Lines Matching +full:sig +full:- +full:dir +full:- +full:cmd
1 // SPDX-License-Identifier: GPL-2.0-only
8 * Casey Schaufler <casey@schaufler-ca.com>
11 * Copyright (C) 2007 Casey Schaufler <casey@schaufler-ca.com>
12 * Copyright (C) 2009 Hewlett-Packard Development Company, L.P.
13 * Paul Moore <paul@paul-moore.com>
59 #define A(s) {"smack"#s, sizeof("smack"#s) - 1, Opt_##s}
65 {"smackfsdef", sizeof("smackfsdef") - 1, Opt_fsdefault},
111 s[i++] = '-'; in smk_bu_mode()
129 sskp->smk_known, oskp->smk_known, acc, note); in smk_bu_note()
150 tsp->smk_task->smk_known, oskp->smk_known, in smk_bu_current()
151 acc, current->comm, note); in smk_bu_current()
172 tsp->smk_task->smk_known, smk_task->smk_known, acc, in smk_bu_task()
173 current->comm, otp->comm); in smk_bu_task()
187 if (isp->smk_flags & SMK_INODE_IMPURE) in smk_bu_inode()
189 inode->i_sb->s_id, inode->i_ino, current->comm); in smk_bu_inode()
197 isp->smk_flags |= SMK_INODE_IMPURE; in smk_bu_inode()
202 tsp->smk_task->smk_known, isp->smk_inode->smk_known, acc, in smk_bu_inode()
203 inode->i_sb->s_id, inode->i_ino, current->comm); in smk_bu_inode()
214 struct smack_known *sskp = tsp->smk_task; in smk_bu_file()
219 if (isp->smk_flags & SMK_INODE_IMPURE) in smk_bu_file()
221 inode->i_sb->s_id, inode->i_ino, current->comm); in smk_bu_file()
230 sskp->smk_known, smk_of_inode(inode)->smk_known, acc, in smk_bu_file()
231 inode->i_sb->s_id, inode->i_ino, file, in smk_bu_file()
232 current->comm); in smk_bu_file()
244 struct smack_known *sskp = tsp->smk_task; in smk_bu_credfile()
249 if (isp->smk_flags & SMK_INODE_IMPURE) in smk_bu_credfile()
251 inode->i_sb->s_id, inode->i_ino, current->comm); in smk_bu_credfile()
260 sskp->smk_known, smk_of_inode(inode)->smk_known, acc, in smk_bu_credfile()
261 inode->i_sb->s_id, inode->i_ino, file, in smk_bu_credfile()
262 current->comm); in smk_bu_credfile()
270 * smk_fetch - Fetch the smack label from a file.
285 if (!(ip->i_opflags & IOP_XATTR)) in smk_fetch()
286 return ERR_PTR(-EOPNOTSUPP); in smk_fetch()
290 return ERR_PTR(-ENOMEM); in smk_fetch()
306 * init_inode_smack - initialize an inode security blob
315 isp->smk_inode = skp; in init_inode_smack()
316 isp->smk_flags = 0; in init_inode_smack()
320 * init_task_smack - initialize a task security blob
329 tsp->smk_task = task; in init_task_smack()
330 tsp->smk_forked = forked; in init_task_smack()
331 INIT_LIST_HEAD(&tsp->smk_rules); in init_task_smack()
332 INIT_LIST_HEAD(&tsp->smk_relabel); in init_task_smack()
333 mutex_init(&tsp->smk_rules_lock); in init_task_smack()
337 * smk_copy_rules - copy a rule set
342 * Returns 0 on success, -ENOMEM on error
354 rc = -ENOMEM; in smk_copy_rules()
358 list_add_rcu(&nrp->list, nhead); in smk_copy_rules()
364 * smk_copy_relabel - copy smk_relabel labels list
369 * Returns 0 on success, -ENOMEM on error
381 return -ENOMEM; in smk_copy_relabel()
383 nklep->smk_label = oklep->smk_label; in smk_copy_relabel()
384 list_add(&nklep->list, nhead); in smk_copy_relabel()
391 * smk_ptrace_mode - helper function for converting PTRACE_MODE_* into MAY_*
392 * @mode - input mode in form of PTRACE_MODE_*
407 * smk_ptrace_rule_check - helper for ptrace access
413 * Returns 0 on access granted, -error on error
439 if (tracer_known->smk_known == tracee_known->smk_known) in smk_ptrace_rule_check()
442 rc = -EACCES; in smk_ptrace_rule_check()
446 rc = -EACCES; in smk_ptrace_rule_check()
449 smack_log(tracer_known->smk_known, in smk_ptrace_rule_check()
450 tracee_known->smk_known, in smk_ptrace_rule_check()
470 * smack_ptrace_access_check - Smack approval on PTRACE_ATTACH
488 * smack_ptrace_traceme - Smack approval on PTRACE_TRACEME
507 * smack_syslog - Smack approval on syslog
521 rc = -EACCES; in smack_syslog()
531 * smack_sb_alloc_security - allocate a superblock blob
534 * Returns 0 on success or -ENOMEM on error.
540 sbsp->smk_root = &smack_known_floor; in smack_sb_alloc_security()
541 sbsp->smk_default = &smack_known_floor; in smack_sb_alloc_security()
542 sbsp->smk_floor = &smack_known_floor; in smack_sb_alloc_security()
543 sbsp->smk_hat = &smack_known_hat; in smack_sb_alloc_security()
558 kfree(opts->fsdefault); in smack_free_mnt_opts()
559 kfree(opts->fsfloor); in smack_free_mnt_opts()
560 kfree(opts->fshat); in smack_free_mnt_opts()
561 kfree(opts->fsroot); in smack_free_mnt_opts()
562 kfree(opts->fstransmute); in smack_free_mnt_opts()
573 return -ENOMEM; in smack_add_opt()
577 return -ENOMEM; in smack_add_opt()
581 if (opts->fsdefault) in smack_add_opt()
583 opts->fsdefault = s; in smack_add_opt()
586 if (opts->fsfloor) in smack_add_opt()
588 opts->fsfloor = s; in smack_add_opt()
591 if (opts->fshat) in smack_add_opt()
593 opts->fshat = s; in smack_add_opt()
596 if (opts->fsroot) in smack_add_opt()
598 opts->fsroot = s; in smack_add_opt()
601 if (opts->fstransmute) in smack_add_opt()
603 opts->fstransmute = s; in smack_add_opt()
610 return -EINVAL; in smack_add_opt()
614 * smack_fs_context_dup - Duplicate the security data on fs_context duplication
618 * Returns 0 on success or -ENOMEM on error.
