diff options
Diffstat (limited to 'security/smack/smack_access.c')
| -rw-r--r-- | security/smack/smack_access.c | 43 |
1 files changed, 23 insertions, 20 deletions
diff --git a/security/smack/smack_access.c b/security/smack/smack_access.c index 2e397a88d410..6a0377f38620 100644 --- a/security/smack/smack_access.c +++ b/security/smack/smack_access.c | |||
| @@ -93,7 +93,7 @@ int smk_access_entry(char *subject_label, char *object_label, | |||
| 93 | 93 | ||
| 94 | list_for_each_entry_rcu(srp, rule_list, list) { | 94 | list_for_each_entry_rcu(srp, rule_list, list) { |
| 95 | if (srp->smk_object == object_label && | 95 | if (srp->smk_object == object_label && |
| 96 | srp->smk_subject == subject_label) { | 96 | srp->smk_subject->smk_known == subject_label) { |
| 97 | may = srp->smk_access; | 97 | may = srp->smk_access; |
| 98 | break; | 98 | break; |
| 99 | } | 99 | } |
| @@ -104,7 +104,7 @@ int smk_access_entry(char *subject_label, char *object_label, | |||
| 104 | 104 | ||
| 105 | /** | 105 | /** |
| 106 | * smk_access - determine if a subject has a specific access to an object | 106 | * smk_access - determine if a subject has a specific access to an object |
| 107 | * @subject_label: a pointer to the subject's Smack label | 107 | * @subject_known: a pointer to the subject's Smack label entry |
| 108 | * @object_label: a pointer to the object's Smack label | 108 | * @object_label: a pointer to the object's Smack label |
| 109 | * @request: the access requested, in "MAY" format | 109 | * @request: the access requested, in "MAY" format |
| 110 | * @a : a pointer to the audit data | 110 | * @a : a pointer to the audit data |
| @@ -115,10 +115,9 @@ int smk_access_entry(char *subject_label, char *object_label, | |||
| 115 | * | 115 | * |
| 116 | * Smack labels are shared on smack_list | 116 | * Smack labels are shared on smack_list |
| 117 | */ | 117 | */ |
| 118 | int smk_access(char *subject_label, char *object_label, int request, | 118 | int smk_access(struct smack_known *subject_known, char *object_label, |
| 119 | struct smk_audit_info *a) | 119 | int request, struct smk_audit_info *a) |
| 120 | { | 120 | { |
| 121 | struct smack_known *skp; | ||
| 122 | int may = MAY_NOT; | 121 | int may = MAY_NOT; |
| 123 | int rc = 0; | 122 | int rc = 0; |
| 124 | 123 | ||
| @@ -127,7 +126,7 @@ int smk_access(char *subject_label, char *object_label, int request, | |||
| 127 | * | 126 | * |
| 128 | * A star subject can't access any object. | 127 | * A star subject can't access any object. |
| 129 | */ | 128 | */ |
| 130 | if (subject_label == smack_known_star.smk_known) { | 129 | if (subject_known == &smack_known_star) { |
| 131 | rc = -EACCES; | 130 | rc = -EACCES; |
| 132 | goto out_audit; | 131 | goto out_audit; |
| 133 | } | 132 | } |
| @@ -137,7 +136,7 @@ int smk_access(char *subject_label, char *object_label, int request, | |||
| 137 | * An internet subject can access any object. | 136 | * An internet subject can access any object. |
| 138 | */ | 137 | */ |
| 139 | if (object_label == smack_known_web.smk_known || | 138 | if (object_label == smack_known_web.smk_known || |
| 140 | subject_label == smack_known_web.smk_known) | 139 | subject_known == &smack_known_web) |
| 141 | goto out_audit; | 140 | goto out_audit; |
| 142 | /* | 141 | /* |
| 143 | * A star object can be accessed by any subject. | 142 | * A star object can be accessed by any subject. |
