2 * Copyright (C) 2007 Casey Schaufler <casey@schaufler-ca.com>
4 * This program is free software; you can redistribute it and/or modify
5 * it under the terms of the GNU General Public License as published by
6 * the Free Software Foundation, version 2.
9 * Casey Schaufler <casey@schaufler-ca.com>
10 * Ahmed S. Darwish <darwish.07@gmail.com>
12 * Special thanks to the authors of selinuxfs.
14 * Karl MacMillan <kmacmillan@tresys.com>
15 * James Morris <jmorris@redhat.com>
19 #include <linux/kernel.h>
20 #include <linux/vmalloc.h>
21 #include <linux/security.h>
22 #include <linux/mutex.h>
23 #include <linux/slab.h>
24 #include <net/net_namespace.h>
25 #include <net/cipso_ipv4.h>
26 #include <linux/seq_file.h>
27 #include <linux/ctype.h>
28 #include <linux/audit.h>
29 #include <linux/magic.h>
32 #define BEBITS (sizeof(__be32) * 8)
34 * smackfs pseudo filesystem.
39 SMK_LOAD = 3, /* load policy */
40 SMK_CIPSO = 4, /* load label -> CIPSO mapping */
41 SMK_DOI = 5, /* CIPSO DOI */
42 SMK_DIRECT = 6, /* CIPSO level indicating direct label */
43 SMK_AMBIENT = 7, /* internet ambient label */
44 SMK_NET4ADDR = 8, /* single label hosts */
45 SMK_ONLYCAP = 9, /* the only "capable" label */
46 SMK_LOGGING = 10, /* logging */
47 SMK_LOAD_SELF = 11, /* task specific rules */
48 SMK_ACCESSES = 12, /* access policy */
49 SMK_MAPPED = 13, /* CIPSO level indicating mapped label */
50 SMK_LOAD2 = 14, /* load policy with long labels */
51 SMK_LOAD_SELF2 = 15, /* load task specific rules with long labels */
52 SMK_ACCESS2 = 16, /* make an access check with long labels */
53 SMK_CIPSO2 = 17, /* load long label -> CIPSO mapping */
54 SMK_REVOKE_SUBJ = 18, /* set rules with subject label to '-' */
55 SMK_CHANGE_RULE = 19, /* change or add rules (long labels) */
56 SMK_SYSLOG = 20, /* change syslog label) */
57 SMK_PTRACE = 21, /* set ptrace rule */
58 #ifdef CONFIG_SECURITY_SMACK_BRINGUP
59 SMK_UNCONFINED = 22, /* define an unconfined label */
61 #if IS_ENABLED(CONFIG_IPV6)
62 SMK_NET6ADDR = 23, /* single label IPv6 hosts */
63 #endif /* CONFIG_IPV6 */
64 SMK_RELABEL_SELF = 24, /* relabel possible without CAP_MAC_ADMIN */
70 static DEFINE_MUTEX(smack_cipso_lock);
71 static DEFINE_MUTEX(smack_ambient_lock);
72 static DEFINE_MUTEX(smk_net4addr_lock);
73 #if IS_ENABLED(CONFIG_IPV6)
74 static DEFINE_MUTEX(smk_net6addr_lock);
75 #endif /* CONFIG_IPV6 */
78 * This is the "ambient" label for network traffic.
79 * If it isn't somehow marked, use this.
80 * It can be reset via smackfs/ambient
82 struct smack_known *smack_net_ambient;
85 * This is the level in a CIPSO header that indicates a
86 * smack label is contained directly in the category set.
87 * It can be reset via smackfs/direct
89 int smack_cipso_direct = SMACK_CIPSO_DIRECT_DEFAULT;
92 * This is the level in a CIPSO header that indicates a
93 * secid is contained directly in the category set.
94 * It can be reset via smackfs/mapped
96 int smack_cipso_mapped = SMACK_CIPSO_MAPPED_DEFAULT;
98 #ifdef CONFIG_SECURITY_SMACK_BRINGUP
100 * Allow one label to be unconfined. This is for
101 * debugging and application bring-up purposes only.
102 * It is bad and wrong, but everyone seems to expect
105 struct smack_known *smack_unconfined;
109 * If this value is set restrict syslog use to the label specified.
110 * It can be reset via smackfs/syslog
112 struct smack_known *smack_syslog_label;
115 * Ptrace current rule
116 * SMACK_PTRACE_DEFAULT regular smack ptrace rules (/proc based)
117 * SMACK_PTRACE_EXACT labels must match, but can be overriden with
119 * SMACK_PTRACE_DRACONIAN lables must match, CAP_SYS_PTRACE has no effect
121 int smack_ptrace_rule = SMACK_PTRACE_DEFAULT;
124 * Certain IP addresses may be designated as single label hosts.
125 * Packets are sent there unlabeled, but only from tasks that
126 * can write to the specified label.
129 LIST_HEAD(smk_net4addr_list);
130 #if IS_ENABLED(CONFIG_IPV6)
131 LIST_HEAD(smk_net6addr_list);
132 #endif /* CONFIG_IPV6 */
135 * Rule lists are maintained for each label.
136 * This master list is just for reading /smack/load and /smack/load2.
138 struct smack_master_list {
139 struct list_head list;
140 struct smack_rule *smk_rule;
143 static LIST_HEAD(smack_rule_list);
145 struct smack_parsed_rule {
146 struct smack_known *smk_subject;
147 struct smack_known *smk_object;
152 static int smk_cipso_doi_value = SMACK_CIPSO_DOI_DEFAULT;
155 * Values for parsing cipso rules
156 * SMK_DIGITLEN: Length of a digit field in a rule.
157 * SMK_CIPSOMIN: Minimum possible cipso rule length.
158 * SMK_CIPSOMAX: Maximum possible cipso rule length.
160 #define SMK_DIGITLEN 4
161 #define SMK_CIPSOMIN (SMK_LABELLEN + 2 * SMK_DIGITLEN)
162 #define SMK_CIPSOMAX (SMK_CIPSOMIN + SMACK_CIPSO_MAXCATNUM * SMK_DIGITLEN)
165 * Values for parsing MAC rules
166 * SMK_ACCESS: Maximum possible combination of access permissions
167 * SMK_ACCESSLEN: Maximum length for a rule access field
168 * SMK_LOADLEN: Smack rule length
170 #define SMK_OACCESS "rwxa"
171 #define SMK_ACCESS "rwxatl"
172 #define SMK_OACCESSLEN (sizeof(SMK_OACCESS) - 1)
173 #define SMK_ACCESSLEN (sizeof(SMK_ACCESS) - 1)
174 #define SMK_OLOADLEN (SMK_LABELLEN + SMK_LABELLEN + SMK_OACCESSLEN)
175 #define SMK_LOADLEN (SMK_LABELLEN + SMK_LABELLEN + SMK_ACCESSLEN)
178 * Stricly for CIPSO level manipulation.
179 * Set the category bit number in a smack label sized buffer.
181 static inline void smack_catset_bit(unsigned int cat, char *catsetp)
183 if (cat == 0 || cat > (SMK_CIPSOLEN * 8))
186 catsetp[(cat - 1) / 8] |= 0x80 >> ((cat - 1) % 8);
190 * smk_netlabel_audit_set - fill a netlbl_audit struct
191 * @nap: structure to fill
193 static void smk_netlabel_audit_set(struct netlbl_audit *nap)
195 struct smack_known *skp = smk_of_current();
197 nap->loginuid = audit_get_loginuid(current);
198 nap->sessionid = audit_get_sessionid(current);
199 nap->secid = skp->smk_secid;
203 * Value for parsing single label host rules
206 #define SMK_NETLBLADDRMIN 9
209 * smk_set_access - add a rule to the rule list or replace an old rule
210 * @srp: the rule to add or replace
211 * @rule_list: the list of rules
212 * @rule_lock: the rule list lock
213 * @global: if non-zero, indicates a global rule
215 * Looks through the current subject/object/access list for
216 * the subject/object pair and replaces the access that was
217 * there. If the pair isn't found add it with the specified
220 * Returns 0 if nothing goes wrong or -ENOMEM if it fails
221 * during the allocation of the new pair to add.
223 static int smk_set_access(struct smack_parsed_rule *srp,
224 struct list_head *rule_list,
225 struct mutex *rule_lock, int global)
227 struct smack_rule *sp;
228 struct smack_master_list *smlp;
232 mutex_lock(rule_lock);
235 * Because the object label is less likely to match
236 * than the subject label check it first
238 list_for_each_entry_rcu(sp, rule_list, list) {
239 if (sp->smk_object == srp->smk_object &&
240 sp->smk_subject == srp->smk_subject) {
242 sp->smk_access |= srp->smk_access1;
243 sp->smk_access &= ~srp->smk_access2;
249 sp = kzalloc(sizeof(*sp), GFP_KERNEL);
255 sp->smk_subject = srp->smk_subject;
256 sp->smk_object = srp->smk_object;
257 sp->smk_access = srp->smk_access1 & ~srp->smk_access2;
259 list_add_rcu(&sp->list, rule_list);
261 * If this is a global as opposed to self and a new rule
262 * it needs to get added for reporting.
265 smlp = kzalloc(sizeof(*smlp), GFP_KERNEL);
268 list_add_rcu(&smlp->list, &smack_rule_list);
275 mutex_unlock(rule_lock);
280 * smk_perm_from_str - parse smack accesses from a text string
281 * @string: a text string that contains a Smack accesses code
283 * Returns an integer with respective bits set for specified accesses.
