Lines Matching +full:srp +full:- +full:capable

1 // SPDX-License-Identifier: GPL-2.0-only
3 * Copyright (C) 2007 Casey Schaufler <casey@schaufler-ca.com>
6 * Casey Schaufler <casey@schaufler-ca.com>
38 SMK_CIPSO = 4, /* load label -> CIPSO mapping */
43 SMK_ONLYCAP = 9, /* the only "capable" label */
51 SMK_CIPSO2 = 17, /* load long label -> CIPSO mapping */
52 SMK_REVOKE_SUBJ = 18, /* set rules with subject label to '-' */
99 * debugging and application bring-up purposes only.
162 #define SMK_OACCESSLEN (sizeof(SMK_OACCESS) - 1)
163 #define SMK_ACCESSLEN (sizeof(SMK_ACCESS) - 1)
176 catsetp[(cat - 1) / 8] |= 0x80 >> ((cat - 1) % 8); in smack_catset_bit()
180 * smk_netlabel_audit_set - fill a netlbl_audit struct
185 nap->loginuid = audit_get_loginuid(current); in smk_netlabel_audit_set()
186 nap->sessionid = audit_get_sessionid(current); in smk_netlabel_audit_set()
187 nap->prop.smack.skp = smk_of_current(); in smk_netlabel_audit_set()
197 * smk_set_access - add a rule to the rule list or replace an old rule
198 * @srp: the rule to add or replace
207 * Returns 0 if nothing goes wrong or -ENOMEM if it fails
210 static int smk_set_access(struct smack_parsed_rule *srp, in smk_set_access() argument
225 if (sp->smk_object == srp->smk_object && in smk_set_access()
226 sp->smk_subject == srp->smk_subject) { in smk_set_access()
228 sp->smk_access |= srp->smk_access1; in smk_set_access()
229 sp->smk_access &= ~srp->smk_access2; in smk_set_access()
237 rc = -ENOMEM; in smk_set_access()
241 sp->smk_subject = srp->smk_subject; in smk_set_access()
242 sp->smk_object = srp->smk_object; in smk_set_access()
243 sp->smk_access = srp->smk_access1 & ~srp->smk_access2; in smk_set_access()
245 list_add_rcu(&sp->list, rule_list); in smk_set_access()
254 * smk_perm_from_str - parse smack accesses from a text string
266 case '-': in smk_perm_from_str()
302 * smk_fill_rule - Fill Smack rule from strings
308 * @import: if non-zero, import labels
322 rule->smk_subject = smk_import_entry(subject, len); in smk_fill_rule()
323 if (IS_ERR(rule->smk_subject)) in smk_fill_rule()
324 return PTR_ERR(rule->smk_subject); in smk_fill_rule()
326 rule->smk_object = smk_import_entry(object, len); in smk_fill_rule()
327 if (IS_ERR(rule->smk_object)) in smk_fill_rule()
328 return PTR_ERR(rule->smk_object); in smk_fill_rule()
336 return -ENOENT; in smk_fill_rule()
337 rule->smk_subject = skp; in smk_fill_rule()
345 return -ENOENT; in smk_fill_rule()
346 rule->smk_object = skp; in smk_fill_rule()
349 rule->smk_access1 = smk_perm_from_str(access1); in smk_fill_rule()
351 rule->smk_access2 = smk_perm_from_str(access2); in smk_fill_rule()
353 rule->smk_access2 = ~rule->smk_access1; in smk_fill_rule()
359 * smk_parse_rule - parse Smack rule from load string
362 * @import: if non-zero, import labels
364 * Returns 0 on success, -1 on errors.
378 * smk_parse_long_rule - parse Smack rule from rule string
381 * @import: if non-zero, import labels
384 * Returns number of processed bytes on success, -ERRNO on failure.
395 * Parsing the rule in-place, filling all white-spaces with '\0' in smk_parse_long_rule()
403 return -EINVAL; in smk_parse_long_rule()
424 * smk_write_rules_list - write() for any /smack rule file
428 * @ppos: where to start - must be 0
431 * @format: /smack/load or /smack/load2 or /smack/change-rule format.
