Loading security/smack/Kconfig +12 −0 Original line number Diff line number Diff line Loading @@ -40,3 +40,15 @@ config SECURITY_SMACK_NETFILTER This enables security marking of network packets using Smack labels. If you are unsure how to answer this question, answer N. config SECURITY_SMACK_APPEND_SIGNALS bool "Treat delivering signals as an append operation" depends on SECURITY_SMACK default n help Sending a signal has been treated as a write operation to the receiving process. If this option is selected, the delivery will be an append operation instead. This makes it possible to differentiate between delivering a network packet and delivering a signal in the Smack rules. If you are unsure how to answer this question, answer N. security/smack/smack.h +10 −0 Original line number Diff line number Diff line Loading @@ -256,6 +256,16 @@ enum { #define MAY_LOCK 0x00002000 /* Locks should be writes, but ... */ #define MAY_BRINGUP 0x00004000 /* Report use of this rule */ /* * The policy for delivering signals is configurable. * It is usually "write", but can be "append". */ #ifdef CONFIG_SECURITY_SMACK_APPEND_SIGNALS #define MAY_DELIVER MAY_APPEND /* Signal delivery requires append */ #else #define MAY_DELIVER MAY_WRITE /* Signal delivery requires write */ #endif #define SMACK_BRINGUP_ALLOW 1 /* Allow bringup mode */ #define SMACK_UNCONFINED_SUBJECT 2 /* Allow unconfined label */ #define SMACK_UNCONFINED_OBJECT 3 /* Allow unconfined label */ Loading security/smack/smack_lsm.c +7 −7 Original line number Diff line number Diff line Loading 
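Review bot: The help text for SECURITY_SMACK_APPEND_SIGNALS does not state the consequence for deployed rule sets: once signal delivery is checked as MAY_APPEND, a rule that grants the sender only "w" on the receiver will no longer permit a signal, so existing policies need "a" added before the option is enabled. Suggest appending to the help text: `Note that with this option enabled, existing rules must grant append ("a") rather than write ("w") access for a signal to be delivered.` The motivation (telling packets and signals apart) is already given, so only the migration note is missing. The same section is repeated further down the page.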
@@ -1857,14 +1857,14 @@ static int smack_file_send_sigiotask(struct task_struct *tsk, /* we don't log here as rc can be overriden */ skp = file->f_security; rc = smk_access(skp, tkp, MAY_WRITE, NULL); rc = smk_bu_note("sigiotask", skp, tkp, MAY_WRITE, rc); rc = smk_access(skp, tkp, MAY_DELIVER, NULL); rc = smk_bu_note("sigiotask", skp, tkp, MAY_DELIVER, rc); if (rc != 0 && has_capability(tsk, CAP_MAC_OVERRIDE)) rc = 0; smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_TASK); smk_ad_setfield_u_tsk(&ad, tsk); smack_log(skp->smk_known, tkp->smk_known, MAY_WRITE, rc, &ad); smack_log(skp->smk_known, tkp->smk_known, MAY_DELIVER, rc, &ad); return rc; } Loading Loading @@ -2265,8 +2265,8 @@ static int smack_task_kill(struct task_struct *p, struct siginfo *info, * can write the receiver. */ if (secid == 0) { rc = smk_curacc(tkp, MAY_WRITE, &ad); rc = smk_bu_task(p, MAY_WRITE, rc); rc = smk_curacc(tkp, MAY_DELIVER, &ad); rc = smk_bu_task(p, MAY_DELIVER, rc); return rc; } /* Loading @@ -2275,8 +2275,8 @@ static int smack_task_kill(struct task_struct *p, struct siginfo *info, * we can't take privilege into account. */ skp = smack_from_secid(secid); rc = smk_access(skp, tkp, MAY_WRITE, &ad); rc = smk_bu_note("USB signal", skp, tkp, MAY_WRITE, rc); rc = smk_access(skp, tkp, MAY_DELIVER, &ad); rc = smk_bu_note("USB signal", skp, tkp, MAY_DELIVER, rc); return rc; } Loading security/smack/smackfs.c +3 −8 Original line number Diff line number Diff line Loading @@ -2523,14 +2523,9 @@ static ssize_t smk_write_revoke_subj(struct file *file, const char __user *buf, if (count == 0 || count > SMK_LONGLABEL) return -EINVAL; data = kzalloc(count, GFP_KERNEL); if (data == NULL) return -ENOMEM; if (copy_from_user(data, buf, count) != 0) { rc = -EFAULT; goto out_data; } data = memdup_user(buf, count); if (IS_ERR(data)) return PTR_ERR(data); cp = smk_parse_smack(data, count); if (IS_ERR(cp)) { Loading Loading
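Review bot: The context comment above the `secid == 0` branch of smack_task_kill still reads `* can write the receiver.`, which becomes stale when MAY_DELIVER is configured as MAY_APPEND; suggest `* can deliver a signal to (MAY_DELIVER) the receiver.` so the comment tracks the macro rather than one of its two values. The same "write" wording may also head the second smack_task_kill hunk at -2275 (its leading comment is cut off in this view), so check it too. Both smack_task_kill hunks and the smack_file_send_sigiotask hunk start and end outside the function bodies shown.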
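Review bot: Dropping the `rc = -EFAULT; goto out_data;` path in smk_write_revoke_subj removes the only assignment to `rc` visible in this hunk; the function continues outside the hunk, so confirm that `rc` is still initialized on every path that reaches `out_data` and that the label keeps at least one remaining user, otherwise the compiler will warn about an unused label or an uninitialized return. The preceding `count > SMK_LONGLABEL` check still bounds the user-controlled size passed to memdup_user, so the allocation stays capped as before.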
security/smack/Kconfig +12 −0 Original line number Diff line number Diff line Loading @@ -40,3 +40,15 @@ config SECURITY_SMACK_NETFILTER This enables security marking of network packets using Smack labels. If you are unsure how to answer this question, answer N. config SECURITY_SMACK_APPEND_SIGNALS bool "Treat delivering signals as an append operation" depends on SECURITY_SMACK default n help Sending a signal has been treated as a write operation to the receiving process. If this option is selected, the delivery will be an append operation instead. This makes it possible to differentiate between delivering a network packet and delivering a signal in the Smack rules. If you are unsure how to answer this question, answer N.
security/smack/smack.h +10 −0 Original line number Diff line number Diff line Loading @@ -256,6 +256,16 @@ enum { #define MAY_LOCK 0x00002000 /* Locks should be writes, but ... */ #define MAY_BRINGUP 0x00004000 /* Report use of this rule */ /* * The policy for delivering signals is configurable. * It is usually "write", but can be "append". */ #ifdef CONFIG_SECURITY_SMACK_APPEND_SIGNALS #define MAY_DELIVER MAY_APPEND /* Signal delivery requires append */ #else #define MAY_DELIVER MAY_WRITE /* Signal delivery requires write */ #endif #define SMACK_BRINGUP_ALLOW 1 /* Allow bringup mode */ #define SMACK_UNCONFINED_SUBJECT 2 /* Allow unconfined label */ #define SMACK_UNCONFINED_OBJECT 3 /* Allow unconfined label */ Loading
security/smack/smack_lsm.c +7 −7 Original line number Diff line number Diff line Loading @@ -1857,14 +1857,14 @@ static int smack_file_send_sigiotask(struct task_struct *tsk, /* we don't log here as rc can be overriden */ skp = file->f_security; rc = smk_access(skp, tkp, MAY_WRITE, NULL); rc = smk_bu_note("sigiotask", skp, tkp, MAY_WRITE, rc); rc = smk_access(skp, tkp, MAY_DELIVER, NULL); rc = smk_bu_note("sigiotask", skp, tkp, MAY_DELIVER, rc); if (rc != 0 && has_capability(tsk, CAP_MAC_OVERRIDE)) rc = 0; smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_TASK); smk_ad_setfield_u_tsk(&ad, tsk); smack_log(skp->smk_known, tkp->smk_known, MAY_WRITE, rc, &ad); smack_log(skp->smk_known, tkp->smk_known, MAY_DELIVER, rc, &ad); return rc; } Loading Loading @@ -2265,8 +2265,8 @@ static int smack_task_kill(struct task_struct *p, struct siginfo *info, * can write the receiver. */ if (secid == 0) { rc = smk_curacc(tkp, MAY_WRITE, &ad); rc = smk_bu_task(p, MAY_WRITE, rc); rc = smk_curacc(tkp, MAY_DELIVER, &ad); rc = smk_bu_task(p, MAY_DELIVER, rc); return rc; } /* Loading @@ -2275,8 +2275,8 @@ static int smack_task_kill(struct task_struct *p, struct siginfo *info, * we can't take privilege into account. */ skp = smack_from_secid(secid); rc = smk_access(skp, tkp, MAY_WRITE, &ad); rc = smk_bu_note("USB signal", skp, tkp, MAY_WRITE, rc); rc = smk_access(skp, tkp, MAY_DELIVER, &ad); rc = smk_bu_note("USB signal", skp, tkp, MAY_DELIVER, rc); return rc; } Loading
security/smack/smackfs.c +3 −8 Original line number Diff line number Diff line Loading @@ -2523,14 +2523,9 @@ static ssize_t smk_write_revoke_subj(struct file *file, const char __user *buf, if (count == 0 || count > SMK_LONGLABEL) return -EINVAL; data = kzalloc(count, GFP_KERNEL); if (data == NULL) return -ENOMEM; if (copy_from_user(data, buf, count) != 0) { rc = -EFAULT; goto out_data; } data = memdup_user(buf, count); if (IS_ERR(data)) return PTR_ERR(data); cp = smk_parse_smack(data, count); if (IS_ERR(cp)) { Loading