Linux kernel stable tree (mirror) https://git.radix-linux.su/kernel/linux.git/atom?h=v7.1 2025-12-03T18:58:59+00:00 2025-12-03T18:58:59+00:00 Linus Torvalds torvalds@linux-foundation.org 2025-12-03T18:58:59+00:00 urn:sha1:204a920f284e7264aa6dcd5876cbb1e03a7e4ebc Pull smack updates from Casey Schaufler: - fix several cases where labels were treated inconsistently when imported from user space - clean up the assignment of extended attributes - documentation improvements * tag 'Smack-for-6.19' of https://github.com/cschaufler/smack-next: Smack: function parameter 'gfp' not described smack: fix kernel-doc warnings for smk_import_valid_label() smack: fix bug: setting task label silently ignores input garbage smack: fix bug: unprivileged task can create labels smack: fix bug: invalid label of unix socket file smack: always "instantiate" inode in smack_inode_init_security() smack: deduplicate xattr setting in smack_inode_init_security() smack: fix bug: SMACK64TRANSMUTE set on non-directory smack: deduplicate "does access rule request transmutation" 2025-10-22T23:24:25+00:00 Paul Moore paul@paul-moore.com 2025-02-18T22:22:31+00:00 urn:sha1:06643d5584f9efa19804d17435169a63412b4eae As the LSM framework only supports one LSM initcall callback for each initcall type, the init_smk_fs() and smack_nf_ip_init() functions were wrapped with a new function, smack_initcall() that is registered with the LSM framework. Acked-by: Casey Schaufler <casey@schaufler-ca.com> Reviewed-by: John Johansen <john.johhansen@canonical.com> Signed-off-by: Paul Moore <paul@paul-moore.com> 2025-06-24T23:30:24+00:00 Konstantin Andreev andreev@swemel.ru 2025-06-16T21:32:17+00:00 urn:sha1:674e2b24791cbe8fd5dc8a0aed4cb4404fcd2028 This command: # echo foo/bar >/proc/$$/attr/smack/current gives the task a label 'foo' w/o indication that label does not match input. Setting the label with lsm_set_self_attr() syscall behaves identically. This occures because: 1) smk_parse_smack() is used to convert input to a label 2) smk_parse_smack() takes only that part from the beginning of the input that looks like a label. 3) `/' is prohibited in labels, so only "foo" is taken. (2) is by design, because smk_parse_smack() is used for parsing strings which are more than just a label. Silent failure is not a good thing, and there are two indicators that this was not done intentionally: (size >= SMK_LONGLABEL) ~> invalid clause at the beginning of the do_setattr() and the "Returns the length of the smack label" claim in the do_setattr() description. So I fixed this by adding one tiny check: the taken label length == input length. Since input length is now strictly controlled, I changed the two ways of setting label smack_setselfattr(): lsm_set_self_attr() syscall smack_setprocattr(): > /proc/.../current to accommodate the divergence in what they understand by "input length": smack_setselfattr counts mandatory \0 into input length, smack_setprocattr does not. smack_setprocattr allows various trailers after label Related changes: * fixed description for smk_parse_smack * allow unprivileged tasks validate label syntax. * extract smk_parse_label_len() from smk_parse_smack() so parsing may be done w/o string allocation. * extract smk_import_valid_label() from smk_import_entry() to avoid repeated parsing. * smk_parse_smack(): scan null-terminated strings for no more than SMK_LONGLABEL(256) characters * smack_setselfattr(): require struct lsm_ctx . flags == 0 to reserve them for future. Fixes: e114e473771c ("Smack: Simplified Mandatory Access Control Kernel") Signed-off-by: Konstantin Andreev <andreev@swemel.ru> Signed-off-by: Casey Schaufler <casey@schaufler-ca.com> 2025-02-14T02:33:55+00:00 Konstantin Andreev andreev@swemel.ru 2025-01-17T21:46:46+00:00 urn:sha1:bf9f14c91a05ec77ee3710703b699c2a32f80ae4 If CONFIG_AUDIT is not set then SMACK does not generate audit messages, however, keeps audit control file, /smack/logging, while there is no entity to control. This change removes audit control file /smack/logging when audit is not configured in the kernel Signed-off-by: Konstantin Andreev <andreev@swemel.ru> Signed-off-by: Casey Schaufler <casey@schaufler-ca.com> 2025-02-12T21:05:15+00:00 Konstantin Andreev andreev@swemel.ru 2025-01-17T16:36:42+00:00 urn:sha1:bfcf4004bcbce2cb674b4e8dbd31ce0891766bac I want to be sure that ipv6-specific code is not compiled in kernel binaries if ipv6 is not configured. [1] was getting rid of "unused variable" warning, but, with that, it also mandated compilation of a handful ipv6- specific functions in ipv4-only kernel configurations: smk_ipv6_localhost, smack_ipv6host_label, smk_ipv6_check. Their compiled bodies are likely to be removed by compiler from the resulting binary, but, to be on the safe side, I remove them from the compiler view. [1] Fixes: 00720f0e7f28 ("smack: avoid unused 'sip' variable warning") Signed-off-by: Konstantin Andreev <andreev@swemel.ru> Signed-off-by: Casey Schaufler <casey@schaufler-ca.com> 2025-02-11T22:34:02+00:00 Casey Schaufler casey@schaufler-ca.com 2025-02-11T22:34:02+00:00 urn:sha1:2aad5cd1dbeb20baf13d9bbb963afc4aa7fa0e34 Fix typos and spelling errors in security/smack module comments that were identified using the codespell tool. No functional changes - documentation only. Signed-off-by: Tanya Agarwal <tanyaagarwal25699@gmail.com> Reviewed-by: Mimi Zohar <zohar@linux.ibm.com> Signed-off-by: Casey Schaufler <casey@schaufler-ca.com> 2024-12-06T21:21:12+00:00 Konstantin Andreev andreev@swemel.ru 2024-09-13T14:46:59+00:00 urn:sha1:6f71ad02aae83f7032255863e374acadaa852bea Signed-off-by: Konstantin Andreev <andreev@swemel.ru> Signed-off-by: Casey Schaufler <casey@schaufler-ca.com> 2024-07-29T20:54:51+00:00 Casey Schaufler casey@schaufler-ca.com 2024-07-10T21:32:26+00:00 urn:sha1:5f8d28f6d7d568dbbc8c5bce94894474c07afd4f Move management of the key->security blob out of the individual security modules and into the security infrastructure. Instead of allocating the blobs from within the modules the modules tell the infrastructure how much space is required, and the space is allocated there. There are no existing modules that require a key_free hook, so the call to it and the definition for it have been removed. Signed-off-by: Casey Schaufler <casey@schaufler-ca.com> Reviewed-by: John Johansen <john.johansen@canonical.com> [PM: subject tweak] Signed-off-by: Paul Moore <paul@paul-moore.com> 2024-07-29T20:54:50+00:00 Casey Schaufler casey@schaufler-ca.com 2024-07-10T21:32:25+00:00 urn:sha1:2aff9d20d50ac45dd13a013ef5231f4fb8912356 Move management of the sock->sk_security blob out of the individual security modules and into the security infrastructure. Instead of allocating the blobs from within the modules the modules tell the infrastructure how much space is required, and the space is allocated there. Acked-by: Paul Moore <paul@paul-moore.com> Reviewed-by: Kees Cook <keescook@chromium.org> Reviewed-by: John Johansen <john.johansen@canonical.com> Acked-by: Stephen Smalley <stephen.smalley.work@gmail.com> Signed-off-by: Casey Schaufler <casey@schaufler-ca.com> [PM: subject tweak] Signed-off-by: Paul Moore <paul@paul-moore.com> 2023-07-10T17:59:38+00:00 Roberto Sassu roberto.sassu@huawei.com 2023-06-10T07:57:36+00:00 urn:sha1:baed456a6a2f6b8bec2913a6c6a72cc811252c6e With the newly added ability of LSMs to supply multiple xattrs, set SMACK64TRASMUTE in smack_inode_init_security(), instead of d_instantiate(). Do it by incrementing SMACK_INODE_INIT_XATTRS to 2 and by calling lsm_get_xattr_slot() a second time, if the transmuting conditions are met. The LSM infrastructure passes all xattrs provided by LSMs to the filesystems through the initxattrs() callback, so that filesystems can store xattrs in the disk. After the change, the SMK_INODE_TRANSMUTE inode flag is always set by d_instantiate() after fetching SMACK64TRANSMUTE from the disk. Before it was done by smack_inode_post_setxattr() as result of the __vfs_setxattr() call. Removing __vfs_setxattr() also prevents invalidating the EVM HMAC, by adding a new xattr without checking and updating the existing HMAC. Signed-off-by: Roberto Sassu <roberto.sassu@huawei.com> Reviewed-by: Casey Schaufler <casey@schaufler-ca.com> Signed-off-by: Paul Moore <paul@paul-moore.com>