1 /* 2 * Simplified MAC Kernel (smack) security module 3 * 4 * This file contains the smack hook function implementations. 5 * 6 * Authors: 7 * Casey Schaufler <casey@schaufler-ca.com> 8 * Jarkko Sakkinen <jarkko.sakkinen@intel.com> 9 * 10 * Copyright (C) 2007 Casey Schaufler <casey@schaufler-ca.com> 11 * Copyright (C) 2009 Hewlett-Packard Development Company, L.P. 12 * Paul Moore <paul@paul-moore.com> 13 * Copyright (C) 2010 Nokia Corporation 14 * Copyright (C) 2011 Intel Corporation. 15 * 16 * This program is free software; you can redistribute it and/or modify 17 * it under the terms of the GNU General Public License version 2, 18 * as published by the Free Software Foundation. 19 */ 20 21 #include <linux/xattr.h> 22 #include <linux/pagemap.h> 23 #include <linux/mount.h> 24 #include <linux/stat.h> 25 #include <linux/kd.h> 26 #include <asm/ioctls.h> 27 #include <linux/ip.h> 28 #include <linux/tcp.h> 29 #include <linux/udp.h> 30 #include <linux/dccp.h> 31 #include <linux/slab.h> 32 #include <linux/mutex.h> 33 #include <linux/pipe_fs_i.h> 34 #include <net/cipso_ipv4.h> 35 #include <net/ip.h> 36 #include <net/ipv6.h> 37 #include <linux/audit.h> 38 #include <linux/magic.h> 39 #include <linux/dcache.h> 40 #include <linux/personality.h> 41 #include <linux/msg.h> 42 #include <linux/shm.h> 43 #include <linux/binfmts.h> 44 #include <linux/parser.h> 45 #include "smack.h" 46 47 #define TRANS_TRUE "TRUE" 48 #define TRANS_TRUE_SIZE 4 49 50 #define SMK_CONNECTING 0 51 #define SMK_RECEIVING 1 52 #define SMK_SENDING 2 53 54 #ifdef SMACK_IPV6_PORT_LABELING 55 static LIST_HEAD(smk_ipv6_port_list); 56 #endif 57 static struct kmem_cache *smack_inode_cache; 58 int smack_enabled; 59 60 static const match_table_t smk_mount_tokens = { 61 {Opt_fsdefault, SMK_FSDEFAULT "%s"}, 62 {Opt_fsfloor, SMK_FSFLOOR "%s"}, 63 {Opt_fshat, SMK_FSHAT "%s"}, 64 {Opt_fsroot, SMK_FSROOT "%s"}, 65 {Opt_fstransmute, SMK_FSTRANS "%s"}, 66 {Opt_error, NULL}, 67 }; 68 69 #ifdef CONFIG_SECURITY_SMACK_BRINGUP 70 static char *smk_bu_mess[] = { 71 "Bringup Error", /* Unused */ 72 "Bringup", /* SMACK_BRINGUP_ALLOW */ 73 "Unconfined Subject", /* SMACK_UNCONFINED_SUBJECT */ 74 "Unconfined Object", /* SMACK_UNCONFINED_OBJECT */ 75 }; 76 77 static void smk_bu_mode(int mode, char *s) 78 { 79 int i = 0; 80 81 if (mode & MAY_READ) 82 s[i++] = 'r'; 83 if (mode & MAY_WRITE) 84 s[i++] = 'w'; 85 if (mode & MAY_EXEC) 86 s[i++] = 'x'; 87 if (mode & MAY_APPEND) 88 s[i++] = 'a'; 89 if (mode & MAY_TRANSMUTE) 90 s[i++] = 't'; 91 if (mode & MAY_LOCK) 92 s[i++] = 'l'; 93 if (i == 0) 94 s[i++] = '-'; 95 s[i] = '\0'; 96 } 97 #endif 98 99 #ifdef CONFIG_SECURITY_SMACK_BRINGUP 100 static int smk_bu_note(char *note, struct smack_known *sskp, 101 struct smack_known *oskp, int mode, int rc) 102 { 103 char acc[SMK_NUM_ACCESS_TYPE + 1]; 104 105 if (rc <= 0) 106 return rc; 107 if (rc > SMACK_UNCONFINED_OBJECT) 108 rc = 0; 109 110 smk_bu_mode(mode, acc); 111 pr_info("Smack %s: (%s %s %s) %s\n", smk_bu_mess[rc], 112 sskp->smk_known, oskp->smk_known, acc, note); 113 return 0; 114 } 115 #else 116 #define smk_bu_note(note, sskp, oskp, mode, RC) (RC) 117 #endif 118 119 #ifdef CONFIG_SECURITY_SMACK_BRINGUP 120 static int smk_bu_current(char *note, struct smack_known *oskp, 121 int mode, int rc) 122 { 123 struct task_smack *tsp = current_security(); 124 char acc[SMK_NUM_ACCESS_TYPE + 1]; 125 126 if (rc <= 0) 127 return rc; 128 if (rc > SMACK_UNCONFINED_OBJECT) 129 rc = 0; 130 131 smk_bu_mode(mode, acc); 132 pr_info("Smack %s: (%s %s %s) %s %s\n", smk_bu_mess[rc], 133 tsp->smk_task->smk_known, oskp->smk_known, 134 acc, current->comm, note); 135 return 0; 136 } 137 #else 138 #define smk_bu_current(note, oskp, mode, RC) (RC) 139 #endif 140 141 #ifdef CONFIG_SECURITY_SMACK_BRINGUP 142 static int smk_bu_task(struct task_struct *otp, int mode, int rc) 143 { 144 struct task_smack *tsp = current_security(); 145 struct smack_known *smk_task = smk_of_task_struct(otp); 146 char acc[SMK_NUM_ACCESS_TYPE + 1]; 147 148 if (rc <= 0) 149 return rc; 150 if (rc > SMACK_UNCONFINED_OBJECT) 151 rc = 0; 152 153 smk_bu_mode(mode, acc); 154 pr_info("Smack %s: (%s %s %s) %s to %s\n", smk_bu_mess[rc], 155 tsp->smk_task->smk_known, smk_task->smk_known, acc, 156 current->comm, otp->comm); 157 return 0; 158 } 159 #else 160 #define smk_bu_task(otp, mode, RC) (RC) 161 #endif 162 163 #ifdef CONFIG_SECURITY_SMACK_BRINGUP 164 static int smk_bu_inode(struct inode *inode, int mode, int rc) 165 { 166 struct task_smack *tsp = current_security(); 167 struct inode_smack *isp = inode->i_security; 168 char acc[SMK_NUM_ACCESS_TYPE + 1]; 169 170 if (isp->smk_flags & SMK_INODE_IMPURE) 171 pr_info("Smack Unconfined Corruption: inode=(%s %ld) %s\n", 172 inode->i_sb->s_id, inode->i_ino, current->comm); 173 174 if (rc <= 0) 175 return rc; 176 if (rc > SMACK_UNCONFINED_OBJECT) 177 rc = 0; 178 if (rc == SMACK_UNCONFINED_SUBJECT && 179 (mode & (MAY_WRITE | MAY_APPEND))) 180 isp->smk_flags |= SMK_INODE_IMPURE; 181 182 smk_bu_mode(mode, acc); 183 184 pr_info("Smack %s: (%s %s %s) inode=(%s %ld) %s\n", smk_bu_mess[rc], 185 tsp->smk_task->smk_known, isp->smk_inode->smk_known, acc, 186 inode->i_sb->s_id, inode->i_ino, current->comm); 187 return 0; 188 } 189 #else 190 #define smk_bu_inode(inode, mode, RC) (RC) 191 #endif 192 193 #ifdef CONFIG_SECURITY_SMACK_BRINGUP 194 static int smk_bu_file(struct file *file, int mode, int rc) 195 { 196 struct task_smack *tsp = current_security(); 197 struct smack_known *sskp = tsp->smk_task; 198 struct inode *inode = file_inode(file); 199 struct inode_smack *isp = inode->i_security; 200 char acc[SMK_NUM_ACCESS_TYPE + 1]; 201 202 if (isp->smk_flags & SMK_INODE_IMPURE) 203 pr_info("Smack Unconfined Corruption: inode=(%s %ld) %s\n", 204 inode->i_sb->s_id, inode->i_ino, current->comm); 205 206 if (rc <= 0) 207 return rc; 208 if (rc > SMACK_UNCONFINED_OBJECT) 209 rc = 0; 210 211 smk_bu_mode(mode, acc); 212 pr_info("Smack %s: (%s %s %s) file=(%s %ld %pD) %s\n", smk_bu_mess[rc], 213 sskp->smk_known, smk_of_inode(inode)->smk_known, acc, 214 inode->i_sb->s_id, inode->i_ino, file, 215 current->comm); 216 return 0; 217 } 218 #else 219 #define smk_bu_file(file, mode, RC) (RC) 220 #endif 221 222 #ifdef CONFIG_SECURITY_SMACK_BRINGUP 223 static int smk_bu_credfile(const struct cred *cred, struct file *file, 224 int mode, int rc) 225 { 226 struct task_smack *tsp = cred->security; 227 struct smack_known *sskp = tsp->smk_task; 228 struct inode *inode = file_inode(file); 229 struct inode_smack *isp = inode->i_security; 230 char acc[SMK_NUM_ACCESS_TYPE + 1]; 231 232 if (isp->smk_flags & SMK_INODE_IMPURE) 233 pr_info("Smack Unconfined Corruption: inode=(%s %ld) %s\n", 234 inode->i_sb->s_id, inode->i_ino, current->comm); 235 236 if (rc <= 0) 237 return rc; 238 if (rc > SMACK_UNCONFINED_OBJECT) 239 rc = 0; 240 241 smk_bu_mode(mode, acc); 242 pr_info("Smack %s: (%s %s %s) file=(%s %ld %pD) %s\n", smk_bu_mess[rc], 243 sskp->smk_known, smk_of_inode(inode)->smk_known, acc, 244 inode->i_sb->s_id, inode->i_ino, file, 245 current->comm); 246 return 0; 247 } 248 #else 249 #define smk_bu_credfile(cred, file, mode, RC) (RC) 250 #endif 251 252 /** 253 * smk_fetch - Fetch the smack label from a file. 254 * @name: type of the label (attribute) 255 * @ip: a pointer to the inode 256 * @dp: a pointer to the dentry 257 * 258 * Returns a pointer to the master list entry for the Smack label, 259 * NULL if there was no label to fetch, or an error code. 260 */ 261 static struct smack_known *smk_fetch(const char *name, struct inode *ip, 262 struct dentry *dp) 263 { 264 int rc; 265 char *buffer; 266 struct smack_known *skp = NULL; 267 268 if (!(ip->i_opflags & IOP_XATTR)) 269 return ERR_PTR(-EOPNOTSUPP); 270 271 buffer = kzalloc(SMK_LONGLABEL, GFP_KERNEL); 272 if (buffer == NULL) 273 return ERR_PTR(-ENOMEM); 274 275 rc = __vfs_getxattr(dp, ip, name, buffer, SMK_LONGLABEL); 276 if (rc < 0) 277 skp = ERR_PTR(rc); 278 else if (rc == 0) 279 skp = NULL; 280 else 281 skp = smk_import_entry(buffer, rc); 282 283 kfree(buffer); 284 285 return skp; 286 } 287 288 /** 289 * new_inode_smack - allocate an inode security blob 290 * @skp: a pointer to the Smack label entry to use in the blob 291 * 292 * Returns the new blob or NULL if there's no memory available 293 */ 294 static struct inode_smack *new_inode_smack(struct smack_known *skp) 295 { 296 struct inode_smack *isp; 297 298 isp = kmem_cache_zalloc(smack_inode_cache, GFP_NOFS); 299 if (isp == NULL) 300 return NULL; 301 302 isp->smk_inode = skp; 303 isp->smk_flags = 0; 304 mutex_init(&isp->smk_lock); 305 306 return isp; 307 } 308 309 /** 310 * new_task_smack - allocate a task security blob 311 * @task: a pointer to the Smack label for the running task 312 * @forked: a pointer to the Smack label for the forked task 313 * @gfp: type of the memory for the allocation 314 * 315 * Returns the new blob or NULL if there's no memory available 316 */ 317 static struct task_smack *new_task_smack(struct smack_known *task, 318 struct smack_known *forked, gfp_t gfp) 319 { 320 struct task_smack *tsp; 321 322 tsp = kzalloc(sizeof(struct task_smack), gfp); 323 if (tsp == NULL) 324 return NULL; 325 326 tsp->smk_task = task; 327 tsp->smk_forked = forked; 328 INIT_LIST_HEAD(&tsp->smk_rules); 329 INIT_LIST_HEAD(&tsp->smk_relabel); 330 mutex_init(&tsp->smk_rules_lock); 331 332 return tsp; 333 } 334 335 /** 336 * smk_copy_rules - copy a rule set 337 * @nhead: new rules header pointer 338 * @ohead: old rules header pointer 339 * @gfp: type of the memory for the allocation 340 * 341 * Returns 0 on success, -ENOMEM on error 342 */ 343 static int smk_copy_rules(struct list_head *nhead, struct list_head *ohead, 344 gfp_t gfp) 345 { 346 struct smack_rule *nrp; 347 struct smack_rule *orp; 348 int rc = 0; 349 350 INIT_LIST_HEAD(nhead); 351 352 list_for_each_entry_rcu(orp, ohead, list) { 353 nrp = kzalloc(sizeof(struct smack_rule), gfp); 354 if (nrp == NULL) { 355 rc = -ENOMEM; 356 break; 357 } 358 *nrp = *orp; 359 list_add_rcu(&nrp->list, nhead); 360 } 361 return rc; 362 } 363 364 /** 365 * smk_copy_relabel - copy smk_relabel labels list 366 * @nhead: new rules header pointer 367 * @ohead: old rules header pointer 368 * @gfp: type of the memory for the allocation 369 * 370 * Returns 0 on success, -ENOMEM on error 371 */ 372 static int smk_copy_relabel(struct list_head *nhead, struct list_head *ohead, 373 gfp_t gfp) 374 { 375 struct smack_known_list_elem *nklep; 376 struct smack_known_list_elem *oklep; 377 378 INIT_LIST_HEAD(nhead); 379 380 list_for_each_entry(oklep, ohead, list) { 381 nklep = kzalloc(sizeof(struct smack_known_list_elem), gfp); 382 if (nklep == NULL) { 383 smk_destroy_label_list(nhead); 384 return -ENOMEM; 385 } 386 nklep->smk_label = oklep->smk_label; 387 list_add(&nklep->list, nhead); 388 } 389 390 return 0; 391 } 392 393 /** 394 * smk_ptrace_mode - helper function for converting PTRACE_MODE_* into MAY_* 395 * @mode - input mode in form of PTRACE_MODE_* 396 * 397 * Returns a converted MAY_* mode usable by smack rules 398 */ 399 static inline unsigned int smk_ptrace_mode(unsigned int mode) 400 { 401 if (mode & PTRACE_MODE_ATTACH) 402 return MAY_READWRITE; 403 if (mode & PTRACE_MODE_READ) 404 return MAY_READ; 405 406 return 0; 407 } 408 409 /** 410 * smk_ptrace_rule_check - helper for ptrace access 411 * @tracer: tracer process 412 * @tracee_known: label entry of the process that's about to be traced 413 * @mode: ptrace attachment mode (PTRACE_MODE_*) 414 * @func: name of the function that called us, used for audit 415 * 416 * Returns 0 on access granted, -error on error 417 */ 418 static int smk_ptrace_rule_check(struct task_struct *tracer, 419 struct smack_known *tracee_known, 420 unsigned int mode, const char *func) 421 { 422 int rc; 423 struct smk_audit_info ad, *saip = NULL; 424 struct task_smack *tsp; 425 struct smack_known *tracer_known; 426 427 if ((mode & PTRACE_MODE_NOAUDIT) == 0) { 428 smk_ad_init(&ad, func, LSM_AUDIT_DATA_TASK); 429 smk_ad_setfield_u_tsk(&ad, tracer); 430 saip = &ad; 431 } 432 433 rcu_read_lock(); 434 tsp = __task_cred(tracer)->security; 435 tracer_known = smk_of_task(tsp); 436 437 if ((mode & PTRACE_MODE_ATTACH) && 438 (smack_ptrace_rule == SMACK_PTRACE_EXACT || 439 smack_ptrace_rule == SMACK_PTRACE_DRACONIAN)) { 440 if (tracer_known->smk_known == tracee_known->smk_known) 441 rc = 0; 442 else if (smack_ptrace_rule == SMACK_PTRACE_DRACONIAN) 443 rc = -EACCES; 444 else if (capable(CAP_SYS_PTRACE)) 445 rc = 0; 446 else 447 rc = -EACCES; 448 449 if (saip) 450 smack_log(tracer_known->smk_known, 451 tracee_known->smk_known, 452 0, rc, saip); 453 454 rcu_read_unlock(); 455 return rc; 456 } 457 458 /* In case of rule==SMACK_PTRACE_DEFAULT or mode==PTRACE_MODE_READ */ 459 rc = smk_tskacc(tsp, tracee_known, smk_ptrace_mode(mode), saip); 460 461 rcu_read_unlock(); 462 return rc; 463 } 464 465 /* 466 * LSM hooks. 467 * We he, that is fun! 468 */ 469 470 /** 471 * smack_ptrace_access_check - Smack approval on PTRACE_ATTACH 472 * @ctp: child task pointer 473 * @mode: ptrace attachment mode (PTRACE_MODE_*) 474 * 475 * Returns 0 if access is OK, an error code otherwise 476 * 477 * Do the capability checks. 478 */ 479 static int smack_ptrace_access_check(struct task_struct *ctp, unsigned int mode) 480 { 481 struct smack_known *skp; 482 483 skp = smk_of_task_struct(ctp); 484 485 return smk_ptrace_rule_check(current, skp, mode, __func__); 486 } 487 488 /** 489 * smack_ptrace_traceme - Smack approval on PTRACE_TRACEME 490 * @ptp: parent task pointer 491 * 492 * Returns 0 if access is OK, an error code otherwise 493 * 494 * Do the capability checks, and require PTRACE_MODE_ATTACH. 495 */ 496 static int smack_ptrace_traceme(struct task_struct *ptp) 497 { 498 int rc; 499 struct smack_known *skp; 500 501 skp = smk_of_task(current_security()); 502 503 rc = smk_ptrace_rule_check(ptp, skp, PTRACE_MODE_ATTACH, __func__); 504 return rc; 505 } 506 507 /** 508 * smack_syslog - Smack approval on syslog 509 * @type: message type 510 * 511 * Returns 0 on success, error code otherwise. 512 */ 513 static int smack_syslog(int typefrom_file) 514 { 515 int rc = 0; 516 struct smack_known *skp = smk_of_current(); 517 518 if (smack_privileged(CAP_MAC_OVERRIDE)) 519 return 0; 520 521 if (smack_syslog_label != NULL && smack_syslog_label != skp) 522 rc = -EACCES; 523 524 return rc; 525 } 526 527 528 /* 529 * Superblock Hooks. 530 */ 531 532 /** 533 * smack_sb_alloc_security - allocate a superblock blob 534 * @sb: the superblock getting the blob 535 * 536 * Returns 0 on success or -ENOMEM on error. 537 */ 538 static int smack_sb_alloc_security(struct super_block *sb) 539 { 540 struct superblock_smack *sbsp; 541 542 sbsp = kzalloc(sizeof(struct superblock_smack), GFP_KERNEL); 543 544 if (sbsp == NULL) 545 return -ENOMEM; 546 547 sbsp->smk_root = &smack_known_floor; 548 sbsp->smk_default = &smack_known_floor; 549 sbsp->smk_floor = &smack_known_floor; 550 sbsp->smk_hat = &smack_known_hat; 551 /* 552 * SMK_SB_INITIALIZED will be zero from kzalloc. 553 */ 554 sb->s_security = sbsp; 555 556 return 0; 557 } 558 559 /** 560 * smack_sb_free_security - free a superblock blob 561 * @sb: the superblock getting the blob 562 * 563 */ 564 static void smack_sb_free_security(struct super_block *sb) 565 { 566 kfree(sb->s_security); 567 sb->s_security = NULL; 568 } 569 570 /** 571 * smack_sb_copy_data - copy mount options data for processing 572 * @orig: where to start 573 * @smackopts: mount options string 574 * 575 * Returns 0 on success or -ENOMEM on error. 576 * 577 * Copy the Smack specific mount options out of the mount 578 * options list. 579 */ 580 static int smack_sb_copy_data(char *orig, char *smackopts) 581 { 582 char *cp, *commap, *otheropts, *dp; 583 584 otheropts = (char *)get_zeroed_page(GFP_KERNEL); 585 if (otheropts == NULL) 586 return -ENOMEM; 587 588 for (cp = orig, commap = orig; commap != NULL; cp = commap + 1) { 589 if (strstr(cp, SMK_FSDEFAULT) == cp) 590 dp = smackopts; 591 else if (strstr(cp, SMK_FSFLOOR) == cp) 592 dp = smackopts; 593 else if (strstr(cp, SMK_FSHAT) == cp) 594 dp = smackopts; 595 else if (strstr(cp, SMK_FSROOT) == cp) 596 dp = smackopts; 597 else if (strstr(cp, SMK_FSTRANS) == cp) 598 dp = smackopts; 599 else 600 dp = otheropts; 601 602 commap = strchr(cp, ','); 603 if (commap != NULL) 604 *commap = '\0'; 605 606 if (*dp != '\0') 607 strcat(dp, ","); 608 strcat(dp, cp); 609 } 610 611 strcpy(orig, otheropts); 612 free_page((unsigned long)otheropts); 613 614 return 0; 615 } 616 617 /** 618 * smack_parse_opts_str - parse Smack specific mount options 619 * @options: mount options string 620 * @opts: where to store converted mount opts 621 * 622 * Returns 0 on success or -ENOMEM on error. 