From patchwork Mon Apr 18 14:59:31 2022 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Casey Schaufler X-Patchwork-Id: 12816779 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by smtp.lore.kernel.org (Postfix) with ESMTP id 923C4C433EF for ; Mon, 18 Apr 2022 15:40:43 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1345237AbiDRPnT (ORCPT ); Mon, 18 Apr 2022 11:43:19 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:53890 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1345630AbiDRPmw (ORCPT ); Mon, 18 Apr 2022 11:42:52 -0400 Received: from sonic305-27.consmr.mail.ne1.yahoo.com (sonic305-27.consmr.mail.ne1.yahoo.com [66.163.185.153]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 1CDA43388F for ; Mon, 18 Apr 2022 08:08:01 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=yahoo.com; s=s2048; t=1650294480; bh=wXGkXPOoZqXR1+vDMzUyhmy3q+IXdFsHGXXFWyw6XmU=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From:Subject:Reply-To; b=EwuhT9EzGIImq4liZX9W/+3fYM6DvJBCNlmQ82hgVBPr3pXmVlpAxBIHvrdyLYXV8vpLCs2AwBOfic9nbyTHqHlkL8zHfJ6utQQsArTH7Oyy7Mw9DC+TZLtDvUKUa717s3JGHsnXzQOsusRfh2As1pbLoCmEiUzzTtmLedSSiFNkqoHhz5YuuMXX9MwnpPQ2GNk+Togl68hkoOq/QhOx8XUIuKcX0j41wNa4XzEBhsxI1EKtEs3WqFrpqNGyTf+2ZFgLcKeEkzwuSNVL6Ms9CLJSDBKxjD7mUNJ8yQqLJeMgVVXkAlMHObNzvRWDfFhYbLWCzQEB+cOCH1VkoiH1BQ== X-SONIC-DKIM-SIGN: v=1; a=rsa-sha256; c=relaxed/relaxed; d=yahoo.com; s=s2048; t=1650294480; bh=gAVTj3N4cC5riWjoqNrDl89ddH6UyK+syOskTWBRoSb=; h=X-Sonic-MF:From:To:Subject:Date:From:Subject; b=j09sM08yzq6fsvd6VJlQXqjSnf2k9iuEQr6niq6bk1fZ87lkiCJOTMo1CaHZvc/x73hvXZcOl/74MsE9G5Ipn4AKdpNZcYTCTTvwjW/DLmjE0yh7drdgn5PDhbokRF4sp85hwgufODWrFjuLEapVaY8PbIzHhTFkDnrNkcpVPe0wc6le5EnqeYyqgVNCta8qWrIFd3XnvKvdZbRlL65L4aEgT5Od2O+/StUUB7bu9NzVdWbruUFczLru3CCwlGjHm0y75rTd18F8N7Mjr9e9a4UkHZd6te3jhO6F5LkwhOVxCpMK3oTfqLdQUK9RJxhupD4eQSk8GA+wVpuEFnXCgA== X-YMail-OSG: 2K9cdUkVM1l9wPqyn6v5DBCr8ZY..tCsjBaYT37tJBPw6_1KcCRrqMqh1UZzDkR LHLKO5WMRkVJ0x_EowWnC.9L72brloOakb2tUmMHeghnAZOCozp2JsIYI.cnGgNtBfrAxtIf7Zm7 qkTgHChNwpmfcuqbKYhxCA8GVZA5mi1Of2mqF3CvrP4Gb1ODpKKDvT0YCil5yAB6Pqxoud2QM9sx 54ZX9ccDGaheedrvHU4ReCqD95NmeEZPB5giZfacnVBbMsppCGZwIsuN_Yak_jtnRnBAffWbYCQO GLJw0cX7.x2BZUPivclKeeNji3OSJBFtOWkR1cUVMYyWlDewQ0deLZTRDKg8ATj98n7aDeuYDW_x w_lDNQKrM26TeGzhJdmTTl0BIVuveXopNXffpijZMwamzwHHV_ymEXm3mn4.4havK5gkHhHgN5t2 6f90wETBNP6vVlU32FSdkdg.ltrLo.ufs.UYoknXrkS8iNaDwm51orQvSdoPHfkDFpYTuB.ODwDz beVHBjhiVShC.9Z2mLsol0N2EE81Qtg1y26j.JHKwtOBV863vpNtiRstiFYtJ0eknpiAtsuojLX4 7W8VXy0z3tNp9XH7xc62B1BluBlFq20HGw7g5AH2fjd3X6KPLoQL2IhSHxDGiazDOkmNC7K8tQI4 eg0MOUCb.HQuyXwCDbsUfoLEyKpUnt9bEQPJVJdlzNWBErjPRtEIDP5eiAFdY3gunQ84zGes0WcI FHHISkwAkQkcMak4mSBfD.1E8jasAqnPNpoEvD8W4wBUh_pSvpr.7c4SZ3u5e0Kjb.34FVz5679r ztPgi9u6kJXkyr9xqVzWaw_VLbBKsX_lOWTxhazsCZb6h.Syw2OOcIEvCY.bLucc6AJCfl8vFHYH 9N7RhWEGeCXGoW9Natb.e_3JvZcs1i3xEavuJX7RhEBPusGapsoDwysi4qvQ4WAzvbOBdswdF9b_ HRWaTEq5gzru4okTvHpp1l9barXQ3ib7kF2tLoS0jA6HUPuygX647BL.8jyMa0HN1OPDSWxgOOQv hgHczEGoO8P96tgqjJR9.rQJr83pOBxXt_CcT8zubBnJDbBD.0FWAU4J6Fe9Ivtz6hUdVeBRCq5n zXj0.t0IzGm8hZd4ezvaRkfCgwxSIkXEFx4FN36HVmV7ZKi3UU4Pmhs32HMiSz4M5Km7NMhAFSQO IL1qpGFGwnSukwIONACVTH3xiqfAK449ThOFn7ZyIYNa4gbKvqvbqhOT_t6OphESrgSCTKiiOVVo lFaVl494rZvYNSmzgfNWbuOqjpImXIvLwZqVbUOjzlvxOjuTYORJj32ujbdBTf8ndk7zKBWCZ5jW 144QssT4GFX1ednChTOzsCOFQ94uwbHEuD1Jz0STJyvEIAJh6AwHVheVVjCh7fP_iQZFEyhJu9Dk ZDnStehGtuRrMaQpJ95hc5sQ.cDCR2Prmj7iNUIEL5WCsEZLL3vRTAkJQQXQ3LcZiJUgLupQZCjX rMgin7IefWNxduuI7GsedJ3ie3fw6OMisQ6Qci8X5owl192I.rh7Uwhud7URyZZ7_O_3g4nTG_hV IhK90Rx1JV.2jTF_r6.ROzomwgTnBgAqSJ0WjoqhhJhJbxEeTvzyt9.DhwVeKfQRwj5mBZyY8tpf _mTtlqjDqQiB4VTaSX2djhWud66mqZqh_5Pn.SUxUEsBa9fQKq3nylTVkEBdiowERwapHtk05Ydp ThzzI_buccG2kPTOOh4FpI_dB57UqJ..4N5wHvhKe8KTVZivkLq6jO731QPBwYvQPQ.2YNw5YPTr rpX7VaWWMOkqMXhro5cz1wslTv3FiE1CE8r5xUKmBU9NjDEgDXsWigmnwNjnCskt0WMSlzLV1Ibb Z.sWoqvQOQNEiz8IPEpejITgiNqFF5qMJdzNww6Z9415or0sI.xPmb6dxelcn46EuqcD23WhG542 XrwEGhtdreGCHZENoH4jB6EHCyf2zQhPaJfJQXwBoFirUw4hJWM98Ovvx1oH8hwRk.9YFSZIxI.4 WnuUyFBVHwlLBNoAUv8aBxNGj3oXNM7dfWkOQ7VPioCJ2yOjxipTpNFFCqyl6n6deXRhuQrmCcQ3 JTaXS5elbMDVoNGF_c6CkunCr2_wZx46kU6aYrI9EAvA0tnlxsoSIYLMoBn90swnNfT4xTRs71RE fKFO7HTw4LbQ4iJrjeUmE0eP_BG_LzMthrMPEB7o2Gdvo9oIcUr9n833R7gfqz1ywp6U41lOjtrX wYJL7Bn4WibefV_JL5OKahuzMVtTi44nu2m4qL1z1TFSAYdf7uggUjDDEJ6Z4WtfSvsgMpaeQiUv eJLtQVaZGlolv5Lfx9W7N98IlINyi X-Sonic-MF: Received: from sonic.gate.mail.ne1.yahoo.com