Smack: Remove unnecessary smack_known_invalid
authorCasey Schaufler <casey@schaufler-ca.com>
Mon, 14 Nov 2016 17:38:15 +0000 (09:38 -0800)
committerCasey Schaufler <casey@schaufler-ca.com>
Tue, 15 Nov 2016 17:34:39 +0000 (09:34 -0800)
The invalid Smack label ("") and the Huh ("?") Smack label
serve the same purpose and having both is unnecessary.
While pulling out the invalid label it became clear that
the use of smack_from_secid() was inconsistent, so that
is repaired. The setting of inode labels to the invalid
label could never happen in a functional system, has
never been observed in the wild and is not what you'd
really want for a failure behavior in any case. That is
removed.

Signed-off-by: Casey Schaufler <casey@schaufler-ca.com>
security/smack/smack.h
security/smack/smack_access.c
security/smack/smack_lsm.c
security/smack/smackfs.c

index 51fd30192c085b08049f93d8d3f8ca3d7ff99ead..77abe2efacae47f121c348c74801a0c0831fc793 100644 (file)
@@ -336,7 +336,6 @@ extern int smack_ptrace_rule;
 extern struct smack_known smack_known_floor;
 extern struct smack_known smack_known_hat;
 extern struct smack_known smack_known_huh;
-extern struct smack_known smack_known_invalid;
 extern struct smack_known smack_known_star;
 extern struct smack_known smack_known_web;
 
index 23e5808a0970b69bfed64a92d608b05537bbc074..356e3764cad9e93b80dfeac5a3010e391e9339c1 100644 (file)
@@ -36,11 +36,6 @@ struct smack_known smack_known_floor = {
        .smk_secid      = 5,
 };
 
-struct smack_known smack_known_invalid = {
-       .smk_known      = "",
-       .smk_secid      = 6,
-};
-
 struct smack_known smack_known_web = {
        .smk_known      = "@",
        .smk_secid      = 7,
@@ -615,7 +610,7 @@ struct smack_known *smack_from_secid(const u32 secid)
         * of a secid that is not on the list.
         */
        rcu_read_unlock();
-       return &smack_known_invalid;
+       return &smack_known_huh;
 }
 
 /*
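Review bot: The fallback at the end of smack_from_secid() now returns `&smack_known_huh`, so a caller cannot tell a secid that is not on the list from one that genuinely maps to the "?" label, and nothing documents this. The later hunks in smack_kernel_act_as() and smack_from_secattr() drop their NULL checks and rely on that never-NULL contract. The function's header comment, which starts outside this hunk, should state it, for example `Returns the matching label, or &smack_known_huh if the secid is not on the list; never NULL.` Note that smack_kernel_act_as() now returns 0 and assigns "?" for a secid that was never allocated. Whether that is an acceptable failure mode depends on how "?" is treated in access checks, which is not visible here.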
index 46d8be4344666abac5f7c221401359c38ebf2b63..4d90257d03ad168d0245ebee626ab2462fd2de13 100644 (file)
@@ -1384,20 +1384,14 @@ static void smack_inode_post_setxattr(struct dentry *dentry, const char *name,
                skp = smk_import_entry(value, size);
                if (!IS_ERR(skp))
                        isp->smk_inode = skp;
-               else
-                       isp->smk_inode = &smack_known_invalid;
        } else if (strcmp(name, XATTR_NAME_SMACKEXEC) == 0) {
                skp = smk_import_entry(value, size);
                if (!IS_ERR(skp))
                        isp->smk_task = skp;
-               else
-                       isp->smk_task = &smack_known_invalid;
        } else if (strcmp(name, XATTR_NAME_SMACKMMAP) == 0) {
                skp = smk_import_entry(value, size);
                if (!IS_ERR(skp))
                        isp->smk_mmap = skp;
-               else
-                       isp->smk_mmap = &smack_known_invalid;
        }
 
        return;
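Review bot: With the `else` branches gone, a failed smk_import_entry() in any of the three xattr branches silently leaves isp->smk_inode, smk_task or smk_mmap at its previous value, while the xattr that was just written carries the new one. The commit message argues this cannot happen on a functional system, but if smk_import_entry() can also fail for reasons other than a malformed label (allocation failure, presumably; not visible in this hunk), the cached label and the stored label disagree until the inode is instantiated again. Since the hook returns void, a comment on the first branch would record the decision, e.g. `/* On import failure the cached label is left unchanged; it may then differ from the xattr just written. */`, and a rate-limited warning there would make the mismatch visible. The function body starts above the hunk.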
@@ -2068,12 +2062,8 @@ static void smack_cred_transfer(struct cred *new, const struct cred *old)
 static int smack_kernel_act_as(struct cred *new, u32 secid)
 {
        struct task_smack *new_tsp = new->security;
-       struct smack_known *skp = smack_from_secid(secid);
-
-       if (skp == NULL)
-               return -EINVAL;
 
-       new_tsp->smk_task = skp;
+       new_tsp->smk_task = smack_from_secid(secid);
        return 0;
 }
 
@@ -3894,21 +3884,11 @@ static struct smack_known *smack_from_secattr(struct netlbl_lsm_secattr *sap,
                        return &smack_known_web;
                return &smack_known_star;
        }
-       if ((sap->flags & NETLBL_SECATTR_SECID) != 0) {
+       if ((sap->flags & NETLBL_SECATTR_SECID) != 0)
                /*
                 * Looks like a fallback, which gives us a secid.
                 */
-               skp = smack_from_secid(sap->attr.secid);
-               /*
-                * This has got to be a bug because it is
-                * impossible to specify a fallback without
-                * specifying the label, which will ensure
-                * it has a secid, and the only way to get a
-                * secid is from a fallback.
-                */
-               BUG_ON(skp == NULL);
-               return skp;
-       }
+               return smack_from_secid(sap->attr.secid);
        /*
         * Without guidance regarding the smack value
         * for the packet fall back on the network
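Review bot: The `if ((sap->flags & NETLBL_SECATTR_SECID) != 0)` test is now unbraced although its body is a three-line comment followed by the `return`. That makes it easy to misread where the conditional ends, or to add a second statement later that falls outside it. Keeping the braces costs nothing: `if ((sap->flags & NETLBL_SECATTR_SECID) != 0) {` … `return smack_from_secid(sap->attr.secid);` `}`. smack_from_secattr() begins and ends outside this hunk.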
@@ -4771,7 +4751,6 @@ static __init void init_smack_known_list(void)
        mutex_init(&smack_known_hat.smk_rules_lock);
        mutex_init(&smack_known_floor.smk_rules_lock);
        mutex_init(&smack_known_star.smk_rules_lock);
-       mutex_init(&smack_known_invalid.smk_rules_lock);
        mutex_init(&smack_known_web.smk_rules_lock);
        /*
         * Initialize rule lists
@@ -4780,7 +4759,6 @@ static __init void init_smack_known_list(void)
        INIT_LIST_HEAD(&smack_known_hat.smk_rules);
        INIT_LIST_HEAD(&smack_known_star.smk_rules);
        INIT_LIST_HEAD(&smack_known_floor.smk_rules);
-       INIT_LIST_HEAD(&smack_known_invalid.smk_rules);
        INIT_LIST_HEAD(&smack_known_web.smk_rules);
        /*
         * Create the known labels list
@@ -4789,7 +4767,6 @@ static __init void init_smack_known_list(void)
        smk_insert_entry(&smack_known_hat);
        smk_insert_entry(&smack_known_star);
        smk_insert_entry(&smack_known_floor);
-       smk_insert_entry(&smack_known_invalid);
        smk_insert_entry(&smack_known_web);
 }
 
index 6492fe96cae4c11a91c776cf4aa3f6effd4c4a32..13743a01b35b5000c56e2a83bd2f973dbf787127 100644 (file)
@@ -2996,9 +2996,6 @@ static int __init init_smk_fs(void)
        if (err == 0 && rc < 0)
                err = rc;
        rc = smk_preset_netlabel(&smack_known_huh);
-       if (err == 0 && rc < 0)
-               err = rc;
-       rc = smk_preset_netlabel(&smack_known_invalid);
        if (err == 0 && rc < 0)
                err = rc;
        rc = smk_preset_netlabel(&smack_known_star);