Merge branch 'next' of git://git.infradead.org/users/pcmoore/selinux into next

[sfrench/cifs-2.6.git] / security / smack / smack_lsm.c

diff --git a/security/smack/smack_lsm.c b/security/smack/smack_lsm.c
index 3d1c9086d0d6dc3632fa2e4f33640417091f1761..e6ab307ce86e2fc1d1d04d35d2869fe1385ea724 100644 (file)
--- a/security/smack/smack_lsm.c
+++ b/security/smack/smack_lsm.c
@@ -1095,7 +1095,7 @@ static int smack_inode_getsecurity(const struct inode *inode,
        ssp = sock->sk->sk_security;
 
        if (strcmp(name, XATTR_SMACK_IPIN) == 0)
-               isp = ssp->smk_in;
+               isp = ssp->smk_in->smk_known;
        else if (strcmp(name, XATTR_SMACK_IPOUT) == 0)
                isp = ssp->smk_out->smk_known;
        else
@@ -1462,19 +1462,32 @@ static int smack_file_receive(struct file *file)
 /**
  * smack_file_open - Smack dentry open processing
  * @file: the object
- * @cred: unused
+ * @cred: task credential
  *
  * Set the security blob in the file structure.
+ * Allow the open only if the task has read access. There are
+ * many read operations (e.g. fstat) that you can do with an
+ * fd even if you have the file open write-only.
  *
  * Returns 0
  */
 static int smack_file_open(struct file *file, const struct cred *cred)
 {
+       struct task_smack *tsp = cred->security;
        struct inode_smack *isp = file_inode(file)->i_security;
+       struct smk_audit_info ad;
+       int rc;
+
+       if (smack_privileged(CAP_MAC_OVERRIDE))
+               return 0;
 
-       file->f_security = isp->smk_inode;
+       smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_PATH);
+       smk_ad_setfield_u_fs_path(&ad, file->f_path);
+       rc = smk_access(tsp->smk_task, isp->smk_inode, MAY_READ, &ad);
+       if (rc == 0)
+               file->f_security = isp->smk_inode;
 
-       return 0;
+       return rc;
 }
 
 /*
@@ -1859,7 +1872,7 @@ static int smack_sk_alloc_security(struct sock *sk, int family, gfp_t gfp_flags)
        if (ssp == NULL)
                return -ENOMEM;
 
-       ssp->smk_in = skp->smk_known;
+       ssp->smk_in = skp;
        ssp->smk_out = skp;
        ssp->smk_packet = NULL;
 
@@ -2099,7 +2112,7 @@ static int smk_ipv6_port_check(struct sock *sk, struct sockaddr_in6 *address,
 
        if (act == SMK_RECEIVING) {
                skp = smack_net_ambient;
-               object = ssp->smk_in;
+               object = ssp->smk_in->smk_known;
        } else {
                skp = ssp->smk_out;
                object = smack_net_ambient->smk_known;
@@ -2129,9 +2142,9 @@ static int smk_ipv6_port_check(struct sock *sk, struct sockaddr_in6 *address,
        list_for_each_entry(spp, &smk_ipv6_port_list, list) {
                if (spp->smk_port != port)
                        continue;
-               object = spp->smk_in;
+               object = spp->smk_in->smk_known;
                if (act == SMK_CONNECTING)
-                       ssp->smk_packet = spp->smk_out->smk_known;
+                       ssp->smk_packet = spp->smk_out;
                break;
        }
 
@@ -2195,7 +2208,7 @@ static int smack_inode_setsecurity(struct inode *inode, const char *name,
        ssp = sock->sk->sk_security;
 
