[PATCH v1 18/22] LSM: Use multiple secids in security module interfaces

From: Casey Schaufler
Date: Mon Jul 16 2018 - 14:24:38 EST


LSM: Use multiple secids in security module interfaces

This is the first of two parts required to change the
security module infrastructure from using a u32 to
identify extended security attributes to using a pointer
to a structure containing the information required for
the set of security modules involved. You can't put an
SELinux secid, a Smack secid and an AppArmor secid
all into a u32. They don't fit. Schemes that map a
single u32 into sets of u32s are frought with data
management issues and as a result are not suitable for
use in the variety of ways secids manifest themselves
in the Linux kernel.

This patch changes the interfaces to the security modules
to use a "struct secids" pointer where they used a u32
before. There are changes in networking code where the
layering isn't so clean as I would like it to be.

Signed-off-by: Casey Schaufler <casey@xxxxxxxxxxxxxxxx>
---
include/linux/lsm_hooks.h | 38 +++++++-------
include/linux/security.h | 19 +++++++
include/net/flow.h | 5 +-
include/net/netlabel.h | 8 +--
net/core/filter.c | 4 +-
net/ipv4/cipso_ipv4.c | 4 +-
net/netlabel/netlabel_kapi.c | 4 +-
net/netlabel/netlabel_unlabeled.c | 29 ++++++-----
net/netlabel/netlabel_user.c | 4 +-
net/netlabel/netlabel_user.h | 2 +-
net/xfrm/xfrm_policy.c | 7 +--
net/xfrm/xfrm_state.c | 3 +-
security/apparmor/audit.c | 4 +-
security/apparmor/include/audit.h | 2 +-
security/apparmor/include/secid.h | 5 +-
security/apparmor/lsm.c | 7 +--
security/apparmor/secid.c | 9 ++--
security/security.c | 85 ++++++++++++++++++++++++-------
security/selinux/hooks.c | 59 +++++++++++----------
security/selinux/include/audit.h | 2 +-
security/selinux/include/xfrm.h | 9 ++--
security/selinux/netlabel.c | 2 +-
security/selinux/ss/services.c | 10 ++--
security/selinux/xfrm.c | 25 +++++----
security/smack/smack_access.c | 4 +-
security/smack/smack_lsm.c | 76 +++++++++++++++------------
security/smack/smackfs.c | 14 +++--
27 files changed, 275 insertions(+), 165 deletions(-)

diff --git a/include/linux/lsm_hooks.h b/include/linux/lsm_hooks.h
index 115e7cd89d88..7c321d11d994 100644
--- a/include/linux/lsm_hooks.h
+++ b/include/linux/lsm_hooks.h
@@ -1548,7 +1548,7 @@ union security_list_options {
int flags);
int (*inode_listsecurity)(struct inode *inode, char *buffer,
size_t buffer_size);
- void (*inode_getsecid)(struct inode *inode, u32 *secid);
+ void (*inode_getsecid)(struct inode *inode, struct secids *secid);
int (*inode_copy_up)(struct dentry *src, struct cred **new);
int (*inode_copy_up_xattr)(const char *name);

@@ -1578,8 +1578,8 @@ union security_list_options {
int (*cred_prepare)(struct cred *new, const struct cred *old,
gfp_t gfp);
void (*cred_transfer)(struct cred *new, const struct cred *old);
- void (*cred_getsecid)(const struct cred *c, u32 *secid);
- int (*kernel_act_as)(struct cred *new, u32 secid);
+ void (*cred_getsecid)(const struct cred *c, struct secids *secid);
+ int (*kernel_act_as)(struct cred *new, struct secids *secid);
int (*kernel_create_files_as)(struct cred *new, struct inode *inode);
int (*kernel_module_request)(char *kmod_name);
int (*kernel_read_file)(struct file *file, enum kernel_read_file_id id);
@@ -1590,7 +1590,7 @@ union security_list_options {
int (*task_setpgid)(struct task_struct *p, pid_t pgid);
int (*task_getpgid)(struct task_struct *p);
int (*task_getsid)(struct task_struct *p);
- void (*task_getsecid)(struct task_struct *p, u32 *secid);
+ void (*task_getsecid)(struct task_struct *p, struct secids *secid);
int (*task_setnice)(struct task_struct *p, int nice);
int (*task_setioprio)(struct task_struct *p, int ioprio);
int (*task_getioprio)(struct task_struct *p);
@@ -1608,7 +1608,7 @@ union security_list_options {
void (*task_to_inode)(struct task_struct *p, struct inode *inode);

int (*ipc_permission)(struct kern_ipc_perm *ipcp, short flag);
- void (*ipc_getsecid)(struct kern_ipc_perm *ipcp, u32 *secid);
+ void (*ipc_getsecid)(struct kern_ipc_perm *ipcp, struct secids *secid);

int (*msg_msg_alloc_security)(struct msg_msg *msg);
void (*msg_msg_free_security)(struct msg_msg *msg);
@@ -1644,8 +1644,10 @@ union security_list_options {
int (*getprocattr)(struct task_struct *p, char *name, char **value);
int (*setprocattr)(const char *name, void *value, size_t size);
int (*ismaclabel)(const char *name);
- int (*secid_to_secctx)(u32 secid, char **secdata, u32 *seclen);
- int (*secctx_to_secid)(const char *secdata, u32 seclen, u32 *secid);
+ int (*secid_to_secctx)(struct secids *secid, char **secdata,
+ u32 *seclen);
+ int (*secctx_to_secid)(const char *secdata, u32 seclen,
+ struct secids *secid);
void (*release_secctx)(char *secdata, u32 seclen);

void (*inode_invalidate_secctx)(struct inode *inode);
@@ -1680,20 +1682,21 @@ union security_list_options {
int (*socket_sock_rcv_skb)(struct sock *sk, struct sk_buff *skb);
int (*socket_getpeersec_stream)(struct socket *sock,
char __user *optval,
- int __user *optlen, unsigned len);
+ int __user *optlen, unsigned int len);
int (*socket_getpeersec_dgram)(struct socket *sock,
- struct sk_buff *skb, u32 *secid);
+ struct sk_buff *skb,
+ struct secids *secid);
int (*sk_alloc_security)(struct sock *sk, int family, gfp_t priority);
void (*sk_free_security)(struct sock *sk);
void (*sk_clone_security)(const struct sock *sk, struct sock *newsk);
- void (*sk_getsecid)(struct sock *sk, u32 *secid);
+ void (*sk_getsecid)(struct sock *sk, struct secids *secid);
void (*sock_graft)(struct sock *sk, struct socket *parent);
int (*inet_conn_request)(struct sock *sk, struct sk_buff *skb,
struct request_sock *req);
void (*inet_csk_clone)(struct sock *newsk,
const struct request_sock *req);
void (*inet_conn_established)(struct sock *sk, struct sk_buff *skb);
- int (*secmark_relabel_packet)(u32 secid);
+ int (*secmark_relabel_packet)(struct secids *secid);
void (*secmark_refcount_inc)(void);
void (*secmark_refcount_dec)(void);
void (*req_classify_flow)(const struct request_sock *req,
@@ -1732,15 +1735,16 @@ union security_list_options {
struct xfrm_user_sec_ctx *sec_ctx);
int (*xfrm_state_alloc_acquire)(struct xfrm_state *x,
struct xfrm_sec_ctx *polsec,
- u32 secid);
+ const struct secids *secid);
void (*xfrm_state_free_security)(struct xfrm_state *x);
int (*xfrm_state_delete_security)(struct xfrm_state *x);
- int (*xfrm_policy_lookup)(struct xfrm_sec_ctx *ctx, u32 fl_secid,
- u8 dir);
+ int (*xfrm_policy_lookup)(struct xfrm_sec_ctx *ctx,
+ struct secids *fl_secid, u8 dir);
int (*xfrm_state_pol_flow_match)(struct xfrm_state *x,
struct xfrm_policy *xp,
const struct flowi *fl);
- int (*xfrm_decode_session)(struct sk_buff *skb, u32 *secid, int ckall);
+ int (*xfrm_decode_session)(struct sk_buff *skb, struct secids *secid,
+ int ckall);
#endif /* CONFIG_SECURITY_NETWORK_XFRM */

