-rw-r--r--security/smack/smack.h8
-rw-r--r--security/smack/smack_lsm.c30
-rw-r--r--security/smack/smackfs.c2
3 files changed, 31 insertions, 9 deletions
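--- a/security/smack/smack.h
+++ b/security/smack/smack.h
@@ -168,9 +168,13 @@ struct smk_port_label {
 #define SMACK_CIPSO_DOI_INVALID -1 /* Not a DOI */
 #define SMACK_CIPSO_DIRECT_DEFAULT 250 /* Arbitrary */
 #define SMACK_CIPSO_MAPPED_DEFAULT 251 /* Also arbitrary */
-#define SMACK_CIPSO_MAXCATVAL 63 /* Bigger gets harder */
 #define SMACK_CIPSO_MAXLEVEL 255 /* CIPSO 2.2 standard */
-#define SMACK_CIPSO_MAXCATNUM 239 /* CIPSO 2.2 standard */
+/*
+ * CIPSO 2.2 standard is 239, but Smack wants to use the
+ * categories in a structured way that limits the value to
+ * the bits in 23 bytes, hence the unusual number.
+ */
+#define SMACK_CIPSO_MAXCATNUM 184 /* 23 * 8 */
 
 /*
  * Flag for transmute access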
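Review bot: The new comment above SMACK_CIPSO_MAXCATNUM (new lines 172-177) says where 184 comes from but not whether the bound is inclusive or what the lowest category number is, and the one caller changed in this commit, `cat > SMACK_CIPSO_MAXCATNUM` at smackfs.c line 893, accepts cat == 184. If categories are numbered from 1, 184 is the last bit of 23 bytes and the `>` check is right; if they are numbered from 0, 184 would be the first bit of a 24th byte. Since the constant is the only thing standing between parsed input and the catset write, the comment should state the numbering, e.g. `/* Highest accepted category number; categories 1..184 map one-to-one onto the bits of 23 bytes */` (adjusted if the base is actually 0). The same point applies to the smackfs.c hunk and is not repeated there.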
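--- a/security/smack/smack_lsm.c
+++ b/security/smack/smack_lsm.c
@@ -3066,6 +3066,8 @@ static struct smack_known *smack_from_secattr(struct netlbl_lsm_secattr *sap,
 {
 	struct smack_known *skp;
 	int found = 0;
+	int acat;
+	int kcat;
 
 	if ((sap->flags & NETLBL_SECATTR_MLS_LVL) != 0) {
 		/*
@@ -3082,12 +3084,28 @@ static struct smack_known *smack_from_secattr(struct netlbl_lsm_secattr *sap,
 		list_for_each_entry(skp, &smack_known_list, list) {
 			if (sap->attr.mls.lvl != skp->smk_netlabel.attr.mls.lvl)
 				continue;
-			if (memcmp(sap->attr.mls.cat,
-				   skp->smk_netlabel.attr.mls.cat,
-				   SMK_CIPSOLEN) != 0)
-				continue;
-			found = 1;
-			break;
+			/*
+			 * Compare the catsets. Use the netlbl APIs.
+			 */
+			if ((sap->flags & NETLBL_SECATTR_MLS_CAT) == 0) {
+				if ((skp->smk_netlabel.flags &
+				     NETLBL_SECATTR_MLS_CAT) == 0)
+					found = 1;
+				break;
+			}
+			for (acat = -1, kcat = -1; acat == kcat; ) {
+				acat = netlbl_secattr_catmap_walk(
+					sap->attr.mls.cat, acat + 1);
+				kcat = netlbl_secattr_catmap_walk(
+					skp->smk_netlabel.attr.mls.cat,
+					kcat + 1);
+				if (acat < 0 || kcat < 0)
+					break;
+			}
+			if (acat == kcat) {
+				found = 1;
+				break;
+			}
 		}
 		rcu_read_unlock();
 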
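Review bot: The unconditional `break;` at new line 3094 ends the list walk at the first known label whose level matches, even when that label carries a catset and the incoming secattr does not; a later label with the same level and no categories is then never considered, so whether a category-less packet is recognised depends on the order of smack_known_list. Unless the list guarantees at most one label per level (not visible in this hunk), the no-category branch should skip the mismatch and keep walking: `if ((skp->smk_netlabel.flags & NETLBL_SECATTR_MLS_CAT) != 0)` / `continue;` followed by the existing `found = 1; break;`. The paired catmap walk at new lines 3096-3108 looks right: it stops at the first differing category or when either map is exhausted, and the final `acat == kcat` test treats two identical end-of-map results as a match, which relies on both walks returning the same negative value at the end. smack_from_secattr begins before the first hunk and continues past this one.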
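--- a/security/smack/smackfs.c
+++ b/security/smack/smackfs.c
@@ -890,7 +890,7 @@ static ssize_t smk_set_cipso(struct file *file, const char __user *buf,
 	for (i = 0; i < catlen; i++) {
 		rule += SMK_DIGITLEN;
 		ret = sscanf(rule, "%u", &cat);
-		if (ret != 1 || cat > SMACK_CIPSO_MAXCATVAL)
+		if (ret != 1 || cat > SMACK_CIPSO_MAXCATNUM)
 			goto out;
 
 		smack_catset_bit(cat, mapcatset);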