aboutsummaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorCasey Schaufler <casey@schaufler-ca.com>2008-02-23 18:24:04 -0500
committerLinus Torvalds <torvalds@woody.linux-foundation.org>2008-02-23 20:13:24 -0500
commitbcdca225bfa016100985e5fc7e51cdc1d68beaa6 (patch)
tree4af588f69c754a6380dae17b00de20b0f2f3b149
parent43627582799db317e966ecb0002c2c3c9805ec0f (diff)
Smack: update for file capabilities
Update the Smack LSM to allow the registration of the capability "module" as a secondary LSM. Integrate the new hooks required for file based capabilities. Signed-off-by: Casey Schaufler <casey@schaufler-ca.com> Cc: Serge Hallyn <serue@us.ibm.com> Cc: Stephen Smalley <sds@tycho.nsa.gov> Cc: Paul Moore <paul.moore@hp.com> Cc: James Morris <jmorris@namei.org> Signed-off-by: Andrew Morton <akpm@linux-foundation.org> Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
-rw-r--r--security/smack/smack_lsm.c87
1 files changed, 74 insertions, 13 deletions
diff --git a/security/smack/smack_lsm.c b/security/smack/smack_lsm.c
index 25cbfa3f71f4..770eb067e165 100644
--- a/security/smack/smack_lsm.c
+++ b/security/smack/smack_lsm.c
@@ -584,14 +584,20 @@ static int smack_inode_getattr(struct vfsmount *mnt, struct dentry *dentry)
584static int smack_inode_setxattr(struct dentry *dentry, char *name, 584static int smack_inode_setxattr(struct dentry *dentry, char *name,
585 void *value, size_t size, int flags) 585 void *value, size_t size, int flags)
586{ 586{
587 if (!capable(CAP_MAC_ADMIN)) { 587 int rc = 0;
588 if (strcmp(name, XATTR_NAME_SMACK) == 0 ||
589 strcmp(name, XATTR_NAME_SMACKIPIN) == 0 ||
590 strcmp(name, XATTR_NAME_SMACKIPOUT) == 0)
591 return -EPERM;
592 }
593 588
594 return smk_curacc(smk_of_inode(dentry->d_inode), MAY_WRITE); 589 if (strcmp(name, XATTR_NAME_SMACK) == 0 ||
590 strcmp(name, XATTR_NAME_SMACKIPIN) == 0 ||
591 strcmp(name, XATTR_NAME_SMACKIPOUT) == 0) {
592 if (!capable(CAP_MAC_ADMIN))
593 rc = -EPERM;
594 } else
595 rc = cap_inode_setxattr(dentry, name, value, size, flags);
596
597 if (rc == 0)
598 rc = smk_curacc(smk_of_inode(dentry->d_inode), MAY_WRITE);
599
600 return rc;
595} 601}
596 602
597/** 603/**
@@ -658,10 +664,20 @@ static int smack_inode_getxattr(struct dentry *dentry, char *name)
658 */ 664 */
659static int smack_inode_removexattr(struct dentry *dentry, char *name) 665static int smack_inode_removexattr(struct dentry *dentry, char *name)
660{ 666{
661 if (strcmp(name, XATTR_NAME_SMACK) == 0 && !capable(CAP_MAC_ADMIN)) 667 int rc = 0;
662 return -EPERM;
663 668
664 return smk_curacc(smk_of_inode(dentry->d_inode), MAY_WRITE); 669 if (strcmp(name, XATTR_NAME_SMACK) == 0 ||
670 strcmp(name, XATTR_NAME_SMACKIPIN) == 0 ||
671 strcmp(name, XATTR_NAME_SMACKIPOUT) == 0) {
672 if (!capable(CAP_MAC_ADMIN))
673 rc = -EPERM;
674 } else
675 rc = cap_inode_removexattr(dentry, name);
676
677 if (rc == 0)
678 rc = smk_curacc(smk_of_inode(dentry->d_inode), MAY_WRITE);
679
680 return rc;
665} 681}
666 682
667/** 683/**
@@ -1016,7 +1032,12 @@ static void smack_task_getsecid(struct task_struct *p, u32 *secid)
1016 */ 1032 */
1017static int smack_task_setnice(struct task_struct *p, int nice) 1033static int smack_task_setnice(struct task_struct *p, int nice)
1018{ 1034{
1019 return smk_curacc(p->security, MAY_WRITE); 1035 int rc;
1036
1037 rc = cap_task_setnice(p, nice);
1038 if (rc == 0)
1039 rc = smk_curacc(p->security, MAY_WRITE);
1040 return rc;
1020} 1041}
1021 1042
1022/** 1043/**
@@ -1028,7 +1049,12 @@ static int smack_task_setnice(struct task_struct *p, int nice)
1028 */ 1049 */
1029static int smack_task_setioprio(struct task_struct *p, int ioprio) 1050static int smack_task_setioprio(struct task_struct *p, int ioprio)
