OpenE2K
/
linux
6
0
Fork 0
Code Issues Pull Requests Releases Wiki Activity

Merge branch 'smack-for-3.18' of git://git.gitorious.org/smack-next/kernel into next

This commit is contained in:
James Morris 2014-09-18 23:52:46 +10:00
parent ac60ab4b49 21c7eae21a
commit 6f98e89288
5 changed files with 520 additions and 274 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

16
security/smack/Kconfig
View File

@ -12,3 +12,19 @@ config SECURITY_SMACK
of other mandatory security schemes.
If you are unsure how to answer this question, answer N.
config SECURITY_SMACK_BRINGUP
bool "Reporting on access granted by Smack rules"
depends on SECURITY_SMACK
default n
help
Enable the bring-up ("b") access mode in Smack rules.
When access is granted by a rule with the "b" mode a
message about the access requested is generated. The
intention is that a process can be granted a wide set
of access initially with the bringup mode set on the
rules. The developer can use the information to
identify which rules are necessary and what accesses
may be inappropriate. The developer can reduce the
access rule set once the behavior is well understood.
This is a superior mechanism to the oft abused
"permissive" mode of other systems.

39
security/smack/smack.h
View File

@ -71,11 +71,11 @@ struct smack_known {
#define SMK_CIPSOLEN 24
struct superblock_smack {
char *smk_root;
char *smk_floor;
char *smk_hat;
char *smk_default;
int smk_initialized;
struct smack_known *smk_root;
struct smack_known *smk_floor;
struct smack_known *smk_hat;
struct smack_known *smk_default;
int smk_initialized;
};
struct socket_smack {
@ -88,7 +88,7 @@ struct socket_smack {
* Inode smack data
*/
struct inode_smack {
char *smk_inode; /* label of the fso */
struct smack_known *smk_inode; /* label of the fso */
struct smack_known *smk_task; /* label of the task */
struct smack_known *smk_mmap; /* label of the mmap domain */
struct mutex smk_lock; /* initialization lock */
@ -112,7 +112,7 @@ struct task_smack {
struct smack_rule {
struct list_head list;
struct smack_known *smk_subject;
char *smk_object;
struct smack_known *smk_object;
int smk_access;
};
@ -123,7 +123,7 @@ struct smk_netlbladdr {
struct list_head list;
struct sockaddr_in smk_host; /* network address */
struct in_addr smk_mask; /* network mask */
char *smk_label; /* label */
struct smack_known *smk_label; /* label */
};
/*
@ -191,6 +191,7 @@ struct smk_port_label {
*/
#define MAY_TRANSMUTE 0x00001000 /* Controls directory labeling */
#define MAY_LOCK 0x00002000 /* Locks should be writes, but ... */
#define MAY_BRINGUP 0x00004000 /* Report use of this rule */
/*
* Just to make the common cases easier to deal with
@ -200,9 +201,9 @@ struct smk_port_label {
#define MAY_NOT 0
/*
* Number of access types used by Smack (rwxatl)
* Number of access types used by Smack (rwxatlb)
*/
#define SMK_NUM_ACCESS_TYPE 6
#define SMK_NUM_ACCESS_TYPE 7
/* SMACK data */
struct smack_audit_data {
@ -226,23 +227,23 @@ struct smk_audit_info {
/*
* These functions are in smack_lsm.c
*/
struct inode_smack *new_inode_smack(char *);
struct inode_smack *new_inode_smack(struct smack_known *);
/*
* These functions are in smack_access.c
*/
int smk_access_entry(char *, char *, struct list_head *);
int smk_access(struct smack_known *, char *, int, struct smk_audit_info *);
int smk_tskacc(struct task_smack *, char *, u32, struct smk_audit_info *);
int smk_curacc(char *, u32, struct smk_audit_info *);
int smk_access(struct smack_known *, struct smack_known *,
int, struct smk_audit_info *);
int smk_tskacc(struct task_smack *, struct smack_known *,
u32, struct smk_audit_info *);
int smk_curacc(struct smack_known *, u32, struct smk_audit_info *);
struct smack_known *smack_from_secid(const u32);
char *smk_parse_smack(const char *string, int len);
int smk_netlbl_mls(int, char *, struct netlbl_lsm_secattr *, int);
char *smk_import(const char *, int);
struct smack_known *smk_import_entry(const char *, int);
void smk_insert_entry(struct smack_known *skp);
struct smack_known *smk_find_entry(const char *);
u32 smack_to_secid(const char *);
/*
* Shared data.
@ -252,7 +253,7 @@ extern int smack_cipso_mapped;
extern struct smack_known *smack_net_ambient;
extern struct smack_known *smack_onlycap;
extern struct smack_known *smack_syslog_label;
extern const char *smack_cipso_option;
extern struct smack_known smack_cipso_option;
extern int smack_ptrace_rule;
extern struct smack_known smack_known_floor;
@ -281,9 +282,9 @@ static inline int smk_inode_transmutable(const struct inode *isp)
}
/*
* Present a pointer to the smack label in an inode blob.
* Present a pointer to the smack label entry in an inode blob.
*/
static inline char *smk_of_inode(const struct inode *isp)
static inline struct smack_known *smk_of_inode(const struct inode *isp)
{
struct inode_smack *sip = isp->i_security;
return sip->smk_inode;