459 return -EINVAL; in smk_write_rules_list()
466 return -EINVAL; in smk_write_rules_list()
469 count = PAGE_SIZE - 1; in smk_write_rules_list()
483 while (count > 0 && (data[count - 1] != '\n')) in smk_write_rules_list()
484 --count; in smk_write_rules_list()
486 rc = -EINVAL; in smk_write_rules_list()
504 rc = -EINVAL; in smk_write_rules_list()
511 rc = smk_set_access(&rule, &rule.smk_subject->smk_rules, in smk_write_rules_list()
512 &rule.smk_subject->smk_rules_lock); in smk_write_rules_list()
540 if (i-- == 0) in smk_seq_start()
563 static void smk_rule_show(struct seq_file *s, struct smack_rule *srp, int max) in smk_rule_show() argument
572 if (strlen(srp->smk_subject->smk_known) >= max || in smk_rule_show()
573 strlen(srp->smk_object->smk_known) >= max) in smk_rule_show()
576 if (srp->smk_access == 0) in smk_rule_show()
579 smack_str_from_perm(acc, srp->smk_access); in smk_rule_show()
581 srp->smk_subject->smk_known, in smk_rule_show()
582 srp->smk_object->smk_known, in smk_rule_show()
603 struct smack_rule *srp; in load_seq_show() local
607 list_for_each_entry_rcu(srp, &skp->smk_rules, list) in load_seq_show()
608 smk_rule_show(s, srp, SMK_LABELLEN); in load_seq_show()
621 * smk_open_load - open() for /smack/load
633 * smk_write_load - write() for /smack/load
637 * @ppos: where to start - must be 0
649 return -EPERM; in smk_write_load()
664 * smk_cipso_doi - initialize the CIPSO domain
680 doip->map.std = NULL; in smk_cipso_doi()
681 doip->doi = smk_cipso_doi_value; in smk_cipso_doi()
682 doip->type = CIPSO_V4_MAP_PASS; in smk_cipso_doi()
683 doip->tags[0] = CIPSO_V4_TAG_RBITMAP; in smk_cipso_doi()
685 doip->tags[rc] = CIPSO_V4_TAG_INVALID; in smk_cipso_doi()
694 rc = netlbl_cfg_cipsov4_map_add(doip->doi, NULL, NULL, NULL, &nai); in smk_cipso_doi()
698 netlbl_cfg_cipsov4_del(doip->doi, &nai); in smk_cipso_doi()
704 * smk_unlbl_ambient - initialize the unlabeled domain
723 rc = netlbl_cfg_unlbl_map_add(smack_net_ambient->smk_known, PF_INET, in smk_unlbl_ambient()
753 struct netlbl_lsm_catmap *cmp = skp->smk_netlabel.attr.mls.cat; in cipso_seq_show()
765 if (strlen(skp->smk_known) >= SMK_LABELLEN) in cipso_seq_show()
768 seq_printf(s, "%s %3d", skp->smk_known, skp->smk_netlabel.attr.mls.lvl); in cipso_seq_show()
789 * smk_open_cipso - open() for /smack/cipso
802 * smk_set_cipso - do the work for write() for cipso and cipso2
822 ssize_t rc = -EINVAL; in smk_set_cipso()
834 return -EPERM; in smk_set_cipso()
836 return -EINVAL; in smk_set_cipso()
839 return -EINVAL; in smk_set_cipso()
841 return -EINVAL; in smk_set_cipso()
863 rule += strlen(skp->smk_known) + 1; in smk_set_cipso()
866 rc = -EOVERFLOW; in smk_set_cipso()
876 rc = -EOVERFLOW; in smk_set_cipso()
893 rc = -EOVERFLOW; in smk_set_cipso()
908 new_cat->next = ncats.attr.mls.cat; in smk_set_cipso()
910 skp->smk_netlabel.flags &= ~(1U << 3); in smk_set_cipso()
916 old_cat = skp->smk_netlabel.attr.mls.cat; in smk_set_cipso()
917 rcu_assign_pointer(skp->smk_netlabel.attr.mls.cat, ncats.attr.mls.cat); in smk_set_cipso()
918 skp->smk_netlabel.attr.mls.lvl = ncats.attr.mls.lvl; in smk_set_cipso()
935 * smk_write_cipso - write() for /smack/cipso
971 struct netlbl_lsm_catmap *cmp = skp->smk_netlabel.attr.mls.cat; in cipso2_seq_show()
975 seq_printf(s, "%s %3d", skp->smk_known, skp->smk_netlabel.attr.mls.lvl); in cipso2_seq_show()
996 * smk_open_cipso2 - open() for /smack/cipso2
1009 * smk_write_cipso2 - write() for /smack/cipso2
1056 if (skp->smk_label != NULL) in net4addr_seq_show()
1057 kp = skp->smk_label->smk_known; in net4addr_seq_show()
1058 seq_printf(s, "%pI4/%d %s\n", &skp->smk_host.s_addr, in net4addr_seq_show()
1059 skp->smk_masks, kp); in net4addr_seq_show()
1072 * smk_open_net4addr - open() for /smack/netlabel
1099 list_add_rcu(&new->list, &smk_net4addr_list); in smk_net4addr_insert()
1107 if (new->smk_masks > m->smk_masks) { in smk_net4addr_insert()
1108 list_add_rcu(&new->list, &smk_net4addr_list); in smk_net4addr_insert()
1113 if (list_is_last(&m->list, &smk_net4addr_list)) { in smk_net4addr_insert()
1114 list_add_rcu(&new->list, &m->list); in smk_net4addr_insert()
1117 m_next = list_entry_rcu(m->list.next, in smk_net4addr_insert()
1119 if (new->smk_masks > m_next->smk_masks) { in smk_net4addr_insert()
1120 list_add_rcu(&new->list, &m->list); in smk_net4addr_insert()
1128 * smk_write_net4addr - write() for /smack/netlabel
1164 return -EPERM; in smk_write_net4addr()
1166 return -EINVAL; in smk_write_net4addr()
1167 if (count < SMK_NETLBLADDRMIN || count > PAGE_SIZE - 1) in smk_write_net4addr()
1168 return -EINVAL; in smk_write_net4addr()
1176 rc = -ENOMEM; in smk_write_net4addr()
1186 rc = -EINVAL; in smk_write_net4addr()
1192 rc = -EINVAL; in smk_write_net4addr()
1197 * If smack begins with '-', it is an option, don't import it in smk_write_net4addr()
1199 if (smack[0] != '-') { in smk_write_net4addr()
1207 * Only the -CIPSO option is supported for IPv4 in smk_write_net4addr()
1210 rc = -EINVAL; in smk_write_net4addr()
1215 for (m = masks, temp_mask = 0; m > 0; m--) { in smk_write_net4addr()
1232 if (snp->smk_host.s_addr == nsa && snp->smk_masks == masks) { in smk_write_net4addr()
1242 rc = -ENOMEM; in smk_write_net4addr()
1245 snp->smk_host.s_addr = newname.sin_addr.s_addr; in smk_write_net4addr()
1246 snp->smk_mask.s_addr = mask.s_addr; in smk_write_net4addr()
1247 snp->smk_label = skp; in smk_write_net4addr()
1248 snp->smk_masks = masks; in smk_write_net4addr()
1256 if (snp->smk_label != NULL) in smk_write_net4addr()
1258 &snp->smk_host, &snp->smk_mask, in smk_write_net4addr()
1262 snp->smk_label = skp; in smk_write_net4addr()
1272 &snp->smk_host, &snp->smk_mask, PF_INET, in smk_write_net4addr()
1273 snp->smk_label->smk_secid, &audit_info); in smk_write_net4addr()
1320 if (skp->smk_label != NULL) in net6addr_seq_show()
1321 seq_printf(s, "%pI6/%d %s\n", &skp->smk_host, skp->smk_masks, in net6addr_seq_show()
1322 skp->smk_label->smk_known); in net6addr_seq_show()
1335 * smk_open_net6addr - open() for /smack/netlabel
1362 list_add_rcu(&new->list, &smk_net6addr_list); in smk_net6addr_insert()
1369 if (new->smk_masks > m->smk_masks) { in smk_net6addr_insert()
1370 list_add_rcu(&new->list, &smk_net6addr_list); in smk_net6addr_insert()
1375 if (list_is_last(&m->list, &smk_net6addr_list)) { in smk_net6addr_insert()
1376 list_add_rcu(&new->list, &m->list); in smk_net6addr_insert()
1379 m_next = list_entry_rcu(m->list.next, in smk_net6addr_insert()
1381 if (new->smk_masks > m_next->smk_masks) { in smk_net6addr_insert()
1382 list_add_rcu(&new->list, &m->list); in smk_net6addr_insert()
1390 * smk_write_net6addr - write() for /smack/netlabel
1423 return -EPERM; in smk_write_net6addr()
1425 return -EINVAL; in smk_write_net6addr()
1426 if (count < SMK_NETLBLADDRMIN || count > PAGE_SIZE - 1) in smk_write_net6addr()
1427 return -EINVAL; in smk_write_net6addr()
1435 rc = -ENOMEM; in smk_write_net6addr()
1449 rc = -EINVAL; in smk_write_net6addr()
1454 rc = -EINVAL; in smk_write_net6addr()
1459 rc = -EINVAL; in smk_write_net6addr()
1466 * If smack begins with '-', it is an option, don't import it in smk_write_net6addr()
1468 if (smack[0] != '-') { in smk_write_net6addr()
1476 * Only -DELETE is supported for IPv6 in smk_write_net6addr()
1479 rc = -EINVAL; in smk_write_net6addr()
1487 m -= 16; in smk_write_net6addr()
1489 fullmask.s6_addr16[i] = (1 << m) - 1; in smk_write_net6addr()
1505 if (mask != snp->smk_masks) in smk_write_net6addr()
1509 snp->smk_host.s6_addr16[i]) { in smk_write_net6addr()
1520 rc = -ENOMEM; in smk_write_net6addr()
1522 snp->smk_host = newname; in smk_write_net6addr()
1523 snp->smk_mask = fullmask; in smk_write_net6addr()
1524 snp->smk_masks = mask; in smk_write_net6addr()
1525 snp->smk_label = skp; in smk_write_net6addr()
1529 snp->smk_label = skp; in smk_write_net6addr()
1555 * smk_read_doi - read() for /smack/doi
1579 * smk_write_doi - write() for /smack/doi
1594 return -EPERM; in smk_write_doi()
1597 return -EINVAL; in smk_write_doi()
1600 return -EFAULT; in smk_write_doi()
1605 return -EINVAL; in smk_write_doi()
1621 * smk_read_direct - read() for /smack/direct
1645 * smk_write_direct - write() for /smack/direct
1661 return -EPERM; in smk_write_direct()
1664 return -EINVAL; in smk_write_direct()
1667 return -EFAULT; in smk_write_direct()
1672 return -EINVAL; in smk_write_direct()
1682 if (skp->smk_netlabel.attr.mls.lvl == in smk_write_direct()
1684 skp->smk_netlabel.attr.mls.lvl = i; in smk_write_direct()
1699 * smk_read_mapped - read() for /smack/mapped
1723 * smk_write_mapped - write() for /smack/mapped
1739 return -EPERM; in smk_write_mapped()
1742 return -EINVAL; in smk_write_mapped()
1745 return -EFAULT; in smk_write_mapped()
1750 return -EINVAL; in smk_write_mapped()
1760 if (skp->smk_netlabel.attr.mls.lvl == in smk_write_mapped()
1762 skp->smk_netlabel.attr.mls.lvl = i; in smk_write_mapped()
1777 * smk_read_ambient - read() for /smack/ambient
1799 asize = strlen(smack_net_ambient->smk_known) + 1; in smk_read_ambient()
1803 smack_net_ambient->smk_known, in smk_read_ambient()
1806 rc = -EINVAL; in smk_read_ambient()
1814 * smk_write_ambient - write() for /smack/ambient
1831 return -EPERM; in smk_write_ambient()
1835 return -EINVAL; in smk_write_ambient()
1849 oldambient = smack_net_ambient->smk_known; in smk_write_ambient()
1885 seq_puts(s, sklep->smk_label->smk_known); in onlycap_seq_show()
1904 * smk_list_swap_rcu - swap public list with a private one in RCU-safe way
1921 first = public->next; in smk_list_swap_rcu()
1922 last = public->prev; in smk_list_swap_rcu()
1924 /* Publish private list in place of public in RCU-safe way */ in smk_list_swap_rcu()
1925 private->prev->next = public; in smk_list_swap_rcu()
1926 private->next->prev = public; in smk_list_swap_rcu()
1927 rcu_assign_pointer(public->next, private->next); in smk_list_swap_rcu()
1928 public->prev = private->prev; in smk_list_swap_rcu()
1934 private->next = first; in smk_list_swap_rcu()
1935 private->prev = last; in smk_list_swap_rcu()
1936 first->prev = private; in smk_list_swap_rcu()
1937 last->next = private; in smk_list_swap_rcu()
1942 * smk_parse_label_list - parse list of Smack labels, separated by spaces
1965 return -ENOMEM; in smk_parse_label_list()
1967 sklep->smk_label = skp; in smk_parse_label_list()
1968 list_add(&sklep->list, list); in smk_parse_label_list()
1975 * smk_destroy_label_list - destroy a list of smack_known_list_elem
1990 * smk_write_onlycap - write() for smackfs/onlycap
2006 return -EPERM; in smk_write_onlycap()
2009 return -EINVAL; in smk_write_onlycap()
2022 * Importing will also reject a label beginning with '-', in smk_write_onlycap()
2023 * so "-usecapabilities" will also work. in smk_write_onlycap()
2028 if (!rc || (rc == -EINVAL && list_empty(&list_tmp))) { in smk_write_onlycap()
2050 * smk_read_unconfined - read() for smackfs/unconfined
2062 ssize_t rc = -EINVAL; in smk_read_unconfined()
2069 smack = smack_unconfined->smk_known; in smk_read_unconfined()
2080 * smk_write_unconfined - write() for smackfs/unconfined
2096 return -EPERM; in smk_write_unconfined()
2099 return -EINVAL; in smk_write_unconfined()
2109 * Importing will also reject a label beginning with '-', in smk_write_unconfined()
2110 * so "-confine" will also work. in smk_write_unconfined()
2115 if (PTR_ERR(skp) == -EINVAL) in smk_write_unconfined()
2137 * smk_read_logging - read() for /smack/logging
2160 * smk_write_logging - write() for /smack/logging
2175 return -EPERM; in smk_write_logging()
2178 return -EINVAL; in smk_write_logging()
2181 return -EFAULT; in smk_write_logging()
2186 return -EINVAL; in smk_write_logging()
2188 return -EINVAL; in smk_write_logging()
2202 * Seq_file read operations for /smack/load-self
2209 return smk_seq_start(s, pos, &tsp->smk_rules); in load_self_seq_start()
2216 return smk_seq_next(s, v, pos, &tsp->smk_rules); in load_self_seq_next()
2222 struct smack_rule *srp = in load_self_seq_show() local
2225 smk_rule_show(s, srp, SMK_LABELLEN); in load_self_seq_show()
2239 * smk_open_load_self - open() for /smack/load-self
2251 * smk_write_load_self - write() for /smack/load-self
2255 * @ppos: where to start - must be 0
2263 return smk_write_rules_list(file, buf, count, ppos, &tsp->smk_rules, in smk_write_load_self()
2264 &tsp->smk_rules_lock, SMK_FIXED24_FMT); in smk_write_load_self()
2276 * smk_user_access - handle access check transaction
2280 * @ppos: where to start - must be 0
2281 * @format: /smack/load or /smack/load2 or /smack/change-rule format.
2296 return -EINVAL; in smk_user_access()
2300 * simple_transaction_get() returns null-terminated data in smk_user_access()
2308 else if (res != -ENOENT) in smk_user_access()
2325 * smk_write_access - handle access check transaction
2329 * @ppos: where to start - must be 0
2352 struct smack_rule *srp; in load2_seq_show() local
2356 list_for_each_entry_rcu(srp, &skp->smk_rules, list) in load2_seq_show()
2357 smk_rule_show(s, srp, SMK_LONGLABEL); in load2_seq_show()
2370 * smk_open_load2 - open() for /smack/load2
2382 * smk_write_load2 - write() for /smack/load2
2386 * @ppos: where to start - must be 0
2396 return -EPERM; in smk_write_load2()
2411 * Seq_file read operations for /smack/load-self2
2418 return smk_seq_start(s, pos, &tsp->smk_rules); in load_self2_seq_start()
2425 return smk_seq_next(s, v, pos, &tsp->smk_rules); in load_self2_seq_next()
2431 struct smack_rule *srp = in load_self2_seq_show() local
2434 smk_rule_show(s, srp, SMK_LONGLABEL); in load_self2_seq_show()
2447 * smk_open_load_self2 - open() for /smack/load-self2
2459 * smk_write_load_self2 - write() for /smack/load-self2
2463 * @ppos: where to start - must be 0
2471 return smk_write_rules_list(file, buf, count, ppos, &tsp->smk_rules, in smk_write_load_self2()
2472 &tsp->smk_rules_lock, SMK_LONG_FMT); in smk_write_load_self2()
2484 * smk_write_access2 - handle access check transaction
2488 * @ppos: where to start - must be 0
2504 * smk_write_revoke_subj - write() for /smack/revoke-subject
2508 * @ppos: where to start - must be 0
2522 return -EINVAL; in smk_write_revoke_subj()
2525 return -EPERM; in smk_write_revoke_subj()
2528 return -EINVAL; in smk_write_revoke_subj()
2544 rule_list = &skp->smk_rules; in smk_write_revoke_subj()
2545 rule_lock = &skp->smk_rules_lock; in smk_write_revoke_subj()
2550 sp->smk_access = 0; in smk_write_revoke_subj()
2570 * smk_init_sysfs - initialize /sys/fs/smackfs
2579 * smk_write_change_rule - write() for /smack/change-rule
2583 * @ppos: where to start - must be 0
2592 return -EPERM; in smk_write_change_rule()
2606 * smk_read_syslog - read() for smackfs/syslog
2618 ssize_t rc = -EINVAL; in smk_read_syslog()
2629 asize = strlen(skp->smk_known) + 1; in smk_read_syslog()
2632 rc = simple_read_from_buffer(buf, cn, ppos, skp->smk_known, in smk_read_syslog()
2639 * smk_write_syslog - write() for smackfs/syslog
2655 return -EPERM; in smk_write_syslog()
2659 return -EINVAL; in smk_write_syslog()
2682 * Seq_file read operations for /smack/relabel-self
2689 return smk_seq_start(s, pos, &tsp->smk_relabel); in relabel_self_seq_start()
2696 return smk_seq_next(s, v, pos, &tsp->smk_relabel); in relabel_self_seq_next()
2705 seq_puts(s, sklep->smk_label->smk_known); in relabel_self_seq_show()
2719 * smk_open_relabel_self - open() for /smack/relabel-self
2721 * @file: "relabel-self" file pointer
2723 * Connect our relabel_self_seq_* operations with /smack/relabel-self
2732 * smk_write_relabel_self - write() for /smack/relabel-self
2736 * @ppos: where to start - must be 0
2750 return -EPERM; in smk_write_relabel_self()
2757 return -EINVAL; in smk_write_relabel_self()
2759 return -EINVAL; in smk_write_relabel_self()
2768 if (!rc || (rc == -EINVAL && list_empty(&list_tmp))) { in smk_write_relabel_self()
2774 rc = -ENOMEM; in smk_write_relabel_self()
2778 smk_destroy_label_list(&tsp->smk_relabel); in smk_write_relabel_self()
2779 list_splice(&list_tmp, &tsp->smk_relabel); in smk_write_relabel_self()
2797 * smk_read_ptrace - read() for /smack/ptrace
2820 * smk_write_ptrace - write() for /smack/ptrace
2824 * @ppos: where to start - must be 0
2833 return -EPERM; in smk_write_ptrace()
2836 return -EINVAL; in smk_write_ptrace()
2839 return -EFAULT; in smk_write_ptrace()
2844 return -EINVAL; in smk_write_ptrace()
2846 return -EINVAL; in smk_write_ptrace()
2859 * smk_fill_super - fill the smackfs superblock
2889 "load-self", &smk_load_self_ops, S_IRUGO|S_IWUGO}, in smk_fill_super()
2897 "load-self2", &smk_load_self2_ops, S_IRUGO|S_IWUGO}, in smk_fill_super()
2903 "revoke-subject", &smk_revoke_subj_ops, in smk_fill_super()
2906 "change-rule", &smk_change_rule_ops, S_IRUGO|S_IWUSR}, in smk_fill_super()
2920 "relabel-self", &smk_relabel_self_ops, in smk_fill_super()
2937 * smk_get_tree - get the smackfs superblock
2954 * smk_init_fs_context - Initialise a filesystem context for smackfs
2959 fc->ops = &smk_context_ops; in smk_init_fs_context()
2972 * init_smk_fs - get the smackfs superblock