From patchwork Mon Dec 13 23:40:14 2021
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Casey Schaufler <casey@schaufler-ca.com>
X-Patchwork-Id: 1567509
X-Patchwork-Delegate: pablo@netfilter.org
Return-Path: <netfilter-devel-owner@vger.kernel.org>
X-Original-To: incoming@patchwork.ozlabs.org
Delivered-To: patchwork-incoming@bilbo.ozlabs.org
Authentication-Results: bilbo.ozlabs.org;
	dkim=pass (2048-bit key;
 unprotected) header.d=yahoo.com header.i=@yahoo.com header.a=rsa-sha256
 header.s=s2048 header.b=DEIbbkGO;
	dkim-atps=neutral
Authentication-Results: ozlabs.org;
 spf=pass (sender SPF authorized) smtp.mailfrom=vger.kernel.org
 (client-ip=23.128.96.18; helo=vger.kernel.org;
 envelope-from=netfilter-devel-owner@vger.kernel.org; receiver=<UNKNOWN>)
Received: from vger.kernel.org (vger.kernel.org [23.128.96.18])
	by bilbo.ozlabs.org (Postfix) with ESMTP id 4JCdXQ6h5Yz9sVq
	for <incoming@patchwork.ozlabs.org>; Tue, 14 Dec 2021 10:49:42 +1100 (AEDT)
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S244277AbhLMXtk (ORCPT <rfc822;incoming@patchwork.ozlabs.org>);
        Mon, 13 Dec 2021 18:49:40 -0500
Received: from sonic306-28.consmr.mail.ne1.yahoo.com ([66.163.189.90]:46554
        "EHLO sonic306-28.consmr.mail.ne1.yahoo.com" rhost-flags-OK-OK-OK-OK)
        by vger.kernel.org with ESMTP id S242732AbhLMXtj (ORCPT
        <rfc822;netfilter-devel@vger.kernel.org>);
        Mon, 13 Dec 2021 18:49:39 -0500
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=yahoo.com; s=s2048;
 t=1639439378; bh=jED1FKxellw4KtQDkWf6Z/5uafpV100mgrllKbb8X90=;
 h=From:To:Cc:Subject:Date:In-Reply-To:References:From:Subject:Reply-To;
 b=DEIbbkGO6YIqi7gr3KJm9RTXTpuAYmaPK4b2ckhYa9hDnniHq60fPqZHdPWpbIgibhGLXTyI2hnOpvmilltqIqsucKpjOshaGu2e2y9ynhTqOdhr71BeWgVR98KCrpFagjysirbdVY7PjKKvvcIZsjBCgqYjwyb3Bz7WxVxSZATD1KPr/vlPF2xVs5mnb6xuSgE5QnYVtNAqXQQjhlZmWd+PwnF+A+g4T9eCJE0XQ9XjaNn1AQLL8wDIuzKf5eL6iEYHffLuQYJXOzv7Kg0bCS02K8BUc0D4/cMW51vqccoauVVeHT7Hf7X09XlkF6m+GV5RQ+I22U9nj6POuTFKRw==
X-SONIC-DKIM-SIGN: v=1; a=rsa-sha256; c=relaxed/relaxed; d=yahoo.com; s=s2048;
 t=1639439378; bh=V/ADtwObiPT035hBwB4n02igK7ErvLlMXO92/D5Wt8Z=;
 h=X-Sonic-MF:From:To:Subject:Date:From:Subject;
 b=kDB31NVsOWacd5kJumDs9pfT4GG+uPgCxeteU8YZLxLbpohVgT2O5vHy0NO3W7aA0zSPgUbJLDkyCpNlGZPO/q4BAvaCL8WcaK1dvL95aIl5gL+IXcxxz4htcNh8yX2Ap3CZDpY3Z4nnDKTw5F51EJUNAptxuspiJ9UHUgnw9tqWGmYb+cuOAKcTB5Hpsrppe63/9l9Hh4859itgwsBsCJEgrurwICW2W45O6X+2fRjQ3fIJJdrfwf0j5GZIWt1+JXSGe9D2+zUlBykZnv1WMJmmW1dF7M9urmKfpIQvHwNi1bw9CINQiIeHCxgMLTOwMbTH1GA2HGbwicRONGMuJA==
X-YMail-OSG: yxJ0gS4VM1mvuKEFInuzdpAPEHoEFSCzPrBQDCOuxRhSVefQ9ewJ5LrKxndhrSM
 oBKRpVUT2u8VpLCnsA4.hCyQMgXkqPQV5fiU.b_dmo4peXOevUU4j6zbJTdpwCT4giViHf49xtaJ
 D6x7Rr7ePN5s3cW.13az9qExpQ7m8iwmtwD2.wNteznkx586M..1GYcljFnyNf0e9OXsiJ.s3Rum
 xrZACBEft800Q0yCPk.WFN0SoEqo06dYfHChE1CIGGFvdPS8aDmLhfHrp7of2o65cJP.dDCfiOFH
 IdggmbJv0kpCNx6NIb7WYOIGgQ0vMkZ_4wWBi_euiM5alMg1hpC.fQ4YfjgWcQcRhMHpse5OQ1iH
 vsPPaFQsrixonA9U5fOKOfAuGLZBToLAb0T8UHzjyfzUpJEGnwdIl0axH9WZhObocA3InBAiw_GP
 .ZygM3Zu2AqwwivqnCLTYEONOgiq1jqY0iTjvnjojehtnOMr9Uufv9Rl0SO371xGPw_epsaB2wb2
 NnL.R6.yfV0CYo76IXny046riaPLW9pbgi1IkyO0l0q01uBZurRBd.46VZ8ISYB5tSOuIuc1Z8Cx
 6VSHtaRjepIE4BYHTS97O_DG5yTROKJhg_lnYxL37DcGvtw_.HBivAxzgVAh3f5CIhc_ts_XhVoG
 ndJMrOarleASemNaUjTs991aOYAyb72HuOvWILgIWnKzXz7Rbkcj38a7xmxaaxt0x45bp63Hbmsb
 60gz_cPyDH0THVEL3mZs0_anIlmsMRNKUk75Aw6JBpxnO3_2wexH60c_EejnITb2yWRwaT43WGkV
 cWLep3OGk5R4JyqK64LI4at_qDj3kWr1w9rmnLLNxfqXDxSTa4YpDBYej8Umr82CBnatovbR1GjR
 oFybsMT9SN5eqc12xGbbXIkbuy3qIOpSHNTG.m.H_s8ZIWBuOeFcRF4ONqexzafKzP8KKuI_5l2p
 fsDeqTTC_FsGMvudP9Yo9VM4t1Zv1ABp8YCBnra5UbeKQyJ3uiMExgiDTLJDT9ben53rh27jgVhL
 4aIF0t_vhltqEDQl4TO6U7WKZHjo80vQdOKCK1pgjS7gbQLSH0w8eoCACMjIQYAe9E448Ynrcfnu
 ALvznzjnbda4b2SkV.Rsw5X4NTIEAOPZNpLdUo_oajMqQ3AHVCKBQKvB9OImXWKZ8cY1g.nFm9Tx
 oTH19CM9YhOm2cPHHCOgj8mvpEOsKNwTkcKdSh2DmOjKDo1bkQdd9QsynNAq6SjLdudD09Cl47gW
 2c73FejA_PT7kBKmEc_pxjsE49alizY0cJ0QUci9gmlVtvsr9cziedUu4U71XnFWMdTwyvbb0CMP
 UVQAMWc_TnTTCsYk_BQjpbYR90I5w1Afb0eYXSqNJbT0RQ9Qiqs0gIZmFoibtWEJr0MOLRfY_Yy3
 gA9VkW98HkeupgCpaJJTmxLAuoXtI6wf9cVWafpxzDbKRNCYW64MFp7BUW0PGxn3psqxFppLZ7wW
 7NOPNjJ7IJE1QXLY1R9JmGlGY0s5dGsd.zxyud0BOdOZEMpA0uLhNaJQC1yyN_fodt0U_baqTjDP
 bknPzP6UgaP.Lu8wzvXgXi_Fz7s98vkl_otQq.dEiHGRG3ISqgUlE.4kTRtZXnaIAel7n.XFWKmC
 XGaYoQfWZ1i0KEdLqPtO3QYChwvO2n_K0ObRC0fz2oVXjLsnzmKzlvO6bHepDGjtj_Zjbydllk.s
 jGpx9fz_4l2o9leW.7FFo7z9NzyiXfxdpM54SPfehZvIgkHp5ajALDE9BYZg_18D0gidt1x0A8XZ
 uTo8uyjMtifsMtx9JOnbEcJCtJhCp3SSfUmPoiHvXtbM8eUscoyp2AuzNP3epL5xGTd7n97ZBa_k
 266rlx09mw0cR75zOQ2xedLJkM0t9RPKdqIGWyCVWGRv0y0qY2gRyT6oDQuVsZXvFzR0mf6TkYIg
 odpjd4Mm.5Qz7hh301YwiXLvAqfPX8F27XqCIlhsS7QC_5A_L.Zkt4TTuFcHANtW3L_It0acJEKd
 Vyanji.mORQCXlDgLyRrIto_HcbSxBT6TEVqFcWmeV1n5eaxKDCL7qHdUwh580jX5Cpfzld.d7fV
 j7EaG2JiuPTksEiVq5Hj5OOlZHKRxu_O8inY3OwVu4FNEroYDALWZLaH5xrugPxofCGg.NPt23b7
 dkwb_R02NjP3XdZZNAx2KC0Zdd2mjEu2NS_pdVsfYsHHi.GoYzBgIuVWdoepqoA0EEpQ5qrJLWTN
 SEeXqfDrUjqdLmenbGXFinvtSdIxKVZMng5iHHR4.oxrzJ7KT4Uqc1cDur1Onw_RCHfqFUSHt_Ae
 Vf8z14KGi4OL24U_4wUId6luhGjE0zcW37qdvV7sedew-
X-Sonic-MF: <casey@schaufler-ca.com>
Received: from sonic.gate.mail.ne1.yahoo.com by
 sonic306.consmr.mail.ne1.yahoo.com with HTTP; Mon, 13 Dec 2021 23:49:38 +0000
Received: by kubenode527.mail-prod1.omega.ne1.yahoo.com (VZM Hermes SMTP
 Server) with ESMTPA ID 3c37c5f8f0988af181e864687125ff70;
          Mon, 13 Dec 2021 23:49:33 +0000 (UTC)
From: Casey Schaufler <casey@schaufler-ca.com>
To: casey.schaufler@intel.com, jmorris@namei.org,
        linux-security-module@vger.kernel.org, selinux@vger.kernel.org
Cc: casey@schaufler-ca.com, linux-audit@redhat.com,
        keescook@chromium.org, john.johansen@canonical.com,
        penguin-kernel@i-love.sakura.ne.jp, paul@paul-moore.com,
        sds@tycho.nsa.gov, linux-kernel@vger.kernel.org,
        netdev@vger.kernel.org, netfilter-devel@vger.kernel.org
Subject: [PATCH v31 08/28] LSM: Use lsmblob in security_secctx_to_secid
Date: Mon, 13 Dec 2021 15:40:14 -0800
Message-Id: <20211213234034.111891-9-casey@schaufler-ca.com>
X-Mailer: git-send-email 2.31.1
In-Reply-To: <20211213234034.111891-1-casey@schaufler-ca.com>
References: <20211213234034.111891-1-casey@schaufler-ca.com>
MIME-Version: 1.0
Precedence: bulk
List-ID: <netfilter-devel.vger.kernel.org>
X-Mailing-List: netfilter-devel@vger.kernel.org

Change the security_secctx_to_secid interface to use a lsmblob
structure in place of the single u32 secid in support of
module stacking. Change its callers to do the same.

The security module hook is unchanged, still passing back a secid.
The infrastructure passes the correct entry from the lsmblob.

Acked-by: Paul Moore <paul@paul-moore.com>
Reviewed-by: Kees Cook <keescook@chromium.org>
Signed-off-by: Casey Schaufler <casey@schaufler-ca.com>
Cc: netdev@vger.kernel.org
Cc: netfilter-devel@vger.kernel.org
To: Pablo Neira Ayuso <pablo@netfilter.org>
---
 include/linux/security.h          | 26 ++++++++++++++++++--
 kernel/cred.c                     |  4 +---
 net/netfilter/nft_meta.c          | 10 ++++----
 net/netfilter/xt_SECMARK.c        |  7 +++++-
 net/netlabel/netlabel_unlabeled.c | 23 +++++++++++-------
 security/security.c               | 40 ++++++++++++++++++++++++++-----
 6 files changed, 85 insertions(+), 25 deletions(-)

diff --git a/include/linux/security.h b/include/linux/security.h
index aaa63bf5026e..8a547fc4affa 100644
--- a/include/linux/security.h
+++ b/include/linux/security.h
@@ -198,6 +198,27 @@ static inline bool lsmblob_equal(struct lsmblob *bloba, struct lsmblob *blobb)
 extern int lsm_name_to_slot(char *name);
 extern const char *lsm_slot_to_name(int slot);
 
+/**
+ * lsmblob_value - find the first non-zero value in an lsmblob structure.
+ * @blob: Pointer to the data
+ *
+ * This needs to be used with extreme caution, as the cases where
+ * it is appropriate are rare.
+ *
+ * Return the first secid value set in the lsmblob.
+ * There should only be one.
+ */
+static inline u32 lsmblob_value(const struct lsmblob *blob)
+{
+	int i;
+
+	for (i = 0; i < LSMBLOB_ENTRIES; i++)
+		if (blob->secid[i])
+			return blob->secid[i];
+
+	return 0;
+}
+
 /* These functions are in security/commoncap.c */
 extern int cap_capable(const struct cred *cred, struct user_namespace *ns,
 		       int cap, unsigned int opts);
@@ -530,7 +551,8 @@ int security_setprocattr(const char *lsm, const char *name, void *value,
 int security_netlink_send(struct sock *sk, struct sk_buff *skb);
 int security_ismaclabel(const char *name);
 int security_secid_to_secctx(u32 secid, char **secdata, u32 *seclen);
-int security_secctx_to_secid(const char *secdata, u32 seclen, u32 *secid);
+int security_secctx_to_secid(const char *secdata, u32 seclen,
+			     struct lsmblob *blob);
 void security_release_secctx(char *secdata, u32 seclen);
 void security_inode_invalidate_secctx(struct inode *inode);
 int security_inode_notifysecctx(struct inode *inode, void *ctx, u32 ctxlen);
@@ -1391,7 +1413,7 @@ static inline int security_secid_to_secctx(u32 secid, char **secdata, u32 *secle
 
 static inline int security_secctx_to_secid(const char *secdata,
 					   u32 seclen,
-					   u32 *secid)
+					   struct lsmblob *blob)
 {
 	return -EOPNOTSUPP;
 }
diff --git a/kernel/cred.c b/kernel/cred.c
index e5e41bd4efc3..a112ea708b6e 100644
--- a/kernel/cred.c
+++ b/kernel/cred.c
@@ -796,14 +796,12 @@ EXPORT_SYMBOL(set_security_override);
 int set_security_override_from_ctx(struct cred *new, const char *secctx)
 {
 	struct lsmblob blob;
-	u32 secid;
 	int ret;
 
-	ret = security_secctx_to_secid(secctx, strlen(secctx), &secid);
+	ret = security_secctx_to_secid(secctx, strlen(secctx), &blob);
 	if (ret < 0)
 		return ret;
 
-	lsmblob_init(&blob, secid);
 	return set_security_override(new, &blob);
 }
 EXPORT_SYMBOL(set_security_override_from_ctx);
diff --git a/net/netfilter/nft_meta.c b/net/netfilter/nft_meta.c
index fe91ff5f8fbe..c171c9aadb01 100644
--- a/net/netfilter/nft_meta.c
+++ b/net/netfilter/nft_meta.c
@@ -813,21 +813,21 @@ static const struct nla_policy nft_secmark_policy[NFTA_SECMARK_MAX + 1] = {
 
 static int nft_secmark_compute_secid(struct nft_secmark *priv)
 {
-	u32 tmp_secid = 0;
+	struct lsmblob blob;
 	int err;
 
-	err = security_secctx_to_secid(priv->ctx, strlen(priv->ctx), &tmp_secid);
+	err = security_secctx_to_secid(priv->ctx, strlen(priv->ctx), &blob);
 	if (err)
 		return err;
 
-	if (!tmp_secid)
+	if (!lsmblob_is_set(&blob))
 		return -ENOENT;
 
-	err = security_secmark_relabel_packet(tmp_secid);
+	err = security_secmark_relabel_packet(lsmblob_value(&blob));
 	if (err)
 		return err;
 
-	priv->secid = tmp_secid;
+	priv->secid = lsmblob_value(&blob);
 	return 0;
 }
 
diff --git a/net/netfilter/xt_SECMARK.c b/net/netfilter/xt_SECMARK.c
index 498a0bf6f044..87ca3a537d1c 100644
--- a/net/netfilter/xt_SECMARK.c
+++ b/net/netfilter/xt_SECMARK.c
@@ -42,13 +42,14 @@ secmark_tg(struct sk_buff *skb, const struct xt_secmark_target_info_v1 *info)
 
 static int checkentry_lsm(struct xt_secmark_target_info_v1 *info)
 {
+	struct lsmblob blob;
 	int err;
 
 	info->secctx[SECMARK_SECCTX_MAX - 1] = '\0';
 	info->secid = 0;
 
 	err = security_secctx_to_secid(info->secctx, strlen(info->secctx),
-				       &info->secid);
+				       &blob);
 	if (err) {
 		if (err == -EINVAL)
 			pr_info_ratelimited("invalid security context \'%s\'\n",
@@ -56,6 +57,10 @@ static int checkentry_lsm(struct xt_secmark_target_info_v1 *info)
 		return err;
 	}
 
+	/* xt_secmark_target_info can't be changed to use lsmblobs because
+	 * it is exposed as an API. Use lsmblob_value() to get the one
+	 * value that got set by security_secctx_to_secid(). */
+	info->secid = lsmblob_value(&blob);
 	if (!info->secid) {
 		pr_info_ratelimited("unable to map security context \'%s\'\n",
 				    info->secctx);
diff --git a/net/netlabel/netlabel_unlabeled.c b/net/netlabel/netlabel_unlabeled.c
index 566ba4397ee4..762561318d78 100644
--- a/net/netlabel/netlabel_unlabeled.c
+++ b/net/netlabel/netlabel_unlabeled.c
@@ -880,7 +880,7 @@ static int netlbl_unlabel_staticadd(struct sk_buff *skb,
 	void *addr;
 	void *mask;
 	u32 addr_len;
-	u32 secid;
+	struct lsmblob blob;
 	struct netlbl_audit audit_info;
 
