security: Constify sk in the sk_getsecid hook.

The sk_getsecid hook shouldn't need to modify its socket argument.
Make it const so that callers of security_sk_classify_flow() can use a
const struct sock *.

Signed-off-by: Guillaume Nault <gnault@redhat.com>
Reviewed-by: Simon Horman <simon.horman@corigine.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
This commit is contained in:
Guillaume Nault 2023-07-11 15:06:08 +02:00 committed by David S. Miller
parent def3833fc6
commit 5b52ad34f9
4 changed files with 7 additions and 6 deletions

View File

@ -316,7 +316,7 @@ LSM_HOOK(int, 0, sk_alloc_security, struct sock *sk, int family, gfp_t priority)
LSM_HOOK(void, LSM_RET_VOID, sk_free_security, struct sock *sk) LSM_HOOK(void, LSM_RET_VOID, sk_free_security, struct sock *sk)
LSM_HOOK(void, LSM_RET_VOID, sk_clone_security, const struct sock *sk, LSM_HOOK(void, LSM_RET_VOID, sk_clone_security, const struct sock *sk,
struct sock *newsk) struct sock *newsk)
LSM_HOOK(void, LSM_RET_VOID, sk_getsecid, struct sock *sk, u32 *secid) LSM_HOOK(void, LSM_RET_VOID, sk_getsecid, const struct sock *sk, u32 *secid)
LSM_HOOK(void, LSM_RET_VOID, sock_graft, struct sock *sk, struct socket *parent) LSM_HOOK(void, LSM_RET_VOID, sock_graft, struct sock *sk, struct socket *parent)
LSM_HOOK(int, 0, inet_conn_request, const struct sock *sk, struct sk_buff *skb, LSM_HOOK(int, 0, inet_conn_request, const struct sock *sk, struct sk_buff *skb,
struct request_sock *req) struct request_sock *req)

View File

@ -1439,7 +1439,8 @@ int security_socket_getpeersec_dgram(struct socket *sock, struct sk_buff *skb, u
int security_sk_alloc(struct sock *sk, int family, gfp_t priority); int security_sk_alloc(struct sock *sk, int family, gfp_t priority);
void security_sk_free(struct sock *sk); void security_sk_free(struct sock *sk);
void security_sk_clone(const struct sock *sk, struct sock *newsk); void security_sk_clone(const struct sock *sk, struct sock *newsk);
void security_sk_classify_flow(struct sock *sk, struct flowi_common *flic); void security_sk_classify_flow(const struct sock *sk,
struct flowi_common *flic);
void security_req_classify_flow(const struct request_sock *req, void security_req_classify_flow(const struct request_sock *req,
struct flowi_common *flic); struct flowi_common *flic);
void security_sock_graft(struct sock*sk, struct socket *parent); void security_sock_graft(struct sock*sk, struct socket *parent);
@ -1597,7 +1598,7 @@ static inline void security_sk_clone(const struct sock *sk, struct sock *newsk)
{ {
} }
static inline void security_sk_classify_flow(struct sock *sk, static inline void security_sk_classify_flow(const struct sock *sk,
struct flowi_common *flic) struct flowi_common *flic)
{ {
} }

View File

@ -4396,7 +4396,7 @@ void security_sk_clone(const struct sock *sk, struct sock *newsk)
} }
EXPORT_SYMBOL(security_sk_clone); EXPORT_SYMBOL(security_sk_clone);
void security_sk_classify_flow(struct sock *sk, struct flowi_common *flic) void security_sk_classify_flow(const struct sock *sk, struct flowi_common *flic)
{ {
call_void_hook(sk_getsecid, sk, &flic->flowic_secid); call_void_hook(sk_getsecid, sk, &flic->flowic_secid);
} }

View File

@ -5167,12 +5167,12 @@ static void selinux_sk_clone_security(const struct sock *sk, struct sock *newsk)
selinux_netlbl_sk_security_reset(newsksec); selinux_netlbl_sk_security_reset(newsksec);
} }
static void selinux_sk_getsecid(struct sock *sk, u32 *secid) static void selinux_sk_getsecid(const struct sock *sk, u32 *secid)
{ {
if (!sk) if (!sk)
*secid = SECINITSID_ANY_SOCKET; *secid = SECINITSID_ANY_SOCKET;
else { else {
struct sk_security_struct *sksec = sk->sk_security; const struct sk_security_struct *sksec = sk->sk_security;
*secid = sksec->sid; *secid = sksec->sid;
} }