1 /* 2 * Simplified MAC Kernel (smack) security module 3 * 4 * This file contains the smack hook function implementations. 5 * 6 * Authors: 7 * Casey Schaufler <casey@schaufler-ca.com> 8 * Jarkko Sakkinen <jarkko.sakkinen@intel.com> 9 * 10 * Copyright (C) 2007 Casey Schaufler <casey@schaufler-ca.com> 11 * Copyright (C) 2009 Hewlett-Packard Development Company, L.P. 12 * Paul Moore <paul@paul-moore.com> 13 * Copyright (C) 2010 Nokia Corporation 14 * Copyright (C) 2011 Intel Corporation. 15 * 16 * This program is free software; you can redistribute it and/or modify 17 * it under the terms of the GNU General Public License version 2, 18 * as published by the Free Software Foundation. 19 */ 20 21 #include <linux/xattr.h> 22 #include <linux/pagemap.h> 23 #include <linux/mount.h> 24 #include <linux/stat.h> 25 #include <linux/kd.h> 26 #include <asm/ioctls.h> 27 #include <linux/ip.h> 28 #include <linux/tcp.h> 29 #include <linux/udp.h> 30 #include <linux/dccp.h> 31 #include <linux/slab.h> 32 #include <linux/mutex.h> 33 #include <linux/pipe_fs_i.h> 34 #include <net/cipso_ipv4.h> 35 #include <net/ip.h> 36 #include <net/ipv6.h> 37 #include <linux/audit.h> 38 #include <linux/magic.h> 39 #include <linux/dcache.h> 40 #include <linux/personality.h> 41 #include <linux/msg.h> 42 #include <linux/shm.h> 43 #include <linux/binfmts.h> 44 #include <linux/parser.h> 45 #include "smack.h" 46 47 #define TRANS_TRUE "TRUE" 48 #define TRANS_TRUE_SIZE 4 49 50 #define SMK_CONNECTING 0 51 #define SMK_RECEIVING 1 52 #define SMK_SENDING 2 53 54 #ifdef SMACK_IPV6_PORT_LABELING 55 static LIST_HEAD(smk_ipv6_port_list); 56 #endif 57 static struct kmem_cache *smack_inode_cache; 58 int smack_enabled; 59 60 static const match_table_t smk_mount_tokens = { 61 {Opt_fsdefault, SMK_FSDEFAULT "%s"}, 62 {Opt_fsfloor, SMK_FSFLOOR "%s"}, 63 {Opt_fshat, SMK_FSHAT "%s"}, 64 {Opt_fsroot, SMK_FSROOT "%s"}, 65 {Opt_fstransmute, SMK_FSTRANS "%s"}, 66 {Opt_error, NULL}, 67 }; 68 69 #ifdef CONFIG_SECURITY_SMACK_BRINGUP 70 static char *smk_bu_mess[] = { 71 "Bringup Error", /* Unused */ 72 "Bringup", /* SMACK_BRINGUP_ALLOW */ 73 "Unconfined Subject", /* SMACK_UNCONFINED_SUBJECT */ 74 "Unconfined Object", /* SMACK_UNCONFINED_OBJECT */ 75 }; 76 77 static void smk_bu_mode(int mode, char *s) 78 { 79 int i = 0; 80 81 if (mode & MAY_READ) 82 s[i++] = 'r'; 83 if (mode & MAY_WRITE) 84 s[i++] = 'w'; 85 if (mode & MAY_EXEC) 86 s[i++] = 'x'; 87 if (mode & MAY_APPEND) 88 s[i++] = 'a'; 89 if (mode & MAY_TRANSMUTE) 90 s[i++] = 't'; 91 if (mode & MAY_LOCK) 92 s[i++] = 'l'; 93 if (i == 0) 94 s[i++] = '-'; 95 s[i] = '\0'; 96 } 97 #endif 98 99 #ifdef CONFIG_SECURITY_SMACK_BRINGUP 100 static int smk_bu_note(char *note, struct smack_known *sskp, 101 struct smack_known *oskp, int mode, int rc) 102 { 103 char acc[SMK_NUM_ACCESS_TYPE + 1]; 104 105 if (rc <= 0) 106 return rc; 107 if (rc > SMACK_UNCONFINED_OBJECT) 108 rc = 0; 109 110 smk_bu_mode(mode, acc); 111 pr_info("Smack %s: (%s %s %s) %s\n", smk_bu_mess[rc], 112 sskp->smk_known, oskp->smk_known, acc, note); 113 return 0; 114 } 115 #else 116 #define smk_bu_note(note, sskp, oskp, mode, RC) (RC) 117 #endif 118 119 #ifdef CONFIG_SECURITY_SMACK_BRINGUP 120 static int smk_bu_current(char *note, struct smack_known *oskp, 121 int mode, int rc) 122 { 123 struct task_smack *tsp = current_security(); 124 char acc[SMK_NUM_ACCESS_TYPE + 1]; 125 126 if (rc <= 0) 127 return rc; 128 if (rc > SMACK_UNCONFINED_OBJECT) 129 rc = 0; 130 131 smk_bu_mode(mode, acc); 132 pr_info("Smack %s: (%s %s %s) %s %s\n", smk_bu_mess[rc], 133 tsp->smk_task->smk_known, oskp->smk_known, 134 acc, current->comm, note); 135 return 0; 136 } 137 #else 138 #define smk_bu_current(note, oskp, mode, RC) (RC) 139 #endif 140 141 #ifdef CONFIG_SECURITY_SMACK_BRINGUP 142 static int smk_bu_task(struct task_struct *otp, int mode, int rc) 143 { 144 struct task_smack *tsp = current_security(); 145 struct smack_known *smk_task = smk_of_task_struct(otp); 146 char acc[SMK_NUM_ACCESS_TYPE + 1]; 147 148 if (rc <= 0) 149 return rc; 150 if (rc > SMACK_UNCONFINED_OBJECT) 151 rc = 0; 152 153 smk_bu_mode(mode, acc); 154 pr_info("Smack %s: (%s %s %s) %s to %s\n", smk_bu_mess[rc], 155 tsp->smk_task->smk_known, smk_task->smk_known, acc, 156 current->comm, otp->comm); 157 return 0; 158 } 159 #else 160 #define smk_bu_task(otp, mode, RC) (RC) 161 #endif 162 163 #ifdef CONFIG_SECURITY_SMACK_BRINGUP 164 static int smk_bu_inode(struct inode *inode, int mode, int rc) 165 { 166 struct task_smack *tsp = current_security(); 167 struct inode_smack *isp = inode->i_security; 168 char acc[SMK_NUM_ACCESS_TYPE + 1]; 169 170 if (isp->smk_flags & SMK_INODE_IMPURE) 171 pr_info("Smack Unconfined Corruption: inode=(%s %ld) %s\n", 172 inode->i_sb->s_id, inode->i_ino, current->comm); 173 174 if (rc <= 0) 175 return rc; 176 if (rc > SMACK_UNCONFINED_OBJECT) 177 rc = 0; 178 if (rc == SMACK_UNCONFINED_SUBJECT && 179 (mode & (MAY_WRITE | MAY_APPEND))) 180 isp->smk_flags |= SMK_INODE_IMPURE; 181 182 smk_bu_mode(mode, acc); 183 184 pr_info("Smack %s: (%s %s %s) inode=(%s %ld) %s\n", smk_bu_mess[rc], 185 tsp->smk_task->smk_known, isp->smk_inode->smk_known, acc, 186 inode->i_sb->s_id, inode->i_ino, current->comm); 187 return 0; 188 } 189 #else 190 #define smk_bu_inode(inode, mode, RC) (RC) 191 #endif 192 193 #ifdef CONFIG_SECURITY_SMACK_BRINGUP 194 static int smk_bu_file(struct file *file, int mode, int rc) 195 { 196 struct task_smack *tsp = current_security(); 197 struct smack_known *sskp = tsp->smk_task; 198 struct inode *inode = file_inode(file); 199 struct inode_smack *isp = inode->i_security; 200 char acc[SMK_NUM_ACCESS_TYPE + 1]; 201 202 if (isp->smk_flags & SMK_INODE_IMPURE) 203 pr_info("Smack Unconfined Corruption: inode=(%s %ld) %s\n", 204 inode->i_sb->s_id, inode->i_ino, current->comm); 205 206 if (rc <= 0) 207 return rc; 208 if (rc > SMACK_UNCONFINED_OBJECT) 209 rc = 0; 210 211 smk_bu_mode(mode, acc); 212 pr_info("Smack %s: (%s %s %s) file=(%s %ld %pD) %s\n", smk_bu_mess[rc], 213 sskp->smk_known, smk_of_inode(inode)->smk_known, acc, 214 inode->i_sb->s_id, inode->i_ino, file, 215 current->comm); 216 return 0; 217 } 218 #else 219 #define smk_bu_file(file, mode, RC) (RC) 220 #endif 221 222 #ifdef CONFIG_SECURITY_SMACK_BRINGUP 223 static int smk_bu_credfile(const struct cred *cred, struct file *file, 224 int mode, int rc) 225 { 226 struct task_smack *tsp = cred->security; 227 struct smack_known *sskp = tsp->smk_task; 228 struct inode *inode = file->f_inode; 229 struct inode_smack *isp = inode->i_security; 230 char acc[SMK_NUM_ACCESS_TYPE + 1]; 231 232 if (isp->smk_flags & SMK_INODE_IMPURE) 233 pr_info("Smack Unconfined Corruption: inode=(%s %ld) %s\n", 234 inode->i_sb->s_id, inode->i_ino, current->comm); 235 236 if (rc <= 0) 237 return rc; 238 if (rc > SMACK_UNCONFINED_OBJECT) 239 rc = 0; 240 241 smk_bu_mode(mode, acc); 242 pr_info("Smack %s: (%s %s %s) file=(%s %ld %pD) %s\n", smk_bu_mess[rc], 243 sskp->smk_known, smk_of_inode(inode)->smk_known, acc, 244 inode->i_sb->s_id, inode->i_ino, file, 245 current->comm); 246 return 0; 247 } 248 #else 249 #define smk_bu_credfile(cred, file, mode, RC) (RC) 250 #endif 251 252 /** 253 * smk_fetch - Fetch the smack label from a file. 254 * @name: type of the label (attribute) 255 * @ip: a pointer to the inode 256 * @dp: a pointer to the dentry 257 * 258 * Returns a pointer to the master list entry for the Smack label, 259 * NULL if there was no label to fetch, or an error code. 260 */ 261 static struct smack_known *smk_fetch(const char *name, struct inode *ip, 262 struct dentry *dp) 263 { 264 int rc; 265 char *buffer; 266 struct smack_known *skp = NULL; 267 268 if (ip->i_op->getxattr == NULL) 269 return ERR_PTR(-EOPNOTSUPP); 270 271 buffer = kzalloc(SMK_LONGLABEL, GFP_KERNEL); 272 if (buffer == NULL) 273 return ERR_PTR(-ENOMEM); 274 275 rc = ip->i_op->getxattr(dp, name, buffer, SMK_LONGLABEL); 276 if (rc < 0) 277 skp = ERR_PTR(rc); 278 else if (rc == 0) 279 skp = NULL; 280 else 281 skp = smk_import_entry(buffer, rc); 282 283 kfree(buffer); 284 285 return skp; 286 } 287 288 /** 289 * new_inode_smack - allocate an inode security blob 290 * @skp: a pointer to the Smack label entry to use in the blob 291 * 292 * Returns the new blob or NULL if there's no memory available 293 */ 294 static struct inode_smack *new_inode_smack(struct smack_known *skp) 295 { 296 struct inode_smack *isp; 297 298 isp = kmem_cache_zalloc(smack_inode_cache, GFP_NOFS); 299 if (isp == NULL) 300 return NULL; 301 302 isp->smk_inode = skp; 303 isp->smk_flags = 0; 304 mutex_init(&isp->smk_lock); 305 306 return isp; 307 } 308 309 /** 310 * new_task_smack - allocate a task security blob 311 * @task: a pointer to the Smack label for the running task 312 * @forked: a pointer to the Smack label for the forked task 313 * @gfp: type of the memory for the allocation 314 * 315 * Returns the new blob or NULL if there's no memory available 316 */ 317 static struct task_smack *new_task_smack(struct smack_known *task, 318 struct smack_known *forked, gfp_t gfp) 319 { 320 struct task_smack *tsp; 321 322 tsp = kzalloc(sizeof(struct task_smack), gfp); 323 if (tsp == NULL) 324 return NULL; 325 326 tsp->smk_task = task; 327 tsp->smk_forked = forked; 328 INIT_LIST_HEAD(&tsp->smk_rules); 329 INIT_LIST_HEAD(&tsp->smk_relabel); 330 mutex_init(&tsp->smk_rules_lock); 331 332 return tsp; 333 } 334 335 /** 336 * smk_copy_rules - copy a rule set 337 * @nhead: new rules header pointer 338 * @ohead: old rules header pointer 339 * @gfp: type of the memory for the allocation 340 * 341 * Returns 0 on success, -ENOMEM on error 342 */ 343 static int smk_copy_rules(struct list_head *nhead, struct list_head *ohead, 344 gfp_t gfp) 345 { 346 struct smack_rule *nrp; 347 struct smack_rule *orp; 348 int rc = 0; 349 350 INIT_LIST_HEAD(nhead); 351 352 list_for_each_entry_rcu(orp, ohead, list) { 353 nrp = kzalloc(sizeof(struct smack_rule), gfp); 354 if (nrp == NULL) { 355 rc = -ENOMEM; 356 break; 357 } 358 *nrp = *orp; 359 list_add_rcu(&nrp->list, nhead); 360 } 361 return rc; 362 } 363 364 /** 365 * smk_copy_relabel - copy smk_relabel labels list 366 * @nhead: new rules header pointer 367 * @ohead: old rules header pointer 368 * @gfp: type of the memory for the allocation 369 * 370 * Returns 0 on success, -ENOMEM on error 371 */ 372 static int smk_copy_relabel(struct list_head *nhead, struct list_head *ohead, 373 gfp_t gfp) 374 { 375 struct smack_known_list_elem *nklep; 376 struct smack_known_list_elem *oklep; 377 378 INIT_LIST_HEAD(nhead); 379 380 list_for_each_entry(oklep, ohead, list) { 381 nklep = kzalloc(sizeof(struct smack_known_list_elem), gfp); 382 if (nklep == NULL) { 383 smk_destroy_label_list(nhead); 384 return -ENOMEM; 385 } 386 nklep->smk_label = oklep->smk_label; 387 list_add(&nklep->list, nhead); 388 } 389 390 return 0; 391 } 392 393 /** 394 * smk_ptrace_mode - helper function for converting PTRACE_MODE_* into MAY_* 395 * @mode - input mode in form of PTRACE_MODE_* 396 * 397 * Returns a converted MAY_* mode usable by smack rules 398 */ 399 static inline unsigned int smk_ptrace_mode(unsigned int mode) 400 { 401 if (mode & PTRACE_MODE_ATTACH) 402 return MAY_READWRITE; 403 if (mode & PTRACE_MODE_READ) 404 return MAY_READ; 405 406 return 0; 407 } 408 409 /** 410 * smk_ptrace_rule_check - helper for ptrace access 411 * @tracer: tracer process 412 * @tracee_known: label entry of the process that's about to be traced 413 * @mode: ptrace attachment mode (PTRACE_MODE_*) 414 * @func: name of the function that called us, used for audit 415 * 416 * Returns 0 on access granted, -error on error 417 */ 418 static int smk_ptrace_rule_check(struct task_struct *tracer, 419 struct smack_known *tracee_known, 420 unsigned int mode, const char *func) 421 { 422 int rc; 423 struct smk_audit_info ad, *saip = NULL; 424 struct task_smack *tsp; 425 struct smack_known *tracer_known; 426 427 if ((mode & PTRACE_MODE_NOAUDIT) == 0) { 428 smk_ad_init(&ad, func, LSM_AUDIT_DATA_TASK); 429 smk_ad_setfield_u_tsk(&ad, tracer); 430 saip = &ad; 431 } 432 433 rcu_read_lock(); 434 tsp = __task_cred(tracer)->security; 435 tracer_known = smk_of_task(tsp); 436 437 if ((mode & PTRACE_MODE_ATTACH) && 438 (smack_ptrace_rule == SMACK_PTRACE_EXACT || 439 smack_ptrace_rule == SMACK_PTRACE_DRACONIAN)) { 440 if (tracer_known->smk_known == tracee_known->smk_known) 441 rc = 0; 442 else if (smack_ptrace_rule == SMACK_PTRACE_DRACONIAN) 443 rc = -EACCES; 444 else if (capable(CAP_SYS_PTRACE)) 445 rc = 0; 446 else 447 rc = -EACCES; 448 449 if (saip) 450 smack_log(tracer_known->smk_known, 451 tracee_known->smk_known, 452 0, rc, saip); 453 454 rcu_read_unlock(); 455 return rc; 456 } 457 458 /* In case of rule==SMACK_PTRACE_DEFAULT or mode==PTRACE_MODE_READ */ 459 rc = smk_tskacc(tsp, tracee_known, smk_ptrace_mode(mode), saip); 460 461 rcu_read_unlock(); 462 return rc; 463 } 464 465 /* 466 * LSM hooks. 467 * We he, that is fun! 468 */ 469 470 /** 471 * smack_ptrace_access_check - Smack approval on PTRACE_ATTACH 472 * @ctp: child task pointer 473 * @mode: ptrace attachment mode (PTRACE_MODE_*) 474 * 475 * Returns 0 if access is OK, an error code otherwise 476 * 477 * Do the capability checks. 478 */ 479 static int smack_ptrace_access_check(struct task_struct *ctp, unsigned int mode) 480 { 481 struct smack_known *skp; 482 483 skp = smk_of_task_struct(ctp); 484 485 return smk_ptrace_rule_check(current, skp, mode, __func__); 486 } 487 488 /** 489 * smack_ptrace_traceme - Smack approval on PTRACE_TRACEME 490 * @ptp: parent task pointer 491 * 492 * Returns 0 if access is OK, an error code otherwise 493 * 494 * Do the capability checks, and require PTRACE_MODE_ATTACH. 495 */ 496 static int smack_ptrace_traceme(struct task_struct *ptp) 497 { 498 int rc; 499 struct smack_known *skp; 500 501 skp = smk_of_task(current_security()); 502 503 rc = smk_ptrace_rule_check(ptp, skp, PTRACE_MODE_ATTACH, __func__); 504 return rc; 505 } 506 507 /** 508 * smack_syslog - Smack approval on syslog 509 * @type: message type 510 * 511 * Returns 0 on success, error code otherwise. 512 */ 513 static int smack_syslog(int typefrom_file) 514 { 515 int rc = 0; 516 struct smack_known *skp = smk_of_current(); 517 518 if (smack_privileged(CAP_MAC_OVERRIDE)) 519 return 0; 520 521 if (smack_syslog_label != NULL && smack_syslog_label != skp) 522 rc = -EACCES; 523 524 return rc; 525 } 526 527 528 /* 529 * Superblock Hooks. 530 */ 531 532 /** 533 * smack_sb_alloc_security - allocate a superblock blob 534 * @sb: the superblock getting the blob 535 * 536 * Returns 0 on success or -ENOMEM on error. 537 */ 538 static int smack_sb_alloc_security(struct super_block *sb) 539 { 540 struct superblock_smack *sbsp; 541 542 sbsp = kzalloc(sizeof(struct superblock_smack), GFP_KERNEL); 543 544 if (sbsp == NULL) 545 return -ENOMEM; 546 547 sbsp->smk_root = &smack_known_floor; 548 sbsp->smk_default = &smack_known_floor; 549 sbsp->smk_floor = &smack_known_floor; 550 sbsp->smk_hat = &smack_known_hat; 551 /* 552 * smk_initialized will be zero from kzalloc. 553 */ 554 sb->s_security = sbsp; 555 556 return 0; 557 } 558 559 /** 560 * smack_sb_free_security - free a superblock blob 561 * @sb: the superblock getting the blob 562 * 563 */ 564 static void smack_sb_free_security(struct super_block *sb) 565 { 566 kfree(sb->s_security); 567 sb->s_security = NULL; 568 } 569 570 /** 571 * smack_sb_copy_data - copy mount options data for processing 572 * @orig: where to start 573 * @smackopts: mount options string 574 * 575 * Returns 0 on success or -ENOMEM on error. 576 * 577 * Copy the Smack specific mount options out of the mount 578 * options list. 579 */ 580 static int smack_sb_copy_data(char *orig, char *smackopts) 581 { 582 char *cp, *commap, *otheropts, *dp; 583 584 otheropts = (char *)get_zeroed_page(GFP_KERNEL); 585 if (otheropts == NULL) 586 return -ENOMEM; 587 588 for (cp = orig, commap = orig; commap != NULL; cp = commap + 1) { 589 if (strstr(cp, SMK_FSDEFAULT) == cp) 590 dp = smackopts; 591 else if (strstr(cp, SMK_FSFLOOR) == cp) 592 dp = smackopts; 593 else if (strstr(cp, SMK_FSHAT) == cp) 594 dp = smackopts; 595 else if (strstr(cp, SMK_FSROOT) == cp) 596 dp = smackopts; 597 else if (strstr(cp, SMK_FSTRANS) == cp) 598 dp = smackopts; 599 else 600 dp = otheropts; 601 602 commap = strchr(cp, ','); 603 if (commap != NULL) 604 *commap = '\0'; 605 606 if (*dp != '\0') 607 strcat(dp, ","); 608 strcat(dp, cp); 609 } 610 611 strcpy(orig, otheropts); 612 free_page((unsigned long)otheropts); 613 614 return 0; 615 } 616 617 /** 618 * smack_parse_opts_str - parse Smack specific mount options 619 * @options: mount options string 620 * @opts: where to store converted mount opts 621 * 622 * Returns 0 on success or -ENOMEM on error. 