1 /* 2 * Simplified MAC Kernel (smack) security module 3 * 4 * This file contains the smack hook function implementations. 5 * 6 * Authors: 7 * Casey Schaufler <casey@schaufler-ca.com> 8 * Jarkko Sakkinen <jarkko.sakkinen@intel.com> 9 * 10 * Copyright (C) 2007 Casey Schaufler <casey@schaufler-ca.com> 11 * Copyright (C) 2009 Hewlett-Packard Development Company, L.P. 12 * Paul Moore <paul@paul-moore.com> 13 * Copyright (C) 2010 Nokia Corporation 14 * Copyright (C) 2011 Intel Corporation. 15 * 16 * This program is free software; you can redistribute it and/or modify 17 * it under the terms of the GNU General Public License version 2, 18 * as published by the Free Software Foundation. 19 */ 20 21 #include <linux/xattr.h> 22 #include <linux/pagemap.h> 23 #include <linux/mount.h> 24 #include <linux/stat.h> 25 #include <linux/kd.h> 26 #include <asm/ioctls.h> 27 #include <linux/ip.h> 28 #include <linux/tcp.h> 29 #include <linux/udp.h> 30 #include <linux/dccp.h> 31 #include <linux/slab.h> 32 #include <linux/mutex.h> 33 #include <linux/pipe_fs_i.h> 34 #include <net/cipso_ipv4.h> 35 #include <net/ip.h> 36 #include <net/ipv6.h> 37 #include <linux/audit.h> 38 #include <linux/magic.h> 39 #include <linux/dcache.h> 40 #include <linux/personality.h> 41 #include <linux/msg.h> 42 #include <linux/shm.h> 43 #include <linux/binfmts.h> 44 #include <linux/parser.h> 45 #include "smack.h" 46 47 #define TRANS_TRUE "TRUE" 48 #define TRANS_TRUE_SIZE 4 49 50 #define SMK_CONNECTING 0 51 #define SMK_RECEIVING 1 52 #define SMK_SENDING 2 53 54 #ifdef SMACK_IPV6_PORT_LABELING 55 DEFINE_MUTEX(smack_ipv6_lock); 56 static LIST_HEAD(smk_ipv6_port_list); 57 #endif 58 static struct kmem_cache *smack_inode_cache; 59 int smack_enabled; 60 61 static const match_table_t smk_mount_tokens = { 62 {Opt_fsdefault, SMK_FSDEFAULT "%s"}, 63 {Opt_fsfloor, SMK_FSFLOOR "%s"}, 64 {Opt_fshat, SMK_FSHAT "%s"}, 65 {Opt_fsroot, SMK_FSROOT "%s"}, 66 {Opt_fstransmute, SMK_FSTRANS "%s"}, 67 {Opt_error, NULL}, 68 }; 69 70 #ifdef CONFIG_SECURITY_SMACK_BRINGUP 71 static char *smk_bu_mess[] = { 72 "Bringup Error", /* Unused */ 73 "Bringup", /* SMACK_BRINGUP_ALLOW */ 74 "Unconfined Subject", /* SMACK_UNCONFINED_SUBJECT */ 75 "Unconfined Object", /* SMACK_UNCONFINED_OBJECT */ 76 }; 77 78 static void smk_bu_mode(int mode, char *s) 79 { 80 int i = 0; 81 82 if (mode & MAY_READ) 83 s[i++] = 'r'; 84 if (mode & MAY_WRITE) 85 s[i++] = 'w'; 86 if (mode & MAY_EXEC) 87 s[i++] = 'x'; 88 if (mode & MAY_APPEND) 89 s[i++] = 'a'; 90 if (mode & MAY_TRANSMUTE) 91 s[i++] = 't'; 92 if (mode & MAY_LOCK) 93 s[i++] = 'l'; 94 if (i == 0) 95 s[i++] = '-'; 96 s[i] = '\0'; 97 } 98 #endif 99 100 #ifdef CONFIG_SECURITY_SMACK_BRINGUP 101 static int smk_bu_note(char *note, struct smack_known *sskp, 102 struct smack_known *oskp, int mode, int rc) 103 { 104 char acc[SMK_NUM_ACCESS_TYPE + 1]; 105 106 if (rc <= 0) 107 return rc; 108 if (rc > SMACK_UNCONFINED_OBJECT) 109 rc = 0; 110 111 smk_bu_mode(mode, acc); 112 pr_info("Smack %s: (%s %s %s) %s\n", smk_bu_mess[rc], 113 sskp->smk_known, oskp->smk_known, acc, note); 114 return 0; 115 } 116 #else 117 #define smk_bu_note(note, sskp, oskp, mode, RC) (RC) 118 #endif 119 120 #ifdef CONFIG_SECURITY_SMACK_BRINGUP 121 static int smk_bu_current(char *note, struct smack_known *oskp, 122 int mode, int rc) 123 { 124 struct task_smack *tsp = current_security(); 125 char acc[SMK_NUM_ACCESS_TYPE + 1]; 126 127 if (rc <= 0) 128 return rc; 129 if (rc > SMACK_UNCONFINED_OBJECT) 130 rc = 0; 131 132 smk_bu_mode(mode, acc); 133 pr_info("Smack %s: (%s %s %s) %s %s\n", smk_bu_mess[rc], 134 tsp->smk_task->smk_known, oskp->smk_known, 135 acc, current->comm, note); 136 return 0; 137 } 138 #else 139 #define smk_bu_current(note, oskp, mode, RC) (RC) 140 #endif 141 142 #ifdef CONFIG_SECURITY_SMACK_BRINGUP 143 static int smk_bu_task(struct task_struct *otp, int mode, int rc) 144 { 145 struct task_smack *tsp = current_security(); 146 struct smack_known *smk_task = smk_of_task_struct(otp); 147 char acc[SMK_NUM_ACCESS_TYPE + 1]; 148 149 if (rc <= 0) 150 return rc; 151 if (rc > SMACK_UNCONFINED_OBJECT) 152 rc = 0; 153 154 smk_bu_mode(mode, acc); 155 pr_info("Smack %s: (%s %s %s) %s to %s\n", smk_bu_mess[rc], 156 tsp->smk_task->smk_known, smk_task->smk_known, acc, 157 current->comm, otp->comm); 158 return 0; 159 } 160 #else 161 #define smk_bu_task(otp, mode, RC) (RC) 162 #endif 163 164 #ifdef CONFIG_SECURITY_SMACK_BRINGUP 165 static int smk_bu_inode(struct inode *inode, int mode, int rc) 166 { 167 struct task_smack *tsp = current_security(); 168 struct inode_smack *isp = inode->i_security; 169 char acc[SMK_NUM_ACCESS_TYPE + 1]; 170 171 if (isp->smk_flags & SMK_INODE_IMPURE) 172 pr_info("Smack Unconfined Corruption: inode=(%s %ld) %s\n", 173 inode->i_sb->s_id, inode->i_ino, current->comm); 174 175 if (rc <= 0) 176 return rc; 177 if (rc > SMACK_UNCONFINED_OBJECT) 178 rc = 0; 179 if (rc == SMACK_UNCONFINED_SUBJECT && 180 (mode & (MAY_WRITE | MAY_APPEND))) 181 isp->smk_flags |= SMK_INODE_IMPURE; 182 183 smk_bu_mode(mode, acc); 184 185 pr_info("Smack %s: (%s %s %s) inode=(%s %ld) %s\n", smk_bu_mess[rc], 186 tsp->smk_task->smk_known, isp->smk_inode->smk_known, acc, 187 inode->i_sb->s_id, inode->i_ino, current->comm); 188 return 0; 189 } 190 #else 191 #define smk_bu_inode(inode, mode, RC) (RC) 192 #endif 193 194 #ifdef CONFIG_SECURITY_SMACK_BRINGUP 195 static int smk_bu_file(struct file *file, int mode, int rc) 196 { 197 struct task_smack *tsp = current_security(); 198 struct smack_known *sskp = tsp->smk_task; 199 struct inode *inode = file_inode(file); 200 struct inode_smack *isp = inode->i_security; 201 char acc[SMK_NUM_ACCESS_TYPE + 1]; 202 203 if (isp->smk_flags & SMK_INODE_IMPURE) 204 pr_info("Smack Unconfined Corruption: inode=(%s %ld) %s\n", 205 inode->i_sb->s_id, inode->i_ino, current->comm); 206 207 if (rc <= 0) 208 return rc; 209 if (rc > SMACK_UNCONFINED_OBJECT) 210 rc = 0; 211 212 smk_bu_mode(mode, acc); 213 pr_info("Smack %s: (%s %s %s) file=(%s %ld %pD) %s\n", smk_bu_mess[rc], 214 sskp->smk_known, smk_of_inode(inode)->smk_known, acc, 215 inode->i_sb->s_id, inode->i_ino, file, 216 current->comm); 217 return 0; 218 } 219 #else 220 #define smk_bu_file(file, mode, RC) (RC) 221 #endif 222 223 #ifdef CONFIG_SECURITY_SMACK_BRINGUP 224 static int smk_bu_credfile(const struct cred *cred, struct file *file, 225 int mode, int rc) 226 { 227 struct task_smack *tsp = cred->security; 228 struct smack_known *sskp = tsp->smk_task; 229 struct inode *inode = file_inode(file); 230 struct inode_smack *isp = inode->i_security; 231 char acc[SMK_NUM_ACCESS_TYPE + 1]; 232 233 if (isp->smk_flags & SMK_INODE_IMPURE) 234 pr_info("Smack Unconfined Corruption: inode=(%s %ld) %s\n", 235 inode->i_sb->s_id, inode->i_ino, current->comm); 236 237 if (rc <= 0) 238 return rc; 239 if (rc > SMACK_UNCONFINED_OBJECT) 240 rc = 0; 241 242 smk_bu_mode(mode, acc); 243 pr_info("Smack %s: (%s %s %s) file=(%s %ld %pD) %s\n", smk_bu_mess[rc], 244 sskp->smk_known, smk_of_inode(inode)->smk_known, acc, 245 inode->i_sb->s_id, inode->i_ino, file, 246 current->comm); 247 return 0; 248 } 249 #else 250 #define smk_bu_credfile(cred, file, mode, RC) (RC) 251 #endif 252 253 /** 254 * smk_fetch - Fetch the smack label from a file. 255 * @name: type of the label (attribute) 256 * @ip: a pointer to the inode 257 * @dp: a pointer to the dentry 258 * 259 * Returns a pointer to the master list entry for the Smack label, 260 * NULL if there was no label to fetch, or an error code. 261 */ 262 static struct smack_known *smk_fetch(const char *name, struct inode *ip, 263 struct dentry *dp) 264 { 265 int rc; 266 char *buffer; 267 struct smack_known *skp = NULL; 268 269 if (!(ip->i_opflags & IOP_XATTR)) 270 return ERR_PTR(-EOPNOTSUPP); 271 272 buffer = kzalloc(SMK_LONGLABEL, GFP_KERNEL); 273 if (buffer == NULL) 274 return ERR_PTR(-ENOMEM); 275 276 rc = __vfs_getxattr(dp, ip, name, buffer, SMK_LONGLABEL); 277 if (rc < 0) 278 skp = ERR_PTR(rc); 279 else if (rc == 0) 280 skp = NULL; 281 else 282 skp = smk_import_entry(buffer, rc); 283 284 kfree(buffer); 285 286 return skp; 287 } 288 289 /** 290 * new_inode_smack - allocate an inode security blob 291 * @skp: a pointer to the Smack label entry to use in the blob 292 * 293 * Returns the new blob or NULL if there's no memory available 294 */ 295 static struct inode_smack *new_inode_smack(struct smack_known *skp) 296 { 297 struct inode_smack *isp; 298 299 isp = kmem_cache_zalloc(smack_inode_cache, GFP_NOFS); 300 if (isp == NULL) 301 return NULL; 302 303 isp->smk_inode = skp; 304 isp->smk_flags = 0; 305 mutex_init(&isp->smk_lock); 306 307 return isp; 308 } 309 310 /** 311 * new_task_smack - allocate a task security blob 312 * @task: a pointer to the Smack label for the running task 313 * @forked: a pointer to the Smack label for the forked task 314 * @gfp: type of the memory for the allocation 315 * 316 * Returns the new blob or NULL if there's no memory available 317 */ 318 static struct task_smack *new_task_smack(struct smack_known *task, 319 struct smack_known *forked, gfp_t gfp) 320 { 321 struct task_smack *tsp; 322 323 tsp = kzalloc(sizeof(struct task_smack), gfp); 324 if (tsp == NULL) 325 return NULL; 326 327 tsp->smk_task = task; 328 tsp->smk_forked = forked; 329 INIT_LIST_HEAD(&tsp->smk_rules); 330 INIT_LIST_HEAD(&tsp->smk_relabel); 331 mutex_init(&tsp->smk_rules_lock); 332 333 return tsp; 334 } 335 336 /** 337 * smk_copy_rules - copy a rule set 338 * @nhead: new rules header pointer 339 * @ohead: old rules header pointer 340 * @gfp: type of the memory for the allocation 341 * 342 * Returns 0 on success, -ENOMEM on error 343 */ 344 static int smk_copy_rules(struct list_head *nhead, struct list_head *ohead, 345 gfp_t gfp) 346 { 347 struct smack_rule *nrp; 348 struct smack_rule *orp; 349 int rc = 0; 350 351 list_for_each_entry_rcu(orp, ohead, list) { 352 nrp = kzalloc(sizeof(struct smack_rule), gfp); 353 if (nrp == NULL) { 354 rc = -ENOMEM; 355 break; 356 } 357 *nrp = *orp; 358 list_add_rcu(&nrp->list, nhead); 359 } 360 return rc; 361 } 362 363 /** 364 * smk_copy_relabel - copy smk_relabel labels list 365 * @nhead: new rules header pointer 366 * @ohead: old rules header pointer 367 * @gfp: type of the memory for the allocation 368 * 369 * Returns 0 on success, -ENOMEM on error 370 */ 371 static int smk_copy_relabel(struct list_head *nhead, struct list_head *ohead, 372 gfp_t gfp) 373 { 374 struct smack_known_list_elem *nklep; 375 struct smack_known_list_elem *oklep; 376 377 list_for_each_entry(oklep, ohead, list) { 378 nklep = kzalloc(sizeof(struct smack_known_list_elem), gfp); 379 if (nklep == NULL) { 380 smk_destroy_label_list(nhead); 381 return -ENOMEM; 382 } 383 nklep->smk_label = oklep->smk_label; 384 list_add(&nklep->list, nhead); 385 } 386 387 return 0; 388 } 389 390 /** 391 * smk_ptrace_mode - helper function for converting PTRACE_MODE_* into MAY_* 392 * @mode - input mode in form of PTRACE_MODE_* 393 * 394 * Returns a converted MAY_* mode usable by smack rules 395 */ 396 static inline unsigned int smk_ptrace_mode(unsigned int mode) 397 { 398 if (mode & PTRACE_MODE_ATTACH) 399 return MAY_READWRITE; 400 if (mode & PTRACE_MODE_READ) 401 return MAY_READ; 402 403 return 0; 404 } 405 406 /** 407 * smk_ptrace_rule_check - helper for ptrace access 408 * @tracer: tracer process 409 * @tracee_known: label entry of the process that's about to be traced 410 * @mode: ptrace attachment mode (PTRACE_MODE_*) 411 * @func: name of the function that called us, used for audit 412 * 413 * Returns 0 on access granted, -error on error 414 */ 415 static int smk_ptrace_rule_check(struct task_struct *tracer, 416 struct smack_known *tracee_known, 417 unsigned int mode, const char *func) 418 { 419 int rc; 420 struct smk_audit_info ad, *saip = NULL; 421 struct task_smack *tsp; 422 struct smack_known *tracer_known; 423 424 if ((mode & PTRACE_MODE_NOAUDIT) == 0) { 425 smk_ad_init(&ad, func, LSM_AUDIT_DATA_TASK); 426 smk_ad_setfield_u_tsk(&ad, tracer); 427 saip = &ad; 428 } 429 430 rcu_read_lock(); 431 tsp = __task_cred(tracer)->security; 432 tracer_known = smk_of_task(tsp); 433 434 if ((mode & PTRACE_MODE_ATTACH) && 435 (smack_ptrace_rule == SMACK_PTRACE_EXACT || 436 smack_ptrace_rule == SMACK_PTRACE_DRACONIAN)) { 437 if (tracer_known->smk_known == tracee_known->smk_known) 438 rc = 0; 439 else if (smack_ptrace_rule == SMACK_PTRACE_DRACONIAN) 440 rc = -EACCES; 441 else if (capable(CAP_SYS_PTRACE)) 442 rc = 0; 443 else 444 rc = -EACCES; 445 446 if (saip) 447 smack_log(tracer_known->smk_known, 448 tracee_known->smk_known, 449 0, rc, saip); 450 451 rcu_read_unlock(); 452 return rc; 453 } 454 455 /* In case of rule==SMACK_PTRACE_DEFAULT or mode==PTRACE_MODE_READ */ 456 rc = smk_tskacc(tsp, tracee_known, smk_ptrace_mode(mode), saip); 457 458 rcu_read_unlock(); 459 return rc; 460 } 461 462 /* 463 * LSM hooks. 464 * We he, that is fun! 465 */ 466 467 /** 468 * smack_ptrace_access_check - Smack approval on PTRACE_ATTACH 469 * @ctp: child task pointer 470 * @mode: ptrace attachment mode (PTRACE_MODE_*) 471 * 472 * Returns 0 if access is OK, an error code otherwise 473 * 474 * Do the capability checks. 475 */ 476 static int smack_ptrace_access_check(struct task_struct *ctp, unsigned int mode) 477 { 478 struct smack_known *skp; 479 480 skp = smk_of_task_struct(ctp); 481 482 return smk_ptrace_rule_check(current, skp, mode, __func__); 483 } 484 485 /** 486 * smack_ptrace_traceme - Smack approval on PTRACE_TRACEME 487 * @ptp: parent task pointer 488 * 489 * Returns 0 if access is OK, an error code otherwise 490 * 491 * Do the capability checks, and require PTRACE_MODE_ATTACH. 492 */ 493 static int smack_ptrace_traceme(struct task_struct *ptp) 494 { 495 int rc; 496 struct smack_known *skp; 497 498 skp = smk_of_task(current_security()); 499 500 rc = smk_ptrace_rule_check(ptp, skp, PTRACE_MODE_ATTACH, __func__); 501 return rc; 502 } 503 504 /** 505 * smack_syslog - Smack approval on syslog 506 * @type: message type 507 * 508 * Returns 0 on success, error code otherwise. 509 */ 510 static int smack_syslog(int typefrom_file) 511 { 512 int rc = 0; 513 struct smack_known *skp = smk_of_current(); 514 515 if (smack_privileged(CAP_MAC_OVERRIDE)) 516 return 0; 517 518 if (smack_syslog_label != NULL && smack_syslog_label != skp) 519 rc = -EACCES; 520 521 return rc; 522 } 523 524 525 /* 526 * Superblock Hooks. 527 */ 528 529 /** 530 * smack_sb_alloc_security - allocate a superblock blob 531 * @sb: the superblock getting the blob 532 * 533 * Returns 0 on success or -ENOMEM on error. 534 */ 535 static int smack_sb_alloc_security(struct super_block *sb) 536 { 537 struct superblock_smack *sbsp; 538 539 sbsp = kzalloc(sizeof(struct superblock_smack), GFP_KERNEL); 540 541 if (sbsp == NULL) 542 return -ENOMEM; 543 544 sbsp->smk_root = &smack_known_floor; 545 sbsp->smk_default = &smack_known_floor; 546 sbsp->smk_floor = &smack_known_floor; 547 sbsp->smk_hat = &smack_known_hat; 548 /* 549 * SMK_SB_INITIALIZED will be zero from kzalloc. 550 */ 551 sb->s_security = sbsp; 552 553 return 0; 554 } 555 556 /** 557 * smack_sb_free_security - free a superblock blob 558 * @sb: the superblock getting the blob 559 * 560 */ 561 static void smack_sb_free_security(struct super_block *sb) 562 { 563 kfree(sb->s_security); 564 sb->s_security = NULL; 565 } 566 567 /** 568 * smack_sb_copy_data - copy mount options data for processing 569 * @orig: where to start 570 * @smackopts: mount options string 571 * 572 * Returns 0 on success or -ENOMEM on error. 573 * 574 * Copy the Smack specific mount options out of the mount 575 * options list. 576 */ 577 static int smack_sb_copy_data(char *orig, char *smackopts) 578 { 579 char *cp, *commap, *otheropts, *dp; 580 581 otheropts = (char *)get_zeroed_page(GFP_KERNEL); 582 if (otheropts == NULL) 583 return -ENOMEM; 584 585 for (cp = orig, commap = orig; commap != NULL; cp = commap + 1) { 586 if (strstr(cp, SMK_FSDEFAULT) == cp) 587 dp = smackopts; 588 else if (strstr(cp, SMK_FSFLOOR) == cp) 589 dp = smackopts; 590 else if (strstr(cp, SMK_FSHAT) == cp) 591 dp = smackopts; 592 else if (strstr(cp, SMK_FSROOT) == cp) 593 dp = smackopts; 594 else if (strstr(cp, SMK_FSTRANS) == cp) 595 dp = smackopts; 596 else 597 dp = otheropts; 598 599 commap = strchr(cp, ','); 600 if (commap != NULL) 601 *commap = '\0'; 602 603 if (*dp != '\0') 604 strcat(dp, ","); 605 strcat(dp, cp); 606 } 607 608 strcpy(orig, otheropts); 609 free_page((unsigned long)otheropts); 610 611 return 0; 612 } 613 614 /** 615 * smack_parse_opts_str - parse Smack specific mount options 616 * @options: mount options string 617 * @opts: where to store converted mount opts 618 * 619 * Returns 0 on success or -ENOMEM on error. 620 * 621 * converts Smack specific mount options to generic security option format 622 */ 623 static int smack_parse_opts_str(char *options, 624 struct security_mnt_opts *opts) 625 { 626 char *p; 627 char *fsdefault = NULL; 628 char *fsfloor = NULL; 629 char *fshat = NULL; 630 char *fsroot = NULL; 631 char *fstransmute = NULL; 632 int rc = -ENOMEM; 633 int num_mnt_opts = 0; 634 int token; 635 636 opts->num_mnt_opts = 0; 637 638 if (!options) 639 return 0; 640 641 while ((p = strsep(&options, ",")) != NULL) { 642 substring_t args[MAX_OPT_ARGS]; 643 644 if (!