* [PATCH] LSM: Make lsm_early_cred() and lsm_early_task() local functions.
@ 2019-01-18 10:15 Tetsuo Handa
From: Tetsuo Handa @ 2019-01-18 10:15 UTC (permalink / raw)
To: Casey Schaufler, Kees Cook; +Cc: linux-security-module, Tetsuo Handa
Since current->cred == current->real_cred when ordered_lsm_init()
is called, and lsm_early_cred()/lsm_early_task() need to be called
after the required blob sizes have been determined but before each
module's initialization function is called, we can move these calls from
the individual modules into ordered_lsm_init().
Signed-off-by: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
---
include/linux/lsm_hooks.h | 5 -----
security/apparmor/lsm.c | 2 --
security/security.c | 27 +++++++++++----------------
security/selinux/hooks.c | 1 -
security/smack/smack_lsm.c | 2 --
security/tomoyo/tomoyo.c | 1 -
6 files changed, 11 insertions(+), 27 deletions(-)
diff --git a/include/linux/lsm_hooks.h b/include/linux/lsm_hooks.h
index c753d06..b3e94bc 100644
--- a/include/linux/lsm_hooks.h
+++ b/include/linux/lsm_hooks.h
@@ -2133,9 +2133,4 @@ static inline void security_delete_hooks(struct security_hook_list *hooks,
extern int lsm_inode_alloc(struct inode *inode);
-#ifdef CONFIG_SECURITY
-void __init lsm_early_cred(struct cred *cred);
-void __init lsm_early_task(struct task_struct *task);
-#endif
-
#endif /* ! __LINUX_LSM_HOOKS_H */
diff --git a/security/apparmor/lsm.c b/security/apparmor/lsm.c
index dff7f94..49d664d 100644
--- a/security/apparmor/lsm.c
+++ b/security/apparmor/lsm.c
@@ -1484,8 +1484,6 @@ static int __init set_init_ctx(void)
{
struct cred *cred = (struct cred *)current->real_cred;
- lsm_early_cred(cred);
- lsm_early_task(current);
set_cred_label(cred, aa_get_label(ns_unconfined(root_ns)));
return 0;
diff --git a/security/security.c b/security/security.c
index 9a98c52..8c09334 100644
--- a/security/security.c
+++ b/security/security.c
@@ -278,6 +278,9 @@ static void __init ordered_lsm_parse(const char *order, const char *origin)
kfree(sep);
}
+static void __init lsm_early_cred(struct cred *cred);
+static void __init lsm_early_task(struct task_struct *task);
+
static void __init ordered_lsm_init(void)
{
struct lsm_info **lsm;
@@ -312,6 +315,8 @@ static void __init ordered_lsm_init(void)
blob_sizes.lbs_inode, 0,
SLAB_PANIC, NULL);
+ lsm_early_cred((struct cred *) current->cred);
+ lsm_early_task(current);
for (lsm = ordered_lsms; *lsm; lsm++)
initialize_lsm(*lsm);
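Review bot: The new call at line 61 casts the const away from `current->cred` and depends on `current->cred == current->real_cred` holding at this point, which the commit message asserts but the code does not record; the module init functions that run from the loop below still fetch `current->real_cred`, so that equality is what makes the freshly allocated blob visible to them. A one-line comment would carry the invariant into the source: `/* current->cred == current->real_cred here: allocate the cred/task blobs on the shared init cred and task before any module's init function runs. */`. The forward declarations added in the previous hunk exist only because the definitions sit further down the file; that is acceptable kernel style, but moving the two static helpers above ordered_lsm_init() would remove them. ordered_lsm_init() starts and ends outside this hunk.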
@@ -465,17 +470,12 @@ static int lsm_cred_alloc(struct cred *cred, gfp_t gfp)
* lsm_early_cred - during initialization allocate a composite cred blob
* @cred: the cred that needs a blob
*
- * Allocate the cred blob for all the modules if it's not already there
+ * Allocate the cred blob for all the modules
*/
-void __init lsm_early_cred(struct cred *cred)
+static void __init lsm_early_cred(struct cred *cred)
{
- int rc;
+ int rc = lsm_cred_alloc(cred, GFP_KERNEL);
- if (cred == NULL)
- panic("%s: NULL cred.\n", __func__);
- if (cred->security != NULL)
- return;
- rc = lsm_cred_alloc(cred, GFP_KERNEL);
if (rc)
panic("%s: Early cred alloc failed.\n", __func__);
}
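Review bot: With the `cred->security != NULL` early return removed at lines 79-80, lsm_early_cred() is no longer idempotent, and the same applies to lsm_early_task() in the next hunk: a second call would presumably allocate another blob through lsm_cred_alloc() and lose the first. That is fine while ordered_lsm_init() is the only caller, but the kernel-doc, whose opening `/**` line sits outside this hunk, should state the new contract rather than just drop the "if it's not already there" clause; I would make the description line `* Allocate the cred blob for all the modules. Called exactly once, from ordered_lsm_init(), before any module init function runs; callers must not repeat the call.`. The removed NULL check also means a NULL cred now faults inside lsm_cred_alloc() instead of hitting the labelled panic, which is equivalent in practice during early boot but worth a mention in the changelog.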
@@ -589,17 +589,12 @@ int lsm_msg_msg_alloc(struct msg_msg *mp)
* lsm_early_task - during initialization allocate a composite task blob
* @task: the task that needs a blob
*
- * Allocate the task blob for all the modules if it's not already there
+ * Allocate the task blob for all the modules
*/
-void __init lsm_early_task(struct task_struct *task)
+static void __init lsm_early_task(struct task_struct *task)
{
- int rc;
+ int rc = lsm_task_alloc(task);
- if (task == NULL)
- panic("%s: task cred.\n", __func__);
- if (task->security != NULL)
- return;
- rc = lsm_task_alloc(task);
if (rc)
panic("%s: Early task alloc failed.\n", __func__);
}
diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c
index 2332243..d0fa81c 100644
--- a/security/selinux/hooks.c
+++ b/security/selinux/hooks.c
@@ -209,7 +209,6 @@ static void cred_init_security(void)
struct cred *cred = (struct cred *) current->real_cred;
struct task_security_struct *tsec;
- lsm_early_cred(cred);
tsec = selinux_cred(cred);
tsec->osid = tsec->sid = SECINITSID_KERNEL;
}
diff --git a/security/smack/smack_lsm.c b/security/smack/smack_lsm.c
index a326cd9..fa98394 100644
--- a/security/smack/smack_lsm.c
+++ b/security/smack/smack_lsm.c
@@ -4772,8 +4772,6 @@ static __init int smack_init(void)
if (!smack_inode_cache)
return -ENOMEM;
- lsm_early_cred(cred);
-
/*
* Set the security state for the initial task.
*/
diff --git a/security/tomoyo/tomoyo.c b/security/tomoyo/tomoyo.c
index 066c0da..2b3eee0 100644
--- a/security/tomoyo/tomoyo.c
+++ b/security/tomoyo/tomoyo.c
@@ -566,7 +566,6 @@ static int __init tomoyo_init(void)
/* register ourselves with the security framework */
security_add_hooks(tomoyo_hooks, ARRAY_SIZE(tomoyo_hooks), "tomoyo");
printk(KERN_INFO "TOMOYO Linux initialized\n");
- lsm_early_cred(cred);
blob = tomoyo_cred(cred);
*blob = &tomoyo_kernel_domain;
tomoyo_mm_init();
--
1.8.3.1
* Re: [PATCH] LSM: Make lsm_early_cred() and lsm_early_task() local functions.
From: Casey Schaufler @ 2019-01-18 19:19 UTC (permalink / raw)
To: Tetsuo Handa, Kees Cook; +Cc: linux-security-module, Casey Schaufler
On 1/18/2019 2:15 AM, Tetsuo Handa wrote:
> Since current->cred == current->real_cred when ordered_lsm_init()
> is called, and lsm_early_cred()/lsm_early_task() need to be called
> between the amount of required bytes is determined and module specific
> initialization function is called, we can move these calls from
> individual modules to ordered_lsm_init().
>
> Signed-off-by: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
Seems to work fine for me.
Acked-by: Casey Schaufler <casey@schaufler-ca.com>
> ---
> include/linux/lsm_hooks.h | 5 -----
> security/apparmor/lsm.c | 2 --
> security/security.c | 27 +++++++++++----------------
> security/selinux/hooks.c | 1 -
> security/smack/smack_lsm.c | 2 --
> security/tomoyo/tomoyo.c | 1 -
> 6 files changed, 11 insertions(+), 27 deletions(-)
>
> diff --git a/include/linux/lsm_hooks.h b/include/linux/lsm_hooks.h
> index c753d06..b3e94bc 100644
> --- a/include/linux/lsm_hooks.h
> +++ b/include/linux/lsm_hooks.h
> @@ -2133,9 +2133,4 @@ static inline void security_delete_hooks(struct security_hook_list *hooks,
>
> extern int lsm_inode_alloc(struct inode *inode);
>
> -#ifdef CONFIG_SECURITY
> -void __init lsm_early_cred(struct cred *cred);
> -void __init lsm_early_task(struct task_struct *task);
> -#endif
> -
> #endif /* ! __LINUX_LSM_HOOKS_H */
> diff --git a/security/apparmor/lsm.c b/security/apparmor/lsm.c
> index dff7f94..49d664d 100644
> --- a/security/apparmor/lsm.c
> +++ b/security/apparmor/lsm.c
> @@ -1484,8 +1484,6 @@ static int __init set_init_ctx(void)
> {
> struct cred *cred = (struct cred *)current->real_cred;
>
> - lsm_early_cred(cred);
> - lsm_early_task(current);
> set_cred_label(cred, aa_get_label(ns_unconfined(root_ns)));
>
> return 0;
> diff --git a/security/security.c b/security/security.c
> index 9a98c52..8c09334 100644
> --- a/security/security.c
> +++ b/security/security.c
> @@ -278,6 +278,9 @@ static void __init ordered_lsm_parse(const char *order, const char *origin)
> kfree(sep);
> }
>
> +static void __init lsm_early_cred(struct cred *cred);
> +static void __init lsm_early_task(struct task_struct *task);
> +
> static void __init ordered_lsm_init(void)
> {
> struct lsm_info **lsm;
> @@ -312,6 +315,8 @@ static void __init ordered_lsm_init(void)
> blob_sizes.lbs_inode, 0,
> SLAB_PANIC, NULL);
>
> + lsm_early_cred((struct cred *) current->cred);
> + lsm_early_task(current);
> for (lsm = ordered_lsms; *lsm; lsm++)
> initialize_lsm(*lsm);
>
> @@ -465,17 +470,12 @@ static int lsm_cred_alloc(struct cred *cred, gfp_t gfp)
> * lsm_early_cred - during initialization allocate a composite cred blob
> * @cred: the cred that needs a blob
> *
> - * Allocate the cred blob for all the modules if it's not already there
> + * Allocate the cred blob for all the modules
> */
> -void __init lsm_early_cred(struct cred *cred)
> +static void __init lsm_early_cred(struct cred *cred)
> {
> - int rc;
> + int rc = lsm_cred_alloc(cred, GFP_KERNEL);
>
> - if (cred == NULL)
> - panic("%s: NULL cred.\n", __func__);
> - if (cred->security != NULL)
> - return;
> - rc = lsm_cred_alloc(cred, GFP_KERNEL);
> if (rc)
> panic("%s: Early cred alloc failed.\n", __func__);
> }
> @@ -589,17 +589,12 @@ int lsm_msg_msg_alloc(struct msg_msg *mp)
> * lsm_early_task - during initialization allocate a composite task blob
> * @task: the task that needs a blob
> *
> - * Allocate the task blob for all the modules if it's not already there
> + * Allocate the task blob for all the modules
> */
> -void __init lsm_early_task(struct task_struct *task)
> +static void __init lsm_early_task(struct task_struct *task)
> {
> - int rc;
> + int rc = lsm_task_alloc(task);
>
> - if (task == NULL)
> - panic("%s: task cred.\n", __func__);
> - if (task->security != NULL)
> - return;
> - rc = lsm_task_alloc(task);
> if (rc)
> panic("%s: Early task alloc failed.\n", __func__);
> }
> diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c
> index 2332243..d0fa81c 100644
> --- a/security/selinux/hooks.c
> +++ b/security/selinux/hooks.c
> @@ -209,7 +209,6 @@ static void cred_init_security(void)
> struct cred *cred = (struct cred *) current->real_cred;
> struct task_security_struct *tsec;
>
> - lsm_early_cred(cred);
> tsec = selinux_cred(cred);
> tsec->osid = tsec->sid = SECINITSID_KERNEL;
> }
> diff --git a/security/smack/smack_lsm.c b/security/smack/smack_lsm.c
> index a326cd9..fa98394 100644
> --- a/security/smack/smack_lsm.c
> +++ b/security/smack/smack_lsm.c
> @@ -4772,8 +4772,6 @@ static __init int smack_init(void)
> if (!smack_inode_cache)
> return -ENOMEM;
>
> - lsm_early_cred(cred);
> -
> /*
> * Set the security state for the initial task.
> */
> diff --git a/security/tomoyo/tomoyo.c b/security/tomoyo/tomoyo.c
> index 066c0da..2b3eee0 100644
> --- a/security/tomoyo/tomoyo.c
> +++ b/security/tomoyo/tomoyo.c
> @@ -566,7 +566,6 @@ static int __init tomoyo_init(void)
> /* register ourselves with the security framework */
> security_add_hooks(tomoyo_hooks, ARRAY_SIZE(tomoyo_hooks), "tomoyo");
> printk(KERN_INFO "TOMOYO Linux initialized\n");
> - lsm_early_cred(cred);
> blob = tomoyo_cred(cred);
> *blob = &tomoyo_kernel_domain;
> tomoyo_mm_init();
* Re: [PATCH] LSM: Make lsm_early_cred() and lsm_early_task() local functions.
From: James Morris @ 2019-01-18 19:45 UTC (permalink / raw)
To: Tetsuo Handa; +Cc: Casey Schaufler, Kees Cook, linux-security-module
On Fri, 18 Jan 2019, Tetsuo Handa wrote:
> Since current->cred == current->real_cred when ordered_lsm_init()
> is called, and lsm_early_cred()/lsm_early_task() need to be called
> between the amount of required bytes is determined and module specific
> initialization function is called, we can move these calls from
> individual modules to ordered_lsm_init().
>
> Signed-off-by: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
Applied to
git://git.kernel.org/pub/scm/linux/kernel/git/jmorris/linux-security.git next-general
--
James Morris
<jmorris@namei.org>