Change the security_secctx_to_secid interface to use a lsmblob
structure in place of the single u32 secid in support of
module stacking. Change its callers to do the same.

The security module hook is unchanged, still passing back a secid.
The infrastructure passes the correct entry from the lsmblob.

Signed-off-by: Casey Schaufler <ca...@schaufler-ca.com>
Cc: net...@vger.kernel.org
Cc: netfilter-de...@vger.kernel.org
To: Pablo Neira Ayuso <pa...@netfilter.org>
---
 include/linux/security.h          | 26 ++++++++++++++++++--
 kernel/cred.c                     |  4 +---
 net/netfilter/nft_meta.c          | 10 ++++----
 net/netfilter/xt_SECMARK.c        |  7 +++++-
 net/netlabel/netlabel_unlabeled.c | 23 +++++++++++-------
 security/security.c               | 40 ++++++++++++++++++++++++++-----
 6 files changed, 85 insertions(+), 25 deletions(-)

diff --git a/include/linux/security.h b/include/linux/security.h
index b63a14866464..1a1fbe0746a0 100644
--- a/include/linux/security.h
+++ b/include/linux/security.h
@@ -196,6 +196,27 @@ static inline bool lsmblob_equal(struct lsmblob *bloba, 
struct lsmblob *blobb)
 extern int lsm_name_to_slot(char *name);
 extern const char *lsm_slot_to_name(int slot);
 
+/**
+ * lsmblob_value - find the first non-zero value in an lsmblob structure.
+ * @blob: Pointer to the data
+ *
+ * This needs to be used with extreme caution, as the cases where
+ * it is appropriate are rare.
+ *
+ * Return the first secid value set in the lsmblob.
+ * There should only be one.
+ */
+static inline u32 lsmblob_value(const struct lsmblob *blob)
+{
+       int i;
+
+       for (i = 0; i < LSMBLOB_ENTRIES; i++)
+               if (blob->secid[i])
+                       return blob->secid[i];
+
+       return 0;
+}
+
 /* These functions are in security/commoncap.c */
 extern int cap_capable(const struct cred *cred, struct user_namespace *ns,
                       int cap, unsigned int opts);
@@ -524,7 +545,8 @@ int security_setprocattr(const char *lsm, const char *name, 
void *value,
 int security_netlink_send(struct sock *sk, struct sk_buff *skb);
 int security_ismaclabel(const char *name);
 int security_secid_to_secctx(u32 secid, char **secdata, u32 *seclen);
-int security_secctx_to_secid(const char *secdata, u32 seclen, u32 *secid);
+int security_secctx_to_secid(const char *secdata, u32 seclen,
+                            struct lsmblob *blob);
 void security_release_secctx(char *secdata, u32 seclen);
 void security_inode_invalidate_secctx(struct inode *inode);
 int security_inode_notifysecctx(struct inode *inode, void *ctx, u32 ctxlen);
@@ -1364,7 +1386,7 @@ static inline int security_secid_to_secctx(u32 secid, 
char **secdata, u32 *secle
 
 static inline int security_secctx_to_secid(const char *secdata,
                                           u32 seclen,
-                                          u32 *secid)
+                                          struct lsmblob *blob)
 {
        return -EOPNOTSUPP;
 }
diff --git a/kernel/cred.c b/kernel/cred.c
index 22e0e7cbefde..848306c7d823 100644
--- a/kernel/cred.c
+++ b/kernel/cred.c
@@ -757,14 +757,12 @@ EXPORT_SYMBOL(set_security_override);
 int set_security_override_from_ctx(struct cred *new, const char *secctx)
 {
        struct lsmblob blob;
-       u32 secid;
        int ret;
 
-       ret = security_secctx_to_secid(secctx, strlen(secctx), &secid);
+       ret = security_secctx_to_secid(secctx, strlen(secctx), &blob);
        if (ret < 0)
                return ret;
 
