proc: Use lsmids instead of lsm names for attrs

Use the LSM ID number instead of the LSM name to identify which
security module's attribute data should be shown in /proc/self/attr.
The security_[gs]etprocattr() functions have been changed to expect
the LSM ID. The change from a string comparison to an integer comparison
in these functions will provide a minor performance improvement.

Cc: linux-fsdevel@vger.kernel.org
Signed-off-by: Casey Schaufler <casey@schaufler-ca.com>
Reviewed-by: Kees Cook <keescook@chromium.org>
Reviewed-by: Serge Hallyn <serge@hallyn.com>
Reviewed-by: Mickael Salaun <mic@digikod.net>
Reviewed-by: John Johansen <john.johansen@canonical.com>
Signed-off-by: Paul Moore <paul@paul-moore.com>

authored by

Casey Schaufler and committed by
Paul Moore
267c068e 9285c5ad

+28 -29
+15 -14
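--- a/fs/proc/base.c
+++ b/fs/proc/base.c
@@ -97,6 +97,7 @@
 #include <linux/resctrl.h>
 #include <linux/cn_proc.h>
 #include <linux/ksm.h>
+#include <uapi/linux/lsm.h>
 #include <trace/events/oom.h>
 #include "internal.h"
 #include "fd.h"
@@ -147,10 +146,10 @@
 NOD(NAME, (S_IFREG|(MODE)), \
 NULL, &proc_single_file_operations, \
 { .proc_show = show } )
-#define ATTR(LSM, NAME, MODE) \
+#define ATTR(LSMID, NAME, MODE) \
 NOD(NAME, (S_IFREG|(MODE)), \
 NULL, &proc_pid_attr_operations, \
-{ .lsm = LSM })
+{ .lsmid = LSMID })
 
 /*
 * Count the number of hardlinks for the pid_entry table, excluding the .
@@ -2727,7 +2726,7 @@
 if (!task)
 return -ESRCH;
 
-length = security_getprocattr(task, PROC_I(inode)->op.lsm,
+length = security_getprocattr(task, PROC_I(inode)->op.lsmid,
 file->f_path.dentry->d_name.name,
 &p);
 put_task_struct(task);
@@ -2785,7 +2784,7 @@
 if (rv < 0)
 goto out_free;
 
-rv = security_setprocattr(PROC_I(inode)->op.lsm,
+rv = security_setprocattr(PROC_I(inode)->op.lsmid,
 file->f_path.dentry->d_name.name, page,
 count);
 mutex_unlock(&current->signal->cred_guard_mutex);
@@ -2834,27 +2833,27 @@
 
 #ifdef CONFIG_SECURITY_SMACK
 static const struct pid_entry smack_attr_dir_stuff[] = {
-ATTR("smack", "current", 0666),
+ATTR(LSM_ID_SMACK, "current", 0666),
 };
 LSM_DIR_OPS(smack);
 #endif
 
 #ifdef CONFIG_SECURITY_APPARMOR
 static const struct pid_entry apparmor_attr_dir_stuff[] = {
-ATTR("apparmor", "current", 0666),
-ATTR("apparmor", "prev", 0444),
-ATTR("apparmor", "exec", 0666),
+ATTR(LSM_ID_APPARMOR, "current", 0666),
+ATTR(LSM_ID_APPARMOR, "prev", 0444),
+ATTR(LSM_ID_APPARMOR, "exec", 0666),
 };
 LSM_DIR_OPS(apparmor);
 #endif
 
 static const struct pid_entry attr_dir_stuff[] = {
-ATTR(NULL, "current", 0666),
-ATTR(NULL, "prev", 0444),
-ATTR(NULL, "exec", 0666),
-ATTR(NULL, "fscreate", 0666),
-ATTR(NULL, "keycreate", 0666),
-ATTR(NULL, "sockcreate", 0666),
+ATTR(LSM_ID_UNDEF, "current", 0666),
+ATTR(LSM_ID_UNDEF, "prev", 0444),
+ATTR(LSM_ID_UNDEF, "exec", 0666),
+ATTR(LSM_ID_UNDEF, "fscreate", 0666),
+ATTR(LSM_ID_UNDEF, "keycreate", 0666),
+ATTR(LSM_ID_UNDEF, "sockcreate", 0666),
 #ifdef CONFIG_SECURITY_SMACK
 DIR("smack", 0555,
 proc_smack_attr_dir_inode_ops, proc_smack_attr_dir_ops),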
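Review bot: The six generic entries of attr_dir_stuff[] now read `ATTR(LSM_ID_UNDEF, ...)` with nothing in this file saying what an undefined id means for dispatch, and these are the attribute files every task sees under /proc/<pid>/attr/. Since LSM_ID_UNDEF is 0 in <uapi/linux/lsm.h> and security.c skips the id comparison when lsmid is 0, the request goes to whichever LSM registered the hook first; a one-line comment above the table, `/* LSM_ID_UNDEF: served by the first LSM that registers the hook, see security_getprocattr() */`, would keep that ordering-dependent behaviour visible where the table is maintained. The read and write callers around the two security_*procattr() call sites start and end outside their hunks.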
+1 -1
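--- a/fs/proc/internal.h
+++ b/fs/proc/internal.h
@@ -92,7 +92,7 @@
 int (*proc_show)(struct seq_file *m,
 struct pid_namespace *ns, struct pid *pid,
 struct task_struct *task);
-const char *lsm;
+int lsmid;
 };
 
 struct proc_inode {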
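Review bot: The new `int lsmid;` member is less self-describing than the name string it replaces, and nothing here says which values are legal or where they come from. A trailing comment, `int lsmid; /* LSM_ID_* from <uapi/linux/lsm.h>; LSM_ID_UNDEF means first LSM providing the hook */`, would tie the field to the header fs/proc/base.c now includes. The enclosing struct's header is outside the hunk.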
+5 -6
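--- a/include/linux/security.h
+++ b/include/linux/security.h
@@ -472,10 +472,9 @@
 int security_sem_semop(struct kern_ipc_perm *sma, struct sembuf *sops,
 unsigned nsops, int alter);
 void security_d_instantiate(struct dentry *dentry, struct inode *inode);
-int security_getprocattr(struct task_struct *p, const char *lsm, const char *name,
+int security_getprocattr(struct task_struct *p, int lsmid, const char *name,
 char **value);
-int security_setprocattr(const char *lsm, const char *name, void *value,
-size_t size);
+int security_setprocattr(int lsmid, const char *name, void *value, size_t size);
 int security_netlink_send(struct sock *sk, struct sk_buff *skb);
 int security_ismaclabel(const char *name);
 int security_secid_to_secctx(u32 secid, char **secdata, u32 *seclen);
@@ -1338,14 +1339,14 @@
 struct inode *inode)
 { }
 
-static inline int security_getprocattr(struct task_struct *p, const char *lsm,
+static inline int security_getprocattr(struct task_struct *p, int lsmid,
 const char *name, char **value)
 {
 return -EINVAL;
 }
 
-static inline int security_setprocattr(const char *lsm, char *name,
-void *value, size_t size)
+static inline int security_setprocattr(int lsmid, char *name, void *value,
+size_t size)
 {
 return -EINVAL;
 }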
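Review bot: The rewritten stub on new line 1348 keeps `char *name` while the declaration on new line 477 and the definition in security/security.c take `const char *name`; since the hunk already reflows this signature, aligning it now avoids carrying two different prototypes for the same function: `static inline int security_setprocattr(int lsmid, const char *name, void *value,`. The inline stubs returning -EINVAL presumably sit in the !CONFIG_SECURITY branch; the #ifdef enclosing them is outside the hunk.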
+7 -8
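--- a/security/security.c
+++ b/security/security.c
@@ -3840,7 +3840,7 @@
 /**
 * security_getprocattr() - Read an attribute for a task
 * @p: the task
-* @lsm: LSM name
+* @lsmid: LSM identification
 * @name: attribute name
 * @value: attribute value
 *
@@ -3848,13 +3848,13 @@
 *
 * Return: Returns the length of @value on success, a negative value otherwise.
 */
-int security_getprocattr(struct task_struct *p, const char *lsm,
-const char *name, char **value)
+int security_getprocattr(struct task_struct *p, int lsmid, const char *name,
+char **value)
 {
 struct security_hook_list *hp;
 
 hlist_for_each_entry(hp, &security_hook_heads.getprocattr, list) {
-if (lsm != NULL && strcmp(lsm, hp->lsmid->name))
+if (lsmid != 0 && lsmid != hp->lsmid->id)
 continue;
 return hp->hook.getprocattr(p, name, value);
 }
@@ -3863,7 +3863,7 @@
 
 /**
 * security_setprocattr() - Set an attribute for a task
-* @lsm: LSM name
+* @lsmid: LSM identification
 * @name: attribute name
 * @value: attribute value
 * @size: attribute value size
@@ -3873,13 +3873,12 @@
 *
 * Return: Returns bytes written on success, a negative value otherwise.
 */
-int security_setprocattr(const char *lsm, const char *name, void *value,
-size_t size)
+int security_setprocattr(int lsmid, const char *name, void *value, size_t size)
 {
 struct security_hook_list *hp;
 
 hlist_for_each_entry(hp, &security_hook_heads.setprocattr, list) {
-if (lsm != NULL && strcmp(lsm, hp->lsmid->name))
+if (lsmid != 0 && lsmid != hp->lsmid->id)
 continue;
 return hp->hook.setprocattr(name, value, size);
 }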
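Review bot: Both rewritten loop tests, new lines 3857 and 3881, spell the "any LSM" wildcard as a bare `0` while the caller in fs/proc/base.c passes `LSM_ID_UNDEF`; comparing against the named constant, `if (lsmid != LSM_ID_UNDEF && lsmid != hp->lsmid->id)`, keeps both ends of the contract in the same vocabulary and does not depend on LSM_ID_UNDEF staying 0 in <uapi/linux/lsm.h>. The kernel-doc would also benefit from saying that an undefined id dispatches to whichever LSM registered the hook first, since that ordering-dependent behaviour is inherited from the old NULL-name path and is not conveyed by `@lsmid: LSM identification`. The tail of each function after the loop is outside its hunk.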