tjh.dev / kernel
Linux kernel mirror (for testing) git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git
kernel os linux
fork atom

Merge tag 'Smack-for-5.16' of https://github.com/cschaufler/smack-next

Pull smack updates from Casey Schaufler:
"Multiple corrections to smackfs:

- a change for overlayfs support that corrects the initial attributes
on created files

- code clean-up for netlabel processing

- several fixes in smackfs for a variety of reasons

- Errors reported by W=1 have been addressed

All told, nothing challenging"

* tag 'Smack-for-5.16' of https://github.com/cschaufler/smack-next:
smackfs: use netlbl_cfg_cipsov4_del() for deleting cipso_v4_doi
smackfs: use __GFP_NOFAIL for smk_cipso_doi()
Smack: fix W=1 build warnings
smack: remove duplicated hook function
Smack:- Use overlay inode label in smack_inode_copy_up()
smack: Guard smack_ipv6_lock definition within a SMACK_IPV6_PORT_LABELING block
smackfs: Fix use-after-free in netlbl_catmap_walk()

Linus Torvalds 6f2b76a4 f2786f43

+34 -44
+25 -16
security/smack/smack_lsm.c
··· 51 51 #define SMK_RECEIVING 1 52 52 #define SMK_SENDING 2 53 53 54 + #ifdef SMACK_IPV6_PORT_LABELING 54 55 static DEFINE_MUTEX(smack_ipv6_lock); 55 56 static LIST_HEAD(smk_ipv6_port_list); 57 + #endif 56 58 struct kmem_cache *smack_rule_cache; 57 59 int smack_enabled __initdata; 58 60 ··· 391 389 392 390 /** 393 391 * smk_ptrace_mode - helper function for converting PTRACE_MODE_* into MAY_* 394 - * @mode - input mode in form of PTRACE_MODE_* 392 + * @mode: input mode in form of PTRACE_MODE_* 395 393 * 396 394 * Returns a converted MAY_* mode usable by smack rules 397 395 */ ··· 1215 1213 1216 1214 /** 1217 1215 * smack_inode_setxattr - Smack check for setting xattrs 1216 + * @mnt_userns: active user namespace 1218 1217 * @dentry: the object 1219 1218 * @name: name of the attribute 1220 1219 * @value: value of the attribute ··· 1342 1339 1343 1340 /** 1344 1341 * smack_inode_removexattr - Smack check on removexattr 1342 + * @mnt_userns: active user namespace 1345 1343 * @dentry: the object 1346 1344 * @name: name of the attribute 1347 1345 * ··· 1402 1398 1403 1399 /** 1404 1400 * smack_inode_getsecurity - get smack xattrs 1401 + * @mnt_userns: active user namespace 1405 1402 * @inode: the object 1406 1403 * @name: attribute name 1407 1404 * @buffer: where to put the result ··· 1624 1619 } 1625 1620 1626 1621 /** 1627 - * smack_mmap_file : 1628 - * Check permissions for a mmap operation. The @file may be NULL, e.g. 1629 - * if mapping anonymous memory. 1630 - * @file contains the file structure for file to map (may be NULL). 1631 - * @reqprot contains the protection requested by the application. 1632 - * @prot contains the protection that will be applied by the kernel. 1633 - * @flags contains the operational flags. 1622 + * smack_mmap_file - Check permissions for a mmap operation. 1623 + * @file: contains the file structure for file to map (may be NULL). 1624 + * @reqprot: contains the protection requested by the application. 1625 + * @prot: contains the protection that will be applied by the kernel. 1626 + * @flags: contains the operational flags. 1627 + * 1628 + * The @file may be NULL, e.g. if mapping anonymous memory. 1629 + * 1634 1630 * Return 0 if permission is granted. 1635 1631 */ 1636 1632 static int smack_mmap_file(struct file *file, ··· 2609 2603 mutex_unlock(&smack_ipv6_lock); 2610 2604 return; 2611 2605 } 2612 - #endif 2613 2606 2614 2607 /** 2615 2608 * smk_ipv6_port_check - check Smack port access ··· 2671 2666 2672 2667 return smk_ipv6_check(skp, object, address, act); 2673 2668 } 2669 + #endif 2674 2670 2675 2671 /** 2676 2672 * smack_inode_setsecurity - set smack xattrs ··· 2858 2852 rc = smk_ipv6_check(ssp->smk_out, rsp, sip, 2859 2853 SMK_CONNECTING); 2860 2854 } 2861 - if (__is_defined(SMACK_IPV6_PORT_LABELING)) 2862 - rc = smk_ipv6_port_check(sock->sk, sip, SMK_CONNECTING); 2855 + #ifdef SMACK_IPV6_PORT_LABELING 2856 + rc = smk_ipv6_port_check(sock->sk, sip, SMK_CONNECTING); 