285 static int smk_perm_from_str(const char *string)
290 for (cp = string; ; cp++)
312 perm |= MAY_TRANSMUTE;
328 * smk_fill_rule - Fill Smack rule from strings
329 * @subject: subject label string
330 * @object: object label string
331 * @access1: access string
332 * @access2: string with permissions to be removed
334 * @import: if non-zero, import labels
335 * @len: label length limit
337 * Returns 0 on success, appropriate error code on failure.
339 static int smk_fill_rule(const char *subject, const char *object,
340 const char *access1, const char *access2,
341 struct smack_parsed_rule *rule, int import,
345 struct smack_known *skp;
348 rule->smk_subject = smk_import_entry(subject, len);
349 if (IS_ERR(rule->smk_subject))
350 return PTR_ERR(rule->smk_subject);
352 rule->smk_object = smk_import_entry(object, len);
353 if (IS_ERR(rule->smk_object))
354 return PTR_ERR(rule->smk_object);
356 cp = smk_parse_smack(subject, len);
359 skp = smk_find_entry(cp);
363 rule->smk_subject = skp;
365 cp = smk_parse_smack(object, len);
368 skp = smk_find_entry(cp);
372 rule->smk_object = skp;
375 rule->smk_access1 = smk_perm_from_str(access1);
377 rule->smk_access2 = smk_perm_from_str(access2);
379 rule->smk_access2 = ~rule->smk_access1;
385 * smk_parse_rule - parse Smack rule from load string
386 * @data: string to be parsed whose size is SMK_LOADLEN
388 * @import: if non-zero, import labels
390 * Returns 0 on success, -1 on errors.
392 static int smk_parse_rule(const char *data, struct smack_parsed_rule *rule,
397 rc = smk_fill_rule(data, data + SMK_LABELLEN,
398 data + SMK_LABELLEN + SMK_LABELLEN, NULL, rule,
399 import, SMK_LABELLEN);
404 * smk_parse_long_rule - parse Smack rule from rule string
405 * @data: string to be parsed, null terminated
406 * @rule: Will be filled with Smack parsed rule
407 * @import: if non-zero, import labels
408 * @tokens: numer of substrings expected in data
410 * Returns number of processed bytes on success, -ERRNO on failure.
412 static ssize_t smk_parse_long_rule(char *data, struct smack_parsed_rule *rule,
413 int import, int tokens)
421 * Parsing the rule in-place, filling all white-spaces with '\0'
423 for (i = 0; i < tokens; ++i) {
424 while (isspace(data[cnt]))
427 if (data[cnt] == '\0')
428 /* Unexpected end of data */
433 while (data[cnt] && !isspace(data[cnt]))
436 while (isspace(data[cnt]))
442 rc = smk_fill_rule(tok[0], tok[1], tok[2], tok[3], rule, import, 0);
443 return rc == 0 ? cnt : rc;
446 #define SMK_FIXED24_FMT 0 /* Fixed 24byte label format */
447 #define SMK_LONG_FMT 1 /* Variable long label format */
448 #define SMK_CHANGE_FMT 2 /* Rule modification format */
450 * smk_write_rules_list - write() for any /smack rule file
451 * @file: file pointer, not actually used
452 * @buf: where to get the data from
454 * @ppos: where to start - must be 0
455 * @rule_list: the list of rules to write to
456 * @rule_lock: lock for the rule list
457 * @format: /smack/load or /smack/load2 or /smack/change-rule format.
459 * Get one smack access rule from above.
460 * The format for SMK_LONG_FMT is:
461 * "subject<whitespace>object<whitespace>access[<whitespace>...]"
462 * The format for SMK_FIXED24_FMT is exactly:
463 * "subject object rwxat"
464 * The format for SMK_CHANGE_FMT is:
465 * "subject<whitespace>object<whitespace>
466 * acc_enable<whitespace>acc_disable[<whitespace>...]"
468 static ssize_t smk_write_rules_list(struct file *file, const char __user *buf,
469 size_t count, loff_t *ppos,
470 struct list_head *rule_list,
471 struct mutex *rule_lock, int format)
473 struct smack_parsed_rule rule;
482 * Enough data must be present.
487 if (format == SMK_FIXED24_FMT) {
489 * Minor hack for backward compatibility
491 if (count < SMK_OLOADLEN || count > SMK_LOADLEN)
494 if (count >= PAGE_SIZE) {
495 count = PAGE_SIZE - 1;
500 data = kmalloc(count + 1, GFP_KERNEL);
504 if (copy_from_user(data, buf, count) != 0) {
510 * In case of parsing only part of user buf,
511 * avoid having partial rule at the data buffer
514 while (count > 0 && (data[count - 1] != '\n'))
523 tokens = (format == SMK_CHANGE_FMT ? 4 : 3);
524 while (cnt < count) {
525 if (format == SMK_FIXED24_FMT) {
526 rc = smk_parse_rule(data, &rule, 1);
531 rc = smk_parse_long_rule(data + cnt, &rule, 1, tokens);
541 if (rule_list == NULL)
542 rc = smk_set_access(&rule, &rule.smk_subject->smk_rules,
543 &rule.smk_subject->smk_rules_lock, 1);
545 rc = smk_set_access(&rule, rule_list, rule_lock, 0);
558 * Core logic for smackfs seq list operations.
561 static void *smk_seq_start(struct seq_file *s, loff_t *pos,
562 struct list_head *head)
564 struct list_head *list;
568 for (list = rcu_dereference(list_next_rcu(head));
570 list = rcu_dereference(list_next_rcu(list))) {
578 static void *smk_seq_next(struct seq_file *s, void *v, loff_t *pos,
579 struct list_head *head)
581 struct list_head *list = v;
584 list = rcu_dereference(list_next_rcu(list));
586 return (list == head) ? NULL : list;
589 static void smk_seq_stop(struct seq_file *s, void *v)
594 static void smk_rule_show(struct seq_file *s, struct smack_rule *srp, int max)
597 * Don't show any rules with label names too long for
598 * interface file (/smack/load or /smack/load2)
599 * because you should expect to be able to write
600 * anything you read back.
602 if (strlen(srp->smk_subject->smk_known) >= max ||
603 strlen(srp->smk_object->smk_known) >= max)
606 if (srp->smk_access == 0)
609 seq_printf(s, "%s %s",
610 srp->smk_subject->smk_known,
611 srp->smk_object->smk_known);
615 if (srp->smk_access & MAY_READ)
617 if (srp->smk_access & MAY_WRITE)
619 if (srp->smk_access & MAY_EXEC)
621 if (srp->smk_access & MAY_APPEND)
623 if (srp->smk_access & MAY_TRANSMUTE)
625 if (srp->smk_access & MAY_LOCK)
627 if (srp->smk_access & MAY_BRINGUP)
634 * Seq_file read operations for /smack/load
637 static void *load2_seq_start(struct seq_file *s, loff_t *pos)
639 return smk_seq_start(s, pos, &smack_rule_list);
642 static void *load2_seq_next(struct seq_file *s, void *v, loff_t *pos)
644 return smk_seq_next(s, v, pos, &smack_rule_list);
647 static int load_seq_show(struct seq_file *s, void *v)
649 struct list_head *list = v;
650 struct smack_master_list *smlp =
651 list_entry_rcu(list, struct smack_master_list, list);
653 smk_rule_show(s, smlp->smk_rule, SMK_LABELLEN);
658 static const struct seq_operations load_seq_ops = {
659 .start = load2_seq_start,
660 .next = load2_seq_next,
661 .show = load_seq_show,
662 .stop = smk_seq_stop,
666 * smk_open_load - open() for /smack/load
667 * @inode: inode structure representing file
668 * @file: "load" file pointer
670 * For reading, use load_seq_* seq_file reading operations.
672 static int smk_open_load(struct inode *inode, struct file *file)
674 return seq_open(file, &load_seq_ops);
678 * smk_write_load - write() for /smack/load
679 * @file: file pointer, not actually used
680 * @buf: where to get the data from
682 * @ppos: where to start - must be 0
685 static ssize_t smk_write_load(struct file *file, const char __user *buf,
686 size_t count, loff_t *ppos)
689 * Must have privilege.
691 * Enough data must be present.
693 if (!smack_privileged(CAP_MAC_ADMIN))
696 return smk_write_rules_list(file, buf, count, ppos, NULL, NULL,
700 static const struct file_operations smk_load_ops = {
701 .open = smk_open_load,
704 .write = smk_write_load,
705 .release = seq_release,
709 * smk_cipso_doi - initialize the CIPSO domain
711 static void smk_cipso_doi(void)
714 struct cipso_v4_doi *doip;
715 struct netlbl_audit nai;
717 smk_netlabel_audit_set(&nai);
719 rc = netlbl_cfg_map_del(NULL, PF_INET, NULL, NULL, &nai);
721 printk(KERN_WARNING "%s:%d remove rc = %d\n",
722 __func__, __LINE__, rc);
724 doip = kmalloc(sizeof(struct cipso_v4_doi), GFP_KERNEL);
726 panic("smack: Failed to initialize cipso DOI.\n");
727 doip->map.std = NULL;
728 doip->doi = smk_cipso_doi_value;
729 doip->type = CIPSO_V4_MAP_PASS;
730 doip->tags[0] = CIPSO_V4_TAG_RBITMAP;
731 for (rc = 1; rc < CIPSO_V4_TAG_MAXCNT; rc++)
732 doip->tags[rc] = CIPSO_V4_TAG_INVALID;
734 rc = netlbl_cfg_cipsov4_add(doip, &nai);
736 printk(KERN_WARNING "%s:%d cipso add rc = %d\n",
737 __func__, __LINE__, rc);
741 rc = netlbl_cfg_cipsov4_map_add(doip->doi, NULL, NULL, NULL, &nai);
743 printk(KERN_WARNING "%s:%d map add rc = %d\n",
744 __func__, __LINE__, rc);
751 * smk_unlbl_ambient - initialize the unlabeled domain
752 * @oldambient: previous domain string
754 static void smk_unlbl_ambient(char *oldambient)
757 struct netlbl_audit nai;
759 smk_netlabel_audit_set(&nai);
761 if (oldambient != NULL) {
762 rc = netlbl_cfg_map_del(oldambient, PF_INET, NULL, NULL, &nai);
764 printk(KERN_WARNING "%s:%d remove rc = %d\n",
765 __func__, __LINE__, rc);
767 if (smack_net_ambient == NULL)
768 smack_net_ambient = &smack_known_floor;
770 rc = netlbl_cfg_unlbl_map_add(smack_net_ambient->smk_known, PF_INET,
773 printk(KERN_WARNING "%s:%d add rc = %d\n",
774 __func__, __LINE__, rc);
778 * Seq_file read operations for /smack/cipso
781 static void *cipso_seq_start(struct seq_file *s, loff_t *pos)
783 return smk_seq_start(s, pos, &smack_known_list);
786 static void *cipso_seq_next(struct seq_file *s, void *v, loff_t *pos)
788 return smk_seq_next(s, v, pos, &smack_known_list);
792 * Print cipso labels in format:
793 * label level[/cat[,cat]]
795 static int cipso_seq_show(struct seq_file *s, void *v)
797 struct list_head *list = v;
798 struct smack_known *skp =
799 list_entry_rcu(list, struct smack_known, list);
800 struct netlbl_lsm_catmap *cmp = skp->smk_netlabel.attr.mls.cat;
805 * Don't show a label that could not have been set using
806 * /smack/cipso. This is in support of the notion that
807 * anything read from /smack/cipso ought to be writeable
810 * /smack/cipso2 should be used instead.
