Convert the cred_getsecid hooks to use the lsm_export structure instead of a u32 secid. There is some scaffolding involved that will be removed when security_sk_classify_flow() is updated.
Signed-off-by: Casey Schaufler <casey@xxxxxxxxxxxxxxxx>
---
 include/linux/lsm_hooks.h | 4 ++--
 security/security.c | 5 ++++-
 security/selinux/hooks.c | 6 +++---
 3 files changed, 9 insertions(+), 6 deletions(-)
diff --git a/include/linux/lsm_hooks.h b/include/linux/lsm_hooks.h
index f798a947bf8d..44597189fea4 100644
--- a/include/linux/lsm_hooks.h
+++ b/include/linux/lsm_hooks.h
@@ -877,7 +877,7 @@
 * @sk_clone_security:
 * Clone/copy security structure.
 * @sk_getsecid:
- * Retrieve the LSM-specific secid for the sock to enable caching
+ * Retrieve the LSM exported data for the sock to enable caching
 * of network authorizations.
 * @sock_graft:
 * Sets the socket's isec sid to the sock's sid.
@@ -1696,7 +1696,7 @@ union security_list_options {
 int (*sk_alloc_security)(struct sock *sk, int family, gfp_t priority);
 void (*sk_free_security)(struct sock *sk);
 void (*sk_clone_security)(const struct sock *sk, struct sock *newsk);
- void (*sk_getsecid)(struct sock *sk, u32 *secid);
+ void (*sk_getsecid)(struct sock *sk, struct lsm_export *l);
 void (*sock_graft)(struct sock *sk, struct socket *parent);
 int (*inet_conn_request)(struct sock *sk, struct sk_buff *skb,
 struct request_sock *req);
diff --git a/security/security.c b/security/security.c
index f6ee25ebfa3c..909b6b8d1a50 100644
--- a/security/security.c
+++ b/security/security.c
@@ -2152,7 +2152,10 @@ EXPORT_SYMBOL(security_sk_clone);
 
 void security_sk_classify_flow(struct sock *sk, struct flowi *fl)
 {
- call_void_hook(sk_getsecid, sk, &fl->flowi_secid);
+ struct lsm_export data = { .flags = LSM_EXPORT_NONE };
+
+ call_void_hook(sk_getsecid, sk, &data);
+ lsm_export_secid(&data, &fl->flowi_secid);
 }
 EXPORT_SYMBOL(security_sk_classify_flow);
 
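Review bot: The `sk_getsecid` member of `union security_list_options` now takes `struct lsm_export *l`, but the @sk_getsecid kernel-doc touched in the first hunk of this file still says nothing about the arguments or about who initialises `l`. security_sk_classify_flow() hands a single `data` object to call_void_hook, so the comment should spell out the contract, for example `@sk may be NULL. @l is initialised by the caller; a module fills in only its own entry.` — assuming that is the intended lsm_export contract, which is not shown on this page. The commit message also names cred_getsecid while every hunk converts sk_getsecid. The union definition starts and ends outside the hunk.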
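Review bot: In security_sk_classify_flow(), `lsm_export_secid(&data, &fl->flowi_secid)` runs unconditionally, so when no module registers sk_getsecid `data.flags` is still LSM_EXPORT_NONE and the helper alone decides what lands in flowi_secid, whereas the removed line would appear to leave the field untouched in that case. lsm_export_secid() is not visible here, so what it writes for LSM_EXPORT_NONE should be confirmed, since flowi_secid feeds later network authorization decisions. If the old behaviour is wanted, guard the call with `if (data.flags != LSM_EXPORT_NONE)`. A one-line comment such as `/* Scaffolding until security_sk_classify_flow() is converted */` above the two new statements would also make the temporary code easy to find when it is removed.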
diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c
index 104b2315d36d..6f61a894f7c5 100644
--- a/security/selinux/hooks.c
+++ b/security/selinux/hooks.c
@@ -4893,14 +4893,14 @@ static void selinux_sk_clone_security(const struct sock *sk, struct sock *newsk)
 selinux_netlbl_sk_security_reset(newsksec);
 }
 
-static void selinux_sk_getsecid(struct sock *sk, u32 *secid)
+static void selinux_sk_getsecid(struct sock *sk, struct lsm_export *l)
 {
 if (!sk)
- *secid = SECINITSID_ANY_SOCKET;
+ selinux_export_secid(l, SECINITSID_ANY_SOCKET);
 else {
 struct sk_security_struct *sksec = selinux_sock(sk);
 
- *secid = sksec->sid;
+ selinux_export_secid(l, sksec->sid);
 }
 }
 
-- 
2.17.0
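Review bot: In selinux_sk_getsecid() the `if (!sk)` branch stays unbraced while its `else` branch is braced, and both bodies are rewritten by this patch, so it is a convenient point to brace both as kernel coding style asks: `if (!sk) {` ... `} else {`. A short comment on the first branch, such as `/* no sock: fall back to the generic socket SID */`, would record why a NULL `sk` is accepted here. The hook also writes through `l` without checking it, which is fine only if every caller passes an initialised lsm_export as security_sk_classify_flow() does.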