118
security/smack/smack_access.c
View File

@ -94,7 +94,7 @@ int smk_access_entry(char *subject_label, char *object_label,
struct smack_rule *srp;
list_for_each_entry_rcu(srp, rule_list, list) {
if (srp->smk_object == object_label &&
if (srp->smk_object->smk_known == object_label &&
srp->smk_subject->smk_known == subject_label) {
may = srp->smk_access;
break;
@ -111,8 +111,8 @@ int smk_access_entry(char *subject_label, char *object_label,
/**
* smk_access - determine if a subject has a specific access to an object
* @subject_known: a pointer to the subject's Smack label entry
* @object_label: a pointer to the object's Smack label
* @subject: a pointer to the subject's Smack label entry
* @object: a pointer to the object's Smack label entry
* @request: the access requested, in "MAY" format
* @a : a pointer to the audit data
*
@ -122,8 +122,8 @@ int smk_access_entry(char *subject_label, char *object_label,
*
* Smack labels are shared on smack_list
*/
int smk_access(struct smack_known *subject_known, char *object_label,
int request, struct smk_audit_info *a)
int smk_access(struct smack_known *subject, struct smack_known *object,
int request, struct smk_audit_info *a)
{
int may = MAY_NOT;
int rc = 0;
@ -133,7 +133,7 @@ int smk_access(struct smack_known *subject_known, char *object_label,
*
* A star subject can't access any object.
*/
if (subject_known == &smack_known_star) {
if (subject == &smack_known_star) {
rc = -EACCES;
goto out_audit;
}
@ -142,28 +142,28 @@ int smk_access(struct smack_known *subject_known, char *object_label,
* Tasks cannot be assigned the internet label.
* An internet subject can access any object.
*/
if (object_label == smack_known_web.smk_known ||
subject_known == &smack_known_web)
if (object == &smack_known_web ||
subject == &smack_known_web)
goto out_audit;
/*
* A star object can be accessed by any subject.
*/
if (object_label == smack_known_star.smk_known)
if (object == &smack_known_star)
goto out_audit;
/*
* An object can be accessed in any way by a subject
* with the same label.
*/
if (subject_known->smk_known == object_label)
if (subject->smk_known == object->smk_known)
goto out_audit;
/*
* A hat subject can read any object.
* A floor object can be read by any subject.
*/
if ((request & MAY_ANYREAD) == request) {
if (object_label == smack_known_floor.smk_known)
if (object == &smack_known_floor)
goto out_audit;
if (subject_known == &smack_known_hat)
if (subject == &smack_known_hat)
goto out_audit;
}
/*
@ -174,27 +174,38 @@ int smk_access(struct smack_known *subject_known, char *object_label,
* indicates there is no entry for this pair.
*/
rcu_read_lock();
may = smk_access_entry(subject_known->smk_known, object_label,
&subject_known->smk_rules);
may = smk_access_entry(subject->smk_known, object->smk_known,
&subject->smk_rules);
rcu_read_unlock();
if (may > 0 && (request & may) == request)
if (may <= 0 || (request & may) != request) {
rc = -EACCES;
goto out_audit;
}
#ifdef CONFIG_SECURITY_SMACK_BRINGUP
/*
* Return a positive value if using bringup mode.
* This allows the hooks to identify checks that
* succeed because of "b" rules.
*/
if (may & MAY_BRINGUP)
rc = MAY_BRINGUP;
#endif
rc = -EACCES;
out_audit:
#ifdef CONFIG_AUDIT
if (a)
smack_log(subject_known->smk_known, object_label, request,
rc, a);
smack_log(subject->smk_known, object->smk_known,
request, rc, a);
#endif
return rc;
}
/**
* smk_tskacc - determine if a task has a specific access to an object
* @tsp: a pointer to the subject task
* @obj_label: a pointer to the object's Smack label
