PATCH for kernel 3.14.28

The LSM Smack isn't currently implementing the retrieval of the contexts of the keys. In other words, the LSM Smack doesn't implement the LSM side part of the system call keyctl for the function KEYCTL_GET_SECURITY. It is causing difficulties when trying to investigate reasons of some system failures. For example, it is currently impossible to get the context of the user session key using the command "keyctl security @s".

This patch (attached) is obvious, it simply implements the missing part of the LSM Smack. I tested and it works fine.

Best regards
José Bollo

From af6307c38154b96f007bc2c3db01e192a69f9baf Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Jos=C3=A9=20Bollo?= <[email protected]> Date: Sat, 15 Nov 2014 11:19:23 +0100 Subject: [PATCH] Smack: adding retrieval of key's context MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Change-Id: I140648f08dd8fd991be6a9b3a2e649a3677c1be5 Signed-off-by: José Bollo <[email protected]> --- security/smack/smack_lsm.c | 30 ++++++++++++++++++++++++++++++ 1 file changed, 30 insertions(+) diff --git a/security/smack/smack_lsm.c b/security/smack/smack_lsm.c index 47ed6a4..285d908 100644 --- a/security/smack/smack_lsm.c +++ b/security/smack/smack_lsm.c @@ -3657,6 +3657,35 @@ static int smack_key_permission(key_ref_t key_ref, request = MAY_WRITE; return smk_access(tkp, keyp->security, request, &ad); } + +/* + * smack_key_getsecurity - Smack label tagging the key + * @key points to the key to be queried + * @_buffer points to a pointer that should be set to point to the + * resulting string (if no label or an error occurs). + * Return the length of the string (including terminating NUL) or -ve if + * an error. + * May also return 0 (and a NULL buffer pointer) if there is no label. + */ +static int smack_key_getsecurity(struct key *key, char **_buffer) +{ + int length; + char *copy; + + if (key->security == NULL) { + *_buffer = NULL; + return 0; + } + + length = (int)strlen(key->security) + 1; + copy = kmalloc((size_t)length, GFP_KERNEL); + if (copy == NULL) + return -ENOMEM; + + memcpy(copy, key->security, (size_t)length); + *_buffer = copy; + return length; +} #endif /* CONFIG_KEYS */ /* @@ -3971,6 +4000,7 @@ struct security_operations smack_ops = { .key_alloc = smack_key_alloc, .key_free = smack_key_free, .key_permission = smack_key_permission, + .key_getsecurity = smack_key_getsecurity, #endif /* CONFIG_KEYS */ /* Audit hooks */ -- 2.1.2
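
Review bot: In smack_key_getsecurity, the kmalloc failure path returns -ENOMEM without writing *_buffer, while the no-label path sets it to NULL, so the output pointer is left unchanged on error. Assigning *_buffer = NULL at the top of the function would leave it defined on every return path. The strlen/kmalloc/memcpy sequence, with its (int) and (size_t) casts, could be replaced by kstrdup(key->security, GFP_KERNEL), with the returned length computed from the copy. The comment's parenthetical "(if no label or an error occurs)" also reads as if a word such as NULL is missing in front of it.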

