LSM: Infrastructure management of the file security
Move management of the file->f_security blob out of the individual security modules and into the infrastructure. The modules no longer allocate or free the data, instead they tell the infrastructure how much space they require. Signed-off-by: Casey Schaufler <casey@schaufler-ca.com> Reviewed-by: Kees Cook <keescook@chromium.org> [kees: adjusted for ordered init series] Signed-off-by: Kees Cook <keescook@chromium.org>
This commit is contained in:
Casey Schaufler
committed by
Kees Cook
Kees Cook
parent
f28952ac90
commit
33bf60cabc
@@ -146,7 +146,6 @@ static int __init checkreqprot_setup(char *str)
|
||||
__setup("checkreqprot=", checkreqprot_setup);
|
||||
|
||||
static struct kmem_cache *sel_inode_cache;
|
||||
static struct kmem_cache *file_security_cache;
|
||||
|
||||
/**
|
||||
* selinux_secmark_enabled - Check to see if SECMARK is currently enabled
|
||||
@@ -378,27 +377,15 @@ static void inode_free_security(struct inode *inode)
|
||||
|
||||
static int file_alloc_security(struct file *file)
|
||||
{
|
||||
struct file_security_struct *fsec;
|
||||
struct file_security_struct *fsec = selinux_file(file);
|
||||
u32 sid = current_sid();
|
||||
|
||||
fsec = kmem_cache_zalloc(file_security_cache, GFP_KERNEL);
|
||||
if (!fsec)
|
||||
return -ENOMEM;
|
||||
|
||||
fsec->sid = sid;
|
||||
fsec->fown_sid = sid;
|
||||
file->f_security = fsec;
|
||||
|
||||
return 0;
|
||||
}
|
||||
|
||||
static void file_free_security(struct file *file)
|
||||
{
|
||||
struct file_security_struct *fsec = selinux_file(file);
|
||||
file->f_security = NULL;
|
||||
kmem_cache_free(file_security_cache, fsec);
|
||||
}
|
||||
|
||||
static int superblock_alloc_security(struct super_block *sb)
|
||||
{
|
||||
struct superblock_security_struct *sbsec;
|
||||
@@ -3345,11 +3332,6 @@ static int selinux_file_alloc_security(struct file *file)
|
||||
return file_alloc_security(file);
|
||||
}
|
||||
|
||||
static void selinux_file_free_security(struct file *file)
|
||||
{
|
||||
file_free_security(file);
|
||||
}
|
||||
|
||||
/*
|
||||
* Check whether a task has the ioctl permission and cmd
|
||||
* operation to an inode.
|
||||
@@ -6646,6 +6628,7 @@ static void selinux_bpf_prog_free(struct bpf_prog_aux *aux)
|
||||
|
||||
struct lsm_blob_sizes selinux_blob_sizes __lsm_ro_after_init = {
|
||||
.lbs_cred = sizeof(struct task_security_struct),
|
||||
.lbs_file = sizeof(struct file_security_struct),
|
||||
};
|
||||
|
||||
static struct security_hook_list selinux_hooks[] __lsm_ro_after_init = {
|
||||
@@ -6717,7 +6700,6 @@ static struct security_hook_list selinux_hooks[] __lsm_ro_after_init = {
|
||||
|
||||
LSM_HOOK_INIT(file_permission, selinux_file_permission),
|
||||
LSM_HOOK_INIT(file_alloc_security, selinux_file_alloc_security),
|
||||
LSM_HOOK_INIT(file_free_security, selinux_file_free_security),
|
||||
LSM_HOOK_INIT(file_ioctl, selinux_file_ioctl),
|
||||
LSM_HOOK_INIT(mmap_file, selinux_mmap_file),
|
||||
LSM_HOOK_INIT(mmap_addr, selinux_mmap_addr),
|
||||
@@ -6902,9 +6884,6 @@ static __init int selinux_init(void)
|
||||
sel_inode_cache = kmem_cache_create("selinux_inode_security",
|
||||
sizeof(struct inode_security_struct),
|
||||
0, SLAB_PANIC, NULL);
|
||||
file_security_cache = kmem_cache_create("selinux_file_security",
|
||||
sizeof(struct file_security_struct),
|
||||
0, SLAB_PANIC, NULL);
|
||||
avc_init();
|
||||
|
||||
avtab_cache_init();
|
||||
|
||||
Reference in New Issue
Block a user