- err = security_secctx_to_secid(priv->ctx, strlen(priv->ctx), &tmp_secid); + err = security_secctx_to_secid(priv->ctx, strlen(priv->ctx), &blob); - err = security_secmark_relabel_packet(tmp_secid); + err = security_secmark_relabel_packet(lsmblob_value(&blob)); @@ -42,13 +42,14 @@ secmark_tg(struct sk_buff *skb, const struct xt_secmark_target_info_v1 *info), @@ -56,6 +57,10 @@ static int checkentry_lsm(struct xt_secmark_target_info_v1 *info). + >> + */ This value may be zero - MAY_EXEC, BPRM_CHECK); + security_current_getsecid_subj(&blob); + * security module to use to create the secctx. + * A clever decorating and organizing solution that doesn't damage surfaces, these small hooks will help you fearlessly change your space. >> --- a/kernel/sys_ni.c > + return -EINVAL; > +++ b/include/uapi/linux/lsm.h > --- a/security/commoncap.c > #define __NR_lsm_self_attr 451 +#include > 450 common set_mempolicy_home_node sys_set_mempolicy_home_node + hp->hook.cred_getsecid(c, &blob->secid[hp->lsmid->slot]); > +#define LSM_ID_INVALID -1 + } @@ -1163,7 +1172,9 @@ static int netlbl_unlabel_staticlist_gen(u32 cmd. -static inline int ima_filter_rule_match(u32 secid, u32 field, u32 op, + return 0; @@ -2382,10 +2394,26 @@ int security_socket_getpeersec_stream(struct socket *sock, char __user *optval, -int security_socket_getpeersec_dgram(struct socket *sock, struct sk_buff *skb, u32 *secid), +int security_socket_getpeersec_dgram(struct socket *sock, struct sk_buff *skb, - err = security_secid_to_secctx(&lb, &secdata, &seclen); + err = security_secid_to_secctx(&lb, &context); - put_cmsg(msg, SOL_SOCKET, SCM_SECURITY, seclen, secdata); > + struct lsm_ctx *ip; >> #undef LSM_HOOK + if (copy_to_user(ids, interum, total_size) != 0 || >> + * slot has to be LSMBLOB_NEEDED because some of the hooks + lsmrule); > > + kfree(interum); 
> +++ b/include/uapi/asm-generic/unistd.h -{ + /* scaffolding until osid is updated */ - */ >> hook lists. > security/apparmor/lsm.c | 6 +++++- + if (WARN_ON(hp->lsmid->slot < 0 || hp->lsmid->slot >= lsm_slot)) + * In that case, we need a method for +int ima_filter_rule_init(u32 field, u32 op, char *rulestr, void **lsmrule); This item: Command Small Wire Toggle Hooks, Damage Free Hanging Wall Hooks with Adhesive Strips, No Tools Wall Hooks for Hanging Organizational Items in Living Spaces, 16 White Hooks and 24 Command Strips $11.23 ($0.70/Count) Command Large Utility Hooks, Damage Free Hanging Wall Hooks with Adhesive Strips $10.59 ($1.51/Count) > >> static struct security_hook_list apparmor_hooks[] __lsm_ro_after_init = { > +#define LSMBLOB_NEEDED -2 /* Slot requested on initialization */ >> + interum[i] = lsm_idlist[i]->id; + */ > + .lsm = LANDLOCK_NAME, > Add an integer member "id" to the struct lsm_id. >>>> + /* Change > + */ + err = security_secid_to_secctx(&blob, &ctx, &len); @@ -2170,12 +2179,20 @@ int audit_log_task_context(struct audit_buffer *ab). > + int attr; + struct sk_buff_head skb_list; /* formatted skbs, ready to send */, + struct audit_stamp stamp; /* audit stamp for these records */. When the aux record in complete > index 38342c1fa4bc..71eab206ba6e 100644 + init_debug("lsm count = %d\n", lsm_id); @@ -483,6 +491,16 @@ void __init security_add_hooks(struct security_hook_list *hooks, int count, + /* + security module registered on the system will be assumed. - ret = security_secid_to_secctx(&blob, &secctx, &len); + ret = security_secid_to_secctx(&blob, &context); @@ -363,13 +362,12 @@ static int ctnetlink_dump_secctx(struct sk_buff *skb, const struct nf_conn *ct), - if (nla_put_string(skb, CTA_SECCTX_NAME, secctx)), + if (nla_put_string(skb, CTA_SECCTX_NAME, context.context)), - lsmcontext_init(&context, secctx, len, 0); /* scaffolding */, 
