diff options
author | Etienne Basset <etienne.basset@numericable.fr> | 2009-03-27 17:11:01 -0400 |
---|---|---|
committer | James Morris <jmorris@namei.org> | 2009-03-28 00:01:37 -0400 |
commit | 4303154e86597885bc3cbc178a48ccbc8213875f (patch) | |
tree | 11989bcc2ec5d9cd5a1b7952f169ec5cbd8abb8e /security | |
parent | 07feee8f812f7327a46186f7604df312c8c81962 (diff) |
smack: Add a new '-CIPSO' option to the network address label configuration
This patch adds a new special option '-CIPSO' to the Smack subsystem. When used
in the netlabel list, it means "use CIPSO networking". A use case is when your
local network speaks CIPSO and you want also to connect to the unlabeled
Internet. This patch also add some documentation describing that. The patch
also corrects an oops when setting a '' SMACK64 xattr to a file.
Signed-off-by: Etienne Basset <etienne.basset@numericable.fr>
Signed-off-by: Paul Moore <paul.moore@hp.com>
Acked-by: Casey Schaufler <casey@schaufler-ca.com>
Signed-off-by: James Morris <jmorris@namei.org>
Diffstat (limited to 'security')
-rw-r--r-- | security/smack/smack.h | 3 | ||||
-rw-r--r-- | security/smack/smack_access.c | 3 | ||||
-rw-r--r-- | security/smack/smack_lsm.c | 11 | ||||
-rw-r--r-- | security/smack/smackfs.c | 38 |
4 files changed, 45 insertions, 10 deletions
diff --git a/security/smack/smack.h b/security/smack/smack.h index 5e5a3bcb599a..42ef313f9856 100644 --- a/security/smack/smack.h +++ b/security/smack/smack.h | |||
@@ -132,6 +132,8 @@ struct smack_known { | |||
132 | #define XATTR_NAME_SMACKIPIN XATTR_SECURITY_PREFIX XATTR_SMACK_IPIN | 132 | #define XATTR_NAME_SMACKIPIN XATTR_SECURITY_PREFIX XATTR_SMACK_IPIN |
133 | #define XATTR_NAME_SMACKIPOUT XATTR_SECURITY_PREFIX XATTR_SMACK_IPOUT | 133 | #define XATTR_NAME_SMACKIPOUT XATTR_SECURITY_PREFIX XATTR_SMACK_IPOUT |
134 | 134 | ||
135 | #define SMACK_CIPSO_OPTION "-CIPSO" | ||
136 | |||
135 | /* | 137 | /* |
136 | * How communications on this socket are treated. | 138 | * How communications on this socket are treated. |
137 | * Usually it's determined by the underlying netlabel code | 139 | * Usually it's determined by the underlying netlabel code |
@@ -199,6 +201,7 @@ u32 smack_to_secid(const char *); | |||
199 | extern int smack_cipso_direct; | 201 | extern int smack_cipso_direct; |
200 | extern char *smack_net_ambient; | 202 | extern char *smack_net_ambient; |
201 | extern char *smack_onlycap; | 203 | extern char *smack_onlycap; |
204 | extern const char *smack_cipso_option; | ||
202 | 205 | ||
203 | extern struct smack_known smack_known_floor; | 206 | extern struct smack_known smack_known_floor; |
204 | extern struct smack_known smack_known_hat; | 207 | extern struct smack_known smack_known_hat; |
diff --git a/security/smack/smack_access.c b/security/smack/smack_access.c index 58564195bb09..ac0a2707f6d4 100644 --- a/security/smack/smack_access.c +++ b/security/smack/smack_access.c | |||
@@ -261,6 +261,9 @@ char *smk_import(const char *string, int len) | |||
261 | { | 261 | { |
262 | struct smack_known *skp; | 262 | struct smack_known *skp; |
263 | 263 | ||
264 | /* labels cannot begin with a '-' */ | ||
265 | if (string[0] == '-') | ||
266 | return NULL; | ||
264 | skp = smk_import_entry(string, len); | 267 | skp = smk_import_entry(string, len); |
265 | if (skp == NULL) | 268 | if (skp == NULL) |
266 | return NULL; | 269 | return NULL; |
diff --git a/security/smack/smack_lsm.c b/security/smack/smack_lsm.c index 8ed502c2ad45..921514902eca 100644 --- a/security/smack/smack_lsm.c +++ b/security/smack/smack_lsm.c | |||
@@ -609,6 +609,9 @@ static int smack_inode_setxattr(struct dentry *dentry, const char *name, | |||
609 | strcmp(name, XATTR_NAME_SMACKIPOUT) == 0) { | 609 | strcmp(name, XATTR_NAME_SMACKIPOUT) == 0) { |
610 | if (!capable(CAP_MAC_ADMIN)) | 610 | if (!capable(CAP_MAC_ADMIN)) |
611 | rc = -EPERM; | 611 | rc = -EPERM; |
612 | /* a label cannot be void and cannot begin with '-' */ | ||
613 | if (size == 0 || (size > 0 && ((char *)value)[0] == '-')) | ||
614 | rc = -EINVAL; | ||
612 | } else | 615 | } else |
613 | rc = cap_inode_setxattr(dentry, name, value, size, flags); | 616 | rc = cap_inode_setxattr(dentry, name, value, size, flags); |
614 | 617 | ||
@@ -1323,8 +1326,12 @@ static char *smack_host_label(struct sockaddr_in *sip) | |||
1323 | * so we have found the most specific match | 1326 | * so we have found the most specific match |
1324 | */ | 1327 | */ |
