Re: [PATCH] 2/5: LSM hooks rework

Mon, 14 Feb 2005 06:32:28 -0800 

On Sun, 2005-02-13 at 22:11, Kurt Garloff wrote:
> From: Kurt Garloff <[EMAIL PROTECTED]>
> Subject: Clean LSM stub file
> References: 40217, 39439
> 
> Rather than having every LSM hook twice, once for the case with
> CONFIG_SECURITY enabled and once for the disabled case, put
> everything in one inline function.

The attached patch fixes compilation if CONFIG_SECURITY_NETWORK is
turned off.

> This reduces the chance of the two to go out of sync immensely.

... as it already happened with security_sk_free(). Also fixed in the
attached patch.


Regards,
-- 
Andreas Gruenbacher <[EMAIL PROTECTED]>
SUSE Labs, SUSE LINUX GMBH
--- Begin Message --- 
The patch didn't define dummy inline functions for the
CONFIG_SECURITY_NETWORK=n case.

Also, security_sk_free() returns void.

Signed-off-by: Andreas Gruenbacher <[EMAIL PROTECTED]>

Index: linux-2.6.11-rc3/include/linux/security.h
===================================================================
--- linux-2.6.11-rc3.orig/include/linux/security.h
+++ linux-2.6.11-rc3/include/linux/security.h
@@ -1261,6 +1261,11 @@ static inline int security_init(void)
 # define COND_SECURITY(seop, def) def
 #endif
 
+#ifdef CONFIG_SECURITY_NETWORK
+#define COND_SECURITY_NETWORK(seop, def) COND_SECURITY(seop, def)
+#else
+#define COND_SECURITY_NETWORK(seop, def) def
+#endif
 /* SELinux noop */
 #define SE_NOP ({})
 
@@ -2044,12 +2049,11 @@ static inline int security_netlink_recv(
                         cap_netlink_recv (skb));
 }
 
-#ifdef CONFIG_SECURITY_NETWORK
 static inline int security_unix_stream_connect(struct socket * sock,
                                               struct socket * other, 
                                               struct sock * newsk)
 {
-       return COND_SECURITY(unix_stream_connect(sock, other, newsk),
+       return COND_SECURITY_NETWORK(unix_stream_connect(sock, other, newsk),
                         0);
 }
 
@@ -2057,14 +2061,14 @@ static inline int security_unix_stream_c
 static inline int security_unix_may_send(struct socket * sock, 
                                         struct socket * other)
 {
-       return COND_SECURITY(unix_may_send(sock, other),
+       return COND_SECURITY_NETWORK(unix_may_send(sock, other),
                         0);
 }
 
 static inline int security_socket_create (int family, int type,
                                          int protocol, int kern)
 {
-       return COND_SECURITY(socket_create(family, type, protocol, kern),
+       return COND_SECURITY_NETWORK(socket_create(family, type, protocol, 
kern),
                         0);
 }
 
@@ -2073,7 +2077,7 @@ static inline void security_socket_post_
                                               int type, 
                                               int protocol, int kern)
 {
-       COND_SECURITY(socket_post_create(sock, family, type, protocol, kern),
+       COND_SECURITY_NETWORK(socket_post_create(sock, family, type, protocol, 
kern),
                  SE_NOP);
 }
 
@@ -2081,7 +2085,7 @@ static inline int security_socket_bind(s
                                       struct sockaddr * address, 
                                       int addrlen)
 {
-       return COND_SECURITY(socket_bind(sock, address, addrlen),
+       return COND_SECURITY_NETWORK(socket_bind(sock, address, addrlen),
                         0);
 }
 
