1 /* 2 * Simplified MAC Kernel (smack) security module 3 * 4 * This file contains the smack hook function implementations. 5 * 6 * Authors: 7 * Casey Schaufler <casey@schaufler-ca.com> 8 * Jarkko Sakkinen <jarkko.sakkinen@intel.com> 9 * 10 * Copyright (C) 2007 Casey Schaufler <casey@schaufler-ca.com> 11 * Copyright (C) 2009 Hewlett-Packard Development Company, L.P. 12 * Paul Moore <paul@paul-moore.com> 13 * Copyright (C) 2010 Nokia Corporation 14 * Copyright (C) 2011 Intel Corporation. 15 * 16 * This program is free software; you can redistribute it and/or modify 17 * it under the terms of the GNU General Public License version 2, 18 * as published by the Free Software Foundation. 19 */ 20 21 #include <linux/xattr.h> 22 #include <linux/pagemap.h> 23 #include <linux/mount.h> 24 #include <linux/stat.h> 25 #include <linux/kd.h> 26 #include <asm/ioctls.h> 27 #include <linux/ip.h> 28 #include <linux/tcp.h> 29 #include <linux/udp.h> 30 #include <linux/dccp.h> 31 #include <linux/icmpv6.h> 32 #include <linux/slab.h> 33 #include <linux/mutex.h> 34 #include <linux/pipe_fs_i.h> 35 #include <net/cipso_ipv4.h> 36 #include <net/ip.h> 37 #include <net/ipv6.h> 38 #include <linux/audit.h> 39 #include <linux/magic.h> 40 #include <linux/dcache.h> 41 #include <linux/personality.h> 42 #include <linux/msg.h> 43 #include <linux/shm.h> 44 #include <linux/binfmts.h> 45 #include <linux/parser.h> 46 #include "smack.h" 47 48 #define TRANS_TRUE "TRUE" 49 #define TRANS_TRUE_SIZE 4 50 51 #define SMK_CONNECTING 0 52 #define SMK_RECEIVING 1 53 #define SMK_SENDING 2 54 55 #ifdef SMACK_IPV6_PORT_LABELING 56 DEFINE_MUTEX(smack_ipv6_lock); 57 static LIST_HEAD(smk_ipv6_port_list); 58 #endif 59 static struct kmem_cache *smack_inode_cache; 60 int smack_enabled; 61 62 static const match_table_t smk_mount_tokens = { 63 {Opt_fsdefault, SMK_FSDEFAULT "%s"}, 64 {Opt_fsfloor, SMK_FSFLOOR "%s"}, 65 {Opt_fshat, SMK_FSHAT "%s"}, 66 {Opt_fsroot, SMK_FSROOT "%s"}, 67 {Opt_fstransmute, SMK_FSTRANS "%s"}, 68 {Opt_error, NULL}, 69 }; 70 71 #ifdef CONFIG_SECURITY_SMACK_BRINGUP 72 static char *smk_bu_mess[] = { 73 "Bringup Error", /* Unused */ 74 "Bringup", /* SMACK_BRINGUP_ALLOW */ 75 "Unconfined Subject", /* SMACK_UNCONFINED_SUBJECT */ 76 "Unconfined Object", /* SMACK_UNCONFINED_OBJECT */ 77 }; 78 79 static void smk_bu_mode(int mode, char *s) 80 { 81 int i = 0; 82 83 if (mode & MAY_READ) 84 s[i++] = 'r'; 85 if (mode & MAY_WRITE) 86 s[i++] = 'w'; 87 if (mode & MAY_EXEC) 88 s[i++] = 'x'; 89 if (mode & MAY_APPEND) 90 s[i++] = 'a'; 91 if (mode & MAY_TRANSMUTE) 92 s[i++] = 't'; 93 if (mode & MAY_LOCK) 94 s[i++] = 'l'; 95 if (i == 0) 96 s[i++] = '-'; 97 s[i] = '\0'; 98 } 99 #endif 100 101 #ifdef CONFIG_SECURITY_SMACK_BRINGUP 102 static int smk_bu_note(char *note, struct smack_known *sskp, 103 struct smack_known *oskp, int mode, int rc) 104 { 105 char acc[SMK_NUM_ACCESS_TYPE + 1]; 106 107 if (rc <= 0) 108 return rc; 109 if (rc > SMACK_UNCONFINED_OBJECT) 110 rc = 0; 111 112 smk_bu_mode(mode, acc); 113 pr_info("Smack %s: (%s %s %s) %s\n", smk_bu_mess[rc], 114 sskp->smk_known, oskp->smk_known, acc, note); 115 return 0; 116 } 117 #else 118 #define smk_bu_note(note, sskp, oskp, mode, RC) (RC) 119 #endif 120 121 #ifdef CONFIG_SECURITY_SMACK_BRINGUP 122 static int smk_bu_current(char *note, struct smack_known *oskp, 123 int mode, int rc) 124 { 125 struct task_smack *tsp = current_security(); 126 char acc[SMK_NUM_ACCESS_TYPE + 1]; 127 128 if (rc <= 0) 129 return rc; 130 if (rc > SMACK_UNCONFINED_OBJECT) 131 rc = 0; 132 133 smk_bu_mode(mode, acc); 134 pr_info("Smack %s: (%s %s %s) %s %s\n", smk_bu_mess[rc], 135 tsp->smk_task->smk_known, oskp->smk_known, 136 acc, current->comm, note); 137 return 0; 138 } 139 #else 140 #define smk_bu_current(note, oskp, mode, RC) (RC) 141 #endif 142 143 #ifdef CONFIG_SECURITY_SMACK_BRINGUP 144 static int smk_bu_task(struct task_struct *otp, int mode, int rc) 145 { 146 struct task_smack *tsp = current_security(); 147 struct smack_known *smk_task = smk_of_task_struct(otp); 148 char acc[SMK_NUM_ACCESS_TYPE + 1]; 149 150 if (rc <= 0) 151 return rc; 152 if (rc > SMACK_UNCONFINED_OBJECT) 153 rc = 0; 154 155 smk_bu_mode(mode, acc); 156 pr_info("Smack %s: (%s %s %s) %s to %s\n", smk_bu_mess[rc], 157 tsp->smk_task->smk_known, smk_task->smk_known, acc, 158 current->comm, otp->comm); 159 return 0; 160 } 161 #else 162 #define smk_bu_task(otp, mode, RC) (RC) 163 #endif 164 165 #ifdef CONFIG_SECURITY_SMACK_BRINGUP 166 static int smk_bu_inode(struct inode *inode, int mode, int rc) 167 { 168 struct task_smack *tsp = current_security(); 169 struct inode_smack *isp = inode->i_security; 170 char acc[SMK_NUM_ACCESS_TYPE + 1]; 171 172 if (isp->smk_flags & SMK_INODE_IMPURE) 173 pr_info("Smack Unconfined Corruption: inode=(%s %ld) %s\n", 174 inode->i_sb->s_id, inode->i_ino, current->comm); 175 176 if (rc <= 0) 177 return rc; 178 if (rc > SMACK_UNCONFINED_OBJECT) 179 rc = 0; 180 if (rc == SMACK_UNCONFINED_SUBJECT && 181 (mode & (MAY_WRITE | MAY_APPEND))) 182 isp->smk_flags |= SMK_INODE_IMPURE; 183 184 smk_bu_mode(mode, acc); 185 186 pr_info("Smack %s: (%s %s %s) inode=(%s %ld) %s\n", smk_bu_mess[rc], 187 tsp->smk_task->smk_known, isp->smk_inode->smk_known, acc, 188 inode->i_sb->s_id, inode->i_ino, current->comm); 189 return 0; 190 } 191 #else 192 #define smk_bu_inode(inode, mode, RC) (RC) 193 #endif 194 195 #ifdef CONFIG_SECURITY_SMACK_BRINGUP 196 static int smk_bu_file(struct file *file, int mode, int rc) 197 { 198 struct task_smack *tsp = current_security(); 199 struct smack_known *sskp = tsp->smk_task; 200 struct inode *inode = file_inode(file); 201 struct inode_smack *isp = inode->i_security; 202 char acc[SMK_NUM_ACCESS_TYPE + 1]; 203 204 if (isp->smk_flags & SMK_INODE_IMPURE) 205 pr_info("Smack Unconfined Corruption: inode=(%s %ld) %s\n", 206 inode->i_sb->s_id, inode->i_ino, current->comm); 207 208 if (rc <= 0) 209 return rc; 210 if (rc > SMACK_UNCONFINED_OBJECT) 211 rc = 0; 212 213 smk_bu_mode(mode, acc); 214 pr_info("Smack %s: (%s %s %s) file=(%s %ld %pD) %s\n", smk_bu_mess[rc], 215 sskp->smk_known, smk_of_inode(inode)->smk_known, acc, 216 inode->i_sb->s_id, inode->i_ino, file, 217 current->comm); 218 return 0; 219 } 220 #else 221 #define smk_bu_file(file, mode, RC) (RC) 222 #endif 223 224 #ifdef CONFIG_SECURITY_SMACK_BRINGUP 225 static int smk_bu_credfile(const struct cred *cred, struct file *file, 226 int mode, int rc) 227 { 228 struct task_smack *tsp = cred->security; 229 struct smack_known *sskp = tsp->smk_task; 230 struct inode *inode = file_inode(file); 231 struct inode_smack *isp = inode->i_security; 232 char acc[SMK_NUM_ACCESS_TYPE + 1]; 233 234 if (isp->smk_flags & SMK_INODE_IMPURE) 235 pr_info("Smack Unconfined Corruption: inode=(%s %ld) %s\n", 236 inode->i_sb->s_id, inode->i_ino, current->comm); 237 238 if (rc <= 0) 239 return rc; 240 if (rc > SMACK_UNCONFINED_OBJECT) 241 rc = 0; 242 243 smk_bu_mode(mode, acc); 244 pr_info("Smack %s: (%s %s %s) file=(%s %ld %pD) %s\n", smk_bu_mess[rc], 245 sskp->smk_known, smk_of_inode(inode)->smk_known, acc, 246 inode->i_sb->s_id, inode->i_ino, file, 247 current->comm); 248 return 0; 249 } 250 #else 251 #define smk_bu_credfile(cred, file, mode, RC) (RC) 252 #endif 253 254 /** 255 * smk_fetch - Fetch the smack label from a file. 256 * @name: type of the label (attribute) 257 * @ip: a pointer to the inode 258 * @dp: a pointer to the dentry 259 * 260 * Returns a pointer to the master list entry for the Smack label, 261 * NULL if there was no label to fetch, or an error code. 262 */ 263 static struct smack_known *smk_fetch(const char *name, struct inode *ip, 264 struct dentry *dp) 265 { 266 int rc; 267 char *buffer; 268 struct smack_known *skp = NULL; 269 270 if (!(ip->i_opflags & IOP_XATTR)) 271 return ERR_PTR(-EOPNOTSUPP); 272 273 buffer = kzalloc(SMK_LONGLABEL, GFP_KERNEL); 274 if (buffer == NULL) 275 return ERR_PTR(-ENOMEM); 276 277 rc = __vfs_getxattr(dp, ip, name, buffer, SMK_LONGLABEL); 278 if (rc < 0) 279 skp = ERR_PTR(rc); 280 else if (rc == 0) 281 skp = NULL; 282 else 283 skp = smk_import_entry(buffer, rc); 284 285 kfree(buffer); 286 287 return skp; 288 } 289 290 /** 291 * new_inode_smack - allocate an inode security blob 292 * @skp: a pointer to the Smack label entry to use in the blob 293 * 294 * Returns the new blob or NULL if there's no memory available 295 */ 296 static struct inode_smack *new_inode_smack(struct smack_known *skp) 297 { 298 struct inode_smack *isp; 299 300 isp = kmem_cache_zalloc(smack_inode_cache, GFP_NOFS); 301 if (isp == NULL) 302 return NULL; 303 304 isp->smk_inode = skp; 305 isp->smk_flags = 0; 306 mutex_init(&isp->smk_lock); 307 308 return isp; 309 } 310 311 /** 312 * new_task_smack - allocate a task security blob 313 * @task: a pointer to the Smack label for the running task 314 * @forked: a pointer to the Smack label for the forked task 315 * @gfp: type of the memory for the allocation 316 * 317 * Returns the new blob or NULL if there's no memory available 318 */ 319 static struct task_smack *new_task_smack(struct smack_known *task, 320 struct smack_known *forked, gfp_t gfp) 321 { 322 struct task_smack *tsp; 323 324 tsp = kzalloc(sizeof(struct task_smack), gfp); 325 if (tsp == NULL) 326 return NULL; 327 328 tsp->smk_task = task; 329 tsp->smk_forked = forked; 330 INIT_LIST_HEAD(&tsp->smk_rules); 331 INIT_LIST_HEAD(&tsp->smk_relabel); 332 mutex_init(&tsp->smk_rules_lock); 333 334 return tsp; 335 } 336 337 /** 338 * smk_copy_rules - copy a rule set 339 * @nhead: new rules header pointer 340 * @ohead: old rules header pointer 341 * @gfp: type of the memory for the allocation 342 * 343 * Returns 0 on success, -ENOMEM on error 344 */ 345 static int smk_copy_rules(struct list_head *nhead, struct list_head *ohead, 346 gfp_t gfp) 347 { 348 struct smack_rule *nrp; 349 struct smack_rule *orp; 350 int rc = 0; 351 352 list_for_each_entry_rcu(orp, ohead, list) { 353 nrp = kzalloc(sizeof(struct smack_rule), gfp); 354 if (nrp == NULL) { 355 rc = -ENOMEM; 356 break; 357 } 358 *nrp = *orp; 359 list_add_rcu(&nrp->list, nhead); 360 } 361 return rc; 362 } 363 364 /** 365 * smk_copy_relabel - copy smk_relabel labels list 366 * @nhead: new rules header pointer 367 * @ohead: old rules header pointer 368 * @gfp: type of the memory for the allocation 369 * 370 * Returns 0 on success, -ENOMEM on error 371 */ 372 static int smk_copy_relabel(struct list_head *nhead, struct list_head *ohead, 373 gfp_t gfp) 374 { 375 struct smack_known_list_elem *nklep; 376 struct smack_known_list_elem *oklep; 377 378 list_for_each_entry(oklep, ohead, list) { 379 nklep = kzalloc(sizeof(struct smack_known_list_elem), gfp); 380 if (nklep == NULL) { 381 smk_destroy_label_list(nhead); 382 return -ENOMEM; 383 } 384 nklep->smk_label = oklep->smk_label; 385 list_add(&nklep->list, nhead); 386 } 387 388 return 0; 389 } 390 391 /** 392 * smk_ptrace_mode - helper function for converting PTRACE_MODE_* into MAY_* 393 * @mode - input mode in form of PTRACE_MODE_* 394 * 395 * Returns a converted MAY_* mode usable by smack rules 396 */ 397 static inline unsigned int smk_ptrace_mode(unsigned int mode) 398 { 399 if (mode & PTRACE_MODE_ATTACH) 400 return MAY_READWRITE; 401 if (mode & PTRACE_MODE_READ) 402 return MAY_READ; 403 404 return 0; 405 } 406 407 /** 408 * smk_ptrace_rule_check - helper for ptrace access 409 * @tracer: tracer process 410 * @tracee_known: label entry of the process that's about to be traced 411 * @mode: ptrace attachment mode (PTRACE_MODE_*) 412 * @func: name of the function that called us, used for audit 413 * 414 * Returns 0 on access granted, -error on error 415 */ 416 static int smk_ptrace_rule_check(struct task_struct *tracer, 417 struct smack_known *tracee_known, 418 unsigned int mode, const char *func) 419 { 420 int rc; 421 struct smk_audit_info ad, *saip = NULL; 422 struct task_smack *tsp; 423 struct smack_known *tracer_known; 424 const struct cred *tracercred; 425 426 if ((mode & PTRACE_MODE_NOAUDIT) == 0) { 427 smk_ad_init(&ad, func, LSM_AUDIT_DATA_TASK); 428 smk_ad_setfield_u_tsk(&ad, tracer); 429 saip = &ad; 430 } 431 432 rcu_read_lock(); 433 tracercred = __task_cred(tracer); 434 tsp = tracercred->security; 435 tracer_known = smk_of_task(tsp); 436 437 if ((mode & PTRACE_MODE_ATTACH) && 438 (smack_ptrace_rule == SMACK_PTRACE_EXACT || 439 smack_ptrace_rule == SMACK_PTRACE_DRACONIAN)) { 440 if (tracer_known->smk_known == tracee_known->smk_known) 441 rc = 0; 442 else if (smack_ptrace_rule == SMACK_PTRACE_DRACONIAN) 443 rc = -EACCES; 444 else if (smack_privileged_cred(CAP_SYS_PTRACE, tracercred)) 445 rc = 0; 446 else 447 rc = -EACCES; 448 449 if (saip) 450 smack_log(tracer_known->smk_known, 451 tracee_known->smk_known, 452 0, rc, saip); 453 454 rcu_read_unlock(); 455 return rc; 456 } 457 458 /* In case of rule==SMACK_PTRACE_DEFAULT or mode==PTRACE_MODE_READ */ 459 rc = smk_tskacc(tsp, tracee_known, smk_ptrace_mode(mode), saip); 460 461 rcu_read_unlock(); 462 return rc; 463 } 464 465 /* 466 * LSM hooks. 467 * We he, that is fun! 468 */ 469 470 /** 471 * smack_ptrace_access_check - Smack approval on PTRACE_ATTACH 472 * @ctp: child task pointer 473 * @mode: ptrace attachment mode (PTRACE_MODE_*) 474 * 475 * Returns 0 if access is OK, an error code otherwise 476 * 477 * Do the capability checks. 478 */ 479 static int smack_ptrace_access_check(struct task_struct *ctp, unsigned int mode) 480 { 481 struct smack_known *skp; 482 483 skp = smk_of_task_struct(ctp); 484 485 return smk_ptrace_rule_check(current, skp, mode, __func__); 486 } 487 488 /** 489 * smack_ptrace_traceme - Smack approval on PTRACE_TRACEME 490 * @ptp: parent task pointer 491 * 492 * Returns 0 if access is OK, an error code otherwise 493 * 494 * Do the capability checks, and require PTRACE_MODE_ATTACH. 495 */ 496 static int smack_ptrace_traceme(struct task_struct *ptp) 497 { 498 int rc; 499 struct smack_known *skp; 500 501 skp = smk_of_task(current_security()); 502 503 rc = smk_ptrace_rule_check(ptp, skp, PTRACE_MODE_ATTACH, __func__); 504 return rc; 505 } 506 507 /** 508 * smack_syslog - Smack approval on syslog 509 * @type: message type 510 * 511 * Returns 0 on success, error code otherwise. 512 */ 513 static int smack_syslog(int typefrom_file) 514 { 515 int rc = 0; 516 struct smack_known *skp = smk_of_current(); 517 518 if (smack_privileged(CAP_MAC_OVERRIDE)) 519 return 0; 520 521 if (smack_syslog_label != NULL && smack_syslog_label != skp) 522 rc = -EACCES; 523 524 return rc; 525 } 526 527 528 /* 529 * Superblock Hooks. 530 */ 531 532 /** 533 * smack_sb_alloc_security - allocate a superblock blob 534 * @sb: the superblock getting the blob 535 * 536 * Returns 0 on success or -ENOMEM on error. 537 */ 538 static int smack_sb_alloc_security(struct super_block *sb) 539 { 540 struct superblock_smack *sbsp; 541 542 sbsp = kzalloc(sizeof(struct superblock_smack), GFP_KERNEL); 543 544 if (sbsp == NULL) 545 return -ENOMEM; 546 547 sbsp->smk_root = &smack_known_floor; 548 sbsp->smk_default = &smack_known_floor; 549 sbsp->smk_floor = &smack_known_floor; 550 sbsp->smk_hat = &smack_known_hat; 551 /* 552 * SMK_SB_INITIALIZED will be zero from kzalloc. 553 */ 554 sb->s_security = sbsp; 555 556 return 0; 557 } 558 559 /** 560 * smack_sb_free_security - free a superblock blob 561 * @sb: the superblock getting the blob 562 * 563 */ 564 static void smack_sb_free_security(struct super_block *sb) 565 { 566 kfree(sb->s_security); 567 sb->s_security = NULL; 568 } 569 570 struct smack_mnt_opts { 571 const char *fsdefault, *fsfloor, *fshat, *fsroot, *fstransmute; 572 }; 573 574 static void smack_free_mnt_opts(void *mnt_opts) 575 { 576 struct smack_mnt_opts *opts = mnt_opts; 577 kfree(opts->fsdefault); 578 kfree(opts->fsfloor); 579 kfree(opts->fshat); 580 kfree(opts->fsroot); 581 kfree(opts->fstransmute); 582 kfree(opts); 583 } 584 585 /** 586 * smack_sb_copy_data - copy mount options data for processing 587 * @orig: where to start 588 * @smackopts: mount options string 589 * 590 * Returns 0 on success or -ENOMEM on error. 591 * 592 * Copy the Smack specific mount options out of the mount 593 * options list. 594 */ 595 static int smack_sb_copy_data(char *orig, char *smackopts) 596 { 597 char *cp, *commap, *otheropts, *dp; 598 599 otheropts = (char *)get_zeroed_page(GFP_KERNEL); 600 if (otheropts == NULL) 601 return -ENOMEM; 602 603 for (cp = orig, commap = orig; commap != NULL; cp = commap + 1) { 604 if (strstr(cp, SMK_FSDEFAULT) == cp) 605 dp = smackopts; 606 else if (strstr(cp, SMK_FSFLOOR) == cp) 607 dp = smackopts; 608 else if (strstr(cp, SMK_FSHAT) == cp) 609 dp = smackopts; 610 else if (strstr(cp, SMK_FSROOT) == cp) 611 dp = smackopts; 612 else if (strstr(cp, SMK_FSTRANS) == cp) 613 dp = smackopts; 614 else 615 dp = otheropts; 616 617 commap = strchr(cp, ','); 618 if (commap != NULL) 619 *commap = '\0'; 620 621 if (*dp != '\0') 622 strcat(dp, ","); 623 strcat(dp, cp); 624 } 625 626 strcpy(orig, otheropts); 627 free_page((unsigned long)otheropts); 628 629 return 0; 630 } 631 632 /** 633 * smack_parse_opts_str - parse Smack specific mount options 634 * @options: mount options string 635 * @opts: where to store converted mount opts 636 * 637 * Returns 0 on success or -ENOMEM on error. 