From: Casey Schaufler <casey@schaufler-ca.com>
To: casey.schaufler@intel.com, paul@paul-moore.com,
linux-security-module@vger.kernel.org
Cc: john.johansen@canonical.com, selinux@vger.kernel.org,
jmorris@namei.org, linux-kernel@vger.kernel.org,
linux-audit@redhat.com
Subject: [PATCH v38 24/39] Use lsmcontext in security_dentry_init_security
Date: Tue, 27 Sep 2022 12:54:06 -0700 [thread overview]
Message-ID: <20220927195421.14713-25-casey@schaufler-ca.com> (raw)
In-Reply-To: <20220927195421.14713-1-casey@schaufler-ca.com>
Replace the (secctx,seclen) pointer pair with a single
lsmcontext pointer to allow return of the LSM identifier
along with the context and context length. This allows
security_release_secctx() to know how to release the
context. Callers have been modified to use or save the
returned data from the new structure.
Special care is taken in the NFS code, which uses the
same data structure for its own copied labels as it does
for the data which comes from security_dentry_init_security().
In the case of copied labels the data has to be freed, not
released.
Signed-off-by: Casey Schaufler <casey@schaufler-ca.com>
---
fs/ceph/super.h | 3 +--
fs/ceph/xattr.c | 19 ++++++-------------
fs/fuse/dir.c | 35 ++++++++++++++++++-----------------
fs/nfs/dir.c | 2 +-
fs/nfs/inode.c | 17 ++++++++++-------
fs/nfs/internal.h | 8 +++++---
fs/nfs/nfs4proc.c | 20 ++++++++------------
fs/nfs/nfs4xdr.c | 22 ++++++++++++----------
include/linux/nfs4.h | 8 ++++----
include/linux/nfs_fs.h | 2 +-
include/linux/security.h | 18 ++++++++++++++----
security/security.c | 17 +++++++++++++----
12 files changed, 93 insertions(+), 78 deletions(-)
diff --git a/fs/ceph/super.h b/fs/ceph/super.h
index 40630e6f691c..60c560a842e7 100644
--- a/fs/ceph/super.h
+++ b/fs/ceph/super.h
@@ -1072,8 +1072,7 @@ struct ceph_acl_sec_ctx {
void *acl;
#endif
#ifdef CONFIG_CEPH_FS_SECURITY_LABEL
- void *sec_ctx;
- u32 sec_ctxlen;
+ struct lsmcontext lsmctx;
#endif
struct ceph_pagelist *pagelist;
};
diff --git a/fs/ceph/xattr.c b/fs/ceph/xattr.c
index d943be72dfff..c7f8c3a56be8 100644
--- a/fs/ceph/xattr.c
+++ b/fs/ceph/xattr.c
@@ -1332,8 +1332,7 @@ int ceph_security_init_secctx(struct dentry *dentry, umode_t mode,
int err;
err = security_dentry_init_security(dentry, mode, &dentry->d_name,
- &name, &as_ctx->sec_ctx,
- &as_ctx->sec_ctxlen);
+ &name, &as_ctx->lsmctx);
if (err < 0) {
WARN_ON_ONCE(err != -EOPNOTSUPP);
err = 0; /* do nothing */
@@ -1358,7 +1357,7 @@ int ceph_security_init_secctx(struct dentry *dentry, umode_t mode,
*/
name_len = strlen(name);
err = ceph_pagelist_reserve(pagelist,
- 4 * 2 + name_len + as_ctx->sec_ctxlen);
+ 4 * 2 + name_len + as_ctx->lsmctx.len);
if (err)
goto out;
@@ -1378,11 +1377,9 @@ int ceph_security_init_secctx(struct dentry *dentry, umode_t mode,
as_ctx->pagelist = pagelist;
}
- ceph_pagelist_encode_32(pagelist, name_len);
- ceph_pagelist_append(pagelist, name, name_len);
-
- ceph_pagelist_encode_32(pagelist, as_ctx->sec_ctxlen);
- ceph_pagelist_append(pagelist, as_ctx->sec_ctx, as_ctx->sec_ctxlen);
+ ceph_pagelist_encode_32(pagelist, as_ctx->lsmctx.len);
+ ceph_pagelist_append(pagelist, as_ctx->lsmctx.context,
+ as_ctx->lsmctx.len);
err = 0;
out:
