* [PATCH 05/13] LSM: Use lsmblob in security_ipc_getsecid
[not found] <20240825190048.13289-1-casey@schaufler-ca.com>
@ 2024-08-25 19:00 ` Casey Schaufler
2024-08-27 12:23 ` Stephen Smalley
2024-08-25 19:00 ` [PATCH 10/13] LSM: Create new security_cred_getlsmblob LSM hook Casey Schaufler
1 sibling, 1 reply; 4+ messages in thread
From: Casey Schaufler @ 2024-08-25 19:00 UTC (permalink / raw)
To: casey, paul, linux-security-module
Cc: jmorris, serge, keescook, john.johansen, penguin-kernel,
stephen.smalley.work, linux-kernel, mic, linux-audit, audit
There may be more than one LSM that provides IPC data for auditing.
Change security_ipc_getsecid() to fill in a lsmblob structure instead
of the u32 secid. Change the name to security_ipc_getlsmblob() to
reflect the change. The audit data structure containing the secid
will be updated later, so there is a bit of scaffolding here.
Reviewed-by: Kees Cook <keescook@chromium.org>
Reviewed-by: John Johansen <john.johansen@canonical.com>
Acked-by: Stephen Smalley <stephen.smalley.work@gmail.com>
Acked-by: Paul Moore <paul@paul-moore.com>
Signed-off-by: Casey Schaufler <casey@schaufler-ca.com>
Cc: linux-audit@redhat.com
Cc: audit@vger.kernel.org
---
include/linux/lsm_hook_defs.h | 4 ++--
include/linux/security.h | 18 +++++++++++++++---
kernel/auditsc.c | 3 +--
security/security.c | 14 +++++++-------
security/selinux/hooks.c | 9 ++++++---
security/smack/smack_lsm.c | 17 ++++++++++-------
6 files changed, 41 insertions(+), 24 deletions(-)
diff --git a/include/linux/lsm_hook_defs.h b/include/linux/lsm_hook_defs.h
index 3e5f6baa7b9f..c3ffc3f98343 100644
--- a/include/linux/lsm_hook_defs.h
+++ b/include/linux/lsm_hook_defs.h
@@ -253,8 +253,8 @@ LSM_HOOK(void, LSM_RET_VOID, task_to_inode, struct task_struct *p,
struct inode *inode)
LSM_HOOK(int, 0, userns_create, const struct cred *cred)
LSM_HOOK(int, 0, ipc_permission, struct kern_ipc_perm *ipcp, short flag)
-LSM_HOOK(void, LSM_RET_VOID, ipc_getsecid, struct kern_ipc_perm *ipcp,
- u32 *secid)
+LSM_HOOK(void, LSM_RET_VOID, ipc_getlsmblob, struct kern_ipc_perm *ipcp,
+ struct lsmblob *blob)
LSM_HOOK(int, 0, msg_msg_alloc_security, struct msg_msg *msg)
LSM_HOOK(void, LSM_RET_VOID, msg_msg_free_security, struct msg_msg *msg)
LSM_HOOK(int, 0, msg_queue_alloc_security, struct kern_ipc_perm *perm)
diff --git a/include/linux/security.h b/include/linux/security.h
index a0b23b6e8734..ebe8edaae953 100644
--- a/include/linux/security.h
+++ b/include/linux/security.h
@@ -290,6 +290,17 @@ static inline bool lsmblob_is_set(struct lsmblob *blob)
return !!memcmp(blob, &empty, sizeof(*blob));
}
+/**
+ * lsmblob_init - initialize a lsmblob structure
+ * @blob: Pointer to the data to initialize
+ *
+ * Set all secid for all modules to the specified value.
+ */
+static inline void lsmblob_init(struct lsmblob *blob)
+{
+ memset(blob, 0, sizeof(*blob));
+}
+
#ifdef CONFIG_SECURITY
int call_blocking_lsm_notifier(enum lsm_event event, void *data);
@@ -500,7 +511,7 @@ int security_task_prctl(int option, unsigned long arg2, unsigned long arg3,
void security_task_to_inode(struct task_struct *p, struct inode *inode);
int security_create_user_ns(const struct cred *cred);
int security_ipc_permission(struct kern_ipc_perm *ipcp, short flag);
-void security_ipc_getsecid(struct kern_ipc_perm *ipcp, u32 *secid);
+void security_ipc_getlsmblob(struct kern_ipc_perm *ipcp, struct lsmblob *blob);
int security_msg_msg_alloc(struct msg_msg *msg);
void security_msg_msg_free(struct msg_msg *msg);
int security_msg_queue_alloc(struct kern_ipc_perm *msq);
@@ -1340,9 +1351,10 @@ static inline int security_ipc_permission(struct kern_ipc_perm *ipcp,
return 0;
}
-static inline void security_ipc_getsecid(struct kern_ipc_perm *ipcp, u32 *secid)
+static inline void security_ipc_getlsmblob(struct kern_ipc_perm *ipcp,
+ struct lsmblob *blob)
{
- *secid = 0;
+ lsmblob_init(blob);
}
static inline int security_msg_msg_alloc(struct msg_msg *msg)
diff --git a/kernel/auditsc.c b/kernel/auditsc.c
index 84f6e9356b8f..94b7ef89da2e 100644
--- a/kernel/auditsc.c
+++ b/kernel/auditsc.c
@@ -2638,8 +2638,7 @@ void __audit_ipc_obj(struct kern_ipc_perm *ipcp)
context->ipc.gid = ipcp->gid;
context->ipc.mode = ipcp->mode;
context->ipc.has_perm = 0;
- /* scaffolding */
- security_ipc_getsecid(ipcp, &context->ipc.oblob.scaffold.secid);
+ security_ipc_getlsmblob(ipcp, &context->ipc.oblob);
context->type = AUDIT_IPC;
}
diff --git a/security/security.c b/security/security.c
index bb541a3be410..6e72e678b5b4 100644
--- a/security/security.c
+++ b/security/security.c
@@ -3611,17 +3611,17 @@ int security_ipc_permission(struct kern_ipc_perm *ipcp, short flag)
}
/**
- * security_ipc_getsecid() - Get the sysv ipc object's secid
+ * security_ipc_getlsmblob() - Get the sysv ipc object LSM data
* @ipcp: ipc permission structure
- * @secid: secid pointer
+ * @blob: pointer to lsm information
*
- * Get the secid associated with the ipc object. In case of failure, @secid
- * will be set to zero.
