1 // SPDX-License-Identifier: GPL-2.0-only
3 * Copyright (C) 2007 Casey Schaufler <casey@schaufler-ca.com>
6 * Casey Schaufler <casey@schaufler-ca.com>
7 * Ahmed S. Darwish <darwish.07@gmail.com>
9 * Special thanks to the authors of selinuxfs.
11 * Karl MacMillan <kmacmillan@tresys.com>
12 * James Morris <jmorris@redhat.com>
15 #include <linux/kernel.h>
16 #include <linux/vmalloc.h>
17 #include <linux/security.h>
18 #include <linux/mutex.h>
19 #include <linux/slab.h>
20 #include <net/net_namespace.h>
21 #include <net/cipso_ipv4.h>
22 #include <linux/seq_file.h>
23 #include <linux/ctype.h>
24 #include <linux/audit.h>
25 #include <linux/magic.h>
26 #include <linux/fs_context.h>
29 #define BEBITS (sizeof(__be32) * 8)
31 * smackfs pseudo filesystem.
36 SMK_LOAD = 3, /* load policy */
37 SMK_CIPSO = 4, /* load label -> CIPSO mapping */
38 SMK_DOI = 5, /* CIPSO DOI */
39 SMK_DIRECT = 6, /* CIPSO level indicating direct label */
40 SMK_AMBIENT = 7, /* internet ambient label */
41 SMK_NET4ADDR = 8, /* single label hosts */
42 SMK_ONLYCAP = 9, /* the only "capable" label */
43 SMK_LOGGING = 10, /* logging */
44 SMK_LOAD_SELF = 11, /* task specific rules */
45 SMK_ACCESSES = 12, /* access policy */
46 SMK_MAPPED = 13, /* CIPSO level indicating mapped label */
47 SMK_LOAD2 = 14, /* load policy with long labels */
48 SMK_LOAD_SELF2 = 15, /* load task specific rules with long labels */
49 SMK_ACCESS2 = 16, /* make an access check with long labels */
50 SMK_CIPSO2 = 17, /* load long label -> CIPSO mapping */
51 SMK_REVOKE_SUBJ = 18, /* set rules with subject label to '-' */
52 SMK_CHANGE_RULE = 19, /* change or add rules (long labels) */
53 SMK_SYSLOG = 20, /* change syslog label) */
54 SMK_PTRACE = 21, /* set ptrace rule */
55 #ifdef CONFIG_SECURITY_SMACK_BRINGUP
56 SMK_UNCONFINED = 22, /* define an unconfined label */
58 #if IS_ENABLED(CONFIG_IPV6)
59 SMK_NET6ADDR = 23, /* single label IPv6 hosts */
60 #endif /* CONFIG_IPV6 */
61 SMK_RELABEL_SELF = 24, /* relabel possible without CAP_MAC_ADMIN */
67 static DEFINE_MUTEX(smack_cipso_lock);
68 static DEFINE_MUTEX(smack_ambient_lock);
69 static DEFINE_MUTEX(smk_net4addr_lock);
70 #if IS_ENABLED(CONFIG_IPV6)
71 static DEFINE_MUTEX(smk_net6addr_lock);
72 #endif /* CONFIG_IPV6 */
75 * This is the "ambient" label for network traffic.
76 * If it isn't somehow marked, use this.
77 * It can be reset via smackfs/ambient
79 struct smack_known *smack_net_ambient;
82 * This is the level in a CIPSO header that indicates a
83 * smack label is contained directly in the category set.
84 * It can be reset via smackfs/direct
86 int smack_cipso_direct = SMACK_CIPSO_DIRECT_DEFAULT;
89 * This is the level in a CIPSO header that indicates a
90 * secid is contained directly in the category set.
91 * It can be reset via smackfs/mapped
93 int smack_cipso_mapped = SMACK_CIPSO_MAPPED_DEFAULT;
95 #ifdef CONFIG_SECURITY_SMACK_BRINGUP
97 * Allow one label to be unconfined. This is for
98 * debugging and application bring-up purposes only.
99 * It is bad and wrong, but everyone seems to expect
102 struct smack_known *smack_unconfined;
106 * If this value is set restrict syslog use to the label specified.
107 * It can be reset via smackfs/syslog
109 struct smack_known *smack_syslog_label;
112 * Ptrace current rule
113 * SMACK_PTRACE_DEFAULT regular smack ptrace rules (/proc based)
114 * SMACK_PTRACE_EXACT labels must match, but can be overriden with
116 * SMACK_PTRACE_DRACONIAN lables must match, CAP_SYS_PTRACE has no effect
118 int smack_ptrace_rule = SMACK_PTRACE_DEFAULT;
121 * Certain IP addresses may be designated as single label hosts.
122 * Packets are sent there unlabeled, but only from tasks that
123 * can write to the specified label.
126 LIST_HEAD(smk_net4addr_list);
127 #if IS_ENABLED(CONFIG_IPV6)
128 LIST_HEAD(smk_net6addr_list);
129 #endif /* CONFIG_IPV6 */
132 * Rule lists are maintained for each label.
134 struct smack_parsed_rule {
135 struct smack_known *smk_subject;
136 struct smack_known *smk_object;
141 static int smk_cipso_doi_value = SMACK_CIPSO_DOI_DEFAULT;
144 * Values for parsing cipso rules
145 * SMK_DIGITLEN: Length of a digit field in a rule.
146 * SMK_CIPSOMIN: Minimum possible cipso rule length.
147 * SMK_CIPSOMAX: Maximum possible cipso rule length.
149 #define SMK_DIGITLEN 4
150 #define SMK_CIPSOMIN (SMK_LABELLEN + 2 * SMK_DIGITLEN)
151 #define SMK_CIPSOMAX (SMK_CIPSOMIN + SMACK_CIPSO_MAXCATNUM * SMK_DIGITLEN)
154 * Values for parsing MAC rules
155 * SMK_ACCESS: Maximum possible combination of access permissions
156 * SMK_ACCESSLEN: Maximum length for a rule access field
157 * SMK_LOADLEN: Smack rule length
159 #define SMK_OACCESS "rwxa"
160 #define SMK_ACCESS "rwxatl"
161 #define SMK_OACCESSLEN (sizeof(SMK_OACCESS) - 1)
162 #define SMK_ACCESSLEN (sizeof(SMK_ACCESS) - 1)
163 #define SMK_OLOADLEN (SMK_LABELLEN + SMK_LABELLEN + SMK_OACCESSLEN)
164 #define SMK_LOADLEN (SMK_LABELLEN + SMK_LABELLEN + SMK_ACCESSLEN)
167 * Stricly for CIPSO level manipulation.
168 * Set the category bit number in a smack label sized buffer.
170 static inline void smack_catset_bit(unsigned int cat, char *catsetp)
172 if (cat == 0 || cat > (SMK_CIPSOLEN * 8))
175 catsetp[(cat - 1) / 8] |= 0x80 >> ((cat - 1) % 8);
179 * smk_netlabel_audit_set - fill a netlbl_audit struct
180 * @nap: structure to fill
182 static void smk_netlabel_audit_set(struct netlbl_audit *nap)
184 struct smack_known *skp = smk_of_current();
186 nap->loginuid = audit_get_loginuid(current);
187 nap->sessionid = audit_get_sessionid(current);
188 nap->secid = skp->smk_secid;
192 * Value for parsing single label host rules
195 #define SMK_NETLBLADDRMIN 9
198 * smk_set_access - add a rule to the rule list or replace an old rule
199 * @srp: the rule to add or replace
200 * @rule_list: the list of rules
201 * @rule_lock: the rule list lock
203 * Looks through the current subject/object/access list for
204 * the subject/object pair and replaces the access that was
205 * there. If the pair isn't found add it with the specified
208 * Returns 0 if nothing goes wrong or -ENOMEM if it fails
209 * during the allocation of the new pair to add.
211 static int smk_set_access(struct smack_parsed_rule *srp,
212 struct list_head *rule_list,
213 struct mutex *rule_lock)
215 struct smack_rule *sp;
219 mutex_lock(rule_lock);
222 * Because the object label is less likely to match
223 * than the subject label check it first
225 list_for_each_entry_rcu(sp, rule_list, list) {
226 if (sp->smk_object == srp->smk_object &&
227 sp->smk_subject == srp->smk_subject) {
229 sp->smk_access |= srp->smk_access1;
230 sp->smk_access &= ~srp->smk_access2;
236 sp = kmem_cache_zalloc(smack_rule_cache, GFP_KERNEL);
242 sp->smk_subject = srp->smk_subject;
243 sp->smk_object = srp->smk_object;
244 sp->smk_access = srp->smk_access1 & ~srp->smk_access2;
246 list_add_rcu(&sp->list, rule_list);
250 mutex_unlock(rule_lock);
255 * smk_perm_from_str - parse smack accesses from a text string
256 * @string: a text string that contains a Smack accesses code
258 * Returns an integer with respective bits set for specified accesses.
260 static int smk_perm_from_str(const char *string)
265 for (cp = string; ; cp++)
287 perm |= MAY_TRANSMUTE;
303 * smk_fill_rule - Fill Smack rule from strings
304 * @subject: subject label string
305 * @object: object label string
306 * @access1: access string
307 * @access2: string with permissions to be removed
309 * @import: if non-zero, import labels
310 * @len: label length limit
312 * Returns 0 on success, appropriate error code on failure.
