Diffstat (limited to 'security/smack/smack_lsm.c')
-rw-r--r--security/smack/smack_lsm.c65
1 files changed, 60 insertions, 5 deletions
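--- a/security/smack/smack_lsm.c
+++ b/security/smack/smack_lsm.c
@@ -91,7 +91,7 @@ struct inode_smack *new_inode_smack(char *smack)
  */
 
 /**
- * smack_ptrace_may_access - Smack approval on PTRACE_ATTACH
+ * smack_ptrace_access_check - Smack approval on PTRACE_ATTACH
  * @ctp: child task pointer
  * @mode: ptrace attachment mode
  *
@@ -99,13 +99,13 @@ struct inode_smack *new_inode_smack(char *smack)
  *
  * Do the capability checks, and require read and write.
  */
-static int smack_ptrace_may_access(struct task_struct *ctp, unsigned int mode)
+static int smack_ptrace_access_check(struct task_struct *ctp, unsigned int mode)
 {
 	int rc;
 	struct smk_audit_info ad;
 	char *sp, *tsp;
 
-	rc = cap_ptrace_may_access(ctp, mode);
+	rc = cap_ptrace_access_check(ctp, mode);
 	if (rc != 0)
 		return rc;
 
@@ -1080,6 +1080,22 @@ static int smack_file_receive(struct file *file)
  */
 
 /**
+ * smack_cred_alloc_blank - "allocate" blank task-level security credentials
+ * @new: the new credentials
+ * @gfp: the atomicity of any memory allocations
+ *
+ * Prepare a blank set of credentials for modification. This must allocate all
+ * the memory the LSM module might require such that cred_transfer() can
+ * complete without error.
+ */
+static int smack_cred_alloc_blank(struct cred *cred, gfp_t gfp)
+{
+	cred->security = NULL;
+	return 0;
+}
+
+
+/**
  * smack_cred_free - "free" task-level security credentials
  * @cred: the credentials in question
  *
@@ -1117,6 +1133,18 @@ static void smack_cred_commit(struct cred *new, const struct cred *old)
 }
 
 /**
+ * smack_cred_transfer - Transfer the old credentials to the new credentials
+ * @new: the new credentials
+ * @old: the original credentials
+ *
+ * Fill in a set of blank credentials from another set of credentials.
+ */
+static void smack_cred_transfer(struct cred *new, const struct cred *old)
+{
+	new->security = old->security;
+}
+
+/**
  * smack_kernel_act_as - Set the subjective context in a set of credentials
  * @new: points to the set of credentials to be modified.
  * @secid: specifies the security ID to be set
@@ -1638,6 +1666,7 @@ static int smack_inode_setsecurity(struct inode *inode, const char *name,
 
 	if (strcmp(name, XATTR_SMACK_SUFFIX) == 0) {
 		nsp->smk_inode = sp;
+		nsp->smk_flags |= SMK_INODE_INSTANT;
 		return 0;
 	}
 	/*
@@ -2464,7 +2493,7 @@ static int smack_socket_sendmsg(struct socket *sock, struct msghdr *msg,
 	/*
 	 * Perfectly reasonable for this to be NULL
 	 */
-	if (sip == NULL || sip->sin_family != PF_INET)
+	if (sip == NULL || sip->sin_family != AF_INET)
 		return 0;
 
 	return smack_netlabel_send(sock->sk, sip);
@@ -3029,10 +3058,31 @@ static void smack_release_secctx(char *secdata, u32 seclen)
 {
 }
 
+static int smack_inode_notifysecctx(struct inode *inode, void *ctx, u32 ctxlen)
+{
+	return smack_inode_setsecurity(inode, XATTR_SMACK_SUFFIX, ctx, ctxlen, 0);
+}
+
+static int smack_inode_setsecctx(struct dentry *dentry, void *ctx, u32 ctxlen)
+{
+	return __vfs_setxattr_noperm(dentry, XATTR_NAME_SMACK, ctx, ctxlen, 0);
+}
+
+static int smack_inode_getsecctx(struct inode *inode, void **ctx, u32 *ctxlen)
+{
+	int len = 0;
+	len = smack_inode_getsecurity(inode, XATTR_SMACK_SUFFIX, ctx, true);
+
+	if (len < 0)
+		return len;
+	*ctxlen = len;
+	return 0;
+}
+
 struct security_operations smack_ops = {
 	.name = "smack",
 
-	.ptrace_may_access = smack_ptrace_may_access,
+	.ptrace_access_check = smack_ptrace_access_check,
 	.ptrace_traceme = smack_ptrace_traceme,
 	.syslog = smack_syslog,
 
@@ -3073,9 +3123,11 @@ struct security_operations smack_ops = {
 	.file_send_sigiotask = smack_file_send_sigiotask,
 	.file_receive = smack_file_receive,
 
+	.cred_alloc_blank = smack_cred_alloc_blank,
 	.cred_free = smack_cred_free,
 	.cred_prepare = smack_cred_prepare,
 	.cred_commit = smack_cred_commit,
+	.cred_transfer = smack_cred_transfer,
 	.kernel_act_as = smack_kernel_act_as,
 	.kernel_create_files_as = smack_kernel_create_files_as,
 	.task_setpgid = smack_task_setpgid,
@@ -3155,6 +3207,9 @@ struct security_operations smack_ops = {
 	.secid_to_secctx = smack_secid_to_secctx,
 	.secctx_to_secid = smack_secctx_to_secid,
 	.release_secctx = smack_release_secctx,
+	.inode_notifysecctx = smack_inode_notifysecctx,
+	.inode_setsecctx = smack_inode_setsecctx,
+	.inode_getsecctx = smack_inode_getsecctx,
 };
 
 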
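Review bot: The kernel-doc block for smack_cred_alloc_blank in the third hunk documents `@new: the new credentials`, but the parameter is named `cred`, so the doc does not match the signature and kernel-doc will warn; either change the line to `@cred: the new credentials` or rename the parameter to `new` as smack_cred_transfer does. The `@gfp` entry describes an argument the body never uses, which is fine for a hook signature but worth a clause such as "unused, Smack allocates nothing here". In smack_inode_getsecctx (the 3029-hunk) the initializer in `int len = 0;` is dead because the next statement overwrites it; `int len = smack_inode_getsecurity(inode, XATTR_SMACK_SUFFIX, ctx, true);` says the same thing without the redundant store and keeps the blank line after declarations that kernel style expects. smack_cred_transfer copies `old->security` as a bare pointer with no reference taken, which presumably relies on Smack labels living on a never-freed global list; a one-line comment stating that assumption would make the lack of refcounting look deliberate rather than accidental.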