aboutsummaryrefslogtreecommitdiffstats
path: root/security/smack/smack_lsm.c
diff options
context:
space:
mode:
Diffstat (limited to 'security/smack/smack_lsm.c')
-rw-r--r--security/smack/smack_lsm.c390
1 files changed, 298 insertions, 92 deletions
diff --git a/security/smack/smack_lsm.c b/security/smack/smack_lsm.c
index 921514902eca..f557767911c9 100644
--- a/security/smack/smack_lsm.c
+++ b/security/smack/smack_lsm.c
@@ -30,7 +30,6 @@
30#include <net/netlabel.h> 30#include <net/netlabel.h>
31#include <net/cipso_ipv4.h> 31#include <net/cipso_ipv4.h>
32#include <linux/audit.h> 32#include <linux/audit.h>
33
34#include "smack.h" 33#include "smack.h"
35 34
36#define task_security(task) (task_cred_xxx((task), security)) 35#define task_security(task) (task_cred_xxx((task), security))
@@ -103,14 +102,24 @@ struct inode_smack *new_inode_smack(char *smack)
103static int smack_ptrace_may_access(struct task_struct *ctp, unsigned int mode) 102static int smack_ptrace_may_access(struct task_struct *ctp, unsigned int mode)
104{ 103{
105 int rc; 104 int rc;
105 struct smk_audit_info ad;
106 char *sp, *tsp;
106 107
107 rc = cap_ptrace_may_access(ctp, mode); 108 rc = cap_ptrace_may_access(ctp, mode);
108 if (rc != 0) 109 if (rc != 0)
109 return rc; 110 return rc;
110 111
111 rc = smk_access(current_security(), task_security(ctp), MAY_READWRITE); 112 sp = current_security();
113 tsp = task_security(ctp);
114 smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_TASK);
115 smk_ad_setfield_u_tsk(&ad, ctp);
116
117 /* we won't log here, because rc can be overriden */
118 rc = smk_access(sp, tsp, MAY_READWRITE, NULL);
112 if (rc != 0 && capable(CAP_MAC_OVERRIDE)) 119 if (rc != 0 && capable(CAP_MAC_OVERRIDE))
113 return 0; 120 rc = 0;
121
122 smack_log(sp, tsp, MAY_READWRITE, rc, &ad);
114 return rc; 123 return rc;
115} 124}
116 125
@@ -125,14 +134,24 @@ static int smack_ptrace_may_access(struct task_struct *ctp, unsigned int mode)
125static int smack_ptrace_traceme(struct task_struct *ptp) 134static int smack_ptrace_traceme(struct task_struct *ptp)
126{ 135{
127 int rc; 136 int rc;
137 struct smk_audit_info ad;
138 char *sp, *tsp;
128 139
129 rc = cap_ptrace_traceme(ptp); 140 rc = cap_ptrace_traceme(ptp);
130 if (rc != 0) 141 if (rc != 0)
131 return rc; 142 return rc;
132 143
133 rc = smk_access(task_security(ptp), current_security(), MAY_READWRITE); 144 smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_TASK);
145 smk_ad_setfield_u_tsk(&ad, ptp);
146
147 sp = current_security();
148 tsp = task_security(ptp);
149 /* we won't log here, because rc can be overriden */
150 rc = smk_access(tsp, sp, MAY_READWRITE, NULL);
134 if (rc != 0 && has_capability(ptp, CAP_MAC_OVERRIDE)) 151 if (rc != 0 && has_capability(ptp, CAP_MAC_OVERRIDE))
135 return 0; 152 rc = 0;
153
154 smack_log(tsp, sp, MAY_READWRITE, rc, &ad);
136 return rc; 155 return rc;
137} 156}
138 157
@@ -327,8 +346,14 @@ static int smack_sb_kern_mount(struct super_block *sb, int flags, void *data)
327static int smack_sb_statfs(struct dentry *dentry) 346static int smack_sb_statfs(struct dentry *dentry)
328{ 347{
329 struct superblock_smack *sbp = dentry->d_sb->s_security; 348 struct superblock_smack *sbp = dentry->d_sb->s_security;
349 int rc;
350 struct smk_audit_info ad;
330 351
331 return smk_curacc(sbp->smk_floor, MAY_READ); 352 smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_FS);
353 smk_ad_setfield_u_fs_path_dentry(&ad, dentry);
354
355 rc = smk_curacc(sbp->smk_floor, MAY_READ, &ad);
356 return rc;
332} 357}
333 358
334/** 359/**
@@ -346,8 +371,12 @@ static int smack_sb_mount(char *dev_name, struct path *path,
346 char *type, unsigned long flags, void *data) 371 char *type, unsigned long flags, void *data)
347{ 372{
348 struct superblock_smack *sbp = path->mnt->mnt_sb->s_security; 373 struct superblock_smack *sbp = path->mnt->mnt_sb->s_security;
374 struct smk_audit_info ad;
375
376 smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_FS);
377 smk_ad_setfield_u_fs_path(&ad, *path);
349 378
350 return smk_curacc(sbp->smk_floor, MAY_WRITE); 379 return smk_curacc(sbp->smk_floor, MAY_WRITE, &ad);
351} 380}
352 381
353/** 382/**
@@ -361,10 +390,14 @@ static int smack_sb_mount(char *dev_name, struct path *path,
361static int smack_sb_umount(struct vfsmount *mnt, int flags) 390static int smack_sb_umount(struct vfsmount *mnt, int flags)
362{ 391{
363 struct superblock_smack *sbp; 392 struct superblock_smack *sbp;
393 struct smk_audit_info ad;
364 394
365 sbp = mnt->mnt_sb->s_security; 395 smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_FS);
396 smk_ad_setfield_u_fs_path_dentry(&ad, mnt->mnt_mountpoint);
397 smk_ad_setfield_u_fs_path_mnt(&ad, mnt);
366 398
367 return smk_curacc(sbp->smk_floor, MAY_WRITE); 399 sbp = mnt->mnt_sb->s_security;
400 return smk_curacc(sbp->smk_floor, MAY_WRITE, &ad);
368} 401}
369 402
370/* 403/*
@@ -441,15 +474,20 @@ static int smack_inode_init_security(struct inode *inode, struct inode *dir,
441static int smack_inode_link(struct dentry *old_dentry, struct inode *dir, 474static int smack_inode_link(struct dentry *old_dentry, struct inode *dir,
442 struct dentry *new_dentry) 475 struct dentry *new_dentry)
443{ 476{
444 int rc;
445 char *isp; 477 char *isp;
478 struct smk_audit_info ad;
479 int rc;
480
481 smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_FS);
482 smk_ad_setfield_u_fs_path_dentry(&ad, old_dentry);
446 483
447 isp = smk_of_inode(old_dentry->d_inode); 484 isp = smk_of_inode(old_dentry->d_inode);
448 rc = smk_curacc(isp, MAY_WRITE); 485 rc = smk_curacc(isp, MAY_WRITE, &ad);
449 486
450 if (rc == 0 && new_dentry->d_inode != NULL) { 487 if (rc == 0 && new_dentry->d_inode != NULL) {
451 isp = smk_of_inode(new_dentry->d_inode); 488 isp = smk_of_inode(new_dentry->d_inode);
452 rc = smk_curacc(isp, MAY_WRITE); 489 smk_ad_setfield_u_fs_path_dentry(&ad, new_dentry);
490 rc = smk_curacc(isp, MAY_WRITE, &ad);
453 } 491 }
454 492
455 return rc; 493 return rc;
@@ -466,18 +504,24 @@ static int smack_inode_link(struct dentry *old_dentry, struct inode *dir,
466static int smack_inode_unlink(struct inode *dir, struct dentry *dentry) 504static int smack_inode_unlink(struct inode *dir, struct dentry *dentry)
467{ 505{
468 struct inode *ip = dentry->d_inode; 506 struct inode *ip = dentry->d_inode;
507 struct smk_audit_info ad;
469 int rc; 508 int rc;
470 509
510 smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_FS);
511 smk_ad_setfield_u_fs_path_dentry(&ad, dentry);
512
471 /* 513 /*
472 * You need write access to the thing you're unlinking 514 * You need write access to the thing you're unlinking
473 */ 515 */
474 rc = smk_curacc(smk_of_inode(ip), MAY_WRITE); 516 rc = smk_curacc(smk_of_inode(ip), MAY_WRITE, &ad);
475 if (rc == 0) 517 if (rc == 0) {
476 /* 518 /*
477 * You also need write access to the containing directory 519 * You also need write access to the containing directory
478 */ 520 */
479 rc = smk_curacc(smk_of_inode(dir), MAY_WRITE); 521 smk_ad_setfield_u_fs_path_dentry(&ad, NULL);
480 522 smk_ad_setfield_u_fs_inode(&ad, dir);
523 rc = smk_curacc(smk_of_inode(dir), MAY_WRITE, &ad);
524 }
481 return rc; 525 return rc;
482} 526}
483 527
@@ -491,17 +535,24 @@ static int smack_inode_unlink(struct inode *dir, struct dentry *dentry)
491 */ 535 */
492static int smack_inode_rmdir(struct inode *dir, struct dentry *dentry) 536static int smack_inode_rmdir(struct inode *dir, struct dentry *dentry)
493{ 537{
538 struct smk_audit_info ad;
494 int rc; 539 int rc;
495 540
541 smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_FS);
542 smk_ad_setfield_u_fs_path_dentry(&ad, dentry);
543
496 /* 544 /*
497 * You need write access to the thing you're removing 545 * You need write access to the thing you're removing
498 */ 546 */
499 rc = smk_curacc(smk_of_inode(dentry->d_inode), MAY_WRITE); 547 rc = smk_curacc(smk_of_inode(dentry->d_inode), MAY_WRITE, &ad);
500 if (rc == 0) 548 if (rc == 0) {
501 /* 549 /*
502 * You also need write access to the containing directory 550 * You also need write access to the containing directory
503 */ 551 */
504 rc = smk_curacc(smk_of_inode(dir), MAY_WRITE); 552 smk_ad_setfield_u_fs_path_dentry(&ad, NULL);
553 smk_ad_setfield_u_fs_inode(&ad, dir);
554 rc = smk_curacc(smk_of_inode(dir), MAY_WRITE, &ad);
555 }
505 556
506 return rc; 557 return rc;
507} 558}
@@ -525,15 +576,19 @@ static int smack_inode_rename(struct inode *old_inode,
525{ 576{
526 int rc; 577 int rc;
527 char *isp; 578 char *isp;
579 struct smk_audit_info ad;
580
581 smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_FS);
582 smk_ad_setfield_u_fs_path_dentry(&ad, old_dentry);
528 583
529 isp = smk_of_inode(old_dentry->d_inode); 584 isp = smk_of_inode(old_dentry->d_inode);
530 rc = smk_curacc(isp, MAY_READWRITE); 585 rc = smk_curacc(isp, MAY_READWRITE, &ad);
531 586
532 if (rc == 0 && new_dentry->d_inode != NULL) { 587 if (rc == 0 && new_dentry->d_inode != NULL) {
533 isp = smk_of_inode(new_dentry->d_inode); 588 isp = smk_of_inode(new_dentry->d_inode);
534 rc = smk_curacc(isp, MAY_READWRITE); 589 smk_ad_setfield_u_fs_path_dentry(&ad, new_dentry);
590 rc = smk_curacc(isp, MAY_READWRITE, &ad);
535 } 591 }
536
537 return rc; 592 return rc;
538} 593}
539 594
@@ -548,13 +603,15 @@ static int smack_inode_rename(struct inode *old_inode,
548 */ 603 */
549static int smack_inode_permission(struct inode *inode, int mask) 604static int smack_inode_permission(struct inode *inode, int mask)
550{ 605{
606 struct smk_audit_info ad;
551 /* 607 /*
552 * No permission to check. Existence test. Yup, it's there. 608 * No permission to check. Existence test. Yup, it's there.
553 */ 609 */
554 if (mask == 0) 610 if (mask == 0)
555 return 0; 611 return 0;
556 612 smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_FS);
557 return smk_curacc(smk_of_inode(inode), mask); 613 smk_ad_setfield_u_fs_inode(&ad, inode);
614 return smk_curacc(smk_of_inode(inode), mask, &ad);
558} 615}
559 616
560/** 617/**
@@ -566,13 +623,16 @@ static int smack_inode_permission(struct inode *inode, int mask)
566 */ 623 */
567static int smack_inode_setattr(struct dentry *dentry, struct iattr *iattr) 624static int smack_inode_setattr(struct dentry *dentry, struct iattr *iattr)
568{ 625{
626 struct smk_audit_info ad;
569 /* 627 /*
570 * Need to allow for clearing the setuid bit. 628 * Need to allow for clearing the setuid bit.