623 * 624 * converts Smack specific mount options to generic security option format 625 */ 626 static int smack_parse_opts_str(char *options, 627 struct security_mnt_opts *opts) 628 { 629 char *p; 630 char *fsdefault = NULL; 631 char *fsfloor = NULL; 632 char *fshat = NULL; 633 char *fsroot = NULL; 634 char *fstransmute = NULL; 635 int rc = -ENOMEM; 636 int num_mnt_opts = 0; 637 int token; 638 639 opts->num_mnt_opts = 0; 640 641 if (!options) 642 return 0; 643 644 while ((p = strsep(&options, ",")) != NULL) { 645 substring_t args[MAX_OPT_ARGS]; 646 647 if (!*p) 648 continue; 649 650 token = match_token(p, smk_mount_tokens, args); 651 652 switch (token) { 653 case Opt_fsdefault: 654 if (fsdefault) 655 goto out_opt_err; 656 fsdefault = match_strdup(&args[0]); 657 if (!fsdefault) 658 goto out_err; 659 break; 660 case Opt_fsfloor: 661 if (fsfloor) 662 goto out_opt_err; 663 fsfloor = match_strdup(&args[0]); 664 if (!fsfloor) 665 goto out_err; 666 break; 667 case Opt_fshat: 668 if (fshat) 669 goto out_opt_err; 670 fshat = match_strdup(&args[0]); 671 if (!fshat) 672 goto out_err; 673 break; 674 case Opt_fsroot: 675 if (fsroot) 676 goto out_opt_err; 677 fsroot = match_strdup(&args[0]); 678 if (!fsroot) 679 goto out_err; 680 break; 681 case Opt_fstransmute: 682 if (fstransmute) 683 goto out_opt_err; 684 fstransmute = match_strdup(&args[0]); 685 if (!fstransmute) 686 goto out_err; 687 break; 688 default: 689 rc = -EINVAL; 690 pr_warn("Smack: unknown mount option\n"); 691 goto out_err; 692 } 693 } 694 695 opts->mnt_opts = kcalloc(NUM_SMK_MNT_OPTS, sizeof(char *), GFP_ATOMIC); 696 if (!opts->mnt_opts) 697 goto out_err; 698 699 opts->mnt_opts_flags = kcalloc(NUM_SMK_MNT_OPTS, sizeof(int), 700 GFP_ATOMIC); 701 if (!opts->mnt_opts_flags) { 702 kfree(opts->mnt_opts); 703 goto out_err; 704 } 705 706 if (fsdefault) { 707 opts->mnt_opts[num_mnt_opts] = fsdefault; 708 opts->mnt_opts_flags[num_mnt_opts++] = FSDEFAULT_MNT; 709 } 710 if (fsfloor) { 711 opts->mnt_opts[num_mnt_opts] = fsfloor; 712 opts->mnt_opts_flags[num_mnt_opts++] = FSFLOOR_MNT; 713 } 714 if (fshat) { 715 opts->mnt_opts[num_mnt_opts] = fshat; 716 opts->mnt_opts_flags[num_mnt_opts++] = FSHAT_MNT; 717 } 718 if (fsroot) { 719 opts->mnt_opts[num_mnt_opts] = fsroot; 720 opts->mnt_opts_flags[num_mnt_opts++] = FSROOT_MNT; 721 } 722 if (fstransmute) { 723 opts->mnt_opts[num_mnt_opts] = fstransmute; 724 opts->mnt_opts_flags[num_mnt_opts++] = FSTRANS_MNT; 725 } 726 727 opts->num_mnt_opts = num_mnt_opts; 728 return 0; 729 730 out_opt_err: 731 rc = -EINVAL; 732 pr_warn("Smack: duplicate mount options\n"); 733 734 out_err: 735 kfree(fsdefault); 736 kfree(fsfloor); 737 kfree(fshat); 738 kfree(fsroot); 739 kfree(fstransmute); 740 return rc; 741 } 742 743 /** 744 * smack_set_mnt_opts - set Smack specific mount options 745 * @sb: the file system superblock 746 * @opts: Smack mount options 747 * @kern_flags: mount option from kernel space or user space 748 * @set_kern_flags: where to store converted mount opts 749 * 750 * Returns 0 on success, an error code on failure 751 * 752 * Allow filesystems with binary mount data to explicitly set Smack mount 753 * labels. 754 */ 755 static int smack_set_mnt_opts(struct super_block *sb, 756 struct security_mnt_opts *opts, 757 unsigned long kern_flags, 758 unsigned long *set_kern_flags) 759 { 760 struct dentry *root = sb->s_root; 761 struct inode *inode = d_backing_inode(root); 762 struct superblock_smack *sp = sb->s_security; 763 struct inode_smack *isp; 764 struct smack_known *skp; 765 int i; 766 int num_opts = opts->num_mnt_opts; 767 int transmute = 0; 768 769 if (sp->smk_initialized) 770 return 0; 771 772 sp->smk_initialized = 1; 773 774 for (i = 0; i < num_opts; i++) { 775 switch (opts->mnt_opts_flags[i]) { 776 case FSDEFAULT_MNT: 777 skp = smk_import_entry(opts->mnt_opts[i], 0); 778 if (IS_ERR(skp)) 779 return PTR_ERR(skp); 780 sp->smk_default = skp; 781 break; 782 case FSFLOOR_MNT: 783 skp = smk_import_entry(opts->mnt_opts[i], 0); 784 if (IS_ERR(skp)) 785 return PTR_ERR(skp); 786 sp->smk_floor = skp; 787 break; 788 case FSHAT_MNT: 789 skp = smk_import_entry(opts->mnt_opts[i], 0); 790 if (IS_ERR(skp)) 791 return PTR_ERR(skp); 792 sp->smk_hat = skp; 793 break; 794 case FSROOT_MNT: 795 skp = smk_import_entry(opts->mnt_opts[i], 0); 796 if (IS_ERR(skp)) 797 return PTR_ERR(skp); 798 sp->smk_root = skp; 799 break; 800 case FSTRANS_MNT: 801 skp = smk_import_entry(opts->mnt_opts[i], 0); 802 if (IS_ERR(skp)) 803 return PTR_ERR(skp); 804 sp->smk_root = skp; 805 transmute = 1; 806 break; 807 default: 808 break; 809 } 810 } 811 812 if (!smack_privileged(CAP_MAC_ADMIN)) { 813 /* 814 * Unprivileged mounts don't get to specify Smack values. 815 */ 816 if (num_opts) 817 return -EPERM; 818 /* 819 * Unprivileged mounts get root and default from the caller. 820 */ 821 skp = smk_of_current(); 822 sp->smk_root = skp; 823 sp->smk_default = skp; 824 } 825 826 /* 827 * Initialize the root inode. 828 */ 829 isp = inode->i_security; 830 if (isp == NULL) { 831 isp = new_inode_smack(sp->smk_root); 832 if (isp == NULL) 833 return -ENOMEM; 834 inode->i_security = isp; 835 } else 836 isp->smk_inode = sp->smk_root; 837 838 if (transmute) 839 isp->smk_flags |= SMK_INODE_TRANSMUTE; 840 841 return 0; 842 } 843 844 /** 845 * smack_sb_kern_mount - Smack specific mount processing 846 * @sb: the file system superblock 847 * @flags: the mount flags 848 * @data: the smack mount options 849 * 850 * Returns 0 on success, an error code on failure 851 */ 852 static int smack_sb_kern_mount(struct super_block *sb, int flags, void *data) 853 { 854 int rc = 0; 855 char *options = data; 856 struct security_mnt_opts opts; 857 858 security_init_mnt_opts(&opts); 859 860 if (!options) 861 goto out; 862 863 rc = smack_parse_opts_str(options, &opts); 864 if (rc) 865 goto out_err; 866 867 out: 868 rc = smack_set_mnt_opts(sb, &opts, 0, NULL); 869 870 out_err: 871 security_free_mnt_opts(&opts); 872 return rc; 873 } 874 875 /** 876 * smack_sb_statfs - Smack check on statfs 877 * @dentry: identifies the file system in question 878 * 879 * Returns 0 if current can read the floor of the filesystem, 880 * and error code otherwise 881 */ 882 static int smack_sb_statfs(struct dentry *dentry) 883 { 884 struct superblock_smack *sbp = dentry->d_sb->s_security; 885 int rc; 886 struct smk_audit_info ad; 887 888 smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_DENTRY); 889 smk_ad_setfield_u_fs_path_dentry(&ad, dentry); 890 891 rc = smk_curacc(sbp->smk_floor, MAY_READ, &ad); 892 rc = smk_bu_current("statfs", sbp->smk_floor, MAY_READ, rc); 893 return rc; 894 } 895 896 /* 897 * BPRM hooks 898 */ 899 900 /** 901 * smack_bprm_set_creds - set creds for exec 902 * @bprm: the exec information 903 * 904 * Returns 0 if it gets a blob, -EPERM if exec forbidden and -ENOMEM otherwise 905 */ 906 static int smack_bprm_set_creds(struct linux_binprm *bprm) 907 { 908 struct inode *inode = file_inode(bprm->file); 909 struct task_smack *bsp = bprm->cred->security; 910 struct inode_smack *isp; 911 int rc; 912 913 if (bprm->cred_prepared) 914 return 0; 915 916 isp = inode->i_security; 917 if (isp->smk_task == NULL || isp->smk_task == bsp->smk_task) 918 return 0; 919 920 if (bprm->unsafe & (LSM_UNSAFE_PTRACE | LSM_UNSAFE_PTRACE_CAP)) { 921 struct task_struct *tracer; 922 rc = 0; 923 924 rcu_read_lock(); 925 tracer = ptrace_parent(current); 926 if (likely(tracer != NULL)) 927 rc = smk_ptrace_rule_check(tracer, 928 isp->smk_task, 929 PTRACE_MODE_ATTACH, 930 __func__); 931 rcu_read_unlock(); 932 933 if (rc != 0) 934 return rc; 935 } else if (bprm->unsafe) 936 return -EPERM; 937 938 bsp->smk_task = isp->smk_task; 939 bprm->per_clear |= PER_CLEAR_ON_SETID; 940 941 return 0; 942 } 943 944 /** 945 * smack_bprm_committing_creds - Prepare to install the new credentials 946 * from bprm. 947 * 948 * @bprm: binprm for exec 949 */ 950 static void smack_bprm_committing_creds(struct linux_binprm *bprm) 951 { 952 struct task_smack *bsp = bprm->cred->security; 953 954 if (bsp->smk_task != bsp->smk_forked) 955 current->pdeath_signal = 0; 956 } 957 958 /** 959 * smack_bprm_secureexec - Return the decision to use secureexec. 960 * @bprm: binprm for exec 961 * 962 * Returns 0 on success. 963 */ 964 static int smack_bprm_secureexec(struct linux_binprm *bprm) 965 { 966 struct task_smack *tsp = current_security(); 967 968 if (tsp->smk_task != tsp->smk_forked) 969 return 1; 970 971 return 0; 972 } 973 974 /* 975 * Inode hooks 976 */ 977 978 /** 979 * smack_inode_alloc_security - allocate an inode blob 980 * @inode: the inode in need of a blob 981 * 982 * Returns 0 if it gets a blob, -ENOMEM otherwise 983 */ 984 static int smack_inode_alloc_security(struct inode *inode) 985 { 986 struct smack_known *skp = smk_of_current(); 987 988 inode->i_security = new_inode_smack(skp); 989 if (inode->i_security == NULL) 990 return -ENOMEM; 991 return 0; 992 } 993 994 /** 995 * smack_inode_free_security - free an inode blob 996 * @inode: the inode with a blob 997 * 998 * Clears the blob pointer in inode 999 */ 1000 static void smack_inode_free_security(struct inode *inode) 1001 { 1002 kmem_cache_free(smack_inode_cache, inode->i_security); 1003 inode->i_security = NULL; 1004 } 1005 1006 /** 1007 * smack_inode_init_security - copy out the smack from an inode 1008 * @inode: the newly created inode 1009 * @dir: containing directory object 1010 * @qstr: unused 1011 * @name: where to put the attribute name 1012 * @value: where to put the attribute value 1013 * @len: where to put the length of the attribute 1014 * 1015 * Returns 0 if it all works out, -ENOMEM if there's no memory 1016 */ 1017 static int smack_inode_init_security(struct inode *inode, struct inode *dir, 1018 const struct qstr *qstr, const char **name, 1019 void **value, size_t *len) 1020 { 1021 struct inode_smack *issp = inode->i_security; 1022 struct smack_known *skp = smk_of_current(); 1023 struct smack_known *isp = smk_of_inode(inode); 1024 struct smack_known *dsp = smk_of_inode(dir); 1025 int may; 1026 1027 if (name) 1028 *name = XATTR_SMACK_SUFFIX; 1029 1030 if (value && len) { 1031 rcu_read_lock(); 1032 may = smk_access_entry(skp->smk_known, dsp->smk_known, 1033 &skp->smk_rules); 1034 rcu_read_unlock(); 1035 1036 /* 1037 * If the access rule allows transmutation and 1038 * the directory requests transmutation then 1039 * by all means transmute. 1040 * Mark the inode as changed. 1041 */ 1042 if (may > 0 && ((may & MAY_TRANSMUTE) != 0) && 1043 smk_inode_transmutable(dir)) { 1044 isp = dsp; 1045 issp->smk_flags |= SMK_INODE_CHANGED; 1046 } 1047 1048 *value = kstrdup(isp->smk_known, GFP_NOFS); 1049 if (*value == NULL) 1050 return -ENOMEM; 1051 1052 *len = strlen(isp->smk_known); 1053 } 1054 1055 return 0; 1056 } 1057 1058 /** 1059 * smack_inode_link - Smack check on link 1060 * @old_dentry: the existing object 1061 * @dir: unused 1062 * @new_dentry: the new object 1063 * 1064 * Returns 0 if access is permitted, an error code otherwise 1065 */ 1066 static int smack_inode_link(struct dentry *old_dentry, struct inode *dir, 1067 struct dentry *new_dentry) 1068 { 1069 struct smack_known *isp; 1070 struct smk_audit_info ad; 1071 int rc; 1072 1073 smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_DENTRY); 1074 smk_ad_setfield_u_fs_path_dentry(&ad, old_dentry); 1075 1076 isp = smk_of_inode(d_backing_inode(old_dentry)); 1077 rc = smk_curacc(isp, MAY_WRITE, &ad); 1078 rc = smk_bu_inode(d_backing_inode(old_dentry), MAY_WRITE, rc); 1079 1080 if (rc == 0 && d_is_positive(new_dentry)) { 1081 isp = smk_of_inode(d_backing_inode(new_dentry)); 1082 smk_ad_setfield_u_fs_path_dentry(&ad, new_dentry); 1083 rc = smk_curacc(isp, MAY_WRITE, &ad); 1084 rc = smk_bu_inode(d_backing_inode(new_dentry), MAY_WRITE, rc); 1085 } 1086 1087 return rc; 1088 } 1089 1090 /** 1091 * smack_inode_unlink - Smack check on inode deletion 1092 * @dir: containing directory object 1093 * @dentry: file to unlink 1094 * 1095 * Returns 0 if current can write the containing directory 1096 * and the object, error code otherwise 1097 */ 1098 static int smack_inode_unlink(struct inode *dir, struct dentry *dentry) 1099 { 1100 struct inode *ip = d_backing_inode(dentry); 1101 struct smk_audit_info ad; 1102 int rc; 1103 1104 smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_DENTRY); 1105 smk_ad_setfield_u_fs_path_dentry(&ad, dentry); 1106 1107 /* 1108 * You need write access to the thing you're unlinking 1109 */ 1110 rc = smk_curacc(smk_of_inode(ip), MAY_WRITE, &ad); 1111 rc = smk_bu_inode(ip, MAY_WRITE, rc); 1112 if (rc == 0) { 1113 /* 1114 * You also need write access to the containing directory 1115 */ 1116 smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_INODE); 1117 smk_ad_setfield_u_fs_inode(&ad, dir); 1118 rc = smk_curacc(smk_of_inode(dir), MAY_WRITE, &ad); 1119 rc = smk_bu_inode(dir, MAY_WRITE, rc); 1120 } 1121 return rc; 1122 } 1123 1124 /** 1125 * smack_inode_rmdir - Smack check on directory deletion 1126 * @dir: containing directory object 1127 * @dentry: directory to unlink 1128 * 1129 * Returns 0 if current can write the containing directory 1130 * and the directory, error code otherwise 1131 */ 1132 static int smack_inode_rmdir(struct inode *dir, struct dentry *dentry) 1133 { 1134 struct smk_audit_info ad; 1135 int rc; 1136 1137 smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_DENTRY); 1138 smk_ad_setfield_u_fs_path_dentry(&ad, dentry); 1139 1140 /* 1141 * You need write access to the thing you're removing 1142 */ 1143 rc = smk_curacc(smk_of_inode(d_backing_inode(dentry)), MAY_WRITE, &ad); 1144 rc = smk_bu_inode(d_backing_inode(dentry), MAY_WRITE, rc); 1145 if (rc == 0) { 1146 /* 1147 * You also need write access to the containing directory 1148 */ 1149 smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_INODE); 1150 smk_ad_setfield_u_fs_inode(&ad, dir); 1151 rc = smk_curacc(smk_of_inode(dir), MAY_WRITE, &ad); 1152 rc = smk_bu_inode(dir, MAY_WRITE, rc); 1153 } 1154 1155 return rc; 1156 } 1157 1158 /** 1159 * smack_inode_rename - Smack check on rename 1160 * @old_inode: unused 1161 * @old_dentry: the old object 1162 * @new_inode: unused 1163 * @new_dentry: the new object 1164 * 1165 * Read and write access is required on both the old and 1166 * new directories. 1167 * 1168 * Returns 0 if access is permitted, an error code otherwise 1169 */ 1170 static int smack_inode_rename(struct inode *old_inode, 1171 struct dentry *old_dentry, 1172 struct inode *new_inode, 1173 struct dentry *new_dentry) 1174 { 1175 int rc; 1176 struct smack_known *isp; 1177 struct smk_audit_info ad; 1178 1179 smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_DENTRY); 1180 smk_ad_setfield_u_fs_path_dentry(&ad, old_dentry); 1181 1182 isp = smk_of_inode(d_backing_inode(old_dentry)); 1183 rc = smk_curacc(isp, MAY_READWRITE, &ad); 1184 rc = smk_bu_inode(d_backing_inode(old_dentry), MAY_READWRITE, rc); 1185 1186 if (rc == 0 && d_is_positive(new_dentry)) { 1187 isp = smk_of_inode(d_backing_inode(new_dentry)); 1188 smk_ad_setfield_u_fs_path_dentry(&ad, new_dentry); 1189 rc = smk_curacc(isp, MAY_READWRITE, &ad); 1190 rc = smk_bu_inode(d_backing_inode(new_dentry), MAY_READWRITE, rc); 1191 } 1192 return rc; 1193 } 1194 1195 /** 1196 * smack_inode_permission - Smack version of permission() 1197 * @inode: the inode in question 1198 * @mask: the access requested 1199 * 1200 * This is the important Smack hook. 1201 * 1202 * Returns 0 if access is permitted, -EACCES otherwise 1203 */ 1204 static int smack_inode_permission(struct inode *inode, int mask) 1205 { 1206 struct smk_audit_info ad; 1207 int no_block = mask & MAY_NOT_BLOCK; 1208 int rc; 1209 1210 mask &= (MAY_READ|MAY_WRITE|MAY_EXEC|MAY_APPEND); 1211 /* 1212 * No permission to check. Existence test. Yup, it's there. 1213 */ 1214 if (mask == 0) 1215 return 0; 1216 1217 /* May be droppable after audit */ 1218 if (no_block) 1219 return -ECHILD; 1220 smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_INODE); 1221 smk_ad_setfield_u_fs_inode(&ad, inode); 1222 rc = smk_curacc(smk_of_inode(inode), mask, &ad); 1223 rc = smk_bu_inode(inode, mask, rc); 1224 return rc; 1225 } 1226 1227 /** 1228 * smack_inode_setattr - Smack check for setting attributes 1229 * @dentry: the object 1230 * @iattr: for the force flag 1231 * 1232 * Returns 0 if access is permitted, an error code otherwise 1233 */ 1234 static int smack_inode_setattr(struct dentry *dentry, struct iattr *iattr) 1235 { 1236 struct smk_audit_info ad; 1237 int rc; 1238 1239 /* 1240 * Need to allow for clearing the setuid bit. 1241 */ 1242 if (iattr->ia_valid & ATTR_FORCE) 1243 return 0; 1244 smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_DENTRY); 1245 smk_ad_setfield_u_fs_path_dentry(&ad, dentry); 1246 1247 rc = smk_curacc(smk_of_inode(d_backing_inode(dentry)), MAY_WRITE, &ad); 1248 rc = smk_bu_inode(d_backing_inode(dentry), MAY_WRITE, rc); 1249 return rc; 1250 } 1251 1252 /** 1253 * smack_inode_getattr - Smack check for getting attributes 1254 * @mnt: vfsmount of the object 1255 * @dentry: the object 1256 * 1257 * Returns 0 if access is permitted, an error code otherwise 1258 */ 1259 static int smack_inode_getattr(const struct path *path) 1260 { 1261 struct smk_audit_info ad; 1262 struct inode *inode = d_backing_inode(path->dentry); 1263 int rc; 1264 1265 smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_PATH); 1266 smk_ad_setfield_u_fs_path(&ad, *path); 1267 rc = smk_curacc(smk_of_inode(inode), MAY_READ, &ad); 1268 rc = smk_bu_inode(inode, MAY_READ, rc); 1269 return rc; 1270 } 1271 1272 /** 1273 * smack_inode_setxattr - Smack check for setting xattrs 1274 * @dentry: the object 1275 * @name: name of the attribute 1276 * @value: value of the attribute 1277 * @size: size of the value 1278 * @flags: unused 1279 * 1280 * This protects the Smack attribute explicitly. 