Diffstat (limited to 'security/smack/smack_access.c')
-rw-r--r-- | security/smack/smack_access.c | 43 |
1 files changed, 33 insertions, 10 deletions
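--- a/security/smack/smack_access.c
+++ b/security/smack/smack_access.c
@@ -130,7 +130,8 @@ int smk_access(struct smack_known *subject, struct smack_known *object,
 
 	/*
 	 * Hardcoded comparisons.
-	 *
+	 */
+	/*
 	 * A star subject can't access any object.
 	 */
 	if (subject == &smack_known_star) {
@@ -189,10 +190,20 @@ int smk_access(struct smack_known *subject, struct smack_known *object,
 	 * succeed because of "b" rules.
 	 */
 	if (may & MAY_BRINGUP)
-		rc = MAY_BRINGUP;
+		rc = SMACK_BRINGUP_ALLOW;
 #endif
 
 out_audit:
+
+#ifdef CONFIG_SECURITY_SMACK_BRINGUP
+	if (rc < 0) {
+		if (object == smack_unconfined)
+			rc = SMACK_UNCONFINED_OBJECT;
+		if (subject == smack_unconfined)
+			rc = SMACK_UNCONFINED_SUBJECT;
+	}
+#endif
+
 #ifdef CONFIG_AUDIT
 	if (a)
 		smack_log(subject->smk_known, object->smk_known,
@@ -338,19 +349,16 @@ static void smack_log_callback(struct audit_buffer *ab, void *a)
 void smack_log(char *subject_label, char *object_label, int request,
 	       int result, struct smk_audit_info *ad)
 {
+#ifdef CONFIG_SECURITY_SMACK_BRINGUP
+	char request_buffer[SMK_NUM_ACCESS_TYPE + 5];
+#else
 	char request_buffer[SMK_NUM_ACCESS_TYPE + 1];
+#endif
 	struct smack_audit_data *sad;
 	struct common_audit_data *a = &ad->a;
 
-#ifdef CONFIG_SECURITY_SMACK_BRINGUP
-	/*
-	 * The result may be positive in bringup mode.
-	 */
-	if (result > 0)
-		result = 0;
-#endif
 	/* check if we have to log the current event */
-	if (result != 0 && (log_policy & SMACK_AUDIT_DENIED) == 0)
+	if (result < 0 && (log_policy & SMACK_AUDIT_DENIED) == 0)
 		return;
 	if (result == 0 && (log_policy & SMACK_AUDIT_ACCEPT) == 0)
 		return;
@@ -364,6 +372,21 @@ void smack_log(char *subject_label, char *object_label, int request,
 	smack_str_from_perm(request_buffer, request);
 	sad->subject = subject_label;
 	sad->object = object_label;
+#ifdef CONFIG_SECURITY_SMACK_BRINGUP
+	/*
+	 * The result may be positive in bringup mode.
+	 * A positive result is an allow, but not for normal reasons.
+	 * Mark it as successful, but don't filter it out even if
+	 * the logging policy says to do so.
+	 */
+	if (result == SMACK_UNCONFINED_SUBJECT)
+		strcat(request_buffer, "(US)");
+	else if (result == SMACK_UNCONFINED_OBJECT)
+		strcat(request_buffer, "(UO)");
+
+	if (result > 0)
+		result = 0;
+#endif
 	sad->request = request_buffer;
 	sad->result = result;
 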