UBUNTU: SAUCE: LSM: Limit calls to certain module hooks
authorCasey Schaufler <casey@schaufler-ca.com>
Wed, 12 Dec 2018 01:10:15 +0000 (17:10 -0800)
committerSeth Forshee <seth.forshee@canonical.com>
Tue, 26 Mar 2019 14:54:20 +0000 (09:54 -0500)
LSM hooks dealing with security context strings should
only be called for one security module. Add call macros
that invoke a single module hook and use them for those cases.

Signed-off-by: Casey Schaufler <casey@schaufler-ca.com>
Signed-off-by: John Johansen <john.johansen@canonical.com>
Signed-off-by: Seth Forshee <seth.forshee@canonical.com>
security/security.c

index 8982e37caf87f3a2639e8d4bfa3d6e40da4d68e9..bea21fa8f29dfea5a3a4db390f259a45a42992d3 100644 (file)
@@ -646,6 +646,16 @@ static void __init lsm_early_task(struct task_struct *task)
                        P->hook.FUNC(__VA_ARGS__);              \
        } while (0)
 
+#define call_one_void_hook(FUNC, ...)                          \
+       do {                                                    \
+               struct security_hook_list *P;                   \
+                                                               \
+               hlist_for_each_entry(P, &security_hook_heads.FUNC, list) { \
+                       P->hook.FUNC(__VA_ARGS__);              \
+                       break;                                  \
+               }                                               \
+       } while (0)
+
 #define call_int_hook(FUNC, IRC, ...) ({                       \
        int RC = IRC;                                           \
        do {                                                    \
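Review bot: `call_one_void_hook` (and `call_one_int_hook` in the next hunk) picks whichever module is first on `security_hook_heads.FUNC` and says nothing about it; the `break;` after the call is the entire mechanism, and which module ends up first is decided by registration order rather than by anything visible here. A reader skimming for the difference from `call_void_hook` needs that spelled out above the definition, e.g. `/* Invoke FUNC for only the first LSM on its hook list (registration order); use only for hooks where a single module may answer. */`. The `call_int_hook` definition that this hunk ends in continues outside the hunk.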
@@ -660,6 +670,19 @@ static void __init lsm_early_task(struct task_struct *task)
        RC;                                                     \
 })
 
+#define call_one_int_hook(FUNC, IRC, ...) ({                   \
+       int RC = IRC;                                           \
+       do {                                                    \
+               struct security_hook_list *P;                   \
+                                                               \
+               hlist_for_each_entry(P, &security_hook_heads.FUNC, list) { \
+                       RC = P->hook.FUNC(__VA_ARGS__);         \
+                       break;                                  \
+               }                                               \
+       } while (0);                                            \
+       RC;                                                     \
+})
+
 /* Security operations */
 
 int security_binder_set_context_mgr(struct task_struct *mgr)
@@ -1893,7 +1916,7 @@ EXPORT_SYMBOL(security_ismaclabel);
 
 int security_secid_to_secctx(u32 secid, char **secdata, u32 *seclen)
 {
-       return call_int_hook(secid_to_secctx, -EOPNOTSUPP, secid, secdata,
+       return call_one_int_hook(secid_to_secctx, -EOPNOTSUPP, secid, secdata,
                                seclen);
 }
 EXPORT_SYMBOL(security_secid_to_secctx);
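Review bot: The continuation line `seclen);` in `security_secid_to_secctx` kept its old indentation, so after the rename to the four-characters-longer `call_one_int_hook(` it no longer lines up with the opening parenthesis, which is how the kernel wraps arguments. Re-indent the continuation by four columns to align with the parenthesis, or move `secid, secdata,` down onto it. The same misalignment appears in the `socket_getpeersec_stream` call in the last hunk.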
@@ -1901,13 +1924,13 @@ EXPORT_SYMBOL(security_secid_to_secctx);
 int security_secctx_to_secid(const char *secdata, u32 seclen, u32 *secid)
 {
        *secid = 0;
-       return call_int_hook(secctx_to_secid, 0, secdata, seclen, secid);
+       return call_one_int_hook(secctx_to_secid, 0, secdata, seclen, secid);
 }
 EXPORT_SYMBOL(security_secctx_to_secid);
 
 void security_release_secctx(char *secdata, u32 seclen)
 {
-       call_void_hook(release_secctx, secdata, seclen);
+       call_one_void_hook(release_secctx, secdata, seclen);
 }
 EXPORT_SYMBOL(security_release_secctx);
 
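Review bot: `security_release_secctx` now hands `secdata` to the first module on the `release_secctx` list, but the buffer was produced by the first module on the separate `secid_to_secctx` list, so the pairing holds only if the same LSM heads both lists, which nothing in the hunk checks or documents. A buffer allocated by one module and released by another is the failure mode if that ordering assumption is ever broken, so state it at the call: `/* secdata came from the first secid_to_secctx hook; relies on the same LSM heading the release_secctx list. */`. `security_secctx_to_secid` in the same hunk rests on the same single-module assumption and would benefit from a one-line note of its own.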
@@ -2032,7 +2055,7 @@ EXPORT_SYMBOL(security_sock_rcv_skb);
 int security_socket_getpeersec_stream(struct socket *sock, char __user *optval,
                                      int __user *optlen, unsigned len)
 {
-       return call_int_hook(socket_getpeersec_stream, -ENOPROTOOPT, sock,
+       return call_one_int_hook(socket_getpeersec_stream, -ENOPROTOOPT, sock,
                                optval, optlen, len);
 }