18
18
struct smack_known smack_known_huh = {
25
24
struct smack_known smack_known_hat = {
26
.smk_next = &smack_known_huh,
32
30
struct smack_known smack_known_star = {
33
.smk_next = &smack_known_hat,
39
36
struct smack_known smack_known_floor = {
40
.smk_next = &smack_known_star,
46
42
struct smack_known smack_known_invalid = {
47
.smk_next = &smack_known_floor,
53
48
struct smack_known smack_known_web = {
54
.smk_next = &smack_known_invalid,
60
struct smack_known *smack_known = &smack_known_web;
54
LIST_HEAD(smack_known_list);
63
57
* The initial value needs to be bigger than any of the
66
60
static u32 smack_next_secid = 10;
63
* what events do we log
64
* can be overwritten at run-time by /smack/logging
66
int log_policy = SMACK_AUDIT_DENIED;
69
69
* smk_access - determine if a subject has a specific access to an object
70
70
* @subject_label: a pointer to the subject's Smack label
71
71
* @object_label: a pointer to the object's Smack label
72
72
* @request: the access requested, in "MAY" format
73
* @a : a pointer to the audit data
74
75
* This function looks up the subject/object pair in the
75
76
* access rule list and returns 0 if the access is permitted,
84
85
* will be on the list, so checking the pointers may be a worthwhile
87
int smk_access(char *subject_label, char *object_label, int request)
88
int smk_access(char *subject_label, char *object_label, int request,
89
struct smk_audit_info *a)
90
struct smk_list_entry *sp;
91
92
struct smack_rule *srp;
94
96
* Hardcoded comparisons.
107
111
subject_label == smack_known_web.smk_known ||
108
112
strcmp(object_label, smack_known_web.smk_known) == 0 ||
109
113
strcmp(subject_label, smack_known_web.smk_known) == 0)
112
116
* A star object can be accessed by any subject.
114
118
if (object_label == smack_known_star.smk_known ||
115
119
strcmp(object_label, smack_known_star.smk_known) == 0)
118
122
* An object can be accessed in any way by a subject
119
123
* with the same label.
121
125
if (subject_label == object_label ||
122
126
strcmp(subject_label, object_label) == 0)
125
129
* A hat subject can read any object.
126
130
* A floor object can be read by any subject.
155
159
* This is a bit map operation.
157
161
if ((request & may) == request)
168
smack_log(subject_label, object_label, request, rc, a);
164
174
* smk_curacc - determine if current has a specific access to an object
165
* @object_label: a pointer to the object's Smack label
166
* @request: the access requested, in "MAY" format
175
* @obj_label: a pointer to the object's Smack label
176
* @mode: the access requested, in "MAY" format
177
* @a : common audit data
168
179
* This function checks the current subject label/object label pair
169
180
* in the access rule list and returns 0 if the access is permitted,
170
181
* non zero otherwise. It allows that current may have the capability
171
182
* to override the rules.
173
int smk_curacc(char *obj_label, u32 mode)
184
int smk_curacc(char *obj_label, u32 mode, struct smk_audit_info *a)
187
char *sp = current_security();
177
rc = smk_access(current_security(), obj_label, mode);
189
rc = smk_access(sp, obj_label, mode, NULL);
182
194
* Return if a specific label has been designated as the
184
196
* have that label.
