Smack: Abstract use of cred security blob

Don't use the cred->security pointer directly. Provide a helper function that provides the security blob pointer. Signed-off-by: Casey Schaufler <casey@schaufler-ca.com> Reviewed-by: Kees Cook <keescook@chromium.org> [kees: adjusted for ordered init series] Signed-off-by: Kees Cook <keescook@chromium.org>
author: Casey Schaufler <casey@schaufler-ca.com> 2018-11-09 19:12:56 -0500
committer: Kees Cook <keescook@chromium.org> 2019-01-08 16:18:44 -0500
commit: b17103a8b8ae9c9ecc5e1e6501b1478ee2dc6fe4 (patch)
tree: e080e34cf17f616e24f44bc1c1f25e285bf9857a
parent: 6d9c939dbe4d0bcea09cd4b410f624cde1acb678 (diff)
4 files changed, 53 insertions, 43 deletions
diff --git a/security/smack/smack.h b/security/smack/smack.h
index f7db791fb566..01a922856eba 100644
--- a/security/smack/smack.h
+++ b/security/smack/smack.h
@@ -356,6 +356,11 @@ extern struct list_head smack_onlycap_list;
 #define SMACK_HASH_SLOTS 16
 extern struct hlist_head smack_known_hash[SMACK_HASH_SLOTS];
+static inline struct task_smack *smack_cred(const struct cred *cred)
+{
+        return cred->security;
+}
 /*
 * Is the directory transmuting?
 */
@@ -382,13 +387,19 @@ static inline struct smack_known *smk_of_task(const struct task_smack *tsp)
        return tsp->smk_task;
 }
-static inline struct smack_known *smk_of_task_struct(const struct task_struct *t)
+static inline struct smack_known *smk_of_task_struct(
+                                                const struct task_struct *t)
 {
        struct smack_known *skp;
+        const struct cred *cred;
        rcu_read_lock();
-        skp = smk_of_task(__task_cred(t)->security);
+        cred = __task_cred(t);
+        skp = smk_of_task(smack_cred(cred));
        rcu_read_unlock();
        return skp;
 }
@@ -405,7 +416,7 @@ static inline struct smack_known *smk_of_forked(const struct task_smack *tsp)
 */
 static inline struct smack_known *smk_of_current(void)
 {
-        return smk_of_task(current_security());
+        return smk_of_task(smack_cred(current_cred()));
 }
 /*
diff --git a/security/smack/smack_access.c b/security/smack/smack_access.c
index 9a4c0ad46518..489d49a20b47 100644
--- a/security/smack/smack_access.c
+++ b/security/smack/smack_access.c
@@ -275,7 +275,7 @@ out_audit:
 int smk_curacc(struct smack_known *obj_known,
               u32 mode, struct smk_audit_info *a)
 {
-        struct task_smack *tsp = current_security();
+        struct task_smack *tsp = smack_cred(current_cred());
        return smk_tskacc(tsp, obj_known, mode, a);
 }
@@ -635,7 +635,7 @@ DEFINE_MUTEX(smack_onlycap_lock);
 */
 bool smack_privileged_cred(int cap, const struct cred *cred)
 {
-        struct task_smack *tsp = cred->security;
+        struct task_smack *tsp = smack_cred(cred);
        struct smack_known *skp = tsp->smk_task;
        struct smack_known_list_elem *sklep;
        int rc;
diff --git a/security/smack/smack_lsm.c b/security/smack/smack_lsm.c
index 780733341d02..9a050ca17296 100644
--- a/security/smack/smack_lsm.c
+++ b/security/smack/smack_lsm.c
@@ -139,7 +139,7 @@ static int smk_bu_note(char *note, struct smack_known *sskp,
 static int smk_bu_current(char *note, struct smack_known *oskp,
                          int mode, int rc)
 {
-        struct task_smack *tsp = current_security();
+        struct task_smack *tsp = smack_cred(current_cred());
        char acc[SMK_NUM_ACCESS_TYPE + 1];
        if (rc <= 0)
@@ -160,7 +160,7 @@ static int smk_bu_current(char *note, struct smack_known *oskp,
 #ifdef CONFIG_SECURITY_SMACK_BRINGUP
 static int smk_bu_task(struct task_struct *otp, int mode, int rc)
 {
-        struct task_smack *tsp = current_security();
+        struct task_smack *tsp = smack_cred(current_cred());
        struct smack_known *smk_task = smk_of_task_struct(otp);
        char acc[SMK_NUM_ACCESS_TYPE + 1];
@@ -182,7 +182,7 @@ static int smk_bu_task(struct task_struct *otp, int mode, int rc)
 #ifdef CONFIG_SECURITY_SMACK_BRINGUP
 static int smk_bu_inode(struct inode *inode, int mode, int rc)
 {
-        struct task_smack *tsp = current_security();
+        struct task_smack *tsp = smack_cred(current_cred());
        struct inode_smack *isp = inode->i_security;
        char acc[SMK_NUM_ACCESS_TYPE + 1];
@@ -212,7 +212,7 @@ static int smk_bu_inode(struct inode *inode, int mode, int rc)
 #ifdef CONFIG_SECURITY_SMACK_BRINGUP
 static int smk_bu_file(struct file *file, int mode, int rc)
 {
-        struct task_smack *tsp = current_security();
+        struct task_smack *tsp = smack_cred(current_cred());
