tjh.dev
Linux kernel mirror (for testing)
git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git
kernel
os
linux
Merge branch 'serge-next-1' of git://git.kernel.org/pub/scm/linux/kernel/git/sergeh/linux-security
Pull security layer updates from Serge Hallyn:
"This is a merge of James Morris' security-next tree from 3.14 to
yesterday's master, plus four patches from Paul Moore which are in
linux-next, plus one patch from Mimi"
* 'serge-next-1' of git://git.kernel.org/pub/scm/linux/kernel/git/sergeh/linux-security:
ima: audit log files opened with O_DIRECT flag
selinux: conditionally reschedule in hashtab_insert while loading selinux policy
selinux: conditionally reschedule in mls_convert_context while loading selinux policy
selinux: reject setexeccon() on MNT_NOSUID applications with -EACCES
selinux: Report permissive mode in avc: denied messages.
Warning in scanf string typing
Smack: Label cgroup files for systemd
Smack: Verify read access on file open - v3
security: Convert use of typedef ctl_table to struct ctl_table
Smack: bidirectional UDS connect check
Smack: Correctly remove SMACK64TRANSMUTE attribute
SMACK: Fix handling value==NULL in post setxattr
bugfix patch for SMACK
Smack: adds smackfs/ptrace interface
Smack: unify all ptrace accesses in the smack
Smack: fix the subject/object order in smack_ptrace_traceme()
Minor improvement of 'smack_sb_kern_mount'
smack: fix key permission verification
KEYS: Move the flags representing required permission to linux/key.h
+407
-137
+1
-1
Documentation/ABI/testing/ima_policy
+1
-1
Documentation/ABI/testing/ima_policy
···
23
23
[fowner]]
24
24
lsm: [[subj_user=] [subj_role=] [subj_type=]
25
25
[obj_user=] [obj_role=] [obj_type=]]
26
-
option: [[appraise_type=]]
26
+
option: [[appraise_type=]] [permit_directio]
27
27
28
28
base: func:= [BPRM_CHECK][MMAP_CHECK][FILE_CHECK][MODULE_CHECK]
29
29
mask:= [MAY_READ] [MAY_WRITE] [MAY_APPEND] [MAY_EXEC]
+10
Documentation/security/Smack.txt
+10
Documentation/security/Smack.txt
···
204
204
these capabilities are effective at for processes with any
205
205
label. The value is set by writing the desired label to the
206
206
file or cleared by writing "-" to the file.
207
+
ptrace
208
+
This is used to define the current ptrace policy
209
+
0 - default: this is the policy that relies on smack access rules.
210
+
For the PTRACE_READ a subject needs to have a read access on
211
+
object. For the PTRACE_ATTACH a read-write access is required.
212
+
1 - exact: this is the policy that limits PTRACE_ATTACH. Attach is
213
+
only allowed when subject's and object's labels are equal.
214
+
PTRACE_READ is not affected. Can be overriden with CAP_SYS_PTRACE.
215
+
2 - draconian: this policy behaves like the 'exact' above with an
216
+
exception that it can't be overriden with CAP_SYS_PTRACE.
207
217
revoke-subject
208
218
Writing a Smack label here sets the access to '-' for all access
209
219
rules with that subject label.
+11
include/linux/key.h
+11
include/linux/key.h
···
309
309
310
310
extern void key_set_timeout(struct key *, unsigned);
311
311
312
+
/*
313
+
* The permissions required on a key that we're looking up.
314
+
*/
315
+
#define KEY_NEED_VIEW 0x01 /* Require permission to view attributes */
316
+
#define KEY_NEED_READ 0x02 /* Require permission to read content */
317
+
#define KEY_NEED_WRITE 0x04 /* Require permission to update / modify */
318
+
#define KEY_NEED_SEARCH 0x08 /* Require permission to search (keyring) or find (key) */
319
+
#define KEY_NEED_LINK 0x10 /* Require permission to link */
320
+
#define KEY_NEED_SETATTR 0x20 /* Require permission to change attributes */
321
+
#define KEY_NEED_ALL 0x3f /* All the above permissions */
322
+
312
323
/**
313
324
* key_is_instantiated - Determine if a key has been positively instantiated
314
325
* @key: The key to check.
+3
-3
include/linux/security.h
+3
-3
include/linux/security.h
···
1708
1708
void (*key_free) (struct key *key);
1709
1709
int (*key_permission) (key_ref_t key_ref,
1710
1710
const struct cred *cred,
1711
-
key_perm_t perm);
1711
+
unsigned perm);
1712
1712
int (*key_getsecurity)(struct key *key, char **_buffer);
1713
1713
#endif /* CONFIG_KEYS */
1714
1714
···
3034
3034
int security_key_alloc(struct key *key, const struct cred *cred, unsigned long flags);
3035
3035
void security_key_free(struct key *key);
3036
3036
int security_key_permission(key_ref_t key_ref,
3037
-
const struct cred *cred, key_perm_t perm);
3037
+
const struct cred *cred, unsigned perm);
3038
3038
int security_key_getsecurity(struct key *key, char **_buffer);
3039
3039
3040
3040
#else
···
3052
3052
3053
3053
static inline int security_key_permission(key_ref_t key_ref,
3054
3054
const struct cred *cred,
3055
-
key_perm_t perm)
3055
+
unsigned perm)
3056
3056
{
3057
3057
return 0;
3058
3058
}
+1
-1
security/capability.c
+1
-1
security/capability.c
+9
-1
security/integrity/ima/ima_api.c
+9
-1
security/integrity/ima/ima_api.c
···
199
199
struct evm_ima_xattr_data **xattr_value,
200
200
int *xattr_len)
201
201
{
202
+
const char *audit_cause = "failed";
202
203
struct inode *inode = file_inode(file);
203
204
const char *filename = file->f_dentry->d_name.name;
204
205
int result = 0;
···
213
212
214
213
if (!(iint->flags & IMA_COLLECTED)) {
215
214
u64 i_version = file_inode(file)->i_version;
215
+
216
+
if (file->f_flags & O_DIRECT) {
217
+
audit_cause = "failed(directio)";
218
+
result = -EACCES;
219
+
goto out;
220
+
}
216
221
217
222
/* use default hash algorithm */
218
223
hash.hdr.algo = ima_hash_algo;
···
240
233
result = -ENOMEM;
241
234
}
242
235
}
236
+
out:
243
237
if (result)
244
238
integrity_audit_msg(AUDIT_INTEGRITY_DATA, inode,
245
-
filename, "collect_data", "failed",
239
+
filename, "collect_data", audit_cause,
246
240
result, 0);
247
241
return result;
248
242
}
+4
-1
security/integrity/ima/ima_main.c
+4
-1
security/integrity/ima/ima_main.c
···
214
214
xattr_ptr = &xattr_value;
215
215
216
216
rc = ima_collect_measurement(iint, file, xattr_ptr, &xattr_len);
217
-
if (rc != 0)
217
+
if (rc != 0) {
218
+
if (file->f_flags & O_DIRECT)
219
+
rc = (iint->flags & IMA_PERMIT_DIRECTIO) ? 0 : -EACCES;
218
220
goto out_digsig;
221
+
}
219
222
220
223
pathname = filename ?: ima_d_path(&file->f_path, &pathbuf);
221
224
+5
-1
security/integrity/ima/ima_policy.c
+5
-1
security/integrity/ima/ima_policy.c
···
353
353
Opt_obj_user, Opt_obj_role, Opt_obj_type,
354
354
Opt_subj_user, Opt_subj_role, Opt_subj_type,
355
355
Opt_func, Opt_mask, Opt_fsmagic, Opt_uid, Opt_fowner,
356
-
Opt_appraise_type, Opt_fsuuid
356
+
Opt_appraise_type, Opt_fsuuid, Opt_permit_directio
357
357
};
358
358
359
359
static match_table_t policy_tokens = {
···
375
375
{Opt_uid, "uid=%s"},
376
376
{Opt_fowner, "fowner=%s"},
377
377
{Opt_appraise_type, "appraise_type=%s"},
378
+
{Opt_permit_directio, "permit_directio"},
378
379
{Opt_err, NULL}
379
380
};
380
381
···
622
621
entry->flags |= IMA_DIGSIG_REQUIRED;
623
622
else
624
623
result = -EINVAL;
624
+
break;
625
+
case Opt_permit_directio:
626
+
entry->flags |= IMA_PERMIT_DIRECTIO;
625
627
break;
626
628
case Opt_err:
627
629
ima_log_string(ab, "UNKNOWN", p);
+1
security/integrity/integrity.h
+1
security/integrity/integrity.h
+1
-10
security/keys/internal.h
+1
-10
security/keys/internal.h
···
176
176
/*
177
177
* Check to see whether permission is granted to use a key in the desired way.
