lsm: add helper for blob allocations

Create a helper function lsm_blob_alloc() for general use in the hook specific functions that allocate LSM blobs. Change the hook specific functions to use this helper. This reduces the code size by a small amount and will make adding new instances of infrastructure managed security blobs easier. Signed-off-by: Casey Schaufler <casey@schaufler-ca.com> Reviewed-by: John Johansen <john.johansen@canonical.com> [PM: subject tweak] Signed-off-by: Paul Moore <paul@paul-moore.com>

lsm: add helper for blob allocations
Create a helper function lsm_blob_alloc() for general use in the hook specific functions that allocate LSM blobs. Change the hook specific functions to use this helper. This reduces the code size by a small amount and will make adding new instances of infrastructure managed security blobs easier. Signed-off-by: Casey Schaufler <casey@schaufler-ca.com> Reviewed-by: John Johansen <john.johansen@canonical.com> [PM: subject tweak] Signed-off-by: Paul Moore <paul@paul-moore.com>
09001284 · Casey Schaufler · Paul Moore · 5f8d28f6 · 09001284
Commit 09001284 authored Jul 10, 2024 by Casey Schaufler Committed by Paul Moore Jul 29, 2024
Hide whitespace changes
Inline Side-by-side

Showing with 33 additions and 64 deletions

security/security.c security/security.c +33 -64

No files found.
--- a/security/security.c
+++ b/security/security.c
@@ -603,27 +603,42 @@ int unregister_blocking_lsm_notifier(struct notifier_block *nb)
 EXPORT_SYMBOL(unregister_blocking_lsm_notifier);
 /**
- * lsm_cred_alloc - allocate a composite cred blob
+ * lsm_blob_alloc - allocate a composite blob
- * @cred: the cred that needs a blob
+ * @dest: the destination for the blob
+ * @size: the size of the blob
 * @gfp: allocation type
 *
- * Allocate the cred blob for all the modules
+ * Allocate a blob for all the modules
 *
 * Returns 0, or -ENOMEM if memory can't be allocated.
 */
-static int lsm_cred_alloc(struct cred *cred, gfp_t gfp)
+static int lsm_blob_alloc(void **dest, size_t size, gfp_t gfp)
 {
-	if (blob_sizes.lbs_cred == 0) {
+	if (size == 0) {
-		cred->security = NULL;
+		*dest = NULL;
 		return 0;
 	}
-	cred->security = kzalloc(blob_sizes.lbs_cred, gfp);
+	*dest = kzalloc(size, gfp);
-	if (cred->security == NULL)
+	if (*dest == NULL)
 		return -ENOMEM;
 	return 0;
 }
+/**
+ * lsm_cred_alloc - allocate a composite cred blob
+ * @cred: the cred that needs a blob
+ * @gfp: allocation type
+ *
+ * Allocate the cred blob for all the modules
+ *
+ * Returns 0, or -ENOMEM if memory can't be allocated.
+ */
+static int lsm_cred_alloc(struct cred *cred, gfp_t gfp)
+{
+	return lsm_blob_alloc(&cred->security, blob_sizes.lbs_cred, gfp);
+}
 /**
 * lsm_early_cred - during initialization allocate a composite cred blob
 * @cred: the cred that needs a blob
@@ -690,15 +705,7 @@ int lsm_inode_alloc(struct inode *inode)
 */
 static int lsm_task_alloc(struct task_struct *task)
 {
-	if (blob_sizes.lbs_task == 0) {
+	return lsm_blob_alloc(&task->security, blob_sizes.lbs_task, GFP_KERNEL);
-		task->security = NULL;
-		return 0;
-	}
-	task->security = kzalloc(blob_sizes.lbs_task, GFP_KERNEL);
-	if (task->security == NULL)
-		return -ENOMEM;
-	return 0;
 }
 /**
@@ -711,15 +718,7 @@ static int lsm_task_alloc(struct task_struct *task)
 */
 static int lsm_ipc_alloc(struct kern_ipc_perm *kip)
 {
-	if (blob_sizes.lbs_ipc == 0) {
+	return lsm_blob_alloc(&kip->security, blob_sizes.lbs_ipc, GFP_KERNEL);
-		kip->security = NULL;
-		return 0;
-	}
-	kip->security = kzalloc(blob_sizes.lbs_ipc, GFP_KERNEL);
-	if (kip->security == NULL)
-		return -ENOMEM;
-	return 0;
 }
 #ifdef CONFIG_KEYS
@@ -733,15 +732,7 @@ static int lsm_ipc_alloc(struct kern_ipc_perm *kip)
 */
 static int lsm_key_alloc(struct key *key)
 {
-	if (blob_sizes.lbs_key == 0) {
+	return lsm_blob_alloc(&key->security, blob_sizes.lbs_key, GFP_KERNEL);
-		key->security = NULL;
-		return 0;
-	}
-	key->security = kzalloc(blob_sizes.lbs_key, GFP_KERNEL);
-	if (key->security == NULL)
-		return -ENOMEM;
-	return 0;
 }
 #endif /* CONFIG_KEYS */
@@ -755,15 +746,8 @@ static int lsm_key_alloc(struct key *key)
 */
 static int lsm_msg_msg_alloc(struct msg_msg *mp)
 {
-	if (blob_sizes.lbs_msg_msg == 0) {
+	return lsm_blob_alloc(&mp->security, blob_sizes.lbs_msg_msg,
-		mp->security = NULL;
+			      GFP_KERNEL);
-		return 0;
-	}
-	mp->security = kzalloc(blob_sizes.lbs_msg_msg, GFP_KERNEL);
-	if (mp->security == NULL)
-		return -ENOMEM;
-	return 0;
 }
 /**
@@ -790,15 +774,8 @@ static void __init lsm_early_task(struct task_struct *task)
 */
 static int lsm_superblock_alloc(struct super_block *sb)
 {
-	if (blob_sizes.lbs_superblock == 0) {
+	return lsm_blob_alloc(&sb->s_security, blob_sizes.lbs_superblock,
-		sb->s_security = NULL;
+			      GFP_KERNEL);
-		return 0;
-	}
-	sb->s_security = kzalloc(blob_sizes.lbs_superblock, GFP_KERNEL);
-	if (sb->s_security == NULL)
-		return -ENOMEM;
-	return 0;
 }
 /**
@@ -4706,23 +4683,15 @@ EXPORT_SYMBOL(security_socket_getpeersec_dgram);
 /**
 * lsm_sock_alloc - allocate a composite sock blob
 * @sock: the sock that needs a blob
- * @priority: allocation mode
+ * @gfp: allocation mode
 *
 * Allocate the sock blob for all the modules
 *
 * Returns 0, or -ENOMEM if memory can't be allocated.
 */
-static int lsm_sock_alloc(struct sock *sock, gfp_t priority)
+static int lsm_sock_alloc(struct sock *sock, gfp_t gfp)
 {
-	if (blob_sizes.lbs_sock == 0) {
+	return lsm_blob_alloc(&sock->sk_security, blob_sizes.lbs_sock, gfp);
-		sock->sk_security = NULL;
-		return 0;
-	}
-	sock->sk_security = kzalloc(blob_sizes.lbs_sock, priority);
-	if (sock->sk_security == NULL)
-		return -ENOMEM;
-	return 0;
 }
 /**