1281 * 1282 * Returns 0 if access is permitted, an error code otherwise 1283 */ 1284 static int smack_inode_setxattr(struct dentry *dentry, const char *name, 1285 const void *value, size_t size, int flags) 1286 { 1287 struct smk_audit_info ad; 1288 struct smack_known *skp; 1289 int check_priv = 0; 1290 int check_import = 0; 1291 int check_star = 0; 1292 int rc = 0; 1293 1294 /* 1295 * Check label validity here so import won't fail in post_setxattr 1296 */ 1297 if (strcmp(name, XATTR_NAME_SMACK) == 0 || 1298 strcmp(name, XATTR_NAME_SMACKIPIN) == 0 || 1299 strcmp(name, XATTR_NAME_SMACKIPOUT) == 0) { 1300 check_priv = 1; 1301 check_import = 1; 1302 } else if (strcmp(name, XATTR_NAME_SMACKEXEC) == 0 || 1303 strcmp(name, XATTR_NAME_SMACKMMAP) == 0) { 1304 check_priv = 1; 1305 check_import = 1; 1306 check_star = 1; 1307 } else if (strcmp(name, XATTR_NAME_SMACKTRANSMUTE) == 0) { 1308 check_priv = 1; 1309 if (size != TRANS_TRUE_SIZE || 1310 strncmp(value, TRANS_TRUE, TRANS_TRUE_SIZE) != 0) 1311 rc = -EINVAL; 1312 } else 1313 rc = cap_inode_setxattr(dentry, name, value, size, flags); 1314 1315 if (check_priv && !smack_privileged(CAP_MAC_ADMIN)) 1316 rc = -EPERM; 1317 1318 if (rc == 0 && check_import) { 1319 skp = size ? smk_import_entry(value, size) : NULL; 1320 if (IS_ERR(skp)) 1321 rc = PTR_ERR(skp); 1322 else if (skp == NULL || (check_star && 1323 (skp == &smack_known_star || skp == &smack_known_web))) 1324 rc = -EINVAL; 1325 } 1326 1327 smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_DENTRY); 1328 smk_ad_setfield_u_fs_path_dentry(&ad, dentry); 1329 1330 if (rc == 0) { 1331 rc = smk_curacc(smk_of_inode(d_backing_inode(dentry)), MAY_WRITE, &ad); 1332 rc = smk_bu_inode(d_backing_inode(dentry), MAY_WRITE, rc); 1333 } 1334 1335 return rc; 1336 } 1337 1338 /** 1339 * smack_inode_post_setxattr - Apply the Smack update approved above 1340 * @dentry: object 1341 * @name: attribute name 1342 * @value: attribute value 1343 * @size: attribute size 1344 * @flags: unused 1345 * 1346 * Set the pointer in the inode blob to the entry found 1347 * in the master label list. 1348 */ 1349 static void smack_inode_post_setxattr(struct dentry *dentry, const char *name, 1350 const void *value, size_t size, int flags) 1351 { 1352 struct smack_known *skp; 1353 struct inode_smack *isp = d_backing_inode(dentry)->i_security; 1354 1355 if (strcmp(name, XATTR_NAME_SMACKTRANSMUTE) == 0) { 1356 isp->smk_flags |= SMK_INODE_TRANSMUTE; 1357 return; 1358 } 1359 1360 if (strcmp(name, XATTR_NAME_SMACK) == 0) { 1361 skp = smk_import_entry(value, size); 1362 if (!IS_ERR(skp)) 1363 isp->smk_inode = skp; 1364 else 1365 isp->smk_inode = &smack_known_invalid; 1366 } else if (strcmp(name, XATTR_NAME_SMACKEXEC) == 0) { 1367 skp = smk_import_entry(value, size); 1368 if (!IS_ERR(skp)) 1369 isp->smk_task = skp; 1370 else 1371 isp->smk_task = &smack_known_invalid; 1372 } else if (strcmp(name, XATTR_NAME_SMACKMMAP) == 0) { 1373 skp = smk_import_entry(value, size); 1374 if (!IS_ERR(skp)) 1375 isp->smk_mmap = skp; 1376 else 1377 isp->smk_mmap = &smack_known_invalid; 1378 } 1379 1380 return; 1381 } 1382 1383 /** 1384 * smack_inode_getxattr - Smack check on getxattr 1385 * @dentry: the object 1386 * @name: unused 1387 * 1388 * Returns 0 if access is permitted, an error code otherwise 1389 */ 1390 static int smack_inode_getxattr(struct dentry *dentry, const char *name) 1391 { 1392 struct smk_audit_info ad; 1393 int rc; 1394 1395 smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_DENTRY); 1396 smk_ad_setfield_u_fs_path_dentry(&ad, dentry); 1397 1398 rc = smk_curacc(smk_of_inode(d_backing_inode(dentry)), MAY_READ, &ad); 1399 rc = smk_bu_inode(d_backing_inode(dentry), MAY_READ, rc); 1400 return rc; 1401 } 1402 1403 /** 1404 * smack_inode_removexattr - Smack check on removexattr 1405 * @dentry: the object 1406 * @name: name of the attribute 1407 * 1408 * Removing the Smack attribute requires CAP_MAC_ADMIN 1409 * 1410 * Returns 0 if access is permitted, an error code otherwise 1411 */ 1412 static int smack_inode_removexattr(struct dentry *dentry, const char *name) 1413 { 1414 struct inode_smack *isp; 1415 struct smk_audit_info ad; 1416 int rc = 0; 1417 1418 if (strcmp(name, XATTR_NAME_SMACK) == 0 || 1419 strcmp(name, XATTR_NAME_SMACKIPIN) == 0 || 1420 strcmp(name, XATTR_NAME_SMACKIPOUT) == 0 || 1421 strcmp(name, XATTR_NAME_SMACKEXEC) == 0 || 1422 strcmp(name, XATTR_NAME_SMACKTRANSMUTE) == 0 || 1423 strcmp(name, XATTR_NAME_SMACKMMAP) == 0) { 1424 if (!smack_privileged(CAP_MAC_ADMIN)) 1425 rc = -EPERM; 1426 } else 1427 rc = cap_inode_removexattr(dentry, name); 1428 1429 if (rc != 0) 1430 return rc; 1431 1432 smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_DENTRY); 1433 smk_ad_setfield_u_fs_path_dentry(&ad, dentry); 1434 1435 rc = smk_curacc(smk_of_inode(d_backing_inode(dentry)), MAY_WRITE, &ad); 1436 rc = smk_bu_inode(d_backing_inode(dentry), MAY_WRITE, rc); 1437 if (rc != 0) 1438 return rc; 1439 1440 isp = d_backing_inode(dentry)->i_security; 1441 /* 1442 * Don't do anything special for these. 1443 * XATTR_NAME_SMACKIPIN 1444 * XATTR_NAME_SMACKIPOUT 1445 */ 1446 if (strcmp(name, XATTR_NAME_SMACK) == 0) { 1447 struct super_block *sbp = d_backing_inode(dentry)->i_sb; 1448 struct superblock_smack *sbsp = sbp->s_security; 1449 1450 isp->smk_inode = sbsp->smk_default; 1451 } else if (strcmp(name, XATTR_NAME_SMACKEXEC) == 0) 1452 isp->smk_task = NULL; 1453 else if (strcmp(name, XATTR_NAME_SMACKMMAP) == 0) 1454 isp->smk_mmap = NULL; 1455 else if (strcmp(name, XATTR_NAME_SMACKTRANSMUTE) == 0) 1456 isp->smk_flags &= ~SMK_INODE_TRANSMUTE; 1457 1458 return 0; 1459 } 1460 1461 /** 1462 * smack_inode_getsecurity - get smack xattrs 1463 * @inode: the object 1464 * @name: attribute name 1465 * @buffer: where to put the result 1466 * @alloc: unused 1467 * 1468 * Returns the size of the attribute or an error code 1469 */ 1470 static int smack_inode_getsecurity(struct inode *inode, 1471 const char *name, void **buffer, 1472 bool alloc) 1473 { 1474 struct socket_smack *ssp; 1475 struct socket *sock; 1476 struct super_block *sbp; 1477 struct inode *ip = (struct inode *)inode; 1478 struct smack_known *isp; 1479 int ilen; 1480 int rc = 0; 1481 1482 if (strcmp(name, XATTR_SMACK_SUFFIX) == 0) { 1483 isp = smk_of_inode(inode); 1484 ilen = strlen(isp->smk_known); 1485 *buffer = isp->smk_known; 1486 return ilen; 1487 } 1488 1489 /* 1490 * The rest of the Smack xattrs are only on sockets. 1491 */ 1492 sbp = ip->i_sb; 1493 if (sbp->s_magic != SOCKFS_MAGIC) 1494 return -EOPNOTSUPP; 1495 1496 sock = SOCKET_I(ip); 1497 if (sock == NULL || sock->sk == NULL) 1498 return -EOPNOTSUPP; 1499 1500 ssp = sock->sk->sk_security; 1501 1502 if (strcmp(name, XATTR_SMACK_IPIN) == 0) 1503 isp = ssp->smk_in; 1504 else if (strcmp(name, XATTR_SMACK_IPOUT) == 0) 1505 isp = ssp->smk_out; 1506 else 1507 return -EOPNOTSUPP; 1508 1509 ilen = strlen(isp->smk_known); 1510 if (rc == 0) { 1511 *buffer = isp->smk_known; 1512 rc = ilen; 1513 } 1514 1515 return rc; 1516 } 1517 1518 1519 /** 1520 * smack_inode_listsecurity - list the Smack attributes 1521 * @inode: the object 1522 * @buffer: where they go 1523 * @buffer_size: size of buffer 1524 */ 1525 static int smack_inode_listsecurity(struct inode *inode, char *buffer, 1526 size_t buffer_size) 1527 { 1528 int len = sizeof(XATTR_NAME_SMACK); 1529 1530 if (buffer != NULL && len <= buffer_size) 1531 memcpy(buffer, XATTR_NAME_SMACK, len); 1532 1533 return len; 1534 } 1535 1536 /** 1537 * smack_inode_getsecid - Extract inode's security id 1538 * @inode: inode to extract the info from 1539 * @secid: where result will be saved 1540 */ 1541 static void smack_inode_getsecid(struct inode *inode, u32 *secid) 1542 { 1543 struct inode_smack *isp = inode->i_security; 1544 1545 *secid = isp->smk_inode->smk_secid; 1546 } 1547 1548 /* 1549 * File Hooks 1550 */ 1551 1552 /* 1553 * There is no smack_file_permission hook 1554 * 1555 * Should access checks be done on each read or write? 1556 * UNICOS and SELinux say yes. 1557 * Trusted Solaris, Trusted Irix, and just about everyone else says no. 1558 * 1559 * I'll say no for now. Smack does not do the frequent 1560 * label changing that SELinux does. 1561 */ 1562 1563 /** 1564 * smack_file_alloc_security - assign a file security blob 1565 * @file: the object 1566 * 1567 * The security blob for a file is a pointer to the master 1568 * label list, so no allocation is done. 1569 * 1570 * f_security is the owner security information. It 1571 * isn't used on file access checks, it's for send_sigio. 1572 * 1573 * Returns 0 1574 */ 1575 static int smack_file_alloc_security(struct file *file) 1576 { 1577 struct smack_known *skp = smk_of_current(); 1578 1579 file->f_security = skp; 1580 return 0; 1581 } 1582 1583 /** 1584 * smack_file_free_security - clear a file security blob 1585 * @file: the object 1586 * 1587 * The security blob for a file is a pointer to the master 1588 * label list, so no memory is freed. 1589 */ 1590 static void smack_file_free_security(struct file *file) 1591 { 1592 file->f_security = NULL; 1593 } 1594 1595 /** 1596 * smack_file_ioctl - Smack check on ioctls 1597 * @file: the object 1598 * @cmd: what to do 1599 * @arg: unused 1600 * 1601 * Relies heavily on the correct use of the ioctl command conventions. 1602 * 1603 * Returns 0 if allowed, error code otherwise 1604 */ 1605 static int smack_file_ioctl(struct file *file, unsigned int cmd, 1606 unsigned long arg) 1607 { 1608 int rc = 0; 1609 struct smk_audit_info ad; 1610 struct inode *inode = file_inode(file); 1611 1612 smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_PATH); 1613 smk_ad_setfield_u_fs_path(&ad, file->f_path); 1614 1615 if (_IOC_DIR(cmd) & _IOC_WRITE) { 1616 rc = smk_curacc(smk_of_inode(inode), MAY_WRITE, &ad); 1617 rc = smk_bu_file(file, MAY_WRITE, rc); 1618 } 1619 1620 if (rc == 0 && (_IOC_DIR(cmd) & _IOC_READ)) { 1621 rc = smk_curacc(smk_of_inode(inode), MAY_READ, &ad); 1622 rc = smk_bu_file(file, MAY_READ, rc); 1623 } 1624 1625 return rc; 1626 } 1627 1628 /** 1629 * smack_file_lock - Smack check on file locking 1630 * @file: the object 1631 * @cmd: unused 1632 * 1633 * Returns 0 if current has lock access, error code otherwise 1634 */ 1635 static int smack_file_lock(struct file *file, unsigned int cmd) 1636 { 1637 struct smk_audit_info ad; 1638 int rc; 1639 struct inode *inode = file_inode(file); 1640 1641 smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_PATH); 1642 smk_ad_setfield_u_fs_path(&ad, file->f_path); 1643 rc = smk_curacc(smk_of_inode(inode), MAY_LOCK, &ad); 1644 rc = smk_bu_file(file, MAY_LOCK, rc); 1645 return rc; 1646 } 1647 1648 /** 1649 * smack_file_fcntl - Smack check on fcntl 1650 * @file: the object 1651 * @cmd: what action to check 1652 * @arg: unused 1653 * 1654 * Generally these operations are harmless. 1655 * File locking operations present an obvious mechanism 1656 * for passing information, so they require write access. 1657 * 1658 * Returns 0 if current has access, error code otherwise 1659 */ 1660 static int smack_file_fcntl(struct file *file, unsigned int cmd, 1661 unsigned long arg) 1662 { 1663 struct smk_audit_info ad; 1664 int rc = 0; 1665 struct inode *inode = file_inode(file); 1666 1667 switch (cmd) { 1668 case F_GETLK: 1669 break; 1670 case F_SETLK: 1671 case F_SETLKW: 1672 smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_PATH); 1673 smk_ad_setfield_u_fs_path(&ad, file->f_path); 1674 rc = smk_curacc(smk_of_inode(inode), MAY_LOCK, &ad); 1675 rc = smk_bu_file(file, MAY_LOCK, rc); 1676 break; 1677 case F_SETOWN: 1678 case F_SETSIG: 1679 smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_PATH); 1680 smk_ad_setfield_u_fs_path(&ad, file->f_path); 1681 rc = smk_curacc(smk_of_inode(inode), MAY_WRITE, &ad); 1682 rc = smk_bu_file(file, MAY_WRITE, rc); 1683 break; 1684 default: 1685 break; 1686 } 1687 1688 return rc; 1689 } 1690 1691 /** 1692 * smack_mmap_file : 1693 * Check permissions for a mmap operation. The @file may be NULL, e.g. 1694 * if mapping anonymous memory. 1695 * @file contains the file structure for file to map (may be NULL). 1696 * @reqprot contains the protection requested by the application. 1697 * @prot contains the protection that will be applied by the kernel. 1698 * @flags contains the operational flags. 1699 * Return 0 if permission is granted. 1700 */ 1701 static int smack_mmap_file(struct file *file, 1702 unsigned long reqprot, unsigned long prot, 1703 unsigned long flags) 1704 { 1705 struct smack_known *skp; 1706 struct smack_known *mkp; 1707 struct smack_rule *srp; 1708 struct task_smack *tsp; 1709 struct smack_known *okp; 1710 struct inode_smack *isp; 1711 int may; 1712 int mmay; 1713 int tmay; 1714 int rc; 1715 1716 if (file == NULL) 1717 return 0; 1718 1719 isp = file_inode(file)->i_security; 1720 if (isp->smk_mmap == NULL) 1721 return 0; 1722 mkp = isp->smk_mmap; 1723 1724 tsp = current_security(); 1725 skp = smk_of_current(); 1726 rc = 0; 1727 1728 rcu_read_lock(); 1729 /* 1730 * For each Smack rule associated with the subject 1731 * label verify that the SMACK64MMAP also has access 1732 * to that rule's object label. 1733 */ 1734 list_for_each_entry_rcu(srp, &skp->smk_rules, list) { 1735 okp = srp->smk_object; 1736 /* 1737 * Matching labels always allows access. 1738 */ 1739 if (mkp->smk_known == okp->smk_known) 1740 continue; 1741 /* 1742 * If there is a matching local rule take 1743 * that into account as well. 1744 */ 1745 may = smk_access_entry(srp->smk_subject->smk_known, 1746 okp->smk_known, 1747 &tsp->smk_rules); 1748 if (may == -ENOENT) 1749 may = srp->smk_access; 1750 else 1751 may &= srp->smk_access; 1752 /* 1753 * If may is zero the SMACK64MMAP subject can't 1754 * possibly have less access. 1755 */ 1756 if (may == 0) 1757 continue; 1758 1759 /* 1760 * Fetch the global list entry. 1761 * If there isn't one a SMACK64MMAP subject 1762 * can't have as much access as current. 1763 */ 1764 mmay = smk_access_entry(mkp->smk_known, okp->smk_known, 1765 &mkp->smk_rules); 1766 if (mmay == -ENOENT) { 1767 rc = -EACCES; 1768 break; 1769 } 1770 /* 1771 * If there is a local entry it modifies the 1772 * potential access, too. 1773 */ 1774 tmay = smk_access_entry(mkp->smk_known, okp->smk_known, 1775 &tsp->smk_rules); 1776 if (tmay != -ENOENT) 1777 mmay &= tmay; 1778 1779 /* 1780 * If there is any access available to current that is 1781 * not available to a SMACK64MMAP subject 1782 * deny access. 1783 */ 1784 if ((may | mmay) != mmay) { 1785 rc = -EACCES; 1786 break; 1787 } 1788 } 1789 1790 rcu_read_unlock(); 1791 1792 return rc; 1793 } 1794 1795 /** 1796 * smack_file_set_fowner - set the file security blob value 1797 * @file: object in question 1798 * 1799 */ 1800 static void smack_file_set_fowner(struct file *file) 1801 { 1802 file->f_security = smk_of_current(); 1803 } 1804 1805 /** 1806 * smack_file_send_sigiotask - Smack on sigio 1807 * @tsk: The target task 1808 * @fown: the object the signal come from 1809 * @signum: unused 1810 * 1811 * Allow a privileged task to get signals even if it shouldn't 1812 * 1813 * Returns 0 if a subject with the object's smack could 1814 * write to the task, an error code otherwise. 1815 */ 1816 static int smack_file_send_sigiotask(struct task_struct *tsk, 1817 struct fown_struct *fown, int signum) 1818 { 1819 struct smack_known *skp; 1820 struct smack_known *tkp = smk_of_task(tsk->cred->security); 1821 struct file *file; 1822 int rc; 1823 struct smk_audit_info ad; 1824 1825 /* 1826 * struct fown_struct is never outside the context of a struct file 1827 */ 1828 file = container_of(fown, struct file, f_owner); 1829 1830 /* we don't log here as rc can be overriden */ 1831 skp = file->f_security; 1832 rc = smk_access(skp, tkp, MAY_WRITE, NULL); 1833 rc = smk_bu_note("sigiotask", skp, tkp, MAY_WRITE, rc); 1834 if (rc != 0 && has_capability(tsk, CAP_MAC_OVERRIDE)) 1835 rc = 0; 1836 1837 smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_TASK); 1838 smk_ad_setfield_u_tsk(&ad, tsk); 1839 smack_log(skp->smk_known, tkp->smk_known, MAY_WRITE, rc, &ad); 1840 return rc; 1841 } 1842 1843 /** 1844 * smack_file_receive - Smack file receive check 1845 * @file: the object 1846 * 1847 * Returns 0 if current has access, error code otherwise 1848 */ 1849 static int smack_file_receive(struct file *file) 1850 { 1851 int rc; 1852 int may = 0; 1853 struct smk_audit_info ad; 1854 struct inode *inode = file_inode(file); 1855 struct socket *sock; 1856 struct task_smack *tsp; 1857 struct socket_smack *ssp; 1858 1859 if (unlikely(IS_PRIVATE(inode))) 1860 return 0; 1861 1862 smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_PATH); 1863 smk_ad_setfield_u_fs_path(&ad, file->f_path); 1864 1865 if (S_ISSOCK(inode->i_mode)) { 1866 sock = SOCKET_I(inode); 1867 ssp = sock->sk->sk_security; 1868 tsp = current_security(); 1869 /* 1870 * If the receiving process can't write to the 1871 * passed socket or if the passed socket can't 1872 * write to the receiving process don't accept 1873 * the passed socket. 