diff options
author | Linus Torvalds <torvalds@linux-foundation.org> | 2011-01-10 11:18:59 -0800 |
---|---|---|
committer | Linus Torvalds <torvalds@linux-foundation.org> | 2011-01-10 11:18:59 -0800 |
commit | e0e736fc0d33861335e2a132e4f688f7fd380c61 (patch) | |
tree | d9febe9ca1ef1e24efc5e6e1e34e412316d246bd /security/smack/smack.h | |
parent | a08948812b30653eb2c536ae613b635a989feb6f (diff) | |
parent | aeda4ac3efc29e4d55989abd0a73530453aa69ba (diff) |
Merge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/jmorris/security-testing-2.6
* 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/jmorris/security-testing-2.6: (30 commits)
MAINTAINERS: Add tomoyo-dev-en ML.
SELinux: define permissions for DCB netlink messages
encrypted-keys: style and other cleanup
encrypted-keys: verify datablob size before converting to binary
trusted-keys: kzalloc and other cleanup
trusted-keys: additional TSS return code and other error handling
syslog: check cap_syslog when dmesg_restrict
Smack: Transmute labels on specified directories
selinux: cache sidtab_context_to_sid results
SELinux: do not compute transition labels on mountpoint labeled filesystems
This patch adds a new security attribute to Smack called SMACK64EXEC. It defines label that is used while task is running.
SELinux: merge policydb_index_classes and policydb_index_others
selinux: convert part of the sym_val_to_name array to use flex_array
selinux: convert type_val_to_struct to flex_array
flex_array: fix flex_array_put_ptr macro to be valid C
SELinux: do not set automatic i_ino in selinuxfs
selinux: rework security_netlbl_secattr_to_sid
SELinux: standardize return code handling in selinuxfs.c
SELinux: standardize return code handling in selinuxfs.c
SELinux: standardize return code handling in policydb.c
...
Diffstat (limited to 'security/smack/smack.h')
-rw-r--r-- | security/smack/smack.h | 45 |
1 files changed, 45 insertions, 0 deletions
diff --git a/security/smack/smack.h b/security/smack/smack.h index 43ae747a5aa4..129c4eb8ffb1 100644 --- a/security/smack/smack.h +++ b/security/smack/smack.h @@ -51,11 +51,18 @@ struct socket_smack { */ struct inode_smack { char *smk_inode; /* label of the fso */ + char *smk_task; /* label of the task */ struct mutex smk_lock; /* initialization lock */ int smk_flags; /* smack inode flags */ }; +struct task_smack { + char *smk_task; /* label used for access control */ + char *smk_forked; /* label when forked */ +}; + #define SMK_INODE_INSTANT 0x01 /* inode is instantiated */ +#define SMK_INODE_TRANSMUTE 0x02 /* directory is transmuting */ /* * A label access rule. @@ -161,6 +168,10 @@ struct smack_known { #define SMACK_CIPSO_MAXCATNUM 239 /* CIPSO 2.2 standard */ /* + * Flag for transmute access + */ +#define MAY_TRANSMUTE 64 +/* * Just to make the common cases easier to deal with */ #define MAY_ANY (MAY_READ | MAY_WRITE | MAY_APPEND | MAY_EXEC) @@ -191,6 +202,7 @@ struct inode_smack *new_inode_smack(char *); /* * These functions are in smack_access.c */ +int smk_access_entry(char *, char *); int smk_access(char *, char *, int, struct smk_audit_info *); int smk_curacc(char *, u32, struct smk_audit_info *); int smack_to_cipso(const char *, struct smack_cipso *); @@ -234,6 +246,15 @@ static inline void smack_catset_bit(int cat, char *catsetp) } /* + * Is the directory transmuting? + */ +static inline int smk_inode_transmutable(const struct inode *isp) +{ + struct inode_smack *sip = isp->i_security; + return (sip->smk_flags & SMK_INODE_TRANSMUTE) != 0; +} + +/* * Present a pointer to the smack label in an inode blob. */ static inline char *smk_of_inode(const struct inode *isp) @@ -243,6 +264,30 @@ static inline char *smk_of_inode(const struct inode *isp) } /* + * Present a pointer to the smack label in an task blob. + */ +static inline char *smk_of_task(const struct task_smack *tsp) +{ + return tsp->smk_task; +} + +/* + * Present a pointer to the forked smack label in an task blob. + */ +static inline char *smk_of_forked(const struct task_smack *tsp) +{ + return tsp->smk_forked; +} + +/* + * Present a pointer to the smack label in the current task blob. + */ +static inline char *smk_of_current(void) +{ + return smk_of_task(current_security()); +} + +/* * logging functions */ #define SMACK_AUDIT_DENIED 0x1 |