// SPDX-License-Identifier: GPL-2.0-only
/*
 * Simplified MAC Kernel (smack) security module
 *
 * This file contains the smack hook function implementations.
 *
 * Authors:
 *	Casey Schaufler <casey@schaufler-ca.com>
 *	Jarkko Sakkinen <jarkko.sakkinen@intel.com>
 *
 * Copyright (C) 2007 Casey Schaufler <casey@schaufler-ca.com>
 * Copyright (C) 2009 Hewlett-Packard Development Company, L.P.
 *                    Paul Moore <paul@paul-moore.com>
 * Copyright (C) 2010 Nokia Corporation
 * Copyright (C) 2011 Intel Corporation.
 */

#include <linux/xattr.h>
#include <linux/pagemap.h>
#include <linux/mount.h>
#include <linux/stat.h>
#include <linux/kd.h>
#include <asm/ioctls.h>
#include <linux/ip.h>
#include <linux/tcp.h>
#include <linux/udp.h>
#include <linux/dccp.h>
#include <linux/icmpv6.h>
#include <linux/slab.h>
#include <linux/mutex.h>
#include <net/cipso_ipv4.h>
#include <net/ip.h>
#include <net/ipv6.h>
#include <linux/audit.h>
#include <linux/magic.h>
#include <linux/dcache.h>
#include <linux/personality.h>
#include <linux/msg.h>
#include <linux/shm.h>
#include <linux/binfmts.h>
#include <linux/parser.h>
#include <linux/fs_context.h>
#include <linux/fs_parser.h>
#include "smack.h"

/*
 * The only value accepted for the SMACKTRANSMUTE xattr; the length is
 * compared explicitly in smack_inode_setxattr() before the bytes are.
 */
#define TRANS_TRUE	"TRUE"
#define TRANS_TRUE_SIZE	4

/* Direction of a socket operation being checked. */
#define SMK_CONNECTING	0
#define SMK_RECEIVING	1
#define SMK_SENDING	2

#ifdef SMACK_IPV6_PORT_LABELING
DEFINE_MUTEX(smack_ipv6_lock);
static LIST_HEAD(smk_ipv6_port_list);
#endif
static struct kmem_cache *smack_inode_cache;
struct kmem_cache *smack_rule_cache;
int smack_enabled;

/*
 * Table of Smack mount option names for the legacy (string) option
 * parser, match_opt_prefix().  "smackfsdef" is the short alias of
 * "smackfsdefault"; the A() entries are all "smack" + the token name.
 */
#define A(s) {"smack"#s, sizeof("smack"#s) - 1, Opt_##s}
static struct {
	const char *name;
	int len;
	int opt;
} smk_mount_opts[] = {
	{"smackfsdef", sizeof("smackfsdef") - 1, Opt_fsdefault},
	A(fsdefault), A(fsfloor), A(fshat), A(fsroot), A(fstransmute)
};
#undef A

/**
 * match_opt_prefix - recognise a "smackfs...=value" mount option
 * @s: start of the option text (not necessarily NUL terminated)
 * @l: length of the option text
 * @arg: on a match, set to the first character after the '='
 *
 * Only an option of the form "<name>=<value>" matches: the name must be
 * followed by '=' within the first @l bytes of @s.
 *
 * Returns the Opt_* token of the matched name, or Opt_error.
 */
static int match_opt_prefix(char *s, int l, char **arg)
{
	int i;

	for (i = 0; i < ARRAY_SIZE(smk_mount_opts); i++) {
		size_t len = smk_mount_opts[i].len;
		/* Name must fit in the option and match byte for byte. */
		if (len > l || memcmp(s, smk_mount_opts[i].name, len))
			continue;
		/* A bare name, or a longer name sharing this prefix. */
		if (len == l || s[len] != '=')
			continue;
		*arg = s + len + 1;
		return smk_mount_opts[i].opt;
	}
	return Opt_error;
}

#ifdef CONFIG_SECURITY_SMACK_BRINGUP
/*
 * Messages indexed by the positive "bringup" result codes.  Index 0 is
 * used for any code outside the known range.
 */
static char *smk_bu_mess[] = {
	"Bringup Error",	/* Unused */
	"Bringup",		/* SMACK_BRINGUP_ALLOW */
	"Unconfined Subject",	/* SMACK_UNCONFINED_SUBJECT */
	"Unconfined Object",	/* SMACK_UNCONFINED_OBJECT */
};

/**
 * smk_bu_mode - render a MAY_* access mask as a string of letters
 * @mode: access mask
 * @s: output buffer; callers pass SMK_NUM_ACCESS_TYPE + 1 bytes
 *
 * Writes one letter per access bit set, '-' if none are set, and a
 * terminating NUL.
 */
static void smk_bu_mode(int mode, char *s)
{
	int i = 0;

	if (mode & MAY_READ)
		s[i++] = 'r';
	if (mode & MAY_WRITE)
		s[i++] = 'w';
	if (mode & MAY_EXEC)
		s[i++] = 'x';
	if (mode & MAY_APPEND)
		s[i++] = 'a';
	if (mode & MAY_TRANSMUTE)
		s[i++] = 't';
	if (mode & MAY_LOCK)
		s[i++] = 'l';
	if (i == 0)
		s[i++] = '-';
	s[i] = '\0';
}
#endif

#ifdef CONFIG_SECURITY_SMACK_BRINGUP
/**
 * smk_bu_note - log a bringup-mode access and report it as granted
 * @note: caller-supplied context for the log line
 * @sskp: subject label
 * @oskp: object label
 * @mode: access requested
 * @rc: result of the access check
 *
 * Returns @rc unchanged when it is zero or an error.  A positive @rc is
 * a bringup code: it is logged via smk_bu_mess and the access is
 * reported as granted (0).  Codes above SMACK_UNCONFINED_OBJECT are
 * logged with the index 0 message.
 */
static int smk_bu_note(char *note, struct smack_known *sskp,
		       struct smack_known *oskp, int mode, int rc)
{
	char acc[SMK_NUM_ACCESS_TYPE + 1];

	if (rc <= 0)
		return rc;
	if (rc > SMACK_UNCONFINED_OBJECT)
		rc = 0;

	smk_bu_mode(mode, acc);
	pr_info("Smack %s: (%s %s %s) %s\n", smk_bu_mess[rc],
		sskp->smk_known, oskp->smk_known, acc, note);
	return 0;
}
#else
/* Without bringup support the result is passed through untouched. */
#define smk_bu_note(note, sskp, oskp, mode, RC) (RC)
#endif

#ifdef CONFIG_SECURITY_SMACK_BRINGUP
/**
 * smk_bu_current - smk_bu_note() with the current task as the subject
 * @note: caller-supplied context for the log line
 * @oskp: object label
 * @mode: access requested
 * @rc: result of the access check
 *
 * Same result handling as smk_bu_note(); the log line also carries the
 * current task's comm.
 */
static int smk_bu_current(char *note, struct smack_known *oskp,
			  int mode, int rc)
{
	struct task_smack *tsp = smack_cred(current_cred());
	char acc[SMK_NUM_ACCESS_TYPE + 1];

	if (rc <= 0)
		return rc;
	if (rc > SMACK_UNCONFINED_OBJECT)
		rc = 0;

	smk_bu_mode(mode, acc);
	pr_info("Smack %s: (%s %s %s) %s %s\n", smk_bu_mess[rc],
		tsp->smk_task->smk_known, oskp->smk_known,
		acc, current->comm, note);
	return 0;
}
#else
#define smk_bu_current(note, oskp, mode, RC) (RC)
#endif

#ifdef CONFIG_SECURITY_SMACK_BRINGUP
/**
 * smk_bu_task - smk_bu_note() for a task-to-task access
 * @otp: the task being accessed (object)
 * @mode: access requested
 * @rc: result of the access check
 *
 * Same result handling as smk_bu_note(); both comms are logged.
 */
static int smk_bu_task(struct task_struct *otp, int mode, int rc)
{
	struct task_smack *tsp = smack_cred(current_cred());
	struct smack_known *smk_task = smk_of_task_struct(otp);
	char acc[SMK_NUM_ACCESS_TYPE + 1];

	if (rc <= 0)
		return rc;
	if (rc > SMACK_UNCONFINED_OBJECT)
		rc = 0;

	smk_bu_mode(mode, acc);
	pr_info("Smack %s: (%s %s %s) %s to %s\n", smk_bu_mess[rc],
		tsp->smk_task->smk_known, smk_task->smk_known, acc,
		current->comm, otp->comm);
	return 0;
}
#else
#define smk_bu_task(otp, mode, RC) (RC)
#endif

#ifdef CONFIG_SECURITY_SMACK_BRINGUP
/**
 * smk_bu_inode - smk_bu_note() for an inode access
 * @inode: the object
 * @mode: access requested
 * @rc: result of the access check
 *
 * Same result handling as smk_bu_note().  Additionally tracks
 * SMK_INODE_IMPURE: the flag is set when an unconfined subject is
 * allowed to write or append to the inode, and any later check on an
 * inode carrying the flag logs an "Unconfined Corruption" line.
 */
static int smk_bu_inode(struct inode *inode, int mode, int rc)
{
	struct task_smack *tsp = smack_cred(current_cred());
	struct inode_smack *isp = smack_inode(inode);
	char acc[SMK_NUM_ACCESS_TYPE + 1];

	if (isp->smk_flags & SMK_INODE_IMPURE)
		pr_info("Smack Unconfined Corruption: inode=(%s %ld) %s\n",
			inode->i_sb->s_id, inode->i_ino, current->comm);

	if (rc <= 0)
		return rc;
	if (rc > SMACK_UNCONFINED_OBJECT)
		rc = 0;
	/* Remember that an unconfined subject was let write here. */
	if (rc == SMACK_UNCONFINED_SUBJECT &&
	    (mode & (MAY_WRITE | MAY_APPEND)))
		isp->smk_flags |= SMK_INODE_IMPURE;

	smk_bu_mode(mode, acc);

	pr_info("Smack %s: (%s %s %s) inode=(%s %ld) %s\n", smk_bu_mess[rc],
		tsp->smk_task->smk_known, isp->smk_inode->smk_known, acc,
		inode->i_sb->s_id, inode->i_ino, current->comm);
	return 0;
}
#else
#define smk_bu_inode(inode, mode, RC) (RC)
#endif

#ifdef CONFIG_SECURITY_SMACK_BRINGUP
/**
 * smk_bu_file - smk_bu_note() for a file access by the current task
 * @file: the object
 * @mode: access requested
 * @rc: result of the access check
 *
 * Same result handling as smk_bu_note().  Reports, but does not set,
 * SMK_INODE_IMPURE on the file's inode.
 */
static int smk_bu_file(struct file *file, int mode, int rc)
{
	struct task_smack *tsp = smack_cred(current_cred());
	struct smack_known *sskp = tsp->smk_task;
	struct inode *inode = file_inode(file);
	struct inode_smack *isp = smack_inode(inode);
	char acc[SMK_NUM_ACCESS_TYPE + 1];

	if (isp->smk_flags & SMK_INODE_IMPURE)
		pr_info("Smack Unconfined Corruption: inode=(%s %ld) %s\n",
			inode->i_sb->s_id, inode->i_ino, current->comm);

	if (rc <= 0)
		return rc;
	if (rc > SMACK_UNCONFINED_OBJECT)
		rc = 0;

	smk_bu_mode(mode, acc);
	pr_info("Smack %s: (%s %s %s) file=(%s %ld %pD) %s\n", smk_bu_mess[rc],
		sskp->smk_known, smk_of_inode(inode)->smk_known, acc,
		inode->i_sb->s_id, inode->i_ino, file,
		current->comm);
	return 0;
}
#else
#define smk_bu_file(file, mode, RC) (RC)
#endif

#ifdef CONFIG_SECURITY_SMACK_BRINGUP
/**
 * smk_bu_credfile - smk_bu_file() with an explicit subject credential
 * @cred: credential whose Smack label is the subject
 * @file: the object
 * @mode: access requested
 * @rc: result of the access check
 *
 * Same result handling as smk_bu_note().  The comm logged is still that
 * of the current task, not of whoever owns @cred.
 */
static int smk_bu_credfile(const struct cred *cred, struct file *file,
				int mode, int rc)
{
	struct task_smack *tsp = smack_cred(cred);
	struct smack_known *sskp = tsp->smk_task;
	struct inode *inode = file_inode(file);
	struct inode_smack *isp = smack_inode(inode);
	char acc[SMK_NUM_ACCESS_TYPE + 1];

	if (isp->smk_flags & SMK_INODE_IMPURE)
		pr_info("Smack Unconfined Corruption: inode=(%s %ld) %s\n",
			inode->i_sb->s_id, inode->i_ino, current->comm);

	if (rc <= 0)
		return rc;
	if (rc > SMACK_UNCONFINED_OBJECT)
		rc = 0;

	smk_bu_mode(mode, acc);
	pr_info("Smack %s: (%s %s %s) file=(%s %ld %pD) %s\n", smk_bu_mess[rc],
		sskp->smk_known, smk_of_inode(inode)->smk_known, acc,
		inode->i_sb->s_id, inode->i_ino, file,
		current->comm);
	return 0;
}
#else
#define smk_bu_credfile(cred, file, mode, RC) (RC)
#endif

/**
 * smk_fetch - Fetch the smack label from a file.
 * @name: type of the label (attribute)
 * @ip: a pointer to the inode
 * @dp: a pointer to the dentry
 *
 * Reads the named xattr into a temporary SMK_LONGLABEL-byte buffer and
 * imports it into the master label list.
 *
 * Returns a pointer to the master list entry for the Smack label,
 * NULL if there was no label to fetch, or an error code.
*/
static struct smack_known *smk_fetch(const char *name, struct inode *ip,
					struct dentry *dp)
{
	int rc;
	char *buffer;
	struct smack_known *skp = NULL;

	/* Filesystems without xattr support cannot carry a label. */
	if (!(ip->i_opflags & IOP_XATTR))
		return ERR_PTR(-EOPNOTSUPP);

	buffer = kzalloc(SMK_LONGLABEL, GFP_NOFS);
	if (buffer == NULL)
		return ERR_PTR(-ENOMEM);

	/* rc is the attribute length on success; it bounds the import. */
	rc = __vfs_getxattr(dp, ip, name, buffer, SMK_LONGLABEL);
	if (rc < 0)
		skp = ERR_PTR(rc);
	else if (rc == 0)
		skp = NULL;
	else
		skp = smk_import_entry(buffer, rc);

	kfree(buffer);

	return skp;
}

/**
 * init_inode_smack - initialize an inode security blob
 * @inode: inode to extract the info from
 * @skp: a pointer to the Smack label entry to use in the blob
 *
 * Sets the inode label, clears all SMK_INODE_* flags and initializes
 * the blob's mutex.
 */
static void init_inode_smack(struct inode *inode, struct smack_known *skp)
{
	struct inode_smack *isp = smack_inode(inode);

	isp->smk_inode = skp;
	isp->smk_flags = 0;
	mutex_init(&isp->smk_lock);
}

/**
 * init_task_smack - initialize a task security blob
 * @tsp: blob to initialize
 * @task: a pointer to the Smack label for the running task
 * @forked: a pointer to the Smack label for the forked task
 *
 * Starts with empty rule and relabel lists.
 */
static void init_task_smack(struct task_smack *tsp, struct smack_known *task,
					struct smack_known *forked)
{
	tsp->smk_task = task;
	tsp->smk_forked = forked;
	INIT_LIST_HEAD(&tsp->smk_rules);
	INIT_LIST_HEAD(&tsp->smk_relabel);
	mutex_init(&tsp->smk_rules_lock);
}

/**
 * smk_copy_rules - copy a rule set
 * @nhead: new rules header pointer
 * @ohead: old rules header pointer
 * @gfp: type of the memory for the allocation
 *
 * Each rule is a shallow copy allocated from smack_rule_cache.  On an
 * allocation failure the rules already copied are left on @nhead; no
 * rollback is done here.
 *
 * Returns 0 on success, -ENOMEM on error
 */
static int smk_copy_rules(struct list_head *nhead, struct list_head *ohead,
				gfp_t gfp)
{
	struct smack_rule *nrp;
	struct smack_rule *orp;
	int rc = 0;

	list_for_each_entry_rcu(orp, ohead, list) {
		nrp = kmem_cache_zalloc(smack_rule_cache, gfp);
		if (nrp == NULL) {
			rc = -ENOMEM;
			break;
		}
		*nrp = *orp;
		list_add_rcu(&nrp->list, nhead);
	}
	return rc;
}

/**
 * smk_copy_relabel - copy smk_relabel labels list
 * @nhead: new rules header pointer
 * @ohead: old rules header pointer
 * @gfp: type of the memory for the allocation
 *
 * Unlike smk_copy_rules(), a failure here releases the partial list
 * on @nhead before returning.
 *
 * Returns 0 on success, -ENOMEM on error
 */
static int smk_copy_relabel(struct list_head *nhead, struct list_head *ohead,
				gfp_t gfp)
{
	struct smack_known_list_elem *nklep;
	struct smack_known_list_elem *oklep;

	list_for_each_entry(oklep, ohead, list) {
		nklep = kzalloc(sizeof(struct smack_known_list_elem), gfp);
		if (nklep == NULL) {
			smk_destroy_label_list(nhead);
			return -ENOMEM;
		}
		nklep->smk_label = oklep->smk_label;
		list_add(&nklep->list, nhead);
	}

	return 0;
}

/**
 * smk_ptrace_mode - helper function for converting PTRACE_MODE_* into MAY_*
 * @mode - input mode in form of PTRACE_MODE_*
 *
 * ATTACH maps to read+write, READ to read, anything else to no access.
 *
 * Returns a converted MAY_* mode usable by smack rules
 */
static inline unsigned int smk_ptrace_mode(unsigned int mode)
{
	if (mode & PTRACE_MODE_ATTACH)
		return MAY_READWRITE;
	if (mode & PTRACE_MODE_READ)
		return MAY_READ;

	return 0;
}

/**
 * smk_ptrace_rule_check - helper for ptrace access
 * @tracer: tracer process
 * @tracee_known: label entry of the process that's about to be traced
 * @mode: ptrace attachment mode (PTRACE_MODE_*)
 * @func: name of the function that called us, used for audit
 *
 * With smack_ptrace_rule set to EXACT or DRACONIAN an ATTACH requires
 * the tracer and tracee labels to be identical; EXACT additionally lets
 * a tracer holding CAP_SYS_PTRACE through, DRACONIAN does not.  In the
 * DEFAULT mode, and for READ, the ordinary access rules decide.
 * Auditing is suppressed when PTRACE_MODE_NOAUDIT is set.
 *
 * Returns 0 on access granted, -error on error
 */
static int smk_ptrace_rule_check(struct task_struct *tracer,
				 struct smack_known *tracee_known,
				 unsigned int mode, const char *func)
{
	int rc;
	struct smk_audit_info ad, *saip = NULL;
	struct task_smack *tsp;
	struct smack_known *tracer_known;
	const struct cred *tracercred;

	if ((mode & PTRACE_MODE_NOAUDIT) == 0) {
		smk_ad_init(&ad, func, LSM_AUDIT_DATA_TASK);
		smk_ad_setfield_u_tsk(&ad, tracer);
		saip = &ad;
	}

	/* The tracer's credentials are only stable under RCU. */
	rcu_read_lock();
	tracercred = __task_cred(tracer);
	tsp = smack_cred(tracercred);
	tracer_known = smk_of_task(tsp);

	if ((mode & PTRACE_MODE_ATTACH) &&
	    (smack_ptrace_rule == SMACK_PTRACE_EXACT ||
	     smack_ptrace_rule == SMACK_PTRACE_DRACONIAN)) {
		if (tracer_known->smk_known == tracee_known->smk_known)
			rc = 0;
		else if (smack_ptrace_rule == SMACK_PTRACE_DRACONIAN)
			rc = -EACCES;
		else if (smack_privileged_cred(CAP_SYS_PTRACE, tracercred))
			rc = 0;
		else
			rc = -EACCES;

		if (saip)
			smack_log(tracer_known->smk_known,
				  tracee_known->smk_known,
				  0, rc, saip);

		rcu_read_unlock();
		return rc;
	}

	/* In case of rule==SMACK_PTRACE_DEFAULT or mode==PTRACE_MODE_READ */
	rc = smk_tskacc(tsp, tracee_known, smk_ptrace_mode(mode), saip);

	rcu_read_unlock();
	return rc;
}

/*
 * LSM hooks.
 * We he, that is fun!
 */

/**
 * smack_ptrace_access_check - Smack approval on PTRACE_ATTACH
 * @ctp: child task pointer
 * @mode: ptrace attachment mode (PTRACE_MODE_*)
 *
 * Returns 0 if access is OK, an error code otherwise
 *
 * Do the capability checks.  The current task is the tracer and
 * @ctp the prospective tracee.
 */
static int smack_ptrace_access_check(struct task_struct *ctp, unsigned int mode)
{
	struct smack_known *skp;

	skp = smk_of_task_struct(ctp);

	return smk_ptrace_rule_check(current, skp, mode, __func__);
}

/**
 * smack_ptrace_traceme - Smack approval on PTRACE_TRACEME
 * @ptp: parent task pointer
 *
 * Returns 0 if access is OK, an error code otherwise
 *
 * Do the capability checks, and require PTRACE_MODE_ATTACH.
 * Here the roles are reversed: @ptp is the tracer and the current
 * task is the tracee.
*/
static int smack_ptrace_traceme(struct task_struct *ptp)
{
	int rc;
	struct smack_known *skp;

	skp = smk_of_task(smack_cred(current_cred()));

	rc = smk_ptrace_rule_check(ptp, skp, PTRACE_MODE_ATTACH, __func__);
	return rc;
}

/**
 * smack_syslog - Smack approval on syslog
 * @typefrom_file: unused
 *
 * CAP_MAC_OVERRIDE bypasses the check.  Otherwise, if a syslog label
 * has been configured, only tasks carrying exactly that label pass.
 *
 * Returns 0 on success, error code otherwise.
 */
static int smack_syslog(int typefrom_file)
{
	int rc = 0;
	struct smack_known *skp = smk_of_current();

	if (smack_privileged(CAP_MAC_OVERRIDE))
		return 0;

	if (smack_syslog_label != NULL && smack_syslog_label != skp)
		rc = -EACCES;

	return rc;
}

/*
 * Superblock Hooks.
 */

/**
 * smack_sb_alloc_security - allocate a superblock blob
 * @sb: the superblock getting the blob
 *
 * The blob starts with the floor label for root, default and floor,
 * and the hat label for hat; smack_set_mnt_opts() may override these.
 *
 * Returns 0 on success or -ENOMEM on error.
 */
static int smack_sb_alloc_security(struct super_block *sb)
{
	struct superblock_smack *sbsp;

	sbsp = kzalloc(sizeof(struct superblock_smack), GFP_KERNEL);

	if (sbsp == NULL)
		return -ENOMEM;

	sbsp->smk_root = &smack_known_floor;
	sbsp->smk_default = &smack_known_floor;
	sbsp->smk_floor = &smack_known_floor;
	sbsp->smk_hat = &smack_known_hat;
	/*
	 * SMK_SB_INITIALIZED will be zero from kzalloc.
	 */
	sb->s_security = sbsp;

	return 0;
}

/**
 * smack_sb_free_security - free a superblock blob
 * @sb: the superblock getting the blob
 *
 * Clears the pointer after freeing.
 */
static void smack_sb_free_security(struct super_block *sb)
{
	kfree(sb->s_security);
	sb->s_security = NULL;
}

/*
 * Parsed Smack mount options.  Each string is owned by this structure
 * (allocated by the caller of smack_add_opt(), freed here).
 */
struct smack_mnt_opts {
	const char *fsdefault, *fsfloor, *fshat, *fsroot, *fstransmute;
};

/**
 * smack_free_mnt_opts - release a struct smack_mnt_opts and its strings
 * @mnt_opts: the options, as stored in the fs_context or mount data
 */
static void smack_free_mnt_opts(void *mnt_opts)
{
	struct smack_mnt_opts *opts = mnt_opts;
	kfree(opts->fsdefault);
	kfree(opts->fsfloor);
	kfree(opts->fshat);
	kfree(opts->fsroot);
	kfree(opts->fstransmute);
	kfree(opts);
}

/**
 * smack_add_opt - record one Smack mount option
 * @token: Opt_* token identifying the option
 * @s: option value; ownership passes to @mnt_opts on success only
 * @mnt_opts: pointer to the struct smack_mnt_opts, allocated on demand
 *
 * The option structure is allocated and stored through @mnt_opts before
 * @s is examined, so the caller owns it (and must free it) even when
 * this call fails.  A repeated option is rejected with -EINVAL; @s is
 * not freed in that case, the caller still owns it.  Tokens outside the
 * Opt_fs* set fall through and return 0 without storing @s; the visible
 * callers only pass tokens from smk_mount_opts / smack_fs_parameters.
 *
 * Returns 0 on success, -ENOMEM if @s or the allocation is missing,
 * -EINVAL on a duplicate.
 */
static int smack_add_opt(int token, const char *s, void **mnt_opts)
{
	struct smack_mnt_opts *opts = *mnt_opts;

	if (!opts) {
		opts = kzalloc(sizeof(struct smack_mnt_opts), GFP_KERNEL);
		if (!opts)
			return -ENOMEM;
		*mnt_opts = opts;
	}
	if (!s)
		return -ENOMEM;

	switch (token) {
	case Opt_fsdefault:
		if (opts->fsdefault)
			goto out_opt_err;
		opts->fsdefault = s;
		break;
	case Opt_fsfloor:
		if (opts->fsfloor)
			goto out_opt_err;
		opts->fsfloor = s;
		break;
	case Opt_fshat:
		if (opts->fshat)
			goto out_opt_err;
		opts->fshat = s;
		break;
	case Opt_fsroot:
		if (opts->fsroot)
			goto out_opt_err;
		opts->fsroot = s;
		break;
	case Opt_fstransmute:
		if (opts->fstransmute)
			goto out_opt_err;
		opts->fstransmute = s;
		break;
	}
	return 0;

out_opt_err:
	pr_warn("Smack: duplicate mount options\n");
	return -EINVAL;
}

/**
 * smack_fs_context_dup - Duplicate the security data on fs_context duplication
 * @fc: The new filesystem context.
 * @src_fc: The source filesystem context being duplicated.
 *
 * Every option string is deep-copied.  NOTE(review): on a kstrdup()
 * failure the partially filled structure is left in fc->security; the
 * fs_context free path that is expected to release it is not visible
 * here.
 *
 * Returns 0 on success or -ENOMEM on error.
 */
static int smack_fs_context_dup(struct fs_context *fc,
				struct fs_context *src_fc)
{
	struct smack_mnt_opts *dst, *src = src_fc->security;

	if (!src)
		return 0;

	fc->security = kzalloc(sizeof(struct smack_mnt_opts), GFP_KERNEL);
	if (!fc->security)
		return -ENOMEM;
	dst = fc->security;

	if (src->fsdefault) {
		dst->fsdefault = kstrdup(src->fsdefault, GFP_KERNEL);
		if (!dst->fsdefault)
			return -ENOMEM;
	}
	if (src->fsfloor) {
		dst->fsfloor = kstrdup(src->fsfloor, GFP_KERNEL);
		if (!dst->fsfloor)
			return -ENOMEM;
	}
	if (src->fshat) {
		dst->fshat = kstrdup(src->fshat, GFP_KERNEL);
		if (!dst->fshat)
			return -ENOMEM;
	}
	if (src->fsroot) {
		dst->fsroot = kstrdup(src->fsroot, GFP_KERNEL);
		if (!dst->fsroot)
			return -ENOMEM;
	}
	if (src->fstransmute) {
		dst->fstransmute = kstrdup(src->fstransmute, GFP_KERNEL);
		if (!dst->fstransmute)
			return -ENOMEM;
	}
	return 0;
}

/*
 * Smack mount parameters for the fs_context based (new) mount API.
 * The set mirrors smk_mount_opts, including the "smackfsdef" alias.
 */
static const struct fs_parameter_spec smack_fs_parameters[] = {
	fsparam_string("smackfsdef",		Opt_fsdefault),
	fsparam_string("smackfsdefault",	Opt_fsdefault),
	fsparam_string("smackfsfloor",		Opt_fsfloor),
	fsparam_string("smackfshat",		Opt_fshat),
	fsparam_string("smackfsroot",		Opt_fsroot),
	fsparam_string("smackfstransmute",	Opt_fstransmute),
	{}
};

/**
 * smack_fs_context_parse_param - Parse a single mount parameter
 * @fc: The new filesystem context being constructed.
 * @param: The parameter.
 *
 * On success the parameter's string is handed over to fc->security and
 * detached from @param so it is not freed twice.
 *
 * Returns 0 on success, -ENOPARAM to pass the parameter on or anything else on
 * error.
 */
static int smack_fs_context_parse_param(struct fs_context *fc,
					struct fs_parameter *param)
{
	struct fs_parse_result result;
	int opt, rc;

	opt = fs_parse(fc, smack_fs_parameters, param, &result);
	if (opt < 0)
		return opt;

	rc = smack_add_opt(opt, param->string, &fc->security);
	if (!rc)
		param->string = NULL;
	return rc;
}

/**
 * smack_sb_eat_lsm_opts - pull Smack options out of a legacy option string
 * @options: comma separated mount options, rewritten in place
 * @mnt_opts: where the parsed struct smack_mnt_opts is stored
 *
 * Smack options are copied out (kmemdup_nul) and recorded through
 * smack_add_opt(); all other options are compacted to the front of
 * @options for the filesystem.  A NULL from kmemdup_nul() is caught by
 * smack_add_opt()'s own check and reported as -ENOMEM.  On any error
 * the options collected so far are freed and *@mnt_opts reset.
 *
 * Returns 0 on success, an error code from smack_add_opt() otherwise.
 */
static int smack_sb_eat_lsm_opts(char *options, void **mnt_opts)
{
	char *from = options, *to = options;
	bool first = true;

	while (1) {
		char *next = strchr(from, ',');
		int token, len, rc;
		char *arg = NULL;

		if (next)
			len = next - from;
		else
			len = strlen(from);

		token = match_opt_prefix(from, len, &arg);
		if (token != Opt_error) {
			arg = kmemdup_nul(arg, from + len - arg, GFP_KERNEL);
			rc = smack_add_opt(token, arg, mnt_opts);
			if (unlikely(rc)) {
				kfree(arg);
				if (*mnt_opts)
					smack_free_mnt_opts(*mnt_opts);
				*mnt_opts = NULL;
				return rc;
			}
		} else {
			if (!first) {	// copy with preceding comma
				from--;
				len++;
			}
			if (to != from)
				memmove(to, from, len);
			to += len;
			first = false;
		}
		if (!from[len])
			break;
		from += len + 1;
	}
	*to = '\0';
	return 0;
}

/**
 * smack_set_mnt_opts - set Smack specific mount options
 * @sb: the file system superblock
 * @mnt_opts: Smack mount options
 * @kern_flags: mount option from kernel space or user space
 * @set_kern_flags: where to store converted mount opts
 *
 * Returns 0 on success, an error code on failure
 *
 * Allow filesystems with binary mount data to explicitly set Smack mount
 * labels.
*/
static int smack_set_mnt_opts(struct super_block *sb,
		void *mnt_opts,
		unsigned long kern_flags,
		unsigned long *set_kern_flags)
{
	struct dentry *root = sb->s_root;
	struct inode *inode = d_backing_inode(root);
	struct superblock_smack *sp = sb->s_security;
	struct inode_smack *isp;
	struct smack_known *skp;
	struct smack_mnt_opts *opts = mnt_opts;
	bool transmute = false;

	/* Only the first call per superblock does anything. */
	if (sp->smk_flags & SMK_SB_INITIALIZED)
		return 0;

	if (inode->i_security == NULL) {
		int rc = lsm_inode_alloc(inode);

		if (rc)
			return rc;
	}

	if (!smack_privileged(CAP_MAC_ADMIN)) {
		/*
		 * Unprivileged mounts don't get to specify Smack values.
		 */
		if (opts)
			return -EPERM;
		/*
		 * Unprivileged mounts get root and default from the caller.
		 */
		skp = smk_of_current();
		sp->smk_root = skp;
		sp->smk_default = skp;
		/*
		 * For a handful of fs types with no user-controlled
		 * backing store it's okay to trust security labels
		 * in the filesystem. The rest are untrusted.
		 */
		if (sb->s_user_ns != &init_user_ns &&
		    sb->s_magic != SYSFS_MAGIC && sb->s_magic != TMPFS_MAGIC &&
		    sb->s_magic != RAMFS_MAGIC) {
			transmute = true;
			sp->smk_flags |= SMK_SB_UNTRUSTED;
		}
	}

	/*
	 * NOTE(review): the superblock is marked initialized before the
	 * option labels below are imported, so an import failure returns
	 * an error but leaves the superblock initialized with whichever
	 * labels were applied up to that point.
	 */
	sp->smk_flags |= SMK_SB_INITIALIZED;

	if (opts) {
		if (opts->fsdefault) {
			skp = smk_import_entry(opts->fsdefault, 0);
			if (IS_ERR(skp))
				return PTR_ERR(skp);
			sp->smk_default = skp;
		}
		if (opts->fsfloor) {
			skp = smk_import_entry(opts->fsfloor, 0);
			if (IS_ERR(skp))
				return PTR_ERR(skp);
			sp->smk_floor = skp;
		}
		if (opts->fshat) {
			skp = smk_import_entry(opts->fshat, 0);
			if (IS_ERR(skp))
				return PTR_ERR(skp);
			sp->smk_hat = skp;
		}
		if (opts->fsroot) {
			skp = smk_import_entry(opts->fsroot, 0);
			if (IS_ERR(skp))
				return PTR_ERR(skp);
			sp->smk_root = skp;
		}
		/* fstransmute sets the root label and marks root transmuting. */
		if (opts->fstransmute) {
			skp = smk_import_entry(opts->fstransmute, 0);
			if (IS_ERR(skp))
				return PTR_ERR(skp);
			sp->smk_root = skp;
			transmute = true;
		}
	}

	/*
	 * Initialize the root inode.
	 */
	init_inode_smack(inode, sp->smk_root);

	if (transmute) {
		isp = smack_inode(inode);
		isp->smk_flags |= SMK_INODE_TRANSMUTE;
	}

	return 0;
}

/**
 * smack_sb_statfs - Smack check on statfs
 * @dentry: identifies the file system in question
 *
 * Returns 0 if current can read the floor of the filesystem,
 * and error code otherwise
 */
static int smack_sb_statfs(struct dentry *dentry)
{
	struct superblock_smack *sbp = dentry->d_sb->s_security;
	int rc;
	struct smk_audit_info ad;

	smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_DENTRY);
	smk_ad_setfield_u_fs_path_dentry(&ad, dentry);

	rc = smk_curacc(sbp->smk_floor, MAY_READ, &ad);
	rc = smk_bu_current("statfs", sbp->smk_floor, MAY_READ, rc);
	return rc;
}

/*
 * BPRM hooks
 */

/**
 * smack_bprm_set_creds - set creds for exec
 * @bprm: the exec information
 *
 * Applies a SMACKEXEC label transition.  No transition happens when the
 * file carries no exec label, when it equals the current label, or when
 * the file lives on an untrusted superblock and its exec label is not
 * that superblock's root label.  A traced task may only transition if
 * the tracer would be allowed to PTRACE_ATTACH to the new label; any
 * other LSM_UNSAFE_* condition forbids the exec.
 *
 * Returns 0 if it gets a blob, -EPERM if exec forbidden and -ENOMEM otherwise
 */
static int smack_bprm_set_creds(struct linux_binprm *bprm)
{
	struct inode *inode = file_inode(bprm->file);
	struct task_smack *bsp = smack_cred(bprm->cred);
	struct inode_smack *isp;
	struct superblock_smack *sbsp;
	int rc;

	if (bprm->called_set_creds)
		return 0;

	isp = smack_inode(inode);
	if (isp->smk_task == NULL || isp->smk_task == bsp->smk_task)
		return 0;

	sbsp = inode->i_sb->s_security;
	if ((sbsp->smk_flags & SMK_SB_UNTRUSTED) &&
	    isp->smk_task != sbsp->smk_root)
		return 0;

	if (bprm->unsafe & LSM_UNSAFE_PTRACE) {
		struct task_struct *tracer;
		rc = 0;

		/* ptrace_parent() is only valid under RCU. */
		rcu_read_lock();
		tracer = ptrace_parent(current);
		if (likely(tracer != NULL))
			rc = smk_ptrace_rule_check(tracer,
						   isp->smk_task,
						   PTRACE_MODE_ATTACH,
						   __func__);
		rcu_read_unlock();

		if (rc != 0)
			return rc;
	}
	if (bprm->unsafe & ~LSM_UNSAFE_PTRACE)
		return -EPERM;

	bsp->smk_task = isp->smk_task;
	bprm->per_clear |= PER_CLEAR_ON_SETID;

	/* Decide if this is a secure exec. */
	if (bsp->smk_task != bsp->smk_forked)
		bprm->secureexec = 1;

	return 0;
}

/*
 * Inode hooks
 */

/**
 * smack_inode_alloc_security - allocate an inode blob
 * @inode: the inode in need of a blob
 *
 * The new inode starts with the current task's label.
 *
 * Returns 0
 */
static int smack_inode_alloc_security(struct inode *inode)
{
	struct smack_known *skp = smk_of_current();

	init_inode_smack(inode, skp);
	return 0;
}

/**
 * smack_inode_init_security - copy out the smack from an inode
 * @inode: the newly created inode
 * @dir: containing directory object
 * @qstr: unused
 * @name: where to put the attribute name
 * @value: where to put the attribute value
 * @len: where to put the length of the attribute
 *
 * The value handed back is the inode's own label, unless the current
 * task's rule on the directory allows transmutation and the directory
 * is transmuting, in which case the directory's label is used and the
 * inode is flagged SMK_INODE_CHANGED.
 *
 * Returns 0 if it all works out, -ENOMEM if there's no memory
 */
static int smack_inode_init_security(struct inode *inode, struct inode *dir,
				     const struct qstr *qstr, const char **name,
				     void **value, size_t *len)
{
	struct inode_smack *issp = smack_inode(inode);
	struct smack_known *skp = smk_of_current();
	struct smack_known *isp = smk_of_inode(inode);
	struct smack_known *dsp = smk_of_inode(dir);
	int may;

	if (name)
		*name = XATTR_SMACK_SUFFIX;

	if (value && len) {
		rcu_read_lock();
		may = smk_access_entry(skp->smk_known, dsp->smk_known,
				       &skp->smk_rules);
		rcu_read_unlock();

		/*
		 * If the access rule allows transmutation and
		 * the directory requests transmutation then
		 * by all means transmute.
		 * Mark the inode as changed.
		 */
		if (may > 0 && ((may & MAY_TRANSMUTE) != 0) &&
		    smk_inode_transmutable(dir)) {
			isp = dsp;
			issp->smk_flags |= SMK_INODE_CHANGED;
		}

		*value = kstrdup(isp->smk_known, GFP_NOFS);
		if (*value == NULL)
			return -ENOMEM;

		*len = strlen(isp->smk_known);
	}

	return 0;
}

/**
 * smack_inode_link - Smack check on link
 * @old_dentry: the existing object
 * @dir: unused
 * @new_dentry: the new object
 *
 * Write access is needed on the existing object and, when the new
 * dentry already resolves to something, on that object too.
 *
 * Returns 0 if access is permitted, an error code otherwise
 */
static int smack_inode_link(struct dentry *old_dentry, struct inode *dir,
			    struct dentry *new_dentry)
{
	struct smack_known *isp;
	struct smk_audit_info ad;
	int rc;

	smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_DENTRY);
	smk_ad_setfield_u_fs_path_dentry(&ad, old_dentry);

	isp = smk_of_inode(d_backing_inode(old_dentry));
	rc = smk_curacc(isp, MAY_WRITE, &ad);
	rc = smk_bu_inode(d_backing_inode(old_dentry), MAY_WRITE, rc);

	if (rc == 0 && d_is_positive(new_dentry)) {
		isp = smk_of_inode(d_backing_inode(new_dentry));
		smk_ad_setfield_u_fs_path_dentry(&ad, new_dentry);
		rc = smk_curacc(isp, MAY_WRITE, &ad);
		rc = smk_bu_inode(d_backing_inode(new_dentry), MAY_WRITE, rc);
	}

	return rc;
}

/**
 * smack_inode_unlink - Smack check on inode deletion
 * @dir: containing directory object
 * @dentry: file to unlink
 *
 * Returns 0 if current can write the containing directory
 * and the object, error code otherwise
 */
static int smack_inode_unlink(struct inode *dir, struct dentry *dentry)
{
	struct inode *ip = d_backing_inode(dentry);
	struct smk_audit_info ad;
	int rc;

	smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_DENTRY);
	smk_ad_setfield_u_fs_path_dentry(&ad, dentry);

	/*
	 * You need write access to the thing you're unlinking
	 */
	rc = smk_curacc(smk_of_inode(ip), MAY_WRITE, &ad);
	rc = smk_bu_inode(ip, MAY_WRITE, rc);
	if (rc == 0) {
		/*
		 * You also need write access to the containing directory
		 */
		smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_INODE);
		smk_ad_setfield_u_fs_inode(&ad, dir);
		rc = smk_curacc(smk_of_inode(dir), MAY_WRITE, &ad);
		rc = smk_bu_inode(dir, MAY_WRITE, rc);
	}
	return rc;
}

/**
 * smack_inode_rmdir - Smack check on directory deletion
 * @dir: containing directory object
 * @dentry: directory to unlink
 *
 * Returns 0 if current can write the containing directory
 * and the directory, error code otherwise
 */
static int smack_inode_rmdir(struct inode *dir, struct dentry *dentry)
{
	struct smk_audit_info ad;
	int rc;

	smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_DENTRY);
	smk_ad_setfield_u_fs_path_dentry(&ad, dentry);

	/*
	 * You need write access to the thing you're removing
	 */
	rc = smk_curacc(smk_of_inode(d_backing_inode(dentry)), MAY_WRITE, &ad);
	rc = smk_bu_inode(d_backing_inode(dentry), MAY_WRITE, rc);
	if (rc == 0) {
		/*
		 * You also need write access to the containing directory
		 */
		smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_INODE);
		smk_ad_setfield_u_fs_inode(&ad, dir);
		rc = smk_curacc(smk_of_inode(dir), MAY_WRITE, &ad);
		rc = smk_bu_inode(dir, MAY_WRITE, rc);
	}

	return rc;
}

/**
 * smack_inode_rename - Smack check on rename
 * @old_inode: unused
 * @old_dentry: the old object
 * @new_inode: unused
 * @new_dentry: the new object
 *
 * Read and write access is required on both the old and
 * new objects (the new one only if it already exists).
 *
 * Returns 0 if access is permitted, an error code otherwise
 */
static int smack_inode_rename(struct inode *old_inode,
			      struct dentry *old_dentry,
			      struct inode *new_inode,
			      struct dentry *new_dentry)
{
	int rc;
	struct smack_known *isp;
	struct smk_audit_info ad;

	smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_DENTRY);
	smk_ad_setfield_u_fs_path_dentry(&ad, old_dentry);

	isp = smk_of_inode(d_backing_inode(old_dentry));
	rc = smk_curacc(isp, MAY_READWRITE, &ad);
	rc = smk_bu_inode(d_backing_inode(old_dentry), MAY_READWRITE, rc);

	if (rc == 0 && d_is_positive(new_dentry)) {
		isp = smk_of_inode(d_backing_inode(new_dentry));
		smk_ad_setfield_u_fs_path_dentry(&ad, new_dentry);
		rc = smk_curacc(isp, MAY_READWRITE, &ad);
		rc = smk_bu_inode(d_backing_inode(new_dentry), MAY_READWRITE, rc);
	}
	return rc;
}

/**
 * smack_inode_permission - Smack version of permission()
 * @inode: the inode in question
 * @mask: the access requested
 *
 * This is the important Smack hook.
 *
 * On an untrusted superblock only objects carrying the superblock's
 * root label are accessible at all.  In RCU-walk mode (MAY_NOT_BLOCK)
 * the check is refused with -ECHILD so the VFS retries in ref-walk.
 *
 * Returns 0 if access is permitted, an error code otherwise
 */
static int smack_inode_permission(struct inode *inode, int mask)
{
	struct superblock_smack *sbsp = inode->i_sb->s_security;
	struct smk_audit_info ad;
	int no_block = mask & MAY_NOT_BLOCK;
	int rc;

	mask &= (MAY_READ|MAY_WRITE|MAY_EXEC|MAY_APPEND);
	/*
	 * No permission to check. Existence test. Yup, it's there.
*/
	if (mask == 0)
		return 0;

	if (sbsp->smk_flags & SMK_SB_UNTRUSTED) {
		if (smk_of_inode(inode) != sbsp->smk_root)
			return -EACCES;
	}

	/* May be droppable after audit */
	if (no_block)
		return -ECHILD;
	smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_INODE);
	smk_ad_setfield_u_fs_inode(&ad, inode);
	rc = smk_curacc(smk_of_inode(inode), mask, &ad);
	rc = smk_bu_inode(inode, mask, rc);
	return rc;
}

/**
 * smack_inode_setattr - Smack check for setting attributes
 * @dentry: the object
 * @iattr: for the force flag
 *
 * Returns 0 if access is permitted, an error code otherwise
 */
static int smack_inode_setattr(struct dentry *dentry, struct iattr *iattr)
{
	struct smk_audit_info ad;
	int rc;

	/*
	 * Need to allow for clearing the setuid bit.
	 */
	if (iattr->ia_valid & ATTR_FORCE)
		return 0;
	smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_DENTRY);
	smk_ad_setfield_u_fs_path_dentry(&ad, dentry);

	rc = smk_curacc(smk_of_inode(d_backing_inode(dentry)), MAY_WRITE, &ad);
	rc = smk_bu_inode(d_backing_inode(dentry), MAY_WRITE, rc);
	return rc;
}

/**
 * smack_inode_getattr - Smack check for getting attributes
 * @path: path to extract the info from
 *
 * Returns 0 if access is permitted, an error code otherwise
 */
static int smack_inode_getattr(const struct path *path)
{
	struct smk_audit_info ad;
	struct inode *inode = d_backing_inode(path->dentry);
	int rc;

	smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_PATH);
	smk_ad_setfield_u_fs_path(&ad, *path);
	rc = smk_curacc(smk_of_inode(inode), MAY_READ, &ad);
	rc = smk_bu_inode(inode, MAY_READ, rc);
	return rc;
}

/**
 * smack_inode_setxattr - Smack check for setting xattrs
 * @dentry: the object
 * @name: name of the attribute
 * @value: value of the attribute
 * @size: size of the value
 * @flags: unused
 *
 * This protects the Smack attribute explicitly.
 *
 * Every Smack attribute requires CAP_MAC_ADMIN.  The label attributes
 * are also validated here: an empty value is rejected, and SMACKEXEC
 * and SMACKMMAP may not be set to the star or web labels.  The
 * SMACKTRANSMUTE value must be exactly TRANS_TRUE.  Other attribute
 * names are left to cap_inode_setxattr().  Only once all of that
 * passes is write access to the object checked.
 *
 * Returns 0 if access is permitted, an error code otherwise
 */
static int smack_inode_setxattr(struct dentry *dentry, const char *name,
				const void *value, size_t size, int flags)
{
	struct smk_audit_info ad;
	struct smack_known *skp;
	int check_priv = 0;
	int check_import = 0;
	int check_star = 0;
	int rc = 0;

	/*
	 * Check label validity here so import won't fail in post_setxattr
	 */
	if (strcmp(name, XATTR_NAME_SMACK) == 0 ||
	    strcmp(name, XATTR_NAME_SMACKIPIN) == 0 ||
	    strcmp(name, XATTR_NAME_SMACKIPOUT) == 0) {
		check_priv = 1;
		check_import = 1;
	} else if (strcmp(name, XATTR_NAME_SMACKEXEC) == 0 ||
		   strcmp(name, XATTR_NAME_SMACKMMAP) == 0) {
		check_priv = 1;
		check_import = 1;
		check_star = 1;
	} else if (strcmp(name, XATTR_NAME_SMACKTRANSMUTE) == 0) {
		check_priv = 1;
		/* Length is pinned first, so the strncmp read is bounded. */
		if (size != TRANS_TRUE_SIZE ||
		    strncmp(value, TRANS_TRUE, TRANS_TRUE_SIZE) != 0)
			rc = -EINVAL;
	} else
		rc = cap_inode_setxattr(dentry, name, value, size, flags);

	if (check_priv && !smack_privileged(CAP_MAC_ADMIN))
		rc = -EPERM;

	if (rc == 0 && check_import) {
		skp = size ? smk_import_entry(value, size) : NULL;
		if (IS_ERR(skp))
			rc = PTR_ERR(skp);
		else if (skp == NULL || (check_star &&
		    (skp == &smack_known_star || skp == &smack_known_web)))
			rc = -EINVAL;
	}

	smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_DENTRY);
	smk_ad_setfield_u_fs_path_dentry(&ad, dentry);

	if (rc == 0) {
		rc = smk_curacc(smk_of_inode(d_backing_inode(dentry)), MAY_WRITE, &ad);
		rc = smk_bu_inode(d_backing_inode(dentry), MAY_WRITE, rc);
	}

	return rc;
}

/**
 * smack_inode_post_setxattr - Apply the Smack update approved above
 * @dentry: object
 * @name: attribute name
 * @value: attribute value
 * @size: attribute size
 * @flags: unused
 *
 * Set the pointer in the inode blob to the entry found
 * in the master label list.  No privilege check is repeated here;
 * smack_inode_setxattr() already validated the name, value and caller.
 * SMACKIPIN/SMACKIPOUT are not cached in the blob and are ignored here.
 */
static void smack_inode_post_setxattr(struct dentry *dentry, const char *name,
				      const void *value, size_t size, int flags)
{
	struct smack_known *skp;
	struct inode_smack *isp = smack_inode(d_backing_inode(dentry));

	if (strcmp(name, XATTR_NAME_SMACKTRANSMUTE) == 0) {
		isp->smk_flags |= SMK_INODE_TRANSMUTE;
		return;
	}

	/* Only IS_ERR() is checked; setxattr above made the import succeed. */
	if (strcmp(name, XATTR_NAME_SMACK) == 0) {
		skp = smk_import_entry(value, size);
		if (!IS_ERR(skp))
			isp->smk_inode = skp;
	} else if (strcmp(name, XATTR_NAME_SMACKEXEC) == 0) {
		skp = smk_import_entry(value, size);
		if (!IS_ERR(skp))
			isp->smk_task = skp;
	} else if (strcmp(name, XATTR_NAME_SMACKMMAP) == 0) {
		skp = smk_import_entry(value, size);
		if (!IS_ERR(skp))
			isp->smk_mmap = skp;
	}

	return;
}

/**
 * smack_inode_getxattr - Smack check on getxattr
 * @dentry: the object
 * @name: unused
 *
 * Returns 0 if access is permitted, an error code otherwise
 */
static int smack_inode_getxattr(struct dentry *dentry, const char *name)
{
	struct
smk_audit_info ad; 1352 int rc; 1353 1354 smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_DENTRY); 1355 smk_ad_setfield_u_fs_path_dentry(&ad, dentry); 1356 1357 rc = smk_curacc(smk_of_inode(d_backing_inode(dentry)), MAY_READ, &ad); 1358 rc = smk_bu_inode(d_backing_inode(dentry), MAY_READ, rc); 1359 return rc; 1360 } 1361 1362 /** 1363 * smack_inode_removexattr - Smack check on removexattr 1364 * @dentry: the object 1365 * @name: name of the attribute 1366 * 1367 * Removing the Smack attribute requires CAP_MAC_ADMIN 1368 * 1369 * Returns 0 if access is permitted, an error code otherwise 1370 */ 1371 static int smack_inode_removexattr(struct dentry *dentry, const char *name) 1372 { 1373 struct inode_smack *isp; 1374 struct smk_audit_info ad; 1375 int rc = 0; 1376 1377 if (strcmp(name, XATTR_NAME_SMACK) == 0 || 1378 strcmp(name, XATTR_NAME_SMACKIPIN) == 0 || 1379 strcmp(name, XATTR_NAME_SMACKIPOUT) == 0 || 1380 strcmp(name, XATTR_NAME_SMACKEXEC) == 0 || 1381 strcmp(name, XATTR_NAME_SMACKTRANSMUTE) == 0 || 1382 strcmp(name, XATTR_NAME_SMACKMMAP) == 0) { 1383 if (!smack_privileged(CAP_MAC_ADMIN)) 1384 rc = -EPERM; 1385 } else 1386 rc = cap_inode_removexattr(dentry, name); 1387 1388 if (rc != 0) 1389 return rc; 1390 1391 smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_DENTRY); 1392 smk_ad_setfield_u_fs_path_dentry(&ad, dentry); 1393 1394 rc = smk_curacc(smk_of_inode(d_backing_inode(dentry)), MAY_WRITE, &ad); 1395 rc = smk_bu_inode(d_backing_inode(dentry), MAY_WRITE, rc); 1396 if (rc != 0) 1397 return rc; 1398 1399 isp = smack_inode(d_backing_inode(dentry)); 1400 /* 1401 * Don't do anything special for these. 
1402 * XATTR_NAME_SMACKIPIN 1403 * XATTR_NAME_SMACKIPOUT 1404 */ 1405 if (strcmp(name, XATTR_NAME_SMACK) == 0) { 1406 struct super_block *sbp = dentry->d_sb; 1407 struct superblock_smack *sbsp = sbp->s_security; 1408 1409 isp->smk_inode = sbsp->smk_default; 1410 } else if (strcmp(name, XATTR_NAME_SMACKEXEC) == 0) 1411 isp->smk_task = NULL; 1412 else if (strcmp(name, XATTR_NAME_SMACKMMAP) == 0) 1413 isp->smk_mmap = NULL; 1414 else if (strcmp(name, XATTR_NAME_SMACKTRANSMUTE) == 0) 1415 isp->smk_flags &= ~SMK_INODE_TRANSMUTE; 1416 1417 return 0; 1418 } 1419 1420 /** 1421 * smack_inode_getsecurity - get smack xattrs 1422 * @inode: the object 1423 * @name: attribute name 1424 * @buffer: where to put the result 1425 * @alloc: duplicate memory 1426 * 1427 * Returns the size of the attribute or an error code 1428 */ 1429 static int smack_inode_getsecurity(struct inode *inode, 1430 const char *name, void **buffer, 1431 bool alloc) 1432 { 1433 struct socket_smack *ssp; 1434 struct socket *sock; 1435 struct super_block *sbp; 1436 struct inode *ip = (struct inode *)inode; 1437 struct smack_known *isp; 1438 1439 if (strcmp(name, XATTR_SMACK_SUFFIX) == 0) 1440 isp = smk_of_inode(inode); 1441 else { 1442 /* 1443 * The rest of the Smack xattrs are only on sockets. 
1444 */ 1445 sbp = ip->i_sb; 1446 if (sbp->s_magic != SOCKFS_MAGIC) 1447 return -EOPNOTSUPP; 1448 1449 sock = SOCKET_I(ip); 1450 if (sock == NULL || sock->sk == NULL) 1451 return -EOPNOTSUPP; 1452 1453 ssp = sock->sk->sk_security; 1454 1455 if (strcmp(name, XATTR_SMACK_IPIN) == 0) 1456 isp = ssp->smk_in; 1457 else if (strcmp(name, XATTR_SMACK_IPOUT) == 0) 1458 isp = ssp->smk_out; 1459 else 1460 return -EOPNOTSUPP; 1461 } 1462 1463 if (alloc) { 1464 *buffer = kstrdup(isp->smk_known, GFP_KERNEL); 1465 if (*buffer == NULL) 1466 return -ENOMEM; 1467 } 1468 1469 return strlen(isp->smk_known); 1470 } 1471 1472 1473 /** 1474 * smack_inode_listsecurity - list the Smack attributes 1475 * @inode: the object 1476 * @buffer: where they go 1477 * @buffer_size: size of buffer 1478 */ 1479 static int smack_inode_listsecurity(struct inode *inode, char *buffer, 1480 size_t buffer_size) 1481 { 1482 int len = sizeof(XATTR_NAME_SMACK); 1483 1484 if (buffer != NULL && len <= buffer_size) 1485 memcpy(buffer, XATTR_NAME_SMACK, len); 1486 1487 return len; 1488 } 1489 1490 /** 1491 * smack_inode_getsecid - Extract inode's security id 1492 * @inode: inode to extract the info from 1493 * @secid: where result will be saved 1494 */ 1495 static void smack_inode_getsecid(struct inode *inode, u32 *secid) 1496 { 1497 struct smack_known *skp = smk_of_inode(inode); 1498 1499 *secid = skp->smk_secid; 1500 } 1501 1502 /* 1503 * File Hooks 1504 */ 1505 1506 /* 1507 * There is no smack_file_permission hook 1508 * 1509 * Should access checks be done on each read or write? 1510 * UNICOS and SELinux say yes. 1511 * Trusted Solaris, Trusted Irix, and just about everyone else says no. 1512 * 1513 * I'll say no for now. Smack does not do the frequent 1514 * label changing that SELinux does. 
 */

/**
 * smack_file_alloc_security - assign a file security blob
 * @file: the object
 *
 * The security blob for a file is a pointer to the master
 * label list, so no allocation is done.
 *
 * f_security is the owner security information. It
 * isn't used on file access checks, it's for send_sigio.
 *
 * Returns 0
 */
static int smack_file_alloc_security(struct file *file)
{
	struct smack_known **blob = smack_file(file);

	*blob = smk_of_current();
	return 0;
}

/**
 * smack_file_ioctl - Smack check on ioctls
 * @file: the object
 * @cmd: what to do
 * @arg: unused
 *
 * Relies heavily on the correct use of the ioctl command conventions.
 *
 * The direction bits encoded in @cmd decide what is checked: _IOC_WRITE
 * requires write access to the object and _IOC_READ requires read
 * access. A command whose encoding carries neither bit (as many legacy
 * ioctls do) receives no Smack check at all here.
 *
 * Returns 0 if allowed, error code otherwise
 */
static int smack_file_ioctl(struct file *file, unsigned int cmd,
			    unsigned long arg)
{
	int rc = 0;
	struct smk_audit_info ad;
	struct inode *inode = file_inode(file);

	if (unlikely(IS_PRIVATE(inode)))
		return 0;

	smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_PATH);
	smk_ad_setfield_u_fs_path(&ad, file->f_path);

	if (_IOC_DIR(cmd) & _IOC_WRITE) {
		rc = smk_curacc(smk_of_inode(inode), MAY_WRITE, &ad);
		rc = smk_bu_file(file, MAY_WRITE, rc);
	}

	if (rc == 0 && (_IOC_DIR(cmd) & _IOC_READ)) {
		rc = smk_curacc(smk_of_inode(inode), MAY_READ, &ad);
		rc = smk_bu_file(file, MAY_READ, rc);
	}

	return rc;
}

/**
 * smack_file_lock - Smack check on file locking
 * @file: the object
 * @cmd: unused
 *
 * Locking is its own access mode (MAY_LOCK) so that a process may be
 * allowed to lock a file it cannot write.
 *
 * Returns 0 if current has lock access, error code otherwise
 */
static int smack_file_lock(struct file *file, unsigned int cmd)
{
	struct smk_audit_info ad;
	int rc;
	struct inode *inode = file_inode(file);

	if (unlikely(IS_PRIVATE(inode)))
		return 0;

	smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_PATH);
	smk_ad_setfield_u_fs_path(&ad, file->f_path);
	rc = smk_curacc(smk_of_inode(inode), MAY_LOCK, &ad);
	rc = smk_bu_file(file, MAY_LOCK, rc);
	return rc;
}

/**
 * smack_file_fcntl - Smack check on fcntl
 * @file: the object
 * @cmd: what action to check
 * @arg: unused
 *
 * Generally these operations are harmless.
 * File locking operations present an obvious mechanism
 * for passing information, so F_SETLK and F_SETLKW require
 * lock access (MAY_LOCK). F_SETOWN and F_SETSIG change who gets
 * signalled about the file and require write access.
 *
 * NOTE(review): only the commands listed in the switch are checked;
 * everything else, including the F_OFD_SETLK/F_OFD_SETLKW variants,
 * takes the default branch and is allowed - confirm that is intended.
 *
 * Returns 0 if current has access, error code otherwise
 */
static int smack_file_fcntl(struct file *file, unsigned int cmd,
			    unsigned long arg)
{
	struct smk_audit_info ad;
	int rc = 0;
	struct inode *inode = file_inode(file);

	if (unlikely(IS_PRIVATE(inode)))
		return 0;

	switch (cmd) {
	case F_GETLK:
		break;
	case F_SETLK:
	case F_SETLKW:
		smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_PATH);
		smk_ad_setfield_u_fs_path(&ad, file->f_path);
		rc = smk_curacc(smk_of_inode(inode), MAY_LOCK, &ad);
		rc = smk_bu_file(file, MAY_LOCK, rc);
		break;
	case F_SETOWN:
	case F_SETSIG:
		smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_PATH);
		smk_ad_setfield_u_fs_path(&ad, file->f_path);
		rc = smk_curacc(smk_of_inode(inode), MAY_WRITE, &ad);
		rc = smk_bu_file(file, MAY_WRITE, rc);
		break;
	default:
		break;
	}

	return rc;
}

/**
 * smack_mmap_file - Smack check on mmap
 * @file: the file structure for file to map (may be NULL)
 * @reqprot: the protection requested by the application (unused)
 * @prot: the protection that will be applied by the kernel (unused)
 * @flags: the operational flags (unused)
 *
 * Check permissions for a mmap operation. The @file may be NULL, e.g.
 * if mapping anonymous memory.
 *
 * Only files carrying a SMACK64MMAP label are of interest. Mapping
 * such a file is allowed only if the SMACK64MMAP label has at least
 * as much access as current's label to every object current has a
 * rule for: for each of current's global rules (local rules narrow
 * the access they grant) the SMACK64MMAP label must have a rule for
 * the same object granting a superset of that access. The loop
 * walks current's global rule list only; rules that exist solely
 * in the task-local list are not visited.
 *
 * Return 0 if permission is granted, -EACCES otherwise.
 */
static int smack_mmap_file(struct file *file,
			   unsigned long reqprot, unsigned long prot,
			   unsigned long flags)
{
	struct smack_known *skp;
	struct smack_known *mkp;
	struct smack_rule *srp;
	struct task_smack *tsp;
	struct smack_known *okp;
	struct inode_smack *isp;
	struct superblock_smack *sbsp;
	int may;
	int mmay;
	int tmay;
	int rc;

	if (file == NULL)
		return 0;

	if (unlikely(IS_PRIVATE(file_inode(file))))
		return 0;

	isp = smack_inode(file_inode(file));
	if (isp->smk_mmap == NULL)
		return 0;
	/* On an untrusted filesystem only the root label may be mapped. */
	sbsp = file_inode(file)->i_sb->s_security;
	if (sbsp->smk_flags & SMK_SB_UNTRUSTED &&
	    isp->smk_mmap != sbsp->smk_root)
		return -EACCES;
	mkp = isp->smk_mmap;

	tsp = smack_cred(current_cred());
	skp = smk_of_current();
	rc = 0;

	rcu_read_lock();
	/*
	 * For each Smack rule associated with the subject
	 * label verify that the SMACK64MMAP also has access
	 * to that rule's object label.
	 */
	list_for_each_entry_rcu(srp, &skp->smk_rules, list) {
		okp = srp->smk_object;
		/*
		 * Matching labels always allows access.
		 */
		if (mkp->smk_known == okp->smk_known)
			continue;
		/*
		 * If there is a matching local rule take
		 * that into account as well.
		 */
		may = smk_access_entry(srp->smk_subject->smk_known,
				       okp->smk_known,
				       &tsp->smk_rules);
		if (may == -ENOENT)
			may = srp->smk_access;
		else
			may &= srp->smk_access;
		/*
		 * If may is zero the SMACK64MMAP subject can't
		 * possibly have less access.
		 */
		if (may == 0)
			continue;

		/*
		 * Fetch the global list entry.
		 * If there isn't one a SMACK64MMAP subject
		 * can't have as much access as current.
		 */
		mmay = smk_access_entry(mkp->smk_known, okp->smk_known,
					&mkp->smk_rules);
		if (mmay == -ENOENT) {
			rc = -EACCES;
			break;
		}
		/*
		 * If there is a local entry it modifies the
		 * potential access, too.
		 */
		tmay = smk_access_entry(mkp->smk_known, okp->smk_known,
					&tsp->smk_rules);
		if (tmay != -ENOENT)
			mmay &= tmay;

		/*
		 * If there is any access available to current that is
		 * not available to a SMACK64MMAP subject
		 * deny access.
		 */
		if ((may | mmay) != mmay) {
			rc = -EACCES;
			break;
		}
	}

	rcu_read_unlock();

	return rc;
}

/**
 * smack_file_set_fowner - set the file security blob value
 * @file: object in question
 *
 * Records current's label as the file's owner label; this is the
 * subject used later by smack_file_send_sigiotask().
 */
static void smack_file_set_fowner(struct file *file)
{
	struct smack_known **blob = smack_file(file);

	*blob = smk_of_current();
}

/**
 * smack_file_send_sigiotask - Smack on sigio
 * @tsk: The target task
 * @fown: the object the signal come from
 * @signum: unused
 *
 * Allow a privileged task to get signals even if it shouldn't
 *
 * Returns 0 if a subject with the object's smack could
 * write to the task, an error code otherwise.
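 */
static int smack_file_send_sigiotask(struct task_struct *tsk,
				     struct fown_struct *fown, int signum)
{
	struct smack_known **blob;
	struct smack_known *skp;
	struct smack_known *tkp = smk_of_task(smack_cred(tsk->cred));
	const struct cred *tcred;
	struct file *file;
	int rc;
	struct smk_audit_info ad;

	/*
	 * struct fown_struct is never outside the context of a struct file
	 */
	file = container_of(fown, struct file, f_owner);

	/*
	 * we don't log here as rc can be overriden
	 * The subject is the label recorded in the file blob when the
	 * owner was set; the object is the task being signalled.
	 */
	blob = smack_file(file);
	skp = *blob;
	rc = smk_access(skp, tkp, MAY_DELIVER, NULL);
	rc = smk_bu_note("sigiotask", skp, tkp, MAY_DELIVER, rc);

	/* A denial is overridden if the *target* holds CAP_MAC_OVERRIDE. */
	rcu_read_lock();
	tcred = __task_cred(tsk);
	if (rc != 0 && smack_privileged_cred(CAP_MAC_OVERRIDE, tcred))
		rc = 0;
	rcu_read_unlock();

	/* One audit record, carrying the final decision. */
	smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_TASK);
	smk_ad_setfield_u_tsk(&ad, tsk);
	smack_log(skp->smk_known, tkp->smk_known, MAY_DELIVER, rc, &ad);
	return rc;
}

/**
 * smack_file_receive - Smack file receive check
 * @file: the object
 *
 * Called when a file descriptor is received (e.g. via SCM_RIGHTS).
 * For a socket, current must be able to write to the socket's
 * outbound label and the socket's inbound label must be able to
 * write to current. For any other file, current must have the
 * access the descriptor was opened with (read and/or write).
 *
 * NOTE(review): smack_inode_getsecurity() guards against
 * sock->sk == NULL on a socket inode; this path dereferences
 * sock->sk directly. Confirm a socket file without a sock can not
 * be passed here.
 *
 * Returns 0 if current has access, error code otherwise
 */
static int smack_file_receive(struct file *file)
{
	int rc;
	int may = 0;
	struct smk_audit_info ad;
	struct inode *inode = file_inode(file);
	struct socket *sock;
	struct task_smack *tsp;
	struct socket_smack *ssp;

	if (unlikely(IS_PRIVATE(inode)))
		return 0;

	smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_PATH);
	smk_ad_setfield_u_fs_path(&ad, file->f_path);

	if (inode->i_sb->s_magic == SOCKFS_MAGIC) {
		sock = SOCKET_I(inode);
		ssp = sock->sk->sk_security;
		tsp = smack_cred(current_cred());
		/*
		 * If the receiving process can't write to the
		 * passed socket or if the passed socket can't
		 * write to the receiving process don't accept
		 * the passed socket.
		 *
		 * Both checks are write checks, so the bringup
		 * diagnostics are told MAY_WRITE rather than the
		 * still-unset file-mode value used for regular files
		 * below, which would have reported no mode at all.
		 */
		rc = smk_access(tsp->smk_task, ssp->smk_out, MAY_WRITE, &ad);
		rc = smk_bu_file(file, MAY_WRITE, rc);
		if (rc < 0)
			return rc;
		rc = smk_access(ssp->smk_in, tsp->smk_task, MAY_WRITE, &ad);
		rc = smk_bu_file(file, MAY_WRITE, rc);
		return rc;
	}
	/*
	 * This code relies on bitmasks.
	 */
	if (file->f_mode & FMODE_READ)
		may = MAY_READ;
	if (file->f_mode & FMODE_WRITE)
		may |= MAY_WRITE;

	rc = smk_curacc(smk_of_inode(inode), may, &ad);
	rc = smk_bu_file(file, may, rc);
	return rc;
}

/**
 * smack_file_open - Smack dentry open processing
 * @file: the object
 *
 * Set the security blob in the file structure.
 * Allow the open only if the task has read access. There are
 * many read operations (e.g. fstat) that you can do with an
 * fd even if you have the file open write-only.
 *
 * The check uses the credentials recorded in @file (f_cred), not
 * current's, so it reflects whoever is performing the open.
 *
 * Returns 0 if current has access, error code otherwise
 */
static int smack_file_open(struct file *file)
{
	struct task_smack *tsp = smack_cred(file->f_cred);
	struct inode *inode = file_inode(file);
	struct smk_audit_info ad;
	int rc;

	smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_PATH);
	smk_ad_setfield_u_fs_path(&ad, file->f_path);
	rc = smk_tskacc(tsp, smk_of_inode(inode), MAY_READ, &ad);
	rc = smk_bu_credfile(file->f_cred, file, MAY_READ, rc);

	return rc;
}

/*
 * Task hooks
 */

/**
 * smack_cred_alloc_blank - "allocate" blank task-level security credentials
 * @cred: the new credentials
 * @gfp: the atomicity of any memory allocations
 *
 * Prepare a blank set of credentials for modification. This must allocate all
 * the memory the LSM module might require such that cred_transfer() can
 * complete without error.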
 */
static int smack_cred_alloc_blank(struct cred *cred, gfp_t gfp)
{
	/*
	 * Both labels are left NULL and the rule list empty; nothing is
	 * allocated, so @gfp is not needed.
	 */
	init_task_smack(smack_cred(cred), NULL, NULL);
	return 0;
}


/**
 * smack_cred_free - "free" task-level security credentials
 * @cred: the credentials in question
 *
 * Releases the relabel list and every task-local rule attached to
 * the credentials. The labels themselves point into the master
 * label list and are not freed.
 */
static void smack_cred_free(struct cred *cred)
{
	struct task_smack *tsp = smack_cred(cred);
	struct smack_rule *rp;
	struct list_head *l;
	struct list_head *n;

	smk_destroy_label_list(&tsp->smk_relabel);

	list_for_each_safe(l, n, &tsp->smk_rules) {
		rp = list_entry(l, struct smack_rule, list);
		list_del(&rp->list);
		kmem_cache_free(smack_rule_cache, rp);
	}
}

/**
 * smack_cred_prepare - prepare new set of credentials for modification
 * @new: the new credentials
 * @old: the original credentials
 * @gfp: the atomicity of any memory allocations
 *
 * Prepare a new set of credentials for modification.
 *
 * The new credentials start with @old's current label as both their
 * task label and their "forked" label, then copy the task-local rules
 * and the relabel list. On a copy failure the error is returned and
 * whatever was copied so far is left for smack_cred_free() to release
 * (presumably; the caller's abort path is not visible here).
 */
static int smack_cred_prepare(struct cred *new, const struct cred *old,
			      gfp_t gfp)
{
	struct task_smack *old_tsp = smack_cred(old);
	struct task_smack *new_tsp = smack_cred(new);
	int rc;

	init_task_smack(new_tsp, old_tsp->smk_task, old_tsp->smk_task);

	rc = smk_copy_rules(&new_tsp->smk_rules, &old_tsp->smk_rules, gfp);
	if (rc != 0)
		return rc;

	rc = smk_copy_relabel(&new_tsp->smk_relabel, &old_tsp->smk_relabel,
			      gfp);
	return rc;
}

/**
 * smack_cred_transfer - Transfer the old credentials to the new credentials
 * @new: the new credentials
 * @old: the original credentials
 *
 * Fill in a set of blank credentials from another set of credentials.
 *
 * Only the labels are carried over; the new credentials get an empty
 * task-local rule list regardless of what @old held (the author's
 * "cbs copy rule list" note below records this as outstanding).
 */
static void smack_cred_transfer(struct cred *new, const struct cred *old)
{
	struct task_smack *old_tsp = smack_cred(old);
	struct task_smack *new_tsp = smack_cred(new);

	new_tsp->smk_task = old_tsp->smk_task;
	new_tsp->smk_forked = old_tsp->smk_task;
	mutex_init(&new_tsp->smk_rules_lock);
	INIT_LIST_HEAD(&new_tsp->smk_rules);

	/* cbs copy rule list */
}

/**
 * smack_cred_getsecid - get the secid corresponding to a creds structure
 * @cred: the object creds
 * @secid: where to put the result
 *
 * Sets the secid to contain a u32 version of the smack label.
 */
static void smack_cred_getsecid(const struct cred *cred, u32 *secid)
{
	struct smack_known *skp;

	rcu_read_lock();
	skp = smk_of_task(smack_cred(cred));
	*secid = skp->smk_secid;
	rcu_read_unlock();
}

/**
 * smack_kernel_act_as - Set the subjective context in a set of credentials
 * @new: points to the set of credentials to be modified.
 * @secid: specifies the security ID to be set
 *
 * Set the security data for a kernel service.
 *
 * Only the task label is replaced; the "forked" label and the rule
 * lists of @new are left untouched.
 */
static int smack_kernel_act_as(struct cred *new, u32 secid)
{
	struct task_smack *new_tsp = smack_cred(new);

	new_tsp->smk_task = smack_from_secid(secid);
	return 0;
}

/**
 * smack_kernel_create_files_as - Set the file creation label in a set of creds
 * @new: points to the set of credentials to be modified
 * @inode: points to the inode to use as a reference
 *
 * Set the file creation context in a set of credentials to the same
 * as the objective context of the specified inode
 *
 * Both the "forked" and the task label of @new are set to the
 * inode's label.
 */
static int smack_kernel_create_files_as(struct cred *new,
					struct inode *inode)
{
	struct inode_smack *isp = smack_inode(inode);
	struct task_smack *tsp = smack_cred(new);

	tsp->smk_forked = isp->smk_inode;
	tsp->smk_task = tsp->smk_forked;
	return 0;
}

/**
 * smk_curacc_on_task - helper to log task related access
 * @p: the task object
 * @access: the access requested
 * @caller: name of the calling function for audit
 *
 * Checks whether current has @access to the task @p, with @p's label
 * as the object, and emits the matching bringup note.
 *
 * Return 0 if access is permitted
 */
static int smk_curacc_on_task(struct task_struct *p, int access,
				const char *caller)
{
	struct smk_audit_info ad;
	struct smack_known *skp = smk_of_task_struct(p);
	int rc;

	smk_ad_init(&ad, caller, LSM_AUDIT_DATA_TASK);
	smk_ad_setfield_u_tsk(&ad, p);
	rc = smk_curacc(skp, access, &ad);
	rc = smk_bu_task(p, access, rc);
	return rc;
}

/**
 * smack_task_setpgid - Smack check on setting pgid
 * @p: the task object
 * @pgid: unused
 *
 * Return 0 if write access is permitted
 */
static int smack_task_setpgid(struct task_struct *p, pid_t pgid)
{
	return smk_curacc_on_task(p, MAY_WRITE, __func__);
}

/**
 * smack_task_getpgid - Smack access check for getpgid
 * @p: the object task
 *
 * Returns 0 if current can read the object task, error code
 * otherwise
 */
static int smack_task_getpgid(struct task_struct *p)
{
	return smk_curacc_on_task(p, MAY_READ, __func__);
}

/**
 * smack_task_getsid - Smack access check for getsid
 * @p: the object task
 *
 * Returns 0 if current can read the object task, error code otherwise
 */
static int smack_task_getsid(struct task_struct *p)
{
	return smk_curacc_on_task(p, MAY_READ, __func__);
}

/**
 * smack_task_getsecid - get the secid of the task
 * @p: the object task
 * @secid: where to put the result
 *
 * Sets the secid to contain a u32 version of the smack label.
 */
static void smack_task_getsecid(struct task_struct *p, u32 *secid)
{
	struct smack_known *skp = smk_of_task_struct(p);

	*secid = skp->smk_secid;
}

/**
 * smack_task_setnice - Smack check on setting nice
 * @p: the task object
 * @nice: unused
 *
 * Return 0 if write access is permitted
 */
static int smack_task_setnice(struct task_struct *p, int nice)
{
	return smk_curacc_on_task(p, MAY_WRITE, __func__);
}

/**
 * smack_task_setioprio - Smack check on setting ioprio
 * @p: the task object
 * @ioprio: unused
 *
 * Return 0 if write access is permitted
 */
static int smack_task_setioprio(struct task_struct *p, int ioprio)
{
	return smk_curacc_on_task(p, MAY_WRITE, __func__);
}

/**
 * smack_task_getioprio - Smack check on reading ioprio
 * @p: the task object
 *
 * Return 0 if read access is permitted
 */
static int smack_task_getioprio(struct task_struct *p)
{
	return smk_curacc_on_task(p, MAY_READ, __func__);
}

/**
 * smack_task_setscheduler - Smack check on setting scheduler
 * @p: the task object
 *
 * Changing another task's scheduling policy is a write to that task.
 *
 * Return 0 if write access is permitted
 */
static int smack_task_setscheduler(struct task_struct *p)
{
	return smk_curacc_on_task(p, MAY_WRITE, __func__);
}

/**
 * smack_task_getscheduler - Smack check on reading scheduler
 * @p: the task object
 *
 * Return 0 if read access is permitted
 */
static int smack_task_getscheduler(struct task_struct *p)
{
	return smk_curacc_on_task(p, MAY_READ, __func__);
}

/**
 * smack_task_movememory - Smack check on moving memory
 * @p: the task object
 *
 * Return 0 if write access is permitted
 */
static int smack_task_movememory(struct task_struct *p)
{
	return smk_curacc_on_task(p, MAY_WRITE, __func__);
}

/**
 * smack_task_kill - Smack check on signal delivery
 * @p: the task object
 * @info: unused
 * @sig: unused
 * @cred: identifies the cred to use in lieu of current's
 *
 * Return 0 if write access is permitted
 *
 * Signal 0 is an existence probe and is always allowed. With a NULL
 * @cred the sender is current and the normal privilege handling of
 * smk_curacc() applies. With an explicit @cred the subject label is
 * taken from it and only the raw rule set is consulted; no privilege
 * can override a denial on that path.
 */
static int smack_task_kill(struct task_struct *p, struct kernel_siginfo *info,
			   int sig, const struct cred *cred)
{
	struct smk_audit_info ad;
	struct smack_known *skp;
	struct smack_known *tkp = smk_of_task_struct(p);
	int rc;

	if (!sig)
		return 0; /* null signal; existence test */

	smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_TASK);
	smk_ad_setfield_u_tsk(&ad, p);
	/*
	 * Sending a signal requires that the sender
	 * can write the receiver.
	 */
	if (cred == NULL) {
		rc = smk_curacc(tkp, MAY_DELIVER, &ad);
		rc = smk_bu_task(p, MAY_DELIVER, rc);
		return rc;
	}
	/*
	 * If the cred isn't NULL we're dealing with some USB IO
	 * specific behavior. This is not clean. For one thing
	 * we can't take privilege into account.
	 */
	skp = smk_of_task(smack_cred(cred));
	rc = smk_access(skp, tkp, MAY_DELIVER, &ad);
	rc = smk_bu_note("USB signal", skp, tkp, MAY_DELIVER, rc);
	return rc;
}

/**
 * smack_task_to_inode - copy task smack into the inode blob
 * @p: task to copy from
 * @inode: inode to copy to
 *
 * Sets the smack pointer in the inode security blob
 * and marks the inode as instantiated.
 */
static void smack_task_to_inode(struct task_struct *p, struct inode *inode)
{
	struct inode_smack *isp = smack_inode(inode);
	struct smack_known *skp = smk_of_task_struct(p);

	isp->smk_inode = skp;
	isp->smk_flags |= SMK_INODE_INSTANT;
}

/*
 * Socket hooks.
 */

/**
 * smack_sk_alloc_security - Allocate a socket blob
 * @sk: the socket
 * @family: unused
 * @gfp_flags: memory allocation flags
 *
 * Assign Smack pointers to current
 *
 * Both the inbound and outbound label start as current's label
 * (or the web label for kernel threads); the packet label is unset.
 *
 * Returns 0 on success, -ENOMEM is there's no memory
 */
static int smack_sk_alloc_security(struct sock *sk, int family, gfp_t gfp_flags)
{
	struct smack_known *skp = smk_of_current();
	struct socket_smack *ssp;

	ssp = kzalloc(sizeof(struct socket_smack), gfp_flags);
	if (ssp == NULL)
		return -ENOMEM;

	/*
	 * Sockets created by kernel threads receive web label.
	 */
	if (unlikely(current->flags & PF_KTHREAD)) {
		ssp->smk_in = &smack_known_web;
		ssp->smk_out = &smack_known_web;
	} else {
		ssp->smk_in = skp;
		ssp->smk_out = skp;
	}
	ssp->smk_packet = NULL;

	sk->sk_security = ssp;

	return 0;
}

/**
 * smack_sk_free_security - Free a socket blob
 * @sk: the socket
 *
 * Clears the blob pointer
 *
 * With IPv6 port labeling, the port-list entry that belongs to this
 * socket is not removed; it is only flagged as reusable. The flag
 * is a single store made under the RCU read lock.
 */
static void smack_sk_free_security(struct sock *sk)
{
#ifdef SMACK_IPV6_PORT_LABELING
	struct smk_port_label *spp;

	if (sk->sk_family == PF_INET6) {
		rcu_read_lock();
		list_for_each_entry_rcu(spp, &smk_ipv6_port_list, list) {
			if (spp->smk_sock != sk)
				continue;
			spp->smk_can_reuse = 1;
			break;
		}
		rcu_read_unlock();
	}
#endif
	kfree(sk->sk_security);
}

/**
 * smack_ipv4host_label - check host based restrictions
 * @sip: the object end
 *
 * looks for host based access restrictions
 *
 * This version will only be appropriate for really small sets of single label
 * hosts. The caller is responsible for ensuring that the RCU read lock is
 * taken before calling this function.
 *
 * Returns the label of the far end or NULL if it's not special.
 */
static struct smack_known *smack_ipv4host_label(struct sockaddr_in *sip)
{
	struct smk_net4addr *snp;
	struct in_addr *siap = &sip->sin_addr;

	/* The unspecified address (INADDR_ANY) is never a special host. */
	if (siap->s_addr == 0)
		return NULL;

	list_for_each_entry_rcu(snp, &smk_net4addr_list, list)
		/*
		 * we break after finding the first match because
		 * the list is sorted from longest to shortest mask
		 * so we have found the most specific match
		 */
		if (snp->smk_host.s_addr ==
		    (siap->s_addr & snp->smk_mask.s_addr))
			return snp->smk_label;

	return NULL;
}

#if IS_ENABLED(CONFIG_IPV6)
/*
 * smk_ipv6_localhost - Check for local ipv6 host address
 * @sip: the address
 *
 * Matches exactly ::1. The IPv4-mapped loopback form
 * (::ffff:127.0.0.1) does not satisfy this test.
 *
 * Returns boolean true if this is the localhost address
 */
static bool smk_ipv6_localhost(struct sockaddr_in6 *sip)
{
	__be16 *be16p = (__be16 *)&sip->sin6_addr;
	__be32 *be32p = (__be32 *)&sip->sin6_addr;

	if (be32p[0] == 0 && be32p[1] == 0 && be32p[2] == 0 && be16p[6] == 0 &&
	    ntohs(be16p[7]) == 1)
		return true;
	return false;
}

/**
 * smack_ipv6host_label - check host based restrictions
 * @sip: the object end
 *
 * looks for host based access restrictions
 *
 * This version will only be appropriate for really small sets of single label
 * hosts. The caller is responsible for ensuring that the RCU read lock is
 * taken before calling this function.
 *
 * Returns the label of the far end or NULL if it's not special.
 */
static struct smack_known *smack_ipv6host_label(struct sockaddr_in6 *sip)
{
	struct smk_net6addr *snp;
	struct in6_addr *sap = &sip->sin6_addr;
	int i;
	int found = 0;

	/*
	 * It's local. Don't look for a host label.
	 */
	if (smk_ipv6_localhost(sip))
		return NULL;

	list_for_each_entry_rcu(snp, &smk_net6addr_list, list) {
		/*
		 * If the label is NULL the entry has
		 * been renounced. Ignore it.
		 */
		if (snp->smk_label == NULL)
			continue;
		/*
		 * we break after finding the first match because
		 * the list is sorted from longest to shortest mask
		 * so we have found the most specific match
		 */
		for (found = 1, i = 0; i < 8; i++) {
			if ((sap->s6_addr16[i] & snp->smk_mask.s6_addr16[i]) !=
			    snp->smk_host.s6_addr16[i]) {
				found = 0;
				break;
			}
		}
		if (found)
			return snp->smk_label;
	}

	return NULL;
}
#endif /* CONFIG_IPV6 */

/**
 * smack_netlabel - Set the secattr on a socket
 * @sk: the socket
 * @labeled: socket label scheme
 *
 * Convert the outbound smack value (smk_out) to a
 * secattr and attach it to the socket.
 *
 * The socket is sent unlabeled when @labeled asks for it or when
 * its outbound label is the ambient label; otherwise the outbound
 * label's netlabel secattr is attached. The update is done with
 * bottom halves disabled and the socket lock held.
 *
 * Returns 0 on success or an error code
 */
static int smack_netlabel(struct sock *sk, int labeled)
{
	struct smack_known *skp;
	struct socket_smack *ssp = sk->sk_security;
	int rc = 0;

	/*
	 * Usually the netlabel code will handle changing the
	 * packet labeling based on the label.
	 * The case of a single label host is different, because
	 * a single label host should never get a labeled packet
	 * even though the label is usually associated with a packet
	 * label.
	 */
	local_bh_disable();
	bh_lock_sock_nested(sk);

	if (ssp->smk_out == smack_net_ambient ||
	    labeled == SMACK_UNLABELED_SOCKET)
		netlbl_sock_delattr(sk);
	else {
		skp = ssp->smk_out;
		rc = netlbl_sock_setattr(sk, sk->sk_family, &skp->smk_netlabel);
	}

	bh_unlock_sock(sk);
	local_bh_enable();

	return rc;
}

/**
 * smack_netlabel_send - Set the secattr on a socket and perform access checks
 * @sk: the socket
 * @sap: the destination address
 *
 * Set the correct secattr for the given socket based on the destination
 * address and perform any outbound access checks needed.
 *
 * A destination with a host label is a single-label host: the socket's
 * outbound label must have write access to the host label, and the
 * socket is then sent unlabeled. Any other destination gets CIPSO
 * labeling and no access check here. The audit port is stored as
 * received, in network byte order.
 *
 * Returns 0 on success or an error code.
 *
 */
static int smack_netlabel_send(struct sock *sk, struct sockaddr_in *sap)
{
	struct smack_known *skp;
	int rc;
	int sk_lbl;
	struct smack_known *hkp;
	struct socket_smack *ssp = sk->sk_security;
	struct smk_audit_info ad;

	rcu_read_lock();
	hkp = smack_ipv4host_label(sap);
	if (hkp != NULL) {
#ifdef CONFIG_AUDIT
		struct lsm_network_audit net;

		smk_ad_init_net(&ad, __func__, LSM_AUDIT_DATA_NET, &net);
		ad.a.u.net->family = sap->sin_family;
		ad.a.u.net->dport = sap->sin_port;
		ad.a.u.net->v4info.daddr = sap->sin_addr.s_addr;
#endif
		sk_lbl = SMACK_UNLABELED_SOCKET;
		skp = ssp->smk_out;
		rc = smk_access(skp, hkp, MAY_WRITE, &ad);
		rc = smk_bu_note("IPv4 host check", skp, hkp, MAY_WRITE, rc);
	} else {
		sk_lbl = SMACK_CIPSO_SOCKET;
		rc = 0;
	}
	rcu_read_unlock();
	if (rc != 0)
		return rc;

	return smack_netlabel(sk, sk_lbl);
}

#if IS_ENABLED(CONFIG_IPV6)
/**
 * smk_ipv6_check - check Smack access
 * @subject: subject Smack label
 * @object: object Smack label
 * @address: address
 * @act: the action being taken
 *
 * Check an IPv6 access
 */
static int smk_ipv6_check(struct smack_known *subject,
				struct smack_known *object,
				struct sockaddr_in6 *address, int act)
{
#ifdef CONFIG_AUDIT
	struct lsm_network_audit net;
#endif
	/*
	 * NOTE(review): without CONFIG_AUDIT ad is never initialized
	 * before it is handed to smk_access(); presumably the audit
	 * argument is ignored in that configuration - confirm.
	 */
	struct smk_audit_info ad;
	int rc;

#ifdef CONFIG_AUDIT
	/*
	 * For the audit record the peer is the source address when the
	 * local side is receiving and the destination address otherwise.
	 */
	smk_ad_init_net(&ad, __func__, LSM_AUDIT_DATA_NET, &net);
	ad.a.u.net->family = PF_INET6;
	ad.a.u.net->dport = ntohs(address->sin6_port);
	if (act == SMK_RECEIVING)
		ad.a.u.net->v6info.saddr = address->sin6_addr;
	else
		ad.a.u.net->v6info.daddr = address->sin6_addr;
#endif
	/* Every IPv6 access is modeled as the subject writing to the object. */
	rc = smk_access(subject, object, MAY_WRITE, &ad);
	rc = smk_bu_note("IPv6 check", subject, object, MAY_WRITE, rc);
	return rc;
}
#endif /* CONFIG_IPV6 */

#ifdef SMACK_IPV6_PORT_LABELING
/**
 * smk_ipv6_port_label - Smack port access table management
 * @sock: socket
 * @address: the address being bound, or NULL to refresh the entry
 *           already recorded for @sock
 *
 * Create or update the port list entry.
 *
 * With a NULL @address the in/out labels of the existing entry for
 * @sock are copied from the socket blob; a socket without an entry is
 * silently left alone. With an address, port 0 is ignored, an existing
 * entry for the same port and socket type is taken over only if it has
 * been marked reusable, and otherwise a new entry is allocated and
 * added to the list.
 *
 * @address is cast to sockaddr_in6 without any check here; the caller
 * (smack_socket_bind) has already verified addrlen and sa_family.
 */
static void smk_ipv6_port_label(struct socket *sock, struct sockaddr *address)
{
	struct sock *sk = sock->sk;
	struct sockaddr_in6 *addr6;
	struct socket_smack *ssp = sock->sk->sk_security;
	struct smk_port_label *spp;
	unsigned short port = 0;

	if (address == NULL) {
		/*
		 * This operation is changing the Smack information
		 * on the bound socket. Take the changes to the port
		 * as well.
		 *
		 * NOTE(review): the entry fields are written in place
		 * under rcu_read_lock() only, while insertion below is
		 * serialized by smack_ipv6_lock - confirm the in-place
		 * update does not need the mutex as well.
		 */
		rcu_read_lock();
		list_for_each_entry_rcu(spp, &smk_ipv6_port_list, list) {
			if (sk != spp->smk_sock)
				continue;
			spp->smk_in = ssp->smk_in;
			spp->smk_out = ssp->smk_out;
			rcu_read_unlock();
			return;
		}
		/*
		 * A NULL address is only used for updating existing
		 * bound entries. If there isn't one, it's OK.
		 */
		rcu_read_unlock();
		return;
	}

	addr6 = (struct sockaddr_in6 *)address;
	port = ntohs(addr6->sin6_port);
	/*
	 * This is a special case that is safely ignored.
	 */
	if (port == 0)
		return;

	/*
	 * Look for an existing port list entry.
	 * This is an indication that a port is getting reused.
	 * An entry for this port and socket type that is not marked
	 * reusable wins: the new binding gets no entry at all.
	 */
	rcu_read_lock();
	list_for_each_entry_rcu(spp, &smk_ipv6_port_list, list) {
		if (spp->smk_port != port || spp->smk_sock_type != sock->type)
			continue;
		if (spp->smk_can_reuse != 1) {
			rcu_read_unlock();
			return;
		}
		spp->smk_port = port;
		spp->smk_sock = sk;
		spp->smk_in = ssp->smk_in;
		spp->smk_out = ssp->smk_out;
		spp->smk_can_reuse = 0;
		rcu_read_unlock();
		return;
	}
	rcu_read_unlock();
	/*
	 * A new port entry is required.
	 * The allocation is done outside the RCU read section; on
	 * allocation failure the port simply goes unrecorded.
	 *
	 * NOTE(review): the lookup above and the insert below are not
	 * under one lock, so two binders of the same port could both
	 * miss each other's entry - presumably serialized higher up;
	 * confirm.
	 */
	spp = kzalloc(sizeof(*spp), GFP_KERNEL);
	if (spp == NULL)
		return;

	spp->smk_port = port;
	spp->smk_sock = sk;
	spp->smk_in = ssp->smk_in;
	spp->smk_out = ssp->smk_out;
	spp->smk_sock_type = sock->type;
	spp->smk_can_reuse = 0;

	mutex_lock(&smack_ipv6_lock);
	list_add_rcu(&spp->list, &smk_ipv6_port_list);
	mutex_unlock(&smack_ipv6_lock);
	return;
}

/**
 * smk_ipv6_port_check - check Smack port access
 * @sk: socket
 * @address: the peer address
 * @act: the action being taken (SMK_CONNECTING, SMK_RECEIVING or
 *       SMK_SENDING)
 *
 * Check an IPv6 access using the port label table.
 *
 * If both ends resolve to a known label (the socket's own label and a
 * configured host label for @address) the check is made directly.
 * Otherwise missing labels default to smack_net_ambient. A remote
 * address is checked as is; a local one is allowed when receiving
 * (the sending side already passed) and otherwise checked against the
 * smk_in label recorded for the destination port and socket type, if
 * any entry exists.
 *
 * Side effect: for SMK_CONNECTING to a local port with an entry, the
 * socket's smk_packet is set to that entry's smk_out.
 *
 * Returns 0 if access is allowed, error code otherwise
 */
static int smk_ipv6_port_check(struct sock *sk, struct sockaddr_in6 *address,
				int act)
{
	struct smk_port_label *spp;
	struct socket_smack *ssp = sk->sk_security;
	struct smack_known *skp = NULL;
	unsigned short port;
	struct smack_known *object;

	/* Subject and object swap roles depending on the direction. */
	if (act == SMK_RECEIVING) {
		skp = smack_ipv6host_label(address);
		object = ssp->smk_in;
	} else {
		skp = ssp->smk_out;
		object = smack_ipv6host_label(address);
	}

	/*
	 * The other end is a single label host.
	 */
	if (skp != NULL && object != NULL)
		return smk_ipv6_check(skp, object, address, act);
	if (skp == NULL)
		skp = smack_net_ambient;
	if (object == NULL)
		object = smack_net_ambient;

	/*
	 * It's remote, so port lookup does no good.
	 */
	if (!smk_ipv6_localhost(address))
		return smk_ipv6_check(skp, object, address, act);

	/*
	 * It's local so the send check has to have passed.
	 */
	if (act == SMK_RECEIVING)
		return 0;

	/*
	 * Without a matching entry the object keeps the value chosen
	 * above (ambient or the host label).
	 */
	port = ntohs(address->sin6_port);
	rcu_read_lock();
	list_for_each_entry_rcu(spp, &smk_ipv6_port_list, list) {
		if (spp->smk_port != port || spp->smk_sock_type != sk->sk_type)
			continue;
		object = spp->smk_in;
		if (act == SMK_CONNECTING)
			ssp->smk_packet = spp->smk_out;
		break;
	}
	rcu_read_unlock();

	return smk_ipv6_check(skp, object, address, act);
}
#endif /* SMACK_IPV6_PORT_LABELING */

/**
 * smack_inode_setsecurity - set smack xattrs
 * @inode: the object
 * @name: attribute name
 * @value: attribute value
 * @size: size of the attribute
 * @flags: unused
 *
 * Sets the named attribute in the appropriate blob. The plain Smack
 * label (XATTR_SMACK_SUFFIX) is stored on the inode blob of any inode
 * and marks it instantiated. The socket-only attributes
 * (XATTR_SMACK_IPIN and XATTR_SMACK_IPOUT) are accepted only for an
 * inode on sockfs and update the socket blob instead.
 *
 * Returns 0 on success, or an error code: -EINVAL for a NULL, empty or
 * over-long value, the error from smk_import_entry(), or -EOPNOTSUPP
 * for an unknown attribute name or a non-socket inode.
 */
static int smack_inode_setsecurity(struct inode *inode, const char *name,
				   const void *value, size_t size, int flags)
{
	struct smack_known *skp;
	struct inode_smack *nsp = smack_inode(inode);
	struct socket_smack *ssp;
	struct socket *sock;
	int rc = 0;

	/* The value is bounded before it is ever looked at. */
	if (value == NULL || size > SMK_LONGLABEL || size == 0)
		return -EINVAL;

	skp = smk_import_entry(value, size);
	if (IS_ERR(skp))
		return PTR_ERR(skp);

	if (strcmp(name, XATTR_SMACK_SUFFIX) == 0) {
		nsp->smk_inode = skp;
		nsp->smk_flags |= SMK_INODE_INSTANT;
		return 0;
	}
	/*
	 * The rest of the Smack xattrs are only on sockets.
	 */
	if (inode->i_sb->s_magic != SOCKFS_MAGIC)
		return -EOPNOTSUPP;

	sock = SOCKET_I(inode);
	if (sock == NULL || sock->sk == NULL)
		return -EOPNOTSUPP;

	ssp = sock->sk->sk_security;

	if (strcmp(name, XATTR_SMACK_IPIN) == 0)
		ssp->smk_in = skp;
	else if (strcmp(name, XATTR_SMACK_IPOUT) == 0) {
		ssp->smk_out = skp;
		if (sock->sk->sk_family == PF_INET) {
			rc = smack_netlabel(sock->sk, SMACK_CIPSO_SOCKET);
			/*
			 * A netlabel failure is logged but not returned:
			 * smk_out has already been changed and the call
			 * still reports success below.
			 */
			if (rc != 0)
				printk(KERN_WARNING
					"Smack: \"%s\" netlbl error %d.\n",
					__func__, -rc);
		}
	} else
		return -EOPNOTSUPP;

#ifdef SMACK_IPV6_PORT_LABELING
	/* Keep any recorded port entry in step with the socket blob. */
	if (sock->sk->sk_family == PF_INET6)
		smk_ipv6_port_label(sock, NULL);
#endif

	return 0;
}

/**
 * smack_socket_post_create - finish socket setup
 * @sock: the socket
 * @family: protocol family
 * @type: unused
 * @protocol: unused
 * @kern: unused
 *
 * Sockets created by kernel threads get the web ("@") label for both
 * directions. For PF_INET sockets the outbound netlabel attribute is
 * then installed; every other family returns 0 without touching
 * netlabel.
 *
 * Returns 0 on success, and error code otherwise
 */
static int smack_socket_post_create(struct socket *sock, int family,
				    int type, int protocol, int kern)
{
	struct socket_smack *ssp;

	if (sock->sk == NULL)
		return 0;

	/*
	 * Sockets created by kernel threads receive web label.
	 */
	if (unlikely(current->flags & PF_KTHREAD)) {
		ssp = sock->sk->sk_security;
		ssp->smk_in = &smack_known_web;
		ssp->smk_out = &smack_known_web;
	}

	if (family != PF_INET)
		return 0;
	/*
	 * Set the outbound netlbl.
	 */
	return smack_netlabel(sock->sk, SMACK_CIPSO_SOCKET);
}

/**
 * smack_socket_socketpair - create socket pair
 * @socka: one socket
 * @sockb: another socket
 *
 * Cross reference the peer labels for SO_PEERSEC: each side's
 * smk_packet becomes the other side's smk_out.
 *
 * Returns 0
 */
static int smack_socket_socketpair(struct socket *socka,
		                   struct socket *sockb)
{
	struct socket_smack *asp = socka->sk->sk_security;
	struct socket_smack *bsp = sockb->sk->sk_security;

	asp->smk_packet = bsp->smk_out;
	bsp->smk_packet = asp->smk_out;

	return 0;
}

#ifdef SMACK_IPV6_PORT_LABELING
/**
 * smack_socket_bind - record port binding information.
 * @sock: the socket
 * @address: the port address
 * @addrlen: size of the address
 *
 * Records the label bound to a port. Only PF_INET6 sockets are
 * handled; for those the address must be at least SIN6_LEN_RFC2133
 * bytes and AF_INET6 before smk_ipv6_port_label() casts it to
 * sockaddr_in6. Other families are passed through.
 *
 * Returns 0 on success, -EINVAL for a short or non-IPv6 address
 */
static int smack_socket_bind(struct socket *sock, struct sockaddr *address,
				int addrlen)
{
	if (sock->sk != NULL && sock->sk->sk_family == PF_INET6) {
		if (addrlen < SIN6_LEN_RFC2133 ||
		    address->sa_family != AF_INET6)
			return -EINVAL;
		smk_ipv6_port_label(sock, address);
	}
	return 0;
}
#endif /* SMACK_IPV6_PORT_LABELING */

/**
 * smack_socket_connect - connect access check
 * @sock: the socket
 * @sap: the other end
 * @addrlen: size of sap
 *
 * Verifies that a connection may be possible.
 *
 * Only PF_INET and (when enabled) PF_INET6 sockets are checked. The
 * length is validated before sa_family is read, and again against the
 * family-specific size before the address is cast. A short address or
 * a family that does not match the socket is allowed through with 0
 * rather than rejected.
 *
 * Returns 0 on success, and error code otherwise
 */
static int smack_socket_connect(struct socket *sock, struct sockaddr *sap,
				int addrlen)
{
	int rc = 0;

	if (sock->sk == NULL)
		return 0;
	if (sock->sk->sk_family != PF_INET &&
	    (!IS_ENABLED(CONFIG_IPV6) || sock->sk->sk_family != PF_INET6))
		return 0;
	/* sa_family must be inside the buffer before it is read. */
	if (addrlen < offsetofend(struct sockaddr, sa_family))
		return 0;
	if (IS_ENABLED(CONFIG_IPV6) && sap->sa_family == AF_INET6) {
		struct sockaddr_in6 *sip = (struct sockaddr_in6 *)sap;
#ifdef SMACK_IPV6_SECMARK_LABELING
		struct smack_known *rsp;
#endif

		if (addrlen < SIN6_LEN_RFC2133)
			return 0;
#ifdef SMACK_IPV6_SECMARK_LABELING
		rsp = smack_ipv6host_label(sip);
		if (rsp != NULL) {
			struct socket_smack *ssp = sock->sk->sk_security;

			rc = smk_ipv6_check(ssp->smk_out, rsp, sip,
					    SMK_CONNECTING);
		}
#endif
#ifdef SMACK_IPV6_PORT_LABELING
		/*
		 * NOTE(review): when both labeling modes are built in,
		 * this assignment replaces the secmark result above
		 * rather than combining with it - confirm intended.
		 */
		rc = smk_ipv6_port_check(sock->sk, sip, SMK_CONNECTING);
#endif
		return rc;
	}
	if (sap->sa_family != AF_INET || addrlen < sizeof(struct sockaddr_in))
		return 0;
	rc = smack_netlabel_send(sock->sk, (struct sockaddr_in *)sap);
	return rc;
}

/**
 * smack_flags_to_may - convert S_ to MAY_ values
 * @flags: the S_ value
 *
 * Maps any of the read, write and execute bits (user, group or other)
 * to MAY_READ, MAY_WRITE and MAY_EXEC respectively.
 *
 * Returns the equivalent MAY_ value, 0 if no permission bit is set
 */
static int smack_flags_to_may(int flags)
{
	int may = 0;

	if (flags & S_IRUGO)
		may |= MAY_READ;
	if (flags & S_IWUGO)
		may |= MAY_WRITE;
	if (flags & S_IXUGO)
		may |= MAY_EXEC;

	return may;
}

/**
 * smack_msg_msg_alloc_security - Set the security blob for msg_msg
 * @msg: the object
 *
 * The message takes the label of the current task.
 *
 * Returns 0
 */
static int smack_msg_msg_alloc_security(struct msg_msg *msg)
{
	struct smack_known **blob = smack_msg_msg(msg);

	*blob = smk_of_current();
	return 0;
}

/**
 * smack_of_ipc - the smack pointer for the ipc
 * @isp: the object
 *
 * Returns a pointer to the smack value stored in the ipc blob
 */
static struct smack_known *smack_of_ipc(struct kern_ipc_perm *isp)
{
	struct smack_known **blob = smack_ipc(isp);

	return *blob;
}

/**
 * smack_ipc_alloc_security - Set the security blob for ipc
 * @isp: the object
 *
 * The ipc object takes the label of the current task.
 *
 * Returns 0
 */
static int smack_ipc_alloc_security(struct
kern_ipc_perm *isp) 2919 { 2920 struct smack_known **blob = smack_ipc(isp); 2921 2922 *blob = smk_of_current(); 2923 return 0; 2924 } 2925 2926 /** 2927 * smk_curacc_shm : check if current has access on shm 2928 * @isp : the object 2929 * @access : access requested 2930 * 2931 * Returns 0 if current has the requested access, error code otherwise 2932 */ 2933 static int smk_curacc_shm(struct kern_ipc_perm *isp, int access) 2934 { 2935 struct smack_known *ssp = smack_of_ipc(isp); 2936 struct smk_audit_info ad; 2937 int rc; 2938 2939 #ifdef CONFIG_AUDIT 2940 smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_IPC); 2941 ad.a.u.ipc_id = isp->id; 2942 #endif 2943 rc = smk_curacc(ssp, access, &ad); 2944 rc = smk_bu_current("shm", ssp, access, rc); 2945 return rc; 2946 } 2947 2948 /** 2949 * smack_shm_associate - Smack access check for shm 2950 * @isp: the object 2951 * @shmflg: access requested 2952 * 2953 * Returns 0 if current has the requested access, error code otherwise 2954 */ 2955 static int smack_shm_associate(struct kern_ipc_perm *isp, int shmflg) 2956 { 2957 int may; 2958 2959 may = smack_flags_to_may(shmflg); 2960 return smk_curacc_shm(isp, may); 2961 } 2962 2963 /** 2964 * smack_shm_shmctl - Smack access check for shm 2965 * @isp: the object 2966 * @cmd: what it wants to do 2967 * 2968 * Returns 0 if current has the requested access, error code otherwise 2969 */ 2970 static int smack_shm_shmctl(struct kern_ipc_perm *isp, int cmd) 2971 { 2972 int may; 2973 2974 switch (cmd) { 2975 case IPC_STAT: 2976 case SHM_STAT: 2977 case SHM_STAT_ANY: 2978 may = MAY_READ; 2979 break; 2980 case IPC_SET: 2981 case SHM_LOCK: 2982 case SHM_UNLOCK: 2983 case IPC_RMID: 2984 may = MAY_READWRITE; 2985 break; 2986 case IPC_INFO: 2987 case SHM_INFO: 2988 /* 2989 * System level information. 
2990 */ 2991 return 0; 2992 default: 2993 return -EINVAL; 2994 } 2995 return smk_curacc_shm(isp, may); 2996 } 2997 2998 /** 2999 * smack_shm_shmat - Smack access for shmat 3000 * @isp: the object 3001 * @shmaddr: unused 3002 * @shmflg: access requested 3003 * 3004 * Returns 0 if current has the requested access, error code otherwise 3005 */ 3006 static int smack_shm_shmat(struct kern_ipc_perm *isp, char __user *shmaddr, 3007 int shmflg) 3008 { 3009 int may; 3010 3011 may = smack_flags_to_may(shmflg); 3012 return smk_curacc_shm(isp, may); 3013 } 3014 3015 /** 3016 * smk_curacc_sem : check if current has access on sem 3017 * @isp : the object 3018 * @access : access requested 3019 * 3020 * Returns 0 if current has the requested access, error code otherwise 3021 */ 3022 static int smk_curacc_sem(struct kern_ipc_perm *isp, int access) 3023 { 3024 struct smack_known *ssp = smack_of_ipc(isp); 3025 struct smk_audit_info ad; 3026 int rc; 3027 3028 #ifdef CONFIG_AUDIT 3029 smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_IPC); 3030 ad.a.u.ipc_id = isp->id; 3031 #endif 3032 rc = smk_curacc(ssp, access, &ad); 3033 rc = smk_bu_current("sem", ssp, access, rc); 3034 return rc; 3035 } 3036 3037 /** 3038 * smack_sem_associate - Smack access check for sem 3039 * @isp: the object 3040 * @semflg: access requested 3041 * 3042 * Returns 0 if current has the requested access, error code otherwise 3043 */ 3044 static int smack_sem_associate(struct kern_ipc_perm *isp, int semflg) 3045 { 3046 int may; 3047 3048 may = smack_flags_to_may(semflg); 3049 return smk_curacc_sem(isp, may); 3050 } 3051 3052 /** 3053 * smack_sem_shmctl - Smack access check for sem 3054 * @isp: the object 3055 * @cmd: what it wants to do 3056 * 3057 * Returns 0 if current has the requested access, error code otherwise 3058 */ 3059 static int smack_sem_semctl(struct kern_ipc_perm *isp, int cmd) 3060 { 3061 int may; 3062 3063 switch (cmd) { 3064 case GETPID: 3065 case GETNCNT: 3066 case GETZCNT: 3067 case GETVAL: 3068 case 
GETALL: 3069 case IPC_STAT: 3070 case SEM_STAT: 3071 case SEM_STAT_ANY: 3072 may = MAY_READ; 3073 break; 3074 case SETVAL: 3075 case SETALL: 3076 case IPC_RMID: 3077 case IPC_SET: 3078 may = MAY_READWRITE; 3079 break; 3080 case IPC_INFO: 3081 case SEM_INFO: 3082 /* 3083 * System level information 3084 */ 3085 return 0; 3086 default: 3087 return -EINVAL; 3088 } 3089 3090 return smk_curacc_sem(isp, may); 3091 } 3092 3093 /** 3094 * smack_sem_semop - Smack checks of semaphore operations 3095 * @isp: the object 3096 * @sops: unused 3097 * @nsops: unused 3098 * @alter: unused 3099 * 3100 * Treated as read and write in all cases. 3101 * 3102 * Returns 0 if access is allowed, error code otherwise 3103 */ 3104 static int smack_sem_semop(struct kern_ipc_perm *isp, struct sembuf *sops, 3105 unsigned nsops, int alter) 3106 { 3107 return smk_curacc_sem(isp, MAY_READWRITE); 3108 } 3109 3110 /** 3111 * smk_curacc_msq : helper to check if current has access on msq 3112 * @isp : the msq 3113 * @access : access requested 3114 * 3115 * return 0 if current has access, error otherwise 3116 */ 3117 static int smk_curacc_msq(struct kern_ipc_perm *isp, int access) 3118 { 3119 struct smack_known *msp = smack_of_ipc(isp); 3120 struct smk_audit_info ad; 3121 int rc; 3122 3123 #ifdef CONFIG_AUDIT 3124 smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_IPC); 3125 ad.a.u.ipc_id = isp->id; 3126 #endif 3127 rc = smk_curacc(msp, access, &ad); 3128 rc = smk_bu_current("msq", msp, access, rc); 3129 return rc; 3130 } 3131 3132 /** 3133 * smack_msg_queue_associate - Smack access check for msg_queue 3134 * @isp: the object 3135 * @msqflg: access requested 3136 * 3137 * Returns 0 if current has the requested access, error code otherwise 3138 */ 3139 static int smack_msg_queue_associate(struct kern_ipc_perm *isp, int msqflg) 3140 { 3141 int may; 3142 3143 may = smack_flags_to_may(msqflg); 3144 return smk_curacc_msq(isp, may); 3145 } 3146 3147 /** 3148 * smack_msg_queue_msgctl - Smack access check for msg_queue 
3149 * @isp: the object 3150 * @cmd: what it wants to do 3151 * 3152 * Returns 0 if current has the requested access, error code otherwise 3153 */ 3154 static int smack_msg_queue_msgctl(struct kern_ipc_perm *isp, int cmd) 3155 { 3156 int may; 3157 3158 switch (cmd) { 3159 case IPC_STAT: 3160 case MSG_STAT: 3161 case MSG_STAT_ANY: 3162 may = MAY_READ; 3163 break; 3164 case IPC_SET: 3165 case IPC_RMID: 3166 may = MAY_READWRITE; 3167 break; 3168 case IPC_INFO: 3169 case MSG_INFO: 3170 /* 3171 * System level information 3172 */ 3173 return 0; 3174 default: 3175 return -EINVAL; 3176 } 3177 3178 return smk_curacc_msq(isp, may); 3179 } 3180 3181 /** 3182 * smack_msg_queue_msgsnd - Smack access check for msg_queue 3183 * @isp: the object 3184 * @msg: unused 3185 * @msqflg: access requested 3186 * 3187 * Returns 0 if current has the requested access, error code otherwise 3188 */ 3189 static int smack_msg_queue_msgsnd(struct kern_ipc_perm *isp, struct msg_msg *msg, 3190 int msqflg) 3191 { 3192 int may; 3193 3194 may = smack_flags_to_may(msqflg); 3195 return smk_curacc_msq(isp, may); 3196 } 3197 3198 /** 3199 * smack_msg_queue_msgsnd - Smack access check for msg_queue 3200 * @isp: the object 3201 * @msg: unused 3202 * @target: unused 3203 * @type: unused 3204 * @mode: unused 3205 * 3206 * Returns 0 if current has read and write access, error code otherwise 3207 */ 3208 static int smack_msg_queue_msgrcv(struct kern_ipc_perm *isp, struct msg_msg *msg, 3209 struct task_struct *target, long type, int mode) 3210 { 3211 return smk_curacc_msq(isp, MAY_READWRITE); 3212 } 3213 3214 /** 3215 * smack_ipc_permission - Smack access for ipc_permission() 3216 * @ipp: the object permissions 3217 * @flag: access requested 3218 * 3219 * Returns 0 if current has read and write access, error code otherwise 3220 */ 3221 static int smack_ipc_permission(struct kern_ipc_perm *ipp, short flag) 3222 { 3223 struct smack_known **blob = smack_ipc(ipp); 3224 struct smack_known *iskp = *blob; 3225 int may 
= smack_flags_to_may(flag); 3226 struct smk_audit_info ad; 3227 int rc; 3228 3229 #ifdef CONFIG_AUDIT 3230 smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_IPC); 3231 ad.a.u.ipc_id = ipp->id; 3232 #endif 3233 rc = smk_curacc(iskp, may, &ad); 3234 rc = smk_bu_current("svipc", iskp, may, rc); 3235 return rc; 3236 } 3237 3238 /** 3239 * smack_ipc_getsecid - Extract smack security id 3240 * @ipp: the object permissions 3241 * @secid: where result will be saved 3242 */ 3243 static void smack_ipc_getsecid(struct kern_ipc_perm *ipp, u32 *secid) 3244 { 3245 struct smack_known **blob = smack_ipc(ipp); 3246 struct smack_known *iskp = *blob; 3247 3248 *secid = iskp->smk_secid; 3249 } 3250 3251 /** 3252 * smack_d_instantiate - Make sure the blob is correct on an inode 3253 * @opt_dentry: dentry where inode will be attached 3254 * @inode: the object 3255 * 3256 * Set the inode's security blob if it hasn't been done already. 3257 */ 3258 static void smack_d_instantiate(struct dentry *opt_dentry, struct inode *inode) 3259 { 3260 struct super_block *sbp; 3261 struct superblock_smack *sbsp; 3262 struct inode_smack *isp; 3263 struct smack_known *skp; 3264 struct smack_known *ckp = smk_of_current(); 3265 struct smack_known *final; 3266 char trattr[TRANS_TRUE_SIZE]; 3267 int transflag = 0; 3268 int rc; 3269 struct dentry *dp; 3270 3271 if (inode == NULL) 3272 return; 3273 3274 isp = smack_inode(inode); 3275 3276 mutex_lock(&isp->smk_lock); 3277 /* 3278 * If the inode is already instantiated 3279 * take the quick way out 3280 */ 3281 if (isp->smk_flags & SMK_INODE_INSTANT) 3282 goto unlockandout; 3283 3284 sbp = inode->i_sb; 3285 sbsp = sbp->s_security; 3286 /* 3287 * We're going to use the superblock default label 3288 * if there's no label on the file. 3289 */ 3290 final = sbsp->smk_default; 3291 3292 /* 3293 * If this is the root inode the superblock 3294 * may be in the process of initialization. 3295 * If that is the case use the root value out 3296 * of the superblock. 
3297 */ 3298 if (opt_dentry->d_parent == opt_dentry) { 3299 switch (sbp->s_magic) { 3300 case CGROUP_SUPER_MAGIC: 3301 case CGROUP2_SUPER_MAGIC: 3302 /* 3303 * The cgroup filesystem is never mounted, 3304 * so there's no opportunity to set the mount 3305 * options. 3306 */ 3307 sbsp->smk_root = &smack_known_star; 3308 sbsp->smk_default = &smack_known_star; 3309 isp->smk_inode = sbsp->smk_root; 3310 break; 3311 case TMPFS_MAGIC: 3312 /* 3313 * What about shmem/tmpfs anonymous files with dentry 3314 * obtained from d_alloc_pseudo()? 3315 */ 3316 isp->smk_inode = smk_of_current(); 3317 break; 3318 case PIPEFS_MAGIC: 3319 isp->smk_inode = smk_of_current(); 3320 break; 3321 case SOCKFS_MAGIC: 3322 /* 3323 * Socket access is controlled by the socket 3324 * structures associated with the task involved. 3325 */ 3326 isp->smk_inode = &smack_known_star; 3327 break; 3328 default: 3329 isp->smk_inode = sbsp->smk_root; 3330 break; 3331 } 3332 isp->smk_flags |= SMK_INODE_INSTANT; 3333 goto unlockandout; 3334 } 3335 3336 /* 3337 * This is pretty hackish. 3338 * Casey says that we shouldn't have to do 3339 * file system specific code, but it does help 3340 * with keeping it simple. 3341 */ 3342 switch (sbp->s_magic) { 3343 case SMACK_MAGIC: 3344 case CGROUP_SUPER_MAGIC: 3345 case CGROUP2_SUPER_MAGIC: 3346 /* 3347 * Casey says that it's a little embarrassing 3348 * that the smack file system doesn't do 3349 * extended attributes. 3350 * 3351 * Cgroupfs is special 3352 */ 3353 final = &smack_known_star; 3354 break; 3355 case DEVPTS_SUPER_MAGIC: 3356 /* 3357 * devpts seems content with the label of the task. 3358 * Programs that change smack have to treat the 3359 * pty with respect. 3360 */ 3361 final = ckp; 3362 break; 3363 case PROC_SUPER_MAGIC: 3364 /* 3365 * Casey says procfs appears not to care. 3366 * The superblock default suffices. 
3367 */ 3368 break; 3369 case TMPFS_MAGIC: 3370 /* 3371 * Device labels should come from the filesystem, 3372 * but watch out, because they're volitile, 3373 * getting recreated on every reboot. 3374 */ 3375 final = &smack_known_star; 3376 /* 3377 * If a smack value has been set we want to use it, 3378 * but since tmpfs isn't giving us the opportunity 3379 * to set mount options simulate setting the 3380 * superblock default. 3381 */ 3382 /* Fall through */ 3383 default: 3384 /* 3385 * This isn't an understood special case. 3386 * Get the value from the xattr. 3387 */ 3388 3389 /* 3390 * UNIX domain sockets use lower level socket data. 3391 */ 3392 if (S_ISSOCK(inode->i_mode)) { 3393 final = &smack_known_star; 3394 break; 3395 } 3396 /* 3397 * No xattr support means, alas, no SMACK label. 3398 * Use the aforeapplied default. 3399 * It would be curious if the label of the task 3400 * does not match that assigned. 3401 */ 3402 if (!(inode->i_opflags & IOP_XATTR)) 3403 break; 3404 /* 3405 * Get the dentry for xattr. 3406 */ 3407 dp = dget(opt_dentry); 3408 skp = smk_fetch(XATTR_NAME_SMACK, inode, dp); 3409 if (!IS_ERR_OR_NULL(skp)) 3410 final = skp; 3411 3412 /* 3413 * Transmuting directory 3414 */ 3415 if (S_ISDIR(inode->i_mode)) { 3416 /* 3417 * If this is a new directory and the label was 3418 * transmuted when the inode was initialized 3419 * set the transmute attribute on the directory 3420 * and mark the inode. 3421 * 3422 * If there is a transmute attribute on the 3423 * directory mark the inode. 
3424 */ 3425 if (isp->smk_flags & SMK_INODE_CHANGED) { 3426 isp->smk_flags &= ~SMK_INODE_CHANGED; 3427 rc = __vfs_setxattr(dp, inode, 3428 XATTR_NAME_SMACKTRANSMUTE, 3429 TRANS_TRUE, TRANS_TRUE_SIZE, 3430 0); 3431 } else { 3432 rc = __vfs_getxattr(dp, inode, 3433 XATTR_NAME_SMACKTRANSMUTE, trattr, 3434 TRANS_TRUE_SIZE); 3435 if (rc >= 0 && strncmp(trattr, TRANS_TRUE, 3436 TRANS_TRUE_SIZE) != 0) 3437 rc = -EINVAL; 3438 } 3439 if (rc >= 0) 3440 transflag = SMK_INODE_TRANSMUTE; 3441 } 3442 /* 3443 * Don't let the exec or mmap label be "*" or "@". 3444 */ 3445 skp = smk_fetch(XATTR_NAME_SMACKEXEC, inode, dp); 3446 if (IS_ERR(skp) || skp == &smack_known_star || 3447 skp == &smack_known_web) 3448 skp = NULL; 3449 isp->smk_task = skp; 3450 3451 skp = smk_fetch(XATTR_NAME_SMACKMMAP, inode, dp); 3452 if (IS_ERR(skp) || skp == &smack_known_star || 3453 skp == &smack_known_web) 3454 skp = NULL; 3455 isp->smk_mmap = skp; 3456 3457 dput(dp); 3458 break; 3459 } 3460 3461 if (final == NULL) 3462 isp->smk_inode = ckp; 3463 else 3464 isp->smk_inode = final; 3465 3466 isp->smk_flags |= (SMK_INODE_INSTANT | transflag); 3467 3468 unlockandout: 3469 mutex_unlock(&isp->smk_lock); 3470 return; 3471 } 3472 3473 /** 3474 * smack_getprocattr - Smack process attribute access 3475 * @p: the object task 3476 * @name: the name of the attribute in /proc/.../attr 3477 * @value: where to put the result 3478 * 3479 * Places a copy of the task Smack into value 3480 * 3481 * Returns the length of the smack label or an error code 3482 */ 3483 static int smack_getprocattr(struct task_struct *p, char *name, char **value) 3484 { 3485 struct smack_known *skp = smk_of_task_struct(p); 3486 char *cp; 3487 int slen; 3488 3489 if (strcmp(name, "current") != 0) 3490 return -EINVAL; 3491 3492 cp = kstrdup(skp->smk_known, GFP_KERNEL); 3493 if (cp == NULL) 3494 return -ENOMEM; 3495 3496 slen = strlen(cp); 3497 *value = cp; 3498 return slen; 3499 } 3500 3501 /** 3502 * smack_setprocattr - Smack process attribute 
setting
 * @name: the name of the attribute in /proc/.../attr
 * @value: the value to set
 * @size: the size of the value
 *
 * Sets the Smack value of the task. Only setting self
 * is permitted and only with privilege.
 *
 * Two gates apply: the caller must hold CAP_MAC_ADMIN or have a
 * non-empty relabel list, and an unprivileged caller may only pick a
 * label that is on its relabel list. The web ("@") and star ("*")
 * labels are refused for everyone. After a successful change the
 * relabel list of the new credentials is destroyed, so an
 * unprivileged task can relabel itself only once.
 *
 * Returns the length of the smack label or an error code: -EPERM when
 * not permitted, -EINVAL for a bad name, value or size, the error from
 * smk_import_entry(), or -ENOMEM.
 */
static int smack_setprocattr(const char *name, void *value, size_t size)
{
	struct task_smack *tsp = smack_cred(current_cred());
	struct cred *new;
	struct smack_known *skp;
	struct smack_known_list_elem *sklep;
	int rc;

	/* Permission is decided before the input is looked at. */
	if (!smack_privileged(CAP_MAC_ADMIN) && list_empty(&tsp->smk_relabel))
		return -EPERM;

	if (value == NULL || size == 0 || size >= SMK_LONGLABEL)
		return -EINVAL;

	if (strcmp(name, "current") != 0)
		return -EINVAL;

	skp = smk_import_entry(value, size);
	if (IS_ERR(skp))
		return PTR_ERR(skp);

	/*
	 * No process is ever allowed the web ("@") label
	 * and the star ("*") label.
	 */
	if (skp == &smack_known_web || skp == &smack_known_star)
		return -EINVAL;

	/* Unprivileged: the target label must be on the relabel list. */
	if (!smack_privileged(CAP_MAC_ADMIN)) {
		rc = -EPERM;
		list_for_each_entry(sklep, &tsp->smk_relabel, list)
			if (sklep->smk_label == skp) {
				rc = 0;
				break;
			}
		if (rc)
			return rc;
	}

	new = prepare_creds();
	if (new == NULL)
		return -ENOMEM;

	/* From here on tsp refers to the new credentials, not the current ones. */
	tsp = smack_cred(new);
	tsp->smk_task = skp;
	/*
	 * process can change its label only once
	 */
	smk_destroy_label_list(&tsp->smk_relabel);

	commit_creds(new);
	return size;
}

/**
 * smack_unix_stream_connect - Smack access on UDS
 * @sock: one sock
 * @other: the other sock
 * @newsk: the new sock created for the connection; its smk_packet is
 *         set on success
 *
 * Return 0 if a subject with the smack of sock could access
 * an object with the smack of other, otherwise an error code.
 *
 * The check is made in both directions: sock's smk_out must be able
 * to write other's smk_in, and other's smk_out must be able to write
 * sock's smk_in. CAP_MAC_OVERRIDE skips both checks. On success the
 * peer labels are cross referenced for SO_PEERSEC.
 */
static int smack_unix_stream_connect(struct sock *sock,
				     struct sock *other, struct sock *newsk)
{
	struct smack_known *skp;
	struct smack_known *okp;
	struct socket_smack *ssp = sock->sk_security;
	struct socket_smack *osp = other->sk_security;
	struct socket_smack *nsp = newsk->sk_security;
	struct smk_audit_info ad;
	int rc = 0;
#ifdef CONFIG_AUDIT
	struct lsm_network_audit net;
#endif

	if (!smack_privileged(CAP_MAC_OVERRIDE)) {
		skp = ssp->smk_out;
		okp = osp->smk_in;
#ifdef CONFIG_AUDIT
		smk_ad_init_net(&ad, __func__, LSM_AUDIT_DATA_NET, &net);
		smk_ad_setfield_u_net_sk(&ad, other);
#endif
		rc = smk_access(skp, okp, MAY_WRITE, &ad);
		rc = smk_bu_note("UDS connect", skp, okp, MAY_WRITE, rc);
		if (rc == 0) {
			/* Second direction, same audit record. */
			okp = osp->smk_out;
			skp = ssp->smk_in;
			rc = smk_access(okp, skp, MAY_WRITE, &ad);
			rc = smk_bu_note("UDS connect", okp, skp,
					 MAY_WRITE, rc);
		}
	}

	/*
	 * Cross reference the peer labels for SO_PEERSEC.
	 */
	if (rc == 0) {
		nsp->smk_packet = ssp->smk_out;
		ssp->smk_packet = osp->smk_out;
	}

	return rc;
}

/**
 * smack_unix_may_send - Smack access on UDS
 * @sock: one socket
 * @other: the other socket
 *
 * Return 0 if a subject with the smack of sock could access
 * an object with the smack of other, otherwise an error code.
 *
 * Unlike the stream connect check this is one directional: only
 * sock's smk_out writing other's smk_in is checked. CAP_MAC_OVERRIDE
 * skips the check.
 */
static int smack_unix_may_send(struct socket *sock, struct socket *other)
{
	struct socket_smack *ssp = sock->sk->sk_security;
	struct socket_smack *osp = other->sk->sk_security;
	struct smk_audit_info ad;
	int rc;

#ifdef CONFIG_AUDIT
	struct lsm_network_audit net;

	/* The audit record is prepared even if the privilege check short-circuits. */
	smk_ad_init_net(&ad, __func__, LSM_AUDIT_DATA_NET, &net);
	smk_ad_setfield_u_net_sk(&ad, other->sk);
#endif

	if (smack_privileged(CAP_MAC_OVERRIDE))
		return 0;

	rc = smk_access(ssp->smk_out, osp->smk_in, MAY_WRITE, &ad);
	rc = smk_bu_note("UDS send", ssp->smk_out, osp->smk_in, MAY_WRITE, rc);
	return rc;
}

/**
 * smack_socket_sendmsg - Smack check based on destination host
 * @sock: the socket
 * @msg: the message
 * @size: the size of the message (unused)
 *
 * Return 0 if the current subject can write to the destination host.
 * For IPv4 this is only a question if the destination is a single label host.
 * For IPv6 this is a check against the label of the port.
 *
 * A message without a destination address (msg_name NULL) is allowed
 * with 0. An address shorter than the family's structure, or whose
 * family does not match the socket, is rejected with -EINVAL. Socket
 * families other than AF_INET/AF_INET6 are allowed with 0.
 */
static int smack_socket_sendmsg(struct socket *sock, struct msghdr *msg,
				int size)
{
	struct sockaddr_in *sip = (struct sockaddr_in *) msg->msg_name;
#if IS_ENABLED(CONFIG_IPV6)
	struct sockaddr_in6 *sap = (struct sockaddr_in6 *) msg->msg_name;
#endif
#ifdef SMACK_IPV6_SECMARK_LABELING
	struct socket_smack *ssp = sock->sk->sk_security;
	struct smack_known *rsp;
#endif
	int rc = 0;

	/*
	 * Perfectly reasonable for this to be NULL
	 */
	if (sip == NULL)
		return 0;

	/*
	 * msg_namelen is checked against the family's structure size
	 * before any field of the address is read.
	 */
	switch (sock->sk->sk_family) {
	case AF_INET:
		if (msg->msg_namelen < sizeof(struct sockaddr_in) ||
		    sip->sin_family != AF_INET)
			return -EINVAL;
		rc = smack_netlabel_send(sock->sk, sip);
		break;
#if IS_ENABLED(CONFIG_IPV6)
	case AF_INET6:
		if (msg->msg_namelen < SIN6_LEN_RFC2133 ||
		    sap->sin6_family != AF_INET6)
			return -EINVAL;
#ifdef SMACK_IPV6_SECMARK_LABELING
		rsp = smack_ipv6host_label(sap);
		if (rsp != NULL)
			rc = smk_ipv6_check(ssp->smk_out, rsp, sap,
						SMK_CONNECTING);
#endif
#ifdef SMACK_IPV6_PORT_LABELING
		/*
		 * NOTE(review): with both labeling modes built in this
		 * replaces the secmark result above rather than
		 * combining with it - confirm intended.
		 */
		rc = smk_ipv6_port_check(sock->sk, sap, SMK_SENDING);
#endif
#endif /* IS_ENABLED(CONFIG_IPV6) */
		break;
	}
	/* No default case: any other family leaves rc at 0. */
	return rc;
}

/**
 * smack_from_secattr - Convert a netlabel attr.mls.lvl/attr.mls.cat pair to smack
 * @sap: netlabel secattr
 * @ssp: socket security information, may be NULL
 *
 * Returns a pointer to a Smack label entry found on the label list.
 *
 * Three cases, in order: a secattr carrying an MLS level is matched
 * against the level and category set of every known label; a secattr
 * carrying a secid is resolved with smack_from_secid(); anything else
 * yields smack_net_ambient. A CIPSO packet whose level/categories
 * match no label does not fall back to the ambient label - it gets
 * the star ("*") label, or the web ("@") label when the receiving
 * socket's smk_in is star.
 */
static struct smack_known *smack_from_secattr(struct netlbl_lsm_secattr *sap,
						struct socket_smack *ssp)
{
	struct smack_known *skp;
	int found = 0;
	int acat;
	int kcat;

	if ((sap->flags & NETLBL_SECATTR_MLS_LVL) != 0) {
		/*
		 * Looks like a CIPSO packet.
		 * If there are flags but no level netlabel isn't
		 * behaving the way we expect it to.
		 *
		 * Look it up in the label table.
		 * skp is only dereferenced after the loop when found
		 * was set, i.e. when the loop exited on a match.
		 */
		rcu_read_lock();
		list_for_each_entry_rcu(skp, &smack_known_list, list) {
			if (sap->attr.mls.lvl != skp->smk_netlabel.attr.mls.lvl)
				continue;
			/*
			 * Compare the catsets. Use the netlbl APIs.
			 * A packet without categories matches only a
			 * label without categories, and the search stops
			 * at the first label on this level either way.
			 */
			if ((sap->flags & NETLBL_SECATTR_MLS_CAT) == 0) {
				if ((skp->smk_netlabel.flags &
				     NETLBL_SECATTR_MLS_CAT) == 0)
					found = 1;
				break;
			}
			/*
			 * Walk both category maps in step; they match
			 * when both walks end (return < 0) together.
			 */
			for (acat = -1, kcat = -1; acat == kcat; ) {
				acat = netlbl_catmap_walk(sap->attr.mls.cat,
							  acat + 1);
				kcat = netlbl_catmap_walk(
					skp->smk_netlabel.attr.mls.cat,
					kcat + 1);
				if (acat < 0 || kcat < 0)
					break;
			}
			if (acat == kcat) {
				found = 1;
				break;
			}
		}
		rcu_read_unlock();

		if (found)
			return skp;

		/* Unknown CIPSO label: star, or web for a star-labeled socket. */
		if (ssp != NULL && ssp->smk_in == &smack_known_star)
			return &smack_known_web;
		return &smack_known_star;
	}
	if ((sap->flags & NETLBL_SECATTR_SECID) != 0)
		/*
		 * Looks like a fallback, which gives us a secid.
		 */
		return smack_from_secid(sap->attr.secid);
	/*
	 * Without guidance regarding the smack value
	 * for the packet fall back on the network
	 * ambient value.
3775 */ 3776 return smack_net_ambient; 3777 } 3778 3779 #if IS_ENABLED(CONFIG_IPV6) 3780 static int smk_skb_to_addr_ipv6(struct sk_buff *skb, struct sockaddr_in6 *sip) 3781 { 3782 u8 nexthdr; 3783 int offset; 3784 int proto = -EINVAL; 3785 struct ipv6hdr _ipv6h; 3786 struct ipv6hdr *ip6; 3787 __be16 frag_off; 3788 struct tcphdr _tcph, *th; 3789 struct udphdr _udph, *uh; 3790 struct dccp_hdr _dccph, *dh; 3791 3792 sip->sin6_port = 0; 3793 3794 offset = skb_network_offset(skb); 3795 ip6 = skb_header_pointer(skb, offset, sizeof(_ipv6h), &_ipv6h); 3796 if (ip6 == NULL) 3797 return -EINVAL; 3798 sip->sin6_addr = ip6->saddr; 3799 3800 nexthdr = ip6->nexthdr; 3801 offset += sizeof(_ipv6h); 3802 offset = ipv6_skip_exthdr(skb, offset, &nexthdr, &frag_off); 3803 if (offset < 0) 3804 return -EINVAL; 3805 3806 proto = nexthdr; 3807 switch (proto) { 3808 case IPPROTO_TCP: 3809 th = skb_header_pointer(skb, offset, sizeof(_tcph), &_tcph); 3810 if (th != NULL) 3811 sip->sin6_port = th->source; 3812 break; 3813 case IPPROTO_UDP: 3814 case IPPROTO_UDPLITE: 3815 uh = skb_header_pointer(skb, offset, sizeof(_udph), &_udph); 3816 if (uh != NULL) 3817 sip->sin6_port = uh->source; 3818 break; 3819 case IPPROTO_DCCP: 3820 dh = skb_header_pointer(skb, offset, sizeof(_dccph), &_dccph); 3821 if (dh != NULL) 3822 sip->sin6_port = dh->dccph_sport; 3823 break; 3824 } 3825 return proto; 3826 } 3827 #endif /* CONFIG_IPV6 */ 3828 3829 /** 3830 * smack_socket_sock_rcv_skb - Smack packet delivery access check 3831 * @sk: socket 3832 * @skb: packet 3833 * 3834 * Returns 0 if the packet should be delivered, an error code otherwise 3835 */ 3836 static int smack_socket_sock_rcv_skb(struct sock *sk, struct sk_buff *skb) 3837 { 3838 struct netlbl_lsm_secattr secattr; 3839 struct socket_smack *ssp = sk->sk_security; 3840 struct smack_known *skp = NULL; 3841 int rc = 0; 3842 struct smk_audit_info ad; 3843 u16 family = sk->sk_family; 3844 #ifdef CONFIG_AUDIT 3845 struct lsm_network_audit net; 3846 #endif 3847 
#if IS_ENABLED(CONFIG_IPV6) 3848 struct sockaddr_in6 sadd; 3849 int proto; 3850 3851 if (family == PF_INET6 && skb->protocol == htons(ETH_P_IP)) 3852 family = PF_INET; 3853 #endif /* CONFIG_IPV6 */ 3854 3855 switch (family) { 3856 case PF_INET: 3857 #ifdef CONFIG_SECURITY_SMACK_NETFILTER 3858 /* 3859 * If there is a secmark use it rather than the CIPSO label. 3860 * If there is no secmark fall back to CIPSO. 3861 * The secmark is assumed to reflect policy better. 3862 */ 3863 if (skb && skb->secmark != 0) { 3864 skp = smack_from_secid(skb->secmark); 3865 goto access_check; 3866 } 3867 #endif /* CONFIG_SECURITY_SMACK_NETFILTER */ 3868 /* 3869 * Translate what netlabel gave us. 3870 */ 3871 netlbl_secattr_init(&secattr); 3872 3873 rc = netlbl_skbuff_getattr(skb, family, &secattr); 3874 if (rc == 0) 3875 skp = smack_from_secattr(&secattr, ssp); 3876 else 3877 skp = smack_net_ambient; 3878 3879 netlbl_secattr_destroy(&secattr); 3880 3881 #ifdef CONFIG_SECURITY_SMACK_NETFILTER 3882 access_check: 3883 #endif 3884 #ifdef CONFIG_AUDIT 3885 smk_ad_init_net(&ad, __func__, LSM_AUDIT_DATA_NET, &net); 3886 ad.a.u.net->family = family; 3887 ad.a.u.net->netif = skb->skb_iif; 3888 ipv4_skb_to_auditdata(skb, &ad.a, NULL); 3889 #endif 3890 /* 3891 * Receiving a packet requires that the other end 3892 * be able to write here. Read access is not required. 3893 * This is the simplist possible security model 3894 * for networking. 
3895 */ 3896 rc = smk_access(skp, ssp->smk_in, MAY_WRITE, &ad); 3897 rc = smk_bu_note("IPv4 delivery", skp, ssp->smk_in, 3898 MAY_WRITE, rc); 3899 if (rc != 0) 3900 netlbl_skbuff_err(skb, family, rc, 0); 3901 break; 3902 #if IS_ENABLED(CONFIG_IPV6) 3903 case PF_INET6: 3904 proto = smk_skb_to_addr_ipv6(skb, &sadd); 3905 if (proto != IPPROTO_UDP && proto != IPPROTO_UDPLITE && 3906 proto != IPPROTO_TCP && proto != IPPROTO_DCCP) 3907 break; 3908 #ifdef SMACK_IPV6_SECMARK_LABELING 3909 if (skb && skb->secmark != 0) 3910 skp = smack_from_secid(skb->secmark); 3911 else if (smk_ipv6_localhost(&sadd)) 3912 break; 3913 else 3914 skp = smack_ipv6host_label(&sadd); 3915 if (skp == NULL) 3916 skp = smack_net_ambient; 3917 if (skb == NULL) 3918 break; 3919 #ifdef CONFIG_AUDIT 3920 smk_ad_init_net(&ad, __func__, LSM_AUDIT_DATA_NET, &net); 3921 ad.a.u.net->family = family; 3922 ad.a.u.net->netif = skb->skb_iif; 3923 ipv6_skb_to_auditdata(skb, &ad.a, NULL); 3924 #endif /* CONFIG_AUDIT */ 3925 rc = smk_access(skp, ssp->smk_in, MAY_WRITE, &ad); 3926 rc = smk_bu_note("IPv6 delivery", skp, ssp->smk_in, 3927 MAY_WRITE, rc); 3928 #endif /* SMACK_IPV6_SECMARK_LABELING */ 3929 #ifdef SMACK_IPV6_PORT_LABELING 3930 rc = smk_ipv6_port_check(sk, &sadd, SMK_RECEIVING); 3931 #endif /* SMACK_IPV6_PORT_LABELING */ 3932 if (rc != 0) 3933 icmpv6_send(skb, ICMPV6_DEST_UNREACH, 3934 ICMPV6_ADM_PROHIBITED, 0); 3935 break; 3936 #endif /* CONFIG_IPV6 */ 3937 } 3938 3939 return rc; 3940 } 3941 3942 /** 3943 * smack_socket_getpeersec_stream - pull in packet label 3944 * @sock: the socket 3945 * @optval: user's destination 3946 * @optlen: size thereof 3947 * @len: max thereof 3948 * 3949 * returns zero on success, an error code otherwise 3950 */ 3951 static int smack_socket_getpeersec_stream(struct socket *sock, 3952 char __user *optval, 3953 int __user *optlen, unsigned len) 3954 { 3955 struct socket_smack *ssp; 3956 char *rcp = ""; 3957 int slen = 1; 3958 int rc = 0; 3959 3960 ssp = sock->sk->sk_security; 
/* smack_socket_getpeersec_stream() continues */
	if (ssp->smk_packet != NULL) {
		rcp = ssp->smk_packet->smk_known;
		slen = strlen(rcp) + 1;
	}

	if (slen > len)
		rc = -ERANGE;
	else if (copy_to_user(optval, rcp, slen) != 0)
		rc = -EFAULT;

	/*
	 * The required length is reported even when the user buffer was
	 * too small (-ERANGE), so the caller can retry with a larger one.
	 */
	if (put_user(slen, optlen) != 0)
		rc = -EFAULT;

	return rc;
}


/**
 * smack_socket_getpeersec_dgram - pull in packet label
 * @sock: the peer socket
 * @skb: packet data
 * @secid: pointer to where to put the secid of the packet
 *
 * Determines the peer's secid: for PF_UNIX from the peer socket's
 * outbound label, for IPv4 from the secmark (when netfilter labeling
 * is enabled) or the netlabel attributes of @skb, and for IPv6 from
 * the secmark when SMACK_IPV6_SECMARK_LABELING is defined.
 *
 * Returns 0 on success, or -EINVAL when no secid could be determined
 * (in which case *@secid is 0).
 */
static int smack_socket_getpeersec_dgram(struct socket *sock,
					 struct sk_buff *skb, u32 *secid)
{
	struct netlbl_lsm_secattr secattr;
	struct socket_smack *ssp = NULL;
	struct smack_known *skp;
	int family = PF_UNSPEC;
	u32 s = 0;	/* 0 is the invalid secid */
	int rc;

	/* The packet's protocol, when there is one, decides the family */
	if (skb != NULL) {
		if (skb->protocol == htons(ETH_P_IP))
			family = PF_INET;
#if IS_ENABLED(CONFIG_IPV6)
		else if (skb->protocol == htons(ETH_P_IPV6))
			family = PF_INET6;
#endif /* CONFIG_IPV6 */
	}
	if (family == PF_UNSPEC && sock != NULL)
		family = sock->sk->sk_family;

	switch (family) {
	case PF_UNIX:
		ssp = sock->sk->sk_security;
		s = ssp->smk_out->smk_secid;
		break;
	case PF_INET:
		/*
		 * NOTE(review): this path reads skb unconditionally.  When
		 * family was taken from @sock because @skb is NULL, whether
		 * callers can reach here with a PF_INET socket is not
		 * visible in this file — confirm against the hook's callers.
		 */
#ifdef CONFIG_SECURITY_SMACK_NETFILTER
		s = skb->secmark;
		if (s != 0)
			break;
#endif
		/*
		 * Translate what netlabel gave us.
		 */
		if (sock != NULL && sock->sk != NULL)
			ssp = sock->sk->sk_security;
		netlbl_secattr_init(&secattr);
		rc = netlbl_skbuff_getattr(skb, family, &secattr);
		if (rc == 0) {
			skp = smack_from_secattr(&secattr, ssp);
			s = skp->smk_secid;
		}
		netlbl_secattr_destroy(&secattr);
		break;
	case PF_INET6:
#ifdef SMACK_IPV6_SECMARK_LABELING
		s = skb->secmark;
#endif
		break;
	}
	*secid = s;
	if (s == 0)
		return -EINVAL;
	return 0;
}

/**
 * smack_sock_graft - Initialize a newly created socket with an existing sock
 * @sk: child sock
 * @parent: parent socket (not consulted; the current task's label is used)
 *
 * Set the smk_{in,out} state of an existing sock based on the process that
 * is creating the new socket.  Only PF_INET and PF_INET6 socks are
 * relabeled; everything else is left as is.
 */
static void smack_sock_graft(struct sock *sk, struct socket *parent)
{
	struct socket_smack *ssp;
	struct smack_known *skp = smk_of_current();

	if (sk == NULL ||
	    (sk->sk_family != PF_INET && sk->sk_family != PF_INET6))
		return;

	ssp = sk->sk_security;
	ssp->smk_in = skp;
	ssp->smk_out = skp;
	/* cssp->smk_packet is already set in smack_inet_csk_clone() */
}

/**
 * smack_inet_conn_request - Smack access check on connect
 * @sk: socket involved
 * @skb: packet
 * @req: request_sock that receives the peer's secid and, for hosts
 *       without a configured label, the netlabel attributes
 *
 * Returns 0 if a task with the packet label could write to
 * the socket, otherwise an error code
 */
static int smack_inet_conn_request(struct sock *sk, struct sk_buff *skb,
				   struct request_sock *req)
{
	u16 family = sk->sk_family;
	struct smack_known *skp;
	struct socket_smack *ssp = sk->sk_security;
	struct netlbl_lsm_secattr secattr;
	struct sockaddr_in addr;
	struct iphdr *hdr;
	struct smack_known *hskp;
	int rc;
	struct smk_audit_info ad;
#ifdef CONFIG_AUDIT
	struct lsm_network_audit net;
#endif

#if IS_ENABLED(CONFIG_IPV6)
	if (family == PF_INET6) {
		/*
		 * Handle mapped IPv4 packets arriving
		 * via IPv6 sockets. Don't set up netlabel
		 * processing on IPv6.
		 */
		if (skb->protocol == htons(ETH_P_IP))
			family = PF_INET;
		else
			return 0;
	}
#endif /* CONFIG_IPV6 */

#ifdef CONFIG_SECURITY_SMACK_NETFILTER
	/*
	 * If there is a secmark use it rather than the CIPSO label.
	 * If there is no secmark fall back to CIPSO.
	 * The secmark is assumed to reflect policy better.
	 */
	if (skb && skb->secmark != 0) {
		skp = smack_from_secid(skb->secmark);
		goto access_check;
	}
#endif /* CONFIG_SECURITY_SMACK_NETFILTER */

	/*
	 * Unlike smack_socket_sock_rcv_skb(), a packet whose label
	 * netlabel cannot read is checked as smack_known_huh here,
	 * not as smack_net_ambient.
	 */
	netlbl_secattr_init(&secattr);
	rc = netlbl_skbuff_getattr(skb, family, &secattr);
	if (rc == 0)
		skp = smack_from_secattr(&secattr, ssp);
	else
		skp = &smack_known_huh;
	netlbl_secattr_destroy(&secattr);

#ifdef CONFIG_SECURITY_SMACK_NETFILTER
access_check:
#endif

#ifdef CONFIG_AUDIT
	smk_ad_init_net(&ad, __func__, LSM_AUDIT_DATA_NET, &net);
	ad.a.u.net->family = family;
	ad.a.u.net->netif = skb->skb_iif;
	ipv4_skb_to_auditdata(skb, &ad.a, NULL);
#endif
	/*
	 * Receiving a packet requires that the other end be able to write
	 * here. Read access is not required.
	 */
	rc = smk_access(skp, ssp->smk_in, MAY_WRITE, &ad);
	rc = smk_bu_note("IPv4 connect", skp, ssp->smk_in, MAY_WRITE, rc);
	if (rc != 0)
		return rc;

	/*
	 * Save the peer's label in the request_sock so we can later setup
	 * smk_packet in the child socket (smack_inet_csk_clone()) so that
	 * smack_socket_getpeersec_stream() can report it.
	 */
	req->peer_secid = skp->smk_secid;

	/*
	 * We need to decide if we want to label the incoming connection here
	 * if we do we only need to label the request_sock and the stack will
	 * propagate the wire-label to the sock when it is created.
	 *
	 * rc is 0 at this point; it only changes if netlbl_req_setattr()
	 * fails for a peer host that has no configured label.
	 */
	hdr = ip_hdr(skb);
	addr.sin_addr.s_addr = hdr->saddr;
	rcu_read_lock();
	hskp = smack_ipv4host_label(&addr);
	rcu_read_unlock();

	if (hskp == NULL)
		rc = netlbl_req_setattr(req, &skp->smk_netlabel);
	else
		netlbl_req_delattr(req);

	return rc;
}

/**
 * smack_inet_csk_clone - Copy the connection information to the new socket
 * @sk: the new socket
 * @req: the connection's request_sock
 *
 * Transfer the connection's peer label to the newly created socket.
 * A peer_secid of 0 (none recorded) clears smk_packet.
 */
static void smack_inet_csk_clone(struct sock *sk,
				 const struct request_sock *req)
{
	struct socket_smack *ssp = sk->sk_security;
	struct smack_known *skp;

	if (req->peer_secid != 0) {
		skp = smack_from_secid(req->peer_secid);
		ssp->smk_packet = skp;
	} else
		ssp->smk_packet = NULL;
}

/*
 * Key management security hooks
 *
 * Casey has not tested key support very heavily.
 * The permission check is most likely too restrictive.
 * If you care about keys please have a look.
*/
#ifdef CONFIG_KEYS

/**
 * smack_key_alloc - Set the key security blob
 * @key: object
 * @cred: the credentials to use
 * @flags: unused
 *
 * No allocation required: the blob is a pointer to the label of the
 * task owning @cred, which lives on the known label list.
 *
 * Returns 0
 */
static int smack_key_alloc(struct key *key, const struct cred *cred,
			   unsigned long flags)
{
	struct smack_known *skp = smk_of_task(smack_cred(cred));

	key->security = skp;
	return 0;
}

/**
 * smack_key_free - Clear the key security blob
 * @key: the object
 *
 * Clear the blob pointer.  Nothing is freed; the label it pointed to
 * is owned by the known label list.
 */
static void smack_key_free(struct key *key)
{
	key->security = NULL;
}

/**
 * smack_key_permission - Smack access on a key
 * @key_ref: gets to the object
 * @cred: the credentials to use
 * @perm: requested key permissions
 *
 * Return 0 if the task's label has the access to the key's label
 * that @perm maps to (READ/SEARCH/VIEW -> MAY_READ,
 * WRITE/LINK/SETATTR -> MAY_WRITE), an error code otherwise.
 */
static int smack_key_permission(key_ref_t key_ref,
				const struct cred *cred, unsigned perm)
{
	struct key *keyp;
	struct smk_audit_info ad;
	struct smack_known *tkp = smk_of_task(smack_cred(cred));
	int request = 0;
	int rc;

	/*
	 * Validate requested permissions
	 */
	if (perm & ~KEY_NEED_ALL)
		return -EINVAL;

	keyp = key_ref_to_ptr(key_ref);
	if (keyp == NULL)
		return -EINVAL;
	/*
	 * If the key hasn't been initialized give it access so that
	 * it may do so.
	 */
	if (keyp->security == NULL)
		return 0;
	/*
	 * This should not occur
	 */
	if (tkp == NULL)
		return -EACCES;

	/* The privilege check uses @cred, not the current task's creds */
	if (smack_privileged_cred(CAP_MAC_OVERRIDE, cred))
		return 0;

#ifdef CONFIG_AUDIT
	smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_KEY);
	ad.a.u.key_struct.key = keyp->serial;
	ad.a.u.key_struct.key_desc = keyp->description;
#endif
	/*
	 * Any KEY_NEED_* bit outside these two groups (if KEY_NEED_ALL
	 * contains any) leaves request at 0 for the access check.
	 */
	if (perm & (KEY_NEED_READ | KEY_NEED_SEARCH | KEY_NEED_VIEW))
		request |= MAY_READ;
	if (perm & (KEY_NEED_WRITE | KEY_NEED_LINK | KEY_NEED_SETATTR))
		request |= MAY_WRITE;
	rc = smk_access(tkp, keyp->security, request, &ad);
	rc = smk_bu_note("key access", tkp, keyp->security, request, rc);
	return rc;
}

/*
 * smack_key_getsecurity - Smack label tagging the key
 * @key points to the key to be queried
 * @_buffer points to a pointer that is set to a freshly allocated
 * copy of the label string; the caller owns and must free it.
 * Return the length of the string (including terminating NUL) or -ve if
 * an error.
 * May also return 0 (and a NULL buffer pointer) if there is no label.
 */
static int smack_key_getsecurity(struct key *key, char **_buffer)
{
	struct smack_known *skp = key->security;
	size_t length;
	char *copy;

	if (key->security == NULL) {
		*_buffer = NULL;
		return 0;
	}

	/* Copy rather than expose the label list entry to the caller */
	copy = kstrdup(skp->smk_known, GFP_KERNEL);
	if (copy == NULL)
		return -ENOMEM;
	length = strlen(copy) + 1;

	*_buffer = copy;
	return length;
}

#endif /* CONFIG_KEYS */

/*
 * Smack Audit hooks
 *
 * Audit requires a unique representation of each Smack specific
 * rule. This unique representation is used to distinguish the
 * object to be audited from remaining kernel objects and also
 * works as a glue between the audit hooks.
*
 * Since repository entries are added but never deleted, we'll use
 * the smack_known label address related to the given audit rule as
 * the needed unique representation. This also better fits the smack
 * model where nearly everything is a label.
 */
#ifdef CONFIG_AUDIT

/**
 * smack_audit_rule_init - Initialize a smack audit rule
 * @field: audit rule fields given from user-space (audit.h)
 * @op: required testing operator (=, !=, >, <, ...)
 * @rulestr: smack label to be audited
 * @vrule: pointer to save our own audit rule representation
 *
 * Prepare to audit cases where (@field @op @rulestr) is true.
 * The label to be audited is created if necessary.  Only the
 * AUDIT_SUBJ_USER/AUDIT_OBJ_USER fields and the equal/not-equal
 * operators are supported; anything else is -EINVAL.
 *
 * Returns 0 on success or a negative error code, in which case
 * *@vrule is NULL.
 */
static int smack_audit_rule_init(u32 field, u32 op, char *rulestr, void **vrule)
{
	struct smack_known *skp;
	char **rule = (char **)vrule;
	*rule = NULL;

	if (field != AUDIT_SUBJ_USER && field != AUDIT_OBJ_USER)
		return -EINVAL;

	if (op != Audit_equal && op != Audit_not_equal)
		return -EINVAL;

	/*
	 * Importing adds an unknown label to the known list as a side
	 * effect, so the rule can later be matched by pointer.
	 */
	skp = smk_import_entry(rulestr, 0);
	if (IS_ERR(skp))
		return PTR_ERR(skp);

	*rule = skp->smk_known;

	return 0;
}

/**
 * smack_audit_rule_known - Distinguish Smack audit rules
 * @krule: rule of interest, in Audit kernel representation format
 *
 * This is used to filter Smack rules from remaining Audit ones.
 * If it's proved that this rule belongs to us, the
 * audit_rule_match hook will be called to do the final judgement.
 *
 * Returns 1 if any field of @krule is AUDIT_SUBJ_USER or
 * AUDIT_OBJ_USER, 0 otherwise.
 */
static int smack_audit_rule_known(struct audit_krule *krule)
{
	struct audit_field *f;
	int i;

	for (i = 0; i < krule->field_count; i++) {
		f = &krule->fields[i];

		if (f->type == AUDIT_SUBJ_USER || f->type == AUDIT_OBJ_USER)
			return 1;
	}

	return 0;
}

/**
 * smack_audit_rule_match - Audit given object ?
 * @secid: security id for identifying the object to test
 * @field: audit rule flags given from user-space
 * @op: required testing operator
 * @vrule: smack internal rule presentation
 *
 * The core Audit hook. It's used to take the decision of
 * whether to audit or not to audit a given object.
 *
 * Returns 1 on a match, 0 for no match or an unsupported field or
 * operator, and -ENOENT (with a one-time warning) if @vrule is NULL.
 */
static int smack_audit_rule_match(u32 secid, u32 field, u32 op, void *vrule)
{
	struct smack_known *skp;
	char *rule = vrule;

	if (unlikely(!rule)) {
		WARN_ONCE(1, "Smack: missing rule\n");
		return -ENOENT;
	}

	if (field != AUDIT_SUBJ_USER && field != AUDIT_OBJ_USER)
		return 0;

	skp = smack_from_secid(secid);

	/*
	 * No need to do string comparisons. If a match occurs,
	 * both pointers will point to the same smack_known
	 * label.
	 */
	if (op == Audit_equal)
		return (rule == skp->smk_known);
	if (op == Audit_not_equal)
		return (rule != skp->smk_known);

	return 0;
}

/*
 * There is no need for a smack_audit_rule_free hook.
 * No memory was allocated.
 */

#endif /* CONFIG_AUDIT */

/**
 * smack_ismaclabel - check if xattr @name references a smack MAC label
 * @name: Full xattr name to check.
 *
 * Returns 1 only for an exact match of the Smack xattr suffix.
 */
static int smack_ismaclabel(const char *name)
{
	return (strcmp(name, XATTR_SMACK_SUFFIX) == 0);
}


/**
 * smack_secid_to_secctx - return the smack label for a secid
 * @secid: incoming integer
 * @secdata: destination
 * @seclen: how long it is
 *
 * Exists for networking code.
*/
static int smack_secid_to_secctx(u32 secid, char **secdata, u32 *seclen)
{
	struct smack_known *skp = smack_from_secid(secid);

	/*
	 * The context is a pointer into the known label list, not a
	 * copy, which is why there is no release hook (see below).
	 * @seclen excludes the terminating NUL.
	 */
	if (secdata)
		*secdata = skp->smk_known;
	*seclen = strlen(skp->smk_known);
	return 0;
}

/**
 * smack_secctx_to_secid - return the secid for a smack label
 * @secdata: smack label
 * @seclen: how long result is
 * @secid: outgoing integer
 *
 * Exists for audit and networking code.
 *
 * An unknown label yields *@secid == 0 and is not reported as an
 * error.  NOTE(review): @seclen is not used; smk_find_entry() is given
 * @secdata alone, so it is presumably expected to be NUL-terminated —
 * confirm with the callers.
 */
static int smack_secctx_to_secid(const char *secdata, u32 seclen, u32 *secid)
{
	struct smack_known *skp = smk_find_entry(secdata);

	if (skp)
		*secid = skp->smk_secid;
	else
		*secid = 0;
	return 0;
}

/*
 * There used to be a smack_release_secctx hook
 * that did nothing back when hooks were in a vector.
 * Now that there's a list such a hook adds cost.
 */

/**
 * smack_inode_notifysecctx - apply a security context to an inode
 * @inode: the inode
 * @ctx: the label string
 * @ctxlen: its length
 *
 * Sets the inode's Smack label via smack_inode_setsecurity(); no
 * xattr is written.
 */
static int smack_inode_notifysecctx(struct inode *inode, void *ctx, u32 ctxlen)
{
	return smack_inode_setsecurity(inode, XATTR_SMACK_SUFFIX, ctx, ctxlen, 0);
}

/**
 * smack_inode_setsecctx - store a security context as the Smack xattr
 * @dentry: the dentry
 * @ctx: the label string
 * @ctxlen: its length
 *
 * Writes the xattr without the usual permission checks; the caller
 * is responsible for having authorised the operation.
 */
static int smack_inode_setsecctx(struct dentry *dentry, void *ctx, u32 ctxlen)
{
	return __vfs_setxattr_noperm(dentry, XATTR_NAME_SMACK, ctx, ctxlen, 0);
}

/**
 * smack_inode_getsecctx - fetch an inode's Smack label as a context
 * @inode: the inode
 * @ctx: receives a pointer to the label string (not a copy)
 * @ctxlen: receives the label length, excluding the NUL
 *
 * Always returns 0.
 */
static int smack_inode_getsecctx(struct inode *inode, void **ctx, u32 *ctxlen)
{
	struct smack_known *skp = smk_of_inode(inode);

	*ctx = skp->smk_known;
	*ctxlen = strlen(skp->smk_known);
	return 0;
}

/**
 * smack_inode_copy_up - set up credentials for an overlay copy-up
 * @dentry: the dentry being copied up
 * @new: in/out pointer to the credentials to use; allocated here if NULL
 *
 * The task label of the new credentials is set to the label of the
 * inode of @dentry's parent directory.
 *
 * Returns 0, or -ENOMEM if credentials had to be allocated and could not be.
 */
static int smack_inode_copy_up(struct dentry *dentry, struct cred **new)
{

	struct task_smack *tsp;
	struct smack_known *skp;
	struct inode_smack *isp;
	struct cred *new_creds = *new;

	if (new_creds == NULL) {
		new_creds = prepare_creds();
		if (new_creds == NULL)
			return -ENOMEM;
	}

	tsp = smack_cred(new_creds);

	/*
	 * Use the label of the parent directory's inode as the task
	 * label of the new credentials.
	 */
	isp = smack_inode(d_inode(dentry->d_parent));
	skp = isp->smk_inode;
	tsp->smk_task = skp;
	*new = new_creds;
	return 0;
}

/**
 * smack_inode_copy_up_xattr - should this xattr be copied up?
 * @name: the xattr name
 *
 * Returns 1 for the Smack access attribute (it is handled by Smack
 * itself), -EOPNOTSUPP for every other name.
 */
static int smack_inode_copy_up_xattr(const char *name)
{
	/*
	 * Return 1 if this is the smack access Smack attribute.
	 */
	if (strcmp(name, XATTR_NAME_SMACK) == 0)
		return 1;

	return -EOPNOTSUPP;
}

/**
 * smack_dentry_create_files_as - label for files created under @dentry
 * @dentry: the parent dentry
 * @mode: unused
 * @name: unused
 * @old: the credentials of the creating process
 * @new: the credentials to adjust
 *
 * Copies the task label from @old to @new, then, if the containing
 * directory is transmuting and the creator's rule to that directory
 * grants MAY_TRANSMUTE, replaces it with the directory's label.
 *
 * Always returns 0.
 */
static int smack_dentry_create_files_as(struct dentry *dentry, int mode,
					struct qstr *name,
					const struct cred *old,
					struct cred *new)
{
	struct task_smack *otsp = smack_cred(old);
	struct task_smack *ntsp = smack_cred(new);
	struct inode_smack *isp;
	int may;

	/*
	 * Use the process credential unless all of
	 * the transmuting criteria are met
	 */
	ntsp->smk_task = otsp->smk_task;

	/*
	 * the attribute of the containing directory
	 */
	isp = smack_inode(d_inode(dentry->d_parent));

	if (isp->smk_flags & SMK_INODE_TRANSMUTE) {
		rcu_read_lock();
		may = smk_access_entry(otsp->smk_task->smk_known,
				       isp->smk_inode->smk_known,
				       &otsp->smk_task->smk_rules);
		rcu_read_unlock();

		/*
		 * If the directory is transmuting and the rule
		 * providing access is transmuting use the containing
		 * directory label instead of the process label.
*/
		if (may > 0 && (may & MAY_TRANSMUTE))
			ntsp->smk_task = isp->smk_inode;
	}
	return 0;
}

/*
 * Per-object security blob sizes requested from the LSM framework.
 * Files, IPC objects and messages carry a single label pointer;
 * credentials and inodes carry a full Smack structure.
 */
struct lsm_blob_sizes smack_blob_sizes __lsm_ro_after_init = {
	.lbs_cred = sizeof(struct task_smack),
	.lbs_file = sizeof(struct smack_known *),
	.lbs_inode = sizeof(struct inode_smack),
	.lbs_ipc = sizeof(struct smack_known *),
	.lbs_msg_msg = sizeof(struct smack_known *),
};

static struct security_hook_list smack_hooks[] __lsm_ro_after_init = {
	LSM_HOOK_INIT(ptrace_access_check, smack_ptrace_access_check),
	LSM_HOOK_INIT(ptrace_traceme, smack_ptrace_traceme),
	LSM_HOOK_INIT(syslog, smack_syslog),

	LSM_HOOK_INIT(fs_context_dup, smack_fs_context_dup),
	LSM_HOOK_INIT(fs_context_parse_param, smack_fs_context_parse_param),

	LSM_HOOK_INIT(sb_alloc_security, smack_sb_alloc_security),
	LSM_HOOK_INIT(sb_free_security, smack_sb_free_security),
	LSM_HOOK_INIT(sb_free_mnt_opts, smack_free_mnt_opts),
	LSM_HOOK_INIT(sb_eat_lsm_opts, smack_sb_eat_lsm_opts),
	LSM_HOOK_INIT(sb_statfs, smack_sb_statfs),
	LSM_HOOK_INIT(sb_set_mnt_opts, smack_set_mnt_opts),

	LSM_HOOK_INIT(bprm_set_creds, smack_bprm_set_creds),

	LSM_HOOK_INIT(inode_alloc_security, smack_inode_alloc_security),
	LSM_HOOK_INIT(inode_init_security, smack_inode_init_security),
	LSM_HOOK_INIT(inode_link, smack_inode_link),
	LSM_HOOK_INIT(inode_unlink, smack_inode_unlink),
	LSM_HOOK_INIT(inode_rmdir, smack_inode_rmdir),
	LSM_HOOK_INIT(inode_rename, smack_inode_rename),
	LSM_HOOK_INIT(inode_permission, smack_inode_permission),
	LSM_HOOK_INIT(inode_setattr, smack_inode_setattr),
	LSM_HOOK_INIT(inode_getattr, smack_inode_getattr),
	LSM_HOOK_INIT(inode_setxattr, smack_inode_setxattr),
	LSM_HOOK_INIT(inode_post_setxattr, smack_inode_post_setxattr),
	LSM_HOOK_INIT(inode_getxattr, smack_inode_getxattr),
	LSM_HOOK_INIT(inode_removexattr, smack_inode_removexattr),
	LSM_HOOK_INIT(inode_getsecurity, smack_inode_getsecurity),
	LSM_HOOK_INIT(inode_setsecurity, smack_inode_setsecurity),
	LSM_HOOK_INIT(inode_listsecurity, smack_inode_listsecurity),
	LSM_HOOK_INIT(inode_getsecid, smack_inode_getsecid),

	LSM_HOOK_INIT(file_alloc_security, smack_file_alloc_security),
	LSM_HOOK_INIT(file_ioctl, smack_file_ioctl),
	LSM_HOOK_INIT(file_lock, smack_file_lock),
	LSM_HOOK_INIT(file_fcntl, smack_file_fcntl),
	LSM_HOOK_INIT(mmap_file, smack_mmap_file),
	/* mmap_addr is delegated to the capability module's check */
	LSM_HOOK_INIT(mmap_addr, cap_mmap_addr),
	LSM_HOOK_INIT(file_set_fowner, smack_file_set_fowner),
	LSM_HOOK_INIT(file_send_sigiotask, smack_file_send_sigiotask),
	LSM_HOOK_INIT(file_receive, smack_file_receive),

	LSM_HOOK_INIT(file_open, smack_file_open),

	LSM_HOOK_INIT(cred_alloc_blank, smack_cred_alloc_blank),
	LSM_HOOK_INIT(cred_free, smack_cred_free),
	LSM_HOOK_INIT(cred_prepare, smack_cred_prepare),
	LSM_HOOK_INIT(cred_transfer, smack_cred_transfer),
	LSM_HOOK_INIT(cred_getsecid, smack_cred_getsecid),
	LSM_HOOK_INIT(kernel_act_as, smack_kernel_act_as),
	LSM_HOOK_INIT(kernel_create_files_as, smack_kernel_create_files_as),
	LSM_HOOK_INIT(task_setpgid, smack_task_setpgid),
	LSM_HOOK_INIT(task_getpgid, smack_task_getpgid),
	LSM_HOOK_INIT(task_getsid, smack_task_getsid),
	LSM_HOOK_INIT(task_getsecid, smack_task_getsecid),
	LSM_HOOK_INIT(task_setnice, smack_task_setnice),
	LSM_HOOK_INIT(task_setioprio, smack_task_setioprio),
	LSM_HOOK_INIT(task_getioprio, smack_task_getioprio),
	LSM_HOOK_INIT(task_setscheduler, smack_task_setscheduler),
	LSM_HOOK_INIT(task_getscheduler, smack_task_getscheduler),
	LSM_HOOK_INIT(task_movememory, smack_task_movememory),
	LSM_HOOK_INIT(task_kill, smack_task_kill),
	LSM_HOOK_INIT(task_to_inode, smack_task_to_inode),

	LSM_HOOK_INIT(ipc_permission, smack_ipc_permission),
	LSM_HOOK_INIT(ipc_getsecid, smack_ipc_getsecid),

	LSM_HOOK_INIT(msg_msg_alloc_security, smack_msg_msg_alloc_security),

	/* Message queues, shared memory and semaphores share one allocator */
	LSM_HOOK_INIT(msg_queue_alloc_security, smack_ipc_alloc_security),
	LSM_HOOK_INIT(msg_queue_associate, smack_msg_queue_associate),
	LSM_HOOK_INIT(msg_queue_msgctl, smack_msg_queue_msgctl),
	LSM_HOOK_INIT(msg_queue_msgsnd, smack_msg_queue_msgsnd),
	LSM_HOOK_INIT(msg_queue_msgrcv, smack_msg_queue_msgrcv),

	LSM_HOOK_INIT(shm_alloc_security, smack_ipc_alloc_security),
	LSM_HOOK_INIT(shm_associate, smack_shm_associate),
	LSM_HOOK_INIT(shm_shmctl, smack_shm_shmctl),
	LSM_HOOK_INIT(shm_shmat, smack_shm_shmat),

	LSM_HOOK_INIT(sem_alloc_security, smack_ipc_alloc_security),
	LSM_HOOK_INIT(sem_associate, smack_sem_associate),
	LSM_HOOK_INIT(sem_semctl, smack_sem_semctl),
	LSM_HOOK_INIT(sem_semop, smack_sem_semop),

	LSM_HOOK_INIT(d_instantiate, smack_d_instantiate),

	LSM_HOOK_INIT(getprocattr, smack_getprocattr),
	LSM_HOOK_INIT(setprocattr, smack_setprocattr),

	LSM_HOOK_INIT(unix_stream_connect, smack_unix_stream_connect),
	LSM_HOOK_INIT(unix_may_send, smack_unix_may_send),

	LSM_HOOK_INIT(socket_post_create, smack_socket_post_create),
	LSM_HOOK_INIT(socket_socketpair, smack_socket_socketpair),
#ifdef SMACK_IPV6_PORT_LABELING
	/* bind() is only mediated when IPv6 port labeling is built in */
	LSM_HOOK_INIT(socket_bind, smack_socket_bind),
#endif
	LSM_HOOK_INIT(socket_connect, smack_socket_connect),
	LSM_HOOK_INIT(socket_sendmsg, smack_socket_sendmsg),
	LSM_HOOK_INIT(socket_sock_rcv_skb, smack_socket_sock_rcv_skb),
	LSM_HOOK_INIT(socket_getpeersec_stream, smack_socket_getpeersec_stream),
	LSM_HOOK_INIT(socket_getpeersec_dgram, smack_socket_getpeersec_dgram),
	LSM_HOOK_INIT(sk_alloc_security, smack_sk_alloc_security),
	LSM_HOOK_INIT(sk_free_security, smack_sk_free_security),
	LSM_HOOK_INIT(sock_graft, smack_sock_graft),
	LSM_HOOK_INIT(inet_conn_request, smack_inet_conn_request),
	LSM_HOOK_INIT(inet_csk_clone, smack_inet_csk_clone),

 /* key management security hooks */
#ifdef CONFIG_KEYS
	LSM_HOOK_INIT(key_alloc, smack_key_alloc),
	LSM_HOOK_INIT(key_free, smack_key_free),
	LSM_HOOK_INIT(key_permission, smack_key_permission),
	LSM_HOOK_INIT(key_getsecurity, smack_key_getsecurity),
#endif /* CONFIG_KEYS */

 /* Audit hooks */
#ifdef CONFIG_AUDIT
	LSM_HOOK_INIT(audit_rule_init, smack_audit_rule_init),
	LSM_HOOK_INIT(audit_rule_known, smack_audit_rule_known),
	LSM_HOOK_INIT(audit_rule_match, smack_audit_rule_match),
#endif /* CONFIG_AUDIT */

	LSM_HOOK_INIT(ismaclabel, smack_ismaclabel),
	LSM_HOOK_INIT(secid_to_secctx, smack_secid_to_secctx),
	LSM_HOOK_INIT(secctx_to_secid, smack_secctx_to_secid),
	LSM_HOOK_INIT(inode_notifysecctx, smack_inode_notifysecctx),
	LSM_HOOK_INIT(inode_setsecctx, smack_inode_setsecctx),
	LSM_HOOK_INIT(inode_getsecctx, smack_inode_getsecctx),
	LSM_HOOK_INIT(inode_copy_up, smack_inode_copy_up),
	LSM_HOOK_INIT(inode_copy_up_xattr, smack_inode_copy_up_xattr),
	LSM_HOOK_INIT(dentry_create_files_as, smack_dentry_create_files_as),
};


/**
 * init_smack_known_list - set up the built-in labels
 *
 * Initializes the rule lock and rule list of each of the five
 * predefined labels (huh, hat, floor, star, web) and inserts them
 * into the known label list.
 */
static __init void init_smack_known_list(void)
{
	/*
	 * Initialize rule list locks
	 */
	mutex_init(&smack_known_huh.smk_rules_lock);
	mutex_init(&smack_known_hat.smk_rules_lock);
	mutex_init(&smack_known_floor.smk_rules_lock);
	mutex_init(&smack_known_star.smk_rules_lock);
	mutex_init(&smack_known_web.smk_rules_lock);
	/*
	 * Initialize rule lists
	 */
	INIT_LIST_HEAD(&smack_known_huh.smk_rules);
	INIT_LIST_HEAD(&smack_known_hat.smk_rules);
	INIT_LIST_HEAD(&smack_known_star.smk_rules);
	INIT_LIST_HEAD(&smack_known_floor.smk_rules);
	INIT_LIST_HEAD(&smack_known_web.smk_rules);
	/*
	 * Create the known labels list
	 */
	smk_insert_entry(&smack_known_huh);
	smk_insert_entry(&smack_known_hat);
	smk_insert_entry(&smack_known_star);
	smk_insert_entry(&smack_known_floor);
	smk_insert_entry(&smack_known_web);
}

/**
 * smack_init - initialize the smack system
 *
 * Returns 0 on success, -ENOMEM if there's no memory
 *
 * Creates the inode and rule slab caches, labels the initial task
 * with the floor label, registers the hooks and then populates the
 * known label list.  Note that the hooks are registered (and
 * smack_enabled set) before init_smack_known_list() runs.
 */
static __init int smack_init(void)
{
	/*
	 * The init task's credentials are modified in place during early
	 * boot, hence the cast away from const.
	 */
	struct cred *cred = (struct cred *) current->cred;
	struct task_smack *tsp;

	smack_inode_cache = KMEM_CACHE(inode_smack, 0);
	if (!smack_inode_cache)
		return -ENOMEM;

	smack_rule_cache = KMEM_CACHE(smack_rule, 0);
	if (!smack_rule_cache) {
		/* Do not leak the first cache when the second fails */
		kmem_cache_destroy(smack_inode_cache);
		return -ENOMEM;
	}

	/*
	 * Set the security state for the initial task.
	 */
	tsp = smack_cred(cred);
	init_task_smack(tsp, &smack_known_floor, &smack_known_floor);

	/*
	 * Register with LSM
	 */
	security_add_hooks(smack_hooks, ARRAY_SIZE(smack_hooks), "smack");
	smack_enabled = 1;

	pr_info("Smack: Initializing.\n");
#ifdef CONFIG_SECURITY_SMACK_NETFILTER
	pr_info("Smack: Netfilter enabled.\n");
#endif
#ifdef SMACK_IPV6_PORT_LABELING
	pr_info("Smack: IPv6 port labeling enabled.\n");
#endif
#ifdef SMACK_IPV6_SECMARK_LABELING
	pr_info("Smack: IPv6 Netfilter enabled.\n");
#endif

	/* initialize the smack_known_list */
	init_smack_known_list();

	return 0;
}

/*
 * Smack requires early initialization in order to label
 * all processes and objects when they are created.
 * It is a legacy major LSM and exclusive: it cannot be stacked
 * with another exclusive LSM.
 */
DEFINE_LSM(smack) = {
	.name = "smack",
	.flags = LSM_FLAG_LEGACY_MAJOR | LSM_FLAG_EXCLUSIVE,
	.blobs = &smack_blob_sizes,
	.init = smack_init,
};