Lines Matching +full:sig +full:- +full:dir +full:- +full:cmd
1 // SPDX-License-Identifier: GPL-2.0-only
8 * Casey Schaufler <casey@schaufler-ca.com>
11 * Copyright (C) 2007 Casey Schaufler <casey@schaufler-ca.com>
12 * Copyright (C) 2009 Hewlett-Packard Development Company, L.P.
13 * Paul Moore <paul@paul-moore.com>
57 * SMACK64 - for access control,
58 * SMACK64TRANSMUTE - label initialization,
59 * Not saved on files - SMACK64IPIN and SMACK64IPOUT,
60 * Must be set explicitly - SMACK64EXEC and SMACK64MMAP
71 #define A(s) {"smack"#s, sizeof("smack"#s) - 1, Opt_##s}
77 {"smackfsdef", sizeof("smackfsdef") - 1, Opt_fsdefault},
123 s[i++] = '-'; in smk_bu_mode()
141 sskp->smk_known, oskp->smk_known, acc, note); in smk_bu_note()
162 tsp->smk_task->smk_known, oskp->smk_known, in smk_bu_current()
163 acc, current->comm, note); in smk_bu_current()
184 tsp->smk_task->smk_known, smk_task->smk_known, acc, in smk_bu_task()
185 current->comm, otp->comm); in smk_bu_task()
199 if (isp->smk_flags & SMK_INODE_IMPURE) in smk_bu_inode()
201 inode->i_sb->s_id, inode->i_ino, current->comm); in smk_bu_inode()
209 isp->smk_flags |= SMK_INODE_IMPURE; in smk_bu_inode()
214 tsp->smk_task->smk_known, isp->smk_inode->smk_known, acc, in smk_bu_inode()
215 inode->i_sb->s_id, inode->i_ino, current->comm); in smk_bu_inode()
226 struct smack_known *sskp = tsp->smk_task; in smk_bu_file()
231 if (isp->smk_flags & SMK_INODE_IMPURE) in smk_bu_file()
233 inode->i_sb->s_id, inode->i_ino, current->comm); in smk_bu_file()
242 sskp->smk_known, smk_of_inode(inode)->smk_known, acc, in smk_bu_file()
243 inode->i_sb->s_id, inode->i_ino, file, in smk_bu_file()
244 current->comm); in smk_bu_file()
256 struct smack_known *sskp = tsp->smk_task; in smk_bu_credfile()
261 if (isp->smk_flags & SMK_INODE_IMPURE) in smk_bu_credfile()
263 inode->i_sb->s_id, inode->i_ino, current->comm); in smk_bu_credfile()
272 sskp->smk_known, smk_of_inode(inode)->smk_known, acc, in smk_bu_credfile()
273 inode->i_sb->s_id, inode->i_ino, file, in smk_bu_credfile()
274 current->comm); in smk_bu_credfile()
282 * smk_fetch - Fetch the smack label from a file.
297 if (!(ip->i_opflags & IOP_XATTR)) in smk_fetch()
298 return ERR_PTR(-EOPNOTSUPP); in smk_fetch()
302 return ERR_PTR(-ENOMEM); in smk_fetch()
318 * init_inode_smack - initialize an inode security blob
327 isp->smk_inode = skp; in init_inode_smack()
328 isp->smk_flags = 0; in init_inode_smack()
332 * init_task_smack - initialize a task security blob
341 tsp->smk_task = task; in init_task_smack()
342 tsp->smk_forked = forked; in init_task_smack()
343 INIT_LIST_HEAD(&tsp->smk_rules); in init_task_smack()
344 INIT_LIST_HEAD(&tsp->smk_relabel); in init_task_smack()
345 mutex_init(&tsp->smk_rules_lock); in init_task_smack()
349 * smk_copy_rules - copy a rule set
354 * Returns 0 on success, -ENOMEM on error
366 rc = -ENOMEM; in smk_copy_rules()
370 list_add_rcu(&nrp->list, nhead); in smk_copy_rules()
376 * smk_copy_relabel - copy smk_relabel labels list
381 * Returns 0 on success, -ENOMEM on error
393 return -ENOMEM; in smk_copy_relabel()
395 nklep->smk_label = oklep->smk_label; in smk_copy_relabel()
396 list_add(&nklep->list, nhead); in smk_copy_relabel()
403 * smk_ptrace_mode - helper function for converting PTRACE_MODE_* into MAY_*
419 * smk_ptrace_rule_check - helper for ptrace access
425 * Returns 0 on access granted, -error on error
451 if (tracer_known->smk_known == tracee_known->smk_known) in smk_ptrace_rule_check()
454 rc = -EACCES; in smk_ptrace_rule_check()
458 rc = -EACCES; in smk_ptrace_rule_check()
461 smack_log(tracer_known->smk_known, in smk_ptrace_rule_check()
462 tracee_known->smk_known, in smk_ptrace_rule_check()
482 * smack_ptrace_access_check - Smack approval on PTRACE_ATTACH
500 * smack_ptrace_traceme - Smack approval on PTRACE_TRACEME
517 * smack_syslog - Smack approval on syslog
531 rc = -EACCES; in smack_syslog()
541 * smack_sb_alloc_security - allocate a superblock blob
544 * Returns 0 on success or -ENOMEM on error.
550 sbsp->smk_root = &smack_known_floor; in smack_sb_alloc_security()
551 sbsp->smk_default = &smack_known_floor; in smack_sb_alloc_security()
552 sbsp->smk_floor = &smack_known_floor; in smack_sb_alloc_security()
553 sbsp->smk_hat = &smack_known_hat; in smack_sb_alloc_security()
582 return -ENOMEM; in smack_add_opt()
586 return -ENOMEM; in smack_add_opt()
594 if (opts->fsdefault) in smack_add_opt()
596 opts->fsdefault = skp->smk_known; in smack_add_opt()
599 if (opts->fsfloor) in smack_add_opt()
601 opts->fsfloor = skp->smk_known; in smack_add_opt()
604 if (opts->fshat) in smack_add_opt()
606 opts->fshat = skp->smk_known; in smack_add_opt()
609 if (opts->fsroot) in smack_add_opt()
611 opts->fsroot = skp->smk_known; in smack_add_opt()
614 if (opts->fstransmute) in smack_add_opt()
616 opts->fstransmute = skp->smk_known; in smack_add_opt()
623 return -EINVAL; in smack_add_opt()
627 * smack_fs_context_submount - Initialise security data for a filesystem context
631 * Returns 0 on success or -ENOMEM on error.
642 return -ENOMEM; in smack_fs_context_submount()
643 fc->security = ctx; in smack_fs_context_submount()
646 isp = smack_inode(reference->s_root->d_inode); in smack_fs_context_submount()
648 if (sbsp->smk_default) { in smack_fs_context_submount()
649 ctx->fsdefault = kstrdup(sbsp->smk_default->smk_known, GFP_KERNEL); in smack_fs_context_submount()
650 if (!ctx->fsdefault) in smack_fs_context_submount()
651 return -ENOMEM; in smack_fs_context_submount()
654 if (sbsp->smk_floor) { in smack_fs_context_submount()
655 ctx->fsfloor = kstrdup(sbsp->smk_floor->smk_known, GFP_KERNEL); in smack_fs_context_submount()
656 if (!ctx->fsfloor) in smack_fs_context_submount()
657 return -ENOMEM; in smack_fs_context_submount()
660 if (sbsp->smk_hat) { in smack_fs_context_submount()
661 ctx->fshat = kstrdup(sbsp->smk_hat->smk_known, GFP_KERNEL); in smack_fs_context_submount()
662 if (!ctx->fshat) in smack_fs_context_submount()
663 return -ENOMEM; in smack_fs_context_submount()
666 if (isp->smk_flags & SMK_INODE_TRANSMUTE) { in smack_fs_context_submount()
667 if (sbsp->smk_root) { in smack_fs_context_submount()
668 ctx->fstransmute = kstrdup(sbsp->smk_root->smk_known, GFP_KERNEL); in smack_fs_context_submount()
669 if (!ctx->fstransmute) in smack_fs_context_submount()
670 return -ENOMEM; in smack_fs_context_submount()
677 * smack_fs_context_dup - Duplicate the security data on fs_context duplication
681 * Returns 0 on success or -ENOMEM on error.
