SELinux: Abstract use of ipc security blobs

Don't use the ipc->security pointer directly. Don't use the msg_msg->security pointer directly. Provide helper functions that provides the security blob pointers. Signed-off-by: Casey Schaufler <casey@schaufler-ca.com> Reviewed-by: Kees Cook <keescook@chromium.org> Signed-off-by: Kees Cook <keescook@chromium.org>
2018-09-21 17:19:45 -07:00 · 2018-09-21 17:19:45 -07:00 · 7c6538280a
commit 7c6538280a
parent f4ad8f2c40
2 changed files with 22 additions and 9 deletions
--- a/security/selinux/hooks.c
+++ b/security/selinux/hooks.c
@ -5678,7 +5678,7 @@ static int ipc_has_perm(struct kern_ipc_perm *ipc_perms,
 	struct common_audit_data ad;
 	u32 sid = current_sid();
-	isec = ipc_perms->security;
+	isec = selinux_ipc(ipc_perms);
 	ad.type = LSM_AUDIT_DATA_IPC;
 	ad.u.ipc_id = ipc_perms->key;
@ -5735,7 +5735,7 @@ static int selinux_msg_queue_associate(struct kern_ipc_perm *msq, int msqflg)
 	struct common_audit_data ad;
 	u32 sid = current_sid();
-	isec = msq->security;
+	isec = selinux_ipc(msq);
 	ad.type = LSM_AUDIT_DATA_IPC;
 	ad.u.ipc_id = msq->key;
@ -5784,8 +5784,8 @@ static int selinux_msg_queue_msgsnd(struct kern_ipc_perm *msq, struct msg_msg *m
 	u32 sid = current_sid();
 	int rc;
-	isec = msq->security;
+	isec = selinux_ipc(msq);
-	msec = msg->security;
+	msec = selinux_msg_msg(msg);
 	/*
 	 * First time through, need to assign label to the message
@ -5832,8 +5832,8 @@ static int selinux_msg_queue_msgrcv(struct kern_ipc_perm *msq, struct msg_msg *m
 	u32 sid = task_sid(target);
 	int rc;
-	isec = msq->security;
+	isec = selinux_ipc(msq);
-	msec = msg->security;
+	msec = selinux_msg_msg(msg);
 	ad.type = LSM_AUDIT_DATA_IPC;
 	ad.u.ipc_id = msq->key;
@ -5886,7 +5886,7 @@ static int selinux_shm_associate(struct kern_ipc_perm *shp, int shmflg)
 	struct common_audit_data ad;
 	u32 sid = current_sid();
-	isec = shp->security;
+	isec = selinux_ipc(shp);
 	ad.type = LSM_AUDIT_DATA_IPC;
 	ad.u.ipc_id = shp->key;
@ -5983,7 +5983,7 @@ static int selinux_sem_associate(struct kern_ipc_perm *sma, int semflg)
 	struct common_audit_data ad;
 	u32 sid = current_sid();
-	isec = sma->security;
+	isec = selinux_ipc(sma);
 	ad.type = LSM_AUDIT_DATA_IPC;
 	ad.u.ipc_id = sma->key;
@ -6069,7 +6069,7 @@ static int selinux_ipc_permission(struct kern_ipc_perm *ipcp, short flag)
 static void selinux_ipc_getsecid(struct kern_ipc_perm *ipcp, u32 *secid)
 {
-	struct ipc_security_struct *isec = ipcp->security;
+	struct ipc_security_struct *isec = selinux_ipc(ipcp);
 	*secid = isec->sid;
 }
--- a/security/selinux/include/objsec.h
+++ b/security/selinux/include/objsec.h
@ -26,6 +26,7 @@
 #include <linux/in.h>
 #include <linux/spinlock.h>
 #include <linux/lsm_hooks.h>
 #include <linux/msg.h>
 #include <net/net_namespace.h>
 #include "flask.h"
 #include "avc.h"
@ -175,4 +176,16 @@ static inline struct inode_security_struct *selinux_inode(
 	return inode->i_security + selinux_blob_sizes.lbs_inode;
 }
 static inline struct msg_security_struct *selinux_msg_msg(
 						const struct msg_msg *msg_msg)
 {
 	return msg_msg->security;
 }
 static inline struct ipc_security_struct *selinux_ipc(
 						const struct kern_ipc_perm *ipc)
 {
 	return ipc->security;
 }
 #endif /* _SELINUX_OBJSEC_H_ */