314 static int smk_fill_rule(const char *subject, const char *object,
315 const char *access1, const char *access2,
316 struct smack_parsed_rule *rule, int import,
320 struct smack_known *skp;
323 rule->smk_subject = smk_import_entry(subject, len);
324 if (IS_ERR(rule->smk_subject))
325 return PTR_ERR(rule->smk_subject);
327 rule->smk_object = smk_import_entry(object, len);
328 if (IS_ERR(rule->smk_object))
329 return PTR_ERR(rule->smk_object);
331 cp = smk_parse_smack(subject, len);
334 skp = smk_find_entry(cp);
338 rule->smk_subject = skp;
340 cp = smk_parse_smack(object, len);
343 skp = smk_find_entry(cp);
347 rule->smk_object = skp;
350 rule->smk_access1 = smk_perm_from_str(access1);
352 rule->smk_access2 = smk_perm_from_str(access2);
354 rule->smk_access2 = ~rule->smk_access1;
360 * smk_parse_rule - parse Smack rule from load string
361 * @data: string to be parsed whose size is SMK_LOADLEN
363 * @import: if non-zero, import labels
365 * Returns 0 on success, -1 on errors.
367 static int smk_parse_rule(const char *data, struct smack_parsed_rule *rule,
372 rc = smk_fill_rule(data, data + SMK_LABELLEN,
373 data + SMK_LABELLEN + SMK_LABELLEN, NULL, rule,
374 import, SMK_LABELLEN);
379 * smk_parse_long_rule - parse Smack rule from rule string
380 * @data: string to be parsed, null terminated
381 * @rule: Will be filled with Smack parsed rule
382 * @import: if non-zero, import labels
383 * @tokens: number of substrings expected in data
385 * Returns number of processed bytes on success, -ERRNO on failure.
387 static ssize_t smk_parse_long_rule(char *data, struct smack_parsed_rule *rule,
388 int import, int tokens)
396 * Parsing the rule in-place, filling all white-spaces with '\0'
398 for (i = 0; i < tokens; ++i) {
399 while (isspace(data[cnt]))
402 if (data[cnt] == '\0')
403 /* Unexpected end of data */
408 while (data[cnt] && !isspace(data[cnt]))
411 while (isspace(data[cnt]))
417 rc = smk_fill_rule(tok[0], tok[1], tok[2], tok[3], rule, import, 0);
418 return rc == 0 ? cnt : rc;
421 #define SMK_FIXED24_FMT 0 /* Fixed 24byte label format */
422 #define SMK_LONG_FMT 1 /* Variable long label format */
423 #define SMK_CHANGE_FMT 2 /* Rule modification format */
425 * smk_write_rules_list - write() for any /smack rule file
426 * @file: file pointer, not actually used
427 * @buf: where to get the data from
429 * @ppos: where to start - must be 0
430 * @rule_list: the list of rules to write to
431 * @rule_lock: lock for the rule list
432 * @format: /smack/load or /smack/load2 or /smack/change-rule format.
434 * Get one smack access rule from above.
435 * The format for SMK_LONG_FMT is:
436 * "subject<whitespace>object<whitespace>access[<whitespace>...]"
437 * The format for SMK_FIXED24_FMT is exactly:
438 * "subject object rwxat"
439 * The format for SMK_CHANGE_FMT is:
440 * "subject<whitespace>object<whitespace>
441 * acc_enable<whitespace>acc_disable[<whitespace>...]"
443 static ssize_t smk_write_rules_list(struct file *file, const char __user *buf,
444 size_t count, loff_t *ppos,
445 struct list_head *rule_list,
446 struct mutex *rule_lock, int format)
448 struct smack_parsed_rule rule;
457 * Enough data must be present.
462 if (format == SMK_FIXED24_FMT) {
464 * Minor hack for backward compatibility
466 if (count < SMK_OLOADLEN || count > SMK_LOADLEN)
469 if (count >= PAGE_SIZE) {
470 count = PAGE_SIZE - 1;
475 data = memdup_user_nul(buf, count);
477 return PTR_ERR(data);
480 * In case of parsing only part of user buf,
481 * avoid having partial rule at the data buffer
484 while (count > 0 && (data[count - 1] != '\n'))
493 tokens = (format == SMK_CHANGE_FMT ? 4 : 3);
494 while (cnt < count) {
495 if (format == SMK_FIXED24_FMT) {
496 rc = smk_parse_rule(data, &rule, 1);
501 rc = smk_parse_long_rule(data + cnt, &rule, 1, tokens);
511 if (rule_list == NULL)
512 rc = smk_set_access(&rule, &rule.smk_subject->smk_rules,
513 &rule.smk_subject->smk_rules_lock);
515 rc = smk_set_access(&rule, rule_list, rule_lock);
528 * Core logic for smackfs seq list operations.
531 static void *smk_seq_start(struct seq_file *s, loff_t *pos,
532 struct list_head *head)
534 struct list_head *list;
538 for (list = rcu_dereference(list_next_rcu(head));
540 list = rcu_dereference(list_next_rcu(list))) {
548 static void *smk_seq_next(struct seq_file *s, void *v, loff_t *pos,
549 struct list_head *head)
551 struct list_head *list = v;
554 list = rcu_dereference(list_next_rcu(list));
556 return (list == head) ? NULL : list;
559 static void smk_seq_stop(struct seq_file *s, void *v)
564 static void smk_rule_show(struct seq_file *s, struct smack_rule *srp, int max)
567 * Don't show any rules with label names too long for
568 * interface file (/smack/load or /smack/load2)
569 * because you should expect to be able to write
570 * anything you read back.
572 if (strlen(srp->smk_subject->smk_known) >= max ||
573 strlen(srp->smk_object->smk_known) >= max)
576 if (srp->smk_access == 0)
579 seq_printf(s, "%s %s",
580 srp->smk_subject->smk_known,
581 srp->smk_object->smk_known);
585 if (srp->smk_access & MAY_READ)
587 if (srp->smk_access & MAY_WRITE)
589 if (srp->smk_access & MAY_EXEC)
591 if (srp->smk_access & MAY_APPEND)
593 if (srp->smk_access & MAY_TRANSMUTE)
595 if (srp->smk_access & MAY_LOCK)
597 if (srp->smk_access & MAY_BRINGUP)
604 * Seq_file read operations for /smack/load
607 static void *load2_seq_start(struct seq_file *s, loff_t *pos)
609 return smk_seq_start(s, pos, &smack_known_list);
612 static void *load2_seq_next(struct seq_file *s, void *v, loff_t *pos)
614 return smk_seq_next(s, v, pos, &smack_known_list);
617 static int load_seq_show(struct seq_file *s, void *v)
619 struct list_head *list = v;
620 struct smack_rule *srp;
621 struct smack_known *skp =
622 list_entry_rcu(list, struct smack_known, list);
624 list_for_each_entry_rcu(srp, &skp->smk_rules, list)
625 smk_rule_show(s, srp, SMK_LABELLEN);
630 static const struct seq_operations load_seq_ops = {
631 .start = load2_seq_start,
632 .next = load2_seq_next,
633 .show = load_seq_show,
634 .stop = smk_seq_stop,
638 * smk_open_load - open() for /smack/load
639 * @inode: inode structure representing file
640 * @file: "load" file pointer
642 * For reading, use load_seq_* seq_file reading operations.
644 static int smk_open_load(struct inode *inode, struct file *file)
646 return seq_open(file, &load_seq_ops);
650 * smk_write_load - write() for /smack/load
651 * @file: file pointer, not actually used
652 * @buf: where to get the data from
654 * @ppos: where to start - must be 0
657 static ssize_t smk_write_load(struct file *file, const char __user *buf,
658 size_t count, loff_t *ppos)
661 * Must have privilege.
663 * Enough data must be present.
665 if (!smack_privileged(CAP_MAC_ADMIN))
668 return smk_write_rules_list(file, buf, count, ppos, NULL, NULL,
672 static const struct file_operations smk_load_ops = {
673 .open = smk_open_load,
676 .write = smk_write_load,
677 .release = seq_release,
681 * smk_cipso_doi - initialize the CIPSO domain
683 static void smk_cipso_doi(void)
686 struct cipso_v4_doi *doip;
687 struct netlbl_audit nai;
689 smk_netlabel_audit_set(&nai);
691 rc = netlbl_cfg_map_del(NULL, PF_INET, NULL, NULL, &nai);
693 printk(KERN_WARNING "%s:%d remove rc = %d\n",
694 __func__, __LINE__, rc);
696 doip = kmalloc(sizeof(struct cipso_v4_doi), GFP_KERNEL | __GFP_NOFAIL);
697 doip->map.std = NULL;
698 doip->doi = smk_cipso_doi_value;
699 doip->type = CIPSO_V4_MAP_PASS;
700 doip->tags[0] = CIPSO_V4_TAG_RBITMAP;
701 for (rc = 1; rc < CIPSO_V4_TAG_MAXCNT; rc++)
702 doip->tags[rc] = CIPSO_V4_TAG_INVALID;
704 rc = netlbl_cfg_cipsov4_add(doip, &nai);
706 printk(KERN_WARNING "%s:%d cipso add rc = %d\n",
707 __func__, __LINE__, rc);
711 rc = netlbl_cfg_cipsov4_map_add(doip->doi, NULL, NULL, NULL, &nai);
713 printk(KERN_WARNING "%s:%d map add rc = %d\n",
714 __func__, __LINE__, rc);
715 netlbl_cfg_cipsov4_del(doip->doi, &nai);
721 * smk_unlbl_ambient - initialize the unlabeled domain
722 * @oldambient: previous domain string
724 static void smk_unlbl_ambient(char *oldambient)
727 struct netlbl_audit nai;
729 smk_netlabel_audit_set(&nai);
731 if (oldambient != NULL) {
732 rc = netlbl_cfg_map_del(oldambient, PF_INET, NULL, NULL, &nai);
734 printk(KERN_WARNING "%s:%d remove rc = %d\n",
735 __func__, __LINE__, rc);
737 if (smack_net_ambient == NULL)
738 smack_net_ambient = &smack_known_floor;
740 rc = netlbl_cfg_unlbl_map_add(smack_net_ambient->smk_known, PF_INET,
743 printk(KERN_WARNING "%s:%d add rc = %d\n",
744 __func__, __LINE__, rc);
748 * Seq_file read operations for /smack/cipso
751 static void *cipso_seq_start(struct seq_file *s, loff_t *pos)
753 return smk_seq_start(s, pos, &smack_known_list);
756 static void *cipso_seq_next(struct seq_file *s, void *v, loff_t *pos)
758 return smk_seq_next(s, v, pos, &smack_known_list);
762 * Print cipso labels in format:
763 * label level[/cat[,cat]]
765 static int cipso_seq_show(struct seq_file *s, void *v)
767 struct list_head *list = v;
768 struct smack_known *skp =
769 list_entry_rcu(list, struct smack_known, list);
770 struct netlbl_lsm_catmap *cmp = skp->smk_netlabel.attr.mls.cat;
775 * Don't show a label that could not have been set using
776 * /smack/cipso. This is in support of the notion that
777 * anything read from /smack/cipso ought to be writeable
780 * /smack/cipso2 should be used instead.