*p) 645 continue; 646 647 token = match_token(p, smk_mount_tokens, args); 648 649 switch (token) { 650 case Opt_fsdefault: 651 if (fsdefault) 652 goto out_opt_err; 653 fsdefault = match_strdup(&args[0]); 654 if (!fsdefault) 655 goto out_err; 656 break; 657 case Opt_fsfloor: 658 if (fsfloor) 659 goto out_opt_err; 660 fsfloor = match_strdup(&args[0]); 661 if (!fsfloor) 662 goto out_err; 663 break; 664 case Opt_fshat: 665 if (fshat) 666 goto out_opt_err; 667 fshat = match_strdup(&args[0]); 668 if (!fshat) 669 goto out_err; 670 break; 671 case Opt_fsroot: 672 if (fsroot) 673 goto out_opt_err; 674 fsroot = match_strdup(&args[0]); 675 if (!fsroot) 676 goto out_err; 677 break; 678 case Opt_fstransmute: 679 if (fstransmute) 680 goto out_opt_err; 681 fstransmute = match_strdup(&args[0]); 682 if (!fstransmute) 683 goto out_err; 684 break; 685 default: 686 rc = -EINVAL; 687 pr_warn("Smack: unknown mount option\n"); 688 goto out_err; 689 } 690 } 691 692 opts->mnt_opts = kcalloc(NUM_SMK_MNT_OPTS, sizeof(char *), GFP_KERNEL); 693 if (!opts->mnt_opts) 694 goto out_err; 695 696 opts->mnt_opts_flags = kcalloc(NUM_SMK_MNT_OPTS, sizeof(int), 697 GFP_KERNEL); 698 if (!opts->mnt_opts_flags) { 699 kfree(opts->mnt_opts); 700 goto out_err; 701 } 702 703 if (fsdefault) { 704 opts->mnt_opts[num_mnt_opts] = fsdefault; 705 opts->mnt_opts_flags[num_mnt_opts++] = FSDEFAULT_MNT; 706 } 707 if (fsfloor) { 708 opts->mnt_opts[num_mnt_opts] = fsfloor; 709 opts->mnt_opts_flags[num_mnt_opts++] = FSFLOOR_MNT; 710 } 711 if (fshat) { 712 opts->mnt_opts[num_mnt_opts] = fshat; 713 opts->mnt_opts_flags[num_mnt_opts++] = FSHAT_MNT; 714 } 715 if (fsroot) { 716 opts->mnt_opts[num_mnt_opts] = fsroot; 717 opts->mnt_opts_flags[num_mnt_opts++] = FSROOT_MNT; 718 } 719 if (fstransmute) { 720 opts->mnt_opts[num_mnt_opts] = fstransmute; 721 opts->mnt_opts_flags[num_mnt_opts++] = FSTRANS_MNT; 722 } 723 724 opts->num_mnt_opts = num_mnt_opts; 725 return 0; 726 727 out_opt_err: 728 rc = -EINVAL; 729 pr_warn("Smack: duplicate mount options\n"); 730 731 out_err: 732 kfree(fsdefault); 733 kfree(fsfloor); 734 kfree(fshat); 735 kfree(fsroot); 736 kfree(fstransmute); 737 return rc; 738 } 739 740 /** 741 * smack_set_mnt_opts - set Smack specific mount options 742 * @sb: the file system superblock 743 * @opts: Smack mount options 744 * @kern_flags: mount option from kernel space or user space 745 * @set_kern_flags: where to store converted mount opts 746 * 747 * Returns 0 on success, an error code on failure 748 * 749 * Allow filesystems with binary mount data to explicitly set Smack mount 750 * labels. 751 */ 752 static int smack_set_mnt_opts(struct super_block *sb, 753 struct security_mnt_opts *opts, 754 unsigned long kern_flags, 755 unsigned long *set_kern_flags) 756 { 757 struct dentry *root = sb->s_root; 758 struct inode *inode = d_backing_inode(root); 759 struct superblock_smack *sp = sb->s_security; 760 struct inode_smack *isp; 761 struct smack_known *skp; 762 int i; 763 int num_opts = opts->num_mnt_opts; 764 int transmute = 0; 765 766 if (sp->smk_flags & SMK_SB_INITIALIZED) 767 return 0; 768 769 if (!smack_privileged(CAP_MAC_ADMIN)) { 770 /* 771 * Unprivileged mounts don't get to specify Smack values. 772 */ 773 if (num_opts) 774 return -EPERM; 775 /* 776 * Unprivileged mounts get root and default from the caller. 777 */ 778 skp = smk_of_current(); 779 sp->smk_root = skp; 780 sp->smk_default = skp; 781 /* 782 * For a handful of fs types with no user-controlled 783 * backing store it's okay to trust security labels 784 * in the filesystem. The rest are untrusted. 785 */ 786 if (sb->s_user_ns != &init_user_ns && 787 sb->s_magic != SYSFS_MAGIC && sb->s_magic != TMPFS_MAGIC && 788 sb->s_magic != RAMFS_MAGIC) { 789 transmute = 1; 790 sp->smk_flags |= SMK_SB_UNTRUSTED; 791 } 792 } 793 794 sp->smk_flags |= SMK_SB_INITIALIZED; 795 796 for (i = 0; i < num_opts; i++) { 797 switch (opts->mnt_opts_flags[i]) { 798 case FSDEFAULT_MNT: 799 skp = smk_import_entry(opts->mnt_opts[i], 0); 800 if (IS_ERR(skp)) 801 return PTR_ERR(skp); 802 sp->smk_default = skp; 803 break; 804 case FSFLOOR_MNT: 805 skp = smk_import_entry(opts->mnt_opts[i], 0); 806 if (IS_ERR(skp)) 807 return PTR_ERR(skp); 808 sp->smk_floor = skp; 809 break; 810 case FSHAT_MNT: 811 skp = smk_import_entry(opts->mnt_opts[i], 0); 812 if (IS_ERR(skp)) 813 return PTR_ERR(skp); 814 sp->smk_hat = skp; 815 break; 816 case FSROOT_MNT: 817 skp = smk_import_entry(opts->mnt_opts[i], 0); 818 if (IS_ERR(skp)) 819 return PTR_ERR(skp); 820 sp->smk_root = skp; 821 break; 822 case FSTRANS_MNT: 823 skp = smk_import_entry(opts->mnt_opts[i], 0); 824 if (IS_ERR(skp)) 825 return PTR_ERR(skp); 826 sp->smk_root = skp; 827 transmute = 1; 828 break; 829 default: 830 break; 831 } 832 } 833 834 /* 835 * Initialize the root inode. 836 */ 837 isp = inode->i_security; 838 if (isp == NULL) { 839 isp = new_inode_smack(sp->smk_root); 840 if (isp == NULL) 841 return -ENOMEM; 842 inode->i_security = isp; 843 } else 844 isp->smk_inode = sp->smk_root; 845 846 if (transmute) 847 isp->smk_flags |= SMK_INODE_TRANSMUTE; 848 849 return 0; 850 } 851 852 /** 853 * smack_sb_kern_mount - Smack specific mount processing 854 * @sb: the file system superblock 855 * @flags: the mount flags 856 * @data: the smack mount options 857 * 858 * Returns 0 on success, an error code on failure 859 */ 860 static int smack_sb_kern_mount(struct super_block *sb, int flags, void *data) 861 { 862 int rc = 0; 863 char *options = data; 864 struct security_mnt_opts opts; 865 866 security_init_mnt_opts(&opts); 867 868 if (!options) 869 goto out; 870 871 rc = smack_parse_opts_str(options, &opts); 872 if (rc) 873 goto out_err; 874 875 out: 876 rc = smack_set_mnt_opts(sb, &opts, 0, NULL); 877 878 out_err: 879 security_free_mnt_opts(&opts); 880 return rc; 881 } 882 883 /** 884 * smack_sb_statfs - Smack check on statfs 885 * @dentry: identifies the file system in question 886 * 887 * Returns 0 if current can read the floor of the filesystem, 888 * and error code otherwise 889 */ 890 static int smack_sb_statfs(struct dentry *dentry) 891 { 892 struct superblock_smack *sbp = dentry->d_sb->s_security; 893 int rc; 894 struct smk_audit_info ad; 895 896 smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_DENTRY); 897 smk_ad_setfield_u_fs_path_dentry(&ad, dentry); 898 899 rc = smk_curacc(sbp->smk_floor, MAY_READ, &ad); 900 rc = smk_bu_current("statfs", sbp->smk_floor, MAY_READ, rc); 901 return rc; 902 } 903 904 /* 905 * BPRM hooks 906 */ 907 908 /** 909 * smack_bprm_set_creds - set creds for exec 910 * @bprm: the exec information 911 * 912 * Returns 0 if it gets a blob, -EPERM if exec forbidden and -ENOMEM otherwise 913 */ 914 static int smack_bprm_set_creds(struct linux_binprm *bprm) 915 { 916 struct inode *inode = file_inode(bprm->file); 917 struct task_smack *bsp = bprm->cred->security; 918 struct inode_smack *isp; 919 struct superblock_smack *sbsp; 920 int rc; 921 922 if (bprm->cred_prepared) 923 return 0; 924 925 isp = inode->i_security; 926 if (isp->smk_task == NULL || isp->smk_task == bsp->smk_task) 927 return 0; 928 929 sbsp = inode->i_sb->s_security; 930 if ((sbsp->smk_flags & SMK_SB_UNTRUSTED) && 931 isp->smk_task != sbsp->smk_root) 932 return 0; 933 934 if (bprm->unsafe & LSM_UNSAFE_PTRACE) { 935 struct task_struct *tracer; 936 rc = 0; 937 938 rcu_read_lock(); 939 tracer = ptrace_parent(current); 940 if (likely(tracer != NULL)) 941 rc = smk_ptrace_rule_check(tracer, 942 isp->smk_task, 943 PTRACE_MODE_ATTACH, 944 __func__); 945 rcu_read_unlock(); 946 947 if (rc != 0) 948 return rc; 949 } else if (bprm->unsafe) 950 return -EPERM; 951 952 bsp->smk_task = isp->smk_task; 953 bprm->per_clear |= PER_CLEAR_ON_SETID; 954 955 return 0; 956 } 957 958 /** 959 * smack_bprm_committing_creds - Prepare to install the new credentials 960 * from bprm. 961 * 962 * @bprm: binprm for exec 963 */ 964 static void smack_bprm_committing_creds(struct linux_binprm *bprm) 965 { 966 struct task_smack *bsp = bprm->cred->security; 967 968 if (bsp->smk_task != bsp->smk_forked) 969 current->pdeath_signal = 0; 970 } 971 972 /** 973 * smack_bprm_secureexec - Return the decision to use secureexec. 974 * @bprm: binprm for exec 975 * 976 * Returns 0 on success. 977 */ 978 static int smack_bprm_secureexec(struct linux_binprm *bprm) 979 { 980 struct task_smack *tsp = current_security(); 981 982 if (tsp->smk_task != tsp->smk_forked) 983 return 1; 984 985 return 0; 986 } 987 988 /* 989 * Inode hooks 990 */ 991 992 /** 993 * smack_inode_alloc_security - allocate an inode blob 994 * @inode: the inode in need of a blob 995 * 996 * Returns 0 if it gets a blob, -ENOMEM otherwise 997 */ 998 static int smack_inode_alloc_security(struct inode *inode) 999 { 1000 struct smack_known *skp = smk_of_current(); 1001 1002 inode->i_security = new_inode_smack(skp); 1003 if (inode->i_security == NULL) 1004 return -ENOMEM; 1005 return 0; 1006 } 1007 1008 /** 1009 * smack_inode_free_rcu - Free inode_smack blob from cache 1010 * @head: the rcu_head for getting inode_smack pointer 1011 * 1012 * Call back function called from call_rcu() to free 1013 * the i_security blob pointer in inode 1014 */ 1015 static void smack_inode_free_rcu(struct rcu_head *head) 1016 { 1017 struct inode_smack *issp; 1018 1019 issp = container_of(head, struct inode_smack, smk_rcu); 1020 kmem_cache_free(smack_inode_cache, issp); 1021 } 1022 1023 /** 1024 * smack_inode_free_security - free an inode blob using call_rcu() 1025 * @inode: the inode with a blob 1026 * 1027 * Clears the blob pointer in inode using RCU 1028 */ 1029 static void smack_inode_free_security(struct inode *inode) 1030 { 1031 struct inode_smack *issp = inode->i_security; 1032 1033 /* 1034 * The inode may still be referenced in a path walk and 1035 * a call to smack_inode_permission() can be made 1036 * after smack_inode_free_security() is called. 1037 * To avoid race condition free the i_security via RCU 1038 * and leave the current inode->i_security pointer intact. 1039 * The inode will be freed after the RCU grace period too. 1040 */ 1041 call_rcu(&issp->smk_rcu, smack_inode_free_rcu); 1042 } 1043 1044 /** 1045 * smack_inode_init_security - copy out the smack from an inode 1046 * @inode: the newly created inode 1047 * @dir: containing directory object 1048 * @qstr: unused 1049 * @name: where to put the attribute name 1050 * @value: where to put the attribute value 1051 * @len: where to put the length of the attribute 1052 * 1053 * Returns 0 if it all works out, -ENOMEM if there's no memory 1054 */ 1055 static int smack_inode_init_security(struct inode *inode, struct inode *dir, 1056 const struct qstr *qstr, const char **name, 1057 void **value, size_t *len) 1058 { 1059 struct inode_smack *issp = inode->i_security; 1060 struct smack_known *skp = smk_of_current(); 1061 struct smack_known *isp = smk_of_inode(inode); 1062 struct smack_known *dsp = smk_of_inode(dir); 1063 int may; 1064 1065 if (name) 1066 *name = XATTR_SMACK_SUFFIX; 1067 1068 if (value && len) { 1069 rcu_read_lock(); 1070 may = smk_access_entry(skp->smk_known, dsp->smk_known, 1071 &skp->smk_rules); 1072 rcu_read_unlock(); 1073 1074 /* 1075 * If the access rule allows transmutation and 1076 * the directory requests transmutation then 1077 * by all means transmute. 1078 * Mark the inode as changed. 1079 */ 1080 if (may > 0 && ((may & MAY_TRANSMUTE) != 0) && 1081 smk_inode_transmutable(dir)) { 1082 isp = dsp; 1083 issp->smk_flags |= SMK_INODE_CHANGED; 1084 } 1085 1086 *value = kstrdup(isp->smk_known, GFP_NOFS); 1087 if (*value == NULL) 1088 return -ENOMEM; 1089 1090 *len = strlen(isp->smk_known); 1091 } 1092 1093 return 0; 1094 } 1095 1096 /** 1097 * smack_inode_link - Smack check on link 1098 * @old_dentry: the existing object 1099 * @dir: unused 1100 * @new_dentry: the new object 1101 * 1102 * Returns 0 if access is permitted, an error code otherwise 1103 */ 1104 static int smack_inode_link(struct dentry *old_dentry, struct inode *dir, 1105 struct dentry *new_dentry) 1106 { 1107 struct smack_known *isp; 1108 struct smk_audit_info ad; 1109 int rc; 1110 1111 smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_DENTRY); 1112 smk_ad_setfield_u_fs_path_dentry(&ad, old_dentry); 1113 1114 isp = smk_of_inode(d_backing_inode(old_dentry)); 1115 rc = smk_curacc(isp, MAY_WRITE, &ad); 1116 rc = smk_bu_inode(d_backing_inode(old_dentry), MAY_WRITE, rc); 1117 1118 if (rc == 0 && d_is_positive(new_dentry)) { 1119 isp = smk_of_inode(d_backing_inode(new_dentry)); 1120 smk_ad_setfield_u_fs_path_dentry(&ad, new_dentry); 1121 rc = smk_curacc(isp, MAY_WRITE, &ad); 1122 rc = smk_bu_inode(d_backing_inode(new_dentry), MAY_WRITE, rc); 1123 } 1124 1125 return rc; 1126 } 1127 1128 /** 1129 * smack_inode_unlink - Smack check on inode deletion 1130 * @dir: containing directory object 1131 * @dentry: file to unlink 1132 * 1133 * Returns 0 if current can write the containing directory 1134 * and the object, error code otherwise 1135 */ 1136 static int smack_inode_unlink(struct inode *dir, struct dentry *dentry) 1137 { 1138 struct inode *ip = d_backing_inode(dentry); 1139 struct smk_audit_info ad; 1140 int rc; 1141 1142 smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_DENTRY); 1143 smk_ad_setfield_u_fs_path_dentry(&ad, dentry); 1144 1145 /* 1146 * You need write access to the thing you're unlinking 1147 */ 1148 rc = smk_curacc(smk_of_inode(ip), MAY_WRITE, &ad); 1149 rc = smk_bu_inode(ip, MAY_WRITE, rc); 1150 if (rc == 0) { 1151 /* 1152 * You also need write access to the containing directory 1153 */ 1154 smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_INODE); 1155 smk_ad_setfield_u_fs_inode(&ad, dir); 1156 rc = smk_curacc(smk_of_inode(dir), MAY_WRITE, &ad); 1157 rc = smk_bu_inode(dir, MAY_WRITE, rc); 1158 } 1159 return rc; 1160 } 1161 1162 /** 1163 * smack_inode_rmdir - Smack check on directory deletion 1164 * @dir: containing directory object 1165 * @dentry: directory to unlink 1166 * 1167 * Returns 0 if current can write the containing directory 1168 * and the directory, error code otherwise 1169 */ 1170 static int smack_inode_rmdir(struct inode *dir, struct dentry *dentry) 1171 { 1172 struct smk_audit_info ad; 1173 int rc; 1174 1175 smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_DENTRY); 1176 smk_ad_setfield_u_fs_path_dentry(&ad, dentry); 1177 1178 /* 1179 * You need write access to the thing you're removing 1180 */ 1181 rc = smk_curacc(smk_of_inode(d_backing_inode(dentry)), MAY_WRITE, &ad); 1182 rc = smk_bu_inode(d_backing_inode(dentry), MAY_WRITE, rc); 1183 if (rc == 0) { 1184 /* 1185 * You also need write access to the containing directory 1186 */ 1187 smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_INODE); 1188 smk_ad_setfield_u_fs_inode(&ad, dir); 1189 rc = smk_curacc(smk_of_inode(dir), MAY_WRITE, &ad); 1190 rc = smk_bu_inode(dir, MAY_WRITE, rc); 1191 } 1192 1193 return rc; 1194 } 1195 1196 /** 1197 * smack_inode_rename - Smack check on rename 1198 * @old_inode: unused 1199 * @old_dentry: the old object 1200 * @new_inode: unused 1201 * @new_dentry: the new object 1202 * 1203 * Read and write access is required on both the old and 1204 * new directories. 1205 * 1206 * Returns 0 if access is permitted, an error code otherwise 1207 */ 1208 static int smack_inode_rename(struct inode *old_inode, 1209 struct dentry *old_dentry, 1210 struct inode *new_inode, 1211 struct dentry *new_dentry) 1212 { 1213 int rc; 1214 struct smack_known *isp; 1215 struct smk_audit_info ad; 1216 1217 smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_DENTRY); 1218 smk_ad_setfield_u_fs_path_dentry(&ad, old_dentry); 1219 1220 isp = smk_of_inode(d_backing_inode(old_dentry)); 1221 rc = smk_curacc(isp, MAY_READWRITE, &ad); 1222 rc = smk_bu_inode(d_backing_inode(old_dentry), MAY_READWRITE, rc); 1223 1224 if (rc == 0 && d_is_positive(new_dentry)) { 1225 isp = smk_of_inode(d_backing_inode(new_dentry)); 1226 smk_ad_setfield_u_fs_path_dentry(&ad, new_dentry); 1227 rc = smk_curacc(isp, MAY_READWRITE, &ad); 1228 rc = smk_bu_inode(d_backing_inode(new_dentry), MAY_READWRITE, rc); 1229 } 1230 return rc; 1231 } 1232 1233 /** 1234 * smack_inode_permission - Smack version of permission() 1235 * @inode: the inode in question 1236 * @mask: the access requested 1237 * 1238 * This is the important Smack hook. 1239 * 1240 * Returns 0 if access is permitted, -EACCES otherwise 1241 */ 1242 static int smack_inode_permission(struct inode *inode, int mask) 1243 { 1244 struct superblock_smack *sbsp = inode->i_sb->s_security; 1245 struct smk_audit_info ad; 1246 int no_block = mask & MAY_NOT_BLOCK; 1247 int rc; 1248 1249 mask &= (MAY_READ|MAY_WRITE|MAY_EXEC|MAY_APPEND); 1250 /* 1251 * No permission to check. Existence test. Yup, it's there. 1252 */ 1253 if (mask == 0) 1254 return 0; 1255 1256 if (sbsp->smk_flags & SMK_SB_UNTRUSTED) { 1257 if (smk_of_inode(inode) != sbsp->smk_root) 1258 return -EACCES; 1259 } 1260 1261 /* May be droppable after audit */ 1262 if (no_block) 1263 return -ECHILD; 1264 smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_INODE); 1265 smk_ad_setfield_u_fs_inode(&ad, inode); 1266 rc = smk_curacc(smk_of_inode(inode), mask, &ad); 1267 rc = smk_bu_inode(inode, mask, rc); 1268 return rc; 1269 } 1270 1271 /** 1272 * smack_inode_setattr - Smack check for setting attributes 1273 * @dentry: the object 1274 * @iattr: for the force flag 1275 * 1276 * Returns 0 if access is permitted, an error code otherwise 1277 */ 1278 static int smack_inode_setattr(struct dentry *dentry, struct iattr *iattr) 1279 { 1280 struct smk_audit_info ad; 1281 int rc; 1282 1283 /* 1284 * Need to allow for clearing the setuid bit. 1285 */ 1286 if (iattr->ia_valid & ATTR_FORCE) 1287 return 0; 1288 smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_DENTRY); 1289 smk_ad_setfield_u_fs_path_dentry(&ad, dentry); 1290 1291 rc = smk_curacc(smk_of_inode(d_backing_inode(dentry)), MAY_WRITE, &ad); 1292 rc = smk_bu_inode(d_backing_inode(dentry), MAY_WRITE, rc); 1293 return rc; 1294 } 1295 1296 /** 1297 * smack_inode_getattr - Smack check for getting attributes 1298 * @mnt: vfsmount of the object 1299 * @dentry: the object 1300 * 1301 * Returns 0 if access is permitted, an error code otherwise 1302 */ 1303 static int smack_inode_getattr(const struct path *path) 1304 { 1305 struct smk_audit_info ad; 1306 struct inode *inode = d_backing_inode(path->dentry); 1307 int rc; 1308 1309 smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_PATH); 1310 smk_ad_setfield_u_fs_path(&ad, *path); 1311 rc = smk_curacc(smk_of_inode(inode), MAY_READ, &ad); 1312 rc = smk_bu_inode(inode, MAY_READ, rc); 1313 return rc; 1314 } 1315 1316 /** 1317 * smack_inode_setxattr - Smack check for setting xattrs 1318 * @dentry: the object 1319 * @name: name of the attribute 1320 * @value: value of the attribute 1321 * @size: size of the value 1322 * @flags: unused 1323 * 1324 * This protects the Smack attribute explicitly. 1325 * 1326 * Returns 0 if access is permitted, an error code otherwise 1327 */ 1328 static int smack_inode_setxattr(struct dentry *dentry, const char *name, 1329 const void *value, size_t size, int flags) 1330 { 1331 struct smk_audit_info ad; 1332 struct smack_known *skp; 1333 int check_priv = 0; 1334 int check_import = 0; 1335 int check_star = 0; 1336 int rc = 0; 1337 1338 /* 1339 * Check label validity here so import won't fail in post_setxattr 1340 */ 1341 if (strcmp(name, XATTR_NAME_SMACK) == 0 || 1342 strcmp(name, XATTR_NAME_SMACKIPIN) == 0 || 1343 strcmp(name, XATTR_NAME_SMACKIPOUT) == 0) { 1344 check_priv = 1; 1345 check_import = 1; 1346 } else if (strcmp(name, XATTR_NAME_SMACKEXEC) == 0 || 1347 strcmp(name, XATTR_NAME_SMACKMMAP) == 0) { 1348 check_priv = 1; 1349 check_import = 1; 1350 check_star = 1; 1351 } else if (strcmp(name, XATTR_NAME_SMACKTRANSMUTE) == 0) { 1352 check_priv = 1; 1353 if (size != TRANS_TRUE_SIZE || 1354 strncmp(value, TRANS_TRUE, TRANS_TRUE_SIZE) != 0) 1355 rc = -EINVAL; 1356 } else 1357 rc = cap_inode_setxattr(dentry, name, value, size, flags); 1358 1359 if (check_priv && !smack_privileged(CAP_MAC_ADMIN)) 1360 rc = -EPERM; 1361 1362 if (rc == 0 && check_import) { 1363 skp = size ? smk_import_entry(value, size) : NULL; 1364 if (IS_ERR(skp)) 1365 rc = PTR_ERR(skp); 1366 else if (skp == NULL || (check_star && 1367 (skp == &smack_known_star || skp == &smack_known_web))) 1368 rc = -EINVAL; 1369 } 1370 1371 smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_DENTRY); 1372 smk_ad_setfield_u_fs_path_dentry(&ad, dentry); 1373 1374 if (rc == 0) { 1375 rc = smk_curacc(smk_of_inode(d_backing_inode(dentry)), MAY_WRITE, &ad); 1376 rc = smk_bu_inode(d_backing_inode(dentry), MAY_WRITE, rc); 1377 } 1378 1379 return rc; 1380 } 1381 1382 /** 1383 * smack_inode_post_setxattr - Apply the Smack update approved above 1384 * @dentry: object 1385 * @name: attribute name 1386 * @value: attribute value 1387 * @size: attribute size 1388 * @flags: unused 1389 * 1390 * Set the pointer in the inode blob to the entry found 1391 * in the master label list. 1392 */ 1393 static void smack_inode_post_setxattr(struct dentry *dentry, const char *name, 1394 const void *value, size_t size, int flags) 1395 { 1396 struct smack_known *skp; 1397 struct inode_smack *isp = d_backing_inode(dentry)->i_security; 1398 1399 if (strcmp(name, XATTR_NAME_SMACKTRANSMUTE) == 0) { 1400 isp->smk_flags |= SMK_INODE_TRANSMUTE; 1401 return; 1402 } 1403 1404 if (strcmp(name, XATTR_NAME_SMACK) == 0) { 1405 skp = smk_import_entry(value, size); 1406 if (!IS_ERR(skp)) 1407 isp->smk_inode = skp; 1408 } else if (strcmp(name, XATTR_NAME_SMACKEXEC) == 0) { 1409 skp = smk_import_entry(value, size); 1410 if (!IS_ERR(skp)) 1411 isp->smk_task = skp; 1412 } else if (strcmp(name, XATTR_NAME_SMACKMMAP) == 0) { 1413 skp = smk_import_entry(value, size); 1414 if (!IS_ERR(skp)) 1415 isp->smk_mmap = skp; 1416 } 1417 1418 return; 1419 } 1420 1421 /** 1422 * smack_inode_getxattr - Smack check on getxattr 1423 * @dentry: the object 1424 * @name: unused 1425 * 1426 * Returns 0 if access is permitted, an error code otherwise 1427 */ 1428 static int smack_inode_getxattr(struct dentry *dentry, const char *name) 1429 { 1430 struct smk_audit_info ad; 1431 int rc; 1432 1433 smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_DENTRY); 1434 smk_ad_setfield_u_fs_path_dentry(&ad, dentry); 1435 1436 rc = smk_curacc(smk_of_inode(d_backing_inode(dentry)), MAY_READ, &ad); 1437 rc = smk_bu_inode(d_backing_inode(dentry), MAY_READ, rc); 1438 return rc; 1439 } 1440 1441 /** 1442 * smack_inode_removexattr - Smack check on removexattr 1443 * @dentry: the object 1444 * @name: name of the attribute 1445 * 1446 * Removing the Smack attribute requires CAP_MAC_ADMIN 1447 * 1448 * Returns 0 if access is permitted, an error code otherwise 1449 */ 1450 static int smack_inode_removexattr(struct dentry *dentry, const char *name) 1451 { 1452 struct inode_smack *isp; 1453 struct smk_audit_info ad; 1454 int rc = 0; 1455 1456 if (strcmp(name, XATTR_NAME_SMACK) == 0 || 1457 strcmp(name, XATTR_NAME_SMACKIPIN) == 0 || 1458 strcmp(name, XATTR_NAME_SMACKIPOUT) == 0 || 1459 strcmp(name, XATTR_NAME_SMACKEXEC) == 0 || 1460 strcmp(name, XATTR_NAME_SMACKTRANSMUTE) == 0 || 1461 strcmp(name, XATTR_NAME_SMACKMMAP) == 0) { 1462 if (!smack_privileged(CAP_MAC_ADMIN)) 1463 rc = -EPERM; 1464 } else 1465 rc = cap_inode_removexattr(dentry, name); 1466 1467 if (rc != 0) 1468 return rc; 1469 1470 smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_DENTRY); 1471 smk_ad_setfield_u_fs_path_dentry(&ad, dentry); 1472 1473 rc = smk_curacc(smk_of_inode(d_backing_inode(dentry)), MAY_WRITE, &ad); 1474 rc = smk_bu_inode(d_backing_inode(dentry), MAY_WRITE, rc); 1475 if (rc != 0) 1476 return rc; 1477 1478 isp = d_backing_inode(dentry)->i_security; 1479 /* 1480 * Don't do anything special for these. 1481 * XATTR_NAME_SMACKIPIN 1482 * XATTR_NAME_SMACKIPOUT 1483 */ 1484 if (strcmp(name, XATTR_NAME_SMACK) == 0) { 1485 struct super_block *sbp = dentry->d_sb; 1486 struct superblock_smack *sbsp = sbp->s_security; 1487 1488 isp->smk_inode = sbsp->smk_default; 1489 } else if (strcmp(name, XATTR_NAME_SMACKEXEC) == 0) 1490 isp->smk_task = NULL; 1491 else if (strcmp(name, XATTR_NAME_SMACKMMAP) == 0) 1492 isp->smk_mmap = NULL; 1493 else if (strcmp(name, XATTR_NAME_SMACKTRANSMUTE) == 0) 1494 isp->smk_flags &= ~SMK_INODE_TRANSMUTE; 1495 1496 return 0; 1497 } 1498 1499 /** 1500 * smack_inode_getsecurity - get smack xattrs 1501 * @inode: the object 1502 * @name: attribute name 1503 * @buffer: where to put the result 1504 * @alloc: unused 1505 * 1506 * Returns the size of the attribute or an error code 1507 */ 1508 static int smack_inode_getsecurity(struct inode *inode, 1509 const char *name, void **buffer, 1510 bool alloc) 1511 { 1512 struct socket_smack *ssp; 1513 struct socket *sock; 1514 struct super_block *sbp; 1515 struct inode *ip = (struct inode *)inode; 1516 struct smack_known *isp; 1517 int ilen; 1518 int rc = 0; 1519 1520 if (strcmp(name, XATTR_SMACK_SUFFIX) == 0) { 1521 isp = smk_of_inode(inode); 1522 ilen = strlen(isp->smk_known); 1523 *buffer = isp->smk_known; 1524 return ilen; 1525 } 1526 1527 /* 1528 * The rest of the Smack xattrs are only on sockets. 1529 */ 1530 sbp = ip->i_sb; 1531 if (sbp->s_magic != SOCKFS_MAGIC) 1532 return -EOPNOTSUPP; 1533 1534 sock = SOCKET_I(ip); 1535 if (sock == NULL || sock->sk == NULL) 1536 return -EOPNOTSUPP; 1537 1538 ssp = sock->sk->sk_security; 1539 1540 if (strcmp(name, XATTR_SMACK_IPIN) == 0) 1541 isp = ssp->smk_in; 1542 else if (strcmp(name, XATTR_SMACK_IPOUT) == 0) 1543 isp = ssp->smk_out; 1544 else 1545 return -EOPNOTSUPP; 1546 1547 ilen = strlen(isp->smk_known); 1548 if (rc == 0) { 1549 *buffer = isp->smk_known; 1550 rc = ilen; 1551 } 1552 1553 return rc; 1554 } 1555 1556 1557 /** 1558 * smack_inode_listsecurity - list the Smack attributes 1559 * @inode: the object 1560 * @buffer: where they go 1561 * @buffer_size: size of buffer 1562 */ 1563 static int smack_inode_listsecurity(struct inode *inode, char *buffer, 1564 size_t buffer_size) 1565 { 1566 int len = sizeof(XATTR_NAME_SMACK); 1567 1568 if (buffer != NULL && len <= buffer_size) 1569 memcpy(buffer, XATTR_NAME_SMACK, len); 1570 1571 return len; 1572 } 1573 1574 /** 1575 * smack_inode_getsecid - Extract inode's security id 1576 * @inode: inode to extract the info from 1577 * @secid: where result will be saved 1578 */ 1579 static void smack_inode_getsecid(struct inode *inode, u32 *secid) 1580 { 1581 struct inode_smack *isp = inode->i_security; 1582 1583 *secid = isp->smk_inode->smk_secid; 1584 } 1585 1586 /* 1587 * File Hooks 1588 */ 1589 1590 /* 1591 * There is no smack_file_permission hook 1592 * 1593 * Should access checks be done on each read or write? 1594 * UNICOS and SELinux say yes. 1595 * Trusted Solaris, Trusted Irix, and just about everyone else says no. 1596 * 1597 * I'll say no for now. Smack does not do the frequent 1598 * label changing that SELinux does. 1599 */ 1600 1601 /** 1602 * smack_file_alloc_security - assign a file security blob 1603 * @file: the object 1604 * 1605 * The security blob for a file is a pointer to the master 1606 * label list, so no allocation is done. 1607 * 1608 * f_security is the owner security information. It 1609 * isn't used on file access checks, it's for send_sigio. 1610 * 1611 * Returns 0 1612 */ 1613 static int smack_file_alloc_security(struct file *file) 1614 { 1615 struct smack_known *skp = smk_of_current(); 1616 1617 file->f_security = skp; 1618 return 0; 1619 } 1620 1621 /** 1622 * smack_file_free_security - clear a file security blob 1623 * @file: the object 1624 * 1625 * The security blob for a file is a pointer to the master 1626 * label list, so no memory is freed. 1627 */ 1628 static void smack_file_free_security(struct file *file) 1629 { 1630 file->f_security = NULL; 1631 } 1632 1633 /** 1634 * smack_file_ioctl - Smack check on ioctls 1635 * @file: the object 1636 * @cmd: what to do 1637 * @arg: unused 1638 * 1639 * Relies heavily on the correct use of the ioctl command conventions. 1640 * 1641 * Returns 0 if allowed, error code otherwise 1642 */ 1643 static int smack_file_ioctl(struct file *file, unsigned int cmd, 1644 unsigned long arg) 1645 { 1646 int rc = 0; 1647 struct smk_audit_info ad; 1648 struct inode *inode = file_inode(file); 1649 1650 if (unlikely(IS_PRIVATE(inode))) 1651 return 0; 1652 1653 smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_PATH); 1654 smk_ad_setfield_u_fs_path(&ad, file->f_path); 1655 1656 if (_IOC_DIR(cmd) & _IOC_WRITE) { 1657 rc = smk_curacc(smk_of_inode(inode), MAY_WRITE, &ad); 1658 rc = smk_bu_file(file, MAY_WRITE, rc); 1659 } 1660 1661 if (rc == 0 && (_IOC_DIR(cmd) & _IOC_READ)) { 1662 rc = smk_curacc(smk_of_inode(inode), MAY_READ, &ad); 1663 rc = smk_bu_file(file, MAY_READ, rc); 1664 } 1665 1666 return rc; 1667 } 1668 1669 /** 1670 * smack_file_lock - Smack check on file locking 1671 * @file: the object 1672 * @cmd: unused 1673 * 1674 * Returns 0 if current has lock access, error code otherwise 1675 */ 1676 static int smack_file_lock(struct file *file, unsigned int cmd) 1677 { 1678 struct smk_audit_info ad; 1679 int rc; 1680 struct inode *inode = file_inode(file); 1681 1682 if (unlikely(IS_PRIVATE(inode))) 1683 return 0; 1684 1685 smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_PATH); 1686 smk_ad_setfield_u_fs_path(&ad, file->f_path); 1687 rc = smk_curacc(smk_of_inode(inode), MAY_LOCK, &ad); 1688 rc = smk_bu_file(file, MAY_LOCK, rc); 1689 return rc; 1690 } 1691 1692 /** 1693 * smack_file_fcntl - Smack check on fcntl 1694 * @file: the object 1695 * @cmd: what action to check 1696 * @arg: unused 1697 * 1698 * Generally these operations are harmless. 1699 * File locking operations present an obvious mechanism 1700 * for passing information, so they require write access. 1701 * 1702 * Returns 0 if current has access, error code otherwise 1703 */ 1704 static int smack_file_fcntl(struct file *file, unsigned int cmd, 1705 unsigned long arg) 1706 { 1707 struct smk_audit_info ad; 1708 int rc = 0; 1709 struct inode *inode = file_inode(file); 1710 1711 if (unlikely(IS_PRIVATE(inode))) 1712 return 0; 1713 1714 switch (cmd) { 1715 case F_GETLK: 1716 break; 1717 case F_SETLK: 1718 case F_SETLKW: 1719 smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_PATH); 1720 smk_ad_setfield_u_fs_path(&ad, file->f_path); 1721 rc = smk_curacc(smk_of_inode(inode), MAY_LOCK, &ad); 1722 rc = smk_bu_file(file, MAY_LOCK, rc); 1723 break; 1724 case F_SETOWN: 1725 case F_SETSIG: 1726 smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_PATH); 1727 smk_ad_setfield_u_fs_path(&ad, file->f_path); 1728 rc = smk_curacc(smk_of_inode(inode), MAY_WRITE, &ad); 1729 rc = smk_bu_file(file, MAY_WRITE, rc); 1730 break; 1731 default: 1732 break; 1733 } 1734 1735 return rc; 1736 } 1737 1738 /** 1739 * smack_mmap_file : 1740 * Check permissions for a mmap operation. The @file may be NULL, e.g. 1741 * if mapping anonymous memory. 1742 * @file contains the file structure for file to map (may be NULL). 1743 * @reqprot contains the protection requested by the application. 1744 * @prot contains the protection that will be applied by the kernel. 1745 * @flags contains the operational flags. 1746 * Return 0 if permission is granted. 1747 */ 1748 static int smack_mmap_file(struct file *file, 1749 unsigned long reqprot, unsigned long prot, 1750 unsigned long flags) 1751 { 1752 struct smack_known *skp; 1753 struct smack_known *mkp; 1754 struct smack_rule *srp; 1755 struct task_smack *tsp; 1756 struct smack_known *okp; 1757 struct inode_smack *isp; 1758 struct superblock_smack *sbsp; 1759 int may; 1760 int mmay; 1761 int tmay; 1762 int rc; 1763 1764 if (file == NULL) 1765 return 0; 1766 1767 if (unlikely(IS_PRIVATE(file_inode(file)))) 1768 return 0; 1769 1770 isp = file_inode(file)->i_security; 1771 if (isp->smk_mmap == NULL) 1772 return 0; 1773 sbsp = file_inode(file)->i_sb->s_security; 1774 if (sbsp->smk_flags & SMK_SB_UNTRUSTED && 1775 isp->smk_mmap != sbsp->smk_root) 1776 return -EACCES; 1777 mkp = isp->smk_mmap; 1778 1779 tsp = current_security(); 1780 skp = smk_of_current(); 1781 rc = 0; 1782 1783 rcu_read_lock(); 1784 /* 1785 * For each Smack rule associated with the subject 1786 * label verify that the SMACK64MMAP also has access 1787 * to that rule's object label. 1788 */ 1789 list_for_each_entry_rcu(srp, &skp->smk_rules, list) { 1790 okp = srp->smk_object; 1791 /* 1792 * Matching labels always allows access. 1793 */ 1794 if (mkp->smk_known == okp->smk_known) 1795 continue; 1796 /* 1797 * If there is a matching local rule take 1798 * that into account as well. 1799 */ 1800 may = smk_access_entry(srp->smk_subject->smk_known, 1801 okp->smk_known, 1802 &tsp->smk_rules); 1803 if (may == -ENOENT) 1804 may = srp->smk_access; 1805 else 1806 may &= srp->smk_access; 1807 /* 1808 * If may is zero the SMACK64MMAP subject can't 1809 * possibly have less access. 1810 */ 1811 if (may == 0) 1812 continue; 1813 1814 /* 1815 * Fetch the global list entry. 1816 * If there isn't one a SMACK64MMAP subject 1817 * can't have as much access as current. 1818 */ 1819 mmay = smk_access_entry(mkp->smk_known, okp->smk_known, 1820 &mkp->smk_rules); 1821 if (mmay == -ENOENT) { 1822 rc = -EACCES; 1823 break; 1824 } 1825 /* 1826 * If there is a local entry it modifies the 1827 * potential access, too. 1828 */ 1829 tmay = smk_access_entry(mkp->smk_known, okp->smk_known, 1830 &tsp->smk_rules); 1831 if (tmay != -ENOENT) 1832 mmay &= tmay; 1833 1834 /* 1835 * If there is any access available to current that is 1836 * not available to a SMACK64MMAP subject 1837 * deny access. 1838 */ 1839 if ((may | mmay) != mmay) { 1840 rc = -EACCES; 1841 break; 1842 } 1843 } 1844 1845 rcu_read_unlock(); 1846 1847 return rc; 1848 } 1849 1850 /** 1851 * smack_file_set_fowner - set the file security blob value 1852 * @file: object in question 1853 * 1854 */ 1855 static void smack_file_set_fowner(struct file *file) 1856 { 1857 file->f_security = smk_of_current(); 1858 } 1859 1860 /** 1861 * smack_file_send_sigiotask - Smack on sigio 1862 * @tsk: The target task 1863 * @fown: the object the signal come from 1864 * @signum: unused 1865 * 1866 * Allow a privileged task to get signals even if it shouldn't 1867 * 1868 * Returns 0 if a subject with the object's smack could 1869 * write to the task, an error code otherwise. 1870 */ 1871 static int smack_file_send_sigiotask(struct task_struct *tsk, 1872 struct fown_struct *fown, int signum) 1873 { 1874 struct smack_known *skp; 1875 struct smack_known *tkp = smk_of_task(tsk->cred->security); 1876 struct file *file; 1877 int rc; 1878 struct smk_audit_info ad; 1879 1880 /* 1881 * struct fown_struct is never outside the context of a struct file 1882 */ 1883 file = container_of(fown, struct file, f_owner); 1884 1885 /* we don't log here as rc can be overriden */ 1886 skp = file->f_security; 1887 rc = smk_access(skp, tkp, MAY_DELIVER, NULL); 1888 rc = smk_bu_note("sigiotask", skp, tkp, MAY_DELIVER, rc); 1889 if (rc != 0 && has_capability(tsk, CAP_MAC_OVERRIDE)) 1890 rc = 0; 1891 1892 smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_TASK); 1893 smk_ad_setfield_u_tsk(&ad, tsk); 1894 smack_log(skp->smk_known, tkp->smk_known, MAY_DELIVER, rc, &ad); 1895 return rc; 1896 } 1897 1898 /** 1899 * smack_file_receive - Smack file receive check 1900 * @file: the object 1901 * 1902 * Returns 0 if current has access, error code otherwise 1903 */ 1904 static int smack_file_receive(struct file *file) 1905 { 1906 int rc; 1907 int may = 0; 1908 struct smk_audit_info ad; 1909 struct inode *inode = file_inode(file); 1910 struct socket *sock; 1911 struct task_smack *tsp; 1912 struct socket_smack *ssp; 1913 1914 if (unlikely(IS_PRIVATE(inode))) 1915 return 0; 1916 1917 smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_PATH); 1918 smk_ad_setfield_u_fs_path(&ad, file->f_path); 1919 1920 if (S_ISSOCK(inode->i_mode)) { 1921 sock = SOCKET_I(inode); 1922 ssp = sock->sk->sk_security; 1923 tsp = current_security(); 1924 /* 1925 * If the receiving process can't write to the 1926 * passed socket or if the passed socket can't 1927 * write to the receiving process don't accept 1928 * the passed socket. 1929 */ 1930 rc = smk_access(tsp->smk_task, ssp->smk_out, MAY_WRITE, &ad); 1931 rc = smk_bu_file(file, may, rc); 1932 if (rc < 0) 1933 return rc; 1934 rc = smk_access(ssp->smk_in, tsp->smk_task, MAY_WRITE, &ad); 1935 rc = smk_bu_file(file, may, rc); 1936 return rc; 1937 } 1938 /* 1939 * This code relies on bitmasks. 1940 */ 1941 if (file->f_mode & FMODE_READ) 1942 may = MAY_READ; 1943 if (file->f_mode & FMODE_WRITE) 1944 may |= MAY_WRITE; 1945 1946 rc = smk_curacc(smk_of_inode(inode), may, &ad); 1947 rc = smk_bu_file(file, may, rc); 1948 return rc; 1949 } 1950 1951 /** 1952 * smack_file_open - Smack dentry open processing 1953 * @file: the object 1954 * @cred: task credential 1955 * 1956 * Set the security blob in the file structure. 1957 * Allow the open only if the task has read access. There are 1958 * many read operations (e.g. fstat) that you can do with an 1959 * fd even if you have the file open write-only. 1960 * 1961 * Returns 0 1962 */ 1963 static int smack_file_open(struct file *file, const struct cred *cred) 1964 { 1965 struct task_smack *tsp = cred->security; 1966 struct inode *inode = file_inode(file); 1967 struct smk_audit_info ad; 1968 int rc; 1969 1970 smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_PATH); 1971 smk_ad_setfield_u_fs_path(&ad, file->f_path); 1972 rc = smk_tskacc(tsp, smk_of_inode(inode), MAY_READ, &ad); 1973 rc = smk_bu_credfile(cred, file, MAY_READ, rc); 1974 1975 return rc; 1976 } 1977 1978 /* 1979 * Task hooks 1980 */ 1981 1982 /** 1983 * smack_cred_alloc_blank - "allocate" blank task-level security credentials 1984 * @new: the new credentials 1985 * @gfp: the atomicity of any memory allocations 1986 * 1987 * Prepare a blank set of credentials for modification. This must allocate all 1988 * the memory the LSM module might require such that cred_transfer() can 1989 * complete without error. 1990 */ 1991 static int smack_cred_alloc_blank(struct cred *cred, gfp_t gfp) 1992 { 1993 struct task_smack *tsp; 1994 1995 tsp = new_task_smack(NULL, NULL, gfp); 1996 if (tsp == NULL) 1997 return -ENOMEM; 1998 1999 cred->security = tsp; 2000 2001 return 0; 2002 } 2003 2004 2005 /** 2006 * smack_cred_free - "free" task-level security credentials 2007 * @cred: the credentials in question 2008 * 2009 */ 2010 static void smack_cred_free(struct cred *cred) 2011 { 2012 struct task_smack *tsp = cred->security; 2013 struct smack_rule *rp; 2014 struct list_head *l; 2015 struct list_head *n; 2016 2017 if (tsp == NULL) 2018 return; 2019 cred->security = NULL; 2020 2021 smk_destroy_label_list(&tsp->smk_relabel); 2022 2023 list_for_each_safe(l, n, &tsp->smk_rules) { 2024 rp = list_entry(l, struct smack_rule, list); 2025 list_del(&rp->list); 2026 kfree(rp); 2027 } 2028 kfree(tsp); 2029 } 2030 2031 /** 2032 * smack_cred_prepare - prepare new set of credentials for modification 2033 * @new: the new credentials 2034 * @old: the original credentials 2035 * @gfp: the atomicity of any memory allocations 2036 * 2037 * Prepare a new set of credentials for modification. 2038 */ 2039 static int smack_cred_prepare(struct cred *new, const struct cred *old, 2040 gfp_t gfp) 2041 { 2042 struct task_smack *old_tsp = old->security; 2043 struct task_smack *new_tsp; 2044 int rc; 2045 2046 new_tsp = new_task_smack(old_tsp->smk_task, old_tsp->smk_task, gfp); 2047 if (new_tsp == NULL) 2048 return -ENOMEM; 2049 2050 new->security = new_tsp; 2051 2052 rc = smk_copy_rules(&new_tsp->smk_rules, &old_tsp->smk_rules, gfp); 2053 if (rc != 0) 2054 return rc; 2055 2056 rc = smk_copy_relabel(&new_tsp->smk_relabel, &old_tsp->smk_relabel, 2057 gfp); 2058 if (rc != 0) 2059 return rc; 2060 2061 return 0; 2062 } 2063 2064 /** 2065 * smack_cred_transfer - Transfer the old credentials to the new credentials 2066 * @new: the new credentials 2067 * @old: the original credentials 2068 * 2069 * Fill in a set of blank credentials from another set of credentials. 2070 */ 2071 static void smack_cred_transfer(struct cred *new, const struct cred *old) 2072 { 2073 struct task_smack *old_tsp = old->security; 2074 struct task_smack *new_tsp = new->security; 2075 2076 new_tsp->smk_task = old_tsp->smk_task; 2077 new_tsp->smk_forked = old_tsp->smk_task; 2078 mutex_init(&new_tsp->smk_rules_lock); 2079 INIT_LIST_HEAD(&new_tsp->smk_rules); 2080 2081 2082 /* cbs copy rule list */ 2083 } 2084 2085 /** 2086 * smack_kernel_act_as - Set the subjective context in a set of credentials 2087 * @new: points to the set of credentials to be modified. 2088 * @secid: specifies the security ID to be set 2089 * 2090 * Set the security data for a kernel service. 2091 */ 2092 static int smack_kernel_act_as(struct cred *new, u32 secid) 2093 { 2094 struct task_smack *new_tsp = new->security; 2095 2096 new_tsp->smk_task = smack_from_secid(secid); 2097 return 0; 2098 } 2099 2100 /** 2101 * smack_kernel_create_files_as - Set the file creation label in a set of creds 2102 * @new: points to the set of credentials to be modified 2103 * @inode: points to the inode to use as a reference 2104 * 2105 * Set the file creation context in a set of credentials to the same 2106 * as the objective context of the specified inode 2107 */ 2108 static int smack_kernel_create_files_as(struct cred *new, 2109 struct inode *inode) 2110 { 2111 struct inode_smack *isp = inode->i_security; 2112 struct task_smack *tsp = new->security; 2113 2114 tsp->smk_forked = isp->smk_inode; 2115 tsp->smk_task = tsp->smk_forked; 2116 return 0; 2117 } 2118 2119 /** 2120 * smk_curacc_on_task - helper to log task related access 2121 * @p: the task object 2122 * @access: the access requested 2123 * @caller: name of the calling function for audit 2124 * 2125 * Return 0 if access is permitted 2126 */ 2127 static int smk_curacc_on_task(struct task_struct *p, int access, 2128 const char *caller) 2129 { 2130 struct smk_audit_info ad; 2131 struct smack_known *skp = smk_of_task_struct(p); 2132 int rc; 2133 2134 smk_ad_init(&ad, caller, LSM_AUDIT_DATA_TASK); 2135 smk_ad_setfield_u_tsk(&ad, p); 2136 rc = smk_curacc(skp, access, &ad); 2137 rc = smk_bu_task(p, access, rc); 2138 return rc; 2139 } 2140 2141 /** 2142 * smack_task_setpgid - Smack check on setting pgid 2143 * @p: the task object 2144 * @pgid: unused 2145 * 2146 * Return 0 if write access is permitted 2147 */ 2148 static int smack_task_setpgid(struct task_struct *p, pid_t pgid) 2149 { 2150 return smk_curacc_on_task(p, MAY_WRITE, __func__); 2151 } 2152 2153 /** 2154 * smack_task_getpgid - Smack access check for getpgid 2155 * @p: the object task 2156 * 2157 * Returns 0 if current can read the object task, error code otherwise 2158 */ 2159 static int smack_task_getpgid(struct task_struct *p) 2160 { 2161 return smk_curacc_on_task(p, MAY_READ, __func__); 2162 } 2163 2164 /** 2165 * smack_task_getsid - Smack access check for getsid 2166 * @p: the object task 2167 * 2168 * Returns 0 if current can read the object task, error code otherwise 2169 */ 2170 static int smack_task_getsid(struct task_struct *p) 2171 { 2172 return smk_curacc_on_task(p, MAY_READ, __func__); 2173 } 2174 2175 /** 2176 * smack_task_getsecid - get the secid of the task 2177 * @p: the object task 2178 * @secid: where to put the result 2179 * 2180 * Sets the secid to contain a u32 version of the smack label. 2181 */ 2182 static void smack_task_getsecid(struct task_struct *p, u32 *secid) 2183 { 2184 struct smack_known *skp = smk_of_task_struct(p); 2185 2186 *secid = skp->smk_secid; 2187 } 2188 2189 /** 2190 * smack_task_setnice - Smack check on setting nice 2191 * @p: the task object 2192 * @nice: unused 2193 * 2194 * Return 0 if write access is permitted 2195 */ 2196 static int smack_task_setnice(struct task_struct *p, int nice) 2197 { 2198 return smk_curacc_on_task(p, MAY_WRITE, __func__); 2199 } 2200 2201 /** 2202 * smack_task_setioprio - Smack check on setting ioprio 2203 * @p: the task object 2204 * @ioprio: unused 2205 * 2206 * Return 0 if write access is permitted 2207 */ 2208 static int smack_task_setioprio(struct task_struct *p, int ioprio) 2209 { 2210 return smk_curacc_on_task(p, MAY_WRITE, __func__); 2211 } 2212 2213 /** 2214 * smack_task_getioprio - Smack check on reading ioprio 2215 * @p: the task object 2216 * 2217 * Return 0 if read access is permitted 2218 */ 2219 static int smack_task_getioprio(struct task_struct *p) 2220 { 2221 return smk_curacc_on_task(p, MAY_READ, __func__); 2222 } 2223 2224 /** 2225 * smack_task_setscheduler - Smack check on setting scheduler 2226 * @p: the task object 2227 * @policy: unused 2228 * @lp: unused 2229 * 2230 * Return 0 if read access is permitted 2231 */ 2232 static int smack_task_setscheduler(struct task_struct *p) 2233 { 2234 return smk_curacc_on_task(p, MAY_WRITE, __func__); 2235 } 2236 2237 /** 2238 * smack_task_getscheduler - Smack check on reading scheduler 2239 * @p: the task object 2240 * 2241 * Return 0 if read access is permitted 2242 */ 2243 static int smack_task_getscheduler(struct task_struct *p) 2244 { 2245 return smk_curacc_on_task(p, MAY_READ, __func__); 2246 } 2247 2248 /** 2249 * smack_task_movememory - Smack check on moving memory 2250 * @p: the task object 2251 * 2252 * Return 0 if write access is permitted 2253 */ 2254 static int smack_task_movememory(struct task_struct *p) 2255 { 2256 return smk_curacc_on_task(p, MAY_WRITE, __func__); 2257 } 2258 2259 /** 2260 * smack_task_kill - Smack check on signal delivery 2261 * @p: the task object 2262 * @info: unused 2263 * @sig: unused 2264 * @secid: identifies the smack to use in lieu of current's 2265 * 2266 * Return 0 if write access is permitted 2267 * 2268 * The secid behavior is an artifact of an SELinux hack 2269 * in the USB code. Someday it may go away. 2270 */ 2271 static int smack_task_kill(struct task_struct *p, struct siginfo *info, 2272 int sig, u32 secid) 2273 { 2274 struct smk_audit_info ad; 2275 struct smack_known *skp; 2276 struct smack_known *tkp = smk_of_task_struct(p); 2277 int rc; 2278 2279 if (!sig) 2280 return 0; /* null signal; existence test */ 2281 2282 smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_TASK); 2283 smk_ad_setfield_u_tsk(&ad, p); 2284 /* 2285 * Sending a signal requires that the sender 2286 * can write the receiver. 2287 */ 2288 if (secid == 0) { 2289 rc = smk_curacc(tkp, MAY_DELIVER, &ad); 2290 rc = smk_bu_task(p, MAY_DELIVER, rc); 2291 return rc; 2292 } 2293 /* 2294 * If the secid isn't 0 we're dealing with some USB IO 2295 * specific behavior. This is not clean. For one thing 2296 * we can't take privilege into account. 2297 */ 2298 skp = smack_from_secid(secid); 2299 rc = smk_access(skp, tkp, MAY_DELIVER, &ad); 2300 rc = smk_bu_note("USB signal", skp, tkp, MAY_DELIVER, rc); 2301 return rc; 2302 } 2303 2304 /** 2305 * smack_task_to_inode - copy task smack into the inode blob 2306 * @p: task to copy from 2307 * @inode: inode to copy to 2308 * 2309 * Sets the smack pointer in the inode security blob 2310 */ 2311 static void smack_task_to_inode(struct task_struct *p, struct inode *inode) 2312 { 2313 struct inode_smack *isp = inode->i_security; 2314 struct smack_known *skp = smk_of_task_struct(p); 2315 2316 isp->smk_inode = skp; 2317 } 2318 2319 /* 2320 * Socket hooks. 2321 */ 2322 2323 /** 2324 * smack_sk_alloc_security - Allocate a socket blob 2325 * @sk: the socket 2326 * @family: unused 2327 * @gfp_flags: memory allocation flags 2328 * 2329 * Assign Smack pointers to current 2330 * 2331 * Returns 0 on success, -ENOMEM is there's no memory 2332 */ 2333 static int smack_sk_alloc_security(struct sock *sk, int family, gfp_t gfp_flags) 2334 { 2335 struct smack_known *skp = smk_of_current(); 2336 struct socket_smack *ssp; 2337 2338 ssp = kzalloc(sizeof(struct socket_smack), gfp_flags); 2339 if (ssp == NULL) 2340 return -ENOMEM; 2341 2342 /* 2343 * Sockets created by kernel threads receive web label. 2344 */ 2345 if (unlikely(current->flags & PF_KTHREAD)) { 2346 ssp->smk_in = &smack_known_web; 2347 ssp->smk_out = &smack_known_web; 2348 } else { 2349 ssp->smk_in = skp; 2350 ssp->smk_out = skp; 2351 } 2352 ssp->smk_packet = NULL; 2353 2354 sk->sk_security = ssp; 2355 2356 return 0; 2357 } 2358 2359 /** 2360 * smack_sk_free_security - Free a socket blob 2361 * @sk: the socket 2362 * 2363 * Clears the blob pointer 2364 */ 2365 static void smack_sk_free_security(struct sock *sk) 2366 { 2367 #ifdef SMACK_IPV6_PORT_LABELING 2368 struct smk_port_label *spp; 2369 2370 if (sk->sk_family == PF_INET6) { 2371 rcu_read_lock(); 2372 list_for_each_entry_rcu(spp, &smk_ipv6_port_list, list) { 2373 if (spp->smk_sock != sk) 2374 continue; 2375 spp->smk_can_reuse = 1; 2376 break; 2377 } 2378 rcu_read_unlock(); 2379 } 2380 #endif 2381 kfree(sk->sk_security); 2382 } 2383 2384 /** 2385 * smack_ipv4host_label - check host based restrictions 2386 * @sip: the object end 2387 * 2388 * looks for host based access restrictions 2389 * 2390 * This version will only be appropriate for really small sets of single label 2391 * hosts. The caller is responsible for ensuring that the RCU read lock is 2392 * taken before calling this function. 2393 * 2394 * Returns the label of the far end or NULL if it's not special. 2395 */ 2396 static struct smack_known *smack_ipv4host_label(struct sockaddr_in *sip) 2397 { 2398 struct smk_net4addr *snp; 2399 struct in_addr *siap = &sip->sin_addr; 2400 2401 if (siap->s_addr == 0) 2402 return NULL; 2403 2404 list_for_each_entry_rcu(snp, &smk_net4addr_list, list) 2405 /* 2406 * we break after finding the first match because 2407 * the list is sorted from longest to shortest mask 2408 * so we have found the most specific match 2409 */ 2410 if (snp->smk_host.s_addr == 2411 (siap->s_addr & snp->smk_mask.s_addr)) 2412 return snp->smk_label; 2413 2414 return NULL; 2415 } 2416 2417 #if IS_ENABLED(CONFIG_IPV6) 2418 /* 2419 * smk_ipv6_localhost - Check for local ipv6 host address 2420 * @sip: the address 2421 * 2422 * Returns boolean true if this is the localhost address 2423 */ 2424 static bool smk_ipv6_localhost(struct sockaddr_in6 *sip) 2425 { 2426 __be16 *be16p = (__be16 *)&sip->sin6_addr; 2427 __be32 *be32p = (__be32 *)&sip->sin6_addr; 2428 2429 if (be32p[0] == 0 && be32p[1] == 0 && be32p[2] == 0 && be16p[6] == 0 && 2430 ntohs(be16p[7]) == 1) 2431 return true; 2432 return false; 2433 } 2434 2435 /** 2436 * smack_ipv6host_label - check host based restrictions 2437 * @sip: the object end 2438 * 2439 * looks for host based access restrictions 2440 * 2441 * This version will only be appropriate for really small sets of single label 2442 * hosts. The caller is responsible for ensuring that the RCU read lock is 2443 * taken before calling this function. 2444 * 2445 * Returns the label of the far end or NULL if it's not special. 2446 */ 2447 static struct smack_known *smack_ipv6host_label(struct sockaddr_in6 *sip) 2448 { 2449 struct smk_net6addr *snp; 2450 struct in6_addr *sap = &sip->sin6_addr; 2451 int i; 2452 int found = 0; 2453 2454 /* 2455 * It's local. Don't look for a host label. 