571 */ 629 */
572 if (iattr->ia_valid & ATTR_FORCE) 630 if (iattr->ia_valid & ATTR_FORCE)
573 return 0; 631 return 0;
632 smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_FS);
633 smk_ad_setfield_u_fs_path_dentry(&ad, dentry);
574 634
575 return smk_curacc(smk_of_inode(dentry->d_inode), MAY_WRITE); 635 return smk_curacc(smk_of_inode(dentry->d_inode), MAY_WRITE, &ad);
576} 636}
577 637
578/** 638/**
@@ -584,7 +644,12 @@ static int smack_inode_setattr(struct dentry *dentry, struct iattr *iattr)
584 */ 644 */
585static int smack_inode_getattr(struct vfsmount *mnt, struct dentry *dentry) 645static int smack_inode_getattr(struct vfsmount *mnt, struct dentry *dentry)
586{ 646{
587 return smk_curacc(smk_of_inode(dentry->d_inode), MAY_READ); 647 struct smk_audit_info ad;
648
649 smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_FS);
650 smk_ad_setfield_u_fs_path_dentry(&ad, dentry);
651 smk_ad_setfield_u_fs_path_mnt(&ad, mnt);
652 return smk_curacc(smk_of_inode(dentry->d_inode), MAY_READ, &ad);
588} 653}
589 654
590/** 655/**
@@ -602,6 +667,7 @@ static int smack_inode_getattr(struct vfsmount *mnt, struct dentry *dentry)
602static int smack_inode_setxattr(struct dentry *dentry, const char *name, 667static int smack_inode_setxattr(struct dentry *dentry, const char *name,
603 const void *value, size_t size, int flags) 668 const void *value, size_t size, int flags)
604{ 669{
670 struct smk_audit_info ad;
605 int rc = 0; 671 int rc = 0;
606 672
607 if (strcmp(name, XATTR_NAME_SMACK) == 0 || 673 if (strcmp(name, XATTR_NAME_SMACK) == 0 ||
@@ -615,8 +681,11 @@ static int smack_inode_setxattr(struct dentry *dentry, const char *name,
615 } else 681 } else
616 rc = cap_inode_setxattr(dentry, name, value, size, flags); 682 rc = cap_inode_setxattr(dentry, name, value, size, flags);
617 683
684 smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_FS);
685 smk_ad_setfield_u_fs_path_dentry(&ad, dentry);
686
618 if (rc == 0) 687 if (rc == 0)
619 rc = smk_curacc(smk_of_inode(dentry->d_inode), MAY_WRITE); 688 rc = smk_curacc(smk_of_inode(dentry->d_inode), MAY_WRITE, &ad);
620 689
621 return rc; 690 return rc;
622} 691}
@@ -671,7 +740,12 @@ static void smack_inode_post_setxattr(struct dentry *dentry, const char *name,
671 */ 740 */
672static int smack_inode_getxattr(struct dentry *dentry, const char *name) 741static int smack_inode_getxattr(struct dentry *dentry, const char *name)
673{ 742{
674 return smk_curacc(smk_of_inode(dentry->d_inode), MAY_READ); 743 struct smk_audit_info ad;
744
745 smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_FS);
746 smk_ad_setfield_u_fs_path_dentry(&ad, dentry);
747
748 return smk_curacc(smk_of_inode(dentry->d_inode), MAY_READ, &ad);
675} 749}
676 750
677/* 751/*
@@ -685,6 +759,7 @@ static int smack_inode_getxattr(struct dentry *dentry, const char *name)
685 */ 759 */
686static int smack_inode_removexattr(struct dentry *dentry, const char *name) 760static int smack_inode_removexattr(struct dentry *dentry, const char *name)
687{ 761{
762 struct smk_audit_info ad;
688 int rc = 0; 763 int rc = 0;
689 764
690 if (strcmp(name, XATTR_NAME_SMACK) == 0 || 765 if (strcmp(name, XATTR_NAME_SMACK) == 0 ||
@@ -695,8 +770,10 @@ static int smack_inode_removexattr(struct dentry *dentry, const char *name)
695 } else 770 } else
696 rc = cap_inode_removexattr(dentry, name); 771 rc = cap_inode_removexattr(dentry, name);
697 772
773 smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_FS);
774 smk_ad_setfield_u_fs_path_dentry(&ad, dentry);
698 if (rc == 0) 775 if (rc == 0)
699 rc = smk_curacc(smk_of_inode(dentry->d_inode), MAY_WRITE); 776 rc = smk_curacc(smk_of_inode(dentry->d_inode), MAY_WRITE, &ad);
700 777
701 return rc; 778 return rc;
702} 779}
@@ -855,12 +932,16 @@ static int smack_file_ioctl(struct file *file, unsigned int cmd,
855 unsigned long arg) 932 unsigned long arg)
856{ 933{
857 int rc = 0; 934 int rc = 0;
935 struct smk_audit_info ad;
936
937 smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_FS);
938 smk_ad_setfield_u_fs_path(&ad, file->f_path);
858 939
859 if (_IOC_DIR(cmd) & _IOC_WRITE) 940 if (_IOC_DIR(cmd) & _IOC_WRITE)
860 rc = smk_curacc(file->f_security, MAY_WRITE); 941 rc = smk_curacc(file->f_security, MAY_WRITE, &ad);
861 942
862 if (rc == 0 && (_IOC_DIR(cmd) & _IOC_READ)) 943 if (rc == 0 && (_IOC_DIR(cmd) & _IOC_READ))
863 rc = smk_curacc(file->f_security, MAY_READ); 944 rc = smk_curacc(file->f_security, MAY_READ, &ad);
864 945
865 return rc; 946 return rc;
866} 947}
@@ -874,7 +955,11 @@ static int smack_file_ioctl(struct file *file, unsigned int cmd,
874 */ 955 */
875static int smack_file_lock(struct file *file, unsigned int cmd) 956static int smack_file_lock(struct file *file, unsigned int cmd)
876{ 957{
877 return smk_curacc(file->f_security, MAY_WRITE); 958 struct smk_audit_info ad;
959
960 smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_FS);