623 struct smack_mnt_opts *dst, *src = src_fc->security; in smack_fs_context_dup()
628 fc->security = kzalloc(sizeof(struct smack_mnt_opts), GFP_KERNEL); in smack_fs_context_dup()
629 if (!fc->security) in smack_fs_context_dup()
630 return -ENOMEM; in smack_fs_context_dup()
631 dst = fc->security; in smack_fs_context_dup()
633 if (src->fsdefault) { in smack_fs_context_dup()
634 dst->fsdefault = kstrdup(src->fsdefault, GFP_KERNEL); in smack_fs_context_dup()
635 if (!dst->fsdefault) in smack_fs_context_dup()
636 return -ENOMEM; in smack_fs_context_dup()
638 if (src->fsfloor) { in smack_fs_context_dup()
639 dst->fsfloor = kstrdup(src->fsfloor, GFP_KERNEL); in smack_fs_context_dup()
640 if (!dst->fsfloor) in smack_fs_context_dup()
641 return -ENOMEM; in smack_fs_context_dup()
643 if (src->fshat) { in smack_fs_context_dup()
644 dst->fshat = kstrdup(src->fshat, GFP_KERNEL); in smack_fs_context_dup()
645 if (!dst->fshat) in smack_fs_context_dup()
646 return -ENOMEM; in smack_fs_context_dup()
648 if (src->fsroot) { in smack_fs_context_dup()
649 dst->fsroot = kstrdup(src->fsroot, GFP_KERNEL); in smack_fs_context_dup()
650 if (!dst->fsroot) in smack_fs_context_dup()
651 return -ENOMEM; in smack_fs_context_dup()
653 if (src->fstransmute) { in smack_fs_context_dup()
654 dst->fstransmute = kstrdup(src->fstransmute, GFP_KERNEL); in smack_fs_context_dup()
655 if (!dst->fstransmute) in smack_fs_context_dup()
656 return -ENOMEM; in smack_fs_context_dup()
672 * smack_fs_context_parse_param - Parse a single mount parameter
676 * Returns 0 on success, -ENOPARAM to pass the parameter on or anything else on
689 rc = smack_add_opt(opt, param->string, &fc->security); in smack_fs_context_parse_param()
691 param->string = NULL; in smack_fs_context_parse_param()
706 len = next - from; in smack_sb_eat_lsm_opts()
712 arg = kmemdup_nul(arg, from + len - arg, GFP_KERNEL); in smack_sb_eat_lsm_opts()
723 from--; in smack_sb_eat_lsm_opts()
740 * smack_set_mnt_opts - set Smack specific mount options
756 struct dentry *root = sb->s_root; in smack_set_mnt_opts()
764 if (sp->smk_flags & SMK_SB_INITIALIZED) in smack_set_mnt_opts()
767 if (inode->i_security == NULL) { in smack_set_mnt_opts()
779 return -EPERM; in smack_set_mnt_opts()
784 sp->smk_root = skp; in smack_set_mnt_opts()
785 sp->smk_default = skp; in smack_set_mnt_opts()
787 * For a handful of fs types with no user-controlled in smack_set_mnt_opts()
791 if (sb->s_user_ns != &init_user_ns && in smack_set_mnt_opts()
792 sb->s_magic != SYSFS_MAGIC && sb->s_magic != TMPFS_MAGIC && in smack_set_mnt_opts()
793 sb->s_magic != RAMFS_MAGIC) { in smack_set_mnt_opts()
795 sp->smk_flags |= SMK_SB_UNTRUSTED; in smack_set_mnt_opts()
799 sp->smk_flags |= SMK_SB_INITIALIZED; in smack_set_mnt_opts()
802 if (opts->fsdefault) { in smack_set_mnt_opts()
803 skp = smk_import_entry(opts->fsdefault, 0); in smack_set_mnt_opts()
806 sp->smk_default = skp; in smack_set_mnt_opts()
808 if (opts->fsfloor) { in smack_set_mnt_opts()
809 skp = smk_import_entry(opts->fsfloor, 0); in smack_set_mnt_opts()
812 sp->smk_floor = skp; in smack_set_mnt_opts()
814 if (opts->fshat) { in smack_set_mnt_opts()
815 skp = smk_import_entry(opts->fshat, 0); in smack_set_mnt_opts()
818 sp->smk_hat = skp; in smack_set_mnt_opts()
820 if (opts->fsroot) { in smack_set_mnt_opts()
821 skp = smk_import_entry(opts->fsroot, 0); in smack_set_mnt_opts()
824 sp->smk_root = skp; in smack_set_mnt_opts()
826 if (opts->fstransmute) { in smack_set_mnt_opts()
827 skp = smk_import_entry(opts->fstransmute, 0); in smack_set_mnt_opts()
830 sp->smk_root = skp; in smack_set_mnt_opts()
838 init_inode_smack(inode, sp->smk_root); in smack_set_mnt_opts()
842 isp->smk_flags |= SMK_INODE_TRANSMUTE; in smack_set_mnt_opts()
849 * smack_sb_statfs - Smack check on statfs
857 struct superblock_smack *sbp = smack_superblock(dentry->d_sb); in smack_sb_statfs()
864 rc = smk_curacc(sbp->smk_floor, MAY_READ, &ad); in smack_sb_statfs()
865 rc = smk_bu_current("statfs", sbp->smk_floor, MAY_READ, rc); in smack_sb_statfs()
874 * smack_bprm_creds_for_exec - Update bprm->cred if needed for exec
877 * Returns 0 if it gets a blob, -EPERM if exec forbidden and -ENOMEM otherwise
881 struct inode *inode = file_inode(bprm->file); in smack_bprm_creds_for_exec()
882 struct task_smack *bsp = smack_cred(bprm->cred); in smack_bprm_creds_for_exec()
888 if (isp->smk_task == NULL || isp->smk_task == bsp->smk_task) in smack_bprm_creds_for_exec()
891 sbsp = smack_superblock(inode->i_sb); in smack_bprm_creds_for_exec()
892 if ((sbsp->smk_flags & SMK_SB_UNTRUSTED) && in smack_bprm_creds_for_exec()
893 isp->smk_task != sbsp->smk_root) in smack_bprm_creds_for_exec()
896 if (bprm->unsafe & LSM_UNSAFE_PTRACE) { in smack_bprm_creds_for_exec()
904 isp->smk_task, in smack_bprm_creds_for_exec()
912 if (bprm->unsafe & ~LSM_UNSAFE_PTRACE) in smack_bprm_creds_for_exec()
913 return -EPERM; in smack_bprm_creds_for_exec()
915 bsp->smk_task = isp->smk_task; in smack_bprm_creds_for_exec()
916 bprm->per_clear |= PER_CLEAR_ON_SETID; in smack_bprm_creds_for_exec()
919 if (bsp->smk_task != bsp->smk_forked) in smack_bprm_creds_for_exec()
920 bprm->secureexec = 1; in smack_bprm_creds_for_exec()
930 * smack_inode_alloc_security - allocate an inode blob
944 * smack_inode_init_security - copy out the smack from an inode
946 * @dir: containing directory object
952 * Returns 0 if it all works out, -ENOMEM if there's no memory
954 static int smack_inode_init_security(struct inode *inode, struct inode *dir, in smack_inode_init_security() argument
961 struct smack_known *dsp = smk_of_inode(dir); in smack_inode_init_security()
969 may = smk_access_entry(skp->smk_known, dsp->smk_known, in smack_inode_init_security()
970 &skp->smk_rules); in smack_inode_init_security()
980 smk_inode_transmutable(dir)) { in smack_inode_init_security()
982 issp->smk_flags |= SMK_INODE_CHANGED; in smack_inode_init_security()
985 *value = kstrdup(isp->smk_known, GFP_NOFS); in smack_inode_init_security()
987 return -ENOMEM; in smack_inode_init_security()
989 *len = strlen(isp->smk_known); in smack_inode_init_security()
996 * smack_inode_link - Smack check on link
998 * @dir: unused
1003 static int smack_inode_link(struct dentry *old_dentry, struct inode *dir, in smack_inode_link() argument
1028 * smack_inode_unlink - Smack check on inode deletion
1029 * @dir: containing directory object
1035 static int smack_inode_unlink(struct inode *dir, struct dentry *dentry) in smack_inode_unlink() argument
1054 smk_ad_setfield_u_fs_inode(&ad, dir); in smack_inode_unlink()
