Smack: Abstract use of cred security blob

Don't use the cred->security pointer directly.
Provide a helper function that provides the security blob pointer.

Signed-off-by: Casey Schaufler <casey@schaufler-ca.com>
Reviewed-by: Kees Cook <keescook@chromium.org>
[kees: adjusted for ordered init series]
Signed-off-by: Kees Cook <keescook@chromium.org>
This commit is contained in:
Casey Schaufler 2018-11-09 16:12:56 -08:00 committed by Kees Cook
parent 6d9c939dbe
commit b17103a8b8
4 changed files with 53 additions and 43 deletions

View File

@ -356,6 +356,11 @@ extern struct list_head smack_onlycap_list;
#define SMACK_HASH_SLOTS 16 #define SMACK_HASH_SLOTS 16
extern struct hlist_head smack_known_hash[SMACK_HASH_SLOTS]; extern struct hlist_head smack_known_hash[SMACK_HASH_SLOTS];
static inline struct task_smack *smack_cred(const struct cred *cred)
{
return cred->security;
}
/* /*
* Is the directory transmuting? * Is the directory transmuting?
*/ */
@ -382,13 +387,19 @@ static inline struct smack_known *smk_of_task(const struct task_smack *tsp)
return tsp->smk_task; return tsp->smk_task;
} }
static inline struct smack_known *smk_of_task_struct(const struct task_struct *t) static inline struct smack_known *smk_of_task_struct(
const struct task_struct *t)
{ {
struct smack_known *skp; struct smack_known *skp;
const struct cred *cred;
rcu_read_lock(); rcu_read_lock();
skp = smk_of_task(__task_cred(t)->security);
cred = __task_cred(t);
skp = smk_of_task(smack_cred(cred));
rcu_read_unlock(); rcu_read_unlock();
return skp; return skp;
} }
@ -405,7 +416,7 @@ static inline struct smack_known *smk_of_forked(const struct task_smack *tsp)
*/ */
static inline struct smack_known *smk_of_current(void) static inline struct smack_known *smk_of_current(void)
{ {
return smk_of_task(current_security()); return smk_of_task(smack_cred(current_cred()));
} }
/* /*

View File

@ -275,7 +275,7 @@ out_audit:
int smk_curacc(struct smack_known *obj_known, int smk_curacc(struct smack_known *obj_known,
u32 mode, struct smk_audit_info *a) u32 mode, struct smk_audit_info *a)
{ {
struct task_smack *tsp = current_security(); struct task_smack *tsp = smack_cred(current_cred());
return smk_tskacc(tsp, obj_known, mode, a); return smk_tskacc(tsp, obj_known, mode, a);
} }
@ -635,7 +635,7 @@ DEFINE_MUTEX(smack_onlycap_lock);
*/ */
bool smack_privileged_cred(int cap, const struct cred *cred) bool smack_privileged_cred(int cap, const struct cred *cred)
{ {
struct task_smack *tsp = cred->security; struct task_smack *tsp = smack_cred(cred);
struct smack_known *skp = tsp->smk_task; struct smack_known *skp = tsp->smk_task;
struct smack_known_list_elem *sklep; struct smack_known_list_elem *sklep;
int rc; int rc;

