diff options
Diffstat (limited to 'security/smack/smack_lsm.c')
-rw-r--r-- | security/smack/smack_lsm.c | 65 |
1 files changed, 60 insertions, 5 deletions
diff --git a/security/smack/smack_lsm.c b/security/smack/smack_lsm.c index 0023182078c..acae7ef4092 100644 --- a/security/smack/smack_lsm.c +++ b/security/smack/smack_lsm.c | |||
@@ -91,7 +91,7 @@ struct inode_smack *new_inode_smack(char *smack) | |||
91 | */ | 91 | */ |
92 | 92 | ||
93 | /** | 93 | /** |
94 | * smack_ptrace_may_access - Smack approval on PTRACE_ATTACH | 94 | * smack_ptrace_access_check - Smack approval on PTRACE_ATTACH |
95 | * @ctp: child task pointer | 95 | * @ctp: child task pointer |
96 | * @mode: ptrace attachment mode | 96 | * @mode: ptrace attachment mode |
97 | * | 97 | * |
@@ -99,13 +99,13 @@ struct inode_smack *new_inode_smack(char *smack) | |||
99 | * | 99 | * |
100 | * Do the capability checks, and require read and write. | 100 | * Do the capability checks, and require read and write. |
101 | */ | 101 | */ |
102 | static int smack_ptrace_may_access(struct task_struct *ctp, unsigned int mode) | 102 | static int smack_ptrace_access_check(struct task_struct *ctp, unsigned int mode) |
103 | { | 103 | { |
104 | int rc; | 104 | int rc; |
105 | struct smk_audit_info ad; | 105 | struct smk_audit_info ad; |
106 | char *sp, *tsp; | 106 | char *sp, *tsp; |
107 | 107 | ||
108 | rc = cap_ptrace_may_access(ctp, mode); | 108 | rc = cap_ptrace_access_check(ctp, mode); |
109 | if (rc != 0) | 109 | if (rc != 0) |
110 | return rc; | 110 | return rc; |
111 | 111 | ||
@@ -1080,6 +1080,22 @@ static int smack_file_receive(struct file *file) | |||
1080 | */ | 1080 | */ |
1081 | 1081 | ||
1082 | /** | 1082 | /** |
1083 | * smack_cred_alloc_blank - "allocate" blank task-level security credentials | ||
1084 | * @new: the new credentials | ||
1085 | * @gfp: the atomicity of any memory allocations | ||
1086 | * | ||
1087 | * Prepare a blank set of credentials for modification. This must allocate all | ||
1088 | * the memory the LSM module might require such that cred_transfer() can | ||
1089 | * complete without error. | ||
1090 | */ | ||
1091 | static int smack_cred_alloc_blank(struct cred *cred, gfp_t gfp) | ||
1092 | { | ||
1093 | cred->security = NULL; | ||
1094 | return 0; | ||
1095 | } | ||
1096 | |||
1097 | |||
1098 | /** | ||
1083 | * smack_cred_free - "free" task-level security credentials | 1099 | * smack_cred_free - "free" task-level security credentials |
1084 | * @cred: the credentials in question | 1100 | * @cred: the credentials in question |
1085 | * | 1101 | * |
@@ -1117,6 +1133,18 @@ static void smack_cred_commit(struct cred *new, const struct cred *old) | |||
1117 | } | 1133 | } |
1118 | 1134 | ||
1119 | /** | 1135 | /** |
1136 | * smack_cred_transfer - Transfer the old credentials to the new credentials | ||
1137 | * @new: the new credentials | ||
1138 | * @old: the original credentials | ||
1139 | * | ||
1140 | * Fill in a set of blank credentials from another set of credentials. | ||
1141 | */ | ||
1142 | static void smack_cred_transfer(struct cred *new, const struct cred *old) | ||
1143 | { | ||
1144 | new->security = old->security; | ||
1145 | } | ||
1146 | |||
1147 | /** | ||
1120 | * smack_kernel_act_as - Set the subjective context in a set of credentials | 1148 | * smack_kernel_act_as - Set the subjective context in a set of credentials |
1121 | * @new: points to the set of credentials to be modified. | 1149 | * @new: points to the set of credentials to be modified. |
1122 | * @secid: specifies the security ID to be set | 1150 | * @secid: specifies the security ID to be set |
@@ -1638,6 +1666,7 @@ static int smack_inode_setsecurity(struct inode *inode, const char *name, | |||
1638 | 1666 | ||
