search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
spi: bcm63xx-hsspi: add bcm63xx HSSPI driver
[linux-2.6/btrfs-unstable.git] / security / smack / smackfs.c
blob160aa08e3cd5ecd775c819941a056d5c04e1a13e
1 /*
2 * Copyright (C) 2007 Casey Schaufler <casey@schaufler-ca.com>
3 *
4 * This program is free software; you can redistribute it and/or modify
5 * it under the terms of the GNU General Public License as published by
6 * the Free Software Foundation, version 2.
7 *
8 * Authors:
9 * Casey Schaufler <casey@schaufler-ca.com>
10 * Ahmed S. Darwish <darwish.07@gmail.com>
11 *
12 * Special thanks to the authors of selinuxfs.
13 *
14 * Karl MacMillan <kmacmillan@tresys.com>
15 * James Morris <jmorris@redhat.com>
16 *
17 */
18
19 #include <linux/kernel.h>
20 #include <linux/vmalloc.h>
21 #include <linux/security.h>
22 #include <linux/mutex.h>
23 #include <linux/slab.h>
24 #include <net/net_namespace.h>
25 #include <net/cipso_ipv4.h>
26 #include <linux/seq_file.h>
27 #include <linux/ctype.h>
28 #include <linux/audit.h>
29 #include <linux/magic.h>
30 #include "smack.h"
31
32 /*
33 * smackfs pseudo filesystem.
34 */
35
36 enum smk_inos {
37 SMK_ROOT_INO = 2,
38 SMK_LOAD = 3, /* load policy */
39 SMK_CIPSO = 4, /* load label -> CIPSO mapping */
40 SMK_DOI = 5, /* CIPSO DOI */
41 SMK_DIRECT = 6, /* CIPSO level indicating direct label */
42 SMK_AMBIENT = 7, /* internet ambient label */
43 SMK_NETLBLADDR = 8, /* single label hosts */
44 SMK_ONLYCAP = 9, /* the only "capable" label */
45 SMK_LOGGING = 10, /* logging */
46 SMK_LOAD_SELF = 11, /* task specific rules */
47 SMK_ACCESSES = 12, /* access policy */
48 SMK_MAPPED = 13, /* CIPSO level indicating mapped label */
49 SMK_LOAD2 = 14, /* load policy with long labels */
50 SMK_LOAD_SELF2 = 15, /* load task specific rules with long labels */
51 SMK_ACCESS2 = 16, /* make an access check with long labels */
52 SMK_CIPSO2 = 17, /* load long label -> CIPSO mapping */
53 SMK_REVOKE_SUBJ = 18, /* set rules with subject label to '-' */
54 SMK_CHANGE_RULE = 19, /* change or add rules (long labels) */
55 };
56
57 /*
58 * List locks
59 */
60 static DEFINE_MUTEX(smack_cipso_lock);
61 static DEFINE_MUTEX(smack_ambient_lock);
62 static DEFINE_MUTEX(smk_netlbladdr_lock);
63
64 /*
65 * This is the "ambient" label for network traffic.
66 * If it isn't somehow marked, use this.
67 * It can be reset via smackfs/ambient
68 */
69 struct smack_known *smack_net_ambient;
70
71 /*
72 * This is the level in a CIPSO header that indicates a
73 * smack label is contained directly in the category set.
74 * It can be reset via smackfs/direct
75 */
76 int smack_cipso_direct = SMACK_CIPSO_DIRECT_DEFAULT;
77
78 /*
79 * This is the level in a CIPSO header that indicates a
80 * secid is contained directly in the category set.
81 * It can be reset via smackfs/mapped
82 */
83 int smack_cipso_mapped = SMACK_CIPSO_MAPPED_DEFAULT;
84
85 /*
86 * Unless a process is running with this label even
87 * having CAP_MAC_OVERRIDE isn't enough to grant
88 * privilege to violate MAC policy. If no label is
89 * designated (the NULL case) capabilities apply to
90 * everyone. It is expected that the hat (^) label
91 * will be used if any label is used.
92 */
93 char *smack_onlycap;
94
95 /*
96 * Certain IP addresses may be designated as single label hosts.
97 * Packets are sent there unlabeled, but only from tasks that
98 * can write to the specified label.
99 */
100
101 LIST_HEAD(smk_netlbladdr_list);
102
103 /*
104 * Rule lists are maintained for each label.
105 * This master list is just for reading /smack/load and /smack/load2.
106 */
107 struct smack_master_list {
108 struct list_head list;
109 struct smack_rule *smk_rule;
110 };
111
112 LIST_HEAD(smack_rule_list);
113
114 struct smack_parsed_rule {
115 struct smack_known *smk_subject;
116 char *smk_object;
117 int smk_access1;
118 int smk_access2;
119 };
120
121 static int smk_cipso_doi_value = SMACK_CIPSO_DOI_DEFAULT;
122
123 const char *smack_cipso_option = SMACK_CIPSO_OPTION;
124
125 /*
126 * Values for parsing cipso rules
127 * SMK_DIGITLEN: Length of a digit field in a rule.
128 * SMK_CIPSOMIN: Minimum possible cipso rule length.
129 * SMK_CIPSOMAX: Maximum possible cipso rule length.
130 */
131 #define SMK_DIGITLEN 4
132 #define SMK_CIPSOMIN (SMK_LABELLEN + 2 * SMK_DIGITLEN)
133 #define SMK_CIPSOMAX (SMK_CIPSOMIN + SMACK_CIPSO_MAXCATNUM * SMK_DIGITLEN)
134
135 /*
136 * Values for parsing MAC rules
137 * SMK_ACCESS: Maximum possible combination of access permissions
138 * SMK_ACCESSLEN: Maximum length for a rule access field
139 * SMK_LOADLEN: Smack rule length
140 */
141 #define SMK_OACCESS "rwxa"
142 #define SMK_ACCESS "rwxatl"
143 #define SMK_OACCESSLEN (sizeof(SMK_OACCESS) - 1)
144 #define SMK_ACCESSLEN (sizeof(SMK_ACCESS) - 1)
145 #define SMK_OLOADLEN (SMK_LABELLEN + SMK_LABELLEN + SMK_OACCESSLEN)
146 #define SMK_LOADLEN (SMK_LABELLEN + SMK_LABELLEN + SMK_ACCESSLEN)
147
148 /*
149 * Stricly for CIPSO level manipulation.
150 * Set the category bit number in a smack label sized buffer.
151 */
152 static inline void smack_catset_bit(unsigned int cat, char *catsetp)
153 {
154 if (cat == 0 || cat > (SMK_CIPSOLEN * 8))
155 return;
156
157 catsetp[(cat - 1) / 8] |= 0x80 >> ((cat - 1) % 8);
158 }
159
160 /**
161 * smk_netlabel_audit_set - fill a netlbl_audit struct
162 * @nap: structure to fill
163 */
164 static void smk_netlabel_audit_set(struct netlbl_audit *nap)
165 {
166 struct smack_known *skp = smk_of_current();
167
168 nap->loginuid = audit_get_loginuid(current);
169 nap->sessionid = audit_get_sessionid(current);
170 nap->secid = skp->smk_secid;
171 }
172
173 /*
174 * Value for parsing single label host rules
175 * "1.2.3.4 X"
176 */
177 #define SMK_NETLBLADDRMIN 9
178
179 /**
180 * smk_set_access - add a rule to the rule list or replace an old rule
181 * @srp: the rule to add or replace
182 * @rule_list: the list of rules
183 * @rule_lock: the rule list lock
184 * @global: if non-zero, indicates a global rule
185 *
186 * Looks through the current subject/object/access list for
187 * the subject/object pair and replaces the access that was
188 * there. If the pair isn't found add it with the specified
189 * access.
190 *
191 * Returns 0 if nothing goes wrong or -ENOMEM if it fails
192 * during the allocation of the new pair to add.
193 */
194 static int smk_set_access(struct smack_parsed_rule *srp,
195 struct list_head *rule_list,
196 struct mutex *rule_lock, int global)
197 {
198 struct smack_rule *sp;
199 struct smack_master_list *smlp;
200 int found = 0;
201 int rc = 0;
202
203 mutex_lock(rule_lock);
204
205 /*
206 * Because the object label is less likely to match
207 * than the subject label check it first
208 */
209 list_for_each_entry_rcu(sp, rule_list, list) {
210 if (sp->smk_object == srp->smk_object &&
211 sp->smk_subject == srp->smk_subject) {
212 found = 1;
213 sp->smk_access |= srp->smk_access1;
214 sp->smk_access &= ~srp->smk_access2;
215 break;
216 }
217 }
218
219 if (found == 0) {
220 sp = kzalloc(sizeof(*sp), GFP_KERNEL);
221 if (sp == NULL) {
222 rc = -ENOMEM;
223 goto out;
224 }
225
226 sp->smk_subject = srp->smk_subject;
227 sp->smk_object = srp->smk_object;
228 sp->smk_access = srp->smk_access1 & ~srp->smk_access2;
229
230 list_add_rcu(&sp->list, rule_list);
231 /*
232 * If this is a global as opposed to self and a new rule
233 * it needs to get added for reporting.
234 */
235 if (global) {
236 smlp = kzalloc(sizeof(*smlp), GFP_KERNEL);
237 if (smlp != NULL) {
238 smlp->smk_rule = sp;
239 list_add_rcu(&smlp->list, &smack_rule_list);
240 } else
241 rc = -ENOMEM;
242 }
243 }
244
245 out:
246 mutex_unlock(rule_lock);
247 return rc;
248 }
249
250 /**
251 * smk_perm_from_str - parse smack accesses from a text string
252 * @string: a text string that contains a Smack accesses code
253 *
254 * Returns an integer with respective bits set for specified accesses.