/* key management security hooks */
@@ -1757,8 +1761,8 @@ union security_list_options {
int (*audit_rule_init)(u32 field, u32 op, char *rulestr,
void **lsmrule);
int (*audit_rule_known)(struct audit_krule *krule);
- int (*audit_rule_match)(u32 secid, u32 field, u32 op, void *lsmrule,
- struct audit_context *actx);
+ int (*audit_rule_match)(struct secids *secid, u32 field, u32 op,
+ void *lsmrule, struct audit_context *actx);
void (*audit_rule_free)(void *lsmrule);
#endif /* CONFIG_AUDIT */

diff --git a/include/linux/security.h b/include/linux/security.h
index ea875e761d14..6e8e98237a79 100644
--- a/include/linux/security.h
+++ b/include/linux/security.h
@@ -70,6 +70,25 @@ enum lsm_event {
LSM_POLICY_CHANGE,
};

+struct secids {
+ union {
+ u32 common;
+ u32 selinux;
+ u32 smack;
+ u32 apparmor;
+ };
+};
+
+static inline bool secid_valid(const struct secids *secids)
+{
+ return secids->common != 0;
+}
+
+static inline void secid_init(struct secids *secid)
+{
+ memset(secid, 0, sizeof(*secid));
+}
+
/* These functions are in security/commoncap.c */
extern int cap_capable(const struct cred *cred, struct user_namespace *ns,
int cap, int audit);
diff --git a/include/net/flow.h b/include/net/flow.h
index 8ce21793094e..aa29d11bc3d7 100644
--- a/include/net/flow.h
+++ b/include/net/flow.h
@@ -11,6 +11,7 @@
#include <linux/socket.h>
#include <linux/in6.h>
#include <linux/atomic.h>
+#include <linux/security.h>
#include <net/flow_dissector.h>
#include <linux/uidgid.h>

@@ -37,7 +38,7 @@ struct flowi_common {
#define FLOWI_FLAG_ANYSRC 0x01
#define FLOWI_FLAG_KNOWN_NH 0x02
#define FLOWI_FLAG_SKIP_NH_OIF 0x04
- __u32 flowic_secid;
+ struct secids flowic_secid;
struct flowi_tunnel flowic_tun_key;
kuid_t flowic_uid;
};
@@ -107,7 +108,7 @@ static inline void flowi4_init_output(struct flowi4 *fl4, int oif,
fl4->flowi4_scope = scope;
fl4->flowi4_proto = proto;
fl4->flowi4_flags = flags;
- fl4->flowi4_secid = 0;
+ secid_init(&fl4->flowi4_secid);
fl4->flowi4_tun_key.tun_id = 0;
fl4->flowi4_uid = uid;
fl4->daddr = daddr;
diff --git a/include/net/netlabel.h b/include/net/netlabel.h
index 72d6435fc16c..51dacbb88886 100644
--- a/include/net/netlabel.h
+++ b/include/net/netlabel.h
@@ -111,7 +111,7 @@ struct calipso_doi;

/* NetLabel audit information */
struct netlbl_audit {
- u32 secid;
+ struct secids secid;
kuid_t loginuid;
unsigned int sessionid;
};
@@ -215,7 +215,7 @@ struct netlbl_lsm_secattr {
struct netlbl_lsm_catmap *cat;
u32 lvl;
} mls;
- u32 secid;
+ struct secids secid;
} attr;
};

@@ -429,7 +429,7 @@ int netlbl_cfg_unlbl_static_add(struct net *net,
const void *addr,
const void *mask,
u16 family,
- u32 secid,
+ struct secids *secid,
struct netlbl_audit *audit_info);
int netlbl_cfg_unlbl_static_del(struct net *net,
const char *dev_name,
@@ -537,7 +537,7 @@ static inline int netlbl_cfg_unlbl_static_add(struct net *net,
const void *addr,
const void *mask,
u16 family,
- u32 secid,
+ struct secids *secid,
struct netlbl_audit *audit_info)
{
return -ENOSYS;
diff --git a/net/core/filter.c b/net/core/filter.c
index e7f12e9f598c..74cf4c829068 100644
--- a/net/core/filter.c
+++ b/net/core/filter.c
@@ -4128,7 +4128,7 @@ static int bpf_ipv4_fib_lookup(struct net *net, struct bpf_fib_lookup *params,
err = fib_table_lookup(tb, &fl4, &res, FIB_LOOKUP_NOREF);
} else {
fl4.flowi4_mark = 0;
- fl4.flowi4_secid = 0;
+ secid_init(&fl4.flowi4_secid);
fl4.flowi4_tun_key.tun_id = 0;
fl4.flowi4_uid = sock_net_uid(net, NULL);

@@ -4230,7 +4230,7 @@ static int bpf_ipv6_fib_lookup(struct net *net, struct bpf_fib_lookup *params,
f6i = ipv6_stub->fib6_table_lookup(net, tb, oif, &fl6, strict);
} else {
fl6.flowi6_mark = 0;
- fl6.flowi6_secid = 0;
+ secid_init(&fl6.flowi6_secid);
fl6.flowi6_tun_key.tun_id = 0;
fl6.flowi6_uid = sock_net_uid(net, NULL);

diff --git a/net/ipv4/cipso_ipv4.c b/net/ipv4/cipso_ipv4.c
index 82178cc69c96..e17896a5a947 100644
--- a/net/ipv4/cipso_ipv4.c
+++ b/net/ipv4/cipso_ipv4.c
@@ -1480,7 +1480,7 @@ static int cipso_v4_gentag_loc(const struct cipso_v4_doi *doi_def,

buffer[0] = CIPSO_V4_TAG_LOCAL;
buffer[1] = CIPSO_V4_TAG_LOC_BLEN;
- *(u32 *)&buffer[2] = secattr->attr.secid;
+ *(u32 *)&buffer[2] = secattr->attr.secid.common;

return CIPSO_V4_TAG_LOC_BLEN;
}
@@ -1500,7 +1500,7 @@ static int cipso_v4_parsetag_loc(const struct cipso_v4_doi *doi_def,
const unsigned char *tag,
struct netlbl_lsm_secattr *secattr)
{
- secattr->attr.secid = *(u32 *)&tag[2];
+ secattr->attr.secid.common = *(u32 *)&tag[2];
secattr->flags |= NETLBL_SECATTR_SECID;

return 0;
diff --git a/net/netlabel/netlabel_kapi.c b/net/netlabel/netlabel_kapi.c
index ea7c67050792..592ec7ba8822 100644
--- a/net/netlabel/netlabel_kapi.c
+++ b/net/netlabel/netlabel_kapi.c
@@ -224,7 +224,7 @@ int netlbl_cfg_unlbl_static_add(struct net *net,
const void *addr,
const void *mask,
u16 family,
- u32 secid,
+ struct secids *secid,
struct netlbl_audit *audit_info)
{
u32 addr_len;
@@ -244,7 +244,7 @@ int netlbl_cfg_unlbl_static_add(struct net *net,

return netlbl_unlhsh_add(net,
dev_name, addr, mask, addr_len,
- secid, audit_info);
+ secid->common, audit_info);
}