| @@ -148,7 +147,7 @@ int smk_access(char *subject_label, char *object_label, int request, | |||
| 148 | * An object can be accessed in any way by a subject | 147 | * An object can be accessed in any way by a subject |
| 149 | * with the same label. | 148 | * with the same label. |
| 150 | */ | 149 | */ |
| 151 | if (subject_label == object_label) | 150 | if (subject_known->smk_known == object_label) |
| 152 | goto out_audit; | 151 | goto out_audit; |
| 153 | /* | 152 | /* |
| 154 | * A hat subject can read any object. | 153 | * A hat subject can read any object. |
| @@ -157,7 +156,7 @@ int smk_access(char *subject_label, char *object_label, int request, | |||
| 157 | if ((request & MAY_ANYREAD) == request) { | 156 | if ((request & MAY_ANYREAD) == request) { |
| 158 | if (object_label == smack_known_floor.smk_known) | 157 | if (object_label == smack_known_floor.smk_known) |
| 159 | goto out_audit; | 158 | goto out_audit; |
| 160 | if (subject_label == smack_known_hat.smk_known) | 159 | if (subject_known == &smack_known_hat) |
| 161 | goto out_audit; | 160 | goto out_audit; |
| 162 | } | 161 | } |
| 163 | /* | 162 | /* |
| @@ -167,9 +166,9 @@ int smk_access(char *subject_label, char *object_label, int request, | |||
| 167 | * good. A negative response from smk_access_entry() | 166 | * good. A negative response from smk_access_entry() |
| 168 | * indicates there is no entry for this pair. | 167 | * indicates there is no entry for this pair. |
| 169 | */ | 168 | */ |
| 170 | skp = smk_find_entry(subject_label); | ||
| 171 | rcu_read_lock(); | 169 | rcu_read_lock(); |
| 172 | may = smk_access_entry(subject_label, object_label, &skp->smk_rules); | 170 | may = smk_access_entry(subject_known->smk_known, object_label, |
| 171 | &subject_known->smk_rules); | ||
| 173 | rcu_read_unlock(); | 172 | rcu_read_unlock(); |
| 174 | 173 | ||
| 175 | if (may > 0 && (request & may) == request) | 174 | if (may > 0 && (request & may) == request) |
| @@ -179,7 +178,8 @@ int smk_access(char *subject_label, char *object_label, int request, | |||
| 179 | out_audit: | 178 | out_audit: |
| 180 | #ifdef CONFIG_AUDIT | 179 | #ifdef CONFIG_AUDIT |
| 181 | if (a) | 180 | if (a) |
| 182 | smack_log(subject_label, object_label, request, rc, a); | 181 | smack_log(subject_known->smk_known, object_label, request, |
| 182 | rc, a); | ||
| 183 | #endif | 183 | #endif |
| 184 | return rc; | 184 | return rc; |
| 185 | } | 185 | } |
| @@ -198,20 +198,21 @@ out_audit: | |||
| 198 | int smk_curacc(char *obj_label, u32 mode, struct smk_audit_info *a) | 198 | int smk_curacc(char *obj_label, u32 mode, struct smk_audit_info *a) |
| 199 | { | 199 | { |
| 200 | struct task_smack *tsp = current_security(); | 200 | struct task_smack *tsp = current_security(); |
| 201 | char *sp = smk_of_task(tsp); | 201 | struct smack_known *skp = smk_of_task(tsp); |
| 202 | int may; | 202 | int may; |
| 203 | int rc; | 203 | int rc; |
| 204 | 204 | ||
| 205 | /* | 205 | /* |
| 206 | * Check the global rule list | 206 | * Check the global rule list |
| 207 | */ | 207 | */ |
| 208 | rc = smk_access(sp, obj_label, mode, NULL); | 208 | rc = smk_access(skp, obj_label, mode, NULL); |
| 209 | if (rc == 0) { | 209 | if (rc == 0) { |
| 210 | /* | 210 | /* |
| 211 | * If there is an entry in the task's rule list | 211 | * If there is an entry in the task's rule list |
| 212 | * it can further restrict access. | 212 | * it can further restrict access. |
| 213 | */ | 213 | */ |
| 214 | may = smk_access_entry(sp, obj_label, &tsp->smk_rules); | 214 | may = smk_access_entry(skp->smk_known, obj_label, |
| 215 | &tsp->smk_rules); | ||
| 215 | if (may < 0) | 216 | if (may < 0) |
| 216 | goto out_audit; | 217 | goto out_audit; |
| 217 | if ((mode & may) == mode) | 218 | if ((mode & may) == mode) |
| @@ -228,7 +229,7 @@ int smk_curacc(char *obj_label, u32 mode, struct smk_audit_info *a) | |||
| 228 | out_audit: | 229 | out_audit: |
| 229 | #ifdef CONFIG_AUDIT | 230 | #ifdef CONFIG_AUDIT |
| 230 | if (a) | 231 | if (a) |
| 231 | smack_log(sp, obj_label, mode, rc, a); | 232 | smack_log(skp->smk_known, obj_label, mode, rc, a); |
| 232 | #endif | 233 | #endif |
| 233 | return rc; | 234 | return rc; |
| 234 | } | 235 | } |
| @@ -402,6 +403,8 @@ int smk_netlbl_mls(int level, char *catset, struct netlbl_lsm_secattr *sap, | |||
| 402 | sap->flags |= NETLBL_SECATTR_MLS_CAT; | 403 | sap->flags |= NETLBL_SECATTR_MLS_CAT; |
| 403 | sap->attr.mls.lvl = level; | 404 | sap->attr.mls.lvl = level; |
| 404 | sap->attr.mls.cat = netlbl_secattr_catmap_alloc(GFP_ATOMIC); | 405 | sap->attr.mls.cat = netlbl_secattr_catmap_alloc(GFP_ATOMIC); |
| 406 | if (!sap->attr.mls.cat) | ||
| 407 | return -ENOMEM; | ||
| 405 | sap->attr.mls.cat->startbit = 0; | 408 | sap->attr.mls.cat->startbit = 0; |
| 406 | 409 | ||
| 407 | for (cat = 1, cp = catset, byte = 0; byte < len; cp++, byte++) | 410 | for (cat = 1, cp = catset, byte = 0; byte < len; cp++, byte++) |
| @@ -513,10 +516,10 @@ char *smk_import(const char *string, int len) | |||
| 513 | * smack_from_secid - find the Smack label associated with a secid | 516 | * smack_from_secid - find the Smack label associated with a secid |
| 514 | * @secid: an integer that might be associated with a Smack label | 517 | * @secid: an integer that might be associated with a Smack label |
| 515 | * | 518 | * |
| 516 | * Returns a pointer to the appropriate Smack label if there is one, | 519 | * Returns a pointer to the appropriate Smack label entry if there is one, |
| 517 | * otherwise a pointer to the invalid Smack label. | 520 | * otherwise a pointer to the invalid Smack label. |
| 518 | */ | 521 | */ |
| 519 | char *smack_from_secid(const u32 secid) | 522 | struct smack_known *smack_from_secid(const u32 secid) |
| 520 | { | 523 | { |
| 521 | struct smack_known *skp; | 524 | struct smack_known *skp; |
| 522 | 525 | ||
| @@ -524,7 +527,7 @@ char *smack_from_secid(const u32 secid) | |||
| 524 | list_for_each_entry_rcu(skp, &smack_known_list, list) { | 527 | list_for_each_entry_rcu(skp, &smack_known_list, list) { |
| 525 | if (skp->smk_secid == secid) { | 528 | if (skp->smk_secid == secid) { |
| 526 | rcu_read_unlock(); | 529 | rcu_read_unlock(); |
| 527 | return skp->smk_known; | 530 | return skp; |
| 528 | } | 531 | } |
| 529 | } | 532 | } |
| 530 | 533 | ||
| @@ -533,7 +536,7 @@ char *smack_from_secid(const u32 secid) | |||
| 533 | * of a secid that is not on the list. | 536 | * of a secid that is not on the list. |
| 534 | */ | 537 | */ |
| 535 | rcu_read_unlock(); | 538 | rcu_read_unlock(); |
| 536 | return smack_known_invalid.smk_known; | 539 | return &smack_known_invalid; |
| 537 | } | 540 | } |
| 538 | 541 | ||
| 539 | /** | 542 | /** |