@@ -662,15 +660,11 @@ static inline size_t ctnetlink_acct_size(const struct nf_conn *ct), - /* lsmblob_init() puts ct->secmark into all of the secids in blob. > + * supplied by this module require a slot. >> intention of this code to lock out loadable modules. > @@ -5,6 +5,7 @@ > - if (rc) > instead of only retrieving information about a known (list of) LSM? Each existing LSM > rc = call_int_hook(task_alloc, 0, task, clone_flags); @@ -646,7 +648,8 @@ int security_getprocattr(struct task_struct *p, int lsmid, char *name. >> @@ -8,6 +8,7 @@ >> const char *lsm; /* Name of the LSM */ Now you can organize your home or office just the way you want with Command indoor hooks. @@ -3357,8 +3358,10 @@ nfsd4_encode_fattr(struct xdr_stream *xdr, struct svc_fh *fhp. + Each single wall hook can hold up to 0.5 pounds. + struct security_hook_list *hp; Command Strips hold strongly on a variety of smooth, finished surfaces, and these adhesive hooks remove cleanly with no sticky residue or damage left behind. > + * is one. >> pr_info("LSM support for eBPF active\n"); + lsmcontext_init(&lsmcxt, ctx, len, 0); + rc = count; > On Tue, Sep 27, 2022 at 01:31:55PM -0700, Casey Schaufler wrote: 2 Remove red liner. +}; + */ - return call_int_hook(socket_getpeersec_dgram, -ENOPROTOOPT, sock, > + for (slot = 0; slot < lsm_slot; slot++) > security/security.c | 12 ++++++------ >> has been updated to include it's LSMID in the lsm_id. >> intention of this code to lock out loadable modules. + * lsmblob_is_set - report if there is a value in the lsmblob > But TOMOYO does not need such constant because TOMOYO does not use /proc/ files. > @@ -1243,7 +1226,6 @@ static struct security_hook_list apparmor_hooks[] __lsm_ro_after_init = { >> @@ -25,6 +25,7 @@ 
> @@ -0,0 +1,32 @@ - lsmblob_init(&blob, ct->secmark); + * @id: the LSM id number, see LSM_ID_XXX - void *value, size_t size), +static inline int security_setprocattr(int lsmid, char *name, void *value, > #include + security_current_getsecid_subj(&blob); - }. + struct sk_security_struct *newsksec = selinux_sock(newsk); @@ -5219,7 +5214,7 @@ static void selinux_sk_getsecid(struct sock *sk, u32 *secid). + audit_log_pid_context(context, context->target_pid, + + for (slot = 0; slot < lsm_slot; slot++) >> --- a/security/landlock/setup.c > >> + + */ >>>> + * A security module may call security_add_hooks() more > + struct lsm_ctx __user *, ctx, +#define LSM_ID_SELINUX 33 - fattr->label->len, error); + (char *)fattr->label->lsmctx.context, > + struct aa_sk_ctx *ctx = aa_sock(sk); > + for (i = 0; i < lsm_id; i++) { - security_add_hooks(smack_hooks, ARRAY_SIZE(smack_hooks), "smack"); + security_add_hooks(smack_hooks, ARRAY_SIZE(smack_hooks), &smack_lsmid); @@ -530,6 +530,10 @@ static void tomoyo_task_free(struct task_struct *task), +static struct lsm_id tomoyo_lsmid __lsm_ro_after_init = { - if (label) > }; > static int aa_label_sk_perm(struct aa_label *label, const char *op, u32 request, > */ > ------------------------------ > + * + for (i = 0; i < count; i++) + * Returns a list of the active LSM ids. @@ -1113,7 +1114,8 @@ static int audit_log_pid_context(struct audit_context *context, pid_t pid. - u32 *ctxlen); + const char **xattr_name, @@ -543,7 +532,6 @@ static int netlbl_unlhsh_remove_addr6(struct net *net. > - LSM_HOOK_INIT(sk_alloc_security, apparmor_sk_alloc_security), -. + +int security_getprocattr(struct task_struct *p, int lsmid, char *name. > +} - error = security_secid_to_secctx(&blob, &context); + error = security_secid_to_secctx(&blob, &context, LSMBLOB_FIRST); 
@@ -1107,7 +1107,7 @@ static int audit_log_pid_context(struct audit_context *context, pid_t pid, - if (security_secid_to_secctx(blob, &lsmctx)) {, + if (security_secid_to_secctx(blob, &lsmctx, LSMBLOB_FIRST)) {, 