686 struct smack_mnt_opts *dst, *src = src_fc->security; in smack_fs_context_dup()
691 fc->security = kzalloc(sizeof(struct smack_mnt_opts), GFP_KERNEL); in smack_fs_context_dup()
692 if (!fc->security) in smack_fs_context_dup()
693 return -ENOMEM; in smack_fs_context_dup()
695 dst = fc->security; in smack_fs_context_dup()
696 dst->fsdefault = src->fsdefault; in smack_fs_context_dup()
697 dst->fsfloor = src->fsfloor; in smack_fs_context_dup()
698 dst->fshat = src->fshat; in smack_fs_context_dup()
699 dst->fsroot = src->fsroot; in smack_fs_context_dup()
700 dst->fstransmute = src->fstransmute; in smack_fs_context_dup()
716 * smack_fs_context_parse_param - Parse a single mount parameter
720 * Returns 0 on success, -ENOPARAM to pass the parameter on or anything else on
733 rc = smack_add_opt(opt, param->string, &fc->security); in smack_fs_context_parse_param()
735 param->string = NULL; in smack_fs_context_parse_param()
750 len = next - from; in smack_sb_eat_lsm_opts()
756 arg = kmemdup_nul(arg, from + len - arg, GFP_KERNEL); in smack_sb_eat_lsm_opts()
767 from--; in smack_sb_eat_lsm_opts()
784 * smack_set_mnt_opts - set Smack specific mount options
800 struct dentry *root = sb->s_root; in smack_set_mnt_opts()
808 if (sp->smk_flags & SMK_SB_INITIALIZED) in smack_set_mnt_opts()
816 return -EPERM; in smack_set_mnt_opts()
821 sp->smk_root = skp; in smack_set_mnt_opts()
822 sp->smk_default = skp; in smack_set_mnt_opts()
824 * For a handful of fs types with no user-controlled in smack_set_mnt_opts()
828 if (sb->s_user_ns != &init_user_ns && in smack_set_mnt_opts()
829 sb->s_magic != SYSFS_MAGIC && sb->s_magic != TMPFS_MAGIC && in smack_set_mnt_opts()
830 sb->s_magic != RAMFS_MAGIC) { in smack_set_mnt_opts()
832 sp->smk_flags |= SMK_SB_UNTRUSTED; in smack_set_mnt_opts()
836 sp->smk_flags |= SMK_SB_INITIALIZED; in smack_set_mnt_opts()
839 if (opts->fsdefault) { in smack_set_mnt_opts()
840 skp = smk_import_entry(opts->fsdefault, 0); in smack_set_mnt_opts()
843 sp->smk_default = skp; in smack_set_mnt_opts()
845 if (opts->fsfloor) { in smack_set_mnt_opts()
846 skp = smk_import_entry(opts->fsfloor, 0); in smack_set_mnt_opts()
849 sp->smk_floor = skp; in smack_set_mnt_opts()
851 if (opts->fshat) { in smack_set_mnt_opts()
852 skp = smk_import_entry(opts->fshat, 0); in smack_set_mnt_opts()
855 sp->smk_hat = skp; in smack_set_mnt_opts()
857 if (opts->fsroot) { in smack_set_mnt_opts()
858 skp = smk_import_entry(opts->fsroot, 0); in smack_set_mnt_opts()
861 sp->smk_root = skp; in smack_set_mnt_opts()
863 if (opts->fstransmute) { in smack_set_mnt_opts()
864 skp = smk_import_entry(opts->fstransmute, 0); in smack_set_mnt_opts()
867 sp->smk_root = skp; in smack_set_mnt_opts()
875 init_inode_smack(inode, sp->smk_root); in smack_set_mnt_opts()
879 isp->smk_flags |= SMK_INODE_TRANSMUTE; in smack_set_mnt_opts()
886 * smack_sb_statfs - Smack check on statfs
894 struct superblock_smack *sbp = smack_superblock(dentry->d_sb); in smack_sb_statfs()
901 rc = smk_curacc(sbp->smk_floor, MAY_READ, &ad); in smack_sb_statfs()
902 rc = smk_bu_current("statfs", sbp->smk_floor, MAY_READ, rc); in smack_sb_statfs()
911 * smack_bprm_creds_for_exec - Update bprm->cred if needed for exec
914 * Returns 0 if it gets a blob, -EPERM if exec forbidden and -ENOMEM otherwise
918 struct inode *inode = file_inode(bprm->file); in smack_bprm_creds_for_exec()
919 struct task_smack *bsp = smack_cred(bprm->cred); in smack_bprm_creds_for_exec()
925 if (isp->smk_task == NULL || isp->smk_task == bsp->smk_task) in smack_bprm_creds_for_exec()
928 sbsp = smack_superblock(inode->i_sb); in smack_bprm_creds_for_exec()
929 if ((sbsp->smk_flags & SMK_SB_UNTRUSTED) && in smack_bprm_creds_for_exec()
930 isp->smk_task != sbsp->smk_root) in smack_bprm_creds_for_exec()
933 if (bprm->unsafe & LSM_UNSAFE_PTRACE) { in smack_bprm_creds_for_exec()
941 isp->smk_task, in smack_bprm_creds_for_exec()
949 if (bprm->unsafe & ~LSM_UNSAFE_PTRACE) in smack_bprm_creds_for_exec()
950 return -EPERM; in smack_bprm_creds_for_exec()
952 bsp->smk_task = isp->smk_task; in smack_bprm_creds_for_exec()
953 bprm->per_clear |= PER_CLEAR_ON_SETID; in smack_bprm_creds_for_exec()
956 if (bsp->smk_task != bsp->smk_forked) in smack_bprm_creds_for_exec()
957 bprm->secureexec = 1; in smack_bprm_creds_for_exec()
967 * smack_inode_alloc_security - allocate an inode blob
981 * smack_inode_init_security - copy out the smack from an inode
983 * @dir: containing directory object
986 * @xattr_count: current number of LSM-provided xattrs (updated)
988 * Returns 0 if it all works out, -ENOMEM if there's no memory
990 static int smack_inode_init_security(struct inode *inode, struct inode *dir, in smack_inode_init_security() argument
997 struct smack_known *dsp = smk_of_inode(dir); in smack_inode_init_security()
1006 if (tsp->smk_task != tsp->smk_transmuted) { in smack_inode_init_security()
1008 may = smk_access_entry(skp->smk_known, dsp->smk_known, in smack_inode_init_security()
1009 &skp->smk_rules); in smack_inode_init_security()
1019 if ((tsp->smk_task == tsp->smk_transmuted) || in smack_inode_init_security()
1021 smk_inode_transmutable(dir))) { in smack_inode_init_security()
1030 if (tsp->smk_task != tsp->smk_transmuted) in smack_inode_init_security()
1035 xattr_transmute->value = kmemdup(TRANS_TRUE, in smack_inode_init_security()
1038 if (!xattr_transmute->value) in smack_inode_init_security()
1039 return -ENOMEM; in smack_inode_init_security()
1041 xattr_transmute->value_len = TRANS_TRUE_SIZE; in smack_inode_init_security()
1042 xattr_transmute->name = XATTR_SMACK_TRANSMUTE; in smack_inode_init_security()
1046 xattr->value = kstrdup(isp->smk_known, GFP_NOFS); in smack_inode_init_security()
1047 if (!xattr->value) in smack_inode_init_security()
1048 return -ENOMEM; in smack_inode_init_security()
1050 xattr->value_len = strlen(isp->smk_known); in smack_inode_init_security()
1051 xattr->name = XATTR_SMACK_SUFFIX; in smack_inode_init_security()
1058 * smack_inode_link - Smack check on link
1060 * @dir: unused
1065 static int smack_inode_link(struct dentry *old_dentry, struct inode *dir, in smack_inode_link() argument
1090 * smack_inode_unlink - Smack check on inode deletion
1091 * @dir: containing directory object
1097 static int smack_inode_unlink(struct inode *dir, struct dentry *dentry) in smack_inode_unlink() argument
1116 smk_ad_setfield_u_fs_inode(&ad, dir); in smack_inode_unlink()
1117 rc = smk_curacc(smk_of_inode(dir), MAY_WRITE, &ad); in smack_inode_unlink()
1118 rc = smk_bu_inode(dir, MAY_WRITE, rc); in smack_inode_unlink()
1124 * smack_inode_rmdir - Smack check on directory deletion
1125 * @dir: containing directory object
1131 static int smack_inode_rmdir(struct inode *dir, struct dentry *dentry) in smack_inode_rmdir() argument
1149 smk_ad_setfield_u_fs_inode(&ad, dir); in smack_inode_rmdir()
1150 rc = smk_curacc(smk_of_inode(dir), MAY_WRITE, &ad); in smack_inode_rmdir()
1151 rc = smk_bu_inode(dir, MAY_WRITE, rc); in smack_inode_rmdir()
1158 * smack_inode_rename - Smack check on rename
1195 * smack_inode_permission - Smack version of permission()
1205 struct superblock_smack *sbsp = smack_superblock(inode->i_sb); in smack_inode_permission()
1217 if (sbsp->smk_flags & SMK_SB_UNTRUSTED) { in smack_inode_permission()
1218 if (smk_of_inode(inode) != sbsp->smk_root) in smack_inode_permission()
1219 return -EACCES; in smack_inode_permission()
1224 return -ECHILD; in smack_inode_permission()
1233 * smack_inode_setattr - Smack check for setting attributes
1247 if (iattr->ia_valid & ATTR_FORCE) in smack_inode_setattr()
1258 * smack_inode_getattr - Smack check for getting attributes
1266 struct inode *inode = d_backing_inode(path->dentry); in smack_inode_getattr()
1277 * smack_inode_setxattr - Smack check for setting xattrs
1315 if (!S_ISDIR(d_backing_inode(dentry)->i_mode) || in smack_inode_setxattr()
1318 rc = -EINVAL; in smack_inode_setxattr()
1323 rc = -EPERM; in smack_inode_setxattr()
1331 rc = -EINVAL; in smack_inode_setxattr()
1346 * smack_inode_post_setxattr - Apply the Smack update approved above
1363 isp->smk_flags |= SMK_INODE_TRANSMUTE; in smack_inode_post_setxattr()
1370 isp->smk_inode = skp; in smack_inode_post_setxattr()
1374 isp->smk_task = skp; in smack_inode_post_setxattr()
1378 isp->smk_mmap = skp; in smack_inode_post_setxattr()
1385 * smack_inode_getxattr - Smack check on getxattr
1405 * smack_inode_removexattr - Smack check on removexattr
1428 rc = -EPERM; in smack_inode_removexattr()
1450 struct super_block *sbp = dentry->d_sb; in smack_inode_removexattr()
1453 isp->smk_inode = sbsp->smk_default; in smack_inode_removexattr()
1455 isp->smk_task = NULL; in smack_inode_removexattr()
1457 isp->smk_mmap = NULL; in smack_inode_removexattr()
1459 isp->smk_flags &= ~SMK_INODE_TRANSMUTE; in smack_inode_removexattr()
1465 * smack_inode_set_acl - Smack check for setting posix acls
1489 * smack_inode_get_acl - Smack check for getting posix acls
1511 * smack_inode_remove_acl - Smack check for getting posix acls
1533 * smack_inode_getsecurity - get smack xattrs
1559 if (ispp->smk_flags & SMK_INODE_TRANSMUTE) in smack_inode_getsecurity()
1567 sbp = ip->i_sb; in smack_inode_getsecurity()
1568 if (sbp->s_magic != SOCKFS_MAGIC) in smack_inode_getsecurity()
1569 return -EOPNOTSUPP; in smack_inode_getsecurity()
1572 if (sock == NULL || sock->sk == NULL) in smack_inode_getsecurity()
1573 return -EOPNOTSUPP; in smack_inode_getsecurity()
1575 ssp = sock->sk->sk_security; in smack_inode_getsecurity()
1578 isp = ssp->smk_in; in smack_inode_getsecurity()
1580 isp = ssp->smk_out; in smack_inode_getsecurity()
1582 return -EOPNOTSUPP; in smack_inode_getsecurity()
1586 label = isp->smk_known; in smack_inode_getsecurity()
1593 return -ENOMEM; in smack_inode_getsecurity()
1601 * smack_inode_listsecurity - list the Smack attributes
1618 * smack_inode_getsecid - Extract inode's security id
1626 *secid = skp->smk_secid; in smack_inode_getsecid()
1645 * smack_file_alloc_security - assign a file security blob
1665 * smack_file_ioctl - Smack check on ioctls
1667 * @cmd: what to do
1674 static int smack_file_ioctl(struct file *file, unsigned int cmd, in smack_file_ioctl() argument
1685 smk_ad_setfield_u_fs_path(&ad, file->f_path); in smack_file_ioctl()
1687 if (_IOC_DIR(cmd) & _IOC_WRITE) { in smack_file_ioctl()
1692 if (rc == 0 && (_IOC_DIR(cmd) & _IOC_READ)) { in smack_file_ioctl()
1701 * smack_file_lock - Smack check on file locking
1703 * @cmd: unused
1707 static int smack_file_lock(struct file *file, unsigned int cmd) in smack_file_lock() argument
1717 smk_ad_setfield_u_fs_path(&ad, file->f_path); in smack_file_lock()
1724 * smack_file_fcntl - Smack check on fcntl
1726 * @cmd: what action to check
1735 static int smack_file_fcntl(struct file *file, unsigned int cmd, in smack_file_fcntl() argument
1745 switch (cmd) { in smack_file_fcntl()
1751 smk_ad_setfield_u_fs_path(&ad, file->f_path); in smack_file_fcntl()
1758 smk_ad_setfield_u_fs_path(&ad, file->f_path); in smack_file_fcntl()
1770 * smack_mmap_file - Check permissions for a mmap operation.
