1 /* 2 * Simplified MAC Kernel (smack) security module 3 * 4 * This file contains the smack hook function implementations. 5 * 6 * Authors: 7 * Casey Schaufler <casey@schaufler-ca.com> 8 * Jarkko Sakkinen <jarkko.sakkinen@intel.com> 9 * 10 * Copyright (C) 2007 Casey Schaufler <casey@schaufler-ca.com> 11 * Copyright (C) 2009 Hewlett-Packard Development Company, L.P. 12 * Paul Moore <paul@paul-moore.com> 13 * Copyright (C) 2010 Nokia Corporation 14 * Copyright (C) 2011 Intel Corporation. 15 * 16 * This program is free software; you can redistribute it and/or modify 17 * it under the terms of the GNU General Public License version 2, 18 * as published by the Free Software Foundation. 19 */ 20 21 #include <linux/xattr.h> 22 #include <linux/pagemap.h> 23 #include <linux/mount.h> 24 #include <linux/stat.h> 25 #include <linux/kd.h> 26 #include <asm/ioctls.h> 27 #include <linux/ip.h> 28 #include <linux/tcp.h> 29 #include <linux/udp.h> 30 #include <linux/dccp.h> 31 #include <linux/icmpv6.h> 32 #include <linux/slab.h> 33 #include <linux/mutex.h> 34 #include <linux/pipe_fs_i.h> 35 #include <net/cipso_ipv4.h> 36 #include <net/ip.h> 37 #include <net/ipv6.h> 38 #include <linux/audit.h> 39 #include <linux/magic.h> 40 #include <linux/dcache.h> 41 #include <linux/personality.h> 42 #include <linux/msg.h> 43 #include <linux/shm.h> 44 #include <linux/binfmts.h> 45 #include <linux/parser.h> 46 #include "smack.h" 47 48 #define TRANS_TRUE "TRUE" 49 #define TRANS_TRUE_SIZE 4 50 51 #define SMK_CONNECTING 0 52 #define SMK_RECEIVING 1 53 #define SMK_SENDING 2 54 55 #ifdef SMACK_IPV6_PORT_LABELING 56 DEFINE_MUTEX(smack_ipv6_lock); 57 static LIST_HEAD(smk_ipv6_port_list); 58 #endif 59 static struct kmem_cache *smack_inode_cache; 60 int smack_enabled; 61 62 #define A(s) {"smack"#s, sizeof("smack"#s) - 1, Opt_##s} 63 static struct { 64 const char *name; 65 int len; 66 int opt; 67 } smk_mount_opts[] = { 68 A(fsdefault), A(fsfloor), A(fshat), A(fsroot), A(fstransmute) 69 }; 70 #undef A 71 72 static int match_opt_prefix(char *s, int l, char **arg) 73 { 74 int i; 75 76 for (i = 0; i < ARRAY_SIZE(smk_mount_opts); i++) { 77 size_t len = smk_mount_opts[i].len; 78 if (len > l || memcmp(s, smk_mount_opts[i].name, len)) 79 continue; 80 if (len == l || s[len] != '=') 81 continue; 82 *arg = s + len + 1; 83 return smk_mount_opts[i].opt; 84 } 85 return Opt_error; 86 } 87 88 #ifdef CONFIG_SECURITY_SMACK_BRINGUP 89 static char *smk_bu_mess[] = { 90 "Bringup Error", /* Unused */ 91 "Bringup", /* SMACK_BRINGUP_ALLOW */ 92 "Unconfined Subject", /* SMACK_UNCONFINED_SUBJECT */ 93 "Unconfined Object", /* SMACK_UNCONFINED_OBJECT */ 94 }; 95 96 static void smk_bu_mode(int mode, char *s) 97 { 98 int i = 0; 99 100 if (mode & MAY_READ) 101 s[i++] = 'r'; 102 if (mode & MAY_WRITE) 103 s[i++] = 'w'; 104 if (mode & MAY_EXEC) 105 s[i++] = 'x'; 106 if (mode & MAY_APPEND) 107 s[i++] = 'a'; 108 if (mode & MAY_TRANSMUTE) 109 s[i++] = 't'; 110 if (mode & MAY_LOCK) 111 s[i++] = 'l'; 112 if (i == 0) 113 s[i++] = '-'; 114 s[i] = '\0'; 115 } 116 #endif 117 118 #ifdef CONFIG_SECURITY_SMACK_BRINGUP 119 static int smk_bu_note(char *note, struct smack_known *sskp, 120 struct smack_known *oskp, int mode, int rc) 121 { 122 char acc[SMK_NUM_ACCESS_TYPE + 1]; 123 124 if (rc <= 0) 125 return rc; 126 if (rc > SMACK_UNCONFINED_OBJECT) 127 rc = 0; 128 129 smk_bu_mode(mode, acc); 130 pr_info("Smack %s: (%s %s %s) %s\n", smk_bu_mess[rc], 131 sskp->smk_known, oskp->smk_known, acc, note); 132 return 0; 133 } 134 #else 135 #define smk_bu_note(note, sskp, oskp, mode, RC) (RC) 136 #endif 137 138 #ifdef CONFIG_SECURITY_SMACK_BRINGUP 139 static int smk_bu_current(char *note, struct smack_known *oskp, 140 int mode, int rc) 141 { 142 struct task_smack *tsp = current_security(); 143 char acc[SMK_NUM_ACCESS_TYPE + 1]; 144 145 if (rc <= 0) 146 return rc; 147 if (rc > SMACK_UNCONFINED_OBJECT) 148 rc = 0; 149 150 smk_bu_mode(mode, acc); 151 pr_info("Smack %s: (%s %s %s) %s %s\n", smk_bu_mess[rc], 152 tsp->smk_task->smk_known, oskp->smk_known, 153 acc, current->comm, note); 154 return 0; 155 } 156 #else 157 #define smk_bu_current(note, oskp, mode, RC) (RC) 158 #endif 159 160 #ifdef CONFIG_SECURITY_SMACK_BRINGUP 161 static int smk_bu_task(struct task_struct *otp, int mode, int rc) 162 { 163 struct task_smack *tsp = current_security(); 164 struct smack_known *smk_task = smk_of_task_struct(otp); 165 char acc[SMK_NUM_ACCESS_TYPE + 1]; 166 167 if (rc <= 0) 168 return rc; 169 if (rc > SMACK_UNCONFINED_OBJECT) 170 rc = 0; 171 172 smk_bu_mode(mode, acc); 173 pr_info("Smack %s: (%s %s %s) %s to %s\n", smk_bu_mess[rc], 174 tsp->smk_task->smk_known, smk_task->smk_known, acc, 175 current->comm, otp->comm); 176 return 0; 177 } 178 #else 179 #define smk_bu_task(otp, mode, RC) (RC) 180 #endif 181 182 #ifdef CONFIG_SECURITY_SMACK_BRINGUP 183 static int smk_bu_inode(struct inode *inode, int mode, int rc) 184 { 185 struct task_smack *tsp = current_security(); 186 struct inode_smack *isp = inode->i_security; 187 char acc[SMK_NUM_ACCESS_TYPE + 1]; 188 189 if (isp->smk_flags & SMK_INODE_IMPURE) 190 pr_info("Smack Unconfined Corruption: inode=(%s %ld) %s\n", 191 inode->i_sb->s_id, inode->i_ino, current->comm); 192 193 if (rc <= 0) 194 return rc; 195 if (rc > SMACK_UNCONFINED_OBJECT) 196 rc = 0; 197 if (rc == SMACK_UNCONFINED_SUBJECT && 198 (mode & (MAY_WRITE | MAY_APPEND))) 199 isp->smk_flags |= SMK_INODE_IMPURE; 200 201 smk_bu_mode(mode, acc); 202 203 pr_info("Smack %s: (%s %s %s) inode=(%s %ld) %s\n", smk_bu_mess[rc], 204 tsp->smk_task->smk_known, isp->smk_inode->smk_known, acc, 205 inode->i_sb->s_id, inode->i_ino, current->comm); 206 return 0; 207 } 208 #else 209 #define smk_bu_inode(inode, mode, RC) (RC) 210 #endif 211 212 #ifdef CONFIG_SECURITY_SMACK_BRINGUP 213 static int smk_bu_file(struct file *file, int mode, int rc) 214 { 215 struct task_smack *tsp = current_security(); 216 struct smack_known *sskp = tsp->smk_task; 217 struct inode *inode = file_inode(file); 218 struct inode_smack *isp = inode->i_security; 219 char acc[SMK_NUM_ACCESS_TYPE + 1]; 220 221 if (isp->smk_flags & SMK_INODE_IMPURE) 222 pr_info("Smack Unconfined Corruption: inode=(%s %ld) %s\n", 223 inode->i_sb->s_id, inode->i_ino, current->comm); 224 225 if (rc <= 0) 226 return rc; 227 if (rc > SMACK_UNCONFINED_OBJECT) 228 rc = 0; 229 230 smk_bu_mode(mode, acc); 231 pr_info("Smack %s: (%s %s %s) file=(%s %ld %pD) %s\n", smk_bu_mess[rc], 232 sskp->smk_known, smk_of_inode(inode)->smk_known, acc, 233 inode->i_sb->s_id, inode->i_ino, file, 234 current->comm); 235 return 0; 236 } 237 #else 238 #define smk_bu_file(file, mode, RC) (RC) 239 #endif 240 241 #ifdef CONFIG_SECURITY_SMACK_BRINGUP 242 static int smk_bu_credfile(const struct cred *cred, struct file *file, 243 int mode, int rc) 244 { 245 struct task_smack *tsp = cred->security; 246 struct smack_known *sskp = tsp->smk_task; 247 struct inode *inode = file_inode(file); 248 struct inode_smack *isp = inode->i_security; 249 char acc[SMK_NUM_ACCESS_TYPE + 1]; 250 251 if (isp->smk_flags & SMK_INODE_IMPURE) 252 pr_info("Smack Unconfined Corruption: inode=(%s %ld) %s\n", 253 inode->i_sb->s_id, inode->i_ino, current->comm); 254 255 if (rc <= 0) 256 return rc; 257 if (rc > SMACK_UNCONFINED_OBJECT) 258 rc = 0; 259 260 smk_bu_mode(mode, acc); 261 pr_info("Smack %s: (%s %s %s) file=(%s %ld %pD) %s\n", smk_bu_mess[rc], 262 sskp->smk_known, smk_of_inode(inode)->smk_known, acc, 263 inode->i_sb->s_id, inode->i_ino, file, 264 current->comm); 265 return 0; 266 } 267 #else 268 #define smk_bu_credfile(cred, file, mode, RC) (RC) 269 #endif 270 271 /** 272 * smk_fetch - Fetch the smack label from a file. 273 * @name: type of the label (attribute) 274 * @ip: a pointer to the inode 275 * @dp: a pointer to the dentry 276 * 277 * Returns a pointer to the master list entry for the Smack label, 278 * NULL if there was no label to fetch, or an error code. 279 */ 280 static struct smack_known *smk_fetch(const char *name, struct inode *ip, 281 struct dentry *dp) 282 { 283 int rc; 284 char *buffer; 285 struct smack_known *skp = NULL; 286 287 if (!(ip->i_opflags & IOP_XATTR)) 288 return ERR_PTR(-EOPNOTSUPP); 289 290 buffer = kzalloc(SMK_LONGLABEL, GFP_KERNEL); 291 if (buffer == NULL) 292 return ERR_PTR(-ENOMEM); 293 294 rc = __vfs_getxattr(dp, ip, name, buffer, SMK_LONGLABEL); 295 if (rc < 0) 296 skp = ERR_PTR(rc); 297 else if (rc == 0) 298 skp = NULL; 299 else 300 skp = smk_import_entry(buffer, rc); 301 302 kfree(buffer); 303 304 return skp; 305 } 306 307 /** 308 * new_inode_smack - allocate an inode security blob 309 * @skp: a pointer to the Smack label entry to use in the blob 310 * 311 * Returns the new blob or NULL if there's no memory available 312 */ 313 static struct inode_smack *new_inode_smack(struct smack_known *skp) 314 { 315 struct inode_smack *isp; 316 317 isp = kmem_cache_zalloc(smack_inode_cache, GFP_NOFS); 318 if (isp == NULL) 319 return NULL; 320 321 isp->smk_inode = skp; 322 isp->smk_flags = 0; 323 mutex_init(&isp->smk_lock); 324 325 return isp; 326 } 327 328 /** 329 * new_task_smack - allocate a task security blob 330 * @task: a pointer to the Smack label for the running task 331 * @forked: a pointer to the Smack label for the forked task 332 * @gfp: type of the memory for the allocation 333 * 334 * Returns the new blob or NULL if there's no memory available 335 */ 336 static struct task_smack *new_task_smack(struct smack_known *task, 337 struct smack_known *forked, gfp_t gfp) 338 { 339 struct task_smack *tsp; 340 341 tsp = kzalloc(sizeof(struct task_smack), gfp); 342 if (tsp == NULL) 343 return NULL; 344 345 tsp->smk_task = task; 346 tsp->smk_forked = forked; 347 INIT_LIST_HEAD(&tsp->smk_rules); 348 INIT_LIST_HEAD(&tsp->smk_relabel); 349 mutex_init(&tsp->smk_rules_lock); 350 351 return tsp; 352 } 353 354 /** 355 * smk_copy_rules - copy a rule set 356 * @nhead: new rules header pointer 357 * @ohead: old rules header pointer 358 * @gfp: type of the memory for the allocation 359 * 360 * Returns 0 on success, -ENOMEM on error 361 */ 362 static int smk_copy_rules(struct list_head *nhead, struct list_head *ohead, 363 gfp_t gfp) 364 { 365 struct smack_rule *nrp; 366 struct smack_rule *orp; 367 int rc = 0; 368 369 list_for_each_entry_rcu(orp, ohead, list) { 370 nrp = kzalloc(sizeof(struct smack_rule), gfp); 371 if (nrp == NULL) { 372 rc = -ENOMEM; 373 break; 374 } 375 *nrp = *orp; 376 list_add_rcu(&nrp->list, nhead); 377 } 378 return rc; 379 } 380 381 /** 382 * smk_copy_relabel - copy smk_relabel labels list 383 * @nhead: new rules header pointer 384 * @ohead: old rules header pointer 385 * @gfp: type of the memory for the allocation 386 * 387 * Returns 0 on success, -ENOMEM on error 388 */ 389 static int smk_copy_relabel(struct list_head *nhead, struct list_head *ohead, 390 gfp_t gfp) 391 { 392 struct smack_known_list_elem *nklep; 393 struct smack_known_list_elem *oklep; 394 395 list_for_each_entry(oklep, ohead, list) { 396 nklep = kzalloc(sizeof(struct smack_known_list_elem), gfp); 397 if (nklep == NULL) { 398 smk_destroy_label_list(nhead); 399 return -ENOMEM; 400 } 401 nklep->smk_label = oklep->smk_label; 402 list_add(&nklep->list, nhead); 403 } 404 405 return 0; 406 } 407 408 /** 409 * smk_ptrace_mode - helper function for converting PTRACE_MODE_* into MAY_* 410 * @mode - input mode in form of PTRACE_MODE_* 411 * 412 * Returns a converted MAY_* mode usable by smack rules 413 */ 414 static inline unsigned int smk_ptrace_mode(unsigned int mode) 415 { 416 if (mode & PTRACE_MODE_ATTACH) 417 return MAY_READWRITE; 418 if (mode & PTRACE_MODE_READ) 419 return MAY_READ; 420 421 return 0; 422 } 423 424 /** 425 * smk_ptrace_rule_check - helper for ptrace access 426 * @tracer: tracer process 427 * @tracee_known: label entry of the process that's about to be traced 428 * @mode: ptrace attachment mode (PTRACE_MODE_*) 429 * @func: name of the function that called us, used for audit 430 * 431 * Returns 0 on access granted, -error on error 432 */ 433 static int smk_ptrace_rule_check(struct task_struct *tracer, 434 struct smack_known *tracee_known, 435 unsigned int mode, const char *func) 436 { 437 int rc; 438 struct smk_audit_info ad, *saip = NULL; 439 struct task_smack *tsp; 440 struct smack_known *tracer_known; 441 const struct cred *tracercred; 442 443 if ((mode & PTRACE_MODE_NOAUDIT) == 0) { 444 smk_ad_init(&ad, func, LSM_AUDIT_DATA_TASK); 445 smk_ad_setfield_u_tsk(&ad, tracer); 446 saip = &ad; 447 } 448 449 rcu_read_lock(); 450 tracercred = __task_cred(tracer); 451 tsp = tracercred->security; 452 tracer_known = smk_of_task(tsp); 453 454 if ((mode & PTRACE_MODE_ATTACH) && 455 (smack_ptrace_rule == SMACK_PTRACE_EXACT || 456 smack_ptrace_rule == SMACK_PTRACE_DRACONIAN)) { 457 if (tracer_known->smk_known == tracee_known->smk_known) 458 rc = 0; 459 else if (smack_ptrace_rule == SMACK_PTRACE_DRACONIAN) 460 rc = -EACCES; 461 else if (smack_privileged_cred(CAP_SYS_PTRACE, tracercred)) 462 rc = 0; 463 else 464 rc = -EACCES; 465 466 if (saip) 467 smack_log(tracer_known->smk_known, 468 tracee_known->smk_known, 469 0, rc, saip); 470 471 rcu_read_unlock(); 472 return rc; 473 } 474 475 /* In case of rule==SMACK_PTRACE_DEFAULT or mode==PTRACE_MODE_READ */ 476 rc = smk_tskacc(tsp, tracee_known, smk_ptrace_mode(mode), saip); 477 478 rcu_read_unlock(); 479 return rc; 480 } 481 482 /* 483 * LSM hooks. 484 * We he, that is fun! 485 */ 486 487 /** 488 * smack_ptrace_access_check - Smack approval on PTRACE_ATTACH 489 * @ctp: child task pointer 490 * @mode: ptrace attachment mode (PTRACE_MODE_*) 491 * 492 * Returns 0 if access is OK, an error code otherwise 493 * 494 * Do the capability checks. 495 */ 496 static int smack_ptrace_access_check(struct task_struct *ctp, unsigned int mode) 497 { 498 struct smack_known *skp; 499 500 skp = smk_of_task_struct(ctp); 501 502 return smk_ptrace_rule_check(current, skp, mode, __func__); 503 } 504 505 /** 506 * smack_ptrace_traceme - Smack approval on PTRACE_TRACEME 507 * @ptp: parent task pointer 508 * 509 * Returns 0 if access is OK, an error code otherwise 510 * 511 * Do the capability checks, and require PTRACE_MODE_ATTACH. 512 */ 513 static int smack_ptrace_traceme(struct task_struct *ptp) 514 { 515 int rc; 516 struct smack_known *skp; 517 518 skp = smk_of_task(current_security()); 519 520 rc = smk_ptrace_rule_check(ptp, skp, PTRACE_MODE_ATTACH, __func__); 521 return rc; 522 } 523 524 /** 525 * smack_syslog - Smack approval on syslog 526 * @type: message type 527 * 528 * Returns 0 on success, error code otherwise. 529 */ 530 static int smack_syslog(int typefrom_file) 531 { 532 int rc = 0; 533 struct smack_known *skp = smk_of_current(); 534 535 if (smack_privileged(CAP_MAC_OVERRIDE)) 536 return 0; 537 538 if (smack_syslog_label != NULL && smack_syslog_label != skp) 539 rc = -EACCES; 540 541 return rc; 542 } 543 544 545 /* 546 * Superblock Hooks. 547 */ 548 549 /** 550 * smack_sb_alloc_security - allocate a superblock blob 551 * @sb: the superblock getting the blob 552 * 553 * Returns 0 on success or -ENOMEM on error. 554 */ 555 static int smack_sb_alloc_security(struct super_block *sb) 556 { 557 struct superblock_smack *sbsp; 558 559 sbsp = kzalloc(sizeof(struct superblock_smack), GFP_KERNEL); 560 561 if (sbsp == NULL) 562 return -ENOMEM; 563 564 sbsp->smk_root = &smack_known_floor; 565 sbsp->smk_default = &smack_known_floor; 566 sbsp->smk_floor = &smack_known_floor; 567 sbsp->smk_hat = &smack_known_hat; 568 /* 569 * SMK_SB_INITIALIZED will be zero from kzalloc. 570 */ 571 sb->s_security = sbsp; 572 573 return 0; 574 } 575 576 /** 577 * smack_sb_free_security - free a superblock blob 578 * @sb: the superblock getting the blob 579 * 580 */ 581 static void smack_sb_free_security(struct super_block *sb) 582 { 583 kfree(sb->s_security); 584 sb->s_security = NULL; 585 } 586 587 struct smack_mnt_opts { 588 const char *fsdefault, *fsfloor, *fshat, *fsroot, *fstransmute; 589 }; 590 591 static void smack_free_mnt_opts(void *mnt_opts) 592 { 593 struct smack_mnt_opts *opts = mnt_opts; 594 kfree(opts->fsdefault); 595 kfree(opts->fsfloor); 596 kfree(opts->fshat); 597 kfree(opts->fsroot); 598 kfree(opts->fstransmute); 599 kfree(opts); 600 } 601 602 static int smack_add_opt(int token, const char *s, void **mnt_opts) 603 { 604 struct smack_mnt_opts *opts = *mnt_opts; 605 606 if (!opts) { 607 opts = kzalloc(sizeof(struct smack_mnt_opts), GFP_KERNEL); 608 if (!opts) 609 return -ENOMEM; 610 *mnt_opts = opts; 611 } 612 if (!s) 613 return -ENOMEM; 614 615 switch (token) { 616 case Opt_fsdefault: 617 if (opts->fsdefault) 618 goto out_opt_err; 619 opts->fsdefault = s; 620 break; 621 case Opt_fsfloor: 622 if (opts->fsfloor) 623 goto out_opt_err; 624 opts->fsfloor = s; 625 break; 626 case Opt_fshat: 627 if (opts->fshat) 628 goto out_opt_err; 629 opts->fshat = s; 630 break; 631 case Opt_fsroot: 632 if (opts->fsroot) 633 goto out_opt_err; 634 opts->fsroot = s; 635 break; 636 case Opt_fstransmute: 637 if (opts->fstransmute) 638 goto out_opt_err; 639 opts->fstransmute = s; 640 break; 641 } 642 return 0; 643 644 out_opt_err: 645 pr_warn("Smack: duplicate mount options\n"); 646 return -EINVAL; 647 } 648 649 static int smack_sb_eat_lsm_opts(char *options, void **mnt_opts) 650 { 651 char *from = options, *to = options; 652 bool first = true; 653 654 while (1) { 655 char *next = strchr(from, ','); 656 int token, len, rc; 657 char *arg = NULL; 658 659 if (next) 660 len = next - from; 661 else 662 len = strlen(from); 663 664 token = match_opt_prefix(from, len, &arg); 665 if (token != Opt_error) { 666 arg = kmemdup_nul(arg, from + len - arg, GFP_KERNEL); 667 rc = smack_add_opt(token, arg, mnt_opts); 668 if (unlikely(rc)) { 669 kfree(arg); 670 if (*mnt_opts) 671 smack_free_mnt_opts(*mnt_opts); 672 *mnt_opts = NULL; 673 return rc; 674 } 675 } else { 676 if (!first) { // copy with preceding comma 677 from--; 678 len++; 679 } 680 if (to != from) 681 memmove(to, from, len); 682 to += len; 683 first = false; 684 } 685 if (!from[len]) 686 break; 687 from += len + 1; 688 } 689 *to = '\0'; 690 return 0; 691 } 692 693 /** 694 * smack_set_mnt_opts - set Smack specific mount options 695 * @sb: the file system superblock 696 * @opts: Smack mount options 697 * @kern_flags: mount option from kernel space or user space 698 * @set_kern_flags: where to store converted mount opts 699 * 700 * Returns 0 on success, an error code on failure 701 * 702 * Allow filesystems with binary mount data to explicitly set Smack mount 703 * labels. 