2456 */ 2457 if (smk_ipv6_localhost(sip)) 2458 return NULL; 2459 2460 list_for_each_entry_rcu(snp, &smk_net6addr_list, list) { 2461 /* 2462 * If the label is NULL the entry has 2463 * been renounced. Ignore it. 2464 */ 2465 if (snp->smk_label == NULL) 2466 continue; 2467 /* 2468 * we break after finding the first match because 2469 * the list is sorted from longest to shortest mask 2470 * so we have found the most specific match 2471 */ 2472 for (found = 1, i = 0; i < 8; i++) { 2473 if ((sap->s6_addr16[i] & snp->smk_mask.s6_addr16[i]) != 2474 snp->smk_host.s6_addr16[i]) { 2475 found = 0; 2476 break; 2477 } 2478 } 2479 if (found) 2480 return snp->smk_label; 2481 } 2482 2483 return NULL; 2484 } 2485 #endif /* CONFIG_IPV6 */ 2486 2487 /** 2488 * smack_netlabel - Set the secattr on a socket 2489 * @sk: the socket 2490 * @labeled: socket label scheme 2491 * 2492 * Convert the outbound smack value (smk_out) to a 2493 * secattr and attach it to the socket. 2494 * 2495 * Returns 0 on success or an error code 2496 */ 2497 static int smack_netlabel(struct sock *sk, int labeled) 2498 { 2499 struct smack_known *skp; 2500 struct socket_smack *ssp = sk->sk_security; 2501 int rc = 0; 2502 2503 /* 2504 * Usually the netlabel code will handle changing the 2505 * packet labeling based on the label. 2506 * The case of a single label host is different, because 2507 * a single label host should never get a labeled packet 2508 * even though the label is usually associated with a packet 2509 * label. 2510 */ 2511 local_bh_disable(); 2512 bh_lock_sock_nested(sk); 2513 2514 if (ssp->smk_out == smack_net_ambient || 2515 labeled == SMACK_UNLABELED_SOCKET) 2516 netlbl_sock_delattr(sk); 2517 else { 2518 skp = ssp->smk_out; 2519 rc = netlbl_sock_setattr(sk, sk->sk_family, &skp->smk_netlabel); 2520 } 2521 2522 bh_unlock_sock(sk); 2523 local_bh_enable(); 2524 2525 return rc; 2526 } 2527 2528 /** 2529 * smack_netlbel_send - Set the secattr on a socket and perform access checks 2530 * @sk: the socket 2531 * @sap: the destination address 2532 * 2533 * Set the correct secattr for the given socket based on the destination 2534 * address and perform any outbound access checks needed. 2535 * 2536 * Returns 0 on success or an error code. 2537 * 2538 */ 2539 static int smack_netlabel_send(struct sock *sk, struct sockaddr_in *sap) 2540 { 2541 struct smack_known *skp; 2542 int rc; 2543 int sk_lbl; 2544 struct smack_known *hkp; 2545 struct socket_smack *ssp = sk->sk_security; 2546 struct smk_audit_info ad; 2547 2548 rcu_read_lock(); 2549 hkp = smack_ipv4host_label(sap); 2550 if (hkp != NULL) { 2551 #ifdef CONFIG_AUDIT 2552 struct lsm_network_audit net; 2553 2554 smk_ad_init_net(&ad, __func__, LSM_AUDIT_DATA_NET, &net); 2555 ad.a.u.net->family = sap->sin_family; 2556 ad.a.u.net->dport = sap->sin_port; 2557 ad.a.u.net->v4info.daddr = sap->sin_addr.s_addr; 2558 #endif 2559 sk_lbl = SMACK_UNLABELED_SOCKET; 2560 skp = ssp->smk_out; 2561 rc = smk_access(skp, hkp, MAY_WRITE, &ad); 2562 rc = smk_bu_note("IPv4 host check", skp, hkp, MAY_WRITE, rc); 2563 } else { 2564 sk_lbl = SMACK_CIPSO_SOCKET; 2565 rc = 0; 2566 } 2567 rcu_read_unlock(); 2568 if (rc != 0) 2569 return rc; 2570 2571 return smack_netlabel(sk, sk_lbl); 2572 } 2573 2574 #if IS_ENABLED(CONFIG_IPV6) 2575 /** 2576 * smk_ipv6_check - check Smack access 2577 * @subject: subject Smack label 2578 * @object: object Smack label 2579 * @address: address 2580 * @act: the action being taken 2581 * 2582 * Check an IPv6 access 2583 */ 2584 static int smk_ipv6_check(struct smack_known *subject, 2585 struct smack_known *object, 2586 struct sockaddr_in6 *address, int act) 2587 { 2588 #ifdef CONFIG_AUDIT 2589 struct lsm_network_audit net; 2590 #endif 2591 struct smk_audit_info ad; 2592 int rc; 2593 2594 #ifdef CONFIG_AUDIT 2595 smk_ad_init_net(&ad, __func__, LSM_AUDIT_DATA_NET, &net); 2596 ad.a.u.net->family = PF_INET6; 2597 ad.a.u.net->dport = ntohs(address->sin6_port); 2598 if (act == SMK_RECEIVING) 2599 ad.a.u.net->v6info.saddr = address->sin6_addr; 2600 else 2601 ad.a.u.net->v6info.daddr = address->sin6_addr; 2602 #endif 2603 rc = smk_access(subject, object, MAY_WRITE, &ad); 2604 rc = smk_bu_note("IPv6 check", subject, object, MAY_WRITE, rc); 2605 return rc; 2606 } 2607 #endif /* CONFIG_IPV6 */ 2608 2609 #ifdef SMACK_IPV6_PORT_LABELING 2610 /** 2611 * smk_ipv6_port_label - Smack port access table management 2612 * @sock: socket 2613 * @address: address 2614 * 2615 * Create or update the port list entry 2616 */ 2617 static void smk_ipv6_port_label(struct socket *sock, struct sockaddr *address) 2618 { 2619 struct sock *sk = sock->sk; 2620 struct sockaddr_in6 *addr6; 2621 struct socket_smack *ssp = sock->sk->sk_security; 2622 struct smk_port_label *spp; 2623 unsigned short port = 0; 2624 2625 if (address == NULL) { 2626 /* 2627 * This operation is changing the Smack information 2628 * on the bound socket. Take the changes to the port 2629 * as well. 2630 */ 2631 rcu_read_lock(); 2632 list_for_each_entry_rcu(spp, &smk_ipv6_port_list, list) { 2633 if (sk != spp->smk_sock) 2634 continue; 2635 spp->smk_in = ssp->smk_in; 2636 spp->smk_out = ssp->smk_out; 2637 rcu_read_unlock(); 2638 return; 2639 } 2640 /* 2641 * A NULL address is only used for updating existing 2642 * bound entries. If there isn't one, it's OK. 2643 */ 2644 rcu_read_unlock(); 2645 return; 2646 } 2647 2648 addr6 = (struct sockaddr_in6 *)address; 2649 port = ntohs(addr6->sin6_port); 2650 /* 2651 * This is a special case that is safely ignored. 2652 */ 2653 if (port == 0) 2654 return; 2655 2656 /* 2657 * Look for an existing port list entry. 2658 * This is an indication that a port is getting reused. 2659 */ 2660 rcu_read_lock(); 2661 list_for_each_entry_rcu(spp, &smk_ipv6_port_list, list) { 2662 if (spp->smk_port != port || spp->smk_sock_type != sock->type) 2663 continue; 2664 if (spp->smk_can_reuse != 1) { 2665 rcu_read_unlock(); 2666 return; 2667 } 2668 spp->smk_port = port; 2669 spp->smk_sock = sk; 2670 spp->smk_in = ssp->smk_in; 2671 spp->smk_out = ssp->smk_out; 2672 spp->smk_can_reuse = 0; 2673 rcu_read_unlock(); 2674 return; 2675 } 2676 rcu_read_unlock(); 2677 /* 2678 * A new port entry is required. 2679 */ 2680 spp = kzalloc(sizeof(*spp), GFP_KERNEL); 2681 if (spp == NULL) 2682 return; 2683 2684 spp->smk_port = port; 2685 spp->smk_sock = sk; 2686 spp->smk_in = ssp->smk_in; 2687 spp->smk_out = ssp->smk_out; 2688 spp->smk_sock_type = sock->type; 2689 spp->smk_can_reuse = 0; 2690 2691 mutex_lock(&smack_ipv6_lock); 2692 list_add_rcu(&spp->list, &smk_ipv6_port_list); 2693 mutex_unlock(&smack_ipv6_lock); 2694 return; 2695 } 2696 2697 /** 2698 * smk_ipv6_port_check - check Smack port access 2699 * @sock: socket 2700 * @address: address 2701 * 2702 * Create or update the port list entry 2703 */ 2704 static int smk_ipv6_port_check(struct sock *sk, struct sockaddr_in6 *address, 2705 int act) 2706 { 2707 struct smk_port_label *spp; 2708 struct socket_smack *ssp = sk->sk_security; 2709 struct smack_known *skp = NULL; 2710 unsigned short port; 2711 struct smack_known *object; 2712 2713 if (act == SMK_RECEIVING) { 2714 skp = smack_ipv6host_label(address); 2715 object = ssp->smk_in; 2716 } else { 2717 skp = ssp->smk_out; 2718 object = smack_ipv6host_label(address); 2719 } 2720 2721 /* 2722 * The other end is a single label host. 2723 */ 2724 if (skp != NULL && object != NULL) 2725 return smk_ipv6_check(skp, object, address, act); 2726 if (skp == NULL) 2727 skp = smack_net_ambient; 2728 if (object == NULL) 2729 object = smack_net_ambient; 2730 2731 /* 2732 * It's remote, so port lookup does no good. 2733 */ 2734 if (!smk_ipv6_localhost(address)) 2735 return smk_ipv6_check(skp, object, address, act); 2736 2737 /* 2738 * It's local so the send check has to have passed. 2739 */ 2740 if (act == SMK_RECEIVING) 2741 return 0; 2742 2743 port = ntohs(address->sin6_port); 2744 rcu_read_lock(); 2745 list_for_each_entry_rcu(spp, &smk_ipv6_port_list, list) { 2746 if (spp->smk_port != port || spp->smk_sock_type != sk->sk_type) 2747 continue; 2748 object = spp->smk_in; 2749 if (act == SMK_CONNECTING) 2750 ssp->smk_packet = spp->smk_out; 2751 break; 2752 } 2753 rcu_read_unlock(); 2754 2755 return smk_ipv6_check(skp, object, address, act); 2756 } 2757 #endif /* SMACK_IPV6_PORT_LABELING */ 2758 2759 /** 2760 * smack_inode_setsecurity - set smack xattrs 2761 * @inode: the object 2762 * @name: attribute name 2763 * @value: attribute value 2764 * @size: size of the attribute 2765 * @flags: unused 2766 * 2767 * Sets the named attribute in the appropriate blob 2768 * 2769 * Returns 0 on success, or an error code 2770 */ 2771 static int smack_inode_setsecurity(struct inode *inode, const char *name, 2772 const void *value, size_t size, int flags) 2773 { 2774 struct smack_known *skp; 2775 struct inode_smack *nsp = inode->i_security; 2776 struct socket_smack *ssp; 2777 struct socket *sock; 2778 int rc = 0; 2779 2780 if (value == NULL || size > SMK_LONGLABEL || size == 0) 2781 return -EINVAL; 2782 2783 skp = smk_import_entry(value, size); 2784 if (IS_ERR(skp)) 2785 return PTR_ERR(skp); 2786 2787 if (strcmp(name, XATTR_SMACK_SUFFIX) == 0) { 2788 nsp->smk_inode = skp; 2789 nsp->smk_flags |= SMK_INODE_INSTANT; 2790 return 0; 2791 } 2792 /* 2793 * The rest of the Smack xattrs are only on sockets. 2794 */ 2795 if (inode->i_sb->s_magic != SOCKFS_MAGIC) 2796 return -EOPNOTSUPP; 2797 2798 sock = SOCKET_I(inode); 2799 if (sock == NULL || sock->sk == NULL) 2800 return -EOPNOTSUPP; 2801 2802 ssp = sock->sk->sk_security; 2803 2804 if (strcmp(name, XATTR_SMACK_IPIN) == 0) 2805 ssp->smk_in = skp; 2806 else if (strcmp(name, XATTR_SMACK_IPOUT) == 0) { 2807 ssp->smk_out = skp; 2808 if (sock->sk->sk_family == PF_INET) { 2809 rc = smack_netlabel(sock->sk, SMACK_CIPSO_SOCKET); 2810 if (rc != 0) 2811 printk(KERN_WARNING 2812 "Smack: \"%s\" netlbl error %d.\n", 2813 __func__, -rc); 2814 } 2815 } else 2816 return -EOPNOTSUPP; 2817 2818 #ifdef SMACK_IPV6_PORT_LABELING 2819 if (sock->sk->sk_family == PF_INET6) 2820 smk_ipv6_port_label(sock, NULL); 2821 #endif 2822 2823 return 0; 2824 } 2825 2826 /** 2827 * smack_socket_post_create - finish socket setup 2828 * @sock: the socket 2829 * @family: protocol family 2830 * @type: unused 2831 * @protocol: unused 2832 * @kern: unused 2833 * 2834 * Sets the netlabel information on the socket 2835 * 2836 * Returns 0 on success, and error code otherwise 2837 */ 2838 static int smack_socket_post_create(struct socket *sock, int family, 2839 int type, int protocol, int kern) 2840 { 2841 struct socket_smack *ssp; 2842 2843 if (sock->sk == NULL) 2844 return 0; 2845 2846 /* 2847 * Sockets created by kernel threads receive web label. 2848 */ 2849 if (unlikely(current->flags & PF_KTHREAD)) { 2850 ssp = sock->sk->sk_security; 2851 ssp->smk_in = &smack_known_web; 2852 ssp->smk_out = &smack_known_web; 2853 } 2854 2855 if (family != PF_INET) 2856 return 0; 2857 /* 2858 * Set the outbound netlbl. 2859 */ 2860 return smack_netlabel(sock->sk, SMACK_CIPSO_SOCKET); 2861 } 2862 2863 #ifdef SMACK_IPV6_PORT_LABELING 2864 /** 2865 * smack_socket_bind - record port binding information. 2866 * @sock: the socket 2867 * @address: the port address 2868 * @addrlen: size of the address 2869 * 2870 * Records the label bound to a port. 2871 * 2872 * Returns 0 2873 */ 2874 static int smack_socket_bind(struct socket *sock, struct sockaddr *address, 2875 int addrlen) 2876 { 2877 if (sock->sk != NULL && sock->sk->sk_family == PF_INET6) 2878 smk_ipv6_port_label(sock, address); 2879 return 0; 2880 } 2881 #endif /* SMACK_IPV6_PORT_LABELING */ 2882 2883 /** 2884 * smack_socket_connect - connect access check 2885 * @sock: the socket 2886 * @sap: the other end 2887 * @addrlen: size of sap 2888 * 2889 * Verifies that a connection may be possible 2890 * 2891 * Returns 0 on success, and error code otherwise 2892 */ 2893 static int smack_socket_connect(struct socket *sock, struct sockaddr *sap, 2894 int addrlen) 2895 { 2896 int rc = 0; 2897 #if IS_ENABLED(CONFIG_IPV6) 2898 struct sockaddr_in6 *sip = (struct sockaddr_in6 *)sap; 2899 #endif 2900 #ifdef SMACK_IPV6_SECMARK_LABELING 2901 struct smack_known *rsp; 2902 struct socket_smack *ssp = sock->sk->sk_security; 2903 #endif 2904 2905 if (sock->sk == NULL) 2906 return 0; 2907 2908 switch (sock->sk->sk_family) { 2909 case PF_INET: 2910 if (addrlen < sizeof(struct sockaddr_in)) 2911 return -EINVAL; 2912 rc = smack_netlabel_send(sock->sk, (struct sockaddr_in *)sap); 2913 break; 2914 case PF_INET6: 2915 if (addrlen < sizeof(struct sockaddr_in6)) 2916 return -EINVAL; 2917 #ifdef SMACK_IPV6_SECMARK_LABELING 2918 rsp = smack_ipv6host_label(sip); 2919 if (rsp != NULL) 2920 rc = smk_ipv6_check(ssp->smk_out, rsp, sip, 2921 SMK_CONNECTING); 2922 #endif 2923 #ifdef SMACK_IPV6_PORT_LABELING 2924 rc = smk_ipv6_port_check(sock->sk, sip, SMK_CONNECTING); 2925 #endif 2926 break; 2927 } 2928 return rc; 2929 } 2930 2931 /** 2932 * smack_flags_to_may - convert S_ to MAY_ values 2933 * @flags: the S_ value 2934 * 2935 * Returns the equivalent MAY_ value 2936 */ 2937 static int smack_flags_to_may(int flags) 2938 { 2939 int may = 0; 2940 2941 if (flags & S_IRUGO) 2942 may |= MAY_READ; 2943 if (flags & S_IWUGO) 2944 may |= MAY_WRITE; 2945 if (flags & S_IXUGO) 2946 may |= MAY_EXEC; 2947 2948 return may; 2949 } 2950 2951 /** 2952 * smack_msg_msg_alloc_security - Set the security blob for msg_msg 2953 * @msg: the object 2954 * 2955 * Returns 0 2956 */ 2957 static int smack_msg_msg_alloc_security(struct msg_msg *msg) 2958 { 2959 struct smack_known *skp = smk_of_current(); 2960 2961 msg->security = skp; 2962 return 0; 2963 } 2964 2965 /** 2966 * smack_msg_msg_free_security - Clear the security blob for msg_msg 2967 * @msg: the object 2968 * 2969 * Clears the blob pointer 2970 */ 2971 static void smack_msg_msg_free_security(struct msg_msg *msg) 2972 { 2973 msg->security = NULL; 2974 } 2975 2976 /** 2977 * smack_of_shm - the smack pointer for the shm 2978 * @shp: the object 2979 * 2980 * Returns a pointer to the smack value 2981 */ 2982 static struct smack_known *smack_of_shm(struct shmid_kernel *shp) 2983 { 2984 return (struct smack_known *)shp->shm_perm.security; 2985 } 2986 2987 /** 2988 * smack_shm_alloc_security - Set the security blob for shm 2989 * @shp: the object 2990 * 2991 * Returns 0 2992 */ 2993 static int smack_shm_alloc_security(struct shmid_kernel *shp) 2994 { 2995 struct kern_ipc_perm *isp = &shp->shm_perm; 2996 struct smack_known *skp = smk_of_current(); 2997 2998 isp->security = skp; 2999 return 0; 3000 } 3001 3002 /** 3003 * smack_shm_free_security - Clear the security blob for shm 3004 * @shp: the object 3005 * 3006 * Clears the blob pointer 3007 */ 3008 static void smack_shm_free_security(struct shmid_kernel *shp) 3009 { 3010 struct kern_ipc_perm *isp = &shp->shm_perm; 3011 3012 isp->security = NULL; 3013 } 3014 3015 /** 3016 * smk_curacc_shm : check if current has access on shm 3017 * @shp : the object 3018 * @access : access requested 3019 * 3020 * Returns 0 if current has the requested access, error code otherwise 3021 */ 3022 static int smk_curacc_shm(struct shmid_kernel *shp, int access) 3023 { 3024 struct smack_known *ssp = smack_of_shm(shp); 3025 struct smk_audit_info ad; 3026 int rc; 3027 3028 #ifdef CONFIG_AUDIT 3029 smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_IPC); 3030 ad.a.u.ipc_id = shp->shm_perm.id; 3031 #endif 3032 rc = smk_curacc(ssp, access, &ad); 3033 rc = smk_bu_current("shm", ssp, access, rc); 3034 return rc; 3035 } 3036 3037 /** 3038 * smack_shm_associate - Smack access check for shm 3039 * @shp: the object 3040 * @shmflg: access requested 3041 * 3042 * Returns 0 if current has the requested access, error code otherwise 3043 */ 3044 static int smack_shm_associate(struct shmid_kernel *shp, int shmflg) 3045 { 3046 int may; 3047 3048 may = smack_flags_to_may(shmflg); 3049 return smk_curacc_shm(shp, may); 3050 } 3051 3052 /** 3053 * smack_shm_shmctl - Smack access check for shm 3054 * @shp: the object 3055 * @cmd: what it wants to do 3056 * 3057 * Returns 0 if current has the requested access, error code otherwise 3058 */ 3059 static int smack_shm_shmctl(struct shmid_kernel *shp, int cmd) 3060 { 3061 int may; 3062 3063 switch (cmd) { 3064 case IPC_STAT: 3065 case SHM_STAT: 3066 may = MAY_READ; 3067 break; 3068 case IPC_SET: 3069 case SHM_LOCK: 3070 case SHM_UNLOCK: 3071 case IPC_RMID: 3072 may = MAY_READWRITE; 3073 break; 3074 case IPC_INFO: 3075 case SHM_INFO: 3076 /* 3077 * System level information. 