1803 if (isp->smk_mmap == NULL) in smack_mmap_file()
1805 sbsp = smack_superblock(file_inode(file)->i_sb); in smack_mmap_file()
1806 if (sbsp->smk_flags & SMK_SB_UNTRUSTED && in smack_mmap_file()
1807 isp->smk_mmap != sbsp->smk_root) in smack_mmap_file()
1808 return -EACCES; in smack_mmap_file()
1809 mkp = isp->smk_mmap; in smack_mmap_file()
1821 list_for_each_entry_rcu(srp, &skp->smk_rules, list) { in smack_mmap_file()
1822 okp = srp->smk_object; in smack_mmap_file()
1826 if (mkp->smk_known == okp->smk_known) in smack_mmap_file()
1832 may = smk_access_entry(srp->smk_subject->smk_known, in smack_mmap_file()
1833 okp->smk_known, in smack_mmap_file()
1834 &tsp->smk_rules); in smack_mmap_file()
1835 if (may == -ENOENT) in smack_mmap_file()
1836 may = srp->smk_access; in smack_mmap_file()
1838 may &= srp->smk_access; in smack_mmap_file()
1851 mmay = smk_access_entry(mkp->smk_known, okp->smk_known, in smack_mmap_file()
1852 &mkp->smk_rules); in smack_mmap_file()
1853 if (mmay == -ENOENT) { in smack_mmap_file()
1854 rc = -EACCES; in smack_mmap_file()
1861 tmay = smk_access_entry(mkp->smk_known, okp->smk_known, in smack_mmap_file()
1862 &tsp->smk_rules); in smack_mmap_file()
1863 if (tmay != -ENOENT) in smack_mmap_file()
1872 rc = -EACCES; in smack_mmap_file()
1883 * smack_file_set_fowner - set the file security blob value
1895 * smack_file_send_sigiotask - Smack on sigio
1910 struct smack_known *tkp = smk_of_task(smack_cred(tsk->cred)); in smack_file_send_sigiotask()
1935 smack_log(skp->smk_known, tkp->smk_known, MAY_DELIVER, rc, &ad); in smack_file_send_sigiotask()
1940 * smack_file_receive - Smack file receive check
1959 smk_ad_setfield_u_fs_path(&ad, file->f_path); in smack_file_receive()
1961 if (inode->i_sb->s_magic == SOCKFS_MAGIC) { in smack_file_receive()
1963 ssp = sock->sk->sk_security; in smack_file_receive()
1971 rc = smk_access(tsp->smk_task, ssp->smk_out, MAY_WRITE, &ad); in smack_file_receive()
1975 rc = smk_access(ssp->smk_in, tsp->smk_task, MAY_WRITE, &ad); in smack_file_receive()
1982 if (file->f_mode & FMODE_READ) in smack_file_receive()
1984 if (file->f_mode & FMODE_WRITE) in smack_file_receive()
1993 * smack_file_open - Smack dentry open processing
1999 * fd even if you have the file open write-only.
2005 struct task_smack *tsp = smack_cred(file->f_cred); in smack_file_open()
2011 smk_ad_setfield_u_fs_path(&ad, file->f_path); in smack_file_open()
2013 rc = smk_bu_credfile(file->f_cred, file, MAY_READ, rc); in smack_file_open()
2023 * smack_cred_alloc_blank - "allocate" blank task-level security credentials
2039 * smack_cred_free - "free" task-level security credentials
2050 smk_destroy_label_list(&tsp->smk_relabel); in smack_cred_free()
2052 list_for_each_safe(l, n, &tsp->smk_rules) { in smack_cred_free()
2054 list_del(&rp->list); in smack_cred_free()
2060 * smack_cred_prepare - prepare new set of credentials for modification
2074 init_task_smack(new_tsp, old_tsp->smk_task, old_tsp->smk_task); in smack_cred_prepare()
2076 rc = smk_copy_rules(&new_tsp->smk_rules, &old_tsp->smk_rules, gfp); in smack_cred_prepare()
2080 rc = smk_copy_relabel(&new_tsp->smk_relabel, &old_tsp->smk_relabel, in smack_cred_prepare()
2086 * smack_cred_transfer - Transfer the old credentials to the new credentials
2097 new_tsp->smk_task = old_tsp->smk_task; in smack_cred_transfer()
2098 new_tsp->smk_forked = old_tsp->smk_task; in smack_cred_transfer()
2099 mutex_init(&new_tsp->smk_rules_lock); in smack_cred_transfer()
2100 INIT_LIST_HEAD(&new_tsp->smk_rules); in smack_cred_transfer()
2106 * smack_cred_getsecid - get the secid corresponding to a creds structure
2118 *secid = skp->smk_secid; in smack_cred_getsecid()
2123 * smack_kernel_act_as - Set the subjective context in a set of credentials
2133 new_tsp->smk_task = smack_from_secid(secid); in smack_kernel_act_as()
2138 * smack_kernel_create_files_as - Set the file creation label in a set of creds
2151 tsp->smk_forked = isp->smk_inode; in smack_kernel_create_files_as()
2152 tsp->smk_task = tsp->smk_forked; in smack_kernel_create_files_as()
2157 * smk_curacc_on_task - helper to log task related access
2179 * smack_task_setpgid - Smack check on setting pgid
2191 * smack_task_getpgid - Smack access check for getpgid
2202 * smack_task_getsid - Smack access check for getsid
2213 * smack_current_getsecid_subj - get the subjective secid of the current task
2222 *secid = skp->smk_secid; in smack_current_getsecid_subj()
2226 * smack_task_getsecid_obj - get the objective secid of the task
2236 *secid = skp->smk_secid; in smack_task_getsecid_obj()
2240 * smack_task_setnice - Smack check on setting nice
2252 * smack_task_setioprio - Smack check on setting ioprio
2264 * smack_task_getioprio - Smack check on reading ioprio
2275 * smack_task_setscheduler - Smack check on setting scheduler
2286 * smack_task_getscheduler - Smack check on reading scheduler
2297 * smack_task_movememory - Smack check on moving memory
2308 * smack_task_kill - Smack check on signal delivery
2311 * @sig: unused
2318 int sig, const struct cred *cred) in smack_task_kill() argument
2325 if (!sig) in smack_task_kill()
2351 * smack_task_to_inode - copy task smack into the inode blob
2362 isp->smk_inode = skp; in smack_task_to_inode()
2363 isp->smk_flags |= SMK_INODE_INSTANT; in smack_task_to_inode()
2371 * smack_sk_alloc_security - Allocate a socket blob
2378 * Returns 0 on success, -ENOMEM is there's no memory
2387 return -ENOMEM; in smack_sk_alloc_security()
2392 if (unlikely(current->flags & PF_KTHREAD)) { in smack_sk_alloc_security()
2393 ssp->smk_in = &smack_known_web; in smack_sk_alloc_security()
2394 ssp->smk_out = &smack_known_web; in smack_sk_alloc_security()
2396 ssp->smk_in = skp; in smack_sk_alloc_security()
2397 ssp->smk_out = skp; in smack_sk_alloc_security()
2399 ssp->smk_packet = NULL; in smack_sk_alloc_security()
2401 sk->sk_security = ssp; in smack_sk_alloc_security()
2407 * smack_sk_free_security - Free a socket blob
2417 if (sk->sk_family == PF_INET6) { in smack_sk_free_security()
2420 if (spp->smk_sock != sk) in smack_sk_free_security()
2422 spp->smk_can_reuse = 1; in smack_sk_free_security()
2428 kfree(sk->sk_security); in smack_sk_free_security()
2432 * smack_sk_clone_security - Copy security context
2440 struct socket_smack *ssp_old = sk->sk_security; in smack_sk_clone_security()
