diff options
Diffstat (limited to 'security/smack')
-rw-r--r-- | security/smack/smack_lsm.c | 82 |
1 files changed, 47 insertions, 35 deletions
diff --git a/security/smack/smack_lsm.c b/security/smack/smack_lsm.c index 11167fd567b..e952b397153 100644 --- a/security/smack/smack_lsm.c +++ b/security/smack/smack_lsm.c | |||
@@ -104,8 +104,7 @@ static int smack_ptrace_may_access(struct task_struct *ctp, unsigned int mode) | |||
104 | if (rc != 0) | 104 | if (rc != 0) |
105 | return rc; | 105 | return rc; |
106 | 106 | ||
107 | rc = smk_access(current->cred->security, ctp->cred->security, | 107 | rc = smk_access(current_security(), task_security(ctp), MAY_READWRITE); |
108 | MAY_READWRITE); | ||
109 | if (rc != 0 && capable(CAP_MAC_OVERRIDE)) | 108 | if (rc != 0 && capable(CAP_MAC_OVERRIDE)) |
110 | return 0; | 109 | return 0; |
111 | return rc; | 110 | return rc; |
@@ -127,8 +126,7 @@ static int smack_ptrace_traceme(struct task_struct *ptp) | |||
127 | if (rc != 0) | 126 | if (rc != 0) |
128 | return rc; | 127 | return rc; |
129 | 128 | ||
130 | rc = smk_access(ptp->cred->security, current->cred->security, | 129 | rc = smk_access(task_security(ptp), current_security(), MAY_READWRITE); |
131 | MAY_READWRITE); | ||
132 | if (rc != 0 && has_capability(ptp, CAP_MAC_OVERRIDE)) | 130 | if (rc != 0 && has_capability(ptp, CAP_MAC_OVERRIDE)) |
133 | return 0; | 131 | return 0; |
134 | return rc; | 132 | return rc; |
@@ -977,22 +975,6 @@ static int smack_file_receive(struct file *file) | |||
977 | */ | 975 | */ |
978 | 976 | ||
979 | /** | 977 | /** |
980 | * smack_cred_alloc_security - "allocate" a task cred blob | ||
981 | * @cred: the task creds in need of a blob | ||
982 | * | ||
983 | * Smack isn't using copies of blobs. Everyone | ||
984 | * points to an immutable list. No alloc required. | ||
985 | * No data copy required. | ||
986 | * | ||
987 | * Always returns 0 | ||
988 | */ | ||
989 | static int smack_cred_alloc_security(struct cred *cred) | ||
990 | { | ||
991 | cred->security = current_security(); | ||
992 | return 0; | ||
993 | } | ||
994 | |||
995 | /** | ||
996 | * smack_cred_free - "free" task-level security credentials | 978 | * smack_cred_free - "free" task-level security credentials |
997 | * @cred: the credentials in question | 979 | * @cred: the credentials in question |
998 | * | 980 | * |
@@ -1006,6 +988,30 @@ static void smack_cred_free(struct cred *cred) | |||
1006 | } | 988 | } |
1007 | 989 | ||
1008 | /** | 990 | /** |
991 | * smack_cred_prepare - prepare new set of credentials for modification | ||
992 | * @new: the new credentials | ||
993 | * @old: the original credentials | ||
994 | * @gfp: the atomicity of any memory allocations | ||
995 | * | ||
996 | * Prepare a new set of credentials for modification. | ||
997 | */ | ||
998 | static int smack_cred_prepare(struct cred *new, const struct cred *old, | ||
999 | gfp_t gfp) | ||
1000 | { | ||
1001 | new->security = old->security; | ||
1002 | return 0; | ||
1003 | } | ||
1004 | |||
1005 | /* | ||
1006 | * commit new credentials | ||
1007 | * @new: the new credentials | ||
1008 | * @old: the original credentials | ||
1009 | */ | ||
1010 | static void smack_cred_commit(struct cred *new, const struct cred *old) | ||
1011 | { | ||
1012 | } | ||
1013 | |||
1014 | /** | ||
1009 | * smack_task_setpgid - Smack check on setting pgid | 1015 | * smack_task_setpgid - Smack check on setting pgid |