638 * 639 * converts Smack specific mount options to generic security option format 640 */ 641 static int smack_parse_opts_str(char *options, 642 void **mnt_opts) 643 { 644 struct smack_mnt_opts *opts = *mnt_opts; 645 char *p; 646 int rc = -ENOMEM; 647 int token; 648 649 if (!options) 650 return 0; 651 652 while ((p = strsep(&options, ",")) != NULL) { 653 substring_t args[MAX_OPT_ARGS]; 654 655 if (!*p) 656 continue; 657 658 token = match_token(p, smk_mount_tokens, args); 659 660 if (!opts) { 661 opts = kzalloc(sizeof(struct smack_mnt_opts), GFP_KERNEL); 662 if (!opts) 663 return -ENOMEM; 664 } 665 666 switch (token) { 667 case Opt_fsdefault: 668 if (opts->fsdefault) 669 goto out_opt_err; 670 opts->fsdefault = match_strdup(&args[0]); 671 if (!opts->fsdefault) 672 goto out_err; 673 break; 674 case Opt_fsfloor: 675 if (opts->fsfloor) 676 goto out_opt_err; 677 opts->fsfloor = match_strdup(&args[0]); 678 if (!opts->fsfloor) 679 goto out_err; 680 break; 681 case Opt_fshat: 682 if (opts->fshat) 683 goto out_opt_err; 684 opts->fshat = match_strdup(&args[0]); 685 if (!opts->fshat) 686 goto out_err; 687 break; 688 case Opt_fsroot: 689 if (opts->fsroot) 690 goto out_opt_err; 691 opts->fsroot = match_strdup(&args[0]); 692 if (!opts->fsroot) 693 goto out_err; 694 break; 695 case Opt_fstransmute: 696 if (opts->fstransmute) 697 goto out_opt_err; 698 opts->fstransmute = match_strdup(&args[0]); 699 if (!opts->fstransmute) 700 goto out_err; 701 break; 702 default: 703 rc = -EINVAL; 704 pr_warn("Smack: unknown mount option\n"); 705 goto out_err; 706 } 707 } 708 *mnt_opts = opts; 709 return 0; 710 711 out_opt_err: 712 rc = -EINVAL; 713 pr_warn("Smack: duplicate mount options\n"); 714 715 out_err: 716 if (opts) 717 smack_free_mnt_opts(opts); 718 return rc; 719 } 720 721 static int smack_sb_eat_lsm_opts(char *options, void **mnt_opts) 722 { 723 char *s = (char *)get_zeroed_page(GFP_KERNEL); 724 int err; 725 726 if (!s) 727 return -ENOMEM; 728 err = smack_sb_copy_data(options, s); 729 if (!err) 730 err = smack_parse_opts_str(s, mnt_opts); 731 free_page((unsigned long)s); 732 return err; 733 } 734 735 /** 736 * smack_set_mnt_opts - set Smack specific mount options 737 * @sb: the file system superblock 738 * @opts: Smack mount options 739 * @kern_flags: mount option from kernel space or user space 740 * @set_kern_flags: where to store converted mount opts 741 * 742 * Returns 0 on success, an error code on failure 743 * 744 * Allow filesystems with binary mount data to explicitly set Smack mount 745 * labels. 746 */ 747 static int smack_set_mnt_opts(struct super_block *sb, 748 void *mnt_opts, 749 unsigned long kern_flags, 750 unsigned long *set_kern_flags) 751 { 752 struct dentry *root = sb->s_root; 753 struct inode *inode = d_backing_inode(root); 754 struct superblock_smack *sp = sb->s_security; 755 struct inode_smack *isp; 756 struct smack_known *skp; 757 struct smack_mnt_opts *opts = mnt_opts; 758 bool transmute = false; 759 760 if (sp->smk_flags & SMK_SB_INITIALIZED) 761 return 0; 762 763 if (!smack_privileged(CAP_MAC_ADMIN)) { 764 /* 765 * Unprivileged mounts don't get to specify Smack values. 766 */ 767 if (opts) 768 return -EPERM; 769 /* 770 * Unprivileged mounts get root and default from the caller. 771 */ 772 skp = smk_of_current(); 773 sp->smk_root = skp; 774 sp->smk_default = skp; 775 /* 776 * For a handful of fs types with no user-controlled 777 * backing store it's okay to trust security labels 778 * in the filesystem. The rest are untrusted. 779 */ 780 if (sb->s_user_ns != &init_user_ns && 781 sb->s_magic != SYSFS_MAGIC && sb->s_magic != TMPFS_MAGIC && 782 sb->s_magic != RAMFS_MAGIC) { 783 transmute = true; 784 sp->smk_flags |= SMK_SB_UNTRUSTED; 785 } 786 } 787 788 sp->smk_flags |= SMK_SB_INITIALIZED; 789 790 if (opts) { 791 if (opts->fsdefault) { 792 skp = smk_import_entry(opts->fsdefault, 0); 793 if (IS_ERR(skp)) 794 return PTR_ERR(skp); 795 sp->smk_default = skp; 796 } 797 if (opts->fsfloor) { 798 skp = smk_import_entry(opts->fsfloor, 0); 799 if (IS_ERR(skp)) 800 return PTR_ERR(skp); 801 sp->smk_floor = skp; 802 } 803 if (opts->fshat) { 804 skp = smk_import_entry(opts->fshat, 0); 805 if (IS_ERR(skp)) 806 return PTR_ERR(skp); 807 sp->smk_hat = skp; 808 } 809 if (opts->fsroot) { 810 skp = smk_import_entry(opts->fsroot, 0); 811 if (IS_ERR(skp)) 812 return PTR_ERR(skp); 813 sp->smk_root = skp; 814 } 815 if (opts->fstransmute) { 816 skp = smk_import_entry(opts->fstransmute, 0); 817 if (IS_ERR(skp)) 818 return PTR_ERR(skp); 819 sp->smk_root = skp; 820 transmute = true; 821 } 822 } 823 824 /* 825 * Initialize the root inode. 826 */ 827 isp = inode->i_security; 828 if (isp == NULL) { 829 isp = new_inode_smack(sp->smk_root); 830 if (isp == NULL) 831 return -ENOMEM; 832 inode->i_security = isp; 833 } else 834 isp->smk_inode = sp->smk_root; 835 836 if (transmute) 837 isp->smk_flags |= SMK_INODE_TRANSMUTE; 838 839 return 0; 840 } 841 842 /** 843 * smack_sb_statfs - Smack check on statfs 844 * @dentry: identifies the file system in question 845 * 846 * Returns 0 if current can read the floor of the filesystem, 847 * and error code otherwise 848 */ 849 static int smack_sb_statfs(struct dentry *dentry) 850 { 851 struct superblock_smack *sbp = dentry->d_sb->s_security; 852 int rc; 853 struct smk_audit_info ad; 854 855 smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_DENTRY); 856 smk_ad_setfield_u_fs_path_dentry(&ad, dentry); 857 858 rc = smk_curacc(sbp->smk_floor, MAY_READ, &ad); 859 rc = smk_bu_current("statfs", sbp->smk_floor, MAY_READ, rc); 860 return rc; 861 } 862 863 /* 864 * BPRM hooks 865 */ 866 867 /** 868 * smack_bprm_set_creds - set creds for exec 869 * @bprm: the exec information 870 * 871 * Returns 0 if it gets a blob, -EPERM if exec forbidden and -ENOMEM otherwise 872 */ 873 static int smack_bprm_set_creds(struct linux_binprm *bprm) 874 { 875 struct inode *inode = file_inode(bprm->file); 876 struct task_smack *bsp = bprm->cred->security; 877 struct inode_smack *isp; 878 struct superblock_smack *sbsp; 879 int rc; 880 881 if (bprm->called_set_creds) 882 return 0; 883 884 isp = inode->i_security; 885 if (isp->smk_task == NULL || isp->smk_task == bsp->smk_task) 886 return 0; 887 888 sbsp = inode->i_sb->s_security; 889 if ((sbsp->smk_flags & SMK_SB_UNTRUSTED) && 890 isp->smk_task != sbsp->smk_root) 891 return 0; 892 893 if (bprm->unsafe & LSM_UNSAFE_PTRACE) { 894 struct task_struct *tracer; 895 rc = 0; 896 897 rcu_read_lock(); 898 tracer = ptrace_parent(current); 899 if (likely(tracer != NULL)) 900 rc = smk_ptrace_rule_check(tracer, 901 isp->smk_task, 902 PTRACE_MODE_ATTACH, 903 __func__); 904 rcu_read_unlock(); 905 906 if (rc != 0) 907 return rc; 908 } else if (bprm->unsafe) 909 return -EPERM; 910 911 bsp->smk_task = isp->smk_task; 912 bprm->per_clear |= PER_CLEAR_ON_SETID; 913 914 /* Decide if this is a secure exec. */ 915 if (bsp->smk_task != bsp->smk_forked) 916 bprm->secureexec = 1; 917 918 return 0; 919 } 920 921 /* 922 * Inode hooks 923 */ 924 925 /** 926 * smack_inode_alloc_security - allocate an inode blob 927 * @inode: the inode in need of a blob 928 * 929 * Returns 0 if it gets a blob, -ENOMEM otherwise 930 */ 931 static int smack_inode_alloc_security(struct inode *inode) 932 { 933 struct smack_known *skp = smk_of_current(); 934 935 inode->i_security = new_inode_smack(skp); 936 if (inode->i_security == NULL) 937 return -ENOMEM; 938 return 0; 939 } 940 941 /** 942 * smack_inode_free_rcu - Free inode_smack blob from cache 943 * @head: the rcu_head for getting inode_smack pointer 944 * 945 * Call back function called from call_rcu() to free 946 * the i_security blob pointer in inode 947 */ 948 static void smack_inode_free_rcu(struct rcu_head *head) 949 { 950 struct inode_smack *issp; 951 952 issp = container_of(head, struct inode_smack, smk_rcu); 953 kmem_cache_free(smack_inode_cache, issp); 954 } 955 956 /** 957 * smack_inode_free_security - free an inode blob using call_rcu() 958 * @inode: the inode with a blob 959 * 960 * Clears the blob pointer in inode using RCU 961 */ 962 static void smack_inode_free_security(struct inode *inode) 963 { 964 struct inode_smack *issp = inode->i_security; 965 966 /* 967 * The inode may still be referenced in a path walk and 968 * a call to smack_inode_permission() can be made 969 * after smack_inode_free_security() is called. 970 * To avoid race condition free the i_security via RCU 971 * and leave the current inode->i_security pointer intact. 972 * The inode will be freed after the RCU grace period too. 973 */ 974 call_rcu(&issp->smk_rcu, smack_inode_free_rcu); 975 } 976 977 /** 978 * smack_inode_init_security - copy out the smack from an inode 979 * @inode: the newly created inode 980 * @dir: containing directory object 981 * @qstr: unused 982 * @name: where to put the attribute name 983 * @value: where to put the attribute value 984 * @len: where to put the length of the attribute 985 * 986 * Returns 0 if it all works out, -ENOMEM if there's no memory 987 */ 988 static int smack_inode_init_security(struct inode *inode, struct inode *dir, 989 const struct qstr *qstr, const char **name, 990 void **value, size_t *len) 991 { 992 struct inode_smack *issp = inode->i_security; 993 struct smack_known *skp = smk_of_current(); 994 struct smack_known *isp = smk_of_inode(inode); 995 struct smack_known *dsp = smk_of_inode(dir); 996 int may; 997 998 if (name) 999 *name = XATTR_SMACK_SUFFIX; 1000 1001 if (value && len) { 1002 rcu_read_lock(); 1003 may = smk_access_entry(skp->smk_known, dsp->smk_known, 1004 &skp->smk_rules); 1005 rcu_read_unlock(); 1006 1007 /* 1008 * If the access rule allows transmutation and 1009 * the directory requests transmutation then 1010 * by all means transmute. 1011 * Mark the inode as changed. 1012 */ 1013 if (may > 0 && ((may & MAY_TRANSMUTE) != 0) && 1014 smk_inode_transmutable(dir)) { 1015 isp = dsp; 1016 issp->smk_flags |= SMK_INODE_CHANGED; 1017 } 1018 1019 *value = kstrdup(isp->smk_known, GFP_NOFS); 1020 if (*value == NULL) 1021 return -ENOMEM; 1022 1023 *len = strlen(isp->smk_known); 1024 } 1025 1026 return 0; 1027 } 1028 1029 /** 1030 * smack_inode_link - Smack check on link 1031 * @old_dentry: the existing object 1032 * @dir: unused 1033 * @new_dentry: the new object 1034 * 1035 * Returns 0 if access is permitted, an error code otherwise 1036 */ 1037 static int smack_inode_link(struct dentry *old_dentry, struct inode *dir, 1038 struct dentry *new_dentry) 1039 { 1040 struct smack_known *isp; 1041 struct smk_audit_info ad; 1042 int rc; 1043 1044 smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_DENTRY); 1045 smk_ad_setfield_u_fs_path_dentry(&ad, old_dentry); 1046 1047 isp = smk_of_inode(d_backing_inode(old_dentry)); 1048 rc = smk_curacc(isp, MAY_WRITE, &ad); 1049 rc = smk_bu_inode(d_backing_inode(old_dentry), MAY_WRITE, rc); 1050 1051 if (rc == 0 && d_is_positive(new_dentry)) { 1052 isp = smk_of_inode(d_backing_inode(new_dentry)); 1053 smk_ad_setfield_u_fs_path_dentry(&ad, new_dentry); 1054 rc = smk_curacc(isp, MAY_WRITE, &ad); 1055 rc = smk_bu_inode(d_backing_inode(new_dentry), MAY_WRITE, rc); 1056 } 1057 1058 return rc; 1059 } 1060 1061 /** 1062 * smack_inode_unlink - Smack check on inode deletion 1063 * @dir: containing directory object 1064 * @dentry: file to unlink 1065 * 1066 * Returns 0 if current can write the containing directory 1067 * and the object, error code otherwise 1068 */ 1069 static int smack_inode_unlink(struct inode *dir, struct dentry *dentry) 1070 { 1071 struct inode *ip = d_backing_inode(dentry); 1072 struct smk_audit_info ad; 1073 int rc; 1074 1075 smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_DENTRY); 1076 smk_ad_setfield_u_fs_path_dentry(&ad, dentry); 1077 1078 /* 1079 * You need write access to the thing you're unlinking 1080 */ 1081 rc = smk_curacc(smk_of_inode(ip), MAY_WRITE, &ad); 1082 rc = smk_bu_inode(ip, MAY_WRITE, rc); 1083 if (rc == 0) { 1084 /* 1085 * You also need write access to the containing directory 1086 */ 1087 smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_INODE); 1088 smk_ad_setfield_u_fs_inode(&ad, dir); 1089 rc = smk_curacc(smk_of_inode(dir), MAY_WRITE, &ad); 1090 rc = smk_bu_inode(dir, MAY_WRITE, rc); 1091 } 1092 return rc; 1093 } 1094 1095 /** 1096 * smack_inode_rmdir - Smack check on directory deletion 1097 * @dir: containing directory object 1098 * @dentry: directory to unlink 1099 * 1100 * Returns 0 if current can write the containing directory 1101 * and the directory, error code otherwise 1102 */ 1103 static int smack_inode_rmdir(struct inode *dir, struct dentry *dentry) 1104 { 1105 struct smk_audit_info ad; 1106 int rc; 1107 1108 smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_DENTRY); 1109 smk_ad_setfield_u_fs_path_dentry(&ad, dentry); 1110 1111 /* 1112 * You need write access to the thing you're removing 1113 */ 1114 rc = smk_curacc(smk_of_inode(d_backing_inode(dentry)), MAY_WRITE, &ad); 1115 rc = smk_bu_inode(d_backing_inode(dentry), MAY_WRITE, rc); 1116 if (rc == 0) { 1117 /* 1118 * You also need write access to the containing directory 1119 */ 1120 smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_INODE); 1121 smk_ad_setfield_u_fs_inode(&ad, dir); 1122 rc = smk_curacc(smk_of_inode(dir), MAY_WRITE, &ad); 1123 rc = smk_bu_inode(dir, MAY_WRITE, rc); 1124 } 1125 1126 return rc; 1127 } 1128 1129 /** 1130 * smack_inode_rename - Smack check on rename 1131 * @old_inode: unused 1132 * @old_dentry: the old object 1133 * @new_inode: unused 1134 * @new_dentry: the new object 1135 * 1136 * Read and write access is required on both the old and 1137 * new directories. 1138 * 1139 * Returns 0 if access is permitted, an error code otherwise 1140 */ 1141 static int smack_inode_rename(struct inode *old_inode, 1142 struct dentry *old_dentry, 1143 struct inode *new_inode, 1144 struct dentry *new_dentry) 1145 { 1146 int rc; 1147 struct smack_known *isp; 1148 struct smk_audit_info ad; 1149 1150 smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_DENTRY); 1151 smk_ad_setfield_u_fs_path_dentry(&ad, old_dentry); 1152 1153 isp = smk_of_inode(d_backing_inode(old_dentry)); 1154 rc = smk_curacc(isp, MAY_READWRITE, &ad); 1155 rc = smk_bu_inode(d_backing_inode(old_dentry), MAY_READWRITE, rc); 1156 1157 if (rc == 0 && d_is_positive(new_dentry)) { 1158 isp = smk_of_inode(d_backing_inode(new_dentry)); 1159 smk_ad_setfield_u_fs_path_dentry(&ad, new_dentry); 1160 rc = smk_curacc(isp, MAY_READWRITE, &ad); 1161 rc = smk_bu_inode(d_backing_inode(new_dentry), MAY_READWRITE, rc); 1162 } 1163 return rc; 1164 } 1165 1166 /** 1167 * smack_inode_permission - Smack version of permission() 1168 * @inode: the inode in question 1169 * @mask: the access requested 1170 * 1171 * This is the important Smack hook. 1172 * 1173 * Returns 0 if access is permitted, -EACCES otherwise 1174 */ 1175 static int smack_inode_permission(struct inode *inode, int mask) 1176 { 1177 struct superblock_smack *sbsp = inode->i_sb->s_security; 1178 struct smk_audit_info ad; 1179 int no_block = mask & MAY_NOT_BLOCK; 1180 int rc; 1181 1182 mask &= (MAY_READ|MAY_WRITE|MAY_EXEC|MAY_APPEND); 1183 /* 1184 * No permission to check. Existence test. Yup, it's there. 1185 */ 1186 if (mask == 0) 1187 return 0; 1188 1189 if (sbsp->smk_flags & SMK_SB_UNTRUSTED) { 1190 if (smk_of_inode(inode) != sbsp->smk_root) 1191 return -EACCES; 1192 } 1193 1194 /* May be droppable after audit */ 1195 if (no_block) 1196 return -ECHILD; 1197 smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_INODE); 1198 smk_ad_setfield_u_fs_inode(&ad, inode); 1199 rc = smk_curacc(smk_of_inode(inode), mask, &ad); 1200 rc = smk_bu_inode(inode, mask, rc); 1201 return rc; 1202 } 1203 1204 /** 1205 * smack_inode_setattr - Smack check for setting attributes 1206 * @dentry: the object 1207 * @iattr: for the force flag 1208 * 1209 * Returns 0 if access is permitted, an error code otherwise 1210 */ 1211 static int smack_inode_setattr(struct dentry *dentry, struct iattr *iattr) 1212 { 1213 struct smk_audit_info ad; 1214 int rc; 1215 1216 /* 1217 * Need to allow for clearing the setuid bit. 1218 */ 1219 if (iattr->ia_valid & ATTR_FORCE) 1220 return 0; 1221 smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_DENTRY); 1222 smk_ad_setfield_u_fs_path_dentry(&ad, dentry); 1223 1224 rc = smk_curacc(smk_of_inode(d_backing_inode(dentry)), MAY_WRITE, &ad); 1225 rc = smk_bu_inode(d_backing_inode(dentry), MAY_WRITE, rc); 1226 return rc; 1227 } 1228 1229 /** 1230 * smack_inode_getattr - Smack check for getting attributes 1231 * @mnt: vfsmount of the object 1232 * @dentry: the object 1233 * 1234 * Returns 0 if access is permitted, an error code otherwise 1235 */ 1236 static int smack_inode_getattr(const struct path *path) 1237 { 1238 struct smk_audit_info ad; 1239 struct inode *inode = d_backing_inode(path->dentry); 1240 int rc; 1241 1242 smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_PATH); 1243 smk_ad_setfield_u_fs_path(&ad, *path); 1244 rc = smk_curacc(smk_of_inode(inode), MAY_READ, &ad); 1245 rc = smk_bu_inode(inode, MAY_READ, rc); 1246 return rc; 1247 } 1248 1249 /** 1250 * smack_inode_setxattr - Smack check for setting xattrs 1251 * @dentry: the object 1252 * @name: name of the attribute 1253 * @value: value of the attribute 1254 * @size: size of the value 1255 * @flags: unused 1256 * 1257 * This protects the Smack attribute explicitly. 