From 4ca165fc6c49c3b0100f61524ffbca4743d46e8d Mon Sep 17 00:00:00 2001 From: Lontke Michael Date: Wed, 31 Aug 2022 14:03:26 +0200 Subject: SMACK: Add sk_clone_security LSM hook Using smk_of_current() during sk_alloc_security hook leads in rare cases to a faulty initialization of the security context of the created socket. By adding the LSM hook sk_clone_security to SMACK this initialization fault is corrected by copying the security context of the old socket pointer to the newly cloned one. Co-authored-by: Martin Ostertag: Signed-off-by: Lontke Michael Signed-off-by: Casey Schaufler --- security/smack/smack_lsm.c | 16 ++++++++++++++++ 1 file changed, 16 insertions(+) (limited to 'security') diff --git a/security/smack/smack_lsm.c b/security/smack/smack_lsm.c index 001831458fa2..077bf6fd569b 100644 --- a/security/smack/smack_lsm.c +++ b/security/smack/smack_lsm.c @@ -2278,6 +2278,21 @@ static void smack_sk_free_security(struct sock *sk) kfree(sk->sk_security); } +/** + * smack_sk_clone_security - Copy security context + * @sk: the old socket + * @newsk: the new socket + * + * Copy the security context of the old socket pointer to the cloned + */ +static void smack_sk_clone_security(const struct sock *sk, struct sock *newsk) +{ + struct socket_smack *ssp_old = sk->sk_security; + struct socket_smack *ssp_new = newsk->sk_security; + + *ssp_new = *ssp_old; +} + /** * smack_ipv4host_label - check host based restrictions * @sip: the object end @@ -4851,6 +4866,7 @@ static struct security_hook_list smack_hooks[] __lsm_ro_after_init = { LSM_HOOK_INIT(socket_getpeersec_dgram, smack_socket_getpeersec_dgram), LSM_HOOK_INIT(sk_alloc_security, smack_sk_alloc_security), LSM_HOOK_INIT(sk_free_security, smack_sk_free_security), + LSM_HOOK_INIT(sk_clone_security, smack_sk_clone_security), LSM_HOOK_INIT(sock_graft, smack_sock_graft), LSM_HOOK_INIT(inet_conn_request, smack_inet_conn_request), LSM_HOOK_INIT(inet_csk_clone, smack_inet_csk_clone), -- cgit v1.2.3-58-ga151 From d3f84f5c9627576b555976c7584514a2ca3ed02e Mon Sep 17 00:00:00 2001 From: Xu Panda Date: Mon, 12 Sep 2022 10:05:36 +0000 Subject: smack: lsm: remove the unneeded result variable Return the value smk_ptrace_rule_check() directly instead of storing it in another redundant variable. Reported-by: Zeal Robot Signed-off-by: Xu Panda Signed-off-by: Casey Schaufler --- security/smack/smack_lsm.c | 4 +--- 1 file changed, 1 insertion(+), 3 deletions(-) (limited to 'security') diff --git a/security/smack/smack_lsm.c b/security/smack/smack_lsm.c index 077bf6fd569b..de7db0b18cd5 100644 --- a/security/smack/smack_lsm.c +++ b/security/smack/smack_lsm.c @@ -496,13 +496,11 @@ static int smack_ptrace_access_check(struct task_struct *ctp, unsigned int mode) */ static int smack_ptrace_traceme(struct task_struct *ptp) { - int rc; struct smack_known *skp; skp = smk_of_task(smack_cred(current_cred())); - rc = smk_ptrace_rule_check(ptp, skp, PTRACE_MODE_ATTACH, __func__); - return rc; + return smk_ptrace_rule_check(ptp, skp, PTRACE_MODE_ATTACH, __func__); } /** -- cgit v1.2.3-58-ga151 From cc71271f5b793d619f8a7d2ef905374102533c75 Mon Sep 17 00:00:00 2001 From: Xiu Jianfeng Date: Thu, 8 Sep 2022 18:35:43 +0800 Subject: smack: cleanup obsolete mount option flags These mount option flags are obsolete since commit 12085b14a444 ("smack: switch to private smack_mnt_opts"), remove them. Signed-off-by: Xiu Jianfeng Signed-off-by: Casey Schaufler --- security/smack/smack.h | 9 --------- 1 file changed, 9 deletions(-) (limited to 'security') diff --git a/security/smack/smack.h b/security/smack/smack.h index fc837dcebf96..e2239be7bd60 100644 --- a/security/smack/smack.h +++ b/security/smack/smack.h @@ -180,15 +180,6 @@ struct smack_known_list_elem { struct smack_known *smk_label; }; -/* Super block security struct flags for mount options */ -#define FSDEFAULT_MNT 0x01 -#define FSFLOOR_MNT 0x02 -#define FSHAT_MNT 0x04 -#define FSROOT_MNT 0x08 -#define FSTRANS_MNT 0x10 - -#define NUM_SMK_MNT_OPTS 5 - enum { Opt_error = -1, Opt_fsdefault = 0, -- cgit v1.2.3-58-ga151