author | Etienne Basset <etienne.basset@numericable.fr> | 2009-03-27 17:11:01 -0400 |
committer | James Morris <jmorris@namei.org> | 2009-03-28 00:01:37 -0400 |
commit | 4303154e86597885bc3cbc178a48ccbc8213875f (patch) | |
tree | 11989bcc2ec5d9cd5a1b7952f169ec5cbd8abb8e /security/smack/smack_lsm.c | |
parent | 07feee8f812f7327a46186f7604df312c8c81962 (diff) |
smack: Add a new '-CIPSO' option to the network address label configuration
This patch adds a new special option '-CIPSO' to the Smack subsystem. When used
in the netlabel list, it means "use CIPSO networking". A use case is when your
local network speaks CIPSO and you want also to connect to the unlabeled
Internet. This patch also adds some documentation describing that. The patch
also corrects an oops when setting a '' SMACK64 xattr to a file.
Signed-off-by: Etienne Basset <etienne.basset@numericable.fr>
Signed-off-by: Paul Moore <paul.moore@hp.com>
Acked-by: Casey Schaufler <casey@schaufler-ca.com>
Signed-off-by: James Morris <jmorris@namei.org>
Diffstat (limited to 'security/smack/smack_lsm.c')
-rw-r--r-- | security/smack/smack_lsm.c | 11 |
1 files changed, 9 insertions, 2 deletions
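--- a/security/smack/smack_lsm.c
+++ b/security/smack/smack_lsm.c
@@ -609,6 +609,9 @@ static int smack_inode_setxattr(struct dentry *dentry, const char *name,
 	    strcmp(name, XATTR_NAME_SMACKIPOUT) == 0) {
 		if (!capable(CAP_MAC_ADMIN))
 			rc = -EPERM;
+		/* a label cannot be void and cannot begin with '-' */
+		if (size == 0 || (size > 0 && ((char *)value)[0] == '-'))
+			rc = -EINVAL;
 	} else
 		rc = cap_inode_setxattr(dentry, name, value, size, flags);
 
@@ -1323,8 +1326,12 @@ static char *smack_host_label(struct sockaddr_in *sip)
 	 * so we have found the most specific match
 	 */
 	if ((&snp->smk_host.sin_addr)->s_addr ==
-	    (siap->s_addr & (&snp->smk_mask)->s_addr))
+	    (siap->s_addr & (&snp->smk_mask)->s_addr)) {
+		/* we have found the special CIPSO option */
+		if (snp->smk_label == smack_cipso_option)
+			return NULL;
 		return snp->smk_label;
+	}
 
 	return NULL;
 }
@@ -1486,7 +1493,7 @@ static int smack_inode_setsecurity(struct inode *inode, const char *name,
 	struct socket *sock;
 	int rc = 0;
 
-	if (value == NULL || size > SMK_LABELLEN)
+	if (value == NULL || size > SMK_LABELLEN || size == 0)
 		return -EACCES;
 
 	sp = smk_import(value, size);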
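Review bot: In the smack_inode_setxattr hunk the `size > 0 &&` guard inside the new condition is dead, because the `size == 0 ||` alternative already short-circuits before the value dereference; `if (size == 0 || ((char *)value)[0] == '-')` expresses the same check. The new test also runs unconditionally after the CAP_MAC_ADMIN check, so when both fail the `rc = -EPERM` just set is overwritten and an unprivileged caller supplying an empty or '-'-prefixed label is told -EINVAL instead of -EPERM; writing the label check as `else if` keeps the privilege error authoritative. Note too that the same empty-label case yields -EINVAL here but -EACCES in the smack_inode_setsecurity hunk below, so the two entry points disagree on the error for one condition and it is worth picking one. The body of smack_inode_setxattr begins and continues outside the hunk.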