961 smk_ad_setfield_u_fs_path_dentry(&ad, file->f_path.dentry);
962 return smk_curacc(file->f_security, MAY_WRITE, &ad);
878} 963}
879 964
880/** 965/**
@@ -888,8 +973,12 @@ static int smack_file_lock(struct file *file, unsigned int cmd)
888static int smack_file_fcntl(struct file *file, unsigned int cmd, 973static int smack_file_fcntl(struct file *file, unsigned int cmd,
889 unsigned long arg) 974 unsigned long arg)
890{ 975{
976 struct smk_audit_info ad;
891 int rc; 977 int rc;
892 978
979 smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_FS);
980 smk_ad_setfield_u_fs_path(&ad, file->f_path);
981
893 switch (cmd) { 982 switch (cmd) {
894 case F_DUPFD: 983 case F_DUPFD:
895 case F_GETFD: 984 case F_GETFD:
@@ -897,7 +986,7 @@ static int smack_file_fcntl(struct file *file, unsigned int cmd,
897 case F_GETLK: 986 case F_GETLK:
898 case F_GETOWN: 987 case F_GETOWN:
899 case F_GETSIG: 988 case F_GETSIG:
900 rc = smk_curacc(file->f_security, MAY_READ); 989 rc = smk_curacc(file->f_security, MAY_READ, &ad);
901 break; 990 break;
902 case F_SETFD: 991 case F_SETFD:
903 case F_SETFL: 992 case F_SETFL:
@@ -905,10 +994,10 @@ static int smack_file_fcntl(struct file *file, unsigned int cmd,
905 case F_SETLKW: 994 case F_SETLKW:
906 case F_SETOWN: 995 case F_SETOWN:
907 case F_SETSIG: 996 case F_SETSIG:
908 rc = smk_curacc(file->f_security, MAY_WRITE); 997 rc = smk_curacc(file->f_security, MAY_WRITE, &ad);
909 break; 998 break;
910 default: 999 default:
911 rc = smk_curacc(file->f_security, MAY_READWRITE); 1000 rc = smk_curacc(file->f_security, MAY_READWRITE, &ad);
912 } 1001 }
913 1002
914 return rc; 1003 return rc;
@@ -943,14 +1032,21 @@ static int smack_file_send_sigiotask(struct task_struct *tsk,
943{ 1032{
944 struct file *file; 1033 struct file *file;
945 int rc; 1034 int rc;
1035 char *tsp = tsk->cred->security;
1036 struct smk_audit_info ad;
946 1037
947 /* 1038 /*
948 * struct fown_struct is never outside the context of a struct file 1039 * struct fown_struct is never outside the context of a struct file
949 */ 1040 */
950 file = container_of(fown, struct file, f_owner); 1041 file = container_of(fown, struct file, f_owner);
951 rc = smk_access(file->f_security, tsk->cred->security, MAY_WRITE); 1042 /* we don't log here as rc can be overriden */
1043 rc = smk_access(file->f_security, tsp, MAY_WRITE, NULL);
952 if (rc != 0 && has_capability(tsk, CAP_MAC_OVERRIDE)) 1044 if (rc != 0 && has_capability(tsk, CAP_MAC_OVERRIDE))
953 return 0; 1045 rc = 0;
1046
1047 smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_TASK);
1048 smk_ad_setfield_u_tsk(&ad, tsk);
1049 smack_log(file->f_security, tsp, MAY_WRITE, rc, &ad);
954 return rc; 1050 return rc;
955} 1051}
956 1052
@@ -963,7 +1059,10 @@ static int smack_file_send_sigiotask(struct task_struct *tsk,
963static int smack_file_receive(struct file *file) 1059static int smack_file_receive(struct file *file)
964{ 1060{
965 int may = 0; 1061 int may = 0;
1062 struct smk_audit_info ad;
966 1063
1064 smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_TASK);
1065 smk_ad_setfield_u_fs_path(&ad, file->f_path);
967 /* 1066 /*
968 * This code relies on bitmasks. 1067 * This code relies on bitmasks.
969 */ 1068 */
@@ -972,7 +1071,7 @@ static int smack_file_receive(struct file *file)
972 if (file->f_mode & FMODE_WRITE) 1071 if (file->f_mode & FMODE_WRITE)
973 may |= MAY_WRITE; 1072 may |= MAY_WRITE;
974 1073
975 return smk_curacc(file->f_security, may); 1074 return smk_curacc(file->f_security, may, &ad);
976} 1075}
977 1076
978/* 1077/*
@@ -1052,6 +1151,22 @@ static int smack_kernel_create_files_as(struct cred *new,
1052} 1151}
1053 1152
1054/** 1153/**
1154 * smk_curacc_on_task - helper to log task related access
1155 * @p: the task object
1156 * @access : the access requested
1157 *
1158 * Return 0 if access is permitted
1159 */
1160static int smk_curacc_on_task(struct task_struct *p, int access)
1161{
1162 struct smk_audit_info ad;
1163
1164 smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_TASK);
1165 smk_ad_setfield_u_tsk(&ad, p);
1166 return smk_curacc(task_security(p), access, &ad);
1167}
1168
1169/**
1055 * smack_task_setpgid - Smack check on setting pgid 1170 * smack_task_setpgid - Smack check on setting pgid
1056 * @p: the task object 1171 * @p: the task object
1057 * @pgid: unused 1172 * @pgid: unused
@@ -1060,7 +1175,7 @@ static int smack_kernel_create_files_as(struct cred *new,
1060 */ 1175 */
1061static int smack_task_setpgid(struct task_struct *p, pid_t pgid) 1176static int smack_task_setpgid(struct task_struct *p, pid_t pgid)
1062{ 1177{
1063 return smk_curacc(task_security(p), MAY_WRITE); 1178 return smk_curacc_on_task(p, MAY_WRITE);
1064} 1179}
1065 1180
1066/** 1181/**
@@ -1071,7 +1186,7 @@ static int smack_task_setpgid(struct task_struct *p, pid_t pgid)
1071 */ 1186 */
1072static int smack_task_getpgid(struct task_struct *p) 1187static int smack_task_getpgid(struct task_struct *p)
