Add a parameter lsmid to security_lsmblob_to_secctx() to identify which
of the security modules that may be active should provide the security
context. If the value of lsmid is LSM_ID_UNDEF the first LSM providing
a hook is used. security_secid_to_secctx() is unchanged, and will
always report the first LSM providing a hook.
Signed-off-by: Casey Schaufler <casey@schaufler-ca.com>
---
include/linux/security.h | 6 ++++--
kernel/audit.c | 4 ++--
kernel/auditsc.c | 8 +++++---
net/netlabel/netlabel_user.c | 3 ++-
security/security.c | 13 +++++++++++--
5 files changed, 24 insertions(+), 10 deletions(-)
diff --git a/include/linux/security.h b/include/linux/security.h
index 980b6c207cad..540894695c4b 100644
--- a/include/linux/security.h
+++ b/include/linux/security.h
@@ -566,7 +566,8 @@ int security_setprocattr(int lsmid, const char *name, void *value, size_t size);
int security_netlink_send(struct sock *sk, struct sk_buff *skb);
int security_ismaclabel(const char *name);
int security_secid_to_secctx(u32 secid, struct lsm_context *cp);
-int security_lsmprop_to_secctx(struct lsm_prop *prop, struct lsm_context *cp);
+int security_lsmprop_to_secctx(struct lsm_prop *prop, struct lsm_context *cp,
+ int lsmid);
int security_secctx_to_secid(const char *secdata, u32 seclen, u32 *secid);
void security_release_secctx(struct lsm_context *cp);
void security_inode_invalidate_secctx(struct inode *inode);
@@ -1543,7 +1544,8 @@ static inline int security_secid_to_secctx(u32 secid, struct lsm_context *cp)
}
static inline int security_lsmprop_to_secctx(struct lsm_prop *prop,
- struct lsm_context *cp)
+ struct lsm_context *cp,
+ int lsmid)
{
return -EOPNOTSUPP;
}
diff --git a/kernel/audit.c b/kernel/audit.c
index 2a567f667528..6bbadb605ca3 100644
--- a/kernel/audit.c
+++ b/kernel/audit.c
@@ -1473,7 +1473,7 @@ static int audit_receive_msg(struct sk_buff *skb, struct nlmsghdr *nlh,
case AUDIT_SIGNAL_INFO:
if (lsmprop_is_set(&audit_sig_lsm)) {
err = security_lsmprop_to_secctx(&audit_sig_lsm,
- &lsmctx);
+ &lsmctx, LSM_ID_UNDEF);
if (err < 0)
return err;
}
@@ -2188,7 +2188,7 @@ int audit_log_task_context(struct audit_buffer *ab)
if (!lsmprop_is_set(&prop))
return 0;
- error = security_lsmprop_to_secctx(&prop, &ctx);
+ error = security_lsmprop_to_secctx(&prop, &ctx, LSM_ID_UNDEF);
if (error < 0) {
if (error != -EINVAL)
goto error_path;
diff --git a/kernel/auditsc.c b/kernel/auditsc.c
index 60f2c927afd7..dc3f7e9666f2 100644
--- a/kernel/auditsc.c
+++ b/kernel/auditsc.c
@@ -1109,7 +1109,7 @@ static int audit_log_pid_context(struct audit_context *context, pid_t pid,
from_kuid(&init_user_ns, auid),
from_kuid(&init_user_ns, uid), sessionid);
if (lsmprop_is_set(prop)) {
- if (security_lsmprop_to_secctx(prop, &ctx) < 0) {
+ if (security_lsmprop_to_secctx(prop, &ctx, LSM_ID_UNDEF) < 0) {
audit_log_format(ab, " obj=(none)");
rc = 1;
} else {
@@ -1395,7 +1395,8 @@ static void show_special(struct audit_context *context, int *call_panic)
struct lsm_context lsmctx;
if (security_lsmprop_to_secctx(&context->ipc.oprop,
- &lsmctx) < 0) {
+ &lsmctx,
+ LSM_ID_UNDEF) < 0) {
*call_panic = 1;
} else {
audit_log_format(ab, " obj=%s", lsmctx.context);
@@ -1560,7 +1561,8 @@ static void audit_log_name(struct audit_context *context, struct audit_names *n,
if (lsmprop_is_set(&n->oprop)) {
struct lsm_context ctx;
- if (security_lsmprop_to_secctx(&n->oprop, &ctx) < 0) {
+ if (security_lsmprop_to_secctx(&n->oprop, &ctx,
+ LSM_ID_UNDEF) < 0) {
if (call_panic)
*call_panic = 2;
} else {
diff --git a/net/netlabel/netlabel_user.c b/net/netlabel/netlabel_user.c
index 0d04d23aafe7..6d6545297ee3 100644
--- a/net/netlabel/netlabel_user.c
+++ b/net/netlabel/netlabel_user.c
@@ -98,7 +98,8 @@ struct audit_buffer *netlbl_audit_start_common(int type,
audit_info->sessionid);
if (lsmprop_is_set(&audit_info->prop) &&
- security_lsmprop_to_secctx(&audit_info->prop, &ctx) > 0) {
+ security_lsmprop_to_secctx(&audit_info->prop, &ctx,
+ LSM_ID_UNDEF) > 0) {
audit_log_format(audit_buf, " subj=%s", ctx.context);
security_release_secctx(&ctx);
}
diff --git a/security/security.c b/security/security.c
index 143561ebc3e8..55f9c7ad3f89 100644
--- a/security/security.c
+++ b/security/security.c
@@ -4312,6 +4312,7 @@ EXPORT_SYMBOL(security_ismaclabel);
* security_secid_to_secctx() - Convert a secid to a secctx
* @secid: secid
* @cp: the LSM context
+ * @lsmid: which security module to report
*
* Convert secid to security context. If @cp is NULL the length of the
* result will be returned, but no data will be returned. This
@@ -4338,9 +4339,17 @@ EXPORT_SYMBOL(security_secid_to_secctx);
*
* Return: Return length of data on success, error on failure.
*/
-int security_lsmprop_to_secctx(struct lsm_prop *prop, struct lsm_context *cp)
+int security_lsmprop_to_secctx(struct lsm_prop *prop, struct lsm_context *cp,
+ int lsmid)
{
- return call_int_hook(lsmprop_to_secctx, prop, cp);
+ struct lsm_static_call *scall;
+
+ lsm_for_each_hook(scall, lsmprop_to_secctx) {
+ if (lsmid != 0 && lsmid != scall->hl->lsmid->id)
+ continue;
+ return scall->hl->hook.lsmprop_to_secctx(prop, cp);
+ }
+ return LSM_RET_DEFAULT(lsmprop_to_secctx);
}
EXPORT_SYMBOL(security_lsmprop_to_secctx);
--
2.47.0On Mar 19, 2025 Casey Schaufler <casey@schaufler-ca.com> wrote:
>
> Add a parameter lsmid to security_lsmblob_to_secctx() to identify which
> of the security modules that may be active should provide the security
> context. If the value of lsmid is LSM_ID_UNDEF the first LSM providing
> a hook is used. security_secid_to_secctx() is unchanged, and will
> always report the first LSM providing a hook.
>
> Signed-off-by: Casey Schaufler <casey@schaufler-ca.com>
> Tested-by: Fan Wu <wufan@kernel.org>
> ---
> include/linux/security.h | 6 ++++--
> kernel/audit.c | 4 ++--
> kernel/auditsc.c | 8 +++++---
> net/netlabel/netlabel_user.c | 3 ++-
> security/security.c | 13 +++++++++++--
> 5 files changed, 24 insertions(+), 10 deletions(-)
...
> diff --git a/security/security.c b/security/security.c
> index 143561ebc3e8..55f9c7ad3f89 100644
> --- a/security/security.c
> +++ b/security/security.c
> @@ -4312,6 +4312,7 @@ EXPORT_SYMBOL(security_ismaclabel);
> * security_secid_to_secctx() - Convert a secid to a secctx
> * @secid: secid
> * @cp: the LSM context
> + * @lsmid: which security module to report
> *
> * Convert secid to security context. If @cp is NULL the length of the
> * result will be returned, but no data will be returned. This
> @@ -4338,9 +4339,17 @@ EXPORT_SYMBOL(security_secid_to_secctx);
> *
> * Return: Return length of data on success, error on failure.
> */
> -int security_lsmprop_to_secctx(struct lsm_prop *prop, struct lsm_context *cp)
> +int security_lsmprop_to_secctx(struct lsm_prop *prop, struct lsm_context *cp,
> + int lsmid)
> {
> - return call_int_hook(lsmprop_to_secctx, prop, cp);
> + struct lsm_static_call *scall;
> +
> + lsm_for_each_hook(scall, lsmprop_to_secctx) {
> + if (lsmid != 0 && lsmid != scall->hl->lsmid->id)
> + continue;
As mentioned in the v2 review:
"Let's use LSM_ID_UNDEF instead of 0 here to add some clarity on
how an undefined ID is handled. The function header comment
should also explain the special handling when LSM_ID_UNDEF is
specified."
https://lore.kernel.org/audit/5838489ecd5186900315f8f6c6e02f22@paul-moore.com/
> + return scall->hl->hook.lsmprop_to_secctx(prop, cp);
> + }
> + return LSM_RET_DEFAULT(lsmprop_to_secctx);
> }
> EXPORT_SYMBOL(security_lsmprop_to_secctx);
>
> --
> 2.47.0
--
paul-moore.com
On Wed, Mar 19, 2025 at 7:50 PM Casey Schaufler <casey@schaufler-ca.com> wrote:
>
> Add a parameter lsmid to security_lsmblob_to_secctx() to identify which
> of the security modules that may be active should provide the security
> context. If the value of lsmid is LSM_ID_UNDEF the first LSM providing
> a hook is used. security_secid_to_secctx() is unchanged, and will
> always report the first LSM providing a hook.