812 if (strlen(skp->smk_known) >= SMK_LABELLEN)
815 seq_printf(s, "%s %3d", skp->smk_known, skp->smk_netlabel.attr.mls.lvl);
817 for (i = netlbl_catmap_walk(cmp, 0); i >= 0;
818 i = netlbl_catmap_walk(cmp, i + 1)) {
819 seq_printf(s, "%c%d", sep, i);
828 static const struct seq_operations cipso_seq_ops = {
829 .start = cipso_seq_start,
830 .next = cipso_seq_next,
831 .show = cipso_seq_show,
832 .stop = smk_seq_stop,
836 * smk_open_cipso - open() for /smack/cipso
837 * @inode: inode structure representing file
838 * @file: "cipso" file pointer
840 * Connect our cipso_seq_* operations with /smack/cipso
843 static int smk_open_cipso(struct inode *inode, struct file *file)
845 return seq_open(file, &cipso_seq_ops);
849 * smk_set_cipso - do the work for write() for cipso and cipso2
850 * @file: file pointer, not actually used
851 * @buf: where to get the data from
853 * @ppos: where to start
854 * @format: /smack/cipso or /smack/cipso2
856 * Accepts only one cipso rule per write call.
857 * Returns number of bytes written or error code, as appropriate
859 static ssize_t smk_set_cipso(struct file *file, const char __user *buf,
860 size_t count, loff_t *ppos, int format)
862 struct smack_known *skp;
863 struct netlbl_lsm_secattr ncats;
864 char mapcatset[SMK_CIPSOLEN];
868 ssize_t rc = -EINVAL;
875 * Must have privilege.
877 * Enough data must be present.
879 if (!smack_privileged(CAP_MAC_ADMIN))
883 if (format == SMK_FIXED24_FMT &&
884 (count < SMK_CIPSOMIN || count > SMK_CIPSOMAX))
887 data = kzalloc(count + 1, GFP_KERNEL);
891 if (copy_from_user(data, buf, count) != 0) {
899 * Only allow one writer at a time. Writes should be
900 * quite rare and small in any case.
902 mutex_lock(&smack_cipso_lock);
904 skp = smk_import_entry(rule, 0);
910 if (format == SMK_FIXED24_FMT)
911 rule += SMK_LABELLEN;
913 rule += strlen(skp->smk_known) + 1;
915 ret = sscanf(rule, "%d", &maplevel);
916 if (ret != 1 || maplevel > SMACK_CIPSO_MAXLEVEL)
919 rule += SMK_DIGITLEN;
920 ret = sscanf(rule, "%d", &catlen);
921 if (ret != 1 || catlen > SMACK_CIPSO_MAXCATNUM)
924 if (format == SMK_FIXED24_FMT &&
925 count != (SMK_CIPSOMIN + catlen * SMK_DIGITLEN))
928 memset(mapcatset, 0, sizeof(mapcatset));
930 for (i = 0; i < catlen; i++) {
931 rule += SMK_DIGITLEN;
932 ret = sscanf(rule, "%u", &cat);
933 if (ret != 1 || cat > SMACK_CIPSO_MAXCATNUM)
936 smack_catset_bit(cat, mapcatset);
939 rc = smk_netlbl_mls(maplevel, mapcatset, &ncats, SMK_CIPSOLEN);
941 netlbl_catmap_free(skp->smk_netlabel.attr.mls.cat);
942 skp->smk_netlabel.attr.mls.cat = ncats.attr.mls.cat;
943 skp->smk_netlabel.attr.mls.lvl = ncats.attr.mls.lvl;
948 mutex_unlock(&smack_cipso_lock);
955 * smk_write_cipso - write() for /smack/cipso
956 * @file: file pointer, not actually used
957 * @buf: where to get the data from
959 * @ppos: where to start
961 * Accepts only one cipso rule per write call.
962 * Returns number of bytes written or error code, as appropriate
964 static ssize_t smk_write_cipso(struct file *file, const char __user *buf,
965 size_t count, loff_t *ppos)
967 return smk_set_cipso(file, buf, count, ppos, SMK_FIXED24_FMT);
970 static const struct file_operations smk_cipso_ops = {
971 .open = smk_open_cipso,
974 .write = smk_write_cipso,
975 .release = seq_release,
979 * Seq_file read operations for /smack/cipso2
983 * Print cipso labels in format:
984 * label level[/cat[,cat]]
986 static int cipso2_seq_show(struct seq_file *s, void *v)
988 struct list_head *list = v;
989 struct smack_known *skp =
990 list_entry_rcu(list, struct smack_known, list);
991 struct netlbl_lsm_catmap *cmp = skp->smk_netlabel.attr.mls.cat;
995 seq_printf(s, "%s %3d", skp->smk_known, skp->smk_netlabel.attr.mls.lvl);
997 for (i = netlbl_catmap_walk(cmp, 0); i >= 0;
998 i = netlbl_catmap_walk(cmp, i + 1)) {
999 seq_printf(s, "%c%d", sep, i);
1008 static const struct seq_operations cipso2_seq_ops = {
1009 .start = cipso_seq_start,
1010 .next = cipso_seq_next,
1011 .show = cipso2_seq_show,
1012 .stop = smk_seq_stop,
1016 * smk_open_cipso2 - open() for /smack/cipso2
1017 * @inode: inode structure representing file
1018 * @file: "cipso2" file pointer
1020 * Connect our cipso_seq_* operations with /smack/cipso2
1023 static int smk_open_cipso2(struct inode *inode, struct file *file)
1025 return seq_open(file, &cipso2_seq_ops);
1029 * smk_write_cipso2 - write() for /smack/cipso2
1030 * @file: file pointer, not actually used
1031 * @buf: where to get the data from
1032 * @count: bytes sent
1033 * @ppos: where to start
1035 * Accepts only one cipso rule per write call.
1036 * Returns number of bytes written or error code, as appropriate
1038 static ssize_t smk_write_cipso2(struct file *file, const char __user *buf,
1039 size_t count, loff_t *ppos)
1041 return smk_set_cipso(file, buf, count, ppos, SMK_LONG_FMT);
1044 static const struct file_operations smk_cipso2_ops = {
1045 .open = smk_open_cipso2,
1047 .llseek = seq_lseek,
1048 .write = smk_write_cipso2,
1049 .release = seq_release,
1053 * Seq_file read operations for /smack/netlabel
1056 static void *net4addr_seq_start(struct seq_file *s, loff_t *pos)
1058 return smk_seq_start(s, pos, &smk_net4addr_list);
1061 static void *net4addr_seq_next(struct seq_file *s, void *v, loff_t *pos)
1063 return smk_seq_next(s, v, pos, &smk_net4addr_list);
1067 * Print host/label pairs
1069 static int net4addr_seq_show(struct seq_file *s, void *v)
1071 struct list_head *list = v;
1072 struct smk_net4addr *skp =
1073 list_entry_rcu(list, struct smk_net4addr, list);
1074 char *kp = SMACK_CIPSO_OPTION;
1076 if (skp->smk_label != NULL)
1077 kp = skp->smk_label->smk_known;
1078 seq_printf(s, "%pI4/%d %s\n", &skp->smk_host.s_addr,
1079 skp->smk_masks, kp);
1084 static const struct seq_operations net4addr_seq_ops = {
1085 .start = net4addr_seq_start,
1086 .next = net4addr_seq_next,
1087 .show = net4addr_seq_show,
1088 .stop = smk_seq_stop,
1092 * smk_open_net4addr - open() for /smack/netlabel
1093 * @inode: inode structure representing file
1094 * @file: "netlabel" file pointer
1096 * Connect our net4addr_seq_* operations with /smack/netlabel
1099 static int smk_open_net4addr(struct inode *inode, struct file *file)
1101 return seq_open(file, &net4addr_seq_ops);
1105 * smk_net4addr_insert
1106 * @new : netlabel to insert
1108 * This helper insert netlabel in the smack_net4addrs list
1109 * sorted by netmask length (longest to smallest)
1110 * locked by &smk_net4addr_lock in smk_write_net4addr
1113 static void smk_net4addr_insert(struct smk_net4addr *new)
1115 struct smk_net4addr *m;
1116 struct smk_net4addr *m_next;
1118 if (list_empty(&smk_net4addr_list)) {
1119 list_add_rcu(&new->list, &smk_net4addr_list);
1123 m = list_entry_rcu(smk_net4addr_list.next,
1124 struct smk_net4addr, list);
1126 /* the comparison '>' is a bit hacky, but works */
1127 if (new->smk_masks > m->smk_masks) {
1128 list_add_rcu(&new->list, &smk_net4addr_list);
1132 list_for_each_entry_rcu(m, &smk_net4addr_list, list) {
1133 if (list_is_last(&m->list, &smk_net4addr_list)) {
1134 list_add_rcu(&new->list, &m->list);
1137 m_next = list_entry_rcu(m->list.next,
1138 struct smk_net4addr, list);
1139 if (new->smk_masks > m_next->smk_masks) {
1140 list_add_rcu(&new->list, &m->list);
1148 * smk_write_net4addr - write() for /smack/netlabel
1149 * @file: file pointer, not actually used
1150 * @buf: where to get the data from
1151 * @count: bytes sent
1152 * @ppos: where to start
1154 * Accepts only one net4addr per write call.
