This repository has been archived by the owner on Jul 6, 2023. It is now read-only.
-
Notifications
You must be signed in to change notification settings - Fork 6
/
0094-LSM-Use-multiple-secids-in-security-module-interface.patch
1490 lines (1350 loc) · 51.3 KB
/
0094-LSM-Use-multiple-secids-in-security-module-interface.patch
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
450
451
452
453
454
455
456
457
458
459
460
461
462
463
464
465
466
467
468
469
470
471
472
473
474
475
476
477
478
479
480
481
482
483
484
485
486
487
488
489
490
491
492
493
494
495
496
497
498
499
500
501
502
503
504
505
506
507
508
509
510
511
512
513
514
515
516
517
518
519
520
521
522
523
524
525
526
527
528
529
530
531
532
533
534
535
536
537
538
539
540
541
542
543
544
545
546
547
548
549
550
551
552
553
554
555
556
557
558
559
560
561
562
563
564
565
566
567
568
569
570
571
572
573
574
575
576
577
578
579
580
581
582
583
584
585
586
587
588
589
590
591
592
593
594
595
596
597
598
599
600
601
602
603
604
605
606
607
608
609
610
611
612
613
614
615
616
617
618
619
620
621
622
623
624
625
626
627
628
629
630
631
632
633
634
635
636
637
638
639
640
641
642
643
644
645
646
647
648
649
650
651
652
653
654
655
656
657
658
659
660
661
662
663
664
665
666
667
668
669
670
671
672
673
674
675
676
677
678
679
680
681
682
683
684
685
686
687
688
689
690
691
692
693
694
695
696
697
698
699
700
701
702
703
704
705
706
707
708
709
710
711
712
713
714
715
716
717
718
719
720
721
722
723
724
725
726
727
728
729
730
731
732
733
734
735
736
737
738
739
740
741
742
743
744
745
746
747
748
749
750
751
752
753
754
755
756
757
758
759
760
761
762
763
764
765
766
767
768
769
770
771
772
773
774
775
776
777
778
779
780
781
782
783
784
785
786
787
788
789
790
791
792
793
794
795
796
797
798
799
800
801
802
803
804
805
806
807
808
809
810
811
812
813
814
815
816
817
818
819
820
821
822
823
824
825
826
827
828
829
830
831
832
833
834
835
836
837
838
839
840
841
842
843
844
845
846
847
848
849
850
851
852
853
854
855
856
857
858
859
860
861
862
863
864
865
866
867
868
869
870
871
872
873
874
875
876
877
878
879
880
881
882
883
884
885
886
887
888
889
890
891
892
893
894
895
896
897
898
899
900
901
902
903
904
905
906
907
908
909
910
911
912
913
914
915
916
917
918
919
920
921
922
923
924
925
926
927
928
929
930
931
932
933
934
935
936
937
938
939
940
941
942
943
944
945
946
947
948
949
950
951
952
953
954
955
956
957
958
959
960
961
962
963
964
965
966
967
968
969
970
971
972
973
974
975
976
977
978
979
980
981
982
983
984
985
986
987
988
989
990
991
992
993
994
995
996
997
998
999
1000
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: Casey Schaufler <[email protected]>
Date: Tue, 28 Aug 2018 11:40:43 -0700
Subject: [PATCH] LSM: Use multiple secids in security module interfaces
This is the first of two parts required to change the
security module infrastructure from using a u32 to
identify extended security attributes to using a pointer
to a structure containing the information required for
the set of security modules involved. You can't put an
SELinux secid, a Smack secid and an AppArmor secid
all into a u32. They don't fit. Schemes that map a
single u32 into sets of u32s are frought with data
management issues and as a result are not suitable for
use in the variety of ways secids manifest themselves
in the Linux kernel.
This patch changes the interfaces to the security modules
to use a "struct secids" pointer where they used a u32
before. There are changes in networking code where the
layering isn't so clean as I would like it to be.
Signed-off-by: Casey Schaufler <[email protected]>
---
include/linux/lsm_hooks.h | 38 +++++++-------
include/linux/security.h | 19 +++++++
include/net/flow.h | 5 +-
include/net/netlabel.h | 8 +--
net/core/filter.c | 4 +-
net/ipv4/cipso_ipv4.c | 4 +-
net/netlabel/netlabel_kapi.c | 4 +-
net/netlabel/netlabel_unlabeled.c | 29 ++++++-----
net/netlabel/netlabel_user.c | 4 +-
net/netlabel/netlabel_user.h | 2 +-
net/xfrm/xfrm_policy.c | 7 +--
net/xfrm/xfrm_state.c | 3 +-
security/apparmor/audit.c | 4 +-
security/apparmor/include/audit.h | 2 +-
security/apparmor/include/secid.h | 5 +-
security/apparmor/lsm.c | 7 +--
security/apparmor/secid.c | 9 ++--
security/security.c | 85 ++++++++++++++++++++++++-------
security/selinux/hooks.c | 59 +++++++++++----------
security/selinux/include/audit.h | 2 +-
security/selinux/include/xfrm.h | 9 ++--
security/selinux/netlabel.c | 2 +-
security/selinux/ss/services.c | 10 ++--
security/selinux/xfrm.c | 25 +++++----
