Merge tag 'lsm-pr-20240617' of git://git.kernel.org/pub/scm/linux/kernel/git/pcmoore/lsm

+1 -1

include/linux/lsm_hook_defs.h

··· 413 413 414 414 #ifdef CONFIG_AUDIT 415 415 LSM_HOOK(int, 0, audit_rule_init, u32 field, u32 op, char *rulestr, 416 - void **lsmrule) 416 + void **lsmrule, gfp_t gfp) 417 417 LSM_HOOK(int, 0, audit_rule_known, struct audit_krule *krule) 418 418 LSM_HOOK(int, 0, audit_rule_match, u32 secid, u32 field, u32 op, void *lsmrule) 419 419 LSM_HOOK(void, LSM_RET_VOID, audit_rule_free, void *lsmrule)

+3 -2

include/linux/security.h

··· 2048 2048 2049 2049 #ifdef CONFIG_AUDIT 2050 2050 #ifdef CONFIG_SECURITY 2051 - int security_audit_rule_init(u32 field, u32 op, char *rulestr, void **lsmrule); 2051 + int security_audit_rule_init(u32 field, u32 op, char *rulestr, void **lsmrule, 2052 + gfp_t gfp); 2052 2053 int security_audit_rule_known(struct audit_krule *krule); 2053 2054 int security_audit_rule_match(u32 secid, u32 field, u32 op, void *lsmrule); 2054 2055 void security_audit_rule_free(void *lsmrule); ··· 2057 2056 #else 2058 2057 2059 2058 static inline int security_audit_rule_init(u32 field, u32 op, char *rulestr, 2060 - void **lsmrule) 2059 + void **lsmrule, gfp_t gfp) 2061 2060 { 2062 2061 return 0; 2063 2062 }

+3 -2

kernel/auditfilter.c

··· 529 529 entry->rule.buflen += f_val; 530 530 f->lsm_str = str; 531 531 err = security_audit_rule_init(f->type, f->op, str, 532 - (void **)&f->lsm_rule); 532 + (void **)&f->lsm_rule, 533 + GFP_KERNEL); 533 534 /* Keep currently invalid fields around in case they 534 535 * become valid after a policy reload. */ 535 536 if (err == -EINVAL) { ··· 800 799 801 800 /* our own (refreshed) copy of lsm_rule */ 802 801 ret = security_audit_rule_init(df->type, df->op, df->lsm_str, 803 - (void **)&df->lsm_rule); 802 + (void **)&df->lsm_rule, GFP_KERNEL); 804 803 /* Keep currently invalid fields around in case they 805 804 * become valid after a policy reload. */ 806 805 if (ret == -EINVAL) {

+3 -3

security/apparmor/audit.c

··· 217 217 } 218 218 } 219 219 220 - int aa_audit_rule_init(u32 field, u32 op, char *rulestr, void **vrule) 220 + int aa_audit_rule_init(u32 field, u32 op, char *rulestr, void **vrule, gfp_t gfp) 221 221 { 222 222 struct aa_audit_rule *rule; 223 223 ··· 230 230 return -EINVAL; 231 231 } 232 232 233 - rule = kzalloc(sizeof(struct aa_audit_rule), GFP_KERNEL); 233 + rule = kzalloc(sizeof(struct aa_audit_rule), gfp); 234 234 235 235 if (!rule) 236 236 return -ENOMEM; 237 237 238 238 /* Currently rules are treated as coming from the root ns */ 239 239 rule->label = aa_label_parse(&root_ns->unconfined->label, rulestr, 240 - GFP_KERNEL, true, false); 240 + gfp, true, false); 241 241 if (IS_ERR(rule->label)) { 242 242 int err = PTR_ERR(rule->label); 243 243 aa_audit_rule_free(rule);

+1 -1

security/apparmor/include/audit.h

··· 200 200 } 201 201 202 202 void aa_audit_rule_free(void *vrule); 203 - int aa_audit_rule_init(u32 field, u32 op, char *rulestr, void **vrule); 203 + int aa_audit_rule_init(u32 field, u32 op, char *rulestr, void **vrule, gfp_t gfp); 204 204 int aa_audit_rule_known(struct audit_krule *rule); 205 205 int aa_audit_rule_match(u32 sid, u32 field, u32 op, void *vrule); 206 206

+1 -1

security/integrity/ima/ima.h

··· 546 546 #else 547 547 548 548 static inline int ima_filter_rule_init(u32 field, u32 op, char *rulestr, 549 - void **lsmrule) 549 + void **lsmrule, gfp_t gfp) 550 550 { 551 551 return -EINVAL; 552 552 }

