Re: [PATCH v12 11/25] LSM: Use lsmblob in security_cred_getsecid

[Stephen Smalley <sds@xxxxxxxxxxxxx>]

On 12/16/19 5:36 PM, Casey Schaufler wrote:
> Change the security_cred_getsecid() interface to fill in a
> lsmblob instead of a u32 secid. The associated data elements
> in the audit sub-system are changed from a secid to a lsmblob
> to accommodate multiple possible LSM audit users.
>
> Reviewed-by: Kees Cook <keescook@xxxxxxxxxxxx>
> Reviewed-by: John Johansen <john.johansen@xxxxxxxxxxxxx>
> Signed-off-by: Casey Schaufler <casey@xxxxxxxxxxxxxxxx>
> cc: linux-integrity@xxxxxxxxxxxxxxx
> ---
>   include/linux/security.h          |  2 +-
>   kernel/audit.c                    | 19 +++++++-----------
>   kernel/audit.h                    |  5 +++--
>   kernel/auditsc.c                  | 33 +++++++++++--------------------
>   security/integrity/ima/ima_main.c |  8 ++++----
>   security/security.c               | 12 ++++++++---
>   6 files changed, 36 insertions(+), 43 deletions(-)

> index 6ee53e43c986..69b52f25038a 100644
> --- a/kernel/audit.c
> +++ b/kernel/audit.c
> @@ -124,7 +124,7 @@ static u32	audit_backlog_wait_time = AUDIT_BACKLOG_WAIT_TIME;
>   /* The identity of the user shutting down the audit system. */
>   kuid_t		audit_sig_uid = INVALID_UID;
>   pid_t		audit_sig_pid = -1;
> -u32		audit_sig_sid = 0;
> +struct lsmblob	audit_sig_lsm;

Not your bug but wondering why these variables aren't static; seemingly 
localized to audit.c.

> diff --git a/kernel/audit.h b/kernel/audit.h
> index 6fb7160412d4..af9bc09e656c 100644
> --- a/kernel/audit.h
> +++ b/kernel/audit.h
> @@ -134,7 +135,7 @@ struct audit_context {
>   	kuid_t		    target_auid;
>   	kuid_t		    target_uid;
>   	unsigned int	    target_sessionid;
> -	u32		    target_sid;
> +	struct lsmblob   target_lsm;

Probably should be consistent with the indentation of the other fields.

>   	char		    target_comm[TASK_COMM_LEN];
>   
>   	struct audit_tree_refs *trees, *first_trees;

> diff --git a/kernel/auditsc.c b/kernel/auditsc.c
> index 5752e51883d5..c1e3ac8eb1ad 100644
> --- a/kernel/auditsc.c
> +++ b/kernel/auditsc.c
> @@ -112,7 +112,7 @@ struct audit_aux_data_pids {
>   	kuid_t			target_auid[AUDIT_AUX_PIDS];
>   	kuid_t			target_uid[AUDIT_AUX_PIDS];
>   	unsigned int		target_sessionid[AUDIT_AUX_PIDS];
> -	u32			target_sid[AUDIT_AUX_PIDS];
> +	struct lsmblob	target_lsm[AUDIT_AUX_PIDS];
>   	char 			target_comm[AUDIT_AUX_PIDS][TASK_COMM_LEN];
>   	int			pid_count;
>   };

Ditto

Other than those minor stylistic matters,
Acked-by: Stephen Smalley <sds@xxxxxxxxxxxxx>