1 /* 2 * Simplified MAC Kernel (smack) security module 3 * 4 * This file contains the smack hook function implementations. 5 * 6 * Authors: 7 * Casey Schaufler <casey@schaufler-ca.com> 8 * Jarkko Sakkinen <jarkko.sakkinen@intel.com> 9 * 10 * Copyright (C) 2007 Casey Schaufler <casey@schaufler-ca.com> 11 * Copyright (C) 2009 Hewlett-Packard Development Company, L.P. 12 * Paul Moore <paul@paul-moore.com> 13 * Copyright (C) 2010 Nokia Corporation 14 * Copyright (C) 2011 Intel Corporation. 15 * 16 * This program is free software; you can redistribute it and/or modify 17 * it under the terms of the GNU General Public License version 2, 18 * as published by the Free Software Foundation. 19 */ 20 21 #include <linux/xattr.h> 22 #include <linux/pagemap.h> 23 #include <linux/mount.h> 24 #include <linux/stat.h> 25 #include <linux/kd.h> 26 #include <asm/ioctls.h> 27 #include <linux/ip.h> 28 #include <linux/tcp.h> 29 #include <linux/udp.h> 30 #include <linux/dccp.h> 31 #include <linux/slab.h> 32 #include <linux/mutex.h> 33 #include <linux/pipe_fs_i.h> 34 #include <net/cipso_ipv4.h> 35 #include <net/ip.h> 36 #include <net/ipv6.h> 37 #include <linux/audit.h> 38 #include <linux/magic.h> 39 #include <linux/dcache.h> 40 #include <linux/personality.h> 41 #include <linux/msg.h> 42 #include <linux/shm.h> 43 #include <linux/binfmts.h> 44 #include <linux/parser.h> 45 #include "smack.h" 46 47 #define TRANS_TRUE "TRUE" 48 #define TRANS_TRUE_SIZE 4 49 50 #define SMK_CONNECTING 0 51 #define SMK_RECEIVING 1 52 #define SMK_SENDING 2 53 54 #ifdef SMACK_IPV6_PORT_LABELING 55 static LIST_HEAD(smk_ipv6_port_list); 56 #endif 57 static struct kmem_cache *smack_inode_cache; 58 int smack_enabled; 59 60 static const match_table_t smk_mount_tokens = { 61 {Opt_fsdefault, SMK_FSDEFAULT "%s"}, 62 {Opt_fsfloor, SMK_FSFLOOR "%s"}, 63 {Opt_fshat, SMK_FSHAT "%s"}, 64 {Opt_fsroot, SMK_FSROOT "%s"}, 65 {Opt_fstransmute, SMK_FSTRANS "%s"}, 66 {Opt_error, NULL}, 67 }; 68 69 #ifdef CONFIG_SECURITY_SMACK_BRINGUP 70 static char *smk_bu_mess[] = { 71 "Bringup Error", /* Unused */ 72 "Bringup", /* SMACK_BRINGUP_ALLOW */ 73 "Unconfined Subject", /* SMACK_UNCONFINED_SUBJECT */ 74 "Unconfined Object", /* SMACK_UNCONFINED_OBJECT */ 75 }; 76 77 static void smk_bu_mode(int mode, char *s) 78 { 79 int i = 0; 80 81 if (mode & MAY_READ) 82 s[i++] = 'r'; 83 if (mode & MAY_WRITE) 84 s[i++] = 'w'; 85 if (mode & MAY_EXEC) 86 s[i++] = 'x'; 87 if (mode & MAY_APPEND) 88 s[i++] = 'a'; 89 if (mode & MAY_TRANSMUTE) 90 s[i++] = 't'; 91 if (mode & MAY_LOCK) 92 s[i++] = 'l'; 93 if (i == 0) 94 s[i++] = '-'; 95 s[i] = '\0'; 96 } 97 #endif 98 99 #ifdef CONFIG_SECURITY_SMACK_BRINGUP 100 static int smk_bu_note(char *note, struct smack_known *sskp, 101 struct smack_known *oskp, int mode, int rc) 102 { 103 char acc[SMK_NUM_ACCESS_TYPE + 1]; 104 105 if (rc <= 0) 106 return rc; 107 if (rc > SMACK_UNCONFINED_OBJECT) 108 rc = 0; 109 110 smk_bu_mode(mode, acc); 111 pr_info("Smack %s: (%s %s %s) %s\n", smk_bu_mess[rc], 112 sskp->smk_known, oskp->smk_known, acc, note); 113 return 0; 114 } 115 #else 116 #define smk_bu_note(note, sskp, oskp, mode, RC) (RC) 117 #endif 118 119 #ifdef CONFIG_SECURITY_SMACK_BRINGUP 120 static int smk_bu_current(char *note, struct smack_known *oskp, 121 int mode, int rc) 122 { 123 struct task_smack *tsp = current_security(); 124 char acc[SMK_NUM_ACCESS_TYPE + 1]; 125 126 if (rc <= 0) 127 return rc; 128 if (rc > SMACK_UNCONFINED_OBJECT) 129 rc = 0; 130 131 smk_bu_mode(mode, acc); 132 pr_info("Smack %s: (%s %s %s) %s %s\n", smk_bu_mess[rc], 133 tsp->smk_task->smk_known, oskp->smk_known, 134 acc, current->comm, note); 135 return 0; 136 } 137 #else 138 #define smk_bu_current(note, oskp, mode, RC) (RC) 139 #endif 140 141 #ifdef CONFIG_SECURITY_SMACK_BRINGUP 142 static int smk_bu_task(struct task_struct *otp, int mode, int rc) 143 { 144 struct task_smack *tsp = current_security(); 145 struct smack_known *smk_task = smk_of_task_struct(otp); 146 char acc[SMK_NUM_ACCESS_TYPE + 1]; 147 148 if (rc <= 0) 149 return rc; 150 if (rc > SMACK_UNCONFINED_OBJECT) 151 rc = 0; 152 153 smk_bu_mode(mode, acc); 154 pr_info("Smack %s: (%s %s %s) %s to %s\n", smk_bu_mess[rc], 155 tsp->smk_task->smk_known, smk_task->smk_known, acc, 156 current->comm, otp->comm); 157 return 0; 158 } 159 #else 160 #define smk_bu_task(otp, mode, RC) (RC) 161 #endif 162 163 #ifdef CONFIG_SECURITY_SMACK_BRINGUP 164 static int smk_bu_inode(struct inode *inode, int mode, int rc) 165 { 166 struct task_smack *tsp = current_security(); 167 struct inode_smack *isp = inode->i_security; 168 char acc[SMK_NUM_ACCESS_TYPE + 1]; 169 170 if (isp->smk_flags & SMK_INODE_IMPURE) 171 pr_info("Smack Unconfined Corruption: inode=(%s %ld) %s\n", 172 inode->i_sb->s_id, inode->i_ino, current->comm); 173 174 if (rc <= 0) 175 return rc; 176 if (rc > SMACK_UNCONFINED_OBJECT) 177 rc = 0; 178 if (rc == SMACK_UNCONFINED_SUBJECT && 179 (mode & (MAY_WRITE | MAY_APPEND))) 180 isp->smk_flags |= SMK_INODE_IMPURE; 181 182 smk_bu_mode(mode, acc); 183 184 pr_info("Smack %s: (%s %s %s) inode=(%s %ld) %s\n", smk_bu_mess[rc], 185 tsp->smk_task->smk_known, isp->smk_inode->smk_known, acc, 186 inode->i_sb->s_id, inode->i_ino, current->comm); 187 return 0; 188 } 189 #else 190 #define smk_bu_inode(inode, mode, RC) (RC) 191 #endif 192 193 #ifdef CONFIG_SECURITY_SMACK_BRINGUP 194 static int smk_bu_file(struct file *file, int mode, int rc) 195 { 196 struct task_smack *tsp = current_security(); 197 struct smack_known *sskp = tsp->smk_task; 198 struct inode *inode = file_inode(file); 199 struct inode_smack *isp = inode->i_security; 200 char acc[SMK_NUM_ACCESS_TYPE + 1]; 201 202 if (isp->smk_flags & SMK_INODE_IMPURE) 203 pr_info("Smack Unconfined Corruption: inode=(%s %ld) %s\n", 204 inode->i_sb->s_id, inode->i_ino, current->comm); 205 206 if (rc <= 0) 207 return rc; 208 if (rc > SMACK_UNCONFINED_OBJECT) 209 rc = 0; 210 211 smk_bu_mode(mode, acc); 212 pr_info("Smack %s: (%s %s %s) file=(%s %ld %pD) %s\n", smk_bu_mess[rc], 213 sskp->smk_known, smk_of_inode(inode)->smk_known, acc, 214 inode->i_sb->s_id, inode->i_ino, file, 215 current->comm); 216 return 0; 217 } 218 #else 219 #define smk_bu_file(file, mode, RC) (RC) 220 #endif 221 222 #ifdef CONFIG_SECURITY_SMACK_BRINGUP 223 static int smk_bu_credfile(const struct cred *cred, struct file *file, 224 int mode, int rc) 225 { 226 struct task_smack *tsp = cred->security; 227 struct smack_known *sskp = tsp->smk_task; 228 struct inode *inode = file->f_inode; 229 struct inode_smack *isp = inode->i_security; 230 char acc[SMK_NUM_ACCESS_TYPE + 1]; 231 232 if (isp->smk_flags & SMK_INODE_IMPURE) 233 pr_info("Smack Unconfined Corruption: inode=(%s %ld) %s\n", 234 inode->i_sb->s_id, inode->i_ino, current->comm); 235 236 if (rc <= 0) 237 return rc; 238 if (rc > SMACK_UNCONFINED_OBJECT) 239 rc = 0; 240 241 smk_bu_mode(mode, acc); 242 pr_info("Smack %s: (%s %s %s) file=(%s %ld %pD) %s\n", smk_bu_mess[rc], 243 sskp->smk_known, smk_of_inode(inode)->smk_known, acc, 244 inode->i_sb->s_id, inode->i_ino, file, 245 current->comm); 246 return 0; 247 } 248 #else 249 #define smk_bu_credfile(cred, file, mode, RC) (RC) 250 #endif 251 252 /** 253 * smk_fetch - Fetch the smack label from a file. 254 * @name: type of the label (attribute) 255 * @ip: a pointer to the inode 256 * @dp: a pointer to the dentry 257 * 258 * Returns a pointer to the master list entry for the Smack label, 259 * NULL if there was no label to fetch, or an error code. 260 */ 261 static struct smack_known *smk_fetch(const char *name, struct inode *ip, 262 struct dentry *dp) 263 { 264 int rc; 265 char *buffer; 266 struct smack_known *skp = NULL; 267 268 if (ip->i_op->getxattr == NULL) 269 return ERR_PTR(-EOPNOTSUPP); 270 271 buffer = kzalloc(SMK_LONGLABEL, GFP_KERNEL); 272 if (buffer == NULL) 273 return ERR_PTR(-ENOMEM); 274 275 rc = ip->i_op->getxattr(dp, name, buffer, SMK_LONGLABEL); 276 if (rc < 0) 277 skp = ERR_PTR(rc); 278 else if (rc == 0) 279 skp = NULL; 280 else 281 skp = smk_import_entry(buffer, rc); 282 283 kfree(buffer); 284 285 return skp; 286 } 287 288 /** 289 * new_inode_smack - allocate an inode security blob 290 * @skp: a pointer to the Smack label entry to use in the blob 291 * 292 * Returns the new blob or NULL if there's no memory available 293 */ 294 static struct inode_smack *new_inode_smack(struct smack_known *skp) 295 { 296 struct inode_smack *isp; 297 298 isp = kmem_cache_zalloc(smack_inode_cache, GFP_NOFS); 299 if (isp == NULL) 300 return NULL; 301 302 isp->smk_inode = skp; 303 isp->smk_flags = 0; 304 mutex_init(&isp->smk_lock); 305 306 return isp; 307 } 308 309 /** 310 * new_task_smack - allocate a task security blob 311 * @task: a pointer to the Smack label for the running task 312 * @forked: a pointer to the Smack label for the forked task 313 * @gfp: type of the memory for the allocation 314 * 315 * Returns the new blob or NULL if there's no memory available 316 */ 317 static struct task_smack *new_task_smack(struct smack_known *task, 318 struct smack_known *forked, gfp_t gfp) 319 { 320 struct task_smack *tsp; 321 322 tsp = kzalloc(sizeof(struct task_smack), gfp); 323 if (tsp == NULL) 324 return NULL; 325 326 tsp->smk_task = task; 327 tsp->smk_forked = forked; 328 INIT_LIST_HEAD(&tsp->smk_rules); 329 INIT_LIST_HEAD(&tsp->smk_relabel); 330 mutex_init(&tsp->smk_rules_lock); 331 332 return tsp; 333 } 334 335 /** 336 * smk_copy_rules - copy a rule set 337 * @nhead: new rules header pointer 338 * @ohead: old rules header pointer 339 * @gfp: type of the memory for the allocation 340 * 341 * Returns 0 on success, -ENOMEM on error 342 */ 343 static int smk_copy_rules(struct list_head *nhead, struct list_head *ohead, 344 gfp_t gfp) 345 { 346 struct smack_rule *nrp; 347 struct smack_rule *orp; 348 int rc = 0; 349 350 INIT_LIST_HEAD(nhead); 351 352 list_for_each_entry_rcu(orp, ohead, list) { 353 nrp = kzalloc(sizeof(struct smack_rule), gfp); 354 if (nrp == NULL) { 355 rc = -ENOMEM; 356 break; 357 } 358 *nrp = *orp; 359 list_add_rcu(&nrp->list, nhead); 360 } 361 return rc; 362 } 363 364 /** 365 * smk_copy_relabel - copy smk_relabel labels list 366 * @nhead: new rules header pointer 367 * @ohead: old rules header pointer 368 * @gfp: type of the memory for the allocation 369 * 370 * Returns 0 on success, -ENOMEM on error 371 */ 372 static int smk_copy_relabel(struct list_head *nhead, struct list_head *ohead, 373 gfp_t gfp) 374 { 375 struct smack_known_list_elem *nklep; 376 struct smack_known_list_elem *oklep; 377 378 INIT_LIST_HEAD(nhead); 379 380 list_for_each_entry(oklep, ohead, list) { 381 nklep = kzalloc(sizeof(struct smack_known_list_elem), gfp); 382 if (nklep == NULL) { 383 smk_destroy_label_list(nhead); 384 return -ENOMEM; 385 } 386 nklep->smk_label = oklep->smk_label; 387 list_add(&nklep->list, nhead); 388 } 389 390 return 0; 391 } 392 393 /** 394 * smk_ptrace_mode - helper function for converting PTRACE_MODE_* into MAY_* 395 * @mode - input mode in form of PTRACE_MODE_* 396 * 397 * Returns a converted MAY_* mode usable by smack rules 398 */ 399 static inline unsigned int smk_ptrace_mode(unsigned int mode) 400 { 401 if (mode & PTRACE_MODE_ATTACH) 402 return MAY_READWRITE; 403 if (mode & PTRACE_MODE_READ) 404 return MAY_READ; 405 406 return 0; 407 } 408 409 /** 410 * smk_ptrace_rule_check - helper for ptrace access 411 * @tracer: tracer process 412 * @tracee_known: label entry of the process that's about to be traced 413 * @mode: ptrace attachment mode (PTRACE_MODE_*) 414 * @func: name of the function that called us, used for audit 415 * 416 * Returns 0 on access granted, -error on error 417 */ 418 static int smk_ptrace_rule_check(struct task_struct *tracer, 419 struct smack_known *tracee_known, 420 unsigned int mode, const char *func) 421 { 422 int rc; 423 struct smk_audit_info ad, *saip = NULL; 424 struct task_smack *tsp; 425 struct smack_known *tracer_known; 426 427 if ((mode & PTRACE_MODE_NOAUDIT) == 0) { 428 smk_ad_init(&ad, func, LSM_AUDIT_DATA_TASK); 429 smk_ad_setfield_u_tsk(&ad, tracer); 430 saip = &ad; 431 } 432 433 rcu_read_lock(); 434 tsp = __task_cred(tracer)->security; 435 tracer_known = smk_of_task(tsp); 436 437 if ((mode & PTRACE_MODE_ATTACH) && 438 (smack_ptrace_rule == SMACK_PTRACE_EXACT || 439 smack_ptrace_rule == SMACK_PTRACE_DRACONIAN)) { 440 if (tracer_known->smk_known == tracee_known->smk_known) 441 rc = 0; 442 else if (smack_ptrace_rule == SMACK_PTRACE_DRACONIAN) 443 rc = -EACCES; 444 else if (capable(CAP_SYS_PTRACE)) 445 rc = 0; 446 else 447 rc = -EACCES; 448 449 if (saip) 450 smack_log(tracer_known->smk_known, 451 tracee_known->smk_known, 452 0, rc, saip); 453 454 rcu_read_unlock(); 455 return rc; 456 } 457 458 /* In case of rule==SMACK_PTRACE_DEFAULT or mode==PTRACE_MODE_READ */ 459 rc = smk_tskacc(tsp, tracee_known, smk_ptrace_mode(mode), saip); 460 461 rcu_read_unlock(); 462 return rc; 463 } 464 465 /* 466 * LSM hooks. 467 * We he, that is fun! 468 */ 469 470 /** 471 * smack_ptrace_access_check - Smack approval on PTRACE_ATTACH 472 * @ctp: child task pointer 473 * @mode: ptrace attachment mode (PTRACE_MODE_*) 474 * 475 * Returns 0 if access is OK, an error code otherwise 476 * 477 * Do the capability checks. 478 */ 479 static int smack_ptrace_access_check(struct task_struct *ctp, unsigned int mode) 480 { 481 struct smack_known *skp; 482 483 skp = smk_of_task_struct(ctp); 484 485 return smk_ptrace_rule_check(current, skp, mode, __func__); 486 } 487 488 /** 489 * smack_ptrace_traceme - Smack approval on PTRACE_TRACEME 490 * @ptp: parent task pointer 491 * 492 * Returns 0 if access is OK, an error code otherwise 493 * 494 * Do the capability checks, and require PTRACE_MODE_ATTACH. 495 */ 496 static int smack_ptrace_traceme(struct task_struct *ptp) 497 { 498 int rc; 499 struct smack_known *skp; 500 501 skp = smk_of_task(current_security()); 502 503 rc = smk_ptrace_rule_check(ptp, skp, PTRACE_MODE_ATTACH, __func__); 504 return rc; 505 } 506 507 /** 508 * smack_syslog - Smack approval on syslog 509 * @type: message type 510 * 511 * Returns 0 on success, error code otherwise. 512 */ 513 static int smack_syslog(int typefrom_file) 514 { 515 int rc = 0; 516 struct smack_known *skp = smk_of_current(); 517 518 if (smack_privileged(CAP_MAC_OVERRIDE)) 519 return 0; 520 521 if (smack_syslog_label != NULL && smack_syslog_label != skp) 522 rc = -EACCES; 523 524 return rc; 525 } 526 527 528 /* 529 * Superblock Hooks. 530 */ 531 532 /** 533 * smack_sb_alloc_security - allocate a superblock blob 534 * @sb: the superblock getting the blob 535 * 536 * Returns 0 on success or -ENOMEM on error. 537 */ 538 static int smack_sb_alloc_security(struct super_block *sb) 539 { 540 struct superblock_smack *sbsp; 541 542 sbsp = kzalloc(sizeof(struct superblock_smack), GFP_KERNEL); 543 544 if (sbsp == NULL) 545 return -ENOMEM; 546 547 sbsp->smk_root = &smack_known_floor; 548 sbsp->smk_default = &smack_known_floor; 549 sbsp->smk_floor = &smack_known_floor; 550 sbsp->smk_hat = &smack_known_hat; 551 /* 552 * smk_initialized will be zero from kzalloc. 553 */ 554 sb->s_security = sbsp; 555 556 return 0; 557 } 558 559 /** 560 * smack_sb_free_security - free a superblock blob 561 * @sb: the superblock getting the blob 562 * 563 */ 564 static void smack_sb_free_security(struct super_block *sb) 565 { 566 kfree(sb->s_security); 567 sb->s_security = NULL; 568 } 569 570 /** 571 * smack_sb_copy_data - copy mount options data for processing 572 * @orig: where to start 573 * @smackopts: mount options string 574 * 575 * Returns 0 on success or -ENOMEM on error. 