Merge tag 'Smack-for-7.0' of https://github.com/cschaufler/smack-next

Pull smack updates from Casey Schaufler:
"Two improvements to the code for setting the CIPSO Domain Of
Interpretation (DOI), a seldom used feature, and a formatting change"

* tag 'Smack-for-7.0' of https://github.com/cschaufler/smack-next:
smack: /smack/doi: accept previously used values
smack: /smack/doi must be > 0
security: smack: fix indentation in smack_access.c

+51 -30
+1 -1
security/smack/smack_access.c
··· 392 392 } 393 393 #else /* #ifdef CONFIG_AUDIT */ 394 394 void smack_log(char *subject_label, char *object_label, int request, 395 - int result, struct smk_audit_info *ad) 395 + int result, struct smk_audit_info *ad) 396 396 { 397 397 } 398 398 #endif
+50 -29
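--- a/security/smack/smackfs.c
+++ b/security/smack/smackfs.c
@@ -70,6 +70,7 @@
 static DEFINE_MUTEX(smack_cipso_lock);
 static DEFINE_MUTEX(smack_ambient_lock);
 static DEFINE_MUTEX(smk_net4addr_lock);
+static DEFINE_MUTEX(smk_cipso_doi_lock);
 #if IS_ENABLED(CONFIG_IPV6)
 static DEFINE_MUTEX(smk_net6addr_lock);
 #endif /* CONFIG_IPV6 */
@@ -142,7 +141,7 @@
 	int smk_access2;
 };
 
-static int smk_cipso_doi_value = SMACK_CIPSO_DOI_DEFAULT;
+static u32 smk_cipso_doi_value = CIPSO_V4_DOI_UNKNOWN;
 
 /*
  * Values for parsing cipso rules
@@ -664,43 +663,60 @@
 };
 
 /**
- * smk_cipso_doi - initialize the CIPSO domain
+ * smk_cipso_doi - set netlabel maps
+ * @ndoi: new value for our CIPSO DOI
+ * @gfp_flags: kmalloc allocation context
  */
-static void smk_cipso_doi(void)
+static int
+smk_cipso_doi(u32 ndoi, gfp_t gfp_flags)
 {
-	int rc;
+	int rc = 0;
 	struct cipso_v4_doi *doip;
 	struct netlbl_audit nai;
 
+	mutex_lock(&smk_cipso_doi_lock);
+
+	if (smk_cipso_doi_value == ndoi)
+		goto clr_doi_lock;
+
 	smk_netlabel_audit_set(&nai);
 
-	rc = netlbl_cfg_map_del(NULL, PF_INET, NULL, NULL, &nai);
-	if (rc != 0)
-		printk(KERN_WARNING "%s:%d remove rc = %d\n",
-		       __func__, __LINE__, rc);
-
-	doip = kmalloc(sizeof(struct cipso_v4_doi), GFP_KERNEL | __GFP_NOFAIL);
+	doip = kmalloc(sizeof(struct cipso_v4_doi), gfp_flags);
+	if (!doip) {
+		rc = -ENOMEM;
+		goto clr_doi_lock;
+	}
 	doip->map.std = NULL;
-	doip->doi = smk_cipso_doi_value;
+	doip->doi = ndoi;
 	doip->type = CIPSO_V4_MAP_PASS;
 	doip->tags[0] = CIPSO_V4_TAG_RBITMAP;
 	for (rc = 1; rc < CIPSO_V4_TAG_MAXCNT; rc++)
 		doip->tags[rc] = CIPSO_V4_TAG_INVALID;
 
 	rc = netlbl_cfg_cipsov4_add(doip, &nai);
-	if (rc != 0) {
-		printk(KERN_WARNING "%s:%d cipso add rc = %d\n",
-		       __func__, __LINE__, rc);
+	if (rc) {
 		kfree(doip);
-		return;
+		goto clr_doi_lock;
 	}
-	rc = netlbl_cfg_cipsov4_map_add(doip->doi, NULL, NULL, NULL, &nai);
-	if (rc != 0) {
-		printk(KERN_WARNING "%s:%d map add rc = %d\n",
-		       __func__, __LINE__, rc);
-		netlbl_cfg_cipsov4_del(doip->doi, &nai);
-		return;
+
+	if (smk_cipso_doi_value != CIPSO_V4_DOI_UNKNOWN) {
+		rc = netlbl_cfg_map_del(NULL, PF_INET, NULL, NULL, &nai);
+		if (rc && rc != -ENOENT)
+			goto clr_ndoi_def;
+
+		netlbl_cfg_cipsov4_del(smk_cipso_doi_value, &nai);
 	}
+
+	rc = netlbl_cfg_cipsov4_map_add(ndoi, NULL, NULL, NULL, &nai);
+	if (rc) {
+		smk_cipso_doi_value = CIPSO_V4_DOI_UNKNOWN; // no default map
+clr_ndoi_def:	netlbl_cfg_cipsov4_del(ndoi, &nai);
+	} else
+		smk_cipso_doi_value = ndoi;
+
+clr_doi_lock:
+	mutex_unlock(&smk_cipso_doi_lock);
+	return rc;
 }
 
 /**
@@ -1580,7 +1562,7 @@
 	if (*ppos != 0)
 		return 0;
 
-	sprintf(temp, "%d", smk_cipso_doi_value);
+	sprintf(temp, "%lu", (unsigned long)smk_cipso_doi_value);
 	rc = simple_read_from_buffer(buf, count, ppos, temp, strlen(temp));
 
 	return rc;
@@ -1599,7 +1581,7 @@
 			  size_t count, loff_t *ppos)
 {
 	char temp[80];
-	int i;
+	unsigned long u;
 
 	if (!smack_privileged(CAP_MAC_ADMIN))
 		return -EPERM;
@@ -1612,14 +1594,13 @@
 
 	temp[count] = '\0';
 
-	if (sscanf(temp, "%d", &i) != 1)
+	if (kstrtoul(temp, 10, &u))
 		return -EINVAL;
 
-	smk_cipso_doi_value = i;
+	if (u == CIPSO_V4_DOI_UNKNOWN || u > U32_MAX)
+		return -EINVAL;
 
-	smk_cipso_doi();
-
-	return count;
+	return smk_cipso_doi(u, GFP_KERNEL) ? : count;
 }
 
 static const struct file_operations smk_doi_ops = {
@@ -2999,6 +2982,7 @@
 {
 	int err;
 	int rc;
+	struct netlbl_audit nai;
 
 	if (smack_enabled == 0)
 		return 0;
@@ -3018,7 +3000,10 @@
 		}
 	}
 
-	smk_cipso_doi();
+	smk_netlabel_audit_set(&nai);
+	(void) netlbl_cfg_map_del(NULL, PF_INET, NULL, NULL, &nai);
+	(void) smk_cipso_doi(SMACK_CIPSO_DOI_DEFAULT,
+			     GFP_KERNEL | __GFP_NOFAIL);
 	smk_unlbl_ambient(NULL);
 
 	rc = smack_populate_secattr(&smack_known_floor);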
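Review bot: In smk_cipso_doi()'s failure branch after netlbl_cfg_cipsov4_map_add(), the previous default map has already been removed by the preceding netlbl_cfg_map_del(), so a failed write to /smack/doi returns an errno while the system is silently left with no default CIPSO map, and the KERN_WARNING messages the old code printed on this path are gone; at minimum log it, e.g. `pr_warn("Smack: no default CIPSO map, DOI %u map add failed (%d)\n", ndoi, rc);` alongside `smk_cipso_doi_value = CIPSO_V4_DOI_UNKNOWN;`. The same gap exists in smack_init(), where the `(void)` cast discards smk_cipso_doi()'s result and a boot-time failure to register SMACK_CIPSO_DOI_DEFAULT leaves no trace in the log. smk_read_doi() still loads smk_cipso_doi_value without taking the new smk_cipso_doi_lock; for a u32 that is presumably benign, but `READ_ONCE(smk_cipso_doi_value)` would make the lockless read deliberate rather than accidental. As a style point, `} else` followed by an unbraced `smk_cipso_doi_value = ndoi;` should brace both branches per the kernel coding style, and the `// no default map` comment and the label placed on the same line as its statement are out of keeping with the rest of the file.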