Re: [PATCH v4 07/11] smack: abstraction layer for 2 common Smack operations

2015-10-30 Thread Casey Schaufler
On 10/14/2015 5:42 AM, Lukasz Pawelczyk wrote:
> This patch adds two new functions that provide an abstraction layer for
> two common internal Smack operations:
>
> smk_find_label_name() - returns a label name (char*) from a struct
> smack_known pointer
> smk_get_label()   - either finds or imports a label from a raw label
> name (char*) and returns struct smack_known
> pointer
>
> This patch also simplifies some pieces of code due to addition of those
> 2 functions (e.g. smack_inode_post_setxattr, smk_fill_rule,
> smk_write_revoke_subj).
>
> It is meant as a preparation for namespaces patches. Those 2 functions
> will serve as entry points for namespace operations.
>
> This patch should not change the Smack behaviour in any way.
>
> Signed-off-by: Lukasz Pawelczyk 
> Reviewed-by: Casey Schaufler 

Acked-by: Casey Schaufler 


> ---
>  security/smack/smack.h|   2 +
>  security/smack/smack_access.c |  41 
>  security/smack/smack_lsm.c|  78 +++---
>  security/smack/smackfs.c  | 147 
> +++---
>  4 files changed, 166 insertions(+), 102 deletions(-)
>
> diff --git a/security/smack/smack.h b/security/smack/smack.h
> index ca8fb7c..091efc2 100644
> --- a/security/smack/smack.h
> +++ b/security/smack/smack.h
> @@ -306,6 +306,8 @@ int smack_has_ns_privilege(struct task_struct *task,
>  int smack_has_privilege(struct task_struct *task, int cap);
>  int smack_ns_privileged(struct user_namespace *user_ns, int cap);
>  int smack_privileged(int cap);
> +char *smk_find_label_name(struct smack_known *skp);
> +struct smack_known *smk_get_label(const char *string, int len, bool import);
>  
>  /*
>   * Shared data.
> diff --git a/security/smack/smack_access.c b/security/smack/smack_access.c
> index 72f848e..131c742 100644
> --- a/security/smack/smack_access.c
> +++ b/security/smack/smack_access.c
> @@ -716,3 +716,44 @@ int smack_privileged(int cap)
>  {
>   return smack_ns_privileged(_user_ns, cap);
>  }
> +
> +/**
> + * smk_find_label_name - A helper to get a string value of a label
> + * @skp: a label we want a string value from
> + *
> + * Returns a pointer to a label name or NULL if label name not found.
> + */
> +char *smk_find_label_name(struct smack_known *skp)
> +{
> + return skp->smk_known;
> +}
> +
> +/**
> + * smk_get_label - A helper to get the smack_known value from a string using
> + * either import or find functions if it already exists
> + * @string: a name of a label we look for or want to import
> + * @len: the string size, or zero if it is NULL terminated
> + * @import: whether we should import the label if not found
> + *
> + * Returns a smack_known label that is either imported or found.
> + * NULL if label not found (only when import == false).
> + * Error code otherwise.
> + */
> +struct smack_known *smk_get_label(const char *string, int len, bool import)
> +{
> + struct smack_known *skp;
> + char *cp;
> +
> + if (import) {
> + skp = smk_import_entry(string, len);
> + } else {
> + cp = smk_parse_smack(string, len);
> + if (IS_ERR(cp))
> + return ERR_CAST(cp);
> +
> + skp = smk_find_entry(cp);
> + kfree(cp);
> + }
> +
> + return skp;
> +}
> diff --git a/security/smack/smack_lsm.c b/security/smack/smack_lsm.c
> index 198d3d6..7303c37 100644
> --- a/security/smack/smack_lsm.c
> +++ b/security/smack/smack_lsm.c
> @@ -746,31 +746,31 @@ static int smack_set_mnt_opts(struct super_block *sb,
>   for (i = 0; i < num_opts; i++) {
>   switch (opts->mnt_opts_flags[i]) {
>   case FSDEFAULT_MNT:
> - skp = smk_import_entry(opts->mnt_opts[i], 0);
> + skp = smk_get_label(opts->mnt_opts[i], 0, true);
>   if (IS_ERR(skp))
>   return PTR_ERR(skp);
>   sp->smk_default = skp;
>   break;
>   case FSFLOOR_MNT:
> - skp = smk_import_entry(opts->mnt_opts[i], 0);
> + skp = smk_get_label(opts->mnt_opts[i], 0, true);
>   if (IS_ERR(skp))
>   return PTR_ERR(skp);
>   sp->smk_floor = skp;
>   break;
>   case FSHAT_MNT:
> - skp = smk_import_entry(opts->mnt_opts[i], 0);
> + skp = smk_get_label(opts->mnt_opts[i], 0, true);
>   if (IS_ERR(skp))
>   return PTR_ERR(skp);
>   sp->smk_hat = skp;
>   break;
>   case FSROOT_MNT:
> - skp = smk_import_entry(opts->mnt_opts[i], 0);
> + skp = 

[PATCH v4 07/11] smack: abstraction layer for 2 common Smack operations

2015-10-14 Thread Lukasz Pawelczyk
This patch adds two new functions that provide an abstraction layer for
two common internal Smack operations:

smk_find_label_name() - returns a label name (char*) from a struct
smack_known pointer
smk_get_label()   - either finds or imports a label from a raw label
name (char*) and returns struct smack_known
pointer

This patch also simplifies some pieces of code due to the addition of those
2 functions (e.g. smack_inode_post_setxattr, smk_fill_rule,
smk_write_revoke_subj).

It is meant as a preparation for namespaces patches. Those 2 functions
will serve as entry points for namespace operations.

This patch should not change the Smack behaviour in any way.

Signed-off-by: Lukasz Pawelczyk 
Reviewed-by: Casey Schaufler 
---
 security/smack/smack.h|   2 +
 security/smack/smack_access.c |  41 
 security/smack/smack_lsm.c|  78 +++---
 security/smack/smackfs.c  | 147 +++---
 4 files changed, 166 insertions(+), 102 deletions(-)

diff --git a/security/smack/smack.h b/security/smack/smack.h
index ca8fb7c..091efc2 100644
--- a/security/smack/smack.h
+++ b/security/smack/smack.h
@@ -306,6 +306,8 @@ int smack_has_ns_privilege(struct task_struct *task,
 int smack_has_privilege(struct task_struct *task, int cap);
 int smack_ns_privileged(struct user_namespace *user_ns, int cap);
 int smack_privileged(int cap);
+char *smk_find_label_name(struct smack_known *skp);
+struct smack_known *smk_get_label(const char *string, int len, bool import);
 
 /*
  * Shared data.
diff --git a/security/smack/smack_access.c b/security/smack/smack_access.c
index 72f848e..131c742 100644
--- a/security/smack/smack_access.c
+++ b/security/smack/smack_access.c
@@ -716,3 +716,44 @@ int smack_privileged(int cap)
 {
return smack_ns_privileged(_user_ns, cap);
 }
+
+/**
+ * smk_find_label_name - A helper to get a string value of a label
+ * @skp: a label we want a string value from
+ *
+ * Returns a pointer to a label name or NULL if label name not found.
+ */
+char *smk_find_label_name(struct smack_known *skp)
+{
+   return skp->smk_known;
+}
+
+/**
+ * smk_get_label - A helper to get the smack_known value from a string using
+ * either import or find functions if it already exists
+ * @string: a name of a label we look for or want to import
+ * @len: the string size, or zero if it is NULL terminated
+ * @import: whether we should import the label if not found
+ *
+ * Returns a smack_known label that is either imported or found.
+ * NULL if label not found (only when import == false).
+ * Error code otherwise.
+ */
+struct smack_known *smk_get_label(const char *string, int len, bool import)
+{
+   struct smack_known *skp;
+   char *cp;
+
+   if (import) {
+   skp = smk_import_entry(string, len);
+   } else {
+   cp = smk_parse_smack(string, len);
+   if (IS_ERR(cp))
+   return ERR_CAST(cp);
+
+   skp = smk_find_entry(cp);
+   kfree(cp);
+   }
+
+   return skp;
+}
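Review bot: The kernel-doc for smk_find_label_name says it returns NULL when the label name is not found, but the body unconditionally dereferences skp, so a NULL skp would oops instead of yielding NULL; as written the helper can only ever return skp->smk_known. Either document the precondition (`@skp: a label we want a string value from; must not be NULL`) and drop the NULL-return sentence, or make the body match the stated contract with `return skp ? skp->smk_known : NULL;`. If the NULL case is reserved for the later namespace patches, a one-line comment saying so would keep callers from relying on a return value that cannot yet occur. In smk_get_label, `cp` is only used on the non-import path and could be declared inside the else block to keep its scope tight.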
diff --git a/security/smack/smack_lsm.c b/security/smack/smack_lsm.c
index 198d3d6..7303c37 100644
--- a/security/smack/smack_lsm.c
+++ b/security/smack/smack_lsm.c
@@ -746,31 +746,31 @@ static int smack_set_mnt_opts(struct super_block *sb,
for (i = 0; i < num_opts; i++) {
switch (opts->mnt_opts_flags[i]) {
case FSDEFAULT_MNT:
-   skp = smk_import_entry(opts->mnt_opts[i], 0);
+   skp = smk_get_label(opts->mnt_opts[i], 0, true);
if (IS_ERR(skp))
return PTR_ERR(skp);
sp->smk_default = skp;
break;
case FSFLOOR_MNT:
-   skp = smk_import_entry(opts->mnt_opts[i], 0);
+   skp = smk_get_label(opts->mnt_opts[i], 0, true);
if (IS_ERR(skp))
return PTR_ERR(skp);
sp->smk_floor = skp;
break;
case FSHAT_MNT:
-   skp = smk_import_entry(opts->mnt_opts[i], 0);
+   skp = smk_get_label(opts->mnt_opts[i], 0, true);
if (IS_ERR(skp))
return PTR_ERR(skp);
sp->smk_hat = skp;
break;
case FSROOT_MNT:
-   skp = smk_import_entry(opts->mnt_opts[i], 0);
+   skp = smk_get_label(opts->mnt_opts[i], 0, true);
if (IS_ERR(skp))
return PTR_ERR(skp);
sp->smk_root = skp;
break;
case FSTRANS_MNT:
-   skp =