Skip to content
体验新版
项目
组织
正在加载...
登录
切换导航
打开侧边栏
openanolis
cloud-kernel
提交
a39f44fa
cloud-kernel
项目概览
openanolis
/
cloud-kernel
接近 2 年 前同步成功
通知
170
Star
36
Fork
7
代码
文件
提交
分支
Tags
贡献者
分支图
Diff
Issue
10
列表
看板
标记
里程碑
合并请求
2
Wiki
0
Wiki
分析
仓库
DevOps
项目成员
Pages
cloud-kernel
项目概览
项目概览
详情
发布
仓库
仓库
文件
提交
分支
标签
贡献者
分支图
比较
Issue
10
Issue
10
列表
看板
标记
里程碑
合并请求
2
合并请求
2
Pages
分析
分析
仓库分析
DevOps
Wiki
0
Wiki
成员
成员
收起侧边栏
关闭侧边栏
动态
分支图
创建新Issue
提交
Issue看板
提交
a39f44fa
编写于
9月 15, 2016
作者:
J
James Morris
浏览文件
操作
浏览文件
下载
差异文件
Merge branch 'smack-for-4.9' of
http://github.com/cschaufler/smack-next
into next
上级
8ccc7d6b
c60b9066
变更
4
隐藏空白更改
内联
并排
Showing
4 changed file
with
32 addition
and
15 deletion
+32
-15
security/smack/Kconfig
security/smack/Kconfig
+12
-0
security/smack/smack.h
security/smack/smack.h
+10
-0
security/smack/smack_lsm.c
security/smack/smack_lsm.c
+7
-7
security/smack/smackfs.c
security/smack/smackfs.c
+3
-8
未找到文件。
security/smack/Kconfig
浏览文件 @
a39f44fa
...
@@ -40,3 +40,15 @@ config SECURITY_SMACK_NETFILTER
...
@@ -40,3 +40,15 @@ config SECURITY_SMACK_NETFILTER
This enables security marking of network packets using
This enables security marking of network packets using
Smack labels.
Smack labels.
If you are unsure how to answer this question, answer N.
If you are unsure how to answer this question, answer N.
config SECURITY_SMACK_APPEND_SIGNALS
bool "Treat delivering signals as an append operation"
depends on SECURITY_SMACK
default n
help
Sending a signal has been treated as a write operation to the
receiving process. If this option is selected, the delivery
will be an append operation instead. This makes it possible
to differentiate between delivering a network packet and
delivering a signal in the Smack rules.
If you are unsure how to answer this question, answer N.
security/smack/smack.h
浏览文件 @
a39f44fa
...
@@ -256,6 +256,16 @@ enum {
...
@@ -256,6 +256,16 @@ enum {
#define MAY_LOCK 0x00002000
/* Locks should be writes, but ... */
#define MAY_LOCK 0x00002000
/* Locks should be writes, but ... */
#define MAY_BRINGUP 0x00004000
/* Report use of this rule */
#define MAY_BRINGUP 0x00004000
/* Report use of this rule */
/*
* The policy for delivering signals is configurable.
* It is usually "write", but can be "append".
*/
#ifdef CONFIG_SECURITY_SMACK_APPEND_SIGNALS
#define MAY_DELIVER MAY_APPEND
/* Signal delivery requires append */
#else
#define MAY_DELIVER MAY_WRITE
/* Signal delivery requires write */
#endif
#define SMACK_BRINGUP_ALLOW 1
/* Allow bringup mode */
#define SMACK_BRINGUP_ALLOW 1
/* Allow bringup mode */
#define SMACK_UNCONFINED_SUBJECT 2
/* Allow unconfined label */
#define SMACK_UNCONFINED_SUBJECT 2
/* Allow unconfined label */
#define SMACK_UNCONFINED_OBJECT 3
/* Allow unconfined label */
#define SMACK_UNCONFINED_OBJECT 3
/* Allow unconfined label */
...
...
security/smack/smack_lsm.c
浏览文件 @
a39f44fa
...
@@ -1857,14 +1857,14 @@ static int smack_file_send_sigiotask(struct task_struct *tsk,
...