782 if (strlen(skp->smk_known) >= SMK_LABELLEN)
785 seq_printf(s, "%s %3d", skp->smk_known, skp->smk_netlabel.attr.mls.lvl);
787 for (i = netlbl_catmap_walk(cmp, 0); i >= 0;
788 i = netlbl_catmap_walk(cmp, i + 1)) {
789 seq_printf(s, "%c%d", sep, i);
798 static const struct seq_operations cipso_seq_ops = {
799 .start = cipso_seq_start,
800 .next = cipso_seq_next,
801 .show = cipso_seq_show,
802 .stop = smk_seq_stop,
806 * smk_open_cipso - open() for /smack/cipso
807 * @inode: inode structure representing file
808 * @file: "cipso" file pointer
810 * Connect our cipso_seq_* operations with /smack/cipso
813 static int smk_open_cipso(struct inode *inode, struct file *file)
815 return seq_open(file, &cipso_seq_ops);
819 * smk_set_cipso - do the work for write() for cipso and cipso2
820 * @file: file pointer, not actually used
821 * @buf: where to get the data from
823 * @ppos: where to start
824 * @format: /smack/cipso or /smack/cipso2
826 * Accepts only one cipso rule per write call.
827 * Returns number of bytes written or error code, as appropriate
829 static ssize_t smk_set_cipso(struct file *file, const char __user *buf,
830 size_t count, loff_t *ppos, int format)
832 struct netlbl_lsm_catmap *old_cat;
833 struct smack_known *skp;
834 struct netlbl_lsm_secattr ncats;
835 char mapcatset[SMK_CIPSOLEN];
839 ssize_t rc = -EINVAL;
846 * Must have privilege.
848 * Enough data must be present.
850 if (!smack_privileged(CAP_MAC_ADMIN))
854 if (format == SMK_FIXED24_FMT &&
855 (count < SMK_CIPSOMIN || count > SMK_CIPSOMAX))
857 if (count > PAGE_SIZE)
860 data = memdup_user_nul(buf, count);
862 return PTR_ERR(data);
866 * Only allow one writer at a time. Writes should be
867 * quite rare and small in any case.
869 mutex_lock(&smack_cipso_lock);
871 skp = smk_import_entry(rule, 0);
877 if (format == SMK_FIXED24_FMT)
878 rule += SMK_LABELLEN;
880 rule += strlen(skp->smk_known) + 1;
882 if (rule > data + count) {
887 ret = sscanf(rule, "%d", &maplevel);
888 if (ret != 1 || maplevel < 0 || maplevel > SMACK_CIPSO_MAXLEVEL)
891 rule += SMK_DIGITLEN;
892 if (rule > data + count) {
897 ret = sscanf(rule, "%d", &catlen);
898 if (ret != 1 || catlen > SMACK_CIPSO_MAXCATNUM)
901 if (format == SMK_FIXED24_FMT &&
902 count != (SMK_CIPSOMIN + catlen * SMK_DIGITLEN))
905 memset(mapcatset, 0, sizeof(mapcatset));
907 for (i = 0; i < catlen; i++) {
908 rule += SMK_DIGITLEN;
909 if (rule > data + count) {
913 ret = sscanf(rule, "%u", &cat);
914 if (ret != 1 || cat > SMACK_CIPSO_MAXCATNUM)
917 smack_catset_bit(cat, mapcatset);
920 rc = smk_netlbl_mls(maplevel, mapcatset, &ncats, SMK_CIPSOLEN);
922 old_cat = skp->smk_netlabel.attr.mls.cat;
923 skp->smk_netlabel.attr.mls.cat = ncats.attr.mls.cat;
924 skp->smk_netlabel.attr.mls.lvl = ncats.attr.mls.lvl;
926 netlbl_catmap_free(old_cat);
929 * This mapping may have been cached, so clear the cache.
931 netlbl_cache_invalidate();
935 mutex_unlock(&smack_cipso_lock);
941 * smk_write_cipso - write() for /smack/cipso
942 * @file: file pointer, not actually used
943 * @buf: where to get the data from
945 * @ppos: where to start
947 * Accepts only one cipso rule per write call.
948 * Returns number of bytes written or error code, as appropriate
950 static ssize_t smk_write_cipso(struct file *file, const char __user *buf,
951 size_t count, loff_t *ppos)
953 return smk_set_cipso(file, buf, count, ppos, SMK_FIXED24_FMT);
956 static const struct file_operations smk_cipso_ops = {
957 .open = smk_open_cipso,
960 .write = smk_write_cipso,
961 .release = seq_release,
965 * Seq_file read operations for /smack/cipso2
969 * Print cipso labels in format:
970 * label level[/cat[,cat]]
972 static int cipso2_seq_show(struct seq_file *s, void *v)
974 struct list_head *list = v;
975 struct smack_known *skp =
976 list_entry_rcu(list, struct smack_known, list);
977 struct netlbl_lsm_catmap *cmp = skp->smk_netlabel.attr.mls.cat;
981 seq_printf(s, "%s %3d", skp->smk_known, skp->smk_netlabel.attr.mls.lvl);
983 for (i = netlbl_catmap_walk(cmp, 0); i >= 0;
984 i = netlbl_catmap_walk(cmp, i + 1)) {
985 seq_printf(s, "%c%d", sep, i);
994 static const struct seq_operations cipso2_seq_ops = {
995 .start = cipso_seq_start,
996 .next = cipso_seq_next,
997 .show = cipso2_seq_show,
998 .stop = smk_seq_stop,
1002 * smk_open_cipso2 - open() for /smack/cipso2
1003 * @inode: inode structure representing file
1004 * @file: "cipso2" file pointer
1006 * Connect our cipso_seq_* operations with /smack/cipso2
1009 static int smk_open_cipso2(struct inode *inode, struct file *file)
1011 return seq_open(file, &cipso2_seq_ops);
1015 * smk_write_cipso2 - write() for /smack/cipso2
1016 * @file: file pointer, not actually used
1017 * @buf: where to get the data from
1018 * @count: bytes sent
1019 * @ppos: where to start
1021 * Accepts only one cipso rule per write call.
1022 * Returns number of bytes written or error code, as appropriate
1024 static ssize_t smk_write_cipso2(struct file *file, const char __user *buf,
1025 size_t count, loff_t *ppos)
1027 return smk_set_cipso(file, buf, count, ppos, SMK_LONG_FMT);
1030 static const struct file_operations smk_cipso2_ops = {
1031 .open = smk_open_cipso2,
1033 .llseek = seq_lseek,
1034 .write = smk_write_cipso2,
1035 .release = seq_release,
1039 * Seq_file read operations for /smack/netlabel
1042 static void *net4addr_seq_start(struct seq_file *s, loff_t *pos)
1044 return smk_seq_start(s, pos, &smk_net4addr_list);
1047 static void *net4addr_seq_next(struct seq_file *s, void *v, loff_t *pos)
1049 return smk_seq_next(s, v, pos, &smk_net4addr_list);
1053 * Print host/label pairs
1055 static int net4addr_seq_show(struct seq_file *s, void *v)
1057 struct list_head *list = v;
1058 struct smk_net4addr *skp =
1059 list_entry_rcu(list, struct smk_net4addr, list);
1060 char *kp = SMACK_CIPSO_OPTION;
1062 if (skp->smk_label != NULL)
1063 kp = skp->smk_label->smk_known;
1064 seq_printf(s, "%pI4/%d %s\n", &skp->smk_host.s_addr,
1065 skp->smk_masks, kp);
1070 static const struct seq_operations net4addr_seq_ops = {
1071 .start = net4addr_seq_start,
1072 .next = net4addr_seq_next,
1073 .show = net4addr_seq_show,
1074 .stop = smk_seq_stop,
1078 * smk_open_net4addr - open() for /smack/netlabel
1079 * @inode: inode structure representing file
1080 * @file: "netlabel" file pointer
1082 * Connect our net4addr_seq_* operations with /smack/netlabel
1085 static int smk_open_net4addr(struct inode *inode, struct file *file)
1087 return seq_open(file, &net4addr_seq_ops);
1091 * smk_net4addr_insert
1092 * @new : netlabel to insert
1094 * This helper insert netlabel in the smack_net4addrs list
1095 * sorted by netmask length (longest to smallest)
1096 * locked by &smk_net4addr_lock in smk_write_net4addr
1099 static void smk_net4addr_insert(struct smk_net4addr *new)
1101 struct smk_net4addr *m;
1102 struct smk_net4addr *m_next;
1104 if (list_empty(&smk_net4addr_list)) {
1105 list_add_rcu(&new->list, &smk_net4addr_list);
1109 m = list_entry_rcu(smk_net4addr_list.next,
1110 struct smk_net4addr, list);
1112 /* the comparison '>' is a bit hacky, but works */
1113 if (new->smk_masks > m->smk_masks) {
1114 list_add_rcu(&new->list, &smk_net4addr_list);
1118 list_for_each_entry_rcu(m, &smk_net4addr_list, list) {
1119 if (list_is_last(&m->list, &smk_net4addr_list)) {
1120 list_add_rcu(&new->list, &m->list);
1123 m_next = list_entry_rcu(m->list.next,
1124 struct smk_net4addr, list);
1125 if (new->smk_masks > m_next->smk_masks) {
1126 list_add_rcu(&new->list, &m->list);
1134 * smk_write_net4addr - write() for /smack/netlabel
1135 * @file: file pointer, not actually used
1136 * @buf: where to get the data from
1137 * @count: bytes sent
1138 * @ppos: where to start
1140 * Accepts only one net4addr per write call.
