aboutsummaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
Diffstat
-rw-r--r--security/smack/smack.h34
-rw-r--r--security/smack/smack_access.c94
-rw-r--r--security/smack/smack_lsm.c299
-rw-r--r--security/smack/smackfs.c61
4 files changed, 233 insertions, 255 deletions
diff --git a/security/smack/smack.h b/security/smack/smack.h
index 2d13d5fb17ed..b828a379377c 100644
--- a/security/smack/smack.h
+++ b/security/smack/smack.h
@@ -71,11 +71,11 @@ struct smack_known {
71#define SMK_CIPSOLEN 24 71#define SMK_CIPSOLEN 24
72 72
73struct superblock_smack { 73struct superblock_smack {
74 char *smk_root; 74 struct smack_known *smk_root;
75 char *smk_floor; 75 struct smack_known *smk_floor;
76 char *smk_hat; 76 struct smack_known *smk_hat;
77 char *smk_default; 77 struct smack_known *smk_default;
78 int smk_initialized; 78 int smk_initialized;
79}; 79};
80 80
81struct socket_smack { 81struct socket_smack {
@@ -88,7 +88,7 @@ struct socket_smack {
88 * Inode smack data 88 * Inode smack data
89 */ 89 */
90struct inode_smack { 90struct inode_smack {
91 char *smk_inode; /* label of the fso */ 91 struct smack_known *smk_inode; /* label of the fso */
92 struct smack_known *smk_task; /* label of the task */ 92 struct smack_known *smk_task; /* label of the task */
93 struct smack_known *smk_mmap; /* label of the mmap domain */ 93 struct smack_known *smk_mmap; /* label of the mmap domain */
94 struct mutex smk_lock; /* initialization lock */ 94 struct mutex smk_lock; /* initialization lock */
@@ -112,7 +112,7 @@ struct task_smack {
112struct smack_rule { 112struct smack_rule {
113 struct list_head list; 113 struct list_head list;
114 struct smack_known *smk_subject; 114 struct smack_known *smk_subject;
115 char *smk_object; 115 struct smack_known *smk_object;
116 int smk_access; 116 int smk_access;
117}; 117};
118 118
@@ -123,7 +123,7 @@ struct smk_netlbladdr {
123 struct list_head list; 123 struct list_head list;
124 struct sockaddr_in smk_host; /* network address */ 124 struct sockaddr_in smk_host; /* network address */
125 struct in_addr smk_mask; /* network mask */ 125 struct in_addr smk_mask; /* network mask */
126 char *smk_label; /* label */ 126 struct smack_known *smk_label; /* label */
127}; 127};
128 128
129/* 129/*
@@ -227,23 +227,23 @@ struct smk_audit_info {
227/* 227/*
228 * These functions are in smack_lsm.c 228 * These functions are in smack_lsm.c
229 */ 229 */
230struct inode_smack *new_inode_smack(char *); 230struct inode_smack *new_inode_smack(struct smack_known *);
231 231
232/* 232/*
233 * These functions are in smack_access.c 233 * These functions are in smack_access.c
234 */ 234 */
235int smk_access_entry(char *, char *, struct list_head *); 235int smk_access_entry(char *, char *, struct list_head *);
236int smk_access(struct smack_known *, char *, int, struct smk_audit_info *); 236int smk_access(struct smack_known *, struct smack_known *,
237int smk_tskacc(struct task_smack *, char *, u32, struct smk_audit_info *); 237 int, struct smk_audit_info *);
238int smk_curacc(char *, u32, struct smk_audit_info *); 238int smk_tskacc(struct task_smack *, struct smack_known *,
239 u32, struct smk_audit_info *);
240int smk_curacc(struct smack_known *, u32, struct smk_audit_info *);
239struct smack_known *smack_from_secid(const u32); 241struct smack_known *smack_from_secid(const u32);
240char *smk_parse_smack(const char *string, int len); 242char *smk_parse_smack(const char *string, int len);
241int smk_netlbl_mls(int, char *, struct netlbl_lsm_secattr *, int); 243int smk_netlbl_mls(int, char *, struct netlbl_lsm_secattr *, int);
242char *smk_import(const char *, int);
243struct smack_known *smk_import_entry(const char *, int); 244struct smack_known *smk_import_entry(const char *, int);
244void smk_insert_entry(struct smack_known *skp); 245void smk_insert_entry(struct smack_known *skp);
245struct smack_known *smk_find_entry(const char *); 246struct smack_known *smk_find_entry(const char *);
246u32 smack_to_secid(const char *);
247 247
248/* 248/*
249 * Shared data. 249 * Shared data.
@@ -253,7 +253,7 @@ extern int smack_cipso_mapped;
253extern struct smack_known *smack_net_ambient; 253extern struct smack_known *smack_net_ambient;
254extern struct smack_known *smack_onlycap; 254extern struct smack_known *smack_onlycap;
255extern struct smack_known *smack_syslog_label; 255extern struct smack_known *smack_syslog_label;
256extern const char *smack_cipso_option; 256extern struct smack_known smack_cipso_option;
257extern int smack_ptrace_rule; 257extern int smack_ptrace_rule;
258 258
259extern struct smack_known smack_known_floor; 259extern struct smack_known smack_known_floor;
@@ -282,9 +282,9 @@ static inline int smk_inode_transmutable(const struct inode *isp)
282} 282}
283 283
284/* 284/*
285 * Present a pointer to the smack label in an inode blob. 285 * Present a pointer to the smack label entry in an inode blob.
286 */ 286 */
287static inline char *smk_of_inode(const struct inode *isp) 287static inline struct smack_known *smk_of_inode(const struct inode *isp)
288{ 288{
289 struct inode_smack *sip = isp->i_security; 289 struct inode_smack *sip = isp->i_security;
290 return sip->smk_inode; 290 return sip->smk_inode;
diff --git a/security/smack/smack_access.c b/security/smack/smack_access.c
index 9f02cb0ac85e..5b970ffde024 100644
--- a/security/smack/smack_access.c
+++ b/security/smack/smack_access.c
@@ -94,7 +94,7 @@ int smk_access_entry(char *subject_label, char *object_label,
94 struct smack_rule *srp; 94 struct smack_rule *srp;
95 95
96 list_for_each_entry_rcu(srp, rule_list, list) { 96 list_for_each_entry_rcu(srp, rule_list, list) {
97 if (srp->smk_object == object_label && 97 if (srp->smk_object->smk_known == object_label &&
98 srp->smk_subject->smk_known == subject_label) { 98 srp->smk_subject->smk_known == subject_label) {
99 may = srp->smk_access; 99 may = srp->smk_access;
100 break; 100 break;
@@ -111,8 +111,8 @@ int smk_access_entry(char *subject_label, char *object_label,
111 111
112/** 112/**
113 * smk_access - determine if a subject has a specific access to an object 113 * smk_access - determine if a subject has a specific access to an object
114 * @subject_known: a pointer to the subject's Smack label entry 114 * @subject: a pointer to the subject's Smack label entry
115 * @object_label: a pointer to the object's Smack label 115 * @object: a pointer to the object's Smack label entry
116 * @request: the access requested, in "MAY" format 116 * @request: the access requested, in "MAY" format
117 * @a : a pointer to the audit data 117 * @a : a pointer to the audit data
118 * 118 *
@@ -122,8 +122,8 @@ int smk_access_entry(char *subject_label, char *object_label,
122 * 122 *
123 * Smack labels are shared on smack_list 123 * Smack labels are shared on smack_list
124 */ 124 */
125int smk_access(struct smack_known *subject_known, char *object_label, 125int smk_access(struct smack_known *subject, struct smack_known *object,
126 int request, struct smk_audit_info *a) 126 int request, struct smk_audit_info *a)
127{ 127{
128 int may = MAY_NOT; 128 int may = MAY_NOT;
129 int rc = 0; 129 int rc = 0;
@@ -133,7 +133,7 @@ int smk_access(struct smack_known *subject_known, char *object_label,
133 * 133 *
134 * A star subject can't access any object. 134 * A star subject can't access any object.
135 */ 135 */
136 if (subject_known == &smack_known_star) { 136 if (subject == &smack_known_star) {
137 rc = -EACCES; 137 rc = -EACCES;
138 goto out_audit; 138 goto out_audit;
139 } 139 }
@@ -142,28 +142,28 @@ int smk_access(struct smack_known *subject_known, char *object_label,
142 * Tasks cannot be assigned the internet label. 142 * Tasks cannot be assigned the internet label.
143 * An internet subject can access any object. 143 * An internet subject can access any object.
144 */ 144 */
145 if (object_label == smack_known_web.smk_known || 145 if (object == &smack_known_web ||
146 subject_known == &smack_known_web) 146 subject == &smack_known_web)
147 goto out_audit; 147 goto out_audit;
148 /* 148 /*
149 * A star object can be accessed by any subject. 149 * A star object can be accessed by any subject.
150 */ 150 */
151 if (object_label == smack_known_star.smk_known) 151 if (object == &smack_known_star)
152 goto out_audit; 152 goto out_audit;
153 /* 153 /*
154 * An object can be accessed in any way by a subject 154 * An object can be accessed in any way by a subject
155 * with the same label. 155 * with the same label.
156 */ 156 */
157 if (subject_known->smk_known == object_label) 157 if (subject->smk_known == object->smk_known)
158 goto out_audit; 158 goto out_audit;
159 /* 159 /*
160 * A hat subject can read any object. 160 * A hat subject can read any object.
161 * A floor object can be read by any subject. 161 * A floor object can be read by any subject.
162 */ 162 */
163 if ((request & MAY_ANYREAD) == request) { 163 if ((request & MAY_ANYREAD) == request) {
164 if (object_label == smack_known_floor.smk_known) 164 if (object == &smack_known_floor)
165 goto out_audit; 165 goto out_audit;
166 if (subject_known == &smack_known_hat) 166 if (subject == &smack_known_hat)
167 goto out_audit; 167 goto out_audit;
168 } 168 }
169 /* 169 /*
@@ -174,8 +174,8 @@ int smk_access(struct smack_known *subject_known, char *object_label,
174 * indicates there is no entry for this pair. 174 * indicates there is no entry for this pair.