@@ -1857,14 +1857,14 @@ static int smack_file_send_sigiotask(struct task_struct *tsk,
/* we don't log here as rc can be overriden */
/* we don't log here as rc can be overriden */
skp
=
file
->
f_security
;
skp
=
file
->
f_security
;
rc
=
smk_access
(
skp
,
tkp
,
MAY_
WRITE
,
NULL
);
rc
=
smk_access
(
skp
,
tkp
,
MAY_
DELIVER
,
NULL
);
rc
=
smk_bu_note
(
"sigiotask"
,
skp
,
tkp
,
MAY_
WRITE
,
rc
);
rc
=
smk_bu_note
(
"sigiotask"
,
skp
,
tkp
,
MAY_
DELIVER
,
rc
);
if
(
rc
!=
0
&&
has_capability
(
tsk
,
CAP_MAC_OVERRIDE
))
if
(
rc
!=
0
&&
has_capability
(
tsk
,
CAP_MAC_OVERRIDE
))
rc
=
0
;
rc
=
0
;
smk_ad_init
(
&
ad
,
__func__
,
LSM_AUDIT_DATA_TASK
);
smk_ad_init
(
&
ad
,
__func__
,
LSM_AUDIT_DATA_TASK
);
smk_ad_setfield_u_tsk
(
&
ad
,
tsk
);
smk_ad_setfield_u_tsk
(
&
ad
,
tsk
);
smack_log
(
skp
->
smk_known
,
tkp
->
smk_known
,
MAY_
WRITE
,
rc
,
&
ad
);
smack_log
(
skp
->
smk_known
,
tkp
->
smk_known
,
MAY_
DELIVER
,
rc
,
&
ad
);
return
rc
;
return
rc
;
}
}
...
@@ -2265,8 +2265,8 @@ static int smack_task_kill(struct task_struct *p, struct siginfo *info,
...
@@ -2265,8 +2265,8 @@ static int smack_task_kill(struct task_struct *p, struct siginfo *info,
* can write the receiver.
* can write the receiver.
*/
*/
if
(
secid
==
0
)
{
if
(
secid
==
0
)
{
rc
=
smk_curacc
(
tkp
,
MAY_
WRITE
,
&
ad
);
rc
=
smk_curacc
(
tkp
,
MAY_
DELIVER
,
&
ad
);
rc
=
smk_bu_task
(
p
,
MAY_
WRITE
,
rc
);
rc
=
smk_bu_task
(
p
,
MAY_
DELIVER
,
rc
);
return
rc
;
return
rc
;
}
}
/*
/*
...
@@ -2275,8 +2275,8 @@ static int smack_task_kill(struct task_struct *p, struct siginfo *info,
...
@@ -2275,8 +2275,8 @@ static int smack_task_kill(struct task_struct *p, struct siginfo *info,
* we can't take privilege into account.
* we can't take privilege into account.
*/
*/
skp
=
smack_from_secid
(
secid
);
skp
=
smack_from_secid
(
secid
);
rc
=
smk_access
(
skp
,
tkp
,
MAY_
WRITE
,
&
ad
);
rc
=
smk_access
(
skp
,
tkp
,
MAY_
DELIVER
,
&
ad
);
rc
=
smk_bu_note
(
"USB signal"
,
skp
,
tkp
,
MAY_
WRITE
,
rc
);
rc
=
smk_bu_note
(
"USB signal"
,
skp
,
tkp
,
MAY_
DELIVER
,
rc
);
return
rc
;
return
rc
;
}
}
...
...
security/smack/smackfs.c
浏览文件 @
a39f44fa
...
@@ -2523,14 +2523,9 @@ static ssize_t smk_write_revoke_subj(struct file *file, const char __user *buf,
...
@@ -2523,14 +2523,9 @@ static ssize_t smk_write_revoke_subj(struct file *file, const char __user *buf,
if
(
count
==
0
||
count
>
SMK_LONGLABEL
)
if
(
count
==
0
||
count
>
SMK_LONGLABEL
)
return
-
EINVAL
;
return
-
EINVAL
;
data
=
kzalloc
(
count
,
GFP_KERNEL
);
data
=
memdup_user
(
buf
,
count
);
if
(
data
==
NULL
)
if
(
IS_ERR
(
data
))
return
-
ENOMEM
;
return
PTR_ERR
(
data
);
if
(
copy_from_user
(
data
,
buf
,
count
)
!=
0
)
{
rc
=
-
EFAULT
;
goto
out_data
;
}
cp
=
smk_parse_smack
(
data
,
count
);
cp
=
smk_parse_smack
(
data
,
count
);
if
(
IS_ERR
(
cp
))
{
if
(
IS_ERR
(
cp
))
{
...
...
编辑
预览
Markdown
is supported
0%
请重试
或
添加新附件
.
添加附件
取消
You are about to add
0
people
to the discussion. Proceed with caution.
先完成此消息的编辑!
取消
想要评论请
注册
或
登录