1874 */ 1875 rc = smk_access(tsp->smk_task, ssp->smk_out, MAY_WRITE, &ad); 1876 rc = smk_bu_file(file, may, rc); 1877 if (rc < 0) 1878 return rc; 1879 rc = smk_access(ssp->smk_in, tsp->smk_task, MAY_WRITE, &ad); 1880 rc = smk_bu_file(file, may, rc); 1881 return rc; 1882 } 1883 /* 1884 * This code relies on bitmasks. 1885 */ 1886 if (file->f_mode & FMODE_READ) 1887 may = MAY_READ; 1888 if (file->f_mode & FMODE_WRITE) 1889 may |= MAY_WRITE; 1890 1891 rc = smk_curacc(smk_of_inode(inode), may, &ad); 1892 rc = smk_bu_file(file, may, rc); 1893 return rc; 1894 } 1895 1896 /** 1897 * smack_file_open - Smack dentry open processing 1898 * @file: the object 1899 * @cred: task credential 1900 * 1901 * Set the security blob in the file structure. 1902 * Allow the open only if the task has read access. There are 1903 * many read operations (e.g. fstat) that you can do with an 1904 * fd even if you have the file open write-only. 1905 * 1906 * Returns 0 1907 */ 1908 static int smack_file_open(struct file *file, const struct cred *cred) 1909 { 1910 struct task_smack *tsp = cred->security; 1911 struct inode *inode = file_inode(file); 1912 struct smk_audit_info ad; 1913 int rc; 1914 1915 if (smack_privileged(CAP_MAC_OVERRIDE)) 1916 return 0; 1917 1918 smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_PATH); 1919 smk_ad_setfield_u_fs_path(&ad, file->f_path); 1920 rc = smk_access(tsp->smk_task, smk_of_inode(inode), MAY_READ, &ad); 1921 rc = smk_bu_credfile(cred, file, MAY_READ, rc); 1922 1923 return rc; 1924 } 1925 1926 /* 1927 * Task hooks 1928 */ 1929 1930 /** 1931 * smack_cred_alloc_blank - "allocate" blank task-level security credentials 1932 * @new: the new credentials 1933 * @gfp: the atomicity of any memory allocations 1934 * 1935 * Prepare a blank set of credentials for modification. This must allocate all 1936 * the memory the LSM module might require such that cred_transfer() can 1937 * complete without error. 1938 */ 1939 static int smack_cred_alloc_blank(struct cred *cred, gfp_t gfp) 1940 { 1941 struct task_smack *tsp; 1942 1943 tsp = new_task_smack(NULL, NULL, gfp); 1944 if (tsp == NULL) 1945 return -ENOMEM; 1946 1947 cred->security = tsp; 1948 1949 return 0; 1950 } 1951 1952 1953 /** 1954 * smack_cred_free - "free" task-level security credentials 1955 * @cred: the credentials in question 1956 * 1957 */ 1958 static void smack_cred_free(struct cred *cred) 1959 { 1960 struct task_smack *tsp = cred->security; 1961 struct smack_rule *rp; 1962 struct list_head *l; 1963 struct list_head *n; 1964 1965 if (tsp == NULL) 1966 return; 1967 cred->security = NULL; 1968 1969 smk_destroy_label_list(&tsp->smk_relabel); 1970 1971 list_for_each_safe(l, n, &tsp->smk_rules) { 1972 rp = list_entry(l, struct smack_rule, list); 1973 list_del(&rp->list); 1974 kfree(rp); 1975 } 1976 kfree(tsp); 1977 } 1978 1979 /** 1980 * smack_cred_prepare - prepare new set of credentials for modification 1981 * @new: the new credentials 1982 * @old: the original credentials 1983 * @gfp: the atomicity of any memory allocations 1984 * 1985 * Prepare a new set of credentials for modification. 1986 */ 1987 static int smack_cred_prepare(struct cred *new, const struct cred *old, 1988 gfp_t gfp) 1989 { 1990 struct task_smack *old_tsp = old->security; 1991 struct task_smack *new_tsp; 1992 int rc; 1993 1994 new_tsp = new_task_smack(old_tsp->smk_task, old_tsp->smk_task, gfp); 1995 if (new_tsp == NULL) 1996 return -ENOMEM; 1997 1998 rc = smk_copy_rules(&new_tsp->smk_rules, &old_tsp->smk_rules, gfp); 1999 if (rc != 0) 2000 return rc; 2001 2002 rc = smk_copy_relabel(&new_tsp->smk_relabel, &old_tsp->smk_relabel, 2003 gfp); 2004 if (rc != 0) 2005 return rc; 2006 2007 new->security = new_tsp; 2008 return 0; 2009 } 2010 2011 /** 2012 * smack_cred_transfer - Transfer the old credentials to the new credentials 2013 * @new: the new credentials 2014 * @old: the original credentials 2015 * 2016 * Fill in a set of blank credentials from another set of credentials. 2017 */ 2018 static void smack_cred_transfer(struct cred *new, const struct cred *old) 2019 { 2020 struct task_smack *old_tsp = old->security; 2021 struct task_smack *new_tsp = new->security; 2022 2023 new_tsp->smk_task = old_tsp->smk_task; 2024 new_tsp->smk_forked = old_tsp->smk_task; 2025 mutex_init(&new_tsp->smk_rules_lock); 2026 INIT_LIST_HEAD(&new_tsp->smk_rules); 2027 2028 2029 /* cbs copy rule list */ 2030 } 2031 2032 /** 2033 * smack_kernel_act_as - Set the subjective context in a set of credentials 2034 * @new: points to the set of credentials to be modified. 2035 * @secid: specifies the security ID to be set 2036 * 2037 * Set the security data for a kernel service. 2038 */ 2039 static int smack_kernel_act_as(struct cred *new, u32 secid) 2040 { 2041 struct task_smack *new_tsp = new->security; 2042 struct smack_known *skp = smack_from_secid(secid); 2043 2044 if (skp == NULL) 2045 return -EINVAL; 2046 2047 new_tsp->smk_task = skp; 2048 return 0; 2049 } 2050 2051 /** 2052 * smack_kernel_create_files_as - Set the file creation label in a set of creds 2053 * @new: points to the set of credentials to be modified 2054 * @inode: points to the inode to use as a reference 2055 * 2056 * Set the file creation context in a set of credentials to the same 2057 * as the objective context of the specified inode 2058 */ 2059 static int smack_kernel_create_files_as(struct cred *new, 2060 struct inode *inode) 2061 { 2062 struct inode_smack *isp = inode->i_security; 2063 struct task_smack *tsp = new->security; 2064 2065 tsp->smk_forked = isp->smk_inode; 2066 tsp->smk_task = tsp->smk_forked; 2067 return 0; 2068 } 2069 2070 /** 2071 * smk_curacc_on_task - helper to log task related access 2072 * @p: the task object 2073 * @access: the access requested 2074 * @caller: name of the calling function for audit 2075 * 2076 * Return 0 if access is permitted 2077 */ 2078 static int smk_curacc_on_task(struct task_struct *p, int access, 2079 const char *caller) 2080 { 2081 struct smk_audit_info ad; 2082 struct smack_known *skp = smk_of_task_struct(p); 2083 int rc; 2084 2085 smk_ad_init(&ad, caller, LSM_AUDIT_DATA_TASK); 2086 smk_ad_setfield_u_tsk(&ad, p); 2087 rc = smk_curacc(skp, access, &ad); 2088 rc = smk_bu_task(p, access, rc); 2089 return rc; 2090 } 2091 2092 /** 2093 * smack_task_setpgid - Smack check on setting pgid 2094 * @p: the task object 2095 * @pgid: unused 2096 * 2097 * Return 0 if write access is permitted 2098 */ 2099 static int smack_task_setpgid(struct task_struct *p, pid_t pgid) 2100 { 2101 return smk_curacc_on_task(p, MAY_WRITE, __func__); 2102 } 2103 2104 /** 2105 * smack_task_getpgid - Smack access check for getpgid 2106 * @p: the object task 2107 * 2108 * Returns 0 if current can read the object task, error code otherwise 2109 */ 2110 static int smack_task_getpgid(struct task_struct *p) 2111 { 2112 return smk_curacc_on_task(p, MAY_READ, __func__); 2113 } 2114 2115 /** 2116 * smack_task_getsid - Smack access check for getsid 2117 * @p: the object task 2118 * 2119 * Returns 0 if current can read the object task, error code otherwise 2120 */ 2121 static int smack_task_getsid(struct task_struct *p) 2122 { 2123 return smk_curacc_on_task(p, MAY_READ, __func__); 2124 } 2125 2126 /** 2127 * smack_task_getsecid - get the secid of the task 2128 * @p: the object task 2129 * @secid: where to put the result 2130 * 2131 * Sets the secid to contain a u32 version of the smack label. 2132 */ 2133 static void smack_task_getsecid(struct task_struct *p, u32 *secid) 2134 { 2135 struct smack_known *skp = smk_of_task_struct(p); 2136 2137 *secid = skp->smk_secid; 2138 } 2139 2140 /** 2141 * smack_task_setnice - Smack check on setting nice 2142 * @p: the task object 2143 * @nice: unused 2144 * 2145 * Return 0 if write access is permitted 2146 */ 2147 static int smack_task_setnice(struct task_struct *p, int nice) 2148 { 2149 return smk_curacc_on_task(p, MAY_WRITE, __func__); 2150 } 2151 2152 /** 2153 * smack_task_setioprio - Smack check on setting ioprio 2154 * @p: the task object 2155 * @ioprio: unused 2156 * 2157 * Return 0 if write access is permitted 2158 */ 2159 static int smack_task_setioprio(struct task_struct *p, int ioprio) 2160 { 2161 return smk_curacc_on_task(p, MAY_WRITE, __func__); 2162 } 2163 2164 /** 2165 * smack_task_getioprio - Smack check on reading ioprio 2166 * @p: the task object 2167 * 2168 * Return 0 if read access is permitted 2169 */ 2170 static int smack_task_getioprio(struct task_struct *p) 2171 { 2172 return smk_curacc_on_task(p, MAY_READ, __func__); 2173 } 2174 2175 /** 2176 * smack_task_setscheduler - Smack check on setting scheduler 2177 * @p: the task object 2178 * @policy: unused 2179 * @lp: unused 2180 * 2181 * Return 0 if read access is permitted 2182 */ 2183 static int smack_task_setscheduler(struct task_struct *p) 2184 { 2185 return smk_curacc_on_task(p, MAY_WRITE, __func__); 2186 } 2187 2188 /** 2189 * smack_task_getscheduler - Smack check on reading scheduler 2190 * @p: the task object 2191 * 2192 * Return 0 if read access is permitted 2193 */ 2194 static int smack_task_getscheduler(struct task_struct *p) 2195 { 2196 return smk_curacc_on_task(p, MAY_READ, __func__); 2197 } 2198 2199 /** 2200 * smack_task_movememory - Smack check on moving memory 2201 * @p: the task object 2202 * 2203 * Return 0 if write access is permitted 2204 */ 2205 static int smack_task_movememory(struct task_struct *p) 2206 { 2207 return smk_curacc_on_task(p, MAY_WRITE, __func__); 2208 } 2209 2210 /** 2211 * smack_task_kill - Smack check on signal delivery 2212 * @p: the task object 2213 * @info: unused 2214 * @sig: unused 2215 * @secid: identifies the smack to use in lieu of current's 2216 * 2217 * Return 0 if write access is permitted 2218 * 2219 * The secid behavior is an artifact of an SELinux hack 2220 * in the USB code. Someday it may go away. 2221 */ 2222 static int smack_task_kill(struct task_struct *p, struct siginfo *info, 2223 int sig, u32 secid) 2224 { 2225 struct smk_audit_info ad; 2226 struct smack_known *skp; 2227 struct smack_known *tkp = smk_of_task_struct(p); 2228 int rc; 2229 2230 smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_TASK); 2231 smk_ad_setfield_u_tsk(&ad, p); 2232 /* 2233 * Sending a signal requires that the sender 2234 * can write the receiver. 2235 */ 2236 if (secid == 0) { 2237 rc = smk_curacc(tkp, MAY_WRITE, &ad); 2238 rc = smk_bu_task(p, MAY_WRITE, rc); 2239 return rc; 2240 } 2241 /* 2242 * If the secid isn't 0 we're dealing with some USB IO 2243 * specific behavior. This is not clean. For one thing 2244 * we can't take privilege into account. 2245 */ 2246 skp = smack_from_secid(secid); 2247 rc = smk_access(skp, tkp, MAY_WRITE, &ad); 2248 rc = smk_bu_note("USB signal", skp, tkp, MAY_WRITE, rc); 2249 return rc; 2250 } 2251 2252 /** 2253 * smack_task_wait - Smack access check for waiting 2254 * @p: task to wait for 2255 * 2256 * Returns 0 2257 */ 2258 static int smack_task_wait(struct task_struct *p) 2259 { 2260 /* 2261 * Allow the operation to succeed. 2262 * Zombies are bad. 2263 * In userless environments (e.g. phones) programs 2264 * get marked with SMACK64EXEC and even if the parent 2265 * and child shouldn't be talking the parent still 2266 * may expect to know when the child exits. 2267 */ 2268 return 0; 2269 } 2270 2271 /** 2272 * smack_task_to_inode - copy task smack into the inode blob 2273 * @p: task to copy from 2274 * @inode: inode to copy to 2275 * 2276 * Sets the smack pointer in the inode security blob 2277 */ 2278 static void smack_task_to_inode(struct task_struct *p, struct inode *inode) 2279 { 2280 struct inode_smack *isp = inode->i_security; 2281 struct smack_known *skp = smk_of_task_struct(p); 2282 2283 isp->smk_inode = skp; 2284 } 2285 2286 /* 2287 * Socket hooks. 2288 */ 2289 2290 /** 2291 * smack_sk_alloc_security - Allocate a socket blob 2292 * @sk: the socket 2293 * @family: unused 2294 * @gfp_flags: memory allocation flags 2295 * 2296 * Assign Smack pointers to current 2297 * 2298 * Returns 0 on success, -ENOMEM is there's no memory 2299 */ 2300 static int smack_sk_alloc_security(struct sock *sk, int family, gfp_t gfp_flags) 2301 { 2302 struct smack_known *skp = smk_of_current(); 2303 struct socket_smack *ssp; 2304 2305 ssp = kzalloc(sizeof(struct socket_smack), gfp_flags); 2306 if (ssp == NULL) 2307 return -ENOMEM; 2308 2309 ssp->smk_in = skp; 2310 ssp->smk_out = skp; 2311 ssp->smk_packet = NULL; 2312 2313 sk->sk_security = ssp; 2314 2315 return 0; 2316 } 2317 2318 /** 2319 * smack_sk_free_security - Free a socket blob 2320 * @sk: the socket 2321 * 2322 * Clears the blob pointer 2323 */ 2324 static void smack_sk_free_security(struct sock *sk) 2325 { 2326 kfree(sk->sk_security); 2327 } 2328 2329 /** 2330 * smack_ipv4host_label - check host based restrictions 2331 * @sip: the object end 2332 * 2333 * looks for host based access restrictions 2334 * 2335 * This version will only be appropriate for really small sets of single label 2336 * hosts. The caller is responsible for ensuring that the RCU read lock is 2337 * taken before calling this function. 2338 * 2339 * Returns the label of the far end or NULL if it's not special. 2340 */ 2341 static struct smack_known *smack_ipv4host_label(struct sockaddr_in *sip) 2342 { 2343 struct smk_net4addr *snp; 2344 struct in_addr *siap = &sip->sin_addr; 2345 2346 if (siap->s_addr == 0) 2347 return NULL; 2348 2349 list_for_each_entry_rcu(snp, &smk_net4addr_list, list) 2350 /* 2351 * we break after finding the first match because 2352 * the list is sorted from longest to shortest mask 2353 * so we have found the most specific match 2354 */ 2355 if (snp->smk_host.s_addr == 2356 (siap->s_addr & snp->smk_mask.s_addr)) 2357 return snp->smk_label; 2358 2359 return NULL; 2360 } 2361 2362 #if IS_ENABLED(CONFIG_IPV6) 2363 /* 2364 * smk_ipv6_localhost - Check for local ipv6 host address 2365 * @sip: the address 2366 * 2367 * Returns boolean true if this is the localhost address 2368 */ 2369 static bool smk_ipv6_localhost(struct sockaddr_in6 *sip) 2370 { 2371 __be16 *be16p = (__be16 *)&sip->sin6_addr; 2372 __be32 *be32p = (__be32 *)&sip->sin6_addr; 2373 2374 if (be32p[0] == 0 && be32p[1] == 0 && be32p[2] == 0 && be16p[6] == 0 && 2375 ntohs(be16p[7]) == 1) 2376 return true; 2377 return false; 2378 } 2379 2380 /** 2381 * smack_ipv6host_label - check host based restrictions 2382 * @sip: the object end 2383 * 2384 * looks for host based access restrictions 2385 * 2386 * This version will only be appropriate for really small sets of single label 2387 * hosts. The caller is responsible for ensuring that the RCU read lock is 2388 * taken before calling this function. 2389 * 2390 * Returns the label of the far end or NULL if it's not special. 2391 */ 2392 static struct smack_known *smack_ipv6host_label(struct sockaddr_in6 *sip) 2393 { 2394 struct smk_net6addr *snp; 2395 struct in6_addr *sap = &sip->sin6_addr; 2396 int i; 2397 int found = 0; 2398 2399 /* 2400 * It's local. Don't look for a host label. 2401 */ 2402 if (smk_ipv6_localhost(sip)) 2403 return NULL; 2404 2405 list_for_each_entry_rcu(snp, &smk_net6addr_list, list) { 2406 /* 2407 * we break after finding the first match because 2408 * the list is sorted from longest to shortest mask 2409 * so we have found the most specific match 2410 */ 2411 for (found = 1, i = 0; i < 8; i++) { 2412 /* 2413 * If the label is NULL the entry has 2414 * been renounced. Ignore it. 2415 */ 2416 if (snp->smk_label == NULL) 2417 continue; 2418 if ((sap->s6_addr16[i] & snp->smk_mask.s6_addr16[i]) != 2419 snp->smk_host.s6_addr16[i]) { 2420 found = 0; 2421 break; 2422 } 2423 } 2424 if (found) 2425 return snp->smk_label; 2426 } 2427 2428 return NULL; 2429 } 2430 #endif /* CONFIG_IPV6 */ 2431 2432 /** 2433 * smack_netlabel - Set the secattr on a socket 2434 * @sk: the socket 2435 * @labeled: socket label scheme 2436 * 2437 * Convert the outbound smack value (smk_out) to a 2438 * secattr and attach it to the socket. 2439 * 2440 * Returns 0 on success or an error code 2441 */ 2442 static int smack_netlabel(struct sock *sk, int labeled) 2443 { 2444 struct smack_known *skp; 2445 struct socket_smack *ssp = sk->sk_security; 2446 int rc = 0; 2447 2448 /* 2449 * Usually the netlabel code will handle changing the 2450 * packet labeling based on the label. 