by sonic305.consmr.mail.ne1.yahoo.com with HTTP; Mon, 18 Apr 2022 15:08:00 +0000 Received: by hermes--canary-production-ne1-c7c4f6977-qcc8c (VZM Hermes SMTP Server) with ESMTPA ID 2afd461de5a55bc64b17c8606f02f3b8; Mon, 18 Apr 2022 15:07:57 +0000 (UTC) From: Casey Schaufler To: casey.schaufler@intel.com, jmorris@namei.org, linux-security-module@vger.kernel.org, selinux@vger.kernel.org Cc: casey@schaufler-ca.com, linux-audit@redhat.com, keescook@chromium.org, john.johansen@canonical.com, penguin-kernel@i-love.sakura.ne.jp, paul@paul-moore.com, stephen.smalley.work@gmail.com, linux-kernel@vger.kernel.org, Chuck Lever , linux-integrity@vger.kernel.org, netdev@vger.kernel.org, netfilter-devel@vger.kernel.org, linux-nfs@vger.kernel.org Subject: [PATCH v35 15/29] LSM: Ensure the correct LSM context releaser Date: Mon, 18 Apr 2022 07:59:31 -0700 Message-Id: <20220418145945.38797-16-casey@schaufler-ca.com> X-Mailer: git-send-email 2.35.1 In-Reply-To: <20220418145945.38797-1-casey@schaufler-ca.com> References: <20220418145945.38797-1-casey@schaufler-ca.com> MIME-Version: 1.0 Precedence: bulk List-ID: X-Mailing-List: linux-nfs@vger.kernel.org Add a new lsmcontext data structure to hold all the information about a "security context", including the string, its size and which LSM allocated the string. The allocation information is necessary because LSMs have different policies regarding the lifecycle of these strings. SELinux allocates and destroys them on each use, whereas Smack provides a pointer to an entry in a list that never goes away. Reviewed-by: Kees Cook Reviewed-by: John Johansen Acked-by: Paul Moore Acked-by: Stephen Smalley Acked-by: Chuck Lever Signed-off-by: Casey Schaufler Cc: linux-integrity@vger.kernel.org Cc: netdev@vger.kernel.org Cc: linux-audit@redhat.com Cc: netfilter-devel@vger.kernel.org To: Pablo Neira Ayuso Cc: linux-nfs@vger.kernel.org --- drivers/android/binder.c | 10 ++++--- fs/ceph/xattr.c | 6 ++++- fs/nfs/nfs4proc.c | 8 ++++-- fs/nfsd/nfs4xdr.c | 7 +++-- include/linux/security.h | 35 +++++++++++++++++++++++-- include/net/scm.h | 5 +++- kernel/audit.c | 14 +++++++--- kernel/auditsc.c | 12 ++++++--- net/ipv4/ip_sockglue.c | 4 ++- net/netfilter/nf_conntrack_netlink.c | 4 ++- net/netfilter/nf_conntrack_standalone.c | 4 ++- net/netfilter/nfnetlink_queue.c | 13 ++++++--- net/netlabel/netlabel_unlabeled.c | 19 +++++++++++--- net/netlabel/netlabel_user.c | 4 ++- security/security.c | 11 ++++---- 15 files changed, 121 insertions(+), 35 deletions(-) diff --git a/drivers/android/binder.c b/drivers/android/binder.c index 26838061defb..2125b4b795da 100644 --- a/drivers/android/binder.c +++ b/drivers/android/binder.c @@ -2725,6 +2725,7 @@ static void binder_transaction(struct binder_proc *proc, int t_debug_id = atomic_inc_return(&binder_last_id); char *secctx = NULL; u32 secctx_sz = 0; + struct lsmcontext scaff; /* scaffolding */ struct list_head sgc_head; struct list_head pf_head; const void __user *user_buffer = (const void __user *) @@ -3033,7 +3034,8 @@ static void binder_transaction(struct binder_proc *proc, t->security_ctx = 0; WARN_ON(1); } - security_release_secctx(secctx, secctx_sz); + lsmcontext_init(&scaff, secctx, secctx_sz, 0); + security_release_secctx(&scaff); secctx = NULL; } t->buffer->debug_id = t->debug_id; @@ -3433,8 +3435,10 @@ static void binder_transaction(struct binder_proc *proc, binder_alloc_free_buf(&target_proc->alloc, t->buffer); err_binder_alloc_buf_failed: err_bad_extra_size: - if (secctx) - security_release_secctx(secctx, secctx_sz); + if (secctx) { + lsmcontext_init(&scaff, secctx, secctx_sz, 0); + security_release_secctx(&scaff); + } err_get_secctx_failed: kfree(tcomplete); binder_stats_deleted(BINDER_STAT_TRANSACTION_COMPLETE); diff --git a/fs/ceph/xattr.c b/fs/ceph/xattr.c index afec84088471..8ac30a5c05ef 100644 --- a/fs/ceph/xattr.c +++ b/fs/ceph/xattr.c @@ -1383,12 +1383,16 @@ int ceph_security_init_secctx(struct dentry *dentry, umode_t mode, void ceph_release_acl_sec_ctx(struct ceph_acl_sec_ctx *as_ctx) { +#ifdef CONFIG_CEPH_FS_SECURITY_LABEL + struct lsmcontext scaff; /* scaffolding */ +#endif #ifdef CONFIG_CEPH_FS_POSIX_ACL posix_acl_release(as_ctx->acl); posix_acl_release(as_ctx->default_acl); #endif #ifdef CONFIG_CEPH_FS_SECURITY_LABEL - security_release_secctx(as_ctx->sec_ctx, as_ctx->sec_ctxlen); + lsmcontext_init(&scaff, as_ctx->sec_ctx, as_ctx->sec_ctxlen, 0); + security_release_secctx(&scaff); #endif if (as_ctx->pagelist) ceph_pagelist_release(as_ctx->pagelist); diff --git a/fs/nfs/nfs4proc.c b/fs/nfs/nfs4proc.c index 16106f805ffa..dc8bdcdd2d2a 100644 --- a/fs/nfs/nfs4proc.c +++ b/fs/nfs/nfs4proc.c @@ -133,8 +133,12 @@ nfs4_label_init_security(struct inode *dir, struct dentry *dentry, static inline void nfs4_label_release_security(struct nfs4_label *label) { - if (label) - security_release_secctx(label->label, label->len); + struct lsmcontext scaff; /* scaffolding */ + + if (label) { + lsmcontext_init(&scaff, label->label, label->len, 0); + security_release_secctx(&scaff); + } } static inline u32 *nfs4_bitmask(struct nfs_server *server, struct nfs4_label *label) { diff --git a/fs/nfsd/nfs4xdr.c b/fs/nfsd/nfs4xdr.c index da92e7d2ab6a..77388b5ece56 100644 --- a/fs/nfsd/nfs4xdr.c +++ b/fs/nfsd/nfs4xdr.c @@ -2830,6 +2830,7 @@ nfsd4_encode_fattr(struct xdr_stream *xdr, struct svc_fh *fhp, int err; struct nfs4_acl *acl = NULL; #ifdef CONFIG_NFSD_V4_SECURITY_LABEL + struct lsmcontext scaff; /* scaffolding */ void *context = NULL; int contextlen; #endif @@ -3341,8 +3342,10 @@ nfsd4_encode_fattr(struct xdr_stream *xdr, struct svc_fh *fhp, out: #ifdef CONFIG_NFSD_V4_SECURITY_LABEL - if (context) - security_release_secctx(context, contextlen); + if (context) { + lsmcontext_init(&scaff, context, contextlen, 0); /*scaffolding*/ + security_release_secctx(&scaff); + } #endif /* CONFIG_NFSD_V4_SECURITY_LABEL */ kfree(acl); if (tempfh) { diff --git a/include/linux/security.h b/include/linux/security.h index a6574d13c6fb..5a681f60fd50 100644 --- a/include/linux/security.h +++ b/include/linux/security.h @@ -135,6 +135,37 @@ enum lockdown_reason { extern const char *const lockdown_reasons[LOCKDOWN_CONFIDENTIALITY_MAX+1]; +/* + * A "security context" is the text representation of + * the information used by LSMs. + * This structure contains the string, its length, and which LSM + * it is useful for. + */ +struct lsmcontext { + char *context; /* Provided by the module */ + u32 len; + int slot; /* Identifies the module */ +}; + +/** + * lsmcontext_init - initialize an lsmcontext structure. + * @cp: Pointer to the context to initialize + * @context: Initial context, or NULL + * @size: Size of context, or 0 + * @slot: Which LSM provided the context + * + * Fill in the lsmcontext from the provided information. + * This is a scaffolding function that will be removed when + * lsmcontext integration is complete. + */ +static inline void lsmcontext_init(struct lsmcontext *cp, char *context, + u32 size, int slot) +{ + cp->slot = slot; + cp->context = context; + cp->len = size; +} + /* * Data exported by the security modules * @@ -587,7 +618,7 @@ int security_ismaclabel(const char *name); int security_secid_to_secctx(struct lsmblob *blob, char **secdata, u32 *seclen); int security_secctx_to_secid(const char *secdata, u32 seclen, struct lsmblob *blob); -void security_release_secctx(char *secdata, u32 seclen); +void security_release_secctx(struct lsmcontext *cp); void security_inode_invalidate_secctx(struct inode *inode); int security_inode_notifysecctx(struct inode *inode, void *ctx, u32 ctxlen); int security_inode_setsecctx(struct dentry *dentry, void *ctx, u32 ctxlen); @@ -1451,7 +1482,7 @@ static inline int security_secctx_to_secid(const char *secdata, return -EOPNOTSUPP; } -static inline void security_release_secctx(char *secdata, u32 seclen) +static inline void security_release_secctx(struct lsmcontext *cp) { } diff --git a/include/net/scm.h b/include/net/scm.h index 23a35ff1b3f2..f273c4d777ec 100644 --- a/include/net/scm.h +++ b/include/net/scm.h @@ -92,6 +92,7 @@ static __inline__ int scm_send(struct socket *sock, struct msghdr *msg, #ifdef CONFIG_SECURITY_NETWORK static inline void scm_passec(struct socket *sock, struct msghdr *msg, struct scm_cookie *scm) { + struct lsmcontext context; struct lsmblob lb; char *secdata; u32 seclen; @@ -106,7 +107,9 @@ static inline void scm_passec(struct socket *sock, struct msghdr *msg, struct sc if (!err) { put_cmsg(msg, SOL_SOCKET, SCM_SECURITY, seclen, secdata); - security_release_secctx(secdata, seclen); + /*scaffolding*/ + lsmcontext_init(&context, secdata, seclen, 0); + security_release_secctx(&context); } } } diff --git a/kernel/audit.c b/kernel/audit.c index 2b670ac129be..0eff57959b4e 100644 --- a/kernel/audit.c +++ b/kernel/audit.c @@ -1214,6 +1214,7 @@ static int audit_receive_msg(struct sk_buff *skb, struct nlmsghdr *nlh) struct audit_sig_info *sig_data; char *ctx = NULL; u32 len; + struct lsmcontext scaff; /* scaffolding */ err = audit_netlink_ok(skb, msg_type); if (err) @@ -1471,15 +1472,18 @@ static int audit_receive_msg(struct sk_buff *skb, struct nlmsghdr *nlh) } sig_data = kmalloc(struct_size(sig_data, ctx, len), GFP_KERNEL); if (!sig_data) { - if (lsmblob_is_set(&audit_sig_lsm)) - security_release_secctx(ctx, len); + if (lsmblob_is_set(&audit_sig_lsm)) { + lsmcontext_init(&scaff, ctx, len, 0); + security_release_secctx(&scaff); + } return -ENOMEM; } sig_data->uid = from_kuid(&init_user_ns, audit_sig_uid); sig_data->pid = audit_sig_pid; if (lsmblob_is_set(&audit_sig_lsm)) { memcpy(sig_data->ctx, ctx, len); - security_release_secctx(ctx, len); + lsmcontext_init(&scaff, ctx, len, 0); + security_release_secctx(&scaff); } audit_send_reply(skb, seq, AUDIT_SIGNAL_INFO, 0, 0, sig_data, struct_size(sig_data, ctx, len)); @@ -2171,6 +2175,7 @@ int audit_log_task_context(struct audit_buffer *ab) unsigned len; int error; struct lsmblob blob; + struct lsmcontext scaff; /* scaffolding */ security_current_getsecid_subj(&blob); if (!lsmblob_is_set(&blob)) @@ -2185,7 +2190,8 @@ int audit_log_task_context(struct audit_buffer *ab) } audit_log_format(ab, " subj=%s", ctx); - security_release_secctx(ctx, len); + lsmcontext_init(&scaff, ctx, len, 0); + security_release_secctx(&scaff); return 0; error_path: diff --git a/kernel/auditsc.c b/kernel/auditsc.c index 52ea8da8462f..1503fb281278 100644 --- a/kernel/auditsc.c +++ b/kernel/auditsc.c @@ -1121,6 +1121,7 @@ static int audit_log_pid_context(struct audit_context *context, pid_t pid, struct lsmblob *blob, char *comm) { struct audit_buffer *ab; + struct lsmcontext lsmcxt; char *ctx = NULL; u32 len; int rc = 0; @@ -1138,7 +1139,8 @@ static int audit_log_pid_context(struct audit_context *context, pid_t pid, rc = 1; } else { audit_log_format(ab, " obj=%s", ctx); - security_release_secctx(ctx, len); + lsmcontext_init(&lsmcxt, ctx, len, 0); /*scaffolding*/ + security_release_secctx(&lsmcxt); } } audit_log_format(ab, " ocomm="); @@ -1398,6 +1400,7 @@ static void audit_log_time(struct audit_context *context, struct audit_buffer ** static void show_special(struct audit_context *context, int *call_panic) { + struct lsmcontext lsmcxt; struct audit_buffer *ab; int i; @@ -1432,7 +1435,8 @@ static void show_special(struct audit_context *context, int *call_panic) *call_panic = 1; } else { audit_log_format(ab, " obj=%s", ctx); - security_release_secctx(ctx, len); + lsmcontext_init(&lsmcxt, ctx, len, 0); + security_release_secctx(&lsmcxt); } } if (context->ipc.has_perm) { @@ -1594,6 +1598,7 @@ static void audit_log_name(struct audit_context *context, struct audit_names *n, char *ctx = NULL; u32 len; struct lsmblob blob; + struct lsmcontext lsmcxt; lsmblob_init(&blob, n->osid); if (security_secid_to_secctx(&blob, &ctx, &len)) { @@ -1602,7 +1607,8 @@ static void audit_log_name(struct audit_context *context, struct audit_names *n, *call_panic = 2; } else { audit_log_format(ab, " obj=%s", ctx); - security_release_secctx(ctx, len); + lsmcontext_init(&lsmcxt, ctx, len, 0); /* scaffolding */ + security_release_secctx(&lsmcxt); } } diff --git a/net/ipv4/ip_sockglue.c b/net/ipv4/ip_sockglue.c index 933a8f94f93a..70ca4510ea35 100644 --- a/net/ipv4/ip_sockglue.c +++ b/net/ipv4/ip_sockglue.c @@ -130,6 +130,7 @@ static void ip_cmsg_recv_checksum(struct msghdr *msg, struct sk_buff *skb, static void ip_cmsg_recv_security(struct msghdr *msg, struct sk_buff *skb) { + struct lsmcontext context; struct lsmblob lb; char *secdata; u32 seclen, secid; @@ -145,7 +146,8 @@ static void ip_cmsg_recv_security(struct msghdr *msg, struct sk_buff *skb) return; put_cmsg(msg, SOL_IP, SCM_SECURITY, seclen, secdata); - security_release_secctx(secdata, seclen); + lsmcontext_init(&context, secdata, seclen, 0); /* scaffolding */ + security_release_secctx(&context); } static void ip_cmsg_recv_dstaddr(struct msghdr *msg, struct sk_buff *skb) diff --git a/net/netfilter/nf_conntrack_netlink.c b/net/netfilter/nf_conntrack_netlink.c index a28e275981d4..f053d7544355 