 	/* Don't allow users to add both IPv4 and IPv6 addresses for a
@@ -904,13 +904,18 @@ static int netlbl_unlabel_staticadd(struct sk_buff *skb,
 	ret_val = security_secctx_to_secid(
 		                  nla_data(info->attrs[NLBL_UNLABEL_A_SECCTX]),
 				  nla_len(info->attrs[NLBL_UNLABEL_A_SECCTX]),
-				  &secid);
+				  &blob);
 	if (ret_val != 0)
 		return ret_val;
 
+	/* netlbl_unlhsh_add will be changed to pass a struct lsmblob *
+	 * instead of a u32 later in this patch set. security_secctx_to_secid()
+	 * will only be setting one entry in the lsmblob struct, so it is
+	 * safe to use lsmblob_value() to get that one value. */
+
 	return netlbl_unlhsh_add(&init_net,
-				 dev_name, addr, mask, addr_len, secid,
-				 &audit_info);
+				 dev_name, addr, mask, addr_len,
+				 lsmblob_value(&blob), &audit_info);
 }
 
 /**
@@ -931,7 +936,7 @@ static int netlbl_unlabel_staticadddef(struct sk_buff *skb,
 	void *addr;
 	void *mask;
 	u32 addr_len;
-	u32 secid;
+	struct lsmblob blob;
 	struct netlbl_audit audit_info;
 
 	/* Don't allow users to add both IPv4 and IPv6 addresses for a
@@ -953,13 +958,15 @@ static int netlbl_unlabel_staticadddef(struct sk_buff *skb,
 	ret_val = security_secctx_to_secid(
 		                  nla_data(info->attrs[NLBL_UNLABEL_A_SECCTX]),
 				  nla_len(info->attrs[NLBL_UNLABEL_A_SECCTX]),
-				  &secid);
+				  &blob);
 	if (ret_val != 0)
 		return ret_val;
 
+	/* security_secctx_to_secid() will only put one secid into the lsmblob
+	 * so it's safe to use lsmblob_value() to get the secid. */
 	return netlbl_unlhsh_add(&init_net,
-				 NULL, addr, mask, addr_len, secid,
-				 &audit_info);
+				 NULL, addr, mask, addr_len,
+				 lsmblob_value(&blob), &audit_info);
 }
 
 /**
diff --git a/security/security.c b/security/security.c
index 171e2fe66e5e..7ae68b6ffc7f 100644
--- a/security/security.c
+++ b/security/security.c
@@ -2195,10 +2195,22 @@ int security_secid_to_secctx(u32 secid, char **secdata, u32 *seclen)
 }
 EXPORT_SYMBOL(security_secid_to_secctx);
 
-int security_secctx_to_secid(const char *secdata, u32 seclen, u32 *secid)
+int security_secctx_to_secid(const char *secdata, u32 seclen,
+			     struct lsmblob *blob)
 {
-	*secid = 0;
-	return call_int_hook(secctx_to_secid, 0, secdata, seclen, secid);
+	struct security_hook_list *hp;
+	int rc;
+
+	lsmblob_init(blob, 0);
+	hlist_for_each_entry(hp, &security_hook_heads.secctx_to_secid, list) {
+		if (WARN_ON(hp->lsmid->slot < 0 || hp->lsmid->slot >= lsm_slot))
+			continue;
+		rc = hp->hook.secctx_to_secid(secdata, seclen,
+					      &blob->secid[hp->lsmid->slot]);
+		if (rc != 0)
+			return rc;
+	}
+	return 0;
 }
 EXPORT_SYMBOL(security_secctx_to_secid);
 
@@ -2349,10 +2361,26 @@ int security_socket_getpeersec_stream(struct socket *sock, char __user *optval,
 				optval, optlen, len);
 }
 
-int security_socket_getpeersec_dgram(struct socket *sock, struct sk_buff *skb, u32 *secid)
+int security_socket_getpeersec_dgram(struct socket *sock, struct sk_buff *skb,
+				     u32 *secid)
 {
-	return call_int_hook(socket_getpeersec_dgram, -ENOPROTOOPT, sock,
-			     skb, secid);
+	struct security_hook_list *hp;
+	int rc = -ENOPROTOOPT;
+
+	/*
+	 * Only one security module should provide a real hook for
+	 * this. A stub or bypass like is used in BPF should either
+	 * (somehow) leave rc unaltered or return -ENOPROTOOPT.
+	 */
+	hlist_for_each_entry(hp, &security_hook_heads.socket_getpeersec_dgram,
+			     list) {
+		if (WARN_ON(hp->lsmid->slot < 0 || hp->lsmid->slot >= lsm_slot))
+			continue;
+		rc = hp->hook.socket_getpeersec_dgram(sock, skb, secid);
+		if (rc != -ENOPROTOOPT)
+			break;
+	}
+	return rc;
 }
 EXPORT_SYMBOL(security_socket_getpeersec_dgram);
 

From patchwork Mon Dec 13 23:40:15 2021
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Casey Schaufler <casey@schaufler-ca.com>
X-Patchwork-Id: 1567510
X-Patchwork-Delegate: pablo@netfilter.org
Return-Path: <netfilter-devel-owner@vger.kernel.org>
X-Original-To: incoming@patchwork.ozlabs.org
Delivered-To: patchwork-incoming@bilbo.ozlabs.org
Authentication-Results: bilbo.ozlabs.org;
	dkim=pass (2048-bit key;
 unprotected) header.d=yahoo.com header.i=@yahoo.com header.a=rsa-sha256
 header.s=s2048 header.b=TCZmH7xI;
	dkim-atps=neutral
Authentication-Results: ozlabs.org;
 spf=pass (sender SPF authorized) smtp.mailfrom=vger.kernel.org
 (client-ip=23.128.96.18; helo=vger.kernel.org;
 envelope-from=netfilter-devel-owner@vger.kernel.org; receiver=<UNKNOWN>)
Received: from vger.kernel.org (vger.kernel.org [23.128.96.18])
	by bilbo.ozlabs.org (Postfix) with ESMTP id 4JCdYh4tR9z9sVq
	for <incoming@patchwork.ozlabs.org>; Tue, 14 Dec 2021 10:50:48 +1100 (AEDT)
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S239035AbhLMXup (ORCPT <rfc822;incoming@patchwork.ozlabs.org>);
        Mon, 13 Dec 2021 18:50:45 -0500
Received: from sonic315-27.consmr.mail.ne1.yahoo.com ([66.163.190.153]:37297
        "EHLO sonic315-27.consmr.mail.ne1.yahoo.com" rhost-flags-OK-OK-OK-OK)
        by vger.kernel.org with ESMTP id S238845AbhLMXuo (ORCPT
        <rfc822;netfilter-devel@vger.kernel.org>);
        Mon, 13 Dec 2021 18:50:44 -0500
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=yahoo.com; s=s2048;
 t=1639439444; bh=4DGh/JM0QhmeTFRLj4qUlvPwzAsptonLJlq2DPQNd6g=;
 h=From:To:Cc:Subject:Date:In-Reply-To:References:From:Subject:Reply-To;
 b=TCZmH7xIgpQBbo+jxRo28BK+loPYFWOrQC+5dQNOUmuMks31yultzW2RY/YRc0qacwfjHt3KSr0BemMpOctoFZCd2/wg43XdKWKsjQIt+XT90EcTIo3xMnWutCE1bz1MNO+UlH3RSj2QkLNsJQYWnmpv5UO31nimmfI7uaedOE4v0sKz+XUuxe1qGtIGajOtmHVArUWneWySalY3jG75sJu9Y1Exwl/h2XE8F34M+ZRcdogTPD8LMRpcK01w6w3uW/ct1NVNI+XVZyfn4xS+1qX1pCgRibsHm0O57pnuqu8yYQEw93ixLcyJ3IxOlwlKubSqQB0gRq0BjSx3dcBmGw==
X-SONIC-DKIM-SIGN: v=1; a=rsa-sha256; c=relaxed/relaxed; d=yahoo.com; s=s2048;
 t=1639439444; bh=lAw7NxdpvQt21T1uv17BItigZvUklMnHpeY8CDny0z5=;
 h=X-Sonic-MF:From:To:Subject:Date:From:Subject;
 b=BPzuj8B7xLj42GC5TwOUYHShWKsfXIh7vdm3i0zVj6KYtGp6F0Iv7X2Ok9APdb68k9nhw30bFw7Ubfp3zYIaCUbz/+KLSvpw5JDVKNxmldpAvX0eKGHBsGXC19JGZC/BPjl7za5qhOhLv1zKYZnP1cEBohLWS9uidzpYPFN51tfVnEL0ygPAoqekt+KbyBlV8gkUHvNJVZMFznDupa38WDkPkxnSCio5m28kGXFB6lrXGsNxL9xQLAhbyU2KGSY2og4CxGZ03i4b72h7NpRA/lEFMk9TdLuuIyxkVz3K1x3jCsj87jebd0TBxj9IdYUmIv6WJJhPtePZi15eOixcvA==
X-YMail-OSG: R7I091AVM1nKhsbJkLLpNRrEidQ3CCFDZ1QO3dRgE42V70_beT34NuGz6D.XBHM
 KHngGSK4I30212WLBgCfsh6Q5CQbv9xRrfW9Ca9vNfmDKXe7l.OkIE_Zd5Yio5urYvYZvHTWrKKQ
 gb2w7TM_v4hqBNwScPqOKyJcBsi7VZvZQU5LD6F3rUck9EBvXbxSREJHT1d.wk.MhDWMa1V_48vZ
 52_kxoEhjEQw_U5iZz11BKF3URmxXQ7MXVz6H9OeaGMEweB_mF3stYgZW3ThF0pzSNVeQsd2y6jZ
 NqS02rVPzjj0dYHvkfzG67eUKK7NzCKL_zbolRQMzCpzUtVNBp8bu.RRDNA64GIJkMPoiYys9oBX
 2qcysRQQC6B6jQdXXV6Bd2GEOERq.7LWVXXh5HW082U9GMFKvXtk9ADmmZzcnaTtU8A41BhstszS
 z8gaLbZ.1ec5ShB1DC2Fao6kIgSHZYGBPS3cf_Ax2Pwa.OSFGtV9ivGtO7hNspse4sT9sPRuu91u
 .aKHmVUhqVeLDHidBy1l0B1afczseQeTQahOcBu_qDX.hGi82xq16Oe9KpJh3nExIB_pMpatj8z1
 3Gw9JPTIr5kK5Z3ovtFzs9L6l_NZtCKAYfcLs8S51Uzq8QjtrvBVyb79E94OdMEOUTh.lCRZhgBg
 z9jENebH5ARp95F_GMAws5UQfu8AcFjFI3nvlZrdibnW6oReg5_drFfHTBisl9UGVViBQFO0llDe
 uAL12jw0xl8HCWd9UDKt_BOd9YThgNuowwbksWDnIj9KHXXRjxrtVGTN9owvN9G0xhxOwDSc90Om
 LUxYCZ5Q3Bi53GJhwmGhDd8k2pn.t6lH0PdvBw8EJlctl8JH2NoTkrmK_.uTYMQUy4C9vq6fA_iq
 POR.ywLsDZ4vV17ZgT7re8MzsJRRedRagHokZhFcOpjg3uWR2dIg2mVi3is.gCwkZZhb40sodGE6
 K4Tm93CUB0LsqXpMGYb3yiYxP_vnIX4UZnEUpDgbO8fgLKiDkr6OKnazYZ6p4G5dUD_bUBX4z5kJ
 TSDoovqZE3xJGyqQRvsFZnzhhdlmorF7T4C3AEG9.ZTxJsK01hZPBdK5t0ae6CZ2IL4F.kauflaq
 9PTHk9aHdoaQj0ZteYD2OYXtVprpwn96nOTiGqbG92ABr5ctKZfEu8j6e9XI4P8BcDuSTw7f.SK5
 G4n7Mx0eP2TC8wFNaa09ujMY_D9odjwavUKLnrX48ajhch9c5SZkExsl278LWdh53toXKcLp0N8d
 dcvMFU4ON_o1KHlixO39_Ce97eUcEeqwfVGGQYeRriMHLx9rna65LqmC.E2iXiAl6fpB0d76kTa_
 gutmaQsNQsWd2WDZ1HmypTvF6m7VW81.DrgPm45AlMH07AFV7IwCYuQ1pspuR_GGOe2jlIo.QHyy
 6iMFpb1cfHMhWgR4i.kbHQesQbNOYuDJqD261SW2HCxaZX00l36NQ3oxfG5uaZ407dSss0fD482o
 eYsHtf_kcMYdG5q6TJXbPYiqVE4PC7YtVTsHKi5Ncl5c7_LjIJiB0d74y5MarzZOFmnIm6FSeiJn
 byy4Eb8QSUVXPszL_7zyLW9nCqkZM0QKdCiDD6FHKGeGWgXUW_KrtfWdfizHCuLEatnE96DZO8PO
 nHE5mVip3avsg4CU8Yd_hy4PuS0AW6gpNeInf1T9vB_WlAoCqCwF8lkPHZ9JVK8Gj08ZRiNosrK2
 ZcOyeEXhjji78aWSN.rlnwRv4LF47gFjIaWPgkzICXWuw3Y4T_omIfNr4DbQzml3B0umasdL0fWn
 fSgdquIyBm9vEboAfF1lBIvjvIrl1YnJe36XSniwr5VOX25FnNwhcqHSEt435AcjhwGBtFgIrovI
 SwMAYk4N9Sx5Xn2dj3hW.yCkXZRy3uORsDRlYswV3txqROvxU2SEjmv7snF5LaiEjBn7_t9e.q7S
 NyH7YlSFGmz6HRLDuFyC9tGXyC2yhMd_nmIAOHA2oTA21PsxdS.BBprZZxqPkKE5dwhkIE9OxG98
 CPAaUbYD_VGLItLzU0AE_moY7Hxw_Qzl_KYMqiWBBVqofmLcxTZ2B_pa7lb6_4iek4HVeiYHYa.e
 SWp57qQh9OA2xr.HYpU1omJrU_6zA_UtqceUzgsnzhWnmng3tSxvDGQ4nEmgcjq15j0g6ATvQ.2l
 4kdOr11q8oZIXE0s5AzkcjMDsK8cQqE8NQu2EH8wbcMbjIiB5FE59fMoMJ3XyOJEKBC0qtMB1TLU
 BBloHtBuI8AA65NQyg5_ocQuwfvupXr9OWXuaHHUxHLrBsXo6crXM691hzB9iCYIeTKA-
X-Sonic-MF: <casey@schaufler-ca.com>
Received: from sonic.gate.mail.ne1.yahoo.com by
 sonic315.consmr.mail.ne1.yahoo.com with HTTP; Mon, 13 Dec 2021 23:50:44 +0000
Received: by kubenode527.mail-prod1.omega.ne1.yahoo.com (VZM Hermes SMTP
 Server) with ESMTPA ID 57efa93688f26ab0173e0a80180e1c16;
          Mon, 13 Dec 2021 23:50:39 +0000 (UTC)
From: Casey Schaufler <casey@schaufler-ca.com>
To: casey.schaufler@intel.com, jmorris@namei.org,
        linux-security-module@vger.kernel.org, selinux@vger.kernel.org
Cc: casey@schaufler-ca.com, linux-audit@redhat.com,
        keescook@chromium.org, john.johansen@canonical.com,
        penguin-kernel@i-love.sakura.ne.jp, paul@paul-moore.com,
        sds@tycho.nsa.gov, linux-kernel@vger.kernel.org,
        netdev@vger.kernel.org, netfilter-devel@vger.kernel.org
Subject: [PATCH v31 09/28] LSM: Use lsmblob in security_secid_to_secctx
Date: Mon, 13 Dec 2021 15:40:15 -0800
Message-Id: <20211213234034.111891-10-casey@schaufler-ca.com>
X-Mailer: git-send-email 2.31.1
In-Reply-To: <20211213234034.111891-1-casey@schaufler-ca.com>
References: <20211213234034.111891-1-casey@schaufler-ca.com>
MIME-Version: 1.0
Precedence: bulk
List-ID: <netfilter-devel.vger.kernel.org>
X-Mailing-List: netfilter-devel@vger.kernel.org

Change security_secid_to_secctx() to take a lsmblob as input
instead of a u32 secid. It will then call the LSM hooks
using the lsmblob element allocated for that module. The
callers have been updated as well. This allows for the
possibility that more than one module may be called upon
to translate a secid to a string, as can occur in the
audit code.

