lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <4e2669fc0be9b0f1ca15b17ca415a87d@paul-moore.com>
Date: Thu, 10 Oct 2024 23:08:08 -0400
From: Paul Moore <paul@...l-moore.com>
To: Casey Schaufler <casey@...aufler-ca.com>, casey@...aufler-ca.com, linux-security-module@...r.kernel.org
Cc: jmorris@...ei.org, serge@...lyn.com, keescook@...omium.org, john.johansen@...onical.com, penguin-kernel@...ove.sakura.ne.jp, stephen.smalley.work@...il.com, linux-kernel@...r.kernel.org, selinux@...r.kernel.org, mic@...ikod.net
Subject: Re: [PATCH v4 4/13] Audit: maintain an lsm_prop in audit_context

On Oct  9, 2024 Casey Schaufler <casey@...aufler-ca.com> wrote:
> 
> Replace the secid value stored in struct audit_context with a struct
> lsm_prop. Change the code that uses this value to accommodate the
> change. security_audit_rule_match() expects a lsm_prop, so existing
> scaffolding can be removed. A call to security_secid_to_secctx()
> is changed to security_lsmprop_to_secctx().  The call to
> security_ipc_getsecid() is scaffolded.
> 
> A new function lsmprop_is_set() is introduced to identify whether
> an lsm_prop contains a non-zero value.
> 
> Signed-off-by: Casey Schaufler <casey@...aufler-ca.com>
> ---
>  include/linux/security.h | 24 ++++++++++++++++++++++++
>  kernel/audit.h           |  3 ++-
>  kernel/auditsc.c         | 19 ++++++++-----------
>  3 files changed, 34 insertions(+), 12 deletions(-)
> 
> diff --git a/include/linux/security.h b/include/linux/security.h
> index f1c68e38b15d..5652baa4ca3c 100644
> --- a/include/linux/security.h
> +++ b/include/linux/security.h
> @@ -291,6 +291,19 @@ static inline const char *kernel_load_data_id_str(enum kernel_load_data_id id)
>  
>  #ifdef CONFIG_SECURITY
>  
> +/**
> + * lsmprop_is_set - report if there is a value in the lsm_prop
> + * @prop: Pointer to the exported LSM data
> + *
> + * Returns true if there is a value set, false otherwise
> + */
> +static inline bool lsm_prop_is_set(struct lsm_prop *prop)
> +{
> +	const struct lsm_prop empty = {};
> +
> +	return !!memcmp(prop, &empty, sizeof(*prop));
> +}
> +
>  int call_blocking_lsm_notifier(enum lsm_event event, void *data);
>  int register_blocking_lsm_notifier(struct notifier_block *nb);
>  int unregister_blocking_lsm_notifier(struct notifier_block *nb);
> @@ -552,6 +565,17 @@ int security_bdev_setintegrity(struct block_device *bdev,
>  			       size_t size);
>  #else /* CONFIG_SECURITY */
>  
> +/**
> + * lsmprop_is_set - report if there is a value in the lsm_prop
> + * @prop: Pointer to the exported LSM data
> + *
> + * Returns true if there is a value set, false otherwise
> + */
> +static inline bool lsm_prop_is_set(struct lsm_prop *prop)
> +{
> +	return false;
> +}

If we're going to call this lsmprop_is_set() (see 5/13), we really should
name it that way to start in this patch.

Considering everything else in this patchset looks okay, if you want me
to fix this up during the merge let me know.

--
paul-moore.com

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