1 // SPDX-License-Identifier: GPL-2.0-only 2 /* 3 * Simplified MAC Kernel (smack) security module 4 * 5 * This file contains the smack hook function implementations. 6 * 7 * Authors: 8 * Casey Schaufler <casey@schaufler-ca.com> 9 * Jarkko Sakkinen <jarkko.sakkinen@intel.com> 10 * 11 * Copyright (C) 2007 Casey Schaufler <casey@schaufler-ca.com> 12 * Copyright (C) 2009 Hewlett-Packard Development Company, L.P. 13 * Paul Moore <paul@paul-moore.com> 14 * Copyright (C) 2010 Nokia Corporation 15 * Copyright (C) 2011 Intel Corporation. 16 */ 17 18 #include <linux/xattr.h> 19 #include <linux/pagemap.h> 20 #include <linux/mount.h> 21 #include <linux/stat.h> 22 #include <linux/kd.h> 23 #include <asm/ioctls.h> 24 #include <linux/ip.h> 25 #include <linux/tcp.h> 26 #include <linux/udp.h> 27 #include <linux/dccp.h> 28 #include <linux/icmpv6.h> 29 #include <linux/slab.h> 30 #include <linux/mutex.h> 31 #include <net/cipso_ipv4.h> 32 #include <net/ip.h> 33 #include <net/ipv6.h> 34 #include <linux/audit.h> 35 #include <linux/magic.h> 36 #include <linux/dcache.h> 37 #include <linux/personality.h> 38 #include <linux/msg.h> 39 #include <linux/shm.h> 40 #include <linux/binfmts.h> 41 #include <linux/parser.h> 42 #include <linux/fs_context.h> 43 #include <linux/fs_parser.h> 44 #include <linux/watch_queue.h> 45 #include <linux/io_uring.h> 46 #include "smack.h" 47 48 #define TRANS_TRUE "TRUE" 49 #define TRANS_TRUE_SIZE 4 50 51 #define SMK_CONNECTING 0 52 #define SMK_RECEIVING 1 53 #define SMK_SENDING 2 54 55 #ifdef SMACK_IPV6_PORT_LABELING 56 static DEFINE_MUTEX(smack_ipv6_lock); 57 static LIST_HEAD(smk_ipv6_port_list); 58 #endif 59 struct kmem_cache *smack_rule_cache; 60 int smack_enabled __initdata; 61 62 #define A(s) {"smack"#s, sizeof("smack"#s) - 1, Opt_##s} 63 static struct { 64 const char *name; 65 int len; 66 int opt; 67 } smk_mount_opts[] = { 68 {"smackfsdef", sizeof("smackfsdef") - 1, Opt_fsdefault}, 69 A(fsdefault), A(fsfloor), A(fshat), A(fsroot), A(fstransmute) 70 }; 71 #undef A 72 73 static int match_opt_prefix(char *s, int l, char **arg) 74 { 75 int i; 76 77 for (i = 0; i < ARRAY_SIZE(smk_mount_opts); i++) { 78 size_t len = smk_mount_opts[i].len; 79 if (len > l || memcmp(s, smk_mount_opts[i].name, len)) 80 continue; 81 if (len == l || s[len] != '=') 82 continue; 83 *arg = s + len + 1; 84 return smk_mount_opts[i].opt; 85 } 86 return Opt_error; 87 } 88 89 #ifdef CONFIG_SECURITY_SMACK_BRINGUP 90 static char *smk_bu_mess[] = { 91 "Bringup Error", /* Unused */ 92 "Bringup", /* SMACK_BRINGUP_ALLOW */ 93 "Unconfined Subject", /* SMACK_UNCONFINED_SUBJECT */ 94 "Unconfined Object", /* SMACK_UNCONFINED_OBJECT */ 95 }; 96 97 static void smk_bu_mode(int mode, char *s) 98 { 99 int i = 0; 100 101 if (mode & MAY_READ) 102 s[i++] = 'r'; 103 if (mode & MAY_WRITE) 104 s[i++] = 'w'; 105 if (mode & MAY_EXEC) 106 s[i++] = 'x'; 107 if (mode & MAY_APPEND) 108 s[i++] = 'a'; 109 if (mode & MAY_TRANSMUTE) 110 s[i++] = 't'; 111 if (mode & MAY_LOCK) 112 s[i++] = 'l'; 113 if (i == 0) 114 s[i++] = '-'; 115 s[i] = '\0'; 116 } 117 #endif 118 119 #ifdef CONFIG_SECURITY_SMACK_BRINGUP 120 static int smk_bu_note(char *note, struct smack_known *sskp, 121 struct smack_known *oskp, int mode, int rc) 122 { 123 char acc[SMK_NUM_ACCESS_TYPE + 1]; 124 125 if (rc <= 0) 126 return rc; 127 if (rc > SMACK_UNCONFINED_OBJECT) 128 rc = 0; 129 130 smk_bu_mode(mode, acc); 131 pr_info("Smack %s: (%s %s %s) %s\n", smk_bu_mess[rc], 132 sskp->smk_known, oskp->smk_known, acc, note); 133 return 0; 134 } 135 #else 136 #define smk_bu_note(note, sskp, oskp, mode, RC) (RC) 137 #endif 138 139 #ifdef CONFIG_SECURITY_SMACK_BRINGUP 140 static int smk_bu_current(char *note, struct smack_known *oskp, 141 int mode, int rc) 142 { 143 struct task_smack *tsp = smack_cred(current_cred()); 144 char acc[SMK_NUM_ACCESS_TYPE + 1]; 145 146 if (rc <= 0) 147 return rc; 148 if (rc > SMACK_UNCONFINED_OBJECT) 149 rc = 0; 150 151 smk_bu_mode(mode, acc); 152 pr_info("Smack %s: (%s %s %s) %s %s\n", smk_bu_mess[rc], 153 tsp->smk_task->smk_known, oskp->smk_known, 154 acc, current->comm, note); 155 return 0; 156 } 157 #else 158 #define smk_bu_current(note, oskp, mode, RC) (RC) 159 #endif 160 161 #ifdef CONFIG_SECURITY_SMACK_BRINGUP 162 static int smk_bu_task(struct task_struct *otp, int mode, int rc) 163 { 164 struct task_smack *tsp = smack_cred(current_cred()); 165 struct smack_known *smk_task = smk_of_task_struct_obj(otp); 166 char acc[SMK_NUM_ACCESS_TYPE + 1]; 167 168 if (rc <= 0) 169 return rc; 170 if (rc > SMACK_UNCONFINED_OBJECT) 171 rc = 0; 172 173 smk_bu_mode(mode, acc); 174 pr_info("Smack %s: (%s %s %s) %s to %s\n", smk_bu_mess[rc], 175 tsp->smk_task->smk_known, smk_task->smk_known, acc, 176 current->comm, otp->comm); 177 return 0; 178 } 179 #else 180 #define smk_bu_task(otp, mode, RC) (RC) 181 #endif 182 183 #ifdef CONFIG_SECURITY_SMACK_BRINGUP 184 static int smk_bu_inode(struct inode *inode, int mode, int rc) 185 { 186 struct task_smack *tsp = smack_cred(current_cred()); 187 struct inode_smack *isp = smack_inode(inode); 188 char acc[SMK_NUM_ACCESS_TYPE + 1]; 189 190 if (isp->smk_flags & SMK_INODE_IMPURE) 191 pr_info("Smack Unconfined Corruption: inode=(%s %ld) %s\n", 192 inode->i_sb->s_id, inode->i_ino, current->comm); 193 194 if (rc <= 0) 195 return rc; 196 if (rc > SMACK_UNCONFINED_OBJECT) 197 rc = 0; 198 if (rc == SMACK_UNCONFINED_SUBJECT && 199 (mode & (MAY_WRITE | MAY_APPEND))) 200 isp->smk_flags |= SMK_INODE_IMPURE; 201 202 smk_bu_mode(mode, acc); 203 204 pr_info("Smack %s: (%s %s %s) inode=(%s %ld) %s\n", smk_bu_mess[rc], 205 tsp->smk_task->smk_known, isp->smk_inode->smk_known, acc, 206 inode->i_sb->s_id, inode->i_ino, current->comm); 207 return 0; 208 } 209 #else 210 #define smk_bu_inode(inode, mode, RC) (RC) 211 #endif 212 213 #ifdef CONFIG_SECURITY_SMACK_BRINGUP 214 static int smk_bu_file(struct file *file, int mode, int rc) 215 { 216 struct task_smack *tsp = smack_cred(current_cred()); 217 struct smack_known *sskp = tsp->smk_task; 218 struct inode *inode = file_inode(file); 219 struct inode_smack *isp = smack_inode(inode); 220 char acc[SMK_NUM_ACCESS_TYPE + 1]; 221 222 if (isp->smk_flags & SMK_INODE_IMPURE) 223 pr_info("Smack Unconfined Corruption: inode=(%s %ld) %s\n", 224 inode->i_sb->s_id, inode->i_ino, current->comm); 225 226 if (rc <= 0) 227 return rc; 228 if (rc > SMACK_UNCONFINED_OBJECT) 229 rc = 0; 230 231 smk_bu_mode(mode, acc); 232 pr_info("Smack %s: (%s %s %s) file=(%s %ld %pD) %s\n", smk_bu_mess[rc], 233 sskp->smk_known, smk_of_inode(inode)->smk_known, acc, 234 inode->i_sb->s_id, inode->i_ino, file, 235 current->comm); 236 return 0; 237 } 238 #else 239 #define smk_bu_file(file, mode, RC) (RC) 240 #endif 241 242 #ifdef CONFIG_SECURITY_SMACK_BRINGUP 243 static int smk_bu_credfile(const struct cred *cred, struct file *file, 244 int mode, int rc) 245 { 246 struct task_smack *tsp = smack_cred(cred); 247 struct smack_known *sskp = tsp->smk_task; 248 struct inode *inode = file_inode(file); 249 struct inode_smack *isp = smack_inode(inode); 250 char acc[SMK_NUM_ACCESS_TYPE + 1]; 251 252 if (isp->smk_flags & SMK_INODE_IMPURE) 253 pr_info("Smack Unconfined Corruption: inode=(%s %ld) %s\n", 254 inode->i_sb->s_id, inode->i_ino, current->comm); 255 256 if (rc <= 0) 257 return rc; 258 if (rc > SMACK_UNCONFINED_OBJECT) 259 rc = 0; 260 261 smk_bu_mode(mode, acc); 262 pr_info("Smack %s: (%s %s %s) file=(%s %ld %pD) %s\n", smk_bu_mess[rc], 263 sskp->smk_known, smk_of_inode(inode)->smk_known, acc, 264 inode->i_sb->s_id, inode->i_ino, file, 265 current->comm); 266 return 0; 267 } 268 #else 269 #define smk_bu_credfile(cred, file, mode, RC) (RC) 270 #endif 271 272 /** 273 * smk_fetch - Fetch the smack label from a file. 274 * @name: type of the label (attribute) 275 * @ip: a pointer to the inode 276 * @dp: a pointer to the dentry 277 * 278 * Returns a pointer to the master list entry for the Smack label, 279 * NULL if there was no label to fetch, or an error code. 280 */ 281 static struct smack_known *smk_fetch(const char *name, struct inode *ip, 282 struct dentry *dp) 283 { 284 int rc; 285 char *buffer; 286 struct smack_known *skp = NULL; 287 288 if (!(ip->i_opflags & IOP_XATTR)) 289 return ERR_PTR(-EOPNOTSUPP); 290 291 buffer = kzalloc(SMK_LONGLABEL, GFP_NOFS); 292 if (buffer == NULL) 293 return ERR_PTR(-ENOMEM); 294 295 rc = __vfs_getxattr(dp, ip, name, buffer, SMK_LONGLABEL); 296 if (rc < 0) 297 skp = ERR_PTR(rc); 298 else if (rc == 0) 299 skp = NULL; 300 else 301 skp = smk_import_entry(buffer, rc); 302 303 kfree(buffer); 304 305 return skp; 306 } 307 308 /** 309 * init_inode_smack - initialize an inode security blob 310 * @inode: inode to extract the info from 311 * @skp: a pointer to the Smack label entry to use in the blob 312 * 313 */ 314 static void init_inode_smack(struct inode *inode, struct smack_known *skp) 315 { 316 struct inode_smack *isp = smack_inode(inode); 317 318 isp->smk_inode = skp; 319 isp->smk_flags = 0; 320 } 321 322 /** 323 * init_task_smack - initialize a task security blob 324 * @tsp: blob to initialize 325 * @task: a pointer to the Smack label for the running task 326 * @forked: a pointer to the Smack label for the forked task 327 * 328 */ 329 static void init_task_smack(struct task_smack *tsp, struct smack_known *task, 330 struct smack_known *forked) 331 { 332 tsp->smk_task = task; 333 tsp->smk_forked = forked; 334 INIT_LIST_HEAD(&tsp->smk_rules); 335 INIT_LIST_HEAD(&tsp->smk_relabel); 336 mutex_init(&tsp->smk_rules_lock); 337 } 338 339 /** 340 * smk_copy_rules - copy a rule set 341 * @nhead: new rules header pointer 342 * @ohead: old rules header pointer 343 * @gfp: type of the memory for the allocation 344 * 345 * Returns 0 on success, -ENOMEM on error 346 */ 347 static int smk_copy_rules(struct list_head *nhead, struct list_head *ohead, 348 gfp_t gfp) 349 { 350 struct smack_rule *nrp; 351 struct smack_rule *orp; 352 int rc = 0; 353 354 list_for_each_entry_rcu(orp, ohead, list) { 355 nrp = kmem_cache_zalloc(smack_rule_cache, gfp); 356 if (nrp == NULL) { 357 rc = -ENOMEM; 358 break; 359 } 360 *nrp = *orp; 361 list_add_rcu(&nrp->list, nhead); 362 } 363 return rc; 364 } 365 366 /** 367 * smk_copy_relabel - copy smk_relabel labels list 368 * @nhead: new rules header pointer 369 * @ohead: old rules header pointer 370 * @gfp: type of the memory for the allocation 371 * 372 * Returns 0 on success, -ENOMEM on error 373 */ 374 static int smk_copy_relabel(struct list_head *nhead, struct list_head *ohead, 375 gfp_t gfp) 376 { 377 struct smack_known_list_elem *nklep; 378 struct smack_known_list_elem *oklep; 379 380 list_for_each_entry(oklep, ohead, list) { 381 nklep = kzalloc(sizeof(struct smack_known_list_elem), gfp); 382 if (nklep == NULL) { 383 smk_destroy_label_list(nhead); 384 return -ENOMEM; 385 } 386 nklep->smk_label = oklep->smk_label; 387 list_add(&nklep->list, nhead); 388 } 389 390 return 0; 391 } 392 393 /** 394 * smk_ptrace_mode - helper function for converting PTRACE_MODE_* into MAY_* 395 * @mode: input mode in form of PTRACE_MODE_* 396 * 397 * Returns a converted MAY_* mode usable by smack rules 398 */ 399 static inline unsigned int smk_ptrace_mode(unsigned int mode) 400 { 401 if (mode & PTRACE_MODE_ATTACH) 402 return MAY_READWRITE; 403 if (mode & PTRACE_MODE_READ) 404 return MAY_READ; 405 406 return 0; 407 } 408 409 /** 410 * smk_ptrace_rule_check - helper for ptrace access 411 * @tracer: tracer process 412 * @tracee_known: label entry of the process that's about to be traced 413 * @mode: ptrace attachment mode (PTRACE_MODE_*) 414 * @func: name of the function that called us, used for audit 415 * 416 * Returns 0 on access granted, -error on error 417 */ 418 static int smk_ptrace_rule_check(struct task_struct *tracer, 419 struct smack_known *tracee_known, 420 unsigned int mode, const char *func) 421 { 422 int rc; 423 struct smk_audit_info ad, *saip = NULL; 424 struct task_smack *tsp; 425 struct smack_known *tracer_known; 426 const struct cred *tracercred; 427 428 if ((mode & PTRACE_MODE_NOAUDIT) == 0) { 429 smk_ad_init(&ad, func, LSM_AUDIT_DATA_TASK); 430 smk_ad_setfield_u_tsk(&ad, tracer); 431 saip = &ad; 432 } 433 434 rcu_read_lock(); 435 tracercred = __task_cred(tracer); 436 tsp = smack_cred(tracercred); 437 tracer_known = smk_of_task(tsp); 438 439 if ((mode & PTRACE_MODE_ATTACH) && 440 (smack_ptrace_rule == SMACK_PTRACE_EXACT || 441 smack_ptrace_rule == SMACK_PTRACE_DRACONIAN)) { 442 if (tracer_known->smk_known == tracee_known->smk_known) 443 rc = 0; 444 else if (smack_ptrace_rule == SMACK_PTRACE_DRACONIAN) 445 rc = -EACCES; 446 else if (smack_privileged_cred(CAP_SYS_PTRACE, tracercred)) 447 rc = 0; 448 else 449 rc = -EACCES; 450 451 if (saip) 452 smack_log(tracer_known->smk_known, 453 tracee_known->smk_known, 454 0, rc, saip); 455 456 rcu_read_unlock(); 457 return rc; 458 } 459 460 /* In case of rule==SMACK_PTRACE_DEFAULT or mode==PTRACE_MODE_READ */ 461 rc = smk_tskacc(tsp, tracee_known, smk_ptrace_mode(mode), saip); 462 463 rcu_read_unlock(); 464 return rc; 465 } 466 467 /* 468 * LSM hooks. 469 * We he, that is fun! 470 */ 471 472 /** 473 * smack_ptrace_access_check - Smack approval on PTRACE_ATTACH 474 * @ctp: child task pointer 475 * @mode: ptrace attachment mode (PTRACE_MODE_*) 476 * 477 * Returns 0 if access is OK, an error code otherwise 478 * 479 * Do the capability checks. 480 */ 481 static int smack_ptrace_access_check(struct task_struct *ctp, unsigned int mode) 482 { 483 struct smack_known *skp; 484 485 skp = smk_of_task_struct_obj(ctp); 486 487 return smk_ptrace_rule_check(current, skp, mode, __func__); 488 } 489 490 /** 491 * smack_ptrace_traceme - Smack approval on PTRACE_TRACEME 492 * @ptp: parent task pointer 493 * 494 * Returns 0 if access is OK, an error code otherwise 495 * 496 * Do the capability checks, and require PTRACE_MODE_ATTACH. 497 */ 498 static int smack_ptrace_traceme(struct task_struct *ptp) 499 { 500 struct smack_known *skp; 501 502 skp = smk_of_task(smack_cred(current_cred())); 503 504 return smk_ptrace_rule_check(ptp, skp, PTRACE_MODE_ATTACH, __func__); 505 } 506 507 /** 508 * smack_syslog - Smack approval on syslog 509 * @typefrom_file: unused 510 * 511 * Returns 0 on success, error code otherwise. 512 */ 513 static int smack_syslog(int typefrom_file) 514 { 515 int rc = 0; 516 struct smack_known *skp = smk_of_current(); 517 518 if (smack_privileged(CAP_MAC_OVERRIDE)) 519 return 0; 520 521 if (smack_syslog_label != NULL && smack_syslog_label != skp) 522 rc = -EACCES; 523 524 return rc; 525 } 526 527 /* 528 * Superblock Hooks. 529 */ 530 531 /** 532 * smack_sb_alloc_security - allocate a superblock blob 533 * @sb: the superblock getting the blob 534 * 535 * Returns 0 on success or -ENOMEM on error. 536 */ 537 static int smack_sb_alloc_security(struct super_block *sb) 538 { 539 struct superblock_smack *sbsp = smack_superblock(sb); 540 541 sbsp->smk_root = &smack_known_floor; 542 sbsp->smk_default = &smack_known_floor; 543 sbsp->smk_floor = &smack_known_floor; 544 sbsp->smk_hat = &smack_known_hat; 545 /* 546 * SMK_SB_INITIALIZED will be zero from kzalloc. 547 */ 548 549 return 0; 550 } 551 552 struct smack_mnt_opts { 553 const char *fsdefault; 554 const char *fsfloor; 555 const char *fshat; 556 const char *fsroot; 557 const char *fstransmute; 558 }; 559 560 static void smack_free_mnt_opts(void *mnt_opts) 561 { 562 kfree(mnt_opts); 563 } 564 565 static int smack_add_opt(int token, const char *s, void **mnt_opts) 566 { 567 struct smack_mnt_opts *opts = *mnt_opts; 568 struct smack_known *skp; 569 570 if (!opts) { 571 opts = kzalloc(sizeof(struct smack_mnt_opts), GFP_KERNEL); 572 if (!opts) 573 return -ENOMEM; 574 *mnt_opts = opts; 575 } 576 if (!s) 577 return -ENOMEM; 578 579 skp = smk_import_entry(s, 0); 580 if (IS_ERR(skp)) 581 return PTR_ERR(skp); 582 583 switch (token) { 584 case Opt_fsdefault: 585 if (opts->fsdefault) 586 goto out_opt_err; 587 opts->fsdefault = skp->smk_known; 588 break; 589 case Opt_fsfloor: 590 if (opts->fsfloor) 591 goto out_opt_err; 592 opts->fsfloor = skp->smk_known; 593 break; 594 case Opt_fshat: 595 if (opts->fshat) 596 goto out_opt_err; 597 opts->fshat = skp->smk_known; 598 break; 599 case Opt_fsroot: 600 if (opts->fsroot) 601 goto out_opt_err; 602 opts->fsroot = skp->smk_known; 603 break; 604 case Opt_fstransmute: 605 if (opts->fstransmute) 606 goto out_opt_err; 607 opts->fstransmute = skp->smk_known; 608 break; 609 } 610 return 0; 611 612 out_opt_err: 613 pr_warn("Smack: duplicate mount options\n"); 614 return -EINVAL; 615 } 616 617 /** 618 * smack_fs_context_dup - Duplicate the security data on fs_context duplication 619 * @fc: The new filesystem context. 620 * @src_fc: The source filesystem context being duplicated. 621 * 622 * Returns 0 on success or -ENOMEM on error. 623 */ 624 static int smack_fs_context_dup(struct fs_context *fc, 625 struct fs_context *src_fc) 626 { 627 struct smack_mnt_opts *dst, *src = src_fc->security; 628 629 if (!src) 630 return 0; 631 632 fc->security = kzalloc(sizeof(struct smack_mnt_opts), GFP_KERNEL); 633 if (!fc->security) 634 return -ENOMEM; 635 636 dst = fc->security; 637 dst->fsdefault = src->fsdefault; 638 dst->fsfloor = src->fsfloor; 639 dst->fshat = src->fshat; 640 dst->fsroot = src->fsroot; 641 dst->fstransmute = src->fstransmute; 642 643 return 0; 644 } 645 646 static const struct fs_parameter_spec smack_fs_parameters[] = { 647 fsparam_string("smackfsdef", Opt_fsdefault), 648 fsparam_string("smackfsdefault", Opt_fsdefault), 649 fsparam_string("smackfsfloor", Opt_fsfloor), 650 fsparam_string("smackfshat", Opt_fshat), 651 fsparam_string("smackfsroot", Opt_fsroot), 652 fsparam_string("smackfstransmute", Opt_fstransmute), 653 {} 654 }; 655 656 /** 657 * smack_fs_context_parse_param - Parse a single mount parameter 658 * @fc: The new filesystem context being constructed. 659 * @param: The parameter. 660 * 661 * Returns 0 on success, -ENOPARAM to pass the parameter on or anything else on 662 * error. 