Message-ID: <20250617210105.17479-3-casey@schaufler-ca.com>
Date: Tue, 17 Jun 2025 14:01:04 -0700
From: Casey Schaufler <casey@...aufler-ca.com>
To: casey@...aufler-ca.com,
paul@...l-moore.com,
eparis@...hat.com,
linux-security-module@...r.kernel.org
Cc: jmorris@...ei.org,
serge@...lyn.com,
keescook@...omium.org,
john.johansen@...onical.com,
penguin-kernel@...ove.sakura.ne.jp,
stephen.smalley.work@...il.com,
linux-kernel@...r.kernel.org,
selinux@...r.kernel.org
Subject: [PATCH 2/3] LSM: allocate mnt_opts blobs instead of module specific data
Replace allocations of LSM specific mount data with the
shared mnt_opts blob.
Signed-off-by: Casey Schaufler <casey@...aufler-ca.com>
---
include/linux/lsm_hooks.h | 1 +
security/security.c | 12 ++++++++++++
security/selinux/hooks.c | 10 +++++++---
security/smack/smack_lsm.c | 4 ++--
4 files changed, 22 insertions(+), 5 deletions(-)
diff --git a/include/linux/lsm_hooks.h b/include/linux/lsm_hooks.h
index 9741c76e4654..1871ebc5833b 100644
--- a/include/linux/lsm_hooks.h
+++ b/include/linux/lsm_hooks.h
@@ -219,4 +219,5 @@ static inline struct xattr *lsm_get_xattr_slot(struct xattr *xattrs,
return &xattrs[(*xattr_count)++];
}
+extern void *lsm_mnt_opts_alloc(gfp_t priority);
#endif /* ! __LINUX_LSM_HOOKS_H */
diff --git a/security/security.c b/security/security.c
index 8a4e0f70e49d..ec61fb7e6492 100644
--- a/security/security.c
+++ b/security/security.c
@@ -904,6 +904,18 @@ void security_sb_free(struct super_block *sb)
sb->s_security = NULL;
}
+/**
+ * lsm_mnt_opts_alloc - allocate a mnt_opts blob
+ * @priority: memory allocation priority
+ *
+ * Returns a newly allocated mnt_opts blob or NULL if
+ * memory isn't available.
+ */
+void *lsm_mnt_opts_alloc(gfp_t priority)
+{
+ return kzalloc(blob_sizes.lbs_mnt_opts, priority);
+}
+
/**
* security_free_mnt_opts() - Free memory associated with mount options
* @mnt_opts: LSM processed mount options
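Review bot: lsm_mnt_opts_alloc() passes blob_sizes.lbs_mnt_opts straight to kzalloc(), and a zero-size kzalloc() returns ZERO_SIZE_PTR rather than NULL, so the `if (!opts)`, `if (!ctx)` and `if (!fc->security)` checks in the SELinux and Smack hunks of this patch would accept a pointer that cannot be dereferenced. Whether the size can be zero depends on where lbs_mnt_opts is registered, which is not visible in this patch, so this is a precondition to confirm rather than a demonstrated bug. It could be recorded in the kernel-doc, e.g. `* Callers must have registered a non-zero lbs_mnt_opts.`, or enforced in the function with `if (WARN_ON_ONCE(!blob_sizes.lbs_mnt_opts)) return NULL;`.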
diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c
index 88cd1d56081a..f7eda0cce68f 100644
--- a/security/selinux/hooks.c
+++ b/security/selinux/hooks.c
@@ -2808,7 +2808,7 @@ static int selinux_fs_context_submount(struct fs_context *fc,
if (!(sbsec->flags & (FSCONTEXT_MNT|CONTEXT_MNT|DEFCONTEXT_MNT)))
return 0;
- opts = kzalloc(sizeof(*opts), GFP_KERNEL);
+ opts = lsm_mnt_opts_alloc(GFP_KERNEL);
if (!opts)
return -ENOMEM;
@@ -2830,8 +2830,12 @@ static int selinux_fs_context_dup(struct fs_context *fc,
if (!src)
return 0;
- fc->security = kmemdup(src, sizeof(*src), GFP_KERNEL);
- return fc->security ? 0 : -ENOMEM;
+ fc->security = lsm_mnt_opts_alloc(GFP_KERNEL);
+ if (!fc->security)
+ return -ENOMEM;
+
+ memcpy(fc->security, src, sizeof(*src));
+ return 0;
}
static const struct fs_parameter_spec selinux_fs_parameters[] = {
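Review bot: In selinux_fs_context_dup() the destination is now sized by blob_sizes.lbs_mnt_opts while `memcpy(fc->security, src, sizeof(*src))` still copies the SELinux structure size, so the allocation and the copy length no longer come from one expression as they did with kmemdup(). If the registered blob size were ever smaller than sizeof(*src), this would write past the allocation; if the blob is larger, or SELinux's data does not start at offset 0, part of the blob is left uncopied. The registration of lbs_mnt_opts is not visible in this patch, so this is an assumption to confirm rather than a demonstrated bug. A duplication helper beside lsm_mnt_opts_alloc() in security.c that copies the whole blob would keep both sizes in one place. Failing that, a comment such as `/* lbs_mnt_opts >= sizeof(*src); SELinux data is at offset 0 */` above the memcpy would record the assumption.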
diff --git a/security/smack/smack_lsm.c b/security/smack/smack_lsm.c
index 44bd92410425..1d456df40096 100644
--- a/security/smack/smack_lsm.c
+++ b/security/smack/smack_lsm.c
@@ -622,7 +622,7 @@ static int smack_fs_context_submount(struct fs_context *fc,
struct smack_mnt_opts *ctx;
struct inode_smack *isp;
- ctx = kzalloc(sizeof(*ctx), GFP_KERNEL);
+ ctx = lsm_mnt_opts_alloc(GFP_KERNEL);
if (!ctx)
return -ENOMEM;
fc->security = ctx;
@@ -673,7 +673,7 @@ static int smack_fs_context_dup(struct fs_context *fc,
if (!src)
return 0;
- fc->security = kzalloc(sizeof(struct smack_mnt_opts), GFP_KERNEL);
+ fc->security = lsm_mnt_opts_alloc(GFP_KERNEL);
if (!fc->security)
return -ENOMEM;
--
2.47.0