Merge branch 'smack-for-3.18' of git://git.gitorious.org/smack-next/kernel into next
This commit is contained in:
commit
6f98e89288
@ -12,3 +12,19 @@ config SECURITY_SMACK
|
|||||||
of other mandatory security schemes.
|
of other mandatory security schemes.
|
||||||
If you are unsure how to answer this question, answer N.
|
If you are unsure how to answer this question, answer N.
|
||||||
|
|
||||||
|
config SECURITY_SMACK_BRINGUP
|
||||||
|
bool "Reporting on access granted by Smack rules"
|
||||||
|
depends on SECURITY_SMACK
|
||||||
|
default n
|
||||||
|
help
|
||||||
|
Enable the bring-up ("b") access mode in Smack rules.
|
||||||
|
When access is granted by a rule with the "b" mode a
|
||||||
|
message about the access requested is generated. The
|
||||||
|
intention is that a process can be granted a wide set
|
||||||
|
of access initially with the bringup mode set on the
|
||||||
|
rules. The developer can use the information to
|
||||||
|
identify which rules are necessary and what accesses
|
||||||
|
may be inappropriate. The developer can reduce the
|
||||||
|
access rule set once the behavior is well understood.
|
||||||
|
This is a superior mechanism to the oft abused
|
||||||
|
"permissive" mode of other systems.
|
||||||
|
@ -71,11 +71,11 @@ struct smack_known {
|
|||||||
#define SMK_CIPSOLEN 24
|
#define SMK_CIPSOLEN 24
|
||||||
|
|
||||||
struct superblock_smack {
|
struct superblock_smack {
|
||||||
char *smk_root;
|
struct smack_known *smk_root;
|
||||||
char *smk_floor;
|
struct smack_known *smk_floor;
|
||||||
char *smk_hat;
|
struct smack_known *smk_hat;
|
||||||
char *smk_default;
|
struct smack_known *smk_default;
|
||||||
int smk_initialized;
|
int smk_initialized;
|
||||||
};
|
};
|
||||||
|
|
||||||
struct socket_smack {
|
struct socket_smack {
|
||||||
@ -88,7 +88,7 @@ struct socket_smack {
|
|||||||
* Inode smack data
|
* Inode smack data
|
||||||
*/
|
*/
|
||||||
struct inode_smack {
|
struct inode_smack {
|
||||||
char *smk_inode; /* label of the fso */
|
struct smack_known *smk_inode; /* label of the fso */
|
||||||
struct smack_known *smk_task; /* label of the task */
|
struct smack_known *smk_task; /* label of the task */
|
||||||
struct smack_known *smk_mmap; /* label of the mmap domain */
|
struct smack_known *smk_mmap; /* label of the mmap domain */
|
||||||
struct mutex smk_lock; /* initialization lock */
|
struct mutex smk_lock; /* initialization lock */
|
||||||
@ -112,7 +112,7 @@ struct task_smack {
|
|||||||
struct smack_rule {
|
struct smack_rule {
|
||||||
struct list_head list;
|
struct list_head list;
|
||||||
struct smack_known *smk_subject;
|
struct smack_known *smk_subject;
|
||||||
char *smk_object;
|
struct smack_known *smk_object;
|
||||||
int smk_access;
|
int smk_access;
|
||||||
};
|
};
|
||||||
|
|
||||||
@ -123,7 +123,7 @@ struct smk_netlbladdr {
|
|||||||
struct list_head list;
|
struct list_head list;
|
||||||
struct sockaddr_in smk_host; /* network address */
|
struct sockaddr_in smk_host; /* network address */
|
||||||
struct in_addr smk_mask; /* network mask */
|
struct in_addr smk_mask; /* network mask */
|
||||||
char *smk_label; /* label */
|
struct smack_known *smk_label; /* label */
|
||||||
};
|
};
|
||||||
|
|
||||||
/*
|
/*
|
||||||
@ -191,6 +191,7 @@ struct smk_port_label {
|
|||||||
*/
|
*/
|
||||||
#define MAY_TRANSMUTE 0x00001000 /* Controls directory labeling */
|
#define MAY_TRANSMUTE 0x00001000 /* Controls directory labeling */
|
||||||
#define MAY_LOCK 0x00002000 /* Locks should be writes, but ... */
|