175 */ 175 */
176 rcu_read_lock(); 176 rcu_read_lock();
177 may = smk_access_entry(subject_known->smk_known, object_label, 177 may = smk_access_entry(subject->smk_known, object->smk_known,
178 &subject_known->smk_rules); 178 &subject->smk_rules);
179 rcu_read_unlock(); 179 rcu_read_unlock();
180 180
181 if (may <= 0 || (request & may) != request) { 181 if (may <= 0 || (request & may) != request) {
@@ -195,8 +195,8 @@ int smk_access(struct smack_known *subject_known, char *object_label,
195out_audit: 195out_audit:
196#ifdef CONFIG_AUDIT 196#ifdef CONFIG_AUDIT
197 if (a) 197 if (a)
198 smack_log(subject_known->smk_known, object_label, request, 198 smack_log(subject->smk_known, object->smk_known,
199 rc, a); 199 request, rc, a);
200#endif 200#endif
201 201
202 return rc; 202 return rc;
@@ -204,8 +204,8 @@ out_audit:
204 204
205/** 205/**
206 * smk_tskacc - determine if a task has a specific access to an object 206 * smk_tskacc - determine if a task has a specific access to an object
207 * @tsp: a pointer to the subject task 207 * @tsp: a pointer to the subject's task
208 * @obj_label: a pointer to the object's Smack label 208 * @obj_known: a pointer to the object's label entry
209 * @mode: the access requested, in "MAY" format 209 * @mode: the access requested, in "MAY" format
210 * @a : common audit data 210 * @a : common audit data
211 * 211 *
@@ -214,24 +214,25 @@ out_audit:
214 * non zero otherwise. It allows that the task may have the capability 214 * non zero otherwise. It allows that the task may have the capability
215 * to override the rules. 215 * to override the rules.
216 */ 216 */
217int smk_tskacc(struct task_smack *subject, char *obj_label, 217int smk_tskacc(struct task_smack *tsp, struct smack_known *obj_known,
218 u32 mode, struct smk_audit_info *a) 218 u32 mode, struct smk_audit_info *a)
219{ 219{
220 struct smack_known *skp = smk_of_task(subject); 220 struct smack_known *sbj_known = smk_of_task(tsp);
221 int may; 221 int may;
222 int rc; 222 int rc;
223 223
224 /* 224 /*
225 * Check the global rule list 225 * Check the global rule list
226 */ 226 */
227 rc = smk_access(skp, obj_label, mode, NULL); 227 rc = smk_access(sbj_known, obj_known, mode, NULL);
228 if (rc >= 0) { 228 if (rc >= 0) {
229 /* 229 /*
230 * If there is an entry in the task's rule list 230 * If there is an entry in the task's rule list
231 * it can further restrict access. 231 * it can further restrict access.
232 */ 232 */
233 may = smk_access_entry(skp->smk_known, obj_label, 233 may = smk_access_entry(sbj_known->smk_known,
234 &subject->smk_rules); 234 obj_known->smk_known,
235 &tsp->smk_rules);
235 if (may < 0) 236 if (may < 0)
236 goto out_audit; 237 goto out_audit;
237 if ((mode & may) == mode) 238 if ((mode & may) == mode)
@@ -248,14 +249,15 @@ int smk_tskacc(struct task_smack *subject, char *obj_label,
248out_audit: 249out_audit:
249#ifdef CONFIG_AUDIT 250#ifdef CONFIG_AUDIT
250 if (a) 251 if (a)
251 smack_log(skp->smk_known, obj_label, mode, rc, a); 252 smack_log(sbj_known->smk_known, obj_known->smk_known,
253 mode, rc, a);
252#endif 254#endif
253 return rc; 255 return rc;
254} 256}
255 257
256/** 258/**
257 * smk_curacc - determine if current has a specific access to an object 259 * smk_curacc - determine if current has a specific access to an object
258 * @obj_label: a pointer to the object's Smack label 260 * @obj_known: a pointer to the object's Smack label entry
259 * @mode: the access requested, in "MAY" format 261 * @mode: the access requested, in "MAY" format
260 * @a : common audit data 262 * @a : common audit data
261 * 263 *
@@ -264,11 +266,12 @@ out_audit:
264 * non zero otherwise. It allows that current may have the capability 266 * non zero otherwise. It allows that current may have the capability
265 * to override the rules. 267 * to override the rules.
266 */ 268 */
267int smk_curacc(char *obj_label, u32 mode, struct smk_audit_info *a) 269int smk_curacc(struct smack_known *obj_known,
270 u32 mode, struct smk_audit_info *a)
268{ 271{
269 struct task_smack *tsp = current_security(); 272 struct task_smack *tsp = current_security();
270 273
271 return smk_tskacc(tsp, obj_label, mode, a); 274 return smk_tskacc(tsp, obj_known, mode, a);
272} 275}
273 276
274#ifdef CONFIG_AUDIT 277#ifdef CONFIG_AUDIT
@@ -562,27 +565,6 @@ unlockout:
562} 565}
563 566
564/** 567/**
565 * smk_import - import a smack label
566 * @string: a text string that might be a Smack label
567 * @len: the maximum size, or zero if it is NULL terminated.
568 *
569 * Returns a pointer to the label in the label list that
570 * matches the passed string, adding it if necessary.
571 */
572char *smk_import(const char *string, int len)
573{
574 struct smack_known *skp;
575
576 /* labels cannot begin with a '-' */
577 if (string[0] == '-')
578 return NULL;
579 skp = smk_import_entry(string, len);
580 if (skp == NULL)
581 return NULL;
582 return skp->smk_known;
583}
584
585/**
586 * smack_from_secid - find the Smack label associated with a secid 568 * smack_from_secid - find the Smack label associated with a secid
587 * @secid: an integer that might be associated with a Smack label 569 * @secid: an integer that might be associated with a Smack label
588 * 570 *
@@ -608,19 +590,3 @@ struct smack_known *smack_from_secid(const u32 secid)
608 rcu_read_unlock(); 590 rcu_read_unlock();
609 return &smack_known_invalid; 591 return &smack_known_invalid;
610} 592}
611
612/**
613 * smack_to_secid - find the secid associated with a Smack label
614 * @smack: the Smack label
615 *
616 * Returns the appropriate secid if there is one,
617 * otherwise 0
618 */
619u32 smack_to_secid(const char *smack)
620{
621 struct smack_known *skp = smk_find_entry(smack);
622
623 if (skp == NULL)
624 return 0;
625 return skp->smk_secid;
626}
diff --git a/security/smack/smack_lsm.c b/security/smack/smack_lsm.c
index 00443a9039b8..93dc876734a4 100644
--- a/security/smack/smack_lsm.c
+++ b/security/smack/smack_lsm.c
@@ -78,8 +78,8 @@ static void smk_bu_mode(int mode, char *s)
78#endif 78#endif
79 79
80#ifdef CONFIG_SECURITY_SMACK_BRINGUP 80#ifdef CONFIG_SECURITY_SMACK_BRINGUP
81static int smk_bu_note(char *note, struct smack_known *sskp, char *osp, 81static int smk_bu_note(char *note, struct smack_known *sskp,
82 int mode, int rc) 82 struct smack_known *oskp, int mode, int rc)
83{ 83{
84 char acc[SMK_NUM_ACCESS_TYPE + 1]; 84 char acc[SMK_NUM_ACCESS_TYPE + 1];
85 85
@@ -88,15 +88,16 @@ static int smk_bu_note(char *note, struct smack_known *sskp, char *osp,
88 88
89 smk_bu_mode(mode, acc); 89 smk_bu_mode(mode, acc);
90 pr_info("Smack Bringup: (%s %s %s) %s\n", 90 pr_info("Smack Bringup: (%s %s %s) %s\n",
91 sskp->smk_known, osp, acc, note); 91 sskp->smk_known, oskp->smk_known, acc, note);
92 return 0; 92 return 0;
93} 93}
94#else 94#else
95#define smk_bu_note(note, sskp, osp, mode, RC) (RC) 95#define smk_bu_note(note, sskp, oskp, mode, RC) (RC)
96#endif 96#endif
97 97
98#ifdef CONFIG_SECURITY_SMACK_BRINGUP 98#ifdef CONFIG_SECURITY_SMACK_BRINGUP
99static int smk_bu_current(char *note, char *osp, int mode, int rc) 99static int smk_bu_current(char *note, struct smack_known *oskp,
100 int mode, int rc)
100{ 101{
101 struct task_smack *tsp = current_security(); 102 struct task_smack *tsp = current_security();
102 char acc[SMK_NUM_ACCESS_TYPE + 1]; 103 char acc[SMK_NUM_ACCESS_TYPE + 1];
@@ -106,11 +107,12 @@ static int smk_bu_current(char *note, char *osp, int mode, int rc)
106 107
107 smk_bu_mode(mode, acc); 108 smk_bu_mode(mode, acc);
108 pr_info("Smack Bringup: (%s %s %s) %s %s\n", 109 pr_info("Smack Bringup: (%s %s %s) %s %s\n",
109 tsp->smk_task->smk_known, osp, acc, current->comm, note); 110 tsp->smk_task->smk_known, oskp->smk_known,
111 acc, current->comm, note);
110 return 0; 112 return 0;
111} 113}
112#else 114#else
113#define smk_bu_current(note, osp, mode, RC) (RC) 115#define smk_bu_current(note, oskp, mode, RC) (RC)
114#endif 116#endif
115 117
116#ifdef CONFIG_SECURITY_SMACK_BRINGUP 118#ifdef CONFIG_SECURITY_SMACK_BRINGUP
@@ -144,7 +146,7 @@ static int smk_bu_inode(struct inode *inode, int mode, int rc)
144 146
145 smk_bu_mode(mode, acc); 147 smk_bu_mode(mode, acc);
146 pr_info("Smack Bringup: (%s %s %s) inode=(%s %ld) %s\n", 148 pr_info("Smack Bringup: (%s %s %s) inode=(%s %ld) %s\n",
147 tsp->smk_task->smk_known, smk_of_inode(inode), acc, 149 tsp->smk_task->smk_known, smk_of_inode(inode)->smk_known, acc,
148 inode->i_sb->s_id, inode->i_ino, current->comm); 150 inode->i_sb->s_id, inode->i_ino, current->comm);
149 return 0; 151 return 0;
150} 152}
@@ -188,7 +190,7 @@ static int smk_bu_credfile(const struct cred *cred, struct file *file,
188 190
189 smk_bu_mode(mode, acc); 191 smk_bu_mode(mode, acc);