View File

@ -139,7 +139,7 @@ static int smk_bu_note(char *note, struct smack_known *sskp,
static int smk_bu_current(char *note, struct smack_known *oskp, static int smk_bu_current(char *note, struct smack_known *oskp,
int mode, int rc) int mode, int rc)
{ {
struct task_smack *tsp = current_security(); struct task_smack *tsp = smack_cred(current_cred());
char acc[SMK_NUM_ACCESS_TYPE + 1]; char acc[SMK_NUM_ACCESS_TYPE + 1];
if (rc <= 0) if (rc <= 0)
@ -160,7 +160,7 @@ static int smk_bu_current(char *note, struct smack_known *oskp,
#ifdef CONFIG_SECURITY_SMACK_BRINGUP #ifdef CONFIG_SECURITY_SMACK_BRINGUP
static int smk_bu_task(struct task_struct *otp, int mode, int rc) static int smk_bu_task(struct task_struct *otp, int mode, int rc)
{ {
struct task_smack *tsp = current_security(); struct task_smack *tsp = smack_cred(current_cred());
struct smack_known *smk_task = smk_of_task_struct(otp); struct smack_known *smk_task = smk_of_task_struct(otp);
char acc[SMK_NUM_ACCESS_TYPE + 1]; char acc[SMK_NUM_ACCESS_TYPE + 1];
@ -182,7 +182,7 @@ static int smk_bu_task(struct task_struct *otp, int mode, int rc)
#ifdef CONFIG_SECURITY_SMACK_BRINGUP #ifdef CONFIG_SECURITY_SMACK_BRINGUP
static int smk_bu_inode(struct inode *inode, int mode, int rc) static int smk_bu_inode(struct inode *inode, int mode, int rc)
{ {
struct task_smack *tsp = current_security(); struct task_smack *tsp = smack_cred(current_cred());
struct inode_smack *isp = inode->i_security; struct inode_smack *isp = inode->i_security;
char acc[SMK_NUM_ACCESS_TYPE + 1]; char acc[SMK_NUM_ACCESS_TYPE + 1];
@ -212,7 +212,7 @@ static int smk_bu_inode(struct inode *inode, int mode, int rc)
#ifdef CONFIG_SECURITY_SMACK_BRINGUP #ifdef CONFIG_SECURITY_SMACK_BRINGUP
static int smk_bu_file(struct file *file, int mode, int rc) static int smk_bu_file(struct file *file, int mode, int rc)
{ {
struct task_smack *tsp = current_security(); struct task_smack *tsp = smack_cred(current_cred());
struct smack_known *sskp = tsp->smk_task; struct smack_known *sskp = tsp->smk_task;
struct inode *inode = file_inode(file); struct inode *inode = file_inode(file);
struct inode_smack *isp = inode->i_security; struct inode_smack *isp = inode->i_security;
@ -242,7 +242,7 @@ static int smk_bu_file(struct file *file, int mode, int rc)
static int smk_bu_credfile(const struct cred *cred, struct file *file, static int smk_bu_credfile(const struct cred *cred, struct file *file,
int mode, int rc) int mode, int rc)
{ {
struct task_smack *tsp = cred->security; struct task_smack *tsp = smack_cred(cred);
struct smack_known *sskp = tsp->smk_task; struct smack_known *sskp = tsp->smk_task;
struct inode *inode = file_inode(file); struct inode *inode = file_inode(file);
struct inode_smack *isp = inode->i_security; struct inode_smack *isp = inode->i_security;
@ -448,7 +448,7 @@ static int smk_ptrace_rule_check(struct task_struct *tracer,
rcu_read_lock(); rcu_read_lock();
tracercred = __task_cred(tracer); tracercred = __task_cred(tracer);
tsp = tracercred->security; tsp = smack_cred(tracercred);
tracer_known = smk_of_task(tsp); tracer_known = smk_of_task(tsp);
if ((mode & PTRACE_MODE_ATTACH) && if ((mode & PTRACE_MODE_ATTACH) &&
@ -515,7 +515,7 @@ static int smack_ptrace_traceme(struct task_struct *ptp)
int rc; int rc;
struct smack_known *skp; struct smack_known *skp;
skp = smk_of_task(current_security()); skp = smk_of_task(smack_cred(current_cred()));
rc = smk_ptrace_rule_check(ptp, skp, PTRACE_MODE_ATTACH, __func__); rc = smk_ptrace_rule_check(ptp, skp, PTRACE_MODE_ATTACH, __func__);
return rc; return rc;
@ -831,7 +831,7 @@ static int smack_sb_statfs(struct dentry *dentry)
static int smack_bprm_set_creds(struct linux_binprm *bprm) static int smack_bprm_set_creds(struct linux_binprm *bprm)
{ {
struct inode *inode = file_inode(bprm->file); struct inode *inode = file_inode(bprm->file);
struct task_smack *bsp = bprm->cred->security; struct task_smack *bsp = smack_cred(bprm->cred);
struct inode_smack *isp; struct inode_smack *isp;
struct superblock_smack *sbsp; struct superblock_smack *sbsp;
int rc; int rc;
@ -1662,7 +1662,7 @@ static int smack_mmap_file(struct file *file,
return -EACCES; return -EACCES;
mkp = isp->smk_mmap; mkp = isp->smk_mmap;
tsp = current_security(); tsp = smack_cred(current_cred());
skp = smk_of_current(); skp = smk_of_current();
rc = 0; rc = 0;
@ -1758,7 +1758,7 @@ static int smack_file_send_sigiotask(struct task_struct *tsk,
struct fown_struct *fown, int signum) struct fown_struct *fown, int signum)
{ {
struct smack_known *skp; struct smack_known *skp;
struct smack_known *tkp = smk_of_task(tsk->cred->security); struct smack_known *tkp = smk_of_task(smack_cred(tsk->cred));
const struct cred *tcred; const struct cred *tcred;
struct file *file; struct file *file;
int rc; int rc;
@ -1811,7 +1811,7 @@ static int smack_file_receive(struct file *file)
if (inode->i_sb->s_magic == SOCKFS_MAGIC) { if (inode->i_sb->s_magic == SOCKFS_MAGIC) {
sock = SOCKET_I(inode); sock = SOCKET_I(inode);
ssp = sock->sk->sk_security; ssp = sock->sk->sk_security;
tsp = current_security(); tsp = smack_cred(current_cred());
/* /*
* If the receiving process can't write to the * If the receiving process can't write to the
* passed socket or if the passed socket can't * passed socket or if the passed socket can't
@ -1853,7 +1853,7 @@ static int smack_file_receive(struct file *file)
*/ */
static int smack_file_open(struct file *file) static int smack_file_open(struct file *file)
{ {
struct task_smack *tsp = file->f_cred->security; struct task_smack *tsp = smack_cred(file->f_cred);
struct inode *inode = file_inode(file); struct inode *inode = file_inode(file);
struct smk_audit_info ad; struct smk_audit_info ad;
int rc; int rc;
@ -1900,7 +1900,7 @@ static int smack_cred_alloc_blank(struct cred *cred, gfp_t gfp)
*/ */
static void smack_cred_free(struct cred *cred) static void smack_cred_free(struct cred *cred)
{ {
struct task_smack *tsp = cred->security; struct task_smack *tsp = smack_cred(cred);
struct smack_rule *rp; struct smack_rule *rp;
struct list_head *l; struct list_head *l;
struct list_head *n; struct list_head *n;
@ -1930,7 +1930,7 @@ static void smack_cred_free(struct cred *cred)
static int smack_cred_prepare(struct cred *new, const struct cred *old, static int smack_cred_prepare(struct cred *new, const struct cred *old,
gfp_t gfp) gfp_t gfp)
{ {
struct task_smack *old_tsp = old->security; struct task_smack *old_tsp = smack_cred(old);
struct task_smack *new_tsp; struct task_smack *new_tsp;
int rc; int rc;
@ -1961,15 +1961,14 @@ static int smack_cred_prepare(struct cred *new, const struct cred *old,
*/ */
static void smack_cred_transfer(struct cred *new, const struct cred *old) static void smack_cred_transfer(struct cred *new, const struct cred *old)
{ {
struct task_smack *old_tsp = old->security; struct task_smack *old_tsp = smack_cred(old);
struct task_smack *new_tsp = new->security; struct task_smack *new_tsp = smack_cred(new);
new_tsp->smk_task = old_tsp->smk_task; new_tsp->smk_task = old_tsp->smk_task;
new_tsp->smk_forked = old_tsp->smk_task; new_tsp->smk_forked = old_tsp->smk_task;
mutex_init(&new_tsp->smk_rules_lock); mutex_init(&new_tsp->smk_rules_lock);
INIT_LIST_HEAD(&new_tsp->smk_rules); INIT_LIST_HEAD(&new_tsp->smk_rules);
/* cbs copy rule list */ /* cbs copy rule list */
} }
@ -1980,12 +1979,12 @@ static void smack_cred_transfer(struct cred *new, const struct cred *old)
* *
* Sets the secid to contain a u32 version of the smack label. * Sets the secid to contain a u32 version of the smack label.
*/ */
static void smack_cred_getsecid(const struct cred *c, u32 *secid) static void smack_cred_getsecid(const struct cred *cred, u32 *secid)
{ {
struct smack_known *skp; struct smack_known *skp;
rcu_read_lock(); rcu_read_lock();
