diff options
| author | Casey Schaufler <casey@schaufler-ca.com> | 2016-11-14 12:38:15 -0500 |
|---|---|---|
| committer | Casey Schaufler <casey@schaufler-ca.com> | 2016-11-15 12:34:39 -0500 |
| commit | 152f91d4d11a30106b9cc0b27b47e0e80b633ee8 (patch) | |
| tree | 33fdd28f8075586b8c11ea4175400b51cd8eb38c /security/smack | |
| parent | 8c15d66e429afd099b66f05393527c23f85ca41c (diff) | |
Smack: Remove unnecessary smack_known_invalid
The invalid Smack label ("") and the Huh ("?") Smack label
serve the same purpose and having both is unnecessary.
While pulling out the invalid label it became clear that
the use of smack_from_secid() was inconsistent, so that
is repaired. The setting of inode labels to the invalid
label could never happen in a functional system, has
never been observed in the wild and is not what you'd
really want for a failure behavior in any case. That is
removed.
Signed-off-by: Casey Schaufler <casey@schaufler-ca.com>
Diffstat (limited to 'security/smack')
| -rw-r--r-- | security/smack/smack.h | 1 | ||||
| -rw-r--r-- | security/smack/smack_access.c | 7 | ||||
| -rw-r--r-- | security/smack/smack_lsm.c | 29 | ||||
| -rw-r--r-- | security/smack/smackfs.c | 3 |
4 files changed, 4 insertions, 36 deletions
diff --git a/security/smack/smack.h b/security/smack/smack.h index 51fd30192c08..77abe2efacae 100644 --- a/security/smack/smack.h +++ b/security/smack/smack.h | |||
| @@ -336,7 +336,6 @@ extern int smack_ptrace_rule; | |||
| 336 | extern struct smack_known smack_known_floor; | 336 | extern struct smack_known smack_known_floor; |
| 337 | extern struct smack_known smack_known_hat; | 337 | extern struct smack_known smack_known_hat; |
| 338 | extern struct smack_known smack_known_huh; | 338 | extern struct smack_known smack_known_huh; |
| 339 | extern struct smack_known smack_known_invalid; | ||
| 340 | extern struct smack_known smack_known_star; | 339 | extern struct smack_known smack_known_star; |
| 341 | extern struct smack_known smack_known_web; | 340 | extern struct smack_known smack_known_web; |
| 342 | 341 | ||
diff --git a/security/smack/smack_access.c b/security/smack/smack_access.c index 23e5808a0970..356e3764cad9 100644 --- a/security/smack/smack_access.c +++ b/security/smack/smack_access.c | |||
| @@ -36,11 +36,6 @@ struct smack_known smack_known_floor = { | |||
| 36 | .smk_secid = 5, | 36 | .smk_secid = 5, |
| 37 | }; | 37 | }; |
| 38 | 38 | ||
| 39 | struct smack_known smack_known_invalid = { | ||
| 40 | .smk_known = "", | ||
| 41 | .smk_secid = 6, | ||
| 42 | }; | ||
| 43 | |||
| 44 | struct smack_known smack_known_web = { | 39 | struct smack_known smack_known_web = { |
| 45 | .smk_known = "@", | 40 | .smk_known = "@", |
| 46 | .smk_secid = 7, | 41 | .smk_secid = 7, |
| @@ -615,7 +610,7 @@ struct smack_known *smack_from_secid(const u32 secid) | |||
| 615 | * of a secid that is not on the list. | 610 | * of a secid that is not on the list. |
| 616 | */ | 611 | */ |
| 617 | rcu_read_unlock(); | 612 | rcu_read_unlock(); |
| 618 | return &smack_known_invalid; | 613 | return &smack_known_huh; |
| 619 | } | 614 | } |
| 620 | 615 | ||