190 pr_info("Smack Bringup: (%s %s %s) file=(%s %ld %s) %s\n", 192 pr_info("Smack Bringup: (%s %s %s) file=(%s %ld %s) %s\n",
191 sskp->smk_known, smk_of_inode(inode), acc, 193 sskp->smk_known, smk_of_inode(inode)->smk_known, acc,
192 inode->i_sb->s_id, inode->i_ino, file->f_dentry->d_name.name, 194 inode->i_sb->s_id, inode->i_ino, file->f_dentry->d_name.name,
193 current->comm); 195 current->comm);
194 return 0; 196 return 0;
@@ -230,11 +232,11 @@ static struct smack_known *smk_fetch(const char *name, struct inode *ip,
230 232
231/** 233/**
232 * new_inode_smack - allocate an inode security blob 234 * new_inode_smack - allocate an inode security blob
233 * @smack: a pointer to the Smack label to use in the blob 235 * @skp: a pointer to the Smack label entry to use in the blob
234 * 236 *
235 * Returns the new blob or NULL if there's no memory available 237 * Returns the new blob or NULL if there's no memory available
236 */ 238 */
237struct inode_smack *new_inode_smack(char *smack) 239struct inode_smack *new_inode_smack(struct smack_known *skp)
238{ 240{
239 struct inode_smack *isp; 241 struct inode_smack *isp;
240 242
@@ -242,7 +244,7 @@ struct inode_smack *new_inode_smack(char *smack)
242 if (isp == NULL) 244 if (isp == NULL)
243 return NULL; 245 return NULL;
244 246
245 isp->smk_inode = smack; 247 isp->smk_inode = skp;
246 isp->smk_flags = 0; 248 isp->smk_flags = 0;
247 mutex_init(&isp->smk_lock); 249 mutex_init(&isp->smk_lock);
248 250
@@ -321,20 +323,20 @@ static inline unsigned int smk_ptrace_mode(unsigned int mode)
321/** 323/**
322 * smk_ptrace_rule_check - helper for ptrace access 324 * smk_ptrace_rule_check - helper for ptrace access
323 * @tracer: tracer process 325 * @tracer: tracer process
324 * @tracee_label: label of the process that's about to be traced, 326 * @tracee_known: label entry of the process that's about to be traced
325 * the pointer must originate from smack structures
326 * @mode: ptrace attachment mode (PTRACE_MODE_*) 327 * @mode: ptrace attachment mode (PTRACE_MODE_*)
327 * @func: name of the function that called us, used for audit 328 * @func: name of the function that called us, used for audit
328 * 329 *
329 * Returns 0 on access granted, -error on error 330 * Returns 0 on access granted, -error on error
330 */ 331 */
331static int smk_ptrace_rule_check(struct task_struct *tracer, char *tracee_label, 332static int smk_ptrace_rule_check(struct task_struct *tracer,
333 struct smack_known *tracee_known,
332 unsigned int mode, const char *func) 334 unsigned int mode, const char *func)
333{ 335{
334 int rc; 336 int rc;
335 struct smk_audit_info ad, *saip = NULL; 337 struct smk_audit_info ad, *saip = NULL;
336 struct task_smack *tsp; 338 struct task_smack *tsp;
337 struct smack_known *skp; 339 struct smack_known *tracer_known;
338 340
339 if ((mode & PTRACE_MODE_NOAUDIT) == 0) { 341 if ((mode & PTRACE_MODE_NOAUDIT) == 0) {
340 smk_ad_init(&ad, func, LSM_AUDIT_DATA_TASK); 342 smk_ad_init(&ad, func, LSM_AUDIT_DATA_TASK);
@@ -343,12 +345,12 @@ static int smk_ptrace_rule_check(struct task_struct *tracer, char *tracee_label,
343 } 345 }
344 346
345 tsp = task_security(tracer); 347 tsp = task_security(tracer);
346 skp = smk_of_task(tsp); 348 tracer_known = smk_of_task(tsp);
347 349
348 if ((mode & PTRACE_MODE_ATTACH) && 350 if ((mode & PTRACE_MODE_ATTACH) &&
349 (smack_ptrace_rule == SMACK_PTRACE_EXACT || 351 (smack_ptrace_rule == SMACK_PTRACE_EXACT ||
350 smack_ptrace_rule == SMACK_PTRACE_DRACONIAN)) { 352 smack_ptrace_rule == SMACK_PTRACE_DRACONIAN)) {
351 if (skp->smk_known == tracee_label) 353 if (tracer_known->smk_known == tracee_known->smk_known)
352 rc = 0; 354 rc = 0;
353 else if (smack_ptrace_rule == SMACK_PTRACE_DRACONIAN) 355 else if (smack_ptrace_rule == SMACK_PTRACE_DRACONIAN)
354 rc = -EACCES; 356 rc = -EACCES;
@@ -358,13 +360,15 @@ static int smk_ptrace_rule_check(struct task_struct *tracer, char *tracee_label,
358 rc = -EACCES; 360 rc = -EACCES;
359 361
360 if (saip) 362 if (saip)
361 smack_log(skp->smk_known, tracee_label, 0, rc, saip); 363 smack_log(tracer_known->smk_known,
364 tracee_known->smk_known,
365 0, rc, saip);
362 366
363 return rc; 367 return rc;
364 } 368 }
365 369
366 /* In case of rule==SMACK_PTRACE_DEFAULT or mode==PTRACE_MODE_READ */ 370 /* In case of rule==SMACK_PTRACE_DEFAULT or mode==PTRACE_MODE_READ */
367 rc = smk_tskacc(tsp, tracee_label, smk_ptrace_mode(mode), saip); 371 rc = smk_tskacc(tsp, tracee_known, smk_ptrace_mode(mode), saip);
368 return rc; 372 return rc;
369} 373}
370 374
@@ -393,7 +397,7 @@ static int smack_ptrace_access_check(struct task_struct *ctp, unsigned int mode)
393 397
394 skp = smk_of_task(task_security(ctp)); 398 skp = smk_of_task(task_security(ctp));
395 399
396 rc = smk_ptrace_rule_check(current, skp->smk_known, mode, __func__); 400 rc = smk_ptrace_rule_check(current, skp, mode, __func__);
397 return rc; 401 return rc;
398} 402}
399 403
@@ -416,8 +420,7 @@ static int smack_ptrace_traceme(struct task_struct *ptp)
416 420
417 skp = smk_of_task(current_security()); 421 skp = smk_of_task(current_security());
418 422
419 rc = smk_ptrace_rule_check(ptp, skp->smk_known, 423 rc = smk_ptrace_rule_check(ptp, skp, PTRACE_MODE_ATTACH, __func__);
420 PTRACE_MODE_ATTACH, __func__);
421 return rc; 424 return rc;
422} 425}
423 426
@@ -461,10 +464,10 @@ static int smack_sb_alloc_security(struct super_block *sb)
461 if (sbsp == NULL) 464 if (sbsp == NULL)
462 return -ENOMEM; 465 return -ENOMEM;
463 466
464 sbsp->smk_root = smack_known_floor.smk_known; 467 sbsp->smk_root = &smack_known_floor;
465 sbsp->smk_default = smack_known_floor.smk_known; 468 sbsp->smk_default = &smack_known_floor;
466 sbsp->smk_floor = smack_known_floor.smk_known; 469 sbsp->smk_floor = &smack_known_floor;
467 sbsp->smk_hat = smack_known_hat.smk_known; 470 sbsp->smk_hat = &smack_known_hat;
468 /* 471 /*
469 * smk_initialized will be zero from kzalloc. 472 * smk_initialized will be zero from kzalloc.
470 */ 473 */
@@ -548,7 +551,6 @@ static int smack_sb_kern_mount(struct super_block *sb, int flags, void *data)
548 struct smack_known *skp; 551 struct smack_known *skp;
549 char *op; 552 char *op;
550 char *commap; 553 char *commap;
551 char *nsp;
552 int transmute = 0; 554 int transmute = 0;
553 int specified = 0; 555 int specified = 0;
554 556
@@ -564,38 +566,38 @@ static int smack_sb_kern_mount(struct super_block *sb, int flags, void *data)
564 566
565 if (strncmp(op, SMK_FSHAT, strlen(SMK_FSHAT)) == 0) { 567 if (strncmp(op, SMK_FSHAT, strlen(SMK_FSHAT)) == 0) {
566 op += strlen(SMK_FSHAT); 568 op += strlen(SMK_FSHAT);
567 nsp = smk_import(op, 0); 569 skp = smk_import_entry(op, 0);
568 if (nsp != NULL) { 570 if (skp != NULL) {
569 sp->smk_hat = nsp; 571 sp->smk_hat = skp;
570 specified = 1; 572 specified = 1;
571 } 573 }
572 } else if (strncmp(op, SMK_FSFLOOR, strlen(SMK_FSFLOOR)) == 0) { 574 } else if (strncmp(op, SMK_FSFLOOR, strlen(SMK_FSFLOOR)) == 0) {
573 op += strlen(SMK_FSFLOOR); 575 op += strlen(SMK_FSFLOOR);
574 nsp = smk_import(op, 0); 576 skp = smk_import_entry(op, 0);
575 if (nsp != NULL) { 577 if (skp != NULL) {
576 sp->smk_floor = nsp; 578 sp->smk_floor = skp;
577 specified = 1; 579 specified = 1;
578 } 580 }
579 } else if (strncmp(op, SMK_FSDEFAULT, 581 } else if (strncmp(op, SMK_FSDEFAULT,
580 strlen(SMK_FSDEFAULT)) == 0) { 582 strlen(SMK_FSDEFAULT)) == 0) {
581 op += strlen(SMK_FSDEFAULT); 583 op += strlen(SMK_FSDEFAULT);
582 nsp = smk_import(op, 0); 584 skp = smk_import_entry(op, 0);
583 if (nsp != NULL) { 585 if (skp != NULL) {
584 sp->smk_default = nsp; 586 sp->smk_default = skp;
585 specified = 1; 587 specified = 1;
586 } 588 }
587 } else if (strncmp(op, SMK_FSROOT, strlen(SMK_FSROOT)) == 0) { 589 } else if (strncmp(op, SMK_FSROOT, strlen(SMK_FSROOT)) == 0) {
588 op += strlen(SMK_FSROOT); 590 op += strlen(SMK_FSROOT);
589 nsp = smk_import(op, 0); 591 skp = smk_import_entry(op, 0);
590 if (nsp != NULL) { 592 if (skp != NULL) {
591 sp->smk_root = nsp; 593 sp->smk_root = skp;
592 specified = 1; 594 specified = 1;
593 } 595 }
594 } else if (strncmp(op, SMK_FSTRANS, strlen(SMK_FSTRANS)) == 0) { 596 } else if (strncmp(op, SMK_FSTRANS, strlen(SMK_FSTRANS)) == 0) {
595 op += strlen(SMK_FSTRANS); 597 op += strlen(SMK_FSTRANS);
596 nsp = smk_import(op, 0); 598 skp = smk_import_entry(op, 0);
597 if (nsp != NULL) { 599 if (skp != NULL) {
598 sp->smk_root = nsp; 600 sp->smk_root = skp;
599 transmute = 1; 601 transmute = 1;
600 specified = 1; 602 specified = 1;
601 } 603 }
@@ -612,8 +614,8 @@ static int smack_sb_kern_mount(struct super_block *sb, int flags, void *data)
612 * Unprivileged mounts get root and default from the caller. 614 * Unprivileged mounts get root and default from the caller.