+ * Get the lsm information associated with the ipc object.
*/
-void security_ipc_getsecid(struct kern_ipc_perm *ipcp, u32 *secid)
+
+void security_ipc_getlsmblob(struct kern_ipc_perm *ipcp, struct lsmblob *blob)
{
- *secid = 0;
- call_void_hook(ipc_getsecid, ipcp, secid);
+ lsmblob_init(blob);
+ call_void_hook(ipc_getlsmblob, ipcp, blob);
}
/**
diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c
index 102489e6d579..1b34b86426e8 100644
--- a/security/selinux/hooks.c
+++ b/security/selinux/hooks.c
@@ -6328,10 +6328,13 @@ static int selinux_ipc_permission(struct kern_ipc_perm *ipcp, short flag)
return ipc_has_perm(ipcp, av);
}
-static void selinux_ipc_getsecid(struct kern_ipc_perm *ipcp, u32 *secid)
+static void selinux_ipc_getlsmblob(struct kern_ipc_perm *ipcp,
+ struct lsmblob *blob)
{
struct ipc_security_struct *isec = selinux_ipc(ipcp);
- *secid = isec->sid;
+ blob->selinux.secid = isec->sid;
+ /* scaffolding */
+ blob->scaffold.secid = isec->sid;
}
static void selinux_d_instantiate(struct dentry *dentry, struct inode *inode)
@@ -7252,7 +7255,7 @@ static struct security_hook_list selinux_hooks[] __ro_after_init = {
LSM_HOOK_INIT(userns_create, selinux_userns_create),
LSM_HOOK_INIT(ipc_permission, selinux_ipc_permission),
- LSM_HOOK_INIT(ipc_getsecid, selinux_ipc_getsecid),
+ LSM_HOOK_INIT(ipc_getlsmblob, selinux_ipc_getlsmblob),
LSM_HOOK_INIT(msg_queue_associate, selinux_msg_queue_associate),
LSM_HOOK_INIT(msg_queue_msgctl, selinux_msg_queue_msgctl),
diff --git a/security/smack/smack_lsm.c b/security/smack/smack_lsm.c
index 5d74d8590862..370ca7fb1843 100644
--- a/security/smack/smack_lsm.c
+++ b/security/smack/smack_lsm.c
@@ -3442,16 +3442,19 @@ static int smack_ipc_permission(struct kern_ipc_perm *ipp, short flag)
}
/**
- * smack_ipc_getsecid - Extract smack security id
+ * smack_ipc_getlsmblob - Extract smack security data
* @ipp: the object permissions
- * @secid: where result will be saved
+ * @blob: where result will be saved
*/
-static void smack_ipc_getsecid(struct kern_ipc_perm *ipp, u32 *secid)
+static void smack_ipc_getlsmblob(struct kern_ipc_perm *ipp,
+ struct lsmblob *blob)
{
- struct smack_known **blob = smack_ipc(ipp);
- struct smack_known *iskp = *blob;
+ struct smack_known **iskpp = smack_ipc(ipp);
+ struct smack_known *iskp = *iskpp;
- *secid = iskp->smk_secid;
+ blob->smack.skp = iskp;
+ /* scaffolding */
+ blob->scaffold.secid = iskp->smk_secid;
}
/**
@@ -5157,7 +5160,7 @@ static struct security_hook_list smack_hooks[] __ro_after_init = {
LSM_HOOK_INIT(task_to_inode, smack_task_to_inode),
LSM_HOOK_INIT(ipc_permission, smack_ipc_permission),
- LSM_HOOK_INIT(ipc_getsecid, smack_ipc_getsecid),
+ LSM_HOOK_INIT(ipc_getlsmblob, smack_ipc_getlsmblob),
LSM_HOOK_INIT(msg_msg_alloc_security, smack_msg_msg_alloc_security),
--
2.41.0
^ permalink raw reply related [flat|nested] 4+ messages in thread
* [PATCH 10/13] LSM: Create new security_cred_getlsmblob LSM hook
[not found] <20240825190048.13289-1-casey@schaufler-ca.com>
2024-08-25 19:00 ` [PATCH 05/13] LSM: Use lsmblob in security_ipc_getsecid Casey Schaufler
@ 2024-08-25 19:00 ` Casey Schaufler
2024-08-27 5:00 ` kernel test robot
1 sibling, 1 reply; 4+ messages in thread
From: Casey Schaufler @ 2024-08-25 19:00 UTC (permalink / raw)
To: casey, paul, linux-security-module
Cc: jmorris, serge, keescook, john.johansen, penguin-kernel,
stephen.smalley.work, linux-kernel, mic, linux-integrity, audit,
Todd Kjos
Create a new LSM hook security_cred_getlsmblob() which, like
security_cred_getsecid(), fetches LSM specific attributes from the
cred structure. The associated data elements in the audit sub-system
are changed from a secid to a lsmblob to accommodate multiple possible
LSM audit users.
Reviewed-by: Kees Cook <keescook@chromium.org>
Reviewed-by: John Johansen <john.johansen@canonical.com>
Acked-by: Stephen Smalley <stephen.smalley.work@gmail.com>
Acked-by: Paul Moore <paul@paul-moore.com>
Signed-off-by: Casey Schaufler <casey@schaufler-ca.com>
Cc: linux-integrity@vger.kernel.org
Cc: audit@vger.kernel.org
Cc: Todd Kjos <tkjos@google.com>
---
include/linux/lsm_hook_defs.h | 2 ++
include/linux/security.h | 7 +++++++
security/integrity/ima/ima_main.c | 7 ++-----
security/security.c | 15 +++++++++++++++
security/selinux/hooks.c | 8 ++++++++
security/smack/smack_lsm.c | 18 ++++++++++++++++++
6 files changed, 52 insertions(+), 5 deletions(-)
diff --git a/include/linux/lsm_hook_defs.h b/include/linux/lsm_hook_defs.h
index 4fd508841a6e..4bdd36626633 100644
--- a/include/linux/lsm_hook_defs.h
+++ b/include/linux/lsm_hook_defs.h
@@ -215,6 +215,8 @@ LSM_HOOK(int, 0, cred_prepare, struct cred *new, const struct cred *old,
LSM_HOOK(void, LSM_RET_VOID, cred_transfer, struct cred *new,
const struct cred *old)
LSM_HOOK(void, LSM_RET_VOID, cred_getsecid, const struct cred *c, u32 *secid)
+LSM_HOOK(void, LSM_RET_VOID, cred_getlsmblob, const struct cred *c,
+ struct lsmblob *blob)
LSM_HOOK(int, 0, kernel_act_as, struct cred *new, u32 secid)
LSM_HOOK(int, 0, kernel_create_files_as, struct cred *new, struct inode *inode)
LSM_HOOK(int, 0, kernel_module_request, char *kmod_name)
diff --git a/include/linux/security.h b/include/linux/security.h
index 4fe6f64cc3b4..111c1fc18f25 100644
--- a/include/linux/security.h
+++ b/include/linux/security.h
@@ -473,6 +473,7 @@ void security_cred_free(struct cred *cred);
int security_prepare_creds(struct cred *new, const struct cred *old, gfp_t gfp);
void security_transfer_creds(struct cred *new, const struct cred *old);
void security_cred_getsecid(const struct cred *c, u32 *secid);
+void security_cred_getlsmblob(const struct cred *c, struct lsmblob *blob);
int security_kernel_act_as(struct cred *new, u32 secid);
int security_kernel_create_files_as(struct cred *new, struct inode *inode);
int security_kernel_module_request(char *kmod_name);
@@ -1192,6 +1193,12 @@ static inline void security_cred_getsecid(const struct cred *c, u32 *secid)
*secid = 0;
}
+static inline void security_cred_getlsmblob(const struct cred *c,
+ struct lsmblob *blob)
+{
+ *secid = 0;
+}
+
static inline int security_kernel_act_as(struct cred *cred, u32 secid)
{
return 0;
diff --git a/security/integrity/ima/ima_main.c b/security/integrity/ima/ima_main.c
index d408a700fe6f..8171da96a4a4 100644
--- a/security/integrity/ima/ima_main.c
+++ b/security/integrity/ima/ima_main.c
@@ -541,8 +541,7 @@ static int ima_file_mprotect(struct vm_area_struct *vma, unsigned long reqprot,
static int ima_bprm_check(struct linux_binprm *bprm)
{
int ret;
- u32 secid;
- struct lsmblob blob = { };
+ struct lsmblob blob;
security_current_getlsmblob_subj(&blob);
ret = process_measurement(bprm->file, current_cred(),
@@ -550,9 +549,7 @@ static int ima_bprm_check(struct linux_binprm *bprm)
if (ret)
return ret;
- security_cred_getsecid(bprm->cred, &secid);
- /* scaffolding */
- blob.scaffold.secid = secid;
+ security_cred_getlsmblob(bprm->cred, &blob);
return process_measurement(bprm->file, bprm->cred, &blob, NULL, 0,
MAY_EXEC, CREDS_CHECK);
}
diff --git a/security/security.c b/security/security.c
index c2be9798c012..325030bc7112 100644
--- a/security/security.c
+++ b/security/security.c
@@ -3153,6 +3153,21 @@ void security_cred_getsecid(const struct cred *c, u32 *secid)
}
EXPORT_SYMBOL(security_cred_getsecid);
+/**
+ * security_cred_getlsmblob() - Get the LSM data from a set of credentials
+ * @c: credentials
+ * @blob: destination for the LSM data
+ *
+ * Retrieve the security data of the cred structure @c. In case of
+ * failure, @blob will be cleared.
+ */
+void security_cred_getlsmblob(const struct cred *c, struct lsmblob *blob)
+{
+ lsmblob_init(blob);
+ call_void_hook(cred_getlsmblob, c, blob);
+}
+EXPORT_SYMBOL(security_cred_getlsmblob);
+
/**
* security_kernel_act_as() - Set the kernel credentials to act as secid
* @new: credentials
diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c
index f5d09beeef0f..076511c446bd 100644
--- a/security/selinux/hooks.c
+++ b/security/selinux/hooks.c
@@ -4029,6 +4029,13 @@ static void selinux_cred_getsecid(const struct cred *c, u32 *secid)
*secid = cred_sid(c);
}
+static void selinux_cred_getlsmblob(const struct cred *c, struct lsmblob *blob)
+{
+ blob->selinux.secid = cred_sid(c);
+ /* scaffolding */
+ blob->scaffold.secid = blob->selinux.secid;
+}
+
/*
* set the security data for a kernel service
* - all the creation contexts are set to unlabelled
@@ -7240,6 +7247,7 @@ static struct security_hook_list selinux_hooks[] __ro_after_init = {
LSM_HOOK_INIT(cred_prepare, selinux_cred_prepare),
LSM_HOOK_INIT(cred_transfer, selinux_cred_transfer),
LSM_HOOK_INIT(cred_getsecid, selinux_cred_getsecid),
+ LSM_HOOK_INIT(cred_getlsmblob, selinux_cred_getlsmblob),
LSM_HOOK_INIT(kernel_act_as, selinux_kernel_act_as),
LSM_HOOK_INIT(kernel_create_files_as, selinux_kernel_create_files_as),
LSM_HOOK_INIT(kernel_module_request, selinux_kernel_module_request),
diff --git a/security/smack/smack_lsm.c b/security/smack/smack_lsm.c
index 8cda7dcf30e1..dbcf1c65da3c 100644
--- a/security/smack/smack_lsm.c
+++ b/security/smack/smack_lsm.c
@@ -2150,6 +2150,23 @@ static void smack_cred_getsecid(const struct cred *cred, u32 *secid)
rcu_read_unlock();
}
+/**
+ * smack_cred_getlsmblob - get the Smack label for a creds structure
+ * @cred: the object creds
+ * @blob: where to put the data
+ *
+ * Sets the Smack part of the blob
+ */
+static void smack_cred_getlsmblob(const struct cred *cred,
+ struct lsmblob *blob)
+{
+ rcu_read_lock();
+ blob->smack.skp = smk_of_task(smack_cred(cred));
+ /* scaffolding */
+ blob->scaffold.secid = blob->smack.skp->smk_secid;
+ rcu_read_unlock();
+}
+
/**
* smack_kernel_act_as - Set the subjective context in a set of credentials
* @new: points to the set of credentials to be modified.
@@ -5150,6 +5167,7 @@ static struct security_hook_list smack_hooks[] __ro_after_init = {
LSM_HOOK_INIT(cred_prepare, smack_cred_prepare),
LSM_HOOK_INIT(cred_transfer, smack_cred_transfer),
LSM_HOOK_INIT(cred_getsecid, smack_cred_getsecid),
+ LSM_HOOK_INIT(cred_getlsmblob, smack_cred_getlsmblob),
LSM_HOOK_INIT(kernel_act_as, smack_kernel_act_as),
LSM_HOOK_INIT(kernel_create_files_as, smack_kernel_create_files_as),
LSM_HOOK_INIT(task_setpgid, smack_task_setpgid),
--
2.41.0
^ permalink raw reply related [flat|nested] 4+ messages in thread
* Re: [PATCH 10/13] LSM: Create new security_cred_getlsmblob LSM hook
2024-08-25 19:00 ` [PATCH 10/13] LSM: Create new security_cred_getlsmblob LSM hook Casey Schaufler
@ 2024-08-27 5:00 ` kernel test robot
0 siblings, 0 replies; 4+ messages in thread
From: kernel test robot @ 2024-08-27 5:00 UTC (permalink / raw)
To: Casey Schaufler, paul, linux-security-module
Cc: llvm, oe-kbuild-all, jmorris, serge, keescook, john.johansen,
penguin-kernel, stephen.smalley.work, linux-kernel, mic,
linux-integrity, audit, Todd Kjos
Hi Casey,
kernel test robot noticed the following build errors:
[auto build test ERROR on pcmoore-selinux/next]
[also build test ERROR on zohar-integrity/next-integrity linus/master pcmoore-audit/next v6.11-rc5 next-20240826]
[If your patch is applied to the wrong git tree, kindly drop us a note.
And when submitting patch, we suggest to use '--base' as documented in
https://git-scm.com/docs/git-format-patch#_base_tree_information]
url: https://github.com/intel-lab-lkp/linux/commits/Casey-Schaufler/LSM-Add-the-lsmblob-data-structure/20240826-170520
base: https://git.kernel.org/pub/scm/linux/kernel/git/pcmoore/selinux.git next
patch link: https://lore.kernel.org/r/20240825190048.13289-11-casey%40schaufler-ca.com
patch subject: [PATCH 10/13] LSM: Create new security_cred_getlsmblob LSM hook
config: s390-allnoconfig (https://download.01.org/0day-ci/archive/20240827/202408271124.LJcw8xus-lkp@intel.com/config)
compiler: clang version 20.0.0git (https://github.com/llvm/llvm-project 08e5a1de8227512d4774a534b91cb2353cef6284)
reproduce (this is a W=1 build): (https://download.01.org/0day-ci/archive/20240827/202408271124.LJcw8xus-lkp@intel.com/reproduce)
If you fix the issue in a separate patch/commit (i.e. not just a new version of
the same patch/commit), kindly add following tags
| Reported-by: kernel test robot <lkp@intel.com>
| Closes: https://lore.kernel.org/oe-kbuild-all/202408271124.LJcw8xus-lkp@intel.com/
All errors (new ones prefixed by >>):
In file included from fs/open.c:9:
In file included from include/linux/mm.h:2228:
include/linux/vmstat.h:514:36: warning: arithmetic between different enumeration types ('enum node_stat_item' and 'enum lru_list') [-Wenum-enum-conversion]
514 | return node_stat_name(NR_LRU_BASE + lru) + 3; // skip "nr_"
| ~~~~~~~~~~~ ^ ~~~
In file included from fs/open.c:14:
In file included from include/linux/tty.h:11:
In file included from include/linux/tty_port.h:5:
In file included from include/linux/kfifo.h:40:
In file included from include/linux/dma-mapping.h:11:
In file included from include/linux/scatterlist.h:9:
In file included from arch/s390/include/asm/io.h:93:
include/asm-generic/io.h:548:31: warning: performing pointer arithmetic on a null pointer has undefined behavior [-Wnull-pointer-arithmetic]
548 | val = __raw_readb(PCI_IOBASE + addr);
| ~~~~~~~~~~ ^
include/asm-generic/io.h:561:61: warning: performing pointer arithmetic on a null pointer has undefined behavior [-Wnull-pointer-arithmetic]
561 | val = __le16_to_cpu((__le16 __force)__raw_readw(PCI_IOBASE + addr));
| ~~~~~~~~~~ ^
include/uapi/linux/byteorder/big_endian.h:37:59: note: expanded from macro '__le16_to_cpu'
37 | #define __le16_to_cpu(x) __swab16((__force __u16)(__le16)(x))
| ^
include/uapi/linux/swab.h:102:54: note: expanded from macro '__swab16'
102 | #define __swab16(x) (__u16)__builtin_bswap16((__u16)(x))
| ^
In file included from fs/open.c:14:
In file included from include/linux/tty.h:11:
In file included from include/linux/tty_port.h:5:
In file included from include/linux/kfifo.h:40:
In file included from include/linux/dma-mapping.h:11:
In file included from include/linux/scatterlist.h:9:
In file included from arch/s390/include/asm/io.h:93:
include/asm-generic/io.h:574:61: warning: performing pointer arithmetic on a null pointer has undefined behavior [-Wnull-pointer-arithmetic]
574 | val = __le32_to_cpu((__le32 __force)__raw_readl(PCI_IOBASE + addr));
| ~~~~~~~~~~ ^
include/uapi/linux/byteorder/big_endian.h:35:59: note: expanded from macro '__le32_to_cpu'
35 | #define __le32_to_cpu(x) __swab32((__force __u32)(__le32)(x))
| ^
include/uapi/linux/swab.h:115:54: note: expanded from macro '__swab32'
115 | #define __swab32(x) (__u32)__builtin_bswap32((__u32)(x))
| ^
In file included from fs/open.c:14:
In file included from include/linux/tty.h:11:
In file included from include/linux/tty_port.h:5:
In file included from include/linux/kfifo.h:40:
In file included from include/linux/dma-mapping.h:11:
In file included from include/linux/scatterlist.h:9:
In file included from arch/s390/include/asm/io.h:93:
include/asm-generic/io.h:585:33: warning: performing pointer arithmetic on a null pointer has undefined behavior [-Wnull-pointer-arithmetic]
585 | __raw_writeb(value, PCI_IOBASE + addr);
| ~~~~~~~~~~ ^
include/asm-generic/io.h:595:59: warning: performing pointer arithmetic on a null pointer has undefined behavior [-Wnull-pointer-arithmetic]
595 | __raw_writew((u16 __force)cpu_to_le16(value), PCI_IOBASE + addr);
| ~~~~~~~~~~ ^
include/asm-generic/io.h:605:59: warning: performing pointer arithmetic on a null pointer has undefined behavior [-Wnull-pointer-arithmetic]
605 | __raw_writel((u32 __force)cpu_to_le32(value), PCI_IOBASE + addr);
| ~~~~~~~~~~ ^
include/asm-generic/io.h:693:20: warning: performing pointer arithmetic on a null pointer has undefined behavior [-Wnull-pointer-arithmetic]
693 | readsb(PCI_IOBASE + addr, buffer, count);
| ~~~~~~~~~~ ^
include/asm-generic/io.h:701:20: warning: performing pointer arithmetic on a null pointer has undefined behavior [-Wnull-pointer-arithmetic]
701 | readsw(PCI_IOBASE + addr, buffer, count);
| ~~~~~~~~~~ ^
include/asm-generic/io.h:709:20: warning: performing pointer arithmetic on a null pointer has undefined behavior [-Wnull-pointer-arithmetic]
709 | readsl(PCI_IOBASE + addr, buffer, count);
| ~~~~~~~~~~ ^
include/asm-generic/io.h:718:21: warning: performing pointer arithmetic on a null pointer has undefined behavior [-Wnull-pointer-arithmetic]
718 | writesb(PCI_IOBASE + addr, buffer, count);
| ~~~~~~~~~~ ^
include/asm-generic/io.h:727:21: warning: performing pointer arithmetic on a null pointer has undefined behavior [-Wnull-pointer-arithmetic]
727 | writesw(PCI_IOBASE + addr, buffer, count);
| ~~~~~~~~~~ ^
include/asm-generic/io.h:736:21: warning: performing pointer arithmetic on a null pointer has undefined behavior [-Wnull-pointer-arithmetic]
736 | writesl(PCI_IOBASE + addr, buffer, count);
| ~~~~~~~~~~ ^
In file included from fs/open.c:19:
>> include/linux/security.h:1199:3: error: use of undeclared identifier 'secid'
1199 | *secid = 0;
| ^
13 warnings and 1 error generated.
