Smack: create a sysfs mount point for smackfs

[platform/adaptation/renesas_rcar/renesas_kernel.git] / security / smack / smackfs.c

diff --git a/security/smack/smackfs.c b/security/smack/smackfs.c
index b1b768e..76a5dca 100644 (file)
--- a/security/smack/smackfs.c
+++ b/security/smack/smackfs.c
@@ -49,6 +49,7 @@ enum smk_inos {
        SMK_LOAD_SELF2  = 15,   /* load task specific rules with long labels */
        SMK_ACCESS2     = 16,   /* make an access check with long labels */
        SMK_CIPSO2      = 17,   /* load long label -> CIPSO mapping */
+       SMK_REVOKE_SUBJ = 18,   /* set rules with subject label to '-' */
 };
 
 /*
@@ -1992,6 +1993,90 @@ static const struct file_operations smk_access2_ops = {
 };
 
 /**
+ * smk_write_revoke_subj - write() for /smack/revoke-subject
+ * @file: file pointer
+ * @buf: data from user space
+ * @count: bytes sent
+ * @ppos: where to start - must be 0
+ */
+static ssize_t smk_write_revoke_subj(struct file *file, const char __user *buf,
+                               size_t count, loff_t *ppos)
+{
+       char *data = NULL;
+       const char *cp = NULL;
+       struct smack_known *skp;
+       struct smack_rule *sp;
+       struct list_head *rule_list;
+       struct mutex *rule_lock;
+       int rc = count;
+
+       if (*ppos != 0)
+               return -EINVAL;
+
+       if (!smack_privileged(CAP_MAC_ADMIN))
+               return -EPERM;
+
+       if (count == 0 || count > SMK_LONGLABEL)
+               return -EINVAL;
+
+       data = kzalloc(count, GFP_KERNEL);
+       if (data == NULL)
+               return -ENOMEM;
+
+       if (copy_from_user(data, buf, count) != 0) {
+               rc = -EFAULT;
+               goto free_out;
+       }
+
+       cp = smk_parse_smack(data, count);
+       if (cp == NULL) {
+               rc = -EINVAL;
+               goto free_out;
+       }
+
+       skp = smk_find_entry(cp);
+       if (skp == NULL) {
+               rc = -EINVAL;
+               goto free_out;
+       }
+
+       rule_list = &skp->smk_rules;
+       rule_lock = &skp->smk_rules_lock;
+
+       mutex_lock(rule_lock);
+
+       list_for_each_entry_rcu(sp, rule_list, list)
+               sp->smk_access = 0;
+
+       mutex_unlock(rule_lock);
+
+free_out:
+       kfree(data);
+       kfree(cp);
+       return rc;
+}
+
+static const struct file_operations smk_revoke_subj_ops = {
+       .write          = smk_write_revoke_subj,
+       .read           = simple_transaction_read,
+       .release        = simple_transaction_release,
+       .llseek         = generic_file_llseek,
+};
+
+static struct kset *smackfs_kset;
+/**
+ * smk_init_sysfs - initialize /sys/fs/smackfs
+ *
+ */
+static int smk_init_sysfs(void)
+{
+       smackfs_kset = kset_create_and_add("smackfs", NULL, fs_kobj);
+       if (!smackfs_kset)
+               return -ENOMEM;
+       return 0;
+}
+
+/**
  * smk_fill_super - fill the /smackfs superblock
  * @sb: the empty superblock
  * @data: unused
@@ -2037,6 +2122,9 @@ static int smk_fill_super(struct super_block *sb, void *data, int silent)
                        "access2", &smk_access2_ops, S_IRUGO|S_IWUGO},
                [SMK_CIPSO2] = {
                        "cipso2", &smk_cipso2_ops, S_IRUGO|S_IWUSR},
+               [SMK_REVOKE_SUBJ] = {
+                       "revoke-subject", &smk_revoke_subj_ops,
+                       S_IRUGO|S_IWUSR},
                /* last one */
                        {""}
        };
@@ -2108,6 +2196,10 @@ static int __init init_smk_fs(void)
        if (!security_module_enable(&smack_ops))
                return 0;
 
+       err = smk_init_sysfs();
+       if (err)
+               printk(KERN_ERR "smackfs: sysfs mountpoint problem.\n");
+
        err = register_filesystem(&smk_fs_type);
        if (!err) {
                smackfs_mount = kern_mount(&smk_fs_type);