From: Casey Schaufler <casey@schaufler-ca.com>
To: casey@schaufler-ca.com, paul@paul-moore.com,
	linux-security-module@vger.kernel.org
Cc: jmorris@namei.org, serge@hallyn.com, keescook@chromium.org,
	john.johansen@canonical.com, penguin-kernel@i-love.sakura.ne.jp,
	stephen.smalley.work@gmail.com, mic@digikod.net
Subject: [PATCH 3/6] LSM: Add helper for blob allocations
Date: Mon,  8 Jul 2024 14:39:54 -0700	[thread overview]
Message-ID: <20240708213957.20519-4-casey@schaufler-ca.com> (raw)
In-Reply-To: <20240708213957.20519-1-casey@schaufler-ca.com>

Create a helper function lsm_blob_alloc() for general use in the hook
specific functions that allocate LSM blobs. Change the hook specific
functions to use this helper. This reduces the code size by a small
amount and will make adding new instances of infrastructure managed
security blobs easier.

Signed-off-by: Casey Schaufler <casey@schaufler-ca.com>
---
 security/security.c | 97 +++++++++++++++------------------------------
 1 file changed, 33 insertions(+), 64 deletions(-)

diff --git a/security/security.c b/security/security.c
index aae37481b7be..438ec6708eb3 100644
--- a/security/security.c
+++ b/security/security.c
@@ -605,27 +605,42 @@ int unregister_blocking_lsm_notifier(struct notifier_block *nb)
 EXPORT_SYMBOL(unregister_blocking_lsm_notifier);
 
 /**
- * lsm_cred_alloc - allocate a composite cred blob
- * @cred: the cred that needs a blob
+ * lsm_blob_alloc - allocate a composite blob
+ * @dest: the destination for the blob
+ * @size: the size of the blob
  * @gfp: allocation type
  *
- * Allocate the cred blob for all the modules
+ * Allocate a blob for all the modules
  *
  * Returns 0, or -ENOMEM if memory can't be allocated.
  */
-static int lsm_cred_alloc(struct cred *cred, gfp_t gfp)
+static int lsm_blob_alloc(void **dest, size_t size, gfp_t gfp)
 {
-	if (blob_sizes.lbs_cred == 0) {
-		cred->security = NULL;
+	if (size == 0) {
+		*dest = NULL;
 		return 0;
 	}
 
-	cred->security = kzalloc(blob_sizes.lbs_cred, gfp);
-	if (cred->security == NULL)
+	*dest = kzalloc(size, gfp);
+	if (*dest == NULL)
 		return -ENOMEM;
 	return 0;
 }
 
+/**
+ * lsm_cred_alloc - allocate a composite cred blob
+ * @cred: the cred that needs a blob
+ * @gfp: allocation type
+ *
+ * Allocate the cred blob for all the modules
+ *
+ * Returns 0, or -ENOMEM if memory can't be allocated.
+ */
+static int lsm_cred_alloc(struct cred *cred, gfp_t gfp)
+{
+	return lsm_blob_alloc(&cred->security, blob_sizes.lbs_cred, gfp);
+}
+
 /**
  * lsm_early_cred - during initialization allocate a composite cred blob
  * @cred: the cred that needs a blob
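Review bot: The kernel-doc for the new lsm_blob_alloc() leaves out two properties the converted callers in the later hunks now rely on: @dest is written on every path (set to NULL when @size is 0, per the first branch) and a non-zero @size yields a zero-filled blob because the allocation goes through kzalloc(). I would change the parameter line to `@dest: the destination for the blob; set to NULL when @size is 0` and the body line to `Allocate a zero-filled blob for all the modules; @dest must not be NULL.`. The helper dereferences @dest unconditionally, so a NULL destination would fault; every call site in this patch passes the address of a struct member, which satisfies that contract, but the doc should say so for future callers. lsm_cred_alloc() is fully covered by the hunk; the lsm_early_cred() comment that follows continues outside it.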
@@ -692,15 +707,7 @@ int lsm_inode_alloc(struct inode *inode)
  */
 static int lsm_task_alloc(struct task_struct *task)
 {
-	if (blob_sizes.lbs_task == 0) {
-		task->security = NULL;
-		return 0;
-	}
-
-	task->security = kzalloc(blob_sizes.lbs_task, GFP_KERNEL);
-	if (task->security == NULL)
-		return -ENOMEM;
-	return 0;
+	return lsm_blob_alloc(&task->security, blob_sizes.lbs_task, GFP_KERNEL);
 }
 
 /**
@@ -713,15 +720,7 @@ static int lsm_task_alloc(struct task_struct *task)
  */
 static int lsm_ipc_alloc(struct kern_ipc_perm *kip)
 {
-	if (blob_sizes.lbs_ipc == 0) {
-		kip->security = NULL;
-		return 0;
-	}
-
-	kip->security = kzalloc(blob_sizes.lbs_ipc, GFP_KERNEL);
-	if (kip->security == NULL)
-		return -ENOMEM;
-	return 0;
+	return lsm_blob_alloc(&kip->security, blob_sizes.lbs_ipc, GFP_KERNEL);
 }
 
 #ifdef CONFIG_KEYS
@@ -735,15 +734,7 @@ static int lsm_ipc_alloc(struct kern_ipc_perm *kip)
  */
 static int lsm_key_alloc(struct key *key)
 {
-	if (blob_sizes.lbs_key == 0) {
-		key->security = NULL;
-		return 0;
-	}
-
-	key->security = kzalloc(blob_sizes.lbs_key, GFP_KERNEL);
-	if (key->security == NULL)
-		return -ENOMEM;
-	return 0;
+	return lsm_blob_alloc(&key->security, blob_sizes.lbs_key, GFP_KERNEL);
 }
 #endif /* CONFIG_KEYS */
 
@@ -757,15 +748,8 @@ static int lsm_key_alloc(struct key *key)
  */
 static int lsm_msg_msg_alloc(struct msg_msg *mp)
 {
-	if (blob_sizes.lbs_msg_msg == 0) {
-		mp->security = NULL;
-		return 0;
-	}
-
-	mp->security = kzalloc(blob_sizes.lbs_msg_msg, GFP_KERNEL);
-	if (mp->security == NULL)
-		return -ENOMEM;
-	return 0;
+	return lsm_blob_alloc(&mp->security, blob_sizes.lbs_msg_msg,
+			      GFP_KERNEL);
 }
 
 /**
@@ -792,15 +776,8 @@ static void __init lsm_early_task(struct task_struct *task)
  */
 static int lsm_superblock_alloc(struct super_block *sb)
 {
-	if (blob_sizes.lbs_superblock == 0) {
-		sb->s_security = NULL;
-		return 0;
-	}
-
-	sb->s_security = kzalloc(blob_sizes.lbs_superblock, GFP_KERNEL);
-	if (sb->s_security == NULL)
-		return -ENOMEM;
-	return 0;
+	return lsm_blob_alloc(&sb->s_security, blob_sizes.lbs_superblock,
+			      GFP_KERNEL);
 }
 
 /**
@@ -4682,23 +4659,15 @@ EXPORT_SYMBOL(security_socket_getpeersec_dgram);
 /**
  * lsm_sock_alloc - allocate a composite sock blob
  * @sock: the sock that needs a blob
- * @priority: allocation mode
+ * @gfp: allocation mode
  *
  * Allocate the sock blob for all the modules
  *
  * Returns 0, or -ENOMEM if memory can't be allocated.
  */
-static int lsm_sock_alloc(struct sock *sock, gfp_t priority)
+static int lsm_sock_alloc(struct sock *sock, gfp_t gfp)
 {
-	if (blob_sizes.lbs_sock == 0) {
-		sock->sk_security = NULL;
-		return 0;
-	}
-
-	sock->sk_security = kzalloc(blob_sizes.lbs_sock, priority);
-	if (sock->sk_security == NULL)
-		return -ENOMEM;
-	return 0;
+	return lsm_blob_alloc(&sock->sk_security, blob_sizes.lbs_sock, gfp);
 }
 
 /**
-- 
2.41.0