576 * 577 * Copy the Smack specific mount options out of the mount 578 * options list. 579 */ 580 static int smack_sb_copy_data(char *orig, char *smackopts) 581 { 582 char *cp, *commap, *otheropts, *dp; 583 584 otheropts = (char *)get_zeroed_page(GFP_KERNEL); 585 if (otheropts == NULL) 586 return -ENOMEM; 587 588 for (cp = orig, commap = orig; commap != NULL; cp = commap + 1) { 589 if (strstr(cp, SMK_FSDEFAULT) == cp) 590 dp = smackopts; 591 else if (strstr(cp, SMK_FSFLOOR) == cp) 592 dp = smackopts; 593 else if (strstr(cp, SMK_FSHAT) == cp) 594 dp = smackopts; 595 else if (strstr(cp, SMK_FSROOT) == cp) 596 dp = smackopts; 597 else if (strstr(cp, SMK_FSTRANS) == cp) 598 dp = smackopts; 599 else 600 dp = otheropts; 601 602 commap = strchr(cp, ','); 603 if (commap != NULL) 604 *commap = '\0'; 605 606 if (*dp != '\0') 607 strcat(dp, ","); 608 strcat(dp, cp); 609 } 610 611 strcpy(orig, otheropts); 612 free_page((unsigned long)otheropts); 613 614 return 0; 615 } 616 617 /** 618 * smack_parse_opts_str - parse Smack specific mount options 619 * @options: mount options string 620 * @opts: where to store converted mount opts 621 * 622 * Returns 0 on success or -ENOMEM on error. 623 * 624 * converts Smack specific mount options to generic security option format 625 */ 626 static int smack_parse_opts_str(char *options, 627 struct security_mnt_opts *opts) 628 { 629 char *p; 630 char *fsdefault = NULL; 631 char *fsfloor = NULL; 632 char *fshat = NULL; 633 char *fsroot = NULL; 634 char *fstransmute = NULL; 635 int rc = -ENOMEM; 636 int num_mnt_opts = 0; 637 int token; 638 639 opts->num_mnt_opts = 0; 640 641 if (!options) 642 return 0; 643 644 while ((p = strsep(&options, ",")) != NULL) { 645 substring_t args[MAX_OPT_ARGS]; 646 647 if (!*p) 648 continue; 649 650 token = match_token(p, smk_mount_tokens, args); 651 652 switch (token) { 653 case Opt_fsdefault: 654 if (fsdefault) 655 goto out_opt_err; 656 fsdefault = match_strdup(&args[0]); 657 if (!fsdefault) 658 goto out_err; 659 break; 660 case Opt_fsfloor: 661 if (fsfloor) 662 goto out_opt_err; 663 fsfloor = match_strdup(&args[0]); 664 if (!fsfloor) 665 goto out_err; 666 break; 667 case Opt_fshat: 668 if (fshat) 669 goto out_opt_err; 670 fshat = match_strdup(&args[0]); 671 if (!fshat) 672 goto out_err; 673 break; 674 case Opt_fsroot: 675 if (fsroot) 676 goto out_opt_err; 677 fsroot = match_strdup(&args[0]); 678 if (!fsroot) 679 goto out_err; 680 break; 681 case Opt_fstransmute: 682 if (fstransmute) 683 goto out_opt_err; 684 fstransmute = match_strdup(&args[0]); 685 if (!fstransmute) 686 goto out_err; 687 break; 688 default: 689 rc = -EINVAL; 690 pr_warn("Smack: unknown mount option\n"); 691 goto out_err; 692 } 693 } 694 695 opts->mnt_opts = kcalloc(NUM_SMK_MNT_OPTS, sizeof(char *), GFP_ATOMIC); 696 if (!opts->mnt_opts) 697 goto out_err; 698 699 opts->mnt_opts_flags = kcalloc(NUM_SMK_MNT_OPTS, sizeof(int), 700 GFP_ATOMIC); 701 if (!opts->mnt_opts_flags) { 702 kfree(opts->mnt_opts); 703 goto out_err; 704 } 705 706 if (fsdefault) { 707 opts->mnt_opts[num_mnt_opts] = fsdefault; 708 opts->mnt_opts_flags[num_mnt_opts++] = FSDEFAULT_MNT; 709 } 710 if (fsfloor) { 711 opts->mnt_opts[num_mnt_opts] = fsfloor; 712 opts->mnt_opts_flags[num_mnt_opts++] = FSFLOOR_MNT; 713 } 714 if (fshat) { 715 opts->mnt_opts[num_mnt_opts] = fshat; 716 opts->mnt_opts_flags[num_mnt_opts++] = FSHAT_MNT; 717 } 718 if (fsroot) { 719 opts->mnt_opts[num_mnt_opts] = fsroot; 720 opts->mnt_opts_flags[num_mnt_opts++] = FSROOT_MNT; 721 } 722 if (fstransmute) { 723 opts->mnt_opts[num_mnt_opts] = fstransmute; 724 opts->mnt_opts_flags[num_mnt_opts++] = FSTRANS_MNT; 725 } 726 727 opts->num_mnt_opts = num_mnt_opts; 728 return 0; 729 730 out_opt_err: 731 rc = -EINVAL; 732 pr_warn("Smack: duplicate mount options\n"); 733 734 out_err: 735 kfree(fsdefault); 736 kfree(fsfloor); 737 kfree(fshat); 738 kfree(fsroot); 739 kfree(fstransmute); 740 return rc; 741 } 742 743 /** 744 * smack_set_mnt_opts - set Smack specific mount options 745 * @sb: the file system superblock 746 * @opts: Smack mount options 747 * @kern_flags: mount option from kernel space or user space 748 * @set_kern_flags: where to store converted mount opts 749 * 750 * Returns 0 on success, an error code on failure 751 * 752 * Allow filesystems with binary mount data to explicitly set Smack mount 753 * labels. 754 */ 755 static int smack_set_mnt_opts(struct super_block *sb, 756 struct security_mnt_opts *opts, 757 unsigned long kern_flags, 758 unsigned long *set_kern_flags) 759 { 760 struct dentry *root = sb->s_root; 761 struct inode *inode = d_backing_inode(root); 762 struct superblock_smack *sp = sb->s_security; 763 struct inode_smack *isp; 764 struct smack_known *skp; 765 int i; 766 int num_opts = opts->num_mnt_opts; 767 int transmute = 0; 768 769 if (sp->smk_initialized) 770 return 0; 771 772 sp->smk_initialized = 1; 773 774 for (i = 0; i < num_opts; i++) { 775 switch (opts->mnt_opts_flags[i]) { 776 case FSDEFAULT_MNT: 777 skp = smk_import_entry(opts->mnt_opts[i], 0); 778 if (IS_ERR(skp)) 779 return PTR_ERR(skp); 780 sp->smk_default = skp; 781 break; 782 case FSFLOOR_MNT: 783 skp = smk_import_entry(opts->mnt_opts[i], 0); 784 if (IS_ERR(skp)) 785 return PTR_ERR(skp); 786 sp->smk_floor = skp; 787 break; 788 case FSHAT_MNT: 789 skp = smk_import_entry(opts->mnt_opts[i], 0); 790 if (IS_ERR(skp)) 791 return PTR_ERR(skp); 792 sp->smk_hat = skp; 793 break; 794 case FSROOT_MNT: 795 skp = smk_import_entry(opts->mnt_opts[i], 0); 796 if (IS_ERR(skp)) 797 return PTR_ERR(skp); 798 sp->smk_root = skp; 799 break; 800 case FSTRANS_MNT: 801 skp = smk_import_entry(opts->mnt_opts[i], 0); 802 if (IS_ERR(skp)) 803 return PTR_ERR(skp); 804 sp->smk_root = skp; 805 transmute = 1; 806 break; 807 default: 808 break; 809 } 810 } 811 812 if (!smack_privileged(CAP_MAC_ADMIN)) { 813 /* 814 * Unprivileged mounts don't get to specify Smack values. 815 */ 816 if (num_opts) 817 return -EPERM; 818 /* 819 * Unprivileged mounts get root and default from the caller. 820 */ 821 skp = smk_of_current(); 822 sp->smk_root = skp; 823 sp->smk_default = skp; 824 } 825 826 /* 827 * Initialize the root inode. 828 */ 829 isp = inode->i_security; 830 if (isp == NULL) { 831 isp = new_inode_smack(sp->smk_root); 832 if (isp == NULL) 833 return -ENOMEM; 834 inode->i_security = isp; 835 } else 836 isp->smk_inode = sp->smk_root; 837 838 if (transmute) 839 isp->smk_flags |= SMK_INODE_TRANSMUTE; 840 841 return 0; 842 } 843 844 /** 845 * smack_sb_kern_mount - Smack specific mount processing 846 * @sb: the file system superblock 847 * @flags: the mount flags 848 * @data: the smack mount options 849 * 850 * Returns 0 on success, an error code on failure 851 */ 852 static int smack_sb_kern_mount(struct super_block *sb, int flags, void *data) 853 { 854 int rc = 0; 855 char *options = data; 856 struct security_mnt_opts opts; 857 858 security_init_mnt_opts(&opts); 859 860 if (!options) 861 goto out; 862 863 rc = smack_parse_opts_str(options, &opts); 864 if (rc) 865 goto out_err; 866 867 out: 868 rc = smack_set_mnt_opts(sb, &opts, 0, NULL); 869 870 out_err: 871 security_free_mnt_opts(&opts); 872 return rc; 873 } 874 875 /** 876 * smack_sb_statfs - Smack check on statfs 877 * @dentry: identifies the file system in question 878 * 879 * Returns 0 if current can read the floor of the filesystem, 880 * and error code otherwise 881 */ 882 static int smack_sb_statfs(struct dentry *dentry) 883 { 884 struct superblock_smack *sbp = dentry->d_sb->s_security; 885 int rc; 886 struct smk_audit_info ad; 887 888 smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_DENTRY); 889 smk_ad_setfield_u_fs_path_dentry(&ad, dentry); 890 891 rc = smk_curacc(sbp->smk_floor, MAY_READ, &ad); 892 rc = smk_bu_current("statfs", sbp->smk_floor, MAY_READ, rc); 893 return rc; 894 } 895 896 /* 897 * BPRM hooks 898 */ 899 900 /** 901 * smack_bprm_set_creds - set creds for exec 902 * @bprm: the exec information 903 * 904 * Returns 0 if it gets a blob, -EPERM if exec forbidden and -ENOMEM otherwise 905 */ 906 static int smack_bprm_set_creds(struct linux_binprm *bprm) 907 { 908 struct inode *inode = file_inode(bprm->file); 909 struct task_smack *bsp = bprm->cred->security; 910 struct inode_smack *isp; 911 int rc; 912 913 if (bprm->cred_prepared) 914 return 0; 915 916 isp = inode->i_security; 917 if (isp->smk_task == NULL || isp->smk_task == bsp->smk_task) 918 return 0; 919 920 if (bprm->unsafe & (LSM_UNSAFE_PTRACE | LSM_UNSAFE_PTRACE_CAP)) { 921 struct task_struct *tracer; 922 rc = 0; 923 924 rcu_read_lock(); 925 tracer = ptrace_parent(current); 926 if (likely(tracer != NULL)) 927 rc = smk_ptrace_rule_check(tracer, 928 isp->smk_task, 929 PTRACE_MODE_ATTACH, 930 __func__); 931 rcu_read_unlock(); 932 933 if (rc != 0) 934 return rc; 935 } else if (bprm->unsafe) 936 return -EPERM; 937 938 bsp->smk_task = isp->smk_task; 939 bprm->per_clear |= PER_CLEAR_ON_SETID; 940 941 return 0; 942 } 943 944 /** 945 * smack_bprm_committing_creds - Prepare to install the new credentials 946 * from bprm. 947 * 948 * @bprm: binprm for exec 949 */ 950 static void smack_bprm_committing_creds(struct linux_binprm *bprm) 951 { 952 struct task_smack *bsp = bprm->cred->security; 953 954 if (bsp->smk_task != bsp->smk_forked) 955 current->pdeath_signal = 0; 956 } 957 958 /** 959 * smack_bprm_secureexec - Return the decision to use secureexec. 960 * @bprm: binprm for exec 961 * 962 * Returns 0 on success. 963 */ 964 static int smack_bprm_secureexec(struct linux_binprm *bprm) 965 { 966 struct task_smack *tsp = current_security(); 967 968 if (tsp->smk_task != tsp->smk_forked) 969 return 1; 970 971 return 0; 972 } 973 974 /* 975 * Inode hooks 976 */ 977 978 /** 979 * smack_inode_alloc_security - allocate an inode blob 980 * @inode: the inode in need of a blob 981 * 982 * Returns 0 if it gets a blob, -ENOMEM otherwise 983 */ 984 static int smack_inode_alloc_security(struct inode *inode) 985 { 986 struct smack_known *skp = smk_of_current(); 987 988 inode->i_security = new_inode_smack(skp); 989 if (inode->i_security == NULL) 990 return -ENOMEM; 991 return 0; 992 } 993 994 /** 995 * smack_inode_free_security - free an inode blob 996 * @inode: the inode with a blob 997 * 998 * Clears the blob pointer in inode 999 */ 1000 static void smack_inode_free_security(struct inode *inode) 1001 { 1002 kmem_cache_free(smack_inode_cache, inode->i_security); 1003 inode->i_security = NULL; 1004 } 1005 1006 /** 1007 * smack_inode_init_security - copy out the smack from an inode 1008 * @inode: the newly created inode 1009 * @dir: containing directory object 1010 * @qstr: unused 1011 * @name: where to put the attribute name 1012 * @value: where to put the attribute value 1013 * @len: where to put the length of the attribute 1014 * 1015 * Returns 0 if it all works out, -ENOMEM if there's no memory 1016 */ 1017 static int smack_inode_init_security(struct inode *inode, struct inode *dir, 1018 const struct qstr *qstr, const char **name, 1019 void **value, size_t *len) 1020 { 1021 struct inode_smack *issp = inode->i_security; 1022 struct smack_known *skp = smk_of_current(); 1023 struct smack_known *isp = smk_of_inode(inode); 1024 struct smack_known *dsp = smk_of_inode(dir); 1025 int may; 1026 1027 if (name) 1028 *name = XATTR_SMACK_SUFFIX; 1029 1030 if (value && len) { 1031 rcu_read_lock(); 1032 may = smk_access_entry(skp->smk_known, dsp->smk_known, 1033 &skp->smk_rules); 1034 rcu_read_unlock(); 1035 1036 /* 1037 * If the access rule allows transmutation and 1038 * the directory requests transmutation then 1039 * by all means transmute. 1040 * Mark the inode as changed. 1041 */ 1042 if (may > 0 && ((may & MAY_TRANSMUTE) != 0) && 1043 smk_inode_transmutable(dir)) { 1044 isp = dsp; 1045 issp->smk_flags |= SMK_INODE_CHANGED; 1046 } 1047 1048 *value = kstrdup(isp->smk_known, GFP_NOFS); 1049 if (*value == NULL) 1050 return -ENOMEM; 1051 1052 *len = strlen(isp->smk_known); 1053 } 1054 1055 return 0; 1056 } 1057 1058 /** 1059 * smack_inode_link - Smack check on link 1060 * @old_dentry: the existing object 1061 * @dir: unused 1062 * @new_dentry: the new object 1063 * 1064 * Returns 0 if access is permitted, an error code otherwise 1065 */ 1066 static int smack_inode_link(struct dentry *old_dentry, struct inode *dir, 1067 struct dentry *new_dentry) 1068 { 1069 struct smack_known *isp; 1070 struct smk_audit_info ad; 1071 int rc; 1072 1073 smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_DENTRY); 1074 smk_ad_setfield_u_fs_path_dentry(&ad, old_dentry); 1075 1076 isp = smk_of_inode(d_backing_inode(old_dentry)); 1077 rc = smk_curacc(isp, MAY_WRITE, &ad); 1078 rc = smk_bu_inode(d_backing_inode(old_dentry), MAY_WRITE, rc); 1079 1080 if (rc == 0 && d_is_positive(new_dentry)) { 1081 isp = smk_of_inode(d_backing_inode(new_dentry)); 1082 smk_ad_setfield_u_fs_path_dentry(&ad, new_dentry); 1083 rc = smk_curacc(isp, MAY_WRITE, &ad); 1084 rc = smk_bu_inode(d_backing_inode(new_dentry), MAY_WRITE, rc); 1085 } 1086 1087 return rc; 1088 } 1089 1090 /** 1091 * smack_inode_unlink - Smack check on inode deletion 1092 * @dir: containing directory object 1093 * @dentry: file to unlink 1094 * 1095 * Returns 0 if current can write the containing directory 1096 * and the object, error code otherwise 1097 */ 1098 static int smack_inode_unlink(struct inode *dir, struct dentry *dentry) 1099 { 1100 struct inode *ip = d_backing_inode(dentry); 1101 struct smk_audit_info ad; 1102 int rc; 1103 1104 smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_DENTRY); 1105 smk_ad_setfield_u_fs_path_dentry(&ad, dentry); 1106 1107 /* 1108 * You need write access to the thing you're unlinking 1109 */ 1110 rc = smk_curacc(smk_of_inode(ip), MAY_WRITE, &ad); 1111 rc = smk_bu_inode(ip, MAY_WRITE, rc); 1112 if (rc == 0) { 1113 /* 1114 * You also need write access to the containing directory 1115 */ 1116 smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_INODE); 1117 smk_ad_setfield_u_fs_inode(&ad, dir); 1118 rc = smk_curacc(smk_of_inode(dir), MAY_WRITE, &ad); 1119 rc = smk_bu_inode(dir, MAY_WRITE, rc); 1120 } 1121 return rc; 1122 } 1123 1124 /** 1125 * smack_inode_rmdir - Smack check on directory deletion 1126 * @dir: containing directory object 1127 * @dentry: directory to unlink 1128 * 1129 * Returns 0 if current can write the containing directory 1130 * and the directory, error code otherwise 1131 */ 1132 static int smack_inode_rmdir(struct inode *dir, struct dentry *dentry) 1133 { 1134 struct smk_audit_info ad; 1135 int rc; 1136 1137 smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_DENTRY); 1138 smk_ad_setfield_u_fs_path_dentry(&ad, dentry); 1139 1140 /* 1141 * You need write access to the thing you're removing 1142 */ 1143 rc = smk_curacc(smk_of_inode(d_backing_inode(dentry)), MAY_WRITE, &ad); 1144 rc = smk_bu_inode(d_backing_inode(dentry), MAY_WRITE, rc); 1145 if (rc == 0) { 1146 /* 1147 * You also need write access to the containing directory 1148 */ 1149 smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_INODE); 1150 smk_ad_setfield_u_fs_inode(&ad, dir); 1151 rc = smk_curacc(smk_of_inode(dir), MAY_WRITE, &ad); 1152 rc = smk_bu_inode(dir, MAY_WRITE, rc); 1153 } 1154 1155 return rc; 1156 } 1157 1158 /** 1159 * smack_inode_rename - Smack check on rename 1160 * @old_inode: unused 1161 * @old_dentry: the old object 1162 * @new_inode: unused 1163 * @new_dentry: the new object 1164 * 1165 * Read and write access is required on both the old and 1166 * new directories. 1167 * 1168 * Returns 0 if access is permitted, an error code otherwise 1169 */ 1170 static int smack_inode_rename(struct inode *old_inode, 1171 struct dentry *old_dentry, 1172 struct inode *new_inode, 1173 struct dentry *new_dentry) 1174 { 1175 int rc; 1176 struct smack_known *isp; 1177 struct smk_audit_info ad; 1178 1179 smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_DENTRY); 1180 smk_ad_setfield_u_fs_path_dentry(&ad, old_dentry); 1181 1182 isp = smk_of_inode(d_backing_inode(old_dentry)); 1183 rc = smk_curacc(isp, MAY_READWRITE, &ad); 1184 rc = smk_bu_inode(d_backing_inode(old_dentry), MAY_READWRITE, rc); 1185 1186 if (rc == 0 && d_is_positive(new_dentry)) { 1187 isp = smk_of_inode(d_backing_inode(new_dentry)); 1188 smk_ad_setfield_u_fs_path_dentry(&ad, new_dentry); 1189 rc = smk_curacc(isp, MAY_READWRITE, &ad); 1190 rc = smk_bu_inode(d_backing_inode(new_dentry), MAY_READWRITE, rc); 1191 } 1192 return rc; 1193 } 1194 1195 /** 1196 * smack_inode_permission - Smack version of permission() 1197 * @inode: the inode in question 1198 * @mask: the access requested 1199 * 1200 * This is the important Smack hook. 1201 * 1202 * Returns 0 if access is permitted, -EACCES otherwise 1203 */ 1204 static int smack_inode_permission(struct inode *inode, int mask) 1205 { 1206 struct smk_audit_info ad; 1207 int no_block = mask & MAY_NOT_BLOCK; 1208 int rc; 1209 1210 mask &= (MAY_READ|MAY_WRITE|MAY_EXEC|MAY_APPEND); 1211 /* 1212 * No permission to check. Existence test. Yup, it's there. 