/**
diff --git a/net/netlabel/netlabel_unlabeled.c b/net/netlabel/netlabel_unlabeled.c
index c070dfc0190a..92744f4791c4 100644
--- a/net/netlabel/netlabel_unlabeled.c
+++ b/net/netlabel/netlabel_unlabeled.c
@@ -80,7 +80,7 @@ struct netlbl_unlhsh_tbl {
#define netlbl_unlhsh_addr4_entry(iter) \
container_of(iter, struct netlbl_unlhsh_addr4, list)
struct netlbl_unlhsh_addr4 {
- u32 secid;
+ struct secids secid;

struct netlbl_af4list list;
struct rcu_head rcu;
@@ -88,7 +88,7 @@ struct netlbl_unlhsh_addr4 {
#define netlbl_unlhsh_addr6_entry(iter) \
container_of(iter, struct netlbl_unlhsh_addr6, list)
struct netlbl_unlhsh_addr6 {
- u32 secid;
+ struct secids secid;

struct netlbl_af6list list;
struct rcu_head rcu;
@@ -244,7 +244,7 @@ static struct netlbl_unlhsh_iface *netlbl_unlhsh_search_iface(int ifindex)
static int netlbl_unlhsh_add_addr4(struct netlbl_unlhsh_iface *iface,
const struct in_addr *addr,
const struct in_addr *mask,
- u32 secid)
+ struct secids *secid)
{
int ret_val;
struct netlbl_unlhsh_addr4 *entry;
@@ -256,7 +256,7 @@ static int netlbl_unlhsh_add_addr4(struct netlbl_unlhsh_iface *iface,
entry->list.addr = addr->s_addr & mask->s_addr;
entry->list.mask = mask->s_addr;
entry->list.valid = 1;
- entry->secid = secid;
+ entry->secid = *secid;

spin_lock(&netlbl_unlhsh_lock);
ret_val = netlbl_af4list_add(&entry->list, &iface->addr4_list);
@@ -284,7 +284,7 @@ static int netlbl_unlhsh_add_addr4(struct netlbl_unlhsh_iface *iface,
static int netlbl_unlhsh_add_addr6(struct netlbl_unlhsh_iface *iface,
const struct in6_addr *addr,
const struct in6_addr *mask,
- u32 secid)
+ struct secids *secid)
{
int ret_val;
struct netlbl_unlhsh_addr6 *entry;
@@ -300,7 +300,7 @@ static int netlbl_unlhsh_add_addr6(struct netlbl_unlhsh_iface *iface,
entry->list.addr.s6_addr32[3] &= mask->s6_addr32[3];
entry->list.mask = *mask;
entry->list.valid = 1;
- entry->secid = secid;
+ entry->secid = *secid;

spin_lock(&netlbl_unlhsh_lock);
ret_val = netlbl_af6list_add(&entry->list, &iface->addr6_list);
@@ -389,6 +389,7 @@ int netlbl_unlhsh_add(struct net *net,
struct audit_buffer *audit_buf = NULL;
char *secctx = NULL;
u32 secctx_len;
+ struct secids ids;

if (addr_len != sizeof(struct in_addr) &&
addr_len != sizeof(struct in6_addr))
@@ -421,7 +422,8 @@ int netlbl_unlhsh_add(struct net *net,
const struct in_addr *addr4 = addr;
const struct in_addr *mask4 = mask;

- ret_val = netlbl_unlhsh_add_addr4(iface, addr4, mask4, secid);
+ ids.common = secid;
+ ret_val = netlbl_unlhsh_add_addr4(iface, addr4, mask4, &ids);
if (audit_buf != NULL)
netlbl_af4list_audit_addr(audit_buf, 1,
dev_name,
@@ -434,7 +436,8 @@ int netlbl_unlhsh_add(struct net *net,
const struct in6_addr *addr6 = addr;
const struct in6_addr *mask6 = mask;

- ret_val = netlbl_unlhsh_add_addr6(iface, addr6, mask6, secid);
+ ids.common = secid;
+ ret_val = netlbl_unlhsh_add_addr6(iface, addr6, mask6, &ids);
if (audit_buf != NULL)
netlbl_af6list_audit_addr(audit_buf, 1,
dev_name,
@@ -508,7 +511,7 @@ static int netlbl_unlhsh_remove_addr4(struct net *net,
if (dev != NULL)
dev_put(dev);
if (entry != NULL &&
- security_secid_to_secctx(entry->secid,
+ security_secid_to_secctx(entry->secid.common,
&secctx, &secctx_len) == 0) {
audit_log_format(audit_buf, " sec_obj=%s", secctx);
security_release_secctx(secctx, secctx_len);
@@ -569,7 +572,7 @@ static int netlbl_unlhsh_remove_addr6(struct net *net,
if (dev != NULL)
dev_put(dev);
if (entry != NULL &&
- security_secid_to_secctx(entry->secid,
+ security_secid_to_secctx(entry->secid.common,
&secctx, &secctx_len) == 0) {
audit_log_format(audit_buf, " sec_obj=%s", secctx);
security_release_secctx(secctx, secctx_len);
@@ -1124,7 +1127,7 @@ static int netlbl_unlabel_staticlist_gen(u32 cmd,
if (ret_val != 0)
goto list_cb_failure;

- secid = addr4->secid;
+ secid = addr4->secid.common;
} else {
ret_val = nla_put_in6_addr(cb_arg->skb,
NLBL_UNLABEL_A_IPV6ADDR,
@@ -1138,7 +1141,7 @@ static int netlbl_unlabel_staticlist_gen(u32 cmd,
if (ret_val != 0)
goto list_cb_failure;

- secid = addr6->secid;
+ secid = addr6->secid.common;
}

ret_val = security_secid_to_secctx(secid, &secctx, &secctx_len);
@@ -1543,7 +1546,7 @@ int __init netlbl_unlabel_defconf(void)
/* Only the kernel is allowed to call this function and the only time
* it is called is at bootup before the audit subsystem is reporting
* messages so don't worry to much about these values. */
- security_task_getsecid(current, &audit_info.secid);
+ security_task_getsecid(current, &audit_info.secid.common);
audit_info.loginuid = GLOBAL_ROOT_UID;
audit_info.sessionid = 0;

diff --git a/net/netlabel/netlabel_user.c b/net/netlabel/netlabel_user.c
index 2f328af91a52..415643011499 100644
--- a/net/netlabel/netlabel_user.c
+++ b/net/netlabel/netlabel_user.c
@@ -112,8 +112,8 @@ struct audit_buffer *netlbl_audit_start_common(int type,
from_kuid(&init_user_ns, audit_info->loginuid),
audit_info->sessionid);

- if (audit_info->secid != 0 &&
- security_secid_to_secctx(audit_info->secid,
+ if (audit_info->secid.common != 0 &&
+ security_secid_to_secctx(audit_info->secid.common,
&secctx,
&secctx_len) == 0) {
audit_log_format(audit_buf, " subj=%s", secctx);
diff --git a/net/netlabel/netlabel_user.h b/net/netlabel/netlabel_user.h
index 4a397cde1a48..782ee194fdbd 100644
--- a/net/netlabel/netlabel_user.h
+++ b/net/netlabel/netlabel_user.h
@@ -48,7 +48,7 @@
static inline void netlbl_netlink_auditinfo(struct sk_buff *skb,
struct netlbl_audit *audit_info)
{
- security_task_getsecid(current, &audit_info->secid);
+ security_task_getsecid(current, &audit_info->secid.common);
audit_info->loginuid = audit_get_loginuid(current);
audit_info->sessionid = audit_get_sessionid(current);
}
diff --git a/net/xfrm/xfrm_policy.c b/net/xfrm/xfrm_policy.c
index 5f48251c1319..63fa1ff1a71d 100644
--- a/net/xfrm/xfrm_policy.c
+++ b/net/xfrm/xfrm_policy.c
@@ -1069,7 +1069,8 @@ static int xfrm_policy_match(const struct xfrm_policy *pol,

match = xfrm_selector_match(sel, fl, family);
if (match)
- ret = security_xfrm_policy_lookup(pol->security, fl->flowi_secid,
+ ret = security_xfrm_policy_lookup(pol->security,
+ fl->flowi_secid.common,
dir);

return ret;
@@ -1182,7 +1183,7 @@ static struct xfrm_policy *xfrm_sk_policy_lookup(const struct sock *sk, int dir,
goto out;
}
err = security_xfrm_policy_lookup(pol->security,
- fl->flowi_secid,
+ fl->flowi_secid.common,
dir);
if (!err) {
if (!xfrm_pol_hold_rcu(pol))
@@ -2365,7 +2366,7 @@ int __xfrm_decode_session(struct sk_buff *skb, struct flowi *fl,
return -EAFNOSUPPORT;

afinfo->decode_session(skb, fl, reverse);
- err = security_xfrm_decode_session(skb, &fl->flowi_secid);
+ err = security_xfrm_decode_session(skb, &fl->flowi_secid.common);
rcu_read_unlock();
return err;
}
diff --git a/net/xfrm/xfrm_state.c b/net/xfrm/xfrm_state.c
index 8308281f3253..30086d2eaf6f 100644
--- a/net/xfrm/xfrm_state.c
+++ b/net/xfrm/xfrm_state.c
@@ -1011,7 +1011,8 @@ xfrm_state_find(const xfrm_address_t *daddr, const xfrm_address_t *saddr,
xfrm_init_tempstate(x, fl, tmpl, daddr, saddr, family);
memcpy(&x->mark, &pol->mark, sizeof(x->mark));

