1 /* 2 * Simplified MAC Kernel (smack) security module 3 * 4 * This file contains the smack hook function implementations. 5 * 6 * Authors: 7 * Casey Schaufler <casey@schaufler-ca.com> 8 * Jarkko Sakkinen <jarkko.sakkinen@intel.com> 9 * 10 * Copyright (C) 2007 Casey Schaufler <casey@schaufler-ca.com> 11 * Copyright (C) 2009 Hewlett-Packard Development Company, L.P. 12 * Paul Moore <paul@paul-moore.com> 13 * Copyright (C) 2010 Nokia Corporation 14 * Copyright (C) 2011 Intel Corporation. 15 * 16 * This program is free software; you can redistribute it and/or modify 17 * it under the terms of the GNU General Public License version 2, 18 * as published by the Free Software Foundation. 19 */ 20 21 #include <linux/xattr.h> 22 #include <linux/pagemap.h> 23 #include <linux/mount.h> 24 #include <linux/stat.h> 25 #include <linux/kd.h> 26 #include <asm/ioctls.h> 27 #include <linux/ip.h> 28 #include <linux/tcp.h> 29 #include <linux/udp.h> 30 #include <linux/dccp.h> 31 #include <linux/icmpv6.h> 32 #include <linux/slab.h> 33 #include <linux/mutex.h> 34 #include <linux/pipe_fs_i.h> 35 #include <net/cipso_ipv4.h> 36 #include <net/ip.h> 37 #include <net/ipv6.h> 38 #include <linux/audit.h> 39 #include <linux/magic.h> 40 #include <linux/dcache.h> 41 #include <linux/personality.h> 42 #include <linux/msg.h> 43 #include <linux/shm.h> 44 #include <linux/binfmts.h> 45 #include <linux/parser.h> 46 #include <linux/fs_context.h> 47 #include <linux/fs_parser.h> 48 #include "smack.h" 49 50 #define TRANS_TRUE "TRUE" 51 #define TRANS_TRUE_SIZE 4 52 53 #define SMK_CONNECTING 0 54 #define SMK_RECEIVING 1 55 #define SMK_SENDING 2 56 57 #ifdef SMACK_IPV6_PORT_LABELING 58 DEFINE_MUTEX(smack_ipv6_lock); 59 static LIST_HEAD(smk_ipv6_port_list); 60 #endif 61 static struct kmem_cache *smack_inode_cache; 62 struct kmem_cache *smack_rule_cache; 63 int smack_enabled; 64 65 #define A(s) {"smack"#s, sizeof("smack"#s) - 1, Opt_##s} 66 static struct { 67 const char *name; 68 int len; 69 int opt; 70 } smk_mount_opts[] = { 71 A(fsdefault), A(fsfloor), A(fshat), A(fsroot), A(fstransmute) 72 }; 73 #undef A 74 75 static int match_opt_prefix(char *s, int l, char **arg) 76 { 77 int i; 78 79 for (i = 0; i < ARRAY_SIZE(smk_mount_opts); i++) { 80 size_t len = smk_mount_opts[i].len; 81 if (len > l || memcmp(s, smk_mount_opts[i].name, len)) 82 continue; 83 if (len == l || s[len] != '=') 84 continue; 85 *arg = s + len + 1; 86 return smk_mount_opts[i].opt; 87 } 88 return Opt_error; 89 } 90 91 #ifdef CONFIG_SECURITY_SMACK_BRINGUP 92 static char *smk_bu_mess[] = { 93 "Bringup Error", /* Unused */ 94 "Bringup", /* SMACK_BRINGUP_ALLOW */ 95 "Unconfined Subject", /* SMACK_UNCONFINED_SUBJECT */ 96 "Unconfined Object", /* SMACK_UNCONFINED_OBJECT */ 97 }; 98 99 static void smk_bu_mode(int mode, char *s) 100 { 101 int i = 0; 102 103 if (mode & MAY_READ) 104 s[i++] = 'r'; 105 if (mode & MAY_WRITE) 106 s[i++] = 'w'; 107 if (mode & MAY_EXEC) 108 s[i++] = 'x'; 109 if (mode & MAY_APPEND) 110 s[i++] = 'a'; 111 if (mode & MAY_TRANSMUTE) 112 s[i++] = 't'; 113 if (mode & MAY_LOCK) 114 s[i++] = 'l'; 115 if (i == 0) 116 s[i++] = '-'; 117 s[i] = '\0'; 118 } 119 #endif 120 121 #ifdef CONFIG_SECURITY_SMACK_BRINGUP 122 static int smk_bu_note(char *note, struct smack_known *sskp, 123 struct smack_known *oskp, int mode, int rc) 124 { 125 char acc[SMK_NUM_ACCESS_TYPE + 1]; 126 127 if (rc <= 0) 128 return rc; 129 if (rc > SMACK_UNCONFINED_OBJECT) 130 rc = 0; 131 132 smk_bu_mode(mode, acc); 133 pr_info("Smack %s: (%s %s %s) %s\n", smk_bu_mess[rc], 134 sskp->smk_known, oskp->smk_known, acc, note); 135 return 0; 136 } 137 #else 138 #define smk_bu_note(note, sskp, oskp, mode, RC) (RC) 139 #endif 140 141 #ifdef CONFIG_SECURITY_SMACK_BRINGUP 142 static int smk_bu_current(char *note, struct smack_known *oskp, 143 int mode, int rc) 144 { 145 struct task_smack *tsp = smack_cred(current_cred()); 146 char acc[SMK_NUM_ACCESS_TYPE + 1]; 147 148 if (rc <= 0) 149 return rc; 150 if (rc > SMACK_UNCONFINED_OBJECT) 151 rc = 0; 152 153 smk_bu_mode(mode, acc); 154 pr_info("Smack %s: (%s %s %s) %s %s\n", smk_bu_mess[rc], 155 tsp->smk_task->smk_known, oskp->smk_known, 156 acc, current->comm, note); 157 return 0; 158 } 159 #else 160 #define smk_bu_current(note, oskp, mode, RC) (RC) 161 #endif 162 163 #ifdef CONFIG_SECURITY_SMACK_BRINGUP 164 static int smk_bu_task(struct task_struct *otp, int mode, int rc) 165 { 166 struct task_smack *tsp = smack_cred(current_cred()); 167 struct smack_known *smk_task = smk_of_task_struct(otp); 168 char acc[SMK_NUM_ACCESS_TYPE + 1]; 169 170 if (rc <= 0) 171 return rc; 172 if (rc > SMACK_UNCONFINED_OBJECT) 173 rc = 0; 174 175 smk_bu_mode(mode, acc); 176 pr_info("Smack %s: (%s %s %s) %s to %s\n", smk_bu_mess[rc], 177 tsp->smk_task->smk_known, smk_task->smk_known, acc, 178 current->comm, otp->comm); 179 return 0; 180 } 181 #else 182 #define smk_bu_task(otp, mode, RC) (RC) 183 #endif 184 185 #ifdef CONFIG_SECURITY_SMACK_BRINGUP 186 static int smk_bu_inode(struct inode *inode, int mode, int rc) 187 { 188 struct task_smack *tsp = smack_cred(current_cred()); 189 struct inode_smack *isp = smack_inode(inode); 190 char acc[SMK_NUM_ACCESS_TYPE + 1]; 191 192 if (isp->smk_flags & SMK_INODE_IMPURE) 193 pr_info("Smack Unconfined Corruption: inode=(%s %ld) %s\n", 194 inode->i_sb->s_id, inode->i_ino, current->comm); 195 196 if (rc <= 0) 197 return rc; 198 if (rc > SMACK_UNCONFINED_OBJECT) 199 rc = 0; 200 if (rc == SMACK_UNCONFINED_SUBJECT && 201 (mode & (MAY_WRITE | MAY_APPEND))) 202 isp->smk_flags |= SMK_INODE_IMPURE; 203 204 smk_bu_mode(mode, acc); 205 206 pr_info("Smack %s: (%s %s %s) inode=(%s %ld) %s\n", smk_bu_mess[rc], 207 tsp->smk_task->smk_known, isp->smk_inode->smk_known, acc, 208 inode->i_sb->s_id, inode->i_ino, current->comm); 209 return 0; 210 } 211 #else 212 #define smk_bu_inode(inode, mode, RC) (RC) 213 #endif 214 215 #ifdef CONFIG_SECURITY_SMACK_BRINGUP 216 static int smk_bu_file(struct file *file, int mode, int rc) 217 { 218 struct task_smack *tsp = smack_cred(current_cred()); 219 struct smack_known *sskp = tsp->smk_task; 220 struct inode *inode = file_inode(file); 221 struct inode_smack *isp = smack_inode(inode); 222 char acc[SMK_NUM_ACCESS_TYPE + 1]; 223 224 if (isp->smk_flags & SMK_INODE_IMPURE) 225 pr_info("Smack Unconfined Corruption: inode=(%s %ld) %s\n", 226 inode->i_sb->s_id, inode->i_ino, current->comm); 227 228 if (rc <= 0) 229 return rc; 230 if (rc > SMACK_UNCONFINED_OBJECT) 231 rc = 0; 232 233 smk_bu_mode(mode, acc); 234 pr_info("Smack %s: (%s %s %s) file=(%s %ld %pD) %s\n", smk_bu_mess[rc], 235 sskp->smk_known, smk_of_inode(inode)->smk_known, acc, 236 inode->i_sb->s_id, inode->i_ino, file, 237 current->comm); 238 return 0; 239 } 240 #else 241 #define smk_bu_file(file, mode, RC) (RC) 242 #endif 243 244 #ifdef CONFIG_SECURITY_SMACK_BRINGUP 245 static int smk_bu_credfile(const struct cred *cred, struct file *file, 246 int mode, int rc) 247 { 248 struct task_smack *tsp = smack_cred(cred); 249 struct smack_known *sskp = tsp->smk_task; 250 struct inode *inode = file_inode(file); 251 struct inode_smack *isp = smack_inode(inode); 252 char acc[SMK_NUM_ACCESS_TYPE + 1]; 253 254 if (isp->smk_flags & SMK_INODE_IMPURE) 255 pr_info("Smack Unconfined Corruption: inode=(%s %ld) %s\n", 256 inode->i_sb->s_id, inode->i_ino, current->comm); 257 258 if (rc <= 0) 259 return rc; 260 if (rc > SMACK_UNCONFINED_OBJECT) 261 rc = 0; 262 263 smk_bu_mode(mode, acc); 264 pr_info("Smack %s: (%s %s %s) file=(%s %ld %pD) %s\n", smk_bu_mess[rc], 265 sskp->smk_known, smk_of_inode(inode)->smk_known, acc, 266 inode->i_sb->s_id, inode->i_ino, file, 267 current->comm); 268 return 0; 269 } 270 #else 271 #define smk_bu_credfile(cred, file, mode, RC) (RC) 272 #endif 273 274 /** 275 * smk_fetch - Fetch the smack label from a file. 276 * @name: type of the label (attribute) 277 * @ip: a pointer to the inode 278 * @dp: a pointer to the dentry 279 * 280 * Returns a pointer to the master list entry for the Smack label, 281 * NULL if there was no label to fetch, or an error code. 282 */ 283 static struct smack_known *smk_fetch(const char *name, struct inode *ip, 284 struct dentry *dp) 285 { 286 int rc; 287 char *buffer; 288 struct smack_known *skp = NULL; 289 290 if (!(ip->i_opflags & IOP_XATTR)) 291 return ERR_PTR(-EOPNOTSUPP); 292 293 buffer = kzalloc(SMK_LONGLABEL, GFP_KERNEL); 294 if (buffer == NULL) 295 return ERR_PTR(-ENOMEM); 296 297 rc = __vfs_getxattr(dp, ip, name, buffer, SMK_LONGLABEL); 298 if (rc < 0) 299 skp = ERR_PTR(rc); 300 else if (rc == 0) 301 skp = NULL; 302 else 303 skp = smk_import_entry(buffer, rc); 304 305 kfree(buffer); 306 307 return skp; 308 } 309 310 /** 311 * init_inode_smack - initialize an inode security blob 312 * @isp: the blob to initialize 313 * @skp: a pointer to the Smack label entry to use in the blob 314 * 315 */ 316 static void init_inode_smack(struct inode *inode, struct smack_known *skp) 317 { 318 struct inode_smack *isp = smack_inode(inode); 319 320 isp->smk_inode = skp; 321 isp->smk_flags = 0; 322 mutex_init(&isp->smk_lock); 323 } 324 325 /** 326 * init_task_smack - initialize a task security blob 327 * @tsp: blob to initialize 328 * @task: a pointer to the Smack label for the running task 329 * @forked: a pointer to the Smack label for the forked task 330 * 331 */ 332 static void init_task_smack(struct task_smack *tsp, struct smack_known *task, 333 struct smack_known *forked) 334 { 335 tsp->smk_task = task; 336 tsp->smk_forked = forked; 337 INIT_LIST_HEAD(&tsp->smk_rules); 338 INIT_LIST_HEAD(&tsp->smk_relabel); 339 mutex_init(&tsp->smk_rules_lock); 340 } 341 342 /** 343 * smk_copy_rules - copy a rule set 344 * @nhead: new rules header pointer 345 * @ohead: old rules header pointer 346 * @gfp: type of the memory for the allocation 347 * 348 * Returns 0 on success, -ENOMEM on error 349 */ 350 static int smk_copy_rules(struct list_head *nhead, struct list_head *ohead, 351 gfp_t gfp) 352 { 353 struct smack_rule *nrp; 354 struct smack_rule *orp; 355 int rc = 0; 356 357 list_for_each_entry_rcu(orp, ohead, list) { 358 nrp = kmem_cache_zalloc(smack_rule_cache, gfp); 359 if (nrp == NULL) { 360 rc = -ENOMEM; 361 break; 362 } 363 *nrp = *orp; 364 list_add_rcu(&nrp->list, nhead); 365 } 366 return rc; 367 } 368 369 /** 370 * smk_copy_relabel - copy smk_relabel labels list 371 * @nhead: new rules header pointer 372 * @ohead: old rules header pointer 373 * @gfp: type of the memory for the allocation 374 * 375 * Returns 0 on success, -ENOMEM on error 376 */ 377 static int smk_copy_relabel(struct list_head *nhead, struct list_head *ohead, 378 gfp_t gfp) 379 { 380 struct smack_known_list_elem *nklep; 381 struct smack_known_list_elem *oklep; 382 383 list_for_each_entry(oklep, ohead, list) { 384 nklep = kzalloc(sizeof(struct smack_known_list_elem), gfp); 385 if (nklep == NULL) { 386 smk_destroy_label_list(nhead); 387 return -ENOMEM; 388 } 389 nklep->smk_label = oklep->smk_label; 390 list_add(&nklep->list, nhead); 391 } 392 393 return 0; 394 } 395 396 /** 397 * smk_ptrace_mode - helper function for converting PTRACE_MODE_* into MAY_* 398 * @mode - input mode in form of PTRACE_MODE_* 399 * 400 * Returns a converted MAY_* mode usable by smack rules 401 */ 402 static inline unsigned int smk_ptrace_mode(unsigned int mode) 403 { 404 if (mode & PTRACE_MODE_ATTACH) 405 return MAY_READWRITE; 406 if (mode & PTRACE_MODE_READ) 407 return MAY_READ; 408 409 return 0; 410 } 411 412 /** 413 * smk_ptrace_rule_check - helper for ptrace access 414 * @tracer: tracer process 415 * @tracee_known: label entry of the process that's about to be traced 416 * @mode: ptrace attachment mode (PTRACE_MODE_*) 417 * @func: name of the function that called us, used for audit 418 * 419 * Returns 0 on access granted, -error on error 420 */ 421 static int smk_ptrace_rule_check(struct task_struct *tracer, 422 struct smack_known *tracee_known, 423 unsigned int mode, const char *func) 424 { 425 int rc; 426 struct smk_audit_info ad, *saip = NULL; 427 struct task_smack *tsp; 428 struct smack_known *tracer_known; 429 const struct cred *tracercred; 430 431 if ((mode & PTRACE_MODE_NOAUDIT) == 0) { 432 smk_ad_init(&ad, func, LSM_AUDIT_DATA_TASK); 433 smk_ad_setfield_u_tsk(&ad, tracer); 434 saip = &ad; 435 } 436 437 rcu_read_lock(); 438 tracercred = __task_cred(tracer); 439 tsp = smack_cred(tracercred); 440 tracer_known = smk_of_task(tsp); 441 442 if ((mode & PTRACE_MODE_ATTACH) && 443 (smack_ptrace_rule == SMACK_PTRACE_EXACT || 444 smack_ptrace_rule == SMACK_PTRACE_DRACONIAN)) { 445 if (tracer_known->smk_known == tracee_known->smk_known) 446 rc = 0; 447 else if (smack_ptrace_rule == SMACK_PTRACE_DRACONIAN) 448 rc = -EACCES; 449 else if (smack_privileged_cred(CAP_SYS_PTRACE, tracercred)) 450 rc = 0; 451 else 452 rc = -EACCES; 453 454 if (saip) 455 smack_log(tracer_known->smk_known, 456 tracee_known->smk_known, 457 0, rc, saip); 458 459 rcu_read_unlock(); 460 return rc; 461 } 462 463 /* In case of rule==SMACK_PTRACE_DEFAULT or mode==PTRACE_MODE_READ */ 464 rc = smk_tskacc(tsp, tracee_known, smk_ptrace_mode(mode), saip); 465 466 rcu_read_unlock(); 467 return rc; 468 } 469 470 /* 471 * LSM hooks. 472 * We he, that is fun! 473 */ 474 475 /** 476 * smack_ptrace_access_check - Smack approval on PTRACE_ATTACH 477 * @ctp: child task pointer 478 * @mode: ptrace attachment mode (PTRACE_MODE_*) 479 * 480 * Returns 0 if access is OK, an error code otherwise 481 * 482 * Do the capability checks. 483 */ 484 static int smack_ptrace_access_check(struct task_struct *ctp, unsigned int mode) 485 { 486 struct smack_known *skp; 487 488 skp = smk_of_task_struct(ctp); 489 490 return smk_ptrace_rule_check(current, skp, mode, __func__); 491 } 492 493 /** 494 * smack_ptrace_traceme - Smack approval on PTRACE_TRACEME 495 * @ptp: parent task pointer 496 * 497 * Returns 0 if access is OK, an error code otherwise 498 * 499 * Do the capability checks, and require PTRACE_MODE_ATTACH. 500 */ 501 static int smack_ptrace_traceme(struct task_struct *ptp) 502 { 503 int rc; 504 struct smack_known *skp; 505 506 skp = smk_of_task(smack_cred(current_cred())); 507 508 rc = smk_ptrace_rule_check(ptp, skp, PTRACE_MODE_ATTACH, __func__); 509 return rc; 510 } 511 512 /** 513 * smack_syslog - Smack approval on syslog 514 * @type: message type 515 * 516 * Returns 0 on success, error code otherwise. 517 */ 518 static int smack_syslog(int typefrom_file) 519 { 520 int rc = 0; 521 struct smack_known *skp = smk_of_current(); 522 523 if (smack_privileged(CAP_MAC_OVERRIDE)) 524 return 0; 525 526 if (smack_syslog_label != NULL && smack_syslog_label != skp) 527 rc = -EACCES; 528 529 return rc; 530 } 531 532 /* 533 * Superblock Hooks. 534 */ 535 536 /** 537 * smack_sb_alloc_security - allocate a superblock blob 538 * @sb: the superblock getting the blob 539 * 540 * Returns 0 on success or -ENOMEM on error. 541 */ 542 static int smack_sb_alloc_security(struct super_block *sb) 543 { 544 struct superblock_smack *sbsp; 545 546 sbsp = kzalloc(sizeof(struct superblock_smack), GFP_KERNEL); 547 548 if (sbsp == NULL) 549 return -ENOMEM; 550 551 sbsp->smk_root = &smack_known_floor; 552 sbsp->smk_default = &smack_known_floor; 553 sbsp->smk_floor = &smack_known_floor; 554 sbsp->smk_hat = &smack_known_hat; 555 /* 556 * SMK_SB_INITIALIZED will be zero from kzalloc. 557 */ 558 sb->s_security = sbsp; 559 560 return 0; 561 } 562 563 /** 564 * smack_sb_free_security - free a superblock blob 565 * @sb: the superblock getting the blob 566 * 567 */ 568 static void smack_sb_free_security(struct super_block *sb) 569 { 570 kfree(sb->s_security); 571 sb->s_security = NULL; 572 } 573 574 struct smack_mnt_opts { 575 const char *fsdefault, *fsfloor, *fshat, *fsroot, *fstransmute; 576 }; 577 578 static void smack_free_mnt_opts(void *mnt_opts) 579 { 580 struct smack_mnt_opts *opts = mnt_opts; 581 kfree(opts->fsdefault); 582 kfree(opts->fsfloor); 583 kfree(opts->fshat); 584 kfree(opts->fsroot); 585 kfree(opts->fstransmute); 586 kfree(opts); 587 } 588 589 static int smack_add_opt(int token, const char *s, void **mnt_opts) 590 { 591 struct smack_mnt_opts *opts = *mnt_opts; 592 593 if (!opts) { 594 opts = kzalloc(sizeof(struct smack_mnt_opts), GFP_KERNEL); 595 if (!opts) 596 return -ENOMEM; 597 *mnt_opts = opts; 598 } 599 if (!s) 600 return -ENOMEM; 601 602 switch (token) { 603 case Opt_fsdefault: 604 if (opts->fsdefault) 605 goto out_opt_err; 606 opts->fsdefault = s; 607 break; 608 case Opt_fsfloor: 609 if (opts->fsfloor) 610 goto out_opt_err; 611 opts->fsfloor = s; 612 break; 613 case Opt_fshat: 614 if (opts->fshat) 615 goto out_opt_err; 616 opts->fshat = s; 617 break; 618 case Opt_fsroot: 619 if (opts->fsroot) 620 goto out_opt_err; 621 opts->fsroot = s; 622 break; 623 case Opt_fstransmute: 624 if (opts->fstransmute) 625 goto out_opt_err; 626 opts->fstransmute = s; 627 break; 628 } 629 return 0; 630 631 out_opt_err: 632 pr_warn("Smack: duplicate mount options\n"); 633 return -EINVAL; 634 } 635 636 /** 637 * smack_fs_context_dup - Duplicate the security data on fs_context duplication 638 * @fc: The new filesystem context. 