@@ -1395,16 +1392,12 @@ int ceph_security_init_secctx(struct dentry *dentry, umode_t mode,
void ceph_release_acl_sec_ctx(struct ceph_acl_sec_ctx *as_ctx)
{
-#ifdef CONFIG_CEPH_FS_SECURITY_LABEL
- struct lsmcontext scaff; /* scaffolding */
-#endif
#ifdef CONFIG_CEPH_FS_POSIX_ACL
posix_acl_release(as_ctx->acl);
posix_acl_release(as_ctx->default_acl);
#endif
#ifdef CONFIG_CEPH_FS_SECURITY_LABEL
- lsmcontext_init(&scaff, as_ctx->sec_ctx, as_ctx->sec_ctxlen, 0);
- security_release_secctx(&scaff);
+ security_release_secctx(&as_ctx->lsmctx);
#endif
if (as_ctx->pagelist)
ceph_pagelist_release(as_ctx->pagelist);
diff --git a/fs/fuse/dir.c b/fs/fuse/dir.c
index b585b04e815e..235f8039bb5b 100644
--- a/fs/fuse/dir.c
+++ b/fs/fuse/dir.c
@@ -470,29 +470,29 @@ static int get_security_context(struct dentry *entry, umode_t mode,
{
struct fuse_secctx *fctx;
struct fuse_secctx_header *header;
- void *ctx = NULL, *ptr;
- u32 ctxlen, total_len = sizeof(*header);
+ struct lsmcontext lsmctx = { };
+ void *ptr;
+ u32 total_len = sizeof(*header);
int err, nr_ctx = 0;
- const char *name;
+ const char *name = NULL;
size_t namelen;
err = security_dentry_init_security(entry, mode, &entry->d_name,
- &name, &ctx, &ctxlen);
- if (err) {
- if (err != -EOPNOTSUPP)
- goto out_err;
- /* No LSM is supporting this security hook. Ignore error */
- ctxlen = 0;
- ctx = NULL;
- }
+ &name, &lsmctx);
+
+ /* If no LSM is supporting this security hook ignore error */
+ if (err && err != -EOPNOTSUPP)
+ goto out_err;
- if (ctxlen) {
+ if (lsmctx.len) {
nr_ctx = 1;
namelen = strlen(name) + 1;
err = -EIO;
- if (WARN_ON(namelen > XATTR_NAME_MAX + 1 || ctxlen > S32_MAX))
+ if (WARN_ON(namelen > XATTR_NAME_MAX + 1 ||
+ lsmctx.len > S32_MAX))
goto out_err;
- total_len += FUSE_REC_ALIGN(sizeof(*fctx) + namelen + ctxlen);
+ total_len += FUSE_REC_ALIGN(sizeof(*fctx) + namelen +
+ lsmctx.len);
}
err = -ENOMEM;
@@ -505,19 +505,20 @@ static int get_security_context(struct dentry *entry, umode_t mode,
ptr += sizeof(*header);
if (nr_ctx) {
fctx = ptr;
- fctx->size = ctxlen;
+ fctx->size = lsmctx.len;
ptr += sizeof(*fctx);
strcpy(ptr, name);
ptr += namelen;
- memcpy(ptr, ctx, ctxlen);
+ memcpy(ptr, lsmctx.context, lsmctx.len);
}
*security_ctxlen = total_len;
*security_ctx = header;
err = 0;
out_err:
- kfree(ctx);
+ if (nr_ctx)
+ security_release_secctx(&lsmctx);
return err;
}
diff --git a/fs/nfs/dir.c b/fs/nfs/dir.c
index 5d6c2ddc7ea6..a1979b3d311f 100644
--- a/fs/nfs/dir.c
+++ b/fs/nfs/dir.c
@@ -810,7 +810,7 @@ static int nfs_readdir_entry_decode(struct nfs_readdir_descriptor *desc,
int ret;
if (entry->fattr->label)
- entry->fattr->label->len = NFS4_MAXLABELLEN;
+ entry->fattr->label->lsmctx.len = NFS4_MAXLABELLEN;
ret = xdr_decode(desc, entry, stream);
if (ret || !desc->plus)
return ret;
diff --git a/fs/nfs/inode.c b/fs/nfs/inode.c
index bea7c005119c..5bec6ead5407 100644
--- a/fs/nfs/inode.c
+++ b/fs/nfs/inode.c
@@ -361,14 +361,15 @@ void nfs_setsecurity(struct inode *inode, struct nfs_fattr *fattr)
return;
if ((fattr->valid & NFS_ATTR_FATTR_V4_SECURITY_LABEL) && inode->i_security) {
- error = security_inode_notifysecctx(inode, fattr->label->label,
- fattr->label->len);
+ error = security_inode_notifysecctx(inode,