* @tsp: a pointer to the subject's task
* @obj_known: a pointer to the object's label entry
* @mode: the access requested, in "MAY" format
* @a : common audit data
*
@ -203,24 +214,25 @@ out_audit:
* non zero otherwise. It allows that the task may have the capability
* to override the rules.
*/
int smk_tskacc(struct task_smack *subject, char *obj_label,
int smk_tskacc(struct task_smack *tsp, struct smack_known *obj_known,
u32 mode, struct smk_audit_info *a)
{
struct smack_known *skp = smk_of_task(subject);
struct smack_known *sbj_known = smk_of_task(tsp);
int may;
int rc;
/*
* Check the global rule list
*/
rc = smk_access(skp, obj_label, mode, NULL);
if (rc == 0) {
rc = smk_access(sbj_known, obj_known, mode, NULL);
if (rc >= 0) {
/*
* If there is an entry in the task's rule list
* it can further restrict access.
*/
may = smk_access_entry(skp->smk_known, obj_label,
&subject->smk_rules);
may = smk_access_entry(sbj_known->smk_known,
obj_known->smk_known,
&tsp->smk_rules);
if (may < 0)
goto out_audit;
if ((mode & may) == mode)
@ -237,14 +249,15 @@ int smk_tskacc(struct task_smack *subject, char *obj_label,
out_audit:
#ifdef CONFIG_AUDIT
if (a)
smack_log(skp->smk_known, obj_label, mode, rc, a);
smack_log(sbj_known->smk_known, obj_known->smk_known,
mode, rc, a);
#endif
return rc;
}
/**
* smk_curacc - determine if current has a specific access to an object
* @obj_label: a pointer to the object's Smack label
* @obj_known: a pointer to the object's Smack label entry
* @mode: the access requested, in "MAY" format
* @a : common audit data
*
@ -253,11 +266,12 @@ out_audit:
* non zero otherwise. It allows that current may have the capability
* to override the rules.
*/
int smk_curacc(char *obj_label, u32 mode, struct smk_audit_info *a)
int smk_curacc(struct smack_known *obj_known,
u32 mode, struct smk_audit_info *a)
{
struct task_smack *tsp = current_security();
return smk_tskacc(tsp, obj_label, mode, a);
return smk_tskacc(tsp, obj_known, mode, a);
}
#ifdef CONFIG_AUDIT
@ -328,6 +342,13 @@ void smack_log(char *subject_label, char *object_label, int request,
struct smack_audit_data *sad;
struct common_audit_data *a = &ad->a;
#ifdef CONFIG_SECURITY_SMACK_BRINGUP
/*
* The result may be positive in bringup mode.
*/
if (result > 0)
result = 0;
#endif
/* check if we have to log the current event */
if (result != 0 && (log_policy & SMACK_AUDIT_DENIED) == 0)
return;
@ -543,27 +564,6 @@ unlockout:
return skp;
}
/**
* smk_import - import a smack label
* @string: a text string that might be a Smack label
* @len: the maximum size, or zero if it is NULL terminated.
*
* Returns a pointer to the label in the label list that
* matches the passed string, adding it if necessary.
*/
char *smk_import(const char *string, int len)
{
struct smack_known *skp;
/* labels cannot begin with a '-' */
if (string[0] == '-')
return NULL;
skp = smk_import_entry(string, len);
if (skp == NULL)
return NULL;
return skp->smk_known;
}
/**
* smack_from_secid - find the Smack label associated with a secid
* @secid: an integer that might be associated with a Smack label
@ -590,19 +590,3 @@ struct smack_known *smack_from_secid(const u32 secid)
rcu_read_unlock();
return &smack_known_invalid;
}
/**
* smack_to_secid - find the secid associated with a Smack label
* @smack: the Smack label
*
* Returns the appropriate secid if there is one,
* otherwise 0
*/
u32 smack_to_secid(const char *smack)
{
struct smack_known *skp = smk_find_entry(smack);
if (skp == NULL)
return 0;
return skp->smk_secid;
}

