1 /* 2 * Simplified MAC Kernel (smack) security module 3 * 4 * This file contains the smack hook function implementations. 5 * 6 * Authors: 7 * Casey Schaufler <casey@schaufler-ca.com> 8 * Jarkko Sakkinen <jarkko.sakkinen@intel.com> 9 * 10 * Copyright (C) 2007 Casey Schaufler <casey@schaufler-ca.com> 11 * Copyright (C) 2009 Hewlett-Packard Development Company, L.P. 12 * Paul Moore <paul@paul-moore.com> 13 * Copyright (C) 2010 Nokia Corporation 14 * Copyright (C) 2011 Intel Corporation. 15 * 16 * This program is free software; you can redistribute it and/or modify 17 * it under the terms of the GNU General Public License version 2, 18 * as published by the Free Software Foundation. 19 */ 20 21 #include <linux/xattr.h> 22 #include <linux/pagemap.h> 23 #include <linux/mount.h> 24 #include <linux/stat.h> 25 #include <linux/kd.h> 26 #include <asm/ioctls.h> 27 #include <linux/ip.h> 28 #include <linux/tcp.h> 29 #include <linux/udp.h> 30 #include <linux/dccp.h> 31 #include <linux/slab.h> 32 #include <linux/mutex.h> 33 #include <linux/pipe_fs_i.h> 34 #include <net/cipso_ipv4.h> 35 #include <net/ip.h> 36 #include <net/ipv6.h> 37 #include <linux/audit.h> 38 #include <linux/magic.h> 39 #include <linux/dcache.h> 40 #include <linux/personality.h> 41 #include <linux/msg.h> 42 #include <linux/shm.h> 43 #include <linux/binfmts.h> 44 #include <linux/parser.h> 45 #include "smack.h" 46 47 #define TRANS_TRUE "TRUE" 48 #define TRANS_TRUE_SIZE 4 49 50 #define SMK_CONNECTING 0 51 #define SMK_RECEIVING 1 52 #define SMK_SENDING 2 53 54 #ifdef SMACK_IPV6_PORT_LABELING 55 static LIST_HEAD(smk_ipv6_port_list); 56 #endif 57 static struct kmem_cache *smack_inode_cache; 58 int smack_enabled; 59 60 static const match_table_t smk_mount_tokens = { 61 {Opt_fsdefault, SMK_FSDEFAULT "%s"}, 62 {Opt_fsfloor, SMK_FSFLOOR "%s"}, 63 {Opt_fshat, SMK_FSHAT "%s"}, 64 {Opt_fsroot, SMK_FSROOT "%s"}, 65 {Opt_fstransmute, SMK_FSTRANS "%s"}, 66 {Opt_error, NULL}, 67 }; 68 69 #ifdef CONFIG_SECURITY_SMACK_BRINGUP 70 static char *smk_bu_mess[] = { 71 "Bringup Error", /* Unused */ 72 "Bringup", /* SMACK_BRINGUP_ALLOW */ 73 "Unconfined Subject", /* SMACK_UNCONFINED_SUBJECT */ 74 "Unconfined Object", /* SMACK_UNCONFINED_OBJECT */ 75 }; 76 77 static void smk_bu_mode(int mode, char *s) 78 { 79 int i = 0; 80 81 if (mode & MAY_READ) 82 s[i++] = 'r'; 83 if (mode & MAY_WRITE) 84 s[i++] = 'w'; 85 if (mode & MAY_EXEC) 86 s[i++] = 'x'; 87 if (mode & MAY_APPEND) 88 s[i++] = 'a'; 89 if (mode & MAY_TRANSMUTE) 90 s[i++] = 't'; 91 if (mode & MAY_LOCK) 92 s[i++] = 'l'; 93 if (i == 0) 94 s[i++] = '-'; 95 s[i] = '\0'; 96 } 97 #endif 98 99 #ifdef CONFIG_SECURITY_SMACK_BRINGUP 100 static int smk_bu_note(char *note, struct smack_known *sskp, 101 struct smack_known *oskp, int mode, int rc) 102 { 103 char acc[SMK_NUM_ACCESS_TYPE + 1]; 104 105 if (rc <= 0) 106 return rc; 107 if (rc > SMACK_UNCONFINED_OBJECT) 108 rc = 0; 109 110 smk_bu_mode(mode, acc); 111 pr_info("Smack %s: (%s %s %s) %s\n", smk_bu_mess[rc], 112 sskp->smk_known, oskp->smk_known, acc, note); 113 return 0; 114 } 115 #else 116 #define smk_bu_note(note, sskp, oskp, mode, RC) (RC) 117 #endif 118 119 #ifdef CONFIG_SECURITY_SMACK_BRINGUP 120 static int smk_bu_current(char *note, struct smack_known *oskp, 121 int mode, int rc) 122 { 123 struct task_smack *tsp = current_security(); 124 char acc[SMK_NUM_ACCESS_TYPE + 1]; 125 126 if (rc <= 0) 127 return rc; 128 if (rc > SMACK_UNCONFINED_OBJECT) 129 rc = 0; 130 131 smk_bu_mode(mode, acc); 132 pr_info("Smack %s: (%s %s %s) %s %s\n", smk_bu_mess[rc], 133 tsp->smk_task->smk_known, oskp->smk_known, 134 acc, current->comm, note); 135 return 0; 136 } 137 #else 138 #define smk_bu_current(note, oskp, mode, RC) (RC) 139 #endif 140 141 #ifdef CONFIG_SECURITY_SMACK_BRINGUP 142 static int smk_bu_task(struct task_struct *otp, int mode, int rc) 143 { 144 struct task_smack *tsp = current_security(); 145 struct smack_known *smk_task = smk_of_task_struct(otp); 146 char acc[SMK_NUM_ACCESS_TYPE + 1]; 147 148 if (rc <= 0) 149 return rc; 150 if (rc > SMACK_UNCONFINED_OBJECT) 151 rc = 0; 152 153 smk_bu_mode(mode, acc); 154 pr_info("Smack %s: (%s %s %s) %s to %s\n", smk_bu_mess[rc], 155 tsp->smk_task->smk_known, smk_task->smk_known, acc, 156 current->comm, otp->comm); 157 return 0; 158 } 159 #else 160 #define smk_bu_task(otp, mode, RC) (RC) 161 #endif 162 163 #ifdef CONFIG_SECURITY_SMACK_BRINGUP 164 static int smk_bu_inode(struct inode *inode, int mode, int rc) 165 { 166 struct task_smack *tsp = current_security(); 167 struct inode_smack *isp = inode->i_security; 168 char acc[SMK_NUM_ACCESS_TYPE + 1]; 169 170 if (isp->smk_flags & SMK_INODE_IMPURE) 171 pr_info("Smack Unconfined Corruption: inode=(%s %ld) %s\n", 172 inode->i_sb->s_id, inode->i_ino, current->comm); 173 174 if (rc <= 0) 175 return rc; 176 if (rc > SMACK_UNCONFINED_OBJECT) 177 rc = 0; 178 if (rc == SMACK_UNCONFINED_SUBJECT && 179 (mode & (MAY_WRITE | MAY_APPEND))) 180 isp->smk_flags |= SMK_INODE_IMPURE; 181 182 smk_bu_mode(mode, acc); 183 184 pr_info("Smack %s: (%s %s %s) inode=(%s %ld) %s\n", smk_bu_mess[rc], 185 tsp->smk_task->smk_known, isp->smk_inode->smk_known, acc, 186 inode->i_sb->s_id, inode->i_ino, current->comm); 187 return 0; 188 } 189 #else 190 #define smk_bu_inode(inode, mode, RC) (RC) 191 #endif 192 193 #ifdef CONFIG_SECURITY_SMACK_BRINGUP 194 static int smk_bu_file(struct file *file, int mode, int rc) 195 { 196 struct task_smack *tsp = current_security(); 197 struct smack_known *sskp = tsp->smk_task; 198 struct inode *inode = file_inode(file); 199 struct inode_smack *isp = inode->i_security; 200 char acc[SMK_NUM_ACCESS_TYPE + 1]; 201 202 if (isp->smk_flags & SMK_INODE_IMPURE) 203 pr_info("Smack Unconfined Corruption: inode=(%s %ld) %s\n", 204 inode->i_sb->s_id, inode->i_ino, current->comm); 205 206 if (rc <= 0) 207 return rc; 208 if (rc > SMACK_UNCONFINED_OBJECT) 209 rc = 0; 210 211 smk_bu_mode(mode, acc); 212 pr_info("Smack %s: (%s %s %s) file=(%s %ld %pD) %s\n", smk_bu_mess[rc], 213 sskp->smk_known, smk_of_inode(inode)->smk_known, acc, 214 inode->i_sb->s_id, inode->i_ino, file, 215 current->comm); 216 return 0; 217 } 218 #else 219 #define smk_bu_file(file, mode, RC) (RC) 220 #endif 221 222 #ifdef CONFIG_SECURITY_SMACK_BRINGUP 223 static int smk_bu_credfile(const struct cred *cred, struct file *file, 224 int mode, int rc) 225 { 226 struct task_smack *tsp = cred->security; 227 struct smack_known *sskp = tsp->smk_task; 228 struct inode *inode = file->f_inode; 229 struct inode_smack *isp = inode->i_security; 230 char acc[SMK_NUM_ACCESS_TYPE + 1]; 231 232 if (isp->smk_flags & SMK_INODE_IMPURE) 233 pr_info("Smack Unconfined Corruption: inode=(%s %ld) %s\n", 234 inode->i_sb->s_id, inode->i_ino, current->comm); 235 236 if (rc <= 0) 237 return rc; 238 if (rc > SMACK_UNCONFINED_OBJECT) 239 rc = 0; 240 241 smk_bu_mode(mode, acc); 242 pr_info("Smack %s: (%s %s %s) file=(%s %ld %pD) %s\n", smk_bu_mess[rc], 243 sskp->smk_known, smk_of_inode(inode)->smk_known, acc, 244 inode->i_sb->s_id, inode->i_ino, file, 245 current->comm); 246 return 0; 247 } 248 #else 249 #define smk_bu_credfile(cred, file, mode, RC) (RC) 250 #endif 251 252 /** 253 * smk_fetch - Fetch the smack label from a file. 254 * @name: type of the label (attribute) 255 * @ip: a pointer to the inode 256 * @dp: a pointer to the dentry 257 * 258 * Returns a pointer to the master list entry for the Smack label, 259 * NULL if there was no label to fetch, or an error code. 260 */ 261 static struct smack_known *smk_fetch(const char *name, struct inode *ip, 262 struct dentry *dp) 263 { 264 int rc; 265 char *buffer; 266 struct smack_known *skp = NULL; 267 268 if (ip->i_op->getxattr == NULL) 269 return ERR_PTR(-EOPNOTSUPP); 270 271 buffer = kzalloc(SMK_LONGLABEL, GFP_KERNEL); 272 if (buffer == NULL) 273 return ERR_PTR(-ENOMEM); 274 275 rc = ip->i_op->getxattr(dp, name, buffer, SMK_LONGLABEL); 276 if (rc < 0) 277 skp = ERR_PTR(rc); 278 else if (rc == 0) 279 skp = NULL; 280 else 281 skp = smk_import_entry(buffer, rc); 282 283 kfree(buffer); 284 285 return skp; 286 } 287 288 /** 289 * new_inode_smack - allocate an inode security blob 290 * @skp: a pointer to the Smack label entry to use in the blob 291 * 292 * Returns the new blob or NULL if there's no memory available 293 */ 294 static struct inode_smack *new_inode_smack(struct smack_known *skp) 295 { 296 struct inode_smack *isp; 297 298 isp = kmem_cache_zalloc(smack_inode_cache, GFP_NOFS); 299 if (isp == NULL) 300 return NULL; 301 302 isp->smk_inode = skp; 303 isp->smk_flags = 0; 304 mutex_init(&isp->smk_lock); 305 306 return isp; 307 } 308 309 /** 310 * new_task_smack - allocate a task security blob 311 * @task: a pointer to the Smack label for the running task 312 * @forked: a pointer to the Smack label for the forked task 313 * @gfp: type of the memory for the allocation 314 * 315 * Returns the new blob or NULL if there's no memory available 316 */ 317 static struct task_smack *new_task_smack(struct smack_known *task, 318 struct smack_known *forked, gfp_t gfp) 319 { 320 struct task_smack *tsp; 321 322 tsp = kzalloc(sizeof(struct task_smack), gfp); 323 if (tsp == NULL) 324 return NULL; 325 326 tsp->smk_task = task; 327 tsp->smk_forked = forked; 328 INIT_LIST_HEAD(&tsp->smk_rules); 329 INIT_LIST_HEAD(&tsp->smk_relabel); 330 mutex_init(&tsp->smk_rules_lock); 331 332 return tsp; 333 } 334 335 /** 336 * smk_copy_rules - copy a rule set 337 * @nhead: new rules header pointer 338 * @ohead: old rules header pointer 339 * @gfp: type of the memory for the allocation 340 * 341 * Returns 0 on success, -ENOMEM on error 342 */ 343 static int smk_copy_rules(struct list_head *nhead, struct list_head *ohead, 344 gfp_t gfp) 345 { 346 struct smack_rule *nrp; 347 struct smack_rule *orp; 348 int rc = 0; 349 350 INIT_LIST_HEAD(nhead); 351 352 list_for_each_entry_rcu(orp, ohead, list) { 353 nrp = kzalloc(sizeof(struct smack_rule), gfp); 354 if (nrp == NULL) { 355 rc = -ENOMEM; 356 break; 357 } 358 *nrp = *orp; 359 list_add_rcu(&nrp->list, nhead); 360 } 361 return rc; 362 } 363 364 /** 365 * smk_copy_relabel - copy smk_relabel labels list 366 * @nhead: new rules header pointer 367 * @ohead: old rules header pointer 368 * @gfp: type of the memory for the allocation 369 * 370 * Returns 0 on success, -ENOMEM on error 371 */ 372 static int smk_copy_relabel(struct list_head *nhead, struct list_head *ohead, 373 gfp_t gfp) 374 { 375 struct smack_known_list_elem *nklep; 376 struct smack_known_list_elem *oklep; 377 378 INIT_LIST_HEAD(nhead); 379 380 list_for_each_entry(oklep, ohead, list) { 381 nklep = kzalloc(sizeof(struct smack_known_list_elem), gfp); 382 if (nklep == NULL) { 383 smk_destroy_label_list(nhead); 384 return -ENOMEM; 385 } 386 nklep->smk_label = oklep->smk_label; 387 list_add(&nklep->list, nhead); 388 } 389 390 return 0; 391 } 392 393 /** 394 * smk_ptrace_mode - helper function for converting PTRACE_MODE_* into MAY_* 395 * @mode - input mode in form of PTRACE_MODE_* 396 * 397 * Returns a converted MAY_* mode usable by smack rules 398 */ 399 static inline unsigned int smk_ptrace_mode(unsigned int mode) 400 { 401 switch (mode) { 402 case PTRACE_MODE_READ: 403 return MAY_READ; 404 case PTRACE_MODE_ATTACH: 405 return MAY_READWRITE; 406 } 407 408 return 0; 409 } 410 411 /** 412 * smk_ptrace_rule_check - helper for ptrace access 413 * @tracer: tracer process 414 * @tracee_known: label entry of the process that's about to be traced 415 * @mode: ptrace attachment mode (PTRACE_MODE_*) 416 * @func: name of the function that called us, used for audit 417 * 418 * Returns 0 on access granted, -error on error 419 */ 420 static int smk_ptrace_rule_check(struct task_struct *tracer, 421 struct smack_known *tracee_known, 422 unsigned int mode, const char *func) 423 { 424 int rc; 425 struct smk_audit_info ad, *saip = NULL; 426 struct task_smack *tsp; 427 struct smack_known *tracer_known; 428 429 if ((mode & PTRACE_MODE_NOAUDIT) == 0) { 430 smk_ad_init(&ad, func, LSM_AUDIT_DATA_TASK); 431 smk_ad_setfield_u_tsk(&ad, tracer); 432 saip = &ad; 433 } 434 435 rcu_read_lock(); 436 tsp = __task_cred(tracer)->security; 437 tracer_known = smk_of_task(tsp); 438 439 if ((mode & PTRACE_MODE_ATTACH) && 440 (smack_ptrace_rule == SMACK_PTRACE_EXACT || 441 smack_ptrace_rule == SMACK_PTRACE_DRACONIAN)) { 442 if (tracer_known->smk_known == tracee_known->smk_known) 443 rc = 0; 444 else if (smack_ptrace_rule == SMACK_PTRACE_DRACONIAN) 445 rc = -EACCES; 446 else if (capable(CAP_SYS_PTRACE)) 447 rc = 0; 448 else 449 rc = -EACCES; 450 451 if (saip) 452 smack_log(tracer_known->smk_known, 453 tracee_known->smk_known, 454 0, rc, saip); 455 456 rcu_read_unlock(); 457 return rc; 458 } 459 460 /* In case of rule==SMACK_PTRACE_DEFAULT or mode==PTRACE_MODE_READ */ 461 rc = smk_tskacc(tsp, tracee_known, smk_ptrace_mode(mode), saip); 462 463 rcu_read_unlock(); 464 return rc; 465 } 466 467 /* 468 * LSM hooks. 469 * We he, that is fun! 470 */ 471 472 /** 473 * smack_ptrace_access_check - Smack approval on PTRACE_ATTACH 474 * @ctp: child task pointer 475 * @mode: ptrace attachment mode (PTRACE_MODE_*) 476 * 477 * Returns 0 if access is OK, an error code otherwise 478 * 479 * Do the capability checks. 480 */ 481 static int smack_ptrace_access_check(struct task_struct *ctp, unsigned int mode) 482 { 483 struct smack_known *skp; 484 485 skp = smk_of_task_struct(ctp); 486 487 return smk_ptrace_rule_check(current, skp, mode, __func__); 488 } 489 490 /** 491 * smack_ptrace_traceme - Smack approval on PTRACE_TRACEME 492 * @ptp: parent task pointer 493 * 494 * Returns 0 if access is OK, an error code otherwise 495 * 496 * Do the capability checks, and require PTRACE_MODE_ATTACH. 497 */ 498 static int smack_ptrace_traceme(struct task_struct *ptp) 499 { 500 int rc; 501 struct smack_known *skp; 502 503 skp = smk_of_task(current_security()); 504 505 rc = smk_ptrace_rule_check(ptp, skp, PTRACE_MODE_ATTACH, __func__); 506 return rc; 507 } 508 509 /** 510 * smack_syslog - Smack approval on syslog 511 * @type: message type 512 * 513 * Returns 0 on success, error code otherwise. 514 */ 515 static int smack_syslog(int typefrom_file) 516 { 517 int rc = 0; 518 struct smack_known *skp = smk_of_current(); 519 520 if (smack_privileged(CAP_MAC_OVERRIDE)) 521 return 0; 522 523 if (smack_syslog_label != NULL && smack_syslog_label != skp) 524 rc = -EACCES; 525 526 return rc; 527 } 528 529 530 /* 531 * Superblock Hooks. 532 */ 533 534 /** 535 * smack_sb_alloc_security - allocate a superblock blob 536 * @sb: the superblock getting the blob 537 * 538 * Returns 0 on success or -ENOMEM on error. 539 */ 540 static int smack_sb_alloc_security(struct super_block *sb) 541 { 542 struct superblock_smack *sbsp; 543 544 sbsp = kzalloc(sizeof(struct superblock_smack), GFP_KERNEL); 545 546 if (sbsp == NULL) 547 return -ENOMEM; 548 549 sbsp->smk_root = &smack_known_floor; 550 sbsp->smk_default = &smack_known_floor; 551 sbsp->smk_floor = &smack_known_floor; 552 sbsp->smk_hat = &smack_known_hat; 553 /* 554 * smk_initialized will be zero from kzalloc. 555 */ 556 sb->s_security = sbsp; 557 558 return 0; 559 } 560 561 /** 562 * smack_sb_free_security - free a superblock blob 563 * @sb: the superblock getting the blob 564 * 565 */ 566 static void smack_sb_free_security(struct super_block *sb) 567 { 568 kfree(sb->s_security); 569 sb->s_security = NULL; 570 } 571 572 /** 573 * smack_sb_copy_data - copy mount options data for processing 574 * @orig: where to start 575 * @smackopts: mount options string 576 * 577 * Returns 0 on success or -ENOMEM on error. 578 * 579 * Copy the Smack specific mount options out of the mount 580 * options list. 581 */ 582 static int smack_sb_copy_data(char *orig, char *smackopts) 583 { 584 char *cp, *commap, *otheropts, *dp; 585 586 otheropts = (char *)get_zeroed_page(GFP_KERNEL); 587 if (otheropts == NULL) 588 return -ENOMEM; 589 590 for (cp = orig, commap = orig; commap != NULL; cp = commap + 1) { 591 if (strstr(cp, SMK_FSDEFAULT) == cp) 592 dp = smackopts; 593 else if (strstr(cp, SMK_FSFLOOR) == cp) 594 dp = smackopts; 595 else if (strstr(cp, SMK_FSHAT) == cp) 596 dp = smackopts; 597 else if (strstr(cp, SMK_FSROOT) == cp) 598 dp = smackopts; 599 else if (strstr(cp, SMK_FSTRANS) == cp) 600 dp = smackopts; 601 else 602 dp = otheropts; 603 604 commap = strchr(cp, ','); 605 if (commap != NULL) 606 *commap = '\0'; 607 608 if (*dp != '\0') 609 strcat(dp, ","); 610 strcat(dp, cp); 611 } 612 613 strcpy(orig, otheropts); 614 free_page((unsigned long)otheropts); 615 616 return 0; 617 } 618 619 /** 620 * smack_parse_opts_str - parse Smack specific mount options 621 * @options: mount options string 622 * @opts: where to store converted mount opts 623 * 624 * Returns 0 on success or -ENOMEM on error. 625 * 626 * converts Smack specific mount options to generic security option format 627 */ 628 static int smack_parse_opts_str(char *options, 629 struct security_mnt_opts *opts) 630 { 631 char *p; 632 char *fsdefault = NULL; 633 char *fsfloor = NULL; 634 char *fshat = NULL; 635 char *fsroot = NULL; 636 char *fstransmute = NULL; 637 int rc = -ENOMEM; 638 int num_mnt_opts = 0; 639 int token; 640 641 opts->num_mnt_opts = 0; 642 643 if (!options) 644 return 0; 645 646 while ((p = strsep(&options, ",")) != NULL) { 647 substring_t args[MAX_OPT_ARGS]; 648 649 if (!*p) 650 continue; 651 652 token = match_token(p, smk_mount_tokens, args); 653 654 switch (token) { 655 case Opt_fsdefault: 656 if (fsdefault) 657 goto out_opt_err; 658 fsdefault = match_strdup(&args[0]); 659 if (!fsdefault) 660 goto out_err; 661 break; 662 case Opt_fsfloor: 663 if (fsfloor) 664 goto out_opt_err; 665 fsfloor = match_strdup(&args[0]); 666 if (!fsfloor) 667 goto out_err; 668 break; 669 case Opt_fshat: 670 if (fshat) 671 goto out_opt_err; 672 fshat = match_strdup(&args[0]); 673 if (!fshat) 674 goto out_err; 675 break; 676 case Opt_fsroot: 677 if (fsroot) 678 goto out_opt_err; 679 fsroot = match_strdup(&args[0]); 680 if (!fsroot) 681 goto out_err; 682 break; 683 case Opt_fstransmute: 684 if (fstransmute) 685 goto out_opt_err; 686 fstransmute = match_strdup(&args[0]); 687 if (!fstransmute) 688 goto out_err; 689 break; 690 default: 691 rc = -EINVAL; 692 pr_warn("Smack: unknown mount option\n"); 693 goto out_err; 694 } 695 } 696 697 opts->mnt_opts = kcalloc(NUM_SMK_MNT_OPTS, sizeof(char *), GFP_ATOMIC); 698 if (!opts->mnt_opts) 699 goto out_err; 700 701 opts->mnt_opts_flags = kcalloc(NUM_SMK_MNT_OPTS, sizeof(int), 702 GFP_ATOMIC); 703 if (!opts->mnt_opts_flags) { 704 kfree(opts->mnt_opts); 705 goto out_err; 706 } 707 708 if (fsdefault) { 709 opts->mnt_opts[num_mnt_opts] = fsdefault; 710 opts->mnt_opts_flags[num_mnt_opts++] = FSDEFAULT_MNT; 711 } 712 if (fsfloor) { 713 opts->mnt_opts[num_mnt_opts] = fsfloor; 714 opts->mnt_opts_flags[num_mnt_opts++] = FSFLOOR_MNT; 715 } 716 if (fshat) { 717 opts->mnt_opts[num_mnt_opts] = fshat; 718 opts->mnt_opts_flags[num_mnt_opts++] = FSHAT_MNT; 719 } 720 if (fsroot) { 721 opts->mnt_opts[num_mnt_opts] = fsroot; 722 opts->mnt_opts_flags[num_mnt_opts++] = FSROOT_MNT; 723 } 724 if (fstransmute) { 725 opts->mnt_opts[num_mnt_opts] = fstransmute; 726 opts->mnt_opts_flags[num_mnt_opts++] = FSTRANS_MNT; 727 } 728 729 opts->num_mnt_opts = num_mnt_opts; 730 return 0; 731 732 out_opt_err: 733 rc = -EINVAL; 734 pr_warn("Smack: duplicate mount options\n"); 735 736 out_err: 737 kfree(fsdefault); 738 kfree(fsfloor); 739 kfree(fshat); 740 kfree(fsroot); 741 kfree(fstransmute); 742 return rc; 743 } 744 745 /** 746 * smack_set_mnt_opts - set Smack specific mount options 747 * @sb: the file system superblock 748 * @opts: Smack mount options 749 * @kern_flags: mount option from kernel space or user space 750 * @set_kern_flags: where to store converted mount opts 751 * 752 * Returns 0 on success, an error code on failure 753 * 754 * Allow filesystems with binary mount data to explicitly set Smack mount 755 * labels. 756 */ 757 static int smack_set_mnt_opts(struct super_block *sb, 758 struct security_mnt_opts *opts, 759 unsigned long kern_flags, 760 unsigned long *set_kern_flags) 761 { 762 struct dentry *root = sb->s_root; 763 struct inode *inode = d_backing_inode(root); 764 struct superblock_smack *sp = sb->s_security; 765 struct inode_smack *isp; 766 struct smack_known *skp; 767 int i; 768 int num_opts = opts->num_mnt_opts; 769 int transmute = 0; 770 771 if (sp->smk_initialized) 772 return 0; 773 774 sp->smk_initialized = 1; 775 776 for (i = 0; i < num_opts; i++) { 777 switch (opts->mnt_opts_flags[i]) { 778 case FSDEFAULT_MNT: 779 skp = smk_import_entry(opts->mnt_opts[i], 0); 780 if (IS_ERR(skp)) 781 return PTR_ERR(skp); 782 sp->smk_default = skp; 783 break; 784 case FSFLOOR_MNT: 785 skp = smk_import_entry(opts->mnt_opts[i], 0); 786 if (IS_ERR(skp)) 787 return PTR_ERR(skp); 788 sp->smk_floor = skp; 789 break; 790 case FSHAT_MNT: 791 skp = smk_import_entry(opts->mnt_opts[i], 0); 792 if (IS_ERR(skp)) 793 return PTR_ERR(skp); 794 sp->smk_hat = skp; 795 break; 796 case FSROOT_MNT: 797 skp = smk_import_entry(opts->mnt_opts[i], 0); 798 if (IS_ERR(skp)) 799 return PTR_ERR(skp); 800 sp->smk_root = skp; 801 break; 802 case FSTRANS_MNT: 803 skp = smk_import_entry(opts->mnt_opts[i], 0); 804 if (IS_ERR(skp)) 805 return PTR_ERR(skp); 806 sp->smk_root = skp; 807 transmute = 1; 808 break; 809 default: 810 break; 811 } 812 } 813 814 if (!smack_privileged(CAP_MAC_ADMIN)) { 815 /* 816 * Unprivileged mounts don't get to specify Smack values. 817 */ 818 if (num_opts) 819 return -EPERM; 820 /* 821 * Unprivileged mounts get root and default from the caller. 822 */ 823 skp = smk_of_current(); 824 sp->smk_root = skp; 825 sp->smk_default = skp; 826 } 827 828 /* 829 * Initialize the root inode. 830 */ 831 isp = inode->i_security; 832 if (isp == NULL) { 833 isp = new_inode_smack(sp->smk_root); 834 if (isp == NULL) 835 return -ENOMEM; 836 inode->i_security = isp; 837 } else 838 isp->smk_inode = sp->smk_root; 839 840 if (transmute) 841 isp->smk_flags |= SMK_INODE_TRANSMUTE; 842 843 return 0; 844 } 845 846 /** 847 * smack_sb_kern_mount - Smack specific mount processing 848 * @sb: the file system superblock 849 * @flags: the mount flags 850 * @data: the smack mount options 851 * 852 * Returns 0 on success, an error code on failure 853 */ 854 static int smack_sb_kern_mount(struct super_block *sb, int flags, void *data) 855 { 856 int rc = 0; 857 char *options = data; 858 struct security_mnt_opts opts; 859 860 security_init_mnt_opts(&opts); 861 862 if (!options) 863 goto out; 864 865 rc = smack_parse_opts_str(options, &opts); 866 if (rc) 867 goto out_err; 868 869 out: 870 rc = smack_set_mnt_opts(sb, &opts, 0, NULL); 871 872 out_err: 873 security_free_mnt_opts(&opts); 874 return rc; 875 } 876 877 /** 878 * smack_sb_statfs - Smack check on statfs 879 * @dentry: identifies the file system in question 880 * 881 * Returns 0 if current can read the floor of the filesystem, 882 * and error code otherwise 883 */ 884 static int smack_sb_statfs(struct dentry *dentry) 885 { 886 struct superblock_smack *sbp = dentry->d_sb->s_security; 887 int rc; 888 struct smk_audit_info ad; 889 890 smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_DENTRY); 891 smk_ad_setfield_u_fs_path_dentry(&ad, dentry); 892 893 rc = smk_curacc(sbp->smk_floor, MAY_READ, &ad); 894 rc = smk_bu_current("statfs", sbp->smk_floor, MAY_READ, rc); 895 return rc; 896 } 897 898 /* 899 * BPRM hooks 900 */ 901 902 /** 903 * smack_bprm_set_creds - set creds for exec 904 * @bprm: the exec information 905 * 906 * Returns 0 if it gets a blob, -EPERM if exec forbidden and -ENOMEM otherwise 907 */ 908 static int smack_bprm_set_creds(struct linux_binprm *bprm) 909 { 910 struct inode *inode = file_inode(bprm->file); 911 struct task_smack *bsp = bprm->cred->security; 912 struct inode_smack *isp; 913 int rc; 914 915 if (bprm->cred_prepared) 916 return 0; 917 918 isp = inode->i_security; 919 if (isp->smk_task == NULL || isp->smk_task == bsp->smk_task) 920 return 0; 921 922 if (bprm->unsafe & (LSM_UNSAFE_PTRACE | LSM_UNSAFE_PTRACE_CAP)) { 923 struct task_struct *tracer; 924 rc = 0; 925 926 rcu_read_lock(); 927 tracer = ptrace_parent(current); 928 if (likely(tracer != NULL)) 929 rc = smk_ptrace_rule_check(tracer, 930 isp->smk_task, 931 PTRACE_MODE_ATTACH, 932 __func__); 933 rcu_read_unlock(); 934 935 if (rc != 0) 936 return rc; 937 } else if (bprm->unsafe) 938 return -EPERM; 939 940 bsp->smk_task = isp->smk_task; 941 bprm->per_clear |= PER_CLEAR_ON_SETID; 942 943 return 0; 944 } 945 946 /** 947 * smack_bprm_committing_creds - Prepare to install the new credentials 948 * from bprm. 949 * 950 * @bprm: binprm for exec 951 */ 952 static void smack_bprm_committing_creds(struct linux_binprm *bprm) 953 { 954 struct task_smack *bsp = bprm->cred->security; 955 956 if (bsp->smk_task != bsp->smk_forked) 957 current->pdeath_signal = 0; 958 } 959 960 /** 961 * smack_bprm_secureexec - Return the decision to use secureexec. 962 * @bprm: binprm for exec 963 * 964 * Returns 0 on success. 965 */ 966 static int smack_bprm_secureexec(struct linux_binprm *bprm) 967 { 968 struct task_smack *tsp = current_security(); 969 970 if (tsp->smk_task != tsp->smk_forked) 971 return 1; 972 973 return 0; 974 } 975 976 /* 977 * Inode hooks 978 */ 979 980 /** 981 * smack_inode_alloc_security - allocate an inode blob 982 * @inode: the inode in need of a blob 983 * 984 * Returns 0 if it gets a blob, -ENOMEM otherwise 985 */ 986 static int smack_inode_alloc_security(struct inode *inode) 987 { 988 struct smack_known *skp = smk_of_current(); 989 990 inode->i_security = new_inode_smack(skp); 991 if (inode->i_security == NULL) 992 return -ENOMEM; 993 return 0; 994 } 995 996 /** 997 * smack_inode_free_security - free an inode blob 998 * @inode: the inode with a blob 999 * 1000 * Clears the blob pointer in inode 1001 */ 1002 static void smack_inode_free_security(struct inode *inode) 1003 { 1004 kmem_cache_free(smack_inode_cache, inode->i_security); 1005 inode->i_security = NULL; 1006 } 1007 1008 /** 1009 * smack_inode_init_security - copy out the smack from an inode 1010 * @inode: the newly created inode 1011 * @dir: containing directory object 1012 * @qstr: unused 1013 * @name: where to put the attribute name 1014 * @value: where to put the attribute value 1015 * @len: where to put the length of the attribute 1016 * 1017 * Returns 0 if it all works out, -ENOMEM if there's no memory 1018 */ 1019 static int smack_inode_init_security(struct inode *inode, struct inode *dir, 1020 const struct qstr *qstr, const char **name, 1021 void **value, size_t *len) 1022 { 1023 struct inode_smack *issp = inode->i_security; 1024 struct smack_known *skp = smk_of_current(); 1025 struct smack_known *isp = smk_of_inode(inode); 1026 struct smack_known *dsp = smk_of_inode(dir); 1027 int may; 1028 1029 if (name) 1030 *name = XATTR_SMACK_SUFFIX; 1031 1032 if (value && len) { 1033 rcu_read_lock(); 1034 may = smk_access_entry(skp->smk_known, dsp->smk_known, 1035 &skp->smk_rules); 1036 rcu_read_unlock(); 1037 1038 /* 1039 * If the access rule allows transmutation and 1040 * the directory requests transmutation then 1041 * by all means transmute. 1042 * Mark the inode as changed. 1043 */ 1044 if (may > 0 && ((may & MAY_TRANSMUTE) != 0) && 1045 smk_inode_transmutable(dir)) { 1046 isp = dsp; 1047 issp->smk_flags |= SMK_INODE_CHANGED; 1048 } 1049 1050 *value = kstrdup(isp->smk_known, GFP_NOFS); 1051 if (*value == NULL) 1052 return -ENOMEM; 1053 1054 *len = strlen(isp->smk_known); 1055 } 1056 1057 return 0; 1058 } 1059 1060 /** 1061 * smack_inode_link - Smack check on link 1062 * @old_dentry: the existing object 1063 * @dir: unused 1064 * @new_dentry: the new object 1065 * 1066 * Returns 0 if access is permitted, an error code otherwise 1067 */ 1068 static int smack_inode_link(struct dentry *old_dentry, struct inode *dir, 1069 struct dentry *new_dentry) 1070 { 1071 struct smack_known *isp; 1072 struct smk_audit_info ad; 1073 int rc; 1074 1075 smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_DENTRY); 1076 smk_ad_setfield_u_fs_path_dentry(&ad, old_dentry); 1077 1078 isp = smk_of_inode(d_backing_inode(old_dentry)); 1079 rc = smk_curacc(isp, MAY_WRITE, &ad); 1080 rc = smk_bu_inode(d_backing_inode(old_dentry), MAY_WRITE, rc); 1081 1082 if (rc == 0 && d_is_positive(new_dentry)) { 1083 isp = smk_of_inode(d_backing_inode(new_dentry)); 1084 smk_ad_setfield_u_fs_path_dentry(&ad, new_dentry); 1085 rc = smk_curacc(isp, MAY_WRITE, &ad); 1086 rc = smk_bu_inode(d_backing_inode(new_dentry), MAY_WRITE, rc); 1087 } 1088 1089 return rc; 1090 } 1091 1092 /** 1093 * smack_inode_unlink - Smack check on inode deletion 1094 * @dir: containing directory object 1095 * @dentry: file to unlink 1096 * 1097 * Returns 0 if current can write the containing directory 1098 * and the object, error code otherwise 1099 */ 1100 static int smack_inode_unlink(struct inode *dir, struct dentry *dentry) 1101 { 1102 struct inode *ip = d_backing_inode(dentry); 1103 struct smk_audit_info ad; 1104 int rc; 1105 1106 smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_DENTRY); 1107 smk_ad_setfield_u_fs_path_dentry(&ad, dentry); 1108 1109 /* 1110 * You need write access to the thing you're unlinking 1111 */ 1112 rc = smk_curacc(smk_of_inode(ip), MAY_WRITE, &ad); 1113 rc = smk_bu_inode(ip, MAY_WRITE, rc); 1114 if (rc == 0) { 1115 /* 1116 * You also need write access to the containing directory 1117 */ 1118 smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_INODE); 1119 smk_ad_setfield_u_fs_inode(&ad, dir); 1120 rc = smk_curacc(smk_of_inode(dir), MAY_WRITE, &ad); 1121 rc = smk_bu_inode(dir, MAY_WRITE, rc); 1122 } 1123 return rc; 1124 } 1125 1126 /** 1127 * smack_inode_rmdir - Smack check on directory deletion 1128 * @dir: containing directory object 1129 * @dentry: directory to unlink 1130 * 1131 * Returns 0 if current can write the containing directory 1132 * and the directory, error code otherwise 1133 */ 1134 static int smack_inode_rmdir(struct inode *dir, struct dentry *dentry) 1135 { 1136 struct smk_audit_info ad; 1137 int rc; 1138 1139 smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_DENTRY); 1140 smk_ad_setfield_u_fs_path_dentry(&ad, dentry); 1141 1142 /* 1143 * You need write access to the thing you're removing 1144 */ 1145 rc = smk_curacc(smk_of_inode(d_backing_inode(dentry)), MAY_WRITE, &ad); 1146 rc = smk_bu_inode(d_backing_inode(dentry), MAY_WRITE, rc); 1147 if (rc == 0) { 1148 /* 1149 * You also need write access to the containing directory 1150 */ 1151 smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_INODE); 1152 smk_ad_setfield_u_fs_inode(&ad, dir); 1153 rc = smk_curacc(smk_of_inode(dir), MAY_WRITE, &ad); 1154 rc = smk_bu_inode(dir, MAY_WRITE, rc); 1155 } 1156 1157 return rc; 1158 } 1159 1160 /** 1161 * smack_inode_rename - Smack check on rename 1162 * @old_inode: unused 1163 * @old_dentry: the old object 1164 * @new_inode: unused 1165 * @new_dentry: the new object 1166 * 1167 * Read and write access is required on both the old and 1168 * new directories. 1169 * 1170 * Returns 0 if access is permitted, an error code otherwise 1171 */ 1172 static int smack_inode_rename(struct inode *old_inode, 1173 struct dentry *old_dentry, 1174 struct inode *new_inode, 1175 struct dentry *new_dentry) 1176 { 1177 int rc; 1178 struct smack_known *isp; 1179 struct smk_audit_info ad; 1180 1181 smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_DENTRY); 1182 smk_ad_setfield_u_fs_path_dentry(&ad, old_dentry); 1183 1184 isp = smk_of_inode(d_backing_inode(old_dentry)); 1185 rc = smk_curacc(isp, MAY_READWRITE, &ad); 1186 rc = smk_bu_inode(d_backing_inode(old_dentry), MAY_READWRITE, rc); 1187 1188 if (rc == 0 && d_is_positive(new_dentry)) { 1189 isp = smk_of_inode(d_backing_inode(new_dentry)); 1190 smk_ad_setfield_u_fs_path_dentry(&ad, new_dentry); 1191 rc = smk_curacc(isp, MAY_READWRITE, &ad); 1192 rc = smk_bu_inode(d_backing_inode(new_dentry), MAY_READWRITE, rc); 1193 } 1194 return rc; 1195 } 1196 1197 /** 1198 * smack_inode_permission - Smack version of permission() 1199 * @inode: the inode in question 1200 * @mask: the access requested 1201 * 1202 * This is the important Smack hook. 1203 * 1204 * Returns 0 if access is permitted, -EACCES otherwise 1205 */ 1206 static int smack_inode_permission(struct inode *inode, int mask) 1207 { 1208 struct smk_audit_info ad; 1209 int no_block = mask & MAY_NOT_BLOCK; 1210 int rc; 1211 1212 mask &= (MAY_READ|MAY_WRITE|MAY_EXEC|MAY_APPEND); 1213 /* 1214 * No permission to check. Existence test. Yup, it's there. 1215 */ 1216 if (mask == 0) 1217 return 0; 1218 1219 /* May be droppable after audit */ 1220 if (no_block) 1221 return -ECHILD; 1222 smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_INODE); 1223 smk_ad_setfield_u_fs_inode(&ad, inode); 1224 rc = smk_curacc(smk_of_inode(inode), mask, &ad); 1225 rc = smk_bu_inode(inode, mask, rc); 1226 return rc; 1227 } 1228 1229 /** 1230 * smack_inode_setattr - Smack check for setting attributes 1231 * @dentry: the object 1232 * @iattr: for the force flag 1233 * 1234 * Returns 0 if access is permitted, an error code otherwise 1235 */ 1236 static int smack_inode_setattr(struct dentry *dentry, struct iattr *iattr) 1237 { 1238 struct smk_audit_info ad; 1239 int rc; 1240 1241 /* 1242 * Need to allow for clearing the setuid bit. 1243 */ 1244 if (iattr->ia_valid & ATTR_FORCE) 1245 return 0; 1246 smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_DENTRY); 1247 smk_ad_setfield_u_fs_path_dentry(&ad, dentry); 1248 1249 rc = smk_curacc(smk_of_inode(d_backing_inode(dentry)), MAY_WRITE, &ad); 1250 rc = smk_bu_inode(d_backing_inode(dentry), MAY_WRITE, rc); 1251 return rc; 1252 } 1253 1254 /** 1255 * smack_inode_getattr - Smack check for getting attributes 1256 * @mnt: vfsmount of the object 1257 * @dentry: the object 1258 * 1259 * Returns 0 if access is permitted, an error code otherwise 1260 */ 1261 static int smack_inode_getattr(const struct path *path) 1262 { 1263 struct smk_audit_info ad; 1264 struct inode *inode = d_backing_inode(path->dentry); 1265 int rc; 1266 1267 smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_PATH); 1268 smk_ad_setfield_u_fs_path(&ad, *path); 1269 rc = smk_curacc(smk_of_inode(inode), MAY_READ, &ad); 1270 rc = smk_bu_inode(inode, MAY_READ, rc); 1271 return rc; 1272 } 1273 1274 /** 1275 * smack_inode_setxattr - Smack check for setting xattrs 1276 * @dentry: the object 1277 * @name: name of the attribute 1278 * @value: value of the attribute 1279 * @size: size of the value 1280 * @flags: unused 1281 * 1282 * This protects the Smack attribute explicitly. 