From: Kitae Kim
Date: Fri, 28 Jun 2013 01:42:43 +0000 (+0900)
Subject: Smack: applied network-label-match patch.
X-Git-Tag: 2.2.1_release~3
X-Git-Url: http://review.tizen.org/git/?a=commitdiff_plain;h=e5f8a3495b5bdcefa68fdec2284f1a0b3003683d;p=sdk%2Femulator%2Femulator-kernel.git
Smack: applied network-label-match patch.
This patch solved the problem that Smack recognizes incorrectly subject object pair when checking IP packet access.
Signed-off-by: Casey Schaufler
Tested-by: Bumjin Im
Change-Id: I8b702adc78f52f03629a2b951af6040147366a5b
---
diff --git a/security/smack/smack.h b/security/smack/smack.h
index 791658718a5b..54dbc156bf0b 100644
--- a/security/smack/smack.h
+++ b/security/smack/smack.h
@@ -160,9 +160,13 @@ struct smack_known {
 #define SMACK_CIPSO_DOI_INVALID -1 /* Not a DOI */
 #define SMACK_CIPSO_DIRECT_DEFAULT 250 /* Arbitrary */
 #define SMACK_CIPSO_MAPPED_DEFAULT 251 /* Also arbitrary */
-#define SMACK_CIPSO_MAXCATVAL 63 /* Bigger gets harder */
 #define SMACK_CIPSO_MAXLEVEL 255 /* CIPSO 2.2 standard */
-#define SMACK_CIPSO_MAXCATNUM 239 /* CIPSO 2.2 standard */
+/*
+ * CIPSO 2.2 standard is 239, but Smack wants to use the
+ * categories in a structured way that limits the value to
+ * the bits in 23 bytes, hence the unusual number.
+ */
+#define SMACK_CIPSO_MAXCATNUM 184 /* 23 * 8 */
 
 /*
 * Flag for transmute access
diff --git a/security/smack/smack_lsm.c b/security/smack/smack_lsm.c
index 68c0536b3c75..27fa2b0d5de0 100644
--- a/security/smack/smack_lsm.c
+++ b/security/smack/smack_lsm.c
@@ -2835,6 +2835,8 @@ static char *smack_from_secattr(struct netlbl_lsm_secattr *sap,
 struct smack_known *kp;
 char *sp;
 int found = 0;
+ int acat;
+ int kcat;
 
 if ((sap->flags & NETLBL_SECATTR_MLS_LVL) != 0) {
 /*
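Review bot: The comment on the new SMACK_CIPSO_MAXCATNUM explains where 184 comes from but not that the smackfs.c check in this same commit (`cat > SMACK_CIPSO_MAXCATNUM`) admits cat == 184, which fits in 23 bytes only if category numbers are 1-based when smack_catset_bit() maps them to bit positions; that mapping is outside this patch and is worth confirming so the bound is not off by one. I would state the invariant next to the define once confirmed, e.g. `/* 23 * 8; highest 1-based category number smack_catset_bit() can store */`. SMACK_CIPSO_MAXCATVAL is deleted here and only smackfs.c is updated for it in this commit, so any other reference to it elsewhere in the tree would stop building and should be checked before merge.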
@@ -2851,12 +2853,28 @@ static char *smack_from_secattr(struct netlbl_lsm_secattr *sap,
 list_for_each_entry(kp, &smack_known_list, list) {
 if (sap->attr.mls.lvl != kp->smk_netlabel.attr.mls.lvl)
 continue;
- if (memcmp(sap->attr.mls.cat,
- kp->smk_netlabel.attr.mls.cat,
- SMK_CIPSOLEN) != 0)
- continue;
- found = 1;
- break;
+ /*
+ * Compare the catsets. Use the netlbl APIs.
+ */
+ if ((sap->flags & NETLBL_SECATTR_MLS_CAT) == 0) {
+ if ((kp->smk_netlabel.flags &
+ NETLBL_SECATTR_MLS_CAT) == 0)
+ found = 1;
+ break;
+ }
+ for (acat = -1, kcat = -1; acat == kcat; ) {
+ acat = netlbl_secattr_catmap_walk(
+ sap->attr.mls.cat, acat + 1);
+ kcat = netlbl_secattr_catmap_walk(
+ kp->smk_netlabel.attr.mls.cat,
+ kcat + 1);
+ if (acat < 0 || kcat < 0)
+ break;
+ }
+ if (acat == kcat) {
+ found = 1;
+ break;
+ }
 }
 rcu_read_unlock();
diff --git a/security/smack/smackfs.c b/security/smack/smackfs.c
index 53a08b85bda4..06c1cbb57992 100644
--- a/security/smack/smackfs.c
+++ b/security/smack/smackfs.c
@@ -901,7 +901,7 @@ static ssize_t smk_set_cipso(struct file *file, const char __user *buf,
 for (i = 0; i < catlen; i++) {
 rule += SMK_DIGITLEN;
 ret = sscanf(rule, "%u", &cat);
- if (ret != 1 || cat > SMACK_CIPSO_MAXCATVAL)
+ if (ret != 1 || cat > SMACK_CIPSO_MAXCATNUM)
 goto out;
 smack_catset_bit(cat, mapcatset);
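Review bot: When the packet carries no NETLBL_SECATTR_MLS_CAT, the added block breaks out of the list walk at the first known label with a matching level even when that label does carry categories, so a later same-level label without categories is never compared; if such label sets can exist (not visible here), the non-matching case should `continue` rather than `break`: `if ((kp->smk_netlabel.flags & NETLBL_SECATTR_MLS_CAT) != 0) continue; found = 1; break;`. The converse case, a packet with categories against a known label whose MLS_CAT flag is clear, goes straight into netlbl_secattr_catmap_walk() on kp->smk_netlabel.attr.mls.cat; if that catmap can be NULL for such a label the walk would dereference it, so checking the flag before the loop and treating a clear flag as a mismatch would be cheap insurance. The lockstep walk itself only reports a match when both catmaps end on the same iteration, which reads correctly. smack_from_secattr() starts and ends outside the hunk.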