@@ -1400,7 +1400,8 @@ static void show_special(struct audit_context *context, int *call_panic), - if (security_secid_to_secctx(&blob, &lsmcxt)) {, + if (security_secid_to_secctx(&blob, &lsmcxt, > static struct security_hook_list yama_hooks[] __lsm_ro_after_init = {, 20220927195421.14713-1-casey.ref@schaufler-ca.com, [PATCH v38 01/39] LSM: Identify modules by more than name, 0 siblings, 39 replies; 68+ messages in thread, https://github.com/cschaufler/lsm-stacking.git#stack-6.0-rc7-38, [PATCH v38 00/39] LSM: Module stacking for AppArmor, [PATCH v38 02/39] LSM: Add an LSM identifier for external use, 38 siblings, 2 replies; 68+ messages in thread, [PATCH v38 03/39] LSM: Identify the process attributes for each module, [PATCH v38 04/39] LSM: Maintain a table of LSM attribute data, 38 siblings, 0 replies; 68+ messages in thread, [PATCH v38 05/39] proc: Use lsmids instead of lsm names for attrs, 38 siblings, 1 reply; 68+ messages in thread, [PATCH v38 06/39] LSM: lsm_self_attr syscall for LSM self attributes, [PATCH v38 07/39] integrity: disassociate ima_filter_rule from security_audit_rule, 38 siblings, 4 replies; 68+ messages in thread, [PATCH v38 08/39] LSM: Infrastructure management of the sock security, [PATCH v38 09/39] LSM: Add the lsmblob data structure, [PATCH v38 10/39] LSM: provide lsm name and id slot mappings, [PATCH v38 11/39] IMA: avoid label collisions with stacked LSMs, [PATCH v38 12/39] LSM: Use lsmblob in security_audit_rule_match, [PATCH v38 13/39] LSM: Use lsmblob in security_kernel_act_as, [PATCH v38 14/39] LSM: Use lsmblob in security_secctx_to_secid, [PATCH v38 15/39] LSM: Use lsmblob in security_secid_to_secctx, [PATCH v38 16/39] LSM: Use lsmblob in security_ipc_getsecid, [PATCH v38 17/39] LSM: Use lsmblob in security_current_getsecid, [PATCH v38 18/39] LSM: Use lsmblob in security_inode_getsecid, [PATCH v38 19/39] LSM: Use lsmblob in security_cred_getsecid, [PATCH v38 20/39] LSM: Specify which LSM to display, [PATCH v38 21/39] LSM: Ensure the 
correct LSM context releaser, [PATCH v38 22/39] LSM: Use lsmcontext in security_secid_to_secctx, [PATCH v38 23/39] LSM: Use lsmcontext in security_inode_getsecctx, [PATCH v38 24/39] Use lsmcontext in security_dentry_init_security, [PATCH v38 25/39] LSM: security_secid_to_secctx in netlink netfilter, [PATCH v38 26/39] NET: Store LSM netlabel data in a lsmblob, [PATCH v38 27/39] binder: Pass LSM identifier for confirmation, [PATCH v38 28/39] LSM: security_secid_to_secctx module selection, [PATCH v38 29/39] Audit: Keep multiple LSM data in audit_names, [PATCH v38 30/39] Audit: Create audit_stamp structure, [PATCH v38 31/39] LSM: Add a function to report multiple LSMs, [PATCH v38 32/39] Audit: Allow multiple records in an audit_buffer, [PATCH v38 33/39] Audit: Add record for multiple task security contexts, [PATCH v38 34/39] audit: multiple subject lsm values for netlabel, [PATCH v38 35/39] Audit: Add record for multiple object contexts, [PATCH v38 36/39] netlabel: Use a struct lsmblob in audit data, [PATCH v38 37/39] LSM: Removed scaffolding function lsmcontext_init, [PATCH v38 38/39] AppArmor: Remove the exclusive flag, [PATCH v38 39/39] LSM: Create lsm_module_list system call, 38 siblings, 3 replies; 68+ messages in thread, 3 siblings, 0 replies; 68+ messages in thread, [-- Attachment #1: Type: text/plain, Size: 11784 bytes --], https://git-scm.com/docs/git-format-patch#_base_tree_information, https://github.com/intel-lab-lkp/linux/commits/Casey-Schaufler/LSM-Identify-modules-by-more-than-name/20220928-045406, https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git, https://raw.githubusercontent.com/intel/lkp-tests/master/sbin/make.cross, https://github.com/intel-lab-lkp/linux/commit/e614eb870ca4cc351e1847e79041960feb9604dc, [-- Attachment #2: config --] >>>> >> --- a/security/bpf/hooks.c 
> +++ b/security/lsm_syscalls.c + * values. - /* scaffolding until target_sid is converted */ + unsigned int flags; > extern char *lsm_names; + }. > have to be treated differently from built-in modules, if they're allowed > #include - * will only be setting one entry in the lsmblob struct, so it is - struct lsmcontext scaff; /* scaffolding */ - * apparmor_socket_getpeersec_dgram - get security label of packet > + > + * a negative value indicating the error is returned.