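--- a/smack_lsm.c
+++ b/smack_lsm.c
@@ -1,8 +1,8 @@
 /*
  * Simplified MAC Kernel (smack) security module
  *
  * This file contains the smack hook function implementations.
  *
  * Author:
  * Casey Schaufler <casey@schaufler-ca.com>
  *
@@ -86,31 +86,31 @@
 }
 
 /*
  * LSM hooks.
  * We he, that is fun!
  */
 
 /**
- * smack_ptrace_may_access - Smack approval on PTRACE_ATTACH
+ * smack_ptrace_access_check - Smack approval on PTRACE_ATTACH
  * @ctp: child task pointer
  * @mode: ptrace attachment mode
  *
  * Returns 0 if access is OK, an error code otherwise
  *
  * Do the capability checks, and require read and write.
  */
-static int smack_ptrace_may_access(struct task_struct *ctp, unsigned int mode)
+static int smack_ptrace_access_check(struct task_struct *ctp, unsigned int mode)
 {
 	int rc;
 	struct smk_audit_info ad;
 	char *sp, *tsp;
 
-	rc = cap_ptrace_may_access(ctp, mode);
+	rc = cap_ptrace_access_check(ctp, mode);
 	if (rc != 0)
 		return rc;
 
 	sp = current_security();
 	tsp = task_security(ctp);
 	smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_TASK);
 	smk_ad_setfield_u_tsk(&ad, ctp);
 
@@ -1075,16 +1075,32 @@
 	return smk_curacc(file->f_security, may, &ad);
 }
 
 /*
  * Task hooks
  */
 
 /**
+ * smack_cred_alloc_blank - "allocate" blank task-level security credentials
+ * @new: the new credentials
+ * @gfp: the atomicity of any memory allocations
+ *
+ * Prepare a blank set of credentials for modification. This must allocate all
+ * the memory the LSM module might require such that cred_transfer() can
+ * complete without error.
+ */
+static int smack_cred_alloc_blank(struct cred *cred, gfp_t gfp)
+{
+	cred->security = NULL;
+	return 0;
+}
+
+
+/**
  * smack_cred_free - "free" task-level security credentials
  * @cred: the credentials in question
  *
  * Smack isn't using copies of blobs. Everyone
  * points to an immutable list. The blobs never go away.
  * There is no leak here.
  */
 static void smack_cred_free(struct cred *cred)
@@ -1112,16 +1128,28 @@
  * @new: the new credentials
  * @old: the original credentials
  */
 static void smack_cred_commit(struct cred *new, const struct cred *old)
 {
 }
 
 /**
+ * smack_cred_transfer - Transfer the old credentials to the new credentials
+ * @new: the new credentials
+ * @old: the original credentials
+ *
+ * Fill in a set of blank credentials from another set of credentials.
+ */
+static void smack_cred_transfer(struct cred *new, const struct cred *old)
+{
+	new->security = old->security;
+}
+
+/**
  * smack_kernel_act_as - Set the subjective context in a set of credentials
  * @new: points to the set of credentials to be modified.
  * @secid: specifies the security ID to be set
  *
  * Set the security data for a kernel service.
  */
 static int smack_kernel_act_as(struct cred *new, u32 secid)
 {
@@ -2459,17 +2487,17 @@
 static int smack_socket_sendmsg(struct socket *sock, struct msghdr *msg,
 				int size)
 {
 	struct sockaddr_in *sip = (struct sockaddr_in *) msg->msg_name;
 
 	/*
 	 * Perfectly reasonable for this to be NULL
 	 */
-	if (sip == NULL || sip->sin_family != PF_INET)
+	if (sip == NULL || sip->sin_family != AF_INET)
 		return 0;
 
 	return smack_netlabel_send(sock->sk, sip);
 }
 
 
 /**
  * smack_from_secattr - Convert a netlabel attr.mls.lvl/attr.mls.cat pair to smack
@@ -3024,20 +3052,41 @@
  * @seclen: unused
  *
  * Exists to make sure nothing gets done, and properly
  */
 static void smack_release_secctx(char *secdata, u32 seclen)
 {
 }
 
+static int smack_inode_notifysecctx(struct inode *inode, void *ctx, u32 ctxlen)
+{
+	return smack_inode_setsecurity(inode, XATTR_SMACK_SUFFIX, ctx, ctxlen, 0);
+}
+
+static int smack_inode_setsecctx(struct dentry *dentry, void *ctx, u32 ctxlen)
+{
+	return __vfs_setxattr_noperm(dentry, XATTR_NAME_SMACK, ctx, ctxlen, 0);
+}
+
+static int smack_inode_getsecctx(struct inode *inode, void **ctx, u32 *ctxlen)
+{
+	int len = 0;
+	len = smack_inode_getsecurity(inode, XATTR_SMACK_SUFFIX, ctx, true);
+
+	if (len < 0)
+		return len;
+	*ctxlen = len;
+	return 0;
+}
+
 struct security_operations smack_ops = {
 	.name = "smack",
 
-	.ptrace_may_access = smack_ptrace_may_access,
+	.ptrace_access_check = smack_ptrace_access_check,
 	.ptrace_traceme = smack_ptrace_traceme,
 	.syslog = smack_syslog,
 
 	.sb_alloc_security = smack_sb_alloc_security,
 	.sb_free_security = smack_sb_free_security,
 	.sb_copy_data = smack_sb_copy_data,
 	.sb_kern_mount = smack_sb_kern_mount,
 	.sb_statfs = smack_sb_statfs,
@@ -3068,19 +3117,21 @@
 	.file_free_security = smack_file_free_security,
 	.file_ioctl = smack_file_ioctl,
 	.file_lock = smack_file_lock,
 	.file_fcntl = smack_file_fcntl,
 	.file_set_fowner = smack_file_set_fowner,
 	.file_send_sigiotask = smack_file_send_sigiotask,
 	.file_receive = smack_file_receive,
 
+	.cred_alloc_blank = smack_cred_alloc_blank,
 	.cred_free = smack_cred_free,
 	.cred_prepare = smack_cred_prepare,
 	.cred_commit = smack_cred_commit,
+	.cred_transfer = smack_cred_transfer,
 	.kernel_act_as = smack_kernel_act_as,
 	.kernel_create_files_as = smack_kernel_create_files_as,
 	.task_setpgid = smack_task_setpgid,
 	.task_getpgid = smack_task_getpgid,
 	.task_getsid = smack_task_getsid,
 	.task_getsecid = smack_task_getsecid,
 	.task_setnice = smack_task_setnice,
 	.task_setioprio = smack_task_setioprio,
@@ -3150,16 +3201,19 @@
 	.audit_rule_known = smack_audit_rule_known,
 	.audit_rule_match = smack_audit_rule_match,
 	.audit_rule_free = smack_audit_rule_free,
 #endif /* CONFIG_AUDIT */
 
 	.secid_to_secctx = smack_secid_to_secctx,
 	.secctx_to_secid = smack_secctx_to_secid,
 	.release_secctx = smack_release_secctx,
+	.inode_notifysecctx = smack_inode_notifysecctx,
+	.inode_setsecctx = smack_inode_setsecctx,
+	.inode_getsecctx = smack_inode_getsecctx,
 };
 
 
 static __init void init_smack_know_list(void)
 {
 	list_add(&smack_known_huh.list, &smack_known_list);
 	list_add(&smack_known_hat.list, &smack_known_list);
 	list_add(&smack_known_star.list, &smack_known_list);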
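Review bot: The three new hooks smack_inode_notifysecctx, smack_inode_setsecctx and smack_inode_getsecctx (new lines 3060-3079) are the only hook functions in this file section without a kernel-doc block, while every neighbouring hook carries one; a short `/** smack_inode_setsecctx - write the Smack label supplied by a secctx caller */` style header on each would keep the file consistent. The header on smack_inode_setsecctx is also the place to record that `__vfs_setxattr_noperm` stores the label without the permission check the normal setxattr path performs, so, as I read it, the caller of the secctx interface is trusted to have already authorised the relabel; that assumption is worth confirming and stating explicitly. In smack_cred_alloc_blank (new lines 1083-1095) the kernel-doc names `@new` but the parameter is `cred`, so one of them should be renamed, e.g. `* @cred: the new credentials`. In smack_inode_getsecctx the `int len = 0;` is overwritten on the next line; `int len = smack_inode_getsecurity(inode, XATTR_SMACK_SUFFIX, ctx, true);` says the same thing without the dead store.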