Re: [PATCH 22/58] Audit: Change audit_sig_sid to audit_sig_lsm

Casey Schaufler <casey@xxxxxxxxxxxxxxxx> · Mon, 3 Jun 2019 15:23:07 -0700

On 6/1/2019 7:03 PM, Kees Cook wrote:
> On Fri, May 31, 2019 at 04:09:44PM -0700, Casey Schaufler wrote:
>> Remove lsm_export scaffolding around audit_sig_sid by
>> changing the u32 secid into an lsm_export structure named
>> audit_sig_lsm.
>>
>> Signed-off-by: Casey Schaufler <casey@xxxxxxxxxxxxxxxx>
>> ---
>>  include/linux/security.h |  7 +++++++
>>  kernel/audit.c           | 18 ++++++++----------
>>  kernel/audit.h           |  2 +-
>>  kernel/auditsc.c         |  3 +--
>>  4 files changed, 17 insertions(+), 13 deletions(-)
>>
>> diff --git a/include/linux/security.h b/include/linux/security.h
>> index 40aa7b9f3c83..e76d7a9dbe50 100644
>> --- a/include/linux/security.h
>> +++ b/include/linux/security.h
>> @@ -93,6 +93,13 @@ static inline void lsm_export_init(struct lsm_export *l)
>>  	memset(l, 0, sizeof(*l));
>>  }
>>  
>> +static inline bool lsm_export_any(struct lsm_export *l)
>> +{
>> +	return (((l->flags & LSM_EXPORT_SELINUX) && l->selinux) ||
>> +		((l->flags & LSM_EXPORT_SMACK) && l->smack) ||
>> +		((l->flags & LSM_EXPORT_APPARMOR) && l->apparmor));
>> +}
> All of these helpers need kerndoc.

Point.

> Bikeshed on naming:
> - struct lsm_export renamed to lsm_secid

I want to get away from the expectation that what an
LSM exports has to be a u32 secid. It's not in any patchset
yet, but I plan to replace the Smack u32 with a struct smack_known *
at some point in the future. That will require a little work
in the secmark code, but will have significant performance
improvement in audit and UDS.

> - lsm_export_any renamed to lsm_secid_defined() or ..._is_set() or
>   ..._non_zero() ?

I'll admit lsm_export_any() isn't a great name. The state it has
to convey is "some LSM has set a value, and it isn't an error value."
Like "secid != 0", except that it matters whether the 0 came from
secid having never been set, as opposed to it was set because something
went wrong. At the same time, I don't want it to imply that the value
is set for all LSMs, because it may not be. That's why I used "any".
Some LSM *has* set a value. That value may not be the one you're hoping
for, but you may need to call the subsystem (e.g.audit) that's going to
look.

Maybe lsm_export_is_interesting()?
I'd love to discover there's a convention I could adhere to.