2 * Copyright (C) 2007 Casey Schaufler <casey@schaufler-ca.com>
4 * This program is free software; you can redistribute it and/or modify
5 * it under the terms of the GNU General Public License as published by
6 * the Free Software Foundation, version 2.
9 * Casey Schaufler <casey@schaufler-ca.com>
10 * Ahmed S. Darwish <darwish.07@gmail.com>
12 * Special thanks to the authors of selinuxfs.
14 * Karl MacMillan <kmacmillan@tresys.com>
15 * James Morris <jmorris@redhat.com>
19 #include <linux/kernel.h>
20 #include <linux/vmalloc.h>
21 #include <linux/security.h>
22 #include <linux/mutex.h>
23 #include <linux/slab.h>
24 #include <net/net_namespace.h>
25 #include <net/cipso_ipv4.h>
26 #include <linux/seq_file.h>
27 #include <linux/ctype.h>
28 #include <linux/audit.h>
32 * smackfs pseudo filesystem.
37 SMK_LOAD = 3, /* load policy */
38 SMK_CIPSO = 4, /* load label -> CIPSO mapping */
39 SMK_DOI = 5, /* CIPSO DOI */
40 SMK_DIRECT = 6, /* CIPSO level indicating direct label */
41 SMK_AMBIENT = 7, /* internet ambient label */
42 SMK_NETLBLADDR = 8, /* single label hosts */
43 SMK_ONLYCAP = 9, /* the only "capable" label */
44 SMK_LOGGING = 10, /* logging */
45 SMK_LOAD_SELF = 11, /* task specific rules */
46 SMK_ACCESSES = 12, /* access policy */
47 SMK_MAPPED = 13, /* CIPSO level indicating mapped label */
48 SMK_LOAD2 = 14, /* load policy with long labels */
49 SMK_LOAD_SELF2 = 15, /* load task specific rules with long labels */
50 SMK_ACCESS2 = 16, /* make an access check with long labels */
51 SMK_CIPSO2 = 17, /* load long label -> CIPSO mapping */
57 static DEFINE_MUTEX(smack_list_lock);
58 static DEFINE_MUTEX(smack_cipso_lock);
59 static DEFINE_MUTEX(smack_ambient_lock);
60 static DEFINE_MUTEX(smk_netlbladdr_lock);
63 * This is the "ambient" label for network traffic.
64 * If it isn't somehow marked, use this.
65 * It can be reset via smackfs/ambient
67 char *smack_net_ambient;
70 * This is the level in a CIPSO header that indicates a
71 * smack label is contained directly in the category set.
72 * It can be reset via smackfs/direct
74 int smack_cipso_direct = SMACK_CIPSO_DIRECT_DEFAULT;
77 * This is the level in a CIPSO header that indicates a
78 * secid is contained directly in the category set.
79 * It can be reset via smackfs/mapped
81 int smack_cipso_mapped = SMACK_CIPSO_MAPPED_DEFAULT;
84 * Unless a process is running with this label even
85 * having CAP_MAC_OVERRIDE isn't enough to grant
86 * privilege to violate MAC policy. If no label is
87 * designated (the NULL case) capabilities apply to
88 * everyone. It is expected that the hat (^) label
89 * will be used if any label is used.
94 * Certain IP addresses may be designated as single label hosts.
95 * Packets are sent there unlabeled, but only from tasks that
96 * can write to the specified label.
99 LIST_HEAD(smk_netlbladdr_list);
102 * Rule lists are maintained for each label.
103 * This master list is just for reading /smack/load and /smack/load2.
105 struct smack_master_list {
106 struct list_head list;
107 struct smack_rule *smk_rule;
110 LIST_HEAD(smack_rule_list);
112 static int smk_cipso_doi_value = SMACK_CIPSO_DOI_DEFAULT;
114 const char *smack_cipso_option = SMACK_CIPSO_OPTION;
117 * Values for parsing cipso rules
118 * SMK_DIGITLEN: Length of a digit field in a rule.
119 * SMK_CIPSOMIN: Minimum possible cipso rule length.
120 * SMK_CIPSOMAX: Maximum possible cipso rule length.
122 #define SMK_DIGITLEN 4
123 #define SMK_CIPSOMIN (SMK_LABELLEN + 2 * SMK_DIGITLEN)
124 #define SMK_CIPSOMAX (SMK_CIPSOMIN + SMACK_CIPSO_MAXCATNUM * SMK_DIGITLEN)
127 * Values for parsing MAC rules
128 * SMK_ACCESS: Maximum possible combination of access permissions
129 * SMK_ACCESSLEN: Maximum length for a rule access field
130 * SMK_LOADLEN: Smack rule length
132 #define SMK_OACCESS "rwxa"
133 #define SMK_ACCESS "rwxat"
134 #define SMK_OACCESSLEN (sizeof(SMK_OACCESS) - 1)
135 #define SMK_ACCESSLEN (sizeof(SMK_ACCESS) - 1)
136 #define SMK_OLOADLEN (SMK_LABELLEN + SMK_LABELLEN + SMK_OACCESSLEN)
137 #define SMK_LOADLEN (SMK_LABELLEN + SMK_LABELLEN + SMK_ACCESSLEN)
140 * Stricly for CIPSO level manipulation.
141 * Set the category bit number in a smack label sized buffer.
143 static inline void smack_catset_bit(unsigned int cat, char *catsetp)
145 if (cat == 0 || cat > (SMK_CIPSOLEN * 8))
148 catsetp[(cat - 1) / 8] |= 0x80 >> ((cat - 1) % 8);
152 * smk_netlabel_audit_set - fill a netlbl_audit struct
153 * @nap: structure to fill
155 static void smk_netlabel_audit_set(struct netlbl_audit *nap)
157 nap->loginuid = audit_get_loginuid(current);
158 nap->sessionid = audit_get_sessionid(current);
159 nap->secid = smack_to_secid(smk_of_current());
163 * Value for parsing single label host rules
166 #define SMK_NETLBLADDRMIN 9
169 * smk_set_access - add a rule to the rule list
170 * @srp: the new rule to add
171 * @rule_list: the list of rules
172 * @rule_lock: the rule list lock
174 * Looks through the current subject/object/access list for
175 * the subject/object pair and replaces the access that was
176 * there. If the pair isn't found add it with the specified
179 * Returns 1 if a rule was found to exist already, 0 if it is new
180 * Returns 0 if nothing goes wrong or -ENOMEM if it fails
181 * during the allocation of the new pair to add.
