Message-ID: <CAHC9VhRnFehuM4ODOMeUo9MZ-6K5bDL6KdakgzrivJKeUGDQFA@mail.gmail.com>
Date: Sun, 5 Dec 2021 21:44:28 -0500
From: Paul Moore <paul@...l-moore.com>
To: Casey Schaufler <casey@...aufler-ca.com>
Cc: casey.schaufler@...el.com, jmorris@...ei.org,
linux-security-module@...r.kernel.org, selinux@...r.kernel.org,
linux-audit@...hat.com, keescook@...omium.org,
john.johansen@...onical.com, penguin-kernel@...ove.sakura.ne.jp,
sds@...ho.nsa.gov, linux-kernel@...r.kernel.org
Subject: Re: [PATCH v30 06/28] LSM: Use lsmblob in security_audit_rule_match
On Tue, Nov 23, 2021 at 8:50 PM Casey Schaufler <casey@...aufler-ca.com> wrote:
>
> Change the secid parameter of security_audit_rule_match
> to a lsmblob structure pointer. Pass the entry from the
> lsmblob structure for the appropriate slot to the LSM hook.
>
> Change the users of security_audit_rule_match to use the
> lsmblob instead of a u32. The scaffolding function lsmblob_init()
> fills the blob with the value of the old secid, ensuring that
> it is available to the appropriate module hook. The sources of
> the secid, security_task_getsecid() and security_inode_getsecid(),
> will be converted to use the blob structure later in the series.
> At the point the use of lsmblob_init() is dropped.
>
> Signed-off-by: Casey Schaufler <casey@...aufler-ca.com>
> Cc: linux-audit@...hat.com
> ---
> include/linux/security.h | 5 +++--
> kernel/auditfilter.c | 6 ++++--
> kernel/auditsc.c | 16 +++++++++++-----
> security/security.c | 5 +++--
> 4 files changed, 21 insertions(+), 11 deletions(-)
>
> diff --git a/include/linux/security.h b/include/linux/security.h
> index ddd4cf48413c..d846d90f5624 100644
> --- a/include/linux/security.h
> +++ b/include/linux/security.h
> @@ -1954,7 +1954,7 @@ static inline int security_key_getsecurity(struct key *key, char **_buffer)
> int security_audit_rule_init(u32 field, u32 op, char *rulestr,
> struct audit_rules *lsmrules);
> int security_audit_rule_known(struct audit_krule *krule);
> -int security_audit_rule_match(u32 secid, u32 field, u32 op,
> +int security_audit_rule_match(struct lsmblob *blob, u32 field, u32 op,
> struct audit_rules *lsmrules);
> void security_audit_rule_free(struct audit_rules *lsmrules);
>
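Review bot: The new prototype `int security_audit_rule_match(struct lsmblob *blob, u32 field, u32 op,` takes a non-const pointer, yet the commit message says the hook only reads the slot entry out of the blob; consider `const struct lsmblob *blob` here and in the matching stub so the read-only contract is visible at the call sites in kernel/auditfilter.c and kernel/auditsc.c (those callers are listed in the diffstat but not shown in this excerpt).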
> @@ -1971,7 +1971,8 @@ static inline int security_audit_rule_known(struct audit_krule *krule)
> return 0;
> }
>
> -static inline int security_audit_rule_match(u32 secid, u32 field, u32 op,
> +static inline int security_audit_rule_match(struct lsmblob *blob secid,
> + u32 field, u32 op,
> struct audit_rules *lsmrules)
> {
> return 0;
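Review bot: The `!CONFIG_SECURITY` stub in this hunk does not compile: `+static inline int security_audit_rule_match(struct lsmblob *blob secid,` has a stray `secid` token left over from the old `u32 secid` parameter. It should read `static inline int security_audit_rule_match(struct lsmblob *blob,` so the stub matches the real prototype in the previous hunk; this is the typo the test robot reported.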
Assuming you fix up the typo above that the test robot found, it looks
reasonable to me.
Acked-by: Paul Moore <paul@...l-moore.com>
--
paul moore
www.paul-moore.com