Commit 2d470c77 authored by Casey Schaufler's avatar Casey Schaufler Committed by Paul Moore

lsm: replace context+len with lsm_context



Replace the (secctx,seclen) pointer pair with a single
lsm_context pointer to allow return of the LSM identifier
along with the context and context length. This allows
security_release_secctx() to know how to release the
context. Callers have been modified to use or save the
returned data from the new structure.

security_secid_to_secctx() and security_lsmprop_to_secctx()
will now return the length value on success instead of 0.

Cc: netdev@vger.kernel.org
Cc: audit@vger.kernel.org
Cc: netfilter-devel@vger.kernel.org
Cc: Todd Kjos <tkjos@google.com>
Signed-off-by: default avatarCasey Schaufler <casey@schaufler-ca.com>
[PM: subject tweak, kdoc fix, signedness fix from Dan Carpenter]
Signed-off-by: default avatarPaul Moore <paul@paul-moore.com>
parent 6fba8981
+2 −3
@@ -3296,9 +3296,8 @@ static void binder_transaction(struct binder_proc *proc,
		size_t added_size;

		security_cred_getsecid(proc->cred, &secid);
		ret = security_secid_to_secctx(secid, &lsmctx.context,
					       &lsmctx.len);
		if (ret) {
		ret = security_secid_to_secctx(secid, &lsmctx);
		if (ret < 0) {
			binder_txn_error("%d:%d failed to get security context\n",
				thread->pid, proc->pid);
			return_error = BR_FAILED_REPLY;
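Review bot: After the `if (ret < 0)` test, `ret` holds the context length on success rather than 0, so any later code in binder_transaction that still treats a non-zero `ret` as failure, or returns it as a status, would now misfire; the function body runs past both ends of the hunk, so I cannot see whether `ret` is reused before being reassigned. If it is, `ret = 0;` immediately after the check, or taking the length from `lsmctx.len`, restores the old invariant. It is also worth confirming that `lsmctx` is zero-initialised at its declaration (outside the hunk), since the description says security_release_secctx() now relies on the identifier the hook stores in the struct.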
+2 −3
@@ -295,10 +295,9 @@ LSM_HOOK(int, -EINVAL, getprocattr, struct task_struct *p, const char *name,
	 char **value)
LSM_HOOK(int, -EINVAL, setprocattr, const char *name, void *value, size_t size)
LSM_HOOK(int, 0, ismaclabel, const char *name)
LSM_HOOK(int, -EOPNOTSUPP, secid_to_secctx, u32 secid, char **secdata,
	 u32 *seclen)
LSM_HOOK(int, -EOPNOTSUPP, secid_to_secctx, u32 secid, struct lsm_context *cp)
LSM_HOOK(int, -EOPNOTSUPP, lsmprop_to_secctx, struct lsm_prop *prop,
	 char **secdata, u32 *seclen)
	 struct lsm_context *cp)
LSM_HOOK(int, 0, secctx_to_secid, const char *secdata, u32 seclen, u32 *secid)
LSM_HOOK(void, LSM_RET_VOID, release_secctx, struct lsm_context *cp)
LSM_HOOK(void, LSM_RET_VOID, inode_invalidate_secctx, struct inode *inode)
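Review bot: The `struct lsm_context *cp` parameter on secid_to_secctx and lsmprop_to_secctx is, per the description, how release_secctx learns which LSM owns the buffer, so every implementation of these two hooks now has to fill in the LSM identifier as well as the context pointer and length; the implementations are not on this page, so I can only flag the obligation. An implementation that stores only context and len would leave release_secctx with nothing to dispatch on. A one-line comment beside these two LSM_HOOK entries, `/* implementations fill in the LSM identifier together with context and len */`, would make the contract visible where the hook is declared.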
+4 −5
@@ -584,8 +584,8 @@ int security_getprocattr(struct task_struct *p, int lsmid, const char *name,
int security_setprocattr(int lsmid, const char *name, void *value, size_t size);
int security_netlink_send(struct sock *sk, struct sk_buff *skb);
int security_ismaclabel(const char *name);
int security_secid_to_secctx(u32 secid, char **secdata, u32 *seclen);
int security_lsmprop_to_secctx(struct lsm_prop *prop, char **secdata, u32 *seclen);
int security_secid_to_secctx(u32 secid, struct lsm_context *cp);
int security_lsmprop_to_secctx(struct lsm_prop *prop, struct lsm_context *cp);
int security_secctx_to_secid(const char *secdata, u32 seclen, u32 *secid);
void security_release_secctx(struct lsm_context *cp);
void security_inode_invalidate_secctx(struct inode *inode);
@@ -1557,14 +1557,13 @@ static inline int security_ismaclabel(const char *name)
	return 0;
}

static inline int security_secid_to_secctx(u32 secid, char **secdata,
					   u32 *seclen)
static inline int security_secid_to_secctx(u32 secid, struct lsm_context *cp)
{
	return -EOPNOTSUPP;
}

static inline int security_lsmprop_to_secctx(struct lsm_prop *prop,
					     char **secdata, u32 *seclen)
					     struct lsm_context *cp)
{
	return -EOPNOTSUPP;
}
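Review bot: The prototypes `int security_secid_to_secctx(u32 secid, struct lsm_context *cp);` and `int security_lsmprop_to_secctx(struct lsm_prop *prop, struct lsm_context *cp);` now return the context length on success (the description says so), but nothing in security.h records that, and the CONFIG_SECURITY=n stubs in the second hunk still return -EOPNOTSUPP, which is the only return value a reader of this header sees. A short comment above the two prototypes, `/* Return the context length (>= 0) on success, -errno on failure. */`, would keep future callers from reintroducing `if (ret)` tests. The stubs themselves are consistent with the converted callers, which all check `< 0`.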
+2 −3
@@ -109,10 +109,9 @@ static inline void scm_passec(struct socket *sock, struct msghdr *msg, struct sc
	int err;

	if (test_bit(SOCK_PASSSEC, &sock->flags)) {
		err = security_secid_to_secctx(scm->secid, &ctx.context,
					       &ctx.len);
		err = security_secid_to_secctx(scm->secid, &ctx);

		if (!err) {
		if (err >= 0) {
			put_cmsg(msg, SOL_SOCKET, SCM_SECURITY, ctx.len,
				 ctx.context);
			security_release_secctx(&ctx);
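Review bot: With `if (err >= 0)` a zero return can only mean a zero-length context, and put_cmsg is then invoked with `ctx.len == 0`; that matches what `!err` did before, but the reason for the `>= 0` test is not apparent at the call site. A comment on the assignment, `/* >= 0: length of ctx.context; < 0: -errno */`, would document the new contract where it is relied on. The closing braces of scm_passec lie past the end of the hunk.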
+4 −5
@@ -1473,9 +1473,8 @@ static int audit_receive_msg(struct sk_buff *skb, struct nlmsghdr *nlh,
	case AUDIT_SIGNAL_INFO:
		if (lsmprop_is_set(&audit_sig_lsm)) {
			err = security_lsmprop_to_secctx(&audit_sig_lsm,
							 &lsmctx.context,
							 &lsmctx.len);
			if (err)
							 &lsmctx);
			if (err < 0)
				return err;
		}
		sig_data = kmalloc(struct_size(sig_data, ctx, lsmctx.len),
@@ -2188,8 +2187,8 @@ int audit_log_task_context(struct audit_buffer *ab)
	if (!lsmprop_is_set(&prop))
		return 0;

	error = security_lsmprop_to_secctx(&prop, &ctx.context, &ctx.len);
	if (error) {
	error = security_lsmprop_to_secctx(&prop, &ctx);
	if (error < 0) {
		if (error != -EINVAL)
			goto error_path;
		return 0;
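Review bot: In audit_receive_msg, `lsmctx.len` feeds `struct_size(sig_data, ctx, lsmctx.len)` on the line after the `if (lsmprop_is_set(&audit_sig_lsm))` block, so when no property is set the length comes solely from the declaration of `lsmctx`, which is outside the hunk; the old code had the same shape, but the new call now also stores the LSM identifier in the struct, so an explicit zero initialiser at the declaration is worth confirming rather than assuming. The second hunk in audit_log_task_context is consistent with the new contract (`error < 0`, with -EINVAL still treated as "no context").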