security/smack/smack_access.c | 4 +-
security/smack/smack_lsm.c | 76 +++++++++++++++------------
security/smack/smackfs.c | 14 +++--
27 files changed, 275 insertions(+), 165 deletions(-)
diff --git a/include/linux/lsm_hooks.h b/include/linux/lsm_hooks.h
index 28d3ebffca1b..f259cb09958f 100644
--- a/include/linux/lsm_hooks.h
+++ b/include/linux/lsm_hooks.h
@@ -1554,7 +1554,7 @@ union security_list_options {
int flags);
int (*inode_listsecurity)(struct inode *inode, char *buffer,
size_t buffer_size);
- void (*inode_getsecid)(struct inode *inode, u32 *secid);
+ void (*inode_getsecid)(struct inode *inode, struct secids *secid);
int (*inode_copy_up)(struct dentry *src, struct cred **new);
int (*inode_copy_up_xattr)(const char *name);
@@ -1584,8 +1584,8 @@ union security_list_options {
int (*cred_prepare)(struct cred *new, const struct cred *old,
gfp_t gfp);
void (*cred_transfer)(struct cred *new, const struct cred *old);
- void (*cred_getsecid)(const struct cred *c, u32 *secid);
- int (*kernel_act_as)(struct cred *new, u32 secid);
+ void (*cred_getsecid)(const struct cred *c, struct secids *secid);
+ int (*kernel_act_as)(struct cred *new, struct secids *secid);
int (*kernel_create_files_as)(struct cred *new, struct inode *inode);
int (*kernel_module_request)(char *kmod_name);
int (*kernel_load_data)(enum kernel_load_data_id id);
@@ -1597,7 +1597,7 @@ union security_list_options {
int (*task_setpgid)(struct task_struct *p, pid_t pgid);
int (*task_getpgid)(struct task_struct *p);
int (*task_getsid)(struct task_struct *p);
- void (*task_getsecid)(struct task_struct *p, u32 *secid);
+ void (*task_getsecid)(struct task_struct *p, struct secids *secid);
int (*task_setnice)(struct task_struct *p, int nice);
int (*task_setioprio)(struct task_struct *p, int ioprio);
int (*task_getioprio)(struct task_struct *p);
@@ -1615,7 +1615,7 @@ union security_list_options {
void (*task_to_inode)(struct task_struct *p, struct inode *inode);
int (*ipc_permission)(struct kern_ipc_perm *ipcp, short flag);
- void (*ipc_getsecid)(struct kern_ipc_perm *ipcp, u32 *secid);
+ void (*ipc_getsecid)(struct kern_ipc_perm *ipcp, struct secids *secid);
int (*msg_msg_alloc_security)(struct msg_msg *msg);
void (*msg_msg_free_security)(struct msg_msg *msg);
@@ -1651,8 +1651,10 @@ union security_list_options {
int (*getprocattr)(struct task_struct *p, char *name, char **value);
int (*setprocattr)(const char *name, void *value, size_t size);
int (*ismaclabel)(const char *name);
- int (*secid_to_secctx)(u32 secid, char **secdata, u32 *seclen);
- int (*secctx_to_secid)(const char *secdata, u32 seclen, u32 *secid);
+ int (*secid_to_secctx)(struct secids *secid, char **secdata,
+ u32 *seclen);
+ int (*secctx_to_secid)(const char *secdata, u32 seclen,
+ struct secids *secid);
void (*release_secctx)(char *secdata, u32 seclen);
void (*inode_invalidate_secctx)(struct inode *inode);
@@ -1687,20 +1689,21 @@ union security_list_options {
int (*socket_sock_rcv_skb)(struct sock *sk, struct sk_buff *skb);
int (*socket_getpeersec_stream)(struct socket *sock,
char __user *optval,
- int __user *optlen, unsigned len);
+ int __user *optlen, unsigned int len);
int (*socket_getpeersec_dgram)(struct socket *sock,
- struct sk_buff *skb, u32 *secid);
+ struct sk_buff *skb,
+ struct secids *secid);
int (*sk_alloc_security)(struct sock *sk, int family, gfp_t priority);
void (*sk_free_security)(struct sock *sk);
void (*sk_clone_security)(const struct sock *sk, struct sock *newsk);
- void (*sk_getsecid)(struct sock *sk, u32 *secid);
+ void (*sk_getsecid)(struct sock *sk, struct secids *secid);
void (*sock_graft)(struct sock *sk, struct socket *parent);
int (*inet_conn_request)(struct sock *sk, struct sk_buff *skb,
struct request_sock *req);
void (*inet_csk_clone)(struct sock *newsk,
const struct request_sock *req);
void (*inet_conn_established)(struct sock *sk, struct sk_buff *skb);
- int (*secmark_relabel_packet)(u32 secid);
+ int (*secmark_relabel_packet)(struct secids *secid);
void (*secmark_refcount_inc)(void);
void (*secmark_refcount_dec)(void);
void (*req_classify_flow)(const struct request_sock *req,
@@ -1739,15 +1742,16 @@ union security_list_options {
struct xfrm_user_sec_ctx *sec_ctx);
int (*xfrm_state_alloc_acquire)(struct xfrm_state *x,
struct xfrm_sec_ctx *polsec,
- u32 secid);
+ const struct secids *secid);
void (*xfrm_state_free_security)(struct xfrm_state *x);
int (*xfrm_state_delete_security)(struct xfrm_state *x);
- int (*xfrm_policy_lookup)(struct xfrm_sec_ctx *ctx, u32 fl_secid,
- u8 dir);