255 */
256 static int smk_perm_from_str(const char *string)
257 {
258 int perm = 0;
259 const char *cp;
260
261 for (cp = string; ; cp++)
262 switch (*cp) {
263 case '-':
264 break;
265 case 'r':
266 case 'R':
267 perm |= MAY_READ;
268 break;
269 case 'w':
270 case 'W':
271 perm |= MAY_WRITE;
272 break;
273 case 'x':
274 case 'X':
275 perm |= MAY_EXEC;
276 break;
277 case 'a':
278 case 'A':
279 perm |= MAY_APPEND;
280 break;
281 case 't':
282 case 'T':
283 perm |= MAY_TRANSMUTE;
284 break;
285 case 'l':
286 case 'L':
287 perm |= MAY_LOCK;
288 break;
289 default:
290 return perm;
291 }
292 }
293
294 /**
295 * smk_fill_rule - Fill Smack rule from strings
296 * @subject: subject label string
297 * @object: object label string
298 * @access1: access string
299 * @access2: string with permissions to be removed
300 * @rule: Smack rule
301 * @import: if non-zero, import labels
302 * @len: label length limit
303 *
304 * Returns 0 on success, -1 on failure
305 */
306 static int smk_fill_rule(const char *subject, const char *object,
307 const char *access1, const char *access2,
308 struct smack_parsed_rule *rule, int import,
309 int len)
310 {
311 const char *cp;
312 struct smack_known *skp;
313
314 if (import) {
315 rule->smk_subject = smk_import_entry(subject, len);
316 if (rule->smk_subject == NULL)
317 return -1;
318
319 rule->smk_object = smk_import(object, len);
320 if (rule->smk_object == NULL)
321 return -1;
322 } else {
323 cp = smk_parse_smack(subject, len);
324 if (cp == NULL)
325 return -1;
326 skp = smk_find_entry(cp);
327 kfree(cp);
328 if (skp == NULL)
329 return -1;
330 rule->smk_subject = skp;
331
332 cp = smk_parse_smack(object, len);
333 if (cp == NULL)
334 return -1;
335 skp = smk_find_entry(cp);
336 kfree(cp);
337 if (skp == NULL)
338 return -1;
339 rule->smk_object = skp->smk_known;
340 }
341
342 rule->smk_access1 = smk_perm_from_str(access1);
343 if (access2)
344 rule->smk_access2 = smk_perm_from_str(access2);
345 else
346 rule->smk_access2 = ~rule->smk_access1;
347
348 return 0;
349 }
350
351 /**
352 * smk_parse_rule - parse Smack rule from load string
353 * @data: string to be parsed whose size is SMK_LOADLEN
354 * @rule: Smack rule
355 * @import: if non-zero, import labels
356 *
357 * Returns 0 on success, -1 on errors.
358 */
359 static int smk_parse_rule(const char *data, struct smack_parsed_rule *rule,
360 int import)
361 {
362 int rc;
363
364 rc = smk_fill_rule(data, data + SMK_LABELLEN,
365 data + SMK_LABELLEN + SMK_LABELLEN, NULL, rule,
366 import, SMK_LABELLEN);
367 return rc;
368 }
369
370 /**
371 * smk_parse_long_rule - parse Smack rule from rule string
372 * @data: string to be parsed, null terminated
373 * @rule: Will be filled with Smack parsed rule
374 * @import: if non-zero, import labels
375 * @tokens: numer of substrings expected in data
376 *
377 * Returns number of processed bytes on success, -1 on failure.
378 */
379 static ssize_t smk_parse_long_rule(char *data, struct smack_parsed_rule *rule,
380 int import, int tokens)
381 {
382 ssize_t cnt = 0;
383 char *tok[4];
384 int i;
385
386 /*
387 * Parsing the rule in-place, filling all white-spaces with '\0'
388 */
389 for (i = 0; i < tokens; ++i) {
390 while (isspace(data[cnt]))
391 data[cnt++] = '\0';
392
393 if (data[cnt] == '\0')
394 /* Unexpected end of data */
395 return -1;
396
397 tok[i] = data + cnt;
398
399 while (data[cnt] && !isspace(data[cnt]))
400 ++cnt;
401 }
402 while (isspace(data[cnt]))
403 data[cnt++] = '\0';
404
405 while (i < 4)
406 tok[i++] = NULL;
407
408 if (smk_fill_rule(tok[0], tok[1], tok[2], tok[3], rule, import, 0))
409 return -1;
410
411 return cnt;
412 }
413
414 #define SMK_FIXED24_FMT 0 /* Fixed 24byte label format */
415 #define SMK_LONG_FMT 1 /* Variable long label format */
416 #define SMK_CHANGE_FMT 2 /* Rule modification format */
417 /**
418 * smk_write_rules_list - write() for any /smack rule file
419 * @file: file pointer, not actually used
420 * @buf: where to get the data from
421 * @count: bytes sent
422 * @ppos: where to start - must be 0
423 * @rule_list: the list of rules to write to
424 * @rule_lock: lock for the rule list
425 * @format: /smack/load or /smack/load2 or /smack/change-rule format.
426 *
427 * Get one smack access rule from above.
428 * The format for SMK_LONG_FMT is:
429 * "subject<whitespace>object<whitespace>access[<whitespace>...]"
430 * The format for SMK_FIXED24_FMT is exactly:
431 * "subject object rwxat"
432 * The format for SMK_CHANGE_FMT is:
433 * "subject<whitespace>object<whitespace>
434 * acc_enable<whitespace>acc_disable[<whitespace>...]"
435 */
436 static ssize_t smk_write_rules_list(struct file *file, const char __user *buf,
437 size_t count, loff_t *ppos,
438 struct list_head *rule_list,
439 struct mutex *rule_lock, int format)
440 {
441 struct smack_parsed_rule rule;
442 char *data;
443 int rc;
444 int trunc = 0;
445 int tokens;
446 ssize_t cnt = 0;
447
448 /*
449 * No partial writes.
450 * Enough data must be present.
451 */
452 if (*ppos != 0)
453 return -EINVAL;
454
455 if (format == SMK_FIXED24_FMT) {
456 /*
457 * Minor hack for backward compatibility
458 */
459 if (count < SMK_OLOADLEN || count > SMK_LOADLEN)
460 return -EINVAL;
461 } else {
462 if (count >= PAGE_SIZE) {
463 count = PAGE_SIZE - 1;
464 trunc = 1;
465 }
466 }
467
468 data = kmalloc(count + 1, GFP_KERNEL);
469 if (data == NULL)
470 return -ENOMEM;
471
472 if (copy_from_user(data, buf, count) != 0) {
473 rc = -EFAULT;
474 goto out;
475 }
476
477 /*
478 * In case of parsing only part of user buf,
479 * avoid having partial rule at the data buffer
480 */
481 if (trunc) {
482 while (count > 0 && (data[count - 1] != '\n'))
483 --count;
484 if (count == 0) {
485 rc = -EINVAL;
486 goto out;
487 }
488 }
489
490 data[count] = '\0';
491 tokens = (format == SMK_CHANGE_FMT ? 4 : 3);
492 while (cnt < count) {
493 if (format == SMK_FIXED24_FMT) {
494 rc = smk_parse_rule(data, &rule, 1);
495 if (rc != 0) {
496 rc = -EINVAL;
497 goto out;
498 }
499 cnt = count;
500 } else {
501 rc = smk_parse_long_rule(data + cnt, &rule, 1, tokens);
502 if (rc <= 0) {
503 rc = -EINVAL;
504 goto out;
505 }
506 cnt += rc;
507 }
508
509 if (rule_list == NULL)
510 rc = smk_set_access(&rule, &rule.smk_subject->smk_rules,
511 &rule.smk_subject->smk_rules_lock, 1);
512 else
513 rc = smk_set_access(&rule, rule_list, rule_lock, 0);
514
515 if (rc)
516 goto out;
517 }
518
519 rc = cnt;
520 out:
521 kfree(data);
522 return rc;
523 }
524
525 /*
526 * Core logic for smackfs seq list operations.
527 */
528
529 static void *smk_seq_start(struct seq_file *s, loff_t *pos,
530 struct list_head *head)
531 {
532 struct list_head *list;
533
534 /*
535 * This is 0 the first time through.
536 */
537 if (s->index == 0)
538 s->private = head;
539
540 if (s->private == NULL)
541 return NULL;
542
543 list = s->private;
544 if (list_empty(list))
545 return NULL;
546
547 if (s->index == 0)
548 return list->next;
549 return list;
550 }
551
552 static void *smk_seq_next(struct seq_file *s, void *v, loff_t *pos,
553 struct list_head *head)
554 {
555 struct list_head *list = v;
556
557 if (list_is_last(list, head)) {
558 s->private = NULL;
559 return NULL;
560 }
561 s->private = list->next;
562 return list->next;
563 }
564
565 static void smk_seq_stop(struct seq_file *s, void *v)
566 {
567 /* No-op */
568 }
569
570 static void smk_rule_show(struct seq_file *s, struct smack_rule *srp, int max)
571 {
572 /*
573 * Don't show any rules with label names too long for
574 * interface file (/smack/load or /smack/load2)
575 * because you should expect to be able to write
576 * anything you read back.
