authorKarol Lewandowski <k.lewandowsk@samsung.com>2016-06-23 15:02:50 +0200
committerSeung-Woo Kim <sw0312.kim@samsung.com>2016-12-14 13:52:20 +0900
commit6d83e3d703f7464ccd12b78c5b3e9041be24ea8c (patch)
tree091ce555339a4dac9a7acfc14c618a27d338a478 /ipc
parentc170bbb6cff411fb98f5624bde8e227fa32fcdc5 (diff)
kdbus: Remove kdbus Linux Security Module hooks
This commit removes support for kdbus-LSM hooks as policy decisions are handled solely by userspace (libdbuspolicy library). This commit reverts the following commits: - 802de9506 ("lsm: smack: smack callbacks for kdbus security hooks") - f13b7e7bd ("kdbus: use LSM hooks in kdbus code") - 067afa709 ("lsm: smack: Make ipc/kdbus includes visible so smack callbacks could see them") - 442f047fd ("lsm: make security_file_receive available for external modules") - 3b556db4b ("lsm: kdbus security hooks") Change-Id: Iae90cdb9577a9e706288b28d70bd57574398276e Signed-off-by: Karol Lewandowski <k.lewandowsk@samsung.com> Signed-off-by: Seung-Woo Kim <sw0312.kim@samsung.com>
Diffstat (limited to 'ipc')
-rw-r--r--ipc/kdbus/connection.c25
-rw-r--r--ipc/kdbus/connection.h5
-rw-r--r--ipc/kdbus/names.c3
-rw-r--r--ipc/kdbus/queue.c30
4 files changed, 12 insertions, 51 deletions
diff --git a/ipc/kdbus/connection.c b/ipc/kdbus/connection.c
index 880007724bef..02a68724c2f2 100644
--- a/ipc/kdbus/connection.c
+++ b/ipc/kdbus/connection.c
@@ -31,7 +31,6 @@
#include <linux/slab.h>
#include <linux/syscalls.h>
#include <linux/uio.h>
-#include <linux/security.h>
#include "bus.h"
#include "connection.h"
@@ -54,7 +53,7 @@
#define KDBUS_CONN_ACTIVE_NEW (INT_MIN + 1)
/* Disable internal kdbus policy - possibilities of connections to own, see and
- * talk to names are restricted by libdbuspolicy library and LSM hooks
+ * talk to names are restricted by libdbuspolicy library
*/
#define DISABLE_KDBUS_POLICY
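Review bot: The comment above `DISABLE_KDBUS_POLICY` now names libdbuspolicy as the only restriction on own/see/talk, but it does not say where that library's decision is enforced. The comment says the internal policy is disabled, and the later hunks in this file remove the `security_kdbus_*` hooks, which would leave the userspace library as the only gate. If enforcement depends on clients calling into the library, that is a trust assumption worth recording (this is inferred, since the library is not part of the diff). I would extend the comment with a line such as `* NOTE: the LSM hooks are gone; enforcement relies on libdbuspolicy in <component>`, filling in whichever component actually performs the check.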
@@ -228,10 +227,6 @@ static struct kdbus_conn *kdbus_conn_new(struct kdbus_ep *ep, bool privileged,
}
}
- ret = security_kdbus_conn_alloc(conn);
- if (ret)
- goto exit_unref;
-
if (atomic_inc_return(&conn->user->connections) > KDBUS_USER_MAX_CONN) {
/* decremented by destructor as conn->user is valid */
ret = -EMFILE;
@@ -286,7 +281,6 @@ static void __kdbus_conn_free(struct kref *kref)
kdbus_pool_free(conn->pool);
kdbus_ep_unref(conn->ep);
put_cred(conn->cred);
- security_kdbus_conn_free(conn);
kfree(conn->description);
kfree(conn->quota);
kfree(conn);
@@ -1126,10 +1120,6 @@ static int kdbus_conn_reply(struct kdbus_conn *src, struct kdbus_kmsg *kmsg)
if (ret < 0)
goto exit;
- ret = security_kdbus_talk(src, dst);
- if (ret)
- goto exit;
-
mutex_lock(&dst->lock);
reply = kdbus_reply_find(src, dst, kmsg->msg.cookie_reply);
if (reply) {
@@ -1219,12 +1209,8 @@ static struct kdbus_reply *kdbus_conn_call(struct kdbus_conn *src,
if (ret < 0)
goto exit;
- ret = security_kdbus_talk(src, dst);
- if (ret)
- goto exit;
-
/* Disable internal kdbus policy - possibilities of connections to own,
- * see and talk to well-known names are restricted by LSM hooks
+ * see and talk to well-known names are restricted by libdbuspolicy
if (!kdbus_conn_policy_talk(src, current_cred(), dst)) {
ret = -EPERM;
goto exit;
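Review bot: The `kdbus_conn_policy_talk()` check in kdbus_conn_call stays inside the comment here, with only the wording changed from "LSM hooks" to "libdbuspolicy". The last kdbus_conn_unicast hunk and the kdbus_name_acquire hunk in names.c instead delete the same comment markers and turn `kdbus_conn_policy_talk()` / `kdbus_conn_policy_own_name()` back into live code. With `security_kdbus_talk(src, dst)` removed just above, this hunk leaves no kernel-side talk check in this function, unlike the unicast path. The three sites should be treated the same way: either drop the `/* ... */` wrapper here as well, or keep all three disabled and explain why in the commit message. Whether the re-enabled calls enforce anything depends on how `DISABLE_KDBUS_POLICY` is consumed, which is outside these hunks, as is the closing `*/` of this comment.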
@@ -1296,10 +1282,6 @@ static int kdbus_conn_unicast(struct kdbus_conn *src, struct kdbus_kmsg *kmsg)
if (ret < 0)
goto exit;
- ret = security_kdbus_talk(src, dst);
- if (ret)
- goto exit;
-
if (is_signal) {
/* like broadcasts we eavesdrop even if the msg is dropped */
kdbus_bus_eavesdrop(bus, src, kmsg);
@@ -1308,12 +1290,9 @@ static int kdbus_conn_unicast(struct kdbus_conn *src, struct kdbus_kmsg *kmsg)
if (!kdbus_match_db_match_kmsg(dst->match_db, src, kmsg) ||
!kdbus_conn_policy_talk(dst, NULL, src))
goto exit;
- /* Disable internal kdbus policy - possibilities of connections to own,
- * see and talk to well-known names are restricted by LSM hooks
} else if (!kdbus_conn_policy_talk(src, current_cred(), dst)) {
ret = -EPERM;
goto exit;
- */
} else if (kmsg->msg.flags & KDBUS_MSG_EXPECT_REPLY) {
wait = kdbus_reply_new(dst, src, &kmsg->msg, name, false);
if (IS_ERR(wait)) {
diff --git a/ipc/kdbus/connection.h b/ipc/kdbus/connection.h
index 4a5c1205b6d3..d1ffe909cb31 100644
--- a/ipc/kdbus/connection.h
+++ b/ipc/kdbus/connection.h
@@ -73,7 +73,6 @@ struct kdbus_kmsg;
* @names_queue_list: Well-known names this connection waits for
* @privileged: Whether this connection is privileged on the bus
* @faked_meta: Whether the metadata was faked on HELLO
- * @security: LSM security blob
*/
struct kdbus_conn {
struct kref kref;
@@ -114,10 +113,6 @@ struct kdbus_conn {
bool privileged:1;
bool faked_meta:1;
-
-#ifdef CONFIG_SECURITY
- void *security;
-#endif
};
struct kdbus_conn *kdbus_conn_ref(struct kdbus_conn *conn);
diff --git a/ipc/kdbus/names.c b/ipc/kdbus/names.c
index 90e0c016f66e..df99e4df815b 100644
--- a/ipc/kdbus/names.c
+++ b/ipc/kdbus/names.c
@@ -290,13 +290,10 @@ int kdbus_name_acquire(struct kdbus_name_registry *reg,
down_write(&reg->rwlock);
- /* Disable internal kdbus policy - possibilities of connections to own,
- * see and talk to well-known names are restricted by LSM hooks
if (!kdbus_conn_policy_own_name(conn, current_cred(), name)) {
ret = -EPERM;
goto exit_unlock;
}
- */
hash = kdbus_strhash(name);
e = kdbus_name_find(reg, hash, name);
diff --git a/ipc/kdbus/queue.c b/ipc/kdbus/queue.c
index e04aee6786fc..a449464a3975 100644
--- a/ipc/kdbus/queue.c
+++ b/ipc/kdbus/queue.c
@@ -28,7 +28,6 @@
#include <linux/slab.h>
#include <linux/syscalls.h>
#include <linux/uio.h>
-#include <linux/security.h>
#include "util.h"
#include "domain.h"
@@ -515,17 +514,12 @@ int kdbus_queue_entry_install(struct kdbus_queue_entry *entry,
for (i = 0; i < res->fds_count; i++) {
if (install_fds) {
- if (security_file_receive(res->fds[i])) {
- fds[i] = -1;
+ fds[i] = get_unused_fd_flags(O_CLOEXEC);
+ if (fds[i] >= 0)
+ fd_install(fds[i],
+ get_file(res->fds[i]));
+ else
incomplete_fds = true;
- } else {
- fds[i] = get_unused_fd_flags(O_CLOEXEC);
- if (fds[i] >= 0)
- fd_install(fds[i],
- get_file(res->fds[i]));
- else
- incomplete_fds = true;
- }
} else {
fds[i] = -1;
}
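Review bot: Dropping `security_file_receive(res->fds[i])` means every passed file is installed into the receiver's fd table with no LSM mediation, and the memfd hunk below does the same for `d->memfd.file`. Unlike the name/talk policy, this was a per-file decision made in the kernel at install time, and the diff does not show how a userspace policy library could stand in for it. Please state in the commit message or in a comment at this loop why unmediated fd passing is acceptable on this platform. Separately, when `get_unused_fd_flags()` fails the slot keeps the negative errno, whereas the memfd path stores -1; `else { fds[i] = -1; incomplete_fds = true; }` would keep the value handed back consistent. The body of kdbus_queue_entry_install starts and ends outside this hunk.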
@@ -563,17 +557,13 @@ int kdbus_queue_entry_install(struct kdbus_queue_entry *entry,
m.fd = -1;
if (install_fds) {
- if (security_file_receive(d->memfd.file)) {
+ m.fd = get_unused_fd_flags(O_CLOEXEC);
+ if (m.fd < 0) {
+ m.fd = -1;
incomplete_fds = true;
} else {
- m.fd = get_unused_fd_flags(O_CLOEXEC);
- if (m.fd < 0) {
- m.fd = -1;
- incomplete_fds = true;
- } else {
- fd_install(m.fd,
- get_file(d->memfd.file));
- }
+ fd_install(m.fd,
+ get_file(d->memfd.file));
}
}