3078 */ 3079 return 0; 3080 default: 3081 return -EINVAL; 3082 } 3083 return smk_curacc_shm(shp, may); 3084 } 3085 3086 /** 3087 * smack_shm_shmat - Smack access for shmat 3088 * @shp: the object 3089 * @shmaddr: unused 3090 * @shmflg: access requested 3091 * 3092 * Returns 0 if current has the requested access, error code otherwise 3093 */ 3094 static int smack_shm_shmat(struct shmid_kernel *shp, char __user *shmaddr, 3095 int shmflg) 3096 { 3097 int may; 3098 3099 may = smack_flags_to_may(shmflg); 3100 return smk_curacc_shm(shp, may); 3101 } 3102 3103 /** 3104 * smack_of_sem - the smack pointer for the sem 3105 * @sma: the object 3106 * 3107 * Returns a pointer to the smack value 3108 */ 3109 static struct smack_known *smack_of_sem(struct sem_array *sma) 3110 { 3111 return (struct smack_known *)sma->sem_perm.security; 3112 } 3113 3114 /** 3115 * smack_sem_alloc_security - Set the security blob for sem 3116 * @sma: the object 3117 * 3118 * Returns 0 3119 */ 3120 static int smack_sem_alloc_security(struct sem_array *sma) 3121 { 3122 struct kern_ipc_perm *isp = &sma->sem_perm; 3123 struct smack_known *skp = smk_of_current(); 3124 3125 isp->security = skp; 3126 return 0; 3127 } 3128 3129 /** 3130 * smack_sem_free_security - Clear the security blob for sem 3131 * @sma: the object 3132 * 3133 * Clears the blob pointer 3134 */ 3135 static void smack_sem_free_security(struct sem_array *sma) 3136 { 3137 struct kern_ipc_perm *isp = &sma->sem_perm; 3138 3139 isp->security = NULL; 3140 } 3141 3142 /** 3143 * smk_curacc_sem : check if current has access on sem 3144 * @sma : the object 3145 * @access : access requested 3146 * 3147 * Returns 0 if current has the requested access, error code otherwise 3148 */ 3149 static int smk_curacc_sem(struct sem_array *sma, int access) 3150 { 3151 struct smack_known *ssp = smack_of_sem(sma); 3152 struct smk_audit_info ad; 3153 int rc; 3154 3155 #ifdef CONFIG_AUDIT 3156 smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_IPC); 3157 ad.a.u.ipc_id = sma->sem_perm.id; 3158 #endif 3159 rc = smk_curacc(ssp, access, &ad); 3160 rc = smk_bu_current("sem", ssp, access, rc); 3161 return rc; 3162 } 3163 3164 /** 3165 * smack_sem_associate - Smack access check for sem 3166 * @sma: the object 3167 * @semflg: access requested 3168 * 3169 * Returns 0 if current has the requested access, error code otherwise 3170 */ 3171 static int smack_sem_associate(struct sem_array *sma, int semflg) 3172 { 3173 int may; 3174 3175 may = smack_flags_to_may(semflg); 3176 return smk_curacc_sem(sma, may); 3177 } 3178 3179 /** 3180 * smack_sem_shmctl - Smack access check for sem 3181 * @sma: the object 3182 * @cmd: what it wants to do 3183 * 3184 * Returns 0 if current has the requested access, error code otherwise 3185 */ 3186 static int smack_sem_semctl(struct sem_array *sma, int cmd) 3187 { 3188 int may; 3189 3190 switch (cmd) { 3191 case GETPID: 3192 case GETNCNT: 3193 case GETZCNT: 3194 case GETVAL: 3195 case GETALL: 3196 case IPC_STAT: 3197 case SEM_STAT: 3198 may = MAY_READ; 3199 break; 3200 case SETVAL: 3201 case SETALL: 3202 case IPC_RMID: 3203 case IPC_SET: 3204 may = MAY_READWRITE; 3205 break; 3206 case IPC_INFO: 3207 case SEM_INFO: 3208 /* 3209 * System level information 3210 */ 3211 return 0; 3212 default: 3213 return -EINVAL; 3214 } 3215 3216 return smk_curacc_sem(sma, may); 3217 } 3218 3219 /** 3220 * smack_sem_semop - Smack checks of semaphore operations 3221 * @sma: the object 3222 * @sops: unused 3223 * @nsops: unused 3224 * @alter: unused 3225 * 3226 * Treated as read and write in all cases. 3227 * 3228 * Returns 0 if access is allowed, error code otherwise 3229 */ 3230 static int smack_sem_semop(struct sem_array *sma, struct sembuf *sops, 3231 unsigned nsops, int alter) 3232 { 3233 return smk_curacc_sem(sma, MAY_READWRITE); 3234 } 3235 3236 /** 3237 * smack_msg_alloc_security - Set the security blob for msg 3238 * @msq: the object 3239 * 3240 * Returns 0 3241 */ 3242 static int smack_msg_queue_alloc_security(struct msg_queue *msq) 3243 { 3244 struct kern_ipc_perm *kisp = &msq->q_perm; 3245 struct smack_known *skp = smk_of_current(); 3246 3247 kisp->security = skp; 3248 return 0; 3249 } 3250 3251 /** 3252 * smack_msg_free_security - Clear the security blob for msg 3253 * @msq: the object 3254 * 3255 * Clears the blob pointer 3256 */ 3257 static void smack_msg_queue_free_security(struct msg_queue *msq) 3258 { 3259 struct kern_ipc_perm *kisp = &msq->q_perm; 3260 3261 kisp->security = NULL; 3262 } 3263 3264 /** 3265 * smack_of_msq - the smack pointer for the msq 3266 * @msq: the object 3267 * 3268 * Returns a pointer to the smack label entry 3269 */ 3270 static struct smack_known *smack_of_msq(struct msg_queue *msq) 3271 { 3272 return (struct smack_known *)msq->q_perm.security; 3273 } 3274 3275 /** 3276 * smk_curacc_msq : helper to check if current has access on msq 3277 * @msq : the msq 3278 * @access : access requested 3279 * 3280 * return 0 if current has access, error otherwise 3281 */ 3282 static int smk_curacc_msq(struct msg_queue *msq, int access) 3283 { 3284 struct smack_known *msp = smack_of_msq(msq); 3285 struct smk_audit_info ad; 3286 int rc; 3287 3288 #ifdef CONFIG_AUDIT 3289 smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_IPC); 3290 ad.a.u.ipc_id = msq->q_perm.id; 3291 #endif 3292 rc = smk_curacc(msp, access, &ad); 3293 rc = smk_bu_current("msq", msp, access, rc); 3294 return rc; 3295 } 3296 3297 /** 3298 * smack_msg_queue_associate - Smack access check for msg_queue 3299 * @msq: the object 3300 * @msqflg: access requested 3301 * 3302 * Returns 0 if current has the requested access, error code otherwise 3303 */ 3304 static int smack_msg_queue_associate(struct msg_queue *msq, int msqflg) 3305 { 3306 int may; 3307 3308 may = smack_flags_to_may(msqflg); 3309 return smk_curacc_msq(msq, may); 3310 } 3311 3312 /** 3313 * smack_msg_queue_msgctl - Smack access check for msg_queue 3314 * @msq: the object 3315 * @cmd: what it wants to do 3316 * 3317 * Returns 0 if current has the requested access, error code otherwise 3318 */ 3319 static int smack_msg_queue_msgctl(struct msg_queue *msq, int cmd) 3320 { 3321 int may; 3322 3323 switch (cmd) { 3324 case IPC_STAT: 3325 case MSG_STAT: 3326 may = MAY_READ; 3327 break; 3328 case IPC_SET: 3329 case IPC_RMID: 3330 may = MAY_READWRITE; 3331 break; 3332 case IPC_INFO: 3333 case MSG_INFO: 3334 /* 3335 * System level information 3336 */ 3337 return 0; 3338 default: 3339 return -EINVAL; 3340 } 3341 3342 return smk_curacc_msq(msq, may); 3343 } 3344 3345 /** 3346 * smack_msg_queue_msgsnd - Smack access check for msg_queue 3347 * @msq: the object 3348 * @msg: unused 3349 * @msqflg: access requested 3350 * 3351 * Returns 0 if current has the requested access, error code otherwise 3352 */ 3353 static int smack_msg_queue_msgsnd(struct msg_queue *msq, struct msg_msg *msg, 3354 int msqflg) 3355 { 3356 int may; 3357 3358 may = smack_flags_to_may(msqflg); 3359 return smk_curacc_msq(msq, may); 3360 } 3361 3362 /** 3363 * smack_msg_queue_msgsnd - Smack access check for msg_queue 3364 * @msq: the object 3365 * @msg: unused 3366 * @target: unused 3367 * @type: unused 3368 * @mode: unused 3369 * 3370 * Returns 0 if current has read and write access, error code otherwise 3371 */ 3372 static int smack_msg_queue_msgrcv(struct msg_queue *msq, struct msg_msg *msg, 3373 struct task_struct *target, long type, int mode) 3374 { 3375 return smk_curacc_msq(msq, MAY_READWRITE); 3376 } 3377 3378 /** 3379 * smack_ipc_permission - Smack access for ipc_permission() 3380 * @ipp: the object permissions 3381 * @flag: access requested 3382 * 3383 * Returns 0 if current has read and write access, error code otherwise 3384 */ 3385 static int smack_ipc_permission(struct kern_ipc_perm *ipp, short flag) 3386 { 3387 struct smack_known *iskp = ipp->security; 3388 int may = smack_flags_to_may(flag); 3389 struct smk_audit_info ad; 3390 int rc; 3391 3392 #ifdef CONFIG_AUDIT 3393 smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_IPC); 3394 ad.a.u.ipc_id = ipp->id; 3395 #endif 3396 rc = smk_curacc(iskp, may, &ad); 3397 rc = smk_bu_current("svipc", iskp, may, rc); 3398 return rc; 3399 } 3400 3401 /** 3402 * smack_ipc_getsecid - Extract smack security id 3403 * @ipp: the object permissions 3404 * @secid: where result will be saved 3405 */ 3406 static void smack_ipc_getsecid(struct kern_ipc_perm *ipp, u32 *secid) 3407 { 3408 struct smack_known *iskp = ipp->security; 3409 3410 *secid = iskp->smk_secid; 3411 } 3412 3413 /** 3414 * smack_d_instantiate - Make sure the blob is correct on an inode 3415 * @opt_dentry: dentry where inode will be attached 3416 * @inode: the object 3417 * 3418 * Set the inode's security blob if it hasn't been done already. 3419 */ 3420 static void smack_d_instantiate(struct dentry *opt_dentry, struct inode *inode) 3421 { 3422 struct super_block *sbp; 3423 struct superblock_smack *sbsp; 3424 struct inode_smack *isp; 3425 struct smack_known *skp; 3426 struct smack_known *ckp = smk_of_current(); 3427 struct smack_known *final; 3428 char trattr[TRANS_TRUE_SIZE]; 3429 int transflag = 0; 3430 int rc; 3431 struct dentry *dp; 3432 3433 if (inode == NULL) 3434 return; 3435 3436 isp = inode->i_security; 3437 3438 mutex_lock(&isp->smk_lock); 3439 /* 3440 * If the inode is already instantiated 3441 * take the quick way out 3442 */ 3443 if (isp->smk_flags & SMK_INODE_INSTANT) 3444 goto unlockandout; 3445 3446 sbp = inode->i_sb; 3447 sbsp = sbp->s_security; 3448 /* 3449 * We're going to use the superblock default label 3450 * if there's no label on the file. 3451 */ 3452 final = sbsp->smk_default; 3453 3454 /* 3455 * If this is the root inode the superblock 3456 * may be in the process of initialization. 3457 * If that is the case use the root value out 3458 * of the superblock. 3459 */ 3460 if (opt_dentry->d_parent == opt_dentry) { 3461 switch (sbp->s_magic) { 3462 case CGROUP_SUPER_MAGIC: 3463 /* 3464 * The cgroup filesystem is never mounted, 3465 * so there's no opportunity to set the mount 3466 * options. 3467 */ 3468 sbsp->smk_root = &smack_known_star; 3469 sbsp->smk_default = &smack_known_star; 3470 isp->smk_inode = sbsp->smk_root; 3471 break; 3472 case TMPFS_MAGIC: 3473 /* 3474 * What about shmem/tmpfs anonymous files with dentry 3475 * obtained from d_alloc_pseudo()? 3476 */ 3477 isp->smk_inode = smk_of_current(); 3478 break; 3479 case PIPEFS_MAGIC: 3480 isp->smk_inode = smk_of_current(); 3481 break; 3482 case SOCKFS_MAGIC: 3483 /* 3484 * Socket access is controlled by the socket 3485 * structures associated with the task involved. 3486 */ 3487 isp->smk_inode = &smack_known_star; 3488 break; 3489 default: 3490 isp->smk_inode = sbsp->smk_root; 3491 break; 3492 } 3493 isp->smk_flags |= SMK_INODE_INSTANT; 3494 goto unlockandout; 3495 } 3496 3497 /* 3498 * This is pretty hackish. 3499 * Casey says that we shouldn't have to do 3500 * file system specific code, but it does help 3501 * with keeping it simple. 3502 */ 3503 switch (sbp->s_magic) { 3504 case SMACK_MAGIC: 3505 case CGROUP_SUPER_MAGIC: 3506 /* 3507 * Casey says that it's a little embarrassing 3508 * that the smack file system doesn't do 3509 * extended attributes. 3510 * 3511 * Cgroupfs is special 3512 */ 3513 final = &smack_known_star; 3514 break; 3515 case DEVPTS_SUPER_MAGIC: 3516 /* 3517 * devpts seems content with the label of the task. 3518 * Programs that change smack have to treat the 3519 * pty with respect. 3520 */ 3521 final = ckp; 3522 break; 3523 case PROC_SUPER_MAGIC: 3524 /* 3525 * Casey says procfs appears not to care. 3526 * The superblock default suffices. 3527 */ 3528 break; 3529 case TMPFS_MAGIC: 3530 /* 3531 * Device labels should come from the filesystem, 3532 * but watch out, because they're volitile, 3533 * getting recreated on every reboot. 3534 */ 3535 final = &smack_known_star; 3536 /* 3537 * No break. 3538 * 3539 * If a smack value has been set we want to use it, 3540 * but since tmpfs isn't giving us the opportunity 3541 * to set mount options simulate setting the 3542 * superblock default. 3543 */ 3544 default: 3545 /* 3546 * This isn't an understood special case. 3547 * Get the value from the xattr. 3548 */ 3549 3550 /* 3551 * UNIX domain sockets use lower level socket data. 3552 */ 3553 if (S_ISSOCK(inode->i_mode)) { 3554 final = &smack_known_star; 3555 break; 3556 } 3557 /* 3558 * No xattr support means, alas, no SMACK label. 3559 * Use the aforeapplied default. 3560 * It would be curious if the label of the task 3561 * does not match that assigned. 3562 */ 3563 if (!(inode->i_opflags & IOP_XATTR)) 3564 break; 3565 /* 3566 * Get the dentry for xattr. 3567 */ 3568 dp = dget(opt_dentry); 3569 skp = smk_fetch(XATTR_NAME_SMACK, inode, dp); 3570 if (!IS_ERR_OR_NULL(skp)) 3571 final = skp; 3572 3573 /* 3574 * Transmuting directory 3575 */ 3576 if (S_ISDIR(inode->i_mode)) { 3577 /* 3578 * If this is a new directory and the label was 3579 * transmuted when the inode was initialized 3580 * set the transmute attribute on the directory 3581 * and mark the inode. 3582 * 3583 * If there is a transmute attribute on the 3584 * directory mark the inode. 3585 */ 3586 if (isp->smk_flags & SMK_INODE_CHANGED) { 3587 isp->smk_flags &= ~SMK_INODE_CHANGED; 3588 rc = __vfs_setxattr(dp, inode, 3589 XATTR_NAME_SMACKTRANSMUTE, 3590 TRANS_TRUE, TRANS_TRUE_SIZE, 3591 0); 3592 } else { 3593 rc = __vfs_getxattr(dp, inode, 3594 XATTR_NAME_SMACKTRANSMUTE, trattr, 3595 TRANS_TRUE_SIZE); 3596 if (rc >= 0 && strncmp(trattr, TRANS_TRUE, 3597 TRANS_TRUE_SIZE) != 0) 3598 rc = -EINVAL; 3599 } 3600 if (rc >= 0) 3601 transflag = SMK_INODE_TRANSMUTE; 3602 } 3603 /* 3604 * Don't let the exec or mmap label be "*" or "@". 3605 */ 3606 skp = smk_fetch(XATTR_NAME_SMACKEXEC, inode, dp); 3607 if (IS_ERR(skp) || skp == &smack_known_star || 3608 skp == &smack_known_web) 3609 skp = NULL; 3610 isp->smk_task = skp; 3611 3612 skp = smk_fetch(XATTR_NAME_SMACKMMAP, inode, dp); 3613 if (IS_ERR(skp) || skp == &smack_known_star || 3614 skp == &smack_known_web) 3615 skp = NULL; 3616 isp->smk_mmap = skp; 3617 3618 dput(dp); 3619 break; 3620 } 3621 3622 if (final == NULL) 3623 isp->smk_inode = ckp; 3624 else 3625 isp->smk_inode = final; 3626 3627 isp->smk_flags |= (SMK_INODE_INSTANT | transflag); 3628 3629 unlockandout: 3630 mutex_unlock(&isp->smk_lock); 3631 return; 3632 } 3633 3634 /** 3635 * smack_getprocattr - Smack process attribute access 3636 * @p: the object task 3637 * @name: the name of the attribute in /proc/.../attr 3638 * @value: where to put the result 3639 * 3640 * Places a copy of the task Smack into value 3641 * 3642 * Returns the length of the smack label or an error code 3643 */ 3644 static int smack_getprocattr(struct task_struct *p, char *name, char **value) 3645 { 3646 struct smack_known *skp = smk_of_task_struct(p); 3647 char *cp; 3648 int slen; 3649 3650 if (strcmp(name, "current") != 0) 3651 return -EINVAL; 3652 3653 cp = kstrdup(skp->smk_known, GFP_KERNEL); 3654 if (cp == NULL) 3655 return -ENOMEM; 3656 3657 slen = strlen(cp); 3658 *value = cp; 3659 return slen; 3660 } 3661 3662 /** 3663 * smack_setprocattr - Smack process attribute setting 3664 * @name: the name of the attribute in /proc/.../attr 3665 * @value: the value to set 3666 * @size: the size of the value 3667 * 3668 * Sets the Smack value of the task. Only setting self 3669 * is permitted and only with privilege 3670 * 3671 * Returns the length of the smack label or an error code 3672 */ 3673 static int smack_setprocattr(const char *name, void *value, size_t size) 3674 { 3675 struct task_smack *tsp = current_security(); 3676 struct cred *new; 3677 struct smack_known *skp; 3678 struct smack_known_list_elem *sklep; 3679 int rc; 3680 3681 if (!smack_privileged(CAP_MAC_ADMIN) && list_empty(&tsp->smk_relabel)) 3682 return -EPERM; 3683 3684 if (value == NULL || size == 0 || size >= SMK_LONGLABEL) 3685 return -EINVAL; 3686 3687 if (strcmp(name, "current") != 0) 3688 return -EINVAL; 3689 3690 skp = smk_import_entry(value, size); 3691 if (IS_ERR(skp)) 3692 return PTR_ERR(skp); 3693 3694 /* 3695 * No process is ever allowed the web ("@") label 3696 * and the star ("*") label. 3697 */ 3698 if (skp == &smack_known_web || skp == &smack_known_star) 3699 return -EINVAL; 3700 3701 if (!smack_privileged(CAP_MAC_ADMIN)) { 3702 rc = -EPERM; 3703 list_for_each_entry(sklep, &tsp->smk_relabel, list) 3704 if (sklep->smk_label == skp) { 3705 rc = 0; 3706 break; 3707 } 3708 if (rc) 3709 return rc; 3710 } 3711 3712 new = prepare_creds(); 3713 if (new == NULL) 3714 return -ENOMEM; 3715 3716 tsp = new->security; 3717 tsp->smk_task = skp; 3718 /* 3719 * process can change its label only once 3720 */ 3721 smk_destroy_label_list(&tsp->smk_relabel); 3722 3723 commit_creds(new); 3724 return size; 3725 } 3726 3727 /** 3728 * smack_unix_stream_connect - Smack access on UDS 3729 * @sock: one sock 3730 * @other: the other sock 3731 * @newsk: unused 3732 * 3733 * Return 0 if a subject with the smack of sock could access 3734 * an object with the smack of other, otherwise an error code 3735 */ 3736 static int smack_unix_stream_connect(struct sock *sock, 3737 struct sock *other, struct sock *newsk) 3738 { 3739 struct smack_known *skp; 3740 struct smack_known *okp; 3741 struct socket_smack *ssp = sock->sk_security; 3742 struct socket_smack *osp = other->sk_security; 3743 struct socket_smack *nsp = newsk->sk_security; 3744 struct smk_audit_info ad; 3745 int rc = 0; 3746 #ifdef CONFIG_AUDIT 3747 struct lsm_network_audit net; 3748 #endif 3749 3750 if (!smack_privileged(CAP_MAC_OVERRIDE)) { 3751 skp = ssp->smk_out; 3752 okp = osp->smk_in; 3753 #ifdef CONFIG_AUDIT 3754 smk_ad_init_net(&ad, __func__, LSM_AUDIT_DATA_NET, &net); 3755 smk_ad_setfield_u_net_sk(&ad, other); 3756 #endif 3757 rc = smk_access(skp, okp, MAY_WRITE, &ad); 3758 rc = smk_bu_note("UDS connect", skp, okp, MAY_WRITE, rc); 3759 if (rc == 0) { 3760 okp = osp->smk_out; 3761 skp = ssp->smk_in; 3762 rc = smk_access(okp, skp, MAY_WRITE, &ad); 3763 rc = smk_bu_note("UDS connect", okp, skp, 3764 MAY_WRITE, rc); 3765 } 3766 } 3767 3768 /* 3769 * Cross reference the peer labels for SO_PEERSEC. 