#define MAY_LOCK 0x00002000 /* Locks should be writes, but ... */
|
||||||
|
#define MAY_BRINGUP 0x00004000 /* Report use of this rule */
|
||||||
|
|
||||||
/*
|
/*
|
||||||
* Just to make the common cases easier to deal with
|
* Just to make the common cases easier to deal with
|
||||||
@ -200,9 +201,9 @@ struct smk_port_label {
|
|||||||
#define MAY_NOT 0
|
#define MAY_NOT 0
|
||||||
|
|
||||||
/*
|
/*
|
||||||
* Number of access types used by Smack (rwxatl)
|
* Number of access types used by Smack (rwxatlb)
|
||||||
*/
|
*/
|
||||||
#define SMK_NUM_ACCESS_TYPE 6
|
#define SMK_NUM_ACCESS_TYPE 7
|
||||||
|
|
||||||
/* SMACK data */
|
/* SMACK data */
|
||||||
struct smack_audit_data {
|
struct smack_audit_data {
|
||||||
@ -226,23 +227,23 @@ struct smk_audit_info {
|
|||||||
/*
|
/*
|
||||||
* These functions are in smack_lsm.c
|
* These functions are in smack_lsm.c
|
||||||
*/
|
*/
|
||||||
struct inode_smack *new_inode_smack(char *);
|
struct inode_smack *new_inode_smack(struct smack_known *);
|
||||||
|
|
||||||
/*
|
/*
|
||||||
* These functions are in smack_access.c
|
* These functions are in smack_access.c
|
||||||
*/
|
*/
|
||||||
int smk_access_entry(char *, char *, struct list_head *);
|
int smk_access_entry(char *, char *, struct list_head *);
|
||||||
int smk_access(struct smack_known *, char *, int, struct smk_audit_info *);
|
int smk_access(struct smack_known *, struct smack_known *,
|
||||||
int smk_tskacc(struct task_smack *, char *, u32, struct smk_audit_info *);
|
int, struct smk_audit_info *);
|
||||||
int smk_curacc(char *, u32, struct smk_audit_info *);
|
int smk_tskacc(struct task_smack *, struct smack_known *,
|
||||||
|
u32, struct smk_audit_info *);
|
||||||
|
int smk_curacc(struct smack_known *, u32, struct smk_audit_info *);
|
||||||
struct smack_known *smack_from_secid(const u32);
|
struct smack_known *smack_from_secid(const u32);
|
||||||
char *smk_parse_smack(const char *string, int len);
|
char *smk_parse_smack(const char *string, int len);
|
||||||
int smk_netlbl_mls(int, char *, struct netlbl_lsm_secattr *, int);
|
int smk_netlbl_mls(int, char *, struct netlbl_lsm_secattr *, int);
|
||||||
char *smk_import(const char *, int);
|
|
||||||
struct smack_known *smk_import_entry(const char *, int);
|
struct smack_known *smk_import_entry(const char *, int);
|
||||||
void smk_insert_entry(struct smack_known *skp);
|
void smk_insert_entry(struct smack_known *skp);
|
||||||
struct smack_known *smk_find_entry(const char *);
|
struct smack_known *smk_find_entry(const char *);
|
||||||
u32 smack_to_secid(const char *);
|
|
||||||
|
|
||||||
/*
|
/*
|
||||||
* Shared data.
|
* Shared data.
|
||||||
@ -252,7 +253,7 @@ extern int smack_cipso_mapped;
|
|||||||
extern struct smack_known *smack_net_ambient;
|
extern struct smack_known *smack_net_ambient;
|
||||||
extern struct smack_known *smack_onlycap;
|
extern struct smack_known *smack_onlycap;
|
||||||
extern struct smack_known *smack_syslog_label;
|
extern struct smack_known *smack_syslog_label;
|
||||||
extern const char *smack_cipso_option;
|
extern struct smack_known smack_cipso_option;
|
||||||
extern int smack_ptrace_rule;
|
extern int smack_ptrace_rule;
|
||||||
|
|
||||||
extern struct smack_known smack_known_floor;
|
extern struct smack_known smack_known_floor;
|
||||||
@ -281,9 +282,9 @@ static inline int smk_inode_transmutable(const struct inode *isp)
|
|||||||
}
|
}
|
||||||
|
|
||||||
/*
|
/*
|
||||||
* Present a pointer to the smack label in an inode blob.
|
* Present a pointer to the smack label entry in an inode blob.
|
||||||
*/
|
*/
|
||||||
static inline char *smk_of_inode(const struct inode *isp)
|
static inline struct smack_known *smk_of_inode(const struct inode *isp)
|
||||||
{
|
{
|
||||||
struct inode_smack *sip = isp->i_security;
|
struct inode_smack *sip = isp->i_security;
|
||||||
return sip->smk_inode;
|
return sip->smk_inode;
|
||||||
|
@ -94,7 +94,7 @@ int smk_access_entry(char *subject_label, char *object_label,
|
|||||||
struct smack_rule *srp;
|
struct smack_rule *srp;
|
||||||
|
|
||||||
list_for_each_entry_rcu(srp, rule_list, list) {
|
list_for_each_entry_rcu(srp, rule_list, list) {
|
||||||
if (srp->smk_object == object_label &&
|
if (srp->smk_object->smk_known == object_label &&
|
||||||
srp->smk_subject->smk_known == subject_label) {
|
srp->smk_subject->smk_known == subject_label) {
|
||||||
may = srp->smk_access;
|
may = srp->smk_access;
|
||||||
break;
|
break;
|
||||||
@ -111,8 +111,8 @@ int smk_access_entry(char *subject_label, char *object_label,
|
|||||||
|
|
||||||
/**
|
/**
|
||||||
* smk_access - determine if a subject has a specific access to an object
|
* smk_access - determine if a subject has a specific access to an object
|
||||||
* @subject_known: a pointer to the subject's Smack label entry
|
* @subject: a pointer to the subject's Smack label entry
|
||||||
* @object_label: a pointer to the object's Smack label
|
* @object: a pointer to the object's Smack label entry
|
||||||
* @request: the access requested, in "MAY" format
|
* @request: the access requested, in "MAY" format
|
||||||
* @a : a pointer to the audit data
|
* @a : a pointer to the audit data
|
||||||
*
|
*
|
||||||
@ -122,8 +122,8 @@ int smk_access_entry(char *subject_label, char *object_label,
|
|||||||
*
|
*
|
||||||
* Smack labels are shared on smack_list
|
* Smack labels are shared on smack_list
|
||||||
*/
|
*/
|
||||||
int smk_access(struct smack_known *subject_known, char *object_label,
|
int smk_access(struct smack_known *subject, struct smack_known *object,
|
||||||
int request, struct smk_audit_info *a)
|
int request, struct smk_audit_info *a)
|
||||||
{
|
{
|
||||||
int may = MAY_NOT;
|
int may = MAY_NOT;
|
||||||
int rc = 0;
|
int rc = 0;
|
||||||
@ -133,7 +133,7 @@ int smk_access(struct smack_known *subject_known, char *object_label,
|
|||||||
*
|
*
|
||||||
* A star subject can't access any object.
|
* A star subject can't access any object.
|
||||||
*/
|
*/
|
||||||
if (subject_known == &smack_known_star) {
|
if (subject == &smack_known_star) {
|
||||||
rc = -EACCES;
|
rc = -EACCES;
|
||||||
goto out_audit;
|
goto out_audit;
|
||||||
}
|
}
|
||||||
@ -142,28 +142,28 @@ int smk_access(struct smack_known *subject_known, char *object_label,
|
|||||||
* Tasks cannot be assigned the internet label.
|
* Tasks cannot be assigned the internet label.
|
||||||
* An internet subject can access any object.
|
* An internet subject can access any object.
|
||||||
*/
|
*/
|
||||||
if (object_label == smack_known_web.smk_known ||
|
if (object == &smack_known_web ||
|
||||||
subject_known == &smack_known_web)
|
subject == &smack_known_web)
|
||||||
goto out_audit;
|
goto out_audit;
|
||||||
/*
|
/*
|
||||||
* A star object can be accessed by any subject.
|
* A star object can be accessed by any subject.
|
||||||
*/
|
*/
|
||||||
if (object_label == smack_known_star.smk_known)
|
if (object == &smack_known_star)
|
||||||
goto out_audit;
|
goto out_audit;
|
||||||
/*
|
/*
|
||||||
* An object can be accessed in any way by a subject
|
* An object can be accessed in any way by a subject
|
||||||
* with the same label.
|
* with the same label.
|
||||||
*/
|
*/
|
||||||
if (subject_known->smk_known == object_label)
|
if (subject->smk_known == object->smk_known)
|
||||||
goto out_audit;
|
goto out_audit;
|
||||||
/*
|
/*
|
||||||
* A hat subject can read any object.
|
* A hat subject can read any object.
|
||||||
* A floor object can be read by any subject.
|
* A floor object can be read by any subject.
|
||||||
*/
|
*/
|
||||||
if ((request & MAY_ANYREAD) == request) {
|
if ((request & MAY_ANYREAD) == request) {
|
||||||
if (object_label == smack_known_floor.smk_known)
|
if (object == &smack_known_floor)
|
||||||
goto out_audit;
|
goto out_audit;
|
||||||
if (subject_known == &smack_known_hat)
|
if (subject == &smack_known_hat)
|
||||||
goto out_audit;
|
goto out_audit;
|
||||||
}
|
}
|
||||||
/*
|
/*
|
||||||
@ -174,27 +174,38 @@ int smk_access(struct smack_known *subject_known, char *object_label,
|
|||||||
* indicates there is no entry for this pair.
|
* indicates there is no entry for this pair.