639 * @src_fc: The source filesystem context being duplicated. 640 * 641 * Returns 0 on success or -ENOMEM on error. 642 */ 643 static int smack_fs_context_dup(struct fs_context *fc, 644 struct fs_context *src_fc) 645 { 646 struct smack_mnt_opts *dst, *src = src_fc->security; 647 648 if (!src) 649 return 0; 650 651 fc->security = kzalloc(sizeof(struct smack_mnt_opts), GFP_KERNEL); 652 if (!fc->security) 653 return -ENOMEM; 654 dst = fc->security; 655 656 if (src->fsdefault) { 657 dst->fsdefault = kstrdup(src->fsdefault, GFP_KERNEL); 658 if (!dst->fsdefault) 659 return -ENOMEM; 660 } 661 if (src->fsfloor) { 662 dst->fsfloor = kstrdup(src->fsfloor, GFP_KERNEL); 663 if (!dst->fsfloor) 664 return -ENOMEM; 665 } 666 if (src->fshat) { 667 dst->fshat = kstrdup(src->fshat, GFP_KERNEL); 668 if (!dst->fshat) 669 return -ENOMEM; 670 } 671 if (src->fsroot) { 672 dst->fsroot = kstrdup(src->fsroot, GFP_KERNEL); 673 if (!dst->fsroot) 674 return -ENOMEM; 675 } 676 if (src->fstransmute) { 677 dst->fstransmute = kstrdup(src->fstransmute, GFP_KERNEL); 678 if (!dst->fstransmute) 679 return -ENOMEM; 680 } 681 return 0; 682 } 683 684 static const struct fs_parameter_spec smack_param_specs[] = { 685 fsparam_string("fsdefault", Opt_fsdefault), 686 fsparam_string("fsfloor", Opt_fsfloor), 687 fsparam_string("fshat", Opt_fshat), 688 fsparam_string("fsroot", Opt_fsroot), 689 fsparam_string("fstransmute", Opt_fstransmute), 690 {} 691 }; 692 693 static const struct fs_parameter_description smack_fs_parameters = { 694 .name = "smack", 695 .specs = smack_param_specs, 696 }; 697 698 /** 699 * smack_fs_context_parse_param - Parse a single mount parameter 700 * @fc: The new filesystem context being constructed. 701 * @param: The parameter. 702 * 703 * Returns 0 on success, -ENOPARAM to pass the parameter on or anything else on 704 * error. 705 */ 706 static int smack_fs_context_parse_param(struct fs_context *fc, 707 struct fs_parameter *param) 708 { 709 struct fs_parse_result result; 710 int opt, rc; 711 712 opt = fs_parse(fc, &smack_fs_parameters, param, &result); 713 if (opt < 0) 714 return opt; 715 716 rc = smack_add_opt(opt, param->string, &fc->security); 717 if (!rc) 718 param->string = NULL; 719 return rc; 720 } 721 722 static int smack_sb_eat_lsm_opts(char *options, void **mnt_opts) 723 { 724 char *from = options, *to = options; 725 bool first = true; 726 727 while (1) { 728 char *next = strchr(from, ','); 729 int token, len, rc; 730 char *arg = NULL; 731 732 if (next) 733 len = next - from; 734 else 735 len = strlen(from); 736 737 token = match_opt_prefix(from, len, &arg); 738 if (token != Opt_error) { 739 arg = kmemdup_nul(arg, from + len - arg, GFP_KERNEL); 740 rc = smack_add_opt(token, arg, mnt_opts); 741 if (unlikely(rc)) { 742 kfree(arg); 743 if (*mnt_opts) 744 smack_free_mnt_opts(*mnt_opts); 745 *mnt_opts = NULL; 746 return rc; 747 } 748 } else { 749 if (!first) { // copy with preceding comma 750 from--; 751 len++; 752 } 753 if (to != from) 754 memmove(to, from, len); 755 to += len; 756 first = false; 757 } 758 if (!from[len]) 759 break; 760 from += len + 1; 761 } 762 *to = '\0'; 763 return 0; 764 } 765 766 /** 767 * smack_set_mnt_opts - set Smack specific mount options 768 * @sb: the file system superblock 769 * @opts: Smack mount options 770 * @kern_flags: mount option from kernel space or user space 771 * @set_kern_flags: where to store converted mount opts 772 * 773 * Returns 0 on success, an error code on failure 774 * 775 * Allow filesystems with binary mount data to explicitly set Smack mount 776 * labels. 777 */ 778 static int smack_set_mnt_opts(struct super_block *sb, 779 void *mnt_opts, 780 unsigned long kern_flags, 781 unsigned long *set_kern_flags) 782 { 783 struct dentry *root = sb->s_root; 784 struct inode *inode = d_backing_inode(root); 785 struct superblock_smack *sp = sb->s_security; 786 struct inode_smack *isp; 787 struct smack_known *skp; 788 struct smack_mnt_opts *opts = mnt_opts; 789 bool transmute = false; 790 791 if (sp->smk_flags & SMK_SB_INITIALIZED) 792 return 0; 793 794 if (inode->i_security == NULL) { 795 int rc = lsm_inode_alloc(inode); 796 797 if (rc) 798 return rc; 799 } 800 801 if (!smack_privileged(CAP_MAC_ADMIN)) { 802 /* 803 * Unprivileged mounts don't get to specify Smack values. 804 */ 805 if (opts) 806 return -EPERM; 807 /* 808 * Unprivileged mounts get root and default from the caller. 809 */ 810 skp = smk_of_current(); 811 sp->smk_root = skp; 812 sp->smk_default = skp; 813 /* 814 * For a handful of fs types with no user-controlled 815 * backing store it's okay to trust security labels 816 * in the filesystem. The rest are untrusted. 817 */ 818 if (sb->s_user_ns != &init_user_ns && 819 sb->s_magic != SYSFS_MAGIC && sb->s_magic != TMPFS_MAGIC && 820 sb->s_magic != RAMFS_MAGIC) { 821 transmute = true; 822 sp->smk_flags |= SMK_SB_UNTRUSTED; 823 } 824 } 825 826 sp->smk_flags |= SMK_SB_INITIALIZED; 827 828 if (opts) { 829 if (opts->fsdefault) { 830 skp = smk_import_entry(opts->fsdefault, 0); 831 if (IS_ERR(skp)) 832 return PTR_ERR(skp); 833 sp->smk_default = skp; 834 } 835 if (opts->fsfloor) { 836 skp = smk_import_entry(opts->fsfloor, 0); 837 if (IS_ERR(skp)) 838 return PTR_ERR(skp); 839 sp->smk_floor = skp; 840 } 841 if (opts->fshat) { 842 skp = smk_import_entry(opts->fshat, 0); 843 if (IS_ERR(skp)) 844 return PTR_ERR(skp); 845 sp->smk_hat = skp; 846 } 847 if (opts->fsroot) { 848 skp = smk_import_entry(opts->fsroot, 0); 849 if (IS_ERR(skp)) 850 return PTR_ERR(skp); 851 sp->smk_root = skp; 852 } 853 if (opts->fstransmute) { 854 skp = smk_import_entry(opts->fstransmute, 0); 855 if (IS_ERR(skp)) 856 return PTR_ERR(skp); 857 sp->smk_root = skp; 858 transmute = true; 859 } 860 } 861 862 /* 863 * Initialize the root inode. 864 */ 865 init_inode_smack(inode, sp->smk_root); 866 867 if (transmute) { 868 isp = smack_inode(inode); 869 isp->smk_flags |= SMK_INODE_TRANSMUTE; 870 } 871 872 return 0; 873 } 874 875 /** 876 * smack_sb_statfs - Smack check on statfs 877 * @dentry: identifies the file system in question 878 * 879 * Returns 0 if current can read the floor of the filesystem, 880 * and error code otherwise 881 */ 882 static int smack_sb_statfs(struct dentry *dentry) 883 { 884 struct superblock_smack *sbp = dentry->d_sb->s_security; 885 int rc; 886 struct smk_audit_info ad; 887 888 smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_DENTRY); 889 smk_ad_setfield_u_fs_path_dentry(&ad, dentry); 890 891 rc = smk_curacc(sbp->smk_floor, MAY_READ, &ad); 892 rc = smk_bu_current("statfs", sbp->smk_floor, MAY_READ, rc); 893 return rc; 894 } 895 896 /* 897 * BPRM hooks 898 */ 899 900 /** 901 * smack_bprm_set_creds - set creds for exec 902 * @bprm: the exec information 903 * 904 * Returns 0 if it gets a blob, -EPERM if exec forbidden and -ENOMEM otherwise 905 */ 906 static int smack_bprm_set_creds(struct linux_binprm *bprm) 907 { 908 struct inode *inode = file_inode(bprm->file); 909 struct task_smack *bsp = smack_cred(bprm->cred); 910 struct inode_smack *isp; 911 struct superblock_smack *sbsp; 912 int rc; 913 914 if (bprm->called_set_creds) 915 return 0; 916 917 isp = smack_inode(inode); 918 if (isp->smk_task == NULL || isp->smk_task == bsp->smk_task) 919 return 0; 920 921 sbsp = inode->i_sb->s_security; 922 if ((sbsp->smk_flags & SMK_SB_UNTRUSTED) && 923 isp->smk_task != sbsp->smk_root) 924 return 0; 925 926 if (bprm->unsafe & LSM_UNSAFE_PTRACE) { 927 struct task_struct *tracer; 928 rc = 0; 929 930 rcu_read_lock(); 931 tracer = ptrace_parent(current); 932 if (likely(tracer != NULL)) 933 rc = smk_ptrace_rule_check(tracer, 934 isp->smk_task, 935 PTRACE_MODE_ATTACH, 936 __func__); 937 rcu_read_unlock(); 938 939 if (rc != 0) 940 return rc; 941 } else if (bprm->unsafe) 942 return -EPERM; 943 944 bsp->smk_task = isp->smk_task; 945 bprm->per_clear |= PER_CLEAR_ON_SETID; 946 947 /* Decide if this is a secure exec. */ 948 if (bsp->smk_task != bsp->smk_forked) 949 bprm->secureexec = 1; 950 951 return 0; 952 } 953 954 /* 955 * Inode hooks 956 */ 957 958 /** 959 * smack_inode_alloc_security - allocate an inode blob 960 * @inode: the inode in need of a blob 961 * 962 * Returns 0 if it gets a blob, -ENOMEM otherwise 963 */ 964 static int smack_inode_alloc_security(struct inode *inode) 965 { 966 struct smack_known *skp = smk_of_current(); 967 968 init_inode_smack(inode, skp); 969 return 0; 970 } 971 972 /** 973 * smack_inode_init_security - copy out the smack from an inode 974 * @inode: the newly created inode 975 * @dir: containing directory object 976 * @qstr: unused 977 * @name: where to put the attribute name 978 * @value: where to put the attribute value 979 * @len: where to put the length of the attribute 980 * 981 * Returns 0 if it all works out, -ENOMEM if there's no memory 982 */ 983 static int smack_inode_init_security(struct inode *inode, struct inode *dir, 984 const struct qstr *qstr, const char **name, 985 void **value, size_t *len) 986 { 987 struct inode_smack *issp = smack_inode(inode); 988 struct smack_known *skp = smk_of_current(); 989 struct smack_known *isp = smk_of_inode(inode); 990 struct smack_known *dsp = smk_of_inode(dir); 991 int may; 992 993 if (name) 994 *name = XATTR_SMACK_SUFFIX; 995 996 if (value && len) { 997 rcu_read_lock(); 998 may = smk_access_entry(skp->smk_known, dsp->smk_known, 999 &skp->smk_rules); 1000 rcu_read_unlock(); 1001 1002 /* 1003 * If the access rule allows transmutation and 1004 * the directory requests transmutation then 1005 * by all means transmute. 1006 * Mark the inode as changed. 1007 */ 1008 if (may > 0 && ((may & MAY_TRANSMUTE) != 0) && 1009 smk_inode_transmutable(dir)) { 1010 isp = dsp; 1011 issp->smk_flags |= SMK_INODE_CHANGED; 1012 } 1013 1014 *value = kstrdup(isp->smk_known, GFP_NOFS); 1015 if (*value == NULL) 1016 return -ENOMEM; 1017 1018 *len = strlen(isp->smk_known); 1019 } 1020 1021 return 0; 1022 } 1023 1024 /** 1025 * smack_inode_link - Smack check on link 1026 * @old_dentry: the existing object 1027 * @dir: unused 1028 * @new_dentry: the new object 1029 * 1030 * Returns 0 if access is permitted, an error code otherwise 1031 */ 1032 static int smack_inode_link(struct dentry *old_dentry, struct inode *dir, 1033 struct dentry *new_dentry) 1034 { 1035 struct smack_known *isp; 1036 struct smk_audit_info ad; 1037 int rc; 1038 1039 smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_DENTRY); 1040 smk_ad_setfield_u_fs_path_dentry(&ad, old_dentry); 1041 1042 isp = smk_of_inode(d_backing_inode(old_dentry)); 1043 rc = smk_curacc(isp, MAY_WRITE, &ad); 1044 rc = smk_bu_inode(d_backing_inode(old_dentry), MAY_WRITE, rc); 1045 1046 if (rc == 0 && d_is_positive(new_dentry)) { 1047 isp = smk_of_inode(d_backing_inode(new_dentry)); 1048 smk_ad_setfield_u_fs_path_dentry(&ad, new_dentry); 1049 rc = smk_curacc(isp, MAY_WRITE, &ad); 1050 rc = smk_bu_inode(d_backing_inode(new_dentry), MAY_WRITE, rc); 1051 } 1052 1053 return rc; 1054 } 1055 1056 /** 1057 * smack_inode_unlink - Smack check on inode deletion 1058 * @dir: containing directory object 1059 * @dentry: file to unlink 1060 * 1061 * Returns 0 if current can write the containing directory 1062 * and the object, error code otherwise 1063 */ 1064 static int smack_inode_unlink(struct inode *dir, struct dentry *dentry) 1065 { 1066 struct inode *ip = d_backing_inode(dentry); 1067 struct smk_audit_info ad; 1068 int rc; 1069 1070 smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_DENTRY); 1071 smk_ad_setfield_u_fs_path_dentry(&ad, dentry); 1072 1073 /* 1074 * You need write access to the thing you're unlinking 1075 */ 1076 rc = smk_curacc(smk_of_inode(ip), MAY_WRITE, &ad); 1077 rc = smk_bu_inode(ip, MAY_WRITE, rc); 1078 if (rc == 0) { 1079 /* 1080 * You also need write access to the containing directory 1081 */ 1082 smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_INODE); 1083 smk_ad_setfield_u_fs_inode(&ad, dir); 1084 rc = smk_curacc(smk_of_inode(dir), MAY_WRITE, &ad); 1085 rc = smk_bu_inode(dir, MAY_WRITE, rc); 1086 } 1087 return rc; 1088 } 1089 1090 /** 1091 * smack_inode_rmdir - Smack check on directory deletion 1092 * @dir: containing directory object 1093 * @dentry: directory to unlink 1094 * 1095 * Returns 0 if current can write the containing directory 1096 * and the directory, error code otherwise 1097 */ 1098 static int smack_inode_rmdir(struct inode *dir, struct dentry *dentry) 1099 { 1100 struct smk_audit_info ad; 1101 int rc; 1102 1103 smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_DENTRY); 1104 smk_ad_setfield_u_fs_path_dentry(&ad, dentry); 1105 1106 /* 1107 * You need write access to the thing you're removing 1108 */ 1109 rc = smk_curacc(smk_of_inode(d_backing_inode(dentry)), MAY_WRITE, &ad); 1110 rc = smk_bu_inode(d_backing_inode(dentry), MAY_WRITE, rc); 1111 if (rc == 0) { 1112 /* 1113 * You also need write access to the containing directory 1114 */ 1115 smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_INODE); 1116 smk_ad_setfield_u_fs_inode(&ad, dir); 1117 rc = smk_curacc(smk_of_inode(dir), MAY_WRITE, &ad); 1118 rc = smk_bu_inode(dir, MAY_WRITE, rc); 1119 } 1120 1121 return rc; 1122 } 1123 1124 /** 1125 * smack_inode_rename - Smack check on rename 1126 * @old_inode: unused 1127 * @old_dentry: the old object 1128 * @new_inode: unused 1129 * @new_dentry: the new object 1130 * 1131 * Read and write access is required on both the old and 1132 * new directories. 1133 * 1134 * Returns 0 if access is permitted, an error code otherwise 1135 */ 1136 static int smack_inode_rename(struct inode *old_inode, 1137 struct dentry *old_dentry, 1138 struct inode *new_inode, 1139 struct dentry *new_dentry) 1140 { 1141 int rc; 1142 struct smack_known *isp; 1143 struct smk_audit_info ad; 1144 1145 smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_DENTRY); 1146 smk_ad_setfield_u_fs_path_dentry(&ad, old_dentry); 1147 1148 isp = smk_of_inode(d_backing_inode(old_dentry)); 1149 rc = smk_curacc(isp, MAY_READWRITE, &ad); 1150 rc = smk_bu_inode(d_backing_inode(old_dentry), MAY_READWRITE, rc); 1151 1152 if (rc == 0 && d_is_positive(new_dentry)) { 1153 isp = smk_of_inode(d_backing_inode(new_dentry)); 1154 smk_ad_setfield_u_fs_path_dentry(&ad, new_dentry); 1155 rc = smk_curacc(isp, MAY_READWRITE, &ad); 1156 rc = smk_bu_inode(d_backing_inode(new_dentry), MAY_READWRITE, rc); 1157 } 1158 return rc; 1159 } 1160 1161 /** 1162 * smack_inode_permission - Smack version of permission() 1163 * @inode: the inode in question 1164 * @mask: the access requested 1165 * 1166 * This is the important Smack hook. 1167 * 1168 * Returns 0 if access is permitted, -EACCES otherwise 1169 */ 1170 static int smack_inode_permission(struct inode *inode, int mask) 1171 { 1172 struct superblock_smack *sbsp = inode->i_sb->s_security; 1173 struct smk_audit_info ad; 1174 int no_block = mask & MAY_NOT_BLOCK; 1175 int rc; 1176 1177 mask &= (MAY_READ|MAY_WRITE|MAY_EXEC|MAY_APPEND); 1178 /* 1179 * No permission to check. Existence test. Yup, it's there. 1180 */ 1181 if (mask == 0) 1182 return 0; 1183 1184 if (sbsp->smk_flags & SMK_SB_UNTRUSTED) { 1185 if (smk_of_inode(inode) != sbsp->smk_root) 1186 return -EACCES; 1187 } 1188 1189 /* May be droppable after audit */ 1190 if (no_block) 1191 return -ECHILD; 1192 smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_INODE); 1193 smk_ad_setfield_u_fs_inode(&ad, inode); 1194 rc = smk_curacc(smk_of_inode(inode), mask, &ad); 1195 rc = smk_bu_inode(inode, mask, rc); 1196 return rc; 1197 } 1198 1199 /** 1200 * smack_inode_setattr - Smack check for setting attributes 1201 * @dentry: the object 1202 * @iattr: for the force flag 1203 * 1204 * Returns 0 if access is permitted, an error code otherwise 1205 */ 1206 static int smack_inode_setattr(struct dentry *dentry, struct iattr *iattr) 1207 { 1208 struct smk_audit_info ad; 1209 int rc; 1210 1211 /* 1212 * Need to allow for clearing the setuid bit. 1213 */ 1214 if (iattr->ia_valid & ATTR_FORCE) 1215 return 0; 1216 smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_DENTRY); 1217 smk_ad_setfield_u_fs_path_dentry(&ad, dentry); 1218 1219 rc = smk_curacc(smk_of_inode(d_backing_inode(dentry)), MAY_WRITE, &ad); 1220 rc = smk_bu_inode(d_backing_inode(dentry), MAY_WRITE, rc); 1221 return rc; 1222 } 1223 1224 /** 1225 * smack_inode_getattr - Smack check for getting attributes 1226 * @mnt: vfsmount of the object 1227 * @dentry: the object 1228 * 1229 * Returns 0 if access is permitted, an error code otherwise 1230 */ 1231 static int smack_inode_getattr(const struct path *path) 1232 { 1233 struct smk_audit_info ad; 1234 struct inode *inode = d_backing_inode(path->dentry); 1235 int rc; 1236 1237 smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_PATH); 1238 smk_ad_setfield_u_fs_path(&ad, *path); 1239 rc = smk_curacc(smk_of_inode(inode), MAY_READ, &ad); 1240 rc = smk_bu_inode(inode, MAY_READ, rc); 1241 return rc; 1242 } 1243 1244 /** 1245 * smack_inode_setxattr - Smack check for setting xattrs 1246 * @dentry: the object 1247 * @name: name of the attribute 1248 * @value: value of the attribute 1249 * @size: size of the value 1250 * @flags: unused 1251 * 1252 * This protects the Smack attribute explicitly. 