aboutsummaryrefslogtreecommitdiffstats
path: root/security/smack/smack_lsm.c
diff options
context:
space:
mode:
Diffstat (limited to 'security/smack/smack_lsm.c')
-rw-r--r--security/smack/smack_lsm.c83
1 files changed, 29 insertions, 54 deletions
diff --git a/security/smack/smack_lsm.c b/security/smack/smack_lsm.c
index 67b7381d0244..d5528324a637 100644
--- a/security/smack/smack_lsm.c
+++ b/security/smack/smack_lsm.c
@@ -229,7 +229,7 @@ static int smack_syslog(int typefrom_file)
229 if (smack_privileged(CAP_MAC_OVERRIDE)) 229 if (smack_privileged(CAP_MAC_OVERRIDE))
230 return 0; 230 return 0;
231 231
232 if (smack_syslog_label != NULL && smack_syslog_label != skp) 232 if (smack_syslog_label != NULL && smack_syslog_label != skp)
233 rc = -EACCES; 233 rc = -EACCES;
234 234
235 return rc; 235 return rc;
@@ -339,10 +339,12 @@ static int smack_sb_kern_mount(struct super_block *sb, int flags, void *data)
339 struct inode *inode = root->d_inode; 339 struct inode *inode = root->d_inode;
340 struct superblock_smack *sp = sb->s_security; 340 struct superblock_smack *sp = sb->s_security;
341 struct inode_smack *isp; 341 struct inode_smack *isp;
342 struct smack_known *skp;
342 char *op; 343 char *op;
343 char *commap; 344 char *commap;
344 char *nsp; 345 char *nsp;
345 int transmute = 0; 346 int transmute = 0;
347 int specified = 0;
346 348
347 if (sp->smk_initialized) 349 if (sp->smk_initialized)
348 return 0; 350 return 0;
@@ -357,34 +359,56 @@ static int smack_sb_kern_mount(struct super_block *sb, int flags, void *data)
357 if (strncmp(op, SMK_FSHAT, strlen(SMK_FSHAT)) == 0) { 359 if (strncmp(op, SMK_FSHAT, strlen(SMK_FSHAT)) == 0) {
358 op += strlen(SMK_FSHAT); 360 op += strlen(SMK_FSHAT);
359 nsp = smk_import(op, 0); 361 nsp = smk_import(op, 0);
360 if (nsp != NULL) 362 if (nsp != NULL) {
361 sp->smk_hat = nsp; 363 sp->smk_hat = nsp;
364 specified = 1;
365 }
362 } else if (strncmp(op, SMK_FSFLOOR, strlen(SMK_FSFLOOR)) == 0) { 366 } else if (strncmp(op, SMK_FSFLOOR, strlen(SMK_FSFLOOR)) == 0) {
363 op += strlen(SMK_FSFLOOR); 367 op += strlen(SMK_FSFLOOR);
364 nsp = smk_import(op, 0); 368 nsp = smk_import(op, 0);
365 if (nsp != NULL) 369 if (nsp != NULL) {
366 sp->smk_floor = nsp; 370 sp->smk_floor = nsp;
371 specified = 1;
372 }
367 } else if (strncmp(op, SMK_FSDEFAULT, 373 } else if (strncmp(op, SMK_FSDEFAULT,
368 strlen(SMK_FSDEFAULT)) == 0) { 374 strlen(SMK_FSDEFAULT)) == 0) {
369 op += strlen(SMK_FSDEFAULT); 375 op += strlen(SMK_FSDEFAULT);
370 nsp = smk_import(op, 0); 376 nsp = smk_import(op, 0);
371 if (nsp != NULL) 377 if (nsp != NULL) {
372 sp->smk_default = nsp; 378 sp->smk_default = nsp;
379 specified = 1;
380 }
373 } else if (strncmp(op, SMK_FSROOT, strlen(SMK_FSROOT)) == 0) { 381 } else if (strncmp(op, SMK_FSROOT, strlen(SMK_FSROOT)) == 0) {
374 op += strlen(SMK_FSROOT); 382 op += strlen(SMK_FSROOT);
375 nsp = smk_import(op, 0); 383 nsp = smk_import(op, 0);
376 if (nsp != NULL) 384 if (nsp != NULL) {
377 sp->smk_root = nsp; 385 sp->smk_root = nsp;
386 specified = 1;
387 }
378 } else if (strncmp(op, SMK_FSTRANS, strlen(SMK_FSTRANS)) == 0) { 388 } else if (strncmp(op, SMK_FSTRANS, strlen(SMK_FSTRANS)) == 0) {
379 op += strlen(SMK_FSTRANS); 389 op += strlen(SMK_FSTRANS);
380 nsp = smk_import(op, 0); 390 nsp = smk_import(op, 0);
381 if (nsp != NULL) { 391 if (nsp != NULL) {
382 sp->smk_root = nsp; 392 sp->smk_root = nsp;
383 transmute = 1; 393 transmute = 1;
394 specified = 1;
384 } 395 }
385 } 396 }
386 } 397 }
387 398
399 if (!smack_privileged(CAP_MAC_ADMIN)) {
400 /*
401 * Unprivileged mounts don't get to specify Smack values.