178
178
*/
179
-
static inline int key_permission(const key_ref_t key_ref, key_perm_t perm)
179
+
static inline int key_permission(const key_ref_t key_ref, unsigned perm)
180
180
{
181
181
return key_task_permission(key_ref, current_cred(), perm);
182
182
}
183
-
184
-
/* required permissions */
185
-
#define KEY_VIEW 0x01 /* require permission to view attributes */
186
-
#define KEY_READ 0x02 /* require permission to read content */
187
-
#define KEY_WRITE 0x04 /* require permission to update / modify */
188
-
#define KEY_SEARCH 0x08 /* require permission to search (keyring) or find (key) */
189
-
#define KEY_LINK 0x10 /* require permission to link */
190
-
#define KEY_SETATTR 0x20 /* require permission to change attributes */
191
-
#define KEY_ALL 0x3f /* all the above permissions */
192
183
193
184
/*
194
185
* Authorisation record for request_key().
+3
-3
security/keys/key.c
+3
-3
security/keys/key.c
···
714
714
int ret;
715
715
716
716
/* need write permission on the key to update it */
717
-
ret = key_permission(key_ref, KEY_WRITE);
717
+
ret = key_permission(key_ref, KEY_NEED_WRITE);
718
718
if (ret < 0)
719
719
goto error;
720
720
···
838
838
839
839
/* if we're going to allocate a new key, we're going to have
840
840
* to modify the keyring */
841
-
ret = key_permission(keyring_ref, KEY_WRITE);
841
+
ret = key_permission(keyring_ref, KEY_NEED_WRITE);
842
842
if (ret < 0) {
843
843
key_ref = ERR_PTR(ret);
844
844
goto error_link_end;
···
928
928
key_check(key);
929
929
930
930
/* the key must be writable */
931
-
ret = key_permission(key_ref, KEY_WRITE);
931
+
ret = key_permission(key_ref, KEY_NEED_WRITE);
932
932
if (ret < 0)
933
933
goto error;
934
934
+22
-22
security/keys/keyctl.c
+22
-22
security/keys/keyctl.c
···
111
111
}
112
112
113
113
/* find the target keyring (which must be writable) */
114
-
keyring_ref = lookup_user_key(ringid, KEY_LOOKUP_CREATE, KEY_WRITE);
114
+
keyring_ref = lookup_user_key(ringid, KEY_LOOKUP_CREATE, KEY_NEED_WRITE);
115
115
if (IS_ERR(keyring_ref)) {
116
116
ret = PTR_ERR(keyring_ref);
117
117
goto error3;
···
195
195
dest_ref = NULL;
196
196
if (destringid) {
197
197
dest_ref = lookup_user_key(destringid, KEY_LOOKUP_CREATE,
198
-
KEY_WRITE);
198
+
KEY_NEED_WRITE);
199
199
if (IS_ERR(dest_ref)) {
200
200
ret = PTR_ERR(dest_ref);
201
201
goto error3;
···
253
253
long ret;
254
254
255
255
lflags = create ? KEY_LOOKUP_CREATE : 0;
256
-
key_ref = lookup_user_key(id, lflags, KEY_SEARCH);
256
+
key_ref = lookup_user_key(id, lflags, KEY_NEED_SEARCH);
257
257
if (IS_ERR(key_ref)) {
258
258
ret = PTR_ERR(key_ref);
259
259
goto error;
···
334
334
}
335
335
336
336
/* find the target key (which must be writable) */
337
-
key_ref = lookup_user_key(id, 0, KEY_WRITE);
337
+
key_ref = lookup_user_key(id, 0, KEY_NEED_WRITE);
338
338
if (IS_ERR(key_ref)) {
339
339
ret = PTR_ERR(key_ref);
340
340
goto error2;
···
365
365
key_ref_t key_ref;
366
366
long ret;
367
367
368
-
key_ref = lookup_user_key(id, 0, KEY_WRITE);
368
+
key_ref = lookup_user_key(id, 0, KEY_NEED_WRITE);
369
369
if (IS_ERR(key_ref)) {
370
370
ret = PTR_ERR(key_ref);
371
371
if (ret != -EACCES)
372
372
goto error;
373
-
key_ref = lookup_user_key(id, 0, KEY_SETATTR);
373
+
key_ref = lookup_user_key(id, 0, KEY_NEED_SETATTR);
374
374
if (IS_ERR(key_ref)) {
375
375
ret = PTR_ERR(key_ref);
376
376
goto error;
···
401
401
402
402
kenter("%d", id);
403
403
404
-
key_ref = lookup_user_key(id, 0, KEY_SEARCH);
404
+
key_ref = lookup_user_key(id, 0, KEY_NEED_SEARCH);
405
405
if (IS_ERR(key_ref)) {
406
406
ret = PTR_ERR(key_ref);
407
407
goto error;
···
428
428
key_ref_t keyring_ref;
429
429
long ret;
430
430
431
-
keyring_ref = lookup_user_key(ringid, KEY_LOOKUP_CREATE, KEY_WRITE);
431
+
keyring_ref = lookup_user_key(ringid, KEY_LOOKUP_CREATE, KEY_NEED_WRITE);
432
432
if (IS_ERR(keyring_ref)) {
433
433
ret = PTR_ERR(keyring_ref);
434
434
···
470
470
key_ref_t keyring_ref, key_ref;
471
471
long ret;
472
472
473
-
keyring_ref = lookup_user_key(ringid, KEY_LOOKUP_CREATE, KEY_WRITE);
473
+
keyring_ref = lookup_user_key(ringid, KEY_LOOKUP_CREATE, KEY_NEED_WRITE);
474
474
if (IS_ERR(keyring_ref)) {
475
475
ret = PTR_ERR(keyring_ref);
476
476
goto error;
477
477
}
478
478
479
-
key_ref = lookup_user_key(id, KEY_LOOKUP_CREATE, KEY_LINK);
479
+
key_ref = lookup_user_key(id, KEY_LOOKUP_CREATE, KEY_NEED_LINK);
480
480
if (IS_ERR(key_ref)) {
481
481
ret = PTR_ERR(key_ref);
482
482
goto error2;
···
505
505
key_ref_t keyring_ref, key_ref;
506
506
long ret;
507
507
508
-
keyring_ref = lookup_user_key(ringid, 0, KEY_WRITE);
508
+
keyring_ref = lookup_user_key(ringid, 0, KEY_NEED_WRITE);
509
509
