UBUNTU: SAUCE: Stacking v38: LSM: Use lsmblob in security_ipc_getsecid

author Casey Schaufler <casey@schaufler-ca.com>

Mon, 27 Jun 2022 20:48:53 +0000 (13:48 -0700)

committer Andrea Righi <andrea.righi@canonical.com>

Thu, 23 Mar 2023 19:41:23 +0000 (20:41 +0100)
author Casey Schaufler <casey@schaufler-ca.com>
Mon, 27 Jun 2022 20:48:53 +0000 (13:48 -0700)
committer Andrea Righi <andrea.righi@canonical.com>
Thu, 23 Mar 2023 19:41:23 +0000 (20:41 +0100)
diff --git a/include/linux/security.h b/include/linux/security.h

index 450dcb3bde36abc2d2c5ee0ef84585915f426b9c..ce03586c255f0a02cc94167cc931ef1fce613634 100644 (file)
--- a/include/linux/security.h
+++ b/include/linux/security.h
@@ -553,7 +553,7 @@ int security_task_prctl(int option, unsigned long arg2, unsigned long arg3,
  void security_task_to_inode(struct task_struct *p, struct inode *inode);
  int security_create_user_ns(const struct cred *cred);
  int security_ipc_permission(struct kern_ipc_perm *ipcp, short flag);
-void security_ipc_getsecid(struct kern_ipc_perm *ipcp, u32 *secid);
+void security_ipc_getsecid(struct kern_ipc_perm *ipcp, struct lsmblob *blob);
  int security_msg_msg_alloc(struct msg_msg *msg);
  void security_msg_msg_free(struct msg_msg *msg);
  int security_msg_queue_alloc(struct kern_ipc_perm *msq);
@@ -1349,9 +1349,10 @@ static inline int security_ipc_permission(struct kern_ipc_perm *ipcp,
         return 0;
  }
  
-static inline void security_ipc_getsecid(struct kern_ipc_perm *ipcp, u32 *secid)
+static inline void security_ipc_getsecid(struct kern_ipc_perm *ipcp,
+                                        struct lsmblob *blob)
  {
-       *secid = 0;
+       lsmblob_init(blob, 0);
  }
  
  static inline int security_msg_msg_alloc(struct msg_msg *msg)
diff --git a/kernel/auditsc.c b/kernel/auditsc.c

index 74f58df2732543952f2892b679b76c7738b1365d..9e0ae06ecf8dc647d301108cdfa6ebd7136edd7e 100644 (file)
--- a/kernel/auditsc.c
+++ b/kernel/auditsc.c
@@ -2646,12 +2646,17 @@ void __audit_mq_getsetattr(mqd_t mqdes, struct mq_attr *mqstat)
  void __audit_ipc_obj(struct kern_ipc_perm *ipcp)
  {
         struct audit_context *context = audit_context();
+       struct lsmblob blob;
  
         context->ipc.uid = ipcp->uid;
         context->ipc.gid = ipcp->gid;
         context->ipc.mode = ipcp->mode;
         context->ipc.has_perm = 0;
-       security_ipc_getsecid(ipcp, &context->ipc.osid);
+       security_ipc_getsecid(ipcp, &blob);
+       /* context->ipc.osid will be changed to a lsmblob later in
+        * the patch series. This will allow auditing of all the object
+        * labels associated with the ipc object. */
+       context->ipc.osid = lsmblob_value(&blob);
         context->type = AUDIT_IPC;
  }
  
diff --git a/security/security.c b/security/security.c

index e19ea1d769a0d4803640b2e1c1093530d1b0395a..b86851d08d2f875ddf7fb9058052783fe5602692 100644 (file)
--- a/security/security.c
+++ b/security/security.c
@@ -2117,10 +2117,16 @@ int security_ipc_permission(struct kern_ipc_perm *ipcp, short flag)
         return call_int_hook(ipc_permission, 0, ipcp, flag);
  }
  
-void security_ipc_getsecid(struct kern_ipc_perm *ipcp, u32 *secid)
+void security_ipc_getsecid(struct kern_ipc_perm *ipcp, struct lsmblob *blob)
  {
-       *secid = 0;
-       call_void_hook(ipc_getsecid, ipcp, secid);
+       struct security_hook_list *hp;
+
+       lsmblob_init(blob, 0);
+       hlist_for_each_entry(hp, &security_hook_heads.ipc_getsecid, list) {
+               if (WARN_ON(hp->lsmid->slot < 0 || hp->lsmid->slot >= lsm_slot))
+                       continue;
+               hp->hook.ipc_getsecid(ipcp, &blob->secid[hp->lsmid->slot]);
+       }
  }
  
  int security_msg_msg_alloc(struct msg_msg *msg)
author	Casey Schaufler <casey@schaufler-ca.com>
	Mon, 27 Jun 2022 20:48:53 +0000 (13:48 -0700)
committer	Andrea Righi <andrea.righi@canonical.com>
	Thu, 23 Mar 2023 19:41:23 +0000 (20:41 +0100)
include/linux/security.h		patch \| blob \| blame \| history
kernel/auditsc.c		patch \| blob \| blame \| history
security/security.c		patch \| blob \| blame \| history