Merge tag 'Smack-for-6.15' of https://github.com/cschaufler/smack-next

+13 -7

security/smack/smack.h

··· 42 42 43 43 /* 44 44 * This is the repository for labels seen so that it is 45 - * not necessary to keep allocating tiny chuncks of memory 45 + * not necessary to keep allocating tiny chunks of memory 46 46 * and so that they can be shared. 47 47 * 48 48 * Labels are never modified in place. Anytime a label ··· 152 152 struct smack_known *smk_label; /* label */ 153 153 }; 154 154 155 + #if IS_ENABLED(CONFIG_IPV6) 155 156 /* 156 157 * An entry in the table identifying IPv6 hosts. 157 158 */ ··· 163 162 int smk_masks; /* mask size */ 164 163 struct smack_known *smk_label; /* label */ 165 164 }; 165 + #endif /* CONFIG_IPV6 */ 166 166 167 + #ifdef SMACK_IPV6_PORT_LABELING 167 168 /* 168 169 * An entry in the table identifying ports. 169 170 */ ··· 178 175 short smk_sock_type; /* Socket type */ 179 176 short smk_can_reuse; 180 177 }; 178 + #endif /* SMACK_IPV6_PORT_LABELING */ 181 179 182 180 struct smack_known_list_elem { 183 181 struct list_head list; ··· 319 315 extern struct mutex smack_known_lock; 320 316 extern struct list_head smack_known_list; 321 317 extern struct list_head smk_net4addr_list; 318 + #if IS_ENABLED(CONFIG_IPV6) 322 319 extern struct list_head smk_net6addr_list; 320 + #endif /* CONFIG_IPV6 */ 323 321 324 322 extern struct mutex smack_onlycap_lock; 325 323 extern struct list_head smack_onlycap_list; ··· 432 426 return smk_of_task(smack_cred(current_cred())); 433 427 } 434 428 429 + void smack_log(char *subject_label, char *object_label, 430 + int request, 431 + int result, struct smk_audit_info *auditdata); 432 + 433 + #ifdef CONFIG_AUDIT 434 + 435 435 /* 436 436 * logging functions 437 437 */ 438 438 #define SMACK_AUDIT_DENIED 0x1 439 439 #define SMACK_AUDIT_ACCEPT 0x2 440 440 extern int log_policy; 441 - 442 - void smack_log(char *subject_label, char *object_label, 443 - int request, 444 - int result, struct smk_audit_info *auditdata); 445 - 446 - #ifdef CONFIG_AUDIT 447 441 448 442 /* 449 443 * some inline functions to set up audit data

+4 -2

security/smack/smack_access.c

··· 45 45 */ 46 46 static u32 smack_next_secid = 10; 47 47 48 + #ifdef CONFIG_AUDIT 48 49 /* 49 50 * what events do we log 50 51 * can be overwritten at run-time by /smack/logging 51 52 */ 52 53 int log_policy = SMACK_AUDIT_DENIED; 54 + #endif /* CONFIG_AUDIT */ 53 55 54 56 /** 55 57 * smk_access_entry - look up matching access rule ··· 244 242 } 245 243 246 244 /* 247 - * Allow for priviliged to override policy. 245 + * Allow for privileged to override policy. 248 246 */ 249 247 if (rc != 0 && smack_privileged(CAP_MAC_OVERRIDE)) 250 248 rc = 0; ··· 278 276 } 279 277 280 278 /** 281 - * smack_str_from_perm : helper to transalate an int to a 279 + * smack_str_from_perm : helper to translate an int to a 282 280 * readable string 283 281 * @string : the string to fill 284 282 * @access : the int

