On 7/21/2025 4:21 PM, Paul Moore wrote:
> Convert the lsm_blob_size fields to unsigned integers as there is no
> current need for them to be negative, change "lsm_set_blob_size()" to
> "lsm_blob_size_update()" to better reflect reality, and perform some
> other minor cleanups to the associated code.
>
> Reviewed-by: Kees Cook <k...@kernel.org>
> Reviewed-by: John Johansen <john.johan...@canonical.com>
> Signed-off-by: Paul Moore <p...@paul-moore.com>

Reviewed-by: Casey Schaufler <ca...@schaufler-ca.com>


> ---
>  include/linux/lsm_hooks.h | 28 ++++++++++-----------
>  security/lsm_init.c       | 51 +++++++++++++++++++++++----------------
>  2 files changed, 44 insertions(+), 35 deletions(-)
>
> diff --git a/include/linux/lsm_hooks.h b/include/linux/lsm_hooks.h
> index bc477fb20d02..a7ecb0791a0f 100644
> --- a/include/linux/lsm_hooks.h
> +++ b/include/linux/lsm_hooks.h
> @@ -102,20 +102,20 @@ struct security_hook_list {
>   * Security blob size or offset data.
>   */
>  struct lsm_blob_sizes {
> -     int lbs_cred;
> -     int lbs_file;
> -     int lbs_ib;
> -     int lbs_inode;
> -     int lbs_sock;
> -     int lbs_superblock;
> -     int lbs_ipc;
> -     int lbs_key;
> -     int lbs_msg_msg;
> -     int lbs_perf_event;
> -     int lbs_task;
> -     int lbs_xattr_count; /* number of xattr slots in new_xattrs array */
> -     int lbs_tun_dev;
> -     int lbs_bdev;
> +     unsigned int lbs_cred;
> +     unsigned int lbs_file;
> +     unsigned int lbs_ib;
> +     unsigned int lbs_inode;
> +     unsigned int lbs_sock;
> +     unsigned int lbs_superblock;
> +     unsigned int lbs_ipc;
> +     unsigned int lbs_key;
> +     unsigned int lbs_msg_msg;
> +     unsigned int lbs_perf_event;
> +     unsigned int lbs_task;
> +     unsigned int lbs_xattr_count; /* num xattr slots in new_xattrs array */
> +     unsigned int lbs_tun_dev;
> +     unsigned int lbs_bdev;
>  };
>  
>  /*
> diff --git a/security/lsm_init.c b/security/lsm_init.c
> index b1156f414491..aad363e37140 100644
> --- a/security/lsm_init.c
> +++ b/security/lsm_init.c
> @@ -169,16 +169,22 @@ static void __init lsm_order_append(struct lsm_info 
> *lsm, const char *src)
>                  lsm_is_enabled(lsm) ? "enabled" : "disabled");
>  }
>  
> -static void __init lsm_set_blob_size(int *need, int *lbs)
> +/**
> + * lsm_blob_size_update - Update the LSM blob size and offset information
> + * @sz_req: the requested additional blob size
> + * @sz_cur: the existing blob size
> + */
> +static void __init lsm_blob_size_update(unsigned int *sz_req,
> +                                     unsigned int *sz_cur)
>  {
> -     int offset;
> +     unsigned int offset;
>  
> -     if (*need <= 0)
> +     if (*sz_req == 0)
>               return;
>  
> -     offset = ALIGN(*lbs, sizeof(void *));
> -     *lbs = offset + *need;
> -     *need = offset;
> +     offset = ALIGN(*sz_cur, sizeof(void *));
> +     *sz_cur = offset + *sz_req;
> +     *sz_req = offset;
>  }
>  
>  /**
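Review bot: The new kernel-doc for lsm_blob_size_update() describes @sz_req only as an input, but the last statement `*sz_req = offset;` overwrites it with the offset assigned to this LSM, so the caller's field changes meaning from size to offset after the call. I would say so in the comment, e.g. `@sz_req: the requested additional blob size; on return, the LSM's offset into the blob` and `@sz_cur: the running total blob size, updated in place`. Separately, with unsigned fields `offset + *sz_req` (and the `ALIGN()` before it) wraps silently on overflow. The requests look like build-time constants from built-in LSMs, so this is unlikely, but a wrapped total would leave later offsets pointing past the allocated blob. A `check_add_overflow()` guard, or a comment stating why none is needed, would make that assumption explicit.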
> @@ -193,24 +199,27 @@ static void __init lsm_prepare(struct lsm_info *lsm)
>               return;
>  
>       /* Register the LSM blob sizes. */
> -     lsm_set_blob_size(&blobs->lbs_cred, &blob_sizes.lbs_cred);
> -     lsm_set_blob_size(&blobs->lbs_file, &blob_sizes.lbs_file);
> -     lsm_set_blob_size(&blobs->lbs_ib, &blob_sizes.lbs_ib);
> +     blobs = lsm->blobs;
> +     lsm_blob_size_update(&blobs->lbs_cred, &blob_sizes.lbs_cred);
> +     lsm_blob_size_update(&blobs->lbs_file, &blob_sizes.lbs_file);
> +     lsm_blob_size_update(&blobs->lbs_ib, &blob_sizes.lbs_ib);
>       /* inode blob gets an rcu_head in addition to LSM blobs. */
>       if (blobs->lbs_inode && blob_sizes.lbs_inode == 0)
>               blob_sizes.lbs_inode = sizeof(struct rcu_head);
> -     lsm_set_blob_size(&blobs->lbs_inode, &blob_sizes.lbs_inode);
> -     lsm_set_blob_size(&blobs->lbs_ipc, &blob_sizes.lbs_ipc);
> -     lsm_set_blob_size(&blobs->lbs_key, &blob_sizes.lbs_key);
> -     lsm_set_blob_size(&blobs->lbs_msg_msg, &blob_sizes.lbs_msg_msg);
> -     lsm_set_blob_size(&blobs->lbs_perf_event, &blob_sizes.lbs_perf_event);
> -     lsm_set_blob_size(&blobs->lbs_sock, &blob_sizes.lbs_sock);
> -     lsm_set_blob_size(&blobs->lbs_superblock, &blob_sizes.lbs_superblock);
> -     lsm_set_blob_size(&blobs->lbs_task, &blob_sizes.lbs_task);
> -     lsm_set_blob_size(&blobs->lbs_tun_dev, &blob_sizes.lbs_tun_dev);
> -     lsm_set_blob_size(&blobs->lbs_xattr_count,
> -                       &blob_sizes.lbs_xattr_count);
> -     lsm_set_blob_size(&blobs->lbs_bdev, &blob_sizes.lbs_bdev);
> +     lsm_blob_size_update(&blobs->lbs_inode, &blob_sizes.lbs_inode);
> +     lsm_blob_size_update(&blobs->lbs_ipc, &blob_sizes.lbs_ipc);
> +     lsm_blob_size_update(&blobs->lbs_key, &blob_sizes.lbs_key);
> +     lsm_blob_size_update(&blobs->lbs_msg_msg, &blob_sizes.lbs_msg_msg);
> +     lsm_blob_size_update(&blobs->lbs_perf_event,
> +                          &blob_sizes.lbs_perf_event);
> +     lsm_blob_size_update(&blobs->lbs_sock, &blob_sizes.lbs_sock);
> +     lsm_blob_size_update(&blobs->lbs_superblock,
> +                          &blob_sizes.lbs_superblock);
> +     lsm_blob_size_update(&blobs->lbs_task, &blob_sizes.lbs_task);
> +     lsm_blob_size_update(&blobs->lbs_tun_dev, &blob_sizes.lbs_tun_dev);
> +     lsm_blob_size_update(&blobs->lbs_xattr_count,
> +                          &blob_sizes.lbs_xattr_count);
> +     lsm_blob_size_update(&blobs->lbs_bdev, &blob_sizes.lbs_bdev);
>  }
>  
>  /* Initialize a given LSM, if it is enabled. */
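Review bot: The added `blobs = lsm->blobs;` sits after the early `return;`, and lsm_prepare() begins above this hunk, so what that guard tests is not visible here. If `blobs` is already initialised at its declaration and the guard is a NULL check on it, the new assignment is redundant and can be dropped. If it is not initialised there, the guard would have to be testing `lsm->blobs` directly, and the pointer would then be read in two places. Either way I would keep a single initialisation, e.g. `struct lsm_blob_sizes *blobs = lsm->blobs;` at the declaration, so the NULL check and the uses below clearly refer to the same value.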