1073{ 1188{
1074 return smk_curacc(task_security(p), MAY_READ); 1189 return smk_curacc_on_task(p, MAY_READ);
1075} 1190}
1076 1191
1077/** 1192/**
@@ -1082,7 +1197,7 @@ static int smack_task_getpgid(struct task_struct *p)
1082 */ 1197 */
1083static int smack_task_getsid(struct task_struct *p) 1198static int smack_task_getsid(struct task_struct *p)
1084{ 1199{
1085 return smk_curacc(task_security(p), MAY_READ); 1200 return smk_curacc_on_task(p, MAY_READ);
1086} 1201}
1087 1202
1088/** 1203/**
@@ -1110,7 +1225,7 @@ static int smack_task_setnice(struct task_struct *p, int nice)
1110 1225
1111 rc = cap_task_setnice(p, nice); 1226 rc = cap_task_setnice(p, nice);
1112 if (rc == 0) 1227 if (rc == 0)
1113 rc = smk_curacc(task_security(p), MAY_WRITE); 1228 rc = smk_curacc_on_task(p, MAY_WRITE);
1114 return rc; 1229 return rc;
1115} 1230}
1116 1231
@@ -1127,7 +1242,7 @@ static int smack_task_setioprio(struct task_struct *p, int ioprio)
1127 1242
1128 rc = cap_task_setioprio(p, ioprio); 1243 rc = cap_task_setioprio(p, ioprio);
1129 if (rc == 0) 1244 if (rc == 0)
1130 rc = smk_curacc(task_security(p), MAY_WRITE); 1245 rc = smk_curacc_on_task(p, MAY_WRITE);
1131 return rc; 1246 return rc;
1132} 1247}
1133 1248
@@ -1139,7 +1254,7 @@ static int smack_task_setioprio(struct task_struct *p, int ioprio)
1139 */ 1254 */
1140static int smack_task_getioprio(struct task_struct *p) 1255static int smack_task_getioprio(struct task_struct *p)
1141{ 1256{
1142 return smk_curacc(task_security(p), MAY_READ); 1257 return smk_curacc_on_task(p, MAY_READ);
1143} 1258}
1144 1259
1145/** 1260/**
@@ -1157,7 +1272,7 @@ static int smack_task_setscheduler(struct task_struct *p, int policy,
1157 1272
1158 rc = cap_task_setscheduler(p, policy, lp); 1273 rc = cap_task_setscheduler(p, policy, lp);
1159 if (rc == 0) 1274 if (rc == 0)
1160 rc = smk_curacc(task_security(p), MAY_WRITE); 1275 rc = smk_curacc_on_task(p, MAY_WRITE);
1161 return rc; 1276 return rc;
1162} 1277}
1163 1278
@@ -1169,7 +1284,7 @@ static int smack_task_setscheduler(struct task_struct *p, int policy,
1169 */ 1284 */
1170static int smack_task_getscheduler(struct task_struct *p) 1285static int smack_task_getscheduler(struct task_struct *p)
1171{ 1286{
1172 return smk_curacc(task_security(p), MAY_READ); 1287 return smk_curacc_on_task(p, MAY_READ);
1173} 1288}
1174 1289
1175/** 1290/**
@@ -1180,7 +1295,7 @@ static int smack_task_getscheduler(struct task_struct *p)
1180 */ 1295 */
1181static int smack_task_movememory(struct task_struct *p) 1296static int smack_task_movememory(struct task_struct *p)
1182{ 1297{
1183 return smk_curacc(task_security(p), MAY_WRITE); 1298 return smk_curacc_on_task(p, MAY_WRITE);
1184} 1299}
1185 1300
1186/** 1301/**
@@ -1198,18 +1313,23 @@ static int smack_task_movememory(struct task_struct *p)
1198static int smack_task_kill(struct task_struct *p, struct siginfo *info, 1313static int smack_task_kill(struct task_struct *p, struct siginfo *info,
1199 int sig, u32 secid) 1314 int sig, u32 secid)
1200{ 1315{
1316 struct smk_audit_info ad;
1317
1318 smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_TASK);
1319 smk_ad_setfield_u_tsk(&ad, p);
1201 /* 1320 /*
1202 * Sending a signal requires that the sender 1321 * Sending a signal requires that the sender
1203 * can write the receiver. 1322 * can write the receiver.
1204 */ 1323 */
1205 if (secid == 0) 1324 if (secid == 0)
1206 return smk_curacc(task_security(p), MAY_WRITE); 1325 return smk_curacc(task_security(p), MAY_WRITE, &ad);
1207 /* 1326 /*
1208 * If the secid isn't 0 we're dealing with some USB IO 1327 * If the secid isn't 0 we're dealing with some USB IO
1209 * specific behavior. This is not clean. For one thing 1328 * specific behavior. This is not clean. For one thing
1210 * we can't take privilege into account. 1329 * we can't take privilege into account.
1211 */ 1330 */
1212 return smk_access(smack_from_secid(secid), task_security(p), MAY_WRITE); 1331 return smk_access(smack_from_secid(secid), task_security(p),
1332 MAY_WRITE, &ad);
1213} 1333}
1214 1334
1215/** 1335/**
@@ -1220,11 +1340,15 @@ static int smack_task_kill(struct task_struct *p, struct siginfo *info,
1220 */ 1340 */
1221static int smack_task_wait(struct task_struct *p) 1341static int smack_task_wait(struct task_struct *p)
1222{ 1342{
1343 struct smk_audit_info ad;
1344 char *sp = current_security();
1345 char *tsp = task_security(p);
1223 int rc; 1346 int rc;
1224 1347
1225 rc = smk_access(current_security(), task_security(p), MAY_WRITE); 1348 /* we don't log here, we can be overriden */
1349 rc = smk_access(sp, tsp, MAY_WRITE, NULL);
1226 if (rc == 0) 1350 if (rc == 0)
1227 return 0; 1351 goto out_log;
1228 1352
1229 /* 1353 /*
1230 * Allow the operation to succeed if either task 1354 * Allow the operation to succeed if either task
@@ -1238,8 +1362,12 @@ static int smack_task_wait(struct task_struct *p)
1238 * the smack value. 1362 * the smack value.
