On 12/17/2019 10:11 AM, Stephen Smalley wrote: > On 12/16/19 5:36 PM, Casey Schaufler wrote: >> Change the security_task_getsecid() interface to fill in >> a lsmblob structure instead of a u32 secid in support of >> LSM stacking. Audit interfaces will need to collect all >> possible secids for possible reporting. >> >> Reviewed-by: Kees Cook <keescook@xxxxxxxxxxxx> >> Reviewed-by: John Johansen <john.johansen@xxxxxxxxxxxxx> >> Signed-off-by: Casey Schaufler <casey@xxxxxxxxxxxxxxxx> >> Signed-off-by: Casey Schaufler <casey@xxxxxxxxxxxxxxxx> >> cc: linux-integrity@xxxxxxxxxxxxxxx >> --- >> drivers/android/binder.c | 4 +-- >> include/linux/security.h | 7 +++-- >> kernel/audit.c | 11 +++---- >> kernel/auditfilter.c | 4 +-- >> kernel/auditsc.c | 18 ++++++++---- >> net/netlabel/netlabel_unlabeled.c | 5 +++- >> net/netlabel/netlabel_user.h | 6 +++- >> security/integrity/ima/ima_appraise.c | 4 ++- >> security/integrity/ima/ima_main.c | 42 +++++++++++++++------------ >> security/security.c | 12 ++++++-- >> 10 files changed, 69 insertions(+), 44 deletions(-) >> > >> diff --git a/security/integrity/ima/ima_appraise.c b/security/integrity/ima/ima_appraise.c >> index 300c8d2943c5..69e549164949 100644 >> --- a/security/integrity/ima/ima_appraise.c >> +++ b/security/integrity/ima/ima_appraise.c 
>> @@ -49,11 +49,13 @@ bool is_ima_appraise_enabled(void) >> int ima_must_appraise(struct inode *inode, int mask, enum ima_hooks func) >> { >> u32 secid; >> + struct lsmblob blob; >> if (!ima_appraise) >> return 0; >> - security_task_getsecid(current, &secid); >> + security_task_getsecid(current, &blob); >> + lsmblob_secid(&blob, &secid); >> return ima_match_policy(inode, current_cred(), secid, func, mask, >> IMA_APPRAISE | IMA_HASH, NULL, NULL); >> } > > I missed where lsmblob_secid() is defined? Looks like it is later deleted by patch 12/25. Leftover from an earlier version of the series? Have you checked that it compiles after each patch? Bugger. Yes, this is a straight-up botch. lsmblob_secid() is never defined in this version.
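Review bot: In the ima_must_appraise() hunk, the added line `+ lsmblob_secid(&blob, &secid);` calls a helper that this patch neither declares nor defines: the only header touched in the diffstat is include/linux/security.h with 7 changed lines, and nothing in the quoted context introduces lsmblob_secid(), so a tree with this patch applied on its own fails to build and breaks bisection across the series. Either add the helper (a static inline next to struct lsmblob in include/linux/security.h) in this same patch, or keep this call site on the u32 path and move the conversion into the patch that actually provides the blob-to-secid mapping. Separately, collapsing the freshly filled `struct lsmblob blob;` back into a single `u32 secid` for ima_match_policy() discards exactly the per-LSM information the commit message says stacking needs; if the intent is for IMA to keep matching on one module's secid, the choice of which slot is used should be explicit here rather than hidden in an undefined helper, and the cleaner end state is to pass the lsmblob through to ima_match_policy() in a follow-up.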