613 */ 615 */
614 skp = smk_of_current(); 616 skp = smk_of_current();
615 sp->smk_root = skp->smk_known; 617 sp->smk_root = skp;
616 sp->smk_default = skp->smk_known; 618 sp->smk_default = skp;
617 } 619 }
618 /* 620 /*
619 * Initialize the root inode. 621 * Initialize the root inode.
@@ -690,7 +692,7 @@ static int smack_bprm_set_creds(struct linux_binprm *bprm)
690 tracer = ptrace_parent(current); 692 tracer = ptrace_parent(current);
691 if (likely(tracer != NULL)) 693 if (likely(tracer != NULL))
692 rc = smk_ptrace_rule_check(tracer, 694 rc = smk_ptrace_rule_check(tracer,
693 isp->smk_task->smk_known, 695 isp->smk_task,
694 PTRACE_MODE_ATTACH, 696 PTRACE_MODE_ATTACH,
695 __func__); 697 __func__);
696 rcu_read_unlock(); 698 rcu_read_unlock();
@@ -751,7 +753,7 @@ static int smack_inode_alloc_security(struct inode *inode)
751{ 753{
752 struct smack_known *skp = smk_of_current(); 754 struct smack_known *skp = smk_of_current();
753 755
754 inode->i_security = new_inode_smack(skp->smk_known); 756 inode->i_security = new_inode_smack(skp);
755 if (inode->i_security == NULL) 757 if (inode->i_security == NULL)
756 return -ENOMEM; 758 return -ENOMEM;
757 return 0; 759 return 0;
@@ -786,8 +788,8 @@ static int smack_inode_init_security(struct inode *inode, struct inode *dir,
786{ 788{
787 struct inode_smack *issp = inode->i_security; 789 struct inode_smack *issp = inode->i_security;
788 struct smack_known *skp = smk_of_current(); 790 struct smack_known *skp = smk_of_current();
789 char *isp = smk_of_inode(inode); 791 struct smack_known *isp = smk_of_inode(inode);
790 char *dsp = smk_of_inode(dir); 792 struct smack_known *dsp = smk_of_inode(dir);
791 int may; 793 int may;
792 794
793 if (name) 795 if (name)
@@ -795,7 +797,8 @@ static int smack_inode_init_security(struct inode *inode, struct inode *dir,
795 797
796 if (value) { 798 if (value) {
797 rcu_read_lock(); 799 rcu_read_lock();
798 may = smk_access_entry(skp->smk_known, dsp, &skp->smk_rules); 800 may = smk_access_entry(skp->smk_known, dsp->smk_known,
801 &skp->smk_rules);
799 rcu_read_unlock(); 802 rcu_read_unlock();
800 803
801 /* 804 /*
@@ -810,13 +813,13 @@ static int smack_inode_init_security(struct inode *inode, struct inode *dir,
810 issp->smk_flags |= SMK_INODE_CHANGED; 813 issp->smk_flags |= SMK_INODE_CHANGED;
811 } 814 }
812 815
813 *value = kstrdup(isp, GFP_NOFS); 816 *value = kstrdup(isp->smk_known, GFP_NOFS);
814 if (*value == NULL) 817 if (*value == NULL)
815 return -ENOMEM; 818 return -ENOMEM;
816 } 819 }
817 820
818 if (len) 821 if (len)
819 *len = strlen(isp); 822 *len = strlen(isp->smk_known);
820 823
821 return 0; 824 return 0;
822} 825}
@@ -832,7 +835,7 @@ static int smack_inode_init_security(struct inode *inode, struct inode *dir,
832static int smack_inode_link(struct dentry *old_dentry, struct inode *dir, 835static int smack_inode_link(struct dentry *old_dentry, struct inode *dir,
833 struct dentry *new_dentry) 836 struct dentry *new_dentry)
834{ 837{
835 char *isp; 838 struct smack_known *isp;
836 struct smk_audit_info ad; 839 struct smk_audit_info ad;
837 int rc; 840 int rc;
838 841
@@ -939,7 +942,7 @@ static int smack_inode_rename(struct inode *old_inode,
939 struct dentry *new_dentry) 942 struct dentry *new_dentry)
940{ 943{
941 int rc; 944 int rc;
942 char *isp; 945 struct smack_known *isp;
943 struct smk_audit_info ad; 946 struct smk_audit_info ad;
944 947
945 smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_DENTRY); 948 smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_DENTRY);
@@ -1127,9 +1130,9 @@ static void smack_inode_post_setxattr(struct dentry *dentry, const char *name,
1127 if (strcmp(name, XATTR_NAME_SMACK) == 0) { 1130 if (strcmp(name, XATTR_NAME_SMACK) == 0) {
1128 skp = smk_import_entry(value, size); 1131 skp = smk_import_entry(value, size);
1129 if (skp != NULL) 1132 if (skp != NULL)
1130 isp->smk_inode = skp->smk_known; 1133 isp->smk_inode = skp;
1131 else 1134 else
1132 isp->smk_inode = smack_known_invalid.smk_known; 1135 isp->smk_inode = &smack_known_invalid;
1133 } else if (strcmp(name, XATTR_NAME_SMACKEXEC) == 0) { 1136 } else if (strcmp(name, XATTR_NAME_SMACKEXEC) == 0) {
1134 skp = smk_import_entry(value, size); 1137 skp = smk_import_entry(value, size);
1135 if (skp != NULL) 1138 if (skp != NULL)
@@ -1238,14 +1241,14 @@ static int smack_inode_getsecurity(const struct inode *inode,
1238 struct socket *sock; 1241 struct socket *sock;
1239 struct super_block *sbp; 1242 struct super_block *sbp;
1240 struct inode *ip = (struct inode *)inode; 1243 struct inode *ip = (struct inode *)inode;
1241 char *isp; 1244 struct smack_known *isp;
1242 int ilen; 1245 int ilen;
1243 int rc = 0; 1246 int rc = 0;
1244 1247
1245 if (strcmp(name, XATTR_SMACK_SUFFIX) == 0) { 1248 if (strcmp(name, XATTR_SMACK_SUFFIX) == 0) {
1246 isp = smk_of_inode(inode); 1249 isp = smk_of_inode(inode);
1247 ilen = strlen(isp); 1250 ilen = strlen(isp->smk_known);
1248 *buffer = isp; 1251 *buffer = isp->smk_known;
1249 return ilen; 1252 return ilen;
1250 } 1253 }
1251 1254
@@ -1263,15 +1266,15 @@ static int smack_inode_getsecurity(const struct inode *inode,
1263 ssp = sock->sk->sk_security; 1266 ssp = sock->sk->sk_security;
1264 1267
1265 if (strcmp(name, XATTR_SMACK_IPIN) == 0) 1268 if (strcmp(name, XATTR_SMACK_IPIN) == 0)
1266 isp = ssp->smk_in->smk_known; 1269 isp = ssp->smk_in;
1267 else if (strcmp(name, XATTR_SMACK_IPOUT) == 0) 1270 else if (strcmp(name, XATTR_SMACK_IPOUT) == 0)
1268 isp = ssp->smk_out->smk_known; 1271 isp = ssp->smk_out;
1269 else 1272 else
1270 return -EOPNOTSUPP; 1273 return -EOPNOTSUPP;
1271 1274
1272 ilen = strlen(isp); 1275 ilen = strlen(isp->smk_known);
1273 if (rc == 0) { 1276 if (rc == 0) {
1274 *buffer = isp; 1277 *buffer = isp->smk_known;
1275 rc = ilen; 1278 rc = ilen;
1276 } 1279 }
1277 1280
@@ -1307,7 +1310,7 @@ static void smack_inode_getsecid(const struct inode *inode, u32 *secid)
1307{ 1310{
1308 struct inode_smack *isp = inode->i_security; 1311 struct inode_smack *isp = inode->i_security;
1309 1312
1310 *secid = smack_to_secid(isp->smk_inode); 1313 *secid = isp->smk_inode->smk_secid;
1311} 1314}
1312 1315
1313/* 1316/*
@@ -1346,7 +1349,7 @@ static int smack_file_alloc_security(struct file *file)
1346{ 1349{
1347 struct smack_known *skp = smk_of_current(); 1350 struct smack_known *skp = smk_of_current();
1348 1351
1349 file->f_security = skp->smk_known; 1352 file->f_security = skp;
1350 return 0; 1353 return 0;
1351} 1354}
1352 1355
@@ -1474,7 +1477,7 @@ static int smack_mmap_file(struct file *file,
1474 struct smack_known *mkp; 1477 struct smack_known *mkp;
1475 struct smack_rule *srp; 1478 struct smack_rule *srp;
1476 struct task_smack *tsp; 1479 struct task_smack *tsp;
1477 char *osmack; 1480 struct smack_known *okp;
1478 struct inode_smack *isp; 1481 struct inode_smack *isp;
1479 int may; 1482 int may;
1480 int mmay; 1483 int mmay;
@@ -1500,18 +1503,19 @@ static int smack_mmap_file(struct file *file,
1500 * to that rule's object label. 1503 * to that rule's object label.
1501 */ 1504 */
1502 list_for_each_entry_rcu(srp, &skp->smk_rules, list) { 1505 list_for_each_entry_rcu(srp, &skp->smk_rules, list) {
1503 osmack = srp->smk_object; 1506 okp = srp->smk_object;
1504 /* 1507 /*
1505 * Matching labels always allows access. 1508 * Matching labels always allows access.
1506 */ 1509 */
1507 if (mkp->smk_known == osmack) 1510 if (mkp->smk_known == okp->smk_known)
1508 continue; 1511 continue;
1509 /* 1512 /*
1510 * If there is a matching local rule take 1513 * If there is a matching local rule take
1511 * that into account as well. 1514 * that into account as well.
1512 */ 1515 */
1513 may = smk_access_entry(srp->smk_subject->smk_known, osmack, 1516 may = smk_access_entry(srp->smk_subject->smk_known,
1514 &tsp->smk_rules); 1517 okp->smk_known,
1518 &tsp->smk_rules);
1515 if (may == -ENOENT) 1519 if (may == -ENOENT)
1516 may = srp->smk_access; 1520 may = srp->smk_access;
1517 else 1521 else
@@ -1528,8 +1532,8 @@ static int smack_mmap_file(struct file *file,
1528 * If there isn't one a SMACK64MMAP subject 1532 * If there isn't one a SMACK64MMAP subject
1529 * can't have as much access as current. 1533 * can't have as much access as current.
