[PATCH 10/97] LSM: Use lsm_export in the sk_getsecid hooks

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



Convert the cred_getsecid hooks to use the lsm_export
structure instead of a u32 secid. There is some scaffolding
involved that will be removed when security_sk_classify_flow()
is updated.

Signed-off-by: Casey Schaufler <casey@xxxxxxxxxxxxxxxx>
---
 include/linux/lsm_hooks.h | 4 ++--
 security/security.c       | 5 ++++-
 security/selinux/hooks.c  | 6 +++---
 3 files changed, 9 insertions(+), 6 deletions(-)

diff --git a/include/linux/lsm_hooks.h b/include/linux/lsm_hooks.h
index f798a947bf8d..44597189fea4 100644
--- a/include/linux/lsm_hooks.h
+++ b/include/linux/lsm_hooks.h
@@ -877,7 +877,7 @@
  * @sk_clone_security:
  *	Clone/copy security structure.
  * @sk_getsecid:
- *	Retrieve the LSM-specific secid for the sock to enable caching
+ *	Retrieve the LSM exported data for the sock to enable caching
  *	of network authorizations.
  * @sock_graft:
  *	Sets the socket's isec sid to the sock's sid.
@@ -1696,7 +1696,7 @@ union security_list_options {
 	int (*sk_alloc_security)(struct sock *sk, int family, gfp_t priority);
 	void (*sk_free_security)(struct sock *sk);
 	void (*sk_clone_security)(const struct sock *sk, struct sock *newsk);
-	void (*sk_getsecid)(struct sock *sk, u32 *secid);
+	void (*sk_getsecid)(struct sock *sk, struct lsm_export *l);
 	void (*sock_graft)(struct sock *sk, struct socket *parent);
 	int (*inet_conn_request)(struct sock *sk, struct sk_buff *skb,
 					struct request_sock *req);
diff --git a/security/security.c b/security/security.c
index f6ee25ebfa3c..909b6b8d1a50 100644
--- a/security/security.c
+++ b/security/security.c
@@ -2152,7 +2152,10 @@ EXPORT_SYMBOL(security_sk_clone);
 
 void security_sk_classify_flow(struct sock *sk, struct flowi *fl)
 {
-	call_void_hook(sk_getsecid, sk, &fl->flowi_secid);
+	struct lsm_export data = { .flags = LSM_EXPORT_NONE };
+
+	call_void_hook(sk_getsecid, sk, &data);
+	lsm_export_secid(&data, &fl->flowi_secid);
 }
 EXPORT_SYMBOL(security_sk_classify_flow);
 
diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c
index 104b2315d36d..6f61a894f7c5 100644
--- a/security/selinux/hooks.c
+++ b/security/selinux/hooks.c
@@ -4893,14 +4893,14 @@ static void selinux_sk_clone_security(const struct sock *sk, struct sock *newsk)
 	selinux_netlbl_sk_security_reset(newsksec);
 }
 
-static void selinux_sk_getsecid(struct sock *sk, u32 *secid)
+static void selinux_sk_getsecid(struct sock *sk, struct lsm_export *l)
 {
 	if (!sk)
-		*secid = SECINITSID_ANY_SOCKET;
+		selinux_export_secid(l, SECINITSID_ANY_SOCKET);
 	else {
 		struct sk_security_struct *sksec = selinux_sock(sk);
 
-		*secid = sksec->sid;
+		selinux_export_secid(l, sksec->sid);
 	}
 }
 
-- 
2.17.0




[Index of Archives]     [Selinux Refpolicy]     [Linux SGX]     [Fedora Users]     [Fedora Desktop]     [Yosemite Photos]     [Yosemite Camping]     [Yosemite Campsites]     [KDE Users]     [Gnome Users]

  Powered by Linux