1141 * Returns number of bytes written or error code, as appropriate
1143 static ssize_t smk_write_net4addr(struct file *file, const char __user *buf,
1144 size_t count, loff_t *ppos)
1146 struct smk_net4addr *snp;
1147 struct sockaddr_in newname;
1149 struct smack_known *skp = NULL;
1151 char *host = (char *)&newname.sin_addr.s_addr;
1153 struct netlbl_audit audit_info;
1154 struct in_addr mask;
1158 u32 mask_bits = (1<<31);
1163 * Must have privilege.
1164 * No partial writes.
1165 * Enough data must be present.
1166 * "<addr/mask, as a.b.c.d/e><space><label>"
1167 * "<addr, as a.b.c.d><space><label>"
1169 if (!smack_privileged(CAP_MAC_ADMIN))
1173 if (count < SMK_NETLBLADDRMIN || count > PAGE_SIZE - 1)
1176 data = memdup_user_nul(buf, count);
1178 return PTR_ERR(data);
1180 smack = kzalloc(count + 1, GFP_KERNEL);
1181 if (smack == NULL) {
1186 rc = sscanf(data, "%hhd.%hhd.%hhd.%hhd/%u %s",
1187 &host[0], &host[1], &host[2], &host[3], &masks, smack);
1189 rc = sscanf(data, "%hhd.%hhd.%hhd.%hhd %s",
1190 &host[0], &host[1], &host[2], &host[3], smack);
1198 if (masks > BEBITS) {
1204 * If smack begins with '-', it is an option, don't import it
1206 if (smack[0] != '-') {
1207 skp = smk_import_entry(smack, 0);
1214 * Only the -CIPSO option is supported for IPv4
1216 if (strcmp(smack, SMACK_CIPSO_OPTION) != 0) {
1222 for (m = masks, temp_mask = 0; m > 0; m--) {
1223 temp_mask |= mask_bits;
1226 mask.s_addr = cpu_to_be32(temp_mask);
1228 newname.sin_addr.s_addr &= mask.s_addr;
1230 * Only allow one writer at a time. Writes should be
1231 * quite rare and small in any case.
1233 mutex_lock(&smk_net4addr_lock);
1235 nsa = newname.sin_addr.s_addr;
1236 /* try to find if the prefix is already in the list */
1238 list_for_each_entry_rcu(snp, &smk_net4addr_list, list) {
1239 if (snp->smk_host.s_addr == nsa && snp->smk_masks == masks) {
1244 smk_netlabel_audit_set(&audit_info);
1247 snp = kzalloc(sizeof(*snp), GFP_KERNEL);
1252 snp->smk_host.s_addr = newname.sin_addr.s_addr;
1253 snp->smk_mask.s_addr = mask.s_addr;
1254 snp->smk_label = skp;
1255 snp->smk_masks = masks;
1256 smk_net4addr_insert(snp);
1260 * Delete the unlabeled entry, only if the previous label
1261 * wasn't the special CIPSO option
1263 if (snp->smk_label != NULL)
1264 rc = netlbl_cfg_unlbl_static_del(&init_net, NULL,
1265 &snp->smk_host, &snp->smk_mask,
1266 PF_INET, &audit_info);
1269 snp->smk_label = skp;
1273 * Now tell netlabel about the single label nature of
1274 * this host so that incoming packets get labeled.
1275 * but only if we didn't get the special CIPSO option
1277 if (rc == 0 && skp != NULL)
1278 rc = netlbl_cfg_unlbl_static_add(&init_net, NULL,
1279 &snp->smk_host, &snp->smk_mask, PF_INET,
1280 snp->smk_label->smk_secid, &audit_info);
1285 mutex_unlock(&smk_net4addr_lock);
1295 static const struct file_operations smk_net4addr_ops = {
1296 .open = smk_open_net4addr,
1298 .llseek = seq_lseek,
1299 .write = smk_write_net4addr,
1300 .release = seq_release,
1303 #if IS_ENABLED(CONFIG_IPV6)
1305 * Seq_file read operations for /smack/netlabel6
1308 static void *net6addr_seq_start(struct seq_file *s, loff_t *pos)
1310 return smk_seq_start(s, pos, &smk_net6addr_list);
1313 static void *net6addr_seq_next(struct seq_file *s, void *v, loff_t *pos)
1315 return smk_seq_next(s, v, pos, &smk_net6addr_list);
1319 * Print host/label pairs
1321 static int net6addr_seq_show(struct seq_file *s, void *v)
1323 struct list_head *list = v;
1324 struct smk_net6addr *skp =
1325 list_entry(list, struct smk_net6addr, list);
1327 if (skp->smk_label != NULL)
1328 seq_printf(s, "%pI6/%d %s\n", &skp->smk_host, skp->smk_masks,
1329 skp->smk_label->smk_known);
1334 static const struct seq_operations net6addr_seq_ops = {
1335 .start = net6addr_seq_start,
1336 .next = net6addr_seq_next,
1337 .show = net6addr_seq_show,
1338 .stop = smk_seq_stop,
1342 * smk_open_net6addr - open() for /smack/netlabel
1343 * @inode: inode structure representing file
1344 * @file: "netlabel" file pointer
1346 * Connect our net6addr_seq_* operations with /smack/netlabel
1349 static int smk_open_net6addr(struct inode *inode, struct file *file)
1351 return seq_open(file, &net6addr_seq_ops);
1355 * smk_net6addr_insert
1356 * @new : entry to insert
1358 * This inserts an entry in the smack_net6addrs list
1359 * sorted by netmask length (longest to smallest)
1360 * locked by &smk_net6addr_lock in smk_write_net6addr
1363 static void smk_net6addr_insert(struct smk_net6addr *new)
1365 struct smk_net6addr *m_next;
1366 struct smk_net6addr *m;
1368 if (list_empty(&smk_net6addr_list)) {
1369 list_add_rcu(&new->list, &smk_net6addr_list);
1373 m = list_entry_rcu(smk_net6addr_list.next,
1374 struct smk_net6addr, list);
1376 if (new->smk_masks > m->smk_masks) {
1377 list_add_rcu(&new->list, &smk_net6addr_list);
1381 list_for_each_entry_rcu(m, &smk_net6addr_list, list) {
1382 if (list_is_last(&m->list, &smk_net6addr_list)) {
1383 list_add_rcu(&new->list, &m->list);
1386 m_next = list_entry_rcu(m->list.next,
1387 struct smk_net6addr, list);
1388 if (new->smk_masks > m_next->smk_masks) {
1389 list_add_rcu(&new->list, &m->list);
1397 * smk_write_net6addr - write() for /smack/netlabel
1398 * @file: file pointer, not actually used
1399 * @buf: where to get the data from
1400 * @count: bytes sent
1401 * @ppos: where to start
1403 * Accepts only one net6addr per write call.
1404 * Returns number of bytes written or error code, as appropriate
1406 static ssize_t smk_write_net6addr(struct file *file, const char __user *buf,
1407 size_t count, loff_t *ppos)
1409 struct smk_net6addr *snp;
1410 struct in6_addr newname;
1411 struct in6_addr fullmask;
1412 struct smack_known *skp = NULL;
1418 unsigned int scanned[8];
1420 unsigned int mask = 128;
1423 * Must have privilege.
1424 * No partial writes.
1425 * Enough data must be present.
1426 * "<addr/mask, as a:b:c:d:e:f:g:h/e><space><label>"
1427 * "<addr, as a:b:c:d:e:f:g:h><space><label>"
1429 if (!smack_privileged(CAP_MAC_ADMIN))
1433 if (count < SMK_NETLBLADDRMIN || count > PAGE_SIZE - 1)
1436 data = memdup_user_nul(buf, count);
1438 return PTR_ERR(data);
1440 smack = kzalloc(count + 1, GFP_KERNEL);
1441 if (smack == NULL) {
1446 i = sscanf(data, "%x:%x:%x:%x:%x:%x:%x:%x/%u %s",
1447 &scanned[0], &scanned[1], &scanned[2], &scanned[3],
1448 &scanned[4], &scanned[5], &scanned[6], &scanned[7],
1451 i = sscanf(data, "%x:%x:%x:%x:%x:%x:%x:%x %s",
1452 &scanned[0], &scanned[1], &scanned[2],
1453 &scanned[3], &scanned[4], &scanned[5],
1454 &scanned[6], &scanned[7], smack);
1464 for (i = 0; i < 8; i++) {
1465 if (scanned[i] > 0xffff) {
1469 newname.s6_addr16[i] = htons(scanned[i]);
1473 * If smack begins with '-', it is an option, don't import it
1475 if (smack[0] != '-') {
1476 skp = smk_import_entry(smack, 0);
1483 * Only -DELETE is supported for IPv6
1485 if (strcmp(smack, SMACK_DELETE_OPTION) != 0) {
1491 for (i = 0, m = mask; i < 8; i++) {
1493 fullmask.s6_addr16[i] = 0xffff;
1496 fullmask.s6_addr16[i] = (1 << m) - 1;
1499 fullmask.s6_addr16[i] = 0;
1500 newname.s6_addr16[i] &= fullmask.s6_addr16[i];
1504 * Only allow one writer at a time. Writes should be
1505 * quite rare and small in any case.
