1 /* 2 * Simplified MAC Kernel (smack) security module 3 * 4 * This file contains the smack hook function implementations. 5 * 6 * Authors: 7 * Casey Schaufler <casey@schaufler-ca.com> 8 * Jarkko Sakkinen <jarkko.sakkinen@intel.com> 9 * 10 * Copyright (C) 2007 Casey Schaufler <casey@schaufler-ca.com> 11 * Copyright (C) 2009 Hewlett-Packard Development Company, L.P. 12 * Paul Moore <paul@paul-moore.com> 13 * Copyright (C) 2010 Nokia Corporation 14 * Copyright (C) 2011 Intel Corporation. 15 * 16 * This program is free software; you can redistribute it and/or modify 17 * it under the terms of the GNU General Public License version 2, 18 * as published by the Free Software Foundation. 19 */ 20 21 #include <linux/xattr.h> 22 #include <linux/pagemap.h> 23 #include <linux/mount.h> 24 #include <linux/stat.h> 25 #include <linux/kd.h> 26 #include <asm/ioctls.h> 27 #include <linux/ip.h> 28 #include <linux/tcp.h> 29 #include <linux/udp.h> 30 #include <linux/dccp.h> 31 #include <linux/icmpv6.h> 32 #include <linux/slab.h> 33 #include <linux/mutex.h> 34 #include <linux/pipe_fs_i.h> 35 #include <net/cipso_ipv4.h> 36 #include <net/ip.h> 37 #include <net/ipv6.h> 38 #include <linux/audit.h> 39 #include <linux/magic.h> 40 #include <linux/dcache.h> 41 #include <linux/personality.h> 42 #include <linux/msg.h> 43 #include <linux/shm.h> 44 #include <linux/binfmts.h> 45 #include <linux/parser.h> 46 #include <linux/fs_context.h> 47 #include <linux/fs_parser.h> 48 #include "smack.h" 49 50 #define TRANS_TRUE "TRUE" 51 #define TRANS_TRUE_SIZE 4 52 53 #define SMK_CONNECTING 0 54 #define SMK_RECEIVING 1 55 #define SMK_SENDING 2 56 57 #ifdef SMACK_IPV6_PORT_LABELING 58 DEFINE_MUTEX(smack_ipv6_lock); 59 static LIST_HEAD(smk_ipv6_port_list); 60 #endif 61 static struct kmem_cache *smack_inode_cache; 62 int smack_enabled; 63 64 #define A(s) {"smack"#s, sizeof("smack"#s) - 1, Opt_##s} 65 static struct { 66 const char *name; 67 int len; 68 int opt; 69 } smk_mount_opts[] = { 70 A(fsdefault), A(fsfloor), A(fshat), A(fsroot), A(fstransmute) 71 }; 72 #undef A 73 74 static int match_opt_prefix(char *s, int l, char **arg) 75 { 76 int i; 77 78 for (i = 0; i < ARRAY_SIZE(smk_mount_opts); i++) { 79 size_t len = smk_mount_opts[i].len; 80 if (len > l || memcmp(s, smk_mount_opts[i].name, len)) 81 continue; 82 if (len == l || s[len] != '=') 83 continue; 84 *arg = s + len + 1; 85 return smk_mount_opts[i].opt; 86 } 87 return Opt_error; 88 } 89 90 #ifdef CONFIG_SECURITY_SMACK_BRINGUP 91 static char *smk_bu_mess[] = { 92 "Bringup Error", /* Unused */ 93 "Bringup", /* SMACK_BRINGUP_ALLOW */ 94 "Unconfined Subject", /* SMACK_UNCONFINED_SUBJECT */ 95 "Unconfined Object", /* SMACK_UNCONFINED_OBJECT */ 96 }; 97 98 static void smk_bu_mode(int mode, char *s) 99 { 100 int i = 0; 101 102 if (mode & MAY_READ) 103 s[i++] = 'r'; 104 if (mode & MAY_WRITE) 105 s[i++] = 'w'; 106 if (mode & MAY_EXEC) 107 s[i++] = 'x'; 108 if (mode & MAY_APPEND) 109 s[i++] = 'a'; 110 if (mode & MAY_TRANSMUTE) 111 s[i++] = 't'; 112 if (mode & MAY_LOCK) 113 s[i++] = 'l'; 114 if (i == 0) 115 s[i++] = '-'; 116 s[i] = '\0'; 117 } 118 #endif 119 120 #ifdef CONFIG_SECURITY_SMACK_BRINGUP 121 static int smk_bu_note(char *note, struct smack_known *sskp, 122 struct smack_known *oskp, int mode, int rc) 123 { 124 char acc[SMK_NUM_ACCESS_TYPE + 1]; 125 126 if (rc <= 0) 127 return rc; 128 if (rc > SMACK_UNCONFINED_OBJECT) 129 rc = 0; 130 131 smk_bu_mode(mode, acc); 132 pr_info("Smack %s: (%s %s %s) %s\n", smk_bu_mess[rc], 133 sskp->smk_known, oskp->smk_known, acc, note); 134 return 0; 135 } 136 #else 137 #define smk_bu_note(note, sskp, oskp, mode, RC) (RC) 138 #endif 139 140 #ifdef CONFIG_SECURITY_SMACK_BRINGUP 141 static int smk_bu_current(char *note, struct smack_known *oskp, 142 int mode, int rc) 143 { 144 struct task_smack *tsp = smack_cred(current_cred()); 145 char acc[SMK_NUM_ACCESS_TYPE + 1]; 146 147 if (rc <= 0) 148 return rc; 149 if (rc > SMACK_UNCONFINED_OBJECT) 150 rc = 0; 151 152 smk_bu_mode(mode, acc); 153 pr_info("Smack %s: (%s %s %s) %s %s\n", smk_bu_mess[rc], 154 tsp->smk_task->smk_known, oskp->smk_known, 155 acc, current->comm, note); 156 return 0; 157 } 158 #else 159 #define smk_bu_current(note, oskp, mode, RC) (RC) 160 #endif 161 162 #ifdef CONFIG_SECURITY_SMACK_BRINGUP 163 static int smk_bu_task(struct task_struct *otp, int mode, int rc) 164 { 165 struct task_smack *tsp = smack_cred(current_cred()); 166 struct smack_known *smk_task = smk_of_task_struct(otp); 167 char acc[SMK_NUM_ACCESS_TYPE + 1]; 168 169 if (rc <= 0) 170 return rc; 171 if (rc > SMACK_UNCONFINED_OBJECT) 172 rc = 0; 173 174 smk_bu_mode(mode, acc); 175 pr_info("Smack %s: (%s %s %s) %s to %s\n", smk_bu_mess[rc], 176 tsp->smk_task->smk_known, smk_task->smk_known, acc, 177 current->comm, otp->comm); 178 return 0; 179 } 180 #else 181 #define smk_bu_task(otp, mode, RC) (RC) 182 #endif 183 184 #ifdef CONFIG_SECURITY_SMACK_BRINGUP 185 static int smk_bu_inode(struct inode *inode, int mode, int rc) 186 { 187 struct task_smack *tsp = smack_cred(current_cred()); 188 struct inode_smack *isp = smack_inode(inode); 189 char acc[SMK_NUM_ACCESS_TYPE + 1]; 190 191 if (isp->smk_flags & SMK_INODE_IMPURE) 192 pr_info("Smack Unconfined Corruption: inode=(%s %ld) %s\n", 193 inode->i_sb->s_id, inode->i_ino, current->comm); 194 195 if (rc <= 0) 196 return rc; 197 if (rc > SMACK_UNCONFINED_OBJECT) 198 rc = 0; 199 if (rc == SMACK_UNCONFINED_SUBJECT && 200 (mode & (MAY_WRITE | MAY_APPEND))) 201 isp->smk_flags |= SMK_INODE_IMPURE; 202 203 smk_bu_mode(mode, acc); 204 205 pr_info("Smack %s: (%s %s %s) inode=(%s %ld) %s\n", smk_bu_mess[rc], 206 tsp->smk_task->smk_known, isp->smk_inode->smk_known, acc, 207 inode->i_sb->s_id, inode->i_ino, current->comm); 208 return 0; 209 } 210 #else 211 #define smk_bu_inode(inode, mode, RC) (RC) 212 #endif 213 214 #ifdef CONFIG_SECURITY_SMACK_BRINGUP 215 static int smk_bu_file(struct file *file, int mode, int rc) 216 { 217 struct task_smack *tsp = smack_cred(current_cred()); 218 struct smack_known *sskp = tsp->smk_task; 219 struct inode *inode = file_inode(file); 220 struct inode_smack *isp = smack_inode(inode); 221 char acc[SMK_NUM_ACCESS_TYPE + 1]; 222 223 if (isp->smk_flags & SMK_INODE_IMPURE) 224 pr_info("Smack Unconfined Corruption: inode=(%s %ld) %s\n", 225 inode->i_sb->s_id, inode->i_ino, current->comm); 226 227 if (rc <= 0) 228 return rc; 229 if (rc > SMACK_UNCONFINED_OBJECT) 230 rc = 0; 231 232 smk_bu_mode(mode, acc); 233 pr_info("Smack %s: (%s %s %s) file=(%s %ld %pD) %s\n", smk_bu_mess[rc], 234 sskp->smk_known, smk_of_inode(inode)->smk_known, acc, 235 inode->i_sb->s_id, inode->i_ino, file, 236 current->comm); 237 return 0; 238 } 239 #else 240 #define smk_bu_file(file, mode, RC) (RC) 241 #endif 242 243 #ifdef CONFIG_SECURITY_SMACK_BRINGUP 244 static int smk_bu_credfile(const struct cred *cred, struct file *file, 245 int mode, int rc) 246 { 247 struct task_smack *tsp = smack_cred(cred); 248 struct smack_known *sskp = tsp->smk_task; 249 struct inode *inode = file_inode(file); 250 struct inode_smack *isp = smack_inode(inode); 251 char acc[SMK_NUM_ACCESS_TYPE + 1]; 252 253 if (isp->smk_flags & SMK_INODE_IMPURE) 254 pr_info("Smack Unconfined Corruption: inode=(%s %ld) %s\n", 255 inode->i_sb->s_id, inode->i_ino, current->comm); 256 257 if (rc <= 0) 258 return rc; 259 if (rc > SMACK_UNCONFINED_OBJECT) 260 rc = 0; 261 262 smk_bu_mode(mode, acc); 263 pr_info("Smack %s: (%s %s %s) file=(%s %ld %pD) %s\n", smk_bu_mess[rc], 264 sskp->smk_known, smk_of_inode(inode)->smk_known, acc, 265 inode->i_sb->s_id, inode->i_ino, file, 266 current->comm); 267 return 0; 268 } 269 #else 270 #define smk_bu_credfile(cred, file, mode, RC) (RC) 271 #endif 272 273 /** 274 * smk_fetch - Fetch the smack label from a file. 275 * @name: type of the label (attribute) 276 * @ip: a pointer to the inode 277 * @dp: a pointer to the dentry 278 * 279 * Returns a pointer to the master list entry for the Smack label, 280 * NULL if there was no label to fetch, or an error code. 281 */ 282 static struct smack_known *smk_fetch(const char *name, struct inode *ip, 283 struct dentry *dp) 284 { 285 int rc; 286 char *buffer; 287 struct smack_known *skp = NULL; 288 289 if (!(ip->i_opflags & IOP_XATTR)) 290 return ERR_PTR(-EOPNOTSUPP); 291 292 buffer = kzalloc(SMK_LONGLABEL, GFP_KERNEL); 293 if (buffer == NULL) 294 return ERR_PTR(-ENOMEM); 295 296 rc = __vfs_getxattr(dp, ip, name, buffer, SMK_LONGLABEL); 297 if (rc < 0) 298 skp = ERR_PTR(rc); 299 else if (rc == 0) 300 skp = NULL; 301 else 302 skp = smk_import_entry(buffer, rc); 303 304 kfree(buffer); 305 306 return skp; 307 } 308 309 /** 310 * init_inode_smack - initialize an inode security blob 311 * @isp: the blob to initialize 312 * @skp: a pointer to the Smack label entry to use in the blob 313 * 314 */ 315 static void init_inode_smack(struct inode *inode, struct smack_known *skp) 316 { 317 struct inode_smack *isp = smack_inode(inode); 318 319 isp->smk_inode = skp; 320 isp->smk_flags = 0; 321 mutex_init(&isp->smk_lock); 322 } 323 324 /** 325 * init_task_smack - initialize a task security blob 326 * @tsp: blob to initialize 327 * @task: a pointer to the Smack label for the running task 328 * @forked: a pointer to the Smack label for the forked task 329 * 330 */ 331 static void init_task_smack(struct task_smack *tsp, struct smack_known *task, 332 struct smack_known *forked) 333 { 334 tsp->smk_task = task; 335 tsp->smk_forked = forked; 336 INIT_LIST_HEAD(&tsp->smk_rules); 337 INIT_LIST_HEAD(&tsp->smk_relabel); 338 mutex_init(&tsp->smk_rules_lock); 339 } 340 341 /** 342 * smk_copy_rules - copy a rule set 343 * @nhead: new rules header pointer 344 * @ohead: old rules header pointer 345 * @gfp: type of the memory for the allocation 346 * 347 * Returns 0 on success, -ENOMEM on error 348 */ 349 static int smk_copy_rules(struct list_head *nhead, struct list_head *ohead, 350 gfp_t gfp) 351 { 352 struct smack_rule *nrp; 353 struct smack_rule *orp; 354 int rc = 0; 355 356 list_for_each_entry_rcu(orp, ohead, list) { 357 nrp = kzalloc(sizeof(struct smack_rule), gfp); 358 if (nrp == NULL) { 359 rc = -ENOMEM; 360 break; 361 } 362 *nrp = *orp; 363 list_add_rcu(&nrp->list, nhead); 364 } 365 return rc; 366 } 367 368 /** 369 * smk_copy_relabel - copy smk_relabel labels list 370 * @nhead: new rules header pointer 371 * @ohead: old rules header pointer 372 * @gfp: type of the memory for the allocation 373 * 374 * Returns 0 on success, -ENOMEM on error 375 */ 376 static int smk_copy_relabel(struct list_head *nhead, struct list_head *ohead, 377 gfp_t gfp) 378 { 379 struct smack_known_list_elem *nklep; 380 struct smack_known_list_elem *oklep; 381 382 list_for_each_entry(oklep, ohead, list) { 383 nklep = kzalloc(sizeof(struct smack_known_list_elem), gfp); 384 if (nklep == NULL) { 385 smk_destroy_label_list(nhead); 386 return -ENOMEM; 387 } 388 nklep->smk_label = oklep->smk_label; 389 list_add(&nklep->list, nhead); 390 } 391 392 return 0; 393 } 394 395 /** 396 * smk_ptrace_mode - helper function for converting PTRACE_MODE_* into MAY_* 397 * @mode - input mode in form of PTRACE_MODE_* 398 * 399 * Returns a converted MAY_* mode usable by smack rules 400 */ 401 static inline unsigned int smk_ptrace_mode(unsigned int mode) 402 { 403 if (mode & PTRACE_MODE_ATTACH) 404 return MAY_READWRITE; 405 if (mode & PTRACE_MODE_READ) 406 return MAY_READ; 407 408 return 0; 409 } 410 411 /** 412 * smk_ptrace_rule_check - helper for ptrace access 413 * @tracer: tracer process 414 * @tracee_known: label entry of the process that's about to be traced 415 * @mode: ptrace attachment mode (PTRACE_MODE_*) 416 * @func: name of the function that called us, used for audit 417 * 418 * Returns 0 on access granted, -error on error 419 */ 420 static int smk_ptrace_rule_check(struct task_struct *tracer, 421 struct smack_known *tracee_known, 422 unsigned int mode, const char *func) 423 { 424 int rc; 425 struct smk_audit_info ad, *saip = NULL; 426 struct task_smack *tsp; 427 struct smack_known *tracer_known; 428 const struct cred *tracercred; 429 430 if ((mode & PTRACE_MODE_NOAUDIT) == 0) { 431 smk_ad_init(&ad, func, LSM_AUDIT_DATA_TASK); 432 smk_ad_setfield_u_tsk(&ad, tracer); 433 saip = &ad; 434 } 435 436 rcu_read_lock(); 437 tracercred = __task_cred(tracer); 438 tsp = smack_cred(tracercred); 439 tracer_known = smk_of_task(tsp); 440 441 if ((mode & PTRACE_MODE_ATTACH) && 442 (smack_ptrace_rule == SMACK_PTRACE_EXACT || 443 smack_ptrace_rule == SMACK_PTRACE_DRACONIAN)) { 444 if (tracer_known->smk_known == tracee_known->smk_known) 445 rc = 0; 446 else if (smack_ptrace_rule == SMACK_PTRACE_DRACONIAN) 447 rc = -EACCES; 448 else if (smack_privileged_cred(CAP_SYS_PTRACE, tracercred)) 449 rc = 0; 450 else 451 rc = -EACCES; 452 453 if (saip) 454 smack_log(tracer_known->smk_known, 455 tracee_known->smk_known, 456 0, rc, saip); 457 458 rcu_read_unlock(); 459 return rc; 460 } 461 462 /* In case of rule==SMACK_PTRACE_DEFAULT or mode==PTRACE_MODE_READ */ 463 rc = smk_tskacc(tsp, tracee_known, smk_ptrace_mode(mode), saip); 464 465 rcu_read_unlock(); 466 return rc; 467 } 468 469 /* 470 * LSM hooks. 471 * We he, that is fun! 472 */ 473 474 /** 475 * smack_ptrace_access_check - Smack approval on PTRACE_ATTACH 476 * @ctp: child task pointer 477 * @mode: ptrace attachment mode (PTRACE_MODE_*) 478 * 479 * Returns 0 if access is OK, an error code otherwise 480 * 481 * Do the capability checks. 482 */ 483 static int smack_ptrace_access_check(struct task_struct *ctp, unsigned int mode) 484 { 485 struct smack_known *skp; 486 487 skp = smk_of_task_struct(ctp); 488 489 return smk_ptrace_rule_check(current, skp, mode, __func__); 490 } 491 492 /** 493 * smack_ptrace_traceme - Smack approval on PTRACE_TRACEME 494 * @ptp: parent task pointer 495 * 496 * Returns 0 if access is OK, an error code otherwise 497 * 498 * Do the capability checks, and require PTRACE_MODE_ATTACH. 499 */ 500 static int smack_ptrace_traceme(struct task_struct *ptp) 501 { 502 int rc; 503 struct smack_known *skp; 504 505 skp = smk_of_task(smack_cred(current_cred())); 506 507 rc = smk_ptrace_rule_check(ptp, skp, PTRACE_MODE_ATTACH, __func__); 508 return rc; 509 } 510 511 /** 512 * smack_syslog - Smack approval on syslog 513 * @type: message type 514 * 515 * Returns 0 on success, error code otherwise. 516 */ 517 static int smack_syslog(int typefrom_file) 518 { 519 int rc = 0; 520 struct smack_known *skp = smk_of_current(); 521 522 if (smack_privileged(CAP_MAC_OVERRIDE)) 523 return 0; 524 525 if (smack_syslog_label != NULL && smack_syslog_label != skp) 526 rc = -EACCES; 527 528 return rc; 529 } 530 531 /* 532 * Superblock Hooks. 533 */ 534 535 /** 536 * smack_sb_alloc_security - allocate a superblock blob 537 * @sb: the superblock getting the blob 538 * 539 * Returns 0 on success or -ENOMEM on error. 540 */ 541 static int smack_sb_alloc_security(struct super_block *sb) 542 { 543 struct superblock_smack *sbsp; 544 545 sbsp = kzalloc(sizeof(struct superblock_smack), GFP_KERNEL); 546 547 if (sbsp == NULL) 548 return -ENOMEM; 549 550 sbsp->smk_root = &smack_known_floor; 551 sbsp->smk_default = &smack_known_floor; 552 sbsp->smk_floor = &smack_known_floor; 553 sbsp->smk_hat = &smack_known_hat; 554 /* 555 * SMK_SB_INITIALIZED will be zero from kzalloc. 556 */ 557 sb->s_security = sbsp; 558 559 return 0; 560 } 561 562 /** 563 * smack_sb_free_security - free a superblock blob 564 * @sb: the superblock getting the blob 565 * 566 */ 567 static void smack_sb_free_security(struct super_block *sb) 568 { 569 kfree(sb->s_security); 570 sb->s_security = NULL; 571 } 572 573 struct smack_mnt_opts { 574 const char *fsdefault, *fsfloor, *fshat, *fsroot, *fstransmute; 575 }; 576 577 static void smack_free_mnt_opts(void *mnt_opts) 578 { 579 struct smack_mnt_opts *opts = mnt_opts; 580 kfree(opts->fsdefault); 581 kfree(opts->fsfloor); 582 kfree(opts->fshat); 583 kfree(opts->fsroot); 584 kfree(opts->fstransmute); 585 kfree(opts); 586 } 587 588 static int smack_add_opt(int token, const char *s, void **mnt_opts) 589 { 590 struct smack_mnt_opts *opts = *mnt_opts; 591 592 if (!opts) { 593 opts = kzalloc(sizeof(struct smack_mnt_opts), GFP_KERNEL); 594 if (!opts) 595 return -ENOMEM; 596 *mnt_opts = opts; 597 } 598 if (!s) 599 return -ENOMEM; 600 601 switch (token) { 602 case Opt_fsdefault: 603 if (opts->fsdefault) 604 goto out_opt_err; 605 opts->fsdefault = s; 606 break; 607 case Opt_fsfloor: 608 if (opts->fsfloor) 609 goto out_opt_err; 610 opts->fsfloor = s; 611 break; 612 case Opt_fshat: 613 if (opts->fshat) 614 goto out_opt_err; 615 opts->fshat = s; 616 break; 617 case Opt_fsroot: 618 if (opts->fsroot) 619 goto out_opt_err; 620 opts->fsroot = s; 621 break; 622 case Opt_fstransmute: 623 if (opts->fstransmute) 624 goto out_opt_err; 625 opts->fstransmute = s; 626 break; 627 } 628 return 0; 629 630 out_opt_err: 631 pr_warn("Smack: duplicate mount options\n"); 632 return -EINVAL; 633 } 634 635 /** 636 * smack_fs_context_dup - Duplicate the security data on fs_context duplication 637 * @fc: The new filesystem context. 