183 static int smk_set_access(struct smack_rule *srp, struct list_head *rule_list,
184 struct mutex *rule_lock)
186 struct smack_rule *sp;
189 mutex_lock(rule_lock);
192 * Because the object label is less likely to match
193 * than the subject label check it first
195 list_for_each_entry_rcu(sp, rule_list, list) {
196 if (sp->smk_object == srp->smk_object &&
197 sp->smk_subject == srp->smk_subject) {
199 sp->smk_access = srp->smk_access;
204 list_add_rcu(&srp->list, rule_list);
206 mutex_unlock(rule_lock);
212 * smk_fill_rule - Fill Smack rule from strings
213 * @subject: subject label string
214 * @object: object label string
215 * @access: access string
217 * @import: if non-zero, import labels
218 * @len: label length limit
220 * Returns 0 on success, -1 on failure
222 static int smk_fill_rule(const char *subject, const char *object,
223 const char *access, struct smack_rule *rule,
227 struct smack_known *skp;
230 rule->smk_subject = smk_import(subject, len);
231 if (rule->smk_subject == NULL)
234 rule->smk_object = smk_import(object, len);
235 if (rule->smk_object == NULL)
238 cp = smk_parse_smack(subject, len);
241 skp = smk_find_entry(cp);
245 rule->smk_subject = skp->smk_known;
247 cp = smk_parse_smack(object, len);
250 skp = smk_find_entry(cp);
254 rule->smk_object = skp->smk_known;
257 rule->smk_access = 0;
259 for (cp = access; *cp != '\0'; cp++) {
265 rule->smk_access |= MAY_READ;
269 rule->smk_access |= MAY_WRITE;
273 rule->smk_access |= MAY_EXEC;
277 rule->smk_access |= MAY_APPEND;
281 rule->smk_access |= MAY_TRANSMUTE;
292 * smk_parse_rule - parse Smack rule from load string
293 * @data: string to be parsed whose size is SMK_LOADLEN
295 * @import: if non-zero, import labels
297 * Returns 0 on success, -1 on errors.
299 static int smk_parse_rule(const char *data, struct smack_rule *rule, int import)
303 rc = smk_fill_rule(data, data + SMK_LABELLEN,
304 data + SMK_LABELLEN + SMK_LABELLEN, rule, import,
310 * smk_parse_long_rule - parse Smack rule from rule string
311 * @data: string to be parsed, null terminated
313 * @import: if non-zero, import labels
315 * Returns 0 on success, -1 on failure
317 static int smk_parse_long_rule(const char *data, struct smack_rule *rule,
327 * This is probably inefficient, but safe.
329 datalen = strlen(data);
330 subject = kzalloc(datalen, GFP_KERNEL);
333 object = kzalloc(datalen, GFP_KERNEL);
336 access = kzalloc(datalen, GFP_KERNEL);
340 if (sscanf(data, "%s %s %s", subject, object, access) == 3)
341 rc = smk_fill_rule(subject, object, access, rule, import, 0);
351 #define SMK_FIXED24_FMT 0 /* Fixed 24byte label format */
352 #define SMK_LONG_FMT 1 /* Variable long label format */
354 * smk_write_rules_list - write() for any /smack rule file
355 * @file: file pointer, not actually used
356 * @buf: where to get the data from
358 * @ppos: where to start - must be 0
359 * @rule_list: the list of rules to write to
360 * @rule_lock: lock for the rule list
361 * @format: /smack/load or /smack/load2 format.
363 * Get one smack access rule from above.
364 * The format for SMK_LONG_FMT is:
365 * "subject<whitespace>object<whitespace>access[<whitespace>...]"
366 * The format for SMK_FIXED24_FMT is exactly:
367 * "subject object rwxat"
369 static ssize_t smk_write_rules_list(struct file *file, const char __user *buf,
370 size_t count, loff_t *ppos,
371 struct list_head *rule_list,
372 struct mutex *rule_lock, int format)
374 struct smack_master_list *smlp;
375 struct smack_known *skp;
376 struct smack_rule *rule;
384 * Enough data must be present.
389 if (format == SMK_FIXED24_FMT) {
391 * Minor hack for backward compatibility
393 if (count != SMK_OLOADLEN && count != SMK_LOADLEN)
395 datalen = SMK_LOADLEN;
399 data = kzalloc(datalen, GFP_KERNEL);
403 if (copy_from_user(data, buf, count) != 0) {
408 rule = kzalloc(sizeof(*rule), GFP_KERNEL);
414 if (format == SMK_LONG_FMT) {
416 * Be sure the data string is terminated.
419 if (smk_parse_long_rule(data, rule, 1))
423 * More on the minor hack for backward compatibility
425 if (count == (SMK_OLOADLEN))
426 data[SMK_OLOADLEN] = '-';
427 if (smk_parse_rule(data, rule, 1))
432 if (rule_list == NULL) {
434 skp = smk_find_entry(rule->smk_subject);
435 rule_list = &skp->smk_rules;
436 rule_lock = &skp->smk_rules_lock;
441 * If this is a global as opposed to self and a new rule
442 * it needs to get added for reporting.
443 * smk_set_access returns true if there was already a rule
444 * for the subject/object pair, and false if it was new.
446 if (!smk_set_access(rule, rule_list, rule_lock)) {
448 smlp = kzalloc(sizeof(*smlp), GFP_KERNEL);
450 smlp->smk_rule = rule;
451 list_add_rcu(&smlp->list, &smack_rule_list);
466 * Core logic for smackfs seq list operations.
469 static void *smk_seq_start(struct seq_file *s, loff_t *pos,
470 struct list_head *head)
472 struct list_head *list;
475 * This is 0 the first time through.
480 if (s->private == NULL)
484 if (list_empty(list))
492 static void *smk_seq_next(struct seq_file *s, void *v, loff_t *pos,
493 struct list_head *head)
495 struct list_head *list = v;
497 if (list_is_last(list, head)) {
501 s->private = list->next;
505 static void smk_seq_stop(struct seq_file *s, void *v)
510 static void smk_rule_show(struct seq_file *s, struct smack_rule *srp, int max)
513 * Don't show any rules with label names too long for
514 * interface file (/smack/load or /smack/load2)
515 * because you should expect to be able to write
516 * anything you read back.
518 if (strlen(srp->smk_subject) >= max || strlen(srp->smk_object) >= max)
521 if (srp->smk_access == 0)
524 seq_printf(s, "%s %s", srp->smk_subject, srp->smk_object);
528 if (srp->smk_access & MAY_READ)
530 if (srp->smk_access & MAY_WRITE)
532 if (srp->smk_access & MAY_EXEC)
534 if (srp->smk_access & MAY_APPEND)
536 if (srp->smk_access & MAY_TRANSMUTE)
543 * Seq_file read operations for /smack/load
546 static void *load2_seq_start(struct seq_file *s, loff_t *pos)
548 return smk_seq_start(s, pos, &smack_rule_list);
551 static void *load2_seq_next(struct seq_file *s, void *v, loff_t *pos)
553 return smk_seq_next(s, v, pos, &smack_rule_list);
556 static int load_seq_show(struct seq_file *s, void *v)
558 struct list_head *list = v;
559 struct smack_master_list *smlp =
560 list_entry(list, struct smack_master_list, list);
562 smk_rule_show(s, smlp->smk_rule, SMK_LABELLEN);
567 static const struct seq_operations load_seq_ops = {
568 .start = load2_seq_start,
569 .next = load2_seq_next,
570 .show = load_seq_show,
571 .stop = smk_seq_stop,
575 * smk_open_load - open() for /smack/load
576 * @inode: inode structure representing file
577 * @file: "load" file pointer
579 * For reading, use load_seq_* seq_file reading operations.