663 */ 664 static int smack_fs_context_parse_param(struct fs_context *fc, 665 struct fs_parameter *param) 666 { 667 struct fs_parse_result result; 668 int opt, rc; 669 670 opt = fs_parse(fc, smack_fs_parameters, param, &result); 671 if (opt < 0) 672 return opt; 673 674 rc = smack_add_opt(opt, param->string, &fc->security); 675 if (!rc) 676 param->string = NULL; 677 return rc; 678 } 679 680 static int smack_sb_eat_lsm_opts(char *options, void **mnt_opts) 681 { 682 char *from = options, *to = options; 683 bool first = true; 684 685 while (1) { 686 char *next = strchr(from, ','); 687 int token, len, rc; 688 char *arg = NULL; 689 690 if (next) 691 len = next - from; 692 else 693 len = strlen(from); 694 695 token = match_opt_prefix(from, len, &arg); 696 if (token != Opt_error) { 697 arg = kmemdup_nul(arg, from + len - arg, GFP_KERNEL); 698 rc = smack_add_opt(token, arg, mnt_opts); 699 kfree(arg); 700 if (unlikely(rc)) { 701 if (*mnt_opts) 702 smack_free_mnt_opts(*mnt_opts); 703 *mnt_opts = NULL; 704 return rc; 705 } 706 } else { 707 if (!first) { // copy with preceding comma 708 from--; 709 len++; 710 } 711 if (to != from) 712 memmove(to, from, len); 713 to += len; 714 first = false; 715 } 716 if (!from[len]) 717 break; 718 from += len + 1; 719 } 720 *to = '\0'; 721 return 0; 722 } 723 724 /** 725 * smack_set_mnt_opts - set Smack specific mount options 726 * @sb: the file system superblock 727 * @mnt_opts: Smack mount options 728 * @kern_flags: mount option from kernel space or user space 729 * @set_kern_flags: where to store converted mount opts 730 * 731 * Returns 0 on success, an error code on failure 732 * 733 * Allow filesystems with binary mount data to explicitly set Smack mount 734 * labels. 735 */ 736 static int smack_set_mnt_opts(struct super_block *sb, 737 void *mnt_opts, 738 unsigned long kern_flags, 739 unsigned long *set_kern_flags) 740 { 741 struct dentry *root = sb->s_root; 742 struct inode *inode = d_backing_inode(root); 743 struct superblock_smack *sp = smack_superblock(sb); 744 struct inode_smack *isp; 745 struct smack_known *skp; 746 struct smack_mnt_opts *opts = mnt_opts; 747 bool transmute = false; 748 749 if (sp->smk_flags & SMK_SB_INITIALIZED) 750 return 0; 751 752 if (!smack_privileged(CAP_MAC_ADMIN)) { 753 /* 754 * Unprivileged mounts don't get to specify Smack values. 755 */ 756 if (opts) 757 return -EPERM; 758 /* 759 * Unprivileged mounts get root and default from the caller. 760 */ 761 skp = smk_of_current(); 762 sp->smk_root = skp; 763 sp->smk_default = skp; 764 /* 765 * For a handful of fs types with no user-controlled 766 * backing store it's okay to trust security labels 767 * in the filesystem. The rest are untrusted. 768 */ 769 if (sb->s_user_ns != &init_user_ns && 770 sb->s_magic != SYSFS_MAGIC && sb->s_magic != TMPFS_MAGIC && 771 sb->s_magic != RAMFS_MAGIC) { 772 transmute = true; 773 sp->smk_flags |= SMK_SB_UNTRUSTED; 774 } 775 } 776 777 sp->smk_flags |= SMK_SB_INITIALIZED; 778 779 if (opts) { 780 if (opts->fsdefault) { 781 skp = smk_import_entry(opts->fsdefault, 0); 782 if (IS_ERR(skp)) 783 return PTR_ERR(skp); 784 sp->smk_default = skp; 785 } 786 if (opts->fsfloor) { 787 skp = smk_import_entry(opts->fsfloor, 0); 788 if (IS_ERR(skp)) 789 return PTR_ERR(skp); 790 sp->smk_floor = skp; 791 } 792 if (opts->fshat) { 793 skp = smk_import_entry(opts->fshat, 0); 794 if (IS_ERR(skp)) 795 return PTR_ERR(skp); 796 sp->smk_hat = skp; 797 } 798 if (opts->fsroot) { 799 skp = smk_import_entry(opts->fsroot, 0); 800 if (IS_ERR(skp)) 801 return PTR_ERR(skp); 802 sp->smk_root = skp; 803 } 804 if (opts->fstransmute) { 805 skp = smk_import_entry(opts->fstransmute, 0); 806 if (IS_ERR(skp)) 807 return PTR_ERR(skp); 808 sp->smk_root = skp; 809 transmute = true; 810 } 811 } 812 813 /* 814 * Initialize the root inode. 815 */ 816 init_inode_smack(inode, sp->smk_root); 817 818 if (transmute) { 819 isp = smack_inode(inode); 820 isp->smk_flags |= SMK_INODE_TRANSMUTE; 821 } 822 823 return 0; 824 } 825 826 /** 827 * smack_sb_statfs - Smack check on statfs 828 * @dentry: identifies the file system in question 829 * 830 * Returns 0 if current can read the floor of the filesystem, 831 * and error code otherwise 832 */ 833 static int smack_sb_statfs(struct dentry *dentry) 834 { 835 struct superblock_smack *sbp = smack_superblock(dentry->d_sb); 836 int rc; 837 struct smk_audit_info ad; 838 839 smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_DENTRY); 840 smk_ad_setfield_u_fs_path_dentry(&ad, dentry); 841 842 rc = smk_curacc(sbp->smk_floor, MAY_READ, &ad); 843 rc = smk_bu_current("statfs", sbp->smk_floor, MAY_READ, rc); 844 return rc; 845 } 846 847 /* 848 * BPRM hooks 849 */ 850 851 /** 852 * smack_bprm_creds_for_exec - Update bprm->cred if needed for exec 853 * @bprm: the exec information 854 * 855 * Returns 0 if it gets a blob, -EPERM if exec forbidden and -ENOMEM otherwise 856 */ 857 static int smack_bprm_creds_for_exec(struct linux_binprm *bprm) 858 { 859 struct inode *inode = file_inode(bprm->file); 860 struct task_smack *bsp = smack_cred(bprm->cred); 861 struct inode_smack *isp; 862 struct superblock_smack *sbsp; 863 int rc; 864 865 isp = smack_inode(inode); 866 if (isp->smk_task == NULL || isp->smk_task == bsp->smk_task) 867 return 0; 868 869 sbsp = smack_superblock(inode->i_sb); 870 if ((sbsp->smk_flags & SMK_SB_UNTRUSTED) && 871 isp->smk_task != sbsp->smk_root) 872 return 0; 873 874 if (bprm->unsafe & LSM_UNSAFE_PTRACE) { 875 struct task_struct *tracer; 876 rc = 0; 877 878 rcu_read_lock(); 879 tracer = ptrace_parent(current); 880 if (likely(tracer != NULL)) 881 rc = smk_ptrace_rule_check(tracer, 882 isp->smk_task, 883 PTRACE_MODE_ATTACH, 884 __func__); 885 rcu_read_unlock(); 886 887 if (rc != 0) 888 return rc; 889 } 890 if (bprm->unsafe & ~LSM_UNSAFE_PTRACE) 891 return -EPERM; 892 893 bsp->smk_task = isp->smk_task; 894 bprm->per_clear |= PER_CLEAR_ON_SETID; 895 896 /* Decide if this is a secure exec. */ 897 if (bsp->smk_task != bsp->smk_forked) 898 bprm->secureexec = 1; 899 900 return 0; 901 } 902 903 /* 904 * Inode hooks 905 */ 906 907 /** 908 * smack_inode_alloc_security - allocate an inode blob 909 * @inode: the inode in need of a blob 910 * 911 * Returns 0 912 */ 913 static int smack_inode_alloc_security(struct inode *inode) 914 { 915 struct smack_known *skp = smk_of_current(); 916 917 init_inode_smack(inode, skp); 918 return 0; 919 } 920 921 /** 922 * smack_inode_init_security - copy out the smack from an inode 923 * @inode: the newly created inode 924 * @dir: containing directory object 925 * @qstr: unused 926 * @name: where to put the attribute name 927 * @value: where to put the attribute value 928 * @len: where to put the length of the attribute 929 * 930 * Returns 0 if it all works out, -ENOMEM if there's no memory 931 */ 932 static int smack_inode_init_security(struct inode *inode, struct inode *dir, 933 const struct qstr *qstr, const char **name, 934 void **value, size_t *len) 935 { 936 struct inode_smack *issp = smack_inode(inode); 937 struct smack_known *skp = smk_of_current(); 938 struct smack_known *isp = smk_of_inode(inode); 939 struct smack_known *dsp = smk_of_inode(dir); 940 int may; 941 942 if (name) 943 *name = XATTR_SMACK_SUFFIX; 944 945 if (value && len) { 946 rcu_read_lock(); 947 may = smk_access_entry(skp->smk_known, dsp->smk_known, 948 &skp->smk_rules); 949 rcu_read_unlock(); 950 951 /* 952 * If the access rule allows transmutation and 953 * the directory requests transmutation then 954 * by all means transmute. 955 * Mark the inode as changed. 956 */ 957 if (may > 0 && ((may & MAY_TRANSMUTE) != 0) && 958 smk_inode_transmutable(dir)) { 959 isp = dsp; 960 issp->smk_flags |= SMK_INODE_CHANGED; 961 } 962 963 *value = kstrdup(isp->smk_known, GFP_NOFS); 964 if (*value == NULL) 965 return -ENOMEM; 966 967 *len = strlen(isp->smk_known); 968 } 969 970 return 0; 971 } 972 973 /** 974 * smack_inode_link - Smack check on link 975 * @old_dentry: the existing object 976 * @dir: unused 977 * @new_dentry: the new object 978 * 979 * Returns 0 if access is permitted, an error code otherwise 980 */ 981 static int smack_inode_link(struct dentry *old_dentry, struct inode *dir, 982 struct dentry *new_dentry) 983 { 984 struct smack_known *isp; 985 struct smk_audit_info ad; 986 int rc; 987 988 smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_DENTRY); 989 smk_ad_setfield_u_fs_path_dentry(&ad, old_dentry); 990 991 isp = smk_of_inode(d_backing_inode(old_dentry)); 992 rc = smk_curacc(isp, MAY_WRITE, &ad); 993 rc = smk_bu_inode(d_backing_inode(old_dentry), MAY_WRITE, rc); 994 995 if (rc == 0 && d_is_positive(new_dentry)) { 996 isp = smk_of_inode(d_backing_inode(new_dentry)); 997 smk_ad_setfield_u_fs_path_dentry(&ad, new_dentry); 998 rc = smk_curacc(isp, MAY_WRITE, &ad); 999 rc = smk_bu_inode(d_backing_inode(new_dentry), MAY_WRITE, rc); 1000 } 1001 1002 return rc; 1003 } 1004 1005 /** 1006 * smack_inode_unlink - Smack check on inode deletion 1007 * @dir: containing directory object 1008 * @dentry: file to unlink 1009 * 1010 * Returns 0 if current can write the containing directory 1011 * and the object, error code otherwise 1012 */ 1013 static int smack_inode_unlink(struct inode *dir, struct dentry *dentry) 1014 { 1015 struct inode *ip = d_backing_inode(dentry); 1016 struct smk_audit_info ad; 1017 int rc; 1018 1019 smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_DENTRY); 1020 smk_ad_setfield_u_fs_path_dentry(&ad, dentry); 1021 1022 /* 1023 * You need write access to the thing you're unlinking 1024 */ 1025 rc = smk_curacc(smk_of_inode(ip), MAY_WRITE, &ad); 1026 rc = smk_bu_inode(ip, MAY_WRITE, rc); 1027 if (rc == 0) { 1028 /* 1029 * You also need write access to the containing directory 1030 */ 1031 smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_INODE); 1032 smk_ad_setfield_u_fs_inode(&ad, dir); 1033 rc = smk_curacc(smk_of_inode(dir), MAY_WRITE, &ad); 1034 rc = smk_bu_inode(dir, MAY_WRITE, rc); 1035 } 1036 return rc; 1037 } 1038 1039 /** 1040 * smack_inode_rmdir - Smack check on directory deletion 1041 * @dir: containing directory object 1042 * @dentry: directory to unlink 1043 * 1044 * Returns 0 if current can write the containing directory 1045 * and the directory, error code otherwise 1046 */ 1047 static int smack_inode_rmdir(struct inode *dir, struct dentry *dentry) 1048 { 1049 struct smk_audit_info ad; 1050 int rc; 1051 1052 smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_DENTRY); 1053 smk_ad_setfield_u_fs_path_dentry(&ad, dentry); 1054 1055 /* 1056 * You need write access to the thing you're removing 1057 */ 1058 rc = smk_curacc(smk_of_inode(d_backing_inode(dentry)), MAY_WRITE, &ad); 1059 rc = smk_bu_inode(d_backing_inode(dentry), MAY_WRITE, rc); 1060 if (rc == 0) { 1061 /* 1062 * You also need write access to the containing directory 1063 */ 1064 smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_INODE); 1065 smk_ad_setfield_u_fs_inode(&ad, dir); 1066 rc = smk_curacc(smk_of_inode(dir), MAY_WRITE, &ad); 1067 rc = smk_bu_inode(dir, MAY_WRITE, rc); 1068 } 1069 1070 return rc; 1071 } 1072 1073 /** 1074 * smack_inode_rename - Smack check on rename 1075 * @old_inode: unused 1076 * @old_dentry: the old object 1077 * @new_inode: unused 1078 * @new_dentry: the new object 1079 * 1080 * Read and write access is required on both the old and 1081 * new directories. 1082 * 1083 * Returns 0 if access is permitted, an error code otherwise 1084 */ 1085 static int smack_inode_rename(struct inode *old_inode, 1086 struct dentry *old_dentry, 1087 struct inode *new_inode, 1088 struct dentry *new_dentry) 1089 { 1090 int rc; 1091 struct smack_known *isp; 1092 struct smk_audit_info ad; 1093 1094 smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_DENTRY); 1095 smk_ad_setfield_u_fs_path_dentry(&ad, old_dentry); 1096 1097 isp = smk_of_inode(d_backing_inode(old_dentry)); 1098 rc = smk_curacc(isp, MAY_READWRITE, &ad); 1099 rc = smk_bu_inode(d_backing_inode(old_dentry), MAY_READWRITE, rc); 1100 1101 if (rc == 0 && d_is_positive(new_dentry)) { 1102 isp = smk_of_inode(d_backing_inode(new_dentry)); 1103 smk_ad_setfield_u_fs_path_dentry(&ad, new_dentry); 1104 rc = smk_curacc(isp, MAY_READWRITE, &ad); 1105 rc = smk_bu_inode(d_backing_inode(new_dentry), MAY_READWRITE, rc); 1106 } 1107 return rc; 1108 } 1109 1110 /** 1111 * smack_inode_permission - Smack version of permission() 1112 * @inode: the inode in question 1113 * @mask: the access requested 1114 * 1115 * This is the important Smack hook. 1116 * 1117 * Returns 0 if access is permitted, an error code otherwise 1118 */ 1119 static int smack_inode_permission(struct inode *inode, int mask) 1120 { 1121 struct superblock_smack *sbsp = smack_superblock(inode->i_sb); 1122 struct smk_audit_info ad; 1123 int no_block = mask & MAY_NOT_BLOCK; 1124 int rc; 1125 1126 mask &= (MAY_READ|MAY_WRITE|MAY_EXEC|MAY_APPEND); 1127 /* 1128 * No permission to check. Existence test. Yup, it's there. 1129 */ 1130 if (mask == 0) 1131 return 0; 1132 1133 if (sbsp->smk_flags & SMK_SB_UNTRUSTED) { 1134 if (smk_of_inode(inode) != sbsp->smk_root) 1135 return -EACCES; 1136 } 1137 1138 /* May be droppable after audit */ 1139 if (no_block) 1140 return -ECHILD; 1141 smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_INODE); 1142 smk_ad_setfield_u_fs_inode(&ad, inode); 1143 rc = smk_curacc(smk_of_inode(inode), mask, &ad); 1144 rc = smk_bu_inode(inode, mask, rc); 1145 return rc; 1146 } 1147 1148 /** 1149 * smack_inode_setattr - Smack check for setting attributes 1150 * @dentry: the object 1151 * @iattr: for the force flag 1152 * 1153 * Returns 0 if access is permitted, an error code otherwise 1154 */ 1155 static int smack_inode_setattr(struct dentry *dentry, struct iattr *iattr) 1156 { 1157 struct smk_audit_info ad; 1158 int rc; 1159 1160 /* 1161 * Need to allow for clearing the setuid bit. 1162 */ 1163 if (iattr->ia_valid & ATTR_FORCE) 1164 return 0; 1165 smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_DENTRY); 1166 smk_ad_setfield_u_fs_path_dentry(&ad, dentry); 1167 1168 rc = smk_curacc(smk_of_inode(d_backing_inode(dentry)), MAY_WRITE, &ad); 1169 rc = smk_bu_inode(d_backing_inode(dentry), MAY_WRITE, rc); 1170 return rc; 1171 } 1172 1173 /** 1174 * smack_inode_getattr - Smack check for getting attributes 1175 * @path: path to extract the info from 1176 * 1177 * Returns 0 if access is permitted, an error code otherwise 1178 */ 1179 static int smack_inode_getattr(const struct path *path) 1180 { 1181 struct smk_audit_info ad; 1182 struct inode *inode = d_backing_inode(path->dentry); 1183 int rc; 1184 1185 smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_PATH); 1186 smk_ad_setfield_u_fs_path(&ad, *path); 1187 rc = smk_curacc(smk_of_inode(inode), MAY_READ, &ad); 1188 rc = smk_bu_inode(inode, MAY_READ, rc); 1189 return rc; 1190 } 1191 1192 /** 1193 * smack_inode_setxattr - Smack check for setting xattrs 1194 * @idmap: idmap of the mount 1195 * @dentry: the object 1196 * @name: name of the attribute 1197 * @value: value of the attribute 1198 * @size: size of the value 1199 * @flags: unused 1200 * 1201 * This protects the Smack attribute explicitly. 1202 * 1203 * Returns 0 if access is permitted, an error code otherwise 1204 */ 1205 static int smack_inode_setxattr(struct mnt_idmap *idmap, 1206 struct dentry *dentry, const char *name, 1207 const void *value, size_t size, int flags) 1208 { 1209 struct smk_audit_info ad; 1210 struct smack_known *skp; 1211 int check_priv = 0; 1212 int check_import = 0; 1213 int check_star = 0; 1214 int rc = 0; 1215 1216 /* 1217 * Check label validity here so import won't fail in post_setxattr 1218 */ 1219 if (strcmp(name, XATTR_NAME_SMACK) == 0 || 1220 strcmp(name, XATTR_NAME_SMACKIPIN) == 0 || 1221 strcmp(name, XATTR_NAME_SMACKIPOUT) == 0) { 1222 check_priv = 1; 1223 check_import = 1; 1224 } else if (strcmp(name, XATTR_NAME_SMACKEXEC) == 0 || 1225 strcmp(name, XATTR_NAME_SMACKMMAP) == 0) { 1226 check_priv = 1; 1227 check_import = 1; 1228 check_star = 1; 1229 } else if (strcmp(name, XATTR_NAME_SMACKTRANSMUTE) == 0) { 1230 check_priv = 1; 1231 if (size != TRANS_TRUE_SIZE || 1232 strncmp(value, TRANS_TRUE, TRANS_TRUE_SIZE) != 0) 1233 rc = -EINVAL; 1234 } else 1235 rc = cap_inode_setxattr(dentry, name, value, size, flags); 1236 1237 if (check_priv && !smack_privileged(CAP_MAC_ADMIN)) 1238 rc = -EPERM; 1239 1240 if (rc == 0 && check_import) { 1241 skp = size ? smk_import_entry(value, size) : NULL; 1242 if (IS_ERR(skp)) 1243 rc = PTR_ERR(skp); 1244 else if (skp == NULL || (check_star && 1245 (skp == &smack_known_star || skp == &smack_known_web))) 1246 rc = -EINVAL; 1247 } 1248 1249 smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_DENTRY); 1250 smk_ad_setfield_u_fs_path_dentry(&ad, dentry); 1251 1252 if (rc == 0) { 1253 rc = smk_curacc(smk_of_inode(d_backing_inode(dentry)), MAY_WRITE, &ad); 1254 rc = smk_bu_inode(d_backing_inode(dentry), MAY_WRITE, rc); 1255 } 1256 1257 return rc; 1258 } 1259 1260 /** 1261 * smack_inode_post_setxattr - Apply the Smack update approved above 1262 * @dentry: object 1263 * @name: attribute name 1264 * @value: attribute value 1265 * @size: attribute size 1266 * @flags: unused 1267 * 1268 * Set the pointer in the inode blob to the entry found 1269 * in the master label list. 1270 */ 1271 static void smack_inode_post_setxattr(struct dentry *dentry, const char *name, 1272 const void *value, size_t size, int flags) 1273 { 1274 struct smack_known *skp; 1275 struct inode_smack *isp = smack_inode(d_backing_inode(dentry)); 1276 1277 if (strcmp(name, XATTR_NAME_SMACKTRANSMUTE) == 0) { 1278 isp->smk_flags |= SMK_INODE_TRANSMUTE; 1279 return; 1280 } 1281 1282 if (strcmp(name, XATTR_NAME_SMACK) == 0) { 1283 skp = smk_import_entry(value, size); 1284 if (!IS_ERR(skp)) 1285 isp->smk_inode = skp; 1286 } else if (strcmp(name, XATTR_NAME_SMACKEXEC) == 0) { 1287 skp = smk_import_entry(value, size); 1288 if (!IS_ERR(skp)) 1289 isp->smk_task = skp; 1290 } else if (strcmp(name, XATTR_NAME_SMACKMMAP) == 0) { 1291 skp = smk_import_entry(value, size); 1292 if (!IS_ERR(skp)) 1293 isp->smk_mmap = skp; 1294 } 1295 1296 return; 1297 } 1298 1299 /** 1300 * smack_inode_getxattr - Smack check on getxattr 1301 * @dentry: the object 1302 * @name: unused 1303 * 1304 * Returns 0 if access is permitted, an error code otherwise 1305 */ 1306 static int smack_inode_getxattr(struct dentry *dentry, const char *name) 1307 { 1308 struct smk_audit_info ad; 1309 int rc; 1310 1311 smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_DENTRY); 1312 smk_ad_setfield_u_fs_path_dentry(&ad, dentry); 1313 1314 rc = smk_curacc(smk_of_inode(d_backing_inode(dentry)), MAY_READ, &ad); 1315 rc = smk_bu_inode(d_backing_inode(dentry), MAY_READ, rc); 1316 return rc; 1317 } 1318 1319 /** 1320 * smack_inode_removexattr - Smack check on removexattr 1321 * @idmap: idmap of the mount 1322 * @dentry: the object 1323 * @name: name of the attribute 1324 * 1325 * Removing the Smack attribute requires CAP_MAC_ADMIN 1326 * 1327 * Returns 0 if access is permitted, an error code otherwise 1328 */ 1329 static int smack_inode_removexattr(struct mnt_idmap *idmap, 1330 struct dentry *dentry, const char *name) 1331 { 1332 struct inode_smack *isp; 1333 struct smk_audit_info ad; 1334 int rc = 0; 1335 1336 if (strcmp(name, XATTR_NAME_SMACK) == 0 || 1337 strcmp(name, XATTR_NAME_SMACKIPIN) == 0 || 1338 strcmp(name, XATTR_NAME_SMACKIPOUT) == 0 || 1339 strcmp(name, XATTR_NAME_SMACKEXEC) == 0 || 1340 strcmp(name, XATTR_NAME_SMACKTRANSMUTE) == 0 || 1341 strcmp(name, XATTR_NAME_SMACKMMAP) == 0) { 1342 if (!smack_privileged(CAP_MAC_ADMIN)) 1343 rc = -EPERM; 1344 } else 1345 rc = cap_inode_removexattr(idmap, dentry, name); 1346 1347 if (rc != 0) 1348 return rc; 1349 1350 smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_DENTRY); 1351 smk_ad_setfield_u_fs_path_dentry(&ad, dentry); 1352 1353 rc = smk_curacc(smk_of_inode(d_backing_inode(dentry)), MAY_WRITE, &ad); 1354 rc = smk_bu_inode(d_backing_inode(dentry), MAY_WRITE, rc); 1355 if (rc != 0) 1356 return rc; 1357 1358 isp = smack_inode(d_backing_inode(dentry)); 1359 /* 1360 * Don't do anything special for these. 