smack: add kdbus access controls

[v1 Initial version] Signed-off-by: Karol Lewandowski <k.lewandowsk@samsung.com> [v2 Fixup the Smack LSM hook implementations to match the updated LSM hooks] Signed-off-by: Paul Moore <pmoore@redhat.com> [v3 Adjust to hook changes - replace _recv/send with _talk()] Signed-off-by: Karol Lewandowski <k.lewandowsk@samsung.com>
lmctl · May 28, 2014 · 103c26f · 103c26f
1 parent 482712e
commit 103c26f
Showing 1 changed file with 65 additions and 0 deletions.
diff --git a/security/smack/smack_lsm.c b/security/smack/smack_lsm.c
@@ -38,6 +38,7 @@
 #include <linux/msg.h>
 #include <linux/shm.h>
 #include <linux/binfmts.h>
+#include <linux/kdbus/connection.h>
 #include "smack.h"
 
 #define task_security(task)	(task_cred_xxx((task), security))
@@ -2719,6 +2720,66 @@ static int smack_setprocattr(struct task_struct *p, char *name,
 	return size;
 }
 
+/**
+ * smack_kdbus_connect - Set the security blob for a KDBus connection
+ * @conn: the connection
+ * @secctx: smack label
+ * @seclen: smack label length
+ *
+ * Returns 0
+ */
+static int smack_kdbus_connect(struct kdbus_conn *conn,
+			       const char *secctx, u32 seclen)
+{
+	struct smack_known *skp;
+
+	if (secctx && seclen > 0)
+		skp = smk_import_entry(secctx, seclen);
+	else
+		skp = smk_of_current();
+	conn->security = skp;
+
+	return 0;
+}
+
+/**
+ * smack_kdbus_conn_free - Clear the security blob for a KDBus connection
+ * @conn: the connection
+ *
+ * Clears the blob pointer
+ */
+static void smack_kdbus_conn_free(struct kdbus_conn *conn)
+{
+	conn->security = NULL;
+}
+
+/**
+ * smack_kdbus_talk - Smack access on KDBus
+ * @src: source kdbus connection
+ * @dst: destination kdbus connection
+ *
+ * Return 0 if a subject with the smack of sock could access
+ * an object with the smack of other, otherwise an error code
+ */
+static int smack_kdbus_talk(const struct kdbus_conn *src,
+			    const struct kdbus_conn *dst)
+{
+	struct smk_audit_info ad;
+	struct smack_known *sskp = src->security;
+	struct smack_known *dskp = dst->security;
+
+	BUG_ON(sskp == NULL);
+	BUG_ON(dskp == NULL);
+
+	if (smack_privileged(CAP_MAC_OVERRIDE))
+		return 0;
+
+	smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_NONE);
+
+	return smk_access(sskp, dskp->smk_known, MAY_WRITE, &ad)
+	     && smk_access(dskp, sskp->smk_known, MAY_READ, &ad);
+}
+
 /**
  * smack_unix_stream_connect - Smack access on UDS
  * @sock: one sock
@@ -3494,6 +3555,10 @@ struct security_operations smack_ops = {
 	.getprocattr = 			smack_getprocattr,
 	.setprocattr = 			smack_setprocattr,
 
+	.kdbus_connect =		smack_kdbus_connect,
+	.kdbus_conn_free =		smack_kdbus_conn_free,
+	.kdbus_talk =			smack_kdbus_talk,
+
 	.unix_stream_connect = 		smack_unix_stream_connect,
 	.unix_may_send = 		smack_unix_may_send,