diff options
| author | David Howells <dhowells@redhat.com> | 2018-11-01 19:07:24 -0400 |
|---|---|---|
| committer | Al Viro <viro@zeniv.linux.org.uk> | 2019-02-28 03:29:25 -0500 |
| commit | 2febd254adc4958b2388c7a49ddc85227f41a158 (patch) | |
| tree | 398ef4ff8f34dfea8bdbad444b9c2d3c823336ec /security | |
| parent | 442155c1bd84f82bff2d05d0ec4d0090df17ecfa (diff) | |
smack: Implement filesystem context security hooks
Implement filesystem context security hooks for the smack LSM.
Signed-off-by: David Howells <dhowells@redhat.com>
cc: Casey Schaufler <casey@schaufler-ca.com>
cc: linux-security-module@vger.kernel.org
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
Diffstat (limited to 'security')
| -rw-r--r-- | security/smack/smack.h | 19 | ||||
| -rw-r--r-- | security/smack/smack_lsm.c | 43 |
2 files changed, 47 insertions, 15 deletions
diff --git a/security/smack/smack.h b/security/smack/smack.h index f7db791fb566..0380a9c89d3b 100644 --- a/security/smack/smack.h +++ b/security/smack/smack.h | |||
| @@ -195,22 +195,13 @@ struct smack_known_list_elem { | |||
| 195 | 195 | ||
| 196 | enum { | 196 | enum { |
| 197 | Opt_error = -1, | 197 | Opt_error = -1, |
| 198 | Opt_fsdefault = 1, | 198 | Opt_fsdefault = 0, |
| 199 | Opt_fsfloor = 2, | 199 | Opt_fsfloor = 1, |
| 200 | Opt_fshat = 3, | 200 | Opt_fshat = 2, |
| 201 | Opt_fsroot = 4, | 201 | Opt_fsroot = 3, |
| 202 | Opt_fstransmute = 5, | 202 | Opt_fstransmute = 4, |
| 203 | }; | 203 | }; |
| 204 | 204 | ||
| 205 | /* | ||
| 206 | * Mount options | ||
| 207 | */ | ||
| 208 | #define SMK_FSDEFAULT "smackfsdef=" | ||
| 209 | #define SMK_FSFLOOR "smackfsfloor=" | ||
| 210 | #define SMK_FSHAT "smackfshat=" | ||
| 211 | #define SMK_FSROOT "smackfsroot=" | ||
| 212 | #define SMK_FSTRANS "smackfstransmute=" | ||
| 213 | |||
| 214 | #define SMACK_DELETE_OPTION "-DELETE" | 205 | #define SMACK_DELETE_OPTION "-DELETE" |
| 215 | #define SMACK_CIPSO_OPTION "-CIPSO" | 206 | #define SMACK_CIPSO_OPTION "-CIPSO" |
| 216 | 207 | ||
diff --git a/security/smack/smack_lsm.c b/security/smack/smack_lsm.c index 430d4f35e55c..5f93c4f84384 100644 --- a/security/smack/smack_lsm.c +++ b/security/smack/smack_lsm.c | |||
| @@ -43,6 +43,8 @@ | |||
| 43 | #include <linux/shm.h> | 43 | #include <linux/shm.h> |
| 44 | #include <linux/binfmts.h> | 44 | #include <linux/binfmts.h> |
| 45 | #include <linux/parser.h> | 45 | #include <linux/parser.h> |
| 46 | #include <linux/fs_context.h> | ||
| 47 | #include <linux/fs_parser.h> | ||
| 46 | #include "smack.h" | 48 | #include "smack.h" |
| 47 | 49 | ||
| 48 | #define TRANS_TRUE "TRUE" | 50 | #define TRANS_TRUE "TRUE" |
| @@ -541,7 +543,6 @@ static int smack_syslog(int typefrom_file) | |||
| 541 | return rc; | 543 | return rc; |
| 542 | } | 544 | } |
| 543 | 545 | ||