--
In file included from fs/read_write.c:14:
In file included from include/linux/fsnotify.h:16:
In file included from include/linux/audit.h:13:
In file included from include/linux/ptrace.h:10:
In file included from include/linux/pid_namespace.h:7:
In file included from include/linux/mm.h:2228:
include/linux/vmstat.h:514:36: warning: arithmetic between different enumeration types ('enum node_stat_item' and 'enum lru_list') [-Wenum-enum-conversion]
514 | return node_stat_name(NR_LRU_BASE + lru) + 3; // skip "nr_"
| ~~~~~~~~~~~ ^ ~~~
In file included from fs/read_write.c:15:
>> include/linux/security.h:1199:3: error: use of undeclared identifier 'secid'
1199 | *secid = 0;
| ^
1 warning and 1 error generated.
--
In file included from fs/namei.c:25:
In file included from include/linux/pagemap.h:8:
In file included from include/linux/mm.h:2228:
include/linux/vmstat.h:514:36: warning: arithmetic between different enumeration types ('enum node_stat_item' and 'enum lru_list') [-Wenum-enum-conversion]
514 | return node_stat_name(NR_LRU_BASE + lru) + 3; // skip "nr_"
| ~~~~~~~~~~~ ^ ~~~
In file included from fs/namei.c:29:
>> include/linux/security.h:1199:3: error: use of undeclared identifier 'secid'
1199 | *secid = 0;
| ^
In file included from fs/namei.c:41:
In file included from include/linux/init_task.h:18:
In file included from include/net/net_namespace.h:43:
In file included from include/linux/skbuff.h:28:
In file included from include/linux/dma-mapping.h:11:
In file included from include/linux/scatterlist.h:9:
In file included from arch/s390/include/asm/io.h:93:
include/asm-generic/io.h:548:31: warning: performing pointer arithmetic on a null pointer has undefined behavior [-Wnull-pointer-arithmetic]
548 | val = __raw_readb(PCI_IOBASE + addr);
| ~~~~~~~~~~ ^
include/asm-generic/io.h:561:61: warning: performing pointer arithmetic on a null pointer has undefined behavior [-Wnull-pointer-arithmetic]
561 | val = __le16_to_cpu((__le16 __force)__raw_readw(PCI_IOBASE + addr));
| ~~~~~~~~~~ ^
include/uapi/linux/byteorder/big_endian.h:37:59: note: expanded from macro '__le16_to_cpu'
37 | #define __le16_to_cpu(x) __swab16((__force __u16)(__le16)(x))
| ^
include/uapi/linux/swab.h:102:54: note: expanded from macro '__swab16'
102 | #define __swab16(x) (__u16)__builtin_bswap16((__u16)(x))
| ^
In file included from fs/namei.c:41:
In file included from include/linux/init_task.h:18:
In file included from include/net/net_namespace.h:43:
In file included from include/linux/skbuff.h:28:
In file included from include/linux/dma-mapping.h:11:
In file included from include/linux/scatterlist.h:9:
In file included from arch/s390/include/asm/io.h:93:
include/asm-generic/io.h:574:61: warning: performing pointer arithmetic on a null pointer has undefined behavior [-Wnull-pointer-arithmetic]
574 | val = __le32_to_cpu((__le32 __force)__raw_readl(PCI_IOBASE + addr));
| ~~~~~~~~~~ ^
include/uapi/linux/byteorder/big_endian.h:35:59: note: expanded from macro '__le32_to_cpu'
35 | #define __le32_to_cpu(x) __swab32((__force __u32)(__le32)(x))
| ^
include/uapi/linux/swab.h:115:54: note: expanded from macro '__swab32'
115 | #define __swab32(x) (__u32)__builtin_bswap32((__u32)(x))
| ^
In file included from fs/namei.c:41:
In file included from include/linux/init_task.h:18:
In file included from include/net/net_namespace.h:43:
In file included from include/linux/skbuff.h:28:
In file included from include/linux/dma-mapping.h:11:
In file included from include/linux/scatterlist.h:9:
In file included from arch/s390/include/asm/io.h:93:
include/asm-generic/io.h:585:33: warning: performing pointer arithmetic on a null pointer has undefined behavior [-Wnull-pointer-arithmetic]
585 | __raw_writeb(value, PCI_IOBASE + addr);
| ~~~~~~~~~~ ^
include/asm-generic/io.h:595:59: warning: performing pointer arithmetic on a null pointer has undefined behavior [-Wnull-pointer-arithmetic]
595 | __raw_writew((u16 __force)cpu_to_le16(value), PCI_IOBASE + addr);
| ~~~~~~~~~~ ^
include/asm-generic/io.h:605:59: warning: performing pointer arithmetic on a null pointer has undefined behavior [-Wnull-pointer-arithmetic]
605 | __raw_writel((u32 __force)cpu_to_le32(value), PCI_IOBASE + addr);
| ~~~~~~~~~~ ^
include/asm-generic/io.h:693:20: warning: performing pointer arithmetic on a null pointer has undefined behavior [-Wnull-pointer-arithmetic]
693 | readsb(PCI_IOBASE + addr, buffer, count);
| ~~~~~~~~~~ ^
include/asm-generic/io.h:701:20: warning: performing pointer arithmetic on a null pointer has undefined behavior [-Wnull-pointer-arithmetic]
701 | readsw(PCI_IOBASE + addr, buffer, count);
| ~~~~~~~~~~ ^
include/asm-generic/io.h:709:20: warning: performing pointer arithmetic on a null pointer has undefined behavior [-Wnull-pointer-arithmetic]
709 | readsl(PCI_IOBASE + addr, buffer, count);
| ~~~~~~~~~~ ^
include/asm-generic/io.h:718:21: warning: performing pointer arithmetic on a null pointer has undefined behavior [-Wnull-pointer-arithmetic]
718 | writesb(PCI_IOBASE + addr, buffer, count);
| ~~~~~~~~~~ ^
include/asm-generic/io.h:727:21: warning: performing pointer arithmetic on a null pointer has undefined behavior [-Wnull-pointer-arithmetic]
727 | writesw(PCI_IOBASE + addr, buffer, count);
| ~~~~~~~~~~ ^
include/asm-generic/io.h:736:21: warning: performing pointer arithmetic on a null pointer has undefined behavior [-Wnull-pointer-arithmetic]
736 | writesl(PCI_IOBASE + addr, buffer, count);
| ~~~~~~~~~~ ^
13 warnings and 1 error generated.