1258 * 1259 * Returns 0 if access is permitted, an error code otherwise 1260 */ 1261 static int smack_inode_setxattr(struct dentry *dentry, const char *name, 1262 const void *value, size_t size, int flags) 1263 { 1264 struct smk_audit_info ad; 1265 struct smack_known *skp; 1266 int check_priv = 0; 1267 int check_import = 0; 1268 int check_star = 0; 1269 int rc = 0; 1270 1271 /* 1272 * Check label validity here so import won't fail in post_setxattr 1273 */ 1274 if (strcmp(name, XATTR_NAME_SMACK) == 0 || 1275 strcmp(name, XATTR_NAME_SMACKIPIN) == 0 || 1276 strcmp(name, XATTR_NAME_SMACKIPOUT) == 0) { 1277 check_priv = 1; 1278 check_import = 1; 1279 } else if (strcmp(name, XATTR_NAME_SMACKEXEC) == 0 || 1280 strcmp(name, XATTR_NAME_SMACKMMAP) == 0) { 1281 check_priv = 1; 1282 check_import = 1; 1283 check_star = 1; 1284 } else if (strcmp(name, XATTR_NAME_SMACKTRANSMUTE) == 0) { 1285 check_priv = 1; 1286 if (size != TRANS_TRUE_SIZE || 1287 strncmp(value, TRANS_TRUE, TRANS_TRUE_SIZE) != 0) 1288 rc = -EINVAL; 1289 } else 1290 rc = cap_inode_setxattr(dentry, name, value, size, flags); 1291 1292 if (check_priv && !smack_privileged(CAP_MAC_ADMIN)) 1293 rc = -EPERM; 1294 1295 if (rc == 0 && check_import) { 1296 skp = size ? smk_import_entry(value, size) : NULL; 1297 if (IS_ERR(skp)) 1298 rc = PTR_ERR(skp); 1299 else if (skp == NULL || (check_star && 1300 (skp == &smack_known_star || skp == &smack_known_web))) 1301 rc = -EINVAL; 1302 } 1303 1304 smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_DENTRY); 1305 smk_ad_setfield_u_fs_path_dentry(&ad, dentry); 1306 1307 if (rc == 0) { 1308 rc = smk_curacc(smk_of_inode(d_backing_inode(dentry)), MAY_WRITE, &ad); 1309 rc = smk_bu_inode(d_backing_inode(dentry), MAY_WRITE, rc); 1310 } 1311 1312 return rc; 1313 } 1314 1315 /** 1316 * smack_inode_post_setxattr - Apply the Smack update approved above 1317 * @dentry: object 1318 * @name: attribute name 1319 * @value: attribute value 1320 * @size: attribute size 1321 * @flags: unused 1322 * 1323 * Set the pointer in the inode blob to the entry found 1324 * in the master label list. 1325 */ 1326 static void smack_inode_post_setxattr(struct dentry *dentry, const char *name, 1327 const void *value, size_t size, int flags) 1328 { 1329 struct smack_known *skp; 1330 struct inode_smack *isp = d_backing_inode(dentry)->i_security; 1331 1332 if (strcmp(name, XATTR_NAME_SMACKTRANSMUTE) == 0) { 1333 isp->smk_flags |= SMK_INODE_TRANSMUTE; 1334 return; 1335 } 1336 1337 if (strcmp(name, XATTR_NAME_SMACK) == 0) { 1338 skp = smk_import_entry(value, size); 1339 if (!IS_ERR(skp)) 1340 isp->smk_inode = skp; 1341 } else if (strcmp(name, XATTR_NAME_SMACKEXEC) == 0) { 1342 skp = smk_import_entry(value, size); 1343 if (!IS_ERR(skp)) 1344 isp->smk_task = skp; 1345 } else if (strcmp(name, XATTR_NAME_SMACKMMAP) == 0) { 1346 skp = smk_import_entry(value, size); 1347 if (!IS_ERR(skp)) 1348 isp->smk_mmap = skp; 1349 } 1350 1351 return; 1352 } 1353 1354 /** 1355 * smack_inode_getxattr - Smack check on getxattr 1356 * @dentry: the object 1357 * @name: unused 1358 * 1359 * Returns 0 if access is permitted, an error code otherwise 1360 */ 1361 static int smack_inode_getxattr(struct dentry *dentry, const char *name) 1362 { 1363 struct smk_audit_info ad; 1364 int rc; 1365 1366 smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_DENTRY); 1367 smk_ad_setfield_u_fs_path_dentry(&ad, dentry); 1368 1369 rc = smk_curacc(smk_of_inode(d_backing_inode(dentry)), MAY_READ, &ad); 1370 rc = smk_bu_inode(d_backing_inode(dentry), MAY_READ, rc); 1371 return rc; 1372 } 1373 1374 /** 1375 * smack_inode_removexattr - Smack check on removexattr 1376 * @dentry: the object 1377 * @name: name of the attribute 1378 * 1379 * Removing the Smack attribute requires CAP_MAC_ADMIN 1380 * 1381 * Returns 0 if access is permitted, an error code otherwise 1382 */ 1383 static int smack_inode_removexattr(struct dentry *dentry, const char *name) 1384 { 1385 struct inode_smack *isp; 1386 struct smk_audit_info ad; 1387 int rc = 0; 1388 1389 if (strcmp(name, XATTR_NAME_SMACK) == 0 || 1390 strcmp(name, XATTR_NAME_SMACKIPIN) == 0 || 1391 strcmp(name, XATTR_NAME_SMACKIPOUT) == 0 || 1392 strcmp(name, XATTR_NAME_SMACKEXEC) == 0 || 1393 strcmp(name, XATTR_NAME_SMACKTRANSMUTE) == 0 || 1394 strcmp(name, XATTR_NAME_SMACKMMAP) == 0) { 1395 if (!smack_privileged(CAP_MAC_ADMIN)) 1396 rc = -EPERM; 1397 } else 1398 rc = cap_inode_removexattr(dentry, name); 1399 1400 if (rc != 0) 1401 return rc; 1402 1403 smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_DENTRY); 1404 smk_ad_setfield_u_fs_path_dentry(&ad, dentry); 1405 1406 rc = smk_curacc(smk_of_inode(d_backing_inode(dentry)), MAY_WRITE, &ad); 1407 rc = smk_bu_inode(d_backing_inode(dentry), MAY_WRITE, rc); 1408 if (rc != 0) 1409 return rc; 1410 1411 isp = d_backing_inode(dentry)->i_security; 1412 /* 1413 * Don't do anything special for these. 1414 * XATTR_NAME_SMACKIPIN 1415 * XATTR_NAME_SMACKIPOUT 1416 */ 1417 if (strcmp(name, XATTR_NAME_SMACK) == 0) { 1418 struct super_block *sbp = dentry->d_sb; 1419 struct superblock_smack *sbsp = sbp->s_security; 1420 1421 isp->smk_inode = sbsp->smk_default; 1422 } else if (strcmp(name, XATTR_NAME_SMACKEXEC) == 0) 1423 isp->smk_task = NULL; 1424 else if (strcmp(name, XATTR_NAME_SMACKMMAP) == 0) 1425 isp->smk_mmap = NULL; 1426 else if (strcmp(name, XATTR_NAME_SMACKTRANSMUTE) == 0) 1427 isp->smk_flags &= ~SMK_INODE_TRANSMUTE; 1428 1429 return 0; 1430 } 1431 1432 /** 1433 * smack_inode_getsecurity - get smack xattrs 1434 * @inode: the object 1435 * @name: attribute name 1436 * @buffer: where to put the result 1437 * @alloc: duplicate memory 1438 * 1439 * Returns the size of the attribute or an error code 1440 */ 1441 static int smack_inode_getsecurity(struct inode *inode, 1442 const char *name, void **buffer, 1443 bool alloc) 1444 { 1445 struct socket_smack *ssp; 1446 struct socket *sock; 1447 struct super_block *sbp; 1448 struct inode *ip = (struct inode *)inode; 1449 struct smack_known *isp; 1450 1451 if (strcmp(name, XATTR_SMACK_SUFFIX) == 0) 1452 isp = smk_of_inode(inode); 1453 else { 1454 /* 1455 * The rest of the Smack xattrs are only on sockets. 1456 */ 1457 sbp = ip->i_sb; 1458 if (sbp->s_magic != SOCKFS_MAGIC) 1459 return -EOPNOTSUPP; 1460 1461 sock = SOCKET_I(ip); 1462 if (sock == NULL || sock->sk == NULL) 1463 return -EOPNOTSUPP; 1464 1465 ssp = sock->sk->sk_security; 1466 1467 if (strcmp(name, XATTR_SMACK_IPIN) == 0) 1468 isp = ssp->smk_in; 1469 else if (strcmp(name, XATTR_SMACK_IPOUT) == 0) 1470 isp = ssp->smk_out; 1471 else 1472 return -EOPNOTSUPP; 1473 } 1474 1475 if (alloc) { 1476 *buffer = kstrdup(isp->smk_known, GFP_KERNEL); 1477 if (*buffer == NULL) 1478 return -ENOMEM; 1479 } 1480 1481 return strlen(isp->smk_known); 1482 } 1483 1484 1485 /** 1486 * smack_inode_listsecurity - list the Smack attributes 1487 * @inode: the object 1488 * @buffer: where they go 1489 * @buffer_size: size of buffer 1490 */ 1491 static int smack_inode_listsecurity(struct inode *inode, char *buffer, 1492 size_t buffer_size) 1493 { 1494 int len = sizeof(XATTR_NAME_SMACK); 1495 1496 if (buffer != NULL && len <= buffer_size) 1497 memcpy(buffer, XATTR_NAME_SMACK, len); 1498 1499 return len; 1500 } 1501 1502 /** 1503 * smack_inode_getsecid - Extract inode's security id 1504 * @inode: inode to extract the info from 1505 * @secid: where result will be saved 1506 */ 1507 static void smack_inode_getsecid(struct inode *inode, u32 *secid) 1508 { 1509 struct smack_known *skp = smk_of_inode(inode); 1510 1511 *secid = skp->smk_secid; 1512 } 1513 1514 /* 1515 * File Hooks 1516 */ 1517 1518 /* 1519 * There is no smack_file_permission hook 1520 * 1521 * Should access checks be done on each read or write? 1522 * UNICOS and SELinux say yes. 1523 * Trusted Solaris, Trusted Irix, and just about everyone else says no. 1524 * 1525 * I'll say no for now. Smack does not do the frequent 1526 * label changing that SELinux does. 1527 */ 1528 1529 /** 1530 * smack_file_alloc_security - assign a file security blob 1531 * @file: the object 1532 * 1533 * The security blob for a file is a pointer to the master 1534 * label list, so no allocation is done. 1535 * 1536 * f_security is the owner security information. It 1537 * isn't used on file access checks, it's for send_sigio. 1538 * 1539 * Returns 0 1540 */ 1541 static int smack_file_alloc_security(struct file *file) 1542 { 1543 struct smack_known *skp = smk_of_current(); 1544 1545 file->f_security = skp; 1546 return 0; 1547 } 1548 1549 /** 1550 * smack_file_free_security - clear a file security blob 1551 * @file: the object 1552 * 1553 * The security blob for a file is a pointer to the master 1554 * label list, so no memory is freed. 1555 */ 1556 static void smack_file_free_security(struct file *file) 1557 { 1558 file->f_security = NULL; 1559 } 1560 1561 /** 1562 * smack_file_ioctl - Smack check on ioctls 1563 * @file: the object 1564 * @cmd: what to do 1565 * @arg: unused 1566 * 1567 * Relies heavily on the correct use of the ioctl command conventions. 1568 * 1569 * Returns 0 if allowed, error code otherwise 1570 */ 1571 static int smack_file_ioctl(struct file *file, unsigned int cmd, 1572 unsigned long arg) 1573 { 1574 int rc = 0; 1575 struct smk_audit_info ad; 1576 struct inode *inode = file_inode(file); 1577 1578 if (unlikely(IS_PRIVATE(inode))) 1579 return 0; 1580 1581 smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_PATH); 1582 smk_ad_setfield_u_fs_path(&ad, file->f_path); 1583 1584 if (_IOC_DIR(cmd) & _IOC_WRITE) { 1585 rc = smk_curacc(smk_of_inode(inode), MAY_WRITE, &ad); 1586 rc = smk_bu_file(file, MAY_WRITE, rc); 1587 } 1588 1589 if (rc == 0 && (_IOC_DIR(cmd) & _IOC_READ)) { 1590 rc = smk_curacc(smk_of_inode(inode), MAY_READ, &ad); 1591 rc = smk_bu_file(file, MAY_READ, rc); 1592 } 1593 1594 return rc; 1595 } 1596 1597 /** 1598 * smack_file_lock - Smack check on file locking 1599 * @file: the object 1600 * @cmd: unused 1601 * 1602 * Returns 0 if current has lock access, error code otherwise 1603 */ 1604 static int smack_file_lock(struct file *file, unsigned int cmd) 1605 { 1606 struct smk_audit_info ad; 1607 int rc; 1608 struct inode *inode = file_inode(file); 1609 1610 if (unlikely(IS_PRIVATE(inode))) 1611 return 0; 1612 1613 smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_PATH); 1614 smk_ad_setfield_u_fs_path(&ad, file->f_path); 1615 rc = smk_curacc(smk_of_inode(inode), MAY_LOCK, &ad); 1616 rc = smk_bu_file(file, MAY_LOCK, rc); 1617 return rc; 1618 } 1619 1620 /** 1621 * smack_file_fcntl - Smack check on fcntl 1622 * @file: the object 1623 * @cmd: what action to check 1624 * @arg: unused 1625 * 1626 * Generally these operations are harmless. 1627 * File locking operations present an obvious mechanism 1628 * for passing information, so they require write access. 1629 * 1630 * Returns 0 if current has access, error code otherwise 1631 */ 1632 static int smack_file_fcntl(struct file *file, unsigned int cmd, 1633 unsigned long arg) 1634 { 1635 struct smk_audit_info ad; 1636 int rc = 0; 1637 struct inode *inode = file_inode(file); 1638 1639 if (unlikely(IS_PRIVATE(inode))) 1640 return 0; 1641 1642 switch (cmd) { 1643 case F_GETLK: 1644 break; 1645 case F_SETLK: 1646 case F_SETLKW: 1647 smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_PATH); 1648 smk_ad_setfield_u_fs_path(&ad, file->f_path); 1649 rc = smk_curacc(smk_of_inode(inode), MAY_LOCK, &ad); 1650 rc = smk_bu_file(file, MAY_LOCK, rc); 1651 break; 1652 case F_SETOWN: 1653 case F_SETSIG: 1654 smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_PATH); 1655 smk_ad_setfield_u_fs_path(&ad, file->f_path); 1656 rc = smk_curacc(smk_of_inode(inode), MAY_WRITE, &ad); 1657 rc = smk_bu_file(file, MAY_WRITE, rc); 1658 break; 1659 default: 1660 break; 1661 } 1662 1663 return rc; 1664 } 1665 1666 /** 1667 * smack_mmap_file : 1668 * Check permissions for a mmap operation. The @file may be NULL, e.g. 1669 * if mapping anonymous memory. 1670 * @file contains the file structure for file to map (may be NULL). 1671 * @reqprot contains the protection requested by the application. 1672 * @prot contains the protection that will be applied by the kernel. 1673 * @flags contains the operational flags. 1674 * Return 0 if permission is granted. 1675 */ 1676 static int smack_mmap_file(struct file *file, 1677 unsigned long reqprot, unsigned long prot, 1678 unsigned long flags) 1679 { 1680 struct smack_known *skp; 1681 struct smack_known *mkp; 1682 struct smack_rule *srp; 1683 struct task_smack *tsp; 1684 struct smack_known *okp; 1685 struct inode_smack *isp; 1686 struct superblock_smack *sbsp; 1687 int may; 1688 int mmay; 1689 int tmay; 1690 int rc; 1691 1692 if (file == NULL) 1693 return 0; 1694 1695 if (unlikely(IS_PRIVATE(file_inode(file)))) 1696 return 0; 1697 1698 isp = file_inode(file)->i_security; 1699 if (isp->smk_mmap == NULL) 1700 return 0; 1701 sbsp = file_inode(file)->i_sb->s_security; 1702 if (sbsp->smk_flags & SMK_SB_UNTRUSTED && 1703 isp->smk_mmap != sbsp->smk_root) 1704 return -EACCES; 1705 mkp = isp->smk_mmap; 1706 1707 tsp = current_security(); 1708 skp = smk_of_current(); 1709 rc = 0; 1710 1711 rcu_read_lock(); 1712 /* 1713 * For each Smack rule associated with the subject 1714 * label verify that the SMACK64MMAP also has access 1715 * to that rule's object label. 1716 */ 1717 list_for_each_entry_rcu(srp, &skp->smk_rules, list) { 1718 okp = srp->smk_object; 1719 /* 1720 * Matching labels always allows access. 1721 */ 1722 if (mkp->smk_known == okp->smk_known) 1723 continue; 1724 /* 1725 * If there is a matching local rule take 1726 * that into account as well. 1727 */ 1728 may = smk_access_entry(srp->smk_subject->smk_known, 1729 okp->smk_known, 1730 &tsp->smk_rules); 1731 if (may == -ENOENT) 1732 may = srp->smk_access; 1733 else 1734 may &= srp->smk_access; 1735 /* 1736 * If may is zero the SMACK64MMAP subject can't 1737 * possibly have less access. 1738 */ 1739 if (may == 0) 1740 continue; 1741 1742 /* 1743 * Fetch the global list entry. 1744 * If there isn't one a SMACK64MMAP subject 1745 * can't have as much access as current. 1746 */ 1747 mmay = smk_access_entry(mkp->smk_known, okp->smk_known, 1748 &mkp->smk_rules); 1749 if (mmay == -ENOENT) { 1750 rc = -EACCES; 1751 break; 1752 } 1753 /* 1754 * If there is a local entry it modifies the 1755 * potential access, too. 1756 */ 1757 tmay = smk_access_entry(mkp->smk_known, okp->smk_known, 1758 &tsp->smk_rules); 1759 if (tmay != -ENOENT) 1760 mmay &= tmay; 1761 1762 /* 1763 * If there is any access available to current that is 1764 * not available to a SMACK64MMAP subject 1765 * deny access. 1766 */ 1767 if ((may | mmay) != mmay) { 1768 rc = -EACCES; 1769 break; 1770 } 1771 } 1772 1773 rcu_read_unlock(); 1774 1775 return rc; 1776 } 1777 1778 /** 1779 * smack_file_set_fowner - set the file security blob value 1780 * @file: object in question 1781 * 1782 */ 1783 static void smack_file_set_fowner(struct file *file) 1784 { 1785 file->f_security = smk_of_current(); 1786 } 1787 1788 /** 1789 * smack_file_send_sigiotask - Smack on sigio 1790 * @tsk: The target task 1791 * @fown: the object the signal come from 1792 * @signum: unused 1793 * 1794 * Allow a privileged task to get signals even if it shouldn't 1795 * 1796 * Returns 0 if a subject with the object's smack could 1797 * write to the task, an error code otherwise. 1798 */ 1799 static int smack_file_send_sigiotask(struct task_struct *tsk, 1800 struct fown_struct *fown, int signum) 1801 { 1802 struct smack_known *skp; 1803 struct smack_known *tkp = smk_of_task(tsk->cred->security); 1804 const struct cred *tcred; 1805 struct file *file; 1806 int rc; 1807 struct smk_audit_info ad; 1808 1809 /* 1810 * struct fown_struct is never outside the context of a struct file 1811 */ 1812 file = container_of(fown, struct file, f_owner); 1813 1814 /* we don't log here as rc can be overriden */ 1815 skp = file->f_security; 1816 rc = smk_access(skp, tkp, MAY_DELIVER, NULL); 1817 rc = smk_bu_note("sigiotask", skp, tkp, MAY_DELIVER, rc); 1818 1819 rcu_read_lock(); 1820 tcred = __task_cred(tsk); 1821 if (rc != 0 && smack_privileged_cred(CAP_MAC_OVERRIDE, tcred)) 1822 rc = 0; 1823 rcu_read_unlock(); 1824 1825 smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_TASK); 1826 smk_ad_setfield_u_tsk(&ad, tsk); 1827 smack_log(skp->smk_known, tkp->smk_known, MAY_DELIVER, rc, &ad); 1828 return rc; 1829 } 1830 1831 /** 1832 * smack_file_receive - Smack file receive check 1833 * @file: the object 1834 * 1835 * Returns 0 if current has access, error code otherwise 1836 */ 1837 static int smack_file_receive(struct file *file) 1838 { 1839 int rc; 1840 int may = 0; 1841 struct smk_audit_info ad; 1842 struct inode *inode = file_inode(file); 1843 struct socket *sock; 1844 struct task_smack *tsp; 1845 struct socket_smack *ssp; 1846 1847 if (unlikely(IS_PRIVATE(inode))) 1848 return 0; 1849 1850 smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_PATH); 1851 smk_ad_setfield_u_fs_path(&ad, file->f_path); 1852 1853 if (inode->i_sb->s_magic == SOCKFS_MAGIC) { 1854 sock = SOCKET_I(inode); 1855 ssp = sock->sk->sk_security; 1856 tsp = current_security(); 1857 /* 1858 * If the receiving process can't write to the 1859 * passed socket or if the passed socket can't 1860 * write to the receiving process don't accept 1861 * the passed socket. 