@@ -2089,34 +2093,34 @@ static inline int security_socket_connec
                                          struct sockaddr * address, 
                                          int addrlen)
 {
-       return COND_SECURITY(socket_connect(sock, address, addrlen),
+       return COND_SECURITY_NETWORK(socket_connect(sock, address, addrlen),
                         0);
 }
 
 static inline int security_socket_listen(struct socket * sock, int backlog)
 {
-       return COND_SECURITY(socket_listen(sock, backlog),
+       return COND_SECURITY_NETWORK(socket_listen(sock, backlog),
                         0);
 }
 
 static inline int security_socket_accept(struct socket * sock, 
                                         struct socket * newsock)
 {
-       return COND_SECURITY(socket_accept(sock, newsock),
+       return COND_SECURITY_NETWORK(socket_accept(sock, newsock),
                         0);
 }
 
 static inline void security_socket_post_accept(struct socket * sock, 
                                               struct socket * newsock)
 {
-       COND_SECURITY(socket_post_accept(sock, newsock),
+       COND_SECURITY_NETWORK(socket_post_accept(sock, newsock),
                  SE_NOP);
 }
 
 static inline int security_socket_sendmsg(struct socket * sock, 
                                          struct msghdr * msg, int size)
 {
-       return COND_SECURITY(socket_sendmsg(sock, msg, size),
+       return COND_SECURITY_NETWORK(socket_sendmsg(sock, msg, size),
                         0);
 }
 
@@ -2124,68 +2128,67 @@ static inline int security_socket_recvms
                                          struct msghdr * msg, int size, 
                                          int flags)
 {
-       return COND_SECURITY(socket_recvmsg(sock, msg, size, flags),
+       return COND_SECURITY_NETWORK(socket_recvmsg(sock, msg, size, flags),
                         0);
 }
 
 static inline int security_socket_getsockname(struct socket * sock)
 {
-       return COND_SECURITY(socket_getsockname(sock),
+       return COND_SECURITY_NETWORK(socket_getsockname(sock),
                         0);
 }
 
 static inline int security_socket_getpeername(struct socket * sock)
 {
-       return COND_SECURITY(socket_getpeername(sock),
+       return COND_SECURITY_NETWORK(socket_getpeername(sock),
                         0);
 }
 
 static inline int security_socket_getsockopt(struct socket * sock, 
                                             int level, int optname)
 {
-       return COND_SECURITY(socket_getsockopt(sock, level, optname),
+       return COND_SECURITY_NETWORK(socket_getsockopt(sock, level, optname),
                         0);
 }
 
 static inline int security_socket_setsockopt(struct socket * sock, 
                                             int level, int optname)
 {
-       return COND_SECURITY(socket_setsockopt(sock, level, optname),
+       return COND_SECURITY_NETWORK(socket_setsockopt(sock, level, optname),
                         0);
 }
 
 static inline int security_socket_shutdown(struct socket * sock, int how)
 {
-       return COND_SECURITY(socket_shutdown(sock, how),
+       return COND_SECURITY_NETWORK(socket_shutdown(sock, how),
                         0);
 }
 
 static inline int security_sock_rcv_skb (struct sock * sk, 
                                         struct sk_buff * skb)
 {
-       return COND_SECURITY(socket_sock_rcv_skb(sk, skb),
+       return COND_SECURITY_NETWORK(socket_sock_rcv_skb(sk, skb),
                         0);
 }
 
 static inline int security_socket_getpeersec(struct socket *sock, char __user 
*optval,
                                             int __user *optlen, unsigned len)
 {
-       return COND_SECURITY(socket_getpeersec(sock, optval, optlen, len),
+       return COND_SECURITY_NETWORK(socket_getpeersec(sock, optval, optlen, 
len),
                         -ENOPROTOOPT);
 }
 
 static inline int security_sk_alloc(struct sock *sk, int family, int priority)
 {
-       return COND_SECURITY(sk_alloc_security(sk, family, priority),
+       return COND_SECURITY_NETWORK(sk_alloc_security(sk, family, priority),
                         0);
 }
 
 static inline void security_sk_free(struct sock *sk)
 {
-       return COND_SECURITY(sk_free_security(sk),
-                        0);
+       COND_SECURITY_NETWORK(sk_free_security(sk),
+                        SE_NOP);
 }
-#endif /* CONFIG_SECURITY_NETWORK */
 
 #endif /* ! __LINUX_SECURITY_H */

--- End Message ---

Reply via email to