704 */ 705 static int smack_set_mnt_opts(struct super_block *sb, 706 void *mnt_opts, 707 unsigned long kern_flags, 708 unsigned long *set_kern_flags) 709 { 710 struct dentry *root = sb->s_root; 711 struct inode *inode = d_backing_inode(root); 712 struct superblock_smack *sp = sb->s_security; 713 struct inode_smack *isp; 714 struct smack_known *skp; 715 struct smack_mnt_opts *opts = mnt_opts; 716 bool transmute = false; 717 718 if (sp->smk_flags & SMK_SB_INITIALIZED) 719 return 0; 720 721 if (!smack_privileged(CAP_MAC_ADMIN)) { 722 /* 723 * Unprivileged mounts don't get to specify Smack values. 724 */ 725 if (opts) 726 return -EPERM; 727 /* 728 * Unprivileged mounts get root and default from the caller. 729 */ 730 skp = smk_of_current(); 731 sp->smk_root = skp; 732 sp->smk_default = skp; 733 /* 734 * For a handful of fs types with no user-controlled 735 * backing store it's okay to trust security labels 736 * in the filesystem. The rest are untrusted. 737 */ 738 if (sb->s_user_ns != &init_user_ns && 739 sb->s_magic != SYSFS_MAGIC && sb->s_magic != TMPFS_MAGIC && 740 sb->s_magic != RAMFS_MAGIC) { 741 transmute = true; 742 sp->smk_flags |= SMK_SB_UNTRUSTED; 743 } 744 } 745 746 sp->smk_flags |= SMK_SB_INITIALIZED; 747 748 if (opts) { 749 if (opts->fsdefault) { 750 skp = smk_import_entry(opts->fsdefault, 0); 751 if (IS_ERR(skp)) 752 return PTR_ERR(skp); 753 sp->smk_default = skp; 754 } 755 if (opts->fsfloor) { 756 skp = smk_import_entry(opts->fsfloor, 0); 757 if (IS_ERR(skp)) 758 return PTR_ERR(skp); 759 sp->smk_floor = skp; 760 } 761 if (opts->fshat) { 762 skp = smk_import_entry(opts->fshat, 0); 763 if (IS_ERR(skp)) 764 return PTR_ERR(skp); 765 sp->smk_hat = skp; 766 } 767 if (opts->fsroot) { 768 skp = smk_import_entry(opts->fsroot, 0); 769 if (IS_ERR(skp)) 770 return PTR_ERR(skp); 771 sp->smk_root = skp; 772 } 773 if (opts->fstransmute) { 774 skp = smk_import_entry(opts->fstransmute, 0); 775 if (IS_ERR(skp)) 776 return PTR_ERR(skp); 777 sp->smk_root = skp; 778 transmute = true; 779 } 780 } 781 782 /* 783 * Initialize the root inode. 784 */ 785 isp = inode->i_security; 786 if (isp == NULL) { 787 isp = new_inode_smack(sp->smk_root); 788 if (isp == NULL) 789 return -ENOMEM; 790 inode->i_security = isp; 791 } else 792 isp->smk_inode = sp->smk_root; 793 794 if (transmute) 795 isp->smk_flags |= SMK_INODE_TRANSMUTE; 796 797 return 0; 798 } 799 800 /** 801 * smack_sb_statfs - Smack check on statfs 802 * @dentry: identifies the file system in question 803 * 804 * Returns 0 if current can read the floor of the filesystem, 805 * and error code otherwise 806 */ 807 static int smack_sb_statfs(struct dentry *dentry) 808 { 809 struct superblock_smack *sbp = dentry->d_sb->s_security; 810 int rc; 811 struct smk_audit_info ad; 812 813 smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_DENTRY); 814 smk_ad_setfield_u_fs_path_dentry(&ad, dentry); 815 816 rc = smk_curacc(sbp->smk_floor, MAY_READ, &ad); 817 rc = smk_bu_current("statfs", sbp->smk_floor, MAY_READ, rc); 818 return rc; 819 } 820 821 /* 822 * BPRM hooks 823 */ 824 825 /** 826 * smack_bprm_set_creds - set creds for exec 827 * @bprm: the exec information 828 * 829 * Returns 0 if it gets a blob, -EPERM if exec forbidden and -ENOMEM otherwise 830 */ 831 static int smack_bprm_set_creds(struct linux_binprm *bprm) 832 { 833 struct inode *inode = file_inode(bprm->file); 834 struct task_smack *bsp = bprm->cred->security; 835 struct inode_smack *isp; 836 struct superblock_smack *sbsp; 837 int rc; 838 839 if (bprm->called_set_creds) 840 return 0; 841 842 isp = inode->i_security; 843 if (isp->smk_task == NULL || isp->smk_task == bsp->smk_task) 844 return 0; 845 846 sbsp = inode->i_sb->s_security; 847 if ((sbsp->smk_flags & SMK_SB_UNTRUSTED) && 848 isp->smk_task != sbsp->smk_root) 849 return 0; 850 851 if (bprm->unsafe & LSM_UNSAFE_PTRACE) { 852 struct task_struct *tracer; 853 rc = 0; 854 855 rcu_read_lock(); 856 tracer = ptrace_parent(current); 857 if (likely(tracer != NULL)) 858 rc = smk_ptrace_rule_check(tracer, 859 isp->smk_task, 860 PTRACE_MODE_ATTACH, 861 __func__); 862 rcu_read_unlock(); 863 864 if (rc != 0) 865 return rc; 866 } else if (bprm->unsafe) 867 return -EPERM; 868 869 bsp->smk_task = isp->smk_task; 870 bprm->per_clear |= PER_CLEAR_ON_SETID; 871 872 /* Decide if this is a secure exec. */ 873 if (bsp->smk_task != bsp->smk_forked) 874 bprm->secureexec = 1; 875 876 return 0; 877 } 878 879 /* 880 * Inode hooks 881 */ 882 883 /** 884 * smack_inode_alloc_security - allocate an inode blob 885 * @inode: the inode in need of a blob 886 * 887 * Returns 0 if it gets a blob, -ENOMEM otherwise 888 */ 889 static int smack_inode_alloc_security(struct inode *inode) 890 { 891 struct smack_known *skp = smk_of_current(); 892 893 inode->i_security = new_inode_smack(skp); 894 if (inode->i_security == NULL) 895 return -ENOMEM; 896 return 0; 897 } 898 899 /** 900 * smack_inode_free_rcu - Free inode_smack blob from cache 901 * @head: the rcu_head for getting inode_smack pointer 902 * 903 * Call back function called from call_rcu() to free 904 * the i_security blob pointer in inode 905 */ 906 static void smack_inode_free_rcu(struct rcu_head *head) 907 { 908 struct inode_smack *issp; 909 910 issp = container_of(head, struct inode_smack, smk_rcu); 911 kmem_cache_free(smack_inode_cache, issp); 912 } 913 914 /** 915 * smack_inode_free_security - free an inode blob using call_rcu() 916 * @inode: the inode with a blob 917 * 918 * Clears the blob pointer in inode using RCU 919 */ 920 static void smack_inode_free_security(struct inode *inode) 921 { 922 struct inode_smack *issp = inode->i_security; 923 924 /* 925 * The inode may still be referenced in a path walk and 926 * a call to smack_inode_permission() can be made 927 * after smack_inode_free_security() is called. 928 * To avoid race condition free the i_security via RCU 929 * and leave the current inode->i_security pointer intact. 930 * The inode will be freed after the RCU grace period too. 931 */ 932 call_rcu(&issp->smk_rcu, smack_inode_free_rcu); 933 } 934 935 /** 936 * smack_inode_init_security - copy out the smack from an inode 937 * @inode: the newly created inode 938 * @dir: containing directory object 939 * @qstr: unused 940 * @name: where to put the attribute name 941 * @value: where to put the attribute value 942 * @len: where to put the length of the attribute 943 * 944 * Returns 0 if it all works out, -ENOMEM if there's no memory 945 */ 946 static int smack_inode_init_security(struct inode *inode, struct inode *dir, 947 const struct qstr *qstr, const char **name, 948 void **value, size_t *len) 949 { 950 struct inode_smack *issp = inode->i_security; 951 struct smack_known *skp = smk_of_current(); 952 struct smack_known *isp = smk_of_inode(inode); 953 struct smack_known *dsp = smk_of_inode(dir); 954 int may; 955 956 if (name) 957 *name = XATTR_SMACK_SUFFIX; 958 959 if (value && len) { 960 rcu_read_lock(); 961 may = smk_access_entry(skp->smk_known, dsp->smk_known, 962 &skp->smk_rules); 963 rcu_read_unlock(); 964 965 /* 966 * If the access rule allows transmutation and 967 * the directory requests transmutation then 968 * by all means transmute. 969 * Mark the inode as changed. 970 */ 971 if (may > 0 && ((may & MAY_TRANSMUTE) != 0) && 972 smk_inode_transmutable(dir)) { 973 isp = dsp; 974 issp->smk_flags |= SMK_INODE_CHANGED; 975 } 976 977 *value = kstrdup(isp->smk_known, GFP_NOFS); 978 if (*value == NULL) 979 return -ENOMEM; 980 981 *len = strlen(isp->smk_known); 982 } 983 984 return 0; 985 } 986 987 /** 988 * smack_inode_link - Smack check on link 989 * @old_dentry: the existing object 990 * @dir: unused 991 * @new_dentry: the new object 992 * 993 * Returns 0 if access is permitted, an error code otherwise 994 */ 995 static int smack_inode_link(struct dentry *old_dentry, struct inode *dir, 996 struct dentry *new_dentry) 997 { 998 struct smack_known *isp; 999 struct smk_audit_info ad; 1000 int rc; 1001 1002 smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_DENTRY); 1003 smk_ad_setfield_u_fs_path_dentry(&ad, old_dentry); 1004 1005 isp = smk_of_inode(d_backing_inode(old_dentry)); 1006 rc = smk_curacc(isp, MAY_WRITE, &ad); 1007 rc = smk_bu_inode(d_backing_inode(old_dentry), MAY_WRITE, rc); 1008 1009 if (rc == 0 && d_is_positive(new_dentry)) { 1010 isp = smk_of_inode(d_backing_inode(new_dentry)); 1011 smk_ad_setfield_u_fs_path_dentry(&ad, new_dentry); 1012 rc = smk_curacc(isp, MAY_WRITE, &ad); 1013 rc = smk_bu_inode(d_backing_inode(new_dentry), MAY_WRITE, rc); 1014 } 1015 1016 return rc; 1017 } 1018 1019 /** 1020 * smack_inode_unlink - Smack check on inode deletion 1021 * @dir: containing directory object 1022 * @dentry: file to unlink 1023 * 1024 * Returns 0 if current can write the containing directory 1025 * and the object, error code otherwise 1026 */ 1027 static int smack_inode_unlink(struct inode *dir, struct dentry *dentry) 1028 { 1029 struct inode *ip = d_backing_inode(dentry); 1030 struct smk_audit_info ad; 1031 int rc; 1032 1033 smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_DENTRY); 1034 smk_ad_setfield_u_fs_path_dentry(&ad, dentry); 1035 1036 /* 1037 * You need write access to the thing you're unlinking 1038 */ 1039 rc = smk_curacc(smk_of_inode(ip), MAY_WRITE, &ad); 1040 rc = smk_bu_inode(ip, MAY_WRITE, rc); 1041 if (rc == 0) { 1042 /* 1043 * You also need write access to the containing directory 1044 */ 1045 smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_INODE); 1046 smk_ad_setfield_u_fs_inode(&ad, dir); 1047 rc = smk_curacc(smk_of_inode(dir), MAY_WRITE, &ad); 1048 rc = smk_bu_inode(dir, MAY_WRITE, rc); 1049 } 1050 return rc; 1051 } 1052 1053 /** 1054 * smack_inode_rmdir - Smack check on directory deletion 1055 * @dir: containing directory object 1056 * @dentry: directory to unlink 1057 * 1058 * Returns 0 if current can write the containing directory 1059 * and the directory, error code otherwise 1060 */ 1061 static int smack_inode_rmdir(struct inode *dir, struct dentry *dentry) 1062 { 1063 struct smk_audit_info ad; 1064 int rc; 1065 1066 smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_DENTRY); 1067 smk_ad_setfield_u_fs_path_dentry(&ad, dentry); 1068 1069 /* 1070 * You need write access to the thing you're removing 1071 */ 1072 rc = smk_curacc(smk_of_inode(d_backing_inode(dentry)), MAY_WRITE, &ad); 1073 rc = smk_bu_inode(d_backing_inode(dentry), MAY_WRITE, rc); 1074 if (rc == 0) { 1075 /* 1076 * You also need write access to the containing directory 1077 */ 1078 smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_INODE); 1079 smk_ad_setfield_u_fs_inode(&ad, dir); 1080 rc = smk_curacc(smk_of_inode(dir), MAY_WRITE, &ad); 1081 rc = smk_bu_inode(dir, MAY_WRITE, rc); 1082 } 1083 1084 return rc; 1085 } 1086 1087 /** 1088 * smack_inode_rename - Smack check on rename 1089 * @old_inode: unused 1090 * @old_dentry: the old object 1091 * @new_inode: unused 1092 * @new_dentry: the new object 1093 * 1094 * Read and write access is required on both the old and 1095 * new directories. 1096 * 1097 * Returns 0 if access is permitted, an error code otherwise 1098 */ 1099 static int smack_inode_rename(struct inode *old_inode, 1100 struct dentry *old_dentry, 1101 struct inode *new_inode, 1102 struct dentry *new_dentry) 1103 { 1104 int rc; 1105 struct smack_known *isp; 1106 struct smk_audit_info ad; 1107 1108 smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_DENTRY); 1109 smk_ad_setfield_u_fs_path_dentry(&ad, old_dentry); 1110 1111 isp = smk_of_inode(d_backing_inode(old_dentry)); 1112 rc = smk_curacc(isp, MAY_READWRITE, &ad); 1113 rc = smk_bu_inode(d_backing_inode(old_dentry), MAY_READWRITE, rc); 1114 1115 if (rc == 0 && d_is_positive(new_dentry)) { 1116 isp = smk_of_inode(d_backing_inode(new_dentry)); 1117 smk_ad_setfield_u_fs_path_dentry(&ad, new_dentry); 1118 rc = smk_curacc(isp, MAY_READWRITE, &ad); 1119 rc = smk_bu_inode(d_backing_inode(new_dentry), MAY_READWRITE, rc); 1120 } 1121 return rc; 1122 } 1123 1124 /** 1125 * smack_inode_permission - Smack version of permission() 1126 * @inode: the inode in question 1127 * @mask: the access requested 1128 * 1129 * This is the important Smack hook. 1130 * 1131 * Returns 0 if access is permitted, -EACCES otherwise 1132 */ 1133 static int smack_inode_permission(struct inode *inode, int mask) 1134 { 1135 struct superblock_smack *sbsp = inode->i_sb->s_security; 1136 struct smk_audit_info ad; 1137 int no_block = mask & MAY_NOT_BLOCK; 1138 int rc; 1139 1140 mask &= (MAY_READ|MAY_WRITE|MAY_EXEC|MAY_APPEND); 1141 /* 1142 * No permission to check. Existence test. Yup, it's there. 1143 */ 1144 if (mask == 0) 1145 return 0; 1146 1147 if (sbsp->smk_flags & SMK_SB_UNTRUSTED) { 1148 if (smk_of_inode(inode) != sbsp->smk_root) 1149 return -EACCES; 1150 } 1151 1152 /* May be droppable after audit */ 1153 if (no_block) 1154 return -ECHILD; 1155 smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_INODE); 1156 smk_ad_setfield_u_fs_inode(&ad, inode); 1157 rc = smk_curacc(smk_of_inode(inode), mask, &ad); 1158 rc = smk_bu_inode(inode, mask, rc); 1159 return rc; 1160 } 1161 1162 /** 1163 * smack_inode_setattr - Smack check for setting attributes 1164 * @dentry: the object 1165 * @iattr: for the force flag 1166 * 1167 * Returns 0 if access is permitted, an error code otherwise 1168 */ 1169 static int smack_inode_setattr(struct dentry *dentry, struct iattr *iattr) 1170 { 1171 struct smk_audit_info ad; 1172 int rc; 1173 1174 /* 1175 * Need to allow for clearing the setuid bit. 1176 */ 1177 if (iattr->ia_valid & ATTR_FORCE) 1178 return 0; 1179 smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_DENTRY); 1180 smk_ad_setfield_u_fs_path_dentry(&ad, dentry); 1181 1182 rc = smk_curacc(smk_of_inode(d_backing_inode(dentry)), MAY_WRITE, &ad); 1183 rc = smk_bu_inode(d_backing_inode(dentry), MAY_WRITE, rc); 1184 return rc; 1185 } 1186 1187 /** 1188 * smack_inode_getattr - Smack check for getting attributes 1189 * @mnt: vfsmount of the object 1190 * @dentry: the object 1191 * 1192 * Returns 0 if access is permitted, an error code otherwise 1193 */ 1194 static int smack_inode_getattr(const struct path *path) 1195 { 1196 struct smk_audit_info ad; 1197 struct inode *inode = d_backing_inode(path->dentry); 1198 int rc; 1199 1200 smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_PATH); 1201 smk_ad_setfield_u_fs_path(&ad, *path); 1202 rc = smk_curacc(smk_of_inode(inode), MAY_READ, &ad); 1203 rc = smk_bu_inode(inode, MAY_READ, rc); 1204 return rc; 1205 } 1206 1207 /** 1208 * smack_inode_setxattr - Smack check for setting xattrs 1209 * @dentry: the object 1210 * @name: name of the attribute 1211 * @value: value of the attribute 1212 * @size: size of the value 1213 * @flags: unused 1214 * 1215 * This protects the Smack attribute explicitly. 