1253 * 1254 * Returns 0 if access is permitted, an error code otherwise 1255 */ 1256 static int smack_inode_setxattr(struct dentry *dentry, const char *name, 1257 const void *value, size_t size, int flags) 1258 { 1259 struct smk_audit_info ad; 1260 struct smack_known *skp; 1261 int check_priv = 0; 1262 int check_import = 0; 1263 int check_star = 0; 1264 int rc = 0; 1265 1266 /* 1267 * Check label validity here so import won't fail in post_setxattr 1268 */ 1269 if (strcmp(name, XATTR_NAME_SMACK) == 0 || 1270 strcmp(name, XATTR_NAME_SMACKIPIN) == 0 || 1271 strcmp(name, XATTR_NAME_SMACKIPOUT) == 0) { 1272 check_priv = 1; 1273 check_import = 1; 1274 } else if (strcmp(name, XATTR_NAME_SMACKEXEC) == 0 || 1275 strcmp(name, XATTR_NAME_SMACKMMAP) == 0) { 1276 check_priv = 1; 1277 check_import = 1; 1278 check_star = 1; 1279 } else if (strcmp(name, XATTR_NAME_SMACKTRANSMUTE) == 0) { 1280 check_priv = 1; 1281 if (size != TRANS_TRUE_SIZE || 1282 strncmp(value, TRANS_TRUE, TRANS_TRUE_SIZE) != 0) 1283 rc = -EINVAL; 1284 } else 1285 rc = cap_inode_setxattr(dentry, name, value, size, flags); 1286 1287 if (check_priv && !smack_privileged(CAP_MAC_ADMIN)) 1288 rc = -EPERM; 1289 1290 if (rc == 0 && check_import) { 1291 skp = size ? smk_import_entry(value, size) : NULL; 1292 if (IS_ERR(skp)) 1293 rc = PTR_ERR(skp); 1294 else if (skp == NULL || (check_star && 1295 (skp == &smack_known_star || skp == &smack_known_web))) 1296 rc = -EINVAL; 1297 } 1298 1299 smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_DENTRY); 1300 smk_ad_setfield_u_fs_path_dentry(&ad, dentry); 1301 1302 if (rc == 0) { 1303 rc = smk_curacc(smk_of_inode(d_backing_inode(dentry)), MAY_WRITE, &ad); 1304 rc = smk_bu_inode(d_backing_inode(dentry), MAY_WRITE, rc); 1305 } 1306 1307 return rc; 1308 } 1309 1310 /** 1311 * smack_inode_post_setxattr - Apply the Smack update approved above 1312 * @dentry: object 1313 * @name: attribute name 1314 * @value: attribute value 1315 * @size: attribute size 1316 * @flags: unused 1317 * 1318 * Set the pointer in the inode blob to the entry found 1319 * in the master label list. 1320 */ 1321 static void smack_inode_post_setxattr(struct dentry *dentry, const char *name, 1322 const void *value, size_t size, int flags) 1323 { 1324 struct smack_known *skp; 1325 struct inode_smack *isp = smack_inode(d_backing_inode(dentry)); 1326 1327 if (strcmp(name, XATTR_NAME_SMACKTRANSMUTE) == 0) { 1328 isp->smk_flags |= SMK_INODE_TRANSMUTE; 1329 return; 1330 } 1331 1332 if (strcmp(name, XATTR_NAME_SMACK) == 0) { 1333 skp = smk_import_entry(value, size); 1334 if (!IS_ERR(skp)) 1335 isp->smk_inode = skp; 1336 } else if (strcmp(name, XATTR_NAME_SMACKEXEC) == 0) { 1337 skp = smk_import_entry(value, size); 1338 if (!IS_ERR(skp)) 1339 isp->smk_task = skp; 1340 } else if (strcmp(name, XATTR_NAME_SMACKMMAP) == 0) { 1341 skp = smk_import_entry(value, size); 1342 if (!IS_ERR(skp)) 1343 isp->smk_mmap = skp; 1344 } 1345 1346 return; 1347 } 1348 1349 /** 1350 * smack_inode_getxattr - Smack check on getxattr 1351 * @dentry: the object 1352 * @name: unused 1353 * 1354 * Returns 0 if access is permitted, an error code otherwise 1355 */ 1356 static int smack_inode_getxattr(struct dentry *dentry, const char *name) 1357 { 1358 struct smk_audit_info ad; 1359 int rc; 1360 1361 smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_DENTRY); 1362 smk_ad_setfield_u_fs_path_dentry(&ad, dentry); 1363 1364 rc = smk_curacc(smk_of_inode(d_backing_inode(dentry)), MAY_READ, &ad); 1365 rc = smk_bu_inode(d_backing_inode(dentry), MAY_READ, rc); 1366 return rc; 1367 } 1368 1369 /** 1370 * smack_inode_removexattr - Smack check on removexattr 1371 * @dentry: the object 1372 * @name: name of the attribute 1373 * 1374 * Removing the Smack attribute requires CAP_MAC_ADMIN 1375 * 1376 * Returns 0 if access is permitted, an error code otherwise 1377 */ 1378 static int smack_inode_removexattr(struct dentry *dentry, const char *name) 1379 { 1380 struct inode_smack *isp; 1381 struct smk_audit_info ad; 1382 int rc = 0; 1383 1384 if (strcmp(name, XATTR_NAME_SMACK) == 0 || 1385 strcmp(name, XATTR_NAME_SMACKIPIN) == 0 || 1386 strcmp(name, XATTR_NAME_SMACKIPOUT) == 0 || 1387 strcmp(name, XATTR_NAME_SMACKEXEC) == 0 || 1388 strcmp(name, XATTR_NAME_SMACKTRANSMUTE) == 0 || 1389 strcmp(name, XATTR_NAME_SMACKMMAP) == 0) { 1390 if (!smack_privileged(CAP_MAC_ADMIN)) 1391 rc = -EPERM; 1392 } else 1393 rc = cap_inode_removexattr(dentry, name); 1394 1395 if (rc != 0) 1396 return rc; 1397 1398 smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_DENTRY); 1399 smk_ad_setfield_u_fs_path_dentry(&ad, dentry); 1400 1401 rc = smk_curacc(smk_of_inode(d_backing_inode(dentry)), MAY_WRITE, &ad); 1402 rc = smk_bu_inode(d_backing_inode(dentry), MAY_WRITE, rc); 1403 if (rc != 0) 1404 return rc; 1405 1406 isp = smack_inode(d_backing_inode(dentry)); 1407 /* 1408 * Don't do anything special for these. 1409 * XATTR_NAME_SMACKIPIN 1410 * XATTR_NAME_SMACKIPOUT 1411 */ 1412 if (strcmp(name, XATTR_NAME_SMACK) == 0) { 1413 struct super_block *sbp = dentry->d_sb; 1414 struct superblock_smack *sbsp = sbp->s_security; 1415 1416 isp->smk_inode = sbsp->smk_default; 1417 } else if (strcmp(name, XATTR_NAME_SMACKEXEC) == 0) 1418 isp->smk_task = NULL; 1419 else if (strcmp(name, XATTR_NAME_SMACKMMAP) == 0) 1420 isp->smk_mmap = NULL; 1421 else if (strcmp(name, XATTR_NAME_SMACKTRANSMUTE) == 0) 1422 isp->smk_flags &= ~SMK_INODE_TRANSMUTE; 1423 1424 return 0; 1425 } 1426 1427 /** 1428 * smack_inode_getsecurity - get smack xattrs 1429 * @inode: the object 1430 * @name: attribute name 1431 * @buffer: where to put the result 1432 * @alloc: duplicate memory 1433 * 1434 * Returns the size of the attribute or an error code 1435 */ 1436 static int smack_inode_getsecurity(struct inode *inode, 1437 const char *name, void **buffer, 1438 bool alloc) 1439 { 1440 struct socket_smack *ssp; 1441 struct socket *sock; 1442 struct super_block *sbp; 1443 struct inode *ip = (struct inode *)inode; 1444 struct smack_known *isp; 1445 1446 if (strcmp(name, XATTR_SMACK_SUFFIX) == 0) 1447 isp = smk_of_inode(inode); 1448 else { 1449 /* 1450 * The rest of the Smack xattrs are only on sockets. 1451 */ 1452 sbp = ip->i_sb; 1453 if (sbp->s_magic != SOCKFS_MAGIC) 1454 return -EOPNOTSUPP; 1455 1456 sock = SOCKET_I(ip); 1457 if (sock == NULL || sock->sk == NULL) 1458 return -EOPNOTSUPP; 1459 1460 ssp = sock->sk->sk_security; 1461 1462 if (strcmp(name, XATTR_SMACK_IPIN) == 0) 1463 isp = ssp->smk_in; 1464 else if (strcmp(name, XATTR_SMACK_IPOUT) == 0) 1465 isp = ssp->smk_out; 1466 else 1467 return -EOPNOTSUPP; 1468 } 1469 1470 if (alloc) { 1471 *buffer = kstrdup(isp->smk_known, GFP_KERNEL); 1472 if (*buffer == NULL) 1473 return -ENOMEM; 1474 } 1475 1476 return strlen(isp->smk_known); 1477 } 1478 1479 1480 /** 1481 * smack_inode_listsecurity - list the Smack attributes 1482 * @inode: the object 1483 * @buffer: where they go 1484 * @buffer_size: size of buffer 1485 */ 1486 static int smack_inode_listsecurity(struct inode *inode, char *buffer, 1487 size_t buffer_size) 1488 { 1489 int len = sizeof(XATTR_NAME_SMACK); 1490 1491 if (buffer != NULL && len <= buffer_size) 1492 memcpy(buffer, XATTR_NAME_SMACK, len); 1493 1494 return len; 1495 } 1496 1497 /** 1498 * smack_inode_getsecid - Extract inode's security id 1499 * @inode: inode to extract the info from 1500 * @secid: where result will be saved 1501 */ 1502 static void smack_inode_getsecid(struct inode *inode, u32 *secid) 1503 { 1504 struct smack_known *skp = smk_of_inode(inode); 1505 1506 *secid = skp->smk_secid; 1507 } 1508 1509 /* 1510 * File Hooks 1511 */ 1512 1513 /* 1514 * There is no smack_file_permission hook 1515 * 1516 * Should access checks be done on each read or write? 1517 * UNICOS and SELinux say yes. 1518 * Trusted Solaris, Trusted Irix, and just about everyone else says no. 1519 * 1520 * I'll say no for now. Smack does not do the frequent 1521 * label changing that SELinux does. 1522 */ 1523 1524 /** 1525 * smack_file_alloc_security - assign a file security blob 1526 * @file: the object 1527 * 1528 * The security blob for a file is a pointer to the master 1529 * label list, so no allocation is done. 1530 * 1531 * f_security is the owner security information. It 1532 * isn't used on file access checks, it's for send_sigio. 1533 * 1534 * Returns 0 1535 */ 1536 static int smack_file_alloc_security(struct file *file) 1537 { 1538 struct smack_known **blob = smack_file(file); 1539 1540 *blob = smk_of_current(); 1541 return 0; 1542 } 1543 1544 /** 1545 * smack_file_ioctl - Smack check on ioctls 1546 * @file: the object 1547 * @cmd: what to do 1548 * @arg: unused 1549 * 1550 * Relies heavily on the correct use of the ioctl command conventions. 1551 * 1552 * Returns 0 if allowed, error code otherwise 1553 */ 1554 static int smack_file_ioctl(struct file *file, unsigned int cmd, 1555 unsigned long arg) 1556 { 1557 int rc = 0; 1558 struct smk_audit_info ad; 1559 struct inode *inode = file_inode(file); 1560 1561 if (unlikely(IS_PRIVATE(inode))) 1562 return 0; 1563 1564 smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_PATH); 1565 smk_ad_setfield_u_fs_path(&ad, file->f_path); 1566 1567 if (_IOC_DIR(cmd) & _IOC_WRITE) { 1568 rc = smk_curacc(smk_of_inode(inode), MAY_WRITE, &ad); 1569 rc = smk_bu_file(file, MAY_WRITE, rc); 1570 } 1571 1572 if (rc == 0 && (_IOC_DIR(cmd) & _IOC_READ)) { 1573 rc = smk_curacc(smk_of_inode(inode), MAY_READ, &ad); 1574 rc = smk_bu_file(file, MAY_READ, rc); 1575 } 1576 1577 return rc; 1578 } 1579 1580 /** 1581 * smack_file_lock - Smack check on file locking 1582 * @file: the object 1583 * @cmd: unused 1584 * 1585 * Returns 0 if current has lock access, error code otherwise 1586 */ 1587 static int smack_file_lock(struct file *file, unsigned int cmd) 1588 { 1589 struct smk_audit_info ad; 1590 int rc; 1591 struct inode *inode = file_inode(file); 1592 1593 if (unlikely(IS_PRIVATE(inode))) 1594 return 0; 1595 1596 smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_PATH); 1597 smk_ad_setfield_u_fs_path(&ad, file->f_path); 1598 rc = smk_curacc(smk_of_inode(inode), MAY_LOCK, &ad); 1599 rc = smk_bu_file(file, MAY_LOCK, rc); 1600 return rc; 1601 } 1602 1603 /** 1604 * smack_file_fcntl - Smack check on fcntl 1605 * @file: the object 1606 * @cmd: what action to check 1607 * @arg: unused 1608 * 1609 * Generally these operations are harmless. 1610 * File locking operations present an obvious mechanism 1611 * for passing information, so they require write access. 1612 * 1613 * Returns 0 if current has access, error code otherwise 1614 */ 1615 static int smack_file_fcntl(struct file *file, unsigned int cmd, 1616 unsigned long arg) 1617 { 1618 struct smk_audit_info ad; 1619 int rc = 0; 1620 struct inode *inode = file_inode(file); 1621 1622 if (unlikely(IS_PRIVATE(inode))) 1623 return 0; 1624 1625 switch (cmd) { 1626 case F_GETLK: 1627 break; 1628 case F_SETLK: 1629 case F_SETLKW: 1630 smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_PATH); 1631 smk_ad_setfield_u_fs_path(&ad, file->f_path); 1632 rc = smk_curacc(smk_of_inode(inode), MAY_LOCK, &ad); 1633 rc = smk_bu_file(file, MAY_LOCK, rc); 1634 break; 1635 case F_SETOWN: 1636 case F_SETSIG: 1637 smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_PATH); 1638 smk_ad_setfield_u_fs_path(&ad, file->f_path); 1639 rc = smk_curacc(smk_of_inode(inode), MAY_WRITE, &ad); 1640 rc = smk_bu_file(file, MAY_WRITE, rc); 1641 break; 1642 default: 1643 break; 1644 } 1645 1646 return rc; 1647 } 1648 1649 /** 1650 * smack_mmap_file : 1651 * Check permissions for a mmap operation. The @file may be NULL, e.g. 1652 * if mapping anonymous memory. 1653 * @file contains the file structure for file to map (may be NULL). 1654 * @reqprot contains the protection requested by the application. 1655 * @prot contains the protection that will be applied by the kernel. 1656 * @flags contains the operational flags. 1657 * Return 0 if permission is granted. 1658 */ 1659 static int smack_mmap_file(struct file *file, 1660 unsigned long reqprot, unsigned long prot, 1661 unsigned long flags) 1662 { 1663 struct smack_known *skp; 1664 struct smack_known *mkp; 1665 struct smack_rule *srp; 1666 struct task_smack *tsp; 1667 struct smack_known *okp; 1668 struct inode_smack *isp; 1669 struct superblock_smack *sbsp; 1670 int may; 1671 int mmay; 1672 int tmay; 1673 int rc; 1674 1675 if (file == NULL) 1676 return 0; 1677 1678 if (unlikely(IS_PRIVATE(file_inode(file)))) 1679 return 0; 1680 1681 isp = smack_inode(file_inode(file)); 1682 if (isp->smk_mmap == NULL) 1683 return 0; 1684 sbsp = file_inode(file)->i_sb->s_security; 1685 if (sbsp->smk_flags & SMK_SB_UNTRUSTED && 1686 isp->smk_mmap != sbsp->smk_root) 1687 return -EACCES; 1688 mkp = isp->smk_mmap; 1689 1690 tsp = smack_cred(current_cred()); 1691 skp = smk_of_current(); 1692 rc = 0; 1693 1694 rcu_read_lock(); 1695 /* 1696 * For each Smack rule associated with the subject 1697 * label verify that the SMACK64MMAP also has access 1698 * to that rule's object label. 1699 */ 1700 list_for_each_entry_rcu(srp, &skp->smk_rules, list) { 1701 okp = srp->smk_object; 1702 /* 1703 * Matching labels always allows access. 1704 */ 1705 if (mkp->smk_known == okp->smk_known) 1706 continue; 1707 /* 1708 * If there is a matching local rule take 1709 * that into account as well. 1710 */ 1711 may = smk_access_entry(srp->smk_subject->smk_known, 1712 okp->smk_known, 1713 &tsp->smk_rules); 1714 if (may == -ENOENT) 1715 may = srp->smk_access; 1716 else 1717 may &= srp->smk_access; 1718 /* 1719 * If may is zero the SMACK64MMAP subject can't 1720 * possibly have less access. 1721 */ 1722 if (may == 0) 1723 continue; 1724 1725 /* 1726 * Fetch the global list entry. 1727 * If there isn't one a SMACK64MMAP subject 1728 * can't have as much access as current. 1729 */ 1730 mmay = smk_access_entry(mkp->smk_known, okp->smk_known, 1731 &mkp->smk_rules); 1732 if (mmay == -ENOENT) { 1733 rc = -EACCES; 1734 break; 1735 } 1736 /* 1737 * If there is a local entry it modifies the 1738 * potential access, too. 1739 */ 1740 tmay = smk_access_entry(mkp->smk_known, okp->smk_known, 1741 &tsp->smk_rules); 1742 if (tmay != -ENOENT) 1743 mmay &= tmay; 1744 1745 /* 1746 * If there is any access available to current that is 1747 * not available to a SMACK64MMAP subject 1748 * deny access. 1749 */ 1750 if ((may | mmay) != mmay) { 1751 rc = -EACCES; 1752 break; 1753 } 1754 } 1755 1756 rcu_read_unlock(); 1757 1758 return rc; 1759 } 1760 1761 /** 1762 * smack_file_set_fowner - set the file security blob value 1763 * @file: object in question 1764 * 1765 */ 1766 static void smack_file_set_fowner(struct file *file) 1767 { 1768 struct smack_known **blob = smack_file(file); 1769 1770 *blob = smk_of_current(); 1771 } 1772 1773 /** 1774 * smack_file_send_sigiotask - Smack on sigio 1775 * @tsk: The target task 1776 * @fown: the object the signal come from 1777 * @signum: unused 1778 * 1779 * Allow a privileged task to get signals even if it shouldn't 1780 * 1781 * Returns 0 if a subject with the object's smack could 1782 * write to the task, an error code otherwise. 1783 */ 1784 static int smack_file_send_sigiotask(struct task_struct *tsk, 1785 struct fown_struct *fown, int signum) 1786 { 1787 struct smack_known **blob; 1788 struct smack_known *skp; 1789 struct smack_known *tkp = smk_of_task(smack_cred(tsk->cred)); 1790 const struct cred *tcred; 1791 struct file *file; 1792 int rc; 1793 struct smk_audit_info ad; 1794 1795 /* 1796 * struct fown_struct is never outside the context of a struct file 1797 */ 1798 file = container_of(fown, struct file, f_owner); 1799 1800 /* we don't log here as rc can be overriden */ 1801 blob = smack_file(file); 1802 skp = *blob; 1803 rc = smk_access(skp, tkp, MAY_DELIVER, NULL); 1804 rc = smk_bu_note("sigiotask", skp, tkp, MAY_DELIVER, rc); 1805 1806 rcu_read_lock(); 1807 tcred = __task_cred(tsk); 1808 if (rc != 0 && smack_privileged_cred(CAP_MAC_OVERRIDE, tcred)) 1809 rc = 0; 1810 rcu_read_unlock(); 1811 1812 smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_TASK); 1813 smk_ad_setfield_u_tsk(&ad, tsk); 1814 smack_log(skp->smk_known, tkp->smk_known, MAY_DELIVER, rc, &ad); 1815 return rc; 1816 } 1817 1818 /** 1819 * smack_file_receive - Smack file receive check 1820 * @file: the object 1821 * 1822 * Returns 0 if current has access, error code otherwise 1823 */ 1824 static int smack_file_receive(struct file *file) 1825 { 1826 int rc; 1827 int may = 0; 1828 struct smk_audit_info ad; 1829 struct inode *inode = file_inode(file); 1830 struct socket *sock; 1831 struct task_smack *tsp; 1832 struct socket_smack *ssp; 1833 1834 if (unlikely(IS_PRIVATE(inode))) 1835 return 0; 1836 1837 smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_PATH); 1838 smk_ad_setfield_u_fs_path(&ad, file->f_path); 1839 1840 if (inode->i_sb->s_magic == SOCKFS_MAGIC) { 1841 sock = SOCKET_I(inode); 1842 ssp = sock->sk->sk_security; 1843 tsp = smack_cred(current_cred()); 1844 /* 1845 * If the receiving process can't write to the 1846 * passed socket or if the passed socket can't 1847 * write to the receiving process don't accept 1848 * the passed socket. 