Re: [PATCH v13 14/25] LSM: Ensure the correct LSM context releaser

From: Stephen Smalley <sds@tycho.nsa.gov>
To: Casey Schaufler <casey@schaufler-ca.com>,
	casey.schaufler@intel.com, jmorris@namei.org,
	linux-security-module@vger.kernel.org, selinux@vger.kernel.org
Cc: keescook@chromium.org, john.johansen@canonical.com,
	penguin-kernel@i-love.sakura.ne.jp, paul@paul-moore.com
Subject: Re: [PATCH v13 14/25] LSM: Ensure the correct LSM context releaser
Date: Tue, 7 Jan 2020 14:16:17 -0500	[thread overview]
Message-ID: <cae85ebf-989a-2a2c-2402-d7ae48971545@tycho.nsa.gov> (raw)
In-Reply-To: <20191224235939.7483-15-casey@schaufler-ca.com>

On 12/24/19 6:59 PM, Casey Schaufler wrote:
> Add a new lsmcontext data structure to hold all the information
> about a "security context", including the string, its size and
> which LSM allocated the string. The allocation information is
> necessary because LSMs have different policies regarding the
> lifecycle of these strings. SELinux allocates and destroys
> them on each use, whereas Smack provides a pointer to an entry
> in a list that never goes away.
> 
> Reviewed-by: Kees Cook <keescook@chromium.org>
> Reviewed-by: John Johansen <john.johansen@canonical.com>
> Signed-off-by: Casey Schaufler <casey@schaufler-ca.com>
> cc: linux-integrity@vger.kernel.org
> cc: netdev@vger.kernel.org
> ---
>   drivers/android/binder.c                | 10 ++++---
>   fs/ceph/xattr.c                         |  6 ++++-
>   fs/nfs/nfs4proc.c                       |  8 ++++--
>   fs/nfsd/nfs4xdr.c                       |  7 +++--
>   include/linux/security.h                | 35 +++++++++++++++++++++++--
>   include/net/scm.h                       |  5 +++-
>   kernel/audit.c                          | 14 +++++++---
>   kernel/auditsc.c                        | 12 ++++++---
>   net/ipv4/ip_sockglue.c                  |  4 ++-
>   net/netfilter/nf_conntrack_netlink.c    |  4 ++-
>   net/netfilter/nf_conntrack_standalone.c |  4 ++-
>   net/netfilter/nfnetlink_queue.c         | 13 ++++++---
>   net/netlabel/netlabel_unlabeled.c       | 19 +++++++++++---
>   net/netlabel/netlabel_user.c            |  4 ++-
>   security/security.c                     | 11 ++++----
>   15 files changed, 121 insertions(+), 35 deletions(-)
> 

> diff --git a/include/linux/security.h b/include/linux/security.h
> index d12b5e828b8d..c040c959b413 100644
> --- a/include/linux/security.h
> +++ b/include/linux/security.h
> @@ -128,6 +128,37 @@ enum lockdown_reason {
>   	LOCKDOWN_CONFIDENTIALITY_MAX,
>   };
>   
> +/*
> + * A "security context" is the text representation of
> + * the information used by LSMs.
> + * This structure contains the string, its length, and which LSM
> + * it is useful for.
> + */
> +struct lsmcontext {
> +	char	*context;	/* Provided by the module */
> +	u32	len;
> +	int	slot;		/* Identifies the module */
> +};
> +
> +/**
> + * lsmcontext_init - initialize an lsmcontext structure.
> + * @cp: Pointer to the context to initialize
> + * @context: Initial context, or NULL
> + * @size: Size of context, or 0
> + * @slot: Which LSM provided the context
> + *
> + * Fill in the lsmcontext from the provided information.
> + * This is a scaffolding function that will be removed when
> + * lsmcontext integration is complete.

Still present after the entire series is applied, with one residual user 
in ceph.  Intentional or an oversight?

Otherwise,
Acked-by: Stephen Smalley <sds@tycho.nsa.gov>

> + */
> +static inline void lsmcontext_init(struct lsmcontext *cp, char *context,
> +				   u32 size, int slot)
> +{
> +	cp->slot = slot;
> +	cp->context = context;
> +	cp->len = size;
> +}
> +
>   /*
>    * Data exported by the security modules
>    *