1361 * XATTR_NAME_SMACKIPIN 1362 * XATTR_NAME_SMACKIPOUT 1363 */ 1364 if (strcmp(name, XATTR_NAME_SMACK) == 0) { 1365 struct super_block *sbp = dentry->d_sb; 1366 struct superblock_smack *sbsp = smack_superblock(sbp); 1367 1368 isp->smk_inode = sbsp->smk_default; 1369 } else if (strcmp(name, XATTR_NAME_SMACKEXEC) == 0) 1370 isp->smk_task = NULL; 1371 else if (strcmp(name, XATTR_NAME_SMACKMMAP) == 0) 1372 isp->smk_mmap = NULL; 1373 else if (strcmp(name, XATTR_NAME_SMACKTRANSMUTE) == 0) 1374 isp->smk_flags &= ~SMK_INODE_TRANSMUTE; 1375 1376 return 0; 1377 } 1378 1379 /** 1380 * smack_inode_set_acl - Smack check for setting posix acls 1381 * @idmap: idmap of the mnt this request came from 1382 * @dentry: the object 1383 * @acl_name: name of the posix acl 1384 * @kacl: the posix acls 1385 * 1386 * Returns 0 if access is permitted, an error code otherwise 1387 */ 1388 static int smack_inode_set_acl(struct mnt_idmap *idmap, 1389 struct dentry *dentry, const char *acl_name, 1390 struct posix_acl *kacl) 1391 { 1392 struct smk_audit_info ad; 1393 int rc; 1394 1395 smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_DENTRY); 1396 smk_ad_setfield_u_fs_path_dentry(&ad, dentry); 1397 1398 rc = smk_curacc(smk_of_inode(d_backing_inode(dentry)), MAY_WRITE, &ad); 1399 rc = smk_bu_inode(d_backing_inode(dentry), MAY_WRITE, rc); 1400 return rc; 1401 } 1402 1403 /** 1404 * smack_inode_get_acl - Smack check for getting posix acls 1405 * @idmap: idmap of the mnt this request came from 1406 * @dentry: the object 1407 * @acl_name: name of the posix acl 1408 * 1409 * Returns 0 if access is permitted, an error code otherwise 1410 */ 1411 static int smack_inode_get_acl(struct mnt_idmap *idmap, 1412 struct dentry *dentry, const char *acl_name) 1413 { 1414 struct smk_audit_info ad; 1415 int rc; 1416 1417 smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_DENTRY); 1418 smk_ad_setfield_u_fs_path_dentry(&ad, dentry); 1419 1420 rc = smk_curacc(smk_of_inode(d_backing_inode(dentry)), MAY_READ, &ad); 1421 rc = smk_bu_inode(d_backing_inode(dentry), MAY_READ, rc); 1422 return rc; 1423 } 1424 1425 /** 1426 * smack_inode_remove_acl - Smack check for getting posix acls 1427 * @idmap: idmap of the mnt this request came from 1428 * @dentry: the object 1429 * @acl_name: name of the posix acl 1430 * 1431 * Returns 0 if access is permitted, an error code otherwise 1432 */ 1433 static int smack_inode_remove_acl(struct mnt_idmap *idmap, 1434 struct dentry *dentry, const char *acl_name) 1435 { 1436 struct smk_audit_info ad; 1437 int rc; 1438 1439 smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_DENTRY); 1440 smk_ad_setfield_u_fs_path_dentry(&ad, dentry); 1441 1442 rc = smk_curacc(smk_of_inode(d_backing_inode(dentry)), MAY_WRITE, &ad); 1443 rc = smk_bu_inode(d_backing_inode(dentry), MAY_WRITE, rc); 1444 return rc; 1445 } 1446 1447 /** 1448 * smack_inode_getsecurity - get smack xattrs 1449 * @idmap: idmap of the mount 1450 * @inode: the object 1451 * @name: attribute name 1452 * @buffer: where to put the result 1453 * @alloc: duplicate memory 1454 * 1455 * Returns the size of the attribute or an error code 1456 */ 1457 static int smack_inode_getsecurity(struct mnt_idmap *idmap, 1458 struct inode *inode, const char *name, 1459 void **buffer, bool alloc) 1460 { 1461 struct socket_smack *ssp; 1462 struct socket *sock; 1463 struct super_block *sbp; 1464 struct inode *ip = inode; 1465 struct smack_known *isp; 1466 1467 if (strcmp(name, XATTR_SMACK_SUFFIX) == 0) 1468 isp = smk_of_inode(inode); 1469 else { 1470 /* 1471 * The rest of the Smack xattrs are only on sockets. 1472 */ 1473 sbp = ip->i_sb; 1474 if (sbp->s_magic != SOCKFS_MAGIC) 1475 return -EOPNOTSUPP; 1476 1477 sock = SOCKET_I(ip); 1478 if (sock == NULL || sock->sk == NULL) 1479 return -EOPNOTSUPP; 1480 1481 ssp = sock->sk->sk_security; 1482 1483 if (strcmp(name, XATTR_SMACK_IPIN) == 0) 1484 isp = ssp->smk_in; 1485 else if (strcmp(name, XATTR_SMACK_IPOUT) == 0) 1486 isp = ssp->smk_out; 1487 else 1488 return -EOPNOTSUPP; 1489 } 1490 1491 if (alloc) { 1492 *buffer = kstrdup(isp->smk_known, GFP_KERNEL); 1493 if (*buffer == NULL) 1494 return -ENOMEM; 1495 } 1496 1497 return strlen(isp->smk_known); 1498 } 1499 1500 1501 /** 1502 * smack_inode_listsecurity - list the Smack attributes 1503 * @inode: the object 1504 * @buffer: where they go 1505 * @buffer_size: size of buffer 1506 */ 1507 static int smack_inode_listsecurity(struct inode *inode, char *buffer, 1508 size_t buffer_size) 1509 { 1510 int len = sizeof(XATTR_NAME_SMACK); 1511 1512 if (buffer != NULL && len <= buffer_size) 1513 memcpy(buffer, XATTR_NAME_SMACK, len); 1514 1515 return len; 1516 } 1517 1518 /** 1519 * smack_inode_getsecid - Extract inode's security id 1520 * @inode: inode to extract the info from 1521 * @secid: where result will be saved 1522 */ 1523 static void smack_inode_getsecid(struct inode *inode, u32 *secid) 1524 { 1525 struct smack_known *skp = smk_of_inode(inode); 1526 1527 *secid = skp->smk_secid; 1528 } 1529 1530 /* 1531 * File Hooks 1532 */ 1533 1534 /* 1535 * There is no smack_file_permission hook 1536 * 1537 * Should access checks be done on each read or write? 1538 * UNICOS and SELinux say yes. 1539 * Trusted Solaris, Trusted Irix, and just about everyone else says no. 1540 * 1541 * I'll say no for now. Smack does not do the frequent 1542 * label changing that SELinux does. 1543 */ 1544 1545 /** 1546 * smack_file_alloc_security - assign a file security blob 1547 * @file: the object 1548 * 1549 * The security blob for a file is a pointer to the master 1550 * label list, so no allocation is done. 1551 * 1552 * f_security is the owner security information. It 1553 * isn't used on file access checks, it's for send_sigio. 1554 * 1555 * Returns 0 1556 */ 1557 static int smack_file_alloc_security(struct file *file) 1558 { 1559 struct smack_known **blob = smack_file(file); 1560 1561 *blob = smk_of_current(); 1562 return 0; 1563 } 1564 1565 /** 1566 * smack_file_ioctl - Smack check on ioctls 1567 * @file: the object 1568 * @cmd: what to do 1569 * @arg: unused 1570 * 1571 * Relies heavily on the correct use of the ioctl command conventions. 1572 * 1573 * Returns 0 if allowed, error code otherwise 1574 */ 1575 static int smack_file_ioctl(struct file *file, unsigned int cmd, 1576 unsigned long arg) 1577 { 1578 int rc = 0; 1579 struct smk_audit_info ad; 1580 struct inode *inode = file_inode(file); 1581 1582 if (unlikely(IS_PRIVATE(inode))) 1583 return 0; 1584 1585 smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_PATH); 1586 smk_ad_setfield_u_fs_path(&ad, file->f_path); 1587 1588 if (_IOC_DIR(cmd) & _IOC_WRITE) { 1589 rc = smk_curacc(smk_of_inode(inode), MAY_WRITE, &ad); 1590 rc = smk_bu_file(file, MAY_WRITE, rc); 1591 } 1592 1593 if (rc == 0 && (_IOC_DIR(cmd) & _IOC_READ)) { 1594 rc = smk_curacc(smk_of_inode(inode), MAY_READ, &ad); 1595 rc = smk_bu_file(file, MAY_READ, rc); 1596 } 1597 1598 return rc; 1599 } 1600 1601 /** 1602 * smack_file_lock - Smack check on file locking 1603 * @file: the object 1604 * @cmd: unused 1605 * 1606 * Returns 0 if current has lock access, error code otherwise 1607 */ 1608 static int smack_file_lock(struct file *file, unsigned int cmd) 1609 { 1610 struct smk_audit_info ad; 1611 int rc; 1612 struct inode *inode = file_inode(file); 1613 1614 if (unlikely(IS_PRIVATE(inode))) 1615 return 0; 1616 1617 smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_PATH); 1618 smk_ad_setfield_u_fs_path(&ad, file->f_path); 1619 rc = smk_curacc(smk_of_inode(inode), MAY_LOCK, &ad); 1620 rc = smk_bu_file(file, MAY_LOCK, rc); 1621 return rc; 1622 } 1623 1624 /** 1625 * smack_file_fcntl - Smack check on fcntl 1626 * @file: the object 1627 * @cmd: what action to check 1628 * @arg: unused 1629 * 1630 * Generally these operations are harmless. 1631 * File locking operations present an obvious mechanism 1632 * for passing information, so they require write access. 1633 * 1634 * Returns 0 if current has access, error code otherwise 1635 */ 1636 static int smack_file_fcntl(struct file *file, unsigned int cmd, 1637 unsigned long arg) 1638 { 1639 struct smk_audit_info ad; 1640 int rc = 0; 1641 struct inode *inode = file_inode(file); 1642 1643 if (unlikely(IS_PRIVATE(inode))) 1644 return 0; 1645 1646 switch (cmd) { 1647 case F_GETLK: 1648 break; 1649 case F_SETLK: 1650 case F_SETLKW: 1651 smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_PATH); 1652 smk_ad_setfield_u_fs_path(&ad, file->f_path); 1653 rc = smk_curacc(smk_of_inode(inode), MAY_LOCK, &ad); 1654 rc = smk_bu_file(file, MAY_LOCK, rc); 1655 break; 1656 case F_SETOWN: 1657 case F_SETSIG: 1658 smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_PATH); 1659 smk_ad_setfield_u_fs_path(&ad, file->f_path); 1660 rc = smk_curacc(smk_of_inode(inode), MAY_WRITE, &ad); 1661 rc = smk_bu_file(file, MAY_WRITE, rc); 1662 break; 1663 default: 1664 break; 1665 } 1666 1667 return rc; 1668 } 1669 1670 /** 1671 * smack_mmap_file - Check permissions for a mmap operation. 1672 * @file: contains the file structure for file to map (may be NULL). 1673 * @reqprot: contains the protection requested by the application. 1674 * @prot: contains the protection that will be applied by the kernel. 1675 * @flags: contains the operational flags. 1676 * 1677 * The @file may be NULL, e.g. if mapping anonymous memory. 1678 * 1679 * Return 0 if permission is granted. 1680 */ 1681 static int smack_mmap_file(struct file *file, 1682 unsigned long reqprot, unsigned long prot, 1683 unsigned long flags) 1684 { 1685 struct smack_known *skp; 1686 struct smack_known *mkp; 1687 struct smack_rule *srp; 1688 struct task_smack *tsp; 1689 struct smack_known *okp; 1690 struct inode_smack *isp; 1691 struct superblock_smack *sbsp; 1692 int may; 1693 int mmay; 1694 int tmay; 1695 int rc; 1696 1697 if (file == NULL) 1698 return 0; 1699 1700 if (unlikely(IS_PRIVATE(file_inode(file)))) 1701 return 0; 1702 1703 isp = smack_inode(file_inode(file)); 1704 if (isp->smk_mmap == NULL) 1705 return 0; 1706 sbsp = smack_superblock(file_inode(file)->i_sb); 1707 if (sbsp->smk_flags & SMK_SB_UNTRUSTED && 1708 isp->smk_mmap != sbsp->smk_root) 1709 return -EACCES; 1710 mkp = isp->smk_mmap; 1711 1712 tsp = smack_cred(current_cred()); 1713 skp = smk_of_current(); 1714 rc = 0; 1715 1716 rcu_read_lock(); 1717 /* 1718 * For each Smack rule associated with the subject 1719 * label verify that the SMACK64MMAP also has access 1720 * to that rule's object label. 1721 */ 1722 list_for_each_entry_rcu(srp, &skp->smk_rules, list) { 1723 okp = srp->smk_object; 1724 /* 1725 * Matching labels always allows access. 1726 */ 1727 if (mkp->smk_known == okp->smk_known) 1728 continue; 1729 /* 1730 * If there is a matching local rule take 1731 * that into account as well. 1732 */ 1733 may = smk_access_entry(srp->smk_subject->smk_known, 1734 okp->smk_known, 1735 &tsp->smk_rules); 1736 if (may == -ENOENT) 1737 may = srp->smk_access; 1738 else 1739 may &= srp->smk_access; 1740 /* 1741 * If may is zero the SMACK64MMAP subject can't 1742 * possibly have less access. 1743 */ 1744 if (may == 0) 1745 continue; 1746 1747 /* 1748 * Fetch the global list entry. 1749 * If there isn't one a SMACK64MMAP subject 1750 * can't have as much access as current. 1751 */ 1752 mmay = smk_access_entry(mkp->smk_known, okp->smk_known, 1753 &mkp->smk_rules); 1754 if (mmay == -ENOENT) { 1755 rc = -EACCES; 1756 break; 1757 } 1758 /* 1759 * If there is a local entry it modifies the 1760 * potential access, too. 1761 */ 1762 tmay = smk_access_entry(mkp->smk_known, okp->smk_known, 1763 &tsp->smk_rules); 1764 if (tmay != -ENOENT) 1765 mmay &= tmay; 1766 1767 /* 1768 * If there is any access available to current that is 1769 * not available to a SMACK64MMAP subject 1770 * deny access. 1771 */ 1772 if ((may | mmay) != mmay) { 1773 rc = -EACCES; 1774 break; 1775 } 1776 } 1777 1778 rcu_read_unlock(); 1779 1780 return rc; 1781 } 1782 1783 /** 1784 * smack_file_set_fowner - set the file security blob value 1785 * @file: object in question 1786 * 1787 */ 1788 static void smack_file_set_fowner(struct file *file) 1789 { 1790 struct smack_known **blob = smack_file(file); 1791 1792 *blob = smk_of_current(); 1793 } 1794 1795 /** 1796 * smack_file_send_sigiotask - Smack on sigio 1797 * @tsk: The target task 1798 * @fown: the object the signal come from 1799 * @signum: unused 1800 * 1801 * Allow a privileged task to get signals even if it shouldn't 1802 * 1803 * Returns 0 if a subject with the object's smack could 1804 * write to the task, an error code otherwise. 1805 */ 1806 static int smack_file_send_sigiotask(struct task_struct *tsk, 1807 struct fown_struct *fown, int signum) 1808 { 1809 struct smack_known **blob; 1810 struct smack_known *skp; 1811 struct smack_known *tkp = smk_of_task(smack_cred(tsk->cred)); 1812 const struct cred *tcred; 1813 struct file *file; 1814 int rc; 1815 struct smk_audit_info ad; 1816 1817 /* 1818 * struct fown_struct is never outside the context of a struct file 1819 */ 1820 file = container_of(fown, struct file, f_owner); 1821 1822 /* we don't log here as rc can be overriden */ 1823 blob = smack_file(file); 1824 skp = *blob; 1825 rc = smk_access(skp, tkp, MAY_DELIVER, NULL); 1826 rc = smk_bu_note("sigiotask", skp, tkp, MAY_DELIVER, rc); 1827 1828 rcu_read_lock(); 1829 tcred = __task_cred(tsk); 1830 if (rc != 0 && smack_privileged_cred(CAP_MAC_OVERRIDE, tcred)) 1831 rc = 0; 1832 rcu_read_unlock(); 1833 1834 smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_TASK); 1835 smk_ad_setfield_u_tsk(&ad, tsk); 1836 smack_log(skp->smk_known, tkp->smk_known, MAY_DELIVER, rc, &ad); 1837 return rc; 1838 } 1839 1840 /** 1841 * smack_file_receive - Smack file receive check 1842 * @file: the object 1843 * 1844 * Returns 0 if current has access, error code otherwise 1845 */ 1846 static int smack_file_receive(struct file *file) 1847 { 1848 int rc; 1849 int may = 0; 1850 struct smk_audit_info ad; 1851 struct inode *inode = file_inode(file); 1852 struct socket *sock; 1853 struct task_smack *tsp; 1854 struct socket_smack *ssp; 1855 1856 if (unlikely(IS_PRIVATE(inode))) 1857 return 0; 1858 1859 smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_PATH); 1860 smk_ad_setfield_u_fs_path(&ad, file->f_path); 1861 1862 if (inode->i_sb->s_magic == SOCKFS_MAGIC) { 1863 sock = SOCKET_I(inode); 1864 ssp = sock->sk->sk_security; 1865 tsp = smack_cred(current_cred()); 1866 /* 1867 * If the receiving process can't write to the 1868 * passed socket or if the passed socket can't 1869 * write to the receiving process don't accept 1870 * the passed socket. 1871 */ 1872 rc = smk_access(tsp->smk_task, ssp->smk_out, MAY_WRITE, &ad); 1873 rc = smk_bu_file(file, may, rc); 1874 if (rc < 0) 1875 return rc; 1876 rc = smk_access(ssp->smk_in, tsp->smk_task, MAY_WRITE, &ad); 1877 rc = smk_bu_file(file, may, rc); 1878 return rc; 1879 } 1880 /* 1881 * This code relies on bitmasks. 1882 */ 1883 if (file->f_mode & FMODE_READ) 1884 may = MAY_READ; 1885 if (file->f_mode & FMODE_WRITE) 1886 may |= MAY_WRITE; 1887 1888 rc = smk_curacc(smk_of_inode(inode), may, &ad); 1889 rc = smk_bu_file(file, may, rc); 1890 return rc; 1891 } 1892 1893 /** 1894 * smack_file_open - Smack dentry open processing 1895 * @file: the object 1896 * 1897 * Set the security blob in the file structure. 1898 * Allow the open only if the task has read access. There are 1899 * many read operations (e.g. fstat) that you can do with an 1900 * fd even if you have the file open write-only. 1901 * 1902 * Returns 0 if current has access, error code otherwise 1903 */ 1904 static int smack_file_open(struct file *file) 1905 { 1906 struct task_smack *tsp = smack_cred(file->f_cred); 1907 struct inode *inode = file_inode(file); 1908 struct smk_audit_info ad; 1909 int rc; 1910 1911 smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_PATH); 1912 smk_ad_setfield_u_fs_path(&ad, file->f_path); 1913 rc = smk_tskacc(tsp, smk_of_inode(inode), MAY_READ, &ad); 1914 rc = smk_bu_credfile(file->f_cred, file, MAY_READ, rc); 1915 1916 return rc; 1917 } 1918 1919 /* 1920 * Task hooks 1921 */ 1922 1923 /** 1924 * smack_cred_alloc_blank - "allocate" blank task-level security credentials 1925 * @cred: the new credentials 1926 * @gfp: the atomicity of any memory allocations 1927 * 1928 * Prepare a blank set of credentials for modification. This must allocate all 1929 * the memory the LSM module might require such that cred_transfer() can 1930 * complete without error. 