638 * @src_fc: The source filesystem context being duplicated. 639 * 640 * Returns 0 on success or -ENOMEM on error. 641 */ 642 static int smack_fs_context_dup(struct fs_context *fc, 643 struct fs_context *src_fc) 644 { 645 struct smack_mnt_opts *dst, *src = src_fc->security; 646 647 if (!src) 648 return 0; 649 650 fc->security = kzalloc(sizeof(struct smack_mnt_opts), GFP_KERNEL); 651 if (!fc->security) 652 return -ENOMEM; 653 dst = fc->security; 654 655 if (src->fsdefault) { 656 dst->fsdefault = kstrdup(src->fsdefault, GFP_KERNEL); 657 if (!dst->fsdefault) 658 return -ENOMEM; 659 } 660 if (src->fsfloor) { 661 dst->fsfloor = kstrdup(src->fsfloor, GFP_KERNEL); 662 if (!dst->fsfloor) 663 return -ENOMEM; 664 } 665 if (src->fshat) { 666 dst->fshat = kstrdup(src->fshat, GFP_KERNEL); 667 if (!dst->fshat) 668 return -ENOMEM; 669 } 670 if (src->fsroot) { 671 dst->fsroot = kstrdup(src->fsroot, GFP_KERNEL); 672 if (!dst->fsroot) 673 return -ENOMEM; 674 } 675 if (src->fstransmute) { 676 dst->fstransmute = kstrdup(src->fstransmute, GFP_KERNEL); 677 if (!dst->fstransmute) 678 return -ENOMEM; 679 } 680 return 0; 681 } 682 683 static const struct fs_parameter_spec smack_param_specs[] = { 684 fsparam_string("fsdefault", Opt_fsdefault), 685 fsparam_string("fsfloor", Opt_fsfloor), 686 fsparam_string("fshat", Opt_fshat), 687 fsparam_string("fsroot", Opt_fsroot), 688 fsparam_string("fstransmute", Opt_fstransmute), 689 {} 690 }; 691 692 static const struct fs_parameter_description smack_fs_parameters = { 693 .name = "smack", 694 .specs = smack_param_specs, 695 }; 696 697 /** 698 * smack_fs_context_parse_param - Parse a single mount parameter 699 * @fc: The new filesystem context being constructed. 700 * @param: The parameter. 701 * 702 * Returns 0 on success, -ENOPARAM to pass the parameter on or anything else on 703 * error. 704 */ 705 static int smack_fs_context_parse_param(struct fs_context *fc, 706 struct fs_parameter *param) 707 { 708 struct fs_parse_result result; 709 int opt, rc; 710 711 opt = fs_parse(fc, &smack_fs_parameters, param, &result); 712 if (opt < 0) 713 return opt; 714 715 rc = smack_add_opt(opt, param->string, &fc->security); 716 if (!rc) 717 param->string = NULL; 718 return rc; 719 } 720 721 static int smack_sb_eat_lsm_opts(char *options, void **mnt_opts) 722 { 723 char *from = options, *to = options; 724 bool first = true; 725 726 while (1) { 727 char *next = strchr(from, ','); 728 int token, len, rc; 729 char *arg = NULL; 730 731 if (next) 732 len = next - from; 733 else 734 len = strlen(from); 735 736 token = match_opt_prefix(from, len, &arg); 737 if (token != Opt_error) { 738 arg = kmemdup_nul(arg, from + len - arg, GFP_KERNEL); 739 rc = smack_add_opt(token, arg, mnt_opts); 740 if (unlikely(rc)) { 741 kfree(arg); 742 if (*mnt_opts) 743 smack_free_mnt_opts(*mnt_opts); 744 *mnt_opts = NULL; 745 return rc; 746 } 747 } else { 748 if (!first) { // copy with preceding comma 749 from--; 750 len++; 751 } 752 if (to != from) 753 memmove(to, from, len); 754 to += len; 755 first = false; 756 } 757 if (!from[len]) 758 break; 759 from += len + 1; 760 } 761 *to = '\0'; 762 return 0; 763 } 764 765 /** 766 * smack_set_mnt_opts - set Smack specific mount options 767 * @sb: the file system superblock 768 * @opts: Smack mount options 769 * @kern_flags: mount option from kernel space or user space 770 * @set_kern_flags: where to store converted mount opts 771 * 772 * Returns 0 on success, an error code on failure 773 * 774 * Allow filesystems with binary mount data to explicitly set Smack mount 775 * labels. 776 */ 777 static int smack_set_mnt_opts(struct super_block *sb, 778 void *mnt_opts, 779 unsigned long kern_flags, 780 unsigned long *set_kern_flags) 781 { 782 struct dentry *root = sb->s_root; 783 struct inode *inode = d_backing_inode(root); 784 struct superblock_smack *sp = sb->s_security; 785 struct inode_smack *isp; 786 struct smack_known *skp; 787 struct smack_mnt_opts *opts = mnt_opts; 788 bool transmute = false; 789 790 if (sp->smk_flags & SMK_SB_INITIALIZED) 791 return 0; 792 793 if (inode->i_security == NULL) { 794 int rc = lsm_inode_alloc(inode); 795 796 if (rc) 797 return rc; 798 } 799 800 if (!smack_privileged(CAP_MAC_ADMIN)) { 801 /* 802 * Unprivileged mounts don't get to specify Smack values. 803 */ 804 if (opts) 805 return -EPERM; 806 /* 807 * Unprivileged mounts get root and default from the caller. 808 */ 809 skp = smk_of_current(); 810 sp->smk_root = skp; 811 sp->smk_default = skp; 812 /* 813 * For a handful of fs types with no user-controlled 814 * backing store it's okay to trust security labels 815 * in the filesystem. The rest are untrusted. 816 */ 817 if (sb->s_user_ns != &init_user_ns && 818 sb->s_magic != SYSFS_MAGIC && sb->s_magic != TMPFS_MAGIC && 819 sb->s_magic != RAMFS_MAGIC) { 820 transmute = true; 821 sp->smk_flags |= SMK_SB_UNTRUSTED; 822 } 823 } 824 825 sp->smk_flags |= SMK_SB_INITIALIZED; 826 827 if (opts) { 828 if (opts->fsdefault) { 829 skp = smk_import_entry(opts->fsdefault, 0); 830 if (IS_ERR(skp)) 831 return PTR_ERR(skp); 832 sp->smk_default = skp; 833 } 834 if (opts->fsfloor) { 835 skp = smk_import_entry(opts->fsfloor, 0); 836 if (IS_ERR(skp)) 837 return PTR_ERR(skp); 838 sp->smk_floor = skp; 839 } 840 if (opts->fshat) { 841 skp = smk_import_entry(opts->fshat, 0); 842 if (IS_ERR(skp)) 843 return PTR_ERR(skp); 844 sp->smk_hat = skp; 845 } 846 if (opts->fsroot) { 847 skp = smk_import_entry(opts->fsroot, 0); 848 if (IS_ERR(skp)) 849 return PTR_ERR(skp); 850 sp->smk_root = skp; 851 } 852 if (opts->fstransmute) { 853 skp = smk_import_entry(opts->fstransmute, 0); 854 if (IS_ERR(skp)) 855 return PTR_ERR(skp); 856 sp->smk_root = skp; 857 transmute = true; 858 } 859 } 860 861 /* 862 * Initialize the root inode. 863 */ 864 init_inode_smack(inode, sp->smk_root); 865 866 if (transmute) { 867 isp = smack_inode(inode); 868 isp->smk_flags |= SMK_INODE_TRANSMUTE; 869 } 870 871 return 0; 872 } 873 874 /** 875 * smack_sb_statfs - Smack check on statfs 876 * @dentry: identifies the file system in question 877 * 878 * Returns 0 if current can read the floor of the filesystem, 879 * and error code otherwise 880 */ 881 static int smack_sb_statfs(struct dentry *dentry) 882 { 883 struct superblock_smack *sbp = dentry->d_sb->s_security; 884 int rc; 885 struct smk_audit_info ad; 886 887 smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_DENTRY); 888 smk_ad_setfield_u_fs_path_dentry(&ad, dentry); 889 890 rc = smk_curacc(sbp->smk_floor, MAY_READ, &ad); 891 rc = smk_bu_current("statfs", sbp->smk_floor, MAY_READ, rc); 892 return rc; 893 } 894 895 /* 896 * BPRM hooks 897 */ 898 899 /** 900 * smack_bprm_set_creds - set creds for exec 901 * @bprm: the exec information 902 * 903 * Returns 0 if it gets a blob, -EPERM if exec forbidden and -ENOMEM otherwise 904 */ 905 static int smack_bprm_set_creds(struct linux_binprm *bprm) 906 { 907 struct inode *inode = file_inode(bprm->file); 908 struct task_smack *bsp = smack_cred(bprm->cred); 909 struct inode_smack *isp; 910 struct superblock_smack *sbsp; 911 int rc; 912 913 if (bprm->called_set_creds) 914 return 0; 915 916 isp = smack_inode(inode); 917 if (isp->smk_task == NULL || isp->smk_task == bsp->smk_task) 918 return 0; 919 920 sbsp = inode->i_sb->s_security; 921 if ((sbsp->smk_flags & SMK_SB_UNTRUSTED) && 922 isp->smk_task != sbsp->smk_root) 923 return 0; 924 925 if (bprm->unsafe & LSM_UNSAFE_PTRACE) { 926 struct task_struct *tracer; 927 rc = 0; 928 929 rcu_read_lock(); 930 tracer = ptrace_parent(current); 931 if (likely(tracer != NULL)) 932 rc = smk_ptrace_rule_check(tracer, 933 isp->smk_task, 934 PTRACE_MODE_ATTACH, 935 __func__); 936 rcu_read_unlock(); 937 938 if (rc != 0) 939 return rc; 940 } else if (bprm->unsafe) 941 return -EPERM; 942 943 bsp->smk_task = isp->smk_task; 944 bprm->per_clear |= PER_CLEAR_ON_SETID; 945 946 /* Decide if this is a secure exec. */ 947 if (bsp->smk_task != bsp->smk_forked) 948 bprm->secureexec = 1; 949 950 return 0; 951 } 952 953 /* 954 * Inode hooks 955 */ 956 957 /** 958 * smack_inode_alloc_security - allocate an inode blob 959 * @inode: the inode in need of a blob 960 * 961 * Returns 0 if it gets a blob, -ENOMEM otherwise 962 */ 963 static int smack_inode_alloc_security(struct inode *inode) 964 { 965 struct smack_known *skp = smk_of_current(); 966 967 init_inode_smack(inode, skp); 968 return 0; 969 } 970 971 /** 972 * smack_inode_init_security - copy out the smack from an inode 973 * @inode: the newly created inode 974 * @dir: containing directory object 975 * @qstr: unused 976 * @name: where to put the attribute name 977 * @value: where to put the attribute value 978 * @len: where to put the length of the attribute 979 * 980 * Returns 0 if it all works out, -ENOMEM if there's no memory 981 */ 982 static int smack_inode_init_security(struct inode *inode, struct inode *dir, 983 const struct qstr *qstr, const char **name, 984 void **value, size_t *len) 985 { 986 struct inode_smack *issp = smack_inode(inode); 987 struct smack_known *skp = smk_of_current(); 988 struct smack_known *isp = smk_of_inode(inode); 989 struct smack_known *dsp = smk_of_inode(dir); 990 int may; 991 992 if (name) 993 *name = XATTR_SMACK_SUFFIX; 994 995 if (value && len) { 996 rcu_read_lock(); 997 may = smk_access_entry(skp->smk_known, dsp->smk_known, 998 &skp->smk_rules); 999 rcu_read_unlock(); 1000 1001 /* 1002 * If the access rule allows transmutation and 1003 * the directory requests transmutation then 1004 * by all means transmute. 1005 * Mark the inode as changed. 1006 */ 1007 if (may > 0 && ((may & MAY_TRANSMUTE) != 0) && 1008 smk_inode_transmutable(dir)) { 1009 isp = dsp; 1010 issp->smk_flags |= SMK_INODE_CHANGED; 1011 } 1012 1013 *value = kstrdup(isp->smk_known, GFP_NOFS); 1014 if (*value == NULL) 1015 return -ENOMEM; 1016 1017 *len = strlen(isp->smk_known); 1018 } 1019 1020 return 0; 1021 } 1022 1023 /** 1024 * smack_inode_link - Smack check on link 1025 * @old_dentry: the existing object 1026 * @dir: unused 1027 * @new_dentry: the new object 1028 * 1029 * Returns 0 if access is permitted, an error code otherwise 1030 */ 1031 static int smack_inode_link(struct dentry *old_dentry, struct inode *dir, 1032 struct dentry *new_dentry) 1033 { 1034 struct smack_known *isp; 1035 struct smk_audit_info ad; 1036 int rc; 1037 1038 smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_DENTRY); 1039 smk_ad_setfield_u_fs_path_dentry(&ad, old_dentry); 1040 1041 isp = smk_of_inode(d_backing_inode(old_dentry)); 1042 rc = smk_curacc(isp, MAY_WRITE, &ad); 1043 rc = smk_bu_inode(d_backing_inode(old_dentry), MAY_WRITE, rc); 1044 1045 if (rc == 0 && d_is_positive(new_dentry)) { 1046 isp = smk_of_inode(d_backing_inode(new_dentry)); 1047 smk_ad_setfield_u_fs_path_dentry(&ad, new_dentry); 1048 rc = smk_curacc(isp, MAY_WRITE, &ad); 1049 rc = smk_bu_inode(d_backing_inode(new_dentry), MAY_WRITE, rc); 1050 } 1051 1052 return rc; 1053 } 1054 1055 /** 1056 * smack_inode_unlink - Smack check on inode deletion 1057 * @dir: containing directory object 1058 * @dentry: file to unlink 1059 * 1060 * Returns 0 if current can write the containing directory 1061 * and the object, error code otherwise 1062 */ 1063 static int smack_inode_unlink(struct inode *dir, struct dentry *dentry) 1064 { 1065 struct inode *ip = d_backing_inode(dentry); 1066 struct smk_audit_info ad; 1067 int rc; 1068 1069 smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_DENTRY); 1070 smk_ad_setfield_u_fs_path_dentry(&ad, dentry); 1071 1072 /* 1073 * You need write access to the thing you're unlinking 1074 */ 1075 rc = smk_curacc(smk_of_inode(ip), MAY_WRITE, &ad); 1076 rc = smk_bu_inode(ip, MAY_WRITE, rc); 1077 if (rc == 0) { 1078 /* 1079 * You also need write access to the containing directory 1080 */ 1081 smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_INODE); 1082 smk_ad_setfield_u_fs_inode(&ad, dir); 1083 rc = smk_curacc(smk_of_inode(dir), MAY_WRITE, &ad); 1084 rc = smk_bu_inode(dir, MAY_WRITE, rc); 1085 } 1086 return rc; 1087 } 1088 1089 /** 1090 * smack_inode_rmdir - Smack check on directory deletion 1091 * @dir: containing directory object 1092 * @dentry: directory to unlink 1093 * 1094 * Returns 0 if current can write the containing directory 1095 * and the directory, error code otherwise 1096 */ 1097 static int smack_inode_rmdir(struct inode *dir, struct dentry *dentry) 1098 { 1099 struct smk_audit_info ad; 1100 int rc; 1101 1102 smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_DENTRY); 1103 smk_ad_setfield_u_fs_path_dentry(&ad, dentry); 1104 1105 /* 1106 * You need write access to the thing you're removing 1107 */ 1108 rc = smk_curacc(smk_of_inode(d_backing_inode(dentry)), MAY_WRITE, &ad); 1109 rc = smk_bu_inode(d_backing_inode(dentry), MAY_WRITE, rc); 1110 if (rc == 0) { 1111 /* 1112 * You also need write access to the containing directory 1113 */ 1114 smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_INODE); 1115 smk_ad_setfield_u_fs_inode(&ad, dir); 1116 rc = smk_curacc(smk_of_inode(dir), MAY_WRITE, &ad); 1117 rc = smk_bu_inode(dir, MAY_WRITE, rc); 1118 } 1119 1120 return rc; 1121 } 1122 1123 /** 1124 * smack_inode_rename - Smack check on rename 1125 * @old_inode: unused 1126 * @old_dentry: the old object 1127 * @new_inode: unused 1128 * @new_dentry: the new object 1129 * 1130 * Read and write access is required on both the old and 1131 * new directories. 1132 * 1133 * Returns 0 if access is permitted, an error code otherwise 1134 */ 1135 static int smack_inode_rename(struct inode *old_inode, 1136 struct dentry *old_dentry, 1137 struct inode *new_inode, 1138 struct dentry *new_dentry) 1139 { 1140 int rc; 1141 struct smack_known *isp; 1142 struct smk_audit_info ad; 1143 1144 smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_DENTRY); 1145 smk_ad_setfield_u_fs_path_dentry(&ad, old_dentry); 1146 1147 isp = smk_of_inode(d_backing_inode(old_dentry)); 1148 rc = smk_curacc(isp, MAY_READWRITE, &ad); 1149 rc = smk_bu_inode(d_backing_inode(old_dentry), MAY_READWRITE, rc); 1150 1151 if (rc == 0 && d_is_positive(new_dentry)) { 1152 isp = smk_of_inode(d_backing_inode(new_dentry)); 1153 smk_ad_setfield_u_fs_path_dentry(&ad, new_dentry); 1154 rc = smk_curacc(isp, MAY_READWRITE, &ad); 1155 rc = smk_bu_inode(d_backing_inode(new_dentry), MAY_READWRITE, rc); 1156 } 1157 return rc; 1158 } 1159 1160 /** 1161 * smack_inode_permission - Smack version of permission() 1162 * @inode: the inode in question 1163 * @mask: the access requested 1164 * 1165 * This is the important Smack hook. 1166 * 1167 * Returns 0 if access is permitted, -EACCES otherwise 1168 */ 1169 static int smack_inode_permission(struct inode *inode, int mask) 1170 { 1171 struct superblock_smack *sbsp = inode->i_sb->s_security; 1172 struct smk_audit_info ad; 1173 int no_block = mask & MAY_NOT_BLOCK; 1174 int rc; 1175 1176 mask &= (MAY_READ|MAY_WRITE|MAY_EXEC|MAY_APPEND); 1177 /* 1178 * No permission to check. Existence test. Yup, it's there. 1179 */ 1180 if (mask == 0) 1181 return 0; 1182 1183 if (sbsp->smk_flags & SMK_SB_UNTRUSTED) { 1184 if (smk_of_inode(inode) != sbsp->smk_root) 1185 return -EACCES; 1186 } 1187 1188 /* May be droppable after audit */ 1189 if (no_block) 1190 return -ECHILD; 1191 smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_INODE); 1192 smk_ad_setfield_u_fs_inode(&ad, inode); 1193 rc = smk_curacc(smk_of_inode(inode), mask, &ad); 1194 rc = smk_bu_inode(inode, mask, rc); 1195 return rc; 1196 } 1197 1198 /** 1199 * smack_inode_setattr - Smack check for setting attributes 1200 * @dentry: the object 1201 * @iattr: for the force flag 1202 * 1203 * Returns 0 if access is permitted, an error code otherwise 1204 */ 1205 static int smack_inode_setattr(struct dentry *dentry, struct iattr *iattr) 1206 { 1207 struct smk_audit_info ad; 1208 int rc; 1209 1210 /* 1211 * Need to allow for clearing the setuid bit. 1212 */ 1213 if (iattr->ia_valid & ATTR_FORCE) 1214 return 0; 1215 smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_DENTRY); 1216 smk_ad_setfield_u_fs_path_dentry(&ad, dentry); 1217 1218 rc = smk_curacc(smk_of_inode(d_backing_inode(dentry)), MAY_WRITE, &ad); 1219 rc = smk_bu_inode(d_backing_inode(dentry), MAY_WRITE, rc); 1220 return rc; 1221 } 1222 1223 /** 1224 * smack_inode_getattr - Smack check for getting attributes 1225 * @mnt: vfsmount of the object 1226 * @dentry: the object 1227 * 1228 * Returns 0 if access is permitted, an error code otherwise 1229 */ 1230 static int smack_inode_getattr(const struct path *path) 1231 { 1232 struct smk_audit_info ad; 1233 struct inode *inode = d_backing_inode(path->dentry); 1234 int rc; 1235 1236 smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_PATH); 1237 smk_ad_setfield_u_fs_path(&ad, *path); 1238 rc = smk_curacc(smk_of_inode(inode), MAY_READ, &ad); 1239 rc = smk_bu_inode(inode, MAY_READ, rc); 1240 return rc; 1241 } 1242 1243 /** 1244 * smack_inode_setxattr - Smack check for setting xattrs 1245 * @dentry: the object 1246 * @name: name of the attribute 1247 * @value: value of the attribute 1248 * @size: size of the value 1249 * @flags: unused 1250 * 1251 * This protects the Smack attribute explicitly. 