--
In file included from fs/splice.c:21:
In file included from include/linux/bvec.h:10:
In file included from include/linux/highmem.h:10:
In file included from include/linux/mm.h:2228:
include/linux/vmstat.h:514:36: warning: arithmetic between different enumeration types ('enum node_stat_item' and 'enum lru_list') [-Wenum-enum-conversion]
514 | return node_stat_name(NR_LRU_BASE + lru) + 3; // skip "nr_"
| ~~~~~~~~~~~ ^ ~~~
In file included from fs/splice.c:27:
include/linux/mm_inline.h:47:41: warning: arithmetic between different enumeration types ('enum node_stat_item' and 'enum lru_list') [-Wenum-enum-conversion]
47 | __mod_lruvec_state(lruvec, NR_LRU_BASE + lru, nr_pages);
| ~~~~~~~~~~~ ^ ~~~
include/linux/mm_inline.h:49:22: warning: arithmetic between different enumeration types ('enum zone_stat_item' and 'enum lru_list') [-Wenum-enum-conversion]
49 | NR_ZONE_LRU_BASE + lru, nr_pages);
| ~~~~~~~~~~~~~~~~ ^ ~~~
In file included from fs/splice.c:31:
In file included from include/linux/syscalls.h:93:
In file included from include/trace/syscall.h:7:
In file included from include/linux/trace_events.h:10:
In file included from include/linux/perf_event.h:62:
>> include/linux/security.h:1199:3: error: use of undeclared identifier 'secid'
1199 | *secid = 0;
| ^
3 warnings and 1 error generated.
--
In file included from fs/statfs.c:2:
In file included from include/linux/syscalls.h:93:
In file included from include/trace/syscall.h:5:
In file included from include/linux/tracepoint.h:21:
In file included from include/linux/static_call.h:135:
In file included from include/linux/cpu.h:17:
In file included from include/linux/node.h:18:
In file included from include/linux/device.h:32:
In file included from include/linux/device/driver.h:21:
In file included from include/linux/module.h:19:
In file included from include/linux/elf.h:6:
In file included from arch/s390/include/asm/elf.h:181:
In file included from arch/s390/include/asm/mmu_context.h:11:
In file included from arch/s390/include/asm/pgalloc.h:18:
In file included from include/linux/mm.h:2228:
include/linux/vmstat.h:514:36: warning: arithmetic between different enumeration types ('enum node_stat_item' and 'enum lru_list') [-Wenum-enum-conversion]
514 | return node_stat_name(NR_LRU_BASE + lru) + 3; // skip "nr_"
| ~~~~~~~~~~~ ^ ~~~
In file included from fs/statfs.c:2:
In file included from include/linux/syscalls.h:93:
In file included from include/trace/syscall.h:7:
In file included from include/linux/trace_events.h:10:
In file included from include/linux/perf_event.h:62:
>> include/linux/security.h:1199:3: error: use of undeclared identifier 'secid'
1199 | *secid = 0;
| ^
fs/statfs.c:131:3: warning: 'memcpy' will always overflow; destination buffer has size 88, but size argument is 120 [-Wfortify-source]
131 | memcpy(&buf, st, sizeof(*st));
| ^
fs/statfs.c:172:3: warning: 'memcpy' will always overflow; destination buffer has size 88, but size argument is 120 [-Wfortify-source]
172 | memcpy(&buf, st, sizeof(*st));
| ^
3 warnings and 1 error generated.
--
In file included from fs/aio.c:20:
In file included from include/linux/syscalls.h:93:
In file included from include/trace/syscall.h:5:
In file included from include/linux/tracepoint.h:21:
In file included from include/linux/static_call.h:135:
In file included from include/linux/cpu.h:17:
In file included from include/linux/node.h:18:
In file included from include/linux/device.h:32:
In file included from include/linux/device/driver.h:21:
In file included from include/linux/module.h:19:
In file included from include/linux/elf.h:6:
In file included from arch/s390/include/asm/elf.h:181:
In file included from arch/s390/include/asm/mmu_context.h:11:
In file included from arch/s390/include/asm/pgalloc.h:18:
In file included from include/linux/mm.h:2228:
include/linux/vmstat.h:514:36: warning: arithmetic between different enumeration types ('enum node_stat_item' and 'enum lru_list') [-Wenum-enum-conversion]
514 | return node_stat_name(NR_LRU_BASE + lru) + 3; // skip "nr_"
| ~~~~~~~~~~~ ^ ~~~
In file included from fs/aio.c:20:
In file included from include/linux/syscalls.h:93:
In file included from include/trace/syscall.h:7:
In file included from include/linux/trace_events.h:10:
In file included from include/linux/perf_event.h:62:
>> include/linux/security.h:1199:3: error: use of undeclared identifier 'secid'
1199 | *secid = 0;
| ^
In file included from fs/aio.c:29:
include/linux/mman.h:158:9: warning: division by zero is undefined [-Wdivision-by-zero]
158 | _calc_vm_trans(flags, MAP_SYNC, VM_SYNC ) |
| ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
include/linux/mman.h:136:21: note: expanded from macro '_calc_vm_trans'
136 | : ((x) & (bit1)) / ((bit1) / (bit2))))
| ^ ~~~~~~~~~~~~~~~~~
include/linux/mman.h:159:9: warning: division by zero is undefined [-Wdivision-by-zero]
159 | _calc_vm_trans(flags, MAP_STACK, VM_NOHUGEPAGE) |
| ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
include/linux/mman.h:136:21: note: expanded from macro '_calc_vm_trans'
136 | : ((x) & (bit1)) / ((bit1) / (bit2))))
| ^ ~~~~~~~~~~~~~~~~~
3 warnings and 1 error generated.
