From patchwork Mon Nov 14 17:38:15 2016 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Casey Schaufler X-Patchwork-Id: 9428087
From: Casey Schaufler To: LSM Cc: Casey Schaufler Subject: [PATCH] Smack: Remove unnecessary smack_known_invalid Message-ID: Date: Mon, 14 Nov 2016 09:38:15 -0800 User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:45.0) Gecko/20100101 Thunderbird/45.4.0 MIME-Version: 1.0 Sender: owner-linux-security-module@vger.kernel.org Precedence: bulk List-ID: X-Virus-Scanned: ClamAV using ClamSMTP Subject: [PATCH] Smack: Remove unnecessary smack_known_invalid The invalid Smack label ("") and the Huh ("?") Smack label serve the same purpose and having both is unnecessary. While pulling out the invalid label it became clear that the use of smack_from_secid() was inconsistent, so that is repaired. The setting of inode labels to the invalid label could never happen in a functional system, has never been observed in the wild and is not what you'd really want for a failure behavior in any case. That is removed. Signed-off-by: Casey Schaufler --- security/smack/smack.h | 1 - security/smack/smack_access.c | 7 +------ security/smack/smack_lsm.c | 29 +++-------------------------- security/smack/smackfs.c | 3 --- 4 files changed, 4 insertions(+), 36 deletions(-) -- To unsubscribe from this list: send the line "unsubscribe linux-security-module" in the body of a message to majordomo@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html diff --git a/security/smack/smack.h b/security/smack/smack.h index 51fd301..77abe2e 100644 --- a/security/smack/smack.h +++ b/security/smack/smack.h @@ -336,7 +336,6 @@ extern int smack_ptrace_rule; extern struct smack_known smack_known_floor; extern struct smack_known smack_known_hat; extern struct smack_known smack_known_huh; -extern struct smack_known smack_known_invalid; extern struct smack_known smack_known_star; extern struct smack_known smack_known_web; diff --git a/security/smack/smack_access.c b/security/smack/smack_access.c index 23e5808..356e376 100644 --- a/security/smack/smack_access.c 
+++ b/security/smack/smack_access.c @@ -36,11 +36,6 @@ struct smack_known smack_known_floor = { .smk_secid = 5, }; -struct smack_known smack_known_invalid = { - .smk_known = "", - .smk_secid = 6, -}; - struct smack_known smack_known_web = { .smk_known = "@", .smk_secid = 7, @@ -615,7 +610,7 @@ struct smack_known *smack_from_secid(const u32 secid) * of a secid that is not on the list. */ rcu_read_unlock(); - return &smack_known_invalid; + return &smack_known_huh; } /* diff --git a/security/smack/smack_lsm.c b/security/smack/smack_lsm.c index 9cf0dd7..df73115 100644 --- a/security/smack/smack_lsm.c +++ b/security/smack/smack_lsm.c @@ -1384,20 +1384,14 @@ static void smack_inode_post_setxattr(struct dentry *dentry, const char *name, skp = smk_import_entry(value, size); if (!IS_ERR(skp)) isp->smk_inode = skp; - else - isp->smk_inode = &smack_known_invalid; } else if (strcmp(name, XATTR_NAME_SMACKEXEC) == 0) { skp = smk_import_entry(value, size); if (!IS_ERR(skp)) isp->smk_task = skp; - else - isp->smk_task = &smack_known_invalid; } else if (strcmp(name, XATTR_NAME_SMACKMMAP) == 0) { skp = smk_import_entry(value, size); if (!IS_ERR(skp)) isp->smk_mmap = skp; - else - isp->smk_mmap = &smack_known_invalid; } return; @@ -2067,12 +2061,8 @@ static void smack_cred_transfer(struct cred *new, const struct cred *old) static int smack_kernel_act_as(struct cred *new, u32 secid) { struct task_smack *new_tsp = new->security; - struct smack_known *skp = smack_from_secid(secid); - - if (skp == NULL) - return -EINVAL; - new_tsp->smk_task = skp; + new_tsp->smk_task = smack_from_secid(secid); return 0; } 
@@ -3892,21 +3882,11 @@ static struct smack_known *smack_from_secattr(struct netlbl_lsm_secattr *sap, return &smack_known_web; return &smack_known_star; } - if ((sap->flags & NETLBL_SECATTR_SECID) != 0) { + if ((sap->flags & NETLBL_SECATTR_SECID) != 0) /* * Looks like a fallback, which gives us a secid. */ - skp = smack_from_secid(sap->attr.secid); - /* - * This has got to be a bug because it is - * impossible to specify a fallback without - * specifying the label, which will ensure - * it has a secid, and the only way to get a - * secid is from a fallback. - */ - BUG_ON(skp == NULL); - return skp; - } + return smack_from_secid(sap->attr.secid); /* * Without guidance regarding the smack value * for the packet fall back on the network @@ -4769,7 +4749,6 @@ static __init void init_smack_known_list(void) mutex_init(&smack_known_hat.smk_rules_lock); mutex_init(&smack_known_floor.smk_rules_lock); mutex_init(&smack_known_star.smk_rules_lock); - mutex_init(&smack_known_invalid.smk_rules_lock); mutex_init(&smack_known_web.smk_rules_lock); /* * Initialize rule lists @@ -4778,7 +4757,6 @@ static __init void init_smack_known_list(void) INIT_LIST_HEAD(&smack_known_hat.smk_rules); INIT_LIST_HEAD(&smack_known_star.smk_rules); INIT_LIST_HEAD(&smack_known_floor.smk_rules); - INIT_LIST_HEAD(&smack_known_invalid.smk_rules); INIT_LIST_HEAD(&smack_known_web.smk_rules); /* * Create the known labels list @@ -4787,7 +4765,6 @@ static __init void init_smack_known_list(void) smk_insert_entry(&smack_known_hat); smk_insert_entry(&smack_known_star); smk_insert_entry(&smack_known_floor); - smk_insert_entry(&smack_known_invalid); smk_insert_entry(&smack_known_web); } diff --git a/security/smack/smackfs.c b/security/smack/smackfs.c index 6492fe9..13743a0 100644 --- a/security/smack/smackfs.c +++ b/security/smack/smackfs.c 
@@ -2998,9 +2998,6 @@ static int __init init_smk_fs(void) rc = smk_preset_netlabel(&smack_known_huh); if (err == 0 && rc < 0) err = rc; - rc = smk_preset_netlabel(&smack_known_invalid); - if (err == 0 && rc < 0) - err = rc; rc = smk_preset_netlabel(&smack_known_star); if (err == 0 && rc < 0) err = rc;
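Review bot: In security/smack/smack_access.c, the built-in labels now jump from .smk_secid = 5 (smack_known_floor) to .smk_secid = 7 (smack_known_web) with nothing recording that 6 is retired. A one-line comment where smack_known_invalid used to be would keep a later built-in label from reusing 6 and would explain why a secid of 6 now takes the not-on-the-list path in smack_from_secid().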
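Review bot: In smack_from_secid() (smack_access.c, hunk at -615), the not-found path now returns &smack_known_huh, so a caller can no longer tell a secid that was never on the list from one that legitimately maps to "?". The comment directly above already singles this case out as "a secid that is not on the list"; consider a WARN_ONCE() or a rate-limited pr_warn carrying the secid value before the return, so a failed lookup still leaves a trace.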
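Review bot: In smack_inode_post_setxattr() (smack_lsm.c, hunk at -1384), with the three else branches gone a failed smk_import_entry() leaves isp->smk_inode, isp->smk_task or isp->smk_mmap at its previous value with no indication, in a hook that returns void. The commit message argues this cannot happen on a functional system; a short comment at the first "if (!IS_ERR(skp))" stating that the cached label is deliberately left unchanged on import failure would make that decision visible to the next reader.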
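Review bot: In smack_kernel_act_as() (smack_lsm.c, hunk at -2067), the function now returns 0 on every path, so a secid that is not on the list ends with new_tsp->smk_task set to the "?" label instead of a failure. Dropping the NULL test is consistent with smack_from_secid() returning a pointer on the fallback path shown in this patch, but if acting as an unknown secid should be refused, that now needs an explicit check here; otherwise any function comment that still documents an error return should be updated along with this change.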
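Review bot: In smack_from_secattr() (smack_lsm.c, hunk at -3892), the now unbraced "if ((sap->flags & NETLBL_SECATTR_SECID) != 0)" is followed by a block comment and only then by its single return statement, which makes the body easy to misread and easy to break with a later one-line addition. Either keep the braces around the comment plus "return smack_from_secid(sap->attr.secid);", or move the "Looks like a fallback" comment above the if.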