diff options
| author | Casey Schaufler <casey@schaufler-ca.com> | 2024-07-10 14:32:26 -0700 |
|---|---|---|
| committer | Paul Moore <paul@paul-moore.com> | 2024-07-29 16:54:51 -0400 |
| commit | 5f8d28f6d7d568dbbc8c5bce94894474c07afd4f (patch) | |
| tree | b2fbd3be03b83a6d68059a43d09964b5ac73a00e /security/selinux/hooks.c | |
| parent | 2aff9d20d50ac45dd13a013ef5231f4fb8912356 (diff) | |
| download | linux-5f8d28f6d7d568dbbc8c5bce94894474c07afd4f.tar.gz linux-5f8d28f6d7d568dbbc8c5bce94894474c07afd4f.tar.bz2 linux-5f8d28f6d7d568dbbc8c5bce94894474c07afd4f.zip | |
lsm: infrastructure management of the key security blob
Move management of the key->security blob out of the individual security
modules and into the security infrastructure. Instead of allocating the
blobs from within the modules the modules tell the infrastructure how
much space is required, and the space is allocated there. There are
no existing modules that require a key_free hook, so the call to it and
the definition for it have been removed.
Signed-off-by: Casey Schaufler <casey@schaufler-ca.com>
Reviewed-by: John Johansen <john.johansen@canonical.com>
[PM: subject tweak]
Signed-off-by: Paul Moore <paul@paul-moore.com>
Diffstat (limited to 'security/selinux/hooks.c')
| -rw-r--r-- | security/selinux/hooks.c | 21 |
1 files changed, 4 insertions, 17 deletions
diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c index e08ffb1ddd5a..7dbf169f733f 100644 --- a/security/selinux/hooks.c +++ b/security/selinux/hooks.c @@ -6663,11 +6663,7 @@ static int selinux_key_alloc(struct key *k, const struct cred *cred, unsigned long flags) { const struct task_security_struct *tsec; - struct key_security_struct *ksec; - - ksec = kzalloc(sizeof(struct key_security_struct), GFP_KERNEL); - if (!ksec) - return -ENOMEM; + struct key_security_struct *ksec = selinux_key(k); tsec = selinux_cred(cred); if (tsec->keycreate_sid) @@ -6675,18 +6671,9 @@ static int selinux_key_alloc(struct key *k, const struct cred *cred, else ksec->sid = tsec->sid; - k->security = ksec; return 0; } -static void selinux_key_free(struct key *k) -{ - struct key_security_struct *ksec = k->security; - - k->security = NULL; - kfree(ksec); -} - static int selinux_key_permission(key_ref_t key_ref, const struct cred *cred, enum key_need_perm need_perm) @@ -6727,14 +6714,14 @@ static int selinux_key_permission(key_ref_t key_ref, sid = cred_sid(cred); key = key_ref_to_ptr(key_ref); - ksec = key->security; + ksec = selinux_key(key); return avc_has_perm(sid, ksec->sid, SECCLASS_KEY, perm, NULL); } static int selinux_key_getsecurity(struct key *key, char **_buffer) { - struct key_security_struct *ksec = key->security; + struct key_security_struct *ksec = selinux_key(key); char *context = NULL; unsigned len; int rc; @@ -6986,6 +6973,7 @@ struct lsm_blob_sizes selinux_blob_sizes __ro_after_init = { .lbs_file = sizeof(struct file_security_struct), .lbs_inode = sizeof(struct inode_security_struct), .lbs_ipc = sizeof(struct ipc_security_struct), + .lbs_key = sizeof(struct key_security_struct), .lbs_msg_msg = sizeof(struct msg_security_struct), .lbs_sock = sizeof(struct sk_security_struct), .lbs_superblock = sizeof(struct superblock_security_struct), @@ -7324,7 +7312,6 @@ static struct security_hook_list selinux_hooks[] __ro_after_init = { #endif #ifdef CONFIG_KEYS - LSM_HOOK_INIT(key_free, selinux_key_free), LSM_HOOK_INIT(key_permission, selinux_key_permission), LSM_HOOK_INIT(key_getsecurity, selinux_key_getsecurity), #ifdef CONFIG_KEY_NOTIFICATIONS |