1055 rc = smk_curacc(smk_of_inode(dir), MAY_WRITE, &ad); in smack_inode_unlink()
1056 rc = smk_bu_inode(dir, MAY_WRITE, rc); in smack_inode_unlink()
1062 * smack_inode_rmdir - Smack check on directory deletion
1063 * @dir: containing directory object
1069 static int smack_inode_rmdir(struct inode *dir, struct dentry *dentry) in smack_inode_rmdir() argument
1087 smk_ad_setfield_u_fs_inode(&ad, dir); in smack_inode_rmdir()
1088 rc = smk_curacc(smk_of_inode(dir), MAY_WRITE, &ad); in smack_inode_rmdir()
1089 rc = smk_bu_inode(dir, MAY_WRITE, rc); in smack_inode_rmdir()
1096 * smack_inode_rename - Smack check on rename
1133 * smack_inode_permission - Smack version of permission()
1143 struct superblock_smack *sbsp = smack_superblock(inode->i_sb); in smack_inode_permission()
1155 if (sbsp->smk_flags & SMK_SB_UNTRUSTED) { in smack_inode_permission()
1156 if (smk_of_inode(inode) != sbsp->smk_root) in smack_inode_permission()
1157 return -EACCES; in smack_inode_permission()
1162 return -ECHILD; in smack_inode_permission()
1171 * smack_inode_setattr - Smack check for setting attributes
1185 if (iattr->ia_valid & ATTR_FORCE) in smack_inode_setattr()
1196 * smack_inode_getattr - Smack check for getting attributes
1204 struct inode *inode = d_backing_inode(path->dentry); in smack_inode_getattr()
1215 * smack_inode_setxattr - Smack check for setting xattrs
1254 rc = -EINVAL; in smack_inode_setxattr()
1259 rc = -EPERM; in smack_inode_setxattr()
1267 rc = -EINVAL; in smack_inode_setxattr()
1282 * smack_inode_post_setxattr - Apply the Smack update approved above
1299 isp->smk_flags |= SMK_INODE_TRANSMUTE; in smack_inode_post_setxattr()
1306 isp->smk_inode = skp; in smack_inode_post_setxattr()
1310 isp->smk_task = skp; in smack_inode_post_setxattr()
1314 isp->smk_mmap = skp; in smack_inode_post_setxattr()
1321 * smack_inode_getxattr - Smack check on getxattr
1341 * smack_inode_removexattr - Smack check on removexattr
1363 rc = -EPERM; in smack_inode_removexattr()
1385 struct super_block *sbp = dentry->d_sb; in smack_inode_removexattr()
1388 isp->smk_inode = sbsp->smk_default; in smack_inode_removexattr()
1390 isp->smk_task = NULL; in smack_inode_removexattr()
1392 isp->smk_mmap = NULL; in smack_inode_removexattr()
1394 isp->smk_flags &= ~SMK_INODE_TRANSMUTE; in smack_inode_removexattr()
1400 * smack_inode_getsecurity - get smack xattrs
1424 sbp = ip->i_sb; in smack_inode_getsecurity()
1425 if (sbp->s_magic != SOCKFS_MAGIC) in smack_inode_getsecurity()
1426 return -EOPNOTSUPP; in smack_inode_getsecurity()
1429 if (sock == NULL || sock->sk == NULL) in smack_inode_getsecurity()
1430 return -EOPNOTSUPP; in smack_inode_getsecurity()
1432 ssp = sock->sk->sk_security; in smack_inode_getsecurity()
1435 isp = ssp->smk_in; in smack_inode_getsecurity()
1437 isp = ssp->smk_out; in smack_inode_getsecurity()
1439 return -EOPNOTSUPP; in smack_inode_getsecurity()
1443 *buffer = kstrdup(isp->smk_known, GFP_KERNEL); in smack_inode_getsecurity()
1445 return -ENOMEM; in smack_inode_getsecurity()
1448 return strlen(isp->smk_known); in smack_inode_getsecurity()
1453 * smack_inode_listsecurity - list the Smack attributes
1470 * smack_inode_getsecid - Extract inode's security id
1478 *secid = skp->smk_secid; in smack_inode_getsecid()
1497 * smack_file_alloc_security - assign a file security blob
1517 * smack_file_ioctl - Smack check on ioctls
1519 * @cmd: what to do
1526 static int smack_file_ioctl(struct file *file, unsigned int cmd, in smack_file_ioctl() argument
1537 smk_ad_setfield_u_fs_path(&ad, file->f_path); in smack_file_ioctl()
1539 if (_IOC_DIR(cmd) & _IOC_WRITE) { in smack_file_ioctl()
1544 if (rc == 0 && (_IOC_DIR(cmd) & _IOC_READ)) { in smack_file_ioctl()
1553 * smack_file_lock - Smack check on file locking
1555 * @cmd: unused
1559 static int smack_file_lock(struct file *file, unsigned int cmd) in smack_file_lock() argument
1569 smk_ad_setfield_u_fs_path(&ad, file->f_path); in smack_file_lock()
1576 * smack_file_fcntl - Smack check on fcntl
1578 * @cmd: what action to check
1587 static int smack_file_fcntl(struct file *file, unsigned int cmd, in smack_file_fcntl() argument
1597 switch (cmd) { in smack_file_fcntl()
1603 smk_ad_setfield_u_fs_path(&ad, file->f_path); in smack_file_fcntl()
1610 smk_ad_setfield_u_fs_path(&ad, file->f_path); in smack_file_fcntl()
1654 if (isp->smk_mmap == NULL) in smack_mmap_file()
1656 sbsp = smack_superblock(file_inode(file)->i_sb); in smack_mmap_file()
1657 if (sbsp->smk_flags & SMK_SB_UNTRUSTED && in smack_mmap_file()
1658 isp->smk_mmap != sbsp->smk_root) in smack_mmap_file()
1659 return -EACCES; in smack_mmap_file()
1660 mkp = isp->smk_mmap; in smack_mmap_file()
1672 list_for_each_entry_rcu(srp, &skp->smk_rules, list) { in smack_mmap_file()
1673 okp = srp->smk_object; in smack_mmap_file()
1677 if (mkp->smk_known == okp->smk_known) in smack_mmap_file()
1683 may = smk_access_entry(srp->smk_subject->smk_known, in smack_mmap_file()
1684 okp->smk_known, in smack_mmap_file()
1685 &tsp->smk_rules); in smack_mmap_file()
1686 if (may == -ENOENT) in smack_mmap_file()
1687 may = srp->smk_access; in smack_mmap_file()
1689 may &= srp->smk_access; in smack_mmap_file()
1702 mmay = smk_access_entry(mkp->smk_known, okp->smk_known, in smack_mmap_file()
1703 &mkp->smk_rules); in smack_mmap_file()
1704 if (mmay == -ENOENT) { in smack_mmap_file()
1705 rc = -EACCES; in smack_mmap_file()
1712 tmay = smk_access_entry(mkp->smk_known, okp->smk_known, in smack_mmap_file()
1713 &tsp->smk_rules); in smack_mmap_file()
1714 if (tmay != -ENOENT) in smack_mmap_file()
1723 rc = -EACCES; in smack_mmap_file()
1734 * smack_file_set_fowner - set the file security blob value
1746 * smack_file_send_sigiotask - Smack on sigio
1761 struct smack_known *tkp = smk_of_task(smack_cred(tsk->cred)); in smack_file_send_sigiotask()
1786 smack_log(skp->smk_known, tkp->smk_known, MAY_DELIVER, rc, &ad); in smack_file_send_sigiotask()
1791 * smack_file_receive - Smack file receive check
1810 smk_ad_setfield_u_fs_path(&ad, file->f_path); in smack_file_receive()
1812 if (inode->i_sb->s_magic == SOCKFS_MAGIC) { in smack_file_receive()
1814 ssp = sock->sk->sk_security; in smack_file_receive()
1822 rc = smk_access(tsp->smk_task, ssp->smk_out, MAY_WRITE, &ad); in smack_file_receive()
1826 rc = smk_access(ssp->smk_in, tsp->smk_task, MAY_WRITE, &ad); in smack_file_receive()
1833 if (file->f_mode & FMODE_READ) in smack_file_receive()
1835 if (file->f_mode & FMODE_WRITE) in smack_file_receive()
1844 * smack_file_open - Smack dentry open processing
1850 * fd even if you have the file open write-only.