2451 * The case of a single label host is different, because 2452 * a single label host should never get a labeled packet 2453 * even though the label is usually associated with a packet 2454 * label. 2455 */ 2456 local_bh_disable(); 2457 bh_lock_sock_nested(sk); 2458 2459 if (ssp->smk_out == smack_net_ambient || 2460 labeled == SMACK_UNLABELED_SOCKET) 2461 netlbl_sock_delattr(sk); 2462 else { 2463 skp = ssp->smk_out; 2464 rc = netlbl_sock_setattr(sk, sk->sk_family, &skp->smk_netlabel); 2465 } 2466 2467 bh_unlock_sock(sk); 2468 local_bh_enable(); 2469 2470 return rc; 2471 } 2472 2473 /** 2474 * smack_netlbel_send - Set the secattr on a socket and perform access checks 2475 * @sk: the socket 2476 * @sap: the destination address 2477 * 2478 * Set the correct secattr for the given socket based on the destination 2479 * address and perform any outbound access checks needed. 2480 * 2481 * Returns 0 on success or an error code. 2482 * 2483 */ 2484 static int smack_netlabel_send(struct sock *sk, struct sockaddr_in *sap) 2485 { 2486 struct smack_known *skp; 2487 int rc; 2488 int sk_lbl; 2489 struct smack_known *hkp; 2490 struct socket_smack *ssp = sk->sk_security; 2491 struct smk_audit_info ad; 2492 2493 rcu_read_lock(); 2494 hkp = smack_ipv4host_label(sap); 2495 if (hkp != NULL) { 2496 #ifdef CONFIG_AUDIT 2497 struct lsm_network_audit net; 2498 2499 smk_ad_init_net(&ad, __func__, LSM_AUDIT_DATA_NET, &net); 2500 ad.a.u.net->family = sap->sin_family; 2501 ad.a.u.net->dport = sap->sin_port; 2502 ad.a.u.net->v4info.daddr = sap->sin_addr.s_addr; 2503 #endif 2504 sk_lbl = SMACK_UNLABELED_SOCKET; 2505 skp = ssp->smk_out; 2506 rc = smk_access(skp, hkp, MAY_WRITE, &ad); 2507 rc = smk_bu_note("IPv4 host check", skp, hkp, MAY_WRITE, rc); 2508 } else { 2509 sk_lbl = SMACK_CIPSO_SOCKET; 2510 rc = 0; 2511 } 2512 rcu_read_unlock(); 2513 if (rc != 0) 2514 return rc; 2515 2516 return smack_netlabel(sk, sk_lbl); 2517 } 2518 2519 #if IS_ENABLED(CONFIG_IPV6) 2520 /** 2521 * smk_ipv6_check - check Smack access 2522 * @subject: subject Smack label 2523 * @object: object Smack label 2524 * @address: address 2525 * @act: the action being taken 2526 * 2527 * Check an IPv6 access 2528 */ 2529 static int smk_ipv6_check(struct smack_known *subject, 2530 struct smack_known *object, 2531 struct sockaddr_in6 *address, int act) 2532 { 2533 #ifdef CONFIG_AUDIT 2534 struct lsm_network_audit net; 2535 #endif 2536 struct smk_audit_info ad; 2537 int rc; 2538 2539 #ifdef CONFIG_AUDIT 2540 smk_ad_init_net(&ad, __func__, LSM_AUDIT_DATA_NET, &net); 2541 ad.a.u.net->family = PF_INET6; 2542 ad.a.u.net->dport = ntohs(address->sin6_port); 2543 if (act == SMK_RECEIVING) 2544 ad.a.u.net->v6info.saddr = address->sin6_addr; 2545 else 2546 ad.a.u.net->v6info.daddr = address->sin6_addr; 2547 #endif 2548 rc = smk_access(subject, object, MAY_WRITE, &ad); 2549 rc = smk_bu_note("IPv6 check", subject, object, MAY_WRITE, rc); 2550 return rc; 2551 } 2552 #endif /* CONFIG_IPV6 */ 2553 2554 #ifdef SMACK_IPV6_PORT_LABELING 2555 /** 2556 * smk_ipv6_port_label - Smack port access table management 2557 * @sock: socket 2558 * @address: address 2559 * 2560 * Create or update the port list entry 2561 */ 2562 static void smk_ipv6_port_label(struct socket *sock, struct sockaddr *address) 2563 { 2564 struct sock *sk = sock->sk; 2565 struct sockaddr_in6 *addr6; 2566 struct socket_smack *ssp = sock->sk->sk_security; 2567 struct smk_port_label *spp; 2568 unsigned short port = 0; 2569 2570 if (address == NULL) { 2571 /* 2572 * This operation is changing the Smack information 2573 * on the bound socket. Take the changes to the port 2574 * as well. 2575 */ 2576 list_for_each_entry(spp, &smk_ipv6_port_list, list) { 2577 if (sk != spp->smk_sock) 2578 continue; 2579 spp->smk_in = ssp->smk_in; 2580 spp->smk_out = ssp->smk_out; 2581 return; 2582 } 2583 /* 2584 * A NULL address is only used for updating existing 2585 * bound entries. If there isn't one, it's OK. 2586 */ 2587 return; 2588 } 2589 2590 addr6 = (struct sockaddr_in6 *)address; 2591 port = ntohs(addr6->sin6_port); 2592 /* 2593 * This is a special case that is safely ignored. 2594 */ 2595 if (port == 0) 2596 return; 2597 2598 /* 2599 * Look for an existing port list entry. 2600 * This is an indication that a port is getting reused. 2601 */ 2602 list_for_each_entry(spp, &smk_ipv6_port_list, list) { 2603 if (spp->smk_port != port) 2604 continue; 2605 spp->smk_port = port; 2606 spp->smk_sock = sk; 2607 spp->smk_in = ssp->smk_in; 2608 spp->smk_out = ssp->smk_out; 2609 return; 2610 } 2611 2612 /* 2613 * A new port entry is required. 2614 */ 2615 spp = kzalloc(sizeof(*spp), GFP_KERNEL); 2616 if (spp == NULL) 2617 return; 2618 2619 spp->smk_port = port; 2620 spp->smk_sock = sk; 2621 spp->smk_in = ssp->smk_in; 2622 spp->smk_out = ssp->smk_out; 2623 2624 list_add(&spp->list, &smk_ipv6_port_list); 2625 return; 2626 } 2627 2628 /** 2629 * smk_ipv6_port_check - check Smack port access 2630 * @sock: socket 2631 * @address: address 2632 * 2633 * Create or update the port list entry 2634 */ 2635 static int smk_ipv6_port_check(struct sock *sk, struct sockaddr_in6 *address, 2636 int act) 2637 { 2638 struct smk_port_label *spp; 2639 struct socket_smack *ssp = sk->sk_security; 2640 struct smack_known *skp = NULL; 2641 unsigned short port; 2642 struct smack_known *object; 2643 2644 if (act == SMK_RECEIVING) { 2645 skp = smack_ipv6host_label(address); 2646 object = ssp->smk_in; 2647 } else { 2648 skp = ssp->smk_out; 2649 object = smack_ipv6host_label(address); 2650 } 2651 2652 /* 2653 * The other end is a single label host. 2654 */ 2655 if (skp != NULL && object != NULL) 2656 return smk_ipv6_check(skp, object, address, act); 2657 if (skp == NULL) 2658 skp = smack_net_ambient; 2659 if (object == NULL) 2660 object = smack_net_ambient; 2661 2662 /* 2663 * It's remote, so port lookup does no good. 2664 */ 2665 if (!smk_ipv6_localhost(address)) 2666 return smk_ipv6_check(skp, object, address, act); 2667 2668 /* 2669 * It's local so the send check has to have passed. 2670 */ 2671 if (act == SMK_RECEIVING) 2672 return 0; 2673 2674 port = ntohs(address->sin6_port); 2675 list_for_each_entry(spp, &smk_ipv6_port_list, list) { 2676 if (spp->smk_port != port) 2677 continue; 2678 object = spp->smk_in; 2679 if (act == SMK_CONNECTING) 2680 ssp->smk_packet = spp->smk_out; 2681 break; 2682 } 2683 2684 return smk_ipv6_check(skp, object, address, act); 2685 } 2686 #endif /* SMACK_IPV6_PORT_LABELING */ 2687 2688 /** 2689 * smack_inode_setsecurity - set smack xattrs 2690 * @inode: the object 2691 * @name: attribute name 2692 * @value: attribute value 2693 * @size: size of the attribute 2694 * @flags: unused 2695 * 2696 * Sets the named attribute in the appropriate blob 2697 * 2698 * Returns 0 on success, or an error code 2699 */ 2700 static int smack_inode_setsecurity(struct inode *inode, const char *name, 2701 const void *value, size_t size, int flags) 2702 { 2703 struct smack_known *skp; 2704 struct inode_smack *nsp = inode->i_security; 2705 struct socket_smack *ssp; 2706 struct socket *sock; 2707 int rc = 0; 2708 2709 if (value == NULL || size > SMK_LONGLABEL || size == 0) 2710 return -EINVAL; 2711 2712 skp = smk_import_entry(value, size); 2713 if (IS_ERR(skp)) 2714 return PTR_ERR(skp); 2715 2716 if (strcmp(name, XATTR_SMACK_SUFFIX) == 0) { 2717 nsp->smk_inode = skp; 2718 nsp->smk_flags |= SMK_INODE_INSTANT; 2719 return 0; 2720 } 2721 /* 2722 * The rest of the Smack xattrs are only on sockets. 2723 */ 2724 if (inode->i_sb->s_magic != SOCKFS_MAGIC) 2725 return -EOPNOTSUPP; 2726 2727 sock = SOCKET_I(inode); 2728 if (sock == NULL || sock->sk == NULL) 2729 return -EOPNOTSUPP; 2730 2731 ssp = sock->sk->sk_security; 2732 2733 if (strcmp(name, XATTR_SMACK_IPIN) == 0) 2734 ssp->smk_in = skp; 2735 else if (strcmp(name, XATTR_SMACK_IPOUT) == 0) { 2736 ssp->smk_out = skp; 2737 if (sock->sk->sk_family == PF_INET) { 2738 rc = smack_netlabel(sock->sk, SMACK_CIPSO_SOCKET); 2739 if (rc != 0) 2740 printk(KERN_WARNING 2741 "Smack: \"%s\" netlbl error %d.\n", 2742 __func__, -rc); 2743 } 2744 } else 2745 return -EOPNOTSUPP; 2746 2747 #ifdef SMACK_IPV6_PORT_LABELING 2748 if (sock->sk->sk_family == PF_INET6) 2749 smk_ipv6_port_label(sock, NULL); 2750 #endif 2751 2752 return 0; 2753 } 2754 2755 /** 2756 * smack_socket_post_create - finish socket setup 2757 * @sock: the socket 2758 * @family: protocol family 2759 * @type: unused 2760 * @protocol: unused 2761 * @kern: unused 2762 * 2763 * Sets the netlabel information on the socket 2764 * 2765 * Returns 0 on success, and error code otherwise 2766 */ 2767 static int smack_socket_post_create(struct socket *sock, int family, 2768 int type, int protocol, int kern) 2769 { 2770 struct socket_smack *ssp; 2771 2772 if (sock->sk == NULL) 2773 return 0; 2774 2775 /* 2776 * Sockets created by kernel threads receive web label. 2777 */ 2778 if (unlikely(current->flags & PF_KTHREAD)) { 2779 ssp = sock->sk->sk_security; 2780 ssp->smk_in = &smack_known_web; 2781 ssp->smk_out = &smack_known_web; 2782 } 2783 2784 if (family != PF_INET) 2785 return 0; 2786 /* 2787 * Set the outbound netlbl. 2788 */ 2789 return smack_netlabel(sock->sk, SMACK_CIPSO_SOCKET); 2790 } 2791 2792 #ifdef SMACK_IPV6_PORT_LABELING 2793 /** 2794 * smack_socket_bind - record port binding information. 2795 * @sock: the socket 2796 * @address: the port address 2797 * @addrlen: size of the address 2798 * 2799 * Records the label bound to a port. 2800 * 2801 * Returns 0 2802 */ 2803 static int smack_socket_bind(struct socket *sock, struct sockaddr *address, 2804 int addrlen) 2805 { 2806 if (sock->sk != NULL && sock->sk->sk_family == PF_INET6) 2807 smk_ipv6_port_label(sock, address); 2808 return 0; 2809 } 2810 #endif /* SMACK_IPV6_PORT_LABELING */ 2811 2812 /** 2813 * smack_socket_connect - connect access check 2814 * @sock: the socket 2815 * @sap: the other end 2816 * @addrlen: size of sap 2817 * 2818 * Verifies that a connection may be possible 2819 * 2820 * Returns 0 on success, and error code otherwise 2821 */ 2822 static int smack_socket_connect(struct socket *sock, struct sockaddr *sap, 2823 int addrlen) 2824 { 2825 int rc = 0; 2826 #if IS_ENABLED(CONFIG_IPV6) 2827 struct sockaddr_in6 *sip = (struct sockaddr_in6 *)sap; 2828 #endif 2829 #ifdef SMACK_IPV6_SECMARK_LABELING 2830 struct smack_known *rsp; 2831 struct socket_smack *ssp = sock->sk->sk_security; 2832 #endif 2833 2834 if (sock->sk == NULL) 2835 return 0; 2836 2837 switch (sock->sk->sk_family) { 2838 case PF_INET: 2839 if (addrlen < sizeof(struct sockaddr_in)) 2840 return -EINVAL; 2841 rc = smack_netlabel_send(sock->sk, (struct sockaddr_in *)sap); 2842 break; 2843 case PF_INET6: 2844 if (addrlen < sizeof(struct sockaddr_in6)) 2845 return -EINVAL; 2846 #ifdef SMACK_IPV6_SECMARK_LABELING 2847 rsp = smack_ipv6host_label(sip); 2848 if (rsp != NULL) 2849 rc = smk_ipv6_check(ssp->smk_out, rsp, sip, 2850 SMK_CONNECTING); 2851 #endif 2852 #ifdef SMACK_IPV6_PORT_LABELING 2853 rc = smk_ipv6_port_check(sock->sk, sip, SMK_CONNECTING); 2854 #endif 2855 break; 2856 } 2857 return rc; 2858 } 2859 2860 /** 2861 * smack_flags_to_may - convert S_ to MAY_ values 2862 * @flags: the S_ value 2863 * 2864 * Returns the equivalent MAY_ value 2865 */ 2866 static int smack_flags_to_may(int flags) 2867 { 2868 int may = 0; 2869 2870 if (flags & S_IRUGO) 2871 may |= MAY_READ; 2872 if (flags & S_IWUGO) 2873 may |= MAY_WRITE; 2874 if (flags & S_IXUGO) 2875 may |= MAY_EXEC; 2876 2877 return may; 2878 } 2879 2880 /** 2881 * smack_msg_msg_alloc_security - Set the security blob for msg_msg 2882 * @msg: the object 2883 * 2884 * Returns 0 2885 */ 2886 static int smack_msg_msg_alloc_security(struct msg_msg *msg) 2887 { 2888 struct smack_known *skp = smk_of_current(); 2889 2890 msg->security = skp; 2891 return 0; 2892 } 2893 2894 /** 2895 * smack_msg_msg_free_security - Clear the security blob for msg_msg 2896 * @msg: the object 2897 * 2898 * Clears the blob pointer 2899 */ 2900 static void smack_msg_msg_free_security(struct msg_msg *msg) 2901 { 2902 msg->security = NULL; 2903 } 2904 2905 /** 2906 * smack_of_shm - the smack pointer for the shm 2907 * @shp: the object 2908 * 2909 * Returns a pointer to the smack value 2910 */ 2911 static struct smack_known *smack_of_shm(struct shmid_kernel *shp) 2912 { 2913 return (struct smack_known *)shp->shm_perm.security; 2914 } 2915 2916 /** 2917 * smack_shm_alloc_security - Set the security blob for shm 2918 * @shp: the object 2919 * 2920 * Returns 0 2921 */ 2922 static int smack_shm_alloc_security(struct shmid_kernel *shp) 2923 { 2924 struct kern_ipc_perm *isp = &shp->shm_perm; 2925 struct smack_known *skp = smk_of_current(); 2926 2927 isp->security = skp; 2928 return 0; 2929 } 2930 2931 /** 2932 * smack_shm_free_security - Clear the security blob for shm 2933 * @shp: the object 2934 * 2935 * Clears the blob pointer 2936 */ 2937 static void smack_shm_free_security(struct shmid_kernel *shp) 2938 { 2939 struct kern_ipc_perm *isp = &shp->shm_perm; 2940 2941 isp->security = NULL; 2942 } 2943 2944 /** 2945 * smk_curacc_shm : check if current has access on shm 2946 * @shp : the object 2947 * @access : access requested 2948 * 2949 * Returns 0 if current has the requested access, error code otherwise 2950 */ 2951 static int smk_curacc_shm(struct shmid_kernel *shp, int access) 2952 { 2953 struct smack_known *ssp = smack_of_shm(shp); 2954 struct smk_audit_info ad; 2955 int rc; 2956 2957 #ifdef CONFIG_AUDIT 2958 smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_IPC); 2959 ad.a.u.ipc_id = shp->shm_perm.id; 2960 #endif 2961 rc = smk_curacc(ssp, access, &ad); 2962 rc = smk_bu_current("shm", ssp, access, rc); 2963 return rc; 2964 } 2965 2966 /** 2967 * smack_shm_associate - Smack access check for shm 2968 * @shp: the object 2969 * @shmflg: access requested 2970 * 2971 * Returns 0 if current has the requested access, error code otherwise 2972 */ 2973 static int smack_shm_associate(struct shmid_kernel *shp, int shmflg) 2974 { 2975 int may; 2976 2977 may = smack_flags_to_may(shmflg); 2978 return smk_curacc_shm(shp, may); 2979 } 2980 2981 /** 2982 * smack_shm_shmctl - Smack access check for shm 2983 * @shp: the object 2984 * @cmd: what it wants to do 2985 * 2986 * Returns 0 if current has the requested access, error code otherwise 2987 */ 2988 static int smack_shm_shmctl(struct shmid_kernel *shp, int cmd) 2989 { 2990 int may; 2991 2992 switch (cmd) { 2993 case IPC_STAT: 2994 case SHM_STAT: 2995 may = MAY_READ; 2996 break; 2997 case IPC_SET: 2998 case SHM_LOCK: 2999 case SHM_UNLOCK: 3000 case IPC_RMID: 3001 may = MAY_READWRITE; 3002 break; 3003 case IPC_INFO: 3004 case SHM_INFO: 3005 /* 3006 * System level information. 3007 */ 3008 return 0; 3009 default: 3010 return -EINVAL; 3011 } 3012 return smk_curacc_shm(shp, may); 3013 } 3014 3015 /** 3016 * smack_shm_shmat - Smack access for shmat 3017 * @shp: the object 3018 * @shmaddr: unused 3019 * @shmflg: access requested 3020 * 3021 * Returns 0 if current has the requested access, error code otherwise 3022 */ 3023 static int smack_shm_shmat(struct shmid_kernel *shp, char __user *shmaddr, 3024 int shmflg) 3025 { 3026 int may; 3027 3028 may = smack_flags_to_may(shmflg); 3029 return smk_curacc_shm(shp, may); 3030 } 3031 3032 /** 3033 * smack_of_sem - the smack pointer for the sem 3034 * @sma: the object 3035 * 3036 * Returns a pointer to the smack value 3037 */ 3038 static struct smack_known *smack_of_sem(struct sem_array *sma) 3039 { 3040 return (struct smack_known *)sma->sem_perm.security; 3041 } 3042 3043 /** 3044 * smack_sem_alloc_security - Set the security blob for sem 3045 * @sma: the object 3046 * 3047 * Returns 0 3048 */ 3049 static int smack_sem_alloc_security(struct sem_array *sma) 3050 { 3051 struct kern_ipc_perm *isp = &sma->sem_perm; 3052 struct smack_known *skp = smk_of_current(); 3053 3054 isp->security = skp; 3055 return 0; 3056 } 3057 3058 /** 3059 * smack_sem_free_security - Clear the security blob for sem 3060 * @sma: the object 3061 * 3062 * Clears the blob pointer 3063 */ 3064 static void smack_sem_free_security(struct sem_array *sma) 3065 { 3066 struct kern_ipc_perm *isp = &sma->sem_perm; 3067 3068 isp->security = NULL; 3069 } 3070 3071 /** 3072 * smk_curacc_sem : check if current has access on sem 3073 * @sma : the object 3074 * @access : access requested 3075 * 3076 * Returns 0 if current has the requested access, error code otherwise 3077 */ 3078 static int smk_curacc_sem(struct sem_array *sma, int access) 3079 { 3080 struct smack_known *ssp = smack_of_sem(sma); 3081 struct smk_audit_info ad; 3082 int rc; 3083 3084 #ifdef CONFIG_AUDIT 3085 smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_IPC); 3086 ad.a.u.ipc_id = sma->sem_perm.id; 3087 #endif 3088 rc = smk_curacc(ssp, access, &ad); 3089 rc = smk_bu_current("sem", ssp, access, rc); 3090 return rc; 3091 } 3092 3093 /** 3094 * smack_sem_associate - Smack access check for sem 3095 * @sma: the object 3096 * @semflg: access requested 3097 * 3098 * Returns 0 if current has the requested access, error code otherwise 3099 */ 3100 static int smack_sem_associate(struct sem_array *sma, int semflg) 3101 { 3102 int may; 3103 3104 may = smack_flags_to_may(semflg); 3105 return smk_curacc_sem(sma, may); 3106 } 3107 3108 /** 3109 * smack_sem_shmctl - Smack access check for sem 3110 * @sma: the object 3111 * @cmd: what it wants to do 3112 * 3113 * Returns 0 if current has the requested access, error code otherwise 3114 */ 3115 static int smack_sem_semctl(struct sem_array *sma, int cmd) 3116 { 3117 int may; 3118 3119 switch (cmd) { 3120 case GETPID: 3121 case GETNCNT: 3122 case GETZCNT: 3123 case GETVAL: 3124 case GETALL: 3125 case IPC_STAT: 3126 case SEM_STAT: 3127 may = MAY_READ; 3128 break; 3129 case SETVAL: 3130 case SETALL: 3131 case IPC_RMID: 3132 case IPC_SET: 3133 may = MAY_READWRITE; 3134 break; 3135 case IPC_INFO: 3136 case SEM_INFO: 3137 /* 3138 * System level information 3139 */ 3140 return 0; 3141 default: 3142 return -EINVAL; 3143 } 3144 3145 return smk_curacc_sem(sma, may); 3146 } 3147 3148 /** 3149 * smack_sem_semop - Smack checks of semaphore operations 3150 * @sma: the object 3151 * @sops: unused 3152 * @nsops: unused 3153 * @alter: unused 3154 * 3155 * Treated as read and write in all cases. 