| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Fri, 24 Jul 2015 12:04:41 +0200
From: Lukasz Pawelczyk <l.pawelczyk@...sung.com>
To: "Eric W. Biederman" <ebiederm@...ssion.com>,
"Serge E. Hallyn" <serge@...lyn.com>,
Al Viro <viro@...iv.linux.org.uk>,
Alexey Dobriyan <adobriyan@...il.com>,
Andrew Morton <akpm@...ux-foundation.org>,
Andy Lutomirski <luto@...capital.net>,
Arnd Bergmann <arnd@...db.de>,
Casey Schaufler <casey@...aufler-ca.com>,
David Howells <dhowells@...hat.com>,
Eric Dumazet <edumazet@...gle.com>,
Eric Paris <eparis@...isplace.org>,
Fabian Frederick <fabf@...net.be>,
Greg KH <gregkh@...uxfoundation.org>,
James Morris <james.l.morris@...cle.com>,
Jiri Slaby <jslaby@...e.com>, Joe Perches <joe@...ches.com>,
John Johansen <john.johansen@...onical.com>,
Jonathan Corbet <corbet@....net>,
Kees Cook <keescook@...omium.org>,
Lukasz Pawelczyk <l.pawelczyk@...sung.com>,
Mauro Carvalho Chehab <mchehab@....samsung.com>,
NeilBrown <neilb@...e.de>, Oleg Nesterov <oleg@...hat.com>,
Paul Moore <paul@...l-moore.com>,
Stephen Smalley <sds@...ho.nsa.gov>,
Tetsuo Handa <penguin-kernel@...ove.SAKURA.ne.jp>,
Zefan Li <lizefan@...wei.com>, linux-doc@...r.kernel.org,
linux-fsdevel@...r.kernel.org, linux-kernel@...r.kernel.org,
linux-security-module@...r.kernel.org, selinux@...ho.nsa.gov
Cc: havner@...il.com
Subject: [PATCH v3 07/11] smack: abstraction layer for 2 common Smack operations
This patch adds two new functions that provide an abstraction layer for
two common internal Smack operations:
smk_find_label_name() - returns a label name (char*) from a struct
smack_known pointer
smk_get_label() - either finds or imports a label from a raw label
name (char*) and returns struct smack_known
pointer
This patch also simplifies some pieces of code due to addition of those
2 functions (e.g. smack_inode_post_setxattr, smk_fill_rule,
smk_write_revoke_subj).
It is meant as a preparation for namespaces patches. Those 2 functions
will serve as entry points for namespace operations.
This patch should not change the Smack behaviour in any way.
Signed-off-by: Lukasz Pawelczyk <l.pawelczyk@...sung.com>
Reviewed-by: Casey Schaufler <casey@...aufler-ca.com>
---
security/smack/smack.h | 2 +
security/smack/smack_access.c | 41 +++++++++++++
security/smack/smack_lsm.c | 76 ++++++++++++------------
security/smack/smackfs.c | 131 +++++++++++++++++++++++-------------------
4 files changed, 154 insertions(+), 96 deletions(-)
diff --git a/security/smack/smack.h b/security/smack/smack.h
index e11cc13..1e225b0 100644
--- a/security/smack/smack.h
+++ b/security/smack/smack.h
@@ -278,6 +278,8 @@ int smack_has_ns_privilege(struct task_struct *task,
int smack_has_privilege(struct task_struct *task, int cap);
int smack_ns_privileged(struct user_namespace *user_ns, int cap);
int smack_privileged(int cap);
+char *smk_find_label_name(struct smack_known *skp);
+struct smack_known *smk_get_label(const char *string, int len, bool import);
/*
* Shared data.
diff --git a/security/smack/smack_access.c b/security/smack/smack_access.c
index 188b354..eb7c1cc 100644
--- a/security/smack/smack_access.c
+++ b/security/smack/smack_access.c
@@ -710,3 +710,44 @@ int smack_privileged(int cap)
{
return smack_ns_privileged(&init_user_ns, cap);
}
+
+/**
+ * smk_find_label_name - A helper to get a string value of a label
+ * @skp: a label we want a string value from
+ *
+ * Returns a pointer to a label name or NULL if label name not found.
+ */
+char *smk_find_label_name(struct smack_known *skp)
+{
+ return skp->smk_known;
+}
+
+/**
+ * smk_get_label - A helper to get the smack_known value from a string using
+ * either import or find functions if it already exists
+ * @string: a name of a label we look for or want to import
+ * @len: the string size, or zero if it is NULL terminated
+ * @import: whether we should import the label if not found
+ *
+ * Returns a smack_known label that is either imported or found.