1213 */ 1214 if (mask == 0) 1215 return 0; 1216 1217 /* May be droppable after audit */ 1218 if (no_block) 1219 return -ECHILD; 1220 smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_INODE); 1221 smk_ad_setfield_u_fs_inode(&ad, inode); 1222 rc = smk_curacc(smk_of_inode(inode), mask, &ad); 1223 rc = smk_bu_inode(inode, mask, rc); 1224 return rc; 1225 } 1226 1227 /** 1228 * smack_inode_setattr - Smack check for setting attributes 1229 * @dentry: the object 1230 * @iattr: for the force flag 1231 * 1232 * Returns 0 if access is permitted, an error code otherwise 1233 */ 1234 static int smack_inode_setattr(struct dentry *dentry, struct iattr *iattr) 1235 { 1236 struct smk_audit_info ad; 1237 int rc; 1238 1239 /* 1240 * Need to allow for clearing the setuid bit. 1241 */ 1242 if (iattr->ia_valid & ATTR_FORCE) 1243 return 0; 1244 smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_DENTRY); 1245 smk_ad_setfield_u_fs_path_dentry(&ad, dentry); 1246 1247 rc = smk_curacc(smk_of_inode(d_backing_inode(dentry)), MAY_WRITE, &ad); 1248 rc = smk_bu_inode(d_backing_inode(dentry), MAY_WRITE, rc); 1249 return rc; 1250 } 1251 1252 /** 1253 * smack_inode_getattr - Smack check for getting attributes 1254 * @mnt: vfsmount of the object 1255 * @dentry: the object 1256 * 1257 * Returns 0 if access is permitted, an error code otherwise 1258 */ 1259 static int smack_inode_getattr(const struct path *path) 1260 { 1261 struct smk_audit_info ad; 1262 struct inode *inode = d_backing_inode(path->dentry); 1263 int rc; 1264 1265 smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_PATH); 1266 smk_ad_setfield_u_fs_path(&ad, *path); 1267 rc = smk_curacc(smk_of_inode(inode), MAY_READ, &ad); 1268 rc = smk_bu_inode(inode, MAY_READ, rc); 1269 return rc; 1270 } 1271 1272 /** 1273 * smack_inode_setxattr - Smack check for setting xattrs 1274 * @dentry: the object 1275 * @name: name of the attribute 1276 * @value: value of the attribute 1277 * @size: size of the value 1278 * @flags: unused 1279 * 1280 * This protects the Smack attribute explicitly. 1281 * 1282 * Returns 0 if access is permitted, an error code otherwise 1283 */ 1284 static int smack_inode_setxattr(struct dentry *dentry, const char *name, 1285 const void *value, size_t size, int flags) 1286 { 1287 struct smk_audit_info ad; 1288 struct smack_known *skp; 1289 int check_priv = 0; 1290 int check_import = 0; 1291 int check_star = 0; 1292 int rc = 0; 1293 1294 /* 1295 * Check label validity here so import won't fail in post_setxattr 1296 */ 1297 if (strcmp(name, XATTR_NAME_SMACK) == 0 || 1298 strcmp(name, XATTR_NAME_SMACKIPIN) == 0 || 1299 strcmp(name, XATTR_NAME_SMACKIPOUT) == 0) { 1300 check_priv = 1; 1301 check_import = 1; 1302 } else if (strcmp(name, XATTR_NAME_SMACKEXEC) == 0 || 1303 strcmp(name, XATTR_NAME_SMACKMMAP) == 0) { 1304 check_priv = 1; 1305 check_import = 1; 1306 check_star = 1; 1307 } else if (strcmp(name, XATTR_NAME_SMACKTRANSMUTE) == 0) { 1308 check_priv = 1; 1309 if (size != TRANS_TRUE_SIZE || 1310 strncmp(value, TRANS_TRUE, TRANS_TRUE_SIZE) != 0) 1311 rc = -EINVAL; 1312 } else 1313 rc = cap_inode_setxattr(dentry, name, value, size, flags); 1314 1315 if (check_priv && !smack_privileged(CAP_MAC_ADMIN)) 1316 rc = -EPERM; 1317 1318 if (rc == 0 && check_import) { 1319 skp = size ? smk_import_entry(value, size) : NULL; 1320 if (IS_ERR(skp)) 1321 rc = PTR_ERR(skp); 1322 else if (skp == NULL || (check_star && 1323 (skp == &smack_known_star || skp == &smack_known_web))) 1324 rc = -EINVAL; 1325 } 1326 1327 smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_DENTRY); 1328 smk_ad_setfield_u_fs_path_dentry(&ad, dentry); 1329 1330 if (rc == 0) { 1331 rc = smk_curacc(smk_of_inode(d_backing_inode(dentry)), MAY_WRITE, &ad); 1332 rc = smk_bu_inode(d_backing_inode(dentry), MAY_WRITE, rc); 1333 } 1334 1335 return rc; 1336 } 1337 1338 /** 1339 * smack_inode_post_setxattr - Apply the Smack update approved above 1340 * @dentry: object 1341 * @name: attribute name 1342 * @value: attribute value 1343 * @size: attribute size 1344 * @flags: unused 1345 * 1346 * Set the pointer in the inode blob to the entry found 1347 * in the master label list. 1348 */ 1349 static void smack_inode_post_setxattr(struct dentry *dentry, const char *name, 1350 const void *value, size_t size, int flags) 1351 { 1352 struct smack_known *skp; 1353 struct inode_smack *isp = d_backing_inode(dentry)->i_security; 1354 1355 if (strcmp(name, XATTR_NAME_SMACKTRANSMUTE) == 0) { 1356 isp->smk_flags |= SMK_INODE_TRANSMUTE; 1357 return; 1358 } 1359 1360 if (strcmp(name, XATTR_NAME_SMACK) == 0) { 1361 skp = smk_import_entry(value, size); 1362 if (!IS_ERR(skp)) 1363 isp->smk_inode = skp; 1364 else 1365 isp->smk_inode = &smack_known_invalid; 1366 } else if (strcmp(name, XATTR_NAME_SMACKEXEC) == 0) { 1367 skp = smk_import_entry(value, size); 1368 if (!IS_ERR(skp)) 1369 isp->smk_task = skp; 1370 else 1371 isp->smk_task = &smack_known_invalid; 1372 } else if (strcmp(name, XATTR_NAME_SMACKMMAP) == 0) { 1373 skp = smk_import_entry(value, size); 1374 if (!IS_ERR(skp)) 1375 isp->smk_mmap = skp; 1376 else 1377 isp->smk_mmap = &smack_known_invalid; 1378 } 1379 1380 return; 1381 } 1382 1383 /** 1384 * smack_inode_getxattr - Smack check on getxattr 1385 * @dentry: the object 1386 * @name: unused 1387 * 1388 * Returns 0 if access is permitted, an error code otherwise 1389 */ 1390 static int smack_inode_getxattr(struct dentry *dentry, const char *name) 1391 { 1392 struct smk_audit_info ad; 1393 int rc; 1394 1395 smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_DENTRY); 1396 smk_ad_setfield_u_fs_path_dentry(&ad, dentry); 1397 1398 rc = smk_curacc(smk_of_inode(d_backing_inode(dentry)), MAY_READ, &ad); 1399 rc = smk_bu_inode(d_backing_inode(dentry), MAY_READ, rc); 1400 return rc; 1401 } 1402 1403 /** 1404 * smack_inode_removexattr - Smack check on removexattr 1405 * @dentry: the object 1406 * @name: name of the attribute 1407 * 1408 * Removing the Smack attribute requires CAP_MAC_ADMIN 1409 * 1410 * Returns 0 if access is permitted, an error code otherwise 1411 */ 1412 static int smack_inode_removexattr(struct dentry *dentry, const char *name) 1413 { 1414 struct inode_smack *isp; 1415 struct smk_audit_info ad; 1416 int rc = 0; 1417 1418 if (strcmp(name, XATTR_NAME_SMACK) == 0 || 1419 strcmp(name, XATTR_NAME_SMACKIPIN) == 0 || 1420 strcmp(name, XATTR_NAME_SMACKIPOUT) == 0 || 1421 strcmp(name, XATTR_NAME_SMACKEXEC) == 0 || 1422 strcmp(name, XATTR_NAME_SMACKTRANSMUTE) == 0 || 1423 strcmp(name, XATTR_NAME_SMACKMMAP) == 0) { 1424 if (!smack_privileged(CAP_MAC_ADMIN)) 1425 rc = -EPERM; 1426 } else 1427 rc = cap_inode_removexattr(dentry, name); 1428 1429 if (rc != 0) 1430 return rc; 1431 1432 smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_DENTRY); 1433 smk_ad_setfield_u_fs_path_dentry(&ad, dentry); 1434 1435 rc = smk_curacc(smk_of_inode(d_backing_inode(dentry)), MAY_WRITE, &ad); 1436 rc = smk_bu_inode(d_backing_inode(dentry), MAY_WRITE, rc); 1437 if (rc != 0) 1438 return rc; 1439 1440 isp = d_backing_inode(dentry)->i_security; 1441 /* 1442 * Don't do anything special for these. 1443 * XATTR_NAME_SMACKIPIN 1444 * XATTR_NAME_SMACKIPOUT 1445 * XATTR_NAME_SMACKEXEC 1446 */ 1447 if (strcmp(name, XATTR_NAME_SMACK) == 0) 1448 isp->smk_task = NULL; 1449 else if (strcmp(name, XATTR_NAME_SMACKMMAP) == 0) 1450 isp->smk_mmap = NULL; 1451 else if (strcmp(name, XATTR_NAME_SMACKTRANSMUTE) == 0) 1452 isp->smk_flags &= ~SMK_INODE_TRANSMUTE; 1453 1454 return 0; 1455 } 1456 1457 /** 1458 * smack_inode_getsecurity - get smack xattrs 1459 * @inode: the object 1460 * @name: attribute name 1461 * @buffer: where to put the result 1462 * @alloc: unused 1463 * 1464 * Returns the size of the attribute or an error code 1465 */ 1466 static int smack_inode_getsecurity(struct inode *inode, 1467 const char *name, void **buffer, 1468 bool alloc) 1469 { 1470 struct socket_smack *ssp; 1471 struct socket *sock; 1472 struct super_block *sbp; 1473 struct inode *ip = (struct inode *)inode; 1474 struct smack_known *isp; 1475 int ilen; 1476 int rc = 0; 1477 1478 if (strcmp(name, XATTR_SMACK_SUFFIX) == 0) { 1479 isp = smk_of_inode(inode); 1480 ilen = strlen(isp->smk_known); 1481 *buffer = isp->smk_known; 1482 return ilen; 1483 } 1484 1485 /* 1486 * The rest of the Smack xattrs are only on sockets. 1487 */ 1488 sbp = ip->i_sb; 1489 if (sbp->s_magic != SOCKFS_MAGIC) 1490 return -EOPNOTSUPP; 1491 1492 sock = SOCKET_I(ip); 1493 if (sock == NULL || sock->sk == NULL) 1494 return -EOPNOTSUPP; 1495 1496 ssp = sock->sk->sk_security; 1497 1498 if (strcmp(name, XATTR_SMACK_IPIN) == 0) 1499 isp = ssp->smk_in; 1500 else if (strcmp(name, XATTR_SMACK_IPOUT) == 0) 1501 isp = ssp->smk_out; 1502 else 1503 return -EOPNOTSUPP; 1504 1505 ilen = strlen(isp->smk_known); 1506 if (rc == 0) { 1507 *buffer = isp->smk_known; 1508 rc = ilen; 1509 } 1510 1511 return rc; 1512 } 1513 1514 1515 /** 1516 * smack_inode_listsecurity - list the Smack attributes 1517 * @inode: the object 1518 * @buffer: where they go 1519 * @buffer_size: size of buffer 1520 */ 1521 static int smack_inode_listsecurity(struct inode *inode, char *buffer, 1522 size_t buffer_size) 1523 { 1524 int len = sizeof(XATTR_NAME_SMACK); 1525 1526 if (buffer != NULL && len <= buffer_size) 1527 memcpy(buffer, XATTR_NAME_SMACK, len); 1528 1529 return len; 1530 } 1531 1532 /** 1533 * smack_inode_getsecid - Extract inode's security id 1534 * @inode: inode to extract the info from 1535 * @secid: where result will be saved 1536 */ 1537 static void smack_inode_getsecid(struct inode *inode, u32 *secid) 1538 { 1539 struct inode_smack *isp = inode->i_security; 1540 1541 *secid = isp->smk_inode->smk_secid; 1542 } 1543 1544 /* 1545 * File Hooks 1546 */ 1547 1548 /** 1549 * smack_file_permission - Smack check on file operations 1550 * @file: unused 1551 * @mask: unused 1552 * 1553 * Returns 0 1554 * 1555 * Should access checks be done on each read or write? 1556 * UNICOS and SELinux say yes. 1557 * Trusted Solaris, Trusted Irix, and just about everyone else says no. 1558 * 1559 * I'll say no for now. Smack does not do the frequent 1560 * label changing that SELinux does. 1561 */ 1562 static int smack_file_permission(struct file *file, int mask) 1563 { 1564 return 0; 1565 } 1566 1567 /** 1568 * smack_file_alloc_security - assign a file security blob 1569 * @file: the object 1570 * 1571 * The security blob for a file is a pointer to the master 1572 * label list, so no allocation is done. 1573 * 1574 * f_security is the owner security information. It 1575 * isn't used on file access checks, it's for send_sigio. 1576 * 1577 * Returns 0 1578 */ 1579 static int smack_file_alloc_security(struct file *file) 1580 { 1581 struct smack_known *skp = smk_of_current(); 1582 1583 file->f_security = skp; 1584 return 0; 1585 } 1586 1587 /** 1588 * smack_file_free_security - clear a file security blob 1589 * @file: the object 1590 * 1591 * The security blob for a file is a pointer to the master 1592 * label list, so no memory is freed. 1593 */ 1594 static void smack_file_free_security(struct file *file) 1595 { 1596 file->f_security = NULL; 1597 } 1598 1599 /** 1600 * smack_file_ioctl - Smack check on ioctls 1601 * @file: the object 1602 * @cmd: what to do 1603 * @arg: unused 1604 * 1605 * Relies heavily on the correct use of the ioctl command conventions. 1606 * 1607 * Returns 0 if allowed, error code otherwise 1608 */ 1609 static int smack_file_ioctl(struct file *file, unsigned int cmd, 1610 unsigned long arg) 1611 { 1612 int rc = 0; 1613 struct smk_audit_info ad; 1614 struct inode *inode = file_inode(file); 1615 1616 smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_PATH); 1617 smk_ad_setfield_u_fs_path(&ad, file->f_path); 1618 1619 if (_IOC_DIR(cmd) & _IOC_WRITE) { 1620 rc = smk_curacc(smk_of_inode(inode), MAY_WRITE, &ad); 1621 rc = smk_bu_file(file, MAY_WRITE, rc); 1622 } 1623 1624 if (rc == 0 && (_IOC_DIR(cmd) & _IOC_READ)) { 1625 rc = smk_curacc(smk_of_inode(inode), MAY_READ, &ad); 1626 rc = smk_bu_file(file, MAY_READ, rc); 1627 } 1628 1629 return rc; 1630 } 1631 1632 /** 1633 * smack_file_lock - Smack check on file locking 1634 * @file: the object 1635 * @cmd: unused 1636 * 1637 * Returns 0 if current has lock access, error code otherwise 1638 */ 1639 static int smack_file_lock(struct file *file, unsigned int cmd) 1640 { 1641 struct smk_audit_info ad; 1642 int rc; 1643 struct inode *inode = file_inode(file); 1644 1645 smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_PATH); 1646 smk_ad_setfield_u_fs_path(&ad, file->f_path); 1647 rc = smk_curacc(smk_of_inode(inode), MAY_LOCK, &ad); 1648 rc = smk_bu_file(file, MAY_LOCK, rc); 1649 return rc; 1650 } 1651 1652 /** 1653 * smack_file_fcntl - Smack check on fcntl 1654 * @file: the object 1655 * @cmd: what action to check 1656 * @arg: unused 1657 * 1658 * Generally these operations are harmless. 1659 * File locking operations present an obvious mechanism 1660 * for passing information, so they require write access. 1661 * 1662 * Returns 0 if current has access, error code otherwise 1663 */ 1664 static int smack_file_fcntl(struct file *file, unsigned int cmd, 1665 unsigned long arg) 1666 { 1667 struct smk_audit_info ad; 1668 int rc = 0; 1669 struct inode *inode = file_inode(file); 1670 1671 switch (cmd) { 1672 case F_GETLK: 1673 break; 1674 case F_SETLK: 1675 case F_SETLKW: 1676 smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_PATH); 1677 smk_ad_setfield_u_fs_path(&ad, file->f_path); 1678 rc = smk_curacc(smk_of_inode(inode), MAY_LOCK, &ad); 1679 rc = smk_bu_file(file, MAY_LOCK, rc); 1680 break; 1681 case F_SETOWN: 1682 case F_SETSIG: 1683 smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_PATH); 1684 smk_ad_setfield_u_fs_path(&ad, file->f_path); 1685 rc = smk_curacc(smk_of_inode(inode), MAY_WRITE, &ad); 1686 rc = smk_bu_file(file, MAY_WRITE, rc); 1687 break; 1688 default: 1689 break; 1690 } 1691 1692 return rc; 1693 } 1694 1695 /** 1696 * smack_mmap_file : 1697 * Check permissions for a mmap operation. The @file may be NULL, e.g. 1698 * if mapping anonymous memory. 1699 * @file contains the file structure for file to map (may be NULL). 1700 * @reqprot contains the protection requested by the application. 1701 * @prot contains the protection that will be applied by the kernel. 1702 * @flags contains the operational flags. 1703 * Return 0 if permission is granted. 1704 */ 1705 static int smack_mmap_file(struct file *file, 1706 unsigned long reqprot, unsigned long prot, 1707 unsigned long flags) 1708 { 1709 struct smack_known *skp; 1710 struct smack_known *mkp; 1711 struct smack_rule *srp; 1712 struct task_smack *tsp; 1713 struct smack_known *okp; 1714 struct inode_smack *isp; 1715 int may; 1716 int mmay; 1717 int tmay; 1718 int rc; 1719 1720 if (file == NULL) 1721 return 0; 1722 1723 isp = file_inode(file)->i_security; 1724 if (isp->smk_mmap == NULL) 1725 return 0; 1726 mkp = isp->smk_mmap; 1727 1728 tsp = current_security(); 1729 skp = smk_of_current(); 1730 rc = 0; 1731 1732 rcu_read_lock(); 1733 /* 1734 * For each Smack rule associated with the subject 1735 * label verify that the SMACK64MMAP also has access 1736 * to that rule's object label. 1737 */ 1738 list_for_each_entry_rcu(srp, &skp->smk_rules, list) { 1739 okp = srp->smk_object; 1740 /* 1741 * Matching labels always allows access. 