3156 * 3157 * Returns 0 if access is allowed, error code otherwise 3158 */ 3159 static int smack_sem_semop(struct sem_array *sma, struct sembuf *sops, 3160 unsigned nsops, int alter) 3161 { 3162 return smk_curacc_sem(sma, MAY_READWRITE); 3163 } 3164 3165 /** 3166 * smack_msg_alloc_security - Set the security blob for msg 3167 * @msq: the object 3168 * 3169 * Returns 0 3170 */ 3171 static int smack_msg_queue_alloc_security(struct msg_queue *msq) 3172 { 3173 struct kern_ipc_perm *kisp = &msq->q_perm; 3174 struct smack_known *skp = smk_of_current(); 3175 3176 kisp->security = skp; 3177 return 0; 3178 } 3179 3180 /** 3181 * smack_msg_free_security - Clear the security blob for msg 3182 * @msq: the object 3183 * 3184 * Clears the blob pointer 3185 */ 3186 static void smack_msg_queue_free_security(struct msg_queue *msq) 3187 { 3188 struct kern_ipc_perm *kisp = &msq->q_perm; 3189 3190 kisp->security = NULL; 3191 } 3192 3193 /** 3194 * smack_of_msq - the smack pointer for the msq 3195 * @msq: the object 3196 * 3197 * Returns a pointer to the smack label entry 3198 */ 3199 static struct smack_known *smack_of_msq(struct msg_queue *msq) 3200 { 3201 return (struct smack_known *)msq->q_perm.security; 3202 } 3203 3204 /** 3205 * smk_curacc_msq : helper to check if current has access on msq 3206 * @msq : the msq 3207 * @access : access requested 3208 * 3209 * return 0 if current has access, error otherwise 3210 */ 3211 static int smk_curacc_msq(struct msg_queue *msq, int access) 3212 { 3213 struct smack_known *msp = smack_of_msq(msq); 3214 struct smk_audit_info ad; 3215 int rc; 3216 3217 #ifdef CONFIG_AUDIT 3218 smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_IPC); 3219 ad.a.u.ipc_id = msq->q_perm.id; 3220 #endif 3221 rc = smk_curacc(msp, access, &ad); 3222 rc = smk_bu_current("msq", msp, access, rc); 3223 return rc; 3224 } 3225 3226 /** 3227 * smack_msg_queue_associate - Smack access check for msg_queue 3228 * @msq: the object 3229 * @msqflg: access requested 3230 * 3231 * Returns 0 if current has the requested access, error code otherwise 3232 */ 3233 static int smack_msg_queue_associate(struct msg_queue *msq, int msqflg) 3234 { 3235 int may; 3236 3237 may = smack_flags_to_may(msqflg); 3238 return smk_curacc_msq(msq, may); 3239 } 3240 3241 /** 3242 * smack_msg_queue_msgctl - Smack access check for msg_queue 3243 * @msq: the object 3244 * @cmd: what it wants to do 3245 * 3246 * Returns 0 if current has the requested access, error code otherwise 3247 */ 3248 static int smack_msg_queue_msgctl(struct msg_queue *msq, int cmd) 3249 { 3250 int may; 3251 3252 switch (cmd) { 3253 case IPC_STAT: 3254 case MSG_STAT: 3255 may = MAY_READ; 3256 break; 3257 case IPC_SET: 3258 case IPC_RMID: 3259 may = MAY_READWRITE; 3260 break; 3261 case IPC_INFO: 3262 case MSG_INFO: 3263 /* 3264 * System level information 3265 */ 3266 return 0; 3267 default: 3268 return -EINVAL; 3269 } 3270 3271 return smk_curacc_msq(msq, may); 3272 } 3273 3274 /** 3275 * smack_msg_queue_msgsnd - Smack access check for msg_queue 3276 * @msq: the object 3277 * @msg: unused 3278 * @msqflg: access requested 3279 * 3280 * Returns 0 if current has the requested access, error code otherwise 3281 */ 3282 static int smack_msg_queue_msgsnd(struct msg_queue *msq, struct msg_msg *msg, 3283 int msqflg) 3284 { 3285 int may; 3286 3287 may = smack_flags_to_may(msqflg); 3288 return smk_curacc_msq(msq, may); 3289 } 3290 3291 /** 3292 * smack_msg_queue_msgsnd - Smack access check for msg_queue 3293 * @msq: the object 3294 * @msg: unused 3295 * @target: unused 3296 * @type: unused 3297 * @mode: unused 3298 * 3299 * Returns 0 if current has read and write access, error code otherwise 3300 */ 3301 static int smack_msg_queue_msgrcv(struct msg_queue *msq, struct msg_msg *msg, 3302 struct task_struct *target, long type, int mode) 3303 { 3304 return smk_curacc_msq(msq, MAY_READWRITE); 3305 } 3306 3307 /** 3308 * smack_ipc_permission - Smack access for ipc_permission() 3309 * @ipp: the object permissions 3310 * @flag: access requested 3311 * 3312 * Returns 0 if current has read and write access, error code otherwise 3313 */ 3314 static int smack_ipc_permission(struct kern_ipc_perm *ipp, short flag) 3315 { 3316 struct smack_known *iskp = ipp->security; 3317 int may = smack_flags_to_may(flag); 3318 struct smk_audit_info ad; 3319 int rc; 3320 3321 #ifdef CONFIG_AUDIT 3322 smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_IPC); 3323 ad.a.u.ipc_id = ipp->id; 3324 #endif 3325 rc = smk_curacc(iskp, may, &ad); 3326 rc = smk_bu_current("svipc", iskp, may, rc); 3327 return rc; 3328 } 3329 3330 /** 3331 * smack_ipc_getsecid - Extract smack security id 3332 * @ipp: the object permissions 3333 * @secid: where result will be saved 3334 */ 3335 static void smack_ipc_getsecid(struct kern_ipc_perm *ipp, u32 *secid) 3336 { 3337 struct smack_known *iskp = ipp->security; 3338 3339 *secid = iskp->smk_secid; 3340 } 3341 3342 /** 3343 * smack_d_instantiate - Make sure the blob is correct on an inode 3344 * @opt_dentry: dentry where inode will be attached 3345 * @inode: the object 3346 * 3347 * Set the inode's security blob if it hasn't been done already. 3348 */ 3349 static void smack_d_instantiate(struct dentry *opt_dentry, struct inode *inode) 3350 { 3351 struct super_block *sbp; 3352 struct superblock_smack *sbsp; 3353 struct inode_smack *isp; 3354 struct smack_known *skp; 3355 struct smack_known *ckp = smk_of_current(); 3356 struct smack_known *final; 3357 char trattr[TRANS_TRUE_SIZE]; 3358 int transflag = 0; 3359 int rc; 3360 struct dentry *dp; 3361 3362 if (inode == NULL) 3363 return; 3364 3365 isp = inode->i_security; 3366 3367 mutex_lock(&isp->smk_lock); 3368 /* 3369 * If the inode is already instantiated 3370 * take the quick way out 3371 */ 3372 if (isp->smk_flags & SMK_INODE_INSTANT) 3373 goto unlockandout; 3374 3375 sbp = inode->i_sb; 3376 sbsp = sbp->s_security; 3377 /* 3378 * We're going to use the superblock default label 3379 * if there's no label on the file. 3380 */ 3381 final = sbsp->smk_default; 3382 3383 /* 3384 * If this is the root inode the superblock 3385 * may be in the process of initialization. 3386 * If that is the case use the root value out 3387 * of the superblock. 3388 */ 3389 if (opt_dentry->d_parent == opt_dentry) { 3390 switch (sbp->s_magic) { 3391 case CGROUP_SUPER_MAGIC: 3392 /* 3393 * The cgroup filesystem is never mounted, 3394 * so there's no opportunity to set the mount 3395 * options. 3396 */ 3397 sbsp->smk_root = &smack_known_star; 3398 sbsp->smk_default = &smack_known_star; 3399 isp->smk_inode = sbsp->smk_root; 3400 break; 3401 case TMPFS_MAGIC: 3402 /* 3403 * What about shmem/tmpfs anonymous files with dentry 3404 * obtained from d_alloc_pseudo()? 3405 */ 3406 isp->smk_inode = smk_of_current(); 3407 break; 3408 case PIPEFS_MAGIC: 3409 isp->smk_inode = smk_of_current(); 3410 break; 3411 default: 3412 isp->smk_inode = sbsp->smk_root; 3413 break; 3414 } 3415 isp->smk_flags |= SMK_INODE_INSTANT; 3416 goto unlockandout; 3417 } 3418 3419 /* 3420 * This is pretty hackish. 3421 * Casey says that we shouldn't have to do 3422 * file system specific code, but it does help 3423 * with keeping it simple. 3424 */ 3425 switch (sbp->s_magic) { 3426 case SMACK_MAGIC: 3427 case PIPEFS_MAGIC: 3428 case SOCKFS_MAGIC: 3429 case CGROUP_SUPER_MAGIC: 3430 /* 3431 * Casey says that it's a little embarrassing 3432 * that the smack file system doesn't do 3433 * extended attributes. 3434 * 3435 * Casey says pipes are easy (?) 3436 * 3437 * Socket access is controlled by the socket 3438 * structures associated with the task involved. 3439 * 3440 * Cgroupfs is special 3441 */ 3442 final = &smack_known_star; 3443 break; 3444 case DEVPTS_SUPER_MAGIC: 3445 /* 3446 * devpts seems content with the label of the task. 3447 * Programs that change smack have to treat the 3448 * pty with respect. 3449 */ 3450 final = ckp; 3451 break; 3452 case PROC_SUPER_MAGIC: 3453 /* 3454 * Casey says procfs appears not to care. 3455 * The superblock default suffices. 3456 */ 3457 break; 3458 case TMPFS_MAGIC: 3459 /* 3460 * Device labels should come from the filesystem, 3461 * but watch out, because they're volitile, 3462 * getting recreated on every reboot. 3463 */ 3464 final = &smack_known_star; 3465 /* 3466 * No break. 3467 * 3468 * If a smack value has been set we want to use it, 3469 * but since tmpfs isn't giving us the opportunity 3470 * to set mount options simulate setting the 3471 * superblock default. 3472 */ 3473 default: 3474 /* 3475 * This isn't an understood special case. 3476 * Get the value from the xattr. 3477 */ 3478 3479 /* 3480 * UNIX domain sockets use lower level socket data. 3481 */ 3482 if (S_ISSOCK(inode->i_mode)) { 3483 final = &smack_known_star; 3484 break; 3485 } 3486 /* 3487 * No xattr support means, alas, no SMACK label. 3488 * Use the aforeapplied default. 3489 * It would be curious if the label of the task 3490 * does not match that assigned. 3491 */ 3492 if (inode->i_op->getxattr == NULL) 3493 break; 3494 /* 3495 * Get the dentry for xattr. 3496 */ 3497 dp = dget(opt_dentry); 3498 skp = smk_fetch(XATTR_NAME_SMACK, inode, dp); 3499 if (!IS_ERR_OR_NULL(skp)) 3500 final = skp; 3501 3502 /* 3503 * Transmuting directory 3504 */ 3505 if (S_ISDIR(inode->i_mode)) { 3506 /* 3507 * If this is a new directory and the label was 3508 * transmuted when the inode was initialized 3509 * set the transmute attribute on the directory 3510 * and mark the inode. 3511 * 3512 * If there is a transmute attribute on the 3513 * directory mark the inode. 3514 */ 3515 if (isp->smk_flags & SMK_INODE_CHANGED) { 3516 isp->smk_flags &= ~SMK_INODE_CHANGED; 3517 rc = inode->i_op->setxattr(dp, 3518 XATTR_NAME_SMACKTRANSMUTE, 3519 TRANS_TRUE, TRANS_TRUE_SIZE, 3520 0); 3521 } else { 3522 rc = inode->i_op->getxattr(dp, 3523 XATTR_NAME_SMACKTRANSMUTE, trattr, 3524 TRANS_TRUE_SIZE); 3525 if (rc >= 0 && strncmp(trattr, TRANS_TRUE, 3526 TRANS_TRUE_SIZE) != 0) 3527 rc = -EINVAL; 3528 } 3529 if (rc >= 0) 3530 transflag = SMK_INODE_TRANSMUTE; 3531 } 3532 /* 3533 * Don't let the exec or mmap label be "*" or "@". 3534 */ 3535 skp = smk_fetch(XATTR_NAME_SMACKEXEC, inode, dp); 3536 if (IS_ERR(skp) || skp == &smack_known_star || 3537 skp == &smack_known_web) 3538 skp = NULL; 3539 isp->smk_task = skp; 3540 3541 skp = smk_fetch(XATTR_NAME_SMACKMMAP, inode, dp); 3542 if (IS_ERR(skp) || skp == &smack_known_star || 3543 skp == &smack_known_web) 3544 skp = NULL; 3545 isp->smk_mmap = skp; 3546 3547 dput(dp); 3548 break; 3549 } 3550 3551 if (final == NULL) 3552 isp->smk_inode = ckp; 3553 else 3554 isp->smk_inode = final; 3555 3556 isp->smk_flags |= (SMK_INODE_INSTANT | transflag); 3557 3558 unlockandout: 3559 mutex_unlock(&isp->smk_lock); 3560 return; 3561 } 3562 3563 /** 3564 * smack_getprocattr - Smack process attribute access 3565 * @p: the object task 3566 * @name: the name of the attribute in /proc/.../attr 3567 * @value: where to put the result 3568 * 3569 * Places a copy of the task Smack into value 3570 * 3571 * Returns the length of the smack label or an error code 3572 */ 3573 static int smack_getprocattr(struct task_struct *p, char *name, char **value) 3574 { 3575 struct smack_known *skp = smk_of_task_struct(p); 3576 char *cp; 3577 int slen; 3578 3579 if (strcmp(name, "current") != 0) 3580 return -EINVAL; 3581 3582 cp = kstrdup(skp->smk_known, GFP_KERNEL); 3583 if (cp == NULL) 3584 return -ENOMEM; 3585 3586 slen = strlen(cp); 3587 *value = cp; 3588 return slen; 3589 } 3590 3591 /** 3592 * smack_setprocattr - Smack process attribute setting 3593 * @p: the object task 3594 * @name: the name of the attribute in /proc/.../attr 3595 * @value: the value to set 3596 * @size: the size of the value 3597 * 3598 * Sets the Smack value of the task. Only setting self 3599 * is permitted and only with privilege 3600 * 3601 * Returns the length of the smack label or an error code 3602 */ 3603 static int smack_setprocattr(struct task_struct *p, char *name, 3604 void *value, size_t size) 3605 { 3606 struct task_smack *tsp = current_security(); 3607 struct cred *new; 3608 struct smack_known *skp; 3609 struct smack_known_list_elem *sklep; 3610 int rc; 3611 3612 /* 3613 * Changing another process' Smack value is too dangerous 3614 * and supports no sane use case. 3615 */ 3616 if (p != current) 3617 return -EPERM; 3618 3619 if (!smack_privileged(CAP_MAC_ADMIN) && list_empty(&tsp->smk_relabel)) 3620 return -EPERM; 3621 3622 if (value == NULL || size == 0 || size >= SMK_LONGLABEL) 3623 return -EINVAL; 3624 3625 if (strcmp(name, "current") != 0) 3626 return -EINVAL; 3627 3628 skp = smk_import_entry(value, size); 3629 if (IS_ERR(skp)) 3630 return PTR_ERR(skp); 3631 3632 /* 3633 * No process is ever allowed the web ("@") label. 3634 */ 3635 if (skp == &smack_known_web) 3636 return -EPERM; 3637 3638 if (!smack_privileged(CAP_MAC_ADMIN)) { 3639 rc = -EPERM; 3640 list_for_each_entry(sklep, &tsp->smk_relabel, list) 3641 if (sklep->smk_label == skp) { 3642 rc = 0; 3643 break; 3644 } 3645 if (rc) 3646 return rc; 3647 } 3648 3649 new = prepare_creds(); 3650 if (new == NULL) 3651 return -ENOMEM; 3652 3653 tsp = new->security; 3654 tsp->smk_task = skp; 3655 /* 3656 * process can change its label only once 3657 */ 3658 smk_destroy_label_list(&tsp->smk_relabel); 3659 3660 commit_creds(new); 3661 return size; 3662 } 3663 3664 /** 3665 * smack_unix_stream_connect - Smack access on UDS 3666 * @sock: one sock 3667 * @other: the other sock 3668 * @newsk: unused 3669 * 3670 * Return 0 if a subject with the smack of sock could access 3671 * an object with the smack of other, otherwise an error code 3672 */ 3673 static int smack_unix_stream_connect(struct sock *sock, 3674 struct sock *other, struct sock *newsk) 3675 { 3676 struct smack_known *skp; 3677 struct smack_known *okp; 3678 struct socket_smack *ssp = sock->sk_security; 3679 struct socket_smack *osp = other->sk_security; 3680 struct socket_smack *nsp = newsk->sk_security; 3681 struct smk_audit_info ad; 3682 int rc = 0; 3683 #ifdef CONFIG_AUDIT 3684 struct lsm_network_audit net; 3685 #endif 3686 3687 if (!smack_privileged(CAP_MAC_OVERRIDE)) { 3688 skp = ssp->smk_out; 3689 okp = osp->smk_in; 3690 #ifdef CONFIG_AUDIT 3691 smk_ad_init_net(&ad, __func__, LSM_AUDIT_DATA_NET, &net); 3692 smk_ad_setfield_u_net_sk(&ad, other); 3693 #endif 3694 rc = smk_access(skp, okp, MAY_WRITE, &ad); 3695 rc = smk_bu_note("UDS connect", skp, okp, MAY_WRITE, rc); 3696 if (rc == 0) { 3697 okp = osp->smk_out; 3698 skp = ssp->smk_in; 3699 rc = smk_access(okp, skp, MAY_WRITE, &ad); 3700 rc = smk_bu_note("UDS connect", okp, skp, 3701 MAY_WRITE, rc); 3702 } 3703 } 3704 3705 /* 3706 * Cross reference the peer labels for SO_PEERSEC. 3707 */ 3708 if (rc == 0) { 3709 nsp->smk_packet = ssp->smk_out; 3710 ssp->smk_packet = osp->smk_out; 3711 } 3712 3713 return rc; 3714 } 3715 3716 /** 3717 * smack_unix_may_send - Smack access on UDS 3718 * @sock: one socket 3719 * @other: the other socket 3720 * 3721 * Return 0 if a subject with the smack of sock could access 3722 * an object with the smack of other, otherwise an error code 3723 */ 3724 static int smack_unix_may_send(struct socket *sock, struct socket *other) 3725 { 3726 struct socket_smack *ssp = sock->sk->sk_security; 3727 struct socket_smack *osp = other->sk->sk_security; 3728 struct smk_audit_info ad; 3729 int rc; 3730 3731 #ifdef CONFIG_AUDIT 3732 struct lsm_network_audit net; 3733 3734 smk_ad_init_net(&ad, __func__, LSM_AUDIT_DATA_NET, &net); 3735 smk_ad_setfield_u_net_sk(&ad, other->sk); 3736 #endif 3737 3738 if (smack_privileged(CAP_MAC_OVERRIDE)) 3739 return 0; 3740 3741 rc = smk_access(ssp->smk_out, osp->smk_in, MAY_WRITE, &ad); 3742 rc = smk_bu_note("UDS send", ssp->smk_out, osp->smk_in, MAY_WRITE, rc); 3743 return rc; 3744 } 3745 3746 /** 3747 * smack_socket_sendmsg - Smack check based on destination host 3748 * @sock: the socket 3749 * @msg: the message 3750 * @size: the size of the message 3751 * 3752 * Return 0 if the current subject can write to the destination host. 3753 * For IPv4 this is only a question if the destination is a single label host. 3754 * For IPv6 this is a check against the label of the port. 3755 */ 3756 static int smack_socket_sendmsg(struct socket *sock, struct msghdr *msg, 3757 int size) 3758 { 3759 struct sockaddr_in *sip = (struct sockaddr_in *) msg->msg_name; 3760 #if IS_ENABLED(CONFIG_IPV6) 3761 struct sockaddr_in6 *sap = (struct sockaddr_in6 *) msg->msg_name; 3762 #endif 3763 #ifdef SMACK_IPV6_SECMARK_LABELING 3764 struct socket_smack *ssp = sock->sk->sk_security; 3765 struct smack_known *rsp; 3766 #endif 3767 int rc = 0; 3768 3769 /* 3770 * Perfectly reasonable for this to be NULL 3771 */ 3772 if (sip == NULL) 3773 return 0; 3774 3775 switch (sock->sk->sk_family) { 3776 case AF_INET: 3777 rc = smack_netlabel_send(sock->sk, sip); 3778 break; 3779 case AF_INET6: 3780 #ifdef SMACK_IPV6_SECMARK_LABELING 3781 rsp = smack_ipv6host_label(sap); 3782 if (rsp != NULL) 3783 rc = smk_ipv6_check(ssp->smk_out, rsp, sap, 3784 SMK_CONNECTING); 3785 #endif 3786 #ifdef SMACK_IPV6_PORT_LABELING 3787 rc = smk_ipv6_port_check(sock->sk, sap, SMK_SENDING); 3788 #endif 3789 break; 3790 } 3791 return rc; 3792 } 3793 3794 /** 3795 * smack_from_secattr - Convert a netlabel attr.mls.lvl/attr.mls.cat pair to smack 3796 * @sap: netlabel secattr 3797 * @ssp: socket security information 3798 * 3799 * Returns a pointer to a Smack label entry found on the label list. 3800 */ 3801 static struct smack_known *smack_from_secattr(struct netlbl_lsm_secattr *sap, 3802 struct socket_smack *ssp) 3803 { 3804 struct smack_known *skp; 3805 int found = 0; 3806 int acat; 3807 int kcat; 3808 3809 if ((sap->flags & NETLBL_SECATTR_MLS_LVL) != 0) { 3810 /* 3811 * Looks like a CIPSO packet. 3812 * If there are flags but no level netlabel isn't 3813 * behaving the way we expect it to. 3814 * 3815 * Look it up in the label table 3816 * Without guidance regarding the smack value 3817 * for the packet fall back on the network 3818 * ambient value. 3819 */ 3820 rcu_read_lock(); 3821 list_for_each_entry(skp, &smack_known_list, list) { 3822 if (sap->attr.mls.lvl != skp->smk_netlabel.attr.mls.lvl) 3823 continue; 3824 /* 3825 * Compare the catsets. Use the netlbl APIs. 3826 */ 3827 if ((sap->flags & NETLBL_SECATTR_MLS_CAT) == 0) { 3828 if ((skp->smk_netlabel.flags & 3829 NETLBL_SECATTR_MLS_CAT) == 0) 3830 found = 1; 3831 break; 3832 } 3833 for (acat = -1, kcat = -1; acat == kcat; ) { 3834 acat = netlbl_catmap_walk(sap->attr.mls.cat, 3835 acat + 1); 3836 kcat = netlbl_catmap_walk( 3837 skp->smk_netlabel.attr.mls.cat, 3838 kcat + 1); 3839 if (acat < 0 || kcat < 0) 3840 break; 3841 } 3842 if (acat == kcat) { 3843 found = 1; 3844 break; 3845 } 3846 } 3847 rcu_read_unlock(); 3848 3849 if (found) 3850 return skp; 3851 3852 if (ssp != NULL && ssp->smk_in == &smack_known_star) 3853 return &smack_known_web; 3854 return &smack_known_star; 3855 } 3856 if ((sap->flags & NETLBL_SECATTR_SECID) != 0) { 3857 /* 3858 * Looks like a fallback, which gives us a secid. 3859 */ 3860 skp = smack_from_secid(sap->attr.secid); 3861 /* 3862 * This has got to be a bug because it is 3863 * impossible to specify a fallback without 3864 * specifying the label, which will ensure 3865 * it has a secid, and the only way to get a 3866 * secid is from a fallback. 3867 */ 3868 BUG_ON(skp == NULL); 3869 return skp; 3870 } 3871 /* 3872 * Without guidance regarding the smack value 3873 * for the packet fall back on the network 3874 * ambient value. 3875 */ 3876 return smack_net_ambient; 3877 } 3878 3879 #if IS_ENABLED(CONFIG_IPV6) 3880 static int smk_skb_to_addr_ipv6(struct sk_buff *skb, struct sockaddr_in6 *sip) 3881 { 3882 u8 nexthdr; 3883 int offset; 3884 int proto = -EINVAL; 3885 struct ipv6hdr _ipv6h; 3886 struct ipv6hdr *ip6; 3887 __be16 frag_off; 3888 struct tcphdr _tcph, *th; 3889 struct udphdr _udph, *uh; 3890 struct dccp_hdr _dccph, *dh; 3891 3892 sip->sin6_port = 0; 3893 3894 offset = skb_network_offset(skb); 3895 ip6 = skb_header_pointer(skb, offset, sizeof(_ipv6h), &_ipv6h); 3896 if (ip6 == NULL) 3897 return -EINVAL; 3898 sip->sin6_addr = ip6->saddr; 3899 3900 nexthdr = ip6->nexthdr; 3901 offset += sizeof(_ipv6h); 3902 offset = ipv6_skip_exthdr(skb, offset, &nexthdr, &frag_off); 3903 if (offset < 0) 3904 return -EINVAL; 3905 3906 proto = nexthdr; 3907 switch (proto) { 3908 case IPPROTO_TCP: 3909 th = skb_header_pointer(skb, offset, sizeof(_tcph), &_tcph); 3910 if (th != NULL) 3911 sip->sin6_port = th->source; 3912 break; 3913 case IPPROTO_UDP: 3914 uh = skb_header_pointer(skb, offset, sizeof(_udph), &_udph); 3915 if (uh != NULL) 3916 sip->sin6_port = uh->source; 3917 break; 3918 case IPPROTO_DCCP: 3919 dh = skb_header_pointer(skb, offset, sizeof(_dccph), &_dccph); 3920 if (dh != NULL) 3921 sip->sin6_port = dh->dccph_sport; 3922 break; 3923 } 3924 return proto; 3925 } 3926 #endif /* CONFIG_IPV6 */ 3927 3928 /** 3929 * smack_socket_sock_rcv_skb - Smack packet delivery access check 3930 * @sk: socket 3931 * @skb: packet 3932 * 3933 * Returns 0 if the packet should be delivered, an error code otherwise 3934 */ 3935 static int smack_socket_sock_rcv_skb(struct sock *sk, struct sk_buff *skb) 3936 { 3937 struct netlbl_lsm_secattr secattr; 3938 struct socket_smack *ssp = sk->sk_security; 3939 struct smack_known *skp = NULL; 3940 int rc = 0; 3941 struct smk_audit_info ad; 3942 #ifdef CONFIG_AUDIT 3943 struct lsm_network_audit net; 3944 #endif 3945 #if IS_ENABLED(CONFIG_IPV6) 3946 struct sockaddr_in6 sadd; 3947 int proto; 3948 #endif /* CONFIG_IPV6 */ 3949 3950 switch (sk->sk_family) { 3951 case PF_INET: 3952 #ifdef CONFIG_SECURITY_SMACK_NETFILTER 3953 /* 3954 * If there is a secmark use it rather than the CIPSO label. 3955 * If there is no secmark fall back to CIPSO. 3956 * The secmark is assumed to reflect policy better. 3957 */ 3958 if (skb && skb->secmark != 0) { 3959 skp = smack_from_secid(skb->secmark); 3960 goto access_check; 3961 } 3962 #endif /* CONFIG_SECURITY_SMACK_NETFILTER */ 3963 /* 3964 * Translate what netlabel gave us. 3965 */ 3966 netlbl_secattr_init(&secattr); 3967 3968 rc = netlbl_skbuff_getattr(skb, sk->sk_family, &secattr); 3969 if (rc == 0) 3970 skp = smack_from_secattr(&secattr, ssp); 3971 else 3972 skp = smack_net_ambient; 3973 3974 netlbl_secattr_destroy(&secattr); 3975 3976 #ifdef CONFIG_SECURITY_SMACK_NETFILTER 3977 access_check: 3978 #endif 3979 #ifdef CONFIG_AUDIT 3980 smk_ad_init_net(&ad, __func__, LSM_AUDIT_DATA_NET, &net); 3981 ad.a.u.net->family = sk->sk_family; 3982 ad.a.u.net->netif = skb->skb_iif; 3983 ipv4_skb_to_auditdata(skb, &ad.a, NULL); 3984 #endif 3985 /* 3986 * Receiving a packet requires that the other end 3987 * be able to write here. Read access is not required. 3988 * This is the simplist possible security model 3989 * for networking. 3990 */ 3991 rc = smk_access(skp, ssp->smk_in, MAY_WRITE, &ad); 3992 rc = smk_bu_note("IPv4 delivery", skp, ssp->smk_in, 3993 MAY_WRITE, rc); 3994 if (rc != 0) 3995 netlbl_skbuff_err(skb, rc, 0); 3996 break; 3997 #if IS_ENABLED(CONFIG_IPV6) 3998 case PF_INET6: 3999 proto = smk_skb_to_addr_ipv6(skb, &sadd); 4000 if (proto != IPPROTO_UDP && proto != IPPROTO_TCP) 4001 break; 4002 #ifdef SMACK_IPV6_SECMARK_LABELING 4003 if (skb && skb->secmark != 0) 4004 skp = smack_from_secid(skb->secmark); 4005 else 4006 skp = smack_ipv6host_label(&sadd); 4007 if (skp == NULL) 4008 skp = smack_net_ambient; 4009 #ifdef CONFIG_AUDIT 4010 smk_ad_init_net(&ad, __func__, LSM_AUDIT_DATA_NET, &net); 4011 ad.a.u.net->family = sk->sk_family; 4012 ad.a.u.net->netif = skb->skb_iif; 4013 ipv6_skb_to_auditdata(skb, &ad.a, NULL); 4014 #endif /* CONFIG_AUDIT */ 4015 rc = smk_access(skp, ssp->smk_in, MAY_WRITE, &ad); 4016 rc = smk_bu_note("IPv6 delivery", skp, ssp->smk_in, 4017 MAY_WRITE, rc); 4018 #endif /* SMACK_IPV6_SECMARK_LABELING */ 4019 #ifdef SMACK_IPV6_PORT_LABELING 4020 rc = smk_ipv6_port_check(sk, &sadd, SMK_RECEIVING); 4021 #endif /* SMACK_IPV6_PORT_LABELING */ 4022 break; 4023 #endif /* CONFIG_IPV6 */ 4024 } 4025 4026 return rc; 4027 } 4028 4029 /** 4030 * smack_socket_getpeersec_stream - pull in packet label 4031 * @sock: the socket 4032 * @optval: user's destination 4033 * @optlen: size thereof 4034 * @len: max thereof 4035 * 4036 * returns zero on success, an error code otherwise 4037 */ 4038 static int smack_socket_getpeersec_stream(struct socket *sock, 4039 char __user *optval, 4040 int __user *optlen, unsigned len) 4041 { 4042 struct socket_smack *ssp; 4043 char *rcp = ""; 4044 int slen = 1; 4045 int rc = 0; 4046 4047 ssp = sock->sk->sk_security; 4048 if (ssp->smk_packet != NULL) { 4049 rcp = ssp->smk_packet->smk_known; 4050 slen = strlen(rcp) + 1; 4051 } 4052 4053 if (slen > len) 4054 rc = -ERANGE; 4055 else if (copy_to_user(optval, rcp, slen) != 0) 4056 rc = -EFAULT; 4057 4058 if (put_user(slen, optlen) != 0) 4059 rc = -EFAULT; 4060 4061 return rc; 4062 } 4063 4064 4065 /** 4066 * smack_socket_getpeersec_dgram - pull in packet label 4067 * @sock: the peer socket 4068 * @skb: packet data 4069 * @secid: pointer to where to put the secid of the packet 4070 * 4071 * Sets the netlabel socket state on sk from parent 4072 */ 4073 static int smack_socket_getpeersec_dgram(struct socket *sock, 4074 struct sk_buff *skb, u32 *secid) 4075 4076 { 4077 struct netlbl_lsm_secattr secattr; 4078 struct socket_smack *ssp = NULL; 4079 struct smack_known *skp; 4080 int family = PF_UNSPEC; 4081 u32 s = 0; /* 0 is the invalid secid */ 4082 int rc; 4083 4084 if (skb != NULL) { 4085 if (skb->protocol == htons(ETH_P_IP)) 4086 family = PF_INET; 4087 #if IS_ENABLED(CONFIG_IPV6) 4088 else if (skb->protocol == htons(ETH_P_IPV6)) 4089 family = PF_INET6; 4090 #endif /* CONFIG_IPV6 */ 4091 } 4092 if (family == PF_UNSPEC && sock != NULL) 4093 family = sock->sk->sk_family; 4094 4095 switch (family) { 4096 case PF_UNIX: 4097 ssp = sock->sk->sk_security; 4098 s = ssp->smk_out->smk_secid; 4099 break; 4100 case PF_INET: 4101 #ifdef CONFIG_SECURITY_SMACK_NETFILTER 4102 s = skb->secmark; 4103 if (s != 0) 4104 break; 4105 #endif 4106 /* 4107 * Translate what netlabel gave us. 4108 */ 4109 if (sock != NULL && sock->sk != NULL) 4110 ssp = sock->sk->sk_security; 4111 netlbl_secattr_init(&secattr); 4112 rc = netlbl_skbuff_getattr(skb, family, &secattr); 4113 if (rc == 0) { 4114 skp = smack_from_secattr(&secattr, ssp); 4115 s = skp->smk_secid; 4116 } 4117 netlbl_secattr_destroy(&secattr); 4118 break; 4119 case PF_INET6: 4120 #ifdef SMACK_IPV6_SECMARK_LABELING 4121 s = skb->secmark; 4122 #endif 4123 break; 4124 } 4125 *secid = s; 4126 if (s == 0) 4127 return -EINVAL; 4128 return 0; 4129 } 4130 4131 /** 4132 * smack_sock_graft - Initialize a newly created socket with an existing sock 4133 * @sk: child sock 4134 * @parent: parent socket 4135 * 4136 * Set the smk_{in,out} state of an existing sock based on the process that 4137 * is creating the new socket. 4138 */ 4139 static void smack_sock_graft(struct sock *sk, struct socket *parent) 4140 { 4141 struct socket_smack *ssp; 4142 struct smack_known *skp = smk_of_current(); 4143 4144 if (sk == NULL || 4145 (sk->sk_family != PF_INET && sk->sk_family != PF_INET6)) 4146 return; 4147 4148 ssp = sk->sk_security; 4149 ssp->smk_in = skp; 4150 ssp->smk_out = skp; 4151 /* cssp->smk_packet is already set in smack_inet_csk_clone() */ 4152 } 4153 4154 /** 4155 * smack_inet_conn_request - Smack access check on connect 4156 * @sk: socket involved 4157 * @skb: packet 4158 * @req: unused 4159 * 4160 * Returns 0 if a task with the packet label could write to 4161 * the socket, otherwise an error code 4162 */ 4163 static int smack_inet_conn_request(struct sock *sk, struct sk_buff *skb, 4164 struct request_sock *req) 4165 { 4166 u16 family = sk->sk_family; 4167 struct smack_known *skp; 4168 struct socket_smack *ssp = sk->sk_security; 4169 struct netlbl_lsm_secattr secattr; 4170 struct sockaddr_in addr; 4171 struct iphdr *hdr; 4172 struct smack_known *hskp; 4173 int rc; 4174 struct smk_audit_info ad; 4175 #ifdef CONFIG_AUDIT 4176 struct lsm_network_audit net; 4177 #endif 4178 4179 #if IS_ENABLED(CONFIG_IPV6) 4180 if (family == PF_INET6) { 4181 /* 4182 * Handle mapped IPv4 packets arriving 4183 * via IPv6 sockets. Don't set up netlabel 4184 * processing on IPv6. 4185 */ 4186 if (skb->protocol == htons(ETH_P_IP)) 4187 family = PF_INET; 4188 else 4189 return 0; 4190 } 4191 #endif /* CONFIG_IPV6 */ 4192 4193 #ifdef CONFIG_SECURITY_SMACK_NETFILTER 4194 /* 4195 * If there is a secmark use it rather than the CIPSO label. 4196 * If there is no secmark fall back to CIPSO. 4197 * The secmark is assumed to reflect policy better. 4198 */ 4199 if (skb && skb->secmark != 0) { 4200 skp = smack_from_secid(skb->secmark); 4201 goto access_check; 4202 } 4203 #endif /* CONFIG_SECURITY_SMACK_NETFILTER */ 4204 4205 netlbl_secattr_init(&secattr); 4206 rc = netlbl_skbuff_getattr(skb, family, &secattr); 4207 if (rc == 0) 4208 skp = smack_from_secattr(&secattr, ssp); 4209 else 4210 skp = &smack_known_huh; 4211 netlbl_secattr_destroy(&secattr); 4212 4213 #ifdef CONFIG_SECURITY_SMACK_NETFILTER 4214 access_check: 4215 #endif 4216 4217 #ifdef CONFIG_AUDIT 4218 smk_ad_init_net(&ad, __func__, LSM_AUDIT_DATA_NET, &net); 4219 ad.a.u.net->family = family; 4220 ad.a.u.net->netif = skb->skb_iif; 4221 ipv4_skb_to_auditdata(skb, &ad.a, NULL); 4222 #endif 4223 /* 4224 * Receiving a packet requires that the other end be able to write 4225 * here. Read access is not required. 4226 */ 4227 rc = smk_access(skp, ssp->smk_in, MAY_WRITE, &ad); 4228 rc = smk_bu_note("IPv4 connect", skp, ssp->smk_in, MAY_WRITE, rc); 4229 if (rc != 0) 4230 return rc; 4231 4232 /* 4233 * Save the peer's label in the request_sock so we can later setup 4234 * smk_packet in the child socket so that SO_PEERCRED can report it. 4235 */ 4236 req->peer_secid = skp->smk_secid; 4237 4238 /* 4239 * We need to decide if we want to label the incoming connection here 4240 * if we do we only need to label the request_sock and the stack will 4241 * propagate the wire-label to the sock when it is created. 4242 */ 4243 hdr = ip_hdr(skb); 4244 addr.sin_addr.s_addr = hdr->saddr; 4245 rcu_read_lock(); 4246 hskp = smack_ipv4host_label(&addr); 4247 rcu_read_unlock(); 4248 4249 if (hskp == NULL) 4250 rc = netlbl_req_setattr(req, &skp->smk_netlabel); 4251 else 4252 netlbl_req_delattr(req); 4253 4254 return rc; 4255 } 4256 4257 /** 4258 * smack_inet_csk_clone - Copy the connection information to the new socket 4259 * @sk: the new socket 4260 * @req: the connection's request_sock 4261 * 4262 * Transfer the connection's peer label to the newly created socket. 4263 */ 4264 static void smack_inet_csk_clone(struct sock *sk, 4265 const struct request_sock *req) 4266 { 4267 struct socket_smack *ssp = sk->sk_security; 4268 struct smack_known *skp; 4269 4270 if (req->peer_secid != 0) { 4271 skp = smack_from_secid(req->peer_secid); 4272 ssp->smk_packet = skp; 4273 } else 4274 ssp->smk_packet = NULL; 4275 } 4276 4277 /* 4278 * Key management security hooks 4279 * 4280 * Casey has not tested key support very heavily. 4281 * The permission check is most likely too restrictive. 