LSM: Make lsm_early_cred() and lsm_early_task() local functions.

Since current->cred == current->real_cred when ordered_lsm_init() is called, and lsm_early_cred()/lsm_early_task() need to be called between the amount of required bytes is determined and module specific initialization function is called, we can move these calls from individual modules to ordered_lsm_init(). Signed-off-by: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp> Acked-by: Casey Schaufler <casey@schaufler-ca.com> Signed-off-by: James Morris <james.morris@microsoft.com>
author: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp> 2019-01-18 05:15:59 -0500
committer: James Morris <james.morris@microsoft.com> 2019-01-18 14:44:02 -0500
commit: 1cfb2a512e74e577bb0ed7c8d76df90a41a83f6a (patch)
tree: f628dd07b171deba0cdc1ff48621f6c07aa0de2a
parent: c1a85a00ea66cb6f0bd0f14e47c28c2b0999799f (diff)
6 files changed, 11 insertions, 27 deletions
diff --git a/include/linux/lsm_hooks.h b/include/linux/lsm_hooks.h
index 195707210975..22fc786d723a 100644
--- a/include/linux/lsm_hooks.h
+++ b/include/linux/lsm_hooks.h
@@ -2112,9 +2112,4 @@ static inline void security_delete_hooks(struct security_hook_list *hooks,
 extern int lsm_inode_alloc(struct inode *inode);
-#ifdef CONFIG_SECURITY
-void __init lsm_early_cred(struct cred *cred);
-void __init lsm_early_task(struct task_struct *task);
-#endif
 #endif /* ! __LINUX_LSM_HOOKS_H */
diff --git a/security/apparmor/lsm.c b/security/apparmor/lsm.c
index b6c395e2acd0..bb5a02d2439f 100644
--- a/security/apparmor/lsm.c
+++ b/security/apparmor/lsm.c
@@ -1484,8 +1484,6 @@ static int __init set_init_ctx(void)
 {
        struct cred *cred = (struct cred *)current->real_cred;
-        lsm_early_cred(cred);
-        lsm_early_task(current);
        set_cred_label(cred, aa_get_label(ns_unconfined(root_ns)));
        return 0;
diff --git a/security/security.c b/security/security.c
index a618e22df5c6..992b612c819a 100644
--- a/security/security.c
+++ b/security/security.c
@@ -278,6 +278,9 @@ static void __init ordered_lsm_parse(const char *order, const char *origin)
        kfree(sep);
 }
+static void __init lsm_early_cred(struct cred *cred);
+static void __init lsm_early_task(struct task_struct *task);
 static void __init ordered_lsm_init(void)
 {
        struct lsm_info **lsm;
@@ -312,6 +315,8 @@ static void __init ordered_lsm_init(void)
                                                    blob_sizes.lbs_inode, 0,
                                                    SLAB_PANIC, NULL);
+        lsm_early_cred((struct cred *) current->cred);
+        lsm_early_task(current);
        for (lsm = ordered_lsms; *lsm; lsm++)
                initialize_lsm(*lsm);
@@ -465,17 +470,12 @@ static int lsm_cred_alloc(struct cred *cred, gfp_t gfp)
 * lsm_early_cred - during initialization allocate a composite cred blob
 * @cred: the cred that needs a blob
 *
- * Allocate the cred blob for all the modules if it's not already there
+ * Allocate the cred blob for all the modules
 */
-void __init lsm_early_cred(struct cred *cred)
+static void __init lsm_early_cred(struct cred *cred)
 {
-        int rc;
+        int rc = lsm_cred_alloc(cred, GFP_KERNEL);
-        if (cred == NULL)
-                panic("%s: NULL cred.\n", __func__);
-        if (cred->security != NULL)
-                return;
-        rc = lsm_cred_alloc(cred, GFP_KERNEL);
        if (rc)
                panic("%s: Early cred alloc failed.\n", __func__);
 }
@@ -589,17 +589,12 @@ int lsm_msg_msg_alloc(struct msg_msg *mp)
 * lsm_early_task - during initialization allocate a composite task blob
 * @task: the task that needs a blob
 *
- * Allocate the task blob for all the modules if it's not already there
+ * Allocate the task blob for all the modules
 */
-void __init lsm_early_task(struct task_struct *task)
+static void __init lsm_early_task(struct task_struct *task)
 {
-        int rc;
+        int rc = lsm_task_alloc(task);
-        if (task == NULL)
-                panic("%s: task cred.\n", __func__);
-        if (task->security != NULL)
-                return;
-        rc = lsm_task_alloc(task);
        if (rc)
                panic("%s: Early task alloc failed.\n", __func__);
 }
diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c
index b2ee49f938f1..5d92167dbe05 100644
--- a/security/selinux/hooks.c
+++ b/security/selinux/hooks.c
@@ -207,7 +207,6 @@ static void cred_init_security(void)
        struct cred *cred = (struct cred *) current->real_cred;
        struct task_security_struct *tsec;
-        lsm_early_cred(cred);
        tsec = selinux_cred(cred);
        tsec->osid = tsec->sid = SECINITSID_KERNEL;
 }
diff --git a/security/smack/smack_lsm.c b/security/smack/smack_lsm.c
index 0b848b1f6366..79d6d2a6a0bc 100644
--- a/security/smack/smack_lsm.c
+++ b/security/smack/smack_lsm.c
@@ -4671,8 +4671,6 @@ static __init int smack_init(void)
        if (!smack_inode_cache)
                return -ENOMEM;
-        lsm_early_cred(cred);
        /*
         * Set the security state for the initial task.
         */
diff --git a/security/tomoyo/tomoyo.c b/security/tomoyo/tomoyo.c
index 066c0daf0efc..2b3eee06004b 100644
--- a/security/tomoyo/tomoyo.c
+++ b/security/tomoyo/tomoyo.c
@@ -566,7 +566,6 @@ static int __init tomoyo_init(void)
        /* register ourselves with the security framework */
        security_add_hooks(tomoyo_hooks, ARRAY_SIZE(tomoyo_hooks), "tomoyo");
        printk(KERN_INFO "TOMOYO Linux initialized\n");
-        lsm_early_cred(cred);
        blob = tomoyo_cred(cred);
        *blob = &tomoyo_kernel_domain;
        tomoyo_mm_init();
author	Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>	2019-01-18 05:15:59 -0500
committer	James Morris <james.morris@microsoft.com>	2019-01-18 14:44:02 -0500
commit	1cfb2a512e74e577bb0ed7c8d76df90a41a83f6a (patch)
tree	f628dd07b171deba0cdc1ff48621f6c07aa0de2a
parent	c1a85a00ea66cb6f0bd0f14e47c28c2b0999799f (diff)