kernel: smack security backport from kernel 4

Here is the backport of all patches relating to smack support on kernel side. For more details, see file: meta-rcar-gen2/recipes-kernel/linux/linux-renesas/smack/README Please note that patches are applied only if "smack" is in the ditro features. Here are the 2 lines to add in the local.conf OVERRIDES .= ":smack" DISTRO_FEATURES_append = " smack" Change-Id: I147a3532aec531f977d6ec34c576261835711f1e Signed-off-by: Yannick GICQUEL <yannick.gicquel@iot.bzh> Signed-off-by: José Bollo <jose.bollo@iot.bzh>
author: Yannick GICQUEL <yannick.gicquel@iot.bzh> 2015-10-19 15:57:07 +0200
committer: Gerrit Code Review <gerrit@172.30.200.200> 2015-11-06 15:23:36 +0000
commit: ede19ea0c47fb23f3fc779833d1e57cf76f3371e (patch)
tree: 47d6fae2283c54def1871aaf2a73828ac68b1b34 /meta-rcar-gen2/recipes-kernel/linux/linux-renesas/smack/0017-Smack-Make-the-syslog-control-configurable.patch
parent: 1cd8ab18abca96e4ee108f80225058d875b28347 (diff)
1 files changed, 252 insertions, 0 deletions
diff --git a/meta-rcar-gen2/recipes-kernel/linux/linux-renesas/smack/0017-Smack-Make-the-syslog-control-configurable.patch b/meta-rcar-gen2/recipes-kernel/linux/linux-renesas/smack/0017-Smack-Make-the-syslog-control-configurable.patch
new file mode 100644
index 0000000..a1bb4bf
--- /dev/null
+++ b/meta-rcar-gen2/recipes-kernel/linux/linux-renesas/smack/0017-Smack-Make-the-syslog-control-configurable.patch
@@ -0,0 +1,252 @@
+From c7928b67e3b2cd91da4cec3ae3bff33306efebe4 Mon Sep 17 00:00:00 2001
+From: Casey Schaufler <casey@schaufler-ca.com>
+Date: Mon, 23 Dec 2013 11:07:10 -0800
+Subject: [PATCH 17/54] Smack: Make the syslog control configurable
+
+The syslog control requires that the calling proccess
+have the floor ("_") Smack label. Tizen does not run any
+processes except for kernel helpers with the floor label.
+This changes allows the admin to configure a specific
+label for syslog. The default value is the star ("*")
+label, effectively removing the restriction. The value
+can be set using smackfs/syslog for anyone who wants
+a more restrictive behavior.
+
+Targeted for git://git.gitorious.org/smack-next/kernel.git
+
+Signed-off-by: Casey Schaufler <casey@schaufler-ca.com>
+---
+ security/smack/smack.h     |   5 ++-
+ security/smack/smack_lsm.c |   4 +-
+ security/smack/smackfs.c   | 103 +++++++++++++++++++++++++++++++++++++++++----
+ 3 files changed, 99 insertions(+), 13 deletions(-)
+
+diff --git a/security/smack/smack.h b/security/smack/smack.h
+index 364cc64..d072fd3 100644
+--- a/security/smack/smack.h
++++ b/security/smack/smack.h
+@@ -241,7 +241,8 @@ u32 smack_to_secid(const char *);
+ extern int smack_cipso_direct;
+ extern int smack_cipso_mapped;
+ extern struct smack_known *smack_net_ambient;
+-extern char *smack_onlycap;
++extern struct smack_known *smack_onlycap;
++extern struct smack_known *smack_syslog_label;
+ extern const char *smack_cipso_option;
+ 
+ extern struct smack_known smack_known_floor;
+@@ -312,7 +313,7 @@ static inline int smack_privileged(int cap)
+ 
+ 	if (!capable(cap))
+ 		return 0;
+-	if (smack_onlycap == NULL || smack_onlycap == skp->smk_known)
++	if (smack_onlycap == NULL || smack_onlycap == skp)
+ 		return 1;
+ 	return 0;
+ }
+diff --git a/security/smack/smack_lsm.c b/security/smack/smack_lsm.c
+index 62ebf4f..67b7381d 100644
+--- a/security/smack/smack_lsm.c
++++ b/security/smack/smack_lsm.c
+@@ -219,8 +219,6 @@ static int smack_ptrace_traceme(struct task_struct *ptp)
+  * smack_syslog - Smack approval on syslog
+  * @type: message type
+  *
+- * Require that the task has the floor label
+- *
+  * Returns 0 on success, error code otherwise.
+  */
+ static int smack_syslog(int typefrom_file)
+@@ -231,7 +229,7 @@ static int smack_syslog(int typefrom_file)
+ 	if (smack_privileged(CAP_MAC_OVERRIDE))
+ 		return 0;
+ 
+-	 if (skp != &smack_known_floor)
++	 if (smack_syslog_label != NULL && smack_syslog_label != skp)
+ 		rc = -EACCES;
+ 
+ 	return rc;
+diff --git a/security/smack/smackfs.c b/security/smack/smackfs.c
+index 1c89ade..f5a6bb8 100644
+--- a/security/smack/smackfs.c
++++ b/security/smack/smackfs.c
+@@ -52,6 +52,7 @@ enum smk_inos {
+ 	SMK_CIPSO2	= 17,	/* load long label -> CIPSO mapping */
+ 	SMK_REVOKE_SUBJ	= 18,	/* set rules with subject label to '-' */
+ 	SMK_CHANGE_RULE	= 19,	/* change or add rules (long labels) */
++	SMK_SYSLOG	= 20,	/* change syslog label) */
+ };
+ 
+ /*
+@@ -59,6 +60,7 @@ enum smk_inos {
+  */
+ static DEFINE_MUTEX(smack_cipso_lock);
+ static DEFINE_MUTEX(smack_ambient_lock);
++static DEFINE_MUTEX(smack_syslog_lock);
+ static DEFINE_MUTEX(smk_netlbladdr_lock);
+ 
+ /*
+@@ -90,7 +92,13 @@ int smack_cipso_mapped = SMACK_CIPSO_MAPPED_DEFAULT;
+  * everyone. It is expected that the hat (^) label
+  * will be used if any label is used.
+  */
+-char *smack_onlycap;
++struct smack_known *smack_onlycap;
++
++/*
++ * If this value is set restrict syslog use to the label specified.
++ * It can be reset via smackfs/syslog
++ */
++struct smack_known *smack_syslog_label;
+ 
+ /*
+  * Certain IP addresses may be designated as single label hosts.
+@@ -1603,7 +1611,7 @@ static const struct file_operations smk_ambient_ops = {
+ };
+ 
+ /**
+- * smk_read_onlycap - read() for /smack/onlycap
++ * smk_read_onlycap - read() for smackfs/onlycap
+  * @filp: file pointer, not actually used
+  * @buf: where to put the result
+  * @cn: maximum to send along
+@@ -1622,7 +1630,7 @@ static ssize_t smk_read_onlycap(struct file *filp, char __user *buf,
+ 		return 0;
+ 
+ 	if (smack_onlycap != NULL)
+-		smack = smack_onlycap;
++		smack = smack_onlycap->smk_known;
+ 
+ 	asize = strlen(smack) + 1;
+ 
+@@ -1633,7 +1641,7 @@ static ssize_t smk_read_onlycap(struct file *filp, char __user *buf,
+ }
+ 
+ /**
+- * smk_write_onlycap - write() for /smack/onlycap
++ * smk_write_onlycap - write() for smackfs/onlycap
+  * @file: file pointer, not actually used
+  * @buf: where to get the data from
+  * @count: bytes sent
+@@ -1656,7 +1664,7 @@ static ssize_t smk_write_onlycap(struct file *file, const char __user *buf,
+ 	 * explicitly for clarity. The smk_access() implementation
+ 	 * would use smk_access(smack_onlycap, MAY_WRITE)
+ 	 */
+-	if (smack_onlycap != NULL && smack_onlycap != skp->smk_known)
++	if (smack_onlycap != NULL && smack_onlycap != skp)
+ 		return -EPERM;
+ 
+ 	data = kzalloc(count, GFP_KERNEL);
+@@ -1676,7 +1684,7 @@ static ssize_t smk_write_onlycap(struct file *file, const char __user *buf,
+ 	if (copy_from_user(data, buf, count) != 0)
+ 		rc = -EFAULT;
+ 	else
+-		smack_onlycap = smk_import(data, count);
++		smack_onlycap = smk_import_entry(data, count);
+ 
+ 	kfree(data);
+ 	return rc;
+@@ -2159,12 +2167,89 @@ static const struct file_operations smk_change_rule_ops = {
+ };
+ 
+ /**
+- * smk_fill_super - fill the /smackfs superblock
++ * smk_read_syslog - read() for smackfs/syslog
++ * @filp: file pointer, not actually used
++ * @buf: where to put the result
++ * @cn: maximum to send along
++ * @ppos: where to start
++ *
++ * Returns number of bytes read or error code, as appropriate
++ */
++static ssize_t smk_read_syslog(struct file *filp, char __user *buf,
++				size_t cn, loff_t *ppos)
++{
++	struct smack_known *skp;
++	ssize_t rc = -EINVAL;
++	int asize;
++
++	if (*ppos != 0)
++		return 0;
++
++	if (smack_syslog_label == NULL)
++		skp = &smack_known_star;
++	else
++		skp = smack_syslog_label;
++
++	asize = strlen(skp->smk_known) + 1;
++
++	if (cn >= asize)
++		rc = simple_read_from_buffer(buf, cn, ppos, skp->smk_known,
++						asize);
++
++	return rc;
++}
++
++/**
++ * smk_write_syslog - write() for smackfs/syslog
++ * @file: file pointer, not actually used
++ * @buf: where to get the data from
++ * @count: bytes sent
++ * @ppos: where to start
++ *
++ * Returns number of bytes written or error code, as appropriate
++ */
++static ssize_t smk_write_syslog(struct file *file, const char __user *buf,
++				size_t count, loff_t *ppos)
++{
++	char *data;
++	struct smack_known *skp;
++	int rc = count;
++
++	if (!smack_privileged(CAP_MAC_ADMIN))
++		return -EPERM;
++
++	data = kzalloc(count, GFP_KERNEL);
++	if (data == NULL)
++		return -ENOMEM;
++
++	if (copy_from_user(data, buf, count) != 0)
++		rc = -EFAULT;
++	else {
++		skp = smk_import_entry(data, count);
++		if (skp == NULL)
++			rc = -EINVAL;
++		else
++			smack_syslog_label = smk_import_entry(data, count);
++	}
++
++	kfree(data);
++	return rc;
++}
++
++static const struct file_operations smk_syslog_ops = {
++	.read		= smk_read_syslog,
++	.write		= smk_write_syslog,
++	.llseek		= default_llseek,
++};
++
++
++/**
++ * smk_fill_super - fill the smackfs superblock
+  * @sb: the empty superblock
+  * @data: unused
+  * @silent: unused
+  *
+- * Fill in the well known entries for /smack
++ * Fill in the well known entries for the smack filesystem
+  *
+  * Returns 0 on success, an error code on failure
+  */
+@@ -2209,6 +2294,8 @@ static int smk_fill_super(struct super_block *sb, void *data, int silent)
+ 			S_IRUGO|S_IWUSR},
+ 		[SMK_CHANGE_RULE] = {
+ 			"change-rule", &smk_change_rule_ops, S_IRUGO|S_IWUSR},
++		[SMK_SYSLOG] = {
++			"syslog", &smk_syslog_ops, S_IRUGO|S_IWUSR},
+ 		/* last one */
+ 			{""}
+ 	};
+-- 
+2.1.4
+
author	Yannick GICQUEL <yannick.gicquel@iot.bzh>	2015-10-19 15:57:07 +0200
committer	Gerrit Code Review <gerrit@172.30.200.200>	2015-11-06 15:23:36 +0000
commit	ede19ea0c47fb23f3fc779833d1e57cf76f3371e (patch)
tree	47d6fae2283c54def1871aaf2a73828ac68b1b34 /meta-rcar-gen2/recipes-kernel/linux/linux-renesas/smack/0017-Smack-Make-the-syslog-control-configurable.patch
parent	1cd8ab18abca96e4ee108f80225058d875b28347 (diff)