1252 * 1253 * Returns 0 if access is permitted, an error code otherwise 1254 */ 1255 static int smack_inode_setxattr(struct dentry *dentry, const char *name, 1256 const void *value, size_t size, int flags) 1257 { 1258 struct smk_audit_info ad; 1259 struct smack_known *skp; 1260 int check_priv = 0; 1261 int check_import = 0; 1262 int check_star = 0; 1263 int rc = 0; 1264 1265 /* 1266 * Check label validity here so import won't fail in post_setxattr 1267 */ 1268 if (strcmp(name, XATTR_NAME_SMACK) == 0 || 1269 strcmp(name, XATTR_NAME_SMACKIPIN) == 0 || 1270 strcmp(name, XATTR_NAME_SMACKIPOUT) == 0) { 1271 check_priv = 1; 1272 check_import = 1; 1273 } else if (strcmp(name, XATTR_NAME_SMACKEXEC) == 0 || 1274 strcmp(name, XATTR_NAME_SMACKMMAP) == 0) { 1275 check_priv = 1; 1276 check_import = 1; 1277 check_star = 1; 1278 } else if (strcmp(name, XATTR_NAME_SMACKTRANSMUTE) == 0) { 1279 check_priv = 1; 1280 if (size != TRANS_TRUE_SIZE || 1281 strncmp(value, TRANS_TRUE, TRANS_TRUE_SIZE) != 0) 1282 rc = -EINVAL; 1283 } else 1284 rc = cap_inode_setxattr(dentry, name, value, size, flags); 1285 1286 if (check_priv && !smack_privileged(CAP_MAC_ADMIN)) 1287 rc = -EPERM; 1288 1289 if (rc == 0 && check_import) { 1290 skp = size ? smk_import_entry(value, size) : NULL; 1291 if (IS_ERR(skp)) 1292 rc = PTR_ERR(skp); 1293 else if (skp == NULL || (check_star && 1294 (skp == &smack_known_star || skp == &smack_known_web))) 1295 rc = -EINVAL; 1296 } 1297 1298 smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_DENTRY); 1299 smk_ad_setfield_u_fs_path_dentry(&ad, dentry); 1300 1301 if (rc == 0) { 1302 rc = smk_curacc(smk_of_inode(d_backing_inode(dentry)), MAY_WRITE, &ad); 1303 rc = smk_bu_inode(d_backing_inode(dentry), MAY_WRITE, rc); 1304 } 1305 1306 return rc; 1307 } 1308 1309 /** 1310 * smack_inode_post_setxattr - Apply the Smack update approved above 1311 * @dentry: object 1312 * @name: attribute name 1313 * @value: attribute value 1314 * @size: attribute size 1315 * @flags: unused 1316 * 1317 * Set the pointer in the inode blob to the entry found 1318 * in the master label list. 1319 */ 1320 static void smack_inode_post_setxattr(struct dentry *dentry, const char *name, 1321 const void *value, size_t size, int flags) 1322 { 1323 struct smack_known *skp; 1324 struct inode_smack *isp = smack_inode(d_backing_inode(dentry)); 1325 1326 if (strcmp(name, XATTR_NAME_SMACKTRANSMUTE) == 0) { 1327 isp->smk_flags |= SMK_INODE_TRANSMUTE; 1328 return; 1329 } 1330 1331 if (strcmp(name, XATTR_NAME_SMACK) == 0) { 1332 skp = smk_import_entry(value, size); 1333 if (!IS_ERR(skp)) 1334 isp->smk_inode = skp; 1335 } else if (strcmp(name, XATTR_NAME_SMACKEXEC) == 0) { 1336 skp = smk_import_entry(value, size); 1337 if (!IS_ERR(skp)) 1338 isp->smk_task = skp; 1339 } else if (strcmp(name, XATTR_NAME_SMACKMMAP) == 0) { 1340 skp = smk_import_entry(value, size); 1341 if (!IS_ERR(skp)) 1342 isp->smk_mmap = skp; 1343 } 1344 1345 return; 1346 } 1347 1348 /** 1349 * smack_inode_getxattr - Smack check on getxattr 1350 * @dentry: the object 1351 * @name: unused 1352 * 1353 * Returns 0 if access is permitted, an error code otherwise 1354 */ 1355 static int smack_inode_getxattr(struct dentry *dentry, const char *name) 1356 { 1357 struct smk_audit_info ad; 1358 int rc; 1359 1360 smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_DENTRY); 1361 smk_ad_setfield_u_fs_path_dentry(&ad, dentry); 1362 1363 rc = smk_curacc(smk_of_inode(d_backing_inode(dentry)), MAY_READ, &ad); 1364 rc = smk_bu_inode(d_backing_inode(dentry), MAY_READ, rc); 1365 return rc; 1366 } 1367 1368 /** 1369 * smack_inode_removexattr - Smack check on removexattr 1370 * @dentry: the object 1371 * @name: name of the attribute 1372 * 1373 * Removing the Smack attribute requires CAP_MAC_ADMIN 1374 * 1375 * Returns 0 if access is permitted, an error code otherwise 1376 */ 1377 static int smack_inode_removexattr(struct dentry *dentry, const char *name) 1378 { 1379 struct inode_smack *isp; 1380 struct smk_audit_info ad; 1381 int rc = 0; 1382 1383 if (strcmp(name, XATTR_NAME_SMACK) == 0 || 1384 strcmp(name, XATTR_NAME_SMACKIPIN) == 0 || 1385 strcmp(name, XATTR_NAME_SMACKIPOUT) == 0 || 1386 strcmp(name, XATTR_NAME_SMACKEXEC) == 0 || 1387 strcmp(name, XATTR_NAME_SMACKTRANSMUTE) == 0 || 1388 strcmp(name, XATTR_NAME_SMACKMMAP) == 0) { 1389 if (!smack_privileged(CAP_MAC_ADMIN)) 1390 rc = -EPERM; 1391 } else 1392 rc = cap_inode_removexattr(dentry, name); 1393 1394 if (rc != 0) 1395 return rc; 1396 1397 smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_DENTRY); 1398 smk_ad_setfield_u_fs_path_dentry(&ad, dentry); 1399 1400 rc = smk_curacc(smk_of_inode(d_backing_inode(dentry)), MAY_WRITE, &ad); 1401 rc = smk_bu_inode(d_backing_inode(dentry), MAY_WRITE, rc); 1402 if (rc != 0) 1403 return rc; 1404 1405 isp = smack_inode(d_backing_inode(dentry)); 1406 /* 1407 * Don't do anything special for these. 1408 * XATTR_NAME_SMACKIPIN 1409 * XATTR_NAME_SMACKIPOUT 1410 */ 1411 if (strcmp(name, XATTR_NAME_SMACK) == 0) { 1412 struct super_block *sbp = dentry->d_sb; 1413 struct superblock_smack *sbsp = sbp->s_security; 1414 1415 isp->smk_inode = sbsp->smk_default; 1416 } else if (strcmp(name, XATTR_NAME_SMACKEXEC) == 0) 1417 isp->smk_task = NULL; 1418 else if (strcmp(name, XATTR_NAME_SMACKMMAP) == 0) 1419 isp->smk_mmap = NULL; 1420 else if (strcmp(name, XATTR_NAME_SMACKTRANSMUTE) == 0) 1421 isp->smk_flags &= ~SMK_INODE_TRANSMUTE; 1422 1423 return 0; 1424 } 1425 1426 /** 1427 * smack_inode_getsecurity - get smack xattrs 1428 * @inode: the object 1429 * @name: attribute name 1430 * @buffer: where to put the result 1431 * @alloc: duplicate memory 1432 * 1433 * Returns the size of the attribute or an error code 1434 */ 1435 static int smack_inode_getsecurity(struct inode *inode, 1436 const char *name, void **buffer, 1437 bool alloc) 1438 { 1439 struct socket_smack *ssp; 1440 struct socket *sock; 1441 struct super_block *sbp; 1442 struct inode *ip = (struct inode *)inode; 1443 struct smack_known *isp; 1444 1445 if (strcmp(name, XATTR_SMACK_SUFFIX) == 0) 1446 isp = smk_of_inode(inode); 1447 else { 1448 /* 1449 * The rest of the Smack xattrs are only on sockets. 1450 */ 1451 sbp = ip->i_sb; 1452 if (sbp->s_magic != SOCKFS_MAGIC) 1453 return -EOPNOTSUPP; 1454 1455 sock = SOCKET_I(ip); 1456 if (sock == NULL || sock->sk == NULL) 1457 return -EOPNOTSUPP; 1458 1459 ssp = sock->sk->sk_security; 1460 1461 if (strcmp(name, XATTR_SMACK_IPIN) == 0) 1462 isp = ssp->smk_in; 1463 else if (strcmp(name, XATTR_SMACK_IPOUT) == 0) 1464 isp = ssp->smk_out; 1465 else 1466 return -EOPNOTSUPP; 1467 } 1468 1469 if (alloc) { 1470 *buffer = kstrdup(isp->smk_known, GFP_KERNEL); 1471 if (*buffer == NULL) 1472 return -ENOMEM; 1473 } 1474 1475 return strlen(isp->smk_known); 1476 } 1477 1478 1479 /** 1480 * smack_inode_listsecurity - list the Smack attributes 1481 * @inode: the object 1482 * @buffer: where they go 1483 * @buffer_size: size of buffer 1484 */ 1485 static int smack_inode_listsecurity(struct inode *inode, char *buffer, 1486 size_t buffer_size) 1487 { 1488 int len = sizeof(XATTR_NAME_SMACK); 1489 1490 if (buffer != NULL && len <= buffer_size) 1491 memcpy(buffer, XATTR_NAME_SMACK, len); 1492 1493 return len; 1494 } 1495 1496 /** 1497 * smack_inode_getsecid - Extract inode's security id 1498 * @inode: inode to extract the info from 1499 * @secid: where result will be saved 1500 */ 1501 static void smack_inode_getsecid(struct inode *inode, u32 *secid) 1502 { 1503 struct smack_known *skp = smk_of_inode(inode); 1504 1505 *secid = skp->smk_secid; 1506 } 1507 1508 /* 1509 * File Hooks 1510 */ 1511 1512 /* 1513 * There is no smack_file_permission hook 1514 * 1515 * Should access checks be done on each read or write? 1516 * UNICOS and SELinux say yes. 1517 * Trusted Solaris, Trusted Irix, and just about everyone else says no. 1518 * 1519 * I'll say no for now. Smack does not do the frequent 1520 * label changing that SELinux does. 1521 */ 1522 1523 /** 1524 * smack_file_alloc_security - assign a file security blob 1525 * @file: the object 1526 * 1527 * The security blob for a file is a pointer to the master 1528 * label list, so no allocation is done. 1529 * 1530 * f_security is the owner security information. It 1531 * isn't used on file access checks, it's for send_sigio. 1532 * 1533 * Returns 0 1534 */ 1535 static int smack_file_alloc_security(struct file *file) 1536 { 1537 struct smack_known **blob = smack_file(file); 1538 1539 *blob = smk_of_current(); 1540 return 0; 1541 } 1542 1543 /** 1544 * smack_file_ioctl - Smack check on ioctls 1545 * @file: the object 1546 * @cmd: what to do 1547 * @arg: unused 1548 * 1549 * Relies heavily on the correct use of the ioctl command conventions. 1550 * 1551 * Returns 0 if allowed, error code otherwise 1552 */ 1553 static int smack_file_ioctl(struct file *file, unsigned int cmd, 1554 unsigned long arg) 1555 { 1556 int rc = 0; 1557 struct smk_audit_info ad; 1558 struct inode *inode = file_inode(file); 1559 1560 if (unlikely(IS_PRIVATE(inode))) 1561 return 0; 1562 1563 smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_PATH); 1564 smk_ad_setfield_u_fs_path(&ad, file->f_path); 1565 1566 if (_IOC_DIR(cmd) & _IOC_WRITE) { 1567 rc = smk_curacc(smk_of_inode(inode), MAY_WRITE, &ad); 1568 rc = smk_bu_file(file, MAY_WRITE, rc); 1569 } 1570 1571 if (rc == 0 && (_IOC_DIR(cmd) & _IOC_READ)) { 1572 rc = smk_curacc(smk_of_inode(inode), MAY_READ, &ad); 1573 rc = smk_bu_file(file, MAY_READ, rc); 1574 } 1575 1576 return rc; 1577 } 1578 1579 /** 1580 * smack_file_lock - Smack check on file locking 1581 * @file: the object 1582 * @cmd: unused 1583 * 1584 * Returns 0 if current has lock access, error code otherwise 1585 */ 1586 static int smack_file_lock(struct file *file, unsigned int cmd) 1587 { 1588 struct smk_audit_info ad; 1589 int rc; 1590 struct inode *inode = file_inode(file); 1591 1592 if (unlikely(IS_PRIVATE(inode))) 1593 return 0; 1594 1595 smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_PATH); 1596 smk_ad_setfield_u_fs_path(&ad, file->f_path); 1597 rc = smk_curacc(smk_of_inode(inode), MAY_LOCK, &ad); 1598 rc = smk_bu_file(file, MAY_LOCK, rc); 1599 return rc; 1600 } 1601 1602 /** 1603 * smack_file_fcntl - Smack check on fcntl 1604 * @file: the object 1605 * @cmd: what action to check 1606 * @arg: unused 1607 * 1608 * Generally these operations are harmless. 1609 * File locking operations present an obvious mechanism 1610 * for passing information, so they require write access. 1611 * 1612 * Returns 0 if current has access, error code otherwise 1613 */ 1614 static int smack_file_fcntl(struct file *file, unsigned int cmd, 1615 unsigned long arg) 1616 { 1617 struct smk_audit_info ad; 1618 int rc = 0; 1619 struct inode *inode = file_inode(file); 1620 1621 if (unlikely(IS_PRIVATE(inode))) 1622 return 0; 1623 1624 switch (cmd) { 1625 case F_GETLK: 1626 break; 1627 case F_SETLK: 1628 case F_SETLKW: 1629 smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_PATH); 1630 smk_ad_setfield_u_fs_path(&ad, file->f_path); 1631 rc = smk_curacc(smk_of_inode(inode), MAY_LOCK, &ad); 1632 rc = smk_bu_file(file, MAY_LOCK, rc); 1633 break; 1634 case F_SETOWN: 1635 case F_SETSIG: 1636 smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_PATH); 1637 smk_ad_setfield_u_fs_path(&ad, file->f_path); 1638 rc = smk_curacc(smk_of_inode(inode), MAY_WRITE, &ad); 1639 rc = smk_bu_file(file, MAY_WRITE, rc); 1640 break; 1641 default: 1642 break; 1643 } 1644 1645 return rc; 1646 } 1647 1648 /** 1649 * smack_mmap_file : 1650 * Check permissions for a mmap operation. The @file may be NULL, e.g. 1651 * if mapping anonymous memory. 1652 * @file contains the file structure for file to map (may be NULL). 1653 * @reqprot contains the protection requested by the application. 1654 * @prot contains the protection that will be applied by the kernel. 1655 * @flags contains the operational flags. 1656 * Return 0 if permission is granted. 1657 */ 1658 static int smack_mmap_file(struct file *file, 1659 unsigned long reqprot, unsigned long prot, 1660 unsigned long flags) 1661 { 1662 struct smack_known *skp; 1663 struct smack_known *mkp; 1664 struct smack_rule *srp; 1665 struct task_smack *tsp; 1666 struct smack_known *okp; 1667 struct inode_smack *isp; 1668 struct superblock_smack *sbsp; 1669 int may; 1670 int mmay; 1671 int tmay; 1672 int rc; 1673 1674 if (file == NULL) 1675 return 0; 1676 1677 if (unlikely(IS_PRIVATE(file_inode(file)))) 1678 return 0; 1679 1680 isp = smack_inode(file_inode(file)); 1681 if (isp->smk_mmap == NULL) 1682 return 0; 1683 sbsp = file_inode(file)->i_sb->s_security; 1684 if (sbsp->smk_flags & SMK_SB_UNTRUSTED && 1685 isp->smk_mmap != sbsp->smk_root) 1686 return -EACCES; 1687 mkp = isp->smk_mmap; 1688 1689 tsp = smack_cred(current_cred()); 1690 skp = smk_of_current(); 1691 rc = 0; 1692 1693 rcu_read_lock(); 1694 /* 1695 * For each Smack rule associated with the subject 1696 * label verify that the SMACK64MMAP also has access 1697 * to that rule's object label. 1698 */ 1699 list_for_each_entry_rcu(srp, &skp->smk_rules, list) { 1700 okp = srp->smk_object; 1701 /* 1702 * Matching labels always allows access. 1703 */ 1704 if (mkp->smk_known == okp->smk_known) 1705 continue; 1706 /* 1707 * If there is a matching local rule take 1708 * that into account as well. 1709 */ 1710 may = smk_access_entry(srp->smk_subject->smk_known, 1711 okp->smk_known, 1712 &tsp->smk_rules); 1713 if (may == -ENOENT) 1714 may = srp->smk_access; 1715 else 1716 may &= srp->smk_access; 1717 /* 1718 * If may is zero the SMACK64MMAP subject can't 1719 * possibly have less access. 1720 */ 1721 if (may == 0) 1722 continue; 1723 1724 /* 1725 * Fetch the global list entry. 1726 * If there isn't one a SMACK64MMAP subject 1727 * can't have as much access as current. 1728 */ 1729 mmay = smk_access_entry(mkp->smk_known, okp->smk_known, 1730 &mkp->smk_rules); 1731 if (mmay == -ENOENT) { 1732 rc = -EACCES; 1733 break; 1734 } 1735 /* 1736 * If there is a local entry it modifies the 1737 * potential access, too. 1738 */ 1739 tmay = smk_access_entry(mkp->smk_known, okp->smk_known, 1740 &tsp->smk_rules); 1741 if (tmay != -ENOENT) 1742 mmay &= tmay; 1743 1744 /* 1745 * If there is any access available to current that is 1746 * not available to a SMACK64MMAP subject 1747 * deny access. 1748 */ 1749 if ((may | mmay) != mmay) { 1750 rc = -EACCES; 1751 break; 1752 } 1753 } 1754 1755 rcu_read_unlock(); 1756 1757 return rc; 1758 } 1759 1760 /** 1761 * smack_file_set_fowner - set the file security blob value 1762 * @file: object in question 1763 * 1764 */ 1765 static void smack_file_set_fowner(struct file *file) 1766 { 1767 struct smack_known **blob = smack_file(file); 1768 1769 *blob = smk_of_current(); 1770 } 1771 1772 /** 1773 * smack_file_send_sigiotask - Smack on sigio 1774 * @tsk: The target task 1775 * @fown: the object the signal come from 1776 * @signum: unused 1777 * 1778 * Allow a privileged task to get signals even if it shouldn't 1779 * 1780 * Returns 0 if a subject with the object's smack could 1781 * write to the task, an error code otherwise. 1782 */ 1783 static int smack_file_send_sigiotask(struct task_struct *tsk, 1784 struct fown_struct *fown, int signum) 1785 { 1786 struct smack_known **blob; 1787 struct smack_known *skp; 1788 struct smack_known *tkp = smk_of_task(smack_cred(tsk->cred)); 1789 const struct cred *tcred; 1790 struct file *file; 1791 int rc; 1792 struct smk_audit_info ad; 1793 1794 /* 1795 * struct fown_struct is never outside the context of a struct file 1796 */ 1797 file = container_of(fown, struct file, f_owner); 1798 1799 /* we don't log here as rc can be overriden */ 1800 blob = smack_file(file); 1801 skp = *blob; 1802 rc = smk_access(skp, tkp, MAY_DELIVER, NULL); 1803 rc = smk_bu_note("sigiotask", skp, tkp, MAY_DELIVER, rc); 1804 1805 rcu_read_lock(); 1806 tcred = __task_cred(tsk); 1807 if (rc != 0 && smack_privileged_cred(CAP_MAC_OVERRIDE, tcred)) 1808 rc = 0; 1809 rcu_read_unlock(); 1810 1811 smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_TASK); 1812 smk_ad_setfield_u_tsk(&ad, tsk); 1813 smack_log(skp->smk_known, tkp->smk_known, MAY_DELIVER, rc, &ad); 1814 return rc; 1815 } 1816 1817 /** 1818 * smack_file_receive - Smack file receive check 1819 * @file: the object 1820 * 1821 * Returns 0 if current has access, error code otherwise 1822 */ 1823 static int smack_file_receive(struct file *file) 1824 { 1825 int rc; 1826 int may = 0; 1827 struct smk_audit_info ad; 1828 struct inode *inode = file_inode(file); 1829 struct socket *sock; 1830 struct task_smack *tsp; 1831 struct socket_smack *ssp; 1832 1833 if (unlikely(IS_PRIVATE(inode))) 1834 return 0; 1835 1836 smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_PATH); 1837 smk_ad_setfield_u_fs_path(&ad, file->f_path); 1838 1839 if (inode->i_sb->s_magic == SOCKFS_MAGIC) { 1840 sock = SOCKET_I(inode); 1841 ssp = sock->sk->sk_security; 1842 tsp = smack_cred(current_cred()); 1843 /* 1844 * If the receiving process can't write to the 1845 * passed socket or if the passed socket can't 1846 * write to the receiving process don't accept 1847 * the passed socket. 