577 */
578 if (strlen(srp->smk_subject->smk_known) >= max ||
579 strlen(srp->smk_object) >= max)
580 return;
581
582 if (srp->smk_access == 0)
583 return;
584
585 seq_printf(s, "%s %s", srp->smk_subject->smk_known, srp->smk_object);
586
587 seq_putc(s, ' ');
588
589 if (srp->smk_access & MAY_READ)
590 seq_putc(s, 'r');
591 if (srp->smk_access & MAY_WRITE)
592 seq_putc(s, 'w');
593 if (srp->smk_access & MAY_EXEC)
594 seq_putc(s, 'x');
595 if (srp->smk_access & MAY_APPEND)
596 seq_putc(s, 'a');
597 if (srp->smk_access & MAY_TRANSMUTE)
598 seq_putc(s, 't');
599 if (srp->smk_access & MAY_LOCK)
600 seq_putc(s, 'l');
601
602 seq_putc(s, '\n');
603 }
604
605 /*
606 * Seq_file read operations for /smack/load
607 */
608
609 static void *load2_seq_start(struct seq_file *s, loff_t *pos)
610 {
611 return smk_seq_start(s, pos, &smack_rule_list);
612 }
613
614 static void *load2_seq_next(struct seq_file *s, void *v, loff_t *pos)
615 {
616 return smk_seq_next(s, v, pos, &smack_rule_list);
617 }
618
619 static int load_seq_show(struct seq_file *s, void *v)
620 {
621 struct list_head *list = v;
622 struct smack_master_list *smlp =
623 list_entry(list, struct smack_master_list, list);
624
625 smk_rule_show(s, smlp->smk_rule, SMK_LABELLEN);
626
627 return 0;
628 }
629
630 static const struct seq_operations load_seq_ops = {
631 .start = load2_seq_start,
632 .next = load2_seq_next,
633 .show = load_seq_show,
634 .stop = smk_seq_stop,
635 };
636
637 /**
638 * smk_open_load - open() for /smack/load
639 * @inode: inode structure representing file
640 * @file: "load" file pointer
641 *
642 * For reading, use load_seq_* seq_file reading operations.
643 */
644 static int smk_open_load(struct inode *inode, struct file *file)
645 {
646 return seq_open(file, &load_seq_ops);
647 }
648
649 /**
650 * smk_write_load - write() for /smack/load
651 * @file: file pointer, not actually used
652 * @buf: where to get the data from
653 * @count: bytes sent
654 * @ppos: where to start - must be 0
655 *
656 */
657 static ssize_t smk_write_load(struct file *file, const char __user *buf,
658 size_t count, loff_t *ppos)
659 {
660 /*
661 * Must have privilege.
662 * No partial writes.
663 * Enough data must be present.
664 */
665 if (!smack_privileged(CAP_MAC_ADMIN))
666 return -EPERM;
667
668 return smk_write_rules_list(file, buf, count, ppos, NULL, NULL,
669 SMK_FIXED24_FMT);
670 }
671
672 static const struct file_operations smk_load_ops = {
673 .open = smk_open_load,
674 .read = seq_read,
675 .llseek = seq_lseek,
676 .write = smk_write_load,
677 .release = seq_release,
678 };
679
680 /**
681 * smk_cipso_doi - initialize the CIPSO domain
682 */
683 static void smk_cipso_doi(void)
684 {
685 int rc;
686 struct cipso_v4_doi *doip;
687 struct netlbl_audit nai;
688
689 smk_netlabel_audit_set(&nai);
690
691 rc = netlbl_cfg_map_del(NULL, PF_INET, NULL, NULL, &nai);
692 if (rc != 0)
693 printk(KERN_WARNING "%s:%d remove rc = %d\n",
694 __func__, __LINE__, rc);
695
696 doip = kmalloc(sizeof(struct cipso_v4_doi), GFP_KERNEL);
697 if (doip == NULL)
698 panic("smack: Failed to initialize cipso DOI.\n");
699 doip->map.std = NULL;
700 doip->doi = smk_cipso_doi_value;
701 doip->type = CIPSO_V4_MAP_PASS;
702 doip->tags[0] = CIPSO_V4_TAG_RBITMAP;
703 for (rc = 1; rc < CIPSO_V4_TAG_MAXCNT; rc++)
704 doip->tags[rc] = CIPSO_V4_TAG_INVALID;
705
706 rc = netlbl_cfg_cipsov4_add(doip, &nai);
707 if (rc != 0) {
708 printk(KERN_WARNING "%s:%d cipso add rc = %d\n",
709 __func__, __LINE__, rc);
710 kfree(doip);
711 return;
712 }
713 rc = netlbl_cfg_cipsov4_map_add(doip->doi, NULL, NULL, NULL, &nai);
714 if (rc != 0) {
715 printk(KERN_WARNING "%s:%d map add rc = %d\n",
716 __func__, __LINE__, rc);
717 kfree(doip);
718 return;
719 }
720 }
721
722 /**
723 * smk_unlbl_ambient - initialize the unlabeled domain
724 * @oldambient: previous domain string
725 */
726 static void smk_unlbl_ambient(char *oldambient)
727 {
728 int rc;
729 struct netlbl_audit nai;
730
731 smk_netlabel_audit_set(&nai);
732
733 if (oldambient != NULL) {
734 rc = netlbl_cfg_map_del(oldambient, PF_INET, NULL, NULL, &nai);
735 if (rc != 0)
736 printk(KERN_WARNING "%s:%d remove rc = %d\n",
737 __func__, __LINE__, rc);
738 }
739 if (smack_net_ambient == NULL)
740 smack_net_ambient = &smack_known_floor;
741
742 rc = netlbl_cfg_unlbl_map_add(smack_net_ambient->smk_known, PF_INET,
743 NULL, NULL, &nai);
744 if (rc != 0)
745 printk(KERN_WARNING "%s:%d add rc = %d\n",
746 __func__, __LINE__, rc);
747 }
748
749 /*
750 * Seq_file read operations for /smack/cipso
751 */
752
753 static void *cipso_seq_start(struct seq_file *s, loff_t *pos)
754 {
755 return smk_seq_start(s, pos, &smack_known_list);
756 }
757
758 static void *cipso_seq_next(struct seq_file *s, void *v, loff_t *pos)
759 {
760 return smk_seq_next(s, v, pos, &smack_known_list);
761 }
762
763 /*
764 * Print cipso labels in format:
765 * label level[/cat[,cat]]
766 */
767 static int cipso_seq_show(struct seq_file *s, void *v)
768 {
769 struct list_head *list = v;
770 struct smack_known *skp =
771 list_entry(list, struct smack_known, list);
772 struct netlbl_lsm_secattr_catmap *cmp = skp->smk_netlabel.attr.mls.cat;
773 char sep = '/';
774 int i;
775
776 /*
777 * Don't show a label that could not have been set using
778 * /smack/cipso. This is in support of the notion that
779 * anything read from /smack/cipso ought to be writeable
780 * to /smack/cipso.
781 *
782 * /smack/cipso2 should be used instead.
783 */
784 if (strlen(skp->smk_known) >= SMK_LABELLEN)
785 return 0;
786
787 seq_printf(s, "%s %3d", skp->smk_known, skp->smk_netlabel.attr.mls.lvl);
788
789 for (i = netlbl_secattr_catmap_walk(cmp, 0); i >= 0;
790 i = netlbl_secattr_catmap_walk(cmp, i + 1)) {
791 seq_printf(s, "%c%d", sep, i);
792 sep = ',';
793 }
794
795 seq_putc(s, '\n');
796
797 return 0;
798 }
799
800 static const struct seq_operations cipso_seq_ops = {
801 .start = cipso_seq_start,
802 .next = cipso_seq_next,
803 .show = cipso_seq_show,
804 .stop = smk_seq_stop,
805 };
806
807 /**
808 * smk_open_cipso - open() for /smack/cipso
809 * @inode: inode structure representing file
810 * @file: "cipso" file pointer
811 *
812 * Connect our cipso_seq_* operations with /smack/cipso
813 * file_operations
814 */
815 static int smk_open_cipso(struct inode *inode, struct file *file)
816 {
817 return seq_open(file, &cipso_seq_ops);
818 }
819
820 /**
821 * smk_set_cipso - do the work for write() for cipso and cipso2
822 * @file: file pointer, not actually used
823 * @buf: where to get the data from
824 * @count: bytes sent
825 * @ppos: where to start
826 * @format: /smack/cipso or /smack/cipso2
827 *
828 * Accepts only one cipso rule per write call.
829 * Returns number of bytes written or error code, as appropriate
830 */
831 static ssize_t smk_set_cipso(struct file *file, const char __user *buf,
832 size_t count, loff_t *ppos, int format)
833 {
834 struct smack_known *skp;
835 struct netlbl_lsm_secattr ncats;
836 char mapcatset[SMK_CIPSOLEN];
837 int maplevel;
838 unsigned int cat;
839 int catlen;
840 ssize_t rc = -EINVAL;
841 char *data = NULL;
842 char *rule;
843 int ret;
844 int i;
845
846 /*
847 * Must have privilege.
848 * No partial writes.
849 * Enough data must be present.
850 */
851 if (!smack_privileged(CAP_MAC_ADMIN))
852 return -EPERM;
853 if (*ppos != 0)
854 return -EINVAL;
855 if (format == SMK_FIXED24_FMT &&
856 (count < SMK_CIPSOMIN || count > SMK_CIPSOMAX))
857 return -EINVAL;
858
859 data = kzalloc(count + 1, GFP_KERNEL);
860 if (data == NULL)
861 return -ENOMEM;
862
863 if (copy_from_user(data, buf, count) != 0) {
864 rc = -EFAULT;
865 goto unlockedout;
866 }
867
868 data[count] = '\0';
869 rule = data;
870 /*
871 * Only allow one writer at a time. Writes should be
872 * quite rare and small in any case.