1216 * 1217 * Returns 0 if access is permitted, an error code otherwise 1218 */ 1219 static int smack_inode_setxattr(struct dentry *dentry, const char *name, 1220 const void *value, size_t size, int flags) 1221 { 1222 struct smk_audit_info ad; 1223 struct smack_known *skp; 1224 int check_priv = 0; 1225 int check_import = 0; 1226 int check_star = 0; 1227 int rc = 0; 1228 1229 /* 1230 * Check label validity here so import won't fail in post_setxattr 1231 */ 1232 if (strcmp(name, XATTR_NAME_SMACK) == 0 || 1233 strcmp(name, XATTR_NAME_SMACKIPIN) == 0 || 1234 strcmp(name, XATTR_NAME_SMACKIPOUT) == 0) { 1235 check_priv = 1; 1236 check_import = 1; 1237 } else if (strcmp(name, XATTR_NAME_SMACKEXEC) == 0 || 1238 strcmp(name, XATTR_NAME_SMACKMMAP) == 0) { 1239 check_priv = 1; 1240 check_import = 1; 1241 check_star = 1; 1242 } else if (strcmp(name, XATTR_NAME_SMACKTRANSMUTE) == 0) { 1243 check_priv = 1; 1244 if (size != TRANS_TRUE_SIZE || 1245 strncmp(value, TRANS_TRUE, TRANS_TRUE_SIZE) != 0) 1246 rc = -EINVAL; 1247 } else 1248 rc = cap_inode_setxattr(dentry, name, value, size, flags); 1249 1250 if (check_priv && !smack_privileged(CAP_MAC_ADMIN)) 1251 rc = -EPERM; 1252 1253 if (rc == 0 && check_import) { 1254 skp = size ? smk_import_entry(value, size) : NULL; 1255 if (IS_ERR(skp)) 1256 rc = PTR_ERR(skp); 1257 else if (skp == NULL || (check_star && 1258 (skp == &smack_known_star || skp == &smack_known_web))) 1259 rc = -EINVAL; 1260 } 1261 1262 smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_DENTRY); 1263 smk_ad_setfield_u_fs_path_dentry(&ad, dentry); 1264 1265 if (rc == 0) { 1266 rc = smk_curacc(smk_of_inode(d_backing_inode(dentry)), MAY_WRITE, &ad); 1267 rc = smk_bu_inode(d_backing_inode(dentry), MAY_WRITE, rc); 1268 } 1269 1270 return rc; 1271 } 1272 1273 /** 1274 * smack_inode_post_setxattr - Apply the Smack update approved above 1275 * @dentry: object 1276 * @name: attribute name 1277 * @value: attribute value 1278 * @size: attribute size 1279 * @flags: unused 1280 * 1281 * Set the pointer in the inode blob to the entry found 1282 * in the master label list. 1283 */ 1284 static void smack_inode_post_setxattr(struct dentry *dentry, const char *name, 1285 const void *value, size_t size, int flags) 1286 { 1287 struct smack_known *skp; 1288 struct inode_smack *isp = d_backing_inode(dentry)->i_security; 1289 1290 if (strcmp(name, XATTR_NAME_SMACKTRANSMUTE) == 0) { 1291 isp->smk_flags |= SMK_INODE_TRANSMUTE; 1292 return; 1293 } 1294 1295 if (strcmp(name, XATTR_NAME_SMACK) == 0) { 1296 skp = smk_import_entry(value, size); 1297 if (!IS_ERR(skp)) 1298 isp->smk_inode = skp; 1299 } else if (strcmp(name, XATTR_NAME_SMACKEXEC) == 0) { 1300 skp = smk_import_entry(value, size); 1301 if (!IS_ERR(skp)) 1302 isp->smk_task = skp; 1303 } else if (strcmp(name, XATTR_NAME_SMACKMMAP) == 0) { 1304 skp = smk_import_entry(value, size); 1305 if (!IS_ERR(skp)) 1306 isp->smk_mmap = skp; 1307 } 1308 1309 return; 1310 } 1311 1312 /** 1313 * smack_inode_getxattr - Smack check on getxattr 1314 * @dentry: the object 1315 * @name: unused 1316 * 1317 * Returns 0 if access is permitted, an error code otherwise 1318 */ 1319 static int smack_inode_getxattr(struct dentry *dentry, const char *name) 1320 { 1321 struct smk_audit_info ad; 1322 int rc; 1323 1324 smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_DENTRY); 1325 smk_ad_setfield_u_fs_path_dentry(&ad, dentry); 1326 1327 rc = smk_curacc(smk_of_inode(d_backing_inode(dentry)), MAY_READ, &ad); 1328 rc = smk_bu_inode(d_backing_inode(dentry), MAY_READ, rc); 1329 return rc; 1330 } 1331 1332 /** 1333 * smack_inode_removexattr - Smack check on removexattr 1334 * @dentry: the object 1335 * @name: name of the attribute 1336 * 1337 * Removing the Smack attribute requires CAP_MAC_ADMIN 1338 * 1339 * Returns 0 if access is permitted, an error code otherwise 1340 */ 1341 static int smack_inode_removexattr(struct dentry *dentry, const char *name) 1342 { 1343 struct inode_smack *isp; 1344 struct smk_audit_info ad; 1345 int rc = 0; 1346 1347 if (strcmp(name, XATTR_NAME_SMACK) == 0 || 1348 strcmp(name, XATTR_NAME_SMACKIPIN) == 0 || 1349 strcmp(name, XATTR_NAME_SMACKIPOUT) == 0 || 1350 strcmp(name, XATTR_NAME_SMACKEXEC) == 0 || 1351 strcmp(name, XATTR_NAME_SMACKTRANSMUTE) == 0 || 1352 strcmp(name, XATTR_NAME_SMACKMMAP) == 0) { 1353 if (!smack_privileged(CAP_MAC_ADMIN)) 1354 rc = -EPERM; 1355 } else 1356 rc = cap_inode_removexattr(dentry, name); 1357 1358 if (rc != 0) 1359 return rc; 1360 1361 smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_DENTRY); 1362 smk_ad_setfield_u_fs_path_dentry(&ad, dentry); 1363 1364 rc = smk_curacc(smk_of_inode(d_backing_inode(dentry)), MAY_WRITE, &ad); 1365 rc = smk_bu_inode(d_backing_inode(dentry), MAY_WRITE, rc); 1366 if (rc != 0) 1367 return rc; 1368 1369 isp = d_backing_inode(dentry)->i_security; 1370 /* 1371 * Don't do anything special for these. 1372 * XATTR_NAME_SMACKIPIN 1373 * XATTR_NAME_SMACKIPOUT 1374 */ 1375 if (strcmp(name, XATTR_NAME_SMACK) == 0) { 1376 struct super_block *sbp = dentry->d_sb; 1377 struct superblock_smack *sbsp = sbp->s_security; 1378 1379 isp->smk_inode = sbsp->smk_default; 1380 } else if (strcmp(name, XATTR_NAME_SMACKEXEC) == 0) 1381 isp->smk_task = NULL; 1382 else if (strcmp(name, XATTR_NAME_SMACKMMAP) == 0) 1383 isp->smk_mmap = NULL; 1384 else if (strcmp(name, XATTR_NAME_SMACKTRANSMUTE) == 0) 1385 isp->smk_flags &= ~SMK_INODE_TRANSMUTE; 1386 1387 return 0; 1388 } 1389 1390 /** 1391 * smack_inode_getsecurity - get smack xattrs 1392 * @inode: the object 1393 * @name: attribute name 1394 * @buffer: where to put the result 1395 * @alloc: duplicate memory 1396 * 1397 * Returns the size of the attribute or an error code 1398 */ 1399 static int smack_inode_getsecurity(struct inode *inode, 1400 const char *name, void **buffer, 1401 bool alloc) 1402 { 1403 struct socket_smack *ssp; 1404 struct socket *sock; 1405 struct super_block *sbp; 1406 struct inode *ip = (struct inode *)inode; 1407 struct smack_known *isp; 1408 1409 if (strcmp(name, XATTR_SMACK_SUFFIX) == 0) 1410 isp = smk_of_inode(inode); 1411 else { 1412 /* 1413 * The rest of the Smack xattrs are only on sockets. 1414 */ 1415 sbp = ip->i_sb; 1416 if (sbp->s_magic != SOCKFS_MAGIC) 1417 return -EOPNOTSUPP; 1418 1419 sock = SOCKET_I(ip); 1420 if (sock == NULL || sock->sk == NULL) 1421 return -EOPNOTSUPP; 1422 1423 ssp = sock->sk->sk_security; 1424 1425 if (strcmp(name, XATTR_SMACK_IPIN) == 0) 1426 isp = ssp->smk_in; 1427 else if (strcmp(name, XATTR_SMACK_IPOUT) == 0) 1428 isp = ssp->smk_out; 1429 else 1430 return -EOPNOTSUPP; 1431 } 1432 1433 if (alloc) { 1434 *buffer = kstrdup(isp->smk_known, GFP_KERNEL); 1435 if (*buffer == NULL) 1436 return -ENOMEM; 1437 } 1438 1439 return strlen(isp->smk_known); 1440 } 1441 1442 1443 /** 1444 * smack_inode_listsecurity - list the Smack attributes 1445 * @inode: the object 1446 * @buffer: where they go 1447 * @buffer_size: size of buffer 1448 */ 1449 static int smack_inode_listsecurity(struct inode *inode, char *buffer, 1450 size_t buffer_size) 1451 { 1452 int len = sizeof(XATTR_NAME_SMACK); 1453 1454 if (buffer != NULL && len <= buffer_size) 1455 memcpy(buffer, XATTR_NAME_SMACK, len); 1456 1457 return len; 1458 } 1459 1460 /** 1461 * smack_inode_getsecid - Extract inode's security id 1462 * @inode: inode to extract the info from 1463 * @secid: where result will be saved 1464 */ 1465 static void smack_inode_getsecid(struct inode *inode, u32 *secid) 1466 { 1467 struct smack_known *skp = smk_of_inode(inode); 1468 1469 *secid = skp->smk_secid; 1470 } 1471 1472 /* 1473 * File Hooks 1474 */ 1475 1476 /* 1477 * There is no smack_file_permission hook 1478 * 1479 * Should access checks be done on each read or write? 1480 * UNICOS and SELinux say yes. 1481 * Trusted Solaris, Trusted Irix, and just about everyone else says no. 1482 * 1483 * I'll say no for now. Smack does not do the frequent 1484 * label changing that SELinux does. 1485 */ 1486 1487 /** 1488 * smack_file_alloc_security - assign a file security blob 1489 * @file: the object 1490 * 1491 * The security blob for a file is a pointer to the master 1492 * label list, so no allocation is done. 1493 * 1494 * f_security is the owner security information. It 1495 * isn't used on file access checks, it's for send_sigio. 1496 * 1497 * Returns 0 1498 */ 1499 static int smack_file_alloc_security(struct file *file) 1500 { 1501 struct smack_known *skp = smk_of_current(); 1502 1503 file->f_security = skp; 1504 return 0; 1505 } 1506 1507 /** 1508 * smack_file_free_security - clear a file security blob 1509 * @file: the object 1510 * 1511 * The security blob for a file is a pointer to the master 1512 * label list, so no memory is freed. 1513 */ 1514 static void smack_file_free_security(struct file *file) 1515 { 1516 file->f_security = NULL; 1517 } 1518 1519 /** 1520 * smack_file_ioctl - Smack check on ioctls 1521 * @file: the object 1522 * @cmd: what to do 1523 * @arg: unused 1524 * 1525 * Relies heavily on the correct use of the ioctl command conventions. 1526 * 1527 * Returns 0 if allowed, error code otherwise 1528 */ 1529 static int smack_file_ioctl(struct file *file, unsigned int cmd, 1530 unsigned long arg) 1531 { 1532 int rc = 0; 1533 struct smk_audit_info ad; 1534 struct inode *inode = file_inode(file); 1535 1536 if (unlikely(IS_PRIVATE(inode))) 1537 return 0; 1538 1539 smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_PATH); 1540 smk_ad_setfield_u_fs_path(&ad, file->f_path); 1541 1542 if (_IOC_DIR(cmd) & _IOC_WRITE) { 1543 rc = smk_curacc(smk_of_inode(inode), MAY_WRITE, &ad); 1544 rc = smk_bu_file(file, MAY_WRITE, rc); 1545 } 1546 1547 if (rc == 0 && (_IOC_DIR(cmd) & _IOC_READ)) { 1548 rc = smk_curacc(smk_of_inode(inode), MAY_READ, &ad); 1549 rc = smk_bu_file(file, MAY_READ, rc); 1550 } 1551 1552 return rc; 1553 } 1554 1555 /** 1556 * smack_file_lock - Smack check on file locking 1557 * @file: the object 1558 * @cmd: unused 1559 * 1560 * Returns 0 if current has lock access, error code otherwise 1561 */ 1562 static int smack_file_lock(struct file *file, unsigned int cmd) 1563 { 1564 struct smk_audit_info ad; 1565 int rc; 1566 struct inode *inode = file_inode(file); 1567 1568 if (unlikely(IS_PRIVATE(inode))) 1569 return 0; 1570 1571 smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_PATH); 1572 smk_ad_setfield_u_fs_path(&ad, file->f_path); 1573 rc = smk_curacc(smk_of_inode(inode), MAY_LOCK, &ad); 1574 rc = smk_bu_file(file, MAY_LOCK, rc); 1575 return rc; 1576 } 1577 1578 /** 1579 * smack_file_fcntl - Smack check on fcntl 1580 * @file: the object 1581 * @cmd: what action to check 1582 * @arg: unused 1583 * 1584 * Generally these operations are harmless. 1585 * File locking operations present an obvious mechanism 1586 * for passing information, so they require write access. 1587 * 1588 * Returns 0 if current has access, error code otherwise 1589 */ 1590 static int smack_file_fcntl(struct file *file, unsigned int cmd, 1591 unsigned long arg) 1592 { 1593 struct smk_audit_info ad; 1594 int rc = 0; 1595 struct inode *inode = file_inode(file); 1596 1597 if (unlikely(IS_PRIVATE(inode))) 1598 return 0; 1599 1600 switch (cmd) { 1601 case F_GETLK: 1602 break; 1603 case F_SETLK: 1604 case F_SETLKW: 1605 smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_PATH); 1606 smk_ad_setfield_u_fs_path(&ad, file->f_path); 1607 rc = smk_curacc(smk_of_inode(inode), MAY_LOCK, &ad); 1608 rc = smk_bu_file(file, MAY_LOCK, rc); 1609 break; 1610 case F_SETOWN: 1611 case F_SETSIG: 1612 smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_PATH); 1613 smk_ad_setfield_u_fs_path(&ad, file->f_path); 1614 rc = smk_curacc(smk_of_inode(inode), MAY_WRITE, &ad); 1615 rc = smk_bu_file(file, MAY_WRITE, rc); 1616 break; 1617 default: 1618 break; 1619 } 1620 1621 return rc; 1622 } 1623 1624 /** 1625 * smack_mmap_file : 1626 * Check permissions for a mmap operation. The @file may be NULL, e.g. 1627 * if mapping anonymous memory. 1628 * @file contains the file structure for file to map (may be NULL). 1629 * @reqprot contains the protection requested by the application. 1630 * @prot contains the protection that will be applied by the kernel. 1631 * @flags contains the operational flags. 1632 * Return 0 if permission is granted. 1633 */ 1634 static int smack_mmap_file(struct file *file, 1635 unsigned long reqprot, unsigned long prot, 1636 unsigned long flags) 1637 { 1638 struct smack_known *skp; 1639 struct smack_known *mkp; 1640 struct smack_rule *srp; 1641 struct task_smack *tsp; 1642 struct smack_known *okp; 1643 struct inode_smack *isp; 1644 struct superblock_smack *sbsp; 1645 int may; 1646 int mmay; 1647 int tmay; 1648 int rc; 1649 1650 if (file == NULL) 1651 return 0; 1652 1653 if (unlikely(IS_PRIVATE(file_inode(file)))) 1654 return 0; 1655 1656 isp = file_inode(file)->i_security; 1657 if (isp->smk_mmap == NULL) 1658 return 0; 1659 sbsp = file_inode(file)->i_sb->s_security; 1660 if (sbsp->smk_flags & SMK_SB_UNTRUSTED && 1661 isp->smk_mmap != sbsp->smk_root) 1662 return -EACCES; 1663 mkp = isp->smk_mmap; 1664 1665 tsp = current_security(); 1666 skp = smk_of_current(); 1667 rc = 0; 1668 1669 rcu_read_lock(); 1670 /* 1671 * For each Smack rule associated with the subject 1672 * label verify that the SMACK64MMAP also has access 1673 * to that rule's object label. 1674 */ 1675 list_for_each_entry_rcu(srp, &skp->smk_rules, list) { 1676 okp = srp->smk_object; 1677 /* 1678 * Matching labels always allows access. 1679 */ 1680 if (mkp->smk_known == okp->smk_known) 1681 continue; 1682 /* 1683 * If there is a matching local rule take 1684 * that into account as well. 1685 */ 1686 may = smk_access_entry(srp->smk_subject->smk_known, 1687 okp->smk_known, 1688 &tsp->smk_rules); 1689 if (may == -ENOENT) 1690 may = srp->smk_access; 1691 else 1692 may &= srp->smk_access; 1693 /* 1694 * If may is zero the SMACK64MMAP subject can't 1695 * possibly have less access. 1696 */ 1697 if (may == 0) 1698 continue; 1699 1700 /* 1701 * Fetch the global list entry. 1702 * If there isn't one a SMACK64MMAP subject 1703 * can't have as much access as current. 1704 */ 1705 mmay = smk_access_entry(mkp->smk_known, okp->smk_known, 1706 &mkp->smk_rules); 1707 if (mmay == -ENOENT) { 1708 rc = -EACCES; 1709 break; 1710 } 1711 /* 1712 * If there is a local entry it modifies the 1713 * potential access, too. 1714 */ 1715 tmay = smk_access_entry(mkp->smk_known, okp->smk_known, 1716 &tsp->smk_rules); 1717 if (tmay != -ENOENT) 1718 mmay &= tmay; 1719 1720 /* 1721 * If there is any access available to current that is 1722 * not available to a SMACK64MMAP subject 1723 * deny access. 1724 */ 1725 if ((may | mmay) != mmay) { 1726 rc = -EACCES; 1727 break; 1728 } 1729 } 1730 1731 rcu_read_unlock(); 1732 1733 return rc; 1734 } 1735 1736 /** 1737 * smack_file_set_fowner - set the file security blob value 1738 * @file: object in question 1739 * 1740 */ 1741 static void smack_file_set_fowner(struct file *file) 1742 { 1743 file->f_security = smk_of_current(); 1744 } 1745 1746 /** 1747 * smack_file_send_sigiotask - Smack on sigio 1748 * @tsk: The target task 1749 * @fown: the object the signal come from 1750 * @signum: unused 1751 * 1752 * Allow a privileged task to get signals even if it shouldn't 1753 * 1754 * Returns 0 if a subject with the object's smack could 1755 * write to the task, an error code otherwise. 1756 */ 1757 static int smack_file_send_sigiotask(struct task_struct *tsk, 1758 struct fown_struct *fown, int signum) 1759 { 1760 struct smack_known *skp; 1761 struct smack_known *tkp = smk_of_task(tsk->cred->security); 1762 const struct cred *tcred; 1763 struct file *file; 1764 int rc; 1765 struct smk_audit_info ad; 1766 1767 /* 1768 * struct fown_struct is never outside the context of a struct file 1769 */ 1770 file = container_of(fown, struct file, f_owner); 1771 1772 /* we don't log here as rc can be overriden */ 1773 skp = file->f_security; 1774 rc = smk_access(skp, tkp, MAY_DELIVER, NULL); 1775 rc = smk_bu_note("sigiotask", skp, tkp, MAY_DELIVER, rc); 1776 1777 rcu_read_lock(); 1778 tcred = __task_cred(tsk); 1779 if (rc != 0 && smack_privileged_cred(CAP_MAC_OVERRIDE, tcred)) 1780 rc = 0; 1781 rcu_read_unlock(); 1782 1783 smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_TASK); 1784 smk_ad_setfield_u_tsk(&ad, tsk); 1785 smack_log(skp->smk_known, tkp->smk_known, MAY_DELIVER, rc, &ad); 1786 return rc; 1787 } 1788 1789 /** 1790 * smack_file_receive - Smack file receive check 1791 * @file: the object 1792 * 1793 * Returns 0 if current has access, error code otherwise 1794 */ 1795 static int smack_file_receive(struct file *file) 1796 { 1797 int rc; 1798 int may = 0; 1799 struct smk_audit_info ad; 1800 struct inode *inode = file_inode(file); 1801 struct socket *sock; 1802 struct task_smack *tsp; 1803 struct socket_smack *ssp; 1804 1805 if (unlikely(IS_PRIVATE(inode))) 1806 return 0; 1807 1808 smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_PATH); 1809 smk_ad_setfield_u_fs_path(&ad, file->f_path); 1810 1811 if (inode->i_sb->s_magic == SOCKFS_MAGIC) { 1812 sock = SOCKET_I(inode); 1813 ssp = sock->sk->sk_security; 1814 tsp = current_security(); 1815 /* 1816 * If the receiving process can't write to the 1817 * passed socket or if the passed socket can't 1818 * write to the receiving process don't accept 1819 * the passed socket. 1820 */ 1821 rc = smk_access(tsp->smk_task, ssp->smk_out, MAY_WRITE, &ad); 1822 rc = smk_bu_file(file, may, rc); 1823 if (rc < 0) 1824 return rc; 1825 rc = smk_access(ssp->smk_in, tsp->smk_task, MAY_WRITE, &ad); 1826 rc = smk_bu_file(file, may, rc); 1827 return rc; 1828 } 1829 /* 1830 * This code relies on bitmasks. 