smack_lsm.c (b7f8f259896f669f131713b0c74ba4d008daa71d) smack_lsm.c (1aea7808372eee4ad01f98e064c88c57f1e94855)
1// SPDX-License-Identifier: GPL-2.0-only
2/*
3 * Simplified MAC Kernel (smack) security module
4 *
5 * This file contains the smack hook function implementations.
6 *
7 * Authors:
8 * Casey Schaufler <casey@schaufler-ca.com>

--- 521 unchanged lines hidden (view full) ---

530/**
531 * smack_sb_alloc_security - allocate a superblock blob
532 * @sb: the superblock getting the blob
533 *
534 * Returns 0 on success or -ENOMEM on error.
535 */
536static int smack_sb_alloc_security(struct super_block *sb)
537{
1// SPDX-License-Identifier: GPL-2.0-only
2/*
3 * Simplified MAC Kernel (smack) security module
4 *
5 * This file contains the smack hook function implementations.
6 *
7 * Authors:
8 * Casey Schaufler <casey@schaufler-ca.com>

--- 521 unchanged lines hidden (view full) ---

530/**
531 * smack_sb_alloc_security - allocate a superblock blob
532 * @sb: the superblock getting the blob
533 *
534 * Returns 0 on success or -ENOMEM on error.
535 */
536static int smack_sb_alloc_security(struct super_block *sb)
537{
538 struct superblock_smack *sbsp;
538 struct superblock_smack *sbsp = smack_superblock(sb);
539
539
540 sbsp = kzalloc(sizeof(struct superblock_smack), GFP_KERNEL);
541
542 if (sbsp == NULL)
543 return -ENOMEM;
544
545 sbsp->smk_root = &smack_known_floor;
546 sbsp->smk_default = &smack_known_floor;
547 sbsp->smk_floor = &smack_known_floor;
548 sbsp->smk_hat = &smack_known_hat;
549 /*
550 * SMK_SB_INITIALIZED will be zero from kzalloc.
551 */
540 sbsp->smk_root = &smack_known_floor;
541 sbsp->smk_default = &smack_known_floor;
542 sbsp->smk_floor = &smack_known_floor;
543 sbsp->smk_hat = &smack_known_hat;
544 /*
545 * SMK_SB_INITIALIZED will be zero from kzalloc.
546 */
552 sb->s_security = sbsp;
553
554 return 0;
555}
556
547
548 return 0;
549}
550
557/**
558 * smack_sb_free_security - free a superblock blob
559 * @sb: the superblock getting the blob
560 *
561 */
562static void smack_sb_free_security(struct super_block *sb)
563{
564 kfree(sb->s_security);
565 sb->s_security = NULL;
566}
567
568struct smack_mnt_opts {
569 const char *fsdefault, *fsfloor, *fshat, *fsroot, *fstransmute;
570};
571
572static void smack_free_mnt_opts(void *mnt_opts)
573{
574 struct smack_mnt_opts *opts = mnt_opts;
575 kfree(opts->fsdefault);

--- 191 unchanged lines hidden (view full) ---

767 */
768static int smack_set_mnt_opts(struct super_block *sb,
769 void *mnt_opts,
770 unsigned long kern_flags,
771 unsigned long *set_kern_flags)
772{
773 struct dentry *root = sb->s_root;
774 struct inode *inode = d_backing_inode(root);
551struct smack_mnt_opts {
552 const char *fsdefault, *fsfloor, *fshat, *fsroot, *fstransmute;
553};
554
555static void smack_free_mnt_opts(void *mnt_opts)
556{
557 struct smack_mnt_opts *opts = mnt_opts;
558 kfree(opts->fsdefault);

--- 191 unchanged lines hidden (view full) ---

750 */
751static int smack_set_mnt_opts(struct super_block *sb,
752 void *mnt_opts,
753 unsigned long kern_flags,
754 unsigned long *set_kern_flags)
755{
756 struct dentry *root = sb->s_root;
757 struct inode *inode = d_backing_inode(root);
775 struct superblock_smack *sp = sb->s_security;
758 struct superblock_smack *sp = smack_superblock(sb);
776 struct inode_smack *isp;
777 struct smack_known *skp;
778 struct smack_mnt_opts *opts = mnt_opts;
779 bool transmute = false;
780
781 if (sp->smk_flags & SMK_SB_INITIALIZED)
782 return 0;
783

--- 82 unchanged lines hidden (view full) ---

866 * smack_sb_statfs - Smack check on statfs
867 * @dentry: identifies the file system in question
868 *
869 * Returns 0 if current can read the floor of the filesystem,
870 * and error code otherwise
871 */
872static int smack_sb_statfs(struct dentry *dentry)
873{
759 struct inode_smack *isp;
760 struct smack_known *skp;
761 struct smack_mnt_opts *opts = mnt_opts;
762 bool transmute = false;
763
764 if (sp->smk_flags & SMK_SB_INITIALIZED)
765 return 0;
766

--- 82 unchanged lines hidden (view full) ---

849 * smack_sb_statfs - Smack check on statfs
850 * @dentry: identifies the file system in question
851 *
852 * Returns 0 if current can read the floor of the filesystem,
853 * and error code otherwise
854 */
855static int smack_sb_statfs(struct dentry *dentry)
856{
874 struct superblock_smack *sbp = dentry->d_sb->s_security;
857 struct superblock_smack *sbp = smack_superblock(dentry->d_sb);
875 int rc;
876 struct smk_audit_info ad;
877
878 smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_DENTRY);
879 smk_ad_setfield_u_fs_path_dentry(&ad, dentry);
880
881 rc = smk_curacc(sbp->smk_floor, MAY_READ, &ad);
882 rc = smk_bu_current("statfs", sbp->smk_floor, MAY_READ, rc);

--- 17 unchanged lines hidden (view full) ---

900 struct inode_smack *isp;
901 struct superblock_smack *sbsp;
902 int rc;
903
904 isp = smack_inode(inode);
905 if (isp->smk_task == NULL || isp->smk_task == bsp->smk_task)
906 return 0;
907
858 int rc;
859 struct smk_audit_info ad;
860
861 smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_DENTRY);
862 smk_ad_setfield_u_fs_path_dentry(&ad, dentry);
863
864 rc = smk_curacc(sbp->smk_floor, MAY_READ, &ad);
865 rc = smk_bu_current("statfs", sbp->smk_floor, MAY_READ, rc);

--- 17 unchanged lines hidden (view full) ---

883 struct inode_smack *isp;
884 struct superblock_smack *sbsp;
885 int rc;
886
887 isp = smack_inode(inode);
888 if (isp->smk_task == NULL || isp->smk_task == bsp->smk_task)
889 return 0;
890
908 sbsp = inode->i_sb->s_security;
891 sbsp = smack_superblock(inode->i_sb);
909 if ((sbsp->smk_flags & SMK_SB_UNTRUSTED) &&
910 isp->smk_task != sbsp->smk_root)
911 return 0;
912
913 if (bprm->unsafe & LSM_UNSAFE_PTRACE) {
914 struct task_struct *tracer;
915 rc = 0;
916

--- 235 unchanged lines hidden (view full) ---

1152 * @mask: the access requested
1153 *
1154 * This is the important Smack hook.
1155 *
1156 * Returns 0 if access is permitted, an error code otherwise
1157 */
1158static int smack_inode_permission(struct inode *inode, int mask)
1159{
892 if ((sbsp->smk_flags & SMK_SB_UNTRUSTED) &&
893 isp->smk_task != sbsp->smk_root)
894 return 0;
895
896 if (bprm->unsafe & LSM_UNSAFE_PTRACE) {
897 struct task_struct *tracer;
898 rc = 0;
899

--- 235 unchanged lines hidden (view full) ---

1135 * @mask: the access requested
1136 *
1137 * This is the important Smack hook.
1138 *
1139 * Returns 0 if access is permitted, an error code otherwise
1140 */
1141static int smack_inode_permission(struct inode *inode, int mask)
1142{
1160 struct superblock_smack *sbsp = inode->i_sb->s_security;
1143 struct superblock_smack *sbsp = smack_superblock(inode->i_sb);
1161 struct smk_audit_info ad;
1162 int no_block = mask & MAY_NOT_BLOCK;
1163 int rc;
1164
1165 mask &= (MAY_READ|MAY_WRITE|MAY_EXEC|MAY_APPEND);
1166 /*
1167 * No permission to check. Existence test. Yup, it's there.
1168 */

--- 226 unchanged lines hidden (view full) ---

1395 isp = smack_inode(d_backing_inode(dentry));
1396 /*
1397 * Don't do anything special for these.
1398 * XATTR_NAME_SMACKIPIN
1399 * XATTR_NAME_SMACKIPOUT
1400 */
1401 if (strcmp(name, XATTR_NAME_SMACK) == 0) {
1402 struct super_block *sbp = dentry->d_sb;
1144 struct smk_audit_info ad;
1145 int no_block = mask & MAY_NOT_BLOCK;
1146 int rc;
1147
1148 mask &= (MAY_READ|MAY_WRITE|MAY_EXEC|MAY_APPEND);
1149 /*
1150 * No permission to check. Existence test. Yup, it's there.
1151 */

--- 226 unchanged lines hidden (view full) ---

1378 isp = smack_inode(d_backing_inode(dentry));
1379 /*
1380 * Don't do anything special for these.
1381 * XATTR_NAME_SMACKIPIN
1382 * XATTR_NAME_SMACKIPOUT
1383 */
1384 if (strcmp(name, XATTR_NAME_SMACK) == 0) {
1385 struct super_block *sbp = dentry->d_sb;
1403 struct superblock_smack *sbsp = sbp->s_security;
1386 struct superblock_smack *sbsp = smack_superblock(sbp);
1404
1405 isp->smk_inode = sbsp->smk_default;
1406 } else if (strcmp(name, XATTR_NAME_SMACKEXEC) == 0)
1407 isp->smk_task = NULL;
1408 else if (strcmp(name, XATTR_NAME_SMACKMMAP) == 0)
1409 isp->smk_mmap = NULL;
1410 else if (strcmp(name, XATTR_NAME_SMACKTRANSMUTE) == 0)
1411 isp->smk_flags &= ~SMK_INODE_TRANSMUTE;

--- 253 unchanged lines hidden (view full) ---

1665 return 0;
1666
1667 if (unlikely(IS_PRIVATE(file_inode(file))))
1668 return 0;
1669
1670 isp = smack_inode(file_inode(file));
1671 if (isp->smk_mmap == NULL)
1672 return 0;
1387
1388 isp->smk_inode = sbsp->smk_default;
1389 } else if (strcmp(name, XATTR_NAME_SMACKEXEC) == 0)
1390 isp->smk_task = NULL;
1391 else if (strcmp(name, XATTR_NAME_SMACKMMAP) == 0)
1392 isp->smk_mmap = NULL;
1393 else if (strcmp(name, XATTR_NAME_SMACKTRANSMUTE) == 0)
1394 isp->smk_flags &= ~SMK_INODE_TRANSMUTE;

--- 253 unchanged lines hidden (view full) ---

1648 return 0;
1649
1650 if (unlikely(IS_PRIVATE(file_inode(file))))
1651 return 0;
1652
1653 isp = smack_inode(file_inode(file));
1654 if (isp->smk_mmap == NULL)
1655 return 0;
1673 sbsp = file_inode(file)->i_sb->s_security;
1656 sbsp = smack_superblock(file_inode(file)->i_sb);
1674 if (sbsp->smk_flags & SMK_SB_UNTRUSTED &&
1675 isp->smk_mmap != sbsp->smk_root)
1676 return -EACCES;
1677 mkp = isp->smk_mmap;
1678
1679 tsp = smack_cred(current_cred());
1680 skp = smk_of_current();
1681 rc = 0;

--- 1598 unchanged lines hidden (view full) ---

3280 /*
3281 * If the inode is already instantiated
3282 * take the quick way out
3283 */
3284 if (isp->smk_flags & SMK_INODE_INSTANT)
3285 return;
3286
3287 sbp = inode->i_sb;
1657 if (sbsp->smk_flags & SMK_SB_UNTRUSTED &&
1658 isp->smk_mmap != sbsp->smk_root)
1659 return -EACCES;
1660 mkp = isp->smk_mmap;
1661
1662 tsp = smack_cred(current_cred());
1663 skp = smk_of_current();
1664 rc = 0;

--- 1598 unchanged lines hidden (view full) ---

3263 /*
3264 * If the inode is already instantiated
3265 * take the quick way out
3266 */
3267 if (isp->smk_flags & SMK_INODE_INSTANT)
3268 return;
3269
3270 sbp = inode->i_sb;
3288 sbsp = sbp->s_security;
3271 sbsp = smack_superblock(sbp);
3289 /*
3290 * We're going to use the superblock default label
3291 * if there's no label on the file.
3292 */
3293 final = sbsp->smk_default;
3294
3295 /*
3296 * If this is the root inode the superblock

--- 1398 unchanged lines hidden (view full) ---

4695}
4696
4697struct lsm_blob_sizes smack_blob_sizes __lsm_ro_after_init = {
4698 .lbs_cred = sizeof(struct task_smack),
4699 .lbs_file = sizeof(struct smack_known *),
4700 .lbs_inode = sizeof(struct inode_smack),
4701 .lbs_ipc = sizeof(struct smack_known *),
4702 .lbs_msg_msg = sizeof(struct smack_known *),
3272 /*
3273 * We're going to use the superblock default label
3274 * if there's no label on the file.
3275 */
3276 final = sbsp->smk_default;
3277
3278 /*
3279 * If this is the root inode the superblock

--- 1398 unchanged lines hidden (view full) ---

4678}
4679
4680struct lsm_blob_sizes smack_blob_sizes __lsm_ro_after_init = {
4681 .lbs_cred = sizeof(struct task_smack),
4682 .lbs_file = sizeof(struct smack_known *),
4683 .lbs_inode = sizeof(struct inode_smack),
4684 .lbs_ipc = sizeof(struct smack_known *),
4685 .lbs_msg_msg = sizeof(struct smack_known *),
4686 .lbs_superblock = sizeof(struct superblock_smack),
4703};
4704
4705static struct security_hook_list smack_hooks[] __lsm_ro_after_init = {
4706 LSM_HOOK_INIT(ptrace_access_check, smack_ptrace_access_check),
4707 LSM_HOOK_INIT(ptrace_traceme, smack_ptrace_traceme),
4708 LSM_HOOK_INIT(syslog, smack_syslog),
4709
4710 LSM_HOOK_INIT(fs_context_dup, smack_fs_context_dup),
4711 LSM_HOOK_INIT(fs_context_parse_param, smack_fs_context_parse_param),
4712
4713 LSM_HOOK_INIT(sb_alloc_security, smack_sb_alloc_security),
4687};
4688
4689static struct security_hook_list smack_hooks[] __lsm_ro_after_init = {
4690 LSM_HOOK_INIT(ptrace_access_check, smack_ptrace_access_check),
4691 LSM_HOOK_INIT(ptrace_traceme, smack_ptrace_traceme),
4692 LSM_HOOK_INIT(syslog, smack_syslog),
4693
4694 LSM_HOOK_INIT(fs_context_dup, smack_fs_context_dup),
4695 LSM_HOOK_INIT(fs_context_parse_param, smack_fs_context_parse_param),
4696
4697 LSM_HOOK_INIT(sb_alloc_security, smack_sb_alloc_security),
4714 LSM_HOOK_INIT(sb_free_security, smack_sb_free_security),
4715 LSM_HOOK_INIT(sb_free_mnt_opts, smack_free_mnt_opts),
4716 LSM_HOOK_INIT(sb_eat_lsm_opts, smack_sb_eat_lsm_opts),
4717 LSM_HOOK_INIT(sb_statfs, smack_sb_statfs),
4718 LSM_HOOK_INIT(sb_set_mnt_opts, smack_set_mnt_opts),
4719
4720 LSM_HOOK_INIT(bprm_creds_for_exec, smack_bprm_creds_for_exec),
4721
4722 LSM_HOOK_INIT(inode_alloc_security, smack_inode_alloc_security),

--- 209 unchanged lines hidden ---
4698 LSM_HOOK_INIT(sb_free_mnt_opts, smack_free_mnt_opts),
4699 LSM_HOOK_INIT(sb_eat_lsm_opts, smack_sb_eat_lsm_opts),
4700 LSM_HOOK_INIT(sb_statfs, smack_sb_statfs),
4701 LSM_HOOK_INIT(sb_set_mnt_opts, smack_set_mnt_opts),
4702
4703 LSM_HOOK_INIT(bprm_creds_for_exec, smack_bprm_creds_for_exec),
4704
4705 LSM_HOOK_INIT(inode_alloc_security, smack_inode_alloc_security),

--- 209 unchanged lines hidden ---
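Review bot: In the new smack_sb_alloc_security, the retained comment `SMK_SB_INITIALIZED will be zero from kzalloc.` and the kernel-doc line `Returns 0 on success or -ENOMEM on error.` are stale, because the function no longer allocates and can only return 0. The blob now comes from `smack_superblock(sb)`, presumably sized by the new `.lbs_superblock` entry and zeroed by the LSM infrastructure, though that allocator is not shown on this page. The zeroing matters for security: smack_set_mnt_opts returns early when `SMK_SB_INITIALIZED` is set, and the exec and mmap checks branch on `SMK_SB_UNTRUSTED`, so a non-zeroed `smk_flags` would skip label setup or change those decisions. I would reword the comment to `SMK_SB_INITIALIZED is expected to be zero: the LSM infrastructure must hand back a zeroed blob.` and the kernel-doc to `Returns 0`. The same assumption, that the blob exists before any hook dereferences it, applies to the other converted call sites (sb_statfs, bprm_creds_for_exec, inode_permission, mmap_file, d_instantiate), none of which check the pointer.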