Subject: [PATCH v5 35/38] SELinux: Abstract use of ipc security blobs
To: James Morris, LSM, LKLM, SE Linux
Cc: John Johansen, Kees Cook, Tetsuo Handa, Paul Moore, linux-fsdevel@vger.kernel.org, Stephen Smalley, Alexey Dobriyan, Mickaël Salaün, Salvatore Mesoraca
References: <50db058a-7dde-441b-a7f9-f6837fe8b69f@schaufler-ca.com>
From: Casey Schaufler
Message-ID: <2b9fa6ed-c7b9-49a3-c4e2-957ef1d31243@schaufler-ca.com>
Date: Mon, 26 Nov 2018 15:54:31 -0800
In-Reply-To: <50db058a-7dde-441b-a7f9-f6837fe8b69f@schaufler-ca.com>
X-Mailing-List: linux-kernel@vger.kernel.org

Don't use the ipc->security pointer directly.
Don't use the msg_msg->security pointer directly.
Provide helper functions that provide the security blob pointers.

Signed-off-by: Casey Schaufler
Reviewed-by: Kees Cook
Signed-off-by: Kees Cook
---
 security/selinux/hooks.c          | 18 +++++++++---------
 security/selinux/include/objsec.h | 13 +++++++++++++
 2 files changed, 22 insertions(+), 9 deletions(-)

diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c index f0e7ac26f3a9..1e56b036018a 100644 --- a/security/selinux/hooks.c +++ b/security/selinux/hooks.c @@ -5889,7 +5889,7 @@ static int ipc_has_perm(struct kern_ipc_perm *ipc_perms, struct common_audit_data ad; u32 sid = current_sid(); - isec = ipc_perms->security; + isec = selinux_ipc(ipc_perms); ad.type = LSM_AUDIT_DATA_IPC; ad.u.ipc_id = ipc_perms->key; @@ -5946,7 +5946,7 @@ static int selinux_msg_queue_associate(struct kern_ipc_perm *msq, int msqflg) struct common_audit_data ad; u32 sid = current_sid(); - isec = msq->security; + isec = selinux_ipc(msq); ad.type = LSM_AUDIT_DATA_IPC; ad.u.ipc_id = msq->key; @@ -5995,8 +5995,8 @@ static int selinux_msg_queue_msgsnd(struct kern_ipc_perm *msq, struct msg_msg *m u32 sid = current_sid(); int rc; - isec = msq->security; - msec = msg->security; + isec = selinux_ipc(msq); + msec = selinux_msg_msg(msg); /* * First time through, need to assign label to the message 
@@ -6043,8 +6043,8 @@ static int selinux_msg_queue_msgrcv(struct kern_ipc_perm *msq, struct msg_msg *m u32 sid = task_sid(target); int rc; - isec = msq->security; - msec = msg->security; + isec = selinux_ipc(msq); + msec = selinux_msg_msg(msg); ad.type = LSM_AUDIT_DATA_IPC; ad.u.ipc_id = msq->key; @@ -6097,7 +6097,7 @@ static int selinux_shm_associate(struct kern_ipc_perm *shp, int shmflg) struct common_audit_data ad; u32 sid = current_sid(); - isec = shp->security; + isec = selinux_ipc(shp); ad.type = LSM_AUDIT_DATA_IPC; ad.u.ipc_id = shp->key; @@ -6194,7 +6194,7 @@ static int selinux_sem_associate(struct kern_ipc_perm *sma, int semflg) struct common_audit_data ad; u32 sid = current_sid(); - isec = sma->security; + isec = selinux_ipc(sma); ad.type = LSM_AUDIT_DATA_IPC; ad.u.ipc_id = sma->key; @@ -6280,7 +6280,7 @@ static int selinux_ipc_permission(struct kern_ipc_perm *ipcp, short flag) static void selinux_ipc_getsecid(struct kern_ipc_perm *ipcp, u32 *secid) { - struct ipc_security_struct *isec = ipcp->security; + struct ipc_security_struct *isec = selinux_ipc(ipcp); *secid = isec->sid; } diff --git a/security/selinux/include/objsec.h b/security/selinux/include/objsec.h index 562fad58c56b..539cacf4a572 100644 --- a/security/selinux/include/objsec.h +++ b/security/selinux/include/objsec.h @@ -26,6 +26,7 @@ #include #include #include +#include #include #include "flask.h" #include "avc.h" @@ -175,4 +176,16 @@ static inline struct inode_security_struct *selinux_inode( return inode->i_security + selinux_blob_sizes.lbs_inode; } +static inline struct msg_security_struct *selinux_msg_msg( + const struct msg_msg *msg_msg) +{ + return msg_msg->security; +} + +static inline struct ipc_security_struct *selinux_ipc( + const struct kern_ipc_perm *ipc) +{ + return ipc->security; +} + #endif /* _SELINUX_OBJSEC_H_ */ -- 2.14.5
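Review bot: in the objsec.h hunk at @@ -26,6 +26,7 @@ the added `+#include` line carries no header name as it appears here, so it is not possible to confirm from the diff which header it pulls in. Whatever it is, it has to be the one that defines struct msg_msg rather than merely forward-declaring it, because the new selinux_msg_msg() helper later in the same file dereferences msg_msg->security, which needs the complete type. Please check the include is present and sorted with the other linux/ includes at the top of objsec.h.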
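Review bot: the two helpers in the objsec.h hunk at @@ -175,4 +176,16 @@ return msg_msg->security and ipc->security unchanged, while the selinux_inode() helper visible directly above them returns inode->i_security + selinux_blob_sizes.lbs_inode. The asymmetry is not explained anywhere in the patch; if the offset form for IPC and msg_msg blobs arrives in a later patch of the series, say so in the commit message, and if it does not, a one-line comment on each helper explaining why these blobs are not offset would stop the next reader from "fixing" them to match selinux_inode(). A short kernel-doc comment on each helper (argument, return value) would also be in keeping with the file.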
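Review bot: the hooks.c hunk at @@ -6280,7 +6280,7 @@ (selinux_ipc_getsecid) is the last of seven read-site conversions, and the diffstat's 9 deletions in hooks.c account exactly for the nine `->security` reads replaced in these hunks, so the paths that assign or free the blob are deliberately not touched here. Before merging, grep hooks.c for any remaining raw `->security` access on kern_ipc_perm or msg_msg; if any read site is left behind, a later change to what selinux_ipc() or selinux_msg_msg() returns (for example adding an offset) would silently leave mixed raw and helper-based accesses to the same blob.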
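As an added illustration, not part of this patch or of the kernel tree, the user-space C below models the accessor pattern the commit message describes and goes one step past the patch: here selinux_ipc() adds a per-module offset into one shared blob, the way the diff's selinux_inode() does with selinux_blob_sizes.lbs_inode, and a second hypothetical module shares the same blob. The struct layouts, lsm_reserve_ipc(), other_ipc(), the blob-size bookkeeping and the demo functions are all invented for the example.

```c
/* Added example (not from the patch or the kernel tree).  Models the
 * "security blob accessor" pattern: the patch's selinux_ipc() returns
 * ipc->security as-is; this shows the offset form that selinux_inode()
 * in the diff already uses, with two hypothetical modules sharing one
 * blob.  Every name and layout here is invented for illustration. */
#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

#define LSM_BLOB_ALIGN 8   /* keep each module's region 8-byte aligned */

/* Minimal stand-in for struct kern_ipc_perm: only the fields we need. */
struct kern_ipc_perm {
    int key;
    void *security;        /* one shared blob, carved up per module */
};

/* Per-module blob sizes, analogous to the kernel's lsm_blob_sizes. */
struct lsm_blob_sizes {
    size_t lbs_ipc;        /* this module's offset into the ipc blob */
};

/* Hypothetical per-module security structs. */
struct ipc_security_struct { uint32_t sid; };     /* "selinux" */
struct other_ipc_security  { char label[16]; };   /* a second module */

static size_t total_ipc_blob;                     /* bytes needed for all modules */
static struct lsm_blob_sizes selinux_blob_sizes;
static struct lsm_blob_sizes other_blob_sizes;

/* Reserve space in the shared blob; returns the module's offset. */
static size_t lsm_reserve_ipc(size_t sz)
{
    size_t off = total_ipc_blob;
    total_ipc_blob += (sz + LSM_BLOB_ALIGN - 1) & ~(size_t)(LSM_BLOB_ALIGN - 1);
    return off;
}

/* Registration order fixes each module's offset (hypothetical). */
static void lsm_register_all(void)
{
    total_ipc_blob = 0;
    selinux_blob_sizes.lbs_ipc = lsm_reserve_ipc(sizeof(struct ipc_security_struct));
    other_blob_sizes.lbs_ipc   = lsm_reserve_ipc(sizeof(struct other_ipc_security));
}

/* Accessors: same shape as the patch's selinux_ipc(), but adding the
 * module's offset instead of returning ipc->security unchanged. */
static inline struct ipc_security_struct *selinux_ipc(const struct kern_ipc_perm *ipc)
{
    return (struct ipc_security_struct *)((char *)ipc->security + selinux_blob_sizes.lbs_ipc);
}

static inline struct other_ipc_security *other_ipc(const struct kern_ipc_perm *ipc)
{
    return (struct other_ipc_security *)((char *)ipc->security + other_blob_sizes.lbs_ipc);
}

/* Allocate one zeroed blob large enough for every registered module. */
static int lsm_ipc_alloc(struct kern_ipc_perm *ipc)
{
    ipc->security = calloc(1, total_ipc_blob);
    return ipc->security ? 0 : -1;
}

static void lsm_ipc_free(struct kern_ipc_perm *ipc)
{
    free(ipc->security);
    ipc->security = NULL;
}

/* Each module labels through its own accessor and neither write
 * clobbers the other.  Returns the SID selinux reads back after the
 * other module has written its label (expected 42), or 0 on failure. */
uint32_t demo_shared_blob(void)
{
    struct kern_ipc_perm ipc = { .key = 0x1234, .security = NULL };
    uint32_t sid;

    lsm_register_all();
    if (lsm_ipc_alloc(&ipc))
        return 0;

    selinux_ipc(&ipc)->sid = 42;
    strncpy(other_ipc(&ipc)->label, "shared", sizeof(other_ipc(&ipc)->label));
    sid = selinux_ipc(&ipc)->sid;

    /* the second module's region must follow, not overlap, the first */
    if (strcmp(other_ipc(&ipc)->label, "shared") != 0)
        sid = 0;
    if ((char *)other_ipc(&ipc) <= (char *)selinux_ipc(&ipc))
        sid = 0;

    lsm_ipc_free(&ipc);
    return sid;
}

/* Total blob size after registration: 8 (selinux, padded) + 16 (other). */
size_t demo_blob_size(void)
{
    lsm_register_all();
    return total_ipc_blob;
}
```

The point of routing every access through the helper is visible in demo_shared_blob(): callers never learn where their data sits inside the blob, so moving from the raw-pointer form in the patch to the offset form changes one function per module, not every hook.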