1848 */ 1849 rc = smk_access(tsp->smk_task, ssp->smk_out, MAY_WRITE, &ad); 1850 rc = smk_bu_file(file, may, rc); 1851 if (rc < 0) 1852 return rc; 1853 rc = smk_access(ssp->smk_in, tsp->smk_task, MAY_WRITE, &ad); 1854 rc = smk_bu_file(file, may, rc); 1855 return rc; 1856 } 1857 /* 1858 * This code relies on bitmasks. 1859 */ 1860 if (file->f_mode & FMODE_READ) 1861 may = MAY_READ; 1862 if (file->f_mode & FMODE_WRITE) 1863 may |= MAY_WRITE; 1864 1865 rc = smk_curacc(smk_of_inode(inode), may, &ad); 1866 rc = smk_bu_file(file, may, rc); 1867 return rc; 1868 } 1869 1870 /** 1871 * smack_file_open - Smack dentry open processing 1872 * @file: the object 1873 * @cred: task credential 1874 * 1875 * Set the security blob in the file structure. 1876 * Allow the open only if the task has read access. There are 1877 * many read operations (e.g. fstat) that you can do with an 1878 * fd even if you have the file open write-only. 1879 * 1880 * Returns 0 1881 */ 1882 static int smack_file_open(struct file *file) 1883 { 1884 struct task_smack *tsp = smack_cred(file->f_cred); 1885 struct inode *inode = file_inode(file); 1886 struct smk_audit_info ad; 1887 int rc; 1888 1889 smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_PATH); 1890 smk_ad_setfield_u_fs_path(&ad, file->f_path); 1891 rc = smk_tskacc(tsp, smk_of_inode(inode), MAY_READ, &ad); 1892 rc = smk_bu_credfile(file->f_cred, file, MAY_READ, rc); 1893 1894 return rc; 1895 } 1896 1897 /* 1898 * Task hooks 1899 */ 1900 1901 /** 1902 * smack_cred_alloc_blank - "allocate" blank task-level security credentials 1903 * @new: the new credentials 1904 * @gfp: the atomicity of any memory allocations 1905 * 1906 * Prepare a blank set of credentials for modification. This must allocate all 1907 * the memory the LSM module might require such that cred_transfer() can 1908 * complete without error. 1909 */ 1910 static int smack_cred_alloc_blank(struct cred *cred, gfp_t gfp) 1911 { 1912 init_task_smack(smack_cred(cred), NULL, NULL); 1913 return 0; 1914 } 1915 1916 1917 /** 1918 * smack_cred_free - "free" task-level security credentials 1919 * @cred: the credentials in question 1920 * 1921 */ 1922 static void smack_cred_free(struct cred *cred) 1923 { 1924 struct task_smack *tsp = smack_cred(cred); 1925 struct smack_rule *rp; 1926 struct list_head *l; 1927 struct list_head *n; 1928 1929 smk_destroy_label_list(&tsp->smk_relabel); 1930 1931 list_for_each_safe(l, n, &tsp->smk_rules) { 1932 rp = list_entry(l, struct smack_rule, list); 1933 list_del(&rp->list); 1934 kfree(rp); 1935 } 1936 } 1937 1938 /** 1939 * smack_cred_prepare - prepare new set of credentials for modification 1940 * @new: the new credentials 1941 * @old: the original credentials 1942 * @gfp: the atomicity of any memory allocations 1943 * 1944 * Prepare a new set of credentials for modification. 1945 */ 1946 static int smack_cred_prepare(struct cred *new, const struct cred *old, 1947 gfp_t gfp) 1948 { 1949 struct task_smack *old_tsp = smack_cred(old); 1950 struct task_smack *new_tsp = smack_cred(new); 1951 int rc; 1952 1953 init_task_smack(new_tsp, old_tsp->smk_task, old_tsp->smk_task); 1954 1955 rc = smk_copy_rules(&new_tsp->smk_rules, &old_tsp->smk_rules, gfp); 1956 if (rc != 0) 1957 return rc; 1958 1959 rc = smk_copy_relabel(&new_tsp->smk_relabel, &old_tsp->smk_relabel, 1960 gfp); 1961 return rc; 1962 } 1963 1964 /** 1965 * smack_cred_transfer - Transfer the old credentials to the new credentials 1966 * @new: the new credentials 1967 * @old: the original credentials 1968 * 1969 * Fill in a set of blank credentials from another set of credentials. 1970 */ 1971 static void smack_cred_transfer(struct cred *new, const struct cred *old) 1972 { 1973 struct task_smack *old_tsp = smack_cred(old); 1974 struct task_smack *new_tsp = smack_cred(new); 1975 1976 new_tsp->smk_task = old_tsp->smk_task; 1977 new_tsp->smk_forked = old_tsp->smk_task; 1978 mutex_init(&new_tsp->smk_rules_lock); 1979 INIT_LIST_HEAD(&new_tsp->smk_rules); 1980 1981 /* cbs copy rule list */ 1982 } 1983 1984 /** 1985 * smack_cred_getsecid - get the secid corresponding to a creds structure 1986 * @c: the object creds 1987 * @secid: where to put the result 1988 * 1989 * Sets the secid to contain a u32 version of the smack label. 1990 */ 1991 static void smack_cred_getsecid(const struct cred *cred, u32 *secid) 1992 { 1993 struct smack_known *skp; 1994 1995 rcu_read_lock(); 1996 skp = smk_of_task(smack_cred(cred)); 1997 *secid = skp->smk_secid; 1998 rcu_read_unlock(); 1999 } 2000 2001 /** 2002 * smack_kernel_act_as - Set the subjective context in a set of credentials 2003 * @new: points to the set of credentials to be modified. 2004 * @secid: specifies the security ID to be set 2005 * 2006 * Set the security data for a kernel service. 2007 */ 2008 static int smack_kernel_act_as(struct cred *new, u32 secid) 2009 { 2010 struct task_smack *new_tsp = smack_cred(new); 2011 2012 new_tsp->smk_task = smack_from_secid(secid); 2013 return 0; 2014 } 2015 2016 /** 2017 * smack_kernel_create_files_as - Set the file creation label in a set of creds 2018 * @new: points to the set of credentials to be modified 2019 * @inode: points to the inode to use as a reference 2020 * 2021 * Set the file creation context in a set of credentials to the same 2022 * as the objective context of the specified inode 2023 */ 2024 static int smack_kernel_create_files_as(struct cred *new, 2025 struct inode *inode) 2026 { 2027 struct inode_smack *isp = smack_inode(inode); 2028 struct task_smack *tsp = smack_cred(new); 2029 2030 tsp->smk_forked = isp->smk_inode; 2031 tsp->smk_task = tsp->smk_forked; 2032 return 0; 2033 } 2034 2035 /** 2036 * smk_curacc_on_task - helper to log task related access 2037 * @p: the task object 2038 * @access: the access requested 2039 * @caller: name of the calling function for audit 2040 * 2041 * Return 0 if access is permitted 2042 */ 2043 static int smk_curacc_on_task(struct task_struct *p, int access, 2044 const char *caller) 2045 { 2046 struct smk_audit_info ad; 2047 struct smack_known *skp = smk_of_task_struct(p); 2048 int rc; 2049 2050 smk_ad_init(&ad, caller, LSM_AUDIT_DATA_TASK); 2051 smk_ad_setfield_u_tsk(&ad, p); 2052 rc = smk_curacc(skp, access, &ad); 2053 rc = smk_bu_task(p, access, rc); 2054 return rc; 2055 } 2056 2057 /** 2058 * smack_task_setpgid - Smack check on setting pgid 2059 * @p: the task object 2060 * @pgid: unused 2061 * 2062 * Return 0 if write access is permitted 2063 */ 2064 static int smack_task_setpgid(struct task_struct *p, pid_t pgid) 2065 { 2066 return smk_curacc_on_task(p, MAY_WRITE, __func__); 2067 } 2068 2069 /** 2070 * smack_task_getpgid - Smack access check for getpgid 2071 * @p: the object task 2072 * 2073 * Returns 0 if current can read the object task, error code otherwise 2074 */ 2075 static int smack_task_getpgid(struct task_struct *p) 2076 { 2077 return smk_curacc_on_task(p, MAY_READ, __func__); 2078 } 2079 2080 /** 2081 * smack_task_getsid - Smack access check for getsid 2082 * @p: the object task 2083 * 2084 * Returns 0 if current can read the object task, error code otherwise 2085 */ 2086 static int smack_task_getsid(struct task_struct *p) 2087 { 2088 return smk_curacc_on_task(p, MAY_READ, __func__); 2089 } 2090 2091 /** 2092 * smack_task_getsecid - get the secid of the task 2093 * @p: the object task 2094 * @secid: where to put the result 2095 * 2096 * Sets the secid to contain a u32 version of the smack label. 2097 */ 2098 static void smack_task_getsecid(struct task_struct *p, u32 *secid) 2099 { 2100 struct smack_known *skp = smk_of_task_struct(p); 2101 2102 *secid = skp->smk_secid; 2103 } 2104 2105 /** 2106 * smack_task_setnice - Smack check on setting nice 2107 * @p: the task object 2108 * @nice: unused 2109 * 2110 * Return 0 if write access is permitted 2111 */ 2112 static int smack_task_setnice(struct task_struct *p, int nice) 2113 { 2114 return smk_curacc_on_task(p, MAY_WRITE, __func__); 2115 } 2116 2117 /** 2118 * smack_task_setioprio - Smack check on setting ioprio 2119 * @p: the task object 2120 * @ioprio: unused 2121 * 2122 * Return 0 if write access is permitted 2123 */ 2124 static int smack_task_setioprio(struct task_struct *p, int ioprio) 2125 { 2126 return smk_curacc_on_task(p, MAY_WRITE, __func__); 2127 } 2128 2129 /** 2130 * smack_task_getioprio - Smack check on reading ioprio 2131 * @p: the task object 2132 * 2133 * Return 0 if read access is permitted 2134 */ 2135 static int smack_task_getioprio(struct task_struct *p) 2136 { 2137 return smk_curacc_on_task(p, MAY_READ, __func__); 2138 } 2139 2140 /** 2141 * smack_task_setscheduler - Smack check on setting scheduler 2142 * @p: the task object 2143 * @policy: unused 2144 * @lp: unused 2145 * 2146 * Return 0 if read access is permitted 2147 */ 2148 static int smack_task_setscheduler(struct task_struct *p) 2149 { 2150 return smk_curacc_on_task(p, MAY_WRITE, __func__); 2151 } 2152 2153 /** 2154 * smack_task_getscheduler - Smack check on reading scheduler 2155 * @p: the task object 2156 * 2157 * Return 0 if read access is permitted 2158 */ 2159 static int smack_task_getscheduler(struct task_struct *p) 2160 { 2161 return smk_curacc_on_task(p, MAY_READ, __func__); 2162 } 2163 2164 /** 2165 * smack_task_movememory - Smack check on moving memory 2166 * @p: the task object 2167 * 2168 * Return 0 if write access is permitted 2169 */ 2170 static int smack_task_movememory(struct task_struct *p) 2171 { 2172 return smk_curacc_on_task(p, MAY_WRITE, __func__); 2173 } 2174 2175 /** 2176 * smack_task_kill - Smack check on signal delivery 2177 * @p: the task object 2178 * @info: unused 2179 * @sig: unused 2180 * @cred: identifies the cred to use in lieu of current's 2181 * 2182 * Return 0 if write access is permitted 2183 * 2184 */ 2185 static int smack_task_kill(struct task_struct *p, struct kernel_siginfo *info, 2186 int sig, const struct cred *cred) 2187 { 2188 struct smk_audit_info ad; 2189 struct smack_known *skp; 2190 struct smack_known *tkp = smk_of_task_struct(p); 2191 int rc; 2192 2193 if (!sig) 2194 return 0; /* null signal; existence test */ 2195 2196 smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_TASK); 2197 smk_ad_setfield_u_tsk(&ad, p); 2198 /* 2199 * Sending a signal requires that the sender 2200 * can write the receiver. 2201 */ 2202 if (cred == NULL) { 2203 rc = smk_curacc(tkp, MAY_DELIVER, &ad); 2204 rc = smk_bu_task(p, MAY_DELIVER, rc); 2205 return rc; 2206 } 2207 /* 2208 * If the cred isn't NULL we're dealing with some USB IO 2209 * specific behavior. This is not clean. For one thing 2210 * we can't take privilege into account. 2211 */ 2212 skp = smk_of_task(smack_cred(cred)); 2213 rc = smk_access(skp, tkp, MAY_DELIVER, &ad); 2214 rc = smk_bu_note("USB signal", skp, tkp, MAY_DELIVER, rc); 2215 return rc; 2216 } 2217 2218 /** 2219 * smack_task_to_inode - copy task smack into the inode blob 2220 * @p: task to copy from 2221 * @inode: inode to copy to 2222 * 2223 * Sets the smack pointer in the inode security blob 2224 */ 2225 static void smack_task_to_inode(struct task_struct *p, struct inode *inode) 2226 { 2227 struct inode_smack *isp = smack_inode(inode); 2228 struct smack_known *skp = smk_of_task_struct(p); 2229 2230 isp->smk_inode = skp; 2231 isp->smk_flags |= SMK_INODE_INSTANT; 2232 } 2233 2234 /* 2235 * Socket hooks. 2236 */ 2237 2238 /** 2239 * smack_sk_alloc_security - Allocate a socket blob 2240 * @sk: the socket 2241 * @family: unused 2242 * @gfp_flags: memory allocation flags 2243 * 2244 * Assign Smack pointers to current 2245 * 2246 * Returns 0 on success, -ENOMEM is there's no memory 2247 */ 2248 static int smack_sk_alloc_security(struct sock *sk, int family, gfp_t gfp_flags) 2249 { 2250 struct smack_known *skp = smk_of_current(); 2251 struct socket_smack *ssp; 2252 2253 ssp = kzalloc(sizeof(struct socket_smack), gfp_flags); 2254 if (ssp == NULL) 2255 return -ENOMEM; 2256 2257 /* 2258 * Sockets created by kernel threads receive web label. 2259 */ 2260 if (unlikely(current->flags & PF_KTHREAD)) { 2261 ssp->smk_in = &smack_known_web; 2262 ssp->smk_out = &smack_known_web; 2263 } else { 2264 ssp->smk_in = skp; 2265 ssp->smk_out = skp; 2266 } 2267 ssp->smk_packet = NULL; 2268 2269 sk->sk_security = ssp; 2270 2271 return 0; 2272 } 2273 2274 /** 2275 * smack_sk_free_security - Free a socket blob 2276 * @sk: the socket 2277 * 2278 * Clears the blob pointer 2279 */ 2280 static void smack_sk_free_security(struct sock *sk) 2281 { 2282 #ifdef SMACK_IPV6_PORT_LABELING 2283 struct smk_port_label *spp; 2284 2285 if (sk->sk_family == PF_INET6) { 2286 rcu_read_lock(); 2287 list_for_each_entry_rcu(spp, &smk_ipv6_port_list, list) { 2288 if (spp->smk_sock != sk) 2289 continue; 2290 spp->smk_can_reuse = 1; 2291 break; 2292 } 2293 rcu_read_unlock(); 2294 } 2295 #endif 2296 kfree(sk->sk_security); 2297 } 2298 2299 /** 2300 * smack_ipv4host_label - check host based restrictions 2301 * @sip: the object end 2302 * 2303 * looks for host based access restrictions 2304 * 2305 * This version will only be appropriate for really small sets of single label 2306 * hosts. The caller is responsible for ensuring that the RCU read lock is 2307 * taken before calling this function. 2308 * 2309 * Returns the label of the far end or NULL if it's not special. 2310 */ 2311 static struct smack_known *smack_ipv4host_label(struct sockaddr_in *sip) 2312 { 2313 struct smk_net4addr *snp; 2314 struct in_addr *siap = &sip->sin_addr; 2315 2316 if (siap->s_addr == 0) 2317 return NULL; 2318 2319 list_for_each_entry_rcu(snp, &smk_net4addr_list, list) 2320 /* 2321 * we break after finding the first match because 2322 * the list is sorted from longest to shortest mask 2323 * so we have found the most specific match 2324 */ 2325 if (snp->smk_host.s_addr == 2326 (siap->s_addr & snp->smk_mask.s_addr)) 2327 return snp->smk_label; 2328 2329 return NULL; 2330 } 2331 2332 #if IS_ENABLED(CONFIG_IPV6) 2333 /* 2334 * smk_ipv6_localhost - Check for local ipv6 host address 2335 * @sip: the address 2336 * 2337 * Returns boolean true if this is the localhost address 2338 */ 2339 static bool smk_ipv6_localhost(struct sockaddr_in6 *sip) 2340 { 2341 __be16 *be16p = (__be16 *)&sip->sin6_addr; 2342 __be32 *be32p = (__be32 *)&sip->sin6_addr; 2343 2344 if (be32p[0] == 0 && be32p[1] == 0 && be32p[2] == 0 && be16p[6] == 0 && 2345 ntohs(be16p[7]) == 1) 2346 return true; 2347 return false; 2348 } 2349 2350 /** 2351 * smack_ipv6host_label - check host based restrictions 2352 * @sip: the object end 2353 * 2354 * looks for host based access restrictions 2355 * 2356 * This version will only be appropriate for really small sets of single label 2357 * hosts. The caller is responsible for ensuring that the RCU read lock is 2358 * taken before calling this function. 2359 * 2360 * Returns the label of the far end or NULL if it's not special. 2361 */ 2362 static struct smack_known *smack_ipv6host_label(struct sockaddr_in6 *sip) 2363 { 2364 struct smk_net6addr *snp; 2365 struct in6_addr *sap = &sip->sin6_addr; 2366 int i; 2367 int found = 0; 2368 2369 /* 2370 * It's local. Don't look for a host label. 2371 */ 2372 if (smk_ipv6_localhost(sip)) 2373 return NULL; 2374 2375 list_for_each_entry_rcu(snp, &smk_net6addr_list, list) { 2376 /* 2377 * If the label is NULL the entry has 2378 * been renounced. Ignore it. 2379 */ 2380 if (snp->smk_label == NULL) 2381 continue; 2382 /* 2383 * we break after finding the first match because 2384 * the list is sorted from longest to shortest mask 2385 * so we have found the most specific match 2386 */ 2387 for (found = 1, i = 0; i < 8; i++) { 2388 if ((sap->s6_addr16[i] & snp->smk_mask.s6_addr16[i]) != 2389 snp->smk_host.s6_addr16[i]) { 2390 found = 0; 2391 break; 2392 } 2393 } 2394 if (found) 2395 return snp->smk_label; 2396 } 2397 2398 return NULL; 2399 } 2400 #endif /* CONFIG_IPV6 */ 2401 2402 /** 2403 * smack_netlabel - Set the secattr on a socket 2404 * @sk: the socket 2405 * @labeled: socket label scheme 2406 * 2407 * Convert the outbound smack value (smk_out) to a 2408 * secattr and attach it to the socket. 2409 * 2410 * Returns 0 on success or an error code 2411 */ 2412 static int smack_netlabel(struct sock *sk, int labeled) 2413 { 2414 struct smack_known *skp; 2415 struct socket_smack *ssp = sk->sk_security; 2416 int rc = 0; 2417 2418 /* 2419 * Usually the netlabel code will handle changing the 2420 * packet labeling based on the label. 2421 * The case of a single label host is different, because 2422 * a single label host should never get a labeled packet 2423 * even though the label is usually associated with a packet 2424 * label. 