1283 * 1284 * Returns 0 if access is permitted, an error code otherwise 1285 */ 1286 static int smack_inode_setxattr(struct dentry *dentry, const char *name, 1287 const void *value, size_t size, int flags) 1288 { 1289 struct smk_audit_info ad; 1290 struct smack_known *skp; 1291 int check_priv = 0; 1292 int check_import = 0; 1293 int check_star = 0; 1294 int rc = 0; 1295 1296 /* 1297 * Check label validity here so import won't fail in post_setxattr 1298 */ 1299 if (strcmp(name, XATTR_NAME_SMACK) == 0 || 1300 strcmp(name, XATTR_NAME_SMACKIPIN) == 0 || 1301 strcmp(name, XATTR_NAME_SMACKIPOUT) == 0) { 1302 check_priv = 1; 1303 check_import = 1; 1304 } else if (strcmp(name, XATTR_NAME_SMACKEXEC) == 0 || 1305 strcmp(name, XATTR_NAME_SMACKMMAP) == 0) { 1306 check_priv = 1; 1307 check_import = 1; 1308 check_star = 1; 1309 } else if (strcmp(name, XATTR_NAME_SMACKTRANSMUTE) == 0) { 1310 check_priv = 1; 1311 if (size != TRANS_TRUE_SIZE || 1312 strncmp(value, TRANS_TRUE, TRANS_TRUE_SIZE) != 0) 1313 rc = -EINVAL; 1314 } else 1315 rc = cap_inode_setxattr(dentry, name, value, size, flags); 1316 1317 if (check_priv && !smack_privileged(CAP_MAC_ADMIN)) 1318 rc = -EPERM; 1319 1320 if (rc == 0 && check_import) { 1321 skp = size ? smk_import_entry(value, size) : NULL; 1322 if (IS_ERR(skp)) 1323 rc = PTR_ERR(skp); 1324 else if (skp == NULL || (check_star && 1325 (skp == &smack_known_star || skp == &smack_known_web))) 1326 rc = -EINVAL; 1327 } 1328 1329 smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_DENTRY); 1330 smk_ad_setfield_u_fs_path_dentry(&ad, dentry); 1331 1332 if (rc == 0) { 1333 rc = smk_curacc(smk_of_inode(d_backing_inode(dentry)), MAY_WRITE, &ad); 1334 rc = smk_bu_inode(d_backing_inode(dentry), MAY_WRITE, rc); 1335 } 1336 1337 return rc; 1338 } 1339 1340 /** 1341 * smack_inode_post_setxattr - Apply the Smack update approved above 1342 * @dentry: object 1343 * @name: attribute name 1344 * @value: attribute value 1345 * @size: attribute size 1346 * @flags: unused 1347 * 1348 * Set the pointer in the inode blob to the entry found 1349 * in the master label list. 1350 */ 1351 static void smack_inode_post_setxattr(struct dentry *dentry, const char *name, 1352 const void *value, size_t size, int flags) 1353 { 1354 struct smack_known *skp; 1355 struct inode_smack *isp = d_backing_inode(dentry)->i_security; 1356 1357 if (strcmp(name, XATTR_NAME_SMACKTRANSMUTE) == 0) { 1358 isp->smk_flags |= SMK_INODE_TRANSMUTE; 1359 return; 1360 } 1361 1362 if (strcmp(name, XATTR_NAME_SMACK) == 0) { 1363 skp = smk_import_entry(value, size); 1364 if (!IS_ERR(skp)) 1365 isp->smk_inode = skp; 1366 else 1367 isp->smk_inode = &smack_known_invalid; 1368 } else if (strcmp(name, XATTR_NAME_SMACKEXEC) == 0) { 1369 skp = smk_import_entry(value, size); 1370 if (!IS_ERR(skp)) 1371 isp->smk_task = skp; 1372 else 1373 isp->smk_task = &smack_known_invalid; 1374 } else if (strcmp(name, XATTR_NAME_SMACKMMAP) == 0) { 1375 skp = smk_import_entry(value, size); 1376 if (!IS_ERR(skp)) 1377 isp->smk_mmap = skp; 1378 else 1379 isp->smk_mmap = &smack_known_invalid; 1380 } 1381 1382 return; 1383 } 1384 1385 /** 1386 * smack_inode_getxattr - Smack check on getxattr 1387 * @dentry: the object 1388 * @name: unused 1389 * 1390 * Returns 0 if access is permitted, an error code otherwise 1391 */ 1392 static int smack_inode_getxattr(struct dentry *dentry, const char *name) 1393 { 1394 struct smk_audit_info ad; 1395 int rc; 1396 1397 smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_DENTRY); 1398 smk_ad_setfield_u_fs_path_dentry(&ad, dentry); 1399 1400 rc = smk_curacc(smk_of_inode(d_backing_inode(dentry)), MAY_READ, &ad); 1401 rc = smk_bu_inode(d_backing_inode(dentry), MAY_READ, rc); 1402 return rc; 1403 } 1404 1405 /** 1406 * smack_inode_removexattr - Smack check on removexattr 1407 * @dentry: the object 1408 * @name: name of the attribute 1409 * 1410 * Removing the Smack attribute requires CAP_MAC_ADMIN 1411 * 1412 * Returns 0 if access is permitted, an error code otherwise 1413 */ 1414 static int smack_inode_removexattr(struct dentry *dentry, const char *name) 1415 { 1416 struct inode_smack *isp; 1417 struct smk_audit_info ad; 1418 int rc = 0; 1419 1420 if (strcmp(name, XATTR_NAME_SMACK) == 0 || 1421 strcmp(name, XATTR_NAME_SMACKIPIN) == 0 || 1422 strcmp(name, XATTR_NAME_SMACKIPOUT) == 0 || 1423 strcmp(name, XATTR_NAME_SMACKEXEC) == 0 || 1424 strcmp(name, XATTR_NAME_SMACKTRANSMUTE) == 0 || 1425 strcmp(name, XATTR_NAME_SMACKMMAP) == 0) { 1426 if (!smack_privileged(CAP_MAC_ADMIN)) 1427 rc = -EPERM; 1428 } else 1429 rc = cap_inode_removexattr(dentry, name); 1430 1431 if (rc != 0) 1432 return rc; 1433 1434 smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_DENTRY); 1435 smk_ad_setfield_u_fs_path_dentry(&ad, dentry); 1436 1437 rc = smk_curacc(smk_of_inode(d_backing_inode(dentry)), MAY_WRITE, &ad); 1438 rc = smk_bu_inode(d_backing_inode(dentry), MAY_WRITE, rc); 1439 if (rc != 0) 1440 return rc; 1441 1442 isp = d_backing_inode(dentry)->i_security; 1443 /* 1444 * Don't do anything special for these. 1445 * XATTR_NAME_SMACKIPIN 1446 * XATTR_NAME_SMACKIPOUT 1447 * XATTR_NAME_SMACKEXEC 1448 */ 1449 if (strcmp(name, XATTR_NAME_SMACK) == 0) 1450 isp->smk_task = NULL; 1451 else if (strcmp(name, XATTR_NAME_SMACKMMAP) == 0) 1452 isp->smk_mmap = NULL; 1453 else if (strcmp(name, XATTR_NAME_SMACKTRANSMUTE) == 0) 1454 isp->smk_flags &= ~SMK_INODE_TRANSMUTE; 1455 1456 return 0; 1457 } 1458 1459 /** 1460 * smack_inode_getsecurity - get smack xattrs 1461 * @inode: the object 1462 * @name: attribute name 1463 * @buffer: where to put the result 1464 * @alloc: unused 1465 * 1466 * Returns the size of the attribute or an error code 1467 */ 1468 static int smack_inode_getsecurity(const struct inode *inode, 1469 const char *name, void **buffer, 1470 bool alloc) 1471 { 1472 struct socket_smack *ssp; 1473 struct socket *sock; 1474 struct super_block *sbp; 1475 struct inode *ip = (struct inode *)inode; 1476 struct smack_known *isp; 1477 int ilen; 1478 int rc = 0; 1479 1480 if (strcmp(name, XATTR_SMACK_SUFFIX) == 0) { 1481 isp = smk_of_inode(inode); 1482 ilen = strlen(isp->smk_known); 1483 *buffer = isp->smk_known; 1484 return ilen; 1485 } 1486 1487 /* 1488 * The rest of the Smack xattrs are only on sockets. 1489 */ 1490 sbp = ip->i_sb; 1491 if (sbp->s_magic != SOCKFS_MAGIC) 1492 return -EOPNOTSUPP; 1493 1494 sock = SOCKET_I(ip); 1495 if (sock == NULL || sock->sk == NULL) 1496 return -EOPNOTSUPP; 1497 1498 ssp = sock->sk->sk_security; 1499 1500 if (strcmp(name, XATTR_SMACK_IPIN) == 0) 1501 isp = ssp->smk_in; 1502 else if (strcmp(name, XATTR_SMACK_IPOUT) == 0) 1503 isp = ssp->smk_out; 1504 else 1505 return -EOPNOTSUPP; 1506 1507 ilen = strlen(isp->smk_known); 1508 if (rc == 0) { 1509 *buffer = isp->smk_known; 1510 rc = ilen; 1511 } 1512 1513 return rc; 1514 } 1515 1516 1517 /** 1518 * smack_inode_listsecurity - list the Smack attributes 1519 * @inode: the object 1520 * @buffer: where they go 1521 * @buffer_size: size of buffer 1522 * 1523 * Returns 0 on success, -EINVAL otherwise 1524 */ 1525 static int smack_inode_listsecurity(struct inode *inode, char *buffer, 1526 size_t buffer_size) 1527 { 1528 int len = sizeof(XATTR_NAME_SMACK); 1529 1530 if (buffer != NULL && len <= buffer_size) 1531 memcpy(buffer, XATTR_NAME_SMACK, len); 1532 1533 return len; 1534 } 1535 1536 /** 1537 * smack_inode_getsecid - Extract inode's security id 1538 * @inode: inode to extract the info from 1539 * @secid: where result will be saved 1540 */ 1541 static void smack_inode_getsecid(const struct inode *inode, u32 *secid) 1542 { 1543 struct inode_smack *isp = inode->i_security; 1544 1545 *secid = isp->smk_inode->smk_secid; 1546 } 1547 1548 /* 1549 * File Hooks 1550 */ 1551 1552 /** 1553 * smack_file_permission - Smack check on file operations 1554 * @file: unused 1555 * @mask: unused 1556 * 1557 * Returns 0 1558 * 1559 * Should access checks be done on each read or write? 1560 * UNICOS and SELinux say yes. 1561 * Trusted Solaris, Trusted Irix, and just about everyone else says no. 1562 * 1563 * I'll say no for now. Smack does not do the frequent 1564 * label changing that SELinux does. 1565 */ 1566 static int smack_file_permission(struct file *file, int mask) 1567 { 1568 return 0; 1569 } 1570 1571 /** 1572 * smack_file_alloc_security - assign a file security blob 1573 * @file: the object 1574 * 1575 * The security blob for a file is a pointer to the master 1576 * label list, so no allocation is done. 1577 * 1578 * f_security is the owner security information. It 1579 * isn't used on file access checks, it's for send_sigio. 1580 * 1581 * Returns 0 1582 */ 1583 static int smack_file_alloc_security(struct file *file) 1584 { 1585 struct smack_known *skp = smk_of_current(); 1586 1587 file->f_security = skp; 1588 return 0; 1589 } 1590 1591 /** 1592 * smack_file_free_security - clear a file security blob 1593 * @file: the object 1594 * 1595 * The security blob for a file is a pointer to the master 1596 * label list, so no memory is freed. 1597 */ 1598 static void smack_file_free_security(struct file *file) 1599 { 1600 file->f_security = NULL; 1601 } 1602 1603 /** 1604 * smack_file_ioctl - Smack check on ioctls 1605 * @file: the object 1606 * @cmd: what to do 1607 * @arg: unused 1608 * 1609 * Relies heavily on the correct use of the ioctl command conventions. 1610 * 1611 * Returns 0 if allowed, error code otherwise 1612 */ 1613 static int smack_file_ioctl(struct file *file, unsigned int cmd, 1614 unsigned long arg) 1615 { 1616 int rc = 0; 1617 struct smk_audit_info ad; 1618 struct inode *inode = file_inode(file); 1619 1620 smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_PATH); 1621 smk_ad_setfield_u_fs_path(&ad, file->f_path); 1622 1623 if (_IOC_DIR(cmd) & _IOC_WRITE) { 1624 rc = smk_curacc(smk_of_inode(inode), MAY_WRITE, &ad); 1625 rc = smk_bu_file(file, MAY_WRITE, rc); 1626 } 1627 1628 if (rc == 0 && (_IOC_DIR(cmd) & _IOC_READ)) { 1629 rc = smk_curacc(smk_of_inode(inode), MAY_READ, &ad); 1630 rc = smk_bu_file(file, MAY_READ, rc); 1631 } 1632 1633 return rc; 1634 } 1635 1636 /** 1637 * smack_file_lock - Smack check on file locking 1638 * @file: the object 1639 * @cmd: unused 1640 * 1641 * Returns 0 if current has lock access, error code otherwise 1642 */ 1643 static int smack_file_lock(struct file *file, unsigned int cmd) 1644 { 1645 struct smk_audit_info ad; 1646 int rc; 1647 struct inode *inode = file_inode(file); 1648 1649 smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_PATH); 1650 smk_ad_setfield_u_fs_path(&ad, file->f_path); 1651 rc = smk_curacc(smk_of_inode(inode), MAY_LOCK, &ad); 1652 rc = smk_bu_file(file, MAY_LOCK, rc); 1653 return rc; 1654 } 1655 1656 /** 1657 * smack_file_fcntl - Smack check on fcntl 1658 * @file: the object 1659 * @cmd: what action to check 1660 * @arg: unused 1661 * 1662 * Generally these operations are harmless. 1663 * File locking operations present an obvious mechanism 1664 * for passing information, so they require write access. 1665 * 1666 * Returns 0 if current has access, error code otherwise 1667 */ 1668 static int smack_file_fcntl(struct file *file, unsigned int cmd, 1669 unsigned long arg) 1670 { 1671 struct smk_audit_info ad; 1672 int rc = 0; 1673 struct inode *inode = file_inode(file); 1674 1675 switch (cmd) { 1676 case F_GETLK: 1677 break; 1678 case F_SETLK: 1679 case F_SETLKW: 1680 smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_PATH); 1681 smk_ad_setfield_u_fs_path(&ad, file->f_path); 1682 rc = smk_curacc(smk_of_inode(inode), MAY_LOCK, &ad); 1683 rc = smk_bu_file(file, MAY_LOCK, rc); 1684 break; 1685 case F_SETOWN: 1686 case F_SETSIG: 1687 smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_PATH); 1688 smk_ad_setfield_u_fs_path(&ad, file->f_path); 1689 rc = smk_curacc(smk_of_inode(inode), MAY_WRITE, &ad); 1690 rc = smk_bu_file(file, MAY_WRITE, rc); 1691 break; 1692 default: 1693 break; 1694 } 1695 1696 return rc; 1697 } 1698 1699 /** 1700 * smack_mmap_file : 1701 * Check permissions for a mmap operation. The @file may be NULL, e.g. 1702 * if mapping anonymous memory. 1703 * @file contains the file structure for file to map (may be NULL). 1704 * @reqprot contains the protection requested by the application. 1705 * @prot contains the protection that will be applied by the kernel. 1706 * @flags contains the operational flags. 1707 * Return 0 if permission is granted. 1708 */ 1709 static int smack_mmap_file(struct file *file, 1710 unsigned long reqprot, unsigned long prot, 1711 unsigned long flags) 1712 { 1713 struct smack_known *skp; 1714 struct smack_known *mkp; 1715 struct smack_rule *srp; 1716 struct task_smack *tsp; 1717 struct smack_known *okp; 1718 struct inode_smack *isp; 1719 int may; 1720 int mmay; 1721 int tmay; 1722 int rc; 1723 1724 if (file == NULL) 1725 return 0; 1726 1727 isp = file_inode(file)->i_security; 1728 if (isp->smk_mmap == NULL) 1729 return 0; 1730 mkp = isp->smk_mmap; 1731 1732 tsp = current_security(); 1733 skp = smk_of_current(); 1734 rc = 0; 1735 1736 rcu_read_lock(); 1737 /* 1738 * For each Smack rule associated with the subject 1739 * label verify that the SMACK64MMAP also has access 1740 * to that rule's object label. 1741 */ 1742 list_for_each_entry_rcu(srp, &skp->smk_rules, list) { 1743 okp = srp->smk_object; 1744 /* 1745 * Matching labels always allows access. 1746 */ 1747 if (mkp->smk_known == okp->smk_known) 1748 continue; 1749 /* 1750 * If there is a matching local rule take 1751 * that into account as well. 1752 */ 1753 may = smk_access_entry(srp->smk_subject->smk_known, 1754 okp->smk_known, 1755 &tsp->smk_rules); 1756 if (may == -ENOENT) 1757 may = srp->smk_access; 1758 else 1759 may &= srp->smk_access; 1760 /* 1761 * If may is zero the SMACK64MMAP subject can't 1762 * possibly have less access. 1763 */ 1764 if (may == 0) 1765 continue; 1766 1767 /* 1768 * Fetch the global list entry. 1769 * If there isn't one a SMACK64MMAP subject 1770 * can't have as much access as current. 1771 */ 1772 mmay = smk_access_entry(mkp->smk_known, okp->smk_known, 1773 &mkp->smk_rules); 1774 if (mmay == -ENOENT) { 1775 rc = -EACCES; 1776 break; 1777 } 1778 /* 1779 * If there is a local entry it modifies the 1780 * potential access, too. 1781 */ 1782 tmay = smk_access_entry(mkp->smk_known, okp->smk_known, 1783 &tsp->smk_rules); 1784 if (tmay != -ENOENT) 1785 mmay &= tmay; 1786 1787 /* 1788 * If there is any access available to current that is 1789 * not available to a SMACK64MMAP subject 1790 * deny access. 1791 */ 1792 if ((may | mmay) != mmay) { 1793 rc = -EACCES; 1794 break; 1795 } 1796 } 1797 1798 rcu_read_unlock(); 1799 1800 return rc; 1801 } 1802 1803 /** 1804 * smack_file_set_fowner - set the file security blob value 1805 * @file: object in question 1806 * 1807 */ 1808 static void smack_file_set_fowner(struct file *file) 1809 { 1810 file->f_security = smk_of_current(); 1811 } 1812 1813 /** 1814 * smack_file_send_sigiotask - Smack on sigio 1815 * @tsk: The target task 1816 * @fown: the object the signal come from 1817 * @signum: unused 1818 * 1819 * Allow a privileged task to get signals even if it shouldn't 1820 * 1821 * Returns 0 if a subject with the object's smack could 1822 * write to the task, an error code otherwise. 1823 */ 1824 static int smack_file_send_sigiotask(struct task_struct *tsk, 1825 struct fown_struct *fown, int signum) 1826 { 1827 struct smack_known *skp; 1828 struct smack_known *tkp = smk_of_task(tsk->cred->security); 1829 struct file *file; 1830 int rc; 1831 struct smk_audit_info ad; 1832 1833 /* 1834 * struct fown_struct is never outside the context of a struct file 1835 */ 1836 file = container_of(fown, struct file, f_owner); 1837 1838 /* we don't log here as rc can be overriden */ 1839 skp = file->f_security; 1840 rc = smk_access(skp, tkp, MAY_WRITE, NULL); 1841 rc = smk_bu_note("sigiotask", skp, tkp, MAY_WRITE, rc); 1842 if (rc != 0 && has_capability(tsk, CAP_MAC_OVERRIDE)) 1843 rc = 0; 1844 1845 smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_TASK); 1846 smk_ad_setfield_u_tsk(&ad, tsk); 1847 smack_log(skp->smk_known, tkp->smk_known, MAY_WRITE, rc, &ad); 1848 return rc; 1849 } 1850 1851 /** 1852 * smack_file_receive - Smack file receive check 1853 * @file: the object 1854 * 1855 * Returns 0 if current has access, error code otherwise 1856 */ 1857 static int smack_file_receive(struct file *file) 1858 { 1859 int rc; 1860 int may = 0; 1861 struct smk_audit_info ad; 1862 struct inode *inode = file_inode(file); 1863 1864 if (unlikely(IS_PRIVATE(inode))) 1865 return 0; 1866 1867 smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_PATH); 1868 smk_ad_setfield_u_fs_path(&ad, file->f_path); 1869 /* 1870 * This code relies on bitmasks. 