1862 */ 1863 rc = smk_access(tsp->smk_task, ssp->smk_out, MAY_WRITE, &ad); 1864 rc = smk_bu_file(file, may, rc); 1865 if (rc < 0) 1866 return rc; 1867 rc = smk_access(ssp->smk_in, tsp->smk_task, MAY_WRITE, &ad); 1868 rc = smk_bu_file(file, may, rc); 1869 return rc; 1870 } 1871 /* 1872 * This code relies on bitmasks. 1873 */ 1874 if (file->f_mode & FMODE_READ) 1875 may = MAY_READ; 1876 if (file->f_mode & FMODE_WRITE) 1877 may |= MAY_WRITE; 1878 1879 rc = smk_curacc(smk_of_inode(inode), may, &ad); 1880 rc = smk_bu_file(file, may, rc); 1881 return rc; 1882 } 1883 1884 /** 1885 * smack_file_open - Smack dentry open processing 1886 * @file: the object 1887 * @cred: task credential 1888 * 1889 * Set the security blob in the file structure. 1890 * Allow the open only if the task has read access. There are 1891 * many read operations (e.g. fstat) that you can do with an 1892 * fd even if you have the file open write-only. 1893 * 1894 * Returns 0 1895 */ 1896 static int smack_file_open(struct file *file) 1897 { 1898 struct task_smack *tsp = file->f_cred->security; 1899 struct inode *inode = file_inode(file); 1900 struct smk_audit_info ad; 1901 int rc; 1902 1903 smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_PATH); 1904 smk_ad_setfield_u_fs_path(&ad, file->f_path); 1905 rc = smk_tskacc(tsp, smk_of_inode(inode), MAY_READ, &ad); 1906 rc = smk_bu_credfile(file->f_cred, file, MAY_READ, rc); 1907 1908 return rc; 1909 } 1910 1911 /* 1912 * Task hooks 1913 */ 1914 1915 /** 1916 * smack_cred_alloc_blank - "allocate" blank task-level security credentials 1917 * @new: the new credentials 1918 * @gfp: the atomicity of any memory allocations 1919 * 1920 * Prepare a blank set of credentials for modification. This must allocate all 1921 * the memory the LSM module might require such that cred_transfer() can 1922 * complete without error. 1923 */ 1924 static int smack_cred_alloc_blank(struct cred *cred, gfp_t gfp) 1925 { 1926 struct task_smack *tsp; 1927 1928 tsp = new_task_smack(NULL, NULL, gfp); 1929 if (tsp == NULL) 1930 return -ENOMEM; 1931 1932 cred->security = tsp; 1933 1934 return 0; 1935 } 1936 1937 1938 /** 1939 * smack_cred_free - "free" task-level security credentials 1940 * @cred: the credentials in question 1941 * 1942 */ 1943 static void smack_cred_free(struct cred *cred) 1944 { 1945 struct task_smack *tsp = cred->security; 1946 struct smack_rule *rp; 1947 struct list_head *l; 1948 struct list_head *n; 1949 1950 if (tsp == NULL) 1951 return; 1952 cred->security = NULL; 1953 1954 smk_destroy_label_list(&tsp->smk_relabel); 1955 1956 list_for_each_safe(l, n, &tsp->smk_rules) { 1957 rp = list_entry(l, struct smack_rule, list); 1958 list_del(&rp->list); 1959 kfree(rp); 1960 } 1961 kfree(tsp); 1962 } 1963 1964 /** 1965 * smack_cred_prepare - prepare new set of credentials for modification 1966 * @new: the new credentials 1967 * @old: the original credentials 1968 * @gfp: the atomicity of any memory allocations 1969 * 1970 * Prepare a new set of credentials for modification. 1971 */ 1972 static int smack_cred_prepare(struct cred *new, const struct cred *old, 1973 gfp_t gfp) 1974 { 1975 struct task_smack *old_tsp = old->security; 1976 struct task_smack *new_tsp; 1977 int rc; 1978 1979 new_tsp = new_task_smack(old_tsp->smk_task, old_tsp->smk_task, gfp); 1980 if (new_tsp == NULL) 1981 return -ENOMEM; 1982 1983 new->security = new_tsp; 1984 1985 rc = smk_copy_rules(&new_tsp->smk_rules, &old_tsp->smk_rules, gfp); 1986 if (rc != 0) 1987 return rc; 1988 1989 rc = smk_copy_relabel(&new_tsp->smk_relabel, &old_tsp->smk_relabel, 1990 gfp); 1991 if (rc != 0) 1992 return rc; 1993 1994 return 0; 1995 } 1996 1997 /** 1998 * smack_cred_transfer - Transfer the old credentials to the new credentials 1999 * @new: the new credentials 2000 * @old: the original credentials 2001 * 2002 * Fill in a set of blank credentials from another set of credentials. 2003 */ 2004 static void smack_cred_transfer(struct cred *new, const struct cred *old) 2005 { 2006 struct task_smack *old_tsp = old->security; 2007 struct task_smack *new_tsp = new->security; 2008 2009 new_tsp->smk_task = old_tsp->smk_task; 2010 new_tsp->smk_forked = old_tsp->smk_task; 2011 mutex_init(&new_tsp->smk_rules_lock); 2012 INIT_LIST_HEAD(&new_tsp->smk_rules); 2013 2014 2015 /* cbs copy rule list */ 2016 } 2017 2018 /** 2019 * smack_cred_getsecid - get the secid corresponding to a creds structure 2020 * @c: the object creds 2021 * @secid: where to put the result 2022 * 2023 * Sets the secid to contain a u32 version of the smack label. 2024 */ 2025 static void smack_cred_getsecid(const struct cred *c, u32 *secid) 2026 { 2027 struct smack_known *skp; 2028 2029 rcu_read_lock(); 2030 skp = smk_of_task(c->security); 2031 *secid = skp->smk_secid; 2032 rcu_read_unlock(); 2033 } 2034 2035 /** 2036 * smack_kernel_act_as - Set the subjective context in a set of credentials 2037 * @new: points to the set of credentials to be modified. 2038 * @secid: specifies the security ID to be set 2039 * 2040 * Set the security data for a kernel service. 2041 */ 2042 static int smack_kernel_act_as(struct cred *new, u32 secid) 2043 { 2044 struct task_smack *new_tsp = new->security; 2045 2046 new_tsp->smk_task = smack_from_secid(secid); 2047 return 0; 2048 } 2049 2050 /** 2051 * smack_kernel_create_files_as - Set the file creation label in a set of creds 2052 * @new: points to the set of credentials to be modified 2053 * @inode: points to the inode to use as a reference 2054 * 2055 * Set the file creation context in a set of credentials to the same 2056 * as the objective context of the specified inode 2057 */ 2058 static int smack_kernel_create_files_as(struct cred *new, 2059 struct inode *inode) 2060 { 2061 struct inode_smack *isp = inode->i_security; 2062 struct task_smack *tsp = new->security; 2063 2064 tsp->smk_forked = isp->smk_inode; 2065 tsp->smk_task = tsp->smk_forked; 2066 return 0; 2067 } 2068 2069 /** 2070 * smk_curacc_on_task - helper to log task related access 2071 * @p: the task object 2072 * @access: the access requested 2073 * @caller: name of the calling function for audit 2074 * 2075 * Return 0 if access is permitted 2076 */ 2077 static int smk_curacc_on_task(struct task_struct *p, int access, 2078 const char *caller) 2079 { 2080 struct smk_audit_info ad; 2081 struct smack_known *skp = smk_of_task_struct(p); 2082 int rc; 2083 2084 smk_ad_init(&ad, caller, LSM_AUDIT_DATA_TASK); 2085 smk_ad_setfield_u_tsk(&ad, p); 2086 rc = smk_curacc(skp, access, &ad); 2087 rc = smk_bu_task(p, access, rc); 2088 return rc; 2089 } 2090 2091 /** 2092 * smack_task_setpgid - Smack check on setting pgid 2093 * @p: the task object 2094 * @pgid: unused 2095 * 2096 * Return 0 if write access is permitted 2097 */ 2098 static int smack_task_setpgid(struct task_struct *p, pid_t pgid) 2099 { 2100 return smk_curacc_on_task(p, MAY_WRITE, __func__); 2101 } 2102 2103 /** 2104 * smack_task_getpgid - Smack access check for getpgid 2105 * @p: the object task 2106 * 2107 * Returns 0 if current can read the object task, error code otherwise 2108 */ 2109 static int smack_task_getpgid(struct task_struct *p) 2110 { 2111 return smk_curacc_on_task(p, MAY_READ, __func__); 2112 } 2113 2114 /** 2115 * smack_task_getsid - Smack access check for getsid 2116 * @p: the object task 2117 * 2118 * Returns 0 if current can read the object task, error code otherwise 2119 */ 2120 static int smack_task_getsid(struct task_struct *p) 2121 { 2122 return smk_curacc_on_task(p, MAY_READ, __func__); 2123 } 2124 2125 /** 2126 * smack_task_getsecid - get the secid of the task 2127 * @p: the object task 2128 * @secid: where to put the result 2129 * 2130 * Sets the secid to contain a u32 version of the smack label. 2131 */ 2132 static void smack_task_getsecid(struct task_struct *p, u32 *secid) 2133 { 2134 struct smack_known *skp = smk_of_task_struct(p); 2135 2136 *secid = skp->smk_secid; 2137 } 2138 2139 /** 2140 * smack_task_setnice - Smack check on setting nice 2141 * @p: the task object 2142 * @nice: unused 2143 * 2144 * Return 0 if write access is permitted 2145 */ 2146 static int smack_task_setnice(struct task_struct *p, int nice) 2147 { 2148 return smk_curacc_on_task(p, MAY_WRITE, __func__); 2149 } 2150 2151 /** 2152 * smack_task_setioprio - Smack check on setting ioprio 2153 * @p: the task object 2154 * @ioprio: unused 2155 * 2156 * Return 0 if write access is permitted 2157 */ 2158 static int smack_task_setioprio(struct task_struct *p, int ioprio) 2159 { 2160 return smk_curacc_on_task(p, MAY_WRITE, __func__); 2161 } 2162 2163 /** 2164 * smack_task_getioprio - Smack check on reading ioprio 2165 * @p: the task object 2166 * 2167 * Return 0 if read access is permitted 2168 */ 2169 static int smack_task_getioprio(struct task_struct *p) 2170 { 2171 return smk_curacc_on_task(p, MAY_READ, __func__); 2172 } 2173 2174 /** 2175 * smack_task_setscheduler - Smack check on setting scheduler 2176 * @p: the task object 2177 * @policy: unused 2178 * @lp: unused 2179 * 2180 * Return 0 if read access is permitted 2181 */ 2182 static int smack_task_setscheduler(struct task_struct *p) 2183 { 2184 return smk_curacc_on_task(p, MAY_WRITE, __func__); 2185 } 2186 2187 /** 2188 * smack_task_getscheduler - Smack check on reading scheduler 2189 * @p: the task object 2190 * 2191 * Return 0 if read access is permitted 2192 */ 2193 static int smack_task_getscheduler(struct task_struct *p) 2194 { 2195 return smk_curacc_on_task(p, MAY_READ, __func__); 2196 } 2197 2198 /** 2199 * smack_task_movememory - Smack check on moving memory 2200 * @p: the task object 2201 * 2202 * Return 0 if write access is permitted 2203 */ 2204 static int smack_task_movememory(struct task_struct *p) 2205 { 2206 return smk_curacc_on_task(p, MAY_WRITE, __func__); 2207 } 2208 2209 /** 2210 * smack_task_kill - Smack check on signal delivery 2211 * @p: the task object 2212 * @info: unused 2213 * @sig: unused 2214 * @cred: identifies the cred to use in lieu of current's 2215 * 2216 * Return 0 if write access is permitted 2217 * 2218 */ 2219 static int smack_task_kill(struct task_struct *p, struct kernel_siginfo *info, 2220 int sig, const struct cred *cred) 2221 { 2222 struct smk_audit_info ad; 2223 struct smack_known *skp; 2224 struct smack_known *tkp = smk_of_task_struct(p); 2225 int rc; 2226 2227 if (!sig) 2228 return 0; /* null signal; existence test */ 2229 2230 smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_TASK); 2231 smk_ad_setfield_u_tsk(&ad, p); 2232 /* 2233 * Sending a signal requires that the sender 2234 * can write the receiver. 2235 */ 2236 if (cred == NULL) { 2237 rc = smk_curacc(tkp, MAY_DELIVER, &ad); 2238 rc = smk_bu_task(p, MAY_DELIVER, rc); 2239 return rc; 2240 } 2241 /* 2242 * If the cred isn't NULL we're dealing with some USB IO 2243 * specific behavior. This is not clean. For one thing 2244 * we can't take privilege into account. 2245 */ 2246 skp = smk_of_task(cred->security); 2247 rc = smk_access(skp, tkp, MAY_DELIVER, &ad); 2248 rc = smk_bu_note("USB signal", skp, tkp, MAY_DELIVER, rc); 2249 return rc; 2250 } 2251 2252 /** 2253 * smack_task_to_inode - copy task smack into the inode blob 2254 * @p: task to copy from 2255 * @inode: inode to copy to 2256 * 2257 * Sets the smack pointer in the inode security blob 2258 */ 2259 static void smack_task_to_inode(struct task_struct *p, struct inode *inode) 2260 { 2261 struct inode_smack *isp = inode->i_security; 2262 struct smack_known *skp = smk_of_task_struct(p); 2263 2264 isp->smk_inode = skp; 2265 isp->smk_flags |= SMK_INODE_INSTANT; 2266 } 2267 2268 /* 2269 * Socket hooks. 2270 */ 2271 2272 /** 2273 * smack_sk_alloc_security - Allocate a socket blob 2274 * @sk: the socket 2275 * @family: unused 2276 * @gfp_flags: memory allocation flags 2277 * 2278 * Assign Smack pointers to current 2279 * 2280 * Returns 0 on success, -ENOMEM is there's no memory 2281 */ 2282 static int smack_sk_alloc_security(struct sock *sk, int family, gfp_t gfp_flags) 2283 { 2284 struct smack_known *skp = smk_of_current(); 2285 struct socket_smack *ssp; 2286 2287 ssp = kzalloc(sizeof(struct socket_smack), gfp_flags); 2288 if (ssp == NULL) 2289 return -ENOMEM; 2290 2291 /* 2292 * Sockets created by kernel threads receive web label. 2293 */ 2294 if (unlikely(current->flags & PF_KTHREAD)) { 2295 ssp->smk_in = &smack_known_web; 2296 ssp->smk_out = &smack_known_web; 2297 } else { 2298 ssp->smk_in = skp; 2299 ssp->smk_out = skp; 2300 } 2301 ssp->smk_packet = NULL; 2302 2303 sk->sk_security = ssp; 2304 2305 return 0; 2306 } 2307 2308 /** 2309 * smack_sk_free_security - Free a socket blob 2310 * @sk: the socket 2311 * 2312 * Clears the blob pointer 2313 */ 2314 static void smack_sk_free_security(struct sock *sk) 2315 { 2316 #ifdef SMACK_IPV6_PORT_LABELING 2317 struct smk_port_label *spp; 2318 2319 if (sk->sk_family == PF_INET6) { 2320 rcu_read_lock(); 2321 list_for_each_entry_rcu(spp, &smk_ipv6_port_list, list) { 2322 if (spp->smk_sock != sk) 2323 continue; 2324 spp->smk_can_reuse = 1; 2325 break; 2326 } 2327 rcu_read_unlock(); 2328 } 2329 #endif 2330 kfree(sk->sk_security); 2331 } 2332 2333 /** 2334 * smack_ipv4host_label - check host based restrictions 2335 * @sip: the object end 2336 * 2337 * looks for host based access restrictions 2338 * 2339 * This version will only be appropriate for really small sets of single label 2340 * hosts. The caller is responsible for ensuring that the RCU read lock is 2341 * taken before calling this function. 2342 * 2343 * Returns the label of the far end or NULL if it's not special. 2344 */ 2345 static struct smack_known *smack_ipv4host_label(struct sockaddr_in *sip) 2346 { 2347 struct smk_net4addr *snp; 2348 struct in_addr *siap = &sip->sin_addr; 2349 2350 if (siap->s_addr == 0) 2351 return NULL; 2352 2353 list_for_each_entry_rcu(snp, &smk_net4addr_list, list) 2354 /* 2355 * we break after finding the first match because 2356 * the list is sorted from longest to shortest mask 2357 * so we have found the most specific match 2358 */ 2359 if (snp->smk_host.s_addr == 2360 (siap->s_addr & snp->smk_mask.s_addr)) 2361 return snp->smk_label; 2362 2363 return NULL; 2364 } 2365 2366 #if IS_ENABLED(CONFIG_IPV6) 2367 /* 2368 * smk_ipv6_localhost - Check for local ipv6 host address 2369 * @sip: the address 2370 * 2371 * Returns boolean true if this is the localhost address 2372 */ 2373 static bool smk_ipv6_localhost(struct sockaddr_in6 *sip) 2374 { 2375 __be16 *be16p = (__be16 *)&sip->sin6_addr; 2376 __be32 *be32p = (__be32 *)&sip->sin6_addr; 2377 2378 if (be32p[0] == 0 && be32p[1] == 0 && be32p[2] == 0 && be16p[6] == 0 && 2379 ntohs(be16p[7]) == 1) 2380 return true; 2381 return false; 2382 } 2383 2384 /** 2385 * smack_ipv6host_label - check host based restrictions 2386 * @sip: the object end 2387 * 2388 * looks for host based access restrictions 2389 * 2390 * This version will only be appropriate for really small sets of single label 2391 * hosts. The caller is responsible for ensuring that the RCU read lock is 2392 * taken before calling this function. 2393 * 2394 * Returns the label of the far end or NULL if it's not special. 2395 */ 2396 static struct smack_known *smack_ipv6host_label(struct sockaddr_in6 *sip) 2397 { 2398 struct smk_net6addr *snp; 2399 struct in6_addr *sap = &sip->sin6_addr; 2400 int i; 2401 int found = 0; 2402 2403 /* 2404 * It's local. Don't look for a host label. 2405 */ 2406 if (smk_ipv6_localhost(sip)) 2407 return NULL; 2408 2409 list_for_each_entry_rcu(snp, &smk_net6addr_list, list) { 2410 /* 2411 * If the label is NULL the entry has 2412 * been renounced. Ignore it. 2413 */ 2414 if (snp->smk_label == NULL) 2415 continue; 2416 /* 2417 * we break after finding the first match because 2418 * the list is sorted from longest to shortest mask 2419 * so we have found the most specific match 2420 */ 2421 for (found = 1, i = 0; i < 8; i++) { 2422 if ((sap->s6_addr16[i] & snp->smk_mask.s6_addr16[i]) != 2423 snp->smk_host.s6_addr16[i]) { 2424 found = 0; 2425 break; 2426 } 2427 } 2428 if (found) 2429 return snp->smk_label; 2430 } 2431 2432 return NULL; 2433 } 2434 #endif /* CONFIG_IPV6 */ 2435 2436 /** 2437 * smack_netlabel - Set the secattr on a socket 2438 * @sk: the socket 2439 * @labeled: socket label scheme 2440 * 2441 * Convert the outbound smack value (smk_out) to a 2442 * secattr and attach it to the socket. 2443 * 2444 * Returns 0 on success or an error code 2445 */ 2446 static int smack_netlabel(struct sock *sk, int labeled) 2447 { 2448 struct smack_known *skp; 2449 struct socket_smack *ssp = sk->sk_security; 2450 int rc = 0; 2451 2452 /* 2453 * Usually the netlabel code will handle changing the 2454 * packet labeling based on the label. 