1155 * Returns number of bytes written or error code, as appropriate
1157 static ssize_t smk_write_net4addr(struct file *file, const char __user *buf,
1158 size_t count, loff_t *ppos)
1160 struct smk_net4addr *snp;
1161 struct sockaddr_in newname;
1163 struct smack_known *skp = NULL;
1165 char *host = (char *)&newname.sin_addr.s_addr;
1167 struct netlbl_audit audit_info;
1168 struct in_addr mask;
1172 u32 mask_bits = (1<<31);
1177 * Must have privilege.
1178 * No partial writes.
1179 * Enough data must be present.
1180 * "<addr/mask, as a.b.c.d/e><space><label>"
1181 * "<addr, as a.b.c.d><space><label>"
1183 if (!smack_privileged(CAP_MAC_ADMIN))
1187 if (count < SMK_NETLBLADDRMIN)
1190 data = kzalloc(count + 1, GFP_KERNEL);
1194 if (copy_from_user(data, buf, count) != 0) {
1199 smack = kzalloc(count + 1, GFP_KERNEL);
1200 if (smack == NULL) {
1207 rc = sscanf(data, "%hhd.%hhd.%hhd.%hhd/%u %s",
1208 &host[0], &host[1], &host[2], &host[3], &masks, smack);
1210 rc = sscanf(data, "%hhd.%hhd.%hhd.%hhd %s",
1211 &host[0], &host[1], &host[2], &host[3], smack);
1219 if (masks > BEBITS) {
1225 * If smack begins with '-', it is an option, don't import it
1227 if (smack[0] != '-') {
1228 skp = smk_import_entry(smack, 0);
1235 * Only the -CIPSO option is supported for IPv4
1237 if (strcmp(smack, SMACK_CIPSO_OPTION) != 0) {
1243 for (m = masks, temp_mask = 0; m > 0; m--) {
1244 temp_mask |= mask_bits;
1247 mask.s_addr = cpu_to_be32(temp_mask);
1249 newname.sin_addr.s_addr &= mask.s_addr;
1251 * Only allow one writer at a time. Writes should be
1252 * quite rare and small in any case.
1254 mutex_lock(&smk_net4addr_lock);
1256 nsa = newname.sin_addr.s_addr;
1257 /* try to find if the prefix is already in the list */
1259 list_for_each_entry_rcu(snp, &smk_net4addr_list, list) {
1260 if (snp->smk_host.s_addr == nsa && snp->smk_masks == masks) {
1265 smk_netlabel_audit_set(&audit_info);
1268 snp = kzalloc(sizeof(*snp), GFP_KERNEL);
1273 snp->smk_host.s_addr = newname.sin_addr.s_addr;
1274 snp->smk_mask.s_addr = mask.s_addr;
1275 snp->smk_label = skp;
1276 snp->smk_masks = masks;
1277 smk_net4addr_insert(snp);
1281 * Delete the unlabeled entry, only if the previous label
1282 * wasn't the special CIPSO option
1284 if (snp->smk_label != NULL)
1285 rc = netlbl_cfg_unlbl_static_del(&init_net, NULL,
1286 &snp->smk_host, &snp->smk_mask,
1287 PF_INET, &audit_info);
1290 snp->smk_label = skp;
1294 * Now tell netlabel about the single label nature of
1295 * this host so that incoming packets get labeled.
1296 * but only if we didn't get the special CIPSO option
1298 if (rc == 0 && skp != NULL)
1299 rc = netlbl_cfg_unlbl_static_add(&init_net, NULL,
1300 &snp->smk_host, &snp->smk_mask, PF_INET,
1301 snp->smk_label->smk_secid, &audit_info);
1306 mutex_unlock(&smk_net4addr_lock);
1316 static const struct file_operations smk_net4addr_ops = {
1317 .open = smk_open_net4addr,
1319 .llseek = seq_lseek,
1320 .write = smk_write_net4addr,
1321 .release = seq_release,
1324 #if IS_ENABLED(CONFIG_IPV6)
1326 * Seq_file read operations for /smack/netlabel6
1329 static void *net6addr_seq_start(struct seq_file *s, loff_t *pos)
1331 return smk_seq_start(s, pos, &smk_net6addr_list);
1334 static void *net6addr_seq_next(struct seq_file *s, void *v, loff_t *pos)
1336 return smk_seq_next(s, v, pos, &smk_net6addr_list);
1340 * Print host/label pairs
1342 static int net6addr_seq_show(struct seq_file *s, void *v)
1344 struct list_head *list = v;
1345 struct smk_net6addr *skp =
1346 list_entry(list, struct smk_net6addr, list);
1348 if (skp->smk_label != NULL)
1349 seq_printf(s, "%pI6/%d %s\n", &skp->smk_host, skp->smk_masks,
1350 skp->smk_label->smk_known);
1355 static const struct seq_operations net6addr_seq_ops = {
1356 .start = net6addr_seq_start,
1357 .next = net6addr_seq_next,
1358 .show = net6addr_seq_show,
1359 .stop = smk_seq_stop,
1363 * smk_open_net6addr - open() for /smack/netlabel
1364 * @inode: inode structure representing file
1365 * @file: "netlabel" file pointer
1367 * Connect our net6addr_seq_* operations with /smack/netlabel
1370 static int smk_open_net6addr(struct inode *inode, struct file *file)
1372 return seq_open(file, &net6addr_seq_ops);
1376 * smk_net6addr_insert
1377 * @new : entry to insert
1379 * This inserts an entry in the smack_net6addrs list
1380 * sorted by netmask length (longest to smallest)
1381 * locked by &smk_net6addr_lock in smk_write_net6addr
1384 static void smk_net6addr_insert(struct smk_net6addr *new)
1386 struct smk_net6addr *m_next;
1387 struct smk_net6addr *m;
1389 if (list_empty(&smk_net6addr_list)) {
1390 list_add_rcu(&new->list, &smk_net6addr_list);
1394 m = list_entry_rcu(smk_net6addr_list.next,
1395 struct smk_net6addr, list);
1397 if (new->smk_masks > m->smk_masks) {
1398 list_add_rcu(&new->list, &smk_net6addr_list);
1402 list_for_each_entry_rcu(m, &smk_net6addr_list, list) {
1403 if (list_is_last(&m->list, &smk_net6addr_list)) {
1404 list_add_rcu(&new->list, &m->list);
1407 m_next = list_entry_rcu(m->list.next,
1408 struct smk_net6addr, list);
1409 if (new->smk_masks > m_next->smk_masks) {
1410 list_add_rcu(&new->list, &m->list);
1418 * smk_write_net6addr - write() for /smack/netlabel
1419 * @file: file pointer, not actually used
1420 * @buf: where to get the data from
1421 * @count: bytes sent
1422 * @ppos: where to start
1424 * Accepts only one net6addr per write call.
1425 * Returns number of bytes written or error code, as appropriate
1427 static ssize_t smk_write_net6addr(struct file *file, const char __user *buf,
1428 size_t count, loff_t *ppos)
1430 struct smk_net6addr *snp;
1431 struct in6_addr newname;
1432 struct in6_addr fullmask;
1433 struct smack_known *skp = NULL;
1439 unsigned int scanned[8];
1441 unsigned int mask = 128;
1444 * Must have privilege.
1445 * No partial writes.
1446 * Enough data must be present.
1447 * "<addr/mask, as a:b:c:d:e:f:g:h/e><space><label>"
1448 * "<addr, as a:b:c:d:e:f:g:h><space><label>"
1450 if (!smack_privileged(CAP_MAC_ADMIN))
1454 if (count < SMK_NETLBLADDRMIN)
1457 data = kzalloc(count + 1, GFP_KERNEL);
1461 if (copy_from_user(data, buf, count) != 0) {
1466 smack = kzalloc(count + 1, GFP_KERNEL);
1467 if (smack == NULL) {
1474 i = sscanf(data, "%x:%x:%x:%x:%x:%x:%x:%x/%u %s",
1475 &scanned[0], &scanned[1], &scanned[2], &scanned[3],
1476 &scanned[4], &scanned[5], &scanned[6], &scanned[7],
1479 i = sscanf(data, "%x:%x:%x:%x:%x:%x:%x:%x %s",
1480 &scanned[0], &scanned[1], &scanned[2],
1481 &scanned[3], &scanned[4], &scanned[5],
1482 &scanned[6], &scanned[7], smack);
1492 for (i = 0; i < 8; i++) {
1493 if (scanned[i] > 0xffff) {
1497 newname.s6_addr16[i] = htons(scanned[i]);
1501 * If smack begins with '-', it is an option, don't import it
1503 if (smack[0] != '-') {
1504 skp = smk_import_entry(smack, 0);
1511 * Only -DELETE is supported for IPv6
1513 if (strcmp(smack, SMACK_DELETE_OPTION) != 0) {
1519 for (i = 0, m = mask; i < 8; i++) {
1521 fullmask.s6_addr16[i] = 0xffff;
1524 fullmask.s6_addr16[i] = (1 << m) - 1;
1527 fullmask.s6_addr16[i] = 0;
1528 newname.s6_addr16[i] &= fullmask.s6_addr16[i];
1532 * Only allow one writer at a time. Writes should be
1533 * quite rare and small in any case.
