Getting the u32 secmark from the result of security_secctx_to_secid() requires knowledge about which LSM interpreted the context. Add a function lsm_export_one_secid() that finds the active secid in a lsm_export structure. Use it in secmark processing.
Signed-off-by: Casey Schaufler <casey@xxxxxxxxxxxxxxxx>
---
 include/linux/security.h | 16 ++++++++++++++++
 net/netfilter/nft_meta.c | 7 +------
 net/netfilter/xt_SECMARK.c | 7 +------
 3 files changed, 18 insertions(+), 12 deletions(-)
diff --git a/include/linux/security.h b/include/linux/security.h
index cb5e685f60eb..cb392c6b620f 100644
--- a/include/linux/security.h
+++ b/include/linux/security.h
@@ -115,6 +115,22 @@ static inline bool lsm_export_equal(struct lsm_export *l, struct lsm_export *m)
 return true;
 }
 
+/*
+ * After calling security_secctx_to_secid() one, and only one
+ * of the LSM fields will be set in the lsm_export. Return
+ * whichever one was set. Used to supply secmarks.
+ */
+static inline u32 lsm_export_one_secid(struct lsm_export *l)
+{
+ if (l->flags & LSM_EXPORT_SELINUX)
+ return l->selinux;
+ if (l->flags & LSM_EXPORT_SMACK)
+ return l->smack;
+ if (l->flags & LSM_EXPORT_APPARMOR)
+ return l->apparmor;
+ return 0;
+}
+
 extern struct lsm_export *lsm_export_skb(struct sk_buff *skb);
 
 /* Text representation of LSM specific security information - a "context" */
diff --git a/net/netfilter/nft_meta.c b/net/netfilter/nft_meta.c
index ad1aa430f733..1a2b3efc79ee 100644
--- a/net/netfilter/nft_meta.c
+++ b/net/netfilter/nft_meta.c
@@ -576,12 +576,7 @@ static int nft_secmark_compute_secid(struct nft_secmark *priv)
 if (err)
 return err;
 
- /* Use the "best" secid */
- if (le.selinux)
- tmp_secid = le.selinux;
- else
- tmp_secid = le.smack;
-
+ tmp_secid = lsm_export_one_secid(&le);
 if (!tmp_secid)
 return -ENOENT;
 
diff --git a/net/netfilter/xt_SECMARK.c b/net/netfilter/xt_SECMARK.c
index a06e50535194..b20753957e8d 100644
--- a/net/netfilter/xt_SECMARK.c
+++ b/net/netfilter/xt_SECMARK.c
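Review bot: lsm_export_one_secid() encodes a silent precedence (SELinux, then Smack, then AppArmor) that its own header comment denies by asserting exactly one field is set; if `l->flags` ever carries two LSM_EXPORT_* bits, the later LSM's secid is dropped with no diagnostic and the resulting secmark matches on a secid belonging to a different LSM than the one the rule author intended. Either state the precedence in the comment — e.g. `* If several flags are set, SELinux takes precedence over Smack over AppArmor.` — or add a `WARN_ON_ONCE()` for the multi-flag case so the condition is visible in the log rather than absorbed. The helper never writes through `l`, so `static inline u32 lsm_export_one_secid(const struct lsm_export *l)` is the more accurate signature and lets callers pass const exports. It is also worth noting in the comment that the `return 0` is the "no LSM mapped" sentinel, which both netfilter callers rely on by treating a zero secid as an unmappable context.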
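Review bot: `tmp_secid = lsm_export_one_secid(&le);` quietly widens the mapping to AppArmor exports, which the removed `le.selinux`/`le.smack` selection never consulted, so an nft secmark rule that previously failed with -ENOENT on an AppArmor-only system may now be accepted; the commit message does not mention this behavior change, and the same applies to the xt_SECMARK.c hunk. nft_secmark_compute_secid() starts and ends outside this hunk, so whether `le` is fully initialized before security_secctx_to_secid() fills it cannot be confirmed here; because the helper now keys on `le.flags` rather than on a nonzero field value, a stale flag bit in an uninitialized `le` would presumably be read as a valid secid. Initializing `le` at its declaration (outside the hunk) would make the new flag-based selection robust regardless of what the hook writes on partial failure.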
@@ -67,12 +67,7 @@ static int checkentry_lsm(struct xt_secmark_target_info *info)
 return err;
 }
 
- /* Smack is cheating, using SECMARK_MODE_SEL */
- if (le.selinux)
- info->secid = le.selinux;
- else
- info->secid = le.smack;
-
+ info->secid = lsm_export_one_secid(&le);
 if (!info->secid) {
 pr_info_ratelimited("unable to map security context \'%s\'\n",
 info->secctx);
--
2.17.0