        struct smack_known *sskp = tsp->smk_task;
        struct inode *inode = file_inode(file);
        struct inode_smack *isp = inode->i_security;
@@ -242,7 +242,7 @@ static int smk_bu_file(struct file *file, int mode, int rc)
 static int smk_bu_credfile(const struct cred *cred, struct file *file,
                                int mode, int rc)
 {
-        struct task_smack *tsp = cred->security;
+        struct task_smack *tsp = smack_cred(cred);
        struct smack_known *sskp = tsp->smk_task;
        struct inode *inode = file_inode(file);
        struct inode_smack *isp = inode->i_security;
@@ -448,7 +448,7 @@ static int smk_ptrace_rule_check(struct task_struct *tracer,
        rcu_read_lock();
        tracercred = __task_cred(tracer);
-        tsp = tracercred->security;
+        tsp = smack_cred(tracercred);
        tracer_known = smk_of_task(tsp);
        if ((mode & PTRACE_MODE_ATTACH) &&
@@ -515,7 +515,7 @@ static int smack_ptrace_traceme(struct task_struct *ptp)
        int rc;
        struct smack_known *skp;
-        skp = smk_of_task(current_security());
+        skp = smk_of_task(smack_cred(current_cred()));
        rc = smk_ptrace_rule_check(ptp, skp, PTRACE_MODE_ATTACH, __func__);
        return rc;
@@ -831,7 +831,7 @@ static int smack_sb_statfs(struct dentry *dentry)
 static int smack_bprm_set_creds(struct linux_binprm *bprm)
 {
        struct inode *inode = file_inode(bprm->file);
-        struct task_smack *bsp = bprm->cred->security;
+        struct task_smack *bsp = smack_cred(bprm->cred);
        struct inode_smack *isp;
        struct superblock_smack *sbsp;
        int rc;
@@ -1662,7 +1662,7 @@ static int smack_mmap_file(struct file *file,
                return -EACCES;
        mkp = isp->smk_mmap;
-        tsp = current_security();
+        tsp = smack_cred(current_cred());
        skp = smk_of_current();
        rc = 0;
@@ -1758,7 +1758,7 @@ static int smack_file_send_sigiotask(struct task_struct *tsk,
                                     struct fown_struct *fown, int signum)
 {
        struct smack_known *skp;
-        struct smack_known *tkp = smk_of_task(tsk->cred->security);
+        struct smack_known *tkp = smk_of_task(smack_cred(tsk->cred));
        const struct cred *tcred;
        struct file *file;
        int rc;
@@ -1811,7 +1811,7 @@ static int smack_file_receive(struct file *file)
        if (inode->i_sb->s_magic == SOCKFS_MAGIC) {
                sock = SOCKET_I(inode);
                ssp = sock->sk->sk_security;
-                tsp = current_security();
+                tsp = smack_cred(current_cred());
                /*
                 * If the receiving process can't write to the
                 * passed socket or if the passed socket can't
@@ -1853,7 +1853,7 @@ static int smack_file_receive(struct file *file)
 */
 static int smack_file_open(struct file *file)
 {
-        struct task_smack *tsp = file->f_cred->security;
+        struct task_smack *tsp = smack_cred(file->f_cred);
        struct inode *inode = file_inode(file);
        struct smk_audit_info ad;
        int rc;
@@ -1900,7 +1900,7 @@ static int smack_cred_alloc_blank(struct cred *cred, gfp_t gfp)
 */
 static void smack_cred_free(struct cred *cred)
 {
-        struct task_smack *tsp = cred->security;
+        struct task_smack *tsp = smack_cred(cred);
        struct smack_rule *rp;
        struct list_head *l;
        struct list_head *n;
@@ -1930,7 +1930,7 @@ static void smack_cred_free(struct cred *cred)
 static int smack_cred_prepare(struct cred *new, const struct cred *old,
                              gfp_t gfp)
 {
-        struct task_smack *old_tsp = old->security;
+        struct task_smack *old_tsp = smack_cred(old);
        struct task_smack *new_tsp;
        int rc;
@@ -1961,15 +1961,14 @@ static int smack_cred_prepare(struct cred *new, const struct cred *old,
 */
 static void smack_cred_transfer(struct cred *new, const struct cred *old)
 {
-        struct task_smack *old_tsp = old->security;
+        struct task_smack *old_tsp = smack_cred(old);
-        struct task_smack *new_tsp = new->security;
+        struct task_smack *new_tsp = smack_cred(new);
        new_tsp->smk_task = old_tsp->smk_task;
        new_tsp->smk_forked = old_tsp->smk_task;
        mutex_init(&new_tsp->smk_rules_lock);
        INIT_LIST_HEAD(&new_tsp->smk_rules);
        /* cbs copy rule list */
 }
@@ -1980,12 +1979,12 @@ static void smack_cred_transfer(struct cred *new, const struct cred *old)
 *
 * Sets the secid to contain a u32 version of the smack label.