1742 */ 1743 if (mkp->smk_known == okp->smk_known) 1744 continue; 1745 /* 1746 * If there is a matching local rule take 1747 * that into account as well. 1748 */ 1749 may = smk_access_entry(srp->smk_subject->smk_known, 1750 okp->smk_known, 1751 &tsp->smk_rules); 1752 if (may == -ENOENT) 1753 may = srp->smk_access; 1754 else 1755 may &= srp->smk_access; 1756 /* 1757 * If may is zero the SMACK64MMAP subject can't 1758 * possibly have less access. 1759 */ 1760 if (may == 0) 1761 continue; 1762 1763 /* 1764 * Fetch the global list entry. 1765 * If there isn't one a SMACK64MMAP subject 1766 * can't have as much access as current. 1767 */ 1768 mmay = smk_access_entry(mkp->smk_known, okp->smk_known, 1769 &mkp->smk_rules); 1770 if (mmay == -ENOENT) { 1771 rc = -EACCES; 1772 break; 1773 } 1774 /* 1775 * If there is a local entry it modifies the 1776 * potential access, too. 1777 */ 1778 tmay = smk_access_entry(mkp->smk_known, okp->smk_known, 1779 &tsp->smk_rules); 1780 if (tmay != -ENOENT) 1781 mmay &= tmay; 1782 1783 /* 1784 * If there is any access available to current that is 1785 * not available to a SMACK64MMAP subject 1786 * deny access. 1787 */ 1788 if ((may | mmay) != mmay) { 1789 rc = -EACCES; 1790 break; 1791 } 1792 } 1793 1794 rcu_read_unlock(); 1795 1796 return rc; 1797 } 1798 1799 /** 1800 * smack_file_set_fowner - set the file security blob value 1801 * @file: object in question 1802 * 1803 */ 1804 static void smack_file_set_fowner(struct file *file) 1805 { 1806 file->f_security = smk_of_current(); 1807 } 1808 1809 /** 1810 * smack_file_send_sigiotask - Smack on sigio 1811 * @tsk: The target task 1812 * @fown: the object the signal come from 1813 * @signum: unused 1814 * 1815 * Allow a privileged task to get signals even if it shouldn't 1816 * 1817 * Returns 0 if a subject with the object's smack could 1818 * write to the task, an error code otherwise. 1819 */ 1820 static int smack_file_send_sigiotask(struct task_struct *tsk, 1821 struct fown_struct *fown, int signum) 1822 { 1823 struct smack_known *skp; 1824 struct smack_known *tkp = smk_of_task(tsk->cred->security); 1825 struct file *file; 1826 int rc; 1827 struct smk_audit_info ad; 1828 1829 /* 1830 * struct fown_struct is never outside the context of a struct file 1831 */ 1832 file = container_of(fown, struct file, f_owner); 1833 1834 /* we don't log here as rc can be overriden */ 1835 skp = file->f_security; 1836 rc = smk_access(skp, tkp, MAY_WRITE, NULL); 1837 rc = smk_bu_note("sigiotask", skp, tkp, MAY_WRITE, rc); 1838 if (rc != 0 && has_capability(tsk, CAP_MAC_OVERRIDE)) 1839 rc = 0; 1840 1841 smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_TASK); 1842 smk_ad_setfield_u_tsk(&ad, tsk); 1843 smack_log(skp->smk_known, tkp->smk_known, MAY_WRITE, rc, &ad); 1844 return rc; 1845 } 1846 1847 /** 1848 * smack_file_receive - Smack file receive check 1849 * @file: the object 1850 * 1851 * Returns 0 if current has access, error code otherwise 1852 */ 1853 static int smack_file_receive(struct file *file) 1854 { 1855 int rc; 1856 int may = 0; 1857 struct smk_audit_info ad; 1858 struct inode *inode = file_inode(file); 1859 struct socket *sock; 1860 struct task_smack *tsp; 1861 struct socket_smack *ssp; 1862 1863 if (unlikely(IS_PRIVATE(inode))) 1864 return 0; 1865 1866 smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_PATH); 1867 smk_ad_setfield_u_fs_path(&ad, file->f_path); 1868 1869 if (S_ISSOCK(inode->i_mode)) { 1870 sock = SOCKET_I(inode); 1871 ssp = sock->sk->sk_security; 1872 tsp = current_security(); 1873 /* 1874 * If the receiving process can't write to the 1875 * passed socket or if the passed socket can't 1876 * write to the receiving process don't accept 1877 * the passed socket. 1878 */ 1879 rc = smk_access(tsp->smk_task, ssp->smk_out, MAY_WRITE, &ad); 1880 rc = smk_bu_file(file, may, rc); 1881 if (rc < 0) 1882 return rc; 1883 rc = smk_access(ssp->smk_in, tsp->smk_task, MAY_WRITE, &ad); 1884 rc = smk_bu_file(file, may, rc); 1885 return rc; 1886 } 1887 /* 1888 * This code relies on bitmasks. 1889 */ 1890 if (file->f_mode & FMODE_READ) 1891 may = MAY_READ; 1892 if (file->f_mode & FMODE_WRITE) 1893 may |= MAY_WRITE; 1894 1895 rc = smk_curacc(smk_of_inode(inode), may, &ad); 1896 rc = smk_bu_file(file, may, rc); 1897 return rc; 1898 } 1899 1900 /** 1901 * smack_file_open - Smack dentry open processing 1902 * @file: the object 1903 * @cred: task credential 1904 * 1905 * Set the security blob in the file structure. 1906 * Allow the open only if the task has read access. There are 1907 * many read operations (e.g. fstat) that you can do with an 1908 * fd even if you have the file open write-only. 1909 * 1910 * Returns 0 1911 */ 1912 static int smack_file_open(struct file *file, const struct cred *cred) 1913 { 1914 struct task_smack *tsp = cred->security; 1915 struct inode *inode = file_inode(file); 1916 struct smk_audit_info ad; 1917 int rc; 1918 1919 if (smack_privileged(CAP_MAC_OVERRIDE)) 1920 return 0; 1921 1922 smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_PATH); 1923 smk_ad_setfield_u_fs_path(&ad, file->f_path); 1924 rc = smk_access(tsp->smk_task, smk_of_inode(inode), MAY_READ, &ad); 1925 rc = smk_bu_credfile(cred, file, MAY_READ, rc); 1926 1927 return rc; 1928 } 1929 1930 /* 1931 * Task hooks 1932 */ 1933 1934 /** 1935 * smack_cred_alloc_blank - "allocate" blank task-level security credentials 1936 * @new: the new credentials 1937 * @gfp: the atomicity of any memory allocations 1938 * 1939 * Prepare a blank set of credentials for modification. This must allocate all 1940 * the memory the LSM module might require such that cred_transfer() can 1941 * complete without error. 1942 */ 1943 static int smack_cred_alloc_blank(struct cred *cred, gfp_t gfp) 1944 { 1945 struct task_smack *tsp; 1946 1947 tsp = new_task_smack(NULL, NULL, gfp); 1948 if (tsp == NULL) 1949 return -ENOMEM; 1950 1951 cred->security = tsp; 1952 1953 return 0; 1954 } 1955 1956 1957 /** 1958 * smack_cred_free - "free" task-level security credentials 1959 * @cred: the credentials in question 1960 * 1961 */ 1962 static void smack_cred_free(struct cred *cred) 1963 { 1964 struct task_smack *tsp = cred->security; 1965 struct smack_rule *rp; 1966 struct list_head *l; 1967 struct list_head *n; 1968 1969 if (tsp == NULL) 1970 return; 1971 cred->security = NULL; 1972 1973 smk_destroy_label_list(&tsp->smk_relabel); 1974 1975 list_for_each_safe(l, n, &tsp->smk_rules) { 1976 rp = list_entry(l, struct smack_rule, list); 1977 list_del(&rp->list); 1978 kfree(rp); 1979 } 1980 kfree(tsp); 1981 } 1982 1983 /** 1984 * smack_cred_prepare - prepare new set of credentials for modification 1985 * @new: the new credentials 1986 * @old: the original credentials 1987 * @gfp: the atomicity of any memory allocations 1988 * 1989 * Prepare a new set of credentials for modification. 1990 */ 1991 static int smack_cred_prepare(struct cred *new, const struct cred *old, 1992 gfp_t gfp) 1993 { 1994 struct task_smack *old_tsp = old->security; 1995 struct task_smack *new_tsp; 1996 int rc; 1997 1998 new_tsp = new_task_smack(old_tsp->smk_task, old_tsp->smk_task, gfp); 1999 if (new_tsp == NULL) 2000 return -ENOMEM; 2001 2002 rc = smk_copy_rules(&new_tsp->smk_rules, &old_tsp->smk_rules, gfp); 2003 if (rc != 0) 2004 return rc; 2005 2006 rc = smk_copy_relabel(&new_tsp->smk_relabel, &old_tsp->smk_relabel, 2007 gfp); 2008 if (rc != 0) 2009 return rc; 2010 2011 new->security = new_tsp; 2012 return 0; 2013 } 2014 2015 /** 2016 * smack_cred_transfer - Transfer the old credentials to the new credentials 2017 * @new: the new credentials 2018 * @old: the original credentials 2019 * 2020 * Fill in a set of blank credentials from another set of credentials. 2021 */ 2022 static void smack_cred_transfer(struct cred *new, const struct cred *old) 2023 { 2024 struct task_smack *old_tsp = old->security; 2025 struct task_smack *new_tsp = new->security; 2026 2027 new_tsp->smk_task = old_tsp->smk_task; 2028 new_tsp->smk_forked = old_tsp->smk_task; 2029 mutex_init(&new_tsp->smk_rules_lock); 2030 INIT_LIST_HEAD(&new_tsp->smk_rules); 2031 2032 2033 /* cbs copy rule list */ 2034 } 2035 2036 /** 2037 * smack_kernel_act_as - Set the subjective context in a set of credentials 2038 * @new: points to the set of credentials to be modified. 2039 * @secid: specifies the security ID to be set 2040 * 2041 * Set the security data for a kernel service. 2042 */ 2043 static int smack_kernel_act_as(struct cred *new, u32 secid) 2044 { 2045 struct task_smack *new_tsp = new->security; 2046 struct smack_known *skp = smack_from_secid(secid); 2047 2048 if (skp == NULL) 2049 return -EINVAL; 2050 2051 new_tsp->smk_task = skp; 2052 return 0; 2053 } 2054 2055 /** 2056 * smack_kernel_create_files_as - Set the file creation label in a set of creds 2057 * @new: points to the set of credentials to be modified 2058 * @inode: points to the inode to use as a reference 2059 * 2060 * Set the file creation context in a set of credentials to the same 2061 * as the objective context of the specified inode 2062 */ 2063 static int smack_kernel_create_files_as(struct cred *new, 2064 struct inode *inode) 2065 { 2066 struct inode_smack *isp = inode->i_security; 2067 struct task_smack *tsp = new->security; 2068 2069 tsp->smk_forked = isp->smk_inode; 2070 tsp->smk_task = tsp->smk_forked; 2071 return 0; 2072 } 2073 2074 /** 2075 * smk_curacc_on_task - helper to log task related access 2076 * @p: the task object 2077 * @access: the access requested 2078 * @caller: name of the calling function for audit 2079 * 2080 * Return 0 if access is permitted 2081 */ 2082 static int smk_curacc_on_task(struct task_struct *p, int access, 2083 const char *caller) 2084 { 2085 struct smk_audit_info ad; 2086 struct smack_known *skp = smk_of_task_struct(p); 2087 int rc; 2088 2089 smk_ad_init(&ad, caller, LSM_AUDIT_DATA_TASK); 2090 smk_ad_setfield_u_tsk(&ad, p); 2091 rc = smk_curacc(skp, access, &ad); 2092 rc = smk_bu_task(p, access, rc); 2093 return rc; 2094 } 2095 2096 /** 2097 * smack_task_setpgid - Smack check on setting pgid 2098 * @p: the task object 2099 * @pgid: unused 2100 * 2101 * Return 0 if write access is permitted 2102 */ 2103 static int smack_task_setpgid(struct task_struct *p, pid_t pgid) 2104 { 2105 return smk_curacc_on_task(p, MAY_WRITE, __func__); 2106 } 2107 2108 /** 2109 * smack_task_getpgid - Smack access check for getpgid 2110 * @p: the object task 2111 * 2112 * Returns 0 if current can read the object task, error code otherwise 2113 */ 2114 static int smack_task_getpgid(struct task_struct *p) 2115 { 2116 return smk_curacc_on_task(p, MAY_READ, __func__); 2117 } 2118 2119 /** 2120 * smack_task_getsid - Smack access check for getsid 2121 * @p: the object task 2122 * 2123 * Returns 0 if current can read the object task, error code otherwise 2124 */ 2125 static int smack_task_getsid(struct task_struct *p) 2126 { 2127 return smk_curacc_on_task(p, MAY_READ, __func__); 2128 } 2129 2130 /** 2131 * smack_task_getsecid - get the secid of the task 2132 * @p: the object task 2133 * @secid: where to put the result 2134 * 2135 * Sets the secid to contain a u32 version of the smack label. 2136 */ 2137 static void smack_task_getsecid(struct task_struct *p, u32 *secid) 2138 { 2139 struct smack_known *skp = smk_of_task_struct(p); 2140 2141 *secid = skp->smk_secid; 2142 } 2143 2144 /** 2145 * smack_task_setnice - Smack check on setting nice 2146 * @p: the task object 2147 * @nice: unused 2148 * 2149 * Return 0 if write access is permitted 2150 */ 2151 static int smack_task_setnice(struct task_struct *p, int nice) 2152 { 2153 return smk_curacc_on_task(p, MAY_WRITE, __func__); 2154 } 2155 2156 /** 2157 * smack_task_setioprio - Smack check on setting ioprio 2158 * @p: the task object 2159 * @ioprio: unused 2160 * 2161 * Return 0 if write access is permitted 2162 */ 2163 static int smack_task_setioprio(struct task_struct *p, int ioprio) 2164 { 2165 return smk_curacc_on_task(p, MAY_WRITE, __func__); 2166 } 2167 2168 /** 2169 * smack_task_getioprio - Smack check on reading ioprio 2170 * @p: the task object 2171 * 2172 * Return 0 if read access is permitted 2173 */ 2174 static int smack_task_getioprio(struct task_struct *p) 2175 { 2176 return smk_curacc_on_task(p, MAY_READ, __func__); 2177 } 2178 2179 /** 2180 * smack_task_setscheduler - Smack check on setting scheduler 2181 * @p: the task object 2182 * @policy: unused 2183 * @lp: unused 2184 * 2185 * Return 0 if read access is permitted 2186 */ 2187 static int smack_task_setscheduler(struct task_struct *p) 2188 { 2189 return smk_curacc_on_task(p, MAY_WRITE, __func__); 2190 } 2191 2192 /** 2193 * smack_task_getscheduler - Smack check on reading scheduler 2194 * @p: the task object 2195 * 2196 * Return 0 if read access is permitted 2197 */ 2198 static int smack_task_getscheduler(struct task_struct *p) 2199 { 2200 return smk_curacc_on_task(p, MAY_READ, __func__); 2201 } 2202 2203 /** 2204 * smack_task_movememory - Smack check on moving memory 2205 * @p: the task object 2206 * 2207 * Return 0 if write access is permitted 2208 */ 2209 static int smack_task_movememory(struct task_struct *p) 2210 { 2211 return smk_curacc_on_task(p, MAY_WRITE, __func__); 2212 } 2213 2214 /** 2215 * smack_task_kill - Smack check on signal delivery 2216 * @p: the task object 2217 * @info: unused 2218 * @sig: unused 2219 * @secid: identifies the smack to use in lieu of current's 2220 * 2221 * Return 0 if write access is permitted 2222 * 2223 * The secid behavior is an artifact of an SELinux hack 2224 * in the USB code. Someday it may go away. 2225 */ 2226 static int smack_task_kill(struct task_struct *p, struct siginfo *info, 2227 int sig, u32 secid) 2228 { 2229 struct smk_audit_info ad; 2230 struct smack_known *skp; 2231 struct smack_known *tkp = smk_of_task_struct(p); 2232 int rc; 2233 2234 smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_TASK); 2235 smk_ad_setfield_u_tsk(&ad, p); 2236 /* 2237 * Sending a signal requires that the sender 2238 * can write the receiver. 2239 */ 2240 if (secid == 0) { 2241 rc = smk_curacc(tkp, MAY_WRITE, &ad); 2242 rc = smk_bu_task(p, MAY_WRITE, rc); 2243 return rc; 2244 } 2245 /* 2246 * If the secid isn't 0 we're dealing with some USB IO 2247 * specific behavior. This is not clean. For one thing 2248 * we can't take privilege into account. 2249 */ 2250 skp = smack_from_secid(secid); 2251 rc = smk_access(skp, tkp, MAY_WRITE, &ad); 2252 rc = smk_bu_note("USB signal", skp, tkp, MAY_WRITE, rc); 2253 return rc; 2254 } 2255 2256 /** 2257 * smack_task_wait - Smack access check for waiting 2258 * @p: task to wait for 2259 * 2260 * Returns 0 2261 */ 2262 static int smack_task_wait(struct task_struct *p) 2263 { 2264 /* 2265 * Allow the operation to succeed. 2266 * Zombies are bad. 2267 * In userless environments (e.g. phones) programs 2268 * get marked with SMACK64EXEC and even if the parent 2269 * and child shouldn't be talking the parent still 2270 * may expect to know when the child exits. 2271 */ 2272 return 0; 2273 } 2274 2275 /** 2276 * smack_task_to_inode - copy task smack into the inode blob 2277 * @p: task to copy from 2278 * @inode: inode to copy to 2279 * 2280 * Sets the smack pointer in the inode security blob 2281 */ 2282 static void smack_task_to_inode(struct task_struct *p, struct inode *inode) 2283 { 2284 struct inode_smack *isp = inode->i_security; 2285 struct smack_known *skp = smk_of_task_struct(p); 2286 2287 isp->smk_inode = skp; 2288 } 2289 2290 /* 2291 * Socket hooks. 