authorEtienne Basset <etienne.basset@numericable.fr>2009-03-27 17:11:01 -0400
committerJames Morris <jmorris@namei.org>2009-03-28 00:01:37 -0400
commit4303154e86597885bc3cbc178a48ccbc8213875f (patch)
tree11989bcc2ec5d9cd5a1b7952f169ec5cbd8abb8e /security
parent07feee8f812f7327a46186f7604df312c8c81962 (diff)
smack: Add a new '-CIPSO' option to the network address label configuration
This patch adds a new special option '-CIPSO' to the Smack subsystem. When used in the netlabel list, it means "use CIPSO networking". A use case is when your local network speaks CIPSO and you also want to connect to the unlabeled Internet. This patch also adds some documentation describing that. The patch also corrects an oops when setting a '' SMACK64 xattr to a file. Signed-off-by: Etienne Basset <etienne.basset@numericable.fr> Signed-off-by: Paul Moore <paul.moore@hp.com> Acked-by: Casey Schaufler <casey@schaufler-ca.com> Signed-off-by: James Morris <jmorris@namei.org>
Diffstat (limited to 'security')
-rw-r--r--security/smack/smack.h3
-rw-r--r--security/smack/smack_access.c3
-rw-r--r--security/smack/smack_lsm.c11
-rw-r--r--security/smack/smackfs.c38
4 files changed, 45 insertions, 10 deletions
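diff --git a/security/smack/smack.h b/security/smack/smack.h
index 5e5a3bcb599a..42ef313f9856 100644
--- a/security/smack/smack.h
+++ b/security/smack/smack.h
@@ -132,6 +132,8 @@ struct smack_known {
 #define XATTR_NAME_SMACKIPIN XATTR_SECURITY_PREFIX XATTR_SMACK_IPIN
 #define XATTR_NAME_SMACKIPOUT XATTR_SECURITY_PREFIX XATTR_SMACK_IPOUT
 
+#define SMACK_CIPSO_OPTION "-CIPSO"
+
 /*
 * How communications on this socket are treated.
 * Usually it's determined by the underlying netlabel code
@@ -199,6 +201,7 @@ u32 smack_to_secid(const char *);
 extern int smack_cipso_direct;
 extern char *smack_net_ambient;
 extern char *smack_onlycap;
+extern const char *smack_cipso_option;
 
 extern struct smack_known smack_known_floor;
 extern struct smack_known smack_known_hat;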
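Review bot: The new `extern const char *smack_cipso_option;` is used elsewhere in this commit as a pointer-identity sentinel (smack_host_label and smk_write_netlbladdr compare `smk_label` against it with `==`, never with strcmp), and nothing at the declaration says so; a second definition, a copied string, or a future `strcmp`-based comparison would silently change behaviour. Suggest a comment on the declaration: `/* Sentinel stored in smk_label for the "-CIPSO" netlabel option; always compare by address, never by content */`. SMACK_CIPSO_OPTION could carry a matching note that the leading '-' is what makes the label-import paths reject it as a label.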
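diff --git a/security/smack/smack_access.c b/security/smack/smack_access.c
index 58564195bb09..ac0a2707f6d4 100644
--- a/security/smack/smack_access.c
+++ b/security/smack/smack_access.c
@@ -261,6 +261,9 @@ char *smk_import(const char *string, int len)
 {
 struct smack_known *skp;
 
+/* labels cannot begin with a '-' */
+if (string[0] == '-')
+return NULL;
 skp = smk_import_entry(string, len);
 if (skp == NULL)
 return NULL;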
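Review bot: The leading-'-' rule is now spelled out as a bare literal in three places in this commit (here in smk_import, in smack_inode_setxattr, and in smk_write_cipso), and the comment at each site does not say why a '-' is special. Since the guard is placed in smk_import rather than smk_import_entry, any caller that reaches smk_import_entry directly would presumably bypass it; worth a sentence confirming that is intended. Suggest replacing the comment with `/* a leading '-' marks a netlabel option such as SMACK_CIPSO_OPTION, never a label */`, or introducing one small helper so the three checks cannot drift apart. The rest of smk_import's body is outside the hunk.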
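diff --git a/security/smack/smack_lsm.c b/security/smack/smack_lsm.c
index 8ed502c2ad45..921514902eca 100644
--- a/security/smack/smack_lsm.c
+++ b/security/smack/smack_lsm.c
@@ -609,6 +609,9 @@ static int smack_inode_setxattr(struct dentry *dentry, const char *name,
 strcmp(name, XATTR_NAME_SMACKIPOUT) == 0) {
 if (!capable(CAP_MAC_ADMIN))
 rc = -EPERM;
+/* a label cannot be void and cannot begin with '-' */
+if (size == 0 || (size > 0 && ((char *)value)[0] == '-'))
+rc = -EINVAL;
 } else
 rc = cap_inode_setxattr(dentry, name, value, size, flags);
 
@@ -1323,8 +1326,12 @@ static char *smack_host_label(struct sockaddr_in *sip)
 * so we have found the most specific match
 */
 if ((&snp->smk_host.sin_addr)->s_addr ==
-(siap->s_addr & (&snp->smk_mask)->s_addr))
+(siap->s_addr & (&snp->smk_mask)->s_addr)) {
+/* we have found the special CIPSO option */
+if (snp->smk_label == smack_cipso_option)
+return NULL;
 return snp->smk_label;
+}
 
 return NULL;
 }
@@ -1486,7 +1493,7 @@ static int smack_inode_setsecurity(struct inode *inode, const char *name,
 struct socket *sock;
 int rc = 0;
 
-if (value == NULL || size > SMK_LABELLEN)
+if (value == NULL || size > SMK_LABELLEN || size == 0)
 return -EACCES;
 
 sp = smk_import(value, size);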
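Review bot: In the smack_inode_setxattr hunk the new check `if (size == 0 || (size > 0 && ((char *)value)[0] == '-'))` carries a redundant `size > 0 &&` (already implied once `size == 0` is false), and because it runs unconditionally after the capability test it overwrites an `rc = -EPERM` with `-EINVAL`, so an unprivileged caller gets a verdict on the value rather than a permission error. Chaining it as `else if (size == 0 || ((const char *)value)[0] == '-')` keeps EPERM precedence and drops the dead clause; `const char *` also avoids the cast from a pointer that is never written through. The enclosing function continues outside the hunk in both directions.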
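diff --git a/security/smack/smackfs.c b/security/smack/smackfs.c
index 856c8a287523..e03a7e19c73b 100644
--- a/security/smack/smackfs.c
+++ b/security/smack/smackfs.c
@@ -86,6 +86,9 @@ LIST_HEAD(smack_rule_list);
 
 static int smk_cipso_doi_value = SMACK_CIPSO_DOI_DEFAULT;
 
+const char *smack_cipso_option = SMACK_CIPSO_OPTION;
+
+
 #define SEQ_READ_FINISHED 1
 
 /*
@@ -565,6 +568,11 @@ static ssize_t smk_write_cipso(struct file *file, const char __user *buf,
 goto unlockedout;
 }
 
+/* labels cannot begin with a '-' */
+if (data[0] == '-') {
+rc = -EINVAL;
+goto unlockedout;
+}
 data[count] = '\0';
 rule = data;
 /*
@@ -808,9 +816,18 @@ static ssize_t smk_write_netlbladdr(struct file *file, const char __user *buf,
 if (m > BEBITS)
 return -EINVAL;
 
-sp = smk_import(smack, 0);
-if (sp == NULL)
-return -EINVAL;
+/* if smack begins with '-', its an option, don't import it */
+if (smack[0] != '-') {
+sp = smk_import(smack, 0);
+if (sp == NULL)
+return -EINVAL;
+} else {
+/* check known options */
+if (strcmp(smack, smack_cipso_option) == 0)
+sp = (char *)smack_cipso_option;
+else
+return -EINVAL;
+}
 
 for (temp_mask = 0; m > 0; m--) {
 temp_mask |= mask_bits;
@@ -849,18 +866,23 @@ static ssize_t smk_write_netlbladdr(struct file *file, const char __user *buf,
 smk_netlbladdr_insert(skp);
 }
 } else {
-rc = netlbl_cfg_unlbl_static_del(&init_net, NULL,
-&skp->smk_host.sin_addr, &skp->smk_mask,
-PF_INET, &audit_info);
+/* we delete the unlabeled entry, only if the previous label
+* wasnt the special CIPSO option */
+if (skp->smk_label != smack_cipso_option)
+rc = netlbl_cfg_unlbl_static_del(&init_net, NULL,
+&skp->smk_host.sin_addr, &skp->smk_mask,
+PF_INET, &audit_info);
+else
+rc = 0;
 skp->smk_label = sp;
 }
 
 /*
 * Now tell netlabel about the single label nature of
 * this host so that incoming packets get labeled.
+* but only if we didn't get the special CIPSO option
 */
-
-if (rc == 0)
+if (rc == 0 && sp != smack_cipso_option)
 rc = netlbl_cfg_unlbl_static_add(&init_net, NULL,
 &skp->smk_host.sin_addr, &skp->smk_mask, PF_INET,
 smack_to_secid(skp->smk_label), &audit_info);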
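Review bot: In the smk_write_netlbladdr hunk, `sp = (char *)smack_cipso_option;` casts const away from a pointer to the "-CIPSO" string literal and then stores it in `skp->smk_label` alongside ordinary imported labels; any later write through smk_label (or a free of it) on that entry would be undefined behaviour, and the cast hides that the value is a sentinel rather than label storage. If widening `sp`/`smk_label` to `const char *` is too invasive here, at least mark the assignment: `sp = (char *)smack_cipso_option; /* sentinel: compared by address only, never written or freed */`. The `else { if (...) ... else return -EINVAL; }` block would also read more plainly as a flat `else if (strcmp(smack, smack_cipso_option) != 0) return -EINVAL; else sp = ...`. In smk_write_cipso, `data[0]` is read before `data[count] = '\0'`, which is safe only if the checks above the hunk already reject `count == 0`; that precondition is not visible here and deserves a note.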