+ fattr->label->lsmctx.context,
+ fattr->label->lsmctx.len);
if (error)
printk(KERN_ERR "%s() %s %d "
"security_inode_notifysecctx() %d\n",
__func__,
- (char *)fattr->label->label,
- fattr->label->len, error);
+ (char *)fattr->label->lsmctx.context,
+ fattr->label->lsmctx.len, error);
nfs_clear_label_invalid(inode);
}
}
@@ -384,12 +385,14 @@ struct nfs4_label *nfs4_label_alloc(struct nfs_server *server, gfp_t flags)
if (label == NULL)
return ERR_PTR(-ENOMEM);
- label->label = kzalloc(NFS4_MAXLABELLEN, flags);
- if (label->label == NULL) {
+ label->lsmctx.context = kzalloc(NFS4_MAXLABELLEN, flags);
+ if (label->lsmctx.context == NULL) {
kfree(label);
return ERR_PTR(-ENOMEM);
}
- label->len = NFS4_MAXLABELLEN;
+ label->lsmctx.len = NFS4_MAXLABELLEN;
+ /* Use an invalid LSM slot as this should never be "released". */
+ label->lsmctx.slot = -1;
return label;
}
diff --git a/fs/nfs/internal.h b/fs/nfs/internal.h
index 898dd95bc7a7..b02297d9b5ae 100644
--- a/fs/nfs/internal.h
+++ b/fs/nfs/internal.h
@@ -342,13 +342,15 @@ nfs4_label_copy(struct nfs4_label *dst, struct nfs4_label *src)
if (!dst || !src)
return NULL;
- if (src->len > NFS4_MAXLABELLEN)
+ if (src->lsmctx.len > NFS4_MAXLABELLEN)
return NULL;
dst->lfs = src->lfs;
dst->pi = src->pi;
- dst->len = src->len;
- memcpy(dst->label, src->label, src->len);
+ /* Use an invalid LSM slot as lsmctx should never be "released" */
+ dst->lsmctx.slot = -1;
+ dst->lsmctx.len = src->lsmctx.len;
+ memcpy(dst->lsmctx.context, src->lsmctx.context, src->lsmctx.len);
return dst;
}
diff --git a/fs/nfs/nfs4proc.c b/fs/nfs/nfs4proc.c
index 47259990fae1..7ff49d4b7e97 100644
--- a/fs/nfs/nfs4proc.c
+++ b/fs/nfs/nfs4proc.c
@@ -123,8 +123,7 @@ nfs4_label_init_security(struct inode *dir, struct dentry *dentry,
return NULL;
err = security_dentry_init_security(dentry, sattr->ia_mode,
- &dentry->d_name, NULL,
- (void **)&label->label, &label->len);
+ &dentry->d_name, NULL, &label->lsmctx);
if (err == 0)
return label;
@@ -133,12 +132,8 @@ nfs4_label_init_security(struct inode *dir, struct dentry *dentry,
static inline void
nfs4_label_release_security(struct nfs4_label *label)
{
- struct lsmcontext scaff; /* scaffolding */
-
- if (label) {
- lsmcontext_init(&scaff, label->label, label->len, 0);
- security_release_secctx(&scaff);
- }
+ if (label)
+ security_release_secctx(&label->lsmctx);
}
static inline u32 *nfs4_bitmask(struct nfs_server *server, struct nfs4_label *label)
{
@@ -3799,7 +3794,7 @@ nfs4_atomic_open(struct inode *dir, struct nfs_open_context *ctx,
int open_flags, struct iattr *attr, int *opened)
{
struct nfs4_state *state;
- struct nfs4_label l = {0, 0, 0, NULL}, *label = NULL;
+ struct nfs4_label l = { }, *label = NULL;
label = nfs4_label_init_security(dir, ctx->dentry, attr, &l);
@@ -6114,7 +6109,7 @@ static int _nfs4_get_security_label(struct inode *inode, void *buf,
size_t buflen)
{
struct nfs_server *server = NFS_SERVER(inode);
- struct nfs4_label label = {0, 0, buflen, buf};
+ struct nfs4_label label = {0, 0, {buf, buflen, -1} };
u32 bitmask[3] = { 0, 0, FATTR4_WORD2_SECURITY_LABEL };
struct nfs_fattr fattr = {
@@ -6142,7 +6137,7 @@ static int _nfs4_get_security_label(struct inode *inode, void *buf,
return ret;