- error = security_xfrm_state_alloc_acquire(x, pol->security, fl->flowi_secid);
+ error = security_xfrm_state_alloc_acquire(x, pol->security,
+ fl->flowi_secid.common);
if (error) {
x->km.state = XFRM_STATE_DEAD;
to_put = x;
diff --git a/security/apparmor/audit.c b/security/apparmor/audit.c
index eeaddfe0c0fb..d67faf77d6c5 100644
--- a/security/apparmor/audit.c
+++ b/security/apparmor/audit.c
@@ -225,14 +225,14 @@ int aa_audit_rule_known(struct audit_krule *rule)
return 0;
}

-int aa_audit_rule_match(u32 sid, u32 field, u32 op, void *vrule,
+int aa_audit_rule_match(struct secids *sid, u32 field, u32 op, void *vrule,
struct audit_context *actx)
{
struct aa_audit_rule *rule = vrule;
struct aa_label *label;
int found = 0;

- label = aa_secid_to_label(sid);
+ label = aa_secid_to_label(sid->apparmor);

if (!label)
return -ENOENT;
diff --git a/security/apparmor/include/audit.h b/security/apparmor/include/audit.h
index b8c8b1066b0a..8042046eef90 100644
--- a/security/apparmor/include/audit.h
+++ b/security/apparmor/include/audit.h
@@ -192,7 +192,7 @@ static inline int complain_error(int error)
void aa_audit_rule_free(void *vrule);
int aa_audit_rule_init(u32 field, u32 op, char *rulestr, void **vrule);
int aa_audit_rule_known(struct audit_krule *rule);
-int aa_audit_rule_match(u32 sid, u32 field, u32 op, void *vrule,
+int aa_audit_rule_match(struct secids *sid, u32 field, u32 op, void *vrule,
struct audit_context *actx);

#endif /* __AA_AUDIT_H */
diff --git a/security/apparmor/include/secid.h b/security/apparmor/include/secid.h
index dee6fa3b6081..81f29538e415 100644
--- a/security/apparmor/include/secid.h
+++ b/security/apparmor/include/secid.h
@@ -23,8 +23,9 @@ struct aa_label;
#define AA_SECID_INVALID 0

struct aa_label *aa_secid_to_label(u32 secid);
-int apparmor_secid_to_secctx(u32 secid, char **secdata, u32 *seclen);
-int apparmor_secctx_to_secid(const char *secdata, u32 seclen, u32 *secid);
+int apparmor_secid_to_secctx(struct secids *secid, char **secdata, u32 *seclen);
+int apparmor_secctx_to_secid(const char *secdata, u32 seclen,
+ struct secids *secid);
void apparmor_release_secctx(char *secdata, u32 seclen);


diff --git a/security/apparmor/lsm.c b/security/apparmor/lsm.c
index b0bf6ffe6a97..b0200481c811 100644
--- a/security/apparmor/lsm.c
+++ b/security/apparmor/lsm.c
@@ -707,10 +707,10 @@ static void apparmor_bprm_committed_creds(struct linux_binprm *bprm)
return;
}

-static void apparmor_task_getsecid(struct task_struct *p, u32 *secid)
+static void apparmor_task_getsecid(struct task_struct *p, struct secids *secid)
{
struct aa_label *label = aa_get_task_label(p);
- *secid = label->secid;
+ secid->apparmor = label->secid;
aa_put_label(label);
}

@@ -1077,7 +1077,8 @@ static int apparmor_socket_getpeersec_stream(struct socket *sock,
* Sets the netlabel socket state on sk from parent
*/
static int apparmor_socket_getpeersec_dgram(struct socket *sock,
- struct sk_buff *skb, u32 *secid)
+ struct sk_buff *skb,
+ struct secids *secid)

{
/* TODO: requires secid support */
diff --git a/security/apparmor/secid.c b/security/apparmor/secid.c
index f2f22d00db18..07a5024dd675 100644
--- a/security/apparmor/secid.c
+++ b/security/apparmor/secid.c
@@ -73,10 +73,10 @@ struct aa_label *aa_secid_to_label(u32 secid)
return label;
}

-int apparmor_secid_to_secctx(u32 secid, char **secdata, u32 *seclen)
+int apparmor_secid_to_secctx(struct secids *secid, char **secdata, u32 *seclen)
{
/* TODO: cache secctx and ref count so we don't have to recreate */
- struct aa_label *label = aa_secid_to_label(secid);
+ struct aa_label *label = aa_secid_to_label(secid->apparmor);
int len;

AA_BUG(!secdata);
@@ -102,7 +102,8 @@ int apparmor_secid_to_secctx(u32 secid, char **secdata, u32 *seclen)
return 0;
}

-int apparmor_secctx_to_secid(const char *secdata, u32 seclen, u32 *secid)
+int apparmor_secctx_to_secid(const char *secdata, u32 seclen,
+ struct secids *secid)
{
struct aa_label *label;

@@ -110,7 +111,7 @@ int apparmor_secctx_to_secid(const char *secdata, u32 seclen, u32 *secid)
seclen, GFP_KERNEL, false, false);
if (IS_ERR(label))
return PTR_ERR(label);
- *secid = label->secid;
+ secid->apparmor = label->secid;

return 0;
}
diff --git a/security/security.c b/security/security.c
index eea36930f6f3..785cd38b1245 100644
--- a/security/security.c
+++ b/security/security.c
@@ -129,6 +129,7 @@ int __init security_init(void)
pr_info("LSM: sock blob size = %d\n", blob_sizes.lbs_sock);
pr_info("LSM: superblock blob size = %d\n", blob_sizes.lbs_superblock);
pr_info("LSM: task blob size = %d\n", blob_sizes.lbs_task);
+ pr_info("LSM: secid size = %zu\n", sizeof(struct secids));
#endif /* CONFIG_SECURITY_LSM_DEBUG */

return 0;
@@ -1249,7 +1250,10 @@ EXPORT_SYMBOL(security_inode_listsecurity);

void security_inode_getsecid(struct inode *inode, u32 *secid)
{
- call_void_hook(inode_getsecid, inode, secid);
+ struct secids ids;
+
+ call_void_hook(inode_getsecid, inode, &ids);
+ *secid = ids.common;
}

int security_inode_copy_up(struct dentry *src, struct cred **new)
@@ -1459,14 +1463,20 @@ void security_transfer_creds(struct cred *new, const struct cred *old)

void security_cred_getsecid(const struct cred *c, u32 *secid)
{
- *secid = 0;
- call_void_hook(cred_getsecid, c, secid);
+ struct secids ids;
+
+ ids.common = 0;
+ call_void_hook(cred_getsecid, c, &ids);
+ *secid = ids.common;
}
EXPORT_SYMBOL(security_cred_getsecid);

int security_kernel_act_as(struct cred *new, u32 secid)
{
- return call_int_hook(kernel_act_as, 0, new, secid);
+ struct secids ids;
+
+ ids.common = secid;
+ return call_int_hook(kernel_act_as, 0, new, &ids);
}

int security_kernel_create_files_as(struct cred *new, struct inode *inode)
@@ -1525,8 +1535,11 @@ int security_task_getsid(struct task_struct *p)

void security_task_getsecid(struct task_struct *p, u32 *secid)
{
- *secid = 0;
- call_void_hook(task_getsecid, p, secid);
+ struct secids ids;
+
+ ids.common = 0;
+ call_void_hook(task_getsecid, p, &ids);
+ *secid = ids.common;
}
EXPORT_SYMBOL(security_task_getsecid);