2425 */ 2426 local_bh_disable(); 2427 bh_lock_sock_nested(sk); 2428 2429 if (ssp->smk_out == smack_net_ambient || 2430 labeled == SMACK_UNLABELED_SOCKET) 2431 netlbl_sock_delattr(sk); 2432 else { 2433 skp = ssp->smk_out; 2434 rc = netlbl_sock_setattr(sk, sk->sk_family, &skp->smk_netlabel); 2435 } 2436 2437 bh_unlock_sock(sk); 2438 local_bh_enable(); 2439 2440 return rc; 2441 } 2442 2443 /** 2444 * smack_netlbel_send - Set the secattr on a socket and perform access checks 2445 * @sk: the socket 2446 * @sap: the destination address 2447 * 2448 * Set the correct secattr for the given socket based on the destination 2449 * address and perform any outbound access checks needed. 2450 * 2451 * Returns 0 on success or an error code. 2452 * 2453 */ 2454 static int smack_netlabel_send(struct sock *sk, struct sockaddr_in *sap) 2455 { 2456 struct smack_known *skp; 2457 int rc; 2458 int sk_lbl; 2459 struct smack_known *hkp; 2460 struct socket_smack *ssp = sk->sk_security; 2461 struct smk_audit_info ad; 2462 2463 rcu_read_lock(); 2464 hkp = smack_ipv4host_label(sap); 2465 if (hkp != NULL) { 2466 #ifdef CONFIG_AUDIT 2467 struct lsm_network_audit net; 2468 2469 smk_ad_init_net(&ad, __func__, LSM_AUDIT_DATA_NET, &net); 2470 ad.a.u.net->family = sap->sin_family; 2471 ad.a.u.net->dport = sap->sin_port; 2472 ad.a.u.net->v4info.daddr = sap->sin_addr.s_addr; 2473 #endif 2474 sk_lbl = SMACK_UNLABELED_SOCKET; 2475 skp = ssp->smk_out; 2476 rc = smk_access(skp, hkp, MAY_WRITE, &ad); 2477 rc = smk_bu_note("IPv4 host check", skp, hkp, MAY_WRITE, rc); 2478 } else { 2479 sk_lbl = SMACK_CIPSO_SOCKET; 2480 rc = 0; 2481 } 2482 rcu_read_unlock(); 2483 if (rc != 0) 2484 return rc; 2485 2486 return smack_netlabel(sk, sk_lbl); 2487 } 2488 2489 #if IS_ENABLED(CONFIG_IPV6) 2490 /** 2491 * smk_ipv6_check - check Smack access 2492 * @subject: subject Smack label 2493 * @object: object Smack label 2494 * @address: address 2495 * @act: the action being taken 2496 * 2497 * Check an IPv6 access 2498 */ 2499 static int smk_ipv6_check(struct smack_known *subject, 2500 struct smack_known *object, 2501 struct sockaddr_in6 *address, int act) 2502 { 2503 #ifdef CONFIG_AUDIT 2504 struct lsm_network_audit net; 2505 #endif 2506 struct smk_audit_info ad; 2507 int rc; 2508 2509 #ifdef CONFIG_AUDIT 2510 smk_ad_init_net(&ad, __func__, LSM_AUDIT_DATA_NET, &net); 2511 ad.a.u.net->family = PF_INET6; 2512 ad.a.u.net->dport = ntohs(address->sin6_port); 2513 if (act == SMK_RECEIVING) 2514 ad.a.u.net->v6info.saddr = address->sin6_addr; 2515 else 2516 ad.a.u.net->v6info.daddr = address->sin6_addr; 2517 #endif 2518 rc = smk_access(subject, object, MAY_WRITE, &ad); 2519 rc = smk_bu_note("IPv6 check", subject, object, MAY_WRITE, rc); 2520 return rc; 2521 } 2522 #endif /* CONFIG_IPV6 */ 2523 2524 #ifdef SMACK_IPV6_PORT_LABELING 2525 /** 2526 * smk_ipv6_port_label - Smack port access table management 2527 * @sock: socket 2528 * @address: address 2529 * 2530 * Create or update the port list entry 2531 */ 2532 static void smk_ipv6_port_label(struct socket *sock, struct sockaddr *address) 2533 { 2534 struct sock *sk = sock->sk; 2535 struct sockaddr_in6 *addr6; 2536 struct socket_smack *ssp = sock->sk->sk_security; 2537 struct smk_port_label *spp; 2538 unsigned short port = 0; 2539 2540 if (address == NULL) { 2541 /* 2542 * This operation is changing the Smack information 2543 * on the bound socket. Take the changes to the port 2544 * as well. 2545 */ 2546 rcu_read_lock(); 2547 list_for_each_entry_rcu(spp, &smk_ipv6_port_list, list) { 2548 if (sk != spp->smk_sock) 2549 continue; 2550 spp->smk_in = ssp->smk_in; 2551 spp->smk_out = ssp->smk_out; 2552 rcu_read_unlock(); 2553 return; 2554 } 2555 /* 2556 * A NULL address is only used for updating existing 2557 * bound entries. If there isn't one, it's OK. 2558 */ 2559 rcu_read_unlock(); 2560 return; 2561 } 2562 2563 addr6 = (struct sockaddr_in6 *)address; 2564 port = ntohs(addr6->sin6_port); 2565 /* 2566 * This is a special case that is safely ignored. 2567 */ 2568 if (port == 0) 2569 return; 2570 2571 /* 2572 * Look for an existing port list entry. 2573 * This is an indication that a port is getting reused. 2574 */ 2575 rcu_read_lock(); 2576 list_for_each_entry_rcu(spp, &smk_ipv6_port_list, list) { 2577 if (spp->smk_port != port || spp->smk_sock_type != sock->type) 2578 continue; 2579 if (spp->smk_can_reuse != 1) { 2580 rcu_read_unlock(); 2581 return; 2582 } 2583 spp->smk_port = port; 2584 spp->smk_sock = sk; 2585 spp->smk_in = ssp->smk_in; 2586 spp->smk_out = ssp->smk_out; 2587 spp->smk_can_reuse = 0; 2588 rcu_read_unlock(); 2589 return; 2590 } 2591 rcu_read_unlock(); 2592 /* 2593 * A new port entry is required. 2594 */ 2595 spp = kzalloc(sizeof(*spp), GFP_KERNEL); 2596 if (spp == NULL) 2597 return; 2598 2599 spp->smk_port = port; 2600 spp->smk_sock = sk; 2601 spp->smk_in = ssp->smk_in; 2602 spp->smk_out = ssp->smk_out; 2603 spp->smk_sock_type = sock->type; 2604 spp->smk_can_reuse = 0; 2605 2606 mutex_lock(&smack_ipv6_lock); 2607 list_add_rcu(&spp->list, &smk_ipv6_port_list); 2608 mutex_unlock(&smack_ipv6_lock); 2609 return; 2610 } 2611 2612 /** 2613 * smk_ipv6_port_check - check Smack port access 2614 * @sock: socket 2615 * @address: address 2616 * 2617 * Create or update the port list entry 2618 */ 2619 static int smk_ipv6_port_check(struct sock *sk, struct sockaddr_in6 *address, 2620 int act) 2621 { 2622 struct smk_port_label *spp; 2623 struct socket_smack *ssp = sk->sk_security; 2624 struct smack_known *skp = NULL; 2625 unsigned short port; 2626 struct smack_known *object; 2627 2628 if (act == SMK_RECEIVING) { 2629 skp = smack_ipv6host_label(address); 2630 object = ssp->smk_in; 2631 } else { 2632 skp = ssp->smk_out; 2633 object = smack_ipv6host_label(address); 2634 } 2635 2636 /* 2637 * The other end is a single label host. 2638 */ 2639 if (skp != NULL && object != NULL) 2640 return smk_ipv6_check(skp, object, address, act); 2641 if (skp == NULL) 2642 skp = smack_net_ambient; 2643 if (object == NULL) 2644 object = smack_net_ambient; 2645 2646 /* 2647 * It's remote, so port lookup does no good. 2648 */ 2649 if (!smk_ipv6_localhost(address)) 2650 return smk_ipv6_check(skp, object, address, act); 2651 2652 /* 2653 * It's local so the send check has to have passed. 2654 */ 2655 if (act == SMK_RECEIVING) 2656 return 0; 2657 2658 port = ntohs(address->sin6_port); 2659 rcu_read_lock(); 2660 list_for_each_entry_rcu(spp, &smk_ipv6_port_list, list) { 2661 if (spp->smk_port != port || spp->smk_sock_type != sk->sk_type) 2662 continue; 2663 object = spp->smk_in; 2664 if (act == SMK_CONNECTING) 2665 ssp->smk_packet = spp->smk_out; 2666 break; 2667 } 2668 rcu_read_unlock(); 2669 2670 return smk_ipv6_check(skp, object, address, act); 2671 } 2672 #endif /* SMACK_IPV6_PORT_LABELING */ 2673 2674 /** 2675 * smack_inode_setsecurity - set smack xattrs 2676 * @inode: the object 2677 * @name: attribute name 2678 * @value: attribute value 2679 * @size: size of the attribute 2680 * @flags: unused 2681 * 2682 * Sets the named attribute in the appropriate blob 2683 * 2684 * Returns 0 on success, or an error code 2685 */ 2686 static int smack_inode_setsecurity(struct inode *inode, const char *name, 2687 const void *value, size_t size, int flags) 2688 { 2689 struct smack_known *skp; 2690 struct inode_smack *nsp = smack_inode(inode); 2691 struct socket_smack *ssp; 2692 struct socket *sock; 2693 int rc = 0; 2694 2695 if (value == NULL || size > SMK_LONGLABEL || size == 0) 2696 return -EINVAL; 2697 2698 skp = smk_import_entry(value, size); 2699 if (IS_ERR(skp)) 2700 return PTR_ERR(skp); 2701 2702 if (strcmp(name, XATTR_SMACK_SUFFIX) == 0) { 2703 nsp->smk_inode = skp; 2704 nsp->smk_flags |= SMK_INODE_INSTANT; 2705 return 0; 2706 } 2707 /* 2708 * The rest of the Smack xattrs are only on sockets. 2709 */ 2710 if (inode->i_sb->s_magic != SOCKFS_MAGIC) 2711 return -EOPNOTSUPP; 2712 2713 sock = SOCKET_I(inode); 2714 if (sock == NULL || sock->sk == NULL) 2715 return -EOPNOTSUPP; 2716 2717 ssp = sock->sk->sk_security; 2718 2719 if (strcmp(name, XATTR_SMACK_IPIN) == 0) 2720 ssp->smk_in = skp; 2721 else if (strcmp(name, XATTR_SMACK_IPOUT) == 0) { 2722 ssp->smk_out = skp; 2723 if (sock->sk->sk_family == PF_INET) { 2724 rc = smack_netlabel(sock->sk, SMACK_CIPSO_SOCKET); 2725 if (rc != 0) 2726 printk(KERN_WARNING 2727 "Smack: \"%s\" netlbl error %d.\n", 2728 __func__, -rc); 2729 } 2730 } else 2731 return -EOPNOTSUPP; 2732 2733 #ifdef SMACK_IPV6_PORT_LABELING 2734 if (sock->sk->sk_family == PF_INET6) 2735 smk_ipv6_port_label(sock, NULL); 2736 #endif 2737 2738 return 0; 2739 } 2740 2741 /** 2742 * smack_socket_post_create - finish socket setup 2743 * @sock: the socket 2744 * @family: protocol family 2745 * @type: unused 2746 * @protocol: unused 2747 * @kern: unused 2748 * 2749 * Sets the netlabel information on the socket 2750 * 2751 * Returns 0 on success, and error code otherwise 2752 */ 2753 static int smack_socket_post_create(struct socket *sock, int family, 2754 int type, int protocol, int kern) 2755 { 2756 struct socket_smack *ssp; 2757 2758 if (sock->sk == NULL) 2759 return 0; 2760 2761 /* 2762 * Sockets created by kernel threads receive web label. 2763 */ 2764 if (unlikely(current->flags & PF_KTHREAD)) { 2765 ssp = sock->sk->sk_security; 2766 ssp->smk_in = &smack_known_web; 2767 ssp->smk_out = &smack_known_web; 2768 } 2769 2770 if (family != PF_INET) 2771 return 0; 2772 /* 2773 * Set the outbound netlbl. 2774 */ 2775 return smack_netlabel(sock->sk, SMACK_CIPSO_SOCKET); 2776 } 2777 2778 /** 2779 * smack_socket_socketpair - create socket pair 2780 * @socka: one socket 2781 * @sockb: another socket 2782 * 2783 * Cross reference the peer labels for SO_PEERSEC 2784 * 2785 * Returns 0 on success, and error code otherwise 2786 */ 2787 static int smack_socket_socketpair(struct socket *socka, 2788 struct socket *sockb) 2789 { 2790 struct socket_smack *asp = socka->sk->sk_security; 2791 struct socket_smack *bsp = sockb->sk->sk_security; 2792 2793 asp->smk_packet = bsp->smk_out; 2794 bsp->smk_packet = asp->smk_out; 2795 2796 return 0; 2797 } 2798 2799 #ifdef SMACK_IPV6_PORT_LABELING 2800 /** 2801 * smack_socket_bind - record port binding information. 2802 * @sock: the socket 2803 * @address: the port address 2804 * @addrlen: size of the address 2805 * 2806 * Records the label bound to a port. 2807 * 2808 * Returns 0 2809 */ 2810 static int smack_socket_bind(struct socket *sock, struct sockaddr *address, 2811 int addrlen) 2812 { 2813 if (sock->sk != NULL && sock->sk->sk_family == PF_INET6) 2814 smk_ipv6_port_label(sock, address); 2815 return 0; 2816 } 2817 #endif /* SMACK_IPV6_PORT_LABELING */ 2818 2819 /** 2820 * smack_socket_connect - connect access check 2821 * @sock: the socket 2822 * @sap: the other end 2823 * @addrlen: size of sap 2824 * 2825 * Verifies that a connection may be possible 2826 * 2827 * Returns 0 on success, and error code otherwise 2828 */ 2829 static int smack_socket_connect(struct socket *sock, struct sockaddr *sap, 2830 int addrlen) 2831 { 2832 int rc = 0; 2833 #if IS_ENABLED(CONFIG_IPV6) 2834 struct sockaddr_in6 *sip = (struct sockaddr_in6 *)sap; 2835 #endif 2836 #ifdef SMACK_IPV6_SECMARK_LABELING 2837 struct smack_known *rsp; 2838 struct socket_smack *ssp; 2839 #endif 2840 2841 if (sock->sk == NULL) 2842 return 0; 2843 2844 #ifdef SMACK_IPV6_SECMARK_LABELING 2845 ssp = sock->sk->sk_security; 2846 #endif 2847 2848 switch (sock->sk->sk_family) { 2849 case PF_INET: 2850 if (addrlen < sizeof(struct sockaddr_in)) 2851 return -EINVAL; 2852 rc = smack_netlabel_send(sock->sk, (struct sockaddr_in *)sap); 2853 break; 2854 case PF_INET6: 2855 if (addrlen < sizeof(struct sockaddr_in6)) 2856 return -EINVAL; 2857 #ifdef SMACK_IPV6_SECMARK_LABELING 2858 rsp = smack_ipv6host_label(sip); 2859 if (rsp != NULL) 2860 rc = smk_ipv6_check(ssp->smk_out, rsp, sip, 2861 SMK_CONNECTING); 2862 #endif 2863 #ifdef SMACK_IPV6_PORT_LABELING 2864 rc = smk_ipv6_port_check(sock->sk, sip, SMK_CONNECTING); 2865 #endif 2866 break; 2867 } 2868 return rc; 2869 } 2870 2871 /** 2872 * smack_flags_to_may - convert S_ to MAY_ values 2873 * @flags: the S_ value 2874 * 2875 * Returns the equivalent MAY_ value 2876 */ 2877 static int smack_flags_to_may(int flags) 2878 { 2879 int may = 0; 2880 2881 if (flags & S_IRUGO) 2882 may |= MAY_READ; 2883 if (flags & S_IWUGO) 2884 may |= MAY_WRITE; 2885 if (flags & S_IXUGO) 2886 may |= MAY_EXEC; 2887 2888 return may; 2889 } 2890 2891 /** 2892 * smack_msg_msg_alloc_security - Set the security blob for msg_msg 2893 * @msg: the object 2894 * 2895 * Returns 0 2896 */ 2897 static int smack_msg_msg_alloc_security(struct msg_msg *msg) 2898 { 2899 struct smack_known **blob = smack_msg_msg(msg); 2900 2901 *blob = smk_of_current(); 2902 return 0; 2903 } 2904 2905 /** 2906 * smack_of_ipc - the smack pointer for the ipc 2907 * @isp: the object 2908 * 2909 * Returns a pointer to the smack value 2910 */ 2911 static struct smack_known *smack_of_ipc(struct kern_ipc_perm *isp) 2912 { 2913 struct smack_known **blob = smack_ipc(isp); 2914 2915 return *blob; 2916 } 2917 2918 /** 2919 * smack_ipc_alloc_security - Set the security blob for ipc 2920 * @isp: the object 2921 * 2922 * Returns 0 2923 */ 2924 static int smack_ipc_alloc_security(struct kern_ipc_perm *isp) 2925 { 2926 struct smack_known **blob = smack_ipc(isp); 2927 2928 *blob = smk_of_current(); 2929 return 0; 2930 } 2931 2932 /** 2933 * smk_curacc_shm : check if current has access on shm 2934 * @isp : the object 2935 * @access : access requested 2936 * 2937 * Returns 0 if current has the requested access, error code otherwise 2938 */ 2939 static int smk_curacc_shm(struct kern_ipc_perm *isp, int access) 2940 { 2941 struct smack_known *ssp = smack_of_ipc(isp); 2942 struct smk_audit_info ad; 2943 int rc; 2944 2945 #ifdef CONFIG_AUDIT 2946 smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_IPC); 2947 ad.a.u.ipc_id = isp->id; 2948 #endif 2949 rc = smk_curacc(ssp, access, &ad); 2950 rc = smk_bu_current("shm", ssp, access, rc); 2951 return rc; 2952 } 2953 2954 /** 2955 * smack_shm_associate - Smack access check for shm 2956 * @isp: the object 2957 * @shmflg: access requested 2958 * 2959 * Returns 0 if current has the requested access, error code otherwise 2960 */ 2961 static int smack_shm_associate(struct kern_ipc_perm *isp, int shmflg) 2962 { 2963 int may; 2964 2965 may = smack_flags_to_may(shmflg); 2966 return smk_curacc_shm(isp, may); 2967 } 2968 2969 /** 2970 * smack_shm_shmctl - Smack access check for shm 2971 * @isp: the object 2972 * @cmd: what it wants to do 2973 * 2974 * Returns 0 if current has the requested access, error code otherwise 2975 */ 2976 static int smack_shm_shmctl(struct kern_ipc_perm *isp, int cmd) 2977 { 2978 int may; 2979 2980 switch (cmd) { 2981 case IPC_STAT: 2982 case SHM_STAT: 2983 case SHM_STAT_ANY: 2984 may = MAY_READ; 2985 break; 2986 case IPC_SET: 2987 case SHM_LOCK: 2988 case SHM_UNLOCK: 2989 case IPC_RMID: 2990 may = MAY_READWRITE; 2991 break; 2992 case IPC_INFO: 2993 case SHM_INFO: 2994 /* 2995 * System level information. 2996 */ 2997 return 0; 2998 default: 2999 return -EINVAL; 3000 } 3001 return smk_curacc_shm(isp, may); 3002 } 3003 3004 /** 3005 * smack_shm_shmat - Smack access for shmat 3006 * @isp: the object 3007 * @shmaddr: unused 3008 * @shmflg: access requested 3009 * 3010 * Returns 0 if current has the requested access, error code otherwise 3011 */ 3012 static int smack_shm_shmat(struct kern_ipc_perm *ipc, char __user *shmaddr, 3013 int shmflg) 3014 { 3015 int may; 3016 3017 may = smack_flags_to_may(shmflg); 3018 return smk_curacc_shm(ipc, may); 3019 } 3020 3021 /** 3022 * smk_curacc_sem : check if current has access on sem 3023 * @isp : the object 3024 * @access : access requested 3025 * 3026 * Returns 0 if current has the requested access, error code otherwise 3027 */ 3028 static int smk_curacc_sem(struct kern_ipc_perm *isp, int access) 3029 { 3030 struct smack_known *ssp = smack_of_ipc(isp); 3031 struct smk_audit_info ad; 3032 int rc; 3033 3034 #ifdef CONFIG_AUDIT 3035 smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_IPC); 3036 ad.a.u.ipc_id = isp->id; 3037 #endif 3038 rc = smk_curacc(ssp, access, &ad); 3039 rc = smk_bu_current("sem", ssp, access, rc); 3040 return rc; 3041 } 3042 3043 /** 3044 * smack_sem_associate - Smack access check for sem 3045 * @isp: the object 3046 * @semflg: access requested 3047 * 3048 * Returns 0 if current has the requested access, error code otherwise 3049 */ 3050 static int smack_sem_associate(struct kern_ipc_perm *isp, int semflg) 3051 { 3052 int may; 3053 3054 may = smack_flags_to_may(semflg); 3055 return smk_curacc_sem(isp, may); 3056 } 3057 3058 /** 3059 * smack_sem_shmctl - Smack access check for sem 3060 * @isp: the object 3061 * @cmd: what it wants to do 3062 * 3063 * Returns 0 if current has the requested access, error code otherwise 3064 */ 3065 static int smack_sem_semctl(struct kern_ipc_perm *isp, int cmd) 3066 { 3067 int may; 3068 3069 switch (cmd) { 3070 case GETPID: 3071 case GETNCNT: 3072 case GETZCNT: 3073 case GETVAL: 3074 case GETALL: 3075 case IPC_STAT: 3076 case SEM_STAT: 3077 case SEM_STAT_ANY: 3078 may = MAY_READ; 3079 break; 3080 case SETVAL: 3081 case SETALL: 3082 case IPC_RMID: 3083 case IPC_SET: 3084 may = MAY_READWRITE; 3085 break; 3086 case IPC_INFO: 3087 case SEM_INFO: 3088 /* 3089 * System level information 3090 */ 3091 return 0; 3092 default: 3093 return -EINVAL; 3094 } 3095 3096 return smk_curacc_sem(isp, may); 3097 } 3098 3099 /** 3100 * smack_sem_semop - Smack checks of semaphore operations 3101 * @isp: the object 3102 * @sops: unused 3103 * @nsops: unused 3104 * @alter: unused 3105 * 3106 * Treated as read and write in all cases. 