1010 | * @p: the task object | 1016 | * @p: the task object |
1011 | * @pgid: unused | 1017 | * @pgid: unused |
@@ -2036,6 +2042,7 @@ static int smack_getprocattr(struct task_struct *p, char *name, char **value) | |||
2036 | static int smack_setprocattr(struct task_struct *p, char *name, | 2042 | static int smack_setprocattr(struct task_struct *p, char *name, |
2037 | void *value, size_t size) | 2043 | void *value, size_t size) |
2038 | { | 2044 | { |
2045 | struct cred *new; | ||
2039 | char *newsmack; | 2046 | char *newsmack; |
2040 | 2047 | ||
2041 | /* | 2048 | /* |
@@ -2058,7 +2065,11 @@ static int smack_setprocattr(struct task_struct *p, char *name, | |||
2058 | if (newsmack == NULL) | 2065 | if (newsmack == NULL) |
2059 | return -EINVAL; | 2066 | return -EINVAL; |
2060 | 2067 | ||
2061 | p->cred->security = newsmack; | 2068 | new = prepare_creds(); |
2069 | if (!new) | ||
2070 | return -ENOMEM; | ||
2071 | new->security = newsmack; | ||
2072 | commit_creds(new); | ||
2062 | return size; | 2073 | return size; |
2063 | } | 2074 | } |
2064 | 2075 | ||
@@ -2354,17 +2365,17 @@ static int smack_inet_conn_request(struct sock *sk, struct sk_buff *skb, | |||
2354 | /** | 2365 | /** |
2355 | * smack_key_alloc - Set the key security blob | 2366 | * smack_key_alloc - Set the key security blob |
2356 | * @key: object | 2367 | * @key: object |
2357 | * @tsk: the task associated with the key | 2368 | * @cred: the credentials to use |
2358 | * @flags: unused | 2369 | * @flags: unused |
2359 | * | 2370 | * |
2360 | * No allocation required | 2371 | * No allocation required |
2361 | * | 2372 | * |
2362 | * Returns 0 | 2373 | * Returns 0 |
2363 | */ | 2374 | */ |
2364 | static int smack_key_alloc(struct key *key, struct task_struct *tsk, | 2375 | static int smack_key_alloc(struct key *key, const struct cred *cred, |
2365 | unsigned long flags) | 2376 | unsigned long flags) |
2366 | { | 2377 | { |
2367 | key->security = tsk->cred->security; | 2378 | key->security = cred->security; |
2368 | return 0; | 2379 | return 0; |
2369 | } | 2380 | } |
2370 | 2381 | ||
@@ -2382,14 +2393,14 @@ static void smack_key_free(struct key *key) | |||
2382 | /* | 2393 | /* |
2383 | * smack_key_permission - Smack access on a key | 2394 | * smack_key_permission - Smack access on a key |
2384 | * @key_ref: gets to the object | 2395 | * @key_ref: gets to the object |
2385 | * @context: task involved | 2396 | * @cred: the credentials to use |
2386 | * @perm: unused | 2397 | * @perm: unused |
2387 | * | 2398 | * |
2388 | * Return 0 if the task has read and write to the object, | 2399 | * Return 0 if the task has read and write to the object, |
2389 | * an error code otherwise | 2400 | * an error code otherwise |
2390 | */ | 2401 | */ |
2391 | static int smack_key_permission(key_ref_t key_ref, | 2402 | static int smack_key_permission(key_ref_t key_ref, |
2392 | struct task_struct *context, key_perm_t perm) | 2403 | const struct cred *cred, key_perm_t perm) |
2393 | { | 2404 | { |
2394 | struct key *keyp; | 2405 | struct key *keyp; |
2395 | 2406 | ||
@@ -2405,11 +2416,10 @@ static int smack_key_permission(key_ref_t key_ref, | |||
2405 | /* | 2416 | /* |
2406 | * This should not occur | 2417 | * This should not occur |
2407 | */ | 2418 | */ |
2408 | if (context->cred->security == NULL) | 2419 | if (cred->security == NULL) |
