
Commit a39c0f7

cschaufler authored and pcmoore committed
lsm: infrastructure management of the dev_tun blob
Move management of the dev_tun security blob out of the individual security modules and into the LSM infrastructure. The security modules tell the infrastructure how much space they require at initialization. There are no longer any modules that require the dev_tun_free hook. The hook definition has been removed. Signed-off-by: Casey Schaufler <[email protected]> Reviewed-by: John Johansen <[email protected]> [PM: subject tweak, selinux style fixes] Signed-off-by: Paul Moore <[email protected]>
1 parent 0900128 commit a39c0f7


5 files changed

+28
-20
lines changed


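--- a/include/linux/lsm_hook_defs.h
+++ b/include/linux/lsm_hook_defs.h
@@ -353,8 +353,7 @@ LSM_HOOK(void, LSM_RET_VOID, secmark_refcount_inc, void)
 LSM_HOOK(void, LSM_RET_VOID, secmark_refcount_dec, void)
 LSM_HOOK(void, LSM_RET_VOID, req_classify_flow, const struct request_sock *req,
 struct flowi_common *flic)
-LSM_HOOK(int, 0, tun_dev_alloc_security, void **security)
-LSM_HOOK(void, LSM_RET_VOID, tun_dev_free_security, void *security)
+LSM_HOOK(int, 0, tun_dev_alloc_security, void *security)
 LSM_HOOK(int, 0, tun_dev_create, void)
 LSM_HOOK(int, 0, tun_dev_attach_queue, void *security)
 LSM_HOOK(int, 0, tun_dev_attach, struct sock *sk, void *security)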

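--- a/include/linux/lsm_hooks.h
+++ b/include/linux/lsm_hooks.h
@@ -80,6 +80,7 @@ struct lsm_blob_sizes {
 int lbs_msg_msg;
 int lbs_task;
 int lbs_xattr_count; /* number of xattr slots in new_xattrs array */
+int lbs_tun_dev;
 };
 
 /**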

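--- a/security/security.c
+++ b/security/security.c
@@ -232,6 +232,7 @@ static void __init lsm_set_blob_sizes(struct lsm_blob_sizes *needed)
 lsm_set_blob_size(&needed->lbs_sock, &blob_sizes.lbs_sock);
 lsm_set_blob_size(&needed->lbs_superblock, &blob_sizes.lbs_superblock);
 lsm_set_blob_size(&needed->lbs_task, &blob_sizes.lbs_task);
+lsm_set_blob_size(&needed->lbs_tun_dev, &blob_sizes.lbs_tun_dev);
 lsm_set_blob_size(&needed->lbs_xattr_count,
 &blob_sizes.lbs_xattr_count);
 }
@@ -410,6 +411,7 @@ static void __init ordered_lsm_init(void)
 init_debug("sock blob size = %d\n", blob_sizes.lbs_sock);
 init_debug("superblock blob size = %d\n", blob_sizes.lbs_superblock);
 init_debug("task blob size = %d\n", blob_sizes.lbs_task);
+init_debug("tun device blob size = %d\n", blob_sizes.lbs_tun_dev);
 init_debug("xattr slots = %d\n", blob_sizes.lbs_xattr_count);
 
 /*
@@ -4875,7 +4877,18 @@ EXPORT_SYMBOL(security_secmark_refcount_dec);
 */
 int security_tun_dev_alloc_security(void **security)
 {
-return call_int_hook(tun_dev_alloc_security, security);
+int rc;
+
+rc = lsm_blob_alloc(security, blob_sizes.lbs_tun_dev, GFP_KERNEL);
+if (rc)
+return rc;
+
+rc = call_int_hook(tun_dev_alloc_security, *security);
+if (rc) {
+kfree(*security);
+*security = NULL;
+}
+return rc;
 }
 EXPORT_SYMBOL(security_tun_dev_alloc_security);
 
@@ -4887,7 +4900,7 @@ EXPORT_SYMBOL(security_tun_dev_alloc_security);
 */
 void security_tun_dev_free_security(void *security)
 {
-call_void_hook(tun_dev_free_security, security);
+kfree(security);
 }
 EXPORT_SYMBOL(security_tun_dev_free_security);
 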
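--- a/security/selinux/hooks.c
+++ b/security/selinux/hooks.c
@@ -5578,24 +5578,14 @@ static void selinux_req_classify_flow(const struct request_sock *req,
 flic->flowic_secid = req->secid;
 }
 
-static int selinux_tun_dev_alloc_security(void **security)
+static int selinux_tun_dev_alloc_security(void *security)
 {
-struct tun_security_struct *tunsec;
+struct tun_security_struct *tunsec = selinux_tun_dev(security);
 
-tunsec = kzalloc(sizeof(*tunsec), GFP_KERNEL);
-if (!tunsec)
-return -ENOMEM;
 tunsec->sid = current_sid();
-
-*security = tunsec;
 return 0;
 }
 
-static void selinux_tun_dev_free_security(void *security)
-{
-kfree(security);
-}
-
 static int selinux_tun_dev_create(void)
 {
 u32 sid = current_sid();
@@ -5613,15 +5603,15 @@ static int selinux_tun_dev_create(void)
 
 static int selinux_tun_dev_attach_queue(void *security)
 {
-struct tun_security_struct *tunsec = security;
+struct tun_security_struct *tunsec = selinux_tun_dev(security);
 
 return avc_has_perm(current_sid(), tunsec->sid, SECCLASS_TUN_SOCKET,
 TUN_SOCKET__ATTACH_QUEUE, NULL);
 }
 
 static int selinux_tun_dev_attach(struct sock *sk, void *security)
 {
-struct tun_security_struct *tunsec = security;
+struct tun_security_struct *tunsec = selinux_tun_dev(security);
 struct sk_security_struct *sksec = selinux_sock(sk);
 
 /* we don't currently perform any NetLabel based labeling here and it
@@ -5639,7 +5629,7 @@ static int selinux_tun_dev_attach(struct sock *sk, void *security)
 
 static int selinux_tun_dev_open(void *security)
 {
-struct tun_security_struct *tunsec = security;
+struct tun_security_struct *tunsec = selinux_tun_dev(security);
 u32 sid = current_sid();
 int err;
 
@@ -6978,6 +6968,7 @@ struct lsm_blob_sizes selinux_blob_sizes __ro_after_init = {
 .lbs_sock = sizeof(struct sk_security_struct),
 .lbs_superblock = sizeof(struct superblock_security_struct),
 .lbs_xattr_count = SELINUX_INODE_INIT_XATTRS,
+.lbs_tun_dev = sizeof(struct tun_security_struct),
 };
 
 #ifdef CONFIG_PERF_EVENTS
@@ -7289,7 +7280,6 @@ static struct security_hook_list selinux_hooks[] __ro_after_init = {
 LSM_HOOK_INIT(secmark_refcount_inc, selinux_secmark_refcount_inc),
 LSM_HOOK_INIT(secmark_refcount_dec, selinux_secmark_refcount_dec),
 LSM_HOOK_INIT(req_classify_flow, selinux_req_classify_flow),
-LSM_HOOK_INIT(tun_dev_free_security, selinux_tun_dev_free_security),
 LSM_HOOK_INIT(tun_dev_create, selinux_tun_dev_create),
 LSM_HOOK_INIT(tun_dev_attach_queue, selinux_tun_dev_attach_queue),
 LSM_HOOK_INIT(tun_dev_attach, selinux_tun_dev_attach),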

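--- a/security/selinux/include/objsec.h
+++ b/security/selinux/include/objsec.h
@@ -207,4 +207,9 @@ static inline struct sk_security_struct *selinux_sock(const struct sock *sock)
 return sock->sk_security + selinux_blob_sizes.lbs_sock;
 }
 
+static inline struct tun_security_struct *selinux_tun_dev(void *security)
+{
+return security + selinux_blob_sizes.lbs_tun_dev;
+}
+
 #endif /* _SELINUX_OBJSEC_H_ */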