+ * NULL if label not found (only when import == false).
+ * Error code otherwise.
+ */
+struct smack_known *smk_get_label(const char *string, int len, bool import)
+{
+ struct smack_known *skp;
+ char *cp;
+
+ if (import) {
+ skp = smk_import_entry(string, len);
+ } else {
+ cp = smk_parse_smack(string, len);
+ if (IS_ERR(cp))
+ return ERR_CAST(cp);
+
+ skp = smk_find_entry(cp);
+ kfree(cp);
+ }
+
+ return skp;
+}
diff --git a/security/smack/smack_lsm.c b/security/smack/smack_lsm.c
index 6098518..8fe6ccc 100644
--- a/security/smack/smack_lsm.c
+++ b/security/smack/smack_lsm.c
@@ -742,31 +742,31 @@ static int smack_set_mnt_opts(struct super_block *sb,
for (i = 0; i < num_opts; i++) {
switch (opts->mnt_opts_flags[i]) {
case FSDEFAULT_MNT:
- skp = smk_import_entry(opts->mnt_opts[i], 0);
+ skp = smk_get_label(opts->mnt_opts[i], 0, true);
if (IS_ERR(skp))
return PTR_ERR(skp);
sp->smk_default = skp;
break;
case FSFLOOR_MNT:
- skp = smk_import_entry(opts->mnt_opts[i], 0);
+ skp = smk_get_label(opts->mnt_opts[i], 0, true);
if (IS_ERR(skp))
return PTR_ERR(skp);
sp->smk_floor = skp;
break;
case FSHAT_MNT:
- skp = smk_import_entry(opts->mnt_opts[i], 0);
+ skp = smk_get_label(opts->mnt_opts[i], 0, true);
if (IS_ERR(skp))
return PTR_ERR(skp);
sp->smk_hat = skp;
break;
case FSROOT_MNT:
- skp = smk_import_entry(opts->mnt_opts[i], 0);
+ skp = smk_get_label(opts->mnt_opts[i], 0, true);
if (IS_ERR(skp))
return PTR_ERR(skp);
sp->smk_root = skp;
break;
case FSTRANS_MNT:
- skp = smk_import_entry(opts->mnt_opts[i], 0);
+ skp = smk_get_label(opts->mnt_opts[i], 0, true);
if (IS_ERR(skp))
return PTR_ERR(skp);
sp->smk_root = skp;
@@ -1284,7 +1284,7 @@ static int smack_inode_setxattr(struct dentry *dentry, const char *name,
rc = -EPERM;
if (rc == 0 && check_import) {
- skp = size ? smk_import_entry(value, size) : NULL;
+ skp = size ? smk_get_label(value, size, true) : NULL;
if (IS_ERR(skp))
rc = PTR_ERR(skp);
else if (skp == NULL || (check_star &&
@@ -1318,6 +1318,7 @@ static void smack_inode_post_setxattr(struct dentry *dentry, const char *name,
const void *value, size_t size, int flags)
{
struct smack_known *skp;
+ struct smack_known **skpp = NULL;
struct inode_smack *isp = d_backing_inode(dentry)->i_security;
if (strcmp(name, XATTR_NAME_SMACKTRANSMUTE) == 0) {
@@ -1325,27 +1326,21 @@ static void smack_inode_post_setxattr(struct dentry *dentry, const char *name,
return;
}
- if (strcmp(name, XATTR_NAME_SMACK) == 0) {
- skp = smk_import_entry(value, size);
- if (!IS_ERR(skp))
- isp->smk_inode = skp;
- else
- isp->smk_inode = &smack_known_invalid;
- } else if (strcmp(name, XATTR_NAME_SMACKEXEC) == 0) {
- skp = smk_import_entry(value, size);
- if (!IS_ERR(skp))
- isp->smk_task = skp;
- else
- isp->smk_task = &smack_known_invalid;
- } else if (strcmp(name, XATTR_NAME_SMACKMMAP) == 0) {
- skp = smk_import_entry(value, size);
+ if (strcmp(name, XATTR_NAME_SMACK) == 0)
+ skpp = &isp->smk_inode;
+ else if (strcmp(name, XATTR_NAME_SMACKEXEC) == 0)
+ skpp = &isp->smk_task;
+ else if (strcmp(name, XATTR_NAME_SMACKMMAP) == 0)
+ skpp = &isp->smk_mmap;
+
+ if (skpp) {
+ skp = smk_get_label(value, size, true);
+
if (!IS_ERR(skp))
- isp->smk_mmap = skp;
+ *skpp = skp;
else
- isp->smk_mmap = &smack_known_invalid;
+ *skpp = &smack_known_invalid;
}
-
- return;
}
/**
@@ -1439,15 +1434,17 @@ static int smack_inode_getsecurity(const struct inode *inode,