1849 */ 1850 rc = smk_access(tsp->smk_task, ssp->smk_out, MAY_WRITE, &ad); 1851 rc = smk_bu_file(file, may, rc); 1852 if (rc < 0) 1853 return rc; 1854 rc = smk_access(ssp->smk_in, tsp->smk_task, MAY_WRITE, &ad); 1855 rc = smk_bu_file(file, may, rc); 1856 return rc; 1857 } 1858 /* 1859 * This code relies on bitmasks. 1860 */ 1861 if (file->f_mode & FMODE_READ) 1862 may = MAY_READ; 1863 if (file->f_mode & FMODE_WRITE) 1864 may |= MAY_WRITE; 1865 1866 rc = smk_curacc(smk_of_inode(inode), may, &ad); 1867 rc = smk_bu_file(file, may, rc); 1868 return rc; 1869 } 1870 1871 /** 1872 * smack_file_open - Smack dentry open processing 1873 * @file: the object 1874 * @cred: task credential 1875 * 1876 * Set the security blob in the file structure. 1877 * Allow the open only if the task has read access. There are 1878 * many read operations (e.g. fstat) that you can do with an 1879 * fd even if you have the file open write-only. 1880 * 1881 * Returns 0 1882 */ 1883 static int smack_file_open(struct file *file) 1884 { 1885 struct task_smack *tsp = smack_cred(file->f_cred); 1886 struct inode *inode = file_inode(file); 1887 struct smk_audit_info ad; 1888 int rc; 1889 1890 smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_PATH); 1891 smk_ad_setfield_u_fs_path(&ad, file->f_path); 1892 rc = smk_tskacc(tsp, smk_of_inode(inode), MAY_READ, &ad); 1893 rc = smk_bu_credfile(file->f_cred, file, MAY_READ, rc); 1894 1895 return rc; 1896 } 1897 1898 /* 1899 * Task hooks 1900 */ 1901 1902 /** 1903 * smack_cred_alloc_blank - "allocate" blank task-level security credentials 1904 * @new: the new credentials 1905 * @gfp: the atomicity of any memory allocations 1906 * 1907 * Prepare a blank set of credentials for modification. This must allocate all 1908 * the memory the LSM module might require such that cred_transfer() can 1909 * complete without error. 1910 */ 1911 static int smack_cred_alloc_blank(struct cred *cred, gfp_t gfp) 1912 { 1913 init_task_smack(smack_cred(cred), NULL, NULL); 1914 return 0; 1915 } 1916 1917 1918 /** 1919 * smack_cred_free - "free" task-level security credentials 1920 * @cred: the credentials in question 1921 * 1922 */ 1923 static void smack_cred_free(struct cred *cred) 1924 { 1925 struct task_smack *tsp = smack_cred(cred); 1926 struct smack_rule *rp; 1927 struct list_head *l; 1928 struct list_head *n; 1929 1930 smk_destroy_label_list(&tsp->smk_relabel); 1931 1932 list_for_each_safe(l, n, &tsp->smk_rules) { 1933 rp = list_entry(l, struct smack_rule, list); 1934 list_del(&rp->list); 1935 kmem_cache_free(smack_rule_cache, rp); 1936 } 1937 } 1938 1939 /** 1940 * smack_cred_prepare - prepare new set of credentials for modification 1941 * @new: the new credentials 1942 * @old: the original credentials 1943 * @gfp: the atomicity of any memory allocations 1944 * 1945 * Prepare a new set of credentials for modification. 1946 */ 1947 static int smack_cred_prepare(struct cred *new, const struct cred *old, 1948 gfp_t gfp) 1949 { 1950 struct task_smack *old_tsp = smack_cred(old); 1951 struct task_smack *new_tsp = smack_cred(new); 1952 int rc; 1953 1954 init_task_smack(new_tsp, old_tsp->smk_task, old_tsp->smk_task); 1955 1956 rc = smk_copy_rules(&new_tsp->smk_rules, &old_tsp->smk_rules, gfp); 1957 if (rc != 0) 1958 return rc; 1959 1960 rc = smk_copy_relabel(&new_tsp->smk_relabel, &old_tsp->smk_relabel, 1961 gfp); 1962 return rc; 1963 } 1964 1965 /** 1966 * smack_cred_transfer - Transfer the old credentials to the new credentials 1967 * @new: the new credentials 1968 * @old: the original credentials 1969 * 1970 * Fill in a set of blank credentials from another set of credentials. 1971 */ 1972 static void smack_cred_transfer(struct cred *new, const struct cred *old) 1973 { 1974 struct task_smack *old_tsp = smack_cred(old); 1975 struct task_smack *new_tsp = smack_cred(new); 1976 1977 new_tsp->smk_task = old_tsp->smk_task; 1978 new_tsp->smk_forked = old_tsp->smk_task; 1979 mutex_init(&new_tsp->smk_rules_lock); 1980 INIT_LIST_HEAD(&new_tsp->smk_rules); 1981 1982 /* cbs copy rule list */ 1983 } 1984 1985 /** 1986 * smack_cred_getsecid - get the secid corresponding to a creds structure 1987 * @c: the object creds 1988 * @secid: where to put the result 1989 * 1990 * Sets the secid to contain a u32 version of the smack label. 1991 */ 1992 static void smack_cred_getsecid(const struct cred *cred, u32 *secid) 1993 { 1994 struct smack_known *skp; 1995 1996 rcu_read_lock(); 1997 skp = smk_of_task(smack_cred(cred)); 1998 *secid = skp->smk_secid; 1999 rcu_read_unlock(); 2000 } 2001 2002 /** 2003 * smack_kernel_act_as - Set the subjective context in a set of credentials 2004 * @new: points to the set of credentials to be modified. 2005 * @secid: specifies the security ID to be set 2006 * 2007 * Set the security data for a kernel service. 2008 */ 2009 static int smack_kernel_act_as(struct cred *new, u32 secid) 2010 { 2011 struct task_smack *new_tsp = smack_cred(new); 2012 2013 new_tsp->smk_task = smack_from_secid(secid); 2014 return 0; 2015 } 2016 2017 /** 2018 * smack_kernel_create_files_as - Set the file creation label in a set of creds 2019 * @new: points to the set of credentials to be modified 2020 * @inode: points to the inode to use as a reference 2021 * 2022 * Set the file creation context in a set of credentials to the same 2023 * as the objective context of the specified inode 2024 */ 2025 static int smack_kernel_create_files_as(struct cred *new, 2026 struct inode *inode) 2027 { 2028 struct inode_smack *isp = smack_inode(inode); 2029 struct task_smack *tsp = smack_cred(new); 2030 2031 tsp->smk_forked = isp->smk_inode; 2032 tsp->smk_task = tsp->smk_forked; 2033 return 0; 2034 } 2035 2036 /** 2037 * smk_curacc_on_task - helper to log task related access 2038 * @p: the task object 2039 * @access: the access requested 2040 * @caller: name of the calling function for audit 2041 * 2042 * Return 0 if access is permitted 2043 */ 2044 static int smk_curacc_on_task(struct task_struct *p, int access, 2045 const char *caller) 2046 { 2047 struct smk_audit_info ad; 2048 struct smack_known *skp = smk_of_task_struct(p); 2049 int rc; 2050 2051 smk_ad_init(&ad, caller, LSM_AUDIT_DATA_TASK); 2052 smk_ad_setfield_u_tsk(&ad, p); 2053 rc = smk_curacc(skp, access, &ad); 2054 rc = smk_bu_task(p, access, rc); 2055 return rc; 2056 } 2057 2058 /** 2059 * smack_task_setpgid - Smack check on setting pgid 2060 * @p: the task object 2061 * @pgid: unused 2062 * 2063 * Return 0 if write access is permitted 2064 */ 2065 static int smack_task_setpgid(struct task_struct *p, pid_t pgid) 2066 { 2067 return smk_curacc_on_task(p, MAY_WRITE, __func__); 2068 } 2069 2070 /** 2071 * smack_task_getpgid - Smack access check for getpgid 2072 * @p: the object task 2073 * 2074 * Returns 0 if current can read the object task, error code otherwise 2075 */ 2076 static int smack_task_getpgid(struct task_struct *p) 2077 { 2078 return smk_curacc_on_task(p, MAY_READ, __func__); 2079 } 2080 2081 /** 2082 * smack_task_getsid - Smack access check for getsid 2083 * @p: the object task 2084 * 2085 * Returns 0 if current can read the object task, error code otherwise 2086 */ 2087 static int smack_task_getsid(struct task_struct *p) 2088 { 2089 return smk_curacc_on_task(p, MAY_READ, __func__); 2090 } 2091 2092 /** 2093 * smack_task_getsecid - get the secid of the task 2094 * @p: the object task 2095 * @secid: where to put the result 2096 * 2097 * Sets the secid to contain a u32 version of the smack label. 2098 */ 2099 static void smack_task_getsecid(struct task_struct *p, u32 *secid) 2100 { 2101 struct smack_known *skp = smk_of_task_struct(p); 2102 2103 *secid = skp->smk_secid; 2104 } 2105 2106 /** 2107 * smack_task_setnice - Smack check on setting nice 2108 * @p: the task object 2109 * @nice: unused 2110 * 2111 * Return 0 if write access is permitted 2112 */ 2113 static int smack_task_setnice(struct task_struct *p, int nice) 2114 { 2115 return smk_curacc_on_task(p, MAY_WRITE, __func__); 2116 } 2117 2118 /** 2119 * smack_task_setioprio - Smack check on setting ioprio 2120 * @p: the task object 2121 * @ioprio: unused 2122 * 2123 * Return 0 if write access is permitted 2124 */ 2125 static int smack_task_setioprio(struct task_struct *p, int ioprio) 2126 { 2127 return smk_curacc_on_task(p, MAY_WRITE, __func__); 2128 } 2129 2130 /** 2131 * smack_task_getioprio - Smack check on reading ioprio 2132 * @p: the task object 2133 * 2134 * Return 0 if read access is permitted 2135 */ 2136 static int smack_task_getioprio(struct task_struct *p) 2137 { 2138 return smk_curacc_on_task(p, MAY_READ, __func__); 2139 } 2140 2141 /** 2142 * smack_task_setscheduler - Smack check on setting scheduler 2143 * @p: the task object 2144 * @policy: unused 2145 * @lp: unused 2146 * 2147 * Return 0 if read access is permitted 2148 */ 2149 static int smack_task_setscheduler(struct task_struct *p) 2150 { 2151 return smk_curacc_on_task(p, MAY_WRITE, __func__); 2152 } 2153 2154 /** 2155 * smack_task_getscheduler - Smack check on reading scheduler 2156 * @p: the task object 2157 * 2158 * Return 0 if read access is permitted 2159 */ 2160 static int smack_task_getscheduler(struct task_struct *p) 2161 { 2162 return smk_curacc_on_task(p, MAY_READ, __func__); 2163 } 2164 2165 /** 2166 * smack_task_movememory - Smack check on moving memory 2167 * @p: the task object 2168 * 2169 * Return 0 if write access is permitted 2170 */ 2171 static int smack_task_movememory(struct task_struct *p) 2172 { 2173 return smk_curacc_on_task(p, MAY_WRITE, __func__); 2174 } 2175 2176 /** 2177 * smack_task_kill - Smack check on signal delivery 2178 * @p: the task object 2179 * @info: unused 2180 * @sig: unused 2181 * @cred: identifies the cred to use in lieu of current's 2182 * 2183 * Return 0 if write access is permitted 2184 * 2185 */ 2186 static int smack_task_kill(struct task_struct *p, struct kernel_siginfo *info, 2187 int sig, const struct cred *cred) 2188 { 2189 struct smk_audit_info ad; 2190 struct smack_known *skp; 2191 struct smack_known *tkp = smk_of_task_struct(p); 2192 int rc; 2193 2194 if (!sig) 2195 return 0; /* null signal; existence test */ 2196 2197 smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_TASK); 2198 smk_ad_setfield_u_tsk(&ad, p); 2199 /* 2200 * Sending a signal requires that the sender 2201 * can write the receiver. 2202 */ 2203 if (cred == NULL) { 2204 rc = smk_curacc(tkp, MAY_DELIVER, &ad); 2205 rc = smk_bu_task(p, MAY_DELIVER, rc); 2206 return rc; 2207 } 2208 /* 2209 * If the cred isn't NULL we're dealing with some USB IO 2210 * specific behavior. This is not clean. For one thing 2211 * we can't take privilege into account. 2212 */ 2213 skp = smk_of_task(smack_cred(cred)); 2214 rc = smk_access(skp, tkp, MAY_DELIVER, &ad); 2215 rc = smk_bu_note("USB signal", skp, tkp, MAY_DELIVER, rc); 2216 return rc; 2217 } 2218 2219 /** 2220 * smack_task_to_inode - copy task smack into the inode blob 2221 * @p: task to copy from 2222 * @inode: inode to copy to 2223 * 2224 * Sets the smack pointer in the inode security blob 2225 */ 2226 static void smack_task_to_inode(struct task_struct *p, struct inode *inode) 2227 { 2228 struct inode_smack *isp = smack_inode(inode); 2229 struct smack_known *skp = smk_of_task_struct(p); 2230 2231 isp->smk_inode = skp; 2232 isp->smk_flags |= SMK_INODE_INSTANT; 2233 } 2234 2235 /* 2236 * Socket hooks. 2237 */ 2238 2239 /** 2240 * smack_sk_alloc_security - Allocate a socket blob 2241 * @sk: the socket 2242 * @family: unused 2243 * @gfp_flags: memory allocation flags 2244 * 2245 * Assign Smack pointers to current 2246 * 2247 * Returns 0 on success, -ENOMEM is there's no memory 2248 */ 2249 static int smack_sk_alloc_security(struct sock *sk, int family, gfp_t gfp_flags) 2250 { 2251 struct smack_known *skp = smk_of_current(); 2252 struct socket_smack *ssp; 2253 2254 ssp = kzalloc(sizeof(struct socket_smack), gfp_flags); 2255 if (ssp == NULL) 2256 return -ENOMEM; 2257 2258 /* 2259 * Sockets created by kernel threads receive web label. 2260 */ 2261 if (unlikely(current->flags & PF_KTHREAD)) { 2262 ssp->smk_in = &smack_known_web; 2263 ssp->smk_out = &smack_known_web; 2264 } else { 2265 ssp->smk_in = skp; 2266 ssp->smk_out = skp; 2267 } 2268 ssp->smk_packet = NULL; 2269 2270 sk->sk_security = ssp; 2271 2272 return 0; 2273 } 2274 2275 /** 2276 * smack_sk_free_security - Free a socket blob 2277 * @sk: the socket 2278 * 2279 * Clears the blob pointer 2280 */ 2281 static void smack_sk_free_security(struct sock *sk) 2282 { 2283 #ifdef SMACK_IPV6_PORT_LABELING 2284 struct smk_port_label *spp; 2285 2286 if (sk->sk_family == PF_INET6) { 2287 rcu_read_lock(); 2288 list_for_each_entry_rcu(spp, &smk_ipv6_port_list, list) { 2289 if (spp->smk_sock != sk) 2290 continue; 2291 spp->smk_can_reuse = 1; 2292 break; 2293 } 2294 rcu_read_unlock(); 2295 } 2296 #endif 2297 kfree(sk->sk_security); 2298 } 2299 2300 /** 2301 * smack_ipv4host_label - check host based restrictions 2302 * @sip: the object end 2303 * 2304 * looks for host based access restrictions 2305 * 2306 * This version will only be appropriate for really small sets of single label 2307 * hosts. The caller is responsible for ensuring that the RCU read lock is 2308 * taken before calling this function. 2309 * 2310 * Returns the label of the far end or NULL if it's not special. 2311 */ 2312 static struct smack_known *smack_ipv4host_label(struct sockaddr_in *sip) 2313 { 2314 struct smk_net4addr *snp; 2315 struct in_addr *siap = &sip->sin_addr; 2316 2317 if (siap->s_addr == 0) 2318 return NULL; 2319 2320 list_for_each_entry_rcu(snp, &smk_net4addr_list, list) 2321 /* 2322 * we break after finding the first match because 2323 * the list is sorted from longest to shortest mask 2324 * so we have found the most specific match 2325 */ 2326 if (snp->smk_host.s_addr == 2327 (siap->s_addr & snp->smk_mask.s_addr)) 2328 return snp->smk_label; 2329 2330 return NULL; 2331 } 2332 2333 #if IS_ENABLED(CONFIG_IPV6) 2334 /* 2335 * smk_ipv6_localhost - Check for local ipv6 host address 2336 * @sip: the address 2337 * 2338 * Returns boolean true if this is the localhost address 2339 */ 2340 static bool smk_ipv6_localhost(struct sockaddr_in6 *sip) 2341 { 2342 __be16 *be16p = (__be16 *)&sip->sin6_addr; 2343 __be32 *be32p = (__be32 *)&sip->sin6_addr; 2344 2345 if (be32p[0] == 0 && be32p[1] == 0 && be32p[2] == 0 && be16p[6] == 0 && 2346 ntohs(be16p[7]) == 1) 2347 return true; 2348 return false; 2349 } 2350 2351 /** 2352 * smack_ipv6host_label - check host based restrictions 2353 * @sip: the object end 2354 * 2355 * looks for host based access restrictions 2356 * 2357 * This version will only be appropriate for really small sets of single label 2358 * hosts. The caller is responsible for ensuring that the RCU read lock is 2359 * taken before calling this function. 2360 * 2361 * Returns the label of the far end or NULL if it's not special. 2362 */ 2363 static struct smack_known *smack_ipv6host_label(struct sockaddr_in6 *sip) 2364 { 2365 struct smk_net6addr *snp; 2366 struct in6_addr *sap = &sip->sin6_addr; 2367 int i; 2368 int found = 0; 2369 2370 /* 2371 * It's local. Don't look for a host label. 2372 */ 2373 if (smk_ipv6_localhost(sip)) 2374 return NULL; 2375 2376 list_for_each_entry_rcu(snp, &smk_net6addr_list, list) { 2377 /* 2378 * If the label is NULL the entry has 2379 * been renounced. Ignore it. 2380 */ 2381 if (snp->smk_label == NULL) 2382 continue; 2383 /* 2384 * we break after finding the first match because 2385 * the list is sorted from longest to shortest mask 2386 * so we have found the most specific match 2387 */ 2388 for (found = 1, i = 0; i < 8; i++) { 2389 if ((sap->s6_addr16[i] & snp->smk_mask.s6_addr16[i]) != 2390 snp->smk_host.s6_addr16[i]) { 2391 found = 0; 2392 break; 2393 } 2394 } 2395 if (found) 2396 return snp->smk_label; 2397 } 2398 2399 return NULL; 2400 } 2401 #endif /* CONFIG_IPV6 */ 2402 2403 /** 2404 * smack_netlabel - Set the secattr on a socket 2405 * @sk: the socket 2406 * @labeled: socket label scheme 2407 * 2408 * Convert the outbound smack value (smk_out) to a 2409 * secattr and attach it to the socket. 2410 * 2411 * Returns 0 on success or an error code 2412 */ 2413 static int smack_netlabel(struct sock *sk, int labeled) 2414 { 2415 struct smack_known *skp; 2416 struct socket_smack *ssp = sk->sk_security; 2417 int rc = 0; 2418 2419 /* 2420 * Usually the netlabel code will handle changing the 2421 * packet labeling based on the label. 2422 * The case of a single label host is different, because 2423 * a single label host should never get a labeled packet 2424 * even though the label is usually associated with a packet 2425 * label. 2426 */ 2427 local_bh_disable(); 2428 bh_lock_sock_nested(sk); 2429 2430 if (ssp->smk_out == smack_net_ambient || 2431 labeled == SMACK_UNLABELED_SOCKET) 2432 netlbl_sock_delattr(sk); 2433 else { 2434 skp = ssp->smk_out; 2435 rc = netlbl_sock_setattr(sk, sk->sk_family, &skp->smk_netlabel); 2436 } 2437 2438 bh_unlock_sock(sk); 2439 local_bh_enable(); 2440 2441 return rc; 2442 } 2443 2444 /** 2445 * smack_netlbel_send - Set the secattr on a socket and perform access checks 2446 * @sk: the socket 2447 * @sap: the destination address 2448 * 2449 * Set the correct secattr for the given socket based on the destination 2450 * address and perform any outbound access checks needed. 