+ int (*xfrm_policy_lookup)(struct xfrm_sec_ctx *ctx,
+ struct secids *fl_secid, u8 dir);
int (*xfrm_state_pol_flow_match)(struct xfrm_state *x,
struct xfrm_policy *xp,
const struct flowi *fl);
- int (*xfrm_decode_session)(struct sk_buff *skb, u32 *secid, int ckall);
+ int (*xfrm_decode_session)(struct sk_buff *skb, struct secids *secid,
+ int ckall);
#endif /* CONFIG_SECURITY_NETWORK_XFRM */
/* key management security hooks */
@@ -1764,8 +1768,8 @@ union security_list_options {
int (*audit_rule_init)(u32 field, u32 op, char *rulestr,
void **lsmrule);
int (*audit_rule_known)(struct audit_krule *krule);
- int (*audit_rule_match)(u32 secid, u32 field, u32 op, void *lsmrule,
- struct audit_context *actx);
+ int (*audit_rule_match)(struct secids *secid, u32 field, u32 op,
+ void *lsmrule, struct audit_context *actx);
void (*audit_rule_free)(void *lsmrule);
#endif /* CONFIG_AUDIT */
diff --git a/include/linux/security.h b/include/linux/security.h
index a29decd3f9d1..2ff982167d57 100644
--- a/include/linux/security.h
+++ b/include/linux/security.h
@@ -73,6 +73,25 @@ enum lsm_event {
LSM_POLICY_CHANGE,
};
+struct secids {
+ union {
+ u32 common;
+ u32 selinux;
+ u32 smack;
+ u32 apparmor;
+ };
+};
+
+static inline bool secid_valid(const struct secids *secids)
+{
+ return secids->common != 0;
+}
+
+static inline void secid_init(struct secids *secid)
+{
+ memset(secid, 0, sizeof(*secid));
+}
+
/* These functions are in security/commoncap.c */
extern int cap_capable(const struct cred *cred, struct user_namespace *ns,
int cap, unsigned int opts);
diff --git a/include/net/flow.h b/include/net/flow.h
index 8ce21793094e..aa29d11bc3d7 100644
--- a/include/net/flow.h
+++ b/include/net/flow.h
@@ -11,6 +11,7 @@
#include <linux/socket.h>
#include <linux/in6.h>
#include <linux/atomic.h>
+#include <linux/security.h>
#include <net/flow_dissector.h>
#include <linux/uidgid.h>
@@ -37,7 +38,7 @@ struct flowi_common {
#define FLOWI_FLAG_ANYSRC 0x01
#define FLOWI_FLAG_KNOWN_NH 0x02
#define FLOWI_FLAG_SKIP_NH_OIF 0x04
- __u32 flowic_secid;
+ struct secids flowic_secid;
struct flowi_tunnel flowic_tun_key;
kuid_t flowic_uid;
};
@@ -107,7 +108,7 @@ static inline void flowi4_init_output(struct flowi4 *fl4, int oif,
fl4->flowi4_scope = scope;
fl4->flowi4_proto = proto;
fl4->flowi4_flags = flags;
- fl4->flowi4_secid = 0;
+ secid_init(&fl4->flowi4_secid);
fl4->flowi4_tun_key.tun_id = 0;
fl4->flowi4_uid = uid;
fl4->daddr = daddr;
diff --git a/include/net/netlabel.h b/include/net/netlabel.h
index 72d6435fc16c..51dacbb88886 100644
--- a/include/net/netlabel.h
+++ b/include/net/netlabel.h
@@ -111,7 +111,7 @@ struct calipso_doi;
/* NetLabel audit information */
struct netlbl_audit {
- u32 secid;
+ struct secids secid;
kuid_t loginuid;
unsigned int sessionid;
};
@@ -215,7 +215,7 @@ struct netlbl_lsm_secattr {
struct netlbl_lsm_catmap *cat;
u32 lvl;
} mls;
- u32 secid;
+ struct secids secid;
} attr;
};
@@ -429,7 +429,7 @@ int netlbl_cfg_unlbl_static_add(struct net *net,
const void *addr,
const void *mask,
u16 family,
- u32 secid,
+ struct secids *secid,
struct netlbl_audit *audit_info);
int netlbl_cfg_unlbl_static_del(struct net *net,
const char *dev_name,
@@ -537,7 +537,7 @@ static inline int netlbl_cfg_unlbl_static_add(struct net *net,
const void *addr,
const void *mask,
u16 family,
- u32 secid,
+ struct secids *secid,
struct netlbl_audit *audit_info)
{
return -ENOSYS;
diff --git a/net/core/filter.c b/net/core/filter.c
index 01561268d216..a562dc379f15 100644
--- a/net/core/filter.c
+++ b/net/core/filter.c
@@ -4288,7 +4288,7 @@ static int bpf_ipv4_fib_lookup(struct net *net, struct bpf_fib_lookup *params,
err = fib_table_lookup(tb, &fl4, &res, FIB_LOOKUP_NOREF);
} else {
fl4.flowi4_mark = 0;
- fl4.flowi4_secid = 0;
+ secid_init(&fl4.flowi4_secid);
fl4.flowi4_tun_key.tun_id = 0;
fl4.flowi4_uid = sock_net_uid(net, NULL);
@@ -4399,7 +4399,7 @@ static int bpf_ipv6_fib_lookup(struct net *net, struct bpf_fib_lookup *params,
f6i = ipv6_stub->fib6_table_lookup(net, tb, oif, &fl6, strict);
} else {
fl6.flowi6_mark = 0;
- fl6.flowi6_secid = 0;
+ secid_init(&fl6.flowi6_secid);
fl6.flowi6_tun_key.tun_id = 0;
fl6.flowi6_uid = sock_net_uid(net, NULL);
diff --git a/net/ipv4/cipso_ipv4.c b/net/ipv4/cipso_ipv4.c
index 6a1b52b34e20..be8a88084508 100644
--- a/net/ipv4/cipso_ipv4.c
+++ b/net/ipv4/cipso_ipv4.c
@@ -1474,7 +1474,7 @@ static int cipso_v4_gentag_loc(const struct cipso_v4_doi *doi_def,
buffer[0] = CIPSO_V4_TAG_LOCAL;
buffer[1] = CIPSO_V4_TAG_LOC_BLEN;
- *(u32 *)&buffer[2] = secattr->attr.secid;
