diff options
| author | Jarkko Sakkinen <jarkko.sakkinen@linux.intel.com> | 2013-11-28 12:16:46 -0500 |
|---|---|---|
| committer | Casey Schaufler <casey@schaufler-ca.com> | 2013-12-11 13:48:55 -0500 |
| commit | 398ce073700a2a3e86b5a0b1edecdddfa3996b27 (patch) | |
| tree | 81ebb8780ddfdd38590e1f5ba578a0aa087181b1 /security | |
| parent | 217091dd7a7a1bdac027ddb7c5a25f6ac0b8e241 (diff) | |
smack: fix: allow either entry be missing on access/access2 check (v2)
This is a regression caused by f7112e6c. When either subject or
object is not found the answer for access should be no. This
patch fixes the situation. '0' is written back instead of failing
with -EINVAL.
v2: cosmetic style fixes
Signed-off-by: Jarkko Sakkinen <jarkko.sakkinen@linux.intel.com>
Diffstat (limited to 'security')
| -rw-r--r-- | security/smack/smackfs.c | 29 |
1 files changed, 15 insertions, 14 deletions
diff --git a/security/smack/smackfs.c b/security/smack/smackfs.c index 160aa08e3cd5..1c89ade186b6 100644 --- a/security/smack/smackfs.c +++ b/security/smack/smackfs.c | |||
| @@ -301,7 +301,8 @@ static int smk_perm_from_str(const char *string) | |||
| 301 | * @import: if non-zero, import labels | 301 | * @import: if non-zero, import labels |
| 302 | * @len: label length limit | 302 | * @len: label length limit |
| 303 | * | 303 | * |
| 304 | * Returns 0 on success, -1 on failure | 304 | * Returns 0 on success, -EINVAL on failure and -ENOENT when either subject |
| 305 | * or object is missing. | ||
| 305 | */ | 306 | */ |
| 306 | static int smk_fill_rule(const char *subject, const char *object, | 307 | static int smk_fill_rule(const char *subject, const char *object, |
| 307 | const char *access1, const char *access2, | 308 | const char *access1, const char *access2, |
| @@ -314,28 +315,28 @@ static int smk_fill_rule(const char *subject, const char *object, | |||
| 314 | if (import) { | 315 | if (import) { |
| 315 | rule->smk_subject = smk_import_entry(subject, len); | 316 | rule->smk_subject = smk_import_entry(subject, len); |
| 316 | if (rule->smk_subject == NULL) | 317 | if (rule->smk_subject == NULL) |
| 317 | return -1; | 318 | return -EINVAL; |
| 318 | 319 | ||
| 319 | rule->smk_object = smk_import(object, len); | 320 | rule->smk_object = smk_import(object, len); |
| 320 | if (rule->smk_object == NULL) | 321 | if (rule->smk_object == NULL) |
| 321 | return -1; | 322 | return -EINVAL; |
| 322 | } else { | 323 | } else { |
| 323 | cp = smk_parse_smack(subject, len); | 324 | cp = smk_parse_smack(subject, len); |
| 324 | if (cp == NULL) | 325 | if (cp == NULL) |
| 325 | return -1; | 326 | return -EINVAL; |
| 326 | skp = smk_find_entry(cp); | 327 | skp = smk_find_entry(cp); |
| 327 | kfree(cp); | 328 | kfree(cp); |
| 328 | if (skp == NULL) | 329 | if (skp == NULL) |
| 329 | return -1; | 330 | return -ENOENT; |
| 330 | rule->smk_subject = skp; | 331 | rule->smk_subject = skp; |
| 331 | 332 | ||
| 332 | cp = smk_parse_smack(object, len); | 333 | cp = smk_parse_smack(object, len); |
| 333 | if (cp == NULL) | 334 | if (cp == NULL) |
| 334 | return -1; | 335 | return -EINVAL; |
| 335 | skp = smk_find_entry(cp); | 336 | skp = smk_find_entry(cp); |
| 336 | kfree(cp); | 337 | kfree(cp); |
| 337 | if (skp == NULL) | 338 | if (skp == NULL) |
| 338 | return -1; | 339 | return -ENOENT; |
| 339 | rule->smk_object = skp->smk_known; | 340 | rule->smk_object = skp->smk_known; |
| 340 | } | 341 | } |
| 341 | 342 | ||
| @@ -381,6 +382,7 @@ static ssize_t smk_parse_long_rule(char *data, struct smack_parsed_rule *rule, | |||
| 381 | { | 382 | { |
| 382 | ssize_t cnt = 0; | 383 | ssize_t cnt = 0; |
| 383 | char *tok[4]; | 384 | char *tok[4]; |
| 385 | int rc; | ||
| 384 | int i; | 386 | int i; |
| 385 | 387 | ||
| 386 | /* | 388 | /* |
| @@ -405,10 +407,8 @@ static ssize_t smk_parse_long_rule(char *data, struct smack_parsed_rule *rule, | |||
| 405 | while (i < 4) | 407 | while (i < 4) |
| 406 | tok[i++] = NULL; | 408 | tok[i++] = NULL; |
| 407 | 409 | ||
| 408 | if (smk_fill_rule(tok[0], tok[1], tok[2], tok[3], rule, import, 0)) | 410 | rc = smk_fill_rule(tok[0], tok[1], tok[2], tok[3], rule, import, 0); |
| 409 | return -1; | 411 | return rc == 0 ? cnt : rc; |
| 410 | |||
| 411 | return cnt; | ||
| 412 | } | 412 | } |
| 413 | 413 | ||
| 414 | #define SMK_FIXED24_FMT 0 /* Fixed 24byte label format */ | 414 | #define SMK_FIXED24_FMT 0 /* Fixed 24byte label format */ |
| @@ -1856,11 +1856,12 @@ static ssize_t smk_user_access(struct file *file, const char __user *buf, | |||
| 1856 | res = smk_parse_long_rule(data, &rule, 0, 3); | 1856 | res = smk_parse_long_rule(data, &rule, 0, 3); |
| 1857 | } | 1857 | } |
| 1858 | 1858 | ||
| 1859 | if (res < 0) | 1859 | if (res >= 0) |
| 1860 | res = smk_access(rule.smk_subject, rule.smk_object, | ||
| 1861 | rule.smk_access1, NULL); | ||
| 1862 | else if (res != -ENOENT) | ||
| 1860 | return -EINVAL; | 1863 | return -EINVAL; |
| 1861 | 1864 | ||
| 1862 | res = smk_access(rule.smk_subject, rule.smk_object, | ||
| 1863 | rule.smk_access1, NULL); | ||
| 1864 | data[0] = res == 0 ? '1' : '0'; | 1865 | data[0] = res == 0 ? '1' : '0'; |
| 1865 | data[1] = '\0'; | 1866 | data[1] = '\0'; |
| 1866 | 1867 | ||