2292 */ 2293 2294 /** 2295 * smack_sk_alloc_security - Allocate a socket blob 2296 * @sk: the socket 2297 * @family: unused 2298 * @gfp_flags: memory allocation flags 2299 * 2300 * Assign Smack pointers to current 2301 * 2302 * Returns 0 on success, -ENOMEM is there's no memory 2303 */ 2304 static int smack_sk_alloc_security(struct sock *sk, int family, gfp_t gfp_flags) 2305 { 2306 struct smack_known *skp = smk_of_current(); 2307 struct socket_smack *ssp; 2308 2309 ssp = kzalloc(sizeof(struct socket_smack), gfp_flags); 2310 if (ssp == NULL) 2311 return -ENOMEM; 2312 2313 ssp->smk_in = skp; 2314 ssp->smk_out = skp; 2315 ssp->smk_packet = NULL; 2316 2317 sk->sk_security = ssp; 2318 2319 return 0; 2320 } 2321 2322 /** 2323 * smack_sk_free_security - Free a socket blob 2324 * @sk: the socket 2325 * 2326 * Clears the blob pointer 2327 */ 2328 static void smack_sk_free_security(struct sock *sk) 2329 { 2330 kfree(sk->sk_security); 2331 } 2332 2333 /** 2334 * smack_ipv4host_label - check host based restrictions 2335 * @sip: the object end 2336 * 2337 * looks for host based access restrictions 2338 * 2339 * This version will only be appropriate for really small sets of single label 2340 * hosts. The caller is responsible for ensuring that the RCU read lock is 2341 * taken before calling this function. 2342 * 2343 * Returns the label of the far end or NULL if it's not special. 2344 */ 2345 static struct smack_known *smack_ipv4host_label(struct sockaddr_in *sip) 2346 { 2347 struct smk_net4addr *snp; 2348 struct in_addr *siap = &sip->sin_addr; 2349 2350 if (siap->s_addr == 0) 2351 return NULL; 2352 2353 list_for_each_entry_rcu(snp, &smk_net4addr_list, list) 2354 /* 2355 * we break after finding the first match because 2356 * the list is sorted from longest to shortest mask 2357 * so we have found the most specific match 2358 */ 2359 if (snp->smk_host.s_addr == 2360 (siap->s_addr & snp->smk_mask.s_addr)) 2361 return snp->smk_label; 2362 2363 return NULL; 2364 } 2365 2366 #if IS_ENABLED(CONFIG_IPV6) 2367 /* 2368 * smk_ipv6_localhost - Check for local ipv6 host address 2369 * @sip: the address 2370 * 2371 * Returns boolean true if this is the localhost address 2372 */ 2373 static bool smk_ipv6_localhost(struct sockaddr_in6 *sip) 2374 { 2375 __be16 *be16p = (__be16 *)&sip->sin6_addr; 2376 __be32 *be32p = (__be32 *)&sip->sin6_addr; 2377 2378 if (be32p[0] == 0 && be32p[1] == 0 && be32p[2] == 0 && be16p[6] == 0 && 2379 ntohs(be16p[7]) == 1) 2380 return true; 2381 return false; 2382 } 2383 2384 /** 2385 * smack_ipv6host_label - check host based restrictions 2386 * @sip: the object end 2387 * 2388 * looks for host based access restrictions 2389 * 2390 * This version will only be appropriate for really small sets of single label 2391 * hosts. The caller is responsible for ensuring that the RCU read lock is 2392 * taken before calling this function. 2393 * 2394 * Returns the label of the far end or NULL if it's not special. 2395 */ 2396 static struct smack_known *smack_ipv6host_label(struct sockaddr_in6 *sip) 2397 { 2398 struct smk_net6addr *snp; 2399 struct in6_addr *sap = &sip->sin6_addr; 2400 int i; 2401 int found = 0; 2402 2403 /* 2404 * It's local. Don't look for a host label. 2405 */ 2406 if (smk_ipv6_localhost(sip)) 2407 return NULL; 2408 2409 list_for_each_entry_rcu(snp, &smk_net6addr_list, list) { 2410 /* 2411 * we break after finding the first match because 2412 * the list is sorted from longest to shortest mask 2413 * so we have found the most specific match 2414 */ 2415 for (found = 1, i = 0; i < 8; i++) { 2416 /* 2417 * If the label is NULL the entry has 2418 * been renounced. Ignore it. 2419 */ 2420 if (snp->smk_label == NULL) 2421 continue; 2422 if ((sap->s6_addr16[i] & snp->smk_mask.s6_addr16[i]) != 2423 snp->smk_host.s6_addr16[i]) { 2424 found = 0; 2425 break; 2426 } 2427 } 2428 if (found) 2429 return snp->smk_label; 2430 } 2431 2432 return NULL; 2433 } 2434 #endif /* CONFIG_IPV6 */ 2435 2436 /** 2437 * smack_netlabel - Set the secattr on a socket 2438 * @sk: the socket 2439 * @labeled: socket label scheme 2440 * 2441 * Convert the outbound smack value (smk_out) to a 2442 * secattr and attach it to the socket. 2443 * 2444 * Returns 0 on success or an error code 2445 */ 2446 static int smack_netlabel(struct sock *sk, int labeled) 2447 { 2448 struct smack_known *skp; 2449 struct socket_smack *ssp = sk->sk_security; 2450 int rc = 0; 2451 2452 /* 2453 * Usually the netlabel code will handle changing the 2454 * packet labeling based on the label. 2455 * The case of a single label host is different, because 2456 * a single label host should never get a labeled packet 2457 * even though the label is usually associated with a packet 2458 * label. 2459 */ 2460 local_bh_disable(); 2461 bh_lock_sock_nested(sk); 2462 2463 if (ssp->smk_out == smack_net_ambient || 2464 labeled == SMACK_UNLABELED_SOCKET) 2465 netlbl_sock_delattr(sk); 2466 else { 2467 skp = ssp->smk_out; 2468 rc = netlbl_sock_setattr(sk, sk->sk_family, &skp->smk_netlabel); 2469 } 2470 2471 bh_unlock_sock(sk); 2472 local_bh_enable(); 2473 2474 return rc; 2475 } 2476 2477 /** 2478 * smack_netlbel_send - Set the secattr on a socket and perform access checks 2479 * @sk: the socket 2480 * @sap: the destination address 2481 * 2482 * Set the correct secattr for the given socket based on the destination 2483 * address and perform any outbound access checks needed. 2484 * 2485 * Returns 0 on success or an error code. 2486 * 2487 */ 2488 static int smack_netlabel_send(struct sock *sk, struct sockaddr_in *sap) 2489 { 2490 struct smack_known *skp; 2491 int rc; 2492 int sk_lbl; 2493 struct smack_known *hkp; 2494 struct socket_smack *ssp = sk->sk_security; 2495 struct smk_audit_info ad; 2496 2497 rcu_read_lock(); 2498 hkp = smack_ipv4host_label(sap); 2499 if (hkp != NULL) { 2500 #ifdef CONFIG_AUDIT 2501 struct lsm_network_audit net; 2502 2503 smk_ad_init_net(&ad, __func__, LSM_AUDIT_DATA_NET, &net); 2504 ad.a.u.net->family = sap->sin_family; 2505 ad.a.u.net->dport = sap->sin_port; 2506 ad.a.u.net->v4info.daddr = sap->sin_addr.s_addr; 2507 #endif 2508 sk_lbl = SMACK_UNLABELED_SOCKET; 2509 skp = ssp->smk_out; 2510 rc = smk_access(skp, hkp, MAY_WRITE, &ad); 2511 rc = smk_bu_note("IPv4 host check", skp, hkp, MAY_WRITE, rc); 2512 } else { 2513 sk_lbl = SMACK_CIPSO_SOCKET; 2514 rc = 0; 2515 } 2516 rcu_read_unlock(); 2517 if (rc != 0) 2518 return rc; 2519 2520 return smack_netlabel(sk, sk_lbl); 2521 } 2522 2523 #if IS_ENABLED(CONFIG_IPV6) 2524 /** 2525 * smk_ipv6_check - check Smack access 2526 * @subject: subject Smack label 2527 * @object: object Smack label 2528 * @address: address 2529 * @act: the action being taken 2530 * 2531 * Check an IPv6 access 2532 */ 2533 static int smk_ipv6_check(struct smack_known *subject, 2534 struct smack_known *object, 2535 struct sockaddr_in6 *address, int act) 2536 { 2537 #ifdef CONFIG_AUDIT 2538 struct lsm_network_audit net; 2539 #endif 2540 struct smk_audit_info ad; 2541 int rc; 2542 2543 #ifdef CONFIG_AUDIT 2544 smk_ad_init_net(&ad, __func__, LSM_AUDIT_DATA_NET, &net); 2545 ad.a.u.net->family = PF_INET6; 2546 ad.a.u.net->dport = ntohs(address->sin6_port); 2547 if (act == SMK_RECEIVING) 2548 ad.a.u.net->v6info.saddr = address->sin6_addr; 2549 else 2550 ad.a.u.net->v6info.daddr = address->sin6_addr; 2551 #endif 2552 rc = smk_access(subject, object, MAY_WRITE, &ad); 2553 rc = smk_bu_note("IPv6 check", subject, object, MAY_WRITE, rc); 2554 return rc; 2555 } 2556 #endif /* CONFIG_IPV6 */ 2557 2558 #ifdef SMACK_IPV6_PORT_LABELING 2559 /** 2560 * smk_ipv6_port_label - Smack port access table management 2561 * @sock: socket 2562 * @address: address 2563 * 2564 * Create or update the port list entry 2565 */ 2566 static void smk_ipv6_port_label(struct socket *sock, struct sockaddr *address) 2567 { 2568 struct sock *sk = sock->sk; 2569 struct sockaddr_in6 *addr6; 2570 struct socket_smack *ssp = sock->sk->sk_security; 2571 struct smk_port_label *spp; 2572 unsigned short port = 0; 2573 2574 if (address == NULL) { 2575 /* 2576 * This operation is changing the Smack information 2577 * on the bound socket. Take the changes to the port 2578 * as well. 2579 */ 2580 list_for_each_entry(spp, &smk_ipv6_port_list, list) { 2581 if (sk != spp->smk_sock) 2582 continue; 2583 spp->smk_in = ssp->smk_in; 2584 spp->smk_out = ssp->smk_out; 2585 return; 2586 } 2587 /* 2588 * A NULL address is only used for updating existing 2589 * bound entries. If there isn't one, it's OK. 2590 */ 2591 return; 2592 } 2593 2594 addr6 = (struct sockaddr_in6 *)address; 2595 port = ntohs(addr6->sin6_port); 2596 /* 2597 * This is a special case that is safely ignored. 2598 */ 2599 if (port == 0) 2600 return; 2601 2602 /* 2603 * Look for an existing port list entry. 2604 * This is an indication that a port is getting reused. 2605 */ 2606 list_for_each_entry(spp, &smk_ipv6_port_list, list) { 2607 if (spp->smk_port != port) 2608 continue; 2609 spp->smk_port = port; 2610 spp->smk_sock = sk; 2611 spp->smk_in = ssp->smk_in; 2612 spp->smk_out = ssp->smk_out; 2613 return; 2614 } 2615 2616 /* 2617 * A new port entry is required. 2618 */ 2619 spp = kzalloc(sizeof(*spp), GFP_KERNEL); 2620 if (spp == NULL) 2621 return; 2622 2623 spp->smk_port = port; 2624 spp->smk_sock = sk; 2625 spp->smk_in = ssp->smk_in; 2626 spp->smk_out = ssp->smk_out; 2627 2628 list_add(&spp->list, &smk_ipv6_port_list); 2629 return; 2630 } 2631 2632 /** 2633 * smk_ipv6_port_check - check Smack port access 2634 * @sock: socket 2635 * @address: address 2636 * 2637 * Create or update the port list entry 2638 */ 2639 static int smk_ipv6_port_check(struct sock *sk, struct sockaddr_in6 *address, 2640 int act) 2641 { 2642 struct smk_port_label *spp; 2643 struct socket_smack *ssp = sk->sk_security; 2644 struct smack_known *skp = NULL; 2645 unsigned short port; 2646 struct smack_known *object; 2647 2648 if (act == SMK_RECEIVING) { 2649 skp = smack_ipv6host_label(address); 2650 object = ssp->smk_in; 2651 } else { 2652 skp = ssp->smk_out; 2653 object = smack_ipv6host_label(address); 2654 } 2655 2656 /* 2657 * The other end is a single label host. 2658 */ 2659 if (skp != NULL && object != NULL) 2660 return smk_ipv6_check(skp, object, address, act); 2661 if (skp == NULL) 2662 skp = smack_net_ambient; 2663 if (object == NULL) 2664 object = smack_net_ambient; 2665 2666 /* 2667 * It's remote, so port lookup does no good. 2668 */ 2669 if (!smk_ipv6_localhost(address)) 2670 return smk_ipv6_check(skp, object, address, act); 2671 2672 /* 2673 * It's local so the send check has to have passed. 2674 */ 2675 if (act == SMK_RECEIVING) 2676 return 0; 2677 2678 port = ntohs(address->sin6_port); 2679 list_for_each_entry(spp, &smk_ipv6_port_list, list) { 2680 if (spp->smk_port != port) 2681 continue; 2682 object = spp->smk_in; 2683 if (act == SMK_CONNECTING) 2684 ssp->smk_packet = spp->smk_out; 2685 break; 2686 } 2687 2688 return smk_ipv6_check(skp, object, address, act); 2689 } 2690 #endif /* SMACK_IPV6_PORT_LABELING */ 2691 2692 /** 2693 * smack_inode_setsecurity - set smack xattrs 2694 * @inode: the object 2695 * @name: attribute name 2696 * @value: attribute value 2697 * @size: size of the attribute 2698 * @flags: unused 2699 * 2700 * Sets the named attribute in the appropriate blob 2701 * 2702 * Returns 0 on success, or an error code 2703 */ 2704 static int smack_inode_setsecurity(struct inode *inode, const char *name, 2705 const void *value, size_t size, int flags) 2706 { 2707 struct smack_known *skp; 2708 struct inode_smack *nsp = inode->i_security; 2709 struct socket_smack *ssp; 2710 struct socket *sock; 2711 int rc = 0; 2712 2713 if (value == NULL || size > SMK_LONGLABEL || size == 0) 2714 return -EINVAL; 2715 2716 skp = smk_import_entry(value, size); 2717 if (IS_ERR(skp)) 2718 return PTR_ERR(skp); 2719 2720 if (strcmp(name, XATTR_SMACK_SUFFIX) == 0) { 2721 nsp->smk_inode = skp; 2722 nsp->smk_flags |= SMK_INODE_INSTANT; 2723 return 0; 2724 } 2725 /* 2726 * The rest of the Smack xattrs are only on sockets. 2727 */ 2728 if (inode->i_sb->s_magic != SOCKFS_MAGIC) 2729 return -EOPNOTSUPP; 2730 2731 sock = SOCKET_I(inode); 2732 if (sock == NULL || sock->sk == NULL) 2733 return -EOPNOTSUPP; 2734 2735 ssp = sock->sk->sk_security; 2736 2737 if (strcmp(name, XATTR_SMACK_IPIN) == 0) 2738 ssp->smk_in = skp; 2739 else if (strcmp(name, XATTR_SMACK_IPOUT) == 0) { 2740 ssp->smk_out = skp; 2741 if (sock->sk->sk_family == PF_INET) { 2742 rc = smack_netlabel(sock->sk, SMACK_CIPSO_SOCKET); 2743 if (rc != 0) 2744 printk(KERN_WARNING 2745 "Smack: \"%s\" netlbl error %d.\n", 2746 __func__, -rc); 2747 } 2748 } else 2749 return -EOPNOTSUPP; 2750 2751 #ifdef SMACK_IPV6_PORT_LABELING 2752 if (sock->sk->sk_family == PF_INET6) 2753 smk_ipv6_port_label(sock, NULL); 2754 #endif 2755 2756 return 0; 2757 } 2758 2759 /** 2760 * smack_socket_post_create - finish socket setup 2761 * @sock: the socket 2762 * @family: protocol family 2763 * @type: unused 2764 * @protocol: unused 2765 * @kern: unused 2766 * 2767 * Sets the netlabel information on the socket 2768 * 2769 * Returns 0 on success, and error code otherwise 2770 */ 2771 static int smack_socket_post_create(struct socket *sock, int family, 2772 int type, int protocol, int kern) 2773 { 2774 struct socket_smack *ssp; 2775 2776 if (sock->sk == NULL) 2777 return 0; 2778 2779 /* 2780 * Sockets created by kernel threads receive web label. 2781 */ 2782 if (unlikely(current->flags & PF_KTHREAD)) { 2783 ssp = sock->sk->sk_security; 2784 ssp->smk_in = &smack_known_web; 2785 ssp->smk_out = &smack_known_web; 2786 } 2787 2788 if (family != PF_INET) 2789 return 0; 2790 /* 2791 * Set the outbound netlbl. 2792 */ 2793 return smack_netlabel(sock->sk, SMACK_CIPSO_SOCKET); 2794 } 2795 2796 #ifdef SMACK_IPV6_PORT_LABELING 2797 /** 2798 * smack_socket_bind - record port binding information. 2799 * @sock: the socket 2800 * @address: the port address 2801 * @addrlen: size of the address 2802 * 2803 * Records the label bound to a port. 2804 * 2805 * Returns 0 2806 */ 2807 static int smack_socket_bind(struct socket *sock, struct sockaddr *address, 2808 int addrlen) 2809 { 2810 if (sock->sk != NULL && sock->sk->sk_family == PF_INET6) 2811 smk_ipv6_port_label(sock, address); 2812 return 0; 2813 } 2814 #endif /* SMACK_IPV6_PORT_LABELING */ 2815 2816 /** 2817 * smack_socket_connect - connect access check 2818 * @sock: the socket 2819 * @sap: the other end 2820 * @addrlen: size of sap 2821 * 2822 * Verifies that a connection may be possible 2823 * 2824 * Returns 0 on success, and error code otherwise 2825 */ 2826 static int smack_socket_connect(struct socket *sock, struct sockaddr *sap, 2827 int addrlen) 2828 { 2829 int rc = 0; 2830 #if IS_ENABLED(CONFIG_IPV6) 2831 struct sockaddr_in6 *sip = (struct sockaddr_in6 *)sap; 2832 #endif 2833 #ifdef SMACK_IPV6_SECMARK_LABELING 2834 struct smack_known *rsp; 2835 struct socket_smack *ssp = sock->sk->sk_security; 2836 #endif 2837 2838 if (sock->sk == NULL) 2839 return 0; 2840 2841 switch (sock->sk->sk_family) { 2842 case PF_INET: 2843 if (addrlen < sizeof(struct sockaddr_in)) 2844 return -EINVAL; 2845 rc = smack_netlabel_send(sock->sk, (struct sockaddr_in *)sap); 2846 break; 2847 case PF_INET6: 2848 if (addrlen < sizeof(struct sockaddr_in6)) 2849 return -EINVAL; 2850 #ifdef SMACK_IPV6_SECMARK_LABELING 2851 rsp = smack_ipv6host_label(sip); 2852 if (rsp != NULL) 2853 rc = smk_ipv6_check(ssp->smk_out, rsp, sip, 2854 SMK_CONNECTING); 2855 #endif 2856 #ifdef SMACK_IPV6_PORT_LABELING 2857 rc = smk_ipv6_port_check(sock->sk, sip, SMK_CONNECTING); 2858 #endif 2859 break; 2860 } 2861 return rc; 2862 } 2863 2864 /** 2865 * smack_flags_to_may - convert S_ to MAY_ values 2866 * @flags: the S_ value 2867 * 2868 * Returns the equivalent MAY_ value 2869 */ 2870 static int smack_flags_to_may(int flags) 2871 { 2872 int may = 0; 2873 2874 if (flags & S_IRUGO) 2875 may |= MAY_READ; 2876 if (flags & S_IWUGO) 2877 may |= MAY_WRITE; 2878 if (flags & S_IXUGO) 2879 may |= MAY_EXEC; 2880 2881 return may; 2882 } 2883 2884 /** 2885 * smack_msg_msg_alloc_security - Set the security blob for msg_msg 2886 * @msg: the object 2887 * 2888 * Returns 0 2889 */ 2890 static int smack_msg_msg_alloc_security(struct msg_msg *msg) 2891 { 2892 struct smack_known *skp = smk_of_current(); 2893 2894 msg->security = skp; 2895 return 0; 2896 } 2897 2898 /** 2899 * smack_msg_msg_free_security - Clear the security blob for msg_msg 2900 * @msg: the object 2901 * 2902 * Clears the blob pointer 2903 */ 2904 static void smack_msg_msg_free_security(struct msg_msg *msg) 2905 { 2906 msg->security = NULL; 2907 } 2908 2909 /** 2910 * smack_of_shm - the smack pointer for the shm 2911 * @shp: the object 2912 * 2913 * Returns a pointer to the smack value 2914 */ 2915 static struct smack_known *smack_of_shm(struct shmid_kernel *shp) 2916 { 2917 return (struct smack_known *)shp->shm_perm.security; 2918 } 2919 2920 /** 2921 * smack_shm_alloc_security - Set the security blob for shm 2922 * @shp: the object 2923 * 2924 * Returns 0 2925 */ 2926 static int smack_shm_alloc_security(struct shmid_kernel *shp) 2927 { 2928 struct kern_ipc_perm *isp = &shp->shm_perm; 2929 struct smack_known *skp = smk_of_current(); 2930 2931 isp->security = skp; 2932 return 0; 2933 } 2934 2935 /** 2936 * smack_shm_free_security - Clear the security blob for shm 2937 * @shp: the object 2938 * 2939 * Clears the blob pointer 2940 */ 2941 static void smack_shm_free_security(struct shmid_kernel *shp) 2942 { 2943 struct kern_ipc_perm *isp = &shp->shm_perm; 2944 2945 isp->security = NULL; 2946 } 2947 2948 /** 2949 * smk_curacc_shm : check if current has access on shm 2950 * @shp : the object 2951 * @access : access requested 2952 * 2953 * Returns 0 if current has the requested access, error code otherwise 2954 */ 2955 static int smk_curacc_shm(struct shmid_kernel *shp, int access) 2956 { 2957 struct smack_known *ssp = smack_of_shm(shp); 2958 struct smk_audit_info ad; 2959 int rc; 2960 2961 #ifdef CONFIG_AUDIT 2962 smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_IPC); 2963 ad.a.u.ipc_id = shp->shm_perm.id; 2964 #endif 2965 rc = smk_curacc(ssp, access, &ad); 2966 rc = smk_bu_current("shm", ssp, access, rc); 2967 return rc; 2968 } 2969 2970 /** 2971 * smack_shm_associate - Smack access check for shm 2972 * @shp: the object 2973 * @shmflg: access requested 2974 * 2975 * Returns 0 if current has the requested access, error code otherwise 2976 */ 2977 static int smack_shm_associate(struct shmid_kernel *shp, int shmflg) 2978 { 2979 int may; 2980 2981 may = smack_flags_to_may(shmflg); 2982 return smk_curacc_shm(shp, may); 2983 } 2984 2985 /** 2986 * smack_shm_shmctl - Smack access check for shm 2987 * @shp: the object 2988 * @cmd: what it wants to do 2989 * 2990 * Returns 0 if current has the requested access, error code otherwise 2991 */ 2992 static int smack_shm_shmctl(struct shmid_kernel *shp, int cmd) 2993 { 2994 int may; 2995 2996 switch (cmd) { 2997 case IPC_STAT: 2998 case SHM_STAT: 2999 may = MAY_READ; 3000 break; 3001 case IPC_SET: 3002 case SHM_LOCK: 3003 case SHM_UNLOCK: 3004 case IPC_RMID: 3005 may = MAY_READWRITE; 3006 break; 3007 case IPC_INFO: 3008 case SHM_INFO: 3009 /* 3010 * System level information. 3011 */ 3012 return 0; 3013 default: 3014 return -EINVAL; 3015 } 3016 return smk_curacc_shm(shp, may); 3017 } 3018 3019 /** 3020 * smack_shm_shmat - Smack access for shmat 3021 * @shp: the object 3022 * @shmaddr: unused 3023 * @shmflg: access requested 3024 * 3025 * Returns 0 if current has the requested access, error code otherwise 3026 */ 3027 static int smack_shm_shmat(struct shmid_kernel *shp, char __user *shmaddr, 3028 int shmflg) 3029 { 3030 int may; 3031 3032 may = smack_flags_to_may(shmflg); 3033 return smk_curacc_shm(shp, may); 3034 } 3035 3036 /** 3037 * smack_of_sem - the smack pointer for the sem 3038 * @sma: the object 3039 * 3040 * Returns a pointer to the smack value 3041 */ 3042 static struct smack_known *smack_of_sem(struct sem_array *sma) 3043 { 3044 return (struct smack_known *)sma->sem_perm.security; 3045 } 3046 3047 /** 3048 * smack_sem_alloc_security - Set the security blob for sem 3049 * @sma: the object 3050 * 3051 * Returns 0 3052 */ 3053 static int smack_sem_alloc_security(struct sem_array *sma) 3054 { 3055 struct kern_ipc_perm *isp = &sma->sem_perm; 3056 struct smack_known *skp = smk_of_current(); 3057 3058 isp->security = skp; 3059 return 0; 3060 } 3061 3062 /** 3063 * smack_sem_free_security - Clear the security blob for sem 3064 * @sma: the object 3065 * 3066 * Clears the blob pointer 3067 */ 3068 static void smack_sem_free_security(struct sem_array *sma) 3069 { 3070 struct kern_ipc_perm *isp = &sma->sem_perm; 3071 3072 isp->security = NULL; 3073 } 3074 3075 /** 3076 * smk_curacc_sem : check if current has access on sem 3077 * @sma : the object 3078 * @access : access requested 3079 * 3080 * Returns 0 if current has the requested access, error code otherwise 3081 */ 3082 static int smk_curacc_sem(struct sem_array *sma, int access) 3083 { 3084 struct smack_known *ssp = smack_of_sem(sma); 3085 struct smk_audit_info ad; 3086 int rc; 3087 3088 #ifdef CONFIG_AUDIT 3089 smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_IPC); 3090 ad.a.u.ipc_id = sma->sem_perm.id; 3091 #endif 3092 rc = smk_curacc(ssp, access, &ad); 3093 rc = smk_bu_current("sem", ssp, access, rc); 3094 return rc; 3095 } 3096 3097 /** 3098 * smack_sem_associate - Smack access check for sem 3099 * @sma: the object 3100 * @semflg: access requested 3101 * 3102 * Returns 0 if current has the requested access, error code otherwise 3103 */ 3104 static int smack_sem_associate(struct sem_array *sma, int semflg) 3105 { 3106 int may; 3107 3108 may = smack_flags_to_may(semflg); 3109 return smk_curacc_sem(sma, may); 3110 } 3111 3112 /** 3113 * smack_sem_shmctl - Smack access check for sem 3114 * @sma: the object 3115 * @cmd: what it wants to do 3116 * 3117 * Returns 0 if current has the requested access, error code otherwise 3118 */ 3119 static int smack_sem_semctl(struct sem_array *sma, int cmd) 3120 { 3121 int may; 3122 3123 switch (cmd) { 3124 case GETPID: 3125 case GETNCNT: 3126 case GETZCNT: 3127 case GETVAL: 3128 case GETALL: 3129 case IPC_STAT: 3130 case SEM_STAT: 3131 may = MAY_READ; 3132 break; 3133 case SETVAL: 3134 case SETALL: 3135 case IPC_RMID: 3136 case IPC_SET: 3137 may = MAY_READWRITE; 3138 break; 3139 case IPC_INFO: 3140 case SEM_INFO: 3141 /* 3142 * System level information 3143 */ 3144 return 0; 3145 default: 3146 return -EINVAL; 3147 } 3148 3149 return smk_curacc_sem(sma, may); 3150 } 3151 3152 /** 3153 * smack_sem_semop - Smack checks of semaphore operations 3154 * @sma: the object 3155 * @sops: unused 3156 * @nsops: unused 3157 * @alter: unused 3158 * 3159 * Treated as read and write in all cases. 3160 * 3161 * Returns 0 if access is allowed, error code otherwise 3162 */ 3163 static int smack_sem_semop(struct sem_array *sma, struct sembuf *sops, 3164 unsigned nsops, int alter) 3165 { 3166 return smk_curacc_sem(sma, MAY_READWRITE); 3167 } 3168 3169 /** 3170 * smack_msg_alloc_security - Set the security blob for msg 3171 * @msq: the object 3172 * 3173 * Returns 0 3174 */ 3175 static int smack_msg_queue_alloc_security(struct msg_queue *msq) 3176 { 3177 struct kern_ipc_perm *kisp = &msq->q_perm; 3178 struct smack_known *skp = smk_of_current(); 3179 3180 kisp->security = skp; 3181 return 0; 3182 } 3183 3184 /** 3185 * smack_msg_free_security - Clear the security blob for msg 3186 * @msq: the object 3187 * 3188 * Clears the blob pointer 3189 */ 3190 static void smack_msg_queue_free_security(struct msg_queue *msq) 3191 { 3192 struct kern_ipc_perm *kisp = &msq->q_perm; 3193 3194 kisp->security = NULL; 3195 } 3196 3197 /** 3198 * smack_of_msq - the smack pointer for the msq 3199 * @msq: the object 3200 * 3201 * Returns a pointer to the smack label entry 3202 */ 3203 static struct smack_known *smack_of_msq(struct msg_queue *msq) 3204 { 3205 return (struct smack_known *)msq->q_perm.security; 3206 } 3207 3208 /** 3209 * smk_curacc_msq : helper to check if current has access on msq 3210 * @msq : the msq 3211 * @access : access requested 3212 * 3213 * return 0 if current has access, error otherwise 3214 */ 3215 static int smk_curacc_msq(struct msg_queue *msq, int access) 3216 { 3217 struct smack_known *msp = smack_of_msq(msq); 3218 struct smk_audit_info ad; 3219 int rc; 3220 3221 #ifdef CONFIG_AUDIT 3222 smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_IPC); 3223 ad.a.u.ipc_id = msq->q_perm.id; 3224 #endif 3225 rc = smk_curacc(msp, access, &ad); 3226 rc = smk_bu_current("msq", msp, access, rc); 3227 return rc; 3228 } 3229 3230 /** 3231 * smack_msg_queue_associate - Smack access check for msg_queue 3232 * @msq: the object 3233 * @msqflg: access requested 3234 * 3235 * Returns 0 if current has the requested access, error code otherwise 3236 */ 3237 static int smack_msg_queue_associate(struct msg_queue *msq, int msqflg) 3238 { 3239 int may; 3240 3241 may = smack_flags_to_may(msqflg); 3242 return smk_curacc_msq(msq, may); 3243 } 3244 3245 /** 3246 * smack_msg_queue_msgctl - Smack access check for msg_queue 3247 * @msq: the object 3248 * @cmd: what it wants to do 3249 * 3250 * Returns 0 if current has the requested access, error code otherwise 3251 */ 3252 static int smack_msg_queue_msgctl(struct msg_queue *msq, int cmd) 3253 { 3254 int may; 3255 3256 switch (cmd) { 3257 case IPC_STAT: 3258 case MSG_STAT: 3259 may = MAY_READ; 3260 break; 3261 case IPC_SET: 3262 case IPC_RMID: 3263 may = MAY_READWRITE; 3264 break; 3265 case IPC_INFO: 3266 case MSG_INFO: 3267 /* 3268 * System level information 3269 */ 3270 return 0; 3271 default: 3272 return -EINVAL; 3273 } 3274 3275 return smk_curacc_msq(msq, may); 3276 } 3277 3278 /** 3279 * smack_msg_queue_msgsnd - Smack access check for msg_queue 3280 * @msq: the object 3281 * @msg: unused 3282 * @msqflg: access requested 3283 * 3284 * Returns 0 if current has the requested access, error code otherwise 3285 */ 3286 static int smack_msg_queue_msgsnd(struct msg_queue *msq, struct msg_msg *msg, 3287 int msqflg) 3288 { 3289 int may; 3290 3291 may = smack_flags_to_may(msqflg); 3292 return smk_curacc_msq(msq, may); 3293 } 3294 3295 /** 3296 * smack_msg_queue_msgsnd - Smack access check for msg_queue 3297 * @msq: the object 3298 * @msg: unused 3299 * @target: unused 3300 * @type: unused 3301 * @mode: unused 3302 * 3303 * Returns 0 if current has read and write access, error code otherwise 3304 */ 3305 static int smack_msg_queue_msgrcv(struct msg_queue *msq, struct msg_msg *msg, 3306 struct task_struct *target, long type, int mode) 3307 { 3308 return smk_curacc_msq(msq, MAY_READWRITE); 3309 } 3310 3311 /** 3312 * smack_ipc_permission - Smack access for ipc_permission() 3313 * @ipp: the object permissions 3314 * @flag: access requested 3315 * 3316 * Returns 0 if current has read and write access, error code otherwise 3317 */ 3318 static int smack_ipc_permission(struct kern_ipc_perm *ipp, short flag) 3319 { 3320 struct smack_known *iskp = ipp->security; 3321 int may = smack_flags_to_may(flag); 3322 struct smk_audit_info ad; 3323 int rc; 3324 3325 #ifdef CONFIG_AUDIT 3326 smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_IPC); 3327 ad.a.u.ipc_id = ipp->id; 3328 #endif 3329 rc = smk_curacc(iskp, may, &ad); 3330 rc = smk_bu_current("svipc", iskp, may, rc); 3331 return rc; 3332 } 3333 3334 /** 3335 * smack_ipc_getsecid - Extract smack security id 3336 * @ipp: the object permissions 3337 * @secid: where result will be saved 3338 */ 3339 static void smack_ipc_getsecid(struct kern_ipc_perm *ipp, u32 *secid) 3340 { 3341 struct smack_known *iskp = ipp->security; 3342 3343 *secid = iskp->smk_secid; 3344 } 3345 3346 /** 3347 * smack_d_instantiate - Make sure the blob is correct on an inode 3348 * @opt_dentry: dentry where inode will be attached 3349 * @inode: the object 3350 * 3351 * Set the inode's security blob if it hasn't been done already. 3352 */ 3353 static void smack_d_instantiate(struct dentry *opt_dentry, struct inode *inode) 3354 { 3355 struct super_block *sbp; 3356 struct superblock_smack *sbsp; 3357 struct inode_smack *isp; 3358 struct smack_known *skp; 3359 struct smack_known *ckp = smk_of_current(); 3360 struct smack_known *final; 3361 char trattr[TRANS_TRUE_SIZE]; 3362 int transflag = 0; 3363 int rc; 3364 struct dentry *dp; 3365 3366 if (inode == NULL) 3367 return; 3368 3369 isp = inode->i_security; 3370 3371 mutex_lock(&isp->smk_lock); 3372 /* 3373 * If the inode is already instantiated 3374 * take the quick way out 3375 */ 3376 if (isp->smk_flags & SMK_INODE_INSTANT) 3377 goto unlockandout; 3378 3379 sbp = inode->i_sb; 3380 sbsp = sbp->s_security; 3381 /* 3382 * We're going to use the superblock default label 3383 * if there's no label on the file. 3384 */ 3385 final = sbsp->smk_default; 3386 3387 /* 3388 * If this is the root inode the superblock 3389 * may be in the process of initialization. 3390 * If that is the case use the root value out 3391 * of the superblock. 3392 */ 3393 if (opt_dentry->d_parent == opt_dentry) { 3394 switch (sbp->s_magic) { 3395 case CGROUP_SUPER_MAGIC: 3396 /* 3397 * The cgroup filesystem is never mounted, 3398 * so there's no opportunity to set the mount 3399 * options. 3400 */ 3401 sbsp->smk_root = &smack_known_star; 3402 sbsp->smk_default = &smack_known_star; 3403 isp->smk_inode = sbsp->smk_root; 3404 break; 3405 case TMPFS_MAGIC: 3406 /* 3407 * What about shmem/tmpfs anonymous files with dentry 3408 * obtained from d_alloc_pseudo()? 3409 */ 3410 isp->smk_inode = smk_of_current(); 3411 break; 3412 case PIPEFS_MAGIC: 3413 isp->smk_inode = smk_of_current(); 3414 break; 3415 default: 3416 isp->smk_inode = sbsp->smk_root; 3417 break; 3418 } 3419 isp->smk_flags |= SMK_INODE_INSTANT; 3420 goto unlockandout; 3421 } 3422 3423 /* 3424 * This is pretty hackish. 3425 * Casey says that we shouldn't have to do 3426 * file system specific code, but it does help 3427 * with keeping it simple. 3428 */ 3429 switch (sbp->s_magic) { 3430 case SMACK_MAGIC: 3431 case PIPEFS_MAGIC: 3432 case SOCKFS_MAGIC: 3433 case CGROUP_SUPER_MAGIC: 3434 /* 3435 * Casey says that it's a little embarrassing 3436 * that the smack file system doesn't do 3437 * extended attributes. 3438 * 3439 * Casey says pipes are easy (?) 3440 * 3441 * Socket access is controlled by the socket 3442 * structures associated with the task involved. 3443 * 3444 * Cgroupfs is special 3445 */ 3446 final = &smack_known_star; 3447 break; 3448 case DEVPTS_SUPER_MAGIC: 3449 /* 3450 * devpts seems content with the label of the task. 3451 * Programs that change smack have to treat the 3452 * pty with respect. 3453 */ 3454 final = ckp; 3455 break; 3456 case PROC_SUPER_MAGIC: 3457 /* 3458 * Casey says procfs appears not to care. 3459 * The superblock default suffices. 3460 */ 3461 break; 3462 case TMPFS_MAGIC: 3463 /* 3464 * Device labels should come from the filesystem, 3465 * but watch out, because they're volitile, 3466 * getting recreated on every reboot. 3467 */ 3468 final = &smack_known_star; 3469 /* 3470 * No break. 3471 * 3472 * If a smack value has been set we want to use it, 3473 * but since tmpfs isn't giving us the opportunity 3474 * to set mount options simulate setting the 3475 * superblock default. 3476 */ 3477 default: 3478 /* 3479 * This isn't an understood special case. 3480 * Get the value from the xattr. 3481 */ 3482 3483 /* 3484 * UNIX domain sockets use lower level socket data. 3485 */ 3486 if (S_ISSOCK(inode->i_mode)) { 3487 final = &smack_known_star; 3488 break; 3489 } 3490 /* 3491 * No xattr support means, alas, no SMACK label. 3492 * Use the aforeapplied default. 3493 * It would be curious if the label of the task 3494 * does not match that assigned. 3495 */ 3496 if (inode->i_op->getxattr == NULL) 3497 break; 3498 /* 3499 * Get the dentry for xattr. 3500 */ 3501 dp = dget(opt_dentry); 3502 skp = smk_fetch(XATTR_NAME_SMACK, inode, dp); 3503 if (!IS_ERR_OR_NULL(skp)) 3504 final = skp; 3505 3506 /* 3507 * Transmuting directory 3508 */ 3509 if (S_ISDIR(inode->i_mode)) { 3510 /* 3511 * If this is a new directory and the label was 3512 * transmuted when the inode was initialized 3513 * set the transmute attribute on the directory 3514 * and mark the inode. 3515 * 3516 * If there is a transmute attribute on the 3517 * directory mark the inode. 