SELinux: Abstract use of file security blob

Don't use the file->f_security pointer directly.
Provide a helper function that provides the security blob pointer.

Signed-off-by: Casey Schaufler <casey@schaufler-ca.com>
Reviewed-by: Kees Cook <keescook@chromium.org>
Signed-off-by: Kees Cook <keescook@chromium.org>

diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c
index 239b13b442e773b95e7c672bfe9af458806bb2ef..620be0367c0b6ba9e68f2d242b3ab1f3dcc107c4 100644 (file)
--- a/security/selinux/hooks.c
+++ b/security/selinux/hooks.c
@@ -394,7 +394,7 @@ static int file_alloc_security(struct file *file)
 
 static void file_free_security(struct file *file)
 {
-       struct file_security_struct *fsec = file->f_security;
+       struct file_security_struct *fsec = selinux_file(file);
        file->f_security = NULL;
        kmem_cache_free(file_security_cache, fsec);
 }
@@ -1733,7 +1733,7 @@ static int file_has_perm(const struct cred *cred,
                         struct file *file,
                         u32 av)
 {
-       struct file_security_struct *fsec = file->f_security;
+       struct file_security_struct *fsec = selinux_file(file);
        struct inode *inode = file_inode(file);
        struct common_audit_data ad;
        u32 sid = cred_sid(cred);
@@ -2077,7 +2077,7 @@ static int selinux_binder_transfer_file(struct task_struct *from,
                                        struct file *file)
 {
        u32 sid = task_sid(to);
-       struct file_security_struct *fsec = file->f_security;
+       struct file_security_struct *fsec = selinux_file(file);
        struct dentry *dentry = file->f_path.dentry;
        struct inode_security_struct *isec;
        struct common_audit_data ad;
@@ -3323,7 +3323,7 @@ static int selinux_revalidate_file_permission(struct file *file, int mask)
 static int selinux_file_permission(struct file *file, int mask)
 {
        struct inode *inode = file_inode(file);
-       struct file_security_struct *fsec = file->f_security;
+       struct file_security_struct *fsec = selinux_file(file);
        struct inode_security_struct *isec;
        u32 sid = current_sid();
 
@@ -3358,7 +3358,7 @@ static int ioctl_has_perm(const struct cred *cred, struct file *file,
                u32 requested, u16 cmd)
 {
        struct common_audit_data ad;
-       struct file_security_struct *fsec = file->f_security;
+       struct file_security_struct *fsec = selinux_file(file);
        struct inode *inode = file_inode(file);
        struct inode_security_struct *isec;
        struct lsm_ioctlop_audit ioctl;
@@ -3610,7 +3610,7 @@ static void selinux_file_set_fowner(struct file *file)
 {
        struct file_security_struct *fsec;
 
-       fsec = file->f_security;
+       fsec = selinux_file(file);
        fsec->fown_sid = current_sid();
 }
 
@@ -3625,7 +3625,7 @@ static int selinux_file_send_sigiotask(struct task_struct *tsk,
        /* struct fown_struct is never outside the context of a struct file */
        file = container_of(fown, struct file, f_owner);
 
-       fsec = file->f_security;
+       fsec = selinux_file(file);
 
        if (!signum)
                perm = signal_to_av(SIGIO); /* as per send_sigio_to_task */
@@ -3649,7 +3649,7 @@ static int selinux_file_open(struct file *file)
        struct file_security_struct *fsec;
        struct inode_security_struct *isec;
 
-       fsec = file->f_security;
+       fsec = selinux_file(file);
        isec = inode_security(file_inode(file));
        /*
         * Save inode label and policy sequence number
@@ -3788,7 +3788,7 @@ static int selinux_kernel_module_from_file(struct file *file)
        ad.type = LSM_AUDIT_DATA_FILE;
        ad.u.file = file;
 
-       fsec = file->f_security;
+       fsec = selinux_file(file);
        if (sid != fsec->sid) {
                rc = avc_has_perm(&selinux_state,
                                  sid, fsec->sid, SECCLASS_FD, FD__USE, &ad);

diff --git a/security/selinux/include/objsec.h b/security/selinux/include/objsec.h
index c2974b031d05d1a54de7481c5a5608847e42ea4b..e0ac2992e059e5d688dbccda5e54de91207fcfe0 100644 (file)
--- a/security/selinux/include/objsec.h
+++ b/security/selinux/include/objsec.h
@@ -165,4 +165,9 @@ static inline struct task_security_struct *selinux_cred(const struct cred *cred)
        return cred->security + selinux_blob_sizes.lbs_cred;
 }
 
+static inline struct file_security_struct *selinux_file(const struct file *file)
+{
+       return file->f_security;
+}
+
 #endif /* _SELINUX_OBJSEC_H_ */