2455 * The case of a single label host is different, because 2456 * a single label host should never get a labeled packet 2457 * even though the label is usually associated with a packet 2458 * label. 2459 */ 2460 local_bh_disable(); 2461 bh_lock_sock_nested(sk); 2462 2463 if (ssp->smk_out == smack_net_ambient || 2464 labeled == SMACK_UNLABELED_SOCKET) 2465 netlbl_sock_delattr(sk); 2466 else { 2467 skp = ssp->smk_out; 2468 rc = netlbl_sock_setattr(sk, sk->sk_family, &skp->smk_netlabel); 2469 } 2470 2471 bh_unlock_sock(sk); 2472 local_bh_enable(); 2473 2474 return rc; 2475 } 2476 2477 /** 2478 * smack_netlbel_send - Set the secattr on a socket and perform access checks 2479 * @sk: the socket 2480 * @sap: the destination address 2481 * 2482 * Set the correct secattr for the given socket based on the destination 2483 * address and perform any outbound access checks needed. 2484 * 2485 * Returns 0 on success or an error code. 2486 * 2487 */ 2488 static int smack_netlabel_send(struct sock *sk, struct sockaddr_in *sap) 2489 { 2490 struct smack_known *skp; 2491 int rc; 2492 int sk_lbl; 2493 struct smack_known *hkp; 2494 struct socket_smack *ssp = sk->sk_security; 2495 struct smk_audit_info ad; 2496 2497 rcu_read_lock(); 2498 hkp = smack_ipv4host_label(sap); 2499 if (hkp != NULL) { 2500 #ifdef CONFIG_AUDIT 2501 struct lsm_network_audit net; 2502 2503 smk_ad_init_net(&ad, __func__, LSM_AUDIT_DATA_NET, &net); 2504 ad.a.u.net->family = sap->sin_family; 2505 ad.a.u.net->dport = sap->sin_port; 2506 ad.a.u.net->v4info.daddr = sap->sin_addr.s_addr; 2507 #endif 2508 sk_lbl = SMACK_UNLABELED_SOCKET; 2509 skp = ssp->smk_out; 2510 rc = smk_access(skp, hkp, MAY_WRITE, &ad); 2511 rc = smk_bu_note("IPv4 host check", skp, hkp, MAY_WRITE, rc); 2512 } else { 2513 sk_lbl = SMACK_CIPSO_SOCKET; 2514 rc = 0; 2515 } 2516 rcu_read_unlock(); 2517 if (rc != 0) 2518 return rc; 2519 2520 return smack_netlabel(sk, sk_lbl); 2521 } 2522 2523 #if IS_ENABLED(CONFIG_IPV6) 2524 /** 2525 * smk_ipv6_check - check Smack access 2526 * @subject: subject Smack label 2527 * @object: object Smack label 2528 * @address: address 2529 * @act: the action being taken 2530 * 2531 * Check an IPv6 access 2532 */ 2533 static int smk_ipv6_check(struct smack_known *subject, 2534 struct smack_known *object, 2535 struct sockaddr_in6 *address, int act) 2536 { 2537 #ifdef CONFIG_AUDIT 2538 struct lsm_network_audit net; 2539 #endif 2540 struct smk_audit_info ad; 2541 int rc; 2542 2543 #ifdef CONFIG_AUDIT 2544 smk_ad_init_net(&ad, __func__, LSM_AUDIT_DATA_NET, &net); 2545 ad.a.u.net->family = PF_INET6; 2546 ad.a.u.net->dport = ntohs(address->sin6_port); 2547 if (act == SMK_RECEIVING) 2548 ad.a.u.net->v6info.saddr = address->sin6_addr; 2549 else 2550 ad.a.u.net->v6info.daddr = address->sin6_addr; 2551 #endif 2552 rc = smk_access(subject, object, MAY_WRITE, &ad); 2553 rc = smk_bu_note("IPv6 check", subject, object, MAY_WRITE, rc); 2554 return rc; 2555 } 2556 #endif /* CONFIG_IPV6 */ 2557 2558 #ifdef SMACK_IPV6_PORT_LABELING 2559 /** 2560 * smk_ipv6_port_label - Smack port access table management 2561 * @sock: socket 2562 * @address: address 2563 * 2564 * Create or update the port list entry 2565 */ 2566 static void smk_ipv6_port_label(struct socket *sock, struct sockaddr *address) 2567 { 2568 struct sock *sk = sock->sk; 2569 struct sockaddr_in6 *addr6; 2570 struct socket_smack *ssp = sock->sk->sk_security; 2571 struct smk_port_label *spp; 2572 unsigned short port = 0; 2573 2574 if (address == NULL) { 2575 /* 2576 * This operation is changing the Smack information 2577 * on the bound socket. Take the changes to the port 2578 * as well. 2579 */ 2580 rcu_read_lock(); 2581 list_for_each_entry_rcu(spp, &smk_ipv6_port_list, list) { 2582 if (sk != spp->smk_sock) 2583 continue; 2584 spp->smk_in = ssp->smk_in; 2585 spp->smk_out = ssp->smk_out; 2586 rcu_read_unlock(); 2587 return; 2588 } 2589 /* 2590 * A NULL address is only used for updating existing 2591 * bound entries. If there isn't one, it's OK. 2592 */ 2593 rcu_read_unlock(); 2594 return; 2595 } 2596 2597 addr6 = (struct sockaddr_in6 *)address; 2598 port = ntohs(addr6->sin6_port); 2599 /* 2600 * This is a special case that is safely ignored. 2601 */ 2602 if (port == 0) 2603 return; 2604 2605 /* 2606 * Look for an existing port list entry. 2607 * This is an indication that a port is getting reused. 2608 */ 2609 rcu_read_lock(); 2610 list_for_each_entry_rcu(spp, &smk_ipv6_port_list, list) { 2611 if (spp->smk_port != port || spp->smk_sock_type != sock->type) 2612 continue; 2613 if (spp->smk_can_reuse != 1) { 2614 rcu_read_unlock(); 2615 return; 2616 } 2617 spp->smk_port = port; 2618 spp->smk_sock = sk; 2619 spp->smk_in = ssp->smk_in; 2620 spp->smk_out = ssp->smk_out; 2621 spp->smk_can_reuse = 0; 2622 rcu_read_unlock(); 2623 return; 2624 } 2625 rcu_read_unlock(); 2626 /* 2627 * A new port entry is required. 2628 */ 2629 spp = kzalloc(sizeof(*spp), GFP_KERNEL); 2630 if (spp == NULL) 2631 return; 2632 2633 spp->smk_port = port; 2634 spp->smk_sock = sk; 2635 spp->smk_in = ssp->smk_in; 2636 spp->smk_out = ssp->smk_out; 2637 spp->smk_sock_type = sock->type; 2638 spp->smk_can_reuse = 0; 2639 2640 mutex_lock(&smack_ipv6_lock); 2641 list_add_rcu(&spp->list, &smk_ipv6_port_list); 2642 mutex_unlock(&smack_ipv6_lock); 2643 return; 2644 } 2645 2646 /** 2647 * smk_ipv6_port_check - check Smack port access 2648 * @sock: socket 2649 * @address: address 2650 * 2651 * Create or update the port list entry 2652 */ 2653 static int smk_ipv6_port_check(struct sock *sk, struct sockaddr_in6 *address, 2654 int act) 2655 { 2656 struct smk_port_label *spp; 2657 struct socket_smack *ssp = sk->sk_security; 2658 struct smack_known *skp = NULL; 2659 unsigned short port; 2660 struct smack_known *object; 2661 2662 if (act == SMK_RECEIVING) { 2663 skp = smack_ipv6host_label(address); 2664 object = ssp->smk_in; 2665 } else { 2666 skp = ssp->smk_out; 2667 object = smack_ipv6host_label(address); 2668 } 2669 2670 /* 2671 * The other end is a single label host. 2672 */ 2673 if (skp != NULL && object != NULL) 2674 return smk_ipv6_check(skp, object, address, act); 2675 if (skp == NULL) 2676 skp = smack_net_ambient; 2677 if (object == NULL) 2678 object = smack_net_ambient; 2679 2680 /* 2681 * It's remote, so port lookup does no good. 2682 */ 2683 if (!smk_ipv6_localhost(address)) 2684 return smk_ipv6_check(skp, object, address, act); 2685 2686 /* 2687 * It's local so the send check has to have passed. 2688 */ 2689 if (act == SMK_RECEIVING) 2690 return 0; 2691 2692 port = ntohs(address->sin6_port); 2693 rcu_read_lock(); 2694 list_for_each_entry_rcu(spp, &smk_ipv6_port_list, list) { 2695 if (spp->smk_port != port || spp->smk_sock_type != sk->sk_type) 2696 continue; 2697 object = spp->smk_in; 2698 if (act == SMK_CONNECTING) 2699 ssp->smk_packet = spp->smk_out; 2700 break; 2701 } 2702 rcu_read_unlock(); 2703 2704 return smk_ipv6_check(skp, object, address, act); 2705 } 2706 #endif /* SMACK_IPV6_PORT_LABELING */ 2707 2708 /** 2709 * smack_inode_setsecurity - set smack xattrs 2710 * @inode: the object 2711 * @name: attribute name 2712 * @value: attribute value 2713 * @size: size of the attribute 2714 * @flags: unused 2715 * 2716 * Sets the named attribute in the appropriate blob 2717 * 2718 * Returns 0 on success, or an error code 2719 */ 2720 static int smack_inode_setsecurity(struct inode *inode, const char *name, 2721 const void *value, size_t size, int flags) 2722 { 2723 struct smack_known *skp; 2724 struct inode_smack *nsp = inode->i_security; 2725 struct socket_smack *ssp; 2726 struct socket *sock; 2727 int rc = 0; 2728 2729 if (value == NULL || size > SMK_LONGLABEL || size == 0) 2730 return -EINVAL; 2731 2732 skp = smk_import_entry(value, size); 2733 if (IS_ERR(skp)) 2734 return PTR_ERR(skp); 2735 2736 if (strcmp(name, XATTR_SMACK_SUFFIX) == 0) { 2737 nsp->smk_inode = skp; 2738 nsp->smk_flags |= SMK_INODE_INSTANT; 2739 return 0; 2740 } 2741 /* 2742 * The rest of the Smack xattrs are only on sockets. 2743 */ 2744 if (inode->i_sb->s_magic != SOCKFS_MAGIC) 2745 return -EOPNOTSUPP; 2746 2747 sock = SOCKET_I(inode); 2748 if (sock == NULL || sock->sk == NULL) 2749 return -EOPNOTSUPP; 2750 2751 ssp = sock->sk->sk_security; 2752 2753 if (strcmp(name, XATTR_SMACK_IPIN) == 0) 2754 ssp->smk_in = skp; 2755 else if (strcmp(name, XATTR_SMACK_IPOUT) == 0) { 2756 ssp->smk_out = skp; 2757 if (sock->sk->sk_family == PF_INET) { 2758 rc = smack_netlabel(sock->sk, SMACK_CIPSO_SOCKET); 2759 if (rc != 0) 2760 printk(KERN_WARNING 2761 "Smack: \"%s\" netlbl error %d.\n", 2762 __func__, -rc); 2763 } 2764 } else 2765 return -EOPNOTSUPP; 2766 2767 #ifdef SMACK_IPV6_PORT_LABELING 2768 if (sock->sk->sk_family == PF_INET6) 2769 smk_ipv6_port_label(sock, NULL); 2770 #endif 2771 2772 return 0; 2773 } 2774 2775 /** 2776 * smack_socket_post_create - finish socket setup 2777 * @sock: the socket 2778 * @family: protocol family 2779 * @type: unused 2780 * @protocol: unused 2781 * @kern: unused 2782 * 2783 * Sets the netlabel information on the socket 2784 * 2785 * Returns 0 on success, and error code otherwise 2786 */ 2787 static int smack_socket_post_create(struct socket *sock, int family, 2788 int type, int protocol, int kern) 2789 { 2790 struct socket_smack *ssp; 2791 2792 if (sock->sk == NULL) 2793 return 0; 2794 2795 /* 2796 * Sockets created by kernel threads receive web label. 2797 */ 2798 if (unlikely(current->flags & PF_KTHREAD)) { 2799 ssp = sock->sk->sk_security; 2800 ssp->smk_in = &smack_known_web; 2801 ssp->smk_out = &smack_known_web; 2802 } 2803 2804 if (family != PF_INET) 2805 return 0; 2806 /* 2807 * Set the outbound netlbl. 2808 */ 2809 return smack_netlabel(sock->sk, SMACK_CIPSO_SOCKET); 2810 } 2811 2812 /** 2813 * smack_socket_socketpair - create socket pair 2814 * @socka: one socket 2815 * @sockb: another socket 2816 * 2817 * Cross reference the peer labels for SO_PEERSEC 2818 * 2819 * Returns 0 on success, and error code otherwise 2820 */ 2821 static int smack_socket_socketpair(struct socket *socka, 2822 struct socket *sockb) 2823 { 2824 struct socket_smack *asp = socka->sk->sk_security; 2825 struct socket_smack *bsp = sockb->sk->sk_security; 2826 2827 asp->smk_packet = bsp->smk_out; 2828 bsp->smk_packet = asp->smk_out; 2829 2830 return 0; 2831 } 2832 2833 #ifdef SMACK_IPV6_PORT_LABELING 2834 /** 2835 * smack_socket_bind - record port binding information. 2836 * @sock: the socket 2837 * @address: the port address 2838 * @addrlen: size of the address 2839 * 2840 * Records the label bound to a port. 2841 * 2842 * Returns 0 2843 */ 2844 static int smack_socket_bind(struct socket *sock, struct sockaddr *address, 2845 int addrlen) 2846 { 2847 if (sock->sk != NULL && sock->sk->sk_family == PF_INET6) 2848 smk_ipv6_port_label(sock, address); 2849 return 0; 2850 } 2851 #endif /* SMACK_IPV6_PORT_LABELING */ 2852 2853 /** 2854 * smack_socket_connect - connect access check 2855 * @sock: the socket 2856 * @sap: the other end 2857 * @addrlen: size of sap 2858 * 2859 * Verifies that a connection may be possible 2860 * 2861 * Returns 0 on success, and error code otherwise 2862 */ 2863 static int smack_socket_connect(struct socket *sock, struct sockaddr *sap, 2864 int addrlen) 2865 { 2866 int rc = 0; 2867 #if IS_ENABLED(CONFIG_IPV6) 2868 struct sockaddr_in6 *sip = (struct sockaddr_in6 *)sap; 2869 #endif 2870 #ifdef SMACK_IPV6_SECMARK_LABELING 2871 struct smack_known *rsp; 2872 struct socket_smack *ssp; 2873 #endif 2874 2875 if (sock->sk == NULL) 2876 return 0; 2877 2878 #ifdef SMACK_IPV6_SECMARK_LABELING 2879 ssp = sock->sk->sk_security; 2880 #endif 2881 2882 switch (sock->sk->sk_family) { 2883 case PF_INET: 2884 if (addrlen < sizeof(struct sockaddr_in)) 2885 return -EINVAL; 2886 rc = smack_netlabel_send(sock->sk, (struct sockaddr_in *)sap); 2887 break; 2888 case PF_INET6: 2889 if (addrlen < sizeof(struct sockaddr_in6)) 2890 return -EINVAL; 2891 #ifdef SMACK_IPV6_SECMARK_LABELING 2892 rsp = smack_ipv6host_label(sip); 2893 if (rsp != NULL) 2894 rc = smk_ipv6_check(ssp->smk_out, rsp, sip, 2895 SMK_CONNECTING); 2896 #endif 2897 #ifdef SMACK_IPV6_PORT_LABELING 2898 rc = smk_ipv6_port_check(sock->sk, sip, SMK_CONNECTING); 2899 #endif 2900 break; 2901 } 2902 return rc; 2903 } 2904 2905 /** 2906 * smack_flags_to_may - convert S_ to MAY_ values 2907 * @flags: the S_ value 2908 * 2909 * Returns the equivalent MAY_ value 2910 */ 2911 static int smack_flags_to_may(int flags) 2912 { 2913 int may = 0; 2914 2915 if (flags & S_IRUGO) 2916 may |= MAY_READ; 2917 if (flags & S_IWUGO) 2918 may |= MAY_WRITE; 2919 if (flags & S_IXUGO) 2920 may |= MAY_EXEC; 2921 2922 return may; 2923 } 2924 2925 /** 2926 * smack_msg_msg_alloc_security - Set the security blob for msg_msg 2927 * @msg: the object 2928 * 2929 * Returns 0 2930 */ 2931 static int smack_msg_msg_alloc_security(struct msg_msg *msg) 2932 { 2933 struct smack_known *skp = smk_of_current(); 2934 2935 msg->security = skp; 2936 return 0; 2937 } 2938 2939 /** 2940 * smack_msg_msg_free_security - Clear the security blob for msg_msg 2941 * @msg: the object 2942 * 2943 * Clears the blob pointer 2944 */ 2945 static void smack_msg_msg_free_security(struct msg_msg *msg) 2946 { 2947 msg->security = NULL; 2948 } 2949 2950 /** 2951 * smack_of_ipc - the smack pointer for the ipc 2952 * @isp: the object 2953 * 2954 * Returns a pointer to the smack value 2955 */ 2956 static struct smack_known *smack_of_ipc(struct kern_ipc_perm *isp) 2957 { 2958 return (struct smack_known *)isp->security; 2959 } 2960 2961 /** 2962 * smack_ipc_alloc_security - Set the security blob for ipc 2963 * @isp: the object 2964 * 2965 * Returns 0 2966 */ 2967 static int smack_ipc_alloc_security(struct kern_ipc_perm *isp) 2968 { 2969 struct smack_known *skp = smk_of_current(); 2970 2971 isp->security = skp; 2972 return 0; 2973 } 2974 2975 /** 2976 * smack_ipc_free_security - Clear the security blob for ipc 2977 * @isp: the object 2978 * 2979 * Clears the blob pointer 2980 */ 2981 static void smack_ipc_free_security(struct kern_ipc_perm *isp) 2982 { 2983 isp->security = NULL; 2984 } 2985 2986 /** 2987 * smk_curacc_shm : check if current has access on shm 2988 * @isp : the object 2989 * @access : access requested 2990 * 2991 * Returns 0 if current has the requested access, error code otherwise 2992 */ 2993 static int smk_curacc_shm(struct kern_ipc_perm *isp, int access) 2994 { 2995 struct smack_known *ssp = smack_of_ipc(isp); 2996 struct smk_audit_info ad; 2997 int rc; 2998 2999 #ifdef CONFIG_AUDIT 3000 smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_IPC); 3001 ad.a.u.ipc_id = isp->id; 3002 #endif 3003 rc = smk_curacc(ssp, access, &ad); 3004 rc = smk_bu_current("shm", ssp, access, rc); 3005 return rc; 3006 } 3007 3008 /** 3009 * smack_shm_associate - Smack access check for shm 3010 * @isp: the object 3011 * @shmflg: access requested 3012 * 3013 * Returns 0 if current has the requested access, error code otherwise 3014 */ 3015 static int smack_shm_associate(struct kern_ipc_perm *isp, int shmflg) 3016 { 3017 int may; 3018 3019 may = smack_flags_to_may(shmflg); 3020 return smk_curacc_shm(isp, may); 3021 } 3022 3023 /** 3024 * smack_shm_shmctl - Smack access check for shm 3025 * @isp: the object 3026 * @cmd: what it wants to do 3027 * 3028 * Returns 0 if current has the requested access, error code otherwise 3029 */ 3030 static int smack_shm_shmctl(struct kern_ipc_perm *isp, int cmd) 3031 { 3032 int may; 3033 3034 switch (cmd) { 3035 case IPC_STAT: 3036 case SHM_STAT: 3037 case SHM_STAT_ANY: 3038 may = MAY_READ; 3039 break; 3040 case IPC_SET: 3041 case SHM_LOCK: 3042 case SHM_UNLOCK: 3043 case IPC_RMID: 3044 may = MAY_READWRITE; 3045 break; 3046 case IPC_INFO: 3047 case SHM_INFO: 3048 /* 3049 * System level information. 3050 */ 3051 return 0; 3052 default: 3053 return -EINVAL; 3054 } 3055 return smk_curacc_shm(isp, may); 3056 } 3057 3058 /** 3059 * smack_shm_shmat - Smack access for shmat 3060 * @isp: the object 3061 * @shmaddr: unused 3062 * @shmflg: access requested 3063 * 3064 * Returns 0 if current has the requested access, error code otherwise 3065 */ 3066 static int smack_shm_shmat(struct kern_ipc_perm *ipc, char __user *shmaddr, 3067 int shmflg) 3068 { 3069 int may; 3070 3071 may = smack_flags_to_may(shmflg); 3072 return smk_curacc_shm(ipc, may); 3073 } 3074 3075 /** 3076 * smk_curacc_sem : check if current has access on sem 3077 * @isp : the object 3078 * @access : access requested 3079 * 3080 * Returns 0 if current has the requested access, error code otherwise 3081 */ 3082 static int smk_curacc_sem(struct kern_ipc_perm *isp, int access) 3083 { 3084 struct smack_known *ssp = smack_of_ipc(isp); 3085 struct smk_audit_info ad; 3086 int rc; 3087 3088 #ifdef CONFIG_AUDIT 3089 smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_IPC); 3090 ad.a.u.ipc_id = isp->id; 3091 #endif 3092 rc = smk_curacc(ssp, access, &ad); 3093 rc = smk_bu_current("sem", ssp, access, rc); 3094 return rc; 3095 } 3096 3097 /** 3098 * smack_sem_associate - Smack access check for sem 3099 * @isp: the object 3100 * @semflg: access requested 3101 * 3102 * Returns 0 if current has the requested access, error code otherwise 3103 */ 3104 static int smack_sem_associate(struct kern_ipc_perm *isp, int semflg) 3105 { 3106 int may; 3107 3108 may = smack_flags_to_may(semflg); 3109 return smk_curacc_sem(isp, may); 3110 } 3111 3112 /** 3113 * smack_sem_shmctl - Smack access check for sem 3114 * @isp: the object 3115 * @cmd: what it wants to do 3116 * 3117 * Returns 0 if current has the requested access, error code otherwise 3118 */ 3119 static int smack_sem_semctl(struct kern_ipc_perm *isp, int cmd) 3120 { 3121 int may; 3122 3123 switch (cmd) { 3124 case GETPID: 3125 case GETNCNT: 3126 case GETZCNT: 3127 case GETVAL: 3128 case GETALL: 3129 case IPC_STAT: 3130 case SEM_STAT: 3131 case SEM_STAT_ANY: 3132 may = MAY_READ; 3133 break; 3134 case SETVAL: 3135 case SETALL: 3136 case IPC_RMID: 3137 case IPC_SET: 3138 may = MAY_READWRITE; 3139 break; 3140 case IPC_INFO: 3141 case SEM_INFO: 3142 /* 3143 * System level information 3144 */ 3145 return 0; 3146 default: 3147 return -EINVAL; 3148 } 3149 3150 return smk_curacc_sem(isp, may); 3151 } 3152 3153 /** 3154 * smack_sem_semop - Smack checks of semaphore operations 3155 * @isp: the object 3156 * @sops: unused 3157 * @nsops: unused 3158 * @alter: unused 3159 * 3160 * Treated as read and write in all cases. 