+ *(u32 *)&buffer[2] = secattr->attr.secid.common;
return CIPSO_V4_TAG_LOC_BLEN;
}
@@ -1494,7 +1494,7 @@ static int cipso_v4_parsetag_loc(const struct cipso_v4_doi *doi_def,
const unsigned char *tag,
struct netlbl_lsm_secattr *secattr)
{
- secattr->attr.secid = *(u32 *)&tag[2];
+ secattr->attr.secid.common = *(u32 *)&tag[2];
secattr->flags |= NETLBL_SECATTR_SECID;
return 0;
diff --git a/net/netlabel/netlabel_kapi.c b/net/netlabel/netlabel_kapi.c
index 15fe2120b310..551bf3be961b 100644
--- a/net/netlabel/netlabel_kapi.c
+++ b/net/netlabel/netlabel_kapi.c
@@ -224,7 +224,7 @@ int netlbl_cfg_unlbl_static_add(struct net *net,
const void *addr,
const void *mask,
u16 family,
- u32 secid,
+ struct secids *secid,
struct netlbl_audit *audit_info)
{
u32 addr_len;
@@ -244,7 +244,7 @@ int netlbl_cfg_unlbl_static_add(struct net *net,
return netlbl_unlhsh_add(net,
dev_name, addr, mask, addr_len,
- secid, audit_info);
+ secid->common, audit_info);
}
/**
diff --git a/net/netlabel/netlabel_unlabeled.c b/net/netlabel/netlabel_unlabeled.c
index 0067f472367b..86c3c1611641 100644
--- a/net/netlabel/netlabel_unlabeled.c
+++ b/net/netlabel/netlabel_unlabeled.c
@@ -80,7 +80,7 @@ struct netlbl_unlhsh_tbl {
#define netlbl_unlhsh_addr4_entry(iter) \
container_of(iter, struct netlbl_unlhsh_addr4, list)
struct netlbl_unlhsh_addr4 {
- u32 secid;
+ struct secids secid;
struct netlbl_af4list list;
struct rcu_head rcu;
@@ -88,7 +88,7 @@ struct netlbl_unlhsh_addr4 {
#define netlbl_unlhsh_addr6_entry(iter) \
container_of(iter, struct netlbl_unlhsh_addr6, list)
struct netlbl_unlhsh_addr6 {
- u32 secid;
+ struct secids secid;
struct netlbl_af6list list;
struct rcu_head rcu;
@@ -244,7 +244,7 @@ static struct netlbl_unlhsh_iface *netlbl_unlhsh_search_iface(int ifindex)
static int netlbl_unlhsh_add_addr4(struct netlbl_unlhsh_iface *iface,
const struct in_addr *addr,
const struct in_addr *mask,
- u32 secid)
+ struct secids *secid)
{
int ret_val;
struct netlbl_unlhsh_addr4 *entry;
@@ -256,7 +256,7 @@ static int netlbl_unlhsh_add_addr4(struct netlbl_unlhsh_iface *iface,
entry->list.addr = addr->s_addr & mask->s_addr;
entry->list.mask = mask->s_addr;
entry->list.valid = 1;
- entry->secid = secid;
+ entry->secid = *secid;
spin_lock(&netlbl_unlhsh_lock);
ret_val = netlbl_af4list_add(&entry->list, &iface->addr4_list);
@@ -284,7 +284,7 @@ static int netlbl_unlhsh_add_addr4(struct netlbl_unlhsh_iface *iface,
static int netlbl_unlhsh_add_addr6(struct netlbl_unlhsh_iface *iface,
const struct in6_addr *addr,
const struct in6_addr *mask,
- u32 secid)
+ struct secids *secid)
{
int ret_val;
struct netlbl_unlhsh_addr6 *entry;
@@ -300,7 +300,7 @@ static int netlbl_unlhsh_add_addr6(struct netlbl_unlhsh_iface *iface,
entry->list.addr.s6_addr32[3] &= mask->s6_addr32[3];
entry->list.mask = *mask;
entry->list.valid = 1;
- entry->secid = secid;
+ entry->secid = *secid;
spin_lock(&netlbl_unlhsh_lock);
ret_val = netlbl_af6list_add(&entry->list, &iface->addr6_list);
@@ -389,6 +389,7 @@ int netlbl_unlhsh_add(struct net *net,
struct audit_buffer *audit_buf = NULL;
char *secctx = NULL;
u32 secctx_len;
+ struct secids ids;
if (addr_len != sizeof(struct in_addr) &&
addr_len != sizeof(struct in6_addr))
@@ -421,7 +422,8 @@ int netlbl_unlhsh_add(struct net *net,
const struct in_addr *addr4 = addr;
const struct in_addr *mask4 = mask;
- ret_val = netlbl_unlhsh_add_addr4(iface, addr4, mask4, secid);
+ ids.common = secid;
+ ret_val = netlbl_unlhsh_add_addr4(iface, addr4, mask4, &ids);
if (audit_buf != NULL)
netlbl_af4list_audit_addr(audit_buf, 1,
dev_name,
@@ -434,7 +436,8 @@ int netlbl_unlhsh_add(struct net *net,
const struct in6_addr *addr6 = addr;
const struct in6_addr *mask6 = mask;
- ret_val = netlbl_unlhsh_add_addr6(iface, addr6, mask6, secid);
+ ids.common = secid;
+ ret_val = netlbl_unlhsh_add_addr6(iface, addr6, mask6, &ids);
if (audit_buf != NULL)
netlbl_af6list_audit_addr(audit_buf, 1,
dev_name,
@@ -508,7 +511,7 @@ static int netlbl_unlhsh_remove_addr4(struct net *net,
if (dev != NULL)
dev_put(dev);
if (entry != NULL &&
- security_secid_to_secctx(entry->secid,
+ security_secid_to_secctx(entry->secid.common,
&secctx, &secctx_len) == 0) {
audit_log_format(audit_buf, " sec_obj=%s", secctx);
security_release_secctx(secctx, secctx_len);
@@ -569,7 +572,7 @@ static int netlbl_unlhsh_remove_addr6(struct net *net,
if (dev != NULL)
dev_put(dev);
if (entry != NULL &&
- security_secid_to_secctx(entry->secid,
+ security_secid_to_secctx(entry->secid.common,
&secctx, &secctx_len) == 0) {
