
security: add const qualifier to struct sock in various places

A followup change to tcp_request_sock_op would have to drop the 'const'
qualifier from the 'route_req' function as the
'security_inet_conn_request' call is moved there - and that function
expects a 'struct sock *'.

However, it turns out it's also possible to add a const qualifier to
security_inet_conn_request instead.

Signed-off-by: Florian Westphal <fw@strlen.de>
Acked-by: James Morris <jamorris@linux.microsoft.com>
Signed-off-by: Jakub Kicinski <kuba@kernel.org>

authored by

Florian Westphal and committed by
Jakub Kicinski
41dd9596 d4bff72c

+15 -15
+1 -1
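--- a/include/linux/lsm_audit.h
+++ b/include/linux/lsm_audit.h
@@ -26,7 +26,7 @@
 
 struct lsm_network_audit {
 int netif;
-struct sock *sk;
+const struct sock *sk;
 u16 family;
 __be16 dport;
 __be16 sport;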
+1 -1
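--- a/include/linux/lsm_hook_defs.h
+++ b/include/linux/lsm_hook_defs.h
@@ -301,7 +301,7 @@
 struct sock *newsk)
 LSM_HOOK(void, LSM_RET_VOID, sk_getsecid, struct sock *sk, u32 *secid)
 LSM_HOOK(void, LSM_RET_VOID, sock_graft, struct sock *sk, struct socket *parent)
-LSM_HOOK(int, 0, inet_conn_request, struct sock *sk, struct sk_buff *skb,
+LSM_HOOK(int, 0, inet_conn_request, const struct sock *sk, struct sk_buff *skb,
 struct request_sock *req)
 LSM_HOOK(void, LSM_RET_VOID, inet_csk_clone, struct sock *newsk,
 const struct request_sock *req)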
+2 -2
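--- a/include/linux/security.h
+++ b/include/linux/security.h
@@ -1358,7 +1358,7 @@
 void security_sk_classify_flow(struct sock *sk, struct flowi *fl);
 void security_req_classify_flow(const struct request_sock *req, struct flowi *fl);
 void security_sock_graft(struct sock*sk, struct socket *parent);
-int security_inet_conn_request(struct sock *sk,
+int security_inet_conn_request(const struct sock *sk,
 struct sk_buff *skb, struct request_sock *req);
 void security_inet_csk_clone(struct sock *newsk,
 const struct request_sock *req);
@@ -1519,7 +1519,7 @@
 {
 }
 
-static inline int security_inet_conn_request(struct sock *sk,
+static inline int security_inet_conn_request(const struct sock *sk,
 struct sk_buff *skb, struct request_sock *req)
 {
 return 0;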
+1 -1
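--- a/security/apparmor/include/net.h
+++ b/security/apparmor/include/net.h
@@ -107,6 +107,6 @@
 struct socket *sock);
 
 int apparmor_secmark_check(struct aa_label *label, char *op, u32 request,
-u32 secid, struct sock *sk);
+u32 secid, const struct sock *sk);
 
 #endif /* __AA_NET_H */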
+1 -1
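--- a/security/apparmor/lsm.c
+++ b/security/apparmor/lsm.c
@@ -1147,7 +1147,7 @@
 }
 
 #ifdef CONFIG_NETWORK_SECMARK
-static int apparmor_inet_conn_request(struct sock *sk, struct sk_buff *skb,
+static int apparmor_inet_conn_request(const struct sock *sk, struct sk_buff *skb,
 struct request_sock *req)
 {
 struct aa_sk_ctx *ctx = SK_CTX(sk);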
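Review bot: In `apparmor_inet_conn_request`, `struct aa_sk_ctx *ctx = SK_CTX(sk);` still produces a non-const pointer from the now-const `sk`, so the new qualifier does not reach the security blob. `const` applies to the fields of `struct sock` itself; assuming `SK_CTX()` resolves to `sk->sk_security` (its definition is not on this page), the object it points at stays writable and the compiler will not flag a store through `ctx`. The same holds for `struct sk_security_struct *sksec = sk->sk_security;` in `selinux_inet_conn_request` in security/selinux/hooks.c. I would add a comment above the declaration such as `/* const covers struct sock only; the blob behind sk->sk_security stays writable */`, or declare the local `const struct aa_sk_ctx *ctx` if the rest of the body, which continues outside this hunk, only reads it.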
+3 -3
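--- a/security/apparmor/net.c
+++ b/security/apparmor/net.c
@@ -211,7 +211,7 @@
 }
 
 static int aa_secmark_perm(struct aa_profile *profile, u32 request, u32 secid,
-struct common_audit_data *sa, struct sock *sk)
+struct common_audit_data *sa)
 {
 int i, ret;
 struct aa_perms perms = { };
@@ -244,13 +244,13 @@
 }
 
 int apparmor_secmark_check(struct aa_label *label, char *op, u32 request,
-u32 secid, struct sock *sk)
+u32 secid, const struct sock *sk)
 {
 struct aa_profile *profile;
 DEFINE_AUDIT_SK(sa, op, sk);
 
 return fn_for_each_confined(label, profile,
 aa_secmark_perm(profile, request, secid,
-&sa, sk));
+&sa));
 }
 #endif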
+2 -2
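--- a/security/lsm_audit.c
+++ b/security/lsm_audit.c
@@ -183,7 +183,7 @@
 
 
 static inline void print_ipv6_addr(struct audit_buffer *ab,
-struct in6_addr *addr, __be16 port,
+const struct in6_addr *addr, __be16 port,
 char *name1, char *name2)
 {
 if (!ipv6_addr_any(addr))
@@ -322,7 +322,7 @@
 }
 case LSM_AUDIT_DATA_NET:
 if (a->u.net->sk) {
-struct sock *sk = a->u.net->sk;
+const struct sock *sk = a->u.net->sk;
 struct unix_sock *u;
 struct unix_address *addr;
 int len = 0;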
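Review bot: In the `LSM_AUDIT_DATA_NET` case, `struct unix_sock *u;` stays non-const directly below the newly const `sk`, so whatever assigns `u` from `sk` later in the case has to drop the qualifier again. That assignment is outside this hunk; if the code only reads the socket to format the audit record, declaring `const struct unix_sock *u;` would carry the read-only guarantee through to the unix-socket branch and let the compiler catch an accidental write. In the first hunk the same style point applies to `char *name1, char *name2` in `print_ipv6_addr`, which could become `const char *` next to the new `const struct in6_addr *addr`.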
+1 -1
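--- a/security/security.c
+++ b/security/security.c
@@ -2225,7 +2225,7 @@
 }
 EXPORT_SYMBOL(security_sock_graft);
 
-int security_inet_conn_request(struct sock *sk,
+int security_inet_conn_request(const struct sock *sk,
 struct sk_buff *skb, struct request_sock *req)
 {
 return call_int_hook(inet_conn_request, 0, sk, skb, req);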
+1 -1
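--- a/security/selinux/hooks.c
+++ b/security/selinux/hooks.c
@@ -5355,7 +5355,7 @@
 selinux_netlbl_sctp_sk_clone(sk, newsk);
 }
 
-static int selinux_inet_conn_request(struct sock *sk, struct sk_buff *skb,
+static int selinux_inet_conn_request(const struct sock *sk, struct sk_buff *skb,
 struct request_sock *req)
 {
 struct sk_security_struct *sksec = sk->sk_security;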
+2 -2
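--- a/security/smack/smack_lsm.c
+++ b/security/smack/smack_lsm.c
@@ -3864,7 +3864,7 @@
 *
 * Returns smack_known of the IP options or NULL if that won't work.
 */
-static struct smack_known *smack_from_netlbl(struct sock *sk, u16 family,
+static struct smack_known *smack_from_netlbl(const struct sock *sk, u16 family,
 struct sk_buff *skb)
 {
 struct netlbl_lsm_secattr secattr;
@@ -4114,7 +4114,7 @@
 * Returns 0 if a task with the packet label could write to
 * the socket, otherwise an error code
 */
-static int smack_inet_conn_request(struct sock *sk, struct sk_buff *skb,
+static int smack_inet_conn_request(const struct sock *sk, struct sk_buff *skb,
 struct request_sock *req)
 {
 u16 family = sk->sk_family;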