1535 mutex_lock(&smk_net6addr_lock);
1537 * Try to find the prefix in the list
1539 list_for_each_entry_rcu(snp, &smk_net6addr_list, list) {
1540 if (mask != snp->smk_masks)
1542 for (found = 1, i = 0; i < 8; i++) {
1543 if (newname.s6_addr16[i] !=
1544 snp->smk_host.s6_addr16[i]) {
1553 snp = kzalloc(sizeof(*snp), GFP_KERNEL);
1557 snp->smk_host = newname;
1558 snp->smk_mask = fullmask;
1559 snp->smk_masks = mask;
1560 snp->smk_label = skp;
1561 smk_net6addr_insert(snp);
1564 snp->smk_label = skp;
1570 mutex_unlock(&smk_net6addr_lock);
1580 static const struct file_operations smk_net6addr_ops = {
1581 .open = smk_open_net6addr,
1583 .llseek = seq_lseek,
1584 .write = smk_write_net6addr,
1585 .release = seq_release,
1587 #endif /* CONFIG_IPV6 */
1590 * smk_read_doi - read() for /smack/doi
1591 * @filp: file pointer, not actually used
1592 * @buf: where to put the result
1593 * @count: maximum to send along
1594 * @ppos: where to start
1596 * Returns number of bytes read or error code, as appropriate
1598 static ssize_t smk_read_doi(struct file *filp, char __user *buf,
1599 size_t count, loff_t *ppos)
1607 sprintf(temp, "%d", smk_cipso_doi_value);
1608 rc = simple_read_from_buffer(buf, count, ppos, temp, strlen(temp));
1614 * smk_write_doi - write() for /smack/doi
1615 * @file: file pointer, not actually used
1616 * @buf: where to get the data from
1617 * @count: bytes sent
1618 * @ppos: where to start
1620 * Returns number of bytes written or error code, as appropriate
1622 static ssize_t smk_write_doi(struct file *file, const char __user *buf,
1623 size_t count, loff_t *ppos)
1628 if (!smack_privileged(CAP_MAC_ADMIN))
1631 if (count >= sizeof(temp) || count == 0)
1634 if (copy_from_user(temp, buf, count) != 0)
1639 if (sscanf(temp, "%d", &i) != 1)
1642 smk_cipso_doi_value = i;
1649 static const struct file_operations smk_doi_ops = {
1650 .read = smk_read_doi,
1651 .write = smk_write_doi,
1652 .llseek = default_llseek,
1656 * smk_read_direct - read() for /smack/direct
1657 * @filp: file pointer, not actually used
1658 * @buf: where to put the result
1659 * @count: maximum to send along
1660 * @ppos: where to start
1662 * Returns number of bytes read or error code, as appropriate
1664 static ssize_t smk_read_direct(struct file *filp, char __user *buf,
1665 size_t count, loff_t *ppos)
1673 sprintf(temp, "%d", smack_cipso_direct);
1674 rc = simple_read_from_buffer(buf, count, ppos, temp, strlen(temp));
1680 * smk_write_direct - write() for /smack/direct
1681 * @file: file pointer, not actually used
1682 * @buf: where to get the data from
1683 * @count: bytes sent
1684 * @ppos: where to start
1686 * Returns number of bytes written or error code, as appropriate
1688 static ssize_t smk_write_direct(struct file *file, const char __user *buf,
1689 size_t count, loff_t *ppos)
1691 struct smack_known *skp;
1695 if (!smack_privileged(CAP_MAC_ADMIN))
1698 if (count >= sizeof(temp) || count == 0)
1701 if (copy_from_user(temp, buf, count) != 0)
1706 if (sscanf(temp, "%d", &i) != 1)
1710 * Don't do anything if the value hasn't actually changed.
1711 * If it is changing reset the level on entries that were
1712 * set up to be direct when they were created.
1714 if (smack_cipso_direct != i) {
1715 mutex_lock(&smack_known_lock);
1716 list_for_each_entry_rcu(skp, &smack_known_list, list)
1717 if (skp->smk_netlabel.attr.mls.lvl ==
1719 skp->smk_netlabel.attr.mls.lvl = i;
1720 smack_cipso_direct = i;
1721 mutex_unlock(&smack_known_lock);
1727 static const struct file_operations smk_direct_ops = {
1728 .read = smk_read_direct,
1729 .write = smk_write_direct,
1730 .llseek = default_llseek,
1734 * smk_read_mapped - read() for /smack/mapped
1735 * @filp: file pointer, not actually used
1736 * @buf: where to put the result
1737 * @count: maximum to send along
1738 * @ppos: where to start
1740 * Returns number of bytes read or error code, as appropriate
1742 static ssize_t smk_read_mapped(struct file *filp, char __user *buf,
1743 size_t count, loff_t *ppos)
1751 sprintf(temp, "%d", smack_cipso_mapped);
1752 rc = simple_read_from_buffer(buf, count, ppos, temp, strlen(temp));
1758 * smk_write_mapped - write() for /smack/mapped
1759 * @file: file pointer, not actually used
1760 * @buf: where to get the data from
1761 * @count: bytes sent
1762 * @ppos: where to start
1764 * Returns number of bytes written or error code, as appropriate
1766 static ssize_t smk_write_mapped(struct file *file, const char __user *buf,
1767 size_t count, loff_t *ppos)
1769 struct smack_known *skp;
1773 if (!smack_privileged(CAP_MAC_ADMIN))
1776 if (count >= sizeof(temp) || count == 0)
1779 if (copy_from_user(temp, buf, count) != 0)
1784 if (sscanf(temp, "%d", &i) != 1)
1788 * Don't do anything if the value hasn't actually changed.
1789 * If it is changing reset the level on entries that were
1790 * set up to be mapped when they were created.
1792 if (smack_cipso_mapped != i) {
1793 mutex_lock(&smack_known_lock);
1794 list_for_each_entry_rcu(skp, &smack_known_list, list)
1795 if (skp->smk_netlabel.attr.mls.lvl ==
1797 skp->smk_netlabel.attr.mls.lvl = i;
1798 smack_cipso_mapped = i;
1799 mutex_unlock(&smack_known_lock);
1805 static const struct file_operations smk_mapped_ops = {
1806 .read = smk_read_mapped,
1807 .write = smk_write_mapped,
1808 .llseek = default_llseek,
1812 * smk_read_ambient - read() for /smack/ambient
1813 * @filp: file pointer, not actually used
1814 * @buf: where to put the result
1815 * @cn: maximum to send along
1816 * @ppos: where to start
1818 * Returns number of bytes read or error code, as appropriate
1820 static ssize_t smk_read_ambient(struct file *filp, char __user *buf,
1821 size_t cn, loff_t *ppos)
1829 * Being careful to avoid a problem in the case where
1830 * smack_net_ambient gets changed in midstream.
1832 mutex_lock(&smack_ambient_lock);
1834 asize = strlen(smack_net_ambient->smk_known) + 1;
1837 rc = simple_read_from_buffer(buf, cn, ppos,
1838 smack_net_ambient->smk_known,
1843 mutex_unlock(&smack_ambient_lock);
1849 * smk_write_ambient - write() for /smack/ambient
1850 * @file: file pointer, not actually used
1851 * @buf: where to get the data from
1852 * @count: bytes sent
1853 * @ppos: where to start
1855 * Returns number of bytes written or error code, as appropriate
1857 static ssize_t smk_write_ambient(struct file *file, const char __user *buf,
1858 size_t count, loff_t *ppos)
1860 struct smack_known *skp;
1865 if (!smack_privileged(CAP_MAC_ADMIN))
1868 data = kzalloc(count + 1, GFP_KERNEL);
1872 if (copy_from_user(data, buf, count) != 0) {
1877 skp = smk_import_entry(data, count);
1883 mutex_lock(&smack_ambient_lock);
1885 oldambient = smack_net_ambient->smk_known;
1886 smack_net_ambient = skp;
1887 smk_unlbl_ambient(oldambient);
1889 mutex_unlock(&smack_ambient_lock);
1896 static const struct file_operations smk_ambient_ops = {
1897 .read = smk_read_ambient,
1898 .write = smk_write_ambient,
1899 .llseek = default_llseek,
1903 * Seq_file operations for /smack/onlycap
1905 static void *onlycap_seq_start(struct seq_file *s, loff_t *pos)
1907 return smk_seq_start(s, pos, &smack_onlycap_list);
1910 static void *onlycap_seq_next(struct seq_file *s, void *v, loff_t *pos)
1912 return smk_seq_next(s, v, pos, &smack_onlycap_list);
1915 static int onlycap_seq_show(struct seq_file *s, void *v)
1917 struct list_head *list = v;
1918 struct smack_known_list_elem *sklep =
1919 list_entry_rcu(list, struct smack_known_list_elem, list);
1921 seq_puts(s, sklep->smk_label->smk_known);
1927 static const struct seq_operations onlycap_seq_ops = {
1928 .start = onlycap_seq_start,
1929 .next = onlycap_seq_next,
1930 .show = onlycap_seq_show,
1931 .stop = smk_seq_stop,
1934 static int smk_open_onlycap(struct inode *inode, struct file *file)
1936 return seq_open(file, &onlycap_seq_ops);
1940 * smk_list_swap_rcu - swap public list with a private one in RCU-safe way
1941 * The caller must hold appropriate mutex to prevent concurrent modifications
1942 * to the public list.
1943 * Private list is assumed to be not accessible to other threads yet.
1945 * @public: public list
1946 * @private: private list
1948 static void smk_list_swap_rcu(struct list_head *public,
1949 struct list_head *private)
1951 struct list_head *first, *last;
1953 if (list_empty(public)) {
1954 list_splice_init_rcu(private, public, synchronize_rcu);
1956 /* Remember public list before replacing it */
1957 first = public->next;
1958 last = public->prev;
1960 /* Publish private list in place of public in RCU-safe way */
1961 private->prev->next = public;
1962 private->next->prev = public;
1963 rcu_assign_pointer(public->next, private->next);
1964 public->prev = private->prev;
1968 /* When all readers are done with the old public list,
1969 * attach it in place of private */
1970 private->next = first;
1971 private->prev = last;
1972 first->prev = private;
1973 last->next = private;
1978 * smk_parse_label_list - parse list of Smack labels, separated by spaces
1980 * @data: the string to parse
1981 * @private: destination list
1983 * Returns zero on success or error code, as appropriate
1985 static int smk_parse_label_list(char *data, struct list_head *list)
1988 struct smack_known *skp;
1989 struct smack_known_list_elem *sklep;
1991 while ((tok = strsep(&data, " ")) != NULL) {
1995 skp = smk_import_entry(tok, 0);
1997 return PTR_ERR(skp);
1999 sklep = kzalloc(sizeof(*sklep), GFP_KERNEL);
2003 sklep->smk_label = skp;
2004 list_add(&sklep->list, list);
2011 * smk_destroy_label_list - destroy a list of smack_known_list_elem
2012 * @head: header pointer of the list to destroy
2014 void smk_destroy_label_list(struct list_head *list)
2016 struct smack_known_list_elem *sklep;
2017 struct smack_known_list_elem *sklep2;
2019 list_for_each_entry_safe(sklep, sklep2, list, list)
2022 INIT_LIST_HEAD(list);
2026 * smk_write_onlycap - write() for smackfs/onlycap
2027 * @file: file pointer, not actually used
2028 * @buf: where to get the data from
2029 * @count: bytes sent
2030 * @ppos: where to start
2032 * Returns number of bytes written or error code, as appropriate
2034 static ssize_t smk_write_onlycap(struct file *file, const char __user *buf,
2035 size_t count, loff_t *ppos)
2038 LIST_HEAD(list_tmp);
2041 if (!smack_privileged(CAP_MAC_ADMIN))
2044 data = kzalloc(count + 1, GFP_KERNEL);
2048 if (copy_from_user(data, buf, count) != 0) {
2053 rc = smk_parse_label_list(data, &list_tmp);
2057 * Clear the smack_onlycap on invalid label errors. This means
2058 * that we can pass a null string to unset the onlycap value.
2060 * Importing will also reject a label beginning with '-',
2061 * so "-usecapabilities" will also work.
2063 * But do so only on invalid label, not on system errors.
2064 * The invalid label must be first to count as clearing attempt.
2066 if (!rc || (rc == -EINVAL && list_empty(&list_tmp))) {
2067 mutex_lock(&smack_onlycap_lock);
2068 smk_list_swap_rcu(&smack_onlycap_list, &list_tmp);
2069 mutex_unlock(&smack_onlycap_lock);
2073 smk_destroy_label_list(&list_tmp);
2078 static const struct file_operations smk_onlycap_ops = {
2079 .open = smk_open_onlycap,
2081 .write = smk_write_onlycap,
2082 .llseek = seq_lseek,
2083 .release = seq_release,
2086 #ifdef CONFIG_SECURITY_SMACK_BRINGUP
2088 * smk_read_unconfined - read() for smackfs/unconfined
2089 * @filp: file pointer, not actually used
2090 * @buf: where to put the result
2091 * @cn: maximum to send along
2092 * @ppos: where to start
2094 * Returns number of bytes read or error code, as appropriate
2096 static ssize_t smk_read_unconfined(struct file *filp, char __user *buf,
2097 size_t cn, loff_t *ppos)
2100 ssize_t rc = -EINVAL;
2106 if (smack_unconfined != NULL)
2107 smack = smack_unconfined->smk_known;
2109 asize = strlen(smack) + 1;
2112 rc = simple_read_from_buffer(buf, cn, ppos, smack, asize);
2118 * smk_write_unconfined - write() for smackfs/unconfined
2119 * @file: file pointer, not actually used
2120 * @buf: where to get the data from
2121 * @count: bytes sent
2122 * @ppos: where to start
2124 * Returns number of bytes written or error code, as appropriate
2126 static ssize_t smk_write_unconfined(struct file *file, const char __user *buf,
2127 size_t count, loff_t *ppos)
2130 struct smack_known *skp;
2133 if (!smack_privileged(CAP_MAC_ADMIN))
2136 data = kzalloc(count + 1, GFP_KERNEL);
2140 if (copy_from_user(data, buf, count) != 0) {
2146 * Clear the smack_unconfined on invalid label errors. This means
2147 * that we can pass a null string to unset the unconfined value.
2149 * Importing will also reject a label beginning with '-',
2150 * so "-confine" will also work.
2152 * But do so only on invalid label, not on system errors.
2154 skp = smk_import_entry(data, count);
2155 if (PTR_ERR(skp) == -EINVAL)
2157 else if (IS_ERR(skp)) {
2162 smack_unconfined = skp;
2169 static const struct file_operations smk_unconfined_ops = {
2170 .read = smk_read_unconfined,
2171 .write = smk_write_unconfined,
2172 .llseek = default_llseek,
2174 #endif /* CONFIG_SECURITY_SMACK_BRINGUP */
2177 * smk_read_logging - read() for /smack/logging
2178 * @filp: file pointer, not actually used
2179 * @buf: where to put the result
2180 * @cn: maximum to send along
2181 * @ppos: where to start
2183 * Returns number of bytes read or error code, as appropriate
2185 static ssize_t smk_read_logging(struct file *filp, char __user *buf,
2186 size_t count, loff_t *ppos)
2194 sprintf(temp, "%d\n", log_policy);
2195 rc = simple_read_from_buffer(buf, count, ppos, temp, strlen(temp));
2200 * smk_write_logging - write() for /smack/logging
2201 * @file: file pointer, not actually used
2202 * @buf: where to get the data from
2203 * @count: bytes sent
2204 * @ppos: where to start
2206 * Returns number of bytes written or error code, as appropriate
2208 static ssize_t smk_write_logging(struct file *file, const char __user *buf,
2209 size_t count, loff_t *ppos)
2214 if (!smack_privileged(CAP_MAC_ADMIN))
2217 if (count >= sizeof(temp) || count == 0)
2220 if (copy_from_user(temp, buf, count) != 0)
2225 if (sscanf(temp, "%d", &i) != 1)
2235 static const struct file_operations smk_logging_ops = {
2236 .read = smk_read_logging,
2237 .write = smk_write_logging,
2238 .llseek = default_llseek,
2242 * Seq_file read operations for /smack/load-self
2245 static void *load_self_seq_start(struct seq_file *s, loff_t *pos)
2247 struct task_smack *tsp = current_security();
2249 return smk_seq_start(s, pos, &tsp->smk_rules);
2252 static void *load_self_seq_next(struct seq_file *s, void *v, loff_t *pos)
2254 struct task_smack *tsp = current_security();
2256 return smk_seq_next(s, v, pos, &tsp->smk_rules);
2259 static int load_self_seq_show(struct seq_file *s, void *v)
2261 struct list_head *list = v;
2262 struct smack_rule *srp =
2263 list_entry_rcu(list, struct smack_rule, list);
2265 smk_rule_show(s, srp, SMK_LABELLEN);
2270 static const struct seq_operations load_self_seq_ops = {
2271 .start = load_self_seq_start,
2272 .next = load_self_seq_next,
2273 .show = load_self_seq_show,
2274 .stop = smk_seq_stop,
2279 * smk_open_load_self - open() for /smack/load-self2
2280 * @inode: inode structure representing file
2281 * @file: "load" file pointer
2283 * For reading, use load_seq_* seq_file reading operations.
2285 static int smk_open_load_self(struct inode *inode, struct file *file)
2287 return seq_open(file, &load_self_seq_ops);
2291 * smk_write_load_self - write() for /smack/load-self
2292 * @file: file pointer, not actually used
2293 * @buf: where to get the data from
2294 * @count: bytes sent
2295 * @ppos: where to start - must be 0
2298 static ssize_t smk_write_load_self(struct file *file, const char __user *buf,
2299 size_t count, loff_t *ppos)
2301 struct task_smack *tsp = current_security();
2303 return smk_write_rules_list(file, buf, count, ppos, &tsp->smk_rules,
2304 &tsp->smk_rules_lock, SMK_FIXED24_FMT);
2307 static const struct file_operations smk_load_self_ops = {
2308 .open = smk_open_load_self,
2310 .llseek = seq_lseek,
2311 .write = smk_write_load_self,
2312 .release = seq_release,
2316 * smk_user_access - handle access check transaction
2317 * @file: file pointer
2318 * @buf: data from user space
2319 * @count: bytes sent
2320 * @ppos: where to start - must be 0
2322 static ssize_t smk_user_access(struct file *file, const char __user *buf,
2323 size_t count, loff_t *ppos, int format)
2325 struct smack_parsed_rule rule;
2329 data = simple_transaction_get(file, buf, count);
2331 return PTR_ERR(data);
2333 if (format == SMK_FIXED24_FMT) {
2334 if (count < SMK_LOADLEN)
2336 res = smk_parse_rule(data, &rule, 0);
2339 * simple_transaction_get() returns null-terminated data
2341 res = smk_parse_long_rule(data, &rule, 0, 3);
2345 res = smk_access(rule.smk_subject, rule.smk_object,
2346 rule.smk_access1, NULL);
2347 else if (res != -ENOENT)
2351 * smk_access() can return a value > 0 in the "bringup" case.
