From nobody Thu Oct 9 01:13:10 2025 Received: from sonic307-15.consmr.mail.ne1.yahoo.com (sonic307-15.consmr.mail.ne1.yahoo.com [66.163.190.38]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id D31D2189902 for ; Sat, 21 Jun 2025 17:19:04 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=66.163.190.38 ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1750526347; cv=none; b=Vyf0c1s9HrNcErA5k4oPMcmfNb15r530W06mXoa7R+10aJnXhyotubLgV8xWbCI9wio7/OYug39m7qibFLmiK4y33Qpeh6Z9nlRHsQgJBgFV2g5yNYk6p/YZD5wBEdFGcK8i0arJmDvZHdD06fX07oQxWuD5yvnxFSpVI5+Dhek= ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1750526347; c=relaxed/simple; bh=foLWTmSFbq1rceU6d97FGgq+vU1w14xbqY+Q6ZfnhYU=; h=From:To:Cc:Subject:Date:Message-ID:In-Reply-To:References: MIME-Version; b=m9vrIsLshNzoBz9+P4OS2EKwEgcoKNG46GE8ZbzafJEax6+bEpdVP7mjN6GPPwpwGvGb4SiAABQiuN3Eq28W/zPBQENmYAFbCt8Mg/SWnkp4ZFlX6QLB6uScTOiF/jAFZK/Wu638jywN4W+g3u2IMnmxN08SYH/Hc5lvCUGoSec= ARC-Authentication-Results: i=1; smtp.subspace.kernel.org; dmarc=none (p=none dis=none) header.from=schaufler-ca.com; spf=none smtp.mailfrom=schaufler-ca.com; dkim=pass (2048-bit key) header.d=yahoo.com header.i=@yahoo.com header.b=ES57MrqN; arc=none smtp.client-ip=66.163.190.38 Authentication-Results: smtp.subspace.kernel.org; dmarc=none (p=none dis=none) header.from=schaufler-ca.com Authentication-Results: smtp.subspace.kernel.org; spf=none smtp.mailfrom=schaufler-ca.com Authentication-Results: smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=yahoo.com header.i=@yahoo.com header.b="ES57MrqN" DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=yahoo.com; s=s2048; t=1750526338; bh=T735gLFSu6sJJ+AgJymFISZ7osZRKKZtK3bncmGvTo8=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From:Subject:Reply-To; 
From: Casey Schaufler To: casey@schaufler-ca.com, paul@paul-moore.com, eparis@redhat.com, linux-security-module@vger.kernel.org, audit@vger.kernel.org Cc: jmorris@namei.org, serge@hallyn.com, keescook@chromium.org, john.johansen@canonical.com, penguin-kernel@i-love.sakura.ne.jp, stephen.smalley.work@gmail.com, linux-kernel@vger.kernel.org, selinux@vger.kernel.org Subject: [RFC PATCH 01/15] Audit: Create audit_stamp structure Date: Sat, 21 Jun 2025 10:18:36 -0700 Message-ID: <20250621171851.5869-2-casey@schaufler-ca.com> X-Mailer: git-send-email 2.47.0 In-Reply-To: <20250621171851.5869-1-casey@schaufler-ca.com> References: <20250621171851.5869-1-casey@schaufler-ca.com> Precedence: bulk X-Mailing-List: linux-kernel@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Content-Transfer-Encoding: quoted-printable Content-Type: text/plain; charset="utf-8" Replace the timestamp and serial number pair used in audit records with a structure containing the two elements. Signed-off-by: Casey Schaufler --- kernel/audit.c | 17 +++++++++-------- kernel/audit.h | 13 +++++++++---- kernel/auditsc.c | 22 +++++++++------------- 3 files changed, 27 insertions(+), 25 deletions(-) diff --git a/kernel/audit.c b/kernel/audit.c index 61b5744d0bb6..547967cb4266 100644 --- a/kernel/audit.c +++ b/kernel/audit.c @@ -1833,11 +1833,11 @@ unsigned int audit_serial(void) } =20 static inline void audit_get_stamp(struct audit_context *ctx, - struct timespec64 *t, unsigned int *serial) + struct audit_stamp *stamp) { - if (!ctx || !auditsc_get_stamp(ctx, t, serial)) { - ktime_get_coarse_real_ts64(t); - *serial =3D audit_serial(); + if (!ctx || !auditsc_get_stamp(ctx, stamp)) { + ktime_get_coarse_real_ts64(&stamp->ctime); + stamp->serial =3D audit_serial(); } } =20 
@@ -1860,8 +1860,7 @@ struct audit_buffer *audit_log_start(struct audit_con= text *ctx, gfp_t gfp_mask, int type) { struct audit_buffer *ab; - struct timespec64 t; - unsigned int serial; + struct audit_stamp stamp; =20 if (audit_initialized !=3D AUDIT_INITIALIZED) return NULL; @@ -1916,12 +1915,14 @@ struct audit_buffer *audit_log_start(struct audit_c= ontext *ctx, gfp_t gfp_mask, return NULL; } =20 - audit_get_stamp(ab->ctx, &t, &serial); + audit_get_stamp(ab->ctx, &stamp); /* cancel dummy context to enable supporting records */ if (ctx) ctx->dummy =3D 0; audit_log_format(ab, "audit(%llu.%03lu:%u): ", - (unsigned long long)t.tv_sec, t.tv_nsec/1000000, serial); + (unsigned long long)stamp.ctime.tv_sec, + stamp.ctime.tv_nsec/1000000, + stamp.serial); =20 return ab; } diff --git a/kernel/audit.h b/kernel/audit.h index 0211cb307d30..4d6dd2588f9b 100644 --- a/kernel/audit.h +++ b/kernel/audit.h @@ -99,6 +99,12 @@ struct audit_proctitle { char *value; /* the cmdline field */ }; =20 +/* A timestamp/serial pair to identify an event */ +struct audit_stamp { + struct timespec64 ctime; /* time of syscall entry */ + unsigned int serial; /* serial number for record */ +}; + /* The per-task audit context. */ struct audit_context { int dummy; /* must be the first element */ @@ -108,10 +114,9 @@ struct audit_context { AUDIT_CTX_URING, /* in use by io_uring */ } context; enum audit_state state, current_state; - unsigned int serial; /* serial number for record */ + struct audit_stamp stamp; /* event identifier */ int major; /* syscall number */ int uring_op; /* uring operation */ - struct timespec64 ctime; /* time of syscall entry */ unsigned long argv[4]; /* syscall arguments */ long return_code;/* syscall return code */ u64 prio; 
@@ -263,7 +268,7 @@ extern void audit_put_tty(struct tty_struct *tty); extern unsigned int audit_serial(void); #ifdef CONFIG_AUDITSYSCALL extern int auditsc_get_stamp(struct audit_context *ctx, - struct timespec64 *t, unsigned int *serial); + struct audit_stamp *stamp); =20 extern void audit_put_watch(struct audit_watch *watch); extern void audit_get_watch(struct audit_watch *watch); @@ -304,7 +309,7 @@ extern void audit_filter_inodes(struct task_struct *tsk, struct audit_context *ctx); extern struct list_head *audit_killed_trees(void); #else /* CONFIG_AUDITSYSCALL */ -#define auditsc_get_stamp(c, t, s) 0 +#define auditsc_get_stamp(c, s) 0 #define audit_put_watch(w) do { } while (0) #define audit_get_watch(w) do { } while (0) #define audit_to_watch(k, p, l, o) (-EINVAL) diff --git a/kernel/auditsc.c b/kernel/auditsc.c index 78fd876a5473..528b6d2f5cb0 100644 --- a/kernel/auditsc.c +++ b/kernel/auditsc.c @@ -994,10 +994,10 @@ static void audit_reset_context(struct audit_context = *ctx) */ =20 ctx->current_state =3D ctx->state; - ctx->serial =3D 0; + ctx->stamp.serial =3D 0; + ctx->stamp.ctime =3D (struct timespec64){ .tv_sec =3D 0, .tv_nsec =3D 0 }; ctx->major =3D 0; ctx->uring_op =3D 0; - ctx->ctime =3D (struct timespec64){ .tv_sec =3D 0, .tv_nsec =3D 0 }; memset(ctx->argv, 0, sizeof(ctx->argv)); ctx->return_code =3D 0; ctx->prio =3D (ctx->state =3D=3D AUDIT_STATE_RECORD ? ~0ULL : 0); @@ -1917,7 +1917,7 @@ void __audit_uring_entry(u8 op) =20 ctx->context =3D AUDIT_CTX_URING; ctx->current_state =3D ctx->state; - ktime_get_coarse_real_ts64(&ctx->ctime); + ktime_get_coarse_real_ts64(&ctx->stamp.ctime); } =20 /** @@ -2039,7 +2039,7 @@ void __audit_syscall_entry(int major, unsigned long a= 1, unsigned long a2, context->argv[3] =3D a4; context->context =3D AUDIT_CTX_SYSCALL; context->current_state =3D state; - ktime_get_coarse_real_ts64(&context->ctime); + ktime_get_coarse_real_ts64(&context->stamp.ctime); } =20 /** 
@@ -2508,21 +2508,17 @@ EXPORT_SYMBOL_GPL(__audit_inode_child); /** * auditsc_get_stamp - get local copies of audit_context values * @ctx: audit_context for the task - * @t: timespec64 to store time recorded in the audit_context - * @serial: serial value that is recorded in the audit_context + * @stamp: timestamp to record * * Also sets the context as auditable. */ -int auditsc_get_stamp(struct audit_context *ctx, - struct timespec64 *t, unsigned int *serial) +int auditsc_get_stamp(struct audit_context *ctx, struct audit_stamp *stamp) { if (ctx->context =3D=3D AUDIT_CTX_UNUSED) return 0; - if (!ctx->serial) - ctx->serial =3D audit_serial(); - t->tv_sec =3D ctx->ctime.tv_sec; - t->tv_nsec =3D ctx->ctime.tv_nsec; - *serial =3D ctx->serial; + if (!ctx->stamp.serial) + ctx->stamp.serial =3D audit_serial(); + *stamp =3D ctx->stamp; if (!ctx->prio) { ctx->prio =3D 1; ctx->current_state =3D AUDIT_STATE_RECORD; --=20 2.47.0 From nobody Thu Oct 9 01:13:10 2025 Received: from sonic311-30.consmr.mail.ne1.yahoo.com (sonic311-30.consmr.mail.ne1.yahoo.com [66.163.188.211]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 90840221FD4 for ; Sat, 21 Jun 2025 17:19:07 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=66.163.188.211 ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1750526349; cv=none; b=TA92y6A2mbLYenHXH8r/xLIGzgYZRbxlNGsi+68djZ6F8horT7VBZCltWae+t5/JhLGic3YEySXxEkyGYBs+mG+1AQ76XCMXocBkm3wZammsBGcpCB3LM/QFgHlx5oYLTVdsDgC/0lM0fhqEQ/q5mJZCFlikIMNaviJiWfNVVo8= ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1750526349; c=relaxed/simple; bh=f/ieU2SBlQarA4UPMRaLfv1Or/VeNhHMPTpO+QdUsqs=; h=From:To:Cc:Subject:Date:Message-ID:In-Reply-To:References: MIME-Version; 
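Review bot: in the auditsc_get_stamp() hunk the new kernel-doc line `* @stamp: timestamp to record` reads as if @stamp were an input, but the body does `*stamp = ctx->stamp;`, so @stamp is an output that receives a copy of the context's time and serial number; wording it as "@stamp: audit_stamp to receive the context's timestamp and serial number" keeps the parameter doc in step with the summary line "get local copies of audit_context values".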
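Review bot: the field comment `struct timespec64 ctime; /* time of syscall entry */` in the new struct audit_stamp (kernel/audit.h hunk at @@ -99) is narrower than the uses this patch gives the field: audit_get_stamp() fills it with ktime_get_coarse_real_ts64() for records that have no audit_context, and __audit_uring_entry() fills it for io_uring operations, so something like "time the event was stamped" describes it better now that the structure is shared by all three paths.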
From: Casey Schaufler
To: casey@schaufler-ca.com, paul@paul-moore.com, eparis@redhat.com, linux-security-module@vger.kernel.org, audit@vger.kernel.org
Cc: jmorris@namei.org, serge@hallyn.com, keescook@chromium.org, john.johansen@canonical.com, penguin-kernel@i-love.sakura.ne.jp, stephen.smalley.work@gmail.com, linux-kernel@vger.kernel.org, selinux@vger.kernel.org
Subject: [RFC PATCH 02/15] LSM: security_lsmblob_to_secctx module selection
Date: Sat, 21 Jun 2025 10:18:37 -0700
Message-ID: <20250621171851.5869-3-casey@schaufler-ca.com>
X-Mailer: git-send-email 2.47.0
In-Reply-To: <20250621171851.5869-1-casey@schaufler-ca.com>
References: <20250621171851.5869-1-casey@schaufler-ca.com>
Precedence: bulk
X-Mailing-List: linux-kernel@vger.kernel.org
MIME-Version: 1.0
Content-Transfer-Encoding: quoted-printable
Content-Type: text/plain; charset="utf-8"

Add a parameter lsmid to security_lsmblob_to_secctx() to identify which of the security modules that may be active should provide the security context. If the value of lsmid is LSM_ID_UNDEF the first LSM providing a hook is used. security_secid_to_secctx() is unchanged, and will always report the first LSM providing a hook.
Signed-off-by: Casey Schaufler --- include/linux/security.h | 6 ++++-- kernel/audit.c | 4 ++-- kernel/auditsc.c | 8 +++++--- net/netlabel/netlabel_user.c | 3 ++- security/security.c | 13 +++++++++++-- 5 files changed, 24 insertions(+), 10 deletions(-) diff --git a/include/linux/security.h b/include/linux/security.h index c032ec4e95ff..5fbe38521938 100644 --- a/include/linux/security.h +++ b/include/linux/security.h @@ -564,7 +564,8 @@ int security_getprocattr(struct task_struct *p, int lsm= id, const char *name, int security_setprocattr(int lsmid, const char *name, void *value, size_t = size); int security_ismaclabel(const char *name); int security_secid_to_secctx(u32 secid, struct lsm_context *cp); -int security_lsmprop_to_secctx(struct lsm_prop *prop, struct lsm_context *= cp); +int security_lsmprop_to_secctx(struct lsm_prop *prop, struct lsm_context *= cp, + int lsmid); int security_secctx_to_secid(const char *secdata, u32 seclen, u32 *secid); void security_release_secctx(struct lsm_context *cp); void security_inode_invalidate_secctx(struct inode *inode); @@ -1536,7 +1537,8 @@ static inline int security_secid_to_secctx(u32 secid,= struct lsm_context *cp) } =20 static inline int security_lsmprop_to_secctx(struct lsm_prop *prop, - struct lsm_context *cp) + struct lsm_context *cp, + int lsmid) { return -EOPNOTSUPP; } diff --git a/kernel/audit.c b/kernel/audit.c index 547967cb4266..226c8ae00d04 100644 --- a/kernel/audit.c +++ b/kernel/audit.c @@ -1473,7 +1473,7 @@ static int audit_receive_msg(struct sk_buff *skb, str= uct nlmsghdr *nlh, case AUDIT_SIGNAL_INFO: if (lsmprop_is_set(&audit_sig_lsm)) { err =3D security_lsmprop_to_secctx(&audit_sig_lsm, - &lsmctx); + &lsmctx, LSM_ID_UNDEF); if (err < 0) return err; } 
@@ -2188,7 +2188,7 @@ int audit_log_task_context(struct audit_buffer *ab) if (!lsmprop_is_set(&prop)) return 0; =20 - error =3D security_lsmprop_to_secctx(&prop, &ctx); + error =3D security_lsmprop_to_secctx(&prop, &ctx, LSM_ID_UNDEF); if (error < 0) { if (error !=3D -EINVAL) goto error_path; diff --git a/kernel/auditsc.c b/kernel/auditsc.c index 528b6d2f5cb0..322d4e27f28e 100644 --- a/kernel/auditsc.c +++ b/kernel/auditsc.c @@ -1109,7 +1109,7 @@ static int audit_log_pid_context(struct audit_context= *context, pid_t pid, from_kuid(&init_user_ns, auid), from_kuid(&init_user_ns, uid), sessionid); if (lsmprop_is_set(prop)) { - if (security_lsmprop_to_secctx(prop, &ctx) < 0) { + if (security_lsmprop_to_secctx(prop, &ctx, LSM_ID_UNDEF) < 0) { audit_log_format(ab, " obj=3D(none)"); rc =3D 1; } else { @@ -1395,7 +1395,8 @@ static void show_special(struct audit_context *contex= t, int *call_panic) struct lsm_context lsmctx; =20 if (security_lsmprop_to_secctx(&context->ipc.oprop, - &lsmctx) < 0) { + &lsmctx, + LSM_ID_UNDEF) < 0) { *call_panic =3D 1; } else { audit_log_format(ab, " obj=3D%s", lsmctx.context); @@ -1560,7 +1561,8 @@ static void audit_log_name(struct audit_context *cont= ext, struct audit_names *n, if (lsmprop_is_set(&n->oprop)) { struct lsm_context ctx; =20 - if (security_lsmprop_to_secctx(&n->oprop, &ctx) < 0) { + if (security_lsmprop_to_secctx(&n->oprop, &ctx, + LSM_ID_UNDEF) < 0) { if (call_panic) *call_panic =3D 2; } else { diff --git a/net/netlabel/netlabel_user.c b/net/netlabel/netlabel_user.c index 0d04d23aafe7..6d6545297ee3 100644 --- a/net/netlabel/netlabel_user.c +++ b/net/netlabel/netlabel_user.c 
@@ -98,7 +98,8 @@ struct audit_buffer *netlbl_audit_start_common(int type, audit_info->sessionid); =20 if (lsmprop_is_set(&audit_info->prop) && - security_lsmprop_to_secctx(&audit_info->prop, &ctx) > 0) { + security_lsmprop_to_secctx(&audit_info->prop, &ctx, + LSM_ID_UNDEF) > 0) { audit_log_format(audit_buf, " subj=3D%s", ctx.context); security_release_secctx(&ctx); } diff --git a/security/security.c b/security/security.c index 8a4e0f70e49d..e4b596bedb93 100644 --- a/security/security.c +++ b/security/security.c @@ -3756,6 +3756,7 @@ EXPORT_SYMBOL(security_ismaclabel); * security_secid_to_secctx() - Convert a secid to a secctx * @secid: secid * @cp: the LSM context + * @lsmid: which security module to report * * Convert secid to security context. If @cp is NULL the length of the * result will be returned, but no data will be returned. This 
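Review bot: the `+ * @lsmid: which security module to report` line in this hunk lands in the kernel-doc block of security_secid_to_secctx(), whose signature is unchanged (the commit message says so), while the function that actually gains the parameter is security_lsmprop_to_secctx() in the following hunk; move the line into that function's block (the one ending "Return: Return length of data on success, error on failure.") and describe the LSM_ID_UNDEF meaning there, otherwise kernel-doc will warn about an excess parameter on one function and an undocumented one on the other.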
@@ -3782,9 +3783,17 @@ EXPORT_SYMBOL(security_secid_to_secctx); * * Return: Return length of data on success, error on failure. */ -int security_lsmprop_to_secctx(struct lsm_prop *prop, struct lsm_context *= cp) +int security_lsmprop_to_secctx(struct lsm_prop *prop, struct lsm_context *= cp, + int lsmid) { - return call_int_hook(lsmprop_to_secctx, prop, cp); + struct lsm_static_call *scall; + + lsm_for_each_hook(scall, lsmprop_to_secctx) { + if (lsmid !=3D LSM_ID_UNDEF && lsmid !=3D scall->hl->lsmid->id) + continue; + return scall->hl->hook.lsmprop_to_secctx(prop, cp); + } + return LSM_RET_DEFAULT(lsmprop_to_secctx); } EXPORT_SYMBOL(security_lsmprop_to_secctx); =20 --=20 2.47.0 From nobody Thu Oct 9 01:13:10 2025 Received: from sonic303-27.consmr.mail.ne1.yahoo.com (sonic303-27.consmr.mail.ne1.yahoo.com [66.163.188.153]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 7B117223707 for ; Sat, 21 Jun 2025 17:19:11 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=66.163.188.153 ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1750526353; cv=none; b=F7U681MXRIftVbu9n3BHJi5SfxKcpGQhaWpYGZRUgAojAY8K7lDejfZ686mx8tqSXlvYbnN1IIJsxyReTlb5kWl3QEDzWbNATpJFfUUUOJlOZcchu6AU2lRVxgQoT7sWkJ1bb0WzqgsE6Xin01wj1kPRC2MKipkccwiRZqOSMw4= ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1750526353; c=relaxed/simple; bh=XqdJ1A0nznyOImAHTYc9HjLNGrEbUQQs1hNHiZG6OiE=; h=From:To:Cc:Subject:Date:Message-ID:In-Reply-To:References: MIME-Version; b=UVLTD9wym7wDMjcN9lMk3vuSdL5NjSBhSjkpJR1rdevs3h/Dunnwqx2X78VJX5y88mteXz8UJQFKhBubvKDIUzPIgYMn6NKpUOGyCx2bvHJhMHiMs75DHynZfPxdjbKHjSu1oiAaj2Mf/Fp3GBsQ4Pdba6POWGx4aKEYirhQn+Q= ARC-Authentication-Results: i=1; smtp.subspace.kernel.org; dmarc=none (p=none dis=none) header.from=schaufler-ca.com; spf=none smtp.mailfrom=schaufler-ca.com; dkim=pass (2048-bit key) 
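Review bot: the rewritten security_lsmprop_to_secctx() gives a specific lsmid different semantics from the old single call: if the requested module registers no lsmprop_to_secctx hook, `lsm_for_each_hook()` skips every entry and the function returns LSM_RET_DEFAULT(lsmprop_to_secctx) rather than falling back to another provider, which is a reasonable contract but should be spelled out in the function's kernel-doc, whose visible tail still documents neither @lsmid nor what LSM_ID_UNDEF selects. Separately, the Subject and the first sentence of the commit message refer to security_lsmblob_to_secctx(), while every hunk changes security_lsmprop_to_secctx(); the text should use the name that exists in the tree so that git log and the header diff agree.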
From: Casey Schaufler
To: casey@schaufler-ca.com, paul@paul-moore.com, eparis@redhat.com, linux-security-module@vger.kernel.org, audit@vger.kernel.org
Cc: jmorris@namei.org, serge@hallyn.com, keescook@chromium.org, john.johansen@canonical.com, penguin-kernel@i-love.sakura.ne.jp, stephen.smalley.work@gmail.com, linux-kernel@vger.kernel.org, selinux@vger.kernel.org
Subject: [RFC PATCH 03/15] Audit: Add record for multiple task security contexts
Date: Sat, 21 Jun 2025 10:18:38 -0700
Message-ID: <20250621171851.5869-4-casey@schaufler-ca.com>
X-Mailer: git-send-email 2.47.0
In-Reply-To: <20250621171851.5869-1-casey@schaufler-ca.com>
References: <20250621171851.5869-1-casey@schaufler-ca.com>
Precedence: bulk
X-Mailing-List: linux-kernel@vger.kernel.org
MIME-Version: 1.0
Content-Transfer-Encoding: quoted-printable
Content-Type: text/plain; charset="utf-8"

Replace the single skb pointer in an audit_buffer with a list of skb pointers. Add the audit_stamp information to the audit_buffer as there's no guarantee that there will be an audit_context containing the stamp associated with the event. At audit_log_end() time, create the auxiliary records that have been added to the list. Functions are created to manage the skb list in the audit_buffer.

Create a new audit record AUDIT_MAC_TASK_CONTEXTS. An example of the MAC_TASK_CONTEXTS record is:

    type=MAC_TASK_CONTEXTS msg=audit(1600880931.832:113) subj_apparmor=unconfined subj_smack=_

When an audit event includes an AUDIT_MAC_TASK_CONTEXTS record the "subj=" field in other records in the event will be "subj=?". An AUDIT_MAC_TASK_CONTEXTS record is supplied when the system has multiple security modules that may make access decisions based on a subject security context.

Refactor audit_log_task_context(), creating a new audit_log_subj_ctx(). This is used in netlabel auditing to provide multiple subject security contexts as necessary.

Suggested-by: Paul Moore
Signed-off-by: Casey Schaufler --- include/linux/audit.h | 16 +++ include/uapi/linux/audit.h | 1 + kernel/audit.c | 207 +++++++++++++++++++++++++++++------ net/netlabel/netlabel_user.c | 9 +- security/apparmor/lsm.c | 3 + security/lsm.h | 4 - security/lsm_init.c | 5 - security/security.c | 3 - security/selinux/hooks.c | 3 + security/smack/smack_lsm.c | 3 + 10 files changed, 202 insertions(+), 52 deletions(-) diff --git a/include/linux/audit.h b/include/linux/audit.h index 0050ef288ab3..5020939fb8bc 100644 --- a/include/linux/audit.h +++ b/include/linux/audit.h @@ -37,6 +37,8 @@ struct audit_watch; struct audit_tree; struct sk_buff; struct kern_ipc_perm; +struct lsm_id; +struct lsm_prop; =20 struct audit_krule { u32 pflags; @@ -147,6 +149,9 @@ extern unsigned compat_signal_class[]; #define AUDIT_TTY_ENABLE BIT(0) #define AUDIT_TTY_LOG_PASSWD BIT(1) =20 +/* bit values for audit_lsm_secctx */ +#define AUDIT_SECCTX_SUBJECT BIT(0) + struct filename; =20 #define AUDIT_OFF 0 @@ -185,6 +190,7 @@ extern void audit_log_path_denied(int type, const char *operation); extern void audit_log_lost(const char *message); =20 +extern int audit_log_subj_ctx(struct audit_buffer *ab, struct lsm_prop *pr= op); extern int audit_log_task_context(struct audit_buffer *ab); extern void audit_log_task_info(struct audit_buffer *ab); =20 @@ -210,6 +216,8 @@ extern u32 audit_enabled; =20 extern int audit_signal_info(int sig, struct task_struct *t); =20 +extern void audit_lsm_secctx(const struct lsm_id *lsmid, int flags); + #else /* CONFIG_AUDIT */ static inline __printf(4, 5) void audit_log(struct audit_context *ctx, gfp_t gfp_mask, int type, @@ -245,6 +253,11 @@ static inline void audit_log_key(struct audit_buffer *= ab, char *key) { } static inline void audit_log_path_denied(int type, const char *operation) { } +static inline int audit_log_subj_ctx(struct audit_buffer *ab, + struct lsm_prop *prop) +{ + return 0; +} static inline int audit_log_task_context(struct audit_buffer *ab) { return 0; 
@@ -269,6 +282,9 @@ static inline int audit_signal_info(int sig, struct tas= k_struct *t) return 0; } =20 +static inline void audit_lsm_secctx(const struct lsm_id *lsmid, int flags) +{ } + #endif /* CONFIG_AUDIT */ =20 #ifdef CONFIG_AUDIT_COMPAT_GENERIC diff --git a/include/uapi/linux/audit.h b/include/uapi/linux/audit.h index 9a4ecc9f6dc5..8cad2f307719 100644 --- a/include/uapi/linux/audit.h +++ b/include/uapi/linux/audit.h @@ -148,6 +148,7 @@ #define AUDIT_IPE_POLICY_LOAD 1422 /* IPE policy load */ #define AUDIT_LANDLOCK_ACCESS 1423 /* Landlock denial */ #define AUDIT_LANDLOCK_DOMAIN 1424 /* Landlock domain status */ +#define AUDIT_MAC_TASK_CONTEXTS 1425 /* Multiple LSM task contexts */ =20 #define AUDIT_FIRST_KERN_ANOM_MSG 1700 #define AUDIT_LAST_KERN_ANOM_MSG 1799 diff --git a/kernel/audit.c b/kernel/audit.c index 226c8ae00d04..2ddb5d7696da 100644 --- a/kernel/audit.c +++ b/kernel/audit.c @@ -54,6 +54,7 @@ #include #include #include +#include #include #include #include @@ -81,6 +82,11 @@ static u32 audit_failure =3D AUDIT_FAIL_PRINTK; /* private audit network namespace index */ static unsigned int audit_net_id; =20 +/* Number of modules that provide a security context. + List of lsms that provide a security context */ +static u32 audit_subj_secctx_cnt; +static const struct lsm_id *audit_subj_lsms[MAX_LSM_COUNT]; + /** * struct audit_net - audit private network namespace data * @sk: communication socket @@ -195,8 +201,10 @@ static struct audit_ctl_mutex { * to place it on a transmit queue. Multiple audit_buffers can be in * use simultaneously. */ struct audit_buffer { - struct sk_buff *skb; /* formatted skb ready to send */ + struct sk_buff *skb; /* the skb for audit_log functions */ + struct sk_buff_head skb_list; /* formatted skbs, ready to send */ struct audit_context *ctx; /* NULL or associated context */ + struct audit_stamp stamp; /* audit stamp for these records */ gfp_t gfp_mask; }; =20 
@@ -278,6 +286,27 @@ static pid_t auditd_pid_vnr(void) return pid; } =20 +/** + * audit_lsm_secctx - Identify a security module as providing a secctx. + * @lsmid: LSM identity + * @flags: which contexts are provided + * + * Description: + * Increments the count of the security modules providing a secctx. + * If the LSM id is already in the list leave it alone. + */ +void audit_lsm_secctx(const struct lsm_id *lsmid, int flags) +{ + int i; + + if (flags & AUDIT_SECCTX_SUBJECT) { + for (i =3D 0 ; i < audit_subj_secctx_cnt; i++) + if (audit_subj_lsms[i] =3D=3D lsmid) + return; + audit_subj_lsms[audit_subj_secctx_cnt++] =3D lsmid; + } +} + /** * audit_get_sk - Return the audit socket for the given network namespace * @net: the destination network namespace @@ -1776,10 +1805,13 @@ __setup("audit_backlog_limit=3D", audit_backlog_lim= it_set); =20 static void audit_buffer_free(struct audit_buffer *ab) { + struct sk_buff *skb; + if (!ab) return; =20 - kfree_skb(ab->skb); + while ((skb =3D skb_dequeue(&ab->skb_list))) + kfree_skb(skb); kmem_cache_free(audit_buffer_cache, ab); } =20 @@ -1795,6 +1827,10 @@ static struct audit_buffer *audit_buffer_alloc(struc= t audit_context *ctx, ab->skb =3D nlmsg_new(AUDIT_BUFSIZ, gfp_mask); if (!ab->skb) goto err; + + skb_queue_head_init(&ab->skb_list); + skb_queue_tail(&ab->skb_list, ab->skb); + if (!nlmsg_put(ab->skb, 0, 0, type, 0, 0)) goto err; =20 @@ -1860,7 +1896,6 @@ struct audit_buffer *audit_log_start(struct audit_con= text *ctx, gfp_t gfp_mask, int type) { struct audit_buffer *ab; - struct audit_stamp stamp; =20 if (audit_initialized !=3D AUDIT_INITIALIZED) return NULL; 
@@ -1915,14 +1950,14 @@ struct audit_buffer *audit_log_start(struct audit_c= ontext *ctx, gfp_t gfp_mask, return NULL; } =20 - audit_get_stamp(ab->ctx, &stamp); + audit_get_stamp(ab->ctx, &ab->stamp); /* cancel dummy context to enable supporting records */ if (ctx) ctx->dummy =3D 0; audit_log_format(ab, "audit(%llu.%03lu:%u): ", - (unsigned long long)stamp.ctime.tv_sec, - stamp.ctime.tv_nsec/1000000, - stamp.serial); + (unsigned long long)ab->stamp.ctime.tv_sec, + ab->stamp.ctime.tv_nsec/1000000, + ab->stamp.serial); =20 return ab; } 
@@ -2178,31 +2213,128 @@ void audit_log_key(struct audit_buffer *ab, char *= key) audit_log_format(ab, "(null)"); } =20 -int audit_log_task_context(struct audit_buffer *ab) +/** + * audit_buffer_aux_new - Add an aux record buffer to the skb list + * @ab: audit_buffer + * @type: message type + * + * Aux records are allocated and added to the skb list of + * the "main" record. The ab->skb is reset to point to the + * aux record on its creation. When the aux record in complete + * ab->skb has to be reset to point to the "main" record. + * This allows the audit_log_ functions to be ignorant of + * which kind of record it is logging to. It also avoids adding + * special data for aux records. + * + * On success ab->skb will point to the new aux record. + * Returns 0 on success, -ENOMEM should allocation fail. + */ +static int audit_buffer_aux_new(struct audit_buffer *ab, int type) +{ + WARN_ON(ab->skb !=3D skb_peek(&ab->skb_list)); + + ab->skb =3D nlmsg_new(AUDIT_BUFSIZ, ab->gfp_mask); + if (!ab->skb) + goto err; + if (!nlmsg_put(ab->skb, 0, 0, type, 0, 0)) + goto err; + skb_queue_tail(&ab->skb_list, ab->skb); + + audit_log_format(ab, "audit(%llu.%03lu:%u): ", + (unsigned long long)ab->stamp.ctime.tv_sec, + ab->stamp.ctime.tv_nsec/1000000, + ab->stamp.serial); + + return 0; + +err: + kfree_skb(ab->skb); + ab->skb =3D skb_peek(&ab->skb_list); + return -ENOMEM; +} + +/** + * audit_buffer_aux_end - Switch back to the "main" record from an aux rec= ord + * @ab: audit_buffer + * + * Restores the "main" audit record to ab->skb. + */ +static void audit_buffer_aux_end(struct audit_buffer *ab) +{ + ab->skb =3D skb_peek(&ab->skb_list); +} + +/** + * audit_log_subj_ctx - Add LSM subject information + * @ab: audit_buffer + * @prop: LSM subject properties. + * + * Add a subj=3D field and, if necessary, a AUDIT_MAC_TASK_CONTEXTS record. 
+ */ +int audit_log_subj_ctx(struct audit_buffer *ab, struct lsm_prop *prop) { - struct lsm_prop prop; struct lsm_context ctx; + char *space =3D ""; int error; + int i; =20 - security_current_getlsmprop_subj(&prop); - if (!lsmprop_is_set(&prop)) + security_current_getlsmprop_subj(prop); + if (!lsmprop_is_set(prop)) return 0; =20 - error =3D security_lsmprop_to_secctx(&prop, &ctx, LSM_ID_UNDEF); - if (error < 0) { - if (error !=3D -EINVAL) - goto error_path; + if (audit_subj_secctx_cnt < 2) { + error =3D security_lsmprop_to_secctx(prop, &ctx, LSM_ID_UNDEF); + if (error < 0) { + if (error !=3D -EINVAL) + goto error_path; + return 0; + } + audit_log_format(ab, " subj=3D%s", ctx.context); + security_release_secctx(&ctx); return 0; } - - audit_log_format(ab, " subj=3D%s", ctx.context); - security_release_secctx(&ctx); + /* Multiple LSMs provide contexts. Include an aux record. */ + audit_log_format(ab, " subj=3D?"); + error =3D audit_buffer_aux_new(ab, AUDIT_MAC_TASK_CONTEXTS); + if (error) + goto error_path; + + for (i =3D 0; i < audit_subj_secctx_cnt; i++) { + error =3D security_lsmprop_to_secctx(prop, &ctx, + audit_subj_lsms[i]->id); + if (error < 0) { + /* + * Don't print anything. An LSM like BPF could + * claim to support contexts, but only do so under + * certain conditions. 
+ */ + if (error =3D=3D -EOPNOTSUPP) + continue; + if (error !=3D -EINVAL) + audit_panic("error in audit_log_task_context"); + } else { + audit_log_format(ab, "%ssubj_%s=3D%s", space, + audit_subj_lsms[i]->name, ctx.context); + space =3D " "; + security_release_secctx(&ctx); + } + } + audit_buffer_aux_end(ab); return 0; =20 error_path: - audit_panic("error in audit_log_task_context"); + audit_panic("error in audit_log_subj_ctx"); return error; } +EXPORT_SYMBOL(audit_log_subj_ctx); + +int audit_log_task_context(struct audit_buffer *ab) +{ + struct lsm_prop prop; + + security_current_getlsmprop_subj(&prop); + return audit_log_subj_ctx(ab, &prop); +} EXPORT_SYMBOL(audit_log_task_context); =20 void audit_log_d_path_exe(struct audit_buffer *ab, @@ -2411,6 +2543,26 @@ int audit_signal_info(int sig, struct task_struct *t) return audit_signal_info_syscall(t); } =20 +/** + * __audit_log_end - enqueue one audit record + * @skb: the buffer to send + */ +static void __audit_log_end(struct sk_buff *skb) +{ + struct nlmsghdr *nlh; + + if (audit_rate_check()) { + /* setup the netlink header, see the comments in + * kauditd_send_multicast_skb() for length quirks */ + nlh =3D nlmsg_hdr(skb); + nlh->nlmsg_len =3D skb->len - NLMSG_HDRLEN; + + /* queue the netlink packet */ + skb_queue_tail(&audit_queue, skb); + } else + audit_log_lost("rate limit exceeded"); +} + /** * audit_log_end - end one audit record * @ab: the audit_buffer 
@@ -2423,25 +2575,16 @@ int audit_signal_info(int sig, struct task_struct *= t) void audit_log_end(struct audit_buffer *ab) { struct sk_buff *skb; - struct nlmsghdr *nlh; =20 if (!ab) return; =20 - if (audit_rate_check()) { - skb =3D ab->skb; - ab->skb =3D NULL; + while ((skb =3D skb_dequeue(&ab->skb_list))) + __audit_log_end(skb); =20 - /* setup the netlink header, see the comments in - * kauditd_send_multicast_skb() for length quirks */ - nlh =3D nlmsg_hdr(skb); - nlh->nlmsg_len =3D skb->len - NLMSG_HDRLEN; - - /* queue the netlink packet and poke the kauditd thread */ - skb_queue_tail(&audit_queue, skb); + /* poke the kauditd thread */ + if (audit_rate_check()) wake_up_interruptible(&kauditd_wait); - } else - audit_log_lost("rate limit exceeded"); =20 audit_buffer_free(ab); } diff --git a/net/netlabel/netlabel_user.c b/net/netlabel/netlabel_user.c index 6d6545297ee3..0da652844dd6 100644 --- a/net/netlabel/netlabel_user.c +++ b/net/netlabel/netlabel_user.c @@ -84,7 +84,6 @@ struct audit_buffer *netlbl_audit_start_common(int type, struct netlbl_audit *audit_info) { struct audit_buffer *audit_buf; - struct lsm_context ctx; =20 if (audit_enabled =3D=3D AUDIT_OFF) return NULL; @@ -96,13 +95,7 @@ struct audit_buffer *netlbl_audit_start_common(int type, audit_log_format(audit_buf, "netlabel: auid=3D%u ses=3D%u", from_kuid(&init_user_ns, audit_info->loginuid), audit_info->sessionid); - - if (lsmprop_is_set(&audit_info->prop) && - security_lsmprop_to_secctx(&audit_info->prop, &ctx, - LSM_ID_UNDEF) > 0) { - audit_log_format(audit_buf, " subj=3D%s", ctx.context); - security_release_secctx(&ctx); - } + audit_log_subj_ctx(audit_buf, &audit_info->prop); =20 return audit_buf; } diff --git a/security/apparmor/lsm.c b/security/apparmor/lsm.c index db8592bed189..4ba6db93e5b0 100644 --- a/security/apparmor/lsm.c +++ b/security/apparmor/lsm.c 
@@ -2251,6 +2251,9 @@ static int __init apparmor_init(void) security_add_hooks(apparmor_hooks, ARRAY_SIZE(apparmor_hooks), &apparmor_lsmid); =20 + /* Inform the audit system that secctx is used */ + audit_lsm_secctx(&apparmor_lsmid, AUDIT_SECCTX_SUBJECT); + /* Report that AppArmor successfully initialized */ apparmor_initialized =3D 1; if (aa_g_profile_mode =3D=3D APPARMOR_COMPLAIN) diff --git a/security/lsm.h b/security/lsm.h index d1d54540da98..c432dc0c5e30 100644 --- a/security/lsm.h +++ b/security/lsm.h @@ -24,10 +24,6 @@ extern bool lsm_debug; extern unsigned int lsm_count; extern const struct lsm_id *lsm_idlist[]; =20 -/* LSM property configuration */ -extern unsigned int lsm_count_prop_subj; -extern unsigned int lsm_count_prop_obj; - /* LSM blob configuration */ extern struct lsm_blob_sizes blob_sizes; =20 diff --git a/security/lsm_init.c b/security/lsm_init.c index c2ef4db055db..54166688efff 100644 --- a/security/lsm_init.c +++ b/security/lsm_init.c @@ -190,11 +190,6 @@ static void __init lsm_order_append(struct lsm_info *l= sm, const char *src) lsm_order[lsm_count] =3D lsm; lsm_idlist[lsm_count++] =3D lsm->id; =20 - if (lsm->id->flags & LSM_ID_FLG_PROP_SUBJ) - lsm_count_prop_subj++; - if (lsm->id->flags & LSM_ID_FLG_PROP_OBJ) - lsm_count_prop_obj++; - lsm_pr_dbg("enabling LSM %s:%s\n", src, lsm->id->name); } =20 diff --git a/security/security.c b/security/security.c index e4b596bedb93..db85006d2fd5 100644 --- a/security/security.c +++ b/security/security.c @@ -78,9 +78,6 @@ bool lsm_debug __ro_after_init; unsigned int lsm_count __ro_after_init; const struct lsm_id *lsm_idlist[MAX_LSM_COUNT]; =20 -unsigned int lsm_count_prop_subj __ro_after_init; -unsigned int lsm_count_prop_obj __ro_after_init; - struct lsm_blob_sizes blob_sizes; =20 struct kmem_cache *lsm_file_cache; diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c index b00c2627286a..9a64c76839da 100644 --- a/security/selinux/hooks.c +++ b/security/selinux/hooks.c 
@@ -7594,6 +7594,9 @@ static __init int selinux_init(void) /* Set the security state for the initial task. */ cred_init_security(); =20 + /* Inform the audit system that secctx is used */ + audit_lsm_secctx(&selinux_lsmid, AUDIT_SECCTX_SUBJECT); + default_noexec =3D !(VM_DATA_DEFAULT_FLAGS & VM_EXEC); if (!default_noexec) pr_notice("SELinux: virtual memory is executable by default\n"); diff --git a/security/smack/smack_lsm.c b/security/smack/smack_lsm.c index 46ef5ece991c..3a8d9324d040 100644 --- a/security/smack/smack_lsm.c +++ b/security/smack/smack_lsm.c 
@@ -5268,6 +5268,9 @@ static __init int smack_init(void) /* initialize the smack_known_list */ init_smack_known_list(); =20 + /* Inform the audit system that secctx is used */ + audit_lsm_secctx(&smack_lsmid, AUDIT_SECCTX_SUBJECT); + return 0; } =20 --=20 2.47.0

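Review bot: in the kernel/audit.c globals hunk, audit_subj_secctx_cnt and audit_subj_lsms[] are written only from LSM init code through audit_lsm_secctx(), so they should carry __ro_after_init just like the lsm_count_prop_subj counter this patch removes from security.c; the two-line comment above them also needs the kernel's " * " continuation style instead of a bare second line.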
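Review bot: audit_lsm_secctx() stores into audit_subj_lsms[audit_subj_secctx_cnt++] with no check against MAX_LSM_COUNT. Every caller added here registers once from __init code, so the bound holds today, but a `if (WARN_ON(audit_subj_secctx_cnt >= MAX_LSM_COUNT)) return;` in front of the store makes the invariant explicit and keeps a future caller from writing past the array. Minor style: `for (i = 0 ; i < ...` has a stray space before the semicolon.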
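Review bot: in the audit_buffer_alloc() hunk, skb_queue_head_init(&ab->skb_list) runs only after the `if (!ab->skb) goto err;` test, while audit_buffer_free() in the earlier hunk now drains ab->skb_list with skb_dequeue(). If the err label still releases the buffer through audit_buffer_free(), a failed nlmsg_new() walks an uninitialised list head inside an object that came straight from kmem_cache_alloc(). Move skb_queue_head_init() up to just after the cache allocation, ahead of the first goto err, so the free path is safe whichever step fails.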
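Review bot: audit_log_subj_ctx() calls security_current_getlsmprop_subj(prop) on the prop it was handed and so overwrites the caller's value with the current task's subject before converting it. That is harmless in audit_log_task_context(), which fills the prop with the same call one line earlier, but the netlabel hunk passes &audit_info->prop, the subject stored in the netlbl_audit structure, and after this change that stored subject is replaced by whatever task happens to be running the audit call. Drop the getlsmprop call and the lsmprop_is_set() test from audit_log_subj_ctx() and leave them to the callers (audit_log_task_context() already has the prop in hand). Separately, the multi-LSM loop calls audit_panic() on errors other than -EOPNOTSUPP/-EINVAL and then returns 0, whereas the single-LSM path returns the error through error_path; the two paths should report the same thing to the caller.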
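Review bot: in the audit_log_end() hunk each skb now takes its own audit_rate_check() inside __audit_log_end(), and one more audit_rate_check() decides whether to wake kauditd. If audit_rate_check() charges every call against audit_rate_limit, as it does today, an event with N records consumes N+1 tokens, and under limit pressure the main record (carrying subj=?) can be queued while its MAC_TASK_CONTEXTS record is dropped, or the final wake-up check can fail right after records were queued so they sit until the next event arrives. Make one rate decision per event (check once, then either queue every skb on the list or drop them all with a single audit_log_lost()), and drive wake_up_interruptible() from whether anything was queued, e.g. by having __audit_log_end() return a bool.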
From: Casey Schaufler
To: casey@schaufler-ca.com, paul@paul-moore.com, eparis@redhat.com, linux-security-module@vger.kernel.org, audit@vger.kernel.org
Cc: jmorris@namei.org, serge@hallyn.com, keescook@chromium.org, john.johansen@canonical.com, penguin-kernel@i-love.sakura.ne.jp, stephen.smalley.work@gmail.com, linux-kernel@vger.kernel.org, selinux@vger.kernel.org
Subject: [RFC PATCH 04/15] Audit: Add record for multiple object contexts
Date: Sat, 21 Jun 2025 10:18:39 -0700
Message-ID: <20250621171851.5869-5-casey@schaufler-ca.com>
In-Reply-To: <20250621171851.5869-1-casey@schaufler-ca.com>
References: <20250621171851.5869-1-casey@schaufler-ca.com>

Create a new audit record AUDIT_MAC_OBJ_CONTEXTS. An example of the MAC_OBJ_CONTEXTS record is:

type=MAC_OBJ_CONTEXTS msg=audit(1601152467.009:1050): obj_selinux=unconfined_u:object_r:user_home_t:s0

When an audit event includes an AUDIT_MAC_OBJ_CONTEXTS record the "obj=" field in other records in the event will be "obj=?". An AUDIT_MAC_OBJ_CONTEXTS record is supplied when the system has multiple security modules that may make access decisions based on an object security context.

Signed-off-by: Casey Schaufler --- include/linux/audit.h | 7 +++++ include/uapi/linux/audit.h | 1 + kernel/audit.c | 58 +++++++++++++++++++++++++++++++++++++- kernel/auditsc.c | 45 ++++++++--------------------- security/selinux/hooks.c | 3 +- security/smack/smack_lsm.c | 3 +- 6 files changed, 80 insertions(+), 37 deletions(-) diff --git a/include/linux/audit.h b/include/linux/audit.h index 5020939fb8bc..c507fdfcf534 100644 --- a/include/linux/audit.h +++ b/include/linux/audit.h
@@ -151,6 +151,7 @@ extern unsigned compat_signal_class[]; =20 /* bit values for audit_lsm_secctx */ #define AUDIT_SECCTX_SUBJECT BIT(0) +#define AUDIT_SECCTX_OBJECT BIT(1) =20 struct filename; =20 @@ -191,6 +192,7 @@ extern void audit_log_path_denied(int type, extern void audit_log_lost(const char *message); =20 extern int audit_log_subj_ctx(struct audit_buffer *ab, struct lsm_prop *pr= op); +extern int audit_log_obj_ctx(struct audit_buffer *ab, struct lsm_prop *pro= p); extern int audit_log_task_context(struct audit_buffer *ab); extern void audit_log_task_info(struct audit_buffer *ab); =20 @@ -258,6 +260,11 @@ static inline int audit_log_subj_ctx(struct audit_buff= er *ab, { return 0; } +static inline int audit_log_obj_ctx(struct audit_buffer *ab, + struct lsm_prop *prop) +{ + return 0; +} static inline int audit_log_task_context(struct audit_buffer *ab) { return 0; diff --git a/include/uapi/linux/audit.h b/include/uapi/linux/audit.h index 8cad2f307719..14a1c1fe013a 100644 --- a/include/uapi/linux/audit.h +++ b/include/uapi/linux/audit.h @@ -149,6 +149,7 @@ #define AUDIT_LANDLOCK_ACCESS 1423 /* Landlock denial */ #define AUDIT_LANDLOCK_DOMAIN 1424 /* Landlock domain status */ #define AUDIT_MAC_TASK_CONTEXTS 1425 /* Multiple LSM task contexts */ +#define AUDIT_MAC_OBJ_CONTEXTS 1426 /* Multiple LSM objext contexts */ =20 #define AUDIT_FIRST_KERN_ANOM_MSG 1700 #define AUDIT_LAST_KERN_ANOM_MSG 1799 diff --git a/kernel/audit.c b/kernel/audit.c index 2ddb5d7696da..fbb991dec717 100644 --- a/kernel/audit.c +++ b/kernel/audit.c @@ -85,7 +85,9 @@ static unsigned int audit_net_id; /* Number of modules that provide a security context. List of lsms that provide a security context */ static u32 audit_subj_secctx_cnt; +static u32 audit_obj_secctx_cnt; static const struct lsm_id *audit_subj_lsms[MAX_LSM_COUNT]; +static const struct lsm_id *audit_obj_lsms[MAX_LSM_COUNT]; =20 /** * struct audit_net - audit private network namespace data 
@@ -305,6 +307,12 @@ void audit_lsm_secctx(const struct lsm_id *lsmid, int = flags) return; audit_subj_lsms[audit_subj_secctx_cnt++] =3D lsmid; } + if (flags & AUDIT_SECCTX_OBJECT) { + for (i =3D 0 ; i < audit_obj_secctx_cnt; i++) + if (audit_obj_lsms[i] =3D=3D lsmid) + return; + audit_obj_lsms[audit_obj_secctx_cnt++] =3D lsmid; + } } =20 /** @@ -1142,7 +1150,6 @@ static int is_audit_feature_set(int i) return af.features & AUDIT_FEATURE_TO_MASK(i); } =20 - static int audit_get_feature(struct sk_buff *skb) { u32 seq; @@ -2337,6 +2344,55 @@ int audit_log_task_context(struct audit_buffer *ab) } EXPORT_SYMBOL(audit_log_task_context); =20 +int audit_log_obj_ctx(struct audit_buffer *ab, struct lsm_prop *prop) +{ + int i; + int rc; + int error =3D 0; + char *space =3D ""; + struct lsm_context ctx; + + if (audit_obj_secctx_cnt < 2) { + error =3D security_lsmprop_to_secctx(prop, &ctx, LSM_ID_UNDEF); + if (error < 0) { + if (error !=3D -EINVAL) + goto error_path; + return error; + } + audit_log_format(ab, " obj=3D%s", ctx.context); + security_release_secctx(&ctx); + return 0; + } + audit_log_format(ab, " obj=3D?"); + error =3D audit_buffer_aux_new(ab, AUDIT_MAC_OBJ_CONTEXTS); + if (error) + goto error_path; + + for (i =3D 0; i < audit_obj_secctx_cnt; i++) { + rc =3D security_lsmprop_to_secctx(prop, &ctx, + audit_obj_lsms[i]->id); + if (rc < 0) { + audit_log_format(ab, "%sobj_%s=3D?", space, + audit_obj_lsms[i]->name); + if (rc !=3D -EINVAL) + audit_panic("error in audit_log_obj_ctx"); + error =3D rc; + } else { + audit_log_format(ab, "%sobj_%s=3D%s", space, + audit_obj_lsms[i]->name, ctx.context); + security_release_secctx(&ctx); + } + space =3D " "; + } + + audit_buffer_aux_end(ab); + return error; + +error_path: + audit_panic("error in audit_log_obj_ctx"); + return error; +} + void audit_log_d_path_exe(struct audit_buffer *ab, struct mm_struct *mm) { diff --git a/kernel/auditsc.c b/kernel/auditsc.c index 322d4e27f28e..0c28fa33d099 100644 --- a/kernel/auditsc.c 
+++ b/kernel/auditsc.c @@ -1098,7 +1098,6 @@ static int audit_log_pid_context(struct audit_context= *context, pid_t pid, char *comm) { struct audit_buffer *ab; - struct lsm_context ctx; int rc =3D 0; =20 ab =3D audit_log_start(context, GFP_KERNEL, AUDIT_OBJ_PID); @@ -1108,15 +1107,9 @@ static int audit_log_pid_context(struct audit_contex= t *context, pid_t pid, audit_log_format(ab, "opid=3D%d oauid=3D%d ouid=3D%d oses=3D%d", pid, from_kuid(&init_user_ns, auid), from_kuid(&init_user_ns, uid), sessionid); - if (lsmprop_is_set(prop)) { - if (security_lsmprop_to_secctx(prop, &ctx, LSM_ID_UNDEF) < 0) { - audit_log_format(ab, " obj=3D(none)"); - rc =3D 1; - } else { - audit_log_format(ab, " obj=3D%s", ctx.context); - security_release_secctx(&ctx); - } - } + if (lsmprop_is_set(prop) && audit_log_obj_ctx(ab, prop)) + rc =3D 1; + audit_log_format(ab, " ocomm=3D"); audit_log_untrustedstring(ab, comm); audit_log_end(ab); @@ -1392,16 +1385,8 @@ static void show_special(struct audit_context *conte= xt, int *call_panic) from_kgid(&init_user_ns, context->ipc.gid), context->ipc.mode); if (lsmprop_is_set(&context->ipc.oprop)) { - struct lsm_context lsmctx; - - if (security_lsmprop_to_secctx(&context->ipc.oprop, - &lsmctx, - LSM_ID_UNDEF) < 0) { + if (audit_log_obj_ctx(ab, &context->ipc.oprop)) *call_panic =3D 1; - } else { - audit_log_format(ab, " obj=3D%s", lsmctx.context); - security_release_secctx(&lsmctx); - } } if (context->ipc.has_perm) { audit_log_end(ab); 
@@ -1558,18 +1543,9 @@ static void audit_log_name(struct audit_context *con= text, struct audit_names *n, from_kgid(&init_user_ns, n->gid), MAJOR(n->rdev), MINOR(n->rdev)); - if (lsmprop_is_set(&n->oprop)) { - struct lsm_context ctx; - - if (security_lsmprop_to_secctx(&n->oprop, &ctx, - LSM_ID_UNDEF) < 0) { - if (call_panic) - *call_panic =3D 2; - } else { - audit_log_format(ab, " obj=3D%s", ctx.context); - security_release_secctx(&ctx); - } - } + if (lsmprop_is_set(&n->oprop) && + audit_log_obj_ctx(ab, &n->oprop)) + *call_panic =3D 2; =20 /* log the audit_names record type */ switch (n->type) { @@ -1780,15 +1756,16 @@ static void audit_log_exit(void) axs->target_sessionid[i], &axs->target_ref[i], axs->target_comm[i])) - call_panic =3D 1; + call_panic =3D 1; } =20 if (context->target_pid && audit_log_pid_context(context, context->target_pid, context->target_auid, context->target_uid, context->target_sessionid, - &context->target_ref, context->target_comm)) - call_panic =3D 1; + &context->target_ref, + context->target_comm)) + call_panic =3D 1; =20 if (context->pwd.dentry && context->pwd.mnt) { ab =3D audit_log_start(context, GFP_KERNEL, AUDIT_CWD); diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c index 9a64c76839da..9f816e25198a 100644 --- a/security/selinux/hooks.c +++ b/security/selinux/hooks.c @@ -7595,7 +7595,8 @@ static __init int selinux_init(void) cred_init_security(); =20 /* Inform the audit system that secctx is used */ - audit_lsm_secctx(&selinux_lsmid, AUDIT_SECCTX_SUBJECT); + audit_lsm_secctx(&selinux_lsmid, + AUDIT_SECCTX_SUBJECT | AUDIT_SECCTX_OBJECT); =20 default_noexec =3D !(VM_DATA_DEFAULT_FLAGS & VM_EXEC); if (!default_noexec) diff --git a/security/smack/smack_lsm.c b/security/smack/smack_lsm.c index 3a8d9324d040..d363adead435 100644 --- a/security/smack/smack_lsm.c +++ b/security/smack/smack_lsm.c 
@@ -5269,7 +5269,8 @@ static __init int smack_init(void) init_smack_known_list(); =20 /* Inform the audit system that secctx is used */ - audit_lsm_secctx(&smack_lsmid, AUDIT_SECCTX_SUBJECT); + audit_lsm_secctx(&smack_lsmid, + AUDIT_SECCTX_SUBJECT | AUDIT_SECCTX_OBJECT); =20 return 0; } --=20 2.47.0

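Review bot: in the audit_lsm_secctx() hunk the new AUDIT_SECCTX_OBJECT block sits after the subject block, whose duplicate check ends in `return`. An LSM that registered the subject bit earlier and later registers with both bits set never reaches the object block, so audit_obj_lsms[] is silently left incomplete. The kernel-doc promises that a duplicate id is left alone, not that the remaining flags are ignored. Replace the `return` inside each loop with a per-list skip, for instance a small helper that takes the list, its counter and the lsmid and is called once per flag, so the two registrations are independent. The MAX_LSM_COUNT bound check raised on patch 03 applies to audit_obj_lsms[] as well.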
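Review bot: the comment on AUDIT_MAC_OBJ_CONTEXTS in the include/uapi/linux/audit.h hunk reads "Multiple LSM objext contexts"; fix the spelling to "object" before this lands in a UAPI header.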
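Review bot: audit_log_obj_ctx() has no kernel-doc block, unlike its sibling audit_log_subj_ctx() from the previous patch, and is declared in audit.h without an EXPORT_SYMBOL(); add the comment and state the return contract, because it differs from the subject variant in ways a caller cannot see. Here the single-LSM path returns -EINVAL to the caller, and the multi-LSM loop logs every failure as `obj_<lsm>=?` and hands back the last rc, while audit_log_subj_ctx() skips -EOPNOTSUPP silently and returns 0 even after audit_panic(). Pick one rule for which errors are logged as "?", which propagate and which panic, and document it on both functions. The hunk at is_audit_feature_set() only deletes a blank line and belongs in a separate cleanup.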
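Review bot: in the audit_log_pid_context() hunk the removed code wrote " obj=(none)" into the AUDIT_OBJ_PID record when the context could not be converted; after the change to `if (lsmprop_is_set(prop) && audit_log_obj_ctx(ab, prop)) rc = 1;` a failed conversion leaves the record with no obj field at all, because the single-LSM branch of audit_log_obj_ctx() returns before logging. That changes the record layout userspace parsers see; if dropping the marker is intended, say so in the changelog, otherwise emit it on the failure path.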
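Review bot: the audit_log_exit() hunk only re-indents `call_panic = 1;` and reflows the audit_log_pid_context() argument list; whitespace-only changes should go in their own patch so this one stays focused on the object-context record.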
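The two patch descriptions above (03/15 and 04/15) define one convention for anyone consuming the log: when more than one LSM supplies a context, the ordinary record carries subj=? or obj=?, and a MAC_TASK_CONTEXTS or MAC_OBJ_CONTEXTS auxiliary record with the same audit(timestamp:serial) key carries the per-LSM values, with obj_<lsm>=? marking an LSM that could not convert the object. The Python below is an added example for this thread, not code from the patch series, the kernel or the audit userspace tools: it groups records by event key, resolves the per-LSM contexts, and flags an event whose placeholder has no matching auxiliary record, which is what a consumer would see if the auxiliary record were dropped separately from the main one. The log lines are constructed; only the two MAC_*_CONTEXTS lines for events 113 and 1050 are taken from the patch descriptions, and the function names (parse_record, group_events, resolve_event, analyze) and the "inline" key used for single-LSM contexts are the example's own.

```python
"""Join Linux audit records that carry subj=? / obj=? with the
MAC_TASK_CONTEXTS / MAC_OBJ_CONTEXTS auxiliary record of the same event."""
import re
from collections import defaultdict

# Record header: type, the audit(timestamp:serial) event key, then fields.
# The colon after ")" is optional: the MAC_TASK_CONTEXTS example in patch 03
# omits it, the MAC_OBJ_CONTEXTS example in patch 04 has it.
_HEADER = re.compile(
    r'^type=(?P<type>\S+)\s+msg=audit\((?P<ts>\d+\.\d+):(?P<serial>\d+)\):?\s*'
    r'(?P<body>.*)$')
# key=value pairs; the values of interest (LSM contexts) contain no spaces.
_FIELD = re.compile(r'(\S+?)=(\S*)')


def parse_record(line):
    """Split one audit line into type, event key and a field dict, or None."""
    m = _HEADER.match(line.strip())
    if not m:
        return None
    return {
        'type': m.group('type'),
        'event': f"{m.group('ts')}:{m.group('serial')}",
        'fields': dict(_FIELD.findall(m.group('body'))),
    }


def group_events(lines):
    """Group records by their audit(timestamp:serial) key, keeping order."""
    events = defaultdict(list)
    for line in lines:
        rec = parse_record(line)
        if rec is not None:
            events[rec['event']].append(rec)
    return dict(events)


def _collect(records, rec_type, prefix):
    """Gather <prefix><lsm>=<ctx> fields from the aux record of rec_type."""
    out = {}
    for rec in records:
        if rec['type'] == rec_type:
            for key, value in rec['fields'].items():
                if key.startswith(prefix):
                    out[key[len(prefix):]] = value
    return out


def resolve_event(records):
    """Resolve per-LSM subject/object contexts of one event; list problems."""
    subj = _collect(records, 'MAC_TASK_CONTEXTS', 'subj_')
    obj = _collect(records, 'MAC_OBJ_CONTEXTS', 'obj_')
    problems = []
    for rec in records:
        for name, table in (('subj', subj), ('obj', obj)):
            value = rec['fields'].get(name)
            if value is None:
                continue
            if value == '?':
                # Placeholder: the context must come from the aux record.
                if not table:
                    problems.append(f"{rec['type']}: {name}=? but the event "
                                    f"has no MAC_*_CONTEXTS record")
            else:
                # Single-LSM form: context is inline and carries no LSM name
                # ("inline" is this example's own key, not an audit field).
                table.setdefault('inline', value)
    # Patch 04 writes obj_<lsm>=? when that LSM could not convert the object.
    for lsm, value in obj.items():
        if value == '?':
            problems.append(f"MAC_OBJ_CONTEXTS: obj_{lsm} not converted")
    return {'subj': subj, 'obj': obj, 'problems': problems}


def analyze(lines):
    """Map every event key to its resolved contexts and problems."""
    return {key: resolve_event(recs)
            for key, recs in group_events(lines).items()}


# Constructed sample log. The MAC_*_CONTEXTS lines of events 113 and 1050
# reuse the examples from the patch descriptions; every other value
# (syscall numbers, paths, the extra events) is invented for illustration.
SAMPLE_LOG = """\
type=SYSCALL msg=audit(1600880931.832:113): arch=c000003e syscall=59 success=yes exit=0 subj=? key=(null)
type=MAC_TASK_CONTEXTS msg=audit(1600880931.832:113) subj_apparmor=unconfined subj_smack=_
type=PATH msg=audit(1601152467.009:1050): item=0 name="/home/user/notes.txt" obj=? nametype=NORMAL
type=MAC_OBJ_CONTEXTS msg=audit(1601152467.009:1050): obj_selinux=unconfined_u:object_r:user_home_t:s0
type=SYSCALL msg=audit(1601152470.000:1051): arch=c000003e syscall=257 success=yes exit=3 subj=? key=(null)
type=SYSCALL msg=audit(1601152471.000:1052): arch=c000003e syscall=257 success=yes exit=3 subj=unconfined_u:unconfined_r:unconfined_t:s0 key=(null)
type=PATH msg=audit(1601152472.000:1053): item=0 name="/tmp/scratch" obj=? nametype=NORMAL
type=MAC_OBJ_CONTEXTS msg=audit(1601152472.000:1053): obj_selinux=unconfined_u:object_r:user_tmp_t:s0 obj_smack=?
""".splitlines()

if __name__ == '__main__':
    for key, result in analyze(SAMPLE_LOG).items():
        print(key, result)
```

Running the module prints one line per event; event 1051 is reported because its subj=? has no MAC_TASK_CONTEXTS companion, and event 1053 because Smack's object context was logged as "?". A real consumer would read from ausearch or the raw audit.log and key alerts on the problems list rather than printing.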
From: Casey Schaufler
To: casey@schaufler-ca.com, paul@paul-moore.com, eparis@redhat.com, linux-security-module@vger.kernel.org, audit@vger.kernel.org
Cc: jmorris@namei.org, serge@hallyn.com, keescook@chromium.org, john.johansen@canonical.com, penguin-kernel@i-love.sakura.ne.jp, stephen.smalley.work@gmail.com, linux-kernel@vger.kernel.org, selinux@vger.kernel.org
Subject: [RFC PATCH 05/15] LSM: Single calls in secid hooks
Date: Sat, 21 Jun 2025 10:18:40 -0700
Message-ID: <20250621171851.5869-6-casey@schaufler-ca.com>
In-Reply-To: <20250621171851.5869-1-casey@schaufler-ca.com>
References: <20250621171851.5869-1-casey@schaufler-ca.com>

security_socket_getpeersec_stream(), security_socket_getpeersec_dgram()
and security_secctx_to_secid() can only provide a single security
context or secid to their callers. Open code these hooks to return the
first hook provided. Because only one "major" LSM is allowed there will
only be one hook in the list, with the exception being BPF. BPF is not
expected to be using these interfaces.

Signed-off-by: Casey Schaufler
---
 security/security.c | 24 ++++++++++++++++++++----
 1 file changed, 20 insertions(+), 4 deletions(-)

diff --git a/security/security.c b/security/security.c
index db85006d2fd5..2286285f8aea 100644
--- a/security/security.c
+++ b/security/security.c
@@ -3806,8 +3806,13 @@ EXPORT_SYMBOL(security_lsmprop_to_secctx); */ int security_secctx_to_secid(const char *secdata, u32 seclen, u32 *secid) { + struct lsm_static_call *scall; + *secid =3D 0; - return call_int_hook(secctx_to_secid, secdata, seclen, secid); + lsm_for_each_hook(scall, secctx_to_secid) { + return scall->hl->hook.secctx_to_secid(secdata, seclen, secid); + } + return LSM_RET_DEFAULT(secctx_to_secid); } EXPORT_SYMBOL(security_secctx_to_secid); =20 @@ -4268,8 +4273,13 @@ EXPORT_SYMBOL(security_sock_rcv_skb); int security_socket_getpeersec_stream(struct socket *sock, sockptr_t optva= l, sockptr_t optlen, unsigned int len) { - return call_int_hook(socket_getpeersec_stream, sock, optval, optlen, - len); + struct lsm_static_call *scall; + + lsm_for_each_hook(scall, socket_getpeersec_stream) { + return scall->hl->hook.socket_getpeersec_stream(sock, optval, + optlen, len); + } + return LSM_RET_DEFAULT(socket_getpeersec_stream); } =20 /** 
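Review bot: in the security_secctx_to_secid() hunk the lsm_for_each_hook() body returns unconditionally, so the loop runs at most once and its iteration step is unreachable; that is intended here, but it is exactly the construct static checkers flag, and nothing in the code enforces the commit message's assumption that only one module supplies this hook. If a BPF LSM program registered a secctx_to_secid hook and BPF were ordered ahead of the major module, its result would silently shadow the major module's with no diagnostic. Suggest a short comment on the loop saying that the first registered hook is authoritative and why, or better a single helper (e.g. a call_first_int_hook() counterpart to call_int_hook()) shared by all three functions in this patch so the rule lives in one place. Also note that *secid = 0 is still written before the call, so with no hook at all the caller gets secid 0 together with LSM_RET_DEFAULT(); the kernel-doc above the function should state that.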
@@ -4289,7 +4299,13 @@ int security_socket_getpeersec_stream(struct socket = *sock, sockptr_t optval, int security_socket_getpeersec_dgram(struct socket *sock, struct sk_buff *skb, u32 *secid) { - return call_int_hook(socket_getpeersec_dgram, sock, skb, secid); + struct lsm_static_call *scall; + + lsm_for_each_hook(scall, socket_getpeersec_dgram) { + return scall->hl->hook.socket_getpeersec_dgram(sock, skb, + secid); + } + return LSM_RET_DEFAULT(socket_getpeersec_dgram); } EXPORT_SYMBOL(security_socket_getpeersec_dgram); =20 --=20 2.47.0 From nobody Thu Oct 9 01:13:10 2025 Received: from sonic303-27.consmr.mail.ne1.yahoo.com (sonic303-27.consmr.mail.ne1.yahoo.com [66.163.188.153]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 0C72D223704 for ; Sat, 21 Jun 2025 17:20:40 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=66.163.188.153 ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1750526442; cv=none; b=WUy3Ia9yqXYSqgZxB/T+WX/o/P5pFsYE/Q53Z958RVS+jTT8EMXijJNTUDIBLNw81hdySQJAVewkxCUAQaFRLUibtUR2H58iW4EVf5Mb2VtSbRBhfEZR8nx9fvR9bOuQXEw992H6auBfLEI4p2j4nqWbfCYQSoVT30GN58bDQhw= ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1750526442; c=relaxed/simple; bh=UyCJBTfuhEp+Ni4G5mlbGTTMVkJdAVgVfFk2ItfgdCo=; h=From:To:Cc:Subject:Date:Message-ID:In-Reply-To:References: MIME-Version; b=M3ZMIyUBwXbycXRkLHo72vEu87hunuXd+4Fx9CoNerT0JMkC7W2Du+7lBDiLrXJiY1HxKBBE0jfm1OvfIBoBlaAyGfkoN+BKkRqMLX/vlQ8M1mAqCtqb1mtHNvOLN/W8Vyz9yVnKqlP8PHWjyVSTWSE76DrEF1OyZ3+gVYB/pVA= ARC-Authentication-Results: i=1; smtp.subspace.kernel.org; dmarc=none (p=none dis=none) header.from=schaufler-ca.com; spf=none smtp.mailfrom=schaufler-ca.com; dkim=pass (2048-bit key) header.d=yahoo.com header.i=@yahoo.com header.b=SsYp2fBV; arc=none smtp.client-ip=66.163.188.153 Authentication-Results: 
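Review bot: the security_socket_getpeersec_dgram() hunk repeats the same open-coded first-hook loop as the stream and secctx_to_secid hunks, and none of the three touches the kernel-doc block (the /** context visible right after the stream hunk) to say that only the first registered hook is consulted. Since observable behaviour now depends on module order, document it in each function's kernel-doc, and consider factoring the three copies into one macro next to call_int_hook() so the three sites cannot drift apart.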
From: Casey Schaufler
To: casey@schaufler-ca.com, paul@paul-moore.com, eparis@redhat.com, linux-security-module@vger.kernel.org, audit@vger.kernel.org
Cc: jmorris@namei.org, serge@hallyn.com, keescook@chromium.org, john.johansen@canonical.com, penguin-kernel@i-love.sakura.ne.jp, stephen.smalley.work@gmail.com, linux-kernel@vger.kernel.org, selinux@vger.kernel.org
Subject: [RFC PATCH 06/15] LSM: Exclusive secmark usage
Date: Sat, 21 Jun 2025 10:18:41 -0700
Message-ID: <20250621171851.5869-7-casey@schaufler-ca.com>
In-Reply-To: <20250621171851.5869-1-casey@schaufler-ca.com>
References: <20250621171851.5869-1-casey@schaufler-ca.com>

The network secmark can only be used by one security module at a time.
Establish a mechanism to identify to security modules whether they have
access to the secmark. SELinux already incorporates a mechanism, but it
has to be added to Smack and AppArmor.

Signed-off-by: Casey Schaufler
---
 include/linux/lsm_hooks.h        |  1 +
 security/apparmor/include/net.h  |  5 +++++
 security/apparmor/lsm.c          |  7 ++++---
 security/lsm_init.c              |  6 ++++++
 security/selinux/hooks.c         |  4 +++-
 security/smack/smack.h           |  5 +++++
 security/smack/smack_lsm.c       |  3 ++-
 security/smack/smack_netfilter.c | 10 ++++++++--
 8 files changed, 34 insertions(+), 7 deletions(-)

diff --git a/include/linux/lsm_hooks.h b/include/linux/lsm_hooks.h
index 5bc144c5f685..1ad9f8a86b10 100644
--- a/include/linux/lsm_hooks.h
+++ b/include/linux/lsm_hooks.h
@@ -122,6 +122,7 @@ struct lsm_blob_sizes { unsigned int lbs_xattr_count; /* num xattr slots in new_xattrs array */ unsigned int lbs_tun_dev; unsigned int lbs_bdev; + bool lbs_secmark; /* expressed desire for secmark use */ }; =20 /* diff --git a/security/apparmor/include/net.h b/security/apparmor/include/ne= t.h index c42ed8a73f1c..2e43e1e8303c 100644 --- a/security/apparmor/include/net.h +++ b/security/apparmor/include/net.h @@ -51,6 +51,11 @@ struct aa_sk_ctx { struct aa_label *peer; }; =20 +static inline bool aa_secmark(void) +{ + return apparmor_blob_sizes.lbs_secmark; +} + static inline struct aa_sk_ctx *aa_sock(const struct sock *sk) { return sk->sk_security + apparmor_blob_sizes.lbs_sock; diff --git a/security/apparmor/lsm.c b/security/apparmor/lsm.c index 4ba6db93e5b0..255d2e40386f 100644 --- a/security/apparmor/lsm.c +++ b/security/apparmor/lsm.c @@ -1291,7 +1291,7 @@ static int apparmor_socket_sock_rcv_skb(struct sock *= sk, struct sk_buff *skb) { struct aa_sk_ctx *ctx =3D aa_sock(sk); =20 - if (!skb->secmark) + if (!aa_secmark() || !skb->secmark) return 0; =20 /* @@ -1407,7 +1407,7 @@ static int apparmor_inet_conn_request(const struct so= ck *sk, struct sk_buff *skb { struct aa_sk_ctx *ctx =3D aa_sock(sk); =20 - if (!skb->secmark) + if (!aa_secmark() || !skb->secmark) return 0; =20 return apparmor_secmark_check(ctx->label, OP_CONNECT, AA_MAY_CONNECT, @@ -1423,6 +1423,7 @@ struct lsm_blob_sizes apparmor_blob_sizes __ro_after_= init =3D { .lbs_file =3D sizeof(struct aa_file_ctx), .lbs_task =3D sizeof(struct aa_task_ctx), .lbs_sock =3D sizeof(struct aa_sk_ctx), + .lbs_secmark =3D true, }; =20 static const struct lsm_id apparmor_lsmid =3D { @@ -2085,7 +2086,7 @@ static unsigned int apparmor_ip_postroute(void *priv, struct aa_sk_ctx *ctx; struct sock *sk; =20 - if (!skb->secmark) + if (!aa_secmark() || !skb->secmark) return NF_ACCEPT; =20 sk =3D skb_to_full_sk(skb); 
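Review bot: in the lsm_hooks.h hunk the new lbs_secmark member is a bool in a structure whose other members are blob sizes, and its comment ("expressed desire for secmark use") describes only the input side. After lsm_prep_single() (the security/lsm_init.c part of this patch) the same field also records the outcome: it stays true only for the module that was granted the secmark and is cleared for every other module, and aa_secmark()/smack_secmark() read it as that result. The comment should say it is both request and grant, e.g. "wants the secmark; after init, true only if granted", and a name such as lbs_secmark_owner would make the read sites self-explanatory.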
diff --git a/security/lsm_init.c b/security/lsm_init.c index 54166688efff..4e3944c68bc8 100644 --- a/security/lsm_init.c +++ b/security/lsm_init.c @@ -313,6 +313,12 @@ static void __init lsm_prep_single(struct lsm_info *ls= m) lsm_blob_size_update(&blobs->lbs_xattr_count, &blob_sizes.lbs_xattr_count); lsm_blob_size_update(&blobs->lbs_bdev, &blob_sizes.lbs_bdev); + if (blobs->lbs_secmark) { + if (blob_sizes.lbs_secmark) + blobs->lbs_secmark =3D false; + else + blob_sizes.lbs_secmark =3D true; + } } =20 /** diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c index 9f816e25198a..18ab1f13f3f9 100644 --- a/security/selinux/hooks.c +++ b/security/selinux/hooks.c @@ -165,7 +165,8 @@ __setup("checkreqprot=3D", checkreqprot_setup); */ static int selinux_secmark_enabled(void) { - return (selinux_policycap_alwaysnetwork() || + return selinux_blob_sizes.lbs_secmark && + (selinux_policycap_alwaysnetwork() || atomic_read(&selinux_secmark_refcount)); } =20 @@ -7160,6 +7161,7 @@ struct lsm_blob_sizes selinux_blob_sizes __ro_after_i= nit =3D { .lbs_xattr_count =3D SELINUX_INODE_INIT_XATTRS, .lbs_tun_dev =3D sizeof(struct tun_security_struct), .lbs_ib =3D sizeof(struct ib_security_struct), + .lbs_secmark =3D true, }; =20 #ifdef CONFIG_PERF_EVENTS diff --git a/security/smack/smack.h b/security/smack/smack.h index 709e0d6cd5e1..2f7b8d79b69f 100644 --- a/security/smack/smack.h +++ b/security/smack/smack.h @@ -389,6 +389,11 @@ static inline int smk_inode_transmutable(const struct = inode *isp) return (sip->smk_flags & SMK_INODE_TRANSMUTE) !=3D 0; } =20 +static inline bool smack_secmark(void) +{ + return smack_blob_sizes.lbs_secmark; +} + /* * Present a pointer to the smack label entry in an inode blob. */ diff --git a/security/smack/smack_lsm.c b/security/smack/smack_lsm.c index d363adead435..c8c173bb9cc3 100644 --- a/security/smack/smack_lsm.c +++ b/security/smack/smack_lsm.c 
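Review bot: the lsm_prep_single() hunk resolves contention for the secmark silently: the first module in initialization order that set lbs_secmark keeps it and each later one has its flag cleared without any message. For an administrator the only symptom is that selinux_secmark_enabled() (gated in the hooks.c hunk of this patch) now returns false and secmark-based policy simply stops matching. Suggest a pr_info() naming the module that was granted the secmark and a pr_warn() for each module that asked and was refused, plus a sentence in the lsm= boot parameter documentation saying that module order decides secmark ownership.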
@@ -4102,7 +4102,7 @@ static int smk_skb_to_addr_ipv6(struct sk_buff *skb, = struct sockaddr_in6 *sip) #ifdef CONFIG_NETWORK_SECMARK static struct smack_known *smack_from_skb(struct sk_buff *skb) { - if (skb =3D=3D NULL || skb->secmark =3D=3D 0) + if (!smack_secmark() || skb =3D=3D NULL || skb->secmark =3D=3D 0) return NULL; =20 return smack_from_secid(skb->secmark); @@ -5030,6 +5030,7 @@ struct lsm_blob_sizes smack_blob_sizes __ro_after_ini= t =3D { .lbs_sock =3D sizeof(struct socket_smack), .lbs_superblock =3D sizeof(struct superblock_smack), .lbs_xattr_count =3D SMACK_INODE_INIT_XATTRS, + .lbs_secmark =3D true, }; =20 static const struct lsm_id smack_lsmid =3D { diff --git a/security/smack/smack_netfilter.c b/security/smack/smack_netfil= ter.c index 17ba578b1308..1dcaba0d224a 100644 --- a/security/smack/smack_netfilter.c +++ b/security/smack/smack_netfilter.c @@ -26,7 +26,7 @@ static unsigned int smack_ip_output(void *priv, struct socket_smack *ssp; struct smack_known *skp; =20 - if (sk) { + if (smack_secmark() && sk) { ssp =3D smack_sock(sk); skp =3D ssp->smk_out; skb->secmark =3D skp->smk_secid; @@ -54,12 +54,18 @@ static const struct nf_hook_ops smack_nf_ops[] =3D { =20 static int __net_init smack_nf_register(struct net *net) { + if (!smack_secmark()) + return 0; + return nf_register_net_hooks(net, smack_nf_ops, ARRAY_SIZE(smack_nf_ops)); } =20 static void __net_exit smack_nf_unregister(struct net *net) { + if (!smack_secmark()) + return; + nf_unregister_net_hooks(net, smack_nf_ops, ARRAY_SIZE(smack_nf_ops)); } =20 
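Review bot: the smack_blob_sizes hunk sets .lbs_secmark = true unconditionally, but Smack's consumer of the secmark, smack_from_skb(), is compiled only under #ifdef CONFIG_NETWORK_SECMARK (visible at the top of the smack_lsm.c hunk), and the netfilter hooks that set it live in a separately built file. With that configuration off, a Smack registered first would still claim the secmark and deny it to SELinux while never using it. Guard the initializer, e.g. .lbs_secmark = IS_ENABLED(CONFIG_NETWORK_SECMARK); the same applies to the AppArmor and SELinux blob_sizes hunks earlier in this patch.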
@@ -70,7 +76,7 @@ static struct pernet_operations smack_net_ops =3D { =20 int __init smack_nf_ip_init(void) { - if (smack_enabled =3D=3D 0) + if (smack_enabled =3D=3D 0 || !smack_secmark()) return 0; =20 printk(KERN_DEBUG "Smack: Registering netfilter hooks\n"); --=20 2.47.0 From nobody Thu Oct 9 01:13:10 2025 Received: from sonic310-30.consmr.mail.ne1.yahoo.com (sonic310-30.consmr.mail.ne1.yahoo.com [66.163.186.211]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id C84622459FF for ; Sat, 21 Jun 2025 17:20:48 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=66.163.186.211 ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1750526452; cv=none; b=cro7U59rgZsCwdM/f6or1P1C8cO7NG2qa83Vu485B9uNjP+jpI8r8dTtaL2ut+H0nAB6gmK63x7RrwFDZlfcjud4MsG6FCeo1yxSvMjyt5jhgWpnUoMhLp9EbJl76OZKNoqirM5GEmniq14VQdzE4BzRg/vChKbcT1CCZOZH7sM= ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1750526452; c=relaxed/simple; bh=aGOH+aAyANs+mfgpijgWGmqq9R5UIKA9AhxcYrw7YSs=; h=From:To:Cc:Subject:Date:Message-ID:In-Reply-To:References: MIME-Version; b=ijPNxE4RE1eNqGc8s5N4XtM5hvUOY6xjnF3Z5lpEl7Rc08HBG90Ob/8xjhNXKWjo5SJhhgeZlkeUUU8XhPuxJbH/uHxnqiedy3IeOC9NZVH6ZcuciU0vdn89Y+s2wfHAxbi8JJGN5q1HNU0kddMtgO8bR2AbSt1IgiTMH7O3TeM= ARC-Authentication-Results: i=1; smtp.subspace.kernel.org; dmarc=none (p=none dis=none) header.from=schaufler-ca.com; spf=none smtp.mailfrom=schaufler-ca.com; dkim=pass (2048-bit key) header.d=yahoo.com header.i=@yahoo.com header.b=XFqs2s88; arc=none smtp.client-ip=66.163.186.211 Authentication-Results: smtp.subspace.kernel.org; dmarc=none (p=none dis=none) header.from=schaufler-ca.com Authentication-Results: smtp.subspace.kernel.org; spf=none smtp.mailfrom=schaufler-ca.com Authentication-Results: smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=yahoo.com header.i=@yahoo.com 
From: Casey Schaufler
To: casey@schaufler-ca.com, paul@paul-moore.com, eparis@redhat.com, linux-security-module@vger.kernel.org, audit@vger.kernel.org
Cc: jmorris@namei.org, serge@hallyn.com, keescook@chromium.org, john.johansen@canonical.com, penguin-kernel@i-love.sakura.ne.jp, stephen.smalley.work@gmail.com, linux-kernel@vger.kernel.org, selinux@vger.kernel.org
Subject: [RFC PATCH 07/15] Audit: Call only the first of the audit rule hooks
Date: Sat, 21 Jun 2025 10:18:42 -0700
Message-ID: <20250621171851.5869-8-casey@schaufler-ca.com>
In-Reply-To: <20250621171851.5869-1-casey@schaufler-ca.com>
References: <20250621171851.5869-1-casey@schaufler-ca.com>

The audit system is not (yet) capable of distinguishing between audit
rules specified for multiple security modules. Call only the first
registered of the audit rule hooks. The order of registration, which
can be specified with the lsm= boot parameter, is hence an important
consideration.

Signed-off-by: Casey Schaufler
---
 security/security.c | 30 ++++++++++++++++++++++++++----
 1 file changed, 26 insertions(+), 4 deletions(-)

diff --git a/security/security.c b/security/security.c
index 2286285f8aea..93d4ac39fe9f 100644
--- a/security/security.c
+++ b/security/security.c
@@ -5056,7 +5056,13 @@ void security_key_post_create_or_update(struct key *= keyring, struct key *key, int security_audit_rule_init(u32 field, u32 op, char *rulestr, void **lsmr= ule, gfp_t gfp) { - return call_int_hook(audit_rule_init, field, op, rulestr, lsmrule, gfp); + struct lsm_static_call *scall; + + lsm_for_each_hook(scall, audit_rule_init) { + return scall->hl->hook.audit_rule_init(field, op, rulestr, + lsmrule, gfp); + } + return LSM_RET_DEFAULT(audit_rule_init); } =20 /**
@@ -5070,7 +5076,12 @@ int security_audit_rule_init(u32 field, u32 op, char= *rulestr, void **lsmrule, */ int security_audit_rule_known(struct audit_krule *krule) { - return call_int_hook(audit_rule_known, krule); + struct lsm_static_call *scall; + + lsm_for_each_hook(scall, audit_rule_known) { + return scall->hl->hook.audit_rule_known(krule); + } + return LSM_RET_DEFAULT(audit_rule_known); } =20 /** @@ -5082,7 +5093,12 @@ int security_audit_rule_known(struct audit_krule *kr= ule) */ void security_audit_rule_free(void *lsmrule) { - call_void_hook(audit_rule_free, lsmrule); + struct lsm_static_call *scall; + + lsm_for_each_hook(scall, audit_rule_free) { + scall->hl->hook.audit_rule_free(lsmrule); + return; + } } =20 /** 
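Review bot: the security_audit_rule_free() hunk hands lsmrule to the first registered audit_rule_free hook, while the object was allocated by the first registered audit_rule_init hook. Those are two independent static-call lists, so "first" names the same module only if every module that implements one of the audit_rule_* hooks implements all of them; a module providing audit_rule_init but not audit_rule_free would make a later module free memory it never allocated. Worth a comment stating that the four hooks must be implemented as a set, or a check at registration time that rejects a partial set.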
@@ -5101,7 +5117,13 @@ void security_audit_rule_free(void *lsmrule) int security_audit_rule_match(struct lsm_prop *prop, u32 field, u32 op, void *lsmrule) { - return call_int_hook(audit_rule_match, prop, field, op, lsmrule); + struct lsm_static_call *scall; + + lsm_for_each_hook(scall, audit_rule_match) { + return scall->hl->hook.audit_rule_match(prop, field, op, + lsmrule); + } + return LSM_RET_DEFAULT(audit_rule_match); } #endif /* CONFIG_AUDIT */ =20 --=20 2.47.0 From nobody Thu Oct 9 01:13:10 2025 Received: from sonic306-27.consmr.mail.ne1.yahoo.com (sonic306-27.consmr.mail.ne1.yahoo.com [66.163.189.89]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id D28892571AA for ; Sat, 21 Jun 2025 17:22:18 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=66.163.189.89 ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1750526540; cv=none; b=f2lrXyaHh+IJa+7Y6TtBcvW8IPtFEQEA89LPurD1ZZl/Tf1titV4w/lC1MrBy5zPoiD3UtmdM9Bcv85+qJHAuWaqtrK0N3LgIQg07PvhtyYgslYYjPeuT0zfOfrjjw92Eyzf/9Ybw1HPp3EEoBdYTObtm0zuEU3pj0CakkDUxns= ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1750526540; c=relaxed/simple; bh=cXiQebxgLX00fT/tSH95ainL+DuArcuKLJT9NWIis24=; h=From:To:Cc:Subject:Date:Message-ID:In-Reply-To:References: MIME-Version; b=ZaXGJSinTw/G7W4pkrycgFfcHD194FpF8smVXyR8fbCm+3YGI3LWfhAcK2hc09cAKH0/x0n0z4WxLY5HueB7MiUAlTHq3zw5VPKPg3jxA7C2d9samgd2ln+DBcXwjr8icdMmdiy3bN/5NtvfihI2MgE8OQLNzgGpQ6F7WuUyDDA= ARC-Authentication-Results: i=1; smtp.subspace.kernel.org; dmarc=none (p=none dis=none) header.from=schaufler-ca.com; spf=none smtp.mailfrom=schaufler-ca.com; dkim=pass (2048-bit key) header.d=yahoo.com header.i=@yahoo.com header.b=Mx9YMRUr; arc=none smtp.client-ip=66.163.189.89 Authentication-Results: smtp.subspace.kernel.org; dmarc=none (p=none dis=none) header.from=schaufler-ca.com 
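Review bot: the security_audit_rule_match() hunk evaluates prop, which carries attributes from every active module, against a rule that only the first registered module parsed and can interpret, so a rule written in a second module's label syntax will be compiled and evaluated by the wrong module with no error reported to auditctl. The commit message says lsm= order is now significant, but none of the four kernel-doc blocks (the /** lines in the hunk context) is updated to say that only the first registered hook is called; please document that there and consider logging once at init which module owns audit rule processing.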
From: Casey Schaufler
To: casey@schaufler-ca.com, paul@paul-moore.com, eparis@redhat.com, linux-security-module@vger.kernel.org, audit@vger.kernel.org
Cc: jmorris@namei.org, serge@hallyn.com, keescook@chromium.org, john.johansen@canonical.com, penguin-kernel@i-love.sakura.ne.jp, stephen.smalley.work@gmail.com, linux-kernel@vger.kernel.org, selinux@vger.kernel.org
Subject: [RFC PATCH 08/15] AppArmor: Remove the exclusive flag
Date: Sat, 21 Jun 2025 10:18:43 -0700
Message-ID: <20250621171851.5869-9-casey@schaufler-ca.com>
In-Reply-To: <20250621171851.5869-1-casey@schaufler-ca.com>

With the preceding audit changes AppArmor no longer needs to be treated as an "exclusive" security module. Remove the flag that indicates it is exclusive.

Signed-off-by: Casey Schaufler
---
security/apparmor/lsm.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/security/apparmor/lsm.c b/security/apparmor/lsm.c
index 255d2e40386f..ac38864d9bce 100644
--- a/security/apparmor/lsm.c
+++ b/security/apparmor/lsm.c
@@ -2278,7 +2278,7 @@ static int __init apparmor_init(void) =20 DEFINE_LSM(apparmor) =3D { .id =3D &apparmor_lsmid, - .flags =3D LSM_FLAG_LEGACY_MAJOR | LSM_FLAG_EXCLUSIVE, + .flags =3D LSM_FLAG_LEGACY_MAJOR, .enabled =3D &apparmor_enabled, .blobs =3D &apparmor_blob_sizes, .init =3D apparmor_init, --=20 2.47.0
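Review bot: the justification "with the preceding audit changes" does not say which patches in this series are meant. Dropping LSM_FLAG_EXCLUSIVE from DEFINE_LSM(apparmor) is what allows AppArmor to be loaded alongside SELinux or Smack, so the commit message should name the earlier patches (and the audit interfaces they changed) that removed the last reason for exclusivity; a reviewer then has something concrete to check when confirming that nothing else in security/apparmor/lsm.c still assumes it is the only major module.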
From: Casey Schaufler
To: casey@schaufler-ca.com, paul@paul-moore.com, eparis@redhat.com, linux-security-module@vger.kernel.org, audit@vger.kernel.org
Cc: jmorris@namei.org, serge@hallyn.com, keescook@chromium.org, john.johansen@canonical.com, penguin-kernel@i-love.sakura.ne.jp, stephen.smalley.work@gmail.com, linux-kernel@vger.kernel.org, selinux@vger.kernel.org
Subject: [RFC PATCH 09/15] LSM: Add mount opts blob size tracking
Date: Sat, 21 Jun 2025 10:18:44 -0700
Message-ID: <20250621171851.5869-10-casey@schaufler-ca.com>
In-Reply-To: <20250621171851.5869-1-casey@schaufler-ca.com>

Add mount option data to the blob size accounting in anticipation of using a shared mnt_opts blob.

Signed-off-by: Casey Schaufler
---
include/linux/lsm_hooks.h | 1 +
security/lsm_init.c | 2 ++
security/selinux/hooks.c | 1 +
security/smack/smack_lsm.c | 1 +
4 files changed, 5 insertions(+)

diff --git a/include/linux/lsm_hooks.h b/include/linux/lsm_hooks.h
index 1ad9f8a86b10..2e3b1559714c 100644
--- a/include/linux/lsm_hooks.h
+++ b/include/linux/lsm_hooks.h
@@ -122,6 +122,7 @@ struct lsm_blob_sizes { unsigned int lbs_xattr_count; /* num xattr slots in new_xattrs array */ unsigned int lbs_tun_dev; unsigned int lbs_bdev; + unsigned int lbs_mnt_opts; bool lbs_secmark; /* expressed desire for secmark use */ }; =20
diff --git a/security/lsm_init.c b/security/lsm_init.c
index 4e3944c68bc8..d27a457627ed 100644
--- a/security/lsm_init.c
+++ b/security/lsm_init.c @@ -313,6 +313,7 @@ static void __init lsm_prep_single(struct lsm_info *lsm) lsm_blob_size_update(&blobs->lbs_xattr_count, &blob_sizes.lbs_xattr_count); lsm_blob_size_update(&blobs->lbs_bdev, &blob_sizes.lbs_bdev); + lsm_blob_size_update(&blobs->lbs_mnt_opts, &blob_sizes.lbs_mnt_opts); if (blobs->lbs_secmark) { if (blob_sizes.lbs_secmark) blobs->lbs_secmark =3D false; @@ -460,6 +461,7 @@ int __init security_init(void) lsm_pr("blob(tun_dev) size %d\n", blob_sizes.lbs_tun_dev); lsm_pr("blob(xattr) count %d\n", blob_sizes.lbs_xattr_count); lsm_pr("blob(bdev) size %d\n", blob_sizes.lbs_bdev); + lsm_pr("blob(mnt_opts) size %d\n", blob_sizes.lbs_mnt_opts); } =20 if (blob_sizes.lbs_file) diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c index 18ab1f13f3f9..c86b430f34c3 100644 --- a/security/selinux/hooks.c +++ b/security/selinux/hooks.c @@ -7161,6 +7161,7 @@ struct lsm_blob_sizes selinux_blob_sizes __ro_after_i= nit =3D { .lbs_xattr_count =3D SELINUX_INODE_INIT_XATTRS, .lbs_tun_dev =3D sizeof(struct tun_security_struct), .lbs_ib =3D sizeof(struct ib_security_struct), + .lbs_mnt_opts =3D sizeof(struct selinux_mnt_opts), .lbs_secmark =3D true, }; =20 diff --git a/security/smack/smack_lsm.c b/security/smack/smack_lsm.c index c8c173bb9cc3..956dce6b1e97 100644 --- a/security/smack/smack_lsm.c +++ b/security/smack/smack_lsm.c 
@@ -5030,6 +5030,7 @@ struct lsm_blob_sizes smack_blob_sizes __ro_after_ini= t =3D { .lbs_sock =3D sizeof(struct socket_smack), .lbs_superblock =3D sizeof(struct superblock_smack), .lbs_xattr_count =3D SMACK_INODE_INIT_XATTRS, + .lbs_mnt_opts =3D sizeof(struct smack_mnt_opts), .lbs_secmark =3D true, }; =20
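Review bot: in the lsm_hooks.h hunk the new `unsigned int lbs_mnt_opts;` member of struct lsm_blob_sizes carries no comment, unlike the neighbouring lbs_xattr_count and lbs_secmark; a short `/* size of per-LSM mount option data */` would tell readers that this is a size each module requests and that lsm_prep_single() folds into the shared blob_sizes total through lsm_blob_size_update(), exactly like the other blobs in that hunk. The SELinux and Smack hunks, which size it from struct selinux_mnt_opts and struct smack_mnt_opts, are consistent with that reading.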
From: Casey Schaufler
To: casey@schaufler-ca.com, paul@paul-moore.com, eparis@redhat.com, linux-security-module@vger.kernel.org, audit@vger.kernel.org
Cc: jmorris@namei.org, serge@hallyn.com, keescook@chromium.org, john.johansen@canonical.com, penguin-kernel@i-love.sakura.ne.jp, stephen.smalley.work@gmail.com, linux-kernel@vger.kernel.org, selinux@vger.kernel.org
Subject: [RFC PATCH 10/15] LSM: allocate mnt_opts blobs instead of module specific data
Date: Sat, 21 Jun 2025 10:18:45 -0700
Message-ID: <20250621171851.5869-11-casey@schaufler-ca.com>
In-Reply-To: <20250621171851.5869-1-casey@schaufler-ca.com>

Replace allocations of LSM specific mount data with the shared mnt_opts blob.

Signed-off-by: Casey Schaufler
---
include/linux/lsm_hooks.h | 1 +
security/security.c | 12 ++++++++++++
security/selinux/hooks.c | 10 +++++++---
security/smack/smack_lsm.c | 4 ++--
4 files changed, 22 insertions(+), 5 deletions(-)

diff --git a/include/linux/lsm_hooks.h b/include/linux/lsm_hooks.h
index 2e3b1559714c..38f89762c0df 100644
--- a/include/linux/lsm_hooks.h
+++ b/include/linux/lsm_hooks.h @@ -220,4 +220,5 @@ static inline struct xattr *lsm_get_xattr_slot(struct x= attr *xattrs, return &xattrs[(*xattr_count)++]; } =20 +extern void *lsm_mnt_opts_alloc(gfp_t priority); #endif /* ! __LINUX_LSM_HOOKS_H */ diff --git a/security/security.c b/security/security.c index 93d4ac39fe9f..98a80078b2df 100644 --- a/security/security.c +++ b/security/security.c @@ -901,6 +901,18 @@ void security_sb_free(struct super_block *sb) sb->s_security =3D NULL; } =20 +/** + * lsm_mnt_opts_alloc - allocate a mnt_opts blob + * @priority: memory allocation priority + * + * Returns a newly allocated mnt_opts blob or NULL if + * memory isn't available. + */ +void *lsm_mnt_opts_alloc(gfp_t priority) +{ + return kzalloc(blob_sizes.lbs_mnt_opts, priority); +} + /** * security_free_mnt_opts() - Free memory associated with mount options * @mnt_opts: LSM processed mount options diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c index c86b430f34c3..8e0671920e3a 100644 --- a/security/selinux/hooks.c +++ b/security/selinux/hooks.c @@ -2809,7 +2809,7 @@ static int selinux_fs_context_submount(struct fs_cont= ext *fc, if (!(sbsec->flags & (FSCONTEXT_MNT|CONTEXT_MNT|DEFCONTEXT_MNT))) return 0; =20 - opts =3D kzalloc(sizeof(*opts), GFP_KERNEL); + opts =3D lsm_mnt_opts_alloc(GFP_KERNEL); if (!opts) return -ENOMEM; =20 @@ -2831,8 +2831,12 @@ static int selinux_fs_context_dup(struct fs_context = *fc, if (!src) return 0; =20 - fc->security =3D kmemdup(src, sizeof(*src), GFP_KERNEL); - return fc->security ? 0 : -ENOMEM; + fc->security =3D lsm_mnt_opts_alloc(GFP_KERNEL); + if (!fc->security) + return -ENOMEM; + + memcpy(fc->security, src, sizeof(*src)); + return 0; } =20 static const struct fs_parameter_spec selinux_fs_parameters[] =3D { diff --git a/security/smack/smack_lsm.c b/security/smack/smack_lsm.c index 956dce6b1e97..0cc24b57bb52 100644 --- a/security/smack/smack_lsm.c +++ b/security/smack/smack_lsm.c 
@@ -622,7 +622,7 @@ static int smack_fs_context_submount(struct fs_context = *fc, struct smack_mnt_opts *ctx; struct inode_smack *isp; =20 - ctx =3D kzalloc(sizeof(*ctx), GFP_KERNEL); + ctx =3D lsm_mnt_opts_alloc(GFP_KERNEL); if (!ctx) return -ENOMEM; fc->security =3D ctx; 
@@ -673,7 +673,7 @@ static int smack_fs_context_dup(struct fs_context *fc, if (!src) return 0; =20 - fc->security =3D kzalloc(sizeof(struct smack_mnt_opts), GFP_KERNEL); + fc->security =3D lsm_mnt_opts_alloc(GFP_KERNEL); if (!fc->security) return -ENOMEM; =20
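Review bot: in the security.c hunk, lsm_mnt_opts_alloc() hands blob_sizes.lbs_mnt_opts to kzalloc() unchecked; when no enabled module has requested mount option space that size is 0, and kzalloc(0, ...) returns ZERO_SIZE_PTR rather than NULL, so the `if (!opts)` and `if (!fc->security)` tests in the callers pass and a later write into the blob faults. Returning NULL (or warning) when blob_sizes.lbs_mnt_opts is 0 would make the helper safe for any future caller outside SELinux and Smack. On style, the kernel-doc line `lsm_mnt_opts_alloc - allocate a mnt_opts blob` should use the `lsm_mnt_opts_alloc() - ...` form that the adjacent security_free_mnt_opts() comment in the same hunk uses.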
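Review bot: in the selinux_fs_context_dup() hunk the new blob is blob_sizes.lbs_mnt_opts bytes, which is the sum of every enabled module's request, yet `memcpy(fc->security, src, sizeof(*src))` copies the SELinux struct at offset 0 and the selinux_fs_context_submount() hunk likewise treats the whole blob as SELinux's; the two Smack hunks do the same with struct smack_mnt_opts. That only works while a single module owns the blob, so this patch is an intermediate state; a sentence in the commit message saying that per-module offsets into the blob follow in the next patch would spare reviewers the question.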
From: Casey Schaufler
To: casey@schaufler-ca.com, paul@paul-moore.com, eparis@redhat.com, linux-security-module@vger.kernel.org, audit@vger.kernel.org
Cc: jmorris@namei.org, serge@hallyn.com, keescook@chromium.org, john.johansen@canonical.com, penguin-kernel@i-love.sakura.ne.jp, stephen.smalley.work@gmail.com, linux-kernel@vger.kernel.org, selinux@vger.kernel.org
Subject: [RFC PATCH 11/15] LSM: Infrastructure management of the mnt_opts security blob
Date: Sat, 21 Jun 2025 10:18:46 -0700
Message-ID: <20250621171851.5869-12-casey@schaufler-ca.com>
In-Reply-To: <20250621171851.5869-1-casey@schaufler-ca.com>

Move management of the mnt_opts->security blob out of the individual security modules and into the security infrastructure. Blobs are still allocated within the modules as they are only required when mount options are present. The modules tell the infrastructure how much space is required, and the space is allocated if needed. Modules can no longer count on the presence of a blob implying that mount options specific to that module are present, so flags are added to the module specific blobs to indicate that this module has options.

Signed-off-by: Casey Schaufler
---
security/security.c | 14 ++++-----
security/selinux/hooks.c | 58 +++++++++++++++++++++++-------------
security/smack/smack_lsm.c | 61 ++++++++++++++++++++++++++------------
3 files changed, 85 insertions(+), 48 deletions(-)

diff --git a/security/security.c b/security/security.c
index 98a80078b2df..dd167a872248 100644
--- a/security/security.c
+++ b/security/security.c
@@ -840,17 +840,14 @@ int security_fs_context_parse_param(struct fs_context= *fc, struct fs_parameter *param) { struct lsm_static_call *scall; - int trc; - int rc =3D -ENOPARAM; + int rc; =20 lsm_for_each_hook(scall, fs_context_parse_param) { - trc =3D scall->hl->hook.fs_context_parse_param(fc, param); - if (trc =3D=3D 0) - rc =3D 0; - else if (trc !=3D -ENOPARAM) - return trc; + rc =3D scall->hl->hook.fs_context_parse_param(fc, param); + if (rc !=3D -ENOPARAM) + return rc; } - return rc; + return -ENOPARAM; } =20 /** @@ -924,6 +921,7 @@ void security_free_mnt_opts(void **mnt_opts) if (!*mnt_opts) return; call_void_hook(sb_free_mnt_opts, *mnt_opts); + kfree(*mnt_opts); *mnt_opts =3D NULL; } EXPORT_SYMBOL(security_free_mnt_opts); diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c index 8e0671920e3a..636a38449253 100644 --- a/security/selinux/hooks.c +++ b/security/selinux/hooks.c @@ -379,15 +379,28 @@ static void inode_free_security(struct inode *inode) } =20 struct selinux_mnt_opts { + bool initialized; u32 fscontext_sid; u32 context_sid; u32 rootcontext_sid; u32 defcontext_sid; }; =20 +static inline struct selinux_mnt_opts *selinux_mnt_opts(void *mnt_opts) +{ + if (mnt_opts) + return mnt_opts + selinux_blob_sizes.lbs_mnt_opts; + return NULL; +} + static void selinux_free_mnt_opts(void *mnt_opts) { - kfree(mnt_opts); + struct selinux_mnt_opts *opts; + + if (mnt_opts) { + opts =3D selinux_mnt_opts(mnt_opts); + opts->initialized =3D false; + } } =20 enum { @@ -642,7 +655,7 @@ static int selinux_set_mnt_opts(struct super_block *sb, const struct cred *cred =3D current_cred(); struct superblock_security_struct *sbsec =3D selinux_superblock(sb); struct dentry *root =3D sb->s_root; - struct selinux_mnt_opts *opts =3D mnt_opts; + struct selinux_mnt_opts *opts =3D selinux_mnt_opts(mnt_opts); struct inode_security_struct *root_isec; u32 fscontext_sid =3D 0, context_sid =3D 0, rootcontext_sid =3D 0; u32 defcontext_sid =3D 0; 
@@ -658,7 +671,7 @@ static int selinux_set_mnt_opts(struct super_block *sb, mutex_lock(&sbsec->lock); =20 if (!selinux_initialized()) { - if (!opts) { + if (!opts || !opts->initialized) { /* Defer initialization until selinux_complete_init, after the initial policy is loaded and the security server is ready to handle calls. */ @@ -696,7 +709,7 @@ static int selinux_set_mnt_opts(struct super_block *sb, * also check if someone is trying to mount the same sb more * than once with different security options. */ - if (opts) { + if (opts && opts->initialized) { if (opts->fscontext_sid) { fscontext_sid =3D opts->fscontext_sid; if (bad_option(sbsec, FSCONTEXT_MNT, sbsec->sid, @@ -1005,7 +1018,7 @@ static int selinux_sb_clone_mnt_opts(const struct sup= er_block *oldsb, */ static int selinux_add_opt(int token, const char *s, void **mnt_opts) { - struct selinux_mnt_opts *opts =3D *mnt_opts; + struct selinux_mnt_opts *opts; u32 *dst_sid; int rc; =20 @@ -1020,12 +1033,12 @@ static int selinux_add_opt(int token, const char *s= , void **mnt_opts) return -EINVAL; } =20 - if (!opts) { - opts =3D kzalloc(sizeof(*opts), GFP_KERNEL); - if (!opts) + if (!*mnt_opts) { + *mnt_opts =3D lsm_mnt_opts_alloc(GFP_KERNEL); + if (!*mnt_opts) return -ENOMEM; - *mnt_opts =3D opts; } + opts =3D selinux_mnt_opts(*mnt_opts); =20 switch (token) { case Opt_context: @@ -1052,6 +1065,7 @@ static int selinux_add_opt(int token, const char *s, = void **mnt_opts) WARN_ON(1); return -EINVAL; } + opts->initialized =3D true; rc =3D security_context_str_to_sid(s, dst_sid, GFP_KERNEL); if (rc) pr_warn("SELinux: security_context_str_to_sid (%s) failed with errno=3D%= d\n", @@ -2651,10 +2665,7 @@ static int selinux_sb_eat_lsm_opts(char *options, vo= id **mnt_opts) return 0; =20 free_opt: - if (*mnt_opts) { - selinux_free_mnt_opts(*mnt_opts); - *mnt_opts =3D NULL; - } + selinux_free_mnt_opts(*mnt_opts); return rc; } =20 
@@ -2705,13 +2716,13 @@ static int selinux_sb_mnt_opts_compat(struct super_= block *sb, void *mnt_opts) =20 static int selinux_sb_remount(struct super_block *sb, void *mnt_opts) { - struct selinux_mnt_opts *opts =3D mnt_opts; + struct selinux_mnt_opts *opts =3D selinux_mnt_opts(mnt_opts); struct superblock_security_struct *sbsec =3D selinux_superblock(sb); =20 if (!(sbsec->flags & SE_SBINITIALIZED)) return 0; =20 - if (!opts) + if (!opts || !opts->initialized) return 0; =20 if (opts->fscontext_sid) { @@ -2809,9 +2820,13 @@ static int selinux_fs_context_submount(struct fs_con= text *fc, if (!(sbsec->flags & (FSCONTEXT_MNT|CONTEXT_MNT|DEFCONTEXT_MNT))) return 0; =20 - opts =3D lsm_mnt_opts_alloc(GFP_KERNEL); - if (!opts) - return -ENOMEM; + if (!fc->security) { + fc->security =3D lsm_mnt_opts_alloc(GFP_KERNEL); + if (!fc->security) + return -ENOMEM; + } + opts =3D selinux_mnt_opts(fc->security); + opts->initialized =3D true; =20 if (sbsec->flags & FSCONTEXT_MNT) opts->fscontext_sid =3D sbsec->sid; @@ -2819,14 +2834,14 @@ static int selinux_fs_context_submount(struct fs_co= ntext *fc, opts->context_sid =3D sbsec->mntpoint_sid; if (sbsec->flags & DEFCONTEXT_MNT) opts->defcontext_sid =3D sbsec->def_sid; - fc->security =3D opts; return 0; } =20 static int selinux_fs_context_dup(struct fs_context *fc, struct fs_context *src_fc) { - const struct selinux_mnt_opts *src =3D src_fc->security; + const struct selinux_mnt_opts *src =3D selinux_mnt_opts(src_fc->security); + struct selinux_mnt_opts *dst; =20 if (!src) return 0; @@ -2835,7 +2850,8 @@ static int selinux_fs_context_dup(struct fs_context *= fc, if (!fc->security) return -ENOMEM; =20 - memcpy(fc->security, src, sizeof(*src)); + dst =3D selinux_mnt_opts(fc->security); + memcpy(dst, src, sizeof(*src)); return 0; } =20 diff --git a/security/smack/smack_lsm.c b/security/smack/smack_lsm.c index 0cc24b57bb52..ced66130fb7d 100644 --- a/security/smack/smack_lsm.c +++ b/security/smack/smack_lsm.c 
@@ -544,6 +544,7 @@ static int smack_sb_alloc_security(struct super_block *= sb) } =20 struct smack_mnt_opts { + bool initialized; const char *fsdefault; const char *fsfloor; const char *fshat; @@ -551,24 +552,37 @@ struct smack_mnt_opts { const char *fstransmute; }; =20 +static inline struct smack_mnt_opts *smack_mnt_opts(void *mnt_opts) +{ + if (mnt_opts) + return mnt_opts + smack_blob_sizes.lbs_mnt_opts; + return NULL; +} + static void smack_free_mnt_opts(void *mnt_opts) { - kfree(mnt_opts); + struct smack_mnt_opts *opts; + + if (mnt_opts) { + opts =3D smack_mnt_opts(mnt_opts); + opts->initialized =3D false; + } } =20 static int smack_add_opt(int token, const char *s, void **mnt_opts) { - struct smack_mnt_opts *opts =3D *mnt_opts; + struct smack_mnt_opts *opts; struct smack_known *skp; =20 - if (!opts) { - opts =3D kzalloc(sizeof(struct smack_mnt_opts), GFP_KERNEL); - if (!opts) + if (!s) + return -EINVAL; + + if (!*mnt_opts) { + *mnt_opts =3D lsm_mnt_opts_alloc(GFP_KERNEL); + if (!*mnt_opts) return -ENOMEM; - *mnt_opts =3D opts; } - if (!s) - return -ENOMEM; + opts =3D smack_mnt_opts(*mnt_opts); =20 skp =3D smk_import_entry(s, 0); if (IS_ERR(skp)) @@ -601,6 +615,7 @@ static int smack_add_opt(int token, const char *s, void= **mnt_opts) opts->fstransmute =3D skp->smk_known; break; } + opts->initialized =3D true; return 0; =20 out_opt_err: @@ -622,10 +637,12 @@ static int smack_fs_context_submount(struct fs_contex= t *fc, struct smack_mnt_opts *ctx; struct inode_smack *isp; =20 - ctx =3D lsm_mnt_opts_alloc(GFP_KERNEL); - if (!ctx) - return -ENOMEM; - fc->security =3D ctx; + if (!fc->security) { + fc->security =3D lsm_mnt_opts_alloc(GFP_KERNEL); + if (!fc->security) + return -ENOMEM; + } + ctx =3D smack_mnt_opts(fc->security); =20 sbsp =3D smack_superblock(reference); isp =3D smack_inode(reference->s_root->d_inode); @@ -655,6 +672,7 @@ static int smack_fs_context_submount(struct fs_context = *fc, return -ENOMEM; } } + ctx->initialized =3D true; return 0; } =20 
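Review bot: smack_free_mnt_opts() now only clears `opts->initialized` and leaves fsdefault, fsfloor, fshat and fstransmute behind. Because smack_add_opt() reuses an existing `*mnt_opts` and sets `initialized` back to true for whichever single option it parses, the stale pointers from before the free would be consumed by smack_set_mnt_opts() on the next use of that blob. Zero the whole struct here (memset or per field) rather than one flag. Related: the nested `return -ENOMEM;` context just above `ctx->initialized = true;` in smack_fs_context_submount() suggests that function allocates per-field values, and with this function no longer freeing anything the diff does not show what releases them; a sentence in the commit message would settle that.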
@@ -668,16 +686,21 @@ static int smack_fs_context_submount(struct fs_contex= t *fc, static int smack_fs_context_dup(struct fs_context *fc, struct fs_context *src_fc) { - struct smack_mnt_opts *dst, *src =3D src_fc->security; + struct smack_mnt_opts *src; + struct smack_mnt_opts *dst; =20 + src =3D smack_mnt_opts(src_fc->security); if (!src) return 0; =20 - fc->security =3D lsm_mnt_opts_alloc(GFP_KERNEL); - if (!fc->security) - return -ENOMEM; + if (!fc->security) { + fc->security =3D lsm_mnt_opts_alloc(GFP_KERNEL); + if (!fc->security) + return -ENOMEM; + } =20 - dst =3D fc->security; + dst =3D smack_mnt_opts(fc->security); + dst->initialized =3D src->initialized; dst->fsdefault =3D src->fsdefault; dst->fsfloor =3D src->fsfloor; dst->fshat =3D src->fshat; @@ -787,7 +810,7 @@ static int smack_set_mnt_opts(struct super_block *sb, struct superblock_smack *sp =3D smack_superblock(sb); struct inode_smack *isp; struct smack_known *skp; - struct smack_mnt_opts *opts =3D mnt_opts; + struct smack_mnt_opts *opts =3D smack_mnt_opts(mnt_opts); bool transmute =3D false; =20 if (sp->smk_flags & SMK_SB_INITIALIZED) 
@@ -820,7 +843,7 @@ static int smack_set_mnt_opts(struct super_block *sb, =20 sp->smk_flags |=3D SMK_SB_INITIALIZED; =20 - if (opts) { + if (opts && opts->initialized) { if (opts->fsdefault) { skp =3D smk_import_entry(opts->fsdefault, 0); if (IS_ERR(skp)) --=20 2.47.0 From nobody Thu Oct 9 01:13:10 2025 Received: from sonic310-30.consmr.mail.ne1.yahoo.com (sonic310-30.consmr.mail.ne1.yahoo.com [66.163.186.211]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 41626221F29 for ; Sat, 21 Jun 2025 17:23:58 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=66.163.186.211 ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1750526640; cv=none; b=nfu5QkG/cdbi2tLCTAp+HDdXttDk//l0FthePJBww164QyTOel8AJMcCn5Yp2pzFPW5wBcrVPeAoenY1zWNFbqkq65vO/HSrPglw6pJgS9AOk+Ip2GzolAd2fVJkb1cisUiSo1dNWnidyO0hX6l60HLg8yziQCdD/uv8JF/dEWc= ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1750526640; c=relaxed/simple; bh=WCex6USUjchIBX3agUhZ21r2drcQgrb/zwis2EoHBsE=; h=From:To:Cc:Subject:Date:Message-ID:In-Reply-To:References: MIME-Version; b=PapBojKJ1nsWXM9QMzfZibaDSi2/XEryVjClwRxreNAQL95geVYI9KTpStF5pz03KYnKJ7D2VIN5GHDC1T3liU+Btj2++aLWsCieJqfvBpPEkhDPYCtSpSyBbWsYO8cGM3ZBObzSRT0i9denl32fN6RwLdVEbTBvbfa/iVfRYRg= ARC-Authentication-Results: i=1; smtp.subspace.kernel.org; dmarc=none (p=none dis=none) header.from=schaufler-ca.com; spf=none smtp.mailfrom=schaufler-ca.com; dkim=pass (2048-bit key) header.d=yahoo.com header.i=@yahoo.com header.b=BavUeyvv; arc=none smtp.client-ip=66.163.186.211 Authentication-Results: smtp.subspace.kernel.org; dmarc=none (p=none dis=none) header.from=schaufler-ca.com Authentication-Results: smtp.subspace.kernel.org; spf=none smtp.mailfrom=schaufler-ca.com Authentication-Results: smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=yahoo.com header.i=@yahoo.com 
From: Casey Schaufler To: casey@schaufler-ca.com, paul@paul-moore.com, eparis@redhat.com, linux-security-module@vger.kernel.org, audit@vger.kernel.org Cc: jmorris@namei.org, serge@hallyn.com, keescook@chromium.org, john.johansen@canonical.com, penguin-kernel@i-love.sakura.ne.jp, stephen.smalley.work@gmail.com, linux-kernel@vger.kernel.org, selinux@vger.kernel.org Subject: [RFC PATCH 12/15] LSM: Allow reservation of netlabel Date: Sat, 21 Jun 2025 10:18:47 -0700 Message-ID: <20250621171851.5869-13-casey@schaufler-ca.com> X-Mailer: git-send-email 2.47.0 In-Reply-To: <20250621171851.5869-1-casey@schaufler-ca.com> References: <20250621171851.5869-1-casey@schaufler-ca.com> Precedence: bulk X-Mailing-List: linux-kernel@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Content-Transfer-Encoding: quoted-printable Content-Type: text/plain; charset="utf-8" Allow LSMs to request exclusive access to the netlabel facility. Provide mechanism for LSMs to determine if they have access to netlabel. Update the current users of netlabel, SELinux and Smack, to use and respect the exclusive use of netlabel.
Signed-off-by: Casey Schaufler --- include/linux/lsm_hooks.h | 1 + security/lsm_init.c | 6 +++++ security/selinux/hooks.c | 7 +++--- security/selinux/include/netlabel.h | 5 ++++ security/selinux/netlabel.c | 4 ++-- security/smack/smack.h | 5 ++++ security/smack/smack_lsm.c | 36 +++++++++++++++++++++-------- security/smack/smackfs.c | 20 +++++++++++++++- 8 files changed, 69 insertions(+), 15 deletions(-) diff --git a/include/linux/lsm_hooks.h b/include/linux/lsm_hooks.h index 38f89762c0df..06e840fd4b63 100644 --- a/include/linux/lsm_hooks.h +++ b/include/linux/lsm_hooks.h @@ -124,6 +124,7 @@ struct lsm_blob_sizes { unsigned int lbs_bdev; unsigned int lbs_mnt_opts; bool lbs_secmark; /* expressed desire for secmark use */ + bool lbs_netlabel; /* expressed desire for netlabel use */ }; =20 /* diff --git a/security/lsm_init.c b/security/lsm_init.c index d27a457627ed..784f8296966f 100644 --- a/security/lsm_init.c +++ b/security/lsm_init.c @@ -320,6 +320,12 @@ static void __init lsm_prep_single(struct lsm_info *ls= m) else blob_sizes.lbs_secmark =3D true; } + if (blobs->lbs_netlabel) { + if (blob_sizes.lbs_netlabel) + blobs->lbs_netlabel =3D false; + else + blob_sizes.lbs_netlabel =3D true; + } } =20 /** diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c index 636a38449253..9578b63bbd2a 100644 --- a/security/selinux/hooks.c +++ b/security/selinux/hooks.c @@ -183,7 +183,7 @@ static int selinux_secmark_enabled(void) static int selinux_peerlbl_enabled(void) { return (selinux_policycap_alwaysnetwork() || - netlbl_enabled() || selinux_xfrm_enabled()); + selinux_netlbl_enabled() || selinux_xfrm_enabled()); } =20 static int selinux_netcache_avc_callback(u32 event) 
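Review bot: In the lsm_prep_single() hunk the first LSM in initialization order that sets lbs_netlabel keeps it and every later one is silently flipped to false. Since the outcome depends on the lsm= ordering, print which LSM was denied (a pr_info next to `blobs->lbs_netlabel = false;`); otherwise an administrator running SELinux and Smack together only finds out when the smackfs writes later in this patch start failing. The field comment in lsm_hooks.h, `expressed desire for netlabel use`, should also say that the first requester wins, as it is the only documentation of the policy.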
@@ -5860,7 +5860,7 @@ static unsigned int selinux_ip_forward(void *priv, st= ruct sk_buff *skb, SECCLASS_PACKET, PACKET__FORWARD_IN, &ad)) return NF_DROP; =20 - if (netlbl_enabled()) + if (selinux_netlbl_enabled()) /* we do this in the FORWARD path and not the POST_ROUTING * path because we want to make sure we apply the necessary * labeling before IPsec is applied so we can leverage AH @@ -5877,7 +5877,7 @@ static unsigned int selinux_ip_output(void *priv, str= uct sk_buff *skb, struct sock *sk; u32 sid; =20 - if (!netlbl_enabled()) + if (!selinux_netlbl_enabled()) return NF_ACCEPT; =20 /* we do this in the LOCAL_OUT path and not the POST_ROUTING path @@ -7183,6 +7183,7 @@ struct lsm_blob_sizes selinux_blob_sizes __ro_after_i= nit =3D { .lbs_ib =3D sizeof(struct ib_security_struct), .lbs_mnt_opts =3D sizeof(struct selinux_mnt_opts), .lbs_secmark =3D true, + .lbs_netlabel =3D true, }; =20 #ifdef CONFIG_PERF_EVENTS diff --git a/security/selinux/include/netlabel.h b/security/selinux/include= /netlabel.h index 5731c0dcd3e8..5be82aa8e7ca 100644 --- a/security/selinux/include/netlabel.h +++ b/security/selinux/include/netlabel.h @@ -134,4 +134,9 @@ static inline int selinux_netlbl_socket_connect_locked(= struct sock *sk, } #endif /* CONFIG_NETLABEL */ =20 +static inline bool selinux_netlbl_enabled(void) +{ + return selinux_blob_sizes.lbs_netlabel && netlbl_enabled(); +} + #endif diff --git a/security/selinux/netlabel.c b/security/selinux/netlabel.c index d51dfe892312..a6c58b8e7bfd 100644 --- a/security/selinux/netlabel.c +++ b/security/selinux/netlabel.c @@ -199,7 +199,7 @@ int selinux_netlbl_skbuff_getsid(struct sk_buff *skb, int rc; struct netlbl_lsm_secattr secattr; =20 - if (!netlbl_enabled()) { + if (!selinux_netlbl_enabled()) { *type =3D NETLBL_NLTYPE_NONE; *sid =3D SECSID_NULL; return 0; 
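Review bot: Only the SELinux call sites that already tested netlbl_enabled() are switched to selinux_netlbl_enabled() (two in hooks.c, two in netlabel.c per the diffstat). Any selinux_netlbl_* entry point that calls into netlabel without such a test is untouched by this diff, so when SELinux loses the reservation those paths would still label or inspect sockets through a facility Smack now owns. Please audit the remaining entry points in security/selinux/netlabel.c and gate each on selinux_netlbl_enabled(). Also, the new inline in netlabel.h sits after `#endif /* CONFIG_NETLABEL */` and references selinux_blob_sizes, so it depends on that declaration and on the !CONFIG_NETLABEL stub of netlbl_enabled() being visible from every file that includes the header.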
@@ -444,7 +444,7 @@ int selinux_netlbl_sock_rcv_skb(struct sk_security_stru= ct *sksec, u32 perm; struct netlbl_lsm_secattr secattr; =20 - if (!netlbl_enabled()) + if (!selinux_netlbl_enabled()) return 0; =20 netlbl_secattr_init(&secattr); diff --git a/security/smack/smack.h b/security/smack/smack.h index 2f7b8d79b69f..de707d481e39 100644 --- a/security/smack/smack.h +++ b/security/smack/smack.h @@ -380,6 +380,11 @@ static inline struct smack_known **smack_key(const str= uct key *key) } #endif /* CONFIG_KEYS */ =20 +static inline bool smack_netlabel(void) +{ + return smack_blob_sizes.lbs_netlabel; +} + /* * Is the directory transmuting? */ diff --git a/security/smack/smack_lsm.c b/security/smack/smack_lsm.c index ced66130fb7d..650f2700160f 100644 --- a/security/smack/smack_lsm.c +++ b/security/smack/smack_lsm.c @@ -2598,6 +2598,9 @@ static int smack_netlbl_add(struct sock *sk) struct smack_known *skp =3D ssp->smk_out; int rc; =20 + if (!smack_netlabel()) + return 0; + local_bh_disable(); bh_lock_sock_nested(sk); =20 @@ -2629,6 +2632,9 @@ static void smack_netlbl_delete(struct sock *sk) { struct socket_smack *ssp =3D smack_sock(sk); =20 + if (!smack_netlabel()) + return; + /* * Take the label off the socket if one is set. */ @@ -2679,7 +2685,7 @@ static int smk_ipv4_check(struct sock *sk, struct soc= kaddr_in *sap) /* * Clear the socket netlabel if it's set. */ - if (!rc) + if (!rc && smack_netlabel()) smack_netlbl_delete(sk); } rcu_read_unlock(); @@ -4005,6 +4011,8 @@ static struct smack_known *smack_from_secattr(struct = netlbl_lsm_secattr *sap, int acat; int kcat; =20 + if (!smack_netlabel()) + return smack_net_ambient; /* * Netlabel found it in the cache. */ @@ -4155,6 +4163,9 @@ static struct smack_known *smack_from_netlbl(const st= ruct sock *sk, u16 family, struct socket_smack *ssp =3D NULL; struct smack_known *skp =3D NULL; =20 + if (!smack_netlabel()) + return NULL; + netlbl_secattr_init(&secattr); =20 if (sk) 
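Review bot: The smack_netlabel() test is layered twice on the same path in these hunks: smk_ipv4_check() now checks it before calling smack_netlbl_delete(), which checks it again on entry, so the `&& smack_netlabel()` added to `if (!rc && smack_netlabel())` is redundant. The same question applies to the new check in smack_from_secattr(), whose only input is a secattr that can only have come from netlabel. Pick one layer (the callee, so future callers are covered automatically) and drop the other.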
@@ -4225,7 +4236,7 @@ static int smack_socket_sock_rcv_skb(struct sock *sk,= struct sk_buff *skb) rc =3D smk_access(skp, ssp->smk_in, MAY_WRITE, &ad); rc =3D smk_bu_note("IPv4 delivery", skp, ssp->smk_in, MAY_WRITE, rc); - if (rc !=3D 0) + if (rc !=3D 0 && smack_netlabel()) netlbl_skbuff_err(skb, family, rc, 0); break; #if IS_ENABLED(CONFIG_IPV6) @@ -4413,7 +4424,7 @@ static int smack_inet_conn_request(const struct sock = *sk, struct sk_buff *skb, if (skp =3D=3D NULL) { skp =3D smack_from_netlbl(sk, family, skb); if (skp =3D=3D NULL) - skp =3D &smack_known_huh; + skp =3D smack_net_ambient; } =20 #ifdef CONFIG_AUDIT @@ -4434,8 +4445,11 @@ static int smack_inet_conn_request(const struct sock= *sk, struct sk_buff *skb, /* * Save the peer's label in the request_sock so we can later setup * smk_packet in the child socket so that SO_PEERCRED can report it. + * + * Only do this if Smack is using netlabel. */ - req->peer_secid =3D skp->smk_secid; + if (smack_netlabel()) + req->peer_secid =3D skp->smk_secid; =20 /* * We need to decide if we want to label the incoming connection here @@ -4448,10 +4462,13 @@ static int smack_inet_conn_request(const struct soc= k *sk, struct sk_buff *skb, hskp =3D smack_ipv4host_label(&addr); rcu_read_unlock(); =20 - if (hskp =3D=3D NULL) - rc =3D netlbl_req_setattr(req, &ssp->smk_out->smk_netlabel); - else - netlbl_req_delattr(req); + if (smack_netlabel()) { + if (hskp =3D=3D NULL) + rc =3D netlbl_req_setattr(req, + &ssp->smk_out->smk_netlabel); + else + netlbl_req_delattr(req); + } =20 return rc; } @@ -4469,7 +4486,7 @@ static void smack_inet_csk_clone(struct sock *sk, struct socket_smack *ssp =3D smack_sock(sk); struct smack_known *skp; =20 - if (req->peer_secid !=3D 0) { + if (smack_netlabel() && req->peer_secid !=3D 0) { skp =3D smack_from_secid(req->peer_secid); ssp->smk_packet =3D skp; } else 
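Review bot: In the smack_inet_conn_request() hunk, replacing `&smack_known_huh` with `smack_net_ambient` as the fallback changes behaviour for the case where Smack does own netlabel: smack_from_netlbl() starts with `skp = NULL` and its unchanged remainder could already return NULL before this patch, which is exactly what the huh fallback covered, and that case now gets the ambient label instead. If that is intended it belongs in the commit message; if not, test smack_netlabel() explicitly here and keep huh for the lookup-failure case.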
@@ -5055,6 +5072,7 @@ struct lsm_blob_sizes smack_blob_sizes __ro_after_ini= t =3D { .lbs_xattr_count =3D SMACK_INODE_INIT_XATTRS, .lbs_mnt_opts =3D sizeof(struct smack_mnt_opts), .lbs_secmark =3D true, + .lbs_netlabel =3D true, }; =20 static const struct lsm_id smack_lsmid =3D { diff --git a/security/smack/smackfs.c b/security/smack/smackfs.c index 405ace6db109..2e43e9670265 100644 --- a/security/smack/smackfs.c +++ b/security/smack/smackfs.c @@ -79,7 +79,7 @@ static DEFINE_MUTEX(smk_net6addr_lock); * If it isn't somehow marked, use this. * It can be reset via smackfs/ambient */ -struct smack_known *smack_net_ambient; +struct smack_known *smack_net_ambient =3D &smack_known_floor; =20 /* * This is the level in a CIPSO header that indicates a @@ -671,6 +671,9 @@ static void smk_cipso_doi(void) struct cipso_v4_doi *doip; struct netlbl_audit nai; =20 + if (!smack_netlabel()) + return; + smk_netlabel_audit_set(&nai); =20 rc =3D netlbl_cfg_map_del(NULL, PF_INET, NULL, NULL, &nai); @@ -711,6 +714,9 @@ static void smk_unlbl_ambient(char *oldambient) int rc; struct netlbl_audit nai; =20 + if (!smack_netlabel()) + return; + smk_netlabel_audit_set(&nai); =20 if (oldambient !=3D NULL) { @@ -834,6 +840,8 @@ static ssize_t smk_set_cipso(struct file *file, const c= har __user *buf, */ if (!smack_privileged(CAP_MAC_ADMIN)) return -EPERM; + if (!smack_netlabel()) + return -EINVAL; if (*ppos !=3D 0) return -EINVAL; if (format =3D=3D SMK_FIXED24_FMT && @@ -1156,6 +1164,8 @@ static ssize_t smk_write_net4addr(struct file *file, = const char __user *buf, */ if (!smack_privileged(CAP_MAC_ADMIN)) return -EPERM; + if (!smack_netlabel()) + return -EINVAL; if (*ppos !=3D 0) return -EINVAL; if (count < SMK_NETLBLADDRMIN || count > PAGE_SIZE - 1) 
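Review bot: `smack_net_ambient = &smack_known_floor;` as a static initializer is a silent dependency on the new early `return` in smk_unlbl_ambient(): that return skips the rest of the function, so whatever it did to establish a default ambient label when called with NULL at init no longer runs in the no-netlabel case. A comment at the initializer saying it exists for the case where Smack does not own netlabel would save the next reader a trip through smackfs.c. Also, smk_cipso_doi() and smk_unlbl_ambient() now return silently; a one-time pr_info that Smack is running without netlabel (and so without CIPSO on the wire) belongs on this path.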
@@ -1414,6 +1424,8 @@ static ssize_t smk_write_net6addr(struct file *file, = const char __user *buf, */ if (!smack_privileged(CAP_MAC_ADMIN)) return -EPERM; + if (!smack_netlabel()) + return -EINVAL; if (*ppos !=3D 0) return -EINVAL; if (count < SMK_NETLBLADDRMIN || count > PAGE_SIZE - 1) @@ -1585,6 +1597,8 @@ static ssize_t smk_write_doi(struct file *file, const= char __user *buf, =20 if (!smack_privileged(CAP_MAC_ADMIN)) return -EPERM; + if (!smack_netlabel()) + return -EINVAL; =20 if (count >=3D sizeof(temp) || count =3D=3D 0) return -EINVAL; @@ -1652,6 +1666,8 @@ static ssize_t smk_write_direct(struct file *file, co= nst char __user *buf, =20 if (!smack_privileged(CAP_MAC_ADMIN)) return -EPERM; + if (!smack_netlabel()) + return -EINVAL; =20 if (count >=3D sizeof(temp) || count =3D=3D 0) return -EINVAL; 
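Review bot: Across the smackfs write hunks (smk_set_cipso, smk_write_net4addr, smk_write_net6addr, smk_write_doi, smk_write_direct, smk_write_mapped) the new `if (!smack_netlabel()) return -EINVAL;` is indistinguishable from a malformed write, so userspace tooling cannot tell bad input from "Smack does not own netlabel on this boot". Return -EOPNOTSUPP (or -ENODEV) instead, and do it in a single helper rather than six copies. The check correctly sits after the CAP_MAC_ADMIN test, so unprivileged callers learn nothing new.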
@@ -1730,6 +1746,8 @@ static ssize_t smk_write_mapped(struct file *file, co= nst char __user *buf, =20 if (!smack_privileged(CAP_MAC_ADMIN)) return -EPERM; + if (!smack_netlabel()) + return -EINVAL; =20 if (count >=3D sizeof(temp) || count =3D=3D 0) return -EINVAL; --=20 2.47.0 From nobody Thu Oct 9 01:13:10 2025 Received: from sonic306-27.consmr.mail.ne1.yahoo.com (sonic306-27.consmr.mail.ne1.yahoo.com [66.163.189.89]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 0E6B1253358 for ; Sat, 21 Jun 2025 17:23:59 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=66.163.189.89 ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1750526641; cv=none; b=e1SG9s3TgUG70SzDce4rZEReYrghouw57f0btxpLlwnZ0Z/5LajCYlRpzXEzxcm8v7GfULCi0jeDWNgvnZzhlNZOt6R8OXE3E0V224SfNXwwBgRGDEV+1JzHbvdPTuoFspGnI3b7uXMHuOoaqZ8unjjTE3UdvY6JSjNe+ZcdN1g= ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1750526641; c=relaxed/simple; bh=HWHyaWIb/BtpPN0SB7P8ktq3MZPQ3308NHR0pTMakjE=; h=From:To:Cc:Subject:Date:Message-ID:In-Reply-To:References: MIME-Version; b=bX1n/UYE7BIUTVx2pTvLVOAieza0L6CICqbxuWIgbeKnEP/wDSeVAIK3WXTCh8/in+iQA1R04z/4ezbppAbYQQDJ+RiEOJBB/hpr7sVXLnuxLO7LYItNeOeSvueVWl42BiSLWtDaUkDPJVsX+quAAp4OpXvgyPRmsNds7Jqgs0A= ARC-Authentication-Results: i=1; smtp.subspace.kernel.org; dmarc=none (p=none dis=none) header.from=schaufler-ca.com; spf=none smtp.mailfrom=schaufler-ca.com; dkim=pass (2048-bit key) header.d=yahoo.com header.i=@yahoo.com header.b=bQ+bSYda; arc=none smtp.client-ip=66.163.189.89 Authentication-Results: smtp.subspace.kernel.org; dmarc=none (p=none dis=none) header.from=schaufler-ca.com Authentication-Results: smtp.subspace.kernel.org; spf=none smtp.mailfrom=schaufler-ca.com Authentication-Results: smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=yahoo.com header.i=@yahoo.com 
From: Casey Schaufler To: casey@schaufler-ca.com, paul@paul-moore.com, eparis@redhat.com, linux-security-module@vger.kernel.org, audit@vger.kernel.org Cc: jmorris@namei.org, serge@hallyn.com, keescook@chromium.org, john.johansen@canonical.com, penguin-kernel@i-love.sakura.ne.jp, stephen.smalley.work@gmail.com, linux-kernel@vger.kernel.org, selinux@vger.kernel.org Subject: [RFC PATCH 13/15] LSM: restrict security_cred_getsecid() to a single LSM Date: Sat, 21 Jun 2025 10:18:48 -0700 Message-ID: <20250621171851.5869-14-casey@schaufler-ca.com> X-Mailer: git-send-email 2.47.0 In-Reply-To: <20250621171851.5869-1-casey@schaufler-ca.com> References: <20250621171851.5869-1-casey@schaufler-ca.com> Precedence: bulk X-Mailing-List: linux-kernel@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Content-Transfer-Encoding: quoted-printable Content-Type: text/plain; charset="utf-8" The LSM hook security_cred_getsecid() provides a single secid that is only used by the binder driver. Provide the first value available, and abandon any other hooks. Signed-off-by: Casey Schaufler --- security/security.c | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) diff --git a/security/security.c b/security/security.c index dd167a872248..409b1cb10d35 100644 --- a/security/security.c +++ b/security/security.c 
@@ -2740,8 +2740,13 @@ void security_transfer_creds(struct cred *new, const= struct cred *old) */ void security_cred_getsecid(const struct cred *c, u32 *secid) { + struct lsm_static_call *scall; + *secid =3D 0; - call_void_hook(cred_getsecid, c, secid); + lsm_for_each_hook(scall, cred_getsecid) { + scall->hl->hook.cred_getsecid(c, secid); + break; + } } EXPORT_SYMBOL(security_cred_getsecid); =20 --=20 2.47.0 From nobody Thu Oct 9 01:13:10 2025 Received: from sonic306-27.consmr.mail.ne1.yahoo.com (sonic306-27.consmr.mail.ne1.yahoo.com [66.163.189.89]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 1A073253F2C for ; Sat, 21 Jun 2025 17:23:59 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=66.163.189.89 ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1750526641; cv=none; b=i1zkqC0IIUCV7laJQqBy7TaO4fQI3cIyQhuEGhgoCf1R/2ho6jNscNhISIqVoKi90mTrEBatypROxs0IgsuWxEoBZKbUKJenzBwNSkR5iome62hZSBf/JjIBS9J0D9MxEIvp06l316mwtgDSNBSTNCMqUFyaF1hzfORKyPbwnCA= ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1750526641; c=relaxed/simple; bh=kJ8f4ZD3u00ToRZgbsmnK0EdRqbXBfQMZThYhH17QzM=; h=From:To:Cc:Subject:Date:Message-ID:In-Reply-To:References: MIME-Version; b=FoZN647NjsUoWbYX2/+t6bRcqJMsiVluFzb/KvPyLJ67BZEwFNR+ULugh6IPdBdzJxspnioQKjBw7lrb3GZe7EAicpXyQWcIyHFmXzwo68hoaXQGpikqwhZCEscvFGTLv/Bq+O+7pmRrluZ4v4njb8A7aU6bOGOmG2jwgzdmZSo= ARC-Authentication-Results: i=1; smtp.subspace.kernel.org; dmarc=none (p=none dis=none) header.from=schaufler-ca.com; spf=none smtp.mailfrom=schaufler-ca.com; dkim=pass (2048-bit key) header.d=yahoo.com header.i=@yahoo.com header.b=MpM/FBUP; arc=none smtp.client-ip=66.163.189.89 Authentication-Results: smtp.subspace.kernel.org; dmarc=none (p=none dis=none) header.from=schaufler-ca.com Authentication-Results: smtp.subspace.kernel.org; spf=none 
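Review bot: The `break` after the first cred_getsecid hook means the LSM whose secid the binder driver sees is whichever registered the hook first in initialization order, and nothing records that choice. Say so in the hook's description in lsm_hooks.h and in the kerneldoc above security_cred_getsecid(), and consider a boot-time pr_info naming the LSM that wins; otherwise a system with both SELinux and Smack gets binder peer checks against one LSM's secid with no visible indication which. Also, `*secid` is zeroed first and the loop breaks unconditionally, so if the first hook leaves it at 0 that is still taken as the answer; if that is not intended, break only once a non-zero secid was produced.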
From: Casey Schaufler To: casey@schaufler-ca.com, paul@paul-moore.com, eparis@redhat.com, linux-security-module@vger.kernel.org, audit@vger.kernel.org Cc: jmorris@namei.org, serge@hallyn.com, keescook@chromium.org, john.johansen@canonical.com, penguin-kernel@i-love.sakura.ne.jp, stephen.smalley.work@gmail.com, linux-kernel@vger.kernel.org, selinux@vger.kernel.org Subject: [RFC PATCH 14/15] Smack: Remove LSM_FLAG_EXCLUSIVE Date: Sat, 21 Jun 2025 10:18:49 -0700 Message-ID: <20250621171851.5869-15-casey@schaufler-ca.com> X-Mailer: git-send-email 2.47.0 In-Reply-To: <20250621171851.5869-1-casey@schaufler-ca.com> References: <20250621171851.5869-1-casey@schaufler-ca.com> Precedence: bulk X-Mailing-List: linux-kernel@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Content-Transfer-Encoding: quoted-printable Content-Type: text/plain; charset="utf-8" Smack no longer has any behaviors that require LSM_FLAG_EXCLUSIVE. Signed-off-by: Casey Schaufler --- security/smack/smack_lsm.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/security/smack/smack_lsm.c b/security/smack/smack_lsm.c index 650f2700160f..fa7a9b76f0a4 100644 --- a/security/smack/smack_lsm.c +++ b/security/smack/smack_lsm.c
@@ -5339,7 +5339,7 @@ static int __init smack_initcall(void) */ DEFINE_LSM(smack) =3D { .id =3D &smack_lsmid, - .flags =3D LSM_FLAG_LEGACY_MAJOR | LSM_FLAG_EXCLUSIVE, + .flags =3D LSM_FLAG_LEGACY_MAJOR, .blobs =3D &smack_blob_sizes, .init =3D smack_init, .initcall_device =3D smack_initcall, --=20 2.47.0 From nobody Thu Oct 9 01:13:10 2025 Received: from sonic311-30.consmr.mail.ne1.yahoo.com (sonic311-30.consmr.mail.ne1.yahoo.com [66.163.188.211]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id A41CD25A2D8 for ; Sat, 21 Jun 2025 17:24:02 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=66.163.188.211 ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1750526645; cv=none; b=MwkYrMXnHgk5XqAgC9hH4jwx0cmAKbf7VlrfQxHYFW17STn7F32IkMSr+2LaPVRYrqvILdx/cpyLctoiBF1+SRloYCqkpkIRC2jhwMU+SDo8izFRwgb6V2stDwgcIQy95N7LZHaKylZm81r06xAMa6i9pe4nyf9Dy/KqGQuiJFs= ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1750526645; c=relaxed/simple; bh=PXNl/4U8SPxf6zMvJk8C55Fc9VC3ay7Kotmda9k1aiY=; h=From:To:Cc:Subject:Date:Message-ID:In-Reply-To:References: MIME-Version; b=RlgOvfrAlTRggYLwOINjKySQIpH1vi8HYumq7zUvxoxp/lcTuGYda2bIz9kiedsWTRE7aBygNAfqQ91oMrpLHwAJJD0asqTFv8P+CubOQnmlr6e7xltTTdGqhK/bGZk4RiajmuXxnFetwo1O5O025VA2VG0WTTZw2cEvnu8oniY= ARC-Authentication-Results: i=1; smtp.subspace.kernel.org; dmarc=none (p=none dis=none) header.from=schaufler-ca.com; spf=none smtp.mailfrom=schaufler-ca.com; dkim=pass (2048-bit key) header.d=yahoo.com header.i=@yahoo.com header.b=WavFRWZA; arc=none smtp.client-ip=66.163.188.211 Authentication-Results: smtp.subspace.kernel.org; dmarc=none (p=none dis=none) header.from=schaufler-ca.com Authentication-Results: smtp.subspace.kernel.org; spf=none smtp.mailfrom=schaufler-ca.com Authentication-Results: smtp.subspace.kernel.org; dkim=pass (2048-bit key) 
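Review bot: the commit message for the DEFINE_LSM(smack) hunk says Smack no longer has behaviors that require LSM_FLAG_EXCLUSIVE but does not name the earlier patches in this 15-patch series that removed them; citing them would let someone who bisects onto this commit see why Smack may now be registered alongside SELinux, which still carries LSM_FLAG_EXCLUSIVE until 15/15. The ordering itself is right: at this point the flag and its check in lsm_order_append() still exist, so Smack stops claiming exclusivity before the enforcement is deleted, and the tree builds at each step.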
Hermes SMTP Server) with ESMTPA ID 5256f3ef263223dbc5f852ba156c094e; Sat, 21 Jun 2025 17:23:55 +0000 (UTC) From: Casey Schaufler To: casey@schaufler-ca.com, paul@paul-moore.com, eparis@redhat.com, linux-security-module@vger.kernel.org, audit@vger.kernel.org Cc: jmorris@namei.org, serge@hallyn.com, keescook@chromium.org, john.johansen@canonical.com, penguin-kernel@i-love.sakura.ne.jp, stephen.smalley.work@gmail.com, linux-kernel@vger.kernel.org, selinux@vger.kernel.org Subject: [RFC PATCH 15/15] LSM: Remove exclusive LSM flag Date: Sat, 21 Jun 2025 10:18:50 -0700 Message-ID: <20250621171851.5869-16-casey@schaufler-ca.com> X-Mailer: git-send-email 2.47.0 In-Reply-To: <20250621171851.5869-1-casey@schaufler-ca.com> References: <20250621171851.5869-1-casey@schaufler-ca.com> Precedence: bulk X-Mailing-List: linux-kernel@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Content-Transfer-Encoding: quoted-printable Content-Type: text/plain; charset="utf-8" Only SELinux specifies LSM_FLAG_EXCLUSIVE, so there is no point in enforcing it. There is no expectation that new exclusive security modules will be accepted, as the reasons for exclusivity have been addressed. The LSM_FLAG_EXCLUSIVE flag and its enforcement can be removed. Signed-off-by: Casey Schaufler --- include/linux/lsm_hooks.h | 1 - security/lsm_init.c | 17 +---------------- security/selinux/hooks.c | 2 +- 3 files changed, 2 insertions(+), 18 deletions(-) diff --git a/include/linux/lsm_hooks.h b/include/linux/lsm_hooks.h index 06e840fd4b63..717541fcd653 100644 --- a/include/linux/lsm_hooks.h +++ b/include/linux/lsm_hooks.h @@ -149,7 +149,6 @@ extern void security_add_hooks(struct security_hook_lis= t *hooks, int count, const struct lsm_id *lsmid); =20 #define LSM_FLAG_LEGACY_MAJOR BIT(0) -#define LSM_FLAG_EXCLUSIVE BIT(1) =20 enum lsm_order { LSM_ORDER_FIRST =3D -1, /* This is only for capabilities. */ 
diff --git a/security/lsm_init.c b/security/lsm_init.c index 784f8296966f..3d8f59104d8f 100644 --- a/security/lsm_init.c +++ b/security/lsm_init.c @@ -28,7 +28,6 @@ static __initdata const char *lsm_order_cmdline; static __initdata const char *lsm_order_legacy; =20 /* Ordered list of LSMs to initialize. */ -static __initdata struct lsm_info *lsm_exclusive; static __initdata struct lsm_info *lsm_order[MAX_LSM_COUNT + 1]; =20 #define lsm_order_for_each(iter) \ @@ -150,8 +149,7 @@ static bool __init lsm_order_exists(struct lsm_info *ls= m) * @src: source of the addition * * Append @lsm to the enabled LSM array after ensuring that it hasn't been - * explicitly disabled, is a duplicate entry, or would run afoul of the - * LSM_FLAG_EXCLUSIVE logic. + * explicitly disabled or is a duplicate entry. */ static void __init lsm_order_append(struct lsm_info *lsm, const char *src) { @@ -173,19 +171,6 @@ static void __init lsm_order_append(struct lsm_info *l= sm, const char *src) return; } =20 - if (lsm->flags & LSM_FLAG_EXCLUSIVE) { - if (lsm_exclusive) { - lsm_pr_dbg("skip exclusive LSM conflict %s:%s\n", - src, lsm->id->name); - lsm_enabled_set(lsm, false); - return; - } else { - lsm_pr_dbg("select exclusive LSM %s:%s\n", - src, lsm->id->name); - lsm_exclusive =3D lsm; - } - } - lsm_enabled_set(lsm, true); lsm_order[lsm_count] =3D lsm; lsm_idlist[lsm_count++] =3D lsm->id; diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c index 9578b63bbd2a..039d03be91f0 100644 --- a/security/selinux/hooks.c +++ b/security/selinux/hooks.c @@ -7675,7 +7675,7 @@ void selinux_complete_init(void) all processes and objects when they are created. */ DEFINE_LSM(selinux) =3D { .id =3D &selinux_lsmid, - .flags =3D LSM_FLAG_LEGACY_MAJOR | LSM_FLAG_EXCLUSIVE, + .flags =3D LSM_FLAG_LEGACY_MAJOR, .enabled =3D &selinux_enabled_boot, .blobs =3D &selinux_blob_sizes, .init =3D selinux_init, --=20 2.47.0
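Review bot: in the include/linux/lsm_hooks.h hunk, deleting `#define LSM_FLAG_EXCLUSIVE BIT(1)` outright rather than leaving a deprecated definition is the right choice, since any module still setting the flag now fails to build instead of being silently stacked; the commit message should state that the series was built with every LSM enabled to confirm no other user remains, because the message's claim that only SELinux specifies the flag is the only evidence offered. With BIT(1) now free, a later flag should not reuse that bit without a comment saying the old meaning is gone.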
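Review bot: the block removed from lsm_order_append() was the one place where a second exclusive LSM was turned off with lsm_enabled_set(lsm, false) and recorded with lsm_pr_dbg("skip exclusive LSM conflict ..."); after this hunk, an LSM order (from lsm_order_cmdline or lsm_order_legacy) that names both SELinux and Smack initializes both instead of dropping the later one. That is the intent, but it is a user-visible change in boot behavior and should be spelled out in the commit message rather than left at "there is no point in enforcing it". The updated kerneldoc on lsm_order_append() matches the new code, and dropping lsm_exclusive in the first lsm_init.c hunk leaves the "Ordered list of LSMs to initialize" comment directly above lsm_order[], the array it actually describes, so that hunk reads better than before.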
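Review bot: the DEFINE_LSM(selinux) hunk must land in the same commit as the header hunk that deletes the macro, and it does, so the build stays green at every step; what is missing is a pointer in the commit message to where "the reasons for exclusivity have been addressed" for SELinux, since this hunk only drops the flag and the message is the only place asserting that SELinux is now safe to run alongside another major LSM. Citing the earlier patches of the series there would make the claim checkable.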