This patch adds an allocation priority parameter to the skb_alloc_security() hook, to allow modules to make better use of kmalloc() if they need to allocate a security blob for an skb. This is in keeping with the socket_sock_alloc_security() hook, and has been previously discussed on this list (nobody got around to implementing it). I'd like to get this into the tree ASAP, as we'll need to submit the networking hooks very soon. Comments? - James -- James Morris <jmorrisat_private>
diff -urN -X dontdiff lsm-2.5-orig/include/linux/security.h lsm-2.5-skballoc/include/linux/security.h
--- lsm-2.5-orig/include/linux/security.h Thu Oct 10 11:04:21 2002
+++ lsm-2.5-skballoc/include/linux/security.h Thu Oct 10 11:35:37 2002
@@ -707,6 +707,7 @@
 * being allocated. An LSM module may allocate and assign a new security
 * blob for the &sk_buff via this hook.
 * @skb contains the buffer being allocated.
+ * @priority contains the kernel allocation priority value.
 * Return 0 if successful, or -ENOMEM on out of memory condition.
 * @skb_clone:
 * This hook is called when an &sk_buff is being cloned, and may be used,
@@ -1315,7 +1316,7 @@
 void (*tcp_create_openreq_child) (struct sock * sk, struct sock * newsk, struct sk_buff * skb);
- int (*skb_alloc_security) (struct sk_buff * skb);
+ int (*skb_alloc_security) (struct sk_buff * skbm int priority);
 int (*skb_clone) (struct sk_buff * newskb, const struct sk_buff * oldskb);
 void (*skb_copy) (struct sk_buff * newskb,
diff -urN -X dontdiff lsm-2.5-orig/net/core/skbuff.c lsm-2.5-skballoc/net/core/skbuff.c
--- lsm-2.5-orig/net/core/skbuff.c Thu Oct 10 11:04:25 2002
+++ lsm-2.5-skballoc/net/core/skbuff.c Thu Oct 10 11:37:46 2002
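Review bot: The added `@priority` line in the `@@ -707` hunk of include/linux/security.h does not tell module authors what they must do with the value. The net/core/skbuff.c hunk passes the caller's `gfp_mask` straight through, so the hook can presumably be reached from contexts that must not sleep. I would word it as `@priority contains the allocation priority (GFP flags) of the &sk_buff allocation; the hook must use it for its own allocations and must not sleep unless it permits.` The comment block starts and ends outside the hunk.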
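Review bot: The new prototype in the `@@ -1315` hunk of include/linux/security.h has a typo: `struct sk_buff * skbm int priority` has `m` where the comma should be, so the header will not compile as posted. The line should read `int (*skb_alloc_security) (struct sk_buff * skb, int priority);`, matching the two-argument call in net/core/skbuff.c and the module implementations changed later in this patch. The enclosing struct starts and ends outside the hunk.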
@@ -195,7 +195,7 @@
 if (!data) goto nodata;
- if (security_ops->skb_alloc_security(skb)) {
+ if (security_ops->skb_alloc_security(skb, gfp_mask)) {
 kfree(data);
 goto nodata;
 }
diff -urN -X dontdiff lsm-2.5-orig/security/capability.c lsm-2.5-skballoc/security/capability.c
--- lsm-2.5-orig/security/capability.c Thu Oct 10 11:04:31 2002
+++ lsm-2.5-skballoc/security/capability.c Thu Oct 10 11:41:41 2002
@@ -998,7 +998,7 @@
 return 0;
 }
-static int cap_skb_alloc_security (struct sk_buff *skb)
+static int cap_skb_alloc_security (struct sk_buff *skb, int priority)
 {
 return 0;
 }
diff -urN -X dontdiff lsm-2.5-orig/security/dte/dte.c lsm-2.5-skballoc/security/dte/dte.c
--- lsm-2.5-orig/security/dte/dte.c Thu Oct 10 11:04:31 2002
+++ lsm-2.5-skballoc/security/dte/dte.c Thu Oct 10 11:38:55 2002
@@ -835,7 +835,7 @@
 return 0;
 }
-static int dte_skb_alloc_security (struct sk_buff *skb)
+static int dte_skb_alloc_security (struct sk_buff *skb, int priority)
 {
 return 0;
 }
diff -urN -X dontdiff lsm-2.5-orig/security/dummy.c lsm-2.5-skballoc/security/dummy.c
--- lsm-2.5-orig/security/dummy.c Thu Oct 10 11:04:31 2002
+++ lsm-2.5-skballoc/security/dummy.c Thu Oct 10 11:42:03 2002
@@ -816,7 +816,7 @@
 return 0;
 }
-static int dummy_skb_alloc_security (struct sk_buff *skb)
+static int dummy_skb_alloc_security (struct sk_buff *skb, int priority)
 {
 return 0;
 }
diff -urN -X dontdiff lsm-2.5-orig/security/lids/lids_lsm.c lsm-2.5-skballoc/security/lids/lids_lsm.c
--- lsm-2.5-orig/security/lids/lids_lsm.c Thu Oct 10 11:04:32 2002
+++ lsm-2.5-skballoc/security/lids/lids_lsm.c Thu Oct 10 11:39:13 2002
@@ -994,7 +994,7 @@
 return 0;
 }
-static int lids_skb_alloc_security (struct sk_buff *skb)
+static int lids_skb_alloc_security (struct sk_buff *skb, int priority)
 {
 return 0;
 }
diff -urN -X dontdiff lsm-2.5-orig/security/owlsm.c lsm-2.5-skballoc/security/owlsm.c
--- lsm-2.5-orig/security/owlsm.c Thu Oct 10 11:04:31 2002
+++ lsm-2.5-skballoc/security/owlsm.c Thu Oct 10 11:42:22 2002
@@ -816,7 +816,7 @@
 return 0;
 }
-static int owlsm_skb_alloc_security (struct sk_buff *skb)
+static int owlsm_skb_alloc_security (struct sk_buff *skb, int priority)
 {
 return 0;
 }
diff -urN -X dontdiff lsm-2.5-orig/security/selinux/hooks.c lsm-2.5-skballoc/security/selinux/hooks.c
--- lsm-2.5-orig/security/selinux/hooks.c Thu Oct 10 11:04:33 2002
+++ lsm-2.5-skballoc/security/selinux/hooks.c Thu Oct 10 11:41:18 2002
@@ -338,12 +338,12 @@
 static spinlock_t skb_alloc_lock = SPIN_LOCK_UNLOCKED;
-static int skb_alloc_security(struct sk_buff *skb)
+static int skb_alloc_security(struct sk_buff *skb, int priority)
 {
 struct skb_security_struct *ssec, *new_ssec;
 unsigned long flags;
- new_ssec = kmalloc(sizeof(struct skb_security_struct), SAFE_ALLOC);
+ new_ssec = kmalloc(sizeof(struct skb_security_struct), priority);
 if (!new_ssec) return -ENOMEM;
@@ -916,7 +916,7 @@
 if (ssec && ssec->magic == SELINUX_MAGIC) return 1;
- rc = skb_alloc_security(skb);
+ rc = skb_alloc_security(skb, SAFE_ALLOC);
 if (rc) return rc;
@@ -4470,9 +4470,9 @@
 return task_has_system(current, SYSTEM__IPC_INFO);
 }
-static int selinux_skb_alloc_security(struct sk_buff *skb)
+static int selinux_skb_alloc_security(struct sk_buff *skb, int priority)
 {
- return skb_alloc_security(skb);
+ return skb_alloc_security(skb, priority);
 }
 static int selinux_skb_clone(struct sk_buff *newskb,
_______________________________________________
linux-security-module mailing list
linux-security-moduleat_private
http://mail.wirex.com/mailman/listinfo/linux-security-module
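Review bot: The `@@ -916` hunk of security/selinux/hooks.c still hard-codes the allocation flag with `rc = skb_alloc_security(skb, SAFE_ALLOC);`, while the hook path now forwards the caller's `priority`. Neither the enclosing function nor the definition of `SAFE_ALLOC` is visible in this hunk, so it is not clear whether that call site can run in a context where sleeping is forbidden. If it can, the flag needs to be atomic-safe there. At minimum I would add a comment on that line, for example `/* lazy allocation for skbs that have no blob yet; SAFE_ALLOC picks a non-sleeping priority when needed */`, after confirming that this is what the macro does.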