1239 */ 1363 */
1240 if (capable(CAP_MAC_OVERRIDE) || has_capability(p, CAP_MAC_OVERRIDE)) 1364 if (capable(CAP_MAC_OVERRIDE) || has_capability(p, CAP_MAC_OVERRIDE))
1241 return 0; 1365 rc = 0;
1242 1366 /* we log only if we didn't get overriden */
1367 out_log:
1368 smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_TASK);
1369 smk_ad_setfield_u_tsk(&ad, p);
1370 smack_log(sp, tsp, MAY_WRITE, rc, &ad);
1243 return rc; 1371 return rc;
1244} 1372}
1245 1373
@@ -1455,12 +1583,19 @@ static int smack_netlabel_send(struct sock *sk, struct sockaddr_in *sap)
1455 int sk_lbl; 1583 int sk_lbl;
1456 char *hostsp; 1584 char *hostsp;
1457 struct socket_smack *ssp = sk->sk_security; 1585 struct socket_smack *ssp = sk->sk_security;
1586 struct smk_audit_info ad;
1458 1587
1459 rcu_read_lock(); 1588 rcu_read_lock();
1460 hostsp = smack_host_label(sap); 1589 hostsp = smack_host_label(sap);
1461 if (hostsp != NULL) { 1590 if (hostsp != NULL) {
1462 sk_lbl = SMACK_UNLABELED_SOCKET; 1591 sk_lbl = SMACK_UNLABELED_SOCKET;
1463 rc = smk_access(ssp->smk_out, hostsp, MAY_WRITE); 1592#ifdef CONFIG_AUDIT
1593 smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_NET);
1594 ad.a.u.net.family = sap->sin_family;
1595 ad.a.u.net.dport = sap->sin_port;
1596 ad.a.u.net.v4info.daddr = sap->sin_addr.s_addr;
1597#endif
1598 rc = smk_access(ssp->smk_out, hostsp, MAY_WRITE, &ad);
1464 } else { 1599 } else {
1465 sk_lbl = SMACK_CIPSO_SOCKET; 1600 sk_lbl = SMACK_CIPSO_SOCKET;
1466 rc = 0; 1601 rc = 0;
@@ -1656,6 +1791,25 @@ static void smack_shm_free_security(struct shmid_kernel *shp)
1656} 1791}
1657 1792
1658/** 1793/**
1794 * smk_curacc_shm : check if current has access on shm
1795 * @shp : the object
1796 * @access : access requested
1797 *
1798 * Returns 0 if current has the requested access, error code otherwise
1799 */
1800static int smk_curacc_shm(struct shmid_kernel *shp, int access)
1801{
1802 char *ssp = smack_of_shm(shp);
1803 struct smk_audit_info ad;
1804
1805#ifdef CONFIG_AUDIT
1806 smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_IPC);
1807 ad.a.u.ipc_id = shp->shm_perm.id;
1808#endif
1809 return smk_curacc(ssp, access, &ad);
1810}
1811
1812/**
1659 * smack_shm_associate - Smack access check for shm 1813 * smack_shm_associate - Smack access check for shm
1660 * @shp: the object 1814 * @shp: the object
1661 * @shmflg: access requested 1815 * @shmflg: access requested
@@ -1664,11 +1818,10 @@ static void smack_shm_free_security(struct shmid_kernel *shp)
1664 */ 1818 */
1665static int smack_shm_associate(struct shmid_kernel *shp, int shmflg) 1819static int smack_shm_associate(struct shmid_kernel *shp, int shmflg)
1666{ 1820{
1667 char *ssp = smack_of_shm(shp);
1668 int may; 1821 int may;
1669 1822
1670 may = smack_flags_to_may(shmflg); 1823 may = smack_flags_to_may(shmflg);
1671 return smk_curacc(ssp, may); 1824 return smk_curacc_shm(shp, may);
1672} 1825}
1673 1826
1674/** 1827/**
@@ -1680,7 +1833,6 @@ static int smack_shm_associate(struct shmid_kernel *shp, int shmflg)
1680 */ 1833 */
1681static int smack_shm_shmctl(struct shmid_kernel *shp, int cmd) 1834static int smack_shm_shmctl(struct shmid_kernel *shp, int cmd)
1682{ 1835{
1683 char *ssp;
1684 int may; 1836 int may;
1685 1837
1686 switch (cmd) { 1838 switch (cmd) {
@@ -1703,9 +1855,7 @@ static int smack_shm_shmctl(struct shmid_kernel *shp, int cmd)
1703 default: 1855 default:
1704 return -EINVAL; 1856 return -EINVAL;
1705 } 1857 }
1706 1858 return smk_curacc_shm(shp, may);
1707 ssp = smack_of_shm(shp);
1708 return smk_curacc(ssp, may);
1709} 1859}
1710 1860
1711/** 1861/**
@@ -1719,11 +1869,10 @@ static int smack_shm_shmctl(struct shmid_kernel *shp, int cmd)
1719static int smack_shm_shmat(struct shmid_kernel *shp, char __user *shmaddr, 1869static int smack_shm_shmat(struct shmid_kernel *shp, char __user *shmaddr,
1720 int shmflg) 1870 int shmflg)
1721{ 1871{
1722 char *ssp = smack_of_shm(shp);
1723 int may; 1872 int may;
1724 1873
1725 may = smack_flags_to_may(shmflg); 1874 may = smack_flags_to_may(shmflg);
1726 return smk_curacc(ssp, may); 1875 return smk_curacc_shm(shp, may);
1727} 1876}
1728 1877
1729/** 1878/**
@@ -1765,6 +1914,25 @@ static void smack_sem_free_security(struct sem_array *sma)
1765} 1914}
1766 1915
1767/** 1916/**
1917 * smk_curacc_sem : check if current has access on sem
1918 * @sma : the object
1919 * @access : access requested
1920 *
1921 * Returns 0 if current has the requested access, error code otherwise
1922 */
1923static int smk_curacc_sem(struct sem_array *sma, int access)
1924{
1925 char *ssp = smack_of_sem(sma);
1926 struct smk_audit_info ad;
1927
1928#ifdef CONFIG_AUDIT
1929 smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_IPC);
1930 ad.a.u.ipc_id = sma->sem_perm.id;
1931#endif
1932 return smk_curacc(ssp, access, &ad);
1933}
1934
1935/**
1768 * smack_sem_associate - Smack access check for sem 1936 * smack_sem_associate - Smack access check for sem
1769 * @sma: the object 1937 * @sma: the object
1770 * @semflg: access requested 1938 * @semflg: access requested
@@ -1773,11 +1941,10 @@ static void smack_sem_free_security(struct sem_array *sma)
1773 */ 1941 */
1774static int smack_sem_associate(struct sem_array *sma, int semflg) 1942static int smack_sem_associate(struct sem_array *sma, int semflg)
1775{ 1943{
