Linux Security Module listsecurity (and security xattr hooks) only one called?

Pasquier, Thomas tfjmp at g.harvard.edu
Mon Sep 5 11:20:57 EDT 2016


In security/security.c (see here:
https://github.com/torvalds/linux/blob/835c92d43b29eb354abdbd5475308a474d7efdfa/security/security.c)

Looking at this:

int security_inode_listsecurity(struct inode *inode, char *buffer, size_t buffer_size)
{
    if (unlikely(IS_PRIVATE(inode)))
        return 0;
    return call_int_hook(inode_listsecurity, 0, inode, buffer, buffer_size);
}

One would expect all stacked security modules to be called. However, when
looking at this:

#define call_int_hook(FUNC, IRC, ...) ({            \
    int RC = IRC;                       \
    do {                            \
        struct security_hook_list *P;           \
                                \
        list_for_each_entry(P, &security_hook_heads.FUNC, list) { \
            RC = P->hook.FUNC(__VA_ARGS__);     \
            if (RC != 0)                \
                break;              \
        }                       \
    } while (0);                        \
    RC;                         \
})

If one of the modules returns a non-zero value, the others are not called.
That means that the list of security xattrs is not built (or rather that
it only contains the first module being called), as the length of the inserted
element is returned. Similarly for setsecurity and getsecurity, it seems
that only one module will be called, as if the given module does not support
the security xattr, it returns -EOPNOTSUPP (instead I believe the next
module being called, until one supporting the attribute is met).

What is the rationale here? I could change the code to support multiple
security xattr, but don't want to do so before I understand why it was done
like this. Any help is welcome.
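
The short-circuit described in this message can be reproduced in user space. The following is an added example, not part of the original post and not kernel code; the modules mod_a, mod_b and mod_none, the attribute names, and the helpers emit_name, call_int_hook_model and run_stack are hypothetical.

```c
#include <errno.h>
#include <stddef.h>
#include <string.h>

/* User-space model of the call_int_hook() loop; module names are made up. */
typedef int (*hook_t)(char *buffer, size_t buffer_size);
static int calls_a, calls_b, calls_none;
/* Copy one xattr name (with NUL) and return its length. */
static int emit_name(const char *name, char *buffer, size_t buffer_size)
{
    size_t len = strlen(name) + 1;
    if (buffer && len <= buffer_size)
        memcpy(buffer, name, len);
    return (int)len;
}
static int mod_a(char *b, size_t n) { calls_a++; return emit_name("security.mod_a", b, n); }
static int mod_b(char *b, size_t n) { calls_b++; return emit_name("security.mod_b", b, n); }
/* Hypothetical module that does not handle the attribute. */
static int mod_none(char *b, size_t n) { (void)b; (void)n; calls_none++; return -EOPNOTSUPP; }

/* Same control flow as the macro: stop at the first non-zero return. */
static int call_int_hook_model(hook_t *hooks, size_t nhooks, int irc,
                               char *buffer, size_t buffer_size)
{
    int rc = irc;
    for (size_t i = 0; i < nhooks; i++) {
        rc = hooks[i](buffer, buffer_size);
        if (rc != 0)
            break;
    }
    return rc;
}

/* Run a two-module stack with fresh call counters. */
static int run_stack(hook_t first, hook_t second, char *buffer, size_t buffer_size)
{
    hook_t stack[] = { first, second };
    calls_a = calls_b = calls_none = 0;
    return call_int_hook_model(stack, 2, 0, buffer, buffer_size);
}

int main(void)
{
    char buf[64] = {0};
    /* Case 1: only mod_a is listed. Case 2: -EOPNOTSUPP hides mod_b. */
    int ok = run_stack(mod_a, mod_b, buf, sizeof buf) == 15 && calls_b == 0;
    ok = ok && run_stack(mod_none, mod_b, buf, sizeof buf) == -EOPNOTSUPP && calls_b == 0;
    return ok ? 0 : 1;
}
```

In both runs the second module's hook is never invoked: the first because a positive length counts as non-zero, the second because -EOPNOTSUPP does.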