1931 */ 1932 static int smack_cred_alloc_blank(struct cred *cred, gfp_t gfp) 1933 { 1934 init_task_smack(smack_cred(cred), NULL, NULL); 1935 return 0; 1936 } 1937 1938 1939 /** 1940 * smack_cred_free - "free" task-level security credentials 1941 * @cred: the credentials in question 1942 * 1943 */ 1944 static void smack_cred_free(struct cred *cred) 1945 { 1946 struct task_smack *tsp = smack_cred(cred); 1947 struct smack_rule *rp; 1948 struct list_head *l; 1949 struct list_head *n; 1950 1951 smk_destroy_label_list(&tsp->smk_relabel); 1952 1953 list_for_each_safe(l, n, &tsp->smk_rules) { 1954 rp = list_entry(l, struct smack_rule, list); 1955 list_del(&rp->list); 1956 kmem_cache_free(smack_rule_cache, rp); 1957 } 1958 } 1959 1960 /** 1961 * smack_cred_prepare - prepare new set of credentials for modification 1962 * @new: the new credentials 1963 * @old: the original credentials 1964 * @gfp: the atomicity of any memory allocations 1965 * 1966 * Prepare a new set of credentials for modification. 1967 */ 1968 static int smack_cred_prepare(struct cred *new, const struct cred *old, 1969 gfp_t gfp) 1970 { 1971 struct task_smack *old_tsp = smack_cred(old); 1972 struct task_smack *new_tsp = smack_cred(new); 1973 int rc; 1974 1975 init_task_smack(new_tsp, old_tsp->smk_task, old_tsp->smk_task); 1976 1977 rc = smk_copy_rules(&new_tsp->smk_rules, &old_tsp->smk_rules, gfp); 1978 if (rc != 0) 1979 return rc; 1980 1981 rc = smk_copy_relabel(&new_tsp->smk_relabel, &old_tsp->smk_relabel, 1982 gfp); 1983 return rc; 1984 } 1985 1986 /** 1987 * smack_cred_transfer - Transfer the old credentials to the new credentials 1988 * @new: the new credentials 1989 * @old: the original credentials 1990 * 1991 * Fill in a set of blank credentials from another set of credentials. 1992 */ 1993 static void smack_cred_transfer(struct cred *new, const struct cred *old) 1994 { 1995 struct task_smack *old_tsp = smack_cred(old); 1996 struct task_smack *new_tsp = smack_cred(new); 1997 1998 new_tsp->smk_task = old_tsp->smk_task; 1999 new_tsp->smk_forked = old_tsp->smk_task; 2000 mutex_init(&new_tsp->smk_rules_lock); 2001 INIT_LIST_HEAD(&new_tsp->smk_rules); 2002 2003 /* cbs copy rule list */ 2004 } 2005 2006 /** 2007 * smack_cred_getsecid - get the secid corresponding to a creds structure 2008 * @cred: the object creds 2009 * @secid: where to put the result 2010 * 2011 * Sets the secid to contain a u32 version of the smack label. 2012 */ 2013 static void smack_cred_getsecid(const struct cred *cred, u32 *secid) 2014 { 2015 struct smack_known *skp; 2016 2017 rcu_read_lock(); 2018 skp = smk_of_task(smack_cred(cred)); 2019 *secid = skp->smk_secid; 2020 rcu_read_unlock(); 2021 } 2022 2023 /** 2024 * smack_kernel_act_as - Set the subjective context in a set of credentials 2025 * @new: points to the set of credentials to be modified. 2026 * @secid: specifies the security ID to be set 2027 * 2028 * Set the security data for a kernel service. 2029 */ 2030 static int smack_kernel_act_as(struct cred *new, u32 secid) 2031 { 2032 struct task_smack *new_tsp = smack_cred(new); 2033 2034 new_tsp->smk_task = smack_from_secid(secid); 2035 return 0; 2036 } 2037 2038 /** 2039 * smack_kernel_create_files_as - Set the file creation label in a set of creds 2040 * @new: points to the set of credentials to be modified 2041 * @inode: points to the inode to use as a reference 2042 * 2043 * Set the file creation context in a set of credentials to the same 2044 * as the objective context of the specified inode 2045 */ 2046 static int smack_kernel_create_files_as(struct cred *new, 2047 struct inode *inode) 2048 { 2049 struct inode_smack *isp = smack_inode(inode); 2050 struct task_smack *tsp = smack_cred(new); 2051 2052 tsp->smk_forked = isp->smk_inode; 2053 tsp->smk_task = tsp->smk_forked; 2054 return 0; 2055 } 2056 2057 /** 2058 * smk_curacc_on_task - helper to log task related access 2059 * @p: the task object 2060 * @access: the access requested 2061 * @caller: name of the calling function for audit 2062 * 2063 * Return 0 if access is permitted 2064 */ 2065 static int smk_curacc_on_task(struct task_struct *p, int access, 2066 const char *caller) 2067 { 2068 struct smk_audit_info ad; 2069 struct smack_known *skp = smk_of_task_struct_obj(p); 2070 int rc; 2071 2072 smk_ad_init(&ad, caller, LSM_AUDIT_DATA_TASK); 2073 smk_ad_setfield_u_tsk(&ad, p); 2074 rc = smk_curacc(skp, access, &ad); 2075 rc = smk_bu_task(p, access, rc); 2076 return rc; 2077 } 2078 2079 /** 2080 * smack_task_setpgid - Smack check on setting pgid 2081 * @p: the task object 2082 * @pgid: unused 2083 * 2084 * Return 0 if write access is permitted 2085 */ 2086 static int smack_task_setpgid(struct task_struct *p, pid_t pgid) 2087 { 2088 return smk_curacc_on_task(p, MAY_WRITE, __func__); 2089 } 2090 2091 /** 2092 * smack_task_getpgid - Smack access check for getpgid 2093 * @p: the object task 2094 * 2095 * Returns 0 if current can read the object task, error code otherwise 2096 */ 2097 static int smack_task_getpgid(struct task_struct *p) 2098 { 2099 return smk_curacc_on_task(p, MAY_READ, __func__); 2100 } 2101 2102 /** 2103 * smack_task_getsid - Smack access check for getsid 2104 * @p: the object task 2105 * 2106 * Returns 0 if current can read the object task, error code otherwise 2107 */ 2108 static int smack_task_getsid(struct task_struct *p) 2109 { 2110 return smk_curacc_on_task(p, MAY_READ, __func__); 2111 } 2112 2113 /** 2114 * smack_current_getsecid_subj - get the subjective secid of the current task 2115 * @secid: where to put the result 2116 * 2117 * Sets the secid to contain a u32 version of the task's subjective smack label. 2118 */ 2119 static void smack_current_getsecid_subj(u32 *secid) 2120 { 2121 struct smack_known *skp = smk_of_current(); 2122 2123 *secid = skp->smk_secid; 2124 } 2125 2126 /** 2127 * smack_task_getsecid_obj - get the objective secid of the task 2128 * @p: the task 2129 * @secid: where to put the result 2130 * 2131 * Sets the secid to contain a u32 version of the task's objective smack label. 2132 */ 2133 static void smack_task_getsecid_obj(struct task_struct *p, u32 *secid) 2134 { 2135 struct smack_known *skp = smk_of_task_struct_obj(p); 2136 2137 *secid = skp->smk_secid; 2138 } 2139 2140 /** 2141 * smack_task_setnice - Smack check on setting nice 2142 * @p: the task object 2143 * @nice: unused 2144 * 2145 * Return 0 if write access is permitted 2146 */ 2147 static int smack_task_setnice(struct task_struct *p, int nice) 2148 { 2149 return smk_curacc_on_task(p, MAY_WRITE, __func__); 2150 } 2151 2152 /** 2153 * smack_task_setioprio - Smack check on setting ioprio 2154 * @p: the task object 2155 * @ioprio: unused 2156 * 2157 * Return 0 if write access is permitted 2158 */ 2159 static int smack_task_setioprio(struct task_struct *p, int ioprio) 2160 { 2161 return smk_curacc_on_task(p, MAY_WRITE, __func__); 2162 } 2163 2164 /** 2165 * smack_task_getioprio - Smack check on reading ioprio 2166 * @p: the task object 2167 * 2168 * Return 0 if read access is permitted 2169 */ 2170 static int smack_task_getioprio(struct task_struct *p) 2171 { 2172 return smk_curacc_on_task(p, MAY_READ, __func__); 2173 } 2174 2175 /** 2176 * smack_task_setscheduler - Smack check on setting scheduler 2177 * @p: the task object 2178 * 2179 * Return 0 if read access is permitted 2180 */ 2181 static int smack_task_setscheduler(struct task_struct *p) 2182 { 2183 return smk_curacc_on_task(p, MAY_WRITE, __func__); 2184 } 2185 2186 /** 2187 * smack_task_getscheduler - Smack check on reading scheduler 2188 * @p: the task object 2189 * 2190 * Return 0 if read access is permitted 2191 */ 2192 static int smack_task_getscheduler(struct task_struct *p) 2193 { 2194 return smk_curacc_on_task(p, MAY_READ, __func__); 2195 } 2196 2197 /** 2198 * smack_task_movememory - Smack check on moving memory 2199 * @p: the task object 2200 * 2201 * Return 0 if write access is permitted 2202 */ 2203 static int smack_task_movememory(struct task_struct *p) 2204 { 2205 return smk_curacc_on_task(p, MAY_WRITE, __func__); 2206 } 2207 2208 /** 2209 * smack_task_kill - Smack check on signal delivery 2210 * @p: the task object 2211 * @info: unused 2212 * @sig: unused 2213 * @cred: identifies the cred to use in lieu of current's 2214 * 2215 * Return 0 if write access is permitted 2216 * 2217 */ 2218 static int smack_task_kill(struct task_struct *p, struct kernel_siginfo *info, 2219 int sig, const struct cred *cred) 2220 { 2221 struct smk_audit_info ad; 2222 struct smack_known *skp; 2223 struct smack_known *tkp = smk_of_task_struct_obj(p); 2224 int rc; 2225 2226 if (!sig) 2227 return 0; /* null signal; existence test */ 2228 2229 smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_TASK); 2230 smk_ad_setfield_u_tsk(&ad, p); 2231 /* 2232 * Sending a signal requires that the sender 2233 * can write the receiver. 2234 */ 2235 if (cred == NULL) { 2236 rc = smk_curacc(tkp, MAY_DELIVER, &ad); 2237 rc = smk_bu_task(p, MAY_DELIVER, rc); 2238 return rc; 2239 } 2240 /* 2241 * If the cred isn't NULL we're dealing with some USB IO 2242 * specific behavior. This is not clean. For one thing 2243 * we can't take privilege into account. 2244 */ 2245 skp = smk_of_task(smack_cred(cred)); 2246 rc = smk_access(skp, tkp, MAY_DELIVER, &ad); 2247 rc = smk_bu_note("USB signal", skp, tkp, MAY_DELIVER, rc); 2248 return rc; 2249 } 2250 2251 /** 2252 * smack_task_to_inode - copy task smack into the inode blob 2253 * @p: task to copy from 2254 * @inode: inode to copy to 2255 * 2256 * Sets the smack pointer in the inode security blob 2257 */ 2258 static void smack_task_to_inode(struct task_struct *p, struct inode *inode) 2259 { 2260 struct inode_smack *isp = smack_inode(inode); 2261 struct smack_known *skp = smk_of_task_struct_obj(p); 2262 2263 isp->smk_inode = skp; 2264 isp->smk_flags |= SMK_INODE_INSTANT; 2265 } 2266 2267 /* 2268 * Socket hooks. 2269 */ 2270 2271 /** 2272 * smack_sk_alloc_security - Allocate a socket blob 2273 * @sk: the socket 2274 * @family: unused 2275 * @gfp_flags: memory allocation flags 2276 * 2277 * Assign Smack pointers to current 2278 * 2279 * Returns 0 on success, -ENOMEM is there's no memory 2280 */ 2281 static int smack_sk_alloc_security(struct sock *sk, int family, gfp_t gfp_flags) 2282 { 2283 struct smack_known *skp = smk_of_current(); 2284 struct socket_smack *ssp; 2285 2286 ssp = kzalloc(sizeof(struct socket_smack), gfp_flags); 2287 if (ssp == NULL) 2288 return -ENOMEM; 2289 2290 /* 2291 * Sockets created by kernel threads receive web label. 2292 */ 2293 if (unlikely(current->flags & PF_KTHREAD)) { 2294 ssp->smk_in = &smack_known_web; 2295 ssp->smk_out = &smack_known_web; 2296 } else { 2297 ssp->smk_in = skp; 2298 ssp->smk_out = skp; 2299 } 2300 ssp->smk_packet = NULL; 2301 2302 sk->sk_security = ssp; 2303 2304 return 0; 2305 } 2306 2307 /** 2308 * smack_sk_free_security - Free a socket blob 2309 * @sk: the socket 2310 * 2311 * Clears the blob pointer 2312 */ 2313 static void smack_sk_free_security(struct sock *sk) 2314 { 2315 #ifdef SMACK_IPV6_PORT_LABELING 2316 struct smk_port_label *spp; 2317 2318 if (sk->sk_family == PF_INET6) { 2319 rcu_read_lock(); 2320 list_for_each_entry_rcu(spp, &smk_ipv6_port_list, list) { 2321 if (spp->smk_sock != sk) 2322 continue; 2323 spp->smk_can_reuse = 1; 2324 break; 2325 } 2326 rcu_read_unlock(); 2327 } 2328 #endif 2329 kfree(sk->sk_security); 2330 } 2331 2332 /** 2333 * smack_sk_clone_security - Copy security context 2334 * @sk: the old socket 2335 * @newsk: the new socket 2336 * 2337 * Copy the security context of the old socket pointer to the cloned 2338 */ 2339 static void smack_sk_clone_security(const struct sock *sk, struct sock *newsk) 2340 { 2341 struct socket_smack *ssp_old = sk->sk_security; 2342 struct socket_smack *ssp_new = newsk->sk_security; 2343 2344 *ssp_new = *ssp_old; 2345 } 2346 2347 /** 2348 * smack_ipv4host_label - check host based restrictions 2349 * @sip: the object end 2350 * 2351 * looks for host based access restrictions 2352 * 2353 * This version will only be appropriate for really small sets of single label 2354 * hosts. The caller is responsible for ensuring that the RCU read lock is 2355 * taken before calling this function. 2356 * 2357 * Returns the label of the far end or NULL if it's not special. 2358 */ 2359 static struct smack_known *smack_ipv4host_label(struct sockaddr_in *sip) 2360 { 2361 struct smk_net4addr *snp; 2362 struct in_addr *siap = &sip->sin_addr; 2363 2364 if (siap->s_addr == 0) 2365 return NULL; 2366 2367 list_for_each_entry_rcu(snp, &smk_net4addr_list, list) 2368 /* 2369 * we break after finding the first match because 2370 * the list is sorted from longest to shortest mask 2371 * so we have found the most specific match 2372 */ 2373 if (snp->smk_host.s_addr == 2374 (siap->s_addr & snp->smk_mask.s_addr)) 2375 return snp->smk_label; 2376 2377 return NULL; 2378 } 2379 2380 /* 2381 * smk_ipv6_localhost - Check for local ipv6 host address 2382 * @sip: the address 2383 * 2384 * Returns boolean true if this is the localhost address 2385 */ 2386 static bool smk_ipv6_localhost(struct sockaddr_in6 *sip) 2387 { 2388 __be16 *be16p = (__be16 *)&sip->sin6_addr; 2389 __be32 *be32p = (__be32 *)&sip->sin6_addr; 2390 2391 if (be32p[0] == 0 && be32p[1] == 0 && be32p[2] == 0 && be16p[6] == 0 && 2392 ntohs(be16p[7]) == 1) 2393 return true; 2394 return false; 2395 } 2396 2397 /** 2398 * smack_ipv6host_label - check host based restrictions 2399 * @sip: the object end 2400 * 2401 * looks for host based access restrictions 2402 * 2403 * This version will only be appropriate for really small sets of single label 2404 * hosts. The caller is responsible for ensuring that the RCU read lock is 2405 * taken before calling this function. 2406 * 2407 * Returns the label of the far end or NULL if it's not special. 2408 */ 2409 static struct smack_known *smack_ipv6host_label(struct sockaddr_in6 *sip) 2410 { 2411 struct smk_net6addr *snp; 2412 struct in6_addr *sap = &sip->sin6_addr; 2413 int i; 2414 int found = 0; 2415 2416 /* 2417 * It's local. Don't look for a host label. 2418 */ 2419 if (smk_ipv6_localhost(sip)) 2420 return NULL; 2421 2422 list_for_each_entry_rcu(snp, &smk_net6addr_list, list) { 2423 /* 2424 * If the label is NULL the entry has 2425 * been renounced. Ignore it. 2426 */ 2427 if (snp->smk_label == NULL) 2428 continue; 2429 /* 2430 * we break after finding the first match because 2431 * the list is sorted from longest to shortest mask 2432 * so we have found the most specific match 2433 */ 2434 for (found = 1, i = 0; i < 8; i++) { 2435 if ((sap->s6_addr16[i] & snp->smk_mask.s6_addr16[i]) != 2436 snp->smk_host.s6_addr16[i]) { 2437 found = 0; 2438 break; 2439 } 2440 } 2441 if (found) 2442 return snp->smk_label; 2443 } 2444 2445 return NULL; 2446 } 2447 2448 /** 2449 * smack_netlbl_add - Set the secattr on a socket 2450 * @sk: the socket 2451 * 2452 * Attach the outbound smack value (smk_out) to the socket. 2453 * 2454 * Returns 0 on success or an error code 2455 */ 2456 static int smack_netlbl_add(struct sock *sk) 2457 { 2458 struct socket_smack *ssp = sk->sk_security; 2459 struct smack_known *skp = ssp->smk_out; 2460 int rc; 2461 2462 local_bh_disable(); 2463 bh_lock_sock_nested(sk); 2464 2465 rc = netlbl_sock_setattr(sk, sk->sk_family, &skp->smk_netlabel); 2466 switch (rc) { 2467 case 0: 2468 ssp->smk_state = SMK_NETLBL_LABELED; 2469 break; 2470 case -EDESTADDRREQ: 2471 ssp->smk_state = SMK_NETLBL_REQSKB; 2472 rc = 0; 2473 break; 2474 } 2475 2476 bh_unlock_sock(sk); 2477 local_bh_enable(); 2478 2479 return rc; 2480 } 2481 2482 /** 2483 * smack_netlbl_delete - Remove the secattr from a socket 2484 * @sk: the socket 2485 * 2486 * Remove the outbound smack value from a socket 2487 */ 2488 static void smack_netlbl_delete(struct sock *sk) 2489 { 2490 struct socket_smack *ssp = sk->sk_security; 2491 2492 /* 2493 * Take the label off the socket if one is set. 2494 */ 2495 if (ssp->smk_state != SMK_NETLBL_LABELED) 2496 return; 2497 2498 local_bh_disable(); 2499 bh_lock_sock_nested(sk); 2500 netlbl_sock_delattr(sk); 2501 bh_unlock_sock(sk); 2502 local_bh_enable(); 2503 ssp->smk_state = SMK_NETLBL_UNLABELED; 2504 } 2505 2506 /** 2507 * smk_ipv4_check - Perform IPv4 host access checks 2508 * @sk: the socket 2509 * @sap: the destination address 2510 * 2511 * Set the correct secattr for the given socket based on the destination 2512 * address and perform any outbound access checks needed. 2513 * 2514 * Returns 0 on success or an error code. 2515 * 2516 */ 2517 static int smk_ipv4_check(struct sock *sk, struct sockaddr_in *sap) 2518 { 2519 struct smack_known *skp; 2520 int rc = 0; 2521 struct smack_known *hkp; 2522 struct socket_smack *ssp = sk->sk_security; 2523 struct smk_audit_info ad; 2524 2525 rcu_read_lock(); 2526 hkp = smack_ipv4host_label(sap); 2527 if (hkp != NULL) { 2528 #ifdef CONFIG_AUDIT 2529 struct lsm_network_audit net; 2530 2531 smk_ad_init_net(&ad, __func__, LSM_AUDIT_DATA_NET, &net); 2532 ad.a.u.net->family = sap->sin_family; 2533 ad.a.u.net->dport = sap->sin_port; 2534 ad.a.u.net->v4info.daddr = sap->sin_addr.s_addr; 2535 #endif 2536 skp = ssp->smk_out; 2537 rc = smk_access(skp, hkp, MAY_WRITE, &ad); 2538 rc = smk_bu_note("IPv4 host check", skp, hkp, MAY_WRITE, rc); 2539 /* 2540 * Clear the socket netlabel if it's set. 2541 */ 2542 if (!rc) 2543 smack_netlbl_delete(sk); 2544 } 2545 rcu_read_unlock(); 2546 2547 return rc; 2548 } 2549 2550 /** 2551 * smk_ipv6_check - check Smack access 2552 * @subject: subject Smack label 2553 * @object: object Smack label 2554 * @address: address 2555 * @act: the action being taken 2556 * 2557 * Check an IPv6 access 2558 */ 2559 static int smk_ipv6_check(struct smack_known *subject, 2560 struct smack_known *object, 2561 struct sockaddr_in6 *address, int act) 2562 { 2563 #ifdef CONFIG_AUDIT 2564 struct lsm_network_audit net; 2565 #endif 2566 struct smk_audit_info ad; 2567 int rc; 2568 2569 #ifdef CONFIG_AUDIT 2570 smk_ad_init_net(&ad, __func__, LSM_AUDIT_DATA_NET, &net); 2571 ad.a.u.net->family = PF_INET6; 2572 ad.a.u.net->dport = address->sin6_port; 2573 if (act == SMK_RECEIVING) 2574 ad.a.u.net->v6info.saddr = address->sin6_addr; 2575 else 2576 ad.a.u.net->v6info.daddr = address->sin6_addr; 2577 #endif 2578 rc = smk_access(subject, object, MAY_WRITE, &ad); 2579 rc = smk_bu_note("IPv6 check", subject, object, MAY_WRITE, rc); 2580 return rc; 2581 } 2582 2583 #ifdef SMACK_IPV6_PORT_LABELING 2584 /** 2585 * smk_ipv6_port_label - Smack port access table management 2586 * @sock: socket 2587 * @address: address 2588 * 2589 * Create or update the port list entry 2590 */ 2591 static void smk_ipv6_port_label(struct socket *sock, struct sockaddr *address) 2592 { 2593 struct sock *sk = sock->sk; 2594 struct sockaddr_in6 *addr6; 2595 struct socket_smack *ssp = sock->sk->sk_security; 2596 struct smk_port_label *spp; 2597 unsigned short port = 0; 2598 2599 if (address == NULL) { 2600 /* 2601 * This operation is changing the Smack information 2602 * on the bound socket. Take the changes to the port 2603 * as well. 2604 */ 2605 rcu_read_lock(); 2606 list_for_each_entry_rcu(spp, &smk_ipv6_port_list, list) { 2607 if (sk != spp->smk_sock) 2608 continue; 2609 spp->smk_in = ssp->smk_in; 2610 spp->smk_out = ssp->smk_out; 2611 rcu_read_unlock(); 2612 return; 2613 } 2614 /* 2615 * A NULL address is only used for updating existing 2616 * bound entries. If there isn't one, it's OK. 2617 */ 2618 rcu_read_unlock(); 2619 return; 2620 } 2621 2622 addr6 = (struct sockaddr_in6 *)address; 2623 port = ntohs(addr6->sin6_port); 2624 /* 2625 * This is a special case that is safely ignored. 2626 */ 2627 if (port == 0) 2628 return; 2629 2630 /* 2631 * Look for an existing port list entry. 2632 * This is an indication that a port is getting reused. 2633 */ 2634 rcu_read_lock(); 2635 list_for_each_entry_rcu(spp, &smk_ipv6_port_list, list) { 2636 if (spp->smk_port != port || spp->smk_sock_type != sock->type) 2637 continue; 2638 if (spp->smk_can_reuse != 1) { 2639 rcu_read_unlock(); 2640 return; 2641 } 2642 spp->smk_port = port; 2643 spp->smk_sock = sk; 2644 spp->smk_in = ssp->smk_in; 2645 spp->smk_out = ssp->smk_out; 2646 spp->smk_can_reuse = 0; 2647 rcu_read_unlock(); 2648 return; 2649 } 2650 rcu_read_unlock(); 2651 /* 2652 * A new port entry is required. 2653 */ 2654 spp = kzalloc(sizeof(*spp), GFP_KERNEL); 2655 if (spp == NULL) 2656 return; 2657 2658 spp->smk_port = port; 2659 spp->smk_sock = sk; 2660 spp->smk_in = ssp->smk_in; 2661 spp->smk_out = ssp->smk_out; 2662 spp->smk_sock_type = sock->type; 2663 spp->smk_can_reuse = 0; 2664 2665 mutex_lock(&smack_ipv6_lock); 2666 list_add_rcu(&spp->list, &smk_ipv6_port_list); 2667 mutex_unlock(&smack_ipv6_lock); 2668 return; 2669 } 2670 2671 /** 2672 * smk_ipv6_port_check - check Smack port access 2673 * @sk: socket 2674 * @address: address 2675 * @act: the action being taken 2676 * 2677 * Create or update the port list entry 2678 */ 2679 static int smk_ipv6_port_check(struct sock *sk, struct sockaddr_in6 *address, 2680 int act) 2681 { 2682 struct smk_port_label *spp; 2683 struct socket_smack *ssp = sk->sk_security; 2684 struct smack_known *skp = NULL; 2685 unsigned short port; 2686 struct smack_known *object; 2687 2688 if (act == SMK_RECEIVING) { 2689 skp = smack_ipv6host_label(address); 2690 object = ssp->smk_in; 2691 } else { 2692 skp = ssp->smk_out; 2693 object = smack_ipv6host_label(address); 2694 } 2695 2696 /* 2697 * The other end is a single label host. 2698 */ 2699 if (skp != NULL && object != NULL) 2700 return smk_ipv6_check(skp, object, address, act); 2701 if (skp == NULL) 2702 skp = smack_net_ambient; 2703 if (object == NULL) 2704 object = smack_net_ambient; 2705 2706 /* 2707 * It's remote, so port lookup does no good. 2708 */ 2709 if (!smk_ipv6_localhost(address)) 2710 return smk_ipv6_check(skp, object, address, act); 2711 2712 /* 2713 * It's local so the send check has to have passed. 2714 */ 2715 if (act == SMK_RECEIVING) 2716 return 0; 2717 2718 port = ntohs(address->sin6_port); 2719 rcu_read_lock(); 2720 list_for_each_entry_rcu(spp, &smk_ipv6_port_list, list) { 2721 if (spp->smk_port != port || spp->smk_sock_type != sk->sk_type) 2722 continue; 2723 object = spp->smk_in; 2724 if (act == SMK_CONNECTING) 2725 ssp->smk_packet = spp->smk_out; 2726 break; 2727 } 2728 rcu_read_unlock(); 2729 2730 return smk_ipv6_check(skp, object, address, act); 2731 } 2732 #endif 2733 2734 /** 2735 * smack_inode_setsecurity - set smack xattrs 2736 * @inode: the object 2737 * @name: attribute name 2738 * @value: attribute value 2739 * @size: size of the attribute 2740 * @flags: unused 2741 * 2742 * Sets the named attribute in the appropriate blob 2743 * 2744 * Returns 0 on success, or an error code 2745 */ 2746 static int smack_inode_setsecurity(struct inode *inode, const char *name, 2747 const void *value, size_t size, int flags) 2748 { 2749 struct smack_known *skp; 2750 struct inode_smack *nsp = smack_inode(inode); 2751 struct socket_smack *ssp; 2752 struct socket *sock; 2753 int rc = 0; 2754 2755 if (value == NULL || size > SMK_LONGLABEL || size == 0) 2756 return -EINVAL; 2757 2758 skp = smk_import_entry(value, size); 2759 if (IS_ERR(skp)) 2760 return PTR_ERR(skp); 2761 2762 if (strcmp(name, XATTR_SMACK_SUFFIX) == 0) { 2763 nsp->smk_inode = skp; 2764 nsp->smk_flags |= SMK_INODE_INSTANT; 2765 return 0; 2766 } 2767 /* 2768 * The rest of the Smack xattrs are only on sockets. 2769 */ 2770 if (inode->i_sb->s_magic != SOCKFS_MAGIC) 2771 return -EOPNOTSUPP; 2772 2773 sock = SOCKET_I(inode); 2774 if (sock == NULL || sock->sk == NULL) 2775 return -EOPNOTSUPP; 2776 2777 ssp = sock->sk->sk_security; 2778 2779 if (strcmp(name, XATTR_SMACK_IPIN) == 0) 2780 ssp->smk_in = skp; 2781 else if (strcmp(name, XATTR_SMACK_IPOUT) == 0) { 2782 ssp->smk_out = skp; 2783 if (sock->sk->sk_family == PF_INET) { 2784 rc = smack_netlbl_add(sock->sk); 2785 if (rc != 0) 2786 printk(KERN_WARNING 2787 "Smack: \"%s\" netlbl error %d.\n", 2788 __func__, -rc); 2789 } 2790 } else 2791 return -EOPNOTSUPP; 2792 2793 #ifdef SMACK_IPV6_PORT_LABELING 2794 if (sock->sk->sk_family == PF_INET6) 2795 smk_ipv6_port_label(sock, NULL); 2796 #endif 2797 2798 return 0; 2799 } 2800 2801 /** 2802 * smack_socket_post_create - finish socket setup 2803 * @sock: the socket 2804 * @family: protocol family 2805 * @type: unused 2806 * @protocol: unused 2807 * @kern: unused 2808 * 2809 * Sets the netlabel information on the socket 2810 * 2811 * Returns 0 on success, and error code otherwise 2812 */ 2813 static int smack_socket_post_create(struct socket *sock, int family, 2814 int type, int protocol, int kern) 2815 { 2816 struct socket_smack *ssp; 2817 2818 if (sock->sk == NULL) 2819 return 0; 2820 2821 /* 2822 * Sockets created by kernel threads receive web label. 2823 */ 2824 if (unlikely(current->flags & PF_KTHREAD)) { 2825 ssp = sock->sk->sk_security; 2826 ssp->smk_in = &smack_known_web; 2827 ssp->smk_out = &smack_known_web; 2828 } 2829 2830 if (family != PF_INET) 2831 return 0; 2832 /* 2833 * Set the outbound netlbl. 2834 */ 2835 return smack_netlbl_add(sock->sk); 2836 } 2837 2838 /** 2839 * smack_socket_socketpair - create socket pair 2840 * @socka: one socket 2841 * @sockb: another socket 2842 * 2843 * Cross reference the peer labels for SO_PEERSEC 2844 * 2845 * Returns 0 2846 */ 2847 static int smack_socket_socketpair(struct socket *socka, 2848 struct socket *sockb) 2849 { 2850 struct socket_smack *asp = socka->sk->sk_security; 2851 struct socket_smack *bsp = sockb->sk->sk_security; 2852 2853 asp->smk_packet = bsp->smk_out; 2854 bsp->smk_packet = asp->smk_out; 2855 2856 return 0; 2857 } 2858 2859 #ifdef SMACK_IPV6_PORT_LABELING 2860 /** 2861 * smack_socket_bind - record port binding information. 2862 * @sock: the socket 2863 * @address: the port address 2864 * @addrlen: size of the address 2865 * 2866 * Records the label bound to a port. 2867 * 2868 * Returns 0 on success, and error code otherwise 2869 */ 2870 static int smack_socket_bind(struct socket *sock, struct sockaddr *address, 2871 int addrlen) 2872 { 2873 if (sock->sk != NULL && sock->sk->sk_family == PF_INET6) { 2874 if (addrlen < SIN6_LEN_RFC2133 || 2875 address->sa_family != AF_INET6) 2876 return -EINVAL; 2877 smk_ipv6_port_label(sock, address); 2878 } 2879 return 0; 2880 } 2881 #endif /* SMACK_IPV6_PORT_LABELING */ 2882 2883 /** 2884 * smack_socket_connect - connect access check 2885 * @sock: the socket 2886 * @sap: the other end 2887 * @addrlen: size of sap 2888 * 2889 * Verifies that a connection may be possible 2890 * 2891 * Returns 0 on success, and error code otherwise 2892 */ 2893 static int smack_socket_connect(struct socket *sock, struct sockaddr *sap, 2894 int addrlen) 2895 { 2896 int rc = 0; 2897 2898 if (sock->sk == NULL) 2899 return 0; 2900 if (sock->sk->sk_family != PF_INET && 2901 (!IS_ENABLED(CONFIG_IPV6) || sock->sk->sk_family != PF_INET6)) 2902 return 0; 2903 if (addrlen < offsetofend(struct sockaddr, sa_family)) 2904 return 0; 2905 if (IS_ENABLED(CONFIG_IPV6) && sap->sa_family == AF_INET6) { 2906 struct sockaddr_in6 *sip = (struct sockaddr_in6 *)sap; 2907 struct smack_known *rsp = NULL; 2908 2909 if (addrlen < SIN6_LEN_RFC2133) 2910 return 0; 2911 if (__is_defined(SMACK_IPV6_SECMARK_LABELING)) 2912 rsp = smack_ipv6host_label(sip); 2913 if (rsp != NULL) { 2914 struct socket_smack *ssp = sock->sk->sk_security; 2915 2916 rc = smk_ipv6_check(ssp->smk_out, rsp, sip, 2917 SMK_CONNECTING); 2918 } 2919 #ifdef SMACK_IPV6_PORT_LABELING 2920 rc = smk_ipv6_port_check(sock->sk, sip, SMK_CONNECTING); 2921 #endif 2922 2923 return rc; 2924 } 2925 if (sap->sa_family != AF_INET || addrlen < sizeof(struct sockaddr_in)) 2926 return 0; 2927 rc = smk_ipv4_check(sock->sk, (struct sockaddr_in *)sap); 2928 return rc; 2929 } 2930 2931 /** 2932 * smack_flags_to_may - convert S_ to MAY_ values 2933 * @flags: the S_ value 2934 * 2935 * Returns the equivalent MAY_ value 2936 */ 2937 static int smack_flags_to_may(int flags) 2938 { 2939 int may = 0; 2940 2941 if (flags & S_IRUGO) 2942 may |= MAY_READ; 2943 if (flags & S_IWUGO) 2944 may |= MAY_WRITE; 2945 if (flags & S_IXUGO) 2946 may |= MAY_EXEC; 2947 2948 return may; 2949 } 2950 2951 /** 2952 * smack_msg_msg_alloc_security - Set the security blob for msg_msg 2953 * @msg: the object 2954 * 2955 * Returns 0 2956 */ 2957 static int smack_msg_msg_alloc_security(struct msg_msg *msg) 2958 { 2959 struct smack_known **blob = smack_msg_msg(msg); 2960 2961 *blob = smk_of_current(); 2962 return 0; 2963 } 2964 2965 /** 2966 * smack_of_ipc - the smack pointer for the ipc 2967 * @isp: the object 2968 * 2969 * Returns a pointer to the smack value 2970 */ 2971 static struct smack_known *smack_of_ipc(struct kern_ipc_perm *isp) 2972 { 2973 struct smack_known **blob = smack_ipc(isp); 2974 2975 return *blob; 2976 } 2977 2978 /** 2979 * smack_ipc_alloc_security - Set the security blob for ipc 2980 * @isp: the object 2981 * 2982 * Returns 0 2983 */ 2984 static int smack_ipc_alloc_security(struct kern_ipc_perm *isp) 2985 { 2986 struct smack_known **blob = smack_ipc(isp); 2987 2988 *blob = smk_of_current(); 2989 return 0; 2990 } 2991 2992 /** 2993 * smk_curacc_shm : check if current has access on shm 2994 * @isp : the object 2995 * @access : access requested 2996 * 2997 * Returns 0 if current has the requested access, error code otherwise 2998 */ 2999 static int smk_curacc_shm(struct kern_ipc_perm *isp, int access) 3000 { 3001 struct smack_known *ssp = smack_of_ipc(isp); 3002 struct smk_audit_info ad; 3003 int rc; 3004 3005 #ifdef CONFIG_AUDIT 3006 smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_IPC); 3007 ad.a.u.ipc_id = isp->id; 3008 #endif 3009 rc = smk_curacc(ssp, access, &ad); 3010 rc = smk_bu_current("shm", ssp, access, rc); 3011 return rc; 3012 } 3013 3014 /** 3015 * smack_shm_associate - Smack access check for shm 3016 * @isp: the object 3017 * @shmflg: access requested 3018 * 3019 * Returns 0 if current has the requested access, error code otherwise 3020 */ 3021 static int smack_shm_associate(struct kern_ipc_perm *isp, int shmflg) 3022 { 3023 int may; 3024 3025 may = smack_flags_to_may(shmflg); 3026 return smk_curacc_shm(isp, may); 3027 } 3028 3029 /** 3030 * smack_shm_shmctl - Smack access check for shm 3031 * @isp: the object 3032 * @cmd: what it wants to do 3033 * 3034 * Returns 0 if current has the requested access, error code otherwise 3035 */ 3036 static int smack_shm_shmctl(struct kern_ipc_perm *isp, int cmd) 3037 { 3038 int may; 3039 3040 switch (cmd) { 3041 case IPC_STAT: 3042 case SHM_STAT: 3043 case SHM_STAT_ANY: 3044 may = MAY_READ; 3045 break; 3046 case IPC_SET: 3047 case SHM_LOCK: 3048 case SHM_UNLOCK: 3049 case IPC_RMID: 3050 may = MAY_READWRITE; 3051 break; 3052 case IPC_INFO: 3053 case SHM_INFO: 3054 /* 3055 * System level information. 3056 */ 3057 return 0; 3058 default: 3059 return -EINVAL; 3060 } 3061 return smk_curacc_shm(isp, may); 3062 } 3063 3064 /** 3065 * smack_shm_shmat - Smack access for shmat 3066 * @isp: the object 3067 * @shmaddr: unused 3068 * @shmflg: access requested 3069 * 3070 * Returns 0 if current has the requested access, error code otherwise 3071 */ 3072 static int smack_shm_shmat(struct kern_ipc_perm *isp, char __user *shmaddr, 3073 int shmflg) 3074 { 3075 int may; 3076 3077 may = smack_flags_to_may(shmflg); 3078 return smk_curacc_shm(isp, may); 3079 } 3080 3081 /** 3082 * smk_curacc_sem : check if current has access on sem 3083 * @isp : the object 3084 * @access : access requested 3085 * 3086 * Returns 0 if current has the requested access, error code otherwise 3087 */ 3088 static int smk_curacc_sem(struct kern_ipc_perm *isp, int access) 3089 { 3090 struct smack_known *ssp = smack_of_ipc(isp); 3091 struct smk_audit_info ad; 3092 int rc; 3093 3094 #ifdef CONFIG_AUDIT 3095 smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_IPC); 3096 ad.a.u.ipc_id = isp->id; 3097 #endif 3098 rc = smk_curacc(ssp, access, &ad); 3099 rc = smk_bu_current("sem", ssp, access, rc); 3100 return rc; 3101 } 3102 3103 /** 3104 * smack_sem_associate - Smack access check for sem 3105 * @isp: the object 3106 * @semflg: access requested 3107 * 3108 * Returns 0 if current has the requested access, error code otherwise 3109 */ 3110 static int smack_sem_associate(struct kern_ipc_perm *isp, int semflg) 3111 { 3112 int may; 3113 3114 may = smack_flags_to_may(semflg); 3115 return smk_curacc_sem(isp, may); 3116 } 3117 3118 /** 3119 * smack_sem_semctl - Smack access check for sem 3120 * @isp: the object 3121 * @cmd: what it wants to do 3122 * 3123 * Returns 0 if current has the requested access, error code otherwise 3124 */ 3125 static int smack_sem_semctl(struct kern_ipc_perm *isp, int cmd) 3126 { 3127 int may; 3128 3129 switch (cmd) { 3130 case GETPID: 3131 case GETNCNT: 3132 case GETZCNT: 3133 case GETVAL: 3134 case GETALL: 3135 case IPC_STAT: 3136 case SEM_STAT: 3137 case SEM_STAT_ANY: 3138 may = MAY_READ; 3139 break; 3140 case SETVAL: 3141 case SETALL: 3142 case IPC_RMID: 3143 case IPC_SET: 3144 may = MAY_READWRITE; 3145 break; 3146 case IPC_INFO: 3147 case SEM_INFO: 3148 /* 3149 * System level information 3150 */ 3151 return 0; 3152 default: 3153 return -EINVAL; 3154 } 3155 3156 return smk_curacc_sem(isp, may); 3157 } 3158 3159 /** 3160 * smack_sem_semop - Smack checks of semaphore operations 3161 * @isp: the object 3162 * @sops: unused 3163 * @nsops: unused 3164 * @alter: unused 3165 * 3166 * Treated as read and write in all cases. 3167 * 3168 * Returns 0 if access is allowed, error code otherwise 3169 */ 3170 static int smack_sem_semop(struct kern_ipc_perm *isp, struct sembuf *sops, 3171 unsigned nsops, int alter) 3172 { 3173 return smk_curacc_sem(isp, MAY_READWRITE); 3174 } 3175 3176 /** 3177 * smk_curacc_msq : helper to check if current has access on msq 3178 * @isp : the msq 3179 * @access : access requested 3180 * 3181 * return 0 if current has access, error otherwise 3182 */ 3183 static int smk_curacc_msq(struct kern_ipc_perm *isp, int access) 3184 { 3185 struct smack_known *msp = smack_of_ipc(isp); 3186 struct smk_audit_info ad; 3187 int rc; 3188 3189 #ifdef CONFIG_AUDIT 3190 smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_IPC); 3191 ad.a.u.ipc_id = isp->id; 3192 #endif 3193 rc = smk_curacc(msp, access, &ad); 3194 rc = smk_bu_current("msq", msp, access, rc); 3195 return rc; 3196 } 3197 3198 /** 3199 * smack_msg_queue_associate - Smack access check for msg_queue 3200 * @isp: the object 3201 * @msqflg: access requested 3202 * 3203 * Returns 0 if current has the requested access, error code otherwise 3204 */ 3205 static int smack_msg_queue_associate(struct kern_ipc_perm *isp, int msqflg) 3206 { 3207 int may; 3208 3209 may = smack_flags_to_may(msqflg); 3210 return smk_curacc_msq(isp, may); 3211 } 3212 3213 /** 3214 * smack_msg_queue_msgctl - Smack access check for msg_queue 3215 * @isp: the object 3216 * @cmd: what it wants to do 3217 * 3218 * Returns 0 if current has the requested access, error code otherwise 3219 */ 3220 static int smack_msg_queue_msgctl(struct kern_ipc_perm *isp, int cmd) 3221 { 3222 int may; 3223 3224 switch (cmd) { 3225 case IPC_STAT: 3226 case MSG_STAT: 3227 case MSG_STAT_ANY: 3228 may = MAY_READ; 3229 break; 3230 case IPC_SET: 3231 case IPC_RMID: 3232 may = MAY_READWRITE; 3233 break; 3234 case IPC_INFO: 3235 case MSG_INFO: 3236 /* 3237 * System level information 3238 */ 3239 return 0; 3240 default: 3241 return -EINVAL; 3242 } 3243 3244 return smk_curacc_msq(isp, may); 3245 } 3246 3247 /** 3248 * smack_msg_queue_msgsnd - Smack access check for msg_queue 3249 * @isp: the object 3250 * @msg: unused 3251 * @msqflg: access requested 3252 * 3253 * Returns 0 if current has the requested access, error code otherwise 3254 */ 3255 static int smack_msg_queue_msgsnd(struct kern_ipc_perm *isp, struct msg_msg *msg, 3256 int msqflg) 3257 { 3258 int may; 3259 3260 may = smack_flags_to_may(msqflg); 3261 return smk_curacc_msq(isp, may); 3262 } 3263 3264 /** 3265 * smack_msg_queue_msgrcv - Smack access check for msg_queue 3266 * @isp: the object 3267 * @msg: unused 3268 * @target: unused 3269 * @type: unused 3270 * @mode: unused 3271 * 3272 * Returns 0 if current has read and write access, error code otherwise 3273 */ 3274 static int smack_msg_queue_msgrcv(struct kern_ipc_perm *isp, 3275 struct msg_msg *msg, 3276 struct task_struct *target, long type, 3277 int mode) 3278 { 3279 return smk_curacc_msq(isp, MAY_READWRITE); 3280 } 3281 3282 /** 3283 * smack_ipc_permission - Smack access for ipc_permission() 3284 * @ipp: the object permissions 3285 * @flag: access requested 3286 * 3287 * Returns 0 if current has read and write access, error code otherwise 3288 */ 3289 static int smack_ipc_permission(struct kern_ipc_perm *ipp, short flag) 3290 { 3291 struct smack_known **blob = smack_ipc(ipp); 3292 struct smack_known *iskp = *blob; 3293 int may = smack_flags_to_may(flag); 3294 struct smk_audit_info ad; 3295 int rc; 3296 3297 #ifdef CONFIG_AUDIT 3298 smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_IPC); 3299 ad.a.u.ipc_id = ipp->id; 3300 #endif 3301 rc = smk_curacc(iskp, may, &ad); 3302 rc = smk_bu_current("svipc", iskp, may, rc); 3303 return rc; 3304 } 3305 3306 /** 3307 * smack_ipc_getsecid - Extract smack security id 3308 * @ipp: the object permissions 3309 * @secid: where result will be saved 3310 */ 3311 static void smack_ipc_getsecid(struct kern_ipc_perm *ipp, u32 *secid) 3312 { 3313 struct smack_known **blob = smack_ipc(ipp); 3314 struct smack_known *iskp = *blob; 3315 3316 *secid = iskp->smk_secid; 3317 } 3318 3319 /** 3320 * smack_d_instantiate - Make sure the blob is correct on an inode 3321 * @opt_dentry: dentry where inode will be attached 3322 * @inode: the object 3323 * 3324 * Set the inode's security blob if it hasn't been done already. 