selinux: add gfp argument to security_xfrm_policy_alloc and fix callers

security_xfrm_policy_alloc can be called in atomic context so the allocation should be done with GFP_ATOMIC. Add an argument to let the callers choose the appropriate way. In order to do so a gfp argument needs to be added to the method xfrm_policy_alloc_security in struct security_operations and to the internal function selinux_xfrm_alloc_user. After that switch to GFP_ATOMIC in the atomic callers and leave GFP_KERNEL as before for the rest. The path that needed the gfp argument addition is: security_xfrm_policy_alloc -> security_ops.xfrm_policy_alloc_security -> all users of xfrm_policy_alloc_security (e.g. selinux_xfrm_policy_alloc) -> selinux_xfrm_alloc_user (here the allocation used to be GFP_KERNEL only) Now adding a gfp argument to selinux_xfrm_alloc_user requires us to also add it to security_context_to_sid which is used inside and prior to this patch did only GFP_KERNEL allocation. So add gfp argument to security_context_to_sid and adjust all of its callers as well. CC: Paul Moore <paul@paul-moore.com> CC: Dave Jones <davej@redhat.com> CC: Steffen Klassert <steffen.klassert@secunet.com> CC: Fan Du <fan.du@windriver.com> CC: David S. Miller <davem@davemloft.net> CC: LSM list <linux-security-module@vger.kernel.org> CC: SELinux list <selinux@tycho.nsa.gov> Signed-off-by: Nikolay Aleksandrov <nikolay@redhat.com> Acked-by: Paul Moore <paul@paul-moore.com> Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>
author: Nikolay Aleksandrov <nikolay@redhat.com> 2014-03-07 06:44:19 -0500
committer: Steffen Klassert <steffen.klassert@secunet.com> 2014-03-10 03:30:02 -0400
commit: 52a4c6404f91f2d2c5592ee6365a8418c4565f53 (patch)
tree: c88320060de9b18fbe345a46dc9d91eecb92dde9 /net
parent: 87536a81e1f52409b45333ce8cac415a1218163c (diff)
2 files changed, 6 insertions, 6 deletions
diff --git a/net/key/af_key.c b/net/key/af_key.c
index 1526023f99ed..79326978517a 100644
--- a/net/key/af_key.c
+++ b/net/key/af_key.c
@@ -2239,7 +2239,7 @@ static int pfkey_spdadd(struct sock *sk, struct sk_buff *skb, const struct sadb_
                        goto out;
                }
-                err = security_xfrm_policy_alloc(&xp->security, uctx);
+                err = security_xfrm_policy_alloc(&xp->security, uctx, GFP_KERNEL);
                kfree(uctx);
                if (err)
@@ -2341,7 +2341,7 @@ static int pfkey_spddelete(struct sock *sk, struct sk_buff *skb, const struct sa
                if (!uctx)
                        return -ENOMEM;
-                err = security_xfrm_policy_alloc(&pol_ctx, uctx);
+                err = security_xfrm_policy_alloc(&pol_ctx, uctx, GFP_KERNEL);
                kfree(uctx);
                if (err)
                        return err;
@@ -3241,7 +3241,7 @@ static struct xfrm_policy *pfkey_compile_policy(struct sock *sk, int opt,
                if ((*dir = verify_sec_ctx_len(p)))
                        goto out;
                uctx = pfkey_sadb2xfrm_user_sec_ctx(sec_ctx, GFP_ATOMIC);
-                *dir = security_xfrm_policy_alloc(&xp->security, uctx);
+                *dir = security_xfrm_policy_alloc(&xp->security, uctx, GFP_ATOMIC);
                kfree(uctx);
                if (*dir)
diff --git a/net/xfrm/xfrm_user.c b/net/xfrm/xfrm_user.c
index c274179d60a2..2f7ddc3a59b4 100644
--- a/net/xfrm/xfrm_user.c
+++ b/net/xfrm/xfrm_user.c
@@ -1221,7 +1221,7 @@ static int copy_from_user_sec_ctx(struct xfrm_policy *pol, struct nlattr **attrs
                return 0;
        uctx = nla_data(rt);
-        return security_xfrm_policy_alloc(&pol->security, uctx);
+        return security_xfrm_policy_alloc(&pol->security, uctx, GFP_KERNEL);
 }
 static void copy_templates(struct xfrm_policy *xp, struct xfrm_user_tmpl *ut,
@@ -1626,7 +1626,7 @@ static int xfrm_get_policy(struct sk_buff *skb, struct nlmsghdr *nlh,
                if (rt) {
                        struct xfrm_user_sec_ctx *uctx = nla_data(rt);
-                        err = security_xfrm_policy_alloc(&ctx, uctx);
+                        err = security_xfrm_policy_alloc(&ctx, uctx, GFP_KERNEL);
                        if (err)
                                return err;
                }
@@ -1928,7 +1928,7 @@ static int xfrm_add_pol_expire(struct sk_buff *skb, struct nlmsghdr *nlh,
                if (rt) {
                        struct xfrm_user_sec_ctx *uctx = nla_data(rt);
-                        err = security_xfrm_policy_alloc(&ctx, uctx);
+                        err = security_xfrm_policy_alloc(&ctx, uctx, GFP_KERNEL);
                        if (err)
                                return err;
                }
author	Nikolay Aleksandrov <nikolay@redhat.com>	2014-03-07 06:44:19 -0500
committer	Steffen Klassert <steffen.klassert@secunet.com>	2014-03-10 03:30:02 -0400
commit	52a4c6404f91f2d2c5592ee6365a8418c4565f53 (patch)
tree	c88320060de9b18fbe345a46dc9d91eecb92dde9 /net
parent	87536a81e1f52409b45333ce8cac415a1218163c (diff)