581 static int smk_open_load(struct inode *inode, struct file *file)
583 return seq_open(file, &load_seq_ops);
587 * smk_write_load - write() for /smack/load
588 * @file: file pointer, not actually used
589 * @buf: where to get the data from
591 * @ppos: where to start - must be 0
594 static ssize_t smk_write_load(struct file *file, const char __user *buf,
595 size_t count, loff_t *ppos)
598 * Must have privilege.
600 * Enough data must be present.
602 if (!smack_privileged(CAP_MAC_ADMIN))
605 return smk_write_rules_list(file, buf, count, ppos, NULL, NULL,
609 static const struct file_operations smk_load_ops = {
610 .open = smk_open_load,
613 .write = smk_write_load,
614 .release = seq_release,
618 * smk_cipso_doi - initialize the CIPSO domain
620 static void smk_cipso_doi(void)
623 struct cipso_v4_doi *doip;
624 struct netlbl_audit nai;
626 smk_netlabel_audit_set(&nai);
628 rc = netlbl_cfg_map_del(NULL, PF_INET, NULL, NULL, &nai);
630 printk(KERN_WARNING "%s:%d remove rc = %d\n",
631 __func__, __LINE__, rc);
633 doip = kmalloc(sizeof(struct cipso_v4_doi), GFP_KERNEL);
635 panic("smack: Failed to initialize cipso DOI.\n");
636 doip->map.std = NULL;
637 doip->doi = smk_cipso_doi_value;
638 doip->type = CIPSO_V4_MAP_PASS;
639 doip->tags[0] = CIPSO_V4_TAG_RBITMAP;
640 for (rc = 1; rc < CIPSO_V4_TAG_MAXCNT; rc++)
641 doip->tags[rc] = CIPSO_V4_TAG_INVALID;
643 rc = netlbl_cfg_cipsov4_add(doip, &nai);
645 printk(KERN_WARNING "%s:%d cipso add rc = %d\n",
646 __func__, __LINE__, rc);
650 rc = netlbl_cfg_cipsov4_map_add(doip->doi, NULL, NULL, NULL, &nai);
652 printk(KERN_WARNING "%s:%d map add rc = %d\n",
653 __func__, __LINE__, rc);
660 * smk_unlbl_ambient - initialize the unlabeled domain
661 * @oldambient: previous domain string
663 static void smk_unlbl_ambient(char *oldambient)
666 struct netlbl_audit nai;
668 smk_netlabel_audit_set(&nai);
670 if (oldambient != NULL) {
671 rc = netlbl_cfg_map_del(oldambient, PF_INET, NULL, NULL, &nai);
673 printk(KERN_WARNING "%s:%d remove rc = %d\n",
674 __func__, __LINE__, rc);
676 if (smack_net_ambient == NULL)
677 smack_net_ambient = smack_known_floor.smk_known;
679 rc = netlbl_cfg_unlbl_map_add(smack_net_ambient, PF_INET,
682 printk(KERN_WARNING "%s:%d add rc = %d\n",
683 __func__, __LINE__, rc);
687 * Seq_file read operations for /smack/cipso
690 static void *cipso_seq_start(struct seq_file *s, loff_t *pos)
692 return smk_seq_start(s, pos, &smack_known_list);
695 static void *cipso_seq_next(struct seq_file *s, void *v, loff_t *pos)
697 return smk_seq_next(s, v, pos, &smack_known_list);
701 * Print cipso labels in format:
702 * label level[/cat[,cat]]
704 static int cipso_seq_show(struct seq_file *s, void *v)
706 struct list_head *list = v;
707 struct smack_known *skp =
708 list_entry(list, struct smack_known, list);
709 struct netlbl_lsm_secattr_catmap *cmp = skp->smk_netlabel.attr.mls.cat;
714 * Don't show a label that could not have been set using
715 * /smack/cipso. This is in support of the notion that
716 * anything read from /smack/cipso ought to be writeable
719 * /smack/cipso2 should be used instead.
721 if (strlen(skp->smk_known) >= SMK_LABELLEN)
724 seq_printf(s, "%s %3d", skp->smk_known, skp->smk_netlabel.attr.mls.lvl);
726 for (i = netlbl_secattr_catmap_walk(cmp, 0); i >= 0;
727 i = netlbl_secattr_catmap_walk(cmp, i + 1)) {
728 seq_printf(s, "%c%d", sep, i);
737 static const struct seq_operations cipso_seq_ops = {
738 .start = cipso_seq_start,
739 .next = cipso_seq_next,
740 .show = cipso_seq_show,
741 .stop = smk_seq_stop,
745 * smk_open_cipso - open() for /smack/cipso
746 * @inode: inode structure representing file
747 * @file: "cipso" file pointer
749 * Connect our cipso_seq_* operations with /smack/cipso
752 static int smk_open_cipso(struct inode *inode, struct file *file)
754 return seq_open(file, &cipso_seq_ops);
758 * smk_set_cipso - do the work for write() for cipso and cipso2
759 * @file: file pointer, not actually used
760 * @buf: where to get the data from
762 * @ppos: where to start
763 * @format: /smack/cipso or /smack/cipso2
765 * Accepts only one cipso rule per write call.
766 * Returns number of bytes written or error code, as appropriate
768 static ssize_t smk_set_cipso(struct file *file, const char __user *buf,
769 size_t count, loff_t *ppos, int format)
771 struct smack_known *skp;
772 struct netlbl_lsm_secattr ncats;
773 char mapcatset[SMK_CIPSOLEN];
777 ssize_t rc = -EINVAL;
784 * Must have privilege.
786 * Enough data must be present.
788 if (!smack_privileged(CAP_MAC_ADMIN))
792 if (format == SMK_FIXED24_FMT &&
793 (count < SMK_CIPSOMIN || count > SMK_CIPSOMAX))
796 data = kzalloc(count + 1, GFP_KERNEL);
800 if (copy_from_user(data, buf, count) != 0) {
808 * Only allow one writer at a time. Writes should be
809 * quite rare and small in any case.
