Received: by 2002:ac0:a5a6:0:0:0:0:0 with SMTP id m35-v6csp4297333imm; Tue, 11 Sep 2018 09:44:33 -0700 (PDT) X-Google-Smtp-Source: ANB0VdYeehJI0mX/AhiK+Glf9cd9OGLtXeZ3MYC9/8SaUZ3tm4rTNbs2juIh1Z2/2BAT3x8rPhv1 X-Received: by 2002:a17:902:59cf:: with SMTP id d15-v6mr28677429plj.184.1536684273092; Tue, 11 Sep 2018 09:44:33 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1536684273; cv=none; d=google.com; s=arc-20160816; b=gbKvvEye3hzIICFrrgFMO11tWbc5IpZwHxefsEqJrrNO0eqsbx6UTfGLgJp/n67s1K AD2UrEIvlKkjNmtBweYHS9BbasAcdONc/aak4XQCPObfU2E+lGbVqVaO/Yr8eUwFL4VD CMJDnfz2oiXXT1H//gD53/xmFM0ZDHqynJDpwhxShjpm5Z5L9G7PGlY56hwqbG+FEqAd 9tBrl55GCFKIgPSzUbnvd5kHkPcHAEYCyv31I9O66GevJcniw7VLhKO1tOCYJxOy0Gnb aIniWe06iRKbrAQ9ux3Y0GCieanAuzAHMv2RczRQ6kdY8O/uGzQVUpWQ4WB07wbPTY6h /gLQ== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:content-language :content-transfer-encoding:in-reply-to:mime-version:user-agent:date :message-id:from:references:cc:to:subject:dkim-signature; bh=pxMBbdWyRUQWupRMTBSQXs1ILab0LPqTMI4w5YFgpL0=; b=lDK0EJ1Ryfvmbsy/Pzsp8mSYvHqUqVVP3e5vtrC8GYHWc+Dbm+3c5yfRFcBryB3fzJ BoQWr8YiTUPosSWcy31gSXxm4Fq60uaLwgP7Snj4xT3LQAM3gIWFVcauOhs9vFH0tJZd BDtu6Ffy+vWSq5Y0Pzsy+i4haj1kZt5gtQmmp2ecMIiVu+ScWWc1NnGu4HZ0ZoEnuc4W SgQAdAMd5NJc5gZguXWD2a6OJsgeH5lKyzxJwfL+kMluZFwNeUcmrX8AmwjggmUnqNX+ Zty16KXRpR1yLci6ZIqnj6vGZYgvvBsaO4L9o4QCp+VXRavUDoaEGN446i/H8pKzXP1A 1YXA== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@yahoo.com header.s=s2048 header.b=ecuuO93M; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id 185-v6si21164515pgj.511.2018.09.11.09.44.18; Tue, 11 Sep 2018 09:44:33 -0700 (PDT) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; dkim=pass header.i=@yahoo.com header.s=s2048 header.b=ecuuO93M; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1728196AbeIKVmV (ORCPT + 99 others); Tue, 11 Sep 2018 17:42:21 -0400 Received: from sonic303-27.consmr.mail.ne1.yahoo.com ([66.163.188.153]:38850 "EHLO sonic303-27.consmr.mail.ne1.yahoo.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1728181AbeIKVmV (ORCPT ); Tue, 11 Sep 2018 17:42:21 -0400 DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=yahoo.com; s=s2048; t=1536684133; bh=pxMBbdWyRUQWupRMTBSQXs1ILab0LPqTMI4w5YFgpL0=; h=Subject:To:Cc:References:From:Date:In-Reply-To:From:Subject; b=ecuuO93MXTPkV87HW9hjfzQlfIWFIYISreV7tpjpQxTCrOgctfJZ+Up8ntfbfjRzmItO4RIsU4mgxIxVjMZ2bhilpHTL0eRKdvB8IsL3Dr+3zZd9MIWQSYvtwb+6IomvghfIPwGpsmb7yuTZ5DB0noRcAnRVLgyqF/qtP0shC5J1vndQ5r2IhWVgsVgGMlg2P6jgVXAnq8Gx+QHTrS7MBHtYQaU16Cpn8BYJC7UeDCh5z7mU6GAO/FMyFEWfPCiF4JuMVxetMud6Qkzlbq/Zytx4Kzk4LG0G67lE8jGljxWN1Fm9b1KerQ5dHbTFIMup9i3AEjBbY5IgZ3TLJ4hnlQ== X-YMail-OSG: xLgbNVoVM1kRoG1JU0i16pGMii6aHPqtG9ySp_7vIok2XHvQJHv_zGYSj3RDY44 k5vCUMHJWws9GraSHFxt1tbNmMXFmY4mV1W7ppSy6eCAJlNOkDhiJAZAGRRfRWADFHxMVyKzUElF UAQ1.VBVx_TwaajZwM1D5dwkqiKBoVVuTrVv9AXnHtKcbSOps.secSZtX8xBh5I0k_neraN9y.cr