Merge tag 'Smack-for-5.16' of https://github.com/cschaufler/smack-next

#define SMK_RECEIVING	1

#define SMK_SENDING	2

#ifdef SMACK_IPV6_PORT_LABELING

static DEFINE_MUTEX(smack_ipv6_lock);

static LIST_HEAD(smk_ipv6_port_list);

#endif

struct kmem_cache *smack_rule_cache;

int smack_enabled __initdata;

/**

 * smk_ptrace_mode - helper function for converting PTRACE_MODE_* into MAY_*

 * @mode - input mode in form of PTRACE_MODE_*

 * @mode: input mode in form of PTRACE_MODE_*

 *

 * Returns a converted MAY_* mode usable by smack rules

 */

/**

 * smack_inode_setxattr - Smack check for setting xattrs

 * @mnt_userns: active user namespace

 * @dentry: the object

 * @name: name of the attribute

 * @value: value of the attribute

/**

 * smack_inode_removexattr - Smack check on removexattr

 * @mnt_userns: active user namespace

 * @dentry: the object

 * @name: name of the attribute

 *

/**

 * smack_inode_getsecurity - get smack xattrs

 * @mnt_userns: active user namespace

 * @inode: the object

 * @name: attribute name

 * @buffer: where to put the result

}

/**

 * smack_mmap_file :

 * Check permissions for a mmap operation.  The @file may be NULL, e.g.

 * if mapping anonymous memory.

 * @file contains the file structure for file to map (may be NULL).

 * @reqprot contains the protection requested by the application.

 * @prot contains the protection that will be applied by the kernel.

 * @flags contains the operational flags.

 * smack_mmap_file - Check permissions for a mmap operation.

 * @file: contains the file structure for file to map (may be NULL).

 * @reqprot: contains the protection requested by the application.

 * @prot: contains the protection that will be applied by the kernel.

 * @flags: contains the operational flags.

 *

 * The @file may be NULL, e.g. if mapping anonymous memory.

 *

 * Return 0 if permission is granted.

 */

static int smack_mmap_file(struct file *file,

	mutex_unlock(&smack_ipv6_lock);

	return;

}

#endif

/**

 * smk_ipv6_port_check - check Smack port access

	return smk_ipv6_check(skp, object, address, act);

}

#endif

/**

 * smack_inode_setsecurity - set smack xattrs

			rc = smk_ipv6_check(ssp->smk_out, rsp, sip,

					    SMK_CONNECTING);

		}

		if (__is_defined(SMACK_IPV6_PORT_LABELING))

#ifdef SMACK_IPV6_PORT_LABELING

		rc = smk_ipv6_port_check(sock->sk, sip, SMK_CONNECTING);

#endif

		return rc;

	}

}

/**

 * smack_sem_shmctl - Smack access check for sem

 * smack_sem_semctl - Smack access check for sem

 * @isp: the object

 * @cmd: what it wants to do

 *

}

/**

 * smack_msg_queue_msgsnd - Smack access check for msg_queue

 * smack_msg_queue_msgrcv - Smack access check for msg_queue

 * @isp: the object

 * @msg: unused

 * @target: unused

 *

 * Returns 0 if current has read and write access, error code otherwise

 */

static int smack_msg_queue_msgrcv(struct kern_ipc_perm *isp, struct msg_msg *msg,

			struct task_struct *target, long type, int mode)

static int smack_msg_queue_msgrcv(struct kern_ipc_perm *isp,

				  struct msg_msg *msg,

				  struct task_struct *target, long type,

				  int mode)

{

	return smk_curacc_msq(isp, MAY_READWRITE);

}

	/*

	 * Get label from overlay inode and set it in create_sid

	 */

	isp = smack_inode(d_inode(dentry->d_parent));

	isp = smack_inode(d_inode(dentry));

	skp = isp->smk_inode;

	tsp->smk_task = skp;

	*new = new_creds;

#include <net/net_namespace.h>

#include "smack.h"

#if IS_ENABLED(CONFIG_IPV6)

static unsigned int smack_ipv6_output(void *priv,

					struct sk_buff *skb,

					const struct nf_hook_state *state)

{

	struct sock *sk = skb_to_full_sk(skb);

	struct socket_smack *ssp;

	struct smack_known *skp;

	if (sk && sk->sk_security) {

		ssp = sk->sk_security;

		skp = ssp->smk_out;

		skb->secmark = skp->smk_secid;

	}

	return NF_ACCEPT;

}

#endif	/* IPV6 */

static unsigned int smack_ipv4_output(void *priv,

static unsigned int smack_ip_output(void *priv,

					struct sk_buff *skb,

					const struct nf_hook_state *state)

{

static const struct nf_hook_ops smack_nf_ops[] = {

	{

		.hook =		smack_ipv4_output,

		.hook =		smack_ip_output,

		.pf =		NFPROTO_IPV4,

		.hooknum =	NF_INET_LOCAL_OUT,

		.priority =	NF_IP_PRI_SELINUX_FIRST,

	},

#if IS_ENABLED(CONFIG_IPV6)

	{

		.hook =		smack_ipv6_output,

		.hook =		smack_ip_output,

		.pf =		NFPROTO_IPV6,

		.hooknum =	NF_INET_LOCAL_OUT,

		.priority =	NF_IP6_PRI_SELINUX_FIRST,

		printk(KERN_WARNING "%s:%d remove rc = %d\n",

		       __func__, __LINE__, rc);

	doip = kmalloc(sizeof(struct cipso_v4_doi), GFP_KERNEL);

	if (doip == NULL)

		panic("smack:  Failed to initialize cipso DOI.\n");

	doip = kmalloc(sizeof(struct cipso_v4_doi), GFP_KERNEL | __GFP_NOFAIL);

	doip->map.std = NULL;

	doip->doi = smk_cipso_doi_value;

	doip->type = CIPSO_V4_MAP_PASS;

	if (rc != 0) {

		printk(KERN_WARNING "%s:%d map add rc = %d\n",

		       __func__, __LINE__, rc);

		kfree(doip);

		netlbl_cfg_cipsov4_del(doip->doi, &nai);

		return;

	}

}

static ssize_t smk_set_cipso(struct file *file, const char __user *buf,

				size_t count, loff_t *ppos, int format)

{

	struct netlbl_lsm_catmap *old_cat;

	struct smack_known *skp;

	struct netlbl_lsm_secattr ncats;

	char mapcatset[SMK_CIPSOLEN];

	rc = smk_netlbl_mls(maplevel, mapcatset, &ncats, SMK_CIPSOLEN);

	if (rc >= 0) {

		netlbl_catmap_free(skp->smk_netlabel.attr.mls.cat);

		old_cat = skp->smk_netlabel.attr.mls.cat;

		skp->smk_netlabel.attr.mls.cat = ncats.attr.mls.cat;

		skp->smk_netlabel.attr.mls.lvl = ncats.attr.mls.lvl;

		synchronize_rcu();

		netlbl_catmap_free(old_cat);

		rc = count;

		/*

		 * This mapping may have been cached, so clear the cache.