+ goto out;
}
len = security_inode_getsecurity(inode, name, &buffer, true);
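Review bot: The buffer requested with the allocate flag set (`security_inode_getsecurity(inode, name, &buffer, true)`) has no matching release after this change, because the following hunk reduces `out:` to a bare `return len;`. Unless the module hook returns memory it still owns even when asked to allocate, every call that reaches this path leaks `buffer`. If the hook does allocate (presumably with kmalloc, to be confirmed against the modules), `out:` should keep a free such as `kfree(buffer);`, with `buffer` initialised to NULL so the size-probe path redirected by `goto out;` can share the label safely. xattr_getsecurity() starts before this hunk and its remaining lines are in the next one.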
@@ -170,8 +170,6 @@ xattr_getsecurity(struct inode *inode, const char *name, void *value,
}
memcpy(value, buffer, len);
out:
- security_release_secctx(buffer, len);
-out_noalloc:
return len;
}
EXPORT_SYMBOL_GPL(xattr_getsecurity);
@@ -363,7 +363,6 @@ int security_netlink_send(struct sock *sk, struct sk_buff *skb);
int security_ismaclabel(const char *name);
int security_secid_to_secctx(u32 secid, char **secdata, u32 *seclen);
int security_secctx_to_secid(const char *secdata, u32 seclen, u32 *secid);
-void security_release_secctx(char *secdata, u32 seclen);
void security_inode_invalidate_secctx(struct inode *inode);
int security_inode_notifysecctx(struct inode *inode, void *ctx, u32 ctxlen);
@@ -1115,10 +1114,6 @@ static inline int security_secctx_to_secid(const char *secdata,
return -EOPNOTSUPP;
}
-static inline void security_release_secctx(char *secdata, u32 seclen)
-{
-}
-
static inline void security_inode_invalidate_secctx(struct inode *inode)
{
}
@@ -96,10 +96,8 @@ static inline void scm_passec(struct socket *sock, struct msghdr *msg, struct sc
if (test_bit(SOCK_PASSSEC, &sock->flags)) {
err = security_secid_to_secctx(scm->secid, &secdata, &seclen);
- if (!err) {
+ if (!err)
put_cmsg(msg, SOL_SOCKET, SCM_SECURITY, seclen, secdata);
- security_release_secctx(secdata, seclen);
- }
}
}
#else
@@ -1029,17 +1029,12 @@ static int audit_receive_msg(struct sk_buff *skb, struct nlmsghdr *nlh)
return err;
}
sig_data = kmalloc(sizeof(*sig_data) + len, GFP_KERNEL);
- if (!sig_data) {
- if (audit_sig_sid)
- security_release_secctx(ctx, len);
+ if (!sig_data)
return -ENOMEM;
- }
sig_data->uid = from_kuid(&init_user_ns, audit_sig_uid);
sig_data->pid = audit_sig_pid;
- if (audit_sig_sid) {
+ if (audit_sig_sid)
memcpy(sig_data->ctx, ctx, len);
- security_release_secctx(ctx, len);
- }
audit_send_reply(skb, seq, AUDIT_SIGNAL_INFO, 0, 0,
sig_data, sizeof(*sig_data) + len);
kfree(sig_data);
@@ -1808,7 +1803,6 @@ void audit_log_name(struct audit_context *context, struct audit_names *n,
*call_panic = 2;
} else {
audit_log_format(ab, " obj=%s", ctx);
- security_release_secctx(ctx, len);
}
}
@@ -1855,7 +1849,6 @@ int audit_log_task_context(struct audit_buffer *ab)
}
audit_log_format(ab, " subj=%s", ctx);
- security_release_secctx(ctx, len);
return 0;
error_path:
@@ -2055,12 +2048,10 @@ void audit_log_secctx(struct audit_buffer *ab, u32 secid)
u32 len;
char *secctx;
- if (security_secid_to_secctx(secid, &secctx, &len)) {
+ if (security_secid_to_secctx(secid, &secctx, &len))
audit_panic("Cannot convert secid to context");
- } else {
+ else
audit_log_format(ab, " obj=%s", secctx);
- security_release_secctx(secctx, len);
- }
}
EXPORT_SYMBOL(audit_log_secctx);
#endif
@@ -983,7 +983,6 @@ static int audit_log_pid_context(struct audit_context *context, pid_t pid,
rc = 1;
} else {
audit_log_format(ab, " obj=%s", ctx);
- security_release_secctx(ctx, len);
}
}
audit_log_format(ab, " ocomm=");
@@ -1199,7 +1198,6 @@ static void show_special(struct audit_context *context, int *call_panic)
*call_panic = 1;
} else {
audit_log_format(ab, " obj=%s", ctx);
- security_release_secctx(ctx, len);
}
}
if (context->ipc.has_perm) {
@@ -127,7 +127,6 @@ static void ip_cmsg_recv_security(struct msghdr *msg, struct sk_buff *skb)
return;
put_cmsg(msg, SOL_IP, SCM_SECURITY, seclen, secdata);
- security_release_secctx(secdata, seclen);
}
static void ip_cmsg_recv_dstaddr(struct msghdr *msg, struct sk_buff *skb)
@@ -109,8 +109,6 @@ static void ct_show_secctx(struct seq_file *s, const struct nf_conn *ct)
return;
seq_printf(s, "secctx=%s ", secctx);
-
- security_release_secctx(secctx, len);
}
#else
static inline void ct_show_secctx(struct seq_file *s, const struct nf_conn *ct)
@@ -332,7 +332,6 @@ static int ctnetlink_dump_secctx(struct sk_buff *skb, const struct nf_conn *ct)
ret = 0;
nla_put_failure:
- security_release_secctx(secctx, len);
return ret;
}
#else
@@ -133,8 +133,6 @@ static void ct_show_secctx(struct seq_file *s, const struct nf_conn *ct)
return;
seq_printf(s, "secctx=%s ", secctx);
-
- security_release_secctx(secctx, len);
}
#else
static inline void ct_show_secctx(struct seq_file *s, const struct nf_conn *ct)
@@ -461,7 +461,6 @@ unlhsh_add_return:
&secctx,
&secctx_len) == 0) {
audit_log_format(audit_buf, " sec_obj=%s", secctx);
- security_release_secctx(secctx, secctx_len);
}
audit_log_format(audit_buf, " res=%u", ret_val == 0 ? 1 : 0);
audit_log_end(audit_buf);
@@ -517,7 +516,6 @@ static int netlbl_unlhsh_remove_addr4(struct net *net,
security_secid_to_secctx(entry->secid,
&secctx, &secctx_len) == 0) {
audit_log_format(audit_buf, " sec_obj=%s", secctx);
- security_release_secctx(secctx, secctx_len);
}
audit_log_format(audit_buf, " res=%u", entry != NULL ? 1 : 0);
audit_log_end(audit_buf);
@@ -578,7 +576,6 @@ static int netlbl_unlhsh_remove_addr6(struct net *net,
security_secid_to_secctx(entry->secid,
&secctx, &secctx_len) == 0) {
audit_log_format(audit_buf, " sec_obj=%s", secctx);
- security_release_secctx(secctx, secctx_len);
}
audit_log_format(audit_buf, " res=%u", entry != NULL ? 1 : 0);
audit_log_end(audit_buf);
@@ -1154,7 +1151,6 @@ static int netlbl_unlabel_staticlist_gen(u32 cmd,
NLBL_UNLABEL_A_SECCTX,
secctx_len,
secctx);
- security_release_secctx(secctx, secctx_len);
if (ret_val != 0)
goto list_cb_failure;
@@ -117,7 +117,6 @@ struct audit_buffer *netlbl_audit_start_common(int type,
&secctx,
&secctx_len) == 0) {
audit_log_format(audit_buf, " subj=%s", secctx);
- security_release_secctx(secctx, secctx_len);
}
return audit_buf;
@@ -1485,12 +1485,6 @@ int security_secctx_to_secid(const char *secdata, u32 seclen, u32 *secid)
}
EXPORT_SYMBOL(security_secctx_to_secid);
-void security_release_secctx(char *secdata, u32 seclen)
-{
- call_void_hook(release_secctx, secdata, seclen);
-}
-EXPORT_SYMBOL(security_release_secctx);
-
void security_inode_invalidate_secctx(struct inode *inode)
{
call_void_hook(inode_invalidate_secctx, inode);
Subject: [PATCH 15/25] LSM: Remove unused security_release_secctx None of the upstream security modules release secctx's. This hook is unused and clutters the code substantially. Signed-off-by: Casey Schaufler <casey@schaufler-ca.com> --- fs/kernfs/dir.c | 6 +----- fs/kernfs/inode.c | 2 -- fs/nfs/nfs4proc.c | 16 ---------------- fs/nfsd/nfs4xdr.c | 4 ---- fs/xattr.c | 4 +--- include/linux/security.h | 5 ----- include/net/scm.h | 4 +--- kernel/audit.c | 17 ++++------------- kernel/auditsc.c | 2 -- net/ipv4/ip_sockglue.c | 1 - net/ipv4/netfilter/nf_conntrack_l3proto_ipv4_compat.c | 2 -- net/netfilter/nf_conntrack_netlink.c | 1 - net/netfilter/nf_conntrack_standalone.c | 2 -- net/netlabel/netlabel_unlabeled.c | 4 ---- net/netlabel/netlabel_user.c | 1 - security/security.c | 6 ------ 16 files changed, 7 insertions(+), 70 deletions(-)