vim +/secid +1199 include/linux/security.h
1195
1196 static inline void security_cred_getlsmblob(const struct cred *c,
1197 struct lsmblob *blob)
1198 {
> 1199 *secid = 0;
1200 }
1201
--
0-DAY CI Kernel Test Service
https://github.com/intel/lkp-tests/wiki
^ permalink raw reply [flat|nested] 4+ messages in thread
* Re: [PATCH 05/13] LSM: Use lsmblob in security_ipc_getsecid
2024-08-25 19:00 ` [PATCH 05/13] LSM: Use lsmblob in security_ipc_getsecid Casey Schaufler
@ 2024-08-27 12:23 ` Stephen Smalley
0 siblings, 0 replies; 4+ messages in thread
From: Stephen Smalley @ 2024-08-27 12:23 UTC (permalink / raw)
To: Casey Schaufler
Cc: paul, linux-security-module, jmorris, serge, keescook,
john.johansen, penguin-kernel, linux-kernel, mic, linux-audit,
audit
On Sun, Aug 25, 2024 at 3:02 PM Casey Schaufler <casey@schaufler-ca.com> wrote:
>
> There may be more than one LSM that provides IPC data for auditing.
> Change security_ipc_getsecid() to fill in a lsmblob structure instead
> of the u32 secid. Change the name to security_ipc_getlsmblob() to
> reflect the change. The audit data structure containing the secid
> will be updated later, so there is a bit of scaffolding here.
>
> Reviewed-by: Kees Cook <keescook@chromium.org>
> Reviewed-by: John Johansen <john.johansen@canonical.com>
> Acked-by: Stephen Smalley <stephen.smalley.work@gmail.com>
> Acked-by: Paul Moore <paul@paul-moore.com>
> Signed-off-by: Casey Schaufler <casey@schaufler-ca.com>
> Cc: linux-audit@redhat.com
> Cc: audit@vger.kernel.org
1. Need to cc selinux list on patches that modify it.
2. Can't retain Acked-by or Reviewed-by lines if the patch has changed
since the review.
> ---
> include/linux/lsm_hook_defs.h | 4 ++--
> include/linux/security.h | 18 +++++++++++++++---
> kernel/auditsc.c | 3 +--
> security/security.c | 14 +++++++-------
> security/selinux/hooks.c | 9 ++++++---
> security/smack/smack_lsm.c | 17 ++++++++++-------
> 6 files changed, 41 insertions(+), 24 deletions(-)
>
> diff --git a/include/linux/lsm_hook_defs.h b/include/linux/lsm_hook_defs.h
> index 3e5f6baa7b9f..c3ffc3f98343 100644
> --- a/include/linux/lsm_hook_defs.h
> +++ b/include/linux/lsm_hook_defs.h
> @@ -253,8 +253,8 @@ LSM_HOOK(void, LSM_RET_VOID, task_to_inode, struct task_struct *p,
> struct inode *inode)
> LSM_HOOK(int, 0, userns_create, const struct cred *cred)
> LSM_HOOK(int, 0, ipc_permission, struct kern_ipc_perm *ipcp, short flag)
> -LSM_HOOK(void, LSM_RET_VOID, ipc_getsecid, struct kern_ipc_perm *ipcp,
> - u32 *secid)
> +LSM_HOOK(void, LSM_RET_VOID, ipc_getlsmblob, struct kern_ipc_perm *ipcp,
> + struct lsmblob *blob)
> LSM_HOOK(int, 0, msg_msg_alloc_security, struct msg_msg *msg)
> LSM_HOOK(void, LSM_RET_VOID, msg_msg_free_security, struct msg_msg *msg)
> LSM_HOOK(int, 0, msg_queue_alloc_security, struct kern_ipc_perm *perm)
> diff --git a/include/linux/security.h b/include/linux/security.h
> index a0b23b6e8734..ebe8edaae953 100644
> --- a/include/linux/security.h
> +++ b/include/linux/security.h
> @@ -290,6 +290,17 @@ static inline bool lsmblob_is_set(struct lsmblob *blob)
> return !!memcmp(blob, &empty, sizeof(*blob));
> }
>
> +/**
> + * lsmblob_init - initialize a lsmblob structure
> + * @blob: Pointer to the data to initialize
> + *
> + * Set all secid for all modules to the specified value.
