lsm/stable-7.0 PR 20260203
-----BEGIN PGP SIGNATURE----- iQJIBAABCgAyFiEES0KozwfymdVUl37v6iDy2pc3iXMFAmmCurkUHHBhdWxAcGF1 bC1tb29yZS5jb20ACgkQ6iDy2pc3iXNDWA//RZxjjyY1I0GRDepJXJ8UFEVt4Fdr VsnSKL3o7sf0SAsQj2HCJsJPiwD5fHm2C2gdxh9rFC0bPpMbTVAkwUL7WhP+nkAt LA+UZKYurrk1XF6OctILoY3JcXmynb1Oe3lg6uVcWX5b1uEriqRgGKNcMYLb5fmr D1vZ9LMuZe8WwGTScprQID9FMrZ0TDbdI/vqG7si1W/PCFH7630MPJkmzmjPWvnV xJISKLOG+qbyWoNGLr+VaNjkmA+jPfsXAKWbfNXUGfikP8g/OHpFd70nIzJs8p7J dxZD7w6/kqSGhauQjcX8ov0zKxn83Z2Xt0+4Ldl5vOCWI3r4T3Y8WdarmULbq65n jIN8djDgmCJPqa5zuPmik+womaPk2GmSy1viEJdT4W0iHggTC1snOz1J+BbD+nkh uEZkmcCZbaeEQmfefxIyHDirrFsJvrunWupGrkfxvfFr+QU8H1xNLfMd6CQzvtI4 P5p/KrnP2e58tJqvPxSY315ewUMy73kZU5DUl+Rq6Y4ai415R7vtwwEEkSKWnyja LMdEumc9IrsiBMcLmsj8QwobCr7XJtdCQV5ohR8CPxxcsI/G0pR99e1pckD7l7Qm OG461BKHntU3SFWSiZw+rNWlJuyPcSy5nmUxQvxQHP9pShZPu8rTfYX+CBzrHJk2 OFjAwNJn1N/NfYI= =cCyp -----END PGP SIGNATURE----- Merge tag 'lsm-pr-20260203' of git://git.kernel.org/pub/scm/linux/kernel/git/pcmoore/lsm Pull lsm updates from Paul Moore: - Unify the security_inode_listsecurity() calls in NFSv4 While looking at security_inode_listsecurity() with an eye towards improving the interface, we realized that the NFSv4 code was making multiple calls to the LSM hook that could be consolidated into one. - Mark the LSM static branch keys as static - this helps resolve some sparse warnings - Add __rust_helper annotations to the LSM and cred wrapper functions - Remove the unsused set_security_override_from_ctx() function - Minor fixes to some of the LSM kdoc comment blocks * tag 'lsm-pr-20260203' of git://git.kernel.org/pub/scm/linux/kernel/git/pcmoore/lsm: lsm: make keys for static branch static cred: remove unused set_security_override_from_ctx() rust: security: add __rust_helper to helpers rust: cred: add __rust_helper to helpers nfs: unify security_inode_listsecurity() calls lsm: fix kernel-doc struct member names
commit
bcc8fd3e15
7 changed files with 23 additions and 75 deletions
|
|
@ -8172,33 +8172,12 @@ static int nfs4_xattr_get_nfs4_label(const struct xattr_handler *handler,
|
|||
return -EOPNOTSUPP;
|
||||
}
|
||||
|
||||
static ssize_t
|
||||
nfs4_listxattr_nfs4_label(struct inode *inode, char *list, size_t list_len)
|
||||
{
|
||||
int len = 0;
|
||||
|
||||
if (nfs_server_capable(inode, NFS_CAP_SECURITY_LABEL)) {
|
||||
len = security_inode_listsecurity(inode, list, list_len);
|
||||
if (len >= 0 && list_len && len > list_len)
|
||||
return -ERANGE;
|
||||
}
|
||||
return len;
|
||||
}
|
||||
|
||||
static const struct xattr_handler nfs4_xattr_nfs4_label_handler = {
|
||||
.prefix = XATTR_SECURITY_PREFIX,
|
||||
.get = nfs4_xattr_get_nfs4_label,
|
||||
.set = nfs4_xattr_set_nfs4_label,
|
||||
};
|
||||
|
||||
#else
|
||||
|
||||
static ssize_t
|
||||
nfs4_listxattr_nfs4_label(struct inode *inode, char *list, size_t list_len)
|
||||
{
|
||||
return 0;
|
||||
}
|
||||
|
||||
#endif
|
||||
|
||||
#ifdef CONFIG_NFS_V4_2
|
||||
|
|
@ -10995,7 +10974,7 @@ const struct nfs4_minor_version_ops *nfs_v4_minor_ops[] = {
|
|||
|
||||
static ssize_t nfs4_listxattr(struct dentry *dentry, char *list, size_t size)
|
||||
{
|
||||
ssize_t error, error2, error3, error4 = 0;
|
||||
ssize_t error, error2, error3;
|
||||
size_t left = size;
|
||||
|
||||
error = generic_listxattr(dentry, list, left);
|
||||
|
|
@ -11006,10 +10985,9 @@ static ssize_t nfs4_listxattr(struct dentry *dentry, char *list, size_t size)
|
|||
left -= error;
|
||||
}
|
||||
|
||||
error2 = nfs4_listxattr_nfs4_label(d_inode(dentry), list, left);
|
||||
error2 = security_inode_listsecurity(d_inode(dentry), list, left);
|
||||
if (error2 < 0)
|
||||
return error2;
|
||||
|
||||
if (list) {
|
||||
list += error2;
|
||||
left -= error2;
|
||||
|
|
@ -11018,18 +10996,8 @@ static ssize_t nfs4_listxattr(struct dentry *dentry, char *list, size_t size)
|
|||
error3 = nfs4_listxattr_nfs4_user(d_inode(dentry), list, left);
|
||||
if (error3 < 0)
|
||||
return error3;
|
||||
if (list) {
|
||||
list += error3;
|
||||
left -= error3;
|
||||
}
|
||||
|
||||
if (!nfs_server_capable(d_inode(dentry), NFS_CAP_SECURITY_LABEL)) {
|
||||
error4 = security_inode_listsecurity(d_inode(dentry), list, left);
|
||||
if (error4 < 0)
|
||||
return error4;
|
||||
}
|
||||
|
||||
error += error2 + error3 + error4;
|
||||
error += error2 + error3;
|
||||
if (size && error > size)
|
||||
return -ERANGE;
|
||||
return error;
|
||||
|
|
|
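Review bot: In the nfs4_listxattr hunk the -ERANGE guard that the deleted nfs4_listxattr_nfs4_label() applied right after security_inode_listsecurity() is not carried over, so when the hook reports a label length larger than the remaining space, `list += error2; left -= error2;` advances the pointer past the caller's buffer and wraps the size_t `left` before nfs4_listxattr_nfs4_user() is called with both. The final `if (size && error > size)` check only runs after that call, so it cannot keep the bogus pointer and length from reaching it; whether nfs4_listxattr_nfs4_user() writes through them depends on its own bounds handling, which is outside this hunk. generic_listxattr() is, as far as I recall, itself returning -ERANGE in that situation, which is presumably why the old helper mirrored that contract for the label path. Restoring the guard directly after the `error2 < 0` test keeps the consolidated call equivalent to what it replaces: `if (left && (size_t)error2 > left) return -ERANGE;`. nfs4_listxattr's body continues outside the hunk boundaries shown here.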
|||
|
|
@ -164,7 +164,6 @@ static inline const struct cred *kernel_cred(void)
|
|||
return rcu_dereference_raw(init_task.cred);
|
||||
}
|
||||
extern int set_security_override(struct cred *, u32);
|
||||
extern int set_security_override_from_ctx(struct cred *, const char *);
|
||||
extern int set_create_files_as(struct cred *, struct inode *);
|
||||
extern int cred_fscmp(const struct cred *, const struct cred *);
|
||||
extern void __init cred_init(void);
|
||||
|
|
|
|||
|
|
@ -73,7 +73,7 @@ struct lsm_static_calls_table {
|
|||
|
||||
/**
|
||||
* struct lsm_id - Identify a Linux Security Module.
|
||||
* @lsm: name of the LSM, must be approved by the LSM maintainers
|
||||
* @name: name of the LSM, must be approved by the LSM maintainers
|
||||
* @id: LSM ID number from uapi/linux/lsm.h
|
||||
*
|
||||
* Contains the information that identifies the LSM.
|
||||
|
|
@ -164,7 +164,7 @@ enum lsm_order {
|
|||
* @initcall_core: LSM callback for core_initcall() setup, optional
|
||||
* @initcall_subsys: LSM callback for subsys_initcall() setup, optional
|
||||
* @initcall_fs: LSM callback for fs_initcall setup, optional
|
||||
* @nitcall_device: LSM callback for device_initcall() setup, optional
|
||||
* @initcall_device: LSM callback for device_initcall() setup, optional
|
||||
* @initcall_late: LSM callback for late_initcall() setup, optional
|
||||
*/
|
||||
struct lsm_info {
|
||||
|
|
|
|||
|
|
@ -620,29 +620,6 @@ int set_security_override(struct cred *new, u32 secid)
|
|||
}
|
||||
EXPORT_SYMBOL(set_security_override);
|
||||
|
||||
/**
|
||||
* set_security_override_from_ctx - Set the security ID in a set of credentials
|
||||
* @new: The credentials to alter
|
||||
* @secctx: The LSM security context to generate the security ID from.
|
||||
*
|
||||
* Set the LSM security ID in a set of credentials so that the subjective
|
||||
* security is overridden when an alternative set of credentials is used. The
|
||||
* security ID is specified in string form as a security context to be
|
||||
* interpreted by the LSM.
|
||||
*/
|
||||
int set_security_override_from_ctx(struct cred *new, const char *secctx)
|
||||
{
|
||||
u32 secid;
|
||||
int ret;
|
||||
|
||||
ret = security_secctx_to_secid(secctx, strlen(secctx), &secid);
|
||||
if (ret < 0)
|
||||
return ret;
|
||||
|
||||
return set_security_override(new, secid);
|
||||
}
|
||||
EXPORT_SYMBOL(set_security_override_from_ctx);
|
||||
|
||||
/**
|
||||
* set_create_files_as - Set the LSM file create context in a set of credentials
|
||||
* @new: The credentials to alter
|
||||
|
|
|
|||
|
|
@ -2,12 +2,12 @@
|
|||
|
||||
#include <linux/cred.h>
|
||||
|
||||
const struct cred *rust_helper_get_cred(const struct cred *cred)
|
||||
__rust_helper const struct cred *rust_helper_get_cred(const struct cred *cred)
|
||||
{
|
||||
return get_cred(cred);
|
||||
}
|
||||
|
||||
void rust_helper_put_cred(const struct cred *cred)
|
||||
__rust_helper void rust_helper_put_cred(const struct cred *cred)
|
||||
{
|
||||
put_cred(cred);
|
||||
}
|
||||
|
|
|
|||
|
|
@ -3,41 +3,45 @@
|
|||
#include <linux/security.h>
|
||||
|
||||
#ifndef CONFIG_SECURITY
|
||||
void rust_helper_security_cred_getsecid(const struct cred *c, u32 *secid)
|
||||
__rust_helper void rust_helper_security_cred_getsecid(const struct cred *c,
|
||||
u32 *secid)
|
||||
{
|
||||
security_cred_getsecid(c, secid);
|
||||
}
|
||||
|
||||
int rust_helper_security_secid_to_secctx(u32 secid, struct lsm_context *cp)
|
||||
__rust_helper int rust_helper_security_secid_to_secctx(u32 secid,
|
||||
struct lsm_context *cp)
|
||||
{
|
||||
return security_secid_to_secctx(secid, cp);
|
||||
}
|
||||
|
||||
void rust_helper_security_release_secctx(struct lsm_context *cp)
|
||||
__rust_helper void rust_helper_security_release_secctx(struct lsm_context *cp)
|
||||
{
|
||||
security_release_secctx(cp);
|
||||
}
|
||||
|
||||
int rust_helper_security_binder_set_context_mgr(const struct cred *mgr)
|
||||
__rust_helper int
|
||||
rust_helper_security_binder_set_context_mgr(const struct cred *mgr)
|
||||
{
|
||||
return security_binder_set_context_mgr(mgr);
|
||||
}
|
||||
|
||||
int rust_helper_security_binder_transaction(const struct cred *from,
|
||||
const struct cred *to)
|
||||
__rust_helper int
|
||||
rust_helper_security_binder_transaction(const struct cred *from,
|
||||
const struct cred *to)
|
||||
{
|
||||
return security_binder_transaction(from, to);
|
||||
}
|
||||
|
||||
int rust_helper_security_binder_transfer_binder(const struct cred *from,
|
||||
const struct cred *to)
|
||||
__rust_helper int
|
||||
rust_helper_security_binder_transfer_binder(const struct cred *from,
|
||||
const struct cred *to)
|
||||
{
|
||||
return security_binder_transfer_binder(from, to);
|
||||
}
|
||||
|
||||
int rust_helper_security_binder_transfer_file(const struct cred *from,
|
||||
const struct cred *to,
|
||||
const struct file *file)
|
||||
__rust_helper int rust_helper_security_binder_transfer_file(
|
||||
const struct cred *from, const struct cred *to, const struct file *file)
|
||||
{
|
||||
return security_binder_transfer_file(from, to, file);
|
||||
}
|
||||
|
|
|
|||
|
|
@ -115,7 +115,7 @@ do { \
|
|||
#define DEFINE_LSM_STATIC_CALL(NUM, NAME, RET, ...) \
|
||||
DEFINE_STATIC_CALL_NULL(LSM_STATIC_CALL(NAME, NUM), \
|
||||
*((RET(*)(__VA_ARGS__))NULL)); \
|
||||
DEFINE_STATIC_KEY_FALSE(SECURITY_HOOK_ACTIVE_KEY(NAME, NUM));
|
||||
static DEFINE_STATIC_KEY_FALSE(SECURITY_HOOK_ACTIVE_KEY(NAME, NUM));
|
||||
|
||||
#define LSM_HOOK(RET, DEFAULT, NAME, ...) \
|
||||
LSM_DEFINE_UNROLL(DEFINE_LSM_STATIC_CALL, NAME, RET, __VA_ARGS__)
|
||||
|
|
|
|||