811 mutex_lock(&smack_cipso_lock);
813 skp = smk_import_entry(rule, 0);
817 if (format == SMK_FIXED24_FMT)
818 rule += SMK_LABELLEN;
820 rule += strlen(skp->smk_known);
822 ret = sscanf(rule, "%d", &maplevel);
823 if (ret != 1 || maplevel > SMACK_CIPSO_MAXLEVEL)
826 rule += SMK_DIGITLEN;
827 ret = sscanf(rule, "%d", &catlen);
828 if (ret != 1 || catlen > SMACK_CIPSO_MAXCATNUM)
831 if (format == SMK_FIXED24_FMT &&
832 count != (SMK_CIPSOMIN + catlen * SMK_DIGITLEN))
835 memset(mapcatset, 0, sizeof(mapcatset));
837 for (i = 0; i < catlen; i++) {
838 rule += SMK_DIGITLEN;
839 ret = sscanf(rule, "%u", &cat);
840 if (ret != 1 || cat > SMACK_CIPSO_MAXCATVAL)
843 smack_catset_bit(cat, mapcatset);
846 rc = smk_netlbl_mls(maplevel, mapcatset, &ncats, SMK_CIPSOLEN);
848 netlbl_secattr_catmap_free(skp->smk_netlabel.attr.mls.cat);
849 skp->smk_netlabel.attr.mls.cat = ncats.attr.mls.cat;
850 skp->smk_netlabel.attr.mls.lvl = ncats.attr.mls.lvl;
855 mutex_unlock(&smack_cipso_lock);
862 * smk_write_cipso - write() for /smack/cipso
863 * @file: file pointer, not actually used
864 * @buf: where to get the data from
866 * @ppos: where to start
868 * Accepts only one cipso rule per write call.
869 * Returns number of bytes written or error code, as appropriate
871 static ssize_t smk_write_cipso(struct file *file, const char __user *buf,
872 size_t count, loff_t *ppos)
874 return smk_set_cipso(file, buf, count, ppos, SMK_FIXED24_FMT);
877 static const struct file_operations smk_cipso_ops = {
878 .open = smk_open_cipso,
881 .write = smk_write_cipso,
882 .release = seq_release,
886 * Seq_file read operations for /smack/cipso2
890 * Print cipso labels in format:
891 * label level[/cat[,cat]]
893 static int cipso2_seq_show(struct seq_file *s, void *v)
895 struct list_head *list = v;
896 struct smack_known *skp =
897 list_entry(list, struct smack_known, list);
898 struct netlbl_lsm_secattr_catmap *cmp = skp->smk_netlabel.attr.mls.cat;
902 seq_printf(s, "%s %3d", skp->smk_known, skp->smk_netlabel.attr.mls.lvl);
904 for (i = netlbl_secattr_catmap_walk(cmp, 0); i >= 0;
905 i = netlbl_secattr_catmap_walk(cmp, i + 1)) {
906 seq_printf(s, "%c%d", sep, i);
915 static const struct seq_operations cipso2_seq_ops = {
916 .start = cipso_seq_start,
917 .next = cipso_seq_next,
918 .show = cipso2_seq_show,
919 .stop = smk_seq_stop,
923 * smk_open_cipso2 - open() for /smack/cipso2
924 * @inode: inode structure representing file
925 * @file: "cipso2" file pointer
927 * Connect our cipso_seq_* operations with /smack/cipso2
930 static int smk_open_cipso2(struct inode *inode, struct file *file)
932 return seq_open(file, &cipso2_seq_ops);
936 * smk_write_cipso2 - write() for /smack/cipso2
937 * @file: file pointer, not actually used
938 * @buf: where to get the data from
940 * @ppos: where to start
942 * Accepts only one cipso rule per write call.
943 * Returns number of bytes written or error code, as appropriate
945 static ssize_t smk_write_cipso2(struct file *file, const char __user *buf,
946 size_t count, loff_t *ppos)
948 return smk_set_cipso(file, buf, count, ppos, SMK_LONG_FMT);
951 static const struct file_operations smk_cipso2_ops = {
952 .open = smk_open_cipso2,
955 .write = smk_write_cipso2,
956 .release = seq_release,
960 * Seq_file read operations for /smack/netlabel
963 static void *netlbladdr_seq_start(struct seq_file *s, loff_t *pos)
965 return smk_seq_start(s, pos, &smk_netlbladdr_list);
968 static void *netlbladdr_seq_next(struct seq_file *s, void *v, loff_t *pos)
970 return smk_seq_next(s, v, pos, &smk_netlbladdr_list);
972 #define BEBITS (sizeof(__be32) * 8)
975 * Print host/label pairs
977 static int netlbladdr_seq_show(struct seq_file *s, void *v)
979 struct list_head *list = v;
980 struct smk_netlbladdr *skp =
981 list_entry(list, struct smk_netlbladdr, list);
982 unsigned char *hp = (char *) &skp->smk_host.sin_addr.s_addr;
984 u32 temp_mask = be32_to_cpu(skp->smk_mask.s_addr);
986 for (maskn = 0; temp_mask; temp_mask <<= 1, maskn++);
988 seq_printf(s, "%u.%u.%u.%u/%d %s\n",
989 hp[0], hp[1], hp[2], hp[3], maskn, skp->smk_label);
994 static const struct seq_operations netlbladdr_seq_ops = {
995 .start = netlbladdr_seq_start,
996 .next = netlbladdr_seq_next,
997 .show = netlbladdr_seq_show,
998 .stop = smk_seq_stop,
1002 * smk_open_netlbladdr - open() for /smack/netlabel
1003 * @inode: inode structure representing file
1004 * @file: "netlabel" file pointer
1006 * Connect our netlbladdr_seq_* operations with /smack/netlabel
1009 static int smk_open_netlbladdr(struct inode *inode, struct file *file)
1011 return seq_open(file, &netlbladdr_seq_ops);
1015 * smk_netlbladdr_insert
1016 * @new : netlabel to insert
1018 * This helper insert netlabel in the smack_netlbladdrs list
1019 * sorted by netmask length (longest to smallest)
1020 * locked by &smk_netlbladdr_lock in smk_write_netlbladdr
1023 static void smk_netlbladdr_insert(struct smk_netlbladdr *new)
1025 struct smk_netlbladdr *m, *m_next;
1027 if (list_empty(&smk_netlbladdr_list)) {
1028 list_add_rcu(&new->list, &smk_netlbladdr_list);
1032 m = list_entry_rcu(smk_netlbladdr_list.next,
1033 struct smk_netlbladdr, list);
1035 /* the comparison '>' is a bit hacky, but works */
1036 if (new->smk_mask.s_addr > m->smk_mask.s_addr) {
1037 list_add_rcu(&new->list, &smk_netlbladdr_list);
1041 list_for_each_entry_rcu(m, &smk_netlbladdr_list, list) {
1042 if (list_is_last(&m->list, &smk_netlbladdr_list)) {
1043 list_add_rcu(&new->list, &m->list);
1046 m_next = list_entry_rcu(m->list.next,
1047 struct smk_netlbladdr, list);
1048 if (new->smk_mask.s_addr > m_next->smk_mask.s_addr) {
1049 list_add_rcu(&new->list, &m->list);
1057 * smk_write_netlbladdr - write() for /smack/netlabel
1058 * @file: file pointer, not actually used
1059 * @buf: where to get the data from
1060 * @count: bytes sent
1061 * @ppos: where to start
1063 * Accepts only one netlbladdr per write call.
