* [PATCH 1/3] selinux: rename task_security_struct to cred_security_struct @ 2025-11-19 2:03 Paul Moore 2025-11-19 2:03 ` [PATCH 2/3] selinux: move avdcache to per-task security struct Paul Moore 2025-11-19 2:03 ` [PATCH 3/3] selinux: rename the cred_security_struct variables to "crsec" Paul Moore 0 siblings, 2 replies; 8+ messages in thread From: Paul Moore @ 2025-11-19 2:03 UTC (permalink / raw) To: selinux; +Cc: Stephen Smalley From: Stephen Smalley <stephen.smalley.work@gmail.com> Before Linux had cred structures, the SELinux task_security_struct was per-task and although the structure was switched to being per-cred long ago, the name was never updated. This change renames it to cred_security_struct to avoid confusion and pave the way for the introduction of an actual per-task security structure for SELinux. No functional change. Cc: stable@vger.kernel.org Signed-off-by: Stephen Smalley <stephen.smalley.work@gmail.com> Signed-off-by: Paul Moore <paul@paul-moore.com> --- security/selinux/hooks.c | 68 +++++++++++++++---------------- security/selinux/include/objsec.h | 8 ++-- 2 files changed, 38 insertions(+), 38 deletions(-) diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c index dfc22da42f30..0890e7ee84c9 100644 --- a/security/selinux/hooks.c +++ b/security/selinux/hooks.c @@ -210,7 +210,7 @@ static int selinux_lsm_notifier_avc_callback(u32 event) */ static void cred_init_security(void) { - struct task_security_struct *tsec; + struct cred_security_struct *tsec; /* NOTE: the lsm framework zeros out the buffer on allocation */ @@ -223,7 +223,7 @@ static void cred_init_security(void) */ static inline u32 cred_sid(const struct cred *cred) { - const struct task_security_struct *tsec; + const struct cred_security_struct *tsec; tsec = selinux_cred(cred); return tsec->sid; 
@@ -437,7 +437,7 @@ static int may_context_mount_sb_relabel(u32 sid, struct superblock_security_struct *sbsec, const struct cred *cred) { - const struct task_security_struct *tsec = selinux_cred(cred); + const struct cred_security_struct *tsec = selinux_cred(cred); int rc; rc = avc_has_perm(tsec->sid, sbsec->sid, SECCLASS_FILESYSTEM, @@ -454,7 +454,7 @@ static int may_context_mount_inode_relabel(u32 sid, struct superblock_security_struct *sbsec, const struct cred *cred) { - const struct task_security_struct *tsec = selinux_cred(cred); + const struct cred_security_struct *tsec = selinux_cred(cred); int rc; rc = avc_has_perm(tsec->sid, sbsec->sid, SECCLASS_FILESYSTEM, FILESYSTEM__RELABELFROM, NULL); @@ -1788,7 +1788,7 @@ static int file_has_perm(const struct cred *cred, * Determine the label for an inode that might be unioned. */ static int -selinux_determine_inode_label(const struct task_security_struct *tsec, +selinux_determine_inode_label(const struct cred_security_struct *tsec, struct inode *dir, const struct qstr *name, u16 tclass, u32 *_new_isid) @@ -1817,7 +1817,7 @@ static int may_create(struct inode *dir, struct dentry *dentry, u16 tclass) { - const struct task_security_struct *tsec = selinux_cred(current_cred()); + const struct cred_security_struct *tsec = selinux_cred(current_cred()); struct inode_security_struct *dsec; struct superblock_security_struct *sbsec; u32 sid, newsid; @@ -2251,8 +2251,8 @@ static u32 ptrace_parent_sid(void) } static int check_nnp_nosuid(const struct linux_binprm *bprm, - const struct task_security_struct *old_tsec, - const struct task_security_struct *new_tsec) + const struct cred_security_struct *old_tsec, + const struct cred_security_struct *new_tsec) { int nnp = (bprm->unsafe & LSM_UNSAFE_NO_NEW_PRIVS); int nosuid = !mnt_may_suid(bprm->file->f_path.mnt); 
@@ -2305,8 +2305,8 @@ static int check_nnp_nosuid(const struct linux_binprm *bprm, static int selinux_bprm_creds_for_exec(struct linux_binprm *bprm) { - const struct task_security_struct *old_tsec; - struct task_security_struct *new_tsec; + const struct cred_security_struct *old_tsec; + struct cred_security_struct *new_tsec; struct inode_security_struct *isec; struct common_audit_data ad; struct inode *inode = file_inode(bprm->file); @@ -2483,7 +2483,7 @@ static inline void flush_unauthorized_files(const struct cred *cred, */ static void selinux_bprm_committing_creds(const struct linux_binprm *bprm) { - struct task_security_struct *new_tsec; + struct cred_security_struct *new_tsec; struct rlimit *rlim, *initrlim; int rc, i; @@ -2529,7 +2529,7 @@ static void selinux_bprm_committing_creds(const struct linux_binprm *bprm) */ static void selinux_bprm_committed_creds(const struct linux_binprm *bprm) { - const struct task_security_struct *tsec = selinux_cred(current_cred()); + const struct cred_security_struct *tsec = selinux_cred(current_cred()); u32 osid, sid; int rc; @@ -2911,7 +2911,7 @@ static int selinux_dentry_create_files_as(struct dentry *dentry, int mode, { u32 newsid; int rc; - struct task_security_struct *tsec; + struct cred_security_struct *tsec; rc = selinux_determine_inode_label(selinux_cred(old), d_inode(dentry->d_parent), name, @@ -2929,7 +2929,7 @@ static int selinux_inode_init_security(struct inode *inode, struct inode *dir, const struct qstr *qstr, struct xattr *xattrs, int *xattr_count) { - const struct task_security_struct *tsec = selinux_cred(current_cred()); + const struct cred_security_struct *tsec = selinux_cred(current_cred()); struct superblock_security_struct *sbsec; struct xattr *xattr = lsm_get_xattr_slot(xattrs, xattr_count); u32 newsid, clen; 
@@ -3110,7 +3110,7 @@ static noinline int audit_inode_permission(struct inode *inode, * Clear the task's AVD cache in @tsec and reset it to the current policy's * and task's info. */ -static inline void task_avdcache_reset(struct task_security_struct *tsec) +static inline void task_avdcache_reset(struct cred_security_struct *tsec) { memset(&tsec->avdcache.dir, 0, sizeof(tsec->avdcache.dir)); tsec->avdcache.sid = tsec->sid; @@ -3127,7 +3127,7 @@ static inline void task_avdcache_reset(struct task_security_struct *tsec) * Search @tsec for a AVD cache entry that matches @isec and return it to the * caller via @avdc. Returns 0 if a match is found, negative values otherwise. */ -static inline int task_avdcache_search(struct task_security_struct *tsec, +static inline int task_avdcache_search(struct cred_security_struct *tsec, struct inode_security_struct *isec, struct avdc_entry **avdc) { @@ -3167,7 +3167,7 @@ static inline int task_avdcache_search(struct task_security_struct *tsec, * Update the AVD cache in @tsec with the @avdc and @audited info associated * with @isec. */ -static inline void task_avdcache_update(struct task_security_struct *tsec, +static inline void task_avdcache_update(struct cred_security_struct *tsec, struct inode_security_struct *isec, struct av_decision *avd, u32 audited) @@ -3201,7 +3201,7 @@ static int selinux_inode_permission(struct inode *inode, int requested) { int mask; u32 perms; - struct task_security_struct *tsec; + struct cred_security_struct *tsec; struct inode_security_struct *isec; struct avdc_entry *avdc; int rc, rc2; @@ -3283,7 +3283,7 @@ static int selinux_inode_setattr(struct mnt_idmap *idmap, struct dentry *dentry, static int selinux_inode_getattr(const struct path *path) { - struct task_security_struct *tsec; + struct cred_security_struct *tsec; tsec = selinux_cred(current_cred()); 
@@ -3659,7 +3659,7 @@ static void selinux_inode_getlsmprop(struct inode *inode, struct lsm_prop *prop) static int selinux_inode_copy_up(struct dentry *src, struct cred **new) { struct lsm_prop prop; - struct task_security_struct *tsec; + struct cred_security_struct *tsec; struct cred *new_creds = *new; if (new_creds == NULL) { @@ -3697,7 +3697,7 @@ static int selinux_inode_copy_up_xattr(struct dentry *dentry, const char *name) static int selinux_kernfs_init_security(struct kernfs_node *kn_dir, struct kernfs_node *kn) { - const struct task_security_struct *tsec = selinux_cred(current_cred()); + const struct cred_security_struct *tsec = selinux_cred(current_cred()); u32 parent_sid, newsid, clen; int rc; char *context; @@ -4161,8 +4161,8 @@ static int selinux_task_alloc(struct task_struct *task, static int selinux_cred_prepare(struct cred *new, const struct cred *old, gfp_t gfp) { - const struct task_security_struct *old_tsec = selinux_cred(old); - struct task_security_struct *tsec = selinux_cred(new); + const struct cred_security_struct *old_tsec = selinux_cred(old); + struct cred_security_struct *tsec = selinux_cred(new); *tsec = *old_tsec; return 0; @@ -4173,8 +4173,8 @@ static int selinux_cred_prepare(struct cred *new, const struct cred *old, */ static void selinux_cred_transfer(struct cred *new, const struct cred *old) { - const struct task_security_struct *old_tsec = selinux_cred(old); - struct task_security_struct *tsec = selinux_cred(new); + const struct cred_security_struct *old_tsec = selinux_cred(old); + struct cred_security_struct *tsec = selinux_cred(new); *tsec = *old_tsec; } @@ -4195,7 +4195,7 @@ static void selinux_cred_getlsmprop(const struct cred *c, struct lsm_prop *prop) */ static int selinux_kernel_act_as(struct cred *new, u32 secid) { - struct task_security_struct *tsec = selinux_cred(new); + struct cred_security_struct *tsec = selinux_cred(new); u32 sid = current_sid(); int ret; 
@@ -4219,7 +4219,7 @@ static int selinux_kernel_act_as(struct cred *new, u32 secid) static int selinux_kernel_create_files_as(struct cred *new, struct inode *inode) { struct inode_security_struct *isec = inode_security(inode); - struct task_security_struct *tsec = selinux_cred(new); + struct cred_security_struct *tsec = selinux_cred(new); u32 sid = current_sid(); int ret; @@ -4744,7 +4744,7 @@ static int selinux_conn_sid(u32 sk_sid, u32 skb_sid, u32 *conn_sid) /* socket security operations */ -static int socket_sockcreate_sid(const struct task_security_struct *tsec, +static int socket_sockcreate_sid(const struct cred_security_struct *tsec, u16 secclass, u32 *socksid) { if (tsec->sockcreate_sid > SECSID_NULL) { @@ -4797,7 +4797,7 @@ static int sock_has_perm(struct sock *sk, u32 perms) static int selinux_socket_create(int family, int type, int protocol, int kern) { - const struct task_security_struct *tsec = selinux_cred(current_cred()); + const struct cred_security_struct *tsec = selinux_cred(current_cred()); u32 newsid; u16 secclass; int rc; @@ -4816,7 +4816,7 @@ static int selinux_socket_create(int family, int type, static int selinux_socket_post_create(struct socket *sock, int family, int type, int protocol, int kern) { - const struct task_security_struct *tsec = selinux_cred(current_cred()); + const struct cred_security_struct *tsec = selinux_cred(current_cred()); struct inode_security_struct *isec = inode_security_novalidate(SOCK_INODE(sock)); struct sk_security_struct *sksec; u16 sclass = socket_type_to_security_class(family, type, protocol); @@ -6526,7 +6526,7 @@ static void selinux_d_instantiate(struct dentry *dentry, struct inode *inode) static int selinux_lsm_getattr(unsigned int attr, struct task_struct *p, char **value) { - const struct task_security_struct *tsec; + const struct cred_security_struct *tsec; int error; u32 sid; u32 len; 
@@ -6581,7 +6581,7 @@ static int selinux_lsm_getattr(unsigned int attr, struct task_struct *p, static int selinux_lsm_setattr(u64 attr, void *value, size_t size) { - struct task_security_struct *tsec; + struct cred_security_struct *tsec; struct cred *new; u32 mysid = current_sid(), sid = 0, ptsid; int error; @@ -6876,7 +6876,7 @@ static int selinux_inode_getsecctx(struct inode *inode, struct lsm_context *cp) static int selinux_key_alloc(struct key *k, const struct cred *cred, unsigned long flags) { - const struct task_security_struct *tsec; + const struct cred_security_struct *tsec; struct key_security_struct *ksec = selinux_key(k); tsec = selinux_cred(cred); @@ -7137,7 +7137,7 @@ static int selinux_bpf_token_create(struct bpf_token *token, union bpf_attr *att #endif struct lsm_blob_sizes selinux_blob_sizes __ro_after_init = { - .lbs_cred = sizeof(struct task_security_struct), + .lbs_cred = sizeof(struct cred_security_struct), .lbs_file = sizeof(struct file_security_struct), .lbs_inode = sizeof(struct inode_security_struct), .lbs_ipc = sizeof(struct ipc_security_struct), diff --git a/security/selinux/include/objsec.h b/security/selinux/include/objsec.h index 2d5139c6d45b..e71ce352bc97 100644 --- a/security/selinux/include/objsec.h +++ b/security/selinux/include/objsec.h @@ -37,7 +37,7 @@ struct avdc_entry { bool permissive; /* AVC permissive flag */ }; -struct task_security_struct { +struct cred_security_struct { u32 osid; /* SID prior to last execve */ u32 sid; /* current SID */ u32 exec_sid; /* exec SID */ @@ -54,7 +54,7 @@ struct task_security_struct { } avdcache; } __randomize_layout; -static inline bool task_avdcache_permnoaudit(struct task_security_struct *tsec) +static inline bool task_avdcache_permnoaudit(struct cred_security_struct *tsec) { return (tsec->avdcache.permissive_neveraudit && tsec->sid == tsec->avdcache.sid && 
@@ -172,7 +172,7 @@ struct perf_event_security_struct { }; extern struct lsm_blob_sizes selinux_blob_sizes; -static inline struct task_security_struct *selinux_cred(const struct cred *cred) +static inline struct cred_security_struct *selinux_cred(const struct cred *cred) { return cred->security + selinux_blob_sizes.lbs_cred; } @@ -207,7 +207,7 @@ selinux_ipc(const struct kern_ipc_perm *ipc) */ static inline u32 current_sid(void) { - const struct task_security_struct *tsec = selinux_cred(current_cred()); + const struct cred_security_struct *tsec = selinux_cred(current_cred()); return tsec->sid; } -- 2.52.0 ^ permalink raw reply related [flat|nested] 8+ messages in thread
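Review bot: the Cc: stable@vger.kernel.org tag sits on a change the message itself describes as "No functional change"; a pure rename does not normally qualify for stable on its own, so if it is being tagged because 2/3 (the Fixes: patch for the avdcache) cannot apply without it, say so in the message, e.g. "Cc'd to stable as a prerequisite for the following avdcache fix", so backporters know why they need this patch.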
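Review bot: after the rename, task_avdcache_reset(), task_avdcache_search(), task_avdcache_update() and task_avdcache_permnoaudit() keep their task_ prefix and tsec parameter name while now taking a struct cred_security_struct *, which is exactly the task/cred confusion the message says the rename is meant to remove. This is transitional, since 2/3 moves the avdcache into a real per-task struct, but one sentence in the message noting that the avdcache helpers are deliberately left for the follow-up would stop a reader of this commit alone from flagging it.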
* [PATCH 2/3] selinux: move avdcache to per-task security struct 2025-11-19 2:03 [PATCH 1/3] selinux: rename task_security_struct to cred_security_struct Paul Moore @ 2025-11-19 2:03 ` Paul Moore 2025-11-19 15:50 ` Paul Moore 2025-11-19 2:03 ` [PATCH 3/3] selinux: rename the cred_security_struct variables to "crsec" Paul Moore 1 sibling, 1 reply; 8+ messages in thread From: Paul Moore @ 2025-11-19 2:03 UTC (permalink / raw) To: selinux; +Cc: Stephen Smalley From: Stephen Smalley <stephen.smalley.work@gmail.com> The avdcache is meant to be per-task; move it to a new task_security_struct that is duplicated per-task. Cc: stable@vger.kernel.org Fixes: 5d7ddc59b3d89b724a5aa8f30d0db94ff8d2d93f ("selinux: reduce path walk overhead") Signed-off-by: Stephen Smalley <stephen.smalley.work@gmail.com> Signed-off-by: Paul Moore <paul@paul-moore.com> --- security/selinux/hooks.c | 31 ++++++++++++++++++------------- security/selinux/include/objsec.h | 13 +++++++++++-- 2 files changed, 29 insertions(+), 15 deletions(-) diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c index 0890e7ee84c9..0ac4b05eb56c 100644 --- a/security/selinux/hooks.c +++ b/security/selinux/hooks.c @@ -215,7 +215,7 @@ static void cred_init_security(void) /* NOTE: the lsm framework zeros out the buffer on allocation */ tsec = selinux_cred(unrcu_pointer(current->real_cred)); - tsec->osid = tsec->sid = tsec->avdcache.sid = SECINITSID_KERNEL; + tsec->osid = tsec->sid = SECINITSID_KERNEL; } /* 
@@ -3110,10 +3110,10 @@ static noinline int audit_inode_permission(struct inode *inode, * Clear the task's AVD cache in @tsec and reset it to the current policy's * and task's info. */ -static inline void task_avdcache_reset(struct cred_security_struct *tsec) +static inline void task_avdcache_reset(struct task_security_struct *tsec) { memset(&tsec->avdcache.dir, 0, sizeof(tsec->avdcache.dir)); - tsec->avdcache.sid = tsec->sid; + tsec->avdcache.sid = current_sid(); tsec->avdcache.seqno = avc_policy_seqno(); tsec->avdcache.dir_spot = TSEC_AVDC_DIR_SIZE - 1; } @@ -3127,7 +3127,7 @@ static inline void task_avdcache_reset(struct cred_security_struct *tsec) * Search @tsec for a AVD cache entry that matches @isec and return it to the * caller via @avdc. Returns 0 if a match is found, negative values otherwise. */ -static inline int task_avdcache_search(struct cred_security_struct *tsec, +static inline int task_avdcache_search(struct task_security_struct *tsec, struct inode_security_struct *isec, struct avdc_entry **avdc) { @@ -3137,7 +3137,7 @@ static inline int task_avdcache_search(struct cred_security_struct *tsec, if (isec->sclass != SECCLASS_DIR) return -ENOENT; - if (unlikely(tsec->sid != tsec->avdcache.sid || + if (unlikely(current_sid() != tsec->avdcache.sid || tsec->avdcache.seqno != avc_policy_seqno())) { task_avdcache_reset(tsec); return -ENOENT; @@ -3167,7 +3167,7 @@ static inline int task_avdcache_search(struct cred_security_struct *tsec, * Update the AVD cache in @tsec with the @avdc and @audited info associated * with @isec. */ -static inline void task_avdcache_update(struct cred_security_struct *tsec, +static inline void task_avdcache_update(struct task_security_struct *tsec, struct inode_security_struct *isec, struct av_decision *avd, u32 audited) 
@@ -3201,7 +3201,8 @@ static int selinux_inode_permission(struct inode *inode, int requested) { int mask; u32 perms; - struct cred_security_struct *tsec; + u32 sid = current_sid(); + struct task_security_struct *tsec; struct inode_security_struct *isec; struct avdc_entry *avdc; int rc, rc2; @@ -3213,8 +3214,8 @@ static int selinux_inode_permission(struct inode *inode, int requested) if (!mask) return 0; - tsec = selinux_cred(current_cred()); - if (task_avdcache_permnoaudit(tsec)) + tsec = selinux_task(current); + if (task_avdcache_permnoaudit(tsec, sid)) return 0; isec = inode_security_rcu(inode, requested & MAY_NOT_BLOCK); @@ -3234,7 +3235,7 @@ static int selinux_inode_permission(struct inode *inode, int requested) struct av_decision avd; /* Cache miss. */ - rc = avc_has_perm_noaudit(tsec->sid, isec->sid, isec->sclass, + rc = avc_has_perm_noaudit(sid, isec->sid, isec->sclass, perms, 0, &avd); audited = avc_audit_required(perms, &avd, rc, (requested & MAY_ACCESS) ? FILE__AUDIT_ACCESS : 0, @@ -3283,11 +3284,11 @@ static int selinux_inode_setattr(struct mnt_idmap *idmap, struct dentry *dentry, static int selinux_inode_getattr(const struct path *path) { - struct cred_security_struct *tsec; + struct task_security_struct *tsec; - tsec = selinux_cred(current_cred()); + tsec = selinux_task(current); - if (task_avdcache_permnoaudit(tsec)) + if (task_avdcache_permnoaudit(tsec, current_sid())) return 0; return path_has_perm(current_cred(), path, FILE__GETATTR); @@ -4151,7 +4152,10 @@ static int selinux_task_alloc(struct task_struct *task, u64 clone_flags) { u32 sid = current_sid(); + struct task_security_struct *old_tsec = selinux_task(current); + struct task_security_struct *new_tsec = selinux_task(task); + *new_tsec = *old_tsec; return avc_has_perm(sid, sid, SECCLASS_PROCESS, PROCESS__FORK, NULL); } 
@@ -7138,6 +7142,7 @@ static int selinux_bpf_token_create(struct bpf_token *token, union bpf_attr *att struct lsm_blob_sizes selinux_blob_sizes __ro_after_init = { .lbs_cred = sizeof(struct cred_security_struct), + .lbs_task = sizeof(struct task_security_struct), .lbs_file = sizeof(struct file_security_struct), .lbs_inode = sizeof(struct inode_security_struct), .lbs_ipc = sizeof(struct ipc_security_struct), diff --git a/security/selinux/include/objsec.h b/security/selinux/include/objsec.h index e71ce352bc97..6cc5104fd2f2 100644 --- a/security/selinux/include/objsec.h +++ b/security/selinux/include/objsec.h @@ -44,6 +44,9 @@ struct cred_security_struct { u32 create_sid; /* fscreate SID */ u32 keycreate_sid; /* keycreate SID */ u32 sockcreate_sid; /* fscreate SID */ +} __randomize_layout; + +struct task_security_struct { #define TSEC_AVDC_DIR_SIZE (1 << 2) struct { u32 sid; /* current SID for cached entries */ @@ -54,10 +57,11 @@ struct cred_security_struct { } avdcache; } __randomize_layout; -static inline bool task_avdcache_permnoaudit(struct cred_security_struct *tsec) +static inline bool task_avdcache_permnoaudit(struct task_security_struct *tsec, + u32 sid) { return (tsec->avdcache.permissive_neveraudit && - tsec->sid == tsec->avdcache.sid && + sid == tsec->avdcache.sid && tsec->avdcache.seqno == avc_policy_seqno()); } @@ -177,6 +181,11 @@ static inline struct cred_security_struct *selinux_cred(const struct cred *cred) return cred->security + selinux_blob_sizes.lbs_cred; } +static inline struct task_security_struct *selinux_task(const struct task_struct *task) +{ + return task->security + selinux_blob_sizes.lbs_task; +} + static inline struct file_security_struct *selinux_file(const struct file *file) { return file->f_security + selinux_blob_sizes.lbs_file; -- 2.52.0 ^ permalink raw reply related [flat|nested] 8+ messages in thread
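Review bot: task_avdcache_permnoaudit() now takes the caller's sid as a parameter, but task_avdcache_reset() and task_avdcache_search() still call current_sid() internally, so the three helpers are only correct when tsec == selinux_task(current); every caller in this patch does pass selinux_task(current), but the split interface makes that assumption easy to break later. Consider passing sid into task_avdcache_reset()/task_avdcache_search() as well (the selinux_inode_permission() hunk already has u32 sid = current_sid() in scope), or at least document on the helpers that @tsec must belong to current.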
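Review bot: selinux_task_alloc() copies the parent's whole avdcache into the child with *new_tsec = *old_tsec, which is what "duplicated per-task" in the message means, but the message does not say why inheriting another task's cache entries is safe: the child's lookups still go through the current_sid() != tsec->avdcache.sid and tsec->avdcache.seqno != avc_policy_seqno() checks in task_avdcache_search(), so a child that later changes SID, or a policy reload, resets the inherited entries before they are used. The same reasoning covers the cred_init_security() hunk, which drops the tsec->avdcache.sid = SECINITSID_KERNEL seeding and now relies on the init task's zeroed task blob failing that SID comparison on first lookup; a sentence on both points in the message would help stable reviewers.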
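Review bot: the Fixes: tag uses the full 40-character hash; kernel convention is the 12-character abbreviation, i.e. Fixes: 5d7ddc59b3d8 ("selinux: reduce path walk overhead"). Unrelated but visible in the objsec.h context of this patch: the sockcreate_sid field is still commented /* fscreate SID */, which looks like a copy-paste of the create_sid comment and could be corrected while the struct is being split.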
* Re: [PATCH 2/3] selinux: move avdcache to per-task security struct 2025-11-19 2:03 ` [PATCH 2/3] selinux: move avdcache to per-task security struct Paul Moore @ 2025-11-19 15:50 ` Paul Moore 2025-11-19 15:58 ` Stephen Smalley 0 siblings, 1 reply; 8+ messages in thread From: Paul Moore @ 2025-11-19 15:50 UTC (permalink / raw) To: selinux; +Cc: Stephen Smalley On Tue, Nov 18, 2025 at 9:03 PM Paul Moore <paul@paul-moore.com> wrote: > > From: Stephen Smalley <stephen.smalley.work@gmail.com> > > The avdcache is meant to be per-task; move it to a new > task_security_struct that is duplicated per-task. > > Cc: stable@vger.kernel.org > Fixes: 5d7ddc59b3d89b724a5aa8f30d0db94ff8d2d93f ("selinux: reduce path walk overhead") > Signed-off-by: Stephen Smalley <stephen.smalley.work@gmail.com> > Signed-off-by: Paul Moore <paul@paul-moore.com> > --- > security/selinux/hooks.c | 31 ++++++++++++++++++------------- > security/selinux/include/objsec.h | 13 +++++++++++-- > 2 files changed, 29 insertions(+), 15 deletions(-) ... > diff --git a/security/selinux/include/objsec.h b/security/selinux/include/objsec.h > index e71ce352bc97..6cc5104fd2f2 100644 > --- a/security/selinux/include/objsec.h > +++ b/security/selinux/include/objsec.h > @@ -177,6 +181,11 @@ static inline struct cred_security_struct *selinux_cred(const struct cred *cred) > return cred->security + selinux_blob_sizes.lbs_cred; > } > > +static inline struct task_security_struct *selinux_task(const struct task_struct *task) > +{ > + return task->security + selinux_blob_sizes.lbs_task; > +} FYI, I just noticed this and fixed it, but selinux_task() needed to be wrapped to fit under 80 characters. -- paul-moore.com ^ permalink raw reply [flat|nested] 8+ messages in thread
* Re: [PATCH 2/3] selinux: move avdcache to per-task security struct 2025-11-19 15:50 ` Paul Moore @ 2025-11-19 15:58 ` Stephen Smalley 2025-11-19 16:01 ` Paul Moore 0 siblings, 1 reply; 8+ messages in thread From: Stephen Smalley @ 2025-11-19 15:58 UTC (permalink / raw) To: Paul Moore; +Cc: selinux On Wed, Nov 19, 2025 at 10:50 AM Paul Moore <paul@paul-moore.com> wrote: > > On Tue, Nov 18, 2025 at 9:03 PM Paul Moore <paul@paul-moore.com> wrote: > > > > From: Stephen Smalley <stephen.smalley.work@gmail.com> > > > > The avdcache is meant to be per-task; move it to a new > > task_security_struct that is duplicated per-task. > > > > Cc: stable@vger.kernel.org > > Fixes: 5d7ddc59b3d89b724a5aa8f30d0db94ff8d2d93f ("selinux: reduce path walk overhead") > > Signed-off-by: Stephen Smalley <stephen.smalley.work@gmail.com> > > Signed-off-by: Paul Moore <paul@paul-moore.com> > > --- > > security/selinux/hooks.c | 31 ++++++++++++++++++------------- > > security/selinux/include/objsec.h | 13 +++++++++++-- > > 2 files changed, 29 insertions(+), 15 deletions(-) > > ... > > > diff --git a/security/selinux/include/objsec.h b/security/selinux/include/objsec.h > > index e71ce352bc97..6cc5104fd2f2 100644 > > --- a/security/selinux/include/objsec.h > > +++ b/security/selinux/include/objsec.h > > @@ -177,6 +181,11 @@ static inline struct cred_security_struct *selinux_cred(const struct cred *cred) > > return cred->security + selinux_blob_sizes.lbs_cred; > > } > > > > +static inline struct task_security_struct *selinux_task(const struct task_struct *task) > > +{ > > + return task->security + selinux_blob_sizes.lbs_task; > > +} > > FYI, I just noticed this and fixed it, but selinux_task() needed to be > wrapped to fit under 80 characters. Ok, wasn't sure since we didn't wrap selinux_cred() but I guess it is just on the edge of 80. ^ permalink raw reply [flat|nested] 8+ messages in thread
* Re: [PATCH 2/3] selinux: move avdcache to per-task security struct 2025-11-19 15:58 ` Stephen Smalley @ 2025-11-19 16:01 ` Paul Moore 0 siblings, 0 replies; 8+ messages in thread From: Paul Moore @ 2025-11-19 16:01 UTC (permalink / raw) To: Stephen Smalley; +Cc: selinux On Wed, Nov 19, 2025 at 10:58 AM Stephen Smalley <stephen.smalley.work@gmail.com> wrote: > On Wed, Nov 19, 2025 at 10:50 AM Paul Moore <paul@paul-moore.com> wrote: > > On Tue, Nov 18, 2025 at 9:03 PM Paul Moore <paul@paul-moore.com> wrote: > > > > > > From: Stephen Smalley <stephen.smalley.work@gmail.com> > > > > > > The avdcache is meant to be per-task; move it to a new > > > task_security_struct that is duplicated per-task. > > > > > > Cc: stable@vger.kernel.org > > > Fixes: 5d7ddc59b3d89b724a5aa8f30d0db94ff8d2d93f ("selinux: reduce path walk overhead") > > > Signed-off-by: Stephen Smalley <stephen.smalley.work@gmail.com> > > > Signed-off-by: Paul Moore <paul@paul-moore.com> > > > --- > > > security/selinux/hooks.c | 31 ++++++++++++++++++------------- > > > security/selinux/include/objsec.h | 13 +++++++++++-- > > > 2 files changed, 29 insertions(+), 15 deletions(-) > > > > ... > > > > > diff --git a/security/selinux/include/objsec.h b/security/selinux/include/objsec.h > > > index e71ce352bc97..6cc5104fd2f2 100644 > > > --- a/security/selinux/include/objsec.h > > > +++ b/security/selinux/include/objsec.h 
> > > @@ -177,6 +181,11 @@ static inline struct cred_security_struct *selinux_cred(const struct cred *cred) > > > return cred->security + selinux_blob_sizes.lbs_cred; > > > } > > > > > > +static inline struct task_security_struct *selinux_task(const struct task_struct *task) > > > +{ > > > + return task->security + selinux_blob_sizes.lbs_task; > > > +} > > > > FYI, I just noticed this and fixed it, but selinux_task() needed to be > > wrapped to fit under 80 characters. > > Ok, wasn't sure since we didn't wrap selinux_cred() but I guess it is > just on the edge of 80. Also don't discount me simply missing something ;) -- paul-moore.com ^ permalink raw reply [flat|nested] 8+ messages in thread
* [PATCH 3/3] selinux: rename the cred_security_struct variables to "crsec" 2025-11-19 2:03 [PATCH 1/3] selinux: rename task_security_struct to cred_security_struct Paul Moore 2025-11-19 2:03 ` [PATCH 2/3] selinux: move avdcache to per-task security struct Paul Moore @ 2025-11-19 2:03 ` Paul Moore 2025-11-19 14:26 ` Stephen Smalley 1 sibling, 1 reply; 8+ messages in thread From: Paul Moore @ 2025-11-19 2:03 UTC (permalink / raw) To: selinux; +Cc: Stephen Smalley Along with the renaming from task_security_struct to cred_security_struct, rename the local variables to "crsec" from "tsec". This both fits with existing conventions and helps distinguish between task and cred related variables. No functional changes. Signed-off-by: Paul Moore <paul@paul-moore.com> --- security/selinux/hooks.c | 154 +++++++++++++++++++-------------------- 1 file changed, 77 insertions(+), 77 deletions(-) diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c index 0ac4b05eb56c..49f5720a144c 100644 --- a/security/selinux/hooks.c +++ b/security/selinux/hooks.c @@ -210,12 +210,12 @@ static int selinux_lsm_notifier_avc_callback(u32 event) */ static void cred_init_security(void) { - struct cred_security_struct *tsec; + struct cred_security_struct *crsec; /* NOTE: the lsm framework zeros out the buffer on allocation */ - tsec = selinux_cred(unrcu_pointer(current->real_cred)); - tsec->osid = tsec->sid = SECINITSID_KERNEL; + crsec = selinux_cred(unrcu_pointer(current->real_cred)); + crsec->osid = crsec->sid = SECINITSID_KERNEL; } /* @@ -223,10 +223,10 @@ static void cred_init_security(void) */ static inline u32 cred_sid(const struct cred *cred) { - const struct cred_security_struct *tsec; + const struct cred_security_struct *crsec; - tsec = selinux_cred(cred); - return tsec->sid; + crsec = selinux_cred(cred); + return crsec->sid; } static void __ad_net_init(struct common_audit_data *ad, 
@@ -437,15 +437,15 @@ static int may_context_mount_sb_relabel(u32 sid, struct superblock_security_struct *sbsec, const struct cred *cred) { - const struct cred_security_struct *tsec = selinux_cred(cred); + const struct cred_security_struct *crsec = selinux_cred(cred); int rc; - rc = avc_has_perm(tsec->sid, sbsec->sid, SECCLASS_FILESYSTEM, + rc = avc_has_perm(crsec->sid, sbsec->sid, SECCLASS_FILESYSTEM, FILESYSTEM__RELABELFROM, NULL); if (rc) return rc; - rc = avc_has_perm(tsec->sid, sid, SECCLASS_FILESYSTEM, + rc = avc_has_perm(crsec->sid, sid, SECCLASS_FILESYSTEM, FILESYSTEM__RELABELTO, NULL); return rc; } @@ -454,9 +454,9 @@ static int may_context_mount_inode_relabel(u32 sid, struct superblock_security_struct *sbsec, const struct cred *cred) { - const struct cred_security_struct *tsec = selinux_cred(cred); + const struct cred_security_struct *crsec = selinux_cred(cred); int rc; - rc = avc_has_perm(tsec->sid, sbsec->sid, SECCLASS_FILESYSTEM, + rc = avc_has_perm(crsec->sid, sbsec->sid, SECCLASS_FILESYSTEM, FILESYSTEM__RELABELFROM, NULL); if (rc) return rc; @@ -1788,7 +1788,7 @@ static int file_has_perm(const struct cred *cred, * Determine the label for an inode that might be unioned. */ static int -selinux_determine_inode_label(const struct cred_security_struct *tsec, +selinux_determine_inode_label(const struct cred_security_struct *crsec, struct inode *dir, const struct qstr *name, u16 tclass, u32 *_new_isid) @@ -1800,11 +1800,11 @@ selinux_determine_inode_label(const struct cred_security_struct *tsec, (sbsec->behavior == SECURITY_FS_USE_MNTPOINT)) { *_new_isid = sbsec->mntpoint_sid; } else if ((sbsec->flags & SBLABEL_MNT) && - tsec->create_sid) { - *_new_isid = tsec->create_sid; + crsec->create_sid) { + *_new_isid = crsec->create_sid; } else { const struct inode_security_struct *dsec = inode_security(dir); - return security_transition_sid(tsec->sid, + return security_transition_sid(crsec->sid, dsec->sid, tclass, name, _new_isid); } 
@@ -1817,7 +1817,7 @@ static int may_create(struct inode *dir, struct dentry *dentry, u16 tclass) { - const struct cred_security_struct *tsec = selinux_cred(current_cred()); + const struct cred_security_struct *crsec = selinux_cred(current_cred()); struct inode_security_struct *dsec; struct superblock_security_struct *sbsec; u32 sid, newsid; @@ -1827,7 +1827,7 @@ static int may_create(struct inode *dir, dsec = inode_security(dir); sbsec = selinux_superblock(dir->i_sb); - sid = tsec->sid; + sid = crsec->sid; ad.type = LSM_AUDIT_DATA_DENTRY; ad.u.dentry = dentry; @@ -1838,7 +1838,7 @@ static int may_create(struct inode *dir, if (rc) return rc; - rc = selinux_determine_inode_label(tsec, dir, &dentry->d_name, tclass, + rc = selinux_determine_inode_label(crsec, dir, &dentry->d_name, tclass, &newsid); if (rc) return rc; @@ -2529,12 +2529,12 @@ static void selinux_bprm_committing_creds(const struct linux_binprm *bprm) */ static void selinux_bprm_committed_creds(const struct linux_binprm *bprm) { - const struct cred_security_struct *tsec = selinux_cred(current_cred()); + const struct cred_security_struct *crsec = selinux_cred(current_cred()); u32 osid, sid; int rc; - osid = tsec->osid; - sid = tsec->sid; + osid = crsec->osid; + sid = crsec->sid; if (sid == osid) return; @@ -2911,7 +2911,7 @@ static int selinux_dentry_create_files_as(struct dentry *dentry, int mode, { u32 newsid; int rc; - struct cred_security_struct *tsec; + struct cred_security_struct *crsec; rc = selinux_determine_inode_label(selinux_cred(old), d_inode(dentry->d_parent), name, @@ -2920,8 +2920,8 @@ static int selinux_dentry_create_files_as(struct dentry *dentry, int mode, if (rc) return rc; - tsec = selinux_cred(new); - tsec->create_sid = newsid; + crsec = selinux_cred(new); + crsec->create_sid = newsid; return 0; } 
@@ -2929,7 +2929,7 @@ static int selinux_inode_init_security(struct inode *inode, struct inode *dir, const struct qstr *qstr, struct xattr *xattrs, int *xattr_count) { - const struct cred_security_struct *tsec = selinux_cred(current_cred()); + const struct cred_security_struct *crsec = selinux_cred(current_cred()); struct superblock_security_struct *sbsec; struct xattr *xattr = lsm_get_xattr_slot(xattrs, xattr_count); u32 newsid, clen; @@ -2939,9 +2939,9 @@ static int selinux_inode_init_security(struct inode *inode, struct inode *dir, sbsec = selinux_superblock(dir->i_sb); - newsid = tsec->create_sid; + newsid = crsec->create_sid; newsclass = inode_mode_to_security_class(inode->i_mode); - rc = selinux_determine_inode_label(tsec, dir, qstr, newsclass, &newsid); + rc = selinux_determine_inode_label(crsec, dir, qstr, newsclass, &newsid); if (rc) return rc; @@ -3660,7 +3660,7 @@ static void selinux_inode_getlsmprop(struct inode *inode, struct lsm_prop *prop) static int selinux_inode_copy_up(struct dentry *src, struct cred **new) { struct lsm_prop prop; - struct cred_security_struct *tsec; + struct cred_security_struct *crsec; struct cred *new_creds = *new; if (new_creds == NULL) { @@ -3669,10 +3669,10 @@ static int selinux_inode_copy_up(struct dentry *src, struct cred **new) return -ENOMEM; } - tsec = selinux_cred(new_creds); + crsec = selinux_cred(new_creds); /* Get label from overlay inode and set it in create_sid */ selinux_inode_getlsmprop(d_inode(src), &prop); - tsec->create_sid = prop.selinux.secid; + crsec->create_sid = prop.selinux.secid; *new = new_creds; return 0; } @@ -3698,7 +3698,7 @@ static int selinux_inode_copy_up_xattr(struct dentry *dentry, const char *name) static int selinux_kernfs_init_security(struct kernfs_node *kn_dir, struct kernfs_node *kn) { - const struct cred_security_struct *tsec = selinux_cred(current_cred()); + const struct cred_security_struct *crsec = selinux_cred(current_cred()); u32 parent_sid, newsid, clen; int rc; char *context; 
@@ -3726,8 +3726,8 @@ static int selinux_kernfs_init_security(struct kernfs_node *kn_dir, if (rc) return rc; - if (tsec->create_sid) { - newsid = tsec->create_sid; + if (crsec->create_sid) { + newsid = crsec->create_sid; } else { u16 secclass = inode_mode_to_security_class(kn->mode); const char *kn_name; @@ -3738,7 +3738,7 @@ static int selinux_kernfs_init_security(struct kernfs_node *kn_dir, q.name = kn_name; q.hash_len = hashlen_string(kn_dir, kn_name); - rc = security_transition_sid(tsec->sid, + rc = security_transition_sid(crsec->sid, parent_sid, secclass, &q, &newsid); if (rc) @@ -4166,9 +4166,9 @@ static int selinux_cred_prepare(struct cred *new, const struct cred *old, gfp_t gfp) { const struct cred_security_struct *old_tsec = selinux_cred(old); - struct cred_security_struct *tsec = selinux_cred(new); + struct cred_security_struct *crsec = selinux_cred(new); - *tsec = *old_tsec; + *crsec = *old_tsec; return 0; } @@ -4178,9 +4178,9 @@ static int selinux_cred_prepare(struct cred *new, const struct cred *old, static void selinux_cred_transfer(struct cred *new, const struct cred *old) { const struct cred_security_struct *old_tsec = selinux_cred(old); - struct cred_security_struct *tsec = selinux_cred(new); + struct cred_security_struct *crsec = selinux_cred(new); - *tsec = *old_tsec; + *crsec = *old_tsec; } static void selinux_cred_getsecid(const struct cred *c, u32 *secid) @@ -4199,7 +4199,7 @@ static void selinux_cred_getlsmprop(const struct cred *c, struct lsm_prop *prop) */ static int selinux_kernel_act_as(struct cred *new, u32 secid) { - struct cred_security_struct *tsec = selinux_cred(new); + struct cred_security_struct *crsec = selinux_cred(new); u32 sid = current_sid(); int ret; 
@@ -4208,10 +4208,10 @@ static int selinux_kernel_act_as(struct cred *new, u32 secid) KERNEL_SERVICE__USE_AS_OVERRIDE, NULL); if (ret == 0) { - tsec->sid = secid; - tsec->create_sid = 0; - tsec->keycreate_sid = 0; - tsec->sockcreate_sid = 0; + crsec->sid = secid; + crsec->create_sid = 0; + crsec->keycreate_sid = 0; + crsec->sockcreate_sid = 0; } return ret; } @@ -4223,7 +4223,7 @@ static int selinux_kernel_act_as(struct cred *new, u32 secid) static int selinux_kernel_create_files_as(struct cred *new, struct inode *inode) { struct inode_security_struct *isec = inode_security(inode); - struct cred_security_struct *tsec = selinux_cred(new); + struct cred_security_struct *crsec = selinux_cred(new); u32 sid = current_sid(); int ret; @@ -4233,7 +4233,7 @@ static int selinux_kernel_create_files_as(struct cred *new, struct inode *inode) NULL); if (ret == 0) - tsec->create_sid = isec->sid; + crsec->create_sid = isec->sid; return ret; } @@ -4748,15 +4748,15 @@ static int selinux_conn_sid(u32 sk_sid, u32 skb_sid, u32 *conn_sid) /* socket security operations */ -static int socket_sockcreate_sid(const struct cred_security_struct *tsec, +static int socket_sockcreate_sid(const struct cred_security_struct *crsec, u16 secclass, u32 *socksid) { - if (tsec->sockcreate_sid > SECSID_NULL) { - *socksid = tsec->sockcreate_sid; + if (crsec->sockcreate_sid > SECSID_NULL) { + *socksid = crsec->sockcreate_sid; return 0; } - return security_transition_sid(tsec->sid, tsec->sid, + return security_transition_sid(crsec->sid, crsec->sid, secclass, NULL, socksid); } @@ -4801,7 +4801,7 @@ static int sock_has_perm(struct sock *sk, u32 perms) static int selinux_socket_create(int family, int type, int protocol, int kern) { - const struct cred_security_struct *tsec = selinux_cred(current_cred()); + const struct cred_security_struct *crsec = selinux_cred(current_cred()); u32 newsid; u16 secclass; int rc; 
@@ -4810,17 +4810,17 @@ static int selinux_socket_create(int family, int type, return 0; secclass = socket_type_to_security_class(family, type, protocol); - rc = socket_sockcreate_sid(tsec, secclass, &newsid); + rc = socket_sockcreate_sid(crsec, secclass, &newsid); if (rc) return rc; - return avc_has_perm(tsec->sid, newsid, secclass, SOCKET__CREATE, NULL); + return avc_has_perm(crsec->sid, newsid, secclass, SOCKET__CREATE, NULL); } static int selinux_socket_post_create(struct socket *sock, int family, int type, int protocol, int kern) { - const struct cred_security_struct *tsec = selinux_cred(current_cred()); + const struct cred_security_struct *crsec = selinux_cred(current_cred()); struct inode_security_struct *isec = inode_security_novalidate(SOCK_INODE(sock)); struct sk_security_struct *sksec; u16 sclass = socket_type_to_security_class(family, type, protocol); @@ -4828,7 +4828,7 @@ static int selinux_socket_post_create(struct socket *sock, int family, int err = 0; if (!kern) { - err = socket_sockcreate_sid(tsec, sclass, &sid); + err = socket_sockcreate_sid(crsec, sclass, &sid); if (err) return err; } 
@@ -6530,37 +6530,37 @@ static void selinux_d_instantiate(struct dentry *dentry, struct inode *inode) static int selinux_lsm_getattr(unsigned int attr, struct task_struct *p, char **value) { - const struct cred_security_struct *tsec; + const struct cred_security_struct *crsec; int error; u32 sid; u32 len; rcu_read_lock(); - tsec = selinux_cred(__task_cred(p)); + crsec = selinux_cred(__task_cred(p)); if (p != current) { - error = avc_has_perm(current_sid(), tsec->sid, + error = avc_has_perm(current_sid(), crsec->sid, SECCLASS_PROCESS, PROCESS__GETATTR, NULL); if (error) goto err_unlock; } switch (attr) { case LSM_ATTR_CURRENT: - sid = tsec->sid; + sid = crsec->sid; break; case LSM_ATTR_PREV: - sid = tsec->osid; + sid = crsec->osid; break; case LSM_ATTR_EXEC: - sid = tsec->exec_sid; + sid = crsec->exec_sid; break; case LSM_ATTR_FSCREATE: - sid = tsec->create_sid; + sid = crsec->create_sid; break; case LSM_ATTR_KEYCREATE: - sid = tsec->keycreate_sid; + sid = crsec->keycreate_sid; break; case LSM_ATTR_SOCKCREATE: - sid = tsec->sockcreate_sid; + sid = crsec->sockcreate_sid; break; default: error = -EOPNOTSUPP; @@ -6585,7 +6585,7 @@ static int selinux_lsm_getattr(unsigned int attr, struct task_struct *p, static int selinux_lsm_setattr(u64 attr, void *value, size_t size) { - struct cred_security_struct *tsec; + struct cred_security_struct *crsec; struct cred *new; u32 mysid = current_sid(), sid = 0, ptsid; int error; 
@@ -6671,11 +6671,11 @@ static int selinux_lsm_setattr(u64 attr, void *value, size_t size) operation. See selinux_bprm_creds_for_exec for the execve checks and may_create for the file creation checks. The operation will then fail if the context is not permitted. */ - tsec = selinux_cred(new); + crsec = selinux_cred(new); if (attr == LSM_ATTR_EXEC) { - tsec->exec_sid = sid; + crsec->exec_sid = sid; } else if (attr == LSM_ATTR_FSCREATE) { - tsec->create_sid = sid; + crsec->create_sid = sid; } else if (attr == LSM_ATTR_KEYCREATE) { if (sid) { error = avc_has_perm(mysid, sid, @@ -6683,22 +6683,22 @@ static int selinux_lsm_setattr(u64 attr, void *value, size_t size) if (error) goto abort_change; } - tsec->keycreate_sid = sid; + crsec->keycreate_sid = sid; } else if (attr == LSM_ATTR_SOCKCREATE) { - tsec->sockcreate_sid = sid; + crsec->sockcreate_sid = sid; } else if (attr == LSM_ATTR_CURRENT) { error = -EINVAL; if (sid == 0) goto abort_change; if (!current_is_single_threaded()) { - error = security_bounded_transition(tsec->sid, sid); + error = security_bounded_transition(crsec->sid, sid); if (error) goto abort_change; } /* Check permissions for the transition. */ - error = avc_has_perm(tsec->sid, sid, SECCLASS_PROCESS, + error = avc_has_perm(crsec->sid, sid, SECCLASS_PROCESS, PROCESS__DYNTRANSITION, NULL); if (error) goto abort_change; @@ -6713,7 +6713,7 @@ static int selinux_lsm_setattr(u64 attr, void *value, size_t size) goto abort_change; } - tsec->sid = sid; + crsec->sid = sid; } else { error = -EINVAL; goto abort_change; 
@@ -6880,14 +6880,14 @@ static int selinux_inode_getsecctx(struct inode *inode, struct lsm_context *cp) static int selinux_key_alloc(struct key *k, const struct cred *cred, unsigned long flags) { - const struct cred_security_struct *tsec; + const struct cred_security_struct *crsec; struct key_security_struct *ksec = selinux_key(k); - tsec = selinux_cred(cred); - if (tsec->keycreate_sid) - ksec->sid = tsec->keycreate_sid; + crsec = selinux_cred(cred); + if (crsec->keycreate_sid) + ksec->sid = crsec->keycreate_sid; else - ksec->sid = tsec->sid; + ksec->sid = crsec->sid; return 0; } -- 2.52.0
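Review bot: the @@ -4166 and @@ -4178 hunks (selinux_cred_prepare and selinux_cred_transfer) rename only the destination pointer, so both functions now read `*crsec = *old_tsec;` with the source still called `old_tsec` even though it is declared `const struct cred_security_struct *old_tsec = selinux_cred(old);`. Since the stated purpose of the series is to stop using "tsec" for cred-related variables, rename it to `old_crsec` in the same patch (and give the other old_/new_-prefixed tsec variables the same treatment), so that after this change a grep for "tsec" only turns up genuine task_security_struct uses.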
* Re: [PATCH 3/3] selinux: rename the cred_security_struct variables to "crsec"
2025-11-19 2:03 ` [PATCH 3/3] selinux: rename the cred_security_struct variables to "crsec" Paul Moore
@ 2025-11-19 14:26 ` Stephen Smalley
2025-11-19 15:42 ` Paul Moore
0 siblings, 1 reply; 8+ messages in thread
From: Stephen Smalley @ 2025-11-19 14:26 UTC (permalink / raw)
To: Paul Moore; +Cc: selinux

On Tue, Nov 18, 2025 at 9:03 PM Paul Moore <paul@paul-moore.com> wrote:
>
> Along with the renaming from task_security_struct to cred_security_struct,
> rename the local variables to "crsec" from "tsec". This both fits with
> existing conventions and helps distinguish between task and cred related
> variables.
>
> No functional changes.
>
> Signed-off-by: Paul Moore <paul@paul-moore.com>

Did you mean to leave the tsec variable in current_sid() in objsec.h
and the old_tsec/new_tsec variables used in various places unchanged?

Not looking forward to re-basing the working-selinuxns branch on top of this.

Otherwise,
Acked-by: Stephen Smalley <stephen.smalley.work@gmail.com>

> ---
> security/selinux/hooks.c | 154 +++++++++++++++++++--------------------
> 1 file changed, 77 insertions(+), 77 deletions(-)
>
> diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c
> index 0ac4b05eb56c..49f5720a144c 100644
> --- a/security/selinux/hooks.c
> +++ b/security/selinux/hooks.c
> @@ -210,12 +210,12 @@ static int selinux_lsm_notifier_avc_callback(u32 event) > */ > static void cred_init_security(void) > { > - struct cred_security_struct *tsec; > + struct cred_security_struct *crsec; > > /* NOTE: the lsm framework zeros out the buffer on allocation */ > > - tsec = selinux_cred(unrcu_pointer(current->real_cred)); > - tsec->osid = tsec->sid = SECINITSID_KERNEL; > + crsec = selinux_cred(unrcu_pointer(current->real_cred)); > + crsec->osid = crsec->sid = SECINITSID_KERNEL; > } > > /*
> @@ -223,10 +223,10 @@ static void cred_init_security(void) > */ > static inline u32 cred_sid(const struct cred *cred) > { > - const struct cred_security_struct *tsec; > + const struct cred_security_struct *crsec; > > - tsec = selinux_cred(cred); > - return tsec->sid; > + crsec = selinux_cred(cred); > + return crsec->sid; > } > > static void __ad_net_init(struct common_audit_data *ad, > @@ -437,15 +437,15 @@ static int may_context_mount_sb_relabel(u32 sid, > struct superblock_security_struct *sbsec, > const struct cred *cred) > { > - const struct cred_security_struct *tsec = selinux_cred(cred); > + const struct cred_security_struct *crsec = selinux_cred(cred); > int rc; > > - rc = avc_has_perm(tsec->sid, sbsec->sid, SECCLASS_FILESYSTEM, > + rc = avc_has_perm(crsec->sid, sbsec->sid, SECCLASS_FILESYSTEM, > FILESYSTEM__RELABELFROM, NULL); > if (rc) > return rc; > > - rc = avc_has_perm(tsec->sid, sid, SECCLASS_FILESYSTEM, > + rc = avc_has_perm(crsec->sid, sid, SECCLASS_FILESYSTEM, > FILESYSTEM__RELABELTO, NULL); > return rc; > } > @@ -454,9 +454,9 @@ static int may_context_mount_inode_relabel(u32 sid, > struct superblock_security_struct *sbsec, > const struct cred *cred) > { > - const struct cred_security_struct *tsec = selinux_cred(cred); > + const struct cred_security_struct *crsec = selinux_cred(cred); > int rc; > - rc = avc_has_perm(tsec->sid, sbsec->sid, SECCLASS_FILESYSTEM, > + rc = avc_has_perm(crsec->sid, sbsec->sid, SECCLASS_FILESYSTEM, > FILESYSTEM__RELABELFROM, NULL); > if (rc) > return rc; > @@ -1788,7 +1788,7 @@ static int file_has_perm(const struct cred *cred, > * Determine the label for an inode that might be unioned. > */ > static int > -selinux_determine_inode_label(const struct cred_security_struct *tsec, > +selinux_determine_inode_label(const struct cred_security_struct *crsec, > struct inode *dir, > const struct qstr *name, u16 tclass, > u32 *_new_isid) 
> @@ -1800,11 +1800,11 @@ selinux_determine_inode_label(const struct cred_security_struct *tsec, > (sbsec->behavior == SECURITY_FS_USE_MNTPOINT)) { > *_new_isid = sbsec->mntpoint_sid; > } else if ((sbsec->flags & SBLABEL_MNT) && > - tsec->create_sid) { > - *_new_isid = tsec->create_sid; > + crsec->create_sid) { > + *_new_isid = crsec->create_sid; > } else { > const struct inode_security_struct *dsec = inode_security(dir); > - return security_transition_sid(tsec->sid, > + return security_transition_sid(crsec->sid, > dsec->sid, tclass, > name, _new_isid); > } > @@ -1817,7 +1817,7 @@ static int may_create(struct inode *dir, > struct dentry *dentry, > u16 tclass) > { > - const struct cred_security_struct *tsec = selinux_cred(current_cred()); > + const struct cred_security_struct *crsec = selinux_cred(current_cred()); > struct inode_security_struct *dsec; > struct superblock_security_struct *sbsec; > u32 sid, newsid; > @@ -1827,7 +1827,7 @@ static int may_create(struct inode *dir, > dsec = inode_security(dir); > sbsec = selinux_superblock(dir->i_sb); > > - sid = tsec->sid; > + sid = crsec->sid; > > ad.type = LSM_AUDIT_DATA_DENTRY; > ad.u.dentry = dentry; > @@ -1838,7 +1838,7 @@ static int may_create(struct inode *dir, > if (rc) > return rc; > > - rc = selinux_determine_inode_label(tsec, dir, &dentry->d_name, tclass, > + rc = selinux_determine_inode_label(crsec, dir, &dentry->d_name, tclass, > &newsid); > if (rc) > return rc; > @@ -2529,12 +2529,12 @@ static void selinux_bprm_committing_creds(const struct linux_binprm *bprm) > */ > static void selinux_bprm_committed_creds(const struct linux_binprm *bprm) > { > - const struct cred_security_struct *tsec = selinux_cred(current_cred()); > + const struct cred_security_struct *crsec = selinux_cred(current_cred()); > u32 osid, sid; > int rc; > > - osid = tsec->osid; > - sid = tsec->sid; > + osid = crsec->osid; > + sid = crsec->sid; > > if (sid == osid) > return; 
> @@ -2911,7 +2911,7 @@ static int selinux_dentry_create_files_as(struct dentry *dentry, int mode, > { > u32 newsid; > int rc; > - struct cred_security_struct *tsec; > + struct cred_security_struct *crsec; > > rc = selinux_determine_inode_label(selinux_cred(old), > d_inode(dentry->d_parent), name, > @@ -2920,8 +2920,8 @@ static int selinux_dentry_create_files_as(struct dentry *dentry, int mode, > if (rc) > return rc; > > - tsec = selinux_cred(new); > - tsec->create_sid = newsid; > + crsec = selinux_cred(new); > + crsec->create_sid = newsid; > return 0; > } > > @@ -2929,7 +2929,7 @@ static int selinux_inode_init_security(struct inode *inode, struct inode *dir, > const struct qstr *qstr, > struct xattr *xattrs, int *xattr_count) > { > - const struct cred_security_struct *tsec = selinux_cred(current_cred()); > + const struct cred_security_struct *crsec = selinux_cred(current_cred()); > struct superblock_security_struct *sbsec; > struct xattr *xattr = lsm_get_xattr_slot(xattrs, xattr_count); > u32 newsid, clen; > @@ -2939,9 +2939,9 @@ static int selinux_inode_init_security(struct inode *inode, struct inode *dir, > > sbsec = selinux_superblock(dir->i_sb); > > - newsid = tsec->create_sid; > + newsid = crsec->create_sid; > newsclass = inode_mode_to_security_class(inode->i_mode); > - rc = selinux_determine_inode_label(tsec, dir, qstr, newsclass, &newsid); > + rc = selinux_determine_inode_label(crsec, dir, qstr, newsclass, &newsid); > if (rc) > return rc; > > @@ -3660,7 +3660,7 @@ static void selinux_inode_getlsmprop(struct inode *inode, struct lsm_prop *prop) > static int selinux_inode_copy_up(struct dentry *src, struct cred **new) > { > struct lsm_prop prop; > - struct cred_security_struct *tsec; > + struct cred_security_struct *crsec; > struct cred *new_creds = *new; > > if (new_creds == NULL) { 
> @@ -3669,10 +3669,10 @@ static int selinux_inode_copy_up(struct dentry *src, struct cred **new) > return -ENOMEM; > } > > - tsec = selinux_cred(new_creds); > + crsec = selinux_cred(new_creds); > /* Get label from overlay inode and set it in create_sid */ > selinux_inode_getlsmprop(d_inode(src), &prop); > - tsec->create_sid = prop.selinux.secid; > + crsec->create_sid = prop.selinux.secid; > *new = new_creds; > return 0; > } > @@ -3698,7 +3698,7 @@ static int selinux_inode_copy_up_xattr(struct dentry *dentry, const char *name) > static int selinux_kernfs_init_security(struct kernfs_node *kn_dir, > struct kernfs_node *kn) > { > - const struct cred_security_struct *tsec = selinux_cred(current_cred()); > + const struct cred_security_struct *crsec = selinux_cred(current_cred()); > u32 parent_sid, newsid, clen; > int rc; > char *context; > @@ -3726,8 +3726,8 @@ static int selinux_kernfs_init_security(struct kernfs_node *kn_dir, > if (rc) > return rc; > > - if (tsec->create_sid) { > - newsid = tsec->create_sid; > + if (crsec->create_sid) { > + newsid = crsec->create_sid; > } else { > u16 secclass = inode_mode_to_security_class(kn->mode); > const char *kn_name; > @@ -3738,7 +3738,7 @@ static int selinux_kernfs_init_security(struct kernfs_node *kn_dir, > q.name = kn_name; > q.hash_len = hashlen_string(kn_dir, kn_name); > > - rc = security_transition_sid(tsec->sid, > + rc = security_transition_sid(crsec->sid, > parent_sid, secclass, &q, > &newsid); > if (rc) > @@ -4166,9 +4166,9 @@ static int selinux_cred_prepare(struct cred *new, const struct cred *old, > gfp_t gfp) > { > const struct cred_security_struct *old_tsec = selinux_cred(old); > - struct cred_security_struct *tsec = selinux_cred(new); > + struct cred_security_struct *crsec = selinux_cred(new); > > - *tsec = *old_tsec; > + *crsec = *old_tsec; > return 0; > } 
> > @@ -4178,9 +4178,9 @@ static int selinux_cred_prepare(struct cred *new, const struct cred *old, > static void selinux_cred_transfer(struct cred *new, const struct cred *old) > { > const struct cred_security_struct *old_tsec = selinux_cred(old); > - struct cred_security_struct *tsec = selinux_cred(new); > + struct cred_security_struct *crsec = selinux_cred(new); > > - *tsec = *old_tsec; > + *crsec = *old_tsec; > } > > static void selinux_cred_getsecid(const struct cred *c, u32 *secid) > @@ -4199,7 +4199,7 @@ static void selinux_cred_getlsmprop(const struct cred *c, struct lsm_prop *prop) > */ > static int selinux_kernel_act_as(struct cred *new, u32 secid) > { > - struct cred_security_struct *tsec = selinux_cred(new); > + struct cred_security_struct *crsec = selinux_cred(new); > u32 sid = current_sid(); > int ret; > > @@ -4208,10 +4208,10 @@ static int selinux_kernel_act_as(struct cred *new, u32 secid) > KERNEL_SERVICE__USE_AS_OVERRIDE, > NULL); > if (ret == 0) { > - tsec->sid = secid; > - tsec->create_sid = 0; > - tsec->keycreate_sid = 0; > - tsec->sockcreate_sid = 0; > + crsec->sid = secid; > + crsec->create_sid = 0; > + crsec->keycreate_sid = 0; > + crsec->sockcreate_sid = 0; > } > return ret; > } > @@ -4223,7 +4223,7 @@ static int selinux_kernel_act_as(struct cred *new, u32 secid) > static int selinux_kernel_create_files_as(struct cred *new, struct inode *inode) > { > struct inode_security_struct *isec = inode_security(inode); > - struct cred_security_struct *tsec = selinux_cred(new); > + struct cred_security_struct *crsec = selinux_cred(new); > u32 sid = current_sid(); > int ret; > > @@ -4233,7 +4233,7 @@ static int selinux_kernel_create_files_as(struct cred *new, struct inode *inode) > NULL); > > if (ret == 0) > - tsec->create_sid = isec->sid; > + crsec->create_sid = isec->sid; > return ret; > } 
> > @@ -4748,15 +4748,15 @@ static int selinux_conn_sid(u32 sk_sid, u32 skb_sid, u32 *conn_sid) > > /* socket security operations */ > > -static int socket_sockcreate_sid(const struct cred_security_struct *tsec, > +static int socket_sockcreate_sid(const struct cred_security_struct *crsec, > u16 secclass, u32 *socksid) > { > - if (tsec->sockcreate_sid > SECSID_NULL) { > - *socksid = tsec->sockcreate_sid; > + if (crsec->sockcreate_sid > SECSID_NULL) { > + *socksid = crsec->sockcreate_sid; > return 0; > } > > - return security_transition_sid(tsec->sid, tsec->sid, > + return security_transition_sid(crsec->sid, crsec->sid, > secclass, NULL, socksid); > } > > @@ -4801,7 +4801,7 @@ static int sock_has_perm(struct sock *sk, u32 perms) > static int selinux_socket_create(int family, int type, > int protocol, int kern) > { > - const struct cred_security_struct *tsec = selinux_cred(current_cred()); > + const struct cred_security_struct *crsec = selinux_cred(current_cred()); > u32 newsid; > u16 secclass; > int rc; > @@ -4810,17 +4810,17 @@ static int selinux_socket_create(int family, int type, > return 0; > > secclass = socket_type_to_security_class(family, type, protocol); > - rc = socket_sockcreate_sid(tsec, secclass, &newsid); > + rc = socket_sockcreate_sid(crsec, secclass, &newsid); > if (rc) > return rc; > > - return avc_has_perm(tsec->sid, newsid, secclass, SOCKET__CREATE, NULL); > + return avc_has_perm(crsec->sid, newsid, secclass, SOCKET__CREATE, NULL); > } > > static int selinux_socket_post_create(struct socket *sock, int family, > int type, int protocol, int kern) > { > - const struct cred_security_struct *tsec = selinux_cred(current_cred()); > + const struct cred_security_struct *crsec = selinux_cred(current_cred()); > struct inode_security_struct *isec = inode_security_novalidate(SOCK_INODE(sock)); > struct sk_security_struct *sksec; > u16 sclass = socket_type_to_security_class(family, type, protocol); 
> @@ -4828,7 +4828,7 @@ static int selinux_socket_post_create(struct socket *sock, int family, > int err = 0; > > if (!kern) { > - err = socket_sockcreate_sid(tsec, sclass, &sid); > + err = socket_sockcreate_sid(crsec, sclass, &sid); > if (err) > return err; > } > @@ -6530,37 +6530,37 @@ static void selinux_d_instantiate(struct dentry *dentry, struct inode *inode) > static int selinux_lsm_getattr(unsigned int attr, struct task_struct *p, > char **value) > { > - const struct cred_security_struct *tsec; > + const struct cred_security_struct *crsec; > int error; > u32 sid; > u32 len; > > rcu_read_lock(); > - tsec = selinux_cred(__task_cred(p)); > + crsec = selinux_cred(__task_cred(p)); > if (p != current) { > - error = avc_has_perm(current_sid(), tsec->sid, > + error = avc_has_perm(current_sid(), crsec->sid, > SECCLASS_PROCESS, PROCESS__GETATTR, NULL); > if (error) > goto err_unlock; > } > switch (attr) { > case LSM_ATTR_CURRENT: > - sid = tsec->sid; > + sid = crsec->sid; > break; > case LSM_ATTR_PREV: > - sid = tsec->osid; > + sid = crsec->osid; > break; > case LSM_ATTR_EXEC: > - sid = tsec->exec_sid; > + sid = crsec->exec_sid; > break; > case LSM_ATTR_FSCREATE: > - sid = tsec->create_sid; > + sid = crsec->create_sid; > break; > case LSM_ATTR_KEYCREATE: > - sid = tsec->keycreate_sid; > + sid = crsec->keycreate_sid; > break; > case LSM_ATTR_SOCKCREATE: > - sid = tsec->sockcreate_sid; > + sid = crsec->sockcreate_sid; > break; > default: > error = -EOPNOTSUPP; > @@ -6585,7 +6585,7 @@ static int selinux_lsm_getattr(unsigned int attr, struct task_struct *p, > > static int selinux_lsm_setattr(u64 attr, void *value, size_t size) > { > - struct cred_security_struct *tsec; > + struct cred_security_struct *crsec; > struct cred *new; > u32 mysid = current_sid(), sid = 0, ptsid; > int error; 
> @@ -6671,11 +6671,11 @@ static int selinux_lsm_setattr(u64 attr, void *value, size_t size) > operation. See selinux_bprm_creds_for_exec for the execve > checks and may_create for the file creation checks. The > operation will then fail if the context is not permitted. */ > - tsec = selinux_cred(new); > + crsec = selinux_cred(new); > if (attr == LSM_ATTR_EXEC) { > - tsec->exec_sid = sid; > + crsec->exec_sid = sid; > } else if (attr == LSM_ATTR_FSCREATE) { > - tsec->create_sid = sid; > + crsec->create_sid = sid; > } else if (attr == LSM_ATTR_KEYCREATE) { > if (sid) { > error = avc_has_perm(mysid, sid, > @@ -6683,22 +6683,22 @@ static int selinux_lsm_setattr(u64 attr, void *value, size_t size) > if (error) > goto abort_change; > } > - tsec->keycreate_sid = sid; > + crsec->keycreate_sid = sid; > } else if (attr == LSM_ATTR_SOCKCREATE) { > - tsec->sockcreate_sid = sid; > + crsec->sockcreate_sid = sid; > } else if (attr == LSM_ATTR_CURRENT) { > error = -EINVAL; > if (sid == 0) > goto abort_change; > > if (!current_is_single_threaded()) { > - error = security_bounded_transition(tsec->sid, sid); > + error = security_bounded_transition(crsec->sid, sid); > if (error) > goto abort_change; > } > > /* Check permissions for the transition. */ > - error = avc_has_perm(tsec->sid, sid, SECCLASS_PROCESS, > + error = avc_has_perm(crsec->sid, sid, SECCLASS_PROCESS, > PROCESS__DYNTRANSITION, NULL); > if (error) > goto abort_change; > @@ -6713,7 +6713,7 @@ static int selinux_lsm_setattr(u64 attr, void *value, size_t size) > goto abort_change; > } > > - tsec->sid = sid; > + crsec->sid = sid; > } else { > error = -EINVAL; > goto abort_change; 
> @@ -6880,14 +6880,14 @@ static int selinux_inode_getsecctx(struct inode *inode, struct lsm_context *cp) > static int selinux_key_alloc(struct key *k, const struct cred *cred, > unsigned long flags) > { > - const struct cred_security_struct *tsec; > + const struct cred_security_struct *crsec; > struct key_security_struct *ksec = selinux_key(k); > > - tsec = selinux_cred(cred); > - if (tsec->keycreate_sid) > - ksec->sid = tsec->keycreate_sid; > + crsec = selinux_cred(cred); > + if (crsec->keycreate_sid) > + ksec->sid = crsec->keycreate_sid; > else > - ksec->sid = tsec->sid; > + ksec->sid = crsec->sid; > > return 0; > } > -- > 2.52.0
* Re: [PATCH 3/3] selinux: rename the cred_security_struct variables to "crsec"
2025-11-19 14:26 ` Stephen Smalley
@ 2025-11-19 15:42 ` Paul Moore
0 siblings, 0 replies; 8+ messages in thread
From: Paul Moore @ 2025-11-19 15:42 UTC (permalink / raw)
To: Stephen Smalley; +Cc: selinux

On Wed, Nov 19, 2025 at 9:26 AM Stephen Smalley <stephen.smalley.work@gmail.com> wrote:
> On Tue, Nov 18, 2025 at 9:03 PM Paul Moore <paul@paul-moore.com> wrote:
> >
> > Along with the renaming from task_security_struct to cred_security_struct,
> > rename the local variables to "crsec" from "tsec". This both fits with
> > existing conventions and helps distinguish between task and cred related
> > variables.
> >
> > No functional changes.
> >
> > Signed-off-by: Paul Moore <paul@paul-moore.com>
>
> Did you mean to leave the tsec variable in current_sid() in objsec.h
> and the old_tsec/new_tsec variables used in various places unchanged?

Nope, thanks for catching that. Expect a v2 later today; the change
should be pretty quick and mechanical (and likely all the problems
caught by the compiler), but it's large enough that I want to run it
through the normal set of tests first.

> Not looking forward to re-basing the working-selinuxns branch on top of this.

Yeah, sorry about that, but using "tsec" for both task_security_struct
and cred_security_struct was going to be a constant source of pain.

> Otherwise,
> Acked-by: Stephen Smalley <stephen.smalley.work@gmail.com>

--
paul-moore.com