1507 mutex_lock(&smk_net6addr_lock);
1509 * Try to find the prefix in the list
1511 list_for_each_entry_rcu(snp, &smk_net6addr_list, list) {
1512 if (mask != snp->smk_masks)
1514 for (found = 1, i = 0; i < 8; i++) {
1515 if (newname.s6_addr16[i] !=
1516 snp->smk_host.s6_addr16[i]) {
1525 snp = kzalloc(sizeof(*snp), GFP_KERNEL);
1529 snp->smk_host = newname;
1530 snp->smk_mask = fullmask;
1531 snp->smk_masks = mask;
1532 snp->smk_label = skp;
1533 smk_net6addr_insert(snp);
1536 snp->smk_label = skp;
1542 mutex_unlock(&smk_net6addr_lock);
1552 static const struct file_operations smk_net6addr_ops = {
1553 .open = smk_open_net6addr,
1555 .llseek = seq_lseek,
1556 .write = smk_write_net6addr,
1557 .release = seq_release,
1559 #endif /* CONFIG_IPV6 */
1562 * smk_read_doi - read() for /smack/doi
1563 * @filp: file pointer, not actually used
1564 * @buf: where to put the result
1565 * @count: maximum to send along
1566 * @ppos: where to start
1568 * Returns number of bytes read or error code, as appropriate
1570 static ssize_t smk_read_doi(struct file *filp, char __user *buf,
1571 size_t count, loff_t *ppos)
1579 sprintf(temp, "%d", smk_cipso_doi_value);
1580 rc = simple_read_from_buffer(buf, count, ppos, temp, strlen(temp));
1586 * smk_write_doi - write() for /smack/doi
1587 * @file: file pointer, not actually used
1588 * @buf: where to get the data from
1589 * @count: bytes sent
1590 * @ppos: where to start
1592 * Returns number of bytes written or error code, as appropriate
1594 static ssize_t smk_write_doi(struct file *file, const char __user *buf,
1595 size_t count, loff_t *ppos)
1600 if (!smack_privileged(CAP_MAC_ADMIN))
1603 if (count >= sizeof(temp) || count == 0)
1606 if (copy_from_user(temp, buf, count) != 0)
1611 if (sscanf(temp, "%d", &i) != 1)
1614 smk_cipso_doi_value = i;
1621 static const struct file_operations smk_doi_ops = {
1622 .read = smk_read_doi,
1623 .write = smk_write_doi,
1624 .llseek = default_llseek,
1628 * smk_read_direct - read() for /smack/direct
1629 * @filp: file pointer, not actually used
1630 * @buf: where to put the result
1631 * @count: maximum to send along
1632 * @ppos: where to start
1634 * Returns number of bytes read or error code, as appropriate
1636 static ssize_t smk_read_direct(struct file *filp, char __user *buf,
1637 size_t count, loff_t *ppos)
1645 sprintf(temp, "%d", smack_cipso_direct);
1646 rc = simple_read_from_buffer(buf, count, ppos, temp, strlen(temp));
1652 * smk_write_direct - write() for /smack/direct
1653 * @file: file pointer, not actually used
1654 * @buf: where to get the data from
1655 * @count: bytes sent
1656 * @ppos: where to start
1658 * Returns number of bytes written or error code, as appropriate
1660 static ssize_t smk_write_direct(struct file *file, const char __user *buf,
1661 size_t count, loff_t *ppos)
1663 struct smack_known *skp;
1667 if (!smack_privileged(CAP_MAC_ADMIN))
1670 if (count >= sizeof(temp) || count == 0)
1673 if (copy_from_user(temp, buf, count) != 0)
1678 if (sscanf(temp, "%d", &i) != 1)
1682 * Don't do anything if the value hasn't actually changed.
1683 * If it is changing reset the level on entries that were
1684 * set up to be direct when they were created.
1686 if (smack_cipso_direct != i) {
1687 mutex_lock(&smack_known_lock);
1688 list_for_each_entry_rcu(skp, &smack_known_list, list)
1689 if (skp->smk_netlabel.attr.mls.lvl ==
1691 skp->smk_netlabel.attr.mls.lvl = i;
1692 smack_cipso_direct = i;
1693 mutex_unlock(&smack_known_lock);
1699 static const struct file_operations smk_direct_ops = {
1700 .read = smk_read_direct,
1701 .write = smk_write_direct,
1702 .llseek = default_llseek,
1706 * smk_read_mapped - read() for /smack/mapped
1707 * @filp: file pointer, not actually used
1708 * @buf: where to put the result
1709 * @count: maximum to send along
1710 * @ppos: where to start
1712 * Returns number of bytes read or error code, as appropriate
1714 static ssize_t smk_read_mapped(struct file *filp, char __user *buf,
1715 size_t count, loff_t *ppos)
1723 sprintf(temp, "%d", smack_cipso_mapped);
1724 rc = simple_read_from_buffer(buf, count, ppos, temp, strlen(temp));
1730 * smk_write_mapped - write() for /smack/mapped
1731 * @file: file pointer, not actually used
1732 * @buf: where to get the data from
1733 * @count: bytes sent
1734 * @ppos: where to start
1736 * Returns number of bytes written or error code, as appropriate
1738 static ssize_t smk_write_mapped(struct file *file, const char __user *buf,
1739 size_t count, loff_t *ppos)
1741 struct smack_known *skp;
1745 if (!smack_privileged(CAP_MAC_ADMIN))
1748 if (count >= sizeof(temp) || count == 0)
1751 if (copy_from_user(temp, buf, count) != 0)
1756 if (sscanf(temp, "%d", &i) != 1)
1760 * Don't do anything if the value hasn't actually changed.
1761 * If it is changing reset the level on entries that were
1762 * set up to be mapped when they were created.
1764 if (smack_cipso_mapped != i) {
1765 mutex_lock(&smack_known_lock);
1766 list_for_each_entry_rcu(skp, &smack_known_list, list)
1767 if (skp->smk_netlabel.attr.mls.lvl ==
1769 skp->smk_netlabel.attr.mls.lvl = i;
1770 smack_cipso_mapped = i;
1771 mutex_unlock(&smack_known_lock);
1777 static const struct file_operations smk_mapped_ops = {
1778 .read = smk_read_mapped,
1779 .write = smk_write_mapped,
1780 .llseek = default_llseek,
1784 * smk_read_ambient - read() for /smack/ambient
1785 * @filp: file pointer, not actually used
1786 * @buf: where to put the result
1787 * @cn: maximum to send along
1788 * @ppos: where to start
1790 * Returns number of bytes read or error code, as appropriate
1792 static ssize_t smk_read_ambient(struct file *filp, char __user *buf,
1793 size_t cn, loff_t *ppos)
1801 * Being careful to avoid a problem in the case where
1802 * smack_net_ambient gets changed in midstream.
1804 mutex_lock(&smack_ambient_lock);
1806 asize = strlen(smack_net_ambient->smk_known) + 1;
1809 rc = simple_read_from_buffer(buf, cn, ppos,
1810 smack_net_ambient->smk_known,
1815 mutex_unlock(&smack_ambient_lock);
1821 * smk_write_ambient - write() for /smack/ambient
1822 * @file: file pointer, not actually used
1823 * @buf: where to get the data from
1824 * @count: bytes sent
1825 * @ppos: where to start
1827 * Returns number of bytes written or error code, as appropriate
1829 static ssize_t smk_write_ambient(struct file *file, const char __user *buf,
1830 size_t count, loff_t *ppos)
1832 struct smack_known *skp;
1837 if (!smack_privileged(CAP_MAC_ADMIN))
1840 /* Enough data must be present */
1841 if (count == 0 || count > PAGE_SIZE)
1844 data = memdup_user_nul(buf, count);
1846 return PTR_ERR(data);
1848 skp = smk_import_entry(data, count);
1854 mutex_lock(&smack_ambient_lock);
1856 oldambient = smack_net_ambient->smk_known;
1857 smack_net_ambient = skp;
1858 smk_unlbl_ambient(oldambient);
1860 mutex_unlock(&smack_ambient_lock);
1867 static const struct file_operations smk_ambient_ops = {
1868 .read = smk_read_ambient,
1869 .write = smk_write_ambient,
1870 .llseek = default_llseek,
1874 * Seq_file operations for /smack/onlycap
1876 static void *onlycap_seq_start(struct seq_file *s, loff_t *pos)
1878 return smk_seq_start(s, pos, &smack_onlycap_list);
1881 static void *onlycap_seq_next(struct seq_file *s, void *v, loff_t *pos)
1883 return smk_seq_next(s, v, pos, &smack_onlycap_list);
1886 static int onlycap_seq_show(struct seq_file *s, void *v)
1888 struct list_head *list = v;
1889 struct smack_known_list_elem *sklep =
1890 list_entry_rcu(list, struct smack_known_list_elem, list);
1892 seq_puts(s, sklep->smk_label->smk_known);
1898 static const struct seq_operations onlycap_seq_ops = {
1899 .start = onlycap_seq_start,
1900 .next = onlycap_seq_next,
1901 .show = onlycap_seq_show,
1902 .stop = smk_seq_stop,
1905 static int smk_open_onlycap(struct inode *inode, struct file *file)
1907 return seq_open(file, &onlycap_seq_ops);
1911 * smk_list_swap_rcu - swap public list with a private one in RCU-safe way
1912 * The caller must hold appropriate mutex to prevent concurrent modifications
1913 * to the public list.
