Commit 146fa666 authored by Linus Torvalds's avatar Linus Torvalds

Merge tag 'Smack-for-7.0' of https://github.com/cschaufler/smack-next

Pull smack updates from Casey Schaufler:
 "Two improvements to the code for setting the CIPSO Domain Of
  Interpretation (DOI), a seldom used feature, and a formatting change"

* tag 'Smack-for-7.0' of https://github.com/cschaufler/smack-next:
  smack: /smack/doi: accept previously used values
  smack: /smack/doi must be > 0
  security: smack: fix indentation in smack_access.c
parents db9571a6 33d589ed
+50 −29
@@ -70,6 +70,7 @@ enum smk_inos {
static DEFINE_MUTEX(smack_cipso_lock);
static DEFINE_MUTEX(smack_ambient_lock);
static DEFINE_MUTEX(smk_net4addr_lock);
static DEFINE_MUTEX(smk_cipso_doi_lock);
#if IS_ENABLED(CONFIG_IPV6)
static DEFINE_MUTEX(smk_net6addr_lock);
#endif /* CONFIG_IPV6 */
@@ -141,7 +142,7 @@ struct smack_parsed_rule {
	int			smk_access2;
};

static int smk_cipso_doi_value = SMACK_CIPSO_DOI_DEFAULT;
static u32 smk_cipso_doi_value = CIPSO_V4_DOI_UNKNOWN;

/*
 * Values for parsing cipso rules
@@ -663,43 +664,60 @@ static const struct file_operations smk_load_ops = {
};

/**
 * smk_cipso_doi - initialize the CIPSO domain
 * smk_cipso_doi - set netlabel maps
 * @ndoi: new value for our CIPSO DOI
 * @gfp_flags: kmalloc allocation context
 */
static void smk_cipso_doi(void)
static int
smk_cipso_doi(u32 ndoi, gfp_t gfp_flags)
{
	int rc;
	int rc = 0;
	struct cipso_v4_doi *doip;
	struct netlbl_audit nai;

	smk_netlabel_audit_set(&nai);
	mutex_lock(&smk_cipso_doi_lock);

	rc = netlbl_cfg_map_del(NULL, PF_INET, NULL, NULL, &nai);
	if (rc != 0)
		printk(KERN_WARNING "%s:%d remove rc = %d\n",
		       __func__, __LINE__, rc);
	if (smk_cipso_doi_value == ndoi)
		goto clr_doi_lock;

	smk_netlabel_audit_set(&nai);

	doip = kmalloc(sizeof(struct cipso_v4_doi), GFP_KERNEL | __GFP_NOFAIL);
	doip = kmalloc(sizeof(struct cipso_v4_doi), gfp_flags);
	if (!doip) {
		rc = -ENOMEM;
		goto clr_doi_lock;
	}
	doip->map.std = NULL;
	doip->doi = smk_cipso_doi_value;
	doip->doi = ndoi;
	doip->type = CIPSO_V4_MAP_PASS;
	doip->tags[0] = CIPSO_V4_TAG_RBITMAP;
	for (rc = 1; rc < CIPSO_V4_TAG_MAXCNT; rc++)
		doip->tags[rc] = CIPSO_V4_TAG_INVALID;

	rc = netlbl_cfg_cipsov4_add(doip, &nai);
	if (rc != 0) {
		printk(KERN_WARNING "%s:%d cipso add rc = %d\n",
		       __func__, __LINE__, rc);
	if (rc) {
		kfree(doip);
		return;
		goto clr_doi_lock;
	}
	rc = netlbl_cfg_cipsov4_map_add(doip->doi, NULL, NULL, NULL, &nai);
	if (rc != 0) {
		printk(KERN_WARNING "%s:%d map add rc = %d\n",
		       __func__, __LINE__, rc);
		netlbl_cfg_cipsov4_del(doip->doi, &nai);
		return;

	if (smk_cipso_doi_value != CIPSO_V4_DOI_UNKNOWN) {
		rc = netlbl_cfg_map_del(NULL, PF_INET, NULL, NULL, &nai);
		if (rc && rc != -ENOENT)
			goto clr_ndoi_def;

		netlbl_cfg_cipsov4_del(smk_cipso_doi_value, &nai);
	}

	rc = netlbl_cfg_cipsov4_map_add(ndoi, NULL, NULL, NULL, &nai);
	if (rc) {
		smk_cipso_doi_value = CIPSO_V4_DOI_UNKNOWN; // no default map
clr_ndoi_def:	netlbl_cfg_cipsov4_del(ndoi, &nai);
	} else
		smk_cipso_doi_value = ndoi;

clr_doi_lock:
	mutex_unlock(&smk_cipso_doi_lock);
	return rc;
}

/**
@@ -1562,7 +1580,7 @@ static ssize_t smk_read_doi(struct file *filp, char __user *buf,
	if (*ppos != 0)
		return 0;

	sprintf(temp, "%d", smk_cipso_doi_value);
	sprintf(temp, "%lu", (unsigned long)smk_cipso_doi_value);
	rc = simple_read_from_buffer(buf, count, ppos, temp, strlen(temp));

	return rc;
@@ -1581,7 +1599,7 @@ static ssize_t smk_write_doi(struct file *file, const char __user *buf,
			     size_t count, loff_t *ppos)
{
	char temp[80];
	int i;
	unsigned long u;

	if (!smack_privileged(CAP_MAC_ADMIN))
		return -EPERM;
@@ -1594,14 +1612,13 @@ static ssize_t smk_write_doi(struct file *file, const char __user *buf,

	temp[count] = '\0';

	if (sscanf(temp, "%d", &i) != 1)
	if (kstrtoul(temp, 10, &u))
		return -EINVAL;

	smk_cipso_doi_value = i;

	smk_cipso_doi();
	if (u == CIPSO_V4_DOI_UNKNOWN || u > U32_MAX)
		return -EINVAL;

	return count;
	return smk_cipso_doi(u, GFP_KERNEL) ? : count;
}

static const struct file_operations smk_doi_ops = {
@@ -2982,6 +2999,7 @@ int __init init_smk_fs(void)
{
	int err;
	int rc;
	struct netlbl_audit nai;

	if (smack_enabled == 0)
		return 0;
@@ -3000,7 +3018,10 @@ int __init init_smk_fs(void)
		}
	}

	smk_cipso_doi();
	smk_netlabel_audit_set(&nai);
	(void) netlbl_cfg_map_del(NULL, PF_INET, NULL, NULL, &nai);
	(void) smk_cipso_doi(SMACK_CIPSO_DOI_DEFAULT,
			     GFP_KERNEL | __GFP_NOFAIL);
	smk_unlbl_ambient(NULL);

	rc = smack_populate_secattr(&smack_known_floor);
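Review bot: The `(void) smk_cipso_doi(SMACK_CIPSO_DOI_DEFAULT, GFP_KERNEL | __GFP_NOFAIL);` call in the init_smk_fs hunk discards the return value, and since the rewritten smk_cipso_doi no longer prints the KERN_WARNING messages the old body had, a failure to install the default DOI at boot is now completely silent. The write path does surface the error through `smk_cipso_doi(u, GFP_KERNEL) ? : count`, but nothing reports it on the init path. `rc` is already declared in init_smk_fs, so the call could become `rc = smk_cipso_doi(SMACK_CIPSO_DOI_DEFAULT, GFP_KERNEL | __GFP_NOFAIL);` followed by `if (rc) pr_warn("%s: default CIPSO DOI setup failed, rc = %d\n", __func__, rc);`. Separately, in the smk_cipso_doi hunk the `clr_ndoi_def:` label sits inside the `if (rc)` body and is entered by a goto from the map_del check above it; placing it on its own line at column 0 after the if/else, with the success path jumping past it to `clr_doi_lock`, would match the other cleanup labels in this file. init_smk_fs continues outside the hunk shown.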
+1 −1