623 * 624 * converts Smack specific mount options to generic security option format 625 */ 626 static int smack_parse_opts_str(char *options, 627 struct security_mnt_opts *opts) 628 { 629 char *p; 630 char *fsdefault = NULL; 631 char *fsfloor = NULL; 632 char *fshat = NULL; 633 char *fsroot = NULL; 634 char *fstransmute = NULL; 635 int rc = -ENOMEM; 636 int num_mnt_opts = 0; 637 int token; 638 639 opts->num_mnt_opts = 0; 640 641 if (!options) 642 return 0; 643 644 while ((p = strsep(&options, ",")) != NULL) { 645 substring_t args[MAX_OPT_ARGS]; 646 647 if (!*p) 648 continue; 649 650 token = match_token(p, smk_mount_tokens, args); 651 652 switch (token) { 653 case Opt_fsdefault: 654 if (fsdefault) 655 goto out_opt_err; 656 fsdefault = match_strdup(&args[0]); 657 if (!fsdefault) 658 goto out_err; 659 break; 660 case Opt_fsfloor: 661 if (fsfloor) 662 goto out_opt_err; 663 fsfloor = match_strdup(&args[0]); 664 if (!fsfloor) 665 goto out_err; 666 break; 667 case Opt_fshat: 668 if (fshat) 669 goto out_opt_err; 670 fshat = match_strdup(&args[0]); 671 if (!fshat) 672 goto out_err; 673 break; 674 case Opt_fsroot: 675 if (fsroot) 676 goto out_opt_err; 677 fsroot = match_strdup(&args[0]); 678 if (!fsroot) 679 goto out_err; 680 break; 681 case Opt_fstransmute: 682 if (fstransmute) 683 goto out_opt_err; 684 fstransmute = match_strdup(&args[0]); 685 if (!fstransmute) 686 goto out_err; 687 break; 688 default: 689 rc = -EINVAL; 690 pr_warn("Smack: unknown mount option\n"); 691 goto out_err; 692 } 693 } 694 695 opts->mnt_opts = kcalloc(NUM_SMK_MNT_OPTS, sizeof(char *), GFP_KERNEL); 696 if (!opts->mnt_opts) 697 goto out_err; 698 699 opts->mnt_opts_flags = kcalloc(NUM_SMK_MNT_OPTS, sizeof(int), 700 GFP_KERNEL); 701 if (!opts->mnt_opts_flags) { 702 kfree(opts->mnt_opts); 703 goto out_err; 704 } 705 706 if (fsdefault) { 707 opts->mnt_opts[num_mnt_opts] = fsdefault; 708 opts->mnt_opts_flags[num_mnt_opts++] = FSDEFAULT_MNT; 709 } 710 if (fsfloor) { 711 opts->mnt_opts[num_mnt_opts] = fsfloor; 712 opts->mnt_opts_flags[num_mnt_opts++] = FSFLOOR_MNT; 713 } 714 if (fshat) { 715 opts->mnt_opts[num_mnt_opts] = fshat; 716 opts->mnt_opts_flags[num_mnt_opts++] = FSHAT_MNT; 717 } 718 if (fsroot) { 719 opts->mnt_opts[num_mnt_opts] = fsroot; 720 opts->mnt_opts_flags[num_mnt_opts++] = FSROOT_MNT; 721 } 722 if (fstransmute) { 723 opts->mnt_opts[num_mnt_opts] = fstransmute; 724 opts->mnt_opts_flags[num_mnt_opts++] = FSTRANS_MNT; 725 } 726 727 opts->num_mnt_opts = num_mnt_opts; 728 return 0; 729 730 out_opt_err: 731 rc = -EINVAL; 732 pr_warn("Smack: duplicate mount options\n"); 733 734 out_err: 735 kfree(fsdefault); 736 kfree(fsfloor); 737 kfree(fshat); 738 kfree(fsroot); 739 kfree(fstransmute); 740 return rc; 741 } 742 743 /** 744 * smack_set_mnt_opts - set Smack specific mount options 745 * @sb: the file system superblock 746 * @opts: Smack mount options 747 * @kern_flags: mount option from kernel space or user space 748 * @set_kern_flags: where to store converted mount opts 749 * 750 * Returns 0 on success, an error code on failure 751 * 752 * Allow filesystems with binary mount data to explicitly set Smack mount 753 * labels. 754 */ 755 static int smack_set_mnt_opts(struct super_block *sb, 756 struct security_mnt_opts *opts, 757 unsigned long kern_flags, 758 unsigned long *set_kern_flags) 759 { 760 struct dentry *root = sb->s_root; 761 struct inode *inode = d_backing_inode(root); 762 struct superblock_smack *sp = sb->s_security; 763 struct inode_smack *isp; 764 struct smack_known *skp; 765 int i; 766 int num_opts = opts->num_mnt_opts; 767 int transmute = 0; 768 769 if (sp->smk_flags & SMK_SB_INITIALIZED) 770 return 0; 771 772 if (!smack_privileged(CAP_MAC_ADMIN)) { 773 /* 774 * Unprivileged mounts don't get to specify Smack values. 775 */ 776 if (num_opts) 777 return -EPERM; 778 /* 779 * Unprivileged mounts get root and default from the caller. 780 */ 781 skp = smk_of_current(); 782 sp->smk_root = skp; 783 sp->smk_default = skp; 784 /* 785 * For a handful of fs types with no user-controlled 786 * backing store it's okay to trust security labels 787 * in the filesystem. The rest are untrusted. 788 */ 789 if (sb->s_user_ns != &init_user_ns && 790 sb->s_magic != SYSFS_MAGIC && sb->s_magic != TMPFS_MAGIC && 791 sb->s_magic != RAMFS_MAGIC) { 792 transmute = 1; 793 sp->smk_flags |= SMK_SB_UNTRUSTED; 794 } 795 } 796 797 sp->smk_flags |= SMK_SB_INITIALIZED; 798 799 for (i = 0; i < num_opts; i++) { 800 switch (opts->mnt_opts_flags[i]) { 801 case FSDEFAULT_MNT: 802 skp = smk_import_entry(opts->mnt_opts[i], 0); 803 if (IS_ERR(skp)) 804 return PTR_ERR(skp); 805 sp->smk_default = skp; 806 break; 807 case FSFLOOR_MNT: 808 skp = smk_import_entry(opts->mnt_opts[i], 0); 809 if (IS_ERR(skp)) 810 return PTR_ERR(skp); 811 sp->smk_floor = skp; 812 break; 813 case FSHAT_MNT: 814 skp = smk_import_entry(opts->mnt_opts[i], 0); 815 if (IS_ERR(skp)) 816 return PTR_ERR(skp); 817 sp->smk_hat = skp; 818 break; 819 case FSROOT_MNT: 820 skp = smk_import_entry(opts->mnt_opts[i], 0); 821 if (IS_ERR(skp)) 822 return PTR_ERR(skp); 823 sp->smk_root = skp; 824 break; 825 case FSTRANS_MNT: 826 skp = smk_import_entry(opts->mnt_opts[i], 0); 827 if (IS_ERR(skp)) 828 return PTR_ERR(skp); 829 sp->smk_root = skp; 830 transmute = 1; 831 break; 832 default: 833 break; 834 } 835 } 836 837 /* 838 * Initialize the root inode. 839 */ 840 isp = inode->i_security; 841 if (isp == NULL) { 842 isp = new_inode_smack(sp->smk_root); 843 if (isp == NULL) 844 return -ENOMEM; 845 inode->i_security = isp; 846 } else 847 isp->smk_inode = sp->smk_root; 848 849 if (transmute) 850 isp->smk_flags |= SMK_INODE_TRANSMUTE; 851 852 return 0; 853 } 854 855 /** 856 * smack_sb_kern_mount - Smack specific mount processing 857 * @sb: the file system superblock 858 * @flags: the mount flags 859 * @data: the smack mount options 860 * 861 * Returns 0 on success, an error code on failure 862 */ 863 static int smack_sb_kern_mount(struct super_block *sb, int flags, void *data) 864 { 865 int rc = 0; 866 char *options = data; 867 struct security_mnt_opts opts; 868 869 security_init_mnt_opts(&opts); 870 871 if (!options) 872 goto out; 873 874 rc = smack_parse_opts_str(options, &opts); 875 if (rc) 876 goto out_err; 877 878 out: 879 rc = smack_set_mnt_opts(sb, &opts, 0, NULL); 880 881 out_err: 882 security_free_mnt_opts(&opts); 883 return rc; 884 } 885 886 /** 887 * smack_sb_statfs - Smack check on statfs 888 * @dentry: identifies the file system in question 889 * 890 * Returns 0 if current can read the floor of the filesystem, 891 * and error code otherwise 892 */ 893 static int smack_sb_statfs(struct dentry *dentry) 894 { 895 struct superblock_smack *sbp = dentry->d_sb->s_security; 896 int rc; 897 struct smk_audit_info ad; 898 899 smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_DENTRY); 900 smk_ad_setfield_u_fs_path_dentry(&ad, dentry); 901 902 rc = smk_curacc(sbp->smk_floor, MAY_READ, &ad); 903 rc = smk_bu_current("statfs", sbp->smk_floor, MAY_READ, rc); 904 return rc; 905 } 906 907 /* 908 * BPRM hooks 909 */ 910 911 /** 912 * smack_bprm_set_creds - set creds for exec 913 * @bprm: the exec information 914 * 915 * Returns 0 if it gets a blob, -EPERM if exec forbidden and -ENOMEM otherwise 916 */ 917 static int smack_bprm_set_creds(struct linux_binprm *bprm) 918 { 919 struct inode *inode = file_inode(bprm->file); 920 struct task_smack *bsp = bprm->cred->security; 921 struct inode_smack *isp; 922 struct superblock_smack *sbsp; 923 int rc; 924 925 if (bprm->cred_prepared) 926 return 0; 927 928 isp = inode->i_security; 929 if (isp->smk_task == NULL || isp->smk_task == bsp->smk_task) 930 return 0; 931 932 sbsp = inode->i_sb->s_security; 933 if ((sbsp->smk_flags & SMK_SB_UNTRUSTED) && 934 isp->smk_task != sbsp->smk_root) 935 return 0; 936 937 if (bprm->unsafe & (LSM_UNSAFE_PTRACE | LSM_UNSAFE_PTRACE_CAP)) { 938 struct task_struct *tracer; 939 rc = 0; 940 941 rcu_read_lock(); 942 tracer = ptrace_parent(current); 943 if (likely(tracer != NULL)) 944 rc = smk_ptrace_rule_check(tracer, 945 isp->smk_task, 946 PTRACE_MODE_ATTACH, 947 __func__); 948 rcu_read_unlock(); 949 950 if (rc != 0) 951 return rc; 952 } else if (bprm->unsafe) 953 return -EPERM; 954 955 bsp->smk_task = isp->smk_task; 956 bprm->per_clear |= PER_CLEAR_ON_SETID; 957 958 return 0; 959 } 960 961 /** 962 * smack_bprm_committing_creds - Prepare to install the new credentials 963 * from bprm. 964 * 965 * @bprm: binprm for exec 966 */ 967 static void smack_bprm_committing_creds(struct linux_binprm *bprm) 968 { 969 struct task_smack *bsp = bprm->cred->security; 970 971 if (bsp->smk_task != bsp->smk_forked) 972 current->pdeath_signal = 0; 973 } 974 975 /** 976 * smack_bprm_secureexec - Return the decision to use secureexec. 977 * @bprm: binprm for exec 978 * 979 * Returns 0 on success. 980 */ 981 static int smack_bprm_secureexec(struct linux_binprm *bprm) 982 { 983 struct task_smack *tsp = current_security(); 984 985 if (tsp->smk_task != tsp->smk_forked) 986 return 1; 987 988 return 0; 989 } 990 991 /* 992 * Inode hooks 993 */ 994 995 /** 996 * smack_inode_alloc_security - allocate an inode blob 997 * @inode: the inode in need of a blob 998 * 999 * Returns 0 if it gets a blob, -ENOMEM otherwise 1000 */ 1001 static int smack_inode_alloc_security(struct inode *inode) 1002 { 1003 struct smack_known *skp = smk_of_current(); 1004 1005 inode->i_security = new_inode_smack(skp); 1006 if (inode->i_security == NULL) 1007 return -ENOMEM; 1008 return 0; 1009 } 1010 1011 /** 1012 * smack_inode_free_security - free an inode blob 1013 * @inode: the inode with a blob 1014 * 1015 * Clears the blob pointer in inode 1016 */ 1017 static void smack_inode_free_security(struct inode *inode) 1018 { 1019 kmem_cache_free(smack_inode_cache, inode->i_security); 1020 inode->i_security = NULL; 1021 } 1022 1023 /** 1024 * smack_inode_init_security - copy out the smack from an inode 1025 * @inode: the newly created inode 1026 * @dir: containing directory object 1027 * @qstr: unused 1028 * @name: where to put the attribute name 1029 * @value: where to put the attribute value 1030 * @len: where to put the length of the attribute 1031 * 1032 * Returns 0 if it all works out, -ENOMEM if there's no memory 1033 */ 1034 static int smack_inode_init_security(struct inode *inode, struct inode *dir, 1035 const struct qstr *qstr, const char **name, 1036 void **value, size_t *len) 1037 { 1038 struct inode_smack *issp = inode->i_security; 1039 struct smack_known *skp = smk_of_current(); 1040 struct smack_known *isp = smk_of_inode(inode); 1041 struct smack_known *dsp = smk_of_inode(dir); 1042 int may; 1043 1044 if (name) 1045 *name = XATTR_SMACK_SUFFIX; 1046 1047 if (value && len) { 1048 rcu_read_lock(); 1049 may = smk_access_entry(skp->smk_known, dsp->smk_known, 1050 &skp->smk_rules); 1051 rcu_read_unlock(); 1052 1053 /* 1054 * If the access rule allows transmutation and 1055 * the directory requests transmutation then 1056 * by all means transmute. 1057 * Mark the inode as changed. 1058 */ 1059 if (may > 0 && ((may & MAY_TRANSMUTE) != 0) && 1060 smk_inode_transmutable(dir)) { 1061 isp = dsp; 1062 issp->smk_flags |= SMK_INODE_CHANGED; 1063 } 1064 1065 *value = kstrdup(isp->smk_known, GFP_NOFS); 1066 if (*value == NULL) 1067 return -ENOMEM; 1068 1069 *len = strlen(isp->smk_known); 1070 } 1071 1072 return 0; 1073 } 1074 1075 /** 1076 * smack_inode_link - Smack check on link 1077 * @old_dentry: the existing object 1078 * @dir: unused 1079 * @new_dentry: the new object 1080 * 1081 * Returns 0 if access is permitted, an error code otherwise 1082 */ 1083 static int smack_inode_link(struct dentry *old_dentry, struct inode *dir, 1084 struct dentry *new_dentry) 1085 { 1086 struct smack_known *isp; 1087 struct smk_audit_info ad; 1088 int rc; 1089 1090 smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_DENTRY); 1091 smk_ad_setfield_u_fs_path_dentry(&ad, old_dentry); 1092 1093 isp = smk_of_inode(d_backing_inode(old_dentry)); 1094 rc = smk_curacc(isp, MAY_WRITE, &ad); 1095 rc = smk_bu_inode(d_backing_inode(old_dentry), MAY_WRITE, rc); 1096 1097 if (rc == 0 && d_is_positive(new_dentry)) { 1098 isp = smk_of_inode(d_backing_inode(new_dentry)); 1099 smk_ad_setfield_u_fs_path_dentry(&ad, new_dentry); 1100 rc = smk_curacc(isp, MAY_WRITE, &ad); 1101 rc = smk_bu_inode(d_backing_inode(new_dentry), MAY_WRITE, rc); 1102 } 1103 1104 return rc; 1105 } 1106 1107 /** 1108 * smack_inode_unlink - Smack check on inode deletion 1109 * @dir: containing directory object 1110 * @dentry: file to unlink 1111 * 1112 * Returns 0 if current can write the containing directory 1113 * and the object, error code otherwise 1114 */ 1115 static int smack_inode_unlink(struct inode *dir, struct dentry *dentry) 1116 { 1117 struct inode *ip = d_backing_inode(dentry); 1118 struct smk_audit_info ad; 1119 int rc; 1120 1121 smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_DENTRY); 1122 smk_ad_setfield_u_fs_path_dentry(&ad, dentry); 1123 1124 /* 1125 * You need write access to the thing you're unlinking 1126 */ 1127 rc = smk_curacc(smk_of_inode(ip), MAY_WRITE, &ad); 1128 rc = smk_bu_inode(ip, MAY_WRITE, rc); 1129 if (rc == 0) { 1130 /* 1131 * You also need write access to the containing directory 1132 */ 1133 smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_INODE); 1134 smk_ad_setfield_u_fs_inode(&ad, dir); 1135 rc = smk_curacc(smk_of_inode(dir), MAY_WRITE, &ad); 1136 rc = smk_bu_inode(dir, MAY_WRITE, rc); 1137 } 1138 return rc; 1139 } 1140 1141 /** 1142 * smack_inode_rmdir - Smack check on directory deletion 1143 * @dir: containing directory object 1144 * @dentry: directory to unlink 1145 * 1146 * Returns 0 if current can write the containing directory 1147 * and the directory, error code otherwise 1148 */ 1149 static int smack_inode_rmdir(struct inode *dir, struct dentry *dentry) 1150 { 1151 struct smk_audit_info ad; 1152 int rc; 1153 1154 smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_DENTRY); 1155 smk_ad_setfield_u_fs_path_dentry(&ad, dentry); 1156 1157 /* 1158 * You need write access to the thing you're removing 1159 */ 1160 rc = smk_curacc(smk_of_inode(d_backing_inode(dentry)), MAY_WRITE, &ad); 1161 rc = smk_bu_inode(d_backing_inode(dentry), MAY_WRITE, rc); 1162 if (rc == 0) { 1163 /* 1164 * You also need write access to the containing directory 1165 */ 1166 smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_INODE); 1167 smk_ad_setfield_u_fs_inode(&ad, dir); 1168 rc = smk_curacc(smk_of_inode(dir), MAY_WRITE, &ad); 1169 rc = smk_bu_inode(dir, MAY_WRITE, rc); 1170 } 1171 1172 return rc; 1173 } 1174 1175 /** 1176 * smack_inode_rename - Smack check on rename 1177 * @old_inode: unused 1178 * @old_dentry: the old object 1179 * @new_inode: unused 1180 * @new_dentry: the new object 1181 * 1182 * Read and write access is required on both the old and 1183 * new directories. 1184 * 1185 * Returns 0 if access is permitted, an error code otherwise 1186 */ 1187 static int smack_inode_rename(struct inode *old_inode, 1188 struct dentry *old_dentry, 1189 struct inode *new_inode, 1190 struct dentry *new_dentry) 1191 { 1192 int rc; 1193 struct smack_known *isp; 1194 struct smk_audit_info ad; 1195 1196 smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_DENTRY); 1197 smk_ad_setfield_u_fs_path_dentry(&ad, old_dentry); 1198 1199 isp = smk_of_inode(d_backing_inode(old_dentry)); 1200 rc = smk_curacc(isp, MAY_READWRITE, &ad); 1201 rc = smk_bu_inode(d_backing_inode(old_dentry), MAY_READWRITE, rc); 1202 1203 if (rc == 0 && d_is_positive(new_dentry)) { 1204 isp = smk_of_inode(d_backing_inode(new_dentry)); 1205 smk_ad_setfield_u_fs_path_dentry(&ad, new_dentry); 1206 rc = smk_curacc(isp, MAY_READWRITE, &ad); 1207 rc = smk_bu_inode(d_backing_inode(new_dentry), MAY_READWRITE, rc); 1208 } 1209 return rc; 1210 } 1211 1212 /** 1213 * smack_inode_permission - Smack version of permission() 1214 * @inode: the inode in question 1215 * @mask: the access requested 1216 * 1217 * This is the important Smack hook. 1218 * 1219 * Returns 0 if access is permitted, -EACCES otherwise 1220 */ 1221 static int smack_inode_permission(struct inode *inode, int mask) 1222 { 1223 struct superblock_smack *sbsp = inode->i_sb->s_security; 1224 struct smk_audit_info ad; 1225 int no_block = mask & MAY_NOT_BLOCK; 1226 int rc; 1227 1228 mask &= (MAY_READ|MAY_WRITE|MAY_EXEC|MAY_APPEND); 1229 /* 1230 * No permission to check. Existence test. Yup, it's there. 