if (!(fattr.valid & NFS_ATTR_FATTR_V4_SECURITY_LABEL))
return -ENOENT;
- return label.len;
+ return label.lsmctx.len;
}
static int nfs4_get_security_label(struct inode *inode, void *buf,
@@ -6219,7 +6214,8 @@ static int nfs4_do_set_security_label(struct inode *inode,
static int
nfs4_set_security_label(struct inode *inode, const void *buf, size_t buflen)
{
- struct nfs4_label ilabel = {0, 0, buflen, (char *)buf };
+ struct nfs4_label ilabel = {0, 0,
+ {(char *)buf, buflen, -1}};
struct nfs_fattr *fattr;
int status;
diff --git a/fs/nfs/nfs4xdr.c b/fs/nfs/nfs4xdr.c
index acfe5f4bda48..9f1a376fb92c 100644
--- a/fs/nfs/nfs4xdr.c
+++ b/fs/nfs/nfs4xdr.c
@@ -1154,7 +1154,7 @@ static void encode_attrs(struct xdr_stream *xdr, const struct iattr *iap,
}
if (label && (attrmask[2] & FATTR4_WORD2_SECURITY_LABEL)) {
- len += 4 + 4 + 4 + (XDR_QUADLEN(label->len) << 2);
+ len += 4 + 4 + 4 + (XDR_QUADLEN(label->lsmctx.len) << 2);
bmval[2] |= FATTR4_WORD2_SECURITY_LABEL;
}
@@ -1186,8 +1186,9 @@ static void encode_attrs(struct xdr_stream *xdr, const struct iattr *iap,
if (label && (bmval[2] & FATTR4_WORD2_SECURITY_LABEL)) {
*p++ = cpu_to_be32(label->lfs);
*p++ = cpu_to_be32(label->pi);
- *p++ = cpu_to_be32(label->len);
- p = xdr_encode_opaque_fixed(p, label->label, label->len);
+ *p++ = cpu_to_be32(label->lsmctx.len);
+ p = xdr_encode_opaque_fixed(p, label->lsmctx.context,
+ label->lsmctx.len);
}
if (bmval[2] & FATTR4_WORD2_MODE_UMASK) {
*p++ = cpu_to_be32(iap->ia_mode & S_IALLUGO);
@@ -4236,12 +4237,12 @@ static int decode_attr_security_label(struct xdr_stream *xdr, uint32_t *bitmap,
return -EIO;
if (len < NFS4_MAXLABELLEN) {
if (label) {
- if (label->len) {
- if (label->len < len)
+ if (label->lsmctx.len) {
+ if (label->lsmctx.len < len)
return -ERANGE;
- memcpy(label->label, p, len);
+ memcpy(label->lsmctx.context, p, len);
}
- label->len = len;
+ label->lsmctx.len = len;
label->pi = pi;
label->lfs = lfs;
status = NFS_ATTR_FATTR_V4_SECURITY_LABEL;
@@ -4250,10 +4251,11 @@ static int decode_attr_security_label(struct xdr_stream *xdr, uint32_t *bitmap,
} else
printk(KERN_WARNING "%s: label too long (%u)!\n",
__func__, len);
- if (label && label->label)
+ if (label && label->lsmctx.context)
dprintk("%s: label=%.*s, len=%d, PI=%d, LFS=%d\n",
- __func__, label->len, (char *)label->label,
- label->len, label->pi, label->lfs);
+ __func__, label->lsmctx.len,
+ (char *)label->lsmctx.context,
+ label->lsmctx.len, label->pi, label->lfs);
}
return status;
}
diff --git a/include/linux/nfs4.h b/include/linux/nfs4.h
index 8d04b6a5964c..5c2d69cf609a 100644
--- a/include/linux/nfs4.h
+++ b/include/linux/nfs4.h
@@ -15,6 +15,7 @@
#include <linux/list.h>
#include <linux/uidgid.h>
+#include <linux/security.h>
#include <uapi/linux/nfs4.h>
#include <linux/sunrpc/msg_prot.h>
@@ -44,10 +45,9 @@ struct nfs4_acl {
#define NFS4_MAXLABELLEN 2048
struct nfs4_label {
- uint32_t lfs;
- uint32_t pi;
- u32 len;
- char *label;
+ uint32_t lfs;
+ uint32_t pi;
+ struct lsmcontext lsmctx;
};
typedef struct { char data[NFS4_VERIFIER_SIZE]; } nfs4_verifier;
diff --git a/include/linux/nfs_fs.h b/include/linux/nfs_fs.h
index 7931fa472561..d4f30861c656 100644
--- a/include/linux/nfs_fs.h
+++ b/include/linux/nfs_fs.h
