
Smack: Abstract use of ipc security blobs

Don't use the ipc->security pointer directly.
Don't use the msg_msg->security pointer directly.
Provide helper functions that provide the security blob pointers.

Signed-off-by: Casey Schaufler <casey@schaufler-ca.com>
Reviewed-by: Kees Cook <keescook@chromium.org>
Signed-off-by: Kees Cook <keescook@chromium.org>

authored by

Casey Schaufler and committed by
Kees Cook
019bcca4 7c653828

+20 -5
+11
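--- a/security/smack/smack.h
+++ b/security/smack/smack.h
@@ -24,6 +24,7 @@
 #include <linux/list.h>
 #include <linux/rculist.h>
 #include <linux/lsm_audit.h>
+#include <linux/msg.h>
 
 /*
  * Use IPv6 port labeling if IPv6 is enabled and secmarks
@@ -371,6 +372,16 @@
 static inline struct inode_smack *smack_inode(const struct inode *inode)
 {
 	return inode->i_security + smack_blob_sizes.lbs_inode;
+}
+
+static inline struct smack_known **smack_msg_msg(const struct msg_msg *msg)
+{
+	return (struct smack_known **)&msg->security;
+}
+
+static inline struct smack_known **smack_ipc(const struct kern_ipc_perm *ipc)
+{
+	return (struct smack_known **)&ipc->security;
 }
 
 /*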
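Review bot: Both new helpers take a `const` pointer yet return a writable `struct smack_known **` into that same object, and the cast on `&msg->security` / `&ipc->security` is what discards the qualifier. Unlike `smack_inode()` just above, which returns an address computed from the stored `i_security` pointer, these return the address of a field of the const object itself, and `smack_ipc_alloc_security()` in smack_lsm.c stores through it. I would drop `const` from both parameters, e.g. `static inline struct smack_known **smack_ipc(struct kern_ipc_perm *ipc)`, so the compiler still flags a caller that only holds a read-only object. `smack_msg_msg()` has no caller in the hunks shown on this page, so its use could not be checked here.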
+9 -5
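--- a/security/smack/smack_lsm.c
+++ b/security/smack/smack_lsm.c
@@ -2834,7 +2834,9 @@
  */
 static struct smack_known *smack_of_ipc(struct kern_ipc_perm *isp)
 {
-	return (struct smack_known *)isp->security;
+	struct smack_known **blob = smack_ipc(isp);
+
+	return *blob;
 }
 
 /**
@@ -2845,9 +2847,9 @@
  */
 static int smack_ipc_alloc_security(struct kern_ipc_perm *isp)
 {
-	struct smack_known *skp = smk_of_current();
+	struct smack_known **blob = smack_ipc(isp);
 
-	isp->security = skp;
+	*blob = smk_of_current();
 	return 0;
 }
 
@@ -3159,7 +3161,8 @@
  */
 static int smack_ipc_permission(struct kern_ipc_perm *ipp, short flag)
 {
-	struct smack_known *iskp = ipp->security;
+	struct smack_known **blob = smack_ipc(ipp);
+	struct smack_known *iskp = *blob;
 	int may = smack_flags_to_may(flag);
 	struct smk_audit_info ad;
 	int rc;
@@ -3180,7 +3183,8 @@
  */
 static void smack_ipc_getsecid(struct kern_ipc_perm *ipp, u32 *secid)
 {
-	struct smack_known *iskp = ipp->security;
+	struct smack_known **blob = smack_ipc(ipp);
+	struct smack_known *iskp = *blob;
 
 	*secid = iskp->smk_secid;
 }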
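Review bot: `smack_ipc_permission()` and `smack_ipc_getsecid()` each introduce a `blob` local only to dereference it on the next line, although `smack_of_ipc()`, converted at the top of this section, already returns the label for a `kern_ipc_perm`. Using `struct smack_known *iskp = smack_of_ipc(ipp);` in both keeps the read path in one accessor, so a later change to how the label is stored touches one function instead of three. Only `smack_ipc_alloc_security()` needs the `**` form, because it writes the slot. The body of `smack_ipc_permission()` continues past the end of its hunk.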