audit_log_format(audit_buf, " sec_obj=%s", secctx);
security_release_secctx(secctx, secctx_len);
@@ -1125,7 +1128,7 @@ static int netlbl_unlabel_staticlist_gen(u32 cmd,
if (ret_val != 0)
goto list_cb_failure;
- secid = addr4->secid;
+ secid = addr4->secid.common;
} else {
ret_val = nla_put_in6_addr(cb_arg->skb,
NLBL_UNLABEL_A_IPV6ADDR,
@@ -1139,7 +1142,7 @@ static int netlbl_unlabel_staticlist_gen(u32 cmd,
if (ret_val != 0)
goto list_cb_failure;
- secid = addr6->secid;
+ secid = addr6->secid.common;
}
ret_val = security_secid_to_secctx(secid, &secctx, &secctx_len);
@@ -1551,7 +1554,7 @@ int __init netlbl_unlabel_defconf(void)
/* Only the kernel is allowed to call this function and the only time
* it is called is at bootup before the audit subsystem is reporting
* messages so don't worry to much about these values. */
- security_task_getsecid(current, &audit_info.secid);
+ security_task_getsecid(current, &audit_info.secid.common);
audit_info.loginuid = GLOBAL_ROOT_UID;
audit_info.sessionid = 0;
diff --git a/net/netlabel/netlabel_user.c b/net/netlabel/netlabel_user.c
index 4676f5bb16ae..d5b5ce7e9aa2 100644
--- a/net/netlabel/netlabel_user.c
+++ b/net/netlabel/netlabel_user.c
@@ -112,8 +112,8 @@ struct audit_buffer *netlbl_audit_start_common(int type,
from_kuid(&init_user_ns, audit_info->loginuid),
audit_info->sessionid);
- if (audit_info->secid != 0 &&
- security_secid_to_secctx(audit_info->secid,
+ if (audit_info->secid.common != 0 &&
+ security_secid_to_secctx(audit_info->secid.common,
&secctx,
&secctx_len) == 0) {
audit_log_format(audit_buf, " subj=%s", secctx);
diff --git a/net/netlabel/netlabel_user.h b/net/netlabel/netlabel_user.h
index 4a397cde1a48..782ee194fdbd 100644
--- a/net/netlabel/netlabel_user.h
+++ b/net/netlabel/netlabel_user.h
@@ -48,7 +48,7 @@
static inline void netlbl_netlink_auditinfo(struct sk_buff *skb,
struct netlbl_audit *audit_info)
{
- security_task_getsecid(current, &audit_info->secid);
+ security_task_getsecid(current, &audit_info->secid.common);
audit_info->loginuid = audit_get_loginuid(current);
audit_info->sessionid = audit_get_sessionid(current);
}
diff --git a/net/xfrm/xfrm_policy.c b/net/xfrm/xfrm_policy.c
index e9aea82f370d..df6bed189d45 100644
--- a/net/xfrm/xfrm_policy.c
+++ b/net/xfrm/xfrm_policy.c
@@ -1079,7 +1079,8 @@ static int xfrm_policy_match(const struct xfrm_policy *pol,
match = xfrm_selector_match(sel, fl, family);
if (match)
- ret = security_xfrm_policy_lookup(pol->security, fl->flowi_secid,
+ ret = security_xfrm_policy_lookup(pol->security,
+ fl->flowi_secid.common,
dir);
return ret;
@@ -1198,7 +1199,7 @@ static struct xfrm_policy *xfrm_sk_policy_lookup(const struct sock *sk, int dir,
goto out;
}
err = security_xfrm_policy_lookup(pol->security,
- fl->flowi_secid,
+ fl->flowi_secid.common,
dir);
if (!err) {
if (!xfrm_pol_hold_rcu(pol))
@@ -2298,7 +2299,7 @@ int __xfrm_decode_session(struct sk_buff *skb, struct flowi *fl,
afinfo->decode_session(skb, fl, reverse);
- err = security_xfrm_decode_session(skb, &fl->flowi_secid);
+ err = security_xfrm_decode_session(skb, &fl->flowi_secid.common);
rcu_read_unlock();
return err;
}
diff --git a/net/xfrm/xfrm_state.c b/net/xfrm/xfrm_state.c
index 44acc724122b..c34c87049536 100644
--- a/net/xfrm/xfrm_state.c
+++ b/net/xfrm/xfrm_state.c
@@ -1031,7 +1031,8 @@ xfrm_state_find(const xfrm_address_t *daddr, const xfrm_address_t *saddr,
memcpy(&x->mark, &pol->mark, sizeof(x->mark));
x->if_id = if_id;
- error = security_xfrm_state_alloc_acquire(x, pol->security, fl->flowi_secid);
+ error = security_xfrm_state_alloc_acquire(x, pol->security,
+ fl->flowi_secid.common);
if (error) {
x->km.state = XFRM_STATE_DEAD;
to_put = x;
diff --git a/security/apparmor/audit.c b/security/apparmor/audit.c
index 70b9730c0be6..4b26b37c8470 100644
--- a/security/apparmor/audit.c
+++ b/security/apparmor/audit.c
@@ -226,14 +226,14 @@ int aa_audit_rule_known(struct audit_krule *rule)
return 0;
}
-int aa_audit_rule_match(u32 sid, u32 field, u32 op, void *vrule,
+int aa_audit_rule_match(struct secids *sid, u32 field, u32 op, void *vrule,
struct audit_context *actx)
{
struct aa_audit_rule *rule = vrule;
struct aa_label *label;
int found = 0;
- label = aa_secid_to_label(sid);
+ label = aa_secid_to_label(sid->apparmor);
if (!label)
return -ENOENT;
diff --git a/security/apparmor/include/audit.h b/security/apparmor/include/audit.h
index b8c8b1066b0a..8042046eef90 100644
--- a/security/apparmor/include/audit.h
+++ b/security/apparmor/include/audit.h
@@ -192,7 +192,7 @@ static inline int complain_error(int error)