1231 */ 1232 if (mask == 0) 1233 return 0; 1234 1235 if (sbsp->smk_flags & SMK_SB_UNTRUSTED) { 1236 if (smk_of_inode(inode) != sbsp->smk_root) 1237 return -EACCES; 1238 } 1239 1240 /* May be droppable after audit */ 1241 if (no_block) 1242 return -ECHILD; 1243 smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_INODE); 1244 smk_ad_setfield_u_fs_inode(&ad, inode); 1245 rc = smk_curacc(smk_of_inode(inode), mask, &ad); 1246 rc = smk_bu_inode(inode, mask, rc); 1247 return rc; 1248 } 1249 1250 /** 1251 * smack_inode_setattr - Smack check for setting attributes 1252 * @dentry: the object 1253 * @iattr: for the force flag 1254 * 1255 * Returns 0 if access is permitted, an error code otherwise 1256 */ 1257 static int smack_inode_setattr(struct dentry *dentry, struct iattr *iattr) 1258 { 1259 struct smk_audit_info ad; 1260 int rc; 1261 1262 /* 1263 * Need to allow for clearing the setuid bit. 1264 */ 1265 if (iattr->ia_valid & ATTR_FORCE) 1266 return 0; 1267 smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_DENTRY); 1268 smk_ad_setfield_u_fs_path_dentry(&ad, dentry); 1269 1270 rc = smk_curacc(smk_of_inode(d_backing_inode(dentry)), MAY_WRITE, &ad); 1271 rc = smk_bu_inode(d_backing_inode(dentry), MAY_WRITE, rc); 1272 return rc; 1273 } 1274 1275 /** 1276 * smack_inode_getattr - Smack check for getting attributes 1277 * @mnt: vfsmount of the object 1278 * @dentry: the object 1279 * 1280 * Returns 0 if access is permitted, an error code otherwise 1281 */ 1282 static int smack_inode_getattr(const struct path *path) 1283 { 1284 struct smk_audit_info ad; 1285 struct inode *inode = d_backing_inode(path->dentry); 1286 int rc; 1287 1288 smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_PATH); 1289 smk_ad_setfield_u_fs_path(&ad, *path); 1290 rc = smk_curacc(smk_of_inode(inode), MAY_READ, &ad); 1291 rc = smk_bu_inode(inode, MAY_READ, rc); 1292 return rc; 1293 } 1294 1295 /** 1296 * smack_inode_setxattr - Smack check for setting xattrs 1297 * @dentry: the object 1298 * @name: name of the attribute 1299 * @value: value of the attribute 1300 * @size: size of the value 1301 * @flags: unused 1302 * 1303 * This protects the Smack attribute explicitly. 1304 * 1305 * Returns 0 if access is permitted, an error code otherwise 1306 */ 1307 static int smack_inode_setxattr(struct dentry *dentry, const char *name, 1308 const void *value, size_t size, int flags) 1309 { 1310 struct smk_audit_info ad; 1311 struct smack_known *skp; 1312 int check_priv = 0; 1313 int check_import = 0; 1314 int check_star = 0; 1315 int rc = 0; 1316 1317 /* 1318 * Check label validity here so import won't fail in post_setxattr 1319 */ 1320 if (strcmp(name, XATTR_NAME_SMACK) == 0 || 1321 strcmp(name, XATTR_NAME_SMACKIPIN) == 0 || 1322 strcmp(name, XATTR_NAME_SMACKIPOUT) == 0) { 1323 check_priv = 1; 1324 check_import = 1; 1325 } else if (strcmp(name, XATTR_NAME_SMACKEXEC) == 0 || 1326 strcmp(name, XATTR_NAME_SMACKMMAP) == 0) { 1327 check_priv = 1; 1328 check_import = 1; 1329 check_star = 1; 1330 } else if (strcmp(name, XATTR_NAME_SMACKTRANSMUTE) == 0) { 1331 check_priv = 1; 1332 if (size != TRANS_TRUE_SIZE || 1333 strncmp(value, TRANS_TRUE, TRANS_TRUE_SIZE) != 0) 1334 rc = -EINVAL; 1335 } else 1336 rc = cap_inode_setxattr(dentry, name, value, size, flags); 1337 1338 if (check_priv && !smack_privileged(CAP_MAC_ADMIN)) 1339 rc = -EPERM; 1340 1341 if (rc == 0 && check_import) { 1342 skp = size ? smk_import_entry(value, size) : NULL; 1343 if (IS_ERR(skp)) 1344 rc = PTR_ERR(skp); 1345 else if (skp == NULL || (check_star && 1346 (skp == &smack_known_star || skp == &smack_known_web))) 1347 rc = -EINVAL; 1348 } 1349 1350 smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_DENTRY); 1351 smk_ad_setfield_u_fs_path_dentry(&ad, dentry); 1352 1353 if (rc == 0) { 1354 rc = smk_curacc(smk_of_inode(d_backing_inode(dentry)), MAY_WRITE, &ad); 1355 rc = smk_bu_inode(d_backing_inode(dentry), MAY_WRITE, rc); 1356 } 1357 1358 return rc; 1359 } 1360 1361 /** 1362 * smack_inode_post_setxattr - Apply the Smack update approved above 1363 * @dentry: object 1364 * @name: attribute name 1365 * @value: attribute value 1366 * @size: attribute size 1367 * @flags: unused 1368 * 1369 * Set the pointer in the inode blob to the entry found 1370 * in the master label list. 1371 */ 1372 static void smack_inode_post_setxattr(struct dentry *dentry, const char *name, 1373 const void *value, size_t size, int flags) 1374 { 1375 struct smack_known *skp; 1376 struct inode_smack *isp = d_backing_inode(dentry)->i_security; 1377 1378 if (strcmp(name, XATTR_NAME_SMACKTRANSMUTE) == 0) { 1379 isp->smk_flags |= SMK_INODE_TRANSMUTE; 1380 return; 1381 } 1382 1383 if (strcmp(name, XATTR_NAME_SMACK) == 0) { 1384 skp = smk_import_entry(value, size); 1385 if (!IS_ERR(skp)) 1386 isp->smk_inode = skp; 1387 } else if (strcmp(name, XATTR_NAME_SMACKEXEC) == 0) { 1388 skp = smk_import_entry(value, size); 1389 if (!IS_ERR(skp)) 1390 isp->smk_task = skp; 1391 } else if (strcmp(name, XATTR_NAME_SMACKMMAP) == 0) { 1392 skp = smk_import_entry(value, size); 1393 if (!IS_ERR(skp)) 1394 isp->smk_mmap = skp; 1395 } 1396 1397 return; 1398 } 1399 1400 /** 1401 * smack_inode_getxattr - Smack check on getxattr 1402 * @dentry: the object 1403 * @name: unused 1404 * 1405 * Returns 0 if access is permitted, an error code otherwise 1406 */ 1407 static int smack_inode_getxattr(struct dentry *dentry, const char *name) 1408 { 1409 struct smk_audit_info ad; 1410 int rc; 1411 1412 smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_DENTRY); 1413 smk_ad_setfield_u_fs_path_dentry(&ad, dentry); 1414 1415 rc = smk_curacc(smk_of_inode(d_backing_inode(dentry)), MAY_READ, &ad); 1416 rc = smk_bu_inode(d_backing_inode(dentry), MAY_READ, rc); 1417 return rc; 1418 } 1419 1420 /** 1421 * smack_inode_removexattr - Smack check on removexattr 1422 * @dentry: the object 1423 * @name: name of the attribute 1424 * 1425 * Removing the Smack attribute requires CAP_MAC_ADMIN 1426 * 1427 * Returns 0 if access is permitted, an error code otherwise 1428 */ 1429 static int smack_inode_removexattr(struct dentry *dentry, const char *name) 1430 { 1431 struct inode_smack *isp; 1432 struct smk_audit_info ad; 1433 int rc = 0; 1434 1435 if (strcmp(name, XATTR_NAME_SMACK) == 0 || 1436 strcmp(name, XATTR_NAME_SMACKIPIN) == 0 || 1437 strcmp(name, XATTR_NAME_SMACKIPOUT) == 0 || 1438 strcmp(name, XATTR_NAME_SMACKEXEC) == 0 || 1439 strcmp(name, XATTR_NAME_SMACKTRANSMUTE) == 0 || 1440 strcmp(name, XATTR_NAME_SMACKMMAP) == 0) { 1441 if (!smack_privileged(CAP_MAC_ADMIN)) 1442 rc = -EPERM; 1443 } else 1444 rc = cap_inode_removexattr(dentry, name); 1445 1446 if (rc != 0) 1447 return rc; 1448 1449 smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_DENTRY); 1450 smk_ad_setfield_u_fs_path_dentry(&ad, dentry); 1451 1452 rc = smk_curacc(smk_of_inode(d_backing_inode(dentry)), MAY_WRITE, &ad); 1453 rc = smk_bu_inode(d_backing_inode(dentry), MAY_WRITE, rc); 1454 if (rc != 0) 1455 return rc; 1456 1457 isp = d_backing_inode(dentry)->i_security; 1458 /* 1459 * Don't do anything special for these. 1460 * XATTR_NAME_SMACKIPIN 1461 * XATTR_NAME_SMACKIPOUT 1462 */ 1463 if (strcmp(name, XATTR_NAME_SMACK) == 0) { 1464 struct super_block *sbp = dentry->d_sb; 1465 struct superblock_smack *sbsp = sbp->s_security; 1466 1467 isp->smk_inode = sbsp->smk_default; 1468 } else if (strcmp(name, XATTR_NAME_SMACKEXEC) == 0) 1469 isp->smk_task = NULL; 1470 else if (strcmp(name, XATTR_NAME_SMACKMMAP) == 0) 1471 isp->smk_mmap = NULL; 1472 else if (strcmp(name, XATTR_NAME_SMACKTRANSMUTE) == 0) 1473 isp->smk_flags &= ~SMK_INODE_TRANSMUTE; 1474 1475 return 0; 1476 } 1477 1478 /** 1479 * smack_inode_getsecurity - get smack xattrs 1480 * @inode: the object 1481 * @name: attribute name 1482 * @buffer: where to put the result 1483 * @alloc: unused 1484 * 1485 * Returns the size of the attribute or an error code 1486 */ 1487 static int smack_inode_getsecurity(struct inode *inode, 1488 const char *name, void **buffer, 1489 bool alloc) 1490 { 1491 struct socket_smack *ssp; 1492 struct socket *sock; 1493 struct super_block *sbp; 1494 struct inode *ip = (struct inode *)inode; 1495 struct smack_known *isp; 1496 int ilen; 1497 int rc = 0; 1498 1499 if (strcmp(name, XATTR_SMACK_SUFFIX) == 0) { 1500 isp = smk_of_inode(inode); 1501 ilen = strlen(isp->smk_known); 1502 *buffer = isp->smk_known; 1503 return ilen; 1504 } 1505 1506 /* 1507 * The rest of the Smack xattrs are only on sockets. 1508 */ 1509 sbp = ip->i_sb; 1510 if (sbp->s_magic != SOCKFS_MAGIC) 1511 return -EOPNOTSUPP; 1512 1513 sock = SOCKET_I(ip); 1514 if (sock == NULL || sock->sk == NULL) 1515 return -EOPNOTSUPP; 1516 1517 ssp = sock->sk->sk_security; 1518 1519 if (strcmp(name, XATTR_SMACK_IPIN) == 0) 1520 isp = ssp->smk_in; 1521 else if (strcmp(name, XATTR_SMACK_IPOUT) == 0) 1522 isp = ssp->smk_out; 1523 else 1524 return -EOPNOTSUPP; 1525 1526 ilen = strlen(isp->smk_known); 1527 if (rc == 0) { 1528 *buffer = isp->smk_known; 1529 rc = ilen; 1530 } 1531 1532 return rc; 1533 } 1534 1535 1536 /** 1537 * smack_inode_listsecurity - list the Smack attributes 1538 * @inode: the object 1539 * @buffer: where they go 1540 * @buffer_size: size of buffer 1541 */ 1542 static int smack_inode_listsecurity(struct inode *inode, char *buffer, 1543 size_t buffer_size) 1544 { 1545 int len = sizeof(XATTR_NAME_SMACK); 1546 1547 if (buffer != NULL && len <= buffer_size) 1548 memcpy(buffer, XATTR_NAME_SMACK, len); 1549 1550 return len; 1551 } 1552 1553 /** 1554 * smack_inode_getsecid - Extract inode's security id 1555 * @inode: inode to extract the info from 1556 * @secid: where result will be saved 1557 */ 1558 static void smack_inode_getsecid(struct inode *inode, u32 *secid) 1559 { 1560 struct inode_smack *isp = inode->i_security; 1561 1562 *secid = isp->smk_inode->smk_secid; 1563 } 1564 1565 /* 1566 * File Hooks 1567 */ 1568 1569 /* 1570 * There is no smack_file_permission hook 1571 * 1572 * Should access checks be done on each read or write? 1573 * UNICOS and SELinux say yes. 1574 * Trusted Solaris, Trusted Irix, and just about everyone else says no. 1575 * 1576 * I'll say no for now. Smack does not do the frequent 1577 * label changing that SELinux does. 1578 */ 1579 1580 /** 1581 * smack_file_alloc_security - assign a file security blob 1582 * @file: the object 1583 * 1584 * The security blob for a file is a pointer to the master 1585 * label list, so no allocation is done. 1586 * 1587 * f_security is the owner security information. It 1588 * isn't used on file access checks, it's for send_sigio. 1589 * 1590 * Returns 0 1591 */ 1592 static int smack_file_alloc_security(struct file *file) 1593 { 1594 struct smack_known *skp = smk_of_current(); 1595 1596 file->f_security = skp; 1597 return 0; 1598 } 1599 1600 /** 1601 * smack_file_free_security - clear a file security blob 1602 * @file: the object 1603 * 1604 * The security blob for a file is a pointer to the master 1605 * label list, so no memory is freed. 1606 */ 1607 static void smack_file_free_security(struct file *file) 1608 { 1609 file->f_security = NULL; 1610 } 1611 1612 /** 1613 * smack_file_ioctl - Smack check on ioctls 1614 * @file: the object 1615 * @cmd: what to do 1616 * @arg: unused 1617 * 1618 * Relies heavily on the correct use of the ioctl command conventions. 1619 * 1620 * Returns 0 if allowed, error code otherwise 1621 */ 1622 static int smack_file_ioctl(struct file *file, unsigned int cmd, 1623 unsigned long arg) 1624 { 1625 int rc = 0; 1626 struct smk_audit_info ad; 1627 struct inode *inode = file_inode(file); 1628 1629 smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_PATH); 1630 smk_ad_setfield_u_fs_path(&ad, file->f_path); 1631 1632 if (_IOC_DIR(cmd) & _IOC_WRITE) { 1633 rc = smk_curacc(smk_of_inode(inode), MAY_WRITE, &ad); 1634 rc = smk_bu_file(file, MAY_WRITE, rc); 1635 } 1636 1637 if (rc == 0 && (_IOC_DIR(cmd) & _IOC_READ)) { 1638 rc = smk_curacc(smk_of_inode(inode), MAY_READ, &ad); 1639 rc = smk_bu_file(file, MAY_READ, rc); 1640 } 1641 1642 return rc; 1643 } 1644 1645 /** 1646 * smack_file_lock - Smack check on file locking 1647 * @file: the object 1648 * @cmd: unused 1649 * 1650 * Returns 0 if current has lock access, error code otherwise 1651 */ 1652 static int smack_file_lock(struct file *file, unsigned int cmd) 1653 { 1654 struct smk_audit_info ad; 1655 int rc; 1656 struct inode *inode = file_inode(file); 1657 1658 smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_PATH); 1659 smk_ad_setfield_u_fs_path(&ad, file->f_path); 1660 rc = smk_curacc(smk_of_inode(inode), MAY_LOCK, &ad); 1661 rc = smk_bu_file(file, MAY_LOCK, rc); 1662 return rc; 1663 } 1664 1665 /** 1666 * smack_file_fcntl - Smack check on fcntl 1667 * @file: the object 1668 * @cmd: what action to check 1669 * @arg: unused 1670 * 1671 * Generally these operations are harmless. 1672 * File locking operations present an obvious mechanism 1673 * for passing information, so they require write access. 1674 * 1675 * Returns 0 if current has access, error code otherwise 1676 */ 1677 static int smack_file_fcntl(struct file *file, unsigned int cmd, 1678 unsigned long arg) 1679 { 1680 struct smk_audit_info ad; 1681 int rc = 0; 1682 struct inode *inode = file_inode(file); 1683 1684 switch (cmd) { 1685 case F_GETLK: 1686 break; 1687 case F_SETLK: 1688 case F_SETLKW: 1689 smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_PATH); 1690 smk_ad_setfield_u_fs_path(&ad, file->f_path); 1691 rc = smk_curacc(smk_of_inode(inode), MAY_LOCK, &ad); 1692 rc = smk_bu_file(file, MAY_LOCK, rc); 1693 break; 1694 case F_SETOWN: 1695 case F_SETSIG: 1696 smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_PATH); 1697 smk_ad_setfield_u_fs_path(&ad, file->f_path); 1698 rc = smk_curacc(smk_of_inode(inode), MAY_WRITE, &ad); 1699 rc = smk_bu_file(file, MAY_WRITE, rc); 1700 break; 1701 default: 1702 break; 1703 } 1704 1705 return rc; 1706 } 1707 1708 /** 1709 * smack_mmap_file : 1710 * Check permissions for a mmap operation. The @file may be NULL, e.g. 1711 * if mapping anonymous memory. 1712 * @file contains the file structure for file to map (may be NULL). 1713 * @reqprot contains the protection requested by the application. 1714 * @prot contains the protection that will be applied by the kernel. 1715 * @flags contains the operational flags. 1716 * Return 0 if permission is granted. 1717 */ 1718 static int smack_mmap_file(struct file *file, 1719 unsigned long reqprot, unsigned long prot, 1720 unsigned long flags) 1721 { 1722 struct smack_known *skp; 1723 struct smack_known *mkp; 1724 struct smack_rule *srp; 1725 struct task_smack *tsp; 1726 struct smack_known *okp; 1727 struct inode_smack *isp; 1728 struct superblock_smack *sbsp; 1729 int may; 1730 int mmay; 1731 int tmay; 1732 int rc; 1733 1734 if (file == NULL) 1735 return 0; 1736 1737 isp = file_inode(file)->i_security; 1738 if (isp->smk_mmap == NULL) 1739 return 0; 1740 sbsp = file_inode(file)->i_sb->s_security; 1741 if (sbsp->smk_flags & SMK_SB_UNTRUSTED && 1742 isp->smk_mmap != sbsp->smk_root) 1743 return -EACCES; 1744 mkp = isp->smk_mmap; 1745 1746 tsp = current_security(); 1747 skp = smk_of_current(); 1748 rc = 0; 1749 1750 rcu_read_lock(); 1751 /* 1752 * For each Smack rule associated with the subject 1753 * label verify that the SMACK64MMAP also has access 1754 * to that rule's object label. 1755 */ 1756 list_for_each_entry_rcu(srp, &skp->smk_rules, list) { 1757 okp = srp->smk_object; 1758 /* 1759 * Matching labels always allows access. 1760 */ 1761 if (mkp->smk_known == okp->smk_known) 1762 continue; 1763 /* 1764 * If there is a matching local rule take 1765 * that into account as well. 1766 */ 1767 may = smk_access_entry(srp->smk_subject->smk_known, 1768 okp->smk_known, 1769 &tsp->smk_rules); 1770 if (may == -ENOENT) 1771 may = srp->smk_access; 1772 else 1773 may &= srp->smk_access; 1774 /* 1775 * If may is zero the SMACK64MMAP subject can't 1776 * possibly have less access. 1777 */ 1778 if (may == 0) 1779 continue; 1780 1781 /* 1782 * Fetch the global list entry. 1783 * If there isn't one a SMACK64MMAP subject 1784 * can't have as much access as current. 1785 */ 1786 mmay = smk_access_entry(mkp->smk_known, okp->smk_known, 1787 &mkp->smk_rules); 1788 if (mmay == -ENOENT) { 1789 rc = -EACCES; 1790 break; 1791 } 1792 /* 1793 * If there is a local entry it modifies the 1794 * potential access, too. 1795 */ 1796 tmay = smk_access_entry(mkp->smk_known, okp->smk_known, 1797 &tsp->smk_rules); 1798 if (tmay != -ENOENT) 1799 mmay &= tmay; 1800 1801 /* 1802 * If there is any access available to current that is 1803 * not available to a SMACK64MMAP subject 1804 * deny access. 1805 */ 1806 if ((may | mmay) != mmay) { 1807 rc = -EACCES; 1808 break; 1809 } 1810 } 1811 1812 rcu_read_unlock(); 1813 1814 return rc; 1815 } 1816 1817 /** 1818 * smack_file_set_fowner - set the file security blob value 1819 * @file: object in question 1820 * 1821 */ 1822 static void smack_file_set_fowner(struct file *file) 1823 { 1824 file->f_security = smk_of_current(); 1825 } 1826 1827 /** 1828 * smack_file_send_sigiotask - Smack on sigio 1829 * @tsk: The target task 1830 * @fown: the object the signal come from 1831 * @signum: unused 1832 * 1833 * Allow a privileged task to get signals even if it shouldn't 1834 * 1835 * Returns 0 if a subject with the object's smack could 1836 * write to the task, an error code otherwise. 