1856 struct task_smack *tsp = smack_cred(file->f_cred); in smack_file_open()
1862 smk_ad_setfield_u_fs_path(&ad, file->f_path); in smack_file_open()
1864 rc = smk_bu_credfile(file->f_cred, file, MAY_READ, rc); in smack_file_open()
1874 * smack_cred_alloc_blank - "allocate" blank task-level security credentials
1890 * smack_cred_free - "free" task-level security credentials
1901 smk_destroy_label_list(&tsp->smk_relabel); in smack_cred_free()
1903 list_for_each_safe(l, n, &tsp->smk_rules) { in smack_cred_free()
1905 list_del(&rp->list); in smack_cred_free()
1911 * smack_cred_prepare - prepare new set of credentials for modification
1925 init_task_smack(new_tsp, old_tsp->smk_task, old_tsp->smk_task); in smack_cred_prepare()
1927 rc = smk_copy_rules(&new_tsp->smk_rules, &old_tsp->smk_rules, gfp); in smack_cred_prepare()
1931 rc = smk_copy_relabel(&new_tsp->smk_relabel, &old_tsp->smk_relabel, in smack_cred_prepare()
1937 * smack_cred_transfer - Transfer the old credentials to the new credentials
1948 new_tsp->smk_task = old_tsp->smk_task; in smack_cred_transfer()
1949 new_tsp->smk_forked = old_tsp->smk_task; in smack_cred_transfer()
1950 mutex_init(&new_tsp->smk_rules_lock); in smack_cred_transfer()
1951 INIT_LIST_HEAD(&new_tsp->smk_rules); in smack_cred_transfer()
1957 * smack_cred_getsecid - get the secid corresponding to a creds structure
1969 *secid = skp->smk_secid; in smack_cred_getsecid()
1974 * smack_kernel_act_as - Set the subjective context in a set of credentials
1984 new_tsp->smk_task = smack_from_secid(secid); in smack_kernel_act_as()
1989 * smack_kernel_create_files_as - Set the file creation label in a set of creds
2002 tsp->smk_forked = isp->smk_inode; in smack_kernel_create_files_as()
2003 tsp->smk_task = tsp->smk_forked; in smack_kernel_create_files_as()
2008 * smk_curacc_on_task - helper to log task related access
2030 * smack_task_setpgid - Smack check on setting pgid
2042 * smack_task_getpgid - Smack access check for getpgid
2053 * smack_task_getsid - Smack access check for getsid
2064 * smack_task_getsecid_subj - get the subjective secid of the task
2074 *secid = skp->smk_secid; in smack_task_getsecid_subj()
2078 * smack_task_getsecid_obj - get the objective secid of the task
2088 *secid = skp->smk_secid; in smack_task_getsecid_obj()
2092 * smack_task_setnice - Smack check on setting nice
2104 * smack_task_setioprio - Smack check on setting ioprio
2116 * smack_task_getioprio - Smack check on reading ioprio
2127 * smack_task_setscheduler - Smack check on setting scheduler
2138 * smack_task_getscheduler - Smack check on reading scheduler
2149 * smack_task_movememory - Smack check on moving memory
2160 * smack_task_kill - Smack check on signal delivery
2163 * @sig: unused
2170 int sig, const struct cred *cred) in smack_task_kill() argument
2177 if (!sig) in smack_task_kill()
2203 * smack_task_to_inode - copy task smack into the inode blob
2214 isp->smk_inode = skp; in smack_task_to_inode()
2215 isp->smk_flags |= SMK_INODE_INSTANT; in smack_task_to_inode()
2223 * smack_sk_alloc_security - Allocate a socket blob
2230 * Returns 0 on success, -ENOMEM is there's no memory
2239 return -ENOMEM; in smack_sk_alloc_security()
2244 if (unlikely(current->flags & PF_KTHREAD)) { in smack_sk_alloc_security()
2245 ssp->smk_in = &smack_known_web; in smack_sk_alloc_security()
2246 ssp->smk_out = &smack_known_web; in smack_sk_alloc_security()
2248 ssp->smk_in = skp; in smack_sk_alloc_security()
2249 ssp->smk_out = skp; in smack_sk_alloc_security()
2251 ssp->smk_packet = NULL; in smack_sk_alloc_security()
2253 sk->sk_security = ssp; in smack_sk_alloc_security()
2259 * smack_sk_free_security - Free a socket blob
2269 if (sk->sk_family == PF_INET6) { in smack_sk_free_security()
2272 if (spp->smk_sock != sk) in smack_sk_free_security()
2274 spp->smk_can_reuse = 1; in smack_sk_free_security()
2280 kfree(sk->sk_security); in smack_sk_free_security()
2284 * smack_ipv4host_label - check host based restrictions
2298 struct in_addr *siap = &sip->sin_addr; in smack_ipv4host_label()
2300 if (siap->s_addr == 0) in smack_ipv4host_label()
2309 if (snp->smk_host.s_addr == in smack_ipv4host_label()
2310 (siap->s_addr & snp->smk_mask.s_addr)) in smack_ipv4host_label()
2311 return snp->smk_label; in smack_ipv4host_label()
2317 * smk_ipv6_localhost - Check for local ipv6 host address
2324 __be16 *be16p = (__be16 *)&sip->sin6_addr; in smk_ipv6_localhost()
2325 __be32 *be32p = (__be32 *)&sip->sin6_addr; in smk_ipv6_localhost()
2334 * smack_ipv6host_label - check host based restrictions
2348 struct in6_addr *sap = &sip->sin6_addr; in smack_ipv6host_label()
2363 if (snp->smk_label == NULL) in smack_ipv6host_label()
2371 if ((sap->s6_addr16[i] & snp->smk_mask.s6_addr16[i]) != in smack_ipv6host_label()
2372 snp->smk_host.s6_addr16[i]) { in smack_ipv6host_label()
2378 return snp->smk_label; in smack_ipv6host_label()
2385 * smack_netlbl_add - Set the secattr on a socket