2451 * 2452 * Returns 0 on success or an error code. 2453 * 2454 */ 2455 static int smack_netlabel_send(struct sock *sk, struct sockaddr_in *sap) 2456 { 2457 struct smack_known *skp; 2458 int rc; 2459 int sk_lbl; 2460 struct smack_known *hkp; 2461 struct socket_smack *ssp = sk->sk_security; 2462 struct smk_audit_info ad; 2463 2464 rcu_read_lock(); 2465 hkp = smack_ipv4host_label(sap); 2466 if (hkp != NULL) { 2467 #ifdef CONFIG_AUDIT 2468 struct lsm_network_audit net; 2469 2470 smk_ad_init_net(&ad, __func__, LSM_AUDIT_DATA_NET, &net); 2471 ad.a.u.net->family = sap->sin_family; 2472 ad.a.u.net->dport = sap->sin_port; 2473 ad.a.u.net->v4info.daddr = sap->sin_addr.s_addr; 2474 #endif 2475 sk_lbl = SMACK_UNLABELED_SOCKET; 2476 skp = ssp->smk_out; 2477 rc = smk_access(skp, hkp, MAY_WRITE, &ad); 2478 rc = smk_bu_note("IPv4 host check", skp, hkp, MAY_WRITE, rc); 2479 } else { 2480 sk_lbl = SMACK_CIPSO_SOCKET; 2481 rc = 0; 2482 } 2483 rcu_read_unlock(); 2484 if (rc != 0) 2485 return rc; 2486 2487 return smack_netlabel(sk, sk_lbl); 2488 } 2489 2490 #if IS_ENABLED(CONFIG_IPV6) 2491 /** 2492 * smk_ipv6_check - check Smack access 2493 * @subject: subject Smack label 2494 * @object: object Smack label 2495 * @address: address 2496 * @act: the action being taken 2497 * 2498 * Check an IPv6 access 2499 */ 2500 static int smk_ipv6_check(struct smack_known *subject, 2501 struct smack_known *object, 2502 struct sockaddr_in6 *address, int act) 2503 { 2504 #ifdef CONFIG_AUDIT 2505 struct lsm_network_audit net; 2506 #endif 2507 struct smk_audit_info ad; 2508 int rc; 2509 2510 #ifdef CONFIG_AUDIT 2511 smk_ad_init_net(&ad, __func__, LSM_AUDIT_DATA_NET, &net); 2512 ad.a.u.net->family = PF_INET6; 2513 ad.a.u.net->dport = ntohs(address->sin6_port); 2514 if (act == SMK_RECEIVING) 2515 ad.a.u.net->v6info.saddr = address->sin6_addr; 2516 else 2517 ad.a.u.net->v6info.daddr = address->sin6_addr; 2518 #endif 2519 rc = smk_access(subject, object, MAY_WRITE, &ad); 2520 rc = smk_bu_note("IPv6 check", subject, object, MAY_WRITE, rc); 2521 return rc; 2522 } 2523 #endif /* CONFIG_IPV6 */ 2524 2525 #ifdef SMACK_IPV6_PORT_LABELING 2526 /** 2527 * smk_ipv6_port_label - Smack port access table management 2528 * @sock: socket 2529 * @address: address 2530 * 2531 * Create or update the port list entry 2532 */ 2533 static void smk_ipv6_port_label(struct socket *sock, struct sockaddr *address) 2534 { 2535 struct sock *sk = sock->sk; 2536 struct sockaddr_in6 *addr6; 2537 struct socket_smack *ssp = sock->sk->sk_security; 2538 struct smk_port_label *spp; 2539 unsigned short port = 0; 2540 2541 if (address == NULL) { 2542 /* 2543 * This operation is changing the Smack information 2544 * on the bound socket. Take the changes to the port 2545 * as well. 2546 */ 2547 rcu_read_lock(); 2548 list_for_each_entry_rcu(spp, &smk_ipv6_port_list, list) { 2549 if (sk != spp->smk_sock) 2550 continue; 2551 spp->smk_in = ssp->smk_in; 2552 spp->smk_out = ssp->smk_out; 2553 rcu_read_unlock(); 2554 return; 2555 } 2556 /* 2557 * A NULL address is only used for updating existing 2558 * bound entries. If there isn't one, it's OK. 2559 */ 2560 rcu_read_unlock(); 2561 return; 2562 } 2563 2564 addr6 = (struct sockaddr_in6 *)address; 2565 port = ntohs(addr6->sin6_port); 2566 /* 2567 * This is a special case that is safely ignored. 2568 */ 2569 if (port == 0) 2570 return; 2571 2572 /* 2573 * Look for an existing port list entry. 2574 * This is an indication that a port is getting reused. 2575 */ 2576 rcu_read_lock(); 2577 list_for_each_entry_rcu(spp, &smk_ipv6_port_list, list) { 2578 if (spp->smk_port != port || spp->smk_sock_type != sock->type) 2579 continue; 2580 if (spp->smk_can_reuse != 1) { 2581 rcu_read_unlock(); 2582 return; 2583 } 2584 spp->smk_port = port; 2585 spp->smk_sock = sk; 2586 spp->smk_in = ssp->smk_in; 2587 spp->smk_out = ssp->smk_out; 2588 spp->smk_can_reuse = 0; 2589 rcu_read_unlock(); 2590 return; 2591 } 2592 rcu_read_unlock(); 2593 /* 2594 * A new port entry is required. 2595 */ 2596 spp = kzalloc(sizeof(*spp), GFP_KERNEL); 2597 if (spp == NULL) 2598 return; 2599 2600 spp->smk_port = port; 2601 spp->smk_sock = sk; 2602 spp->smk_in = ssp->smk_in; 2603 spp->smk_out = ssp->smk_out; 2604 spp->smk_sock_type = sock->type; 2605 spp->smk_can_reuse = 0; 2606 2607 mutex_lock(&smack_ipv6_lock); 2608 list_add_rcu(&spp->list, &smk_ipv6_port_list); 2609 mutex_unlock(&smack_ipv6_lock); 2610 return; 2611 } 2612 2613 /** 2614 * smk_ipv6_port_check - check Smack port access 2615 * @sock: socket 2616 * @address: address 2617 * 2618 * Create or update the port list entry 2619 */ 2620 static int smk_ipv6_port_check(struct sock *sk, struct sockaddr_in6 *address, 2621 int act) 2622 { 2623 struct smk_port_label *spp; 2624 struct socket_smack *ssp = sk->sk_security; 2625 struct smack_known *skp = NULL; 2626 unsigned short port; 2627 struct smack_known *object; 2628 2629 if (act == SMK_RECEIVING) { 2630 skp = smack_ipv6host_label(address); 2631 object = ssp->smk_in; 2632 } else { 2633 skp = ssp->smk_out; 2634 object = smack_ipv6host_label(address); 2635 } 2636 2637 /* 2638 * The other end is a single label host. 2639 */ 2640 if (skp != NULL && object != NULL) 2641 return smk_ipv6_check(skp, object, address, act); 2642 if (skp == NULL) 2643 skp = smack_net_ambient; 2644 if (object == NULL) 2645 object = smack_net_ambient; 2646 2647 /* 2648 * It's remote, so port lookup does no good. 2649 */ 2650 if (!smk_ipv6_localhost(address)) 2651 return smk_ipv6_check(skp, object, address, act); 2652 2653 /* 2654 * It's local so the send check has to have passed. 2655 */ 2656 if (act == SMK_RECEIVING) 2657 return 0; 2658 2659 port = ntohs(address->sin6_port); 2660 rcu_read_lock(); 2661 list_for_each_entry_rcu(spp, &smk_ipv6_port_list, list) { 2662 if (spp->smk_port != port || spp->smk_sock_type != sk->sk_type) 2663 continue; 2664 object = spp->smk_in; 2665 if (act == SMK_CONNECTING) 2666 ssp->smk_packet = spp->smk_out; 2667 break; 2668 } 2669 rcu_read_unlock(); 2670 2671 return smk_ipv6_check(skp, object, address, act); 2672 } 2673 #endif /* SMACK_IPV6_PORT_LABELING */ 2674 2675 /** 2676 * smack_inode_setsecurity - set smack xattrs 2677 * @inode: the object 2678 * @name: attribute name 2679 * @value: attribute value 2680 * @size: size of the attribute 2681 * @flags: unused 2682 * 2683 * Sets the named attribute in the appropriate blob 2684 * 2685 * Returns 0 on success, or an error code 2686 */ 2687 static int smack_inode_setsecurity(struct inode *inode, const char *name, 2688 const void *value, size_t size, int flags) 2689 { 2690 struct smack_known *skp; 2691 struct inode_smack *nsp = smack_inode(inode); 2692 struct socket_smack *ssp; 2693 struct socket *sock; 2694 int rc = 0; 2695 2696 if (value == NULL || size > SMK_LONGLABEL || size == 0) 2697 return -EINVAL; 2698 2699 skp = smk_import_entry(value, size); 2700 if (IS_ERR(skp)) 2701 return PTR_ERR(skp); 2702 2703 if (strcmp(name, XATTR_SMACK_SUFFIX) == 0) { 2704 nsp->smk_inode = skp; 2705 nsp->smk_flags |= SMK_INODE_INSTANT; 2706 return 0; 2707 } 2708 /* 2709 * The rest of the Smack xattrs are only on sockets. 2710 */ 2711 if (inode->i_sb->s_magic != SOCKFS_MAGIC) 2712 return -EOPNOTSUPP; 2713 2714 sock = SOCKET_I(inode); 2715 if (sock == NULL || sock->sk == NULL) 2716 return -EOPNOTSUPP; 2717 2718 ssp = sock->sk->sk_security; 2719 2720 if (strcmp(name, XATTR_SMACK_IPIN) == 0) 2721 ssp->smk_in = skp; 2722 else if (strcmp(name, XATTR_SMACK_IPOUT) == 0) { 2723 ssp->smk_out = skp; 2724 if (sock->sk->sk_family == PF_INET) { 2725 rc = smack_netlabel(sock->sk, SMACK_CIPSO_SOCKET); 2726 if (rc != 0) 2727 printk(KERN_WARNING 2728 "Smack: \"%s\" netlbl error %d.\n", 2729 __func__, -rc); 2730 } 2731 } else 2732 return -EOPNOTSUPP; 2733 2734 #ifdef SMACK_IPV6_PORT_LABELING 2735 if (sock->sk->sk_family == PF_INET6) 2736 smk_ipv6_port_label(sock, NULL); 2737 #endif 2738 2739 return 0; 2740 } 2741 2742 /** 2743 * smack_socket_post_create - finish socket setup 2744 * @sock: the socket 2745 * @family: protocol family 2746 * @type: unused 2747 * @protocol: unused 2748 * @kern: unused 2749 * 2750 * Sets the netlabel information on the socket 2751 * 2752 * Returns 0 on success, and error code otherwise 2753 */ 2754 static int smack_socket_post_create(struct socket *sock, int family, 2755 int type, int protocol, int kern) 2756 { 2757 struct socket_smack *ssp; 2758 2759 if (sock->sk == NULL) 2760 return 0; 2761 2762 /* 2763 * Sockets created by kernel threads receive web label. 2764 */ 2765 if (unlikely(current->flags & PF_KTHREAD)) { 2766 ssp = sock->sk->sk_security; 2767 ssp->smk_in = &smack_known_web; 2768 ssp->smk_out = &smack_known_web; 2769 } 2770 2771 if (family != PF_INET) 2772 return 0; 2773 /* 2774 * Set the outbound netlbl. 2775 */ 2776 return smack_netlabel(sock->sk, SMACK_CIPSO_SOCKET); 2777 } 2778 2779 /** 2780 * smack_socket_socketpair - create socket pair 2781 * @socka: one socket 2782 * @sockb: another socket 2783 * 2784 * Cross reference the peer labels for SO_PEERSEC 2785 * 2786 * Returns 0 on success, and error code otherwise 2787 */ 2788 static int smack_socket_socketpair(struct socket *socka, 2789 struct socket *sockb) 2790 { 2791 struct socket_smack *asp = socka->sk->sk_security; 2792 struct socket_smack *bsp = sockb->sk->sk_security; 2793 2794 asp->smk_packet = bsp->smk_out; 2795 bsp->smk_packet = asp->smk_out; 2796 2797 return 0; 2798 } 2799 2800 #ifdef SMACK_IPV6_PORT_LABELING 2801 /** 2802 * smack_socket_bind - record port binding information. 2803 * @sock: the socket 2804 * @address: the port address 2805 * @addrlen: size of the address 2806 * 2807 * Records the label bound to a port. 2808 * 2809 * Returns 0 on success, and error code otherwise 2810 */ 2811 static int smack_socket_bind(struct socket *sock, struct sockaddr *address, 2812 int addrlen) 2813 { 2814 if (sock->sk != NULL && sock->sk->sk_family == PF_INET6) { 2815 if (addrlen < SIN6_LEN_RFC2133 || 2816 address->sa_family != AF_INET6) 2817 return -EINVAL; 2818 smk_ipv6_port_label(sock, address); 2819 } 2820 return 0; 2821 } 2822 #endif /* SMACK_IPV6_PORT_LABELING */ 2823 2824 /** 2825 * smack_socket_connect - connect access check 2826 * @sock: the socket 2827 * @sap: the other end 2828 * @addrlen: size of sap 2829 * 2830 * Verifies that a connection may be possible 2831 * 2832 * Returns 0 on success, and error code otherwise 2833 */ 2834 static int smack_socket_connect(struct socket *sock, struct sockaddr *sap, 2835 int addrlen) 2836 { 2837 int rc = 0; 2838 #if IS_ENABLED(CONFIG_IPV6) 2839 struct sockaddr_in6 *sip = (struct sockaddr_in6 *)sap; 2840 #endif 2841 #ifdef SMACK_IPV6_SECMARK_LABELING 2842 struct smack_known *rsp; 2843 struct socket_smack *ssp; 2844 #endif 2845 2846 if (sock->sk == NULL) 2847 return 0; 2848 2849 #ifdef SMACK_IPV6_SECMARK_LABELING 2850 ssp = sock->sk->sk_security; 2851 #endif 2852 2853 switch (sock->sk->sk_family) { 2854 case PF_INET: 2855 if (addrlen < sizeof(struct sockaddr_in) || 2856 sap->sa_family != AF_INET) 2857 return -EINVAL; 2858 rc = smack_netlabel_send(sock->sk, (struct sockaddr_in *)sap); 2859 break; 2860 case PF_INET6: 2861 if (addrlen < SIN6_LEN_RFC2133 || sap->sa_family != AF_INET6) 2862 return -EINVAL; 2863 #ifdef SMACK_IPV6_SECMARK_LABELING 2864 rsp = smack_ipv6host_label(sip); 2865 if (rsp != NULL) 2866 rc = smk_ipv6_check(ssp->smk_out, rsp, sip, 2867 SMK_CONNECTING); 2868 #endif 2869 #ifdef SMACK_IPV6_PORT_LABELING 2870 rc = smk_ipv6_port_check(sock->sk, sip, SMK_CONNECTING); 2871 #endif 2872 break; 2873 } 2874 return rc; 2875 } 2876 2877 /** 2878 * smack_flags_to_may - convert S_ to MAY_ values 2879 * @flags: the S_ value 2880 * 2881 * Returns the equivalent MAY_ value 2882 */ 2883 static int smack_flags_to_may(int flags) 2884 { 2885 int may = 0; 2886 2887 if (flags & S_IRUGO) 2888 may |= MAY_READ; 2889 if (flags & S_IWUGO) 2890 may |= MAY_WRITE; 2891 if (flags & S_IXUGO) 2892 may |= MAY_EXEC; 2893 2894 return may; 2895 } 2896 2897 /** 2898 * smack_msg_msg_alloc_security - Set the security blob for msg_msg 2899 * @msg: the object 2900 * 2901 * Returns 0 2902 */ 2903 static int smack_msg_msg_alloc_security(struct msg_msg *msg) 2904 { 2905 struct smack_known **blob = smack_msg_msg(msg); 2906 2907 *blob = smk_of_current(); 2908 return 0; 2909 } 2910 2911 /** 2912 * smack_of_ipc - the smack pointer for the ipc 2913 * @isp: the object 2914 * 2915 * Returns a pointer to the smack value 2916 */ 2917 static struct smack_known *smack_of_ipc(struct kern_ipc_perm *isp) 2918 { 2919 struct smack_known **blob = smack_ipc(isp); 2920 2921 return *blob; 2922 } 2923 2924 /** 2925 * smack_ipc_alloc_security - Set the security blob for ipc 2926 * @isp: the object 2927 * 2928 * Returns 0 2929 */ 2930 static int smack_ipc_alloc_security(struct kern_ipc_perm *isp) 2931 { 2932 struct smack_known **blob = smack_ipc(isp); 2933 2934 *blob = smk_of_current(); 2935 return 0; 2936 } 2937 2938 /** 2939 * smk_curacc_shm : check if current has access on shm 2940 * @isp : the object 2941 * @access : access requested 2942 * 2943 * Returns 0 if current has the requested access, error code otherwise 2944 */ 2945 static int smk_curacc_shm(struct kern_ipc_perm *isp, int access) 2946 { 2947 struct smack_known *ssp = smack_of_ipc(isp); 2948 struct smk_audit_info ad; 2949 int rc; 2950 2951 #ifdef CONFIG_AUDIT 2952 smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_IPC); 2953 ad.a.u.ipc_id = isp->id; 2954 #endif 2955 rc = smk_curacc(ssp, access, &ad); 2956 rc = smk_bu_current("shm", ssp, access, rc); 2957 return rc; 2958 } 2959 2960 /** 2961 * smack_shm_associate - Smack access check for shm 2962 * @isp: the object 2963 * @shmflg: access requested 2964 * 2965 * Returns 0 if current has the requested access, error code otherwise 2966 */ 2967 static int smack_shm_associate(struct kern_ipc_perm *isp, int shmflg) 2968 { 2969 int may; 2970 2971 may = smack_flags_to_may(shmflg); 2972 return smk_curacc_shm(isp, may); 2973 } 2974 2975 /** 2976 * smack_shm_shmctl - Smack access check for shm 2977 * @isp: the object 2978 * @cmd: what it wants to do 2979 * 2980 * Returns 0 if current has the requested access, error code otherwise 2981 */ 2982 static int smack_shm_shmctl(struct kern_ipc_perm *isp, int cmd) 2983 { 2984 int may; 2985 2986 switch (cmd) { 2987 case IPC_STAT: 2988 case SHM_STAT: 2989 case SHM_STAT_ANY: 2990 may = MAY_READ; 2991 break; 2992 case IPC_SET: 2993 case SHM_LOCK: 2994 case SHM_UNLOCK: 2995 case IPC_RMID: 2996 may = MAY_READWRITE; 2997 break; 2998 case IPC_INFO: 2999 case SHM_INFO: 3000 /* 3001 * System level information. 3002 */ 3003 return 0; 3004 default: 3005 return -EINVAL; 3006 } 3007 return smk_curacc_shm(isp, may); 3008 } 3009 3010 /** 3011 * smack_shm_shmat - Smack access for shmat 3012 * @isp: the object 3013 * @shmaddr: unused 3014 * @shmflg: access requested 3015 * 3016 * Returns 0 if current has the requested access, error code otherwise 3017 */ 3018 static int smack_shm_shmat(struct kern_ipc_perm *ipc, char __user *shmaddr, 3019 int shmflg) 3020 { 3021 int may; 3022 3023 may = smack_flags_to_may(shmflg); 3024 return smk_curacc_shm(ipc, may); 3025 } 3026 3027 /** 3028 * smk_curacc_sem : check if current has access on sem 3029 * @isp : the object 3030 * @access : access requested 3031 * 3032 * Returns 0 if current has the requested access, error code otherwise 3033 */ 3034 static int smk_curacc_sem(struct kern_ipc_perm *isp, int access) 3035 { 3036 struct smack_known *ssp = smack_of_ipc(isp); 3037 struct smk_audit_info ad; 3038 int rc; 3039 3040 #ifdef CONFIG_AUDIT 3041 smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_IPC); 3042 ad.a.u.ipc_id = isp->id; 3043 #endif 3044 rc = smk_curacc(ssp, access, &ad); 3045 rc = smk_bu_current("sem", ssp, access, rc); 3046 return rc; 3047 } 3048 3049 /** 3050 * smack_sem_associate - Smack access check for sem 3051 * @isp: the object 3052 * @semflg: access requested 3053 * 3054 * Returns 0 if current has the requested access, error code otherwise 3055 */ 3056 static int smack_sem_associate(struct kern_ipc_perm *isp, int semflg) 3057 { 3058 int may; 3059 3060 may = smack_flags_to_may(semflg); 3061 return smk_curacc_sem(isp, may); 3062 } 3063 3064 /** 3065 * smack_sem_shmctl - Smack access check for sem 3066 * @isp: the object 3067 * @cmd: what it wants to do 3068 * 3069 * Returns 0 if current has the requested access, error code otherwise 3070 */ 3071 static int smack_sem_semctl(struct kern_ipc_perm *isp, int cmd) 3072 { 3073 int may; 3074 3075 switch (cmd) { 3076 case GETPID: 3077 case GETNCNT: 3078 case GETZCNT: 3079 case GETVAL: 3080 case GETALL: 3081 case IPC_STAT: 3082 case SEM_STAT: 3083 case SEM_STAT_ANY: 3084 may = MAY_READ; 3085 break; 3086 case SETVAL: 3087 case SETALL: 3088 case IPC_RMID: 3089 case IPC_SET: 3090 may = MAY_READWRITE; 3091 break; 3092 case IPC_INFO: 3093 case SEM_INFO: 3094 /* 3095 * System level information 3096 */ 3097 return 0; 3098 default: 3099 return -EINVAL; 3100 } 3101 3102 return smk_curacc_sem(isp, may); 3103 } 3104 3105 /** 3106 * smack_sem_semop - Smack checks of semaphore operations 3107 * @isp: the object 3108 * @sops: unused 3109 * @nsops: unused 3110 * @alter: unused 3111 * 3112 * Treated as read and write in all cases. 