Re: [PATCH v8 1/2] LSM: Multiple concurrent LSMs

Casey Schaufler <casey@xxxxxxxxxxxxxxxx> · Mon, 26 Nov 2012 08:33:39 -0800

On 11/26/2012 5:04 AM, Tetsuo Handa wrote:
> Something like this?

I've incorporated several of differences. They'll be in the next (v8) patch.

>
> int security_getprocattr(struct task_struct *p, char *name, char **value)
> {
> 	struct security_operations *sop;
> 	struct security_operations *note[COMPOSER_MAX];
> 	char *values[COMPOSER_MAX];
> 	int rcs[COMPOSER_MAX];
> 	int i = 0;
> 	struct security_operations *preferred = lsm_present;
>
> 	if (preferred)
> 		return preferred->getprocattr(p, name, value);
>
> 	/*
> 	 * Find all the LSMs that produce procattrs and call them,
> 	 * saving the results.
> 	 */
> 	for_each_hook(sop, getprocattr) {
> 		note[i] = sop;
> 		values[i] = NULL;
> 		rcs[i] = sop->getprocattr(p, name, &values[i]);
> 		i++;
> 	}
> 	/*
> 	 * Special cases for 0 and 1 LSMs getting called.
> 	 * Otherwise, return a composed string.
> 	 */
> 	if (!i)
> 		return -EINVAL;
> 	if (i == 1) {
> 		*value = values[0];
> 		return rcs[0];
> 	} else {
> 		char *result;
> 		int notes = i;
> 		int total = 0;
> 		for (i = 0; i < notes; i++) {
> 			if (rcs[i] < 0)
> 				total += 6; /* "(null)" */
> 			else
> 				total += rcs[i];
> 			total += strlen(note[i]->name) + 2;
> 		}
> 		result = kzalloc(total + 3, GFP_KERNEL);
> 		*value = result;
> 		if (!result) {
> 			for (i = 0; i < notes; i++)
> 				kfree(values[i]);
> 			return -ENOMEM;
> 		}
> 		for (i = 0; i < notes; i++) {
> 			char *cp;
> 			strcat(result, "/");
> 			strcat(result, note[i]->name);
> 			strcat(result, "=");
> 			if (!values[i]) {
> 				strcat(result, "(null)");
> 				continue;
> 			}
> 			cp = memchr(values[i], '\n', rcs[i]);
> 			if (cp)
> 				*cp = '\0';
> 			strncat(result, values[i], rcs[i]);
> 			kfree(values[i]);
> 		}
> 		strcat(result, "/\n");
> 		return strlen(result) + 1;
> 	}
> }
> --
> To unsubscribe from this list: send the line "unsubscribe linux-security-module" in
> the body of a message to majordomo@xxxxxxxxxxxxxxx
> More majordomo info at  http://vger.kernel.org/majordomo-info.html
>

--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@xxxxxxxxxxxxx with
the words "unsubscribe selinux" without quotes as the message.