1871 */ 1872 if (file->f_mode & FMODE_READ) 1873 may = MAY_READ; 1874 if (file->f_mode & FMODE_WRITE) 1875 may |= MAY_WRITE; 1876 1877 rc = smk_curacc(smk_of_inode(inode), may, &ad); 1878 rc = smk_bu_file(file, may, rc); 1879 return rc; 1880 } 1881 1882 /** 1883 * smack_file_open - Smack dentry open processing 1884 * @file: the object 1885 * @cred: task credential 1886 * 1887 * Set the security blob in the file structure. 1888 * Allow the open only if the task has read access. There are 1889 * many read operations (e.g. fstat) that you can do with an 1890 * fd even if you have the file open write-only. 1891 * 1892 * Returns 0 1893 */ 1894 static int smack_file_open(struct file *file, const struct cred *cred) 1895 { 1896 struct task_smack *tsp = cred->security; 1897 struct inode *inode = file_inode(file); 1898 struct smk_audit_info ad; 1899 int rc; 1900 1901 if (smack_privileged(CAP_MAC_OVERRIDE)) 1902 return 0; 1903 1904 smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_PATH); 1905 smk_ad_setfield_u_fs_path(&ad, file->f_path); 1906 rc = smk_access(tsp->smk_task, smk_of_inode(inode), MAY_READ, &ad); 1907 rc = smk_bu_credfile(cred, file, MAY_READ, rc); 1908 1909 return rc; 1910 } 1911 1912 /* 1913 * Task hooks 1914 */ 1915 1916 /** 1917 * smack_cred_alloc_blank - "allocate" blank task-level security credentials 1918 * @new: the new credentials 1919 * @gfp: the atomicity of any memory allocations 1920 * 1921 * Prepare a blank set of credentials for modification. This must allocate all 1922 * the memory the LSM module might require such that cred_transfer() can 1923 * complete without error. 1924 */ 1925 static int smack_cred_alloc_blank(struct cred *cred, gfp_t gfp) 1926 { 1927 struct task_smack *tsp; 1928 1929 tsp = new_task_smack(NULL, NULL, gfp); 1930 if (tsp == NULL) 1931 return -ENOMEM; 1932 1933 cred->security = tsp; 1934 1935 return 0; 1936 } 1937 1938 1939 /** 1940 * smack_cred_free - "free" task-level security credentials 1941 * @cred: the credentials in question 1942 * 1943 */ 1944 static void smack_cred_free(struct cred *cred) 1945 { 1946 struct task_smack *tsp = cred->security; 1947 struct smack_rule *rp; 1948 struct list_head *l; 1949 struct list_head *n; 1950 1951 if (tsp == NULL) 1952 return; 1953 cred->security = NULL; 1954 1955 smk_destroy_label_list(&tsp->smk_relabel); 1956 1957 list_for_each_safe(l, n, &tsp->smk_rules) { 1958 rp = list_entry(l, struct smack_rule, list); 1959 list_del(&rp->list); 1960 kfree(rp); 1961 } 1962 kfree(tsp); 1963 } 1964 1965 /** 1966 * smack_cred_prepare - prepare new set of credentials for modification 1967 * @new: the new credentials 1968 * @old: the original credentials 1969 * @gfp: the atomicity of any memory allocations 1970 * 1971 * Prepare a new set of credentials for modification. 1972 */ 1973 static int smack_cred_prepare(struct cred *new, const struct cred *old, 1974 gfp_t gfp) 1975 { 1976 struct task_smack *old_tsp = old->security; 1977 struct task_smack *new_tsp; 1978 int rc; 1979 1980 new_tsp = new_task_smack(old_tsp->smk_task, old_tsp->smk_task, gfp); 1981 if (new_tsp == NULL) 1982 return -ENOMEM; 1983 1984 rc = smk_copy_rules(&new_tsp->smk_rules, &old_tsp->smk_rules, gfp); 1985 if (rc != 0) 1986 return rc; 1987 1988 rc = smk_copy_relabel(&new_tsp->smk_relabel, &old_tsp->smk_relabel, 1989 gfp); 1990 if (rc != 0) 1991 return rc; 1992 1993 new->security = new_tsp; 1994 return 0; 1995 } 1996 1997 /** 1998 * smack_cred_transfer - Transfer the old credentials to the new credentials 1999 * @new: the new credentials 2000 * @old: the original credentials 2001 * 2002 * Fill in a set of blank credentials from another set of credentials. 2003 */ 2004 static void smack_cred_transfer(struct cred *new, const struct cred *old) 2005 { 2006 struct task_smack *old_tsp = old->security; 2007 struct task_smack *new_tsp = new->security; 2008 2009 new_tsp->smk_task = old_tsp->smk_task; 2010 new_tsp->smk_forked = old_tsp->smk_task; 2011 mutex_init(&new_tsp->smk_rules_lock); 2012 INIT_LIST_HEAD(&new_tsp->smk_rules); 2013 2014 2015 /* cbs copy rule list */ 2016 } 2017 2018 /** 2019 * smack_kernel_act_as - Set the subjective context in a set of credentials 2020 * @new: points to the set of credentials to be modified. 2021 * @secid: specifies the security ID to be set 2022 * 2023 * Set the security data for a kernel service. 2024 */ 2025 static int smack_kernel_act_as(struct cred *new, u32 secid) 2026 { 2027 struct task_smack *new_tsp = new->security; 2028 struct smack_known *skp = smack_from_secid(secid); 2029 2030 if (skp == NULL) 2031 return -EINVAL; 2032 2033 new_tsp->smk_task = skp; 2034 return 0; 2035 } 2036 2037 /** 2038 * smack_kernel_create_files_as - Set the file creation label in a set of creds 2039 * @new: points to the set of credentials to be modified 2040 * @inode: points to the inode to use as a reference 2041 * 2042 * Set the file creation context in a set of credentials to the same 2043 * as the objective context of the specified inode 2044 */ 2045 static int smack_kernel_create_files_as(struct cred *new, 2046 struct inode *inode) 2047 { 2048 struct inode_smack *isp = inode->i_security; 2049 struct task_smack *tsp = new->security; 2050 2051 tsp->smk_forked = isp->smk_inode; 2052 tsp->smk_task = tsp->smk_forked; 2053 return 0; 2054 } 2055 2056 /** 2057 * smk_curacc_on_task - helper to log task related access 2058 * @p: the task object 2059 * @access: the access requested 2060 * @caller: name of the calling function for audit 2061 * 2062 * Return 0 if access is permitted 2063 */ 2064 static int smk_curacc_on_task(struct task_struct *p, int access, 2065 const char *caller) 2066 { 2067 struct smk_audit_info ad; 2068 struct smack_known *skp = smk_of_task_struct(p); 2069 int rc; 2070 2071 smk_ad_init(&ad, caller, LSM_AUDIT_DATA_TASK); 2072 smk_ad_setfield_u_tsk(&ad, p); 2073 rc = smk_curacc(skp, access, &ad); 2074 rc = smk_bu_task(p, access, rc); 2075 return rc; 2076 } 2077 2078 /** 2079 * smack_task_setpgid - Smack check on setting pgid 2080 * @p: the task object 2081 * @pgid: unused 2082 * 2083 * Return 0 if write access is permitted 2084 */ 2085 static int smack_task_setpgid(struct task_struct *p, pid_t pgid) 2086 { 2087 return smk_curacc_on_task(p, MAY_WRITE, __func__); 2088 } 2089 2090 /** 2091 * smack_task_getpgid - Smack access check for getpgid 2092 * @p: the object task 2093 * 2094 * Returns 0 if current can read the object task, error code otherwise 2095 */ 2096 static int smack_task_getpgid(struct task_struct *p) 2097 { 2098 return smk_curacc_on_task(p, MAY_READ, __func__); 2099 } 2100 2101 /** 2102 * smack_task_getsid - Smack access check for getsid 2103 * @p: the object task 2104 * 2105 * Returns 0 if current can read the object task, error code otherwise 2106 */ 2107 static int smack_task_getsid(struct task_struct *p) 2108 { 2109 return smk_curacc_on_task(p, MAY_READ, __func__); 2110 } 2111 2112 /** 2113 * smack_task_getsecid - get the secid of the task 2114 * @p: the object task 2115 * @secid: where to put the result 2116 * 2117 * Sets the secid to contain a u32 version of the smack label. 2118 */ 2119 static void smack_task_getsecid(struct task_struct *p, u32 *secid) 2120 { 2121 struct smack_known *skp = smk_of_task_struct(p); 2122 2123 *secid = skp->smk_secid; 2124 } 2125 2126 /** 2127 * smack_task_setnice - Smack check on setting nice 2128 * @p: the task object 2129 * @nice: unused 2130 * 2131 * Return 0 if write access is permitted 2132 */ 2133 static int smack_task_setnice(struct task_struct *p, int nice) 2134 { 2135 return smk_curacc_on_task(p, MAY_WRITE, __func__); 2136 } 2137 2138 /** 2139 * smack_task_setioprio - Smack check on setting ioprio 2140 * @p: the task object 2141 * @ioprio: unused 2142 * 2143 * Return 0 if write access is permitted 2144 */ 2145 static int smack_task_setioprio(struct task_struct *p, int ioprio) 2146 { 2147 return smk_curacc_on_task(p, MAY_WRITE, __func__); 2148 } 2149 2150 /** 2151 * smack_task_getioprio - Smack check on reading ioprio 2152 * @p: the task object 2153 * 2154 * Return 0 if read access is permitted 2155 */ 2156 static int smack_task_getioprio(struct task_struct *p) 2157 { 2158 return smk_curacc_on_task(p, MAY_READ, __func__); 2159 } 2160 2161 /** 2162 * smack_task_setscheduler - Smack check on setting scheduler 2163 * @p: the task object 2164 * @policy: unused 2165 * @lp: unused 2166 * 2167 * Return 0 if read access is permitted 2168 */ 2169 static int smack_task_setscheduler(struct task_struct *p) 2170 { 2171 return smk_curacc_on_task(p, MAY_WRITE, __func__); 2172 } 2173 2174 /** 2175 * smack_task_getscheduler - Smack check on reading scheduler 2176 * @p: the task object 2177 * 2178 * Return 0 if read access is permitted 2179 */ 2180 static int smack_task_getscheduler(struct task_struct *p) 2181 { 2182 return smk_curacc_on_task(p, MAY_READ, __func__); 2183 } 2184 2185 /** 2186 * smack_task_movememory - Smack check on moving memory 2187 * @p: the task object 2188 * 2189 * Return 0 if write access is permitted 2190 */ 2191 static int smack_task_movememory(struct task_struct *p) 2192 { 2193 return smk_curacc_on_task(p, MAY_WRITE, __func__); 2194 } 2195 2196 /** 2197 * smack_task_kill - Smack check on signal delivery 2198 * @p: the task object 2199 * @info: unused 2200 * @sig: unused 2201 * @secid: identifies the smack to use in lieu of current's 2202 * 2203 * Return 0 if write access is permitted 2204 * 2205 * The secid behavior is an artifact of an SELinux hack 2206 * in the USB code. Someday it may go away. 2207 */ 2208 static int smack_task_kill(struct task_struct *p, struct siginfo *info, 2209 int sig, u32 secid) 2210 { 2211 struct smk_audit_info ad; 2212 struct smack_known *skp; 2213 struct smack_known *tkp = smk_of_task_struct(p); 2214 int rc; 2215 2216 smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_TASK); 2217 smk_ad_setfield_u_tsk(&ad, p); 2218 /* 2219 * Sending a signal requires that the sender 2220 * can write the receiver. 2221 */ 2222 if (secid == 0) { 2223 rc = smk_curacc(tkp, MAY_WRITE, &ad); 2224 rc = smk_bu_task(p, MAY_WRITE, rc); 2225 return rc; 2226 } 2227 /* 2228 * If the secid isn't 0 we're dealing with some USB IO 2229 * specific behavior. This is not clean. For one thing 2230 * we can't take privilege into account. 2231 */ 2232 skp = smack_from_secid(secid); 2233 rc = smk_access(skp, tkp, MAY_WRITE, &ad); 2234 rc = smk_bu_note("USB signal", skp, tkp, MAY_WRITE, rc); 2235 return rc; 2236 } 2237 2238 /** 2239 * smack_task_wait - Smack access check for waiting 2240 * @p: task to wait for 2241 * 2242 * Returns 0 2243 */ 2244 static int smack_task_wait(struct task_struct *p) 2245 { 2246 /* 2247 * Allow the operation to succeed. 2248 * Zombies are bad. 2249 * In userless environments (e.g. phones) programs 2250 * get marked with SMACK64EXEC and even if the parent 2251 * and child shouldn't be talking the parent still 2252 * may expect to know when the child exits. 2253 */ 2254 return 0; 2255 } 2256 2257 /** 2258 * smack_task_to_inode - copy task smack into the inode blob 2259 * @p: task to copy from 2260 * @inode: inode to copy to 2261 * 2262 * Sets the smack pointer in the inode security blob 2263 */ 2264 static void smack_task_to_inode(struct task_struct *p, struct inode *inode) 2265 { 2266 struct inode_smack *isp = inode->i_security; 2267 struct smack_known *skp = smk_of_task_struct(p); 2268 2269 isp->smk_inode = skp; 2270 } 2271 2272 /* 2273 * Socket hooks. 2274 */ 2275 2276 /** 2277 * smack_sk_alloc_security - Allocate a socket blob 2278 * @sk: the socket 2279 * @family: unused 2280 * @gfp_flags: memory allocation flags 2281 * 2282 * Assign Smack pointers to current 2283 * 2284 * Returns 0 on success, -ENOMEM is there's no memory 2285 */ 2286 static int smack_sk_alloc_security(struct sock *sk, int family, gfp_t gfp_flags) 2287 { 2288 struct smack_known *skp = smk_of_current(); 2289 struct socket_smack *ssp; 2290 2291 ssp = kzalloc(sizeof(struct socket_smack), gfp_flags); 2292 if (ssp == NULL) 2293 return -ENOMEM; 2294 2295 ssp->smk_in = skp; 2296 ssp->smk_out = skp; 2297 ssp->smk_packet = NULL; 2298 2299 sk->sk_security = ssp; 2300 2301 return 0; 2302 } 2303 2304 /** 2305 * smack_sk_free_security - Free a socket blob 2306 * @sk: the socket 2307 * 2308 * Clears the blob pointer 2309 */ 2310 static void smack_sk_free_security(struct sock *sk) 2311 { 2312 kfree(sk->sk_security); 2313 } 2314 2315 /** 2316 * smack_ipv4host_label - check host based restrictions 2317 * @sip: the object end 2318 * 2319 * looks for host based access restrictions 2320 * 2321 * This version will only be appropriate for really small sets of single label 2322 * hosts. The caller is responsible for ensuring that the RCU read lock is 2323 * taken before calling this function. 2324 * 2325 * Returns the label of the far end or NULL if it's not special. 2326 */ 2327 static struct smack_known *smack_ipv4host_label(struct sockaddr_in *sip) 2328 { 2329 struct smk_net4addr *snp; 2330 struct in_addr *siap = &sip->sin_addr; 2331 2332 if (siap->s_addr == 0) 2333 return NULL; 2334 2335 list_for_each_entry_rcu(snp, &smk_net4addr_list, list) 2336 /* 2337 * we break after finding the first match because 2338 * the list is sorted from longest to shortest mask 2339 * so we have found the most specific match 2340 */ 2341 if (snp->smk_host.s_addr == 2342 (siap->s_addr & snp->smk_mask.s_addr)) 2343 return snp->smk_label; 2344 2345 return NULL; 2346 } 2347 2348 #if IS_ENABLED(CONFIG_IPV6) 2349 /* 2350 * smk_ipv6_localhost - Check for local ipv6 host address 2351 * @sip: the address 2352 * 2353 * Returns boolean true if this is the localhost address 2354 */ 2355 static bool smk_ipv6_localhost(struct sockaddr_in6 *sip) 2356 { 2357 __be16 *be16p = (__be16 *)&sip->sin6_addr; 2358 __be32 *be32p = (__be32 *)&sip->sin6_addr; 2359 2360 if (be32p[0] == 0 && be32p[1] == 0 && be32p[2] == 0 && be16p[6] == 0 && 2361 ntohs(be16p[7]) == 1) 2362 return true; 2363 return false; 2364 } 2365 2366 /** 2367 * smack_ipv6host_label - check host based restrictions 2368 * @sip: the object end 2369 * 2370 * looks for host based access restrictions 2371 * 2372 * This version will only be appropriate for really small sets of single label 2373 * hosts. The caller is responsible for ensuring that the RCU read lock is 2374 * taken before calling this function. 2375 * 2376 * Returns the label of the far end or NULL if it's not special. 2377 */ 2378 static struct smack_known *smack_ipv6host_label(struct sockaddr_in6 *sip) 2379 { 2380 struct smk_net6addr *snp; 2381 struct in6_addr *sap = &sip->sin6_addr; 2382 int i; 2383 int found = 0; 2384 2385 /* 2386 * It's local. Don't look for a host label. 2387 */ 2388 if (smk_ipv6_localhost(sip)) 2389 return NULL; 2390 2391 list_for_each_entry_rcu(snp, &smk_net6addr_list, list) { 2392 /* 2393 * we break after finding the first match because 2394 * the list is sorted from longest to shortest mask 2395 * so we have found the most specific match 2396 */ 2397 for (found = 1, i = 0; i < 8; i++) { 2398 /* 2399 * If the label is NULL the entry has 2400 * been renounced. Ignore it. 2401 */ 2402 if (snp->smk_label == NULL) 2403 continue; 2404 if ((sap->s6_addr16[i] & snp->smk_mask.s6_addr16[i]) != 2405 snp->smk_host.s6_addr16[i]) { 2406 found = 0; 2407 break; 2408 } 2409 } 2410 if (found) 2411 return snp->smk_label; 2412 } 2413 2414 return NULL; 2415 } 2416 #endif /* CONFIG_IPV6 */ 2417 2418 /** 2419 * smack_netlabel - Set the secattr on a socket 2420 * @sk: the socket 2421 * @labeled: socket label scheme 2422 * 2423 * Convert the outbound smack value (smk_out) to a 2424 * secattr and attach it to the socket. 2425 * 2426 * Returns 0 on success or an error code 2427 */ 2428 static int smack_netlabel(struct sock *sk, int labeled) 2429 { 2430 struct smack_known *skp; 2431 struct socket_smack *ssp = sk->sk_security; 2432 int rc = 0; 2433 2434 /* 2435 * Usually the netlabel code will handle changing the 2436 * packet labeling based on the label. 2437 * The case of a single label host is different, because 2438 * a single label host should never get a labeled packet 2439 * even though the label is usually associated with a packet 2440 * label. 