1831 */ 1832 if (file->f_mode & FMODE_READ) 1833 may = MAY_READ; 1834 if (file->f_mode & FMODE_WRITE) 1835 may |= MAY_WRITE; 1836 1837 rc = smk_curacc(smk_of_inode(inode), may, &ad); 1838 rc = smk_bu_file(file, may, rc); 1839 return rc; 1840 } 1841 1842 /** 1843 * smack_file_open - Smack dentry open processing 1844 * @file: the object 1845 * @cred: task credential 1846 * 1847 * Set the security blob in the file structure. 1848 * Allow the open only if the task has read access. There are 1849 * many read operations (e.g. fstat) that you can do with an 1850 * fd even if you have the file open write-only. 1851 * 1852 * Returns 0 1853 */ 1854 static int smack_file_open(struct file *file) 1855 { 1856 struct task_smack *tsp = file->f_cred->security; 1857 struct inode *inode = file_inode(file); 1858 struct smk_audit_info ad; 1859 int rc; 1860 1861 smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_PATH); 1862 smk_ad_setfield_u_fs_path(&ad, file->f_path); 1863 rc = smk_tskacc(tsp, smk_of_inode(inode), MAY_READ, &ad); 1864 rc = smk_bu_credfile(file->f_cred, file, MAY_READ, rc); 1865 1866 return rc; 1867 } 1868 1869 /* 1870 * Task hooks 1871 */ 1872 1873 /** 1874 * smack_cred_alloc_blank - "allocate" blank task-level security credentials 1875 * @new: the new credentials 1876 * @gfp: the atomicity of any memory allocations 1877 * 1878 * Prepare a blank set of credentials for modification. This must allocate all 1879 * the memory the LSM module might require such that cred_transfer() can 1880 * complete without error. 1881 */ 1882 static int smack_cred_alloc_blank(struct cred *cred, gfp_t gfp) 1883 { 1884 struct task_smack *tsp; 1885 1886 tsp = new_task_smack(NULL, NULL, gfp); 1887 if (tsp == NULL) 1888 return -ENOMEM; 1889 1890 cred->security = tsp; 1891 1892 return 0; 1893 } 1894 1895 1896 /** 1897 * smack_cred_free - "free" task-level security credentials 1898 * @cred: the credentials in question 1899 * 1900 */ 1901 static void smack_cred_free(struct cred *cred) 1902 { 1903 struct task_smack *tsp = cred->security; 1904 struct smack_rule *rp; 1905 struct list_head *l; 1906 struct list_head *n; 1907 1908 if (tsp == NULL) 1909 return; 1910 cred->security = NULL; 1911 1912 smk_destroy_label_list(&tsp->smk_relabel); 1913 1914 list_for_each_safe(l, n, &tsp->smk_rules) { 1915 rp = list_entry(l, struct smack_rule, list); 1916 list_del(&rp->list); 1917 kfree(rp); 1918 } 1919 kfree(tsp); 1920 } 1921 1922 /** 1923 * smack_cred_prepare - prepare new set of credentials for modification 1924 * @new: the new credentials 1925 * @old: the original credentials 1926 * @gfp: the atomicity of any memory allocations 1927 * 1928 * Prepare a new set of credentials for modification. 1929 */ 1930 static int smack_cred_prepare(struct cred *new, const struct cred *old, 1931 gfp_t gfp) 1932 { 1933 struct task_smack *old_tsp = old->security; 1934 struct task_smack *new_tsp; 1935 int rc; 1936 1937 new_tsp = new_task_smack(old_tsp->smk_task, old_tsp->smk_task, gfp); 1938 if (new_tsp == NULL) 1939 return -ENOMEM; 1940 1941 new->security = new_tsp; 1942 1943 rc = smk_copy_rules(&new_tsp->smk_rules, &old_tsp->smk_rules, gfp); 1944 if (rc != 0) 1945 return rc; 1946 1947 rc = smk_copy_relabel(&new_tsp->smk_relabel, &old_tsp->smk_relabel, 1948 gfp); 1949 if (rc != 0) 1950 return rc; 1951 1952 return 0; 1953 } 1954 1955 /** 1956 * smack_cred_transfer - Transfer the old credentials to the new credentials 1957 * @new: the new credentials 1958 * @old: the original credentials 1959 * 1960 * Fill in a set of blank credentials from another set of credentials. 1961 */ 1962 static void smack_cred_transfer(struct cred *new, const struct cred *old) 1963 { 1964 struct task_smack *old_tsp = old->security; 1965 struct task_smack *new_tsp = new->security; 1966 1967 new_tsp->smk_task = old_tsp->smk_task; 1968 new_tsp->smk_forked = old_tsp->smk_task; 1969 mutex_init(&new_tsp->smk_rules_lock); 1970 INIT_LIST_HEAD(&new_tsp->smk_rules); 1971 1972 1973 /* cbs copy rule list */ 1974 } 1975 1976 /** 1977 * smack_cred_getsecid - get the secid corresponding to a creds structure 1978 * @c: the object creds 1979 * @secid: where to put the result 1980 * 1981 * Sets the secid to contain a u32 version of the smack label. 1982 */ 1983 static void smack_cred_getsecid(const struct cred *c, u32 *secid) 1984 { 1985 struct smack_known *skp; 1986 1987 rcu_read_lock(); 1988 skp = smk_of_task(c->security); 1989 *secid = skp->smk_secid; 1990 rcu_read_unlock(); 1991 } 1992 1993 /** 1994 * smack_kernel_act_as - Set the subjective context in a set of credentials 1995 * @new: points to the set of credentials to be modified. 1996 * @secid: specifies the security ID to be set 1997 * 1998 * Set the security data for a kernel service. 1999 */ 2000 static int smack_kernel_act_as(struct cred *new, u32 secid) 2001 { 2002 struct task_smack *new_tsp = new->security; 2003 2004 new_tsp->smk_task = smack_from_secid(secid); 2005 return 0; 2006 } 2007 2008 /** 2009 * smack_kernel_create_files_as - Set the file creation label in a set of creds 2010 * @new: points to the set of credentials to be modified 2011 * @inode: points to the inode to use as a reference 2012 * 2013 * Set the file creation context in a set of credentials to the same 2014 * as the objective context of the specified inode 2015 */ 2016 static int smack_kernel_create_files_as(struct cred *new, 2017 struct inode *inode) 2018 { 2019 struct inode_smack *isp = inode->i_security; 2020 struct task_smack *tsp = new->security; 2021 2022 tsp->smk_forked = isp->smk_inode; 2023 tsp->smk_task = tsp->smk_forked; 2024 return 0; 2025 } 2026 2027 /** 2028 * smk_curacc_on_task - helper to log task related access 2029 * @p: the task object 2030 * @access: the access requested 2031 * @caller: name of the calling function for audit 2032 * 2033 * Return 0 if access is permitted 2034 */ 2035 static int smk_curacc_on_task(struct task_struct *p, int access, 2036 const char *caller) 2037 { 2038 struct smk_audit_info ad; 2039 struct smack_known *skp = smk_of_task_struct(p); 2040 int rc; 2041 2042 smk_ad_init(&ad, caller, LSM_AUDIT_DATA_TASK); 2043 smk_ad_setfield_u_tsk(&ad, p); 2044 rc = smk_curacc(skp, access, &ad); 2045 rc = smk_bu_task(p, access, rc); 2046 return rc; 2047 } 2048 2049 /** 2050 * smack_task_setpgid - Smack check on setting pgid 2051 * @p: the task object 2052 * @pgid: unused 2053 * 2054 * Return 0 if write access is permitted 2055 */ 2056 static int smack_task_setpgid(struct task_struct *p, pid_t pgid) 2057 { 2058 return smk_curacc_on_task(p, MAY_WRITE, __func__); 2059 } 2060 2061 /** 2062 * smack_task_getpgid - Smack access check for getpgid 2063 * @p: the object task 2064 * 2065 * Returns 0 if current can read the object task, error code otherwise 2066 */ 2067 static int smack_task_getpgid(struct task_struct *p) 2068 { 2069 return smk_curacc_on_task(p, MAY_READ, __func__); 2070 } 2071 2072 /** 2073 * smack_task_getsid - Smack access check for getsid 2074 * @p: the object task 2075 * 2076 * Returns 0 if current can read the object task, error code otherwise 2077 */ 2078 static int smack_task_getsid(struct task_struct *p) 2079 { 2080 return smk_curacc_on_task(p, MAY_READ, __func__); 2081 } 2082 2083 /** 2084 * smack_task_getsecid - get the secid of the task 2085 * @p: the object task 2086 * @secid: where to put the result 2087 * 2088 * Sets the secid to contain a u32 version of the smack label. 2089 */ 2090 static void smack_task_getsecid(struct task_struct *p, u32 *secid) 2091 { 2092 struct smack_known *skp = smk_of_task_struct(p); 2093 2094 *secid = skp->smk_secid; 2095 } 2096 2097 /** 2098 * smack_task_setnice - Smack check on setting nice 2099 * @p: the task object 2100 * @nice: unused 2101 * 2102 * Return 0 if write access is permitted 2103 */ 2104 static int smack_task_setnice(struct task_struct *p, int nice) 2105 { 2106 return smk_curacc_on_task(p, MAY_WRITE, __func__); 2107 } 2108 2109 /** 2110 * smack_task_setioprio - Smack check on setting ioprio 2111 * @p: the task object 2112 * @ioprio: unused 2113 * 2114 * Return 0 if write access is permitted 2115 */ 2116 static int smack_task_setioprio(struct task_struct *p, int ioprio) 2117 { 2118 return smk_curacc_on_task(p, MAY_WRITE, __func__); 2119 } 2120 2121 /** 2122 * smack_task_getioprio - Smack check on reading ioprio 2123 * @p: the task object 2124 * 2125 * Return 0 if read access is permitted 2126 */ 2127 static int smack_task_getioprio(struct task_struct *p) 2128 { 2129 return smk_curacc_on_task(p, MAY_READ, __func__); 2130 } 2131 2132 /** 2133 * smack_task_setscheduler - Smack check on setting scheduler 2134 * @p: the task object 2135 * @policy: unused 2136 * @lp: unused 2137 * 2138 * Return 0 if read access is permitted 2139 */ 2140 static int smack_task_setscheduler(struct task_struct *p) 2141 { 2142 return smk_curacc_on_task(p, MAY_WRITE, __func__); 2143 } 2144 2145 /** 2146 * smack_task_getscheduler - Smack check on reading scheduler 2147 * @p: the task object 2148 * 2149 * Return 0 if read access is permitted 2150 */ 2151 static int smack_task_getscheduler(struct task_struct *p) 2152 { 2153 return smk_curacc_on_task(p, MAY_READ, __func__); 2154 } 2155 2156 /** 2157 * smack_task_movememory - Smack check on moving memory 2158 * @p: the task object 2159 * 2160 * Return 0 if write access is permitted 2161 */ 2162 static int smack_task_movememory(struct task_struct *p) 2163 { 2164 return smk_curacc_on_task(p, MAY_WRITE, __func__); 2165 } 2166 2167 /** 2168 * smack_task_kill - Smack check on signal delivery 2169 * @p: the task object 2170 * @info: unused 2171 * @sig: unused 2172 * @cred: identifies the cred to use in lieu of current's 2173 * 2174 * Return 0 if write access is permitted 2175 * 2176 */ 2177 static int smack_task_kill(struct task_struct *p, struct kernel_siginfo *info, 2178 int sig, const struct cred *cred) 2179 { 2180 struct smk_audit_info ad; 2181 struct smack_known *skp; 2182 struct smack_known *tkp = smk_of_task_struct(p); 2183 int rc; 2184 2185 if (!sig) 2186 return 0; /* null signal; existence test */ 2187 2188 smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_TASK); 2189 smk_ad_setfield_u_tsk(&ad, p); 2190 /* 2191 * Sending a signal requires that the sender 2192 * can write the receiver. 2193 */ 2194 if (cred == NULL) { 2195 rc = smk_curacc(tkp, MAY_DELIVER, &ad); 2196 rc = smk_bu_task(p, MAY_DELIVER, rc); 2197 return rc; 2198 } 2199 /* 2200 * If the cred isn't NULL we're dealing with some USB IO 2201 * specific behavior. This is not clean. For one thing 2202 * we can't take privilege into account. 2203 */ 2204 skp = smk_of_task(cred->security); 2205 rc = smk_access(skp, tkp, MAY_DELIVER, &ad); 2206 rc = smk_bu_note("USB signal", skp, tkp, MAY_DELIVER, rc); 2207 return rc; 2208 } 2209 2210 /** 2211 * smack_task_to_inode - copy task smack into the inode blob 2212 * @p: task to copy from 2213 * @inode: inode to copy to 2214 * 2215 * Sets the smack pointer in the inode security blob 2216 */ 2217 static void smack_task_to_inode(struct task_struct *p, struct inode *inode) 2218 { 2219 struct inode_smack *isp = inode->i_security; 2220 struct smack_known *skp = smk_of_task_struct(p); 2221 2222 isp->smk_inode = skp; 2223 isp->smk_flags |= SMK_INODE_INSTANT; 2224 } 2225 2226 /* 2227 * Socket hooks. 2228 */ 2229 2230 /** 2231 * smack_sk_alloc_security - Allocate a socket blob 2232 * @sk: the socket 2233 * @family: unused 2234 * @gfp_flags: memory allocation flags 2235 * 2236 * Assign Smack pointers to current 2237 * 2238 * Returns 0 on success, -ENOMEM is there's no memory 2239 */ 2240 static int smack_sk_alloc_security(struct sock *sk, int family, gfp_t gfp_flags) 2241 { 2242 struct smack_known *skp = smk_of_current(); 2243 struct socket_smack *ssp; 2244 2245 ssp = kzalloc(sizeof(struct socket_smack), gfp_flags); 2246 if (ssp == NULL) 2247 return -ENOMEM; 2248 2249 /* 2250 * Sockets created by kernel threads receive web label. 2251 */ 2252 if (unlikely(current->flags & PF_KTHREAD)) { 2253 ssp->smk_in = &smack_known_web; 2254 ssp->smk_out = &smack_known_web; 2255 } else { 2256 ssp->smk_in = skp; 2257 ssp->smk_out = skp; 2258 } 2259 ssp->smk_packet = NULL; 2260 2261 sk->sk_security = ssp; 2262 2263 return 0; 2264 } 2265 2266 /** 2267 * smack_sk_free_security - Free a socket blob 2268 * @sk: the socket 2269 * 2270 * Clears the blob pointer 2271 */ 2272 static void smack_sk_free_security(struct sock *sk) 2273 { 2274 #ifdef SMACK_IPV6_PORT_LABELING 2275 struct smk_port_label *spp; 2276 2277 if (sk->sk_family == PF_INET6) { 2278 rcu_read_lock(); 2279 list_for_each_entry_rcu(spp, &smk_ipv6_port_list, list) { 2280 if (spp->smk_sock != sk) 2281 continue; 2282 spp->smk_can_reuse = 1; 2283 break; 2284 } 2285 rcu_read_unlock(); 2286 } 2287 #endif 2288 kfree(sk->sk_security); 2289 } 2290 2291 /** 2292 * smack_ipv4host_label - check host based restrictions 2293 * @sip: the object end 2294 * 2295 * looks for host based access restrictions 2296 * 2297 * This version will only be appropriate for really small sets of single label 2298 * hosts. The caller is responsible for ensuring that the RCU read lock is 2299 * taken before calling this function. 2300 * 2301 * Returns the label of the far end or NULL if it's not special. 2302 */ 2303 static struct smack_known *smack_ipv4host_label(struct sockaddr_in *sip) 2304 { 2305 struct smk_net4addr *snp; 2306 struct in_addr *siap = &sip->sin_addr; 2307 2308 if (siap->s_addr == 0) 2309 return NULL; 2310 2311 list_for_each_entry_rcu(snp, &smk_net4addr_list, list) 2312 /* 2313 * we break after finding the first match because 2314 * the list is sorted from longest to shortest mask 2315 * so we have found the most specific match 2316 */ 2317 if (snp->smk_host.s_addr == 2318 (siap->s_addr & snp->smk_mask.s_addr)) 2319 return snp->smk_label; 2320 2321 return NULL; 2322 } 2323 2324 #if IS_ENABLED(CONFIG_IPV6) 2325 /* 2326 * smk_ipv6_localhost - Check for local ipv6 host address 2327 * @sip: the address 2328 * 2329 * Returns boolean true if this is the localhost address 2330 */ 2331 static bool smk_ipv6_localhost(struct sockaddr_in6 *sip) 2332 { 2333 __be16 *be16p = (__be16 *)&sip->sin6_addr; 2334 __be32 *be32p = (__be32 *)&sip->sin6_addr; 2335 2336 if (be32p[0] == 0 && be32p[1] == 0 && be32p[2] == 0 && be16p[6] == 0 && 2337 ntohs(be16p[7]) == 1) 2338 return true; 2339 return false; 2340 } 2341 2342 /** 2343 * smack_ipv6host_label - check host based restrictions 2344 * @sip: the object end 2345 * 2346 * looks for host based access restrictions 2347 * 2348 * This version will only be appropriate for really small sets of single label 2349 * hosts. The caller is responsible for ensuring that the RCU read lock is 2350 * taken before calling this function. 2351 * 2352 * Returns the label of the far end or NULL if it's not special. 2353 */ 2354 static struct smack_known *smack_ipv6host_label(struct sockaddr_in6 *sip) 2355 { 2356 struct smk_net6addr *snp; 2357 struct in6_addr *sap = &sip->sin6_addr; 2358 int i; 2359 int found = 0; 2360 2361 /* 2362 * It's local. Don't look for a host label. 2363 */ 2364 if (smk_ipv6_localhost(sip)) 2365 return NULL; 2366 2367 list_for_each_entry_rcu(snp, &smk_net6addr_list, list) { 2368 /* 2369 * If the label is NULL the entry has 2370 * been renounced. Ignore it. 2371 */ 2372 if (snp->smk_label == NULL) 2373 continue; 2374 /* 2375 * we break after finding the first match because 2376 * the list is sorted from longest to shortest mask 2377 * so we have found the most specific match 2378 */ 2379 for (found = 1, i = 0; i < 8; i++) { 2380 if ((sap->s6_addr16[i] & snp->smk_mask.s6_addr16[i]) != 2381 snp->smk_host.s6_addr16[i]) { 2382 found = 0; 2383 break; 2384 } 2385 } 2386 if (found) 2387 return snp->smk_label; 2388 } 2389 2390 return NULL; 2391 } 2392 #endif /* CONFIG_IPV6 */ 2393 2394 /** 2395 * smack_netlabel - Set the secattr on a socket 2396 * @sk: the socket 2397 * @labeled: socket label scheme 2398 * 2399 * Convert the outbound smack value (smk_out) to a 2400 * secattr and attach it to the socket. 2401 * 2402 * Returns 0 on success or an error code 2403 */ 2404 static int smack_netlabel(struct sock *sk, int labeled) 2405 { 2406 struct smack_known *skp; 2407 struct socket_smack *ssp = sk->sk_security; 2408 int rc = 0; 2409 2410 /* 2411 * Usually the netlabel code will handle changing the 2412 * packet labeling based on the label. 2413 * The case of a single label host is different, because 2414 * a single label host should never get a labeled packet 2415 * even though the label is usually associated with a packet 2416 * label. 2417 */ 2418 local_bh_disable(); 2419 bh_lock_sock_nested(sk); 2420 2421 if (ssp->smk_out == smack_net_ambient || 2422 labeled == SMACK_UNLABELED_SOCKET) 2423 netlbl_sock_delattr(sk); 2424 else { 2425 skp = ssp->smk_out; 2426 rc = netlbl_sock_setattr(sk, sk->sk_family, &skp->smk_netlabel); 2427 } 2428 2429 bh_unlock_sock(sk); 2430 local_bh_enable(); 2431 2432 return rc; 2433 } 2434 2435 /** 2436 * smack_netlbel_send - Set the secattr on a socket and perform access checks 2437 * @sk: the socket 2438 * @sap: the destination address 2439 * 2440 * Set the correct secattr for the given socket based on the destination 2441 * address and perform any outbound access checks needed. 2442 * 2443 * Returns 0 on success or an error code. 2444 * 2445 */ 2446 static int smack_netlabel_send(struct sock *sk, struct sockaddr_in *sap) 2447 { 2448 struct smack_known *skp; 2449 int rc; 2450 int sk_lbl; 2451 struct smack_known *hkp; 2452 struct socket_smack *ssp = sk->sk_security; 2453 struct smk_audit_info ad; 2454 2455 rcu_read_lock(); 2456 hkp = smack_ipv4host_label(sap); 2457 if (hkp != NULL) { 2458 #ifdef CONFIG_AUDIT 2459 struct lsm_network_audit net; 2460 2461 smk_ad_init_net(&ad, __func__, LSM_AUDIT_DATA_NET, &net); 2462 ad.a.u.net->family = sap->sin_family; 2463 ad.a.u.net->dport = sap->sin_port; 2464 ad.a.u.net->v4info.daddr = sap->sin_addr.s_addr; 2465 #endif 2466 sk_lbl = SMACK_UNLABELED_SOCKET; 2467 skp = ssp->smk_out; 2468 rc = smk_access(skp, hkp, MAY_WRITE, &ad); 2469 rc = smk_bu_note("IPv4 host check", skp, hkp, MAY_WRITE, rc); 2470 } else { 2471 sk_lbl = SMACK_CIPSO_SOCKET; 2472 rc = 0; 2473 } 2474 rcu_read_unlock(); 2475 if (rc != 0) 2476 return rc; 2477 2478 return smack_netlabel(sk, sk_lbl); 2479 } 2480 2481 #if IS_ENABLED(CONFIG_IPV6) 2482 /** 2483 * smk_ipv6_check - check Smack access 2484 * @subject: subject Smack label 2485 * @object: object Smack label 2486 * @address: address 2487 * @act: the action being taken 2488 * 2489 * Check an IPv6 access 2490 */ 2491 static int smk_ipv6_check(struct smack_known *subject, 2492 struct smack_known *object, 2493 struct sockaddr_in6 *address, int act) 2494 { 2495 #ifdef CONFIG_AUDIT 2496 struct lsm_network_audit net; 2497 #endif 2498 struct smk_audit_info ad; 2499 int rc; 2500 2501 #ifdef CONFIG_AUDIT 2502 smk_ad_init_net(&ad, __func__, LSM_AUDIT_DATA_NET, &net); 2503 ad.a.u.net->family = PF_INET6; 2504 ad.a.u.net->dport = ntohs(address->sin6_port); 2505 if (act == SMK_RECEIVING) 2506 ad.a.u.net->v6info.saddr = address->sin6_addr; 2507 else 2508 ad.a.u.net->v6info.daddr = address->sin6_addr; 2509 #endif 2510 rc = smk_access(subject, object, MAY_WRITE, &ad); 2511 rc = smk_bu_note("IPv6 check", subject, object, MAY_WRITE, rc); 2512 return rc; 2513 } 2514 #endif /* CONFIG_IPV6 */ 2515 2516 #ifdef SMACK_IPV6_PORT_LABELING 2517 /** 2518 * smk_ipv6_port_label - Smack port access table management 2519 * @sock: socket 2520 * @address: address 2521 * 2522 * Create or update the port list entry 2523 */ 2524 static void smk_ipv6_port_label(struct socket *sock, struct sockaddr *address) 2525 { 2526 struct sock *sk = sock->sk; 2527 struct sockaddr_in6 *addr6; 2528 struct socket_smack *ssp = sock->sk->sk_security; 2529 struct smk_port_label *spp; 2530 unsigned short port = 0; 2531 2532 if (address == NULL) { 2533 /* 2534 * This operation is changing the Smack information 2535 * on the bound socket. Take the changes to the port 2536 * as well. 2537 */ 2538 rcu_read_lock(); 2539 list_for_each_entry_rcu(spp, &smk_ipv6_port_list, list) { 2540 if (sk != spp->smk_sock) 2541 continue; 2542 spp->smk_in = ssp->smk_in; 2543 spp->smk_out = ssp->smk_out; 2544 rcu_read_unlock(); 2545 return; 2546 } 2547 /* 2548 * A NULL address is only used for updating existing 2549 * bound entries. If there isn't one, it's OK. 2550 */ 2551 rcu_read_unlock(); 2552 return; 2553 } 2554 2555 addr6 = (struct sockaddr_in6 *)address; 2556 port = ntohs(addr6->sin6_port); 2557 /* 2558 * This is a special case that is safely ignored. 2559 */ 2560 if (port == 0) 2561 return; 2562 2563 /* 2564 * Look for an existing port list entry. 2565 * This is an indication that a port is getting reused. 2566 */ 2567 rcu_read_lock(); 2568 list_for_each_entry_rcu(spp, &smk_ipv6_port_list, list) { 2569 if (spp->smk_port != port || spp->smk_sock_type != sock->type) 2570 continue; 2571 if (spp->smk_can_reuse != 1) { 2572 rcu_read_unlock(); 2573 return; 2574 } 2575 spp->smk_port = port; 2576 spp->smk_sock = sk; 2577 spp->smk_in = ssp->smk_in; 2578 spp->smk_out = ssp->smk_out; 2579 spp->smk_can_reuse = 0; 2580 rcu_read_unlock(); 2581 return; 2582 } 2583 rcu_read_unlock(); 2584 /* 2585 * A new port entry is required. 2586 */ 2587 spp = kzalloc(sizeof(*spp), GFP_KERNEL); 2588 if (spp == NULL) 2589 return; 2590 2591 spp->smk_port = port; 2592 spp->smk_sock = sk; 2593 spp->smk_in = ssp->smk_in; 2594 spp->smk_out = ssp->smk_out; 2595 spp->smk_sock_type = sock->type; 2596 spp->smk_can_reuse = 0; 2597 2598 mutex_lock(&smack_ipv6_lock); 2599 list_add_rcu(&spp->list, &smk_ipv6_port_list); 2600 mutex_unlock(&smack_ipv6_lock); 2601 return; 2602 } 2603 2604 /** 2605 * smk_ipv6_port_check - check Smack port access 2606 * @sock: socket 2607 * @address: address 2608 * 2609 * Create or update the port list entry 2610 */ 2611 static int smk_ipv6_port_check(struct sock *sk, struct sockaddr_in6 *address, 2612 int act) 2613 { 2614 struct smk_port_label *spp; 2615 struct socket_smack *ssp = sk->sk_security; 2616 struct smack_known *skp = NULL; 2617 unsigned short port; 2618 struct smack_known *object; 2619 2620 if (act == SMK_RECEIVING) { 2621 skp = smack_ipv6host_label(address); 2622 object = ssp->smk_in; 2623 } else { 2624 skp = ssp->smk_out; 2625 object = smack_ipv6host_label(address); 2626 } 2627 2628 /* 2629 * The other end is a single label host. 2630 */ 2631 if (skp != NULL && object != NULL) 2632 return smk_ipv6_check(skp, object, address, act); 2633 if (skp == NULL) 2634 skp = smack_net_ambient; 2635 if (object == NULL) 2636 object = smack_net_ambient; 2637 2638 /* 2639 * It's remote, so port lookup does no good. 2640 */ 2641 if (!smk_ipv6_localhost(address)) 2642 return smk_ipv6_check(skp, object, address, act); 2643 2644 /* 2645 * It's local so the send check has to have passed. 2646 */ 2647 if (act == SMK_RECEIVING) 2648 return 0; 2649 2650 port = ntohs(address->sin6_port); 2651 rcu_read_lock(); 2652 list_for_each_entry_rcu(spp, &smk_ipv6_port_list, list) { 2653 if (spp->smk_port != port || spp->smk_sock_type != sk->sk_type) 2654 continue; 2655 object = spp->smk_in; 2656 if (act == SMK_CONNECTING) 2657 ssp->smk_packet = spp->smk_out; 2658 break; 2659 } 2660 rcu_read_unlock(); 2661 2662 return smk_ipv6_check(skp, object, address, act); 2663 } 2664 #endif /* SMACK_IPV6_PORT_LABELING */ 2665 2666 /** 2667 * smack_inode_setsecurity - set smack xattrs 2668 * @inode: the object 2669 * @name: attribute name 2670 * @value: attribute value 2671 * @size: size of the attribute 2672 * @flags: unused 2673 * 2674 * Sets the named attribute in the appropriate blob 2675 * 2676 * Returns 0 on success, or an error code 2677 */ 2678 static int smack_inode_setsecurity(struct inode *inode, const char *name, 2679 const void *value, size_t size, int flags) 2680 { 2681 struct smack_known *skp; 2682 struct inode_smack *nsp = inode->i_security; 2683 struct socket_smack *ssp; 2684 struct socket *sock; 2685 int rc = 0; 2686 2687 if (value == NULL || size > SMK_LONGLABEL || size == 0) 2688 return -EINVAL; 2689 2690 skp = smk_import_entry(value, size); 2691 if (IS_ERR(skp)) 2692 return PTR_ERR(skp); 2693 2694 if (strcmp(name, XATTR_SMACK_SUFFIX) == 0) { 2695 nsp->smk_inode = skp; 2696 nsp->smk_flags |= SMK_INODE_INSTANT; 2697 return 0; 2698 } 2699 /* 2700 * The rest of the Smack xattrs are only on sockets. 2701 */ 2702 if (inode->i_sb->s_magic != SOCKFS_MAGIC) 2703 return -EOPNOTSUPP; 2704 2705 sock = SOCKET_I(inode); 2706 if (sock == NULL || sock->sk == NULL) 2707 return -EOPNOTSUPP; 2708 2709 ssp = sock->sk->sk_security; 2710 2711 if (strcmp(name, XATTR_SMACK_IPIN) == 0) 2712 ssp->smk_in = skp; 2713 else if (strcmp(name, XATTR_SMACK_IPOUT) == 0) { 2714 ssp->smk_out = skp; 2715 if (sock->sk->sk_family == PF_INET) { 2716 rc = smack_netlabel(sock->sk, SMACK_CIPSO_SOCKET); 2717 if (rc != 0) 2718 printk(KERN_WARNING 2719 "Smack: \"%s\" netlbl error %d.\n", 2720 __func__, -rc); 2721 } 2722 } else 2723 return -EOPNOTSUPP; 2724 2725 #ifdef SMACK_IPV6_PORT_LABELING 2726 if (sock->sk->sk_family == PF_INET6) 2727 smk_ipv6_port_label(sock, NULL); 2728 #endif 2729 2730 return 0; 2731 } 2732 2733 /** 2734 * smack_socket_post_create - finish socket setup 2735 * @sock: the socket 2736 * @family: protocol family 2737 * @type: unused 2738 * @protocol: unused 2739 * @kern: unused 2740 * 2741 * Sets the netlabel information on the socket 2742 * 2743 * Returns 0 on success, and error code otherwise 2744 */ 2745 static int smack_socket_post_create(struct socket *sock, int family, 2746 int type, int protocol, int kern) 2747 { 2748 struct socket_smack *ssp; 2749 2750 if (sock->sk == NULL) 2751 return 0; 2752 2753 /* 2754 * Sockets created by kernel threads receive web label. 2755 */ 2756 if (unlikely(current->flags & PF_KTHREAD)) { 2757 ssp = sock->sk->sk_security; 2758 ssp->smk_in = &smack_known_web; 2759 ssp->smk_out = &smack_known_web; 2760 } 2761 2762 if (family != PF_INET) 2763 return 0; 2764 /* 2765 * Set the outbound netlbl. 2766 */ 2767 return smack_netlabel(sock->sk, SMACK_CIPSO_SOCKET); 2768 } 2769 2770 /** 2771 * smack_socket_socketpair - create socket pair 2772 * @socka: one socket 2773 * @sockb: another socket 2774 * 2775 * Cross reference the peer labels for SO_PEERSEC 2776 * 2777 * Returns 0 on success, and error code otherwise 2778 */ 2779 static int smack_socket_socketpair(struct socket *socka, 2780 struct socket *sockb) 2781 { 2782 struct socket_smack *asp = socka->sk->sk_security; 2783 struct socket_smack *bsp = sockb->sk->sk_security; 2784 2785 asp->smk_packet = bsp->smk_out; 2786 bsp->smk_packet = asp->smk_out; 2787 2788 return 0; 2789 } 2790 2791 #ifdef SMACK_IPV6_PORT_LABELING 2792 /** 2793 * smack_socket_bind - record port binding information. 2794 * @sock: the socket 2795 * @address: the port address 2796 * @addrlen: size of the address 2797 * 2798 * Records the label bound to a port. 2799 * 2800 * Returns 0 2801 */ 2802 static int smack_socket_bind(struct socket *sock, struct sockaddr *address, 2803 int addrlen) 2804 { 2805 if (sock->sk != NULL && sock->sk->sk_family == PF_INET6) 2806 smk_ipv6_port_label(sock, address); 2807 return 0; 2808 } 2809 #endif /* SMACK_IPV6_PORT_LABELING */ 2810 2811 /** 2812 * smack_socket_connect - connect access check 2813 * @sock: the socket 2814 * @sap: the other end 2815 * @addrlen: size of sap 2816 * 2817 * Verifies that a connection may be possible 2818 * 2819 * Returns 0 on success, and error code otherwise 2820 */ 2821 static int smack_socket_connect(struct socket *sock, struct sockaddr *sap, 2822 int addrlen) 2823 { 2824 int rc = 0; 2825 #if IS_ENABLED(CONFIG_IPV6) 2826 struct sockaddr_in6 *sip = (struct sockaddr_in6 *)sap; 2827 #endif 2828 #ifdef SMACK_IPV6_SECMARK_LABELING 2829 struct smack_known *rsp; 2830 struct socket_smack *ssp; 2831 #endif 2832 2833 if (sock->sk == NULL) 2834 return 0; 2835 2836 #ifdef SMACK_IPV6_SECMARK_LABELING 2837 ssp = sock->sk->sk_security; 2838 #endif 2839 2840 switch (sock->sk->sk_family) { 2841 case PF_INET: 2842 if (addrlen < sizeof(struct sockaddr_in)) 2843 return -EINVAL; 2844 rc = smack_netlabel_send(sock->sk, (struct sockaddr_in *)sap); 2845 break; 2846 case PF_INET6: 2847 if (addrlen < sizeof(struct sockaddr_in6)) 2848 return -EINVAL; 2849 #ifdef SMACK_IPV6_SECMARK_LABELING 2850 rsp = smack_ipv6host_label(sip); 2851 if (rsp != NULL) 2852 rc = smk_ipv6_check(ssp->smk_out, rsp, sip, 2853 SMK_CONNECTING); 2854 #endif 2855 #ifdef SMACK_IPV6_PORT_LABELING 2856 rc = smk_ipv6_port_check(sock->sk, sip, SMK_CONNECTING); 2857 #endif 2858 break; 2859 } 2860 return rc; 2861 } 2862 2863 /** 2864 * smack_flags_to_may - convert S_ to MAY_ values 2865 * @flags: the S_ value 2866 * 2867 * Returns the equivalent MAY_ value 2868 */ 2869 static int smack_flags_to_may(int flags) 2870 { 2871 int may = 0; 2872 2873 if (flags & S_IRUGO) 2874 may |= MAY_READ; 2875 if (flags & S_IWUGO) 2876 may |= MAY_WRITE; 2877 if (flags & S_IXUGO) 2878 may |= MAY_EXEC; 2879 2880 return may; 2881 } 2882 2883 /** 2884 * smack_msg_msg_alloc_security - Set the security blob for msg_msg 2885 * @msg: the object 2886 * 2887 * Returns 0 2888 */ 2889 static int smack_msg_msg_alloc_security(struct msg_msg *msg) 2890 { 2891 struct smack_known *skp = smk_of_current(); 2892 2893 msg->security = skp; 2894 return 0; 2895 } 2896 2897 /** 2898 * smack_msg_msg_free_security - Clear the security blob for msg_msg 2899 * @msg: the object 2900 * 2901 * Clears the blob pointer 2902 */ 2903 static void smack_msg_msg_free_security(struct msg_msg *msg) 2904 { 2905 msg->security = NULL; 2906 } 2907 2908 /** 2909 * smack_of_ipc - the smack pointer for the ipc 2910 * @isp: the object 2911 * 2912 * Returns a pointer to the smack value 2913 */ 2914 static struct smack_known *smack_of_ipc(struct kern_ipc_perm *isp) 2915 { 2916 return (struct smack_known *)isp->security; 2917 } 2918 2919 /** 2920 * smack_ipc_alloc_security - Set the security blob for ipc 2921 * @isp: the object 2922 * 2923 * Returns 0 2924 */ 2925 static int smack_ipc_alloc_security(struct kern_ipc_perm *isp) 2926 { 2927 struct smack_known *skp = smk_of_current(); 2928 2929 isp->security = skp; 2930 return 0; 2931 } 2932 2933 /** 2934 * smack_ipc_free_security - Clear the security blob for ipc 2935 * @isp: the object 2936 * 2937 * Clears the blob pointer 2938 */ 2939 static void smack_ipc_free_security(struct kern_ipc_perm *isp) 2940 { 2941 isp->security = NULL; 2942 } 2943 2944 /** 2945 * smk_curacc_shm : check if current has access on shm 2946 * @isp : the object 2947 * @access : access requested 2948 * 2949 * Returns 0 if current has the requested access, error code otherwise 2950 */ 2951 static int smk_curacc_shm(struct kern_ipc_perm *isp, int access) 2952 { 2953 struct smack_known *ssp = smack_of_ipc(isp); 2954 struct smk_audit_info ad; 2955 int rc; 2956 2957 #ifdef CONFIG_AUDIT 2958 smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_IPC); 2959 ad.a.u.ipc_id = isp->id; 2960 #endif 2961 rc = smk_curacc(ssp, access, &ad); 2962 rc = smk_bu_current("shm", ssp, access, rc); 2963 return rc; 2964 } 2965 2966 /** 2967 * smack_shm_associate - Smack access check for shm 2968 * @isp: the object 2969 * @shmflg: access requested 2970 * 2971 * Returns 0 if current has the requested access, error code otherwise 2972 */ 2973 static int smack_shm_associate(struct kern_ipc_perm *isp, int shmflg) 2974 { 2975 int may; 2976 2977 may = smack_flags_to_may(shmflg); 2978 return smk_curacc_shm(isp, may); 2979 } 2980 2981 /** 2982 * smack_shm_shmctl - Smack access check for shm 2983 * @isp: the object 2984 * @cmd: what it wants to do 2985 * 2986 * Returns 0 if current has the requested access, error code otherwise 2987 */ 2988 static int smack_shm_shmctl(struct kern_ipc_perm *isp, int cmd) 2989 { 2990 int may; 2991 2992 switch (cmd) { 2993 case IPC_STAT: 2994 case SHM_STAT: 2995 case SHM_STAT_ANY: 2996 may = MAY_READ; 2997 break; 2998 case IPC_SET: 2999 case SHM_LOCK: 3000 case SHM_UNLOCK: 3001 case IPC_RMID: 3002 may = MAY_READWRITE; 3003 break; 3004 case IPC_INFO: 3005 case SHM_INFO: 3006 /* 3007 * System level information. 3008 */ 3009 return 0; 3010 default: 3011 return -EINVAL; 3012 } 3013 return smk_curacc_shm(isp, may); 3014 } 3015 3016 /** 3017 * smack_shm_shmat - Smack access for shmat 3018 * @isp: the object 3019 * @shmaddr: unused 3020 * @shmflg: access requested 3021 * 3022 * Returns 0 if current has the requested access, error code otherwise 3023 */ 3024 static int smack_shm_shmat(struct kern_ipc_perm *ipc, char __user *shmaddr, 3025 int shmflg) 3026 { 3027 int may; 3028 3029 may = smack_flags_to_may(shmflg); 3030 return smk_curacc_shm(ipc, may); 3031 } 3032 3033 /** 3034 * smk_curacc_sem : check if current has access on sem 3035 * @isp : the object 3036 * @access : access requested 3037 * 3038 * Returns 0 if current has the requested access, error code otherwise 3039 */ 3040 static int smk_curacc_sem(struct kern_ipc_perm *isp, int access) 3041 { 3042 struct smack_known *ssp = smack_of_ipc(isp); 3043 struct smk_audit_info ad; 3044 int rc; 3045 3046 #ifdef CONFIG_AUDIT 3047 smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_IPC); 3048 ad.a.u.ipc_id = isp->id; 3049 #endif 3050 rc = smk_curacc(ssp, access, &ad); 3051 rc = smk_bu_current("sem", ssp, access, rc); 3052 return rc; 3053 } 3054 3055 /** 3056 * smack_sem_associate - Smack access check for sem 3057 * @isp: the object 3058 * @semflg: access requested 3059 * 3060 * Returns 0 if current has the requested access, error code otherwise 3061 */ 3062 static int smack_sem_associate(struct kern_ipc_perm *isp, int semflg) 3063 { 3064 int may; 3065 3066 may = smack_flags_to_may(semflg); 3067 return smk_curacc_sem(isp, may); 3068 } 3069 3070 /** 3071 * smack_sem_shmctl - Smack access check for sem 3072 * @isp: the object 3073 * @cmd: what it wants to do 3074 * 3075 * Returns 0 if current has the requested access, error code otherwise 3076 */ 3077 static int smack_sem_semctl(struct kern_ipc_perm *isp, int cmd) 3078 { 3079 int may; 3080 3081 switch (cmd) { 3082 case GETPID: 3083 case GETNCNT: 3084 case GETZCNT: 3085 case GETVAL: 3086 case GETALL: 3087 case IPC_STAT: 3088 case SEM_STAT: 3089 case SEM_STAT_ANY: 3090 may = MAY_READ; 3091 break; 3092 case SETVAL: 3093 case SETALL: 3094 case IPC_RMID: 3095 case IPC_SET: 3096 may = MAY_READWRITE; 3097 break; 3098 case IPC_INFO: 3099 case SEM_INFO: 3100 /* 3101 * System level information 3102 */ 3103 return 0; 3104 default: 3105 return -EINVAL; 3106 } 3107 3108 return smk_curacc_sem(isp, may); 3109 } 3110 3111 /** 3112 * smack_sem_semop - Smack checks of semaphore operations 3113 * @isp: the object 3114 * @sops: unused 3115 * @nsops: unused 3116 * @alter: unused 3117 * 3118 * Treated as read and write in all cases. 