1914 * Private list is assumed to be not accessible to other threads yet.
1916 * @public: public list
1917 * @private: private list
1919 static void smk_list_swap_rcu(struct list_head *public,
1920 struct list_head *private)
1922 struct list_head *first, *last;
1924 if (list_empty(public)) {
1925 list_splice_init_rcu(private, public, synchronize_rcu);
1927 /* Remember public list before replacing it */
1928 first = public->next;
1929 last = public->prev;
1931 /* Publish private list in place of public in RCU-safe way */
1932 private->prev->next = public;
1933 private->next->prev = public;
1934 rcu_assign_pointer(public->next, private->next);
1935 public->prev = private->prev;
1939 /* When all readers are done with the old public list,
1940 * attach it in place of private */
1941 private->next = first;
1942 private->prev = last;
1943 first->prev = private;
1944 last->next = private;
1949 * smk_parse_label_list - parse list of Smack labels, separated by spaces
1951 * @data: the string to parse
1952 * @list: destination list
1954 * Returns zero on success or error code, as appropriate
1956 static int smk_parse_label_list(char *data, struct list_head *list)
1959 struct smack_known *skp;
1960 struct smack_known_list_elem *sklep;
1962 while ((tok = strsep(&data, " ")) != NULL) {
1966 skp = smk_import_entry(tok, 0);
1968 return PTR_ERR(skp);
1970 sklep = kzalloc(sizeof(*sklep), GFP_KERNEL);
1974 sklep->smk_label = skp;
1975 list_add(&sklep->list, list);
1982 * smk_destroy_label_list - destroy a list of smack_known_list_elem
1983 * @list: header pointer of the list to destroy
1985 void smk_destroy_label_list(struct list_head *list)
1987 struct smack_known_list_elem *sklep;
1988 struct smack_known_list_elem *sklep2;
1990 list_for_each_entry_safe(sklep, sklep2, list, list)
1993 INIT_LIST_HEAD(list);
1997 * smk_write_onlycap - write() for smackfs/onlycap
1998 * @file: file pointer, not actually used
1999 * @buf: where to get the data from
2000 * @count: bytes sent
2001 * @ppos: where to start
2003 * Returns number of bytes written or error code, as appropriate
2005 static ssize_t smk_write_onlycap(struct file *file, const char __user *buf,
2006 size_t count, loff_t *ppos)
2009 LIST_HEAD(list_tmp);
2012 if (!smack_privileged(CAP_MAC_ADMIN))
2015 if (count > PAGE_SIZE)
2018 data = memdup_user_nul(buf, count);
2020 return PTR_ERR(data);
2022 rc = smk_parse_label_list(data, &list_tmp);
2026 * Clear the smack_onlycap on invalid label errors. This means
2027 * that we can pass a null string to unset the onlycap value.
2029 * Importing will also reject a label beginning with '-',
2030 * so "-usecapabilities" will also work.
2032 * But do so only on invalid label, not on system errors.
2033 * The invalid label must be first to count as clearing attempt.
2035 if (!rc || (rc == -EINVAL && list_empty(&list_tmp))) {
2036 mutex_lock(&smack_onlycap_lock);
2037 smk_list_swap_rcu(&smack_onlycap_list, &list_tmp);
2038 mutex_unlock(&smack_onlycap_lock);
2042 smk_destroy_label_list(&list_tmp);
2047 static const struct file_operations smk_onlycap_ops = {
2048 .open = smk_open_onlycap,
2050 .write = smk_write_onlycap,
2051 .llseek = seq_lseek,
2052 .release = seq_release,
2055 #ifdef CONFIG_SECURITY_SMACK_BRINGUP
2057 * smk_read_unconfined - read() for smackfs/unconfined
2058 * @filp: file pointer, not actually used
2059 * @buf: where to put the result
2060 * @cn: maximum to send along
2061 * @ppos: where to start
2063 * Returns number of bytes read or error code, as appropriate
2065 static ssize_t smk_read_unconfined(struct file *filp, char __user *buf,
2066 size_t cn, loff_t *ppos)
2069 ssize_t rc = -EINVAL;
2075 if (smack_unconfined != NULL)
2076 smack = smack_unconfined->smk_known;
2078 asize = strlen(smack) + 1;
2081 rc = simple_read_from_buffer(buf, cn, ppos, smack, asize);
2087 * smk_write_unconfined - write() for smackfs/unconfined
2088 * @file: file pointer, not actually used
2089 * @buf: where to get the data from
2090 * @count: bytes sent
2091 * @ppos: where to start
2093 * Returns number of bytes written or error code, as appropriate
2095 static ssize_t smk_write_unconfined(struct file *file, const char __user *buf,
2096 size_t count, loff_t *ppos)
2099 struct smack_known *skp;
2102 if (!smack_privileged(CAP_MAC_ADMIN))
2105 if (count > PAGE_SIZE)
2108 data = memdup_user_nul(buf, count);
2110 return PTR_ERR(data);
2113 * Clear the smack_unconfined on invalid label errors. This means
2114 * that we can pass a null string to unset the unconfined value.
2116 * Importing will also reject a label beginning with '-',
2117 * so "-confine" will also work.
2119 * But do so only on invalid label, not on system errors.
2121 skp = smk_import_entry(data, count);
2122 if (PTR_ERR(skp) == -EINVAL)
2124 else if (IS_ERR(skp)) {
2129 smack_unconfined = skp;
2136 static const struct file_operations smk_unconfined_ops = {
2137 .read = smk_read_unconfined,
2138 .write = smk_write_unconfined,
2139 .llseek = default_llseek,
2141 #endif /* CONFIG_SECURITY_SMACK_BRINGUP */
2144 * smk_read_logging - read() for /smack/logging
2145 * @filp: file pointer, not actually used
2146 * @buf: where to put the result
2147 * @count: maximum to send along
2148 * @ppos: where to start
2150 * Returns number of bytes read or error code, as appropriate
2152 static ssize_t smk_read_logging(struct file *filp, char __user *buf,
2153 size_t count, loff_t *ppos)
2161 sprintf(temp, "%d\n", log_policy);
2162 rc = simple_read_from_buffer(buf, count, ppos, temp, strlen(temp));
2167 * smk_write_logging - write() for /smack/logging
2168 * @file: file pointer, not actually used
2169 * @buf: where to get the data from
2170 * @count: bytes sent
2171 * @ppos: where to start
2173 * Returns number of bytes written or error code, as appropriate
2175 static ssize_t smk_write_logging(struct file *file, const char __user *buf,
2176 size_t count, loff_t *ppos)
2181 if (!smack_privileged(CAP_MAC_ADMIN))
2184 if (count >= sizeof(temp) || count == 0)
2187 if (copy_from_user(temp, buf, count) != 0)
2192 if (sscanf(temp, "%d", &i) != 1)
2202 static const struct file_operations smk_logging_ops = {
2203 .read = smk_read_logging,
2204 .write = smk_write_logging,
2205 .llseek = default_llseek,
2209 * Seq_file read operations for /smack/load-self
2212 static void *load_self_seq_start(struct seq_file *s, loff_t *pos)
2214 struct task_smack *tsp = smack_cred(current_cred());
2216 return smk_seq_start(s, pos, &tsp->smk_rules);
2219 static void *load_self_seq_next(struct seq_file *s, void *v, loff_t *pos)
2221 struct task_smack *tsp = smack_cred(current_cred());
2223 return smk_seq_next(s, v, pos, &tsp->smk_rules);
2226 static int load_self_seq_show(struct seq_file *s, void *v)
2228 struct list_head *list = v;
2229 struct smack_rule *srp =
2230 list_entry_rcu(list, struct smack_rule, list);
2232 smk_rule_show(s, srp, SMK_LABELLEN);
2237 static const struct seq_operations load_self_seq_ops = {
2238 .start = load_self_seq_start,
2239 .next = load_self_seq_next,
2240 .show = load_self_seq_show,
2241 .stop = smk_seq_stop,
2246 * smk_open_load_self - open() for /smack/load-self2
2247 * @inode: inode structure representing file
2248 * @file: "load" file pointer
2250 * For reading, use load_seq_* seq_file reading operations.
2252 static int smk_open_load_self(struct inode *inode, struct file *file)
2254 return seq_open(file, &load_self_seq_ops);
2258 * smk_write_load_self - write() for /smack/load-self
2259 * @file: file pointer, not actually used
2260 * @buf: where to get the data from
2261 * @count: bytes sent
2262 * @ppos: where to start - must be 0
2265 static ssize_t smk_write_load_self(struct file *file, const char __user *buf,
2266 size_t count, loff_t *ppos)
2268 struct task_smack *tsp = smack_cred(current_cred());
2270 return smk_write_rules_list(file, buf, count, ppos, &tsp->smk_rules,
2271 &tsp->smk_rules_lock, SMK_FIXED24_FMT);
2274 static const struct file_operations smk_load_self_ops = {
2275 .open = smk_open_load_self,
2277 .llseek = seq_lseek,
2278 .write = smk_write_load_self,
2279 .release = seq_release,
2283 * smk_user_access - handle access check transaction
2284 * @file: file pointer
2285 * @buf: data from user space
2286 * @count: bytes sent
2287 * @ppos: where to start - must be 0
2288 * @format: /smack/load or /smack/load2 or /smack/change-rule format.
