aboutsummaryrefslogtreecommitdiffstats
path: root/security/smack
diff options
context:
space:
mode:
Diffstat (limited to 'security/smack')
-rw-r--r--security/smack/smack_lsm.c82
1 files changed, 47 insertions, 35 deletions
diff --git a/security/smack/smack_lsm.c b/security/smack/smack_lsm.c
index 11167fd567b..e952b397153 100644
--- a/security/smack/smack_lsm.c
+++ b/security/smack/smack_lsm.c
@@ -104,8 +104,7 @@ static int smack_ptrace_may_access(struct task_struct *ctp, unsigned int mode)
104 if (rc != 0) 104 if (rc != 0)
105 return rc; 105 return rc;
106 106
107 rc = smk_access(current->cred->security, ctp->cred->security, 107 rc = smk_access(current_security(), task_security(ctp), MAY_READWRITE);
108 MAY_READWRITE);
109 if (rc != 0 && capable(CAP_MAC_OVERRIDE)) 108 if (rc != 0 && capable(CAP_MAC_OVERRIDE))
110 return 0; 109 return 0;
111 return rc; 110 return rc;
@@ -127,8 +126,7 @@ static int smack_ptrace_traceme(struct task_struct *ptp)
127 if (rc != 0) 126 if (rc != 0)
128 return rc; 127 return rc;
129 128
130 rc = smk_access(ptp->cred->security, current->cred->security, 129 rc = smk_access(task_security(ptp), current_security(), MAY_READWRITE);
131 MAY_READWRITE);
132 if (rc != 0 && has_capability(ptp, CAP_MAC_OVERRIDE)) 130 if (rc != 0 && has_capability(ptp, CAP_MAC_OVERRIDE))
133 return 0; 131 return 0;
134 return rc; 132 return rc;
@@ -977,22 +975,6 @@ static int smack_file_receive(struct file *file)
977 */ 975 */
978 976
979/** 977/**
980 * smack_cred_alloc_security - "allocate" a task cred blob
981 * @cred: the task creds in need of a blob
982 *
983 * Smack isn't using copies of blobs. Everyone
984 * points to an immutable list. No alloc required.
985 * No data copy required.
986 *
987 * Always returns 0
988 */
989static int smack_cred_alloc_security(struct cred *cred)
990{
991 cred->security = current_security();
992 return 0;
993}
994
995/**
996 * smack_cred_free - "free" task-level security credentials 978 * smack_cred_free - "free" task-level security credentials
997 * @cred: the credentials in question 979 * @cred: the credentials in question
998 * 980 *
@@ -1006,6 +988,30 @@ static void smack_cred_free(struct cred *cred)
1006} 988}
1007 989
1008/** 990/**
991 * smack_cred_prepare - prepare new set of credentials for modification
992 * @new: the new credentials
993 * @old: the original credentials
994 * @gfp: the atomicity of any memory allocations
995 *
996 * Prepare a new set of credentials for modification.
997 */
998static int smack_cred_prepare(struct cred *new, const struct cred *old,
999 gfp_t gfp)
1000{
1001 new->security = old->security;
1002 return 0;
1003}
1004
1005/*
1006 * commit new credentials
1007 * @new: the new credentials
1008 * @old: the original credentials
1009 */
1010static void smack_cred_commit(struct cred *new, const struct cred *old)
1011{
1012}
1013
1014/**
1009 * smack_task_setpgid - Smack check on setting pgid 1015 * smack_task_setpgid - Smack check on setting pgid
1010 * @p: the task object 1016 * @p: the task object
1011 * @pgid: unused 1017 * @pgid: unused
@@ -2036,6 +2042,7 @@ static int smack_getprocattr(struct task_struct *p, char *name, char **value)
2036static int smack_setprocattr(struct task_struct *p, char *name, 2042static int smack_setprocattr(struct task_struct *p, char *name,
2037 void *value, size_t size) 2043 void *value, size_t size)
2038{ 2044{
2045 struct cred *new;
2039 char *newsmack; 2046 char *newsmack;
2040 2047
2041 /* 2048 /*
@@ -2058,7 +2065,11 @@ static int smack_setprocattr(struct task_struct *p, char *name,
2058 if (newsmack == NULL) 2065 if (newsmack == NULL)
2059 return -EINVAL; 2066 return -EINVAL;
2060 2067
2061 p->cred->security = newsmack; 2068 new = prepare_creds();
2069 if (!new)
2070 return -ENOMEM;
2071 new->security = newsmack;
2072 commit_creds(new);
2062 return size; 2073 return size;
2063} 2074}
2064 2075
@@ -2354,17 +2365,17 @@ static int smack_inet_conn_request(struct sock *sk, struct sk_buff *skb,
2354/** 2365/**
2355 * smack_key_alloc - Set the key security blob 2366 * smack_key_alloc - Set the key security blob
2356 * @key: object 2367 * @key: object
2357 * @tsk: the task associated with the key 2368 * @cred: the credentials to use
2358 * @flags: unused 2369 * @flags: unused
2359 * 2370 *
2360 * No allocation required 2371 * No allocation required
2361 * 2372 *
2362 * Returns 0 2373 * Returns 0
2363 */ 2374 */