186
198
if (smack_onlycap != NULL && smack_onlycap != current->cred->security)
189
201
if (capable(CAP_MAC_OVERRIDE))
207
smack_log(sp, obj_label, mode, rc, a);
214
* smack_str_from_perm : helper to transalate an int to a
216
* @string : the string to fill
220
static inline void smack_str_from_perm(char *string, int access)
223
if (access & MAY_READ)
225
if (access & MAY_WRITE)
227
if (access & MAY_EXEC)
229
if (access & MAY_APPEND)
234
* smack_log_callback - SMACK specific information
235
* will be called by generic audit code
236
* @ab : the audit_buffer
240
static void smack_log_callback(struct audit_buffer *ab, void *a)
242
struct common_audit_data *ad = a;
243
struct smack_audit_data *sad = &ad->lsm_priv.smack_audit_data;
244
audit_log_format(ab, "lsm=SMACK fn=%s action=%s", ad->function,
245
sad->result ? "denied" : "granted");
246
audit_log_format(ab, " subject=");
247
audit_log_untrustedstring(ab, sad->subject);
248
audit_log_format(ab, " object=");
249
audit_log_untrustedstring(ab, sad->object);
250
audit_log_format(ab, " requested=%s", sad->request);
254
* smack_log - Audit the granting or denial of permissions.
255
* @subject_label : smack label of the requester
256
* @object_label : smack label of the object being accessed
257
* @request: requested permissions
258
* @result: result from smk_access
259
* @a: auxiliary audit data
261
* Audit the granting or denial of permissions in accordance
264
void smack_log(char *subject_label, char *object_label, int request,
265
int result, struct smk_audit_info *ad)
267
char request_buffer[SMK_NUM_ACCESS_TYPE + 1];
268
struct smack_audit_data *sad;
269
struct common_audit_data *a = &ad->a;
271
/* check if we have to log the current event */
272
if (result != 0 && (log_policy & SMACK_AUDIT_DENIED) == 0)
274
if (result == 0 && (log_policy & SMACK_AUDIT_ACCEPT) == 0)
277
if (a->function == NULL)
278
a->function = "unknown";
280
/* end preparing the audit data */
281
sad = &a->lsm_priv.smack_audit_data;
282
smack_str_from_perm(request_buffer, request);
283
sad->subject = subject_label;
284
sad->object = object_label;
285
sad->request = request_buffer;
286
sad->result = result;
287
a->lsm_pre_audit = smack_log_callback;
291
#else /* #ifdef CONFIG_AUDIT */
292
void smack_log(char *subject_label, char *object_label, int request,
293
int result, struct smk_audit_info *ad)
195
298
static DEFINE_MUTEX(smack_known_lock);
229
333
mutex_lock(&smack_known_lock);
231
for (skp = smack_known; skp != NULL; skp = skp->smk_next)
232
if (strncmp(skp->smk_known, smack, SMK_MAXLEN) == 0)
336
list_for_each_entry_rcu(skp, &smack_known_list, list) {
337
if (strncmp(skp->smk_known, smack, SMK_MAXLEN) == 0) {
236
344
skp = kzalloc(sizeof(struct smack_known), GFP_KERNEL);
237
345
if (skp != NULL) {
238
skp->smk_next = smack_known;
239
346
strncpy(skp->smk_known, smack, SMK_MAXLEN);
240
347
skp->smk_secid = smack_next_secid++;
241
348
skp->smk_cipso = NULL;
284
393
struct smack_known *skp;
286
for (skp = smack_known; skp != NULL; skp = skp->smk_next)
287
if (skp->smk_secid == secid)
396
list_for_each_entry_rcu(skp, &smack_known_list, list) {
397
if (skp->smk_secid == secid) {
288
399
return skp->smk_known;
291
404
* If we got this far someone asked for the translation
292
405
* of a secid that is not on the list.
294
408
return smack_known_invalid.smk_known;
360
481
int smack_to_cipso(const char *smack, struct smack_cipso *cp)
362
483
struct smack_known *kp;
364
for (kp = smack_known; kp != NULL; kp = kp->smk_next)
487
list_for_each_entry_rcu(kp, &smack_known_list, list) {
365
488
if (kp->smk_known == smack ||
366
strcmp(kp->smk_known, smack) == 0)
489
strcmp(kp->smk_known, smack) == 0) {
369
if (kp == NULL || kp->smk_cipso == NULL)
496
if (found == 0 || kp->smk_cipso == NULL)
372
499
memcpy(cp, kp->smk_cipso, sizeof(struct smack_cipso));