-       lsmblob_init(&blob, secid);
        return set_security_override(new, &blob);
 }
 EXPORT_SYMBOL(set_security_override_from_ctx);
diff --git a/net/netfilter/nft_meta.c b/net/netfilter/nft_meta.c
index a7e01e9952f1..f9448e81798e 100644
--- a/net/netfilter/nft_meta.c
+++ b/net/netfilter/nft_meta.c
@@ -809,21 +809,21 @@ static const struct nla_policy 
nft_secmark_policy[NFTA_SECMARK_MAX + 1] = {
 
 static int nft_secmark_compute_secid(struct nft_secmark *priv)
 {
-       u32 tmp_secid = 0;
+       struct lsmblob blob;
        int err;
 
-       err = security_secctx_to_secid(priv->ctx, strlen(priv->ctx), 
&tmp_secid);
+       err = security_secctx_to_secid(priv->ctx, strlen(priv->ctx), &blob);
        if (err)
                return err;
 
-       if (!tmp_secid)
+       if (!lsmblob_is_set(&blob))
                return -ENOENT;
 
-       err = security_secmark_relabel_packet(tmp_secid);
+       err = security_secmark_relabel_packet(lsmblob_value(&blob));
        if (err)
                return err;
 
-       priv->secid = tmp_secid;
+       priv->secid = lsmblob_value(&blob);
        return 0;
 }
 
diff --git a/net/netfilter/xt_SECMARK.c b/net/netfilter/xt_SECMARK.c
index 75625d13e976..9845d98e6b77 100644
--- a/net/netfilter/xt_SECMARK.c
+++ b/net/netfilter/xt_SECMARK.c
@@ -43,13 +43,14 @@ secmark_tg(struct sk_buff *skb, const struct 
xt_action_param *par)
 
 static int checkentry_lsm(struct xt_secmark_target_info *info)
 {
+       struct lsmblob blob;
        int err;
 
        info->secctx[SECMARK_SECCTX_MAX - 1] = '\0';
        info->secid = 0;
 
        err = security_secctx_to_secid(info->secctx, strlen(info->secctx),
-                                      &info->secid);
+                                      &blob);
        if (err) {
                if (err == -EINVAL)
                        pr_info_ratelimited("invalid security context \'%s\'\n",
@@ -57,6 +58,10 @@ static int checkentry_lsm(struct xt_secmark_target_info 
*info)
                return err;
        }
 
+       /* xt_secmark_target_info can't be changed to use lsmblobs because
+        * it is exposed as an API. Use lsmblob_value() to get the one
+        * value that got set by security_secctx_to_secid(). */
+       info->secid = lsmblob_value(&blob);
        if (!info->secid) {
                pr_info_ratelimited("unable to map security context \'%s\'\n",
                                    info->secctx);
diff --git a/net/netlabel/netlabel_unlabeled.c 
b/net/netlabel/netlabel_unlabeled.c
index ccb491642811..df9448af23dd 100644
--- a/net/netlabel/netlabel_unlabeled.c
+++ b/net/netlabel/netlabel_unlabeled.c
@@ -882,7 +882,7 @@ static int netlbl_unlabel_staticadd(struct sk_buff *skb,
        void *addr;
        void *mask;
        u32 addr_len;
-       u32 secid;
+       struct lsmblob blob;
        struct netlbl_audit audit_info;
 
        /* Don't allow users to add both IPv4 and IPv6 addresses for a
@@ -906,13 +906,18 @@ static int netlbl_unlabel_staticadd(struct sk_buff *skb,
        ret_val = security_secctx_to_secid(
                                  nla_data(info->attrs[NLBL_UNLABEL_A_SECCTX]),
                                  nla_len(info->attrs[NLBL_UNLABEL_A_SECCTX]),
-                                 &secid);
+                                 &blob);
        if (ret_val != 0)
                return ret_val;
 
+       /* netlbl_unlhsh_add will be changed to pass a struct lsmblob *
+        * instead of a u32 later in this patch set. security_secctx_to_secid()
+        * will only be setting one entry in the lsmblob struct, so it is
+        * safe to use lsmblob_value() to get that one value. */
+
        return netlbl_unlhsh_add(&init_net,
-                                dev_name, addr, mask, addr_len, secid,
-                                &audit_info);
+                                dev_name, addr, mask, addr_len,
+                                lsmblob_value(&blob), &audit_info);
 }
 