1776 char *ssp = smack_of_sem(sma);
1777 int may; 1944 int may;
1778 1945
1779 may = smack_flags_to_may(semflg); 1946 may = smack_flags_to_may(semflg);
1780 return smk_curacc(ssp, may); 1947 return smk_curacc_sem(sma, may);
1781} 1948}
1782 1949
1783/** 1950/**
@@ -1789,7 +1956,6 @@ static int smack_sem_associate(struct sem_array *sma, int semflg)
1789 */ 1956 */
1790static int smack_sem_semctl(struct sem_array *sma, int cmd) 1957static int smack_sem_semctl(struct sem_array *sma, int cmd)
1791{ 1958{
1792 char *ssp;
1793 int may; 1959 int may;
1794 1960
1795 switch (cmd) { 1961 switch (cmd) {
@@ -1818,8 +1984,7 @@ static int smack_sem_semctl(struct sem_array *sma, int cmd)
1818 return -EINVAL; 1984 return -EINVAL;
1819 } 1985 }
1820 1986
1821 ssp = smack_of_sem(sma); 1987 return smk_curacc_sem(sma, may);
1822 return smk_curacc(ssp, may);
1823} 1988}
1824 1989
1825/** 1990/**
@@ -1836,9 +2001,7 @@ static int smack_sem_semctl(struct sem_array *sma, int cmd)
1836static int smack_sem_semop(struct sem_array *sma, struct sembuf *sops, 2001static int smack_sem_semop(struct sem_array *sma, struct sembuf *sops,
1837 unsigned nsops, int alter) 2002 unsigned nsops, int alter)
1838{ 2003{
1839 char *ssp = smack_of_sem(sma); 2004 return smk_curacc_sem(sma, MAY_READWRITE);
1840
1841 return smk_curacc(ssp, MAY_READWRITE);
1842} 2005}
1843 2006
1844/** 2007/**
@@ -1880,6 +2043,25 @@ static char *smack_of_msq(struct msg_queue *msq)
1880} 2043}
1881 2044
1882/** 2045/**
2046 * smk_curacc_msq : helper to check if current has access on msq
2047 * @msq : the msq
2048 * @access : access requested
2049 *
2050 * return 0 if current has access, error otherwise
2051 */
2052static int smk_curacc_msq(struct msg_queue *msq, int access)
2053{
2054 char *msp = smack_of_msq(msq);
2055 struct smk_audit_info ad;
2056
2057#ifdef CONFIG_AUDIT
2058 smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_IPC);
2059 ad.a.u.ipc_id = msq->q_perm.id;
2060#endif
2061 return smk_curacc(msp, access, &ad);
2062}
2063
2064/**
1883 * smack_msg_queue_associate - Smack access check for msg_queue 2065 * smack_msg_queue_associate - Smack access check for msg_queue
1884 * @msq: the object 2066 * @msq: the object
1885 * @msqflg: access requested 2067 * @msqflg: access requested
@@ -1888,11 +2070,10 @@ static char *smack_of_msq(struct msg_queue *msq)
1888 */ 2070 */
1889static int smack_msg_queue_associate(struct msg_queue *msq, int msqflg) 2071static int smack_msg_queue_associate(struct msg_queue *msq, int msqflg)
1890{ 2072{
1891 char *msp = smack_of_msq(msq);
1892 int may; 2073 int may;
1893 2074
1894 may = smack_flags_to_may(msqflg); 2075 may = smack_flags_to_may(msqflg);
1895 return smk_curacc(msp, may); 2076 return smk_curacc_msq(msq, may);
1896} 2077}
1897 2078
1898/** 2079/**
@@ -1904,7 +2085,6 @@ static int smack_msg_queue_associate(struct msg_queue *msq, int msqflg)
1904 */ 2085 */
1905static int smack_msg_queue_msgctl(struct msg_queue *msq, int cmd) 2086static int smack_msg_queue_msgctl(struct msg_queue *msq, int cmd)
1906{ 2087{
1907 char *msp;
1908 int may; 2088 int may;
1909 2089
1910 switch (cmd) { 2090 switch (cmd) {
@@ -1926,8 +2106,7 @@ static int smack_msg_queue_msgctl(struct msg_queue *msq, int cmd)
1926 return -EINVAL; 2106 return -EINVAL;
1927 } 2107 }
1928 2108
1929 msp = smack_of_msq(msq); 2109 return smk_curacc_msq(msq, may);
1930 return smk_curacc(msp, may);
1931} 2110}
1932 2111
1933/** 2112/**
@@ -1941,11 +2120,10 @@ static int smack_msg_queue_msgctl(struct msg_queue *msq, int cmd)
1941static int smack_msg_queue_msgsnd(struct msg_queue *msq, struct msg_msg *msg, 2120static int smack_msg_queue_msgsnd(struct msg_queue *msq, struct msg_msg *msg,
1942 int msqflg) 2121 int msqflg)
1943{ 2122{
1944 char *msp = smack_of_msq(msq); 2123 int may;
1945 int rc;
1946 2124
1947 rc = smack_flags_to_may(msqflg); 2125 may = smack_flags_to_may(msqflg);
1948 return smk_curacc(msp, rc); 2126 return smk_curacc_msq(msq, may);
1949} 2127}
1950 2128
1951/** 2129/**
@@ -1961,9 +2139,7 @@ static int smack_msg_queue_msgsnd(struct msg_queue *msq, struct msg_msg *msg,
1961static int smack_msg_queue_msgrcv(struct msg_queue *msq, struct msg_msg *msg, 2139static int smack_msg_queue_msgrcv(struct msg_queue *msq, struct msg_msg *msg,
1962 struct task_struct *target, long type, int mode) 2140 struct task_struct *target, long type, int mode)
1963{ 2141{
1964 char *msp = smack_of_msq(msq); 2142 return smk_curacc_msq(msq, MAY_READWRITE);
1965
1966 return smk_curacc(msp, MAY_READWRITE);
1967} 2143}
1968 2144
1969/** 2145/**
@@ -1976,10 +2152,14 @@ static int smack_msg_queue_msgrcv(struct msg_queue *msq, struct msg_msg *msg,
1976static int smack_ipc_permission(struct kern_ipc_perm *ipp, short flag) 2152static int smack_ipc_permission(struct kern_ipc_perm *ipp, short flag)
1977{ 2153{
1978 char *isp = ipp->security; 2154 char *isp = ipp->security;
1979 int may; 2155 int may = smack_flags_to_may(flag);
2156 struct smk_audit_info ad;
1980 2157
1981 may = smack_flags_to_may(flag); 2158#ifdef CONFIG_AUDIT
1982 return smk_curacc(isp, may); 2159 smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_IPC);
2160 ad.a.u.ipc_id = ipp->id;
2161#endif
2162 return smk_curacc(isp, may, &ad);
1983} 2163}
1984 2164
1985/** 2165/**