if (IS_ERR(keyring_ref)) {
510
510
ret = PTR_ERR(keyring_ref);
511
511
goto error;
···
548
548
char *tmpbuf;
549
549
long ret;
550
550
551
-
key_ref = lookup_user_key(keyid, KEY_LOOKUP_PARTIAL, KEY_VIEW);
551
+
key_ref = lookup_user_key(keyid, KEY_LOOKUP_PARTIAL, KEY_NEED_VIEW);
552
552
if (IS_ERR(key_ref)) {
553
553
/* viewing a key under construction is permitted if we have the
554
554
* authorisation token handy */
···
639
639
}
640
640
641
641
/* get the keyring at which to begin the search */
642
-
keyring_ref = lookup_user_key(ringid, 0, KEY_SEARCH);
642
+
keyring_ref = lookup_user_key(ringid, 0, KEY_NEED_SEARCH);
643
643
if (IS_ERR(keyring_ref)) {
644
644
ret = PTR_ERR(keyring_ref);
645
645
goto error2;
···
649
649
dest_ref = NULL;
650
650
if (destringid) {
651
651
dest_ref = lookup_user_key(destringid, KEY_LOOKUP_CREATE,
652
-
KEY_WRITE);
652
+
KEY_NEED_WRITE);
653
653
if (IS_ERR(dest_ref)) {
654
654
ret = PTR_ERR(dest_ref);
655
655
goto error3;
···
676
676
677
677
/* link the resulting key to the destination keyring if we can */
678
678
if (dest_ref) {
679
-
ret = key_permission(key_ref, KEY_LINK);
679
+
ret = key_permission(key_ref, KEY_NEED_LINK);
680
680
if (ret < 0)
681
681
goto error6;
682
682
···
727
727
key = key_ref_to_ptr(key_ref);
728
728
729
729
/* see if we can read it directly */
730
-
ret = key_permission(key_ref, KEY_READ);
730
+
ret = key_permission(key_ref, KEY_NEED_READ);
731
731
if (ret == 0)
732
732
goto can_read_key;
733
733
if (ret != -EACCES)
···
799
799
goto error;
800
800
801
801
key_ref = lookup_user_key(id, KEY_LOOKUP_CREATE | KEY_LOOKUP_PARTIAL,
802
-
KEY_SETATTR);
802
+
KEY_NEED_SETATTR);
803
803
if (IS_ERR(key_ref)) {
804
804
ret = PTR_ERR(key_ref);
805
805
goto error;
···
905
905
goto error;
906
906
907
907
key_ref = lookup_user_key(id, KEY_LOOKUP_CREATE | KEY_LOOKUP_PARTIAL,
908
-
KEY_SETATTR);
908
+
KEY_NEED_SETATTR);
909
909
if (IS_ERR(key_ref)) {
910
910
ret = PTR_ERR(key_ref);
911
911
goto error;
···
947
947
948
948
/* if a specific keyring is nominated by ID, then use that */
949
949
if (ringid > 0) {
950
-
dkref = lookup_user_key(ringid, KEY_LOOKUP_CREATE, KEY_WRITE);
950
+
dkref = lookup_user_key(ringid, KEY_LOOKUP_CREATE, KEY_NEED_WRITE);
951
951
if (IS_ERR(dkref))
952
952
return PTR_ERR(dkref);
953
953
*_dest_keyring = key_ref_to_ptr(dkref);
···
1315
1315
long ret;
1316
1316
1317
1317
key_ref = lookup_user_key(id, KEY_LOOKUP_CREATE | KEY_LOOKUP_PARTIAL,
1318
-
KEY_SETATTR);
1318
+
KEY_NEED_SETATTR);
1319
1319
if (IS_ERR(key_ref)) {
1320
1320
/* setting the timeout on a key under construction is permitted
1321
1321
* if we have the authorisation token handy */
···
1418
1418
char *context;
1419
1419
long ret;
1420
1420
1421
-
key_ref = lookup_user_key(keyid, KEY_LOOKUP_PARTIAL, KEY_VIEW);
1421
+
key_ref = lookup_user_key(keyid, KEY_LOOKUP_PARTIAL, KEY_NEED_VIEW);
1422
1422
if (IS_ERR(key_ref)) {
1423
1423
if (PTR_ERR(key_ref) != -EACCES)
1424
1424
return PTR_ERR(key_ref);
···
1482
1482
struct cred *cred;
1483
1483
int ret;
1484
1484
1485
-
keyring_r = lookup_user_key(KEY_SPEC_SESSION_KEYRING, 0, KEY_LINK);
1485
+
keyring_r = lookup_user_key(KEY_SPEC_SESSION_KEYRING, 0, KEY_NEED_LINK);
1486
1486
if (IS_ERR(keyring_r))
1487
1487
return PTR_ERR(keyring_r);
1488
1488
+4
-4
security/keys/keyring.c
+4
-4
security/keys/keyring.c
···
541
541
/* key must have search permissions */
542
542
if (!(ctx->flags & KEYRING_SEARCH_NO_CHECK_PERM) &&
543
543
key_task_permission(make_key_ref(key, ctx->possessed),
544
-
ctx->cred, KEY_SEARCH) < 0) {
544
+
ctx->cred, KEY_NEED_SEARCH) < 0) {
545
545
ctx->result = ERR_PTR(-EACCES);
546
546
kleave(" = %d [!perm]", ctx->skipped_ret);
547
547
goto skipped;
···
721
721
/* Search a nested keyring */
722
722
if (!(ctx->flags & KEYRING_SEARCH_NO_CHECK_PERM) &&
723
723
key_task_permission(make_key_ref(key, ctx->possessed),
724
-
ctx->cred, KEY_SEARCH) < 0)
724
+
ctx->cred, KEY_NEED_SEARCH) < 0)
725
725
continue;
726
726
727
727
/* stack the current position */
···
843
843
return ERR_PTR(-ENOTDIR);
844
844
845
845
if (!(ctx->flags & KEYRING_SEARCH_NO_CHECK_PERM)) {
846
-
err = key_task_permission(keyring_ref, ctx->cred, KEY_SEARCH);
846
+
err = key_task_permission(keyring_ref, ctx->cred, KEY_NEED_SEARCH);
847
847
if (err < 0)
848
848
return ERR_PTR(err);
849
849
}
···
973
973
974
974
if (!skip_perm_check &&
975
975
key_permission(make_key_ref(keyring, 0),
976
-
KEY_SEARCH) < 0)
976
+
KEY_NEED_SEARCH) < 0)
977
977
continue;
978
978
979
979
/* we've got a match but we might end up racing with
+2
-2
security/keys/permission.c
+2
-2
security/keys/permission.c
···
28
28
* permissions bits or the LSM check.