2394 struct socket_smack *ssp = sk->sk_security; in smack_netlbl_add()
2395 struct smack_known *skp = ssp->smk_out; in smack_netlbl_add()
2401 rc = netlbl_sock_setattr(sk, sk->sk_family, &skp->smk_netlabel); in smack_netlbl_add()
2404 ssp->smk_state = SMK_NETLBL_LABELED; in smack_netlbl_add()
2406 case -EDESTADDRREQ: in smack_netlbl_add()
2407 ssp->smk_state = SMK_NETLBL_REQSKB; in smack_netlbl_add()
2419 * smack_netlbl_delete - Remove the secattr from a socket
2426 struct socket_smack *ssp = sk->sk_security; in smack_netlbl_delete()
2431 if (ssp->smk_state != SMK_NETLBL_LABELED) in smack_netlbl_delete()
2439 ssp->smk_state = SMK_NETLBL_UNLABELED; in smack_netlbl_delete()
2443 * smk_ipv4_check - Perform IPv4 host access checks
2458 struct socket_smack *ssp = sk->sk_security; in smk_ipv4_check()
2468 ad.a.u.net->family = sap->sin_family; in smk_ipv4_check()
2469 ad.a.u.net->dport = sap->sin_port; in smk_ipv4_check()
2470 ad.a.u.net->v4info.daddr = sap->sin_addr.s_addr; in smk_ipv4_check()
2472 skp = ssp->smk_out; in smk_ipv4_check()
2487 * smk_ipv6_check - check Smack access
2507 ad.a.u.net->family = PF_INET6; in smk_ipv6_check()
2508 ad.a.u.net->dport = ntohs(address->sin6_port); in smk_ipv6_check()
2510 ad.a.u.net->v6info.saddr = address->sin6_addr; in smk_ipv6_check()
2512 ad.a.u.net->v6info.daddr = address->sin6_addr; in smk_ipv6_check()
2521 * smk_ipv6_port_label - Smack port access table management
2529 struct sock *sk = sock->sk; in smk_ipv6_port_label()
2531 struct socket_smack *ssp = sock->sk->sk_security; in smk_ipv6_port_label()
2543 if (sk != spp->smk_sock) in smk_ipv6_port_label()
2545 spp->smk_in = ssp->smk_in; in smk_ipv6_port_label()
2546 spp->smk_out = ssp->smk_out; in smk_ipv6_port_label()
2559 port = ntohs(addr6->sin6_port); in smk_ipv6_port_label()
2572 if (spp->smk_port != port || spp->smk_sock_type != sock->type) in smk_ipv6_port_label()
2574 if (spp->smk_can_reuse != 1) { in smk_ipv6_port_label()
2578 spp->smk_port = port; in smk_ipv6_port_label()
2579 spp->smk_sock = sk; in smk_ipv6_port_label()
2580 spp->smk_in = ssp->smk_in; in smk_ipv6_port_label()
2581 spp->smk_out = ssp->smk_out; in smk_ipv6_port_label()
2582 spp->smk_can_reuse = 0; in smk_ipv6_port_label()
2594 spp->smk_port = port; in smk_ipv6_port_label()
2595 spp->smk_sock = sk; in smk_ipv6_port_label()
2596 spp->smk_in = ssp->smk_in; in smk_ipv6_port_label()
2597 spp->smk_out = ssp->smk_out; in smk_ipv6_port_label()
2598 spp->smk_sock_type = sock->type; in smk_ipv6_port_label()
2599 spp->smk_can_reuse = 0; in smk_ipv6_port_label()
2602 list_add_rcu(&spp->list, &smk_ipv6_port_list); in smk_ipv6_port_label()
2609 * smk_ipv6_port_check - check Smack port access
2620 struct socket_smack *ssp = sk->sk_security; in smk_ipv6_port_check()
2627 object = ssp->smk_in; in smk_ipv6_port_check()
2629 skp = ssp->smk_out; in smk_ipv6_port_check()
2655 port = ntohs(address->sin6_port); in smk_ipv6_port_check()
2658 if (spp->smk_port != port || spp->smk_sock_type != sk->sk_type) in smk_ipv6_port_check()
2660 object = spp->smk_in; in smk_ipv6_port_check()
2662 ssp->smk_packet = spp->smk_out; in smk_ipv6_port_check()
2671 * smack_inode_setsecurity - set smack xattrs
2692 return -EINVAL; in smack_inode_setsecurity()
2699 nsp->smk_inode = skp; in smack_inode_setsecurity()
2700 nsp->smk_flags |= SMK_INODE_INSTANT; in smack_inode_setsecurity()
2706 if (inode->i_sb->s_magic != SOCKFS_MAGIC) in smack_inode_setsecurity()
2707 return -EOPNOTSUPP; in smack_inode_setsecurity()
2710 if (sock == NULL || sock->sk == NULL) in smack_inode_setsecurity()
2711 return -EOPNOTSUPP; in smack_inode_setsecurity()
2713 ssp = sock->sk->sk_security; in smack_inode_setsecurity()
2716 ssp->smk_in = skp; in smack_inode_setsecurity()
2718 ssp->smk_out = skp; in smack_inode_setsecurity()
2719 if (sock->sk->sk_family == PF_INET) { in smack_inode_setsecurity()
2720 rc = smack_netlbl_add(sock->sk); in smack_inode_setsecurity()
2724 __func__, -rc); in smack_inode_setsecurity()
2727 return -EOPNOTSUPP; in smack_inode_setsecurity()
2730 if (sock->sk->sk_family == PF_INET6) in smack_inode_setsecurity()
2738 * smack_socket_post_create - finish socket setup
2754 if (sock->sk == NULL) in smack_socket_post_create()
2760 if (unlikely(current->flags & PF_KTHREAD)) { in smack_socket_post_create()
2761 ssp = sock->sk->sk_security; in smack_socket_post_create()
2762 ssp->smk_in = &smack_known_web; in smack_socket_post_create()
2763 ssp->smk_out = &smack_known_web; in smack_socket_post_create()
2771 return smack_netlbl_add(sock->sk); in smack_socket_post_create()
2775 * smack_socket_socketpair - create socket pair
2786 struct socket_smack *asp = socka->sk->sk_security; in smack_socket_socketpair()
2787 struct socket_smack *bsp = sockb->sk->sk_security; in smack_socket_socketpair()
2789 asp->smk_packet = bsp->smk_out; in smack_socket_socketpair()
2790 bsp->smk_packet = asp->smk_out; in smack_socket_socketpair()
2797 * smack_socket_bind - record port binding information.