2353 data[0] = res >= 0 ? '1' : '0';
2356 simple_transaction_set(file, 2);
2358 if (format == SMK_FIXED24_FMT)
2364 * smk_write_access - handle access check transaction
2365 * @file: file pointer
2366 * @buf: data from user space
2367 * @count: bytes sent
2368 * @ppos: where to start - must be 0
2370 static ssize_t smk_write_access(struct file *file, const char __user *buf,
2371 size_t count, loff_t *ppos)
2373 return smk_user_access(file, buf, count, ppos, SMK_FIXED24_FMT);
2376 static const struct file_operations smk_access_ops = {
2377 .write = smk_write_access,
2378 .read = simple_transaction_read,
2379 .release = simple_transaction_release,
2380 .llseek = generic_file_llseek,
2385 * Seq_file read operations for /smack/load2
2388 static int load2_seq_show(struct seq_file *s, void *v)
2390 struct list_head *list = v;
2391 struct smack_master_list *smlp =
2392 list_entry_rcu(list, struct smack_master_list, list);
2394 smk_rule_show(s, smlp->smk_rule, SMK_LONGLABEL);
2399 static const struct seq_operations load2_seq_ops = {
2400 .start = load2_seq_start,
2401 .next = load2_seq_next,
2402 .show = load2_seq_show,
2403 .stop = smk_seq_stop,
2407 * smk_open_load2 - open() for /smack/load2
2408 * @inode: inode structure representing file
2409 * @file: "load2" file pointer
2411 * For reading, use load2_seq_* seq_file reading operations.
2413 static int smk_open_load2(struct inode *inode, struct file *file)
2415 return seq_open(file, &load2_seq_ops);
2419 * smk_write_load2 - write() for /smack/load2
2420 * @file: file pointer, not actually used
2421 * @buf: where to get the data from
2422 * @count: bytes sent
2423 * @ppos: where to start - must be 0
2426 static ssize_t smk_write_load2(struct file *file, const char __user *buf,
2427 size_t count, loff_t *ppos)
2430 * Must have privilege.
2432 if (!smack_privileged(CAP_MAC_ADMIN))
2435 return smk_write_rules_list(file, buf, count, ppos, NULL, NULL,
2439 static const struct file_operations smk_load2_ops = {
2440 .open = smk_open_load2,
2442 .llseek = seq_lseek,
2443 .write = smk_write_load2,
2444 .release = seq_release,
2448 * Seq_file read operations for /smack/load-self2
2451 static void *load_self2_seq_start(struct seq_file *s, loff_t *pos)
2453 struct task_smack *tsp = current_security();
2455 return smk_seq_start(s, pos, &tsp->smk_rules);
2458 static void *load_self2_seq_next(struct seq_file *s, void *v, loff_t *pos)
2460 struct task_smack *tsp = current_security();
2462 return smk_seq_next(s, v, pos, &tsp->smk_rules);
2465 static int load_self2_seq_show(struct seq_file *s, void *v)
2467 struct list_head *list = v;
2468 struct smack_rule *srp =
2469 list_entry_rcu(list, struct smack_rule, list);
2471 smk_rule_show(s, srp, SMK_LONGLABEL);
2476 static const struct seq_operations load_self2_seq_ops = {
2477 .start = load_self2_seq_start,
2478 .next = load_self2_seq_next,
2479 .show = load_self2_seq_show,
2480 .stop = smk_seq_stop,
2484 * smk_open_load_self2 - open() for /smack/load-self2
2485 * @inode: inode structure representing file
2486 * @file: "load" file pointer
2488 * For reading, use load_seq_* seq_file reading operations.
2490 static int smk_open_load_self2(struct inode *inode, struct file *file)
2492 return seq_open(file, &load_self2_seq_ops);
2496 * smk_write_load_self2 - write() for /smack/load-self2
2497 * @file: file pointer, not actually used
2498 * @buf: where to get the data from
2499 * @count: bytes sent
2500 * @ppos: where to start - must be 0
2503 static ssize_t smk_write_load_self2(struct file *file, const char __user *buf,
2504 size_t count, loff_t *ppos)
2506 struct task_smack *tsp = current_security();
2508 return smk_write_rules_list(file, buf, count, ppos, &tsp->smk_rules,
2509 &tsp->smk_rules_lock, SMK_LONG_FMT);
2512 static const struct file_operations smk_load_self2_ops = {
2513 .open = smk_open_load_self2,
2515 .llseek = seq_lseek,
2516 .write = smk_write_load_self2,
2517 .release = seq_release,
2521 * smk_write_access2 - handle access check transaction
2522 * @file: file pointer
2523 * @buf: data from user space
2524 * @count: bytes sent
2525 * @ppos: where to start - must be 0
2527 static ssize_t smk_write_access2(struct file *file, const char __user *buf,
2528 size_t count, loff_t *ppos)
2530 return smk_user_access(file, buf, count, ppos, SMK_LONG_FMT);
2533 static const struct file_operations smk_access2_ops = {
2534 .write = smk_write_access2,
2535 .read = simple_transaction_read,
2536 .release = simple_transaction_release,
2537 .llseek = generic_file_llseek,
2541 * smk_write_revoke_subj - write() for /smack/revoke-subject
2542 * @file: file pointer
2543 * @buf: data from user space
2544 * @count: bytes sent
2545 * @ppos: where to start - must be 0
2547 static ssize_t smk_write_revoke_subj(struct file *file, const char __user *buf,
2548 size_t count, loff_t *ppos)
2552 struct smack_known *skp;
2553 struct smack_rule *sp;
2554 struct list_head *rule_list;
2555 struct mutex *rule_lock;
2561 if (!smack_privileged(CAP_MAC_ADMIN))
2564 if (count == 0 || count > SMK_LONGLABEL)
2567 data = kzalloc(count, GFP_KERNEL);
2571 if (copy_from_user(data, buf, count) != 0) {
2576 cp = smk_parse_smack(data, count);
2582 skp = smk_find_entry(cp);
2586 rule_list = &skp->smk_rules;
2587 rule_lock = &skp->smk_rules_lock;
2589 mutex_lock(rule_lock);
2591 list_for_each_entry_rcu(sp, rule_list, list)
2594 mutex_unlock(rule_lock);
2604 static const struct file_operations smk_revoke_subj_ops = {
2605 .write = smk_write_revoke_subj,
2606 .read = simple_transaction_read,
2607 .release = simple_transaction_release,
2608 .llseek = generic_file_llseek,
2612 * smk_init_sysfs - initialize /sys/fs/smackfs
2615 static int smk_init_sysfs(void)
2617 return sysfs_create_mount_point(fs_kobj, "smackfs");
2621 * smk_write_change_rule - write() for /smack/change-rule
2622 * @file: file pointer
2623 * @buf: data from user space
2624 * @count: bytes sent
2625 * @ppos: where to start - must be 0
2627 static ssize_t smk_write_change_rule(struct file *file, const char __user *buf,
2628 size_t count, loff_t *ppos)
2631 * Must have privilege.
2633 if (!smack_privileged(CAP_MAC_ADMIN))
2636 return smk_write_rules_list(file, buf, count, ppos, NULL, NULL,
2640 static const struct file_operations smk_change_rule_ops = {
2641 .write = smk_write_change_rule,
2642 .read = simple_transaction_read,
2643 .release = simple_transaction_release,
2644 .llseek = generic_file_llseek,
2648 * smk_read_syslog - read() for smackfs/syslog
2649 * @filp: file pointer, not actually used
2650 * @buf: where to put the result
2651 * @cn: maximum to send along
2652 * @ppos: where to start
2654 * Returns number of bytes read or error code, as appropriate
2656 static ssize_t smk_read_syslog(struct file *filp, char __user *buf,
2657 size_t cn, loff_t *ppos)
2659 struct smack_known *skp;
2660 ssize_t rc = -EINVAL;
2666 if (smack_syslog_label == NULL)
2667 skp = &smack_known_star;
2669 skp = smack_syslog_label;
2671 asize = strlen(skp->smk_known) + 1;
2674 rc = simple_read_from_buffer(buf, cn, ppos, skp->smk_known,
2681 * smk_write_syslog - write() for smackfs/syslog
2682 * @file: file pointer, not actually used
2683 * @buf: where to get the data from
2684 * @count: bytes sent
2685 * @ppos: where to start
2687 * Returns number of bytes written or error code, as appropriate
2689 static ssize_t smk_write_syslog(struct file *file, const char __user *buf,
2690 size_t count, loff_t *ppos)
2693 struct smack_known *skp;
2696 if (!smack_privileged(CAP_MAC_ADMIN))
2699 data = kzalloc(count + 1, GFP_KERNEL);
2703 if (copy_from_user(data, buf, count) != 0)
2706 skp = smk_import_entry(data, count);
2710 smack_syslog_label = skp;
2717 static const struct file_operations smk_syslog_ops = {
2718 .read = smk_read_syslog,
2719 .write = smk_write_syslog,
2720 .llseek = default_llseek,
2724 * Seq_file read operations for /smack/relabel-self
2727 static void *relabel_self_seq_start(struct seq_file *s, loff_t *pos)
2729 struct task_smack *tsp = current_security();
2731 return smk_seq_start(s, pos, &tsp->smk_relabel);
2734 static void *relabel_self_seq_next(struct seq_file *s, void *v, loff_t *pos)
2736 struct task_smack *tsp = current_security();
2738 return smk_seq_next(s, v, pos, &tsp->smk_relabel);
2741 static int relabel_self_seq_show(struct seq_file *s, void *v)
2743 struct list_head *list = v;
2744 struct smack_known_list_elem *sklep =
2745 list_entry(list, struct smack_known_list_elem, list);
2747 seq_puts(s, sklep->smk_label->smk_known);
2753 static const struct seq_operations relabel_self_seq_ops = {
2754 .start = relabel_self_seq_start,
2755 .next = relabel_self_seq_next,
2756 .show = relabel_self_seq_show,
2757 .stop = smk_seq_stop,
2761 * smk_open_relabel_self - open() for /smack/relabel-self
2762 * @inode: inode structure representing file
2763 * @file: "relabel-self" file pointer
2765 * Connect our relabel_self_seq_* operations with /smack/relabel-self
2768 static int smk_open_relabel_self(struct inode *inode, struct file *file)
2770 return seq_open(file, &relabel_self_seq_ops);
2774 * smk_write_relabel_self - write() for /smack/relabel-self
2775 * @file: file pointer, not actually used
2776 * @buf: where to get the data from
2777 * @count: bytes sent
2778 * @ppos: where to start - must be 0
2781 static ssize_t smk_write_relabel_self(struct file *file, const char __user *buf,
2782 size_t count, loff_t *ppos)
2784 struct task_smack *tsp = current_security();
2787 LIST_HEAD(list_tmp);
2790 * Must have privilege.