Acked-by: Paul Moore <paul@paul-moore.com>
Reviewed-by: Kees Cook <keescook@chromium.org>
Signed-off-by: Casey Schaufler <casey@schaufler-ca.com>
Cc: netdev@vger.kernel.org
Cc: linux-audit@redhat.com
Cc: netfilter-devel@vger.kernel.org
To: Pablo Neira Ayuso <pablo@netfilter.org>
---
 drivers/android/binder.c                | 12 +++++++++-
 include/linux/security.h                |  5 +++--
 include/net/scm.h                       |  7 +++++-
 kernel/audit.c                          | 20 +++++++++++++++--
 kernel/auditsc.c                        | 27 ++++++++++++++++++----
 net/ipv4/ip_sockglue.c                  |  4 +++-
 net/netfilter/nf_conntrack_netlink.c    | 14 ++++++++++--
 net/netfilter/nf_conntrack_standalone.c |  4 +++-
 net/netfilter/nfnetlink_queue.c         | 11 +++++++--
 net/netlabel/netlabel_unlabeled.c       | 30 +++++++++++++++++++++----
 net/netlabel/netlabel_user.c            |  6 ++---
 security/security.c                     | 11 +++++----
 12 files changed, 122 insertions(+), 29 deletions(-)

diff --git a/drivers/android/binder.c b/drivers/android/binder.c
index cffbe57a8e08..7805d08cd1e7 100644
--- a/drivers/android/binder.c
+++ b/drivers/android/binder.c
@@ -2719,10 +2719,20 @@ static void binder_transaction(struct binder_proc *proc,
 
 	if (target_node && target_node->txn_security_ctx) {
 		u32 secid;
+		struct lsmblob blob;
 		size_t added_size;
 
 		security_cred_getsecid(proc->cred, &secid);
-		ret = security_secid_to_secctx(secid, &secctx, &secctx_sz);
+		/*
+		 * Later in this patch set security_task_getsecid() will
+		 * provide a lsmblob instead of a secid. lsmblob_init
+		 * is used to ensure that all the secids in the lsmblob
+		 * get the value returned from security_task_getsecid(),
+		 * which means that the one expected by
+		 * security_secid_to_secctx() will be set.
+		 */
+		lsmblob_init(&blob, secid);
+		ret = security_secid_to_secctx(&blob, &secctx, &secctx_sz);
 		if (ret) {
 			return_error = BR_FAILED_REPLY;
 			return_error_param = ret;
diff --git a/include/linux/security.h b/include/linux/security.h
index 8a547fc4affa..669eff47737a 100644
--- a/include/linux/security.h
+++ b/include/linux/security.h
@@ -550,7 +550,7 @@ int security_setprocattr(const char *lsm, const char *name, void *value,
 			 size_t size);
 int security_netlink_send(struct sock *sk, struct sk_buff *skb);
 int security_ismaclabel(const char *name);
-int security_secid_to_secctx(u32 secid, char **secdata, u32 *seclen);
+int security_secid_to_secctx(struct lsmblob *blob, char **secdata, u32 *seclen);
 int security_secctx_to_secid(const char *secdata, u32 seclen,
 			     struct lsmblob *blob);
 void security_release_secctx(char *secdata, u32 seclen);
@@ -1406,7 +1406,8 @@ static inline int security_ismaclabel(const char *name)
 	return 0;
 }
 
-static inline int security_secid_to_secctx(u32 secid, char **secdata, u32 *seclen)
+static inline int security_secid_to_secctx(struct lsmblob *blob,
+					   char **secdata, u32 *seclen)
 {
 	return -EOPNOTSUPP;
 }
diff --git a/include/net/scm.h b/include/net/scm.h
index 1ce365f4c256..23a35ff1b3f2 100644
--- a/include/net/scm.h
+++ b/include/net/scm.h
@@ -92,12 +92,17 @@ static __inline__ int scm_send(struct socket *sock, struct msghdr *msg,
 #ifdef CONFIG_SECURITY_NETWORK
 static inline void scm_passec(struct socket *sock, struct msghdr *msg, struct scm_cookie *scm)
 {
+	struct lsmblob lb;
 	char *secdata;
 	u32 seclen;
 	int err;
 
 	if (test_bit(SOCK_PASSSEC, &sock->flags)) {
-		err = security_secid_to_secctx(scm->secid, &secdata, &seclen);
+		/* There can only be one security module using the secid,
+		 * and the infrastructure will know which it is.
+		 */
+		lsmblob_init(&lb, scm->secid);
+		err = security_secid_to_secctx(&lb, &secdata, &seclen);
 
 		if (!err) {
 			put_cmsg(msg, SOL_SOCKET, SCM_SECURITY, seclen, secdata);
diff --git a/kernel/audit.c b/kernel/audit.c
index 121d37e700a6..22286163e93e 100644
--- a/kernel/audit.c
+++ b/kernel/audit.c
@@ -1442,7 +1442,16 @@ static int audit_receive_msg(struct sk_buff *skb, struct nlmsghdr *nlh)
 	case AUDIT_SIGNAL_INFO:
 		len = 0;
 		if (audit_sig_sid) {
-			err = security_secid_to_secctx(audit_sig_sid, &ctx, &len);
+			struct lsmblob blob;
+
+			/*
+			 * lsmblob_init sets all values in the lsmblob
+			 * to audit_sig_sid. This is temporary until
+			 * audit_sig_sid is converted to a lsmblob, which
+			 * happens later in this patch set.
+			 */
+			lsmblob_init(&blob, audit_sig_sid);
+			err = security_secid_to_secctx(&blob, &ctx, &len);
 			if (err)
 				return err;
 		}
@@ -2131,12 +2140,19 @@ int audit_log_task_context(struct audit_buffer *ab)
 	unsigned len;
 	int error;
 	u32 sid;
+	struct lsmblob blob;
 
 	security_task_getsecid_subj(current, &sid);
 	if (!sid)
 		return 0;
 
-	error = security_secid_to_secctx(sid, &ctx, &len);
+	/*
+	 * lsmblob_init sets all values in the lsmblob to sid.
+	 * This is temporary until security_task_getsecid is converted
+	 * to use a lsmblob, which happens later in this patch set.
+	 */
+	lsmblob_init(&blob, sid);
+	error = security_secid_to_secctx(&blob, &ctx, &len);
 	if (error) {
 		if (error != -EINVAL)
 			goto error_path;
diff --git a/kernel/auditsc.c b/kernel/auditsc.c
index e0c71fe27c2f..b28e2cbcc92c 100644
--- a/kernel/auditsc.c
+++ b/kernel/auditsc.c
@@ -670,6 +670,13 @@ static int audit_filter_rules(struct task_struct *tsk,
 					security_task_getsecid_subj(tsk, &sid);
 					need_sid = 0;
 				}
+				/*
+				 * lsmblob_init sets all values in the lsmblob
+				 * to sid. This is temporary until
+				 * security_task_getsecid() is converted to
+				 * provide a lsmblob, which happens later in
+				 * this patch set.
+				 */
 				lsmblob_init(&blob, sid);
 				result = security_audit_rule_match(&blob,
 							f->type, f->op,
@@ -686,6 +693,13 @@ static int audit_filter_rules(struct task_struct *tsk,
 			if (f->lsm_str) {
 				/* Find files that match */
 				if (name) {
+					/*
+					 * lsmblob_init sets all values in the
+					 * lsmblob to sid. This is temporary
+					 * until name->osid is converted to a
+					 * lsmblob, which happens later in
+					 * this patch set.
+					 */
 					lsmblob_init(&blob, name->osid);
 					result = security_audit_rule_match(
 								&blob,
@@ -1109,6 +1123,7 @@ static int audit_log_pid_context(struct audit_context *context, pid_t pid,
 	char *ctx = NULL;
 	u32 len;
 	int rc = 0;
+	struct lsmblob blob;
 
 	ab = audit_log_start(context, GFP_KERNEL, AUDIT_OBJ_PID);
 	if (!ab)
@@ -1118,7 +1133,8 @@ static int audit_log_pid_context(struct audit_context *context, pid_t pid,
 			 from_kuid(&init_user_ns, auid),
 			 from_kuid(&init_user_ns, uid), sessionid);
 	if (sid) {
-		if (security_secid_to_secctx(sid, &ctx, &len)) {
+		lsmblob_init(&blob, sid);
+		if (security_secid_to_secctx(&blob, &ctx, &len)) {
 			audit_log_format(ab, " obj=(none)");
 			rc = 1;
 		} else {
@@ -1362,8 +1378,10 @@ static void show_special(struct audit_context *context, int *call_panic)
 		if (osid) {
 			char *ctx = NULL;
 			u32 len;
+			struct lsmblob blob;
 
-			if (security_secid_to_secctx(osid, &ctx, &len)) {
+			lsmblob_init(&blob, osid);
+			if (security_secid_to_secctx(&blob, &ctx, &len)) {
 				audit_log_format(ab, " osid=%u", osid);
 				*call_panic = 1;
 			} else {
@@ -1524,9 +1542,10 @@ static void audit_log_name(struct audit_context *context, struct audit_names *n,
 	if (n->osid != 0) {
 		char *ctx = NULL;
 		u32 len;
+		struct lsmblob blob;
 
-		if (security_secid_to_secctx(
-			n->osid, &ctx, &len)) {
+		lsmblob_init(&blob, n->osid);
+		if (security_secid_to_secctx(&blob, &ctx, &len)) {
 			audit_log_format(ab, " osid=%u", n->osid);
 			if (call_panic)
 				*call_panic = 2;
diff --git a/net/ipv4/ip_sockglue.c b/net/ipv4/ip_sockglue.c
index 38d29b175ca6..be7073df19a5 100644
--- a/net/ipv4/ip_sockglue.c
+++ b/net/ipv4/ip_sockglue.c
@@ -130,6 +130,7 @@ static void ip_cmsg_recv_checksum(struct msghdr *msg, struct sk_buff *skb,
 
 static void ip_cmsg_recv_security(struct msghdr *msg, struct sk_buff *skb)
 {
+	struct lsmblob lb;
 	char *secdata;
 	u32 seclen, secid;
 	int err;
@@ -138,7 +139,8 @@ static void ip_cmsg_recv_security(struct msghdr *msg, struct sk_buff *skb)
 	if (err)
 		return;
 
-	err = security_secid_to_secctx(secid, &secdata, &seclen);
+	lsmblob_init(&lb, secid);
+	err = security_secid_to_secctx(&lb, &secdata, &seclen);
 	if (err)
 		return;
 
diff --git a/net/netfilter/nf_conntrack_netlink.c b/net/netfilter/nf_conntrack_netlink.c
index c7708bde057c..67b0f3cfc5c7 100644
--- a/net/netfilter/nf_conntrack_netlink.c
+++ b/net/netfilter/nf_conntrack_netlink.c
@@ -341,8 +341,13 @@ static int ctnetlink_dump_secctx(struct sk_buff *skb, const struct nf_conn *ct)
 	struct nlattr *nest_secctx;
 	int len, ret;
 	char *secctx;
+	struct lsmblob blob;
 
-	ret = security_secid_to_secctx(ct->secmark, &secctx, &len);
+	/* lsmblob_init() puts ct->secmark into all of the secids in blob.
+	 * security_secid_to_secctx() will know which security module
+	 * to use to create the secctx.  */
+	lsmblob_init(&blob, ct->secmark);
+	ret = security_secid_to_secctx(&blob, &secctx, &len);
 	if (ret)
 		return 0;
 
@@ -650,8 +655,13 @@ static inline int ctnetlink_secctx_size(const struct nf_conn *ct)
 {
 #ifdef CONFIG_NF_CONNTRACK_SECMARK
 	int len, ret;
+	struct lsmblob blob;
 
-	ret = security_secid_to_secctx(ct->secmark, NULL, &len);
+	/* lsmblob_init() puts ct->secmark into all of the secids in blob.
+	 * security_secid_to_secctx() will know which security module
+	 * to use to create the secctx.  */
+	lsmblob_init(&blob, ct->secmark);
+	ret = security_secid_to_secctx(&blob, NULL, &len);
 	if (ret)
 		return 0;
 
diff --git a/net/netfilter/nf_conntrack_standalone.c b/net/netfilter/nf_conntrack_standalone.c
index 80f675d884b2..79c280d1efce 100644
--- a/net/netfilter/nf_conntrack_standalone.c
+++ b/net/netfilter/nf_conntrack_standalone.c
@@ -178,8 +178,10 @@ static void ct_show_secctx(struct seq_file *s, const struct nf_conn *ct)
 	int ret;
 	u32 len;
 	char *secctx;
+	struct lsmblob blob;
 
-	ret = security_secid_to_secctx(ct->secmark, &secctx, &len);
+	lsmblob_init(&blob, ct->secmark);
+	ret = security_secid_to_secctx(&blob, &secctx, &len);
 	if (ret)
 		return;
 
diff --git a/net/netfilter/nfnetlink_queue.c b/net/netfilter/nfnetlink_queue.c
index 4acc4b8e9fe5..62c0c5b847c6 100644
--- a/net/netfilter/nfnetlink_queue.c
+++ b/net/netfilter/nfnetlink_queue.c
@@ -305,13 +305,20 @@ static u32 nfqnl_get_sk_secctx(struct sk_buff *skb, char **secdata)
 {
 	u32 seclen = 0;
 #if IS_ENABLED(CONFIG_NETWORK_SECMARK)
+	struct lsmblob blob;
+
 	if (!skb || !sk_fullsock(skb->sk))
 		return 0;
 
 	read_lock_bh(&skb->sk->sk_callback_lock);
 
-	if (skb->secmark)
-		security_secid_to_secctx(skb->secmark, secdata, &seclen);
+	if (skb->secmark) {
+		/* lsmblob_init() puts ct->secmark into all of the secids in
+		 * blob. security_secid_to_secctx() will know which security
+		 * module to use to create the secctx.  */
+		lsmblob_init(&blob, skb->secmark);
+		security_secid_to_secctx(&blob, secdata, &seclen);
+	}
 
 	read_unlock_bh(&skb->sk->sk_callback_lock);
 #endif
diff --git a/net/netlabel/netlabel_unlabeled.c b/net/netlabel/netlabel_unlabeled.c
index 762561318d78..51cb4fce5edf 100644
--- a/net/netlabel/netlabel_unlabeled.c
+++ b/net/netlabel/netlabel_unlabeled.c
@@ -376,6 +376,7 @@ int netlbl_unlhsh_add(struct net *net,
 	struct audit_buffer *audit_buf = NULL;
 	char *secctx = NULL;
 	u32 secctx_len;
+	struct lsmblob blob;
 
 	if (addr_len != sizeof(struct in_addr) &&
 	    addr_len != sizeof(struct in6_addr))
@@ -438,7 +439,11 @@ int netlbl_unlhsh_add(struct net *net,
 unlhsh_add_return:
 	rcu_read_unlock();
 	if (audit_buf != NULL) {
-		if (security_secid_to_secctx(secid,
+		/* lsmblob_init() puts secid into all of the secids in blob.
+		 * security_secid_to_secctx() will know which security module
+		 * to use to create the secctx.  */
+		lsmblob_init(&blob, secid);
+		if (security_secid_to_secctx(&blob,
 					     &secctx,
 					     &secctx_len) == 0) {
 			audit_log_format(audit_buf, " sec_obj=%s", secctx);
@@ -475,6 +480,7 @@ static int netlbl_unlhsh_remove_addr4(struct net *net,
 	struct net_device *dev;
 	char *secctx;
 	u32 secctx_len;
+	struct lsmblob blob;
 
 	spin_lock(&netlbl_unlhsh_lock);
 	list_entry = netlbl_af4list_remove(addr->s_addr, mask->s_addr,
@@ -493,8 +499,13 @@ static int netlbl_unlhsh_remove_addr4(struct net *net,
 					  (dev != NULL ? dev->name : NULL),
 					  addr->s_addr, mask->s_addr);
 		dev_put(dev);
+		/* lsmblob_init() puts entry->secid into all of the secids
+		 * in blob. security_secid_to_secctx() will know which
+		 * security module to use to create the secctx.  */
+		if (entry != NULL)
+			lsmblob_init(&blob, entry->secid);
 		if (entry != NULL &&
-		    security_secid_to_secctx(entry->secid,
+		    security_secid_to_secctx(&blob,
 					     &secctx, &secctx_len) == 0) {
 			audit_log_format(audit_buf, " sec_obj=%s", secctx);
 			security_release_secctx(secctx, secctx_len);
@@ -536,6 +547,7 @@ static int netlbl_unlhsh_remove_addr6(struct net *net,
 	struct net_device *dev;
 	char *secctx;
 	u32 secctx_len;
+	struct lsmblob blob;
 
 	spin_lock(&netlbl_unlhsh_lock);
 	list_entry = netlbl_af6list_remove(addr, mask, &iface->addr6_list);
@@ -553,8 +565,13 @@ static int netlbl_unlhsh_remove_addr6(struct net *net,
 					  (dev != NULL ? dev->name : NULL),
 					  addr, mask);
 		dev_put(dev);
+		/* lsmblob_init() puts entry->secid into all of the secids
+		 * in blob. security_secid_to_secctx() will know which
+		 * security module to use to create the secctx.  */
+		if (entry != NULL)
+			lsmblob_init(&blob, entry->secid);
 		if (entry != NULL &&
-		    security_secid_to_secctx(entry->secid,
+		    security_secid_to_secctx(&blob,
 					     &secctx, &secctx_len) == 0) {
 			audit_log_format(audit_buf, " sec_obj=%s", secctx);
 			security_release_secctx(secctx, secctx_len);
@@ -1080,6 +1097,7 @@ static int netlbl_unlabel_staticlist_gen(u32 cmd,
 	u32 secid;
 	char *secctx;
 	u32 secctx_len;
+	struct lsmblob blob;
 
 	data = genlmsg_put(cb_arg->skb, NETLINK_CB(cb_arg->nl_cb->skb).portid,
 			   cb_arg->seq, &netlbl_unlabel_gnl_family,
@@ -1134,7 +1152,11 @@ static int netlbl_unlabel_staticlist_gen(u32 cmd,
 		secid = addr6->secid;
 	}
 
-	ret_val = security_secid_to_secctx(secid, &secctx, &secctx_len);
+	/* lsmblob_init() secid into all of the secids in blob.
+	 * security_secid_to_secctx() will know which security module
+	 * to use to create the secctx.  */
+	lsmblob_init(&blob, secid);
+	ret_val = security_secid_to_secctx(&blob, &secctx, &secctx_len);
 	if (ret_val != 0)
 		goto list_cb_failure;
 	ret_val = nla_put(cb_arg->skb,
diff --git a/net/netlabel/netlabel_user.c b/net/netlabel/netlabel_user.c
index 3ed4fea2a2de..893301ae0131 100644
--- a/net/netlabel/netlabel_user.c
+++ b/net/netlabel/netlabel_user.c
@@ -86,6 +86,7 @@ struct audit_buffer *netlbl_audit_start_common(int type,
 	struct audit_buffer *audit_buf;
 	char *secctx;
 	u32 secctx_len;
+	struct lsmblob blob;
 
 	if (audit_enabled == AUDIT_OFF)
 		return NULL;
@@ -98,10 +99,9 @@ struct audit_buffer *netlbl_audit_start_common(int type,
 			 from_kuid(&init_user_ns, audit_info->loginuid),
 			 audit_info->sessionid);
 
+	lsmblob_init(&blob, audit_info->secid);
 	if (audit_info->secid != 0 &&
-	    security_secid_to_secctx(audit_info->secid,
-				     &secctx,
-				     &secctx_len) == 0) {
+	    security_secid_to_secctx(&blob, &secctx, &secctx_len) == 0) {
 		audit_log_format(audit_buf, " subj=%s", secctx);
 		security_release_secctx(secctx, secctx_len);
 	}
diff --git a/security/security.c b/security/security.c
index 7ae68b6ffc7f..a0612afefc24 100644
--- a/security/security.c
+++ b/security/security.c
@@ -2176,17 +2176,16 @@ int security_ismaclabel(const char *name)
 }
 EXPORT_SYMBOL(security_ismaclabel);
 
-int security_secid_to_secctx(u32 secid, char **secdata, u32 *seclen)
+int security_secid_to_secctx(struct lsmblob *blob, char **secdata, u32 *seclen)
 {
 	struct security_hook_list *hp;
 	int rc;
 
-	/*
-	 * Currently, only one LSM can implement secid_to_secctx (i.e this
-	 * LSM hook is not "stackable").
-	 */
 	hlist_for_each_entry(hp, &security_hook_heads.secid_to_secctx, list) {
-		rc = hp->hook.secid_to_secctx(secid, secdata, seclen);
+		if (WARN_ON(hp->lsmid->slot < 0 || hp->lsmid->slot >= lsm_slot))
+			continue;
+		rc = hp->hook.secid_to_secctx(blob->secid[hp->lsmid->slot],
+					      secdata, seclen);
 		if (rc != LSM_RET_DEFAULT(secid_to_secctx))
 			return rc;
 	}