2441 */ 2442 local_bh_disable(); 2443 bh_lock_sock_nested(sk); 2444 2445 if (ssp->smk_out == smack_net_ambient || 2446 labeled == SMACK_UNLABELED_SOCKET) 2447 netlbl_sock_delattr(sk); 2448 else { 2449 skp = ssp->smk_out; 2450 rc = netlbl_sock_setattr(sk, sk->sk_family, &skp->smk_netlabel); 2451 } 2452 2453 bh_unlock_sock(sk); 2454 local_bh_enable(); 2455 2456 return rc; 2457 } 2458 2459 /** 2460 * smack_netlbel_send - Set the secattr on a socket and perform access checks 2461 * @sk: the socket 2462 * @sap: the destination address 2463 * 2464 * Set the correct secattr for the given socket based on the destination 2465 * address and perform any outbound access checks needed. 2466 * 2467 * Returns 0 on success or an error code. 2468 * 2469 */ 2470 static int smack_netlabel_send(struct sock *sk, struct sockaddr_in *sap) 2471 { 2472 struct smack_known *skp; 2473 int rc; 2474 int sk_lbl; 2475 struct smack_known *hkp; 2476 struct socket_smack *ssp = sk->sk_security; 2477 struct smk_audit_info ad; 2478 2479 rcu_read_lock(); 2480 hkp = smack_ipv4host_label(sap); 2481 if (hkp != NULL) { 2482 #ifdef CONFIG_AUDIT 2483 struct lsm_network_audit net; 2484 2485 smk_ad_init_net(&ad, __func__, LSM_AUDIT_DATA_NET, &net); 2486 ad.a.u.net->family = sap->sin_family; 2487 ad.a.u.net->dport = sap->sin_port; 2488 ad.a.u.net->v4info.daddr = sap->sin_addr.s_addr; 2489 #endif 2490 sk_lbl = SMACK_UNLABELED_SOCKET; 2491 skp = ssp->smk_out; 2492 rc = smk_access(skp, hkp, MAY_WRITE, &ad); 2493 rc = smk_bu_note("IPv4 host check", skp, hkp, MAY_WRITE, rc); 2494 } else { 2495 sk_lbl = SMACK_CIPSO_SOCKET; 2496 rc = 0; 2497 } 2498 rcu_read_unlock(); 2499 if (rc != 0) 2500 return rc; 2501 2502 return smack_netlabel(sk, sk_lbl); 2503 } 2504 2505 #if IS_ENABLED(CONFIG_IPV6) 2506 /** 2507 * smk_ipv6_check - check Smack access 2508 * @subject: subject Smack label 2509 * @object: object Smack label 2510 * @address: address 2511 * @act: the action being taken 2512 * 2513 * Check an IPv6 access 2514 */ 2515 static int smk_ipv6_check(struct smack_known *subject, 2516 struct smack_known *object, 2517 struct sockaddr_in6 *address, int act) 2518 { 2519 #ifdef CONFIG_AUDIT 2520 struct lsm_network_audit net; 2521 #endif 2522 struct smk_audit_info ad; 2523 int rc; 2524 2525 #ifdef CONFIG_AUDIT 2526 smk_ad_init_net(&ad, __func__, LSM_AUDIT_DATA_NET, &net); 2527 ad.a.u.net->family = PF_INET6; 2528 ad.a.u.net->dport = ntohs(address->sin6_port); 2529 if (act == SMK_RECEIVING) 2530 ad.a.u.net->v6info.saddr = address->sin6_addr; 2531 else 2532 ad.a.u.net->v6info.daddr = address->sin6_addr; 2533 #endif 2534 rc = smk_access(subject, object, MAY_WRITE, &ad); 2535 rc = smk_bu_note("IPv6 check", subject, object, MAY_WRITE, rc); 2536 return rc; 2537 } 2538 #endif /* CONFIG_IPV6 */ 2539 2540 #ifdef SMACK_IPV6_PORT_LABELING 2541 /** 2542 * smk_ipv6_port_label - Smack port access table management 2543 * @sock: socket 2544 * @address: address 2545 * 2546 * Create or update the port list entry 2547 */ 2548 static void smk_ipv6_port_label(struct socket *sock, struct sockaddr *address) 2549 { 2550 struct sock *sk = sock->sk; 2551 struct sockaddr_in6 *addr6; 2552 struct socket_smack *ssp = sock->sk->sk_security; 2553 struct smk_port_label *spp; 2554 unsigned short port = 0; 2555 2556 if (address == NULL) { 2557 /* 2558 * This operation is changing the Smack information 2559 * on the bound socket. Take the changes to the port 2560 * as well. 2561 */ 2562 list_for_each_entry(spp, &smk_ipv6_port_list, list) { 2563 if (sk != spp->smk_sock) 2564 continue; 2565 spp->smk_in = ssp->smk_in; 2566 spp->smk_out = ssp->smk_out; 2567 return; 2568 } 2569 /* 2570 * A NULL address is only used for updating existing 2571 * bound entries. If there isn't one, it's OK. 2572 */ 2573 return; 2574 } 2575 2576 addr6 = (struct sockaddr_in6 *)address; 2577 port = ntohs(addr6->sin6_port); 2578 /* 2579 * This is a special case that is safely ignored. 2580 */ 2581 if (port == 0) 2582 return; 2583 2584 /* 2585 * Look for an existing port list entry. 2586 * This is an indication that a port is getting reused. 2587 */ 2588 list_for_each_entry(spp, &smk_ipv6_port_list, list) { 2589 if (spp->smk_port != port) 2590 continue; 2591 spp->smk_port = port; 2592 spp->smk_sock = sk; 2593 spp->smk_in = ssp->smk_in; 2594 spp->smk_out = ssp->smk_out; 2595 return; 2596 } 2597 2598 /* 2599 * A new port entry is required. 2600 */ 2601 spp = kzalloc(sizeof(*spp), GFP_KERNEL); 2602 if (spp == NULL) 2603 return; 2604 2605 spp->smk_port = port; 2606 spp->smk_sock = sk; 2607 spp->smk_in = ssp->smk_in; 2608 spp->smk_out = ssp->smk_out; 2609 2610 list_add(&spp->list, &smk_ipv6_port_list); 2611 return; 2612 } 2613 2614 /** 2615 * smk_ipv6_port_check - check Smack port access 2616 * @sock: socket 2617 * @address: address 2618 * 2619 * Create or update the port list entry 2620 */ 2621 static int smk_ipv6_port_check(struct sock *sk, struct sockaddr_in6 *address, 2622 int act) 2623 { 2624 struct smk_port_label *spp; 2625 struct socket_smack *ssp = sk->sk_security; 2626 struct smack_known *skp = NULL; 2627 unsigned short port; 2628 struct smack_known *object; 2629 2630 if (act == SMK_RECEIVING) { 2631 skp = smack_ipv6host_label(address); 2632 object = ssp->smk_in; 2633 } else { 2634 skp = ssp->smk_out; 2635 object = smack_ipv6host_label(address); 2636 } 2637 2638 /* 2639 * The other end is a single label host. 2640 */ 2641 if (skp != NULL && object != NULL) 2642 return smk_ipv6_check(skp, object, address, act); 2643 if (skp == NULL) 2644 skp = smack_net_ambient; 2645 if (object == NULL) 2646 object = smack_net_ambient; 2647 2648 /* 2649 * It's remote, so port lookup does no good. 2650 */ 2651 if (!smk_ipv6_localhost(address)) 2652 return smk_ipv6_check(skp, object, address, act); 2653 2654 /* 2655 * It's local so the send check has to have passed. 2656 */ 2657 if (act == SMK_RECEIVING) 2658 return 0; 2659 2660 port = ntohs(address->sin6_port); 2661 list_for_each_entry(spp, &smk_ipv6_port_list, list) { 2662 if (spp->smk_port != port) 2663 continue; 2664 object = spp->smk_in; 2665 if (act == SMK_CONNECTING) 2666 ssp->smk_packet = spp->smk_out; 2667 break; 2668 } 2669 2670 return smk_ipv6_check(skp, object, address, act); 2671 } 2672 #endif /* SMACK_IPV6_PORT_LABELING */ 2673 2674 /** 2675 * smack_inode_setsecurity - set smack xattrs 2676 * @inode: the object 2677 * @name: attribute name 2678 * @value: attribute value 2679 * @size: size of the attribute 2680 * @flags: unused 2681 * 2682 * Sets the named attribute in the appropriate blob 2683 * 2684 * Returns 0 on success, or an error code 2685 */ 2686 static int smack_inode_setsecurity(struct inode *inode, const char *name, 2687 const void *value, size_t size, int flags) 2688 { 2689 struct smack_known *skp; 2690 struct inode_smack *nsp = inode->i_security; 2691 struct socket_smack *ssp; 2692 struct socket *sock; 2693 int rc = 0; 2694 2695 if (value == NULL || size > SMK_LONGLABEL || size == 0) 2696 return -EINVAL; 2697 2698 skp = smk_import_entry(value, size); 2699 if (IS_ERR(skp)) 2700 return PTR_ERR(skp); 2701 2702 if (strcmp(name, XATTR_SMACK_SUFFIX) == 0) { 2703 nsp->smk_inode = skp; 2704 nsp->smk_flags |= SMK_INODE_INSTANT; 2705 return 0; 2706 } 2707 /* 2708 * The rest of the Smack xattrs are only on sockets. 2709 */ 2710 if (inode->i_sb->s_magic != SOCKFS_MAGIC) 2711 return -EOPNOTSUPP; 2712 2713 sock = SOCKET_I(inode); 2714 if (sock == NULL || sock->sk == NULL) 2715 return -EOPNOTSUPP; 2716 2717 ssp = sock->sk->sk_security; 2718 2719 if (strcmp(name, XATTR_SMACK_IPIN) == 0) 2720 ssp->smk_in = skp; 2721 else if (strcmp(name, XATTR_SMACK_IPOUT) == 0) { 2722 ssp->smk_out = skp; 2723 if (sock->sk->sk_family == PF_INET) { 2724 rc = smack_netlabel(sock->sk, SMACK_CIPSO_SOCKET); 2725 if (rc != 0) 2726 printk(KERN_WARNING 2727 "Smack: \"%s\" netlbl error %d.\n", 2728 __func__, -rc); 2729 } 2730 } else 2731 return -EOPNOTSUPP; 2732 2733 #ifdef SMACK_IPV6_PORT_LABELING 2734 if (sock->sk->sk_family == PF_INET6) 2735 smk_ipv6_port_label(sock, NULL); 2736 #endif 2737 2738 return 0; 2739 } 2740 2741 /** 2742 * smack_socket_post_create - finish socket setup 2743 * @sock: the socket 2744 * @family: protocol family 2745 * @type: unused 2746 * @protocol: unused 2747 * @kern: unused 2748 * 2749 * Sets the netlabel information on the socket 2750 * 2751 * Returns 0 on success, and error code otherwise 2752 */ 2753 static int smack_socket_post_create(struct socket *sock, int family, 2754 int type, int protocol, int kern) 2755 { 2756 struct socket_smack *ssp; 2757 2758 if (sock->sk == NULL) 2759 return 0; 2760 2761 /* 2762 * Sockets created by kernel threads receive web label. 2763 */ 2764 if (unlikely(current->flags & PF_KTHREAD)) { 2765 ssp = sock->sk->sk_security; 2766 ssp->smk_in = &smack_known_web; 2767 ssp->smk_out = &smack_known_web; 2768 } 2769 2770 if (family != PF_INET) 2771 return 0; 2772 /* 2773 * Set the outbound netlbl. 2774 */ 2775 return smack_netlabel(sock->sk, SMACK_CIPSO_SOCKET); 2776 } 2777 2778 #ifdef SMACK_IPV6_PORT_LABELING 2779 /** 2780 * smack_socket_bind - record port binding information. 2781 * @sock: the socket 2782 * @address: the port address 2783 * @addrlen: size of the address 2784 * 2785 * Records the label bound to a port. 2786 * 2787 * Returns 0 2788 */ 2789 static int smack_socket_bind(struct socket *sock, struct sockaddr *address, 2790 int addrlen) 2791 { 2792 if (sock->sk != NULL && sock->sk->sk_family == PF_INET6) 2793 smk_ipv6_port_label(sock, address); 2794 return 0; 2795 } 2796 #endif /* SMACK_IPV6_PORT_LABELING */ 2797 2798 /** 2799 * smack_socket_connect - connect access check 2800 * @sock: the socket 2801 * @sap: the other end 2802 * @addrlen: size of sap 2803 * 2804 * Verifies that a connection may be possible 2805 * 2806 * Returns 0 on success, and error code otherwise 2807 */ 2808 static int smack_socket_connect(struct socket *sock, struct sockaddr *sap, 2809 int addrlen) 2810 { 2811 int rc = 0; 2812 #if IS_ENABLED(CONFIG_IPV6) 2813 struct sockaddr_in6 *sip = (struct sockaddr_in6 *)sap; 2814 #endif 2815 #ifdef SMACK_IPV6_SECMARK_LABELING 2816 struct smack_known *rsp; 2817 struct socket_smack *ssp = sock->sk->sk_security; 2818 #endif 2819 2820 if (sock->sk == NULL) 2821 return 0; 2822 2823 switch (sock->sk->sk_family) { 2824 case PF_INET: 2825 if (addrlen < sizeof(struct sockaddr_in)) 2826 return -EINVAL; 2827 rc = smack_netlabel_send(sock->sk, (struct sockaddr_in *)sap); 2828 break; 2829 case PF_INET6: 2830 if (addrlen < sizeof(struct sockaddr_in6)) 2831 return -EINVAL; 2832 #ifdef SMACK_IPV6_SECMARK_LABELING 2833 rsp = smack_ipv6host_label(sip); 2834 if (rsp != NULL) 2835 rc = smk_ipv6_check(ssp->smk_out, rsp, sip, 2836 SMK_CONNECTING); 2837 #endif 2838 #ifdef SMACK_IPV6_PORT_LABELING 2839 rc = smk_ipv6_port_check(sock->sk, sip, SMK_CONNECTING); 2840 #endif 2841 break; 2842 } 2843 return rc; 2844 } 2845 2846 /** 2847 * smack_flags_to_may - convert S_ to MAY_ values 2848 * @flags: the S_ value 2849 * 2850 * Returns the equivalent MAY_ value 2851 */ 2852 static int smack_flags_to_may(int flags) 2853 { 2854 int may = 0; 2855 2856 if (flags & S_IRUGO) 2857 may |= MAY_READ; 2858 if (flags & S_IWUGO) 2859 may |= MAY_WRITE; 2860 if (flags & S_IXUGO) 2861 may |= MAY_EXEC; 2862 2863 return may; 2864 } 2865 2866 /** 2867 * smack_msg_msg_alloc_security - Set the security blob for msg_msg 2868 * @msg: the object 2869 * 2870 * Returns 0 2871 */ 2872 static int smack_msg_msg_alloc_security(struct msg_msg *msg) 2873 { 2874 struct smack_known *skp = smk_of_current(); 2875 2876 msg->security = skp; 2877 return 0; 2878 } 2879 2880 /** 2881 * smack_msg_msg_free_security - Clear the security blob for msg_msg 2882 * @msg: the object 2883 * 2884 * Clears the blob pointer 2885 */ 2886 static void smack_msg_msg_free_security(struct msg_msg *msg) 2887 { 2888 msg->security = NULL; 2889 } 2890 2891 /** 2892 * smack_of_shm - the smack pointer for the shm 2893 * @shp: the object 2894 * 2895 * Returns a pointer to the smack value 2896 */ 2897 static struct smack_known *smack_of_shm(struct shmid_kernel *shp) 2898 { 2899 return (struct smack_known *)shp->shm_perm.security; 2900 } 2901 2902 /** 2903 * smack_shm_alloc_security - Set the security blob for shm 2904 * @shp: the object 2905 * 2906 * Returns 0 2907 */ 2908 static int smack_shm_alloc_security(struct shmid_kernel *shp) 2909 { 2910 struct kern_ipc_perm *isp = &shp->shm_perm; 2911 struct smack_known *skp = smk_of_current(); 2912 2913 isp->security = skp; 2914 return 0; 2915 } 2916 2917 /** 2918 * smack_shm_free_security - Clear the security blob for shm 2919 * @shp: the object 2920 * 2921 * Clears the blob pointer 2922 */ 2923 static void smack_shm_free_security(struct shmid_kernel *shp) 2924 { 2925 struct kern_ipc_perm *isp = &shp->shm_perm; 2926 2927 isp->security = NULL; 2928 } 2929 2930 /** 2931 * smk_curacc_shm : check if current has access on shm 2932 * @shp : the object 2933 * @access : access requested 2934 * 2935 * Returns 0 if current has the requested access, error code otherwise 2936 */ 2937 static int smk_curacc_shm(struct shmid_kernel *shp, int access) 2938 { 2939 struct smack_known *ssp = smack_of_shm(shp); 2940 struct smk_audit_info ad; 2941 int rc; 2942 2943 #ifdef CONFIG_AUDIT 2944 smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_IPC); 2945 ad.a.u.ipc_id = shp->shm_perm.id; 2946 #endif 2947 rc = smk_curacc(ssp, access, &ad); 2948 rc = smk_bu_current("shm", ssp, access, rc); 2949 return rc; 2950 } 2951 2952 /** 2953 * smack_shm_associate - Smack access check for shm 2954 * @shp: the object 2955 * @shmflg: access requested 2956 * 2957 * Returns 0 if current has the requested access, error code otherwise 2958 */ 2959 static int smack_shm_associate(struct shmid_kernel *shp, int shmflg) 2960 { 2961 int may; 2962 2963 may = smack_flags_to_may(shmflg); 2964 return smk_curacc_shm(shp, may); 2965 } 2966 2967 /** 2968 * smack_shm_shmctl - Smack access check for shm 2969 * @shp: the object 2970 * @cmd: what it wants to do 2971 * 2972 * Returns 0 if current has the requested access, error code otherwise 2973 */ 2974 static int smack_shm_shmctl(struct shmid_kernel *shp, int cmd) 2975 { 2976 int may; 2977 2978 switch (cmd) { 2979 case IPC_STAT: 2980 case SHM_STAT: 2981 may = MAY_READ; 2982 break; 2983 case IPC_SET: 2984 case SHM_LOCK: 2985 case SHM_UNLOCK: 2986 case IPC_RMID: 2987 may = MAY_READWRITE; 2988 break; 2989 case IPC_INFO: 2990 case SHM_INFO: 2991 /* 2992 * System level information. 2993 */ 2994 return 0; 2995 default: 2996 return -EINVAL; 2997 } 2998 return smk_curacc_shm(shp, may); 2999 } 3000 3001 /** 3002 * smack_shm_shmat - Smack access for shmat 3003 * @shp: the object 3004 * @shmaddr: unused 3005 * @shmflg: access requested 3006 * 3007 * Returns 0 if current has the requested access, error code otherwise 3008 */ 3009 static int smack_shm_shmat(struct shmid_kernel *shp, char __user *shmaddr, 3010 int shmflg) 3011 { 3012 int may; 3013 3014 may = smack_flags_to_may(shmflg); 3015 return smk_curacc_shm(shp, may); 3016 } 3017 3018 /** 3019 * smack_of_sem - the smack pointer for the sem 3020 * @sma: the object 3021 * 3022 * Returns a pointer to the smack value 3023 */ 3024 static struct smack_known *smack_of_sem(struct sem_array *sma) 3025 { 3026 return (struct smack_known *)sma->sem_perm.security; 3027 } 3028 3029 /** 3030 * smack_sem_alloc_security - Set the security blob for sem 3031 * @sma: the object 3032 * 3033 * Returns 0 3034 */ 3035 static int smack_sem_alloc_security(struct sem_array *sma) 3036 { 3037 struct kern_ipc_perm *isp = &sma->sem_perm; 3038 struct smack_known *skp = smk_of_current(); 3039 3040 isp->security = skp; 3041 return 0; 3042 } 3043 3044 /** 3045 * smack_sem_free_security - Clear the security blob for sem 3046 * @sma: the object 3047 * 3048 * Clears the blob pointer 3049 */ 3050 static void smack_sem_free_security(struct sem_array *sma) 3051 { 3052 struct kern_ipc_perm *isp = &sma->sem_perm; 3053 3054 isp->security = NULL; 3055 } 3056 3057 /** 3058 * smk_curacc_sem : check if current has access on sem 3059 * @sma : the object 3060 * @access : access requested 3061 * 3062 * Returns 0 if current has the requested access, error code otherwise 3063 */ 3064 static int smk_curacc_sem(struct sem_array *sma, int access) 3065 { 3066 struct smack_known *ssp = smack_of_sem(sma); 3067 struct smk_audit_info ad; 3068 int rc; 3069 3070 #ifdef CONFIG_AUDIT 3071 smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_IPC); 3072 ad.a.u.ipc_id = sma->sem_perm.id; 3073 #endif 3074 rc = smk_curacc(ssp, access, &ad); 3075 rc = smk_bu_current("sem", ssp, access, rc); 3076 return rc; 3077 } 3078 3079 /** 3080 * smack_sem_associate - Smack access check for sem 3081 * @sma: the object 3082 * @semflg: access requested 3083 * 3084 * Returns 0 if current has the requested access, error code otherwise 3085 */ 3086 static int smack_sem_associate(struct sem_array *sma, int semflg) 3087 { 3088 int may; 3089 3090 may = smack_flags_to_may(semflg); 3091 return smk_curacc_sem(sma, may); 3092 } 3093 3094 /** 3095 * smack_sem_shmctl - Smack access check for sem 3096 * @sma: the object 3097 * @cmd: what it wants to do 3098 * 3099 * Returns 0 if current has the requested access, error code otherwise 3100 */ 3101 static int smack_sem_semctl(struct sem_array *sma, int cmd) 3102 { 3103 int may; 3104 3105 switch (cmd) { 3106 case GETPID: 3107 case GETNCNT: 3108 case GETZCNT: 3109 case GETVAL: 3110 case GETALL: 3111 case IPC_STAT: 3112 case SEM_STAT: 3113 may = MAY_READ; 3114 break; 3115 case SETVAL: 3116 case SETALL: 3117 case IPC_RMID: 3118 case IPC_SET: 3119 may = MAY_READWRITE; 3120 break; 3121 case IPC_INFO: 3122 case SEM_INFO: 3123 /* 3124 * System level information 3125 */ 3126 return 0; 3127 default: 3128 return -EINVAL; 3129 } 3130 3131 return smk_curacc_sem(sma, may); 3132 } 3133 3134 /** 3135 * smack_sem_semop - Smack checks of semaphore operations 3136 * @sma: the object 3137 * @sops: unused 3138 * @nsops: unused 3139 * @alter: unused 3140 * 3141 * Treated as read and write in all cases. 