@@ -428,7 +428,7 @@ static inline void nfs4_label_free(struct nfs4_label *label)
{
#ifdef CONFIG_NFS_V4_SECURITY_LABEL
if (label) {
- kfree(label->label);
+ kfree(label->lsmctx.context);
kfree(label);
}
#endif
diff --git a/include/linux/security.h b/include/linux/security.h
index be935b8d7df5..4f2c1bb857be 100644
--- a/include/linux/security.h
+++ b/include/linux/security.h
@@ -246,8 +246,19 @@ static inline bool lsmblob_equal(const struct lsmblob *bloba,
}
/* Map lsm names to blob slot numbers */
+#if LSMBLOB_ENTRIES > 0
extern int lsm_name_to_slot(char *name);
extern const char *lsm_slot_to_name(int slot);
+#else
+static inline int lsm_name_to_slot(char *name)
+{
+ return LSMBLOB_INVALID;
+}
+static inline const char *lsm_slot_to_name(int slot)
+{
+ return NULL;
+}
+#endif
/**
* lsmblob_value - find the first non-zero value in an lsmblob structure.
@@ -487,8 +498,8 @@ int security_sb_clone_mnt_opts(const struct super_block *oldsb,
int security_move_mount(const struct path *from_path, const struct path *to_path);
int security_dentry_init_security(struct dentry *dentry, int mode,
const struct qstr *name,
- const char **xattr_name, void **ctx,
- u32 *ctxlen);
+ const char **xattr_name,
+ struct lsmcontext *lsmcxt);
int security_dentry_create_files_as(struct dentry *dentry, int mode,
struct qstr *name,
const struct cred *old,
@@ -906,8 +917,7 @@ static inline int security_dentry_init_security(struct dentry *dentry,
int mode,
const struct qstr *name,
const char **xattr_name,
- void **ctx,
- u32 *ctxlen)
+ struct lsmcontext *lsmcxt)
{
return -EOPNOTSUPP;
}
diff --git a/security/security.c b/security/security.c
index d57554ce386a..d31989e4bc25 100644
--- a/security/security.c
+++ b/security/security.c
@@ -496,6 +496,8 @@ static int lsm_append(const char *new, char **result)
* Current index to use while initializing the lsmblob secid list.
*/
static int lsm_slot __lsm_ro_after_init;
+
+#if LSMBLOB_ENTRIES > 0
static struct lsm_id *lsm_slotlist[LSMBLOB_ENTRIES] __lsm_ro_after_init;
/**
@@ -540,6 +542,7 @@ const char *lsm_slot_to_name(int slot)
return NULL;
return lsm_slotlist[slot]->lsm;
}
+#endif /* LSMBLOB_ENTRIES > 0 */
/**
* security_add_hooks - Add a modules hooks to the hook lists.
@@ -568,6 +571,7 @@ void __init security_add_hooks(struct security_hook_list *hooks, int count,
WARN_ON(!lsmid->slot || !lsmid->id);
+#if LSMBLOB_ENTRIES > 0
if (lsmid->slot == LSMBLOB_NEEDED) {
if (lsm_slot >= LSMBLOB_ENTRIES)
panic("%s Too many LSMs registered.\n", __func__);
@@ -576,6 +580,7 @@ void __init security_add_hooks(struct security_hook_list *hooks, int count,
init_debug("%s assigned lsmblob slot %d\n", lsmid->lsm,
lsmid->slot);
}
+#endif /* LSMBLOB_ENTRIES > 0 */
for (i = 0; i < count; i++) {
hooks[i].lsmid = lsmid;
@@ -1186,8 +1191,8 @@ void security_inode_free(struct inode *inode)
int security_dentry_init_security(struct dentry *dentry, int mode,
const struct qstr *name,
- const char **xattr_name, void **ctx,
- u32 *ctxlen)
+ const char **xattr_name,
+ struct lsmcontext *lsmctx)
{
struct security_hook_list *hp;
int rc;
@@ -1195,9 +1200,13 @@ int security_dentry_init_security(struct dentry *dentry, int mode,
/*
* Only one module will provide a security context.