29
29
*/
30
30
int key_task_permission(const key_ref_t key_ref, const struct cred *cred,
31
-
key_perm_t perm)
31
+
unsigned perm)
32
32
{
33
33
struct key *key;
34
34
key_perm_t kperm;
···
68
68
if (is_key_possessed(key_ref))
69
69
kperm |= key->perm >> 24;
70
70
71
-
kperm = kperm & perm & KEY_ALL;
71
+
kperm = kperm & perm & KEY_NEED_ALL;
72
72
73
73
if (kperm != perm)
74
74
return -EACCES;
+2
-2
security/keys/persistent.c
+2
-2
security/keys/persistent.c
···
108
108
return PTR_ERR(persistent_ref);
109
109
110
110
found:
111
-
ret = key_task_permission(persistent_ref, current_cred(), KEY_LINK);
111
+
ret = key_task_permission(persistent_ref, current_cred(), KEY_NEED_LINK);
112
112
if (ret == 0) {
113
113
persistent = key_ref_to_ptr(persistent_ref);
114
114
ret = key_link(key_ref_to_ptr(dest_ref), persistent);
···
151
151
}
152
152
153
153
/* There must be a destination keyring */
154
-
dest_ref = lookup_user_key(destid, KEY_LOOKUP_CREATE, KEY_WRITE);
154
+
dest_ref = lookup_user_key(destid, KEY_LOOKUP_CREATE, KEY_NEED_WRITE);
155
155
if (IS_ERR(dest_ref))
156
156
return PTR_ERR(dest_ref);
157
157
if (key_ref_to_ptr(dest_ref)->type != &key_type_keyring) {
+1
-1
security/keys/proc.c
+1
-1
security/keys/proc.c
···
218
218
* - the caller holds a spinlock, and thus the RCU read lock, making our
219
219
* access to __current_cred() safe
220
220
*/
221
-
rc = key_task_permission(key_ref, ctx.cred, KEY_VIEW);
221
+
rc = key_task_permission(key_ref, ctx.cred, KEY_NEED_VIEW);
222
222
if (rc < 0)
223
223
return 0;
224
224
+1
-1
security/keys/sysctl.c
+1
-1
security/keys/sysctl.c
+1
-1
security/security.c
+1
-1
security/security.c
+6
-1
security/selinux/avc.c
+6
-1
security/selinux/avc.c
···
444
444
avc_dump_query(ab, ad->selinux_audit_data->ssid,
445
445
ad->selinux_audit_data->tsid,
446
446
ad->selinux_audit_data->tclass);
447
+
if (ad->selinux_audit_data->denied) {
448
+
audit_log_format(ab, " permissive=%u",
449
+
ad->selinux_audit_data->result ? 0 : 1);
450
+
}
447
451
}
448
452
449
453
/* This is the slow part of avc audit with big stack footprint */
450
454
noinline int slow_avc_audit(u32 ssid, u32 tsid, u16 tclass,
451
-
u32 requested, u32 audited, u32 denied,
455
+
u32 requested, u32 audited, u32 denied, int result,
452
456
struct common_audit_data *a,
453
457
unsigned flags)
454
458
{
···
481
477
sad.tsid = tsid;
482
478
sad.audited = audited;
483
479
sad.denied = denied;
480
+
sad.result = result;
484
481
485
482
a->selinux_audit_data = &sad;
486
483
+8
-5
security/selinux/hooks.c
+8
-5
security/selinux/hooks.c
···
2123
2123
new_tsec->exec_sid = 0;
2124
2124
2125
2125
/*
2126
-
* Minimize confusion: if no_new_privs and a transition is
2127
-
* explicitly requested, then fail the exec.
2126
+
* Minimize confusion: if no_new_privs or nosuid and a
2127
+
* transition is explicitly requested, then fail the exec.
2128
2128
*/
2129
2129
if (bprm->unsafe & LSM_UNSAFE_NO_NEW_PRIVS)
2130
2130
return -EPERM;
2131
+
if (bprm->file->f_path.mnt->mnt_flags & MNT_NOSUID)
2132
+
return -EACCES;
2131
2133
} else {
2132
2134
/* Check for a default transition on this program. */
2133
2135
rc = security_transition_sid(old_tsec->sid, isec->sid,
···
2772
2770
2773
2771
static noinline int audit_inode_permission(struct inode *inode,
2774
2772
u32 perms, u32 audited, u32 denied,
2773
+
int result,
2775
2774
unsigned flags)
2776
2775
{
2777
2776
struct common_audit_data ad;
···
2783
2780
ad.u.inode = inode;
2784
2781
2785
2782
rc = slow_avc_audit(current_sid(), isec->sid, isec->sclass, perms,
2786
-
audited, denied, &ad, flags);
2783
+
audited, denied, result, &ad, flags);
2787
2784
if (rc)
2788
2785
return rc;
2789
2786
return 0;
···
2825
2822
if (likely(!audited))
2826
2823
return rc;
2827
2824
2828
-
rc2 = audit_inode_permission(inode, perms, audited, denied, flags);
2825
+
rc2 = audit_inode_permission(inode, perms, audited, denied, rc, flags);
2829
2826
if (rc2)
2830
2827
return rc2;
2831
2828
return rc;
···
5725
5722
5726
5723
static int selinux_key_permission(key_ref_t key_ref,
5727
5724
const struct cred *cred,
5728
-
key_perm_t perm)
5725
+
unsigned perm)
5729
5726
{
5730
5727
struct key *key;
5731
5728
struct key_security_struct *ksec;
+2
-2
security/selinux/include/avc.h
+2
-2
security/selinux/include/avc.h
···
102
102
}
103
103
104
104
int slow_avc_audit(u32 ssid, u32 tsid, u16 tclass,
105
-
u32 requested, u32 audited, u32 denied,
105
+
u32 requested, u32 audited, u32 denied, int result,
106
106
struct common_audit_data *a,
107
107
unsigned flags);
108
108
···
137
137
if (likely(!audited))
138
138
return 0;
139
139
return slow_avc_audit(ssid, tsid, tclass,
140
-
requested, audited, denied,
140
+
requested, audited, denied, result,
141
141
a, 0);
142
142
}
143
143
+3
security/selinux/ss/hashtab.c
+3
security/selinux/ss/hashtab.c
···
6
6
#include <linux/kernel.h>
7
7
#include <linux/slab.h>
8
8
#include <linux/errno.h>
9
+
#include <linux/sched.h>
9
10
#include "hashtab.h"
10
11
11
12
struct hashtab *hashtab_create(u32 (*hash_value)(struct hashtab *h, const void *key),
···
40
39
{
41
40
u32 hvalue;
42
41
struct hashtab_node *prev, *cur, *newnode;
42
+
43
+
cond_resched();
43
44
44
45
if (!h || h->nel == HASHTAB_MAX_NODES)
45
46
return -EINVAL;
+2
security/selinux/ss/mls.c
+2
security/selinux/ss/mls.c
+13
-3
security/smack/smack.h
+13
-3
security/smack/smack.h
···
80
80
81
81
struct socket_smack {
82
82
struct smack_known *smk_out; /* outbound label */
83
-
char *smk_in; /* inbound label */
84
-
char *smk_packet; /* TCP peer label */
83
+
struct smack_known *smk_in; /* inbound label */
84
+
struct smack_known *smk_packet; /* TCP peer label */
85
85
};
86
86
87
87
/*
···
133
133
struct list_head list;
134
134
struct sock *smk_sock; /* socket initialized on */
135
135
unsigned short smk_port; /* the port number */
136
-
char *smk_in; /* incoming label */
136
+
struct smack_known *smk_in; /* inbound label */
137
137
struct smack_known *smk_out; /* outgoing label */
138
138
};
139
139
···
175
175
* the bits in 23 bytes, hence the unusual number.
176
176
*/
177
177
#define SMACK_CIPSO_MAXCATNUM 184 /* 23 * 8 */
178
+
179
+
/*
180
+
* Ptrace rules
181
+
*/
182
+
#define SMACK_PTRACE_DEFAULT 0
183
+
#define SMACK_PTRACE_EXACT 1
184
+
#define SMACK_PTRACE_DRACONIAN 2
185
+
#define SMACK_PTRACE_MAX SMACK_PTRACE_DRACONIAN
178
186
179
187
/*
180
188
* Flags for untraditional access modes.