3142 * 3143 * Returns 0 if access is allowed, error code otherwise 3144 */ 3145 static int smack_sem_semop(struct sem_array *sma, struct sembuf *sops, 3146 unsigned nsops, int alter) 3147 { 3148 return smk_curacc_sem(sma, MAY_READWRITE); 3149 } 3150 3151 /** 3152 * smack_msg_alloc_security - Set the security blob for msg 3153 * @msq: the object 3154 * 3155 * Returns 0 3156 */ 3157 static int smack_msg_queue_alloc_security(struct msg_queue *msq) 3158 { 3159 struct kern_ipc_perm *kisp = &msq->q_perm; 3160 struct smack_known *skp = smk_of_current(); 3161 3162 kisp->security = skp; 3163 return 0; 3164 } 3165 3166 /** 3167 * smack_msg_free_security - Clear the security blob for msg 3168 * @msq: the object 3169 * 3170 * Clears the blob pointer 3171 */ 3172 static void smack_msg_queue_free_security(struct msg_queue *msq) 3173 { 3174 struct kern_ipc_perm *kisp = &msq->q_perm; 3175 3176 kisp->security = NULL; 3177 } 3178 3179 /** 3180 * smack_of_msq - the smack pointer for the msq 3181 * @msq: the object 3182 * 3183 * Returns a pointer to the smack label entry 3184 */ 3185 static struct smack_known *smack_of_msq(struct msg_queue *msq) 3186 { 3187 return (struct smack_known *)msq->q_perm.security; 3188 } 3189 3190 /** 3191 * smk_curacc_msq : helper to check if current has access on msq 3192 * @msq : the msq 3193 * @access : access requested 3194 * 3195 * return 0 if current has access, error otherwise 3196 */ 3197 static int smk_curacc_msq(struct msg_queue *msq, int access) 3198 { 3199 struct smack_known *msp = smack_of_msq(msq); 3200 struct smk_audit_info ad; 3201 int rc; 3202 3203 #ifdef CONFIG_AUDIT 3204 smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_IPC); 3205 ad.a.u.ipc_id = msq->q_perm.id; 3206 #endif 3207 rc = smk_curacc(msp, access, &ad); 3208 rc = smk_bu_current("msq", msp, access, rc); 3209 return rc; 3210 } 3211 3212 /** 3213 * smack_msg_queue_associate - Smack access check for msg_queue 3214 * @msq: the object 3215 * @msqflg: access requested 3216 * 3217 * Returns 0 if current has the requested access, error code otherwise 3218 */ 3219 static int smack_msg_queue_associate(struct msg_queue *msq, int msqflg) 3220 { 3221 int may; 3222 3223 may = smack_flags_to_may(msqflg); 3224 return smk_curacc_msq(msq, may); 3225 } 3226 3227 /** 3228 * smack_msg_queue_msgctl - Smack access check for msg_queue 3229 * @msq: the object 3230 * @cmd: what it wants to do 3231 * 3232 * Returns 0 if current has the requested access, error code otherwise 3233 */ 3234 static int smack_msg_queue_msgctl(struct msg_queue *msq, int cmd) 3235 { 3236 int may; 3237 3238 switch (cmd) { 3239 case IPC_STAT: 3240 case MSG_STAT: 3241 may = MAY_READ; 3242 break; 3243 case IPC_SET: 3244 case IPC_RMID: 3245 may = MAY_READWRITE; 3246 break; 3247 case IPC_INFO: 3248 case MSG_INFO: 3249 /* 3250 * System level information 3251 */ 3252 return 0; 3253 default: 3254 return -EINVAL; 3255 } 3256 3257 return smk_curacc_msq(msq, may); 3258 } 3259 3260 /** 3261 * smack_msg_queue_msgsnd - Smack access check for msg_queue 3262 * @msq: the object 3263 * @msg: unused 3264 * @msqflg: access requested 3265 * 3266 * Returns 0 if current has the requested access, error code otherwise 3267 */ 3268 static int smack_msg_queue_msgsnd(struct msg_queue *msq, struct msg_msg *msg, 3269 int msqflg) 3270 { 3271 int may; 3272 3273 may = smack_flags_to_may(msqflg); 3274 return smk_curacc_msq(msq, may); 3275 } 3276 3277 /** 3278 * smack_msg_queue_msgsnd - Smack access check for msg_queue 3279 * @msq: the object 3280 * @msg: unused 3281 * @target: unused 3282 * @type: unused 3283 * @mode: unused 3284 * 3285 * Returns 0 if current has read and write access, error code otherwise 3286 */ 3287 static int smack_msg_queue_msgrcv(struct msg_queue *msq, struct msg_msg *msg, 3288 struct task_struct *target, long type, int mode) 3289 { 3290 return smk_curacc_msq(msq, MAY_READWRITE); 3291 } 3292 3293 /** 3294 * smack_ipc_permission - Smack access for ipc_permission() 3295 * @ipp: the object permissions 3296 * @flag: access requested 3297 * 3298 * Returns 0 if current has read and write access, error code otherwise 3299 */ 3300 static int smack_ipc_permission(struct kern_ipc_perm *ipp, short flag) 3301 { 3302 struct smack_known *iskp = ipp->security; 3303 int may = smack_flags_to_may(flag); 3304 struct smk_audit_info ad; 3305 int rc; 3306 3307 #ifdef CONFIG_AUDIT 3308 smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_IPC); 3309 ad.a.u.ipc_id = ipp->id; 3310 #endif 3311 rc = smk_curacc(iskp, may, &ad); 3312 rc = smk_bu_current("svipc", iskp, may, rc); 3313 return rc; 3314 } 3315 3316 /** 3317 * smack_ipc_getsecid - Extract smack security id 3318 * @ipp: the object permissions 3319 * @secid: where result will be saved 3320 */ 3321 static void smack_ipc_getsecid(struct kern_ipc_perm *ipp, u32 *secid) 3322 { 3323 struct smack_known *iskp = ipp->security; 3324 3325 *secid = iskp->smk_secid; 3326 } 3327 3328 /** 3329 * smack_d_instantiate - Make sure the blob is correct on an inode 3330 * @opt_dentry: dentry where inode will be attached 3331 * @inode: the object 3332 * 3333 * Set the inode's security blob if it hasn't been done already. 3334 */ 3335 static void smack_d_instantiate(struct dentry *opt_dentry, struct inode *inode) 3336 { 3337 struct super_block *sbp; 3338 struct superblock_smack *sbsp; 3339 struct inode_smack *isp; 3340 struct smack_known *skp; 3341 struct smack_known *ckp = smk_of_current(); 3342 struct smack_known *final; 3343 char trattr[TRANS_TRUE_SIZE]; 3344 int transflag = 0; 3345 int rc; 3346 struct dentry *dp; 3347 3348 if (inode == NULL) 3349 return; 3350 3351 isp = inode->i_security; 3352 3353 mutex_lock(&isp->smk_lock); 3354 /* 3355 * If the inode is already instantiated 3356 * take the quick way out 3357 */ 3358 if (isp->smk_flags & SMK_INODE_INSTANT) 3359 goto unlockandout; 3360 3361 sbp = inode->i_sb; 3362 sbsp = sbp->s_security; 3363 /* 3364 * We're going to use the superblock default label 3365 * if there's no label on the file. 3366 */ 3367 final = sbsp->smk_default; 3368 3369 /* 3370 * If this is the root inode the superblock 3371 * may be in the process of initialization. 3372 * If that is the case use the root value out 3373 * of the superblock. 3374 */ 3375 if (opt_dentry->d_parent == opt_dentry) { 3376 switch (sbp->s_magic) { 3377 case CGROUP_SUPER_MAGIC: 3378 /* 3379 * The cgroup filesystem is never mounted, 3380 * so there's no opportunity to set the mount 3381 * options. 3382 */ 3383 sbsp->smk_root = &smack_known_star; 3384 sbsp->smk_default = &smack_known_star; 3385 isp->smk_inode = sbsp->smk_root; 3386 break; 3387 case TMPFS_MAGIC: 3388 /* 3389 * What about shmem/tmpfs anonymous files with dentry 3390 * obtained from d_alloc_pseudo()? 3391 */ 3392 isp->smk_inode = smk_of_current(); 3393 break; 3394 case PIPEFS_MAGIC: 3395 isp->smk_inode = smk_of_current(); 3396 break; 3397 default: 3398 isp->smk_inode = sbsp->smk_root; 3399 break; 3400 } 3401 isp->smk_flags |= SMK_INODE_INSTANT; 3402 goto unlockandout; 3403 } 3404 3405 /* 3406 * This is pretty hackish. 3407 * Casey says that we shouldn't have to do 3408 * file system specific code, but it does help 3409 * with keeping it simple. 3410 */ 3411 switch (sbp->s_magic) { 3412 case SMACK_MAGIC: 3413 case PIPEFS_MAGIC: 3414 case SOCKFS_MAGIC: 3415 case CGROUP_SUPER_MAGIC: 3416 /* 3417 * Casey says that it's a little embarrassing 3418 * that the smack file system doesn't do 3419 * extended attributes. 3420 * 3421 * Casey says pipes are easy (?) 3422 * 3423 * Socket access is controlled by the socket 3424 * structures associated with the task involved. 3425 * 3426 * Cgroupfs is special 3427 */ 3428 final = &smack_known_star; 3429 break; 3430 case DEVPTS_SUPER_MAGIC: 3431 /* 3432 * devpts seems content with the label of the task. 3433 * Programs that change smack have to treat the 3434 * pty with respect. 3435 */ 3436 final = ckp; 3437 break; 3438 case PROC_SUPER_MAGIC: 3439 /* 3440 * Casey says procfs appears not to care. 3441 * The superblock default suffices. 3442 */ 3443 break; 3444 case TMPFS_MAGIC: 3445 /* 3446 * Device labels should come from the filesystem, 3447 * but watch out, because they're volitile, 3448 * getting recreated on every reboot. 3449 */ 3450 final = &smack_known_star; 3451 /* 3452 * No break. 3453 * 3454 * If a smack value has been set we want to use it, 3455 * but since tmpfs isn't giving us the opportunity 3456 * to set mount options simulate setting the 3457 * superblock default. 3458 */ 3459 default: 3460 /* 3461 * This isn't an understood special case. 3462 * Get the value from the xattr. 3463 */ 3464 3465 /* 3466 * UNIX domain sockets use lower level socket data. 3467 */ 3468 if (S_ISSOCK(inode->i_mode)) { 3469 final = &smack_known_star; 3470 break; 3471 } 3472 /* 3473 * No xattr support means, alas, no SMACK label. 3474 * Use the aforeapplied default. 3475 * It would be curious if the label of the task 3476 * does not match that assigned. 3477 */ 3478 if (inode->i_op->getxattr == NULL) 3479 break; 3480 /* 3481 * Get the dentry for xattr. 3482 */ 3483 dp = dget(opt_dentry); 3484 skp = smk_fetch(XATTR_NAME_SMACK, inode, dp); 3485 if (!IS_ERR_OR_NULL(skp)) 3486 final = skp; 3487 3488 /* 3489 * Transmuting directory 3490 */ 3491 if (S_ISDIR(inode->i_mode)) { 3492 /* 3493 * If this is a new directory and the label was 3494 * transmuted when the inode was initialized 3495 * set the transmute attribute on the directory 3496 * and mark the inode. 3497 * 3498 * If there is a transmute attribute on the 3499 * directory mark the inode. 3500 */ 3501 if (isp->smk_flags & SMK_INODE_CHANGED) { 3502 isp->smk_flags &= ~SMK_INODE_CHANGED; 3503 rc = inode->i_op->setxattr(dp, 3504 XATTR_NAME_SMACKTRANSMUTE, 3505 TRANS_TRUE, TRANS_TRUE_SIZE, 3506 0); 3507 } else { 3508 rc = inode->i_op->getxattr(dp, 3509 XATTR_NAME_SMACKTRANSMUTE, trattr, 3510 TRANS_TRUE_SIZE); 3511 if (rc >= 0 && strncmp(trattr, TRANS_TRUE, 3512 TRANS_TRUE_SIZE) != 0) 3513 rc = -EINVAL; 3514 } 3515 if (rc >= 0) 3516 transflag = SMK_INODE_TRANSMUTE; 3517 } 3518 /* 3519 * Don't let the exec or mmap label be "*" or "@". 3520 */ 3521 skp = smk_fetch(XATTR_NAME_SMACKEXEC, inode, dp); 3522 if (IS_ERR(skp) || skp == &smack_known_star || 3523 skp == &smack_known_web) 3524 skp = NULL; 3525 isp->smk_task = skp; 3526 3527 skp = smk_fetch(XATTR_NAME_SMACKMMAP, inode, dp); 3528 if (IS_ERR(skp) || skp == &smack_known_star || 3529 skp == &smack_known_web) 3530 skp = NULL; 3531 isp->smk_mmap = skp; 3532 3533 dput(dp); 3534 break; 3535 } 3536 3537 if (final == NULL) 3538 isp->smk_inode = ckp; 3539 else 3540 isp->smk_inode = final; 3541 3542 isp->smk_flags |= (SMK_INODE_INSTANT | transflag); 3543 3544 unlockandout: 3545 mutex_unlock(&isp->smk_lock); 3546 return; 3547 } 3548 3549 /** 3550 * smack_getprocattr - Smack process attribute access 3551 * @p: the object task 3552 * @name: the name of the attribute in /proc/.../attr 3553 * @value: where to put the result 3554 * 3555 * Places a copy of the task Smack into value 3556 * 3557 * Returns the length of the smack label or an error code 3558 */ 3559 static int smack_getprocattr(struct task_struct *p, char *name, char **value) 3560 { 3561 struct smack_known *skp = smk_of_task_struct(p); 3562 char *cp; 3563 int slen; 3564 3565 if (strcmp(name, "current") != 0) 3566 return -EINVAL; 3567 3568 cp = kstrdup(skp->smk_known, GFP_KERNEL); 3569 if (cp == NULL) 3570 return -ENOMEM; 3571 3572 slen = strlen(cp); 3573 *value = cp; 3574 return slen; 3575 } 3576 3577 /** 3578 * smack_setprocattr - Smack process attribute setting 3579 * @p: the object task 3580 * @name: the name of the attribute in /proc/.../attr 3581 * @value: the value to set 3582 * @size: the size of the value 3583 * 3584 * Sets the Smack value of the task. Only setting self 3585 * is permitted and only with privilege 3586 * 3587 * Returns the length of the smack label or an error code 3588 */ 3589 static int smack_setprocattr(struct task_struct *p, char *name, 3590 void *value, size_t size) 3591 { 3592 struct task_smack *tsp = current_security(); 3593 struct cred *new; 3594 struct smack_known *skp; 3595 struct smack_known_list_elem *sklep; 3596 int rc; 3597 3598 /* 3599 * Changing another process' Smack value is too dangerous 3600 * and supports no sane use case. 3601 */ 3602 if (p != current) 3603 return -EPERM; 3604 3605 if (!smack_privileged(CAP_MAC_ADMIN) && list_empty(&tsp->smk_relabel)) 3606 return -EPERM; 3607 3608 if (value == NULL || size == 0 || size >= SMK_LONGLABEL) 3609 return -EINVAL; 3610 3611 if (strcmp(name, "current") != 0) 3612 return -EINVAL; 3613 3614 skp = smk_import_entry(value, size); 3615 if (IS_ERR(skp)) 3616 return PTR_ERR(skp); 3617 3618 /* 3619 * No process is ever allowed the web ("@") label. 3620 */ 3621 if (skp == &smack_known_web) 3622 return -EPERM; 3623 3624 if (!smack_privileged(CAP_MAC_ADMIN)) { 3625 rc = -EPERM; 3626 list_for_each_entry(sklep, &tsp->smk_relabel, list) 3627 if (sklep->smk_label == skp) { 3628 rc = 0; 3629 break; 3630 } 3631 if (rc) 3632 return rc; 3633 } 3634 3635 new = prepare_creds(); 3636 if (new == NULL) 3637 return -ENOMEM; 3638 3639 tsp = new->security; 3640 tsp->smk_task = skp; 3641 /* 3642 * process can change its label only once 3643 */ 3644 smk_destroy_label_list(&tsp->smk_relabel); 3645 3646 commit_creds(new); 3647 return size; 3648 } 3649 3650 /** 3651 * smack_unix_stream_connect - Smack access on UDS 3652 * @sock: one sock 3653 * @other: the other sock 3654 * @newsk: unused 3655 * 3656 * Return 0 if a subject with the smack of sock could access 3657 * an object with the smack of other, otherwise an error code 3658 */ 3659 static int smack_unix_stream_connect(struct sock *sock, 3660 struct sock *other, struct sock *newsk) 3661 { 3662 struct smack_known *skp; 3663 struct smack_known *okp; 3664 struct socket_smack *ssp = sock->sk_security; 3665 struct socket_smack *osp = other->sk_security; 3666 struct socket_smack *nsp = newsk->sk_security; 3667 struct smk_audit_info ad; 3668 int rc = 0; 3669 #ifdef CONFIG_AUDIT 3670 struct lsm_network_audit net; 3671 #endif 3672 3673 if (!smack_privileged(CAP_MAC_OVERRIDE)) { 3674 skp = ssp->smk_out; 3675 okp = osp->smk_in; 3676 #ifdef CONFIG_AUDIT 3677 smk_ad_init_net(&ad, __func__, LSM_AUDIT_DATA_NET, &net); 3678 smk_ad_setfield_u_net_sk(&ad, other); 3679 #endif 3680 rc = smk_access(skp, okp, MAY_WRITE, &ad); 3681 rc = smk_bu_note("UDS connect", skp, okp, MAY_WRITE, rc); 3682 if (rc == 0) { 3683 okp = osp->smk_out; 3684 skp = ssp->smk_in; 3685 rc = smk_access(okp, skp, MAY_WRITE, &ad); 3686 rc = smk_bu_note("UDS connect", okp, skp, 3687 MAY_WRITE, rc); 3688 } 3689 } 3690 3691 /* 3692 * Cross reference the peer labels for SO_PEERSEC. 