Linux kernel mirror (for testing) git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git

lsm: secctx provider check on release

Verify that the LSM releasing the secctx is the LSM that
allocated it. This was not necessary when only one LSM could
create a secctx, but once there can be more than one it is.

Signed-off-by: Casey Schaufler <casey@schaufler-ca.com>
[PM: subject tweak]
Signed-off-by: Paul Moore <paul@paul-moore.com>

authored by Casey Schaufler and committed by Paul Moore
a4626e97 b530104f

+10 -16
+5 -8
security/apparmor/secid.c
··· 108 108 109 109 void apparmor_release_secctx(struct lsm_context *cp) 110 110 { 111 - /* 112 - * stacking scaffolding: 113 - * When it is possible for more than one LSM to provide a 114 - * release hook, do this check: 115 - * if (cp->id == LSM_ID_APPARMOR || cp->id == LSM_ID_UNDEF) 116 - */ 117 - 118 - kfree(cp->context); 111 + if (cp->id == LSM_ID_APPARMOR) { 112 + kfree(cp->context); 113 + cp->context = NULL; 114 + cp->id = LSM_ID_UNDEF; 115 + } 119 116 } 120 117 121 118 /**
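Review bot: The new test in apparmor_release_secctx() accepts only `cp->id == LSM_ID_APPARMOR`, while the scaffolding comment it replaces had planned to accept `LSM_ID_UNDEF` as well. A context that reaches this hook with its id still unset is now skipped, so its `cp->context` is never passed to kfree(). Neither the hunk nor the commit message says why the LSM_ID_UNDEF case was dropped. Please either state in the changelog that every allocation path sets `cp->id`, or keep the LSM_ID_UNDEF branch until that is guaranteed.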
+5 -8
security/selinux/hooks.c
··· 6672 6672 6673 6673 static void selinux_release_secctx(struct lsm_context *cp) 6674 6674 { 6675 - /* 6676 - * stacking scaffolding: 6677 - * When it is possible for more than one LSM to provide a 6678 - * release hook, do this check: 6679 - * if (cp->id == LSM_ID_SELINUX || cp->id == LSM_ID_UNDEF) 6680 - */ 6681 - 6682 - kfree(cp->context); 6675 + if (cp->id == LSM_ID_SELINUX) { 6676 + kfree(cp->context); 6677 + cp->context = NULL; 6678 + cp->id = LSM_ID_UNDEF; 6679 + } 6683 6680 } 6684 6681 6685 6682 static void selinux_inode_invalidate_secctx(struct inode *inode)
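Review bot: selinux_release_secctx() loses its only comment here and gains a contract that is not written down anywhere in the hunk: it frees only a context tagged LSM_ID_SELINUX, and it then clears `cp->context` and resets `cp->id` to LSM_ID_UNDEF so that a second release, or a release hook from another LSM called on the same structure, does nothing. A short comment above the `if` stating both halves (ownership check, then reset so repeated calls are harmless) would keep later cleanups from removing the two assignments as redundant. Also consider whether a mismatched id should be silent: as written, a context with an unexpected id is left allocated with no diagnostic.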