1530 */ 1534 */
1531 mmay = smk_access_entry(mkp->smk_known, osmack, 1535 mmay = smk_access_entry(mkp->smk_known, okp->smk_known,
1532 &mkp->smk_rules); 1536 &mkp->smk_rules);
1533 if (mmay == -ENOENT) { 1537 if (mmay == -ENOENT) {
1534 rc = -EACCES; 1538 rc = -EACCES;
1535 break; 1539 break;
@@ -1538,8 +1542,8 @@ static int smack_mmap_file(struct file *file,
1538 * If there is a local entry it modifies the 1542 * If there is a local entry it modifies the
1539 * potential access, too. 1543 * potential access, too.
1540 */ 1544 */
1541 tmay = smk_access_entry(mkp->smk_known, osmack, 1545 tmay = smk_access_entry(mkp->smk_known, okp->smk_known,
1542 &tsp->smk_rules); 1546 &tsp->smk_rules);
1543 if (tmay != -ENOENT) 1547 if (tmay != -ENOENT)
1544 mmay &= tmay; 1548 mmay &= tmay;
1545 1549
@@ -1570,7 +1574,7 @@ static int smack_file_set_fowner(struct file *file)
1570{ 1574{
1571 struct smack_known *skp = smk_of_current(); 1575 struct smack_known *skp = smk_of_current();
1572 1576
1573 file->f_security = skp->smk_known; 1577 file->f_security = skp;
1574 return 0; 1578 return 0;
1575} 1579}
1576 1580
@@ -1600,15 +1604,15 @@ static int smack_file_send_sigiotask(struct task_struct *tsk,
1600 file = container_of(fown, struct file, f_owner); 1604 file = container_of(fown, struct file, f_owner);
1601 1605
1602 /* we don't log here as rc can be overriden */ 1606 /* we don't log here as rc can be overriden */
1603 skp = smk_find_entry(file->f_security); 1607 skp = file->f_security;
1604 rc = smk_access(skp, tkp->smk_known, MAY_WRITE, NULL); 1608 rc = smk_access(skp, tkp, MAY_WRITE, NULL);
1605 rc = smk_bu_note("sigiotask", skp, tkp->smk_known, MAY_WRITE, rc); 1609 rc = smk_bu_note("sigiotask", skp, tkp, MAY_WRITE, rc);
1606 if (rc != 0 && has_capability(tsk, CAP_MAC_OVERRIDE)) 1610 if (rc != 0 && has_capability(tsk, CAP_MAC_OVERRIDE))
1607 rc = 0; 1611 rc = 0;
1608 1612
1609 smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_TASK); 1613 smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_TASK);
1610 smk_ad_setfield_u_tsk(&ad, tsk); 1614 smk_ad_setfield_u_tsk(&ad, tsk);
1611 smack_log(file->f_security, tkp->smk_known, MAY_WRITE, rc, &ad); 1615 smack_log(skp->smk_known, tkp->smk_known, MAY_WRITE, rc, &ad);
1612 return rc; 1616 return rc;
1613} 1617}
1614 1618
@@ -1805,7 +1809,7 @@ static int smack_kernel_create_files_as(struct cred *new,
1805 struct inode_smack *isp = inode->i_security; 1809 struct inode_smack *isp = inode->i_security;
1806 struct task_smack *tsp = new->security; 1810 struct task_smack *tsp = new->security;
1807 1811
1808 tsp->smk_forked = smk_find_entry(isp->smk_inode); 1812 tsp->smk_forked = isp->smk_inode;
1809 tsp->smk_task = tsp->smk_forked; 1813 tsp->smk_task = tsp->smk_forked;
1810 return 0; 1814 return 0;
1811} 1815}
@@ -1827,7 +1831,7 @@ static int smk_curacc_on_task(struct task_struct *p, int access,
1827 1831
1828 smk_ad_init(&ad, caller, LSM_AUDIT_DATA_TASK); 1832 smk_ad_init(&ad, caller, LSM_AUDIT_DATA_TASK);
1829 smk_ad_setfield_u_tsk(&ad, p); 1833 smk_ad_setfield_u_tsk(&ad, p);
1830 rc = smk_curacc(skp->smk_known, access, &ad); 1834 rc = smk_curacc(skp, access, &ad);
1831 rc = smk_bu_task(p, access, rc); 1835 rc = smk_bu_task(p, access, rc);
1832 return rc; 1836 return rc;
1833} 1837}
@@ -1992,7 +1996,7 @@ static int smack_task_kill(struct task_struct *p, struct siginfo *info,
1992 * can write the receiver. 1996 * can write the receiver.
1993 */ 1997 */
1994 if (secid == 0) { 1998 if (secid == 0) {
1995 rc = smk_curacc(tkp->smk_known, MAY_WRITE, &ad); 1999 rc = smk_curacc(tkp, MAY_WRITE, &ad);
1996 rc = smk_bu_task(p, MAY_WRITE, rc); 2000 rc = smk_bu_task(p, MAY_WRITE, rc);
1997 return rc; 2001 return rc;
1998 } 2002 }
@@ -2002,8 +2006,8 @@ static int smack_task_kill(struct task_struct *p, struct siginfo *info,
2002 * we can't take privilege into account. 2006 * we can't take privilege into account.
2003 */ 2007 */
2004 skp = smack_from_secid(secid); 2008 skp = smack_from_secid(secid);
2005 rc = smk_access(skp, tkp->smk_known, MAY_WRITE, &ad); 2009 rc = smk_access(skp, tkp, MAY_WRITE, &ad);
2006 rc = smk_bu_note("USB signal", skp, tkp->smk_known, MAY_WRITE, rc); 2010 rc = smk_bu_note("USB signal", skp, tkp, MAY_WRITE, rc);
2007 return rc; 2011 return rc;
2008} 2012}
2009 2013
@@ -2038,7 +2042,7 @@ static void smack_task_to_inode(struct task_struct *p, struct inode *inode)
2038 struct inode_smack *isp = inode->i_security; 2042 struct inode_smack *isp = inode->i_security;
2039 struct smack_known *skp = smk_of_task(task_security(p)); 2043 struct smack_known *skp = smk_of_task(task_security(p));
2040 2044
2041 isp->smk_inode = skp->smk_known; 2045 isp->smk_inode = skp;
2042} 2046}
2043 2047
2044/* 2048/*
@@ -2096,7 +2100,7 @@ static void smack_sk_free_security(struct sock *sk)
2096* 2100*
2097* Returns the label of the far end or NULL if it's not special. 2101* Returns the label of the far end or NULL if it's not special.
2098*/ 2102*/
2099static char *smack_host_label(struct sockaddr_in *sip) 2103static struct smack_known *smack_host_label(struct sockaddr_in *sip)
2100{ 2104{
2101 struct smk_netlbladdr *snp; 2105 struct smk_netlbladdr *snp;
2102 struct in_addr *siap = &sip->sin_addr; 2106 struct in_addr *siap = &sip->sin_addr;
@@ -2113,7 +2117,7 @@ static char *smack_host_label(struct sockaddr_in *sip)
2113 if ((&snp->smk_host.sin_addr)->s_addr == 2117 if ((&snp->smk_host.sin_addr)->s_addr ==
2114 (siap->s_addr & (&snp->smk_mask)->s_addr)) { 2118 (siap->s_addr & (&snp->smk_mask)->s_addr)) {
2115 /* we have found the special CIPSO option */ 2119 /* we have found the special CIPSO option */
2116 if (snp->smk_label == smack_cipso_option) 2120 if (snp->smk_label == &smack_cipso_option)
2117 return NULL; 2121 return NULL;
2118 return snp->smk_label; 2122 return snp->smk_label;
2119 } 2123 }
@@ -2178,13 +2182,13 @@ static int smack_netlabel_send(struct sock *sk, struct sockaddr_in *sap)
2178 struct smack_known *skp; 2182 struct smack_known *skp;
2179 int rc; 2183 int rc;
2180 int sk_lbl; 2184 int sk_lbl;
2181 char *hostsp; 2185 struct smack_known *hkp;
2182 struct socket_smack *ssp = sk->sk_security; 2186 struct socket_smack *ssp = sk->sk_security;
2183 struct smk_audit_info ad; 2187 struct smk_audit_info ad;
2184 2188
2185 rcu_read_lock(); 2189 rcu_read_lock();
2186 hostsp = smack_host_label(sap); 2190 hkp = smack_host_label(sap);
2187 if (hostsp != NULL) { 2191 if (hkp != NULL) {
2188#ifdef CONFIG_AUDIT 2192#ifdef CONFIG_AUDIT
2189 struct lsm_network_audit net; 2193 struct lsm_network_audit net;
2190 2194
@@ -2195,8 +2199,8 @@ static int smack_netlabel_send(struct sock *sk, struct sockaddr_in *sap)
2195#endif 2199#endif
2196 sk_lbl = SMACK_UNLABELED_SOCKET; 2200 sk_lbl = SMACK_UNLABELED_SOCKET;
2197 skp = ssp->smk_out; 2201 skp = ssp->smk_out;
2198 rc = smk_access(skp, hostsp, MAY_WRITE, &ad); 2202 rc = smk_access(skp, hkp, MAY_WRITE, &ad);
2199 rc = smk_bu_note("IPv4 host check", skp, hostsp, MAY_WRITE, rc); 2203 rc = smk_bu_note("IPv4 host check", skp, hkp, MAY_WRITE, rc);
2200 } else { 2204 } else {
2201 sk_lbl = SMACK_CIPSO_SOCKET; 2205 sk_lbl = SMACK_CIPSO_SOCKET;
2202 rc = 0; 2206 rc = 0;
@@ -2297,7 +2301,7 @@ static int smk_ipv6_port_check(struct sock *sk, struct sockaddr_in6 *address,
2297 struct socket_smack *ssp = sk->sk_security; 2301 struct socket_smack *ssp = sk->sk_security;
2298 struct smack_known *skp; 2302 struct smack_known *skp;
2299 unsigned short port = 0; 2303 unsigned short port = 0;
2300 char *object; 2304 struct smack_known *object;
2301 struct smk_audit_info ad; 2305 struct smk_audit_info ad;
2302 int rc; 2306 int rc;
2303#ifdef CONFIG_AUDIT 2307#ifdef CONFIG_AUDIT
@@ -2306,10 +2310,10 @@ static int smk_ipv6_port_check(struct sock *sk, struct sockaddr_in6 *address,
2306 2310
2307 if (act == SMK_RECEIVING) { 2311 if (act == SMK_RECEIVING) {
2308 skp = smack_net_ambient; 2312 skp = smack_net_ambient;
2309 object = ssp->smk_in->smk_known; 2313 object = ssp->smk_in;
2310 } else { 2314 } else {
2311 skp = ssp->smk_out; 2315 skp = ssp->smk_out;
2312 object = smack_net_ambient->smk_known; 2316 object = smack_net_ambient;
2313 } 2317 }
2314 2318
2315 /* 2319 /*
@@ -2336,7 +2340,7 @@ static int smk_ipv6_port_check(struct sock *sk, struct sockaddr_in6 *address,
2336 list_for_each_entry(spp, &smk_ipv6_port_list, list) { 2340 list_for_each_entry(spp, &smk_ipv6_port_list, list) {