struct socket *sock;
struct super_block *sbp;
struct inode *ip = (struct inode *)inode;
- struct smack_known *isp;
- int ilen;
+ struct smack_known *isp = NULL;
int rc = 0;
- if (strcmp(name, XATTR_SMACK_SUFFIX) == 0) {
+ if (strcmp(name, XATTR_SMACK_SUFFIX) == 0)
isp = smk_of_inode(inode);
- ilen = strlen(isp->smk_known);
- *buffer = isp->smk_known;
- return ilen;
+
+ if (isp) {
+ *buffer = smk_find_label_name(isp);
+ if (*buffer == NULL)
+ *buffer = smack_known_huh.smk_known;
+ return strlen(*buffer);
}
/*
@@ -1470,10 +1467,11 @@ static int smack_inode_getsecurity(const struct inode *inode,
else
return -EOPNOTSUPP;
- ilen = strlen(isp->smk_known);
if (rc == 0) {
- *buffer = isp->smk_known;
- rc = ilen;
+ *buffer = smk_find_label_name(isp);
+ if (*buffer == NULL)
+ *buffer = smack_known_huh.smk_known;
+ rc = strlen(*buffer);
}
return rc;
@@ -3429,7 +3427,10 @@ static int smack_getprocattr(struct task_struct *p, char *name, char **value)
if (strcmp(name, "current") != 0)
return -EINVAL;
- cp = kstrdup(skp->smk_known, GFP_KERNEL);
+ cp = smk_find_label_name(skp);
+ if (cp == NULL)
+ cp = smack_known_huh.smk_known;
+ cp = kstrdup(cp, GFP_KERNEL);
if (cp == NULL)
return -ENOMEM;
@@ -3473,7 +3474,7 @@ static int smack_setprocattr(struct task_struct *p, const struct cred *f_cred,
if (strcmp(name, "current") != 0)
return -EINVAL;
- skp = smk_import_entry(value, size);
+ skp = smk_get_label(value, size, true);
if (IS_ERR(skp))
return PTR_ERR(skp);
@@ -4201,7 +4202,10 @@ static int smack_key_getsecurity(struct key *key, char **_buffer)
return 0;
}
- copy = kstrdup(skp->smk_known, GFP_KERNEL);
+ copy = smk_find_label_name(skp);
+ if (copy == NULL)
+ copy = smack_known_huh.smk_known;
+ copy = kstrdup(copy, GFP_KERNEL);
if (copy == NULL)
return -ENOMEM;
length = strlen(copy) + 1;
diff --git a/security/smack/smackfs.c b/security/smack/smackfs.c
index 89f847bba..6a0a1ec 100644
--- a/security/smack/smackfs.c
+++ b/security/smack/smackfs.c
@@ -335,36 +335,17 @@ static int smk_fill_rule(const char *subject, const char *object,
struct smack_parsed_rule *rule, int import,
int len)
{
- const char *cp;
- struct smack_known *skp;
-
- if (import) {
- rule->smk_subject = smk_import_entry(subject, len);
- if (IS_ERR(rule->smk_subject))
- return PTR_ERR(rule->smk_subject);
-
- rule->smk_object = smk_import_entry(object, len);
- if (IS_ERR(rule->smk_object))
- return PTR_ERR(rule->smk_object);
- } else {
- cp = smk_parse_smack(subject, len);
- if (IS_ERR(cp))
- return PTR_ERR(cp);
- skp = smk_find_entry(cp);
- kfree(cp);
- if (skp == NULL)
- return -ENOENT;
- rule->smk_subject = skp;
-
- cp = smk_parse_smack(object, len);
- if (IS_ERR(cp))
- return PTR_ERR(cp);
- skp = smk_find_entry(cp);
- kfree(cp);
- if (skp == NULL)
- return -ENOENT;
- rule->smk_object = skp;
- }
+ rule->smk_subject = smk_get_label(subject, len, import);
+ if (IS_ERR(rule->smk_subject))
+ return PTR_ERR(rule->smk_subject);
+ if (rule->smk_subject == NULL)
+ return -ENOENT;
+
+ rule->smk_object = smk_get_label(object, len, import);
+ if (IS_ERR(rule->smk_object))
+ return PTR_ERR(rule->smk_object);
+ if (rule->smk_object == NULL)
+ return -ENOENT;
rule->smk_access1 = smk_perm_from_str(access1);
if (access2)
@@ -587,6 +568,9 @@ static void smk_seq_stop(struct seq_file *s, void *v)
static void smk_rule_show(struct seq_file *s, struct smack_rule *srp, int max)
