
Commit 99a6740

Merge tag 'Smack-for-5.10' of git://github.com/cschaufler/smack-next
Pull smack updates from Casey Schaufler: "Two minor fixes and one performance enhancement to Smack. The performance improvement is significant and the new code is more like its counterpart in SELinux. - Two kernel test robot suggested clean-ups. - Teach Smack to use the IPv4 netlabel cache. This results in a 12-14% improvement on TCP benchmarks" * tag 'Smack-for-5.10' of git://github.com/cschaufler/smack-next: Smack: Remove unnecessary variable initialization Smack: Fix build when NETWORK_SECMARK is not set Smack: Use the netlabel cache Smack: Set socket labels only once Smack: Consolidate uses of secmark into a function
2 parents b274279 + edd6153 commit 99a6740

4 files changed

Lines changed: 200 additions & 149 deletions


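--- a/security/smack/smack.h
+++ b/security/smack/smack.h
@@ -100,7 +100,12 @@ struct socket_smack {
 struct smack_known *smk_out; /* outbound label */
 struct smack_known *smk_in; /* inbound label */
 struct smack_known *smk_packet; /* TCP peer label */
+int smk_state; /* netlabel socket states */
 };
+#define SMK_NETLBL_UNSET 0
+#define SMK_NETLBL_UNLABELED 1
+#define SMK_NETLBL_LABELED 2
+#define SMK_NETLBL_REQSKB 3
 
 /*
 * Inode smack data
@@ -196,19 +201,6 @@ enum {
 #define SMACK_DELETE_OPTION "-DELETE"
 #define SMACK_CIPSO_OPTION "-CIPSO"
 
-/*
-* How communications on this socket are treated.
-* Usually it's determined by the underlying netlabel code
-* but there are certain cases, including single label hosts
-* and potentially single label interfaces for which the
-* treatment can not be known in advance.
-*
-* The possibility of additional labeling schemes being
-* introduced in the future exists as well.
-*/
-#define SMACK_UNLABELED_SOCKET 0
-#define SMACK_CIPSO_SOCKET 1
-
 /*
 * CIPSO defaults.
 */
@@ -305,6 +297,7 @@ struct smack_known *smk_find_entry(const char *);
 bool smack_privileged(int cap);
 bool smack_privileged_cred(int cap, const struct cred *cred);
 void smk_destroy_label_list(struct list_head *list);
+int smack_populate_secattr(struct smack_known *skp);
 
 /*
 * Shared data.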
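Review bot: The new `smk_state` field and the four `#define SMK_NETLBL_*` lines placed right after the closing `};` of struct socket_smack carry no explanation, while the block comment that described the old two-state SMACK_UNLABELED_SOCKET / SMACK_CIPSO_SOCKET scheme is deleted in the second hunk, so the header now documents socket labeling less than it did before. I would add a short comment above the defines along the lines of `/* smk_state: whether netlabel attributes have been applied to this socket (UNSET) and, once they have, which outcome was applied (UNLABELED, LABELED) or that labeling is deferred to the request skb (REQSKB). */`, but the exact meaning of each value is not visible in this header, so the wording should be taken from the users in smack_lsm.c. As a point of style, four related small constants stored in an `int` field would read better as an `enum` (the hunk context shows the file already uses `enum {` blocks), which keeps them visible to debuggers and gives the field a type. The struct socket_smack definition starts above the first hunk.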

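--- a/security/smack/smack_access.c
+++ b/security/smack/smack_access.c
@@ -510,6 +510,42 @@ int smk_netlbl_mls(int level, char *catset, struct netlbl_lsm_secattr *sap,
 return 0;
 }
 
+/**
+* smack_populate_secattr - fill in the smack_known netlabel information
+* @skp: pointer to the structure to fill
+*
+* Populate the netlabel secattr structure for a Smack label.
+*
+* Returns 0 unless creating the category mapping fails
+*/
+int smack_populate_secattr(struct smack_known *skp)
+{
+int slen;
+
+skp->smk_netlabel.attr.secid = skp->smk_secid;
+skp->smk_netlabel.domain = skp->smk_known;
+skp->smk_netlabel.cache = netlbl_secattr_cache_alloc(GFP_ATOMIC);
+if (skp->smk_netlabel.cache != NULL) {
+skp->smk_netlabel.flags |= NETLBL_SECATTR_CACHE;
+skp->smk_netlabel.cache->free = NULL;
+skp->smk_netlabel.cache->data = skp;
+}
+skp->smk_netlabel.flags |= NETLBL_SECATTR_SECID |
+NETLBL_SECATTR_MLS_LVL |
+NETLBL_SECATTR_DOMAIN;
+/*
+* If direct labeling works use it.
+* Otherwise use mapped labeling.
+*/
+slen = strlen(skp->smk_known);
+if (slen < SMK_CIPSOLEN)
+return smk_netlbl_mls(smack_cipso_direct, skp->smk_known,
+&skp->smk_netlabel, slen);
+
+return smk_netlbl_mls(smack_cipso_mapped, (char *)&skp->smk_secid,
+&skp->smk_netlabel, sizeof(skp->smk_secid));
+}
+
 /**
 * smk_import_entry - import a label, return the list entry
 * @string: a text string that might be a Smack label
@@ -523,7 +559,6 @@ struct smack_known *smk_import_entry(const char *string, int len)
 {
 struct smack_known *skp;
 char *smack;
-int slen;
 int rc;
 
 smack = smk_parse_smack(string, len);
@@ -544,21 +579,8 @@ struct smack_known *smk_import_entry(const char *string, int len)
 
 skp->smk_known = smack;
 skp->smk_secid = smack_next_secid++;
-skp->smk_netlabel.domain = skp->smk_known;
-skp->smk_netlabel.flags =
-NETLBL_SECATTR_DOMAIN | NETLBL_SECATTR_MLS_LVL;
-/*
-* If direct labeling works use it.
-* Otherwise use mapped labeling.
-*/
-slen = strlen(smack);
-if (slen < SMK_CIPSOLEN)
-rc = smk_netlbl_mls(smack_cipso_direct, skp->smk_known,
-&skp->smk_netlabel, slen);
-else
-rc = smk_netlbl_mls(smack_cipso_mapped, (char *)&skp->smk_secid,
-&skp->smk_netlabel, sizeof(skp->smk_secid));
 
+rc = smack_populate_secattr(skp);
 if (rc >= 0) {
 INIT_LIST_HEAD(&skp->smk_rules);
 mutex_init(&skp->smk_rules_lock);
@@ -569,9 +591,6 @@ struct smack_known *smk_import_entry(const char *string, int len)
 smk_insert_entry(skp);
 goto unlockout;
 }
-/*
-* smk_netlbl_mls failed.
-*/
 kfree(skp);
 skp = ERR_PTR(rc);
 freeout: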
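Review bot: The netlabel cache object allocated in smack_populate_secattr by `skp->smk_netlabel.cache = netlbl_secattr_cache_alloc(GFP_ATOMIC);` is leaked on the error path of smk_import_entry: when smk_netlbl_mls fails and rc is negative, the caller goes straight to `kfree(skp);` in the last hunk and never releases the cache that was allocated a few statements earlier. Either release it before the kfree, `if (skp->smk_netlabel.cache) netlbl_secattr_cache_free(skp->smk_netlabel.cache);` (assuming that is the matching netlabel release routine, as its name suggests), or move the cache allocation after the smk_netlbl_mls call so it only happens once the entry is known to be valid; `cache->free` is set to NULL here, so releasing the cache does not touch skp either way. A smaller point: the new function ORs into `skp->smk_netlabel.flags` where the removed code assigned it, so it now depends on the caller having zeroed the secattr beforehand — that holds for statically defined labels and for a zero-allocated skp, but the allocation in smk_import_entry lies outside these hunks and is worth confirming. The smk_import_entry body continues past the last hunk.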