2364static int smack_key_alloc(struct key *key, struct task_struct *tsk, 2375static int smack_key_alloc(struct key *key, const struct cred *cred,
2365 unsigned long flags) 2376 unsigned long flags)
2366{ 2377{
2367 key->security = tsk->cred->security; 2378 key->security = cred->security;
2368 return 0; 2379 return 0;
2369} 2380}
2370 2381
@@ -2382,14 +2393,14 @@ static void smack_key_free(struct key *key)
2382/* 2393/*
2383 * smack_key_permission - Smack access on a key 2394 * smack_key_permission - Smack access on a key
2384 * @key_ref: gets to the object 2395 * @key_ref: gets to the object
2385 * @context: task involved 2396 * @cred: the credentials to use
2386 * @perm: unused 2397 * @perm: unused
2387 * 2398 *
2388 * Return 0 if the task has read and write to the object, 2399 * Return 0 if the task has read and write to the object,
2389 * an error code otherwise 2400 * an error code otherwise
2390 */ 2401 */
2391static int smack_key_permission(key_ref_t key_ref, 2402static int smack_key_permission(key_ref_t key_ref,
2392 struct task_struct *context, key_perm_t perm) 2403 const struct cred *cred, key_perm_t perm)
2393{ 2404{
2394 struct key *keyp; 2405 struct key *keyp;
2395 2406
@@ -2405,11 +2416,10 @@ static int smack_key_permission(key_ref_t key_ref,
2405 /* 2416 /*
2406 * This should not occur 2417 * This should not occur
2407 */ 2418 */
2408 if (context->cred->security == NULL) 2419 if (cred->security == NULL)
2409 return -EACCES; 2420 return -EACCES;
2410 2421
2411 return smk_access(context->cred->security, keyp->security, 2422 return smk_access(cred->security, keyp->security, MAY_READWRITE);
2412 MAY_READWRITE);
2413} 2423}
2414#endif /* CONFIG_KEYS */ 2424#endif /* CONFIG_KEYS */
2415 2425
@@ -2580,8 +2590,7 @@ struct security_operations smack_ops = {
2580 .ptrace_may_access = smack_ptrace_may_access, 2590 .ptrace_may_access = smack_ptrace_may_access,
2581 .ptrace_traceme = smack_ptrace_traceme, 2591 .ptrace_traceme = smack_ptrace_traceme,
2582 .capget = cap_capget, 2592 .capget = cap_capget,
2583 .capset_check = cap_capset_check, 2593 .capset = cap_capset,
2584 .capset_set = cap_capset_set,
2585 .capable = cap_capable, 2594 .capable = cap_capable,
2586 .syslog = smack_syslog, 2595 .syslog = smack_syslog,
2587 .settime = cap_settime, 2596 .settime = cap_settime,
@@ -2630,9 +2639,10 @@ struct security_operations smack_ops = {
2630 .file_send_sigiotask = smack_file_send_sigiotask, 2639 .file_send_sigiotask = smack_file_send_sigiotask,
2631 .file_receive = smack_file_receive, 2640 .file_receive = smack_file_receive,
2632 2641
2633 .cred_alloc_security = smack_cred_alloc_security,
2634 .cred_free = smack_cred_free, 2642 .cred_free = smack_cred_free,
2635 .task_post_setuid = cap_task_post_setuid, 2643 .cred_prepare = smack_cred_prepare,
2644 .cred_commit = smack_cred_commit,
2645 .task_fix_setuid = cap_task_fix_setuid,
2636 .task_setpgid = smack_task_setpgid, 2646 .task_setpgid = smack_task_setpgid,
2637 .task_getpgid = smack_task_getpgid, 2647 .task_getpgid = smack_task_getpgid,
2638 .task_getsid = smack_task_getsid, 2648 .task_getsid = smack_task_getsid,
@@ -2645,7 +2655,6 @@ struct security_operations smack_ops = {
2645 .task_movememory = smack_task_movememory, 2655 .task_movememory = smack_task_movememory,
2646 .task_kill = smack_task_kill, 2656 .task_kill = smack_task_kill,
2647 .task_wait = smack_task_wait, 2657 .task_wait = smack_task_wait,
2648 .task_reparent_to_init = cap_task_reparent_to_init,
2649 .task_to_inode = smack_task_to_inode, 2658 .task_to_inode = smack_task_to_inode,
2650 .task_prctl = cap_task_prctl, 2659 .task_prctl = cap_task_prctl,
2651 2660
@@ -2721,6 +2730,8 @@ struct security_operations smack_ops = {
2721 */ 2730 */
2722static __init int smack_init(void) 2731static __init int smack_init(void)
2723{ 2732{
2733 struct cred *cred;
2734
2724 if (!security_module_enable(&smack_ops)) 2735 if (!security_module_enable(&smack_ops))
2725 return 0; 2736 return 0;
2726 2737
@@ -2729,7 +2740,8 @@ static __init int smack_init(void)
2729 /* 2740 /*
2730 * Set the security state for the initial task. 2741 * Set the security state for the initial task.
2731 */ 2742 */
2732 current->cred->security = &smack_known_floor.smk_known; 2743 cred = (struct cred *) current->cred;
2744 cred->security = &smack_known_floor.smk_known;
2733 2745
2734 /* 2746 /*
2735 * Initialize locks 2747 * Initialize locks