1 /* 2 * Copyright (C) 2007 Casey Schaufler <casey@schaufler-ca.com> 3 * 4 * This program is free software; you can redistribute it and/or modify 5 * it under the terms of the GNU General Public License as published by 6 * the Free Software Foundation, version 2. 7 * 8 * Author: 9 * Casey Schaufler <casey@schaufler-ca.com> 10 * 11 */ 12 13 #include <linux/types.h> 14 #include <linux/slab.h> 15 #include <linux/fs.h> 16 #include <linux/sched.h> 17 #include "smack.h" 18 19 struct smack_known smack_known_huh = { 20 .smk_known = "?", 21 .smk_secid = 2, 22 }; 23 24 struct smack_known smack_known_hat = { 25 .smk_known = "^", 26 .smk_secid = 3, 27 }; 28 29 struct smack_known smack_known_star = { 30 .smk_known = "*", 31 .smk_secid = 4, 32 }; 33 34 struct smack_known smack_known_floor = { 35 .smk_known = "_", 36 .smk_secid = 5, 37 }; 38 39 struct smack_known smack_known_invalid = { 40 .smk_known = "", 41 .smk_secid = 6, 42 }; 43 44 struct smack_known smack_known_web = { 45 .smk_known = "@", 46 .smk_secid = 7, 47 }; 48 49 LIST_HEAD(smack_known_list); 50 51 /* 52 * The initial value needs to be bigger than any of the 53 * known values above. 54 */ 55 static u32 smack_next_secid = 10; 56 57 /* 58 * what events do we log 59 * can be overwritten at run-time by /smack/logging 60 */ 61 int log_policy = SMACK_AUDIT_DENIED; 62 63 /** 64 * smk_access_entry - look up matching access rule 65 * @subject_label: a pointer to the subject's Smack label 66 * @object_label: a pointer to the object's Smack label 67 * @rule_list: the list of rules to search 68 * 69 * This function looks up the subject/object pair in the 70 * access rule list and returns the access mode. If no 71 * entry is found returns -ENOENT. 72 * 73 * NOTE: 74 * 75 * Earlier versions of this function allowed for labels that 76 * were not on the label list. This was done to allow for 77 * labels to come over the network that had never been seen 78 * before on this host. Unless the receiving socket has the 79 * star label this will always result in a failure check. The 80 * star labeled socket case is now handled in the networking 81 * hooks so there is no case where the label is not on the 82 * label list. Checking to see if the address of two labels 83 * is the same is now a reliable test. 84 * 85 * Do the object check first because that is more 86 * likely to differ. 87 * 88 * Allowing write access implies allowing locking. 89 */ 90 int smk_access_entry(char *subject_label, char *object_label, 91 struct list_head *rule_list) 92 { 93 int may = -ENOENT; 94 struct smack_rule *srp; 95 96 list_for_each_entry_rcu(srp, rule_list, list) { 97 if (srp->smk_object->smk_known == object_label && 98 srp->smk_subject->smk_known == subject_label) { 99 may = srp->smk_access; 100 break; 101 } 102 } 103 104 /* 105 * MAY_WRITE implies MAY_LOCK. 106 */ 107 if ((may & MAY_WRITE) == MAY_WRITE) 108 may |= MAY_LOCK; 109 return may; 110 } 111 112 /** 113 * smk_access - determine if a subject has a specific access to an object 114 * @subject: a pointer to the subject's Smack label entry 115 * @object: a pointer to the object's Smack label entry 116 * @request: the access requested, in "MAY" format 117 * @a : a pointer to the audit data 118 * 119 * This function looks up the subject/object pair in the 120 * access rule list and returns 0 if the access is permitted, 121 * non zero otherwise. 122 * 123 * Smack labels are shared on smack_list 124 */ 125 int smk_access(struct smack_known *subject, struct smack_known *object, 126 int request, struct smk_audit_info *a) 127 { 128 int may = MAY_NOT; 129 int rc = 0; 130 131 /* 132 * Hardcoded comparisons. 133 * 134 * A star subject can't access any object. 135 */ 136 if (subject == &smack_known_star) { 137 rc = -EACCES; 138 goto out_audit; 139 } 140 /* 141 * An internet object can be accessed by any subject. 142 * Tasks cannot be assigned the internet label. 143 * An internet subject can access any object. 144 */ 145 if (object == &smack_known_web || subject == &smack_known_web) 146 goto out_audit; 147 /* 148 * A star object can be accessed by any subject. 149 */ 150 if (object == &smack_known_star) 151 goto out_audit; 152 /* 153 * An object can be accessed in any way by a subject 154 * with the same label. 155 */ 156 if (subject->smk_known == object->smk_known) 157 goto out_audit; 158 /* 159 * A hat subject can read or lock any object. 160 * A floor object can be read or locked by any subject. 161 */ 162 if ((request & MAY_ANYREAD) == request || 163 (request & MAY_LOCK) == request) { 164 if (object == &smack_known_floor) 165 goto out_audit; 166 if (subject == &smack_known_hat) 167 goto out_audit; 168 } 169 /* 170 * Beyond here an explicit relationship is required. 171 * If the requested access is contained in the available 172 * access (e.g. read is included in readwrite) it's 173 * good. A negative response from smk_access_entry() 174 * indicates there is no entry for this pair. 175 */ 176 rcu_read_lock(); 177 may = smk_access_entry(subject->smk_known, object->smk_known, 178 &subject->smk_rules); 179 rcu_read_unlock(); 180 181 if (may <= 0 || (request & may) != request) { 182 rc = -EACCES; 183 goto out_audit; 184 } 185 #ifdef CONFIG_SECURITY_SMACK_BRINGUP 186 /* 187 * Return a positive value if using bringup mode. 188 * This allows the hooks to identify checks that 189 * succeed because of "b" rules. 190 */ 191 if (may & MAY_BRINGUP) 192 rc = MAY_BRINGUP; 193 #endif 194 195 out_audit: 196 #ifdef CONFIG_AUDIT 197 if (a) 198 smack_log(subject->smk_known, object->smk_known, 199 request, rc, a); 200 #endif 201 202 return rc; 203 } 204 205 /** 206 * smk_tskacc - determine if a task has a specific access to an object 207 * @tsp: a pointer to the subject's task 208 * @obj_known: a pointer to the object's label entry 209 * @mode: the access requested, in "MAY" format 210 * @a : common audit data 211 * 212 * This function checks the subject task's label/object label pair 213 * in the access rule list and returns 0 if the access is permitted, 214 * non zero otherwise. It allows that the task may have the capability 215 * to override the rules. 216 */ 217 int smk_tskacc(struct task_smack *tsp, struct smack_known *obj_known, 218 u32 mode, struct smk_audit_info *a) 219 { 220 struct smack_known *sbj_known = smk_of_task(tsp); 221 int may; 222 int rc; 223 224 /* 225 * Check the global rule list 226 */ 227 rc = smk_access(sbj_known, obj_known, mode, NULL); 228 if (rc >= 0) { 229 /* 230 * If there is an entry in the task's rule list 231 * it can further restrict access. 232 */ 233 may = smk_access_entry(sbj_known->smk_known, 234 obj_known->smk_known, 235 &tsp->smk_rules); 236 if (may < 0) 237 goto out_audit; 238 if ((mode & may) == mode) 239 goto out_audit; 240 rc = -EACCES; 241 } 242 243 /* 244 * Allow for priviliged to override policy. 245 */ 246 if (rc != 0 && smack_privileged(CAP_MAC_OVERRIDE)) 247 rc = 0; 248 249 out_audit: 250 #ifdef CONFIG_AUDIT 251 if (a) 252 smack_log(sbj_known->smk_known, obj_known->smk_known, 253 mode, rc, a); 254 #endif 255 return rc; 256 } 257 258 /** 259 * smk_curacc - determine if current has a specific access to an object 260 * @obj_known: a pointer to the object's Smack label entry 261 * @mode: the access requested, in "MAY" format 262 * @a : common audit data 263 * 264 * This function checks the current subject label/object label pair 265 * in the access rule list and returns 0 if the access is permitted, 266 * non zero otherwise. It allows that current may have the capability 267 * to override the rules. 268 */ 269 int smk_curacc(struct smack_known *obj_known, 270 u32 mode, struct smk_audit_info *a) 271 { 272 struct task_smack *tsp = current_security(); 273 274 return smk_tskacc(tsp, obj_known, mode, a); 275 } 276 277 #ifdef CONFIG_AUDIT 278 /** 279 * smack_str_from_perm : helper to transalate an int to a 280 * readable string 281 * @string : the string to fill 282 * @access : the int 283 * 284 */ 285 static inline void smack_str_from_perm(char *string, int access) 286 { 287 int i = 0; 288 289 if (access & MAY_READ) 290 string[i++] = 'r'; 291 if (access & MAY_WRITE) 292 string[i++] = 'w'; 293 if (access & MAY_EXEC) 294 string[i++] = 'x'; 295 if (access & MAY_APPEND) 296 string[i++] = 'a'; 297 if (access & MAY_TRANSMUTE) 298 string[i++] = 't'; 299 if (access & MAY_LOCK) 300 string[i++] = 'l'; 301 string[i] = '\0'; 302 } 303 /** 304 * smack_log_callback - SMACK specific information 305 * will be called by generic audit code 306 * @ab : the audit_buffer 307 * @a : audit_data 308 * 309 */ 310 static void smack_log_callback(struct audit_buffer *ab, void *a) 311 { 312 struct common_audit_data *ad = a; 313 struct smack_audit_data *sad = ad->smack_audit_data; 314 audit_log_format(ab, "lsm=SMACK fn=%s action=%s", 315 ad->smack_audit_data->function, 316 sad->result ? "denied" : "granted"); 317 audit_log_format(ab, " subject="); 318 audit_log_untrustedstring(ab, sad->subject); 319 audit_log_format(ab, " object="); 320 audit_log_untrustedstring(ab, sad->object); 321 if (sad->request[0] == '\0') 322 audit_log_format(ab, " labels_differ"); 323 else 324 audit_log_format(ab, " requested=%s", sad->request); 325 } 326 327 /** 328 * smack_log - Audit the granting or denial of permissions. 329 * @subject_label : smack label of the requester 330 * @object_label : smack label of the object being accessed 331 * @request: requested permissions 332 * @result: result from smk_access 333 * @a: auxiliary audit data 334 * 335 * Audit the granting or denial of permissions in accordance 336 * with the policy. 337 */ 338 void smack_log(char *subject_label, char *object_label, int request, 339 int result, struct smk_audit_info *ad) 340 { 341 char request_buffer[SMK_NUM_ACCESS_TYPE + 1]; 342 struct smack_audit_data *sad; 343 struct common_audit_data *a = &ad->a; 344 345 #ifdef CONFIG_SECURITY_SMACK_BRINGUP 346 /* 347 * The result may be positive in bringup mode. 348 */ 349 if (result > 0) 350 result = 0; 351 #endif 352 /* check if we have to log the current event */ 353 if (result != 0 && (log_policy & SMACK_AUDIT_DENIED) == 0) 354 return; 355 if (result == 0 && (log_policy & SMACK_AUDIT_ACCEPT) == 0) 356 return; 357 358 sad = a->smack_audit_data; 359 360 if (sad->function == NULL) 361 sad->function = "unknown"; 362 363 /* end preparing the audit data */ 364 smack_str_from_perm(request_buffer, request); 365 sad->subject = subject_label; 366 sad->object = object_label; 367 sad->request = request_buffer; 368 sad->result = result; 369 370 common_lsm_audit(a, smack_log_callback, NULL); 371 } 372 #else /* #ifdef CONFIG_AUDIT */ 373 void smack_log(char *subject_label, char *object_label, int request, 374 int result, struct smk_audit_info *ad) 375 { 376 } 377 #endif 378 379 DEFINE_MUTEX(smack_known_lock); 380 381 struct hlist_head smack_known_hash[SMACK_HASH_SLOTS]; 382 383 /** 384 * smk_insert_entry - insert a smack label into a hash map, 385 * 386 * this function must be called under smack_known_lock 387 */ 388 void smk_insert_entry(struct smack_known *skp) 389 { 390 unsigned int hash; 391 struct hlist_head *head; 392 393 hash = full_name_hash(skp->smk_known, strlen(skp->smk_known)); 394 head = &smack_known_hash[hash & (SMACK_HASH_SLOTS - 1)]; 395 396 hlist_add_head_rcu(&skp->smk_hashed, head); 397 list_add_rcu(&skp->list, &smack_known_list); 398 } 399 400 /** 401 * smk_find_entry - find a label on the list, return the list entry 402 * @string: a text string that might be a Smack label 403 * 404 * Returns a pointer to the entry in the label list that 405 * matches the passed string. 406 */ 407 struct smack_known *smk_find_entry(const char *string) 408 { 409 unsigned int hash; 410 struct hlist_head *head; 411 struct smack_known *skp; 412 413 hash = full_name_hash(string, strlen(string)); 414 head = &smack_known_hash[hash & (SMACK_HASH_SLOTS - 1)]; 415 416 hlist_for_each_entry_rcu(skp, head, smk_hashed) 417 if (strcmp(skp->smk_known, string) == 0) 418 return skp; 419 420 return NULL; 421 } 422 423 /** 424 * smk_parse_smack - parse smack label from a text string 425 * @string: a text string that might contain a Smack label 426 * @len: the maximum size, or zero if it is NULL terminated. 