Commit 676dac4b authored by Casey Schaufler's avatar Casey Schaufler

This patch adds a new security attribute to Smack called

SMACK64EXEC. It defines the label that a task is given to run with
after executing the file that carries it.

Exception: in smack_task_wait() child task is checked
for write access to parent task using label inherited
from the task that forked it.

Fixed issues from previous submit:
- SMACK64EXEC was not read when SMACK64 was not set.
- inode security blob was not updated after setting
  SMACK64EXEC
- inode security blob was not updated when removing
  SMACK64EXEC
parent 93ae86e7
...@@ -40,9 +40,11 @@ ...@@ -40,9 +40,11 @@
#define XATTR_SMACK_SUFFIX "SMACK64" #define XATTR_SMACK_SUFFIX "SMACK64"
#define XATTR_SMACK_IPIN "SMACK64IPIN" #define XATTR_SMACK_IPIN "SMACK64IPIN"
#define XATTR_SMACK_IPOUT "SMACK64IPOUT" #define XATTR_SMACK_IPOUT "SMACK64IPOUT"
#define XATTR_SMACK_EXEC "SMACK64EXEC"
#define XATTR_NAME_SMACK XATTR_SECURITY_PREFIX XATTR_SMACK_SUFFIX #define XATTR_NAME_SMACK XATTR_SECURITY_PREFIX XATTR_SMACK_SUFFIX
#define XATTR_NAME_SMACKIPIN XATTR_SECURITY_PREFIX XATTR_SMACK_IPIN #define XATTR_NAME_SMACKIPIN XATTR_SECURITY_PREFIX XATTR_SMACK_IPIN
#define XATTR_NAME_SMACKIPOUT XATTR_SECURITY_PREFIX XATTR_SMACK_IPOUT #define XATTR_NAME_SMACKIPOUT XATTR_SECURITY_PREFIX XATTR_SMACK_IPOUT
#define XATTR_NAME_SMACKEXEC XATTR_SECURITY_PREFIX XATTR_SMACK_EXEC
#define XATTR_CAPS_SUFFIX "capability" #define XATTR_CAPS_SUFFIX "capability"
#define XATTR_NAME_CAPS XATTR_SECURITY_PREFIX XATTR_CAPS_SUFFIX #define XATTR_NAME_CAPS XATTR_SECURITY_PREFIX XATTR_CAPS_SUFFIX
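Review bot: XATTR_NAME_SMACKEXEC introduces a second security.* attribute that changes which label a process runs with, so it needs the same privilege gating as XATTR_NAME_SMACK in the setxattr/removexattr hooks; whether smack_inode_setxattr() and smack_inode_removexattr() were extended to require CAP_MAC_ADMIN for this name is in the collapsed part of the diff and cannot be confirmed from these lines. If they were not, a file owner could set SMACK64EXEC on a binary they own and pick the label it confers on exec. A one-line comment next to the new macro would also help, e.g. `#define XATTR_SMACK_EXEC "SMACK64EXEC" /* label a task runs with after exec; CAP_MAC_ADMIN to set */`.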
...@@ -51,10 +51,16 @@ struct socket_smack { ...@@ -51,10 +51,16 @@ struct socket_smack {
*/ */
struct inode_smack { struct inode_smack {
char *smk_inode; /* label of the fso */ char *smk_inode; /* label of the fso */
char *smk_task; /* label of the task */
struct mutex smk_lock; /* initialization lock */ struct mutex smk_lock; /* initialization lock */
int smk_flags; /* smack inode flags */ int smk_flags; /* smack inode flags */
}; };
struct task_smack {
char *smk_task; /* label used for access control */
char *smk_forked; /* label when forked */
};
#define SMK_INODE_INSTANT 0x01 /* inode is instantiated */ #define SMK_INODE_INSTANT 0x01 /* inode is instantiated */
/* /*
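Review bot: The comments on the new fields do not say what the labels are for, and `/* label of the task */` on inode_smack::smk_task reads as if it were the label of the task that created the inode rather than the SMACK64EXEC value; going by the commit message, `/* SMACK64EXEC: label a task takes on exec of this inode */` would be accurate. Likewise task_smack::smk_forked would be clearer as `/* label inherited at fork; used by smack_task_wait() */`, since that is the only consumer the commit message names. Nothing here says whether these pointers reference the interned label list or owned strings; a short ownership note on struct task_smack would save the next reader from checking the (collapsed) alloc/free hooks.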
...@@ -242,6 +248,30 @@ static inline char *smk_of_inode(const struct inode *isp) ...@@ -242,6 +248,30 @@ static inline char *smk_of_inode(const struct inode *isp)
return sip->smk_inode; return sip->smk_inode;
} }
/*
* Present a pointer to the smack label in an task blob.
*/
static inline char *smk_of_task(const struct task_smack *tsp)
{
return tsp->smk_task;
}
/*
* Present a pointer to the forked smack label in an task blob.
*/
static inline char *smk_of_forked(const struct task_smack *tsp)
{
return tsp->smk_forked;
}
/*
* Present a pointer to the smack label in the curren task blob.
*/
static inline char *smk_of_current(void)
{
return smk_of_task(current_security());
}
/* /*
* logging functions * logging functions
*/ */
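Review bot: smk_of_task() dereferences its argument unconditionally, so smk_of_current() is only safe if every cred reachable through current_security() carries a non-NULL task_smack blob; the code that would establish that (blank-cred allocation, the initial cred in smack_init) is in the collapsed part of this diff and cannot be confirmed from here, so a one-line precondition comment on smk_of_current() would be worth adding. The new comments also have typos: `* Present a pointer to the smack label in an task blob.` and `* Present a pointer to the forked smack label in an task blob.` should read `a task blob`, and `* Present a pointer to the smack label in the curren task blob.` should read `current`.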
...@@ -185,7 +185,7 @@ int smk_access(char *subject_label, char *object_label, int request, ...@@ -185,7 +185,7 @@ int smk_access(char *subject_label, char *object_label, int request,
int smk_curacc(char *obj_label, u32 mode, struct smk_audit_info *a) int smk_curacc(char *obj_label, u32 mode, struct smk_audit_info *a)
{ {
int rc; int rc;
char *sp = current_security(); char *sp = smk_of_current();
rc = smk_access(sp, obj_label, mode, NULL); rc = smk_access(sp, obj_label, mode, NULL);
if (rc == 0) if (rc == 0)
...@@ -196,7 +196,7 @@ int smk_curacc(char *obj_label, u32 mode, struct smk_audit_info *a) ...@@ -196,7 +196,7 @@ int smk_curacc(char *obj_label, u32 mode, struct smk_audit_info *a)
* only one that gets privilege and current does not * only one that gets privilege and current does not
* have that label. * have that label.
*/ */
if (smack_onlycap != NULL && smack_onlycap != current->cred->security) if (smack_onlycap != NULL && smack_onlycap != sp)
goto out_audit; goto out_audit;
if (capable(CAP_MAC_OVERRIDE)) if (capable(CAP_MAC_OVERRIDE))
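Review bot: Because current_security() returns `void *`, the pre-patch form `char *sp = current_security();` that this hunk replaces still compiles anywhere it survives, but after this change it would hand a `struct task_smack` to smk_access() as if it were a label string, and no compiler warning would flag it. The collapsed portion of the diff is where the remaining callers live, so this cannot be checked from here; an audit for any leftover `current_security()` or `cred->security` use that is not wrapped in smk_of_task()/smk_of_current() is worth doing before merge. The updated onlycap test `smack_onlycap != sp` now compares label pointers rather than the cred blob, which is consistent with smk_access() receiving the same pointer; smk_curacc()'s body continues outside the hunk.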
...@@ -121,7 +121,7 @@ static void smk_netlabel_audit_set(struct netlbl_audit *nap) ...@@ -121,7 +121,7 @@ static void smk_netlabel_audit_set(struct netlbl_audit *nap)
{ {
nap->loginuid = audit_get_loginuid(current); nap->loginuid = audit_get_loginuid(current);
nap->sessionid = audit_get_sessionid(current); nap->sessionid = audit_get_sessionid(current);
nap->secid = smack_to_secid(current_security()); nap->secid = smack_to_secid(smk_of_current());
} }
/* /*
...@@ -1160,7 +1160,7 @@ static ssize_t smk_write_onlycap(struct file *file, const char __user *buf, ...@@ -1160,7 +1160,7 @@ static ssize_t smk_write_onlycap(struct file *file, const char __user *buf,
size_t count, loff_t *ppos) size_t count, loff_t *ppos)
{ {
char in[SMK_LABELLEN]; char in[SMK_LABELLEN];
char *sp = current->cred->security; char *sp = smk_of_task(current->cred->security);
if (!capable(CAP_MAC_ADMIN)) if (!capable(CAP_MAC_ADMIN))
return -EPERM; return -EPERM;
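Review bot: `char *sp = smk_of_task(current->cred->security);` reaches into the cred blob directly while the rest of the patch (smk_curacc, smk_netlabel_audit_set) goes through the new accessor; `char *sp = smk_of_current();` would keep a single path to the task label, which matters if the blob layout changes again. The rest of smk_write_onlycap() is outside the hunk.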