|
||||||
*/
|
*/
|
||||||
rcu_read_lock();
|
rcu_read_lock();
|
||||||
may = smk_access_entry(subject_known->smk_known, object_label,
|
may = smk_access_entry(subject->smk_known, object->smk_known,
|
||||||
&subject_known->smk_rules);
|
&subject->smk_rules);
|
||||||
rcu_read_unlock();
|
rcu_read_unlock();
|
||||||
|
|
||||||
if (may > 0 && (request & may) == request)
|
if (may <= 0 || (request & may) != request) {
|
||||||
|
rc = -EACCES;
|
||||||
goto out_audit;
|
goto out_audit;
|
||||||
|
}
|
||||||
|
#ifdef CONFIG_SECURITY_SMACK_BRINGUP
|
||||||
|
/*
|
||||||
|
* Return a positive value if using bringup mode.
|
||||||
|
* This allows the hooks to identify checks that
|
||||||
|
* succeed because of "b" rules.
|
||||||
|
*/
|
||||||
|
if (may & MAY_BRINGUP)
|
||||||
|
rc = MAY_BRINGUP;
|
||||||
|
#endif
|
||||||
|
|
||||||
rc = -EACCES;
|
|
||||||
out_audit:
|
out_audit:
|
||||||
#ifdef CONFIG_AUDIT
|
#ifdef CONFIG_AUDIT
|
||||||
if (a)
|
if (a)
|
||||||
smack_log(subject_known->smk_known, object_label, request,
|
smack_log(subject->smk_known, object->smk_known,
|
||||||
rc, a);
|
request, rc, a);
|
||||||
#endif
|
#endif
|
||||||
|
|
||||||
return rc;
|
return rc;
|
||||||
}
|
}
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* smk_tskacc - determine if a task has a specific access to an object
|
* smk_tskacc - determine if a task has a specific access to an object
|
||||||
* @tsp: a pointer to the subject task
|
* @tsp: a pointer to the subject's task
|
||||||
* @obj_label: a pointer to the object's Smack label
|
* @obj_known: a pointer to the object's label entry
|
||||||
* @mode: the access requested, in "MAY" format
|
* @mode: the access requested, in "MAY" format
|
||||||
* @a : common audit data
|
* @a : common audit data
|
||||||
*
|
*
|
||||||
@ -203,24 +214,25 @@ out_audit:
|
|||||||
* non zero otherwise. It allows that the task may have the capability
|
* non zero otherwise. It allows that the task may have the capability
|
||||||
* to override the rules.
|
* to override the rules.
|
||||||
*/
|
*/
|
||||||
int smk_tskacc(struct task_smack *subject, char *obj_label,
|
int smk_tskacc(struct task_smack *tsp, struct smack_known *obj_known,
|
||||||
u32 mode, struct smk_audit_info *a)
|
u32 mode, struct smk_audit_info *a)
|
||||||
{
|
{
|
||||||
struct smack_known *skp = smk_of_task(subject);
|
struct smack_known *sbj_known = smk_of_task(tsp);
|
||||||
int may;
|
int may;
|
||||||
int rc;
|
int rc;
|
||||||
|
|
||||||
/*
|
/*
|
||||||
* Check the global rule list
|
* Check the global rule list
|
||||||
*/
|
*/
|
||||||
rc = smk_access(skp, obj_label, mode, NULL);
|
rc = smk_access(sbj_known, obj_known, mode, NULL);
|
||||||
if (rc == 0) {
|
if (rc >= 0) {
|
||||||
/*
|
/*
|
||||||
* If there is an entry in the task's rule list
|
* If there is an entry in the task's rule list
|
||||||
* it can further restrict access.
|
* it can further restrict access.
|
||||||
*/
|
*/
|
||||||
may = smk_access_entry(skp->smk_known, obj_label,
|
may = smk_access_entry(sbj_known->smk_known,
|
||||||
&subject->smk_rules);
|
obj_known->smk_known,
|
||||||
|
&tsp->smk_rules);
|
||||||
if (may < 0)
|
if (may < 0)
|
||||||
goto out_audit;
|
goto out_audit;
|
||||||
if ((mode & may) == mode)
|
if ((mode & may) == mode)
|
||||||
@ -237,14 +249,15 @@ int smk_tskacc(struct task_smack *subject, char *obj_label,
|
|||||||
out_audit:
|
out_audit:
|
||||||
#ifdef CONFIG_AUDIT
|
#ifdef CONFIG_AUDIT
|
||||||
if (a)
|
if (a)
|
||||||
smack_log(skp->smk_known, obj_label, mode, rc, a);
|
smack_log(sbj_known->smk_known, obj_known->smk_known,
|
||||||
|
mode, rc, a);
|
||||||
#endif
|
#endif
|
||||||
return rc;
|
return rc;
|
||||||
}
|
}
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* smk_curacc - determine if current has a specific access to an object
|
* smk_curacc - determine if current has a specific access to an object
|
||||||
* @obj_label: a pointer to the object's Smack label
|
* @obj_known: a pointer to the object's Smack label entry
|
||||||
* @mode: the access requested, in "MAY" format
|
* @mode: the access requested, in "MAY" format
|
||||||
* @a : common audit data
|
* @a : common audit data
|
||||||
*
|
*
|
||||||
@ -253,11 +266,12 @@ out_audit:
|
|||||||
* non zero otherwise. It allows that current may have the capability
|
* non zero otherwise. It allows that current may have the capability
|
||||||
* to override the rules.