2290 static ssize_t smk_user_access(struct file *file, const char __user *buf,
2291 size_t count, loff_t *ppos, int format)
2293 struct smack_parsed_rule rule;
2297 data = simple_transaction_get(file, buf, count);
2299 return PTR_ERR(data);
2301 if (format == SMK_FIXED24_FMT) {
2302 if (count < SMK_LOADLEN)
2304 res = smk_parse_rule(data, &rule, 0);
2307 * simple_transaction_get() returns null-terminated data
2309 res = smk_parse_long_rule(data, &rule, 0, 3);
2313 res = smk_access(rule.smk_subject, rule.smk_object,
2314 rule.smk_access1, NULL);
2315 else if (res != -ENOENT)
2319 * smk_access() can return a value > 0 in the "bringup" case.
2321 data[0] = res >= 0 ? '1' : '0';
2324 simple_transaction_set(file, 2);
2326 if (format == SMK_FIXED24_FMT)
2332 * smk_write_access - handle access check transaction
2333 * @file: file pointer
2334 * @buf: data from user space
2335 * @count: bytes sent
2336 * @ppos: where to start - must be 0
2338 static ssize_t smk_write_access(struct file *file, const char __user *buf,
2339 size_t count, loff_t *ppos)
2341 return smk_user_access(file, buf, count, ppos, SMK_FIXED24_FMT);
2344 static const struct file_operations smk_access_ops = {
2345 .write = smk_write_access,
2346 .read = simple_transaction_read,
2347 .release = simple_transaction_release,
2348 .llseek = generic_file_llseek,
2353 * Seq_file read operations for /smack/load2
2356 static int load2_seq_show(struct seq_file *s, void *v)
2358 struct list_head *list = v;
2359 struct smack_rule *srp;
2360 struct smack_known *skp =
2361 list_entry_rcu(list, struct smack_known, list);
2363 list_for_each_entry_rcu(srp, &skp->smk_rules, list)
2364 smk_rule_show(s, srp, SMK_LONGLABEL);
2369 static const struct seq_operations load2_seq_ops = {
2370 .start = load2_seq_start,
2371 .next = load2_seq_next,
2372 .show = load2_seq_show,
2373 .stop = smk_seq_stop,
2377 * smk_open_load2 - open() for /smack/load2
2378 * @inode: inode structure representing file
2379 * @file: "load2" file pointer
2381 * For reading, use load2_seq_* seq_file reading operations.
2383 static int smk_open_load2(struct inode *inode, struct file *file)
2385 return seq_open(file, &load2_seq_ops);
2389 * smk_write_load2 - write() for /smack/load2
2390 * @file: file pointer, not actually used
2391 * @buf: where to get the data from
2392 * @count: bytes sent
2393 * @ppos: where to start - must be 0
2396 static ssize_t smk_write_load2(struct file *file, const char __user *buf,
2397 size_t count, loff_t *ppos)
2400 * Must have privilege.
2402 if (!smack_privileged(CAP_MAC_ADMIN))
2405 return smk_write_rules_list(file, buf, count, ppos, NULL, NULL,
2409 static const struct file_operations smk_load2_ops = {
2410 .open = smk_open_load2,
2412 .llseek = seq_lseek,
2413 .write = smk_write_load2,
2414 .release = seq_release,
2418 * Seq_file read operations for /smack/load-self2
2421 static void *load_self2_seq_start(struct seq_file *s, loff_t *pos)
2423 struct task_smack *tsp = smack_cred(current_cred());
2425 return smk_seq_start(s, pos, &tsp->smk_rules);
2428 static void *load_self2_seq_next(struct seq_file *s, void *v, loff_t *pos)
2430 struct task_smack *tsp = smack_cred(current_cred());
2432 return smk_seq_next(s, v, pos, &tsp->smk_rules);
2435 static int load_self2_seq_show(struct seq_file *s, void *v)
2437 struct list_head *list = v;
2438 struct smack_rule *srp =
2439 list_entry_rcu(list, struct smack_rule, list);
2441 smk_rule_show(s, srp, SMK_LONGLABEL);
2446 static const struct seq_operations load_self2_seq_ops = {
2447 .start = load_self2_seq_start,
2448 .next = load_self2_seq_next,
2449 .show = load_self2_seq_show,
2450 .stop = smk_seq_stop,
2454 * smk_open_load_self2 - open() for /smack/load-self2
2455 * @inode: inode structure representing file
2456 * @file: "load" file pointer
2458 * For reading, use load_seq_* seq_file reading operations.
2460 static int smk_open_load_self2(struct inode *inode, struct file *file)
2462 return seq_open(file, &load_self2_seq_ops);
2466 * smk_write_load_self2 - write() for /smack/load-self2
2467 * @file: file pointer, not actually used
2468 * @buf: where to get the data from
2469 * @count: bytes sent
2470 * @ppos: where to start - must be 0
2473 static ssize_t smk_write_load_self2(struct file *file, const char __user *buf,
2474 size_t count, loff_t *ppos)
2476 struct task_smack *tsp = smack_cred(current_cred());
2478 return smk_write_rules_list(file, buf, count, ppos, &tsp->smk_rules,
2479 &tsp->smk_rules_lock, SMK_LONG_FMT);
2482 static const struct file_operations smk_load_self2_ops = {
2483 .open = smk_open_load_self2,
2485 .llseek = seq_lseek,
2486 .write = smk_write_load_self2,
2487 .release = seq_release,
2491 * smk_write_access2 - handle access check transaction
2492 * @file: file pointer
2493 * @buf: data from user space
2494 * @count: bytes sent
2495 * @ppos: where to start - must be 0
2497 static ssize_t smk_write_access2(struct file *file, const char __user *buf,
2498 size_t count, loff_t *ppos)
2500 return smk_user_access(file, buf, count, ppos, SMK_LONG_FMT);
2503 static const struct file_operations smk_access2_ops = {
2504 .write = smk_write_access2,
2505 .read = simple_transaction_read,
2506 .release = simple_transaction_release,
2507 .llseek = generic_file_llseek,
2511 * smk_write_revoke_subj - write() for /smack/revoke-subject
2512 * @file: file pointer
2513 * @buf: data from user space
2514 * @count: bytes sent
2515 * @ppos: where to start - must be 0
2517 static ssize_t smk_write_revoke_subj(struct file *file, const char __user *buf,
2518 size_t count, loff_t *ppos)
2522 struct smack_known *skp;
2523 struct smack_rule *sp;
2524 struct list_head *rule_list;
2525 struct mutex *rule_lock;
2531 if (!smack_privileged(CAP_MAC_ADMIN))
2534 if (count == 0 || count > SMK_LONGLABEL)
2537 data = memdup_user(buf, count);
2539 return PTR_ERR(data);
2541 cp = smk_parse_smack(data, count);
2547 skp = smk_find_entry(cp);
2551 rule_list = &skp->smk_rules;
2552 rule_lock = &skp->smk_rules_lock;
2554 mutex_lock(rule_lock);
2556 list_for_each_entry_rcu(sp, rule_list, list)
2559 mutex_unlock(rule_lock);
2569 static const struct file_operations smk_revoke_subj_ops = {
2570 .write = smk_write_revoke_subj,
2571 .read = simple_transaction_read,
2572 .release = simple_transaction_release,
2573 .llseek = generic_file_llseek,
2577 * smk_init_sysfs - initialize /sys/fs/smackfs
2580 static int smk_init_sysfs(void)
2582 return sysfs_create_mount_point(fs_kobj, "smackfs");
2586 * smk_write_change_rule - write() for /smack/change-rule
2587 * @file: file pointer
2588 * @buf: data from user space
2589 * @count: bytes sent
2590 * @ppos: where to start - must be 0
2592 static ssize_t smk_write_change_rule(struct file *file, const char __user *buf,
2593 size_t count, loff_t *ppos)
2596 * Must have privilege.