@@ -1608,8 +1621,11 @@ int security_ipc_permission(struct kern_ipc_perm *ipcp, short flag)

void security_ipc_getsecid(struct kern_ipc_perm *ipcp, u32 *secid)
{
- *secid = 0;
- call_void_hook(ipc_getsecid, ipcp, secid);
+ struct secids ids;
+
+ ids.common = 0;
+ call_void_hook(ipc_getsecid, ipcp, &ids);
+ *secid = ids.common;
}

int security_msg_msg_alloc(struct msg_msg *msg)
@@ -1788,15 +1804,24 @@ EXPORT_SYMBOL(security_ismaclabel);

int security_secid_to_secctx(u32 secid, char **secdata, u32 *seclen)
{
- return call_int_hook(secid_to_secctx, -EOPNOTSUPP, secid, secdata,
+ struct secids ids;
+
+ ids.common = secid;
+ return call_int_hook(secid_to_secctx, -EOPNOTSUPP, &ids, secdata,
seclen);
}
EXPORT_SYMBOL(security_secid_to_secctx);

int security_secctx_to_secid(const char *secdata, u32 seclen, u32 *secid)
{
- *secid = 0;
- return call_int_hook(secctx_to_secid, 0, secdata, seclen, secid);
+ struct secids ids;
+ int rc;
+
+ ids.common = 0;
+ rc = call_int_hook(secctx_to_secid, 0, secdata, seclen, &ids);
+ *secid = ids.common;
+
+ return rc;
}
EXPORT_SYMBOL(security_secctx_to_secid);

@@ -1933,8 +1958,14 @@ int security_socket_getpeersec_stream(struct socket *sock, char __user *optval,

int security_socket_getpeersec_dgram(struct socket *sock, struct sk_buff *skb, u32 *secid)
{
- return call_int_hook(socket_getpeersec_dgram, -ENOPROTOOPT, sock,
- skb, secid);
+ struct secids ids;
+ int rc;
+
+ rc = call_int_hook(socket_getpeersec_dgram, -ENOPROTOOPT, sock,
+ skb, &ids);
+ *secid = ids.common;
+
+ return rc;
}
EXPORT_SYMBOL(security_socket_getpeersec_dgram);

@@ -2003,7 +2034,10 @@ EXPORT_SYMBOL(security_inet_conn_established);

int security_secmark_relabel_packet(u32 secid)
{
- return call_int_hook(secmark_relabel_packet, 0, secid);
+ struct secids ids;
+
+ ids.common = secid;
+ return call_int_hook(secmark_relabel_packet, 0, &ids);
}
EXPORT_SYMBOL(security_secmark_relabel_packet);

@@ -2142,7 +2176,10 @@ EXPORT_SYMBOL(security_xfrm_state_alloc);
int security_xfrm_state_alloc_acquire(struct xfrm_state *x,
struct xfrm_sec_ctx *polsec, u32 secid)
{
- return call_int_hook(xfrm_state_alloc_acquire, 0, x, polsec, secid);
+ struct secids ids;
+
+ ids.common = secid;
+ return call_int_hook(xfrm_state_alloc_acquire, 0, x, polsec, &ids);
}

int security_xfrm_state_delete(struct xfrm_state *x)
@@ -2158,7 +2195,10 @@ void security_xfrm_state_free(struct xfrm_state *x)

int security_xfrm_policy_lookup(struct xfrm_sec_ctx *ctx, u32 fl_secid, u8 dir)
{
- return call_int_hook(xfrm_policy_lookup, 0, ctx, fl_secid, dir);
+ struct secids ids;
+
+ ids.common = fl_secid;
+ return call_int_hook(xfrm_policy_lookup, 0, ctx, &ids, dir);
}

int security_xfrm_state_pol_flow_match(struct xfrm_state *x,
@@ -2187,7 +2227,13 @@ int security_xfrm_state_pol_flow_match(struct xfrm_state *x,

int security_xfrm_decode_session(struct sk_buff *skb, u32 *secid)
{
- return call_int_hook(xfrm_decode_session, 0, skb, secid, 1);
+ struct secids ids;
+ int rc;
+
+ rc = call_int_hook(xfrm_decode_session, 0, skb, &ids, 1);
+ *secid = ids.common;
+
+ return rc;
}

void security_skb_classify_flow(struct sk_buff *skb, struct flowi *fl)
@@ -2257,7 +2303,10 @@ void security_audit_rule_free(void *lsmrule)
int security_audit_rule_match(u32 secid, u32 field, u32 op, void *lsmrule,
struct audit_context *actx)
{
- return call_int_hook(audit_rule_match, 0, secid, field, op, lsmrule,
+ struct secids ids;
+
+ ids.common = secid;
+ return call_int_hook(audit_rule_match, 0, &ids, field, op, lsmrule,
actx);
}
#endif /* CONFIG_AUDIT */
diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c
index fcdf1ea3c438..c12c36f72258 100644
--- a/security/selinux/hooks.c
+++ b/security/selinux/hooks.c
@@ -3426,15 +3426,15 @@ static int selinux_inode_listsecurity(struct inode *inode, char *buffer, size_t
return len;
}

-static void selinux_inode_getsecid(struct inode *inode, u32 *secid)
+static void selinux_inode_getsecid(struct inode *inode, struct secids *secid)
{
struct inode_security_struct *isec = inode_security_novalidate(inode);
- *secid = isec->sid;
+ secid->selinux = isec->sid;
}

static int selinux_inode_copy_up(struct dentry *src, struct cred **new)
{
- u32 sid;
+ struct secids sids;
struct task_security_struct *tsec;
struct cred *new_creds = *new;

@@ -3446,8 +3446,8 @@ static int selinux_inode_copy_up(struct dentry *src, struct cred **new)

tsec = selinux_cred(new_creds);
/* Get label from overlay inode and set it in create_sid */
- selinux_inode_getsecid(d_inode(src), &sid);
- tsec->create_sid = sid;
+ selinux_inode_getsecid(d_inode(src), &sids);
+ tsec->create_sid = sids.selinux;
*new = new_creds;
return 0;
}
@@ -3864,28 +3864,28 @@ static void selinux_cred_transfer(struct cred *new, const struct cred *old)
*tsec = *old_tsec;
}

-static void selinux_cred_getsecid(const struct cred *c, u32 *secid)
+static void selinux_cred_getsecid(const struct cred *c, struct secids *secid)
{
- *secid = cred_sid(c);
+ secid->selinux = cred_sid(c);
}

/*
* set the security data for a kernel service
* - all the creation contexts are set to unlabelled
*/
-static int selinux_kernel_act_as(struct cred *new, u32 secid)
+static int selinux_kernel_act_as(struct cred *new, struct secids *secid)
{
struct task_security_struct *tsec = selinux_cred(new);
u32 sid = current_sid();
int ret;

ret = avc_has_perm(&selinux_state,
- sid, secid,
+ sid, secid->selinux,
SECCLASS_KERNEL_SERVICE,
KERNEL_SERVICE__USE_AS_OVERRIDE,
NULL);
if (ret == 0) {
- tsec->sid = secid;
+ tsec->sid = secid->selinux;
tsec->create_sid = 0;
tsec->keycreate_sid = 0;
tsec->sockcreate_sid = 0;
@@ -3997,9 +3997,9 @@ static int selinux_task_getsid(struct task_struct *p)
PROCESS__GETSESSION, NULL);
}

-static void selinux_task_getsecid(struct task_struct *p, u32 *secid)
+static void selinux_task_getsecid(struct task_struct *p, struct secids *secid)
{
- *secid = task_sid(p);
+ secid->selinux = task_sid(p);
}

static int selinux_task_setnice(struct task_struct *p, int nice)
@@ -5024,7 +5024,9 @@ static int selinux_socket_getpeersec_stream(struct socket *sock,
return err;
}

-static int selinux_socket_getpeersec_dgram(struct socket *sock, struct sk_buff *skb, u32 *secid)
+static int selinux_socket_getpeersec_dgram(struct socket *sock,
+ struct sk_buff *skb,
+ struct secids *secid)
{
u32 peer_secid = SECSID_NULL;
u16 family;
@@ -5046,7 +5048,7 @@ static int selinux_socket_getpeersec_dgram(struct socket *sock, struct sk_buff *
selinux_skb_peerlbl_sid(skb, family, &peer_secid);

out:
- *secid = peer_secid;
+ secid->selinux = peer_secid;
if (peer_secid == SECSID_NULL)
return -EINVAL;
return 0;
@@ -5083,14 +5085,14 @@ static void selinux_sk_clone_security(const struct sock *sk, struct sock *newsk)
selinux_netlbl_sk_security_reset(newsksec);
}