3119 * 3120 * Returns 0 if access is allowed, error code otherwise 3121 */ 3122 static int smack_sem_semop(struct kern_ipc_perm *isp, struct sembuf *sops, 3123 unsigned nsops, int alter) 3124 { 3125 return smk_curacc_sem(isp, MAY_READWRITE); 3126 } 3127 3128 /** 3129 * smk_curacc_msq : helper to check if current has access on msq 3130 * @isp : the msq 3131 * @access : access requested 3132 * 3133 * return 0 if current has access, error otherwise 3134 */ 3135 static int smk_curacc_msq(struct kern_ipc_perm *isp, int access) 3136 { 3137 struct smack_known *msp = smack_of_ipc(isp); 3138 struct smk_audit_info ad; 3139 int rc; 3140 3141 #ifdef CONFIG_AUDIT 3142 smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_IPC); 3143 ad.a.u.ipc_id = isp->id; 3144 #endif 3145 rc = smk_curacc(msp, access, &ad); 3146 rc = smk_bu_current("msq", msp, access, rc); 3147 return rc; 3148 } 3149 3150 /** 3151 * smack_msg_queue_associate - Smack access check for msg_queue 3152 * @isp: the object 3153 * @msqflg: access requested 3154 * 3155 * Returns 0 if current has the requested access, error code otherwise 3156 */ 3157 static int smack_msg_queue_associate(struct kern_ipc_perm *isp, int msqflg) 3158 { 3159 int may; 3160 3161 may = smack_flags_to_may(msqflg); 3162 return smk_curacc_msq(isp, may); 3163 } 3164 3165 /** 3166 * smack_msg_queue_msgctl - Smack access check for msg_queue 3167 * @isp: the object 3168 * @cmd: what it wants to do 3169 * 3170 * Returns 0 if current has the requested access, error code otherwise 3171 */ 3172 static int smack_msg_queue_msgctl(struct kern_ipc_perm *isp, int cmd) 3173 { 3174 int may; 3175 3176 switch (cmd) { 3177 case IPC_STAT: 3178 case MSG_STAT: 3179 case MSG_STAT_ANY: 3180 may = MAY_READ; 3181 break; 3182 case IPC_SET: 3183 case IPC_RMID: 3184 may = MAY_READWRITE; 3185 break; 3186 case IPC_INFO: 3187 case MSG_INFO: 3188 /* 3189 * System level information 3190 */ 3191 return 0; 3192 default: 3193 return -EINVAL; 3194 } 3195 3196 return smk_curacc_msq(isp, may); 3197 } 3198 3199 /** 3200 * smack_msg_queue_msgsnd - Smack access check for msg_queue 3201 * @isp: the object 3202 * @msg: unused 3203 * @msqflg: access requested 3204 * 3205 * Returns 0 if current has the requested access, error code otherwise 3206 */ 3207 static int smack_msg_queue_msgsnd(struct kern_ipc_perm *isp, struct msg_msg *msg, 3208 int msqflg) 3209 { 3210 int may; 3211 3212 may = smack_flags_to_may(msqflg); 3213 return smk_curacc_msq(isp, may); 3214 } 3215 3216 /** 3217 * smack_msg_queue_msgsnd - Smack access check for msg_queue 3218 * @isp: the object 3219 * @msg: unused 3220 * @target: unused 3221 * @type: unused 3222 * @mode: unused 3223 * 3224 * Returns 0 if current has read and write access, error code otherwise 3225 */ 3226 static int smack_msg_queue_msgrcv(struct kern_ipc_perm *isp, struct msg_msg *msg, 3227 struct task_struct *target, long type, int mode) 3228 { 3229 return smk_curacc_msq(isp, MAY_READWRITE); 3230 } 3231 3232 /** 3233 * smack_ipc_permission - Smack access for ipc_permission() 3234 * @ipp: the object permissions 3235 * @flag: access requested 3236 * 3237 * Returns 0 if current has read and write access, error code otherwise 3238 */ 3239 static int smack_ipc_permission(struct kern_ipc_perm *ipp, short flag) 3240 { 3241 struct smack_known *iskp = ipp->security; 3242 int may = smack_flags_to_may(flag); 3243 struct smk_audit_info ad; 3244 int rc; 3245 3246 #ifdef CONFIG_AUDIT 3247 smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_IPC); 3248 ad.a.u.ipc_id = ipp->id; 3249 #endif 3250 rc = smk_curacc(iskp, may, &ad); 3251 rc = smk_bu_current("svipc", iskp, may, rc); 3252 return rc; 3253 } 3254 3255 /** 3256 * smack_ipc_getsecid - Extract smack security id 3257 * @ipp: the object permissions 3258 * @secid: where result will be saved 3259 */ 3260 static void smack_ipc_getsecid(struct kern_ipc_perm *ipp, u32 *secid) 3261 { 3262 struct smack_known *iskp = ipp->security; 3263 3264 *secid = iskp->smk_secid; 3265 } 3266 3267 /** 3268 * smack_d_instantiate - Make sure the blob is correct on an inode 3269 * @opt_dentry: dentry where inode will be attached 3270 * @inode: the object 3271 * 3272 * Set the inode's security blob if it hasn't been done already. 3273 */ 3274 static void smack_d_instantiate(struct dentry *opt_dentry, struct inode *inode) 3275 { 3276 struct super_block *sbp; 3277 struct superblock_smack *sbsp; 3278 struct inode_smack *isp; 3279 struct smack_known *skp; 3280 struct smack_known *ckp = smk_of_current(); 3281 struct smack_known *final; 3282 char trattr[TRANS_TRUE_SIZE]; 3283 int transflag = 0; 3284 int rc; 3285 struct dentry *dp; 3286 3287 if (inode == NULL) 3288 return; 3289 3290 isp = inode->i_security; 3291 3292 mutex_lock(&isp->smk_lock); 3293 /* 3294 * If the inode is already instantiated 3295 * take the quick way out 3296 */ 3297 if (isp->smk_flags & SMK_INODE_INSTANT) 3298 goto unlockandout; 3299 3300 sbp = inode->i_sb; 3301 sbsp = sbp->s_security; 3302 /* 3303 * We're going to use the superblock default label 3304 * if there's no label on the file. 3305 */ 3306 final = sbsp->smk_default; 3307 3308 /* 3309 * If this is the root inode the superblock 3310 * may be in the process of initialization. 3311 * If that is the case use the root value out 3312 * of the superblock. 3313 */ 3314 if (opt_dentry->d_parent == opt_dentry) { 3315 switch (sbp->s_magic) { 3316 case CGROUP_SUPER_MAGIC: 3317 case CGROUP2_SUPER_MAGIC: 3318 /* 3319 * The cgroup filesystem is never mounted, 3320 * so there's no opportunity to set the mount 3321 * options. 3322 */ 3323 sbsp->smk_root = &smack_known_star; 3324 sbsp->smk_default = &smack_known_star; 3325 isp->smk_inode = sbsp->smk_root; 3326 break; 3327 case TMPFS_MAGIC: 3328 /* 3329 * What about shmem/tmpfs anonymous files with dentry 3330 * obtained from d_alloc_pseudo()? 3331 */ 3332 isp->smk_inode = smk_of_current(); 3333 break; 3334 case PIPEFS_MAGIC: 3335 isp->smk_inode = smk_of_current(); 3336 break; 3337 case SOCKFS_MAGIC: 3338 /* 3339 * Socket access is controlled by the socket 3340 * structures associated with the task involved. 3341 */ 3342 isp->smk_inode = &smack_known_star; 3343 break; 3344 default: 3345 isp->smk_inode = sbsp->smk_root; 3346 break; 3347 } 3348 isp->smk_flags |= SMK_INODE_INSTANT; 3349 goto unlockandout; 3350 } 3351 3352 /* 3353 * This is pretty hackish. 3354 * Casey says that we shouldn't have to do 3355 * file system specific code, but it does help 3356 * with keeping it simple. 3357 */ 3358 switch (sbp->s_magic) { 3359 case SMACK_MAGIC: 3360 case CGROUP_SUPER_MAGIC: 3361 case CGROUP2_SUPER_MAGIC: 3362 /* 3363 * Casey says that it's a little embarrassing 3364 * that the smack file system doesn't do 3365 * extended attributes. 3366 * 3367 * Cgroupfs is special 3368 */ 3369 final = &smack_known_star; 3370 break; 3371 case DEVPTS_SUPER_MAGIC: 3372 /* 3373 * devpts seems content with the label of the task. 3374 * Programs that change smack have to treat the 3375 * pty with respect. 3376 */ 3377 final = ckp; 3378 break; 3379 case PROC_SUPER_MAGIC: 3380 /* 3381 * Casey says procfs appears not to care. 3382 * The superblock default suffices. 3383 */ 3384 break; 3385 case TMPFS_MAGIC: 3386 /* 3387 * Device labels should come from the filesystem, 3388 * but watch out, because they're volitile, 3389 * getting recreated on every reboot. 3390 */ 3391 final = &smack_known_star; 3392 /* 3393 * Fall through. 3394 * 3395 * If a smack value has been set we want to use it, 3396 * but since tmpfs isn't giving us the opportunity 3397 * to set mount options simulate setting the 3398 * superblock default. 3399 */ 3400 default: 3401 /* 3402 * This isn't an understood special case. 3403 * Get the value from the xattr. 3404 */ 3405 3406 /* 3407 * UNIX domain sockets use lower level socket data. 3408 */ 3409 if (S_ISSOCK(inode->i_mode)) { 3410 final = &smack_known_star; 3411 break; 3412 } 3413 /* 3414 * No xattr support means, alas, no SMACK label. 3415 * Use the aforeapplied default. 3416 * It would be curious if the label of the task 3417 * does not match that assigned. 3418 */ 3419 if (!(inode->i_opflags & IOP_XATTR)) 3420 break; 3421 /* 3422 * Get the dentry for xattr. 3423 */ 3424 dp = dget(opt_dentry); 3425 skp = smk_fetch(XATTR_NAME_SMACK, inode, dp); 3426 if (!IS_ERR_OR_NULL(skp)) 3427 final = skp; 3428 3429 /* 3430 * Transmuting directory 3431 */ 3432 if (S_ISDIR(inode->i_mode)) { 3433 /* 3434 * If this is a new directory and the label was 3435 * transmuted when the inode was initialized 3436 * set the transmute attribute on the directory 3437 * and mark the inode. 3438 * 3439 * If there is a transmute attribute on the 3440 * directory mark the inode. 3441 */ 3442 if (isp->smk_flags & SMK_INODE_CHANGED) { 3443 isp->smk_flags &= ~SMK_INODE_CHANGED; 3444 rc = __vfs_setxattr(dp, inode, 3445 XATTR_NAME_SMACKTRANSMUTE, 3446 TRANS_TRUE, TRANS_TRUE_SIZE, 3447 0); 3448 } else { 3449 rc = __vfs_getxattr(dp, inode, 3450 XATTR_NAME_SMACKTRANSMUTE, trattr, 3451 TRANS_TRUE_SIZE); 3452 if (rc >= 0 && strncmp(trattr, TRANS_TRUE, 3453 TRANS_TRUE_SIZE) != 0) 3454 rc = -EINVAL; 3455 } 3456 if (rc >= 0) 3457 transflag = SMK_INODE_TRANSMUTE; 3458 } 3459 /* 3460 * Don't let the exec or mmap label be "*" or "@". 3461 */ 3462 skp = smk_fetch(XATTR_NAME_SMACKEXEC, inode, dp); 3463 if (IS_ERR(skp) || skp == &smack_known_star || 3464 skp == &smack_known_web) 3465 skp = NULL; 3466 isp->smk_task = skp; 3467 3468 skp = smk_fetch(XATTR_NAME_SMACKMMAP, inode, dp); 3469 if (IS_ERR(skp) || skp == &smack_known_star || 3470 skp == &smack_known_web) 3471 skp = NULL; 3472 isp->smk_mmap = skp; 3473 3474 dput(dp); 3475 break; 3476 } 3477 3478 if (final == NULL) 3479 isp->smk_inode = ckp; 3480 else 3481 isp->smk_inode = final; 3482 3483 isp->smk_flags |= (SMK_INODE_INSTANT | transflag); 3484 3485 unlockandout: 3486 mutex_unlock(&isp->smk_lock); 3487 return; 3488 } 3489 3490 /** 3491 * smack_getprocattr - Smack process attribute access 3492 * @p: the object task 3493 * @name: the name of the attribute in /proc/.../attr 3494 * @value: where to put the result 3495 * 3496 * Places a copy of the task Smack into value 3497 * 3498 * Returns the length of the smack label or an error code 3499 */ 3500 static int smack_getprocattr(struct task_struct *p, char *name, char **value) 3501 { 3502 struct smack_known *skp = smk_of_task_struct(p); 3503 char *cp; 3504 int slen; 3505 3506 if (strcmp(name, "current") != 0) 3507 return -EINVAL; 3508 3509 cp = kstrdup(skp->smk_known, GFP_KERNEL); 3510 if (cp == NULL) 3511 return -ENOMEM; 3512 3513 slen = strlen(cp); 3514 *value = cp; 3515 return slen; 3516 } 3517 3518 /** 3519 * smack_setprocattr - Smack process attribute setting 3520 * @name: the name of the attribute in /proc/.../attr 3521 * @value: the value to set 3522 * @size: the size of the value 3523 * 3524 * Sets the Smack value of the task. Only setting self 3525 * is permitted and only with privilege 3526 * 3527 * Returns the length of the smack label or an error code 3528 */ 3529 static int smack_setprocattr(const char *name, void *value, size_t size) 3530 { 3531 struct task_smack *tsp = current_security(); 3532 struct cred *new; 3533 struct smack_known *skp; 3534 struct smack_known_list_elem *sklep; 3535 int rc; 3536 3537 if (!smack_privileged(CAP_MAC_ADMIN) && list_empty(&tsp->smk_relabel)) 3538 return -EPERM; 3539 3540 if (value == NULL || size == 0 || size >= SMK_LONGLABEL) 3541 return -EINVAL; 3542 3543 if (strcmp(name, "current") != 0) 3544 return -EINVAL; 3545 3546 skp = smk_import_entry(value, size); 3547 if (IS_ERR(skp)) 3548 return PTR_ERR(skp); 3549 3550 /* 3551 * No process is ever allowed the web ("@") label 3552 * and the star ("*") label. 3553 */ 3554 if (skp == &smack_known_web || skp == &smack_known_star) 3555 return -EINVAL; 3556 3557 if (!smack_privileged(CAP_MAC_ADMIN)) { 3558 rc = -EPERM; 3559 list_for_each_entry(sklep, &tsp->smk_relabel, list) 3560 if (sklep->smk_label == skp) { 3561 rc = 0; 3562 break; 3563 } 3564 if (rc) 3565 return rc; 3566 } 3567 3568 new = prepare_creds(); 3569 if (new == NULL) 3570 return -ENOMEM; 3571 3572 tsp = new->security; 3573 tsp->smk_task = skp; 3574 /* 3575 * process can change its label only once 3576 */ 3577 smk_destroy_label_list(&tsp->smk_relabel); 3578 3579 commit_creds(new); 3580 return size; 3581 } 3582 3583 /** 3584 * smack_unix_stream_connect - Smack access on UDS 3585 * @sock: one sock 3586 * @other: the other sock 3587 * @newsk: unused 3588 * 3589 * Return 0 if a subject with the smack of sock could access 3590 * an object with the smack of other, otherwise an error code 3591 */ 3592 static int smack_unix_stream_connect(struct sock *sock, 3593 struct sock *other, struct sock *newsk) 3594 { 3595 struct smack_known *skp; 3596 struct smack_known *okp; 3597 struct socket_smack *ssp = sock->sk_security; 3598 struct socket_smack *osp = other->sk_security; 3599 struct socket_smack *nsp = newsk->sk_security; 3600 struct smk_audit_info ad; 3601 int rc = 0; 3602 #ifdef CONFIG_AUDIT 3603 struct lsm_network_audit net; 3604 #endif 3605 3606 if (!smack_privileged(CAP_MAC_OVERRIDE)) { 3607 skp = ssp->smk_out; 3608 okp = osp->smk_in; 3609 #ifdef CONFIG_AUDIT 3610 smk_ad_init_net(&ad, __func__, LSM_AUDIT_DATA_NET, &net); 3611 smk_ad_setfield_u_net_sk(&ad, other); 3612 #endif 3613 rc = smk_access(skp, okp, MAY_WRITE, &ad); 3614 rc = smk_bu_note("UDS connect", skp, okp, MAY_WRITE, rc); 3615 if (rc == 0) { 3616 okp = osp->smk_out; 3617 skp = ssp->smk_in; 3618 rc = smk_access(okp, skp, MAY_WRITE, &ad); 3619 rc = smk_bu_note("UDS connect", okp, skp, 3620 MAY_WRITE, rc); 3621 } 3622 } 3623 3624 /* 3625 * Cross reference the peer labels for SO_PEERSEC. 3626 */ 3627 if (rc == 0) { 3628 nsp->smk_packet = ssp->smk_out; 3629 ssp->smk_packet = osp->smk_out; 3630 } 3631 3632 return rc; 3633 } 3634 3635 /** 3636 * smack_unix_may_send - Smack access on UDS 3637 * @sock: one socket 3638 * @other: the other socket 3639 * 3640 * Return 0 if a subject with the smack of sock could access 3641 * an object with the smack of other, otherwise an error code 3642 */ 3643 static int smack_unix_may_send(struct socket *sock, struct socket *other) 3644 { 3645 struct socket_smack *ssp = sock->sk->sk_security; 3646 struct socket_smack *osp = other->sk->sk_security; 3647 struct smk_audit_info ad; 3648 int rc; 3649 3650 #ifdef CONFIG_AUDIT 3651 struct lsm_network_audit net; 3652 3653 smk_ad_init_net(&ad, __func__, LSM_AUDIT_DATA_NET, &net); 3654 smk_ad_setfield_u_net_sk(&ad, other->sk); 3655 #endif 3656 3657 if (smack_privileged(CAP_MAC_OVERRIDE)) 3658 return 0; 3659 3660 rc = smk_access(ssp->smk_out, osp->smk_in, MAY_WRITE, &ad); 3661 rc = smk_bu_note("UDS send", ssp->smk_out, osp->smk_in, MAY_WRITE, rc); 3662 return rc; 3663 } 3664 3665 /** 3666 * smack_socket_sendmsg - Smack check based on destination host 3667 * @sock: the socket 3668 * @msg: the message 3669 * @size: the size of the message 3670 * 3671 * Return 0 if the current subject can write to the destination host. 3672 * For IPv4 this is only a question if the destination is a single label host. 3673 * For IPv6 this is a check against the label of the port. 3674 */ 3675 static int smack_socket_sendmsg(struct socket *sock, struct msghdr *msg, 3676 int size) 3677 { 3678 struct sockaddr_in *sip = (struct sockaddr_in *) msg->msg_name; 3679 #if IS_ENABLED(CONFIG_IPV6) 3680 struct sockaddr_in6 *sap = (struct sockaddr_in6 *) msg->msg_name; 3681 #endif 3682 #ifdef SMACK_IPV6_SECMARK_LABELING 3683 struct socket_smack *ssp = sock->sk->sk_security; 3684 struct smack_known *rsp; 3685 #endif 3686 int rc = 0; 3687 3688 /* 3689 * Perfectly reasonable for this to be NULL 3690 */ 3691 if (sip == NULL) 3692 return 0; 3693 3694 switch (sock->sk->sk_family) { 3695 case AF_INET: 3696 rc = smack_netlabel_send(sock->sk, sip); 3697 break; 3698 case AF_INET6: 3699 #ifdef SMACK_IPV6_SECMARK_LABELING 3700 rsp = smack_ipv6host_label(sap); 3701 if (rsp != NULL) 3702 rc = smk_ipv6_check(ssp->smk_out, rsp, sap, 3703 SMK_CONNECTING); 3704 #endif 3705 #ifdef SMACK_IPV6_PORT_LABELING 3706 rc = smk_ipv6_port_check(sock->sk, sap, SMK_SENDING); 3707 #endif 3708 break; 3709 } 3710 return rc; 3711 } 3712 3713 /** 3714 * smack_from_secattr - Convert a netlabel attr.mls.lvl/attr.mls.cat pair to smack 3715 * @sap: netlabel secattr 3716 * @ssp: socket security information 3717 * 3718 * Returns a pointer to a Smack label entry found on the label list. 3719 */ 3720 static struct smack_known *smack_from_secattr(struct netlbl_lsm_secattr *sap, 3721 struct socket_smack *ssp) 3722 { 3723 struct smack_known *skp; 3724 int found = 0; 3725 int acat; 3726 int kcat; 3727 3728 if ((sap->flags & NETLBL_SECATTR_MLS_LVL) != 0) { 3729 /* 3730 * Looks like a CIPSO packet. 