{
+ char *sbj;
+ char *obj;
+
/*
* Don't show any rules with label names too long for
* interface file (/smack/load or /smack/load2)
@@ -600,9 +584,13 @@ static void smk_rule_show(struct seq_file *s, struct smack_rule *srp, int max)
if (srp->smk_access == 0)
return;
- seq_printf(s, "%s %s",
- srp->smk_subject->smk_known,
- srp->smk_object->smk_known);
+ sbj = smk_find_label_name(srp->smk_subject);
+ obj = smk_find_label_name(srp->smk_object);
+
+ if (sbj == NULL || obj == NULL)
+ return;
+
+ seq_printf(s, "%s %s", sbj, obj);
seq_putc(s, ' ');
@@ -793,6 +781,7 @@ static int cipso_seq_show(struct seq_file *s, void *v)
list_entry_rcu(list, struct smack_known, list);
struct netlbl_lsm_catmap *cmp = skp->smk_netlabel.attr.mls.cat;
char sep = '/';
+ char *cp;
int i;
/*
@@ -806,7 +795,11 @@ static int cipso_seq_show(struct seq_file *s, void *v)
if (strlen(skp->smk_known) >= SMK_LABELLEN)
return 0;
- seq_printf(s, "%s %3d", skp->smk_known, skp->smk_netlabel.attr.mls.lvl);
+ cp = smk_find_label_name(skp);
+ if (cp == NULL)
+ return 0;
+
+ seq_printf(s, "%s %3d", cp, skp->smk_netlabel.attr.mls.lvl);
for (i = netlbl_catmap_walk(cmp, 0); i >= 0;
i = netlbl_catmap_walk(cmp, i + 1)) {
@@ -895,7 +888,7 @@ static ssize_t smk_set_cipso(struct file *file, const char __user *buf,
*/
mutex_lock(&smack_cipso_lock);
- skp = smk_import_entry(rule, 0);
+ skp = smk_get_label(rule, 0, true);
if (IS_ERR(skp)) {
rc = PTR_ERR(skp);
goto out;
@@ -984,9 +977,14 @@ static int cipso2_seq_show(struct seq_file *s, void *v)
list_entry_rcu(list, struct smack_known, list);
struct netlbl_lsm_catmap *cmp = skp->smk_netlabel.attr.mls.cat;
char sep = '/';
+ char *cp;
int i;
- seq_printf(s, "%s %3d", skp->smk_known, skp->smk_netlabel.attr.mls.lvl);
+ cp = smk_find_label_name(skp);
+ if (cp == NULL)
+ return 0;
+
+ seq_printf(s, "%s %3d", cp, skp->smk_netlabel.attr.mls.lvl);
for (i = netlbl_catmap_walk(cmp, 0); i >= 0;
i = netlbl_catmap_walk(cmp, i + 1)) {
@@ -1069,11 +1067,15 @@ static int netlbladdr_seq_show(struct seq_file *s, void *v)
unsigned char *hp = (char *) &skp->smk_host.sin_addr.s_addr;
int maskn;
u32 temp_mask = be32_to_cpu(skp->smk_mask.s_addr);
+ char *label = smk_find_label_name(skp->smk_label);
+
+ if (label == NULL)
+ return 0;
for (maskn = 0; temp_mask; temp_mask <<= 1, maskn++);
seq_printf(s, "%u.%u.%u.%u/%d %s\n",
- hp[0], hp[1], hp[2], hp[3], maskn, skp->smk_label->smk_known);
+ hp[0], hp[1], hp[2], hp[3], maskn, label);
return 0;
}
@@ -1219,7 +1221,7 @@ static ssize_t smk_write_netlbladdr(struct file *file, const char __user *buf,
* If smack begins with '-', it is an option, don't import it
*/
if (smack[0] != '-') {
- skp = smk_import_entry(smack, 0);
+ skp = smk_get_label(smack, 0, true);
if (IS_ERR(skp)) {
rc = PTR_ERR(skp);
goto free_out;
@@ -1548,6 +1550,7 @@ static ssize_t smk_read_ambient(struct file *filp, char __user *buf,
size_t cn, loff_t *ppos)
{
ssize_t rc;
+ char *cp;
int asize;
if (*ppos != 0)
@@ -1558,12 +1561,14 @@ static ssize_t smk_read_ambient(struct file *filp, char __user *buf,
*/
mutex_lock(&smack_ambient_lock);
- asize = strlen(smack_net_ambient->smk_known) + 1;
+ cp = smk_find_label_name(smack_net_ambient);
+ if (cp == NULL)
+ cp = smack_known_huh.smk_known;
+
+ asize = strlen(cp) + 1;
if (cn >= asize)
- rc = simple_read_from_buffer(buf, cn, ppos,