skp = smk_of_task(c->security); skp = smk_of_task(smack_cred(cred));
*secid = skp->smk_secid; *secid = skp->smk_secid;
rcu_read_unlock(); rcu_read_unlock();
} }
@ -1999,7 +1998,7 @@ static void smack_cred_getsecid(const struct cred *c, u32 *secid)
*/ */
static int smack_kernel_act_as(struct cred *new, u32 secid) static int smack_kernel_act_as(struct cred *new, u32 secid)
{ {
struct task_smack *new_tsp = new->security; struct task_smack *new_tsp = smack_cred(new);
new_tsp->smk_task = smack_from_secid(secid); new_tsp->smk_task = smack_from_secid(secid);
return 0; return 0;
@ -2017,7 +2016,7 @@ static int smack_kernel_create_files_as(struct cred *new,
struct inode *inode) struct inode *inode)
{ {
struct inode_smack *isp = inode->i_security; struct inode_smack *isp = inode->i_security;
struct task_smack *tsp = new->security; struct task_smack *tsp = smack_cred(new);
tsp->smk_forked = isp->smk_inode; tsp->smk_forked = isp->smk_inode;
tsp->smk_task = tsp->smk_forked; tsp->smk_task = tsp->smk_forked;
@ -2201,7 +2200,7 @@ static int smack_task_kill(struct task_struct *p, struct kernel_siginfo *info,
* specific behavior. This is not clean. For one thing * specific behavior. This is not clean. For one thing
* we can't take privilege into account. * we can't take privilege into account.
*/ */
skp = smk_of_task(cred->security); skp = smk_of_task(smack_cred(cred));
rc = smk_access(skp, tkp, MAY_DELIVER, &ad); rc = smk_access(skp, tkp, MAY_DELIVER, &ad);
rc = smk_bu_note("USB signal", skp, tkp, MAY_DELIVER, rc); rc = smk_bu_note("USB signal", skp, tkp, MAY_DELIVER, rc);
return rc; return rc;
@ -3528,7 +3527,7 @@ static int smack_getprocattr(struct task_struct *p, char *name, char **value)
*/ */
static int smack_setprocattr(const char *name, void *value, size_t size) static int smack_setprocattr(const char *name, void *value, size_t size)
{ {
struct task_smack *tsp = current_security(); struct task_smack *tsp = smack_cred(current_cred());
struct cred *new; struct cred *new;
struct smack_known *skp; struct smack_known *skp;
struct smack_known_list_elem *sklep; struct smack_known_list_elem *sklep;
@ -3569,7 +3568,7 @@ static int smack_setprocattr(const char *name, void *value, size_t size)
if (new == NULL) if (new == NULL)
return -ENOMEM; return -ENOMEM;
tsp = new->security; tsp = smack_cred(new);
tsp->smk_task = skp; tsp->smk_task = skp;
/* /*
* process can change its label only once * process can change its label only once
@ -4214,7 +4213,7 @@ static void smack_inet_csk_clone(struct sock *sk,
static int smack_key_alloc(struct key *key, const struct cred *cred, static int smack_key_alloc(struct key *key, const struct cred *cred,
unsigned long flags) unsigned long flags)
{ {
struct smack_known *skp = smk_of_task(cred->security); struct smack_known *skp = smk_of_task(smack_cred(cred));
key->security = skp; key->security = skp;
return 0; return 0;
@ -4245,7 +4244,7 @@ static int smack_key_permission(key_ref_t key_ref,
{ {
struct key *keyp; struct key *keyp;
struct smk_audit_info ad; struct smk_audit_info ad;
struct smack_known *tkp = smk_of_task(cred->security); struct smack_known *tkp = smk_of_task(smack_cred(cred));
int request = 0; int request = 0;
int rc; int rc;
@ -4520,7 +4519,7 @@ static int smack_inode_copy_up(struct dentry *dentry, struct cred **new)
return -ENOMEM; return -ENOMEM;
} }
tsp = new_creds->security; tsp = smack_cred(new_creds);
/* /*
* Get label from overlay inode and set it in create_sid * Get label from overlay inode and set it in create_sid
@ -4548,8 +4547,8 @@ static int smack_dentry_create_files_as(struct dentry *dentry, int mode,
const struct cred *old, const struct cred *old,
struct cred *new) struct cred *new)
{ {
struct task_smack *otsp = old->security; struct task_smack *otsp = smack_cred(old);
struct task_smack *ntsp = new->security; struct task_smack *ntsp = smack_cred(new);
struct inode_smack *isp; struct inode_smack *isp;
int may; int may;