1837 */ 1838 static int smack_file_send_sigiotask(struct task_struct *tsk, 1839 struct fown_struct *fown, int signum) 1840 { 1841 struct smack_known *skp; 1842 struct smack_known *tkp = smk_of_task(tsk->cred->security); 1843 struct file *file; 1844 int rc; 1845 struct smk_audit_info ad; 1846 1847 /* 1848 * struct fown_struct is never outside the context of a struct file 1849 */ 1850 file = container_of(fown, struct file, f_owner); 1851 1852 /* we don't log here as rc can be overriden */ 1853 skp = file->f_security; 1854 rc = smk_access(skp, tkp, MAY_DELIVER, NULL); 1855 rc = smk_bu_note("sigiotask", skp, tkp, MAY_DELIVER, rc); 1856 if (rc != 0 && has_capability(tsk, CAP_MAC_OVERRIDE)) 1857 rc = 0; 1858 1859 smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_TASK); 1860 smk_ad_setfield_u_tsk(&ad, tsk); 1861 smack_log(skp->smk_known, tkp->smk_known, MAY_DELIVER, rc, &ad); 1862 return rc; 1863 } 1864 1865 /** 1866 * smack_file_receive - Smack file receive check 1867 * @file: the object 1868 * 1869 * Returns 0 if current has access, error code otherwise 1870 */ 1871 static int smack_file_receive(struct file *file) 1872 { 1873 int rc; 1874 int may = 0; 1875 struct smk_audit_info ad; 1876 struct inode *inode = file_inode(file); 1877 struct socket *sock; 1878 struct task_smack *tsp; 1879 struct socket_smack *ssp; 1880 1881 if (unlikely(IS_PRIVATE(inode))) 1882 return 0; 1883 1884 smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_PATH); 1885 smk_ad_setfield_u_fs_path(&ad, file->f_path); 1886 1887 if (S_ISSOCK(inode->i_mode)) { 1888 sock = SOCKET_I(inode); 1889 ssp = sock->sk->sk_security; 1890 tsp = current_security(); 1891 /* 1892 * If the receiving process can't write to the 1893 * passed socket or if the passed socket can't 1894 * write to the receiving process don't accept 1895 * the passed socket. 1896 */ 1897 rc = smk_access(tsp->smk_task, ssp->smk_out, MAY_WRITE, &ad); 1898 rc = smk_bu_file(file, may, rc); 1899 if (rc < 0) 1900 return rc; 1901 rc = smk_access(ssp->smk_in, tsp->smk_task, MAY_WRITE, &ad); 1902 rc = smk_bu_file(file, may, rc); 1903 return rc; 1904 } 1905 /* 1906 * This code relies on bitmasks. 1907 */ 1908 if (file->f_mode & FMODE_READ) 1909 may = MAY_READ; 1910 if (file->f_mode & FMODE_WRITE) 1911 may |= MAY_WRITE; 1912 1913 rc = smk_curacc(smk_of_inode(inode), may, &ad); 1914 rc = smk_bu_file(file, may, rc); 1915 return rc; 1916 } 1917 1918 /** 1919 * smack_file_open - Smack dentry open processing 1920 * @file: the object 1921 * @cred: task credential 1922 * 1923 * Set the security blob in the file structure. 1924 * Allow the open only if the task has read access. There are 1925 * many read operations (e.g. fstat) that you can do with an 1926 * fd even if you have the file open write-only. 1927 * 1928 * Returns 0 1929 */ 1930 static int smack_file_open(struct file *file, const struct cred *cred) 1931 { 1932 struct task_smack *tsp = cred->security; 1933 struct inode *inode = file_inode(file); 1934 struct smk_audit_info ad; 1935 int rc; 1936 1937 if (smack_privileged(CAP_MAC_OVERRIDE)) 1938 return 0; 1939 1940 smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_PATH); 1941 smk_ad_setfield_u_fs_path(&ad, file->f_path); 1942 rc = smk_access(tsp->smk_task, smk_of_inode(inode), MAY_READ, &ad); 1943 rc = smk_bu_credfile(cred, file, MAY_READ, rc); 1944 1945 return rc; 1946 } 1947 1948 /* 1949 * Task hooks 1950 */ 1951 1952 /** 1953 * smack_cred_alloc_blank - "allocate" blank task-level security credentials 1954 * @new: the new credentials 1955 * @gfp: the atomicity of any memory allocations 1956 * 1957 * Prepare a blank set of credentials for modification. This must allocate all 1958 * the memory the LSM module might require such that cred_transfer() can 1959 * complete without error. 1960 */ 1961 static int smack_cred_alloc_blank(struct cred *cred, gfp_t gfp) 1962 { 1963 struct task_smack *tsp; 1964 1965 tsp = new_task_smack(NULL, NULL, gfp); 1966 if (tsp == NULL) 1967 return -ENOMEM; 1968 1969 cred->security = tsp; 1970 1971 return 0; 1972 } 1973 1974 1975 /** 1976 * smack_cred_free - "free" task-level security credentials 1977 * @cred: the credentials in question 1978 * 1979 */ 1980 static void smack_cred_free(struct cred *cred) 1981 { 1982 struct task_smack *tsp = cred->security; 1983 struct smack_rule *rp; 1984 struct list_head *l; 1985 struct list_head *n; 1986 1987 if (tsp == NULL) 1988 return; 1989 cred->security = NULL; 1990 1991 smk_destroy_label_list(&tsp->smk_relabel); 1992 1993 list_for_each_safe(l, n, &tsp->smk_rules) { 1994 rp = list_entry(l, struct smack_rule, list); 1995 list_del(&rp->list); 1996 kfree(rp); 1997 } 1998 kfree(tsp); 1999 } 2000 2001 /** 2002 * smack_cred_prepare - prepare new set of credentials for modification 2003 * @new: the new credentials 2004 * @old: the original credentials 2005 * @gfp: the atomicity of any memory allocations 2006 * 2007 * Prepare a new set of credentials for modification. 2008 */ 2009 static int smack_cred_prepare(struct cred *new, const struct cred *old, 2010 gfp_t gfp) 2011 { 2012 struct task_smack *old_tsp = old->security; 2013 struct task_smack *new_tsp; 2014 int rc; 2015 2016 new_tsp = new_task_smack(old_tsp->smk_task, old_tsp->smk_task, gfp); 2017 if (new_tsp == NULL) 2018 return -ENOMEM; 2019 2020 new->security = new_tsp; 2021 2022 rc = smk_copy_rules(&new_tsp->smk_rules, &old_tsp->smk_rules, gfp); 2023 if (rc != 0) 2024 return rc; 2025 2026 rc = smk_copy_relabel(&new_tsp->smk_relabel, &old_tsp->smk_relabel, 2027 gfp); 2028 if (rc != 0) 2029 return rc; 2030 2031 return 0; 2032 } 2033 2034 /** 2035 * smack_cred_transfer - Transfer the old credentials to the new credentials 2036 * @new: the new credentials 2037 * @old: the original credentials 2038 * 2039 * Fill in a set of blank credentials from another set of credentials. 2040 */ 2041 static void smack_cred_transfer(struct cred *new, const struct cred *old) 2042 { 2043 struct task_smack *old_tsp = old->security; 2044 struct task_smack *new_tsp = new->security; 2045 2046 new_tsp->smk_task = old_tsp->smk_task; 2047 new_tsp->smk_forked = old_tsp->smk_task; 2048 mutex_init(&new_tsp->smk_rules_lock); 2049 INIT_LIST_HEAD(&new_tsp->smk_rules); 2050 2051 2052 /* cbs copy rule list */ 2053 } 2054 2055 /** 2056 * smack_kernel_act_as - Set the subjective context in a set of credentials 2057 * @new: points to the set of credentials to be modified. 2058 * @secid: specifies the security ID to be set 2059 * 2060 * Set the security data for a kernel service. 2061 */ 2062 static int smack_kernel_act_as(struct cred *new, u32 secid) 2063 { 2064 struct task_smack *new_tsp = new->security; 2065 2066 new_tsp->smk_task = smack_from_secid(secid); 2067 return 0; 2068 } 2069 2070 /** 2071 * smack_kernel_create_files_as - Set the file creation label in a set of creds 2072 * @new: points to the set of credentials to be modified 2073 * @inode: points to the inode to use as a reference 2074 * 2075 * Set the file creation context in a set of credentials to the same 2076 * as the objective context of the specified inode 2077 */ 2078 static int smack_kernel_create_files_as(struct cred *new, 2079 struct inode *inode) 2080 { 2081 struct inode_smack *isp = inode->i_security; 2082 struct task_smack *tsp = new->security; 2083 2084 tsp->smk_forked = isp->smk_inode; 2085 tsp->smk_task = tsp->smk_forked; 2086 return 0; 2087 } 2088 2089 /** 2090 * smk_curacc_on_task - helper to log task related access 2091 * @p: the task object 2092 * @access: the access requested 2093 * @caller: name of the calling function for audit 2094 * 2095 * Return 0 if access is permitted 2096 */ 2097 static int smk_curacc_on_task(struct task_struct *p, int access, 2098 const char *caller) 2099 { 2100 struct smk_audit_info ad; 2101 struct smack_known *skp = smk_of_task_struct(p); 2102 int rc; 2103 2104 smk_ad_init(&ad, caller, LSM_AUDIT_DATA_TASK); 2105 smk_ad_setfield_u_tsk(&ad, p); 2106 rc = smk_curacc(skp, access, &ad); 2107 rc = smk_bu_task(p, access, rc); 2108 return rc; 2109 } 2110 2111 /** 2112 * smack_task_setpgid - Smack check on setting pgid 2113 * @p: the task object 2114 * @pgid: unused 2115 * 2116 * Return 0 if write access is permitted 2117 */ 2118 static int smack_task_setpgid(struct task_struct *p, pid_t pgid) 2119 { 2120 return smk_curacc_on_task(p, MAY_WRITE, __func__); 2121 } 2122 2123 /** 2124 * smack_task_getpgid - Smack access check for getpgid 2125 * @p: the object task 2126 * 2127 * Returns 0 if current can read the object task, error code otherwise 2128 */ 2129 static int smack_task_getpgid(struct task_struct *p) 2130 { 2131 return smk_curacc_on_task(p, MAY_READ, __func__); 2132 } 2133 2134 /** 2135 * smack_task_getsid - Smack access check for getsid 2136 * @p: the object task 2137 * 2138 * Returns 0 if current can read the object task, error code otherwise 2139 */ 2140 static int smack_task_getsid(struct task_struct *p) 2141 { 2142 return smk_curacc_on_task(p, MAY_READ, __func__); 2143 } 2144 2145 /** 2146 * smack_task_getsecid - get the secid of the task 2147 * @p: the object task 2148 * @secid: where to put the result 2149 * 2150 * Sets the secid to contain a u32 version of the smack label. 2151 */ 2152 static void smack_task_getsecid(struct task_struct *p, u32 *secid) 2153 { 2154 struct smack_known *skp = smk_of_task_struct(p); 2155 2156 *secid = skp->smk_secid; 2157 } 2158 2159 /** 2160 * smack_task_setnice - Smack check on setting nice 2161 * @p: the task object 2162 * @nice: unused 2163 * 2164 * Return 0 if write access is permitted 2165 */ 2166 static int smack_task_setnice(struct task_struct *p, int nice) 2167 { 2168 return smk_curacc_on_task(p, MAY_WRITE, __func__); 2169 } 2170 2171 /** 2172 * smack_task_setioprio - Smack check on setting ioprio 2173 * @p: the task object 2174 * @ioprio: unused 2175 * 2176 * Return 0 if write access is permitted 2177 */ 2178 static int smack_task_setioprio(struct task_struct *p, int ioprio) 2179 { 2180 return smk_curacc_on_task(p, MAY_WRITE, __func__); 2181 } 2182 2183 /** 2184 * smack_task_getioprio - Smack check on reading ioprio 2185 * @p: the task object 2186 * 2187 * Return 0 if read access is permitted 2188 */ 2189 static int smack_task_getioprio(struct task_struct *p) 2190 { 2191 return smk_curacc_on_task(p, MAY_READ, __func__); 2192 } 2193 2194 /** 2195 * smack_task_setscheduler - Smack check on setting scheduler 2196 * @p: the task object 2197 * @policy: unused 2198 * @lp: unused 2199 * 2200 * Return 0 if read access is permitted 2201 */ 2202 static int smack_task_setscheduler(struct task_struct *p) 2203 { 2204 return smk_curacc_on_task(p, MAY_WRITE, __func__); 2205 } 2206 2207 /** 2208 * smack_task_getscheduler - Smack check on reading scheduler 2209 * @p: the task object 2210 * 2211 * Return 0 if read access is permitted 2212 */ 2213 static int smack_task_getscheduler(struct task_struct *p) 2214 { 2215 return smk_curacc_on_task(p, MAY_READ, __func__); 2216 } 2217 2218 /** 2219 * smack_task_movememory - Smack check on moving memory 2220 * @p: the task object 2221 * 2222 * Return 0 if write access is permitted 2223 */ 2224 static int smack_task_movememory(struct task_struct *p) 2225 { 2226 return smk_curacc_on_task(p, MAY_WRITE, __func__); 2227 } 2228 2229 /** 2230 * smack_task_kill - Smack check on signal delivery 2231 * @p: the task object 2232 * @info: unused 2233 * @sig: unused 2234 * @secid: identifies the smack to use in lieu of current's 2235 * 2236 * Return 0 if write access is permitted 2237 * 2238 * The secid behavior is an artifact of an SELinux hack 2239 * in the USB code. Someday it may go away. 2240 */ 2241 static int smack_task_kill(struct task_struct *p, struct siginfo *info, 2242 int sig, u32 secid) 2243 { 2244 struct smk_audit_info ad; 2245 struct smack_known *skp; 2246 struct smack_known *tkp = smk_of_task_struct(p); 2247 int rc; 2248 2249 if (!sig) 2250 return 0; /* null signal; existence test */ 2251 2252 smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_TASK); 2253 smk_ad_setfield_u_tsk(&ad, p); 2254 /* 2255 * Sending a signal requires that the sender 2256 * can write the receiver. 2257 */ 2258 if (secid == 0) { 2259 rc = smk_curacc(tkp, MAY_DELIVER, &ad); 2260 rc = smk_bu_task(p, MAY_DELIVER, rc); 2261 return rc; 2262 } 2263 /* 2264 * If the secid isn't 0 we're dealing with some USB IO 2265 * specific behavior. This is not clean. For one thing 2266 * we can't take privilege into account. 2267 */ 2268 skp = smack_from_secid(secid); 2269 rc = smk_access(skp, tkp, MAY_DELIVER, &ad); 2270 rc = smk_bu_note("USB signal", skp, tkp, MAY_DELIVER, rc); 2271 return rc; 2272 } 2273 2274 /** 2275 * smack_task_wait - Smack access check for waiting 2276 * @p: task to wait for 2277 * 2278 * Returns 0 2279 */ 2280 static int smack_task_wait(struct task_struct *p) 2281 { 2282 /* 2283 * Allow the operation to succeed. 2284 * Zombies are bad. 2285 * In userless environments (e.g. phones) programs 2286 * get marked with SMACK64EXEC and even if the parent 2287 * and child shouldn't be talking the parent still 2288 * may expect to know when the child exits. 2289 */ 2290 return 0; 2291 } 2292 2293 /** 2294 * smack_task_to_inode - copy task smack into the inode blob 2295 * @p: task to copy from 2296 * @inode: inode to copy to 2297 * 2298 * Sets the smack pointer in the inode security blob 2299 */ 2300 static void smack_task_to_inode(struct task_struct *p, struct inode *inode) 2301 { 2302 struct inode_smack *isp = inode->i_security; 2303 struct smack_known *skp = smk_of_task_struct(p); 2304 2305 isp->smk_inode = skp; 2306 } 2307 2308 /* 2309 * Socket hooks. 2310 */ 2311 2312 /** 2313 * smack_sk_alloc_security - Allocate a socket blob 2314 * @sk: the socket 2315 * @family: unused 2316 * @gfp_flags: memory allocation flags 2317 * 2318 * Assign Smack pointers to current 2319 * 2320 * Returns 0 on success, -ENOMEM is there's no memory 2321 */ 2322 static int smack_sk_alloc_security(struct sock *sk, int family, gfp_t gfp_flags) 2323 { 2324 struct smack_known *skp = smk_of_current(); 2325 struct socket_smack *ssp; 2326 2327 ssp = kzalloc(sizeof(struct socket_smack), gfp_flags); 2328 if (ssp == NULL) 2329 return -ENOMEM; 2330 2331 /* 2332 * Sockets created by kernel threads receive web label. 2333 */ 2334 if (unlikely(current->flags & PF_KTHREAD)) { 2335 ssp->smk_in = &smack_known_web; 2336 ssp->smk_out = &smack_known_web; 2337 } else { 2338 ssp->smk_in = skp; 2339 ssp->smk_out = skp; 2340 } 2341 ssp->smk_packet = NULL; 2342 2343 sk->sk_security = ssp; 2344 2345 return 0; 2346 } 2347 2348 /** 2349 * smack_sk_free_security - Free a socket blob 2350 * @sk: the socket 2351 * 2352 * Clears the blob pointer 2353 */ 2354 static void smack_sk_free_security(struct sock *sk) 2355 { 2356 kfree(sk->sk_security); 2357 } 2358 2359 /** 2360 * smack_ipv4host_label - check host based restrictions 2361 * @sip: the object end 2362 * 2363 * looks for host based access restrictions 2364 * 2365 * This version will only be appropriate for really small sets of single label 2366 * hosts. The caller is responsible for ensuring that the RCU read lock is 2367 * taken before calling this function. 2368 * 2369 * Returns the label of the far end or NULL if it's not special. 2370 */ 2371 static struct smack_known *smack_ipv4host_label(struct sockaddr_in *sip) 2372 { 2373 struct smk_net4addr *snp; 2374 struct in_addr *siap = &sip->sin_addr; 2375 2376 if (siap->s_addr == 0) 2377 return NULL; 2378 2379 list_for_each_entry_rcu(snp, &smk_net4addr_list, list) 2380 /* 2381 * we break after finding the first match because 2382 * the list is sorted from longest to shortest mask 2383 * so we have found the most specific match 2384 */ 2385 if (snp->smk_host.s_addr == 2386 (siap->s_addr & snp->smk_mask.s_addr)) 2387 return snp->smk_label; 2388 2389 return NULL; 2390 } 2391 2392 #if IS_ENABLED(CONFIG_IPV6) 2393 /* 2394 * smk_ipv6_localhost - Check for local ipv6 host address 2395 * @sip: the address 2396 * 2397 * Returns boolean true if this is the localhost address 2398 */ 2399 static bool smk_ipv6_localhost(struct sockaddr_in6 *sip) 2400 { 2401 __be16 *be16p = (__be16 *)&sip->sin6_addr; 2402 __be32 *be32p = (__be32 *)&sip->sin6_addr; 2403 2404 if (be32p[0] == 0 && be32p[1] == 0 && be32p[2] == 0 && be16p[6] == 0 && 2405 ntohs(be16p[7]) == 1) 2406 return true; 2407 return false; 2408 } 2409 2410 /** 2411 * smack_ipv6host_label - check host based restrictions 2412 * @sip: the object end 2413 * 2414 * looks for host based access restrictions 2415 * 2416 * This version will only be appropriate for really small sets of single label 2417 * hosts. The caller is responsible for ensuring that the RCU read lock is 2418 * taken before calling this function. 2419 * 2420 * Returns the label of the far end or NULL if it's not special. 2421 */ 2422 static struct smack_known *smack_ipv6host_label(struct sockaddr_in6 *sip) 2423 { 2424 struct smk_net6addr *snp; 2425 struct in6_addr *sap = &sip->sin6_addr; 2426 int i; 2427 int found = 0; 2428 2429 /* 2430 * It's local. Don't look for a host label. 