3325 */ 3326 static void smack_d_instantiate(struct dentry *opt_dentry, struct inode *inode) 3327 { 3328 struct super_block *sbp; 3329 struct superblock_smack *sbsp; 3330 struct inode_smack *isp; 3331 struct smack_known *skp; 3332 struct smack_known *ckp = smk_of_current(); 3333 struct smack_known *final; 3334 char trattr[TRANS_TRUE_SIZE]; 3335 int transflag = 0; 3336 int rc; 3337 struct dentry *dp; 3338 3339 if (inode == NULL) 3340 return; 3341 3342 isp = smack_inode(inode); 3343 3344 /* 3345 * If the inode is already instantiated 3346 * take the quick way out 3347 */ 3348 if (isp->smk_flags & SMK_INODE_INSTANT) 3349 return; 3350 3351 sbp = inode->i_sb; 3352 sbsp = smack_superblock(sbp); 3353 /* 3354 * We're going to use the superblock default label 3355 * if there's no label on the file. 3356 */ 3357 final = sbsp->smk_default; 3358 3359 /* 3360 * If this is the root inode the superblock 3361 * may be in the process of initialization. 3362 * If that is the case use the root value out 3363 * of the superblock. 3364 */ 3365 if (opt_dentry->d_parent == opt_dentry) { 3366 switch (sbp->s_magic) { 3367 case CGROUP_SUPER_MAGIC: 3368 case CGROUP2_SUPER_MAGIC: 3369 /* 3370 * The cgroup filesystem is never mounted, 3371 * so there's no opportunity to set the mount 3372 * options. 3373 */ 3374 sbsp->smk_root = &smack_known_star; 3375 sbsp->smk_default = &smack_known_star; 3376 isp->smk_inode = sbsp->smk_root; 3377 break; 3378 case TMPFS_MAGIC: 3379 /* 3380 * What about shmem/tmpfs anonymous files with dentry 3381 * obtained from d_alloc_pseudo()? 3382 */ 3383 isp->smk_inode = smk_of_current(); 3384 break; 3385 case PIPEFS_MAGIC: 3386 isp->smk_inode = smk_of_current(); 3387 break; 3388 case SOCKFS_MAGIC: 3389 /* 3390 * Socket access is controlled by the socket 3391 * structures associated with the task involved. 3392 */ 3393 isp->smk_inode = &smack_known_star; 3394 break; 3395 default: 3396 isp->smk_inode = sbsp->smk_root; 3397 break; 3398 } 3399 isp->smk_flags |= SMK_INODE_INSTANT; 3400 return; 3401 } 3402 3403 /* 3404 * This is pretty hackish. 3405 * Casey says that we shouldn't have to do 3406 * file system specific code, but it does help 3407 * with keeping it simple. 3408 */ 3409 switch (sbp->s_magic) { 3410 case SMACK_MAGIC: 3411 case CGROUP_SUPER_MAGIC: 3412 case CGROUP2_SUPER_MAGIC: 3413 /* 3414 * Casey says that it's a little embarrassing 3415 * that the smack file system doesn't do 3416 * extended attributes. 3417 * 3418 * Cgroupfs is special 3419 */ 3420 final = &smack_known_star; 3421 break; 3422 case DEVPTS_SUPER_MAGIC: 3423 /* 3424 * devpts seems content with the label of the task. 3425 * Programs that change smack have to treat the 3426 * pty with respect. 3427 */ 3428 final = ckp; 3429 break; 3430 case PROC_SUPER_MAGIC: 3431 /* 3432 * Casey says procfs appears not to care. 3433 * The superblock default suffices. 3434 */ 3435 break; 3436 case TMPFS_MAGIC: 3437 /* 3438 * Device labels should come from the filesystem, 3439 * but watch out, because they're volitile, 3440 * getting recreated on every reboot. 3441 */ 3442 final = &smack_known_star; 3443 /* 3444 * If a smack value has been set we want to use it, 3445 * but since tmpfs isn't giving us the opportunity 3446 * to set mount options simulate setting the 3447 * superblock default. 3448 */ 3449 fallthrough; 3450 default: 3451 /* 3452 * This isn't an understood special case. 3453 * Get the value from the xattr. 3454 */ 3455 3456 /* 3457 * UNIX domain sockets use lower level socket data. 3458 */ 3459 if (S_ISSOCK(inode->i_mode)) { 3460 final = &smack_known_star; 3461 break; 3462 } 3463 /* 3464 * No xattr support means, alas, no SMACK label. 3465 * Use the aforeapplied default. 3466 * It would be curious if the label of the task 3467 * does not match that assigned. 3468 */ 3469 if (!(inode->i_opflags & IOP_XATTR)) 3470 break; 3471 /* 3472 * Get the dentry for xattr. 3473 */ 3474 dp = dget(opt_dentry); 3475 skp = smk_fetch(XATTR_NAME_SMACK, inode, dp); 3476 if (!IS_ERR_OR_NULL(skp)) 3477 final = skp; 3478 3479 /* 3480 * Transmuting directory 3481 */ 3482 if (S_ISDIR(inode->i_mode)) { 3483 /* 3484 * If this is a new directory and the label was 3485 * transmuted when the inode was initialized 3486 * set the transmute attribute on the directory 3487 * and mark the inode. 3488 * 3489 * If there is a transmute attribute on the 3490 * directory mark the inode. 3491 */ 3492 if (isp->smk_flags & SMK_INODE_CHANGED) { 3493 isp->smk_flags &= ~SMK_INODE_CHANGED; 3494 rc = __vfs_setxattr(&nop_mnt_idmap, dp, inode, 3495 XATTR_NAME_SMACKTRANSMUTE, 3496 TRANS_TRUE, TRANS_TRUE_SIZE, 3497 0); 3498 } else { 3499 rc = __vfs_getxattr(dp, inode, 3500 XATTR_NAME_SMACKTRANSMUTE, trattr, 3501 TRANS_TRUE_SIZE); 3502 if (rc >= 0 && strncmp(trattr, TRANS_TRUE, 3503 TRANS_TRUE_SIZE) != 0) 3504 rc = -EINVAL; 3505 } 3506 if (rc >= 0) 3507 transflag = SMK_INODE_TRANSMUTE; 3508 } 3509 /* 3510 * Don't let the exec or mmap label be "*" or "@". 3511 */ 3512 skp = smk_fetch(XATTR_NAME_SMACKEXEC, inode, dp); 3513 if (IS_ERR(skp) || skp == &smack_known_star || 3514 skp == &smack_known_web) 3515 skp = NULL; 3516 isp->smk_task = skp; 3517 3518 skp = smk_fetch(XATTR_NAME_SMACKMMAP, inode, dp); 3519 if (IS_ERR(skp) || skp == &smack_known_star || 3520 skp == &smack_known_web) 3521 skp = NULL; 3522 isp->smk_mmap = skp; 3523 3524 dput(dp); 3525 break; 3526 } 3527 3528 if (final == NULL) 3529 isp->smk_inode = ckp; 3530 else 3531 isp->smk_inode = final; 3532 3533 isp->smk_flags |= (SMK_INODE_INSTANT | transflag); 3534 3535 return; 3536 } 3537 3538 /** 3539 * smack_getprocattr - Smack process attribute access 3540 * @p: the object task 3541 * @name: the name of the attribute in /proc/.../attr 3542 * @value: where to put the result 3543 * 3544 * Places a copy of the task Smack into value 3545 * 3546 * Returns the length of the smack label or an error code 3547 */ 3548 static int smack_getprocattr(struct task_struct *p, const char *name, char **value) 3549 { 3550 struct smack_known *skp = smk_of_task_struct_obj(p); 3551 char *cp; 3552 int slen; 3553 3554 if (strcmp(name, "current") != 0) 3555 return -EINVAL; 3556 3557 cp = kstrdup(skp->smk_known, GFP_KERNEL); 3558 if (cp == NULL) 3559 return -ENOMEM; 3560 3561 slen = strlen(cp); 3562 *value = cp; 3563 return slen; 3564 } 3565 3566 /** 3567 * smack_setprocattr - Smack process attribute setting 3568 * @name: the name of the attribute in /proc/.../attr 3569 * @value: the value to set 3570 * @size: the size of the value 3571 * 3572 * Sets the Smack value of the task. Only setting self 3573 * is permitted and only with privilege 3574 * 3575 * Returns the length of the smack label or an error code 3576 */ 3577 static int smack_setprocattr(const char *name, void *value, size_t size) 3578 { 3579 struct task_smack *tsp = smack_cred(current_cred()); 3580 struct cred *new; 3581 struct smack_known *skp; 3582 struct smack_known_list_elem *sklep; 3583 int rc; 3584 3585 if (!smack_privileged(CAP_MAC_ADMIN) && list_empty(&tsp->smk_relabel)) 3586 return -EPERM; 3587 3588 if (value == NULL || size == 0 || size >= SMK_LONGLABEL) 3589 return -EINVAL; 3590 3591 if (strcmp(name, "current") != 0) 3592 return -EINVAL; 3593 3594 skp = smk_import_entry(value, size); 3595 if (IS_ERR(skp)) 3596 return PTR_ERR(skp); 3597 3598 /* 3599 * No process is ever allowed the web ("@") label 3600 * and the star ("*") label. 3601 */ 3602 if (skp == &smack_known_web || skp == &smack_known_star) 3603 return -EINVAL; 3604 3605 if (!smack_privileged(CAP_MAC_ADMIN)) { 3606 rc = -EPERM; 3607 list_for_each_entry(sklep, &tsp->smk_relabel, list) 3608 if (sklep->smk_label == skp) { 3609 rc = 0; 3610 break; 3611 } 3612 if (rc) 3613 return rc; 3614 } 3615 3616 new = prepare_creds(); 3617 if (new == NULL) 3618 return -ENOMEM; 3619 3620 tsp = smack_cred(new); 3621 tsp->smk_task = skp; 3622 /* 3623 * process can change its label only once 3624 */ 3625 smk_destroy_label_list(&tsp->smk_relabel); 3626 3627 commit_creds(new); 3628 return size; 3629 } 3630 3631 /** 3632 * smack_unix_stream_connect - Smack access on UDS 3633 * @sock: one sock 3634 * @other: the other sock 3635 * @newsk: unused 3636 * 3637 * Return 0 if a subject with the smack of sock could access 3638 * an object with the smack of other, otherwise an error code 3639 */ 3640 static int smack_unix_stream_connect(struct sock *sock, 3641 struct sock *other, struct sock *newsk) 3642 { 3643 struct smack_known *skp; 3644 struct smack_known *okp; 3645 struct socket_smack *ssp = sock->sk_security; 3646 struct socket_smack *osp = other->sk_security; 3647 struct socket_smack *nsp = newsk->sk_security; 3648 struct smk_audit_info ad; 3649 int rc = 0; 3650 #ifdef CONFIG_AUDIT 3651 struct lsm_network_audit net; 3652 #endif 3653 3654 if (!smack_privileged(CAP_MAC_OVERRIDE)) { 3655 skp = ssp->smk_out; 3656 okp = osp->smk_in; 3657 #ifdef CONFIG_AUDIT 3658 smk_ad_init_net(&ad, __func__, LSM_AUDIT_DATA_NET, &net); 3659 smk_ad_setfield_u_net_sk(&ad, other); 3660 #endif 3661 rc = smk_access(skp, okp, MAY_WRITE, &ad); 3662 rc = smk_bu_note("UDS connect", skp, okp, MAY_WRITE, rc); 3663 if (rc == 0) { 3664 okp = osp->smk_out; 3665 skp = ssp->smk_in; 3666 rc = smk_access(okp, skp, MAY_WRITE, &ad); 3667 rc = smk_bu_note("UDS connect", okp, skp, 3668 MAY_WRITE, rc); 3669 } 3670 } 3671 3672 /* 3673 * Cross reference the peer labels for SO_PEERSEC. 3674 */ 3675 if (rc == 0) { 3676 nsp->smk_packet = ssp->smk_out; 3677 ssp->smk_packet = osp->smk_out; 3678 } 3679 3680 return rc; 3681 } 3682 3683 /** 3684 * smack_unix_may_send - Smack access on UDS 3685 * @sock: one socket 3686 * @other: the other socket 3687 * 3688 * Return 0 if a subject with the smack of sock could access 3689 * an object with the smack of other, otherwise an error code 3690 */ 3691 static int smack_unix_may_send(struct socket *sock, struct socket *other) 3692 { 3693 struct socket_smack *ssp = sock->sk->sk_security; 3694 struct socket_smack *osp = other->sk->sk_security; 3695 struct smk_audit_info ad; 3696 int rc; 3697 3698 #ifdef CONFIG_AUDIT 3699 struct lsm_network_audit net; 3700 3701 smk_ad_init_net(&ad, __func__, LSM_AUDIT_DATA_NET, &net); 3702 smk_ad_setfield_u_net_sk(&ad, other->sk); 3703 #endif 3704 3705 if (smack_privileged(CAP_MAC_OVERRIDE)) 3706 return 0; 3707 3708 rc = smk_access(ssp->smk_out, osp->smk_in, MAY_WRITE, &ad); 3709 rc = smk_bu_note("UDS send", ssp->smk_out, osp->smk_in, MAY_WRITE, rc); 3710 return rc; 3711 } 3712 3713 /** 3714 * smack_socket_sendmsg - Smack check based on destination host 3715 * @sock: the socket 3716 * @msg: the message 3717 * @size: the size of the message 3718 * 3719 * Return 0 if the current subject can write to the destination host. 3720 * For IPv4 this is only a question if the destination is a single label host. 3721 * For IPv6 this is a check against the label of the port. 3722 */ 3723 static int smack_socket_sendmsg(struct socket *sock, struct msghdr *msg, 3724 int size) 3725 { 3726 struct sockaddr_in *sip = (struct sockaddr_in *) msg->msg_name; 3727 #if IS_ENABLED(CONFIG_IPV6) 3728 struct sockaddr_in6 *sap = (struct sockaddr_in6 *) msg->msg_name; 3729 #endif 3730 #ifdef SMACK_IPV6_SECMARK_LABELING 3731 struct socket_smack *ssp = sock->sk->sk_security; 3732 struct smack_known *rsp; 3733 #endif 3734 int rc = 0; 3735 3736 /* 3737 * Perfectly reasonable for this to be NULL 3738 */ 3739 if (sip == NULL) 3740 return 0; 3741 3742 switch (sock->sk->sk_family) { 3743 case AF_INET: 3744 if (msg->msg_namelen < sizeof(struct sockaddr_in) || 3745 sip->sin_family != AF_INET) 3746 return -EINVAL; 3747 rc = smk_ipv4_check(sock->sk, sip); 3748 break; 3749 #if IS_ENABLED(CONFIG_IPV6) 3750 case AF_INET6: 3751 if (msg->msg_namelen < SIN6_LEN_RFC2133 || 3752 sap->sin6_family != AF_INET6) 3753 return -EINVAL; 3754 #ifdef SMACK_IPV6_SECMARK_LABELING 3755 rsp = smack_ipv6host_label(sap); 3756 if (rsp != NULL) 3757 rc = smk_ipv6_check(ssp->smk_out, rsp, sap, 3758 SMK_CONNECTING); 3759 #endif 3760 #ifdef SMACK_IPV6_PORT_LABELING 3761 rc = smk_ipv6_port_check(sock->sk, sap, SMK_SENDING); 3762 #endif 3763 #endif /* IS_ENABLED(CONFIG_IPV6) */ 3764 break; 3765 } 3766 return rc; 3767 } 3768 3769 /** 3770 * smack_from_secattr - Convert a netlabel attr.mls.lvl/attr.mls.cat pair to smack 3771 * @sap: netlabel secattr 3772 * @ssp: socket security information 3773 * 3774 * Returns a pointer to a Smack label entry found on the label list. 3775 */ 3776 static struct smack_known *smack_from_secattr(struct netlbl_lsm_secattr *sap, 3777 struct socket_smack *ssp) 3778 { 3779 struct smack_known *skp; 3780 int found = 0; 3781 int acat; 3782 int kcat; 3783 3784 /* 3785 * Netlabel found it in the cache. 3786 */ 3787 if ((sap->flags & NETLBL_SECATTR_CACHE) != 0) 3788 return (struct smack_known *)sap->cache->data; 3789 3790 if ((sap->flags & NETLBL_SECATTR_SECID) != 0) 3791 /* 3792 * Looks like a fallback, which gives us a secid. 3793 */ 3794 return smack_from_secid(sap->attr.secid); 3795 3796 if ((sap->flags & NETLBL_SECATTR_MLS_LVL) != 0) { 3797 /* 3798 * Looks like a CIPSO packet. 3799 * If there are flags but no level netlabel isn't 3800 * behaving the way we expect it to. 3801 * 3802 * Look it up in the label table 3803 * Without guidance regarding the smack value 3804 * for the packet fall back on the network 3805 * ambient value. 3806 */ 3807 rcu_read_lock(); 3808 list_for_each_entry_rcu(skp, &smack_known_list, list) { 3809 if (sap->attr.mls.lvl != skp->smk_netlabel.attr.mls.lvl) 3810 continue; 3811 /* 3812 * Compare the catsets. Use the netlbl APIs. 3813 */ 3814 if ((sap->flags & NETLBL_SECATTR_MLS_CAT) == 0) { 3815 if ((skp->smk_netlabel.flags & 3816 NETLBL_SECATTR_MLS_CAT) == 0) 3817 found = 1; 3818 break; 3819 } 3820 for (acat = -1, kcat = -1; acat == kcat; ) { 3821 acat = netlbl_catmap_walk(sap->attr.mls.cat, 3822 acat + 1); 3823 kcat = netlbl_catmap_walk( 3824 skp->smk_netlabel.attr.mls.cat, 3825 kcat + 1); 3826 if (acat < 0 || kcat < 0) 3827 break; 3828 } 3829 if (acat == kcat) { 3830 found = 1; 3831 break; 3832 } 3833 } 3834 rcu_read_unlock(); 3835 3836 if (found) 3837 return skp; 3838 3839 if (ssp != NULL && ssp->smk_in == &smack_known_star) 3840 return &smack_known_web; 3841 return &smack_known_star; 3842 } 3843 /* 3844 * Without guidance regarding the smack value 3845 * for the packet fall back on the network 3846 * ambient value. 