void aa_audit_rule_free(void *vrule);
int aa_audit_rule_init(u32 field, u32 op, char *rulestr, void **vrule);
int aa_audit_rule_known(struct audit_krule *rule);
-int aa_audit_rule_match(u32 sid, u32 field, u32 op, void *vrule,
+int aa_audit_rule_match(struct secids *sid, u32 field, u32 op, void *vrule,
struct audit_context *actx);
#endif /* __AA_AUDIT_H */
diff --git a/security/apparmor/include/secid.h b/security/apparmor/include/secid.h
index dee6fa3b6081..81f29538e415 100644
--- a/security/apparmor/include/secid.h
+++ b/security/apparmor/include/secid.h
@@ -23,8 +23,9 @@ struct aa_label;
#define AA_SECID_INVALID 0
struct aa_label *aa_secid_to_label(u32 secid);
-int apparmor_secid_to_secctx(u32 secid, char **secdata, u32 *seclen);
-int apparmor_secctx_to_secid(const char *secdata, u32 seclen, u32 *secid);
+int apparmor_secid_to_secctx(struct secids *secid, char **secdata, u32 *seclen);
+int apparmor_secctx_to_secid(const char *secdata, u32 seclen,
+ struct secids *secid);
void apparmor_release_secctx(char *secdata, u32 seclen);
diff --git a/security/apparmor/lsm.c b/security/apparmor/lsm.c
index 158988a24153..0ef0a12d2c57 100644
--- a/security/apparmor/lsm.c
+++ b/security/apparmor/lsm.c
@@ -707,10 +707,10 @@ static void apparmor_bprm_committed_creds(struct linux_binprm *bprm)
return;
}
-static void apparmor_task_getsecid(struct task_struct *p, u32 *secid)
+static void apparmor_task_getsecid(struct task_struct *p, struct secids *secid)
{
struct aa_label *label = aa_get_task_label(p);
- *secid = label->secid;
+ secid->apparmor = label->secid;
aa_put_label(label);
}
@@ -1082,7 +1082,8 @@ static int apparmor_socket_getpeersec_stream(struct socket *sock,
* Sets the netlabel socket state on sk from parent
*/
static int apparmor_socket_getpeersec_dgram(struct socket *sock,
- struct sk_buff *skb, u32 *secid)
+ struct sk_buff *skb,
+ struct secids *secid)
{
/* TODO: requires secid support */
diff --git a/security/apparmor/secid.c b/security/apparmor/secid.c
index 4ccec1bcf6f5..3ef6f3704aeb 100644
--- a/security/apparmor/secid.c
+++ b/security/apparmor/secid.c
@@ -73,10 +73,10 @@ struct aa_label *aa_secid_to_label(u32 secid)
return label;
}
-int apparmor_secid_to_secctx(u32 secid, char **secdata, u32 *seclen)
+int apparmor_secid_to_secctx(struct secids *secid, char **secdata, u32 *seclen)
{
/* TODO: cache secctx and ref count so we don't have to recreate */
- struct aa_label *label = aa_secid_to_label(secid);
+ struct aa_label *label = aa_secid_to_label(secid->apparmor);
int len;
AA_BUG(!seclen);
@@ -101,7 +101,8 @@ int apparmor_secid_to_secctx(u32 secid, char **secdata, u32 *seclen)
return 0;
}
-int apparmor_secctx_to_secid(const char *secdata, u32 seclen, u32 *secid)
+int apparmor_secctx_to_secid(const char *secdata, u32 seclen,
+ struct secids *secid)
{
struct aa_label *label;
@@ -109,7 +110,7 @@ int apparmor_secctx_to_secid(const char *secdata, u32 seclen, u32 *secid)
seclen, GFP_KERNEL, false, false);
if (IS_ERR(label))
return PTR_ERR(label);
- *secid = label->secid;
+ secid->apparmor = label->secid;
return 0;
}
diff --git a/security/security.c b/security/security.c
index 468695df6559..26511761d824 100644
--- a/security/security.c
+++ b/security/security.c
@@ -132,6 +132,7 @@ int __init security_init(void)
pr_info("LSM: sock blob size = %d\n", blob_sizes.lbs_sock);
pr_info("LSM: superblock blob size = %d\n", blob_sizes.lbs_superblock);
pr_info("LSM: task blob size = %d\n", blob_sizes.lbs_task);
+ pr_info("LSM: secid size = %zu\n", sizeof(struct secids));
#endif /* CONFIG_SECURITY_LSM_DEBUG */
return 0;
@@ -1250,7 +1251,10 @@ EXPORT_SYMBOL(security_inode_listsecurity);
void security_inode_getsecid(struct inode *inode, u32 *secid)
{
- call_void_hook(inode_getsecid, inode, secid);
+ struct secids ids;
+
+ call_void_hook(inode_getsecid, inode, &ids);
+ *secid = ids.common;
}
int security_inode_copy_up(struct dentry *src, struct cred **new)
@@ -1467,14 +1471,20 @@ void security_transfer_creds(struct cred *new, const struct cred *old)
void security_cred_getsecid(const struct cred *c, u32 *secid)
{
- *secid = 0;
- call_void_hook(cred_getsecid, c, secid);
+ struct secids ids;
+
+ ids.common = 0;
+ call_void_hook(cred_getsecid, c, &ids);
+ *secid = ids.common;
}
EXPORT_SYMBOL(security_cred_getsecid);
int security_kernel_act_as(struct cred *new, u32 secid)
{
- return call_int_hook(kernel_act_as, 0, new, secid);
+ struct secids ids;
+
+ ids.common = secid;
+ return call_int_hook(kernel_act_as, 0, new, &ids);
}
int security_kernel_create_files_as(struct cred *new, struct inode *inode)