3107 * 3108 * Returns 0 if access is allowed, error code otherwise 3109 */ 3110 static int smack_sem_semop(struct kern_ipc_perm *isp, struct sembuf *sops, 3111 unsigned nsops, int alter) 3112 { 3113 return smk_curacc_sem(isp, MAY_READWRITE); 3114 } 3115 3116 /** 3117 * smk_curacc_msq : helper to check if current has access on msq 3118 * @isp : the msq 3119 * @access : access requested 3120 * 3121 * return 0 if current has access, error otherwise 3122 */ 3123 static int smk_curacc_msq(struct kern_ipc_perm *isp, int access) 3124 { 3125 struct smack_known *msp = smack_of_ipc(isp); 3126 struct smk_audit_info ad; 3127 int rc; 3128 3129 #ifdef CONFIG_AUDIT 3130 smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_IPC); 3131 ad.a.u.ipc_id = isp->id; 3132 #endif 3133 rc = smk_curacc(msp, access, &ad); 3134 rc = smk_bu_current("msq", msp, access, rc); 3135 return rc; 3136 } 3137 3138 /** 3139 * smack_msg_queue_associate - Smack access check for msg_queue 3140 * @isp: the object 3141 * @msqflg: access requested 3142 * 3143 * Returns 0 if current has the requested access, error code otherwise 3144 */ 3145 static int smack_msg_queue_associate(struct kern_ipc_perm *isp, int msqflg) 3146 { 3147 int may; 3148 3149 may = smack_flags_to_may(msqflg); 3150 return smk_curacc_msq(isp, may); 3151 } 3152 3153 /** 3154 * smack_msg_queue_msgctl - Smack access check for msg_queue 3155 * @isp: the object 3156 * @cmd: what it wants to do 3157 * 3158 * Returns 0 if current has the requested access, error code otherwise 3159 */ 3160 static int smack_msg_queue_msgctl(struct kern_ipc_perm *isp, int cmd) 3161 { 3162 int may; 3163 3164 switch (cmd) { 3165 case IPC_STAT: 3166 case MSG_STAT: 3167 case MSG_STAT_ANY: 3168 may = MAY_READ; 3169 break; 3170 case IPC_SET: 3171 case IPC_RMID: 3172 may = MAY_READWRITE; 3173 break; 3174 case IPC_INFO: 3175 case MSG_INFO: 3176 /* 3177 * System level information 3178 */ 3179 return 0; 3180 default: 3181 return -EINVAL; 3182 } 3183 3184 return smk_curacc_msq(isp, may); 3185 } 3186 3187 /** 3188 * smack_msg_queue_msgsnd - Smack access check for msg_queue 3189 * @isp: the object 3190 * @msg: unused 3191 * @msqflg: access requested 3192 * 3193 * Returns 0 if current has the requested access, error code otherwise 3194 */ 3195 static int smack_msg_queue_msgsnd(struct kern_ipc_perm *isp, struct msg_msg *msg, 3196 int msqflg) 3197 { 3198 int may; 3199 3200 may = smack_flags_to_may(msqflg); 3201 return smk_curacc_msq(isp, may); 3202 } 3203 3204 /** 3205 * smack_msg_queue_msgsnd - Smack access check for msg_queue 3206 * @isp: the object 3207 * @msg: unused 3208 * @target: unused 3209 * @type: unused 3210 * @mode: unused 3211 * 3212 * Returns 0 if current has read and write access, error code otherwise 3213 */ 3214 static int smack_msg_queue_msgrcv(struct kern_ipc_perm *isp, struct msg_msg *msg, 3215 struct task_struct *target, long type, int mode) 3216 { 3217 return smk_curacc_msq(isp, MAY_READWRITE); 3218 } 3219 3220 /** 3221 * smack_ipc_permission - Smack access for ipc_permission() 3222 * @ipp: the object permissions 3223 * @flag: access requested 3224 * 3225 * Returns 0 if current has read and write access, error code otherwise 3226 */ 3227 static int smack_ipc_permission(struct kern_ipc_perm *ipp, short flag) 3228 { 3229 struct smack_known **blob = smack_ipc(ipp); 3230 struct smack_known *iskp = *blob; 3231 int may = smack_flags_to_may(flag); 3232 struct smk_audit_info ad; 3233 int rc; 3234 3235 #ifdef CONFIG_AUDIT 3236 smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_IPC); 3237 ad.a.u.ipc_id = ipp->id; 3238 #endif 3239 rc = smk_curacc(iskp, may, &ad); 3240 rc = smk_bu_current("svipc", iskp, may, rc); 3241 return rc; 3242 } 3243 3244 /** 3245 * smack_ipc_getsecid - Extract smack security id 3246 * @ipp: the object permissions 3247 * @secid: where result will be saved 3248 */ 3249 static void smack_ipc_getsecid(struct kern_ipc_perm *ipp, u32 *secid) 3250 { 3251 struct smack_known **blob = smack_ipc(ipp); 3252 struct smack_known *iskp = *blob; 3253 3254 *secid = iskp->smk_secid; 3255 } 3256 3257 /** 3258 * smack_d_instantiate - Make sure the blob is correct on an inode 3259 * @opt_dentry: dentry where inode will be attached 3260 * @inode: the object 3261 * 3262 * Set the inode's security blob if it hasn't been done already. 3263 */ 3264 static void smack_d_instantiate(struct dentry *opt_dentry, struct inode *inode) 3265 { 3266 struct super_block *sbp; 3267 struct superblock_smack *sbsp; 3268 struct inode_smack *isp; 3269 struct smack_known *skp; 3270 struct smack_known *ckp = smk_of_current(); 3271 struct smack_known *final; 3272 char trattr[TRANS_TRUE_SIZE]; 3273 int transflag = 0; 3274 int rc; 3275 struct dentry *dp; 3276 3277 if (inode == NULL) 3278 return; 3279 3280 isp = smack_inode(inode); 3281 3282 mutex_lock(&isp->smk_lock); 3283 /* 3284 * If the inode is already instantiated 3285 * take the quick way out 3286 */ 3287 if (isp->smk_flags & SMK_INODE_INSTANT) 3288 goto unlockandout; 3289 3290 sbp = inode->i_sb; 3291 sbsp = sbp->s_security; 3292 /* 3293 * We're going to use the superblock default label 3294 * if there's no label on the file. 3295 */ 3296 final = sbsp->smk_default; 3297 3298 /* 3299 * If this is the root inode the superblock 3300 * may be in the process of initialization. 3301 * If that is the case use the root value out 3302 * of the superblock. 3303 */ 3304 if (opt_dentry->d_parent == opt_dentry) { 3305 switch (sbp->s_magic) { 3306 case CGROUP_SUPER_MAGIC: 3307 case CGROUP2_SUPER_MAGIC: 3308 /* 3309 * The cgroup filesystem is never mounted, 3310 * so there's no opportunity to set the mount 3311 * options. 3312 */ 3313 sbsp->smk_root = &smack_known_star; 3314 sbsp->smk_default = &smack_known_star; 3315 isp->smk_inode = sbsp->smk_root; 3316 break; 3317 case TMPFS_MAGIC: 3318 /* 3319 * What about shmem/tmpfs anonymous files with dentry 3320 * obtained from d_alloc_pseudo()? 3321 */ 3322 isp->smk_inode = smk_of_current(); 3323 break; 3324 case PIPEFS_MAGIC: 3325 isp->smk_inode = smk_of_current(); 3326 break; 3327 case SOCKFS_MAGIC: 3328 /* 3329 * Socket access is controlled by the socket 3330 * structures associated with the task involved. 3331 */ 3332 isp->smk_inode = &smack_known_star; 3333 break; 3334 default: 3335 isp->smk_inode = sbsp->smk_root; 3336 break; 3337 } 3338 isp->smk_flags |= SMK_INODE_INSTANT; 3339 goto unlockandout; 3340 } 3341 3342 /* 3343 * This is pretty hackish. 3344 * Casey says that we shouldn't have to do 3345 * file system specific code, but it does help 3346 * with keeping it simple. 3347 */ 3348 switch (sbp->s_magic) { 3349 case SMACK_MAGIC: 3350 case CGROUP_SUPER_MAGIC: 3351 case CGROUP2_SUPER_MAGIC: 3352 /* 3353 * Casey says that it's a little embarrassing 3354 * that the smack file system doesn't do 3355 * extended attributes. 3356 * 3357 * Cgroupfs is special 3358 */ 3359 final = &smack_known_star; 3360 break; 3361 case DEVPTS_SUPER_MAGIC: 3362 /* 3363 * devpts seems content with the label of the task. 3364 * Programs that change smack have to treat the 3365 * pty with respect. 3366 */ 3367 final = ckp; 3368 break; 3369 case PROC_SUPER_MAGIC: 3370 /* 3371 * Casey says procfs appears not to care. 3372 * The superblock default suffices. 3373 */ 3374 break; 3375 case TMPFS_MAGIC: 3376 /* 3377 * Device labels should come from the filesystem, 3378 * but watch out, because they're volitile, 3379 * getting recreated on every reboot. 3380 */ 3381 final = &smack_known_star; 3382 /* 3383 * If a smack value has been set we want to use it, 3384 * but since tmpfs isn't giving us the opportunity 3385 * to set mount options simulate setting the 3386 * superblock default. 3387 */ 3388 /* Fall through */ 3389 default: 3390 /* 3391 * This isn't an understood special case. 3392 * Get the value from the xattr. 3393 */ 3394 3395 /* 3396 * UNIX domain sockets use lower level socket data. 3397 */ 3398 if (S_ISSOCK(inode->i_mode)) { 3399 final = &smack_known_star; 3400 break; 3401 } 3402 /* 3403 * No xattr support means, alas, no SMACK label. 3404 * Use the aforeapplied default. 3405 * It would be curious if the label of the task 3406 * does not match that assigned. 3407 */ 3408 if (!(inode->i_opflags & IOP_XATTR)) 3409 break; 3410 /* 3411 * Get the dentry for xattr. 3412 */ 3413 dp = dget(opt_dentry); 3414 skp = smk_fetch(XATTR_NAME_SMACK, inode, dp); 3415 if (!IS_ERR_OR_NULL(skp)) 3416 final = skp; 3417 3418 /* 3419 * Transmuting directory 3420 */ 3421 if (S_ISDIR(inode->i_mode)) { 3422 /* 3423 * If this is a new directory and the label was 3424 * transmuted when the inode was initialized 3425 * set the transmute attribute on the directory 3426 * and mark the inode. 3427 * 3428 * If there is a transmute attribute on the 3429 * directory mark the inode. 3430 */ 3431 if (isp->smk_flags & SMK_INODE_CHANGED) { 3432 isp->smk_flags &= ~SMK_INODE_CHANGED; 3433 rc = __vfs_setxattr(dp, inode, 3434 XATTR_NAME_SMACKTRANSMUTE, 3435 TRANS_TRUE, TRANS_TRUE_SIZE, 3436 0); 3437 } else { 3438 rc = __vfs_getxattr(dp, inode, 3439 XATTR_NAME_SMACKTRANSMUTE, trattr, 3440 TRANS_TRUE_SIZE); 3441 if (rc >= 0 && strncmp(trattr, TRANS_TRUE, 3442 TRANS_TRUE_SIZE) != 0) 3443 rc = -EINVAL; 3444 } 3445 if (rc >= 0) 3446 transflag = SMK_INODE_TRANSMUTE; 3447 } 3448 /* 3449 * Don't let the exec or mmap label be "*" or "@". 3450 */ 3451 skp = smk_fetch(XATTR_NAME_SMACKEXEC, inode, dp); 3452 if (IS_ERR(skp) || skp == &smack_known_star || 3453 skp == &smack_known_web) 3454 skp = NULL; 3455 isp->smk_task = skp; 3456 3457 skp = smk_fetch(XATTR_NAME_SMACKMMAP, inode, dp); 3458 if (IS_ERR(skp) || skp == &smack_known_star || 3459 skp == &smack_known_web) 3460 skp = NULL; 3461 isp->smk_mmap = skp; 3462 3463 dput(dp); 3464 break; 3465 } 3466 3467 if (final == NULL) 3468 isp->smk_inode = ckp; 3469 else 3470 isp->smk_inode = final; 3471 3472 isp->smk_flags |= (SMK_INODE_INSTANT | transflag); 3473 3474 unlockandout: 3475 mutex_unlock(&isp->smk_lock); 3476 return; 3477 } 3478 3479 /** 3480 * smack_getprocattr - Smack process attribute access 3481 * @p: the object task 3482 * @name: the name of the attribute in /proc/.../attr 3483 * @value: where to put the result 3484 * 3485 * Places a copy of the task Smack into value 3486 * 3487 * Returns the length of the smack label or an error code 3488 */ 3489 static int smack_getprocattr(struct task_struct *p, char *name, char **value) 3490 { 3491 struct smack_known *skp = smk_of_task_struct(p); 3492 char *cp; 3493 int slen; 3494 3495 if (strcmp(name, "current") != 0) 3496 return -EINVAL; 3497 3498 cp = kstrdup(skp->smk_known, GFP_KERNEL); 3499 if (cp == NULL) 3500 return -ENOMEM; 3501 3502 slen = strlen(cp); 3503 *value = cp; 3504 return slen; 3505 } 3506 3507 /** 3508 * smack_setprocattr - Smack process attribute setting 3509 * @name: the name of the attribute in /proc/.../attr 3510 * @value: the value to set 3511 * @size: the size of the value 3512 * 3513 * Sets the Smack value of the task. Only setting self 3514 * is permitted and only with privilege 3515 * 3516 * Returns the length of the smack label or an error code 3517 */ 3518 static int smack_setprocattr(const char *name, void *value, size_t size) 3519 { 3520 struct task_smack *tsp = smack_cred(current_cred()); 3521 struct cred *new; 3522 struct smack_known *skp; 3523 struct smack_known_list_elem *sklep; 3524 int rc; 3525 3526 if (!smack_privileged(CAP_MAC_ADMIN) && list_empty(&tsp->smk_relabel)) 3527 return -EPERM; 3528 3529 if (value == NULL || size == 0 || size >= SMK_LONGLABEL) 3530 return -EINVAL; 3531 3532 if (strcmp(name, "current") != 0) 3533 return -EINVAL; 3534 3535 skp = smk_import_entry(value, size); 3536 if (IS_ERR(skp)) 3537 return PTR_ERR(skp); 3538 3539 /* 3540 * No process is ever allowed the web ("@") label 3541 * and the star ("*") label. 3542 */ 3543 if (skp == &smack_known_web || skp == &smack_known_star) 3544 return -EINVAL; 3545 3546 if (!smack_privileged(CAP_MAC_ADMIN)) { 3547 rc = -EPERM; 3548 list_for_each_entry(sklep, &tsp->smk_relabel, list) 3549 if (sklep->smk_label == skp) { 3550 rc = 0; 3551 break; 3552 } 3553 if (rc) 3554 return rc; 3555 } 3556 3557 new = prepare_creds(); 3558 if (new == NULL) 3559 return -ENOMEM; 3560 3561 tsp = smack_cred(new); 3562 tsp->smk_task = skp; 3563 /* 3564 * process can change its label only once 3565 */ 3566 smk_destroy_label_list(&tsp->smk_relabel); 3567 3568 commit_creds(new); 3569 return size; 3570 } 3571 3572 /** 3573 * smack_unix_stream_connect - Smack access on UDS 3574 * @sock: one sock 3575 * @other: the other sock 3576 * @newsk: unused 3577 * 3578 * Return 0 if a subject with the smack of sock could access 3579 * an object with the smack of other, otherwise an error code 3580 */ 3581 static int smack_unix_stream_connect(struct sock *sock, 3582 struct sock *other, struct sock *newsk) 3583 { 3584 struct smack_known *skp; 3585 struct smack_known *okp; 3586 struct socket_smack *ssp = sock->sk_security; 3587 struct socket_smack *osp = other->sk_security; 3588 struct socket_smack *nsp = newsk->sk_security; 3589 struct smk_audit_info ad; 3590 int rc = 0; 3591 #ifdef CONFIG_AUDIT 3592 struct lsm_network_audit net; 3593 #endif 3594 3595 if (!smack_privileged(CAP_MAC_OVERRIDE)) { 3596 skp = ssp->smk_out; 3597 okp = osp->smk_in; 3598 #ifdef CONFIG_AUDIT 3599 smk_ad_init_net(&ad, __func__, LSM_AUDIT_DATA_NET, &net); 3600 smk_ad_setfield_u_net_sk(&ad, other); 3601 #endif 3602 rc = smk_access(skp, okp, MAY_WRITE, &ad); 3603 rc = smk_bu_note("UDS connect", skp, okp, MAY_WRITE, rc); 3604 if (rc == 0) { 3605 okp = osp->smk_out; 3606 skp = ssp->smk_in; 3607 rc = smk_access(okp, skp, MAY_WRITE, &ad); 3608 rc = smk_bu_note("UDS connect", okp, skp, 3609 MAY_WRITE, rc); 3610 } 3611 } 3612 3613 /* 3614 * Cross reference the peer labels for SO_PEERSEC. 3615 */ 3616 if (rc == 0) { 3617 nsp->smk_packet = ssp->smk_out; 3618 ssp->smk_packet = osp->smk_out; 3619 } 3620 3621 return rc; 3622 } 3623 3624 /** 3625 * smack_unix_may_send - Smack access on UDS 3626 * @sock: one socket 3627 * @other: the other socket 3628 * 3629 * Return 0 if a subject with the smack of sock could access 3630 * an object with the smack of other, otherwise an error code 3631 */ 3632 static int smack_unix_may_send(struct socket *sock, struct socket *other) 3633 { 3634 struct socket_smack *ssp = sock->sk->sk_security; 3635 struct socket_smack *osp = other->sk->sk_security; 3636 struct smk_audit_info ad; 3637 int rc; 3638 3639 #ifdef CONFIG_AUDIT 3640 struct lsm_network_audit net; 3641 3642 smk_ad_init_net(&ad, __func__, LSM_AUDIT_DATA_NET, &net); 3643 smk_ad_setfield_u_net_sk(&ad, other->sk); 3644 #endif 3645 3646 if (smack_privileged(CAP_MAC_OVERRIDE)) 3647 return 0; 3648 3649 rc = smk_access(ssp->smk_out, osp->smk_in, MAY_WRITE, &ad); 3650 rc = smk_bu_note("UDS send", ssp->smk_out, osp->smk_in, MAY_WRITE, rc); 3651 return rc; 3652 } 3653 3654 /** 3655 * smack_socket_sendmsg - Smack check based on destination host 3656 * @sock: the socket 3657 * @msg: the message 3658 * @size: the size of the message 3659 * 3660 * Return 0 if the current subject can write to the destination host. 3661 * For IPv4 this is only a question if the destination is a single label host. 3662 * For IPv6 this is a check against the label of the port. 3663 */ 3664 static int smack_socket_sendmsg(struct socket *sock, struct msghdr *msg, 3665 int size) 3666 { 3667 struct sockaddr_in *sip = (struct sockaddr_in *) msg->msg_name; 3668 #if IS_ENABLED(CONFIG_IPV6) 3669 struct sockaddr_in6 *sap = (struct sockaddr_in6 *) msg->msg_name; 3670 #endif 3671 #ifdef SMACK_IPV6_SECMARK_LABELING 3672 struct socket_smack *ssp = sock->sk->sk_security; 3673 struct smack_known *rsp; 3674 #endif 3675 int rc = 0; 3676 3677 /* 3678 * Perfectly reasonable for this to be NULL 3679 */ 3680 if (sip == NULL) 3681 return 0; 3682 3683 switch (sock->sk->sk_family) { 3684 case AF_INET: 3685 rc = smack_netlabel_send(sock->sk, sip); 3686 break; 3687 case AF_INET6: 3688 #ifdef SMACK_IPV6_SECMARK_LABELING 3689 rsp = smack_ipv6host_label(sap); 3690 if (rsp != NULL) 3691 rc = smk_ipv6_check(ssp->smk_out, rsp, sap, 3692 SMK_CONNECTING); 3693 #endif 3694 #ifdef SMACK_IPV6_PORT_LABELING 3695 rc = smk_ipv6_port_check(sock->sk, sap, SMK_SENDING); 3696 #endif 3697 break; 3698 } 3699 return rc; 3700 } 3701 3702 /** 3703 * smack_from_secattr - Convert a netlabel attr.mls.lvl/attr.mls.cat pair to smack 3704 * @sap: netlabel secattr 3705 * @ssp: socket security information 3706 * 3707 * Returns a pointer to a Smack label entry found on the label list. 3708 */ 3709 static struct smack_known *smack_from_secattr(struct netlbl_lsm_secattr *sap, 3710 struct socket_smack *ssp) 3711 { 3712 struct smack_known *skp; 3713 int found = 0; 3714 int acat; 3715 int kcat; 3716 3717 if ((sap->flags & NETLBL_SECATTR_MLS_LVL) != 0) { 3718 /* 3719 * Looks like a CIPSO packet. 