1 /* 2 * Copyright (C) 2007 Casey Schaufler <casey@schaufler-ca.com> 3 * 4 * This program is free software; you can redistribute it and/or modify 5 * it under the terms of the GNU General Public License as published by 6 * the Free Software Foundation, version 2. 7 * 8 * Author: 9 * Casey Schaufler <casey@schaufler-ca.com> 10 * 11 */ 12 13 #include <linux/types.h> 14 #include <linux/slab.h> 15 #include <linux/fs.h> 16 #include <linux/sched.h> 17 #include "smack.h" 18 19 struct smack_known smack_known_huh = { 20 .smk_known = "?", 21 .smk_secid = 2, 22 }; 23 24 struct smack_known smack_known_hat = { 25 .smk_known = "^", 26 .smk_secid = 3, 27 }; 28 29 struct smack_known smack_known_star = { 30 .smk_known = "*", 31 .smk_secid = 4, 32 }; 33 34 struct smack_known smack_known_floor = { 35 .smk_known = "_", 36 .smk_secid = 5, 37 }; 38 39 struct smack_known smack_known_invalid = { 40 .smk_known = "", 41 .smk_secid = 6, 42 }; 43 44 struct smack_known smack_known_web = { 45 .smk_known = "@", 46 .smk_secid = 7, 47 }; 48 49 LIST_HEAD(smack_known_list); 50 51 /* 52 * The initial value needs to be bigger than any of the 53 * known values above. 54 */ 55 static u32 smack_next_secid = 10; 56 57 /* 58 * what events do we log 59 * can be overwritten at run-time by /smack/logging 60 */ 61 int log_policy = SMACK_AUDIT_DENIED; 62 63 /** 64 * smk_access_entry - look up matching access rule 65 * @subject_label: a pointer to the subject's Smack label 66 * @object_label: a pointer to the object's Smack label 67 * @rule_list: the list of rules to search 68 * 69 * This function looks up the subject/object pair in the 70 * access rule list and returns the access mode. If no 71 * entry is found returns -ENOENT. 72 * 73 * NOTE: 74 * 75 * Earlier versions of this function allowed for labels that 76 * were not on the label list. This was done to allow for 77 * labels to come over the network that had never been seen 78 * before on this host. Unless the receiving socket has the 79 * star label this will always result in a failure check. The 80 * star labeled socket case is now handled in the networking 81 * hooks so there is no case where the label is not on the 82 * label list. Checking to see if the address of two labels 83 * is the same is now a reliable test. 84 * 85 * Do the object check first because that is more 86 * likely to differ. 87 */ 88 int smk_access_entry(char *subject_label, char *object_label, 89 struct list_head *rule_list) 90 { 91 int may = -ENOENT; 92 struct smack_rule *srp; 93 94 list_for_each_entry_rcu(srp, rule_list, list) { 95 if (srp->smk_object == object_label && 96 srp->smk_subject->smk_known == subject_label) { 97 may = srp->smk_access; 98 break; 99 } 100 } 101 102 return may; 103 } 104 105 /** 106 * smk_access - determine if a subject has a specific access to an object 107 * @subject_known: a pointer to the subject's Smack label entry 108 * @object_label: a pointer to the object's Smack label 109 * @request: the access requested, in "MAY" format 110 * @a : a pointer to the audit data 111 * 112 * This function looks up the subject/object pair in the 113 * access rule list and returns 0 if the access is permitted, 114 * non zero otherwise. 115 * 116 * Smack labels are shared on smack_list 117 */ 118 int smk_access(struct smack_known *subject_known, char *object_label, 119 int request, struct smk_audit_info *a) 120 { 121 int may = MAY_NOT; 122 int rc = 0; 123 124 /* 125 * Hardcoded comparisons. 126 * 127 * A star subject can't access any object. 128 */ 129 if (subject_known == &smack_known_star) { 130 rc = -EACCES; 131 goto out_audit; 132 } 133 /* 134 * An internet object can be accessed by any subject. 135 * Tasks cannot be assigned the internet label. 136 * An internet subject can access any object. 