2431 */ 2432 if (smk_ipv6_localhost(sip)) 2433 return NULL; 2434 2435 list_for_each_entry_rcu(snp, &smk_net6addr_list, list) { 2436 /* 2437 * If the label is NULL the entry has 2438 * been renounced. Ignore it. 2439 */ 2440 if (snp->smk_label == NULL) 2441 continue; 2442 /* 2443 * we break after finding the first match because 2444 * the list is sorted from longest to shortest mask 2445 * so we have found the most specific match 2446 */ 2447 for (found = 1, i = 0; i < 8; i++) { 2448 if ((sap->s6_addr16[i] & snp->smk_mask.s6_addr16[i]) != 2449 snp->smk_host.s6_addr16[i]) { 2450 found = 0; 2451 break; 2452 } 2453 } 2454 if (found) 2455 return snp->smk_label; 2456 } 2457 2458 return NULL; 2459 } 2460 #endif /* CONFIG_IPV6 */ 2461 2462 /** 2463 * smack_netlabel - Set the secattr on a socket 2464 * @sk: the socket 2465 * @labeled: socket label scheme 2466 * 2467 * Convert the outbound smack value (smk_out) to a 2468 * secattr and attach it to the socket. 2469 * 2470 * Returns 0 on success or an error code 2471 */ 2472 static int smack_netlabel(struct sock *sk, int labeled) 2473 { 2474 struct smack_known *skp; 2475 struct socket_smack *ssp = sk->sk_security; 2476 int rc = 0; 2477 2478 /* 2479 * Usually the netlabel code will handle changing the 2480 * packet labeling based on the label. 2481 * The case of a single label host is different, because 2482 * a single label host should never get a labeled packet 2483 * even though the label is usually associated with a packet 2484 * label. 2485 */ 2486 local_bh_disable(); 2487 bh_lock_sock_nested(sk); 2488 2489 if (ssp->smk_out == smack_net_ambient || 2490 labeled == SMACK_UNLABELED_SOCKET) 2491 netlbl_sock_delattr(sk); 2492 else { 2493 skp = ssp->smk_out; 2494 rc = netlbl_sock_setattr(sk, sk->sk_family, &skp->smk_netlabel); 2495 } 2496 2497 bh_unlock_sock(sk); 2498 local_bh_enable(); 2499 2500 return rc; 2501 } 2502 2503 /** 2504 * smack_netlbel_send - Set the secattr on a socket and perform access checks 2505 * @sk: the socket 2506 * @sap: the destination address 2507 * 2508 * Set the correct secattr for the given socket based on the destination 2509 * address and perform any outbound access checks needed. 2510 * 2511 * Returns 0 on success or an error code. 2512 * 2513 */ 2514 static int smack_netlabel_send(struct sock *sk, struct sockaddr_in *sap) 2515 { 2516 struct smack_known *skp; 2517 int rc; 2518 int sk_lbl; 2519 struct smack_known *hkp; 2520 struct socket_smack *ssp = sk->sk_security; 2521 struct smk_audit_info ad; 2522 2523 rcu_read_lock(); 2524 hkp = smack_ipv4host_label(sap); 2525 if (hkp != NULL) { 2526 #ifdef CONFIG_AUDIT 2527 struct lsm_network_audit net; 2528 2529 smk_ad_init_net(&ad, __func__, LSM_AUDIT_DATA_NET, &net); 2530 ad.a.u.net->family = sap->sin_family; 2531 ad.a.u.net->dport = sap->sin_port; 2532 ad.a.u.net->v4info.daddr = sap->sin_addr.s_addr; 2533 #endif 2534 sk_lbl = SMACK_UNLABELED_SOCKET; 2535 skp = ssp->smk_out; 2536 rc = smk_access(skp, hkp, MAY_WRITE, &ad); 2537 rc = smk_bu_note("IPv4 host check", skp, hkp, MAY_WRITE, rc); 2538 } else { 2539 sk_lbl = SMACK_CIPSO_SOCKET; 2540 rc = 0; 2541 } 2542 rcu_read_unlock(); 2543 if (rc != 0) 2544 return rc; 2545 2546 return smack_netlabel(sk, sk_lbl); 2547 } 2548 2549 #if IS_ENABLED(CONFIG_IPV6) 2550 /** 2551 * smk_ipv6_check - check Smack access 2552 * @subject: subject Smack label 2553 * @object: object Smack label 2554 * @address: address 2555 * @act: the action being taken 2556 * 2557 * Check an IPv6 access 2558 */ 2559 static int smk_ipv6_check(struct smack_known *subject, 2560 struct smack_known *object, 2561 struct sockaddr_in6 *address, int act) 2562 { 2563 #ifdef CONFIG_AUDIT 2564 struct lsm_network_audit net; 2565 #endif 2566 struct smk_audit_info ad; 2567 int rc; 2568 2569 #ifdef CONFIG_AUDIT 2570 smk_ad_init_net(&ad, __func__, LSM_AUDIT_DATA_NET, &net); 2571 ad.a.u.net->family = PF_INET6; 2572 ad.a.u.net->dport = ntohs(address->sin6_port); 2573 if (act == SMK_RECEIVING) 2574 ad.a.u.net->v6info.saddr = address->sin6_addr; 2575 else 2576 ad.a.u.net->v6info.daddr = address->sin6_addr; 2577 #endif 2578 rc = smk_access(subject, object, MAY_WRITE, &ad); 2579 rc = smk_bu_note("IPv6 check", subject, object, MAY_WRITE, rc); 2580 return rc; 2581 } 2582 #endif /* CONFIG_IPV6 */ 2583 2584 #ifdef SMACK_IPV6_PORT_LABELING 2585 /** 2586 * smk_ipv6_port_label - Smack port access table management 2587 * @sock: socket 2588 * @address: address 2589 * 2590 * Create or update the port list entry 2591 */ 2592 static void smk_ipv6_port_label(struct socket *sock, struct sockaddr *address) 2593 { 2594 struct sock *sk = sock->sk; 2595 struct sockaddr_in6 *addr6; 2596 struct socket_smack *ssp = sock->sk->sk_security; 2597 struct smk_port_label *spp; 2598 unsigned short port = 0; 2599 2600 if (address == NULL) { 2601 /* 2602 * This operation is changing the Smack information 2603 * on the bound socket. Take the changes to the port 2604 * as well. 2605 */ 2606 list_for_each_entry(spp, &smk_ipv6_port_list, list) { 2607 if (sk != spp->smk_sock) 2608 continue; 2609 spp->smk_in = ssp->smk_in; 2610 spp->smk_out = ssp->smk_out; 2611 return; 2612 } 2613 /* 2614 * A NULL address is only used for updating existing 2615 * bound entries. If there isn't one, it's OK. 2616 */ 2617 return; 2618 } 2619 2620 addr6 = (struct sockaddr_in6 *)address; 2621 port = ntohs(addr6->sin6_port); 2622 /* 2623 * This is a special case that is safely ignored. 2624 */ 2625 if (port == 0) 2626 return; 2627 2628 /* 2629 * Look for an existing port list entry. 2630 * This is an indication that a port is getting reused. 2631 */ 2632 list_for_each_entry(spp, &smk_ipv6_port_list, list) { 2633 if (spp->smk_port != port) 2634 continue; 2635 spp->smk_port = port; 2636 spp->smk_sock = sk; 2637 spp->smk_in = ssp->smk_in; 2638 spp->smk_out = ssp->smk_out; 2639 return; 2640 } 2641 2642 /* 2643 * A new port entry is required. 2644 */ 2645 spp = kzalloc(sizeof(*spp), GFP_KERNEL); 2646 if (spp == NULL) 2647 return; 2648 2649 spp->smk_port = port; 2650 spp->smk_sock = sk; 2651 spp->smk_in = ssp->smk_in; 2652 spp->smk_out = ssp->smk_out; 2653 2654 list_add(&spp->list, &smk_ipv6_port_list); 2655 return; 2656 } 2657 2658 /** 2659 * smk_ipv6_port_check - check Smack port access 2660 * @sock: socket 2661 * @address: address 2662 * 2663 * Create or update the port list entry 2664 */ 2665 static int smk_ipv6_port_check(struct sock *sk, struct sockaddr_in6 *address, 2666 int act) 2667 { 2668 struct smk_port_label *spp; 2669 struct socket_smack *ssp = sk->sk_security; 2670 struct smack_known *skp = NULL; 2671 unsigned short port; 2672 struct smack_known *object; 2673 2674 if (act == SMK_RECEIVING) { 2675 skp = smack_ipv6host_label(address); 2676 object = ssp->smk_in; 2677 } else { 2678 skp = ssp->smk_out; 2679 object = smack_ipv6host_label(address); 2680 } 2681 2682 /* 2683 * The other end is a single label host. 2684 */ 2685 if (skp != NULL && object != NULL) 2686 return smk_ipv6_check(skp, object, address, act); 2687 if (skp == NULL) 2688 skp = smack_net_ambient; 2689 if (object == NULL) 2690 object = smack_net_ambient; 2691 2692 /* 2693 * It's remote, so port lookup does no good. 2694 */ 2695 if (!smk_ipv6_localhost(address)) 2696 return smk_ipv6_check(skp, object, address, act); 2697 2698 /* 2699 * It's local so the send check has to have passed. 2700 */ 2701 if (act == SMK_RECEIVING) 2702 return 0; 2703 2704 port = ntohs(address->sin6_port); 2705 list_for_each_entry(spp, &smk_ipv6_port_list, list) { 2706 if (spp->smk_port != port) 2707 continue; 2708 object = spp->smk_in; 2709 if (act == SMK_CONNECTING) 2710 ssp->smk_packet = spp->smk_out; 2711 break; 2712 } 2713 2714 return smk_ipv6_check(skp, object, address, act); 2715 } 2716 #endif /* SMACK_IPV6_PORT_LABELING */ 2717 2718 /** 2719 * smack_inode_setsecurity - set smack xattrs 2720 * @inode: the object 2721 * @name: attribute name 2722 * @value: attribute value 2723 * @size: size of the attribute 2724 * @flags: unused 2725 * 2726 * Sets the named attribute in the appropriate blob 2727 * 2728 * Returns 0 on success, or an error code 2729 */ 2730 static int smack_inode_setsecurity(struct inode *inode, const char *name, 2731 const void *value, size_t size, int flags) 2732 { 2733 struct smack_known *skp; 2734 struct inode_smack *nsp = inode->i_security; 2735 struct socket_smack *ssp; 2736 struct socket *sock; 2737 int rc = 0; 2738 2739 if (value == NULL || size > SMK_LONGLABEL || size == 0) 2740 return -EINVAL; 2741 2742 skp = smk_import_entry(value, size); 2743 if (IS_ERR(skp)) 2744 return PTR_ERR(skp); 2745 2746 if (strcmp(name, XATTR_SMACK_SUFFIX) == 0) { 2747 nsp->smk_inode = skp; 2748 nsp->smk_flags |= SMK_INODE_INSTANT; 2749 return 0; 2750 } 2751 /* 2752 * The rest of the Smack xattrs are only on sockets. 2753 */ 2754 if (inode->i_sb->s_magic != SOCKFS_MAGIC) 2755 return -EOPNOTSUPP; 2756 2757 sock = SOCKET_I(inode); 2758 if (sock == NULL || sock->sk == NULL) 2759 return -EOPNOTSUPP; 2760 2761 ssp = sock->sk->sk_security; 2762 2763 if (strcmp(name, XATTR_SMACK_IPIN) == 0) 2764 ssp->smk_in = skp; 2765 else if (strcmp(name, XATTR_SMACK_IPOUT) == 0) { 2766 ssp->smk_out = skp; 2767 if (sock->sk->sk_family == PF_INET) { 2768 rc = smack_netlabel(sock->sk, SMACK_CIPSO_SOCKET); 2769 if (rc != 0) 2770 printk(KERN_WARNING 2771 "Smack: \"%s\" netlbl error %d.\n", 2772 __func__, -rc); 2773 } 2774 } else 2775 return -EOPNOTSUPP; 2776 2777 #ifdef SMACK_IPV6_PORT_LABELING 2778 if (sock->sk->sk_family == PF_INET6) 2779 smk_ipv6_port_label(sock, NULL); 2780 #endif 2781 2782 return 0; 2783 } 2784 2785 /** 2786 * smack_socket_post_create - finish socket setup 2787 * @sock: the socket 2788 * @family: protocol family 2789 * @type: unused 2790 * @protocol: unused 2791 * @kern: unused 2792 * 2793 * Sets the netlabel information on the socket 2794 * 2795 * Returns 0 on success, and error code otherwise 2796 */ 2797 static int smack_socket_post_create(struct socket *sock, int family, 2798 int type, int protocol, int kern) 2799 { 2800 struct socket_smack *ssp; 2801 2802 if (sock->sk == NULL) 2803 return 0; 2804 2805 /* 2806 * Sockets created by kernel threads receive web label. 2807 */ 2808 if (unlikely(current->flags & PF_KTHREAD)) { 2809 ssp = sock->sk->sk_security; 2810 ssp->smk_in = &smack_known_web; 2811 ssp->smk_out = &smack_known_web; 2812 } 2813 2814 if (family != PF_INET) 2815 return 0; 2816 /* 2817 * Set the outbound netlbl. 2818 */ 2819 return smack_netlabel(sock->sk, SMACK_CIPSO_SOCKET); 2820 } 2821 2822 #ifdef SMACK_IPV6_PORT_LABELING 2823 /** 2824 * smack_socket_bind - record port binding information. 2825 * @sock: the socket 2826 * @address: the port address 2827 * @addrlen: size of the address 2828 * 2829 * Records the label bound to a port. 2830 * 2831 * Returns 0 2832 */ 2833 static int smack_socket_bind(struct socket *sock, struct sockaddr *address, 2834 int addrlen) 2835 { 2836 if (sock->sk != NULL && sock->sk->sk_family == PF_INET6) 2837 smk_ipv6_port_label(sock, address); 2838 return 0; 2839 } 2840 #endif /* SMACK_IPV6_PORT_LABELING */ 2841 2842 /** 2843 * smack_socket_connect - connect access check 2844 * @sock: the socket 2845 * @sap: the other end 2846 * @addrlen: size of sap 2847 * 2848 * Verifies that a connection may be possible 2849 * 2850 * Returns 0 on success, and error code otherwise 2851 */ 2852 static int smack_socket_connect(struct socket *sock, struct sockaddr *sap, 2853 int addrlen) 2854 { 2855 int rc = 0; 2856 #if IS_ENABLED(CONFIG_IPV6) 2857 struct sockaddr_in6 *sip = (struct sockaddr_in6 *)sap; 2858 #endif 2859 #ifdef SMACK_IPV6_SECMARK_LABELING 2860 struct smack_known *rsp; 2861 struct socket_smack *ssp = sock->sk->sk_security; 2862 #endif 2863 2864 if (sock->sk == NULL) 2865 return 0; 2866 2867 switch (sock->sk->sk_family) { 2868 case PF_INET: 2869 if (addrlen < sizeof(struct sockaddr_in)) 2870 return -EINVAL; 2871 rc = smack_netlabel_send(sock->sk, (struct sockaddr_in *)sap); 2872 break; 2873 case PF_INET6: 2874 if (addrlen < sizeof(struct sockaddr_in6)) 2875 return -EINVAL; 2876 #ifdef SMACK_IPV6_SECMARK_LABELING 2877 rsp = smack_ipv6host_label(sip); 2878 if (rsp != NULL) 2879 rc = smk_ipv6_check(ssp->smk_out, rsp, sip, 2880 SMK_CONNECTING); 2881 #endif 2882 #ifdef SMACK_IPV6_PORT_LABELING 2883 rc = smk_ipv6_port_check(sock->sk, sip, SMK_CONNECTING); 2884 #endif 2885 break; 2886 } 2887 return rc; 2888 } 2889 2890 /** 2891 * smack_flags_to_may - convert S_ to MAY_ values 2892 * @flags: the S_ value 2893 * 2894 * Returns the equivalent MAY_ value 2895 */ 2896 static int smack_flags_to_may(int flags) 2897 { 2898 int may = 0; 2899 2900 if (flags & S_IRUGO) 2901 may |= MAY_READ; 2902 if (flags & S_IWUGO) 2903 may |= MAY_WRITE; 2904 if (flags & S_IXUGO) 2905 may |= MAY_EXEC; 2906 2907 return may; 2908 } 2909 2910 /** 2911 * smack_msg_msg_alloc_security - Set the security blob for msg_msg 2912 * @msg: the object 2913 * 2914 * Returns 0 2915 */ 2916 static int smack_msg_msg_alloc_security(struct msg_msg *msg) 2917 { 2918 struct smack_known *skp = smk_of_current(); 2919 2920 msg->security = skp; 2921 return 0; 2922 } 2923 2924 /** 2925 * smack_msg_msg_free_security - Clear the security blob for msg_msg 2926 * @msg: the object 2927 * 2928 * Clears the blob pointer 2929 */ 2930 static void smack_msg_msg_free_security(struct msg_msg *msg) 2931 { 2932 msg->security = NULL; 2933 } 2934 2935 /** 2936 * smack_of_shm - the smack pointer for the shm 2937 * @shp: the object 2938 * 2939 * Returns a pointer to the smack value 2940 */ 2941 static struct smack_known *smack_of_shm(struct shmid_kernel *shp) 2942 { 2943 return (struct smack_known *)shp->shm_perm.security; 2944 } 2945 2946 /** 2947 * smack_shm_alloc_security - Set the security blob for shm 2948 * @shp: the object 2949 * 2950 * Returns 0 2951 */ 2952 static int smack_shm_alloc_security(struct shmid_kernel *shp) 2953 { 2954 struct kern_ipc_perm *isp = &shp->shm_perm; 2955 struct smack_known *skp = smk_of_current(); 2956 2957 isp->security = skp; 2958 return 0; 2959 } 2960 2961 /** 2962 * smack_shm_free_security - Clear the security blob for shm 2963 * @shp: the object 2964 * 2965 * Clears the blob pointer 2966 */ 2967 static void smack_shm_free_security(struct shmid_kernel *shp) 2968 { 2969 struct kern_ipc_perm *isp = &shp->shm_perm; 2970 2971 isp->security = NULL; 2972 } 2973 2974 /** 2975 * smk_curacc_shm : check if current has access on shm 2976 * @shp : the object 2977 * @access : access requested 2978 * 2979 * Returns 0 if current has the requested access, error code otherwise 2980 */ 2981 static int smk_curacc_shm(struct shmid_kernel *shp, int access) 2982 { 2983 struct smack_known *ssp = smack_of_shm(shp); 2984 struct smk_audit_info ad; 2985 int rc; 2986 2987 #ifdef CONFIG_AUDIT 2988 smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_IPC); 2989 ad.a.u.ipc_id = shp->shm_perm.id; 2990 #endif 2991 rc = smk_curacc(ssp, access, &ad); 2992 rc = smk_bu_current("shm", ssp, access, rc); 2993 return rc; 2994 } 2995 2996 /** 2997 * smack_shm_associate - Smack access check for shm 2998 * @shp: the object 2999 * @shmflg: access requested 3000 * 3001 * Returns 0 if current has the requested access, error code otherwise 3002 */ 3003 static int smack_shm_associate(struct shmid_kernel *shp, int shmflg) 3004 { 3005 int may; 3006 3007 may = smack_flags_to_may(shmflg); 3008 return smk_curacc_shm(shp, may); 3009 } 3010 3011 /** 3012 * smack_shm_shmctl - Smack access check for shm 3013 * @shp: the object 3014 * @cmd: what it wants to do 3015 * 3016 * Returns 0 if current has the requested access, error code otherwise 3017 */ 3018 static int smack_shm_shmctl(struct shmid_kernel *shp, int cmd) 3019 { 3020 int may; 3021 3022 switch (cmd) { 3023 case IPC_STAT: 3024 case SHM_STAT: 3025 may = MAY_READ; 3026 break; 3027 case IPC_SET: 3028 case SHM_LOCK: 3029 case SHM_UNLOCK: 3030 case IPC_RMID: 3031 may = MAY_READWRITE; 3032 break; 3033 case IPC_INFO: 3034 case SHM_INFO: 3035 /* 3036 * System level information. 