*/
- hlist_for_each_entry(hp, &security_hook_heads.dentry_init_security, list) {
+ hlist_for_each_entry(hp, &security_hook_heads.dentry_init_security,
+ list) {
rc = hp->hook.dentry_init_security(dentry, mode, name,
- xattr_name, ctx, ctxlen);
+ xattr_name,
+ (void **)&lsmctx->context,
+ &lsmctx->len);
+ lsmctx->slot = hp->lsmid->slot;
if (rc != LSM_RET_DEFAULT(dentry_init_security))
return rc;
}
--
2.37.3
--
Linux-audit mailing list
Linux-audit@redhat.com
https://listman.redhat.com/mailman/listinfo/linux-audit
next prev parent reply other threads:[~2022-09-27 20:07 UTC|newest]
Thread overview: 68+ messages / expand[flat|nested] mbox.gz Atom feed top
[not found] <20220927195421.14713-1-casey.ref@schaufler-ca.com>
2022-09-27 19:53 ` [PATCH v38 00/39] LSM: Module stacking for AppArmor Casey Schaufler
2022-09-27 19:53 ` [PATCH v38 01/39] LSM: Identify modules by more than name Casey Schaufler
2022-10-12 21:14 ` Mickaël Salaün
2023-03-03 15:17 ` Georgia Garcia
2023-03-03 16:52 ` Casey Schaufler
2022-09-27 19:53 ` [PATCH v38 02/39] LSM: Add an LSM identifier for external use Casey Schaufler
2022-10-12 21:14 ` Mickaël Salaün
2022-10-20 22:47 ` Casey Schaufler
2023-03-03 17:14 ` Georgia Garcia
2022-09-27 19:53 ` [PATCH v38 03/39] LSM: Identify the process attributes for each module Casey Schaufler
2022-09-27 19:53 ` [PATCH v38 04/39] LSM: Maintain a table of LSM attribute data Casey Schaufler
2022-10-13 10:04 ` Tetsuo Handa
2022-10-20 23:42 ` Casey Schaufler
2022-10-23 7:27 ` Tetsuo Handa
2022-10-23 10:10 ` Tetsuo Handa
2022-10-23 17:20 ` Casey Schaufler
2022-10-23 17:13 ` Casey Schaufler
2022-10-24 15:13 ` Tetsuo Handa
2022-10-24 16:37 ` Casey Schaufler
2022-10-25 9:59 ` Tetsuo Handa
2022-09-27 19:53 ` [PATCH v38 05/39] proc: Use lsmids instead of lsm names for attrs Casey Schaufler
2022-09-27 19:53 ` [PATCH v38 06/39] LSM: lsm_self_attr syscall for LSM self attributes Casey Schaufler
2022-09-27 22:45 ` kernel test robot
2022-09-28 11:04 ` kernel test robot
2022-10-12 21:16 ` Mickaël Salaün
2022-10-20 15:44 ` Paul Moore
2022-10-20 16:13 ` Casey Schaufler
2022-09-27 19:53 ` [PATCH v38 07/39] integrity: disassociate ima_filter_rule from security_audit_rule Casey Schaufler
2022-09-27 19:53 ` [PATCH v38 08/39] LSM: Infrastructure management of the sock security Casey Schaufler
2022-10-12 21:17 ` Mickaël Salaün
2022-09-27 19:53 ` [PATCH v38 09/39] LSM: Add the lsmblob data structure Casey Schaufler
2022-10-12 21:18 ` Mickaël Salaün
2022-09-27 19:53 ` [PATCH v38 10/39] LSM: provide lsm name and id slot mappings Casey Schaufler
2022-09-27 19:53 ` [PATCH v38 11/39] IMA: avoid label collisions with stacked LSMs Casey Schaufler
2022-09-27 19:53 ` [PATCH v38 12/39] LSM: Use lsmblob in security_audit_rule_match Casey Schaufler
2022-09-27 19:53 ` [PATCH v38 13/39] LSM: Use lsmblob in security_kernel_act_as Casey Schaufler
2022-09-27 19:53 ` [PATCH v38 14/39] LSM: Use lsmblob in security_secctx_to_secid Casey Schaufler
