SELinux: Abstract use of ipc security blobs

Don't use the ipc->security pointer directly.
Don't use the msg_msg->security pointer directly.
Provide helper functions that provides the security blob pointers.

Signed-off-by: Casey Schaufler <casey@schaufler-ca.com>
Reviewed-by: Kees Cook <keescook@chromium.org>
Signed-off-by: Kees Cook <keescook@chromium.org>

diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c
index 23da46cd6e37711aca3a412f565cbc06630993e6..4b64ad31326f6451ea2298860a6af0eb152b2b5f 100644 (file)
--- a/security/selinux/hooks.c
+++ b/security/selinux/hooks.c
@@ -5678,7 +5678,7 @@ static int ipc_has_perm(struct kern_ipc_perm *ipc_perms,
        struct common_audit_data ad;
        u32 sid = current_sid();
 
-       isec = ipc_perms->security;
+       isec = selinux_ipc(ipc_perms);
 
        ad.type = LSM_AUDIT_DATA_IPC;
        ad.u.ipc_id = ipc_perms->key;
@@ -5735,7 +5735,7 @@ static int selinux_msg_queue_associate(struct kern_ipc_perm *msq, int msqflg)
        struct common_audit_data ad;
        u32 sid = current_sid();
 
-       isec = msq->security;
+       isec = selinux_ipc(msq);
 
        ad.type = LSM_AUDIT_DATA_IPC;
        ad.u.ipc_id = msq->key;
@@ -5784,8 +5784,8 @@ static int selinux_msg_queue_msgsnd(struct kern_ipc_perm *msq, struct msg_msg *m
        u32 sid = current_sid();
        int rc;
 
-       isec = msq->security;
-       msec = msg->security;
+       isec = selinux_ipc(msq);
+       msec = selinux_msg_msg(msg);
 
        /*
         * First time through, need to assign label to the message
@@ -5832,8 +5832,8 @@ static int selinux_msg_queue_msgrcv(struct kern_ipc_perm *msq, struct msg_msg *m
        u32 sid = task_sid(target);
        int rc;
 
-       isec = msq->security;
-       msec = msg->security;
+       isec = selinux_ipc(msq);
+       msec = selinux_msg_msg(msg);
 
        ad.type = LSM_AUDIT_DATA_IPC;
        ad.u.ipc_id = msq->key;
@@ -5886,7 +5886,7 @@ static int selinux_shm_associate(struct kern_ipc_perm *shp, int shmflg)
        struct common_audit_data ad;
        u32 sid = current_sid();
 
-       isec = shp->security;
+       isec = selinux_ipc(shp);
 
        ad.type = LSM_AUDIT_DATA_IPC;
        ad.u.ipc_id = shp->key;
@@ -5983,7 +5983,7 @@ static int selinux_sem_associate(struct kern_ipc_perm *sma, int semflg)
        struct common_audit_data ad;
        u32 sid = current_sid();
 
-       isec = sma->security;
+       isec = selinux_ipc(sma);
 
        ad.type = LSM_AUDIT_DATA_IPC;
        ad.u.ipc_id = sma->key;
@@ -6069,7 +6069,7 @@ static int selinux_ipc_permission(struct kern_ipc_perm *ipcp, short flag)
 
 static void selinux_ipc_getsecid(struct kern_ipc_perm *ipcp, u32 *secid)
 {
-       struct ipc_security_struct *isec = ipcp->security;
+       struct ipc_security_struct *isec = selinux_ipc(ipcp);
        *secid = isec->sid;
 }
 

diff --git a/security/selinux/include/objsec.h b/security/selinux/include/objsec.h
index 562fad58c56b7bb9b4b717bc2e8220b44a4652d4..539cacf4a572fdda5dd372c578d5ed2ab3757a0e 100644 (file)
--- a/security/selinux/include/objsec.h
+++ b/security/selinux/include/objsec.h
@@ -26,6 +26,7 @@
 #include <linux/in.h>
 #include <linux/spinlock.h>
 #include <linux/lsm_hooks.h>
+#include <linux/msg.h>
 #include <net/net_namespace.h>
 #include "flask.h"
 #include "avc.h"
@@ -175,4 +176,16 @@ static inline struct inode_security_struct *selinux_inode(
        return inode->i_security + selinux_blob_sizes.lbs_inode;
 }
 
+static inline struct msg_security_struct *selinux_msg_msg(
+                                               const struct msg_msg *msg_msg)
+{
+       return msg_msg->security;
+}
+
+static inline struct ipc_security_struct *selinux_ipc(
+                                               const struct kern_ipc_perm *ipc)
+{
+       return ipc->security;
+}
+
 #endif /* _SELINUX_OBJSEC_H_ */