3113 * 3114 * Returns 0 if access is allowed, error code otherwise 3115 */ 3116 static int smack_sem_semop(struct kern_ipc_perm *isp, struct sembuf *sops, 3117 unsigned nsops, int alter) 3118 { 3119 return smk_curacc_sem(isp, MAY_READWRITE); 3120 } 3121 3122 /** 3123 * smk_curacc_msq : helper to check if current has access on msq 3124 * @isp : the msq 3125 * @access : access requested 3126 * 3127 * return 0 if current has access, error otherwise 3128 */ 3129 static int smk_curacc_msq(struct kern_ipc_perm *isp, int access) 3130 { 3131 struct smack_known *msp = smack_of_ipc(isp); 3132 struct smk_audit_info ad; 3133 int rc; 3134 3135 #ifdef CONFIG_AUDIT 3136 smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_IPC); 3137 ad.a.u.ipc_id = isp->id; 3138 #endif 3139 rc = smk_curacc(msp, access, &ad); 3140 rc = smk_bu_current("msq", msp, access, rc); 3141 return rc; 3142 } 3143 3144 /** 3145 * smack_msg_queue_associate - Smack access check for msg_queue 3146 * @isp: the object 3147 * @msqflg: access requested 3148 * 3149 * Returns 0 if current has the requested access, error code otherwise 3150 */ 3151 static int smack_msg_queue_associate(struct kern_ipc_perm *isp, int msqflg) 3152 { 3153 int may; 3154 3155 may = smack_flags_to_may(msqflg); 3156 return smk_curacc_msq(isp, may); 3157 } 3158 3159 /** 3160 * smack_msg_queue_msgctl - Smack access check for msg_queue 3161 * @isp: the object 3162 * @cmd: what it wants to do 3163 * 3164 * Returns 0 if current has the requested access, error code otherwise 3165 */ 3166 static int smack_msg_queue_msgctl(struct kern_ipc_perm *isp, int cmd) 3167 { 3168 int may; 3169 3170 switch (cmd) { 3171 case IPC_STAT: 3172 case MSG_STAT: 3173 case MSG_STAT_ANY: 3174 may = MAY_READ; 3175 break; 3176 case IPC_SET: 3177 case IPC_RMID: 3178 may = MAY_READWRITE; 3179 break; 3180 case IPC_INFO: 3181 case MSG_INFO: 3182 /* 3183 * System level information 3184 */ 3185 return 0; 3186 default: 3187 return -EINVAL; 3188 } 3189 3190 return smk_curacc_msq(isp, may); 3191 } 3192 3193 /** 3194 * smack_msg_queue_msgsnd - Smack access check for msg_queue 3195 * @isp: the object 3196 * @msg: unused 3197 * @msqflg: access requested 3198 * 3199 * Returns 0 if current has the requested access, error code otherwise 3200 */ 3201 static int smack_msg_queue_msgsnd(struct kern_ipc_perm *isp, struct msg_msg *msg, 3202 int msqflg) 3203 { 3204 int may; 3205 3206 may = smack_flags_to_may(msqflg); 3207 return smk_curacc_msq(isp, may); 3208 } 3209 3210 /** 3211 * smack_msg_queue_msgsnd - Smack access check for msg_queue 3212 * @isp: the object 3213 * @msg: unused 3214 * @target: unused 3215 * @type: unused 3216 * @mode: unused 3217 * 3218 * Returns 0 if current has read and write access, error code otherwise 3219 */ 3220 static int smack_msg_queue_msgrcv(struct kern_ipc_perm *isp, struct msg_msg *msg, 3221 struct task_struct *target, long type, int mode) 3222 { 3223 return smk_curacc_msq(isp, MAY_READWRITE); 3224 } 3225 3226 /** 3227 * smack_ipc_permission - Smack access for ipc_permission() 3228 * @ipp: the object permissions 3229 * @flag: access requested 3230 * 3231 * Returns 0 if current has read and write access, error code otherwise 3232 */ 3233 static int smack_ipc_permission(struct kern_ipc_perm *ipp, short flag) 3234 { 3235 struct smack_known **blob = smack_ipc(ipp); 3236 struct smack_known *iskp = *blob; 3237 int may = smack_flags_to_may(flag); 3238 struct smk_audit_info ad; 3239 int rc; 3240 3241 #ifdef CONFIG_AUDIT 3242 smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_IPC); 3243 ad.a.u.ipc_id = ipp->id; 3244 #endif 3245 rc = smk_curacc(iskp, may, &ad); 3246 rc = smk_bu_current("svipc", iskp, may, rc); 3247 return rc; 3248 } 3249 3250 /** 3251 * smack_ipc_getsecid - Extract smack security id 3252 * @ipp: the object permissions 3253 * @secid: where result will be saved 3254 */ 3255 static void smack_ipc_getsecid(struct kern_ipc_perm *ipp, u32 *secid) 3256 { 3257 struct smack_known **blob = smack_ipc(ipp); 3258 struct smack_known *iskp = *blob; 3259 3260 *secid = iskp->smk_secid; 3261 } 3262 3263 /** 3264 * smack_d_instantiate - Make sure the blob is correct on an inode 3265 * @opt_dentry: dentry where inode will be attached 3266 * @inode: the object 3267 * 3268 * Set the inode's security blob if it hasn't been done already. 3269 */ 3270 static void smack_d_instantiate(struct dentry *opt_dentry, struct inode *inode) 3271 { 3272 struct super_block *sbp; 3273 struct superblock_smack *sbsp; 3274 struct inode_smack *isp; 3275 struct smack_known *skp; 3276 struct smack_known *ckp = smk_of_current(); 3277 struct smack_known *final; 3278 char trattr[TRANS_TRUE_SIZE]; 3279 int transflag = 0; 3280 int rc; 3281 struct dentry *dp; 3282 3283 if (inode == NULL) 3284 return; 3285 3286 isp = smack_inode(inode); 3287 3288 mutex_lock(&isp->smk_lock); 3289 /* 3290 * If the inode is already instantiated 3291 * take the quick way out 3292 */ 3293 if (isp->smk_flags & SMK_INODE_INSTANT) 3294 goto unlockandout; 3295 3296 sbp = inode->i_sb; 3297 sbsp = sbp->s_security; 3298 /* 3299 * We're going to use the superblock default label 3300 * if there's no label on the file. 3301 */ 3302 final = sbsp->smk_default; 3303 3304 /* 3305 * If this is the root inode the superblock 3306 * may be in the process of initialization. 3307 * If that is the case use the root value out 3308 * of the superblock. 3309 */ 3310 if (opt_dentry->d_parent == opt_dentry) { 3311 switch (sbp->s_magic) { 3312 case CGROUP_SUPER_MAGIC: 3313 case CGROUP2_SUPER_MAGIC: 3314 /* 3315 * The cgroup filesystem is never mounted, 3316 * so there's no opportunity to set the mount 3317 * options. 3318 */ 3319 sbsp->smk_root = &smack_known_star; 3320 sbsp->smk_default = &smack_known_star; 3321 isp->smk_inode = sbsp->smk_root; 3322 break; 3323 case TMPFS_MAGIC: 3324 /* 3325 * What about shmem/tmpfs anonymous files with dentry 3326 * obtained from d_alloc_pseudo()? 3327 */ 3328 isp->smk_inode = smk_of_current(); 3329 break; 3330 case PIPEFS_MAGIC: 3331 isp->smk_inode = smk_of_current(); 3332 break; 3333 case SOCKFS_MAGIC: 3334 /* 3335 * Socket access is controlled by the socket 3336 * structures associated with the task involved. 3337 */ 3338 isp->smk_inode = &smack_known_star; 3339 break; 3340 default: 3341 isp->smk_inode = sbsp->smk_root; 3342 break; 3343 } 3344 isp->smk_flags |= SMK_INODE_INSTANT; 3345 goto unlockandout; 3346 } 3347 3348 /* 3349 * This is pretty hackish. 3350 * Casey says that we shouldn't have to do 3351 * file system specific code, but it does help 3352 * with keeping it simple. 3353 */ 3354 switch (sbp->s_magic) { 3355 case SMACK_MAGIC: 3356 case CGROUP_SUPER_MAGIC: 3357 case CGROUP2_SUPER_MAGIC: 3358 /* 3359 * Casey says that it's a little embarrassing 3360 * that the smack file system doesn't do 3361 * extended attributes. 3362 * 3363 * Cgroupfs is special 3364 */ 3365 final = &smack_known_star; 3366 break; 3367 case DEVPTS_SUPER_MAGIC: 3368 /* 3369 * devpts seems content with the label of the task. 3370 * Programs that change smack have to treat the 3371 * pty with respect. 3372 */ 3373 final = ckp; 3374 break; 3375 case PROC_SUPER_MAGIC: 3376 /* 3377 * Casey says procfs appears not to care. 3378 * The superblock default suffices. 3379 */ 3380 break; 3381 case TMPFS_MAGIC: 3382 /* 3383 * Device labels should come from the filesystem, 3384 * but watch out, because they're volitile, 3385 * getting recreated on every reboot. 3386 */ 3387 final = &smack_known_star; 3388 /* 3389 * If a smack value has been set we want to use it, 3390 * but since tmpfs isn't giving us the opportunity 3391 * to set mount options simulate setting the 3392 * superblock default. 3393 */ 3394 /* Fall through */ 3395 default: 3396 /* 3397 * This isn't an understood special case. 3398 * Get the value from the xattr. 3399 */ 3400 3401 /* 3402 * UNIX domain sockets use lower level socket data. 3403 */ 3404 if (S_ISSOCK(inode->i_mode)) { 3405 final = &smack_known_star; 3406 break; 3407 } 3408 /* 3409 * No xattr support means, alas, no SMACK label. 3410 * Use the aforeapplied default. 3411 * It would be curious if the label of the task 3412 * does not match that assigned. 3413 */ 3414 if (!(inode->i_opflags & IOP_XATTR)) 3415 break; 3416 /* 3417 * Get the dentry for xattr. 3418 */ 3419 dp = dget(opt_dentry); 3420 skp = smk_fetch(XATTR_NAME_SMACK, inode, dp); 3421 if (!IS_ERR_OR_NULL(skp)) 3422 final = skp; 3423 3424 /* 3425 * Transmuting directory 3426 */ 3427 if (S_ISDIR(inode->i_mode)) { 3428 /* 3429 * If this is a new directory and the label was 3430 * transmuted when the inode was initialized 3431 * set the transmute attribute on the directory 3432 * and mark the inode. 3433 * 3434 * If there is a transmute attribute on the 3435 * directory mark the inode. 3436 */ 3437 if (isp->smk_flags & SMK_INODE_CHANGED) { 3438 isp->smk_flags &= ~SMK_INODE_CHANGED; 3439 rc = __vfs_setxattr(dp, inode, 3440 XATTR_NAME_SMACKTRANSMUTE, 3441 TRANS_TRUE, TRANS_TRUE_SIZE, 3442 0); 3443 } else { 3444 rc = __vfs_getxattr(dp, inode, 3445 XATTR_NAME_SMACKTRANSMUTE, trattr, 3446 TRANS_TRUE_SIZE); 3447 if (rc >= 0 && strncmp(trattr, TRANS_TRUE, 3448 TRANS_TRUE_SIZE) != 0) 3449 rc = -EINVAL; 3450 } 3451 if (rc >= 0) 3452 transflag = SMK_INODE_TRANSMUTE; 3453 } 3454 /* 3455 * Don't let the exec or mmap label be "*" or "@". 3456 */ 3457 skp = smk_fetch(XATTR_NAME_SMACKEXEC, inode, dp); 3458 if (IS_ERR(skp) || skp == &smack_known_star || 3459 skp == &smack_known_web) 3460 skp = NULL; 3461 isp->smk_task = skp; 3462 3463 skp = smk_fetch(XATTR_NAME_SMACKMMAP, inode, dp); 3464 if (IS_ERR(skp) || skp == &smack_known_star || 3465 skp == &smack_known_web) 3466 skp = NULL; 3467 isp->smk_mmap = skp; 3468 3469 dput(dp); 3470 break; 3471 } 3472 3473 if (final == NULL) 3474 isp->smk_inode = ckp; 3475 else 3476 isp->smk_inode = final; 3477 3478 isp->smk_flags |= (SMK_INODE_INSTANT | transflag); 3479 3480 unlockandout: 3481 mutex_unlock(&isp->smk_lock); 3482 return; 3483 } 3484 3485 /** 3486 * smack_getprocattr - Smack process attribute access 3487 * @p: the object task 3488 * @name: the name of the attribute in /proc/.../attr 3489 * @value: where to put the result 3490 * 3491 * Places a copy of the task Smack into value 3492 * 3493 * Returns the length of the smack label or an error code 3494 */ 3495 static int smack_getprocattr(struct task_struct *p, char *name, char **value) 3496 { 3497 struct smack_known *skp = smk_of_task_struct(p); 3498 char *cp; 3499 int slen; 3500 3501 if (strcmp(name, "current") != 0) 3502 return -EINVAL; 3503 3504 cp = kstrdup(skp->smk_known, GFP_KERNEL); 3505 if (cp == NULL) 3506 return -ENOMEM; 3507 3508 slen = strlen(cp); 3509 *value = cp; 3510 return slen; 3511 } 3512 3513 /** 3514 * smack_setprocattr - Smack process attribute setting 3515 * @name: the name of the attribute in /proc/.../attr 3516 * @value: the value to set 3517 * @size: the size of the value 3518 * 3519 * Sets the Smack value of the task. Only setting self 3520 * is permitted and only with privilege 3521 * 3522 * Returns the length of the smack label or an error code 3523 */ 3524 static int smack_setprocattr(const char *name, void *value, size_t size) 3525 { 3526 struct task_smack *tsp = smack_cred(current_cred()); 3527 struct cred *new; 3528 struct smack_known *skp; 3529 struct smack_known_list_elem *sklep; 3530 int rc; 3531 3532 if (!smack_privileged(CAP_MAC_ADMIN) && list_empty(&tsp->smk_relabel)) 3533 return -EPERM; 3534 3535 if (value == NULL || size == 0 || size >= SMK_LONGLABEL) 3536 return -EINVAL; 3537 3538 if (strcmp(name, "current") != 0) 3539 return -EINVAL; 3540 3541 skp = smk_import_entry(value, size); 3542 if (IS_ERR(skp)) 3543 return PTR_ERR(skp); 3544 3545 /* 3546 * No process is ever allowed the web ("@") label 3547 * and the star ("*") label. 3548 */ 3549 if (skp == &smack_known_web || skp == &smack_known_star) 3550 return -EINVAL; 3551 3552 if (!smack_privileged(CAP_MAC_ADMIN)) { 3553 rc = -EPERM; 3554 list_for_each_entry(sklep, &tsp->smk_relabel, list) 3555 if (sklep->smk_label == skp) { 3556 rc = 0; 3557 break; 3558 } 3559 if (rc) 3560 return rc; 3561 } 3562 3563 new = prepare_creds(); 3564 if (new == NULL) 3565 return -ENOMEM; 3566 3567 tsp = smack_cred(new); 3568 tsp->smk_task = skp; 3569 /* 3570 * process can change its label only once 3571 */ 3572 smk_destroy_label_list(&tsp->smk_relabel); 3573 3574 commit_creds(new); 3575 return size; 3576 } 3577 3578 /** 3579 * smack_unix_stream_connect - Smack access on UDS 3580 * @sock: one sock 3581 * @other: the other sock 3582 * @newsk: unused 3583 * 3584 * Return 0 if a subject with the smack of sock could access 3585 * an object with the smack of other, otherwise an error code 3586 */ 3587 static int smack_unix_stream_connect(struct sock *sock, 3588 struct sock *other, struct sock *newsk) 3589 { 3590 struct smack_known *skp; 3591 struct smack_known *okp; 3592 struct socket_smack *ssp = sock->sk_security; 3593 struct socket_smack *osp = other->sk_security; 3594 struct socket_smack *nsp = newsk->sk_security; 3595 struct smk_audit_info ad; 3596 int rc = 0; 3597 #ifdef CONFIG_AUDIT 3598 struct lsm_network_audit net; 3599 #endif 3600 3601 if (!smack_privileged(CAP_MAC_OVERRIDE)) { 3602 skp = ssp->smk_out; 3603 okp = osp->smk_in; 3604 #ifdef CONFIG_AUDIT 3605 smk_ad_init_net(&ad, __func__, LSM_AUDIT_DATA_NET, &net); 3606 smk_ad_setfield_u_net_sk(&ad, other); 3607 #endif 3608 rc = smk_access(skp, okp, MAY_WRITE, &ad); 3609 rc = smk_bu_note("UDS connect", skp, okp, MAY_WRITE, rc); 3610 if (rc == 0) { 3611 okp = osp->smk_out; 3612 skp = ssp->smk_in; 3613 rc = smk_access(okp, skp, MAY_WRITE, &ad); 3614 rc = smk_bu_note("UDS connect", okp, skp, 3615 MAY_WRITE, rc); 3616 } 3617 } 3618 3619 /* 3620 * Cross reference the peer labels for SO_PEERSEC. 3621 */ 3622 if (rc == 0) { 3623 nsp->smk_packet = ssp->smk_out; 3624 ssp->smk_packet = osp->smk_out; 3625 } 3626 3627 return rc; 3628 } 3629 3630 /** 3631 * smack_unix_may_send - Smack access on UDS 3632 * @sock: one socket 3633 * @other: the other socket 3634 * 3635 * Return 0 if a subject with the smack of sock could access 3636 * an object with the smack of other, otherwise an error code 3637 */ 3638 static int smack_unix_may_send(struct socket *sock, struct socket *other) 3639 { 3640 struct socket_smack *ssp = sock->sk->sk_security; 3641 struct socket_smack *osp = other->sk->sk_security; 3642 struct smk_audit_info ad; 3643 int rc; 3644 3645 #ifdef CONFIG_AUDIT 3646 struct lsm_network_audit net; 3647 3648 smk_ad_init_net(&ad, __func__, LSM_AUDIT_DATA_NET, &net); 3649 smk_ad_setfield_u_net_sk(&ad, other->sk); 3650 #endif 3651 3652 if (smack_privileged(CAP_MAC_OVERRIDE)) 3653 return 0; 3654 3655 rc = smk_access(ssp->smk_out, osp->smk_in, MAY_WRITE, &ad); 3656 rc = smk_bu_note("UDS send", ssp->smk_out, osp->smk_in, MAY_WRITE, rc); 3657 return rc; 3658 } 3659 3660 /** 3661 * smack_socket_sendmsg - Smack check based on destination host 3662 * @sock: the socket 3663 * @msg: the message 3664 * @size: the size of the message 3665 * 3666 * Return 0 if the current subject can write to the destination host. 3667 * For IPv4 this is only a question if the destination is a single label host. 3668 * For IPv6 this is a check against the label of the port. 3669 */ 3670 static int smack_socket_sendmsg(struct socket *sock, struct msghdr *msg, 3671 int size) 3672 { 3673 struct sockaddr_in *sip = (struct sockaddr_in *) msg->msg_name; 3674 #if IS_ENABLED(CONFIG_IPV6) 3675 struct sockaddr_in6 *sap = (struct sockaddr_in6 *) msg->msg_name; 3676 #endif 3677 #ifdef SMACK_IPV6_SECMARK_LABELING 3678 struct socket_smack *ssp = sock->sk->sk_security; 3679 struct smack_known *rsp; 3680 #endif 3681 int rc = 0; 3682 3683 /* 3684 * Perfectly reasonable for this to be NULL 3685 */ 3686 if (sip == NULL) 3687 return 0; 3688 3689 switch (sock->sk->sk_family) { 3690 case AF_INET: 3691 if (msg->msg_namelen < sizeof(struct sockaddr_in) || 3692 sip->sin_family != AF_INET) 3693 return -EINVAL; 3694 rc = smack_netlabel_send(sock->sk, sip); 3695 break; 3696 #if IS_ENABLED(CONFIG_IPV6) 3697 case AF_INET6: 3698 if (msg->msg_namelen < SIN6_LEN_RFC2133 || 3699 sap->sin6_family != AF_INET6) 3700 return -EINVAL; 3701 #ifdef SMACK_IPV6_SECMARK_LABELING 3702 rsp = smack_ipv6host_label(sap); 3703 if (rsp != NULL) 3704 rc = smk_ipv6_check(ssp->smk_out, rsp, sap, 3705 SMK_CONNECTING); 3706 #endif 3707 #ifdef SMACK_IPV6_PORT_LABELING 3708 rc = smk_ipv6_port_check(sock->sk, sap, SMK_SENDING); 3709 #endif 3710 #endif /* IS_ENABLED(CONFIG_IPV6) */ 3711 break; 3712 } 3713 return rc; 3714 } 3715 3716 /** 3717 * smack_from_secattr - Convert a netlabel attr.mls.lvl/attr.mls.cat pair to smack 3718 * @sap: netlabel secattr 3719 * @ssp: socket security information 3720 * 3721 * Returns a pointer to a Smack label entry found on the label list. 3722 */ 3723 static struct smack_known *smack_from_secattr(struct netlbl_lsm_secattr *sap, 3724 struct socket_smack *ssp) 3725 { 3726 struct smack_known *skp; 3727 int found = 0; 3728 int acat; 3729 int kcat; 3730 3731 if ((sap->flags & NETLBL_SECATTR_MLS_LVL) != 0) { 3732 /* 3733 * Looks like a CIPSO packet. 