2022-09-27 19:53 ` [PATCH v38 15/39] LSM: Use lsmblob in security_secid_to_secctx Casey Schaufler
2022-09-27 19:53 ` [PATCH v38 16/39] LSM: Use lsmblob in security_ipc_getsecid Casey Schaufler
2022-09-27 19:53 ` [PATCH v38 17/39] LSM: Use lsmblob in security_current_getsecid Casey Schaufler
2022-09-27 19:54 ` [PATCH v38 18/39] LSM: Use lsmblob in security_inode_getsecid Casey Schaufler
2022-09-27 19:54 ` [PATCH v38 19/39] LSM: Use lsmblob in security_cred_getsecid Casey Schaufler
2022-09-27 19:54 ` [PATCH v38 20/39] LSM: Specify which LSM to display Casey Schaufler
2022-10-12 21:19 ` Mickaël Salaün
2022-09-27 19:54 ` [PATCH v38 21/39] LSM: Ensure the correct LSM context releaser Casey Schaufler
2022-09-27 19:54 ` [PATCH v38 22/39] LSM: Use lsmcontext in security_secid_to_secctx Casey Schaufler
2022-09-27 19:54 ` [PATCH v38 23/39] LSM: Use lsmcontext in security_inode_getsecctx Casey Schaufler
2022-09-27 19:54 ` Casey Schaufler [this message]
2022-09-27 19:54 ` [PATCH v38 25/39] LSM: security_secid_to_secctx in netlink netfilter Casey Schaufler
2022-09-27 19:54 ` [PATCH v38 26/39] NET: Store LSM netlabel data in a lsmblob Casey Schaufler
2022-09-27 19:54 ` [PATCH v38 27/39] binder: Pass LSM identifier for confirmation Casey Schaufler
2022-09-27 19:54 ` [PATCH v38 28/39] LSM: security_secid_to_secctx module selection Casey Schaufler
2022-09-27 19:54 ` [PATCH v38 29/39] Audit: Keep multiple LSM data in audit_names Casey Schaufler
2022-09-27 19:54 ` [PATCH v38 30/39] Audit: Create audit_stamp structure Casey Schaufler
2022-09-27 19:54 ` [PATCH v38 31/39] LSM: Add a function to report multiple LSMs Casey Schaufler
2022-09-27 19:54 ` [PATCH v38 32/39] Audit: Allow multiple records in an audit_buffer Casey Schaufler
2022-09-27 19:54 ` [PATCH v38 33/39] Audit: Add record for multiple task security contexts Casey Schaufler
2022-09-27 19:54 ` [PATCH v38 34/39] audit: multiple subject lsm values for netlabel Casey Schaufler
2022-09-27 19:54 ` [PATCH v38 35/39] Audit: Add record for multiple object contexts Casey Schaufler
2022-09-27 19:54 ` [PATCH v38 36/39] netlabel: Use a struct lsmblob in audit data Casey Schaufler
2022-09-27 19:54 ` [PATCH v38 37/39] LSM: Removed scaffolding function lsmcontext_init Casey Schaufler
2022-09-27 19:54 ` [PATCH v38 38/39] AppArmor: Remove the exclusive flag Casey Schaufler
2022-09-27 20:31 ` [PATCH v38 39/39] LSM: Create lsm_module_list system call Casey Schaufler
2022-09-28 14:27 ` kernel test robot
2022-10-12 21:19 ` Mickaël Salaün
2022-10-20 20:28 ` Casey Schaufler
2022-10-12 22:04 ` Kees Cook
2022-10-25 0:39 ` Casey Schaufler
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20220927195421.14713-25-casey@schaufler-ca.com \
--to=casey@schaufler-ca.com \
--cc=casey.schaufler@intel.com \
--cc=jmorris@namei.org \
--cc=john.johansen@canonical.com \
--cc=linux-audit@redhat.com \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-security-module@vger.kernel.org \
--cc=paul@paul-moore.com \
--cc=selinux@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox