~hc/RK356X_SDK_RELEASE.git

..	..	@@ -1,13 +1,9 @@
	1	+// SPDX-License-Identifier: GPL-2.0-only
1	2	/*
2	3	* Copyright (C) 2007 Casey Schaufler <casey@schaufler-ca.com>
3	4	*
4		- * This program is free software; you can redistribute it and/or modify
5		- * it under the terms of the GNU General Public License as published by
6		- * the Free Software Foundation, version 2.
7		- *
8	5	* Author:
9	6	* Casey Schaufler <casey@schaufler-ca.com>
10		- *
11	7	*/
12	8
13	9	#include <linux/types.h>
..	..	@@ -274,7 +270,7 @@
274	270	int smk_curacc(struct smack_known *obj_known,
275	271	u32 mode, struct smk_audit_info *a)
276	272	{
277		- struct task_smack *tsp = current_security();
	273	+ struct task_smack *tsp = smack_cred(current_cred());
278	274
279	275	return smk_tskacc(tsp, obj_known, mode, a);
280	276	}
..	..	@@ -514,6 +510,42 @@
514	510	}
515	511
516	512	/**
	513	+ * smack_populate_secattr - fill in the smack_known netlabel information
	514	+ * @skp: pointer to the structure to fill
	515	+ *
	516	+ * Populate the netlabel secattr structure for a Smack label.
	517	+ *
	518	+ * Returns 0 unless creating the category mapping fails
	519	+ */
	520	+int smack_populate_secattr(struct smack_known *skp)
	521	+{
	522	+ int slen;
	523	+
	524	+ skp->smk_netlabel.attr.secid = skp->smk_secid;
	525	+ skp->smk_netlabel.domain = skp->smk_known;
	526	+ skp->smk_netlabel.cache = netlbl_secattr_cache_alloc(GFP_ATOMIC);
	527	+ if (skp->smk_netlabel.cache != NULL) {
	528	+ skp->smk_netlabel.flags \|= NETLBL_SECATTR_CACHE;
	529	+ skp->smk_netlabel.cache->free = NULL;
	530	+ skp->smk_netlabel.cache->data = skp;
	531	+ }
	532	+ skp->smk_netlabel.flags \|= NETLBL_SECATTR_SECID \|
	533	+ NETLBL_SECATTR_MLS_LVL \|
	534	+ NETLBL_SECATTR_DOMAIN;
	535	+ /*
	536	+ * If direct labeling works use it.
	537	+ * Otherwise use mapped labeling.
	538	+ */
	539	+ slen = strlen(skp->smk_known);
	540	+ if (slen < SMK_CIPSOLEN)
	541	+ return smk_netlbl_mls(smack_cipso_direct, skp->smk_known,
	542	+ &skp->smk_netlabel, slen);
	543	+
	544	+ return smk_netlbl_mls(smack_cipso_mapped, (char *)&skp->smk_secid,
	545	+ &skp->smk_netlabel, sizeof(skp->smk_secid));
	546	+}
	547	+
	548	+/**
517	549	* smk_import_entry - import a label, return the list entry
518	550	* @string: a text string that might be a Smack label
519	551	* @len: the maximum size, or zero if it is NULL terminated.
..	..	@@ -526,7 +558,6 @@
526	558	{
527	559	struct smack_known *skp;
528	560	char *smack;
529		- int slen;
530	561	int rc;
531	562
532	563	smack = smk_parse_smack(string, len);
..	..	@@ -547,21 +578,8 @@
547	578
548	579	skp->smk_known = smack;
549	580	skp->smk_secid = smack_next_secid++;
550		- skp->smk_netlabel.domain = skp->smk_known;
551		- skp->smk_netlabel.flags =
552		- NETLBL_SECATTR_DOMAIN \| NETLBL_SECATTR_MLS_LVL;
553		- /*
554		- * If direct labeling works use it.
555		- * Otherwise use mapped labeling.
556		- */
557		- slen = strlen(smack);
558		- if (slen < SMK_CIPSOLEN)
559		- rc = smk_netlbl_mls(smack_cipso_direct, skp->smk_known,
560		- &skp->smk_netlabel, slen);
561		- else
562		- rc = smk_netlbl_mls(smack_cipso_mapped, (char *)&skp->smk_secid,
563		- &skp->smk_netlabel, sizeof(skp->smk_secid));
564	581
	582	+ rc = smack_populate_secattr(skp);
565	583	if (rc >= 0) {
566	584	INIT_LIST_HEAD(&skp->smk_rules);
567	585	mutex_init(&skp->smk_rules_lock);
..	..	@@ -572,9 +590,6 @@
572	590	smk_insert_entry(skp);
573	591	goto unlockout;
574	592	}
575		- /*
576		- * smk_netlbl_mls failed.
577		- */
578	593	kfree(skp);
579	594	skp = ERR_PTR(rc);
580	595	freeout:
..	..	@@ -634,7 +649,7 @@
634	649	*/
635	650	bool smack_privileged_cred(int cap, const struct cred *cred)
636	651	{
637		- struct task_smack *tsp = cred->security;
	652	+ struct task_smack *tsp = smack_cred(cred);
638	653	struct smack_known *skp = tsp->smk_task;
639	654	struct smack_known_list_elem *sklep;
640	655	int rc;
..	..	@@ -672,9 +687,10 @@
672	687	bool smack_privileged(int cap)
673	688	{
674	689	/*
675		- * All kernel tasks are privileged
	690	+ * Kernel threads may not have credentials we can use.
	691	+ * The io_uring kernel threads do have reliable credentials.
676	692	*/
677		- if (unlikely(current->flags & PF_KTHREAD))
	693	+ if ((current->flags & (PF_KTHREAD \| PF_IO_WORKER)) == PF_KTHREAD)
678	694	return true;
679	695
680	696	return smack_privileged_cred(cap, current_cred());