3720 * If there are flags but no level netlabel isn't 3721 * behaving the way we expect it to. 3722 * 3723 * Look it up in the label table 3724 * Without guidance regarding the smack value 3725 * for the packet fall back on the network 3726 * ambient value. 3727 */ 3728 rcu_read_lock(); 3729 list_for_each_entry_rcu(skp, &smack_known_list, list) { 3730 if (sap->attr.mls.lvl != skp->smk_netlabel.attr.mls.lvl) 3731 continue; 3732 /* 3733 * Compare the catsets. Use the netlbl APIs. 3734 */ 3735 if ((sap->flags & NETLBL_SECATTR_MLS_CAT) == 0) { 3736 if ((skp->smk_netlabel.flags & 3737 NETLBL_SECATTR_MLS_CAT) == 0) 3738 found = 1; 3739 break; 3740 } 3741 for (acat = -1, kcat = -1; acat == kcat; ) { 3742 acat = netlbl_catmap_walk(sap->attr.mls.cat, 3743 acat + 1); 3744 kcat = netlbl_catmap_walk( 3745 skp->smk_netlabel.attr.mls.cat, 3746 kcat + 1); 3747 if (acat < 0 || kcat < 0) 3748 break; 3749 } 3750 if (acat == kcat) { 3751 found = 1; 3752 break; 3753 } 3754 } 3755 rcu_read_unlock(); 3756 3757 if (found) 3758 return skp; 3759 3760 if (ssp != NULL && ssp->smk_in == &smack_known_star) 3761 return &smack_known_web; 3762 return &smack_known_star; 3763 } 3764 if ((sap->flags & NETLBL_SECATTR_SECID) != 0) 3765 /* 3766 * Looks like a fallback, which gives us a secid. 3767 */ 3768 return smack_from_secid(sap->attr.secid); 3769 /* 3770 * Without guidance regarding the smack value 3771 * for the packet fall back on the network 3772 * ambient value. 3773 */ 3774 return smack_net_ambient; 3775 } 3776 3777 #if IS_ENABLED(CONFIG_IPV6) 3778 static int smk_skb_to_addr_ipv6(struct sk_buff *skb, struct sockaddr_in6 *sip) 3779 { 3780 u8 nexthdr; 3781 int offset; 3782 int proto = -EINVAL; 3783 struct ipv6hdr _ipv6h; 3784 struct ipv6hdr *ip6; 3785 __be16 frag_off; 3786 struct tcphdr _tcph, *th; 3787 struct udphdr _udph, *uh; 3788 struct dccp_hdr _dccph, *dh; 3789 3790 sip->sin6_port = 0; 3791 3792 offset = skb_network_offset(skb); 3793 ip6 = skb_header_pointer(skb, offset, sizeof(_ipv6h), &_ipv6h); 3794 if (ip6 == NULL) 3795 return -EINVAL; 3796 sip->sin6_addr = ip6->saddr; 3797 3798 nexthdr = ip6->nexthdr; 3799 offset += sizeof(_ipv6h); 3800 offset = ipv6_skip_exthdr(skb, offset, &nexthdr, &frag_off); 3801 if (offset < 0) 3802 return -EINVAL; 3803 3804 proto = nexthdr; 3805 switch (proto) { 3806 case IPPROTO_TCP: 3807 th = skb_header_pointer(skb, offset, sizeof(_tcph), &_tcph); 3808 if (th != NULL) 3809 sip->sin6_port = th->source; 3810 break; 3811 case IPPROTO_UDP: 3812 case IPPROTO_UDPLITE: 3813 uh = skb_header_pointer(skb, offset, sizeof(_udph), &_udph); 3814 if (uh != NULL) 3815 sip->sin6_port = uh->source; 3816 break; 3817 case IPPROTO_DCCP: 3818 dh = skb_header_pointer(skb, offset, sizeof(_dccph), &_dccph); 3819 if (dh != NULL) 3820 sip->sin6_port = dh->dccph_sport; 3821 break; 3822 } 3823 return proto; 3824 } 3825 #endif /* CONFIG_IPV6 */ 3826 3827 /** 3828 * smack_socket_sock_rcv_skb - Smack packet delivery access check 3829 * @sk: socket 3830 * @skb: packet 3831 * 3832 * Returns 0 if the packet should be delivered, an error code otherwise 3833 */ 3834 static int smack_socket_sock_rcv_skb(struct sock *sk, struct sk_buff *skb) 3835 { 3836 struct netlbl_lsm_secattr secattr; 3837 struct socket_smack *ssp = sk->sk_security; 3838 struct smack_known *skp = NULL; 3839 int rc = 0; 3840 struct smk_audit_info ad; 3841 u16 family = sk->sk_family; 3842 #ifdef CONFIG_AUDIT 3843 struct lsm_network_audit net; 3844 #endif 3845 #if IS_ENABLED(CONFIG_IPV6) 3846 struct sockaddr_in6 sadd; 3847 int proto; 3848 3849 if (family == PF_INET6 && skb->protocol == htons(ETH_P_IP)) 3850 family = PF_INET; 3851 #endif /* CONFIG_IPV6 */ 3852 3853 switch (family) { 3854 case PF_INET: 3855 #ifdef CONFIG_SECURITY_SMACK_NETFILTER 3856 /* 3857 * If there is a secmark use it rather than the CIPSO label. 3858 * If there is no secmark fall back to CIPSO. 3859 * The secmark is assumed to reflect policy better. 3860 */ 3861 if (skb && skb->secmark != 0) { 3862 skp = smack_from_secid(skb->secmark); 3863 goto access_check; 3864 } 3865 #endif /* CONFIG_SECURITY_SMACK_NETFILTER */ 3866 /* 3867 * Translate what netlabel gave us. 3868 */ 3869 netlbl_secattr_init(&secattr); 3870 3871 rc = netlbl_skbuff_getattr(skb, family, &secattr); 3872 if (rc == 0) 3873 skp = smack_from_secattr(&secattr, ssp); 3874 else 3875 skp = smack_net_ambient; 3876 3877 netlbl_secattr_destroy(&secattr); 3878 3879 #ifdef CONFIG_SECURITY_SMACK_NETFILTER 3880 access_check: 3881 #endif 3882 #ifdef CONFIG_AUDIT 3883 smk_ad_init_net(&ad, __func__, LSM_AUDIT_DATA_NET, &net); 3884 ad.a.u.net->family = family; 3885 ad.a.u.net->netif = skb->skb_iif; 3886 ipv4_skb_to_auditdata(skb, &ad.a, NULL); 3887 #endif 3888 /* 3889 * Receiving a packet requires that the other end 3890 * be able to write here. Read access is not required. 3891 * This is the simplist possible security model 3892 * for networking. 3893 */ 3894 rc = smk_access(skp, ssp->smk_in, MAY_WRITE, &ad); 3895 rc = smk_bu_note("IPv4 delivery", skp, ssp->smk_in, 3896 MAY_WRITE, rc); 3897 if (rc != 0) 3898 netlbl_skbuff_err(skb, family, rc, 0); 3899 break; 3900 #if IS_ENABLED(CONFIG_IPV6) 3901 case PF_INET6: 3902 proto = smk_skb_to_addr_ipv6(skb, &sadd); 3903 if (proto != IPPROTO_UDP && proto != IPPROTO_UDPLITE && 3904 proto != IPPROTO_TCP && proto != IPPROTO_DCCP) 3905 break; 3906 #ifdef SMACK_IPV6_SECMARK_LABELING 3907 if (skb && skb->secmark != 0) 3908 skp = smack_from_secid(skb->secmark); 3909 else 3910 skp = smack_ipv6host_label(&sadd); 3911 if (skp == NULL) 3912 skp = smack_net_ambient; 3913 #ifdef CONFIG_AUDIT 3914 smk_ad_init_net(&ad, __func__, LSM_AUDIT_DATA_NET, &net); 3915 ad.a.u.net->family = family; 3916 ad.a.u.net->netif = skb->skb_iif; 3917 ipv6_skb_to_auditdata(skb, &ad.a, NULL); 3918 #endif /* CONFIG_AUDIT */ 3919 rc = smk_access(skp, ssp->smk_in, MAY_WRITE, &ad); 3920 rc = smk_bu_note("IPv6 delivery", skp, ssp->smk_in, 3921 MAY_WRITE, rc); 3922 #endif /* SMACK_IPV6_SECMARK_LABELING */ 3923 #ifdef SMACK_IPV6_PORT_LABELING 3924 rc = smk_ipv6_port_check(sk, &sadd, SMK_RECEIVING); 3925 #endif /* SMACK_IPV6_PORT_LABELING */ 3926 if (rc != 0) 3927 icmpv6_send(skb, ICMPV6_DEST_UNREACH, 3928 ICMPV6_ADM_PROHIBITED, 0); 3929 break; 3930 #endif /* CONFIG_IPV6 */ 3931 } 3932 3933 return rc; 3934 } 3935 3936 /** 3937 * smack_socket_getpeersec_stream - pull in packet label 3938 * @sock: the socket 3939 * @optval: user's destination 3940 * @optlen: size thereof 3941 * @len: max thereof 3942 * 3943 * returns zero on success, an error code otherwise 3944 */ 3945 static int smack_socket_getpeersec_stream(struct socket *sock, 3946 char __user *optval, 3947 int __user *optlen, unsigned len) 3948 { 3949 struct socket_smack *ssp; 3950 char *rcp = ""; 3951 int slen = 1; 3952 int rc = 0; 3953 3954 ssp = sock->sk->sk_security; 3955 if (ssp->smk_packet != NULL) { 3956 rcp = ssp->smk_packet->smk_known; 3957 slen = strlen(rcp) + 1; 3958 } 3959 3960 if (slen > len) 3961 rc = -ERANGE; 3962 else if (copy_to_user(optval, rcp, slen) != 0) 3963 rc = -EFAULT; 3964 3965 if (put_user(slen, optlen) != 0) 3966 rc = -EFAULT; 3967 3968 return rc; 3969 } 3970 3971 3972 /** 3973 * smack_socket_getpeersec_dgram - pull in packet label 3974 * @sock: the peer socket 3975 * @skb: packet data 3976 * @secid: pointer to where to put the secid of the packet 3977 * 3978 * Sets the netlabel socket state on sk from parent 3979 */ 3980 static int smack_socket_getpeersec_dgram(struct socket *sock, 3981 struct sk_buff *skb, u32 *secid) 3982 3983 { 3984 struct netlbl_lsm_secattr secattr; 3985 struct socket_smack *ssp = NULL; 3986 struct smack_known *skp; 3987 int family = PF_UNSPEC; 3988 u32 s = 0; /* 0 is the invalid secid */ 3989 int rc; 3990 3991 if (skb != NULL) { 3992 if (skb->protocol == htons(ETH_P_IP)) 3993 family = PF_INET; 3994 #if IS_ENABLED(CONFIG_IPV6) 3995 else if (skb->protocol == htons(ETH_P_IPV6)) 3996 family = PF_INET6; 3997 #endif /* CONFIG_IPV6 */ 3998 } 3999 if (family == PF_UNSPEC && sock != NULL) 4000 family = sock->sk->sk_family; 4001 4002 switch (family) { 4003 case PF_UNIX: 4004 ssp = sock->sk->sk_security; 4005 s = ssp->smk_out->smk_secid; 4006 break; 4007 case PF_INET: 4008 #ifdef CONFIG_SECURITY_SMACK_NETFILTER 4009 s = skb->secmark; 4010 if (s != 0) 4011 break; 4012 #endif 4013 /* 4014 * Translate what netlabel gave us. 4015 */ 4016 if (sock != NULL && sock->sk != NULL) 4017 ssp = sock->sk->sk_security; 4018 netlbl_secattr_init(&secattr); 4019 rc = netlbl_skbuff_getattr(skb, family, &secattr); 4020 if (rc == 0) { 4021 skp = smack_from_secattr(&secattr, ssp); 4022 s = skp->smk_secid; 4023 } 4024 netlbl_secattr_destroy(&secattr); 4025 break; 4026 case PF_INET6: 4027 #ifdef SMACK_IPV6_SECMARK_LABELING 4028 s = skb->secmark; 4029 #endif 4030 break; 4031 } 4032 *secid = s; 4033 if (s == 0) 4034 return -EINVAL; 4035 return 0; 4036 } 4037 4038 /** 4039 * smack_sock_graft - Initialize a newly created socket with an existing sock 4040 * @sk: child sock 4041 * @parent: parent socket 4042 * 4043 * Set the smk_{in,out} state of an existing sock based on the process that 4044 * is creating the new socket. 4045 */ 4046 static void smack_sock_graft(struct sock *sk, struct socket *parent) 4047 { 4048 struct socket_smack *ssp; 4049 struct smack_known *skp = smk_of_current(); 4050 4051 if (sk == NULL || 4052 (sk->sk_family != PF_INET && sk->sk_family != PF_INET6)) 4053 return; 4054 4055 ssp = sk->sk_security; 4056 ssp->smk_in = skp; 4057 ssp->smk_out = skp; 4058 /* cssp->smk_packet is already set in smack_inet_csk_clone() */ 4059 } 4060 4061 /** 4062 * smack_inet_conn_request - Smack access check on connect 4063 * @sk: socket involved 4064 * @skb: packet 4065 * @req: unused 4066 * 4067 * Returns 0 if a task with the packet label could write to 4068 * the socket, otherwise an error code 4069 */ 4070 static int smack_inet_conn_request(struct sock *sk, struct sk_buff *skb, 4071 struct request_sock *req) 4072 { 4073 u16 family = sk->sk_family; 4074 struct smack_known *skp; 4075 struct socket_smack *ssp = sk->sk_security; 4076 struct netlbl_lsm_secattr secattr; 4077 struct sockaddr_in addr; 4078 struct iphdr *hdr; 4079 struct smack_known *hskp; 4080 int rc; 4081 struct smk_audit_info ad; 4082 #ifdef CONFIG_AUDIT 4083 struct lsm_network_audit net; 4084 #endif 4085 4086 #if IS_ENABLED(CONFIG_IPV6) 4087 if (family == PF_INET6) { 4088 /* 4089 * Handle mapped IPv4 packets arriving 4090 * via IPv6 sockets. Don't set up netlabel 4091 * processing on IPv6. 4092 */ 4093 if (skb->protocol == htons(ETH_P_IP)) 4094 family = PF_INET; 4095 else 4096 return 0; 4097 } 4098 #endif /* CONFIG_IPV6 */ 4099 4100 #ifdef CONFIG_SECURITY_SMACK_NETFILTER 4101 /* 4102 * If there is a secmark use it rather than the CIPSO label. 4103 * If there is no secmark fall back to CIPSO. 4104 * The secmark is assumed to reflect policy better. 4105 */ 4106 if (skb && skb->secmark != 0) { 4107 skp = smack_from_secid(skb->secmark); 4108 goto access_check; 4109 } 4110 #endif /* CONFIG_SECURITY_SMACK_NETFILTER */ 4111 4112 netlbl_secattr_init(&secattr); 4113 rc = netlbl_skbuff_getattr(skb, family, &secattr); 4114 if (rc == 0) 4115 skp = smack_from_secattr(&secattr, ssp); 4116 else 4117 skp = &smack_known_huh; 4118 netlbl_secattr_destroy(&secattr); 4119 4120 #ifdef CONFIG_SECURITY_SMACK_NETFILTER 4121 access_check: 4122 #endif 4123 4124 #ifdef CONFIG_AUDIT 4125 smk_ad_init_net(&ad, __func__, LSM_AUDIT_DATA_NET, &net); 4126 ad.a.u.net->family = family; 4127 ad.a.u.net->netif = skb->skb_iif; 4128 ipv4_skb_to_auditdata(skb, &ad.a, NULL); 4129 #endif 4130 /* 4131 * Receiving a packet requires that the other end be able to write 4132 * here. Read access is not required. 4133 */ 4134 rc = smk_access(skp, ssp->smk_in, MAY_WRITE, &ad); 4135 rc = smk_bu_note("IPv4 connect", skp, ssp->smk_in, MAY_WRITE, rc); 4136 if (rc != 0) 4137 return rc; 4138 4139 /* 4140 * Save the peer's label in the request_sock so we can later setup 4141 * smk_packet in the child socket so that SO_PEERCRED can report it. 4142 */ 4143 req->peer_secid = skp->smk_secid; 4144 4145 /* 4146 * We need to decide if we want to label the incoming connection here 4147 * if we do we only need to label the request_sock and the stack will 4148 * propagate the wire-label to the sock when it is created. 4149 */ 4150 hdr = ip_hdr(skb); 4151 addr.sin_addr.s_addr = hdr->saddr; 4152 rcu_read_lock(); 4153 hskp = smack_ipv4host_label(&addr); 4154 rcu_read_unlock(); 4155 4156 if (hskp == NULL) 4157 rc = netlbl_req_setattr(req, &skp->smk_netlabel); 4158 else 4159 netlbl_req_delattr(req); 4160 4161 return rc; 4162 } 4163 4164 /** 4165 * smack_inet_csk_clone - Copy the connection information to the new socket 4166 * @sk: the new socket 4167 * @req: the connection's request_sock 4168 * 4169 * Transfer the connection's peer label to the newly created socket. 4170 */ 4171 static void smack_inet_csk_clone(struct sock *sk, 4172 const struct request_sock *req) 4173 { 4174 struct socket_smack *ssp = sk->sk_security; 4175 struct smack_known *skp; 4176 4177 if (req->peer_secid != 0) { 4178 skp = smack_from_secid(req->peer_secid); 4179 ssp->smk_packet = skp; 4180 } else 4181 ssp->smk_packet = NULL; 4182 } 4183 4184 /* 4185 * Key management security hooks 4186 * 4187 * Casey has not tested key support very heavily. 4188 * The permission check is most likely too restrictive. 4189 * If you care about keys please have a look. 4190 */ 4191 #ifdef CONFIG_KEYS 4192 4193 /** 4194 * smack_key_alloc - Set the key security blob 4195 * @key: object 4196 * @cred: the credentials to use 4197 * @flags: unused 4198 * 4199 * No allocation required 4200 * 4201 * Returns 0 4202 */ 4203 static int smack_key_alloc(struct key *key, const struct cred *cred, 4204 unsigned long flags) 4205 { 4206 struct smack_known *skp = smk_of_task(smack_cred(cred)); 4207 4208 key->security = skp; 4209 return 0; 4210 } 4211 4212 /** 4213 * smack_key_free - Clear the key security blob 4214 * @key: the object 4215 * 4216 * Clear the blob pointer 4217 */ 4218 static void smack_key_free(struct key *key) 4219 { 4220 key->security = NULL; 4221 } 4222 4223 /** 4224 * smack_key_permission - Smack access on a key 4225 * @key_ref: gets to the object 4226 * @cred: the credentials to use 4227 * @perm: requested key permissions 4228 * 4229 * Return 0 if the task has read and write to the object, 4230 * an error code otherwise 4231 */ 4232 static int smack_key_permission(key_ref_t key_ref, 4233 const struct cred *cred, unsigned perm) 4234 { 4235 struct key *keyp; 4236 struct smk_audit_info ad; 4237 struct smack_known *tkp = smk_of_task(smack_cred(cred)); 4238 int request = 0; 4239 int rc; 4240 4241 /* 4242 * Validate requested permissions 4243 */ 4244 if (perm & ~KEY_NEED_ALL) 4245 return -EINVAL; 4246 4247 keyp = key_ref_to_ptr(key_ref); 4248 if (keyp == NULL) 4249 return -EINVAL; 4250 /* 4251 * If the key hasn't been initialized give it access so that 4252 * it may do so. 4253 */ 4254 if (keyp->security == NULL) 4255 return 0; 4256 /* 4257 * This should not occur 4258 */ 4259 if (tkp == NULL) 4260 return -EACCES; 4261 4262 if (smack_privileged_cred(CAP_MAC_OVERRIDE, cred)) 4263 return 0; 4264 4265 #ifdef CONFIG_AUDIT 4266 smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_KEY); 4267 ad.a.u.key_struct.key = keyp->serial; 4268 ad.a.u.key_struct.key_desc = keyp->description; 4269 #endif 4270 if (perm & (KEY_NEED_READ | KEY_NEED_SEARCH | KEY_NEED_VIEW)) 4271 request |= MAY_READ; 4272 if (perm & (KEY_NEED_WRITE | KEY_NEED_LINK | KEY_NEED_SETATTR)) 4273 request |= MAY_WRITE; 4274 rc = smk_access(tkp, keyp->security, request, &ad); 4275 rc = smk_bu_note("key access", tkp, keyp->security, request, rc); 4276 return rc; 4277 } 4278 4279 /* 4280 * smack_key_getsecurity - Smack label tagging the key 4281 * @key points to the key to be queried 4282 * @_buffer points to a pointer that should be set to point to the 4283 * resulting string (if no label or an error occurs). 4284 * Return the length of the string (including terminating NUL) or -ve if 4285 * an error. 4286 * May also return 0 (and a NULL buffer pointer) if there is no label. 