|
* to override the rules.
|
||||||
*/
|
*/
|
||||||
int smk_curacc(char *obj_label, u32 mode, struct smk_audit_info *a)
|
int smk_curacc(struct smack_known *obj_known,
|
||||||
|
u32 mode, struct smk_audit_info *a)
|
||||||
{
|
{
|
||||||
struct task_smack *tsp = current_security();
|
struct task_smack *tsp = current_security();
|
||||||
|
|
||||||
return smk_tskacc(tsp, obj_label, mode, a);
|
return smk_tskacc(tsp, obj_known, mode, a);
|
||||||
}
|
}
|
||||||
|
|
||||||
#ifdef CONFIG_AUDIT
|
#ifdef CONFIG_AUDIT
|
||||||
@ -328,6 +342,13 @@ void smack_log(char *subject_label, char *object_label, int request,
|
|||||||
struct smack_audit_data *sad;
|
struct smack_audit_data *sad;
|
||||||
struct common_audit_data *a = &ad->a;
|
struct common_audit_data *a = &ad->a;
|
||||||
|
|
||||||
|
#ifdef CONFIG_SECURITY_SMACK_BRINGUP
|
||||||
|
/*
|
||||||
|
* The result may be positive in bringup mode.
|
||||||
|
*/
|
||||||
|
if (result > 0)
|
||||||
|
result = 0;
|
||||||
|
#endif
|
||||||
/* check if we have to log the current event */
|
/* check if we have to log the current event */
|
||||||
if (result != 0 && (log_policy & SMACK_AUDIT_DENIED) == 0)
|
if (result != 0 && (log_policy & SMACK_AUDIT_DENIED) == 0)
|
||||||
return;
|
return;
|
||||||
@ -543,27 +564,6 @@ unlockout:
|
|||||||
return skp;
|
return skp;
|
||||||
}
|
}
|
||||||
|
|
||||||
/**
|
|
||||||
* smk_import - import a smack label
|
|
||||||
* @string: a text string that might be a Smack label
|
|
||||||
* @len: the maximum size, or zero if it is NULL terminated.
|
|
||||||
*
|
|
||||||
* Returns a pointer to the label in the label list that
|
|
||||||
* matches the passed string, adding it if necessary.
|
|
||||||
*/
|
|
||||||
char *smk_import(const char *string, int len)
|
|
||||||
{
|
|
||||||
struct smack_known *skp;
|
|
||||||
|
|
||||||
/* labels cannot begin with a '-' */
|
|
||||||
if (string[0] == '-')
|
|
||||||
return NULL;
|
|
||||||
skp = smk_import_entry(string, len);
|
|
||||||
if (skp == NULL)
|
|
||||||
return NULL;
|
|
||||||
return skp->smk_known;
|
|
||||||
}
|
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* smack_from_secid - find the Smack label associated with a secid
|
* smack_from_secid - find the Smack label associated with a secid
|
||||||
* @secid: an integer that might be associated with a Smack label
|
* @secid: an integer that might be associated with a Smack label
|
||||||
@ -590,19 +590,3 @@ struct smack_known *smack_from_secid(const u32 secid)
|
|||||||
rcu_read_unlock();
|
rcu_read_unlock();
|
||||||
return &smack_known_invalid;
|
return &smack_known_invalid;
|
||||||
}
|
}
|
||||||
|
|
||||||
/**
|
|
||||||
* smack_to_secid - find the secid associated with a Smack label
|
|
||||||
* @smack: the Smack label
|
|
||||||
*
|
|
||||||
* Returns the appropriate secid if there is one,
|
|
||||||
* otherwise 0
|
|
||||||
*/
|
|
||||||
u32 smack_to_secid(const char *smack)
|
|
||||||
{
|
|
||||||
struct smack_known *skp = smk_find_entry(smack);
|
|
||||||
|
|
||||||
if (skp == NULL)
|
|
||||||
return 0;
|
|
||||||
return skp->smk_secid;
|
|
||||||
}
|
|
||||||
|
File diff suppressed because it is too large
Load Diff
@ -131,14 +131,17 @@ LIST_HEAD(smack_rule_list);
|
|||||||
|
|
||||||
struct smack_parsed_rule {
|
struct smack_parsed_rule {
|