3161 * 3162 * Returns 0 if access is allowed, error code otherwise 3163 */ 3164 static int smack_sem_semop(struct kern_ipc_perm *isp, struct sembuf *sops, 3165 unsigned nsops, int alter) 3166 { 3167 return smk_curacc_sem(isp, MAY_READWRITE); 3168 } 3169 3170 /** 3171 * smk_curacc_msq : helper to check if current has access on msq 3172 * @isp : the msq 3173 * @access : access requested 3174 * 3175 * return 0 if current has access, error otherwise 3176 */ 3177 static int smk_curacc_msq(struct kern_ipc_perm *isp, int access) 3178 { 3179 struct smack_known *msp = smack_of_ipc(isp); 3180 struct smk_audit_info ad; 3181 int rc; 3182 3183 #ifdef CONFIG_AUDIT 3184 smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_IPC); 3185 ad.a.u.ipc_id = isp->id; 3186 #endif 3187 rc = smk_curacc(msp, access, &ad); 3188 rc = smk_bu_current("msq", msp, access, rc); 3189 return rc; 3190 } 3191 3192 /** 3193 * smack_msg_queue_associate - Smack access check for msg_queue 3194 * @isp: the object 3195 * @msqflg: access requested 3196 * 3197 * Returns 0 if current has the requested access, error code otherwise 3198 */ 3199 static int smack_msg_queue_associate(struct kern_ipc_perm *isp, int msqflg) 3200 { 3201 int may; 3202 3203 may = smack_flags_to_may(msqflg); 3204 return smk_curacc_msq(isp, may); 3205 } 3206 3207 /** 3208 * smack_msg_queue_msgctl - Smack access check for msg_queue 3209 * @isp: the object 3210 * @cmd: what it wants to do 3211 * 3212 * Returns 0 if current has the requested access, error code otherwise 3213 */ 3214 static int smack_msg_queue_msgctl(struct kern_ipc_perm *isp, int cmd) 3215 { 3216 int may; 3217 3218 switch (cmd) { 3219 case IPC_STAT: 3220 case MSG_STAT: 3221 case MSG_STAT_ANY: 3222 may = MAY_READ; 3223 break; 3224 case IPC_SET: 3225 case IPC_RMID: 3226 may = MAY_READWRITE; 3227 break; 3228 case IPC_INFO: 3229 case MSG_INFO: 3230 /* 3231 * System level information 3232 */ 3233 return 0; 3234 default: 3235 return -EINVAL; 3236 } 3237 3238 return smk_curacc_msq(isp, may); 3239 } 3240 3241 /** 3242 * smack_msg_queue_msgsnd - Smack access check for msg_queue 3243 * @isp: the object 3244 * @msg: unused 3245 * @msqflg: access requested 3246 * 3247 * Returns 0 if current has the requested access, error code otherwise 3248 */ 3249 static int smack_msg_queue_msgsnd(struct kern_ipc_perm *isp, struct msg_msg *msg, 3250 int msqflg) 3251 { 3252 int may; 3253 3254 may = smack_flags_to_may(msqflg); 3255 return smk_curacc_msq(isp, may); 3256 } 3257 3258 /** 3259 * smack_msg_queue_msgsnd - Smack access check for msg_queue 3260 * @isp: the object 3261 * @msg: unused 3262 * @target: unused 3263 * @type: unused 3264 * @mode: unused 3265 * 3266 * Returns 0 if current has read and write access, error code otherwise 3267 */ 3268 static int smack_msg_queue_msgrcv(struct kern_ipc_perm *isp, struct msg_msg *msg, 3269 struct task_struct *target, long type, int mode) 3270 { 3271 return smk_curacc_msq(isp, MAY_READWRITE); 3272 } 3273 3274 /** 3275 * smack_ipc_permission - Smack access for ipc_permission() 3276 * @ipp: the object permissions 3277 * @flag: access requested 3278 * 3279 * Returns 0 if current has read and write access, error code otherwise 3280 */ 3281 static int smack_ipc_permission(struct kern_ipc_perm *ipp, short flag) 3282 { 3283 struct smack_known *iskp = ipp->security; 3284 int may = smack_flags_to_may(flag); 3285 struct smk_audit_info ad; 3286 int rc; 3287 3288 #ifdef CONFIG_AUDIT 3289 smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_IPC); 3290 ad.a.u.ipc_id = ipp->id; 3291 #endif 3292 rc = smk_curacc(iskp, may, &ad); 3293 rc = smk_bu_current("svipc", iskp, may, rc); 3294 return rc; 3295 } 3296 3297 /** 3298 * smack_ipc_getsecid - Extract smack security id 3299 * @ipp: the object permissions 3300 * @secid: where result will be saved 3301 */ 3302 static void smack_ipc_getsecid(struct kern_ipc_perm *ipp, u32 *secid) 3303 { 3304 struct smack_known *iskp = ipp->security; 3305 3306 *secid = iskp->smk_secid; 3307 } 3308 3309 /** 3310 * smack_d_instantiate - Make sure the blob is correct on an inode 3311 * @opt_dentry: dentry where inode will be attached 3312 * @inode: the object 3313 * 3314 * Set the inode's security blob if it hasn't been done already. 3315 */ 3316 static void smack_d_instantiate(struct dentry *opt_dentry, struct inode *inode) 3317 { 3318 struct super_block *sbp; 3319 struct superblock_smack *sbsp; 3320 struct inode_smack *isp; 3321 struct smack_known *skp; 3322 struct smack_known *ckp = smk_of_current(); 3323 struct smack_known *final; 3324 char trattr[TRANS_TRUE_SIZE]; 3325 int transflag = 0; 3326 int rc; 3327 struct dentry *dp; 3328 3329 if (inode == NULL) 3330 return; 3331 3332 isp = inode->i_security; 3333 3334 mutex_lock(&isp->smk_lock); 3335 /* 3336 * If the inode is already instantiated 3337 * take the quick way out 3338 */ 3339 if (isp->smk_flags & SMK_INODE_INSTANT) 3340 goto unlockandout; 3341 3342 sbp = inode->i_sb; 3343 sbsp = sbp->s_security; 3344 /* 3345 * We're going to use the superblock default label 3346 * if there's no label on the file. 3347 */ 3348 final = sbsp->smk_default; 3349 3350 /* 3351 * If this is the root inode the superblock 3352 * may be in the process of initialization. 3353 * If that is the case use the root value out 3354 * of the superblock. 3355 */ 3356 if (opt_dentry->d_parent == opt_dentry) { 3357 switch (sbp->s_magic) { 3358 case CGROUP_SUPER_MAGIC: 3359 case CGROUP2_SUPER_MAGIC: 3360 /* 3361 * The cgroup filesystem is never mounted, 3362 * so there's no opportunity to set the mount 3363 * options. 3364 */ 3365 sbsp->smk_root = &smack_known_star; 3366 sbsp->smk_default = &smack_known_star; 3367 isp->smk_inode = sbsp->smk_root; 3368 break; 3369 case TMPFS_MAGIC: 3370 /* 3371 * What about shmem/tmpfs anonymous files with dentry 3372 * obtained from d_alloc_pseudo()? 3373 */ 3374 isp->smk_inode = smk_of_current(); 3375 break; 3376 case PIPEFS_MAGIC: 3377 isp->smk_inode = smk_of_current(); 3378 break; 3379 case SOCKFS_MAGIC: 3380 /* 3381 * Socket access is controlled by the socket 3382 * structures associated with the task involved. 3383 */ 3384 isp->smk_inode = &smack_known_star; 3385 break; 3386 default: 3387 isp->smk_inode = sbsp->smk_root; 3388 break; 3389 } 3390 isp->smk_flags |= SMK_INODE_INSTANT; 3391 goto unlockandout; 3392 } 3393 3394 /* 3395 * This is pretty hackish. 3396 * Casey says that we shouldn't have to do 3397 * file system specific code, but it does help 3398 * with keeping it simple. 3399 */ 3400 switch (sbp->s_magic) { 3401 case SMACK_MAGIC: 3402 case CGROUP_SUPER_MAGIC: 3403 case CGROUP2_SUPER_MAGIC: 3404 /* 3405 * Casey says that it's a little embarrassing 3406 * that the smack file system doesn't do 3407 * extended attributes. 3408 * 3409 * Cgroupfs is special 3410 */ 3411 final = &smack_known_star; 3412 break; 3413 case DEVPTS_SUPER_MAGIC: 3414 /* 3415 * devpts seems content with the label of the task. 3416 * Programs that change smack have to treat the 3417 * pty with respect. 3418 */ 3419 final = ckp; 3420 break; 3421 case PROC_SUPER_MAGIC: 3422 /* 3423 * Casey says procfs appears not to care. 3424 * The superblock default suffices. 3425 */ 3426 break; 3427 case TMPFS_MAGIC: 3428 /* 3429 * Device labels should come from the filesystem, 3430 * but watch out, because they're volitile, 3431 * getting recreated on every reboot. 3432 */ 3433 final = &smack_known_star; 3434 /* 3435 * Fall through. 3436 * 3437 * If a smack value has been set we want to use it, 3438 * but since tmpfs isn't giving us the opportunity 3439 * to set mount options simulate setting the 3440 * superblock default. 3441 */ 3442 default: 3443 /* 3444 * This isn't an understood special case. 3445 * Get the value from the xattr. 3446 */ 3447 3448 /* 3449 * UNIX domain sockets use lower level socket data. 3450 */ 3451 if (S_ISSOCK(inode->i_mode)) { 3452 final = &smack_known_star; 3453 break; 3454 } 3455 /* 3456 * No xattr support means, alas, no SMACK label. 3457 * Use the aforeapplied default. 3458 * It would be curious if the label of the task 3459 * does not match that assigned. 3460 */ 3461 if (!(inode->i_opflags & IOP_XATTR)) 3462 break; 3463 /* 3464 * Get the dentry for xattr. 3465 */ 3466 dp = dget(opt_dentry); 3467 skp = smk_fetch(XATTR_NAME_SMACK, inode, dp); 3468 if (!IS_ERR_OR_NULL(skp)) 3469 final = skp; 3470 3471 /* 3472 * Transmuting directory 3473 */ 3474 if (S_ISDIR(inode->i_mode)) { 3475 /* 3476 * If this is a new directory and the label was 3477 * transmuted when the inode was initialized 3478 * set the transmute attribute on the directory 3479 * and mark the inode. 3480 * 3481 * If there is a transmute attribute on the 3482 * directory mark the inode. 3483 */ 3484 if (isp->smk_flags & SMK_INODE_CHANGED) { 3485 isp->smk_flags &= ~SMK_INODE_CHANGED; 3486 rc = __vfs_setxattr(dp, inode, 3487 XATTR_NAME_SMACKTRANSMUTE, 3488 TRANS_TRUE, TRANS_TRUE_SIZE, 3489 0); 3490 } else { 3491 rc = __vfs_getxattr(dp, inode, 3492 XATTR_NAME_SMACKTRANSMUTE, trattr, 3493 TRANS_TRUE_SIZE); 3494 if (rc >= 0 && strncmp(trattr, TRANS_TRUE, 3495 TRANS_TRUE_SIZE) != 0) 3496 rc = -EINVAL; 3497 } 3498 if (rc >= 0) 3499 transflag = SMK_INODE_TRANSMUTE; 3500 } 3501 /* 3502 * Don't let the exec or mmap label be "*" or "@". 3503 */ 3504 skp = smk_fetch(XATTR_NAME_SMACKEXEC, inode, dp); 3505 if (IS_ERR(skp) || skp == &smack_known_star || 3506 skp == &smack_known_web) 3507 skp = NULL; 3508 isp->smk_task = skp; 3509 3510 skp = smk_fetch(XATTR_NAME_SMACKMMAP, inode, dp); 3511 if (IS_ERR(skp) || skp == &smack_known_star || 3512 skp == &smack_known_web) 3513 skp = NULL; 3514 isp->smk_mmap = skp; 3515 3516 dput(dp); 3517 break; 3518 } 3519 3520 if (final == NULL) 3521 isp->smk_inode = ckp; 3522 else 3523 isp->smk_inode = final; 3524 3525 isp->smk_flags |= (SMK_INODE_INSTANT | transflag); 3526 3527 unlockandout: 3528 mutex_unlock(&isp->smk_lock); 3529 return; 3530 } 3531 3532 /** 3533 * smack_getprocattr - Smack process attribute access 3534 * @p: the object task 3535 * @name: the name of the attribute in /proc/.../attr 3536 * @value: where to put the result 3537 * 3538 * Places a copy of the task Smack into value 3539 * 3540 * Returns the length of the smack label or an error code 3541 */ 3542 static int smack_getprocattr(struct task_struct *p, char *name, char **value) 3543 { 3544 struct smack_known *skp = smk_of_task_struct(p); 3545 char *cp; 3546 int slen; 3547 3548 if (strcmp(name, "current") != 0) 3549 return -EINVAL; 3550 3551 cp = kstrdup(skp->smk_known, GFP_KERNEL); 3552 if (cp == NULL) 3553 return -ENOMEM; 3554 3555 slen = strlen(cp); 3556 *value = cp; 3557 return slen; 3558 } 3559 3560 /** 3561 * smack_setprocattr - Smack process attribute setting 3562 * @name: the name of the attribute in /proc/.../attr 3563 * @value: the value to set 3564 * @size: the size of the value 3565 * 3566 * Sets the Smack value of the task. Only setting self 3567 * is permitted and only with privilege 3568 * 3569 * Returns the length of the smack label or an error code 3570 */ 3571 static int smack_setprocattr(const char *name, void *value, size_t size) 3572 { 3573 struct task_smack *tsp = current_security(); 3574 struct cred *new; 3575 struct smack_known *skp; 3576 struct smack_known_list_elem *sklep; 3577 int rc; 3578 3579 if (!smack_privileged(CAP_MAC_ADMIN) && list_empty(&tsp->smk_relabel)) 3580 return -EPERM; 3581 3582 if (value == NULL || size == 0 || size >= SMK_LONGLABEL) 3583 return -EINVAL; 3584 3585 if (strcmp(name, "current") != 0) 3586 return -EINVAL; 3587 3588 skp = smk_import_entry(value, size); 3589 if (IS_ERR(skp)) 3590 return PTR_ERR(skp); 3591 3592 /* 3593 * No process is ever allowed the web ("@") label 3594 * and the star ("*") label. 3595 */ 3596 if (skp == &smack_known_web || skp == &smack_known_star) 3597 return -EINVAL; 3598 3599 if (!smack_privileged(CAP_MAC_ADMIN)) { 3600 rc = -EPERM; 3601 list_for_each_entry(sklep, &tsp->smk_relabel, list) 3602 if (sklep->smk_label == skp) { 3603 rc = 0; 3604 break; 3605 } 3606 if (rc) 3607 return rc; 3608 } 3609 3610 new = prepare_creds(); 3611 if (new == NULL) 3612 return -ENOMEM; 3613 3614 tsp = new->security; 3615 tsp->smk_task = skp; 3616 /* 3617 * process can change its label only once 3618 */ 3619 smk_destroy_label_list(&tsp->smk_relabel); 3620 3621 commit_creds(new); 3622 return size; 3623 } 3624 3625 /** 3626 * smack_unix_stream_connect - Smack access on UDS 3627 * @sock: one sock 3628 * @other: the other sock 3629 * @newsk: unused 3630 * 3631 * Return 0 if a subject with the smack of sock could access 3632 * an object with the smack of other, otherwise an error code 3633 */ 3634 static int smack_unix_stream_connect(struct sock *sock, 3635 struct sock *other, struct sock *newsk) 3636 { 3637 struct smack_known *skp; 3638 struct smack_known *okp; 3639 struct socket_smack *ssp = sock->sk_security; 3640 struct socket_smack *osp = other->sk_security; 3641 struct socket_smack *nsp = newsk->sk_security; 3642 struct smk_audit_info ad; 3643 int rc = 0; 3644 #ifdef CONFIG_AUDIT 3645 struct lsm_network_audit net; 3646 #endif 3647 3648 if (!smack_privileged(CAP_MAC_OVERRIDE)) { 3649 skp = ssp->smk_out; 3650 okp = osp->smk_in; 3651 #ifdef CONFIG_AUDIT 3652 smk_ad_init_net(&ad, __func__, LSM_AUDIT_DATA_NET, &net); 3653 smk_ad_setfield_u_net_sk(&ad, other); 3654 #endif 3655 rc = smk_access(skp, okp, MAY_WRITE, &ad); 3656 rc = smk_bu_note("UDS connect", skp, okp, MAY_WRITE, rc); 3657 if (rc == 0) { 3658 okp = osp->smk_out; 3659 skp = ssp->smk_in; 3660 rc = smk_access(okp, skp, MAY_WRITE, &ad); 3661 rc = smk_bu_note("UDS connect", okp, skp, 3662 MAY_WRITE, rc); 3663 } 3664 } 3665 3666 /* 3667 * Cross reference the peer labels for SO_PEERSEC. 3668 */ 3669 if (rc == 0) { 3670 nsp->smk_packet = ssp->smk_out; 3671 ssp->smk_packet = osp->smk_out; 3672 } 3673 3674 return rc; 3675 } 3676 3677 /** 3678 * smack_unix_may_send - Smack access on UDS 3679 * @sock: one socket 3680 * @other: the other socket 3681 * 3682 * Return 0 if a subject with the smack of sock could access 3683 * an object with the smack of other, otherwise an error code 3684 */ 3685 static int smack_unix_may_send(struct socket *sock, struct socket *other) 3686 { 3687 struct socket_smack *ssp = sock->sk->sk_security; 3688 struct socket_smack *osp = other->sk->sk_security; 3689 struct smk_audit_info ad; 3690 int rc; 3691 3692 #ifdef CONFIG_AUDIT 3693 struct lsm_network_audit net; 3694 3695 smk_ad_init_net(&ad, __func__, LSM_AUDIT_DATA_NET, &net); 3696 smk_ad_setfield_u_net_sk(&ad, other->sk); 3697 #endif 3698 3699 if (smack_privileged(CAP_MAC_OVERRIDE)) 3700 return 0; 3701 3702 rc = smk_access(ssp->smk_out, osp->smk_in, MAY_WRITE, &ad); 3703 rc = smk_bu_note("UDS send", ssp->smk_out, osp->smk_in, MAY_WRITE, rc); 3704 return rc; 3705 } 3706 3707 /** 3708 * smack_socket_sendmsg - Smack check based on destination host 3709 * @sock: the socket 3710 * @msg: the message 3711 * @size: the size of the message 3712 * 3713 * Return 0 if the current subject can write to the destination host. 3714 * For IPv4 this is only a question if the destination is a single label host. 3715 * For IPv6 this is a check against the label of the port. 3716 */ 3717 static int smack_socket_sendmsg(struct socket *sock, struct msghdr *msg, 3718 int size) 3719 { 3720 struct sockaddr_in *sip = (struct sockaddr_in *) msg->msg_name; 3721 #if IS_ENABLED(CONFIG_IPV6) 3722 struct sockaddr_in6 *sap = (struct sockaddr_in6 *) msg->msg_name; 3723 #endif 3724 #ifdef SMACK_IPV6_SECMARK_LABELING 3725 struct socket_smack *ssp = sock->sk->sk_security; 3726 struct smack_known *rsp; 3727 #endif 3728 int rc = 0; 3729 3730 /* 3731 * Perfectly reasonable for this to be NULL 3732 */ 3733 if (sip == NULL) 3734 return 0; 3735 3736 switch (sock->sk->sk_family) { 3737 case AF_INET: 3738 rc = smack_netlabel_send(sock->sk, sip); 3739 break; 3740 case AF_INET6: 3741 #ifdef SMACK_IPV6_SECMARK_LABELING 3742 rsp = smack_ipv6host_label(sap); 3743 if (rsp != NULL) 3744 rc = smk_ipv6_check(ssp->smk_out, rsp, sap, 3745 SMK_CONNECTING); 3746 #endif 3747 #ifdef SMACK_IPV6_PORT_LABELING 3748 rc = smk_ipv6_port_check(sock->sk, sap, SMK_SENDING); 3749 #endif 3750 break; 3751 } 3752 return rc; 3753 } 3754 3755 /** 3756 * smack_from_secattr - Convert a netlabel attr.mls.lvl/attr.mls.cat pair to smack 3757 * @sap: netlabel secattr 3758 * @ssp: socket security information 3759 * 3760 * Returns a pointer to a Smack label entry found on the label list. 3761 */ 3762 static struct smack_known *smack_from_secattr(struct netlbl_lsm_secattr *sap, 3763 struct socket_smack *ssp) 3764 { 3765 struct smack_known *skp; 3766 int found = 0; 3767 int acat; 3768 int kcat; 3769 3770 if ((sap->flags & NETLBL_SECATTR_MLS_LVL) != 0) { 3771 /* 3772 * Looks like a CIPSO packet. 