diff --git a/net/key/af_key.c b/net/key/af_key.c index 1526023f99ed..79326978517a 100644 --- a/net/key/af_key.c +++ b/net/key/af_key.c
@@ -2239,7 +2239,7 @@ static int pfkey_spdadd(struct sock sk, struct sk_buff skb, const struct sadb_
2239	goto out;	2239	goto out;
2240	}	2240	}
2241		2241
2242	err = security_xfrm_policy_alloc(&xp->security, uctx);	2242	err = security_xfrm_policy_alloc(&xp->security, uctx, GFP_KERNEL);
2243	kfree(uctx);	2243	kfree(uctx);
2244		2244
2245	if (err)	2245	if (err)
@@ -2341,7 +2341,7 @@ static int pfkey_spddelete(struct sock sk, struct sk_buff skb, const struct sa
2341	if (!uctx)	2341	if (!uctx)
2342	return -ENOMEM;	2342	return -ENOMEM;
2343		2343
2344	err = security_xfrm_policy_alloc(&pol_ctx, uctx);	2344	err = security_xfrm_policy_alloc(&pol_ctx, uctx, GFP_KERNEL);
2345	kfree(uctx);	2345	kfree(uctx);
2346	if (err)	2346	if (err)
2347	return err;	2347	return err;
@@ -3241,7 +3241,7 @@ static struct xfrm_policy pfkey_compile_policy(struct sock sk, int opt,
3241	if ((*dir = verify_sec_ctx_len(p)))	3241	if ((*dir = verify_sec_ctx_len(p)))
3242	goto out;	3242	goto out;
3243	uctx = pfkey_sadb2xfrm_user_sec_ctx(sec_ctx, GFP_ATOMIC);	3243	uctx = pfkey_sadb2xfrm_user_sec_ctx(sec_ctx, GFP_ATOMIC);
3244	*dir = security_xfrm_policy_alloc(&xp->security, uctx);	3244	*dir = security_xfrm_policy_alloc(&xp->security, uctx, GFP_ATOMIC);
3245	kfree(uctx);	3245	kfree(uctx);
3246		3246
3247	if (*dir)	3247	if (*dir)


diff --git a/net/xfrm/xfrm_user.c b/net/xfrm/xfrm_user.c index c274179d60a2..2f7ddc3a59b4 100644 --- a/net/xfrm/xfrm_user.c +++ b/net/xfrm/xfrm_user.c
@@ -1221,7 +1221,7 @@ static int copy_from_user_sec_ctx(struct xfrm_policy pol, struct nlattr *attrs
1221	return 0;	1221	return 0;
1222		1222
1223	uctx = nla_data(rt);	1223	uctx = nla_data(rt);
1224	return security_xfrm_policy_alloc(&pol->security, uctx);	1224	return security_xfrm_policy_alloc(&pol->security, uctx, GFP_KERNEL);
1225	}	1225	}
1226		1226
1227	static void copy_templates(struct xfrm_policy xp, struct xfrm_user_tmpl ut,	1227	static void copy_templates(struct xfrm_policy xp, struct xfrm_user_tmpl ut,
@@ -1626,7 +1626,7 @@ static int xfrm_get_policy(struct sk_buff skb, struct nlmsghdr nlh,
1626	if (rt) {	1626	if (rt) {
1627	struct xfrm_user_sec_ctx *uctx = nla_data(rt);	1627	struct xfrm_user_sec_ctx *uctx = nla_data(rt);
1628		1628
1629	err = security_xfrm_policy_alloc(&ctx, uctx);	1629	err = security_xfrm_policy_alloc(&ctx, uctx, GFP_KERNEL);
1630	if (err)	1630	if (err)
1631	return err;	1631	return err;
1632	}	1632	}
@@ -1928,7 +1928,7 @@ static int xfrm_add_pol_expire(struct sk_buff skb, struct nlmsghdr nlh,
1928	if (rt) {	1928	if (rt) {
1929	struct xfrm_user_sec_ctx *uctx = nla_data(rt);	1929	struct xfrm_user_sec_ctx *uctx = nla_data(rt);
1930		1930
1931	err = security_xfrm_policy_alloc(&ctx, uctx);	1931	err = security_xfrm_policy_alloc(&ctx, uctx, GFP_KERNEL);
1932	if (err)	1932	if (err)
1933	return err;	1933	return err;
1934	}	1934	}