 /**
@@ -933,7 +938,7 @@ static int netlbl_unlabel_staticadddef(struct sk_buff *skb,
        void *addr;
        void *mask;
        u32 addr_len;
-       u32 secid;
+       struct lsmblob blob;
        struct netlbl_audit audit_info;
 
        /* Don't allow users to add both IPv4 and IPv6 addresses for a
@@ -955,13 +960,15 @@ static int netlbl_unlabel_staticadddef(struct sk_buff 
*skb,
        ret_val = security_secctx_to_secid(
                                  nla_data(info->attrs[NLBL_UNLABEL_A_SECCTX]),
                                  nla_len(info->attrs[NLBL_UNLABEL_A_SECCTX]),
-                                 &secid);
+                                 &blob);
        if (ret_val != 0)
                return ret_val;
 
+       /* security_secctx_to_secid() will only put one secid into the lsmblob
+        * so it's safe to use lsmblob_value() to get the secid. */
        return netlbl_unlhsh_add(&init_net,
-                                NULL, addr, mask, addr_len, secid,
-                                &audit_info);
+                                NULL, addr, mask, addr_len,
+                                lsmblob_value(&blob), &audit_info);
 }
 
 /**
diff --git a/security/security.c b/security/security.c
index aa81f2d629af..4fcffbf1ff8d 100644
--- a/security/security.c
+++ b/security/security.c
@@ -2140,10 +2140,22 @@ int security_secid_to_secctx(u32 secid, char **secdata, 
u32 *seclen)
 }
 EXPORT_SYMBOL(security_secid_to_secctx);
 
-int security_secctx_to_secid(const char *secdata, u32 seclen, u32 *secid)
+int security_secctx_to_secid(const char *secdata, u32 seclen,
+                            struct lsmblob *blob)
 {
-       *secid = 0;
-       return call_int_hook(secctx_to_secid, 0, secdata, seclen, secid);
+       struct security_hook_list *hp;
+       int rc;
+
+       lsmblob_init(blob, 0);
+       hlist_for_each_entry(hp, &security_hook_heads.secctx_to_secid, list) {
+               if (WARN_ON(hp->lsmid->slot < 0 || hp->lsmid->slot >= lsm_slot))
+                       continue;
+               rc = hp->hook.secctx_to_secid(secdata, seclen,
+                                             &blob->secid[hp->lsmid->slot]);
+               if (rc != 0)
+                       return rc;
+       }
+       return 0;
 }
 EXPORT_SYMBOL(security_secctx_to_secid);
 
@@ -2294,10 +2306,26 @@ int security_socket_getpeersec_stream(struct socket 
*sock, char __user *optval,
                                optval, optlen, len);
 }
 
-int security_socket_getpeersec_dgram(struct socket *sock, struct sk_buff *skb, 
u32 *secid)
+int security_socket_getpeersec_dgram(struct socket *sock, struct sk_buff *skb,
+                                    u32 *secid)
 {
-       return call_int_hook(socket_getpeersec_dgram, -ENOPROTOOPT, sock,
-                            skb, secid);
+       struct security_hook_list *hp;
+       int rc = -ENOPROTOOPT;
+
+       /*
+        * Only one security module should provide a real hook for
+        * this. A stub or bypass like is used in BPF should either
+        * (somehow) leave rc unaltered or return -ENOPROTOOPT.
+        */
+       hlist_for_each_entry(hp, &security_hook_heads.socket_getpeersec_dgram,
+                            list) {
+               if (WARN_ON(hp->lsmid->slot < 0 || hp->lsmid->slot >= lsm_slot))
+                       continue;
+               rc = hp->hook.socket_getpeersec_dgram(sock, skb, secid);
+               if (rc != -ENOPROTOOPT)
+                       break;
+       }
+       return rc;
 }
 EXPORT_SYMBOL(security_socket_getpeersec_dgram);
 
-- 
2.29.2

Reply via email to