On 12/17/2023 6:50 PM, Xiubo Li wrote: > > On 12/16/23 06:16, Casey Schaufler wrote: >> Replace the (secctx,seclen) pointer pair with a single >> lsmcontext pointer to allow return of the LSM identifier >> along with the context and context length. This allows >> security_release_secctx() to know how to release the >> context. Callers have been modified to use or save the >> returned data from the new structure. >> >> Special care is taken in the NFS code, which uses the >> same data structure for its own copied labels as it does >> for the data which comes from security_dentry_init_security(). >> In the case of copied labels the data has to be freed, not >> released. >> >> Signed-off-by: Casey Schaufler <casey@xxxxxxxxxxxxxxxx> >> Cc: ceph-devel@xxxxxxxxxxxxxxx >> Cc: linux-nfs@xxxxxxxxxxxxxxx >> --- >> fs/ceph/super.h | 3 +-- >> fs/ceph/xattr.c | 19 ++++++------------- >> fs/fuse/dir.c | 35 ++++++++++++++++++----------------- >> fs/nfs/dir.c | 2 +- >> fs/nfs/inode.c | 17 ++++++++++------- >> fs/nfs/internal.h | 8 +++++--- >> fs/nfs/nfs4proc.c | 22 +++++++++------------- >> fs/nfs/nfs4xdr.c | 22 ++++++++++++---------- >> include/linux/lsm_hook_defs.h | 2 +- >> include/linux/nfs4.h | 8 ++++---- >> include/linux/nfs_fs.h | 2 +- >> include/linux/security.h | 7 +++---- >> security/security.c | 9 ++++----- >> security/selinux/hooks.c | 9 +++++---- >> 14 files changed, 80 insertions(+), 85 deletions(-) >> >> diff --git a/fs/ceph/super.h b/fs/ceph/super.h >> index fe0f64a0acb2..d503cc7478b7 100644 >> --- a/fs/ceph/super.h >> +++ b/fs/ceph/super.h >> @@ -1133,8 +1133,7 @@ struct ceph_acl_sec_ctx { >> void *acl; >> #endif >> #ifdef CONFIG_CEPH_FS_SECURITY_LABEL >> - void *sec_ctx; >> - u32 sec_ctxlen; >> + struct lsmcontext lsmctx; >> #endif >> #ifdef CONFIG_FS_ENCRYPTION >> struct ceph_fscrypt_auth *fscrypt_auth; >> diff --git a/fs/ceph/xattr.c b/fs/ceph/xattr.c >> index 113956d386c0..4c767a20ac4c 100644 >> --- a/fs/ceph/xattr.c >> +++ b/fs/ceph/xattr.c 
>> @@ -1383,8 +1383,7 @@ int ceph_security_init_secctx(struct dentry >> *dentry, umode_t mode, >> int err; >> err = security_dentry_init_security(dentry, mode, >> &dentry->d_name, >> - &name, &as_ctx->sec_ctx, >> - &as_ctx->sec_ctxlen); >> + &name, &as_ctx->lsmctx); >> if (err < 0) { >> WARN_ON_ONCE(err != -EOPNOTSUPP); >> err = 0; /* do nothing */ >> @@ -1409,7 +1408,7 @@ int ceph_security_init_secctx(struct dentry >> *dentry, umode_t mode, >> */ >> name_len = strlen(name); >> err = ceph_pagelist_reserve(pagelist, >> - 4 * 2 + name_len + as_ctx->sec_ctxlen); >> + 4 * 2 + name_len + as_ctx->lsmctx.len); >> if (err) >> goto out; >> @@ -1429,11 +1428,9 @@ int ceph_security_init_secctx(struct dentry >> *dentry, umode_t mode, >> as_ctx->pagelist = pagelist; >> } >> - ceph_pagelist_encode_32(pagelist, name_len); >> - ceph_pagelist_append(pagelist, name, name_len); >> - > > Why remove these ? Looks like I have a merge error. Thank you for reviewing. I will repair this. > >> - ceph_pagelist_encode_32(pagelist, as_ctx->sec_ctxlen); >> - ceph_pagelist_append(pagelist, as_ctx->sec_ctx, >> as_ctx->sec_ctxlen); >> + ceph_pagelist_encode_32(pagelist, as_ctx->lsmctx.len); >> + ceph_pagelist_append(pagelist, as_ctx->lsmctx.context, >> + as_ctx->lsmctx.len); >> > [...] > > Thanks, > > - Xiubo >
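Review bot: In the fs/ceph/super.h hunk, `struct lsmcontext lsmctx;` is embedded by value in struct ceph_acl_sec_ctx, so the full structure definition has to be visible wherever super.h is included with CONFIG_CEPH_FS_SECURITY_LABEL set, and the diffstat for this file (1 insertion, 2 deletions) shows no include being added. Confirm that the header defining struct lsmcontext is already pulled in by super.h, or add the include in this patch.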
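Review bot: In the fs/ceph/xattr.c hunk at -1429, the removed `ceph_pagelist_encode_32(pagelist, name_len);` and `ceph_pagelist_append(pagelist, name, name_len);` have no replacement, so the xattr name is no longer written to the pagelist, while the ceph_pagelist_reserve() call in the -1408 hunk still reserves `4 * 2 + name_len + as_ctx->lsmctx.len`. Only the sec_ctx/sec_ctxlen lines need converting to lsmctx here; restore the name length and name encoding ahead of the context so the encoded data matches what was reserved.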