4282 * If you care about keys please have a look. 4283 */ 4284 #ifdef CONFIG_KEYS 4285 4286 /** 4287 * smack_key_alloc - Set the key security blob 4288 * @key: object 4289 * @cred: the credentials to use 4290 * @flags: unused 4291 * 4292 * No allocation required 4293 * 4294 * Returns 0 4295 */ 4296 static int smack_key_alloc(struct key *key, const struct cred *cred, 4297 unsigned long flags) 4298 { 4299 struct smack_known *skp = smk_of_task(cred->security); 4300 4301 key->security = skp; 4302 return 0; 4303 } 4304 4305 /** 4306 * smack_key_free - Clear the key security blob 4307 * @key: the object 4308 * 4309 * Clear the blob pointer 4310 */ 4311 static void smack_key_free(struct key *key) 4312 { 4313 key->security = NULL; 4314 } 4315 4316 /** 4317 * smack_key_permission - Smack access on a key 4318 * @key_ref: gets to the object 4319 * @cred: the credentials to use 4320 * @perm: requested key permissions 4321 * 4322 * Return 0 if the task has read and write to the object, 4323 * an error code otherwise 4324 */ 4325 static int smack_key_permission(key_ref_t key_ref, 4326 const struct cred *cred, unsigned perm) 4327 { 4328 struct key *keyp; 4329 struct smk_audit_info ad; 4330 struct smack_known *tkp = smk_of_task(cred->security); 4331 int request = 0; 4332 int rc; 4333 4334 keyp = key_ref_to_ptr(key_ref); 4335 if (keyp == NULL) 4336 return -EINVAL; 4337 /* 4338 * If the key hasn't been initialized give it access so that 4339 * it may do so. 4340 */ 4341 if (keyp->security == NULL) 4342 return 0; 4343 /* 4344 * This should not occur 4345 */ 4346 if (tkp == NULL) 4347 return -EACCES; 4348 #ifdef CONFIG_AUDIT 4349 smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_KEY); 4350 ad.a.u.key_struct.key = keyp->serial; 4351 ad.a.u.key_struct.key_desc = keyp->description; 4352 #endif 4353 if (perm & KEY_NEED_READ) 4354 request = MAY_READ; 4355 if (perm & (KEY_NEED_WRITE | KEY_NEED_LINK | KEY_NEED_SETATTR)) 4356 request = MAY_WRITE; 4357 rc = smk_access(tkp, keyp->security, request, &ad); 4358 rc = smk_bu_note("key access", tkp, keyp->security, request, rc); 4359 return rc; 4360 } 4361 4362 /* 4363 * smack_key_getsecurity - Smack label tagging the key 4364 * @key points to the key to be queried 4365 * @_buffer points to a pointer that should be set to point to the 4366 * resulting string (if no label or an error occurs). 4367 * Return the length of the string (including terminating NUL) or -ve if 4368 * an error. 4369 * May also return 0 (and a NULL buffer pointer) if there is no label. 4370 */ 4371 static int smack_key_getsecurity(struct key *key, char **_buffer) 4372 { 4373 struct smack_known *skp = key->security; 4374 size_t length; 4375 char *copy; 4376 4377 if (key->security == NULL) { 4378 *_buffer = NULL; 4379 return 0; 4380 } 4381 4382 copy = kstrdup(skp->smk_known, GFP_KERNEL); 4383 if (copy == NULL) 4384 return -ENOMEM; 4385 length = strlen(copy) + 1; 4386 4387 *_buffer = copy; 4388 return length; 4389 } 4390 4391 #endif /* CONFIG_KEYS */ 4392 4393 /* 4394 * Smack Audit hooks 4395 * 4396 * Audit requires a unique representation of each Smack specific 4397 * rule. This unique representation is used to distinguish the 4398 * object to be audited from remaining kernel objects and also 4399 * works as a glue between the audit hooks. 4400 * 4401 * Since repository entries are added but never deleted, we'll use 4402 * the smack_known label address related to the given audit rule as 4403 * the needed unique representation. This also better fits the smack 4404 * model where nearly everything is a label. 4405 */ 4406 #ifdef CONFIG_AUDIT 4407 4408 /** 4409 * smack_audit_rule_init - Initialize a smack audit rule 4410 * @field: audit rule fields given from user-space (audit.h) 4411 * @op: required testing operator (=, !=, >, <, ...) 4412 * @rulestr: smack label to be audited 4413 * @vrule: pointer to save our own audit rule representation 4414 * 4415 * Prepare to audit cases where (@field @op @rulestr) is true. 4416 * The label to be audited is created if necessay. 4417 */ 4418 static int smack_audit_rule_init(u32 field, u32 op, char *rulestr, void **vrule) 4419 { 4420 struct smack_known *skp; 4421 char **rule = (char **)vrule; 4422 *rule = NULL; 4423 4424 if (field != AUDIT_SUBJ_USER && field != AUDIT_OBJ_USER) 4425 return -EINVAL; 4426 4427 if (op != Audit_equal && op != Audit_not_equal) 4428 return -EINVAL; 4429 4430 skp = smk_import_entry(rulestr, 0); 4431 if (IS_ERR(skp)) 4432 return PTR_ERR(skp); 4433 4434 *rule = skp->smk_known; 4435 4436 return 0; 4437 } 4438 4439 /** 4440 * smack_audit_rule_known - Distinguish Smack audit rules 4441 * @krule: rule of interest, in Audit kernel representation format 4442 * 4443 * This is used to filter Smack rules from remaining Audit ones. 4444 * If it's proved that this rule belongs to us, the 4445 * audit_rule_match hook will be called to do the final judgement. 4446 */ 4447 static int smack_audit_rule_known(struct audit_krule *krule) 4448 { 4449 struct audit_field *f; 4450 int i; 4451 4452 for (i = 0; i < krule->field_count; i++) { 4453 f = &krule->fields[i]; 4454 4455 if (f->type == AUDIT_SUBJ_USER || f->type == AUDIT_OBJ_USER) 4456 return 1; 4457 } 4458 4459 return 0; 4460 } 4461 4462 /** 4463 * smack_audit_rule_match - Audit given object ? 4464 * @secid: security id for identifying the object to test 4465 * @field: audit rule flags given from user-space 4466 * @op: required testing operator 4467 * @vrule: smack internal rule presentation 4468 * @actx: audit context associated with the check 4469 * 4470 * The core Audit hook. It's used to take the decision of 4471 * whether to audit or not to audit a given object. 4472 */ 4473 static int smack_audit_rule_match(u32 secid, u32 field, u32 op, void *vrule, 4474 struct audit_context *actx) 4475 { 4476 struct smack_known *skp; 4477 char *rule = vrule; 4478 4479 if (unlikely(!rule)) { 4480 WARN_ONCE(1, "Smack: missing rule\n"); 4481 return -ENOENT; 4482 } 4483 4484 if (field != AUDIT_SUBJ_USER && field != AUDIT_OBJ_USER) 4485 return 0; 4486 4487 skp = smack_from_secid(secid); 4488 4489 /* 4490 * No need to do string comparisons. If a match occurs, 4491 * both pointers will point to the same smack_known 4492 * label. 4493 */ 4494 if (op == Audit_equal) 4495 return (rule == skp->smk_known); 4496 if (op == Audit_not_equal) 4497 return (rule != skp->smk_known); 4498 4499 return 0; 4500 } 4501 4502 /* 4503 * There is no need for a smack_audit_rule_free hook. 4504 * No memory was allocated. 4505 */ 4506 4507 #endif /* CONFIG_AUDIT */ 4508 4509 /** 4510 * smack_ismaclabel - check if xattr @name references a smack MAC label 4511 * @name: Full xattr name to check. 4512 */ 4513 static int smack_ismaclabel(const char *name) 4514 { 4515 return (strcmp(name, XATTR_SMACK_SUFFIX) == 0); 4516 } 4517 4518 4519 /** 4520 * smack_secid_to_secctx - return the smack label for a secid 4521 * @secid: incoming integer 4522 * @secdata: destination 4523 * @seclen: how long it is 4524 * 4525 * Exists for networking code. 4526 */ 4527 static int smack_secid_to_secctx(u32 secid, char **secdata, u32 *seclen) 4528 { 4529 struct smack_known *skp = smack_from_secid(secid); 4530 4531 if (secdata) 4532 *secdata = skp->smk_known; 4533 *seclen = strlen(skp->smk_known); 4534 return 0; 4535 } 4536 4537 /** 4538 * smack_secctx_to_secid - return the secid for a smack label 4539 * @secdata: smack label 4540 * @seclen: how long result is 4541 * @secid: outgoing integer 4542 * 4543 * Exists for audit and networking code. 4544 */ 4545 static int smack_secctx_to_secid(const char *secdata, u32 seclen, u32 *secid) 4546 { 4547 struct smack_known *skp = smk_find_entry(secdata); 4548 4549 if (skp) 4550 *secid = skp->smk_secid; 4551 else 4552 *secid = 0; 4553 return 0; 4554 } 4555 4556 /* 4557 * There used to be a smack_release_secctx hook 4558 * that did nothing back when hooks were in a vector. 4559 * Now that there's a list such a hook adds cost. 4560 */ 4561 4562 static int smack_inode_notifysecctx(struct inode *inode, void *ctx, u32 ctxlen) 4563 { 4564 return smack_inode_setsecurity(inode, XATTR_SMACK_SUFFIX, ctx, ctxlen, 0); 4565 } 4566 4567 static int smack_inode_setsecctx(struct dentry *dentry, void *ctx, u32 ctxlen) 4568 { 4569 return __vfs_setxattr_noperm(dentry, XATTR_NAME_SMACK, ctx, ctxlen, 0); 4570 } 4571 4572 static int smack_inode_getsecctx(struct inode *inode, void **ctx, u32 *ctxlen) 4573 { 4574 int len = 0; 4575 len = smack_inode_getsecurity(inode, XATTR_SMACK_SUFFIX, ctx, true); 4576 4577 if (len < 0) 4578 return len; 4579 *ctxlen = len; 4580 return 0; 4581 } 4582 4583 static struct security_hook_list smack_hooks[] = { 4584 LSM_HOOK_INIT(ptrace_access_check, smack_ptrace_access_check), 4585 LSM_HOOK_INIT(ptrace_traceme, smack_ptrace_traceme), 4586 LSM_HOOK_INIT(syslog, smack_syslog), 4587 4588 LSM_HOOK_INIT(sb_alloc_security, smack_sb_alloc_security), 4589 LSM_HOOK_INIT(sb_free_security, smack_sb_free_security), 4590 LSM_HOOK_INIT(sb_copy_data, smack_sb_copy_data), 4591 LSM_HOOK_INIT(sb_kern_mount, smack_sb_kern_mount), 4592 LSM_HOOK_INIT(sb_statfs, smack_sb_statfs), 4593 LSM_HOOK_INIT(sb_set_mnt_opts, smack_set_mnt_opts), 4594 LSM_HOOK_INIT(sb_parse_opts_str, smack_parse_opts_str), 4595 4596 LSM_HOOK_INIT(bprm_set_creds, smack_bprm_set_creds), 4597 LSM_HOOK_INIT(bprm_committing_creds, smack_bprm_committing_creds), 4598 LSM_HOOK_INIT(bprm_secureexec, smack_bprm_secureexec), 4599 4600 LSM_HOOK_INIT(inode_alloc_security, smack_inode_alloc_security), 4601 LSM_HOOK_INIT(inode_free_security, smack_inode_free_security), 4602 LSM_HOOK_INIT(inode_init_security, smack_inode_init_security), 4603 LSM_HOOK_INIT(inode_link, smack_inode_link), 4604 LSM_HOOK_INIT(inode_unlink, smack_inode_unlink), 4605 LSM_HOOK_INIT(inode_rmdir, smack_inode_rmdir), 4606 LSM_HOOK_INIT(inode_rename, smack_inode_rename), 4607 LSM_HOOK_INIT(inode_permission, smack_inode_permission), 4608 LSM_HOOK_INIT(inode_setattr, smack_inode_setattr), 4609 LSM_HOOK_INIT(inode_getattr, smack_inode_getattr), 4610 LSM_HOOK_INIT(inode_setxattr, smack_inode_setxattr), 4611 LSM_HOOK_INIT(inode_post_setxattr, smack_inode_post_setxattr), 4612 LSM_HOOK_INIT(inode_getxattr, smack_inode_getxattr), 4613 LSM_HOOK_INIT(inode_removexattr, smack_inode_removexattr), 4614 LSM_HOOK_INIT(inode_getsecurity, smack_inode_getsecurity), 4615 LSM_HOOK_INIT(inode_setsecurity, smack_inode_setsecurity), 4616 LSM_HOOK_INIT(inode_listsecurity, smack_inode_listsecurity), 4617 LSM_HOOK_INIT(inode_getsecid, smack_inode_getsecid), 4618 4619 LSM_HOOK_INIT(file_alloc_security, smack_file_alloc_security), 4620 LSM_HOOK_INIT(file_free_security, smack_file_free_security), 4621 LSM_HOOK_INIT(file_ioctl, smack_file_ioctl), 4622 LSM_HOOK_INIT(file_lock, smack_file_lock), 4623 LSM_HOOK_INIT(file_fcntl, smack_file_fcntl), 4624 LSM_HOOK_INIT(mmap_file, smack_mmap_file), 4625 LSM_HOOK_INIT(mmap_addr, cap_mmap_addr), 4626 LSM_HOOK_INIT(file_set_fowner, smack_file_set_fowner), 4627 LSM_HOOK_INIT(file_send_sigiotask, smack_file_send_sigiotask), 4628 LSM_HOOK_INIT(file_receive, smack_file_receive), 4629 4630 LSM_HOOK_INIT(file_open, smack_file_open), 4631 4632 LSM_HOOK_INIT(cred_alloc_blank, smack_cred_alloc_blank), 4633 LSM_HOOK_INIT(cred_free, smack_cred_free), 4634 LSM_HOOK_INIT(cred_prepare, smack_cred_prepare), 4635 LSM_HOOK_INIT(cred_transfer, smack_cred_transfer), 4636 LSM_HOOK_INIT(kernel_act_as, smack_kernel_act_as), 4637 LSM_HOOK_INIT(kernel_create_files_as, smack_kernel_create_files_as), 4638 LSM_HOOK_INIT(task_setpgid, smack_task_setpgid), 4639 LSM_HOOK_INIT(task_getpgid, smack_task_getpgid), 4640 LSM_HOOK_INIT(task_getsid, smack_task_getsid), 4641 LSM_HOOK_INIT(task_getsecid, smack_task_getsecid), 4642 LSM_HOOK_INIT(task_setnice, smack_task_setnice), 4643 LSM_HOOK_INIT(task_setioprio, smack_task_setioprio), 4644 LSM_HOOK_INIT(task_getioprio, smack_task_getioprio), 4645 LSM_HOOK_INIT(task_setscheduler, smack_task_setscheduler), 4646 LSM_HOOK_INIT(task_getscheduler, smack_task_getscheduler), 4647 LSM_HOOK_INIT(task_movememory, smack_task_movememory), 4648 LSM_HOOK_INIT(task_kill, smack_task_kill), 4649 LSM_HOOK_INIT(task_wait, smack_task_wait), 4650 LSM_HOOK_INIT(task_to_inode, smack_task_to_inode), 4651 4652 LSM_HOOK_INIT(ipc_permission, smack_ipc_permission), 4653 LSM_HOOK_INIT(ipc_getsecid, smack_ipc_getsecid), 4654 4655 LSM_HOOK_INIT(msg_msg_alloc_security, smack_msg_msg_alloc_security), 4656 LSM_HOOK_INIT(msg_msg_free_security, smack_msg_msg_free_security), 4657 4658 LSM_HOOK_INIT(msg_queue_alloc_security, smack_msg_queue_alloc_security), 4659 LSM_HOOK_INIT(msg_queue_free_security, smack_msg_queue_free_security), 4660 LSM_HOOK_INIT(msg_queue_associate, smack_msg_queue_associate), 4661 LSM_HOOK_INIT(msg_queue_msgctl, smack_msg_queue_msgctl), 4662 LSM_HOOK_INIT(msg_queue_msgsnd, smack_msg_queue_msgsnd), 4663 LSM_HOOK_INIT(msg_queue_msgrcv, smack_msg_queue_msgrcv), 4664 4665 LSM_HOOK_INIT(shm_alloc_security, smack_shm_alloc_security), 4666 LSM_HOOK_INIT(shm_free_security, smack_shm_free_security), 4667 LSM_HOOK_INIT(shm_associate, smack_shm_associate), 4668 LSM_HOOK_INIT(shm_shmctl, smack_shm_shmctl), 4669 LSM_HOOK_INIT(shm_shmat, smack_shm_shmat), 4670 4671 LSM_HOOK_INIT(sem_alloc_security, smack_sem_alloc_security), 4672 LSM_HOOK_INIT(sem_free_security, smack_sem_free_security), 4673 LSM_HOOK_INIT(sem_associate, smack_sem_associate), 4674 LSM_HOOK_INIT(sem_semctl, smack_sem_semctl), 4675 LSM_HOOK_INIT(sem_semop, smack_sem_semop), 4676 4677 LSM_HOOK_INIT(d_instantiate, smack_d_instantiate), 4678 4679 LSM_HOOK_INIT(getprocattr, smack_getprocattr), 4680 LSM_HOOK_INIT(setprocattr, smack_setprocattr), 4681 4682 LSM_HOOK_INIT(unix_stream_connect, smack_unix_stream_connect), 4683 LSM_HOOK_INIT(unix_may_send, smack_unix_may_send), 4684 4685 LSM_HOOK_INIT(socket_post_create, smack_socket_post_create), 4686 #ifdef SMACK_IPV6_PORT_LABELING 4687 LSM_HOOK_INIT(socket_bind, smack_socket_bind), 4688 #endif 4689 LSM_HOOK_INIT(socket_connect, smack_socket_connect), 4690 LSM_HOOK_INIT(socket_sendmsg, smack_socket_sendmsg), 4691 LSM_HOOK_INIT(socket_sock_rcv_skb, smack_socket_sock_rcv_skb), 4692 LSM_HOOK_INIT(socket_getpeersec_stream, smack_socket_getpeersec_stream), 4693 LSM_HOOK_INIT(socket_getpeersec_dgram, smack_socket_getpeersec_dgram), 4694 LSM_HOOK_INIT(sk_alloc_security, smack_sk_alloc_security), 4695 LSM_HOOK_INIT(sk_free_security, smack_sk_free_security), 4696 LSM_HOOK_INIT(sock_graft, smack_sock_graft), 4697 LSM_HOOK_INIT(inet_conn_request, smack_inet_conn_request), 4698 LSM_HOOK_INIT(inet_csk_clone, smack_inet_csk_clone), 4699 4700 /* key management security hooks */ 4701 #ifdef CONFIG_KEYS 4702 LSM_HOOK_INIT(key_alloc, smack_key_alloc), 4703 LSM_HOOK_INIT(key_free, smack_key_free), 4704 LSM_HOOK_INIT(key_permission, smack_key_permission), 4705 LSM_HOOK_INIT(key_getsecurity, smack_key_getsecurity), 4706 #endif /* CONFIG_KEYS */ 4707 4708 /* Audit hooks */ 4709 #ifdef CONFIG_AUDIT 4710 LSM_HOOK_INIT(audit_rule_init, smack_audit_rule_init), 4711 LSM_HOOK_INIT(audit_rule_known, smack_audit_rule_known), 4712 LSM_HOOK_INIT(audit_rule_match, smack_audit_rule_match), 4713 #endif /* CONFIG_AUDIT */ 4714 4715 LSM_HOOK_INIT(ismaclabel, smack_ismaclabel), 4716 LSM_HOOK_INIT(secid_to_secctx, smack_secid_to_secctx), 4717 LSM_HOOK_INIT(secctx_to_secid, smack_secctx_to_secid), 4718 LSM_HOOK_INIT(inode_notifysecctx, smack_inode_notifysecctx), 4719 LSM_HOOK_INIT(inode_setsecctx, smack_inode_setsecctx), 4720 LSM_HOOK_INIT(inode_getsecctx, smack_inode_getsecctx), 4721 }; 4722 4723 4724 static __init void init_smack_known_list(void) 4725 { 4726 /* 4727 * Initialize rule list locks 4728 */ 4729 mutex_init(&smack_known_huh.smk_rules_lock); 4730 mutex_init(&smack_known_hat.smk_rules_lock); 4731 mutex_init(&smack_known_floor.smk_rules_lock); 4732 mutex_init(&smack_known_star.smk_rules_lock); 4733 mutex_init(&smack_known_invalid.smk_rules_lock); 4734 mutex_init(&smack_known_web.smk_rules_lock); 4735 /* 4736 * Initialize rule lists 4737 */ 4738 INIT_LIST_HEAD(&smack_known_huh.smk_rules); 4739 INIT_LIST_HEAD(&smack_known_hat.smk_rules); 4740 INIT_LIST_HEAD(&smack_known_star.smk_rules); 4741 INIT_LIST_HEAD(&smack_known_floor.smk_rules); 4742 INIT_LIST_HEAD(&smack_known_invalid.smk_rules); 4743 INIT_LIST_HEAD(&smack_known_web.smk_rules); 4744 /* 4745 * Create the known labels list 4746 */ 4747 smk_insert_entry(&smack_known_huh); 4748 smk_insert_entry(&smack_known_hat); 4749 smk_insert_entry(&smack_known_star); 4750 smk_insert_entry(&smack_known_floor); 4751 smk_insert_entry(&smack_known_invalid); 4752 smk_insert_entry(&smack_known_web); 4753 } 4754 4755 /** 4756 * smack_init - initialize the smack system 4757 * 4758 * Returns 0 4759 */ 4760 static __init int smack_init(void) 4761 { 4762 struct cred *cred; 4763 struct task_smack *tsp; 4764 4765 if (!security_module_enable("smack")) 4766 return 0; 4767 4768 smack_inode_cache = KMEM_CACHE(inode_smack, 0); 4769 if (!smack_inode_cache) 4770 return -ENOMEM; 4771 4772 tsp = new_task_smack(&smack_known_floor, &smack_known_floor, 4773 GFP_KERNEL); 4774 if (tsp == NULL) { 4775 kmem_cache_destroy(smack_inode_cache); 4776 return -ENOMEM; 4777 } 4778 4779 smack_enabled = 1; 4780 4781 pr_info("Smack: Initializing.\n"); 4782 #ifdef CONFIG_SECURITY_SMACK_NETFILTER 4783 pr_info("Smack: Netfilter enabled.\n"); 4784 #endif 4785 #ifdef SMACK_IPV6_PORT_LABELING 4786 pr_info("Smack: IPv6 port labeling enabled.\n"); 4787 #endif 4788 #ifdef SMACK_IPV6_SECMARK_LABELING 4789 pr_info("Smack: IPv6 Netfilter enabled.\n"); 4790 #endif 4791 4792 /* 4793 * Set the security state for the initial task. 4794 */ 4795 cred = (struct cred *) current->cred; 4796 cred->security = tsp; 4797 4798 /* initialize the smack_known_list */ 4799 init_smack_known_list(); 4800 4801 /* 4802 * Register with LSM 4803 */ 4804 security_add_hooks(smack_hooks, ARRAY_SIZE(smack_hooks)); 4805 4806 return 0; 4807 } 4808 4809 /* 4810 * Smack requires early initialization in order to label 4811 * all processes and objects when they are created. 4812 */ 4813 security_initcall(smack_init); 4814