On Thu, Jul 25, 2013 at 11:32 AM, Casey Schaufler <ca...@schaufler-ca.com> wrote:
> Subject: [PATCH v14 3/6] LSM: Explicit individual LSM associations
> [...]
> Introduce feature specific security operation vectors
> for NetLabel, XFRM, secmark and presentation in the
> traditional /proc/.../attr interfaces. This allows
> proper handling of secids.
> [...]
> --- a/include/linux/lsm.h
> +++ b/include/linux/lsm.h
> @@ -164,9 +164,18 @@ static inline void lsm_init_secid(struct secids *secid,
> u32 lsecid, int order)
> {
> memset(secid, 0, sizeof(*secid));
>
> - if (lsecid != 0)
> + if (lsecid == 0)
> + return;
> + /*
> + * An order of -1 means set it for all LSMs.
> + */
> + if (order < 0) {
> + secid->si_lsm[0] = lsecid;
> + secid->si_count++;
> + } else {
> + secid->si_lsm[order] = lsecid;
> secid->si_count = 1;
> - secid->si_lsm[order] = lsecid;
> + }
> }
>
> static inline int lsm_zero_secid(struct secids *secid)
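Review bot: The new comment in lsm_init_secid() says an order of -1 sets the secid "for all LSMs", but the `order < 0` branch writes only `si_lsm[0]` and leaves `si_count` at 1 after the memset, so every other slot stays 0. If slot 0 alone is intended, the comment should say so, e.g. `/* order < 0: no specific LSM, record the secid in slot 0 only */`; if every LSM is meant to see the value, the branch has to fill each slot and set the count to match. Separately, `secid->si_lsm[order] = lsecid;` indexes with a caller-supplied `order` that the hunk never compares with the array size; the size of `si_lsm` is not visible here, so a range check or a documented caller guarantee is worth adding.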
> @@ -178,39 +187,64 @@ static inline int lsm_zero_secid(struct secids *secid)
>
> #ifdef CONFIG_SECURITY
>
> +extern struct security_operations *present_ops;
> static inline struct security_operations *lsm_present_ops(void)
> {
> - return security_ops;
> + return present_ops;
> }
>
> static inline int lsm_present_order(void)
> {
> - return 0;
> + return present_ops->order;
> }
>
> +#ifdef CONFIG_NETLABEL
> +extern struct security_operations *netlbl_ops;
> +
> static inline struct security_operations *lsm_netlbl_ops(void)
> {
> - return security_ops;
> + return netlbl_ops;
> }
>
> static inline int lsm_netlbl_order(void)
> {
> - return 0;
> + return netlbl_ops->order;
> }
> +#endif /* CONFIG_NETLABEL */
> +
> +#ifdef CONFIG_SECURITY_NETWORK_XFRM
> +extern struct security_operations *xfrm_ops;
>
> static inline struct security_operations *lsm_xfrm_ops(void)
> {
> - return security_ops;
> + return xfrm_ops;
> }
>
> static inline int lsm_xfrm_order(void)
> {
> - return 0;
> + return xfrm_ops->order;
> }
> +#endif /* CONFIG_SECURITY_NETWORK_XFRM */
> +
> +#ifdef CONFIG_NETWORK_SECMARK
> +extern struct security_operations *secmark_ops;
>
> static inline struct security_operations *lsm_secmark_ops(void)
> {
> - return security_ops;
> + return secmark_ops;
> +}
> +
> +static inline int lsm_secmark_order(void)
> +{
> + return secmark_ops->order;
> +}
> +#endif /* CONFIG_NETWORK_SECMARK */
> +
> +#else /* CONFIG_SECURITY */
> +
> +static inline int lsm_xfrm_order(void)
> +{
> + return 0;
> }
>
> static inline int lsm_secmark_order(void)
> @@ -218,6 +252,11 @@ static inline int lsm_secmark_order(void)
> return 0;
> }
>
> +static inline struct security_operations *lsm_secmark_ops(void)
> +{
> + return NULL;
> +}
> +
> #endif /* CONFIG_SECURITY */
>
> #endif /* ! _LINUX_LSM_H */
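Review bot: Each new `*_order()` accessor dereferences its global without a check (`present_ops->order`, `netlbl_ops->order`, `xfrm_ops->order`, `secmark_ops->order`), where the old code returned a constant 0. The hunks do not show where these pointers are assigned, so it is unclear whether one can still be NULL when no LSM has claimed the feature or before registration has finished; in kernel context that would be a NULL dereference on the labeling path. The `lsm_secmark_ops()` stub added in the last hunk returns NULL, so callers already have to cope with a NULL ops pointer in one configuration. Either state the non-NULL invariant in a comment next to the `extern` declarations, or guard the read, e.g. `return secmark_ops ? secmark_ops->order : 0;`, once it is confirmed that 0 is the right fallback.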
Something went wrong here with the #ifdef/#else stuff here. I built without CONFIG_SECURITY_NETWORK_XFRM and it fails, missing lsm_xfrm_order(). If I added an #else to the CONFIG_SECURITY_NETWORK_XFRM check and made lsm_xfrm_order() return 0 there too, it built fine. -Kees -- Kees Cook Chrome OS Security