From patchwork Mon Dec 13 23:40:21 2021
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Casey Schaufler
X-Patchwork-Id: 12674999
From: Casey Schaufler
To: casey.schaufler@intel.com, jmorris@namei.org, linux-security-module@vger.kernel.org, selinux@vger.kernel.org
Cc: casey@schaufler-ca.com, linux-audit@redhat.com, keescook@chromium.org, john.johansen@canonical.com, penguin-kernel@i-love.sakura.ne.jp, paul@paul-moore.com, sds@tycho.nsa.gov, linux-kernel@vger.kernel.org, Stephen Smalley, Chuck Lever, linux-integrity@vger.kernel.org, netdev@vger.kernel.org, netfilter-devel@vger.kernel.org, linux-nfs@vger.kernel.org
Subject: [PATCH v31 15/28] LSM: Ensure the correct LSM context releaser
Date: Mon, 13 Dec 2021 15:40:21 -0800
Message-Id: <20211213234034.111891-16-casey@schaufler-ca.com>
X-Mailer: git-send-email 2.31.1
In-Reply-To: <20211213234034.111891-1-casey@schaufler-ca.com>
References: <20211213234034.111891-1-casey@schaufler-ca.com>
MIME-Version: 1.0
Precedence: bulk
X-Mailing-List: linux-nfs@vger.kernel.org

Add a new lsmcontext data structure to hold all the information about a "security context", including the string, its size and which LSM allocated the string. The allocation information is necessary because LSMs have different policies regarding the lifecycle of these strings. SELinux allocates and destroys them on each use, whereas Smack provides a pointer to an entry in a list that never goes away.

Reviewed-by: Kees Cook
Reviewed-by: John Johansen
Acked-by: Paul Moore
Acked-by: Stephen Smalley
Acked-by: Chuck Lever
Signed-off-by: Casey Schaufler Cc: linux-integrity@vger.kernel.org Cc: netdev@vger.kernel.org Cc: linux-audit@redhat.com Cc: netfilter-devel@vger.kernel.org To: Pablo Neira Ayuso Cc: linux-nfs@vger.kernel.org --- drivers/android/binder.c | 10 ++++--- fs/ceph/xattr.c | 6 ++++- fs/nfs/nfs4proc.c | 8 ++++-- fs/nfsd/nfs4xdr.c | 7 +++-- include/linux/security.h | 35 +++++++++++++++++++++++-- include/net/scm.h | 5 +++- kernel/audit.c | 14 +++++++--- kernel/auditsc.c | 12 ++++++--- net/ipv4/ip_sockglue.c | 4 ++- net/netfilter/nf_conntrack_netlink.c | 4 ++- net/netfilter/nf_conntrack_standalone.c | 4 ++- net/netfilter/nfnetlink_queue.c | 13 ++++++--- net/netlabel/netlabel_unlabeled.c | 19 +++++++++++--- net/netlabel/netlabel_user.c | 4 ++- security/security.c | 11 ++++---- 15 files changed, 121 insertions(+), 35 deletions(-) diff --git a/drivers/android/binder.c b/drivers/android/binder.c index 27b53e5f71a1..32dca5b40e8a 100644 --- a/drivers/android/binder.c +++ b/drivers/android/binder.c @@ -2469,6 +2469,7 @@ static void binder_transaction(struct binder_proc *proc, int t_debug_id = atomic_inc_return(&binder_last_id); char *secctx = NULL; u32 secctx_sz = 0; + struct lsmcontext scaff; /* scaffolding */ e = binder_transaction_log_add(&binder_transaction_log); e->debug_id = t_debug_id; @@ -2771,7 +2772,8 @@ static void binder_transaction(struct binder_proc *proc, t->security_ctx = 0; WARN_ON(1); } - security_release_secctx(secctx, secctx_sz); + lsmcontext_init(&scaff, secctx, secctx_sz, 0); + security_release_secctx(&scaff); secctx = NULL; } t->buffer->debug_id = t->debug_id; 
@@ -3112,8 +3114,10 @@ static void binder_transaction(struct binder_proc *proc, binder_alloc_free_buf(&target_proc->alloc, t->buffer); err_binder_alloc_buf_failed: err_bad_extra_size: - if (secctx) - security_release_secctx(secctx, secctx_sz); + if (secctx) { + lsmcontext_init(&scaff, secctx, secctx_sz, 0); + security_release_secctx(&scaff); + } err_get_secctx_failed: kfree(tcomplete); binder_stats_deleted(BINDER_STAT_TRANSACTION_COMPLETE); diff --git a/fs/ceph/xattr.c b/fs/ceph/xattr.c index fcf7dfdecf96..df2b3bf46364 100644 --- a/fs/ceph/xattr.c +++ b/fs/ceph/xattr.c @@ -1374,12 +1374,16 @@ int ceph_security_init_secctx(struct dentry *dentry, umode_t mode, void ceph_release_acl_sec_ctx(struct ceph_acl_sec_ctx *as_ctx) { +#ifdef CONFIG_CEPH_FS_SECURITY_LABEL + struct lsmcontext scaff; /* scaffolding */ +#endif #ifdef CONFIG_CEPH_FS_POSIX_ACL posix_acl_release(as_ctx->acl); posix_acl_release(as_ctx->default_acl); #endif #ifdef CONFIG_CEPH_FS_SECURITY_LABEL - security_release_secctx(as_ctx->sec_ctx, as_ctx->sec_ctxlen); + lsmcontext_init(&scaff, as_ctx->sec_ctx, as_ctx->sec_ctxlen, 0); + security_release_secctx(&scaff); #endif if (as_ctx->pagelist) ceph_pagelist_release(as_ctx->pagelist); diff --git a/fs/nfs/nfs4proc.c b/fs/nfs/nfs4proc.c index ee3bc79f6ca3..194bb09663e0 100644 --- a/fs/nfs/nfs4proc.c +++ b/fs/nfs/nfs4proc.c @@ -137,8 +137,12 @@ nfs4_label_init_security(struct inode *dir, struct dentry *dentry, static inline void nfs4_label_release_security(struct nfs4_label *label) { - if (label) - security_release_secctx(label->label, label->len); + struct lsmcontext scaff; /* scaffolding */ + + if (label) { + lsmcontext_init(&scaff, label->label, label->len, 0); + security_release_secctx(&scaff); + } } static inline u32 *nfs4_bitmask(struct nfs_server *server, struct nfs4_label *label) { diff --git a/fs/nfsd/nfs4xdr.c b/fs/nfsd/nfs4xdr.c index 5a93a5db4fb0..f96da9ac116a 100644 --- a/fs/nfsd/nfs4xdr.c +++ b/fs/nfsd/nfs4xdr.c 
@@ -2841,6 +2841,7 @@ nfsd4_encode_fattr(struct xdr_stream *xdr, struct svc_fh *fhp, int err; struct nfs4_acl *acl = NULL; #ifdef CONFIG_NFSD_V4_SECURITY_LABEL + struct lsmcontext scaff; /* scaffolding */ void *context = NULL; int contextlen; #endif @@ -3342,8 +3343,10 @@ nfsd4_encode_fattr(struct xdr_stream *xdr, struct svc_fh *fhp, out: #ifdef CONFIG_NFSD_V4_SECURITY_LABEL - if (context) - security_release_secctx(context, contextlen); + if (context) { + lsmcontext_init(&scaff, context, contextlen, 0); /*scaffolding*/ + security_release_secctx(&scaff); + } #endif /* CONFIG_NFSD_V4_SECURITY_LABEL */ kfree(acl); if (tempfh) { diff --git a/include/linux/security.h b/include/linux/security.h index 872e543d37dd..e439663c955f 100644 --- a/include/linux/security.h +++ b/include/linux/security.h @@ -135,6 +135,37 @@ enum lockdown_reason { extern const char *const lockdown_reasons[LOCKDOWN_CONFIDENTIALITY_MAX+1]; +/* + * A "security context" is the text representation of + * the information used by LSMs. + * This structure contains the string, its length, and which LSM + * it is useful for. + */ +struct lsmcontext { + char *context; /* Provided by the module */ + u32 len; + int slot; /* Identifies the module */ +}; + +/** + * lsmcontext_init - initialize an lsmcontext structure. + * @cp: Pointer to the context to initialize + * @context: Initial context, or NULL + * @size: Size of context, or 0 + * @slot: Which LSM provided the context + * + * Fill in the lsmcontext from the provided information. + * This is a scaffolding function that will be removed when + * lsmcontext integration is complete. + */ +static inline void lsmcontext_init(struct lsmcontext *cp, char *context, + u32 size, int slot) +{ + cp->slot = slot; + cp->context = context; + cp->len = size; +} + /* * Data exported by the security modules * 
@@ -570,7 +601,7 @@ int security_ismaclabel(const char *name); int security_secid_to_secctx(struct lsmblob *blob, char **secdata, u32 *seclen); int security_secctx_to_secid(const char *secdata, u32 seclen, struct lsmblob *blob); -void security_release_secctx(char *secdata, u32 seclen); +void security_release_secctx(struct lsmcontext *cp); void security_inode_invalidate_secctx(struct inode *inode); int security_inode_notifysecctx(struct inode *inode, void *ctx, u32 ctxlen); int security_inode_setsecctx(struct dentry *dentry, void *ctx, u32 ctxlen); @@ -1440,7 +1471,7 @@ static inline int security_secctx_to_secid(const char *secdata, return -EOPNOTSUPP; } -static inline void security_release_secctx(char *secdata, u32 seclen) +static inline void security_release_secctx(struct lsmcontext *cp) { } diff --git a/include/net/scm.h b/include/net/scm.h index 23a35ff1b3f2..f273c4d777ec 100644 --- a/include/net/scm.h +++ b/include/net/scm.h @@ -92,6 +92,7 @@ static __inline__ int scm_send(struct socket *sock, struct msghdr *msg, #ifdef CONFIG_SECURITY_NETWORK static inline void scm_passec(struct socket *sock, struct msghdr *msg, struct scm_cookie *scm) { + struct lsmcontext context; struct lsmblob lb; char *secdata; u32 seclen; @@ -106,7 +107,9 @@ static inline void scm_passec(struct socket *sock, struct msghdr *msg, struct sc if (!err) { put_cmsg(msg, SOL_SOCKET, SCM_SECURITY, seclen, secdata); - security_release_secctx(secdata, seclen); + /*scaffolding*/ + lsmcontext_init(&context, secdata, seclen, 0); + security_release_secctx(&context); } } } diff --git a/kernel/audit.c b/kernel/audit.c index 8ec64e6e8bc0..c17ec23158c4 100644 --- a/kernel/audit.c +++ b/kernel/audit.c @@ -1192,6 +1192,7 @@ static int audit_receive_msg(struct sk_buff *skb, struct nlmsghdr *nlh) struct audit_sig_info *sig_data; char *ctx = NULL; u32 len; + struct lsmcontext scaff; /* scaffolding */ err = audit_netlink_ok(skb, msg_type); if (err) 
@@ -1449,15 +1450,18 @@ static int audit_receive_msg(struct sk_buff *skb, struct nlmsghdr *nlh) } sig_data = kmalloc(sizeof(*sig_data) + len, GFP_KERNEL); if (!sig_data) { - if (lsmblob_is_set(&audit_sig_lsm)) - security_release_secctx(ctx, len); + if (lsmblob_is_set(&audit_sig_lsm)) { + lsmcontext_init(&scaff, ctx, len, 0); + security_release_secctx(&scaff); + } return -ENOMEM; } sig_data->uid = from_kuid(&init_user_ns, audit_sig_uid); sig_data->pid = audit_sig_pid; if (lsmblob_is_set(&audit_sig_lsm)) { memcpy(sig_data->ctx, ctx, len); - security_release_secctx(ctx, len); + lsmcontext_init(&scaff, ctx, len, 0); + security_release_secctx(&scaff); } audit_send_reply(skb, seq, AUDIT_SIGNAL_INFO, 0, 0, sig_data, sizeof(*sig_data) + len); @@ -2132,6 +2136,7 @@ int audit_log_task_context(struct audit_buffer *ab) unsigned len; int error; struct lsmblob blob; + struct lsmcontext scaff; /* scaffolding */ security_task_getsecid_subj(current, &blob); if (!lsmblob_is_set(&blob)) @@ -2145,7 +2150,8 @@ int audit_log_task_context(struct audit_buffer *ab) } audit_log_format(ab, " subj=%s", ctx); - security_release_secctx(ctx, len); + lsmcontext_init(&scaff, ctx, len, 0); + security_release_secctx(&scaff); return 0; error_path: diff --git a/kernel/auditsc.c b/kernel/auditsc.c index 930254bca7b5..3c72ff647fd8 100644 --- a/kernel/auditsc.c +++ b/kernel/auditsc.c @@ -1112,6 +1112,7 @@ static int audit_log_pid_context(struct audit_context *context, pid_t pid, struct lsmblob *blob, char *comm) { struct audit_buffer *ab; + struct lsmcontext lsmcxt; char *ctx = NULL; u32 len; int rc = 0; @@ -1129,7 +1130,8 @@ static int audit_log_pid_context(struct audit_context *context, pid_t pid, rc = 1; } else { audit_log_format(ab, " obj=%s", ctx); - security_release_secctx(ctx, len); + lsmcontext_init(&lsmcxt, ctx, len, 0); /*scaffolding*/ + security_release_secctx(&lsmcxt); } } audit_log_format(ab, " ocomm="); 
@@ -1342,6 +1344,7 @@ static void audit_log_fcaps(struct audit_buffer *ab, struct audit_names *name) static void show_special(struct audit_context *context, int *call_panic) { + struct lsmcontext lsmcxt; struct audit_buffer *ab; int i; @@ -1376,7 +1379,8 @@ static void show_special(struct audit_context *context, int *call_panic) *call_panic = 1; } else { audit_log_format(ab, " obj=%s", ctx); - security_release_secctx(ctx, len); + lsmcontext_init(&lsmcxt, ctx, len, 0); + security_release_secctx(&lsmcxt); } } if (context->ipc.has_perm) { @@ -1533,6 +1537,7 @@ static void audit_log_name(struct audit_context *context, struct audit_names *n, char *ctx = NULL; u32 len; struct lsmblob blob; + struct lsmcontext lsmcxt; lsmblob_init(&blob, n->osid); if (security_secid_to_secctx(&blob, &ctx, &len)) { @@ -1541,7 +1546,8 @@ static void audit_log_name(struct audit_context *context, struct audit_names *n, *call_panic = 2; } else { audit_log_format(ab, " obj=%s", ctx); - security_release_secctx(ctx, len); + lsmcontext_init(&lsmcxt, ctx, len, 0); /* scaffolding */ + security_release_secctx(&lsmcxt); } } diff --git a/net/ipv4/ip_sockglue.c b/net/ipv4/ip_sockglue.c index be7073df19a5..dbba700fb151 100644 --- a/net/ipv4/ip_sockglue.c +++ b/net/ipv4/ip_sockglue.c @@ -130,6 +130,7 @@ static void ip_cmsg_recv_checksum(struct msghdr *msg, struct sk_buff *skb, static void ip_cmsg_recv_security(struct msghdr *msg, struct sk_buff *skb) { + struct lsmcontext context; struct lsmblob lb; char *secdata; u32 seclen, secid; @@ -145,7 +146,8 @@ static void ip_cmsg_recv_security(struct msghdr *msg, struct sk_buff *skb) return; put_cmsg(msg, SOL_IP, SCM_SECURITY, seclen, secdata); - security_release_secctx(secdata, seclen); + lsmcontext_init(&context, secdata, seclen, 0); /* scaffolding */ + security_release_secctx(&context); } static void ip_cmsg_recv_dstaddr(struct msghdr *msg, struct sk_buff *skb) 
diff --git a/net/netfilter/nf_conntrack_netlink.c b/net/netfilter/nf_conntrack_netlink.c index 67b0f3cfc5c7..40cbb00432d4 100644 --- a/net/netfilter/nf_conntrack_netlink.c +++ b/net/netfilter/nf_conntrack_netlink.c @@ -342,6 +342,7 @@ static int ctnetlink_dump_secctx(struct sk_buff *skb, const struct nf_conn *ct) int len, ret; char *secctx; struct lsmblob blob; + struct lsmcontext context; /* lsmblob_init() puts ct->secmark into all of the secids in blob. * security_secid_to_secctx() will know which security module @@ -362,7 +363,8 @@ static int ctnetlink_dump_secctx(struct sk_buff *skb, const struct nf_conn *ct) ret = 0; nla_put_failure: - security_release_secctx(secctx, len); + lsmcontext_init(&context, secctx, len, 0); /* scaffolding */ + security_release_secctx(&context); return ret; } #else diff --git a/net/netfilter/nf_conntrack_standalone.c b/net/netfilter/nf_conntrack_standalone.c index 79c280d1efce..3fcf44342b14 100644 --- a/net/netfilter/nf_conntrack_standalone.c +++ b/net/netfilter/nf_conntrack_standalone.c @@ -179,6 +179,7 @@ static void ct_show_secctx(struct seq_file *s, const struct nf_conn *ct) u32 len; char *secctx; struct lsmblob blob; + struct lsmcontext context; lsmblob_init(&blob, ct->secmark); ret = security_secid_to_secctx(&blob, &secctx, &len); @@ -187,7 +188,8 @@ static void ct_show_secctx(struct seq_file *s, const struct nf_conn *ct) seq_printf(s, "secctx=%s ", secctx); - security_release_secctx(secctx, len); + lsmcontext_init(&context, secctx, len, 0); /* scaffolding */ + security_release_secctx(&context); } #else static inline void ct_show_secctx(struct seq_file *s, const struct nf_conn *ct) diff --git a/net/netfilter/nfnetlink_queue.c b/net/netfilter/nfnetlink_queue.c index 62c0c5b847c6..5961a9b17f66 100644 --- a/net/netfilter/nfnetlink_queue.c +++ b/net/netfilter/nfnetlink_queue.c 
@@ -397,6 +397,7 @@ nfqnl_build_packet_message(struct net *net, struct nfqnl_instance *queue, enum ip_conntrack_info ctinfo; struct nfnl_ct_hook *nfnl_ct; bool csum_verify; + struct lsmcontext scaff; /* scaffolding */ char *secdata = NULL; u32 seclen = 0; @@ -626,8 +627,10 @@ nfqnl_build_packet_message(struct net *net, struct nfqnl_instance *queue, } nlh->nlmsg_len = skb->len; - if (seclen) - security_release_secctx(secdata, seclen); + if (seclen) { + lsmcontext_init(&scaff, secdata, seclen, 0); + security_release_secctx(&scaff); + } return skb; nla_put_failure: @@ -635,8 +638,10 @@ nfqnl_build_packet_message(struct net *net, struct nfqnl_instance *queue, kfree_skb(skb); net_err_ratelimited("nf_queue: error creating packet message\n"); nlmsg_failure: - if (seclen) - security_release_secctx(secdata, seclen); + if (seclen) { + lsmcontext_init(&scaff, secdata, seclen, 0); + security_release_secctx(&scaff); + } return NULL; } diff --git a/net/netlabel/netlabel_unlabeled.c b/net/netlabel/netlabel_unlabeled.c index 15b53fc4e83f..7cb6f27c8cb2 100644 --- a/net/netlabel/netlabel_unlabeled.c +++ b/net/netlabel/netlabel_unlabeled.c @@ -374,6 +374,7 @@ int netlbl_unlhsh_add(struct net *net, struct net_device *dev; struct netlbl_unlhsh_iface *iface; struct audit_buffer *audit_buf = NULL; + struct lsmcontext context; char *secctx = NULL; u32 secctx_len; struct lsmblob blob; @@ -447,7 +448,9 @@ int netlbl_unlhsh_add(struct net *net, &secctx, &secctx_len) == 0) { audit_log_format(audit_buf, " sec_obj=%s", secctx); - security_release_secctx(secctx, secctx_len); + /* scaffolding */ + lsmcontext_init(&context, secctx, secctx_len, 0); + security_release_secctx(&context); } audit_log_format(audit_buf, " res=%u", ret_val == 0 ? 1 : 0); audit_log_end(audit_buf); 
@@ -478,6 +481,7 @@ static int netlbl_unlhsh_remove_addr4(struct net *net, struct netlbl_unlhsh_addr4 *entry; struct audit_buffer *audit_buf; struct net_device *dev; + struct lsmcontext context; char *secctx; u32 secctx_len; struct lsmblob blob; @@ -508,7 +512,9 @@ static int netlbl_unlhsh_remove_addr4(struct net *net, security_secid_to_secctx(&blob, &secctx, &secctx_len) == 0) { audit_log_format(audit_buf, " sec_obj=%s", secctx); - security_release_secctx(secctx, secctx_len); + /* scaffolding */ + lsmcontext_init(&context, secctx, secctx_len, 0); + security_release_secctx(&context); } audit_log_format(audit_buf, " res=%u", entry != NULL ? 1 : 0); audit_log_end(audit_buf); @@ -545,6 +551,7 @@ static int netlbl_unlhsh_remove_addr6(struct net *net, struct netlbl_unlhsh_addr6 *entry; struct audit_buffer *audit_buf; struct net_device *dev; + struct lsmcontext context; char *secctx; u32 secctx_len; struct lsmblob blob; @@ -574,7 +581,8 @@ static int netlbl_unlhsh_remove_addr6(struct net *net, security_secid_to_secctx(&blob, &secctx, &secctx_len) == 0) { audit_log_format(audit_buf, " sec_obj=%s", secctx); - security_release_secctx(secctx, secctx_len); + lsmcontext_init(&context, secctx, secctx_len, 0); + security_release_secctx(&context); } audit_log_format(audit_buf, " res=%u", entry != NULL ? 1 : 0); audit_log_end(audit_buf); @@ -1093,6 +1101,7 @@ static int netlbl_unlabel_staticlist_gen(u32 cmd, int ret_val = -ENOMEM; struct netlbl_unlhsh_walk_arg *cb_arg = arg; struct net_device *dev; + struct lsmcontext context; void *data; u32 secid; char *secctx; @@ -1163,7 +1172,9 @@ static int netlbl_unlabel_staticlist_gen(u32 cmd, NLBL_UNLABEL_A_SECCTX, secctx_len, secctx); - security_release_secctx(secctx, secctx_len); + /* scaffolding */ + lsmcontext_init(&context, secctx, secctx_len, 0); + security_release_secctx(&context); if (ret_val != 0) goto list_cb_failure; diff --git a/net/netlabel/netlabel_user.c b/net/netlabel/netlabel_user.c index 893301ae0131..ef139d8ae7cd 100644 
--- a/net/netlabel/netlabel_user.c +++ b/net/netlabel/netlabel_user.c @@ -84,6 +84,7 @@ struct audit_buffer *netlbl_audit_start_common(int type, struct netlbl_audit *audit_info) { struct audit_buffer *audit_buf; + struct lsmcontext context; char *secctx; u32 secctx_len; struct lsmblob blob; @@ -103,7 +104,8 @@ struct audit_buffer *netlbl_audit_start_common(int type, if (audit_info->secid != 0 && security_secid_to_secctx(&blob, &secctx, &secctx_len) == 0) { audit_log_format(audit_buf, " subj=%s", secctx); - security_release_secctx(secctx, secctx_len); + lsmcontext_init(&context, secctx, secctx_len, 0);/*scaffolding*/ + security_release_secctx(&context); } return audit_buf; diff --git a/security/security.c b/security/security.c index 1d734d9579f1..d14717fe0cb7 100644 --- a/security/security.c +++ b/security/security.c 
@@ -2363,16 +2363,17 @@ int security_secctx_to_secid(const char *secdata, u32 seclen, } EXPORT_SYMBOL(security_secctx_to_secid); -void security_release_secctx(char *secdata, u32 seclen) +void security_release_secctx(struct lsmcontext *cp) { struct security_hook_list *hp; - int ilsm = lsm_task_ilsm(current); hlist_for_each_entry(hp, &security_hook_heads.release_secctx, list) - if (ilsm == LSMBLOB_INVALID || ilsm == hp->lsmid->slot) { - hp->hook.release_secctx(secdata, seclen); - return; + if (cp->slot == hp->lsmid->slot) { + hp->hook.release_secctx(cp->context, cp->len); + break; } + + memset(cp, 0, sizeof(*cp)); } EXPORT_SYMBOL(security_release_secctx); From patchwork Mon Dec 13 23:40:23 2021 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Casey Schaufler X-Patchwork-Id: 12675029 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by smtp.lore.kernel.org (Postfix) with ESMTP id A624FC433FE for ; Mon, 13 Dec 2021 23:59:26 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S244370AbhLMX7Z (ORCPT ); Mon, 13 Dec 2021 18:59:25 -0500 Received: from sonic306-28.consmr.mail.ne1.yahoo.com ([66.163.189.90]:35430 "EHLO sonic306-28.consmr.mail.ne1.yahoo.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S242149AbhLMX7Y (ORCPT ); Mon, 13 Dec 2021 18:59:24 -0500 DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=yahoo.com; s=s2048; t=1639439964; bh=7aljRJZOQnxiiyHnbK9ZxaikfmtFhGou1fAGhswXEYg=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From:Subject:Reply-To; 
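Review bot: In security/security.c ([PATCH v31 15/28]), the rewritten security_release_secctx() selects the hook only by `cp->slot == hp->lsmid->slot`, yet every call site converted in this patch passes a literal 0 to lsmcontext_init(), so the releaser is always the module in slot 0 rather than the one the removed `lsm_task_ilsm(current)` test picked. The commit message itself says SELinux frees its strings while Smack hands out a pointer into a list that never goes away, so a mismatch at this intermediate step means either a leak or a release of memory the module still owns. Either carry the real slot from the secid-to-secctx side in the same patch, or say in the changelog that this commit is only correct with a single context-providing LSM. Also, when no hook matches the slot, the loop falls through to `memset(cp, 0, sizeof(*cp))` and the pointer is dropped silently; a WARN_ON_ONCE() on that path would make a bad slot visible.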
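Review bot: In include/linux/security.h ([PATCH v31 15/28]), the comment on struct lsmcontext says the slot records which LSM the string "is useful for", while the commit message and the release path treat it as the LSM that allocated the string and must release it; that ownership rule is the reason the structure exists and should be stated here. Suggest making the block kernel-doc with one line per member (`len` has none), saying that `slot` names the module whose release_secctx hook will be called, and adding to the lsmcontext_init() comment that security_release_secctx() zeroes the structure, so callers must not read `cp->context` afterwards.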
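Review bot: The scaffolding call sites across [PATCH v31 15/28] are marked inconsistently, which will make the later cleanup harder to grep: `/*scaffolding*/` appears in fs/nfsd/nfs4xdr.c, include/net/scm.h and audit_log_pid_context(), net/netlabel/netlabel_user.c has `0);/*scaffolding*/` with no space before the comment, most other sites use `/* scaffolding */`, and show_special() in kernel/auditsc.c and netlbl_unlhsh_remove_addr6() carry no marker at all. The temporary local is also named `scaff`, `context` or `lsmcxt` depending on the file. Pick one comment spelling and one variable name and use them at every converted site, including the declaration.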
From: Casey Schaufler To: casey.schaufler@intel.com, jmorris@namei.org, linux-security-module@vger.kernel.org, selinux@vger.kernel.org Cc: casey@schaufler-ca.com, linux-audit@redhat.com, keescook@chromium.org, john.johansen@canonical.com, penguin-kernel@i-love.sakura.ne.jp, paul@paul-moore.com, sds@tycho.nsa.gov, linux-kernel@vger.kernel.org, Stephen Smalley , Chuck Lever , linux-nfs@vger.kernel.org Subject: [PATCH v31 17/28] LSM: Use lsmcontext in security_inode_getsecctx Date: Mon, 13 Dec 2021 15:40:23 -0800 Message-Id: <20211213234034.111891-18-casey@schaufler-ca.com> X-Mailer: git-send-email 2.31.1 In-Reply-To: <20211213234034.111891-1-casey@schaufler-ca.com> References: <20211213234034.111891-1-casey@schaufler-ca.com> MIME-Version: 1.0 Precedence: bulk List-ID: X-Mailing-List: linux-nfs@vger.kernel.org Change the security_inode_getsecctx() interface to fill a lsmcontext structure instead of data and length pointers. This provides the information about which LSM created the context so that security_release_secctx() can use the correct hook. Acked-by: Stephen Smalley Acked-by: Paul Moore Acked-by: Chuck Lever Reviewed-by: Kees Cook Reviewed-by: John Johansen Signed-off-by: Casey Schaufler Cc: linux-nfs@vger.kernel.org --- fs/nfsd/nfs4xdr.c | 23 +++++++++-------------- include/linux/security.h | 5 +++-- security/security.c | 13 +++++++++++-- 3 files changed, 23 insertions(+), 18 deletions(-) diff --git a/fs/nfsd/nfs4xdr.c b/fs/nfsd/nfs4xdr.c index f96da9ac116a..4aa412e0bfac 100644 --- a/fs/nfsd/nfs4xdr.c +++ b/fs/nfsd/nfs4xdr.c @@ -2724,11 +2724,11 @@ nfsd4_encode_layout_types(struct xdr_stream *xdr, u32 layout_types) #ifdef CONFIG_NFSD_V4_SECURITY_LABEL static inline __be32 nfsd4_encode_security_label(struct xdr_stream *xdr, struct svc_rqst *rqstp, - void *context, int len) + struct lsmcontext *context) { __be32 *p; - p = xdr_reserve_space(xdr, len + 4 + 4 + 4); + p = xdr_reserve_space(xdr, context->len + 4 + 4 + 4); if (!p) return nfserr_resource; 
@@ -2738,13 +2738,13 @@ nfsd4_encode_security_label(struct xdr_stream *xdr, struct svc_rqst *rqstp, */ *p++ = cpu_to_be32(0); /* lfs */ *p++ = cpu_to_be32(0); /* pi */ - p = xdr_encode_opaque(p, context, len); + p = xdr_encode_opaque(p, context->context, context->len); return 0; } #else static inline __be32 nfsd4_encode_security_label(struct xdr_stream *xdr, struct svc_rqst *rqstp, - void *context, int len) + struct lsmcontext *context) { return 0; } #endif @@ -2841,9 +2841,7 @@ nfsd4_encode_fattr(struct xdr_stream *xdr, struct svc_fh *fhp, int err; struct nfs4_acl *acl = NULL; #ifdef CONFIG_NFSD_V4_SECURITY_LABEL - struct lsmcontext scaff; /* scaffolding */ - void *context = NULL; - int contextlen; + struct lsmcontext context = { }; #endif bool contextsupport = false; struct nfsd4_compoundres *resp = rqstp->rq_resp; @@ -2901,7 +2899,7 @@ nfsd4_encode_fattr(struct xdr_stream *xdr, struct svc_fh *fhp, bmval0 & FATTR4_WORD0_SUPPORTED_ATTRS) { if (exp->ex_flags & NFSEXP_SECURITY_LABEL) err = security_inode_getsecctx(d_inode(dentry), - &context, &contextlen); + &context); else err = -EOPNOTSUPP; contextsupport = (err == 0); @@ -3321,8 +3319,7 @@ nfsd4_encode_fattr(struct xdr_stream *xdr, struct svc_fh *fhp, #ifdef CONFIG_NFSD_V4_SECURITY_LABEL if (bmval2 & FATTR4_WORD2_SECURITY_LABEL) { - status = nfsd4_encode_security_label(xdr, rqstp, context, - contextlen); + status = nfsd4_encode_security_label(xdr, rqstp, &context); if (status) goto out; } @@ -3343,10 +3340,8 @@ nfsd4_encode_fattr(struct xdr_stream *xdr, struct svc_fh *fhp, out: #ifdef CONFIG_NFSD_V4_SECURITY_LABEL - if (context) { - lsmcontext_init(&scaff, context, contextlen, 0); /*scaffolding*/ - security_release_secctx(&scaff); - } + if (context.context) + security_release_secctx(&context); #endif /* CONFIG_NFSD_V4_SECURITY_LABEL */ kfree(acl); if (tempfh) { diff --git a/include/linux/security.h b/include/linux/security.h index 3c66edb31e14..e29d2894928d 100644 --- a/include/linux/security.h 
+++ b/include/linux/security.h @@ -605,7 +605,7 @@ void security_release_secctx(struct lsmcontext *cp); void security_inode_invalidate_secctx(struct inode *inode); int security_inode_notifysecctx(struct inode *inode, void *ctx, u32 ctxlen); int security_inode_setsecctx(struct dentry *dentry, void *ctx, u32 ctxlen); -int security_inode_getsecctx(struct inode *inode, void **ctx, u32 *ctxlen); +int security_inode_getsecctx(struct inode *inode, struct lsmcontext *cp); int security_locked_down(enum lockdown_reason what); #else /* CONFIG_SECURITY */ @@ -1487,7 +1487,8 @@ static inline int security_inode_setsecctx(struct dentry *dentry, void *ctx, u32 { return -EOPNOTSUPP; } -static inline int security_inode_getsecctx(struct inode *inode, void **ctx, u32 *ctxlen) +static inline int security_inode_getsecctx(struct inode *inode, + struct lsmcontext *cp) { return -EOPNOTSUPP; } diff --git a/security/security.c b/security/security.c index dc0d4ae44a64..1b9e1189d74b 100644 --- a/security/security.c +++ b/security/security.c @@ -2418,9 +2418,18 @@ int security_inode_setsecctx(struct dentry *dentry, void *ctx, u32 ctxlen) } EXPORT_SYMBOL(security_inode_setsecctx); -int security_inode_getsecctx(struct inode *inode, void **ctx, u32 *ctxlen) +int security_inode_getsecctx(struct inode *inode, struct lsmcontext *cp) { - return call_int_hook(inode_getsecctx, -EOPNOTSUPP, inode, ctx, ctxlen); + struct security_hook_list *hp; + + memset(cp, 0, sizeof(*cp)); + + hlist_for_each_entry(hp, &security_hook_heads.inode_getsecctx, list) { + cp->slot = hp->lsmid->slot; + return hp->hook.inode_getsecctx(inode, (void **)&cp->context, + &cp->len); + } + return -EOPNOTSUPP; } EXPORT_SYMBOL(security_inode_getsecctx);
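Review bot: In security/security.c ([PATCH v31 17/28]), the `hlist_for_each_entry()` body in security_inode_getsecctx() returns unconditionally on its first iteration, so it is not really a loop: only the first module registered on inode_getsecctx is ever consulted, and a reader has to work that out from the `return`. Say so in a comment or fetch the first entry explicitly. In the same hunk, `cp->slot` is assigned before the hook runs and stays set when the hook returns an error, and the `(void **)&cp->context` cast hides that the hook writes a `void *` into a `char *` member; clearing `cp` on a non-zero return and noting why the cast is safe would tighten this up.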
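Review bot: In fs/nfsd/nfs4xdr.c ([PATCH v31 17/28]), the release at `out:` is now gated on `context.context`, which is only reliable because of the `= { }` initialiser in nfsd4_encode_fattr() and the memset() at the top of security_inode_getsecctx(); a one-line comment at the declaration saying the zero initialisation is load-bearing would keep a later cleanup from removing it. The name also reads poorly once it is a structure: `context.context` and `context->context` sit next to the existing `contextsupport` flag, so a local such as `lsmctx` would be easier to follow.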