mirrors/linux
1
0
Fork 0
mirror of https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git synced 2026-02-12 09:56:47 -05:00
Code Issues Packages Projects Releases Wiki Activity

Merge tag 'Smack-for-7.0' of https://github.com/cschaufler/smack-next

Browse Source 
Pull smack updates from Casey Schaufler:
 "Two improvements to the code for setting the CIPSO Domain Of
  Interpretation (DOI), a seldom used feature, and a formatting change"

* tag 'Smack-for-7.0' of https://github.com/cschaufler/smack-next:
  smack: /smack/doi: accept previously used values
  smack: /smack/doi must be > 0
  security: smack: fix indentation in smack_access.c
This commit is contained in:
Linus Torvalds
2026-02-11 15:47:37 -08:00
parent db9571a661 33d589ed60
commit 146fa666d8
2 changed files with 51 additions and 30 deletions
Download Patch File Download Diff File Expand all files Collapse all files

2
security/smack/smack_access.c
View File

@@ -392,7 +392,7 @@ void smack_log(char *subject_label, char *object_label, int request,
}
#else /* #ifdef CONFIG_AUDIT */
void smack_log(char *subject_label, char *object_label, int request,
int result, struct smk_audit_info *ad)
int result, struct smk_audit_info *ad)
{
}
#endif

79
security/smack/smackfs.c
View File

@@ -70,6 +70,7 @@ enum smk_inos {
static DEFINE_MUTEX(smack_cipso_lock);
static DEFINE_MUTEX(smack_ambient_lock);
static DEFINE_MUTEX(smk_net4addr_lock);
static DEFINE_MUTEX(smk_cipso_doi_lock);
#if IS_ENABLED(CONFIG_IPV6)
static DEFINE_MUTEX(smk_net6addr_lock);
#endif /* CONFIG_IPV6 */
@@ -141,7 +142,7 @@ struct smack_parsed_rule {
int smk_access2;
};
static int smk_cipso_doi_value = SMACK_CIPSO_DOI_DEFAULT;
static u32 smk_cipso_doi_value = CIPSO_V4_DOI_UNKNOWN;
/*
* Values for parsing cipso rules
@@ -663,43 +664,60 @@ static const struct file_operations smk_load_ops = {
};
/**
* smk_cipso_doi - initialize the CIPSO domain
* smk_cipso_doi - set netlabel maps
* @ndoi: new value for our CIPSO DOI
* @gfp_flags: kmalloc allocation context
*/
static void smk_cipso_doi(void)
static int
smk_cipso_doi(u32 ndoi, gfp_t gfp_flags)
{
int rc;
int rc = 0;
struct cipso_v4_doi *doip;
struct netlbl_audit nai;
mutex_lock(&smk_cipso_doi_lock);
if (smk_cipso_doi_value == ndoi)
goto clr_doi_lock;
smk_netlabel_audit_set(&nai);
rc = netlbl_cfg_map_del(NULL, PF_INET, NULL, NULL, &nai);
if (rc != 0)
printk(KERN_WARNING "%s:%d remove rc = %d\n",
__func__, __LINE__, rc);
doip = kmalloc(sizeof(struct cipso_v4_doi), GFP_KERNEL | __GFP_NOFAIL);
doip = kmalloc(sizeof(struct cipso_v4_doi), gfp_flags);
if (!doip) {
rc = -ENOMEM;
goto clr_doi_lock;
}
doip->map.std = NULL;
doip->doi = smk_cipso_doi_value;
doip->doi = ndoi;
doip->type = CIPSO_V4_MAP_PASS;
doip->tags[0] = CIPSO_V4_TAG_RBITMAP;
for (rc = 1; rc < CIPSO_V4_TAG_MAXCNT; rc++)
doip->tags[rc] = CIPSO_V4_TAG_INVALID;
rc = netlbl_cfg_cipsov4_add(doip, &nai);
if (rc != 0) {
printk(KERN_WARNING "%s:%d cipso add rc = %d\n",
__func__, __LINE__, rc);
if (rc) {
kfree(doip);
return;
goto clr_doi_lock;
}
rc = netlbl_cfg_cipsov4_map_add(doip->doi, NULL, NULL, NULL, &nai);
if (rc != 0) {
printk(KERN_WARNING "%s:%d map add rc = %d\n",
__func__, __LINE__, rc);
netlbl_cfg_cipsov4_del(doip->doi, &nai);
return;
if (smk_cipso_doi_value != CIPSO_V4_DOI_UNKNOWN) {
rc = netlbl_cfg_map_del(NULL, PF_INET, NULL, NULL, &nai);
if (rc && rc != -ENOENT)
goto clr_ndoi_def;
netlbl_cfg_cipsov4_del(smk_cipso_doi_value, &nai);
}
rc = netlbl_cfg_cipsov4_map_add(ndoi, NULL, NULL, NULL, &nai);
if (rc) {
smk_cipso_doi_value = CIPSO_V4_DOI_UNKNOWN; // no default map
clr_ndoi_def: netlbl_cfg_cipsov4_del(ndoi, &nai);
} else
smk_cipso_doi_value = ndoi;
clr_doi_lock:
mutex_unlock(&smk_cipso_doi_lock);
return rc;
}
/**
@@ -1562,7 +1580,7 @@ static ssize_t smk_read_doi(struct file *filp, char __user *buf,
if (*ppos != 0)
return 0;
sprintf(temp, "%d", smk_cipso_doi_value);
sprintf(temp, "%lu", (unsigned long)smk_cipso_doi_value);
rc = simple_read_from_buffer(buf, count, ppos, temp, strlen(temp));
return rc;
@@ -1581,7 +1599,7 @@ static ssize_t smk_write_doi(struct file *file, const char __user *buf,
size_t count, loff_t *ppos)
{
char temp[80];
int i;
unsigned long u;
if (!smack_privileged(CAP_MAC_ADMIN))
return -EPERM;
@@ -1594,14 +1612,13 @@ static ssize_t smk_write_doi(struct file *file, const char __user *buf,
temp[count] = '\0';
if (sscanf(temp, "%d", &i) != 1)
if (kstrtoul(temp, 10, &u))
return -EINVAL;
smk_cipso_doi_value = i;
if (u == CIPSO_V4_DOI_UNKNOWN || u > U32_MAX)
return -EINVAL;
smk_cipso_doi();
return count;
return smk_cipso_doi(u, GFP_KERNEL) ? : count;
}
static const struct file_operations smk_doi_ops = {
@@ -2982,6 +2999,7 @@ int __init init_smk_fs(void)
{
int err;
int rc;
struct netlbl_audit nai;
if (smack_enabled == 0)
return 0;
@@ -3000,7 +3018,10 @@ int __init init_smk_fs(void)
}
}
smk_cipso_doi();
smk_netlabel_audit_set(&nai);
(void) netlbl_cfg_map_del(NULL, PF_INET, NULL, NULL, &nai);
(void) smk_cipso_doi(SMACK_CIPSO_DOI_DEFAULT,
GFP_KERNEL | __GFP_NOFAIL);
smk_unlbl_ambient(NULL);
rc = smack_populate_secattr(&smack_known_floor);