hollalinux
/
linux-sg2042
mirror of https://github.com/sophgo/linux-riscv.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

SELinux: Abstract use of file security blob 

Don't use the file->f_security pointer directly.
Provide a helper function that provides the security blob pointer.

Signed-off-by: Casey Schaufler <casey@schaufler-ca.com>
Reviewed-by: Kees Cook <keescook@chromium.org>
Signed-off-by: Kees Cook <keescook@chromium.org>
This commit is contained in:
Casey Schaufler 2018-09-21 17:22:32 -07:00 committed by Kees Cook
parent bbd3662a83
commit bb6c6b02cc
2 changed files with 14 additions and 9 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

18
security/selinux/hooks.c
View File

@ -394,7 +394,7 @@ static int file_alloc_security(struct file *file)
static void file_free_security(struct file *file) static void file_free_security(struct file *file)
{ {
struct file_security_struct *fsec = file->f_security; struct file_security_struct *fsec = selinux_file(file);
file->f_security = NULL; file->f_security = NULL;
kmem_cache_free(file_security_cache, fsec); kmem_cache_free(file_security_cache, fsec);
} }
@ -1733,7 +1733,7 @@ static int file_has_perm(const struct cred *cred,
struct file *file, struct file *file,
u32 av) u32 av)
{ {
struct file_security_struct *fsec = file->f_security; struct file_security_struct *fsec = selinux_file(file);
struct inode *inode = file_inode(file); struct inode *inode = file_inode(file);
struct common_audit_data ad; struct common_audit_data ad;
u32 sid = cred_sid(cred); u32 sid = cred_sid(cred);
@ -2077,7 +2077,7 @@ static int selinux_binder_transfer_file(struct task_struct *from,
struct file *file) struct file *file)
{ {
u32 sid = task_sid(to); u32 sid = task_sid(to);
struct file_security_struct *fsec = file->f_security; struct file_security_struct *fsec = selinux_file(file);
struct dentry *dentry = file->f_path.dentry; struct dentry *dentry = file->f_path.dentry;
struct inode_security_struct *isec; struct inode_security_struct *isec;
struct common_audit_data ad; struct common_audit_data ad;
@ -3323,7 +3323,7 @@ static int selinux_revalidate_file_permission(struct file *file, int mask)
static int selinux_file_permission(struct file *file, int mask) static int selinux_file_permission(struct file *file, int mask)
{ {
struct inode *inode = file_inode(file); struct inode *inode = file_inode(file);
struct file_security_struct *fsec = file->f_security; struct file_security_struct *fsec = selinux_file(file);
struct inode_security_struct *isec; struct inode_security_struct *isec;
u32 sid = current_sid(); u32 sid = current_sid();
@ -3358,7 +3358,7 @@ static int ioctl_has_perm(const struct cred *cred, struct file *file,
u32 requested, u16 cmd) u32 requested, u16 cmd)
{ {
struct common_audit_data ad; struct common_audit_data ad;
struct file_security_struct *fsec = file->f_security; struct file_security_struct *fsec = selinux_file(file);
struct inode *inode = file_inode(file); struct inode *inode = file_inode(file);
struct inode_security_struct *isec; struct inode_security_struct *isec;
struct lsm_ioctlop_audit ioctl; struct lsm_ioctlop_audit ioctl;
@ -3610,7 +3610,7 @@ static void selinux_file_set_fowner(struct file *file)
{ {
struct file_security_struct *fsec; struct file_security_struct *fsec;
fsec = file->f_security; fsec = selinux_file(file);
fsec->fown_sid = current_sid(); fsec->fown_sid = current_sid();
} }
@ -3625,7 +3625,7 @@ static int selinux_file_send_sigiotask(struct task_struct *tsk,
/* struct fown_struct is never outside the context of a struct file */ /* struct fown_struct is never outside the context of a struct file */
file = container_of(fown, struct file, f_owner); file = container_of(fown, struct file, f_owner);
fsec = file->f_security; fsec = selinux_file(file);
if (!signum) if (!signum)
perm = signal_to_av(SIGIO); /* as per send_sigio_to_task */ perm = signal_to_av(SIGIO); /* as per send_sigio_to_task */
@ -3649,7 +3649,7 @@ static int selinux_file_open(struct file *file)
struct file_security_struct *fsec; struct file_security_struct *fsec;
struct inode_security_struct *isec; struct inode_security_struct *isec;
fsec = file->f_security; fsec = selinux_file(file);
isec = inode_security(file_inode(file)); isec = inode_security(file_inode(file));
/* /*
* Save inode label and policy sequence number * Save inode label and policy sequence number
@ -3788,7 +3788,7 @@ static int selinux_kernel_module_from_file(struct file *file)
ad.type = LSM_AUDIT_DATA_FILE; ad.type = LSM_AUDIT_DATA_FILE;
ad.u.file = file; ad.u.file = file;
fsec = file->f_security; fsec = selinux_file(file);
if (sid != fsec->sid) { if (sid != fsec->sid) {
rc = avc_has_perm(&selinux_state, rc = avc_has_perm(&selinux_state,
sid, fsec->sid, SECCLASS_FD, FD__USE, &ad); sid, fsec->sid, SECCLASS_FD, FD__USE, &ad);

5
security/selinux/include/objsec.h
View File

@ -165,4 +165,9 @@ static inline struct task_security_struct *selinux_cred(const struct cred *cred)
return cred->security + selinux_blob_sizes.lbs_cred; return cred->security + selinux_blob_sizes.lbs_cred;
} }
static inline struct file_security_struct *selinux_file(const struct file *file)
{
return file->f_security;
}
#endif /* _SELINUX_OBJSEC_H_ */ #endif /* _SELINUX_OBJSEC_H_ */