3037 */ 3038 return 0; 3039 default: 3040 return -EINVAL; 3041 } 3042 return smk_curacc_shm(shp, may); 3043 } 3044 3045 /** 3046 * smack_shm_shmat - Smack access for shmat 3047 * @shp: the object 3048 * @shmaddr: unused 3049 * @shmflg: access requested 3050 * 3051 * Returns 0 if current has the requested access, error code otherwise 3052 */ 3053 static int smack_shm_shmat(struct shmid_kernel *shp, char __user *shmaddr, 3054 int shmflg) 3055 { 3056 int may; 3057 3058 may = smack_flags_to_may(shmflg); 3059 return smk_curacc_shm(shp, may); 3060 } 3061 3062 /** 3063 * smack_of_sem - the smack pointer for the sem 3064 * @sma: the object 3065 * 3066 * Returns a pointer to the smack value 3067 */ 3068 static struct smack_known *smack_of_sem(struct sem_array *sma) 3069 { 3070 return (struct smack_known *)sma->sem_perm.security; 3071 } 3072 3073 /** 3074 * smack_sem_alloc_security - Set the security blob for sem 3075 * @sma: the object 3076 * 3077 * Returns 0 3078 */ 3079 static int smack_sem_alloc_security(struct sem_array *sma) 3080 { 3081 struct kern_ipc_perm *isp = &sma->sem_perm; 3082 struct smack_known *skp = smk_of_current(); 3083 3084 isp->security = skp; 3085 return 0; 3086 } 3087 3088 /** 3089 * smack_sem_free_security - Clear the security blob for sem 3090 * @sma: the object 3091 * 3092 * Clears the blob pointer 3093 */ 3094 static void smack_sem_free_security(struct sem_array *sma) 3095 { 3096 struct kern_ipc_perm *isp = &sma->sem_perm; 3097 3098 isp->security = NULL; 3099 } 3100 3101 /** 3102 * smk_curacc_sem : check if current has access on sem 3103 * @sma : the object 3104 * @access : access requested 3105 * 3106 * Returns 0 if current has the requested access, error code otherwise 3107 */ 3108 static int smk_curacc_sem(struct sem_array *sma, int access) 3109 { 3110 struct smack_known *ssp = smack_of_sem(sma); 3111 struct smk_audit_info ad; 3112 int rc; 3113 3114 #ifdef CONFIG_AUDIT 3115 smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_IPC); 3116 ad.a.u.ipc_id = sma->sem_perm.id; 3117 #endif 3118 rc = smk_curacc(ssp, access, &ad); 3119 rc = smk_bu_current("sem", ssp, access, rc); 3120 return rc; 3121 } 3122 3123 /** 3124 * smack_sem_associate - Smack access check for sem 3125 * @sma: the object 3126 * @semflg: access requested 3127 * 3128 * Returns 0 if current has the requested access, error code otherwise 3129 */ 3130 static int smack_sem_associate(struct sem_array *sma, int semflg) 3131 { 3132 int may; 3133 3134 may = smack_flags_to_may(semflg); 3135 return smk_curacc_sem(sma, may); 3136 } 3137 3138 /** 3139 * smack_sem_shmctl - Smack access check for sem 3140 * @sma: the object 3141 * @cmd: what it wants to do 3142 * 3143 * Returns 0 if current has the requested access, error code otherwise 3144 */ 3145 static int smack_sem_semctl(struct sem_array *sma, int cmd) 3146 { 3147 int may; 3148 3149 switch (cmd) { 3150 case GETPID: 3151 case GETNCNT: 3152 case GETZCNT: 3153 case GETVAL: 3154 case GETALL: 3155 case IPC_STAT: 3156 case SEM_STAT: 3157 may = MAY_READ; 3158 break; 3159 case SETVAL: 3160 case SETALL: 3161 case IPC_RMID: 3162 case IPC_SET: 3163 may = MAY_READWRITE; 3164 break; 3165 case IPC_INFO: 3166 case SEM_INFO: 3167 /* 3168 * System level information 3169 */ 3170 return 0; 3171 default: 3172 return -EINVAL; 3173 } 3174 3175 return smk_curacc_sem(sma, may); 3176 } 3177 3178 /** 3179 * smack_sem_semop - Smack checks of semaphore operations 3180 * @sma: the object 3181 * @sops: unused 3182 * @nsops: unused 3183 * @alter: unused 3184 * 3185 * Treated as read and write in all cases. 3186 * 3187 * Returns 0 if access is allowed, error code otherwise 3188 */ 3189 static int smack_sem_semop(struct sem_array *sma, struct sembuf *sops, 3190 unsigned nsops, int alter) 3191 { 3192 return smk_curacc_sem(sma, MAY_READWRITE); 3193 } 3194 3195 /** 3196 * smack_msg_alloc_security - Set the security blob for msg 3197 * @msq: the object 3198 * 3199 * Returns 0 3200 */ 3201 static int smack_msg_queue_alloc_security(struct msg_queue *msq) 3202 { 3203 struct kern_ipc_perm *kisp = &msq->q_perm; 3204 struct smack_known *skp = smk_of_current(); 3205 3206 kisp->security = skp; 3207 return 0; 3208 } 3209 3210 /** 3211 * smack_msg_free_security - Clear the security blob for msg 3212 * @msq: the object 3213 * 3214 * Clears the blob pointer 3215 */ 3216 static void smack_msg_queue_free_security(struct msg_queue *msq) 3217 { 3218 struct kern_ipc_perm *kisp = &msq->q_perm; 3219 3220 kisp->security = NULL; 3221 } 3222 3223 /** 3224 * smack_of_msq - the smack pointer for the msq 3225 * @msq: the object 3226 * 3227 * Returns a pointer to the smack label entry 3228 */ 3229 static struct smack_known *smack_of_msq(struct msg_queue *msq) 3230 { 3231 return (struct smack_known *)msq->q_perm.security; 3232 } 3233 3234 /** 3235 * smk_curacc_msq : helper to check if current has access on msq 3236 * @msq : the msq 3237 * @access : access requested 3238 * 3239 * return 0 if current has access, error otherwise 3240 */ 3241 static int smk_curacc_msq(struct msg_queue *msq, int access) 3242 { 3243 struct smack_known *msp = smack_of_msq(msq); 3244 struct smk_audit_info ad; 3245 int rc; 3246 3247 #ifdef CONFIG_AUDIT 3248 smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_IPC); 3249 ad.a.u.ipc_id = msq->q_perm.id; 3250 #endif 3251 rc = smk_curacc(msp, access, &ad); 3252 rc = smk_bu_current("msq", msp, access, rc); 3253 return rc; 3254 } 3255 3256 /** 3257 * smack_msg_queue_associate - Smack access check for msg_queue 3258 * @msq: the object 3259 * @msqflg: access requested 3260 * 3261 * Returns 0 if current has the requested access, error code otherwise 3262 */ 3263 static int smack_msg_queue_associate(struct msg_queue *msq, int msqflg) 3264 { 3265 int may; 3266 3267 may = smack_flags_to_may(msqflg); 3268 return smk_curacc_msq(msq, may); 3269 } 3270 3271 /** 3272 * smack_msg_queue_msgctl - Smack access check for msg_queue 3273 * @msq: the object 3274 * @cmd: what it wants to do 3275 * 3276 * Returns 0 if current has the requested access, error code otherwise 3277 */ 3278 static int smack_msg_queue_msgctl(struct msg_queue *msq, int cmd) 3279 { 3280 int may; 3281 3282 switch (cmd) { 3283 case IPC_STAT: 3284 case MSG_STAT: 3285 may = MAY_READ; 3286 break; 3287 case IPC_SET: 3288 case IPC_RMID: 3289 may = MAY_READWRITE; 3290 break; 3291 case IPC_INFO: 3292 case MSG_INFO: 3293 /* 3294 * System level information 3295 */ 3296 return 0; 3297 default: 3298 return -EINVAL; 3299 } 3300 3301 return smk_curacc_msq(msq, may); 3302 } 3303 3304 /** 3305 * smack_msg_queue_msgsnd - Smack access check for msg_queue 3306 * @msq: the object 3307 * @msg: unused 3308 * @msqflg: access requested 3309 * 3310 * Returns 0 if current has the requested access, error code otherwise 3311 */ 3312 static int smack_msg_queue_msgsnd(struct msg_queue *msq, struct msg_msg *msg, 3313 int msqflg) 3314 { 3315 int may; 3316 3317 may = smack_flags_to_may(msqflg); 3318 return smk_curacc_msq(msq, may); 3319 } 3320 3321 /** 3322 * smack_msg_queue_msgsnd - Smack access check for msg_queue 3323 * @msq: the object 3324 * @msg: unused 3325 * @target: unused 3326 * @type: unused 3327 * @mode: unused 3328 * 3329 * Returns 0 if current has read and write access, error code otherwise 3330 */ 3331 static int smack_msg_queue_msgrcv(struct msg_queue *msq, struct msg_msg *msg, 3332 struct task_struct *target, long type, int mode) 3333 { 3334 return smk_curacc_msq(msq, MAY_READWRITE); 3335 } 3336 3337 /** 3338 * smack_ipc_permission - Smack access for ipc_permission() 3339 * @ipp: the object permissions 3340 * @flag: access requested 3341 * 3342 * Returns 0 if current has read and write access, error code otherwise 3343 */ 3344 static int smack_ipc_permission(struct kern_ipc_perm *ipp, short flag) 3345 { 3346 struct smack_known *iskp = ipp->security; 3347 int may = smack_flags_to_may(flag); 3348 struct smk_audit_info ad; 3349 int rc; 3350 3351 #ifdef CONFIG_AUDIT 3352 smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_IPC); 3353 ad.a.u.ipc_id = ipp->id; 3354 #endif 3355 rc = smk_curacc(iskp, may, &ad); 3356 rc = smk_bu_current("svipc", iskp, may, rc); 3357 return rc; 3358 } 3359 3360 /** 3361 * smack_ipc_getsecid - Extract smack security id 3362 * @ipp: the object permissions 3363 * @secid: where result will be saved 3364 */ 3365 static void smack_ipc_getsecid(struct kern_ipc_perm *ipp, u32 *secid) 3366 { 3367 struct smack_known *iskp = ipp->security; 3368 3369 *secid = iskp->smk_secid; 3370 } 3371 3372 /** 3373 * smack_d_instantiate - Make sure the blob is correct on an inode 3374 * @opt_dentry: dentry where inode will be attached 3375 * @inode: the object 3376 * 3377 * Set the inode's security blob if it hasn't been done already. 3378 */ 3379 static void smack_d_instantiate(struct dentry *opt_dentry, struct inode *inode) 3380 { 3381 struct super_block *sbp; 3382 struct superblock_smack *sbsp; 3383 struct inode_smack *isp; 3384 struct smack_known *skp; 3385 struct smack_known *ckp = smk_of_current(); 3386 struct smack_known *final; 3387 char trattr[TRANS_TRUE_SIZE]; 3388 int transflag = 0; 3389 int rc; 3390 struct dentry *dp; 3391 3392 if (inode == NULL) 3393 return; 3394 3395 isp = inode->i_security; 3396 3397 mutex_lock(&isp->smk_lock); 3398 /* 3399 * If the inode is already instantiated 3400 * take the quick way out 3401 */ 3402 if (isp->smk_flags & SMK_INODE_INSTANT) 3403 goto unlockandout; 3404 3405 sbp = inode->i_sb; 3406 sbsp = sbp->s_security; 3407 /* 3408 * We're going to use the superblock default label 3409 * if there's no label on the file. 3410 */ 3411 final = sbsp->smk_default; 3412 3413 /* 3414 * If this is the root inode the superblock 3415 * may be in the process of initialization. 3416 * If that is the case use the root value out 3417 * of the superblock. 3418 */ 3419 if (opt_dentry->d_parent == opt_dentry) { 3420 switch (sbp->s_magic) { 3421 case CGROUP_SUPER_MAGIC: 3422 /* 3423 * The cgroup filesystem is never mounted, 3424 * so there's no opportunity to set the mount 3425 * options. 3426 */ 3427 sbsp->smk_root = &smack_known_star; 3428 sbsp->smk_default = &smack_known_star; 3429 isp->smk_inode = sbsp->smk_root; 3430 break; 3431 case TMPFS_MAGIC: 3432 /* 3433 * What about shmem/tmpfs anonymous files with dentry 3434 * obtained from d_alloc_pseudo()? 3435 */ 3436 isp->smk_inode = smk_of_current(); 3437 break; 3438 case PIPEFS_MAGIC: 3439 isp->smk_inode = smk_of_current(); 3440 break; 3441 default: 3442 isp->smk_inode = sbsp->smk_root; 3443 break; 3444 } 3445 isp->smk_flags |= SMK_INODE_INSTANT; 3446 goto unlockandout; 3447 } 3448 3449 /* 3450 * This is pretty hackish. 3451 * Casey says that we shouldn't have to do 3452 * file system specific code, but it does help 3453 * with keeping it simple. 3454 */ 3455 switch (sbp->s_magic) { 3456 case SMACK_MAGIC: 3457 case PIPEFS_MAGIC: 3458 case SOCKFS_MAGIC: 3459 case CGROUP_SUPER_MAGIC: 3460 /* 3461 * Casey says that it's a little embarrassing 3462 * that the smack file system doesn't do 3463 * extended attributes. 3464 * 3465 * Casey says pipes are easy (?) 3466 * 3467 * Socket access is controlled by the socket 3468 * structures associated with the task involved. 3469 * 3470 * Cgroupfs is special 3471 */ 3472 final = &smack_known_star; 3473 break; 3474 case DEVPTS_SUPER_MAGIC: 3475 /* 3476 * devpts seems content with the label of the task. 3477 * Programs that change smack have to treat the 3478 * pty with respect. 3479 */ 3480 final = ckp; 3481 break; 3482 case PROC_SUPER_MAGIC: 3483 /* 3484 * Casey says procfs appears not to care. 3485 * The superblock default suffices. 3486 */ 3487 break; 3488 case TMPFS_MAGIC: 3489 /* 3490 * Device labels should come from the filesystem, 3491 * but watch out, because they're volitile, 3492 * getting recreated on every reboot. 3493 */ 3494 final = &smack_known_star; 3495 /* 3496 * No break. 3497 * 3498 * If a smack value has been set we want to use it, 3499 * but since tmpfs isn't giving us the opportunity 3500 * to set mount options simulate setting the 3501 * superblock default. 3502 */ 3503 default: 3504 /* 3505 * This isn't an understood special case. 3506 * Get the value from the xattr. 3507 */ 3508 3509 /* 3510 * UNIX domain sockets use lower level socket data. 3511 */ 3512 if (S_ISSOCK(inode->i_mode)) { 3513 final = &smack_known_star; 3514 break; 3515 } 3516 /* 3517 * No xattr support means, alas, no SMACK label. 3518 * Use the aforeapplied default. 3519 * It would be curious if the label of the task 3520 * does not match that assigned. 3521 */ 3522 if (!(inode->i_opflags & IOP_XATTR)) 3523 break; 3524 /* 3525 * Get the dentry for xattr. 3526 */ 3527 dp = dget(opt_dentry); 3528 skp = smk_fetch(XATTR_NAME_SMACK, inode, dp); 3529 if (!IS_ERR_OR_NULL(skp)) 3530 final = skp; 3531 3532 /* 3533 * Transmuting directory 3534 */ 3535 if (S_ISDIR(inode->i_mode)) { 3536 /* 3537 * If this is a new directory and the label was 3538 * transmuted when the inode was initialized 3539 * set the transmute attribute on the directory 3540 * and mark the inode. 3541 * 3542 * If there is a transmute attribute on the 3543 * directory mark the inode. 3544 */ 3545 if (isp->smk_flags & SMK_INODE_CHANGED) { 3546 isp->smk_flags &= ~SMK_INODE_CHANGED; 3547 rc = __vfs_setxattr(dp, inode, 3548 XATTR_NAME_SMACKTRANSMUTE, 3549 TRANS_TRUE, TRANS_TRUE_SIZE, 3550 0); 3551 } else { 3552 rc = __vfs_getxattr(dp, inode, 3553 XATTR_NAME_SMACKTRANSMUTE, trattr, 3554 TRANS_TRUE_SIZE); 3555 if (rc >= 0 && strncmp(trattr, TRANS_TRUE, 3556 TRANS_TRUE_SIZE) != 0) 3557 rc = -EINVAL; 3558 } 3559 if (rc >= 0) 3560 transflag = SMK_INODE_TRANSMUTE; 3561 } 3562 /* 3563 * Don't let the exec or mmap label be "*" or "@". 3564 */ 3565 skp = smk_fetch(XATTR_NAME_SMACKEXEC, inode, dp); 3566 if (IS_ERR(skp) || skp == &smack_known_star || 3567 skp == &smack_known_web) 3568 skp = NULL; 3569 isp->smk_task = skp; 3570 3571 skp = smk_fetch(XATTR_NAME_SMACKMMAP, inode, dp); 3572 if (IS_ERR(skp) || skp == &smack_known_star || 3573 skp == &smack_known_web) 3574 skp = NULL; 3575 isp->smk_mmap = skp; 3576 3577 dput(dp); 3578 break; 3579 } 3580 3581 if (final == NULL) 3582 isp->smk_inode = ckp; 3583 else 3584 isp->smk_inode = final; 3585 3586 isp->smk_flags |= (SMK_INODE_INSTANT | transflag); 3587 3588 unlockandout: 3589 mutex_unlock(&isp->smk_lock); 3590 return; 3591 } 3592 3593 /** 3594 * smack_getprocattr - Smack process attribute access 3595 * @p: the object task 3596 * @name: the name of the attribute in /proc/.../attr 3597 * @value: where to put the result 3598 * 3599 * Places a copy of the task Smack into value 3600 * 3601 * Returns the length of the smack label or an error code 3602 */ 3603 static int smack_getprocattr(struct task_struct *p, char *name, char **value) 3604 { 3605 struct smack_known *skp = smk_of_task_struct(p); 3606 char *cp; 3607 int slen; 3608 3609 if (strcmp(name, "current") != 0) 3610 return -EINVAL; 3611 3612 cp = kstrdup(skp->smk_known, GFP_KERNEL); 3613 if (cp == NULL) 3614 return -ENOMEM; 3615 3616 slen = strlen(cp); 3617 *value = cp; 3618 return slen; 3619 } 3620 3621 /** 3622 * smack_setprocattr - Smack process attribute setting 3623 * @p: the object task 3624 * @name: the name of the attribute in /proc/.../attr 3625 * @value: the value to set 3626 * @size: the size of the value 3627 * 3628 * Sets the Smack value of the task. Only setting self 3629 * is permitted and only with privilege 3630 * 3631 * Returns the length of the smack label or an error code 3632 */ 3633 static int smack_setprocattr(struct task_struct *p, char *name, 3634 void *value, size_t size) 3635 { 3636 struct task_smack *tsp = current_security(); 3637 struct cred *new; 3638 struct smack_known *skp; 3639 struct smack_known_list_elem *sklep; 3640 int rc; 3641 3642 /* 3643 * Changing another process' Smack value is too dangerous 3644 * and supports no sane use case. 3645 */ 3646 if (p != current) 3647 return -EPERM; 3648 3649 if (!smack_privileged(CAP_MAC_ADMIN) && list_empty(&tsp->smk_relabel)) 3650 return -EPERM; 3651 3652 if (value == NULL || size == 0 || size >= SMK_LONGLABEL) 3653 return -EINVAL; 3654 3655 if (strcmp(name, "current") != 0) 3656 return -EINVAL; 3657 3658 skp = smk_import_entry(value, size); 3659 if (IS_ERR(skp)) 3660 return PTR_ERR(skp); 3661 3662 /* 3663 * No process is ever allowed the web ("@") label 3664 * and the star ("*") label. 3665 */ 3666 if (skp == &smack_known_web || skp == &smack_known_star) 3667 return -EINVAL; 3668 3669 if (!smack_privileged(CAP_MAC_ADMIN)) { 3670 rc = -EPERM; 3671 list_for_each_entry(sklep, &tsp->smk_relabel, list) 3672 if (sklep->smk_label == skp) { 3673 rc = 0; 3674 break; 3675 } 3676 if (rc) 3677 return rc; 3678 } 3679 3680 new = prepare_creds(); 3681 if (new == NULL) 3682 return -ENOMEM; 3683 3684 tsp = new->security; 3685 tsp->smk_task = skp; 3686 /* 3687 * process can change its label only once 3688 */ 3689 smk_destroy_label_list(&tsp->smk_relabel); 3690 3691 commit_creds(new); 3692 return size; 3693 } 3694 3695 /** 3696 * smack_unix_stream_connect - Smack access on UDS 3697 * @sock: one sock 3698 * @other: the other sock 3699 * @newsk: unused 3700 * 3701 * Return 0 if a subject with the smack of sock could access 3702 * an object with the smack of other, otherwise an error code 3703 */ 3704 static int smack_unix_stream_connect(struct sock *sock, 3705 struct sock *other, struct sock *newsk) 3706 { 3707 struct smack_known *skp; 3708 struct smack_known *okp; 3709 struct socket_smack *ssp = sock->sk_security; 3710 struct socket_smack *osp = other->sk_security; 3711 struct socket_smack *nsp = newsk->sk_security; 3712 struct smk_audit_info ad; 3713 int rc = 0; 3714 #ifdef CONFIG_AUDIT 3715 struct lsm_network_audit net; 3716 #endif 3717 3718 if (!smack_privileged(CAP_MAC_OVERRIDE)) { 3719 skp = ssp->smk_out; 3720 okp = osp->smk_in; 3721 #ifdef CONFIG_AUDIT 3722 smk_ad_init_net(&ad, __func__, LSM_AUDIT_DATA_NET, &net); 3723 smk_ad_setfield_u_net_sk(&ad, other); 3724 #endif 3725 rc = smk_access(skp, okp, MAY_WRITE, &ad); 3726 rc = smk_bu_note("UDS connect", skp, okp, MAY_WRITE, rc); 3727 if (rc == 0) { 3728 okp = osp->smk_out; 3729 skp = ssp->smk_in; 3730 rc = smk_access(okp, skp, MAY_WRITE, &ad); 3731 rc = smk_bu_note("UDS connect", okp, skp, 3732 MAY_WRITE, rc); 3733 } 3734 } 3735 3736 /* 3737 * Cross reference the peer labels for SO_PEERSEC. 