crvaARkTCoJm.P3mM8dt_yI6K3YruvO.mX9HC2votxiQVSEvPsx5kGvOvoTMe47K7CUGocOPqyhU 2FpeavM655A7_m3sC.MWcFLPwr9ZdTeiRN4.Fgqh.vsgXzQP7LGE9.e81sSH7U6XYWuAVN8ObH1m OuqDkI9RebqRw4YUavJ_aqC5zpyqRBE8uYgO5Q0psgoNPsmOs4HloArV07OQlFiJnBmVg7HTE97v YZOYMiVd18gZql3SAv_WrFd95IoOEZ_NZcQmSRY1b47F89jKeuUHTyKRyO.qrZauzeGy6KT5TROp hJiq2yJXWsR47sTNaYM.8lV_Gfi_rrGjqITbU7BUIUOTjbx1JeYEqIs.NbdEyOdUt4CJJfH5sPVu .4Bh_jBKlodTX9mMS9iahTrJrSBIr3EU.ToeDgQ8X4e.rEf8MLeVAyVNNtM08H0whAMq_BMFn0YW nO7x85.Ofl6pQhxmllQvMZMXkHBLGBCBmXbx4r_piuL6f6HhkneHa66dNRYd9KZdUGSpfSfuRZvv 3FrktHCDVMniYZX1L8DvqyDV00Y1PmIpjGbQ6X6q7CF.ERsgYDzrSOnVhhL1vP4v4CdE7b8sNSXR Hpoq1AKa8ffemcV8vBlEi5VWVjID71kGKDKhS3JR3J5R_Hx.ZHBU9Tyf7lwp80bcV9_qzpy4fDAY PDOzuaNG_plkTHRjdymFns3Td78dKFa3XkmEtTNXxBISLSb4d61UI2dFaDIdO4OVdMR0BCpQ0J.v lwOogZrmaNucNHRZ1tDyG_OjHbB0H7UrXOV9Cl2DR.ewxgyVhvC14nvM61TEwzYfCHS3JKP1_cfg AF80xc3l2bUO94gDbvhhrnj6eeGykmbUpIHwiWRaoXrJgSA-- Received: from sonic.gate.mail.ne1.yahoo.com by sonic303.consmr.mail.ne1.yahoo.com with HTTP; Tue, 11 Sep 2018 16:42:13 +0000 Received: from c-67-169-65-224.hsd1.ca.comcast.net (EHLO [192.168.0.102]) ([67.169.65.224]) by smtp420.mail.ne1.yahoo.com (Oath Hermes SMTP Server) with ESMTPA ID a9dff44e5e7d4424e9ee126a36ee4bba; Tue, 11 Sep 2018 16:42:11 +0000 (UTC) Subject: [PATCH 08/10] Smack: Abstract use of inode security blob To: LSM , James Morris , LKLM , SE Linux , John Johansen , Kees Cook , Tetsuo Handa , Paul Moore , Stephen Smalley , "linux-fsdevel@vger.kernel.org" , Alexey Dobriyan Cc: "Schaufler, Casey" References: From: Casey Schaufler Message-ID: <70b7f8cf-bfb1-1ec3-e4d4-5d2da632b52b@schaufler-ca.com> Date: Tue, 11 Sep 2018 09:42:07 -0700 User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:52.0) Gecko/20100101 Thunderbird/52.9.1 MIME-Version: 1.0 In-Reply-To: Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: 7bit Content-Language: en-US Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org Don't use the inode->i_security pointer directly. Provide a helper function that provides the security blob pointer. Signed-off-by: Casey Schaufler --- security/smack/smack.h | 9 +++++++-- security/smack/smack_lsm.c | 32 ++++++++++++++++---------------- 2 files changed, 23 insertions(+), 18 deletions(-) diff --git a/security/smack/smack.h b/security/smack/smack.h index 043525a52e94..5da5bd1b9b47 100644 --- a/security/smack/smack.h +++ b/security/smack/smack.h @@ -367,12 +367,17 @@ static inline struct smack_known **smack_file(const struct file *file) return file->f_security; } +static inline struct inode_smack *smack_inode(const struct inode *inode) +{ + return inode->i_security; +} + /* * Is the directory transmuting? */ static inline int smk_inode_transmutable(const struct inode *isp) { - struct inode_smack *sip = isp->i_security; + struct inode_smack *sip = smack_inode(isp); return (sip->smk_flags & SMK_INODE_TRANSMUTE) != 0; } @@ -381,7 +386,7 @@ static inline int smk_inode_transmutable(const struct inode *isp) */ static inline struct smack_known *smk_of_inode(const struct inode *isp) { - struct inode_smack *sip = isp->i_security; + struct inode_smack *sip = smack_inode(isp); return sip->smk_inode; } diff --git a/security/smack/smack_lsm.c b/security/smack/smack_lsm.c index d1430341798f..364699ad55b9 100644 --- a/security/smack/smack_lsm.c +++ b/security/smack/smack_lsm.c @@ -166,7 +166,7 @@ static int smk_bu_task(struct task_struct *otp, int mode, int rc) static int smk_bu_inode(struct inode *inode, int mode, int rc) { struct task_smack *tsp = smack_cred(current_cred()); - struct inode_smack *isp = inode->i_security; + struct inode_smack *isp = smack_inode(inode); char acc[SMK_NUM_ACCESS_TYPE + 1]; if (isp->smk_flags & SMK_INODE_IMPURE) @@ -198,7 +198,7 @@ static int smk_bu_file(struct file *file, int mode, int rc) struct task_smack *tsp = smack_cred(current_cred()); struct smack_known *sskp = tsp->smk_task; struct inode *inode = file_inode(file); - struct inode_smack *isp = inode->i_security; + struct inode_smack *isp = smack_inode(inode); char acc[SMK_NUM_ACCESS_TYPE + 1]; if (isp->smk_flags & SMK_INODE_IMPURE) @@ -228,7 +228,7 @@ static int smk_bu_credfile(const struct cred *cred, struct file *file, struct task_smack *tsp = smack_cred(cred); struct smack_known *sskp = tsp->smk_task; struct inode *inode = file_inode(file); - struct inode_smack *isp = inode->i_security; + struct inode_smack *isp = smack_inode(inode); char acc[SMK_NUM_ACCESS_TYPE + 1]; if (isp->smk_flags & SMK_INODE_IMPURE) @@ -824,7 +824,7 @@ static int smack_set_mnt_opts(struct super_block *sb, /* * Initialize the root inode. */ - isp = inode->i_security; + isp = smack_inode(inode); if (isp == NULL) { isp = new_inode_smack(sp->smk_root); if (isp == NULL) @@ -912,7 +912,7 @@ static int smack_bprm_set_creds(struct linux_binprm *bprm) if (bprm->called_set_creds) return 0; - isp = inode->i_security; + isp = smack_inode(inode); if (isp->smk_task == NULL || isp->smk_task == bsp->smk_task) return 0; @@ -992,7 +992,7 @@ static void smack_inode_free_rcu(struct rcu_head *head) */ static void smack_inode_free_security(struct inode *inode) { - struct inode_smack *issp = inode->i_security; + struct inode_smack *issp = smack_inode(inode); /* * The inode may still be referenced in a path walk and @@ -1020,7 +1020,7 @@ static int smack_inode_init_security(struct inode *inode, struct inode *dir, const struct qstr *qstr, const char **name, void **value, size_t *len) { - struct inode_smack *issp = inode->i_security; + struct inode_smack *issp = smack_inode(inode); struct smack_known *skp = smk_of_current(); struct smack_known *isp = smk_of_inode(inode); struct