3734 * If there are flags but no level netlabel isn't 3735 * behaving the way we expect it to. 3736 * 3737 * Look it up in the label table 3738 * Without guidance regarding the smack value 3739 * for the packet fall back on the network 3740 * ambient value. 3741 */ 3742 rcu_read_lock(); 3743 list_for_each_entry_rcu(skp, &smack_known_list, list) { 3744 if (sap->attr.mls.lvl != skp->smk_netlabel.attr.mls.lvl) 3745 continue; 3746 /* 3747 * Compare the catsets. Use the netlbl APIs. 3748 */ 3749 if ((sap->flags & NETLBL_SECATTR_MLS_CAT) == 0) { 3750 if ((skp->smk_netlabel.flags & 3751 NETLBL_SECATTR_MLS_CAT) == 0) 3752 found = 1; 3753 break; 3754 } 3755 for (acat = -1, kcat = -1; acat == kcat; ) { 3756 acat = netlbl_catmap_walk(sap->attr.mls.cat, 3757 acat + 1); 3758 kcat = netlbl_catmap_walk( 3759 skp->smk_netlabel.attr.mls.cat, 3760 kcat + 1); 3761 if (acat < 0 || kcat < 0) 3762 break; 3763 } 3764 if (acat == kcat) { 3765 found = 1; 3766 break; 3767 } 3768 } 3769 rcu_read_unlock(); 3770 3771 if (found) 3772 return skp; 3773 3774 if (ssp != NULL && ssp->smk_in == &smack_known_star) 3775 return &smack_known_web; 3776 return &smack_known_star; 3777 } 3778 if ((sap->flags & NETLBL_SECATTR_SECID) != 0) 3779 /* 3780 * Looks like a fallback, which gives us a secid. 3781 */ 3782 return smack_from_secid(sap->attr.secid); 3783 /* 3784 * Without guidance regarding the smack value 3785 * for the packet fall back on the network 3786 * ambient value. 3787 */ 3788 return smack_net_ambient; 3789 } 3790 3791 #if IS_ENABLED(CONFIG_IPV6) 3792 static int smk_skb_to_addr_ipv6(struct sk_buff *skb, struct sockaddr_in6 *sip) 3793 { 3794 u8 nexthdr; 3795 int offset; 3796 int proto = -EINVAL; 3797 struct ipv6hdr _ipv6h; 3798 struct ipv6hdr *ip6; 3799 __be16 frag_off; 3800 struct tcphdr _tcph, *th; 3801 struct udphdr _udph, *uh; 3802 struct dccp_hdr _dccph, *dh; 3803 3804 sip->sin6_port = 0; 3805 3806 offset = skb_network_offset(skb); 3807 ip6 = skb_header_pointer(skb, offset, sizeof(_ipv6h), &_ipv6h); 3808 if (ip6 == NULL) 3809 return -EINVAL; 3810 sip->sin6_addr = ip6->saddr; 3811 3812 nexthdr = ip6->nexthdr; 3813 offset += sizeof(_ipv6h); 3814 offset = ipv6_skip_exthdr(skb, offset, &nexthdr, &frag_off); 3815 if (offset < 0) 3816 return -EINVAL; 3817 3818 proto = nexthdr; 3819 switch (proto) { 3820 case IPPROTO_TCP: 3821 th = skb_header_pointer(skb, offset, sizeof(_tcph), &_tcph); 3822 if (th != NULL) 3823 sip->sin6_port = th->source; 3824 break; 3825 case IPPROTO_UDP: 3826 case IPPROTO_UDPLITE: 3827 uh = skb_header_pointer(skb, offset, sizeof(_udph), &_udph); 3828 if (uh != NULL) 3829 sip->sin6_port = uh->source; 3830 break; 3831 case IPPROTO_DCCP: 3832 dh = skb_header_pointer(skb, offset, sizeof(_dccph), &_dccph); 3833 if (dh != NULL) 3834 sip->sin6_port = dh->dccph_sport; 3835 break; 3836 } 3837 return proto; 3838 } 3839 #endif /* CONFIG_IPV6 */ 3840 3841 /** 3842 * smack_socket_sock_rcv_skb - Smack packet delivery access check 3843 * @sk: socket 3844 * @skb: packet 3845 * 3846 * Returns 0 if the packet should be delivered, an error code otherwise 3847 */ 3848 static int smack_socket_sock_rcv_skb(struct sock *sk, struct sk_buff *skb) 3849 { 3850 struct netlbl_lsm_secattr secattr; 3851 struct socket_smack *ssp = sk->sk_security; 3852 struct smack_known *skp = NULL; 3853 int rc = 0; 3854 struct smk_audit_info ad; 3855 u16 family = sk->sk_family; 3856 #ifdef CONFIG_AUDIT 3857 struct lsm_network_audit net; 3858 #endif 3859 #if IS_ENABLED(CONFIG_IPV6) 3860 struct sockaddr_in6 sadd; 3861 int proto; 3862 3863 if (family == PF_INET6 && skb->protocol == htons(ETH_P_IP)) 3864 family = PF_INET; 3865 #endif /* CONFIG_IPV6 */ 3866 3867 switch (family) { 3868 case PF_INET: 3869 #ifdef CONFIG_SECURITY_SMACK_NETFILTER 3870 /* 3871 * If there is a secmark use it rather than the CIPSO label. 3872 * If there is no secmark fall back to CIPSO. 3873 * The secmark is assumed to reflect policy better. 3874 */ 3875 if (skb && skb->secmark != 0) { 3876 skp = smack_from_secid(skb->secmark); 3877 goto access_check; 3878 } 3879 #endif /* CONFIG_SECURITY_SMACK_NETFILTER */ 3880 /* 3881 * Translate what netlabel gave us. 3882 */ 3883 netlbl_secattr_init(&secattr); 3884 3885 rc = netlbl_skbuff_getattr(skb, family, &secattr); 3886 if (rc == 0) 3887 skp = smack_from_secattr(&secattr, ssp); 3888 else 3889 skp = smack_net_ambient; 3890 3891 netlbl_secattr_destroy(&secattr); 3892 3893 #ifdef CONFIG_SECURITY_SMACK_NETFILTER 3894 access_check: 3895 #endif 3896 #ifdef CONFIG_AUDIT 3897 smk_ad_init_net(&ad, __func__, LSM_AUDIT_DATA_NET, &net); 3898 ad.a.u.net->family = family; 3899 ad.a.u.net->netif = skb->skb_iif; 3900 ipv4_skb_to_auditdata(skb, &ad.a, NULL); 3901 #endif 3902 /* 3903 * Receiving a packet requires that the other end 3904 * be able to write here. Read access is not required. 3905 * This is the simplist possible security model 3906 * for networking. 3907 */ 3908 rc = smk_access(skp, ssp->smk_in, MAY_WRITE, &ad); 3909 rc = smk_bu_note("IPv4 delivery", skp, ssp->smk_in, 3910 MAY_WRITE, rc); 3911 if (rc != 0) 3912 netlbl_skbuff_err(skb, family, rc, 0); 3913 break; 3914 #if IS_ENABLED(CONFIG_IPV6) 3915 case PF_INET6: 3916 proto = smk_skb_to_addr_ipv6(skb, &sadd); 3917 if (proto != IPPROTO_UDP && proto != IPPROTO_UDPLITE && 3918 proto != IPPROTO_TCP && proto != IPPROTO_DCCP) 3919 break; 3920 #ifdef SMACK_IPV6_SECMARK_LABELING 3921 if (skb && skb->secmark != 0) 3922 skp = smack_from_secid(skb->secmark); 3923 else if (smk_ipv6_localhost(&sadd)) 3924 break; 3925 else 3926 skp = smack_ipv6host_label(&sadd); 3927 if (skp == NULL) 3928 skp = smack_net_ambient; 3929 #ifdef CONFIG_AUDIT 3930 smk_ad_init_net(&ad, __func__, LSM_AUDIT_DATA_NET, &net); 3931 ad.a.u.net->family = family; 3932 ad.a.u.net->netif = skb->skb_iif; 3933 ipv6_skb_to_auditdata(skb, &ad.a, NULL); 3934 #endif /* CONFIG_AUDIT */ 3935 rc = smk_access(skp, ssp->smk_in, MAY_WRITE, &ad); 3936 rc = smk_bu_note("IPv6 delivery", skp, ssp->smk_in, 3937 MAY_WRITE, rc); 3938 #endif /* SMACK_IPV6_SECMARK_LABELING */ 3939 #ifdef SMACK_IPV6_PORT_LABELING 3940 rc = smk_ipv6_port_check(sk, &sadd, SMK_RECEIVING); 3941 #endif /* SMACK_IPV6_PORT_LABELING */ 3942 if (rc != 0) 3943 icmpv6_send(skb, ICMPV6_DEST_UNREACH, 3944 ICMPV6_ADM_PROHIBITED, 0); 3945 break; 3946 #endif /* CONFIG_IPV6 */ 3947 } 3948 3949 return rc; 3950 } 3951 3952 /** 3953 * smack_socket_getpeersec_stream - pull in packet label 3954 * @sock: the socket 3955 * @optval: user's destination 3956 * @optlen: size thereof 3957 * @len: max thereof 3958 * 3959 * returns zero on success, an error code otherwise 3960 */ 3961 static int smack_socket_getpeersec_stream(struct socket *sock, 3962 char __user *optval, 3963 int __user *optlen, unsigned len) 3964 { 3965 struct socket_smack *ssp; 3966 char *rcp = ""; 3967 int slen = 1; 3968 int rc = 0; 3969 3970 ssp = sock->sk->sk_security; 3971 if (ssp->smk_packet != NULL) { 3972 rcp = ssp->smk_packet->smk_known; 3973 slen = strlen(rcp) + 1; 3974 } 3975 3976 if (slen > len) 3977 rc = -ERANGE; 3978 else if (copy_to_user(optval, rcp, slen) != 0) 3979 rc = -EFAULT; 3980 3981 if (put_user(slen, optlen) != 0) 3982 rc = -EFAULT; 3983 3984 return rc; 3985 } 3986 3987 3988 /** 3989 * smack_socket_getpeersec_dgram - pull in packet label 3990 * @sock: the peer socket 3991 * @skb: packet data 3992 * @secid: pointer to where to put the secid of the packet 3993 * 3994 * Sets the netlabel socket state on sk from parent 3995 */ 3996 static int smack_socket_getpeersec_dgram(struct socket *sock, 3997 struct sk_buff *skb, u32 *secid) 3998 3999 { 4000 struct netlbl_lsm_secattr secattr; 4001 struct socket_smack *ssp = NULL; 4002 struct smack_known *skp; 4003 int family = PF_UNSPEC; 4004 u32 s = 0; /* 0 is the invalid secid */ 4005 int rc; 4006 4007 if (skb != NULL) { 4008 if (skb->protocol == htons(ETH_P_IP)) 4009 family = PF_INET; 4010 #if IS_ENABLED(CONFIG_IPV6) 4011 else if (skb->protocol == htons(ETH_P_IPV6)) 4012 family = PF_INET6; 4013 #endif /* CONFIG_IPV6 */ 4014 } 4015 if (family == PF_UNSPEC && sock != NULL) 4016 family = sock->sk->sk_family; 4017 4018 switch (family) { 4019 case PF_UNIX: 4020 ssp = sock->sk->sk_security; 4021 s = ssp->smk_out->smk_secid; 4022 break; 4023 case PF_INET: 4024 #ifdef CONFIG_SECURITY_SMACK_NETFILTER 4025 s = skb->secmark; 4026 if (s != 0) 4027 break; 4028 #endif 4029 /* 4030 * Translate what netlabel gave us. 4031 */ 4032 if (sock != NULL && sock->sk != NULL) 4033 ssp = sock->sk->sk_security; 4034 netlbl_secattr_init(&secattr); 4035 rc = netlbl_skbuff_getattr(skb, family, &secattr); 4036 if (rc == 0) { 4037 skp = smack_from_secattr(&secattr, ssp); 4038 s = skp->smk_secid; 4039 } 4040 netlbl_secattr_destroy(&secattr); 4041 break; 4042 case PF_INET6: 4043 #ifdef SMACK_IPV6_SECMARK_LABELING 4044 s = skb->secmark; 4045 #endif 4046 break; 4047 } 4048 *secid = s; 4049 if (s == 0) 4050 return -EINVAL; 4051 return 0; 4052 } 4053 4054 /** 4055 * smack_sock_graft - Initialize a newly created socket with an existing sock 4056 * @sk: child sock 4057 * @parent: parent socket 4058 * 4059 * Set the smk_{in,out} state of an existing sock based on the process that 4060 * is creating the new socket. 4061 */ 4062 static void smack_sock_graft(struct sock *sk, struct socket *parent) 4063 { 4064 struct socket_smack *ssp; 4065 struct smack_known *skp = smk_of_current(); 4066 4067 if (sk == NULL || 4068 (sk->sk_family != PF_INET && sk->sk_family != PF_INET6)) 4069 return; 4070 4071 ssp = sk->sk_security; 4072 ssp->smk_in = skp; 4073 ssp->smk_out = skp; 4074 /* cssp->smk_packet is already set in smack_inet_csk_clone() */ 4075 } 4076 4077 /** 4078 * smack_inet_conn_request - Smack access check on connect 4079 * @sk: socket involved 4080 * @skb: packet 4081 * @req: unused 4082 * 4083 * Returns 0 if a task with the packet label could write to 4084 * the socket, otherwise an error code 4085 */ 4086 static int smack_inet_conn_request(struct sock *sk, struct sk_buff *skb, 4087 struct request_sock *req) 4088 { 4089 u16 family = sk->sk_family; 4090 struct smack_known *skp; 4091 struct socket_smack *ssp = sk->sk_security; 4092 struct netlbl_lsm_secattr secattr; 4093 struct sockaddr_in addr; 4094 struct iphdr *hdr; 4095 struct smack_known *hskp; 4096 int rc; 4097 struct smk_audit_info ad; 4098 #ifdef CONFIG_AUDIT 4099 struct lsm_network_audit net; 4100 #endif 4101 4102 #if IS_ENABLED(CONFIG_IPV6) 4103 if (family == PF_INET6) { 4104 /* 4105 * Handle mapped IPv4 packets arriving 4106 * via IPv6 sockets. Don't set up netlabel 4107 * processing on IPv6. 4108 */ 4109 if (skb->protocol == htons(ETH_P_IP)) 4110 family = PF_INET; 4111 else 4112 return 0; 4113 } 4114 #endif /* CONFIG_IPV6 */ 4115 4116 #ifdef CONFIG_SECURITY_SMACK_NETFILTER 4117 /* 4118 * If there is a secmark use it rather than the CIPSO label. 4119 * If there is no secmark fall back to CIPSO. 4120 * The secmark is assumed to reflect policy better. 4121 */ 4122 if (skb && skb->secmark != 0) { 4123 skp = smack_from_secid(skb->secmark); 4124 goto access_check; 4125 } 4126 #endif /* CONFIG_SECURITY_SMACK_NETFILTER */ 4127 4128 netlbl_secattr_init(&secattr); 4129 rc = netlbl_skbuff_getattr(skb, family, &secattr); 4130 if (rc == 0) 4131 skp = smack_from_secattr(&secattr, ssp); 4132 else 4133 skp = &smack_known_huh; 4134 netlbl_secattr_destroy(&secattr); 4135 4136 #ifdef CONFIG_SECURITY_SMACK_NETFILTER 4137 access_check: 4138 #endif 4139 4140 #ifdef CONFIG_AUDIT 4141 smk_ad_init_net(&ad, __func__, LSM_AUDIT_DATA_NET, &net); 4142 ad.a.u.net->family = family; 4143 ad.a.u.net->netif = skb->skb_iif; 4144 ipv4_skb_to_auditdata(skb, &ad.a, NULL); 4145 #endif 4146 /* 4147 * Receiving a packet requires that the other end be able to write 4148 * here. Read access is not required. 4149 */ 4150 rc = smk_access(skp, ssp->smk_in, MAY_WRITE, &ad); 4151 rc = smk_bu_note("IPv4 connect", skp, ssp->smk_in, MAY_WRITE, rc); 4152 if (rc != 0) 4153 return rc; 4154 4155 /* 4156 * Save the peer's label in the request_sock so we can later setup 4157 * smk_packet in the child socket so that SO_PEERCRED can report it. 4158 */ 4159 req->peer_secid = skp->smk_secid; 4160 4161 /* 4162 * We need to decide if we want to label the incoming connection here 4163 * if we do we only need to label the request_sock and the stack will 4164 * propagate the wire-label to the sock when it is created. 4165 */ 4166 hdr = ip_hdr(skb); 4167 addr.sin_addr.s_addr = hdr->saddr; 4168 rcu_read_lock(); 4169 hskp = smack_ipv4host_label(&addr); 4170 rcu_read_unlock(); 4171 4172 if (hskp == NULL) 4173 rc = netlbl_req_setattr(req, &skp->smk_netlabel); 4174 else 4175 netlbl_req_delattr(req); 4176 4177 return rc; 4178 } 4179 4180 /** 4181 * smack_inet_csk_clone - Copy the connection information to the new socket 4182 * @sk: the new socket 4183 * @req: the connection's request_sock 4184 * 4185 * Transfer the connection's peer label to the newly created socket. 4186 */ 4187 static void smack_inet_csk_clone(struct sock *sk, 4188 const struct request_sock *req) 4189 { 4190 struct socket_smack *ssp = sk->sk_security; 4191 struct smack_known *skp; 4192 4193 if (req->peer_secid != 0) { 4194 skp = smack_from_secid(req->peer_secid); 4195 ssp->smk_packet = skp; 4196 } else 4197 ssp->smk_packet = NULL; 4198 } 4199 4200 /* 4201 * Key management security hooks 4202 * 4203 * Casey has not tested key support very heavily. 4204 * The permission check is most likely too restrictive. 4205 * If you care about keys please have a look. 4206 */ 4207 #ifdef CONFIG_KEYS 4208 4209 /** 4210 * smack_key_alloc - Set the key security blob 4211 * @key: object 4212 * @cred: the credentials to use 4213 * @flags: unused 4214 * 4215 * No allocation required 4216 * 4217 * Returns 0 4218 */ 4219 static int smack_key_alloc(struct key *key, const struct cred *cred, 4220 unsigned long flags) 4221 { 4222 struct smack_known *skp = smk_of_task(smack_cred(cred)); 4223 4224 key->security = skp; 4225 return 0; 4226 } 4227 4228 /** 4229 * smack_key_free - Clear the key security blob 4230 * @key: the object 4231 * 4232 * Clear the blob pointer 4233 */ 4234 static void smack_key_free(struct key *key) 4235 { 4236 key->security = NULL; 4237 } 4238 4239 /** 4240 * smack_key_permission - Smack access on a key 4241 * @key_ref: gets to the object 4242 * @cred: the credentials to use 4243 * @perm: requested key permissions 4244 * 4245 * Return 0 if the task has read and write to the object, 4246 * an error code otherwise 4247 */ 4248 static int smack_key_permission(key_ref_t key_ref, 4249 const struct cred *cred, unsigned perm) 4250 { 4251 struct key *keyp; 4252 struct smk_audit_info ad; 4253 struct smack_known *tkp = smk_of_task(smack_cred(cred)); 4254 int request = 0; 4255 int rc; 4256 4257 /* 4258 * Validate requested permissions 4259 */ 4260 if (perm & ~KEY_NEED_ALL) 4261 return -EINVAL; 4262 4263 keyp = key_ref_to_ptr(key_ref); 4264 if (keyp == NULL) 4265 return -EINVAL; 4266 /* 4267 * If the key hasn't been initialized give it access so that 4268 * it may do so. 4269 */ 4270 if (keyp->security == NULL) 4271 return 0; 4272 /* 4273 * This should not occur 4274 */ 4275 if (tkp == NULL) 4276 return -EACCES; 4277 4278 if (smack_privileged_cred(CAP_MAC_OVERRIDE, cred)) 4279 return 0; 4280 4281 #ifdef CONFIG_AUDIT 4282 smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_KEY); 4283 ad.a.u.key_struct.key = keyp->serial; 4284 ad.a.u.key_struct.key_desc = keyp->description; 4285 #endif 4286 if (perm & (KEY_NEED_READ | KEY_NEED_SEARCH | KEY_NEED_VIEW)) 4287 request |= MAY_READ; 4288 if (perm & (KEY_NEED_WRITE | KEY_NEED_LINK | KEY_NEED_SETATTR)) 4289 request |= MAY_WRITE; 4290 rc = smk_access(tkp, keyp->security, request, &ad); 4291 rc = smk_bu_note("key access", tkp, keyp->security, request, rc); 4292 return rc; 4293 } 4294 4295 /* 4296 * smack_key_getsecurity - Smack label tagging the key 4297 * @key points to the key to be queried 4298 * @_buffer points to a pointer that should be set to point to the 4299 * resulting string (if no label or an error occurs). 4300 * Return the length of the string (including terminating NUL) or -ve if 4301 * an error. 4302 * May also return 0 (and a NULL buffer pointer) if there is no label. 4303 */ 4304 static int smack_key_getsecurity(struct key *key, char **_buffer) 4305 { 4306 struct smack_known *skp = key->security; 4307 size_t length; 4308 char *copy; 4309 4310 if (key->security == NULL) { 4311 *_buffer = NULL; 4312 return 0; 4313 } 4314 4315 copy = kstrdup(skp->smk_known, GFP_KERNEL); 4316 if (copy == NULL) 4317 return -ENOMEM; 4318 length = strlen(copy) + 1; 4319 4320 *_buffer = copy; 4321 return length; 4322 } 4323 4324 #endif /* CONFIG_KEYS */ 4325 4326 /* 4327 * Smack Audit hooks 4328 * 4329 * Audit requires a unique representation of each Smack specific 4330 * rule. This unique representation is used to distinguish the 4331 * object to be audited from remaining kernel objects and also 4332 * works as a glue between the audit hooks. 