-static void selinux_sk_getsecid(struct sock *sk, u32 *secid)
+static void selinux_sk_getsecid(struct sock *sk, struct secids *secid)
{
if (!sk)
- *secid = SECINITSID_ANY_SOCKET;
+ secid->selinux = SECINITSID_ANY_SOCKET;
else {
struct sk_security_struct *sksec = selinux_sock(sk);

- *secid = sksec->sid;
+ secid->selinux = sksec->sid;
}
}

@@ -5323,7 +5325,7 @@ static void selinux_inet_conn_established(struct sock *sk, struct sk_buff *skb)
selinux_skb_peerlbl_sid(skb, family, &sksec->peer_sid);
}

-static int selinux_secmark_relabel_packet(u32 sid)
+static int selinux_secmark_relabel_packet(struct secids *secid)
{
const struct task_security_struct *__tsec;
u32 tsid;
@@ -5332,8 +5334,8 @@ static int selinux_secmark_relabel_packet(u32 sid)
tsid = __tsec->sid;

return avc_has_perm(&selinux_state,
- tsid, sid, SECCLASS_PACKET, PACKET__RELABELTO,
- NULL);
+ tsid, secid->selinux, SECCLASS_PACKET,
+ PACKET__RELABELTO, NULL);
}

static void selinux_secmark_refcount_inc(void)
@@ -5349,7 +5351,7 @@ static void selinux_secmark_refcount_dec(void)
static void selinux_req_classify_flow(const struct request_sock *req,
struct flowi *fl)
{
- fl->flowi_secid = req->secid;
+ fl->flowi_secid.selinux = req->secid;
}

static int selinux_tun_dev_alloc_security(void **security)
@@ -6174,10 +6176,11 @@ static int selinux_ipc_permission(struct kern_ipc_perm *ipcp, short flag)
return ipc_has_perm(ipcp, av);
}

-static void selinux_ipc_getsecid(struct kern_ipc_perm *ipcp, u32 *secid)
+static void selinux_ipc_getsecid(struct kern_ipc_perm *ipcp,
+ struct secids *secid)
{
struct ipc_security_struct *isec = selinux_ipc(ipcp);
- *secid = isec->sid;
+ secid->selinux = isec->sid;
}

static void selinux_d_instantiate(struct dentry *dentry, struct inode *inode)
@@ -6383,16 +6386,18 @@ static int selinux_ismaclabel(const char *name)
return (strcmp(name, XATTR_SELINUX_SUFFIX) == 0);
}

-static int selinux_secid_to_secctx(u32 secid, char **secdata, u32 *seclen)
+static int selinux_secid_to_secctx(struct secids *secid, char **secdata,
+ u32 *seclen)
{
- return security_sid_to_context(&selinux_state, secid,
+ return security_sid_to_context(&selinux_state, secid->selinux,
secdata, seclen);
}

-static int selinux_secctx_to_secid(const char *secdata, u32 seclen, u32 *secid)
+static int selinux_secctx_to_secid(const char *secdata, u32 seclen,
+ struct secids *secid)
{
return security_context_to_sid(&selinux_state, secdata, seclen,
- secid, GFP_KERNEL);
+ &secid->selinux, GFP_KERNEL);
}

static void selinux_release_secctx(char *secdata, u32 seclen)
diff --git a/security/selinux/include/audit.h b/security/selinux/include/audit.h
index 1bdf973433cc..c9cadad5660e 100644
--- a/security/selinux/include/audit.h
+++ b/security/selinux/include/audit.h
@@ -51,7 +51,7 @@ void selinux_audit_rule_free(void *rule);
* Returns 1 if the context id matches the rule, 0 if it does not, and
* -errno on failure.
*/
-int selinux_audit_rule_match(u32 sid, u32 field, u32 op, void *rule,
+int selinux_audit_rule_match(struct secids *sid, u32 field, u32 op, void *rule,
struct audit_context *actx);

/**
diff --git a/security/selinux/include/xfrm.h b/security/selinux/include/xfrm.h
index a0b465316292..99bac3ccfebd 100644
--- a/security/selinux/include/xfrm.h
+++ b/security/selinux/include/xfrm.h
@@ -20,10 +20,12 @@ int selinux_xfrm_policy_delete(struct xfrm_sec_ctx *ctx);
int selinux_xfrm_state_alloc(struct xfrm_state *x,
struct xfrm_user_sec_ctx *uctx);
int selinux_xfrm_state_alloc_acquire(struct xfrm_state *x,
- struct xfrm_sec_ctx *polsec, u32 secid);
+ struct xfrm_sec_ctx *polsec,
+ const struct secids *secid);
void selinux_xfrm_state_free(struct xfrm_state *x);
int selinux_xfrm_state_delete(struct xfrm_state *x);
-int selinux_xfrm_policy_lookup(struct xfrm_sec_ctx *ctx, u32 fl_secid, u8 dir);
+int selinux_xfrm_policy_lookup(struct xfrm_sec_ctx *ctx,
+ struct secids *fl_secid, u8 dir);
int selinux_xfrm_state_pol_flow_match(struct xfrm_state *x,
struct xfrm_policy *xp,
const struct flowi *fl);
@@ -40,7 +42,8 @@ int selinux_xfrm_sock_rcv_skb(u32 sk_sid, struct sk_buff *skb,
struct common_audit_data *ad);
int selinux_xfrm_postroute_last(u32 sk_sid, struct sk_buff *skb,
struct common_audit_data *ad, u8 proto);
-int selinux_xfrm_decode_session(struct sk_buff *skb, u32 *sid, int ckall);
+int selinux_xfrm_decode_session(struct sk_buff *skb, struct secids *sid,
+ int ckall);
int selinux_xfrm_skb_sid(struct sk_buff *skb, u32 *sid);

static inline void selinux_xfrm_notify_policyload(void)
diff --git a/security/selinux/netlabel.c b/security/selinux/netlabel.c
index c40914a157b7..efc87a76af72 100644
--- a/security/selinux/netlabel.c
+++ b/security/selinux/netlabel.c
@@ -122,7 +122,7 @@ static struct netlbl_lsm_secattr *selinux_netlbl_sock_getattr(
return NULL;

if ((secattr->flags & NETLBL_SECATTR_SECID) &&
- (secattr->attr.secid == sid))
+ (secattr->attr.secid.selinux == sid))
return secattr;

return NULL;
diff --git a/security/selinux/ss/services.c b/security/selinux/ss/services.c
index 7f9c87b077f3..b79b5b2ddf59 100644
--- a/security/selinux/ss/services.c
+++ b/security/selinux/ss/services.c
@@ -3410,7 +3410,7 @@ int selinux_audit_rule_known(struct audit_krule *rule)
return 0;
}

-int selinux_audit_rule_match(u32 sid, u32 field, u32 op, void *vrule,
+int selinux_audit_rule_match(struct secids *sid, u32 field, u32 op, void *vrule,
struct audit_context *actx)
{
struct selinux_state *state = &selinux_state;
@@ -3431,10 +3431,10 @@ int selinux_audit_rule_match(u32 sid, u32 field, u32 op, void *vrule,
goto out;
}

- ctxt = sidtab_search(&state->ss->sidtab, sid);
+ ctxt = sidtab_search(&state->ss->sidtab, sid->selinux);
if (unlikely(!ctxt)) {
WARN_ONCE(1, "selinux_audit_rule_match: unrecognized SID %d\n",
- sid);
+ sid->selinux);
match = -ENOENT;
goto out;
}
@@ -3609,7 +3609,7 @@ int security_netlbl_secattr_to_sid(struct selinux_state *state,
if (secattr->flags & NETLBL_SECATTR_CACHE)
*sid = *(u32 *)secattr->cache->data;
else if (secattr->flags & NETLBL_SECATTR_SECID)
- *sid = secattr->attr.secid;
+ *sid = secattr->attr.secid.selinux;
else if (secattr->flags & NETLBL_SECATTR_MLS_LVL) {
rc = -EIDRM;
ctx = sidtab_search(sidtab, SECINITSID_NETMSG);
@@ -3682,7 +3682,7 @@ int security_netlbl_sid_to_secattr(struct selinux_state *state,
if (secattr->domain == NULL)
goto out;

