sem/security: Pass kern_ipc_perm not sem_array into the sem security hooks

All of the implementations of security hooks that take sem_array only
access sem_perm, the struct kern_ipc_perm member. This means the
dependencies of the sem security hooks can be simplified by passing
the kern_ipc_perm member of sem_array.

Making this change will allow struct sem and struct sem_array
to become private to ipc/sem.c.

Signed-off-by: "Eric W. Biederman" <ebiederm@xmission.com>

+53 -57
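--- a/include/linux/lsm_hooks.h
+++ b/include/linux/lsm_hooks.h
@@ -1592,11 +1592,11 @@
 	int (*shm_shmat)(struct shmid_kernel *shp, char __user *shmaddr,
 				int shmflg);
 
-	int (*sem_alloc_security)(struct sem_array *sma);
-	void (*sem_free_security)(struct sem_array *sma);
-	int (*sem_associate)(struct sem_array *sma, int semflg);
-	int (*sem_semctl)(struct sem_array *sma, int cmd);
-	int (*sem_semop)(struct sem_array *sma, struct sembuf *sops,
+	int (*sem_alloc_security)(struct kern_ipc_perm *sma);
+	void (*sem_free_security)(struct kern_ipc_perm *sma);
+	int (*sem_associate)(struct kern_ipc_perm *sma, int semflg);
+	int (*sem_semctl)(struct kern_ipc_perm *sma, int cmd);
+	int (*sem_semop)(struct kern_ipc_perm *sma, struct sembuf *sops,
 				unsigned nsops, int alter);
 
 	int (*netlink_send)(struct sock *sk, struct sk_buff *skb);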
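Review bot: The five sem hook pointers now take `struct kern_ipc_perm *` but keep the parameter name `sma`, which reads as "semaphore array" and no longer matches the type; `ipcp` would match `selinux_ipc_permission(struct kern_ipc_perm *ipcp, ...)` visible in the SELinux hunk of this same commit. Because `kern_ipc_perm` is the member shared by sem, shm and msg objects, the compiler no longer rejects a caller that hands one of these hooks a non-semaphore perm, so the hook documentation should state the contract explicitly, e.g. `/* sem hooks receive the sem_perm of a struct sem_array, never a shm or msg perm */`. If the kernel-doc block describing `@sem_alloc_security` and the other sem hooks earlier in this header (outside the hunk) still mentions sem_array, it needs the same update. The enclosing definition begins and ends outside the hunk.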
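--- a/include/linux/security.h
+++ b/include/linux/security.h
@@ -36,7 +36,6 @@
 struct cred;
 struct rlimit;
 struct siginfo;
-struct sem_array;
 struct sembuf;
 struct kern_ipc_perm;
 struct audit_context;
@@ -367,11 +368,11 @@
 int security_shm_associate(struct shmid_kernel *shp, int shmflg);
 int security_shm_shmctl(struct shmid_kernel *shp, int cmd);
 int security_shm_shmat(struct shmid_kernel *shp, char __user *shmaddr, int shmflg);
-int security_sem_alloc(struct sem_array *sma);
-void security_sem_free(struct sem_array *sma);
-int security_sem_associate(struct sem_array *sma, int semflg);
-int security_sem_semctl(struct sem_array *sma, int cmd);
-int security_sem_semop(struct sem_array *sma, struct sembuf *sops,
+int security_sem_alloc(struct kern_ipc_perm *sma);
+void security_sem_free(struct kern_ipc_perm *sma);
+int security_sem_associate(struct kern_ipc_perm *sma, int semflg);
+int security_sem_semctl(struct kern_ipc_perm *sma, int cmd);
+int security_sem_semop(struct kern_ipc_perm *sma, struct sembuf *sops,
 			unsigned nsops, int alter);
 void security_d_instantiate(struct dentry *dentry, struct inode *inode);
 int security_getprocattr(struct task_struct *p, char *name, char **value);
@@ -1102,25 +1103,25 @@
 	return 0;
 }
 
-static inline int security_sem_alloc(struct sem_array *sma)
+static inline int security_sem_alloc(struct kern_ipc_perm *sma)
 {
 	return 0;
 }
 
-static inline void security_sem_free(struct sem_array *sma)
+static inline void security_sem_free(struct kern_ipc_perm *sma)
 { }
 
-static inline int security_sem_associate(struct sem_array *sma, int semflg)
+static inline int security_sem_associate(struct kern_ipc_perm *sma, int semflg)
 {
 	return 0;
 }
 
-static inline int security_sem_semctl(struct sem_array *sma, int cmd)
+static inline int security_sem_semctl(struct kern_ipc_perm *sma, int cmd)
 {
 	return 0;
 }
 
-static inline int security_sem_semop(struct sem_array *sma,
+static inline int security_sem_semop(struct kern_ipc_perm *sma,
 				     struct sembuf *sops, unsigned nsops,
 				     int alter)
 {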
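--- a/ipc/sem.c
+++ b/ipc/sem.c
@@ -265,6 +265,6 @@
 	struct kern_ipc_perm *p = container_of(head, struct kern_ipc_perm, rcu);
 	struct sem_array *sma = container_of(p, struct sem_array, sem_perm);
 
-	security_sem_free(sma);
+	security_sem_free(&sma->sem_perm);
 	kvfree(sma);
 }
@@ -495,7 +495,7 @@
 	sma->sem_perm.key = key;
 
 	sma->sem_perm.security = NULL;
-	retval = security_sem_alloc(sma);
+	retval = security_sem_alloc(&sma->sem_perm);
 	if (retval) {
 		kvfree(sma);
 		return retval;
@@ -535,10 +535,7 @@
  */
 static inline int sem_security(struct kern_ipc_perm *ipcp, int semflg)
 {
-	struct sem_array *sma;
-
-	sma = container_of(ipcp, struct sem_array, sem_perm);
-	return security_sem_associate(sma, semflg);
+	return security_sem_associate(ipcp, semflg);
 }
 
 /*
@@ -1206,7 +1209,7 @@
 	if (ipcperms(ns, &sma->sem_perm, S_IRUGO))
 		goto out_unlock;
 
-	err = security_sem_semctl(sma, cmd);
+	err = security_sem_semctl(&sma->sem_perm, cmd);
 	if (err)
 		goto out_unlock;
 
@@ -1297,7 +1300,7 @@
 		return -EACCES;
 	}
 
-	err = security_sem_semctl(sma, SETVAL);
+	err = security_sem_semctl(&sma->sem_perm, SETVAL);
 	if (err) {
 		rcu_read_unlock();
 		return -EACCES;
@@ -1351,7 +1354,7 @@
 	if (ipcperms(ns, &sma->sem_perm, cmd == SETALL ? S_IWUGO : S_IRUGO))
 		goto out_rcu_wakeup;
 
-	err = security_sem_semctl(sma, cmd);
+	err = security_sem_semctl(&sma->sem_perm, cmd);
 	if (err)
 		goto out_rcu_wakeup;
 
@@ -1542,7 +1545,7 @@
 
 	sma = container_of(ipcp, struct sem_array, sem_perm);
 
-	err = security_sem_semctl(sma, cmd);
+	err = security_sem_semctl(&sma->sem_perm, cmd);
 	if (err)
 		goto out_unlock1;
 
@@ -1959,7 +1962,7 @@
 		goto out_free;
 	}
 
-	error = security_sem_semop(sma, sops, nsops, alter);
+	error = security_sem_semop(&sma->sem_perm, sops, nsops, alter);
 	if (error) {
 		rcu_read_unlock();
 		goto out_free;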
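Review bot: `sem_security()` is now a one-line pass-through to `security_sem_associate(ipcp, semflg)`, yet the comment block that ends with the `*/` at line 535 (its body is outside the hunk) presumably still describes the container_of step the function used to perform; it should be reduced to something like `/* sem_security - LSM associate check for a semaphore set; the hook takes the kern_ipc_perm directly */`. If nothing requires a separate symbol with exactly this signature, the wrapper could be dropped in a follow-up and the caller pointed at `security_sem_associate` itself, but that depends on how it is referenced elsewhere in the file, which this hunk does not show. The remaining hunks only change the argument to `&sma->sem_perm` and are fine; each enclosing function starts and ends outside its hunk.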
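--- a/security/security.c
+++ b/security/security.c
@@ -1220,27 +1220,27 @@
 	return call_int_hook(shm_shmat, 0, shp, shmaddr, shmflg);
 }
 
-int security_sem_alloc(struct sem_array *sma)
+int security_sem_alloc(struct kern_ipc_perm *sma)
 {
 	return call_int_hook(sem_alloc_security, 0, sma);
 }
 
-void security_sem_free(struct sem_array *sma)
+void security_sem_free(struct kern_ipc_perm *sma)
 {
 	call_void_hook(sem_free_security, sma);
 }
 
-int security_sem_associate(struct sem_array *sma, int semflg)
+int security_sem_associate(struct kern_ipc_perm *sma, int semflg)
 {
 	return call_int_hook(sem_associate, 0, sma, semflg);
 }
 
-int security_sem_semctl(struct sem_array *sma, int cmd)
+int security_sem_semctl(struct kern_ipc_perm *sma, int cmd)
 {
 	return call_int_hook(sem_semctl, 0, sma, cmd);
 }
 
-int security_sem_semop(struct sem_array *sma, struct sembuf *sops,
+int security_sem_semop(struct kern_ipc_perm *sma, struct sembuf *sops,
 		       unsigned nsops, int alter)
 {
 	return call_int_hook(sem_semop, 0, sma, sops, nsops, alter);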
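--- a/security/selinux/hooks.c
+++ b/security/selinux/hooks.c
@@ -5767,53 +5767,53 @@
 }
 
 /* Semaphore security operations */
-static int selinux_sem_alloc_security(struct sem_array *sma)
+static int selinux_sem_alloc_security(struct kern_ipc_perm *sma)
 {
 	struct ipc_security_struct *isec;
 	struct common_audit_data ad;
 	u32 sid = current_sid();
 	int rc;
 
-	rc = ipc_alloc_security(&sma->sem_perm, SECCLASS_SEM);
+	rc = ipc_alloc_security(sma, SECCLASS_SEM);
 	if (rc)
 		return rc;
 
-	isec = sma->sem_perm.security;
+	isec = sma->security;
 
 	ad.type = LSM_AUDIT_DATA_IPC;
-	ad.u.ipc_id = sma->sem_perm.key;
+	ad.u.ipc_id = sma->key;
 
 	rc = avc_has_perm(sid, isec->sid, SECCLASS_SEM,
 			  SEM__CREATE, &ad);
 	if (rc) {
-		ipc_free_security(&sma->sem_perm);
+		ipc_free_security(sma);
 		return rc;
 	}
 	return 0;
 }
 
-static void selinux_sem_free_security(struct sem_array *sma)
+static void selinux_sem_free_security(struct kern_ipc_perm *sma)
 {
-	ipc_free_security(&sma->sem_perm);
+	ipc_free_security(sma);
 }
 
-static int selinux_sem_associate(struct sem_array *sma, int semflg)
+static int selinux_sem_associate(struct kern_ipc_perm *sma, int semflg)
 {
 	struct ipc_security_struct *isec;
 	struct common_audit_data ad;
 	u32 sid = current_sid();
 
-	isec = sma->sem_perm.security;
+	isec = sma->security;
 
 	ad.type = LSM_AUDIT_DATA_IPC;
-	ad.u.ipc_id = sma->sem_perm.key;
+	ad.u.ipc_id = sma->key;
 
 	return avc_has_perm(sid, isec->sid, SECCLASS_SEM,
 			    SEM__ASSOCIATE, &ad);
 }
 
 /* Note, at this point, sma is locked down */
-static int selinux_sem_semctl(struct sem_array *sma, int cmd)
+static int selinux_sem_semctl(struct kern_ipc_perm *sma, int cmd)
 {
 	int err;
 	u32 perms;
@@ -5851,11 +5851,11 @@
 		return 0;
 	}
 
-	err = ipc_has_perm(&sma->sem_perm, perms);
+	err = ipc_has_perm(sma, perms);
 	return err;
 }
 
-static int selinux_sem_semop(struct sem_array *sma,
+static int selinux_sem_semop(struct kern_ipc_perm *sma,
 			     struct sembuf *sops, unsigned nsops, int alter)
 {
 	u32 perms;
@@ -5865,7 +5865,7 @@
 	else
 		perms = SEM__READ;
 
-	return ipc_has_perm(&sma->sem_perm, perms);
+	return ipc_has_perm(sma, perms);
 }
 
 static int selinux_ipc_permission(struct kern_ipc_perm *ipcp, short flag)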
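Review bot: `selinux_sem_alloc_security()` labels whatever perm it is given with `SECCLASS_SEM` through `ipc_alloc_security(sma, SECCLASS_SEM)` and then checks `SEM__CREATE` on it, and `selinux_sem_semctl()`/`selinux_sem_semop()` check SEM permissions via `ipc_has_perm(sma, perms)`; now that the argument is the generic `struct kern_ipc_perm *`, only the caller guarantees this object is a semaphore set, since a shm or msg perm has the same type. Extending the existing `/* Semaphore security operations */` comment to `/* Semaphore security operations: every hook below receives the sem_perm of a struct sem_array and labels/checks it as SECCLASS_SEM */` records that contract where the next reader will look. The parameter name `sma` is now misleading for a `kern_ipc_perm`; `selinux_ipc_permission()` at the bottom of the hunk already uses `ipcp` for the same type. `selinux_sem_semctl()` and `selinux_sem_semop()` each continue outside the hunk boundaries.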
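--- a/security/smack/smack_lsm.c
+++ b/security/smack/smack_lsm.c
@@ -3077,9 +3077,9 @@
  *
  * Returns a pointer to the smack value
  */
-static struct smack_known *smack_of_sem(struct sem_array *sma)
+static struct smack_known *smack_of_sem(struct kern_ipc_perm *sma)
 {
-	return (struct smack_known *)sma->sem_perm.security;
+	return (struct smack_known *)sma->security;
 }
 
 /**
@@ -3088,9 +3088,9 @@
  *
  * Returns 0
  */
-static int smack_sem_alloc_security(struct sem_array *sma)
+static int smack_sem_alloc_security(struct kern_ipc_perm *sma)
 {
-	struct kern_ipc_perm *isp = &sma->sem_perm;
+	struct kern_ipc_perm *isp = sma;
 	struct smack_known *skp = smk_of_current();
 
 	isp->security = skp;
@@ -3103,9 +3103,9 @@
  *
  * Clears the blob pointer
  */
-static void smack_sem_free_security(struct sem_array *sma)
+static void smack_sem_free_security(struct kern_ipc_perm *sma)
 {
-	struct kern_ipc_perm *isp = &sma->sem_perm;
+	struct kern_ipc_perm *isp = sma;
 
 	isp->security = NULL;
 }
@@ -3117,7 +3117,7 @@
  *
  * Returns 0 if current has the requested access, error code otherwise
  */
-static int smk_curacc_sem(struct sem_array *sma, int access)
+static int smk_curacc_sem(struct kern_ipc_perm *sma, int access)
 {
 	struct smack_known *ssp = smack_of_sem(sma);
 	struct smk_audit_info ad;
@@ -3125,7 +3125,7 @@
 
 #ifdef CONFIG_AUDIT
 	smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_IPC);
-	ad.a.u.ipc_id = sma->sem_perm.id;
+	ad.a.u.ipc_id = sma->id;
 #endif
 	rc = smk_curacc(ssp, access, &ad);
 	rc = smk_bu_current("sem", ssp, access, rc);
@@ -3139,7 +3139,7 @@
  *
  * Returns 0 if current has the requested access, error code otherwise
  */
-static int smack_sem_associate(struct sem_array *sma, int semflg)
+static int smack_sem_associate(struct kern_ipc_perm *sma, int semflg)
 {
 	int may;
 
@@ -3154,7 +3154,7 @@
  *
  * Returns 0 if current has the requested access, error code otherwise
  */
-static int smack_sem_semctl(struct sem_array *sma, int cmd)
+static int smack_sem_semctl(struct kern_ipc_perm *sma, int cmd)
 {
 	int may;
 
@@ -3198,7 +3198,7 @@
  *
  * Returns 0 if access is allowed, error code otherwise
  */
-static int smack_sem_semop(struct sem_array *sma, struct sembuf *sops,
+static int smack_sem_semop(struct kern_ipc_perm *sma, struct sembuf *sops,
 			   unsigned nsops, int alter)
 {
 	return smk_curacc_sem(sma, MAY_READWRITE);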
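Review bot: The `@sma:` lines of the kernel-doc blocks above each changed function sit outside the hunks (only the closing `* Returns ...` and `*/` lines are visible), so they should be checked for a lingering "semaphore array" description and reworded to `@sma: the kern_ipc_perm of the semaphore set`. In `smack_sem_alloc_security()` and `smack_sem_free_security()` the local `struct kern_ipc_perm *isp = sma;` is now a plain alias of the parameter; renaming the parameter to `isp`, the name this file already uses for that type, and dropping the local would leave `isp->security = skp;` and `isp->security = NULL;` unchanged while removing the leftover `sma` name. `smack_of_sem()` no longer contains anything semaphore-specific beyond its name, so if the shm and msg accessors are converted the same way they will be identical and can be merged in a follow-up; that is inferred, not visible here. `smk_curacc_sem()` spans two hunks and begins and ends outside them.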