4287 */ 4288 static int smack_key_getsecurity(struct key *key, char **_buffer) 4289 { 4290 struct smack_known *skp = key->security; 4291 size_t length; 4292 char *copy; 4293 4294 if (key->security == NULL) { 4295 *_buffer = NULL; 4296 return 0; 4297 } 4298 4299 copy = kstrdup(skp->smk_known, GFP_KERNEL); 4300 if (copy == NULL) 4301 return -ENOMEM; 4302 length = strlen(copy) + 1; 4303 4304 *_buffer = copy; 4305 return length; 4306 } 4307 4308 #endif /* CONFIG_KEYS */ 4309 4310 /* 4311 * Smack Audit hooks 4312 * 4313 * Audit requires a unique representation of each Smack specific 4314 * rule. This unique representation is used to distinguish the 4315 * object to be audited from remaining kernel objects and also 4316 * works as a glue between the audit hooks. 4317 * 4318 * Since repository entries are added but never deleted, we'll use 4319 * the smack_known label address related to the given audit rule as 4320 * the needed unique representation. This also better fits the smack 4321 * model where nearly everything is a label. 4322 */ 4323 #ifdef CONFIG_AUDIT 4324 4325 /** 4326 * smack_audit_rule_init - Initialize a smack audit rule 4327 * @field: audit rule fields given from user-space (audit.h) 4328 * @op: required testing operator (=, !=, >, <, ...) 4329 * @rulestr: smack label to be audited 4330 * @vrule: pointer to save our own audit rule representation 4331 * 4332 * Prepare to audit cases where (@field @op @rulestr) is true. 4333 * The label to be audited is created if necessay. 4334 */ 4335 static int smack_audit_rule_init(u32 field, u32 op, char *rulestr, void **vrule) 4336 { 4337 struct smack_known *skp; 4338 char **rule = (char **)vrule; 4339 *rule = NULL; 4340 4341 if (field != AUDIT_SUBJ_USER && field != AUDIT_OBJ_USER) 4342 return -EINVAL; 4343 4344 if (op != Audit_equal && op != Audit_not_equal) 4345 return -EINVAL; 4346 4347 skp = smk_import_entry(rulestr, 0); 4348 if (IS_ERR(skp)) 4349 return PTR_ERR(skp); 4350 4351 *rule = skp->smk_known; 4352 4353 return 0; 4354 } 4355 4356 /** 4357 * smack_audit_rule_known - Distinguish Smack audit rules 4358 * @krule: rule of interest, in Audit kernel representation format 4359 * 4360 * This is used to filter Smack rules from remaining Audit ones. 4361 * If it's proved that this rule belongs to us, the 4362 * audit_rule_match hook will be called to do the final judgement. 4363 */ 4364 static int smack_audit_rule_known(struct audit_krule *krule) 4365 { 4366 struct audit_field *f; 4367 int i; 4368 4369 for (i = 0; i < krule->field_count; i++) { 4370 f = &krule->fields[i]; 4371 4372 if (f->type == AUDIT_SUBJ_USER || f->type == AUDIT_OBJ_USER) 4373 return 1; 4374 } 4375 4376 return 0; 4377 } 4378 4379 /** 4380 * smack_audit_rule_match - Audit given object ? 4381 * @secid: security id for identifying the object to test 4382 * @field: audit rule flags given from user-space 4383 * @op: required testing operator 4384 * @vrule: smack internal rule presentation 4385 * 4386 * The core Audit hook. It's used to take the decision of 4387 * whether to audit or not to audit a given object. 4388 */ 4389 static int smack_audit_rule_match(u32 secid, u32 field, u32 op, void *vrule) 4390 { 4391 struct smack_known *skp; 4392 char *rule = vrule; 4393 4394 if (unlikely(!rule)) { 4395 WARN_ONCE(1, "Smack: missing rule\n"); 4396 return -ENOENT; 4397 } 4398 4399 if (field != AUDIT_SUBJ_USER && field != AUDIT_OBJ_USER) 4400 return 0; 4401 4402 skp = smack_from_secid(secid); 4403 4404 /* 4405 * No need to do string comparisons. If a match occurs, 4406 * both pointers will point to the same smack_known 4407 * label. 4408 */ 4409 if (op == Audit_equal) 4410 return (rule == skp->smk_known); 4411 if (op == Audit_not_equal) 4412 return (rule != skp->smk_known); 4413 4414 return 0; 4415 } 4416 4417 /* 4418 * There is no need for a smack_audit_rule_free hook. 4419 * No memory was allocated. 4420 */ 4421 4422 #endif /* CONFIG_AUDIT */ 4423 4424 /** 4425 * smack_ismaclabel - check if xattr @name references a smack MAC label 4426 * @name: Full xattr name to check. 4427 */ 4428 static int smack_ismaclabel(const char *name) 4429 { 4430 return (strcmp(name, XATTR_SMACK_SUFFIX) == 0); 4431 } 4432 4433 4434 /** 4435 * smack_secid_to_secctx - return the smack label for a secid 4436 * @secid: incoming integer 4437 * @secdata: destination 4438 * @seclen: how long it is 4439 * 4440 * Exists for networking code. 4441 */ 4442 static int smack_secid_to_secctx(u32 secid, char **secdata, u32 *seclen) 4443 { 4444 struct smack_known *skp = smack_from_secid(secid); 4445 4446 if (secdata) 4447 *secdata = skp->smk_known; 4448 *seclen = strlen(skp->smk_known); 4449 return 0; 4450 } 4451 4452 /** 4453 * smack_secctx_to_secid - return the secid for a smack label 4454 * @secdata: smack label 4455 * @seclen: how long result is 4456 * @secid: outgoing integer 4457 * 4458 * Exists for audit and networking code. 4459 */ 4460 static int smack_secctx_to_secid(const char *secdata, u32 seclen, u32 *secid) 4461 { 4462 struct smack_known *skp = smk_find_entry(secdata); 4463 4464 if (skp) 4465 *secid = skp->smk_secid; 4466 else 4467 *secid = 0; 4468 return 0; 4469 } 4470 4471 /* 4472 * There used to be a smack_release_secctx hook 4473 * that did nothing back when hooks were in a vector. 4474 * Now that there's a list such a hook adds cost. 4475 */ 4476 4477 static int smack_inode_notifysecctx(struct inode *inode, void *ctx, u32 ctxlen) 4478 { 4479 return smack_inode_setsecurity(inode, XATTR_SMACK_SUFFIX, ctx, ctxlen, 0); 4480 } 4481 4482 static int smack_inode_setsecctx(struct dentry *dentry, void *ctx, u32 ctxlen) 4483 { 4484 return __vfs_setxattr_noperm(dentry, XATTR_NAME_SMACK, ctx, ctxlen, 0); 4485 } 4486 4487 static int smack_inode_getsecctx(struct inode *inode, void **ctx, u32 *ctxlen) 4488 { 4489 struct smack_known *skp = smk_of_inode(inode); 4490 4491 *ctx = skp->smk_known; 4492 *ctxlen = strlen(skp->smk_known); 4493 return 0; 4494 } 4495 4496 static int smack_inode_copy_up(struct dentry *dentry, struct cred **new) 4497 { 4498 4499 struct task_smack *tsp; 4500 struct smack_known *skp; 4501 struct inode_smack *isp; 4502 struct cred *new_creds = *new; 4503 4504 if (new_creds == NULL) { 4505 new_creds = prepare_creds(); 4506 if (new_creds == NULL) 4507 return -ENOMEM; 4508 } 4509 4510 tsp = smack_cred(new_creds); 4511 4512 /* 4513 * Get label from overlay inode and set it in create_sid 4514 */ 4515 isp = smack_inode(d_inode(dentry->d_parent)); 4516 skp = isp->smk_inode; 4517 tsp->smk_task = skp; 4518 *new = new_creds; 4519 return 0; 4520 } 4521 4522 static int smack_inode_copy_up_xattr(const char *name) 4523 { 4524 /* 4525 * Return 1 if this is the smack access Smack attribute. 4526 */ 4527 if (strcmp(name, XATTR_NAME_SMACK) == 0) 4528 return 1; 4529 4530 return -EOPNOTSUPP; 4531 } 4532 4533 static int smack_dentry_create_files_as(struct dentry *dentry, int mode, 4534 struct qstr *name, 4535 const struct cred *old, 4536 struct cred *new) 4537 { 4538 struct task_smack *otsp = smack_cred(old); 4539 struct task_smack *ntsp = smack_cred(new); 4540 struct inode_smack *isp; 4541 int may; 4542 4543 /* 4544 * Use the process credential unless all of 4545 * the transmuting criteria are met 4546 */ 4547 ntsp->smk_task = otsp->smk_task; 4548 4549 /* 4550 * the attribute of the containing directory 4551 */ 4552 isp = smack_inode(d_inode(dentry->d_parent)); 4553 4554 if (isp->smk_flags & SMK_INODE_TRANSMUTE) { 4555 rcu_read_lock(); 4556 may = smk_access_entry(otsp->smk_task->smk_known, 4557 isp->smk_inode->smk_known, 4558 &otsp->smk_task->smk_rules); 4559 rcu_read_unlock(); 4560 4561 /* 4562 * If the directory is transmuting and the rule 4563 * providing access is transmuting use the containing 4564 * directory label instead of the process label. 4565 */ 4566 if (may > 0 && (may & MAY_TRANSMUTE)) 4567 ntsp->smk_task = isp->smk_inode; 4568 } 4569 return 0; 4570 } 4571 4572 struct lsm_blob_sizes smack_blob_sizes __lsm_ro_after_init = { 4573 .lbs_cred = sizeof(struct task_smack), 4574 .lbs_file = sizeof(struct smack_known *), 4575 .lbs_inode = sizeof(struct inode_smack), 4576 .lbs_ipc = sizeof(struct smack_known *), 4577 .lbs_msg_msg = sizeof(struct smack_known *), 4578 }; 4579 4580 static struct security_hook_list smack_hooks[] __lsm_ro_after_init = { 4581 LSM_HOOK_INIT(ptrace_access_check, smack_ptrace_access_check), 4582 LSM_HOOK_INIT(ptrace_traceme, smack_ptrace_traceme), 4583 LSM_HOOK_INIT(syslog, smack_syslog), 4584 4585 LSM_HOOK_INIT(fs_context_dup, smack_fs_context_dup), 4586 LSM_HOOK_INIT(fs_context_parse_param, smack_fs_context_parse_param), 4587 4588 LSM_HOOK_INIT(sb_alloc_security, smack_sb_alloc_security), 4589 LSM_HOOK_INIT(sb_free_security, smack_sb_free_security), 4590 LSM_HOOK_INIT(sb_free_mnt_opts, smack_free_mnt_opts), 4591 LSM_HOOK_INIT(sb_eat_lsm_opts, smack_sb_eat_lsm_opts), 4592 LSM_HOOK_INIT(sb_statfs, smack_sb_statfs), 4593 LSM_HOOK_INIT(sb_set_mnt_opts, smack_set_mnt_opts), 4594 4595 LSM_HOOK_INIT(bprm_set_creds, smack_bprm_set_creds), 4596 4597 LSM_HOOK_INIT(inode_alloc_security, smack_inode_alloc_security), 4598 LSM_HOOK_INIT(inode_init_security, smack_inode_init_security), 4599 LSM_HOOK_INIT(inode_link, smack_inode_link), 4600 LSM_HOOK_INIT(inode_unlink, smack_inode_unlink), 4601 LSM_HOOK_INIT(inode_rmdir, smack_inode_rmdir), 4602 LSM_HOOK_INIT(inode_rename, smack_inode_rename), 4603 LSM_HOOK_INIT(inode_permission, smack_inode_permission), 4604 LSM_HOOK_INIT(inode_setattr, smack_inode_setattr), 4605 LSM_HOOK_INIT(inode_getattr, smack_inode_getattr), 4606 LSM_HOOK_INIT(inode_setxattr, smack_inode_setxattr), 4607 LSM_HOOK_INIT(inode_post_setxattr, smack_inode_post_setxattr), 4608 LSM_HOOK_INIT(inode_getxattr, smack_inode_getxattr), 4609 LSM_HOOK_INIT(inode_removexattr, smack_inode_removexattr), 4610 LSM_HOOK_INIT(inode_getsecurity, smack_inode_getsecurity), 4611 LSM_HOOK_INIT(inode_setsecurity, smack_inode_setsecurity), 4612 LSM_HOOK_INIT(inode_listsecurity, smack_inode_listsecurity), 4613 LSM_HOOK_INIT(inode_getsecid, smack_inode_getsecid), 4614 4615 LSM_HOOK_INIT(file_alloc_security, smack_file_alloc_security), 4616 LSM_HOOK_INIT(file_ioctl, smack_file_ioctl), 4617 LSM_HOOK_INIT(file_lock, smack_file_lock), 4618 LSM_HOOK_INIT(file_fcntl, smack_file_fcntl), 4619 LSM_HOOK_INIT(mmap_file, smack_mmap_file), 4620 LSM_HOOK_INIT(mmap_addr, cap_mmap_addr), 4621 LSM_HOOK_INIT(file_set_fowner, smack_file_set_fowner), 4622 LSM_HOOK_INIT(file_send_sigiotask, smack_file_send_sigiotask), 4623 LSM_HOOK_INIT(file_receive, smack_file_receive), 4624 4625 LSM_HOOK_INIT(file_open, smack_file_open), 4626 4627 LSM_HOOK_INIT(cred_alloc_blank, smack_cred_alloc_blank), 4628 LSM_HOOK_INIT(cred_free, smack_cred_free), 4629 LSM_HOOK_INIT(cred_prepare, smack_cred_prepare), 4630 LSM_HOOK_INIT(cred_transfer, smack_cred_transfer), 4631 LSM_HOOK_INIT(cred_getsecid, smack_cred_getsecid), 4632 LSM_HOOK_INIT(kernel_act_as, smack_kernel_act_as), 4633 LSM_HOOK_INIT(kernel_create_files_as, smack_kernel_create_files_as), 4634 LSM_HOOK_INIT(task_setpgid, smack_task_setpgid), 4635 LSM_HOOK_INIT(task_getpgid, smack_task_getpgid), 4636 LSM_HOOK_INIT(task_getsid, smack_task_getsid), 4637 LSM_HOOK_INIT(task_getsecid, smack_task_getsecid), 4638 LSM_HOOK_INIT(task_setnice, smack_task_setnice), 4639 LSM_HOOK_INIT(task_setioprio, smack_task_setioprio), 4640 LSM_HOOK_INIT(task_getioprio, smack_task_getioprio), 4641 LSM_HOOK_INIT(task_setscheduler, smack_task_setscheduler), 4642 LSM_HOOK_INIT(task_getscheduler, smack_task_getscheduler), 4643 LSM_HOOK_INIT(task_movememory, smack_task_movememory), 4644 LSM_HOOK_INIT(task_kill, smack_task_kill), 4645 LSM_HOOK_INIT(task_to_inode, smack_task_to_inode), 4646 4647 LSM_HOOK_INIT(ipc_permission, smack_ipc_permission), 4648 LSM_HOOK_INIT(ipc_getsecid, smack_ipc_getsecid), 4649 4650 LSM_HOOK_INIT(msg_msg_alloc_security, smack_msg_msg_alloc_security), 4651 4652 LSM_HOOK_INIT(msg_queue_alloc_security, smack_ipc_alloc_security), 4653 LSM_HOOK_INIT(msg_queue_associate, smack_msg_queue_associate), 4654 LSM_HOOK_INIT(msg_queue_msgctl, smack_msg_queue_msgctl), 4655 LSM_HOOK_INIT(msg_queue_msgsnd, smack_msg_queue_msgsnd), 4656 LSM_HOOK_INIT(msg_queue_msgrcv, smack_msg_queue_msgrcv), 4657 4658 LSM_HOOK_INIT(shm_alloc_security, smack_ipc_alloc_security), 4659 LSM_HOOK_INIT(shm_associate, smack_shm_associate), 4660 LSM_HOOK_INIT(shm_shmctl, smack_shm_shmctl), 4661 LSM_HOOK_INIT(shm_shmat, smack_shm_shmat), 4662 4663 LSM_HOOK_INIT(sem_alloc_security, smack_ipc_alloc_security), 4664 LSM_HOOK_INIT(sem_associate, smack_sem_associate), 4665 LSM_HOOK_INIT(sem_semctl, smack_sem_semctl), 4666 LSM_HOOK_INIT(sem_semop, smack_sem_semop), 4667 4668 LSM_HOOK_INIT(d_instantiate, smack_d_instantiate), 4669 4670 LSM_HOOK_INIT(getprocattr, smack_getprocattr), 4671 LSM_HOOK_INIT(setprocattr, smack_setprocattr), 4672 4673 LSM_HOOK_INIT(unix_stream_connect, smack_unix_stream_connect), 4674 LSM_HOOK_INIT(unix_may_send, smack_unix_may_send), 4675 4676 LSM_HOOK_INIT(socket_post_create, smack_socket_post_create), 4677 LSM_HOOK_INIT(socket_socketpair, smack_socket_socketpair), 4678 #ifdef SMACK_IPV6_PORT_LABELING 4679 LSM_HOOK_INIT(socket_bind, smack_socket_bind), 4680 #endif 4681 LSM_HOOK_INIT(socket_connect, smack_socket_connect), 4682 LSM_HOOK_INIT(socket_sendmsg, smack_socket_sendmsg), 4683 LSM_HOOK_INIT(socket_sock_rcv_skb, smack_socket_sock_rcv_skb), 4684 LSM_HOOK_INIT(socket_getpeersec_stream, smack_socket_getpeersec_stream), 4685 LSM_HOOK_INIT(socket_getpeersec_dgram, smack_socket_getpeersec_dgram), 4686 LSM_HOOK_INIT(sk_alloc_security, smack_sk_alloc_security), 4687 LSM_HOOK_INIT(sk_free_security, smack_sk_free_security), 4688 LSM_HOOK_INIT(sock_graft, smack_sock_graft), 4689 LSM_HOOK_INIT(inet_conn_request, smack_inet_conn_request), 4690 LSM_HOOK_INIT(inet_csk_clone, smack_inet_csk_clone), 4691 4692 /* key management security hooks */ 4693 #ifdef CONFIG_KEYS 4694 LSM_HOOK_INIT(key_alloc, smack_key_alloc), 4695 LSM_HOOK_INIT(key_free, smack_key_free), 4696 LSM_HOOK_INIT(key_permission, smack_key_permission), 4697 LSM_HOOK_INIT(key_getsecurity, smack_key_getsecurity), 4698 #endif /* CONFIG_KEYS */ 4699 4700 /* Audit hooks */ 4701 #ifdef CONFIG_AUDIT 4702 LSM_HOOK_INIT(audit_rule_init, smack_audit_rule_init), 4703 LSM_HOOK_INIT(audit_rule_known, smack_audit_rule_known), 4704 LSM_HOOK_INIT(audit_rule_match, smack_audit_rule_match), 4705 #endif /* CONFIG_AUDIT */ 4706 4707 LSM_HOOK_INIT(ismaclabel, smack_ismaclabel), 4708 LSM_HOOK_INIT(secid_to_secctx, smack_secid_to_secctx), 4709 LSM_HOOK_INIT(secctx_to_secid, smack_secctx_to_secid), 4710 LSM_HOOK_INIT(inode_notifysecctx, smack_inode_notifysecctx), 4711 LSM_HOOK_INIT(inode_setsecctx, smack_inode_setsecctx), 4712 LSM_HOOK_INIT(inode_getsecctx, smack_inode_getsecctx), 4713 LSM_HOOK_INIT(inode_copy_up, smack_inode_copy_up), 4714 LSM_HOOK_INIT(inode_copy_up_xattr, smack_inode_copy_up_xattr), 4715 LSM_HOOK_INIT(dentry_create_files_as, smack_dentry_create_files_as), 4716 }; 4717 4718 4719 static __init void init_smack_known_list(void) 4720 { 4721 /* 4722 * Initialize rule list locks 4723 */ 4724 mutex_init(&smack_known_huh.smk_rules_lock); 4725 mutex_init(&smack_known_hat.smk_rules_lock); 4726 mutex_init(&smack_known_floor.smk_rules_lock); 4727 mutex_init(&smack_known_star.smk_rules_lock); 4728 mutex_init(&smack_known_web.smk_rules_lock); 4729 /* 4730 * Initialize rule lists 4731 */ 4732 INIT_LIST_HEAD(&smack_known_huh.smk_rules); 4733 INIT_LIST_HEAD(&smack_known_hat.smk_rules); 4734 INIT_LIST_HEAD(&smack_known_star.smk_rules); 4735 INIT_LIST_HEAD(&smack_known_floor.smk_rules); 4736 INIT_LIST_HEAD(&smack_known_web.smk_rules); 4737 /* 4738 * Create the known labels list 4739 */ 4740 smk_insert_entry(&smack_known_huh); 4741 smk_insert_entry(&smack_known_hat); 4742 smk_insert_entry(&smack_known_star); 4743 smk_insert_entry(&smack_known_floor); 4744 smk_insert_entry(&smack_known_web); 4745 } 4746 4747 /** 4748 * smack_init - initialize the smack system 4749 * 4750 * Returns 0 4751 */ 4752 static __init int smack_init(void) 4753 { 4754 struct cred *cred = (struct cred *) current->cred; 4755 struct task_smack *tsp; 4756 4757 smack_inode_cache = KMEM_CACHE(inode_smack, 0); 4758 if (!smack_inode_cache) 4759 return -ENOMEM; 4760 4761 /* 4762 * Set the security state for the initial task. 4763 */ 4764 tsp = smack_cred(cred); 4765 init_task_smack(tsp, &smack_known_floor, &smack_known_floor); 4766 4767 /* 4768 * Register with LSM 4769 */ 4770 security_add_hooks(smack_hooks, ARRAY_SIZE(smack_hooks), "smack"); 4771 smack_enabled = 1; 4772 4773 pr_info("Smack: Initializing.\n"); 4774 #ifdef CONFIG_SECURITY_SMACK_NETFILTER 4775 pr_info("Smack: Netfilter enabled.\n"); 4776 #endif 4777 #ifdef SMACK_IPV6_PORT_LABELING 4778 pr_info("Smack: IPv6 port labeling enabled.\n"); 4779 #endif 4780 #ifdef SMACK_IPV6_SECMARK_LABELING 4781 pr_info("Smack: IPv6 Netfilter enabled.\n"); 4782 #endif 4783 4784 /* initialize the smack_known_list */ 4785 init_smack_known_list(); 4786 4787 return 0; 4788 } 4789 4790 /* 4791 * Smack requires early initialization in order to label 4792 * all processes and objects when they are created. 4793 */ 4794 DEFINE_LSM(smack) = { 4795 .name = "smack", 4796 .flags = LSM_FLAG_LEGACY_MAJOR | LSM_FLAG_EXCLUSIVE, 4797 .blobs = &smack_blob_sizes, 4798 .init = smack_init, 4799 }; 4800