| 621 | /* | 616 | /* |
diff --git a/security/smack/smack_lsm.c b/security/smack/smack_lsm.c index 46d8be434466..4d90257d03ad 100644 --- a/security/smack/smack_lsm.c +++ b/security/smack/smack_lsm.c | |||
| @@ -1384,20 +1384,14 @@ static void smack_inode_post_setxattr(struct dentry *dentry, const char *name, | |||
| 1384 | skp = smk_import_entry(value, size); | 1384 | skp = smk_import_entry(value, size); |
| 1385 | if (!IS_ERR(skp)) | 1385 | if (!IS_ERR(skp)) |
| 1386 | isp->smk_inode = skp; | 1386 | isp->smk_inode = skp; |
| 1387 | else | ||
| 1388 | isp->smk_inode = &smack_known_invalid; | ||
| 1389 | } else if (strcmp(name, XATTR_NAME_SMACKEXEC) == 0) { | 1387 | } else if (strcmp(name, XATTR_NAME_SMACKEXEC) == 0) { |
| 1390 | skp = smk_import_entry(value, size); | 1388 | skp = smk_import_entry(value, size); |
| 1391 | if (!IS_ERR(skp)) | 1389 | if (!IS_ERR(skp)) |
| 1392 | isp->smk_task = skp; | 1390 | isp->smk_task = skp; |
| 1393 | else | ||
| 1394 | isp->smk_task = &smack_known_invalid; | ||
| 1395 | } else if (strcmp(name, XATTR_NAME_SMACKMMAP) == 0) { | 1391 | } else if (strcmp(name, XATTR_NAME_SMACKMMAP) == 0) { |
| 1396 | skp = smk_import_entry(value, size); | 1392 | skp = smk_import_entry(value, size); |
| 1397 | if (!IS_ERR(skp)) | 1393 | if (!IS_ERR(skp)) |
| 1398 | isp->smk_mmap = skp; | 1394 | isp->smk_mmap = skp; |
| 1399 | else | ||
| 1400 | isp->smk_mmap = &smack_known_invalid; | ||
| 1401 | } | 1395 | } |
| 1402 | 1396 | ||
| 1403 | return; | 1397 | return; |
| @@ -2068,12 +2062,8 @@ static void smack_cred_transfer(struct cred *new, const struct cred *old) | |||
| 2068 | static int smack_kernel_act_as(struct cred *new, u32 secid) | 2062 | static int smack_kernel_act_as(struct cred *new, u32 secid) |
| 2069 | { | 2063 | { |
| 2070 | struct task_smack *new_tsp = new->security; | 2064 | struct task_smack *new_tsp = new->security; |
| 2071 | struct smack_known *skp = smack_from_secid(secid); | ||
| 2072 | |||
| 2073 | if (skp == NULL) | ||
| 2074 | return -EINVAL; | ||
| 2075 | 2065 | ||
| 2076 | new_tsp->smk_task = skp; | 2066 | new_tsp->smk_task = smack_from_secid(secid); |
| 2077 | return 0; | 2067 | return 0; |
| 2078 | } | 2068 | } |
| 2079 | 2069 | ||
| @@ -3894,21 +3884,11 @@ static struct smack_known *smack_from_secattr(struct netlbl_lsm_secattr *sap, | |||
| 3894 | return &smack_known_web; | 3884 | return &smack_known_web; |
| 3895 | return &smack_known_star; | 3885 | return &smack_known_star; |
| 3896 | } | 3886 | } |
| 3897 | if ((sap->flags & NETLBL_SECATTR_SECID) != 0) { | 3887 | if ((sap->flags & NETLBL_SECATTR_SECID) != 0) |
| 3898 | /* | 3888 | /* |
| 3899 | * Looks like a fallback, which gives us a secid. | 3889 | * Looks like a fallback, which gives us a secid. |
| 3900 | */ | 3890 | */ |
| 3901 | skp = smack_from_secid(sap->attr.secid); | 3891 | return smack_from_secid(sap->attr.secid); |
| 3902 | /* | ||
| 3903 | * This has got to be a bug because it is | ||
| 3904 | * impossible to specify a fallback without | ||
| 3905 | * specifying the label, which will ensure | ||
| 3906 | * it has a secid, and the only way to get a | ||
