1

selinux,smack: properly reference the LSM blob in security_watch_key()

Unfortunately when we migrated the lifecycle management of the key LSM
blob to the LSM framework we forgot to convert the security_watch_key()
callbacks for SELinux and Smack.  This patch corrects this by making use
of the selinux_key() and smack_key() helper functions respectively.

This patch also removes some input checking in the Smack callback as it
is no longer needed.

Fixes: 5f8d28f6d7 ("lsm: infrastructure management of the key security blob")
Reported-by: syzbot+044fdf24e96093584232@syzkaller.appspotmail.com
Tested-by: syzbot+044fdf24e96093584232@syzkaller.appspotmail.com
Reviewed-by: Casey Schaufler <casey@schaufler-ca.com>
Signed-off-by: Paul Moore <paul@paul-moore.com>
This commit is contained in:
Paul Moore 2024-09-19 11:37:11 -04:00
parent ea7e2d5e49
commit 8a23c9e1ba
2 changed files with 4 additions and 11 deletions

View File

@ -6720,7 +6720,7 @@ static int selinux_key_getsecurity(struct key *key, char **_buffer)
#ifdef CONFIG_KEY_NOTIFICATIONS
static int selinux_watch_key(struct key *key)
{
struct key_security_struct *ksec = key->security;
struct key_security_struct *ksec = selinux_key(key);
u32 sid = current_sid();
return avc_has_perm(sid, ksec->sid, SECCLASS_KEY, KEY__VIEW, NULL);

View File

@ -4629,16 +4629,9 @@ static int smack_watch_key(struct key *key)
{
struct smk_audit_info ad;
struct smack_known *tkp = smk_of_current();
struct smack_known **blob = smack_key(key);
int rc;
if (key == NULL)
return -EINVAL;
/*
* If the key hasn't been initialized give it access so that
* it may do so.
*/
if (key->security == NULL)
return 0;
/*
* This should not occur
*/
@ -4653,8 +4646,8 @@ static int smack_watch_key(struct key *key)
ad.a.u.key_struct.key = key->serial;
ad.a.u.key_struct.key_desc = key->description;
#endif
rc = smk_access(tkp, key->security, MAY_READ, &ad);
rc = smk_bu_note("key watch", tkp, key->security, MAY_READ, rc);
rc = smk_access(tkp, *blob, MAY_READ, &ad);
rc = smk_bu_note("key watch", tkp, *blob, MAY_READ, rc);
return rc;
}
#endif /* CONFIG_KEY_NOTIFICATIONS */