1639 | if (strcmp(name, XATTR_SMACK_SUFFIX) == 0) { | 1667 | if (strcmp(name, XATTR_SMACK_SUFFIX) == 0) { |
1640 | nsp->smk_inode = sp; | 1668 | nsp->smk_inode = sp; |
1669 | nsp->smk_flags |= SMK_INODE_INSTANT; | ||
1641 | return 0; | 1670 | return 0; |
1642 | } | 1671 | } |
1643 | /* | 1672 | /* |
@@ -2464,7 +2493,7 @@ static int smack_socket_sendmsg(struct socket *sock, struct msghdr *msg, | |||
2464 | /* | 2493 | /* |
2465 | * Perfectly reasonable for this to be NULL | 2494 | * Perfectly reasonable for this to be NULL |
2466 | */ | 2495 | */ |
2467 | if (sip == NULL || sip->sin_family != PF_INET) | 2496 | if (sip == NULL || sip->sin_family != AF_INET) |
2468 | return 0; | 2497 | return 0; |
2469 | 2498 | ||
2470 | return smack_netlabel_send(sock->sk, sip); | 2499 | return smack_netlabel_send(sock->sk, sip); |
@@ -3029,10 +3058,31 @@ static void smack_release_secctx(char *secdata, u32 seclen) | |||
3029 | { | 3058 | { |
3030 | } | 3059 | } |
3031 | 3060 | ||
3061 | static int smack_inode_notifysecctx(struct inode *inode, void *ctx, u32 ctxlen) | ||
3062 | { | ||
3063 | return smack_inode_setsecurity(inode, XATTR_SMACK_SUFFIX, ctx, ctxlen, 0); | ||
3064 | } | ||
3065 | |||
3066 | static int smack_inode_setsecctx(struct dentry *dentry, void *ctx, u32 ctxlen) | ||
3067 | { | ||
3068 | return __vfs_setxattr_noperm(dentry, XATTR_NAME_SMACK, ctx, ctxlen, 0); | ||
3069 | } | ||
3070 | |||
3071 | static int smack_inode_getsecctx(struct inode *inode, void **ctx, u32 *ctxlen) | ||
3072 | { | ||
3073 | int len = 0; | ||
3074 | len = smack_inode_getsecurity(inode, XATTR_SMACK_SUFFIX, ctx, true); | ||
3075 | |||
3076 | if (len < 0) | ||
3077 | return len; | ||
3078 | *ctxlen = len; | ||
3079 | return 0; | ||
3080 | } | ||
3081 | |||
3032 | struct security_operations smack_ops = { | 3082 | struct security_operations smack_ops = { |
3033 | .name = "smack", | 3083 | .name = "smack", |
3034 | 3084 | ||
3035 | .ptrace_may_access = smack_ptrace_may_access, | 3085 | .ptrace_access_check = smack_ptrace_access_check, |
3036 | .ptrace_traceme = smack_ptrace_traceme, | 3086 | .ptrace_traceme = smack_ptrace_traceme, |
3037 | .syslog = smack_syslog, | 3087 | .syslog = smack_syslog, |
3038 | 3088 | ||
@@ -3073,9 +3123,11 @@ struct security_operations smack_ops = { | |||
3073 | .file_send_sigiotask = smack_file_send_sigiotask, | 3123 | .file_send_sigiotask = smack_file_send_sigiotask, |
3074 | .file_receive = smack_file_receive, | 3124 | .file_receive = smack_file_receive, |
3075 | 3125 | ||
3126 | .cred_alloc_blank = smack_cred_alloc_blank, | ||
3076 | .cred_free = smack_cred_free, | 3127 | .cred_free = smack_cred_free, |
3077 | .cred_prepare = smack_cred_prepare, | 3128 | .cred_prepare = smack_cred_prepare, |
3078 | .cred_commit = smack_cred_commit, | 3129 | .cred_commit = smack_cred_commit, |
3130 | .cred_transfer = smack_cred_transfer, | ||
3079 | .kernel_act_as = smack_kernel_act_as, | 3131 | .kernel_act_as = smack_kernel_act_as, |
3080 | .kernel_create_files_as = smack_kernel_create_files_as, | 3132 | .kernel_create_files_as = smack_kernel_create_files_as, |
3081 | .task_setpgid = smack_task_setpgid, | 3133 | .task_setpgid = smack_task_setpgid, |
@@ -3155,6 +3207,9 @@ struct security_operations smack_ops = { | |||
3155 | .secid_to_secctx = smack_secid_to_secctx, | 3207 | .secid_to_secctx = smack_secid_to_secctx, |
3156 | .secctx_to_secid = smack_secctx_to_secid, | 3208 | .secctx_to_secid = smack_secctx_to_secid, |
3157 | .release_secctx = smack_release_secctx, | 3209 | .release_secctx = smack_release_secctx, |
3210 | .inode_notifysecctx = smack_inode_notifysecctx, | ||
3211 | .inode_setsecctx = smack_inode_setsecctx, | ||
3212 | .inode_getsecctx = smack_inode_getsecctx, | ||
3158 | }; | 3213 | }; |
3159 | 3214 | ||
3160 | 3215 | ||