On 12/16/19 5:36 PM, Casey Schaufler wrote:
Change the security_task_getsecid() interface to fill in
a lsmblob structure instead of a u32 secid in support of
LSM stacking. Audit interfaces will need to collect all
possible secids for possible reporting.
Reviewed-by: Kees Cook <keescook@xxxxxxxxxxxx>
Reviewed-by: John Johansen <john.johansen@xxxxxxxxxxxxx>
Signed-off-by: Casey Schaufler <casey@xxxxxxxxxxxxxxxx>
Signed-off-by: Casey Schaufler <casey@xxxxxxxxxxxxxxxx>
cc: linux-integrity@xxxxxxxxxxxxxxx
---
drivers/android/binder.c | 4 +--
include/linux/security.h | 7 +++--
kernel/audit.c | 11 +++----
kernel/auditfilter.c | 4 +--
kernel/auditsc.c | 18 ++++++++----
net/netlabel/netlabel_unlabeled.c | 5 +++-
net/netlabel/netlabel_user.h | 6 +++-
security/integrity/ima/ima_appraise.c | 4 ++-
security/integrity/ima/ima_main.c | 42 +++++++++++++++------------
security/security.c | 12 ++++++--
10 files changed, 69 insertions(+), 44 deletions(-)
diff --git a/security/integrity/ima/ima_appraise.c b/security/integrity/ima/ima_appraise.c
index 300c8d2943c5..69e549164949 100644
--- a/security/integrity/ima/ima_appraise.c
+++ b/security/integrity/ima/ima_appraise.c
@@ -49,11 +49,13 @@ bool is_ima_appraise_enabled(void)
int ima_must_appraise(struct inode *inode, int mask, enum ima_hooks func)
{
u32 secid;
+ struct lsmblob blob;
if (!ima_appraise)
return 0;
- security_task_getsecid(current, &secid);
+ security_task_getsecid(current, &blob);
+ lsmblob_secid(&blob, &secid);
return ima_match_policy(inode, current_cred(), secid, func, mask,
IMA_APPRAISE | IMA_HASH, NULL, NULL);
}
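Review bot: the new call `lsmblob_secid(&blob, &secid);` has no definition or declaration anywhere in this patch; the diffstat lists include/linux/security.h and security/security.c, but no hunk for either file is shown here, so it is not clear this hunk builds on its own. Please either add the helper in this same patch (or an earlier one in the series) or point at the patch that introduces it. Separately, ima_match_policy() still takes a single `u32 secid`, so collapsing the `struct lsmblob` back down to one secid discards the other stacked modules' secids; the commit message says audit interfaces must collect all possible secids, so it would help to state in the commit message which LSM's secid lsmblob_secid() selects for IMA policy matching and why that one is the right choice when more than one module is active.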
I missed where lsmblob_secid() is defined? Looks like it is later
deleted by patch 12/25. Leftover from an earlier version of the series?
Have you checked that it compiles after each patch?