137 */ 138 if (object_label == smack_known_web.smk_known || 139 subject_known == &smack_known_web) 140 goto out_audit; 141 /* 142 * A star object can be accessed by any subject. 143 */ 144 if (object_label == smack_known_star.smk_known) 145 goto out_audit; 146 /* 147 * An object can be accessed in any way by a subject 148 * with the same label. 149 */ 150 if (subject_known->smk_known == object_label) 151 goto out_audit; 152 /* 153 * A hat subject can read any object. 154 * A floor object can be read by any subject. 155 */ 156 if ((request & MAY_ANYREAD) == request) { 157 if (object_label == smack_known_floor.smk_known) 158 goto out_audit; 159 if (subject_known == &smack_known_hat) 160 goto out_audit; 161 } 162 /* 163 * Beyond here an explicit relationship is required. 164 * If the requested access is contained in the available 165 * access (e.g. read is included in readwrite) it's 166 * good. A negative response from smk_access_entry() 167 * indicates there is no entry for this pair. 168 */ 169 rcu_read_lock(); 170 may = smk_access_entry(subject_known->smk_known, object_label, 171 &subject_known->smk_rules); 172 rcu_read_unlock(); 173 174 if (may > 0 && (request & may) == request) 175 goto out_audit; 176 177 rc = -EACCES; 178 out_audit: 179 #ifdef CONFIG_AUDIT 180 if (a) 181 smack_log(subject_known->smk_known, object_label, request, 182 rc, a); 183 #endif 184 return rc; 185 } 186 187 /** 188 * smk_curacc - determine if current has a specific access to an object 189 * @obj_label: a pointer to the object's Smack label 190 * @mode: the access requested, in "MAY" format 191 * @a : common audit data 192 * 193 * This function checks the current subject label/object label pair 194 * in the access rule list and returns 0 if the access is permitted, 195 * non zero otherwise. It allows that current may have the capability 196 * to override the rules. 197 */ 198 int smk_curacc(char *obj_label, u32 mode, struct smk_audit_info *a) 199 { 200 struct task_smack *tsp = current_security(); 201 struct smack_known *skp = smk_of_task(tsp); 202 int may; 203 int rc; 204 205 /* 206 * Check the global rule list 207 */ 208 rc = smk_access(skp, obj_label, mode, NULL); 209 if (rc == 0) { 210 /* 211 * If there is an entry in the task's rule list 212 * it can further restrict access. 213 */ 214 may = smk_access_entry(skp->smk_known, obj_label, 215 &tsp->smk_rules); 216 if (may < 0) 217 goto out_audit; 218 if ((mode & may) == mode) 219 goto out_audit; 220 rc = -EACCES; 221 } 222 223 /* 224 * Allow for priviliged to override policy. 225 */ 226 if (rc != 0 && smack_privileged(CAP_MAC_OVERRIDE)) 227 rc = 0; 228 229 out_audit: 230 #ifdef CONFIG_AUDIT 231 if (a) 232 smack_log(skp->smk_known, obj_label, mode, rc, a); 233 #endif 234 return rc; 235 } 236 237 #ifdef CONFIG_AUDIT 238 /** 239 * smack_str_from_perm : helper to transalate an int to a 240 * readable string 241 * @string : the string to fill 242 * @access : the int 243 * 244 */ 245 static inline void smack_str_from_perm(char *string, int access) 246 { 247 int i = 0; 248 if (access & MAY_READ) 249 string[i++] = 'r'; 250 if (access & MAY_WRITE) 251 string[i++] = 'w'; 252 if (access & MAY_EXEC) 253 string[i++] = 'x'; 254 if (access & MAY_APPEND) 255 string[i++] = 'a'; 256 if (access & MAY_TRANSMUTE) 257 string[i++] = 't'; 258 string[i] = '\0'; 259 } 260 /** 261 * smack_log_callback - SMACK specific information 262 * will be called by generic audit code 263 * @ab : the audit_buffer 264 * @a : audit_data 265 * 266 */ 267 static void smack_log_callback(struct audit_buffer *ab, void *a) 268 { 269 struct common_audit_data *ad = a; 270 struct smack_audit_data *sad = ad->smack_audit_data; 271 audit_log_format(ab, "lsm=SMACK fn=%s action=%s", 272 ad->smack_audit_data->function, 273 sad->result ? "denied" : "granted"); 274 audit_log_format(ab, " subject="); 275 audit_log_untrustedstring(ab, sad->subject); 276 audit_log_format(ab, " object="); 277 audit_log_untrustedstring(ab, sad->object); 278 audit_log_format(ab, " requested=%s", sad->request); 279 } 280 281 /** 282 * smack_log - Audit the granting or denial of permissions. 283 * @subject_label : smack label of the requester 284 * @object_label : smack label of the object being accessed 285 * @request: requested permissions 286 * @result: result from smk_access 287 * @a: auxiliary audit data 288 * 289 * Audit the granting or denial of permissions in accordance 290 * with the policy. 291 */ 292 void smack_log(char *subject_label, char *object_label, int request, 293 int result, struct smk_audit_info *ad) 294 { 295 char request_buffer[SMK_NUM_ACCESS_TYPE + 1]; 296 struct smack_audit_data *sad; 297 struct common_audit_data *a = &ad->a; 298 299 /* check if we have to log the current event */ 300 if (result != 0 && (log_policy & SMACK_AUDIT_DENIED) == 0) 301 return; 302 if (result == 0 && (log_policy & SMACK_AUDIT_ACCEPT) == 0) 303 return; 304 305 sad = a->smack_audit_data; 306 307 if (sad->function == NULL) 308 sad->function = "unknown"; 309 310 /* end preparing the audit data */ 311 smack_str_from_perm(request_buffer, request); 312 sad->subject = subject_label; 313 sad->object = object_label; 314 sad->request = request_buffer; 315 sad->result = result; 316 317 common_lsm_audit(a, smack_log_callback, NULL); 318 } 319 #else /* #ifdef CONFIG_AUDIT */ 320 void smack_log(char *subject_label, char *object_label, int request, 321 int result, struct smk_audit_info *ad) 322 { 323 } 324 #endif 325 326 DEFINE_MUTEX(smack_known_lock); 327 328 /** 329 * smk_find_entry - find a label on the list, return the list entry 330 * @string: a text string that might be a Smack label 331 * 332 * Returns a pointer to the entry in the label list that 333 * matches the passed string. 334 */ 335 struct smack_known *smk_find_entry(const char *string) 336 { 337 struct smack_known *skp; 338 339 list_for_each_entry_rcu(skp, &smack_known_list, list) { 340 if (strcmp(skp->smk_known, string) == 0) 341 return skp; 342 } 343 344 return NULL; 345 } 346 347 /** 348 * smk_parse_smack - parse smack label from a text string 349 * @string: a text string that might contain a Smack label 350 * @len: the maximum size, or zero if it is NULL terminated. 351 * 352 * Returns a pointer to the clean label, or NULL 353 */ 354 char *smk_parse_smack(const char *string, int len) 355 { 356 char *smack; 357 int i; 358 359 if (len <= 0) 360 len = strlen(string) + 1; 361 362 /* 363 * Reserve a leading '-' as an indicator that 364 * this isn't a label, but an option to interfaces 365 * including /smack/cipso and /smack/cipso2 366 */ 367 if (string[0] == '-') 368 return NULL; 369 370 for (i = 0; i < len; i++) 371 if (string[i] > '~' || string[i] <= ' ' || string[i] == '/' || 372 string[i] == '"' || string[i] == '\\' || string[i] == '\'') 373 break; 374 375 if (i == 0 || i >= SMK_LONGLABEL) 376 return NULL; 377 378 smack = kzalloc(i + 1, GFP_KERNEL); 379 if (smack != NULL) { 380 strncpy(smack, string, i + 1); 381 smack[i] = '\0'; 382 } 383 return smack; 384 } 385 386 /** 387 * smk_netlbl_mls - convert a catset to netlabel mls categories 388 * @catset: the Smack categories 389 * @sap: where to put the netlabel categories 390 * 391 * Allocates and fills attr.mls 392 * Returns 0 on success, error code on failure. 