diff options
Diffstat (limited to 'security/smack/smack_lsm.c')
| -rw-r--r-- | security/smack/smack_lsm.c | 65 |
1 files changed, 60 insertions, 5 deletions
diff --git a/security/smack/smack_lsm.c b/security/smack/smack_lsm.c index 0023182078c7..acae7ef4092d 100644 --- a/security/smack/smack_lsm.c +++ b/security/smack/smack_lsm.c | |||
| @@ -91,7 +91,7 @@ struct inode_smack *new_inode_smack(char *smack) | |||
| 91 | */ | 91 | */ |
| 92 | 92 | ||
| 93 | /** | 93 | /** |
| 94 | * smack_ptrace_may_access - Smack approval on PTRACE_ATTACH | 94 | * smack_ptrace_access_check - Smack approval on PTRACE_ATTACH |
| 95 | * @ctp: child task pointer | 95 | * @ctp: child task pointer |
| 96 | * @mode: ptrace attachment mode | 96 | * @mode: ptrace attachment mode |
| 97 | * | 97 | * |
| @@ -99,13 +99,13 @@ struct inode_smack *new_inode_smack(char *smack) | |||
| 99 | * | 99 | * |
| 100 | * Do the capability checks, and require read and write. | 100 | * Do the capability checks, and require read and write. |
| 101 | */ | 101 | */ |
| 102 | static int smack_ptrace_may_access(struct task_struct *ctp, unsigned int mode) | 102 | static int smack_ptrace_access_check(struct task_struct *ctp, unsigned int mode) |
| 103 | { | 103 | { |
| 104 | int rc; | 104 | int rc; |
| 105 | struct smk_audit_info ad; | 105 | struct smk_audit_info ad; |
| 106 | char *sp, *tsp; | 106 | char *sp, *tsp; |
| 107 | 107 | ||
| 108 | rc = cap_ptrace_may_access(ctp, mode); | 108 | rc = cap_ptrace_access_check(ctp, mode); |
| 109 | if (rc != 0) | 109 | if (rc != 0) |
| 110 | return rc; | 110 | return rc; |
| 111 | 111 | ||
| @@ -1080,6 +1080,22 @@ static int smack_file_receive(struct file *file) | |||
| 1080 | */ | 1080 | */ |
| 1081 | 1081 | ||
| 1082 | /** | 1082 | /** |
| 1083 | * smack_cred_alloc_blank - "allocate" blank task-level security credentials | ||
| 1084 | * @new: the new credentials | ||
| 1085 | * @gfp: the atomicity of any memory allocations | ||
| 1086 | * | ||
| 1087 | * Prepare a blank set of credentials for modification. This must allocate all | ||
| 1088 | * the memory the LSM module might require such that cred_transfer() can | ||
| 1089 | * complete without error. | ||
| 1090 | */ | ||
| 1091 | static int smack_cred_alloc_blank(struct cred *cred, gfp_t gfp) | ||
| 1092 | { | ||
| 1093 | cred->security = NULL; | ||
| 1094 | return 0; | ||
| 1095 | } | ||
| 1096 | |||
| 1097 | |||
| 1098 | /** | ||
| 1083 | * smack_cred_free - "free" task-level security credentials | 1099 | * smack_cred_free - "free" task-level security credentials |
| 1084 | * @cred: the credentials in question | 1100 | * @cred: the credentials in question |
| 1085 | * | 1101 | * |
| @@ -1117,6 +1133,18 @@ static void smack_cred_commit(struct cred *new, const struct cred *old) | |||
| 1117 | } | 1133 | } |
| 1118 | 1134 | ||
| 1119 | /** | 1135 | /** |
| 1136 | * smack_cred_transfer - Transfer the old credentials to the new credentials | ||
| 1137 | * @new: the new credentials | ||
| 1138 | * @old: the original credentials | ||
| 1139 | * | ||
| 1140 | * Fill in a set of blank credentials from another set of credentials. | ||
| 1141 | */ | ||
| 1142 | static void smack_cred_transfer(struct cred *new, const struct cred *old) | ||
| 1143 | { | ||
| 1144 | new->security = old->security; | ||
| 1145 | } | ||
| 1146 | |||
| 1147 | /** | ||
| 1120 | * smack_kernel_act_as - Set the subjective context in a set of credentials | 1148 | * smack_kernel_act_as - Set the subjective context in a set of credentials |
| 1121 | * @new: points to the set of credentials to be modified. | 1149 | * @new: points to the set of credentials to be modified. |
| 1122 | * @secid: specifies the security ID to be set | 1150 | * @secid: specifies the security ID to be set |
| @@ -1638,6 +1666,7 @@ static int smack_inode_setsecurity(struct inode *inode, const char *name, | |||
| 1638 | 1666 | ||
