diff options
Diffstat (limited to 'security/smack/smackfs.c')
| -rw-r--r-- | security/smack/smackfs.c | 37 |
1 files changed, 32 insertions, 5 deletions
diff --git a/security/smack/smackfs.c b/security/smack/smackfs.c index 01a0be93d8d..362d5eda948 100644 --- a/security/smack/smackfs.c +++ b/security/smack/smackfs.c | |||
| @@ -109,9 +109,12 @@ const char *smack_cipso_option = SMACK_CIPSO_OPTION; | |||
| 109 | * SMK_ACCESSLEN: Maximum length for a rule access field | 109 | * SMK_ACCESSLEN: Maximum length for a rule access field |
| 110 | * SMK_LOADLEN: Smack rule length | 110 | * SMK_LOADLEN: Smack rule length |
| 111 | */ | 111 | */ |
| 112 | #define SMK_ACCESS "rwxa" | 112 | #define SMK_OACCESS "rwxa" |
| 113 | #define SMK_ACCESSLEN (sizeof(SMK_ACCESS) - 1) | 113 | #define SMK_ACCESS "rwxat" |
| 114 | #define SMK_LOADLEN (SMK_LABELLEN + SMK_LABELLEN + SMK_ACCESSLEN) | 114 | #define SMK_OACCESSLEN (sizeof(SMK_OACCESS) - 1) |
| 115 | #define SMK_ACCESSLEN (sizeof(SMK_ACCESS) - 1) | ||
| 116 | #define SMK_OLOADLEN (SMK_LABELLEN + SMK_LABELLEN + SMK_OACCESSLEN) | ||
| 117 | #define SMK_LOADLEN (SMK_LABELLEN + SMK_LABELLEN + SMK_ACCESSLEN) | ||
| 115 | 118 | ||
| 116 | /** | 119 | /** |
| 117 | * smk_netlabel_audit_set - fill a netlbl_audit struct | 120 | * smk_netlabel_audit_set - fill a netlbl_audit struct |
| @@ -175,6 +178,8 @@ static int load_seq_show(struct seq_file *s, void *v) | |||
| 175 | seq_putc(s, 'x'); | 178 | seq_putc(s, 'x'); |
| 176 | if (srp->smk_access & MAY_APPEND) | 179 | if (srp->smk_access & MAY_APPEND) |
| 177 | seq_putc(s, 'a'); | 180 | seq_putc(s, 'a'); |
| 181 | if (srp->smk_access & MAY_TRANSMUTE) | ||
| 182 | seq_putc(s, 't'); | ||
| 178 | if (srp->smk_access == 0) | 183 | if (srp->smk_access == 0) |
| 179 | seq_putc(s, '-'); | 184 | seq_putc(s, '-'); |
| 180 | 185 | ||
| @@ -273,10 +278,15 @@ static ssize_t smk_write_load(struct file *file, const char __user *buf, | |||
| 273 | if (!capable(CAP_MAC_ADMIN)) | 278 | if (!capable(CAP_MAC_ADMIN)) |
| 274 | return -EPERM; | 279 | return -EPERM; |
| 275 | 280 | ||
| 276 | if (*ppos != 0 || count != SMK_LOADLEN) | 281 | if (*ppos != 0) |
| 282 | return -EINVAL; | ||
| 283 | /* | ||
| 284 | * Minor hack for backward compatability | ||
| 285 | */ | ||
| 286 | if (count < (SMK_OLOADLEN) || count > SMK_LOADLEN) | ||
| 277 | return -EINVAL; | 287 | return -EINVAL; |
| 278 | 288 | ||
| 279 | data = kzalloc(count, GFP_KERNEL); | 289 | data = kzalloc(SMK_LOADLEN, GFP_KERNEL); |
| 280 | if (data == NULL) | 290 | if (data == NULL) |
| 281 | return -ENOMEM; | 291 | return -ENOMEM; |
| 282 | 292 | ||
| @@ -285,6 +295,12 @@ static ssize_t smk_write_load(struct file *file, const char __user *buf, | |||
| 285 | goto out; | 295 | goto out; |
| 286 | } | 296 | } |
| 287 | 297 | ||
| 298 | /* | ||
| 299 | * More on the minor hack for backward compatability | ||
| 300 | */ | ||
| 301 | if (count == (SMK_OLOADLEN)) | ||
| 302 | data[SMK_OLOADLEN] = '-'; | ||
| 303 | |||
| 288 | rule = kzalloc(sizeof(*rule), GFP_KERNEL); | 304 | rule = kzalloc(sizeof(*rule), GFP_KERNEL); |
| 289 | if (rule == NULL) { | 305 | if (rule == NULL) { |
| 290 | rc = -ENOMEM; | 306 | rc = -ENOMEM; |
| @@ -345,6 +361,17 @@ static ssize_t smk_write_load(struct file *file, const char __user *buf, | |||
| 345 | goto out_free_rule; | 361 | goto out_free_rule; |
| 346 | } | 362 | } |
| 347 | 363 | ||
| 364 | switch (data[SMK_LABELLEN + SMK_LABELLEN + 4]) { | ||
| 365 | case '-': | ||
| 366 | break; | ||
| 367 | case 't': | ||
| 368 | case 'T': | ||
| 369 | rule->smk_access |= MAY_TRANSMUTE; | ||
| 370 | break; | ||
| 371 | default: | ||
| 372 | goto out_free_rule; | ||
| 373 | } | ||
| 374 | |||
| 348 | rc = smk_set_access(rule); | 375 | rc = smk_set_access(rule); |
| 349 | 376 | ||
| 350 | if (!rc) | 377 | if (!rc) |