3773 * If there are flags but no level netlabel isn't 3774 * behaving the way we expect it to. 3775 * 3776 * Look it up in the label table 3777 * Without guidance regarding the smack value 3778 * for the packet fall back on the network 3779 * ambient value. 3780 */ 3781 rcu_read_lock(); 3782 list_for_each_entry_rcu(skp, &smack_known_list, list) { 3783 if (sap->attr.mls.lvl != skp->smk_netlabel.attr.mls.lvl) 3784 continue; 3785 /* 3786 * Compare the catsets. Use the netlbl APIs. 3787 */ 3788 if ((sap->flags & NETLBL_SECATTR_MLS_CAT) == 0) { 3789 if ((skp->smk_netlabel.flags & 3790 NETLBL_SECATTR_MLS_CAT) == 0) 3791 found = 1; 3792 break; 3793 } 3794 for (acat = -1, kcat = -1; acat == kcat; ) { 3795 acat = netlbl_catmap_walk(sap->attr.mls.cat, 3796 acat + 1); 3797 kcat = netlbl_catmap_walk( 3798 skp->smk_netlabel.attr.mls.cat, 3799 kcat + 1); 3800 if (acat < 0 || kcat < 0) 3801 break; 3802 } 3803 if (acat == kcat) { 3804 found = 1; 3805 break; 3806 } 3807 } 3808 rcu_read_unlock(); 3809 3810 if (found) 3811 return skp; 3812 3813 if (ssp != NULL && ssp->smk_in == &smack_known_star) 3814 return &smack_known_web; 3815 return &smack_known_star; 3816 } 3817 if ((sap->flags & NETLBL_SECATTR_SECID) != 0) 3818 /* 3819 * Looks like a fallback, which gives us a secid. 3820 */ 3821 return smack_from_secid(sap->attr.secid); 3822 /* 3823 * Without guidance regarding the smack value 3824 * for the packet fall back on the network 3825 * ambient value. 3826 */ 3827 return smack_net_ambient; 3828 } 3829 3830 #if IS_ENABLED(CONFIG_IPV6) 3831 static int smk_skb_to_addr_ipv6(struct sk_buff *skb, struct sockaddr_in6 *sip) 3832 { 3833 u8 nexthdr; 3834 int offset; 3835 int proto = -EINVAL; 3836 struct ipv6hdr _ipv6h; 3837 struct ipv6hdr *ip6; 3838 __be16 frag_off; 3839 struct tcphdr _tcph, *th; 3840 struct udphdr _udph, *uh; 3841 struct dccp_hdr _dccph, *dh; 3842 3843 sip->sin6_port = 0; 3844 3845 offset = skb_network_offset(skb); 3846 ip6 = skb_header_pointer(skb, offset, sizeof(_ipv6h), &_ipv6h); 3847 if (ip6 == NULL) 3848 return -EINVAL; 3849 sip->sin6_addr = ip6->saddr; 3850 3851 nexthdr = ip6->nexthdr; 3852 offset += sizeof(_ipv6h); 3853 offset = ipv6_skip_exthdr(skb, offset, &nexthdr, &frag_off); 3854 if (offset < 0) 3855 return -EINVAL; 3856 3857 proto = nexthdr; 3858 switch (proto) { 3859 case IPPROTO_TCP: 3860 th = skb_header_pointer(skb, offset, sizeof(_tcph), &_tcph); 3861 if (th != NULL) 3862 sip->sin6_port = th->source; 3863 break; 3864 case IPPROTO_UDP: 3865 case IPPROTO_UDPLITE: 3866 uh = skb_header_pointer(skb, offset, sizeof(_udph), &_udph); 3867 if (uh != NULL) 3868 sip->sin6_port = uh->source; 3869 break; 3870 case IPPROTO_DCCP: 3871 dh = skb_header_pointer(skb, offset, sizeof(_dccph), &_dccph); 3872 if (dh != NULL) 3873 sip->sin6_port = dh->dccph_sport; 3874 break; 3875 } 3876 return proto; 3877 } 3878 #endif /* CONFIG_IPV6 */ 3879 3880 /** 3881 * smack_socket_sock_rcv_skb - Smack packet delivery access check 3882 * @sk: socket 3883 * @skb: packet 3884 * 3885 * Returns 0 if the packet should be delivered, an error code otherwise 3886 */ 3887 static int smack_socket_sock_rcv_skb(struct sock *sk, struct sk_buff *skb) 3888 { 3889 struct netlbl_lsm_secattr secattr; 3890 struct socket_smack *ssp = sk->sk_security; 3891 struct smack_known *skp = NULL; 3892 int rc = 0; 3893 struct smk_audit_info ad; 3894 u16 family = sk->sk_family; 3895 #ifdef CONFIG_AUDIT 3896 struct lsm_network_audit net; 3897 #endif 3898 #if IS_ENABLED(CONFIG_IPV6) 3899 struct sockaddr_in6 sadd; 3900 int proto; 3901 3902 if (family == PF_INET6 && skb->protocol == htons(ETH_P_IP)) 3903 family = PF_INET; 3904 #endif /* CONFIG_IPV6 */ 3905 3906 switch (family) { 3907 case PF_INET: 3908 #ifdef CONFIG_SECURITY_SMACK_NETFILTER 3909 /* 3910 * If there is a secmark use it rather than the CIPSO label. 3911 * If there is no secmark fall back to CIPSO. 3912 * The secmark is assumed to reflect policy better. 3913 */ 3914 if (skb && skb->secmark != 0) { 3915 skp = smack_from_secid(skb->secmark); 3916 goto access_check; 3917 } 3918 #endif /* CONFIG_SECURITY_SMACK_NETFILTER */ 3919 /* 3920 * Translate what netlabel gave us. 3921 */ 3922 netlbl_secattr_init(&secattr); 3923 3924 rc = netlbl_skbuff_getattr(skb, family, &secattr); 3925 if (rc == 0) 3926 skp = smack_from_secattr(&secattr, ssp); 3927 else 3928 skp = smack_net_ambient; 3929 3930 netlbl_secattr_destroy(&secattr); 3931 3932 #ifdef CONFIG_SECURITY_SMACK_NETFILTER 3933 access_check: 3934 #endif 3935 #ifdef CONFIG_AUDIT 3936 smk_ad_init_net(&ad, __func__, LSM_AUDIT_DATA_NET, &net); 3937 ad.a.u.net->family = family; 3938 ad.a.u.net->netif = skb->skb_iif; 3939 ipv4_skb_to_auditdata(skb, &ad.a, NULL); 3940 #endif 3941 /* 3942 * Receiving a packet requires that the other end 3943 * be able to write here. Read access is not required. 3944 * This is the simplist possible security model 3945 * for networking. 3946 */ 3947 rc = smk_access(skp, ssp->smk_in, MAY_WRITE, &ad); 3948 rc = smk_bu_note("IPv4 delivery", skp, ssp->smk_in, 3949 MAY_WRITE, rc); 3950 if (rc != 0) 3951 netlbl_skbuff_err(skb, family, rc, 0); 3952 break; 3953 #if IS_ENABLED(CONFIG_IPV6) 3954 case PF_INET6: 3955 proto = smk_skb_to_addr_ipv6(skb, &sadd); 3956 if (proto != IPPROTO_UDP && proto != IPPROTO_UDPLITE && 3957 proto != IPPROTO_TCP && proto != IPPROTO_DCCP) 3958 break; 3959 #ifdef SMACK_IPV6_SECMARK_LABELING 3960 if (skb && skb->secmark != 0) 3961 skp = smack_from_secid(skb->secmark); 3962 else 3963 skp = smack_ipv6host_label(&sadd); 3964 if (skp == NULL) 3965 skp = smack_net_ambient; 3966 #ifdef CONFIG_AUDIT 3967 smk_ad_init_net(&ad, __func__, LSM_AUDIT_DATA_NET, &net); 3968 ad.a.u.net->family = family; 3969 ad.a.u.net->netif = skb->skb_iif; 3970 ipv6_skb_to_auditdata(skb, &ad.a, NULL); 3971 #endif /* CONFIG_AUDIT */ 3972 rc = smk_access(skp, ssp->smk_in, MAY_WRITE, &ad); 3973 rc = smk_bu_note("IPv6 delivery", skp, ssp->smk_in, 3974 MAY_WRITE, rc); 3975 #endif /* SMACK_IPV6_SECMARK_LABELING */ 3976 #ifdef SMACK_IPV6_PORT_LABELING 3977 rc = smk_ipv6_port_check(sk, &sadd, SMK_RECEIVING); 3978 #endif /* SMACK_IPV6_PORT_LABELING */ 3979 if (rc != 0) 3980 icmpv6_send(skb, ICMPV6_DEST_UNREACH, 3981 ICMPV6_ADM_PROHIBITED, 0); 3982 break; 3983 #endif /* CONFIG_IPV6 */ 3984 } 3985 3986 return rc; 3987 } 3988 3989 /** 3990 * smack_socket_getpeersec_stream - pull in packet label 3991 * @sock: the socket 3992 * @optval: user's destination 3993 * @optlen: size thereof 3994 * @len: max thereof 3995 * 3996 * returns zero on success, an error code otherwise 3997 */ 3998 static int smack_socket_getpeersec_stream(struct socket *sock, 3999 char __user *optval, 4000 int __user *optlen, unsigned len) 4001 { 4002 struct socket_smack *ssp; 4003 char *rcp = ""; 4004 int slen = 1; 4005 int rc = 0; 4006 4007 ssp = sock->sk->sk_security; 4008 if (ssp->smk_packet != NULL) { 4009 rcp = ssp->smk_packet->smk_known; 4010 slen = strlen(rcp) + 1; 4011 } 4012 4013 if (slen > len) 4014 rc = -ERANGE; 4015 else if (copy_to_user(optval, rcp, slen) != 0) 4016 rc = -EFAULT; 4017 4018 if (put_user(slen, optlen) != 0) 4019 rc = -EFAULT; 4020 4021 return rc; 4022 } 4023 4024 4025 /** 4026 * smack_socket_getpeersec_dgram - pull in packet label 4027 * @sock: the peer socket 4028 * @skb: packet data 4029 * @secid: pointer to where to put the secid of the packet 4030 * 4031 * Sets the netlabel socket state on sk from parent 4032 */ 4033 static int smack_socket_getpeersec_dgram(struct socket *sock, 4034 struct sk_buff *skb, u32 *secid) 4035 4036 { 4037 struct netlbl_lsm_secattr secattr; 4038 struct socket_smack *ssp = NULL; 4039 struct smack_known *skp; 4040 int family = PF_UNSPEC; 4041 u32 s = 0; /* 0 is the invalid secid */ 4042 int rc; 4043 4044 if (skb != NULL) { 4045 if (skb->protocol == htons(ETH_P_IP)) 4046 family = PF_INET; 4047 #if IS_ENABLED(CONFIG_IPV6) 4048 else if (skb->protocol == htons(ETH_P_IPV6)) 4049 family = PF_INET6; 4050 #endif /* CONFIG_IPV6 */ 4051 } 4052 if (family == PF_UNSPEC && sock != NULL) 4053 family = sock->sk->sk_family; 4054 4055 switch (family) { 4056 case PF_UNIX: 4057 ssp = sock->sk->sk_security; 4058 s = ssp->smk_out->smk_secid; 4059 break; 4060 case PF_INET: 4061 #ifdef CONFIG_SECURITY_SMACK_NETFILTER 4062 s = skb->secmark; 4063 if (s != 0) 4064 break; 4065 #endif 4066 /* 4067 * Translate what netlabel gave us. 4068 */ 4069 if (sock != NULL && sock->sk != NULL) 4070 ssp = sock->sk->sk_security; 4071 netlbl_secattr_init(&secattr); 4072 rc = netlbl_skbuff_getattr(skb, family, &secattr); 4073 if (rc == 0) { 4074 skp = smack_from_secattr(&secattr, ssp); 4075 s = skp->smk_secid; 4076 } 4077 netlbl_secattr_destroy(&secattr); 4078 break; 4079 case PF_INET6: 4080 #ifdef SMACK_IPV6_SECMARK_LABELING 4081 s = skb->secmark; 4082 #endif 4083 break; 4084 } 4085 *secid = s; 4086 if (s == 0) 4087 return -EINVAL; 4088 return 0; 4089 } 4090 4091 /** 4092 * smack_sock_graft - Initialize a newly created socket with an existing sock 4093 * @sk: child sock 4094 * @parent: parent socket 4095 * 4096 * Set the smk_{in,out} state of an existing sock based on the process that 4097 * is creating the new socket. 4098 */ 4099 static void smack_sock_graft(struct sock *sk, struct socket *parent) 4100 { 4101 struct socket_smack *ssp; 4102 struct smack_known *skp = smk_of_current(); 4103 4104 if (sk == NULL || 4105 (sk->sk_family != PF_INET && sk->sk_family != PF_INET6)) 4106 return; 4107 4108 ssp = sk->sk_security; 4109 ssp->smk_in = skp; 4110 ssp->smk_out = skp; 4111 /* cssp->smk_packet is already set in smack_inet_csk_clone() */ 4112 } 4113 4114 /** 4115 * smack_inet_conn_request - Smack access check on connect 4116 * @sk: socket involved 4117 * @skb: packet 4118 * @req: unused 4119 * 4120 * Returns 0 if a task with the packet label could write to 4121 * the socket, otherwise an error code 4122 */ 4123 static int smack_inet_conn_request(struct sock *sk, struct sk_buff *skb, 4124 struct request_sock *req) 4125 { 4126 u16 family = sk->sk_family; 4127 struct smack_known *skp; 4128 struct socket_smack *ssp = sk->sk_security; 4129 struct netlbl_lsm_secattr secattr; 4130 struct sockaddr_in addr; 4131 struct iphdr *hdr; 4132 struct smack_known *hskp; 4133 int rc; 4134 struct smk_audit_info ad; 4135 #ifdef CONFIG_AUDIT 4136 struct lsm_network_audit net; 4137 #endif 4138 4139 #if IS_ENABLED(CONFIG_IPV6) 4140 if (family == PF_INET6) { 4141 /* 4142 * Handle mapped IPv4 packets arriving 4143 * via IPv6 sockets. Don't set up netlabel 4144 * processing on IPv6. 4145 */ 4146 if (skb->protocol == htons(ETH_P_IP)) 4147 family = PF_INET; 4148 else 4149 return 0; 4150 } 4151 #endif /* CONFIG_IPV6 */ 4152 4153 #ifdef CONFIG_SECURITY_SMACK_NETFILTER 4154 /* 4155 * If there is a secmark use it rather than the CIPSO label. 4156 * If there is no secmark fall back to CIPSO. 4157 * The secmark is assumed to reflect policy better. 4158 */ 4159 if (skb && skb->secmark != 0) { 4160 skp = smack_from_secid(skb->secmark); 4161 goto access_check; 4162 } 4163 #endif /* CONFIG_SECURITY_SMACK_NETFILTER */ 4164 4165 netlbl_secattr_init(&secattr); 4166 rc = netlbl_skbuff_getattr(skb, family, &secattr); 4167 if (rc == 0) 4168 skp = smack_from_secattr(&secattr, ssp); 4169 else 4170 skp = &smack_known_huh; 4171 netlbl_secattr_destroy(&secattr); 4172 4173 #ifdef CONFIG_SECURITY_SMACK_NETFILTER 4174 access_check: 4175 #endif 4176 4177 #ifdef CONFIG_AUDIT 4178 smk_ad_init_net(&ad, __func__, LSM_AUDIT_DATA_NET, &net); 4179 ad.a.u.net->family = family; 4180 ad.a.u.net->netif = skb->skb_iif; 4181 ipv4_skb_to_auditdata(skb, &ad.a, NULL); 4182 #endif 4183 /* 4184 * Receiving a packet requires that the other end be able to write 4185 * here. Read access is not required. 4186 */ 4187 rc = smk_access(skp, ssp->smk_in, MAY_WRITE, &ad); 4188 rc = smk_bu_note("IPv4 connect", skp, ssp->smk_in, MAY_WRITE, rc); 4189 if (rc != 0) 4190 return rc; 4191 4192 /* 4193 * Save the peer's label in the request_sock so we can later setup 4194 * smk_packet in the child socket so that SO_PEERCRED can report it. 4195 */ 4196 req->peer_secid = skp->smk_secid; 4197 4198 /* 4199 * We need to decide if we want to label the incoming connection here 4200 * if we do we only need to label the request_sock and the stack will 4201 * propagate the wire-label to the sock when it is created. 4202 */ 4203 hdr = ip_hdr(skb); 4204 addr.sin_addr.s_addr = hdr->saddr; 4205 rcu_read_lock(); 4206 hskp = smack_ipv4host_label(&addr); 4207 rcu_read_unlock(); 4208 4209 if (hskp == NULL) 4210 rc = netlbl_req_setattr(req, &skp->smk_netlabel); 4211 else 4212 netlbl_req_delattr(req); 4213 4214 return rc; 4215 } 4216 4217 /** 4218 * smack_inet_csk_clone - Copy the connection information to the new socket 4219 * @sk: the new socket 4220 * @req: the connection's request_sock 4221 * 4222 * Transfer the connection's peer label to the newly created socket. 4223 */ 4224 static void smack_inet_csk_clone(struct sock *sk, 4225 const struct request_sock *req) 4226 { 4227 struct socket_smack *ssp = sk->sk_security; 4228 struct smack_known *skp; 4229 4230 if (req->peer_secid != 0) { 4231 skp = smack_from_secid(req->peer_secid); 4232 ssp->smk_packet = skp; 4233 } else 4234 ssp->smk_packet = NULL; 4235 } 4236 4237 /* 4238 * Key management security hooks 4239 * 4240 * Casey has not tested key support very heavily. 4241 * The permission check is most likely too restrictive. 4242 * If you care about keys please have a look. 4243 */ 4244 #ifdef CONFIG_KEYS 4245 4246 /** 4247 * smack_key_alloc - Set the key security blob 4248 * @key: object 4249 * @cred: the credentials to use 4250 * @flags: unused 4251 * 4252 * No allocation required 4253 * 4254 * Returns 0 4255 */ 4256 static int smack_key_alloc(struct key *key, const struct cred *cred, 4257 unsigned long flags) 4258 { 4259 struct smack_known *skp = smk_of_task(cred->security); 4260 4261 key->security = skp; 4262 return 0; 4263 } 4264 4265 /** 4266 * smack_key_free - Clear the key security blob 4267 * @key: the object 4268 * 4269 * Clear the blob pointer 4270 */ 4271 static void smack_key_free(struct key *key) 4272 { 4273 key->security = NULL; 4274 } 4275 4276 /** 4277 * smack_key_permission - Smack access on a key 4278 * @key_ref: gets to the object 4279 * @cred: the credentials to use 4280 * @perm: requested key permissions 4281 * 4282 * Return 0 if the task has read and write to the object, 4283 * an error code otherwise 4284 */ 4285 static int smack_key_permission(key_ref_t key_ref, 4286 const struct cred *cred, unsigned perm) 4287 { 4288 struct key *keyp; 4289 struct smk_audit_info ad; 4290 struct smack_known *tkp = smk_of_task(cred->security); 4291 int request = 0; 4292 int rc; 4293 4294 keyp = key_ref_to_ptr(key_ref); 4295 if (keyp == NULL) 4296 return -EINVAL; 4297 /* 4298 * If the key hasn't been initialized give it access so that 4299 * it may do so. 4300 */ 4301 if (keyp->security == NULL) 4302 return 0; 4303 /* 4304 * This should not occur 4305 */ 4306 if (tkp == NULL) 4307 return -EACCES; 4308 4309 if (smack_privileged_cred(CAP_MAC_OVERRIDE, cred)) 4310 return 0; 4311 4312 #ifdef CONFIG_AUDIT 4313 smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_KEY); 4314 ad.a.u.key_struct.key = keyp->serial; 4315 ad.a.u.key_struct.key_desc = keyp->description; 4316 #endif 4317 if (perm & KEY_NEED_READ) 4318 request = MAY_READ; 4319 if (perm & (KEY_NEED_WRITE | KEY_NEED_LINK | KEY_NEED_SETATTR)) 4320 request = MAY_WRITE; 4321 rc = smk_access(tkp, keyp->security, request, &ad); 4322 rc = smk_bu_note("key access", tkp, keyp->security, request, rc); 4323 return rc; 4324 } 4325 4326 /* 4327 * smack_key_getsecurity - Smack label tagging the key 4328 * @key points to the key to be queried 4329 * @_buffer points to a pointer that should be set to point to the 4330 * resulting string (if no label or an error occurs). 4331 * Return the length of the string (including terminating NUL) or -ve if 4332 * an error. 4333 * May also return 0 (and a NULL buffer pointer) if there is no label. 