@@ -1549,8 +1559,11 @@ int security_task_getsid(struct task_struct *p)
void security_task_getsecid(struct task_struct *p, u32 *secid)
{
- *secid = 0;
- call_void_hook(task_getsecid, p, secid);
+ struct secids ids;
+
+ ids.common = 0;
+ call_void_hook(task_getsecid, p, &ids);
+ *secid = ids.common;
}
EXPORT_SYMBOL(security_task_getsecid);
@@ -1632,8 +1645,11 @@ int security_ipc_permission(struct kern_ipc_perm *ipcp, short flag)
void security_ipc_getsecid(struct kern_ipc_perm *ipcp, u32 *secid)
{
- *secid = 0;
- call_void_hook(ipc_getsecid, ipcp, secid);
+ struct secids ids;
+
+ ids.common = 0;
+ call_void_hook(ipc_getsecid, ipcp, &ids);
+ *secid = ids.common;
}
int security_msg_msg_alloc(struct msg_msg *msg)
@@ -1812,15 +1828,24 @@ EXPORT_SYMBOL(security_ismaclabel);
int security_secid_to_secctx(u32 secid, char **secdata, u32 *seclen)
{
- return call_int_hook(secid_to_secctx, -EOPNOTSUPP, secid, secdata,
+ struct secids ids;
+
+ ids.common = secid;
+ return call_int_hook(secid_to_secctx, -EOPNOTSUPP, &ids, secdata,
seclen);
}
EXPORT_SYMBOL(security_secid_to_secctx);
int security_secctx_to_secid(const char *secdata, u32 seclen, u32 *secid)
{
- *secid = 0;
- return call_int_hook(secctx_to_secid, 0, secdata, seclen, secid);
+ struct secids ids;
+ int rc;
+
+ ids.common = 0;
+ rc = call_int_hook(secctx_to_secid, 0, secdata, seclen, &ids);
+ *secid = ids.common;
+
+ return rc;
}
EXPORT_SYMBOL(security_secctx_to_secid);
@@ -1957,8 +1982,14 @@ int security_socket_getpeersec_stream(struct socket *sock, char __user *optval,
int security_socket_getpeersec_dgram(struct socket *sock, struct sk_buff *skb, u32 *secid)
{
- return call_int_hook(socket_getpeersec_dgram, -ENOPROTOOPT, sock,
- skb, secid);
+ struct secids ids;
+ int rc;
+
+ rc = call_int_hook(socket_getpeersec_dgram, -ENOPROTOOPT, sock,
+ skb, &ids);
+ *secid = ids.common;
+
+ return rc;
}
EXPORT_SYMBOL(security_socket_getpeersec_dgram);
@@ -2027,7 +2058,10 @@ EXPORT_SYMBOL(security_inet_conn_established);
int security_secmark_relabel_packet(u32 secid)
{
- return call_int_hook(secmark_relabel_packet, 0, secid);
+ struct secids ids;
+
+ ids.common = secid;
+ return call_int_hook(secmark_relabel_packet, 0, &ids);
}
EXPORT_SYMBOL(security_secmark_relabel_packet);
@@ -2166,7 +2200,10 @@ EXPORT_SYMBOL(security_xfrm_state_alloc);
int security_xfrm_state_alloc_acquire(struct xfrm_state *x,
struct xfrm_sec_ctx *polsec, u32 secid)
{
- return call_int_hook(xfrm_state_alloc_acquire, 0, x, polsec, secid);
+ struct secids ids;
+
+ ids.common = secid;
+ return call_int_hook(xfrm_state_alloc_acquire, 0, x, polsec, &ids);
}
int security_xfrm_state_delete(struct xfrm_state *x)
@@ -2182,7 +2219,10 @@ void security_xfrm_state_free(struct xfrm_state *x)
int security_xfrm_policy_lookup(struct xfrm_sec_ctx *ctx, u32 fl_secid, u8 dir)
{
- return call_int_hook(xfrm_policy_lookup, 0, ctx, fl_secid, dir);
+ struct secids ids;
+
+ ids.common = fl_secid;
+ return call_int_hook(xfrm_policy_lookup, 0, ctx, &ids, dir);
}
int security_xfrm_state_pol_flow_match(struct xfrm_state *x,
@@ -2211,7 +2251,13 @@ int security_xfrm_state_pol_flow_match(struct xfrm_state *x,
int security_xfrm_decode_session(struct sk_buff *skb, u32 *secid)
{
- return call_int_hook(xfrm_decode_session, 0, skb, secid, 1);
+ struct secids ids;
+ int rc;
+
+ rc = call_int_hook(xfrm_decode_session, 0, skb, &ids, 1);
+ *secid = ids.common;
+
+ return rc;
}
void security_skb_classify_flow(struct sk_buff *skb, struct flowi *fl)
@@ -2281,7 +2327,10 @@ void security_audit_rule_free(void *lsmrule)
int security_audit_rule_match(u32 secid, u32 field, u32 op, void *lsmrule,
struct audit_context *actx)
{
- return call_int_hook(audit_rule_match, 0, secid, field, op, lsmrule,
+ struct secids ids;
+
+ ids.common = secid;
+ return call_int_hook(audit_rule_match, 0, &ids, field, op, lsmrule,
actx);
}
#endif /* CONFIG_AUDIT */
diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c
index 78dfe2fdd7ff..e3317111ac9b 100644
--- a/security/selinux/hooks.c
+++ b/security/selinux/hooks.c
@@ -3484,15 +3484,15 @@ static int selinux_inode_listsecurity(struct inode *inode, char *buffer, size_t
return len;
}
-static void selinux_inode_getsecid(struct inode *inode, u32 *secid)
+static void selinux_inode_getsecid(struct inode *inode, struct secids *secid)
{
struct inode_security_struct *isec = inode_security_novalidate(inode);
- *secid = isec->sid;
+ secid->selinux = isec->sid;
}
static int selinux_inode_copy_up(struct dentry *src, struct cred **new)