From patchwork Mon Dec 13 23:40:21 2021
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Casey Schaufler <casey@schaufler-ca.com>
X-Patchwork-Id: 1567511
X-Patchwork-Delegate: pablo@netfilter.org
Return-Path: <netfilter-devel-owner@vger.kernel.org>
X-Original-To: incoming@patchwork.ozlabs.org
Delivered-To: patchwork-incoming@bilbo.ozlabs.org
Authentication-Results: bilbo.ozlabs.org;
	dkim=pass (2048-bit key;
 unprotected) header.d=yahoo.com header.i=@yahoo.com header.a=rsa-sha256
 header.s=s2048 header.b=YP84/wT2;
	dkim-atps=neutral
Authentication-Results: ozlabs.org;
 spf=pass (sender SPF authorized) smtp.mailfrom=vger.kernel.org
 (client-ip=23.128.96.18; helo=vger.kernel.org;
 envelope-from=netfilter-devel-owner@vger.kernel.org; receiver=<UNKNOWN>)
Received: from vger.kernel.org (vger.kernel.org [23.128.96.18])
	by bilbo.ozlabs.org (Postfix) with ESMTP id 4JCdjD1yddz9sRN
	for <incoming@patchwork.ozlabs.org>; Tue, 14 Dec 2021 10:57:20 +1100 (AEDT)
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S244361AbhLMX5Q (ORCPT <rfc822;incoming@patchwork.ozlabs.org>);
        Mon, 13 Dec 2021 18:57:16 -0500
Received: from sonic306-28.consmr.mail.ne1.yahoo.com ([66.163.189.90]:46294
        "EHLO sonic306-28.consmr.mail.ne1.yahoo.com" rhost-flags-OK-OK-OK-OK)
        by vger.kernel.org with ESMTP id S235661AbhLMX5O (ORCPT
        <rfc822;netfilter-devel@vger.kernel.org>);
        Mon, 13 Dec 2021 18:57:14 -0500
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=yahoo.com; s=s2048;
 t=1639439834; bh=Sn5tjjAGSmqW3nsqIgtZNqgzkhGliBqVHotdg9HEefo=;
 h=From:To:Cc:Subject:Date:In-Reply-To:References:From:Subject:Reply-To;
 b=YP84/wT2Xty3MBSNMp7XC4nnHiBV1Se90j+VUuV2H6dw53bcAeXNevBQihCVfBdqpgyPmzltM0md/PKZTXw7T1qtKuHz+mmWvSaeUdVuuofjrp3uaaNGgYAoTnaMJkvpkWrjW1sQuxznSLdve4Sr3iVHY77TCfE7e/Ra8BsSdvsg2/13AyxB02GptdtX491D3HD7SvoB9qTczkEIUFFKWJaGoKzxnsS5FdpwblJ2wVUEAmX+X3SIAiWUwN2q5hrjIgDuYzuT/CgE0WRsoGz1zfDoy7CD8ocbcPKW/vHt/fxgPvOp7EscQIStdGXhAOHYRDr2A4PXJa58bUcRrva1/A==
X-SONIC-DKIM-SIGN: v=1; a=rsa-sha256; c=relaxed/relaxed; d=yahoo.com; s=s2048;
 t=1639439834; bh=WWHXYx/YU0+TYu8UNTr5i2Tvia2wLWZDXQiN9WRM7v1=;
 h=X-Sonic-MF:From:To:Subject:Date:From:Subject;
 b=aazwde7/k1nIb62hXiFt1TvqqgFMaKRsUQdU6y3Fiy9nHj3HejDoHoP3/M/335opGhPe8pkdD+c9VCE4LkxnhNMEyh0luDq+NzWeaw3d7xYU95WRhW1R0wyqnSnLKe87xooY4ah7xJSR2SQOUrQIrXeU9hyLrZwQtpxDaUd4zmuT4k7Sk3xVQrGS0854ktBd/QS/m9SHnNYJGye84wFJ08Io0sn5/xMIjpZe44GbqUamINER4/xigTqr4rxqf1sb4zRYQ5XEM+2LbXiS9/6G3a+rfun/qWoq77Ll3s2A0E0L5O8a/eTStTJ4vfTM5Uk4vs+RzWdfAyAuM+nFxtit0g==
X-YMail-OSG: OEodNHwVM1lLc70lSb3Q7McpeYOUxzSMiC.VqaCS6Wjwe5xTSb59hzGao34qiKu
 uL32ec_SK00UScL6pFM.sEJltybyuVpFz0imSBdLLTby6G5Z1aIa31nZL0uqwPnXrjFKPKOm4c1m
 0k8HLpluKSUjHwYVg.6DebM0joz5sm1qSMzoq5.UMiOPStVKfcSvP4O8tTdwtYVD9e40uFqmvCpG
 eulXmrurJevY2p4Gk88OT1wMYNg8trNtLHjJf7GQ1S2evO0y2GTzhVoEcnZUvdmgLlyFT7Qjqk1Q
 zNlzSFt_IKDoAQOgnRE7u5tP4rkaV_6.XTLbHAZ1AM4h4fkIcgi1K57_4BAX7I8d1MNOMEAV.clQ
 a86dAO_Wxm4W34dgTYmt_oHbDrRPS4DBWFw46aBoA7scOmGuX7vKuqlN1eRNTIepCWP5ZMWG_wyB
 oGxTpaHUL2WNvw5h5GvA5QFQCPBUiOrutkf6HXL041LUh37bnsbAjiyIxmzCg3I3dLxv2eavksX6
 WrCwvWRp4SFJ2lIcxKr44tr9Xi50x4e.qmksfWxX.Rkf2QwvPDB95GERcv.VLdnvqMN1bcuhFQyC
 zwmwtmk4smmlpkg9ulNz6EAc5olnTgOsw9Asm13D5cUcEnC9ZDnHyQUPp7tY8YftGkR2aqeXv6JR
 3r2DmkXUEjz2nADYXpn46LinhDQOWFaIr9vmnjtpgEZ5TMrr3J3RAmkHg.z8xQEJq6KmKR3LSftW
 h7FEfG8NhrpT.rtWwglNTuIjOMp3Fro0CrkNJL0zuqptgEJsy7dNum2loO2Jp3.yKp3O5fnlxnSy
 5rfSz793NsTkiio6OELgPtIiWs2oaa6qB5WJ.GNZdJgBsP67Oey9lRwFZxQUIKSDVxP2xQRMZQG9
 zAZGcRjMyE30dlIvsN3wEjLamECq0g9zVETmy1MZ656oF2k564WYY9ee73Fv5emPXtNfTa9J0cEf
 TaQ9utj2tads_lvTlEDwW9k39M68P.wslaMP0OEez3JHMNPUI1z8CQWHTHgWVVhVmyY8cnU3jA_v
 JFw3ITbejy11v31Rn4ugdGgfzlSlpx21O.3uHNrykZgD.lL0D7wdAc9Cf2ekGJ4qAuR1L7IFphg.
 dyWttI6rdXuOAqHGgvPaAx4ulsCULFKE0VC604YEU56ZagnSUikNmofiH0F31HptE1V6gaAcphBF
 1mIpIOzJIGghzsQqy3Et9HlBoh1KbYsZPKm9vh8o9_u0sbzPEyuHqBNelagCxg4OpWIZKMjFKV_C
 PddmWocLOuLPPDckhPmXiEIfxQ0pUB1hPPADvM5F_8Ep56X6nFxQemMKGMBmu.gJekCAX.yHLAPB
 x_9RHnuz3RDzwkt5aLzwSEFdyVBs1G83wUsDdOy2oPCDc6rEiV8I_0R.4YVVqiODdFnkzdC1u8bS
 njTsr4DDV7Et3MCDg_zGUdVH_XCClEYReBTs8ja79aGuONvO9Z8rBkYI1Z3EFEYM.Fti11qZYl43
 8Q1hvLNX1xLbtMDxwZG07vVM147I1wYw1aVw10FJ7bByi9JuekUBYNifi3558Lfgi25AI2wQwcaB
 l_xoKZpw4zBbmwL7fMI5jN77dczJMO8XiDOCDmlqQbM8aKHnu.cL1Q_N7DSy_9p6eZ7PplxgDlrO
 BPqPGzD2LrOySeNgT6tkwIHBy2IajI2r5yi9Wx6GXaVkTX3ue55qDRyTmlWIkydrovWghaqTD.Zb
 s.rsCxwP4ggHZW293Bwz2H3vCuh2o4l4Abgp_gXy7gzxeCZjHGUOZWLlNnpaaUFgPsr7VnjPMhHm
 oYrL8EIOZqQkgYBSi7KAviizCmK.LHTyklCMeVToSa9BuRRIDPq3BuFunA4N.r.UjC5LcngeWhcK
 s6Za3H9R9QTJXpAUd40jzxEEoEfsiqQmCAFMp4IKDzPX.9O_M1vleTEG.0ligq7Eo.d4NFC5Vy0Y
 9zmquCiaXzPgyqLIIU5joT8ezreDD9poSZLg2badE9WcuGLIDedmVFG9yRQqcErY1tajoxGkZSTM
 GrbmEuwuBeoAQYMEXQnutfR0yFMMBRajfysAX44MCONoDd_g191vCGb1wwMeqf2vLopztD6rmqz8
 Nd0Szpaje_67ZDhZRTQ9k_aWeJwCABRwKHXZUqle5DE6HJBLaDHdkaA9Z2yXPslJIZ.k9sD.Ctdb
 0fCAvibIGdbAXaQs1x8AXe0Xzwruv1NmMt9ypCwJyz_0rTisa61529WBkK81.lXGuQX4sJyJavIc
 VwyJeczoGDSRAdTpGrj1JwasepWbBVJY_cqTD5VmPsEhcJoapkEYekCLY1DLNI2hC4zmz2B0-
X-Sonic-MF: <casey@schaufler-ca.com>
Received: from sonic.gate.mail.ne1.yahoo.com by
 sonic306.consmr.mail.ne1.yahoo.com with HTTP; Mon, 13 Dec 2021 23:57:14 +0000
Received: by kubenode527.mail-prod1.omega.ne1.yahoo.com (VZM Hermes SMTP
 Server) with ESMTPA ID 2cfefa36b6f587455d7cc15b16ec7ee3;
          Mon, 13 Dec 2021 23:57:12 +0000 (UTC)
From: Casey Schaufler <casey@schaufler-ca.com>
To: casey.schaufler@intel.com, jmorris@namei.org,
        linux-security-module@vger.kernel.org, selinux@vger.kernel.org
Cc: casey@schaufler-ca.com, linux-audit@redhat.com,
        keescook@chromium.org, john.johansen@canonical.com,
        penguin-kernel@i-love.sakura.ne.jp, paul@paul-moore.com,
        sds@tycho.nsa.gov, linux-kernel@vger.kernel.org,
        Stephen Smalley <stephen.smalley.work@gmail.com>,
        Chuck Lever <chuck.lever@oracle.com>,
        linux-integrity@vger.kernel.org, netdev@vger.kernel.org,
        netfilter-devel@vger.kernel.org, linux-nfs@vger.kernel.org
Subject: [PATCH v31 15/28] LSM: Ensure the correct LSM context releaser
Date: Mon, 13 Dec 2021 15:40:21 -0800
Message-Id: <20211213234034.111891-16-casey@schaufler-ca.com>
X-Mailer: git-send-email 2.31.1
In-Reply-To: <20211213234034.111891-1-casey@schaufler-ca.com>
References: <20211213234034.111891-1-casey@schaufler-ca.com>
MIME-Version: 1.0
Precedence: bulk
List-ID: <netfilter-devel.vger.kernel.org>
X-Mailing-List: netfilter-devel@vger.kernel.org

Add a new lsmcontext data structure to hold all the information
about a "security context", including the string, its size and
which LSM allocated the string. The allocation information is
necessary because LSMs have different policies regarding the
lifecycle of these strings. SELinux allocates and destroys
them on each use, whereas Smack provides a pointer to an entry
in a list that never goes away.

Reviewed-by: Kees Cook <keescook@chromium.org>
Reviewed-by: John Johansen <john.johansen@canonical.com>
Acked-by: Paul Moore <paul@paul-moore.com>
Acked-by: Stephen Smalley <stephen.smalley.work@gmail.com>
Acked-by: Chuck Lever <chuck.lever@oracle.com>
Signed-off-by: Casey Schaufler <casey@schaufler-ca.com>
Cc: linux-integrity@vger.kernel.org
Cc: netdev@vger.kernel.org
Cc: linux-audit@redhat.com
Cc: netfilter-devel@vger.kernel.org
To: Pablo Neira Ayuso <pablo@netfilter.org>
Cc: linux-nfs@vger.kernel.org
---
 drivers/android/binder.c                | 10 ++++---
 fs/ceph/xattr.c                         |  6 ++++-
 fs/nfs/nfs4proc.c                       |  8 ++++--
 fs/nfsd/nfs4xdr.c                       |  7 +++--
 include/linux/security.h                | 35 +++++++++++++++++++++++--
 include/net/scm.h                       |  5 +++-
 kernel/audit.c                          | 14 +++++++---
 kernel/auditsc.c                        | 12 ++++++---
 net/ipv4/ip_sockglue.c                  |  4 ++-
 net/netfilter/nf_conntrack_netlink.c    |  4 ++-
 net/netfilter/nf_conntrack_standalone.c |  4 ++-
 net/netfilter/nfnetlink_queue.c         | 13 ++++++---
 net/netlabel/netlabel_unlabeled.c       | 19 +++++++++++---
 net/netlabel/netlabel_user.c            |  4 ++-
 security/security.c                     | 11 ++++----
 15 files changed, 121 insertions(+), 35 deletions(-)

diff --git a/drivers/android/binder.c b/drivers/android/binder.c
index 27b53e5f71a1..32dca5b40e8a 100644
--- a/drivers/android/binder.c
+++ b/drivers/android/binder.c
@@ -2469,6 +2469,7 @@ static void binder_transaction(struct binder_proc *proc,
 	int t_debug_id = atomic_inc_return(&binder_last_id);
 	char *secctx = NULL;
 	u32 secctx_sz = 0;
+	struct lsmcontext scaff; /* scaffolding */
 
 	e = binder_transaction_log_add(&binder_transaction_log);
 	e->debug_id = t_debug_id;
@@ -2771,7 +2772,8 @@ static void binder_transaction(struct binder_proc *proc,
 			t->security_ctx = 0;
 			WARN_ON(1);
 		}
-		security_release_secctx(secctx, secctx_sz);
+		lsmcontext_init(&scaff, secctx, secctx_sz, 0);
+		security_release_secctx(&scaff);
 		secctx = NULL;
 	}
 	t->buffer->debug_id = t->debug_id;
@@ -3112,8 +3114,10 @@ static void binder_transaction(struct binder_proc *proc,
 	binder_alloc_free_buf(&target_proc->alloc, t->buffer);
 err_binder_alloc_buf_failed:
 err_bad_extra_size:
-	if (secctx)
-		security_release_secctx(secctx, secctx_sz);
+	if (secctx) {
+		lsmcontext_init(&scaff, secctx, secctx_sz, 0);
+		security_release_secctx(&scaff);
+	}
 err_get_secctx_failed:
 	kfree(tcomplete);
 	binder_stats_deleted(BINDER_STAT_TRANSACTION_COMPLETE);
diff --git a/fs/ceph/xattr.c b/fs/ceph/xattr.c
index fcf7dfdecf96..df2b3bf46364 100644
--- a/fs/ceph/xattr.c
+++ b/fs/ceph/xattr.c
@@ -1374,12 +1374,16 @@ int ceph_security_init_secctx(struct dentry *dentry, umode_t mode,
 
 void ceph_release_acl_sec_ctx(struct ceph_acl_sec_ctx *as_ctx)
 {
+#ifdef CONFIG_CEPH_FS_SECURITY_LABEL
+	struct lsmcontext scaff; /* scaffolding */
+#endif
 #ifdef CONFIG_CEPH_FS_POSIX_ACL
 	posix_acl_release(as_ctx->acl);
 	posix_acl_release(as_ctx->default_acl);
 #endif
 #ifdef CONFIG_CEPH_FS_SECURITY_LABEL
-	security_release_secctx(as_ctx->sec_ctx, as_ctx->sec_ctxlen);
+	lsmcontext_init(&scaff, as_ctx->sec_ctx, as_ctx->sec_ctxlen, 0);
+	security_release_secctx(&scaff);
 #endif
 	if (as_ctx->pagelist)
 		ceph_pagelist_release(as_ctx->pagelist);
diff --git a/fs/nfs/nfs4proc.c b/fs/nfs/nfs4proc.c
index ee3bc79f6ca3..194bb09663e0 100644
--- a/fs/nfs/nfs4proc.c
+++ b/fs/nfs/nfs4proc.c
@@ -137,8 +137,12 @@ nfs4_label_init_security(struct inode *dir, struct dentry *dentry,
 static inline void
 nfs4_label_release_security(struct nfs4_label *label)
 {
-	if (label)
-		security_release_secctx(label->label, label->len);
+	struct lsmcontext scaff; /* scaffolding */
+
+	if (label) {
+		lsmcontext_init(&scaff, label->label, label->len, 0);
+		security_release_secctx(&scaff);
+	}
 }
 static inline u32 *nfs4_bitmask(struct nfs_server *server, struct nfs4_label *label)
 {
diff --git a/fs/nfsd/nfs4xdr.c b/fs/nfsd/nfs4xdr.c
index 5a93a5db4fb0..f96da9ac116a 100644
--- a/fs/nfsd/nfs4xdr.c
+++ b/fs/nfsd/nfs4xdr.c
@@ -2841,6 +2841,7 @@ nfsd4_encode_fattr(struct xdr_stream *xdr, struct svc_fh *fhp,
 	int err;
 	struct nfs4_acl *acl = NULL;
 #ifdef CONFIG_NFSD_V4_SECURITY_LABEL
+	struct lsmcontext scaff; /* scaffolding */
 	void *context = NULL;
 	int contextlen;
 #endif
@@ -3342,8 +3343,10 @@ nfsd4_encode_fattr(struct xdr_stream *xdr, struct svc_fh *fhp,
 
 out:
 #ifdef CONFIG_NFSD_V4_SECURITY_LABEL
-	if (context)
-		security_release_secctx(context, contextlen);
+	if (context) {
+		lsmcontext_init(&scaff, context, contextlen, 0); /*scaffolding*/
+		security_release_secctx(&scaff);
+	}
 #endif /* CONFIG_NFSD_V4_SECURITY_LABEL */
 	kfree(acl);
 	if (tempfh) {
diff --git a/include/linux/security.h b/include/linux/security.h
index 872e543d37dd..e439663c955f 100644
--- a/include/linux/security.h
+++ b/include/linux/security.h
@@ -135,6 +135,37 @@ enum lockdown_reason {
 
 extern const char *const lockdown_reasons[LOCKDOWN_CONFIDENTIALITY_MAX+1];
 