1030{ 1051{
1031 return smk_curacc(p->security, MAY_WRITE); 1052 int rc;
1053
1054 rc = cap_task_setioprio(p, ioprio);
1055 if (rc == 0)
1056 rc = smk_curacc(p->security, MAY_WRITE);
1057 return rc;
1032} 1058}
1033 1059
1034/** 1060/**
@@ -1053,7 +1079,12 @@ static int smack_task_getioprio(struct task_struct *p)
1053static int smack_task_setscheduler(struct task_struct *p, int policy, 1079static int smack_task_setscheduler(struct task_struct *p, int policy,
1054 struct sched_param *lp) 1080 struct sched_param *lp)
1055{ 1081{
1056 return smk_curacc(p->security, MAY_WRITE); 1082 int rc;
1083
1084 rc = cap_task_setscheduler(p, policy, lp);
1085 if (rc == 0)
1086 rc = smk_curacc(p->security, MAY_WRITE);
1087 return rc;
1057} 1088}
1058 1089
1059/** 1090/**
@@ -1093,6 +1124,11 @@ static int smack_task_movememory(struct task_struct *p)
1093static int smack_task_kill(struct task_struct *p, struct siginfo *info, 1124static int smack_task_kill(struct task_struct *p, struct siginfo *info,
1094 int sig, u32 secid) 1125 int sig, u32 secid)
1095{ 1126{
1127 int rc;
1128
1129 rc = cap_task_kill(p, info, sig, secid);
1130 if (rc != 0)
1131 return rc;
1096 /* 1132 /*
1097 * Special cases where signals really ought to go through 1133 * Special cases where signals really ought to go through
1098 * in spite of policy. Stephen Smalley suggests it may 1134 * in spite of policy. Stephen Smalley suggests it may
@@ -1778,6 +1814,27 @@ static int smack_ipc_permission(struct kern_ipc_perm *ipp, short flag)
1778 return smk_curacc(isp, may); 1814 return smk_curacc(isp, may);
1779} 1815}
1780 1816
1817/* module stacking operations */
1818
1819/**
1820 * smack_register_security - stack capability module
1821 * @name: module name
1822 * @ops: module operations - ignored
1823 *
1824 * Allow the capability module to register.
1825 */
1826static int smack_register_security(const char *name,
1827 struct security_operations *ops)
1828{
1829 if (strcmp(name, "capability") != 0)
1830 return -EINVAL;
1831
1832 printk(KERN_INFO "%s: Registering secondary module %s\n",
1833 __func__, name);
1834
1835 return 0;
1836}
1837
1781/** 1838/**
1782 * smack_d_instantiate - Make sure the blob is correct on an inode 1839 * smack_d_instantiate - Make sure the blob is correct on an inode
1783 * @opt_dentry: unused 1840 * @opt_dentry: unused
@@ -2412,6 +2469,8 @@ static struct security_operations smack_ops = {
2412 .inode_post_setxattr = smack_inode_post_setxattr, 2469 .inode_post_setxattr = smack_inode_post_setxattr,
2413 .inode_getxattr = smack_inode_getxattr, 2470 .inode_getxattr = smack_inode_getxattr,
2414 .inode_removexattr = smack_inode_removexattr, 2471 .inode_removexattr = smack_inode_removexattr,
2472 .inode_need_killpriv = cap_inode_need_killpriv,
2473 .inode_killpriv = cap_inode_killpriv,
2415 .inode_getsecurity = smack_inode_getsecurity, 2474 .inode_getsecurity = smack_inode_getsecurity,
2416 .inode_setsecurity = smack_inode_setsecurity, 2475 .inode_setsecurity = smack_inode_setsecurity,
2417 .inode_listsecurity = smack_inode_listsecurity, 2476 .inode_listsecurity = smack_inode_listsecurity,
@@ -2471,6 +2530,8 @@ static struct security_operations smack_ops = {
2471 .netlink_send = cap_netlink_send, 2530 .netlink_send = cap_netlink_send,
2472 .netlink_recv = cap_netlink_recv, 2531 .netlink_recv = cap_netlink_recv,
2473 2532
2533 .register_security = smack_register_security,
2534
2474 .d_instantiate = smack_d_instantiate, 2535 .d_instantiate = smack_d_instantiate,
2475 2536
2476 .getprocattr = smack_getprocattr, 2537 .getprocattr = smack_getprocattr,