100644 --- a/net/netfilter/nf_conntrack_netlink.c +++ b/net/netfilter/nf_conntrack_netlink.c @@ -348,6 +348,7 @@ static int ctnetlink_dump_secctx(struct sk_buff *skb, const struct nf_conn *ct) int len, ret; char *secctx; struct lsmblob blob; + struct lsmcontext context; /* lsmblob_init() puts ct->secmark into all of the secids in blob. * security_secid_to_secctx() will know which security module @@ -368,7 +369,8 @@ static int ctnetlink_dump_secctx(struct sk_buff *skb, const struct nf_conn *ct) ret = 0; nla_put_failure: - security_release_secctx(secctx, len); + lsmcontext_init(&context, secctx, len, 0); /* scaffolding */ + security_release_secctx(&context); return ret; } #else diff --git a/net/netfilter/nf_conntrack_standalone.c b/net/netfilter/nf_conntrack_standalone.c index bba3a66f5636..3b6ba86783f6 100644 --- a/net/netfilter/nf_conntrack_standalone.c +++ b/net/netfilter/nf_conntrack_standalone.c @@ -179,6 +179,7 @@ static void ct_show_secctx(struct seq_file *s, const struct nf_conn *ct) u32 len; char *secctx; struct lsmblob blob; + struct lsmcontext context; lsmblob_init(&blob, ct->secmark); ret = security_secid_to_secctx(&blob, &secctx, &len); @@ -187,7 +188,8 @@ static void ct_show_secctx(struct seq_file *s, const struct nf_conn *ct) seq_printf(s, "secctx=%s ", secctx); - security_release_secctx(secctx, len); + lsmcontext_init(&context, secctx, len, 0); /* scaffolding */ + security_release_secctx(&context); } #else static inline void ct_show_secctx(struct seq_file *s, const struct nf_conn *ct) diff --git a/net/netfilter/nfnetlink_queue.c b/net/netfilter/nfnetlink_queue.c index 6269fe122345..f69d5e997da2 100644 --- a/net/netfilter/nfnetlink_queue.c +++ b/net/netfilter/nfnetlink_queue.c @@ -397,6 +397,7 @@ nfqnl_build_packet_message(struct net *net, struct nfqnl_instance *queue, enum ip_conntrack_info ctinfo = 0; const struct nfnl_ct_hook *nfnl_ct; bool csum_verify; + struct lsmcontext scaff; /* scaffolding */ char *secdata = NULL; u32 seclen = 0; ktime_t tstamp; @@ -634,8 +635,10 @@ nfqnl_build_packet_message(struct net *net, struct nfqnl_instance *queue, } nlh->nlmsg_len = skb->len; - if (seclen) - security_release_secctx(secdata, seclen); + if (seclen) { + lsmcontext_init(&scaff, secdata, seclen, 0); + security_release_secctx(&scaff); + } return skb; nla_put_failure: @@ -643,8 +646,10 @@ nfqnl_build_packet_message(struct net *net, struct nfqnl_instance *queue, kfree_skb(skb); net_err_ratelimited("nf_queue: error creating packet message\n"); nlmsg_failure: - if (seclen) - security_release_secctx(secdata, seclen); + if (seclen) { + lsmcontext_init(&scaff, secdata, seclen, 0); + security_release_secctx(&scaff); + } return NULL; } diff --git a/net/netlabel/netlabel_unlabeled.c b/net/netlabel/netlabel_unlabeled.c index bbb3b6a4f0d7..b3e3d920034d 100644 --- a/net/netlabel/netlabel_unlabeled.c +++ b/net/netlabel/netlabel_unlabeled.c @@ -374,6 +374,7 @@ int netlbl_unlhsh_add(struct net *net, struct net_device *dev; struct netlbl_unlhsh_iface *iface; struct audit_buffer *audit_buf = NULL; + struct lsmcontext context; char *secctx = NULL; u32 secctx_len; struct lsmblob blob; @@ -447,7 +448,9 @@ int netlbl_unlhsh_add(struct net *net, &secctx, &secctx_len) == 0) { audit_log_format(audit_buf, " sec_obj=%s", secctx); - security_release_secctx(secctx, secctx_len); + /* scaffolding */ + lsmcontext_init(&context, secctx, secctx_len, 0); + security_release_secctx(&context); } audit_log_format(audit_buf, " res=%u", ret_val == 0 ? 1 : 0); audit_log_end(audit_buf); @@ -478,6 +481,7 @@ static int netlbl_unlhsh_remove_addr4(struct net *net, struct netlbl_unlhsh_addr4 *entry; struct audit_buffer *audit_buf; struct net_device *dev; + struct lsmcontext context; char *secctx; u32 secctx_len; struct lsmblob blob; @@ -508,7 +512,9 @@ static int netlbl_unlhsh_remove_addr4(struct net *net, security_secid_to_secctx(&blob, &secctx, &secctx_len) == 0) { audit_log_format(audit_buf, " sec_obj=%s", secctx); - security_release_secctx(secctx, secctx_len); + /* scaffolding */ + lsmcontext_init(&context, secctx, secctx_len, 0); + security_release_secctx(&context); } audit_log_format(audit_buf, " res=%u", entry != NULL ? 