||||||
struct smack_known *smk_subject;
|
struct smack_known *smk_subject;
|
||||||
char *smk_object;
|
struct smack_known *smk_object;
|
||||||
int smk_access1;
|
int smk_access1;
|
||||||
int smk_access2;
|
int smk_access2;
|
||||||
};
|
};
|
||||||
|
|
||||||
static int smk_cipso_doi_value = SMACK_CIPSO_DOI_DEFAULT;
|
static int smk_cipso_doi_value = SMACK_CIPSO_DOI_DEFAULT;
|
||||||
|
|
||||||
const char *smack_cipso_option = SMACK_CIPSO_OPTION;
|
struct smack_known smack_cipso_option = {
|
||||||
|
.smk_known = SMACK_CIPSO_OPTION,
|
||||||
|
.smk_secid = 0,
|
||||||
|
};
|
||||||
|
|
||||||
/*
|
/*
|
||||||
* Values for parsing cipso rules
|
* Values for parsing cipso rules
|
||||||
@ -304,6 +307,10 @@ static int smk_perm_from_str(const char *string)
|
|||||||
case 'L':
|
case 'L':
|
||||||
perm |= MAY_LOCK;
|
perm |= MAY_LOCK;
|
||||||
break;
|
break;
|
||||||
|
case 'b':
|
||||||
|
case 'B':
|
||||||
|
perm |= MAY_BRINGUP;
|
||||||
|
break;
|
||||||
default:
|
default:
|
||||||
return perm;
|
return perm;
|
||||||
}
|
}
|
||||||
@ -335,7 +342,7 @@ static int smk_fill_rule(const char *subject, const char *object,
|
|||||||
if (rule->smk_subject == NULL)
|
if (rule->smk_subject == NULL)
|
||||||
return -EINVAL;
|
return -EINVAL;
|
||||||
|
|
||||||
rule->smk_object = smk_import(object, len);
|
rule->smk_object = smk_import_entry(object, len);
|
||||||
if (rule->smk_object == NULL)
|
if (rule->smk_object == NULL)
|
||||||
return -EINVAL;
|
return -EINVAL;
|
||||||
} else {
|
} else {
|
||||||
@ -355,7 +362,7 @@ static int smk_fill_rule(const char *subject, const char *object,
|
|||||||
kfree(cp);
|
kfree(cp);
|
||||||
if (skp == NULL)
|
if (skp == NULL)
|
||||||
return -ENOENT;
|
return -ENOENT;
|
||||||
rule->smk_object = skp->smk_known;
|
rule->smk_object = skp;
|
||||||
}
|
}
|
||||||
|
|
||||||
rule->smk_access1 = smk_perm_from_str(access1);
|
rule->smk_access1 = smk_perm_from_str(access1);
|
||||||
@ -594,13 +601,15 @@ static void smk_rule_show(struct seq_file *s, struct smack_rule *srp, int max)
|
|||||||
* anything you read back.
|
* anything you read back.
|
||||||
*/
|
*/
|
||||||
if (strlen(srp->smk_subject->smk_known) >= max ||
|
if (strlen(srp->smk_subject->smk_known) >= max ||
|
||||||
strlen(srp->smk_object) >= max)
|
strlen(srp->smk_object->smk_known) >= max)
|
||||||
return;
|
return;
|
||||||
|
|
||||||
if (srp->smk_access == 0)
|
if (srp->smk_access == 0)
|
||||||
return;
|
return;
|
||||||
|
|
||||||
seq_printf(s, "%s %s", srp->smk_subject->smk_known, srp->smk_object);
|
seq_printf(s, "%s %s",
|
||||||
|
srp->smk_subject->smk_known,
|
||||||
|
srp->smk_object->smk_known);
|
||||||
|
|
||||||
seq_putc(s, ' ');
|
seq_putc(s, ' ');
|
||||||
|
|
||||||
@ -616,6 +625,8 @@ static void smk_rule_show(struct seq_file *s, struct smack_rule *srp, int max)
|
|||||||
seq_putc(s, 't');
|
seq_putc(s, 't');
|
||||||
if (srp->smk_access & MAY_LOCK)
|
if (srp->smk_access & MAY_LOCK)
|
||||||
seq_putc(s, 'l');
|
seq_putc(s, 'l');
|
||||||
|
if (srp->smk_access & MAY_BRINGUP)
|
||||||
|
seq_putc(s, 'b');
|
||||||
|
|
||||||
seq_putc(s, '\n');
|
seq_putc(s, '\n');
|
||||||
}
|
}
|
||||||
@ -1067,7 +1078,7 @@ static int netlbladdr_seq_show(struct seq_file *s, void *v)
|
|||||||
for (maskn = 0; temp_mask; temp_mask <<= 1, maskn++);
|