> + */
> +static inline void lsmblob_init(struct lsmblob *blob)
> +{
> + memset(blob, 0, sizeof(*blob));
> +}
> +
> #ifdef CONFIG_SECURITY
>
> int call_blocking_lsm_notifier(enum lsm_event event, void *data);
> @@ -500,7 +511,7 @@ int security_task_prctl(int option, unsigned long arg2, unsigned long arg3,
> void security_task_to_inode(struct task_struct *p, struct inode *inode);
> int security_create_user_ns(const struct cred *cred);
> int security_ipc_permission(struct kern_ipc_perm *ipcp, short flag);
> -void security_ipc_getsecid(struct kern_ipc_perm *ipcp, u32 *secid);
> +void security_ipc_getlsmblob(struct kern_ipc_perm *ipcp, struct lsmblob *blob);
> int security_msg_msg_alloc(struct msg_msg *msg);
> void security_msg_msg_free(struct msg_msg *msg);
> int security_msg_queue_alloc(struct kern_ipc_perm *msq);
> @@ -1340,9 +1351,10 @@ static inline int security_ipc_permission(struct kern_ipc_perm *ipcp,
> return 0;
> }
>
> -static inline void security_ipc_getsecid(struct kern_ipc_perm *ipcp, u32 *secid)
> +static inline void security_ipc_getlsmblob(struct kern_ipc_perm *ipcp,
> + struct lsmblob *blob)
> {
> - *secid = 0;
> + lsmblob_init(blob);
> }
>
> static inline int security_msg_msg_alloc(struct msg_msg *msg)
> diff --git a/kernel/auditsc.c b/kernel/auditsc.c
> index 84f6e9356b8f..94b7ef89da2e 100644
> --- a/kernel/auditsc.c
> +++ b/kernel/auditsc.c
> @@ -2638,8 +2638,7 @@ void __audit_ipc_obj(struct kern_ipc_perm *ipcp)
> context->ipc.gid = ipcp->gid;
> context->ipc.mode = ipcp->mode;
> context->ipc.has_perm = 0;
> - /* scaffolding */
> - security_ipc_getsecid(ipcp, &context->ipc.oblob.scaffold.secid);
> + security_ipc_getlsmblob(ipcp, &context->ipc.oblob);
> context->type = AUDIT_IPC;
> }
>
> diff --git a/security/security.c b/security/security.c
> index bb541a3be410..6e72e678b5b4 100644
> --- a/security/security.c
> +++ b/security/security.c
> @@ -3611,17 +3611,17 @@ int security_ipc_permission(struct kern_ipc_perm *ipcp, short flag)
> }
>
> /**
> - * security_ipc_getsecid() - Get the sysv ipc object's secid
> + * security_ipc_getlsmblob() - Get the sysv ipc object LSM data
> * @ipcp: ipc permission structure
> - * @secid: secid pointer
> + * @blob: pointer to lsm information
> *
> - * Get the secid associated with the ipc object. In case of failure, @secid
> - * will be set to zero.
> + * Get the lsm information associated with the ipc object.
> */
> -void security_ipc_getsecid(struct kern_ipc_perm *ipcp, u32 *secid)
> +
> +void security_ipc_getlsmblob(struct kern_ipc_perm *ipcp, struct lsmblob *blob)
> {
> - *secid = 0;
> - call_void_hook(ipc_getsecid, ipcp, secid);
> + lsmblob_init(blob);
> + call_void_hook(ipc_getlsmblob, ipcp, blob);
> }
>
> /**
> diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c
> index 102489e6d579..1b34b86426e8 100644
> --- a/security/selinux/hooks.c
> +++ b/security/selinux/hooks.c
> @@ -6328,10 +6328,13 @@ static int selinux_ipc_permission(struct kern_ipc_perm *ipcp, short flag)
> return ipc_has_perm(ipcp, av);
> }
>
> -static void selinux_ipc_getsecid(struct kern_ipc_perm *ipcp, u32 *secid)
> +static void selinux_ipc_getlsmblob(struct kern_ipc_perm *ipcp,
> + struct lsmblob *blob)
> {
> struct ipc_security_struct *isec = selinux_ipc(ipcp);
> - *secid = isec->sid;
> + blob->selinux.secid = isec->sid;
> + /* scaffolding */
> + blob->scaffold.secid = isec->sid;
> }
>
> static void selinux_d_instantiate(struct dentry *dentry, struct inode *inode)
> @@ -7252,7 +7255,7 @@ static struct security_hook_list selinux_hooks[] __ro_after_init = {
> LSM_HOOK_INIT(userns_create, selinux_userns_create),
>
> LSM_HOOK_INIT(ipc_permission, selinux_ipc_permission),
> - LSM_HOOK_INIT(ipc_getsecid, selinux_ipc_getsecid),
> + LSM_HOOK_INIT(ipc_getlsmblob, selinux_ipc_getlsmblob),
>
> LSM_HOOK_INIT(msg_queue_associate, selinux_msg_queue_associate),
> LSM_HOOK_INIT(msg_queue_msgctl, selinux_msg_queue_msgctl),
> diff --git a/security/smack/smack_lsm.c b/security/smack/smack_lsm.c
> index 5d74d8590862..370ca7fb1843 100644
> --- a/security/smack/smack_lsm.c
> +++ b/security/smack/smack_lsm.c
> @@ -3442,16 +3442,19 @@ static int smack_ipc_permission(struct kern_ipc_perm *ipp, short flag)
> }
>
> /**
> - * smack_ipc_getsecid - Extract smack security id
> + * smack_ipc_getlsmblob - Extract smack security data
> * @ipp: the object permissions
> - * @secid: where result will be saved
> + * @blob: where result will be saved
> */
> -static void smack_ipc_getsecid(struct kern_ipc_perm *ipp, u32 *secid)
> +static void smack_ipc_getlsmblob(struct kern_ipc_perm *ipp,
> + struct lsmblob *blob)
> {
> - struct smack_known **blob = smack_ipc(ipp);
> - struct smack_known *iskp = *blob;
> + struct smack_known **iskpp = smack_ipc(ipp);
> + struct smack_known *iskp = *iskpp;
>
> - *secid = iskp->smk_secid;
> + blob->smack.skp = iskp;
> + /* scaffolding */
> + blob->scaffold.secid = iskp->smk_secid;
> }
>
> /**
> @@ -5157,7 +5160,7 @@ static struct security_hook_list smack_hooks[] __ro_after_init = {
> LSM_HOOK_INIT(task_to_inode, smack_task_to_inode),
>
> LSM_HOOK_INIT(ipc_permission, smack_ipc_permission),
> - LSM_HOOK_INIT(ipc_getsecid, smack_ipc_getsecid),
> + LSM_HOOK_INIT(ipc_getlsmblob, smack_ipc_getlsmblob),
>
> LSM_HOOK_INIT(msg_msg_alloc_security, smack_msg_msg_alloc_security),
>
> --
> 2.41.0
>
^ permalink raw reply [flat|nested] 4+ messages in thread
end of thread, other threads:[~2024-08-27 12:24 UTC | newest]
Thread overview: 4+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
[not found] <20240825190048.13289-1-casey@schaufler-ca.com>
2024-08-25 19:00 ` [PATCH 05/13] LSM: Use lsmblob in security_ipc_getsecid Casey Schaufler
2024-08-27 12:23 ` Stephen Smalley
2024-08-25 19:00 ` [PATCH 10/13] LSM: Create new security_cred_getlsmblob LSM hook Casey Schaufler
2024-08-27 5:00 ` kernel test robot
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox