lsm: lsm_context in security_dentry_init_security

Replace the (secctx,seclen) pointer pair with a single lsm_context
pointer to allow return of the LSM identifier along with the context
and context length. This allows security_release_secctx() to know how
to release the context. Callers have been modified to use or save the
returned data from the new structure.

Cc: ceph-devel@vger.kernel.org
Cc: linux-nfs@vger.kernel.org
Signed-off-by: Casey Schaufler <casey@schaufler-ca.com>
[PM: subject tweak]
Signed-off-by: Paul Moore <paul@paul-moore.com>

authored by

Casey Schaufler and committed by
Paul Moore
b530104f 76ecf306

+49 -70
+1 -2
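--- a/fs/ceph/super.h
+++ b/fs/ceph/super.h
@@ -1132,8 +1132,7 @@
 	void *acl;
 #endif
 #ifdef CONFIG_CEPH_FS_SECURITY_LABEL
-	void *sec_ctx;
-	u32 sec_ctxlen;
+	struct lsm_context lsmctx;
 #endif
 #ifdef CONFIG_FS_ENCRYPTION
 	struct ceph_fscrypt_auth *fscrypt_auth;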
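Review bot: The new `lsmctx` member carries no comment, yet it now holds an LSM-owned buffer whose lifetime is tied to two different functions in fs/ceph/xattr.c (filled by the security_dentry_init_security() call, handed to security_release_secctx() in ceph_release_acl_sec_ctx()). A one-line comment on the field makes that ownership visible to anyone adding a new exit path, e.g. `struct lsm_context lsmctx; /* from security_dentry_init_security(); released in ceph_release_acl_sec_ctx() */`. Because the struct is embedded by value, this header also needs the full definition of struct lsm_context in scope; the include that provides it is not shown here.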
+6 -10
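--- a/fs/ceph/xattr.c
+++ b/fs/ceph/xattr.c
@@ -1383,8 +1383,7 @@
 	int err;

 	err = security_dentry_init_security(dentry, mode, &dentry->d_name,
-					    &name, &as_ctx->sec_ctx,
-					    &as_ctx->sec_ctxlen);
+					    &name, &as_ctx->lsmctx);
 	if (err < 0) {
 		WARN_ON_ONCE(err != -EOPNOTSUPP);
 		err = 0; /* do nothing */
@@ -1408,7 +1409,7 @@
 	 */
 	name_len = strlen(name);
 	err = ceph_pagelist_reserve(pagelist,
-				    4 * 2 + name_len + as_ctx->sec_ctxlen);
+				    4 * 2 + name_len + as_ctx->lsmctx.len);
 	if (err)
 		goto out;

@@ -1431,8 +1432,9 @@
 	ceph_pagelist_encode_32(pagelist, name_len);
 	ceph_pagelist_append(pagelist, name, name_len);

-	ceph_pagelist_encode_32(pagelist, as_ctx->sec_ctxlen);
-	ceph_pagelist_append(pagelist, as_ctx->sec_ctx, as_ctx->sec_ctxlen);
+	ceph_pagelist_encode_32(pagelist, as_ctx->lsmctx.len);
+	ceph_pagelist_append(pagelist, as_ctx->lsmctx.context,
+			     as_ctx->lsmctx.len);

 	err = 0;
 out:
@@ -1446,16 +1446,12 @@

 void ceph_release_acl_sec_ctx(struct ceph_acl_sec_ctx *as_ctx)
 {
-#ifdef CONFIG_CEPH_FS_SECURITY_LABEL
-	struct lsm_context scaff; /* scaffolding */
-#endif
 #ifdef CONFIG_CEPH_FS_POSIX_ACL
 	posix_acl_release(as_ctx->acl);
 	posix_acl_release(as_ctx->default_acl);
 #endif
 #ifdef CONFIG_CEPH_FS_SECURITY_LABEL
-	lsmcontext_init(&scaff, as_ctx->sec_ctx, as_ctx->sec_ctxlen, 0);
-	security_release_secctx(&scaff);
+	security_release_secctx(&as_ctx->lsmctx);
 #endif
 #ifdef CONFIG_FS_ENCRYPTION
 	kfree(as_ctx->fscrypt_auth);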
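Review bot: ceph_release_acl_sec_ctx() now passes as_ctx->lsmctx to security_release_secctx() unconditionally, even though the -EOPNOTSUPP branch in the first hunk leaves the structure untouched (err is reset to 0 and execution continues), so the code depends on whoever allocates as_ctx zero-filling it and on security_release_secctx() accepting a context whose .context is NULL and whose .id was never set by an LSM; neither fact is visible in this diff. The old sec_ctx/sec_ctxlen pair had the same dependency, but .id is a new value that the release side now interprets. fs/fuse/dir.c in the same commit guards its release with `if (nr_ctx)`; either add an equivalent guard here or document the assumption above the call, e.g. `/* lsmctx stays zeroed when no LSM answered; release must tolerate that */`. The function containing the first hunk starts before line 1383 and continues past line 1390, so a length check on the encode path may already exist in lines not shown.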
+18 -17
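--- a/fs/fuse/dir.c
+++ b/fs/fuse/dir.c
@@ -467,29 +467,29 @@
 {
 	struct fuse_secctx *fctx;
 	struct fuse_secctx_header *header;
-	void *ctx = NULL, *ptr;
-	u32 ctxlen, total_len = sizeof(*header);
+	struct lsm_context lsmctx = { };
+	void *ptr;
+	u32 total_len = sizeof(*header);
 	int err, nr_ctx = 0;
-	const char *name;
+	const char *name = NULL;
 	size_t namelen;

 	err = security_dentry_init_security(entry, mode, &entry->d_name,
-					    &name, &ctx, &ctxlen);
-	if (err) {
-		if (err != -EOPNOTSUPP)
-			goto out_err;
-		/* No LSM is supporting this security hook. Ignore error */
-		ctxlen = 0;
-		ctx = NULL;
-	}
+					    &name, &lsmctx);

-	if (ctxlen) {
+	/* If no LSM is supporting this security hook ignore error */
+	if (err && err != -EOPNOTSUPP)
+		goto out_err;
+
+	if (lsmctx.len) {
 		nr_ctx = 1;
 		namelen = strlen(name) + 1;
 		err = -EIO;
-		if (WARN_ON(namelen > XATTR_NAME_MAX + 1 || ctxlen > S32_MAX))
+		if (WARN_ON(namelen > XATTR_NAME_MAX + 1 ||
+			    lsmctx.len > S32_MAX))
 			goto out_err;
-		total_len += FUSE_REC_ALIGN(sizeof(*fctx) + namelen + ctxlen);
+		total_len += FUSE_REC_ALIGN(sizeof(*fctx) + namelen +
+					    lsmctx.len);
 	}

 	err = -ENOMEM;
@@ -502,19 +502,20 @@
 	ptr += sizeof(*header);
 	if (nr_ctx) {
 		fctx = ptr;
-		fctx->size = ctxlen;
+		fctx->size = lsmctx.len;
 		ptr += sizeof(*fctx);

 		strcpy(ptr, name);
 		ptr += namelen;

-		memcpy(ptr, ctx, ctxlen);
+		memcpy(ptr, lsmctx.context, lsmctx.len);
 	}
 	ext->size = total_len;
 	ext->value = header;
 	err = 0;
 out_err:
-	kfree(ctx);
+	if (nr_ctx)
+		security_release_secctx(&lsmctx);
 	return err;
 }
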
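Review bot: The cleanup at `out_err:` releases lsmctx only when nr_ctx is set, and nr_ctx is set only when lsmctx.len is non-zero, so a hook that succeeds with a non-NULL .context but .len == 0 would never have its context released; whether any LSM can return that shape is not visible here. Keying the release on the pointer the LSM actually handed back is more direct and still covers the WARN_ON failure path, e.g. `if (lsmctx.context) security_release_secctx(&lsmctx);`. The `= { }` initialiser is now what makes the -EOPNOTSUPP path safe, since the old explicit `ctxlen = 0; ctx = NULL;` reset is gone; a short comment on that declaration, `/* zeroed: stays empty when no LSM answers, see out_err */`, would keep a later cleanup from dropping it. The enclosing function's signature sits just above the first hunk.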
+12 -8
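--- a/fs/nfs/nfs4proc.c
+++ b/fs/nfs/nfs4proc.c
@@ -114,6 +114,7 @@
 nfs4_label_init_security(struct inode *dir, struct dentry *dentry,
 			 struct iattr *sattr, struct nfs4_label *label)
 {
+	struct lsm_context shim;
 	int err;

 	if (label == NULL)
@@ -129,21 +128,24 @@
 	label->label = NULL;

 	err = security_dentry_init_security(dentry, sattr->ia_mode,
-					&dentry->d_name, NULL,
-					(void **)&label->label, &label->len);
-	if (err == 0)
-		return label;
+					&dentry->d_name, NULL, &shim);
+	if (err)
+		return NULL;

-	return NULL;
+	label->label = shim.context;
+	label->len = shim.len;
+	return label;
 }
 static inline void
 nfs4_label_release_security(struct nfs4_label *label)
 {
-	struct lsm_context scaff; /* scaffolding */
+	struct lsm_context shim;

 	if (label) {
-		lsmcontext_init(&scaff, label->label, label->len, 0);
-		security_release_secctx(&scaff);
+		shim.context = label->label;
+		shim.len = label->len;
+		shim.id = LSM_ID_UNDEF;
+		security_release_secctx(&shim);
 	}
 }
 static inline u32 *nfs4_bitmask(struct nfs_server *server, struct nfs4_label *label)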
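Review bot: nfs4_label_release_security() rebuilds its shim with `shim.id = LSM_ID_UNDEF`, which throws away the LSM identifier that nfs4_label_init_security() received in shim.id from the hook — the very value the commit message says security_release_secctx() needs in order to know how to release the context. Only shim.context and shim.len are copied into the nfs4_label, so the id is lost between the two functions unless struct nfs4_label (not shown) gains a field for it. Either carry the id in the label, or add a comment at the LSM_ID_UNDEF assignment stating the contract it relies on, e.g. `/* nfs4_label keeps no LSM id; release must cope with LSM_ID_UNDEF */`. The lines between the two hunks (120–128) are not shown, so an early return there that leaves shim uninitialised cannot be ruled out from this view.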
+1 -1
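--- a/include/linux/lsm_hook_defs.h
+++ b/include/linux/lsm_hook_defs.h
@@ -83,7 +83,7 @@
 	 const struct path *to_path)
 LSM_HOOK(int, -EOPNOTSUPP, dentry_init_security, struct dentry *dentry,
 	 int mode, const struct qstr *name, const char **xattr_name,
-	 void **ctx, u32 *ctxlen)
+	 struct lsm_context *cp)
 LSM_HOOK(int, 0, dentry_create_files_as, struct dentry *dentry, int mode,
 	 struct qstr *name, const struct cred *old, struct cred *new)
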
+3 -23
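--- a/include/linux/security.h
+++ b/include/linux/security.h
@@ -237,25 +237,6 @@
 	int id;	/* Identifies the module */
 };

-/**
- * lsmcontext_init - initialize an lsmcontext structure.
- * @cp: Pointer to the context to initialize
- * @context: Initial context, or NULL
- * @size: Size of context, or 0
- * @id: Which LSM provided the context
- *
- * Fill in the lsmcontext from the provided information.
- * This is a scaffolding function that will be removed when
- * lsm_context integration is complete.
- */
-static inline void lsmcontext_init(struct lsm_context *cp, char *context,
-				   u32 size, int id)
-{
-	cp->id = id;
-	cp->context = context;
-	cp->len = size;
-}
-
 /*
  * Values used in the task_security_ops calls
  */
@@ -390,8 +409,8 @@
 int security_move_mount(const struct path *from_path, const struct path *to_path);
 int security_dentry_init_security(struct dentry *dentry, int mode,
 				  const struct qstr *name,
-				  const char **xattr_name, void **ctx,
-				  u32 *ctxlen);
+				  const char **xattr_name,
+				  struct lsm_context *lsmcxt);
 int security_dentry_create_files_as(struct dentry *dentry, int mode,
 				    struct qstr *name,
 				    const struct cred *old,
@@ -864,8 +883,7 @@
 					     int mode,
 					     const struct qstr *name,
 					     const char **xattr_name,
-					     void **ctx,
-					     u32 *ctxlen)
+					     struct lsm_context *lsmcxt)
 {
 	return -EOPNOTSUPP;
 }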
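Review bot: The !CONFIG_SECURITY stub in the last hunk returns -EOPNOTSUPP without writing to *lsmcxt, and the LSM_HOOK default in include/linux/lsm_hook_defs.h behaves the same way, so every caller must pre-initialise the structure itself — fs/fuse/dir.c does with `= { }`, fs/ceph relies on its allocator, and fs/nfs passes an uninitialised `shim` and only gets away with it because it ignores the structure on error. Having the stub write `lsmcxt->context = NULL; lsmcxt->len = 0;` (and `lsmcxt->id = LSM_ID_UNDEF;` if that constant is in scope here) before returning, or stating in the prototype's kerneldoc that the output is untouched on error, would make the contract explicit rather than implicit. Minor: the prototype and stub spell the parameter `lsmcxt` while the definition in security/security.c uses `lsmctx`; aligning them avoids a mismatch with the @-name in the kerneldoc.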
+4 -5
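--- a/security/security.c
+++ b/security/security.c
@@ -1735,8 +1735,7 @@
  * @mode: mode used to determine resource type
  * @name: name of the last path component
  * @xattr_name: name of the security/LSM xattr
- * @ctx: pointer to the resulting LSM context
- * @ctxlen: length of @ctx
+ * @lsmctx: pointer to the resulting LSM context
  *
  * Compute a context for a dentry as the inode is not yet available since NFSv4
  * has no label backed by an EA anyway. It is important to note that
@@ -1745,11 +1746,11 @@
  */
 int security_dentry_init_security(struct dentry *dentry, int mode,
 				  const struct qstr *name,
-				  const char **xattr_name, void **ctx,
-				  u32 *ctxlen);
+				  const char **xattr_name,
+				  struct lsm_context *lsmctx)
 {
 	return call_int_hook(dentry_init_security, dentry, mode, name,
-				xattr_name, ctx, ctxlen);
+				xattr_name, lsmctx);
 }
 EXPORT_SYMBOL(security_dentry_init_security);
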
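Review bot: The new kerneldoc line `@lsmctx: pointer to the resulting LSM context` does not say that the structure is an output, which fields the hook fills on success (.context, .len, .id), that the caller must hand it back to security_release_secctx(), or what state it is in on -EOPNOTSUPP; those are exactly the facts the new callers in fs/ceph, fs/fuse and fs/nfs depend on. Suggested wording: `@lsmctx: on success, filled with the context, its length and the id of the LSM that produced it; the caller releases it with security_release_secctx(). Not written on error.`. The "not written on error" part should be confirmed against each LSM's hook before it is promised — the SELinux hook in this same commit stores .id before the call that can fail.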
+4 -4
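--- a/security/selinux/hooks.c
+++ b/security/selinux/hooks.c
@@ -2869,8 +2869,8 @@

 static int selinux_dentry_init_security(struct dentry *dentry, int mode,
 					const struct qstr *name,
-					const char **xattr_name, void **ctx,
-					u32 *ctxlen)
+					const char **xattr_name,
+					struct lsm_context *cp)
 {
 	u32 newsid;
 	int rc;
@@ -2885,8 +2885,8 @@
 	if (xattr_name)
 		*xattr_name = XATTR_NAME_SELINUX;

-	return security_sid_to_context(newsid, (char **)ctx,
-				       ctxlen);
+	cp->id = LSM_ID_SELINUX;
+	return security_sid_to_context(newsid, &cp->context, &cp->len);
 }

 static int selinux_dentry_create_files_as(struct dentry *dentry, int mode,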
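Review bot: `cp->id = LSM_ID_SELINUX` is stored before security_sid_to_context() runs, so on failure the caller gets back a context tagged as SELinux-owned whose .context and .len hold whatever that routine left behind; whether it clears its outputs on error is not visible here, and callers that release keyed on .len (fs/fuse) or unconditionally (fs/ceph) would then act on a half-filled structure. Setting the id only once a context actually exists keeps *cp consistent on every path, and `rc` is already declared at line 2876 for it: `rc = security_sid_to_context(newsid, &cp->context, &cp->len); if (!rc) cp->id = LSM_ID_SELINUX; return rc;`. Any early return in the lines not shown between the two hunks (2877–2884) would leave *cp entirely untouched, which at least matches the !CONFIG_SECURITY stub in include/linux/security.h.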