smack_known *dsp = smk_of_inode(dir); @@ -1358,7 +1358,7 @@ static void smack_inode_post_setxattr(struct dentry *dentry, const char *name, const void *value, size_t size, int flags) { struct smack_known *skp; - struct inode_smack *isp = d_backing_inode(dentry)->i_security; + struct inode_smack *isp = smack_inode(d_backing_inode(dentry)); if (strcmp(name, XATTR_NAME_SMACKTRANSMUTE) == 0) { isp->smk_flags |= SMK_INODE_TRANSMUTE; @@ -1439,7 +1439,7 @@ static int smack_inode_removexattr(struct dentry *dentry, const char *name) if (rc != 0) return rc; - isp = d_backing_inode(dentry)->i_security; + isp = smack_inode(d_backing_inode(dentry)); /* * Don't do anything special for these. * XATTR_NAME_SMACKIPIN @@ -1714,7 +1714,7 @@ static int smack_mmap_file(struct file *file, if (unlikely(IS_PRIVATE(file_inode(file)))) return 0; - isp = file_inode(file)->i_security; + isp = smack_inode(file_inode(file)); if (isp->smk_mmap == NULL) return 0; sbsp = file_inode(file)->i_sb->s_security; @@ -2056,7 +2056,7 @@ static int smack_kernel_act_as(struct cred *new, u32 secid) static int smack_kernel_create_files_as(struct cred *new, struct inode *inode) { - struct inode_smack *isp = inode->i_security; + struct inode_smack *isp = smack_inode(inode); struct task_smack *tsp = smack_cred(new); tsp->smk_forked = isp->smk_inode; @@ -2256,7 +2256,7 @@ static int smack_task_kill(struct task_struct *p, struct siginfo *info, */ static void smack_task_to_inode(struct task_struct *p, struct inode *inode) { - struct inode_smack *isp = inode->i_security; + struct inode_smack *isp = smack_inode(inode); struct smack_known *skp = smk_of_task_struct(p); isp->smk_inode = skp; @@ -2719,7 +2719,7 @@ static int smack_inode_setsecurity(struct inode *inode, const char *name, const void *value, size_t size, int flags) { struct smack_known *skp; - struct inode_smack *nsp = inode->i_security; + struct inode_smack *nsp = smack_inode(inode); struct socket_smack *ssp; struct socket *sock; int rc = 0; @@ -3327,7 +3327,7 @@ static void smack_d_instantiate(struct dentry *opt_dentry, struct inode *inode) if (inode == NULL) return; - isp = inode->i_security; + isp = smack_inode(inode); mutex_lock(&isp->smk_lock); /* @@ -4559,7 +4559,7 @@ static int smack_inode_copy_up(struct dentry *dentry, struct cred **new) /* * Get label from overlay inode and set it in create_sid */ - isp = d_inode(dentry->d_parent)->i_security; + isp = smack_inode(d_inode(dentry->d_parent)); skp = isp->smk_inode; tsp->smk_task = skp; *new = new_creds; @@ -4596,7 +4596,7 @@ static int smack_dentry_create_files_as(struct dentry *dentry, int mode, /* * the attribute of the containing directory */ - isp = d_inode(dentry->d_parent)->i_security; + isp = smack_inode(d_inode(dentry->d_parent)); if (isp->smk_flags & SMK_INODE_TRANSMUTE) { rcu_read_lock(); -- 2.17.1