path: root/security/smack/smackfs.c
authorEtienne Basset <etienne.basset@numericable.fr>2009-03-27 17:11:01 -0400
committerJames Morris <jmorris@namei.org>2009-03-28 00:01:37 -0400
commit4303154e86597885bc3cbc178a48ccbc8213875f (patch)
tree11989bcc2ec5d9cd5a1b7952f169ec5cbd8abb8e /security/smack/smackfs.c
parent07feee8f812f7327a46186f7604df312c8c81962 (diff)
smack: Add a new '-CIPSO' option to the network address label configuration
This patch adds a new special option '-CIPSO' to the Smack subsystem. When used in the netlabel list, it means "use CIPSO networking". A use case is when your local network speaks CIPSO and you also want to connect to the unlabeled Internet. This patch also adds some documentation describing that. The patch also corrects an oops when setting a '' SMACK64 xattr to a file. Signed-off-by: Etienne Basset <etienne.basset@numericable.fr> Signed-off-by: Paul Moore <paul.moore@hp.com> Acked-by: Casey Schaufler <casey@schaufler-ca.com> Signed-off-by: James Morris <jmorris@namei.org>
Diffstat (limited to 'security/smack/smackfs.c')
-rw-r--r--security/smack/smackfs.c38
1 files changed, 30 insertions, 8 deletions
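--- a/security/smack/smackfs.c
+++ b/security/smack/smackfs.c
@@ -86,6 +86,9 @@ LIST_HEAD(smack_rule_list);
 
 static int smk_cipso_doi_value = SMACK_CIPSO_DOI_DEFAULT;
 
+const char *smack_cipso_option = SMACK_CIPSO_OPTION;
+
+
 #define SEQ_READ_FINISHED 1
 
 /*
@@ -565,6 +568,11 @@ static ssize_t smk_write_cipso(struct file *file, const char __user *buf,
 		goto unlockedout;
 	}
 
+	/* labels cannot begin with a '-' */
+	if (data[0] == '-') {
+		rc = -EINVAL;
+		goto unlockedout;
+	}
 	data[count] = '\0';
 	rule = data;
 	/*
@@ -808,9 +816,18 @@ static ssize_t smk_write_netlbladdr(struct file *file, const char __user *buf,
 	if (m > BEBITS)
 		return -EINVAL;
 
-	sp = smk_import(smack, 0);
-	if (sp == NULL)
-		return -EINVAL;
+	/* if smack begins with '-', its an option, don't import it */
+	if (smack[0] != '-') {
+		sp = smk_import(smack, 0);
+		if (sp == NULL)
+			return -EINVAL;
+	} else {
+		/* check known options */
+		if (strcmp(smack, smack_cipso_option) == 0)
+			sp = (char *)smack_cipso_option;
+		else
+			return -EINVAL;
+	}
 
 	for (temp_mask = 0; m > 0; m--) {
 		temp_mask |= mask_bits;
@@ -849,18 +866,23 @@ static ssize_t smk_write_netlbladdr(struct file *file, const char __user *buf,
 			smk_netlbladdr_insert(skp);
 		}
 	} else {
-		rc = netlbl_cfg_unlbl_static_del(&init_net, NULL,
-			&skp->smk_host.sin_addr, &skp->smk_mask,
-			PF_INET, &audit_info);
+		/* we delete the unlabeled entry, only if the previous label
+		 * wasnt the special CIPSO option */
+		if (skp->smk_label != smack_cipso_option)
+			rc = netlbl_cfg_unlbl_static_del(&init_net, NULL,
+				&skp->smk_host.sin_addr, &skp->smk_mask,
+				PF_INET, &audit_info);
+		else
+			rc = 0;
 		skp->smk_label = sp;
 	}
 
 	/*
 	 * Now tell netlabel about the single label nature of
 	 * this host so that incoming packets get labeled.
+	 * but only if we didn't get the special CIPSO option
 	 */
-
-	if (rc == 0)
+	if (rc == 0 && sp != smack_cipso_option)
 		rc = netlbl_cfg_unlbl_static_add(&init_net, NULL,
 			&skp->smk_host.sin_addr, &skp->smk_mask, PF_INET,
 			smack_to_secid(skp->smk_label), &audit_info);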
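Review bot: The sentinel tests at new lines 871 and 885 (`skp->smk_label != smack_cipso_option`, `sp != smack_cipso_option`) work by pointer identity, and that only holds because line 827 stores the global itself and line 820 keeps a user-written `-CIPSO` string out of smk_import(); nothing on the page states that invariant, so a later label path that imports such a string would silently break both checks. State it where the pointer is declared in the first hunk, e.g. `/* Sentinel label meaning "use CIPSO": kept out of the label list and compared by pointer (==), never by strcmp(). */`. The `(char *)` cast on line 827 exists only so the pointer fits `smk_label`'s type; a short comment such as `/* const dropped for smk_label's type; the string is never written through it */` would stop a reader from treating it as writable. The comment at lines 869-870 should read `wasn't`. smk_write_netlbladdr begins and ends outside this hunk.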