1 : 0); audit_log_end(audit_buf); @@ -545,6 +551,7 @@ static int netlbl_unlhsh_remove_addr6(struct net *net, struct netlbl_unlhsh_addr6 *entry; struct audit_buffer *audit_buf; struct net_device *dev; + struct lsmcontext context; char *secctx; u32 secctx_len; struct lsmblob blob; @@ -574,7 +581,8 @@ static int netlbl_unlhsh_remove_addr6(struct net *net, security_secid_to_secctx(&blob, &secctx, &secctx_len) == 0) { audit_log_format(audit_buf, " sec_obj=%s", secctx); - security_release_secctx(secctx, secctx_len); + lsmcontext_init(&context, secctx, secctx_len, 0); + security_release_secctx(&context); } audit_log_format(audit_buf, " res=%u", entry != NULL ? 1 : 0); audit_log_end(audit_buf); @@ -1093,6 +1101,7 @@ static int netlbl_unlabel_staticlist_gen(u32 cmd, int ret_val = -ENOMEM; struct netlbl_unlhsh_walk_arg *cb_arg = arg; struct net_device *dev; + struct lsmcontext context; void *data; u32 secid; char *secctx; @@ -1163,7 +1172,9 @@ static int netlbl_unlabel_staticlist_gen(u32 cmd, NLBL_UNLABEL_A_SECCTX, secctx_len, secctx); - security_release_secctx(secctx, secctx_len); + /* scaffolding */ + lsmcontext_init(&context, secctx, secctx_len, 0); + security_release_secctx(&context); if (ret_val != 0) goto list_cb_failure; diff --git a/net/netlabel/netlabel_user.c b/net/netlabel/netlabel_user.c index 893301ae0131..ef139d8ae7cd 100644 --- a/net/netlabel/netlabel_user.c +++ b/net/netlabel/netlabel_user.c @@ -84,6 +84,7 @@ struct audit_buffer *netlbl_audit_start_common(int type, struct netlbl_audit *audit_info) { struct audit_buffer *audit_buf; + struct lsmcontext context; char *secctx; u32 secctx_len; struct lsmblob blob; @@ -103,7 +104,8 @@ struct audit_buffer *netlbl_audit_start_common(int type, if (audit_info->secid != 0 && security_secid_to_secctx(&blob, &secctx, &secctx_len) == 0) { audit_log_format(audit_buf, " subj=%s", secctx); - security_release_secctx(secctx, secctx_len); + lsmcontext_init(&context, secctx, secctx_len, 0);/*scaffolding*/ + security_release_secctx(&context); } return audit_buf; diff --git a/security/security.c b/security/security.c index ec4d1b3026d8..407852be43da 100644 --- a/security/security.c +++ b/security/security.c @@ -2379,16 +2379,17 @@ int security_secctx_to_secid(const char *secdata, u32 seclen, } EXPORT_SYMBOL(security_secctx_to_secid); -void security_release_secctx(char *secdata, u32 seclen) +void security_release_secctx(struct lsmcontext *cp) { struct security_hook_list *hp; - int ilsm = lsm_task_ilsm(current); hlist_for_each_entry(hp, &security_hook_heads.release_secctx, list) - if (ilsm == LSMBLOB_INVALID || ilsm == hp->lsmid->slot) { - hp->hook.release_secctx(secdata, seclen); - return; + if (cp->slot == hp->lsmid->slot) { + hp->hook.release_secctx(cp->context, cp->len); + break; } + + memset(cp, 0, sizeof(*cp)); } EXPORT_SYMBOL(security_release_secctx); From patchwork Mon Apr 18 14:59:33 2022 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Casey Schaufler X-Patchwork-Id: 12816778 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by smtp.lore.kernel.org (Postfix) with ESMTP id 07147C433F5 for ; Mon, 18 Apr 2022 15:40:41 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S245488AbiDRPnR (ORCPT ); Mon, 18 Apr 2022 11:43:17 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:53008 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1345661AbiDRPmx (ORCPT ); Mon, 18 Apr 2022 11:42:53 -0400 Received: from sonic311-30.consmr.mail.ne1.yahoo.com (sonic311-30.consmr.mail.ne1.yahoo.com [66.163.188.211]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 6E5FD34660 for ; Mon, 18 Apr 2022 08:08:06 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=yahoo.com; s=s2048; t=1650294486; bh=At4+NxZXv0MZomzONJVkImtyKnD/GEtK+yc2Jid0QkM=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From:Subject:Reply-To; b=hXeK59YACZjLWOMQj803iSWV8jcVcorn7ovF6z/xi2i1hEobn31g92tJ7/0IDu5ezosJW798gTNDu/iyp396QwqskaD238H1eOkp5u0iDOG4oVmQa/zKL1xcbXcDPKqdpU5YMz15Kpz98T48k9JPWzJ1pm5RQicLDnZ3vOxs4XlPJUuir0Czg0m0p7Vu6V0wapqfCOLKuaap1fmFxj8Lq+gMu9TvEL/L4lRBhHEi9d11lslHH00OR/Fdr3t2D6ZynphvG2RLmtZ+7t45vBXtBNS0Q1AnAd9AE3GDUHpfzOv5pNVWwuSCZvt2kUgby6S6vZUP8IxsPJr8OyLDvsCCWQ== X-SONIC-DKIM-SIGN: v=1; a=rsa-sha256; c=relaxed/relaxed; d=yahoo.com; s=s2048; t=1650294486; bh=THlOm56qqLM7jjy0oWlv79uA8dQtJmJQAV3MybDiqEI=; h=X-Sonic-MF:From:To:Subject:Date:From:Subject; b=S79kxUiTvDUqzeDjNxwMfzaLdUwRmz59BgUKvVzePzbTT+FC7mEmmREnhK8Yl4P75jBPR2WmWooM78cHm3tOnc8Z5VYIwI0ia0DVUpOcG8sMiMG9woAQqhhD9Zpuc/oLjNE6SMIV/mCLspltUA96nQz1uBYKn83ffKLYJhKl1nTFRngpdx8QT1uucfTzfLwAEhQNw9Q2HLi3IbtVRpIhZK7fLDntMUnwjhrbf8UoNqChnqMfqftCSvztyNdlQrBft9SthGV78/FWFo07pWVgzd99PEHz23BqE7+j9LvpSFP+615o5dGNcIuM7cAHckSqN0PMYWbyYdlmy0RmrItD1w== X-YMail-OSG: ufkWR7wVM1n7OFEt.pWhiGRlSa88oZ5wh5LJ3zGwE23j4wzdpLB34OZNa6YOms0 g..BUGMZGdpxyN8IDqWowjOuAHIM527Za2T34KZt78L4syj5seunfqtRpqjxDDg2NZnbcLScVDOv rNBCxvzlnaC6HIEI7BP9vG5UOjt7HC6jBVUYFhIk2s9dJRkIkE8HsoTfjmU5nbQaa9pTv.C8ZYP5 jLT1jcWI2e21n0hyExpXlRryUs4Khp6d6cKDZ99Kzt23lLZMs0xYwFO7l39aQNqqrV4vrt6W15gl Oqetm3Q520uG.e.7LHtJRPGqAnf8B9BYfEy05hOyxkWZ2eRZhsvcPSIxBfcT3Bi3EQcVVa9_OrAo fTvA9ZlowqqIWs4wa7Ct_i6Ru3VrdFWlTBZ.evYbvPlrMURuh6dtKUfAIRi0F_vAtCILG_beCcLN 0kpIdEvMjLpJsNlg7GOUFEOvWnnJe02SfbnHyw9wXC40oEVbZMtbj21oz24Vy8OdE1GW2YQ2VfNP lk8cqgZyUXZOcKN5vsDsV8OQG9DvqQuwf31GAGulyYM7I2.SBlDmrzEdNifiWb1bEes_OWmlpdWA k8l0jnnNrffxiY21cWa940r7z4TVWqprFGTtN2v2gHE2oJkW_3tR1CAtrr6BTZ_hKLMklNM3oYqY lRcwBykzrPMwlwNv9MrX_2p1VuVGDMaPVjci2LgDjUUlZb9AVKIkimMeMdd2RtPZcDf7sAwY.kOq EyPRg0YqkPScouJqSm0y2xta7A6gQnrLYSm4NQ7WlmodlzPoS0wILtsjEVPSQO9i6q5buxbiLrxN mnOTTxK1HauMbXimIxhn3aVzOZZErk5KBkHzOZ.Ayn8pSc2w.TpJkFR8BWZI6zE5bVlox2gHZaNZ 3OY5BR1t9C6W_uU7z91zJKTXv5l.UI.9htkQm8mBngYCSbdTB9aOv4o6ieKbWLqGVbF_tSl29xPE buDckv.R6iOhI.hjdszgIbfVmLxCPAkUlVAgYiKCSARJCfNOL2vIWqxtWLNl8GiE7o7mkjIFYS4g ctqAZX4IyrLzktTuMmMOflpMEZ5m7_22OjQBO5a0np2cnH6RjNIlQ.7JWBa.boq2xVULMZjpZXR3 bc2xRbeHDb3SXNGqOt85KgFWhBheMDXakVx6.KYTNt4C0uyLvw6eSTEDvveBKio3JlUXx.MzJ267 4z65xhkLcgtC3RST_WbQ0C1D3163qkrAVXImYumEDUnebTP2Jg2vnKNwnCWqItJ77K4Yx7N0ZTt0 zRe3I7keXi8YQNEUu7XaTCgVp0jGUJrxBzs9zS_PoylNKMNXE7pfmskPojcuywJRKdzasYs7Yudk nbMEX3TfHxlkXYH1QRcrdvo4AEUPPQC0zRbN6ZYslanvC711nhuTowdUKvs1HflqItYCuazQk271 cJMqXnYU4sXTkfw64.bApcCB9AEtZRQoxZ2XVnQhAw41Tz.2k4k3JR..TlyT5lWZL79SCe5FR5J2 fpcEZrc7vt6wApJ0A59Rs0I_nlzpJrhgJ6iW1ZO.TJ0mRN7nLjNxT53nGcZjLrdVjS2eDwhZUoLj WmhmJCV03qASl5_1l0fYHWycmwqMV9uP45CpXaTW5m2_tWU7HqDtseq3.HXSpspX531Eb_JTY8Ho fc8LaMNeJpZRo7M6IP4MzPZl5G.ZVAWMt.Akyc20.QBwI5b6yA6D7DLj7jA4bEplqRPkJ5RcfVMd SMBWtJR6iM0931NvVCcSKHLPT42RTHuwEbtulv21hKeO5vrh2KI47_urCstOmR.8QDCieUJZ8fiZ 3Sa90v4dR7VtPl7OfPK3k4EbGM.XcKZn6N1OnB3_cA3HdYa8_KqiosKBLk5Ycxv_O4WT3faLig5d YuwfagfP0sqohS9mpdbVby7KVBnyV0HGoT5KEPIKnGVP65l1_plUFKx8JvTGAXmLBzdL8PrdJbcU mjFrFNIMJE8JJoVZO5LEGjI4TaffPIOUqqTtMPtF2kdzHVSWcPYrbllg1KfL6Qn2QO8LNvdv4INx rTwMVMpwMLEHrj5YdZo2viWiQ.vMHebunv1Ikf6LVV6igII3waB6oyV5DXgb1IMonQAuzfDeFiZX 8rzbUOQ3bsiRT9FPdvNF07AUSh8nuC3up.SxJmuBMFdEm96B7Rd_WyUqr21VqMtdsyXNv7JGsVQt AbK54ChIcQ6LVAJP6BmvgG624cG6mA_CO8fs6OD378qN.Vlrj_e_wD7GZTD.HR703CxkEu7iojQG mufYvn.Gm6sfZ41gUXJhNthMG4VEzsshQohWyYOpdLRPTKqv1dcLqDFiFlHr4HJdEaJ3X4hZdqYA QZUeaCX.QByRq5_o7eJhJqHzVfkjWGuVdE6k8ghalTuubx1as492gb4tmWA-- X-Sonic-MF: Received: from sonic.gate.mail.ne1.yahoo.com by sonic311.consmr.mail.ne1.yahoo.com with HTTP; Mon, 18 Apr 2022 15:08:06 +0000 Received: by hermes--canary-production-ne1-c7c4f6977-qcc8c (VZM Hermes SMTP Server) with ESMTPA ID 2afd461de5a55bc64b17c8606f02f3b8; Mon, 18 Apr 2022 15:08:00 +0000 (UTC) From: Casey Schaufler To: casey.schaufler@intel.com, jmorris@namei.org, linux-security-module@vger.kernel.org, selinux@vger.kernel.org Cc: casey@schaufler-ca.com, linux-audit@redhat.com, keescook@chromium.org, john.johansen@canonical.com, penguin-kernel@i-love.sakura.ne.jp, paul@paul-moore.com, stephen.smalley.work@gmail.com, linux-kernel@vger.kernel.org, Chuck Lever , linux-nfs@vger.kernel.org Subject: [PATCH v35 17/29] LSM: Use lsmcontext in security_inode_getsecctx Date: Mon, 18 Apr 2022 07:59:33 -0700 Message-Id: <20220418145945.38797-18-casey@schaufler-ca.com> X-Mailer: git-send-email 2.35.1 In-Reply-To: <20220418145945.38797-1-casey@schaufler-ca.com> References: <20220418145945.38797-1-casey@schaufler-ca.com> MIME-Version: 1.0 Precedence: bulk List-ID: X-Mailing-List: linux-nfs@vger.kernel.org Change the security_inode_getsecctx() interface to fill a lsmcontext structure instead of data and length pointers. This provides the information about which LSM created the context so that security_release_secctx() can use the correct hook. Acked-by: Stephen Smalley Acked-by: Paul Moore Acked-by: Chuck Lever Reviewed-by: Kees Cook Reviewed-by: John Johansen Signed-off-by: Casey Schaufler Cc: linux-nfs@vger.kernel.org --- fs/nfsd/nfs4xdr.c | 23 +++++++++-------------- include/linux/security.h | 5 +++-- security/security.c | 13 +++++++++++-- 3 files changed, 23 insertions(+), 18 deletions(-) diff --git a/fs/nfsd/nfs4xdr.c b/fs/nfsd/nfs4xdr.c index 77388b5ece56..b1505fbfb2e9 100644 --- a/fs/nfsd/nfs4xdr.c +++ b/fs/nfsd/nfs4xdr.c @@ -2713,11 +2713,11 @@ nfsd4_encode_layout_types(struct xdr_stream *xdr, u32 layout_types) #ifdef CONFIG_NFSD_V4_SECURITY_LABEL static inline __be32 nfsd4_encode_security_label(struct xdr_stream *xdr, struct svc_rqst *rqstp, - void *context, int len) + struct lsmcontext *context) { __be32 *p; - p = xdr_reserve_space(xdr, len + 4 + 4 + 4); + p = xdr_reserve_space(xdr, context->len + 4 + 4 + 4); if (!p) return nfserr_resource; @@ -2727,13 +2727,13 @@ nfsd4_encode_security_label(struct xdr_stream *xdr, struct svc_rqst *rqstp, */ *p++ = cpu_to_be32(0); /* lfs */ *p++ = cpu_to_be32(0); /* pi */ - p = xdr_encode_opaque(p, context, len); + p = xdr_encode_opaque(p, context->context, context->len); return 0; } #else static inline __be32 nfsd4_encode_security_label(struct xdr_stream *xdr, struct svc_rqst *rqstp, - void *context, int len) + struct lsmcontext *context) { return 0; } #endif @@ -2830,9 +2830,7 @@ nfsd4_encode_fattr(struct xdr_stream *xdr, struct svc_fh *fhp, int err; struct nfs4_acl *acl = NULL; #ifdef CONFIG_NFSD_V4_SECURITY_LABEL - struct lsmcontext scaff; /* scaffolding */ - void *context = NULL; - int contextlen; + struct lsmcontext context = { }; #endif bool contextsupport = false; struct nfsd4_compoundres *resp = rqstp->rq_resp; @@ -2893,7 +2891,7 @@ nfsd4_encode_fattr(struct xdr_stream *xdr, struct svc_fh *fhp, bmval0 & FATTR4_WORD0_SUPPORTED_ATTRS) { if (exp->ex_flags & NFSEXP_SECURITY_LABEL) err = security_inode_getsecctx(d_inode(dentry), - &context, &contextlen); + &context); else err = -EOPNOTSUPP; contextsupport = (err == 0); @@ -3320,8 +3318,7 @@ nfsd4_encode_fattr(struct xdr_stream *xdr, struct svc_fh *fhp, #ifdef CONFIG_NFSD_V4_SECURITY_LABEL if (bmval2 & FATTR4_WORD2_SECURITY_LABEL) { - status = nfsd4_encode_security_label(xdr, rqstp, context, - contextlen); + status = nfsd4_encode_security_label(xdr, rqstp, &context); if (status) goto out; } @@ -3342,10 +3339,8 @@ nfsd4_encode_fattr(struct xdr_stream *xdr, struct svc_fh *fhp, out: #ifdef CONFIG_NFSD_V4_SECURITY_LABEL - if (context) { - lsmcontext_init(&scaff, context, contextlen, 0); /*scaffolding*/ - security_release_secctx(&scaff); - } + if (context.context) + security_release_secctx(&context); #endif /* CONFIG_NFSD_V4_SECURITY_LABEL */ kfree(acl); if (tempfh) { diff --git a/include/linux/security.h b/include/linux/security.h index 945b21f6ffa4..dc66f3f48456 100644 --- a/include/linux/security.h +++ b/include/linux/security.h @@ -622,7 +622,7 @@ void security_release_secctx(struct lsmcontext *cp); void security_inode_invalidate_secctx(struct inode *inode); int security_inode_notifysecctx(struct inode *inode, void *ctx, u32 ctxlen); int security_inode_setsecctx(struct dentry *dentry, void *ctx, u32 ctxlen); -int security_inode_getsecctx(struct inode *inode, void **ctx, u32 *ctxlen); +int security_inode_getsecctx(struct inode *inode, struct lsmcontext *cp); int security_locked_down(enum lockdown_reason what); #else /* CONFIG_SECURITY */ @@ -1498,7 +1498,8 @@ static inline int security_inode_setsecctx(struct dentry *dentry, void *ctx, u32 { return -EOPNOTSUPP; } -static inline int security_inode_getsecctx(struct inode *inode, void **ctx, u32 *ctxlen) +static inline int security_inode_getsecctx(struct inode *inode, + struct lsmcontext *cp) { return -EOPNOTSUPP; } diff --git a/security/security.c b/security/security.c index 91e9c8341a55..64073d807240 100644 --- a/security/security.c +++ b/security/security.c @@ -2434,9 +2434,18 @@ int security_inode_setsecctx(struct dentry *dentry, void *ctx, u32 ctxlen) } EXPORT_SYMBOL(security_inode_setsecctx); -int security_inode_getsecctx(struct inode *inode, void **ctx, u32 *ctxlen) +int security_inode_getsecctx(struct inode *inode, struct lsmcontext *cp) { - return call_int_hook(inode_getsecctx, -EOPNOTSUPP, inode, ctx, ctxlen); + struct security_hook_list *hp; + + memset(cp, 0, sizeof(*cp)); + + hlist_for_each_entry(hp, &security_hook_heads.inode_getsecctx, list) { + cp->slot = hp->lsmid->slot; + return hp->hook.inode_getsecctx(inode, (void **)&cp->context, + &cp->len); + } + return -EOPNOTSUPP; } EXPORT_SYMBOL(security_inode_getsecctx);