2809 if (sock->sk != NULL && sock->sk->sk_family == PF_INET6) { in smack_socket_bind()
2811 address->sa_family != AF_INET6) in smack_socket_bind()
2812 return -EINVAL; in smack_socket_bind()
2820 * smack_socket_connect - connect access check
2834 if (sock->sk == NULL) in smack_socket_connect()
2836 if (sock->sk->sk_family != PF_INET && in smack_socket_connect()
2837 (!IS_ENABLED(CONFIG_IPV6) || sock->sk->sk_family != PF_INET6)) in smack_socket_connect()
2841 if (IS_ENABLED(CONFIG_IPV6) && sap->sa_family == AF_INET6) { in smack_socket_connect()
2850 struct socket_smack *ssp = sock->sk->sk_security; in smack_socket_connect()
2852 rc = smk_ipv6_check(ssp->smk_out, rsp, sip, in smack_socket_connect()
2856 rc = smk_ipv6_port_check(sock->sk, sip, SMK_CONNECTING); in smack_socket_connect()
2860 if (sap->sa_family != AF_INET || addrlen < sizeof(struct sockaddr_in)) in smack_socket_connect()
2862 rc = smk_ipv4_check(sock->sk, (struct sockaddr_in *)sap); in smack_socket_connect()
2867 * smack_flags_to_may - convert S_ to MAY_ values
2887 * smack_msg_msg_alloc_security - Set the security blob for msg_msg
2901 * smack_of_ipc - the smack pointer for the ipc
2914 * smack_ipc_alloc_security - Set the security blob for ipc
2942 ad.a.u.ipc_id = isp->id; in smk_curacc_shm()
2950 * smack_shm_associate - Smack access check for shm
2965 * smack_shm_shmctl - Smack access check for shm
2967 * @cmd: what it wants to do
2971 static int smack_shm_shmctl(struct kern_ipc_perm *isp, int cmd) in smack_shm_shmctl() argument
2975 switch (cmd) { in smack_shm_shmctl()
2994 return -EINVAL; in smack_shm_shmctl()
3000 * smack_shm_shmat - Smack access for shmat
3031 ad.a.u.ipc_id = isp->id; in smk_curacc_sem()
3039 * smack_sem_associate - Smack access check for sem
3054 * smack_sem_shmctl - Smack access check for sem
3056 * @cmd: what it wants to do
3060 static int smack_sem_semctl(struct kern_ipc_perm *isp, int cmd) in smack_sem_semctl() argument
3064 switch (cmd) { in smack_sem_semctl()
3088 return -EINVAL; in smack_sem_semctl()
3095 * smack_sem_semop - Smack checks of semaphore operations
3126 ad.a.u.ipc_id = isp->id; in smk_curacc_msq()
3134 * smack_msg_queue_associate - Smack access check for msg_queue
3149 * smack_msg_queue_msgctl - Smack access check for msg_queue
3151 * @cmd: what it wants to do
3155 static int smack_msg_queue_msgctl(struct kern_ipc_perm *isp, int cmd) in smack_msg_queue_msgctl() argument
3159 switch (cmd) { in smack_msg_queue_msgctl()
3176 return -EINVAL; in smack_msg_queue_msgctl()
3183 * smack_msg_queue_msgsnd - Smack access check for msg_queue
3200 * smack_msg_queue_msgsnd - Smack access check for msg_queue
3216 * smack_ipc_permission - Smack access for ipc_permission()
3232 ad.a.u.ipc_id = ipp->id; in smack_ipc_permission()
3240 * smack_ipc_getsecid - Extract smack security id
3249 *secid = iskp->smk_secid; in smack_ipc_getsecid()
3253 * smack_d_instantiate - Make sure the blob is correct on an inode
3281 if (isp->smk_flags & SMK_INODE_INSTANT) in smack_d_instantiate()
3284 sbp = inode->i_sb; in smack_d_instantiate()
3290 final = sbsp->smk_default; in smack_d_instantiate()
3298 if (opt_dentry->d_parent == opt_dentry) { in smack_d_instantiate()
3299 switch (sbp->s_magic) { in smack_d_instantiate()
3307 sbsp->smk_root = &smack_known_star; in smack_d_instantiate()
3308 sbsp->smk_default = &smack_known_star; in smack_d_instantiate()
3309 isp->smk_inode = sbsp->smk_root; in smack_d_instantiate()
3316 isp->smk_inode = smk_of_current(); in smack_d_instantiate()
3319 isp->smk_inode = smk_of_current(); in smack_d_instantiate()
3326 isp->smk_inode = &smack_known_star; in smack_d_instantiate()
3329 isp->smk_inode = sbsp->smk_root; in smack_d_instantiate()
3332 isp->smk_flags |= SMK_INODE_INSTANT; in smack_d_instantiate()
3342 switch (sbp->s_magic) { in smack_d_instantiate()
3392 if (S_ISSOCK(inode->i_mode)) { in smack_d_instantiate()
3402 if (!(inode->i_opflags & IOP_XATTR)) in smack_d_instantiate()
3415 if (S_ISDIR(inode->i_mode)) { in smack_d_instantiate()
3425 if (isp->smk_flags & SMK_INODE_CHANGED) { in smack_d_instantiate()
3426 isp->smk_flags &= ~SMK_INODE_CHANGED; in smack_d_instantiate()
3437 rc = -EINVAL; in smack_d_instantiate()
3449 isp->smk_task = skp; in smack_d_instantiate()
3455 isp->smk_mmap = skp; in smack_d_instantiate()
3462 isp->smk_inode = ckp; in smack_d_instantiate()
3464 isp->smk_inode = final; in smack_d_instantiate()
3466 isp->smk_flags |= (SMK_INODE_INSTANT | transflag); in smack_d_instantiate()
3472 * smack_getprocattr - Smack process attribute access
3488 return -EINVAL; in smack_getprocattr()
3490 cp = kstrdup(skp->smk_known, GFP_KERNEL); in smack_getprocattr()
3492 return -ENOMEM; in smack_getprocattr()
3500 * smack_setprocattr - Smack process attribute setting
3518 if (!smack_privileged(CAP_MAC_ADMIN) && list_empty(&tsp->smk_relabel)) in smack_setprocattr()
3519 return -EPERM; in smack_setprocattr()
3522 return -EINVAL; in smack_setprocattr()
3525 return -EINVAL; in smack_setprocattr()
3536 return -EINVAL; in smack_setprocattr()
3539 rc = -EPERM; in smack_setprocattr()
3540 list_for_each_entry(sklep, &tsp->smk_relabel, list) in smack_setprocattr()
3541 if (sklep->smk_label == skp) { in smack_setprocattr()
3551 return -ENOMEM; in smack_setprocattr()
3554 tsp->smk_task = skp; in smack_setprocattr()
3558 smk_destroy_label_list(&tsp->smk_relabel); in smack_setprocattr()
3565 * smack_unix_stream_connect - Smack access on UDS
3578 struct socket_smack *ssp = sock->sk_security; in smack_unix_stream_connect()
3579 struct socket_smack *osp = other->sk_security; in smack_unix_stream_connect()
3580 struct socket_smack *nsp = newsk->sk_security; in smack_unix_stream_connect()
3588 skp = ssp->smk_out; in smack_unix_stream_connect()
3589 okp = osp->smk_in; in smack_unix_stream_connect()
3597 okp = osp->smk_out; in smack_unix_stream_connect()