4333 * 4334 * Since repository entries are added but never deleted, we'll use 4335 * the smack_known label address related to the given audit rule as 4336 * the needed unique representation. This also better fits the smack 4337 * model where nearly everything is a label. 4338 */ 4339 #ifdef CONFIG_AUDIT 4340 4341 /** 4342 * smack_audit_rule_init - Initialize a smack audit rule 4343 * @field: audit rule fields given from user-space (audit.h) 4344 * @op: required testing operator (=, !=, >, <, ...) 4345 * @rulestr: smack label to be audited 4346 * @vrule: pointer to save our own audit rule representation 4347 * 4348 * Prepare to audit cases where (@field @op @rulestr) is true. 4349 * The label to be audited is created if necessay. 4350 */ 4351 static int smack_audit_rule_init(u32 field, u32 op, char *rulestr, void **vrule) 4352 { 4353 struct smack_known *skp; 4354 char **rule = (char **)vrule; 4355 *rule = NULL; 4356 4357 if (field != AUDIT_SUBJ_USER && field != AUDIT_OBJ_USER) 4358 return -EINVAL; 4359 4360 if (op != Audit_equal && op != Audit_not_equal) 4361 return -EINVAL; 4362 4363 skp = smk_import_entry(rulestr, 0); 4364 if (IS_ERR(skp)) 4365 return PTR_ERR(skp); 4366 4367 *rule = skp->smk_known; 4368 4369 return 0; 4370 } 4371 4372 /** 4373 * smack_audit_rule_known - Distinguish Smack audit rules 4374 * @krule: rule of interest, in Audit kernel representation format 4375 * 4376 * This is used to filter Smack rules from remaining Audit ones. 4377 * If it's proved that this rule belongs to us, the 4378 * audit_rule_match hook will be called to do the final judgement. 4379 */ 4380 static int smack_audit_rule_known(struct audit_krule *krule) 4381 { 4382 struct audit_field *f; 4383 int i; 4384 4385 for (i = 0; i < krule->field_count; i++) { 4386 f = &krule->fields[i]; 4387 4388 if (f->type == AUDIT_SUBJ_USER || f->type == AUDIT_OBJ_USER) 4389 return 1; 4390 } 4391 4392 return 0; 4393 } 4394 4395 /** 4396 * smack_audit_rule_match - Audit given object ? 4397 * @secid: security id for identifying the object to test 4398 * @field: audit rule flags given from user-space 4399 * @op: required testing operator 4400 * @vrule: smack internal rule presentation 4401 * 4402 * The core Audit hook. It's used to take the decision of 4403 * whether to audit or not to audit a given object. 4404 */ 4405 static int smack_audit_rule_match(u32 secid, u32 field, u32 op, void *vrule) 4406 { 4407 struct smack_known *skp; 4408 char *rule = vrule; 4409 4410 if (unlikely(!rule)) { 4411 WARN_ONCE(1, "Smack: missing rule\n"); 4412 return -ENOENT; 4413 } 4414 4415 if (field != AUDIT_SUBJ_USER && field != AUDIT_OBJ_USER) 4416 return 0; 4417 4418 skp = smack_from_secid(secid); 4419 4420 /* 4421 * No need to do string comparisons. If a match occurs, 4422 * both pointers will point to the same smack_known 4423 * label. 4424 */ 4425 if (op == Audit_equal) 4426 return (rule == skp->smk_known); 4427 if (op == Audit_not_equal) 4428 return (rule != skp->smk_known); 4429 4430 return 0; 4431 } 4432 4433 /* 4434 * There is no need for a smack_audit_rule_free hook. 4435 * No memory was allocated. 4436 */ 4437 4438 #endif /* CONFIG_AUDIT */ 4439 4440 /** 4441 * smack_ismaclabel - check if xattr @name references a smack MAC label 4442 * @name: Full xattr name to check. 4443 */ 4444 static int smack_ismaclabel(const char *name) 4445 { 4446 return (strcmp(name, XATTR_SMACK_SUFFIX) == 0); 4447 } 4448 4449 4450 /** 4451 * smack_secid_to_secctx - return the smack label for a secid 4452 * @secid: incoming integer 4453 * @secdata: destination 4454 * @seclen: how long it is 4455 * 4456 * Exists for networking code. 4457 */ 4458 static int smack_secid_to_secctx(u32 secid, char **secdata, u32 *seclen) 4459 { 4460 struct smack_known *skp = smack_from_secid(secid); 4461 4462 if (secdata) 4463 *secdata = skp->smk_known; 4464 *seclen = strlen(skp->smk_known); 4465 return 0; 4466 } 4467 4468 /** 4469 * smack_secctx_to_secid - return the secid for a smack label 4470 * @secdata: smack label 4471 * @seclen: how long result is 4472 * @secid: outgoing integer 4473 * 4474 * Exists for audit and networking code. 4475 */ 4476 static int smack_secctx_to_secid(const char *secdata, u32 seclen, u32 *secid) 4477 { 4478 struct smack_known *skp = smk_find_entry(secdata); 4479 4480 if (skp) 4481 *secid = skp->smk_secid; 4482 else 4483 *secid = 0; 4484 return 0; 4485 } 4486 4487 /* 4488 * There used to be a smack_release_secctx hook 4489 * that did nothing back when hooks were in a vector. 4490 * Now that there's a list such a hook adds cost. 4491 */ 4492 4493 static int smack_inode_notifysecctx(struct inode *inode, void *ctx, u32 ctxlen) 4494 { 4495 return smack_inode_setsecurity(inode, XATTR_SMACK_SUFFIX, ctx, ctxlen, 0); 4496 } 4497 4498 static int smack_inode_setsecctx(struct dentry *dentry, void *ctx, u32 ctxlen) 4499 { 4500 return __vfs_setxattr_noperm(dentry, XATTR_NAME_SMACK, ctx, ctxlen, 0); 4501 } 4502 4503 static int smack_inode_getsecctx(struct inode *inode, void **ctx, u32 *ctxlen) 4504 { 4505 struct smack_known *skp = smk_of_inode(inode); 4506 4507 *ctx = skp->smk_known; 4508 *ctxlen = strlen(skp->smk_known); 4509 return 0; 4510 } 4511 4512 static int smack_inode_copy_up(struct dentry *dentry, struct cred **new) 4513 { 4514 4515 struct task_smack *tsp; 4516 struct smack_known *skp; 4517 struct inode_smack *isp; 4518 struct cred *new_creds = *new; 4519 4520 if (new_creds == NULL) { 4521 new_creds = prepare_creds(); 4522 if (new_creds == NULL) 4523 return -ENOMEM; 4524 } 4525 4526 tsp = smack_cred(new_creds); 4527 4528 /* 4529 * Get label from overlay inode and set it in create_sid 4530 */ 4531 isp = smack_inode(d_inode(dentry->d_parent)); 4532 skp = isp->smk_inode; 4533 tsp->smk_task = skp; 4534 *new = new_creds; 4535 return 0; 4536 } 4537 4538 static int smack_inode_copy_up_xattr(const char *name) 4539 { 4540 /* 4541 * Return 1 if this is the smack access Smack attribute. 4542 */ 4543 if (strcmp(name, XATTR_NAME_SMACK) == 0) 4544 return 1; 4545 4546 return -EOPNOTSUPP; 4547 } 4548 4549 static int smack_dentry_create_files_as(struct dentry *dentry, int mode, 4550 struct qstr *name, 4551 const struct cred *old, 4552 struct cred *new) 4553 { 4554 struct task_smack *otsp = smack_cred(old); 4555 struct task_smack *ntsp = smack_cred(new); 4556 struct inode_smack *isp; 4557 int may; 4558 4559 /* 4560 * Use the process credential unless all of 4561 * the transmuting criteria are met 4562 */ 4563 ntsp->smk_task = otsp->smk_task; 4564 4565 /* 4566 * the attribute of the containing directory 4567 */ 4568 isp = smack_inode(d_inode(dentry->d_parent)); 4569 4570 if (isp->smk_flags & SMK_INODE_TRANSMUTE) { 4571 rcu_read_lock(); 4572 may = smk_access_entry(otsp->smk_task->smk_known, 4573 isp->smk_inode->smk_known, 4574 &otsp->smk_task->smk_rules); 4575 rcu_read_unlock(); 4576 4577 /* 4578 * If the directory is transmuting and the rule 4579 * providing access is transmuting use the containing 4580 * directory label instead of the process label. 4581 */ 4582 if (may > 0 && (may & MAY_TRANSMUTE)) 4583 ntsp->smk_task = isp->smk_inode; 4584 } 4585 return 0; 4586 } 4587 4588 struct lsm_blob_sizes smack_blob_sizes __lsm_ro_after_init = { 4589 .lbs_cred = sizeof(struct task_smack), 4590 .lbs_file = sizeof(struct smack_known *), 4591 .lbs_inode = sizeof(struct inode_smack), 4592 .lbs_ipc = sizeof(struct smack_known *), 4593 .lbs_msg_msg = sizeof(struct smack_known *), 4594 }; 4595 4596 static struct security_hook_list smack_hooks[] __lsm_ro_after_init = { 4597 LSM_HOOK_INIT(ptrace_access_check, smack_ptrace_access_check), 4598 LSM_HOOK_INIT(ptrace_traceme, smack_ptrace_traceme), 4599 LSM_HOOK_INIT(syslog, smack_syslog), 4600 4601 LSM_HOOK_INIT(fs_context_dup, smack_fs_context_dup), 4602 LSM_HOOK_INIT(fs_context_parse_param, smack_fs_context_parse_param), 4603 4604 LSM_HOOK_INIT(sb_alloc_security, smack_sb_alloc_security), 4605 LSM_HOOK_INIT(sb_free_security, smack_sb_free_security), 4606 LSM_HOOK_INIT(sb_free_mnt_opts, smack_free_mnt_opts), 4607 LSM_HOOK_INIT(sb_eat_lsm_opts, smack_sb_eat_lsm_opts), 4608 LSM_HOOK_INIT(sb_statfs, smack_sb_statfs), 4609 LSM_HOOK_INIT(sb_set_mnt_opts, smack_set_mnt_opts), 4610 4611 LSM_HOOK_INIT(bprm_set_creds, smack_bprm_set_creds), 4612 4613 LSM_HOOK_INIT(inode_alloc_security, smack_inode_alloc_security), 4614 LSM_HOOK_INIT(inode_init_security, smack_inode_init_security), 4615 LSM_HOOK_INIT(inode_link, smack_inode_link), 4616 LSM_HOOK_INIT(inode_unlink, smack_inode_unlink), 4617 LSM_HOOK_INIT(inode_rmdir, smack_inode_rmdir), 4618 LSM_HOOK_INIT(inode_rename, smack_inode_rename), 4619 LSM_HOOK_INIT(inode_permission, smack_inode_permission), 4620 LSM_HOOK_INIT(inode_setattr, smack_inode_setattr), 4621 LSM_HOOK_INIT(inode_getattr, smack_inode_getattr), 4622 LSM_HOOK_INIT(inode_setxattr, smack_inode_setxattr), 4623 LSM_HOOK_INIT(inode_post_setxattr, smack_inode_post_setxattr), 4624 LSM_HOOK_INIT(inode_getxattr, smack_inode_getxattr), 4625 LSM_HOOK_INIT(inode_removexattr, smack_inode_removexattr), 4626 LSM_HOOK_INIT(inode_getsecurity, smack_inode_getsecurity), 4627 LSM_HOOK_INIT(inode_setsecurity, smack_inode_setsecurity), 4628 LSM_HOOK_INIT(inode_listsecurity, smack_inode_listsecurity), 4629 LSM_HOOK_INIT(inode_getsecid, smack_inode_getsecid), 4630 4631 LSM_HOOK_INIT(file_alloc_security, smack_file_alloc_security), 4632 LSM_HOOK_INIT(file_ioctl, smack_file_ioctl), 4633 LSM_HOOK_INIT(file_lock, smack_file_lock), 4634 LSM_HOOK_INIT(file_fcntl, smack_file_fcntl), 4635 LSM_HOOK_INIT(mmap_file, smack_mmap_file), 4636 LSM_HOOK_INIT(mmap_addr, cap_mmap_addr), 4637 LSM_HOOK_INIT(file_set_fowner, smack_file_set_fowner), 4638 LSM_HOOK_INIT(file_send_sigiotask, smack_file_send_sigiotask), 4639 LSM_HOOK_INIT(file_receive, smack_file_receive), 4640 4641 LSM_HOOK_INIT(file_open, smack_file_open), 4642 4643 LSM_HOOK_INIT(cred_alloc_blank, smack_cred_alloc_blank), 4644 LSM_HOOK_INIT(cred_free, smack_cred_free), 4645 LSM_HOOK_INIT(cred_prepare, smack_cred_prepare), 4646 LSM_HOOK_INIT(cred_transfer, smack_cred_transfer), 4647 LSM_HOOK_INIT(cred_getsecid, smack_cred_getsecid), 4648 LSM_HOOK_INIT(kernel_act_as, smack_kernel_act_as), 4649 LSM_HOOK_INIT(kernel_create_files_as, smack_kernel_create_files_as), 4650 LSM_HOOK_INIT(task_setpgid, smack_task_setpgid), 4651 LSM_HOOK_INIT(task_getpgid, smack_task_getpgid), 4652 LSM_HOOK_INIT(task_getsid, smack_task_getsid), 4653 LSM_HOOK_INIT(task_getsecid, smack_task_getsecid), 4654 LSM_HOOK_INIT(task_setnice, smack_task_setnice), 4655 LSM_HOOK_INIT(task_setioprio, smack_task_setioprio), 4656 LSM_HOOK_INIT(task_getioprio, smack_task_getioprio), 4657 LSM_HOOK_INIT(task_setscheduler, smack_task_setscheduler), 4658 LSM_HOOK_INIT(task_getscheduler, smack_task_getscheduler), 4659 LSM_HOOK_INIT(task_movememory, smack_task_movememory), 4660 LSM_HOOK_INIT(task_kill, smack_task_kill), 4661 LSM_HOOK_INIT(task_to_inode, smack_task_to_inode), 4662 4663 LSM_HOOK_INIT(ipc_permission, smack_ipc_permission), 4664 LSM_HOOK_INIT(ipc_getsecid, smack_ipc_getsecid), 4665 4666 LSM_HOOK_INIT(msg_msg_alloc_security, smack_msg_msg_alloc_security), 4667 4668 LSM_HOOK_INIT(msg_queue_alloc_security, smack_ipc_alloc_security), 4669 LSM_HOOK_INIT(msg_queue_associate, smack_msg_queue_associate), 4670 LSM_HOOK_INIT(msg_queue_msgctl, smack_msg_queue_msgctl), 4671 LSM_HOOK_INIT(msg_queue_msgsnd, smack_msg_queue_msgsnd), 4672 LSM_HOOK_INIT(msg_queue_msgrcv, smack_msg_queue_msgrcv), 4673 4674 LSM_HOOK_INIT(shm_alloc_security, smack_ipc_alloc_security), 4675 LSM_HOOK_INIT(shm_associate, smack_shm_associate), 4676 LSM_HOOK_INIT(shm_shmctl, smack_shm_shmctl), 4677 LSM_HOOK_INIT(shm_shmat, smack_shm_shmat), 4678 4679 LSM_HOOK_INIT(sem_alloc_security, smack_ipc_alloc_security), 4680 LSM_HOOK_INIT(sem_associate, smack_sem_associate), 4681 LSM_HOOK_INIT(sem_semctl, smack_sem_semctl), 4682 LSM_HOOK_INIT(sem_semop, smack_sem_semop), 4683 4684 LSM_HOOK_INIT(d_instantiate, smack_d_instantiate), 4685 4686 LSM_HOOK_INIT(getprocattr, smack_getprocattr), 4687 LSM_HOOK_INIT(setprocattr, smack_setprocattr), 4688 4689 LSM_HOOK_INIT(unix_stream_connect, smack_unix_stream_connect), 4690 LSM_HOOK_INIT(unix_may_send, smack_unix_may_send), 4691 4692 LSM_HOOK_INIT(socket_post_create, smack_socket_post_create), 4693 LSM_HOOK_INIT(socket_socketpair, smack_socket_socketpair), 4694 #ifdef SMACK_IPV6_PORT_LABELING 4695 LSM_HOOK_INIT(socket_bind, smack_socket_bind), 4696 #endif 4697 LSM_HOOK_INIT(socket_connect, smack_socket_connect), 4698 LSM_HOOK_INIT(socket_sendmsg, smack_socket_sendmsg), 4699 LSM_HOOK_INIT(socket_sock_rcv_skb, smack_socket_sock_rcv_skb), 4700 LSM_HOOK_INIT(socket_getpeersec_stream, smack_socket_getpeersec_stream), 4701 LSM_HOOK_INIT(socket_getpeersec_dgram, smack_socket_getpeersec_dgram), 4702 LSM_HOOK_INIT(sk_alloc_security, smack_sk_alloc_security), 4703 LSM_HOOK_INIT(sk_free_security, smack_sk_free_security), 4704 LSM_HOOK_INIT(sock_graft, smack_sock_graft), 4705 LSM_HOOK_INIT(inet_conn_request, smack_inet_conn_request), 4706 LSM_HOOK_INIT(inet_csk_clone, smack_inet_csk_clone), 4707 4708 /* key management security hooks */ 4709 #ifdef CONFIG_KEYS 4710 LSM_HOOK_INIT(key_alloc, smack_key_alloc), 4711 LSM_HOOK_INIT(key_free, smack_key_free), 4712 LSM_HOOK_INIT(key_permission, smack_key_permission), 4713 LSM_HOOK_INIT(key_getsecurity, smack_key_getsecurity), 4714 #endif /* CONFIG_KEYS */ 4715 4716 /* Audit hooks */ 4717 #ifdef CONFIG_AUDIT 4718 LSM_HOOK_INIT(audit_rule_init, smack_audit_rule_init), 4719 LSM_HOOK_INIT(audit_rule_known, smack_audit_rule_known), 4720 LSM_HOOK_INIT(audit_rule_match, smack_audit_rule_match), 4721 #endif /* CONFIG_AUDIT */ 4722 4723 LSM_HOOK_INIT(ismaclabel, smack_ismaclabel), 4724 LSM_HOOK_INIT(secid_to_secctx, smack_secid_to_secctx), 4725 LSM_HOOK_INIT(secctx_to_secid, smack_secctx_to_secid), 4726 LSM_HOOK_INIT(inode_notifysecctx, smack_inode_notifysecctx), 4727 LSM_HOOK_INIT(inode_setsecctx, smack_inode_setsecctx), 4728 LSM_HOOK_INIT(inode_getsecctx, smack_inode_getsecctx), 4729 LSM_HOOK_INIT(inode_copy_up, smack_inode_copy_up), 4730 LSM_HOOK_INIT(inode_copy_up_xattr, smack_inode_copy_up_xattr), 4731 LSM_HOOK_INIT(dentry_create_files_as, smack_dentry_create_files_as), 4732 }; 4733 4734 4735 static __init void init_smack_known_list(void) 4736 { 4737 /* 4738 * Initialize rule list locks 4739 */ 4740 mutex_init(&smack_known_huh.smk_rules_lock); 4741 mutex_init(&smack_known_hat.smk_rules_lock); 4742 mutex_init(&smack_known_floor.smk_rules_lock); 4743 mutex_init(&smack_known_star.smk_rules_lock); 4744 mutex_init(&smack_known_web.smk_rules_lock); 4745 /* 4746 * Initialize rule lists 4747 */ 4748 INIT_LIST_HEAD(&smack_known_huh.smk_rules); 4749 INIT_LIST_HEAD(&smack_known_hat.smk_rules); 4750 INIT_LIST_HEAD(&smack_known_star.smk_rules); 4751 INIT_LIST_HEAD(&smack_known_floor.smk_rules); 4752 INIT_LIST_HEAD(&smack_known_web.smk_rules); 4753 /* 4754 * Create the known labels list 4755 */ 4756 smk_insert_entry(&smack_known_huh); 4757 smk_insert_entry(&smack_known_hat); 4758 smk_insert_entry(&smack_known_star); 4759 smk_insert_entry(&smack_known_floor); 4760 smk_insert_entry(&smack_known_web); 4761 } 4762 4763 /** 4764 * smack_init - initialize the smack system 4765 * 4766 * Returns 0 4767 */ 4768 static __init int smack_init(void) 4769 { 4770 struct cred *cred = (struct cred *) current->cred; 4771 struct task_smack *tsp; 4772 4773 smack_inode_cache = KMEM_CACHE(inode_smack, 0); 4774 if (!smack_inode_cache) 4775 return -ENOMEM; 4776 4777 smack_rule_cache = KMEM_CACHE(smack_rule, 0); 4778 if (!smack_rule_cache) { 4779 kmem_cache_destroy(smack_inode_cache); 4780 return -ENOMEM; 4781 } 4782 4783 /* 4784 * Set the security state for the initial task. 4785 */ 4786 tsp = smack_cred(cred); 4787 init_task_smack(tsp, &smack_known_floor, &smack_known_floor); 4788 4789 /* 4790 * Register with LSM 4791 */ 4792 security_add_hooks(smack_hooks, ARRAY_SIZE(smack_hooks), "smack"); 4793 smack_enabled = 1; 4794 4795 pr_info("Smack: Initializing.\n"); 4796 #ifdef CONFIG_SECURITY_SMACK_NETFILTER 4797 pr_info("Smack: Netfilter enabled.\n"); 4798 #endif 4799 #ifdef SMACK_IPV6_PORT_LABELING 4800 pr_info("Smack: IPv6 port labeling enabled.\n"); 4801 #endif 4802 #ifdef SMACK_IPV6_SECMARK_LABELING 4803 pr_info("Smack: IPv6 Netfilter enabled.\n"); 4804 #endif 4805 4806 /* initialize the smack_known_list */ 4807 init_smack_known_list(); 4808 4809 return 0; 4810 } 4811 4812 /* 4813 * Smack requires early initialization in order to label 4814 * all processes and objects when they are created. 4815 */ 4816 DEFINE_LSM(smack) = { 4817 .name = "smack", 4818 .flags = LSM_FLAG_LEGACY_MAJOR | LSM_FLAG_EXCLUSIVE, 4819 .blobs = &smack_blob_sizes, 4820 .init = smack_init, 4821 }; 4822