2441 struct socket_smack *ssp_new = newsk->sk_security; in smack_sk_clone_security()
2447 * smack_ipv4host_label - check host based restrictions
2461 struct in_addr *siap = &sip->sin_addr; in smack_ipv4host_label()
2463 if (siap->s_addr == 0) in smack_ipv4host_label()
2472 if (snp->smk_host.s_addr == in smack_ipv4host_label()
2473 (siap->s_addr & snp->smk_mask.s_addr)) in smack_ipv4host_label()
2474 return snp->smk_label; in smack_ipv4host_label()
2480 * smk_ipv6_localhost - Check for local ipv6 host address
2487 __be16 *be16p = (__be16 *)&sip->sin6_addr; in smk_ipv6_localhost()
2488 __be32 *be32p = (__be32 *)&sip->sin6_addr; in smk_ipv6_localhost()
2497 * smack_ipv6host_label - check host based restrictions
2511 struct in6_addr *sap = &sip->sin6_addr; in smack_ipv6host_label()
2526 if (snp->smk_label == NULL) in smack_ipv6host_label()
2534 if ((sap->s6_addr16[i] & snp->smk_mask.s6_addr16[i]) != in smack_ipv6host_label()
2535 snp->smk_host.s6_addr16[i]) { in smack_ipv6host_label()
2541 return snp->smk_label; in smack_ipv6host_label()
2548 * smack_netlbl_add - Set the secattr on a socket
2557 struct socket_smack *ssp = sk->sk_security; in smack_netlbl_add()
2558 struct smack_known *skp = ssp->smk_out; in smack_netlbl_add()
2564 rc = netlbl_sock_setattr(sk, sk->sk_family, &skp->smk_netlabel); in smack_netlbl_add()
2567 ssp->smk_state = SMK_NETLBL_LABELED; in smack_netlbl_add()
2569 case -EDESTADDRREQ: in smack_netlbl_add()
2570 ssp->smk_state = SMK_NETLBL_REQSKB; in smack_netlbl_add()
2582 * smack_netlbl_delete - Remove the secattr from a socket
2589 struct socket_smack *ssp = sk->sk_security; in smack_netlbl_delete()
2594 if (ssp->smk_state != SMK_NETLBL_LABELED) in smack_netlbl_delete()
2602 ssp->smk_state = SMK_NETLBL_UNLABELED; in smack_netlbl_delete()
2606 * smk_ipv4_check - Perform IPv4 host access checks
2621 struct socket_smack *ssp = sk->sk_security; in smk_ipv4_check()
2631 ad.a.u.net->family = sap->sin_family; in smk_ipv4_check()
2632 ad.a.u.net->dport = sap->sin_port; in smk_ipv4_check()
2633 ad.a.u.net->v4info.daddr = sap->sin_addr.s_addr; in smk_ipv4_check()
2635 skp = ssp->smk_out; in smk_ipv4_check()
2650 * smk_ipv6_check - check Smack access
2670 ad.a.u.net->family = PF_INET6; in smk_ipv6_check()
2671 ad.a.u.net->dport = address->sin6_port; in smk_ipv6_check()
2673 ad.a.u.net->v6info.saddr = address->sin6_addr; in smk_ipv6_check()
2675 ad.a.u.net->v6info.daddr = address->sin6_addr; in smk_ipv6_check()
2684 * smk_ipv6_port_label - Smack port access table management
2692 struct sock *sk = sock->sk; in smk_ipv6_port_label()
2694 struct socket_smack *ssp = sock->sk->sk_security; in smk_ipv6_port_label()
2706 if (sk != spp->smk_sock) in smk_ipv6_port_label()
2708 spp->smk_in = ssp->smk_in; in smk_ipv6_port_label()
2709 spp->smk_out = ssp->smk_out; in smk_ipv6_port_label()
2722 port = ntohs(addr6->sin6_port); in smk_ipv6_port_label()
2735 if (spp->smk_port != port || spp->smk_sock_type != sock->type) in smk_ipv6_port_label()
2737 if (spp->smk_can_reuse != 1) { in smk_ipv6_port_label()
2741 spp->smk_port = port; in smk_ipv6_port_label()
2742 spp->smk_sock = sk; in smk_ipv6_port_label()
2743 spp->smk_in = ssp->smk_in; in smk_ipv6_port_label()
2744 spp->smk_out = ssp->smk_out; in smk_ipv6_port_label()
2745 spp->smk_can_reuse = 0; in smk_ipv6_port_label()
2757 spp->smk_port = port; in smk_ipv6_port_label()
2758 spp->smk_sock = sk; in smk_ipv6_port_label()
2759 spp->smk_in = ssp->smk_in; in smk_ipv6_port_label()
2760 spp->smk_out = ssp->smk_out; in smk_ipv6_port_label()
2761 spp->smk_sock_type = sock->type; in smk_ipv6_port_label()
2762 spp->smk_can_reuse = 0; in smk_ipv6_port_label()
2765 list_add_rcu(&spp->list, &smk_ipv6_port_list); in smk_ipv6_port_label()
2771 * smk_ipv6_port_check - check Smack port access
2782 struct socket_smack *ssp = sk->sk_security; in smk_ipv6_port_check()
2789 object = ssp->smk_in; in smk_ipv6_port_check()
2791 skp = ssp->smk_out; in smk_ipv6_port_check()
2817 port = ntohs(address->sin6_port); in smk_ipv6_port_check()
2820 if (spp->smk_port != port || spp->smk_sock_type != sk->sk_type) in smk_ipv6_port_check()
2822 object = spp->smk_in; in smk_ipv6_port_check()
2824 ssp->smk_packet = spp->smk_out; in smk_ipv6_port_check()
2834 * smack_inode_setsecurity - set smack xattrs
2855 return -EINVAL; in smack_inode_setsecurity()
2858 if (!S_ISDIR(inode->i_mode) || size != TRANS_TRUE_SIZE || in smack_inode_setsecurity()
2860 return -EINVAL; in smack_inode_setsecurity()
2862 nsp->smk_flags |= SMK_INODE_TRANSMUTE; in smack_inode_setsecurity()
2871 nsp->smk_inode = skp; in smack_inode_setsecurity()
2872 nsp->smk_flags |= SMK_INODE_INSTANT; in smack_inode_setsecurity()
2878 if (inode->i_sb->s_magic != SOCKFS_MAGIC) in smack_inode_setsecurity()
2879 return -EOPNOTSUPP; in smack_inode_setsecurity()
2882 if (sock == NULL || sock->sk == NULL) in smack_inode_setsecurity()
2883 return -EOPNOTSUPP; in smack_inode_setsecurity()
2885 ssp = sock->sk->sk_security; in smack_inode_setsecurity()
2888 ssp->smk_in = skp; in smack_inode_setsecurity()
2890 ssp->smk_out = skp; in smack_inode_setsecurity()
2891 if (sock->sk->sk_family == PF_INET) { in smack_inode_setsecurity()
2892 rc = smack_netlbl_add(sock->sk); in smack_inode_setsecurity()
2896 __func__, -rc); in smack_inode_setsecurity()
2899 return -EOPNOTSUPP; in smack_inode_setsecurity()
2902 if (sock->sk->sk_family == PF_INET6) in smack_inode_setsecurity()
2910 * smack_socket_post_create - finish socket setup
2926 if (sock->sk == NULL) in smack_socket_post_create()
2932 if (unlikely(current->flags & PF_KTHREAD)) { in smack_socket_post_create()
2933 ssp = sock->sk->sk_security; in smack_socket_post_create()
2934 ssp->smk_in = &smack_known_web; in smack_socket_post_create()
2935 ssp->smk_out = &smack_known_web; in smack_socket_post_create()
2943 return smack_netlbl_add(sock->sk); in smack_socket_post_create()
2947 * smack_socket_socketpair - create socket pair
2958 struct socket_smack *asp = socka->sk->sk_security; in smack_socket_socketpair()
2959 struct socket_smack *bsp = sockb->sk->sk_security; in smack_socket_socketpair()
2961 asp->smk_packet = bsp->smk_out; in smack_socket_socketpair()
2962 bsp->smk_packet = asp->smk_out; in smack_socket_socketpair()
2969 * smack_socket_bind - record port binding information.
2981 if (sock->sk != NULL && sock->sk->sk_family == PF_INET6) { in smack_socket_bind()
2983 address->sa_family != AF_INET6) in smack_socket_bind()
2984 return -EINVAL; in smack_socket_bind()
2992 * smack_socket_connect - connect access check
3006 if (sock->sk == NULL) in smack_socket_connect()
3008 if (sock->sk->sk_family != PF_INET && in smack_socket_connect()
3009 (!IS_ENABLED(CONFIG_IPV6) || sock->sk->sk_family != PF_INET6)) in smack_socket_connect()
3013 if (IS_ENABLED(CONFIG_IPV6) && sap->sa_family == AF_INET6) { in smack_socket_connect()
3022 struct socket_smack *ssp = sock->sk->sk_security; in smack_socket_connect()
3024 rc = smk_ipv6_check(ssp->smk_out, rsp, sip, in smack_socket_connect()
3028 rc = smk_ipv6_port_check(sock->sk, sip, SMK_CONNECTING); in smack_socket_connect()
3033 if (sap->sa_family != AF_INET || addrlen < sizeof(struct sockaddr_in)) in smack_socket_connect()
3035 rc = smk_ipv4_check(sock->sk, (struct sockaddr_in *)sap); in smack_socket_connect()
3040 * smack_flags_to_may - convert S_ to MAY_ values
3060 * smack_msg_msg_alloc_security - Set the security blob for msg_msg
3074 * smack_of_ipc - the smack pointer for the ipc
3087 * smack_ipc_alloc_security - Set the security blob for ipc
3115 ad.a.u.ipc_id = isp->id; in smk_curacc_shm()
3123 * smack_shm_associate - Smack access check for shm
3138 * smack_shm_shmctl - Smack access check for shm
3140 * @cmd: what it wants to do
3144 static int smack_shm_shmctl(struct kern_ipc_perm *isp, int cmd) in smack_shm_shmctl() argument
3148 switch (cmd) { in smack_shm_shmctl()
3167 return -EINVAL; in smack_shm_shmctl()
3173 * smack_shm_shmat - Smack access for shmat
3204 ad.a.u.ipc_id = isp->id; in smk_curacc_sem()
3212 * smack_sem_associate - Smack access check for sem
3227 * smack_sem_semctl - Smack access check for sem
3229 * @cmd: what it wants to do
3233 static int smack_sem_semctl(struct kern_ipc_perm *isp, int cmd) in smack_sem_semctl() argument
3237 switch (cmd) { in smack_sem_semctl()
3261 return -EINVAL; in smack_sem_semctl()
3268 * smack_sem_semop - Smack checks of semaphore operations
3299 ad.a.u.ipc_id = isp->id; in smk_curacc_msq()
3307 * smack_msg_queue_associate - Smack access check for msg_queue
3322 * smack_msg_queue_msgctl - Smack access check for msg_queue
3324 * @cmd: what it wants to do
3328 static int smack_msg_queue_msgctl(struct kern_ipc_perm *isp, int cmd) in smack_msg_queue_msgctl() argument
3332 switch (cmd) { in smack_msg_queue_msgctl()
3349 return -EINVAL; in smack_msg_queue_msgctl()
3356 * smack_msg_queue_msgsnd - Smack access check for msg_queue
3373 * smack_msg_queue_msgrcv - Smack access check for msg_queue
3391 * smack_ipc_permission - Smack access for ipc_permission()
3407 ad.a.u.ipc_id = ipp->id; in smack_ipc_permission()
3415 * smack_ipc_getsecid - Extract smack security id
3424 *secid = iskp->smk_secid; in smack_ipc_getsecid()
3428 * smack_d_instantiate - Make sure the blob is correct on an inode
3456 if (isp->smk_flags & SMK_INODE_INSTANT) in smack_d_instantiate()
3459 sbp = inode->i_sb; in smack_d_instantiate()
3465 final = sbsp->smk_default; in smack_d_instantiate()
3473 if (opt_dentry->d_parent == opt_dentry) { in smack_d_instantiate()
3474 switch (sbp->s_magic) { in smack_d_instantiate()
3482 sbsp->smk_root = &smack_known_star; in smack_d_instantiate()
3483 sbsp->smk_default = &smack_known_star; in smack_d_instantiate()
3484 isp->smk_inode = sbsp->smk_root; in smack_d_instantiate()
3491 isp->smk_inode = smk_of_current(); in smack_d_instantiate()
3494 isp->smk_inode = smk_of_current(); in smack_d_instantiate()
3501 isp->smk_inode = &smack_known_star; in smack_d_instantiate()
3504 isp->smk_inode = sbsp->smk_root; in smack_d_instantiate()
3507 isp->smk_flags |= SMK_INODE_INSTANT; in smack_d_instantiate()
3517 switch (sbp->s_magic) { in smack_d_instantiate()
3567 if (S_ISSOCK(inode->i_mode)) { in smack_d_instantiate()
3577 if (!(inode->i_opflags & IOP_XATTR)) in smack_d_instantiate()
3590 if (S_ISDIR(inode->i_mode)) { in smack_d_instantiate()
3605 rc = -EINVAL; in smack_d_instantiate()
3616 isp->smk_task = skp; in smack_d_instantiate()
3622 isp->smk_mmap = skp; in smack_d_instantiate()
3629 isp->smk_inode = ckp; in smack_d_instantiate()
3631 isp->smk_inode = final; in smack_d_instantiate()
3633 isp->smk_flags |= (SMK_INODE_INSTANT | transflag); in smack_d_instantiate()
3639 * smack_getprocattr - Smack process attribute access
3655 return -EINVAL; in smack_getprocattr()
3657 cp = kstrdup(skp->smk_known, GFP_KERNEL); in smack_getprocattr()
3659 return -ENOMEM; in smack_getprocattr()
3667 * smack_setprocattr - Smack process attribute setting
3685 if (!smack_privileged(CAP_MAC_ADMIN) && list_empty(&tsp->smk_relabel)) in smack_setprocattr()
3686 return -EPERM; in smack_setprocattr()
3689 return -EINVAL; in smack_setprocattr()
3692 return -EINVAL; in smack_setprocattr()
3703 return -EINVAL; in smack_setprocattr()
3706 rc = -EPERM; in smack_setprocattr()
3707 list_for_each_entry(sklep, &tsp->smk_relabel, list) in smack_setprocattr()
3708 if (sklep->smk_label == skp) { in smack_setprocattr()
3718 return -ENOMEM; in smack_setprocattr()
3721 tsp->smk_task = skp; in smack_setprocattr()
3725 smk_destroy_label_list(&tsp->smk_relabel); in smack_setprocattr()
3732 * smack_unix_stream_connect - Smack access on UDS
3745 struct socket_smack *ssp = sock->sk_security; in smack_unix_stream_connect()
3746 struct socket_smack *osp = other->sk_security; in smack_unix_stream_connect()
3747 struct socket_smack *nsp = newsk->sk_security; in smack_unix_stream_connect()
3755 skp = ssp->smk_out; in smack_unix_stream_connect()
3756 okp = osp->smk_in; in smack_unix_stream_connect()
3764 okp = osp->smk_out; in smack_unix_stream_connect()
3765 skp = ssp->smk_in; in smack_unix_stream_connect()
3776 nsp->smk_packet = ssp->smk_out; in smack_unix_stream_connect()
3777 ssp->smk_packet = osp->smk_out; in smack_unix_stream_connect()
3782 nsp->smk_out = osp->smk_out; in smack_unix_stream_connect()
3783 nsp->smk_in = osp->smk_in; in smack_unix_stream_connect()
3790 * smack_unix_may_send - Smack access on UDS