1325 | if ((&snp->smk_host.sin_addr)->s_addr == | 1328 | if ((&snp->smk_host.sin_addr)->s_addr == |
1326 | (siap->s_addr & (&snp->smk_mask)->s_addr)) | 1329 | (siap->s_addr & (&snp->smk_mask)->s_addr)) { |
1330 | /* we have found the special CIPSO option */ | ||
1331 | if (snp->smk_label == smack_cipso_option) | ||
1332 | return NULL; | ||
1327 | return snp->smk_label; | 1333 | return snp->smk_label; |
1334 | } | ||
1328 | 1335 | ||
1329 | return NULL; | 1336 | return NULL; |
1330 | } | 1337 | } |
@@ -1486,7 +1493,7 @@ static int smack_inode_setsecurity(struct inode *inode, const char *name, | |||
1486 | struct socket *sock; | 1493 | struct socket *sock; |
1487 | int rc = 0; | 1494 | int rc = 0; |
1488 | 1495 | ||
1489 | if (value == NULL || size > SMK_LABELLEN) | 1496 | if (value == NULL || size > SMK_LABELLEN || size == 0) |
1490 | return -EACCES; | 1497 | return -EACCES; |
1491 | 1498 | ||
1492 | sp = smk_import(value, size); | 1499 | sp = smk_import(value, size); |
diff --git a/security/smack/smackfs.c b/security/smack/smackfs.c index 856c8a287523..e03a7e19c73b 100644 --- a/security/smack/smackfs.c +++ b/security/smack/smackfs.c | |||
@@ -86,6 +86,9 @@ LIST_HEAD(smack_rule_list); | |||
86 | 86 | ||
87 | static int smk_cipso_doi_value = SMACK_CIPSO_DOI_DEFAULT; | 87 | static int smk_cipso_doi_value = SMACK_CIPSO_DOI_DEFAULT; |
88 | 88 | ||
89 | const char *smack_cipso_option = SMACK_CIPSO_OPTION; | ||
90 | |||
91 | |||
89 | #define SEQ_READ_FINISHED 1 | 92 | #define SEQ_READ_FINISHED 1 |
90 | 93 | ||
91 | /* | 94 | /* |
@@ -565,6 +568,11 @@ static ssize_t smk_write_cipso(struct file *file, const char __user *buf, | |||
565 | goto unlockedout; | 568 | goto unlockedout; |
566 | } | 569 | } |
567 | 570 | ||
571 | /* labels cannot begin with a '-' */ | ||
572 | if (data[0] == '-') { | ||
573 | rc = -EINVAL; | ||
574 | goto unlockedout; | ||
575 | } | ||
568 | data[count] = '\0'; | 576 | data[count] = '\0'; |
569 | rule = data; | 577 | rule = data; |
570 | /* | 578 | /* |
@@ -808,9 +816,18 @@ static ssize_t smk_write_netlbladdr(struct file *file, const char __user *buf, | |||
808 | if (m > BEBITS) | 816 | if (m > BEBITS) |
809 | return -EINVAL; | 817 | return -EINVAL; |
810 | 818 | ||
811 | sp = smk_import(smack, 0); | 819 | /* if smack begins with '-', its an option, don't import it */ |
812 | if (sp == NULL) | 820 | if (smack[0] != '-') { |
813 | return -EINVAL; | 821 | sp = smk_import(smack, 0); |
822 | if (sp == NULL) | ||
823 | return -EINVAL; | ||
824 | } else { | ||
825 | /* check known options */ | ||
826 | if (strcmp(smack, smack_cipso_option) == 0) | ||
827 | sp = (char *)smack_cipso_option; | ||
828 | else | ||
829 | return -EINVAL; | ||
830 | } | ||
814 | 831 | ||
815 | for (temp_mask = 0; m > 0; m--) { | 832 | for (temp_mask = 0; m > 0; m--) { |
816 | temp_mask |= mask_bits; | 833 | temp_mask |= mask_bits; |
@@ -849,18 +866,23 @@ static ssize_t smk_write_netlbladdr(struct file *file, const char __user *buf, | |||
849 | smk_netlbladdr_insert(skp); | 866 | smk_netlbladdr_insert(skp); |
850 | } | 867 | } |
851 | } else { | 868 | } else { |
852 | rc = netlbl_cfg_unlbl_static_del(&init_net, NULL, | 869 | /* we delete the unlabeled entry, only if the previous label |
853 | &skp->smk_host.sin_addr, &skp->smk_mask, | 870 | * wasnt the special CIPSO option */ |
854 | PF_INET, &audit_info); | 871 | if (skp->smk_label != smack_cipso_option) |
872 | rc = netlbl_cfg_unlbl_static_del(&init_net, NULL, | ||
873 | &skp->smk_host.sin_addr, &skp->smk_mask, | ||
874 | PF_INET, &audit_info); | ||
875 | else | ||
876 | rc = 0; | ||
855 | skp->smk_label = sp; | 877 | skp->smk_label = sp; |
856 | } | 878 | } |
857 | 879 | ||
858 | /* | 880 | /* |
859 | * Now tell netlabel about the single label nature of | 881 | * Now tell netlabel about the single label nature of |
860 | * this host so that incoming packets get labeled. | 882 | * this host so that incoming packets get labeled. |
883 | * but only if we didn't get the special CIPSO option | ||
861 | */ | 884 | */ |
862 | 885 | if (rc == 0 && sp != smack_cipso_option) | |
863 | if (rc == 0) | ||
864 | rc = netlbl_cfg_unlbl_static_add(&init_net, NULL, | 886 | rc = netlbl_cfg_unlbl_static_add(&init_net, NULL, |
865 | &skp->smk_host.sin_addr, &skp->smk_mask, PF_INET, | 887 | &skp->smk_host.sin_addr, &skp->smk_mask, PF_INET, |
866 | smack_to_secid(skp->smk_label), &audit_info); | 888 | smack_to_secid(skp->smk_label), &audit_info); |