 */
-static void smack_cred_getsecid(const struct cred *c, u32 *secid)
+static void smack_cred_getsecid(const struct cred *cred, u32 *secid)
 {
        struct smack_known *skp;
        rcu_read_lock();
-        skp = smk_of_task(c->security);
+        skp = smk_of_task(smack_cred(cred));
        *secid = skp->smk_secid;
        rcu_read_unlock();
 }
@@ -1999,7 +1998,7 @@ static void smack_cred_getsecid(const struct cred *c, u32 *secid)
 */
 static int smack_kernel_act_as(struct cred *new, u32 secid)
 {
-        struct task_smack *new_tsp = new->security;
+        struct task_smack *new_tsp = smack_cred(new);
        new_tsp->smk_task = smack_from_secid(secid);
        return 0;
@@ -2017,7 +2016,7 @@ static int smack_kernel_create_files_as(struct cred *new,
                                        struct inode *inode)
 {
        struct inode_smack *isp = inode->i_security;
-        struct task_smack *tsp = new->security;
+        struct task_smack *tsp = smack_cred(new);
        tsp->smk_forked = isp->smk_inode;
        tsp->smk_task = tsp->smk_forked;
@@ -2201,7 +2200,7 @@ static int smack_task_kill(struct task_struct *p, struct kernel_siginfo *info,
         * specific behavior. This is not clean. For one thing
         * we can't take privilege into account.
         */
-        skp = smk_of_task(cred->security);
+        skp = smk_of_task(smack_cred(cred));
        rc = smk_access(skp, tkp, MAY_DELIVER, &ad);
        rc = smk_bu_note("USB signal", skp, tkp, MAY_DELIVER, rc);
        return rc;
@@ -3528,7 +3527,7 @@ static int smack_getprocattr(struct task_struct *p, char *name, char **value)
 */
 static int smack_setprocattr(const char *name, void *value, size_t size)
 {
-        struct task_smack *tsp = current_security();
+        struct task_smack *tsp = smack_cred(current_cred());
        struct cred *new;
        struct smack_known *skp;
        struct smack_known_list_elem *sklep;
@@ -3569,7 +3568,7 @@ static int smack_setprocattr(const char *name, void *value, size_t size)
        if (new == NULL)
                return -ENOMEM;
-        tsp = new->security;
+        tsp = smack_cred(new);
        tsp->smk_task = skp;
        /*
         * process can change its label only once
@@ -4214,7 +4213,7 @@ static void smack_inet_csk_clone(struct sock *sk,
 static int smack_key_alloc(struct key *key, const struct cred *cred,
                           unsigned long flags)
 {
-        struct smack_known *skp = smk_of_task(cred->security);
+        struct smack_known *skp = smk_of_task(smack_cred(cred));
        key->security = skp;
        return 0;
@@ -4245,7 +4244,7 @@ static int smack_key_permission(key_ref_t key_ref,
 {
        struct key *keyp;
        struct smk_audit_info ad;
-        struct smack_known *tkp = smk_of_task(cred->security);
+        struct smack_known *tkp = smk_of_task(smack_cred(cred));
        int request = 0;
        int rc;
@@ -4520,7 +4519,7 @@ static int smack_inode_copy_up(struct dentry *dentry, struct cred **new)
                        return -ENOMEM;
        }
-        tsp = new_creds->security;
+        tsp = smack_cred(new_creds);
        /*
         * Get label from overlay inode and set it in create_sid
@@ -4548,8 +4547,8 @@ static int smack_dentry_create_files_as(struct dentry *dentry, int mode,
                                        const struct cred *old,
                                        struct cred *new)
 {
-        struct task_smack *otsp = old->security;
+        struct task_smack *otsp = smack_cred(old);
-        struct task_smack *ntsp = new->security;
+        struct task_smack *ntsp = smack_cred(new);
        struct inode_smack *isp;
