summaryrefslogtreecommitdiffstats
path: root/security
diff options
context:
space:
mode:
authorJames Morris <jmorris@namei.org>2011-10-22 22:23:58 +0200
committerJames Morris <jmorris@namei.org>2011-10-22 22:23:58 +0200
commitc45ed235abf1b0b6666417e3c394f18717976acd (patch)
treee41dd99f2c217a8ce160b24d81a4aec1cccbfe02 /security
parentTOMOYO: Fix incomplete read after seek. (diff)
parentSmack: allow to access /smack/access as normal user (diff)
downloadlinux-c45ed235abf1b0b6666417e3c394f18717976acd.tar.xz
linux-c45ed235abf1b0b6666417e3c394f18717976acd.zip
Merge branch 'master' of git://gitorious.org/smack-next/kernel into next
Diffstat (limited to 'security')
-rw-r--r--security/smack/smack.h1
-rw-r--r--security/smack/smack_access.c27
-rw-r--r--security/smack/smackfs.c47
3 files changed, 51 insertions, 24 deletions
diff --git a/security/smack/smack.h b/security/smack/smack.h
index 9da2b2dfdefb..2ad00657b801 100644
--- a/security/smack/smack.h
+++ b/security/smack/smack.h
@@ -208,6 +208,7 @@ int smk_curacc(char *, u32, struct smk_audit_info *);
int smack_to_cipso(const char *, struct smack_cipso *);
char *smack_from_cipso(u32, char *);
char *smack_from_secid(const u32);
+void smk_parse_smack(const char *string, int len, char *smack);
char *smk_import(const char *, int);
struct smack_known *smk_import_entry(const char *, int);
struct smack_known *smk_find_entry(const char *);
diff --git a/security/smack/smack_access.c b/security/smack/smack_access.c
index a885f628f56e..cc7cb6edba08 100644
--- a/security/smack/smack_access.c
+++ b/security/smack/smack_access.c
@@ -353,17 +353,13 @@ struct smack_known *smk_find_entry(const char *string)
}
/**
- * smk_import_entry - import a label, return the list entry
- * @string: a text string that might be a Smack label
+ * smk_parse_smack - parse smack label from a text string
+ * @string: a text string that might contain a Smack label
* @len: the maximum size, or zero if it is NULL terminated.
- *
- * Returns a pointer to the entry in the label list that
- * matches the passed string, adding it if necessary.
+ * @smack: parsed smack label, or NULL if parse error
*/
-struct smack_known *smk_import_entry(const char *string, int len)
+void smk_parse_smack(const char *string, int len, char *smack)
{
- struct smack_known *skp;
- char smack[SMK_LABELLEN];
int found;
int i;
@@ -381,7 +377,22 @@ struct smack_known *smk_import_entry(const char *string, int len)
} else
smack[i] = string[i];
}
+}
+
+/**
+ * smk_import_entry - import a label, return the list entry
+ * @string: a text string that might be a Smack label
+ * @len: the maximum size, or zero if it is NULL terminated.
+ *
+ * Returns a pointer to the entry in the label list that
+ * matches the passed string, adding it if necessary.
+ */
+struct smack_known *smk_import_entry(const char *string, int len)
+{
+ struct smack_known *skp;
+ char smack[SMK_LABELLEN];
+ smk_parse_smack(string, len, smack);
if (smack[0] == '\0')
return NULL;
diff --git a/security/smack/smackfs.c b/security/smack/smackfs.c
index 5498c4a2d1ae..6aceef518a41 100644
--- a/security/smack/smackfs.c
+++ b/security/smack/smackfs.c
@@ -191,19 +191,37 @@ static int smk_set_access(struct smack_rule *srp, struct list_head *rule_list,
}
/**
- * smk_parse_rule - parse subject, object and access type
+ * smk_parse_rule - parse Smack rule from load string
* @data: string to be parsed whose size is SMK_LOADLEN
- * @rule: parsed entities are stored in here
+ * @rule: Smack rule
+ * @import: if non-zero, import labels
*/
-static int smk_parse_rule(const char *data, struct smack_rule *rule)
+static int smk_parse_rule(const char *data, struct smack_rule *rule, int import)
{
- rule->smk_subject = smk_import(data, 0);
- if (rule->smk_subject == NULL)
- return -1;
+ char smack[SMK_LABELLEN];
+ struct smack_known *skp;
- rule->smk_object = smk_import(data + SMK_LABELLEN, 0);
- if (rule->smk_object == NULL)
- return -1;
+ if (import) {
+ rule->smk_subject = smk_import(data, 0);
+ if (rule->smk_subject == NULL)
+ return -1;
+
+ rule->smk_object = smk_import(data + SMK_LABELLEN, 0);
+ if (rule->smk_object == NULL)
+ return -1;
+ } else {
+ smk_parse_smack(data, 0, smack);
+ skp = smk_find_entry(smack);
+ if (skp == NULL)
+ return -1;
+ rule->smk_subject = skp->smk_known;
+
+ smk_parse_smack(data + SMK_LABELLEN, 0, smack);
+ skp = smk_find_entry(smack);
+ if (skp == NULL)
+ return -1;
+ rule->smk_object = skp->smk_known;
+ }
rule->smk_access = 0;
@@ -327,7 +345,7 @@ static ssize_t smk_write_load_list(struct file *file, const char __user *buf,
goto out;
}
- if (smk_parse_rule(data, rule))
+ if (smk_parse_rule(data, rule, 1))
goto out_free_rule;
if (rule_list == NULL) {
@@ -1499,14 +1517,11 @@ static ssize_t smk_write_access(struct file *file, const char __user *buf,
char *data;
int res;
- if (!capable(CAP_MAC_ADMIN))
- return -EPERM;
-
data = simple_transaction_get(file, buf, count);
if (IS_ERR(data))
return PTR_ERR(data);
- if (count < SMK_LOADLEN || smk_parse_rule(data, &rule))
+ if (count < SMK_LOADLEN || smk_parse_rule(data, &rule, 0))
return -EINVAL;
res = smk_access(rule.smk_subject, rule.smk_object, rule.smk_access,
@@ -1514,7 +1529,7 @@ static ssize_t smk_write_access(struct file *file, const char __user *buf,
data[0] = res == 0 ? '1' : '0';
data[1] = '\0';
- simple_transaction_set(file, 1);
+ simple_transaction_set(file, 2);
return SMK_LOADLEN;
}
@@ -1560,7 +1575,7 @@ static int smk_fill_super(struct super_block *sb, void *data, int silent)
[SMK_LOAD_SELF] = {
"load-self", &smk_load_self_ops, S_IRUGO|S_IWUGO},
[SMK_ACCESSES] = {
- "access", &smk_access_ops, S_IRUGO|S_IWUSR},
+ "access", &smk_access_ops, S_IRUGO|S_IWUGO},
/* last one */
{""}
};