3693 */ 3694 if (rc == 0) { 3695 nsp->smk_packet = ssp->smk_out; 3696 ssp->smk_packet = osp->smk_out; 3697 } 3698 3699 return rc; 3700 } 3701 3702 /** 3703 * smack_unix_may_send - Smack access on UDS 3704 * @sock: one socket 3705 * @other: the other socket 3706 * 3707 * Return 0 if a subject with the smack of sock could access 3708 * an object with the smack of other, otherwise an error code 3709 */ 3710 static int smack_unix_may_send(struct socket *sock, struct socket *other) 3711 { 3712 struct socket_smack *ssp = sock->sk->sk_security; 3713 struct socket_smack *osp = other->sk->sk_security; 3714 struct smk_audit_info ad; 3715 int rc; 3716 3717 #ifdef CONFIG_AUDIT 3718 struct lsm_network_audit net; 3719 3720 smk_ad_init_net(&ad, __func__, LSM_AUDIT_DATA_NET, &net); 3721 smk_ad_setfield_u_net_sk(&ad, other->sk); 3722 #endif 3723 3724 if (smack_privileged(CAP_MAC_OVERRIDE)) 3725 return 0; 3726 3727 rc = smk_access(ssp->smk_out, osp->smk_in, MAY_WRITE, &ad); 3728 rc = smk_bu_note("UDS send", ssp->smk_out, osp->smk_in, MAY_WRITE, rc); 3729 return rc; 3730 } 3731 3732 /** 3733 * smack_socket_sendmsg - Smack check based on destination host 3734 * @sock: the socket 3735 * @msg: the message 3736 * @size: the size of the message 3737 * 3738 * Return 0 if the current subject can write to the destination host. 3739 * For IPv4 this is only a question if the destination is a single label host. 3740 * For IPv6 this is a check against the label of the port. 3741 */ 3742 static int smack_socket_sendmsg(struct socket *sock, struct msghdr *msg, 3743 int size) 3744 { 3745 struct sockaddr_in *sip = (struct sockaddr_in *) msg->msg_name; 3746 #if IS_ENABLED(CONFIG_IPV6) 3747 struct sockaddr_in6 *sap = (struct sockaddr_in6 *) msg->msg_name; 3748 #endif 3749 #ifdef SMACK_IPV6_SECMARK_LABELING 3750 struct socket_smack *ssp = sock->sk->sk_security; 3751 struct smack_known *rsp; 3752 #endif 3753 int rc = 0; 3754 3755 /* 3756 * Perfectly reasonable for this to be NULL 3757 */ 3758 if (sip == NULL) 3759 return 0; 3760 3761 switch (sip->sin_family) { 3762 case AF_INET: 3763 rc = smack_netlabel_send(sock->sk, sip); 3764 break; 3765 case AF_INET6: 3766 #ifdef SMACK_IPV6_SECMARK_LABELING 3767 rsp = smack_ipv6host_label(sap); 3768 if (rsp != NULL) 3769 rc = smk_ipv6_check(ssp->smk_out, rsp, sap, 3770 SMK_CONNECTING); 3771 #endif 3772 #ifdef SMACK_IPV6_PORT_LABELING 3773 rc = smk_ipv6_port_check(sock->sk, sap, SMK_SENDING); 3774 #endif 3775 break; 3776 } 3777 return rc; 3778 } 3779 3780 /** 3781 * smack_from_secattr - Convert a netlabel attr.mls.lvl/attr.mls.cat pair to smack 3782 * @sap: netlabel secattr 3783 * @ssp: socket security information 3784 * 3785 * Returns a pointer to a Smack label entry found on the label list. 3786 */ 3787 static struct smack_known *smack_from_secattr(struct netlbl_lsm_secattr *sap, 3788 struct socket_smack *ssp) 3789 { 3790 struct smack_known *skp; 3791 int found = 0; 3792 int acat; 3793 int kcat; 3794 3795 if ((sap->flags & NETLBL_SECATTR_MLS_LVL) != 0) { 3796 /* 3797 * Looks like a CIPSO packet. 3798 * If there are flags but no level netlabel isn't 3799 * behaving the way we expect it to. 3800 * 3801 * Look it up in the label table 3802 * Without guidance regarding the smack value 3803 * for the packet fall back on the network 3804 * ambient value. 3805 */ 3806 rcu_read_lock(); 3807 list_for_each_entry(skp, &smack_known_list, list) { 3808 if (sap->attr.mls.lvl != skp->smk_netlabel.attr.mls.lvl) 3809 continue; 3810 /* 3811 * Compare the catsets. Use the netlbl APIs. 3812 */ 3813 if ((sap->flags & NETLBL_SECATTR_MLS_CAT) == 0) { 3814 if ((skp->smk_netlabel.flags & 3815 NETLBL_SECATTR_MLS_CAT) == 0) 3816 found = 1; 3817 break; 3818 } 3819 for (acat = -1, kcat = -1; acat == kcat; ) { 3820 acat = netlbl_catmap_walk(sap->attr.mls.cat, 3821 acat + 1); 3822 kcat = netlbl_catmap_walk( 3823 skp->smk_netlabel.attr.mls.cat, 3824 kcat + 1); 3825 if (acat < 0 || kcat < 0) 3826 break; 3827 } 3828 if (acat == kcat) { 3829 found = 1; 3830 break; 3831 } 3832 } 3833 rcu_read_unlock(); 3834 3835 if (found) 3836 return skp; 3837 3838 if (ssp != NULL && ssp->smk_in == &smack_known_star) 3839 return &smack_known_web; 3840 return &smack_known_star; 3841 } 3842 if ((sap->flags & NETLBL_SECATTR_SECID) != 0) { 3843 /* 3844 * Looks like a fallback, which gives us a secid. 3845 */ 3846 skp = smack_from_secid(sap->attr.secid); 3847 /* 3848 * This has got to be a bug because it is 3849 * impossible to specify a fallback without 3850 * specifying the label, which will ensure 3851 * it has a secid, and the only way to get a 3852 * secid is from a fallback. 3853 */ 3854 BUG_ON(skp == NULL); 3855 return skp; 3856 } 3857 /* 3858 * Without guidance regarding the smack value 3859 * for the packet fall back on the network 3860 * ambient value. 3861 */ 3862 return smack_net_ambient; 3863 } 3864 3865 #if IS_ENABLED(CONFIG_IPV6) 3866 static int smk_skb_to_addr_ipv6(struct sk_buff *skb, struct sockaddr_in6 *sip) 3867 { 3868 u8 nexthdr; 3869 int offset; 3870 int proto = -EINVAL; 3871 struct ipv6hdr _ipv6h; 3872 struct ipv6hdr *ip6; 3873 __be16 frag_off; 3874 struct tcphdr _tcph, *th; 3875 struct udphdr _udph, *uh; 3876 struct dccp_hdr _dccph, *dh; 3877 3878 sip->sin6_port = 0; 3879 3880 offset = skb_network_offset(skb); 3881 ip6 = skb_header_pointer(skb, offset, sizeof(_ipv6h), &_ipv6h); 3882 if (ip6 == NULL) 3883 return -EINVAL; 3884 sip->sin6_addr = ip6->saddr; 3885 3886 nexthdr = ip6->nexthdr; 3887 offset += sizeof(_ipv6h); 3888 offset = ipv6_skip_exthdr(skb, offset, &nexthdr, &frag_off); 3889 if (offset < 0) 3890 return -EINVAL; 3891 3892 proto = nexthdr; 3893 switch (proto) { 3894 case IPPROTO_TCP: 3895 th = skb_header_pointer(skb, offset, sizeof(_tcph), &_tcph); 3896 if (th != NULL) 3897 sip->sin6_port = th->source; 3898 break; 3899 case IPPROTO_UDP: 3900 uh = skb_header_pointer(skb, offset, sizeof(_udph), &_udph); 3901 if (uh != NULL) 3902 sip->sin6_port = uh->source; 3903 break; 3904 case IPPROTO_DCCP: 3905 dh = skb_header_pointer(skb, offset, sizeof(_dccph), &_dccph); 3906 if (dh != NULL) 3907 sip->sin6_port = dh->dccph_sport; 3908 break; 3909 } 3910 return proto; 3911 } 3912 #endif /* CONFIG_IPV6 */ 3913 3914 /** 3915 * smack_socket_sock_rcv_skb - Smack packet delivery access check 3916 * @sk: socket 3917 * @skb: packet 3918 * 3919 * Returns 0 if the packet should be delivered, an error code otherwise 3920 */ 3921 static int smack_socket_sock_rcv_skb(struct sock *sk, struct sk_buff *skb) 3922 { 3923 struct netlbl_lsm_secattr secattr; 3924 struct socket_smack *ssp = sk->sk_security; 3925 struct smack_known *skp = NULL; 3926 int rc = 0; 3927 struct smk_audit_info ad; 3928 #ifdef CONFIG_AUDIT 3929 struct lsm_network_audit net; 3930 #endif 3931 #if IS_ENABLED(CONFIG_IPV6) 3932 struct sockaddr_in6 sadd; 3933 int proto; 3934 #endif /* CONFIG_IPV6 */ 3935 3936 switch (sk->sk_family) { 3937 case PF_INET: 3938 #ifdef CONFIG_SECURITY_SMACK_NETFILTER 3939 /* 3940 * If there is a secmark use it rather than the CIPSO label. 3941 * If there is no secmark fall back to CIPSO. 3942 * The secmark is assumed to reflect policy better. 3943 */ 3944 if (skb && skb->secmark != 0) { 3945 skp = smack_from_secid(skb->secmark); 3946 goto access_check; 3947 } 3948 #endif /* CONFIG_SECURITY_SMACK_NETFILTER */ 3949 /* 3950 * Translate what netlabel gave us. 3951 */ 3952 netlbl_secattr_init(&secattr); 3953 3954 rc = netlbl_skbuff_getattr(skb, sk->sk_family, &secattr); 3955 if (rc == 0) 3956 skp = smack_from_secattr(&secattr, ssp); 3957 else 3958 skp = smack_net_ambient; 3959 3960 netlbl_secattr_destroy(&secattr); 3961 3962 #ifdef CONFIG_SECURITY_SMACK_NETFILTER 3963 access_check: 3964 #endif 3965 #ifdef CONFIG_AUDIT 3966 smk_ad_init_net(&ad, __func__, LSM_AUDIT_DATA_NET, &net); 3967 ad.a.u.net->family = sk->sk_family; 3968 ad.a.u.net->netif = skb->skb_iif; 3969 ipv4_skb_to_auditdata(skb, &ad.a, NULL); 3970 #endif 3971 /* 3972 * Receiving a packet requires that the other end 3973 * be able to write here. Read access is not required. 3974 * This is the simplist possible security model 3975 * for networking. 3976 */ 3977 rc = smk_access(skp, ssp->smk_in, MAY_WRITE, &ad); 3978 rc = smk_bu_note("IPv4 delivery", skp, ssp->smk_in, 3979 MAY_WRITE, rc); 3980 if (rc != 0) 3981 netlbl_skbuff_err(skb, rc, 0); 3982 break; 3983 #if IS_ENABLED(CONFIG_IPV6) 3984 case PF_INET6: 3985 proto = smk_skb_to_addr_ipv6(skb, &sadd); 3986 if (proto != IPPROTO_UDP && proto != IPPROTO_TCP) 3987 break; 3988 #ifdef SMACK_IPV6_SECMARK_LABELING 3989 if (skb && skb->secmark != 0) 3990 skp = smack_from_secid(skb->secmark); 3991 else 3992 skp = smack_ipv6host_label(&sadd); 3993 if (skp == NULL) 3994 skp = smack_net_ambient; 3995 #ifdef CONFIG_AUDIT 3996 smk_ad_init_net(&ad, __func__, LSM_AUDIT_DATA_NET, &net); 3997 ad.a.u.net->family = sk->sk_family; 3998 ad.a.u.net->netif = skb->skb_iif; 3999 ipv6_skb_to_auditdata(skb, &ad.a, NULL); 4000 #endif /* CONFIG_AUDIT */ 4001 rc = smk_access(skp, ssp->smk_in, MAY_WRITE, &ad); 4002 rc = smk_bu_note("IPv6 delivery", skp, ssp->smk_in, 4003 MAY_WRITE, rc); 4004 #endif /* SMACK_IPV6_SECMARK_LABELING */ 4005 #ifdef SMACK_IPV6_PORT_LABELING 4006 rc = smk_ipv6_port_check(sk, &sadd, SMK_RECEIVING); 4007 #endif /* SMACK_IPV6_PORT_LABELING */ 4008 break; 4009 #endif /* CONFIG_IPV6 */ 4010 } 4011 4012 return rc; 4013 } 4014 4015 /** 4016 * smack_socket_getpeersec_stream - pull in packet label 4017 * @sock: the socket 4018 * @optval: user's destination 4019 * @optlen: size thereof 4020 * @len: max thereof 4021 * 4022 * returns zero on success, an error code otherwise 4023 */ 4024 static int smack_socket_getpeersec_stream(struct socket *sock, 4025 char __user *optval, 4026 int __user *optlen, unsigned len) 4027 { 4028 struct socket_smack *ssp; 4029 char *rcp = ""; 4030 int slen = 1; 4031 int rc = 0; 4032 4033 ssp = sock->sk->sk_security; 4034 if (ssp->smk_packet != NULL) { 4035 rcp = ssp->smk_packet->smk_known; 4036 slen = strlen(rcp) + 1; 4037 } 4038 4039 if (slen > len) 4040 rc = -ERANGE; 4041 else if (copy_to_user(optval, rcp, slen) != 0) 4042 rc = -EFAULT; 4043 4044 if (put_user(slen, optlen) != 0) 4045 rc = -EFAULT; 4046 4047 return rc; 4048 } 4049 4050 4051 /** 4052 * smack_socket_getpeersec_dgram - pull in packet label 4053 * @sock: the peer socket 4054 * @skb: packet data 4055 * @secid: pointer to where to put the secid of the packet 4056 * 4057 * Sets the netlabel socket state on sk from parent 4058 */ 4059 static int smack_socket_getpeersec_dgram(struct socket *sock, 4060 struct sk_buff *skb, u32 *secid) 4061 4062 { 4063 struct netlbl_lsm_secattr secattr; 4064 struct socket_smack *ssp = NULL; 4065 struct smack_known *skp; 4066 int family = PF_UNSPEC; 4067 u32 s = 0; /* 0 is the invalid secid */ 4068 int rc; 4069 4070 if (skb != NULL) { 4071 if (skb->protocol == htons(ETH_P_IP)) 4072 family = PF_INET; 4073 #if IS_ENABLED(CONFIG_IPV6) 4074 else if (skb->protocol == htons(ETH_P_IPV6)) 4075 family = PF_INET6; 4076 #endif /* CONFIG_IPV6 */ 4077 } 4078 if (family == PF_UNSPEC && sock != NULL) 4079 family = sock->sk->sk_family; 4080 4081 switch (family) { 4082 case PF_UNIX: 4083 ssp = sock->sk->sk_security; 4084 s = ssp->smk_out->smk_secid; 4085 break; 4086 case PF_INET: 4087 #ifdef CONFIG_SECURITY_SMACK_NETFILTER 4088 s = skb->secmark; 4089 if (s != 0) 4090 break; 4091 #endif 4092 /* 4093 * Translate what netlabel gave us. 4094 */ 4095 if (sock != NULL && sock->sk != NULL) 4096 ssp = sock->sk->sk_security; 4097 netlbl_secattr_init(&secattr); 4098 rc = netlbl_skbuff_getattr(skb, family, &secattr); 4099 if (rc == 0) { 4100 skp = smack_from_secattr(&secattr, ssp); 4101 s = skp->smk_secid; 4102 } 4103 netlbl_secattr_destroy(&secattr); 4104 break; 4105 case PF_INET6: 4106 #ifdef SMACK_IPV6_SECMARK_LABELING 4107 s = skb->secmark; 4108 #endif 4109 break; 4110 } 4111 *secid = s; 4112 if (s == 0) 4113 return -EINVAL; 4114 return 0; 4115 } 4116 4117 /** 4118 * smack_sock_graft - Initialize a newly created socket with an existing sock 4119 * @sk: child sock 4120 * @parent: parent socket 4121 * 4122 * Set the smk_{in,out} state of an existing sock based on the process that 4123 * is creating the new socket. 4124 */ 4125 static void smack_sock_graft(struct sock *sk, struct socket *parent) 4126 { 4127 struct socket_smack *ssp; 4128 struct smack_known *skp = smk_of_current(); 4129 4130 if (sk == NULL || 4131 (sk->sk_family != PF_INET && sk->sk_family != PF_INET6)) 4132 return; 4133 4134 ssp = sk->sk_security; 4135 ssp->smk_in = skp; 4136 ssp->smk_out = skp; 4137 /* cssp->smk_packet is already set in smack_inet_csk_clone() */ 4138 } 4139 4140 /** 4141 * smack_inet_conn_request - Smack access check on connect 4142 * @sk: socket involved 4143 * @skb: packet 4144 * @req: unused 4145 * 4146 * Returns 0 if a task with the packet label could write to 4147 * the socket, otherwise an error code 4148 */ 4149 static int smack_inet_conn_request(struct sock *sk, struct sk_buff *skb, 4150 struct request_sock *req) 4151 { 4152 u16 family = sk->sk_family; 4153 struct smack_known *skp; 4154 struct socket_smack *ssp = sk->sk_security; 4155 struct netlbl_lsm_secattr secattr; 4156 struct sockaddr_in addr; 4157 struct iphdr *hdr; 4158 struct smack_known *hskp; 4159 int rc; 4160 struct smk_audit_info ad; 4161 #ifdef CONFIG_AUDIT 4162 struct lsm_network_audit net; 4163 #endif 4164 4165 #if IS_ENABLED(CONFIG_IPV6) 4166 if (family == PF_INET6) { 4167 /* 4168 * Handle mapped IPv4 packets arriving 4169 * via IPv6 sockets. Don't set up netlabel 4170 * processing on IPv6. 4171 */ 4172 if (skb->protocol == htons(ETH_P_IP)) 4173 family = PF_INET; 4174 else 4175 return 0; 4176 } 4177 #endif /* CONFIG_IPV6 */ 4178 4179 #ifdef CONFIG_SECURITY_SMACK_NETFILTER 4180 /* 4181 * If there is a secmark use it rather than the CIPSO label. 4182 * If there is no secmark fall back to CIPSO. 4183 * The secmark is assumed to reflect policy better. 4184 */ 4185 if (skb && skb->secmark != 0) { 4186 skp = smack_from_secid(skb->secmark); 4187 goto access_check; 4188 } 4189 #endif /* CONFIG_SECURITY_SMACK_NETFILTER */ 4190 4191 netlbl_secattr_init(&secattr); 4192 rc = netlbl_skbuff_getattr(skb, family, &secattr); 4193 if (rc == 0) 4194 skp = smack_from_secattr(&secattr, ssp); 4195 else 4196 skp = &smack_known_huh; 4197 netlbl_secattr_destroy(&secattr); 4198 4199 #ifdef CONFIG_SECURITY_SMACK_NETFILTER 4200 access_check: 4201 #endif 4202 4203 #ifdef CONFIG_AUDIT 4204 smk_ad_init_net(&ad, __func__, LSM_AUDIT_DATA_NET, &net); 4205 ad.a.u.net->family = family; 4206 ad.a.u.net->netif = skb->skb_iif; 4207 ipv4_skb_to_auditdata(skb, &ad.a, NULL); 4208 #endif 4209 /* 4210 * Receiving a packet requires that the other end be able to write 4211 * here. Read access is not required. 4212 */ 4213 rc = smk_access(skp, ssp->smk_in, MAY_WRITE, &ad); 4214 rc = smk_bu_note("IPv4 connect", skp, ssp->smk_in, MAY_WRITE, rc); 4215 if (rc != 0) 4216 return rc; 4217 4218 /* 4219 * Save the peer's label in the request_sock so we can later setup 4220 * smk_packet in the child socket so that SO_PEERCRED can report it. 4221 */ 4222 req->peer_secid = skp->smk_secid; 4223 4224 /* 4225 * We need to decide if we want to label the incoming connection here 4226 * if we do we only need to label the request_sock and the stack will 4227 * propagate the wire-label to the sock when it is created. 4228 */ 4229 hdr = ip_hdr(skb); 4230 addr.sin_addr.s_addr = hdr->saddr; 4231 rcu_read_lock(); 4232 hskp = smack_ipv4host_label(&addr); 4233 rcu_read_unlock(); 4234 4235 if (hskp == NULL) 4236 rc = netlbl_req_setattr(req, &skp->smk_netlabel); 4237 else 4238 netlbl_req_delattr(req); 4239 4240 return rc; 4241 } 4242 4243 /** 4244 * smack_inet_csk_clone - Copy the connection information to the new socket 4245 * @sk: the new socket 4246 * @req: the connection's request_sock 4247 * 4248 * Transfer the connection's peer label to the newly created socket. 4249 */ 4250 static void smack_inet_csk_clone(struct sock *sk, 4251 const struct request_sock *req) 4252 { 4253 struct socket_smack *ssp = sk->sk_security; 4254 struct smack_known *skp; 4255 4256 if (req->peer_secid != 0) { 4257 skp = smack_from_secid(req->peer_secid); 4258 ssp->smk_packet = skp; 4259 } else 4260 ssp->smk_packet = NULL; 4261 } 4262 4263 /* 4264 * Key management security hooks 4265 * 4266 * Casey has not tested key support very heavily. 4267 * The permission check is most likely too restrictive. 4268 * If you care about keys please have a look. 4269 */ 4270 #ifdef CONFIG_KEYS 4271 4272 /** 4273 * smack_key_alloc - Set the key security blob 4274 * @key: object 4275 * @cred: the credentials to use 4276 * @flags: unused 4277 * 4278 * No allocation required 4279 * 4280 * Returns 0 4281 */ 4282 static int smack_key_alloc(struct key *key, const struct cred *cred, 4283 unsigned long flags) 4284 { 4285 struct smack_known *skp = smk_of_task(cred->security); 4286 4287 key->security = skp; 4288 return 0; 4289 } 4290 4291 /** 4292 * smack_key_free - Clear the key security blob 4293 * @key: the object 4294 * 4295 * Clear the blob pointer 4296 */ 4297 static void smack_key_free(struct key *key) 4298 { 4299 key->security = NULL; 4300 } 4301 4302 /** 4303 * smack_key_permission - Smack access on a key 4304 * @key_ref: gets to the object 4305 * @cred: the credentials to use 4306 * @perm: requested key permissions 4307 * 4308 * Return 0 if the task has read and write to the object, 4309 * an error code otherwise 4310 */ 4311 static int smack_key_permission(key_ref_t key_ref, 4312 const struct cred *cred, unsigned perm) 4313 { 4314 struct key *keyp; 4315 struct smk_audit_info ad; 4316 struct smack_known *tkp = smk_of_task(cred->security); 4317 int request = 0; 4318 int rc; 4319 4320 keyp = key_ref_to_ptr(key_ref); 4321 if (keyp == NULL) 4322 return -EINVAL; 4323 /* 4324 * If the key hasn't been initialized give it access so that 4325 * it may do so. 4326 */ 4327 if (keyp->security == NULL) 4328 return 0; 4329 /* 4330 * This should not occur 4331 */ 4332 if (tkp == NULL) 4333 return -EACCES; 4334 #ifdef CONFIG_AUDIT 4335 smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_KEY); 4336 ad.a.u.key_struct.key = keyp->serial; 4337 ad.a.u.key_struct.key_desc = keyp->description; 4338 #endif 4339 if (perm & KEY_NEED_READ) 4340 request = MAY_READ; 4341 if (perm & (KEY_NEED_WRITE | KEY_NEED_LINK | KEY_NEED_SETATTR)) 4342 request = MAY_WRITE; 4343 rc = smk_access(tkp, keyp->security, request, &ad); 4344 rc = smk_bu_note("key access", tkp, keyp->security, request, rc); 4345 return rc; 4346 } 4347 4348 /* 4349 * smack_key_getsecurity - Smack label tagging the key 4350 * @key points to the key to be queried 4351 * @_buffer points to a pointer that should be set to point to the 4352 * resulting string (if no label or an error occurs). 