3738 */ 3739 if (rc == 0) { 3740 nsp->smk_packet = ssp->smk_out; 3741 ssp->smk_packet = osp->smk_out; 3742 } 3743 3744 return rc; 3745 } 3746 3747 /** 3748 * smack_unix_may_send - Smack access on UDS 3749 * @sock: one socket 3750 * @other: the other socket 3751 * 3752 * Return 0 if a subject with the smack of sock could access 3753 * an object with the smack of other, otherwise an error code 3754 */ 3755 static int smack_unix_may_send(struct socket *sock, struct socket *other) 3756 { 3757 struct socket_smack *ssp = sock->sk->sk_security; 3758 struct socket_smack *osp = other->sk->sk_security; 3759 struct smk_audit_info ad; 3760 int rc; 3761 3762 #ifdef CONFIG_AUDIT 3763 struct lsm_network_audit net; 3764 3765 smk_ad_init_net(&ad, __func__, LSM_AUDIT_DATA_NET, &net); 3766 smk_ad_setfield_u_net_sk(&ad, other->sk); 3767 #endif 3768 3769 if (smack_privileged(CAP_MAC_OVERRIDE)) 3770 return 0; 3771 3772 rc = smk_access(ssp->smk_out, osp->smk_in, MAY_WRITE, &ad); 3773 rc = smk_bu_note("UDS send", ssp->smk_out, osp->smk_in, MAY_WRITE, rc); 3774 return rc; 3775 } 3776 3777 /** 3778 * smack_socket_sendmsg - Smack check based on destination host 3779 * @sock: the socket 3780 * @msg: the message 3781 * @size: the size of the message 3782 * 3783 * Return 0 if the current subject can write to the destination host. 3784 * For IPv4 this is only a question if the destination is a single label host. 3785 * For IPv6 this is a check against the label of the port. 3786 */ 3787 static int smack_socket_sendmsg(struct socket *sock, struct msghdr *msg, 3788 int size) 3789 { 3790 struct sockaddr_in *sip = (struct sockaddr_in *) msg->msg_name; 3791 #if IS_ENABLED(CONFIG_IPV6) 3792 struct sockaddr_in6 *sap = (struct sockaddr_in6 *) msg->msg_name; 3793 #endif 3794 #ifdef SMACK_IPV6_SECMARK_LABELING 3795 struct socket_smack *ssp = sock->sk->sk_security; 3796 struct smack_known *rsp; 3797 #endif 3798 int rc = 0; 3799 3800 /* 3801 * Perfectly reasonable for this to be NULL 3802 */ 3803 if (sip == NULL) 3804 return 0; 3805 3806 switch (sock->sk->sk_family) { 3807 case AF_INET: 3808 rc = smack_netlabel_send(sock->sk, sip); 3809 break; 3810 case AF_INET6: 3811 #ifdef SMACK_IPV6_SECMARK_LABELING 3812 rsp = smack_ipv6host_label(sap); 3813 if (rsp != NULL) 3814 rc = smk_ipv6_check(ssp->smk_out, rsp, sap, 3815 SMK_CONNECTING); 3816 #endif 3817 #ifdef SMACK_IPV6_PORT_LABELING 3818 rc = smk_ipv6_port_check(sock->sk, sap, SMK_SENDING); 3819 #endif 3820 break; 3821 } 3822 return rc; 3823 } 3824 3825 /** 3826 * smack_from_secattr - Convert a netlabel attr.mls.lvl/attr.mls.cat pair to smack 3827 * @sap: netlabel secattr 3828 * @ssp: socket security information 3829 * 3830 * Returns a pointer to a Smack label entry found on the label list. 3831 */ 3832 static struct smack_known *smack_from_secattr(struct netlbl_lsm_secattr *sap, 3833 struct socket_smack *ssp) 3834 { 3835 struct smack_known *skp; 3836 int found = 0; 3837 int acat; 3838 int kcat; 3839 3840 if ((sap->flags & NETLBL_SECATTR_MLS_LVL) != 0) { 3841 /* 3842 * Looks like a CIPSO packet. 3843 * If there are flags but no level netlabel isn't 3844 * behaving the way we expect it to. 3845 * 3846 * Look it up in the label table 3847 * Without guidance regarding the smack value 3848 * for the packet fall back on the network 3849 * ambient value. 3850 */ 3851 rcu_read_lock(); 3852 list_for_each_entry(skp, &smack_known_list, list) { 3853 if (sap->attr.mls.lvl != skp->smk_netlabel.attr.mls.lvl) 3854 continue; 3855 /* 3856 * Compare the catsets. Use the netlbl APIs. 3857 */ 3858 if ((sap->flags & NETLBL_SECATTR_MLS_CAT) == 0) { 3859 if ((skp->smk_netlabel.flags & 3860 NETLBL_SECATTR_MLS_CAT) == 0) 3861 found = 1; 3862 break; 3863 } 3864 for (acat = -1, kcat = -1; acat == kcat; ) { 3865 acat = netlbl_catmap_walk(sap->attr.mls.cat, 3866 acat + 1); 3867 kcat = netlbl_catmap_walk( 3868 skp->smk_netlabel.attr.mls.cat, 3869 kcat + 1); 3870 if (acat < 0 || kcat < 0) 3871 break; 3872 } 3873 if (acat == kcat) { 3874 found = 1; 3875 break; 3876 } 3877 } 3878 rcu_read_unlock(); 3879 3880 if (found) 3881 return skp; 3882 3883 if (ssp != NULL && ssp->smk_in == &smack_known_star) 3884 return &smack_known_web; 3885 return &smack_known_star; 3886 } 3887 if ((sap->flags & NETLBL_SECATTR_SECID) != 0) 3888 /* 3889 * Looks like a fallback, which gives us a secid. 3890 */ 3891 return smack_from_secid(sap->attr.secid); 3892 /* 3893 * Without guidance regarding the smack value 3894 * for the packet fall back on the network 3895 * ambient value. 3896 */ 3897 return smack_net_ambient; 3898 } 3899 3900 #if IS_ENABLED(CONFIG_IPV6) 3901 static int smk_skb_to_addr_ipv6(struct sk_buff *skb, struct sockaddr_in6 *sip) 3902 { 3903 u8 nexthdr; 3904 int offset; 3905 int proto = -EINVAL; 3906 struct ipv6hdr _ipv6h; 3907 struct ipv6hdr *ip6; 3908 __be16 frag_off; 3909 struct tcphdr _tcph, *th; 3910 struct udphdr _udph, *uh; 3911 struct dccp_hdr _dccph, *dh; 3912 3913 sip->sin6_port = 0; 3914 3915 offset = skb_network_offset(skb); 3916 ip6 = skb_header_pointer(skb, offset, sizeof(_ipv6h), &_ipv6h); 3917 if (ip6 == NULL) 3918 return -EINVAL; 3919 sip->sin6_addr = ip6->saddr; 3920 3921 nexthdr = ip6->nexthdr; 3922 offset += sizeof(_ipv6h); 3923 offset = ipv6_skip_exthdr(skb, offset, &nexthdr, &frag_off); 3924 if (offset < 0) 3925 return -EINVAL; 3926 3927 proto = nexthdr; 3928 switch (proto) { 3929 case IPPROTO_TCP: 3930 th = skb_header_pointer(skb, offset, sizeof(_tcph), &_tcph); 3931 if (th != NULL) 3932 sip->sin6_port = th->source; 3933 break; 3934 case IPPROTO_UDP: 3935 uh = skb_header_pointer(skb, offset, sizeof(_udph), &_udph); 3936 if (uh != NULL) 3937 sip->sin6_port = uh->source; 3938 break; 3939 case IPPROTO_DCCP: 3940 dh = skb_header_pointer(skb, offset, sizeof(_dccph), &_dccph); 3941 if (dh != NULL) 3942 sip->sin6_port = dh->dccph_sport; 3943 break; 3944 } 3945 return proto; 3946 } 3947 #endif /* CONFIG_IPV6 */ 3948 3949 /** 3950 * smack_socket_sock_rcv_skb - Smack packet delivery access check 3951 * @sk: socket 3952 * @skb: packet 3953 * 3954 * Returns 0 if the packet should be delivered, an error code otherwise 3955 */ 3956 static int smack_socket_sock_rcv_skb(struct sock *sk, struct sk_buff *skb) 3957 { 3958 struct netlbl_lsm_secattr secattr; 3959 struct socket_smack *ssp = sk->sk_security; 3960 struct smack_known *skp = NULL; 3961 int rc = 0; 3962 struct smk_audit_info ad; 3963 #ifdef CONFIG_AUDIT 3964 struct lsm_network_audit net; 3965 #endif 3966 #if IS_ENABLED(CONFIG_IPV6) 3967 struct sockaddr_in6 sadd; 3968 int proto; 3969 #endif /* CONFIG_IPV6 */ 3970 3971 switch (sk->sk_family) { 3972 case PF_INET: 3973 #ifdef CONFIG_SECURITY_SMACK_NETFILTER 3974 /* 3975 * If there is a secmark use it rather than the CIPSO label. 3976 * If there is no secmark fall back to CIPSO. 3977 * The secmark is assumed to reflect policy better. 3978 */ 3979 if (skb && skb->secmark != 0) { 3980 skp = smack_from_secid(skb->secmark); 3981 goto access_check; 3982 } 3983 #endif /* CONFIG_SECURITY_SMACK_NETFILTER */ 3984 /* 3985 * Translate what netlabel gave us. 3986 */ 3987 netlbl_secattr_init(&secattr); 3988 3989 rc = netlbl_skbuff_getattr(skb, sk->sk_family, &secattr); 3990 if (rc == 0) 3991 skp = smack_from_secattr(&secattr, ssp); 3992 else 3993 skp = smack_net_ambient; 3994 3995 netlbl_secattr_destroy(&secattr); 3996 3997 #ifdef CONFIG_SECURITY_SMACK_NETFILTER 3998 access_check: 3999 #endif 4000 #ifdef CONFIG_AUDIT 4001 smk_ad_init_net(&ad, __func__, LSM_AUDIT_DATA_NET, &net); 4002 ad.a.u.net->family = sk->sk_family; 4003 ad.a.u.net->netif = skb->skb_iif; 4004 ipv4_skb_to_auditdata(skb, &ad.a, NULL); 4005 #endif 4006 /* 4007 * Receiving a packet requires that the other end 4008 * be able to write here. Read access is not required. 4009 * This is the simplist possible security model 4010 * for networking. 4011 */ 4012 rc = smk_access(skp, ssp->smk_in, MAY_WRITE, &ad); 4013 rc = smk_bu_note("IPv4 delivery", skp, ssp->smk_in, 4014 MAY_WRITE, rc); 4015 if (rc != 0) 4016 netlbl_skbuff_err(skb, sk->sk_family, rc, 0); 4017 break; 4018 #if IS_ENABLED(CONFIG_IPV6) 4019 case PF_INET6: 4020 proto = smk_skb_to_addr_ipv6(skb, &sadd); 4021 if (proto != IPPROTO_UDP && proto != IPPROTO_TCP) 4022 break; 4023 #ifdef SMACK_IPV6_SECMARK_LABELING 4024 if (skb && skb->secmark != 0) 4025 skp = smack_from_secid(skb->secmark); 4026 else 4027 skp = smack_ipv6host_label(&sadd); 4028 if (skp == NULL) 4029 skp = smack_net_ambient; 4030 #ifdef CONFIG_AUDIT 4031 smk_ad_init_net(&ad, __func__, LSM_AUDIT_DATA_NET, &net); 4032 ad.a.u.net->family = sk->sk_family; 4033 ad.a.u.net->netif = skb->skb_iif; 4034 ipv6_skb_to_auditdata(skb, &ad.a, NULL); 4035 #endif /* CONFIG_AUDIT */ 4036 rc = smk_access(skp, ssp->smk_in, MAY_WRITE, &ad); 4037 rc = smk_bu_note("IPv6 delivery", skp, ssp->smk_in, 4038 MAY_WRITE, rc); 4039 #endif /* SMACK_IPV6_SECMARK_LABELING */ 4040 #ifdef SMACK_IPV6_PORT_LABELING 4041 rc = smk_ipv6_port_check(sk, &sadd, SMK_RECEIVING); 4042 #endif /* SMACK_IPV6_PORT_LABELING */ 4043 break; 4044 #endif /* CONFIG_IPV6 */ 4045 } 4046 4047 return rc; 4048 } 4049 4050 /** 4051 * smack_socket_getpeersec_stream - pull in packet label 4052 * @sock: the socket 4053 * @optval: user's destination 4054 * @optlen: size thereof 4055 * @len: max thereof 4056 * 4057 * returns zero on success, an error code otherwise 4058 */ 4059 static int smack_socket_getpeersec_stream(struct socket *sock, 4060 char __user *optval, 4061 int __user *optlen, unsigned len) 4062 { 4063 struct socket_smack *ssp; 4064 char *rcp = ""; 4065 int slen = 1; 4066 int rc = 0; 4067 4068 ssp = sock->sk->sk_security; 4069 if (ssp->smk_packet != NULL) { 4070 rcp = ssp->smk_packet->smk_known; 4071 slen = strlen(rcp) + 1; 4072 } 4073 4074 if (slen > len) 4075 rc = -ERANGE; 4076 else if (copy_to_user(optval, rcp, slen) != 0) 4077 rc = -EFAULT; 4078 4079 if (put_user(slen, optlen) != 0) 4080 rc = -EFAULT; 4081 4082 return rc; 4083 } 4084 4085 4086 /** 4087 * smack_socket_getpeersec_dgram - pull in packet label 4088 * @sock: the peer socket 4089 * @skb: packet data 4090 * @secid: pointer to where to put the secid of the packet 4091 * 4092 * Sets the netlabel socket state on sk from parent 4093 */ 4094 static int smack_socket_getpeersec_dgram(struct socket *sock, 4095 struct sk_buff *skb, u32 *secid) 4096 4097 { 4098 struct netlbl_lsm_secattr secattr; 4099 struct socket_smack *ssp = NULL; 4100 struct smack_known *skp; 4101 int family = PF_UNSPEC; 4102 u32 s = 0; /* 0 is the invalid secid */ 4103 int rc; 4104 4105 if (skb != NULL) { 4106 if (skb->protocol == htons(ETH_P_IP)) 4107 family = PF_INET; 4108 #if IS_ENABLED(CONFIG_IPV6) 4109 else if (skb->protocol == htons(ETH_P_IPV6)) 4110 family = PF_INET6; 4111 #endif /* CONFIG_IPV6 */ 4112 } 4113 if (family == PF_UNSPEC && sock != NULL) 4114 family = sock->sk->sk_family; 4115 4116 switch (family) { 4117 case PF_UNIX: 4118 ssp = sock->sk->sk_security; 4119 s = ssp->smk_out->smk_secid; 4120 break; 4121 case PF_INET: 4122 #ifdef CONFIG_SECURITY_SMACK_NETFILTER 4123 s = skb->secmark; 4124 if (s != 0) 4125 break; 4126 #endif 4127 /* 4128 * Translate what netlabel gave us. 4129 */ 4130 if (sock != NULL && sock->sk != NULL) 4131 ssp = sock->sk->sk_security; 4132 netlbl_secattr_init(&secattr); 4133 rc = netlbl_skbuff_getattr(skb, family, &secattr); 4134 if (rc == 0) { 4135 skp = smack_from_secattr(&secattr, ssp); 4136 s = skp->smk_secid; 4137 } 4138 netlbl_secattr_destroy(&secattr); 4139 break; 4140 case PF_INET6: 4141 #ifdef SMACK_IPV6_SECMARK_LABELING 4142 s = skb->secmark; 4143 #endif 4144 break; 4145 } 4146 *secid = s; 4147 if (s == 0) 4148 return -EINVAL; 4149 return 0; 4150 } 4151 4152 /** 4153 * smack_sock_graft - Initialize a newly created socket with an existing sock 4154 * @sk: child sock 4155 * @parent: parent socket 4156 * 4157 * Set the smk_{in,out} state of an existing sock based on the process that 4158 * is creating the new socket. 4159 */ 4160 static void smack_sock_graft(struct sock *sk, struct socket *parent) 4161 { 4162 struct socket_smack *ssp; 4163 struct smack_known *skp = smk_of_current(); 4164 4165 if (sk == NULL || 4166 (sk->sk_family != PF_INET && sk->sk_family != PF_INET6)) 4167 return; 4168 4169 ssp = sk->sk_security; 4170 ssp->smk_in = skp; 4171 ssp->smk_out = skp; 4172 /* cssp->smk_packet is already set in smack_inet_csk_clone() */ 4173 } 4174 4175 /** 4176 * smack_inet_conn_request - Smack access check on connect 4177 * @sk: socket involved 4178 * @skb: packet 4179 * @req: unused 4180 * 4181 * Returns 0 if a task with the packet label could write to 4182 * the socket, otherwise an error code 4183 */ 4184 static int smack_inet_conn_request(struct sock *sk, struct sk_buff *skb, 4185 struct request_sock *req) 4186 { 4187 u16 family = sk->sk_family; 4188 struct smack_known *skp; 4189 struct socket_smack *ssp = sk->sk_security; 4190 struct netlbl_lsm_secattr secattr; 4191 struct sockaddr_in addr; 4192 struct iphdr *hdr; 4193 struct smack_known *hskp; 4194 int rc; 4195 struct smk_audit_info ad; 4196 #ifdef CONFIG_AUDIT 4197 struct lsm_network_audit net; 4198 #endif 4199 4200 #if IS_ENABLED(CONFIG_IPV6) 4201 if (family == PF_INET6) { 4202 /* 4203 * Handle mapped IPv4 packets arriving 4204 * via IPv6 sockets. Don't set up netlabel 4205 * processing on IPv6. 4206 */ 4207 if (skb->protocol == htons(ETH_P_IP)) 4208 family = PF_INET; 4209 else 4210 return 0; 4211 } 4212 #endif /* CONFIG_IPV6 */ 4213 4214 #ifdef CONFIG_SECURITY_SMACK_NETFILTER 4215 /* 4216 * If there is a secmark use it rather than the CIPSO label. 4217 * If there is no secmark fall back to CIPSO. 4218 * The secmark is assumed to reflect policy better. 4219 */ 4220 if (skb && skb->secmark != 0) { 4221 skp = smack_from_secid(skb->secmark); 4222 goto access_check; 4223 } 4224 #endif /* CONFIG_SECURITY_SMACK_NETFILTER */ 4225 4226 netlbl_secattr_init(&secattr); 4227 rc = netlbl_skbuff_getattr(skb, family, &secattr); 4228 if (rc == 0) 4229 skp = smack_from_secattr(&secattr, ssp); 4230 else 4231 skp = &smack_known_huh; 4232 netlbl_secattr_destroy(&secattr); 4233 4234 #ifdef CONFIG_SECURITY_SMACK_NETFILTER 4235 access_check: 4236 #endif 4237 4238 #ifdef CONFIG_AUDIT 4239 smk_ad_init_net(&ad, __func__, LSM_AUDIT_DATA_NET, &net); 4240 ad.a.u.net->family = family; 4241 ad.a.u.net->netif = skb->skb_iif; 4242 ipv4_skb_to_auditdata(skb, &ad.a, NULL); 4243 #endif 4244 /* 4245 * Receiving a packet requires that the other end be able to write 4246 * here. Read access is not required. 4247 */ 4248 rc = smk_access(skp, ssp->smk_in, MAY_WRITE, &ad); 4249 rc = smk_bu_note("IPv4 connect", skp, ssp->smk_in, MAY_WRITE, rc); 4250 if (rc != 0) 4251 return rc; 4252 4253 /* 4254 * Save the peer's label in the request_sock so we can later setup 4255 * smk_packet in the child socket so that SO_PEERCRED can report it. 4256 */ 4257 req->peer_secid = skp->smk_secid; 4258 4259 /* 4260 * We need to decide if we want to label the incoming connection here 4261 * if we do we only need to label the request_sock and the stack will 4262 * propagate the wire-label to the sock when it is created. 4263 */ 4264 hdr = ip_hdr(skb); 4265 addr.sin_addr.s_addr = hdr->saddr; 4266 rcu_read_lock(); 4267 hskp = smack_ipv4host_label(&addr); 4268 rcu_read_unlock(); 4269 4270 if (hskp == NULL) 4271 rc = netlbl_req_setattr(req, &skp->smk_netlabel); 4272 else 4273 netlbl_req_delattr(req); 4274 4275 return rc; 4276 } 4277 4278 /** 4279 * smack_inet_csk_clone - Copy the connection information to the new socket 4280 * @sk: the new socket 4281 * @req: the connection's request_sock 4282 * 4283 * Transfer the connection's peer label to the newly created socket. 4284 */ 4285 static void smack_inet_csk_clone(struct sock *sk, 4286 const struct request_sock *req) 4287 { 4288 struct socket_smack *ssp = sk->sk_security; 4289 struct smack_known *skp; 4290 4291 if (req->peer_secid != 0) { 4292 skp = smack_from_secid(req->peer_secid); 4293 ssp->smk_packet = skp; 4294 } else 4295 ssp->smk_packet = NULL; 4296 } 4297 4298 /* 4299 * Key management security hooks 4300 * 4301 * Casey has not tested key support very heavily. 4302 * The permission check is most likely too restrictive. 