427 * 428 * Returns a pointer to the clean label, or NULL 429 */ 430 char *smk_parse_smack(const char *string, int len) 431 { 432 char *smack; 433 int i; 434 435 if (len <= 0) 436 len = strlen(string) + 1; 437 438 /* 439 * Reserve a leading '-' as an indicator that 440 * this isn't a label, but an option to interfaces 441 * including /smack/cipso and /smack/cipso2 442 */ 443 if (string[0] == '-') 444 return NULL; 445 446 for (i = 0; i < len; i++) 447 if (string[i] > '~' || string[i] <= ' ' || string[i] == '/' || 448 string[i] == '"' || string[i] == '\\' || string[i] == '\'') 449 break; 450 451 if (i == 0 || i >= SMK_LONGLABEL) 452 return NULL; 453 454 smack = kzalloc(i + 1, GFP_KERNEL); 455 if (smack != NULL) 456 strncpy(smack, string, i); 457 458 return smack; 459 } 460 461 /** 462 * smk_netlbl_mls - convert a catset to netlabel mls categories 463 * @catset: the Smack categories 464 * @sap: where to put the netlabel categories 465 * 466 * Allocates and fills attr.mls 467 * Returns 0 on success, error code on failure. 468 */ 469 int smk_netlbl_mls(int level, char *catset, struct netlbl_lsm_secattr *sap, 470 int len) 471 { 472 unsigned char *cp; 473 unsigned char m; 474 int cat; 475 int rc; 476 int byte; 477 478 sap->flags |= NETLBL_SECATTR_MLS_CAT; 479 sap->attr.mls.lvl = level; 480 sap->attr.mls.cat = NULL; 481 482 for (cat = 1, cp = catset, byte = 0; byte < len; cp++, byte++) 483 for (m = 0x80; m != 0; m >>= 1, cat++) { 484 if ((m & *cp) == 0) 485 continue; 486 rc = netlbl_catmap_setbit(&sap->attr.mls.cat, 487 cat, GFP_ATOMIC); 488 if (rc < 0) { 489 netlbl_catmap_free(sap->attr.mls.cat); 490 return rc; 491 } 492 } 493 494 return 0; 495 } 496 497 /** 498 * smk_import_entry - import a label, return the list entry 499 * @string: a text string that might be a Smack label 500 * @len: the maximum size, or zero if it is NULL terminated. 501 * 502 * Returns a pointer to the entry in the label list that 503 * matches the passed string, adding it if necessary. 504 */ 505 struct smack_known *smk_import_entry(const char *string, int len) 506 { 507 struct smack_known *skp; 508 char *smack; 509 int slen; 510 int rc; 511 512 smack = smk_parse_smack(string, len); 513 if (smack == NULL) 514 return NULL; 515 516 mutex_lock(&smack_known_lock); 517 518 skp = smk_find_entry(smack); 519 if (skp != NULL) 520 goto freeout; 521 522 skp = kzalloc(sizeof(*skp), GFP_KERNEL); 523 if (skp == NULL) 524 goto freeout; 525 526 skp->smk_known = smack; 527 skp->smk_secid = smack_next_secid++; 528 skp->smk_netlabel.domain = skp->smk_known; 529 skp->smk_netlabel.flags = 530 NETLBL_SECATTR_DOMAIN | NETLBL_SECATTR_MLS_LVL; 531 /* 532 * If direct labeling works use it. 533 * Otherwise use mapped labeling. 534 */ 535 slen = strlen(smack); 536 if (slen < SMK_CIPSOLEN) 537 rc = smk_netlbl_mls(smack_cipso_direct, skp->smk_known, 538 &skp->smk_netlabel, slen); 539 else 540 rc = smk_netlbl_mls(smack_cipso_mapped, (char *)&skp->smk_secid, 541 &skp->smk_netlabel, sizeof(skp->smk_secid)); 542 543 if (rc >= 0) { 544 INIT_LIST_HEAD(&skp->smk_rules); 545 mutex_init(&skp->smk_rules_lock); 546 /* 547 * Make sure that the entry is actually 548 * filled before putting it on the list. 549 */ 550 smk_insert_entry(skp); 551 goto unlockout; 552 } 553 /* 554 * smk_netlbl_mls failed. 555 */ 556 kfree(skp); 557 skp = NULL; 558 freeout: 559 kfree(smack); 560 unlockout: 561 mutex_unlock(&smack_known_lock); 562 563 return skp; 564 } 565 566 /** 567 * smack_from_secid - find the Smack label associated with a secid 568 * @secid: an integer that might be associated with a Smack label 569 * 570 * Returns a pointer to the appropriate Smack label entry if there is one, 571 * otherwise a pointer to the invalid Smack label. 572 */ 573 struct smack_known *smack_from_secid(const u32 secid) 574 { 575 struct smack_known *skp; 576 577 rcu_read_lock(); 578 list_for_each_entry_rcu(skp, &smack_known_list, list) { 579 if (skp->smk_secid == secid) { 580 rcu_read_unlock(); 581 return skp; 582 } 583 } 584 585 /* 586 * If we got this far someone asked for the translation 587 * of a secid that is not on the list. 588 */ 589 rcu_read_unlock(); 590 return &smack_known_invalid; 591 } 592