path: root/security/smack/smack_access.c
Diffstat (limited to 'security/smack/smack_access.c')
-rw-r--r--security/smack/smack_access.c43
1 files changed, 33 insertions, 10 deletions
diff --git a/security/smack/smack_access.c b/security/smack/smack_access.c
index 1158430f5bb9..0f410fc56e33 100644
--- a/security/smack/smack_access.c
+++ b/security/smack/smack_access.c
@@ -130,7 +130,8 @@ int smk_access(struct smack_known *subject, struct smack_known *object,
130 130
131 /* 131 /*
132 * Hardcoded comparisons. 132 * Hardcoded comparisons.
133 * 133 */
134 /*
134 * A star subject can't access any object. 135 * A star subject can't access any object.
135 */ 136 */
136 if (subject == &smack_known_star) { 137 if (subject == &smack_known_star) {
@@ -189,10 +190,20 @@ int smk_access(struct smack_known *subject, struct smack_known *object,
189 * succeed because of "b" rules. 190 * succeed because of "b" rules.
190 */ 191 */
191 if (may & MAY_BRINGUP) 192 if (may & MAY_BRINGUP)
192 rc = MAY_BRINGUP; 193 rc = SMACK_BRINGUP_ALLOW;
193#endif 194#endif
194 195
195out_audit: 196out_audit:
197
198#ifdef CONFIG_SECURITY_SMACK_BRINGUP
199 if (rc < 0) {
200 if (object == smack_unconfined)
201 rc = SMACK_UNCONFINED_OBJECT;
202 if (subject == smack_unconfined)
203 rc = SMACK_UNCONFINED_SUBJECT;
204 }
205#endif
206
196#ifdef CONFIG_AUDIT 207#ifdef CONFIG_AUDIT
197 if (a) 208 if (a)
198 smack_log(subject->smk_known, object->smk_known, 209 smack_log(subject->smk_known, object->smk_known,
@@ -338,19 +349,16 @@ static void smack_log_callback(struct audit_buffer *ab, void *a)
338void smack_log(char *subject_label, char *object_label, int request, 349void smack_log(char *subject_label, char *object_label, int request,
339 int result, struct smk_audit_info *ad) 350 int result, struct smk_audit_info *ad)
340{ 351{
352#ifdef CONFIG_SECURITY_SMACK_BRINGUP
353 char request_buffer[SMK_NUM_ACCESS_TYPE + 5];
354#else
341 char request_buffer[SMK_NUM_ACCESS_TYPE + 1]; 355 char request_buffer[SMK_NUM_ACCESS_TYPE + 1];
356#endif
342 struct smack_audit_data *sad; 357 struct smack_audit_data *sad;
343 struct common_audit_data *a = &ad->a; 358 struct common_audit_data *a = &ad->a;
344 359
345#ifdef CONFIG_SECURITY_SMACK_BRINGUP
346 /*
347 * The result may be positive in bringup mode.
348 */
349 if (result > 0)
350 result = 0;
351#endif
352 /* check if we have to log the current event */ 360 /* check if we have to log the current event */
353 if (result != 0 && (log_policy & SMACK_AUDIT_DENIED) == 0) 361 if (result < 0 && (log_policy & SMACK_AUDIT_DENIED) == 0)
354 return; 362 return;
355 if (result == 0 && (log_policy & SMACK_AUDIT_ACCEPT) == 0) 363 if (result == 0 && (log_policy & SMACK_AUDIT_ACCEPT) == 0)
356 return; 364 return;
@@ -364,6 +372,21 @@ void smack_log(char *subject_label, char *object_label, int request,
364 smack_str_from_perm(request_buffer, request); 372 smack_str_from_perm(request_buffer, request);
365 sad->subject = subject_label; 373 sad->subject = subject_label;
366 sad->object = object_label; 374 sad->object = object_label;
375#ifdef CONFIG_SECURITY_SMACK_BRINGUP
376 /*
377 * The result may be positive in bringup mode.
378 * A positive result is an allow, but not for normal reasons.
379 * Mark it as successful, but don't filter it out even if
380 * the logging policy says to do so.
381 */
382 if (result == SMACK_UNCONFINED_SUBJECT)
383 strcat(request_buffer, "(US)");
384 else if (result == SMACK_UNCONFINED_OBJECT)
385 strcat(request_buffer, "(UO)");
386
387 if (result > 0)
388 result = 0;
389#endif
367 sad->request = request_buffer; 390 sad->request = request_buffer;
368 sad->result = result; 391 sad->result = result;
369 392
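Review bot: The two `strcat` calls in the new bringup block of smack_log rely on an exact-fit buffer: `request_buffer` is `SMK_NUM_ACCESS_TYPE + 5` bytes and the suffix is 4 characters plus the terminator, so the arithmetic only holds if smack_str_from_perm writes at most SMK_NUM_ACCESS_TYPE characters plus NUL, which is not visible in this hunk, and any longer future marker would overflow silently. Since the buffer is a fixed-size stack array, the bounded form costs nothing here: `strlcat(request_buffer, "(US)", sizeof(request_buffer));` and likewise for `"(UO)"`, with a short comment on the `+ 5` declaration, e.g. `/* room for the 4-char "(US)"/"(UO)" bringup marker */`, so the two sizes stay tied together. Note also that the subject check in smk_access runs after the object check, so a request where both labels are the unconfined label is reported as SMACK_UNCONFINED_SUBJECT; if that precedence is intended, a one-line comment there would save the next reader working it out. The body of smack_log continues beyond the last hunk.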