2337 if (spp->smk_port != port) 2341 if (spp->smk_port != port)
2338 continue; 2342 continue;
2339 object = spp->smk_in->smk_known; 2343 object = spp->smk_in;
2340 if (act == SMK_CONNECTING) 2344 if (act == SMK_CONNECTING)
2341 ssp->smk_packet = spp->smk_out; 2345 ssp->smk_packet = spp->smk_out;
2342 break; 2346 break;
@@ -2387,7 +2391,7 @@ static int smack_inode_setsecurity(struct inode *inode, const char *name,
2387 return -EINVAL; 2391 return -EINVAL;
2388 2392
2389 if (strcmp(name, XATTR_SMACK_SUFFIX) == 0) { 2393 if (strcmp(name, XATTR_SMACK_SUFFIX) == 0) {
2390 nsp->smk_inode = skp->smk_known; 2394 nsp->smk_inode = skp;
2391 nsp->smk_flags |= SMK_INODE_INSTANT; 2395 nsp->smk_flags |= SMK_INODE_INSTANT;
2392 return 0; 2396 return 0;
2393 } 2397 }
@@ -2529,7 +2533,7 @@ static int smack_msg_msg_alloc_security(struct msg_msg *msg)
2529{ 2533{
2530 struct smack_known *skp = smk_of_current(); 2534 struct smack_known *skp = smk_of_current();
2531 2535
2532 msg->security = skp->smk_known; 2536 msg->security = skp;
2533 return 0; 2537 return 0;
2534} 2538}
2535 2539
@@ -2550,9 +2554,9 @@ static void smack_msg_msg_free_security(struct msg_msg *msg)
2550 * 2554 *
2551 * Returns a pointer to the smack value 2555 * Returns a pointer to the smack value
2552 */ 2556 */
2553static char *smack_of_shm(struct shmid_kernel *shp) 2557static struct smack_known *smack_of_shm(struct shmid_kernel *shp)
2554{ 2558{
2555 return (char *)shp->shm_perm.security; 2559 return (struct smack_known *)shp->shm_perm.security;
2556} 2560}
2557 2561
2558/** 2562/**
@@ -2566,7 +2570,7 @@ static int smack_shm_alloc_security(struct shmid_kernel *shp)
2566 struct kern_ipc_perm *isp = &shp->shm_perm; 2570 struct kern_ipc_perm *isp = &shp->shm_perm;
2567 struct smack_known *skp = smk_of_current(); 2571 struct smack_known *skp = smk_of_current();
2568 2572
2569 isp->security = skp->smk_known; 2573 isp->security = skp;
2570 return 0; 2574 return 0;
2571} 2575}
2572 2576
@@ -2592,7 +2596,7 @@ static void smack_shm_free_security(struct shmid_kernel *shp)
2592 */ 2596 */
2593static int smk_curacc_shm(struct shmid_kernel *shp, int access) 2597static int smk_curacc_shm(struct shmid_kernel *shp, int access)
2594{ 2598{
2595 char *ssp = smack_of_shm(shp); 2599 struct smack_known *ssp = smack_of_shm(shp);
2596 struct smk_audit_info ad; 2600 struct smk_audit_info ad;
2597 int rc; 2601 int rc;
2598 2602
@@ -2677,9 +2681,9 @@ static int smack_shm_shmat(struct shmid_kernel *shp, char __user *shmaddr,
2677 * 2681 *
2678 * Returns a pointer to the smack value 2682 * Returns a pointer to the smack value
2679 */ 2683 */
2680static char *smack_of_sem(struct sem_array *sma) 2684static struct smack_known *smack_of_sem(struct sem_array *sma)
2681{ 2685{
2682 return (char *)sma->sem_perm.security; 2686 return (struct smack_known *)sma->sem_perm.security;
2683} 2687}
2684 2688
2685/** 2689/**
@@ -2693,7 +2697,7 @@ static int smack_sem_alloc_security(struct sem_array *sma)
2693 struct kern_ipc_perm *isp = &sma->sem_perm; 2697 struct kern_ipc_perm *isp = &sma->sem_perm;
2694 struct smack_known *skp = smk_of_current(); 2698 struct smack_known *skp = smk_of_current();
2695 2699
2696 isp->security = skp->smk_known; 2700 isp->security = skp;
2697 return 0; 2701 return 0;
2698} 2702}
2699 2703
@@ -2719,7 +2723,7 @@ static void smack_sem_free_security(struct sem_array *sma)
2719 */ 2723 */
2720static int smk_curacc_sem(struct sem_array *sma, int access) 2724static int smk_curacc_sem(struct sem_array *sma, int access)
2721{ 2725{
2722 char *ssp = smack_of_sem(sma); 2726 struct smack_known *ssp = smack_of_sem(sma);
2723 struct smk_audit_info ad; 2727 struct smk_audit_info ad;
2724 int rc; 2728 int rc;
2725 2729
@@ -2815,7 +2819,7 @@ static int smack_msg_queue_alloc_security(struct msg_queue *msq)
2815 struct kern_ipc_perm *kisp = &msq->q_perm; 2819 struct kern_ipc_perm *kisp = &msq->q_perm;
2816 struct smack_known *skp = smk_of_current(); 2820 struct smack_known *skp = smk_of_current();
2817 2821
2818 kisp->security = skp->smk_known; 2822 kisp->security = skp;
2819 return 0; 2823 return 0;
2820} 2824}
2821 2825
@@ -2836,11 +2840,11 @@ static void smack_msg_queue_free_security(struct msg_queue *msq)
2836 * smack_of_msq - the smack pointer for the msq 2840 * smack_of_msq - the smack pointer for the msq
2837 * @msq: the object 2841 * @msq: the object
2838 * 2842 *
2839 * Returns a pointer to the smack value 2843 * Returns a pointer to the smack label entry
2840 */ 2844 */
2841static char *smack_of_msq(struct msg_queue *msq) 2845static struct smack_known *smack_of_msq(struct msg_queue *msq)
2842{ 2846{
2843 return (char *)msq->q_perm.security; 2847 return (struct smack_known *)msq->q_perm.security;
2844} 2848}
2845 2849
2846/** 2850/**
@@ -2852,7 +2856,7 @@ static char *smack_of_msq(struct msg_queue *msq)
2852 */ 2856 */
2853static int smk_curacc_msq(struct msg_queue *msq, int access) 2857static int smk_curacc_msq(struct msg_queue *msq, int access)
2854{ 2858{
2855 char *msp = smack_of_msq(msq); 2859 struct smack_known *msp = smack_of_msq(msq);
2856 struct smk_audit_info ad; 2860 struct smk_audit_info ad;
2857 int rc; 2861 int rc;
2858 2862
@@ -2955,7 +2959,7 @@ static int smack_msg_queue_msgrcv(struct msg_queue *msq, struct msg_msg *msg,
2955 */ 2959 */
2956static int smack_ipc_permission(struct kern_ipc_perm *ipp, short flag) 2960static int smack_ipc_permission(struct kern_ipc_perm *ipp, short flag)
2957{ 2961{
2958 char *isp = ipp->security; 2962 struct smack_known *iskp = ipp->security;
2959 int may = smack_flags_to_may(flag); 2963 int may = smack_flags_to_may(flag);
2960 struct smk_audit_info ad; 2964 struct smk_audit_info ad;
2961 int rc; 2965 int rc;
@@ -2964,8 +2968,8 @@ static int smack_ipc_permission(struct kern_ipc_perm *ipp, short flag)
2964 smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_IPC); 2968 smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_IPC);
2965 ad.a.u.ipc_id = ipp->id; 2969 ad.a.u.ipc_id = ipp->id;
2966#endif 2970#endif
2967 rc = smk_curacc(isp, may, &ad); 2971 rc = smk_curacc(iskp, may, &ad);
2968 rc = smk_bu_current("svipc", isp, may, rc); 2972 rc = smk_bu_current("svipc", iskp, may, rc);
2969 return rc; 2973 return rc;
2970} 2974}
2971 2975
@@ -2976,9 +2980,9 @@ static int smack_ipc_permission(struct kern_ipc_perm *ipp, short flag)
2976 */ 2980 */
2977static void smack_ipc_getsecid(struct kern_ipc_perm *ipp, u32 *secid) 2981static void smack_ipc_getsecid(struct kern_ipc_perm *ipp, u32 *secid)
2978{ 2982{
2979 char *smack = ipp->security; 2983 struct smack_known *iskp = ipp->security;
2980 2984
2981 *secid = smack_to_secid(smack); 2985 *secid = iskp->smk_secid;
2982} 2986}
2983 2987
2984/** 2988/**
@@ -2995,7 +2999,7 @@ static void smack_d_instantiate(struct dentry *opt_dentry, struct inode *inode)
2995 struct inode_smack *isp; 2999 struct inode_smack *isp;
2996 struct smack_known *skp; 3000 struct smack_known *skp;
2997 struct smack_known *ckp = smk_of_current(); 3001 struct smack_known *ckp = smk_of_current();
2998 char *final; 3002 struct smack_known *final;
2999 char trattr[TRANS_TRUE_SIZE]; 3003 char trattr[TRANS_TRUE_SIZE];
3000 int transflag = 0; 3004 int transflag = 0;
3001 int rc; 3005 int rc;
@@ -3035,8 +3039,8 @@ static void smack_d_instantiate(struct dentry *opt_dentry, struct inode *inode)
3035 * so there's no opportunity to set the mount 3039 * so there's no opportunity to set the mount
3036 * options. 3040 * options.
3037 */ 3041 */
3038 sbsp->smk_root = smack_known_star.smk_known; 3042 sbsp->smk_root = &smack_known_star;
3039 sbsp->smk_default = smack_known_star.smk_known; 3043 sbsp->smk_default = &smack_known_star;
3040 } 3044 }
3041 isp->smk_inode = sbsp->smk_root; 3045 isp->smk_inode = sbsp->smk_root;
3042 isp->smk_flags |= SMK_INODE_INSTANT; 3046 isp->smk_flags |= SMK_INODE_INSTANT;
@@ -3066,7 +3070,7 @@ static void smack_d_instantiate(struct dentry *opt_dentry, struct inode *inode)
3066 * 3070 *
3067 * Cgroupfs is special 3071 * Cgroupfs is special
3068 */ 3072 */
3069 final = smack_known_star.smk_known; 3073 final = &smack_known_star;
3070 break; 3074 break;
3071 case DEVPTS_SUPER_MAGIC: 3075 case DEVPTS_SUPER_MAGIC:
3072 /* 3076 /*
@@ -3074,7 +3078,7 @@ static void smack_d_instantiate(struct dentry *opt_dentry, struct inode *inode)
3074 * Programs that change smack have to treat the 3078 * Programs that change smack have to treat the
3075 * pty with respect. 3079 * pty with respect.