3598 skp = ssp->smk_in; in smack_unix_stream_connect()
3609 nsp->smk_packet = ssp->smk_out; in smack_unix_stream_connect()
3610 ssp->smk_packet = osp->smk_out; in smack_unix_stream_connect()
3617 * smack_unix_may_send - Smack access on UDS
3626 struct socket_smack *ssp = sock->sk->sk_security; in smack_unix_may_send()
3627 struct socket_smack *osp = other->sk->sk_security; in smack_unix_may_send()
3635 smk_ad_setfield_u_net_sk(&ad, other->sk); in smack_unix_may_send()
3641 rc = smk_access(ssp->smk_out, osp->smk_in, MAY_WRITE, &ad); in smack_unix_may_send()
3642 rc = smk_bu_note("UDS send", ssp->smk_out, osp->smk_in, MAY_WRITE, rc); in smack_unix_may_send()
3647 * smack_socket_sendmsg - Smack check based on destination host
3659 struct sockaddr_in *sip = (struct sockaddr_in *) msg->msg_name; in smack_socket_sendmsg()
3661 struct sockaddr_in6 *sap = (struct sockaddr_in6 *) msg->msg_name; in smack_socket_sendmsg()
3664 struct socket_smack *ssp = sock->sk->sk_security; in smack_socket_sendmsg()
3675 switch (sock->sk->sk_family) { in smack_socket_sendmsg()
3677 if (msg->msg_namelen < sizeof(struct sockaddr_in) || in smack_socket_sendmsg()
3678 sip->sin_family != AF_INET) in smack_socket_sendmsg()
3679 return -EINVAL; in smack_socket_sendmsg()
3680 rc = smk_ipv4_check(sock->sk, sip); in smack_socket_sendmsg()
3684 if (msg->msg_namelen < SIN6_LEN_RFC2133 || in smack_socket_sendmsg()
3685 sap->sin6_family != AF_INET6) in smack_socket_sendmsg()
3686 return -EINVAL; in smack_socket_sendmsg()
3690 rc = smk_ipv6_check(ssp->smk_out, rsp, sap, in smack_socket_sendmsg()
3694 rc = smk_ipv6_port_check(sock->sk, sap, SMK_SENDING); in smack_socket_sendmsg()
3703 * smack_from_secattr - Convert a netlabel attr.mls.lvl/attr.mls.cat pair to smack
3720 if ((sap->flags & NETLBL_SECATTR_CACHE) != 0) in smack_from_secattr()
3721 return (struct smack_known *)sap->cache->data; in smack_from_secattr()
3723 if ((sap->flags & NETLBL_SECATTR_SECID) != 0) in smack_from_secattr()
3727 return smack_from_secid(sap->attr.secid); in smack_from_secattr()
3729 if ((sap->flags & NETLBL_SECATTR_MLS_LVL) != 0) { in smack_from_secattr()
3742 if (sap->attr.mls.lvl != skp->smk_netlabel.attr.mls.lvl) in smack_from_secattr()
3747 if ((sap->flags & NETLBL_SECATTR_MLS_CAT) == 0) { in smack_from_secattr()
3748 if ((skp->smk_netlabel.flags & in smack_from_secattr()
3753 for (acat = -1, kcat = -1; acat == kcat; ) { in smack_from_secattr()
3754 acat = netlbl_catmap_walk(sap->attr.mls.cat, in smack_from_secattr()
3757 skp->smk_netlabel.attr.mls.cat, in smack_from_secattr()
3772 if (ssp != NULL && ssp->smk_in == &smack_known_star) in smack_from_secattr()
3789 int proto = -EINVAL; in smk_skb_to_addr_ipv6()
3797 sip->sin6_port = 0; in smk_skb_to_addr_ipv6()
3802 return -EINVAL; in smk_skb_to_addr_ipv6()
3803 sip->sin6_addr = ip6->saddr; in smk_skb_to_addr_ipv6()
3805 nexthdr = ip6->nexthdr; in smk_skb_to_addr_ipv6()
3809 return -EINVAL; in smk_skb_to_addr_ipv6()
3816 sip->sin6_port = th->source; in smk_skb_to_addr_ipv6()
3822 sip->sin6_port = uh->source; in smk_skb_to_addr_ipv6()
3827 sip->sin6_port = dh->dccph_sport; in smk_skb_to_addr_ipv6()
3835 * smack_from_skb - Smack data from the secmark in an skb
3843 if (skb == NULL || skb->secmark == 0) in smack_from_skb()
3846 return smack_from_secid(skb->secmark); in smack_from_skb()
3856 * smack_from_netlbl - Smack data from the IP options in an skb
3876 ssp = sk->sk_security; in smack_from_netlbl()
3881 netlbl_cache_add(skb, family, &skp->smk_netlabel); in smack_from_netlbl()
3890 * smack_socket_sock_rcv_skb - Smack packet delivery access check
3898 struct socket_smack *ssp = sk->sk_security; in smack_socket_sock_rcv_skb()
3902 u16 family = sk->sk_family; in smack_socket_sock_rcv_skb()
3910 if (family == PF_INET6 && skb->protocol == htons(ETH_P_IP)) in smack_socket_sock_rcv_skb()
3930 ad.a.u.net->family = family; in smack_socket_sock_rcv_skb()
3931 ad.a.u.net->netif = skb->skb_iif; in smack_socket_sock_rcv_skb()
3940 rc = smk_access(skp, ssp->smk_in, MAY_WRITE, &ad); in smack_socket_sock_rcv_skb()
3941 rc = smk_bu_note("IPv4 delivery", skp, ssp->smk_in, in smack_socket_sock_rcv_skb()
3963 ad.a.u.net->family = family; in smack_socket_sock_rcv_skb()
3964 ad.a.u.net->netif = skb->skb_iif; in smack_socket_sock_rcv_skb()
3967 rc = smk_access(skp, ssp->smk_in, MAY_WRITE, &ad); in smack_socket_sock_rcv_skb()
3968 rc = smk_bu_note("IPv6 delivery", skp, ssp->smk_in, in smack_socket_sock_rcv_skb()
3985 * smack_socket_getpeersec_stream - pull in packet label
4002 ssp = sock->sk->sk_security; in smack_socket_getpeersec_stream()
4003 if (ssp->smk_packet != NULL) { in smack_socket_getpeersec_stream()
4004 rcp = ssp->smk_packet->smk_known; in smack_socket_getpeersec_stream()
4009 rc = -ERANGE; in smack_socket_getpeersec_stream()
4011 rc = -EFAULT; in smack_socket_getpeersec_stream()
4014 rc = -EFAULT; in smack_socket_getpeersec_stream()
4021 * smack_socket_getpeersec_dgram - pull in packet label
4039 if (skb->protocol == htons(ETH_P_IP)) in smack_socket_getpeersec_dgram()
4042 else if (skb->protocol == htons(ETH_P_IPV6)) in smack_socket_getpeersec_dgram()
4047 family = sock->sk->sk_family; in smack_socket_getpeersec_dgram()
4051 ssp = sock->sk->sk_security; in smack_socket_getpeersec_dgram()
4052 s = ssp->smk_out->smk_secid; in smack_socket_getpeersec_dgram()
4057 s = skp->smk_secid; in smack_socket_getpeersec_dgram()
4064 sk = sock->sk; in smack_socket_getpeersec_dgram()
4067 s = skp->smk_secid; in smack_socket_getpeersec_dgram()
4073 s = skp->smk_secid; in smack_socket_getpeersec_dgram()
4079 return -EINVAL; in smack_socket_getpeersec_dgram()
4084 * smack_sock_graft - Initialize a newly created socket with an existing sock
4097 (sk->sk_family != PF_INET && sk->sk_family != PF_INET6)) in smack_sock_graft()