+/*
+ * A "security context" is the text representation of
+ * the information used by LSMs.
+ * This structure contains the string, its length, and which LSM
+ * it is useful for.
+ */
+struct lsmcontext {
+	char	*context;	/* Provided by the module */
+	u32	len;
+	int	slot;		/* Identifies the module */
+};
+
+/**
+ * lsmcontext_init - initialize an lsmcontext structure.
+ * @cp: Pointer to the context to initialize
+ * @context: Initial context, or NULL
+ * @size: Size of context, or 0
+ * @slot: Which LSM provided the context
+ *
+ * Fill in the lsmcontext from the provided information.
+ * This is a scaffolding function that will be removed when
+ * lsmcontext integration is complete.
+ */
+static inline void lsmcontext_init(struct lsmcontext *cp, char *context,
+				   u32 size, int slot)
+{
+	cp->slot = slot;
+	cp->context = context;
+	cp->len = size;
+}
+
 /*
  * Data exported by the security modules
  *
@@ -570,7 +601,7 @@ int security_ismaclabel(const char *name);
 int security_secid_to_secctx(struct lsmblob *blob, char **secdata, u32 *seclen);
 int security_secctx_to_secid(const char *secdata, u32 seclen,
 			     struct lsmblob *blob);
-void security_release_secctx(char *secdata, u32 seclen);
+void security_release_secctx(struct lsmcontext *cp);
 void security_inode_invalidate_secctx(struct inode *inode);
 int security_inode_notifysecctx(struct inode *inode, void *ctx, u32 ctxlen);
 int security_inode_setsecctx(struct dentry *dentry, void *ctx, u32 ctxlen);
@@ -1440,7 +1471,7 @@ static inline int security_secctx_to_secid(const char *secdata,
 	return -EOPNOTSUPP;
 }
 
-static inline void security_release_secctx(char *secdata, u32 seclen)
+static inline void security_release_secctx(struct lsmcontext *cp)
 {
 }
 
diff --git a/include/net/scm.h b/include/net/scm.h
index 23a35ff1b3f2..f273c4d777ec 100644
--- a/include/net/scm.h
+++ b/include/net/scm.h
@@ -92,6 +92,7 @@ static __inline__ int scm_send(struct socket *sock, struct msghdr *msg,
 #ifdef CONFIG_SECURITY_NETWORK
 static inline void scm_passec(struct socket *sock, struct msghdr *msg, struct scm_cookie *scm)
 {
+	struct lsmcontext context;
 	struct lsmblob lb;
 	char *secdata;
 	u32 seclen;
@@ -106,7 +107,9 @@ static inline void scm_passec(struct socket *sock, struct msghdr *msg, struct sc
 
 		if (!err) {
 			put_cmsg(msg, SOL_SOCKET, SCM_SECURITY, seclen, secdata);
-			security_release_secctx(secdata, seclen);
+			/*scaffolding*/
+			lsmcontext_init(&context, secdata, seclen, 0);
+			security_release_secctx(&context);
 		}
 	}
 }
diff --git a/kernel/audit.c b/kernel/audit.c
index 8ec64e6e8bc0..c17ec23158c4 100644
--- a/kernel/audit.c
+++ b/kernel/audit.c
@@ -1192,6 +1192,7 @@ static int audit_receive_msg(struct sk_buff *skb, struct nlmsghdr *nlh)
 	struct audit_sig_info   *sig_data;
 	char			*ctx = NULL;
 	u32			len;
+	struct lsmcontext	scaff; /* scaffolding */
 
 	err = audit_netlink_ok(skb, msg_type);
 	if (err)
@@ -1449,15 +1450,18 @@ static int audit_receive_msg(struct sk_buff *skb, struct nlmsghdr *nlh)
 		}
 		sig_data = kmalloc(sizeof(*sig_data) + len, GFP_KERNEL);
 		if (!sig_data) {
-			if (lsmblob_is_set(&audit_sig_lsm))
-				security_release_secctx(ctx, len);
+			if (lsmblob_is_set(&audit_sig_lsm)) {
+				lsmcontext_init(&scaff, ctx, len, 0);
+				security_release_secctx(&scaff);
+			}
 			return -ENOMEM;
 		}
 		sig_data->uid = from_kuid(&init_user_ns, audit_sig_uid);
 		sig_data->pid = audit_sig_pid;
 		if (lsmblob_is_set(&audit_sig_lsm)) {
 			memcpy(sig_data->ctx, ctx, len);
-			security_release_secctx(ctx, len);
+			lsmcontext_init(&scaff, ctx, len, 0);
+			security_release_secctx(&scaff);
 		}
 		audit_send_reply(skb, seq, AUDIT_SIGNAL_INFO, 0, 0,
 				 sig_data, sizeof(*sig_data) + len);
@@ -2132,6 +2136,7 @@ int audit_log_task_context(struct audit_buffer *ab)
 	unsigned len;
 	int error;
 	struct lsmblob blob;
+	struct lsmcontext scaff; /* scaffolding */
 
 	security_task_getsecid_subj(current, &blob);
 	if (!lsmblob_is_set(&blob))
@@ -2145,7 +2150,8 @@ int audit_log_task_context(struct audit_buffer *ab)
 	}
 
 	audit_log_format(ab, " subj=%s", ctx);
-	security_release_secctx(ctx, len);
+	lsmcontext_init(&scaff, ctx, len, 0);
+	security_release_secctx(&scaff);
 	return 0;
 
 error_path:
diff --git a/kernel/auditsc.c b/kernel/auditsc.c
index 930254bca7b5..3c72ff647fd8 100644
--- a/kernel/auditsc.c
+++ b/kernel/auditsc.c
@@ -1112,6 +1112,7 @@ static int audit_log_pid_context(struct audit_context *context, pid_t pid,
 				 struct lsmblob *blob, char *comm)
 {
 	struct audit_buffer *ab;
+	struct lsmcontext lsmcxt;
 	char *ctx = NULL;
 	u32 len;
 	int rc = 0;
@@ -1129,7 +1130,8 @@ static int audit_log_pid_context(struct audit_context *context, pid_t pid,
 			rc = 1;
 		} else {
 			audit_log_format(ab, " obj=%s", ctx);
-			security_release_secctx(ctx, len);
+			lsmcontext_init(&lsmcxt, ctx, len, 0); /*scaffolding*/
+			security_release_secctx(&lsmcxt);
 		}
 	}
 	audit_log_format(ab, " ocomm=");
@@ -1342,6 +1344,7 @@ static void audit_log_fcaps(struct audit_buffer *ab, struct audit_names *name)
 
 static void show_special(struct audit_context *context, int *call_panic)
 {
+	struct lsmcontext lsmcxt;
 	struct audit_buffer *ab;
 	int i;
 
@@ -1376,7 +1379,8 @@ static void show_special(struct audit_context *context, int *call_panic)
 				*call_panic = 1;
 			} else {
 				audit_log_format(ab, " obj=%s", ctx);
-				security_release_secctx(ctx, len);
+				lsmcontext_init(&lsmcxt, ctx, len, 0);
+				security_release_secctx(&lsmcxt);
 			}
 		}
 		if (context->ipc.has_perm) {
@@ -1533,6 +1537,7 @@ static void audit_log_name(struct audit_context *context, struct audit_names *n,
 		char *ctx = NULL;
 		u32 len;
 		struct lsmblob blob;
+		struct lsmcontext lsmcxt;
 
 		lsmblob_init(&blob, n->osid);
 		if (security_secid_to_secctx(&blob, &ctx, &len)) {
@@ -1541,7 +1546,8 @@ static void audit_log_name(struct audit_context *context, struct audit_names *n,
 				*call_panic = 2;
 		} else {
 			audit_log_format(ab, " obj=%s", ctx);
-			security_release_secctx(ctx, len);
+			lsmcontext_init(&lsmcxt, ctx, len, 0); /* scaffolding */
+			security_release_secctx(&lsmcxt);
 		}
 	}
 
diff --git a/net/ipv4/ip_sockglue.c b/net/ipv4/ip_sockglue.c
index be7073df19a5..dbba700fb151 100644
--- a/net/ipv4/ip_sockglue.c
+++ b/net/ipv4/ip_sockglue.c
@@ -130,6 +130,7 @@ static void ip_cmsg_recv_checksum(struct msghdr *msg, struct sk_buff *skb,
 
 static void ip_cmsg_recv_security(struct msghdr *msg, struct sk_buff *skb)
 {
+	struct lsmcontext context;
 	struct lsmblob lb;
 	char *secdata;
 	u32 seclen, secid;
@@ -145,7 +146,8 @@ static void ip_cmsg_recv_security(struct msghdr *msg, struct sk_buff *skb)
 		return;
 
 	put_cmsg(msg, SOL_IP, SCM_SECURITY, seclen, secdata);
-	security_release_secctx(secdata, seclen);
+	lsmcontext_init(&context, secdata, seclen, 0); /* scaffolding */
+	security_release_secctx(&context);
 }
 
 static void ip_cmsg_recv_dstaddr(struct msghdr *msg, struct sk_buff *skb)
diff --git a/net/netfilter/nf_conntrack_netlink.c b/net/netfilter/nf_conntrack_netlink.c
index 67b0f3cfc5c7..40cbb00432d4 100644
--- a/net/netfilter/nf_conntrack_netlink.c
+++ b/net/netfilter/nf_conntrack_netlink.c
@@ -342,6 +342,7 @@ static int ctnetlink_dump_secctx(struct sk_buff *skb, const struct nf_conn *ct)
 	int len, ret;
 	char *secctx;
 	struct lsmblob blob;
+	struct lsmcontext context;
 
 	/* lsmblob_init() puts ct->secmark into all of the secids in blob.
 	 * security_secid_to_secctx() will know which security module
@@ -362,7 +363,8 @@ static int ctnetlink_dump_secctx(struct sk_buff *skb, const struct nf_conn *ct)
 
 	ret = 0;
 nla_put_failure:
-	security_release_secctx(secctx, len);
+	lsmcontext_init(&context, secctx, len, 0); /* scaffolding */
+	security_release_secctx(&context);
 	return ret;
 }
 #else
diff --git a/net/netfilter/nf_conntrack_standalone.c b/net/netfilter/nf_conntrack_standalone.c
index 79c280d1efce..3fcf44342b14 100644
--- a/net/netfilter/nf_conntrack_standalone.c
+++ b/net/netfilter/nf_conntrack_standalone.c
@@ -179,6 +179,7 @@ static void ct_show_secctx(struct seq_file *s, const struct nf_conn *ct)
 	u32 len;
 	char *secctx;
 	struct lsmblob blob;
+	struct lsmcontext context;
 
 	lsmblob_init(&blob, ct->secmark);
 	ret = security_secid_to_secctx(&blob, &secctx, &len);
@@ -187,7 +188,8 @@ static void ct_show_secctx(struct seq_file *s, const struct nf_conn *ct)
 
 	seq_printf(s, "secctx=%s ", secctx);
 
-	security_release_secctx(secctx, len);
+	lsmcontext_init(&context, secctx, len, 0); /* scaffolding */
+	security_release_secctx(&context);
 }
 #else
 static inline void ct_show_secctx(struct seq_file *s, const struct nf_conn *ct)
diff --git a/net/netfilter/nfnetlink_queue.c b/net/netfilter/nfnetlink_queue.c
index 62c0c5b847c6..5961a9b17f66 100644
--- a/net/netfilter/nfnetlink_queue.c
+++ b/net/netfilter/nfnetlink_queue.c
@@ -397,6 +397,7 @@ nfqnl_build_packet_message(struct net *net, struct nfqnl_instance *queue,
 	enum ip_conntrack_info ctinfo;
 	struct nfnl_ct_hook *nfnl_ct;
 	bool csum_verify;
+	struct lsmcontext scaff; /* scaffolding */
 	char *secdata = NULL;
 	u32 seclen = 0;
 
@@ -626,8 +627,10 @@ nfqnl_build_packet_message(struct net *net, struct nfqnl_instance *queue,
 	}
 
 	nlh->nlmsg_len = skb->len;
-	if (seclen)
-		security_release_secctx(secdata, seclen);
+	if (seclen) {
+		lsmcontext_init(&scaff, secdata, seclen, 0);
+		security_release_secctx(&scaff);
+	}
 	return skb;
 
 nla_put_failure:
@@ -635,8 +638,10 @@ nfqnl_build_packet_message(struct net *net, struct nfqnl_instance *queue,
 	kfree_skb(skb);
 	net_err_ratelimited("nf_queue: error creating packet message\n");
 nlmsg_failure:
-	if (seclen)
-		security_release_secctx(secdata, seclen);
+	if (seclen) {
+		lsmcontext_init(&scaff, secdata, seclen, 0);
+		security_release_secctx(&scaff);
+	}
 	return NULL;
 }
 
diff --git a/net/netlabel/netlabel_unlabeled.c b/net/netlabel/netlabel_unlabeled.c
index 15b53fc4e83f..7cb6f27c8cb2 100644
--- a/net/netlabel/netlabel_unlabeled.c
+++ b/net/netlabel/netlabel_unlabeled.c
@@ -374,6 +374,7 @@ int netlbl_unlhsh_add(struct net *net,
 	struct net_device *dev;
 	struct netlbl_unlhsh_iface *iface;
 	struct audit_buffer *audit_buf = NULL;
+	struct lsmcontext context;
 	char *secctx = NULL;
 	u32 secctx_len;
 	struct lsmblob blob;
@@ -447,7 +448,9 @@ int netlbl_unlhsh_add(struct net *net,
 					     &secctx,
 					     &secctx_len) == 0) {
 			audit_log_format(audit_buf, " sec_obj=%s", secctx);
-			security_release_secctx(secctx, secctx_len);
+			/* scaffolding */
+			lsmcontext_init(&context, secctx, secctx_len, 0);
+			security_release_secctx(&context);
 		}
 		audit_log_format(audit_buf, " res=%u", ret_val == 0 ? 1 : 0);
 		audit_log_end(audit_buf);
@@ -478,6 +481,7 @@ static int netlbl_unlhsh_remove_addr4(struct net *net,
 	struct netlbl_unlhsh_addr4 *entry;
 	struct audit_buffer *audit_buf;
 	struct net_device *dev;
+	struct lsmcontext context;
 	char *secctx;
 	u32 secctx_len;
 	struct lsmblob blob;
@@ -508,7 +512,9 @@ static int netlbl_unlhsh_remove_addr4(struct net *net,
 		    security_secid_to_secctx(&blob,
 					     &secctx, &secctx_len) == 0) {
 			audit_log_format(audit_buf, " sec_obj=%s", secctx);
-			security_release_secctx(secctx, secctx_len);
+			/* scaffolding */
+			lsmcontext_init(&context, secctx, secctx_len, 0);
+			security_release_secctx(&context);
 		}
 		audit_log_format(audit_buf, " res=%u", entry != NULL ? 1 : 0);
 		audit_log_end(audit_buf);
@@ -545,6 +551,7 @@ static int netlbl_unlhsh_remove_addr6(struct net *net,
 	struct netlbl_unlhsh_addr6 *entry;
 	struct audit_buffer *audit_buf;
 	struct net_device *dev;
+	struct lsmcontext context;
 	char *secctx;
 	u32 secctx_len;
 	struct lsmblob blob;
@@ -574,7 +581,8 @@ static int netlbl_unlhsh_remove_addr6(struct net *net,
 		    security_secid_to_secctx(&blob,
 					     &secctx, &secctx_len) == 0) {
 			audit_log_format(audit_buf, " sec_obj=%s", secctx);
-			security_release_secctx(secctx, secctx_len);
+			lsmcontext_init(&context, secctx, secctx_len, 0);
+			security_release_secctx(&context);
 		}
 		audit_log_format(audit_buf, " res=%u", entry != NULL ? 1 : 0);
 		audit_log_end(audit_buf);
@@ -1093,6 +1101,7 @@ static int netlbl_unlabel_staticlist_gen(u32 cmd,
 	int ret_val = -ENOMEM;
 	struct netlbl_unlhsh_walk_arg *cb_arg = arg;
 	struct net_device *dev;
+	struct lsmcontext context;
 	void *data;
 	u32 secid;
 	char *secctx;
@@ -1163,7 +1172,9 @@ static int netlbl_unlabel_staticlist_gen(u32 cmd,
 			  NLBL_UNLABEL_A_SECCTX,
 			  secctx_len,
 			  secctx);
-	security_release_secctx(secctx, secctx_len);
+	/* scaffolding */
+	lsmcontext_init(&context, secctx, secctx_len, 0);
+	security_release_secctx(&context);
 	if (ret_val != 0)
 		goto list_cb_failure;
 
diff --git a/net/netlabel/netlabel_user.c b/net/netlabel/netlabel_user.c
index 893301ae0131..ef139d8ae7cd 100644
--- a/net/netlabel/netlabel_user.c
+++ b/net/netlabel/netlabel_user.c
@@ -84,6 +84,7 @@ struct audit_buffer *netlbl_audit_start_common(int type,
 					       struct netlbl_audit *audit_info)
 {
 	struct audit_buffer *audit_buf;
+	struct lsmcontext context;
 	char *secctx;
 	u32 secctx_len;
 	struct lsmblob blob;
@@ -103,7 +104,8 @@ struct audit_buffer *netlbl_audit_start_common(int type,
 	if (audit_info->secid != 0 &&
 	    security_secid_to_secctx(&blob, &secctx, &secctx_len) == 0) {
 		audit_log_format(audit_buf, " subj=%s", secctx);
-		security_release_secctx(secctx, secctx_len);
+		lsmcontext_init(&context, secctx, secctx_len, 0);/*scaffolding*/
+		security_release_secctx(&context);
 	}
 
 	return audit_buf;
diff --git a/security/security.c b/security/security.c
index 1d734d9579f1..d14717fe0cb7 100644
--- a/security/security.c
+++ b/security/security.c
@@ -2363,16 +2363,17 @@ int security_secctx_to_secid(const char *secdata, u32 seclen,
 }
 EXPORT_SYMBOL(security_secctx_to_secid);
 
-void security_release_secctx(char *secdata, u32 seclen)
+void security_release_secctx(struct lsmcontext *cp)
 {
 	struct security_hook_list *hp;
-	int ilsm = lsm_task_ilsm(current);
 
 	hlist_for_each_entry(hp, &security_hook_heads.release_secctx, list)
-		if (ilsm == LSMBLOB_INVALID || ilsm == hp->lsmid->slot) {
-			hp->hook.release_secctx(secdata, seclen);
-			return;
+		if (cp->slot == hp->lsmid->slot) {
+			hp->hook.release_secctx(cp->context, cp->len);
+			break;
 		}
+
+	memset(cp, 0, sizeof(*cp));
 }
 EXPORT_SYMBOL(security_release_secctx);
 