| 3907 | * secid is from a fallback. | ||
| 3908 | */ | ||
| 3909 | BUG_ON(skp == NULL); | ||
| 3910 | return skp; | ||
| 3911 | } | ||
| 3912 | /* | 3892 | /* |
| 3913 | * Without guidance regarding the smack value | 3893 | * Without guidance regarding the smack value |
| 3914 | * for the packet fall back on the network | 3894 | * for the packet fall back on the network |
| @@ -4771,7 +4751,6 @@ static __init void init_smack_known_list(void) | |||
| 4771 | mutex_init(&smack_known_hat.smk_rules_lock); | 4751 | mutex_init(&smack_known_hat.smk_rules_lock); |
| 4772 | mutex_init(&smack_known_floor.smk_rules_lock); | 4752 | mutex_init(&smack_known_floor.smk_rules_lock); |
| 4773 | mutex_init(&smack_known_star.smk_rules_lock); | 4753 | mutex_init(&smack_known_star.smk_rules_lock); |
| 4774 | mutex_init(&smack_known_invalid.smk_rules_lock); | ||
| 4775 | mutex_init(&smack_known_web.smk_rules_lock); | 4754 | mutex_init(&smack_known_web.smk_rules_lock); |
| 4776 | /* | 4755 | /* |
| 4777 | * Initialize rule lists | 4756 | * Initialize rule lists |
| @@ -4780,7 +4759,6 @@ static __init void init_smack_known_list(void) | |||
| 4780 | INIT_LIST_HEAD(&smack_known_hat.smk_rules); | 4759 | INIT_LIST_HEAD(&smack_known_hat.smk_rules); |
| 4781 | INIT_LIST_HEAD(&smack_known_star.smk_rules); | 4760 | INIT_LIST_HEAD(&smack_known_star.smk_rules); |
| 4782 | INIT_LIST_HEAD(&smack_known_floor.smk_rules); | 4761 | INIT_LIST_HEAD(&smack_known_floor.smk_rules); |
| 4783 | INIT_LIST_HEAD(&smack_known_invalid.smk_rules); | ||
| 4784 | INIT_LIST_HEAD(&smack_known_web.smk_rules); | 4762 | INIT_LIST_HEAD(&smack_known_web.smk_rules); |
| 4785 | /* | 4763 | /* |
| 4786 | * Create the known labels list | 4764 | * Create the known labels list |
| @@ -4789,7 +4767,6 @@ static __init void init_smack_known_list(void) | |||
| 4789 | smk_insert_entry(&smack_known_hat); | 4767 | smk_insert_entry(&smack_known_hat); |
| 4790 | smk_insert_entry(&smack_known_star); | 4768 | smk_insert_entry(&smack_known_star); |
| 4791 | smk_insert_entry(&smack_known_floor); | 4769 | smk_insert_entry(&smack_known_floor); |
| 4792 | smk_insert_entry(&smack_known_invalid); | ||
| 4793 | smk_insert_entry(&smack_known_web); | 4770 | smk_insert_entry(&smack_known_web); |
| 4794 | } | 4771 | } |
| 4795 | 4772 | ||
diff --git a/security/smack/smackfs.c b/security/smack/smackfs.c index 6492fe96cae4..13743a01b35b 100644 --- a/security/smack/smackfs.c +++ b/security/smack/smackfs.c | |||
| @@ -2998,9 +2998,6 @@ static int __init init_smk_fs(void) | |||
| 2998 | rc = smk_preset_netlabel(&smack_known_huh); | 2998 | rc = smk_preset_netlabel(&smack_known_huh); |
| 2999 | if (err == 0 && rc < 0) | 2999 | if (err == 0 && rc < 0) |
| 3000 | err = rc; | 3000 | err = rc; |
| 3001 | rc = smk_preset_netlabel(&smack_known_invalid); | ||
| 3002 | if (err == 0 && rc < 0) | ||
| 3003 | err = rc; | ||
| 3004 | rc = smk_preset_netlabel(&smack_known_star); | 3001 | rc = smk_preset_netlabel(&smack_known_star); |
| 3005 | if (err == 0 && rc < 0) | 3002 | if (err == 0 && rc < 0) |
| 3006 | err = rc; | 3003 | err = rc; |