545
security/smack/smack_lsm.c
View File

File diff suppressed because it is too large Load Diff

76
security/smack/smackfs.c
View File

@ -131,14 +131,17 @@ LIST_HEAD(smack_rule_list);
struct smack_parsed_rule {
struct smack_known *smk_subject;
char *smk_object;
struct smack_known *smk_object;
int smk_access1;
int smk_access2;
};
static int smk_cipso_doi_value = SMACK_CIPSO_DOI_DEFAULT;
const char *smack_cipso_option = SMACK_CIPSO_OPTION;
struct smack_known smack_cipso_option = {
.smk_known = SMACK_CIPSO_OPTION,
.smk_secid = 0,
};
/*
* Values for parsing cipso rules
@ -304,6 +307,10 @@ static int smk_perm_from_str(const char *string)
case 'L':
perm |= MAY_LOCK;
break;
case 'b':
case 'B':
perm |= MAY_BRINGUP;
break;
default:
return perm;
}
@ -335,7 +342,7 @@ static int smk_fill_rule(const char *subject, const char *object,
if (rule->smk_subject == NULL)
return -EINVAL;
rule->smk_object = smk_import(object, len);
rule->smk_object = smk_import_entry(object, len);
if (rule->smk_object == NULL)
return -EINVAL;
} else {
@ -355,7 +362,7 @@ static int smk_fill_rule(const char *subject, const char *object,
kfree(cp);
if (skp == NULL)
return -ENOENT;
rule->smk_object = skp->smk_known;
rule->smk_object = skp;
}
rule->smk_access1 = smk_perm_from_str(access1);
@ -594,13 +601,15 @@ static void smk_rule_show(struct seq_file *s, struct smack_rule *srp, int max)
* anything you read back.
*/
if (strlen(srp->smk_subject->smk_known) >= max ||
strlen(srp->smk_object) >= max)
strlen(srp->smk_object->smk_known) >= max)
return;
if (srp->smk_access == 0)
return;
seq_printf(s, "%s %s", srp->smk_subject->smk_known, srp->smk_object);
seq_printf(s, "%s %s",
srp->smk_subject->smk_known,
srp->smk_object->smk_known);
seq_putc(s, ' ');
@ -616,6 +625,8 @@ static void smk_rule_show(struct seq_file *s, struct smack_rule *srp, int max)
seq_putc(s, 't');
if (srp->smk_access & MAY_LOCK)
seq_putc(s, 'l');
if (srp->smk_access & MAY_BRINGUP)
seq_putc(s, 'b');
seq_putc(s, '\n');
}
@ -1067,7 +1078,7 @@ static int netlbladdr_seq_show(struct seq_file *s, void *v)
for (maskn = 0; temp_mask; temp_mask <<= 1, maskn++);
seq_printf(s, "%u.%u.%u.%u/%d %s\n",
hp[0], hp[1], hp[2], hp[3], maskn, skp->smk_label);
hp[0], hp[1], hp[2], hp[3], maskn, skp->smk_label->smk_known);
return 0;
}
@ -1147,10 +1158,10 @@ static void smk_netlbladdr_insert(struct smk_netlbladdr *new)
static ssize_t smk_write_netlbladdr(struct file *file, const char __user *buf,
size_t count, loff_t *ppos)
{
struct smk_netlbladdr *skp;
struct smk_netlbladdr *snp;
struct sockaddr_in newname;
char *smack;
char *sp;
struct smack_known *skp;
char *data;
char *host = (char *)&newname.sin_addr.s_addr;
int rc;
@ -1213,15 +1224,15 @@ static ssize_t smk_write_netlbladdr(struct file *file, const char __user *buf,
* If smack begins with '-', it is an option, don't import it
*/
if (smack[0] != '-') {
sp = smk_import(smack, 0);
if (sp == NULL) {
skp = smk_import_entry(smack, 0);
if (skp == NULL) {
rc = -EINVAL;
goto free_out;
}
} else {
/* check known options */
if (strcmp(smack, smack_cipso_option) == 0)