View File

@ -2208,14 +2208,14 @@ static const struct file_operations smk_logging_ops = {
static void *load_self_seq_start(struct seq_file *s, loff_t *pos) static void *load_self_seq_start(struct seq_file *s, loff_t *pos)
{ {
struct task_smack *tsp = current_security(); struct task_smack *tsp = smack_cred(current_cred());
return smk_seq_start(s, pos, &tsp->smk_rules); return smk_seq_start(s, pos, &tsp->smk_rules);
} }
static void *load_self_seq_next(struct seq_file *s, void *v, loff_t *pos) static void *load_self_seq_next(struct seq_file *s, void *v, loff_t *pos)
{ {
struct task_smack *tsp = current_security(); struct task_smack *tsp = smack_cred(current_cred());
return smk_seq_next(s, v, pos, &tsp->smk_rules); return smk_seq_next(s, v, pos, &tsp->smk_rules);
} }
@ -2262,7 +2262,7 @@ static int smk_open_load_self(struct inode *inode, struct file *file)
static ssize_t smk_write_load_self(struct file *file, const char __user *buf, static ssize_t smk_write_load_self(struct file *file, const char __user *buf,
size_t count, loff_t *ppos) size_t count, loff_t *ppos)
{ {
struct task_smack *tsp = current_security(); struct task_smack *tsp = smack_cred(current_cred());
return smk_write_rules_list(file, buf, count, ppos, &tsp->smk_rules, return smk_write_rules_list(file, buf, count, ppos, &tsp->smk_rules,
&tsp->smk_rules_lock, SMK_FIXED24_FMT); &tsp->smk_rules_lock, SMK_FIXED24_FMT);
@ -2414,14 +2414,14 @@ static const struct file_operations smk_load2_ops = {
static void *load_self2_seq_start(struct seq_file *s, loff_t *pos) static void *load_self2_seq_start(struct seq_file *s, loff_t *pos)
{ {
struct task_smack *tsp = current_security(); struct task_smack *tsp = smack_cred(current_cred());
return smk_seq_start(s, pos, &tsp->smk_rules); return smk_seq_start(s, pos, &tsp->smk_rules);
} }
static void *load_self2_seq_next(struct seq_file *s, void *v, loff_t *pos) static void *load_self2_seq_next(struct seq_file *s, void *v, loff_t *pos)
{ {
struct task_smack *tsp = current_security(); struct task_smack *tsp = smack_cred(current_cred());
return smk_seq_next(s, v, pos, &tsp->smk_rules); return smk_seq_next(s, v, pos, &tsp->smk_rules);
} }
@ -2467,7 +2467,7 @@ static int smk_open_load_self2(struct inode *inode, struct file *file)
static ssize_t smk_write_load_self2(struct file *file, const char __user *buf, static ssize_t smk_write_load_self2(struct file *file, const char __user *buf,
size_t count, loff_t *ppos) size_t count, loff_t *ppos)
{ {
struct task_smack *tsp = current_security(); struct task_smack *tsp = smack_cred(current_cred());
return smk_write_rules_list(file, buf, count, ppos, &tsp->smk_rules, return smk_write_rules_list(file, buf, count, ppos, &tsp->smk_rules,
&tsp->smk_rules_lock, SMK_LONG_FMT); &tsp->smk_rules_lock, SMK_LONG_FMT);
@ -2681,14 +2681,14 @@ static const struct file_operations smk_syslog_ops = {
static void *relabel_self_seq_start(struct seq_file *s, loff_t *pos) static void *relabel_self_seq_start(struct seq_file *s, loff_t *pos)
{ {
struct task_smack *tsp = current_security(); struct task_smack *tsp = smack_cred(current_cred());
return smk_seq_start(s, pos, &tsp->smk_relabel); return smk_seq_start(s, pos, &tsp->smk_relabel);
} }
static void *relabel_self_seq_next(struct seq_file *s, void *v, loff_t *pos) static void *relabel_self_seq_next(struct seq_file *s, void *v, loff_t *pos)
{ {
struct task_smack *tsp = current_security(); struct task_smack *tsp = smack_cred(current_cred());
return smk_seq_next(s, v, pos, &tsp->smk_relabel); return smk_seq_next(s, v, pos, &tsp->smk_relabel);
} }
@ -2736,7 +2736,7 @@ static int smk_open_relabel_self(struct inode *inode, struct file *file)
static ssize_t smk_write_relabel_self(struct file *file, const char __user *buf, static ssize_t smk_write_relabel_self(struct file *file, const char __user *buf,
size_t count, loff_t *ppos) size_t count, loff_t *ppos)
{ {
struct task_smack *tsp = current_security(); struct task_smack *tsp = smack_cred(current_cred());
char *data; char *data;
int rc; int rc;
LIST_HEAD(list_tmp); LIST_HEAD(list_tmp);