for (maskn = 0; temp_mask; temp_mask <<= 1, maskn++);
|
||||||
|
|
||||||
seq_printf(s, "%u.%u.%u.%u/%d %s\n",
|
seq_printf(s, "%u.%u.%u.%u/%d %s\n",
|
||||||
hp[0], hp[1], hp[2], hp[3], maskn, skp->smk_label);
|
hp[0], hp[1], hp[2], hp[3], maskn, skp->smk_label->smk_known);
|
||||||
|
|
||||||
return 0;
|
return 0;
|
||||||
}
|
}
|
||||||
@ -1147,10 +1158,10 @@ static void smk_netlbladdr_insert(struct smk_netlbladdr *new)
|
|||||||
static ssize_t smk_write_netlbladdr(struct file *file, const char __user *buf,
|
static ssize_t smk_write_netlbladdr(struct file *file, const char __user *buf,
|
||||||
size_t count, loff_t *ppos)
|
size_t count, loff_t *ppos)
|
||||||
{
|
{
|
||||||
struct smk_netlbladdr *skp;
|
struct smk_netlbladdr *snp;
|
||||||
struct sockaddr_in newname;
|
struct sockaddr_in newname;
|
||||||
char *smack;
|
char *smack;
|
||||||
char *sp;
|
struct smack_known *skp;
|
||||||
char *data;
|
char *data;
|
||||||
char *host = (char *)&newname.sin_addr.s_addr;
|
char *host = (char *)&newname.sin_addr.s_addr;
|
||||||
int rc;
|
int rc;
|
||||||
@ -1213,15 +1224,15 @@ static ssize_t smk_write_netlbladdr(struct file *file, const char __user *buf,
|
|||||||
* If smack begins with '-', it is an option, don't import it
|
* If smack begins with '-', it is an option, don't import it
|
||||||
*/
|
*/
|
||||||
if (smack[0] != '-') {
|
if (smack[0] != '-') {
|
||||||
sp = smk_import(smack, 0);
|
skp = smk_import_entry(smack, 0);
|
||||||
if (sp == NULL) {
|
if (skp == NULL) {
|
||||||
rc = -EINVAL;
|
rc = -EINVAL;
|
||||||
goto free_out;
|
goto free_out;
|
||||||
}
|
}
|
||||||
} else {
|
} else {
|
||||||
/* check known options */
|
/* check known options */
|
||||||
if (strcmp(smack, smack_cipso_option) == 0)
|
if (strcmp(smack, smack_cipso_option.smk_known) == 0)
|
||||||
sp = (char *)smack_cipso_option;
|
skp = &smack_cipso_option;
|
||||||
else {
|
else {
|
||||||
rc = -EINVAL;
|
rc = -EINVAL;
|
||||||
goto free_out;
|
goto free_out;
|
||||||
@ -1244,9 +1255,9 @@ static ssize_t smk_write_netlbladdr(struct file *file, const char __user *buf,
|
|||||||
nsa = newname.sin_addr.s_addr;
|
nsa = newname.sin_addr.s_addr;
|
||||||
/* try to find if the prefix is already in the list */
|
/* try to find if the prefix is already in the list */
|
||||||
found = 0;
|
found = 0;
|
||||||
list_for_each_entry_rcu(skp, &smk_netlbladdr_list, list) {
|
list_for_each_entry_rcu(snp, &smk_netlbladdr_list, list) {
|
||||||
if (skp->smk_host.sin_addr.s_addr == nsa &&
|
if (snp->smk_host.sin_addr.s_addr == nsa &&
|
||||||
skp->smk_mask.s_addr == mask.s_addr) {
|
snp->smk_mask.s_addr == mask.s_addr) {
|
||||||
found = 1;
|
found = 1;
|
||||||
break;
|
break;
|
||||||
}
|
}
|
||||||
@ -1254,26 +1265,26 @@ static ssize_t smk_write_netlbladdr(struct file *file, const char __user *buf,
|
|||||||
smk_netlabel_audit_set(&audit_info);
|
smk_netlabel_audit_set(&audit_info);
|
||||||
|
|
||||||
if (found == 0) {
|
if (found == 0) {
|
||||||
skp = kzalloc(sizeof(*skp), GFP_KERNEL);
|
snp = kzalloc(sizeof(*snp), GFP_KERNEL);
|
||||||
if (skp == NULL)
|
if (snp == NULL)
|
||||||
rc = -ENOMEM;
|
rc = -ENOMEM;
|
||||||
else {
|
else {
|
||||||
rc = 0;
|
rc = 0;
|
||||||
skp->smk_host.sin_addr.s_addr = newname.sin_addr.s_addr;
|
snp->smk_host.sin_addr.s_addr = newname.sin_addr.s_addr;
