SELinux: Abstract use of ipc security blobs

Don't use the ipc->security pointer directly.
Don't use the msg_msg->security pointer directly.
Provide helper functions that provides the security blob pointers.

Signed-off-by: Casey Schaufler <casey@schaufler-ca.com>
Reviewed-by: Kees Cook <keescook@chromium.org>
Signed-off-by: Kees Cook <keescook@chromium.org>

2 files changed, 22 insertions, 9 deletions

diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c
index 23da46cd6e37..4b64ad31326f 100644
--- a/security/selinux/hooks.c
+++ b/security/selinux/hooks.c
@@ -5678,7 +5678,7 @@ static int ipc_has_perm(struct kern_ipc_perm *ipc_perms,
         struct common_audit_data ad;
         u32 sid = current_sid();
 
-        isec = ipc_perms->security;
+        isec = selinux_ipc(ipc_perms);
 
         ad.type = LSM_AUDIT_DATA_IPC;
         ad.u.ipc_id = ipc_perms->key;
@@ -5735,7 +5735,7 @@ static int selinux_msg_queue_associate(struct kern_ipc_perm *msq, int msqflg)
         struct common_audit_data ad;
         u32 sid = current_sid();
 
-        isec = msq->security;
+        isec = selinux_ipc(msq);
 
         ad.type = LSM_AUDIT_DATA_IPC;
         ad.u.ipc_id = msq->key;
@@ -5784,8 +5784,8 @@ static int selinux_msg_queue_msgsnd(struct kern_ipc_perm *msq, struct msg_msg *m
         u32 sid = current_sid();
         int rc;
 
-        isec = msq->security;
-        msec = msg->security;
+        isec = selinux_ipc(msq);
+        msec = selinux_msg_msg(msg);
 
         /*
          * First time through, need to assign label to the message
@@ -5832,8 +5832,8 @@ static int selinux_msg_queue_msgrcv(struct kern_ipc_perm *msq, struct msg_msg *m
         u32 sid = task_sid(target);
         int rc;
 
-        isec = msq->security;
-        msec = msg->security;
+        isec = selinux_ipc(msq);
+        msec = selinux_msg_msg(msg);
 
         ad.type = LSM_AUDIT_DATA_IPC;
         ad.u.ipc_id = msq->key;
@@ -5886,7 +5886,7 @@ static int selinux_shm_associate(struct kern_ipc_perm *shp, int shmflg)
         struct common_audit_data ad;
         u32 sid = current_sid();
 
-        isec = shp->security;
+        isec = selinux_ipc(shp);
 
         ad.type = LSM_AUDIT_DATA_IPC;
         ad.u.ipc_id = shp->key;
@@ -5983,7 +5983,7 @@ static int selinux_sem_associate(struct kern_ipc_perm *sma, int semflg)
         struct common_audit_data ad;
         u32 sid = current_sid();
 
-        isec = sma->security;
+        isec = selinux_ipc(sma);
 
         ad.type = LSM_AUDIT_DATA_IPC;
         ad.u.ipc_id = sma->key;
@@ -6069,7 +6069,7 @@ static int selinux_ipc_permission(struct kern_ipc_perm *ipcp, short flag)
 
 static void selinux_ipc_getsecid(struct kern_ipc_perm *ipcp, u32 *secid)
 {
-        struct ipc_security_struct *isec = ipcp->security;
+        struct ipc_security_struct *isec = selinux_ipc(ipcp);
         *secid = isec->sid;
 }
 
diff --git a/security/selinux/include/objsec.h b/security/selinux/include/objsec.h
index 562fad58c56b..539cacf4a572 100644
--- a/security/selinux/include/objsec.h
+++ b/security/selinux/include/objsec.h
@@ -26,6 +26,7 @@
 #include <linux/in.h>
 #include <linux/spinlock.h>
 #include <linux/lsm_hooks.h>
+#include <linux/msg.h>
 #include <net/net_namespace.h>
 #include "flask.h"
 #include "avc.h"
@@ -175,4 +176,16 @@ static inline struct inode_security_struct *selinux_inode(
         return inode->i_security + selinux_blob_sizes.lbs_inode;
 }
 
+static inline struct msg_security_struct *selinux_msg_msg(
+                                                const struct msg_msg *msg_msg)
+{
+        return msg_msg->security;
+}
+
+static inline struct ipc_security_struct *selinux_ipc(
+                                                const struct kern_ipc_perm *ipc)
+{
+        return ipc->security;
+}
+
 #endif /* _SELINUX_OBJSEC_H_ */