selinux,smack: properly reference the LSM blob in security_watch_key()
Unfortunately when we migrated the lifecycle management of the key LSM
blob to the LSM framework we forgot to convert the security_watch_key()
callbacks for SELinux and Smack. This patch corrects this by making use
of the selinux_key() and smack_key() helper functions respectively.
This patch also removes some input checking in the Smack callback as it
is no longer needed.
Fixes: 5f8d28f6d7 ("lsm: infrastructure management of the key security blob")
Reported-by: syzbot+044fdf24e96093584232@syzkaller.appspotmail.com
Tested-by: syzbot+044fdf24e96093584232@syzkaller.appspotmail.com
Reviewed-by: Casey Schaufler <casey@schaufler-ca.com>
Signed-off-by: Paul Moore <paul@paul-moore.com>
parent
ea7e2d5e49
commit
8a23c9e1ba
@ -6720,7 +6720,7 @@ static int selinux_key_getsecurity(struct key *key, char **_buffer)
|
||||
#ifdef CONFIG_KEY_NOTIFICATIONS
|
||||
static int selinux_watch_key(struct key *key)
|
||||
{
|
||||
struct key_security_struct *ksec = key->security;
|
||||
struct key_security_struct *ksec = selinux_key(key);
|
||||
u32 sid = current_sid();
|
||||
|
||||
return avc_has_perm(sid, ksec->sid, SECCLASS_KEY, KEY__VIEW, NULL);
|
||||
|
@ -4629,16 +4629,9 @@ static int smack_watch_key(struct key *key)
|
||||
{
|
||||
struct smk_audit_info ad;
|
||||
struct smack_known *tkp = smk_of_current();
|
||||
struct smack_known **blob = smack_key(key);
|
||||
int rc;
|
||||
|
||||
if (key == NULL)
|
||||
return -EINVAL;
|
||||
/*
|
||||
* If the key hasn't been initialized give it access so that
|
||||
* it may do so.
|
||||
*/
|
||||
if (key->security == NULL)
|
||||
return 0;
|
||||
/*
|
||||
* This should not occur
|
||||
*/
|
||||
@ -4653,8 +4646,8 @@ static int smack_watch_key(struct key *key)
|
||||
ad.a.u.key_struct.key = key->serial;
|
||||
ad.a.u.key_struct.key_desc = key->description;
|
||||
#endif
|
||||
rc = smk_access(tkp, key->security, MAY_READ, &ad);
|
||||
rc = smk_bu_note("key watch", tkp, key->security, MAY_READ, rc);
|
||||
rc = smk_access(tkp, *blob, MAY_READ, &ad);
|
||||
rc = smk_bu_note("key watch", tkp, *blob, MAY_READ, rc);
|
||||
return rc;
|
||||
}
|
||||
#endif /* CONFIG_KEY_NOTIFICATIONS */
|
||||
|
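Review bot: With the `key->security == NULL` early return dropped in the hunk at -4629, `*blob` now reaches smk_access() and smk_bu_note() in the hunk at -4653 unconditionally, so the function depends on the Smack label having been stored in the key's blob before any watch can be placed; nothing in these hunks shows where that happens, and the surviving `This should not occur` comment now introduces a check that lies outside the hunk. If the invariant holds because the blob is filled at key allocation time, state it where the blob is fetched, e.g. `/* blob is populated when the key is allocated; no uninitialized window here */`; if it does not, the removed guard should come back in blob form as `if (*blob == NULL) return 0;`, matching whatever smack_key_permission() does for the same case. The body of smack_watch_key() continues between the two hunks, so the check following the retained comment cannot be seen here.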