From: Song Liu <song@kernel.org>
To: linux-security-module@vger.kernel.org
Cc: paul@paul-moore.com, jmorris@namei.org, serge@hallyn.com,
kernel-team@meta.com, Song Liu <song@kernel.org>
Subject: [PATCH] lsm: Move security_netlink_send to under CONFIG_SECURITY_NETWORK
Date: Mon, 21 Apr 2025 15:52:50 -0700 [thread overview]
Message-ID: <20250421225250.2544754-1-song@kernel.org> (raw)
security_netlink_send() is a networking hook, so it fits better under
CONFIG_SECURITY_NETWORK.
Signed-off-by: Song Liu <song@kernel.org>
---
include/linux/security.h | 12 ++++++------
security/security.c | 36 ++++++++++++++++++------------------
2 files changed, 24 insertions(+), 24 deletions(-)
diff --git a/include/linux/security.h b/include/linux/security.h
index 25811836afb7..6a09318e2bf9 100644
--- a/include/linux/security.h
+++ b/include/linux/security.h
@@ -563,7 +563,6 @@ int security_setselfattr(unsigned int attr, struct lsm_ctx __user *ctx,
int security_getprocattr(struct task_struct *p, int lsmid, const char *name,
char **value);
int security_setprocattr(int lsmid, const char *name, void *value, size_t size);
-int security_netlink_send(struct sock *sk, struct sk_buff *skb);
int security_ismaclabel(const char *name);
int security_secid_to_secctx(u32 secid, struct lsm_context *cp);
int security_lsmprop_to_secctx(struct lsm_prop *prop, struct lsm_context *cp);
@@ -1527,11 +1526,6 @@ static inline int security_setprocattr(int lsmid, char *name, void *value,
return -EINVAL;
}
-static inline int security_netlink_send(struct sock *sk, struct sk_buff *skb)
-{
- return 0;
-}
-
static inline int security_ismaclabel(const char *name)
{
return 0;
@@ -1629,6 +1623,7 @@ static inline int security_watch_key(struct key *key)
#ifdef CONFIG_SECURITY_NETWORK
+int security_netlink_send(struct sock *sk, struct sk_buff *skb);
int security_unix_stream_connect(struct sock *sock, struct sock *other, struct sock *newsk);
int security_unix_may_send(struct socket *sock, struct socket *other);
int security_socket_create(int family, int type, int protocol, int kern);
@@ -1684,6 +1679,11 @@ int security_sctp_assoc_established(struct sctp_association *asoc,
int security_mptcp_add_subflow(struct sock *sk, struct sock *ssk);
#else /* CONFIG_SECURITY_NETWORK */
+static inline int security_netlink_send(struct sock *sk, struct sk_buff *skb)
+{
+ return 0;
+}
+
static inline int security_unix_stream_connect(struct sock *sock,
struct sock *other,
struct sock *newsk)
diff --git a/security/security.c b/security/security.c
index dbfe95eb3064..0193bf8f1dae 100644
--- a/security/security.c
+++ b/security/security.c
@@ -4274,24 +4274,6 @@ int security_setprocattr(int lsmid, const char *name, void *value, size_t size)
return LSM_RET_DEFAULT(setprocattr);
}
-/**
- * security_netlink_send() - Save info and check if netlink sending is allowed
- * @sk: sending socket
- * @skb: netlink message
- *
- * Save security information for a netlink message so that permission checking
- * can be performed when the message is processed. The security information
- * can be saved using the eff_cap field of the netlink_skb_parms structure.
- * Also may be used to provide fine grained control over message transmission.
- *
- * Return: Returns 0 if the information was successfully saved and message is
- * allowed to be transmitted.
- */
-int security_netlink_send(struct sock *sk, struct sk_buff *skb)
-{
- return call_int_hook(netlink_send, sk, skb);
-}
-
/**
* security_ismaclabel() - Check if the named attribute is a MAC label
* @name: full extended attribute name
@@ -4481,6 +4463,24 @@ int security_watch_key(struct key *key)
#endif /* CONFIG_KEY_NOTIFICATIONS */
#ifdef CONFIG_SECURITY_NETWORK
+/**
+ * security_netlink_send() - Save info and check if netlink sending is allowed
+ * @sk: sending socket
+ * @skb: netlink message
+ *
+ * Save security information for a netlink message so that permission checking
+ * can be performed when the message is processed. The security information
+ * can be saved using the eff_cap field of the netlink_skb_parms structure.
+ * Also may be used to provide fine grained control over message transmission.
+ *
+ * Return: Returns 0 if the information was successfully saved and message is
+ * allowed to be transmitted.
+ */
+int security_netlink_send(struct sock *sk, struct sk_buff *skb)
+{
+ return call_int_hook(netlink_send, sk, skb);
+}
+
/**
* security_unix_stream_connect() - Check if a AF_UNIX stream is allowed
* @sock: originating sock
--
2.47.1
next reply other threads:[~2025-04-21 22:53 UTC|newest]
Thread overview: 2+ messages / expand[flat|nested] mbox.gz Atom feed top
2025-04-21 22:52 Song Liu [this message]
2025-04-22 19:34 ` [PATCH] lsm: Move security_netlink_send to under CONFIG_SECURITY_NETWORK Paul Moore
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20250421225250.2544754-1-song@kernel.org \
--to=song@kernel.org \
--cc=jmorris@namei.org \
--cc=kernel-team@meta.com \
--cc=linux-security-module@vger.kernel.org \
--cc=paul@paul-moore.com \
--cc=serge@hallyn.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox