From 2e08fb550a2d1017052685a27691911a633c1771 Mon Sep 17 00:00:00 2001 From: Xiong Zhenwu Date: Thu, 18 Mar 2021 04:04:31 -0700 Subject: security/smack/: fix misspellings using codespell tool A typo is found out by codespell tool in 383th line of smackfs.c: $ codespell ./security/smack/ ./smackfs.c:383: numer ==> number Fix a typo found by codespell. Signed-off-by: Xiong Zhenwu Signed-off-by: Casey Schaufler --- security/smack/smackfs.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/security/smack/smackfs.c b/security/smack/smackfs.c index 22ded2c26089..66f3c539d504 100644 --- a/security/smack/smackfs.c +++ b/security/smack/smackfs.c @@ -380,7 +380,7 @@ static int smk_parse_rule(const char *data, struct smack_parsed_rule *rule, * @data: string to be parsed, null terminated * @rule: Will be filled with Smack parsed rule * @import: if non-zero, import labels - * @tokens: numer of substrings expected in data + * @tokens: number of substrings expected in data * * Returns number of processed bytes on success, -ERRNO on failure. */ -- cgit v1.2.3-58-ga151 From 49ec114a6e62d8d320037ce71c1aaf9650b3cafd Mon Sep 17 00:00:00 2001 From: Tetsuo Handa Date: Mon, 12 Apr 2021 22:45:50 +0900 Subject: smackfs: restrict bytes count in smk_set_cipso() Oops, I failed to update subject line. From 07571157c91b98ce1a4aa70967531e64b78e8346 Mon Sep 17 00:00:00 2001 From: Tetsuo Handa Date: Mon, 12 Apr 2021 22:25:06 +0900 Subject: [PATCH] smackfs: restrict bytes count in smk_set_cipso() Commit 7ef4c19d245f3dc2 ("smackfs: restrict bytes count in smackfs write functions") missed that count > SMK_CIPSOMAX check applies to only format == SMK_FIXED24_FMT case. Reported-by: syzbot Signed-off-by: Tetsuo Handa Signed-off-by: Casey Schaufler --- security/smack/smackfs.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/security/smack/smackfs.c b/security/smack/smackfs.c index 66f3c539d504..3a75d2a8f517 100644 --- a/security/smack/smackfs.c +++ b/security/smack/smackfs.c @@ -855,6 +855,8 @@ static ssize_t smk_set_cipso(struct file *file, const char __user *buf, if (format == SMK_FIXED24_FMT && (count < SMK_CIPSOMIN || count > SMK_CIPSOMAX)) return -EINVAL; + if (count > PAGE_SIZE) + return -EINVAL; data = memdup_user_nul(buf, count); if (IS_ERR(data)) -- cgit v1.2.3-58-ga151 From 0169d8f33ab7a58675a94c18122dba58d8f6a1b8 Mon Sep 17 00:00:00 2001 From: Jens Axboe Date: Thu, 25 Mar 2021 18:42:50 -0600 Subject: Revert "Smack: Handle io_uring kernel thread privileges" This reverts commit 942cb357ae7d9249088e3687ee6a00ed2745a0c7. The io_uring PF_IO_WORKER threads no longer have PF_KTHREAD set, so no need to special case them for credential checks. Cc: Casey Schaufler Signed-off-by: Jens Axboe Signed-off-by: Casey Schaufler --- security/smack/smack_access.c | 5 ++--- 1 file changed, 2 insertions(+), 3 deletions(-) diff --git a/security/smack/smack_access.c b/security/smack/smack_access.c index 7eabb448acab..efe2406a3960 100644 --- a/security/smack/smack_access.c +++ b/security/smack/smack_access.c @@ -688,10 +688,9 @@ bool smack_privileged_cred(int cap, const struct cred *cred) bool smack_privileged(int cap) { /* - * Kernel threads may not have credentials we can use. - * The io_uring kernel threads do have reliable credentials. + * All kernel tasks are privileged */ - if ((current->flags & (PF_KTHREAD | PF_IO_WORKER)) == PF_KTHREAD) + if (unlikely(current->flags & PF_KTHREAD)) return true; return smack_privileged_cred(cap, current_cred()); -- cgit v1.2.3-58-ga151 From fe6bde732be8c4711a878b11491d9a2749b03909 Mon Sep 17 00:00:00 2001 From: ChenXiaoSong Date: Mon, 7 Jun 2021 11:52:01 +0800 Subject: Smack: fix doc warning Fix gcc W=1 warning: security/smack/smack_access.c:342: warning: Function parameter or member 'ad' not described in 'smack_log' security/smack/smack_access.c:403: warning: Function parameter or member 'skp' not described in 'smk_insert_entry' security/smack/smack_access.c:487: warning: Function parameter or member 'level' not described in 'smk_netlbl_mls' security/smack/smack_access.c:487: warning: Function parameter or member 'len' not described in 'smk_netlbl_mls' Signed-off-by: ChenXiaoSong Signed-off-by: Casey Schaufler --- security/smack/smack_access.c | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/security/smack/smack_access.c b/security/smack/smack_access.c index efe2406a3960..1f391f6a3d47 100644 --- a/security/smack/smack_access.c +++ b/security/smack/smack_access.c @@ -332,7 +332,7 @@ static void smack_log_callback(struct audit_buffer *ab, void *a) * @object_label : smack label of the object being accessed * @request: requested permissions * @result: result from smk_access - * @a: auxiliary audit data + * @ad: auxiliary audit data * * Audit the granting or denial of permissions in accordance * with the policy. @@ -396,6 +396,7 @@ struct hlist_head smack_known_hash[SMACK_HASH_SLOTS]; /** * smk_insert_entry - insert a smack label into a hash map, + * @skp: smack label * * this function must be called under smack_known_lock */ @@ -476,8 +477,10 @@ char *smk_parse_smack(const char *string, int len) /** * smk_netlbl_mls - convert a catset to netlabel mls categories + * @level: MLS sensitivity level * @catset: the Smack categories * @sap: where to put the netlabel categories + * @len: number of bytes for the levels in a CIPSO IP option * * Allocates and fills attr.mls * Returns 0 on success, error code on failure. -- cgit v1.2.3-58-ga151