1064 * Returns number of bytes written or error code, as appropriate
1066 static ssize_t smk_write_netlbladdr(struct file *file, const char __user *buf,
1067 size_t count, loff_t *ppos)
1069 struct smk_netlbladdr *skp;
1070 struct sockaddr_in newname;
1074 char *host = (char *)&newname.sin_addr.s_addr;
1076 struct netlbl_audit audit_info;
1077 struct in_addr mask;
1080 u32 mask_bits = (1<<31);
1085 * Must have privilege.
1086 * No partial writes.
1087 * Enough data must be present.
1088 * "<addr/mask, as a.b.c.d/e><space><label>"
1089 * "<addr, as a.b.c.d><space><label>"
1091 if (!smack_privileged(CAP_MAC_ADMIN))
1095 if (count < SMK_NETLBLADDRMIN)
1098 data = kzalloc(count + 1, GFP_KERNEL);
1102 if (copy_from_user(data, buf, count) != 0) {
1107 smack = kzalloc(count + 1, GFP_KERNEL);
1108 if (smack == NULL) {
1115 rc = sscanf(data, "%hhd.%hhd.%hhd.%hhd/%d %s",
1116 &host[0], &host[1], &host[2], &host[3], &m, smack);
1118 rc = sscanf(data, "%hhd.%hhd.%hhd.%hhd %s",
1119 &host[0], &host[1], &host[2], &host[3], smack);
1132 * If smack begins with '-', it is an option, don't import it
1134 if (smack[0] != '-') {
1135 sp = smk_import(smack, 0);
1141 /* check known options */
1142 if (strcmp(smack, smack_cipso_option) == 0)
1143 sp = (char *)smack_cipso_option;
1150 for (temp_mask = 0; m > 0; m--) {
1151 temp_mask |= mask_bits;
1154 mask.s_addr = cpu_to_be32(temp_mask);
1156 newname.sin_addr.s_addr &= mask.s_addr;
1158 * Only allow one writer at a time. Writes should be
1159 * quite rare and small in any case.
1161 mutex_lock(&smk_netlbladdr_lock);
1163 nsa = newname.sin_addr.s_addr;
1164 /* try to find if the prefix is already in the list */
1166 list_for_each_entry_rcu(skp, &smk_netlbladdr_list, list) {
1167 if (skp->smk_host.sin_addr.s_addr == nsa &&
1168 skp->smk_mask.s_addr == mask.s_addr) {
1173 smk_netlabel_audit_set(&audit_info);
1176 skp = kzalloc(sizeof(*skp), GFP_KERNEL);
1181 skp->smk_host.sin_addr.s_addr = newname.sin_addr.s_addr;
1182 skp->smk_mask.s_addr = mask.s_addr;
1183 skp->smk_label = sp;
1184 smk_netlbladdr_insert(skp);
1187 /* we delete the unlabeled entry, only if the previous label
1188 * wasn't the special CIPSO option */
1189 if (skp->smk_label != smack_cipso_option)
1190 rc = netlbl_cfg_unlbl_static_del(&init_net, NULL,
1191 &skp->smk_host.sin_addr, &skp->smk_mask,
1192 PF_INET, &audit_info);
1195 skp->smk_label = sp;
1199 * Now tell netlabel about the single label nature of
1200 * this host so that incoming packets get labeled.
1201 * but only if we didn't get the special CIPSO option
1203 if (rc == 0 && sp != smack_cipso_option)
1204 rc = netlbl_cfg_unlbl_static_add(&init_net, NULL,
1205 &skp->smk_host.sin_addr, &skp->smk_mask, PF_INET,
1206 smack_to_secid(skp->smk_label), &audit_info);
1211 mutex_unlock(&smk_netlbladdr_lock);
1221 static const struct file_operations smk_netlbladdr_ops = {
1222 .open = smk_open_netlbladdr,
1224 .llseek = seq_lseek,
1225 .write = smk_write_netlbladdr,
1226 .release = seq_release,
1230 * smk_read_doi - read() for /smack/doi
1231 * @filp: file pointer, not actually used
1232 * @buf: where to put the result
1233 * @count: maximum to send along
1234 * @ppos: where to start
1236 * Returns number of bytes read or error code, as appropriate
1238 static ssize_t smk_read_doi(struct file *filp, char __user *buf,
1239 size_t count, loff_t *ppos)
1247 sprintf(temp, "%d", smk_cipso_doi_value);
1248 rc = simple_read_from_buffer(buf, count, ppos, temp, strlen(temp));
1254 * smk_write_doi - write() for /smack/doi
1255 * @file: file pointer, not actually used
1256 * @buf: where to get the data from
1257 * @count: bytes sent
1258 * @ppos: where to start
1260 * Returns number of bytes written or error code, as appropriate
1262 static ssize_t smk_write_doi(struct file *file, const char __user *buf,
1263 size_t count, loff_t *ppos)
1268 if (!smack_privileged(CAP_MAC_ADMIN))
1271 if (count >= sizeof(temp) || count == 0)
1274 if (copy_from_user(temp, buf, count) != 0)
1279 if (sscanf(temp, "%d", &i) != 1)
1282 smk_cipso_doi_value = i;
1289 static const struct file_operations smk_doi_ops = {
1290 .read = smk_read_doi,
1291 .write = smk_write_doi,
1292 .llseek = default_llseek,
1296 * smk_read_direct - read() for /smack/direct
1297 * @filp: file pointer, not actually used
1298 * @buf: where to put the result
1299 * @count: maximum to send along
1300 * @ppos: where to start
1302 * Returns number of bytes read or error code, as appropriate
1304 static ssize_t smk_read_direct(struct file *filp, char __user *buf,
1305 size_t count, loff_t *ppos)
1313 sprintf(temp, "%d", smack_cipso_direct);
1314 rc = simple_read_from_buffer(buf, count, ppos, temp, strlen(temp));
1320 * smk_write_direct - write() for /smack/direct
1321 * @file: file pointer, not actually used
1322 * @buf: where to get the data from
1323 * @count: bytes sent
1324 * @ppos: where to start
1326 * Returns number of bytes written or error code, as appropriate
1328 static ssize_t smk_write_direct(struct file *file, const char __user *buf,
1329 size_t count, loff_t *ppos)
1331 struct smack_known *skp;
1335 if (!smack_privileged(CAP_MAC_ADMIN))
1338 if (count >= sizeof(temp) || count == 0)
1341 if (copy_from_user(temp, buf, count) != 0)
1346 if (sscanf(temp, "%d", &i) != 1)
1350 * Don't do anything if the value hasn't actually changed.
1351 * If it is changing reset the level on entries that were
1352 * set up to be direct when they were created.
1354 if (smack_cipso_direct != i) {
1355 mutex_lock(&smack_known_lock);
1356 list_for_each_entry_rcu(skp, &smack_known_list, list)
1357 if (skp->smk_netlabel.attr.mls.lvl ==
1359 skp->smk_netlabel.attr.mls.lvl = i;
1360 smack_cipso_direct = i;
1361 mutex_unlock(&smack_known_lock);
1367 static const struct file_operations smk_direct_ops = {
1368 .read = smk_read_direct,
1369 .write = smk_write_direct,
1370 .llseek = default_llseek,
1374 * smk_read_mapped - read() for /smack/mapped
1375 * @filp: file pointer, not actually used
1376 * @buf: where to put the result
1377 * @count: maximum to send along
1378 * @ppos: where to start
1380 * Returns number of bytes read or error code, as appropriate
1382 static ssize_t smk_read_mapped(struct file *filp, char __user *buf,
1383 size_t count, loff_t *ppos)
1391 sprintf(temp, "%d", smack_cipso_mapped);
1392 rc = simple_read_from_buffer(buf, count, ppos, temp, strlen(temp));
1398 * smk_write_mapped - write() for /smack/mapped
1399 * @file: file pointer, not actually used
1400 * @buf: where to get the data from
1401 * @count: bytes sent
1402 * @ppos: where to start
1404 * Returns number of bytes written or error code, as appropriate
1406 static ssize_t smk_write_mapped(struct file *file, const char __user *buf,
1407 size_t count, loff_t *ppos)
1409 struct smack_known *skp;
1413 if (!smack_privileged(CAP_MAC_ADMIN))
1416 if (count >= sizeof(temp) || count == 0)
1419 if (copy_from_user(temp, buf, count) != 0)
1424 if (sscanf(temp, "%d", &i) != 1)
1428 * Don't do anything if the value hasn't actually changed.
1429 * If it is changing reset the level on entries that were
1430 * set up to be mapped when they were created.
1432 if (smack_cipso_mapped != i) {
1433 mutex_lock(&smack_known_lock);
1434 list_for_each_entry_rcu(skp, &smack_known_list, list)
1435 if (skp->smk_netlabel.attr.mls.lvl ==
1437 skp->smk_netlabel.attr.mls.lvl = i;
1438 smack_cipso_mapped = i;
1439 mutex_unlock(&smack_known_lock);
1445 static const struct file_operations smk_mapped_ops = {
1446 .read = smk_read_mapped,
1447 .write = smk_write_mapped,
1448 .llseek = default_llseek,
1452 * smk_read_ambient - read() for /smack/ambient
1453 * @filp: file pointer, not actually used
1454 * @buf: where to put the result
1455 * @cn: maximum to send along
1456 * @ppos: where to start
1458 * Returns number of bytes read or error code, as appropriate
1460 static ssize_t smk_read_ambient(struct file *filp, char __user *buf,
1461 size_t cn, loff_t *ppos)
1469 * Being careful to avoid a problem in the case where
1470 * smack_net_ambient gets changed in midstream.
1472 mutex_lock(&smack_ambient_lock);
1474 asize = strlen(smack_net_ambient) + 1;
1477 rc = simple_read_from_buffer(buf, cn, ppos,
1478 smack_net_ambient, asize);
1482 mutex_unlock(&smack_ambient_lock);
1488 * smk_write_ambient - write() for /smack/ambient
1489 * @file: file pointer, not actually used
1490 * @buf: where to get the data from
1491 * @count: bytes sent
1492 * @ppos: where to start
1494 * Returns number of bytes written or error code, as appropriate
1496 static ssize_t smk_write_ambient(struct file *file, const char __user *buf,
1497 size_t count, loff_t *ppos)
1504 if (!smack_privileged(CAP_MAC_ADMIN))
1507 data = kzalloc(count + 1, GFP_KERNEL);
1511 if (copy_from_user(data, buf, count) != 0) {
1516 smack = smk_import(data, count);
1517 if (smack == NULL) {
1522 mutex_lock(&smack_ambient_lock);
1524 oldambient = smack_net_ambient;
1525 smack_net_ambient = smack;
1526 smk_unlbl_ambient(oldambient);
1528 mutex_unlock(&smack_ambient_lock);
1535 static const struct file_operations smk_ambient_ops = {
1536 .read = smk_read_ambient,
1537 .write = smk_write_ambient,
1538 .llseek = default_llseek,
1542 * smk_read_onlycap - read() for /smack/onlycap
1543 * @filp: file pointer, not actually used
1544 * @buf: where to put the result
1545 * @cn: maximum to send along
1546 * @ppos: where to start
1548 * Returns number of bytes read or error code, as appropriate
1550 static ssize_t smk_read_onlycap(struct file *filp, char __user *buf,
1551 size_t cn, loff_t *ppos)
1554 ssize_t rc = -EINVAL;
1560 if (smack_onlycap != NULL)
1561 smack = smack_onlycap;
1563 asize = strlen(smack) + 1;
1566 rc = simple_read_from_buffer(buf, cn, ppos, smack, asize);
1572 * smk_write_onlycap - write() for /smack/onlycap
1573 * @file: file pointer, not actually used
1574 * @buf: where to get the data from
1575 * @count: bytes sent
1576 * @ppos: where to start
1578 * Returns number of bytes written or error code, as appropriate
1580 static ssize_t smk_write_onlycap(struct file *file, const char __user *buf,
1581 size_t count, loff_t *ppos)
1584 char *sp = smk_of_task(current->cred->security);
1587 if (!smack_privileged(CAP_MAC_ADMIN))
1591 * This can be done using smk_access() but is done
1592 * explicitly for clarity. The smk_access() implementation
1593 * would use smk_access(smack_onlycap, MAY_WRITE)
1595 if (smack_onlycap != NULL && smack_onlycap != sp)
1598 data = kzalloc(count, GFP_KERNEL);
1603 * Should the null string be passed in unset the onlycap value.
1604 * This seems like something to be careful with as usually
1605 * smk_import only expects to return NULL for errors. It
1606 * is usually the case that a nullstring or "\n" would be
1607 * bad to pass to smk_import but in fact this is useful here.
1609 * smk_import will also reject a label beginning with '-',
1610 * so "-usecapabilities" will also work.
1612 if (copy_from_user(data, buf, count) != 0)
1615 smack_onlycap = smk_import(data, count);
1621 static const struct file_operations smk_onlycap_ops = {
1622 .read = smk_read_onlycap,
1623 .write = smk_write_onlycap,
1624 .llseek = default_llseek,
1628 * smk_read_logging - read() for /smack/logging
1629 * @filp: file pointer, not actually used
1630 * @buf: where to put the result
1631 * @cn: maximum to send along
1632 * @ppos: where to start
1634 * Returns number of bytes read or error code, as appropriate
1636 static ssize_t smk_read_logging(struct file *filp, char __user *buf,
1637 size_t count, loff_t *ppos)
1645 sprintf(temp, "%d\n", log_policy);
1646 rc = simple_read_from_buffer(buf, count, ppos, temp, strlen(temp));
1651 * smk_write_logging - write() for /smack/logging
1652 * @file: file pointer, not actually used
1653 * @buf: where to get the data from
1654 * @count: bytes sent
1655 * @ppos: where to start
1657 * Returns number of bytes written or error code, as appropriate
1659 static ssize_t smk_write_logging(struct file *file, const char __user *buf,
1660 size_t count, loff_t *ppos)
1665 if (!smack_privileged(CAP_MAC_ADMIN))
1668 if (count >= sizeof(temp) || count == 0)
1671 if (copy_from_user(temp, buf, count) != 0)
1676 if (sscanf(temp, "%d", &i) != 1)
1686 static const struct file_operations smk_logging_ops = {
1687 .read = smk_read_logging,
1688 .write = smk_write_logging,
1689 .llseek = default_llseek,
1693 * Seq_file read operations for /smack/load-self
1696 static void *load_self_seq_start(struct seq_file *s, loff_t *pos)
1698 struct task_smack *tsp = current_security();
1700 return smk_seq_start(s, pos, &tsp->smk_rules);
1703 static void *load_self_seq_next(struct seq_file *s, void *v, loff_t *pos)
1705 struct task_smack *tsp = current_security();
1707 return smk_seq_next(s, v, pos, &tsp->smk_rules);
1710 static int load_self_seq_show(struct seq_file *s, void *v)
1712 struct list_head *list = v;
1713 struct smack_rule *srp =
1714 list_entry(list, struct smack_rule, list);
1716 smk_rule_show(s, srp, SMK_LABELLEN);
1721 static const struct seq_operations load_self_seq_ops = {
1722 .start = load_self_seq_start,
1723 .next = load_self_seq_next,
1724 .show = load_self_seq_show,
1725 .stop = smk_seq_stop,
1730 * smk_open_load_self - open() for /smack/load-self2
1731 * @inode: inode structure representing file
1732 * @file: "load" file pointer
1734 * For reading, use load_seq_* seq_file reading operations.
1736 static int smk_open_load_self(struct inode *inode, struct file *file)
1738 return seq_open(file, &load_self_seq_ops);
1742 * smk_write_load_self - write() for /smack/load-self
1743 * @file: file pointer, not actually used
1744 * @buf: where to get the data from
1745 * @count: bytes sent
1746 * @ppos: where to start - must be 0
1749 static ssize_t smk_write_load_self(struct file *file, const char __user *buf,
1750 size_t count, loff_t *ppos)
1752 struct task_smack *tsp = current_security();
1754 return smk_write_rules_list(file, buf, count, ppos, &tsp->smk_rules,
1755 &tsp->smk_rules_lock, SMK_FIXED24_FMT);
1758 static const struct file_operations smk_load_self_ops = {
1759 .open = smk_open_load_self,
1761 .llseek = seq_lseek,
1762 .write = smk_write_load_self,
1763 .release = seq_release,
1767 * smk_user_access - handle access check transaction
1768 * @file: file pointer
1769 * @buf: data from user space
1770 * @count: bytes sent
1771 * @ppos: where to start - must be 0
1773 static ssize_t smk_user_access(struct file *file, const char __user *buf,
1774 size_t count, loff_t *ppos, int format)
1776 struct smack_rule rule;
1781 data = simple_transaction_get(file, buf, count);
1783 return PTR_ERR(data);
1785 if (format == SMK_FIXED24_FMT) {
1786 if (count < SMK_LOADLEN)
1788 res = smk_parse_rule(data, &rule, 0);
1791 * Copy the data to make sure the string is terminated.
1793 cod = kzalloc(count + 1, GFP_KERNEL);
1796 memcpy(cod, data, count);
1798 res = smk_parse_long_rule(cod, &rule, 0);
1805 res = smk_access(rule.smk_subject, rule.smk_object, rule.smk_access,
1807 data[0] = res == 0 ? '1' : '0';
1810 simple_transaction_set(file, 2);
1812 if (format == SMK_FIXED24_FMT)
1818 * smk_write_access - handle access check transaction
1819 * @file: file pointer
1820 * @buf: data from user space
1821 * @count: bytes sent
1822 * @ppos: where to start - must be 0
1824 static ssize_t smk_write_access(struct file *file, const char __user *buf,
1825 size_t count, loff_t *ppos)
1827 return smk_user_access(file, buf, count, ppos, SMK_FIXED24_FMT);
1830 static const struct file_operations smk_access_ops = {
1831 .write = smk_write_access,
1832 .read = simple_transaction_read,
1833 .release = simple_transaction_release,
1834 .llseek = generic_file_llseek,
1839 * Seq_file read operations for /smack/load2
1842 static int load2_seq_show(struct seq_file *s, void *v)
1844 struct list_head *list = v;
1845 struct smack_master_list *smlp =
1846 list_entry(list, struct smack_master_list, list);
1848 smk_rule_show(s, smlp->smk_rule, SMK_LONGLABEL);
1853 static const struct seq_operations load2_seq_ops = {
1854 .start = load2_seq_start,
1855 .next = load2_seq_next,
1856 .show = load2_seq_show,
1857 .stop = smk_seq_stop,
1861 * smk_open_load2 - open() for /smack/load2
1862 * @inode: inode structure representing file
1863 * @file: "load2" file pointer
1865 * For reading, use load2_seq_* seq_file reading operations.
1867 static int smk_open_load2(struct inode *inode, struct file *file)
1869 return seq_open(file, &load2_seq_ops);
1873 * smk_write_load2 - write() for /smack/load2
1874 * @file: file pointer, not actually used
1875 * @buf: where to get the data from
1876 * @count: bytes sent
1877 * @ppos: where to start - must be 0
1880 static ssize_t smk_write_load2(struct file *file, const char __user *buf,
1881 size_t count, loff_t *ppos)
1884 * Must have privilege.
1886 if (!smack_privileged(CAP_MAC_ADMIN))
1889 return smk_write_rules_list(file, buf, count, ppos, NULL, NULL,
1893 static const struct file_operations smk_load2_ops = {
1894 .open = smk_open_load2,
1896 .llseek = seq_lseek,
1897 .write = smk_write_load2,
1898 .release = seq_release,
1902 * Seq_file read operations for /smack/load-self2
1905 static void *load_self2_seq_start(struct seq_file *s, loff_t *pos)
1907 struct task_smack *tsp = current_security();
1909 return smk_seq_start(s, pos, &tsp->smk_rules);
1912 static void *load_self2_seq_next(struct seq_file *s, void *v, loff_t *pos)
1914 struct task_smack *tsp = current_security();
1916 return smk_seq_next(s, v, pos, &tsp->smk_rules);
1919 static int load_self2_seq_show(struct seq_file *s, void *v)
1921 struct list_head *list = v;
1922 struct smack_rule *srp =
1923 list_entry(list, struct smack_rule, list);
1925 smk_rule_show(s, srp, SMK_LONGLABEL);
1930 static const struct seq_operations load_self2_seq_ops = {
1931 .start = load_self2_seq_start,
1932 .next = load_self2_seq_next,
1933 .show = load_self2_seq_show,
1934 .stop = smk_seq_stop,
1938 * smk_open_load_self2 - open() for /smack/load-self2
1939 * @inode: inode structure representing file
1940 * @file: "load" file pointer
1942 * For reading, use load_seq_* seq_file reading operations.