3847 */ 3848 return smack_net_ambient; 3849 } 3850 3851 #if IS_ENABLED(CONFIG_IPV6) 3852 static int smk_skb_to_addr_ipv6(struct sk_buff *skb, struct sockaddr_in6 *sip) 3853 { 3854 u8 nexthdr; 3855 int offset; 3856 int proto = -EINVAL; 3857 struct ipv6hdr _ipv6h; 3858 struct ipv6hdr *ip6; 3859 __be16 frag_off; 3860 struct tcphdr _tcph, *th; 3861 struct udphdr _udph, *uh; 3862 struct dccp_hdr _dccph, *dh; 3863 3864 sip->sin6_port = 0; 3865 3866 offset = skb_network_offset(skb); 3867 ip6 = skb_header_pointer(skb, offset, sizeof(_ipv6h), &_ipv6h); 3868 if (ip6 == NULL) 3869 return -EINVAL; 3870 sip->sin6_addr = ip6->saddr; 3871 3872 nexthdr = ip6->nexthdr; 3873 offset += sizeof(_ipv6h); 3874 offset = ipv6_skip_exthdr(skb, offset, &nexthdr, &frag_off); 3875 if (offset < 0) 3876 return -EINVAL; 3877 3878 proto = nexthdr; 3879 switch (proto) { 3880 case IPPROTO_TCP: 3881 th = skb_header_pointer(skb, offset, sizeof(_tcph), &_tcph); 3882 if (th != NULL) 3883 sip->sin6_port = th->source; 3884 break; 3885 case IPPROTO_UDP: 3886 case IPPROTO_UDPLITE: 3887 uh = skb_header_pointer(skb, offset, sizeof(_udph), &_udph); 3888 if (uh != NULL) 3889 sip->sin6_port = uh->source; 3890 break; 3891 case IPPROTO_DCCP: 3892 dh = skb_header_pointer(skb, offset, sizeof(_dccph), &_dccph); 3893 if (dh != NULL) 3894 sip->sin6_port = dh->dccph_sport; 3895 break; 3896 } 3897 return proto; 3898 } 3899 #endif /* CONFIG_IPV6 */ 3900 3901 /** 3902 * smack_from_skb - Smack data from the secmark in an skb 3903 * @skb: packet 3904 * 3905 * Returns smack_known of the secmark or NULL if that won't work. 3906 */ 3907 #ifdef CONFIG_NETWORK_SECMARK 3908 static struct smack_known *smack_from_skb(struct sk_buff *skb) 3909 { 3910 if (skb == NULL || skb->secmark == 0) 3911 return NULL; 3912 3913 return smack_from_secid(skb->secmark); 3914 } 3915 #else 3916 static inline struct smack_known *smack_from_skb(struct sk_buff *skb) 3917 { 3918 return NULL; 3919 } 3920 #endif 3921 3922 /** 3923 * smack_from_netlbl - Smack data from the IP options in an skb 3924 * @sk: socket data came in on 3925 * @family: address family 3926 * @skb: packet 3927 * 3928 * Find the Smack label in the IP options. If it hasn't been 3929 * added to the netlabel cache, add it here. 3930 * 3931 * Returns smack_known of the IP options or NULL if that won't work. 3932 */ 3933 static struct smack_known *smack_from_netlbl(const struct sock *sk, u16 family, 3934 struct sk_buff *skb) 3935 { 3936 struct netlbl_lsm_secattr secattr; 3937 struct socket_smack *ssp = NULL; 3938 struct smack_known *skp = NULL; 3939 3940 netlbl_secattr_init(&secattr); 3941 3942 if (sk) 3943 ssp = sk->sk_security; 3944 3945 if (netlbl_skbuff_getattr(skb, family, &secattr) == 0) { 3946 skp = smack_from_secattr(&secattr, ssp); 3947 if (secattr.flags & NETLBL_SECATTR_CACHEABLE) 3948 netlbl_cache_add(skb, family, &skp->smk_netlabel); 3949 } 3950 3951 netlbl_secattr_destroy(&secattr); 3952 3953 return skp; 3954 } 3955 3956 /** 3957 * smack_socket_sock_rcv_skb - Smack packet delivery access check 3958 * @sk: socket 3959 * @skb: packet 3960 * 3961 * Returns 0 if the packet should be delivered, an error code otherwise 3962 */ 3963 static int smack_socket_sock_rcv_skb(struct sock *sk, struct sk_buff *skb) 3964 { 3965 struct socket_smack *ssp = sk->sk_security; 3966 struct smack_known *skp = NULL; 3967 int rc = 0; 3968 struct smk_audit_info ad; 3969 u16 family = sk->sk_family; 3970 #ifdef CONFIG_AUDIT 3971 struct lsm_network_audit net; 3972 #endif 3973 #if IS_ENABLED(CONFIG_IPV6) 3974 struct sockaddr_in6 sadd; 3975 int proto; 3976 3977 if (family == PF_INET6 && skb->protocol == htons(ETH_P_IP)) 3978 family = PF_INET; 3979 #endif /* CONFIG_IPV6 */ 3980 3981 switch (family) { 3982 case PF_INET: 3983 /* 3984 * If there is a secmark use it rather than the CIPSO label. 3985 * If there is no secmark fall back to CIPSO. 3986 * The secmark is assumed to reflect policy better. 3987 */ 3988 skp = smack_from_skb(skb); 3989 if (skp == NULL) { 3990 skp = smack_from_netlbl(sk, family, skb); 3991 if (skp == NULL) 3992 skp = smack_net_ambient; 3993 } 3994 3995 #ifdef CONFIG_AUDIT 3996 smk_ad_init_net(&ad, __func__, LSM_AUDIT_DATA_NET, &net); 3997 ad.a.u.net->family = family; 3998 ad.a.u.net->netif = skb->skb_iif; 3999 ipv4_skb_to_auditdata(skb, &ad.a, NULL); 4000 #endif 4001 /* 4002 * Receiving a packet requires that the other end 4003 * be able to write here. Read access is not required. 4004 * This is the simplist possible security model 4005 * for networking. 4006 */ 4007 rc = smk_access(skp, ssp->smk_in, MAY_WRITE, &ad); 4008 rc = smk_bu_note("IPv4 delivery", skp, ssp->smk_in, 4009 MAY_WRITE, rc); 4010 if (rc != 0) 4011 netlbl_skbuff_err(skb, family, rc, 0); 4012 break; 4013 #if IS_ENABLED(CONFIG_IPV6) 4014 case PF_INET6: 4015 proto = smk_skb_to_addr_ipv6(skb, &sadd); 4016 if (proto != IPPROTO_UDP && proto != IPPROTO_UDPLITE && 4017 proto != IPPROTO_TCP && proto != IPPROTO_DCCP) 4018 break; 4019 #ifdef SMACK_IPV6_SECMARK_LABELING 4020 skp = smack_from_skb(skb); 4021 if (skp == NULL) { 4022 if (smk_ipv6_localhost(&sadd)) 4023 break; 4024 skp = smack_ipv6host_label(&sadd); 4025 if (skp == NULL) 4026 skp = smack_net_ambient; 4027 } 4028 #ifdef CONFIG_AUDIT 4029 smk_ad_init_net(&ad, __func__, LSM_AUDIT_DATA_NET, &net); 4030 ad.a.u.net->family = family; 4031 ad.a.u.net->netif = skb->skb_iif; 4032 ipv6_skb_to_auditdata(skb, &ad.a, NULL); 4033 #endif /* CONFIG_AUDIT */ 4034 rc = smk_access(skp, ssp->smk_in, MAY_WRITE, &ad); 4035 rc = smk_bu_note("IPv6 delivery", skp, ssp->smk_in, 4036 MAY_WRITE, rc); 4037 #endif /* SMACK_IPV6_SECMARK_LABELING */ 4038 #ifdef SMACK_IPV6_PORT_LABELING 4039 rc = smk_ipv6_port_check(sk, &sadd, SMK_RECEIVING); 4040 #endif /* SMACK_IPV6_PORT_LABELING */ 4041 if (rc != 0) 4042 icmpv6_send(skb, ICMPV6_DEST_UNREACH, 4043 ICMPV6_ADM_PROHIBITED, 0); 4044 break; 4045 #endif /* CONFIG_IPV6 */ 4046 } 4047 4048 return rc; 4049 } 4050 4051 /** 4052 * smack_socket_getpeersec_stream - pull in packet label 4053 * @sock: the socket 4054 * @optval: user's destination 4055 * @optlen: size thereof 4056 * @len: max thereof 4057 * 4058 * returns zero on success, an error code otherwise 4059 */ 4060 static int smack_socket_getpeersec_stream(struct socket *sock, 4061 sockptr_t optval, sockptr_t optlen, 4062 unsigned int len) 4063 { 4064 struct socket_smack *ssp; 4065 char *rcp = ""; 4066 u32 slen = 1; 4067 int rc = 0; 4068 4069 ssp = sock->sk->sk_security; 4070 if (ssp->smk_packet != NULL) { 4071 rcp = ssp->smk_packet->smk_known; 4072 slen = strlen(rcp) + 1; 4073 } 4074 if (slen > len) { 4075 rc = -ERANGE; 4076 goto out_len; 4077 } 4078 4079 if (copy_to_sockptr(optval, rcp, slen)) 4080 rc = -EFAULT; 4081 out_len: 4082 if (copy_to_sockptr(optlen, &slen, sizeof(slen))) 4083 rc = -EFAULT; 4084 return rc; 4085 } 4086 4087 4088 /** 4089 * smack_socket_getpeersec_dgram - pull in packet label 4090 * @sock: the peer socket 4091 * @skb: packet data 4092 * @secid: pointer to where to put the secid of the packet 4093 * 4094 * Sets the netlabel socket state on sk from parent 4095 */ 4096 static int smack_socket_getpeersec_dgram(struct socket *sock, 4097 struct sk_buff *skb, u32 *secid) 4098 4099 { 4100 struct socket_smack *ssp = NULL; 4101 struct smack_known *skp; 4102 struct sock *sk = NULL; 4103 int family = PF_UNSPEC; 4104 u32 s = 0; /* 0 is the invalid secid */ 4105 4106 if (skb != NULL) { 4107 if (skb->protocol == htons(ETH_P_IP)) 4108 family = PF_INET; 4109 #if IS_ENABLED(CONFIG_IPV6) 4110 else if (skb->protocol == htons(ETH_P_IPV6)) 4111 family = PF_INET6; 4112 #endif /* CONFIG_IPV6 */ 4113 } 4114 if (family == PF_UNSPEC && sock != NULL) 4115 family = sock->sk->sk_family; 4116 4117 switch (family) { 4118 case PF_UNIX: 4119 ssp = sock->sk->sk_security; 4120 s = ssp->smk_out->smk_secid; 4121 break; 4122 case PF_INET: 4123 skp = smack_from_skb(skb); 4124 if (skp) { 4125 s = skp->smk_secid; 4126 break; 4127 } 4128 /* 4129 * Translate what netlabel gave us. 4130 */ 4131 if (sock != NULL) 4132 sk = sock->sk; 4133 skp = smack_from_netlbl(sk, family, skb); 4134 if (skp != NULL) 4135 s = skp->smk_secid; 4136 break; 4137 case PF_INET6: 4138 #ifdef SMACK_IPV6_SECMARK_LABELING 4139 skp = smack_from_skb(skb); 4140 if (skp) 4141 s = skp->smk_secid; 4142 #endif 4143 break; 4144 } 4145 *secid = s; 4146 if (s == 0) 4147 return -EINVAL; 4148 return 0; 4149 } 4150 4151 /** 4152 * smack_sock_graft - Initialize a newly created socket with an existing sock 4153 * @sk: child sock 4154 * @parent: parent socket 4155 * 4156 * Set the smk_{in,out} state of an existing sock based on the process that 4157 * is creating the new socket. 4158 */ 4159 static void smack_sock_graft(struct sock *sk, struct socket *parent) 4160 { 4161 struct socket_smack *ssp; 4162 struct smack_known *skp = smk_of_current(); 4163 4164 if (sk == NULL || 4165 (sk->sk_family != PF_INET && sk->sk_family != PF_INET6)) 4166 return; 4167 4168 ssp = sk->sk_security; 4169 ssp->smk_in = skp; 4170 ssp->smk_out = skp; 4171 /* cssp->smk_packet is already set in smack_inet_csk_clone() */ 4172 } 4173 4174 /** 4175 * smack_inet_conn_request - Smack access check on connect 4176 * @sk: socket involved 4177 * @skb: packet 4178 * @req: unused 4179 * 4180 * Returns 0 if a task with the packet label could write to 4181 * the socket, otherwise an error code 4182 */ 4183 static int smack_inet_conn_request(const struct sock *sk, struct sk_buff *skb, 4184 struct request_sock *req) 4185 { 4186 u16 family = sk->sk_family; 4187 struct smack_known *skp; 4188 struct socket_smack *ssp = sk->sk_security; 4189 struct sockaddr_in addr; 4190 struct iphdr *hdr; 4191 struct smack_known *hskp; 4192 int rc; 4193 struct smk_audit_info ad; 4194 #ifdef CONFIG_AUDIT 4195 struct lsm_network_audit net; 4196 #endif 4197 4198 #if IS_ENABLED(CONFIG_IPV6) 4199 if (family == PF_INET6) { 4200 /* 4201 * Handle mapped IPv4 packets arriving 4202 * via IPv6 sockets. Don't set up netlabel 4203 * processing on IPv6. 4204 */ 4205 if (skb->protocol == htons(ETH_P_IP)) 4206 family = PF_INET; 4207 else 4208 return 0; 4209 } 4210 #endif /* CONFIG_IPV6 */ 4211 4212 /* 4213 * If there is a secmark use it rather than the CIPSO label. 4214 * If there is no secmark fall back to CIPSO. 4215 * The secmark is assumed to reflect policy better. 4216 */ 4217 skp = smack_from_skb(skb); 4218 if (skp == NULL) { 4219 skp = smack_from_netlbl(sk, family, skb); 4220 if (skp == NULL) 4221 skp = &smack_known_huh; 4222 } 4223 4224 #ifdef CONFIG_AUDIT 4225 smk_ad_init_net(&ad, __func__, LSM_AUDIT_DATA_NET, &net); 4226 ad.a.u.net->family = family; 4227 ad.a.u.net->netif = skb->skb_iif; 4228 ipv4_skb_to_auditdata(skb, &ad.a, NULL); 4229 #endif 4230 /* 4231 * Receiving a packet requires that the other end be able to write 4232 * here. Read access is not required. 4233 */ 4234 rc = smk_access(skp, ssp->smk_in, MAY_WRITE, &ad); 4235 rc = smk_bu_note("IPv4 connect", skp, ssp->smk_in, MAY_WRITE, rc); 4236 if (rc != 0) 4237 return rc; 4238 4239 /* 4240 * Save the peer's label in the request_sock so we can later setup 4241 * smk_packet in the child socket so that SO_PEERCRED can report it. 4242 */ 4243 req->peer_secid = skp->smk_secid; 4244 4245 /* 4246 * We need to decide if we want to label the incoming connection here 4247 * if we do we only need to label the request_sock and the stack will 4248 * propagate the wire-label to the sock when it is created. 4249 */ 4250 hdr = ip_hdr(skb); 4251 addr.sin_addr.s_addr = hdr->saddr; 4252 rcu_read_lock(); 4253 hskp = smack_ipv4host_label(&addr); 4254 rcu_read_unlock(); 4255 4256 if (hskp == NULL) 4257 rc = netlbl_req_setattr(req, &skp->smk_netlabel); 4258 else 4259 netlbl_req_delattr(req); 4260 4261 return rc; 4262 } 4263 4264 /** 4265 * smack_inet_csk_clone - Copy the connection information to the new socket 4266 * @sk: the new socket 4267 * @req: the connection's request_sock 4268 * 4269 * Transfer the connection's peer label to the newly created socket. 4270 */ 4271 static void smack_inet_csk_clone(struct sock *sk, 4272 const struct request_sock *req) 4273 { 4274 struct socket_smack *ssp = sk->sk_security; 4275 struct smack_known *skp; 4276 4277 if (req->peer_secid != 0) { 4278 skp = smack_from_secid(req->peer_secid); 4279 ssp->smk_packet = skp; 4280 } else 4281 ssp->smk_packet = NULL; 4282 } 4283 4284 /* 4285 * Key management security hooks 4286 * 4287 * Casey has not tested key support very heavily. 4288 * The permission check is most likely too restrictive. 4289 * If you care about keys please have a look. 4290 */ 4291 #ifdef CONFIG_KEYS 4292 4293 /** 4294 * smack_key_alloc - Set the key security blob 4295 * @key: object 4296 * @cred: the credentials to use 4297 * @flags: unused 4298 * 4299 * No allocation required 4300 * 4301 * Returns 0 4302 */ 4303 static int smack_key_alloc(struct key *key, const struct cred *cred, 4304 unsigned long flags) 4305 { 4306 struct smack_known *skp = smk_of_task(smack_cred(cred)); 4307 4308 key->security = skp; 4309 return 0; 4310 } 4311 4312 /** 4313 * smack_key_free - Clear the key security blob 4314 * @key: the object 4315 * 4316 * Clear the blob pointer 4317 */ 4318 static void smack_key_free(struct key *key) 4319 { 4320 key->security = NULL; 4321 } 4322 4323 /** 4324 * smack_key_permission - Smack access on a key 4325 * @key_ref: gets to the object 4326 * @cred: the credentials to use 4327 * @need_perm: requested key permission 4328 * 4329 * Return 0 if the task has read and write to the object, 4330 * an error code otherwise 4331 */ 4332 static int smack_key_permission(key_ref_t key_ref, 4333 const struct cred *cred, 4334 enum key_need_perm need_perm) 4335 { 4336 struct key *keyp; 4337 struct smk_audit_info ad; 4338 struct smack_known *tkp = smk_of_task(smack_cred(cred)); 4339 int request = 0; 4340 int rc; 4341 4342 /* 4343 * Validate requested permissions 4344 */ 4345 switch (need_perm) { 4346 case KEY_NEED_READ: 4347 case KEY_NEED_SEARCH: 4348 case KEY_NEED_VIEW: 4349 request |= MAY_READ; 4350 break; 4351 case KEY_NEED_WRITE: 4352 case KEY_NEED_LINK: 4353 case KEY_NEED_SETATTR: 4354 request |= MAY_WRITE; 4355 break; 4356 case KEY_NEED_UNSPECIFIED: 4357 case KEY_NEED_UNLINK: 4358 case KEY_SYSADMIN_OVERRIDE: 4359 case KEY_AUTHTOKEN_OVERRIDE: 4360 case KEY_DEFER_PERM_CHECK: 4361 return 0; 4362 default: 4363 return -EINVAL; 4364 } 4365 4366 keyp = key_ref_to_ptr(key_ref); 4367 if (keyp == NULL) 4368 return -EINVAL; 4369 /* 4370 * If the key hasn't been initialized give it access so that 4371 * it may do so. 4372 */ 4373 if (keyp->security == NULL) 4374 return 0; 4375 /* 4376 * This should not occur 4377 */ 4378 if (tkp == NULL) 4379 return -EACCES; 4380 4381 if (smack_privileged(CAP_MAC_OVERRIDE)) 4382 return 0; 4383 4384 #ifdef CONFIG_AUDIT 4385 smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_KEY); 4386 ad.a.u.key_struct.key = keyp->serial; 4387 ad.a.u.key_struct.key_desc = keyp->description; 4388 #endif 4389 rc = smk_access(tkp, keyp->security, request, &ad); 4390 rc = smk_bu_note("key access", tkp, keyp->security, request, rc); 4391 return rc; 4392 } 4393 4394 /* 4395 * smack_key_getsecurity - Smack label tagging the key 4396 * @key points to the key to be queried 4397 * @_buffer points to a pointer that should be set to point to the 4398 * resulting string (if no label or an error occurs). 4399 * Return the length of the string (including terminating NUL) or -ve if 4400 * an error. 4401 * May also return 0 (and a NULL buffer pointer) if there is no label. 4402 */ 4403 static int smack_key_getsecurity(struct key *key, char **_buffer) 4404 { 4405 struct smack_known *skp = key->security; 4406 size_t length; 4407 char *copy; 4408 4409 if (key->security == NULL) { 4410 *_buffer = NULL; 4411 return 0; 4412 } 4413 4414 copy = kstrdup(skp->smk_known, GFP_KERNEL); 4415 if (copy == NULL) 4416 return -ENOMEM; 4417 length = strlen(copy) + 1; 4418 4419 *_buffer = copy; 4420 return length; 4421 } 4422 4423 4424 #ifdef CONFIG_KEY_NOTIFICATIONS 4425 /** 4426 * smack_watch_key - Smack access to watch a key for notifications. 4427 * @key: The key to be watched 4428 * 4429 * Return 0 if the @watch->cred has permission to read from the key object and 4430 * an error otherwise. 4431 */ 4432 static int smack_watch_key(struct key *key) 4433 { 4434 struct smk_audit_info ad; 4435 struct smack_known *tkp = smk_of_current(); 4436 int rc; 4437 4438 if (key == NULL) 4439 return -EINVAL; 4440 /* 4441 * If the key hasn't been initialized give it access so that 4442 * it may do so. 4443 */ 4444 if (key->security == NULL) 4445 return 0; 4446 /* 4447 * This should not occur 4448 */ 4449 if (tkp == NULL) 4450 return -EACCES; 4451 4452 if (smack_privileged_cred(CAP_MAC_OVERRIDE, current_cred())) 4453 return 0; 4454 4455 #ifdef CONFIG_AUDIT 4456 smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_KEY); 4457 ad.a.u.key_struct.key = key->serial; 4458 ad.a.u.key_struct.key_desc = key->description; 4459 #endif 4460 rc = smk_access(tkp, key->security, MAY_READ, &ad); 4461 rc = smk_bu_note("key watch", tkp, key->security, MAY_READ, rc); 4462 return rc; 4463 } 4464 #endif /* CONFIG_KEY_NOTIFICATIONS */ 4465 #endif /* CONFIG_KEYS */ 4466 4467 #ifdef CONFIG_WATCH_QUEUE 4468 /** 4469 * smack_post_notification - Smack access to post a notification to a queue 4470 * @w_cred: The credentials of the watcher. 4471 * @cred: The credentials of the event source (may be NULL). 4472 * @n: The notification message to be posted. 4473 */ 4474 static int smack_post_notification(const struct cred *w_cred, 4475 const struct cred *cred, 4476 struct watch_notification *n) 4477 { 4478 struct smk_audit_info ad; 4479 struct smack_known *subj, *obj; 4480 int rc; 4481 4482 /* Always let maintenance notifications through. */ 4483 if (n->type == WATCH_TYPE_META) 4484 return 0; 4485 4486 if (!cred) 4487 return 0; 4488 subj = smk_of_task(smack_cred(cred)); 4489 obj = smk_of_task(smack_cred(w_cred)); 4490 4491 smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_NOTIFICATION); 4492 rc = smk_access(subj, obj, MAY_WRITE, &ad); 4493 rc = smk_bu_note("notification", subj, obj, MAY_WRITE, rc); 4494 return rc; 4495 } 4496 #endif /* CONFIG_WATCH_QUEUE */ 4497 4498 /* 4499 * Smack Audit hooks 4500 * 4501 * Audit requires a unique representation of each Smack specific 4502 * rule. This unique representation is used to distinguish the 4503 * object to be audited from remaining kernel objects and also 4504 * works as a glue between the audit hooks. 4505 * 4506 * Since repository entries are added but never deleted, we'll use 4507 * the smack_known label address related to the given audit rule as 4508 * the needed unique representation. This also better fits the smack 4509 * model where nearly everything is a label. 4510 */ 4511 #ifdef CONFIG_AUDIT 4512 4513 /** 4514 * smack_audit_rule_init - Initialize a smack audit rule 4515 * @field: audit rule fields given from user-space (audit.h) 4516 * @op: required testing operator (=, !=, >, <, ...) 4517 * @rulestr: smack label to be audited 4518 * @vrule: pointer to save our own audit rule representation 4519 * 4520 * Prepare to audit cases where (@field @op @rulestr) is true. 4521 * The label to be audited is created if necessay. 4522 */ 4523 static int smack_audit_rule_init(u32 field, u32 op, char *rulestr, void **vrule) 4524 { 4525 struct smack_known *skp; 4526 char **rule = (char **)vrule; 4527 *rule = NULL; 4528 4529 if (field != AUDIT_SUBJ_USER && field != AUDIT_OBJ_USER) 4530 return -EINVAL; 4531 4532 if (op != Audit_equal && op != Audit_not_equal) 4533 return -EINVAL; 4534 4535 skp = smk_import_entry(rulestr, 0); 4536 if (IS_ERR(skp)) 4537 return PTR_ERR(skp); 4538 4539 *rule = skp->smk_known; 4540 4541 return 0; 4542 } 4543 4544 /** 4545 * smack_audit_rule_known - Distinguish Smack audit rules 4546 * @krule: rule of interest, in Audit kernel representation format 4547 * 4548 * This is used to filter Smack rules from remaining Audit ones. 4549 * If it's proved that this rule belongs to us, the 4550 * audit_rule_match hook will be called to do the final judgement. 