3076 */ 3080 */
3077 final = ckp->smk_known; 3081 final = ckp;
3078 break; 3082 break;
3079 case PROC_SUPER_MAGIC: 3083 case PROC_SUPER_MAGIC:
3080 /* 3084 /*
@@ -3088,7 +3092,7 @@ static void smack_d_instantiate(struct dentry *opt_dentry, struct inode *inode)
3088 * but watch out, because they're volitile, 3092 * but watch out, because they're volitile,
3089 * getting recreated on every reboot. 3093 * getting recreated on every reboot.
3090 */ 3094 */
3091 final = smack_known_star.smk_known; 3095 final = &smack_known_star;
3092 /* 3096 /*
3093 * No break. 3097 * No break.
3094 * 3098 *
@@ -3107,7 +3111,7 @@ static void smack_d_instantiate(struct dentry *opt_dentry, struct inode *inode)
3107 * UNIX domain sockets use lower level socket data. 3111 * UNIX domain sockets use lower level socket data.
3108 */ 3112 */
3109 if (S_ISSOCK(inode->i_mode)) { 3113 if (S_ISSOCK(inode->i_mode)) {
3110 final = smack_known_star.smk_known; 3114 final = &smack_known_star;
3111 break; 3115 break;
3112 } 3116 }
3113 /* 3117 /*
@@ -3124,7 +3128,7 @@ static void smack_d_instantiate(struct dentry *opt_dentry, struct inode *inode)
3124 dp = dget(opt_dentry); 3128 dp = dget(opt_dentry);
3125 skp = smk_fetch(XATTR_NAME_SMACK, inode, dp); 3129 skp = smk_fetch(XATTR_NAME_SMACK, inode, dp);
3126 if (skp != NULL) 3130 if (skp != NULL)
3127 final = skp->smk_known; 3131 final = skp;
3128 3132
3129 /* 3133 /*
3130 * Transmuting directory 3134 * Transmuting directory
@@ -3173,7 +3177,7 @@ static void smack_d_instantiate(struct dentry *opt_dentry, struct inode *inode)
3173 } 3177 }
3174 3178
3175 if (final == NULL) 3179 if (final == NULL)
3176 isp->smk_inode = ckp->smk_known; 3180 isp->smk_inode = ckp;
3177 else 3181 else
3178 isp->smk_inode = final; 3182 isp->smk_inode = final;
3179 3183
@@ -3298,12 +3302,11 @@ static int smack_unix_stream_connect(struct sock *sock,
3298 smk_ad_init_net(&ad, __func__, LSM_AUDIT_DATA_NET, &net); 3302 smk_ad_init_net(&ad, __func__, LSM_AUDIT_DATA_NET, &net);
3299 smk_ad_setfield_u_net_sk(&ad, other); 3303 smk_ad_setfield_u_net_sk(&ad, other);
3300#endif 3304#endif
3301 rc = smk_access(skp, okp->smk_known, MAY_WRITE, &ad); 3305 rc = smk_access(skp, okp, MAY_WRITE, &ad);
3302 rc = smk_bu_note("UDS connect", skp, okp->smk_known, 3306 rc = smk_bu_note("UDS connect", skp, okp, MAY_WRITE, rc);
3303 MAY_WRITE, rc);
3304 if (rc == 0) { 3307 if (rc == 0) {
3305 rc = smk_access(okp, skp->smk_known, MAY_WRITE, NULL); 3308 rc = smk_access(okp, skp, MAY_WRITE, NULL);
3306 rc = smk_bu_note("UDS connect", okp, skp->smk_known, 3309 rc = smk_bu_note("UDS connect", okp, skp,
3307 MAY_WRITE, rc); 3310 MAY_WRITE, rc);
3308 } 3311 }
3309 } 3312 }
@@ -3331,7 +3334,6 @@ static int smack_unix_may_send(struct socket *sock, struct socket *other)
3331{ 3334{
3332 struct socket_smack *ssp = sock->sk->sk_security; 3335 struct socket_smack *ssp = sock->sk->sk_security;
3333 struct socket_smack *osp = other->sk->sk_security; 3336 struct socket_smack *osp = other->sk->sk_security;
3334 struct smack_known *skp;
3335 struct smk_audit_info ad; 3337 struct smk_audit_info ad;
3336 int rc; 3338 int rc;
3337 3339
@@ -3345,10 +3347,8 @@ static int smack_unix_may_send(struct socket *sock, struct socket *other)
3345 if (smack_privileged(CAP_MAC_OVERRIDE)) 3347 if (smack_privileged(CAP_MAC_OVERRIDE))
3346 return 0; 3348 return 0;
3347 3349
3348 skp = ssp->smk_out; 3350 rc = smk_access(ssp->smk_out, osp->smk_in, MAY_WRITE, &ad);
3349 rc = smk_access(skp, osp->smk_in->smk_known, MAY_WRITE, &ad); 3351 rc = smk_bu_note("UDS send", ssp->smk_out, osp->smk_in, MAY_WRITE, rc);
3350 rc = smk_bu_note("UDS send", skp, osp->smk_in->smk_known,
3351 MAY_WRITE, rc);
3352 return rc; 3352 return rc;
3353} 3353}
3354 3354
@@ -3563,8 +3563,8 @@ static int smack_socket_sock_rcv_skb(struct sock *sk, struct sk_buff *skb)
3563 * This is the simplist possible security model 3563 * This is the simplist possible security model
3564 * for networking. 3564 * for networking.
3565 */ 3565 */
3566 rc = smk_access(skp, ssp->smk_in->smk_known, MAY_WRITE, &ad); 3566 rc = smk_access(skp, ssp->smk_in, MAY_WRITE, &ad);
3567 rc = smk_bu_note("IPv4 delivery", skp, ssp->smk_in->smk_known, 3567 rc = smk_bu_note("IPv4 delivery", skp, ssp->smk_in,
3568 MAY_WRITE, rc); 3568 MAY_WRITE, rc);
3569 if (rc != 0) 3569 if (rc != 0)
3570 netlbl_skbuff_err(skb, rc, 0); 3570 netlbl_skbuff_err(skb, rc, 0);
@@ -3708,7 +3708,7 @@ static int smack_inet_conn_request(struct sock *sk, struct sk_buff *skb,
3708 struct netlbl_lsm_secattr secattr; 3708 struct netlbl_lsm_secattr secattr;
3709 struct sockaddr_in addr; 3709 struct sockaddr_in addr;
3710 struct iphdr *hdr; 3710 struct iphdr *hdr;
3711 char *hsp; 3711 struct smack_known *hskp;
3712 int rc; 3712 int rc;
3713 struct smk_audit_info ad; 3713 struct smk_audit_info ad;
3714#ifdef CONFIG_AUDIT 3714#ifdef CONFIG_AUDIT
@@ -3745,9 +3745,8 @@ static int smack_inet_conn_request(struct sock *sk, struct sk_buff *skb,
3745 * Receiving a packet requires that the other end be able to write 3745 * Receiving a packet requires that the other end be able to write
3746 * here. Read access is not required. 3746 * here. Read access is not required.
3747 */ 3747 */
3748 rc = smk_access(skp, ssp->smk_in->smk_known, MAY_WRITE, &ad); 3748 rc = smk_access(skp, ssp->smk_in, MAY_WRITE, &ad);
3749 rc = smk_bu_note("IPv4 connect", skp, ssp->smk_in->smk_known, 3749 rc = smk_bu_note("IPv4 connect", skp, ssp->smk_in, MAY_WRITE, rc);
3750 MAY_WRITE, rc);
3751 if (rc != 0) 3750 if (rc != 0)
3752 return rc; 3751 return rc;
3753 3752
@@ -3765,10 +3764,10 @@ static int smack_inet_conn_request(struct sock *sk, struct sk_buff *skb,
3765 hdr = ip_hdr(skb); 3764 hdr = ip_hdr(skb);
3766 addr.sin_addr.s_addr = hdr->saddr; 3765 addr.sin_addr.s_addr = hdr->saddr;
3767 rcu_read_lock(); 3766 rcu_read_lock();
3768 hsp = smack_host_label(&addr); 3767 hskp = smack_host_label(&addr);
3769 rcu_read_unlock(); 3768 rcu_read_unlock();
3770 3769
3771 if (hsp == NULL) 3770 if (hskp == NULL)
3772 rc = netlbl_req_setattr(req, &skp->smk_netlabel); 3771 rc = netlbl_req_setattr(req, &skp->smk_netlabel);
3773 else 3772 else
3774 netlbl_req_delattr(req); 3773 netlbl_req_delattr(req);
@@ -3820,7 +3819,7 @@ static int smack_key_alloc(struct key *key, const struct cred *cred,
3820{ 3819{
3821 struct smack_known *skp = smk_of_task(cred->security); 3820 struct smack_known *skp = smk_of_task(cred->security);
3822 3821
3823 key->security = skp->smk_known; 3822 key->security = skp;
3824 return 0; 3823 return 0;
3825} 3824}
3826 3825
@@ -3909,6 +3908,7 @@ static int smack_key_permission(key_ref_t key_ref,
3909 */ 3908 */
3910static int smack_audit_rule_init(u32 field, u32 op, char *rulestr, void **vrule) 3909static int smack_audit_rule_init(u32 field, u32 op, char *rulestr, void **vrule)
3911{ 3910{
3911 struct smack_known *skp;
3912 char **rule = (char **)vrule; 3912 char **rule = (char **)vrule;
3913 *rule = NULL; 3913 *rule = NULL;
3914 3914
@@ -3918,7 +3918,9 @@ static int smack_audit_rule_init(u32 field, u32 op, char *rulestr, void **vrule)
3918 if (op != Audit_equal && op != Audit_not_equal) 3918 if (op != Audit_equal && op != Audit_not_equal)
3919 return -EINVAL; 3919 return -EINVAL;
3920 3920
3921 *rule = smk_import(rulestr, 0); 3921 skp = smk_import_entry(rulestr, 0);
3922 if (skp)
3923 *rule = skp->smk_known;
3922 3924
3923 return 0; 3925 return 0;
3924} 3926}
@@ -4037,7 +4039,12 @@ static int smack_secid_to_secctx(u32 secid, char **secdata, u32 *seclen)
4037 */ 4039 */
4038static int smack_secctx_to_secid(const char *secdata, u32 seclen, u32 *secid) 4040static int smack_secctx_to_secid(const char *secdata, u32 seclen, u32 *secid)
4039{ 4041{
4040 *secid = smack_to_secid(secdata); 4042 struct smack_known *skp = smk_find_entry(secdata);
4043
4044 if (skp)
4045 *secid = skp->smk_secid;
4046 else
4047 *secid = 0;
4041 return 0; 4048 return 0;
4042} 4049}
4043 4050
diff --git a/security/smack/smackfs.c b/security/smack/smackfs.c
index 49a2248b525c..bce4e8f1b267 100644
--- a/security/smack/smackfs.c
+++ b/security/smack/smackfs.c
@@ -131,14 +131,17 @@ LIST_HEAD(smack_rule_list);
131 131
132struct smack_parsed_rule { 132struct smack_parsed_rule {
133 struct smack_known *smk_subject; 133 struct smack_known *smk_subject;
134 char *smk_object; 134 struct smack_known *smk_object;
135 int smk_access1; 135 int smk_access1;
136 int smk_access2; 136 int smk_access2;
137}; 137};
138 138
139static int smk_cipso_doi_value = SMACK_CIPSO_DOI_DEFAULT; 139static int smk_cipso_doi_value = SMACK_CIPSO_DOI_DEFAULT;
140 140
141const char *smack_cipso_option = SMACK_CIPSO_OPTION; 141struct smack_known smack_cipso_option = {
142 .smk_known = SMACK_CIPSO_OPTION,
143 .smk_secid = 0,
144};
142 145
143/* 146/*
144 * Values for parsing cipso rules 147 * Values for parsing cipso rules
@@ -339,7 +342,7 @@ static int smk_fill_rule(const char *subject, const char *object,
339 if (rule->smk_subject == NULL) 342 if (rule->smk_subject == NULL)
340 return -EINVAL; 343 return -EINVAL;
341 344
342 rule->smk_object = smk_import(object, len); 345 rule->smk_object = smk_import_entry(object, len);
343 if (rule->smk_object == NULL) 346 if (rule->smk_object == NULL)
344 return -EINVAL; 347 return -EINVAL;
345 } else { 348 } else {
@@ -359,7 +362,7 @@ static int smk_fill_rule(const char *subject, const char *object,
359 kfree(cp); 362 kfree(cp);
360 if (skp == NULL) 363 if (skp == NULL)
361 return -ENOENT; 364 return -ENOENT;
362 rule->smk_object = skp->smk_known; 365 rule->smk_object = skp;
363 } 366 }
364 367
365 rule->smk_access1 = smk_perm_from_str(access1); 368 rule->smk_access1 = smk_perm_from_str(access1);
@@ -598,13 +601,15 @@ static void smk_rule_show(struct seq_file *s, struct smack_rule *srp, int max)
598 * anything you read back. 601 * anything you read back.