3518 */ 3519 if (isp->smk_flags & SMK_INODE_CHANGED) { 3520 isp->smk_flags &= ~SMK_INODE_CHANGED; 3521 rc = inode->i_op->setxattr(dp, 3522 XATTR_NAME_SMACKTRANSMUTE, 3523 TRANS_TRUE, TRANS_TRUE_SIZE, 3524 0); 3525 } else { 3526 rc = inode->i_op->getxattr(dp, 3527 XATTR_NAME_SMACKTRANSMUTE, trattr, 3528 TRANS_TRUE_SIZE); 3529 if (rc >= 0 && strncmp(trattr, TRANS_TRUE, 3530 TRANS_TRUE_SIZE) != 0) 3531 rc = -EINVAL; 3532 } 3533 if (rc >= 0) 3534 transflag = SMK_INODE_TRANSMUTE; 3535 } 3536 /* 3537 * Don't let the exec or mmap label be "*" or "@". 3538 */ 3539 skp = smk_fetch(XATTR_NAME_SMACKEXEC, inode, dp); 3540 if (IS_ERR(skp) || skp == &smack_known_star || 3541 skp == &smack_known_web) 3542 skp = NULL; 3543 isp->smk_task = skp; 3544 3545 skp = smk_fetch(XATTR_NAME_SMACKMMAP, inode, dp); 3546 if (IS_ERR(skp) || skp == &smack_known_star || 3547 skp == &smack_known_web) 3548 skp = NULL; 3549 isp->smk_mmap = skp; 3550 3551 dput(dp); 3552 break; 3553 } 3554 3555 if (final == NULL) 3556 isp->smk_inode = ckp; 3557 else 3558 isp->smk_inode = final; 3559 3560 isp->smk_flags |= (SMK_INODE_INSTANT | transflag); 3561 3562 unlockandout: 3563 mutex_unlock(&isp->smk_lock); 3564 return; 3565 } 3566 3567 /** 3568 * smack_getprocattr - Smack process attribute access 3569 * @p: the object task 3570 * @name: the name of the attribute in /proc/.../attr 3571 * @value: where to put the result 3572 * 3573 * Places a copy of the task Smack into value 3574 * 3575 * Returns the length of the smack label or an error code 3576 */ 3577 static int smack_getprocattr(struct task_struct *p, char *name, char **value) 3578 { 3579 struct smack_known *skp = smk_of_task_struct(p); 3580 char *cp; 3581 int slen; 3582 3583 if (strcmp(name, "current") != 0) 3584 return -EINVAL; 3585 3586 cp = kstrdup(skp->smk_known, GFP_KERNEL); 3587 if (cp == NULL) 3588 return -ENOMEM; 3589 3590 slen = strlen(cp); 3591 *value = cp; 3592 return slen; 3593 } 3594 3595 /** 3596 * smack_setprocattr - Smack process attribute setting 3597 * @p: the object task 3598 * @name: the name of the attribute in /proc/.../attr 3599 * @value: the value to set 3600 * @size: the size of the value 3601 * 3602 * Sets the Smack value of the task. Only setting self 3603 * is permitted and only with privilege 3604 * 3605 * Returns the length of the smack label or an error code 3606 */ 3607 static int smack_setprocattr(struct task_struct *p, char *name, 3608 void *value, size_t size) 3609 { 3610 struct task_smack *tsp = current_security(); 3611 struct cred *new; 3612 struct smack_known *skp; 3613 struct smack_known_list_elem *sklep; 3614 int rc; 3615 3616 /* 3617 * Changing another process' Smack value is too dangerous 3618 * and supports no sane use case. 3619 */ 3620 if (p != current) 3621 return -EPERM; 3622 3623 if (!smack_privileged(CAP_MAC_ADMIN) && list_empty(&tsp->smk_relabel)) 3624 return -EPERM; 3625 3626 if (value == NULL || size == 0 || size >= SMK_LONGLABEL) 3627 return -EINVAL; 3628 3629 if (strcmp(name, "current") != 0) 3630 return -EINVAL; 3631 3632 skp = smk_import_entry(value, size); 3633 if (IS_ERR(skp)) 3634 return PTR_ERR(skp); 3635 3636 /* 3637 * No process is ever allowed the web ("@") label. 3638 */ 3639 if (skp == &smack_known_web) 3640 return -EPERM; 3641 3642 if (!smack_privileged(CAP_MAC_ADMIN)) { 3643 rc = -EPERM; 3644 list_for_each_entry(sklep, &tsp->smk_relabel, list) 3645 if (sklep->smk_label == skp) { 3646 rc = 0; 3647 break; 3648 } 3649 if (rc) 3650 return rc; 3651 } 3652 3653 new = prepare_creds(); 3654 if (new == NULL) 3655 return -ENOMEM; 3656 3657 tsp = new->security; 3658 tsp->smk_task = skp; 3659 /* 3660 * process can change its label only once 3661 */ 3662 smk_destroy_label_list(&tsp->smk_relabel); 3663 3664 commit_creds(new); 3665 return size; 3666 } 3667 3668 /** 3669 * smack_unix_stream_connect - Smack access on UDS 3670 * @sock: one sock 3671 * @other: the other sock 3672 * @newsk: unused 3673 * 3674 * Return 0 if a subject with the smack of sock could access 3675 * an object with the smack of other, otherwise an error code 3676 */ 3677 static int smack_unix_stream_connect(struct sock *sock, 3678 struct sock *other, struct sock *newsk) 3679 { 3680 struct smack_known *skp; 3681 struct smack_known *okp; 3682 struct socket_smack *ssp = sock->sk_security; 3683 struct socket_smack *osp = other->sk_security; 3684 struct socket_smack *nsp = newsk->sk_security; 3685 struct smk_audit_info ad; 3686 int rc = 0; 3687 #ifdef CONFIG_AUDIT 3688 struct lsm_network_audit net; 3689 #endif 3690 3691 if (!smack_privileged(CAP_MAC_OVERRIDE)) { 3692 skp = ssp->smk_out; 3693 okp = osp->smk_in; 3694 #ifdef CONFIG_AUDIT 3695 smk_ad_init_net(&ad, __func__, LSM_AUDIT_DATA_NET, &net); 3696 smk_ad_setfield_u_net_sk(&ad, other); 3697 #endif 3698 rc = smk_access(skp, okp, MAY_WRITE, &ad); 3699 rc = smk_bu_note("UDS connect", skp, okp, MAY_WRITE, rc); 3700 if (rc == 0) { 3701 okp = osp->smk_out; 3702 skp = ssp->smk_in; 3703 rc = smk_access(okp, skp, MAY_WRITE, &ad); 3704 rc = smk_bu_note("UDS connect", okp, skp, 3705 MAY_WRITE, rc); 3706 } 3707 } 3708 3709 /* 3710 * Cross reference the peer labels for SO_PEERSEC. 3711 */ 3712 if (rc == 0) { 3713 nsp->smk_packet = ssp->smk_out; 3714 ssp->smk_packet = osp->smk_out; 3715 } 3716 3717 return rc; 3718 } 3719 3720 /** 3721 * smack_unix_may_send - Smack access on UDS 3722 * @sock: one socket 3723 * @other: the other socket 3724 * 3725 * Return 0 if a subject with the smack of sock could access 3726 * an object with the smack of other, otherwise an error code 3727 */ 3728 static int smack_unix_may_send(struct socket *sock, struct socket *other) 3729 { 3730 struct socket_smack *ssp = sock->sk->sk_security; 3731 struct socket_smack *osp = other->sk->sk_security; 3732 struct smk_audit_info ad; 3733 int rc; 3734 3735 #ifdef CONFIG_AUDIT 3736 struct lsm_network_audit net; 3737 3738 smk_ad_init_net(&ad, __func__, LSM_AUDIT_DATA_NET, &net); 3739 smk_ad_setfield_u_net_sk(&ad, other->sk); 3740 #endif 3741 3742 if (smack_privileged(CAP_MAC_OVERRIDE)) 3743 return 0; 3744 3745 rc = smk_access(ssp->smk_out, osp->smk_in, MAY_WRITE, &ad); 3746 rc = smk_bu_note("UDS send", ssp->smk_out, osp->smk_in, MAY_WRITE, rc); 3747 return rc; 3748 } 3749 3750 /** 3751 * smack_socket_sendmsg - Smack check based on destination host 3752 * @sock: the socket 3753 * @msg: the message 3754 * @size: the size of the message 3755 * 3756 * Return 0 if the current subject can write to the destination host. 3757 * For IPv4 this is only a question if the destination is a single label host. 3758 * For IPv6 this is a check against the label of the port. 3759 */ 3760 static int smack_socket_sendmsg(struct socket *sock, struct msghdr *msg, 3761 int size) 3762 { 3763 struct sockaddr_in *sip = (struct sockaddr_in *) msg->msg_name; 3764 #if IS_ENABLED(CONFIG_IPV6) 3765 struct sockaddr_in6 *sap = (struct sockaddr_in6 *) msg->msg_name; 3766 #endif 3767 #ifdef SMACK_IPV6_SECMARK_LABELING 3768 struct socket_smack *ssp = sock->sk->sk_security; 3769 struct smack_known *rsp; 3770 #endif 3771 int rc = 0; 3772 3773 /* 3774 * Perfectly reasonable for this to be NULL 3775 */ 3776 if (sip == NULL) 3777 return 0; 3778 3779 switch (sock->sk->sk_family) { 3780 case AF_INET: 3781 rc = smack_netlabel_send(sock->sk, sip); 3782 break; 3783 case AF_INET6: 3784 #ifdef SMACK_IPV6_SECMARK_LABELING 3785 rsp = smack_ipv6host_label(sap); 3786 if (rsp != NULL) 3787 rc = smk_ipv6_check(ssp->smk_out, rsp, sap, 3788 SMK_CONNECTING); 3789 #endif 3790 #ifdef SMACK_IPV6_PORT_LABELING 3791 rc = smk_ipv6_port_check(sock->sk, sap, SMK_SENDING); 3792 #endif 3793 break; 3794 } 3795 return rc; 3796 } 3797 3798 /** 3799 * smack_from_secattr - Convert a netlabel attr.mls.lvl/attr.mls.cat pair to smack 3800 * @sap: netlabel secattr 3801 * @ssp: socket security information 3802 * 3803 * Returns a pointer to a Smack label entry found on the label list. 3804 */ 3805 static struct smack_known *smack_from_secattr(struct netlbl_lsm_secattr *sap, 3806 struct socket_smack *ssp) 3807 { 3808 struct smack_known *skp; 3809 int found = 0; 3810 int acat; 3811 int kcat; 3812 3813 if ((sap->flags & NETLBL_SECATTR_MLS_LVL) != 0) { 3814 /* 3815 * Looks like a CIPSO packet. 3816 * If there are flags but no level netlabel isn't 3817 * behaving the way we expect it to. 3818 * 3819 * Look it up in the label table 3820 * Without guidance regarding the smack value 3821 * for the packet fall back on the network 3822 * ambient value. 3823 */ 3824 rcu_read_lock(); 3825 list_for_each_entry(skp, &smack_known_list, list) { 3826 if (sap->attr.mls.lvl != skp->smk_netlabel.attr.mls.lvl) 3827 continue; 3828 /* 3829 * Compare the catsets. Use the netlbl APIs. 3830 */ 3831 if ((sap->flags & NETLBL_SECATTR_MLS_CAT) == 0) { 3832 if ((skp->smk_netlabel.flags & 3833 NETLBL_SECATTR_MLS_CAT) == 0) 3834 found = 1; 3835 break; 3836 } 3837 for (acat = -1, kcat = -1; acat == kcat; ) { 3838 acat = netlbl_catmap_walk(sap->attr.mls.cat, 3839 acat + 1); 3840 kcat = netlbl_catmap_walk( 3841 skp->smk_netlabel.attr.mls.cat, 3842 kcat + 1); 3843 if (acat < 0 || kcat < 0) 3844 break; 3845 } 3846 if (acat == kcat) { 3847 found = 1; 3848 break; 3849 } 3850 } 3851 rcu_read_unlock(); 3852 3853 if (found) 3854 return skp; 3855 3856 if (ssp != NULL && ssp->smk_in == &smack_known_star) 3857 return &smack_known_web; 3858 return &smack_known_star; 3859 } 3860 if ((sap->flags & NETLBL_SECATTR_SECID) != 0) { 3861 /* 3862 * Looks like a fallback, which gives us a secid. 3863 */ 3864 skp = smack_from_secid(sap->attr.secid); 3865 /* 3866 * This has got to be a bug because it is 3867 * impossible to specify a fallback without 3868 * specifying the label, which will ensure 3869 * it has a secid, and the only way to get a 3870 * secid is from a fallback. 3871 */ 3872 BUG_ON(skp == NULL); 3873 return skp; 3874 } 3875 /* 3876 * Without guidance regarding the smack value 3877 * for the packet fall back on the network 3878 * ambient value. 3879 */ 3880 return smack_net_ambient; 3881 } 3882 3883 #if IS_ENABLED(CONFIG_IPV6) 3884 static int smk_skb_to_addr_ipv6(struct sk_buff *skb, struct sockaddr_in6 *sip) 3885 { 3886 u8 nexthdr; 3887 int offset; 3888 int proto = -EINVAL; 3889 struct ipv6hdr _ipv6h; 3890 struct ipv6hdr *ip6; 3891 __be16 frag_off; 3892 struct tcphdr _tcph, *th; 3893 struct udphdr _udph, *uh; 3894 struct dccp_hdr _dccph, *dh; 3895 3896 sip->sin6_port = 0; 3897 3898 offset = skb_network_offset(skb); 3899 ip6 = skb_header_pointer(skb, offset, sizeof(_ipv6h), &_ipv6h); 3900 if (ip6 == NULL) 3901 return -EINVAL; 3902 sip->sin6_addr = ip6->saddr; 3903 3904 nexthdr = ip6->nexthdr; 3905 offset += sizeof(_ipv6h); 3906 offset = ipv6_skip_exthdr(skb, offset, &nexthdr, &frag_off); 3907 if (offset < 0) 3908 return -EINVAL; 3909 3910 proto = nexthdr; 3911 switch (proto) { 3912 case IPPROTO_TCP: 3913 th = skb_header_pointer(skb, offset, sizeof(_tcph), &_tcph); 3914 if (th != NULL) 3915 sip->sin6_port = th->source; 3916 break; 3917 case IPPROTO_UDP: 3918 uh = skb_header_pointer(skb, offset, sizeof(_udph), &_udph); 3919 if (uh != NULL) 3920 sip->sin6_port = uh->source; 3921 break; 3922 case IPPROTO_DCCP: 3923 dh = skb_header_pointer(skb, offset, sizeof(_dccph), &_dccph); 3924 if (dh != NULL) 3925 sip->sin6_port = dh->dccph_sport; 3926 break; 3927 } 3928 return proto; 3929 } 3930 #endif /* CONFIG_IPV6 */ 3931 3932 /** 3933 * smack_socket_sock_rcv_skb - Smack packet delivery access check 3934 * @sk: socket 3935 * @skb: packet 3936 * 3937 * Returns 0 if the packet should be delivered, an error code otherwise 3938 */ 3939 static int smack_socket_sock_rcv_skb(struct sock *sk, struct sk_buff *skb) 3940 { 3941 struct netlbl_lsm_secattr secattr; 3942 struct socket_smack *ssp = sk->sk_security; 3943 struct smack_known *skp = NULL; 3944 int rc = 0; 3945 struct smk_audit_info ad; 3946 #ifdef CONFIG_AUDIT 3947 struct lsm_network_audit net; 3948 #endif 3949 #if IS_ENABLED(CONFIG_IPV6) 3950 struct sockaddr_in6 sadd; 3951 int proto; 3952 #endif /* CONFIG_IPV6 */ 3953 3954 switch (sk->sk_family) { 3955 case PF_INET: 3956 #ifdef CONFIG_SECURITY_SMACK_NETFILTER 3957 /* 3958 * If there is a secmark use it rather than the CIPSO label. 3959 * If there is no secmark fall back to CIPSO. 3960 * The secmark is assumed to reflect policy better. 3961 */ 3962 if (skb && skb->secmark != 0) { 3963 skp = smack_from_secid(skb->secmark); 3964 goto access_check; 3965 } 3966 #endif /* CONFIG_SECURITY_SMACK_NETFILTER */ 3967 /* 3968 * Translate what netlabel gave us. 3969 */ 3970 netlbl_secattr_init(&secattr); 3971 3972 rc = netlbl_skbuff_getattr(skb, sk->sk_family, &secattr); 3973 if (rc == 0) 3974 skp = smack_from_secattr(&secattr, ssp); 3975 else 3976 skp = smack_net_ambient; 3977 3978 netlbl_secattr_destroy(&secattr); 3979 3980 #ifdef CONFIG_SECURITY_SMACK_NETFILTER 3981 access_check: 3982 #endif 3983 #ifdef CONFIG_AUDIT 3984 smk_ad_init_net(&ad, __func__, LSM_AUDIT_DATA_NET, &net); 3985 ad.a.u.net->family = sk->sk_family; 3986 ad.a.u.net->netif = skb->skb_iif; 3987 ipv4_skb_to_auditdata(skb, &ad.a, NULL); 3988 #endif 3989 /* 3990 * Receiving a packet requires that the other end 3991 * be able to write here. Read access is not required. 3992 * This is the simplist possible security model 3993 * for networking. 3994 */ 3995 rc = smk_access(skp, ssp->smk_in, MAY_WRITE, &ad); 3996 rc = smk_bu_note("IPv4 delivery", skp, ssp->smk_in, 3997 MAY_WRITE, rc); 3998 if (rc != 0) 3999 netlbl_skbuff_err(skb, rc, 0); 4000 break; 4001 #if IS_ENABLED(CONFIG_IPV6) 4002 case PF_INET6: 4003 proto = smk_skb_to_addr_ipv6(skb, &sadd); 4004 if (proto != IPPROTO_UDP && proto != IPPROTO_TCP) 4005 break; 4006 #ifdef SMACK_IPV6_SECMARK_LABELING 4007 if (skb && skb->secmark != 0) 4008 skp = smack_from_secid(skb->secmark); 4009 else 4010 skp = smack_ipv6host_label(&sadd); 4011 if (skp == NULL) 4012 skp = smack_net_ambient; 4013 #ifdef CONFIG_AUDIT 4014 smk_ad_init_net(&ad, __func__, LSM_AUDIT_DATA_NET, &net); 4015 ad.a.u.net->family = sk->sk_family; 4016 ad.a.u.net->netif = skb->skb_iif; 4017 ipv6_skb_to_auditdata(skb, &ad.a, NULL); 4018 #endif /* CONFIG_AUDIT */ 4019 rc = smk_access(skp, ssp->smk_in, MAY_WRITE, &ad); 4020 rc = smk_bu_note("IPv6 delivery", skp, ssp->smk_in, 4021 MAY_WRITE, rc); 4022 #endif /* SMACK_IPV6_SECMARK_LABELING */ 4023 #ifdef SMACK_IPV6_PORT_LABELING 4024 rc = smk_ipv6_port_check(sk, &sadd, SMK_RECEIVING); 4025 #endif /* SMACK_IPV6_PORT_LABELING */ 4026 break; 4027 #endif /* CONFIG_IPV6 */ 4028 } 4029 4030 return rc; 4031 } 4032 4033 /** 4034 * smack_socket_getpeersec_stream - pull in packet label 4035 * @sock: the socket 4036 * @optval: user's destination 4037 * @optlen: size thereof 4038 * @len: max thereof 4039 * 4040 * returns zero on success, an error code otherwise 4041 */ 4042 static int smack_socket_getpeersec_stream(struct socket *sock, 4043 char __user *optval, 4044 int __user *optlen, unsigned len) 4045 { 4046 struct socket_smack *ssp; 4047 char *rcp = ""; 4048 int slen = 1; 4049 int rc = 0; 4050 4051 ssp = sock->sk->sk_security; 4052 if (ssp->smk_packet != NULL) { 4053 rcp = ssp->smk_packet->smk_known; 4054 slen = strlen(rcp) + 1; 4055 } 4056 4057 if (slen > len) 4058 rc = -ERANGE; 4059 else if (copy_to_user(optval, rcp, slen) != 0) 4060 rc = -EFAULT; 4061 4062 if (put_user(slen, optlen) != 0) 4063 rc = -EFAULT; 4064 4065 return rc; 4066 } 4067 4068 4069 /** 4070 * smack_socket_getpeersec_dgram - pull in packet label 4071 * @sock: the peer socket 4072 * @skb: packet data 4073 * @secid: pointer to where to put the secid of the packet 4074 * 4075 * Sets the netlabel socket state on sk from parent 4076 */ 4077 static int smack_socket_getpeersec_dgram(struct socket *sock, 4078 struct sk_buff *skb, u32 *secid) 4079 4080 { 4081 struct netlbl_lsm_secattr secattr; 4082 struct socket_smack *ssp = NULL; 4083 struct smack_known *skp; 4084 int family = PF_UNSPEC; 4085 u32 s = 0; /* 0 is the invalid secid */ 4086 int rc; 4087 4088 if (skb != NULL) { 4089 if (skb->protocol == htons(ETH_P_IP)) 4090 family = PF_INET; 4091 #if IS_ENABLED(CONFIG_IPV6) 4092 else if (skb->protocol == htons(ETH_P_IPV6)) 4093 family = PF_INET6; 4094 #endif /* CONFIG_IPV6 */ 4095 } 4096 if (family == PF_UNSPEC && sock != NULL) 4097 family = sock->sk->sk_family; 4098 4099 switch (family) { 4100 case PF_UNIX: 4101 ssp = sock->sk->sk_security; 4102 s = ssp->smk_out->smk_secid; 4103 break; 4104 case PF_INET: 4105 #ifdef CONFIG_SECURITY_SMACK_NETFILTER 4106 s = skb->secmark; 4107 if (s != 0) 4108 break; 4109 #endif 4110 /* 4111 * Translate what netlabel gave us. 4112 */ 4113 if (sock != NULL && sock->sk != NULL) 4114 ssp = sock->sk->sk_security; 4115 netlbl_secattr_init(&secattr); 4116 rc = netlbl_skbuff_getattr(skb, family, &secattr); 4117 if (rc == 0) { 4118 skp = smack_from_secattr(&secattr, ssp); 4119 s = skp->smk_secid; 4120 } 4121 netlbl_secattr_destroy(&secattr); 4122 break; 4123 case PF_INET6: 4124 #ifdef SMACK_IPV6_SECMARK_LABELING 4125 s = skb->secmark; 4126 #endif 4127 break; 4128 } 4129 *secid = s; 4130 if (s == 0) 4131 return -EINVAL; 4132 return 0; 4133 } 4134 4135 /** 4136 * smack_sock_graft - Initialize a newly created socket with an existing sock 4137 * @sk: child sock 4138 * @parent: parent socket 4139 * 4140 * Set the smk_{in,out} state of an existing sock based on the process that 4141 * is creating the new socket. 