- secattr->attr.secid = sid;
+ secattr->attr.secid.selinux = sid;
secattr->flags |= NETLBL_SECATTR_DOMAIN_CPY | NETLBL_SECATTR_SECID;
mls_export_netlbl_lvl(policydb, ctx, secattr);
rc = mls_export_netlbl_cat(policydb, ctx, secattr);
diff --git a/security/selinux/xfrm.c b/security/selinux/xfrm.c
index 8ffe7e1053c4..067dd8307a9b 100644
--- a/security/selinux/xfrm.c
+++ b/security/selinux/xfrm.c
@@ -153,7 +153,8 @@ static int selinux_xfrm_delete(struct xfrm_sec_ctx *ctx)
* LSM hook implementation that authorizes that a flow can use a xfrm policy
* rule.
*/
-int selinux_xfrm_policy_lookup(struct xfrm_sec_ctx *ctx, u32 fl_secid, u8 dir)
+int selinux_xfrm_policy_lookup(struct xfrm_sec_ctx *ctx,
+ struct secids *fl_secid, u8 dir)
{
int rc;

@@ -167,7 +168,7 @@ int selinux_xfrm_policy_lookup(struct xfrm_sec_ctx *ctx, u32 fl_secid, u8 dir)
return -EINVAL;

rc = avc_has_perm(&selinux_state,
- fl_secid, ctx->ctx_sid,
+ fl_secid->selinux, ctx->ctx_sid,
SECCLASS_ASSOCIATION, ASSOCIATION__POLMATCH, NULL);
return (rc == -EACCES ? -ESRCH : rc);
}
@@ -200,14 +201,14 @@ int selinux_xfrm_state_pol_flow_match(struct xfrm_state *x,

state_sid = x->security->ctx_sid;

- if (fl->flowi_secid != state_sid)
+ if (fl->flowi_secid.selinux != state_sid)
return 0;

/* We don't need a separate SA Vs. policy polmatch check since the SA
* is now of the same label as the flow and a flow Vs. policy polmatch
* check had already happened in selinux_xfrm_policy_lookup() above. */
return (avc_has_perm(&selinux_state,
- fl->flowi_secid, state_sid,
+ fl->flowi_secid.selinux, state_sid,
SECCLASS_ASSOCIATION, ASSOCIATION__SENDTO,
NULL) ? 0 : 1);
}
@@ -261,13 +262,14 @@ static int selinux_xfrm_skb_sid_ingress(struct sk_buff *skb,
* LSM hook implementation that checks and/or returns the xfrm sid for the
* incoming packet.
*/
-int selinux_xfrm_decode_session(struct sk_buff *skb, u32 *sid, int ckall)
+int selinux_xfrm_decode_session(struct sk_buff *skb, struct secids *sid,
+ int ckall)
{
if (skb == NULL) {
- *sid = SECSID_NULL;
+ sid->selinux = SECSID_NULL;
return 0;
}
- return selinux_xfrm_skb_sid_ingress(skb, sid, ckall);
+ return selinux_xfrm_skb_sid_ingress(skb, &sid->selinux, ckall);
}

int selinux_xfrm_skb_sid(struct sk_buff *skb, u32 *sid)
@@ -344,7 +346,8 @@ int selinux_xfrm_state_alloc(struct xfrm_state *x,
* on a secid.
*/
int selinux_xfrm_state_alloc_acquire(struct xfrm_state *x,
- struct xfrm_sec_ctx *polsec, u32 secid)
+ struct xfrm_sec_ctx *polsec,
+ const struct secids *secid)
{
int rc;
struct xfrm_sec_ctx *ctx;
@@ -354,10 +357,10 @@ int selinux_xfrm_state_alloc_acquire(struct xfrm_state *x,
if (!polsec)
return 0;

- if (secid == 0)
+ if (!secid_valid(secid))
return -EINVAL;

- rc = security_sid_to_context(&selinux_state, secid, &ctx_str,
+ rc = security_sid_to_context(&selinux_state, secid->selinux, &ctx_str,
&str_len);
if (rc)
return rc;
@@ -370,7 +373,7 @@ int selinux_xfrm_state_alloc_acquire(struct xfrm_state *x,

ctx->ctx_doi = XFRM_SC_DOI_LSM;
ctx->ctx_alg = XFRM_SC_ALG_SELINUX;
- ctx->ctx_sid = secid;
+ ctx->ctx_sid = secid->selinux;
ctx->ctx_len = str_len;
memcpy(ctx->ctx_str, ctx_str, str_len);

diff --git a/security/smack/smack_access.c b/security/smack/smack_access.c
index 489d49a20b47..1bbbd53de78b 100644
--- a/security/smack/smack_access.c
+++ b/security/smack/smack_access.c
@@ -550,7 +550,9 @@ struct smack_known *smk_import_entry(const char *string, int len)
skp->smk_secid = smack_next_secid++;
skp->smk_netlabel.domain = skp->smk_known;
skp->smk_netlabel.flags =
- NETLBL_SECATTR_DOMAIN | NETLBL_SECATTR_MLS_LVL;
+ NETLBL_SECATTR_DOMAIN | NETLBL_SECATTR_MLS_LVL |
+ NETLBL_SECATTR_SECID;
+ skp->smk_netlabel.attr.secid.smack = skp->smk_secid;
/*
* If direct labeling works use it.
* Otherwise use mapped labeling.
diff --git a/security/smack/smack_lsm.c b/security/smack/smack_lsm.c
index 2d1a3fba40eb..157c6a731305 100644
--- a/security/smack/smack_lsm.c
+++ b/security/smack/smack_lsm.c
@@ -1471,11 +1471,11 @@ static int smack_inode_listsecurity(struct inode *inode, char *buffer,
* @inode: inode to extract the info from
* @secid: where result will be saved
*/
-static void smack_inode_getsecid(struct inode *inode, u32 *secid)
+static void smack_inode_getsecid(struct inode *inode, struct secids *secid)
{
struct smack_known *skp = smk_of_inode(inode);

- *secid = skp->smk_secid;
+ secid->smack = skp->smk_secid;
}

/*
@@ -1941,12 +1941,15 @@ static void smack_cred_transfer(struct cred *new, const struct cred *old)
struct task_smack *old_tsp = smack_cred(old);
struct task_smack *new_tsp = smack_cred(new);

- new_tsp->smk_task = old_tsp->smk_task;
- new_tsp->smk_forked = old_tsp->smk_task;
- mutex_init(&new_tsp->smk_rules_lock);
- INIT_LIST_HEAD(&new_tsp->smk_rules);
+ int rc;
+
+ init_task_smack(new_tsp, old_tsp->smk_task, old_tsp->smk_task);

- /* cbs copy rule list */
+ rc = smk_copy_rules(&new_tsp->smk_rules, &old_tsp->smk_rules,
+ GFP_KERNEL);
+ if (rc == 0)
+ rc = smk_copy_relabel(&new_tsp->smk_relabel,
+ &old_tsp->smk_relabel, GFP_KERNEL);
}

/**
@@ -1956,13 +1959,13 @@ static void smack_cred_transfer(struct cred *new, const struct cred *old)
*
* Sets the secid to contain a u32 version of the smack label.
*/
-static void smack_cred_getsecid(const struct cred *cred, u32 *secid)
+static void smack_cred_getsecid(const struct cred *cred, struct secids *secid)
{
struct smack_known *skp;

rcu_read_lock();
skp = smk_of_task(smack_cred(cred));
- *secid = skp->smk_secid;
+ secid->smack = skp->smk_secid;
rcu_read_unlock();
}