2409 | return -EACCES; | 2420 | return -EACCES; |
2410 | 2421 | ||
2411 | return smk_access(context->cred->security, keyp->security, | 2422 | return smk_access(cred->security, keyp->security, MAY_READWRITE); |
2412 | MAY_READWRITE); | ||
2413 | } | 2423 | } |
2414 | #endif /* CONFIG_KEYS */ | 2424 | #endif /* CONFIG_KEYS */ |
2415 | 2425 | ||
@@ -2580,8 +2590,7 @@ struct security_operations smack_ops = { | |||
2580 | .ptrace_may_access = smack_ptrace_may_access, | 2590 | .ptrace_may_access = smack_ptrace_may_access, |
2581 | .ptrace_traceme = smack_ptrace_traceme, | 2591 | .ptrace_traceme = smack_ptrace_traceme, |
2582 | .capget = cap_capget, | 2592 | .capget = cap_capget, |
2583 | .capset_check = cap_capset_check, | 2593 | .capset = cap_capset, |
2584 | .capset_set = cap_capset_set, | ||
2585 | .capable = cap_capable, | 2594 | .capable = cap_capable, |
2586 | .syslog = smack_syslog, | 2595 | .syslog = smack_syslog, |
2587 | .settime = cap_settime, | 2596 | .settime = cap_settime, |
@@ -2630,9 +2639,10 @@ struct security_operations smack_ops = { | |||
2630 | .file_send_sigiotask = smack_file_send_sigiotask, | 2639 | .file_send_sigiotask = smack_file_send_sigiotask, |
2631 | .file_receive = smack_file_receive, | 2640 | .file_receive = smack_file_receive, |
2632 | 2641 | ||
2633 | .cred_alloc_security = smack_cred_alloc_security, | ||
2634 | .cred_free = smack_cred_free, | 2642 | .cred_free = smack_cred_free, |
2635 | .task_post_setuid = cap_task_post_setuid, | 2643 | .cred_prepare = smack_cred_prepare, |
2644 | .cred_commit = smack_cred_commit, | ||
2645 | .task_fix_setuid = cap_task_fix_setuid, | ||
2636 | .task_setpgid = smack_task_setpgid, | 2646 | .task_setpgid = smack_task_setpgid, |
2637 | .task_getpgid = smack_task_getpgid, | 2647 | .task_getpgid = smack_task_getpgid, |
2638 | .task_getsid = smack_task_getsid, | 2648 | .task_getsid = smack_task_getsid, |
@@ -2645,7 +2655,6 @@ struct security_operations smack_ops = { | |||
2645 | .task_movememory = smack_task_movememory, | 2655 | .task_movememory = smack_task_movememory, |
2646 | .task_kill = smack_task_kill, | 2656 | .task_kill = smack_task_kill, |
2647 | .task_wait = smack_task_wait, | 2657 | .task_wait = smack_task_wait, |
2648 | .task_reparent_to_init = cap_task_reparent_to_init, | ||
2649 | .task_to_inode = smack_task_to_inode, | 2658 | .task_to_inode = smack_task_to_inode, |
2650 | .task_prctl = cap_task_prctl, | 2659 | .task_prctl = cap_task_prctl, |
2651 | 2660 | ||
@@ -2721,6 +2730,8 @@ struct security_operations smack_ops = { | |||
2721 | */ | 2730 | */ |
2722 | static __init int smack_init(void) | 2731 | static __init int smack_init(void) |
2723 | { | 2732 | { |
2733 | struct cred *cred; | ||
2734 | |||
2724 | if (!security_module_enable(&smack_ops)) | 2735 | if (!security_module_enable(&smack_ops)) |
2725 | return 0; | 2736 | return 0; |
2726 | 2737 | ||
@@ -2729,7 +2740,8 @@ static __init int smack_init(void) | |||
2729 | /* | 2740 | /* |
2730 | * Set the security state for the initial task. | 2741 | * Set the security state for the initial task. |
2731 | */ | 2742 | */ |
2732 | current->cred->security = &smack_known_floor.smk_known; | 2743 | cred = (struct cred *) current->cred; |
2744 | cred->security = &smack_known_floor.smk_known; | ||
2733 | 2745 | ||
2734 | /* | 2746 | /* |
2735 | * Initialize locks | 2747 | * Initialize locks |