873 */
874 mutex_lock(&smack_cipso_lock);
875
876 skp = smk_import_entry(rule, 0);
877 if (skp == NULL)
878 goto out;
879
880 if (format == SMK_FIXED24_FMT)
881 rule += SMK_LABELLEN;
882 else
883 rule += strlen(skp->smk_known) + 1;
884
885 ret = sscanf(rule, "%d", &maplevel);
886 if (ret != 1 || maplevel > SMACK_CIPSO_MAXLEVEL)
887 goto out;
888
889 rule += SMK_DIGITLEN;
890 ret = sscanf(rule, "%d", &catlen);
891 if (ret != 1 || catlen > SMACK_CIPSO_MAXCATNUM)
892 goto out;
893
894 if (format == SMK_FIXED24_FMT &&
895 count != (SMK_CIPSOMIN + catlen * SMK_DIGITLEN))
896 goto out;
897
898 memset(mapcatset, 0, sizeof(mapcatset));
899
900 for (i = 0; i < catlen; i++) {
901 rule += SMK_DIGITLEN;
902 ret = sscanf(rule, "%u", &cat);
903 if (ret != 1 || cat > SMACK_CIPSO_MAXCATNUM)
904 goto out;
905
906 smack_catset_bit(cat, mapcatset);
907 }
908
909 rc = smk_netlbl_mls(maplevel, mapcatset, &ncats, SMK_CIPSOLEN);
910 if (rc >= 0) {
911 netlbl_secattr_catmap_free(skp->smk_netlabel.attr.mls.cat);
912 skp->smk_netlabel.attr.mls.cat = ncats.attr.mls.cat;
913 skp->smk_netlabel.attr.mls.lvl = ncats.attr.mls.lvl;
914 rc = count;
915 }
916
917 out:
918 mutex_unlock(&smack_cipso_lock);
919 unlockedout:
920 kfree(data);
921 return rc;
922 }
923
924 /**
925 * smk_write_cipso - write() for /smack/cipso
926 * @file: file pointer, not actually used
927 * @buf: where to get the data from
928 * @count: bytes sent
929 * @ppos: where to start
930 *
931 * Accepts only one cipso rule per write call.
932 * Returns number of bytes written or error code, as appropriate
933 */
934 static ssize_t smk_write_cipso(struct file *file, const char __user *buf,
935 size_t count, loff_t *ppos)
936 {
937 return smk_set_cipso(file, buf, count, ppos, SMK_FIXED24_FMT);
938 }
939
940 static const struct file_operations smk_cipso_ops = {
941 .open = smk_open_cipso,
942 .read = seq_read,
943 .llseek = seq_lseek,
944 .write = smk_write_cipso,
945 .release = seq_release,
946 };
947
948 /*
949 * Seq_file read operations for /smack/cipso2
950 */
951
952 /*
953 * Print cipso labels in format:
954 * label level[/cat[,cat]]
955 */
956 static int cipso2_seq_show(struct seq_file *s, void *v)
957 {
958 struct list_head *list = v;
959 struct smack_known *skp =
960 list_entry(list, struct smack_known, list);
961 struct netlbl_lsm_secattr_catmap *cmp = skp->smk_netlabel.attr.mls.cat;
962 char sep = '/';
963 int i;
964
965 seq_printf(s, "%s %3d", skp->smk_known, skp->smk_netlabel.attr.mls.lvl);
966
967 for (i = netlbl_secattr_catmap_walk(cmp, 0); i >= 0;
968 i = netlbl_secattr_catmap_walk(cmp, i + 1)) {
969 seq_printf(s, "%c%d", sep, i);
970 sep = ',';
971 }
972
973 seq_putc(s, '\n');
974
975 return 0;
976 }
977
978 static const struct seq_operations cipso2_seq_ops = {
979 .start = cipso_seq_start,
980 .next = cipso_seq_next,
981 .show = cipso2_seq_show,
982 .stop = smk_seq_stop,
983 };
984
985 /**
986 * smk_open_cipso2 - open() for /smack/cipso2
987 * @inode: inode structure representing file
988 * @file: "cipso2" file pointer
989 *
990 * Connect our cipso_seq_* operations with /smack/cipso2
991 * file_operations
992 */
993 static int smk_open_cipso2(struct inode *inode, struct file *file)
994 {
995 return seq_open(file, &cipso2_seq_ops);
996 }
997
998 /**
999 * smk_write_cipso2 - write() for /smack/cipso2
1000 * @file: file pointer, not actually used
1001 * @buf: where to get the data from
1002 * @count: bytes sent
1003 * @ppos: where to start
1004 *
1005 * Accepts only one cipso rule per write call.
1006 * Returns number of bytes written or error code, as appropriate
1007 */
1008 static ssize_t smk_write_cipso2(struct file *file, const char __user *buf,
1009 size_t count, loff_t *ppos)
1010 {
1011 return smk_set_cipso(file, buf, count, ppos, SMK_LONG_FMT);
1012 }
1013
1014 static const struct file_operations smk_cipso2_ops = {
1015 .open = smk_open_cipso2,
1016 .read = seq_read,
1017 .llseek = seq_lseek,
1018 .write = smk_write_cipso2,
1019 .release = seq_release,
1020 };
1021
1022 /*
1023 * Seq_file read operations for /smack/netlabel
1024 */
1025
1026 static void *netlbladdr_seq_start(struct seq_file *s, loff_t *pos)
1027 {
1028 return smk_seq_start(s, pos, &smk_netlbladdr_list);
1029 }
1030
1031 static void *netlbladdr_seq_next(struct seq_file *s, void *v, loff_t *pos)
1032 {
1033 return smk_seq_next(s, v, pos, &smk_netlbladdr_list);
1034 }
1035 #define BEBITS (sizeof(__be32) * 8)
1036
1037 /*
1038 * Print host/label pairs
1039 */
1040 static int netlbladdr_seq_show(struct seq_file *s, void *v)
1041 {
1042 struct list_head *list = v;
1043 struct smk_netlbladdr *skp =
1044 list_entry(list, struct smk_netlbladdr, list);
1045 unsigned char *hp = (char *) &skp->smk_host.sin_addr.s_addr;
1046 int maskn;
1047 u32 temp_mask = be32_to_cpu(skp->smk_mask.s_addr);
1048
1049 for (maskn = 0; temp_mask; temp_mask <<= 1, maskn++);
1050
1051 seq_printf(s, "%u.%u.%u.%u/%d %s\n",
1052 hp[0], hp[1], hp[2], hp[3], maskn, skp->smk_label);
1053
1054 return 0;
1055 }
1056
1057 static const struct seq_operations netlbladdr_seq_ops = {
1058 .start = netlbladdr_seq_start,
1059 .next = netlbladdr_seq_next,
1060 .show = netlbladdr_seq_show,
1061 .stop = smk_seq_stop,
1062 };
1063
1064 /**
1065 * smk_open_netlbladdr - open() for /smack/netlabel
1066 * @inode: inode structure representing file
1067 * @file: "netlabel" file pointer
1068 *
1069 * Connect our netlbladdr_seq_* operations with /smack/netlabel
1070 * file_operations
1071 */
1072 static int smk_open_netlbladdr(struct inode *inode, struct file *file)
1073 {
1074 return seq_open(file, &netlbladdr_seq_ops);
1075 }
1076
1077 /**
1078 * smk_netlbladdr_insert
1079 * @new : netlabel to insert
1080 *
1081 * This helper insert netlabel in the smack_netlbladdrs list
1082 * sorted by netmask length (longest to smallest)
1083 * locked by &smk_netlbladdr_lock in smk_write_netlbladdr
1084 *
1085 */
1086 static void smk_netlbladdr_insert(struct smk_netlbladdr *new)
1087 {
1088 struct smk_netlbladdr *m, *m_next;
1089
1090 if (list_empty(&smk_netlbladdr_list)) {
1091 list_add_rcu(&new->list, &smk_netlbladdr_list);
1092 return;
1093 }
1094
1095 m = list_entry_rcu(smk_netlbladdr_list.next,
1096 struct smk_netlbladdr, list);
1097
1098 /* the comparison '>' is a bit hacky, but works */
1099 if (new->smk_mask.s_addr > m->smk_mask.s_addr) {
1100 list_add_rcu(&new->list, &smk_netlbladdr_list);
1101 return;
1102 }
1103
1104 list_for_each_entry_rcu(m, &smk_netlbladdr_list, list) {
1105 if (list_is_last(&m->list, &smk_netlbladdr_list)) {
1106 list_add_rcu(&new->list, &m->list);
1107 return;
1108 }
1109 m_next = list_entry_rcu(m->list.next,
1110 struct smk_netlbladdr, list);
1111 if (new->smk_mask.s_addr > m_next->smk_mask.s_addr) {
1112 list_add_rcu(&new->list, &m->list);
1113 return;
1114 }
1115 }
1116 }
1117
1118
1119 /**
1120 * smk_write_netlbladdr - write() for /smack/netlabel
1121 * @file: file pointer, not actually used
1122 * @buf: where to get the data from
1123 * @count: bytes sent
1124 * @ppos: where to start
1125 *
1126 * Accepts only one netlbladdr per write call.
1127 * Returns number of bytes written or error code, as appropriate
1128 */
1129 static ssize_t smk_write_netlbladdr(struct file *file, const char __user *buf,
1130 size_t count, loff_t *ppos)
1131 {
1132 struct smk_netlbladdr *skp;
1133 struct sockaddr_in newname;
1134 char *smack;
1135 char *sp;
1136 char *data;
1137 char *host = (char *)&newname.sin_addr.s_addr;
1138 int rc;
1139 struct netlbl_audit audit_info;
1140 struct in_addr mask;
1141 unsigned int m;
1142 int found;
1143 u32 mask_bits = (1<<31);
1144 __be32 nsa;
1145 u32 temp_mask;
1146
1147 /*
1148 * Must have privilege.
1149 * No partial writes.
1150 * Enough data must be present.
1151 * "<addr/mask, as a.b.c.d/e><space><label>"
1152 * "<addr, as a.b.c.d><space><label>"
1153 */
1154 if (!smack_privileged(CAP_MAC_ADMIN))
1155 return -EPERM;
1156 if (*ppos != 0)
1157 return -EINVAL;
1158 if (count < SMK_NETLBLADDRMIN)
1159 return -EINVAL;
1160
1161 data = kzalloc(count + 1, GFP_KERNEL);
1162 if (data == NULL)
1163 return -ENOMEM;
1164
1165 if (copy_from_user(data, buf, count) != 0) {
1166 rc = -EFAULT;
1167 goto free_data_out;
1168 }
1169
1170 smack = kzalloc(count + 1, GFP_KERNEL);
1171 if (smack == NULL) {
1172 rc = -ENOMEM;
1173 goto free_data_out;
1174 }
1175
1176 data[count] = '\0';
1177
1178 rc = sscanf(data, "%hhd.%hhd.%hhd.%hhd/%d %s",
1179 &host[0], &host[1], &host[2], &host[3], &m, smack);
1180 if (rc != 6) {
1181 rc = sscanf(data, "%hhd.%hhd.%hhd.%hhd %s",
1182 &host[0], &host[1], &host[2], &host[3], smack);
1183 if (rc != 5) {
1184 rc = -EINVAL;
1185 goto free_out;
1186 }
1187 m = BEBITS;
1188 }
1189 if (m > BEBITS) {
1190 rc = -EINVAL;
1191 goto free_out;
1192 }
1193
1194 /*
1195 * If smack begins with '-', it is an option, don't import it
1196 */
1197 if (smack[0] != '-') {
1198 sp = smk_import(smack, 0);
1199 if (sp == NULL) {
1200 rc = -EINVAL;
1201 goto free_out;
1202 }
1203 } else {
1204 /* check known options */
1205 if (strcmp(smack, smack_cipso_option) == 0)
1206 sp = (char *)smack_cipso_option;
1207 else {
1208 rc = -EINVAL;
1209 goto free_out;
1210 }
1211 }
1212
1213 for (temp_mask = 0; m > 0; m--) {
1214 temp_mask |= mask_bits;
1215 mask_bits >>= 1;
1216 }
1217 mask.s_addr = cpu_to_be32(temp_mask);
1218
1219 newname.sin_addr.s_addr &= mask.s_addr;
1220 /*
1221 * Only allow one writer at a time. Writes should be
1222 * quite rare and small in any case.
1223 */
1224 mutex_lock(&smk_netlbladdr_lock);
1225
1226 nsa = newname.sin_addr.s_addr;
1227 /* try to find if the prefix is already in the list */
1228 found = 0;
1229 list_for_each_entry_rcu(skp, &smk_netlbladdr_list, list) {
1230 if (skp->smk_host.sin_addr.s_addr == nsa &&
1231 skp->smk_mask.s_addr == mask.s_addr) {
1232 found = 1;
1233 break;
1234 }
1235 }
1236 smk_netlabel_audit_set(&audit_info);
1237
1238 if (found == 0) {
1239 skp = kzalloc(sizeof(*skp), GFP_KERNEL);
1240 if (skp == NULL)
1241 rc = -ENOMEM;
1242 else {
1243 rc = 0;
1244 skp->smk_host.sin_addr.s_addr = newname.sin_addr.s_addr;
1245 skp->smk_mask.s_addr = mask.s_addr;
1246 skp->smk_label = sp;
1247 smk_netlbladdr_insert(skp);
1248 }
1249 } else {
1250 /* we delete the unlabeled entry, only if the previous label
1251 * wasn't the special CIPSO option */
1252 if (skp->smk_label != smack_cipso_option)
1253 rc = netlbl_cfg_unlbl_static_del(&init_net, NULL,
1254 &skp->smk_host.sin_addr, &skp->smk_mask,
1255 PF_INET, &audit_info);
1256 else
1257 rc = 0;
1258 skp->smk_label = sp;
1259 }
1260
1261 /*
1262 * Now tell netlabel about the single label nature of
1263 * this host so that incoming packets get labeled.
1264 * but only if we didn't get the special CIPSO option
1265 */
1266 if (rc == 0 && sp != smack_cipso_option)
1267 rc = netlbl_cfg_unlbl_static_add(&init_net, NULL,
1268 &skp->smk_host.sin_addr, &skp->smk_mask, PF_INET,
1269 smack_to_secid(skp->smk_label), &audit_info);
1270
1271 if (rc == 0)
1272 rc = count;
1273
1274 mutex_unlock(&smk_netlbladdr_lock);
1275
1276 free_out:
1277 kfree(smack);
1278 free_data_out:
1279 kfree(data);
1280
1281 return rc;
1282 }
1283
1284 static const struct file_operations smk_netlbladdr_ops = {
1285 .open = smk_open_netlbladdr,
1286 .read = seq_read,
1287 .llseek = seq_lseek,
1288 .write = smk_write_netlbladdr,
1289 .release = seq_release,
1290 };
1291
1292 /**
1293 * smk_read_doi - read() for /smack/doi
1294 * @filp: file pointer, not actually used
1295 * @buf: where to put the result
1296 * @count: maximum to send along
1297 * @ppos: where to start
1298 *
1299 * Returns number of bytes read or error code, as appropriate
1300 */
1301 static ssize_t smk_read_doi(struct file *filp, char __user *buf,
1302 size_t count, loff_t *ppos)
1303 {
1304 char temp[80];
1305 ssize_t rc;
1306
1307 if (*ppos != 0)
1308 return 0;
1309
1310 sprintf(temp, "%d", smk_cipso_doi_value);
1311 rc = simple_read_from_buffer(buf, count, ppos, temp, strlen(temp));
1312
1313 return rc;
1314 }
1315
1316 /**
1317 * smk_write_doi - write() for /smack/doi
1318 * @file: file pointer, not actually used
1319 * @buf: where to get the data from
1320 * @count: bytes sent
1321 * @ppos: where to start
1322 *
1323 * Returns number of bytes written or error code, as appropriate
1324 */
1325 static ssize_t smk_write_doi(struct file *file, const char __user *buf,
1326 size_t count, loff_t *ppos)
1327 {
1328 char temp[80];
1329 int i;
1330
1331 if (!smack_privileged(CAP_MAC_ADMIN))
1332 return -EPERM;
1333
1334 if (count >= sizeof(temp) || count == 0)
1335 return -EINVAL;
1336
1337 if (copy_from_user(temp, buf, count) != 0)
1338 return -EFAULT;
1339
1340 temp[count] = '\0';
1341
1342 if (sscanf(temp, "%d", &i) != 1)
1343 return -EINVAL;
1344
1345 smk_cipso_doi_value = i;
1346
1347 smk_cipso_doi();
1348
1349 return count;
1350 }
1351
1352 static const struct file_operations smk_doi_ops = {
1353 .read = smk_read_doi,
1354 .write = smk_write_doi,
1355 .llseek = default_llseek,
1356 };
1357
1358 /**
1359 * smk_read_direct - read() for /smack/direct
1360 * @filp: file pointer, not actually used
1361 * @buf: where to put the result
1362 * @count: maximum to send along
1363 * @ppos: where to start
1364 *
1365 * Returns number of bytes read or error code, as appropriate
1366 */
1367 static ssize_t smk_read_direct(struct file *filp, char __user *buf,
1368 size_t count, loff_t *ppos)
1369 {
1370 char temp[80];
1371 ssize_t rc;
1372
1373 if (*ppos != 0)
1374 return 0;
1375
1376 sprintf(temp, "%d", smack_cipso_direct);
1377 rc = simple_read_from_buffer(buf, count, ppos, temp, strlen(temp));
1378
1379 return rc;
1380 }
1381
1382 /**
1383 * smk_write_direct - write() for /smack/direct
1384 * @file: file pointer, not actually used
1385 * @buf: where to get the data from
1386 * @count: bytes sent
1387 * @ppos: where to start
1388 *
1389 * Returns number of bytes written or error code, as appropriate
1390 */
1391 static ssize_t smk_write_direct(struct file *file, const char __user *buf,
1392 size_t count, loff_t *ppos)
1393 {
1394 struct smack_known *skp;
1395 char temp[80];
1396 int i;
1397
1398 if (!smack_privileged(CAP_MAC_ADMIN))
1399 return -EPERM;
1400
1401 if (count >= sizeof(temp) || count == 0)
1402 return -EINVAL;
1403
1404 if (copy_from_user(temp, buf, count) != 0)
1405 return -EFAULT;
1406
1407 temp[count] = '\0';
1408
1409 if (sscanf(temp, "%d", &i) != 1)
1410 return -EINVAL;
1411
1412 /*
1413 * Don't do anything if the value hasn't actually changed.
1414 * If it is changing reset the level on entries that were
1415 * set up to be direct when they were created.
1416 */
1417 if (smack_cipso_direct != i) {
1418 mutex_lock(&smack_known_lock);
1419 list_for_each_entry_rcu(skp, &smack_known_list, list)
1420 if (skp->smk_netlabel.attr.mls.lvl ==
1421 smack_cipso_direct)
1422 skp->smk_netlabel.attr.mls.lvl = i;
1423 smack_cipso_direct = i;
1424 mutex_unlock(&smack_known_lock);
1425 }
1426
1427 return count;
1428 }
1429
1430 static const struct file_operations smk_direct_ops = {
1431 .read = smk_read_direct,
1432 .write = smk_write_direct,
1433 .llseek = default_llseek,
1434 };
1435
1436 /**
1437 * smk_read_mapped - read() for /smack/mapped
1438 * @filp: file pointer, not actually used
1439 * @buf: where to put the result
1440 * @count: maximum to send along
1441 * @ppos: where to start
1442 *
1443 * Returns number of bytes read or error code, as appropriate
1444 */
1445 static ssize_t smk_read_mapped(struct file *filp, char __user *buf,
1446 size_t count, loff_t *ppos)
1447 {
1448 char temp[80];
1449 ssize_t rc;
1450
1451 if (*ppos != 0)
1452 return 0;
1453
1454 sprintf(temp, "%d", smack_cipso_mapped);
1455 rc = simple_read_from_buffer(buf, count, ppos, temp, strlen(temp));
1456
1457 return rc;
1458 }
1459
1460 /**
1461 * smk_write_mapped - write() for /smack/mapped
1462 * @file: file pointer, not actually used
1463 * @buf: where to get the data from
1464 * @count: bytes sent
1465 * @ppos: where to start
1466 *
1467 * Returns number of bytes written or error code, as appropriate
1468 */
1469 static ssize_t smk_write_mapped(struct file *file, const char __user *buf,
1470 size_t count, loff_t *ppos)
1471 {
1472 struct smack_known *skp;
1473 char temp[80];
1474 int i;
1475
1476 if (!smack_privileged(CAP_MAC_ADMIN))
1477 return -EPERM;
1478
1479 if (count >= sizeof(temp) || count == 0)
1480 return -EINVAL;
1481
1482 if (copy_from_user(temp, buf, count) != 0)
1483 return -EFAULT;
1484
1485 temp[count] = '\0';
1486
1487 if (sscanf(temp, "%d", &i) != 1)
1488 return -EINVAL;
1489
1490 /*
1491 * Don't do anything if the value hasn't actually changed.
1492 * If it is changing reset the level on entries that were
1493 * set up to be mapped when they were created.
1494 */
1495 if (smack_cipso_mapped != i) {
1496 mutex_lock(&smack_known_lock);
1497 list_for_each_entry_rcu(skp, &smack_known_list, list)
1498 if (skp->smk_netlabel.attr.mls.lvl ==
1499 smack_cipso_mapped)
1500 skp->smk_netlabel.attr.mls.lvl = i;
1501 smack_cipso_mapped = i;
1502 mutex_unlock(&smack_known_lock);
1503 }
1504
1505 return count;
1506 }
1507
1508 static const struct file_operations smk_mapped_ops = {
1509 .read = smk_read_mapped,
1510 .write = smk_write_mapped,
1511 .llseek = default_llseek,
1512 };
1513
1514 /**
1515 * smk_read_ambient - read() for /smack/ambient
1516 * @filp: file pointer, not actually used
1517 * @buf: where to put the result
1518 * @cn: maximum to send along
1519 * @ppos: where to start
1520 *
1521 * Returns number of bytes read or error code, as appropriate
1522 */
1523 static ssize_t smk_read_ambient(struct file *filp, char __user *buf,
1524 size_t cn, loff_t *ppos)
1525 {
1526 ssize_t rc;
1527 int asize;
1528
1529 if (*ppos != 0)
1530 return 0;
1531 /*
1532 * Being careful to avoid a problem in the case where
1533 * smack_net_ambient gets changed in midstream.
1534 */
1535 mutex_lock(&smack_ambient_lock);
1536
1537 asize = strlen(smack_net_ambient->smk_known) + 1;
1538
1539 if (cn >= asize)
1540 rc = simple_read_from_buffer(buf, cn, ppos,
1541 smack_net_ambient->smk_known,
1542 asize);
1543 else
1544 rc = -EINVAL;
1545
1546 mutex_unlock(&smack_ambient_lock);
1547
1548 return rc;
1549 }
1550
1551 /**
1552 * smk_write_ambient - write() for /smack/ambient
1553 * @file: file pointer, not actually used
1554 * @buf: where to get the data from
1555 * @count: bytes sent
1556 * @ppos: where to start
1557 *
1558 * Returns number of bytes written or error code, as appropriate
1559 */
1560 static ssize_t smk_write_ambient(struct file *file, const char __user *buf,
1561 size_t count, loff_t *ppos)
1562 {
1563 struct smack_known *skp;
1564 char *oldambient;
1565 char *data;
1566 int rc = count;
1567
1568 if (!smack_privileged(CAP_MAC_ADMIN))
1569 return -EPERM;
1570
1571 data = kzalloc(count + 1, GFP_KERNEL);
1572 if (data == NULL)
1573 return -ENOMEM;
1574
1575 if (copy_from_user(data, buf, count) != 0) {
1576 rc = -EFAULT;
1577 goto out;
1578 }
1579
1580 skp = smk_import_entry(data, count);
1581 if (skp == NULL) {
1582 rc = -EINVAL;
1583 goto out;
1584 }
1585
1586 mutex_lock(&smack_ambient_lock);
1587
1588 oldambient = smack_net_ambient->smk_known;
1589 smack_net_ambient = skp;
1590 smk_unlbl_ambient(oldambient);
1591
1592 mutex_unlock(&smack_ambient_lock);
1593
1594 out:
1595 kfree(data);
1596 return rc;
1597 }
1598
1599 static const struct file_operations smk_ambient_ops = {
1600 .read = smk_read_ambient,
1601 .write = smk_write_ambient,
1602 .llseek = default_llseek,
1603 };
1604
1605 /**
1606 * smk_read_onlycap - read() for /smack/onlycap
1607 * @filp: file pointer, not actually used
1608 * @buf: where to put the result
1609 * @cn: maximum to send along
1610 * @ppos: where to start
1611 *
1612 * Returns number of bytes read or error code, as appropriate
1613 */
1614 static ssize_t smk_read_onlycap(struct file *filp, char __user *buf,
1615 size_t cn, loff_t *ppos)
1616 {
1617 char *smack = "";
1618 ssize_t rc = -EINVAL;
1619 int asize;
1620
1621 if (*ppos != 0)
1622 return 0;
1623
1624 if (smack_onlycap != NULL)
1625 smack = smack_onlycap;
1626
1627 asize = strlen(smack) + 1;
1628
1629 if (cn >= asize)
1630 rc = simple_read_from_buffer(buf, cn, ppos, smack, asize);
1631
1632 return rc;
1633 }
1634
1635 /**
1636 * smk_write_onlycap - write() for /smack/onlycap
1637 * @file: file pointer, not actually used
1638 * @buf: where to get the data from
1639 * @count: bytes sent
1640 * @ppos: where to start
1641 *
1642 * Returns number of bytes written or error code, as appropriate
1643 */
1644 static ssize_t smk_write_onlycap(struct file *file, const char __user *buf,
1645 size_t count, loff_t *ppos)
1646 {
1647 char *data;
1648 struct smack_known *skp = smk_of_task(current->cred->security);
1649 int rc = count;
1650
1651 if (!smack_privileged(CAP_MAC_ADMIN))
1652 return -EPERM;
1653
1654 /*
1655 * This can be done using smk_access() but is done
1656 * explicitly for clarity. The smk_access() implementation
1657 * would use smk_access(smack_onlycap, MAY_WRITE)
1658 */
1659 if (smack_onlycap != NULL && smack_onlycap != skp->smk_known)
1660 return -EPERM;
1661
1662 data = kzalloc(count, GFP_KERNEL);
1663 if (data == NULL)
1664 return -ENOMEM;
1665
1666 /*
1667 * Should the null string be passed in unset the onlycap value.
1668 * This seems like something to be careful with as usually
1669 * smk_import only expects to return NULL for errors. It
1670 * is usually the case that a nullstring or "\n" would be
1671 * bad to pass to smk_import but in fact this is useful here.
1672 *
1673 * smk_import will also reject a label beginning with '-',
1674 * so "-usecapabilities" will also work.
1675 */
1676 if (copy_from_user(data, buf, count) != 0)
1677 rc = -EFAULT;
1678 else
1679 smack_onlycap = smk_import(data, count);
1680
1681 kfree(data);
1682 return rc;
1683 }
1684
1685 static const struct file_operations smk_onlycap_ops = {
1686 .read = smk_read_onlycap,
1687 .write = smk_write_onlycap,
1688 .llseek = default_llseek,
1689 };
1690
1691 /**
1692 * smk_read_logging - read() for /smack/logging
1693 * @filp: file pointer, not actually used
1694 * @buf: where to put the result
1695 * @cn: maximum to send along
1696 * @ppos: where to start
1697 *
1698 * Returns number of bytes read or error code, as appropriate
1699 */
1700 static ssize_t smk_read_logging(struct file *filp, char __user *buf,
1701 size_t count, loff_t *ppos)
1702 {
1703 char temp[32];
1704 ssize_t rc;
1705
1706 if (*ppos != 0)
1707 return 0;
1708
1709 sprintf(temp, "%d\n", log_policy);
1710 rc = simple_read_from_buffer(buf, count, ppos, temp, strlen(temp));
1711 return rc;
1712 }
1713
1714 /**
1715 * smk_write_logging - write() for /smack/logging
1716 * @file: file pointer, not actually used
1717 * @buf: where to get the data from
1718 * @count: bytes sent
1719 * @ppos: where to start
1720 *
1721 * Returns number of bytes written or error code, as appropriate
1722 */
1723 static ssize_t smk_write_logging(struct file *file, const char __user *buf,
1724 size_t count, loff_t *ppos)
1725 {
1726 char temp[32];
1727 int i;
1728
1729 if (!smack_privileged(CAP_MAC_ADMIN))
1730 return -EPERM;
1731
1732 if (count >= sizeof(temp) || count == 0)
1733 return -EINVAL;
1734
1735 if (copy_from_user(temp, buf, count) != 0)
1736 return -EFAULT;
1737
1738 temp[count] = '\0';
1739
1740 if (sscanf(temp, "%d", &i) != 1)
1741 return -EINVAL;
1742 if (i < 0 || i > 3)
1743 return -EINVAL;
1744 log_policy = i;
1745 return count;
1746 }
1747
1748
1749
1750 static const struct file_operations smk_logging_ops = {
1751 .read = smk_read_logging,
1752 .write = smk_write_logging,
1753 .llseek = default_llseek,
1754 };
1755
1756 /*
1757 * Seq_file read operations for /smack/load-self
1758 */
1759
1760 static void *load_self_seq_start(struct seq_file *s, loff_t *pos)
1761 {
1762 struct task_smack *tsp = current_security();
1763
1764 return smk_seq_start(s, pos, &tsp->smk_rules);
1765 }
1766
1767 static void *load_self_seq_next(struct seq_file *s, void *v, loff_t *pos)
1768 {
1769 struct task_smack *tsp = current_security();
1770
1771 return smk_seq_next(s, v, pos, &tsp->smk_rules);
1772 }
1773
1774 static int load_self_seq_show(struct seq_file *s, void *v)
1775 {
1776 struct list_head *list = v;
1777 struct smack_rule *srp =
1778 list_entry(list, struct smack_rule, list);
1779
1780 smk_rule_show(s, srp, SMK_LABELLEN);
1781
1782 return 0;
1783 }
1784
1785 static const struct seq_operations load_self_seq_ops = {
1786 .start = load_self_seq_start,
1787 .next = load_self_seq_next,
1788 .show = load_self_seq_show,
1789 .stop = smk_seq_stop,
1790 };
1791
1792
1793 /**
1794 * smk_open_load_self - open() for /smack/load-self2
1795 * @inode: inode structure representing file
1796 * @file: "load" file pointer
1797 *
1798 * For reading, use load_seq_* seq_file reading operations.
1799 */
1800 static int smk_open_load_self(struct inode *inode, struct file *file)
1801 {
1802 return seq_open(file, &load_self_seq_ops);
1803 }
1804
1805 /**
1806 * smk_write_load_self - write() for /smack/load-self
1807 * @file: file pointer, not actually used
1808 * @buf: where to get the data from
1809 * @count: bytes sent
1810 * @ppos: where to start - must be 0
1811 *
1812 */
1813 static ssize_t smk_write_load_self(struct file *file, const char __user *buf,
1814 size_t count, loff_t *ppos)
1815 {
1816 struct task_smack *tsp = current_security();
1817
1818 return smk_write_rules_list(file, buf, count, ppos, &tsp->smk_rules,
1819 &tsp->smk_rules_lock, SMK_FIXED24_FMT);
1820 }
1821
1822 static const struct file_operations smk_load_self_ops = {
1823 .open = smk_open_load_self,
1824 .read = seq_read,
1825 .llseek = seq_lseek,
1826 .write = smk_write_load_self,
1827 .release = seq_release,
1828 };
1829
1830 /**
1831 * smk_user_access - handle access check transaction
1832 * @file: file pointer
1833 * @buf: data from user space
1834 * @count: bytes sent
1835 * @ppos: where to start - must be 0
1836 */
1837 static ssize_t smk_user_access(struct file *file, const char __user *buf,
1838 size_t count, loff_t *ppos, int format)
1839 {
1840 struct smack_parsed_rule rule;
1841 char *data;
1842 int res;
1843
1844 data = simple_transaction_get(file, buf, count);
1845 if (IS_ERR(data))
1846 return PTR_ERR(data);
1847
1848 if (format == SMK_FIXED24_FMT) {
1849 if (count < SMK_LOADLEN)
1850 return -EINVAL;
1851 res = smk_parse_rule(data, &rule, 0);
1852 } else {
1853 /*
1854 * simple_transaction_get() returns null-terminated data
1855 */
1856 res = smk_parse_long_rule(data, &rule, 0, 3);
1857 }
1858
1859 if (res < 0)
1860 return -EINVAL;
1861
1862 res = smk_access(rule.smk_subject, rule.smk_object,
1863 rule.smk_access1, NULL);
1864 data[0] = res == 0 ? '1' : '0';
1865 data[1] = '\0';
1866
1867 simple_transaction_set(file, 2);
1868
1869 if (format == SMK_FIXED24_FMT)
1870 return SMK_LOADLEN;
1871 return count;
1872 }
1873
1874 /**
1875 * smk_write_access - handle access check transaction
1876 * @file: file pointer
1877 * @buf: data from user space
1878 * @count: bytes sent
1879 * @ppos: where to start - must be 0
1880 */
1881 static ssize_t smk_write_access(struct file *file, const char __user *buf,
1882 size_t count, loff_t *ppos)
1883 {
1884 return smk_user_access(file, buf, count, ppos, SMK_FIXED24_FMT);
1885 }
1886
1887 static const struct file_operations smk_access_ops = {
1888 .write = smk_write_access,
1889 .read = simple_transaction_read,
1890 .release = simple_transaction_release,
1891 .llseek = generic_file_llseek,
1892 };
1893
1894
1895 /*
1896 * Seq_file read operations for /smack/load2
1897 */
1898
1899 static int load2_seq_show(struct seq_file *s, void *v)
1900 {
1901 struct list_head *list = v;
1902 struct smack_master_list *smlp =
1903 list_entry(list, struct smack_master_list, list);
1904
1905 smk_rule_show(s, smlp->smk_rule, SMK_LONGLABEL);
1906
1907 return 0;
1908 }
1909
1910 static const struct seq_operations load2_seq_ops = {
1911 .start = load2_seq_start,
1912 .next = load2_seq_next,
1913 .show = load2_seq_show,
1914 .stop = smk_seq_stop,
1915 };
1916
1917 /**
1918 * smk_open_load2 - open() for /smack/load2
1919 * @inode: inode structure representing file
1920 * @file: "load2" file pointer
1921 *
1922 * For reading, use load2_seq_* seq_file reading operations.
1923 */
1924 static int smk_open_load2(struct inode *inode, struct file *file)
1925 {
1926 return seq_open(file, &load2_seq_ops);
1927 }
1928
1929 /**
1930 * smk_write_load2 - write() for /smack/load2
1931 * @file: file pointer, not actually used
1932 * @buf: where to get the data from
1933 * @count: bytes sent
1934 * @ppos: where to start - must be 0
1935 *
1936 */
1937 static ssize_t smk_write_load2(struct file *file, const char __user *buf,
1938 size_t count, loff_t *ppos)
1939 {
1940 /*
1941 * Must have privilege.
1942 */
1943 if (!smack_privileged(CAP_MAC_ADMIN))
1944 return -EPERM;
1945
1946 return smk_write_rules_list(file, buf, count, ppos, NULL, NULL,
1947 SMK_LONG_FMT);
1948 }
1949
1950 static const struct file_operations smk_load2_ops = {
1951 .open = smk_open_load2,
1952 .read = seq_read,
1953 .llseek = seq_lseek,
1954 .write = smk_write_load2,
1955 .release = seq_release,
1956 };
1957
1958 /*
1959 * Seq_file read operations for /smack/load-self2
1960 */
1961
1962 static void *load_self2_seq_start(struct seq_file *s, loff_t *pos)
1963 {
1964 struct task_smack *tsp = current_security();
1965
1966 return smk_seq_start(s, pos, &tsp->smk_rules);
1967 }
1968
1969 static void *load_self2_seq_next(struct seq_file *s, void *v, loff_t *pos)
1970 {
1971 struct task_smack *tsp = current_security();
1972
1973 return smk_seq_next(s, v, pos, &tsp->smk_rules);
1974 }
1975
1976 static int load_self2_seq_show(struct seq_file *s, void *v)
1977 {
1978 struct list_head *list = v;
1979 struct smack_rule *srp =
1980 list_entry(list, struct smack_rule, list);
1981
1982 smk_rule_show(s, srp, SMK_LONGLABEL);
1983
1984 return 0;
1985 }
1986
1987 static const struct seq_operations load_self2_seq_ops = {
1988 .start = load_self2_seq_start,
1989 .next = load_self2_seq_next,
1990 .show = load_self2_seq_show,
1991 .stop = smk_seq_stop,
1992 };
1993
1994 /**
1995 * smk_open_load_self2 - open() for /smack/load-self2
1996 * @inode: inode structure representing file
1997 * @file: "load" file pointer
1998 *
1999 * For reading, use load_seq_* seq_file reading operations.
2000 */
2001 static int smk_open_load_self2(struct inode *inode, struct file *file)
2002 {
2003 return seq_open(file, &load_self2_seq_ops);
2004 }
2005
2006 /**
2007 * smk_write_load_self2 - write() for /smack/load-self2
2008 * @file: file pointer, not actually used
2009 * @buf: where to get the data from
2010 * @count: bytes sent
2011 * @ppos: where to start - must be 0
2012 *
2013 */
2014 static ssize_t smk_write_load_self2(struct file *file, const char __user *buf,
2015 size_t count, loff_t *ppos)
2016 {
2017 struct task_smack *tsp = current_security();
2018
2019 return smk_write_rules_list(file, buf, count, ppos, &tsp->smk_rules,
2020 &tsp->smk_rules_lock, SMK_LONG_FMT);
2021 }
2022
2023 static const struct file_operations smk_load_self2_ops = {
2024 .open = smk_open_load_self2,
2025 .read = seq_read,
2026 .llseek = seq_lseek,
2027 .write = smk_write_load_self2,
2028 .release = seq_release,
2029 };
2030
2031 /**
2032 * smk_write_access2 - handle access check transaction
2033 * @file: file pointer
2034 * @buf: data from user space
2035 * @count: bytes sent
2036 * @ppos: where to start - must be 0
2037 */
2038 static ssize_t smk_write_access2(struct file *file, const char __user *buf,
2039 size_t count, loff_t *ppos)
2040 {
2041 return smk_user_access(file, buf, count, ppos, SMK_LONG_FMT);
2042 }
2043
2044 static const struct file_operations smk_access2_ops = {
2045 .write = smk_write_access2,
2046 .read = simple_transaction_read,
2047 .release = simple_transaction_release,
2048 .llseek = generic_file_llseek,
2049 };
2050
2051 /**
2052 * smk_write_revoke_subj - write() for /smack/revoke-subject
2053 * @file: file pointer
2054 * @buf: data from user space
2055 * @count: bytes sent
2056 * @ppos: where to start - must be 0
2057 */
2058 static ssize_t smk_write_revoke_subj(struct file *file, const char __user *buf,
2059 size_t count, loff_t *ppos)
2060 {
2061 char *data = NULL;
2062 const char *cp = NULL;
2063 struct smack_known *skp;
2064 struct smack_rule *sp;
2065 struct list_head *rule_list;
2066 struct mutex *rule_lock;
2067 int rc = count;
2068
2069 if (*ppos != 0)
2070 return -EINVAL;
2071
2072 if (!smack_privileged(CAP_MAC_ADMIN))
2073 return -EPERM;
2074
2075 if (count == 0 || count > SMK_LONGLABEL)
2076 return -EINVAL;
2077
2078 data = kzalloc(count, GFP_KERNEL);
2079 if (data == NULL)
2080 return -ENOMEM;
2081
2082 if (copy_from_user(data, buf, count) != 0) {
2083 rc = -EFAULT;
2084 goto free_out;
2085 }
2086
2087 cp = smk_parse_smack(data, count);
2088 if (cp == NULL) {
2089 rc = -EINVAL;
2090 goto free_out;
2091 }
2092
2093 skp = smk_find_entry(cp);
2094 if (skp == NULL)
2095 goto free_out;
2096
2097 rule_list = &skp->smk_rules;
2098 rule_lock = &skp->smk_rules_lock;
2099
2100 mutex_lock(rule_lock);
2101
2102 list_for_each_entry_rcu(sp, rule_list, list)
2103 sp->smk_access = 0;
2104
2105 mutex_unlock(rule_lock);
2106
2107 free_out:
2108 kfree(data);
2109 kfree(cp);
2110 return rc;
2111 }
2112
2113 static const struct file_operations smk_revoke_subj_ops = {
2114 .write = smk_write_revoke_subj,
2115 .read = simple_transaction_read,
2116 .release = simple_transaction_release,
2117 .llseek = generic_file_llseek,
2118 };
2119
2120 static struct kset *smackfs_kset;
2121 /**
2122 * smk_init_sysfs - initialize /sys/fs/smackfs
2123 *
2124 */
2125 static int smk_init_sysfs(void)
2126 {
2127 smackfs_kset = kset_create_and_add("smackfs", NULL, fs_kobj);
2128 if (!smackfs_kset)
2129 return -ENOMEM;
2130 return 0;
2131 }
2132
2133 /**
2134 * smk_write_change_rule - write() for /smack/change-rule
2135 * @file: file pointer
2136 * @buf: data from user space
2137 * @count: bytes sent
2138 * @ppos: where to start - must be 0
2139 */
2140 static ssize_t smk_write_change_rule(struct file *file, const char __user *buf,
2141 size_t count, loff_t *ppos)
2142 {
2143 /*
2144 * Must have privilege.
2145 */
2146 if (!capable(CAP_MAC_ADMIN))
2147 return -EPERM;
2148
2149 return smk_write_rules_list(file, buf, count, ppos, NULL, NULL,
2150 SMK_CHANGE_FMT);
2151 }
2152
2153 static const struct file_operations smk_change_rule_ops = {
2154 .write = smk_write_change_rule,
2155 .read = simple_transaction_read,
2156 .release = simple_transaction_release,
2157 .llseek = generic_file_llseek,
2158 };
2159
2160 /**
2161 * smk_fill_super - fill the /smackfs superblock
2162 * @sb: the empty superblock
2163 * @data: unused
2164 * @silent: unused
2165 *
2166 * Fill in the well known entries for /smack
2167 *
2168 * Returns 0 on success, an error code on failure
2169 */
2170 static int smk_fill_super(struct super_block *sb, void *data, int silent)
2171 {
2172 int rc;
2173 struct inode *root_inode;
2174
2175 static struct tree_descr smack_files[] = {
2176 [SMK_LOAD] = {
2177 "load", &smk_load_ops, S_IRUGO|S_IWUSR},
2178 [SMK_CIPSO] = {
2179 "cipso", &smk_cipso_ops, S_IRUGO|S_IWUSR},
2180 [SMK_DOI] = {
2181 "doi", &smk_doi_ops, S_IRUGO|S_IWUSR},
2182 [SMK_DIRECT] = {
2183 "direct", &smk_direct_ops, S_IRUGO|S_IWUSR},
2184 [SMK_AMBIENT] = {
2185 "ambient", &smk_ambient_ops, S_IRUGO|S_IWUSR},
2186 [SMK_NETLBLADDR] = {
2187 "netlabel", &smk_netlbladdr_ops, S_IRUGO|S_IWUSR},
2188 [SMK_ONLYCAP] = {
2189 "onlycap", &smk_onlycap_ops, S_IRUGO|S_IWUSR},
2190 [SMK_LOGGING] = {
2191 "logging", &smk_logging_ops, S_IRUGO|S_IWUSR},
2192 [SMK_LOAD_SELF] = {
2193 "load-self", &smk_load_self_ops, S_IRUGO|S_IWUGO},
2194 [SMK_ACCESSES] = {
2195 "access", &smk_access_ops, S_IRUGO|S_IWUGO},
2196 [SMK_MAPPED] = {
2197 "mapped", &smk_mapped_ops, S_IRUGO|S_IWUSR},
2198 [SMK_LOAD2] = {
2199 "load2", &smk_load2_ops, S_IRUGO|S_IWUSR},
2200 [SMK_LOAD_SELF2] = {
2201 "load-self2", &smk_load_self2_ops, S_IRUGO|S_IWUGO},
2202 [SMK_ACCESS2] = {
2203 "access2", &smk_access2_ops, S_IRUGO|S_IWUGO},
2204 [SMK_CIPSO2] = {
2205 "cipso2", &smk_cipso2_ops, S_IRUGO|S_IWUSR},
2206 [SMK_REVOKE_SUBJ] = {
2207 "revoke-subject", &smk_revoke_subj_ops,
2208 S_IRUGO|S_IWUSR},
2209 [SMK_CHANGE_RULE] = {
2210 "change-rule", &smk_change_rule_ops, S_IRUGO|S_IWUSR},
2211 /* last one */
2212 {""}
2213 };
2214
2215 rc = simple_fill_super(sb, SMACK_MAGIC, smack_files);
2216 if (rc != 0) {
2217 printk(KERN_ERR "%s failed %d while creating inodes\n",
2218 __func__, rc);
2219 return rc;
2220 }
2221
2222 root_inode = sb->s_root->d_inode;
2223
2224 return 0;
2225 }
2226
2227 /**
2228 * smk_mount - get the smackfs superblock
2229 * @fs_type: passed along without comment
2230 * @flags: passed along without comment
2231 * @dev_name: passed along without comment
2232 * @data: passed along without comment
2233 *
2234 * Just passes everything along.
2235 *
2236 * Returns what the lower level code does.
2237 */
2238 static struct dentry *smk_mount(struct file_system_type *fs_type,
2239 int flags, const char *dev_name, void *data)
2240 {
2241 return mount_single(fs_type, flags, data, smk_fill_super);
2242 }
2243
2244 static struct file_system_type smk_fs_type = {
2245 .name = "smackfs",
2246 .mount = smk_mount,
2247 .kill_sb = kill_litter_super,
2248 };
2249
2250 static struct vfsmount *smackfs_mount;
2251
2252 static int __init smk_preset_netlabel(struct smack_known *skp)
2253 {
2254 skp->smk_netlabel.domain = skp->smk_known;
2255 skp->smk_netlabel.flags =
2256 NETLBL_SECATTR_DOMAIN | NETLBL_SECATTR_MLS_LVL;
2257 return smk_netlbl_mls(smack_cipso_direct, skp->smk_known,
2258 &skp->smk_netlabel, strlen(skp->smk_known));
2259 }
2260
2261 /**
2262 * init_smk_fs - get the smackfs superblock
2263 *
2264 * register the smackfs
2265 *
2266 * Do not register smackfs if Smack wasn't enabled
2267 * on boot. We can not put this method normally under the
2268 * smack_init() code path since the security subsystem get
2269 * initialized before the vfs caches.
2270 *
2271 * Returns true if we were not chosen on boot or if
2272 * we were chosen and filesystem registration succeeded.
2273 */
2274 static int __init init_smk_fs(void)
2275 {
2276 int err;
2277 int rc;
2278
2279 if (!security_module_enable(&smack_ops))
2280 return 0;
2281
2282 err = smk_init_sysfs();
2283 if (err)
2284 printk(KERN_ERR "smackfs: sysfs mountpoint problem.\n");
2285
2286 err = register_filesystem(&smk_fs_type);
2287 if (!err) {
2288 smackfs_mount = kern_mount(&smk_fs_type);
2289 if (IS_ERR(smackfs_mount)) {
2290 printk(KERN_ERR "smackfs: could not mount!\n");
2291 err = PTR_ERR(smackfs_mount);
2292 smackfs_mount = NULL;
2293 }
2294 }
2295
2296 smk_cipso_doi();
2297 smk_unlbl_ambient(NULL);
2298
2299 rc = smk_preset_netlabel(&smack_known_floor);
2300 if (err == 0 && rc < 0)
2301 err = rc;
2302 rc = smk_preset_netlabel(&smack_known_hat);
2303 if (err == 0 && rc < 0)
2304 err = rc;
2305 rc = smk_preset_netlabel(&smack_known_huh);
2306 if (err == 0 && rc < 0)
2307 err = rc;
2308 rc = smk_preset_netlabel(&smack_known_invalid);
2309 if (err == 0 && rc < 0)
2310 err = rc;
2311 rc = smk_preset_netlabel(&smack_known_star);
2312 if (err == 0 && rc < 0)
2313 err = rc;
2314 rc = smk_preset_netlabel(&smack_known_web);
2315 if (err == 0 && rc < 0)
2316 err = rc;
2317
2318 return err;
2319 }
2320
2321 __initcall(init_smk_fs);
(deprecated) Btrfs devel tree