2598 if (!smack_privileged(CAP_MAC_ADMIN))
2601 return smk_write_rules_list(file, buf, count, ppos, NULL, NULL,
2605 static const struct file_operations smk_change_rule_ops = {
2606 .write = smk_write_change_rule,
2607 .read = simple_transaction_read,
2608 .release = simple_transaction_release,
2609 .llseek = generic_file_llseek,
2613 * smk_read_syslog - read() for smackfs/syslog
2614 * @filp: file pointer, not actually used
2615 * @buf: where to put the result
2616 * @cn: maximum to send along
2617 * @ppos: where to start
2619 * Returns number of bytes read or error code, as appropriate
2621 static ssize_t smk_read_syslog(struct file *filp, char __user *buf,
2622 size_t cn, loff_t *ppos)
2624 struct smack_known *skp;
2625 ssize_t rc = -EINVAL;
2631 if (smack_syslog_label == NULL)
2632 skp = &smack_known_star;
2634 skp = smack_syslog_label;
2636 asize = strlen(skp->smk_known) + 1;
2639 rc = simple_read_from_buffer(buf, cn, ppos, skp->smk_known,
2646 * smk_write_syslog - write() for smackfs/syslog
2647 * @file: file pointer, not actually used
2648 * @buf: where to get the data from
2649 * @count: bytes sent
2650 * @ppos: where to start
2652 * Returns number of bytes written or error code, as appropriate
2654 static ssize_t smk_write_syslog(struct file *file, const char __user *buf,
2655 size_t count, loff_t *ppos)
2658 struct smack_known *skp;
2661 if (!smack_privileged(CAP_MAC_ADMIN))
2664 /* Enough data must be present */
2665 if (count == 0 || count > PAGE_SIZE)
2668 data = memdup_user_nul(buf, count);
2670 return PTR_ERR(data);
2672 skp = smk_import_entry(data, count);
2676 smack_syslog_label = skp;
2682 static const struct file_operations smk_syslog_ops = {
2683 .read = smk_read_syslog,
2684 .write = smk_write_syslog,
2685 .llseek = default_llseek,
2689 * Seq_file read operations for /smack/relabel-self
2692 static void *relabel_self_seq_start(struct seq_file *s, loff_t *pos)
2694 struct task_smack *tsp = smack_cred(current_cred());
2696 return smk_seq_start(s, pos, &tsp->smk_relabel);
2699 static void *relabel_self_seq_next(struct seq_file *s, void *v, loff_t *pos)
2701 struct task_smack *tsp = smack_cred(current_cred());
2703 return smk_seq_next(s, v, pos, &tsp->smk_relabel);
2706 static int relabel_self_seq_show(struct seq_file *s, void *v)
2708 struct list_head *list = v;
2709 struct smack_known_list_elem *sklep =
2710 list_entry(list, struct smack_known_list_elem, list);
2712 seq_puts(s, sklep->smk_label->smk_known);
2718 static const struct seq_operations relabel_self_seq_ops = {
2719 .start = relabel_self_seq_start,
2720 .next = relabel_self_seq_next,
2721 .show = relabel_self_seq_show,
2722 .stop = smk_seq_stop,
2726 * smk_open_relabel_self - open() for /smack/relabel-self
2727 * @inode: inode structure representing file
2728 * @file: "relabel-self" file pointer
2730 * Connect our relabel_self_seq_* operations with /smack/relabel-self
2733 static int smk_open_relabel_self(struct inode *inode, struct file *file)
2735 return seq_open(file, &relabel_self_seq_ops);
2739 * smk_write_relabel_self - write() for /smack/relabel-self
2740 * @file: file pointer, not actually used
2741 * @buf: where to get the data from
2742 * @count: bytes sent
2743 * @ppos: where to start - must be 0
2746 static ssize_t smk_write_relabel_self(struct file *file, const char __user *buf,
2747 size_t count, loff_t *ppos)
2751 LIST_HEAD(list_tmp);
2754 * Must have privilege.
2756 if (!smack_privileged(CAP_MAC_ADMIN))
2761 * Enough data must be present.
2765 if (count == 0 || count > PAGE_SIZE)
2768 data = memdup_user_nul(buf, count);
2770 return PTR_ERR(data);
2772 rc = smk_parse_label_list(data, &list_tmp);
2775 if (!rc || (rc == -EINVAL && list_empty(&list_tmp))) {
2777 struct task_smack *tsp;
2779 new = prepare_creds();
2784 tsp = smack_cred(new);
2785 smk_destroy_label_list(&tsp->smk_relabel);
2786 list_splice(&list_tmp, &tsp->smk_relabel);
2791 smk_destroy_label_list(&list_tmp);
2795 static const struct file_operations smk_relabel_self_ops = {
2796 .open = smk_open_relabel_self,
2798 .llseek = seq_lseek,
2799 .write = smk_write_relabel_self,
2800 .release = seq_release,
2804 * smk_read_ptrace - read() for /smack/ptrace
2805 * @filp: file pointer, not actually used
2806 * @buf: where to put the result
2807 * @count: maximum to send along
2808 * @ppos: where to start
2810 * Returns number of bytes read or error code, as appropriate
2812 static ssize_t smk_read_ptrace(struct file *filp, char __user *buf,
2813 size_t count, loff_t *ppos)
2821 sprintf(temp, "%d\n", smack_ptrace_rule);
2822 rc = simple_read_from_buffer(buf, count, ppos, temp, strlen(temp));
2827 * smk_write_ptrace - write() for /smack/ptrace
2828 * @file: file pointer
2829 * @buf: data from user space
2830 * @count: bytes sent
2831 * @ppos: where to start - must be 0
2833 static ssize_t smk_write_ptrace(struct file *file, const char __user *buf,
2834 size_t count, loff_t *ppos)
2839 if (!smack_privileged(CAP_MAC_ADMIN))
2842 if (*ppos != 0 || count >= sizeof(temp) || count == 0)
2845 if (copy_from_user(temp, buf, count) != 0)
2850 if (sscanf(temp, "%d", &i) != 1)
2852 if (i < SMACK_PTRACE_DEFAULT || i > SMACK_PTRACE_MAX)
2854 smack_ptrace_rule = i;
2859 static const struct file_operations smk_ptrace_ops = {
2860 .write = smk_write_ptrace,
2861 .read = smk_read_ptrace,
2862 .llseek = default_llseek,
2866 * smk_fill_super - fill the smackfs superblock
2867 * @sb: the empty superblock
2870 * Fill in the well known entries for the smack filesystem
2872 * Returns 0 on success, an error code on failure
2874 static int smk_fill_super(struct super_block *sb, struct fs_context *fc)
2878 static const struct tree_descr smack_files[] = {
2880 "load", &smk_load_ops, S_IRUGO|S_IWUSR},
2882 "cipso", &smk_cipso_ops, S_IRUGO|S_IWUSR},
2884 "doi", &smk_doi_ops, S_IRUGO|S_IWUSR},
2886 "direct", &smk_direct_ops, S_IRUGO|S_IWUSR},
2888 "ambient", &smk_ambient_ops, S_IRUGO|S_IWUSR},
2890 "netlabel", &smk_net4addr_ops, S_IRUGO|S_IWUSR},
2892 "onlycap", &smk_onlycap_ops, S_IRUGO|S_IWUSR},
2894 "logging", &smk_logging_ops, S_IRUGO|S_IWUSR},
2896 "load-self", &smk_load_self_ops, S_IRUGO|S_IWUGO},
2898 "access", &smk_access_ops, S_IRUGO|S_IWUGO},
2900 "mapped", &smk_mapped_ops, S_IRUGO|S_IWUSR},
2902 "load2", &smk_load2_ops, S_IRUGO|S_IWUSR},
2903 [SMK_LOAD_SELF2] = {
2904 "load-self2", &smk_load_self2_ops, S_IRUGO|S_IWUGO},
2906 "access2", &smk_access2_ops, S_IRUGO|S_IWUGO},
2908 "cipso2", &smk_cipso2_ops, S_IRUGO|S_IWUSR},
2909 [SMK_REVOKE_SUBJ] = {
2910 "revoke-subject", &smk_revoke_subj_ops,
2912 [SMK_CHANGE_RULE] = {
2913 "change-rule", &smk_change_rule_ops, S_IRUGO|S_IWUSR},
2915 "syslog", &smk_syslog_ops, S_IRUGO|S_IWUSR},
2917 "ptrace", &smk_ptrace_ops, S_IRUGO|S_IWUSR},
2918 #ifdef CONFIG_SECURITY_SMACK_BRINGUP
2919 [SMK_UNCONFINED] = {
2920 "unconfined", &smk_unconfined_ops, S_IRUGO|S_IWUSR},
2922 #if IS_ENABLED(CONFIG_IPV6)
2924 "ipv6host", &smk_net6addr_ops, S_IRUGO|S_IWUSR},
2925 #endif /* CONFIG_IPV6 */
2926 [SMK_RELABEL_SELF] = {
2927 "relabel-self", &smk_relabel_self_ops,
2933 rc = simple_fill_super(sb, SMACK_MAGIC, smack_files);
2935 printk(KERN_ERR "%s failed %d while creating inodes\n",
2944 * smk_get_tree - get the smackfs superblock
2945 * @fc: The mount context, including any options
2947 * Just passes everything along.
2949 * Returns what the lower level code does.
2951 static int smk_get_tree(struct fs_context *fc)
2953 return get_tree_single(fc, smk_fill_super);
2956 static const struct fs_context_operations smk_context_ops = {
2957 .get_tree = smk_get_tree,
2961 * smk_init_fs_context - Initialise a filesystem context for smackfs
2962 * @fc: The blank mount context
2964 static int smk_init_fs_context(struct fs_context *fc)
2966 fc->ops = &smk_context_ops;
2970 static struct file_system_type smk_fs_type = {
2972 .init_fs_context = smk_init_fs_context,
2973 .kill_sb = kill_litter_super,
2976 static struct vfsmount *smackfs_mount;
2979 * init_smk_fs - get the smackfs superblock
2981 * register the smackfs
2983 * Do not register smackfs if Smack wasn't enabled
2984 * on boot. We can not put this method normally under the
2985 * smack_init() code path since the security subsystem get
2986 * initialized before the vfs caches.
2988 * Returns true if we were not chosen on boot or if
2989 * we were chosen and filesystem registration succeeded.
2991 static int __init init_smk_fs(void)
2996 if (smack_enabled == 0)
2999 err = smk_init_sysfs();
3001 printk(KERN_ERR "smackfs: sysfs mountpoint problem.\n");
3003 err = register_filesystem(&smk_fs_type);
3005 smackfs_mount = kern_mount(&smk_fs_type);
3006 if (IS_ERR(smackfs_mount)) {
3007 printk(KERN_ERR "smackfs: could not mount!\n");
3008 err = PTR_ERR(smackfs_mount);
3009 smackfs_mount = NULL;
3014 smk_unlbl_ambient(NULL);
3016 rc = smack_populate_secattr(&smack_known_floor);
3017 if (err == 0 && rc < 0)
3019 rc = smack_populate_secattr(&smack_known_hat);
3020 if (err == 0 && rc < 0)
3022 rc = smack_populate_secattr(&smack_known_huh);
3023 if (err == 0 && rc < 0)
3025 rc = smack_populate_secattr(&smack_known_star);
3026 if (err == 0 && rc < 0)
3028 rc = smack_populate_secattr(&smack_known_web);
3029 if (err == 0 && rc < 0)
3035 __initcall(init_smk_fs);
projects / linux-2.6-microblaze.git / blob