All of lore.kernel.org
 help / color / mirror / Atom feed
From: Casey Schaufler <casey@schaufler-ca.com>
To: casey.schaufler@intel.com, jmorris@namei.org,
	linux-security-module@vger.kernel.org, selinux@vger.kernel.org
Cc: casey@schaufler-ca.com, keescook@chromium.org,
	john.johansen@canonical.com, penguin-kernel@i-love.sakura.ne.jp,
	paul@paul-moore.com, sds@tycho.nsa.gov
Subject: [PATCH 14/58] LSM: Use lsm_export in security_kernel_act_as
Date: Fri, 31 May 2019 16:31:05 -0700	[thread overview]
Message-ID: <20190531233149.715-15-casey@schaufler-ca.com> (raw)
In-Reply-To: <20190531233149.715-1-casey@schaufler-ca.com>

From: Casey Schaufler <cschaufler@schaufler-ca.com>

Convert security_kernel_act_as to use the lsm_export structure
instead of a u32 secid. There is some scaffolding involved
that will be removed when the related data is updated.

Signed-off-by: Casey Schaufler <casey@schaufler-ca.com>
---
 include/linux/cred.h     |  3 ++-
 include/linux/security.h |  5 +++--
 kernel/cred.c            | 10 ++++++----
 security/security.c      |  8 ++------
 4 files changed, 13 insertions(+), 13 deletions(-)

diff --git a/include/linux/cred.h b/include/linux/cred.h
index efb6edf32de7..9305298eca17 100644
--- a/include/linux/cred.h
+++ b/include/linux/cred.h
@@ -22,6 +22,7 @@
 
 struct cred;
 struct inode;
+struct lsm_export;
 
 /*
  * COW Supplementary groups list
@@ -165,7 +166,7 @@ extern const struct cred *override_creds(const struct cred *);
 extern void revert_creds(const struct cred *);
 extern struct cred *prepare_kernel_cred(struct task_struct *);
 extern int change_create_files_as(struct cred *, struct inode *);
-extern int set_security_override(struct cred *, u32);
+extern int set_security_override(struct cred *, struct lsm_export *);
 extern int set_security_override_from_ctx(struct cred *, const char *);
 extern int set_create_files_as(struct cred *, struct inode *);
 extern int cred_fscmp(const struct cred *, const struct cred *);
diff --git a/include/linux/security.h b/include/linux/security.h
index ea2c6c4e88db..7369cdc3a681 100644
--- a/include/linux/security.h
+++ b/include/linux/security.h
@@ -378,7 +378,7 @@ void security_cred_free(struct cred *cred);
 int security_prepare_creds(struct cred *new, const struct cred *old, gfp_t gfp);
 void security_transfer_creds(struct cred *new, const struct cred *old);
 void security_cred_getsecid(const struct cred *c, u32 *secid);
-int security_kernel_act_as(struct cred *new, u32 secid);
+int security_kernel_act_as(struct cred *new, struct lsm_export *l);
 int security_kernel_create_files_as(struct cred *new, struct inode *inode);
 int security_kernel_module_request(char *kmod_name);
 int security_kernel_load_data(enum kernel_load_data_id id);
@@ -961,7 +961,8 @@ static inline void security_transfer_creds(struct cred *new,
 {
 }
 
-static inline int security_kernel_act_as(struct cred *cred, u32 secid)
+static inline int security_kernel_act_as(struct cred *cred,
+					 struct lsm_export *l)
 {
 	return 0;
 }
diff --git a/kernel/cred.c b/kernel/cred.c
index 45d77284aed0..40a3fde22667 100644
--- a/kernel/cred.c
+++ b/kernel/cred.c
@@ -701,14 +701,14 @@ EXPORT_SYMBOL(prepare_kernel_cred);
 /**
  * set_security_override - Set the security ID in a set of credentials
  * @new: The credentials to alter
- * @secid: The LSM security ID to set
+ * @l: The LSM security information to set
  *
  * Set the LSM security ID in a set of credentials so that the subjective
  * security is overridden when an alternative set of credentials is used.
  */
-int set_security_override(struct cred *new, u32 secid)
+int set_security_override(struct cred *new, struct lsm_export *l)
 {
-	return security_kernel_act_as(new, secid);
+	return security_kernel_act_as(new, l);
 }
 EXPORT_SYMBOL(set_security_override);
 
@@ -724,6 +724,7 @@ EXPORT_SYMBOL(set_security_override);
  */
 int set_security_override_from_ctx(struct cred *new, const char *secctx)
 {
+	struct lsm_export le;
 	u32 secid;
 	int ret;
 
@@ -731,7 +732,8 @@ int set_security_override_from_ctx(struct cred *new, const char *secctx)
 	if (ret < 0)
 		return ret;
 