4100 ssp = sk->sk_security; in smack_sock_graft()
4101 ssp->smk_in = skp; in smack_sock_graft()
4102 ssp->smk_out = skp; in smack_sock_graft()
4103 /* cssp->smk_packet is already set in smack_inet_csk_clone() */ in smack_sock_graft()
4107 * smack_inet_conn_request - Smack access check on connect
4118 u16 family = sk->sk_family; in smack_inet_conn_request()
4120 struct socket_smack *ssp = sk->sk_security; in smack_inet_conn_request()
4137 if (skb->protocol == htons(ETH_P_IP)) in smack_inet_conn_request()
4158 ad.a.u.net->family = family; in smack_inet_conn_request()
4159 ad.a.u.net->netif = skb->skb_iif; in smack_inet_conn_request()
4166 rc = smk_access(skp, ssp->smk_in, MAY_WRITE, &ad); in smack_inet_conn_request()
4167 rc = smk_bu_note("IPv4 connect", skp, ssp->smk_in, MAY_WRITE, rc); in smack_inet_conn_request()
4175 req->peer_secid = skp->smk_secid; in smack_inet_conn_request()
4180 * propagate the wire-label to the sock when it is created. in smack_inet_conn_request()
4183 addr.sin_addr.s_addr = hdr->saddr; in smack_inet_conn_request()
4189 rc = netlbl_req_setattr(req, &skp->smk_netlabel); in smack_inet_conn_request()
4197 * smack_inet_csk_clone - Copy the connection information to the new socket
4206 struct socket_smack *ssp = sk->sk_security; in smack_inet_csk_clone()
4209 if (req->peer_secid != 0) { in smack_inet_csk_clone()
4210 skp = smack_from_secid(req->peer_secid); in smack_inet_csk_clone()
4211 ssp->smk_packet = skp; in smack_inet_csk_clone()
4213 ssp->smk_packet = NULL; in smack_inet_csk_clone()
4226 * smack_key_alloc - Set the key security blob
4240 key->security = skp; in smack_key_alloc()
4245 * smack_key_free - Clear the key security blob
4252 key->security = NULL; in smack_key_free()
4256 * smack_key_permission - Smack access on a key
4295 return -EINVAL; in smack_key_permission()
4300 return -EINVAL; in smack_key_permission()
4305 if (keyp->security == NULL) in smack_key_permission()
4311 return -EACCES; in smack_key_permission()
4318 ad.a.u.key_struct.key = keyp->serial; in smack_key_permission()
4319 ad.a.u.key_struct.key_desc = keyp->description; in smack_key_permission()
4321 rc = smk_access(tkp, keyp->security, request, &ad); in smack_key_permission()
4322 rc = smk_bu_note("key access", tkp, keyp->security, request, rc); in smack_key_permission()
4327 * smack_key_getsecurity - Smack label tagging the key
4331 * Return the length of the string (including terminating NUL) or -ve if
4337 struct smack_known *skp = key->security; in smack_key_getsecurity()
4341 if (key->security == NULL) { in smack_key_getsecurity()
4346 copy = kstrdup(skp->smk_known, GFP_KERNEL); in smack_key_getsecurity()
4348 return -ENOMEM; in smack_key_getsecurity()
4358 * smack_watch_key - Smack access to watch a key for notifications.
4361 * Return 0 if the @watch->cred has permission to read from the key object and
4371 return -EINVAL; in smack_watch_key()
4376 if (key->security == NULL) in smack_watch_key()
4382 return -EACCES; in smack_watch_key()
4389 ad.a.u.key_struct.key = key->serial; in smack_watch_key()
4390 ad.a.u.key_struct.key_desc = key->description; in smack_watch_key()
4392 rc = smk_access(tkp, key->security, MAY_READ, &ad); in smack_watch_key()
4393 rc = smk_bu_note("key watch", tkp, key->security, MAY_READ, rc); in smack_watch_key()
4401 * smack_post_notification - Smack access to post a notification to a queue
4415 if (n->type == WATCH_TYPE_META) in smack_post_notification()
4446 * smack_audit_rule_init - Initialize a smack audit rule
4447 * @field: audit rule fields given from user-space (audit.h)
4462 return -EINVAL; in smack_audit_rule_init()
4465 return -EINVAL; in smack_audit_rule_init()
4471 *rule = skp->smk_known; in smack_audit_rule_init()
4477 * smack_audit_rule_known - Distinguish Smack audit rules
4489 for (i = 0; i < krule->field_count; i++) { in smack_audit_rule_known()
4490 f = &krule->fields[i]; in smack_audit_rule_known()
4492 if (f->type == AUDIT_SUBJ_USER || f->type == AUDIT_OBJ_USER) in smack_audit_rule_known()
4500 * smack_audit_rule_match - Audit given object ?
4502 * @field: audit rule flags given from user-space
4516 return -ENOENT; in smack_audit_rule_match()
4530 return (rule == skp->smk_known); in smack_audit_rule_match()
4532 return (rule != skp->smk_known); in smack_audit_rule_match()
4545 * smack_ismaclabel - check if xattr @name references a smack MAC label
4555 * smack_secid_to_secctx - return the smack label for a secid
4567 *secdata = skp->smk_known; in smack_secid_to_secctx()
4568 *seclen = strlen(skp->smk_known); in smack_secid_to_secctx()
4573 * smack_secctx_to_secid - return the secid for a smack label
4585 *secid = skp->smk_secid; in smack_secctx_to_secid()
4613 *ctx = skp->smk_known; in smack_inode_getsecctx()
4614 *ctxlen = strlen(skp->smk_known); in smack_inode_getsecctx()
4629 return -ENOMEM; in smack_inode_copy_up()
4637 isp = smack_inode(d_inode(dentry->d_parent)); in smack_inode_copy_up()
4638 skp = isp->smk_inode; in smack_inode_copy_up()
4639 tsp->smk_task = skp; in smack_inode_copy_up()
4652 return -EOPNOTSUPP; in smack_inode_copy_up_xattr()
4669 ntsp->smk_task = otsp->smk_task; in smack_dentry_create_files_as()
4674 isp = smack_inode(d_inode(dentry->d_parent)); in smack_dentry_create_files_as()
4676 if (isp->smk_flags & SMK_INODE_TRANSMUTE) { in smack_dentry_create_files_as()
4678 may = smk_access_entry(otsp->smk_task->smk_known, in smack_dentry_create_files_as()
4679 isp->smk_inode->smk_known, in smack_dentry_create_files_as()
4680 &otsp->smk_task->smk_rules); in smack_dentry_create_files_as()
4689 ntsp->smk_task = isp->smk_inode; in smack_dentry_create_files_as()
4878 * smack_init - initialize the smack system
4880 * Returns 0 on success, -ENOMEM is there's no memory
4884 struct cred *cred = (struct cred *) current->cred; in smack_init()
4889 return -ENOMEM; in smack_init()