UBUNTU: SAUCE: LSM: Special handling for secctx lsm hooks
authorCasey Schaufler <casey@schaufler-ca.com>
Thu, 27 Dec 2018 22:30:40 +0000 (14:30 -0800)
committerAndrea Righi <andrea.righi@canonical.com>
Mon, 25 Nov 2019 13:56:38 +0000 (14:56 +0100)
Create a special set of LSM hooks for the translation
to human readable security data.

Signed-off-by: Casey Schaufler <casey@schaufler-ca.com>
Signed-off-by: John Johansen <john.johansen@canonical.com>
Signed-off-by: Seth Forshee <seth.forshee@canonical.com>
include/linux/lsm_hooks.h
security/security.c

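--- a/include/linux/lsm_hooks.h
+++ b/include/linux/lsm_hooks.h
@@ -2073,6 +2073,16 @@ struct security_hook_list {
        char                            *lsm;
 } __randomize_layout;
 
+/*
+ * The set of hooks that may be selected for a specific module.
+ */
+struct lsm_one_hooks {
+       char *lsm;
+       union security_list_options secid_to_secctx;
+       union security_list_options secctx_to_secid;
+       union security_list_options socket_getpeersec_stream;
+};
+
 /*
  * Security blob size or offset data.
  */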
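Review bot: The new `struct lsm_one_hooks` carries only a one-line comment and no per-member documentation, although the header is where a reader learns its contract. From the security.c hunks below it appears that the fields are filled for a single module only (`lsm_base_one.lsm` is compared with `strcmp` and the selecting comment says the set "may not be complete"), and that `call_one_int_hook` relies on an unset member being NULL, which a static `lsm_base_one` gives by zero-initialisation; neither is visible from the header. Suggest a kernel-doc block in place of the comment: `/** struct lsm_one_hooks - hooks that only one module may supply`, `@lsm: name of the module whose hooks are recorded, NULL until one is chosen`, then one `@...:` line per union member stating that a member the chosen module did not register stays NULL and the caller must check before calling. Since `lsm` is only compared and never written through, `const char *lsm;` would also document the intent, though matching `struct security_hook_list`'s `char *lsm` is a defensible choice.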
index 1ffe63bf647bc5e2d833d9a5c3f0bb4ceb07a699..120285afdee9bd99896394459a49cb26335820be 100644 (file)
@@ -435,6 +435,9 @@ static int lsm_append(const char *new, char **result)
        return 0;
 }
 
+/* Base list of once-only hooks */
+static struct lsm_one_hooks lsm_base_one;
+
 /**
  * security_add_hooks - Add a modules hooks to the hook lists.
  * @hooks: the hooks to add
@@ -451,6 +454,25 @@ void __init security_add_hooks(struct security_hook_list *hooks, int count,
        for (i = 0; i < count; i++) {
                hooks[i].lsm = lsm;
                hlist_add_tail_rcu(&hooks[i].list, hooks[i].head);
+
+               /*
+                * Check for the special hooks that are restricted to
+                * a single module to create the base set. Use the hooks
+                * from that module for the set, which may not be complete.
+                */
+               if (lsm_base_one.lsm && strcmp(lsm_base_one.lsm, hooks[i].lsm))
+                       continue;
+               if (hooks[i].head == &security_hook_heads.secid_to_secctx)
+                       lsm_base_one.secid_to_secctx = hooks[i].hook;
+               else if (hooks[i].head == &security_hook_heads.secctx_to_secid)
+                       lsm_base_one.secctx_to_secid = hooks[i].hook;
+               else if (hooks[i].head ==
+                               &security_hook_heads.socket_getpeersec_stream)
+                       lsm_base_one.socket_getpeersec_stream = hooks[i].hook;
+               else
+                       continue;
+               if (lsm_base_one.lsm == NULL)
+                       lsm_base_one.lsm = kstrdup(hooks[i].lsm, GFP_KERNEL);
        }
 
        /*
@@ -705,14 +727,8 @@ static void __init lsm_early_task(struct task_struct *task)
 
 #define call_one_int_hook(FUNC, IRC, ...) ({                   \
        int RC = IRC;                                           \
-       do {                                                    \
-               struct security_hook_list *P;                   \
-                                                               \
-               hlist_for_each_entry(P, &security_hook_heads.FUNC, list) { \
-                       RC = P->hook.FUNC(__VA_ARGS__);         \
-                       break;                                  \
-               }                                               \
-       } while (0);                                            \
+       if (lsm_base_one.FUNC.FUNC)                             \
+               RC = lsm_base_one.FUNC.FUNC(__VA_ARGS__);       \
        RC;                                                     \
 })