@@ -1973,11 +1976,11 @@ static void smack_cred_getsecid(const struct cred *cred, u32 *secid)
*
* Set the security data for a kernel service.
*/
-static int smack_kernel_act_as(struct cred *new, u32 secid)
+static int smack_kernel_act_as(struct cred *new, struct secids *secid)
{
struct task_smack *new_tsp = smack_cred(new);

- new_tsp->smk_task = smack_from_secid(secid);
+ new_tsp->smk_task = smack_from_secid(secid->smack);
return 0;
}

@@ -2063,11 +2066,11 @@ static int smack_task_getsid(struct task_struct *p)
*
* Sets the secid to contain a u32 version of the smack label.
*/
-static void smack_task_getsecid(struct task_struct *p, u32 *secid)
+static void smack_task_getsecid(struct task_struct *p, struct secids *secid)
{
struct smack_known *skp = smk_of_task_struct(p);

- *secid = skp->smk_secid;
+ secid->smack = skp->smk_secid;
}

/**
@@ -3206,12 +3209,12 @@ static int smack_ipc_permission(struct kern_ipc_perm *ipp, short flag)
* @ipp: the object permissions
* @secid: where result will be saved
*/
-static void smack_ipc_getsecid(struct kern_ipc_perm *ipp, u32 *secid)
+static void smack_ipc_getsecid(struct kern_ipc_perm *ipp, struct secids *secid)
{
struct smack_known **blob = smack_ipc(ipp);
struct smack_known *iskp = *blob;

- *secid = iskp->smk_secid;
+ secid->smack = iskp->smk_secid;
}

/**
@@ -3724,7 +3727,7 @@ static struct smack_known *smack_from_secattr(struct netlbl_lsm_secattr *sap,
/*
* Looks like a fallback, which gives us a secid.
*/
- return smack_from_secid(sap->attr.secid);
+ return smack_from_secid(sap->attr.secid.smack);
/*
* Without guidance regarding the smack value
* for the packet fall back on the network
@@ -3857,7 +3860,7 @@ static int smack_socket_sock_rcv_skb(struct sock *sk, struct sk_buff *skb)
if (proto != IPPROTO_UDP && proto != IPPROTO_TCP)
break;
#ifdef SMACK_IPV6_SECMARK_LABELING
- if (skb && skb->secmark != 0)
+ if (skb)
skp = smack_from_secid(skb->secmark);
else
skp = smack_ipv6host_label(&sadd);
@@ -3928,7 +3931,8 @@ static int smack_socket_getpeersec_stream(struct socket *sock,
* Sets the netlabel socket state on sk from parent
*/
static int smack_socket_getpeersec_dgram(struct socket *sock,
- struct sk_buff *skb, u32 *secid)
+ struct sk_buff *skb,
+ struct secids *secid)

{
struct netlbl_lsm_secattr secattr;
@@ -3956,9 +3960,11 @@ static int smack_socket_getpeersec_dgram(struct socket *sock,
break;
case PF_INET:
#ifdef CONFIG_SECURITY_SMACK_NETFILTER
- s = skb->secmark;
- if (s != 0)
- break;
+ if (skb->secmark) {
+ s = skb->secmark;
+ if (s != 0)
+ break;
+ }
#endif
/*
* Translate what netlabel gave us.
@@ -3979,7 +3985,7 @@ static int smack_socket_getpeersec_dgram(struct socket *sock,
#endif
break;
}
- *secid = s;
+ secid->smack = s;
if (s == 0)
return -EINVAL;
return 0;
@@ -4053,9 +4059,11 @@ static int smack_inet_conn_request(struct sock *sk, struct sk_buff *skb,
* If there is no secmark fall back to CIPSO.
* The secmark is assumed to reflect policy better.
*/
- if (skb && skb->secmark != 0) {
- skp = smack_from_secid(skb->secmark);
- goto access_check;
+ if (skb) {
+ if (skb->secmark != 0) {
+ skp = smack_from_secid(skb->secmark);
+ goto access_check;
+ }
}
#endif /* CONFIG_SECURITY_SMACK_NETFILTER */

@@ -4326,8 +4334,8 @@ static int smack_audit_rule_known(struct audit_krule *krule)
* The core Audit hook. It's used to take the decision of
* whether to audit or not to audit a given object.
*/
-static int smack_audit_rule_match(u32 secid, u32 field, u32 op, void *vrule,
- struct audit_context *actx)
+static int smack_audit_rule_match(struct secids *secid, u32 field, u32 op,
+ void *vrule, struct audit_context *actx)
{
struct smack_known *skp;
char *rule = vrule;
@@ -4340,7 +4348,7 @@ static int smack_audit_rule_match(u32 secid, u32 field, u32 op, void *vrule,
if (field != AUDIT_SUBJ_USER && field != AUDIT_OBJ_USER)
return 0;

- skp = smack_from_secid(secid);
+ skp = smack_from_secid(secid->smack);

/*
* No need to do string comparisons. If a match occurs,
@@ -4380,9 +4388,10 @@ static int smack_ismaclabel(const char *name)
*
* Exists for networking code.
*/
-static int smack_secid_to_secctx(u32 secid, char **secdata, u32 *seclen)
+static int smack_secid_to_secctx(struct secids *secid, char **secdata,
+ u32 *seclen)
{
- struct smack_known *skp = smack_from_secid(secid);
+ struct smack_known *skp = smack_from_secid(secid->smack);

if (secdata)
*secdata = skp->smk_known;
@@ -4398,14 +4407,15 @@ static int smack_secid_to_secctx(u32 secid, char **secdata, u32 *seclen)
*
* Exists for audit and networking code.
*/
-static int smack_secctx_to_secid(const char *secdata, u32 seclen, u32 *secid)
+static int smack_secctx_to_secid(const char *secdata, u32 seclen,
+ struct secids *secid)
{
struct smack_known *skp = smk_find_entry(secdata);

if (skp)
- *secid = skp->smk_secid;
+ secid->smack = skp->smk_secid;
else
- *secid = 0;
+ secid->smack = 0;
return 0;
}

diff --git a/security/smack/smackfs.c b/security/smack/smackfs.c
index 9d2dde608298..0a075c80abb4 100644
--- a/security/smack/smackfs.c
+++ b/security/smack/smackfs.c
@@ -197,7 +197,7 @@ static void smk_netlabel_audit_set(struct netlbl_audit *nap)

nap->loginuid = audit_get_loginuid(current);
nap->sessionid = audit_get_sessionid(current);
- nap->secid = skp->smk_secid;
+ nap->secid.smack = skp->smk_secid;
}

/*
@@ -1165,6 +1165,7 @@ static ssize_t smk_write_net4addr(struct file *file, const char __user *buf,
u32 mask_bits = (1<<31);
__be32 nsa;
u32 temp_mask;
+ struct secids secid;

/*
* Must have privilege.
@@ -1281,10 +1282,13 @@ static ssize_t smk_write_net4addr(struct file *file, const char __user *buf,
* this host so that incoming packets get labeled.
* but only if we didn't get the special CIPSO option
*/
- if (rc == 0 && skp != NULL)
+ if (rc == 0 && skp != NULL) {
+ secid_init(&secid);
+ secid.smack = snp->smk_label->smk_secid;
rc = netlbl_cfg_unlbl_static_add(&init_net, NULL,
&snp->smk_host, &snp->smk_mask, PF_INET,
- snp->smk_label->smk_secid, &audit_info);
+ &secid, &audit_info);
+ }

if (rc == 0)
rc = count;
@@ -2951,7 +2955,9 @@ static int __init smk_preset_netlabel(struct smack_known *skp)
{
skp->smk_netlabel.domain = skp->smk_known;
skp->smk_netlabel.flags =
- NETLBL_SECATTR_DOMAIN | NETLBL_SECATTR_MLS_LVL;
+ NETLBL_SECATTR_DOMAIN | NETLBL_SECATTR_MLS_LVL |
+ NETLBL_SECATTR_SECID;
+ skp->smk_netlabel.attr.secid.smack = skp->smk_secid;
return smk_netlbl_mls(smack_cipso_direct, skp->smk_known,
&skp->smk_netlabel, strlen(skp->smk_known));
}
--
2.17.1