Smack changes for 5.16

Multiple corrections to smackfs. W=1 fixes Fix for overlayfs. -----BEGIN PGP SIGNATURE----- iQJLBAABCAA1FiEEC+9tH1YyUwIQzUIeOKUVfIxDyBEFAmGALSwXHGNhc2V5QHNj aGF1Zmxlci1jYS5jb20ACgkQOKUVfIxDyBECcRAAuFN3uiptwLHC0P/Yy5VtANF4 kvRV7egXeIp8tYl6zVb+VIa3AgQMTB0BfdpSVMq8YyTtp5olczlM2b00zN4cVZq0 VO7XlTUfoljdsi4IysaA5rZZtjT5entoNl6eiCrMVwpvC4ZrlTqebOJteXDAnEQP zI+smzc5mUFn1FUkGaQ+ciLHv2wyT39Wmk78BDKI/UAl09xV6Kxfci15Q9UPpZ94 CnYMfrjsinUCzQ+gbj9FIe5vXvcGwVoO7jJUNda5kuCSM3N4TTxD/fDkVxWEwOD2 eNjemub5RkxVWSlzRtVQgEFsssRsd6VYEKop34jyojDOGDj+JVQ03ntnFUfWScUz 8BkwyYsE8I+f878f0wAaz+8xrefjnwnRUHFzkF5hd6wLFCvQlCKULL/naRtig7pJ x1V6Q+AC/Qyu0rNrSH5UCDgsvDQ3YzKocWhnvgCqJa8bd/QlfMKu8sxIwetNlctz +TG+GwBLKaVmdiwWoI/CF3PkM4xYo4DtJtDnvlzAiEjGEYosEXilgDBq6IAD8vLa cuSXtWCIpBk5VKkglvAvsIbXxnWa0W45j7PXyf8b7YXRWF511I8zBHjpDx6XP/Ko FywGEaRDeNO3KZJxw9e39FUdyl1MT+s+gN3sERomUTig9RaPhp87pC/kWMWxVj+Y fU/iIgrRTqa2spQgYNg= =lPZg -----END PGP SIGNATURE----- Merge tag 'Smack-for-5.16' of https://github.com/cschaufler/smack-next Pull smack updates from Casey Schaufler: "Multiple corrections to smackfs: - a change for overlayfs support that corrects the initial attributes on created files - code clean-up for netlabel processing - several fixes in smackfs for a variety of reasons - Errors reported by W=1 have been addressed All told, nothing challenging" * tag 'Smack-for-5.16' of https://github.com/cschaufler/smack-next: smackfs: use netlbl_cfg_cipsov4_del() for deleting cipso_v4_doi smackfs: use __GFP_NOFAIL for smk_cipso_doi() Smack: fix W=1 build warnings smack: remove duplicated hook function Smack:- Use overlay inode label in smack_inode_copy_up() smack: Guard smack_ipv6_lock definition within a SMACK_IPV6_PORT_LABELING block smackfs: Fix use-after-free in netlbl_catmap_walk()
2021-11-01 17:34:02 -07:00 · 2021-11-01 17:34:02 -07:00 · 6f2b76a4a3
parent f2786f43c9 0934ad42bb
commit 6f2b76a4a3
3 changed files with 34 additions and 44 deletions
--- a/security/smack/smack_lsm.c
+++ b/security/smack/smack_lsm.c
@ -51,8 +51,10 @@
 #define SMK_RECEIVING	1
 #define SMK_SENDING	2
 #ifdef SMACK_IPV6_PORT_LABELING
 static DEFINE_MUTEX(smack_ipv6_lock);
 static LIST_HEAD(smk_ipv6_port_list);
 #endif
 struct kmem_cache *smack_rule_cache;
 int smack_enabled __initdata;
@ -389,7 +391,7 @@ static int smk_copy_relabel(struct list_head *nhead, struct list_head *ohead,
 /**
 * smk_ptrace_mode - helper function for converting PTRACE_MODE_* into MAY_*
- * @mode - input mode in form of PTRACE_MODE_*
+ * @mode: input mode in form of PTRACE_MODE_*
 *
 * Returns a converted MAY_* mode usable by smack rules
 */
@ -1213,6 +1215,7 @@ static int smack_inode_getattr(const struct path *path)
 /**
 * smack_inode_setxattr - Smack check for setting xattrs
 * @mnt_userns: active user namespace
 * @dentry: the object
 * @name: name of the attribute
 * @value: value of the attribute
@ -1339,6 +1342,7 @@ static int smack_inode_getxattr(struct dentry *dentry, const char *name)
 /**
 * smack_inode_removexattr - Smack check on removexattr
 * @mnt_userns: active user namespace
 * @dentry: the object
 * @name: name of the attribute
 *
@ -1398,6 +1402,7 @@ static int smack_inode_removexattr(struct user_namespace *mnt_userns,
 /**
 * smack_inode_getsecurity - get smack xattrs
 * @mnt_userns: active user namespace
 * @inode: the object
 * @name: attribute name
 * @buffer: where to put the result
@ -1619,13 +1624,14 @@ static int smack_file_fcntl(struct file *file, unsigned int cmd,
 }
 /**
- * smack_mmap_file :
+ * smack_mmap_file - Check permissions for a mmap operation.
- * Check permissions for a mmap operation.  The @file may be NULL, e.g.
+ * @file: contains the file structure for file to map (may be NULL).
- * if mapping anonymous memory.
+ * @reqprot: contains the protection requested by the application.
- * @file contains the file structure for file to map (may be NULL).
+ * @prot: contains the protection that will be applied by the kernel.
- * @reqprot contains the protection requested by the application.
+ * @flags: contains the operational flags.
- * @prot contains the protection that will be applied by the kernel.
+ *
- * @flags contains the operational flags.
+ * The @file may be NULL, e.g. if mapping anonymous memory.
 *
 * Return 0 if permission is granted.
 */
 static int smack_mmap_file(struct file *file,
@ -2603,7 +2609,6 @@ static void smk_ipv6_port_label(struct socket *sock, struct sockaddr *address)
 	mutex_unlock(&smack_ipv6_lock);
 	return;
 }
 #endif
 /**
 * smk_ipv6_port_check - check Smack port access
@ -2666,6 +2671,7 @@ static int smk_ipv6_port_check(struct sock *sk, struct sockaddr_in6 *address,
 	return smk_ipv6_check(skp, object, address, act);
 }
 #endif
 /**
 * smack_inode_setsecurity - set smack xattrs
@ -2852,8 +2858,9 @@ static int smack_socket_connect(struct socket *sock, struct sockaddr *sap,
 			rc = smk_ipv6_check(ssp->smk_out, rsp, sip,
 					    SMK_CONNECTING);
 		}
-		if (__is_defined(SMACK_IPV6_PORT_LABELING))
+#ifdef SMACK_IPV6_PORT_LABELING
 		rc = smk_ipv6_port_check(sock->sk, sip, SMK_CONNECTING);
 #endif
 		return rc;
 	}
@ -3051,7 +3058,7 @@ static int smack_sem_associate(struct kern_ipc_perm *isp, int semflg)
 }
 /**
- * smack_sem_shmctl - Smack access check for sem
+ * smack_sem_semctl - Smack access check for sem
 * @isp: the object
 * @cmd: what it wants to do
 *
@ -3197,7 +3204,7 @@ static int smack_msg_queue_msgsnd(struct kern_ipc_perm *isp, struct msg_msg *msg
 }
 /**
- * smack_msg_queue_msgsnd - Smack access check for msg_queue
+ * smack_msg_queue_msgrcv - Smack access check for msg_queue
 * @isp: the object
 * @msg: unused
 * @target: unused
@ -3206,8 +3213,10 @@ static int smack_msg_queue_msgsnd(struct kern_ipc_perm *isp, struct msg_msg *msg
 *
 * Returns 0 if current has read and write access, error code otherwise
 */
-static int smack_msg_queue_msgrcv(struct kern_ipc_perm *isp, struct msg_msg *msg,
+static int smack_msg_queue_msgrcv(struct kern_ipc_perm *isp,
-			struct task_struct *target, long type, int mode)
+				  struct msg_msg *msg,
 				  struct task_struct *target, long type,
 				  int mode)
 {
 	return smk_curacc_msq(isp, MAY_READWRITE);
 }
@ -4634,7 +4643,7 @@ static int smack_inode_copy_up(struct dentry *dentry, struct cred **new)
 	/*
 	 * Get label from overlay inode and set it in create_sid
 	 */
-	isp = smack_inode(d_inode(dentry->d_parent));
+	isp = smack_inode(d_inode(dentry));
 	skp = isp->smk_inode;
 	tsp->smk_task = skp;
 	*new = new_creds;
--- a/security/smack/smack_netfilter.c
+++ b/security/smack/smack_netfilter.c
@ -18,27 +18,7 @@
 #include <net/net_namespace.h>
 #include "smack.h"
-#if IS_ENABLED(CONFIG_IPV6)
+static unsigned int smack_ip_output(void *priv,
 static unsigned int smack_ipv6_output(void *priv,
 					struct sk_buff *skb,
 					const struct nf_hook_state *state)
 {
 	struct sock *sk = skb_to_full_sk(skb);
 	struct socket_smack *ssp;
 	struct smack_known *skp;
 	if (sk && sk->sk_security) {
 		ssp = sk->sk_security;
 		skp = ssp->smk_out;
 		skb->secmark = skp->smk_secid;
 	}
 	return NF_ACCEPT;
 }
 #endif	/* IPV6 */
 static unsigned int smack_ipv4_output(void *priv,
 					struct sk_buff *skb,
 					const struct nf_hook_state *state)
 {
@ -57,14 +37,14 @@ static unsigned int smack_ipv4_output(void *priv,
 static const struct nf_hook_ops smack_nf_ops[] = {
 	{
-		.hook =		smack_ipv4_output,
+		.hook =		smack_ip_output,
 		.pf =		NFPROTO_IPV4,
 		.hooknum =	NF_INET_LOCAL_OUT,
 		.priority =	NF_IP_PRI_SELINUX_FIRST,
 	},
 #if IS_ENABLED(CONFIG_IPV6)
 	{
-		.hook =		smack_ipv6_output,
+		.hook =		smack_ip_output,
 		.pf =		NFPROTO_IPV6,
 		.hooknum =	NF_INET_LOCAL_OUT,
 		.priority =	NF_IP6_PRI_SELINUX_FIRST,
--- a/security/smack/smackfs.c
+++ b/security/smack/smackfs.c
@ -693,9 +693,7 @@ static void smk_cipso_doi(void)
 		printk(KERN_WARNING "%s:%d remove rc = %d\n",
 		       __func__, __LINE__, rc);
-	doip = kmalloc(sizeof(struct cipso_v4_doi), GFP_KERNEL);
+	doip = kmalloc(sizeof(struct cipso_v4_doi), GFP_KERNEL | __GFP_NOFAIL);
 	if (doip == NULL)
 		panic("smack:  Failed to initialize cipso DOI.\n");
 	doip->map.std = NULL;
 	doip->doi = smk_cipso_doi_value;
 	doip->type = CIPSO_V4_MAP_PASS;
@ -714,7 +712,7 @@ static void smk_cipso_doi(void)
 	if (rc != 0) {
 		printk(KERN_WARNING "%s:%d map add rc = %d\n",
 		       __func__, __LINE__, rc);
-		kfree(doip);
+		netlbl_cfg_cipsov4_del(doip->doi, &nai);
 		return;
 	}
 }
@ -831,6 +829,7 @@ static int smk_open_cipso(struct inode *inode, struct file *file)
 static ssize_t smk_set_cipso(struct file *file, const char __user *buf,
 				size_t count, loff_t *ppos, int format)
 {
 	struct netlbl_lsm_catmap *old_cat;
 	struct smack_known *skp;
 	struct netlbl_lsm_secattr ncats;
 	char mapcatset[SMK_CIPSOLEN];
@ -920,9 +919,11 @@ static ssize_t smk_set_cipso(struct file *file, const char __user *buf,
 	rc = smk_netlbl_mls(maplevel, mapcatset, &ncats, SMK_CIPSOLEN);
 	if (rc >= 0) {
-		netlbl_catmap_free(skp->smk_netlabel.attr.mls.cat);
+		old_cat = skp->smk_netlabel.attr.mls.cat;
 		skp->smk_netlabel.attr.mls.cat = ncats.attr.mls.cat;
 		skp->smk_netlabel.attr.mls.lvl = ncats.attr.mls.lvl;
 		synchronize_rcu();
 		netlbl_catmap_free(old_cat);
 		rc = count;
 		/*
 		 * This mapping may have been cached, so clear the cache.