        if (strcmp(name, XATTR_SMACK_IPIN) == 0)
-               ssp->smk_in = skp->smk_known;
+               ssp->smk_in = skp;
        else if (strcmp(name, XATTR_SMACK_IPOUT) == 0) {
                ssp->smk_out = skp;
                if (sock->sk->sk_family == PF_INET) {
@@ -2808,6 +2821,15 @@ static void smack_d_instantiate(struct dentry *opt_dentry, struct inode *inode)
         * of the superblock.
         */
        if (opt_dentry->d_parent == opt_dentry) {
+               if (sbp->s_magic == CGROUP_SUPER_MAGIC) {
+                       /*
+                        * The cgroup filesystem is never mounted,
+                        * so there's no opportunity to set the mount
+                        * options.
+                        */
+                       sbsp->smk_root = smack_known_star.smk_known;
+                       sbsp->smk_default = smack_known_star.smk_known;
+               }
                isp->smk_inode = sbsp->smk_root;
                isp->smk_flags |= SMK_INODE_INSTANT;
                goto unlockandout;
@@ -2821,16 +2843,20 @@ static void smack_d_instantiate(struct dentry *opt_dentry, struct inode *inode)
         */
        switch (sbp->s_magic) {
        case SMACK_MAGIC:
+       case PIPEFS_MAGIC:
+       case SOCKFS_MAGIC:
+       case CGROUP_SUPER_MAGIC:
                /*
                 * Casey says that it's a little embarrassing
                 * that the smack file system doesn't do
                 * extended attributes.
-                */
-               final = smack_known_star.smk_known;
-               break;
-       case PIPEFS_MAGIC:
-               /*
+                *
                 * Casey says pipes are easy (?)
+                *
+                * Socket access is controlled by the socket
+                * structures associated with the task involved.
+                *
+                * Cgroupfs is special
                 */
                final = smack_known_star.smk_known;
                break;
@@ -2842,13 +2868,6 @@ static void smack_d_instantiate(struct dentry *opt_dentry, struct inode *inode)
                 */
                final = ckp->smk_known;
                break;
-       case SOCKFS_MAGIC:
-               /*
-                * Socket access is controlled by the socket
-                * structures associated with the task involved.
-                */
-               final = smack_known_star.smk_known;
-               break;
        case PROC_SUPER_MAGIC:
                /*
                 * Casey says procfs appears not to care.
@@ -3054,30 +3073,34 @@ static int smack_unix_stream_connect(struct sock *sock,
                                     struct sock *other, struct sock *newsk)
 {
        struct smack_known *skp;
+       struct smack_known *okp;
        struct socket_smack *ssp = sock->sk_security;
        struct socket_smack *osp = other->sk_security;
        struct socket_smack *nsp = newsk->sk_security;
        struct smk_audit_info ad;
        int rc = 0;
-
 #ifdef CONFIG_AUDIT
        struct lsm_network_audit net;
-
-       smk_ad_init_net(&ad, __func__, LSM_AUDIT_DATA_NET, &net);
-       smk_ad_setfield_u_net_sk(&ad, other);
 #endif
 
        if (!smack_privileged(CAP_MAC_OVERRIDE)) {
                skp = ssp->smk_out;
-               rc = smk_access(skp, osp->smk_in, MAY_WRITE, &ad);
+               okp = osp->smk_out;
+#ifdef CONFIG_AUDIT
+               smk_ad_init_net(&ad, __func__, LSM_AUDIT_DATA_NET, &net);
+               smk_ad_setfield_u_net_sk(&ad, other);
+#endif
+               rc = smk_access(skp, okp->smk_known, MAY_WRITE, &ad);
+               if (rc == 0)
+                       rc = smk_access(okp, okp->smk_known, MAY_WRITE, NULL);
        }
 
        /*
         * Cross reference the peer labels for SO_PEERSEC.
         */
        if (rc == 0) {
-               nsp->smk_packet = ssp->smk_out->smk_known;
-               ssp->smk_packet = osp->smk_out->smk_known;
+               nsp->smk_packet = ssp->smk_out;
+               ssp->smk_packet = osp->smk_out;
        }
 
        return rc;
@@ -3109,7 +3132,7 @@ static int smack_unix_may_send(struct socket *sock, struct socket *other)
                return 0;
 
        skp = ssp->smk_out;
-       return smk_access(skp, osp->smk_in, MAY_WRITE, &ad);
+       return smk_access(skp, osp->smk_in->smk_known, MAY_WRITE, &ad);
 }
 
 /**
@@ -3186,9 +3209,9 @@ static struct smack_known *smack_from_secattr(struct netlbl_lsm_secattr *sap,
                                break;
                        }
                        for (acat = -1, kcat = -1; acat == kcat; ) {
-                               acat = netlbl_secattr_catmap_walk(
-                                       sap->attr.mls.cat, acat + 1);
-                               kcat = netlbl_secattr_catmap_walk(
+                               acat = netlbl_catmap_walk(sap->attr.mls.cat,
+                                                         acat + 1);
+                               kcat = netlbl_catmap_walk(
                                        skp->smk_netlabel.attr.mls.cat,
                                        kcat + 1);
                                if (acat < 0 || kcat < 0)
@@ -3204,7 +3227,7 @@ static struct smack_known *smack_from_secattr(struct netlbl_lsm_secattr *sap,
                if (found)
                        return skp;
 
-               if (ssp != NULL && ssp->smk_in == smack_known_star.smk_known)
+               if (ssp != NULL && ssp->smk_in == &smack_known_star)
                        return &smack_known_web;
                return &smack_known_star;
        }
@@ -3323,7 +3346,7 @@ static int smack_socket_sock_rcv_skb(struct sock *sk, struct sk_buff *skb)
                 * This is the simplist possible security model
                 * for networking.
                 */
-               rc = smk_access(skp, ssp->smk_in, MAY_WRITE, &ad);
+               rc = smk_access(skp, ssp->smk_in->smk_known, MAY_WRITE, &ad);
                if (rc != 0)
                        netlbl_skbuff_err(skb, rc, 0);
                break;
@@ -3358,7 +3381,7 @@ static int smack_socket_getpeersec_stream(struct socket *sock,
 
        ssp = sock->sk->sk_security;
        if (ssp->smk_packet != NULL) {
-               rcp = ssp->smk_packet;
+               rcp = ssp->smk_packet->smk_known;
                slen = strlen(rcp) + 1;
        }
 
@@ -3443,7 +3466,7 @@ static void smack_sock_graft(struct sock *sk, struct socket *parent)
                return;
 
        ssp = sk->sk_security;
-       ssp->smk_in = skp->smk_known;
+       ssp->smk_in = skp;
        ssp->smk_out = skp;
        /* cssp->smk_packet is already set in smack_inet_csk_clone() */
 }
@@ -3503,7 +3526,7 @@ static int smack_inet_conn_request(struct sock *sk, struct sk_buff *skb,
         * Receiving a packet requires that the other end be able to write
         * here. Read access is not required.
         */
-       rc = smk_access(skp, ssp->smk_in, MAY_WRITE, &ad);
+       rc = smk_access(skp, ssp->smk_in->smk_known, MAY_WRITE, &ad);
        if (rc != 0)
                return rc;
 
@@ -3547,7 +3570,7 @@ static void smack_inet_csk_clone(struct sock *sk,
 
        if (req->peer_secid != 0) {
                skp = smack_from_secid(req->peer_secid);
-               ssp->smk_packet = skp->smk_known;
+               ssp->smk_packet = skp;
        } else
                ssp->smk_packet = NULL;
 }
@@ -3601,11 +3624,12 @@ static void smack_key_free(struct key *key)
  * an error code otherwise
  */
 static int smack_key_permission(key_ref_t key_ref,
-                               const struct cred *cred, key_perm_t perm)
+                               const struct cred *cred, unsigned perm)
 {
        struct key *keyp;
        struct smk_audit_info ad;
        struct smack_known *tkp = smk_of_task(cred->security);
+       int request = 0;
 
        keyp = key_ref_to_ptr(key_ref);
        if (keyp == NULL)
@@ -3626,7 +3650,11 @@ static int smack_key_permission(key_ref_t key_ref,
        ad.a.u.key_struct.key = keyp->serial;
        ad.a.u.key_struct.key_desc = keyp->description;
 #endif
-       return smk_access(tkp, keyp->security, MAY_READWRITE, &ad);
+       if (perm & KEY_NEED_READ)
+               request = MAY_READ;
+       if (perm & (KEY_NEED_WRITE | KEY_NEED_LINK | KEY_NEED_SETATTR))
+               request = MAY_WRITE;
+       return smk_access(tkp, keyp->security, request, &ad);
 }
 #endif /* CONFIG_KEYS */
 
@@ -3711,9 +3739,8 @@ static int smack_audit_rule_match(u32 secid, u32 field, u32 op, void *vrule,
        struct smack_known *skp;
        char *rule = vrule;
 
-       if (!rule) {
-               audit_log(actx, GFP_ATOMIC, AUDIT_SELINUX_ERR,
-                         "Smack: missing rule\n");
+       if (unlikely(!rule)) {
+               WARN_ONCE(1, "Smack: missing rule\n");
                return -ENOENT;
        }