        int may;
diff --git a/security/smack/smackfs.c b/security/smack/smackfs.c
index 06b517075ec0..faf2ea3968b3 100644
--- a/security/smack/smackfs.c
+++ b/security/smack/smackfs.c
@@ -2208,14 +2208,14 @@ static const struct file_operations smk_logging_ops = {
 static void *load_self_seq_start(struct seq_file *s, loff_t *pos)
 {
-        struct task_smack *tsp = current_security();
+        struct task_smack *tsp = smack_cred(current_cred());
        return smk_seq_start(s, pos, &tsp->smk_rules);
 }
 static void *load_self_seq_next(struct seq_file *s, void *v, loff_t *pos)
 {
-        struct task_smack *tsp = current_security();
+        struct task_smack *tsp = smack_cred(current_cred());
        return smk_seq_next(s, v, pos, &tsp->smk_rules);
 }
@@ -2262,7 +2262,7 @@ static int smk_open_load_self(struct inode *inode, struct file *file)
 static ssize_t smk_write_load_self(struct file *file, const char __user *buf,
                              size_t count, loff_t *ppos)
 {
-        struct task_smack *tsp = current_security();
+        struct task_smack *tsp = smack_cred(current_cred());
        return smk_write_rules_list(file, buf, count, ppos, &tsp->smk_rules,
                                    &tsp->smk_rules_lock, SMK_FIXED24_FMT);
@@ -2414,14 +2414,14 @@ static const struct file_operations smk_load2_ops = {
 static void *load_self2_seq_start(struct seq_file *s, loff_t *pos)
 {
-        struct task_smack *tsp = current_security();
+        struct task_smack *tsp = smack_cred(current_cred());
        return smk_seq_start(s, pos, &tsp->smk_rules);
 }
 static void *load_self2_seq_next(struct seq_file *s, void *v, loff_t *pos)
 {
-        struct task_smack *tsp = current_security();
+        struct task_smack *tsp = smack_cred(current_cred());
        return smk_seq_next(s, v, pos, &tsp->smk_rules);
 }
@@ -2467,7 +2467,7 @@ static int smk_open_load_self2(struct inode *inode, struct file *file)
 static ssize_t smk_write_load_self2(struct file *file, const char __user *buf,
                              size_t count, loff_t *ppos)
 {
-        struct task_smack *tsp = current_security();
+        struct task_smack *tsp = smack_cred(current_cred());
        return smk_write_rules_list(file, buf, count, ppos, &tsp->smk_rules,
                                    &tsp->smk_rules_lock, SMK_LONG_FMT);
@@ -2681,14 +2681,14 @@ static const struct file_operations smk_syslog_ops = {
 static void *relabel_self_seq_start(struct seq_file *s, loff_t *pos)
 {
-        struct task_smack *tsp = current_security();
+        struct task_smack *tsp = smack_cred(current_cred());
        return smk_seq_start(s, pos, &tsp->smk_relabel);
 }
 static void *relabel_self_seq_next(struct seq_file *s, void *v, loff_t *pos)
 {
-        struct task_smack *tsp = current_security();
+        struct task_smack *tsp = smack_cred(current_cred());
        return smk_seq_next(s, v, pos, &tsp->smk_relabel);
 }
@@ -2736,7 +2736,7 @@ static int smk_open_relabel_self(struct inode *inode, struct file *file)
 static ssize_t smk_write_relabel_self(struct file *file, const char __user *buf,
                                size_t count, loff_t *ppos)
 {
-        struct task_smack *tsp = current_security();
+        struct task_smack *tsp = smack_cred(current_cred());
        char *data;
        int rc;
        LIST_HEAD(list_tmp);
author	Casey Schaufler <casey@schaufler-ca.com>	2018-11-09 19:12:56 -0500
committer	Kees Cook <keescook@chromium.org>	2019-01-08 16:18:44 -0500
commit	b17103a8b8ae9c9ecc5e1e6501b1478ee2dc6fe4 (patch)
tree	e080e34cf17f616e24f44bc1c1f25e285bf9857a
parent	6d9c939dbe4d0bcea09cd4b410f624cde1acb678 (diff)