From patchwork Mon Dec 13 23:40:22 2021
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Casey Schaufler <casey@schaufler-ca.com>
X-Patchwork-Id: 1567512
X-Patchwork-Delegate: pablo@netfilter.org
Return-Path: <netfilter-devel-owner@vger.kernel.org>
X-Original-To: incoming@patchwork.ozlabs.org
Delivered-To: patchwork-incoming@bilbo.ozlabs.org
Authentication-Results: bilbo.ozlabs.org;
	dkim=pass (2048-bit key;
 unprotected) header.d=yahoo.com header.i=@yahoo.com header.a=rsa-sha256
 header.s=s2048 header.b=h4AqiYb9;
	dkim-atps=neutral
Authentication-Results: ozlabs.org;
 spf=pass (sender SPF authorized) smtp.mailfrom=vger.kernel.org
 (client-ip=23.128.96.18; helo=vger.kernel.org;
 envelope-from=netfilter-devel-owner@vger.kernel.org; receiver=<UNKNOWN>)
Received: from vger.kernel.org (vger.kernel.org [23.128.96.18])
	by bilbo.ozlabs.org (Postfix) with ESMTP id 4JCdkS3SG3z9sRN
	for <incoming@patchwork.ozlabs.org>; Tue, 14 Dec 2021 10:58:24 +1100 (AEDT)
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S239484AbhLMX6V (ORCPT <rfc822;incoming@patchwork.ozlabs.org>);
        Mon, 13 Dec 2021 18:58:21 -0500
Received: from sonic301-38.consmr.mail.ne1.yahoo.com ([66.163.184.207]:43107
        "EHLO sonic301-38.consmr.mail.ne1.yahoo.com" rhost-flags-OK-OK-OK-OK)
        by vger.kernel.org with ESMTP id S239232AbhLMX6V (ORCPT
        <rfc822;netfilter-devel@vger.kernel.org>);
        Mon, 13 Dec 2021 18:58:21 -0500
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=yahoo.com; s=s2048;
 t=1639439901; bh=PBedEzlKAak40yG894Xfp/LLsmNg/dxYLK2k0ILkdSA=;
 h=From:To:Cc:Subject:Date:In-Reply-To:References:From:Subject:Reply-To;
 b=h4AqiYb9pZGfAS7g9IZfGIuDiSGxxzehsrJ+spAZ5QFiOxeNnlVdBeUNQ5Vr2e13bupg00h3zOOyIfhJj06DOg6p2BTMCVJxjpybqRDL/Oe1qr68Y4UzlSyZ8d0MyBXjimX7LIpcci5+E50UHoaDNhN25iJLh1C/JvcOqQq/G9+wVjYKLvX8fbN+vrG6AvwbMRWFU0gOK0sclDCk/sLsXMAqFC3zhV4cCCyRU153PzmeMoZLJzioMDVQKYb1BjkLsB34vh/pWmG1eJ1I7HYDDH7RrWSxM4Ir2zLS/aS5AK9IVg6lcJJocJvL7iyAxz+xil/NnqpFGYYzKl0ylRtI6g==
X-SONIC-DKIM-SIGN: v=1; a=rsa-sha256; c=relaxed/relaxed; d=yahoo.com; s=s2048;
 t=1639439901; bh=8lHTP5kxRVnD3Ao+M8IU6wp6xqsDgQ3d25cUAITR3J0=;
 h=X-Sonic-MF:From:To:Subject:Date:From:Subject;
 b=JyW1xLUmZpVX1go82DEkoVT6QNJhcdHpWhEjD0AhS2YsWg9JtHOeV2j1lg4yAOf8s7fl2Mct9Wp+amhTL2pAXCB0XDv3M5rDg4+GnmgGCZSaQl2Rp4GTBkAEPmU6JdvDyK9zXpLZoketm/Dqc8O8Pm3ZYhFV1wpVq5YZKhkfPGxoUYtvlsvgaVMIURiAZacxlP7dnq7MQdbRWPUmomUngROLuiG/uDV8q9VzZVyrqsTEtFSL1s5gc75ICRXom/g6Re/zQ90kh/L9YOh9A3lKxQ80w3+BZKnrFq3sBz2E+XZUUhlnn7/4PaLtxFNviDPf8Ltag4Bp0qeQbQ6opKV3Hw==
X-YMail-OSG: 1mVmxF0VM1mufzy0HK7RrvJAFctnMUMSID69e7rsYqLuHf1wj8_BbWb7S08LaxB
 M8Xw0zz7W3r.OPl0dSGwRU_xr2p1tXRnSGIjJj1rXZd78AQAAA8ATgl4SF70GX05hydy0nAgw.4n
 P8YhAKdlhPHYRg6Vl_Pv2VxUDm_tSl5OIvewsAUq6zRk80.Tf4dSn6QtGlU2HnT.LOeBp94xAnjx
 REFHpfoVqavl5.UMPxJapNUp8Qe3EicS4Cl4dlZ.GXYUKK2e4Lweu.Zvac3jiW9G4AaK2V4XPIoZ
 t451ufQBEpyAT.RQP89VOiyRC2298NTgpdrHhxdonhcTxmtcXnLaK3tpZ78DBA4c1dL1Os6T4YT_
 b4HF0Ip3H5FLIqdXbecvGN_5SuLZmNA_Cuj2XatgLyBIvUlpBBwpBtH2xgayRcufMJNQW7GjTrRf
 _NmyOhUPpDLl3.boryNgRM0Ct3GlF2M1Pa8Zdr_D.imxalALcoko1lESbGTlfMZCN5uRCFNGR4S7
 0tXflxXkcQEp_TNiX1dHh_D8Cr6LLbikkfLUst0Hwc8c1rBKmSjskyO6ulAi2c8CT3H_sRelI.1H
 flaPZC94ckJewTC_.zxFX2tejT708IocHZ0ypnnSiEEIY02X7Fo44vQ_FTB9IbDoDm.PH8AOjgRb
 kfyRrSotrtaPNlNGprSKH8RXj7H79WSLnuWWQprh12E1Czc60pdtguWUygZqy8QvzXCmfnmkKudx
 owIJNe6FMVKTqqyiDrlosUeiYvRIifU8q5toGa0YDcifeDIxGF.EUUEQiqVntcKU5uiS4HcKQiQC
 75HXKmeBsjFAnVcBaVMQCpY1wz_7QRjvKoFdVKO5ppcmTuCMORgPD_HdSJqw5yDAhESudS55TLUZ
 iDon3VrqmbZ_uwkpBv1yfvIv85hEe8hodlHV4V.5nJhuGnYcXO7lwGfdTUHZK9jRad_OJQBlN4qT
 yCYdmTsSTzYlYwTFEnH2wPB.JvanGvBxE1TaVExzpo6.axoMUO7N2Q9huWs76aGyNEgV3RS1KNyV
 yalvm4_oHrIyrQjuIlGbMYD3LOGfwLDpFsXi.1_O58P4z6qkcxVth41ot7fBm80HoUGVLfFuBiwt
 .P8TxB4WtbPYOIU5GNxj9_MapVpo5kWCAynfKRx6jBMkexCZtkOiHictBeiZXqCD1c5iojkUjHBq
 ehz_ZvrvqW0Q1jX.hrBbgugVU29i7ZF3WWUl.9GD46GhyesQ_3FhEWg4VffRKKnP6xHvvXi3UoM5
 RydWs4FejpItzR.iNHMSZqePnbx0DE4A_ONaRto2TuXHT6GhiYyNNQxIHQ38KeGClhh7fOomRaen
 z46fwafiJXFCLuu7xP5Tmpw4lG2CZIGJEzdNVsDTlk8iPXttm8yhwVcich016EpFid3gcKyku7kY
 YdawH_bsc_qzBvzZDxcB8DMtPQbxmz69F5Ic0Ok2el1eC5Wmep.bimvBZsih.h8PjISbnAQRR7Yg
 MnC_YVdpkWDwWaf2DKx2AAS7keAg.6iqrbpqNOea.iEKxjeEPEkQrLx.icrL14P8c_nIknOK7.NV
 EBcdlW8l.QpmVNZgXtwKefoBhJZrZ0xNZQIEjsdJv11LE7VIX0v7bahl7bchUgBSawJ63UZMGx5K
 zMRgtzipltGMFT4BpNS2_Wxjb5pyq.VujepoJB.glRqnTxC9JPyxG0f.BqTWBsiNqLqHe37IBbsg
 aJZb72U9B24NnuigYruXa.2EtVWYK2b._tYb6xxbOJSHPQZ4NKNWG.Oq1jrX5dEw6vgvdQxxVDYV
 .xFZsyTql1cUUywPsey3sbpFO.gtpabCHOPOZRhLHiDQGX4rj.1fseZBka1dlmb0sLiD19Av5HWX
 fd_BOH1t411oxmvi0aIIzXW4DXCUapq72U4cGoe3eFFg3c_WFE74YPTjMZcrhv5l8ugCSVGdUVB7
 VNnaq7LuD7uWj4i.vOTd.R2Kfl3PsrbfUH5DNeWErCOn62LnriM8X1TBCJBjuIHUZnnet5vnPOIz
 ubFKbsW915clcjH5aX_GqxZJ.rgoIQFgPJcMPM4KRWQPpALDpnt9u82VT.6ICK1k4TlVtVD2mwVK
 JGvA5X57Wea77OEs0zx5kM6ZwMzZpiZt0OUa603j42JXVfS83CbBwyRhQQgXoEPi.rCEnWK3.9gw
 TtPBMNlcSu.8lVKqunJGt61KXR2LV5ttAFu3uhrrQvWrxzE8m1_ZZm574sdPaxSbppXhDiJ.RhJk
 XbgnztS0Mwq2ec_Z7HYjQAfEiKYdNlgOEI.8TYCJI_c7GrOQkPYyFcr6lTgljKs6WzWRhtY597gu
 cSqY5MV0wl.Qv4x5LS.H60Ha37pFIcelS9oB1hnVME5aevhkr
X-Sonic-MF: <casey@schaufler-ca.com>
Received: from sonic.gate.mail.ne1.yahoo.com by
 sonic301.consmr.mail.ne1.yahoo.com with HTTP; Mon, 13 Dec 2021 23:58:21 +0000
Received: by kubenode529.mail-prod1.omega.ne1.yahoo.com (VZM Hermes SMTP
 Server) with ESMTPA ID 1cbb5caca434fc2d243d7902734cae87;
          Mon, 13 Dec 2021 23:58:18 +0000 (UTC)
From: Casey Schaufler <casey@schaufler-ca.com>
To: casey.schaufler@intel.com, jmorris@namei.org,
        linux-security-module@vger.kernel.org, selinux@vger.kernel.org
Cc: casey@schaufler-ca.com, linux-audit@redhat.com,
        keescook@chromium.org, john.johansen@canonical.com,
        penguin-kernel@i-love.sakura.ne.jp, paul@paul-moore.com,
        sds@tycho.nsa.gov, linux-kernel@vger.kernel.org,
        netdev@vger.kernel.org, netfilter-devel@vger.kernel.org
Subject: [PATCH v31 16/28] LSM: Use lsmcontext in security_secid_to_secctx
Date: Mon, 13 Dec 2021 15:40:22 -0800
Message-Id: <20211213234034.111891-17-casey@schaufler-ca.com>
X-Mailer: git-send-email 2.31.1
In-Reply-To: <20211213234034.111891-1-casey@schaufler-ca.com>
References: <20211213234034.111891-1-casey@schaufler-ca.com>
MIME-Version: 1.0
Precedence: bulk
List-ID: <netfilter-devel.vger.kernel.org>
X-Mailing-List: netfilter-devel@vger.kernel.org

Replace the (secctx,seclen) pointer pair with a single
lsmcontext pointer to allow return of the LSM identifier
along with the context and context length. This allows
security_release_secctx() to know how to release the
context. Callers have been modified to use or save the
returned data from the new structure.

security_secid_to_secctx() will now return the length value
if the passed lsmcontext pointer is NULL.

Signed-off-by: Casey Schaufler <casey@schaufler-ca.com>
Cc: netdev@vger.kernel.org
Cc: linux-audit@redhat.com
Cc: netfilter-devel@vger.kernel.org
---
 drivers/android/binder.c                | 26 +++++++---------
 include/linux/security.h                |  4 +--
 include/net/scm.h                       |  9 ++----
 kernel/audit.c                          | 39 +++++++++++-------------
 kernel/auditsc.c                        | 31 +++++++------------
 net/ipv4/ip_sockglue.c                  |  8 ++---
 net/netfilter/nf_conntrack_netlink.c    | 18 ++++-------
 net/netfilter/nf_conntrack_standalone.c |  7 ++---
 net/netfilter/nfnetlink_queue.c         |  5 +++-
 net/netlabel/netlabel_unlabeled.c       | 40 ++++++++-----------------
 net/netlabel/netlabel_user.c            |  7 ++---
 security/security.c                     | 29 ++++++++++++++++--
 12 files changed, 98 insertions(+), 125 deletions(-)

diff --git a/drivers/android/binder.c b/drivers/android/binder.c
index 32dca5b40e8a..b9699f7ac603 100644
--- a/drivers/android/binder.c
+++ b/drivers/android/binder.c
@@ -2467,9 +2467,7 @@ static void binder_transaction(struct binder_proc *proc,
 	binder_size_t last_fixup_min_off = 0;
 	struct binder_context *context = proc->context;
 	int t_debug_id = atomic_inc_return(&binder_last_id);
-	char *secctx = NULL;
-	u32 secctx_sz = 0;
-	struct lsmcontext scaff; /* scaffolding */
+	struct lsmcontext lsmctx = { };
 
 	e = binder_transaction_log_add(&binder_transaction_log);
 	e->debug_id = t_debug_id;
@@ -2723,14 +2721,14 @@ static void binder_transaction(struct binder_proc *proc,
 		size_t added_size;
 
 		security_cred_getsecid(proc->cred, &blob);
-		ret = security_secid_to_secctx(&blob, &secctx, &secctx_sz);
+		ret = security_secid_to_secctx(&blob, &lsmctx);
 		if (ret) {
 			return_error = BR_FAILED_REPLY;
 			return_error_param = ret;
 			return_error_line = __LINE__;
 			goto err_get_secctx_failed;
 		}
-		added_size = ALIGN(secctx_sz, sizeof(u64));
+		added_size = ALIGN(lsmctx.len, sizeof(u64));
 		extra_buffers_size += added_size;
 		if (extra_buffers_size < added_size) {
 			/* integer overflow of extra_buffers_size */
@@ -2757,24 +2755,22 @@ static void binder_transaction(struct binder_proc *proc,
 		t->buffer = NULL;
 		goto err_binder_alloc_buf_failed;
 	}
-	if (secctx) {
+	if (lsmctx.context) {
 		int err;
 		size_t buf_offset = ALIGN(tr->data_size, sizeof(void *)) +
 				    ALIGN(tr->offsets_size, sizeof(void *)) +
 				    ALIGN(extra_buffers_size, sizeof(void *)) -
-				    ALIGN(secctx_sz, sizeof(u64));
+				    ALIGN(lsmctx.len, sizeof(u64));
 
 		t->security_ctx = (uintptr_t)t->buffer->user_data + buf_offset;
 		err = binder_alloc_copy_to_buffer(&target_proc->alloc,
 						  t->buffer, buf_offset,
-						  secctx, secctx_sz);
+						  lsmctx.context, lsmctx.len);
 		if (err) {
 			t->security_ctx = 0;
 			WARN_ON(1);
 		}
-		lsmcontext_init(&scaff, secctx, secctx_sz, 0);
-		security_release_secctx(&scaff);
-		secctx = NULL;
+		security_release_secctx(&lsmctx);
 	}
 	t->buffer->debug_id = t->debug_id;
 	t->buffer->transaction = t;
@@ -2831,7 +2827,7 @@ static void binder_transaction(struct binder_proc *proc,
 	off_end_offset = off_start_offset + tr->offsets_size;
 	sg_buf_offset = ALIGN(off_end_offset, sizeof(void *));
 	sg_buf_end_offset = sg_buf_offset + extra_buffers_size -
-		ALIGN(secctx_sz, sizeof(u64));
+		ALIGN(lsmctx.len, sizeof(u64));
 	off_min = 0;
 	for (buffer_offset = off_start_offset; buffer_offset < off_end_offset;
 	     buffer_offset += sizeof(binder_size_t)) {
@@ -3114,10 +3110,8 @@ static void binder_transaction(struct binder_proc *proc,
 	binder_alloc_free_buf(&target_proc->alloc, t->buffer);
 err_binder_alloc_buf_failed:
 err_bad_extra_size:
-	if (secctx) {
-		lsmcontext_init(&scaff, secctx, secctx_sz, 0);
-		security_release_secctx(&scaff);
-	}
+	if (lsmctx.context)
+		security_release_secctx(&lsmctx);
 err_get_secctx_failed:
 	kfree(tcomplete);
 	binder_stats_deleted(BINDER_STAT_TRANSACTION_COMPLETE);
diff --git a/include/linux/security.h b/include/linux/security.h
index e439663c955f..3c66edb31e14 100644
--- a/include/linux/security.h
+++ b/include/linux/security.h
@@ -598,7 +598,7 @@ int security_setprocattr(const char *lsm, const char *name, void *value,
 			 size_t size);
 int security_netlink_send(struct sock *sk, struct sk_buff *skb);
 int security_ismaclabel(const char *name);
-int security_secid_to_secctx(struct lsmblob *blob, char **secdata, u32 *seclen);
+int security_secid_to_secctx(struct lsmblob *blob, struct lsmcontext *cp);
 int security_secctx_to_secid(const char *secdata, u32 seclen,
 			     struct lsmblob *blob);
 void security_release_secctx(struct lsmcontext *cp);
@@ -1459,7 +1459,7 @@ static inline int security_ismaclabel(const char *name)
 }
 
 static inline int security_secid_to_secctx(struct lsmblob *blob,
-					   char **secdata, u32 *seclen)
+					   struct lsmcontext *cp)
 {
 	return -EOPNOTSUPP;
 }
diff --git a/include/net/scm.h b/include/net/scm.h
index f273c4d777ec..b77a52f93389 100644
--- a/include/net/scm.h
+++ b/include/net/scm.h
@@ -94,8 +94,6 @@ static inline void scm_passec(struct socket *sock, struct msghdr *msg, struct sc
 {
 	struct lsmcontext context;
 	struct lsmblob lb;
-	char *secdata;
-	u32 seclen;
 	int err;
 
 	if (test_bit(SOCK_PASSSEC, &sock->flags)) {
@@ -103,12 +101,11 @@ static inline void scm_passec(struct socket *sock, struct msghdr *msg, struct sc
 		 * and the infrastructure will know which it is.
 		 */
 		lsmblob_init(&lb, scm->secid);
-		err = security_secid_to_secctx(&lb, &secdata, &seclen);
+		err = security_secid_to_secctx(&lb, &context);
 
 		if (!err) {
-			put_cmsg(msg, SOL_SOCKET, SCM_SECURITY, seclen, secdata);
-			/*scaffolding*/
-			lsmcontext_init(&context, secdata, seclen, 0);
+			put_cmsg(msg, SOL_SOCKET, SCM_SECURITY, context.len,
+				 context.context);
 			security_release_secctx(&context);
 		}
 	}
diff --git a/kernel/audit.c b/kernel/audit.c
index c17ec23158c4..841123390d41 100644
--- a/kernel/audit.c
+++ b/kernel/audit.c
@@ -1190,9 +1190,6 @@ static int audit_receive_msg(struct sk_buff *skb, struct nlmsghdr *nlh)
 	struct audit_buffer	*ab;
 	u16			msg_type = nlh->nlmsg_type;
 	struct audit_sig_info   *sig_data;
-	char			*ctx = NULL;
-	u32			len;
-	struct lsmcontext	scaff; /* scaffolding */
 
 	err = audit_netlink_ok(skb, msg_type);
 	if (err)
@@ -1440,33 +1437,34 @@ static int audit_receive_msg(struct sk_buff *skb, struct nlmsghdr *nlh)
 		kfree(new);
 		break;
 	}
-	case AUDIT_SIGNAL_INFO:
-		len = 0;
+	case AUDIT_SIGNAL_INFO: {
+		struct lsmcontext context = { };
+		int len = 0;
+
 		if (lsmblob_is_set(&audit_sig_lsm)) {
-			err = security_secid_to_secctx(&audit_sig_lsm, &ctx,
-						       &len);
+			err = security_secid_to_secctx(&audit_sig_lsm,
+						       &context);
 			if (err)
 				return err;
 		}
-		sig_data = kmalloc(sizeof(*sig_data) + len, GFP_KERNEL);
+		sig_data = kmalloc(sizeof(*sig_data) + context.len, GFP_KERNEL);
 		if (!sig_data) {
-			if (lsmblob_is_set(&audit_sig_lsm)) {
-				lsmcontext_init(&scaff, ctx, len, 0);
-				security_release_secctx(&scaff);
-			}
+			if (lsmblob_is_set(&audit_sig_lsm))
+				security_release_secctx(&context);
 			return -ENOMEM;
 		}
 		sig_data->uid = from_kuid(&init_user_ns, audit_sig_uid);
 		sig_data->pid = audit_sig_pid;
 		if (lsmblob_is_set(&audit_sig_lsm)) {
-			memcpy(sig_data->ctx, ctx, len);
-			lsmcontext_init(&scaff, ctx, len, 0);
-			security_release_secctx(&scaff);
+			len = context.len;
+			memcpy(sig_data->ctx, context.context, len);
+			security_release_secctx(&context);
 		}
 		audit_send_reply(skb, seq, AUDIT_SIGNAL_INFO, 0, 0,
 				 sig_data, sizeof(*sig_data) + len);
 		kfree(sig_data);
 		break;
+	}
 	case AUDIT_TTY_GET: {
 		struct audit_tty_status s;
 		unsigned int t;
@@ -2132,26 +2130,23 @@ void audit_log_key(struct audit_buffer *ab, char *key)
 
 int audit_log_task_context(struct audit_buffer *ab)
 {
-	char *ctx = NULL;
-	unsigned len;
 	int error;
 	struct lsmblob blob;
-	struct lsmcontext scaff; /* scaffolding */
+	struct lsmcontext context;
 
 	security_task_getsecid_subj(current, &blob);
 	if (!lsmblob_is_set(&blob))
 		return 0;
 
