Re: [PATCH] 2/5: LSM hooks rework
From: Andreas Gruenbacher
Date: Mon Feb 14 2005 - 09:32:33 EST
On Sun, 2005-02-13 at 22:11, Kurt Garloff wrote:
> From: Kurt Garloff <garloff@xxxxxxx>
> Subject: Clean LSM stub file
> References: 40217, 39439
>
> Rather than having every LSM hook twice, once for the case with
> CONFIG_SECURITY enabled and once for the disabled case, put
> everything in one inline function.
The attached patch fixes compilation if CONFIG_SECURITY_NETWORK is
turned off.
> This reduces the chance of the two to go out of sync immensely.
... as it already happened with security_sk_free(). Also fixed in the
attached patch.
Regards,
--
Andreas Gruenbacher <agruen@xxxxxxx>
SUSE Labs, SUSE LINUX GMBH
--- Begin Message ---
The patch didn't define dummy inline functions for the
CONFIG_SECURITY_NETWORK=n case.
Also, security_sk_free() returns void.
Signed-off-by: Andreas Gruenbacher <agruen@xxxxxxx>
Index: linux-2.6.11-rc3/include/linux/security.h
===================================================================
--- linux-2.6.11-rc3.orig/include/linux/security.h
+++ linux-2.6.11-rc3/include/linux/security.h
@@ -1261,6 +1261,11 @@ static inline int security_init(void)
# define COND_SECURITY(seop, def) def
#endif
+#ifdef CONFIG_SECURITY_NETWORK
+#define COND_SECURITY_NETWORK(seop, def) COND_SECURITY(seop, def)
+#else
+#define COND_SECURITY_NETWORK(seop, def) def
+#endif
/* SELinux noop */
#define SE_NOP ({})
@@ -2044,12 +2049,11 @@ static inline int security_netlink_recv(
cap_netlink_recv (skb));
}
-#ifdef CONFIG_SECURITY_NETWORK
static inline int security_unix_stream_connect(struct socket * sock,
struct socket * other,
struct sock * newsk)
{
- return COND_SECURITY(unix_stream_connect(sock, other, newsk),
+ return COND_SECURITY_NETWORK(unix_stream_connect(sock, other, newsk),
0);
}
@@ -2057,14 +2061,14 @@ static inline int security_unix_stream_c
static inline int security_unix_may_send(struct socket * sock,
struct socket * other)
{
- return COND_SECURITY(unix_may_send(sock, other),
+ return COND_SECURITY_NETWORK(unix_may_send(sock, other),
0);
}
static inline int security_socket_create (int family, int type,
int protocol, int kern)
{
- return COND_SECURITY(socket_create(family, type, protocol, kern),
+ return COND_SECURITY_NETWORK(socket_create(family, type, protocol, kern),
0);
}
@@ -2073,7 +2077,7 @@ static inline void security_socket_post_
int type,
int protocol, int kern)
{
- COND_SECURITY(socket_post_create(sock, family, type, protocol, kern),
+ COND_SECURITY_NETWORK(socket_post_create(sock, family, type, protocol, kern),
SE_NOP);
}
@@ -2081,7 +2085,7 @@ static inline int security_socket_bind(s
struct sockaddr * address,
int addrlen)
{
- return COND_SECURITY(socket_bind(sock, address, addrlen),
+ return COND_SECURITY_NETWORK(socket_bind(sock, address, addrlen),
0);
}
@@ -2089,34 +2093,34 @@ static inline int security_socket_connec
struct sockaddr * address,
int addrlen)
{
- return COND_SECURITY(socket_connect(sock, address, addrlen),
+ return COND_SECURITY_NETWORK(socket_connect(sock, address, addrlen),
0);
}
static inline int security_socket_listen(struct socket * sock, int backlog)
{
- return COND_SECURITY(socket_listen(sock, backlog),
+ return COND_SECURITY_NETWORK(socket_listen(sock, backlog),
0);
}
static inline int security_socket_accept(struct socket * sock,
struct socket * newsock)
{
- return COND_SECURITY(socket_accept(sock, newsock),
+ return COND_SECURITY_NETWORK(socket_accept(sock, newsock),
0);
}
static inline void security_socket_post_accept(struct socket * sock,
struct socket * newsock)
{
- COND_SECURITY(socket_post_accept(sock, newsock),
+ COND_SECURITY_NETWORK(socket_post_accept(sock, newsock),
SE_NOP);
}
static inline int security_socket_sendmsg(struct socket * sock,
struct msghdr * msg, int size)
{
- return COND_SECURITY(socket_sendmsg(sock, msg, size),
+ return COND_SECURITY_NETWORK(socket_sendmsg(sock, msg, size),
0);
}
@@ -2124,68 +2128,67 @@ static inline int security_socket_recvms
struct msghdr * msg, int size,
int flags)
{
- return COND_SECURITY(socket_recvmsg(sock, msg, size, flags),
+ return COND_SECURITY_NETWORK(socket_recvmsg(sock, msg, size, flags),
0);
}
static inline int security_socket_getsockname(struct socket * sock)
{
- return COND_SECURITY(socket_getsockname(sock),
+ return COND_SECURITY_NETWORK(socket_getsockname(sock),
0);
}
static inline int security_socket_getpeername(struct socket * sock)
{
- return COND_SECURITY(socket_getpeername(sock),
+ return COND_SECURITY_NETWORK(socket_getpeername(sock),
0);
}
static inline int security_socket_getsockopt(struct socket * sock,
int level, int optname)
{
- return COND_SECURITY(socket_getsockopt(sock, level, optname),
+ return COND_SECURITY_NETWORK(socket_getsockopt(sock, level, optname),
0);
}
static inline int security_socket_setsockopt(struct socket * sock,
int level, int optname)
{
- return COND_SECURITY(socket_setsockopt(sock, level, optname),
+ return COND_SECURITY_NETWORK(socket_setsockopt(sock, level, optname),
0);
}
static inline int security_socket_shutdown(struct socket * sock, int how)
{
- return COND_SECURITY(socket_shutdown(sock, how),
+ return COND_SECURITY_NETWORK(socket_shutdown(sock, how),
0);
}
static inline int security_sock_rcv_skb (struct sock * sk,
struct sk_buff * skb)
{
- return COND_SECURITY(socket_sock_rcv_skb(sk, skb),
+ return COND_SECURITY_NETWORK(socket_sock_rcv_skb(sk, skb),
0);
}
static inline int security_socket_getpeersec(struct socket *sock, char __user *optval,
int __user *optlen, unsigned len)
{
- return COND_SECURITY(socket_getpeersec(sock, optval, optlen, len),
+ return COND_SECURITY_NETWORK(socket_getpeersec(sock, optval, optlen, len),
-ENOPROTOOPT);
}
static inline int security_sk_alloc(struct sock *sk, int family, int priority)
{
- return COND_SECURITY(sk_alloc_security(sk, family, priority),
+ return COND_SECURITY_NETWORK(sk_alloc_security(sk, family, priority),
0);
}
static inline void security_sk_free(struct sock *sk)
{
- return COND_SECURITY(sk_free_security(sk),
- 0);
+ COND_SECURITY_NETWORK(sk_free_security(sk),
+ SE_NOP);
}
-#endif /* CONFIG_SECURITY_NETWORK */
#endif /* ! __LINUX_SECURITY_H */
--- End Message ---