3770 */ 3771 if (rc == 0) { 3772 nsp->smk_packet = ssp->smk_out; 3773 ssp->smk_packet = osp->smk_out; 3774 } 3775 3776 return rc; 3777 } 3778 3779 /** 3780 * smack_unix_may_send - Smack access on UDS 3781 * @sock: one socket 3782 * @other: the other socket 3783 * 3784 * Return 0 if a subject with the smack of sock could access 3785 * an object with the smack of other, otherwise an error code 3786 */ 3787 static int smack_unix_may_send(struct socket *sock, struct socket *other) 3788 { 3789 struct socket_smack *ssp = sock->sk->sk_security; 3790 struct socket_smack *osp = other->sk->sk_security; 3791 struct smk_audit_info ad; 3792 int rc; 3793 3794 #ifdef CONFIG_AUDIT 3795 struct lsm_network_audit net; 3796 3797 smk_ad_init_net(&ad, __func__, LSM_AUDIT_DATA_NET, &net); 3798 smk_ad_setfield_u_net_sk(&ad, other->sk); 3799 #endif 3800 3801 if (smack_privileged(CAP_MAC_OVERRIDE)) 3802 return 0; 3803 3804 rc = smk_access(ssp->smk_out, osp->smk_in, MAY_WRITE, &ad); 3805 rc = smk_bu_note("UDS send", ssp->smk_out, osp->smk_in, MAY_WRITE, rc); 3806 return rc; 3807 } 3808 3809 /** 3810 * smack_socket_sendmsg - Smack check based on destination host 3811 * @sock: the socket 3812 * @msg: the message 3813 * @size: the size of the message 3814 * 3815 * Return 0 if the current subject can write to the destination host. 3816 * For IPv4 this is only a question if the destination is a single label host. 3817 * For IPv6 this is a check against the label of the port. 3818 */ 3819 static int smack_socket_sendmsg(struct socket *sock, struct msghdr *msg, 3820 int size) 3821 { 3822 struct sockaddr_in *sip = (struct sockaddr_in *) msg->msg_name; 3823 #if IS_ENABLED(CONFIG_IPV6) 3824 struct sockaddr_in6 *sap = (struct sockaddr_in6 *) msg->msg_name; 3825 #endif 3826 #ifdef SMACK_IPV6_SECMARK_LABELING 3827 struct socket_smack *ssp = sock->sk->sk_security; 3828 struct smack_known *rsp; 3829 #endif 3830 int rc = 0; 3831 3832 /* 3833 * Perfectly reasonable for this to be NULL 3834 */ 3835 if (sip == NULL) 3836 return 0; 3837 3838 switch (sock->sk->sk_family) { 3839 case AF_INET: 3840 rc = smack_netlabel_send(sock->sk, sip); 3841 break; 3842 case AF_INET6: 3843 #ifdef SMACK_IPV6_SECMARK_LABELING 3844 rsp = smack_ipv6host_label(sap); 3845 if (rsp != NULL) 3846 rc = smk_ipv6_check(ssp->smk_out, rsp, sap, 3847 SMK_CONNECTING); 3848 #endif 3849 #ifdef SMACK_IPV6_PORT_LABELING 3850 rc = smk_ipv6_port_check(sock->sk, sap, SMK_SENDING); 3851 #endif 3852 break; 3853 } 3854 return rc; 3855 } 3856 3857 /** 3858 * smack_from_secattr - Convert a netlabel attr.mls.lvl/attr.mls.cat pair to smack 3859 * @sap: netlabel secattr 3860 * @ssp: socket security information 3861 * 3862 * Returns a pointer to a Smack label entry found on the label list. 3863 */ 3864 static struct smack_known *smack_from_secattr(struct netlbl_lsm_secattr *sap, 3865 struct socket_smack *ssp) 3866 { 3867 struct smack_known *skp; 3868 int found = 0; 3869 int acat; 3870 int kcat; 3871 3872 if ((sap->flags & NETLBL_SECATTR_MLS_LVL) != 0) { 3873 /* 3874 * Looks like a CIPSO packet. 3875 * If there are flags but no level netlabel isn't 3876 * behaving the way we expect it to. 3877 * 3878 * Look it up in the label table 3879 * Without guidance regarding the smack value 3880 * for the packet fall back on the network 3881 * ambient value. 3882 */ 3883 rcu_read_lock(); 3884 list_for_each_entry_rcu(skp, &smack_known_list, list) { 3885 if (sap->attr.mls.lvl != skp->smk_netlabel.attr.mls.lvl) 3886 continue; 3887 /* 3888 * Compare the catsets. Use the netlbl APIs. 3889 */ 3890 if ((sap->flags & NETLBL_SECATTR_MLS_CAT) == 0) { 3891 if ((skp->smk_netlabel.flags & 3892 NETLBL_SECATTR_MLS_CAT) == 0) 3893 found = 1; 3894 break; 3895 } 3896 for (acat = -1, kcat = -1; acat == kcat; ) { 3897 acat = netlbl_catmap_walk(sap->attr.mls.cat, 3898 acat + 1); 3899 kcat = netlbl_catmap_walk( 3900 skp->smk_netlabel.attr.mls.cat, 3901 kcat + 1); 3902 if (acat < 0 || kcat < 0) 3903 break; 3904 } 3905 if (acat == kcat) { 3906 found = 1; 3907 break; 3908 } 3909 } 3910 rcu_read_unlock(); 3911 3912 if (found) 3913 return skp; 3914 3915 if (ssp != NULL && ssp->smk_in == &smack_known_star) 3916 return &smack_known_web; 3917 return &smack_known_star; 3918 } 3919 if ((sap->flags & NETLBL_SECATTR_SECID) != 0) 3920 /* 3921 * Looks like a fallback, which gives us a secid. 3922 */ 3923 return smack_from_secid(sap->attr.secid); 3924 /* 3925 * Without guidance regarding the smack value 3926 * for the packet fall back on the network 3927 * ambient value. 3928 */ 3929 return smack_net_ambient; 3930 } 3931 3932 #if IS_ENABLED(CONFIG_IPV6) 3933 static int smk_skb_to_addr_ipv6(struct sk_buff *skb, struct sockaddr_in6 *sip) 3934 { 3935 u8 nexthdr; 3936 int offset; 3937 int proto = -EINVAL; 3938 struct ipv6hdr _ipv6h; 3939 struct ipv6hdr *ip6; 3940 __be16 frag_off; 3941 struct tcphdr _tcph, *th; 3942 struct udphdr _udph, *uh; 3943 struct dccp_hdr _dccph, *dh; 3944 3945 sip->sin6_port = 0; 3946 3947 offset = skb_network_offset(skb); 3948 ip6 = skb_header_pointer(skb, offset, sizeof(_ipv6h), &_ipv6h); 3949 if (ip6 == NULL) 3950 return -EINVAL; 3951 sip->sin6_addr = ip6->saddr; 3952 3953 nexthdr = ip6->nexthdr; 3954 offset += sizeof(_ipv6h); 3955 offset = ipv6_skip_exthdr(skb, offset, &nexthdr, &frag_off); 3956 if (offset < 0) 3957 return -EINVAL; 3958 3959 proto = nexthdr; 3960 switch (proto) { 3961 case IPPROTO_TCP: 3962 th = skb_header_pointer(skb, offset, sizeof(_tcph), &_tcph); 3963 if (th != NULL) 3964 sip->sin6_port = th->source; 3965 break; 3966 case IPPROTO_UDP: 3967 uh = skb_header_pointer(skb, offset, sizeof(_udph), &_udph); 3968 if (uh != NULL) 3969 sip->sin6_port = uh->source; 3970 break; 3971 case IPPROTO_DCCP: 3972 dh = skb_header_pointer(skb, offset, sizeof(_dccph), &_dccph); 3973 if (dh != NULL) 3974 sip->sin6_port = dh->dccph_sport; 3975 break; 3976 } 3977 return proto; 3978 } 3979 #endif /* CONFIG_IPV6 */ 3980 3981 /** 3982 * smack_socket_sock_rcv_skb - Smack packet delivery access check 3983 * @sk: socket 3984 * @skb: packet 3985 * 3986 * Returns 0 if the packet should be delivered, an error code otherwise 3987 */ 3988 static int smack_socket_sock_rcv_skb(struct sock *sk, struct sk_buff *skb) 3989 { 3990 struct netlbl_lsm_secattr secattr; 3991 struct socket_smack *ssp = sk->sk_security; 3992 struct smack_known *skp = NULL; 3993 int rc = 0; 3994 struct smk_audit_info ad; 3995 #ifdef CONFIG_AUDIT 3996 struct lsm_network_audit net; 3997 #endif 3998 #if IS_ENABLED(CONFIG_IPV6) 3999 struct sockaddr_in6 sadd; 4000 int proto; 4001 #endif /* CONFIG_IPV6 */ 4002 4003 switch (sk->sk_family) { 4004 case PF_INET: 4005 #ifdef CONFIG_SECURITY_SMACK_NETFILTER 4006 /* 4007 * If there is a secmark use it rather than the CIPSO label. 4008 * If there is no secmark fall back to CIPSO. 4009 * The secmark is assumed to reflect policy better. 4010 */ 4011 if (skb && skb->secmark != 0) { 4012 skp = smack_from_secid(skb->secmark); 4013 goto access_check; 4014 } 4015 #endif /* CONFIG_SECURITY_SMACK_NETFILTER */ 4016 /* 4017 * Translate what netlabel gave us. 4018 */ 4019 netlbl_secattr_init(&secattr); 4020 4021 rc = netlbl_skbuff_getattr(skb, sk->sk_family, &secattr); 4022 if (rc == 0) 4023 skp = smack_from_secattr(&secattr, ssp); 4024 else 4025 skp = smack_net_ambient; 4026 4027 netlbl_secattr_destroy(&secattr); 4028 4029 #ifdef CONFIG_SECURITY_SMACK_NETFILTER 4030 access_check: 4031 #endif 4032 #ifdef CONFIG_AUDIT 4033 smk_ad_init_net(&ad, __func__, LSM_AUDIT_DATA_NET, &net); 4034 ad.a.u.net->family = sk->sk_family; 4035 ad.a.u.net->netif = skb->skb_iif; 4036 ipv4_skb_to_auditdata(skb, &ad.a, NULL); 4037 #endif 4038 /* 4039 * Receiving a packet requires that the other end 4040 * be able to write here. Read access is not required. 4041 * This is the simplist possible security model 4042 * for networking. 4043 */ 4044 rc = smk_access(skp, ssp->smk_in, MAY_WRITE, &ad); 4045 rc = smk_bu_note("IPv4 delivery", skp, ssp->smk_in, 4046 MAY_WRITE, rc); 4047 if (rc != 0) 4048 netlbl_skbuff_err(skb, sk->sk_family, rc, 0); 4049 break; 4050 #if IS_ENABLED(CONFIG_IPV6) 4051 case PF_INET6: 4052 proto = smk_skb_to_addr_ipv6(skb, &sadd); 4053 if (proto != IPPROTO_UDP && proto != IPPROTO_TCP) 4054 break; 4055 #ifdef SMACK_IPV6_SECMARK_LABELING 4056 if (skb && skb->secmark != 0) 4057 skp = smack_from_secid(skb->secmark); 4058 else 4059 skp = smack_ipv6host_label(&sadd); 4060 if (skp == NULL) 4061 skp = smack_net_ambient; 4062 #ifdef CONFIG_AUDIT 4063 smk_ad_init_net(&ad, __func__, LSM_AUDIT_DATA_NET, &net); 4064 ad.a.u.net->family = sk->sk_family; 4065 ad.a.u.net->netif = skb->skb_iif; 4066 ipv6_skb_to_auditdata(skb, &ad.a, NULL); 4067 #endif /* CONFIG_AUDIT */ 4068 rc = smk_access(skp, ssp->smk_in, MAY_WRITE, &ad); 4069 rc = smk_bu_note("IPv6 delivery", skp, ssp->smk_in, 4070 MAY_WRITE, rc); 4071 #endif /* SMACK_IPV6_SECMARK_LABELING */ 4072 #ifdef SMACK_IPV6_PORT_LABELING 4073 rc = smk_ipv6_port_check(sk, &sadd, SMK_RECEIVING); 4074 #endif /* SMACK_IPV6_PORT_LABELING */ 4075 break; 4076 #endif /* CONFIG_IPV6 */ 4077 } 4078 4079 return rc; 4080 } 4081 4082 /** 4083 * smack_socket_getpeersec_stream - pull in packet label 4084 * @sock: the socket 4085 * @optval: user's destination 4086 * @optlen: size thereof 4087 * @len: max thereof 4088 * 4089 * returns zero on success, an error code otherwise 4090 */ 4091 static int smack_socket_getpeersec_stream(struct socket *sock, 4092 char __user *optval, 4093 int __user *optlen, unsigned len) 4094 { 4095 struct socket_smack *ssp; 4096 char *rcp = ""; 4097 int slen = 1; 4098 int rc = 0; 4099 4100 ssp = sock->sk->sk_security; 4101 if (ssp->smk_packet != NULL) { 4102 rcp = ssp->smk_packet->smk_known; 4103 slen = strlen(rcp) + 1; 4104 } 4105 4106 if (slen > len) 4107 rc = -ERANGE; 4108 else if (copy_to_user(optval, rcp, slen) != 0) 4109 rc = -EFAULT; 4110 4111 if (put_user(slen, optlen) != 0) 4112 rc = -EFAULT; 4113 4114 return rc; 4115 } 4116 4117 4118 /** 4119 * smack_socket_getpeersec_dgram - pull in packet label 4120 * @sock: the peer socket 4121 * @skb: packet data 4122 * @secid: pointer to where to put the secid of the packet 4123 * 4124 * Sets the netlabel socket state on sk from parent 4125 */ 4126 static int smack_socket_getpeersec_dgram(struct socket *sock, 4127 struct sk_buff *skb, u32 *secid) 4128 4129 { 4130 struct netlbl_lsm_secattr secattr; 4131 struct socket_smack *ssp = NULL; 4132 struct smack_known *skp; 4133 int family = PF_UNSPEC; 4134 u32 s = 0; /* 0 is the invalid secid */ 4135 int rc; 4136 4137 if (skb != NULL) { 4138 if (skb->protocol == htons(ETH_P_IP)) 4139 family = PF_INET; 4140 #if IS_ENABLED(CONFIG_IPV6) 4141 else if (skb->protocol == htons(ETH_P_IPV6)) 4142 family = PF_INET6; 4143 #endif /* CONFIG_IPV6 */ 4144 } 4145 if (family == PF_UNSPEC && sock != NULL) 4146 family = sock->sk->sk_family; 4147 4148 switch (family) { 4149 case PF_UNIX: 4150 ssp = sock->sk->sk_security; 4151 s = ssp->smk_out->smk_secid; 4152 break; 4153 case PF_INET: 4154 #ifdef CONFIG_SECURITY_SMACK_NETFILTER 4155 s = skb->secmark; 4156 if (s != 0) 4157 break; 4158 #endif 4159 /* 4160 * Translate what netlabel gave us. 4161 */ 4162 if (sock != NULL && sock->sk != NULL) 4163 ssp = sock->sk->sk_security; 4164 netlbl_secattr_init(&secattr); 4165 rc = netlbl_skbuff_getattr(skb, family, &secattr); 4166 if (rc == 0) { 4167 skp = smack_from_secattr(&secattr, ssp); 4168 s = skp->smk_secid; 4169 } 4170 netlbl_secattr_destroy(&secattr); 4171 break; 4172 case PF_INET6: 4173 #ifdef SMACK_IPV6_SECMARK_LABELING 4174 s = skb->secmark; 4175 #endif 4176 break; 4177 } 4178 *secid = s; 4179 if (s == 0) 4180 return -EINVAL; 4181 return 0; 4182 } 4183 4184 /** 4185 * smack_sock_graft - Initialize a newly created socket with an existing sock 4186 * @sk: child sock 4187 * @parent: parent socket 4188 * 4189 * Set the smk_{in,out} state of an existing sock based on the process that 4190 * is creating the new socket. 4191 */ 4192 static void smack_sock_graft(struct sock *sk, struct socket *parent) 4193 { 4194 struct socket_smack *ssp; 4195 struct smack_known *skp = smk_of_current(); 4196 4197 if (sk == NULL || 4198 (sk->sk_family != PF_INET && sk->sk_family != PF_INET6)) 4199 return; 4200 4201 ssp = sk->sk_security; 4202 ssp->smk_in = skp; 4203 ssp->smk_out = skp; 4204 /* cssp->smk_packet is already set in smack_inet_csk_clone() */ 4205 } 4206 4207 /** 4208 * smack_inet_conn_request - Smack access check on connect 4209 * @sk: socket involved 4210 * @skb: packet 4211 * @req: unused 4212 * 4213 * Returns 0 if a task with the packet label could write to 4214 * the socket, otherwise an error code 4215 */ 4216 static int smack_inet_conn_request(struct sock *sk, struct sk_buff *skb, 4217 struct request_sock *req) 4218 { 4219 u16 family = sk->sk_family; 4220 struct smack_known *skp; 4221 struct socket_smack *ssp = sk->sk_security; 4222 struct netlbl_lsm_secattr secattr; 4223 struct sockaddr_in addr; 4224 struct iphdr *hdr; 4225 struct smack_known *hskp; 4226 int rc; 4227 struct smk_audit_info ad; 4228 #ifdef CONFIG_AUDIT 4229 struct lsm_network_audit net; 4230 #endif 4231 4232 #if IS_ENABLED(CONFIG_IPV6) 4233 if (family == PF_INET6) { 4234 /* 4235 * Handle mapped IPv4 packets arriving 4236 * via IPv6 sockets. Don't set up netlabel 4237 * processing on IPv6. 4238 */ 4239 if (skb->protocol == htons(ETH_P_IP)) 4240 family = PF_INET; 4241 else 4242 return 0; 4243 } 4244 #endif /* CONFIG_IPV6 */ 4245 4246 #ifdef CONFIG_SECURITY_SMACK_NETFILTER 4247 /* 4248 * If there is a secmark use it rather than the CIPSO label. 4249 * If there is no secmark fall back to CIPSO. 4250 * The secmark is assumed to reflect policy better. 4251 */ 4252 if (skb && skb->secmark != 0) { 4253 skp = smack_from_secid(skb->secmark); 4254 goto access_check; 4255 } 4256 #endif /* CONFIG_SECURITY_SMACK_NETFILTER */ 4257 4258 netlbl_secattr_init(&secattr); 4259 rc = netlbl_skbuff_getattr(skb, family, &secattr); 4260 if (rc == 0) 4261 skp = smack_from_secattr(&secattr, ssp); 4262 else 4263 skp = &smack_known_huh; 4264 netlbl_secattr_destroy(&secattr); 4265 4266 #ifdef CONFIG_SECURITY_SMACK_NETFILTER 4267 access_check: 4268 #endif 4269 4270 #ifdef CONFIG_AUDIT 4271 smk_ad_init_net(&ad, __func__, LSM_AUDIT_DATA_NET, &net); 4272 ad.a.u.net->family = family; 4273 ad.a.u.net->netif = skb->skb_iif; 4274 ipv4_skb_to_auditdata(skb, &ad.a, NULL); 4275 #endif 4276 /* 4277 * Receiving a packet requires that the other end be able to write 4278 * here. Read access is not required. 4279 */ 4280 rc = smk_access(skp, ssp->smk_in, MAY_WRITE, &ad); 4281 rc = smk_bu_note("IPv4 connect", skp, ssp->smk_in, MAY_WRITE, rc); 4282 if (rc != 0) 4283 return rc; 4284 4285 /* 4286 * Save the peer's label in the request_sock so we can later setup 4287 * smk_packet in the child socket so that SO_PEERCRED can report it. 4288 */ 4289 req->peer_secid = skp->smk_secid; 4290 4291 /* 4292 * We need to decide if we want to label the incoming connection here 4293 * if we do we only need to label the request_sock and the stack will 4294 * propagate the wire-label to the sock when it is created. 4295 */ 4296 hdr = ip_hdr(skb); 4297 addr.sin_addr.s_addr = hdr->saddr; 4298 rcu_read_lock(); 4299 hskp = smack_ipv4host_label(&addr); 4300 rcu_read_unlock(); 4301 4302 if (hskp == NULL) 4303 rc = netlbl_req_setattr(req, &skp->smk_netlabel); 4304 else 4305 netlbl_req_delattr(req); 4306 4307 return rc; 4308 } 4309 4310 /** 4311 * smack_inet_csk_clone - Copy the connection information to the new socket 4312 * @sk: the new socket 4313 * @req: the connection's request_sock 4314 * 4315 * Transfer the connection's peer label to the newly created socket. 4316 */ 4317 static void smack_inet_csk_clone(struct sock *sk, 4318 const struct request_sock *req) 4319 { 4320 struct socket_smack *ssp = sk->sk_security; 4321 struct smack_known *skp; 4322 4323 if (req->peer_secid != 0) { 4324 skp = smack_from_secid(req->peer_secid); 4325 ssp->smk_packet = skp; 4326 } else 4327 ssp->smk_packet = NULL; 4328 } 4329 4330 /* 4331 * Key management security hooks 4332 * 4333 * Casey has not tested key support very heavily. 4334 * The permission check is most likely too restrictive. 