lsm: security_lsmblob_to_secctx module selection
Add a parameter lsmid to security_lsmblob_to_secctx() to identify which of the security modules that may be active should provide the security context. If the value of lsmid is LSM_ID_UNDEF the first LSM providing a hook is used. security_secid_to_secctx() is unchanged, and will always report the first LSM providing a hook. Signed-off-by: Casey Schaufler <casey@schaufler-ca.com> [PM: subj tweak] Signed-off-by: Paul Moore <paul@paul-moore.com>pull/1354/merge
Casey Schaufler
Paul Moore
parent
0a561e3904
commit
a59076f266
|
|
@ -567,7 +567,8 @@ int security_getprocattr(struct task_struct *p, int lsmid, const char *name,
|
|||
int security_setprocattr(int lsmid, const char *name, void *value, size_t size);
|
||||
int security_ismaclabel(const char *name);
|
||||
int security_secid_to_secctx(u32 secid, struct lsm_context *cp);
|
||||
int security_lsmprop_to_secctx(struct lsm_prop *prop, struct lsm_context *cp);
|
||||
int security_lsmprop_to_secctx(struct lsm_prop *prop, struct lsm_context *cp,
|
||||
int lsmid);
|
||||
int security_secctx_to_secid(const char *secdata, u32 seclen, u32 *secid);
|
||||
void security_release_secctx(struct lsm_context *cp);
|
||||
void security_inode_invalidate_secctx(struct inode *inode);
|
||||
|
|
@ -1551,7 +1552,8 @@ static inline int security_secid_to_secctx(u32 secid, struct lsm_context *cp)
|
|||
}
|
||||
|
||||
static inline int security_lsmprop_to_secctx(struct lsm_prop *prop,
|
||||
struct lsm_context *cp)
|
||||
struct lsm_context *cp,
|
||||
int lsmid)
|
||||
{
|
||||
return -EOPNOTSUPP;
|
||||
}
|
||||
|
|
|
|||
|
|
@ -1473,7 +1473,7 @@ static int audit_receive_msg(struct sk_buff *skb, struct nlmsghdr *nlh,
|
|||
case AUDIT_SIGNAL_INFO:
|
||||
if (lsmprop_is_set(&audit_sig_lsm)) {
|
||||
err = security_lsmprop_to_secctx(&audit_sig_lsm,
|
||||
&lsmctx);
|
||||
&lsmctx, LSM_ID_UNDEF);
|
||||
if (err < 0)
|
||||
return err;
|
||||
}
|
||||
|
|
@ -2188,7 +2188,7 @@ int audit_log_task_context(struct audit_buffer *ab)
|
|||
if (!lsmprop_is_set(&prop))
|
||||
return 0;
|
||||
|
||||
error = security_lsmprop_to_secctx(&prop, &ctx);
|
||||
error = security_lsmprop_to_secctx(&prop, &ctx, LSM_ID_UNDEF);
|
||||
if (error < 0) {
|
||||
if (error != -EINVAL)
|
||||
goto error_path;
|
||||
|
|
|
|||
|
|
@ -1109,7 +1109,7 @@ static int audit_log_pid_context(struct audit_context *context, pid_t pid,
|
|||
from_kuid(&init_user_ns, auid),
|
||||
from_kuid(&init_user_ns, uid), sessionid);
|
||||
if (lsmprop_is_set(prop)) {
|
||||
if (security_lsmprop_to_secctx(prop, &ctx) < 0) {
|
||||
if (security_lsmprop_to_secctx(prop, &ctx, LSM_ID_UNDEF) < 0) {
|
||||
audit_log_format(ab, " obj=(none)");
|
||||
rc = 1;
|
||||
} else {
|
||||
|
|
@ -1395,7 +1395,8 @@ static void show_special(struct audit_context *context, int *call_panic)
|
|||
struct lsm_context lsmctx;
|
||||
|
||||
if (security_lsmprop_to_secctx(&context->ipc.oprop,
|
||||
&lsmctx) < 0) {
|
||||
&lsmctx,
|
||||
LSM_ID_UNDEF) < 0) {
|
||||
*call_panic = 1;
|
||||
} else {
|
||||
audit_log_format(ab, " obj=%s", lsmctx.context);
|
||||
|
|
@ -1560,7 +1561,8 @@ static void audit_log_name(struct audit_context *context, struct audit_names *n,
|
|||
if (lsmprop_is_set(&n->oprop)) {
|
||||
struct lsm_context ctx;
|
||||
|
||||
if (security_lsmprop_to_secctx(&n->oprop, &ctx) < 0) {
|
||||
if (security_lsmprop_to_secctx(&n->oprop, &ctx,
|
||||
LSM_ID_UNDEF) < 0) {
|
||||
if (call_panic)
|
||||
*call_panic = 2;
|
||||
} else {
|
||||
|
|
|
|||
|
|
@ -98,7 +98,8 @@ struct audit_buffer *netlbl_audit_start_common(int type,
|
|||
audit_info->sessionid);
|
||||
|
||||
if (lsmprop_is_set(&audit_info->prop) &&
|
||||
security_lsmprop_to_secctx(&audit_info->prop, &ctx) > 0) {
|
||||
security_lsmprop_to_secctx(&audit_info->prop, &ctx,
|
||||
LSM_ID_UNDEF) > 0) {
|
||||
audit_log_format(audit_buf, " subj=%s", ctx.context);
|
||||
security_release_secctx(&ctx);
|
||||
}
|
||||
|
|
|
|||
|
|
@ -4342,17 +4342,31 @@ EXPORT_SYMBOL(security_secid_to_secctx);
|
|||
* security_lsmprop_to_secctx() - Convert a lsm_prop to a secctx
|
||||
* @prop: lsm specific information
|
||||
* @cp: the LSM context
|
||||
* @lsmid: which security module to report
|
||||
*
|
||||
* Convert a @prop entry to security context. If @cp is NULL the
|
||||
* length of the result will be returned. This does mean that the
|
||||
* length could change between calls to check the length and the
|
||||
* next call which actually allocates and returns the @cp.
|
||||
*
|
||||
* @lsmid identifies which LSM should supply the context.
|
||||
* A value of LSM_ID_UNDEF indicates that the first LSM suppling
|
||||
* the hook should be used. This is used in cases where the
|
||||
* ID of the supplying LSM is unambiguous.
|
||||
*
|
||||
* Return: Return length of data on success, error on failure.
|
||||
*/
|
||||
int security_lsmprop_to_secctx(struct lsm_prop *prop, struct lsm_context *cp)
|
||||
int security_lsmprop_to_secctx(struct lsm_prop *prop, struct lsm_context *cp,
|
||||
int lsmid)
|
||||
{
|
||||
return call_int_hook(lsmprop_to_secctx, prop, cp);
|
||||
struct lsm_static_call *scall;
|
||||
|
||||
lsm_for_each_hook(scall, lsmprop_to_secctx) {
|
||||
if (lsmid != LSM_ID_UNDEF && lsmid != scall->hl->lsmid->id)
|
||||
continue;
|
||||
return scall->hl->hook.lsmprop_to_secctx(prop, cp);
|
||||
}
|
||||
return LSM_RET_DEFAULT(lsmprop_to_secctx);
|
||||
}
|
||||
EXPORT_SYMBOL(security_lsmprop_to_secctx);
|
||||
|
||||
|
|
|
|||
Loading…
Reference in New Issue