3731 * If there are flags but no level netlabel isn't 3732 * behaving the way we expect it to. 3733 * 3734 * Look it up in the label table 3735 * Without guidance regarding the smack value 3736 * for the packet fall back on the network 3737 * ambient value. 3738 */ 3739 rcu_read_lock(); 3740 list_for_each_entry_rcu(skp, &smack_known_list, list) { 3741 if (sap->attr.mls.lvl != skp->smk_netlabel.attr.mls.lvl) 3742 continue; 3743 /* 3744 * Compare the catsets. Use the netlbl APIs. 3745 */ 3746 if ((sap->flags & NETLBL_SECATTR_MLS_CAT) == 0) { 3747 if ((skp->smk_netlabel.flags & 3748 NETLBL_SECATTR_MLS_CAT) == 0) 3749 found = 1; 3750 break; 3751 } 3752 for (acat = -1, kcat = -1; acat == kcat; ) { 3753 acat = netlbl_catmap_walk(sap->attr.mls.cat, 3754 acat + 1); 3755 kcat = netlbl_catmap_walk( 3756 skp->smk_netlabel.attr.mls.cat, 3757 kcat + 1); 3758 if (acat < 0 || kcat < 0) 3759 break; 3760 } 3761 if (acat == kcat) { 3762 found = 1; 3763 break; 3764 } 3765 } 3766 rcu_read_unlock(); 3767 3768 if (found) 3769 return skp; 3770 3771 if (ssp != NULL && ssp->smk_in == &smack_known_star) 3772 return &smack_known_web; 3773 return &smack_known_star; 3774 } 3775 if ((sap->flags & NETLBL_SECATTR_SECID) != 0) 3776 /* 3777 * Looks like a fallback, which gives us a secid. 3778 */ 3779 return smack_from_secid(sap->attr.secid); 3780 /* 3781 * Without guidance regarding the smack value 3782 * for the packet fall back on the network 3783 * ambient value. 3784 */ 3785 return smack_net_ambient; 3786 } 3787 3788 #if IS_ENABLED(CONFIG_IPV6) 3789 static int smk_skb_to_addr_ipv6(struct sk_buff *skb, struct sockaddr_in6 *sip) 3790 { 3791 u8 nexthdr; 3792 int offset; 3793 int proto = -EINVAL; 3794 struct ipv6hdr _ipv6h; 3795 struct ipv6hdr *ip6; 3796 __be16 frag_off; 3797 struct tcphdr _tcph, *th; 3798 struct udphdr _udph, *uh; 3799 struct dccp_hdr _dccph, *dh; 3800 3801 sip->sin6_port = 0; 3802 3803 offset = skb_network_offset(skb); 3804 ip6 = skb_header_pointer(skb, offset, sizeof(_ipv6h), &_ipv6h); 3805 if (ip6 == NULL) 3806 return -EINVAL; 3807 sip->sin6_addr = ip6->saddr; 3808 3809 nexthdr = ip6->nexthdr; 3810 offset += sizeof(_ipv6h); 3811 offset = ipv6_skip_exthdr(skb, offset, &nexthdr, &frag_off); 3812 if (offset < 0) 3813 return -EINVAL; 3814 3815 proto = nexthdr; 3816 switch (proto) { 3817 case IPPROTO_TCP: 3818 th = skb_header_pointer(skb, offset, sizeof(_tcph), &_tcph); 3819 if (th != NULL) 3820 sip->sin6_port = th->source; 3821 break; 3822 case IPPROTO_UDP: 3823 case IPPROTO_UDPLITE: 3824 uh = skb_header_pointer(skb, offset, sizeof(_udph), &_udph); 3825 if (uh != NULL) 3826 sip->sin6_port = uh->source; 3827 break; 3828 case IPPROTO_DCCP: 3829 dh = skb_header_pointer(skb, offset, sizeof(_dccph), &_dccph); 3830 if (dh != NULL) 3831 sip->sin6_port = dh->dccph_sport; 3832 break; 3833 } 3834 return proto; 3835 } 3836 #endif /* CONFIG_IPV6 */ 3837 3838 /** 3839 * smack_socket_sock_rcv_skb - Smack packet delivery access check 3840 * @sk: socket 3841 * @skb: packet 3842 * 3843 * Returns 0 if the packet should be delivered, an error code otherwise 3844 */ 3845 static int smack_socket_sock_rcv_skb(struct sock *sk, struct sk_buff *skb) 3846 { 3847 struct netlbl_lsm_secattr secattr; 3848 struct socket_smack *ssp = sk->sk_security; 3849 struct smack_known *skp = NULL; 3850 int rc = 0; 3851 struct smk_audit_info ad; 3852 u16 family = sk->sk_family; 3853 #ifdef CONFIG_AUDIT 3854 struct lsm_network_audit net; 3855 #endif 3856 #if IS_ENABLED(CONFIG_IPV6) 3857 struct sockaddr_in6 sadd; 3858 int proto; 3859 3860 if (family == PF_INET6 && skb->protocol == htons(ETH_P_IP)) 3861 family = PF_INET; 3862 #endif /* CONFIG_IPV6 */ 3863 3864 switch (family) { 3865 case PF_INET: 3866 #ifdef CONFIG_SECURITY_SMACK_NETFILTER 3867 /* 3868 * If there is a secmark use it rather than the CIPSO label. 3869 * If there is no secmark fall back to CIPSO. 3870 * The secmark is assumed to reflect policy better. 3871 */ 3872 if (skb && skb->secmark != 0) { 3873 skp = smack_from_secid(skb->secmark); 3874 goto access_check; 3875 } 3876 #endif /* CONFIG_SECURITY_SMACK_NETFILTER */ 3877 /* 3878 * Translate what netlabel gave us. 3879 */ 3880 netlbl_secattr_init(&secattr); 3881 3882 rc = netlbl_skbuff_getattr(skb, family, &secattr); 3883 if (rc == 0) 3884 skp = smack_from_secattr(&secattr, ssp); 3885 else 3886 skp = smack_net_ambient; 3887 3888 netlbl_secattr_destroy(&secattr); 3889 3890 #ifdef CONFIG_SECURITY_SMACK_NETFILTER 3891 access_check: 3892 #endif 3893 #ifdef CONFIG_AUDIT 3894 smk_ad_init_net(&ad, __func__, LSM_AUDIT_DATA_NET, &net); 3895 ad.a.u.net->family = family; 3896 ad.a.u.net->netif = skb->skb_iif; 3897 ipv4_skb_to_auditdata(skb, &ad.a, NULL); 3898 #endif 3899 /* 3900 * Receiving a packet requires that the other end 3901 * be able to write here. Read access is not required. 3902 * This is the simplist possible security model 3903 * for networking. 3904 */ 3905 rc = smk_access(skp, ssp->smk_in, MAY_WRITE, &ad); 3906 rc = smk_bu_note("IPv4 delivery", skp, ssp->smk_in, 3907 MAY_WRITE, rc); 3908 if (rc != 0) 3909 netlbl_skbuff_err(skb, family, rc, 0); 3910 break; 3911 #if IS_ENABLED(CONFIG_IPV6) 3912 case PF_INET6: 3913 proto = smk_skb_to_addr_ipv6(skb, &sadd); 3914 if (proto != IPPROTO_UDP && proto != IPPROTO_UDPLITE && 3915 proto != IPPROTO_TCP && proto != IPPROTO_DCCP) 3916 break; 3917 #ifdef SMACK_IPV6_SECMARK_LABELING 3918 if (skb && skb->secmark != 0) 3919 skp = smack_from_secid(skb->secmark); 3920 else 3921 skp = smack_ipv6host_label(&sadd); 3922 if (skp == NULL) 3923 skp = smack_net_ambient; 3924 #ifdef CONFIG_AUDIT 3925 smk_ad_init_net(&ad, __func__, LSM_AUDIT_DATA_NET, &net); 3926 ad.a.u.net->family = family; 3927 ad.a.u.net->netif = skb->skb_iif; 3928 ipv6_skb_to_auditdata(skb, &ad.a, NULL); 3929 #endif /* CONFIG_AUDIT */ 3930 rc = smk_access(skp, ssp->smk_in, MAY_WRITE, &ad); 3931 rc = smk_bu_note("IPv6 delivery", skp, ssp->smk_in, 3932 MAY_WRITE, rc); 3933 #endif /* SMACK_IPV6_SECMARK_LABELING */ 3934 #ifdef SMACK_IPV6_PORT_LABELING 3935 rc = smk_ipv6_port_check(sk, &sadd, SMK_RECEIVING); 3936 #endif /* SMACK_IPV6_PORT_LABELING */ 3937 if (rc != 0) 3938 icmpv6_send(skb, ICMPV6_DEST_UNREACH, 3939 ICMPV6_ADM_PROHIBITED, 0); 3940 break; 3941 #endif /* CONFIG_IPV6 */ 3942 } 3943 3944 return rc; 3945 } 3946 3947 /** 3948 * smack_socket_getpeersec_stream - pull in packet label 3949 * @sock: the socket 3950 * @optval: user's destination 3951 * @optlen: size thereof 3952 * @len: max thereof 3953 * 3954 * returns zero on success, an error code otherwise 3955 */ 3956 static int smack_socket_getpeersec_stream(struct socket *sock, 3957 char __user *optval, 3958 int __user *optlen, unsigned len) 3959 { 3960 struct socket_smack *ssp; 3961 char *rcp = ""; 3962 int slen = 1; 3963 int rc = 0; 3964 3965 ssp = sock->sk->sk_security; 3966 if (ssp->smk_packet != NULL) { 3967 rcp = ssp->smk_packet->smk_known; 3968 slen = strlen(rcp) + 1; 3969 } 3970 3971 if (slen > len) 3972 rc = -ERANGE; 3973 else if (copy_to_user(optval, rcp, slen) != 0) 3974 rc = -EFAULT; 3975 3976 if (put_user(slen, optlen) != 0) 3977 rc = -EFAULT; 3978 3979 return rc; 3980 } 3981 3982 3983 /** 3984 * smack_socket_getpeersec_dgram - pull in packet label 3985 * @sock: the peer socket 3986 * @skb: packet data 3987 * @secid: pointer to where to put the secid of the packet 3988 * 3989 * Sets the netlabel socket state on sk from parent 3990 */ 3991 static int smack_socket_getpeersec_dgram(struct socket *sock, 3992 struct sk_buff *skb, u32 *secid) 3993 3994 { 3995 struct netlbl_lsm_secattr secattr; 3996 struct socket_smack *ssp = NULL; 3997 struct smack_known *skp; 3998 int family = PF_UNSPEC; 3999 u32 s = 0; /* 0 is the invalid secid */ 4000 int rc; 4001 4002 if (skb != NULL) { 4003 if (skb->protocol == htons(ETH_P_IP)) 4004 family = PF_INET; 4005 #if IS_ENABLED(CONFIG_IPV6) 4006 else if (skb->protocol == htons(ETH_P_IPV6)) 4007 family = PF_INET6; 4008 #endif /* CONFIG_IPV6 */ 4009 } 4010 if (family == PF_UNSPEC && sock != NULL) 4011 family = sock->sk->sk_family; 4012 4013 switch (family) { 4014 case PF_UNIX: 4015 ssp = sock->sk->sk_security; 4016 s = ssp->smk_out->smk_secid; 4017 break; 4018 case PF_INET: 4019 #ifdef CONFIG_SECURITY_SMACK_NETFILTER 4020 s = skb->secmark; 4021 if (s != 0) 4022 break; 4023 #endif 4024 /* 4025 * Translate what netlabel gave us. 4026 */ 4027 if (sock != NULL && sock->sk != NULL) 4028 ssp = sock->sk->sk_security; 4029 netlbl_secattr_init(&secattr); 4030 rc = netlbl_skbuff_getattr(skb, family, &secattr); 4031 if (rc == 0) { 4032 skp = smack_from_secattr(&secattr, ssp); 4033 s = skp->smk_secid; 4034 } 4035 netlbl_secattr_destroy(&secattr); 4036 break; 4037 case PF_INET6: 4038 #ifdef SMACK_IPV6_SECMARK_LABELING 4039 s = skb->secmark; 4040 #endif 4041 break; 4042 } 4043 *secid = s; 4044 if (s == 0) 4045 return -EINVAL; 4046 return 0; 4047 } 4048 4049 /** 4050 * smack_sock_graft - Initialize a newly created socket with an existing sock 4051 * @sk: child sock 4052 * @parent: parent socket 4053 * 4054 * Set the smk_{in,out} state of an existing sock based on the process that 4055 * is creating the new socket. 4056 */ 4057 static void smack_sock_graft(struct sock *sk, struct socket *parent) 4058 { 4059 struct socket_smack *ssp; 4060 struct smack_known *skp = smk_of_current(); 4061 4062 if (sk == NULL || 4063 (sk->sk_family != PF_INET && sk->sk_family != PF_INET6)) 4064 return; 4065 4066 ssp = sk->sk_security; 4067 ssp->smk_in = skp; 4068 ssp->smk_out = skp; 4069 /* cssp->smk_packet is already set in smack_inet_csk_clone() */ 4070 } 4071 4072 /** 4073 * smack_inet_conn_request - Smack access check on connect 4074 * @sk: socket involved 4075 * @skb: packet 4076 * @req: unused 4077 * 4078 * Returns 0 if a task with the packet label could write to 4079 * the socket, otherwise an error code 4080 */ 4081 static int smack_inet_conn_request(struct sock *sk, struct sk_buff *skb, 4082 struct request_sock *req) 4083 { 4084 u16 family = sk->sk_family; 4085 struct smack_known *skp; 4086 struct socket_smack *ssp = sk->sk_security; 4087 struct netlbl_lsm_secattr secattr; 4088 struct sockaddr_in addr; 4089 struct iphdr *hdr; 4090 struct smack_known *hskp; 4091 int rc; 4092 struct smk_audit_info ad; 4093 #ifdef CONFIG_AUDIT 4094 struct lsm_network_audit net; 4095 #endif 4096 4097 #if IS_ENABLED(CONFIG_IPV6) 4098 if (family == PF_INET6) { 4099 /* 4100 * Handle mapped IPv4 packets arriving 4101 * via IPv6 sockets. Don't set up netlabel 4102 * processing on IPv6. 4103 */ 4104 if (skb->protocol == htons(ETH_P_IP)) 4105 family = PF_INET; 4106 else 4107 return 0; 4108 } 4109 #endif /* CONFIG_IPV6 */ 4110 4111 #ifdef CONFIG_SECURITY_SMACK_NETFILTER 4112 /* 4113 * If there is a secmark use it rather than the CIPSO label. 4114 * If there is no secmark fall back to CIPSO. 4115 * The secmark is assumed to reflect policy better. 4116 */ 4117 if (skb && skb->secmark != 0) { 4118 skp = smack_from_secid(skb->secmark); 4119 goto access_check; 4120 } 4121 #endif /* CONFIG_SECURITY_SMACK_NETFILTER */ 4122 4123 netlbl_secattr_init(&secattr); 4124 rc = netlbl_skbuff_getattr(skb, family, &secattr); 4125 if (rc == 0) 4126 skp = smack_from_secattr(&secattr, ssp); 4127 else 4128 skp = &smack_known_huh; 4129 netlbl_secattr_destroy(&secattr); 4130 4131 #ifdef CONFIG_SECURITY_SMACK_NETFILTER 4132 access_check: 4133 #endif 4134 4135 #ifdef CONFIG_AUDIT 4136 smk_ad_init_net(&ad, __func__, LSM_AUDIT_DATA_NET, &net); 4137 ad.a.u.net->family = family; 4138 ad.a.u.net->netif = skb->skb_iif; 4139 ipv4_skb_to_auditdata(skb, &ad.a, NULL); 4140 #endif 4141 /* 4142 * Receiving a packet requires that the other end be able to write 4143 * here. Read access is not required. 4144 */ 4145 rc = smk_access(skp, ssp->smk_in, MAY_WRITE, &ad); 4146 rc = smk_bu_note("IPv4 connect", skp, ssp->smk_in, MAY_WRITE, rc); 4147 if (rc != 0) 4148 return rc; 4149 4150 /* 4151 * Save the peer's label in the request_sock so we can later setup 4152 * smk_packet in the child socket so that SO_PEERCRED can report it. 4153 */ 4154 req->peer_secid = skp->smk_secid; 4155 4156 /* 4157 * We need to decide if we want to label the incoming connection here 4158 * if we do we only need to label the request_sock and the stack will 4159 * propagate the wire-label to the sock when it is created. 4160 */ 4161 hdr = ip_hdr(skb); 4162 addr.sin_addr.s_addr = hdr->saddr; 4163 rcu_read_lock(); 4164 hskp = smack_ipv4host_label(&addr); 4165 rcu_read_unlock(); 4166 4167 if (hskp == NULL) 4168 rc = netlbl_req_setattr(req, &skp->smk_netlabel); 4169 else 4170 netlbl_req_delattr(req); 4171 4172 return rc; 4173 } 4174 4175 /** 4176 * smack_inet_csk_clone - Copy the connection information to the new socket 4177 * @sk: the new socket 4178 * @req: the connection's request_sock 4179 * 4180 * Transfer the connection's peer label to the newly created socket. 4181 */ 4182 static void smack_inet_csk_clone(struct sock *sk, 4183 const struct request_sock *req) 4184 { 4185 struct socket_smack *ssp = sk->sk_security; 4186 struct smack_known *skp; 4187 4188 if (req->peer_secid != 0) { 4189 skp = smack_from_secid(req->peer_secid); 4190 ssp->smk_packet = skp; 4191 } else 4192 ssp->smk_packet = NULL; 4193 } 4194 4195 /* 4196 * Key management security hooks 4197 * 4198 * Casey has not tested key support very heavily. 4199 * The permission check is most likely too restrictive. 4200 * If you care about keys please have a look. 4201 */ 4202 #ifdef CONFIG_KEYS 4203 4204 /** 4205 * smack_key_alloc - Set the key security blob 4206 * @key: object 4207 * @cred: the credentials to use 4208 * @flags: unused 4209 * 4210 * No allocation required 4211 * 4212 * Returns 0 4213 */ 4214 static int smack_key_alloc(struct key *key, const struct cred *cred, 4215 unsigned long flags) 4216 { 4217 struct smack_known *skp = smk_of_task(cred->security); 4218 4219 key->security = skp; 4220 return 0; 4221 } 4222 4223 /** 4224 * smack_key_free - Clear the key security blob 4225 * @key: the object 4226 * 4227 * Clear the blob pointer 4228 */ 4229 static void smack_key_free(struct key *key) 4230 { 4231 key->security = NULL; 4232 } 4233 4234 /** 4235 * smack_key_permission - Smack access on a key 4236 * @key_ref: gets to the object 4237 * @cred: the credentials to use 4238 * @perm: requested key permissions 4239 * 4240 * Return 0 if the task has read and write to the object, 4241 * an error code otherwise 4242 */ 4243 static int smack_key_permission(key_ref_t key_ref, 4244 const struct cred *cred, unsigned perm) 4245 { 4246 struct key *keyp; 4247 struct smk_audit_info ad; 4248 struct smack_known *tkp = smk_of_task(cred->security); 4249 int request = 0; 4250 int rc; 4251 4252 /* 4253 * Validate requested permissions 4254 */ 4255 if (perm & ~KEY_NEED_ALL) 4256 return -EINVAL; 4257 4258 keyp = key_ref_to_ptr(key_ref); 4259 if (keyp == NULL) 4260 return -EINVAL; 4261 /* 4262 * If the key hasn't been initialized give it access so that 4263 * it may do so. 4264 */ 4265 if (keyp->security == NULL) 4266 return 0; 4267 /* 4268 * This should not occur 4269 */ 4270 if (tkp == NULL) 4271 return -EACCES; 4272 4273 if (smack_privileged_cred(CAP_MAC_OVERRIDE, cred)) 4274 return 0; 4275 4276 #ifdef CONFIG_AUDIT 4277 smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_KEY); 4278 ad.a.u.key_struct.key = keyp->serial; 4279 ad.a.u.key_struct.key_desc = keyp->description; 4280 #endif 4281 if (perm & (KEY_NEED_READ | KEY_NEED_SEARCH | KEY_NEED_VIEW)) 4282 request |= MAY_READ; 4283 if (perm & (KEY_NEED_WRITE | KEY_NEED_LINK | KEY_NEED_SETATTR)) 4284 request |= MAY_WRITE; 4285 rc = smk_access(tkp, keyp->security, request, &ad); 4286 rc = smk_bu_note("key access", tkp, keyp->security, request, rc); 4287 return rc; 4288 } 4289 4290 /* 4291 * smack_key_getsecurity - Smack label tagging the key 4292 * @key points to the key to be queried 4293 * @_buffer points to a pointer that should be set to point to the 4294 * resulting string (if no label or an error occurs). 4295 * Return the length of the string (including terminating NUL) or -ve if 4296 * an error. 4297 * May also return 0 (and a NULL buffer pointer) if there is no label. 4298 */ 4299 static int smack_key_getsecurity(struct key *key, char **_buffer) 4300 { 4301 struct smack_known *skp = key->security; 4302 size_t length; 4303 char *copy; 4304 4305 if (key->security == NULL) { 4306 *_buffer = NULL; 4307 return 0; 4308 } 4309 4310 copy = kstrdup(skp->smk_known, GFP_KERNEL); 4311 if (copy == NULL) 4312 return -ENOMEM; 4313 length = strlen(copy) + 1; 4314 4315 *_buffer = copy; 4316 return length; 4317 } 4318 4319 #endif /* CONFIG_KEYS */ 4320 4321 /* 4322 * Smack Audit hooks 4323 * 4324 * Audit requires a unique representation of each Smack specific 4325 * rule. This unique representation is used to distinguish the 4326 * object to be audited from remaining kernel objects and also 4327 * works as a glue between the audit hooks. 