4303 * If you care about keys please have a look. 4304 */ 4305 #ifdef CONFIG_KEYS 4306 4307 /** 4308 * smack_key_alloc - Set the key security blob 4309 * @key: object 4310 * @cred: the credentials to use 4311 * @flags: unused 4312 * 4313 * No allocation required 4314 * 4315 * Returns 0 4316 */ 4317 static int smack_key_alloc(struct key *key, const struct cred *cred, 4318 unsigned long flags) 4319 { 4320 struct smack_known *skp = smk_of_task(cred->security); 4321 4322 key->security = skp; 4323 return 0; 4324 } 4325 4326 /** 4327 * smack_key_free - Clear the key security blob 4328 * @key: the object 4329 * 4330 * Clear the blob pointer 4331 */ 4332 static void smack_key_free(struct key *key) 4333 { 4334 key->security = NULL; 4335 } 4336 4337 /** 4338 * smack_key_permission - Smack access on a key 4339 * @key_ref: gets to the object 4340 * @cred: the credentials to use 4341 * @perm: requested key permissions 4342 * 4343 * Return 0 if the task has read and write to the object, 4344 * an error code otherwise 4345 */ 4346 static int smack_key_permission(key_ref_t key_ref, 4347 const struct cred *cred, unsigned perm) 4348 { 4349 struct key *keyp; 4350 struct smk_audit_info ad; 4351 struct smack_known *tkp = smk_of_task(cred->security); 4352 int request = 0; 4353 int rc; 4354 4355 keyp = key_ref_to_ptr(key_ref); 4356 if (keyp == NULL) 4357 return -EINVAL; 4358 /* 4359 * If the key hasn't been initialized give it access so that 4360 * it may do so. 4361 */ 4362 if (keyp->security == NULL) 4363 return 0; 4364 /* 4365 * This should not occur 4366 */ 4367 if (tkp == NULL) 4368 return -EACCES; 4369 #ifdef CONFIG_AUDIT 4370 smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_KEY); 4371 ad.a.u.key_struct.key = keyp->serial; 4372 ad.a.u.key_struct.key_desc = keyp->description; 4373 #endif 4374 if (perm & KEY_NEED_READ) 4375 request = MAY_READ; 4376 if (perm & (KEY_NEED_WRITE | KEY_NEED_LINK | KEY_NEED_SETATTR)) 4377 request = MAY_WRITE; 4378 rc = smk_access(tkp, keyp->security, request, &ad); 4379 rc = smk_bu_note("key access", tkp, keyp->security, request, rc); 4380 return rc; 4381 } 4382 4383 /* 4384 * smack_key_getsecurity - Smack label tagging the key 4385 * @key points to the key to be queried 4386 * @_buffer points to a pointer that should be set to point to the 4387 * resulting string (if no label or an error occurs). 4388 * Return the length of the string (including terminating NUL) or -ve if 4389 * an error. 4390 * May also return 0 (and a NULL buffer pointer) if there is no label. 4391 */ 4392 static int smack_key_getsecurity(struct key *key, char **_buffer) 4393 { 4394 struct smack_known *skp = key->security; 4395 size_t length; 4396 char *copy; 4397 4398 if (key->security == NULL) { 4399 *_buffer = NULL; 4400 return 0; 4401 } 4402 4403 copy = kstrdup(skp->smk_known, GFP_KERNEL); 4404 if (copy == NULL) 4405 return -ENOMEM; 4406 length = strlen(copy) + 1; 4407 4408 *_buffer = copy; 4409 return length; 4410 } 4411 4412 #endif /* CONFIG_KEYS */ 4413 4414 /* 4415 * Smack Audit hooks 4416 * 4417 * Audit requires a unique representation of each Smack specific 4418 * rule. This unique representation is used to distinguish the 4419 * object to be audited from remaining kernel objects and also 4420 * works as a glue between the audit hooks. 4421 * 4422 * Since repository entries are added but never deleted, we'll use 4423 * the smack_known label address related to the given audit rule as 4424 * the needed unique representation. This also better fits the smack 4425 * model where nearly everything is a label. 4426 */ 4427 #ifdef CONFIG_AUDIT 4428 4429 /** 4430 * smack_audit_rule_init - Initialize a smack audit rule 4431 * @field: audit rule fields given from user-space (audit.h) 4432 * @op: required testing operator (=, !=, >, <, ...) 4433 * @rulestr: smack label to be audited 4434 * @vrule: pointer to save our own audit rule representation 4435 * 4436 * Prepare to audit cases where (@field @op @rulestr) is true. 4437 * The label to be audited is created if necessay. 4438 */ 4439 static int smack_audit_rule_init(u32 field, u32 op, char *rulestr, void **vrule) 4440 { 4441 struct smack_known *skp; 4442 char **rule = (char **)vrule; 4443 *rule = NULL; 4444 4445 if (field != AUDIT_SUBJ_USER && field != AUDIT_OBJ_USER) 4446 return -EINVAL; 4447 4448 if (op != Audit_equal && op != Audit_not_equal) 4449 return -EINVAL; 4450 4451 skp = smk_import_entry(rulestr, 0); 4452 if (IS_ERR(skp)) 4453 return PTR_ERR(skp); 4454 4455 *rule = skp->smk_known; 4456 4457 return 0; 4458 } 4459 4460 /** 4461 * smack_audit_rule_known - Distinguish Smack audit rules 4462 * @krule: rule of interest, in Audit kernel representation format 4463 * 4464 * This is used to filter Smack rules from remaining Audit ones. 4465 * If it's proved that this rule belongs to us, the 4466 * audit_rule_match hook will be called to do the final judgement. 4467 */ 4468 static int smack_audit_rule_known(struct audit_krule *krule) 4469 { 4470 struct audit_field *f; 4471 int i; 4472 4473 for (i = 0; i < krule->field_count; i++) { 4474 f = &krule->fields[i]; 4475 4476 if (f->type == AUDIT_SUBJ_USER || f->type == AUDIT_OBJ_USER) 4477 return 1; 4478 } 4479 4480 return 0; 4481 } 4482 4483 /** 4484 * smack_audit_rule_match - Audit given object ? 4485 * @secid: security id for identifying the object to test 4486 * @field: audit rule flags given from user-space 4487 * @op: required testing operator 4488 * @vrule: smack internal rule presentation 4489 * @actx: audit context associated with the check 4490 * 4491 * The core Audit hook. It's used to take the decision of 4492 * whether to audit or not to audit a given object. 4493 */ 4494 static int smack_audit_rule_match(u32 secid, u32 field, u32 op, void *vrule, 4495 struct audit_context *actx) 4496 { 4497 struct smack_known *skp; 4498 char *rule = vrule; 4499 4500 if (unlikely(!rule)) { 4501 WARN_ONCE(1, "Smack: missing rule\n"); 4502 return -ENOENT; 4503 } 4504 4505 if (field != AUDIT_SUBJ_USER && field != AUDIT_OBJ_USER) 4506 return 0; 4507 4508 skp = smack_from_secid(secid); 4509 4510 /* 4511 * No need to do string comparisons. If a match occurs, 4512 * both pointers will point to the same smack_known 4513 * label. 4514 */ 4515 if (op == Audit_equal) 4516 return (rule == skp->smk_known); 4517 if (op == Audit_not_equal) 4518 return (rule != skp->smk_known); 4519 4520 return 0; 4521 } 4522 4523 /* 4524 * There is no need for a smack_audit_rule_free hook. 4525 * No memory was allocated. 4526 */ 4527 4528 #endif /* CONFIG_AUDIT */ 4529 4530 /** 4531 * smack_ismaclabel - check if xattr @name references a smack MAC label 4532 * @name: Full xattr name to check. 4533 */ 4534 static int smack_ismaclabel(const char *name) 4535 { 4536 return (strcmp(name, XATTR_SMACK_SUFFIX) == 0); 4537 } 4538 4539 4540 /** 4541 * smack_secid_to_secctx - return the smack label for a secid 4542 * @secid: incoming integer 4543 * @secdata: destination 4544 * @seclen: how long it is 4545 * 4546 * Exists for networking code. 4547 */ 4548 static int smack_secid_to_secctx(u32 secid, char **secdata, u32 *seclen) 4549 { 4550 struct smack_known *skp = smack_from_secid(secid); 4551 4552 if (secdata) 4553 *secdata = skp->smk_known; 4554 *seclen = strlen(skp->smk_known); 4555 return 0; 4556 } 4557 4558 /** 4559 * smack_secctx_to_secid - return the secid for a smack label 4560 * @secdata: smack label 4561 * @seclen: how long result is 4562 * @secid: outgoing integer 4563 * 4564 * Exists for audit and networking code. 4565 */ 4566 static int smack_secctx_to_secid(const char *secdata, u32 seclen, u32 *secid) 4567 { 4568 struct smack_known *skp = smk_find_entry(secdata); 4569 4570 if (skp) 4571 *secid = skp->smk_secid; 4572 else 4573 *secid = 0; 4574 return 0; 4575 } 4576 4577 /* 4578 * There used to be a smack_release_secctx hook 4579 * that did nothing back when hooks were in a vector. 4580 * Now that there's a list such a hook adds cost. 4581 */ 4582 4583 static int smack_inode_notifysecctx(struct inode *inode, void *ctx, u32 ctxlen) 4584 { 4585 return smack_inode_setsecurity(inode, XATTR_SMACK_SUFFIX, ctx, ctxlen, 0); 4586 } 4587 4588 static int smack_inode_setsecctx(struct dentry *dentry, void *ctx, u32 ctxlen) 4589 { 4590 return __vfs_setxattr_noperm(dentry, XATTR_NAME_SMACK, ctx, ctxlen, 0); 4591 } 4592 4593 static int smack_inode_getsecctx(struct inode *inode, void **ctx, u32 *ctxlen) 4594 { 4595 int len = 0; 4596 len = smack_inode_getsecurity(inode, XATTR_SMACK_SUFFIX, ctx, true); 4597 4598 if (len < 0) 4599 return len; 4600 *ctxlen = len; 4601 return 0; 4602 } 4603 4604 static struct security_hook_list smack_hooks[] = { 4605 LSM_HOOK_INIT(ptrace_access_check, smack_ptrace_access_check), 4606 LSM_HOOK_INIT(ptrace_traceme, smack_ptrace_traceme), 4607 LSM_HOOK_INIT(syslog, smack_syslog), 4608 4609 LSM_HOOK_INIT(sb_alloc_security, smack_sb_alloc_security), 4610 LSM_HOOK_INIT(sb_free_security, smack_sb_free_security), 4611 LSM_HOOK_INIT(sb_copy_data, smack_sb_copy_data), 4612 LSM_HOOK_INIT(sb_kern_mount, smack_sb_kern_mount), 4613 LSM_HOOK_INIT(sb_statfs, smack_sb_statfs), 4614 LSM_HOOK_INIT(sb_set_mnt_opts, smack_set_mnt_opts), 4615 LSM_HOOK_INIT(sb_parse_opts_str, smack_parse_opts_str), 4616 4617 LSM_HOOK_INIT(bprm_set_creds, smack_bprm_set_creds), 4618 LSM_HOOK_INIT(bprm_committing_creds, smack_bprm_committing_creds), 4619 LSM_HOOK_INIT(bprm_secureexec, smack_bprm_secureexec), 4620 4621 LSM_HOOK_INIT(inode_alloc_security, smack_inode_alloc_security), 4622 LSM_HOOK_INIT(inode_free_security, smack_inode_free_security), 4623 LSM_HOOK_INIT(inode_init_security, smack_inode_init_security), 4624 LSM_HOOK_INIT(inode_link, smack_inode_link), 4625 LSM_HOOK_INIT(inode_unlink, smack_inode_unlink), 4626 LSM_HOOK_INIT(inode_rmdir, smack_inode_rmdir), 4627 LSM_HOOK_INIT(inode_rename, smack_inode_rename), 4628 LSM_HOOK_INIT(inode_permission, smack_inode_permission), 4629 LSM_HOOK_INIT(inode_setattr, smack_inode_setattr), 4630 LSM_HOOK_INIT(inode_getattr, smack_inode_getattr), 4631 LSM_HOOK_INIT(inode_setxattr, smack_inode_setxattr), 4632 LSM_HOOK_INIT(inode_post_setxattr, smack_inode_post_setxattr), 4633 LSM_HOOK_INIT(inode_getxattr, smack_inode_getxattr), 4634 LSM_HOOK_INIT(inode_removexattr, smack_inode_removexattr), 4635 LSM_HOOK_INIT(inode_getsecurity, smack_inode_getsecurity), 4636 LSM_HOOK_INIT(inode_setsecurity, smack_inode_setsecurity), 4637 LSM_HOOK_INIT(inode_listsecurity, smack_inode_listsecurity), 4638 LSM_HOOK_INIT(inode_getsecid, smack_inode_getsecid), 4639 4640 LSM_HOOK_INIT(file_alloc_security, smack_file_alloc_security), 4641 LSM_HOOK_INIT(file_free_security, smack_file_free_security), 4642 LSM_HOOK_INIT(file_ioctl, smack_file_ioctl), 4643 LSM_HOOK_INIT(file_lock, smack_file_lock), 4644 LSM_HOOK_INIT(file_fcntl, smack_file_fcntl), 4645 LSM_HOOK_INIT(mmap_file, smack_mmap_file), 4646 LSM_HOOK_INIT(mmap_addr, cap_mmap_addr), 4647 LSM_HOOK_INIT(file_set_fowner, smack_file_set_fowner), 4648 LSM_HOOK_INIT(file_send_sigiotask, smack_file_send_sigiotask), 4649 LSM_HOOK_INIT(file_receive, smack_file_receive), 4650 4651 LSM_HOOK_INIT(file_open, smack_file_open), 4652 4653 LSM_HOOK_INIT(cred_alloc_blank, smack_cred_alloc_blank), 4654 LSM_HOOK_INIT(cred_free, smack_cred_free), 4655 LSM_HOOK_INIT(cred_prepare, smack_cred_prepare), 4656 LSM_HOOK_INIT(cred_transfer, smack_cred_transfer), 4657 LSM_HOOK_INIT(kernel_act_as, smack_kernel_act_as), 4658 LSM_HOOK_INIT(kernel_create_files_as, smack_kernel_create_files_as), 4659 LSM_HOOK_INIT(task_setpgid, smack_task_setpgid), 4660 LSM_HOOK_INIT(task_getpgid, smack_task_getpgid), 4661 LSM_HOOK_INIT(task_getsid, smack_task_getsid), 4662 LSM_HOOK_INIT(task_getsecid, smack_task_getsecid), 4663 LSM_HOOK_INIT(task_setnice, smack_task_setnice), 4664 LSM_HOOK_INIT(task_setioprio, smack_task_setioprio), 4665 LSM_HOOK_INIT(task_getioprio, smack_task_getioprio), 4666 LSM_HOOK_INIT(task_setscheduler, smack_task_setscheduler), 4667 LSM_HOOK_INIT(task_getscheduler, smack_task_getscheduler), 4668 LSM_HOOK_INIT(task_movememory, smack_task_movememory), 4669 LSM_HOOK_INIT(task_kill, smack_task_kill), 4670 LSM_HOOK_INIT(task_wait, smack_task_wait), 4671 LSM_HOOK_INIT(task_to_inode, smack_task_to_inode), 4672 4673 LSM_HOOK_INIT(ipc_permission, smack_ipc_permission), 4674 LSM_HOOK_INIT(ipc_getsecid, smack_ipc_getsecid), 4675 4676 LSM_HOOK_INIT(msg_msg_alloc_security, smack_msg_msg_alloc_security), 4677 LSM_HOOK_INIT(msg_msg_free_security, smack_msg_msg_free_security), 4678 4679 LSM_HOOK_INIT(msg_queue_alloc_security, smack_msg_queue_alloc_security), 4680 LSM_HOOK_INIT(msg_queue_free_security, smack_msg_queue_free_security), 4681 LSM_HOOK_INIT(msg_queue_associate, smack_msg_queue_associate), 4682 LSM_HOOK_INIT(msg_queue_msgctl, smack_msg_queue_msgctl), 4683 LSM_HOOK_INIT(msg_queue_msgsnd, smack_msg_queue_msgsnd), 4684 LSM_HOOK_INIT(msg_queue_msgrcv, smack_msg_queue_msgrcv), 4685 4686 LSM_HOOK_INIT(shm_alloc_security, smack_shm_alloc_security), 4687 LSM_HOOK_INIT(shm_free_security, smack_shm_free_security), 4688 LSM_HOOK_INIT(shm_associate, smack_shm_associate), 4689 LSM_HOOK_INIT(shm_shmctl, smack_shm_shmctl), 4690 LSM_HOOK_INIT(shm_shmat, smack_shm_shmat), 4691 4692 LSM_HOOK_INIT(sem_alloc_security, smack_sem_alloc_security), 4693 LSM_HOOK_INIT(sem_free_security, smack_sem_free_security), 4694 LSM_HOOK_INIT(sem_associate, smack_sem_associate), 4695 LSM_HOOK_INIT(sem_semctl, smack_sem_semctl), 4696 LSM_HOOK_INIT(sem_semop, smack_sem_semop), 4697 4698 LSM_HOOK_INIT(d_instantiate, smack_d_instantiate), 4699 4700 LSM_HOOK_INIT(getprocattr, smack_getprocattr), 4701 LSM_HOOK_INIT(setprocattr, smack_setprocattr), 4702 4703 LSM_HOOK_INIT(unix_stream_connect, smack_unix_stream_connect), 4704 LSM_HOOK_INIT(unix_may_send, smack_unix_may_send), 4705 4706 LSM_HOOK_INIT(socket_post_create, smack_socket_post_create), 4707 #ifdef SMACK_IPV6_PORT_LABELING 4708 LSM_HOOK_INIT(socket_bind, smack_socket_bind), 4709 #endif 4710 LSM_HOOK_INIT(socket_connect, smack_socket_connect), 4711 LSM_HOOK_INIT(socket_sendmsg, smack_socket_sendmsg), 4712 LSM_HOOK_INIT(socket_sock_rcv_skb, smack_socket_sock_rcv_skb), 4713 LSM_HOOK_INIT(socket_getpeersec_stream, smack_socket_getpeersec_stream), 4714 LSM_HOOK_INIT(socket_getpeersec_dgram, smack_socket_getpeersec_dgram), 4715 LSM_HOOK_INIT(sk_alloc_security, smack_sk_alloc_security), 4716 LSM_HOOK_INIT(sk_free_security, smack_sk_free_security), 4717 LSM_HOOK_INIT(sock_graft, smack_sock_graft), 4718 LSM_HOOK_INIT(inet_conn_request, smack_inet_conn_request), 4719 LSM_HOOK_INIT(inet_csk_clone, smack_inet_csk_clone), 4720 4721 /* key management security hooks */ 4722 #ifdef CONFIG_KEYS 4723 LSM_HOOK_INIT(key_alloc, smack_key_alloc), 4724 LSM_HOOK_INIT(key_free, smack_key_free), 4725 LSM_HOOK_INIT(key_permission, smack_key_permission), 4726 LSM_HOOK_INIT(key_getsecurity, smack_key_getsecurity), 4727 #endif /* CONFIG_KEYS */ 4728 4729 /* Audit hooks */ 4730 #ifdef CONFIG_AUDIT 4731 LSM_HOOK_INIT(audit_rule_init, smack_audit_rule_init), 4732 LSM_HOOK_INIT(audit_rule_known, smack_audit_rule_known), 4733 LSM_HOOK_INIT(audit_rule_match, smack_audit_rule_match), 4734 #endif /* CONFIG_AUDIT */ 4735 4736 LSM_HOOK_INIT(ismaclabel, smack_ismaclabel), 4737 LSM_HOOK_INIT(secid_to_secctx, smack_secid_to_secctx), 4738 LSM_HOOK_INIT(secctx_to_secid, smack_secctx_to_secid), 4739 LSM_HOOK_INIT(inode_notifysecctx, smack_inode_notifysecctx), 4740 LSM_HOOK_INIT(inode_setsecctx, smack_inode_setsecctx), 4741 LSM_HOOK_INIT(inode_getsecctx, smack_inode_getsecctx), 4742 }; 4743 4744 4745 static __init void init_smack_known_list(void) 4746 { 4747 /* 4748 * Initialize rule list locks 4749 */ 4750 mutex_init(&smack_known_huh.smk_rules_lock); 4751 mutex_init(&smack_known_hat.smk_rules_lock); 4752 mutex_init(&smack_known_floor.smk_rules_lock); 4753 mutex_init(&smack_known_star.smk_rules_lock); 4754 mutex_init(&smack_known_web.smk_rules_lock); 4755 /* 4756 * Initialize rule lists 4757 */ 4758 INIT_LIST_HEAD(&smack_known_huh.smk_rules); 4759 INIT_LIST_HEAD(&smack_known_hat.smk_rules); 4760 INIT_LIST_HEAD(&smack_known_star.smk_rules); 4761 INIT_LIST_HEAD(&smack_known_floor.smk_rules); 4762 INIT_LIST_HEAD(&smack_known_web.smk_rules); 4763 /* 4764 * Create the known labels list 4765 */ 4766 smk_insert_entry(&smack_known_huh); 4767 smk_insert_entry(&smack_known_hat); 4768 smk_insert_entry(&smack_known_star); 4769 smk_insert_entry(&smack_known_floor); 4770 smk_insert_entry(&smack_known_web); 4771 } 4772 4773 /** 4774 * smack_init - initialize the smack system 4775 * 4776 * Returns 0 4777 */ 4778 static __init int smack_init(void) 4779 { 4780 struct cred *cred; 4781 struct task_smack *tsp; 4782 4783 if (!security_module_enable("smack")) 4784 return 0; 4785 4786 smack_inode_cache = KMEM_CACHE(inode_smack, 0); 4787 if (!smack_inode_cache) 4788 return -ENOMEM; 4789 4790 tsp = new_task_smack(&smack_known_floor, &smack_known_floor, 4791 GFP_KERNEL); 4792 if (tsp == NULL) { 4793 kmem_cache_destroy(smack_inode_cache); 4794 return -ENOMEM; 4795 } 4796 4797 smack_enabled = 1; 4798 4799 pr_info("Smack: Initializing.\n"); 4800 #ifdef CONFIG_SECURITY_SMACK_NETFILTER 4801 pr_info("Smack: Netfilter enabled.\n"); 4802 #endif 4803 #ifdef SMACK_IPV6_PORT_LABELING 4804 pr_info("Smack: IPv6 port labeling enabled.\n"); 4805 #endif 4806 #ifdef SMACK_IPV6_SECMARK_LABELING 4807 pr_info("Smack: IPv6 Netfilter enabled.\n"); 4808 #endif 4809 4810 /* 4811 * Set the security state for the initial task. 4812 */ 4813 cred = (struct cred *) current->cred; 4814 cred->security = tsp; 4815 4816 /* initialize the smack_known_list */ 4817 init_smack_known_list(); 4818 4819 /* 4820 * Register with LSM 4821 */ 4822 security_add_hooks(smack_hooks, ARRAY_SIZE(smack_hooks)); 4823 4824 return 0; 4825 } 4826 4827 /* 4828 * Smack requires early initialization in order to label 4829 * all processes and objects when they are created. 4830 */ 4831 security_initcall(smack_init); 4832