4334 */ 4335 static int smack_key_getsecurity(struct key *key, char **_buffer) 4336 { 4337 struct smack_known *skp = key->security; 4338 size_t length; 4339 char *copy; 4340 4341 if (key->security == NULL) { 4342 *_buffer = NULL; 4343 return 0; 4344 } 4345 4346 copy = kstrdup(skp->smk_known, GFP_KERNEL); 4347 if (copy == NULL) 4348 return -ENOMEM; 4349 length = strlen(copy) + 1; 4350 4351 *_buffer = copy; 4352 return length; 4353 } 4354 4355 #endif /* CONFIG_KEYS */ 4356 4357 /* 4358 * Smack Audit hooks 4359 * 4360 * Audit requires a unique representation of each Smack specific 4361 * rule. This unique representation is used to distinguish the 4362 * object to be audited from remaining kernel objects and also 4363 * works as a glue between the audit hooks. 4364 * 4365 * Since repository entries are added but never deleted, we'll use 4366 * the smack_known label address related to the given audit rule as 4367 * the needed unique representation. This also better fits the smack 4368 * model where nearly everything is a label. 4369 */ 4370 #ifdef CONFIG_AUDIT 4371 4372 /** 4373 * smack_audit_rule_init - Initialize a smack audit rule 4374 * @field: audit rule fields given from user-space (audit.h) 4375 * @op: required testing operator (=, !=, >, <, ...) 4376 * @rulestr: smack label to be audited 4377 * @vrule: pointer to save our own audit rule representation 4378 * 4379 * Prepare to audit cases where (@field @op @rulestr) is true. 4380 * The label to be audited is created if necessay. 4381 */ 4382 static int smack_audit_rule_init(u32 field, u32 op, char *rulestr, void **vrule) 4383 { 4384 struct smack_known *skp; 4385 char **rule = (char **)vrule; 4386 *rule = NULL; 4387 4388 if (field != AUDIT_SUBJ_USER && field != AUDIT_OBJ_USER) 4389 return -EINVAL; 4390 4391 if (op != Audit_equal && op != Audit_not_equal) 4392 return -EINVAL; 4393 4394 skp = smk_import_entry(rulestr, 0); 4395 if (IS_ERR(skp)) 4396 return PTR_ERR(skp); 4397 4398 *rule = skp->smk_known; 4399 4400 return 0; 4401 } 4402 4403 /** 4404 * smack_audit_rule_known - Distinguish Smack audit rules 4405 * @krule: rule of interest, in Audit kernel representation format 4406 * 4407 * This is used to filter Smack rules from remaining Audit ones. 4408 * If it's proved that this rule belongs to us, the 4409 * audit_rule_match hook will be called to do the final judgement. 4410 */ 4411 static int smack_audit_rule_known(struct audit_krule *krule) 4412 { 4413 struct audit_field *f; 4414 int i; 4415 4416 for (i = 0; i < krule->field_count; i++) { 4417 f = &krule->fields[i]; 4418 4419 if (f->type == AUDIT_SUBJ_USER || f->type == AUDIT_OBJ_USER) 4420 return 1; 4421 } 4422 4423 return 0; 4424 } 4425 4426 /** 4427 * smack_audit_rule_match - Audit given object ? 4428 * @secid: security id for identifying the object to test 4429 * @field: audit rule flags given from user-space 4430 * @op: required testing operator 4431 * @vrule: smack internal rule presentation 4432 * @actx: audit context associated with the check 4433 * 4434 * The core Audit hook. It's used to take the decision of 4435 * whether to audit or not to audit a given object. 4436 */ 4437 static int smack_audit_rule_match(u32 secid, u32 field, u32 op, void *vrule, 4438 struct audit_context *actx) 4439 { 4440 struct smack_known *skp; 4441 char *rule = vrule; 4442 4443 if (unlikely(!rule)) { 4444 WARN_ONCE(1, "Smack: missing rule\n"); 4445 return -ENOENT; 4446 } 4447 4448 if (field != AUDIT_SUBJ_USER && field != AUDIT_OBJ_USER) 4449 return 0; 4450 4451 skp = smack_from_secid(secid); 4452 4453 /* 4454 * No need to do string comparisons. If a match occurs, 4455 * both pointers will point to the same smack_known 4456 * label. 4457 */ 4458 if (op == Audit_equal) 4459 return (rule == skp->smk_known); 4460 if (op == Audit_not_equal) 4461 return (rule != skp->smk_known); 4462 4463 return 0; 4464 } 4465 4466 /* 4467 * There is no need for a smack_audit_rule_free hook. 4468 * No memory was allocated. 4469 */ 4470 4471 #endif /* CONFIG_AUDIT */ 4472 4473 /** 4474 * smack_ismaclabel - check if xattr @name references a smack MAC label 4475 * @name: Full xattr name to check. 4476 */ 4477 static int smack_ismaclabel(const char *name) 4478 { 4479 return (strcmp(name, XATTR_SMACK_SUFFIX) == 0); 4480 } 4481 4482 4483 /** 4484 * smack_secid_to_secctx - return the smack label for a secid 4485 * @secid: incoming integer 4486 * @secdata: destination 4487 * @seclen: how long it is 4488 * 4489 * Exists for networking code. 4490 */ 4491 static int smack_secid_to_secctx(u32 secid, char **secdata, u32 *seclen) 4492 { 4493 struct smack_known *skp = smack_from_secid(secid); 4494 4495 if (secdata) 4496 *secdata = skp->smk_known; 4497 *seclen = strlen(skp->smk_known); 4498 return 0; 4499 } 4500 4501 /** 4502 * smack_secctx_to_secid - return the secid for a smack label 4503 * @secdata: smack label 4504 * @seclen: how long result is 4505 * @secid: outgoing integer 4506 * 4507 * Exists for audit and networking code. 4508 */ 4509 static int smack_secctx_to_secid(const char *secdata, u32 seclen, u32 *secid) 4510 { 4511 struct smack_known *skp = smk_find_entry(secdata); 4512 4513 if (skp) 4514 *secid = skp->smk_secid; 4515 else 4516 *secid = 0; 4517 return 0; 4518 } 4519 4520 /* 4521 * There used to be a smack_release_secctx hook 4522 * that did nothing back when hooks were in a vector. 4523 * Now that there's a list such a hook adds cost. 4524 */ 4525 4526 static int smack_inode_notifysecctx(struct inode *inode, void *ctx, u32 ctxlen) 4527 { 4528 return smack_inode_setsecurity(inode, XATTR_SMACK_SUFFIX, ctx, ctxlen, 0); 4529 } 4530 4531 static int smack_inode_setsecctx(struct dentry *dentry, void *ctx, u32 ctxlen) 4532 { 4533 return __vfs_setxattr_noperm(dentry, XATTR_NAME_SMACK, ctx, ctxlen, 0); 4534 } 4535 4536 static int smack_inode_getsecctx(struct inode *inode, void **ctx, u32 *ctxlen) 4537 { 4538 struct smack_known *skp = smk_of_inode(inode); 4539 4540 *ctx = skp->smk_known; 4541 *ctxlen = strlen(skp->smk_known); 4542 return 0; 4543 } 4544 4545 static int smack_inode_copy_up(struct dentry *dentry, struct cred **new) 4546 { 4547 4548 struct task_smack *tsp; 4549 struct smack_known *skp; 4550 struct inode_smack *isp; 4551 struct cred *new_creds = *new; 4552 4553 if (new_creds == NULL) { 4554 new_creds = prepare_creds(); 4555 if (new_creds == NULL) 4556 return -ENOMEM; 4557 } 4558 4559 tsp = new_creds->security; 4560 4561 /* 4562 * Get label from overlay inode and set it in create_sid 4563 */ 4564 isp = d_inode(dentry->d_parent)->i_security; 4565 skp = isp->smk_inode; 4566 tsp->smk_task = skp; 4567 *new = new_creds; 4568 return 0; 4569 } 4570 4571 static int smack_inode_copy_up_xattr(const char *name) 4572 { 4573 /* 4574 * Return 1 if this is the smack access Smack attribute. 4575 */ 4576 if (strcmp(name, XATTR_NAME_SMACK) == 0) 4577 return 1; 4578 4579 return -EOPNOTSUPP; 4580 } 4581 4582 static int smack_dentry_create_files_as(struct dentry *dentry, int mode, 4583 struct qstr *name, 4584 const struct cred *old, 4585 struct cred *new) 4586 { 4587 struct task_smack *otsp = old->security; 4588 struct task_smack *ntsp = new->security; 4589 struct inode_smack *isp; 4590 int may; 4591 4592 /* 4593 * Use the process credential unless all of 4594 * the transmuting criteria are met 4595 */ 4596 ntsp->smk_task = otsp->smk_task; 4597 4598 /* 4599 * the attribute of the containing directory 4600 */ 4601 isp = d_inode(dentry->d_parent)->i_security; 4602 4603 if (isp->smk_flags & SMK_INODE_TRANSMUTE) { 4604 rcu_read_lock(); 4605 may = smk_access_entry(otsp->smk_task->smk_known, 4606 isp->smk_inode->smk_known, 4607 &otsp->smk_task->smk_rules); 4608 rcu_read_unlock(); 4609 4610 /* 4611 * If the directory is transmuting and the rule 4612 * providing access is transmuting use the containing 4613 * directory label instead of the process label. 4614 */ 4615 if (may > 0 && (may & MAY_TRANSMUTE)) 4616 ntsp->smk_task = isp->smk_inode; 4617 } 4618 return 0; 4619 } 4620 4621 static struct security_hook_list smack_hooks[] __lsm_ro_after_init = { 4622 LSM_HOOK_INIT(ptrace_access_check, smack_ptrace_access_check), 4623 LSM_HOOK_INIT(ptrace_traceme, smack_ptrace_traceme), 4624 LSM_HOOK_INIT(syslog, smack_syslog), 4625 4626 LSM_HOOK_INIT(sb_alloc_security, smack_sb_alloc_security), 4627 LSM_HOOK_INIT(sb_free_security, smack_sb_free_security), 4628 LSM_HOOK_INIT(sb_free_mnt_opts, smack_free_mnt_opts), 4629 LSM_HOOK_INIT(sb_eat_lsm_opts, smack_sb_eat_lsm_opts), 4630 LSM_HOOK_INIT(sb_statfs, smack_sb_statfs), 4631 LSM_HOOK_INIT(sb_set_mnt_opts, smack_set_mnt_opts), 4632 4633 LSM_HOOK_INIT(bprm_set_creds, smack_bprm_set_creds), 4634 4635 LSM_HOOK_INIT(inode_alloc_security, smack_inode_alloc_security), 4636 LSM_HOOK_INIT(inode_free_security, smack_inode_free_security), 4637 LSM_HOOK_INIT(inode_init_security, smack_inode_init_security), 4638 LSM_HOOK_INIT(inode_link, smack_inode_link), 4639 LSM_HOOK_INIT(inode_unlink, smack_inode_unlink), 4640 LSM_HOOK_INIT(inode_rmdir, smack_inode_rmdir), 4641 LSM_HOOK_INIT(inode_rename, smack_inode_rename), 4642 LSM_HOOK_INIT(inode_permission, smack_inode_permission), 4643 LSM_HOOK_INIT(inode_setattr, smack_inode_setattr), 4644 LSM_HOOK_INIT(inode_getattr, smack_inode_getattr), 4645 LSM_HOOK_INIT(inode_setxattr, smack_inode_setxattr), 4646 LSM_HOOK_INIT(inode_post_setxattr, smack_inode_post_setxattr), 4647 LSM_HOOK_INIT(inode_getxattr, smack_inode_getxattr), 4648 LSM_HOOK_INIT(inode_removexattr, smack_inode_removexattr), 4649 LSM_HOOK_INIT(inode_getsecurity, smack_inode_getsecurity), 4650 LSM_HOOK_INIT(inode_setsecurity, smack_inode_setsecurity), 4651 LSM_HOOK_INIT(inode_listsecurity, smack_inode_listsecurity), 4652 LSM_HOOK_INIT(inode_getsecid, smack_inode_getsecid), 4653 4654 LSM_HOOK_INIT(file_alloc_security, smack_file_alloc_security), 4655 LSM_HOOK_INIT(file_free_security, smack_file_free_security), 4656 LSM_HOOK_INIT(file_ioctl, smack_file_ioctl), 4657 LSM_HOOK_INIT(file_lock, smack_file_lock), 4658 LSM_HOOK_INIT(file_fcntl, smack_file_fcntl), 4659 LSM_HOOK_INIT(mmap_file, smack_mmap_file), 4660 LSM_HOOK_INIT(mmap_addr, cap_mmap_addr), 4661 LSM_HOOK_INIT(file_set_fowner, smack_file_set_fowner), 4662 LSM_HOOK_INIT(file_send_sigiotask, smack_file_send_sigiotask), 4663 LSM_HOOK_INIT(file_receive, smack_file_receive), 4664 4665 LSM_HOOK_INIT(file_open, smack_file_open), 4666 4667 LSM_HOOK_INIT(cred_alloc_blank, smack_cred_alloc_blank), 4668 LSM_HOOK_INIT(cred_free, smack_cred_free), 4669 LSM_HOOK_INIT(cred_prepare, smack_cred_prepare), 4670 LSM_HOOK_INIT(cred_transfer, smack_cred_transfer), 4671 LSM_HOOK_INIT(cred_getsecid, smack_cred_getsecid), 4672 LSM_HOOK_INIT(kernel_act_as, smack_kernel_act_as), 4673 LSM_HOOK_INIT(kernel_create_files_as, smack_kernel_create_files_as), 4674 LSM_HOOK_INIT(task_setpgid, smack_task_setpgid), 4675 LSM_HOOK_INIT(task_getpgid, smack_task_getpgid), 4676 LSM_HOOK_INIT(task_getsid, smack_task_getsid), 4677 LSM_HOOK_INIT(task_getsecid, smack_task_getsecid), 4678 LSM_HOOK_INIT(task_setnice, smack_task_setnice), 4679 LSM_HOOK_INIT(task_setioprio, smack_task_setioprio), 4680 LSM_HOOK_INIT(task_getioprio, smack_task_getioprio), 4681 LSM_HOOK_INIT(task_setscheduler, smack_task_setscheduler), 4682 LSM_HOOK_INIT(task_getscheduler, smack_task_getscheduler), 4683 LSM_HOOK_INIT(task_movememory, smack_task_movememory), 4684 LSM_HOOK_INIT(task_kill, smack_task_kill), 4685 LSM_HOOK_INIT(task_to_inode, smack_task_to_inode), 4686 4687 LSM_HOOK_INIT(ipc_permission, smack_ipc_permission), 4688 LSM_HOOK_INIT(ipc_getsecid, smack_ipc_getsecid), 4689 4690 LSM_HOOK_INIT(msg_msg_alloc_security, smack_msg_msg_alloc_security), 4691 LSM_HOOK_INIT(msg_msg_free_security, smack_msg_msg_free_security), 4692 4693 LSM_HOOK_INIT(msg_queue_alloc_security, smack_ipc_alloc_security), 4694 LSM_HOOK_INIT(msg_queue_free_security, smack_ipc_free_security), 4695 LSM_HOOK_INIT(msg_queue_associate, smack_msg_queue_associate), 4696 LSM_HOOK_INIT(msg_queue_msgctl, smack_msg_queue_msgctl), 4697 LSM_HOOK_INIT(msg_queue_msgsnd, smack_msg_queue_msgsnd), 4698 LSM_HOOK_INIT(msg_queue_msgrcv, smack_msg_queue_msgrcv), 4699 4700 LSM_HOOK_INIT(shm_alloc_security, smack_ipc_alloc_security), 4701 LSM_HOOK_INIT(shm_free_security, smack_ipc_free_security), 4702 LSM_HOOK_INIT(shm_associate, smack_shm_associate), 4703 LSM_HOOK_INIT(shm_shmctl, smack_shm_shmctl), 4704 LSM_HOOK_INIT(shm_shmat, smack_shm_shmat), 4705 4706 LSM_HOOK_INIT(sem_alloc_security, smack_ipc_alloc_security), 4707 LSM_HOOK_INIT(sem_free_security, smack_ipc_free_security), 4708 LSM_HOOK_INIT(sem_associate, smack_sem_associate), 4709 LSM_HOOK_INIT(sem_semctl, smack_sem_semctl), 4710 LSM_HOOK_INIT(sem_semop, smack_sem_semop), 4711 4712 LSM_HOOK_INIT(d_instantiate, smack_d_instantiate), 4713 4714 LSM_HOOK_INIT(getprocattr, smack_getprocattr), 4715 LSM_HOOK_INIT(setprocattr, smack_setprocattr), 4716 4717 LSM_HOOK_INIT(unix_stream_connect, smack_unix_stream_connect), 4718 LSM_HOOK_INIT(unix_may_send, smack_unix_may_send), 4719 4720 LSM_HOOK_INIT(socket_post_create, smack_socket_post_create), 4721 LSM_HOOK_INIT(socket_socketpair, smack_socket_socketpair), 4722 #ifdef SMACK_IPV6_PORT_LABELING 4723 LSM_HOOK_INIT(socket_bind, smack_socket_bind), 4724 #endif 4725 LSM_HOOK_INIT(socket_connect, smack_socket_connect), 4726 LSM_HOOK_INIT(socket_sendmsg, smack_socket_sendmsg), 4727 LSM_HOOK_INIT(socket_sock_rcv_skb, smack_socket_sock_rcv_skb), 4728 LSM_HOOK_INIT(socket_getpeersec_stream, smack_socket_getpeersec_stream), 4729 LSM_HOOK_INIT(socket_getpeersec_dgram, smack_socket_getpeersec_dgram), 4730 LSM_HOOK_INIT(sk_alloc_security, smack_sk_alloc_security), 4731 LSM_HOOK_INIT(sk_free_security, smack_sk_free_security), 4732 LSM_HOOK_INIT(sock_graft, smack_sock_graft), 4733 LSM_HOOK_INIT(inet_conn_request, smack_inet_conn_request), 4734 LSM_HOOK_INIT(inet_csk_clone, smack_inet_csk_clone), 4735 4736 /* key management security hooks */ 4737 #ifdef CONFIG_KEYS 4738 LSM_HOOK_INIT(key_alloc, smack_key_alloc), 4739 LSM_HOOK_INIT(key_free, smack_key_free), 4740 LSM_HOOK_INIT(key_permission, smack_key_permission), 4741 LSM_HOOK_INIT(key_getsecurity, smack_key_getsecurity), 4742 #endif /* CONFIG_KEYS */ 4743 4744 /* Audit hooks */ 4745 #ifdef CONFIG_AUDIT 4746 LSM_HOOK_INIT(audit_rule_init, smack_audit_rule_init), 4747 LSM_HOOK_INIT(audit_rule_known, smack_audit_rule_known), 4748 LSM_HOOK_INIT(audit_rule_match, smack_audit_rule_match), 4749 #endif /* CONFIG_AUDIT */ 4750 4751 LSM_HOOK_INIT(ismaclabel, smack_ismaclabel), 4752 LSM_HOOK_INIT(secid_to_secctx, smack_secid_to_secctx), 4753 LSM_HOOK_INIT(secctx_to_secid, smack_secctx_to_secid), 4754 LSM_HOOK_INIT(inode_notifysecctx, smack_inode_notifysecctx), 4755 LSM_HOOK_INIT(inode_setsecctx, smack_inode_setsecctx), 4756 LSM_HOOK_INIT(inode_getsecctx, smack_inode_getsecctx), 4757 LSM_HOOK_INIT(inode_copy_up, smack_inode_copy_up), 4758 LSM_HOOK_INIT(inode_copy_up_xattr, smack_inode_copy_up_xattr), 4759 LSM_HOOK_INIT(dentry_create_files_as, smack_dentry_create_files_as), 4760 }; 4761 4762 4763 static __init void init_smack_known_list(void) 4764 { 4765 /* 4766 * Initialize rule list locks 4767 */ 4768 mutex_init(&smack_known_huh.smk_rules_lock); 4769 mutex_init(&smack_known_hat.smk_rules_lock); 4770 mutex_init(&smack_known_floor.smk_rules_lock); 4771 mutex_init(&smack_known_star.smk_rules_lock); 4772 mutex_init(&smack_known_web.smk_rules_lock); 4773 /* 4774 * Initialize rule lists 4775 */ 4776 INIT_LIST_HEAD(&smack_known_huh.smk_rules); 4777 INIT_LIST_HEAD(&smack_known_hat.smk_rules); 4778 INIT_LIST_HEAD(&smack_known_star.smk_rules); 4779 INIT_LIST_HEAD(&smack_known_floor.smk_rules); 4780 INIT_LIST_HEAD(&smack_known_web.smk_rules); 4781 /* 4782 * Create the known labels list 4783 */ 4784 smk_insert_entry(&smack_known_huh); 4785 smk_insert_entry(&smack_known_hat); 4786 smk_insert_entry(&smack_known_star); 4787 smk_insert_entry(&smack_known_floor); 4788 smk_insert_entry(&smack_known_web); 4789 } 4790 4791 /** 4792 * smack_init - initialize the smack system 4793 * 4794 * Returns 0 4795 */ 4796 static __init int smack_init(void) 4797 { 4798 struct cred *cred; 4799 struct task_smack *tsp; 4800 4801 if (!security_module_enable("smack")) 4802 return 0; 4803 4804 smack_inode_cache = KMEM_CACHE(inode_smack, 0); 4805 if (!smack_inode_cache) 4806 return -ENOMEM; 4807 4808 tsp = new_task_smack(&smack_known_floor, &smack_known_floor, 4809 GFP_KERNEL); 4810 if (tsp == NULL) { 4811 kmem_cache_destroy(smack_inode_cache); 4812 return -ENOMEM; 4813 } 4814 4815 smack_enabled = 1; 4816 4817 pr_info("Smack: Initializing.\n"); 4818 #ifdef CONFIG_SECURITY_SMACK_NETFILTER 4819 pr_info("Smack: Netfilter enabled.\n"); 4820 #endif 4821 #ifdef SMACK_IPV6_PORT_LABELING 4822 pr_info("Smack: IPv6 port labeling enabled.\n"); 4823 #endif 4824 #ifdef SMACK_IPV6_SECMARK_LABELING 4825 pr_info("Smack: IPv6 Netfilter enabled.\n"); 4826 #endif 4827 4828 /* 4829 * Set the security state for the initial task. 4830 */ 4831 cred = (struct cred *) current->cred; 4832 cred->security = tsp; 4833 4834 /* initialize the smack_known_list */ 4835 init_smack_known_list(); 4836 4837 /* 4838 * Register with LSM 4839 */ 4840 security_add_hooks(smack_hooks, ARRAY_SIZE(smack_hooks), "smack"); 4841 4842 return 0; 4843 } 4844 4845 /* 4846 * Smack requires early initialization in order to label 4847 * all processes and objects when they are created. 4848 */ 4849 DEFINE_LSM(smack) = { 4850 .name = "smack", 4851 .init = smack_init, 4852 }; 4853