2857 + #endif 2863 2858 2864 2859 return rc; 2865 2860 } ··· 3058 3051 } 3059 3052 3060 3053 /** 3061 - * smack_sem_shmctl - Smack access check for sem 3054 + * smack_sem_semctl - Smack access check for sem 3062 3055 * @isp: the object 3063 3056 * @cmd: what it wants to do 3064 3057 * ··· 3204 3197 } 3205 3198 3206 3199 /** 3207 - * smack_msg_queue_msgsnd - Smack access check for msg_queue 3200 + * smack_msg_queue_msgrcv - Smack access check for msg_queue 3208 3201 * @isp: the object 3209 3202 * @msg: unused 3210 3203 * @target: unused ··· 3213 3206 * 3214 3207 * Returns 0 if current has read and write access, error code otherwise 3215 3208 */ 3216 - static int smack_msg_queue_msgrcv(struct kern_ipc_perm *isp, struct msg_msg *msg, 3217 - struct task_struct *target, long type, int mode) 3209 + static int smack_msg_queue_msgrcv(struct kern_ipc_perm *isp, 3210 + struct msg_msg *msg, 3211 + struct task_struct *target, long type, 3212 + int mode) 3218 3213 { 3219 3214 return smk_curacc_msq(isp, MAY_READWRITE); 3220 3215 } ··· 4643 4634 /* 4644 4635 * Get label from overlay inode and set it in create_sid 4645 4636 */ 4646 - isp = smack_inode(d_inode(dentry->d_parent)); 4637 + isp = smack_inode(d_inode(dentry)); 4647 4638 skp = isp->smk_inode; 4648 4639 tsp->smk_task = skp; 4649 4640 *new = new_creds;
+3 -23
security/smack/smack_netfilter.c
··· 18 18 #include <net/net_namespace.h> 19 19 #include "smack.h" 20 20 21 - #if IS_ENABLED(CONFIG_IPV6) 22 - 23 - static unsigned int smack_ipv6_output(void *priv, 24 - struct sk_buff *skb, 25 - const struct nf_hook_state *state) 26 - { 27 - struct sock *sk = skb_to_full_sk(skb); 28 - struct socket_smack *ssp; 29 - struct smack_known *skp; 30 - 31 - if (sk && sk->sk_security) { 32 - ssp = sk->sk_security; 33 - skp = ssp->smk_out; 34 - skb->secmark = skp->smk_secid; 35 - } 36 - 37 - return NF_ACCEPT; 38 - } 39 - #endif /* IPV6 */ 40 - 41 - static unsigned int smack_ipv4_output(void *priv, 21 + static unsigned int smack_ip_output(void *priv, 42 22 struct sk_buff *skb, 43 23 const struct nf_hook_state *state) 44 24 { ··· 37 57 38 58 static const struct nf_hook_ops smack_nf_ops[] = { 39 59 { 40 - .hook = smack_ipv4_output, 60 + .hook = smack_ip_output, 41 61 .pf = NFPROTO_IPV4, 42 62 .hooknum = NF_INET_LOCAL_OUT, 43 63 .priority = NF_IP_PRI_SELINUX_FIRST, 44 64 }, 45 65 #if IS_ENABLED(CONFIG_IPV6) 46 66 { 47 - .hook = smack_ipv6_output, 67 + .hook = smack_ip_output, 48 68 .pf = NFPROTO_IPV6, 49 69 .hooknum = NF_INET_LOCAL_OUT, 50 70 .priority = NF_IP6_PRI_SELINUX_FIRST,
+6 -5
security/smack/smackfs.c
··· 693 693 printk(KERN_WARNING "%s:%d remove rc = %d\n", 694 694 __func__, __LINE__, rc); 695 695 696 - doip = kmalloc(sizeof(struct cipso_v4_doi), GFP_KERNEL); 697 - if (doip == NULL) 698 - panic("smack: Failed to initialize cipso DOI.\n"); 696 + doip = kmalloc(sizeof(struct cipso_v4_doi), GFP_KERNEL | __GFP_NOFAIL); 699 697 doip->map.std = NULL; 700 698 doip->doi = smk_cipso_doi_value; 701 699 doip->type = CIPSO_V4_MAP_PASS; ··· 712 714 if (rc != 0) { 713 715 printk(KERN_WARNING "%s:%d map add rc = %d\n", 714 716 __func__, __LINE__, rc); 715 - kfree(doip); 717 + netlbl_cfg_cipsov4_del(doip->doi, &nai); 716 718 return; 717 719 } 718 720 } ··· 829 831 static ssize_t smk_set_cipso(struct file *file, const char __user *buf, 830 832 size_t count, loff_t *ppos, int format) 831 833 { 834 + struct netlbl_lsm_catmap *old_cat; 832 835 struct smack_known *skp; 833 836 struct netlbl_lsm_secattr ncats; 834 837 char mapcatset[SMK_CIPSOLEN]; ··· 919 920 920 921 rc = smk_netlbl_mls(maplevel, mapcatset, &ncats, SMK_CIPSOLEN); 921 922 if (rc >= 0) { 922 - netlbl_catmap_free(skp->smk_netlabel.attr.mls.cat); 923 + old_cat = skp->smk_netlabel.attr.mls.cat; 923 924 skp->smk_netlabel.attr.mls.cat = ncats.attr.mls.cat; 924 925 skp->smk_netlabel.attr.mls.lvl = ncats.attr.mls.lvl; 926 + synchronize_rcu(); 927 + netlbl_catmap_free(old_cat); 925 928 rc = count; 926 929 /* 927 930 * This mapping may have been cached, so clear the cache.