• Casey Schaufler's avatar
    Smack: allow for significantly longer Smack labels v4 · f7112e6c
    Casey Schaufler authored
    V4 updated to current linux-security#next
    Targeted for git://gitorious.org/smack-next/kernel.git
    
    Modern application runtime environments like to use
    naming schemes that are structured and generated without
    human intervention. Even though the Smack limit of 23
    characters for a label name is perfectly rational for
    human use there have been complaints that the limit is
    a problem in environments where names are composed from
    a set or sources, including vendor, author, distribution
    channel and application name. Names like
    
    	softwarehouse-pgwodehouse-coolappstore-mellowmuskrats
    
    are becoming harder to avoid. This patch introduces long
    label support in Smack. Labels are now limited to 255
    characters instead of the old 23.
    
    The primary reason for limiting the labels to 23 characters
    was so they could be directly contained in CIPSO category sets.
    This is still done were possible, but for labels that are too
    large a mapping is required. This is perfectly safe for communication
    that stays "on the box" and doesn't require much coordination
    between boxes beyond what would have been required to keep label
    names consistent.
    
    The bulk of this patch is in smackfs, adding and updating
    administrative interfaces. Because existing APIs can't be
    changed new ones that do much the same things as old ones
    have been introduced.
    
    The Smack specific CIPSO data representation has been removed
    and replaced with the data format used by netlabel. The CIPSO
    header is now computed when a label is imported rather than
    on use. This results in improved IP performance. The smack
    label is now allocated separately from the containing structure,
    allowing for larger strings.
    
    Four new /smack interfaces have been introduced as four
    of the old interfaces strictly required labels be specified
    in fixed length arrays.
    
    The access interface is supplemented with the check interface:
    	access  "Subject                 Object                  rwxat"
    	access2 "Subject Object rwaxt"
    
    The load interface is supplemented with the rules interface:
    	load   "Subject                 Object                  rwxat"
    	load2  "Subject Object rwaxt"
    
    The load-self interface is supplemented with the self-rules interface:
    	load-self   "Subject                 Object                  rwxat"
    	load-self2  "Subject Object rwaxt"
    
    The cipso interface is supplemented with the wire interface:
    	cipso  "Subject                  lvl cnt  c1  c2 ..."
    	cipso2 "Subject lvl cnt  c1  c2 ..."
    
    The old interfaces are maintained for compatibility.
    Signed-off-by: default avatarCasey Schaufler <casey@schaufler-ca.com>
    f7112e6c
smackfs.c 49.8 KB