On 7/28/2020 4:11 AM, John Johansen wrote:
> On 7/24/20 1:32 PM, Casey Schaufler wrote:
>> Change security_secctx_to_secid() to fill in a lsmblob instead
>> of a u32 secid. Multiple LSMs may be able to interpret the
>> string, and this allows for setting whichever secid is
>> appropriate. Change security_secmark_relabel_packet() to use a
>> lsmblob instead of a u32 secid. In some other cases there is
>> scaffolding where interfaces have yet to be converted.
>>
>> Reviewed-by: Kees Cook <keescook@xxxxxxxxxxxx>
>> Signed-off-by: Casey Schaufler <casey@xxxxxxxxxxxxxxxx>
>> Cc: netdev@xxxxxxxxxxxxxxx
> one comment below, but it's a nice to have so
>
> Reviewed-by: John Johansen <john.johansen@xxxxxxxxxxxxx>
>
>
>> ---
>>  include/linux/security.h          | 30 +++++++++++++++++++++++----
>>  include/net/scm.h                 |  7 +++++--
>>  kernel/cred.c                     |  4 +---
>>  net/ipv4/ip_sockglue.c            |  6 ++++--
>>  net/netfilter/nft_meta.c          | 18 +++++++++-------
>>  net/netfilter/xt_SECMARK.c        |  9 ++++++--
>>  net/netlabel/netlabel_unlabeled.c | 23 +++++++++++++--------
>>  security/security.c               | 34 ++++++++++++++++++++++++++-----
>>  8 files changed, 98 insertions(+), 33 deletions(-)
>>
>> diff --git a/include/linux/security.h b/include/linux/security.h
>> index d81e8886d799..98176faaaba5 100644
>> --- a/include/linux/security.h
>> +++ b/include/linux/security.h
>> @@ -189,6 +189,27 @@ static inline bool lsmblob_equal(struct lsmblob *bloba, struct lsmblob *blobb) >> return !memcmp(bloba, blobb, sizeof(*bloba)); >> } >> >> +/** >> + * lsmblob_value - find the first non-zero value in an lsmblob structure. >> + * @blob: Pointer to the data >> + * >> + * This needs to be used with extreme caution, as the cases where >> + * it is appropriate are rare. >> + * >> + * Return the first secid value set in the lsmblob. >> + * There should only be one.
> It would be really nice if we could have an LSM debug config that would
> do things like checking there is indeed only one value when this fn
> is called.

I can't see a CONFIG_LSM_DEBUG for this alone, but if you have other places you'd like to see it, I'm open to it.
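Review bot: the return description in the lsmblob_value() kernel-doc ("Return the first secid value set in the lsmblob.") is written as free text, but kernel-doc only recognizes a dedicated `Return:` section, so this sentence will be folded into the body of the description; suggest `* Return: The first secid value set in the lsmblob.` and, in that same section, state what is returned when no slot is set, since "There should only be one." documents the expected case but not the empty one. On the debug-config request: as documented, "find the first non-zero value" picks one slot when several are populated, so a WARN_ON_ONCE-style check on the slot count behind a debug option would surface that misuse instead of leaving callers with a secid from whichever LSM happens to come first.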
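To make the "there should only be one" contract and the requested debug check concrete, here is an added, stand-alone C model of the idea; it is not code from the patch or from the kernel. The struct, its slot count and every name in it (struct demo_blob, DEMO_SLOTS, DEMO_LSM_DEBUG, demo_blob_*, demo_warn_count) are assumptions for this example, and the sample secid values are constructed:

```c
/*
 * Added example, not the patch's code: a minimal stand-in for a
 * per-LSM secid blob, written to illustrate the review discussion.
 * Struct layout, slot count and all names here are assumptions.
 */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define DEMO_LSM_DEBUG 1   /* stand-in for the debug config option asked for in review */
#define DEMO_SLOTS 4       /* one slot per stacked LSM; the count is assumed */

struct demo_blob {
	uint32_t secid[DEMO_SLOTS]; /* 0 means "this LSM set nothing" */
};

/* How often the debug check fired; kept observable for tests. */
static int demo_warn_count;

/* An empty blob: every slot zero, like memset on the real structure. */
static void demo_blob_init(struct demo_blob *blob)
{
	memset(blob, 0, sizeof(*blob));
}

/* An LSM in the given slot records the secid it derived from a context string. */
static int demo_blob_set(struct demo_blob *blob, int slot, uint32_t secid)
{
	if (slot < 0 || slot >= DEMO_SLOTS)
		return -1;
	blob->secid[slot] = secid;
	return 0;
}

/* Number of slots holding a non-zero secid. */
static int demo_blob_count(const struct demo_blob *blob)
{
	int i, n = 0;

	for (i = 0; i < DEMO_SLOTS; i++)
		if (blob->secid[i])
			n++;
	return n;
}

/*
 * First non-zero secid, as the kernel-doc in the hunk describes.
 * With DEMO_LSM_DEBUG set, a blob that holds zero or several secids is
 * reported instead of silently yielding whichever slot comes first.
 */
static uint32_t demo_blob_value(const struct demo_blob *blob)
{
	int i;
#ifdef DEMO_LSM_DEBUG
	int n = demo_blob_count(blob);

	if (n != 1) {
		demo_warn_count++;
		fprintf(stderr, "demo_blob_value: %d secids set, expected exactly one\n", n);
	}
#endif
	for (i = 0; i < DEMO_SLOTS; i++)
		if (blob->secid[i])
			return blob->secid[i];
	return 0; /* nothing set; indistinguishable from a genuine secid of 0 */
}

int main(void)
{
	struct demo_blob b;

	demo_blob_init(&b);
	demo_blob_set(&b, 1, 4242);              /* constructed: one LSM mapped the context */
	printf("value=%u warnings=%d\n", demo_blob_value(&b), demo_warn_count);
	demo_blob_set(&b, 2, 77);                /* constructed: a second LSM set one too */
	printf("value=%u warnings=%d\n", demo_blob_value(&b), demo_warn_count);
	return 0;
}
```

The debug branch is the whole point: without it the second call above quietly returns 4242 and the secid from slot 2 is lost, which is exactly the situation the kernel-doc's caution is warning about.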