diff options
| author | Casey Schaufler <casey@schaufler-ca.com> | 2024-10-09 10:32:10 -0700 |
|---|---|---|
| committer | Paul Moore <paul@paul-moore.com> | 2024-10-11 14:34:12 -0400 |
| commit | 870b7fdc660b38c4e1bd8bf48e62aa352ddf8f42 (patch) | |
| tree | 6895925c59b98edee5d7813c3ad2004507394af6 /security/selinux | |
| parent | ed870e35db660724ff0d815d9a3ef9a6247ffbab (diff) | |
| download | linux-870b7fdc660b38c4e1bd8bf48e62aa352ddf8f42.tar.gz linux-870b7fdc660b38c4e1bd8bf48e62aa352ddf8f42.tar.bz2 linux-870b7fdc660b38c4e1bd8bf48e62aa352ddf8f42.zip | |
lsm: use lsm_prop in security_audit_rule_match
Change the secid parameter of security_audit_rule_match
to a lsm_prop structure pointer. Pass the entry from the
lsm_prop structure for the approprite slot to the LSM hook.
Change the users of security_audit_rule_match to use the
lsm_prop instead of a u32. The scaffolding function lsmprop_init()
fills the structure with the value of the old secid, ensuring that
it is available to the appropriate module hook. The sources of
the secid, security_task_getsecid() and security_inode_getsecid(),
will be converted to use the lsm_prop structure later in the series.
At that point the use of lsmprop_init() is dropped.
Signed-off-by: Casey Schaufler <casey@schaufler-ca.com>
[PM: subject line tweak]
Signed-off-by: Paul Moore <paul@paul-moore.com>
Diffstat (limited to 'security/selinux')
| -rw-r--r-- | security/selinux/include/audit.h | 4 | ||||
| -rw-r--r-- | security/selinux/ss/services.c | 10 |
2 files changed, 9 insertions, 5 deletions
diff --git a/security/selinux/include/audit.h b/security/selinux/include/audit.h index 168d17be7df3..c745ea2a993d 100644 --- a/security/selinux/include/audit.h +++ b/security/selinux/include/audit.h @@ -41,7 +41,7 @@ void selinux_audit_rule_free(void *rule); /** * selinux_audit_rule_match - determine if a context ID matches a rule. - * @sid: the context ID to check + * @prop: includes the context ID to check * @field: the field this rule refers to * @op: the operator the rule uses * @rule: pointer to the audit rule to check against @@ -49,7 +49,7 @@ void selinux_audit_rule_free(void *rule); * Returns 1 if the context id matches the rule, 0 if it does not, and * -errno on failure. */ -int selinux_audit_rule_match(u32 sid, u32 field, u32 op, void *rule); +int selinux_audit_rule_match(struct lsm_prop *prop, u32 field, u32 op, void *rule); /** * selinux_audit_rule_known - check to see if rule contains selinux fields. diff --git a/security/selinux/ss/services.c b/security/selinux/ss/services.c index a9830fbfc5c6..e0c14773a7b7 100644 --- a/security/selinux/ss/services.c +++ b/security/selinux/ss/services.c @@ -3635,7 +3635,7 @@ int selinux_audit_rule_known(struct audit_krule *rule) return 0; } -int selinux_audit_rule_match(u32 sid, u32 field, u32 op, void *vrule) +int selinux_audit_rule_match(struct lsm_prop *prop, u32 field, u32 op, void *vrule) { struct selinux_state *state = &selinux_state; struct selinux_policy *policy; @@ -3661,10 +3661,14 @@ int selinux_audit_rule_match(u32 sid, u32 field, u32 op, void *vrule) goto out; } - ctxt = sidtab_search(policy->sidtab, sid); + /* scaffolding */ + if (!prop->selinux.secid && prop->scaffold.secid) + prop->selinux.secid = prop->scaffold.secid; + + ctxt = sidtab_search(policy->sidtab, prop->selinux.secid); if (unlikely(!ctxt)) { WARN_ONCE(1, "selinux_audit_rule_match: unrecognized SID %d\n", - sid); + prop->selinux.secid); match = -ENOENT; goto out; } |