| 544 | |||
| 545 | /* | 546 | /* |
| 546 | * Superblock Hooks. | 547 | * Superblock Hooks. |
| 547 | */ | 548 | */ |
| @@ -646,6 +647,44 @@ out_opt_err: | |||
| 646 | return -EINVAL; | 647 | return -EINVAL; |
| 647 | } | 648 | } |
| 648 | 649 | ||
| 650 | static const struct fs_parameter_spec smack_param_specs[] = { | ||
| 651 | fsparam_string("fsdefault", Opt_fsdefault), | ||
| 652 | fsparam_string("fsfloor", Opt_fsfloor), | ||
| 653 | fsparam_string("fshat", Opt_fshat), | ||
| 654 | fsparam_string("fsroot", Opt_fsroot), | ||
| 655 | fsparam_string("fstransmute", Opt_fstransmute), | ||
| 656 | {} | ||
| 657 | }; | ||
| 658 | |||
| 659 | static const struct fs_parameter_description smack_fs_parameters = { | ||
| 660 | .name = "smack", | ||
| 661 | .specs = smack_param_specs, | ||
| 662 | }; | ||
| 663 | |||
| 664 | /** | ||
| 665 | * smack_fs_context_parse_param - Parse a single mount parameter | ||
| 666 | * @fc: The new filesystem context being constructed. | ||
| 667 | * @param: The parameter. | ||
| 668 | * | ||
| 669 | * Returns 0 on success, -ENOPARAM to pass the parameter on or anything else on | ||
| 670 | * error. | ||
| 671 | */ | ||
| 672 | static int smack_fs_context_parse_param(struct fs_context *fc, | ||
| 673 | struct fs_parameter *param) | ||
| 674 | { | ||
| 675 | struct fs_parse_result result; | ||
| 676 | int opt, rc; | ||
| 677 | |||
| 678 | opt = fs_parse(fc, &smack_fs_parameters, param, &result); | ||
| 679 | if (opt < 0) | ||
| 680 | return opt; | ||
| 681 | |||
| 682 | rc = smack_add_opt(opt, param->string, &fc->security); | ||
| 683 | if (!rc) | ||
| 684 | param->string = NULL; | ||
| 685 | return rc; | ||
| 686 | } | ||
| 687 | |||
| 649 | static int smack_sb_eat_lsm_opts(char *options, void **mnt_opts) | 688 | static int smack_sb_eat_lsm_opts(char *options, void **mnt_opts) |
| 650 | { | 689 | { |
| 651 | char *from = options, *to = options; | 690 | char *from = options, *to = options; |
| @@ -4587,6 +4626,8 @@ static struct security_hook_list smack_hooks[] __lsm_ro_after_init = { | |||
| 4587 | LSM_HOOK_INIT(ptrace_traceme, smack_ptrace_traceme), | 4626 | LSM_HOOK_INIT(ptrace_traceme, smack_ptrace_traceme), |
| 4588 | LSM_HOOK_INIT(syslog, smack_syslog), | 4627 | LSM_HOOK_INIT(syslog, smack_syslog), |
| 4589 | 4628 | ||
| 4629 | LSM_HOOK_INIT(fs_context_parse_param, smack_fs_context_parse_param), | ||
| 4630 | |||
| 4590 | LSM_HOOK_INIT(sb_alloc_security, smack_sb_alloc_security), | 4631 | LSM_HOOK_INIT(sb_alloc_security, smack_sb_alloc_security), |
| 4591 | LSM_HOOK_INIT(sb_free_security, smack_sb_free_security), | 4632 | LSM_HOOK_INIT(sb_free_security, smack_sb_free_security), |
| 4592 | LSM_HOOK_INIT(sb_free_mnt_opts, smack_free_mnt_opts), | 4633 | LSM_HOOK_INIT(sb_free_mnt_opts, smack_free_mnt_opts), |