4328 * 4329 * Since repository entries are added but never deleted, we'll use 4330 * the smack_known label address related to the given audit rule as 4331 * the needed unique representation. This also better fits the smack 4332 * model where nearly everything is a label. 4333 */ 4334 #ifdef CONFIG_AUDIT 4335 4336 /** 4337 * smack_audit_rule_init - Initialize a smack audit rule 4338 * @field: audit rule fields given from user-space (audit.h) 4339 * @op: required testing operator (=, !=, >, <, ...) 4340 * @rulestr: smack label to be audited 4341 * @vrule: pointer to save our own audit rule representation 4342 * 4343 * Prepare to audit cases where (@field @op @rulestr) is true. 4344 * The label to be audited is created if necessay. 4345 */ 4346 static int smack_audit_rule_init(u32 field, u32 op, char *rulestr, void **vrule) 4347 { 4348 struct smack_known *skp; 4349 char **rule = (char **)vrule; 4350 *rule = NULL; 4351 4352 if (field != AUDIT_SUBJ_USER && field != AUDIT_OBJ_USER) 4353 return -EINVAL; 4354 4355 if (op != Audit_equal && op != Audit_not_equal) 4356 return -EINVAL; 4357 4358 skp = smk_import_entry(rulestr, 0); 4359 if (IS_ERR(skp)) 4360 return PTR_ERR(skp); 4361 4362 *rule = skp->smk_known; 4363 4364 return 0; 4365 } 4366 4367 /** 4368 * smack_audit_rule_known - Distinguish Smack audit rules 4369 * @krule: rule of interest, in Audit kernel representation format 4370 * 4371 * This is used to filter Smack rules from remaining Audit ones. 4372 * If it's proved that this rule belongs to us, the 4373 * audit_rule_match hook will be called to do the final judgement. 4374 */ 4375 static int smack_audit_rule_known(struct audit_krule *krule) 4376 { 4377 struct audit_field *f; 4378 int i; 4379 4380 for (i = 0; i < krule->field_count; i++) { 4381 f = &krule->fields[i]; 4382 4383 if (f->type == AUDIT_SUBJ_USER || f->type == AUDIT_OBJ_USER) 4384 return 1; 4385 } 4386 4387 return 0; 4388 } 4389 4390 /** 4391 * smack_audit_rule_match - Audit given object ? 4392 * @secid: security id for identifying the object to test 4393 * @field: audit rule flags given from user-space 4394 * @op: required testing operator 4395 * @vrule: smack internal rule presentation 4396 * @actx: audit context associated with the check 4397 * 4398 * The core Audit hook. It's used to take the decision of 4399 * whether to audit or not to audit a given object. 4400 */ 4401 static int smack_audit_rule_match(u32 secid, u32 field, u32 op, void *vrule, 4402 struct audit_context *actx) 4403 { 4404 struct smack_known *skp; 4405 char *rule = vrule; 4406 4407 if (unlikely(!rule)) { 4408 WARN_ONCE(1, "Smack: missing rule\n"); 4409 return -ENOENT; 4410 } 4411 4412 if (field != AUDIT_SUBJ_USER && field != AUDIT_OBJ_USER) 4413 return 0; 4414 4415 skp = smack_from_secid(secid); 4416 4417 /* 4418 * No need to do string comparisons. If a match occurs, 4419 * both pointers will point to the same smack_known 4420 * label. 4421 */ 4422 if (op == Audit_equal) 4423 return (rule == skp->smk_known); 4424 if (op == Audit_not_equal) 4425 return (rule != skp->smk_known); 4426 4427 return 0; 4428 } 4429 4430 /* 4431 * There is no need for a smack_audit_rule_free hook. 4432 * No memory was allocated. 4433 */ 4434 4435 #endif /* CONFIG_AUDIT */ 4436 4437 /** 4438 * smack_ismaclabel - check if xattr @name references a smack MAC label 4439 * @name: Full xattr name to check. 4440 */ 4441 static int smack_ismaclabel(const char *name) 4442 { 4443 return (strcmp(name, XATTR_SMACK_SUFFIX) == 0); 4444 } 4445 4446 4447 /** 4448 * smack_secid_to_secctx - return the smack label for a secid 4449 * @secid: incoming integer 4450 * @secdata: destination 4451 * @seclen: how long it is 4452 * 4453 * Exists for networking code. 4454 */ 4455 static int smack_secid_to_secctx(u32 secid, char **secdata, u32 *seclen) 4456 { 4457 struct smack_known *skp = smack_from_secid(secid); 4458 4459 if (secdata) 4460 *secdata = skp->smk_known; 4461 *seclen = strlen(skp->smk_known); 4462 return 0; 4463 } 4464 4465 /** 4466 * smack_secctx_to_secid - return the secid for a smack label 4467 * @secdata: smack label 4468 * @seclen: how long result is 4469 * @secid: outgoing integer 4470 * 4471 * Exists for audit and networking code. 4472 */ 4473 static int smack_secctx_to_secid(const char *secdata, u32 seclen, u32 *secid) 4474 { 4475 struct smack_known *skp = smk_find_entry(secdata); 4476 4477 if (skp) 4478 *secid = skp->smk_secid; 4479 else 4480 *secid = 0; 4481 return 0; 4482 } 4483 4484 /* 4485 * There used to be a smack_release_secctx hook 4486 * that did nothing back when hooks were in a vector. 4487 * Now that there's a list such a hook adds cost. 4488 */ 4489 4490 static int smack_inode_notifysecctx(struct inode *inode, void *ctx, u32 ctxlen) 4491 { 4492 return smack_inode_setsecurity(inode, XATTR_SMACK_SUFFIX, ctx, ctxlen, 0); 4493 } 4494 4495 static int smack_inode_setsecctx(struct dentry *dentry, void *ctx, u32 ctxlen) 4496 { 4497 return __vfs_setxattr_noperm(dentry, XATTR_NAME_SMACK, ctx, ctxlen, 0); 4498 } 4499 4500 static int smack_inode_getsecctx(struct inode *inode, void **ctx, u32 *ctxlen) 4501 { 4502 struct smack_known *skp = smk_of_inode(inode); 4503 4504 *ctx = skp->smk_known; 4505 *ctxlen = strlen(skp->smk_known); 4506 return 0; 4507 } 4508 4509 static int smack_inode_copy_up(struct dentry *dentry, struct cred **new) 4510 { 4511 4512 struct task_smack *tsp; 4513 struct smack_known *skp; 4514 struct inode_smack *isp; 4515 struct cred *new_creds = *new; 4516 4517 if (new_creds == NULL) { 4518 new_creds = prepare_creds(); 4519 if (new_creds == NULL) 4520 return -ENOMEM; 4521 } 4522 4523 tsp = new_creds->security; 4524 4525 /* 4526 * Get label from overlay inode and set it in create_sid 4527 */ 4528 isp = d_inode(dentry->d_parent)->i_security; 4529 skp = isp->smk_inode; 4530 tsp->smk_task = skp; 4531 *new = new_creds; 4532 return 0; 4533 } 4534 4535 static int smack_inode_copy_up_xattr(const char *name) 4536 { 4537 /* 4538 * Return 1 if this is the smack access Smack attribute. 4539 */ 4540 if (strcmp(name, XATTR_NAME_SMACK) == 0) 4541 return 1; 4542 4543 return -EOPNOTSUPP; 4544 } 4545 4546 static int smack_dentry_create_files_as(struct dentry *dentry, int mode, 4547 struct qstr *name, 4548 const struct cred *old, 4549 struct cred *new) 4550 { 4551 struct task_smack *otsp = old->security; 4552 struct task_smack *ntsp = new->security; 4553 struct inode_smack *isp; 4554 int may; 4555 4556 /* 4557 * Use the process credential unless all of 4558 * the transmuting criteria are met 4559 */ 4560 ntsp->smk_task = otsp->smk_task; 4561 4562 /* 4563 * the attribute of the containing directory 4564 */ 4565 isp = d_inode(dentry->d_parent)->i_security; 4566 4567 if (isp->smk_flags & SMK_INODE_TRANSMUTE) { 4568 rcu_read_lock(); 4569 may = smk_access_entry(otsp->smk_task->smk_known, 4570 isp->smk_inode->smk_known, 4571 &otsp->smk_task->smk_rules); 4572 rcu_read_unlock(); 4573 4574 /* 4575 * If the directory is transmuting and the rule 4576 * providing access is transmuting use the containing 4577 * directory label instead of the process label. 4578 */ 4579 if (may > 0 && (may & MAY_TRANSMUTE)) 4580 ntsp->smk_task = isp->smk_inode; 4581 } 4582 return 0; 4583 } 4584 4585 static struct security_hook_list smack_hooks[] __lsm_ro_after_init = { 4586 LSM_HOOK_INIT(ptrace_access_check, smack_ptrace_access_check), 4587 LSM_HOOK_INIT(ptrace_traceme, smack_ptrace_traceme), 4588 LSM_HOOK_INIT(syslog, smack_syslog), 4589 4590 LSM_HOOK_INIT(sb_alloc_security, smack_sb_alloc_security), 4591 LSM_HOOK_INIT(sb_free_security, smack_sb_free_security), 4592 LSM_HOOK_INIT(sb_free_mnt_opts, smack_free_mnt_opts), 4593 LSM_HOOK_INIT(sb_eat_lsm_opts, smack_sb_eat_lsm_opts), 4594 LSM_HOOK_INIT(sb_statfs, smack_sb_statfs), 4595 LSM_HOOK_INIT(sb_set_mnt_opts, smack_set_mnt_opts), 4596 4597 LSM_HOOK_INIT(bprm_set_creds, smack_bprm_set_creds), 4598 4599 LSM_HOOK_INIT(inode_alloc_security, smack_inode_alloc_security), 4600 LSM_HOOK_INIT(inode_free_security, smack_inode_free_security), 4601 LSM_HOOK_INIT(inode_init_security, smack_inode_init_security), 4602 LSM_HOOK_INIT(inode_link, smack_inode_link), 4603 LSM_HOOK_INIT(inode_unlink, smack_inode_unlink), 4604 LSM_HOOK_INIT(inode_rmdir, smack_inode_rmdir), 4605 LSM_HOOK_INIT(inode_rename, smack_inode_rename), 4606 LSM_HOOK_INIT(inode_permission, smack_inode_permission), 4607 LSM_HOOK_INIT(inode_setattr, smack_inode_setattr), 4608 LSM_HOOK_INIT(inode_getattr, smack_inode_getattr), 4609 LSM_HOOK_INIT(inode_setxattr, smack_inode_setxattr), 4610 LSM_HOOK_INIT(inode_post_setxattr, smack_inode_post_setxattr), 4611 LSM_HOOK_INIT(inode_getxattr, smack_inode_getxattr), 4612 LSM_HOOK_INIT(inode_removexattr, smack_inode_removexattr), 4613 LSM_HOOK_INIT(inode_getsecurity, smack_inode_getsecurity), 4614 LSM_HOOK_INIT(inode_setsecurity, smack_inode_setsecurity), 4615 LSM_HOOK_INIT(inode_listsecurity, smack_inode_listsecurity), 4616 LSM_HOOK_INIT(inode_getsecid, smack_inode_getsecid), 4617 4618 LSM_HOOK_INIT(file_alloc_security, smack_file_alloc_security), 4619 LSM_HOOK_INIT(file_free_security, smack_file_free_security), 4620 LSM_HOOK_INIT(file_ioctl, smack_file_ioctl), 4621 LSM_HOOK_INIT(file_lock, smack_file_lock), 4622 LSM_HOOK_INIT(file_fcntl, smack_file_fcntl), 4623 LSM_HOOK_INIT(mmap_file, smack_mmap_file), 4624 LSM_HOOK_INIT(mmap_addr, cap_mmap_addr), 4625 LSM_HOOK_INIT(file_set_fowner, smack_file_set_fowner), 4626 LSM_HOOK_INIT(file_send_sigiotask, smack_file_send_sigiotask), 4627 LSM_HOOK_INIT(file_receive, smack_file_receive), 4628 4629 LSM_HOOK_INIT(file_open, smack_file_open), 4630 4631 LSM_HOOK_INIT(cred_alloc_blank, smack_cred_alloc_blank), 4632 LSM_HOOK_INIT(cred_free, smack_cred_free), 4633 LSM_HOOK_INIT(cred_prepare, smack_cred_prepare), 4634 LSM_HOOK_INIT(cred_transfer, smack_cred_transfer), 4635 LSM_HOOK_INIT(cred_getsecid, smack_cred_getsecid), 4636 LSM_HOOK_INIT(kernel_act_as, smack_kernel_act_as), 4637 LSM_HOOK_INIT(kernel_create_files_as, smack_kernel_create_files_as), 4638 LSM_HOOK_INIT(task_setpgid, smack_task_setpgid), 4639 LSM_HOOK_INIT(task_getpgid, smack_task_getpgid), 4640 LSM_HOOK_INIT(task_getsid, smack_task_getsid), 4641 LSM_HOOK_INIT(task_getsecid, smack_task_getsecid), 4642 LSM_HOOK_INIT(task_setnice, smack_task_setnice), 4643 LSM_HOOK_INIT(task_setioprio, smack_task_setioprio), 4644 LSM_HOOK_INIT(task_getioprio, smack_task_getioprio), 4645 LSM_HOOK_INIT(task_setscheduler, smack_task_setscheduler), 4646 LSM_HOOK_INIT(task_getscheduler, smack_task_getscheduler), 4647 LSM_HOOK_INIT(task_movememory, smack_task_movememory), 4648 LSM_HOOK_INIT(task_kill, smack_task_kill), 4649 LSM_HOOK_INIT(task_to_inode, smack_task_to_inode), 4650 4651 LSM_HOOK_INIT(ipc_permission, smack_ipc_permission), 4652 LSM_HOOK_INIT(ipc_getsecid, smack_ipc_getsecid), 4653 4654 LSM_HOOK_INIT(msg_msg_alloc_security, smack_msg_msg_alloc_security), 4655 LSM_HOOK_INIT(msg_msg_free_security, smack_msg_msg_free_security), 4656 4657 LSM_HOOK_INIT(msg_queue_alloc_security, smack_ipc_alloc_security), 4658 LSM_HOOK_INIT(msg_queue_free_security, smack_ipc_free_security), 4659 LSM_HOOK_INIT(msg_queue_associate, smack_msg_queue_associate), 4660 LSM_HOOK_INIT(msg_queue_msgctl, smack_msg_queue_msgctl), 4661 LSM_HOOK_INIT(msg_queue_msgsnd, smack_msg_queue_msgsnd), 4662 LSM_HOOK_INIT(msg_queue_msgrcv, smack_msg_queue_msgrcv), 4663 4664 LSM_HOOK_INIT(shm_alloc_security, smack_ipc_alloc_security), 4665 LSM_HOOK_INIT(shm_free_security, smack_ipc_free_security), 4666 LSM_HOOK_INIT(shm_associate, smack_shm_associate), 4667 LSM_HOOK_INIT(shm_shmctl, smack_shm_shmctl), 4668 LSM_HOOK_INIT(shm_shmat, smack_shm_shmat), 4669 4670 LSM_HOOK_INIT(sem_alloc_security, smack_ipc_alloc_security), 4671 LSM_HOOK_INIT(sem_free_security, smack_ipc_free_security), 4672 LSM_HOOK_INIT(sem_associate, smack_sem_associate), 4673 LSM_HOOK_INIT(sem_semctl, smack_sem_semctl), 4674 LSM_HOOK_INIT(sem_semop, smack_sem_semop), 4675 4676 LSM_HOOK_INIT(d_instantiate, smack_d_instantiate), 4677 4678 LSM_HOOK_INIT(getprocattr, smack_getprocattr), 4679 LSM_HOOK_INIT(setprocattr, smack_setprocattr), 4680 4681 LSM_HOOK_INIT(unix_stream_connect, smack_unix_stream_connect), 4682 LSM_HOOK_INIT(unix_may_send, smack_unix_may_send), 4683 4684 LSM_HOOK_INIT(socket_post_create, smack_socket_post_create), 4685 LSM_HOOK_INIT(socket_socketpair, smack_socket_socketpair), 4686 #ifdef SMACK_IPV6_PORT_LABELING 4687 LSM_HOOK_INIT(socket_bind, smack_socket_bind), 4688 #endif 4689 LSM_HOOK_INIT(socket_connect, smack_socket_connect), 4690 LSM_HOOK_INIT(socket_sendmsg, smack_socket_sendmsg), 4691 LSM_HOOK_INIT(socket_sock_rcv_skb, smack_socket_sock_rcv_skb), 4692 LSM_HOOK_INIT(socket_getpeersec_stream, smack_socket_getpeersec_stream), 4693 LSM_HOOK_INIT(socket_getpeersec_dgram, smack_socket_getpeersec_dgram), 4694 LSM_HOOK_INIT(sk_alloc_security, smack_sk_alloc_security), 4695 LSM_HOOK_INIT(sk_free_security, smack_sk_free_security), 4696 LSM_HOOK_INIT(sock_graft, smack_sock_graft), 4697 LSM_HOOK_INIT(inet_conn_request, smack_inet_conn_request), 4698 LSM_HOOK_INIT(inet_csk_clone, smack_inet_csk_clone), 4699 4700 /* key management security hooks */ 4701 #ifdef CONFIG_KEYS 4702 LSM_HOOK_INIT(key_alloc, smack_key_alloc), 4703 LSM_HOOK_INIT(key_free, smack_key_free), 4704 LSM_HOOK_INIT(key_permission, smack_key_permission), 4705 LSM_HOOK_INIT(key_getsecurity, smack_key_getsecurity), 4706 #endif /* CONFIG_KEYS */ 4707 4708 /* Audit hooks */ 4709 #ifdef CONFIG_AUDIT 4710 LSM_HOOK_INIT(audit_rule_init, smack_audit_rule_init), 4711 LSM_HOOK_INIT(audit_rule_known, smack_audit_rule_known), 4712 LSM_HOOK_INIT(audit_rule_match, smack_audit_rule_match), 4713 #endif /* CONFIG_AUDIT */ 4714 4715 LSM_HOOK_INIT(ismaclabel, smack_ismaclabel), 4716 LSM_HOOK_INIT(secid_to_secctx, smack_secid_to_secctx), 4717 LSM_HOOK_INIT(secctx_to_secid, smack_secctx_to_secid), 4718 LSM_HOOK_INIT(inode_notifysecctx, smack_inode_notifysecctx), 4719 LSM_HOOK_INIT(inode_setsecctx, smack_inode_setsecctx), 4720 LSM_HOOK_INIT(inode_getsecctx, smack_inode_getsecctx), 4721 LSM_HOOK_INIT(inode_copy_up, smack_inode_copy_up), 4722 LSM_HOOK_INIT(inode_copy_up_xattr, smack_inode_copy_up_xattr), 4723 LSM_HOOK_INIT(dentry_create_files_as, smack_dentry_create_files_as), 4724 }; 4725 4726 4727 static __init void init_smack_known_list(void) 4728 { 4729 /* 4730 * Initialize rule list locks 4731 */ 4732 mutex_init(&smack_known_huh.smk_rules_lock); 4733 mutex_init(&smack_known_hat.smk_rules_lock); 4734 mutex_init(&smack_known_floor.smk_rules_lock); 4735 mutex_init(&smack_known_star.smk_rules_lock); 4736 mutex_init(&smack_known_web.smk_rules_lock); 4737 /* 4738 * Initialize rule lists 4739 */ 4740 INIT_LIST_HEAD(&smack_known_huh.smk_rules); 4741 INIT_LIST_HEAD(&smack_known_hat.smk_rules); 4742 INIT_LIST_HEAD(&smack_known_star.smk_rules); 4743 INIT_LIST_HEAD(&smack_known_floor.smk_rules); 4744 INIT_LIST_HEAD(&smack_known_web.smk_rules); 4745 /* 4746 * Create the known labels list 4747 */ 4748 smk_insert_entry(&smack_known_huh); 4749 smk_insert_entry(&smack_known_hat); 4750 smk_insert_entry(&smack_known_star); 4751 smk_insert_entry(&smack_known_floor); 4752 smk_insert_entry(&smack_known_web); 4753 } 4754 4755 /** 4756 * smack_init - initialize the smack system 4757 * 4758 * Returns 0 4759 */ 4760 static __init int smack_init(void) 4761 { 4762 struct cred *cred; 4763 struct task_smack *tsp; 4764 4765 if (!security_module_enable("smack")) 4766 return 0; 4767 4768 smack_inode_cache = KMEM_CACHE(inode_smack, 0); 4769 if (!smack_inode_cache) 4770 return -ENOMEM; 4771 4772 tsp = new_task_smack(&smack_known_floor, &smack_known_floor, 4773 GFP_KERNEL); 4774 if (tsp == NULL) { 4775 kmem_cache_destroy(smack_inode_cache); 4776 return -ENOMEM; 4777 } 4778 4779 smack_enabled = 1; 4780 4781 pr_info("Smack: Initializing.\n"); 4782 #ifdef CONFIG_SECURITY_SMACK_NETFILTER 4783 pr_info("Smack: Netfilter enabled.\n"); 4784 #endif 4785 #ifdef SMACK_IPV6_PORT_LABELING 4786 pr_info("Smack: IPv6 port labeling enabled.\n"); 4787 #endif 4788 #ifdef SMACK_IPV6_SECMARK_LABELING 4789 pr_info("Smack: IPv6 Netfilter enabled.\n"); 4790 #endif 4791 4792 /* 4793 * Set the security state for the initial task. 4794 */ 4795 cred = (struct cred *) current->cred; 4796 cred->security = tsp; 4797 4798 /* initialize the smack_known_list */ 4799 init_smack_known_list(); 4800 4801 /* 4802 * Register with LSM 4803 */ 4804 security_add_hooks(smack_hooks, ARRAY_SIZE(smack_hooks), "smack"); 4805 4806 return 0; 4807 } 4808 4809 /* 4810 * Smack requires early initialization in order to label 4811 * all processes and objects when they are created. 4812 */ 4813 DEFINE_LSM(smack) = { 4814 .name = "smack", 4815 .init = smack_init, 4816 }; 4817