summaryrefslogtreecommitdiffstats
path: root/meta-rcar-gen2/recipes-kernel/linux/linux-renesas/smack/0017-Smack-Make-the-syslog-control-configurable.patch
diff options
context:
space:
mode:
authorYannick GICQUEL <yannick.gicquel@iot.bzh>2015-10-19 15:57:07 +0200
committerGerrit Code Review <gerrit@172.30.200.200>2015-11-06 15:23:36 +0000
commitede19ea0c47fb23f3fc779833d1e57cf76f3371e (patch)
tree47d6fae2283c54def1871aaf2a73828ac68b1b34 /meta-rcar-gen2/recipes-kernel/linux/linux-renesas/smack/0017-Smack-Make-the-syslog-control-configurable.patch
parent1cd8ab18abca96e4ee108f80225058d875b28347 (diff)
kernel: smack security backport from kernel 4
Here is the backport of all patches relating to smack support on kernel side. For more details, see file: meta-rcar-gen2/recipes-kernel/linux/linux-renesas/smack/README Please note that patches are applied only if "smack" is in the ditro features. Here are the 2 lines to add in the local.conf OVERRIDES .= ":smack" DISTRO_FEATURES_append = " smack" Change-Id: I147a3532aec531f977d6ec34c576261835711f1e Signed-off-by: Yannick GICQUEL <yannick.gicquel@iot.bzh> Signed-off-by: José Bollo <jose.bollo@iot.bzh>
Diffstat (limited to 'meta-rcar-gen2/recipes-kernel/linux/linux-renesas/smack/0017-Smack-Make-the-syslog-control-configurable.patch')
-rw-r--r--meta-rcar-gen2/recipes-kernel/linux/linux-renesas/smack/0017-Smack-Make-the-syslog-control-configurable.patch252
1 files changed, 252 insertions, 0 deletions
diff --git a/meta-rcar-gen2/recipes-kernel/linux/linux-renesas/smack/0017-Smack-Make-the-syslog-control-configurable.patch b/meta-rcar-gen2/recipes-kernel/linux/linux-renesas/smack/0017-Smack-Make-the-syslog-control-configurable.patch
new file mode 100644
index 0000000..a1bb4bf
--- /dev/null
+++ b/meta-rcar-gen2/recipes-kernel/linux/linux-renesas/smack/0017-Smack-Make-the-syslog-control-configurable.patch
@@ -0,0 +1,252 @@
+From c7928b67e3b2cd91da4cec3ae3bff33306efebe4 Mon Sep 17 00:00:00 2001
+From: Casey Schaufler <casey@schaufler-ca.com>
+Date: Mon, 23 Dec 2013 11:07:10 -0800
+Subject: [PATCH 17/54] Smack: Make the syslog control configurable
+
+The syslog control requires that the calling proccess
+have the floor ("_") Smack label. Tizen does not run any
+processes except for kernel helpers with the floor label.
+This changes allows the admin to configure a specific
+label for syslog. The default value is the star ("*")
+label, effectively removing the restriction. The value
+can be set using smackfs/syslog for anyone who wants
+a more restrictive behavior.
+
+Targeted for git://git.gitorious.org/smack-next/kernel.git
+
+Signed-off-by: Casey Schaufler <casey@schaufler-ca.com>
+---
+ security/smack/smack.h | 5 ++-
+ security/smack/smack_lsm.c | 4 +-
+ security/smack/smackfs.c | 103 +++++++++++++++++++++++++++++++++++++++++----
+ 3 files changed, 99 insertions(+), 13 deletions(-)
+
+diff --git a/security/smack/smack.h b/security/smack/smack.h
+index 364cc64..d072fd3 100644
+--- a/security/smack/smack.h
++++ b/security/smack/smack.h
+@@ -241,7 +241,8 @@ u32 smack_to_secid(const char *);
+ extern int smack_cipso_direct;
+ extern int smack_cipso_mapped;
+ extern struct smack_known *smack_net_ambient;
+-extern char *smack_onlycap;
++extern struct smack_known *smack_onlycap;
++extern struct smack_known *smack_syslog_label;
+ extern const char *smack_cipso_option;
+
+ extern struct smack_known smack_known_floor;
+@@ -312,7 +313,7 @@ static inline int smack_privileged(int cap)
+
+ if (!capable(cap))
+ return 0;
+- if (smack_onlycap == NULL || smack_onlycap == skp->smk_known)
++ if (smack_onlycap == NULL || smack_onlycap == skp)
+ return 1;
+ return 0;
+ }
+diff --git a/security/smack/smack_lsm.c b/security/smack/smack_lsm.c
+index 62ebf4f..67b7381d 100644
+--- a/security/smack/smack_lsm.c
++++ b/security/smack/smack_lsm.c
+@@ -219,8 +219,6 @@ static int smack_ptrace_traceme(struct task_struct *ptp)
+ * smack_syslog - Smack approval on syslog
+ * @type: message type
+ *
+- * Require that the task has the floor label
+- *
+ * Returns 0 on success, error code otherwise.
+ */
+ static int smack_syslog(int typefrom_file)
+@@ -231,7 +229,7 @@ static int smack_syslog(int typefrom_file)
+ if (smack_privileged(CAP_MAC_OVERRIDE))
+ return 0;
+
+- if (skp != &smack_known_floor)
++ if (smack_syslog_label != NULL && smack_syslog_label != skp)
+ rc = -EACCES;
+
+ return rc;
+diff --git a/security/smack/smackfs.c b/security/smack/smackfs.c
+index 1c89ade..f5a6bb8 100644
+--- a/security/smack/smackfs.c
++++ b/security/smack/smackfs.c
+@@ -52,6 +52,7 @@ enum smk_inos {
+ SMK_CIPSO2 = 17, /* load long label -> CIPSO mapping */
+ SMK_REVOKE_SUBJ = 18, /* set rules with subject label to '-' */
+ SMK_CHANGE_RULE = 19, /* change or add rules (long labels) */
++ SMK_SYSLOG = 20, /* change syslog label) */
+ };
+
+ /*
+@@ -59,6 +60,7 @@ enum smk_inos {
+ */
+ static DEFINE_MUTEX(smack_cipso_lock);
+ static DEFINE_MUTEX(smack_ambient_lock);
++static DEFINE_MUTEX(smack_syslog_lock);
+ static DEFINE_MUTEX(smk_netlbladdr_lock);
+
+ /*
+@@ -90,7 +92,13 @@ int smack_cipso_mapped = SMACK_CIPSO_MAPPED_DEFAULT;
+ * everyone. It is expected that the hat (^) label
+ * will be used if any label is used.
+ */
+-char *smack_onlycap;
++struct smack_known *smack_onlycap;
++
++/*
++ * If this value is set restrict syslog use to the label specified.
++ * It can be reset via smackfs/syslog
++ */
++struct smack_known *smack_syslog_label;
+
+ /*
+ * Certain IP addresses may be designated as single label hosts.
+@@ -1603,7 +1611,7 @@ static const struct file_operations smk_ambient_ops = {
+ };
+
+ /**
+- * smk_read_onlycap - read() for /smack/onlycap
++ * smk_read_onlycap - read() for smackfs/onlycap
+ * @filp: file pointer, not actually used
+ * @buf: where to put the result
+ * @cn: maximum to send along
+@@ -1622,7 +1630,7 @@ static ssize_t smk_read_onlycap(struct file *filp, char __user *buf,
+ return 0;
+
+ if (smack_onlycap != NULL)
+- smack = smack_onlycap;
++ smack = smack_onlycap->smk_known;
+
+ asize = strlen(smack) + 1;
+
+@@ -1633,7 +1641,7 @@ static ssize_t smk_read_onlycap(struct file *filp, char __user *buf,
+ }
+
+ /**
+- * smk_write_onlycap - write() for /smack/onlycap
++ * smk_write_onlycap - write() for smackfs/onlycap
+ * @file: file pointer, not actually used
+ * @buf: where to get the data from
+ * @count: bytes sent
+@@ -1656,7 +1664,7 @@ static ssize_t smk_write_onlycap(struct file *file, const char __user *buf,
+ * explicitly for clarity. The smk_access() implementation
+ * would use smk_access(smack_onlycap, MAY_WRITE)
+ */
+- if (smack_onlycap != NULL && smack_onlycap != skp->smk_known)
++ if (smack_onlycap != NULL && smack_onlycap != skp)
+ return -EPERM;
+
+ data = kzalloc(count, GFP_KERNEL);
+@@ -1676,7 +1684,7 @@ static ssize_t smk_write_onlycap(struct file *file, const char __user *buf,
+ if (copy_from_user(data, buf, count) != 0)
+ rc = -EFAULT;
+ else
+- smack_onlycap = smk_import(data, count);
++ smack_onlycap = smk_import_entry(data, count);
+
+ kfree(data);
+ return rc;
+@@ -2159,12 +2167,89 @@ static const struct file_operations smk_change_rule_ops = {
+ };
+
+ /**
+- * smk_fill_super - fill the /smackfs superblock
++ * smk_read_syslog - read() for smackfs/syslog
++ * @filp: file pointer, not actually used
++ * @buf: where to put the result
++ * @cn: maximum to send along
++ * @ppos: where to start
++ *
++ * Returns number of bytes read or error code, as appropriate
++ */
++static ssize_t smk_read_syslog(struct file *filp, char __user *buf,
++ size_t cn, loff_t *ppos)
++{
++ struct smack_known *skp;
++ ssize_t rc = -EINVAL;
++ int asize;
++
++ if (*ppos != 0)
++ return 0;
++
++ if (smack_syslog_label == NULL)
++ skp = &smack_known_star;
++ else
++ skp = smack_syslog_label;
++
++ asize = strlen(skp->smk_known) + 1;
++
++ if (cn >= asize)
++ rc = simple_read_from_buffer(buf, cn, ppos, skp->smk_known,
++ asize);
++
++ return rc;
++}
++
++/**
++ * smk_write_syslog - write() for smackfs/syslog
++ * @file: file pointer, not actually used
++ * @buf: where to get the data from
++ * @count: bytes sent
++ * @ppos: where to start
++ *
++ * Returns number of bytes written or error code, as appropriate
++ */
++static ssize_t smk_write_syslog(struct file *file, const char __user *buf,
++ size_t count, loff_t *ppos)
++{
++ char *data;
++ struct smack_known *skp;
++ int rc = count;
++
++ if (!smack_privileged(CAP_MAC_ADMIN))
++ return -EPERM;
++
++ data = kzalloc(count, GFP_KERNEL);
++ if (data == NULL)
++ return -ENOMEM;
++
++ if (copy_from_user(data, buf, count) != 0)
++ rc = -EFAULT;
++ else {
++ skp = smk_import_entry(data, count);
++ if (skp == NULL)
++ rc = -EINVAL;
++ else
++ smack_syslog_label = smk_import_entry(data, count);
++ }
++
++ kfree(data);
++ return rc;
++}
++
++static const struct file_operations smk_syslog_ops = {
++ .read = smk_read_syslog,
++ .write = smk_write_syslog,
++ .llseek = default_llseek,
++};
++
++
++/**
++ * smk_fill_super - fill the smackfs superblock
+ * @sb: the empty superblock
+ * @data: unused
+ * @silent: unused
+ *
+- * Fill in the well known entries for /smack
++ * Fill in the well known entries for the smack filesystem
+ *
+ * Returns 0 on success, an error code on failure
+ */
+@@ -2209,6 +2294,8 @@ static int smk_fill_super(struct super_block *sb, void *data, int silent)
+ S_IRUGO|S_IWUSR},
+ [SMK_CHANGE_RULE] = {
+ "change-rule", &smk_change_rule_ops, S_IRUGO|S_IWUSR},
++ [SMK_SYSLOG] = {
++ "syslog", &smk_syslog_ops, S_IRUGO|S_IWUSR},
+ /* last one */
+ {""}
+ };
+--
+2.1.4
+