[PATCH v2 48/49] selinux: repair security_fs_use() interface and its users

[Stephen Smalley <stephen.smalley.work@gmail.com>]

The security server interfaces were meant to be independent of
the core kernel data structures and security blobs. Originally
security_fs_use() passed the fstype, behavior, and sid parameters
explicitly, but this was later simplified to just pass the
superblock structure and set fields in the superblock security
blob directly, breaking this layering. With the introduction of
the global SID table, we need to map the SID returned by the
security server to a global SID, which is less straightforward
in the absence of proper layering. Revert the security_fs_use()
interface and implementation to its original form and update the
callers. This is not a performance-critical path regardless and
any small benefit from passing the single superblock pointer
instead of the three separate parameters is not worth the
maintainability cost.

Signed-off-by: Stephen Smalley <stephen.smalley.work@gmail.com>
---
 security/selinux/global_sidtab.c      | 22 +++++++---------------
 security/selinux/hooks.c              |  7 +++++--
 security/selinux/include/security.h   |  8 +++++---
 security/selinux/include/selinux_ss.h |  3 ++-
 security/selinux/ss/services.c        | 24 ++++++++++++------------
 5 files changed, 31 insertions(+), 33 deletions(-)

diff --git a/security/selinux/global_sidtab.c b/security/selinux/global_sidtab.c
index 396efd98e064..e1acf6607788 100644
--- a/security/selinux/global_sidtab.c
+++ b/security/selinux/global_sidtab.c
@@ -691,33 +691,25 @@ int security_net_peersid_resolve(struct selinux_state *state, u32 nlbl_sid,
 	return map_ss_sid_to_global(state, ss_outsid, out_sid, GFP_ATOMIC);
 }
 
-// only required for (mis)use of superblock_security_struct + selinux_superblock() below.
-// TODO Remove when security_fs_use() interface is repaired
-#include "objsec.h"
-
-int security_fs_use(struct selinux_state *state, struct super_block *sb)
+int security_fs_use(struct selinux_state *state, const char *fstype,
+		    unsigned short *behavior, u32 *sid)
 {
 	int rc;
-	struct superblock_security_struct *sbsec = selinux_superblock(sb);
 
 	if (!selinux_initialized(state)) {
-		sbsec->behavior = SECURITY_FS_USE_NONE;
-		sbsec->sid = SECINITSID_UNLABELED;
+		*behavior = SECURITY_FS_USE_NONE;
+		*sid = SECINITSID_UNLABELED;
 		return 0;
 	}
 
-	// TODO - it was a mistake to have pushed direct access to
-	// sbsec into a security server function. Fix both that
-	// interface and here to explicitly return the behavior and
-	// SID via parameters to be set in the sbsec by the caller.
-	rc = selinux_ss_fs_use(state, sb);
+	rc = selinux_ss_fs_use(state, fstype, behavior, sid);
 	if (rc)
 		return rc;
 
-	if (sbsec->sid <= SECINITSID_NUM)
+	if (*sid <= SECINITSID_NUM)
 		return 0;
 
-	return map_ss_sid_to_global(state, sbsec->sid, &sbsec->sid, GFP_ATOMIC);
+	return map_ss_sid_to_global(state, *sid, sid, GFP_ATOMIC);
 }
 
 int security_genfs_sid(struct selinux_state *state, const char *fstype,
diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c
index a9b5879cdd62..06a5ffaebafd 100644
--- a/security/selinux/hooks.c
+++ b/security/selinux/hooks.c
@@ -762,7 +762,8 @@ static int selinux_set_mnt_opts(struct super_block *sb,
 		 * Determine the labeling behavior to use for this
 		 * filesystem type.
 		 */
-		rc = security_fs_use(current_selinux_state, sb);
+		rc = security_fs_use(current_selinux_state, sb->s_type->name,
+				     &sbsec->behavior, &sbsec->sid);
 		if (rc) {
 			pr_warn("%s: security_fs_use(%s) returned %d\n",
 					__func__, sb->s_type->name, rc);
@@ -973,7 +974,9 @@ static int selinux_sb_clone_mnt_opts(const struct super_block *oldsb,
 
 	if (newsbsec->behavior == SECURITY_FS_USE_NATIVE &&
 		!(kern_flags & SECURITY_LSM_NATIVE_LABELS) && !set_context) {
-		rc = security_fs_use(current_selinux_state, newsb);
+		rc = security_fs_use(current_selinux_state,
+				     newsb->s_type->name,
+				     &newsbsec->behavior, &newsbsec->sid);
 		if (rc)
 			goto out;
 	}
diff --git a/security/selinux/include/security.h b/security/selinux/include/security.h
index 7aac5c4e4991..d1f65e0741a8 100644
--- a/security/selinux/include/security.h
+++ b/security/selinux/include/security.h
@@ -587,7 +587,8 @@ int security_get_allow_unknown(struct selinux_state *state);
 #define SECURITY_FS_USE_MAX	 7 /* Highest SECURITY_FS_USE_XXX */
 
 #ifdef CONFIG_SECURITY_SELINUX_NS
-int security_fs_use(struct selinux_state *state, struct super_block *sb);
+int security_fs_use(struct selinux_state *state, const char *fstype,
+		    unsigned short *behavior, u32 *sid);
 
 int security_genfs_sid(struct selinux_state *state, const char *fstype,
 		       const char *path, u16 sclass, u32 *sid);
@@ -596,9 +597,10 @@ int selinux_policy_genfs_sid(struct selinux_policy *policy, const char *fstype,
 			     const char *path, u16 sclass, u32 *sid);
 #else
 static inline int security_fs_use(struct selinux_state *state,
-				  struct super_block *sb)
+				  const char *fstype, unsigned short *behavior,
+				  u32 *sid)
 {
-	return selinux_ss_fs_use(state, sb);
+	return selinux_ss_fs_use(state, fstype, behavior, sid);
 }
 
 static inline int security_genfs_sid(struct selinux_state *state,
diff --git a/security/selinux/include/selinux_ss.h b/security/selinux/include/selinux_ss.h
index d1f526475b53..e7b5346d2b49 100644
--- a/security/selinux/include/selinux_ss.h
+++ b/security/selinux/include/selinux_ss.h
@@ -94,7 +94,8 @@ int selinux_ss_sid_mls_copy(struct selinux_state *state, u32 sid, u32 mls_sid,
 int selinux_ss_net_peersid_resolve(struct selinux_state *state, u32 nlbl_sid,
 				   u32 nlbl_type, u32 xfrm_sid, u32 *peer_sid);
 
-int selinux_ss_fs_use(struct selinux_state *state, struct super_block *sb);
+int selinux_ss_fs_use(struct selinux_state *state, const char *fstype,
+		      unsigned short *behavior, u32 *sid);
 
 int selinux_ss_genfs_sid(struct selinux_state *state, const char *fstype,
 			 const char *path, u16 sclass, u32 *sid);
diff --git a/security/selinux/ss/services.c b/security/selinux/ss/services.c
index a98c9ff8b790..32eb57af8a7a 100644
--- a/security/selinux/ss/services.c
+++ b/security/selinux/ss/services.c
@@ -62,7 +62,6 @@
 #include "services.h"
 #include "conditional.h"
 #include "mls.h"
-#include "objsec.h"
 #include "netlabel.h"
 #include "xfrm.h"
 #include "ebitmap.h"
@@ -3008,21 +3007,22 @@ int selinux_ss_policy_genfs_sid(struct selinux_policy *policy,
 /**
  * selinux_ss_fs_use - Determine how to handle labeling for a filesystem.
  * @state: SELinux state
- * @sb: superblock in question
+ * @fstype: filesystem type
+ * @behavior: labeling behavior to apply
+ * @sid: SID for superblock
  */
-int selinux_ss_fs_use(struct selinux_state *state, struct super_block *sb)
+int selinux_ss_fs_use(struct selinux_state *state, const char *fstype,
+		      unsigned short *behavior, u32 *sid)
 {
 	struct selinux_policy *policy;
 	struct policydb *policydb;
 	struct sidtab *sidtab;
 	int rc;
 	struct ocontext *c;
-	struct superblock_security_struct *sbsec = selinux_superblock(sb);
-	const char *fstype = sb->s_type->name;
 
 	if (!selinux_initialized(state)) {
-		sbsec->behavior = SECURITY_FS_USE_NONE;
-		sbsec->sid = SECINITSID_UNLABELED;
+		*behavior = SECURITY_FS_USE_NONE;
+		*sid = SECINITSID_UNLABELED;
 		return 0;
 	}
 
@@ -3040,8 +3040,8 @@ int selinux_ss_fs_use(struct selinux_state *state, struct super_block *sb)
 	}
 
 	if (c) {
-		sbsec->behavior = c->v.behavior;
-		rc = ocontext_to_sid(sidtab, c, 0, &sbsec->sid);
+		*behavior = c->v.behavior;
+		rc = ocontext_to_sid(sidtab, c, 0, sid);
 		if (rc == -ESTALE) {
 			rcu_read_unlock();
 			goto retry;
@@ -3050,16 +3050,16 @@ int selinux_ss_fs_use(struct selinux_state *state, struct super_block *sb)
 			goto out;
 	} else {
 		rc = __security_genfs_sid(policy, fstype, "/",
-					SECCLASS_DIR, &sbsec->sid);
+					SECCLASS_DIR, sid);
 		if (rc == -ESTALE) {
 			rcu_read_unlock();
 			goto retry;
 		}
 		if (rc) {
-			sbsec->behavior = SECURITY_FS_USE_NONE;
+			*behavior = SECURITY_FS_USE_NONE;
 			rc = 0;
 		} else {
-			sbsec->behavior = SECURITY_FS_USE_GENFS;
+			*behavior = SECURITY_FS_USE_GENFS;
 		}
 	}
 
-- 
2.49.0