bybrooklyn/linux
1
0
Fork 0
mirror of https://github.com/torvalds/linux.git synced 2026-04-18 06:44:00 -04:00
Code Issues Packages Projects Releases Wiki Activity

Merge tag 'lsm-pr-20250121' of git://git.kernel.org/pub/scm/linux/kernel/git/pcmoore/lsm

Browse Source 
Pull lsm updates from Paul Moore:

 - Improved handling of LSM "secctx" strings through lsm_context struct

   The LSM secctx string interface is from an older time when only one
   LSM was supported, migrate over to the lsm_context struct to better
   support the different LSMs we now have and make it easier to support
   new LSMs in the future.

   These changes explain the Rust, VFS, and networking changes in the
   diffstat.

 - Only build lsm_audit.c if CONFIG_SECURITY and CONFIG_AUDIT are
   enabled

   Small tweak to be a bit smarter about when we build the LSM's common
   audit helpers.

 - Check for absurdly large policies from userspace in SafeSetID

   SafeSetID policies rules are fairly small, basically just "UID:UID",
   it easy to impose a limit of KMALLOC_MAX_SIZE on policy writes which
   helps quiet a number of syzbot related issues. While work is being
   done to address the syzbot issues through other mechanisms, this is a
   trivial and relatively safe fix that we can do now.

 - Various minor improvements and cleanups

   A collection of improvements to the kernel selftests, constification
   of some function parameters, removing redundant assignments, and
   local variable renames to improve readability.

* tag 'lsm-pr-20250121' of git://git.kernel.org/pub/scm/linux/kernel/git/pcmoore/lsm:
  lockdown: initialize local array before use to quiet static analysis
  safesetid: check size of policy writes
  net: corrections for security_secid_to_secctx returns
  lsm: rename variable to avoid shadowing
  lsm: constify function parameters
  security: remove redundant assignment to return variable
  lsm: Only build lsm_audit.c if CONFIG_SECURITY and CONFIG_AUDIT are set
  selftests: refactor the lsm `flags_overset_lsm_set_self_attr` test
  binder: initialize lsm_context structure
  rust: replace lsm context+len with lsm_context
  lsm: secctx provider check on release
  lsm: lsm_context in security_dentry_init_security
  lsm: use lsm_context in security_inode_getsecctx
  lsm: replace context+len with lsm_context
  lsm: ensure the correct LSM context releaser
This commit is contained in:
Linus Torvalds
2025-01-21 20:03:04 -08:00
parent 678ca9f78e 714d87c90a
commit f96a974170
31 changed files with 351 additions and 309 deletions
Download Patch File Download Diff File Expand all files Collapse all files

52
security/smack/smack_lsm.c
View File

@@ -4801,41 +4801,48 @@ static int smack_ismaclabel(const char *name)
return (strcmp(name, XATTR_SMACK_SUFFIX) == 0);
}
/**
* smack_to_secctx - fill a lsm_context
* @skp: Smack label
* @cp: destination
*
* Fill the passed @cp and return the length of the string
*/
static int smack_to_secctx(struct smack_known *skp, struct lsm_context *cp)
{
int len = strlen(skp->smk_known);
if (cp) {
cp->context = skp->smk_known;
cp->len = len;
cp->id = LSM_ID_SMACK;
}
return len;
}
/**
* smack_secid_to_secctx - return the smack label for a secid
* @secid: incoming integer
* @secdata: destination
* @seclen: how long it is
* @cp: destination
*
* Exists for networking code.
*/
static int smack_secid_to_secctx(u32 secid, char **secdata, u32 *seclen)
static int smack_secid_to_secctx(u32 secid, struct lsm_context *cp)
{
struct smack_known *skp = smack_from_secid(secid);
if (secdata)
*secdata = skp->smk_known;
*seclen = strlen(skp->smk_known);
return 0;
return smack_to_secctx(smack_from_secid(secid), cp);
}
/**
* smack_lsmprop_to_secctx - return the smack label
* @prop: includes incoming Smack data
* @secdata: destination
* @seclen: how long it is
* @cp: destination
*
* Exists for audit code.
*/
static int smack_lsmprop_to_secctx(struct lsm_prop *prop, char **secdata,
u32 *seclen)
static int smack_lsmprop_to_secctx(struct lsm_prop *prop,
struct lsm_context *cp)
{
struct smack_known *skp = prop->smack.skp;
if (secdata)
*secdata = skp->smk_known;
*seclen = strlen(skp->smk_known);
return 0;
return smack_to_secctx(prop->smack.skp, cp);
}
/**
@@ -4875,12 +4882,13 @@ static int smack_inode_setsecctx(struct dentry *dentry, void *ctx, u32 ctxlen)
ctx, ctxlen, 0, NULL);
}
static int smack_inode_getsecctx(struct inode *inode, void **ctx, u32 *ctxlen)
static int smack_inode_getsecctx(struct inode *inode, struct lsm_context *cp)
{
struct smack_known *skp = smk_of_inode(inode);
*ctx = skp->smk_known;
*ctxlen = strlen(skp->smk_known);
cp->context = skp->smk_known;
cp->len = strlen(skp->smk_known);
cp->id = LSM_ID_SMACK;
return 0;
}