···
233
225
*/
234
226
int smk_access_entry(char *, char *, struct list_head *);
235
227
int smk_access(struct smack_known *, char *, int, struct smk_audit_info *);
228
+
int smk_tskacc(struct task_smack *, char *, u32, struct smk_audit_info *);
236
229
int smk_curacc(char *, u32, struct smk_audit_info *);
237
230
struct smack_known *smack_from_secid(const u32);
238
231
char *smk_parse_smack(const char *string, int len);
···
253
244
extern struct smack_known *smack_onlycap;
254
245
extern struct smack_known *smack_syslog_label;
255
246
extern const char *smack_cipso_option;
247
+
extern int smack_ptrace_rule;
256
248
257
249
extern struct smack_known smack_known_floor;
258
250
extern struct smack_known smack_known_hat;
+30
-8
security/smack/smack_access.c
+30
-8
security/smack/smack_access.c
···
192
192
}
193
193
194
194
/**
195
-
* smk_curacc - determine if current has a specific access to an object
195
+
* smk_tskacc - determine if a task has a specific access to an object
196
+
* @tsp: a pointer to the subject task
196
197
* @obj_label: a pointer to the object's Smack label
197
198
* @mode: the access requested, in "MAY" format
198
199
* @a : common audit data
199
200
*
200
-
* This function checks the current subject label/object label pair
201
+
* This function checks the subject task's label/object label pair
201
202
* in the access rule list and returns 0 if the access is permitted,
202
-
* non zero otherwise. It allows that current may have the capability
203
+
* non zero otherwise. It allows that the task may have the capability
203
204
* to override the rules.
204
205
*/
205
-
int smk_curacc(char *obj_label, u32 mode, struct smk_audit_info *a)
206
+
int smk_tskacc(struct task_smack *subject, char *obj_label,
207
+
u32 mode, struct smk_audit_info *a)
206
208
{
207
-
struct task_smack *tsp = current_security();
208
-
struct smack_known *skp = smk_of_task(tsp);
209
+
struct smack_known *skp = smk_of_task(subject);
209
210
int may;
210
211
int rc;
211
212
···
220
219
* it can further restrict access.
221
220
*/
222
221
may = smk_access_entry(skp->smk_known, obj_label,
223
-
&tsp->smk_rules);
222
+
&subject->smk_rules);
224
223
if (may < 0)
225
224
goto out_audit;
226
225
if ((mode & may) == mode)
···
240
239
smack_log(skp->smk_known, obj_label, mode, rc, a);
241
240
#endif
242
241
return rc;
242
+
}
243
+
244
+
/**
245
+
* smk_curacc - determine if current has a specific access to an object
246
+
* @obj_label: a pointer to the object's Smack label
247
+
* @mode: the access requested, in "MAY" format
248
+
* @a : common audit data
249
+
*
250
+
* This function checks the current subject label/object label pair
251
+
* in the access rule list and returns 0 if the access is permitted,
252
+
* non zero otherwise. It allows that current may have the capability
253
+
* to override the rules.
254
+
*/
255
+
int smk_curacc(char *obj_label, u32 mode, struct smk_audit_info *a)
256
+
{
257
+
struct task_smack *tsp = current_security();
258
+
259
+
return smk_tskacc(tsp, obj_label, mode, a);
243
260
}
244
261
245
262
#ifdef CONFIG_AUDIT
···
304
285
audit_log_untrustedstring(ab, sad->subject);
305
286
audit_log_format(ab, " object=");
306
287
audit_log_untrustedstring(ab, sad->object);
307
-
audit_log_format(ab, " requested=%s", sad->request);
288
+
if (sad->request[0] == '\0')
289
+
audit_log_format(ab, " labels_differ");
290
+
else
291
+
audit_log_format(ab, " requested=%s", sad->request);
308
292
}
309
293
310
294
/**
+186
-63
security/smack/smack_lsm.c
+186
-63
security/smack/smack_lsm.c
···
157
157
return rc;
158
158
}
159
159
160
+
/**
161
+
* smk_ptrace_mode - helper function for converting PTRACE_MODE_* into MAY_*
162
+
* @mode - input mode in form of PTRACE_MODE_*
163
+
*
164
+
* Returns a converted MAY_* mode usable by smack rules
165
+
*/
166
+
static inline unsigned int smk_ptrace_mode(unsigned int mode)
167
+
{
168
+
switch (mode) {
169
+
case PTRACE_MODE_READ:
170
+
return MAY_READ;
171
+
case PTRACE_MODE_ATTACH:
172
+
return MAY_READWRITE;
173
+
}
174
+
175
+
return 0;
176
+
}
177
+
178
+
/**
179
+
* smk_ptrace_rule_check - helper for ptrace access
180
+
* @tracer: tracer process
181
+
* @tracee_label: label of the process that's about to be traced,
182
+
* the pointer must originate from smack structures
183
+
* @mode: ptrace attachment mode (PTRACE_MODE_*)
184
+
* @func: name of the function that called us, used for audit
185
+
*
186
+
* Returns 0 on access granted, -error on error
187
+
*/
188
+
static int smk_ptrace_rule_check(struct task_struct *tracer, char *tracee_label,
189
+
unsigned int mode, const char *func)
190
+
{
191
+
int rc;
192
+
struct smk_audit_info ad, *saip = NULL;
193
+
struct task_smack *tsp;
194
+
struct smack_known *skp;
195
+
196
+
if ((mode & PTRACE_MODE_NOAUDIT) == 0) {
197
+
smk_ad_init(&ad, func, LSM_AUDIT_DATA_TASK);
198
+
smk_ad_setfield_u_tsk(&ad, tracer);
199
+
saip = &ad;
200
+
}
201
+
202
+
tsp = task_security(tracer);
203
+
skp = smk_of_task(tsp);
204
+
205
+
if ((mode & PTRACE_MODE_ATTACH) &&
206
+
(smack_ptrace_rule == SMACK_PTRACE_EXACT ||
207
+
smack_ptrace_rule == SMACK_PTRACE_DRACONIAN)) {
208
+
if (skp->smk_known == tracee_label)
209
+
rc = 0;
210
+
else if (smack_ptrace_rule == SMACK_PTRACE_DRACONIAN)
211
+
rc = -EACCES;
212
+
else if (capable(CAP_SYS_PTRACE))
213
+
rc = 0;
214
+
else
215
+
rc = -EACCES;
216
+
217
+
if (saip)
218
+
smack_log(skp->smk_known, tracee_label, 0, rc, saip);
219
+
220
+
return rc;
221
+
}
222
+
223
+
/* In case of rule==SMACK_PTRACE_DEFAULT or mode==PTRACE_MODE_READ */
224
+
rc = smk_tskacc(tsp, tracee_label, smk_ptrace_mode(mode), saip);
225
+
return rc;
226
+
}
227
+
160
228
/*
161
229
* LSM hooks.
162
230
* We he, that is fun!
···
233
165
/**
234
166
* smack_ptrace_access_check - Smack approval on PTRACE_ATTACH
235
167
* @ctp: child task pointer
236
-
* @mode: ptrace attachment mode
168
+
* @mode: ptrace attachment mode (PTRACE_MODE_*)
237
169
*
238
170
* Returns 0 if access is OK, an error code otherwise
239
171
*
240
-
* Do the capability checks, and require read and write.
172
+
* Do the capability checks.
241
173
*/
242
174
static int smack_ptrace_access_check(struct task_struct *ctp, unsigned int mode)
243
175
{
244
176
int rc;
245
-
struct smk_audit_info ad;
246
177
struct smack_known *skp;
247
178
248
179
rc = cap_ptrace_access_check(ctp, mode);
···
249
182
return rc;
250
183
251
184
skp = smk_of_task(task_security(ctp));
252
-
smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_TASK);
253
-
smk_ad_setfield_u_tsk(&ad, ctp);
254
185
255
-
rc = smk_curacc(skp->smk_known, mode, &ad);
186
+
rc = smk_ptrace_rule_check(current, skp->smk_known, mode, __func__);
256
187
return rc;
257
188
}
258
189
···
260
195
*
261
196
* Returns 0 if access is OK, an error code otherwise
262
197
*
263
-
* Do the capability checks, and require read and write.
