Skip to content
Projects
Groups
Snippets
Help
Loading...
Help
Support
Keyboard shortcuts
?
Submit feedback
Contribute to GitLab
Sign in / Register
Toggle navigation
L
linux
Project overview
Project overview
Details
Activity
Releases
Repository
Repository
Files
Commits
Branches
Tags
Contributors
Graph
Compare
Issues
0
Issues
0
List
Boards
Labels
Milestones
Merge Requests
0
Merge Requests
0
Analytics
Analytics
Repository
Value Stream
Wiki
Wiki
Snippets
Snippets
Members
Members
Collapse sidebar
Close sidebar
Activity
Graph
Create a new issue
Commits
Issue Boards
Open sidebar
nexedi
linux
Commits
5ab16579
Commit
5ab16579
authored
Aug 11, 2015
by
James Morris
Browse files
Options
Browse Files
Download
Plain Diff
Merge branch 'smack-for-4.3' of
https://github.com/cschaufler/smack-next
into next
parents
459c15e5
41a2d575
Changes
5
Expand all
Hide whitespace changes
Inline
Side-by-side
Showing
5 changed files
with
833 additions
and
209 deletions
+833
-209
Documentation/security/Smack.txt
Documentation/security/Smack.txt
+26
-1
security/smack/smack.h
security/smack/smack.h
+57
-9
security/smack/smack_access.c
security/smack/smack_access.c
+6
-0
security/smack/smack_lsm.c
security/smack/smack_lsm.c
+390
-117
security/smack/smackfs.c
security/smack/smackfs.c
+354
-82
No files found.
Documentation/security/Smack.txt
View file @
5ab16579
...
...
@@ -28,6 +28,10 @@ Smack kernels use the CIPSO IP option. Some network
configurations are intolerant of IP options and can impede
access to systems that use them as Smack does.
Smack is used in the Tizen operating system. Please
go to http://wiki.tizen.org for information about how
Smack is used in Tizen.
The current git repository for Smack user space is:
git://github.com/smack-team/smack.git
...
...
@@ -108,6 +112,8 @@ in the smackfs filesystem. This pseudo-filesystem is mounted
on /sys/fs/smackfs.
access
Provided for backward compatibility. The access2 interface
is preferred and should be used instead.
This interface reports whether a subject with the specified
Smack label has a particular access to an object with a
specified Smack label. Write a fixed format access rule to
...
...
@@ -136,6 +142,8 @@ change-rule
those in the fourth string. If there is no such rule it will be
created using the access specified in the third and the fourth strings.
cipso
Provided for backward compatibility. The cipso2 interface
is preferred and should be used instead.
This interface allows a specific CIPSO header to be assigned
to a Smack label. The format accepted on write is:
"%24s%4d%4d"["%4d"]...
...
...
@@ -157,7 +165,19 @@ direct
doi
This contains the CIPSO domain of interpretation used in
network packets.
ipv6host
This interface allows specific IPv6 internet addresses to be
treated as single label hosts. Packets are sent to single
label hosts only from processes that have Smack write access
to the host label. All packets received from single label hosts
are given the specified label. The format accepted on write is:
"%h:%h:%h:%h:%h:%h:%h:%h label" or
"%h:%h:%h:%h:%h:%h:%h:%h/%d label".
The "::" address shortcut is not supported.
If label is "-DELETE" a matched entry will be deleted.
load
Provided for backward compatibility. The load2 interface
is preferred and should be used instead.
This interface allows access control rules in addition to
the system defined rules to be specified. The format accepted
on write is:
...
...
@@ -181,6 +201,8 @@ load2
permissions that are not allowed. The string "r-x--" would
specify read and execute access.
load-self
Provided for backward compatibility. The load-self2 interface
is preferred and should be used instead.
This interface allows process specific access rules to be
defined. These rules are only consulted if access would
otherwise be permitted, and are intended to provide additional
...
...
@@ -205,6 +227,8 @@ netlabel
received from single label hosts are given the specified
label. The format accepted on write is:
"%d.%d.%d.%d label" or "%d.%d.%d.%d/%d label".
If the label specified is "-CIPSO" the address is treated
as a host that supports CIPSO headers.
onlycap
This contains labels processes must have for CAP_MAC_ADMIN
and CAP_MAC_OVERRIDE to be effective. If this file is empty
...
...
@@ -232,7 +256,8 @@ unconfined
is dangerous and can ruin the proper labeling of your system.
It should never be used in production.
You can add access rules in /etc/smack/accesses. They take the form:
If you are using the smackload utility
you can add access rules in /etc/smack/accesses. They take the form:
subjectlabel objectlabel access
...
...
security/smack/smack.h
View file @
5ab16579
...
...
@@ -17,11 +17,26 @@
#include <linux/spinlock.h>
#include <linux/lsm_hooks.h>
#include <linux/in.h>
#if IS_ENABLED(CONFIG_IPV6)
#include <linux/in6.h>
#endif
/* CONFIG_IPV6 */
#include <net/netlabel.h>
#include <linux/list.h>
#include <linux/rculist.h>
#include <linux/lsm_audit.h>
/*
* Use IPv6 port labeling if IPv6 is enabled and secmarks
* are not being used.