@@ -2238,8 +2418,12 @@ static int smack_unix_stream_connect(struct socket *sock,
2238{ 2418{
2239 struct inode *sp = SOCK_INODE(sock); 2419 struct inode *sp = SOCK_INODE(sock);
2240 struct inode *op = SOCK_INODE(other); 2420 struct inode *op = SOCK_INODE(other);
2421 struct smk_audit_info ad;
2241 2422
2242 return smk_access(smk_of_inode(sp), smk_of_inode(op), MAY_READWRITE); 2423 smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_NET);
2424 smk_ad_setfield_u_net_sk(&ad, other->sk);
2425 return smk_access(smk_of_inode(sp), smk_of_inode(op),
2426 MAY_READWRITE, &ad);
2243} 2427}
2244 2428
2245/** 2429/**
@@ -2254,8 +2438,11 @@ static int smack_unix_may_send(struct socket *sock, struct socket *other)
2254{ 2438{
2255 struct inode *sp = SOCK_INODE(sock); 2439 struct inode *sp = SOCK_INODE(sock);
2256 struct inode *op = SOCK_INODE(other); 2440 struct inode *op = SOCK_INODE(other);
2441 struct smk_audit_info ad;
2257 2442
2258 return smk_access(smk_of_inode(sp), smk_of_inode(op), MAY_WRITE); 2443 smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_NET);
2444 smk_ad_setfield_u_net_sk(&ad, other->sk);
2445 return smk_access(smk_of_inode(sp), smk_of_inode(op), MAY_WRITE, &ad);
2259} 2446}
2260 2447
2261/** 2448/**
@@ -2370,7 +2557,7 @@ static int smack_socket_sock_rcv_skb(struct sock *sk, struct sk_buff *skb)
2370 char smack[SMK_LABELLEN]; 2557 char smack[SMK_LABELLEN];
2371 char *csp; 2558 char *csp;
2372 int rc; 2559 int rc;
2373 2560 struct smk_audit_info ad;
2374 if (sk->sk_family != PF_INET && sk->sk_family != PF_INET6) 2561 if (sk->sk_family != PF_INET && sk->sk_family != PF_INET6)
2375 return 0; 2562 return 0;
2376 2563
@@ -2388,13 +2575,19 @@ static int smack_socket_sock_rcv_skb(struct sock *sk, struct sk_buff *skb)
2388 2575
2389 netlbl_secattr_destroy(&secattr); 2576 netlbl_secattr_destroy(&secattr);
2390 2577
2578#ifdef CONFIG_AUDIT
2579 smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_NET);
2580 ad.a.u.net.family = sk->sk_family;
2581 ad.a.u.net.netif = skb->iif;
2582 ipv4_skb_to_auditdata(skb, &ad.a, NULL);
2583#endif
2391 /* 2584 /*
2392 * Receiving a packet requires that the other end 2585 * Receiving a packet requires that the other end
2393 * be able to write here. Read access is not required. 2586 * be able to write here. Read access is not required.
2394 * This is the simplist possible security model 2587 * This is the simplist possible security model
2395 * for networking. 2588 * for networking.
2396 */ 2589 */
2397 rc = smk_access(csp, ssp->smk_in, MAY_WRITE); 2590 rc = smk_access(csp, ssp->smk_in, MAY_WRITE, &ad);
2398 if (rc != 0) 2591 if (rc != 0)
2399 netlbl_skbuff_err(skb, rc, 0); 2592 netlbl_skbuff_err(skb, rc, 0);
2400 return rc; 2593 return rc;
@@ -2523,6 +2716,7 @@ static int smack_inet_conn_request(struct sock *sk, struct sk_buff *skb,
2523 struct iphdr *hdr; 2716 struct iphdr *hdr;
2524 char smack[SMK_LABELLEN]; 2717 char smack[SMK_LABELLEN];
2525 int rc; 2718 int rc;
2719 struct smk_audit_info ad;
2526 2720
2527 /* handle mapped IPv4 packets arriving via IPv6 sockets */ 2721 /* handle mapped IPv4 packets arriving via IPv6 sockets */
2528 if (family == PF_INET6 && skb->protocol == htons(ETH_P_IP)) 2722 if (family == PF_INET6 && skb->protocol == htons(ETH_P_IP))
@@ -2536,11 +2730,17 @@ static int smack_inet_conn_request(struct sock *sk, struct sk_buff *skb,
2536 strncpy(smack, smack_known_huh.smk_known, SMK_MAXLEN); 2730 strncpy(smack, smack_known_huh.smk_known, SMK_MAXLEN);
2537 netlbl_secattr_destroy(&secattr); 2731 netlbl_secattr_destroy(&secattr);
2538 2732
2733#ifdef CONFIG_AUDIT
2734 smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_NET);
2735 ad.a.u.net.family = family;
2736 ad.a.u.net.netif = skb->iif;
2737 ipv4_skb_to_auditdata(skb, &ad.a, NULL);
2738#endif
2539 /* 2739 /*
2540 * Receiving a packet requires that the other end be able to write 2740 * Receiving a packet requires that the other end be able to write
2541 * here. Read access is not required. 2741 * here. Read access is not required.
2542 */ 2742 */
2543 rc = smk_access(smack, ssp->smk_in, MAY_WRITE); 2743 rc = smk_access(smack, ssp->smk_in, MAY_WRITE, &ad);
2544 if (rc != 0) 2744 if (rc != 0)
2545 return rc; 2745 return rc;
2546 2746
@@ -2642,6 +2842,7 @@ static int smack_key_permission(key_ref_t key_ref,
2642 const struct cred *cred, key_perm_t perm) 2842 const struct cred *cred, key_perm_t perm)
2643{ 2843{
2644 struct key *keyp; 2844 struct key *keyp;
2845 struct smk_audit_info ad;
2645 2846
2646 keyp = key_ref_to_ptr(key_ref); 2847 keyp = key_ref_to_ptr(key_ref);
2647 if (keyp == NULL) 2848 if (keyp == NULL)
@@ -2657,8 +2858,13 @@ static int smack_key_permission(key_ref_t key_ref,
2657 */ 2858 */
2658 if (cred->security == NULL) 2859 if (cred->security == NULL)
2659 return -EACCES; 2860 return -EACCES;
2660 2861#ifdef CONFIG_AUDIT
2661 return smk_access(cred->security, keyp->security, MAY_READWRITE); 2862 smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_KEY);
2863 ad.a.u.key_struct.key = keyp->serial;
2864 ad.a.u.key_struct.key_desc = keyp->description;
2865#endif
2866 return smk_access(cred->security, keyp->security,
2867 MAY_READWRITE, &ad);
2662} 2868}
2663#endif /* CONFIG_KEYS */ 2869#endif /* CONFIG_KEYS */
2664 2870
generated by cgit v1.2.2 (git 2.25.0) at 2024-12-27 23:00:59 -0500