-	return set_security_override(new, secid);
+	lsm_export_to_all(&le, secid);
+	return set_security_override(new, &le);
 }
 EXPORT_SYMBOL(set_security_override_from_ctx);
 
diff --git a/security/security.c b/security/security.c
index 1e819ecf26ff..edaaaef54239 100644
--- a/security/security.c
+++ b/security/security.c
@@ -1615,13 +1615,9 @@ void security_cred_getsecid(const struct cred *c, u32 *secid)
 }
 EXPORT_SYMBOL(security_cred_getsecid);
 
-int security_kernel_act_as(struct cred *new, u32 secid)
+int security_kernel_act_as(struct cred *new, struct lsm_export *l)
 {
-	struct lsm_export data = { .flags = LSM_EXPORT_NONE };
-
-	lsm_export_to_all(&data, secid);
-
-	return call_int_hook(kernel_act_as, 0, new, &data);
+	return call_int_hook(kernel_act_as, 0, new, l);
 }
 
 int security_kernel_create_files_as(struct cred *new, struct inode *inode)
-- 
2.19.1


  parent reply	other threads:[~2019-05-31 23:33 UTC|newest]

Thread overview: 20+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2019-05-31 23:30 [PATCH 00/58] LSM: Module stacking for AppArmor Casey Schaufler
2019-05-31 23:30 ` [PATCH 01/58] LSM: Infrastructure management of the superblock Casey Schaufler
2019-05-31 23:30 ` [PATCH 02/58] LSM: Infrastructure management of the sock security Casey Schaufler
2019-05-31 23:30 ` [PATCH 03/58] LSM: Infrastructure management of the key security blob Casey Schaufler
2019-05-31 23:30 ` [PATCH 04/58] LSM: Create an lsm_export data structure Casey Schaufler
2019-05-31 23:30 ` [PATCH 05/58] LSM: Use lsm_export in the inode_getsecid hooks Casey Schaufler
2019-05-31 23:30 ` [PATCH 06/58] LSM: Use lsm_export in the cred_getsecid hooks Casey Schaufler
2019-05-31 23:30 ` [PATCH 07/58] LSM: Use lsm_export in the ipc_getsecid and task_getsecid hooks Casey Schaufler
2019-05-31 23:30 ` [PATCH 08/58] LSM: Use lsm_export in the kernel_ask_as hooks Casey Schaufler
2019-05-31 23:31 ` [PATCH 09/58] LSM: Use lsm_export in the getpeersec_dgram hooks Casey Schaufler
2019-05-31 23:31 ` [PATCH 10/58] LSM: Use lsm_export in the audit_rule_match hooks Casey Schaufler
2019-05-31 23:31 ` [PATCH 11/58] LSM: Use lsm_export in the secid_to_secctx hooks Casey Schaufler
2019-05-31 23:31 ` [PATCH 12/58] LSM: Use lsm_export in the secctx_to_secid hooks Casey Schaufler
2019-05-31 23:31 ` [PATCH 13/58] LSM: Use lsm_export in security_audit_rule_match Casey Schaufler
2019-05-31 23:31 ` Casey Schaufler [this message]
2019-05-31 23:31 ` [PATCH 15/58] LSM: Use lsm_export in security_socket_getpeersec_dgram Casey Schaufler
2019-05-31 23:31 ` [PATCH 16/58] LSM: Use lsm_export in security_secctx_to_secid Casey Schaufler
2019-05-31 23:31 ` [PATCH 17/58] LSM: Use lsm_export in security_secid_to_secctx Casey Schaufler
  -- strict thread matches above, loose matches on Subject: below --
2019-06-02 16:50 [PATCH 00/58] LSM: Module stacking for AppArmor Casey Schaufler
2019-06-02 16:50 ` [PATCH 14/58] LSM: Use lsm_export in security_kernel_act_as Casey Schaufler
2019-05-31 23:09 [PATCH 00/58] LSM: Module stacking for AppArmor Casey Schaufler
2019-05-31 23:09 ` [PATCH 14/58] LSM: Use lsm_export in security_kernel_act_as Casey Schaufler

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20190531233149.715-15-casey@schaufler-ca.com \
    --to=casey@schaufler-ca.com \
    --cc=casey.schaufler@intel.com \
    --cc=jmorris@namei.org \
    --cc=john.johansen@canonical.com \
    --cc=keescook@chromium.org \
    --cc=linux-security-module@vger.kernel.org \
    --cc=paul@paul-moore.com \
    --cc=penguin-kernel@i-love.sakura.ne.jp \
    --cc=sds@tycho.nsa.gov \
    --cc=selinux@vger.kernel.org \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body. 
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.