393 */ 394 int smk_netlbl_mls(int level, char *catset, struct netlbl_lsm_secattr *sap, 395 int len) 396 { 397 unsigned char *cp; 398 unsigned char m; 399 int cat; 400 int rc; 401 int byte; 402 403 sap->flags |= NETLBL_SECATTR_MLS_CAT; 404 sap->attr.mls.lvl = level; 405 sap->attr.mls.cat = netlbl_secattr_catmap_alloc(GFP_ATOMIC); 406 if (!sap->attr.mls.cat) 407 return -ENOMEM; 408 sap->attr.mls.cat->startbit = 0; 409 410 for (cat = 1, cp = catset, byte = 0; byte < len; cp++, byte++) 411 for (m = 0x80; m != 0; m >>= 1, cat++) { 412 if ((m & *cp) == 0) 413 continue; 414 rc = netlbl_secattr_catmap_setbit(sap->attr.mls.cat, 415 cat, GFP_ATOMIC); 416 if (rc < 0) { 417 netlbl_secattr_catmap_free(sap->attr.mls.cat); 418 return rc; 419 } 420 } 421 422 return 0; 423 } 424 425 /** 426 * smk_import_entry - import a label, return the list entry 427 * @string: a text string that might be a Smack label 428 * @len: the maximum size, or zero if it is NULL terminated. 429 * 430 * Returns a pointer to the entry in the label list that 431 * matches the passed string, adding it if necessary. 432 */ 433 struct smack_known *smk_import_entry(const char *string, int len) 434 { 435 struct smack_known *skp; 436 char *smack; 437 int slen; 438 int rc; 439 440 smack = smk_parse_smack(string, len); 441 if (smack == NULL) 442 return NULL; 443 444 mutex_lock(&smack_known_lock); 445 446 skp = smk_find_entry(smack); 447 if (skp != NULL) 448 goto freeout; 449 450 skp = kzalloc(sizeof(*skp), GFP_KERNEL); 451 if (skp == NULL) 452 goto freeout; 453 454 skp->smk_known = smack; 455 skp->smk_secid = smack_next_secid++; 456 skp->smk_netlabel.domain = skp->smk_known; 457 skp->smk_netlabel.flags = 458 NETLBL_SECATTR_DOMAIN | NETLBL_SECATTR_MLS_LVL; 459 /* 460 * If direct labeling works use it. 461 * Otherwise use mapped labeling. 462 */ 463 slen = strlen(smack); 464 if (slen < SMK_CIPSOLEN) 465 rc = smk_netlbl_mls(smack_cipso_direct, skp->smk_known, 466 &skp->smk_netlabel, slen); 467 else 468 rc = smk_netlbl_mls(smack_cipso_mapped, (char *)&skp->smk_secid, 469 &skp->smk_netlabel, sizeof(skp->smk_secid)); 470 471 if (rc >= 0) { 472 INIT_LIST_HEAD(&skp->smk_rules); 473 mutex_init(&skp->smk_rules_lock); 474 /* 475 * Make sure that the entry is actually 476 * filled before putting it on the list. 477 */ 478 list_add_rcu(&skp->list, &smack_known_list); 479 goto unlockout; 480 } 481 /* 482 * smk_netlbl_mls failed. 483 */ 484 kfree(skp); 485 skp = NULL; 486 freeout: 487 kfree(smack); 488 unlockout: 489 mutex_unlock(&smack_known_lock); 490 491 return skp; 492 } 493 494 /** 495 * smk_import - import a smack label 496 * @string: a text string that might be a Smack label 497 * @len: the maximum size, or zero if it is NULL terminated. 498 * 499 * Returns a pointer to the label in the label list that 500 * matches the passed string, adding it if necessary. 501 */ 502 char *smk_import(const char *string, int len) 503 { 504 struct smack_known *skp; 505 506 /* labels cannot begin with a '-' */ 507 if (string[0] == '-') 508 return NULL; 509 skp = smk_import_entry(string, len); 510 if (skp == NULL) 511 return NULL; 512 return skp->smk_known; 513 } 514 515 /** 516 * smack_from_secid - find the Smack label associated with a secid 517 * @secid: an integer that might be associated with a Smack label 518 * 519 * Returns a pointer to the appropriate Smack label entry if there is one, 520 * otherwise a pointer to the invalid Smack label. 521 */ 522 struct smack_known *smack_from_secid(const u32 secid) 523 { 524 struct smack_known *skp; 525 526 rcu_read_lock(); 527 list_for_each_entry_rcu(skp, &smack_known_list, list) { 528 if (skp->smk_secid == secid) { 529 rcu_read_unlock(); 530 return skp; 531 } 532 } 533 534 /* 535 * If we got this far someone asked for the translation 536 * of a secid that is not on the list. 537 */ 538 rcu_read_unlock(); 539 return &smack_known_invalid; 540 } 541 542 /** 543 * smack_to_secid - find the secid associated with a Smack label 544 * @smack: the Smack label 545 * 546 * Returns the appropriate secid if there is one, 547 * otherwise 0 548 */ 549 u32 smack_to_secid(const char *smack) 550 { 551 struct smack_known *skp = smk_find_entry(smack); 552 553 if (skp == NULL) 554 return 0; 555 return skp->smk_secid; 556 } 557