|
||||||
skp->smk_mask.s_addr = mask.s_addr;
|
snp->smk_mask.s_addr = mask.s_addr;
|
||||||
skp->smk_label = sp;
|
snp->smk_label = skp;
|
||||||
smk_netlbladdr_insert(skp);
|
smk_netlbladdr_insert(snp);
|
||||||
}
|
}
|
||||||
} else {
|
} else {
|
||||||
/* we delete the unlabeled entry, only if the previous label
|
/* we delete the unlabeled entry, only if the previous label
|
||||||
* wasn't the special CIPSO option */
|
* wasn't the special CIPSO option */
|
||||||
if (skp->smk_label != smack_cipso_option)
|
if (snp->smk_label != &smack_cipso_option)
|
||||||
rc = netlbl_cfg_unlbl_static_del(&init_net, NULL,
|
rc = netlbl_cfg_unlbl_static_del(&init_net, NULL,
|
||||||
&skp->smk_host.sin_addr, &skp->smk_mask,
|
&snp->smk_host.sin_addr, &snp->smk_mask,
|
||||||
PF_INET, &audit_info);
|
PF_INET, &audit_info);
|
||||||
else
|
else
|
||||||
rc = 0;
|
rc = 0;
|
||||||
skp->smk_label = sp;
|
snp->smk_label = skp;
|
||||||
}
|
}
|
||||||
|
|
||||||
/*
|
/*
|
||||||
@ -1281,10 +1292,10 @@ static ssize_t smk_write_netlbladdr(struct file *file, const char __user *buf,
|
|||||||
* this host so that incoming packets get labeled.
|
* this host so that incoming packets get labeled.
|
||||||
* but only if we didn't get the special CIPSO option
|
* but only if we didn't get the special CIPSO option
|
||||||
*/
|
*/
|
||||||
if (rc == 0 && sp != smack_cipso_option)
|
if (rc == 0 && skp != &smack_cipso_option)
|
||||||
rc = netlbl_cfg_unlbl_static_add(&init_net, NULL,
|
rc = netlbl_cfg_unlbl_static_add(&init_net, NULL,
|
||||||
&skp->smk_host.sin_addr, &skp->smk_mask, PF_INET,
|
&snp->smk_host.sin_addr, &snp->smk_mask, PF_INET,
|
||||||
smack_to_secid(skp->smk_label), &audit_info);
|
snp->smk_label->smk_secid, &audit_info);
|
||||||
|
|
||||||
if (rc == 0)
|
if (rc == 0)
|
||||||
rc = count;
|
rc = count;
|
||||||
@ -1677,7 +1688,7 @@ static ssize_t smk_write_onlycap(struct file *file, const char __user *buf,
|
|||||||
if (smack_onlycap != NULL && smack_onlycap != skp)
|
if (smack_onlycap != NULL && smack_onlycap != skp)
|
||||||
return -EPERM;
|
return -EPERM;
|
||||||
|
|
||||||
data = kzalloc(count, GFP_KERNEL);
|
data = kzalloc(count + 1, GFP_KERNEL);
|
||||||
if (data == NULL)
|
if (data == NULL)
|
||||||
return -ENOMEM;
|
return -ENOMEM;
|
||||||
|
|
||||||
@ -1880,7 +1891,10 @@ static ssize_t smk_user_access(struct file *file, const char __user *buf,
|
|||||||
else if (res != -ENOENT)
|
else if (res != -ENOENT)
|
||||||
return -EINVAL;
|
return -EINVAL;
|
||||||
|
|
||||||
data[0] = res == 0 ? '1' : '0';
|
/*
|
||||||
|
* smk_access() can return a value > 0 in the "bringup" case.
|
||||||
|
*/
|
||||||
|
data[0] = res >= 0 ? '1' : '0';
|
||||||
data[1] = '\0';
|
data[1] = '\0';
|
||||||
|
|
||||||
simple_transaction_set(file, 2);
|
simple_transaction_set(file, 2);
|
||||||
@ -2228,7 +2242,7 @@ static ssize_t smk_write_syslog(struct file *file, const char __user *buf,
|
|||||||
if (!smack_privileged(CAP_MAC_ADMIN))
|
if (!smack_privileged(CAP_MAC_ADMIN))
|
||||||
return -EPERM;
|
return -EPERM;
|
||||||
|
|
||||||
data = kzalloc(count, GFP_KERNEL);
|
data = kzalloc(count + 1, GFP_KERNEL);
|
||||||
if (data == NULL)
|
if (data == NULL)
|
||||||
return -ENOMEM;
|
return -ENOMEM;
|
||||||
|
|
||||||
|
Loading…
Reference in New Issue
Block a user