>
> Signed-off-by: Casey Schaufler <casey@schaufler-ca.com>
...
> diff --git a/security/security.c b/security/security.c
> index 143561ebc3e8..55f9c7ad3f89 100644
> --- a/security/security.c
> +++ b/security/security.c
> @@ -4312,6 +4312,7 @@ EXPORT_SYMBOL(security_ismaclabel);
> * security_secid_to_secctx() - Convert a secid to a secctx
> * @secid: secid
> * @cp: the LSM context
> + * @lsmid: which security module to report
> *
> * Convert secid to security context. If @cp is NULL the length of the
> * result will be returned, but no data will be returned. This
> @@ -4338,9 +4339,17 @@ EXPORT_SYMBOL(security_secid_to_secctx);
> *
> * Return: Return length of data on success, error on failure.
> */
> -int security_lsmprop_to_secctx(struct lsm_prop *prop, struct lsm_context *cp)
> +int security_lsmprop_to_secctx(struct lsm_prop *prop, struct lsm_context *cp,
> + int lsmid)
> {
> - return call_int_hook(lsmprop_to_secctx, prop, cp);
> + struct lsm_static_call *scall;
> +
> + lsm_for_each_hook(scall, lsmprop_to_secctx) {
> + if (lsmid != 0 && lsmid != scall->hl->lsmid->id)
It took me some time to figure out why if LSM_ID_UNDEF is passed the
first LSM providing a hook is used, might be better to change it to:
if (lsmid != LSM_ID_UNDEF && lsmid != scall->hl->lsmid->id)
Otherwise, it works as described. I'm working on adding a new IPE
property based on SELinux file labels, and this just came up as I
needed it. Thank you.
Tested-by: Fan Wu <wufan@kernel.org>
> + continue;
> + return scall->hl->hook.lsmprop_to_secctx(prop, cp);
> + }
> + return LSM_RET_DEFAULT(lsmprop_to_secctx);
> }
> EXPORT_SYMBOL(security_lsmprop_to_secctx);
>
> --
> 2.47.0
>
>
On 3/25/2025 4:44 PM, Fan Wu wrote:
> On Wed, Mar 19, 2025 at 7:50 PM Casey Schaufler <casey@schaufler-ca.com> wrote:
>> Add a parameter lsmid to security_lsmblob_to_secctx() to identify which
>> of the security modules that may be active should provide the security
>> context. If the value of lsmid is LSM_ID_UNDEF the first LSM providing
>> a hook is used. security_secid_to_secctx() is unchanged, and will
>> always report the first LSM providing a hook.
>>
>> Signed-off-by: Casey Schaufler <casey@schaufler-ca.com>
> ..
>> diff --git a/security/security.c b/security/security.c
>> index 143561ebc3e8..55f9c7ad3f89 100644
>> --- a/security/security.c
>> +++ b/security/security.c
>> @@ -4312,6 +4312,7 @@ EXPORT_SYMBOL(security_ismaclabel);
>> * security_secid_to_secctx() - Convert a secid to a secctx
>> * @secid: secid
>> * @cp: the LSM context
>> + * @lsmid: which security module to report
>> *
>> * Convert secid to security context. If @cp is NULL the length of the
>> * result will be returned, but no data will be returned. This
>> @@ -4338,9 +4339,17 @@ EXPORT_SYMBOL(security_secid_to_secctx);
>> *
>> * Return: Return length of data on success, error on failure.
>> */
>> -int security_lsmprop_to_secctx(struct lsm_prop *prop, struct lsm_context *cp)
>> +int security_lsmprop_to_secctx(struct lsm_prop *prop, struct lsm_context *cp,
>> + int lsmid)
>> {
>> - return call_int_hook(lsmprop_to_secctx, prop, cp);
>> + struct lsm_static_call *scall;
>> +
>> + lsm_for_each_hook(scall, lsmprop_to_secctx) {
>> + if (lsmid != 0 && lsmid != scall->hl->lsmid->id)
> It took me some time to figure out why if LSM_ID_UNDEF is passed the
> first LSM providing a hook is used, might be better to change it to:
>
> if (lsmid != LSM_ID_UNDEF && lsmid != scall->hl->lsmid->id)
Thank you. That change will be in v4.
>
> Otherwise, it works as described. I'm working on adding a new IPE
> property based on SELinux file labels, and this just came up as I
> needed it. Thank you.
>
> Tested-by: Fan Wu <wufan@kernel.org>
>
>> + continue;
>> + return scall->hl->hook.lsmprop_to_secctx(prop, cp);
>> + }
>> + return LSM_RET_DEFAULT(lsmprop_to_secctx);
>> }
>> EXPORT_SYMBOL(security_lsmprop_to_secctx);
>>
>> --
>> 2.47.0
>>
>>
© 2016 - 2025 Red Hat, Inc.