1944 static int smk_open_load_self2(struct inode *inode, struct file *file)
1946 return seq_open(file, &load_self2_seq_ops);
1950 * smk_write_load_self2 - write() for /smack/load-self2
1951 * @file: file pointer, not actually used
1952 * @buf: where to get the data from
1953 * @count: bytes sent
1954 * @ppos: where to start - must be 0
1957 static ssize_t smk_write_load_self2(struct file *file, const char __user *buf,
1958 size_t count, loff_t *ppos)
1960 struct task_smack *tsp = current_security();
1962 return smk_write_rules_list(file, buf, count, ppos, &tsp->smk_rules,
1963 &tsp->smk_rules_lock, SMK_LONG_FMT);
1966 static const struct file_operations smk_load_self2_ops = {
1967 .open = smk_open_load_self2,
1969 .llseek = seq_lseek,
1970 .write = smk_write_load_self2,
1971 .release = seq_release,
1975 * smk_write_access2 - handle access check transaction
1976 * @file: file pointer
1977 * @buf: data from user space
1978 * @count: bytes sent
1979 * @ppos: where to start - must be 0
1981 static ssize_t smk_write_access2(struct file *file, const char __user *buf,
1982 size_t count, loff_t *ppos)
1984 return smk_user_access(file, buf, count, ppos, SMK_LONG_FMT);
1987 static const struct file_operations smk_access2_ops = {
1988 .write = smk_write_access2,
1989 .read = simple_transaction_read,
1990 .release = simple_transaction_release,
1991 .llseek = generic_file_llseek,
1995 * smk_fill_super - fill the /smackfs superblock
1996 * @sb: the empty superblock
2000 * Fill in the well known entries for /smack
2002 * Returns 0 on success, an error code on failure
2004 static int smk_fill_super(struct super_block *sb, void *data, int silent)
2007 struct inode *root_inode;
2009 static struct tree_descr smack_files[] = {
2011 "load", &smk_load_ops, S_IRUGO|S_IWUSR},
2013 "cipso", &smk_cipso_ops, S_IRUGO|S_IWUSR},
2015 "doi", &smk_doi_ops, S_IRUGO|S_IWUSR},
2017 "direct", &smk_direct_ops, S_IRUGO|S_IWUSR},
2019 "ambient", &smk_ambient_ops, S_IRUGO|S_IWUSR},
2020 [SMK_NETLBLADDR] = {
2021 "netlabel", &smk_netlbladdr_ops, S_IRUGO|S_IWUSR},
2023 "onlycap", &smk_onlycap_ops, S_IRUGO|S_IWUSR},
2025 "logging", &smk_logging_ops, S_IRUGO|S_IWUSR},
2027 "load-self", &smk_load_self_ops, S_IRUGO|S_IWUGO},
2029 "access", &smk_access_ops, S_IRUGO|S_IWUGO},
2031 "mapped", &smk_mapped_ops, S_IRUGO|S_IWUSR},
2033 "load2", &smk_load2_ops, S_IRUGO|S_IWUSR},
2034 [SMK_LOAD_SELF2] = {
2035 "load-self2", &smk_load_self2_ops, S_IRUGO|S_IWUGO},
2037 "access2", &smk_access2_ops, S_IRUGO|S_IWUGO},
2039 "cipso2", &smk_cipso2_ops, S_IRUGO|S_IWUSR},
2044 rc = simple_fill_super(sb, SMACK_MAGIC, smack_files);
2046 printk(KERN_ERR "%s failed %d while creating inodes\n",
2051 root_inode = sb->s_root->d_inode;
2057 * smk_mount - get the smackfs superblock
2058 * @fs_type: passed along without comment
2059 * @flags: passed along without comment
2060 * @dev_name: passed along without comment
2061 * @data: passed along without comment
2063 * Just passes everything along.
2065 * Returns what the lower level code does.
2067 static struct dentry *smk_mount(struct file_system_type *fs_type,
2068 int flags, const char *dev_name, void *data)
2070 return mount_single(fs_type, flags, data, smk_fill_super);
2073 static struct file_system_type smk_fs_type = {
2076 .kill_sb = kill_litter_super,
2079 static struct vfsmount *smackfs_mount;
2081 static int __init smk_preset_netlabel(struct smack_known *skp)
2083 skp->smk_netlabel.domain = skp->smk_known;
2084 skp->smk_netlabel.flags =
2085 NETLBL_SECATTR_DOMAIN | NETLBL_SECATTR_MLS_LVL;
2086 return smk_netlbl_mls(smack_cipso_direct, skp->smk_known,
2087 &skp->smk_netlabel, strlen(skp->smk_known));
2091 * init_smk_fs - get the smackfs superblock
2093 * register the smackfs
2095 * Do not register smackfs if Smack wasn't enabled
2096 * on boot. We can not put this method normally under the
2097 * smack_init() code path since the security subsystem get
2098 * initialized before the vfs caches.
2100 * Returns true if we were not chosen on boot or if
2101 * we were chosen and filesystem registration succeeded.
2103 static int __init init_smk_fs(void)
2108 if (!security_module_enable(&smack_ops))
2111 err = register_filesystem(&smk_fs_type);
2113 smackfs_mount = kern_mount(&smk_fs_type);
2114 if (IS_ERR(smackfs_mount)) {
2115 printk(KERN_ERR "smackfs: could not mount!\n");
2116 err = PTR_ERR(smackfs_mount);
2117 smackfs_mount = NULL;
2122 smk_unlbl_ambient(NULL);
2124 rc = smk_preset_netlabel(&smack_known_floor);
2125 if (err == 0 && rc < 0)
2127 rc = smk_preset_netlabel(&smack_known_hat);
2128 if (err == 0 && rc < 0)
2130 rc = smk_preset_netlabel(&smack_known_huh);
2131 if (err == 0 && rc < 0)
2133 rc = smk_preset_netlabel(&smack_known_invalid);
2134 if (err == 0 && rc < 0)
2136 rc = smk_preset_netlabel(&smack_known_star);
2137 if (err == 0 && rc < 0)
2139 rc = smk_preset_netlabel(&smack_known_web);
2140 if (err == 0 && rc < 0)
2146 __initcall(init_smk_fs);
git.openpandora.org / pandora-kernel.git / blob