aboutsummaryrefslogtreecommitdiffstats
path: root/security
diff options
context:
space:
mode:
authorJames Morris <james.l.morris@oracle.com>2017-06-20 21:30:20 -0400
committerJames Morris <james.l.morris@oracle.com>2017-06-20 21:30:20 -0400
commitcdac74ddf28e2f07319cc89446f9dea35d22d999 (patch)
treea834000d6eef03e194cc40a964191e583595b5b8 /security
parente4b0852798bc15ed1a3ed6768ef2c4d2a1cb7599 (diff)
parentf28e783ff668cf5757182f6b00d488be37226bff (diff)
Merge branch 'smack-for-4.13' of git://github.com/cschaufler/smack-next into next
Diffstat (limited to 'security')
-rw-r--r--security/smack/smack.h2
-rw-r--r--security/smack/smack_access.c19
-rw-r--r--security/smack/smack_lsm.c2
-rw-r--r--security/smack/smack_netfilter.c26
4 files changed, 31 insertions, 18 deletions
diff --git a/security/smack/smack.h b/security/smack/smack.h
index 612b810fbbc6..6a71fc7831ab 100644
--- a/security/smack/smack.h
+++ b/security/smack/smack.h
@@ -320,7 +320,7 @@ int smk_netlbl_mls(int, char *, struct netlbl_lsm_secattr *, int);
320struct smack_known *smk_import_entry(const char *, int); 320struct smack_known *smk_import_entry(const char *, int);
321void smk_insert_entry(struct smack_known *skp); 321void smk_insert_entry(struct smack_known *skp);
322struct smack_known *smk_find_entry(const char *); 322struct smack_known *smk_find_entry(const char *);
323int smack_privileged(int cap); 323bool smack_privileged(int cap);
324void smk_destroy_label_list(struct list_head *list); 324void smk_destroy_label_list(struct list_head *list);
325 325
326/* 326/*
diff --git a/security/smack/smack_access.c b/security/smack/smack_access.c
index a4b2e6b94abd..1a3004189447 100644
--- a/security/smack/smack_access.c
+++ b/security/smack/smack_access.c
@@ -627,35 +627,38 @@ DEFINE_MUTEX(smack_onlycap_lock);
627 * Is the task privileged and allowed to be privileged 627 * Is the task privileged and allowed to be privileged
628 * by the onlycap rule. 628 * by the onlycap rule.
629 * 629 *
630 * Returns 1 if the task is allowed to be privileged, 0 if it's not. 630 * Returns true if the task is allowed to be privileged, false if it's not.
631 */ 631 */
632int smack_privileged(int cap) 632bool smack_privileged(int cap)
633{ 633{
634 struct smack_known *skp = smk_of_current(); 634 struct smack_known *skp = smk_of_current();
635 struct smack_known_list_elem *sklep; 635 struct smack_known_list_elem *sklep;
636 int rc;
636 637
637 /* 638 /*
638 * All kernel tasks are privileged 639 * All kernel tasks are privileged
639 */ 640 */
640 if (unlikely(current->flags & PF_KTHREAD)) 641 if (unlikely(current->flags & PF_KTHREAD))
641 return 1; 642 return true;
642 643
643 if (!capable(cap)) 644 rc = cap_capable(current_cred(), &init_user_ns, cap,
644 return 0; 645 SECURITY_CAP_AUDIT);
646 if (rc)
647 return false;
645 648
646 rcu_read_lock(); 649 rcu_read_lock();
647 if (list_empty(&smack_onlycap_list)) { 650 if (list_empty(&smack_onlycap_list)) {
648 rcu_read_unlock(); 651 rcu_read_unlock();
649 return 1; 652 return true;
650 } 653 }
651 654
652 list_for_each_entry_rcu(sklep, &smack_onlycap_list, list) { 655 list_for_each_entry_rcu(sklep, &smack_onlycap_list, list) {
653 if (sklep->smk_label == skp) { 656 if (sklep->smk_label == skp) {
654 rcu_read_unlock(); 657 rcu_read_unlock();
655 return 1; 658 return true;
656 } 659 }
657 } 660 }
658 rcu_read_unlock(); 661 rcu_read_unlock();
659 662
660 return 0; 663 return false;
661} 664}
diff --git a/security/smack/smack_lsm.c b/security/smack/smack_lsm.c
index 658f5d8c7e76..463af86812c7 100644
--- a/security/smack/smack_lsm.c
+++ b/security/smack/smack_lsm.c
@@ -1915,7 +1915,7 @@ static int smack_file_receive(struct file *file)
1915 smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_PATH); 1915 smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_PATH);
1916 smk_ad_setfield_u_fs_path(&ad, file->f_path); 1916 smk_ad_setfield_u_fs_path(&ad, file->f_path);
1917 1917
1918 if (S_ISSOCK(inode->i_mode)) { 1918 if (inode->i_sb->s_magic == SOCKFS_MAGIC) {
1919 sock = SOCKET_I(inode); 1919 sock = SOCKET_I(inode);
1920 ssp = sock->sk->sk_security; 1920 ssp = sock->sk->sk_security;
1921 tsp = current_security(); 1921 tsp = current_security();
diff --git a/security/smack/smack_netfilter.c b/security/smack/smack_netfilter.c
index 205b785fb400..cdeb0f3243dd 100644
--- a/security/smack/smack_netfilter.c
+++ b/security/smack/smack_netfilter.c
@@ -18,6 +18,7 @@
18#include <linux/netfilter_ipv6.h> 18#include <linux/netfilter_ipv6.h>
19#include <linux/netdevice.h> 19#include <linux/netdevice.h>
20#include <net/inet_sock.h> 20#include <net/inet_sock.h>
21#include <net/net_namespace.h>
21#include "smack.h" 22#include "smack.h"
22 23
23#if IS_ENABLED(CONFIG_IPV6) 24#if IS_ENABLED(CONFIG_IPV6)
@@ -74,20 +75,29 @@ static struct nf_hook_ops smack_nf_ops[] = {
74#endif /* IPV6 */ 75#endif /* IPV6 */
75}; 76};
76 77
77static int __init smack_nf_ip_init(void) 78static int __net_init smack_nf_register(struct net *net)
79{
80 return nf_register_net_hooks(net, smack_nf_ops,
81 ARRAY_SIZE(smack_nf_ops));
82}
83
84static void __net_exit smack_nf_unregister(struct net *net)
78{ 85{
79 int err; 86 nf_unregister_net_hooks(net, smack_nf_ops, ARRAY_SIZE(smack_nf_ops));
87}
80 88
89static struct pernet_operations smack_net_ops = {
90 .init = smack_nf_register,
91 .exit = smack_nf_unregister,
92};
93
94static int __init smack_nf_ip_init(void)
95{
81 if (smack_enabled == 0) 96 if (smack_enabled == 0)
82 return 0; 97 return 0;
83 98
84 printk(KERN_DEBUG "Smack: Registering netfilter hooks\n"); 99 printk(KERN_DEBUG "Smack: Registering netfilter hooks\n");
85 100 return register_pernet_subsys(&smack_net_ops);
86 err = nf_register_hooks(smack_nf_ops, ARRAY_SIZE(smack_nf_ops));
87 if (err)
88 pr_info("Smack: nf_register_hooks: error %d\n", err);
89
90 return 0;
91} 101}
92 102
93__initcall(smack_nf_ip_init); 103__initcall(smack_nf_ip_init);
generated by cgit v1.2.2 (git 2.25.0) at 2026-04-18 15:43:21 -0400