{
- u32 sid;
+ struct secids sids;
struct task_security_struct *tsec;
struct cred *new_creds = *new;
@@ -3504,8 +3504,8 @@ static int selinux_inode_copy_up(struct dentry *src, struct cred **new)
tsec = selinux_cred(new_creds);
/* Get label from overlay inode and set it in create_sid */
- selinux_inode_getsecid(d_inode(src), &sid);
- tsec->create_sid = sid;
+ selinux_inode_getsecid(d_inode(src), &sids);
+ tsec->create_sid = sids.selinux;
*new = new_creds;
return 0;
}
@@ -3922,28 +3922,28 @@ static void selinux_cred_transfer(struct cred *new, const struct cred *old)
*tsec = *old_tsec;
}
-static void selinux_cred_getsecid(const struct cred *c, u32 *secid)
+static void selinux_cred_getsecid(const struct cred *c, struct secids *secid)
{
- *secid = cred_sid(c);
+ secid->selinux = cred_sid(c);
}
/*
* set the security data for a kernel service
* - all the creation contexts are set to unlabelled
*/
-static int selinux_kernel_act_as(struct cred *new, u32 secid)
+static int selinux_kernel_act_as(struct cred *new, struct secids *secid)
{
struct task_security_struct *tsec = selinux_cred(new);
u32 sid = current_sid();
int ret;
ret = avc_has_perm(&selinux_state,
- sid, secid,
+ sid, secid->selinux,
SECCLASS_KERNEL_SERVICE,
KERNEL_SERVICE__USE_AS_OVERRIDE,
NULL);
if (ret == 0) {
- tsec->sid = secid;
+ tsec->sid = secid->selinux;
tsec->create_sid = 0;
tsec->keycreate_sid = 0;
tsec->sockcreate_sid = 0;
@@ -4069,9 +4069,9 @@ static int selinux_task_getsid(struct task_struct *p)
PROCESS__GETSESSION, NULL);
}
-static void selinux_task_getsecid(struct task_struct *p, u32 *secid)
+static void selinux_task_getsecid(struct task_struct *p, struct secids *secid)
{
- *secid = task_sid(p);
+ secid->selinux = task_sid(p);
}
static int selinux_task_setnice(struct task_struct *p, int nice)
@@ -5096,7 +5096,9 @@ static int selinux_socket_getpeersec_stream(struct socket *sock,
return err;
}
-static int selinux_socket_getpeersec_dgram(struct socket *sock, struct sk_buff *skb, u32 *secid)
+static int selinux_socket_getpeersec_dgram(struct socket *sock,
+ struct sk_buff *skb,
+ struct secids *secid)
{
u32 peer_secid = SECSID_NULL;
u16 family;
@@ -5118,7 +5120,7 @@ static int selinux_socket_getpeersec_dgram(struct socket *sock, struct sk_buff *
selinux_skb_peerlbl_sid(skb, family, &peer_secid);
out:
- *secid = peer_secid;
+ secid->selinux = peer_secid;
if (peer_secid == SECSID_NULL)
return -EINVAL;
return 0;
@@ -5155,14 +5157,14 @@ static void selinux_sk_clone_security(const struct sock *sk, struct sock *newsk)
selinux_netlbl_sk_security_reset(newsksec);
}
-static void selinux_sk_getsecid(struct sock *sk, u32 *secid)
+static void selinux_sk_getsecid(struct sock *sk, struct secids *secid)
{
if (!sk)
- *secid = SECINITSID_ANY_SOCKET;
+ secid->selinux = SECINITSID_ANY_SOCKET;
else {
struct sk_security_struct *sksec = selinux_sock(sk);
- *secid = sksec->sid;
+ secid->selinux = sksec->sid;
}
}
@@ -5401,7 +5403,7 @@ static void selinux_inet_conn_established(struct sock *sk, struct sk_buff *skb)
selinux_skb_peerlbl_sid(skb, family, &sksec->peer_sid);
}
-static int selinux_secmark_relabel_packet(u32 sid)
+static int selinux_secmark_relabel_packet(struct secids *secid)
{
const struct task_security_struct *__tsec;
u32 tsid;
@@ -5410,8 +5412,8 @@ static int selinux_secmark_relabel_packet(u32 sid)
tsid = __tsec->sid;
return avc_has_perm(&selinux_state,
- tsid, sid, SECCLASS_PACKET, PACKET__RELABELTO,
- NULL);
+ tsid, secid->selinux, SECCLASS_PACKET,
+ PACKET__RELABELTO, NULL);
}
static void selinux_secmark_refcount_inc(void)
@@ -5427,7 +5429,7 @@ static void selinux_secmark_refcount_dec(void)
static void selinux_req_classify_flow(const struct request_sock *req,
struct flowi *fl)
{
- fl->flowi_secid = req->secid;
+ fl->flowi_secid.selinux = req->secid;
}
static int selinux_tun_dev_alloc_security(void **security)
@@ -6272,10 +6274,11 @@ static int selinux_ipc_permission(struct kern_ipc_perm *ipcp, short flag)
return ipc_has_perm(ipcp, av);
}
-static void selinux_ipc_getsecid(struct kern_ipc_perm *ipcp, u32 *secid)
+static void selinux_ipc_getsecid(struct kern_ipc_perm *ipcp,
+ struct secids *secid)
{
struct ipc_security_struct *isec = selinux_ipc(ipcp);
- *secid = isec->sid;
+ secid->selinux = isec->sid;
}
static void selinux_d_instantiate(struct dentry *dentry, struct inode *inode)
@@ -6482,16 +6485,18 @@ static int selinux_ismaclabel(const char *name)
return (strcmp(name, XATTR_SELINUX_SUFFIX) == 0);
}
-static int selinux_secid_to_secctx(u32 secid, char **secdata, u32 *seclen)