2792 if (!smack_privileged(CAP_MAC_ADMIN))
2796 * Enough data must be present.
2801 data = kzalloc(count + 1, GFP_KERNEL);
2805 if (copy_from_user(data, buf, count) != 0) {
2810 rc = smk_parse_label_list(data, &list_tmp);
2813 if (!rc || (rc == -EINVAL && list_empty(&list_tmp))) {
2814 smk_destroy_label_list(&tsp->smk_relabel);
2815 list_splice(&list_tmp, &tsp->smk_relabel);
2819 smk_destroy_label_list(&list_tmp);
2823 static const struct file_operations smk_relabel_self_ops = {
2824 .open = smk_open_relabel_self,
2826 .llseek = seq_lseek,
2827 .write = smk_write_relabel_self,
2828 .release = seq_release,
2832 * smk_read_ptrace - read() for /smack/ptrace
2833 * @filp: file pointer, not actually used
2834 * @buf: where to put the result
2835 * @count: maximum to send along
2836 * @ppos: where to start
2838 * Returns number of bytes read or error code, as appropriate
2840 static ssize_t smk_read_ptrace(struct file *filp, char __user *buf,
2841 size_t count, loff_t *ppos)
2849 sprintf(temp, "%d\n", smack_ptrace_rule);
2850 rc = simple_read_from_buffer(buf, count, ppos, temp, strlen(temp));
2855 * smk_write_ptrace - write() for /smack/ptrace
2856 * @file: file pointer
2857 * @buf: data from user space
2858 * @count: bytes sent
2859 * @ppos: where to start - must be 0
2861 static ssize_t smk_write_ptrace(struct file *file, const char __user *buf,
2862 size_t count, loff_t *ppos)
2867 if (!smack_privileged(CAP_MAC_ADMIN))
2870 if (*ppos != 0 || count >= sizeof(temp) || count == 0)
2873 if (copy_from_user(temp, buf, count) != 0)
2878 if (sscanf(temp, "%d", &i) != 1)
2880 if (i < SMACK_PTRACE_DEFAULT || i > SMACK_PTRACE_MAX)
2882 smack_ptrace_rule = i;
2887 static const struct file_operations smk_ptrace_ops = {
2888 .write = smk_write_ptrace,
2889 .read = smk_read_ptrace,
2890 .llseek = default_llseek,
2894 * smk_fill_super - fill the smackfs superblock
2895 * @sb: the empty superblock
2899 * Fill in the well known entries for the smack filesystem
2901 * Returns 0 on success, an error code on failure
2903 static int smk_fill_super(struct super_block *sb, void *data, int silent)
2906 struct inode *root_inode;
2908 static struct tree_descr smack_files[] = {
2910 "load", &smk_load_ops, S_IRUGO|S_IWUSR},
2912 "cipso", &smk_cipso_ops, S_IRUGO|S_IWUSR},
2914 "doi", &smk_doi_ops, S_IRUGO|S_IWUSR},
2916 "direct", &smk_direct_ops, S_IRUGO|S_IWUSR},
2918 "ambient", &smk_ambient_ops, S_IRUGO|S_IWUSR},
2920 "netlabel", &smk_net4addr_ops, S_IRUGO|S_IWUSR},
2922 "onlycap", &smk_onlycap_ops, S_IRUGO|S_IWUSR},
2924 "logging", &smk_logging_ops, S_IRUGO|S_IWUSR},
2926 "load-self", &smk_load_self_ops, S_IRUGO|S_IWUGO},
2928 "access", &smk_access_ops, S_IRUGO|S_IWUGO},
2930 "mapped", &smk_mapped_ops, S_IRUGO|S_IWUSR},
2932 "load2", &smk_load2_ops, S_IRUGO|S_IWUSR},
2933 [SMK_LOAD_SELF2] = {
2934 "load-self2", &smk_load_self2_ops, S_IRUGO|S_IWUGO},
2936 "access2", &smk_access2_ops, S_IRUGO|S_IWUGO},
2938 "cipso2", &smk_cipso2_ops, S_IRUGO|S_IWUSR},
2939 [SMK_REVOKE_SUBJ] = {
2940 "revoke-subject", &smk_revoke_subj_ops,
2942 [SMK_CHANGE_RULE] = {
2943 "change-rule", &smk_change_rule_ops, S_IRUGO|S_IWUSR},
2945 "syslog", &smk_syslog_ops, S_IRUGO|S_IWUSR},
2947 "ptrace", &smk_ptrace_ops, S_IRUGO|S_IWUSR},
2948 #ifdef CONFIG_SECURITY_SMACK_BRINGUP
2949 [SMK_UNCONFINED] = {
2950 "unconfined", &smk_unconfined_ops, S_IRUGO|S_IWUSR},
2952 #if IS_ENABLED(CONFIG_IPV6)
2954 "ipv6host", &smk_net6addr_ops, S_IRUGO|S_IWUSR},
2955 #endif /* CONFIG_IPV6 */
2956 [SMK_RELABEL_SELF] = {
2957 "relabel-self", &smk_relabel_self_ops,
2963 rc = simple_fill_super(sb, SMACK_MAGIC, smack_files);
2965 printk(KERN_ERR "%s failed %d while creating inodes\n",
2970 root_inode = d_inode(sb->s_root);
2976 * smk_mount - get the smackfs superblock
2977 * @fs_type: passed along without comment
2978 * @flags: passed along without comment
2979 * @dev_name: passed along without comment
2980 * @data: passed along without comment
2982 * Just passes everything along.
2984 * Returns what the lower level code does.
2986 static struct dentry *smk_mount(struct file_system_type *fs_type,
2987 int flags, const char *dev_name, void *data)
2989 return mount_single(fs_type, flags, data, smk_fill_super);
2992 static struct file_system_type smk_fs_type = {
2995 .kill_sb = kill_litter_super,
2998 static struct vfsmount *smackfs_mount;
3000 static int __init smk_preset_netlabel(struct smack_known *skp)
3002 skp->smk_netlabel.domain = skp->smk_known;
3003 skp->smk_netlabel.flags =
3004 NETLBL_SECATTR_DOMAIN | NETLBL_SECATTR_MLS_LVL;
3005 return smk_netlbl_mls(smack_cipso_direct, skp->smk_known,
3006 &skp->smk_netlabel, strlen(skp->smk_known));
3010 * init_smk_fs - get the smackfs superblock
3012 * register the smackfs
3014 * Do not register smackfs if Smack wasn't enabled
3015 * on boot. We can not put this method normally under the
3016 * smack_init() code path since the security subsystem get
3017 * initialized before the vfs caches.
3019 * Returns true if we were not chosen on boot or if
3020 * we were chosen and filesystem registration succeeded.
3022 static int __init init_smk_fs(void)
3027 if (smack_enabled == 0)
3030 err = smk_init_sysfs();
3032 printk(KERN_ERR "smackfs: sysfs mountpoint problem.\n");
3034 err = register_filesystem(&smk_fs_type);
3036 smackfs_mount = kern_mount(&smk_fs_type);
3037 if (IS_ERR(smackfs_mount)) {
3038 printk(KERN_ERR "smackfs: could not mount!\n");
3039 err = PTR_ERR(smackfs_mount);
3040 smackfs_mount = NULL;
3045 smk_unlbl_ambient(NULL);
3047 rc = smk_preset_netlabel(&smack_known_floor);
3048 if (err == 0 && rc < 0)
3050 rc = smk_preset_netlabel(&smack_known_hat);
3051 if (err == 0 && rc < 0)
3053 rc = smk_preset_netlabel(&smack_known_huh);
3054 if (err == 0 && rc < 0)
3056 rc = smk_preset_netlabel(&smack_known_invalid);
3057 if (err == 0 && rc < 0)
3059 rc = smk_preset_netlabel(&smack_known_star);
3060 if (err == 0 && rc < 0)
3062 rc = smk_preset_netlabel(&smack_known_web);
3063 if (err == 0 && rc < 0)
3069 __initcall(init_smk_fs);
projects / firefly-linux-kernel-4.4.55.git / blob