Date: Thu, 9 Jul 2015 13:08:08 +0300
From: Sergei Zviagintsev
To: Paul Osmialowski
Cc: Paul Moore, James Morris, Casey Schaufler, "Serge E. Hallyn", Kees Cook, Tetsuo Handa, Stephen Smalley, Neil Brown, Mark Rustad, Greg Kroah-Hartman, Daniel Mack, David Herrmann, Djalal Harouni, Shuah Khan, Al Viro, linux-security-module@vger.kernel.org, linux-kernel@vger.kernel.org, linux-api@vger.kernel.org, Karol Lewandowski, Lukasz Skalski
Subject: Re: [RFC 4/8] lsm: smack: smack callbacks for kdbus security hooks
Message-ID: <20150709100808.GH25971@localhost.localdomain>
References: <1436351110-5902-1-git-send-email-p.osmialowsk@samsung.com> <1436351110-5902-5-git-send-email-p.osmialowsk@samsung.com>
In-Reply-To: <1436351110-5902-5-git-send-email-p.osmialowsk@samsung.com>
User-Agent: Mutt/1.5.23 (2014-03-12)

Hi,

On Wed, Jul 08, 2015 at 12:25:06PM +0200, Paul Osmialowski wrote:
> This adds implementation of three smack callbacks sitting behind kdbus
> security hooks as proposed by Karol Lewandowski.
>
> Originates from:
>
> git://git.infradead.org/users/pcmoore/selinux (branch: working-kdbus)
> commit: fc3505d058c001fe72a6f66b833e0be5b2d118f3
>
> https://github.com/lmctl/linux.git (branch: kdbus-lsm-v4.for-systemd-v212)
> commit: 103c26fd27d1ec8c32d85dd3d85681f936ac66fb
>
> Signed-off-by: Karol Lewandowski
> Signed-off-by: Paul Osmialowski > --- > security/smack/smack_lsm.c | 68 ++++++++++++++++++++++++++++++++++++++++++++++ > 1 file changed, 68 insertions(+) > > diff --git a/security/smack/smack_lsm.c b/security/smack/smack_lsm.c > index a143328..033b756 100644 > --- a/security/smack/smack_lsm.c > +++ b/security/smack/smack_lsm.c > @@ -41,6 +41,7 @@ > #include > #include > #include > +#include > #include "smack.h" > > #define TRANS_TRUE "TRUE" 
> @@ -3336,6 +3337,69 @@ static int smack_setprocattr(struct task_struct *p, char *name, > } > > /** > + * smack_kdbus_connect - Set the security blob for a KDBus connection > + * @conn: the connection > + * @secctx: smack label > + * @seclen: smack label length > + * > + * Returns 0 > + */ > +static int smack_kdbus_connect(struct kdbus_conn *conn, > + const char *secctx, u32 seclen) > +{ > + struct smack_known *skp; > + > + if (secctx && seclen > 0) > + skp = smk_import_entry(secctx, seclen); > + else > + skp = smk_of_current(); > + conn->security = skp; > + > + return 0; > +} > + > +/** > + * smack_kdbus_conn_free - Clear the security blob for a KDBus connection > + * @conn: the connection > + * > + * Clears the blob pointer > + */ > +static void smack_kdbus_conn_free(struct kdbus_conn *conn) > +{ > + conn->security = NULL; > +} > + > +/** > + * smack_kdbus_talk - Smack access on KDBus > + * @src: source kdbus connection > + * @dst: destination kdbus connection > + * > + * Return 0 if a subject with the smack of sock could access > + * an object with the smack of other, otherwise an error code > + */ > +static int smack_kdbus_talk(const struct kdbus_conn *src, > + const struct kdbus_conn *dst) > +{ > + struct smk_audit_info ad; > + struct smack_known *sskp = src->security; > + struct smack_known *dskp = dst->security; > + int ret; > + > + BUG_ON(sskp == NULL); > + BUG_ON(dskp == NULL); I am not familiar with the smack code so far, but I see that current security/smack/smack_lsm.c contains only one BUG_ON and this patch adds another two. > + > + if (smack_privileged(CAP_MAC_OVERRIDE)) > + return 0; > + > + smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_NONE); > + > + ret = smk_access(sskp, dskp, MAY_WRITE, &ad); > + if (ret) > + return ret; > + return 0; Three redundant lines here. > +} > + > +/** > * smack_unix_stream_connect - Smack access on UDS > * @sock: one sock > * @other: the other sock 
> @@ -4393,6 +4457,10 @@ struct security_hook_list smack_hooks[] = { > LSM_HOOK_INIT(inode_notifysecctx, smack_inode_notifysecctx), > LSM_HOOK_INIT(inode_setsecctx, smack_inode_setsecctx), > LSM_HOOK_INIT(inode_getsecctx, smack_inode_getsecctx), > + > + LSM_HOOK_INIT(kdbus_connect, smack_kdbus_connect), > + LSM_HOOK_INIT(kdbus_conn_free, smack_kdbus_conn_free), > + LSM_HOOK_INIT(kdbus_talk, smack_kdbus_talk), > }; > > > -- > 1.9.1 > > -- > To unsubscribe from this list: send the line "unsubscribe linux-kernel" in > the body of a message to majordomo@vger.kernel.org > More majordomo info at http://vger.kernel.org/majordomo-info.html > Please read the FAQ at http://www.tux.org/lkml/ -- To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to majordomo@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/
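Review bot: in the @@ -3336 hunk, smack_kdbus_connect() stores the result of smk_import_entry() into conn->security without checking it, while smack_kdbus_talk() later does BUG_ON(sskp == NULL) / BUG_ON(dskp == NULL) on that same field, so a secctx that fails to import is converted into a kernel BUG at talk time rather than a refused connection. Check the return value and fail the connect with an error (and change the kerneldoc from "Returns 0" to "Returns 0 on success or a negative errno"), then replace the two BUG_ON calls with an error return such as -EACCES when either blob is missing. Two smaller points in the same hunk: the smack_kdbus_talk() kerneldoc still talks about "the smack of sock" and "the smack of other", which are the parameter names of smack_unix_stream_connect() rather than @src/@dst, and smack_privileged(CAP_MAC_OVERRIDE) tests the calling task rather than the task behind @src, so it is worth confirming that the kdbus_talk hook only ever runs in the sender's context; the `ret = smk_access(...); if (ret) return ret; return 0;` tail can simply be `return smk_access(sskp, dskp, MAY_WRITE, &ad);`, as Sergei already notes.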