4353 * Return the length of the string (including terminating NUL) or -ve if 4354 * an error. 4355 * May also return 0 (and a NULL buffer pointer) if there is no label. 4356 */ 4357 static int smack_key_getsecurity(struct key *key, char **_buffer) 4358 { 4359 struct smack_known *skp = key->security; 4360 size_t length; 4361 char *copy; 4362 4363 if (key->security == NULL) { 4364 *_buffer = NULL; 4365 return 0; 4366 } 4367 4368 copy = kstrdup(skp->smk_known, GFP_KERNEL); 4369 if (copy == NULL) 4370 return -ENOMEM; 4371 length = strlen(copy) + 1; 4372 4373 *_buffer = copy; 4374 return length; 4375 } 4376 4377 #endif /* CONFIG_KEYS */ 4378 4379 /* 4380 * Smack Audit hooks 4381 * 4382 * Audit requires a unique representation of each Smack specific 4383 * rule. This unique representation is used to distinguish the 4384 * object to be audited from remaining kernel objects and also 4385 * works as a glue between the audit hooks. 4386 * 4387 * Since repository entries are added but never deleted, we'll use 4388 * the smack_known label address related to the given audit rule as 4389 * the needed unique representation. This also better fits the smack 4390 * model where nearly everything is a label. 4391 */ 4392 #ifdef CONFIG_AUDIT 4393 4394 /** 4395 * smack_audit_rule_init - Initialize a smack audit rule 4396 * @field: audit rule fields given from user-space (audit.h) 4397 * @op: required testing operator (=, !=, >, <, ...) 4398 * @rulestr: smack label to be audited 4399 * @vrule: pointer to save our own audit rule representation 4400 * 4401 * Prepare to audit cases where (@field @op @rulestr) is true. 4402 * The label to be audited is created if necessay. 4403 */ 4404 static int smack_audit_rule_init(u32 field, u32 op, char *rulestr, void **vrule) 4405 { 4406 struct smack_known *skp; 4407 char **rule = (char **)vrule; 4408 *rule = NULL; 4409 4410 if (field != AUDIT_SUBJ_USER && field != AUDIT_OBJ_USER) 4411 return -EINVAL; 4412 4413 if (op != Audit_equal && op != Audit_not_equal) 4414 return -EINVAL; 4415 4416 skp = smk_import_entry(rulestr, 0); 4417 if (IS_ERR(skp)) 4418 return PTR_ERR(skp); 4419 4420 *rule = skp->smk_known; 4421 4422 return 0; 4423 } 4424 4425 /** 4426 * smack_audit_rule_known - Distinguish Smack audit rules 4427 * @krule: rule of interest, in Audit kernel representation format 4428 * 4429 * This is used to filter Smack rules from remaining Audit ones. 4430 * If it's proved that this rule belongs to us, the 4431 * audit_rule_match hook will be called to do the final judgement. 4432 */ 4433 static int smack_audit_rule_known(struct audit_krule *krule) 4434 { 4435 struct audit_field *f; 4436 int i; 4437 4438 for (i = 0; i < krule->field_count; i++) { 4439 f = &krule->fields[i]; 4440 4441 if (f->type == AUDIT_SUBJ_USER || f->type == AUDIT_OBJ_USER) 4442 return 1; 4443 } 4444 4445 return 0; 4446 } 4447 4448 /** 4449 * smack_audit_rule_match - Audit given object ? 4450 * @secid: security id for identifying the object to test 4451 * @field: audit rule flags given from user-space 4452 * @op: required testing operator 4453 * @vrule: smack internal rule presentation 4454 * @actx: audit context associated with the check 4455 * 4456 * The core Audit hook. It's used to take the decision of 4457 * whether to audit or not to audit a given object. 4458 */ 4459 static int smack_audit_rule_match(u32 secid, u32 field, u32 op, void *vrule, 4460 struct audit_context *actx) 4461 { 4462 struct smack_known *skp; 4463 char *rule = vrule; 4464 4465 if (unlikely(!rule)) { 4466 WARN_ONCE(1, "Smack: missing rule\n"); 4467 return -ENOENT; 4468 } 4469 4470 if (field != AUDIT_SUBJ_USER && field != AUDIT_OBJ_USER) 4471 return 0; 4472 4473 skp = smack_from_secid(secid); 4474 4475 /* 4476 * No need to do string comparisons. If a match occurs, 4477 * both pointers will point to the same smack_known 4478 * label. 4479 */ 4480 if (op == Audit_equal) 4481 return (rule == skp->smk_known); 4482 if (op == Audit_not_equal) 4483 return (rule != skp->smk_known); 4484 4485 return 0; 4486 } 4487 4488 /** 4489 * smack_audit_rule_free - free smack rule representation 4490 * @vrule: rule to be freed. 4491 * 4492 * No memory was allocated. 4493 */ 4494 static void smack_audit_rule_free(void *vrule) 4495 { 4496 /* No-op */ 4497 } 4498 4499 #endif /* CONFIG_AUDIT */ 4500 4501 /** 4502 * smack_ismaclabel - check if xattr @name references a smack MAC label 4503 * @name: Full xattr name to check. 4504 */ 4505 static int smack_ismaclabel(const char *name) 4506 { 4507 return (strcmp(name, XATTR_SMACK_SUFFIX) == 0); 4508 } 4509 4510 4511 /** 4512 * smack_secid_to_secctx - return the smack label for a secid 4513 * @secid: incoming integer 4514 * @secdata: destination 4515 * @seclen: how long it is 4516 * 4517 * Exists for networking code. 4518 */ 4519 static int smack_secid_to_secctx(u32 secid, char **secdata, u32 *seclen) 4520 { 4521 struct smack_known *skp = smack_from_secid(secid); 4522 4523 if (secdata) 4524 *secdata = skp->smk_known; 4525 *seclen = strlen(skp->smk_known); 4526 return 0; 4527 } 4528 4529 /** 4530 * smack_secctx_to_secid - return the secid for a smack label 4531 * @secdata: smack label 4532 * @seclen: how long result is 4533 * @secid: outgoing integer 4534 * 4535 * Exists for audit and networking code. 4536 */ 4537 static int smack_secctx_to_secid(const char *secdata, u32 seclen, u32 *secid) 4538 { 4539 struct smack_known *skp = smk_find_entry(secdata); 4540 4541 if (skp) 4542 *secid = skp->smk_secid; 4543 else 4544 *secid = 0; 4545 return 0; 4546 } 4547 4548 /** 4549 * smack_release_secctx - don't do anything. 4550 * @secdata: unused 4551 * @seclen: unused 4552 * 4553 * Exists to make sure nothing gets done, and properly 4554 */ 4555 static void smack_release_secctx(char *secdata, u32 seclen) 4556 { 4557 } 4558 4559 static int smack_inode_notifysecctx(struct inode *inode, void *ctx, u32 ctxlen) 4560 { 4561 return smack_inode_setsecurity(inode, XATTR_SMACK_SUFFIX, ctx, ctxlen, 0); 4562 } 4563 4564 static int smack_inode_setsecctx(struct dentry *dentry, void *ctx, u32 ctxlen) 4565 { 4566 return __vfs_setxattr_noperm(dentry, XATTR_NAME_SMACK, ctx, ctxlen, 0); 4567 } 4568 4569 static int smack_inode_getsecctx(struct inode *inode, void **ctx, u32 *ctxlen) 4570 { 4571 int len = 0; 4572 len = smack_inode_getsecurity(inode, XATTR_SMACK_SUFFIX, ctx, true); 4573 4574 if (len < 0) 4575 return len; 4576 *ctxlen = len; 4577 return 0; 4578 } 4579 4580 static struct security_hook_list smack_hooks[] = { 4581 LSM_HOOK_INIT(ptrace_access_check, smack_ptrace_access_check), 4582 LSM_HOOK_INIT(ptrace_traceme, smack_ptrace_traceme), 4583 LSM_HOOK_INIT(syslog, smack_syslog), 4584 4585 LSM_HOOK_INIT(sb_alloc_security, smack_sb_alloc_security), 4586 LSM_HOOK_INIT(sb_free_security, smack_sb_free_security), 4587 LSM_HOOK_INIT(sb_copy_data, smack_sb_copy_data), 4588 LSM_HOOK_INIT(sb_kern_mount, smack_sb_kern_mount), 4589 LSM_HOOK_INIT(sb_statfs, smack_sb_statfs), 4590 LSM_HOOK_INIT(sb_set_mnt_opts, smack_set_mnt_opts), 4591 LSM_HOOK_INIT(sb_parse_opts_str, smack_parse_opts_str), 4592 4593 LSM_HOOK_INIT(bprm_set_creds, smack_bprm_set_creds), 4594 LSM_HOOK_INIT(bprm_committing_creds, smack_bprm_committing_creds), 4595 LSM_HOOK_INIT(bprm_secureexec, smack_bprm_secureexec), 4596 4597 LSM_HOOK_INIT(inode_alloc_security, smack_inode_alloc_security), 4598 LSM_HOOK_INIT(inode_free_security, smack_inode_free_security), 4599 LSM_HOOK_INIT(inode_init_security, smack_inode_init_security), 4600 LSM_HOOK_INIT(inode_link, smack_inode_link), 4601 LSM_HOOK_INIT(inode_unlink, smack_inode_unlink), 4602 LSM_HOOK_INIT(inode_rmdir, smack_inode_rmdir), 4603 LSM_HOOK_INIT(inode_rename, smack_inode_rename), 4604 LSM_HOOK_INIT(inode_permission, smack_inode_permission), 4605 LSM_HOOK_INIT(inode_setattr, smack_inode_setattr), 4606 LSM_HOOK_INIT(inode_getattr, smack_inode_getattr), 4607 LSM_HOOK_INIT(inode_setxattr, smack_inode_setxattr), 4608 LSM_HOOK_INIT(inode_post_setxattr, smack_inode_post_setxattr), 4609 LSM_HOOK_INIT(inode_getxattr, smack_inode_getxattr), 4610 LSM_HOOK_INIT(inode_removexattr, smack_inode_removexattr), 4611 LSM_HOOK_INIT(inode_getsecurity, smack_inode_getsecurity), 4612 LSM_HOOK_INIT(inode_setsecurity, smack_inode_setsecurity), 4613 LSM_HOOK_INIT(inode_listsecurity, smack_inode_listsecurity), 4614 LSM_HOOK_INIT(inode_getsecid, smack_inode_getsecid), 4615 4616 LSM_HOOK_INIT(file_permission, smack_file_permission), 4617 LSM_HOOK_INIT(file_alloc_security, smack_file_alloc_security), 4618 LSM_HOOK_INIT(file_free_security, smack_file_free_security), 4619 LSM_HOOK_INIT(file_ioctl, smack_file_ioctl), 4620 LSM_HOOK_INIT(file_lock, smack_file_lock), 4621 LSM_HOOK_INIT(file_fcntl, smack_file_fcntl), 4622 LSM_HOOK_INIT(mmap_file, smack_mmap_file), 4623 LSM_HOOK_INIT(mmap_addr, cap_mmap_addr), 4624 LSM_HOOK_INIT(file_set_fowner, smack_file_set_fowner), 4625 LSM_HOOK_INIT(file_send_sigiotask, smack_file_send_sigiotask), 4626 LSM_HOOK_INIT(file_receive, smack_file_receive), 4627 4628 LSM_HOOK_INIT(file_open, smack_file_open), 4629 4630 LSM_HOOK_INIT(cred_alloc_blank, smack_cred_alloc_blank), 4631 LSM_HOOK_INIT(cred_free, smack_cred_free), 4632 LSM_HOOK_INIT(cred_prepare, smack_cred_prepare), 4633 LSM_HOOK_INIT(cred_transfer, smack_cred_transfer), 4634 LSM_HOOK_INIT(kernel_act_as, smack_kernel_act_as), 4635 LSM_HOOK_INIT(kernel_create_files_as, smack_kernel_create_files_as), 4636 LSM_HOOK_INIT(task_setpgid, smack_task_setpgid), 4637 LSM_HOOK_INIT(task_getpgid, smack_task_getpgid), 4638 LSM_HOOK_INIT(task_getsid, smack_task_getsid), 4639 LSM_HOOK_INIT(task_getsecid, smack_task_getsecid), 4640 LSM_HOOK_INIT(task_setnice, smack_task_setnice), 4641 LSM_HOOK_INIT(task_setioprio, smack_task_setioprio), 4642 LSM_HOOK_INIT(task_getioprio, smack_task_getioprio), 4643 LSM_HOOK_INIT(task_setscheduler, smack_task_setscheduler), 4644 LSM_HOOK_INIT(task_getscheduler, smack_task_getscheduler), 4645 LSM_HOOK_INIT(task_movememory, smack_task_movememory), 4646 LSM_HOOK_INIT(task_kill, smack_task_kill), 4647 LSM_HOOK_INIT(task_wait, smack_task_wait), 4648 LSM_HOOK_INIT(task_to_inode, smack_task_to_inode), 4649 4650 LSM_HOOK_INIT(ipc_permission, smack_ipc_permission), 4651 LSM_HOOK_INIT(ipc_getsecid, smack_ipc_getsecid), 4652 4653 LSM_HOOK_INIT(msg_msg_alloc_security, smack_msg_msg_alloc_security), 4654 LSM_HOOK_INIT(msg_msg_free_security, smack_msg_msg_free_security), 4655 4656 LSM_HOOK_INIT(msg_queue_alloc_security, smack_msg_queue_alloc_security), 4657 LSM_HOOK_INIT(msg_queue_free_security, smack_msg_queue_free_security), 4658 LSM_HOOK_INIT(msg_queue_associate, smack_msg_queue_associate), 4659 LSM_HOOK_INIT(msg_queue_msgctl, smack_msg_queue_msgctl), 4660 LSM_HOOK_INIT(msg_queue_msgsnd, smack_msg_queue_msgsnd), 4661 LSM_HOOK_INIT(msg_queue_msgrcv, smack_msg_queue_msgrcv), 4662 4663 LSM_HOOK_INIT(shm_alloc_security, smack_shm_alloc_security), 4664 LSM_HOOK_INIT(shm_free_security, smack_shm_free_security), 4665 LSM_HOOK_INIT(shm_associate, smack_shm_associate), 4666 LSM_HOOK_INIT(shm_shmctl, smack_shm_shmctl), 4667 LSM_HOOK_INIT(shm_shmat, smack_shm_shmat), 4668 4669 LSM_HOOK_INIT(sem_alloc_security, smack_sem_alloc_security), 4670 LSM_HOOK_INIT(sem_free_security, smack_sem_free_security), 4671 LSM_HOOK_INIT(sem_associate, smack_sem_associate), 4672 LSM_HOOK_INIT(sem_semctl, smack_sem_semctl), 4673 LSM_HOOK_INIT(sem_semop, smack_sem_semop), 4674 4675 LSM_HOOK_INIT(d_instantiate, smack_d_instantiate), 4676 4677 LSM_HOOK_INIT(getprocattr, smack_getprocattr), 4678 LSM_HOOK_INIT(setprocattr, smack_setprocattr), 4679 4680 LSM_HOOK_INIT(unix_stream_connect, smack_unix_stream_connect), 4681 LSM_HOOK_INIT(unix_may_send, smack_unix_may_send), 4682 4683 LSM_HOOK_INIT(socket_post_create, smack_socket_post_create), 4684 #ifdef SMACK_IPV6_PORT_LABELING 4685 LSM_HOOK_INIT(socket_bind, smack_socket_bind), 4686 #endif 4687 LSM_HOOK_INIT(socket_connect, smack_socket_connect), 4688 LSM_HOOK_INIT(socket_sendmsg, smack_socket_sendmsg), 4689 LSM_HOOK_INIT(socket_sock_rcv_skb, smack_socket_sock_rcv_skb), 4690 LSM_HOOK_INIT(socket_getpeersec_stream, smack_socket_getpeersec_stream), 4691 LSM_HOOK_INIT(socket_getpeersec_dgram, smack_socket_getpeersec_dgram), 4692 LSM_HOOK_INIT(sk_alloc_security, smack_sk_alloc_security), 4693 LSM_HOOK_INIT(sk_free_security, smack_sk_free_security), 4694 LSM_HOOK_INIT(sock_graft, smack_sock_graft), 4695 LSM_HOOK_INIT(inet_conn_request, smack_inet_conn_request), 4696 LSM_HOOK_INIT(inet_csk_clone, smack_inet_csk_clone), 4697 4698 /* key management security hooks */ 4699 #ifdef CONFIG_KEYS 4700 LSM_HOOK_INIT(key_alloc, smack_key_alloc), 4701 LSM_HOOK_INIT(key_free, smack_key_free), 4702 LSM_HOOK_INIT(key_permission, smack_key_permission), 4703 LSM_HOOK_INIT(key_getsecurity, smack_key_getsecurity), 4704 #endif /* CONFIG_KEYS */ 4705 4706 /* Audit hooks */ 4707 #ifdef CONFIG_AUDIT 4708 LSM_HOOK_INIT(audit_rule_init, smack_audit_rule_init), 4709 LSM_HOOK_INIT(audit_rule_known, smack_audit_rule_known), 4710 LSM_HOOK_INIT(audit_rule_match, smack_audit_rule_match), 4711 LSM_HOOK_INIT(audit_rule_free, smack_audit_rule_free), 4712 #endif /* CONFIG_AUDIT */ 4713 4714 LSM_HOOK_INIT(ismaclabel, smack_ismaclabel), 4715 LSM_HOOK_INIT(secid_to_secctx, smack_secid_to_secctx), 4716 LSM_HOOK_INIT(secctx_to_secid, smack_secctx_to_secid), 4717 LSM_HOOK_INIT(release_secctx, smack_release_secctx), 4718 LSM_HOOK_INIT(inode_notifysecctx, smack_inode_notifysecctx), 4719 LSM_HOOK_INIT(inode_setsecctx, smack_inode_setsecctx), 4720 LSM_HOOK_INIT(inode_getsecctx, smack_inode_getsecctx), 4721 }; 4722 4723 4724 static __init void init_smack_known_list(void) 4725 { 4726 /* 4727 * Initialize rule list locks 4728 */ 4729 mutex_init(&smack_known_huh.smk_rules_lock); 4730 mutex_init(&smack_known_hat.smk_rules_lock); 4731 mutex_init(&smack_known_floor.smk_rules_lock); 4732 mutex_init(&smack_known_star.smk_rules_lock); 4733 mutex_init(&smack_known_invalid.smk_rules_lock); 4734 mutex_init(&smack_known_web.smk_rules_lock); 4735 /* 4736 * Initialize rule lists 4737 */ 4738 INIT_LIST_HEAD(&smack_known_huh.smk_rules); 4739 INIT_LIST_HEAD(&smack_known_hat.smk_rules); 4740 INIT_LIST_HEAD(&smack_known_star.smk_rules); 4741 INIT_LIST_HEAD(&smack_known_floor.smk_rules); 4742 INIT_LIST_HEAD(&smack_known_invalid.smk_rules); 4743 INIT_LIST_HEAD(&smack_known_web.smk_rules); 4744 /* 4745 * Create the known labels list 4746 */ 4747 smk_insert_entry(&smack_known_huh); 4748 smk_insert_entry(&smack_known_hat); 4749 smk_insert_entry(&smack_known_star); 4750 smk_insert_entry(&smack_known_floor); 4751 smk_insert_entry(&smack_known_invalid); 4752 smk_insert_entry(&smack_known_web); 4753 } 4754 4755 /** 4756 * smack_init - initialize the smack system 4757 * 4758 * Returns 0 4759 */ 4760 static __init int smack_init(void) 4761 { 4762 struct cred *cred; 4763 struct task_smack *tsp; 4764 4765 if (!security_module_enable("smack")) 4766 return 0; 4767 4768 smack_inode_cache = KMEM_CACHE(inode_smack, 0); 4769 if (!smack_inode_cache) 4770 return -ENOMEM; 4771 4772 tsp = new_task_smack(&smack_known_floor, &smack_known_floor, 4773 GFP_KERNEL); 4774 if (tsp == NULL) { 4775 kmem_cache_destroy(smack_inode_cache); 4776 return -ENOMEM; 4777 } 4778 4779 smack_enabled = 1; 4780 4781 pr_info("Smack: Initializing.\n"); 4782 #ifdef CONFIG_SECURITY_SMACK_NETFILTER 4783 pr_info("Smack: Netfilter enabled.\n"); 4784 #endif 4785 #ifdef SMACK_IPV6_PORT_LABELING 4786 pr_info("Smack: IPv6 port labeling enabled.\n"); 4787 #endif 4788 #ifdef SMACK_IPV6_SECMARK_LABELING 4789 pr_info("Smack: IPv6 Netfilter enabled.\n"); 4790 #endif 4791 4792 /* 4793 * Set the security state for the initial task. 4794 */ 4795 cred = (struct cred *) current->cred; 4796 cred->security = tsp; 4797 4798 /* initialize the smack_known_list */ 4799 init_smack_known_list(); 4800 4801 /* 4802 * Register with LSM 4803 */ 4804 security_add_hooks(smack_hooks, ARRAY_SIZE(smack_hooks)); 4805 4806 return 0; 4807 } 4808 4809 /* 4810 * Smack requires early initialization in order to label 4811 * all processes and objects when they are created. 4812 */ 4813 security_initcall(smack_init); 4814