3799 struct socket_smack *ssp = sock->sk->sk_security; in smack_unix_may_send()
3800 struct socket_smack *osp = other->sk->sk_security; in smack_unix_may_send()
3808 smk_ad_setfield_u_net_sk(&ad, other->sk); in smack_unix_may_send()
3814 rc = smk_access(ssp->smk_out, osp->smk_in, MAY_WRITE, &ad); in smack_unix_may_send()
3815 rc = smk_bu_note("UDS send", ssp->smk_out, osp->smk_in, MAY_WRITE, rc); in smack_unix_may_send()
3820 * smack_socket_sendmsg - Smack check based on destination host
3832 struct sockaddr_in *sip = (struct sockaddr_in *) msg->msg_name; in smack_socket_sendmsg()
3834 struct sockaddr_in6 *sap = (struct sockaddr_in6 *) msg->msg_name; in smack_socket_sendmsg()
3837 struct socket_smack *ssp = sock->sk->sk_security; in smack_socket_sendmsg()
3848 switch (sock->sk->sk_family) { in smack_socket_sendmsg()
3850 if (msg->msg_namelen < sizeof(struct sockaddr_in) || in smack_socket_sendmsg()
3851 sip->sin_family != AF_INET) in smack_socket_sendmsg()
3852 return -EINVAL; in smack_socket_sendmsg()
3853 rc = smk_ipv4_check(sock->sk, sip); in smack_socket_sendmsg()
3857 if (msg->msg_namelen < SIN6_LEN_RFC2133 || in smack_socket_sendmsg()
3858 sap->sin6_family != AF_INET6) in smack_socket_sendmsg()
3859 return -EINVAL; in smack_socket_sendmsg()
3863 rc = smk_ipv6_check(ssp->smk_out, rsp, sap, in smack_socket_sendmsg()
3867 rc = smk_ipv6_port_check(sock->sk, sap, SMK_SENDING); in smack_socket_sendmsg()
3876 * smack_from_secattr - Convert a netlabel attr.mls.lvl/attr.mls.cat pair to smack
3893 if ((sap->flags & NETLBL_SECATTR_CACHE) != 0) in smack_from_secattr()
3894 return (struct smack_known *)sap->cache->data; in smack_from_secattr()
3896 if ((sap->flags & NETLBL_SECATTR_SECID) != 0) in smack_from_secattr()
3900 return smack_from_secid(sap->attr.secid); in smack_from_secattr()
3902 if ((sap->flags & NETLBL_SECATTR_MLS_LVL) != 0) { in smack_from_secattr()
3915 if (sap->attr.mls.lvl != skp->smk_netlabel.attr.mls.lvl) in smack_from_secattr()
3920 if ((sap->flags & NETLBL_SECATTR_MLS_CAT) == 0) { in smack_from_secattr()
3921 if ((skp->smk_netlabel.flags & in smack_from_secattr()
3926 for (acat = -1, kcat = -1; acat == kcat; ) { in smack_from_secattr()
3927 acat = netlbl_catmap_walk(sap->attr.mls.cat, in smack_from_secattr()
3930 skp->smk_netlabel.attr.mls.cat, in smack_from_secattr()
3945 if (ssp != NULL && ssp->smk_in == &smack_known_star) in smack_from_secattr()
3962 int proto = -EINVAL; in smk_skb_to_addr_ipv6()
3970 sip->sin6_port = 0; in smk_skb_to_addr_ipv6()
3975 return -EINVAL; in smk_skb_to_addr_ipv6()
3976 sip->sin6_addr = ip6->saddr; in smk_skb_to_addr_ipv6()
3978 nexthdr = ip6->nexthdr; in smk_skb_to_addr_ipv6()
3982 return -EINVAL; in smk_skb_to_addr_ipv6()
3989 sip->sin6_port = th->source; in smk_skb_to_addr_ipv6()
3995 sip->sin6_port = uh->source; in smk_skb_to_addr_ipv6()
4000 sip->sin6_port = dh->dccph_sport; in smk_skb_to_addr_ipv6()
4008 * smack_from_skb - Smack data from the secmark in an skb
4016 if (skb == NULL || skb->secmark == 0) in smack_from_skb()
4019 return smack_from_secid(skb->secmark); in smack_from_skb()
4029 * smack_from_netlbl - Smack data from the IP options in an skb
4049 ssp = sk->sk_security; in smack_from_netlbl()
4054 netlbl_cache_add(skb, family, &skp->smk_netlabel); in smack_from_netlbl()
4063 * smack_socket_sock_rcv_skb - Smack packet delivery access check
4071 struct socket_smack *ssp = sk->sk_security; in smack_socket_sock_rcv_skb()
4075 u16 family = sk->sk_family; in smack_socket_sock_rcv_skb()
4083 if (family == PF_INET6 && skb->protocol == htons(ETH_P_IP)) in smack_socket_sock_rcv_skb()
4103 ad.a.u.net->family = family; in smack_socket_sock_rcv_skb()
4104 ad.a.u.net->netif = skb->skb_iif; in smack_socket_sock_rcv_skb()
4113 rc = smk_access(skp, ssp->smk_in, MAY_WRITE, &ad); in smack_socket_sock_rcv_skb()
4114 rc = smk_bu_note("IPv4 delivery", skp, ssp->smk_in, in smack_socket_sock_rcv_skb()
4136 ad.a.u.net->family = family; in smack_socket_sock_rcv_skb()
4137 ad.a.u.net->netif = skb->skb_iif; in smack_socket_sock_rcv_skb()
4140 rc = smk_access(skp, ssp->smk_in, MAY_WRITE, &ad); in smack_socket_sock_rcv_skb()
4141 rc = smk_bu_note("IPv6 delivery", skp, ssp->smk_in, in smack_socket_sock_rcv_skb()
4158 * smack_socket_getpeersec_stream - pull in packet label
4175 ssp = sock->sk->sk_security; in smack_socket_getpeersec_stream()
4176 if (ssp->smk_packet != NULL) { in smack_socket_getpeersec_stream()
4177 rcp = ssp->smk_packet->smk_known; in smack_socket_getpeersec_stream()
4181 rc = -ERANGE; in smack_socket_getpeersec_stream()
4186 rc = -EFAULT; in smack_socket_getpeersec_stream()
4189 rc = -EFAULT; in smack_socket_getpeersec_stream()
4195 * smack_socket_getpeersec_dgram - pull in packet label
4213 if (skb->protocol == htons(ETH_P_IP)) in smack_socket_getpeersec_dgram()
4216 else if (skb->protocol == htons(ETH_P_IPV6)) in smack_socket_getpeersec_dgram()
4221 family = sock->sk->sk_family; in smack_socket_getpeersec_dgram()
4225 ssp = sock->sk->sk_security; in smack_socket_getpeersec_dgram()
4226 s = ssp->smk_out->smk_secid; in smack_socket_getpeersec_dgram()
4231 s = skp->smk_secid; in smack_socket_getpeersec_dgram()
4238 sk = sock->sk; in smack_socket_getpeersec_dgram()
4241 s = skp->smk_secid; in smack_socket_getpeersec_dgram()
4247 s = skp->smk_secid; in smack_socket_getpeersec_dgram()
4253 return -EINVAL; in smack_socket_getpeersec_dgram()
4258 * smack_sock_graft - Initialize a newly created socket with an existing sock
4271 (sk->sk_family != PF_INET && sk->sk_family != PF_INET6)) in smack_sock_graft()
4274 ssp = sk->sk_security; in smack_sock_graft()
4275 ssp->smk_in = skp; in smack_sock_graft()
4276 ssp->smk_out = skp; in smack_sock_graft()
4277 /* cssp->smk_packet is already set in smack_inet_csk_clone() */ in smack_sock_graft()
4281 * smack_inet_conn_request - Smack access check on connect
4292 u16 family = sk->sk_family; in smack_inet_conn_request()
4294 struct socket_smack *ssp = sk->sk_security; in smack_inet_conn_request()
4311 if (skb->protocol == htons(ETH_P_IP)) in smack_inet_conn_request()