*/
#if IS_ENABLED(CONFIG_IPV6) && !defined(CONFIG_SECURITY_SMACK_NETFILTER)
#define SMACK_IPV6_PORT_LABELING 1
#endif
#if IS_ENABLED(CONFIG_IPV6) && defined(CONFIG_SECURITY_SMACK_NETFILTER)
#define SMACK_IPV6_SECMARK_LABELING 1
#endif
/*
* Smack labels were limited to 23 characters for a long time.
*/
...
...
@@ -118,15 +133,30 @@ struct smack_rule {
};
/*
* An entry in the table identifying hosts.
* An entry in the table identifying
IPv4
hosts.
*/
struct
smk_net
lbl
addr
{
struct
smk_net
4
addr
{
struct
list_head
list
;
struct
sockaddr_in
smk_host
;
/* network address */
struct
in_addr
smk_host
;
/* network address */
struct
in_addr
smk_mask
;
/* network mask */
int
smk_masks
;
/* mask size */
struct
smack_known
*
smk_label
;
/* label */
};
#if IS_ENABLED(CONFIG_IPV6)
/*
* An entry in the table identifying IPv6 hosts.
*/
struct
smk_net6addr
{
struct
list_head
list
;
struct
in6_addr
smk_host
;
/* network address */
struct
in6_addr
smk_mask
;
/* network mask */
int
smk_masks
;
/* mask size */
struct
smack_known
*
smk_label
;
/* label */
};
#endif
/* CONFIG_IPV6 */
#ifdef SMACK_IPV6_PORT_LABELING
/*
* An entry in the table identifying ports.
*/
...
...
@@ -137,12 +167,31 @@ struct smk_port_label {
struct
smack_known
*
smk_in
;
/* inbound label */
struct
smack_known
*
smk_out
;
/* outgoing label */
};
#endif
/* SMACK_IPV6_PORT_LABELING */
struct
smack_onlycap
{
struct
list_head
list
;
struct
smack_known
*
smk_label
;
};
/* Super block security struct flags for mount options */
#define FSDEFAULT_MNT 0x01
#define FSFLOOR_MNT 0x02
#define FSHAT_MNT 0x04
#define FSROOT_MNT 0x08
#define FSTRANS_MNT 0x10
#define NUM_SMK_MNT_OPTS 5
enum
{
Opt_error
=
-
1
,
Opt_fsdefault
=
1
,
Opt_fsfloor
=
2
,
Opt_fshat
=
3
,
Opt_fsroot
=
4
,
Opt_fstransmute
=
5
,
};
/*
* Mount options
*/
...
...
@@ -152,6 +201,7 @@ struct smack_onlycap {
#define SMK_FSROOT "smackfsroot="
#define SMK_FSTRANS "smackfstransmute="
#define SMACK_DELETE_OPTION "-DELETE"
#define SMACK_CIPSO_OPTION "-CIPSO"
/*
...
...
@@ -234,10 +284,6 @@ struct smk_audit_info {
struct
smack_audit_data
sad
;
#endif
};
/*
* These functions are in smack_lsm.c
*/
struct
inode_smack
*
new_inode_smack
(
struct
smack_known
*
);
/*
* These functions are in smack_access.c
...
...
@@ -267,7 +313,6 @@ extern struct smack_known *smack_syslog_label;
#ifdef CONFIG_SECURITY_SMACK_BRINGUP
extern
struct
smack_known
*
smack_unconfined
;
#endif
extern
struct
smack_known
smack_cipso_option
;
extern
int
smack_ptrace_rule
;
extern
struct
smack_known
smack_known_floor
;
...
...
@@ -279,7 +324,10 @@ extern struct smack_known smack_known_web;
extern
struct
mutex
smack_known_lock
;
extern
struct
list_head
smack_known_list
;
extern
struct
list_head
smk_netlbladdr_list
;
extern
struct
list_head
smk_net4addr_list
;
#if IS_ENABLED(CONFIG_IPV6)
extern
struct
list_head
smk_net6addr_list
;
#endif
/* CONFIG_IPV6 */
extern
struct
mutex
smack_onlycap_lock
;
extern
struct
list_head
smack_onlycap_list
;
...
...
security/smack/smack_access.c
View file @
5ab16579
...
...
@@ -639,6 +639,12 @@ int smack_privileged(int cap)
struct
smack_known
*
skp
=
smk_of_current
();
struct
smack_onlycap
*
sop
;
/*
* All kernel tasks are privileged
*/
if
(
unlikely
(
current
->
flags
&
PF_KTHREAD
))
return
1
;
if
(
!
capable
(
cap
))
return
0
;
...
...
security/smack/smack_lsm.c
View file @
5ab16579
This diff is collapsed.
Click to expand it.
security/smack/smackfs.c
View file @
5ab16579
This diff is collapsed.
Click to expand it.
Write
Preview
Markdown
is supported
0%
Try again
or
attach a new file
Attach a file
Cancel
You are about to add
0
people
to the discussion. Proceed with caution.
Finish editing this message first!
Cancel
Please
register
or
sign in
to comment