sp = (char *)smack_cipso_option;
if (strcmp(smack, smack_cipso_option.smk_known) == 0)
skp = &smack_cipso_option;
else {
rc = -EINVAL;
goto free_out;
@ -1244,9 +1255,9 @@ static ssize_t smk_write_netlbladdr(struct file *file, const char __user *buf,
nsa = newname.sin_addr.s_addr;
/* try to find if the prefix is already in the list */
found = 0;
list_for_each_entry_rcu(skp, &smk_netlbladdr_list, list) {
if (skp->smk_host.sin_addr.s_addr == nsa &&
skp->smk_mask.s_addr == mask.s_addr) {
list_for_each_entry_rcu(snp, &smk_netlbladdr_list, list) {
if (snp->smk_host.sin_addr.s_addr == nsa &&
snp->smk_mask.s_addr == mask.s_addr) {
found = 1;
break;
}
@ -1254,26 +1265,26 @@ static ssize_t smk_write_netlbladdr(struct file *file, const char __user *buf,
smk_netlabel_audit_set(&audit_info);
if (found == 0) {
skp = kzalloc(sizeof(*skp), GFP_KERNEL);
if (skp == NULL)
snp = kzalloc(sizeof(*snp), GFP_KERNEL);
if (snp == NULL)
rc = -ENOMEM;
else {
rc = 0;
skp->smk_host.sin_addr.s_addr = newname.sin_addr.s_addr;
skp->smk_mask.s_addr = mask.s_addr;
skp->smk_label = sp;
smk_netlbladdr_insert(skp);
snp->smk_host.sin_addr.s_addr = newname.sin_addr.s_addr;
snp->smk_mask.s_addr = mask.s_addr;
snp->smk_label = skp;
smk_netlbladdr_insert(snp);
}
} else {
/* we delete the unlabeled entry, only if the previous label
* wasn't the special CIPSO option */
if (skp->smk_label != smack_cipso_option)
if (snp->smk_label != &smack_cipso_option)
rc = netlbl_cfg_unlbl_static_del(&init_net, NULL,
&skp->smk_host.sin_addr, &skp->smk_mask,
&snp->smk_host.sin_addr, &snp->smk_mask,
PF_INET, &audit_info);
else
rc = 0;
skp->smk_label = sp;
snp->smk_label = skp;
}
/*
@ -1281,10 +1292,10 @@ static ssize_t smk_write_netlbladdr(struct file *file, const char __user *buf,
* this host so that incoming packets get labeled.
* but only if we didn't get the special CIPSO option
*/
if (rc == 0 && sp != smack_cipso_option)
if (rc == 0 && skp != &smack_cipso_option)
rc = netlbl_cfg_unlbl_static_add(&init_net, NULL,
&skp->smk_host.sin_addr, &skp->smk_mask, PF_INET,
smack_to_secid(skp->smk_label), &audit_info);
&snp->smk_host.sin_addr, &snp->smk_mask, PF_INET,
snp->smk_label->smk_secid, &audit_info);
if (rc == 0)
rc = count;
@ -1677,7 +1688,7 @@ static ssize_t smk_write_onlycap(struct file *file, const char __user *buf,
if (smack_onlycap != NULL && smack_onlycap != skp)
return -EPERM;
data = kzalloc(count, GFP_KERNEL);
data = kzalloc(count + 1, GFP_KERNEL);
if (data == NULL)
return -ENOMEM;
@ -1880,7 +1891,10 @@ static ssize_t smk_user_access(struct file *file, const char __user *buf,
else if (res != -ENOENT)
return -EINVAL;
data[0] = res == 0 ? '1' : '0';
/*
* smk_access() can return a value > 0 in the "bringup" case.
*/
data[0] = res >= 0 ? '1' : '0';
data[1] = '\0';
simple_transaction_set(file, 2);
@ -2228,7 +2242,7 @@ static ssize_t smk_write_syslog(struct file *file, const char __user *buf,
if (!smack_privileged(CAP_MAC_ADMIN))
return -EPERM;
data = kzalloc(count, GFP_KERNEL);
data = kzalloc(count + 1, GFP_KERNEL);
if (data == NULL)
return -ENOMEM;