4335 * If you care about keys please have a look. 4336 */ 4337 #ifdef CONFIG_KEYS 4338 4339 /** 4340 * smack_key_alloc - Set the key security blob 4341 * @key: object 4342 * @cred: the credentials to use 4343 * @flags: unused 4344 * 4345 * No allocation required 4346 * 4347 * Returns 0 4348 */ 4349 static int smack_key_alloc(struct key *key, const struct cred *cred, 4350 unsigned long flags) 4351 { 4352 struct smack_known *skp = smk_of_task(cred->security); 4353 4354 key->security = skp; 4355 return 0; 4356 } 4357 4358 /** 4359 * smack_key_free - Clear the key security blob 4360 * @key: the object 4361 * 4362 * Clear the blob pointer 4363 */ 4364 static void smack_key_free(struct key *key) 4365 { 4366 key->security = NULL; 4367 } 4368 4369 /** 4370 * smack_key_permission - Smack access on a key 4371 * @key_ref: gets to the object 4372 * @cred: the credentials to use 4373 * @perm: requested key permissions 4374 * 4375 * Return 0 if the task has read and write to the object, 4376 * an error code otherwise 4377 */ 4378 static int smack_key_permission(key_ref_t key_ref, 4379 const struct cred *cred, unsigned perm) 4380 { 4381 struct key *keyp; 4382 struct smk_audit_info ad; 4383 struct smack_known *tkp = smk_of_task(cred->security); 4384 int request = 0; 4385 int rc; 4386 4387 keyp = key_ref_to_ptr(key_ref); 4388 if (keyp == NULL) 4389 return -EINVAL; 4390 /* 4391 * If the key hasn't been initialized give it access so that 4392 * it may do so. 4393 */ 4394 if (keyp->security == NULL) 4395 return 0; 4396 /* 4397 * This should not occur 4398 */ 4399 if (tkp == NULL) 4400 return -EACCES; 4401 #ifdef CONFIG_AUDIT 4402 smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_KEY); 4403 ad.a.u.key_struct.key = keyp->serial; 4404 ad.a.u.key_struct.key_desc = keyp->description; 4405 #endif 4406 if (perm & KEY_NEED_READ) 4407 request = MAY_READ; 4408 if (perm & (KEY_NEED_WRITE | KEY_NEED_LINK | KEY_NEED_SETATTR)) 4409 request = MAY_WRITE; 4410 rc = smk_access(tkp, keyp->security, request, &ad); 4411 rc = smk_bu_note("key access", tkp, keyp->security, request, rc); 4412 return rc; 4413 } 4414 4415 /* 4416 * smack_key_getsecurity - Smack label tagging the key 4417 * @key points to the key to be queried 4418 * @_buffer points to a pointer that should be set to point to the 4419 * resulting string (if no label or an error occurs). 4420 * Return the length of the string (including terminating NUL) or -ve if 4421 * an error. 4422 * May also return 0 (and a NULL buffer pointer) if there is no label. 4423 */ 4424 static int smack_key_getsecurity(struct key *key, char **_buffer) 4425 { 4426 struct smack_known *skp = key->security; 4427 size_t length; 4428 char *copy; 4429 4430 if (key->security == NULL) { 4431 *_buffer = NULL; 4432 return 0; 4433 } 4434 4435 copy = kstrdup(skp->smk_known, GFP_KERNEL); 4436 if (copy == NULL) 4437 return -ENOMEM; 4438 length = strlen(copy) + 1; 4439 4440 *_buffer = copy; 4441 return length; 4442 } 4443 4444 #endif /* CONFIG_KEYS */ 4445 4446 /* 4447 * Smack Audit hooks 4448 * 4449 * Audit requires a unique representation of each Smack specific 4450 * rule. This unique representation is used to distinguish the 4451 * object to be audited from remaining kernel objects and also 4452 * works as a glue between the audit hooks. 4453 * 4454 * Since repository entries are added but never deleted, we'll use 4455 * the smack_known label address related to the given audit rule as 4456 * the needed unique representation. This also better fits the smack 4457 * model where nearly everything is a label. 4458 */ 4459 #ifdef CONFIG_AUDIT 4460 4461 /** 4462 * smack_audit_rule_init - Initialize a smack audit rule 4463 * @field: audit rule fields given from user-space (audit.h) 4464 * @op: required testing operator (=, !=, >, <, ...) 4465 * @rulestr: smack label to be audited 4466 * @vrule: pointer to save our own audit rule representation 4467 * 4468 * Prepare to audit cases where (@field @op @rulestr) is true. 4469 * The label to be audited is created if necessay. 4470 */ 4471 static int smack_audit_rule_init(u32 field, u32 op, char *rulestr, void **vrule) 4472 { 4473 struct smack_known *skp; 4474 char **rule = (char **)vrule; 4475 *rule = NULL; 4476 4477 if (field != AUDIT_SUBJ_USER && field != AUDIT_OBJ_USER) 4478 return -EINVAL; 4479 4480 if (op != Audit_equal && op != Audit_not_equal) 4481 return -EINVAL; 4482 4483 skp = smk_import_entry(rulestr, 0); 4484 if (IS_ERR(skp)) 4485 return PTR_ERR(skp); 4486 4487 *rule = skp->smk_known; 4488 4489 return 0; 4490 } 4491 4492 /** 4493 * smack_audit_rule_known - Distinguish Smack audit rules 4494 * @krule: rule of interest, in Audit kernel representation format 4495 * 4496 * This is used to filter Smack rules from remaining Audit ones. 4497 * If it's proved that this rule belongs to us, the 4498 * audit_rule_match hook will be called to do the final judgement. 4499 */ 4500 static int smack_audit_rule_known(struct audit_krule *krule) 4501 { 4502 struct audit_field *f; 4503 int i; 4504 4505 for (i = 0; i < krule->field_count; i++) { 4506 f = &krule->fields[i]; 4507 4508 if (f->type == AUDIT_SUBJ_USER || f->type == AUDIT_OBJ_USER) 4509 return 1; 4510 } 4511 4512 return 0; 4513 } 4514 4515 /** 4516 * smack_audit_rule_match - Audit given object ? 4517 * @secid: security id for identifying the object to test 4518 * @field: audit rule flags given from user-space 4519 * @op: required testing operator 4520 * @vrule: smack internal rule presentation 4521 * @actx: audit context associated with the check 4522 * 4523 * The core Audit hook. It's used to take the decision of 4524 * whether to audit or not to audit a given object. 4525 */ 4526 static int smack_audit_rule_match(u32 secid, u32 field, u32 op, void *vrule, 4527 struct audit_context *actx) 4528 { 4529 struct smack_known *skp; 4530 char *rule = vrule; 4531 4532 if (unlikely(!rule)) { 4533 WARN_ONCE(1, "Smack: missing rule\n"); 4534 return -ENOENT; 4535 } 4536 4537 if (field != AUDIT_SUBJ_USER && field != AUDIT_OBJ_USER) 4538 return 0; 4539 4540 skp = smack_from_secid(secid); 4541 4542 /* 4543 * No need to do string comparisons. If a match occurs, 4544 * both pointers will point to the same smack_known 4545 * label. 4546 */ 4547 if (op == Audit_equal) 4548 return (rule == skp->smk_known); 4549 if (op == Audit_not_equal) 4550 return (rule != skp->smk_known); 4551 4552 return 0; 4553 } 4554 4555 /* 4556 * There is no need for a smack_audit_rule_free hook. 4557 * No memory was allocated. 4558 */ 4559 4560 #endif /* CONFIG_AUDIT */ 4561 4562 /** 4563 * smack_ismaclabel - check if xattr @name references a smack MAC label 4564 * @name: Full xattr name to check. 4565 */ 4566 static int smack_ismaclabel(const char *name) 4567 { 4568 return (strcmp(name, XATTR_SMACK_SUFFIX) == 0); 4569 } 4570 4571 4572 /** 4573 * smack_secid_to_secctx - return the smack label for a secid 4574 * @secid: incoming integer 4575 * @secdata: destination 4576 * @seclen: how long it is 4577 * 4578 * Exists for networking code. 4579 */ 4580 static int smack_secid_to_secctx(u32 secid, char **secdata, u32 *seclen) 4581 { 4582 struct smack_known *skp = smack_from_secid(secid); 4583 4584 if (secdata) 4585 *secdata = skp->smk_known; 4586 *seclen = strlen(skp->smk_known); 4587 return 0; 4588 } 4589 4590 /** 4591 * smack_secctx_to_secid - return the secid for a smack label 4592 * @secdata: smack label 4593 * @seclen: how long result is 4594 * @secid: outgoing integer 4595 * 4596 * Exists for audit and networking code. 4597 */ 4598 static int smack_secctx_to_secid(const char *secdata, u32 seclen, u32 *secid) 4599 { 4600 struct smack_known *skp = smk_find_entry(secdata); 4601 4602 if (skp) 4603 *secid = skp->smk_secid; 4604 else 4605 *secid = 0; 4606 return 0; 4607 } 4608 4609 /* 4610 * There used to be a smack_release_secctx hook 4611 * that did nothing back when hooks were in a vector. 4612 * Now that there's a list such a hook adds cost. 4613 */ 4614 4615 static int smack_inode_notifysecctx(struct inode *inode, void *ctx, u32 ctxlen) 4616 { 4617 return smack_inode_setsecurity(inode, XATTR_SMACK_SUFFIX, ctx, ctxlen, 0); 4618 } 4619 4620 static int smack_inode_setsecctx(struct dentry *dentry, void *ctx, u32 ctxlen) 4621 { 4622 return __vfs_setxattr_noperm(dentry, XATTR_NAME_SMACK, ctx, ctxlen, 0); 4623 } 4624 4625 static int smack_inode_getsecctx(struct inode *inode, void **ctx, u32 *ctxlen) 4626 { 4627 int len = 0; 4628 len = smack_inode_getsecurity(inode, XATTR_SMACK_SUFFIX, ctx, true); 4629 4630 if (len < 0) 4631 return len; 4632 *ctxlen = len; 4633 return 0; 4634 } 4635 4636 static struct security_hook_list smack_hooks[] = { 4637 LSM_HOOK_INIT(ptrace_access_check, smack_ptrace_access_check), 4638 LSM_HOOK_INIT(ptrace_traceme, smack_ptrace_traceme), 4639 LSM_HOOK_INIT(syslog, smack_syslog), 4640 4641 LSM_HOOK_INIT(sb_alloc_security, smack_sb_alloc_security), 4642 LSM_HOOK_INIT(sb_free_security, smack_sb_free_security), 4643 LSM_HOOK_INIT(sb_copy_data, smack_sb_copy_data), 4644 LSM_HOOK_INIT(sb_kern_mount, smack_sb_kern_mount), 4645 LSM_HOOK_INIT(sb_statfs, smack_sb_statfs), 4646 LSM_HOOK_INIT(sb_set_mnt_opts, smack_set_mnt_opts), 4647 LSM_HOOK_INIT(sb_parse_opts_str, smack_parse_opts_str), 4648 4649 LSM_HOOK_INIT(bprm_set_creds, smack_bprm_set_creds), 4650 LSM_HOOK_INIT(bprm_committing_creds, smack_bprm_committing_creds), 4651 LSM_HOOK_INIT(bprm_secureexec, smack_bprm_secureexec), 4652 4653 LSM_HOOK_INIT(inode_alloc_security, smack_inode_alloc_security), 4654 LSM_HOOK_INIT(inode_free_security, smack_inode_free_security), 4655 LSM_HOOK_INIT(inode_init_security, smack_inode_init_security), 4656 LSM_HOOK_INIT(inode_link, smack_inode_link), 4657 LSM_HOOK_INIT(inode_unlink, smack_inode_unlink), 4658 LSM_HOOK_INIT(inode_rmdir, smack_inode_rmdir), 4659 LSM_HOOK_INIT(inode_rename, smack_inode_rename), 4660 LSM_HOOK_INIT(inode_permission, smack_inode_permission), 4661 LSM_HOOK_INIT(inode_setattr, smack_inode_setattr), 4662 LSM_HOOK_INIT(inode_getattr, smack_inode_getattr), 4663 LSM_HOOK_INIT(inode_setxattr, smack_inode_setxattr), 4664 LSM_HOOK_INIT(inode_post_setxattr, smack_inode_post_setxattr), 4665 LSM_HOOK_INIT(inode_getxattr, smack_inode_getxattr), 4666 LSM_HOOK_INIT(inode_removexattr, smack_inode_removexattr), 4667 LSM_HOOK_INIT(inode_getsecurity, smack_inode_getsecurity), 4668 LSM_HOOK_INIT(inode_setsecurity, smack_inode_setsecurity), 4669 LSM_HOOK_INIT(inode_listsecurity, smack_inode_listsecurity), 4670 LSM_HOOK_INIT(inode_getsecid, smack_inode_getsecid), 4671 4672 LSM_HOOK_INIT(file_alloc_security, smack_file_alloc_security), 4673 LSM_HOOK_INIT(file_free_security, smack_file_free_security), 4674 LSM_HOOK_INIT(file_ioctl, smack_file_ioctl), 4675 LSM_HOOK_INIT(file_lock, smack_file_lock), 4676 LSM_HOOK_INIT(file_fcntl, smack_file_fcntl), 4677 LSM_HOOK_INIT(mmap_file, smack_mmap_file), 4678 LSM_HOOK_INIT(mmap_addr, cap_mmap_addr), 4679 LSM_HOOK_INIT(file_set_fowner, smack_file_set_fowner), 4680 LSM_HOOK_INIT(file_send_sigiotask, smack_file_send_sigiotask), 4681 LSM_HOOK_INIT(file_receive, smack_file_receive), 4682 4683 LSM_HOOK_INIT(file_open, smack_file_open), 4684 4685 LSM_HOOK_INIT(cred_alloc_blank, smack_cred_alloc_blank), 4686 LSM_HOOK_INIT(cred_free, smack_cred_free), 4687 LSM_HOOK_INIT(cred_prepare, smack_cred_prepare), 4688 LSM_HOOK_INIT(cred_transfer, smack_cred_transfer), 4689 LSM_HOOK_INIT(kernel_act_as, smack_kernel_act_as), 4690 LSM_HOOK_INIT(kernel_create_files_as, smack_kernel_create_files_as), 4691 LSM_HOOK_INIT(task_setpgid, smack_task_setpgid), 4692 LSM_HOOK_INIT(task_getpgid, smack_task_getpgid), 4693 LSM_HOOK_INIT(task_getsid, smack_task_getsid), 4694 LSM_HOOK_INIT(task_getsecid, smack_task_getsecid), 4695 LSM_HOOK_INIT(task_setnice, smack_task_setnice), 4696 LSM_HOOK_INIT(task_setioprio, smack_task_setioprio), 4697 LSM_HOOK_INIT(task_getioprio, smack_task_getioprio), 4698 LSM_HOOK_INIT(task_setscheduler, smack_task_setscheduler), 4699 LSM_HOOK_INIT(task_getscheduler, smack_task_getscheduler), 4700 LSM_HOOK_INIT(task_movememory, smack_task_movememory), 4701 LSM_HOOK_INIT(task_kill, smack_task_kill), 4702 LSM_HOOK_INIT(task_to_inode, smack_task_to_inode), 4703 4704 LSM_HOOK_INIT(ipc_permission, smack_ipc_permission), 4705 LSM_HOOK_INIT(ipc_getsecid, smack_ipc_getsecid), 4706 4707 LSM_HOOK_INIT(msg_msg_alloc_security, smack_msg_msg_alloc_security), 4708 LSM_HOOK_INIT(msg_msg_free_security, smack_msg_msg_free_security), 4709 4710 LSM_HOOK_INIT(msg_queue_alloc_security, smack_msg_queue_alloc_security), 4711 LSM_HOOK_INIT(msg_queue_free_security, smack_msg_queue_free_security), 4712 LSM_HOOK_INIT(msg_queue_associate, smack_msg_queue_associate), 4713 LSM_HOOK_INIT(msg_queue_msgctl, smack_msg_queue_msgctl), 4714 LSM_HOOK_INIT(msg_queue_msgsnd, smack_msg_queue_msgsnd), 4715 LSM_HOOK_INIT(msg_queue_msgrcv, smack_msg_queue_msgrcv), 4716 4717 LSM_HOOK_INIT(shm_alloc_security, smack_shm_alloc_security), 4718 LSM_HOOK_INIT(shm_free_security, smack_shm_free_security), 4719 LSM_HOOK_INIT(shm_associate, smack_shm_associate), 4720 LSM_HOOK_INIT(shm_shmctl, smack_shm_shmctl), 4721 LSM_HOOK_INIT(shm_shmat, smack_shm_shmat), 4722 4723 LSM_HOOK_INIT(sem_alloc_security, smack_sem_alloc_security), 4724 LSM_HOOK_INIT(sem_free_security, smack_sem_free_security), 4725 LSM_HOOK_INIT(sem_associate, smack_sem_associate), 4726 LSM_HOOK_INIT(sem_semctl, smack_sem_semctl), 4727 LSM_HOOK_INIT(sem_semop, smack_sem_semop), 4728 4729 LSM_HOOK_INIT(d_instantiate, smack_d_instantiate), 4730 4731 LSM_HOOK_INIT(getprocattr, smack_getprocattr), 4732 LSM_HOOK_INIT(setprocattr, smack_setprocattr), 4733 4734 LSM_HOOK_INIT(unix_stream_connect, smack_unix_stream_connect), 4735 LSM_HOOK_INIT(unix_may_send, smack_unix_may_send), 4736 4737 LSM_HOOK_INIT(socket_post_create, smack_socket_post_create), 4738 #ifdef SMACK_IPV6_PORT_LABELING 4739 LSM_HOOK_INIT(socket_bind, smack_socket_bind), 4740 #endif 4741 LSM_HOOK_INIT(socket_connect, smack_socket_connect), 4742 LSM_HOOK_INIT(socket_sendmsg, smack_socket_sendmsg), 4743 LSM_HOOK_INIT(socket_sock_rcv_skb, smack_socket_sock_rcv_skb), 4744 LSM_HOOK_INIT(socket_getpeersec_stream, smack_socket_getpeersec_stream), 4745 LSM_HOOK_INIT(socket_getpeersec_dgram, smack_socket_getpeersec_dgram), 4746 LSM_HOOK_INIT(sk_alloc_security, smack_sk_alloc_security), 4747 LSM_HOOK_INIT(sk_free_security, smack_sk_free_security), 4748 LSM_HOOK_INIT(sock_graft, smack_sock_graft), 4749 LSM_HOOK_INIT(inet_conn_request, smack_inet_conn_request), 4750 LSM_HOOK_INIT(inet_csk_clone, smack_inet_csk_clone), 4751 4752 /* key management security hooks */ 4753 #ifdef CONFIG_KEYS 4754 LSM_HOOK_INIT(key_alloc, smack_key_alloc), 4755 LSM_HOOK_INIT(key_free, smack_key_free), 4756 LSM_HOOK_INIT(key_permission, smack_key_permission), 4757 LSM_HOOK_INIT(key_getsecurity, smack_key_getsecurity), 4758 #endif /* CONFIG_KEYS */ 4759 4760 /* Audit hooks */ 4761 #ifdef CONFIG_AUDIT 4762 LSM_HOOK_INIT(audit_rule_init, smack_audit_rule_init), 4763 LSM_HOOK_INIT(audit_rule_known, smack_audit_rule_known), 4764 LSM_HOOK_INIT(audit_rule_match, smack_audit_rule_match), 4765 #endif /* CONFIG_AUDIT */ 4766 4767 LSM_HOOK_INIT(ismaclabel, smack_ismaclabel), 4768 LSM_HOOK_INIT(secid_to_secctx, smack_secid_to_secctx), 4769 LSM_HOOK_INIT(secctx_to_secid, smack_secctx_to_secid), 4770 LSM_HOOK_INIT(inode_notifysecctx, smack_inode_notifysecctx), 4771 LSM_HOOK_INIT(inode_setsecctx, smack_inode_setsecctx), 4772 LSM_HOOK_INIT(inode_getsecctx, smack_inode_getsecctx), 4773 }; 4774 4775 4776 static __init void init_smack_known_list(void) 4777 { 4778 /* 4779 * Initialize rule list locks 4780 */ 4781 mutex_init(&smack_known_huh.smk_rules_lock); 4782 mutex_init(&smack_known_hat.smk_rules_lock); 4783 mutex_init(&smack_known_floor.smk_rules_lock); 4784 mutex_init(&smack_known_star.smk_rules_lock); 4785 mutex_init(&smack_known_web.smk_rules_lock); 4786 /* 4787 * Initialize rule lists 4788 */ 4789 INIT_LIST_HEAD(&smack_known_huh.smk_rules); 4790 INIT_LIST_HEAD(&smack_known_hat.smk_rules); 4791 INIT_LIST_HEAD(&smack_known_star.smk_rules); 4792 INIT_LIST_HEAD(&smack_known_floor.smk_rules); 4793 INIT_LIST_HEAD(&smack_known_web.smk_rules); 4794 /* 4795 * Create the known labels list 4796 */ 4797 smk_insert_entry(&smack_known_huh); 4798 smk_insert_entry(&smack_known_hat); 4799 smk_insert_entry(&smack_known_star); 4800 smk_insert_entry(&smack_known_floor); 4801 smk_insert_entry(&smack_known_web); 4802 } 4803 4804 /** 4805 * smack_init - initialize the smack system 4806 * 4807 * Returns 0 4808 */ 4809 static __init int smack_init(void) 4810 { 4811 struct cred *cred; 4812 struct task_smack *tsp; 4813 4814 if (!security_module_enable("smack")) 4815 return 0; 4816 4817 smack_inode_cache = KMEM_CACHE(inode_smack, 0); 4818 if (!smack_inode_cache) 4819 return -ENOMEM; 4820 4821 tsp = new_task_smack(&smack_known_floor, &smack_known_floor, 4822 GFP_KERNEL); 4823 if (tsp == NULL) { 4824 kmem_cache_destroy(smack_inode_cache); 4825 return -ENOMEM; 4826 } 4827 4828 smack_enabled = 1; 4829 4830 pr_info("Smack: Initializing.\n"); 4831 #ifdef CONFIG_SECURITY_SMACK_NETFILTER 4832 pr_info("Smack: Netfilter enabled.\n"); 4833 #endif 4834 #ifdef SMACK_IPV6_PORT_LABELING 4835 pr_info("Smack: IPv6 port labeling enabled.\n"); 4836 #endif 4837 #ifdef SMACK_IPV6_SECMARK_LABELING 4838 pr_info("Smack: IPv6 Netfilter enabled.\n"); 4839 #endif 4840 4841 /* 4842 * Set the security state for the initial task. 4843 */ 4844 cred = (struct cred *) current->cred; 4845 cred->security = tsp; 4846 4847 /* initialize the smack_known_list */ 4848 init_smack_known_list(); 4849 4850 /* 4851 * Register with LSM 4852 */ 4853 security_add_hooks(smack_hooks, ARRAY_SIZE(smack_hooks), "smack"); 4854 4855 return 0; 4856 } 4857 4858 /* 4859 * Smack requires early initialization in order to label 4860 * all processes and objects when they are created. 4861 */ 4862 security_initcall(smack_init); 4863