Use the LSM ID number instead of the LSM name to identify which
security module's attribute data should be shown in /proc/self/attr.
The security_[gs]etprocattr() functions have been changed to expect
the LSM ID. The change from a string comparison to an integer comparison
in these functions will provide a minor performance improvement.

Signed-off-by: Casey Schaufler <ca...@schaufler-ca.com>
---
 fs/proc/base.c           | 29 +++++++++++++++--------------
 fs/proc/internal.h       |  2 +-
 include/linux/security.h | 11 +++++------
 security/security.c      | 11 +++++------
 4 files changed, 26 insertions(+), 27 deletions(-)

diff --git a/fs/proc/base.c b/fs/proc/base.c
index 93f7e3d971e4..b2bda7d0619f 100644
--- a/fs/proc/base.c
+++ b/fs/proc/base.c
@@ -96,6 +96,7 @@
 #include <linux/time_namespace.h>
 #include <linux/resctrl.h>
 #include <linux/cn_proc.h>
+#include <uapi/linux/lsm.h>
 #include <trace/events/oom.h>
 #include "internal.h"
 #include "fd.h"
@@ -145,10 +146,10 @@ struct pid_entry {
        NOD(NAME, (S_IFREG|(MODE)),                     \
                NULL, &proc_single_file_operations,     \
                { .proc_show = show } )
-#define ATTR(LSM, NAME, MODE)                          \
+#define ATTR(LSMID, NAME, MODE)                                \
        NOD(NAME, (S_IFREG|(MODE)),                     \
                NULL, &proc_pid_attr_operations,        \
-               { .lsm = LSM })
+               { .lsmid = LSMID })
 
 /*
  * Count the number of hardlinks for the pid_entry table, excluding the .
@@ -2727,7 +2728,7 @@ static ssize_t proc_pid_attr_read(struct file * file, 
char __user * buf,
        if (!task)
                return -ESRCH;
 
-       length = security_getprocattr(task, PROC_I(inode)->op.lsm,
+       length = security_getprocattr(task, PROC_I(inode)->op.lsmid,
                                      (char*)file->f_path.dentry->d_name.name,
                                      &p);
        put_task_struct(task);
@@ -2785,7 +2786,7 @@ static ssize_t proc_pid_attr_write(struct file * file, 
const char __user * buf,
        if (rv < 0)
                goto out_free;
 
-       rv = security_setprocattr(PROC_I(inode)->op.lsm,
+       rv = security_setprocattr(PROC_I(inode)->op.lsmid,
                                  file->f_path.dentry->d_name.name, page,
                                  count);
        mutex_unlock(&current->signal->cred_guard_mutex);
@@ -2834,27 +2835,27 @@ static const struct inode_operations 
proc_##LSM##_attr_dir_inode_ops = { \
 
 #ifdef CONFIG_SECURITY_SMACK
 static const struct pid_entry smack_attr_dir_stuff[] = {
-       ATTR("smack", "current",        0666),
+       ATTR(LSM_ID_SMACK, "current",   0666),
 };
 LSM_DIR_OPS(smack);
 #endif
 
 #ifdef CONFIG_SECURITY_APPARMOR
 static const struct pid_entry apparmor_attr_dir_stuff[] = {
-       ATTR("apparmor", "current",     0666),
-       ATTR("apparmor", "prev",        0444),
-       ATTR("apparmor", "exec",        0666),
+       ATTR(LSM_ID_APPARMOR, "current",        0666),
+       ATTR(LSM_ID_APPARMOR, "prev",           0444),
+       ATTR(LSM_ID_APPARMOR, "exec",           0666),
 };
 LSM_DIR_OPS(apparmor);
 #endif
 
 static const struct pid_entry attr_dir_stuff[] = {
-       ATTR(NULL, "current",           0666),
-       ATTR(NULL, "prev",              0444),
-       ATTR(NULL, "exec",              0666),
-       ATTR(NULL, "fscreate",          0666),
-       ATTR(NULL, "keycreate",         0666),
-       ATTR(NULL, "sockcreate",        0666),
+       ATTR(LSM_ID_INVALID, "current",         0666),
+       ATTR(LSM_ID_INVALID, "prev",            0444),
+       ATTR(LSM_ID_INVALID, "exec",            0666),
+       ATTR(LSM_ID_INVALID, "fscreate",        0666),
+       ATTR(LSM_ID_INVALID, "keycreate",       0666),
+       ATTR(LSM_ID_INVALID, "sockcreate",      0666),
 #ifdef CONFIG_SECURITY_SMACK
        DIR("smack",                    0555,
            proc_smack_attr_dir_inode_ops, proc_smack_attr_dir_ops),
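Review bot: The six legacy entries at the top of attr_dir_stuff now carry LSM_ID_INVALID, and nothing at this site says that the value means "route to whichever LSM registered the hook first" rather than "no LSM" — a reader seeing LSM_ID_INVALID beside 0666 write permissions is likely to take the entries as disabled. Add a comment before the table, e.g. `/* LSM_ID_INVALID: legacy entries, served by the first LSM that registers the hook (see security_[gs]etprocattr) */`. Since this reproduces the previous NULL wildcard rather than changing behaviour, giving the wildcard its own named constant instead of overloading the "invalid" sentinel would also keep the two meanings from drifting apart as more callers adopt integer IDs. The attr_dir_stuff table continues past the end of the hunk.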
diff --git a/fs/proc/internal.h b/fs/proc/internal.h
index 06a80f78433d..3f6f4a7a1498 100644
--- a/fs/proc/internal.h
+++ b/fs/proc/internal.h
@@ -87,7 +87,7 @@ union proc_op {
        int (*proc_show)(struct seq_file *m,
                struct pid_namespace *ns, struct pid *pid,
                struct task_struct *task);
-       const char *lsm;
+       int lsmid;
 };
 
 struct proc_inode {
diff --git a/include/linux/security.h b/include/linux/security.h
index abdd151fc720..c4696f14daac 100644
--- a/include/linux/security.h
+++ b/include/linux/security.h
@@ -478,10 +478,9 @@ int security_sem_semctl(struct kern_ipc_perm *sma, int 
cmd);
 int security_sem_semop(struct kern_ipc_perm *sma, struct sembuf *sops,
                        unsigned nsops, int alter);
 void security_d_instantiate(struct dentry *dentry, struct inode *inode);
-int security_getprocattr(struct task_struct *p, const char *lsm, char *name,
+int security_getprocattr(struct task_struct *p, int lsmid, char *name,
                         char **value);
-int security_setprocattr(const char *lsm, const char *name, void *value,
-                        size_t size);
+int security_setprocattr(int lsmid, const char *name, void *value, size_t 
size);
 int security_netlink_send(struct sock *sk, struct sk_buff *skb);
 int security_ismaclabel(const char *name);
 int security_secid_to_secctx(u32 secid, char **secdata, u32 *seclen);
@@ -1317,14 +1316,14 @@ static inline void security_d_instantiate(struct dentry 
*dentry,
                                          struct inode *inode)
 { }
 
-static inline int security_getprocattr(struct task_struct *p, const char *lsm,
+static inline int security_getprocattr(struct task_struct *p, int lsmid,
                                       char *name, char **value)
 {
        return -EINVAL;
 }
 
-static inline int security_setprocattr(const char *lsm, char *name,
-                                      void *value, size_t size)
+static inline int security_setprocattr(int lsmid, char *name, void *value,
+                                      size_t size)
 {
        return -EINVAL;
 }
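Review bot: The rewritten CONFIG_SECURITY=n stub keeps `char *name` while the real prototype earlier in this file takes `const char *name`, so the two configurations now expose different signatures for security_setprocattr() even though this line is being rewritten anyway; make the stub `static inline int security_setprocattr(int lsmid, const char *name, void *value, size_t size)`. The const mismatch appears to predate this patch, but the patch touches the line and is the natural place to fix it. The getprocattr stub above it already matches its real declaration.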
diff --git a/security/security.c b/security/security.c
index 14f22d9c9d84..af62f4c1cc89 100644
--- a/security/security.c
+++ b/security/security.c
@@ -2075,26 +2075,25 @@ void security_d_instantiate(struct dentry *dentry, 
struct inode *inode)
 }
 EXPORT_SYMBOL(security_d_instantiate);
 
-int security_getprocattr(struct task_struct *p, const char *lsm, char *name,
-                               char **value)
+int security_getprocattr(struct task_struct *p, int lsmid, char *name,
+                        char **value)
 {
        struct security_hook_list *hp;
 
        hlist_for_each_entry(hp, &security_hook_heads.getprocattr, list) {
-               if (lsm != NULL && strcmp(lsm, hp->lsmid->lsm))
+               if (lsmid != LSM_ID_INVALID && lsmid != hp->lsmid->id)
                        continue;
                return hp->hook.getprocattr(p, name, value);
        }
        return LSM_RET_DEFAULT(getprocattr);
 }
 
-int security_setprocattr(const char *lsm, const char *name, void *value,
-                        size_t size)
+int security_setprocattr(int lsmid, const char *name, void *value, size_t size)
 {
        struct security_hook_list *hp;
 
        hlist_for_each_entry(hp, &security_hook_heads.setprocattr, list) {
-               if (lsm != NULL && strcmp(lsm, hp->lsmid->lsm))
+               if (lsmid != LSM_ID_INVALID && lsmid != hp->lsmid->id)
                        continue;
                return hp->hook.setprocattr(name, value, size);
        }
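Review bot: Neither security_getprocattr() nor security_setprocattr() has a kernel-doc comment, and the move to an integer selector turns the wildcard meaning of LSM_ID_INVALID into a contract callers must know: passing it selects the first LSM on the hook list that implements the hook rather than reporting an error. A short kernel-doc above each function should name the parameters, state that @lsmid is an LSM_ID_* value from uapi/linux/lsm.h, and spell out that LSM_ID_INVALID means "first registered LSM" and that only the first matching hook runs. Naming the `int` parameter `lsmid` next to `hp->lsmid->id`, where `hp->lsmid` appears to be a pointer to a struct, invites confusion in the comparison on the changed lines; a name such as `id` or a comment on the loop would help. The tail of security_setprocattr() lies past the end of the hunk.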
-- 
2.37.3