-	error = security_secid_to_secctx(&blob, &ctx, &len);
+	error = security_secid_to_secctx(&blob, &context);
 	if (error) {
 		if (error != -EINVAL)
 			goto error_path;
 		return 0;
 	}
 
-	audit_log_format(ab, " subj=%s", ctx);
-	lsmcontext_init(&scaff, ctx, len, 0);
-	security_release_secctx(&scaff);
+	audit_log_format(ab, " subj=%s", context.context);
+	security_release_secctx(&context);
 	return 0;
 
 error_path:
diff --git a/kernel/auditsc.c b/kernel/auditsc.c
index 3c72ff647fd8..a3de97beba21 100644
--- a/kernel/auditsc.c
+++ b/kernel/auditsc.c
@@ -1112,9 +1112,7 @@ static int audit_log_pid_context(struct audit_context *context, pid_t pid,
 				 struct lsmblob *blob, char *comm)
 {
 	struct audit_buffer *ab;
-	struct lsmcontext lsmcxt;
-	char *ctx = NULL;
-	u32 len;
+	struct lsmcontext lsmctx;
 	int rc = 0;
 
 	ab = audit_log_start(context, GFP_KERNEL, AUDIT_OBJ_PID);
@@ -1125,13 +1123,12 @@ static int audit_log_pid_context(struct audit_context *context, pid_t pid,
 			 from_kuid(&init_user_ns, auid),
 			 from_kuid(&init_user_ns, uid), sessionid);
 	if (lsmblob_is_set(blob)) {
-		if (security_secid_to_secctx(blob, &ctx, &len)) {
+		if (security_secid_to_secctx(blob, &lsmctx)) {
 			audit_log_format(ab, " obj=(none)");
 			rc = 1;
 		} else {
-			audit_log_format(ab, " obj=%s", ctx);
-			lsmcontext_init(&lsmcxt, ctx, len, 0); /*scaffolding*/
-			security_release_secctx(&lsmcxt);
+			audit_log_format(ab, " obj=%s", lsmctx.context);
+			security_release_secctx(&lsmctx);
 		}
 	}
 	audit_log_format(ab, " ocomm=");
@@ -1344,7 +1341,6 @@ static void audit_log_fcaps(struct audit_buffer *ab, struct audit_names *name)
 
 static void show_special(struct audit_context *context, int *call_panic)
 {
-	struct lsmcontext lsmcxt;
 	struct audit_buffer *ab;
 	int i;
 
@@ -1369,17 +1365,15 @@ static void show_special(struct audit_context *context, int *call_panic)
 				 from_kgid(&init_user_ns, context->ipc.gid),
 				 context->ipc.mode);
 		if (osid) {
-			char *ctx = NULL;
-			u32 len;
+			struct lsmcontext lsmcxt;
 			struct lsmblob blob;
 
 			lsmblob_init(&blob, osid);
-			if (security_secid_to_secctx(&blob, &ctx, &len)) {
+			if (security_secid_to_secctx(&blob, &lsmcxt)) {
 				audit_log_format(ab, " osid=%u", osid);
 				*call_panic = 1;
 			} else {
-				audit_log_format(ab, " obj=%s", ctx);
-				lsmcontext_init(&lsmcxt, ctx, len, 0);
+				audit_log_format(ab, " obj=%s", lsmcxt.context);
 				security_release_secctx(&lsmcxt);
 			}
 		}
@@ -1534,20 +1528,17 @@ static void audit_log_name(struct audit_context *context, struct audit_names *n,
 				 MAJOR(n->rdev),
 				 MINOR(n->rdev));
 	if (n->osid != 0) {
-		char *ctx = NULL;
-		u32 len;
 		struct lsmblob blob;
-		struct lsmcontext lsmcxt;
+		struct lsmcontext lsmctx;
 
 		lsmblob_init(&blob, n->osid);
-		if (security_secid_to_secctx(&blob, &ctx, &len)) {
+		if (security_secid_to_secctx(&blob, &lsmctx)) {
 			audit_log_format(ab, " osid=%u", n->osid);
 			if (call_panic)
 				*call_panic = 2;
 		} else {
-			audit_log_format(ab, " obj=%s", ctx);
-			lsmcontext_init(&lsmcxt, ctx, len, 0); /* scaffolding */
-			security_release_secctx(&lsmcxt);
+			audit_log_format(ab, " obj=%s", lsmctx.context);
+			security_release_secctx(&lsmctx);
 		}
 	}
 
diff --git a/net/ipv4/ip_sockglue.c b/net/ipv4/ip_sockglue.c
index dbba700fb151..47d1085e037e 100644
--- a/net/ipv4/ip_sockglue.c
+++ b/net/ipv4/ip_sockglue.c
@@ -132,8 +132,7 @@ static void ip_cmsg_recv_security(struct msghdr *msg, struct sk_buff *skb)
 {
 	struct lsmcontext context;
 	struct lsmblob lb;
-	char *secdata;
-	u32 seclen, secid;
+	u32 secid;
 	int err;
 
 	err = security_socket_getpeersec_dgram(NULL, skb, &secid);
@@ -141,12 +140,11 @@ static void ip_cmsg_recv_security(struct msghdr *msg, struct sk_buff *skb)
 		return;
 
 	lsmblob_init(&lb, secid);
-	err = security_secid_to_secctx(&lb, &secdata, &seclen);
+	err = security_secid_to_secctx(&lb, &context);
 	if (err)
 		return;
 
-	put_cmsg(msg, SOL_IP, SCM_SECURITY, seclen, secdata);
-	lsmcontext_init(&context, secdata, seclen, 0); /* scaffolding */
+	put_cmsg(msg, SOL_IP, SCM_SECURITY, context.len, context.context);
 	security_release_secctx(&context);
 }
 
diff --git a/net/netfilter/nf_conntrack_netlink.c b/net/netfilter/nf_conntrack_netlink.c
index 40cbb00432d4..e4a0d1c8ac55 100644
--- a/net/netfilter/nf_conntrack_netlink.c
+++ b/net/netfilter/nf_conntrack_netlink.c
@@ -339,8 +339,7 @@ static int ctnetlink_dump_mark(struct sk_buff *skb, const struct nf_conn *ct)
 static int ctnetlink_dump_secctx(struct sk_buff *skb, const struct nf_conn *ct)
 {
 	struct nlattr *nest_secctx;
-	int len, ret;
-	char *secctx;
+	int ret;
 	struct lsmblob blob;
 	struct lsmcontext context;
 
@@ -348,7 +347,7 @@ static int ctnetlink_dump_secctx(struct sk_buff *skb, const struct nf_conn *ct)
 	 * security_secid_to_secctx() will know which security module
 	 * to use to create the secctx.  */
 	lsmblob_init(&blob, ct->secmark);
-	ret = security_secid_to_secctx(&blob, &secctx, &len);
+	ret = security_secid_to_secctx(&blob, &context);
 	if (ret)
 		return 0;
 
@@ -357,13 +356,12 @@ static int ctnetlink_dump_secctx(struct sk_buff *skb, const struct nf_conn *ct)
 	if (!nest_secctx)
 		goto nla_put_failure;
 
-	if (nla_put_string(skb, CTA_SECCTX_NAME, secctx))
+	if (nla_put_string(skb, CTA_SECCTX_NAME, context.context))
 		goto nla_put_failure;
 	nla_nest_end(skb, nest_secctx);
 
 	ret = 0;
 nla_put_failure:
-	lsmcontext_init(&context, secctx, len, 0); /* scaffolding */
 	security_release_secctx(&context);
 	return ret;
 }
@@ -656,15 +654,11 @@ static inline size_t ctnetlink_acct_size(const struct nf_conn *ct)
 static inline int ctnetlink_secctx_size(const struct nf_conn *ct)
 {
 #ifdef CONFIG_NF_CONNTRACK_SECMARK
-	int len, ret;
+	int len;
 	struct lsmblob blob;
 
-	/* lsmblob_init() puts ct->secmark into all of the secids in blob.
-	 * security_secid_to_secctx() will know which security module
-	 * to use to create the secctx.  */
-	lsmblob_init(&blob, ct->secmark);
-	ret = security_secid_to_secctx(&blob, NULL, &len);
-	if (ret)
+	len = security_secid_to_secctx(&blob, NULL);
+	if (len <= 0)
 		return 0;
 
 	return nla_total_size(0) /* CTA_SECCTX */
diff --git a/net/netfilter/nf_conntrack_standalone.c b/net/netfilter/nf_conntrack_standalone.c
index 3fcf44342b14..c8825e89a21e 100644
--- a/net/netfilter/nf_conntrack_standalone.c
+++ b/net/netfilter/nf_conntrack_standalone.c
@@ -176,19 +176,16 @@ static void ct_seq_stop(struct seq_file *s, void *v)
 static void ct_show_secctx(struct seq_file *s, const struct nf_conn *ct)
 {
 	int ret;
-	u32 len;
-	char *secctx;
 	struct lsmblob blob;
 	struct lsmcontext context;
 
 	lsmblob_init(&blob, ct->secmark);
-	ret = security_secid_to_secctx(&blob, &secctx, &len);
+	ret = security_secid_to_secctx(&blob, &context);
 	if (ret)
 		return;
 
-	seq_printf(s, "secctx=%s ", secctx);
+	seq_printf(s, "secctx=%s ", context.context);
 
-	lsmcontext_init(&context, secctx, len, 0); /* scaffolding */
 	security_release_secctx(&context);
 }
 #else
diff --git a/net/netfilter/nfnetlink_queue.c b/net/netfilter/nfnetlink_queue.c
index 5961a9b17f66..f19897b3cf39 100644
--- a/net/netfilter/nfnetlink_queue.c
+++ b/net/netfilter/nfnetlink_queue.c
@@ -306,6 +306,7 @@ static u32 nfqnl_get_sk_secctx(struct sk_buff *skb, char **secdata)
 	u32 seclen = 0;
 #if IS_ENABLED(CONFIG_NETWORK_SECMARK)
 	struct lsmblob blob;
+	struct lsmcontext context = { };
 
 	if (!skb || !sk_fullsock(skb->sk))
 		return 0;
@@ -317,10 +318,12 @@ static u32 nfqnl_get_sk_secctx(struct sk_buff *skb, char **secdata)
 		 * blob. security_secid_to_secctx() will know which security
 		 * module to use to create the secctx.  */
 		lsmblob_init(&blob, skb->secmark);
-		security_secid_to_secctx(&blob, secdata, &seclen);
+		security_secid_to_secctx(&blob, &context);
+		*secdata = context.context;
 	}
 
 	read_unlock_bh(&skb->sk->sk_callback_lock);
+	seclen = context.len;
 #endif
 	return seclen;
 }
diff --git a/net/netlabel/netlabel_unlabeled.c b/net/netlabel/netlabel_unlabeled.c
index 7cb6f27c8cb2..596a75814fbf 100644
--- a/net/netlabel/netlabel_unlabeled.c
+++ b/net/netlabel/netlabel_unlabeled.c
@@ -375,8 +375,6 @@ int netlbl_unlhsh_add(struct net *net,
 	struct netlbl_unlhsh_iface *iface;
 	struct audit_buffer *audit_buf = NULL;
 	struct lsmcontext context;
-	char *secctx = NULL;
-	u32 secctx_len;
 	struct lsmblob blob;
 
 	if (addr_len != sizeof(struct in_addr) &&
@@ -444,12 +442,9 @@ int netlbl_unlhsh_add(struct net *net,
 		 * security_secid_to_secctx() will know which security module
 		 * to use to create the secctx.  */
 		lsmblob_init(&blob, secid);
-		if (security_secid_to_secctx(&blob,
-					     &secctx,
-					     &secctx_len) == 0) {
-			audit_log_format(audit_buf, " sec_obj=%s", secctx);
-			/* scaffolding */
-			lsmcontext_init(&context, secctx, secctx_len, 0);
+		if (security_secid_to_secctx(&blob, &context) == 0) {
+			audit_log_format(audit_buf, " sec_obj=%s",
+					 context.context);
 			security_release_secctx(&context);
 		}
 		audit_log_format(audit_buf, " res=%u", ret_val == 0 ? 1 : 0);
@@ -482,8 +477,6 @@ static int netlbl_unlhsh_remove_addr4(struct net *net,
 	struct audit_buffer *audit_buf;
 	struct net_device *dev;
 	struct lsmcontext context;
-	char *secctx;
-	u32 secctx_len;
 	struct lsmblob blob;
 
 	spin_lock(&netlbl_unlhsh_lock);
@@ -509,11 +502,9 @@ static int netlbl_unlhsh_remove_addr4(struct net *net,
 		if (entry != NULL)
 			lsmblob_init(&blob, entry->secid);
 		if (entry != NULL &&
-		    security_secid_to_secctx(&blob,
-					     &secctx, &secctx_len) == 0) {
-			audit_log_format(audit_buf, " sec_obj=%s", secctx);
-			/* scaffolding */
-			lsmcontext_init(&context, secctx, secctx_len, 0);
+		    security_secid_to_secctx(&blob, &context) == 0) {
+			audit_log_format(audit_buf, " sec_obj=%s",
+					 context.context);
 			security_release_secctx(&context);
 		}
 		audit_log_format(audit_buf, " res=%u", entry != NULL ? 1 : 0);
@@ -552,8 +543,6 @@ static int netlbl_unlhsh_remove_addr6(struct net *net,
 	struct audit_buffer *audit_buf;
 	struct net_device *dev;
 	struct lsmcontext context;
-	char *secctx;
-	u32 secctx_len;
 	struct lsmblob blob;
 
 	spin_lock(&netlbl_unlhsh_lock);
@@ -578,10 +567,9 @@ static int netlbl_unlhsh_remove_addr6(struct net *net,
 		if (entry != NULL)
 			lsmblob_init(&blob, entry->secid);
 		if (entry != NULL &&
-		    security_secid_to_secctx(&blob,
-					     &secctx, &secctx_len) == 0) {
-			audit_log_format(audit_buf, " sec_obj=%s", secctx);
-			lsmcontext_init(&context, secctx, secctx_len, 0);
+		    security_secid_to_secctx(&blob, &context) == 0) {
+			audit_log_format(audit_buf, " sec_obj=%s",
+					 context.context);
 			security_release_secctx(&context);
 		}
 		audit_log_format(audit_buf, " res=%u", entry != NULL ? 1 : 0);
@@ -1104,8 +1092,6 @@ static int netlbl_unlabel_staticlist_gen(u32 cmd,
 	struct lsmcontext context;
 	void *data;
 	u32 secid;
-	char *secctx;
-	u32 secctx_len;
 	struct lsmblob blob;
 
 	data = genlmsg_put(cb_arg->skb, NETLINK_CB(cb_arg->nl_cb->skb).portid,
@@ -1165,15 +1151,13 @@ static int netlbl_unlabel_staticlist_gen(u32 cmd,
 	 * security_secid_to_secctx() will know which security module
 	 * to use to create the secctx.  */
 	lsmblob_init(&blob, secid);
-	ret_val = security_secid_to_secctx(&blob, &secctx, &secctx_len);
+	ret_val = security_secid_to_secctx(&blob, &context);
 	if (ret_val != 0)
 		goto list_cb_failure;
 	ret_val = nla_put(cb_arg->skb,
 			  NLBL_UNLABEL_A_SECCTX,
-			  secctx_len,
-			  secctx);
-	/* scaffolding */
-	lsmcontext_init(&context, secctx, secctx_len, 0);
+			  context.len,
+			  context.context);
 	security_release_secctx(&context);
 	if (ret_val != 0)
 		goto list_cb_failure;
diff --git a/net/netlabel/netlabel_user.c b/net/netlabel/netlabel_user.c
index ef139d8ae7cd..951ba0639d20 100644
--- a/net/netlabel/netlabel_user.c
+++ b/net/netlabel/netlabel_user.c
@@ -85,8 +85,6 @@ struct audit_buffer *netlbl_audit_start_common(int type,
 {
 	struct audit_buffer *audit_buf;
 	struct lsmcontext context;
-	char *secctx;
-	u32 secctx_len;
 	struct lsmblob blob;
 
 	if (audit_enabled == AUDIT_OFF)
@@ -102,9 +100,8 @@ struct audit_buffer *netlbl_audit_start_common(int type,
 
 	lsmblob_init(&blob, audit_info->secid);
 	if (audit_info->secid != 0 &&
-	    security_secid_to_secctx(&blob, &secctx, &secctx_len) == 0) {
-		audit_log_format(audit_buf, " subj=%s", secctx);
-		lsmcontext_init(&context, secctx, secctx_len, 0);/*scaffolding*/
+	    security_secid_to_secctx(&blob, &context) == 0) {
+		audit_log_format(audit_buf, " subj=%s", context.context);
 		security_release_secctx(&context);
 	}
 
diff --git a/security/security.c b/security/security.c
index d14717fe0cb7..dc0d4ae44a64 100644
--- a/security/security.c
+++ b/security/security.c
@@ -2327,18 +2327,41 @@ int security_ismaclabel(const char *name)
 }
 EXPORT_SYMBOL(security_ismaclabel);
 