- smack_net_ambient->smk_known,
- asize);
+ rc = simple_read_from_buffer(buf, cn, ppos, cp, asize);
else
rc = -EINVAL;
@@ -1601,7 +1606,7 @@ static ssize_t smk_write_ambient(struct file *file, const char __user *buf,
goto out;
}
- skp = smk_import_entry(data, count);
+ skp = smk_get_label(data, count, true);
if (IS_ERR(skp)) {
rc = PTR_ERR(skp);
goto out;
@@ -1641,11 +1646,16 @@ static void *onlycap_seq_next(struct seq_file *s, void *v, loff_t *pos)
static int onlycap_seq_show(struct seq_file *s, void *v)
{
+ char *smack;
struct list_head *list = v;
struct smack_onlycap *sop =
list_entry_rcu(list, struct smack_onlycap, list);
- seq_puts(s, sop->smk_label->smk_known);
+ smack = smk_find_label_name(sop->smk_label);
+ if (smack == NULL)
+ smack = smack_known_huh.smk_known;
+
+ seq_puts(s, smack);
seq_putc(s, ' ');
return 0;
@@ -1739,7 +1749,7 @@ static ssize_t smk_write_onlycap(struct file *file, const char __user *buf,
if (!*tok)
continue;
- skp = smk_import_entry(tok, 0);
+ skp = smk_get_label(tok, 0, true);
if (IS_ERR(skp)) {
rc = PTR_ERR(skp);
break;
@@ -1809,8 +1819,11 @@ static ssize_t smk_read_unconfined(struct file *filp, char __user *buf,
if (*ppos != 0)
return 0;
- if (smack_unconfined != NULL)
- smack = smack_unconfined->smk_known;
+ if (smack_unconfined != NULL) {
+ smack = smk_find_label_name(smack_unconfined);
+ if (smack == NULL)
+ smack = smack_known_huh.smk_known;
+ }
asize = strlen(smack) + 1;
@@ -1857,7 +1870,7 @@ static ssize_t smk_write_unconfined(struct file *file, const char __user *buf,
*
* But do so only on invalid label, not on system errors.
*/
- skp = smk_import_entry(data, count);
+ skp = smk_get_label(data, count, true);
if (PTR_ERR(skp) == -EINVAL)
skp = NULL;
else if (IS_ERR(skp)) {
@@ -2254,7 +2267,6 @@ static ssize_t smk_write_revoke_subj(struct file *file, const char __user *buf,
size_t count, loff_t *ppos)
{
char *data;
- const char *cp;
struct smack_known *skp;
struct smack_rule *sp;
struct list_head *rule_list;
@@ -2279,15 +2291,13 @@ static ssize_t smk_write_revoke_subj(struct file *file, const char __user *buf,
goto out_data;
}
- cp = smk_parse_smack(data, count);
- if (IS_ERR(cp)) {
- rc = PTR_ERR(cp);
+ skp = smk_get_label(data, count, false);
+ if (IS_ERR(skp)) {
+ rc = PTR_ERR(skp);
goto out_data;
}
-
- skp = smk_find_entry(cp);
if (skp == NULL)
- goto out_cp;
+ goto out_data;
rule_list = &skp->smk_rules;
rule_lock = &skp->smk_rules_lock;
@@ -2299,8 +2309,6 @@ static ssize_t smk_write_revoke_subj(struct file *file, const char __user *buf,
mutex_unlock(rule_lock);
-out_cp:
- kfree(cp);
out_data:
kfree(data);
@@ -2369,8 +2377,11 @@ static ssize_t smk_read_syslog(struct file *filp, char __user *buf,
if (*ppos != 0)
return 0;
- if (smack_syslog_label != NULL)
- smack = smack_syslog_label->smk_known;
+ if (smack_syslog_label != NULL) {
+ smack = smk_find_label_name(smack_syslog_label);
+ if (smack == NULL)
+ smack = smack_known_huh.smk_known;
+ }
asize = strlen(smack) + 1;
@@ -2417,7 +2428,7 @@ static ssize_t smk_write_syslog(struct file *file, const char __user *buf,
*
* But do so only on invalid label, not on system errors.
*/
- skp = smk_import_entry(data, count);
+ skp = smk_get_label(data, count, true);
if (PTR_ERR(skp) == -EINVAL)
skp = NULL;
else if (IS_ERR(skp)) {
--
2.4.3
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/
Powered by blists - more mailing lists