198
+
* Do the capability checks, and require PTRACE_MODE_ATTACH.
264
199
*/
265
200
static int smack_ptrace_traceme(struct task_struct *ptp)
266
201
{
267
202
int rc;
268
-
struct smk_audit_info ad;
269
203
struct smack_known *skp;
270
204
271
205
rc = cap_ptrace_traceme(ptp);
272
206
if (rc != 0)
273
207
return rc;
274
208
275
-
skp = smk_of_task(task_security(ptp));
276
-
smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_TASK);
277
-
smk_ad_setfield_u_tsk(&ad, ptp);
209
+
skp = smk_of_task(current_security());
278
210
279
-
rc = smk_curacc(skp->smk_known, MAY_READWRITE, &ad);
211
+
rc = smk_ptrace_rule_check(ptp, skp->smk_known,
212
+
PTRACE_MODE_ATTACH, __func__);
280
213
return rc;
281
214
}
282
215
···
476
413
* Initialize the root inode.
477
414
*/
478
415
isp = inode->i_security;
479
-
if (inode->i_security == NULL) {
480
-
inode->i_security = new_inode_smack(sp->smk_root);
481
-
isp = inode->i_security;
416
+
if (isp == NULL) {
417
+
isp = new_inode_smack(sp->smk_root);
418
+
if (isp == NULL)
419
+
return -ENOMEM;
420
+
inode->i_security = isp;
482
421
} else
483
422
isp->smk_inode = sp->smk_root;
484
423
···
518
453
* smack_bprm_set_creds - set creds for exec
519
454
* @bprm: the exec information
520
455
*
521
-
* Returns 0 if it gets a blob, -ENOMEM otherwise
456
+
* Returns 0 if it gets a blob, -EPERM if exec forbidden and -ENOMEM otherwise
522
457
*/
523
458
static int smack_bprm_set_creds(struct linux_binprm *bprm)
524
459
{
···
538
473
if (isp->smk_task == NULL || isp->smk_task == bsp->smk_task)
539
474
return 0;
540
475
541
-
if (bprm->unsafe)
476
+
if (bprm->unsafe & (LSM_UNSAFE_PTRACE | LSM_UNSAFE_PTRACE_CAP)) {
477
+
struct task_struct *tracer;
478
+
rc = 0;
479
+
480
+
rcu_read_lock();
481
+
tracer = ptrace_parent(current);
482
+
if (likely(tracer != NULL))
483
+
rc = smk_ptrace_rule_check(tracer,
484
+
isp->smk_task->smk_known,
485
+
PTRACE_MODE_ATTACH,
486
+
__func__);
487
+
rcu_read_unlock();
488
+
489
+
if (rc != 0)
490
+
return rc;
491
+
} else if (bprm->unsafe)
542
492
return -EPERM;
543
493
544
494
bsp->smk_task = isp->smk_task;
···
960
880
return;
961
881
}
962
882
963
-
skp = smk_import_entry(value, size);
964
883
if (strcmp(name, XATTR_NAME_SMACK) == 0) {
884
+
skp = smk_import_entry(value, size);
965
885
if (skp != NULL)
966
886
isp->smk_inode = skp->smk_known;
967
887
else
968
888
isp->smk_inode = smack_known_invalid.smk_known;
969
889
} else if (strcmp(name, XATTR_NAME_SMACKEXEC) == 0) {
890
+
skp = smk_import_entry(value, size);
970
891
if (skp != NULL)
971
892
isp->smk_task = skp;
972
893
else
973
894
isp->smk_task = &smack_known_invalid;
974
895
} else if (strcmp(name, XATTR_NAME_SMACKMMAP) == 0) {
896
+
skp = smk_import_entry(value, size);
975
897
if (skp != NULL)
976
898
isp->smk_mmap = skp;
977
899
else
···
1020
938
strcmp(name, XATTR_NAME_SMACKIPOUT) == 0 ||
1021
939
strcmp(name, XATTR_NAME_SMACKEXEC) == 0 ||
1022
940
strcmp(name, XATTR_NAME_SMACKTRANSMUTE) == 0 ||
1023
-
strcmp(name, XATTR_NAME_SMACKMMAP)) {
941
+
strcmp(name, XATTR_NAME_SMACKMMAP) == 0) {
1024
942
if (!smack_privileged(CAP_MAC_ADMIN))
1025
943
rc = -EPERM;
1026
944
} else
1027
945
rc = cap_inode_removexattr(dentry, name);
1028
946
947
+
if (rc != 0)
948
+
return rc;
949
+
1029
950
smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_DENTRY);
1030
951
smk_ad_setfield_u_fs_path_dentry(&ad, dentry);
1031
-
if (rc == 0)
1032
-
rc = smk_curacc(smk_of_inode(dentry->d_inode), MAY_WRITE, &ad);
1033
952
1034
-
if (rc == 0) {
1035
-
isp = dentry->d_inode->i_security;
953
+
rc = smk_curacc(smk_of_inode(dentry->d_inode), MAY_WRITE, &ad);
954
+
if (rc != 0)
955
+
return rc;
956
+
957
+
isp = dentry->d_inode->i_security;
958
+
/*
959
+
* Don't do anything special for these.
960
+
* XATTR_NAME_SMACKIPIN
961
+
* XATTR_NAME_SMACKIPOUT
962
+
* XATTR_NAME_SMACKEXEC
963
+
*/
964
+
if (strcmp(name, XATTR_NAME_SMACK) == 0)
1036
965
isp->smk_task = NULL;
966
+
else if (strcmp(name, XATTR_NAME_SMACKMMAP) == 0)
1037
967
isp->smk_mmap = NULL;
1038
-
}
968
+
else if (strcmp(name, XATTR_NAME_SMACKTRANSMUTE) == 0)
969
+
isp->smk_flags &= ~SMK_INODE_TRANSMUTE;
1039
970
1040
-
return rc;
971
+
return 0;
1041
972
}
1042
973
1043
974
/**
···
1095
1000
ssp = sock->sk->sk_security;
1096
1001
1097
1002
if (strcmp(name, XATTR_SMACK_IPIN) == 0)
1098
-
isp = ssp->smk_in;
1003
+
isp = ssp->smk_in->smk_known;
1099
1004
else if (strcmp(name, XATTR_SMACK_IPOUT) == 0)
1100
1005
isp = ssp->smk_out->smk_known;
1101
1006
else
···
1462
1367
/**
1463
1368
* smack_file_open - Smack dentry open processing
1464
1369
* @file: the object
1465
-
* @cred: unused
1370
+
* @cred: task credential
1466
1371
*
1467
1372
* Set the security blob in the file structure.
1373
+
* Allow the open only if the task has read access. There are
1374
+
* many read operations (e.g. fstat) that you can do with an
1375
+
* fd even if you have the file open write-only.
1468
1376
*
1469
1377
* Returns 0
1470
1378
*/
1471
1379
static int smack_file_open(struct file *file, const struct cred *cred)
1472
1380
{
1381
+
struct task_smack *tsp = cred->security;
1473
1382
struct inode_smack *isp = file_inode(file)->i_security;
1383
+
struct smk_audit_info ad;
1384
+
int rc;
1474
1385
1475
-
file->f_security = isp->smk_inode;
1386
+
if (smack_privileged(CAP_MAC_OVERRIDE))
1387
+
return 0;
1476
1388
1477
-
return 0;
1389
+
smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_PATH);
1390
+
smk_ad_setfield_u_fs_path(&ad, file->f_path);
1391
+
rc = smk_access(tsp->smk_task, isp->smk_inode, MAY_READ, &ad);
1392
+
if (rc == 0)
1393
+
file->f_security = isp->smk_inode;
1394
+
1395
+
return rc;
1478
1396
}
1479
1397
1480
1398
/*
···
1872
1764
if (ssp == NULL)
1873
1765
return -ENOMEM;
1874
1766
1875
-
ssp->smk_in = skp->smk_known;
1767
+
ssp->smk_in = skp;
1876
1768
ssp->smk_out = skp;
1877
1769
ssp->smk_packet = NULL;
1878
1770
···
2112
2004
2113
2005
if (act == SMK_RECEIVING) {
2114
2006
skp = smack_net_ambient;
2115
-
object = ssp->smk_in;
2007
+
object = ssp->smk_in->smk_known;
2116
2008
} else {
2117
2009
skp = ssp->smk_out;
2118
2010
object = smack_net_ambient->smk_known;
···
2142
2034
list_for_each_entry(spp, &smk_ipv6_port_list, list) {
2143
2035
if (spp->smk_port != port)
2144
2036
continue;
2145
-
object = spp->smk_in;
2037
+
object = spp->smk_in->smk_known;
2146
2038
if (act == SMK_CONNECTING)
2147
-
ssp->smk_packet = spp->smk_out->smk_known;
2039
+
ssp->smk_packet = spp->smk_out;
2148
2040
break;
2149
2041
}
2150
2042
···
2184
2076
int rc = 0;
2185
2077
2186
2078
if (value == NULL || size > SMK_LONGLABEL || size == 0)
2187
-
return -EACCES;
2079
+
return -EINVAL;
2188
2080
2189
2081
skp = smk_import_entry(value, size);
2190
2082
if (skp == NULL)
···
2208
2100
ssp = sock->sk->sk_security;
2209
2101
2210
2102
if (strcmp(name, XATTR_SMACK_IPIN) == 0)
2211
-
ssp->smk_in = skp->smk_known;
2103
+
ssp->smk_in = skp;
2212
2104
else if (strcmp(name, XATTR_SMACK_IPOUT) == 0) {
2213
2105
ssp->smk_out = skp;
2214
2106
if (sock->sk->sk_family == PF_INET) {
···
2821
2713
* of the superblock.
2822
2714
*/
2823
2715
if (opt_dentry->d_parent == opt_dentry) {
2716
+
if (sbp->s_magic == CGROUP_SUPER_MAGIC) {
2717
+
/*
2718
+
* The cgroup filesystem is never mounted,
2719
+
* so there's no opportunity to set the mount
2720
+
* options.
2721
+
*/
2722
+
sbsp->smk_root = smack_known_star.smk_known;
2723
+
sbsp->smk_default = smack_known_star.smk_known;
2724
+
}
2824
2725
isp->smk_inode = sbsp->smk_root;
2825
2726
isp->smk_flags |= SMK_INODE_INSTANT;
2826
2727
goto unlockandout;
···
2843
2726
*/
2844
2727
switch (sbp->s_magic) {
2845
2728
case SMACK_MAGIC:
2729
+
case PIPEFS_MAGIC:
2730
+
case SOCKFS_MAGIC:
2731
+
case CGROUP_SUPER_MAGIC:
2846
2732
/*
2847
2733
* Casey says that it's a little embarrassing
2848
2734
* that the smack file system doesn't do
2849
2735
* extended attributes.
2850
-
*/
2851
-
final = smack_known_star.smk_known;
2852
-
break;
2853
-
case PIPEFS_MAGIC:
2854
-
/*
2736
+
*
2855
2737
* Casey says pipes are easy (?)
2738
+
*
2739
+
* Socket access is controlled by the socket
2740
+
* structures associated with the task involved.
2741
+
*
2742
+
* Cgroupfs is special
2856
2743
*/
2857
2744
final = smack_known_star.smk_known;
2858
2745
break;
···
2867
2746
* pty with respect.
2868
2747
*/
2869
2748
final = ckp->smk_known;
2870
-
break;
2871
-
case SOCKFS_MAGIC:
2872
-
/*
2873
-
* Socket access is controlled by the socket
2874
-
* structures associated with the task involved.
2875
-
*/
2876
-
final = smack_known_star.smk_known;
2877
2749
break;
2878
2750
case PROC_SUPER_MAGIC:
2879
2751
/*
···
3073
2959
struct sock *other, struct sock *newsk)
3074
2960
{
3075
2961
struct smack_known *skp;
2962
+
struct smack_known *okp;
3076
2963
struct socket_smack *ssp = sock->sk_security;
3077
2964
struct socket_smack *osp = other->sk_security;
3078
2965
struct socket_smack *nsp = newsk->sk_security;
3079
2966
struct smk_audit_info ad;
3080
2967
int rc = 0;
3081
-
3082
2968
#ifdef CONFIG_AUDIT
3083
2969
struct lsm_network_audit net;
3084
-
3085
-
smk_ad_init_net(&ad, __func__, LSM_AUDIT_DATA_NET, &net);
3086
-
smk_ad_setfield_u_net_sk(&ad, other);
3087
2970
#endif
3088
2971
3089
2972
if (!smack_privileged(CAP_MAC_OVERRIDE)) {
3090
2973
skp = ssp->smk_out;
3091
-
rc = smk_access(skp, osp->smk_in, MAY_WRITE, &ad);
2974
+
okp = osp->smk_out;
2975
+
#ifdef CONFIG_AUDIT
2976
+
smk_ad_init_net(&ad, __func__, LSM_AUDIT_DATA_NET, &net);
2977
+
smk_ad_setfield_u_net_sk(&ad, other);
2978
+
#endif
2979
+
rc = smk_access(skp, okp->smk_known, MAY_WRITE, &ad);
2980
+
if (rc == 0)
2981
+
rc = smk_access(okp, okp->smk_known, MAY_WRITE, NULL);
3092
2982
}
3093
2983
3094
2984
/*
3095
2985
* Cross reference the peer labels for SO_PEERSEC.
3096
2986
*/
3097
2987
if (rc == 0) {
3098
-
nsp->smk_packet = ssp->smk_out->smk_known;
3099
-
ssp->smk_packet = osp->smk_out->smk_known;
2988
+
nsp->smk_packet = ssp->smk_out;
2989
+
ssp->smk_packet = osp->smk_out;
3100
2990
}
3101
2991
3102
2992
return rc;
···
3132
3014
return 0;
3133
3015
3134
3016
skp = ssp->smk_out;
3135
-
return smk_access(skp, osp->smk_in, MAY_WRITE, &ad);
3017
+
return smk_access(skp, osp->smk_in->smk_known, MAY_WRITE, &ad);
3136
3018
}
3137
3019
3138
3020
/**
···
3227
3109
if (found)
3228
3110
return skp;
3229
3111
3230
-
if (ssp != NULL && ssp->smk_in == smack_known_star.smk_known)
3112
+
if (ssp != NULL && ssp->smk_in == &smack_known_star)
3231
3113
return &smack_known_web;
3232
3114
return &smack_known_star;
3233
3115
}
···
3346
3228
* This is the simplist possible security model
3347
3229
* for networking.