+12 -28

security/smack/smack_lsm.c

··· 1934 1934 */ 1935 1935 file = fown->file; 1936 1936 1937 - /* we don't log here as rc can be overriden */ 1937 + /* we don't log here as rc can be overridden */ 1938 1938 blob = smack_file(file); 1939 1939 skp = *blob; 1940 1940 rc = smk_access(skp, tkp, MAY_DELIVER, NULL); ··· 2492 2492 return NULL; 2493 2493 } 2494 2494 2495 + #if IS_ENABLED(CONFIG_IPV6) 2495 2496 /* 2496 2497 * smk_ipv6_localhost - Check for local ipv6 host address 2497 2498 * @sip: the address ··· 2560 2559 2561 2560 return NULL; 2562 2561 } 2562 + #endif /* CONFIG_IPV6 */ 2563 2563 2564 2564 /** 2565 2565 * smack_netlbl_add - Set the secattr on a socket ··· 2665 2663 return rc; 2666 2664 } 2667 2665 2666 + #if IS_ENABLED(CONFIG_IPV6) 2668 2667 /** 2669 2668 * smk_ipv6_check - check Smack access 2670 2669 * @subject: subject Smack label ··· 2698 2695 rc = smk_bu_note("IPv6 check", subject, object, MAY_WRITE, rc); 2699 2696 return rc; 2700 2697 } 2698 + #endif /* CONFIG_IPV6 */ 2701 2699 2702 2700 #ifdef SMACK_IPV6_PORT_LABELING 2703 2701 /** ··· 3031 3027 return 0; 3032 3028 if (addrlen < offsetofend(struct sockaddr, sa_family)) 3033 3029 return 0; 3034 - if (IS_ENABLED(CONFIG_IPV6) && sap->sa_family == AF_INET6) { 3030 + 3031 + #if IS_ENABLED(CONFIG_IPV6) 3032 + if (sap->sa_family == AF_INET6) { 3035 3033 struct sockaddr_in6 *sip = (struct sockaddr_in6 *)sap; 3036 3034 struct smack_known *rsp = NULL; 3037 3035 ··· 3053 3047 3054 3048 return rc; 3055 3049 } 3050 + #endif /* CONFIG_IPV6 */ 3051 + 3056 3052 if (sap->sa_family != AF_INET || addrlen < sizeof(struct sockaddr_in)) 3057 3053 return 0; 3058 3054 rc = smk_ipv4_check(sock->sk, (struct sockaddr_in *)sap); ··· 4203 4195 /* 4204 4196 * Receiving a packet requires that the other end 4205 4197 * be able to write here. Read access is not required. 4206 - * This is the simplist possible security model 4198 + * This is the simplest possible security model 4207 4199 * for networking. 4208 4200 */ 4209 4201 rc = smk_access(skp, ssp->smk_in, MAY_WRITE, &ad); ··· 4348 4340 if (s == 0) 4349 4341 return -EINVAL; 4350 4342 return 0; 4351 - } 4352 - 4353 - /** 4354 - * smack_sock_graft - Initialize a newly created socket with an existing sock 4355 - * @sk: child sock 4356 - * @parent: parent socket 4357 - * 4358 - * Set the smk_{in,out} state of an existing sock based on the process that 4359 - * is creating the new socket. 4360 - */ 4361 - static void smack_sock_graft(struct sock *sk, struct socket *parent) 4362 - { 4363 - struct socket_smack *ssp; 4364 - struct smack_known *skp = smk_of_current(); 4365 - 4366 - if (sk == NULL || 4367 - (sk->sk_family != PF_INET && sk->sk_family != PF_INET6)) 4368 - return; 4369 - 4370 - ssp = smack_sock(sk); 4371 - ssp->smk_in = skp; 4372 - ssp->smk_out = skp; 4373 - /* cssp->smk_packet is already set in smack_inet_csk_clone() */ 4374 4343 } 4375 4344 4376 4345 /** ··· 4686 4701 * @gfp: type of the memory for the allocation 4687 4702 * 4688 4703 * Prepare to audit cases where (@field @op @rulestr) is true. 4689 - * The label to be audited is created if necessay. 4704 + * The label to be audited is created if necessary. 4690 4705 */ 4691 4706 static int smack_audit_rule_init(u32 field, u32 op, char *rulestr, void **vrule, 4692 4707 gfp_t gfp) ··· 5164 5179 LSM_HOOK_INIT(sk_free_security, smack_sk_free_security), 5165 5180 #endif 5166 5181 LSM_HOOK_INIT(sk_clone_security, smack_sk_clone_security), 5167 - LSM_HOOK_INIT(sock_graft, smack_sock_graft), 5168 5182 LSM_HOOK_INIT(inet_conn_request, smack_inet_conn_request), 5169 5183 LSM_HOOK_INIT(inet_csk_clone, smack_inet_csk_clone), 5170 5184

