Commit acf25aa6 authored by Linus Torvalds

Merge tag 'Smack-for-5.8' of git://github.com/cschaufler/smack-next

Pull smack updates from Casey Schaufler:
 "Clean out dead code and repair an out-of-bounds warning"

* tag 'Smack-for-5.8' of git://github.com/cschaufler/smack-next:
  Smack: Remove unused inline function smk_ad_setfield_u_fs_path_mnt
  Smack:- Remove redundant inode_smack cache
  Smack:- Remove mutex lock "smk_lock" from inode_smack
  Smack: slab-out-of-bounds in vsscanf
  smack: remove redundant structure variable from header.
  smack: avoid unused 'sip' variable warning
parents a484a497 ef26650a
+0 −12
@@ -109,9 +109,7 @@ struct inode_smack {
	struct smack_known	*smk_inode;	/* label of the fso */
	struct smack_known	*smk_task;	/* label of the task */
	struct smack_known	*smk_mmap;	/* label of the mmap domain */
	struct mutex		smk_lock;	/* initialization lock */
	int			smk_flags;	/* smack inode flags */
	struct rcu_head         smk_rcu;	/* for freeing inode_smack */
};

struct task_smack {
@@ -148,7 +146,6 @@ struct smk_net4addr {
	struct smack_known	*smk_label;	/* label */
};

#if IS_ENABLED(CONFIG_IPV6)
/*
 * An entry in the table identifying IPv6 hosts.
 */
@@ -159,9 +156,7 @@ struct smk_net6addr {
	int			smk_masks;	/* mask size */
	struct smack_known	*smk_label;	/* label */
};
#endif /* CONFIG_IPV6 */

#ifdef SMACK_IPV6_PORT_LABELING
/*
 * An entry in the table identifying ports.
 */
@@ -174,7 +169,6 @@ struct smk_port_label {
	short			smk_sock_type;	/* Socket type */
	short			smk_can_reuse;
};
#endif /* SMACK_IPV6_PORT_LABELING */

struct smack_known_list_elem {
	struct list_head	list;
@@ -335,9 +329,7 @@ extern struct smack_known smack_known_web;
extern struct mutex	smack_known_lock;
extern struct list_head smack_known_list;
extern struct list_head smk_net4addr_list;
#if IS_ENABLED(CONFIG_IPV6)
extern struct list_head smk_net6addr_list;
#endif /* CONFIG_IPV6 */

extern struct mutex     smack_onlycap_lock;
extern struct list_head smack_onlycap_list;
@@ -505,10 +497,6 @@ static inline void smk_ad_setfield_u_fs_path_dentry(struct smk_audit_info *a,
						    struct dentry *d)
{
}
static inline void smk_ad_setfield_u_fs_path_mnt(struct smk_audit_info *a,
						 struct vfsmount *m)
{
}
static inline void smk_ad_setfield_u_fs_inode(struct smk_audit_info *a,
					      struct inode *i)
{
+11 −31
@@ -50,11 +50,8 @@
#define SMK_RECEIVING	1
#define SMK_SENDING	2

#ifdef SMACK_IPV6_PORT_LABELING
DEFINE_MUTEX(smack_ipv6_lock);
static DEFINE_MUTEX(smack_ipv6_lock);
static LIST_HEAD(smk_ipv6_port_list);
#endif
static struct kmem_cache *smack_inode_cache;
struct kmem_cache *smack_rule_cache;
int smack_enabled;

@@ -316,7 +313,6 @@ static void init_inode_smack(struct inode *inode, struct smack_known *skp)

	isp->smk_inode = skp;
	isp->smk_flags = 0;
	mutex_init(&isp->smk_lock);
}

/**
@@ -2320,7 +2316,6 @@ static struct smack_known *smack_ipv4host_label(struct sockaddr_in *sip)
	return NULL;
}

#if IS_ENABLED(CONFIG_IPV6)
/*
 * smk_ipv6_localhost - Check for local ipv6 host address
 * @sip: the address
@@ -2388,7 +2383,6 @@ static struct smack_known *smack_ipv6host_label(struct sockaddr_in6 *sip)

	return NULL;
}
#endif /* CONFIG_IPV6 */

/**
 * smack_netlabel - Set the secattr on a socket
@@ -2477,7 +2471,6 @@ static int smack_netlabel_send(struct sock *sk, struct sockaddr_in *sap)
	return smack_netlabel(sk, sk_lbl);
}

#if IS_ENABLED(CONFIG_IPV6)
/**
 * smk_ipv6_check - check Smack access
 * @subject: subject Smack label
@@ -2510,7 +2503,6 @@ static int smk_ipv6_check(struct smack_known *subject,
	rc = smk_bu_note("IPv6 check", subject, object, MAY_WRITE, rc);
	return rc;
}
#endif /* CONFIG_IPV6 */

#ifdef SMACK_IPV6_PORT_LABELING
/**
@@ -2599,6 +2591,7 @@ static void smk_ipv6_port_label(struct socket *sock, struct sockaddr *address)
	mutex_unlock(&smack_ipv6_lock);
	return;
}
#endif

/**
 * smk_ipv6_port_check - check Smack port access
@@ -2661,7 +2654,6 @@ static int smk_ipv6_port_check(struct sock *sk, struct sockaddr_in6 *address,

	return smk_ipv6_check(skp, object, address, act);
}
#endif /* SMACK_IPV6_PORT_LABELING */

/**
 * smack_inode_setsecurity - set smack xattrs
@@ -2836,13 +2828,11 @@ static int smack_socket_connect(struct socket *sock, struct sockaddr *sap,
		return 0;
	if (IS_ENABLED(CONFIG_IPV6) && sap->sa_family == AF_INET6) {
		struct sockaddr_in6 *sip = (struct sockaddr_in6 *)sap;
#ifdef SMACK_IPV6_SECMARK_LABELING
		struct smack_known *rsp;
#endif
		struct smack_known *rsp = NULL;

		if (addrlen < SIN6_LEN_RFC2133)
			return 0;
#ifdef SMACK_IPV6_SECMARK_LABELING
		if (__is_defined(SMACK_IPV6_SECMARK_LABELING))
			rsp = smack_ipv6host_label(sip);
		if (rsp != NULL) {
			struct socket_smack *ssp = sock->sk->sk_security;
@@ -2850,10 +2840,9 @@ static int smack_socket_connect(struct socket *sock, struct sockaddr *sap,
			rc = smk_ipv6_check(ssp->smk_out, rsp, sip,
					    SMK_CONNECTING);
		}
#endif
#ifdef SMACK_IPV6_PORT_LABELING
		if (__is_defined(SMACK_IPV6_PORT_LABELING))
			rc = smk_ipv6_port_check(sock->sk, sip, SMK_CONNECTING);
#endif

		return rc;
	}
	if (sap->sa_family != AF_INET || addrlen < sizeof(struct sockaddr_in))
@@ -3273,13 +3262,12 @@ static void smack_d_instantiate(struct dentry *opt_dentry, struct inode *inode)

	isp = smack_inode(inode);

	mutex_lock(&isp->smk_lock);
	/*
	 * If the inode is already instantiated
	 * take the quick way out
	 */
	if (isp->smk_flags & SMK_INODE_INSTANT)
		goto unlockandout;
		return;

	sbp = inode->i_sb;
	sbsp = sbp->s_security;
@@ -3330,7 +3318,7 @@ static void smack_d_instantiate(struct dentry *opt_dentry, struct inode *inode)
			break;
		}
		isp->smk_flags |= SMK_INODE_INSTANT;
		goto unlockandout;
		return;
	}

	/*
@@ -3465,8 +3453,6 @@ static void smack_d_instantiate(struct dentry *opt_dentry, struct inode *inode)

	isp->smk_flags |= (SMK_INODE_INSTANT | transflag);

unlockandout:
	mutex_unlock(&isp->smk_lock);
	return;
}

@@ -4760,15 +4746,9 @@ static __init int smack_init(void)
	struct cred *cred = (struct cred *) current->cred;
	struct task_smack *tsp;

	smack_inode_cache = KMEM_CACHE(inode_smack, 0);
	if (!smack_inode_cache)
		return -ENOMEM;

	smack_rule_cache = KMEM_CACHE(smack_rule, 0);
	if (!smack_rule_cache) {
		kmem_cache_destroy(smack_inode_cache);
	if (!smack_rule_cache)
		return -ENOMEM;
	}

	/*
	 * Set the security state for the initial task.
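Review bot: With `smk_lock` removed, the `SMK_INODE_INSTANT` test at the top of smack_d_instantiate and the later `isp->smk_flags |= ...` updates are an unserialized check-then-set as far as these hunks show, so two concurrent callers for the same inode could both run the labeling path and race on `smk_flags`. If instantiation is already serialized per inode by the caller (not visible here), that assumption should be recorded above the quick-exit check, e.g. `/* d_instantiate is serialized per inode by the caller; smk_flags needs no lock here */`. The function body spans three hunks and continues outside them, so the remaining writes to `isp` could not be checked from this page.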
+10 −0
@@ -878,11 +878,21 @@ static ssize_t smk_set_cipso(struct file *file, const char __user *buf,
	else
		rule += strlen(skp->smk_known) + 1;

	if (rule > data + count) {
		rc = -EOVERFLOW;
		goto out;
	}

	ret = sscanf(rule, "%d", &maplevel);
	if (ret != 1 || maplevel > SMACK_CIPSO_MAXLEVEL)
		goto out;

	rule += SMK_DIGITLEN;
	if (rule > data + count) {
		rc = -EOVERFLOW;
		goto out;
	}

	ret = sscanf(rule, "%d", &catlen);
	if (ret != 1 || catlen > SMACK_CIPSO_MAXCATNUM)
		goto out;
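Review bot: The two added guards test `rule > data + count`, so `rule == data + count` still reaches `sscanf`, and the guard bounds only where parsing starts, not how far `%d` scans; both are safe only if `data` holds a NUL at `data[count]`, which depends on the allocation outside this hunk. A comment above the first guard would record that, e.g. `/* data is NUL-terminated at data[count]; an empty field fails the sscanf below */`. Separately, `%d` accepts a minus sign and the visible range tests have only an upper bound, so negative values should be rejected in the same conditions, e.g. `if (ret != 1 || catlen < 0 || catlen > SMACK_CIPSO_MAXCATNUM)` and likewise `maplevel < 0`. smk_set_cipso starts and ends outside the hunk, so how `catlen` is used afterwards is not visible here.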