+9 -6

security/integrity/ima/ima_policy.c

··· 401 401 kfree(entry); 402 402 } 403 403 404 - static struct ima_rule_entry *ima_lsm_copy_rule(struct ima_rule_entry *entry) 404 + static struct ima_rule_entry *ima_lsm_copy_rule(struct ima_rule_entry *entry, 405 + gfp_t gfp) 405 406 { 406 407 struct ima_rule_entry *nentry; 407 408 int i; ··· 411 410 * Immutable elements are copied over as pointers and data; only 412 411 * lsm rules can change 413 412 */ 414 - nentry = kmemdup(entry, sizeof(*nentry), GFP_KERNEL); 413 + nentry = kmemdup(entry, sizeof(*nentry), gfp); 415 414 if (!nentry) 416 415 return NULL; 417 416 ··· 426 425 427 426 ima_filter_rule_init(nentry->lsm[i].type, Audit_equal, 428 427 nentry->lsm[i].args_p, 429 - &nentry->lsm[i].rule); 428 + &nentry->lsm[i].rule, 429 + gfp); 430 430 if (!nentry->lsm[i].rule) 431 431 pr_warn("rule for LSM \'%s\' is undefined\n", 432 432 nentry->lsm[i].args_p); ··· 440 438 int i; 441 439 struct ima_rule_entry *nentry; 442 440 443 - nentry = ima_lsm_copy_rule(entry); 441 + nentry = ima_lsm_copy_rule(entry, GFP_KERNEL); 444 442 if (!nentry) 445 443 return -ENOMEM; 446 444 ··· 666 664 } 667 665 668 666 if (rc == -ESTALE && !rule_reinitialized) { 669 - lsm_rule = ima_lsm_copy_rule(rule); 667 + lsm_rule = ima_lsm_copy_rule(rule, GFP_ATOMIC); 670 668 if (lsm_rule) { 671 669 rule_reinitialized = true; 672 670 goto retry; ··· 1142 1140 entry->lsm[lsm_rule].type = audit_type; 1143 1141 result = ima_filter_rule_init(entry->lsm[lsm_rule].type, Audit_equal, 1144 1142 entry->lsm[lsm_rule].args_p, 1145 - &entry->lsm[lsm_rule].rule); 1143 + &entry->lsm[lsm_rule].rule, 1144 + GFP_KERNEL); 1146 1145 if (!entry->lsm[lsm_rule].rule) { 1147 1146 pr_warn("rule for LSM \'%s\' is undefined\n", 1148 1147 entry->lsm[lsm_rule].args_p);

+4 -2

security/security.c

··· 5332 5332 * @op: rule operator 5333 5333 * @rulestr: rule context 5334 5334 * @lsmrule: receive buffer for audit rule struct 5335 + * @gfp: GFP flag used for kmalloc 5335 5336 * 5336 5337 * Allocate and initialize an LSM audit rule structure. 5337 5338 * 5338 5339 * Return: Return 0 if @lsmrule has been successfully set, -EINVAL in case of 5339 5340 * an invalid rule. 5340 5341 */ 5341 - int security_audit_rule_init(u32 field, u32 op, char *rulestr, void **lsmrule) 5342 + int security_audit_rule_init(u32 field, u32 op, char *rulestr, void **lsmrule, 5343 + gfp_t gfp) 5342 5344 { 5343 - return call_int_hook(audit_rule_init, field, op, rulestr, lsmrule); 5345 + return call_int_hook(audit_rule_init, field, op, rulestr, lsmrule, gfp); 5344 5346 } 5345 5347 5346 5348 /**

+3 -1

security/selinux/include/audit.h

··· 21 21 * @op: the operator the rule uses 22 22 * @rulestr: the text "target" of the rule 23 23 * @rule: pointer to the new rule structure returned via this 24 + * @gfp: GFP flag used for kmalloc 24 25 * 25 26 * Returns 0 if successful, -errno if not. On success, the rule structure 26 27 * will be allocated internally. The caller must free this structure with 27 28 * selinux_audit_rule_free() after use. 28 29 */ 29 - int selinux_audit_rule_init(u32 field, u32 op, char *rulestr, void **rule); 30 + int selinux_audit_rule_init(u32 field, u32 op, char *rulestr, void **rule, 31 + gfp_t gfp); 30 32 31 33 /** 32 34 * selinux_audit_rule_free - free an selinux audit rule structure.

+3 -2

security/selinux/ss/services.c

··· 3507 3507 } 3508 3508 } 3509 3509 3510 - int selinux_audit_rule_init(u32 field, u32 op, char *rulestr, void **vrule) 3510 + int selinux_audit_rule_init(u32 field, u32 op, char *rulestr, void **vrule, 3511 + gfp_t gfp) 3511 3512 { 3512 3513 struct selinux_state *state = &selinux_state; 3513 3514 struct selinux_policy *policy; ··· 3549 3548 return -EINVAL; 3550 3549 } 3551 3550 3552 - tmprule = kzalloc(sizeof(struct selinux_audit_rule), GFP_KERNEL); 3551 + tmprule = kzalloc(sizeof(struct selinux_audit_rule), gfp); 3553 3552 if (!tmprule) 3554 3553 return -ENOMEM; 3555 3554 context_init(&tmprule->au_ctxt);

+3 -1

security/smack/smack_lsm.c

··· 4693 4693 * @op: required testing operator (=, !=, >, <, ...) 4694 4694 * @rulestr: smack label to be audited 4695 4695 * @vrule: pointer to save our own audit rule representation 4696 + * @gfp: type of the memory for the allocation 4696 4697 * 4697 4698 * Prepare to audit cases where (@field @op @rulestr) is true. 4698 4699 * The label to be audited is created if necessay. 4699 4700 */ 4700 - static int smack_audit_rule_init(u32 field, u32 op, char *rulestr, void **vrule) 4701 + static int smack_audit_rule_init(u32 field, u32 op, char *rulestr, void **vrule, 4702 + gfp_t gfp) 4701 4703 { 4702 4704 struct smack_known *skp; 4703 4705 char **rule = (char **)vrule;

Configure Feed

Configure Feed