402 */
403 if (specified)
404 return -EPERM;
405 /*
406 * Unprivileged mounts get root and default from the caller.
407 */
408 skp = smk_of_current();
409 sp->smk_root = skp->smk_known;
410 sp->smk_default = skp->smk_known;
411 }
388 /* 412 /*
389 * Initialize the root inode. 413 * Initialize the root inode.
390 */ 414 */
@@ -421,53 +445,6 @@ static int smack_sb_statfs(struct dentry *dentry)
421 return rc; 445 return rc;
422} 446}
423 447
424/**
425 * smack_sb_mount - Smack check for mounting
426 * @dev_name: unused
427 * @path: mount point
428 * @type: unused
429 * @flags: unused
430 * @data: unused
431 *
432 * Returns 0 if current can write the floor of the filesystem
433 * being mounted on, an error code otherwise.
434 */
435static int smack_sb_mount(const char *dev_name, struct path *path,
436 const char *type, unsigned long flags, void *data)
437{
438 struct superblock_smack *sbp = path->dentry->d_sb->s_security;
439 struct smk_audit_info ad;
440
441 smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_PATH);
442 smk_ad_setfield_u_fs_path(&ad, *path);
443
444 return smk_curacc(sbp->smk_floor, MAY_WRITE, &ad);
445}
446
447/**
448 * smack_sb_umount - Smack check for unmounting
449 * @mnt: file system to unmount
450 * @flags: unused
451 *
452 * Returns 0 if current can write the floor of the filesystem
453 * being unmounted, an error code otherwise.
454 */
455static int smack_sb_umount(struct vfsmount *mnt, int flags)
456{
457 struct superblock_smack *sbp;
458 struct smk_audit_info ad;
459 struct path path;
460
461 path.dentry = mnt->mnt_root;
462 path.mnt = mnt;
463
464 smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_PATH);
465 smk_ad_setfield_u_fs_path(&ad, path);
466
467 sbp = path.dentry->d_sb->s_security;
468 return smk_curacc(sbp->smk_floor, MAY_WRITE, &ad);
469}
470
471/* 448/*
472 * BPRM hooks 449 * BPRM hooks
473 */ 450 */
@@ -3762,8 +3739,6 @@ struct security_operations smack_ops = {
3762 .sb_copy_data = smack_sb_copy_data, 3739 .sb_copy_data = smack_sb_copy_data,
3763 .sb_kern_mount = smack_sb_kern_mount, 3740 .sb_kern_mount = smack_sb_kern_mount,
3764 .sb_statfs = smack_sb_statfs, 3741 .sb_statfs = smack_sb_statfs,
3765 .sb_mount = smack_sb_mount,
3766 .sb_umount = smack_sb_umount,
3767 3742
3768 .bprm_set_creds = smack_bprm_set_creds, 3743 .bprm_set_creds = smack_bprm_set_creds,
3769 .bprm_committing_creds = smack_bprm_committing_creds, 3744 .bprm_committing_creds = smack_bprm_committing_creds,
generated by cgit v1.2.2 (git 2.25.0) at 2025-01-31 19:58:36 -0500