599 */ 602 */
600 if (strlen(srp->smk_subject->smk_known) >= max || 603 if (strlen(srp->smk_subject->smk_known) >= max ||
601 strlen(srp->smk_object) >= max) 604 strlen(srp->smk_object->smk_known) >= max)
602 return; 605 return;
603 606
604 if (srp->smk_access == 0) 607 if (srp->smk_access == 0)
605 return; 608 return;
606 609
607 seq_printf(s, "%s %s", srp->smk_subject->smk_known, srp->smk_object); 610 seq_printf(s, "%s %s",
611 srp->smk_subject->smk_known,
612 srp->smk_object->smk_known);
608 613
609 seq_putc(s, ' '); 614 seq_putc(s, ' ');
610 615
@@ -1073,7 +1078,7 @@ static int netlbladdr_seq_show(struct seq_file *s, void *v)
1073 for (maskn = 0; temp_mask; temp_mask <<= 1, maskn++); 1078 for (maskn = 0; temp_mask; temp_mask <<= 1, maskn++);
1074 1079
1075 seq_printf(s, "%u.%u.%u.%u/%d %s\n", 1080 seq_printf(s, "%u.%u.%u.%u/%d %s\n",
1076 hp[0], hp[1], hp[2], hp[3], maskn, skp->smk_label); 1081 hp[0], hp[1], hp[2], hp[3], maskn, skp->smk_label->smk_known);
1077 1082
1078 return 0; 1083 return 0;
1079} 1084}
@@ -1153,10 +1158,10 @@ static void smk_netlbladdr_insert(struct smk_netlbladdr *new)
1153static ssize_t smk_write_netlbladdr(struct file *file, const char __user *buf, 1158static ssize_t smk_write_netlbladdr(struct file *file, const char __user *buf,
1154 size_t count, loff_t *ppos) 1159 size_t count, loff_t *ppos)
1155{ 1160{
1156 struct smk_netlbladdr *skp; 1161 struct smk_netlbladdr *snp;
1157 struct sockaddr_in newname; 1162 struct sockaddr_in newname;
1158 char *smack; 1163 char *smack;
1159 char *sp; 1164 struct smack_known *skp;
1160 char *data; 1165 char *data;
1161 char *host = (char *)&newname.sin_addr.s_addr; 1166 char *host = (char *)&newname.sin_addr.s_addr;
1162 int rc; 1167 int rc;
@@ -1219,15 +1224,15 @@ static ssize_t smk_write_netlbladdr(struct file *file, const char __user *buf,
1219 * If smack begins with '-', it is an option, don't import it 1224 * If smack begins with '-', it is an option, don't import it
1220 */ 1225 */
1221 if (smack[0] != '-') { 1226 if (smack[0] != '-') {
1222 sp = smk_import(smack, 0); 1227 skp = smk_import_entry(smack, 0);
1223 if (sp == NULL) { 1228 if (skp == NULL) {
1224 rc = -EINVAL; 1229 rc = -EINVAL;
1225 goto free_out; 1230 goto free_out;
1226 } 1231 }
1227 } else { 1232 } else {
1228 /* check known options */ 1233 /* check known options */
1229 if (strcmp(smack, smack_cipso_option) == 0) 1234 if (strcmp(smack, smack_cipso_option.smk_known) == 0)
1230 sp = (char *)smack_cipso_option; 1235 skp = &smack_cipso_option;
1231 else { 1236 else {
1232 rc = -EINVAL; 1237 rc = -EINVAL;
1233 goto free_out; 1238 goto free_out;
@@ -1250,9 +1255,9 @@ static ssize_t smk_write_netlbladdr(struct file *file, const char __user *buf,
1250 nsa = newname.sin_addr.s_addr; 1255 nsa = newname.sin_addr.s_addr;
1251 /* try to find if the prefix is already in the list */ 1256 /* try to find if the prefix is already in the list */
1252 found = 0; 1257 found = 0;
1253 list_for_each_entry_rcu(skp, &smk_netlbladdr_list, list) { 1258 list_for_each_entry_rcu(snp, &smk_netlbladdr_list, list) {
1254 if (skp->smk_host.sin_addr.s_addr == nsa && 1259 if (snp->smk_host.sin_addr.s_addr == nsa &&
1255 skp->smk_mask.s_addr == mask.s_addr) { 1260 snp->smk_mask.s_addr == mask.s_addr) {
1256 found = 1; 1261 found = 1;
1257 break; 1262 break;
1258 } 1263 }
@@ -1260,26 +1265,26 @@ static ssize_t smk_write_netlbladdr(struct file *file, const char __user *buf,
1260 smk_netlabel_audit_set(&audit_info); 1265 smk_netlabel_audit_set(&audit_info);
1261 1266
1262 if (found == 0) { 1267 if (found == 0) {
1263 skp = kzalloc(sizeof(*skp), GFP_KERNEL); 1268 snp = kzalloc(sizeof(*snp), GFP_KERNEL);
1264 if (skp == NULL) 1269 if (snp == NULL)
1265 rc = -ENOMEM; 1270 rc = -ENOMEM;
1266 else { 1271 else {
1267 rc = 0; 1272 rc = 0;
1268 skp->smk_host.sin_addr.s_addr = newname.sin_addr.s_addr; 1273 snp->smk_host.sin_addr.s_addr = newname.sin_addr.s_addr;
1269 skp->smk_mask.s_addr = mask.s_addr; 1274 snp->smk_mask.s_addr = mask.s_addr;
1270 skp->smk_label = sp; 1275 snp->smk_label = skp;
1271 smk_netlbladdr_insert(skp); 1276 smk_netlbladdr_insert(snp);
1272 } 1277 }
1273 } else { 1278 } else {
1274 /* we delete the unlabeled entry, only if the previous label 1279 /* we delete the unlabeled entry, only if the previous label
1275 * wasn't the special CIPSO option */ 1280 * wasn't the special CIPSO option */
1276 if (skp->smk_label != smack_cipso_option) 1281 if (snp->smk_label != &smack_cipso_option)
1277 rc = netlbl_cfg_unlbl_static_del(&init_net, NULL, 1282 rc = netlbl_cfg_unlbl_static_del(&init_net, NULL,
1278 &skp->smk_host.sin_addr, &skp->smk_mask, 1283 &snp->smk_host.sin_addr, &snp->smk_mask,
1279 PF_INET, &audit_info); 1284 PF_INET, &audit_info);
1280 else 1285 else
1281 rc = 0; 1286 rc = 0;
1282 skp->smk_label = sp; 1287 snp->smk_label = skp;
1283 } 1288 }
1284 1289
1285 /* 1290 /*
@@ -1287,10 +1292,10 @@ static ssize_t smk_write_netlbladdr(struct file *file, const char __user *buf,
1287 * this host so that incoming packets get labeled. 1292 * this host so that incoming packets get labeled.
1288 * but only if we didn't get the special CIPSO option 1293 * but only if we didn't get the special CIPSO option
1289 */ 1294 */
1290 if (rc == 0 && sp != smack_cipso_option) 1295 if (rc == 0 && skp != &smack_cipso_option)
1291 rc = netlbl_cfg_unlbl_static_add(&init_net, NULL, 1296 rc = netlbl_cfg_unlbl_static_add(&init_net, NULL,
1292 &skp->smk_host.sin_addr, &skp->smk_mask, PF_INET, 1297 &snp->smk_host.sin_addr, &snp->smk_mask, PF_INET,
1293 smack_to_secid(skp->smk_label), &audit_info); 1298 snp->smk_label->smk_secid, &audit_info);
1294 1299
1295 if (rc == 0) 1300 if (rc == 0)
1296 rc = count; 1301 rc = count;
generated by cgit v1.2.2 (git 2.25.0) at 2026-05-27 19:57:01 -0400