summaryrefslogtreecommitdiffstats
path: root/security
diff options
context:
space:
mode:
authorCasey Schaufler <casey@schaufler-ca.com>2012-06-18 19:01:36 -0700
committerCasey Schaufler <casey@schaufler-ca.com>2012-07-13 15:49:24 -0700
commit3518721a8932b2a243f415c374aef020380efc9d (patch)
treef16a039687aaf395e6751b7a9edda85e83b52502 /security
parent1880eff77e7a7cb46c68fae7cfa33f72f0a6e70e (diff)
Smack: user access check bounds
Some of the bounds checking used on the /smack/access interface was lost when support for long labels was added. No kernel access checks are affected, however this is a case where /smack/access could be used incorrectly and fail to detect the error. This patch reintroduces the original checks. Targeted for git://git.gitorious.org/smack-next/kernel.git Signed-off-by: Casey Schaufler <casey@schaufler-ca.com>
Diffstat (limited to 'security')
-rw-r--r--security/smack/smackfs.c26
1 files changed, 12 insertions, 14 deletions
diff --git a/security/smack/smackfs.c b/security/smack/smackfs.c
index 21529658662..29b760d6b74 100644
--- a/security/smack/smackfs.c
+++ b/security/smack/smackfs.c
@@ -215,28 +215,27 @@ static int smk_set_access(struct smack_rule *srp, struct list_head *rule_list,
* @access: access string
* @rule: Smack rule
* @import: if non-zero, import labels
+ * @len: label length limit
*
* Returns 0 on success, -1 on failure
*/
static int smk_fill_rule(const char *subject, const char *object,
const char *access, struct smack_rule *rule,
- int import)
+ int import, int len)
{
- int rc = -1;
- int done;
const char *cp;
struct smack_known *skp;
if (import) {
- rule->smk_subject = smk_import(subject, 0);
+ rule->smk_subject = smk_import(subject, len);
if (rule->smk_subject == NULL)
return -1;
- rule->smk_object = smk_import(object, 0);
+ rule->smk_object = smk_import(object, len);
if (rule->smk_object == NULL)
return -1;
} else {
- cp = smk_parse_smack(subject, 0);
+ cp = smk_parse_smack(subject, len);
if (cp == NULL)
return -1;
skp = smk_find_entry(cp);
@@ -245,7 +244,7 @@ static int smk_fill_rule(const char *subject, const char *object,
return -1;
rule->smk_subject = skp->smk_known;
- cp = smk_parse_smack(object, 0);
+ cp = smk_parse_smack(object, len);
if (cp == NULL)
return -1;
skp = smk_find_entry(cp);
@@ -257,7 +256,7 @@ static int smk_fill_rule(const char *subject, const char *object,
rule->smk_access = 0;
- for (cp = access, done = 0; *cp && !done; cp++) {
+ for (cp = access; *cp != '\0'; cp++) {
switch (*cp) {
case '-':
break;
@@ -282,13 +281,11 @@ static int smk_fill_rule(const char *subject, const char *object,
rule->smk_access |= MAY_TRANSMUTE;
break;
default:
- done = 1;
- break;
+ return 0;
}
}
- rc = 0;
- return rc;
+ return 0;
}
/**
@@ -304,7 +301,8 @@ static int smk_parse_rule(const char *data, struct smack_rule *rule, int import)
int rc;
rc = smk_fill_rule(data, data + SMK_LABELLEN,
- data + SMK_LABELLEN + SMK_LABELLEN, rule, import);
+ data + SMK_LABELLEN + SMK_LABELLEN, rule, import,
+ SMK_LABELLEN);
return rc;
}
@@ -340,7 +338,7 @@ static int smk_parse_long_rule(const char *data, struct smack_rule *rule,
goto free_out_o;
if (sscanf(data, "%s %s %s", subject, object, access) == 3)
- rc = smk_fill_rule(subject, object, access, rule, import);
+ rc = smk_fill_rule(subject, object, access, rule, import, 0);
kfree(access);
free_out_o: