From: Paul Osmialowski
To: Paul Moore, James Morris, Casey Schaufler, "Serge E. Hallyn", Kees Cook, Tetsuo Handa, Stephen Smalley, Neil Brown, Mark Rustad, Greg Kroah-Hartman, Daniel Mack, David Herrmann, Djalal Harouni, Shuah Khan, Al Viro, linux-security-module@vger.kernel.org, linux-kernel@vger.kernel.org, linux-api@vger.kernel.org
Cc: Karol Lewandowski, Paul Osmialowski, Lukasz Skalski
Subject: [RFC 4/8] lsm: smack: smack callbacks for kdbus security hooks
Date: Wed, 08 Jul 2015 12:25:06 +0200
Message-id: <1436351110-5902-5-git-send-email-p.osmialowsk@samsung.com>
X-Mailer: git-send-email 1.9.1
In-reply-to: <1436351110-5902-1-git-send-email-p.osmialowsk@samsung.com>
References: <1436351110-5902-1-git-send-email-p.osmialowsk@samsung.com>

This adds implementation of three smack callbacks sitting behind kdbus security hooks as proposed by Karol Lewandowski.

Originates from:

git://git.infradead.org/users/pcmoore/selinux (branch: working-kdbus)
commit: fc3505d058c001fe72a6f66b833e0be5b2d118f3

https://github.com/lmctl/linux.git (branch: kdbus-lsm-v4.for-systemd-v212)
commit: 103c26fd27d1ec8c32d85dd3d85681f936ac66fb

Signed-off-by: Karol Lewandowski
Signed-off-by: Paul Osmialowski

--- security/smack/smack_lsm.c | 68 ++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 68 insertions(+) diff --git a/security/smack/smack_lsm.c b/security/smack/smack_lsm.c index a143328..033b756 100644 --- a/security/smack/smack_lsm.c +++ b/security/smack/smack_lsm.c @@ -41,6 +41,7 @@ #include #include #include +#include #include "smack.h" #define TRANS_TRUE "TRUE" 
@@ -3336,6 +3337,69 @@ static int smack_setprocattr(struct task_struct *p, char *name, } /** + * smack_kdbus_connect - Set the security blob for a KDBus connection + * @conn: the connection + * @secctx: smack label + * @seclen: smack label length + * + * Returns 0 + */ +static int smack_kdbus_connect(struct kdbus_conn *conn, + const char *secctx, u32 seclen) +{ + struct smack_known *skp; + + if (secctx && seclen > 0) + skp = smk_import_entry(secctx, seclen); + else + skp = smk_of_current(); + conn->security = skp; + + return 0; +} + +/** + * smack_kdbus_conn_free - Clear the security blob for a KDBus connection + * @conn: the connection + * + * Clears the blob pointer + */ +static void smack_kdbus_conn_free(struct kdbus_conn *conn) +{ + conn->security = NULL; +} + +/** + * smack_kdbus_talk - Smack access on KDBus + * @src: source kdbus connection + * @dst: destination kdbus connection + * + * Return 0 if a subject with the smack of sock could access + * an object with the smack of other, otherwise an error code + */ +static int smack_kdbus_talk(const struct kdbus_conn *src, + const struct kdbus_conn *dst) +{ + struct smk_audit_info ad; + struct smack_known *sskp = src->security; + struct smack_known *dskp = dst->security; + int ret; + + BUG_ON(sskp == NULL); + BUG_ON(dskp == NULL); + + if (smack_privileged(CAP_MAC_OVERRIDE)) + return 0; + + smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_NONE); + + ret = smk_access(sskp, dskp, MAY_WRITE, &ad); + if (ret) + return ret; + return 0; +} + +/** * smack_unix_stream_connect - Smack access on UDS * @sock: one sock * @other: the other sock 
@@ -4393,6 +4457,10 @@ struct security_hook_list smack_hooks[] = { LSM_HOOK_INIT(inode_notifysecctx, smack_inode_notifysecctx), LSM_HOOK_INIT(inode_setsecctx, smack_inode_setsecctx), LSM_HOOK_INIT(inode_getsecctx, smack_inode_getsecctx), + + LSM_HOOK_INIT(kdbus_connect, smack_kdbus_connect), + LSM_HOOK_INIT(kdbus_conn_free, smack_kdbus_conn_free), + LSM_HOOK_INIT(kdbus_talk, smack_kdbus_talk), }; -- 1.9.1
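
Review bot: In the @@ -3336,6 +3337,69 @@ hunk, smack_kdbus_connect() stores the result of smk_import_entry(secctx, seclen) in conn->security without checking it and then returns 0 unconditionally, so a label that fails to import is still reported to the caller as a successful connect. The same pointer is later read in smack_kdbus_talk(), where "BUG_ON(sskp == NULL);" and "BUG_ON(dskp == NULL);" are the only validation, which means a bad secctx surfaces as a kernel BUG when a message is sent rather than as an error at connect time. Suggest checking the import result in smack_kdbus_connect() and returning an error code from there (and updating the "Returns 0" kernel-doc accordingly), and having smack_kdbus_talk() return an error instead of using BUG_ON on a value that derives from a caller-supplied label. Two smaller points in the same hunk: the smack_kdbus_talk() kernel-doc still refers to "the smack of sock" and "the smack of other" although the parameters are @src and @dst, and the tail "if (ret) return ret; return 0;" can be reduced to returning the smk_access() result directly.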