3348
3230
*/
3349
-
rc = smk_access(skp, ssp->smk_in, MAY_WRITE, &ad);
3231
+
rc = smk_access(skp, ssp->smk_in->smk_known, MAY_WRITE, &ad);
3350
3232
if (rc != 0)
3351
3233
netlbl_skbuff_err(skb, rc, 0);
3352
3234
break;
···
3381
3263
3382
3264
ssp = sock->sk->sk_security;
3383
3265
if (ssp->smk_packet != NULL) {
3384
-
rcp = ssp->smk_packet;
3266
+
rcp = ssp->smk_packet->smk_known;
3385
3267
slen = strlen(rcp) + 1;
3386
3268
}
3387
3269
···
3466
3348
return;
3467
3349
3468
3350
ssp = sk->sk_security;
3469
-
ssp->smk_in = skp->smk_known;
3351
+
ssp->smk_in = skp;
3470
3352
ssp->smk_out = skp;
3471
3353
/* cssp->smk_packet is already set in smack_inet_csk_clone() */
3472
3354
}
···
3526
3408
* Receiving a packet requires that the other end be able to write
3527
3409
* here. Read access is not required.
3528
3410
*/
3529
-
rc = smk_access(skp, ssp->smk_in, MAY_WRITE, &ad);
3411
+
rc = smk_access(skp, ssp->smk_in->smk_known, MAY_WRITE, &ad);
3530
3412
if (rc != 0)
3531
3413
return rc;
3532
3414
···
3570
3452
3571
3453
if (req->peer_secid != 0) {
3572
3454
skp = smack_from_secid(req->peer_secid);
3573
-
ssp->smk_packet = skp->smk_known;
3455
+
ssp->smk_packet = skp;
3574
3456
} else
3575
3457
ssp->smk_packet = NULL;
3576
3458
}
···
3624
3506
* an error code otherwise
3625
3507
*/
3626
3508
static int smack_key_permission(key_ref_t key_ref,
3627
-
const struct cred *cred, key_perm_t perm)
3509
+
const struct cred *cred, unsigned perm)
3628
3510
{
3629
3511
struct key *keyp;
3630
3512
struct smk_audit_info ad;
3631
3513
struct smack_known *tkp = smk_of_task(cred->security);
3514
+
int request = 0;
3632
3515
3633
3516
keyp = key_ref_to_ptr(key_ref);
3634
3517
if (keyp == NULL)
···
3650
3531
ad.a.u.key_struct.key = keyp->serial;
3651
3532
ad.a.u.key_struct.key_desc = keyp->description;
3652
3533
#endif
3653
-
return smk_access(tkp, keyp->security, MAY_READWRITE, &ad);
3534
+
if (perm & KEY_NEED_READ)
3535
+
request = MAY_READ;
3536
+
if (perm & (KEY_NEED_WRITE | KEY_NEED_LINK | KEY_NEED_SETATTR))
3537
+
request = MAY_WRITE;
3538
+
return smk_access(tkp, keyp->security, request, &ad);
3654
3539
}
3655
3540
#endif /* CONFIG_KEYS */
3656
3541
+75
-1
security/smack/smackfs.c
+75
-1
security/smack/smackfs.c
···
53
53
SMK_REVOKE_SUBJ = 18, /* set rules with subject label to '-' */
54
54
SMK_CHANGE_RULE = 19, /* change or add rules (long labels) */
55
55
SMK_SYSLOG = 20, /* change syslog label) */
56
+
SMK_PTRACE = 21, /* set ptrace rule */
56
57
};
57
58
58
59
/*
···
100
99
* It can be reset via smackfs/syslog
101
100
*/
102
101
struct smack_known *smack_syslog_label;
102
+
103
+
/*
104
+
* Ptrace current rule
105
+
* SMACK_PTRACE_DEFAULT regular smack ptrace rules (/proc based)
106
+
* SMACK_PTRACE_EXACT labels must match, but can be overriden with
107
+
* CAP_SYS_PTRACE
108
+
* SMACK_PTRACE_DRACONIAN lables must match, CAP_SYS_PTRACE has no effect
109
+
*/
110
+
int smack_ptrace_rule = SMACK_PTRACE_DEFAULT;
103
111
104
112
/*
105
113
* Certain IP addresses may be designated as single label hosts.
···
1193
1183
1194
1184
data[count] = '\0';
1195
1185
1196
-
rc = sscanf(data, "%hhd.%hhd.%hhd.%hhd/%d %s",
1186
+
rc = sscanf(data, "%hhd.%hhd.%hhd.%hhd/%u %s",
1197
1187
&host[0], &host[1], &host[2], &host[3], &m, smack);
1198
1188
if (rc != 6) {
1199
1189
rc = sscanf(data, "%hhd.%hhd.%hhd.%hhd %s",
···
2254
2244
2255
2245
2256
2246
/**
2247
+
* smk_read_ptrace - read() for /smack/ptrace
2248
+
* @filp: file pointer, not actually used
2249
+
* @buf: where to put the result
2250
+
* @count: maximum to send along
2251
+
* @ppos: where to start
2252
+
*
2253
+
* Returns number of bytes read or error code, as appropriate
2254
+
*/
2255
+
static ssize_t smk_read_ptrace(struct file *filp, char __user *buf,
2256
+
size_t count, loff_t *ppos)
2257
+
{
2258
+
char temp[32];
2259
+
ssize_t rc;
2260
+
2261
+
if (*ppos != 0)
2262
+
return 0;
2263
+
2264
+
sprintf(temp, "%d\n", smack_ptrace_rule);
2265
+
rc = simple_read_from_buffer(buf, count, ppos, temp, strlen(temp));
2266
+
return rc;
2267
+
}
2268
+
2269
+
/**
2270
+
* smk_write_ptrace - write() for /smack/ptrace
2271
+
* @file: file pointer
2272
+
* @buf: data from user space
2273
+
* @count: bytes sent
2274
+
* @ppos: where to start - must be 0
2275
+
*/
2276
+
static ssize_t smk_write_ptrace(struct file *file, const char __user *buf,
2277
+
size_t count, loff_t *ppos)
2278
+
{
2279
+
char temp[32];
2280
+
int i;
2281
+
2282
+
if (!smack_privileged(CAP_MAC_ADMIN))
2283
+
return -EPERM;
2284
+
2285
+
if (*ppos != 0 || count >= sizeof(temp) || count == 0)
2286
+
return -EINVAL;
2287
+
2288
+
if (copy_from_user(temp, buf, count) != 0)
2289
+
return -EFAULT;
2290
+
2291
+
temp[count] = '\0';
2292
+
2293
+
if (sscanf(temp, "%d", &i) != 1)
2294
+
return -EINVAL;
2295
+
if (i < SMACK_PTRACE_DEFAULT || i > SMACK_PTRACE_MAX)
2296
+
return -EINVAL;
2297
+
smack_ptrace_rule = i;
2298
+
2299
+
return count;
2300
+
}
2301
+
2302
+
static const struct file_operations smk_ptrace_ops = {
2303
+
.write = smk_write_ptrace,
2304
+
.read = smk_read_ptrace,
2305
+
.llseek = default_llseek,
2306
+
};
2307
+
2308
+
/**
2257
2309
* smk_fill_super - fill the smackfs superblock
2258
2310
* @sb: the empty superblock
2259
2311
* @data: unused
···
2368
2296
"change-rule", &smk_change_rule_ops, S_IRUGO|S_IWUSR},
2369
2297
[SMK_SYSLOG] = {
2370
2298
"syslog", &smk_syslog_ops, S_IRUGO|S_IWUSR},
2299
+
[SMK_PTRACE] = {
2300
+
"ptrace", &smk_ptrace_ops, S_IRUGO|S_IWUSR},
2371
2301
/* last one */
2372
2302
{""}
2373
2303
};