-int security_secid_to_secctx(struct lsmblob *blob, char **secdata, u32 *seclen)
+/**
+ * security_secid_to_secctx - convert secid to secctx
+ * @blob: set of secids
+ * @cp: lsm context into which result is put
+ *
+ * Translate secid information into a secctx string.
+ * Return a negative value on error.
+ * If cp is NULL return the length of the string.
+ * Otherwise, return 0.
+ */
+int security_secid_to_secctx(struct lsmblob *blob, struct lsmcontext *cp)
 {
 	struct security_hook_list *hp;
 	int ilsm = lsm_task_ilsm(current);
 
+	if (cp)
+		memset(cp, 0, sizeof(*cp));
+
 	hlist_for_each_entry(hp, &security_hook_heads.secid_to_secctx, list) {
 		if (WARN_ON(hp->lsmid->slot < 0 || hp->lsmid->slot >= lsm_slot))
 			continue;
-		if (ilsm == LSMBLOB_INVALID || ilsm == hp->lsmid->slot)
+		if (ilsm == LSMBLOB_INVALID || ilsm == hp->lsmid->slot) {
+			if (!cp) {
+				int len;
+				int rc;
+				rc = hp->hook.secid_to_secctx(
+					blob->secid[hp->lsmid->slot],
+					NULL, &len);
+				return rc ? rc : len;
+			}
+			cp->slot = hp->lsmid->slot;
 			return hp->hook.secid_to_secctx(
 					blob->secid[hp->lsmid->slot],
-					secdata, seclen);
+					&cp->context, &cp->len);
+		}
 	}
 
 	return LSM_RET_DEFAULT(secid_to_secctx);

From patchwork Mon Dec 13 23:40:24 2021
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Casey Schaufler <casey@schaufler-ca.com>
X-Patchwork-Id: 1567513
X-Patchwork-Delegate: pablo@netfilter.org
Return-Path: <netfilter-devel-owner@vger.kernel.org>
X-Original-To: incoming@patchwork.ozlabs.org
Delivered-To: patchwork-incoming@bilbo.ozlabs.org
Authentication-Results: bilbo.ozlabs.org;
	dkim=pass (2048-bit key;
 unprotected) header.d=yahoo.com header.i=@yahoo.com header.a=rsa-sha256
 header.s=s2048 header.b=At4f0v9Z;
	dkim-atps=neutral
Authentication-Results: ozlabs.org;
 spf=pass (sender SPF authorized) smtp.mailfrom=vger.kernel.org
 (client-ip=23.128.96.18; helo=vger.kernel.org;
 envelope-from=netfilter-devel-owner@vger.kernel.org; receiver=<UNKNOWN>)
Received: from vger.kernel.org (vger.kernel.org [23.128.96.18])
	by bilbo.ozlabs.org (Postfix) with ESMTP id 4JCdn242j1z9sRN
	for <incoming@patchwork.ozlabs.org>; Tue, 14 Dec 2021 11:00:38 +1100 (AEDT)
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S244383AbhLNAAf (ORCPT <rfc822;incoming@patchwork.ozlabs.org>);
        Mon, 13 Dec 2021 19:00:35 -0500
Received: from sonic315-27.consmr.mail.ne1.yahoo.com ([66.163.190.153]:37856
        "EHLO sonic315-27.consmr.mail.ne1.yahoo.com" rhost-flags-OK-OK-OK-OK)
        by vger.kernel.org with ESMTP id S242585AbhLNAAf (ORCPT
        <rfc822;netfilter-devel@vger.kernel.org>);
        Mon, 13 Dec 2021 19:00:35 -0500
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=yahoo.com; s=s2048;
 t=1639440035; bh=IIKa//ZfOf9ldI+2RZhwihcRPJzmFh5O4/PZDXiqrxo=;
 h=From:To:Cc:Subject:Date:In-Reply-To:References:From:Subject:Reply-To;
 b=At4f0v9ZRIeAl1TmpXlWbNAtmLwMyclenQ84AtCqi+1JgsAv+dFNs+KkLTH7qB2RFVc/TlMRNd2wuPXVDdZqKn0pmWbuU/mKSjoLEhn5WosF6zjJd7w1h95NCtc2ns63wFxsXEYdNs0/GdER9gytuhUbeQc9rDTKA0D3JYDOvltiPXallT3OPOS0Mtc73e/yALQu8vGguN7b3aGwdqLU2pIXZa9Kjlj07CuRrOUSOwngrFeSQvrPqmgA4CVoqpPTOA5RNPlP9Tty7o9mi4/gVaG009pwePTIzOI7aDk4mBYZd3VZilzTxel2w7n034d9nwbcy01ov65Q3phIdcdyjQ==
X-SONIC-DKIM-SIGN: v=1; a=rsa-sha256; c=relaxed/relaxed; d=yahoo.com; s=s2048;
 t=1639440035; bh=CwPoWL/GQUcdxFWZsBGI8L44rlH3jTfPje7Kl4NSJE3=;
 h=X-Sonic-MF:From:To:Subject:Date:From:Subject;
 b=rU6SnYCpMTBsfLk7PNtn1y7yEK8+xbithXL1qp4ja/SWW/3H2Q836OVdwiD/bLQz4/Bfrrn193jtI5u+kEZJCMADCYdLnHl7e1OdmfAJNfS4PzkK2KK8GK+37dFiHrMcEr9RnLhTAT93KzY8xklYlg/+U9SnpD5iCD7yuoZyi0YxjpOAhoIUPCM3CovSCLtJNkOcLikcav4F9gElyzq/WFtAgLLS/rgGGdrBo+fY447l9rWKgllqtiTnBA+JAZ5AI8N8AYRIf+cXq+Jj28rF+k1pJfGFSXV5jadcal06HIsK8E2/Do+MgjrmW85JsLeI+Hs4kW2tP5OqQ0rwyxULCQ==
X-YMail-OSG: rPKqrxgVM1n1y6qm4CPuvvnOVf0sfan3XVDMFwN.kTgvOzpa9FWkCNIVLgeYCEG
 FtwLQMWh8g3bXOiaXXiwPB5Y5fDUAycL0zi6wSChz2rLMumeZnpQcI.S99zEqtfgjoo8VGHkHDKS
 fDFz3yvgmhwxilA7bIPpAEoooo1iT34NZmS88hByExLZkuT1qTOZQQEfH5rwZtz2mQE80zbFHAo9
 JCZcMo5pSTVE4.lHuVK75r7Uqh2o.zeTr49hZLuV96A8rEux0WWcxHEvGkLdVeiwpDC3SPwXt3sX
 B3X_PtcywSxTSWiqgJbsCVS4pUqF2p3WxLMfdYmBQSf_cgLRL0uHP5O2LVGbK92tDXOa35bTgn_N
 bfAKE.72Li12I4EPPMr16x_NxcXVAdA6c7udIeoa9zSiLzr0rBHzQzHpY0.otklcHyK3w7jPDo4R
 pFggCihPx_DybzA9ywLAXf.ZZJ_mzTQ6NkqtvIdSmRmtH.oTtrmEHKeo6xEe4.CjO.Cdi65DKqoh
 qt3WYpzLX7qPJNwPOba4WR1U3jEYK3Nexfjf8fmaktI_BFtx5gbw9de8XCPMaLril4KiZUooCW.n
 wcVTKTVlWSE47NrNIp4BMca6PP_0dbYBqe7iyypRjWfZ9LpL0Ok5sGYMmi3btJNJi029oM73ssa0
 _tbK5nQxrpyPSGzN92kQFzQcYnKqyJA8M7YnD3.WyEwv0izfGbozD0R_xmo0yuoKLrMs6sgKt._B
 E5P_GoyPj1SarNgF268uT1SxalLQoeKL3xEyEDzv5yNyQZeurVGj4tx8Zo0yQCakpfigSfoOj.za
 P5D5xw49SYDGNDg9aFyRLvgWxQyWmOCjAiJ.yzgAzPg3m_Qg3SZmGdcQv58LoBjYrFQ8GXeowc2l
 uLryjYaUrQw.TARsYK6mpVRF.lKYUVwqvsb1Ig6DPGWaLSt9a4zHwI9bsj4eG7oYXiWLi9ZvJLRE
 BGr6LzCnrBph8Y2x5BMWNxOepov4I04eOvshf_ssPAWJY9GFQXqiSGaUiPD1kv_SXd8SpcabPtAr
 ON5UNHRETqoRb1i9jWdLrKGhFc7KKLyk0dv5noNqtWfGR4kXHICDNfChFVVvPW0YZi5yLQY90DzB
 l725TIhxBDnNQNF69mbJsiRFrBohmqsrUFfUO4uUYIhbHbth_m1VSLD2_1zHpSje58DtjZQPvEkb
 O2Tz045REDfWYoggILcqaOGfMEBDtLko0SRvAjDX3f4YcAg7hhhdFhY225q_EAtPR4nn3B6SSWqz
 7RXesQuGL3v6A76QMrY7x.id90b5LVF99YWytqI1yZ6VkOgoEUQaUNNBiZMWUjFGXPDPqYe_exse
 b7aO0L_ECXJNhRhX7I_TWWisnD.Hd0XkkS1jJO8PZgDtFpWIuFeFXCpQj.5G7lJ0oJzl3bq6hMHq
 Ik6ANLQbg92yoAvX1S.p2uHzwmUbjskZLql.PUy8O60tqCz8bmZaSTeYIhKpfPbZ7vGudtimqScN
 8UrPSQT2_1trBFfJlQL0LSQI0KIQUz4AWJLOd0lfXzkzDVJt6fC_1PUx8kFz_vzCqZAhpiXikOU0
 g0_8PEhMXyoVUly5bY8ukLVNcLXyxt8GDTAV_Qny_G1RHtlkp7Nb0C69Y6.trm1bHBqtcjQ6AVfI
 AQfnkSmOaJuvLeDfsM4idMOMp.Td3oiVWDqhfghguGO8aBLv._Kt0gVgKRTsi7mSgFNZqAajMvM6
 m4BN0UwrPtluMTeuLUNDXCl3JS1eAZXcGrPUDH5qg0vlLLe8JTLobnVnq86OaHKhoXSs5slZMh.I
 hKg2WjHwqh1TMQd_VYQk75cIQi4QI4h2mUHCDU0Wj1mM5jDtfpFCDp5SwPc9WOkVYtTfd5nuk2BJ
 nR7O3fefbTr35SrD3sqFqr0URG2Y.knWgEAWoIJ12LCeXuYUdFw7o8qULYzYtKgPs3CUO3I9RDfr
 1gMEyodS_xjU0SJvoJO6wiAqn4yGalNWraMG7mNg3C0t705b4nNz2bfCuaSxfjUPwGPKhPnNDm4J
 p_5ZT.mSc.iCqiDNz7DVdBetBnL9TDXKoD6tLWKKZgM3N0AxHDouB.urlhXyNyLtiAICZ_.sJaDK
 SdEHX1D28vmJCyx4jou_E3aDk77TCaL9V.aeNPii6As5m_YDNtZLqhYVpr8W3FbJhASUHsMVVSGs
 L3DTKqIqgyrZSkP.a1SMqrq2y6omzEU86kXkqdHXYnCr.GCBqO44BnRnRpNdxiVvZkaid8IYR_Cu
 mkNh56jOIeA3LLoLASPGxVC4V6hfWf1eLXv_3SIGqPlj3fXSPmmkMElZk9KTdLA5QFUu0cMpRZH1
 bIUNCrX7bVNmDYrSw3G55Oc.ZNVmpxyxEUlAZLIwDXiackaI-
X-Sonic-MF: <casey@schaufler-ca.com>
Received: from sonic.gate.mail.ne1.yahoo.com by
 sonic315.consmr.mail.ne1.yahoo.com with HTTP; Tue, 14 Dec 2021 00:00:35 +0000
Received: by kubenode516.mail-prod1.omega.bf1.yahoo.com (VZM Hermes SMTP
 Server) with ESMTPA ID d9da30bbc942afdefef6ca173bbb7167;
          Tue, 14 Dec 2021 00:00:30 +0000 (UTC)
From: Casey Schaufler <casey@schaufler-ca.com>
To: casey.schaufler@intel.com, jmorris@namei.org,
        linux-security-module@vger.kernel.org, selinux@vger.kernel.org
Cc: casey@schaufler-ca.com, linux-audit@redhat.com,
        keescook@chromium.org, john.johansen@canonical.com,
        penguin-kernel@i-love.sakura.ne.jp, paul@paul-moore.com,
        sds@tycho.nsa.gov, linux-kernel@vger.kernel.org,
        Stephen Smalley <stephen.smalley.work@gmail.com>,
        Pablo Neira Ayuso <pablo@netfilter.org>,
        netdev@vger.kernel.org, netfilter-devel@vger.kernel.org
Subject: [PATCH v31 18/28] LSM: security_secid_to_secctx in netlink netfilter
Date: Mon, 13 Dec 2021 15:40:24 -0800
Message-Id: <20211213234034.111891-19-casey@schaufler-ca.com>
X-Mailer: git-send-email 2.31.1
In-Reply-To: <20211213234034.111891-1-casey@schaufler-ca.com>
References: <20211213234034.111891-1-casey@schaufler-ca.com>
MIME-Version: 1.0
Precedence: bulk
List-ID: <netfilter-devel.vger.kernel.org>
X-Mailing-List: netfilter-devel@vger.kernel.org

Change netlink netfilter interfaces to use lsmcontext
pointers, and remove scaffolding.

Reviewed-by: Kees Cook <keescook@chromium.org>
Reviewed-by: John Johansen <john.johansen@canonical.com>
Acked-by: Paul Moore <paul@paul-moore.com>
Acked-by: Stephen Smalley <stephen.smalley.work@gmail.com>
Acked-by: Pablo Neira Ayuso <pablo@netfilter.org>
Signed-off-by: Casey Schaufler <casey@schaufler-ca.com>
Cc: netdev@vger.kernel.org
Cc: netfilter-devel@vger.kernel.org
---
 net/netfilter/nfnetlink_queue.c | 37 +++++++++++++--------------------
 1 file changed, 14 insertions(+), 23 deletions(-)

diff --git a/net/netfilter/nfnetlink_queue.c b/net/netfilter/nfnetlink_queue.c
index f19897b3cf39..69343275c54b 100644
--- a/net/netfilter/nfnetlink_queue.c
+++ b/net/netfilter/nfnetlink_queue.c
@@ -301,15 +301,13 @@ static int nfqnl_put_sk_uidgid(struct sk_buff *skb, struct sock *sk)
 	return -1;
 }
 
-static u32 nfqnl_get_sk_secctx(struct sk_buff *skb, char **secdata)
+static void nfqnl_get_sk_secctx(struct sk_buff *skb, struct lsmcontext *context)
 {
-	u32 seclen = 0;
 #if IS_ENABLED(CONFIG_NETWORK_SECMARK)
 	struct lsmblob blob;
-	struct lsmcontext context = { };
 
 	if (!skb || !sk_fullsock(skb->sk))
-		return 0;
+		return;
 
 	read_lock_bh(&skb->sk->sk_callback_lock);
 
@@ -318,14 +316,12 @@ static u32 nfqnl_get_sk_secctx(struct sk_buff *skb, char **secdata)
 		 * blob. security_secid_to_secctx() will know which security
 		 * module to use to create the secctx.  */
 		lsmblob_init(&blob, skb->secmark);
-		security_secid_to_secctx(&blob, &context);
-		*secdata = context.context;
+		security_secid_to_secctx(&blob, context);
 	}
 
 	read_unlock_bh(&skb->sk->sk_callback_lock);
-	seclen = context.len;
 #endif
-	return seclen;
+	return;
 }
 
 static u32 nfqnl_get_bridge_size(struct nf_queue_entry *entry)
@@ -397,12 +393,10 @@ nfqnl_build_packet_message(struct net *net, struct nfqnl_instance *queue,
 	struct net_device *indev;
 	struct net_device *outdev;
 	struct nf_conn *ct = NULL;
+	struct lsmcontext context = { };
 	enum ip_conntrack_info ctinfo;
 	struct nfnl_ct_hook *nfnl_ct;
 	bool csum_verify;
-	struct lsmcontext scaff; /* scaffolding */
-	char *secdata = NULL;
-	u32 seclen = 0;
 
 	size = nlmsg_total_size(sizeof(struct nfgenmsg))
 		+ nla_total_size(sizeof(struct nfqnl_msg_packet_hdr))
@@ -470,9 +464,9 @@ nfqnl_build_packet_message(struct net *net, struct nfqnl_instance *queue,
 	}
 
 	if ((queue->flags & NFQA_CFG_F_SECCTX) && entskb->sk) {
-		seclen = nfqnl_get_sk_secctx(entskb, &secdata);
-		if (seclen)
-			size += nla_total_size(seclen);
+		nfqnl_get_sk_secctx(entskb, &context);
+		if (context.len)
+			size += nla_total_size(context.len);
 	}
 
 	skb = alloc_skb(size, GFP_ATOMIC);
@@ -602,7 +596,8 @@ nfqnl_build_packet_message(struct net *net, struct nfqnl_instance *queue,
 	    nfqnl_put_sk_uidgid(skb, entskb->sk) < 0)
 		goto nla_put_failure;
 
-	if (seclen && nla_put(skb, NFQA_SECCTX, seclen, secdata))
+	if (context.len &&
+	    nla_put(skb, NFQA_SECCTX, context.len, context.context))
 		goto nla_put_failure;
 
 	if (ct && nfnl_ct->build(skb, ct, ctinfo, NFQA_CT, NFQA_CT_INFO) < 0)
@@ -630,10 +625,8 @@ nfqnl_build_packet_message(struct net *net, struct nfqnl_instance *queue,
 	}
 
 	nlh->nlmsg_len = skb->len;
-	if (seclen) {
-		lsmcontext_init(&scaff, secdata, seclen, 0);
-		security_release_secctx(&scaff);
-	}
+	if (context.len)
+		security_release_secctx(&context);
 	return skb;
 
 nla_put_failure:
@@ -641,10 +634,8 @@ nfqnl_build_packet_message(struct net *net, struct nfqnl_instance *queue,
 	kfree_skb(skb);
 	net_err_ratelimited("nf_queue: error creating packet message\n");
 nlmsg_failure:
-	if (seclen) {
-		lsmcontext_init(&scaff, secdata, seclen, 0);
-		security_release_secctx(&scaff);
-	}
+	if (context.len)
+		security_release_secctx(&context);
 	return NULL;
 }