4332 ad.a.u.net->family = family; in smack_inet_conn_request()
4333 ad.a.u.net->netif = skb->skb_iif; in smack_inet_conn_request()
4340 rc = smk_access(skp, ssp->smk_in, MAY_WRITE, &ad); in smack_inet_conn_request()
4341 rc = smk_bu_note("IPv4 connect", skp, ssp->smk_in, MAY_WRITE, rc); in smack_inet_conn_request()
4349 req->peer_secid = skp->smk_secid; in smack_inet_conn_request()
4354 * propagate the wire-label to the sock when it is created. in smack_inet_conn_request()
4357 addr.sin_addr.s_addr = hdr->saddr; in smack_inet_conn_request()
4363 rc = netlbl_req_setattr(req, &ssp->smk_out->smk_netlabel); in smack_inet_conn_request()
4371 * smack_inet_csk_clone - Copy the connection information to the new socket
4380 struct socket_smack *ssp = sk->sk_security; in smack_inet_csk_clone()
4383 if (req->peer_secid != 0) { in smack_inet_csk_clone()
4384 skp = smack_from_secid(req->peer_secid); in smack_inet_csk_clone()
4385 ssp->smk_packet = skp; in smack_inet_csk_clone()
4387 ssp->smk_packet = NULL; in smack_inet_csk_clone()
4400 * smack_key_alloc - Set the key security blob
4414 key->security = skp; in smack_key_alloc()
4419 * smack_key_free - Clear the key security blob
4426 key->security = NULL; in smack_key_free()
4430 * smack_key_permission - Smack access on a key
4469 return -EINVAL; in smack_key_permission()
4474 return -EINVAL; in smack_key_permission()
4479 if (keyp->security == NULL) in smack_key_permission()
4485 return -EACCES; in smack_key_permission()
4492 ad.a.u.key_struct.key = keyp->serial; in smack_key_permission()
4493 ad.a.u.key_struct.key_desc = keyp->description; in smack_key_permission()
4495 rc = smk_access(tkp, keyp->security, request, &ad); in smack_key_permission()
4496 rc = smk_bu_note("key access", tkp, keyp->security, request, rc); in smack_key_permission()
4501 * smack_key_getsecurity - Smack label tagging the key
4505 * Return the length of the string (including terminating NUL) or -ve if
4511 struct smack_known *skp = key->security; in smack_key_getsecurity()
4515 if (key->security == NULL) { in smack_key_getsecurity()
4520 copy = kstrdup(skp->smk_known, GFP_KERNEL); in smack_key_getsecurity()
4522 return -ENOMEM; in smack_key_getsecurity()
4532 * smack_watch_key - Smack access to watch a key for notifications.
4535 * Return 0 if the @watch->cred has permission to read from the key object and
4545 return -EINVAL; in smack_watch_key()
4550 if (key->security == NULL) in smack_watch_key()
4556 return -EACCES; in smack_watch_key()
4563 ad.a.u.key_struct.key = key->serial; in smack_watch_key()
4564 ad.a.u.key_struct.key_desc = key->description; in smack_watch_key()
4566 rc = smk_access(tkp, key->security, MAY_READ, &ad); in smack_watch_key()
4567 rc = smk_bu_note("key watch", tkp, key->security, MAY_READ, rc); in smack_watch_key()
4575 * smack_post_notification - Smack access to post a notification to a queue
4589 if (n->type == WATCH_TYPE_META) in smack_post_notification()
4620 * smack_audit_rule_init - Initialize a smack audit rule
4621 * @field: audit rule fields given from user-space (audit.h)
4638 return -EINVAL; in smack_audit_rule_init()
4641 return -EINVAL; in smack_audit_rule_init()
4647 *rule = skp->smk_known; in smack_audit_rule_init()
4653 * smack_audit_rule_known - Distinguish Smack audit rules
4665 for (i = 0; i < krule->field_count; i++) { in smack_audit_rule_known()
4666 f = &krule->fields[i]; in smack_audit_rule_known()
4668 if (f->type == AUDIT_SUBJ_USER || f->type == AUDIT_OBJ_USER) in smack_audit_rule_known()
4676 * smack_audit_rule_match - Audit given object ?
4678 * @field: audit rule flags given from user-space
4692 return -ENOENT; in smack_audit_rule_match()
4706 return (rule == skp->smk_known); in smack_audit_rule_match()
4708 return (rule != skp->smk_known); in smack_audit_rule_match()
4721 * smack_ismaclabel - check if xattr @name references a smack MAC label
4731 * smack_secid_to_secctx - return the smack label for a secid
4743 *secdata = skp->smk_known; in smack_secid_to_secctx()
4744 *seclen = strlen(skp->smk_known); in smack_secid_to_secctx()
4749 * smack_secctx_to_secid - return the secid for a smack label
4761 *secid = skp->smk_secid; in smack_secctx_to_secid()
4789 *ctx = skp->smk_known; in smack_inode_getsecctx()
4790 *ctxlen = strlen(skp->smk_known); in smack_inode_getsecctx()
4805 return -ENOMEM; in smack_inode_copy_up()
4814 skp = isp->smk_inode; in smack_inode_copy_up()
4815 tsp->smk_task = skp; in smack_inode_copy_up()
4828 return -EOPNOTSUPP; in smack_inode_copy_up_xattr()
4845 ntsp->smk_task = otsp->smk_task; in smack_dentry_create_files_as()
4850 isp = smack_inode(d_inode(dentry->d_parent)); in smack_dentry_create_files_as()
4852 if (isp->smk_flags & SMK_INODE_TRANSMUTE) { in smack_dentry_create_files_as()
4854 may = smk_access_entry(otsp->smk_task->smk_known, in smack_dentry_create_files_as()
4855 isp->smk_inode->smk_known, in smack_dentry_create_files_as()
4856 &otsp->smk_task->smk_rules); in smack_dentry_create_files_as()
4865 ntsp->smk_task = isp->smk_inode; in smack_dentry_create_files_as()
4866 ntsp->smk_transmuted = ntsp->smk_task; in smack_dentry_create_files_as()
4874 * smack_uring_override_creds - Is io_uring cred override allowed?
4889 if (tsp->smk_task == nsp->smk_task) in smack_uring_override_creds()
4895 return -EPERM; in smack_uring_override_creds()
4899 * smack_uring_sqpoll - check if a io_uring polling thread can be created
4909 return -EPERM; in smack_uring_sqpoll()
4913 * smack_uring_cmd - check on file operations for io_uring
4922 struct file *file = ioucmd->file; in smack_uring_cmd()
4929 return -EINVAL; in smack_uring_cmd()
4931 tsp = smack_cred(file->f_cred); in smack_uring_cmd()
4935 smk_ad_setfield_u_fs_path(&ad, file->f_path); in smack_uring_cmd()
4937 rc = smk_bu_credfile(file->f_cred, file, MAY_READ, rc); in smack_uring_cmd()
5140 * smack_init - initialize the smack system
5142 * Returns 0 on success, -ENOMEM is there's no memory
5146 struct cred *cred = (struct cred *) current->cred; in smack_init()
5151 return -ENOMEM; in smack_init()