| 1639 | if (strcmp(name, XATTR_SMACK_SUFFIX) == 0) { | 1667 | if (strcmp(name, XATTR_SMACK_SUFFIX) == 0) { |
| 1640 | nsp->smk_inode = sp; | 1668 | nsp->smk_inode = sp; |
| 1669 | nsp->smk_flags |= SMK_INODE_INSTANT; | ||
| 1641 | return 0; | 1670 | return 0; |
| 1642 | } | 1671 | } |
| 1643 | /* | 1672 | /* |
| @@ -2464,7 +2493,7 @@ static int smack_socket_sendmsg(struct socket *sock, struct msghdr *msg, | |||
| 2464 | /* | 2493 | /* |
| 2465 | * Perfectly reasonable for this to be NULL | 2494 | * Perfectly reasonable for this to be NULL |
| 2466 | */ | 2495 | */ |
| 2467 | if (sip == NULL || sip->sin_family != PF_INET) | 2496 | if (sip == NULL || sip->sin_family != AF_INET) |
| 2468 | return 0; | 2497 | return 0; |
| 2469 | 2498 | ||
| 2470 | return smack_netlabel_send(sock->sk, sip); | 2499 | return smack_netlabel_send(sock->sk, sip); |
| @@ -3029,10 +3058,31 @@ static void smack_release_secctx(char *secdata, u32 seclen) | |||
| 3029 | { | 3058 | { |
| 3030 | } | 3059 | } |
| 3031 | 3060 | ||
| 3061 | static int smack_inode_notifysecctx(struct inode *inode, void *ctx, u32 ctxlen) | ||
| 3062 | { | ||
| 3063 | return smack_inode_setsecurity(inode, XATTR_SMACK_SUFFIX, ctx, ctxlen, 0); | ||
| 3064 | } | ||
| 3065 | |||
| 3066 | static int smack_inode_setsecctx(struct dentry *dentry, void *ctx, u32 ctxlen) | ||
| 3067 | { | ||
| 3068 | return __vfs_setxattr_noperm(dentry, XATTR_NAME_SMACK, ctx, ctxlen, 0); | ||
| 3069 | } | ||
| 3070 | |||
| 3071 | static int smack_inode_getsecctx(struct inode *inode, void **ctx, u32 *ctxlen) | ||
| 3072 | { | ||
| 3073 | int len = 0; | ||
| 3074 | len = smack_inode_getsecurity(inode, XATTR_SMACK_SUFFIX, ctx, true); | ||
| 3075 | |||
| 3076 | if (len < 0) | ||
| 3077 | return len; | ||
| 3078 | *ctxlen = len; | ||
| 3079 | return 0; | ||
| 3080 | } | ||
| 3081 | |||
| 3032 | struct security_operations smack_ops = { | 3082 | struct security_operations smack_ops = { |
| 3033 | .name = "smack", | 3083 | .name = "smack", |
| 3034 | 3084 | ||
| 3035 | .ptrace_may_access = smack_ptrace_may_access, | 3085 | .ptrace_access_check = smack_ptrace_access_check, |
| 3036 | .ptrace_traceme = smack_ptrace_traceme, | 3086 | .ptrace_traceme = smack_ptrace_traceme, |
| 3037 | .syslog = smack_syslog, | 3087 | .syslog = smack_syslog, |
| 3038 | 3088 | ||
| @@ -3073,9 +3123,11 @@ struct security_operations smack_ops = { | |||
| 3073 | .file_send_sigiotask = smack_file_send_sigiotask, | 3123 | .file_send_sigiotask = smack_file_send_sigiotask, |
| 3074 | .file_receive = smack_file_receive, | 3124 | .file_receive = smack_file_receive, |
| 3075 | 3125 | ||
| 3126 | .cred_alloc_blank = smack_cred_alloc_blank, | ||
| 3076 | .cred_free = smack_cred_free, | 3127 | .cred_free = smack_cred_free, |
| 3077 | .cred_prepare = smack_cred_prepare, | 3128 | .cred_prepare = smack_cred_prepare, |
| 3078 | .cred_commit = smack_cred_commit, | 3129 | .cred_commit = smack_cred_commit, |
| 3130 | .cred_transfer = smack_cred_transfer, | ||
| 3079 | .kernel_act_as = smack_kernel_act_as, | 3131 | .kernel_act_as = smack_kernel_act_as, |
| 3080 | .kernel_create_files_as = smack_kernel_create_files_as, | 3132 | .kernel_create_files_as = smack_kernel_create_files_as, |
| 3081 | .task_setpgid = smack_task_setpgid, | 3133 | .task_setpgid = smack_task_setpgid, |
| @@ -3155,6 +3207,9 @@ struct security_operations smack_ops = { | |||
| 3155 | .secid_to_secctx = smack_secid_to_secctx, | 3207 | .secid_to_secctx = smack_secid_to_secctx, |
| 3156 | .secctx_to_secid = smack_secctx_to_secid, | 3208 | .secctx_to_secid = smack_secctx_to_secid, |
| 3157 | .release_secctx = smack_release_secctx, | 3209 | .release_secctx = smack_release_secctx, |
| 3210 | .inode_notifysecctx = smack_inode_notifysecctx, | ||
| 3211 | .inode_setsecctx = smack_inode_setsecctx, | ||
| 3212 | .inode_getsecctx = smack_inode_getsecctx, | ||
| 3158 | }; | 3213 | }; |
| 3159 | 3214 | ||
| 3160 | 3215 | ||