4551 */ 4552 static int smack_audit_rule_known(struct audit_krule *krule) 4553 { 4554 struct audit_field *f; 4555 int i; 4556 4557 for (i = 0; i < krule->field_count; i++) { 4558 f = &krule->fields[i]; 4559 4560 if (f->type == AUDIT_SUBJ_USER || f->type == AUDIT_OBJ_USER) 4561 return 1; 4562 } 4563 4564 return 0; 4565 } 4566 4567 /** 4568 * smack_audit_rule_match - Audit given object ? 4569 * @secid: security id for identifying the object to test 4570 * @field: audit rule flags given from user-space 4571 * @op: required testing operator 4572 * @vrule: smack internal rule presentation 4573 * 4574 * The core Audit hook. It's used to take the decision of 4575 * whether to audit or not to audit a given object. 4576 */ 4577 static int smack_audit_rule_match(u32 secid, u32 field, u32 op, void *vrule) 4578 { 4579 struct smack_known *skp; 4580 char *rule = vrule; 4581 4582 if (unlikely(!rule)) { 4583 WARN_ONCE(1, "Smack: missing rule\n"); 4584 return -ENOENT; 4585 } 4586 4587 if (field != AUDIT_SUBJ_USER && field != AUDIT_OBJ_USER) 4588 return 0; 4589 4590 skp = smack_from_secid(secid); 4591 4592 /* 4593 * No need to do string comparisons. If a match occurs, 4594 * both pointers will point to the same smack_known 4595 * label. 4596 */ 4597 if (op == Audit_equal) 4598 return (rule == skp->smk_known); 4599 if (op == Audit_not_equal) 4600 return (rule != skp->smk_known); 4601 4602 return 0; 4603 } 4604 4605 /* 4606 * There is no need for a smack_audit_rule_free hook. 4607 * No memory was allocated. 4608 */ 4609 4610 #endif /* CONFIG_AUDIT */ 4611 4612 /** 4613 * smack_ismaclabel - check if xattr @name references a smack MAC label 4614 * @name: Full xattr name to check. 4615 */ 4616 static int smack_ismaclabel(const char *name) 4617 { 4618 return (strcmp(name, XATTR_SMACK_SUFFIX) == 0); 4619 } 4620 4621 4622 /** 4623 * smack_secid_to_secctx - return the smack label for a secid 4624 * @secid: incoming integer 4625 * @secdata: destination 4626 * @seclen: how long it is 4627 * 4628 * Exists for networking code. 4629 */ 4630 static int smack_secid_to_secctx(u32 secid, char **secdata, u32 *seclen) 4631 { 4632 struct smack_known *skp = smack_from_secid(secid); 4633 4634 if (secdata) 4635 *secdata = skp->smk_known; 4636 *seclen = strlen(skp->smk_known); 4637 return 0; 4638 } 4639 4640 /** 4641 * smack_secctx_to_secid - return the secid for a smack label 4642 * @secdata: smack label 4643 * @seclen: how long result is 4644 * @secid: outgoing integer 4645 * 4646 * Exists for audit and networking code. 4647 */ 4648 static int smack_secctx_to_secid(const char *secdata, u32 seclen, u32 *secid) 4649 { 4650 struct smack_known *skp = smk_find_entry(secdata); 4651 4652 if (skp) 4653 *secid = skp->smk_secid; 4654 else 4655 *secid = 0; 4656 return 0; 4657 } 4658 4659 /* 4660 * There used to be a smack_release_secctx hook 4661 * that did nothing back when hooks were in a vector. 4662 * Now that there's a list such a hook adds cost. 4663 */ 4664 4665 static int smack_inode_notifysecctx(struct inode *inode, void *ctx, u32 ctxlen) 4666 { 4667 return smack_inode_setsecurity(inode, XATTR_SMACK_SUFFIX, ctx, 4668 ctxlen, 0); 4669 } 4670 4671 static int smack_inode_setsecctx(struct dentry *dentry, void *ctx, u32 ctxlen) 4672 { 4673 return __vfs_setxattr_noperm(&nop_mnt_idmap, dentry, XATTR_NAME_SMACK, 4674 ctx, ctxlen, 0); 4675 } 4676 4677 static int smack_inode_getsecctx(struct inode *inode, void **ctx, u32 *ctxlen) 4678 { 4679 struct smack_known *skp = smk_of_inode(inode); 4680 4681 *ctx = skp->smk_known; 4682 *ctxlen = strlen(skp->smk_known); 4683 return 0; 4684 } 4685 4686 static int smack_inode_copy_up(struct dentry *dentry, struct cred **new) 4687 { 4688 4689 struct task_smack *tsp; 4690 struct smack_known *skp; 4691 struct inode_smack *isp; 4692 struct cred *new_creds = *new; 4693 4694 if (new_creds == NULL) { 4695 new_creds = prepare_creds(); 4696 if (new_creds == NULL) 4697 return -ENOMEM; 4698 } 4699 4700 tsp = smack_cred(new_creds); 4701 4702 /* 4703 * Get label from overlay inode and set it in create_sid 4704 */ 4705 isp = smack_inode(d_inode(dentry)); 4706 skp = isp->smk_inode; 4707 tsp->smk_task = skp; 4708 *new = new_creds; 4709 return 0; 4710 } 4711 4712 static int smack_inode_copy_up_xattr(const char *name) 4713 { 4714 /* 4715 * Return 1 if this is the smack access Smack attribute. 4716 */ 4717 if (strcmp(name, XATTR_NAME_SMACK) == 0) 4718 return 1; 4719 4720 return -EOPNOTSUPP; 4721 } 4722 4723 static int smack_dentry_create_files_as(struct dentry *dentry, int mode, 4724 struct qstr *name, 4725 const struct cred *old, 4726 struct cred *new) 4727 { 4728 struct task_smack *otsp = smack_cred(old); 4729 struct task_smack *ntsp = smack_cred(new); 4730 struct inode_smack *isp; 4731 int may; 4732 4733 /* 4734 * Use the process credential unless all of 4735 * the transmuting criteria are met 4736 */ 4737 ntsp->smk_task = otsp->smk_task; 4738 4739 /* 4740 * the attribute of the containing directory 4741 */ 4742 isp = smack_inode(d_inode(dentry->d_parent)); 4743 4744 if (isp->smk_flags & SMK_INODE_TRANSMUTE) { 4745 rcu_read_lock(); 4746 may = smk_access_entry(otsp->smk_task->smk_known, 4747 isp->smk_inode->smk_known, 4748 &otsp->smk_task->smk_rules); 4749 rcu_read_unlock(); 4750 4751 /* 4752 * If the directory is transmuting and the rule 4753 * providing access is transmuting use the containing 4754 * directory label instead of the process label. 4755 */ 4756 if (may > 0 && (may & MAY_TRANSMUTE)) 4757 ntsp->smk_task = isp->smk_inode; 4758 } 4759 return 0; 4760 } 4761 4762 #ifdef CONFIG_IO_URING 4763 /** 4764 * smack_uring_override_creds - Is io_uring cred override allowed? 4765 * @new: the target creds 4766 * 4767 * Check to see if the current task is allowed to override it's credentials 4768 * to service an io_uring operation. 4769 */ 4770 static int smack_uring_override_creds(const struct cred *new) 4771 { 4772 struct task_smack *tsp = smack_cred(current_cred()); 4773 struct task_smack *nsp = smack_cred(new); 4774 4775 /* 4776 * Allow the degenerate case where the new Smack value is 4777 * the same as the current Smack value. 4778 */ 4779 if (tsp->smk_task == nsp->smk_task) 4780 return 0; 4781 4782 if (smack_privileged_cred(CAP_MAC_OVERRIDE, current_cred())) 4783 return 0; 4784 4785 return -EPERM; 4786 } 4787 4788 /** 4789 * smack_uring_sqpoll - check if a io_uring polling thread can be created 4790 * 4791 * Check to see if the current task is allowed to create a new io_uring 4792 * kernel polling thread. 4793 */ 4794 static int smack_uring_sqpoll(void) 4795 { 4796 if (smack_privileged_cred(CAP_MAC_ADMIN, current_cred())) 4797 return 0; 4798 4799 return -EPERM; 4800 } 4801 4802 /** 4803 * smack_uring_cmd - check on file operations for io_uring 4804 * @ioucmd: the command in question 4805 * 4806 * Make a best guess about whether a io_uring "command" should 4807 * be allowed. Use the same logic used for determining if the 4808 * file could be opened for read in the absence of better criteria. 4809 */ 4810 static int smack_uring_cmd(struct io_uring_cmd *ioucmd) 4811 { 4812 struct file *file = ioucmd->file; 4813 struct smk_audit_info ad; 4814 struct task_smack *tsp; 4815 struct inode *inode; 4816 int rc; 4817 4818 if (!file) 4819 return -EINVAL; 4820 4821 tsp = smack_cred(file->f_cred); 4822 inode = file_inode(file); 4823 4824 smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_PATH); 4825 smk_ad_setfield_u_fs_path(&ad, file->f_path); 4826 rc = smk_tskacc(tsp, smk_of_inode(inode), MAY_READ, &ad); 4827 rc = smk_bu_credfile(file->f_cred, file, MAY_READ, rc); 4828 4829 return rc; 4830 } 4831 4832 #endif /* CONFIG_IO_URING */ 4833 4834 struct lsm_blob_sizes smack_blob_sizes __ro_after_init = { 4835 .lbs_cred = sizeof(struct task_smack), 4836 .lbs_file = sizeof(struct smack_known *), 4837 .lbs_inode = sizeof(struct inode_smack), 4838 .lbs_ipc = sizeof(struct smack_known *), 4839 .lbs_msg_msg = sizeof(struct smack_known *), 4840 .lbs_superblock = sizeof(struct superblock_smack), 4841 }; 4842 4843 static struct security_hook_list smack_hooks[] __ro_after_init = { 4844 LSM_HOOK_INIT(ptrace_access_check, smack_ptrace_access_check), 4845 LSM_HOOK_INIT(ptrace_traceme, smack_ptrace_traceme), 4846 LSM_HOOK_INIT(syslog, smack_syslog), 4847 4848 LSM_HOOK_INIT(fs_context_dup, smack_fs_context_dup), 4849 LSM_HOOK_INIT(fs_context_parse_param, smack_fs_context_parse_param), 4850 4851 LSM_HOOK_INIT(sb_alloc_security, smack_sb_alloc_security), 4852 LSM_HOOK_INIT(sb_free_mnt_opts, smack_free_mnt_opts), 4853 LSM_HOOK_INIT(sb_eat_lsm_opts, smack_sb_eat_lsm_opts), 4854 LSM_HOOK_INIT(sb_statfs, smack_sb_statfs), 4855 LSM_HOOK_INIT(sb_set_mnt_opts, smack_set_mnt_opts), 4856 4857 LSM_HOOK_INIT(bprm_creds_for_exec, smack_bprm_creds_for_exec), 4858 4859 LSM_HOOK_INIT(inode_alloc_security, smack_inode_alloc_security), 4860 LSM_HOOK_INIT(inode_init_security, smack_inode_init_security), 4861 LSM_HOOK_INIT(inode_link, smack_inode_link), 4862 LSM_HOOK_INIT(inode_unlink, smack_inode_unlink), 4863 LSM_HOOK_INIT(inode_rmdir, smack_inode_rmdir), 4864 LSM_HOOK_INIT(inode_rename, smack_inode_rename), 4865 LSM_HOOK_INIT(inode_permission, smack_inode_permission), 4866 LSM_HOOK_INIT(inode_setattr, smack_inode_setattr), 4867 LSM_HOOK_INIT(inode_getattr, smack_inode_getattr), 4868 LSM_HOOK_INIT(inode_setxattr, smack_inode_setxattr), 4869 LSM_HOOK_INIT(inode_post_setxattr, smack_inode_post_setxattr), 4870 LSM_HOOK_INIT(inode_getxattr, smack_inode_getxattr), 4871 LSM_HOOK_INIT(inode_removexattr, smack_inode_removexattr), 4872 LSM_HOOK_INIT(inode_set_acl, smack_inode_set_acl), 4873 LSM_HOOK_INIT(inode_get_acl, smack_inode_get_acl), 4874 LSM_HOOK_INIT(inode_remove_acl, smack_inode_remove_acl), 4875 LSM_HOOK_INIT(inode_getsecurity, smack_inode_getsecurity), 4876 LSM_HOOK_INIT(inode_setsecurity, smack_inode_setsecurity), 4877 LSM_HOOK_INIT(inode_listsecurity, smack_inode_listsecurity), 4878 LSM_HOOK_INIT(inode_getsecid, smack_inode_getsecid), 4879 4880 LSM_HOOK_INIT(file_alloc_security, smack_file_alloc_security), 4881 LSM_HOOK_INIT(file_ioctl, smack_file_ioctl), 4882 LSM_HOOK_INIT(file_lock, smack_file_lock), 4883 LSM_HOOK_INIT(file_fcntl, smack_file_fcntl), 4884 LSM_HOOK_INIT(mmap_file, smack_mmap_file), 4885 LSM_HOOK_INIT(mmap_addr, cap_mmap_addr), 4886 LSM_HOOK_INIT(file_set_fowner, smack_file_set_fowner), 4887 LSM_HOOK_INIT(file_send_sigiotask, smack_file_send_sigiotask), 4888 LSM_HOOK_INIT(file_receive, smack_file_receive), 4889 4890 LSM_HOOK_INIT(file_open, smack_file_open), 4891 4892 LSM_HOOK_INIT(cred_alloc_blank, smack_cred_alloc_blank), 4893 LSM_HOOK_INIT(cred_free, smack_cred_free), 4894 LSM_HOOK_INIT(cred_prepare, smack_cred_prepare), 4895 LSM_HOOK_INIT(cred_transfer, smack_cred_transfer), 4896 LSM_HOOK_INIT(cred_getsecid, smack_cred_getsecid), 4897 LSM_HOOK_INIT(kernel_act_as, smack_kernel_act_as), 4898 LSM_HOOK_INIT(kernel_create_files_as, smack_kernel_create_files_as), 4899 LSM_HOOK_INIT(task_setpgid, smack_task_setpgid), 4900 LSM_HOOK_INIT(task_getpgid, smack_task_getpgid), 4901 LSM_HOOK_INIT(task_getsid, smack_task_getsid), 4902 LSM_HOOK_INIT(current_getsecid_subj, smack_current_getsecid_subj), 4903 LSM_HOOK_INIT(task_getsecid_obj, smack_task_getsecid_obj), 4904 LSM_HOOK_INIT(task_setnice, smack_task_setnice), 4905 LSM_HOOK_INIT(task_setioprio, smack_task_setioprio), 4906 LSM_HOOK_INIT(task_getioprio, smack_task_getioprio), 4907 LSM_HOOK_INIT(task_setscheduler, smack_task_setscheduler), 4908 LSM_HOOK_INIT(task_getscheduler, smack_task_getscheduler), 4909 LSM_HOOK_INIT(task_movememory, smack_task_movememory), 4910 LSM_HOOK_INIT(task_kill, smack_task_kill), 4911 LSM_HOOK_INIT(task_to_inode, smack_task_to_inode), 4912 4913 LSM_HOOK_INIT(ipc_permission, smack_ipc_permission), 4914 LSM_HOOK_INIT(ipc_getsecid, smack_ipc_getsecid), 4915 4916 LSM_HOOK_INIT(msg_msg_alloc_security, smack_msg_msg_alloc_security), 4917 4918 LSM_HOOK_INIT(msg_queue_alloc_security, smack_ipc_alloc_security), 4919 LSM_HOOK_INIT(msg_queue_associate, smack_msg_queue_associate), 4920 LSM_HOOK_INIT(msg_queue_msgctl, smack_msg_queue_msgctl), 4921 LSM_HOOK_INIT(msg_queue_msgsnd, smack_msg_queue_msgsnd), 4922 LSM_HOOK_INIT(msg_queue_msgrcv, smack_msg_queue_msgrcv), 4923 4924 LSM_HOOK_INIT(shm_alloc_security, smack_ipc_alloc_security), 4925 LSM_HOOK_INIT(shm_associate, smack_shm_associate), 4926 LSM_HOOK_INIT(shm_shmctl, smack_shm_shmctl), 4927 LSM_HOOK_INIT(shm_shmat, smack_shm_shmat), 4928 4929 LSM_HOOK_INIT(sem_alloc_security, smack_ipc_alloc_security), 4930 LSM_HOOK_INIT(sem_associate, smack_sem_associate), 4931 LSM_HOOK_INIT(sem_semctl, smack_sem_semctl), 4932 LSM_HOOK_INIT(sem_semop, smack_sem_semop), 4933 4934 LSM_HOOK_INIT(d_instantiate, smack_d_instantiate), 4935 4936 LSM_HOOK_INIT(getprocattr, smack_getprocattr), 4937 LSM_HOOK_INIT(setprocattr, smack_setprocattr), 4938 4939 LSM_HOOK_INIT(unix_stream_connect, smack_unix_stream_connect), 4940 LSM_HOOK_INIT(unix_may_send, smack_unix_may_send), 4941 4942 LSM_HOOK_INIT(socket_post_create, smack_socket_post_create), 4943 LSM_HOOK_INIT(socket_socketpair, smack_socket_socketpair), 4944 #ifdef SMACK_IPV6_PORT_LABELING 4945 LSM_HOOK_INIT(socket_bind, smack_socket_bind), 4946 #endif 4947 LSM_HOOK_INIT(socket_connect, smack_socket_connect), 4948 LSM_HOOK_INIT(socket_sendmsg, smack_socket_sendmsg), 4949 LSM_HOOK_INIT(socket_sock_rcv_skb, smack_socket_sock_rcv_skb), 4950 LSM_HOOK_INIT(socket_getpeersec_stream, smack_socket_getpeersec_stream), 4951 LSM_HOOK_INIT(socket_getpeersec_dgram, smack_socket_getpeersec_dgram), 4952 LSM_HOOK_INIT(sk_alloc_security, smack_sk_alloc_security), 4953 LSM_HOOK_INIT(sk_free_security, smack_sk_free_security), 4954 LSM_HOOK_INIT(sk_clone_security, smack_sk_clone_security), 4955 LSM_HOOK_INIT(sock_graft, smack_sock_graft), 4956 LSM_HOOK_INIT(inet_conn_request, smack_inet_conn_request), 4957 LSM_HOOK_INIT(inet_csk_clone, smack_inet_csk_clone), 4958 4959 /* key management security hooks */ 4960 #ifdef CONFIG_KEYS 4961 LSM_HOOK_INIT(key_alloc, smack_key_alloc), 4962 LSM_HOOK_INIT(key_free, smack_key_free), 4963 LSM_HOOK_INIT(key_permission, smack_key_permission), 4964 LSM_HOOK_INIT(key_getsecurity, smack_key_getsecurity), 4965 #ifdef CONFIG_KEY_NOTIFICATIONS 4966 LSM_HOOK_INIT(watch_key, smack_watch_key), 4967 #endif 4968 #endif /* CONFIG_KEYS */ 4969 4970 #ifdef CONFIG_WATCH_QUEUE 4971 LSM_HOOK_INIT(post_notification, smack_post_notification), 4972 #endif 4973 4974 /* Audit hooks */ 4975 #ifdef CONFIG_AUDIT 4976 LSM_HOOK_INIT(audit_rule_init, smack_audit_rule_init), 4977 LSM_HOOK_INIT(audit_rule_known, smack_audit_rule_known), 4978 LSM_HOOK_INIT(audit_rule_match, smack_audit_rule_match), 4979 #endif /* CONFIG_AUDIT */ 4980 4981 LSM_HOOK_INIT(ismaclabel, smack_ismaclabel), 4982 LSM_HOOK_INIT(secid_to_secctx, smack_secid_to_secctx), 4983 LSM_HOOK_INIT(secctx_to_secid, smack_secctx_to_secid), 4984 LSM_HOOK_INIT(inode_notifysecctx, smack_inode_notifysecctx), 4985 LSM_HOOK_INIT(inode_setsecctx, smack_inode_setsecctx), 4986 LSM_HOOK_INIT(inode_getsecctx, smack_inode_getsecctx), 4987 LSM_HOOK_INIT(inode_copy_up, smack_inode_copy_up), 4988 LSM_HOOK_INIT(inode_copy_up_xattr, smack_inode_copy_up_xattr), 4989 LSM_HOOK_INIT(dentry_create_files_as, smack_dentry_create_files_as), 4990 #ifdef CONFIG_IO_URING 4991 LSM_HOOK_INIT(uring_override_creds, smack_uring_override_creds), 4992 LSM_HOOK_INIT(uring_sqpoll, smack_uring_sqpoll), 4993 LSM_HOOK_INIT(uring_cmd, smack_uring_cmd), 4994 #endif 4995 }; 4996 4997 4998 static __init void init_smack_known_list(void) 4999 { 5000 /* 5001 * Initialize rule list locks 5002 */ 5003 mutex_init(&smack_known_huh.smk_rules_lock); 5004 mutex_init(&smack_known_hat.smk_rules_lock); 5005 mutex_init(&smack_known_floor.smk_rules_lock); 5006 mutex_init(&smack_known_star.smk_rules_lock); 5007 mutex_init(&smack_known_web.smk_rules_lock); 5008 /* 5009 * Initialize rule lists 5010 */ 5011 INIT_LIST_HEAD(&smack_known_huh.smk_rules); 5012 INIT_LIST_HEAD(&smack_known_hat.smk_rules); 5013 INIT_LIST_HEAD(&smack_known_star.smk_rules); 5014 INIT_LIST_HEAD(&smack_known_floor.smk_rules); 5015 INIT_LIST_HEAD(&smack_known_web.smk_rules); 5016 /* 5017 * Create the known labels list 5018 */ 5019 smk_insert_entry(&smack_known_huh); 5020 smk_insert_entry(&smack_known_hat); 5021 smk_insert_entry(&smack_known_star); 5022 smk_insert_entry(&smack_known_floor); 5023 smk_insert_entry(&smack_known_web); 5024 } 5025 5026 /** 5027 * smack_init - initialize the smack system 5028 * 5029 * Returns 0 on success, -ENOMEM is there's no memory 5030 */ 5031 static __init int smack_init(void) 5032 { 5033 struct cred *cred = (struct cred *) current->cred; 5034 struct task_smack *tsp; 5035 5036 smack_rule_cache = KMEM_CACHE(smack_rule, 0); 5037 if (!smack_rule_cache) 5038 return -ENOMEM; 5039 5040 /* 5041 * Set the security state for the initial task. 5042 */ 5043 tsp = smack_cred(cred); 5044 init_task_smack(tsp, &smack_known_floor, &smack_known_floor); 5045 5046 /* 5047 * Register with LSM 5048 */ 5049 security_add_hooks(smack_hooks, ARRAY_SIZE(smack_hooks), "smack"); 5050 smack_enabled = 1; 5051 5052 pr_info("Smack: Initializing.\n"); 5053 #ifdef CONFIG_SECURITY_SMACK_NETFILTER 5054 pr_info("Smack: Netfilter enabled.\n"); 5055 #endif 5056 #ifdef SMACK_IPV6_PORT_LABELING 5057 pr_info("Smack: IPv6 port labeling enabled.\n"); 5058 #endif 5059 #ifdef SMACK_IPV6_SECMARK_LABELING 5060 pr_info("Smack: IPv6 Netfilter enabled.\n"); 5061 #endif 5062 5063 /* initialize the smack_known_list */ 5064 init_smack_known_list(); 5065 5066 return 0; 5067 } 5068 5069 /* 5070 * Smack requires early initialization in order to label 5071 * all processes and objects when they are created. 5072 */ 5073 DEFINE_LSM(smack) = { 5074 .name = "smack", 5075 .flags = LSM_FLAG_LEGACY_MAJOR | LSM_FLAG_EXCLUSIVE, 5076 .blobs = &smack_blob_sizes, 5077 .init = smack_init, 5078 }; 5079