+14 -15

security/smack/smackfs.c

··· 41 41 SMK_AMBIENT = 7, /* internet ambient label */ 42 42 SMK_NET4ADDR = 8, /* single label hosts */ 43 43 SMK_ONLYCAP = 9, /* the only "capable" label */ 44 + #ifdef CONFIG_AUDIT 44 45 SMK_LOGGING = 10, /* logging */ 46 + #endif /* CONFIG_AUDIT */ 45 47 SMK_LOAD_SELF = 11, /* task specific rules */ 46 48 SMK_ACCESSES = 12, /* access policy */ 47 49 SMK_MAPPED = 13, /* CIPSO level indicating mapped label */ ··· 167 165 #define SMK_LOADLEN (SMK_LABELLEN + SMK_LABELLEN + SMK_ACCESSLEN) 168 166 169 167 /* 170 - * Stricly for CIPSO level manipulation. 168 + * Strictly for CIPSO level manipulation. 171 169 * Set the category bit number in a smack label sized buffer. 172 170 */ 173 171 static inline void smack_catset_bit(unsigned int cat, char *catsetp) ··· 814 812 static ssize_t smk_set_cipso(struct file *file, const char __user *buf, 815 813 size_t count, loff_t *ppos, int format) 816 814 { 817 - struct netlbl_lsm_catmap *old_cat, *new_cat = NULL; 815 + struct netlbl_lsm_catmap *old_cat; 818 816 struct smack_known *skp; 819 817 struct netlbl_lsm_secattr ncats; 820 818 char mapcatset[SMK_CIPSOLEN]; ··· 901 899 902 900 smack_catset_bit(cat, mapcatset); 903 901 } 904 - ncats.flags = 0; 905 - if (catlen == 0) { 906 - ncats.attr.mls.cat = NULL; 907 - ncats.attr.mls.lvl = maplevel; 908 - new_cat = netlbl_catmap_alloc(GFP_ATOMIC); 909 - if (new_cat) 910 - new_cat->next = ncats.attr.mls.cat; 911 - ncats.attr.mls.cat = new_cat; 912 - skp->smk_netlabel.flags &= ~(1U << 3); 913 - rc = 0; 914 - } else { 915 - rc = smk_netlbl_mls(maplevel, mapcatset, &ncats, SMK_CIPSOLEN); 916 - } 902 + 903 + rc = smk_netlbl_mls(maplevel, mapcatset, &ncats, SMK_CIPSOLEN); 917 904 if (rc >= 0) { 918 905 old_cat = skp->smk_netlabel.attr.mls.cat; 919 906 rcu_assign_pointer(skp->smk_netlabel.attr.mls.cat, ncats.attr.mls.cat); 907 + if (ncats.attr.mls.cat) 908 + skp->smk_netlabel.flags |= NETLBL_SECATTR_MLS_CAT; 909 + else 910 + skp->smk_netlabel.flags &= ~(u32)NETLBL_SECATTR_MLS_CAT; 920 911 skp->smk_netlabel.attr.mls.lvl = ncats.attr.mls.lvl; 921 912 synchronize_rcu(); 922 913 netlbl_catmap_free(old_cat); ··· 2128 2133 }; 2129 2134 #endif /* CONFIG_SECURITY_SMACK_BRINGUP */ 2130 2135 2136 + #ifdef CONFIG_AUDIT 2131 2137 /** 2132 2138 * smk_read_logging - read() for /smack/logging 2133 2139 * @filp: file pointer, not actually used ··· 2193 2197 .write = smk_write_logging, 2194 2198 .llseek = default_llseek, 2195 2199 }; 2200 + #endif /* CONFIG_AUDIT */ 2196 2201 2197 2202 /* 2198 2203 * Seq_file read operations for /smack/load-self ··· 2880 2883 "netlabel", &smk_net4addr_ops, S_IRUGO|S_IWUSR}, 2881 2884 [SMK_ONLYCAP] = { 2882 2885 "onlycap", &smk_onlycap_ops, S_IRUGO|S_IWUSR}, 2886 + #ifdef CONFIG_AUDIT 2883 2887 [SMK_LOGGING] = { 2884 2888 "logging", &smk_logging_ops, S_IRUGO|S_IWUSR}, 2889 + #endif /* CONFIG_AUDIT */ 2885 2890 [SMK_LOAD_SELF] = { 2886 2891 "load-self", &smk_load_self_ops, S_IRUGO|S_IWUGO}, 2887 2892 [SMK_ACCESSES] = {

Configure Feed

Configure Feed