| author | Linus Torvalds <torvalds@linux-foundation.org> | 2026-02-09 10:16:48 -0800 |
|---|---|---|
| committer | Linus Torvalds <torvalds@linux-foundation.org> | 2026-02-09 10:16:48 -0800 |
| commit | bcc8fd3e1573c502edc0cb61abea0e113a761799 (patch) | |
| tree | 3df2e9b53c6411da4b5c0d40910565d3001dc70a | |
| parent | 698749164aa53cc313248efd2dc1c25dcf25c99c (diff) | |
| parent | 472711068fa950642b9b471aaebcc82e9930eb8c (diff) | |
Merge tag 'lsm-pr-20260203' of git://git.kernel.org/pub/scm/linux/kernel/git/pcmoore/lsm
Pull lsm updates from Paul Moore:
- Unify the security_inode_listsecurity() calls in NFSv4
While looking at security_inode_listsecurity() with an eye towards
improving the interface, we realized that the NFSv4 code was making
multiple calls to the LSM hook that could be consolidated into one.
- Mark the LSM static branch keys as static - this helps resolve some
sparse warnings
- Add __rust_helper annotations to the LSM and cred wrapper functions
- Remove the unused set_security_override_from_ctx() function
- Minor fixes to some of the LSM kdoc comment blocks
* tag 'lsm-pr-20260203' of git://git.kernel.org/pub/scm/linux/kernel/git/pcmoore/lsm:
lsm: make keys for static branch static
cred: remove unused set_security_override_from_ctx()
rust: security: add __rust_helper to helpers
rust: cred: add __rust_helper to helpers
nfs: unify security_inode_listsecurity() calls
lsm: fix kernel-doc struct member names
| -rw-r--r-- | fs/nfs/nfs4proc.c | 38 | ||||
| -rw-r--r-- | include/linux/cred.h | 1 | ||||
| -rw-r--r-- | include/linux/lsm_hooks.h | 4 | ||||
| -rw-r--r-- | kernel/cred.c | 23 | ||||
| -rw-r--r-- | rust/helpers/cred.c | 4 | ||||
| -rw-r--r-- | rust/helpers/security.c | 26 | ||||
| -rw-r--r-- | security/security.c | 2 |
7 files changed, 23 insertions, 75 deletions
diff --git a/fs/nfs/nfs4proc.c b/fs/nfs/nfs4proc.c index a0885ae55abc..dcd94262f0a1 100644 --- a/fs/nfs/nfs4proc.c +++ b/fs/nfs/nfs4proc.c @@ -8172,33 +8172,12 @@ static int nfs4_xattr_get_nfs4_label(const struct xattr_handler *handler, return -EOPNOTSUPP; } -static ssize_t -nfs4_listxattr_nfs4_label(struct inode *inode, char *list, size_t list_len) -{ - int len = 0; - - if (nfs_server_capable(inode, NFS_CAP_SECURITY_LABEL)) { - len = security_inode_listsecurity(inode, list, list_len); - if (len >= 0 && list_len && len > list_len) - return -ERANGE; - } - return len; -} - static const struct xattr_handler nfs4_xattr_nfs4_label_handler = { .prefix = XATTR_SECURITY_PREFIX, .get = nfs4_xattr_get_nfs4_label, .set = nfs4_xattr_set_nfs4_label, }; -#else - -static ssize_t -nfs4_listxattr_nfs4_label(struct inode *inode, char *list, size_t list_len) -{ - return 0; -} - #endif #ifdef CONFIG_NFS_V4_2 @@ -10995,7 +10974,7 @@ const struct nfs4_minor_version_ops *nfs_v4_minor_ops[] = { static ssize_t nfs4_listxattr(struct dentry *dentry, char *list, size_t size) { - ssize_t error, error2, error3, error4 = 0; + ssize_t error, error2, error3; size_t left = size; error = generic_listxattr(dentry, list, left); @@ -11006,10 +10985,9 @@ static ssize_t nfs4_listxattr(struct dentry *dentry, char *list, size_t size) left -= error; } - error2 = nfs4_listxattr_nfs4_label(d_inode(dentry), list, left); + error2 = security_inode_listsecurity(d_inode(dentry), list, left); if (error2 < 0) return error2; - if (list) { list += error2; left -= error2; 
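Review bot: The direct security_inode_listsecurity() call now feeds `list += error2` and `left -= error2` without the `len > list_len` check that the removed nfs4_listxattr_nfs4_label() wrapper performed, so a return value larger than the remaining space (the case the wrapper's -ERANGE path guarded against) underflows the size_t `left` and advances `list` past the end of the caller's buffer before nfs4_listxattr_nfs4_user() is called with both. The final `if (size && error > size)` test only runs after that call, so it cannot prevent an over-long write if that helper fills up to `left` bytes; I would add `if (list && (size_t)error2 > left) return -ERANGE;` immediately after the `error2 < 0` check. That restores the old per-call bound and keeps the pointer arithmetic in range on the small-buffer path. nfs4_listxattr starts in the preceding hunk and continues past this one.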
@@ -11018,18 +10996,8 @@ static ssize_t nfs4_listxattr(struct dentry *dentry, char *list, size_t size) error3 = nfs4_listxattr_nfs4_user(d_inode(dentry), list, left); if (error3 < 0) return error3; - if (list) { - list += error3; - left -= error3; - } - - if (!nfs_server_capable(d_inode(dentry), NFS_CAP_SECURITY_LABEL)) { - error4 = security_inode_listsecurity(d_inode(dentry), list, left); - if (error4 < 0) - return error4; - } - error += error2 + error3 + error4; + error += error2 + error3; if (size && error > size) return -ERANGE; return error; diff --git a/include/linux/cred.h b/include/linux/cred.h index 343a140a6ba2..ed1609d78cd7 100644 --- a/include/linux/cred.h +++ b/include/linux/cred.h @@ -164,7 +164,6 @@ static inline const struct cred *kernel_cred(void) return rcu_dereference_raw(init_task.cred); } extern int set_security_override(struct cred *, u32); -extern int set_security_override_from_ctx(struct cred *, const char *); extern int set_create_files_as(struct cred *, struct inode *); extern int cred_fscmp(const struct cred *, const struct cred *); extern void __init cred_init(void); diff --git a/include/linux/lsm_hooks.h b/include/linux/lsm_hooks.h index b92008641242..d48bf0ad26f4 100644 --- a/include/linux/lsm_hooks.h +++ b/include/linux/lsm_hooks.h @@ -73,7 +73,7 @@ struct lsm_static_calls_table { /** * struct lsm_id - Identify a Linux Security Module. - * @lsm: name of the LSM, must be approved by the LSM maintainers + * @name: name of the LSM, must be approved by the LSM maintainers * @id: LSM ID number from uapi/linux/lsm.h * * Contains the information that identifies the LSM. 
@@ -164,7 +164,7 @@ enum lsm_order { * @initcall_core: LSM callback for core_initcall() setup, optional * @initcall_subsys: LSM callback for subsys_initcall() setup, optional * @initcall_fs: LSM callback for fs_initcall setup, optional - * @nitcall_device: LSM callback for device_initcall() setup, optional + * @initcall_device: LSM callback for device_initcall() setup, optional * @initcall_late: LSM callback for late_initcall() setup, optional */ struct lsm_info { diff --git a/kernel/cred.c b/kernel/cred.c index a6f686b30da1..12a7b1ce5131 100644 --- a/kernel/cred.c +++ b/kernel/cred.c @@ -621,29 +621,6 @@ int set_security_override(struct cred *new, u32 secid) EXPORT_SYMBOL(set_security_override); /** - * set_security_override_from_ctx - Set the security ID in a set of credentials - * @new: The credentials to alter - * @secctx: The LSM security context to generate the security ID from. - * - * Set the LSM security ID in a set of credentials so that the subjective - * security is overridden when an alternative set of credentials is used. The - * security ID is specified in string form as a security context to be - * interpreted by the LSM. - */ -int set_security_override_from_ctx(struct cred *new, const char *secctx) -{ - u32 secid; - int ret; - - ret = security_secctx_to_secid(secctx, strlen(secctx), &secid); - if (ret < 0) - return ret; - - return set_security_override(new, secid); -} -EXPORT_SYMBOL(set_security_override_from_ctx); - -/** * set_create_files_as - Set the LSM file create context in a set of credentials * @new: The credentials to alter * @inode: The inode to take the context from diff --git a/rust/helpers/cred.c b/rust/helpers/cred.c index fde7ae20cdd1..a56a7b753623 100644 --- a/rust/helpers/cred.c +++ b/rust/helpers/cred.c 
@@ -2,12 +2,12 @@ #include <linux/cred.h> -const struct cred *rust_helper_get_cred(const struct cred *cred) +__rust_helper const struct cred *rust_helper_get_cred(const struct cred *cred) { return get_cred(cred); } -void rust_helper_put_cred(const struct cred *cred) +__rust_helper void rust_helper_put_cred(const struct cred *cred) { put_cred(cred); } diff --git a/rust/helpers/security.c b/rust/helpers/security.c index ca22da09548d..8d0a25fcf931 100644 --- a/rust/helpers/security.c +++ b/rust/helpers/security.c 
@@ -3,41 +3,45 @@ #include <linux/security.h> #ifndef CONFIG_SECURITY -void rust_helper_security_cred_getsecid(const struct cred *c, u32 *secid) +__rust_helper void rust_helper_security_cred_getsecid(const struct cred *c, + u32 *secid) { security_cred_getsecid(c, secid); } -int rust_helper_security_secid_to_secctx(u32 secid, struct lsm_context *cp) +__rust_helper int rust_helper_security_secid_to_secctx(u32 secid, + struct lsm_context *cp) { return security_secid_to_secctx(secid, cp); } -void rust_helper_security_release_secctx(struct lsm_context *cp) +__rust_helper void rust_helper_security_release_secctx(struct lsm_context *cp) { security_release_secctx(cp); } -int rust_helper_security_binder_set_context_mgr(const struct cred *mgr) +__rust_helper int +rust_helper_security_binder_set_context_mgr(const struct cred *mgr) { return security_binder_set_context_mgr(mgr); } -int rust_helper_security_binder_transaction(const struct cred *from, - const struct cred *to) +__rust_helper int +rust_helper_security_binder_transaction(const struct cred *from, + const struct cred *to) { return security_binder_transaction(from, to); } -int rust_helper_security_binder_transfer_binder(const struct cred *from, - const struct cred *to) +__rust_helper int +rust_helper_security_binder_transfer_binder(const struct cred *from, + const struct cred *to) { return security_binder_transfer_binder(from, to); } -int rust_helper_security_binder_transfer_file(const struct cred *from, - const struct cred *to, - const struct file *file) +__rust_helper int rust_helper_security_binder_transfer_file( + const struct cred *from, const struct cred *to, const struct file *file) { return security_binder_transfer_file(from, to, file); } diff --git a/security/security.c b/security/security.c index 31a688650601..67af9228c4e9 100644 --- a/security/security.c +++ b/security/security.c 
@@ -115,7 +115,7 @@ do { \ #define DEFINE_LSM_STATIC_CALL(NUM, NAME, RET, ...) \ DEFINE_STATIC_CALL_NULL(LSM_STATIC_CALL(NAME, NUM), \ *((RET(*)(__VA_ARGS__))NULL)); \ - DEFINE_STATIC_KEY_FALSE(SECURITY_HOOK_ACTIVE_KEY(NAME, NUM)); + static DEFINE_STATIC_KEY_FALSE(SECURITY_HOOK_ACTIVE_KEY(NAME, NUM)); #define LSM_HOOK(RET, DEFAULT, NAME, ...) \ LSM_DEFINE_UNROLL(DEFINE_LSM_STATIC_CALL, NAME, RET, __VA_ARGS__) |