4142 */ 4143 static void smack_sock_graft(struct sock *sk, struct socket *parent) 4144 { 4145 struct socket_smack *ssp; 4146 struct smack_known *skp = smk_of_current(); 4147 4148 if (sk == NULL || 4149 (sk->sk_family != PF_INET && sk->sk_family != PF_INET6)) 4150 return; 4151 4152 ssp = sk->sk_security; 4153 ssp->smk_in = skp; 4154 ssp->smk_out = skp; 4155 /* cssp->smk_packet is already set in smack_inet_csk_clone() */ 4156 } 4157 4158 /** 4159 * smack_inet_conn_request - Smack access check on connect 4160 * @sk: socket involved 4161 * @skb: packet 4162 * @req: unused 4163 * 4164 * Returns 0 if a task with the packet label could write to 4165 * the socket, otherwise an error code 4166 */ 4167 static int smack_inet_conn_request(struct sock *sk, struct sk_buff *skb, 4168 struct request_sock *req) 4169 { 4170 u16 family = sk->sk_family; 4171 struct smack_known *skp; 4172 struct socket_smack *ssp = sk->sk_security; 4173 struct netlbl_lsm_secattr secattr; 4174 struct sockaddr_in addr; 4175 struct iphdr *hdr; 4176 struct smack_known *hskp; 4177 int rc; 4178 struct smk_audit_info ad; 4179 #ifdef CONFIG_AUDIT 4180 struct lsm_network_audit net; 4181 #endif 4182 4183 #if IS_ENABLED(CONFIG_IPV6) 4184 if (family == PF_INET6) { 4185 /* 4186 * Handle mapped IPv4 packets arriving 4187 * via IPv6 sockets. Don't set up netlabel 4188 * processing on IPv6. 4189 */ 4190 if (skb->protocol == htons(ETH_P_IP)) 4191 family = PF_INET; 4192 else 4193 return 0; 4194 } 4195 #endif /* CONFIG_IPV6 */ 4196 4197 #ifdef CONFIG_SECURITY_SMACK_NETFILTER 4198 /* 4199 * If there is a secmark use it rather than the CIPSO label. 4200 * If there is no secmark fall back to CIPSO. 4201 * The secmark is assumed to reflect policy better. 4202 */ 4203 if (skb && skb->secmark != 0) { 4204 skp = smack_from_secid(skb->secmark); 4205 goto access_check; 4206 } 4207 #endif /* CONFIG_SECURITY_SMACK_NETFILTER */ 4208 4209 netlbl_secattr_init(&secattr); 4210 rc = netlbl_skbuff_getattr(skb, family, &secattr); 4211 if (rc == 0) 4212 skp = smack_from_secattr(&secattr, ssp); 4213 else 4214 skp = &smack_known_huh; 4215 netlbl_secattr_destroy(&secattr); 4216 4217 #ifdef CONFIG_SECURITY_SMACK_NETFILTER 4218 access_check: 4219 #endif 4220 4221 #ifdef CONFIG_AUDIT 4222 smk_ad_init_net(&ad, __func__, LSM_AUDIT_DATA_NET, &net); 4223 ad.a.u.net->family = family; 4224 ad.a.u.net->netif = skb->skb_iif; 4225 ipv4_skb_to_auditdata(skb, &ad.a, NULL); 4226 #endif 4227 /* 4228 * Receiving a packet requires that the other end be able to write 4229 * here. Read access is not required. 4230 */ 4231 rc = smk_access(skp, ssp->smk_in, MAY_WRITE, &ad); 4232 rc = smk_bu_note("IPv4 connect", skp, ssp->smk_in, MAY_WRITE, rc); 4233 if (rc != 0) 4234 return rc; 4235 4236 /* 4237 * Save the peer's label in the request_sock so we can later setup 4238 * smk_packet in the child socket so that SO_PEERCRED can report it. 4239 */ 4240 req->peer_secid = skp->smk_secid; 4241 4242 /* 4243 * We need to decide if we want to label the incoming connection here 4244 * if we do we only need to label the request_sock and the stack will 4245 * propagate the wire-label to the sock when it is created. 4246 */ 4247 hdr = ip_hdr(skb); 4248 addr.sin_addr.s_addr = hdr->saddr; 4249 rcu_read_lock(); 4250 hskp = smack_ipv4host_label(&addr); 4251 rcu_read_unlock(); 4252 4253 if (hskp == NULL) 4254 rc = netlbl_req_setattr(req, &skp->smk_netlabel); 4255 else 4256 netlbl_req_delattr(req); 4257 4258 return rc; 4259 } 4260 4261 /** 4262 * smack_inet_csk_clone - Copy the connection information to the new socket 4263 * @sk: the new socket 4264 * @req: the connection's request_sock 4265 * 4266 * Transfer the connection's peer label to the newly created socket. 4267 */ 4268 static void smack_inet_csk_clone(struct sock *sk, 4269 const struct request_sock *req) 4270 { 4271 struct socket_smack *ssp = sk->sk_security; 4272 struct smack_known *skp; 4273 4274 if (req->peer_secid != 0) { 4275 skp = smack_from_secid(req->peer_secid); 4276 ssp->smk_packet = skp; 4277 } else 4278 ssp->smk_packet = NULL; 4279 } 4280 4281 /* 4282 * Key management security hooks 4283 * 4284 * Casey has not tested key support very heavily. 4285 * The permission check is most likely too restrictive. 4286 * If you care about keys please have a look. 4287 */ 4288 #ifdef CONFIG_KEYS 4289 4290 /** 4291 * smack_key_alloc - Set the key security blob 4292 * @key: object 4293 * @cred: the credentials to use 4294 * @flags: unused 4295 * 4296 * No allocation required 4297 * 4298 * Returns 0 4299 */ 4300 static int smack_key_alloc(struct key *key, const struct cred *cred, 4301 unsigned long flags) 4302 { 4303 struct smack_known *skp = smk_of_task(cred->security); 4304 4305 key->security = skp; 4306 return 0; 4307 } 4308 4309 /** 4310 * smack_key_free - Clear the key security blob 4311 * @key: the object 4312 * 4313 * Clear the blob pointer 4314 */ 4315 static void smack_key_free(struct key *key) 4316 { 4317 key->security = NULL; 4318 } 4319 4320 /** 4321 * smack_key_permission - Smack access on a key 4322 * @key_ref: gets to the object 4323 * @cred: the credentials to use 4324 * @perm: requested key permissions 4325 * 4326 * Return 0 if the task has read and write to the object, 4327 * an error code otherwise 4328 */ 4329 static int smack_key_permission(key_ref_t key_ref, 4330 const struct cred *cred, unsigned perm) 4331 { 4332 struct key *keyp; 4333 struct smk_audit_info ad; 4334 struct smack_known *tkp = smk_of_task(cred->security); 4335 int request = 0; 4336 int rc; 4337 4338 keyp = key_ref_to_ptr(key_ref); 4339 if (keyp == NULL) 4340 return -EINVAL; 4341 /* 4342 * If the key hasn't been initialized give it access so that 4343 * it may do so. 4344 */ 4345 if (keyp->security == NULL) 4346 return 0; 4347 /* 4348 * This should not occur 4349 */ 4350 if (tkp == NULL) 4351 return -EACCES; 4352 #ifdef CONFIG_AUDIT 4353 smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_KEY); 4354 ad.a.u.key_struct.key = keyp->serial; 4355 ad.a.u.key_struct.key_desc = keyp->description; 4356 #endif 4357 if (perm & KEY_NEED_READ) 4358 request = MAY_READ; 4359 if (perm & (KEY_NEED_WRITE | KEY_NEED_LINK | KEY_NEED_SETATTR)) 4360 request = MAY_WRITE; 4361 rc = smk_access(tkp, keyp->security, request, &ad); 4362 rc = smk_bu_note("key access", tkp, keyp->security, request, rc); 4363 return rc; 4364 } 4365 4366 /* 4367 * smack_key_getsecurity - Smack label tagging the key 4368 * @key points to the key to be queried 4369 * @_buffer points to a pointer that should be set to point to the 4370 * resulting string (if no label or an error occurs). 4371 * Return the length of the string (including terminating NUL) or -ve if 4372 * an error. 4373 * May also return 0 (and a NULL buffer pointer) if there is no label. 4374 */ 4375 static int smack_key_getsecurity(struct key *key, char **_buffer) 4376 { 4377 struct smack_known *skp = key->security; 4378 size_t length; 4379 char *copy; 4380 4381 if (key->security == NULL) { 4382 *_buffer = NULL; 4383 return 0; 4384 } 4385 4386 copy = kstrdup(skp->smk_known, GFP_KERNEL); 4387 if (copy == NULL) 4388 return -ENOMEM; 4389 length = strlen(copy) + 1; 4390 4391 *_buffer = copy; 4392 return length; 4393 } 4394 4395 #endif /* CONFIG_KEYS */ 4396 4397 /* 4398 * Smack Audit hooks 4399 * 4400 * Audit requires a unique representation of each Smack specific 4401 * rule. This unique representation is used to distinguish the 4402 * object to be audited from remaining kernel objects and also 4403 * works as a glue between the audit hooks. 4404 * 4405 * Since repository entries are added but never deleted, we'll use 4406 * the smack_known label address related to the given audit rule as 4407 * the needed unique representation. This also better fits the smack 4408 * model where nearly everything is a label. 4409 */ 4410 #ifdef CONFIG_AUDIT 4411 4412 /** 4413 * smack_audit_rule_init - Initialize a smack audit rule 4414 * @field: audit rule fields given from user-space (audit.h) 4415 * @op: required testing operator (=, !=, >, <, ...) 4416 * @rulestr: smack label to be audited 4417 * @vrule: pointer to save our own audit rule representation 4418 * 4419 * Prepare to audit cases where (@field @op @rulestr) is true. 4420 * The label to be audited is created if necessay. 4421 */ 4422 static int smack_audit_rule_init(u32 field, u32 op, char *rulestr, void **vrule) 4423 { 4424 struct smack_known *skp; 4425 char **rule = (char **)vrule; 4426 *rule = NULL; 4427 4428 if (field != AUDIT_SUBJ_USER && field != AUDIT_OBJ_USER) 4429 return -EINVAL; 4430 4431 if (op != Audit_equal && op != Audit_not_equal) 4432 return -EINVAL; 4433 4434 skp = smk_import_entry(rulestr, 0); 4435 if (IS_ERR(skp)) 4436 return PTR_ERR(skp); 4437 4438 *rule = skp->smk_known; 4439 4440 return 0; 4441 } 4442 4443 /** 4444 * smack_audit_rule_known - Distinguish Smack audit rules 4445 * @krule: rule of interest, in Audit kernel representation format 4446 * 4447 * This is used to filter Smack rules from remaining Audit ones. 4448 * If it's proved that this rule belongs to us, the 4449 * audit_rule_match hook will be called to do the final judgement. 4450 */ 4451 static int smack_audit_rule_known(struct audit_krule *krule) 4452 { 4453 struct audit_field *f; 4454 int i; 4455 4456 for (i = 0; i < krule->field_count; i++) { 4457 f = &krule->fields[i]; 4458 4459 if (f->type == AUDIT_SUBJ_USER || f->type == AUDIT_OBJ_USER) 4460 return 1; 4461 } 4462 4463 return 0; 4464 } 4465 4466 /** 4467 * smack_audit_rule_match - Audit given object ? 4468 * @secid: security id for identifying the object to test 4469 * @field: audit rule flags given from user-space 4470 * @op: required testing operator 4471 * @vrule: smack internal rule presentation 4472 * @actx: audit context associated with the check 4473 * 4474 * The core Audit hook. It's used to take the decision of 4475 * whether to audit or not to audit a given object. 4476 */ 4477 static int smack_audit_rule_match(u32 secid, u32 field, u32 op, void *vrule, 4478 struct audit_context *actx) 4479 { 4480 struct smack_known *skp; 4481 char *rule = vrule; 4482 4483 if (unlikely(!rule)) { 4484 WARN_ONCE(1, "Smack: missing rule\n"); 4485 return -ENOENT; 4486 } 4487 4488 if (field != AUDIT_SUBJ_USER && field != AUDIT_OBJ_USER) 4489 return 0; 4490 4491 skp = smack_from_secid(secid); 4492 4493 /* 4494 * No need to do string comparisons. If a match occurs, 4495 * both pointers will point to the same smack_known 4496 * label. 4497 */ 4498 if (op == Audit_equal) 4499 return (rule == skp->smk_known); 4500 if (op == Audit_not_equal) 4501 return (rule != skp->smk_known); 4502 4503 return 0; 4504 } 4505 4506 /** 4507 * smack_audit_rule_free - free smack rule representation 4508 * @vrule: rule to be freed. 4509 * 4510 * No memory was allocated. 4511 */ 4512 static void smack_audit_rule_free(void *vrule) 4513 { 4514 /* No-op */ 4515 } 4516 4517 #endif /* CONFIG_AUDIT */ 4518 4519 /** 4520 * smack_ismaclabel - check if xattr @name references a smack MAC label 4521 * @name: Full xattr name to check. 4522 */ 4523 static int smack_ismaclabel(const char *name) 4524 { 4525 return (strcmp(name, XATTR_SMACK_SUFFIX) == 0); 4526 } 4527 4528 4529 /** 4530 * smack_secid_to_secctx - return the smack label for a secid 4531 * @secid: incoming integer 4532 * @secdata: destination 4533 * @seclen: how long it is 4534 * 4535 * Exists for networking code. 4536 */ 4537 static int smack_secid_to_secctx(u32 secid, char **secdata, u32 *seclen) 4538 { 4539 struct smack_known *skp = smack_from_secid(secid); 4540 4541 if (secdata) 4542 *secdata = skp->smk_known; 4543 *seclen = strlen(skp->smk_known); 4544 return 0; 4545 } 4546 4547 /** 4548 * smack_secctx_to_secid - return the secid for a smack label 4549 * @secdata: smack label 4550 * @seclen: how long result is 4551 * @secid: outgoing integer 4552 * 4553 * Exists for audit and networking code. 4554 */ 4555 static int smack_secctx_to_secid(const char *secdata, u32 seclen, u32 *secid) 4556 { 4557 struct smack_known *skp = smk_find_entry(secdata); 4558 4559 if (skp) 4560 *secid = skp->smk_secid; 4561 else 4562 *secid = 0; 4563 return 0; 4564 } 4565 4566 /** 4567 * smack_release_secctx - don't do anything. 4568 * @secdata: unused 4569 * @seclen: unused 4570 * 4571 * Exists to make sure nothing gets done, and properly 4572 */ 4573 static void smack_release_secctx(char *secdata, u32 seclen) 4574 { 4575 } 4576 4577 static int smack_inode_notifysecctx(struct inode *inode, void *ctx, u32 ctxlen) 4578 { 4579 return smack_inode_setsecurity(inode, XATTR_SMACK_SUFFIX, ctx, ctxlen, 0); 4580 } 4581 4582 static int smack_inode_setsecctx(struct dentry *dentry, void *ctx, u32 ctxlen) 4583 { 4584 return __vfs_setxattr_noperm(dentry, XATTR_NAME_SMACK, ctx, ctxlen, 0); 4585 } 4586 4587 static int smack_inode_getsecctx(struct inode *inode, void **ctx, u32 *ctxlen) 4588 { 4589 int len = 0; 4590 len = smack_inode_getsecurity(inode, XATTR_SMACK_SUFFIX, ctx, true); 4591 4592 if (len < 0) 4593 return len; 4594 *ctxlen = len; 4595 return 0; 4596 } 4597 4598 static struct security_hook_list smack_hooks[] = { 4599 LSM_HOOK_INIT(ptrace_access_check, smack_ptrace_access_check), 4600 LSM_HOOK_INIT(ptrace_traceme, smack_ptrace_traceme), 4601 LSM_HOOK_INIT(syslog, smack_syslog), 4602 4603 LSM_HOOK_INIT(sb_alloc_security, smack_sb_alloc_security), 4604 LSM_HOOK_INIT(sb_free_security, smack_sb_free_security), 4605 LSM_HOOK_INIT(sb_copy_data, smack_sb_copy_data), 4606 LSM_HOOK_INIT(sb_kern_mount, smack_sb_kern_mount), 4607 LSM_HOOK_INIT(sb_statfs, smack_sb_statfs), 4608 LSM_HOOK_INIT(sb_set_mnt_opts, smack_set_mnt_opts), 4609 LSM_HOOK_INIT(sb_parse_opts_str, smack_parse_opts_str), 4610 4611 LSM_HOOK_INIT(bprm_set_creds, smack_bprm_set_creds), 4612 LSM_HOOK_INIT(bprm_committing_creds, smack_bprm_committing_creds), 4613 LSM_HOOK_INIT(bprm_secureexec, smack_bprm_secureexec), 4614 4615 LSM_HOOK_INIT(inode_alloc_security, smack_inode_alloc_security), 4616 LSM_HOOK_INIT(inode_free_security, smack_inode_free_security), 4617 LSM_HOOK_INIT(inode_init_security, smack_inode_init_security), 4618 LSM_HOOK_INIT(inode_link, smack_inode_link), 4619 LSM_HOOK_INIT(inode_unlink, smack_inode_unlink), 4620 LSM_HOOK_INIT(inode_rmdir, smack_inode_rmdir), 4621 LSM_HOOK_INIT(inode_rename, smack_inode_rename), 4622 LSM_HOOK_INIT(inode_permission, smack_inode_permission), 4623 LSM_HOOK_INIT(inode_setattr, smack_inode_setattr), 4624 LSM_HOOK_INIT(inode_getattr, smack_inode_getattr), 4625 LSM_HOOK_INIT(inode_setxattr, smack_inode_setxattr), 4626 LSM_HOOK_INIT(inode_post_setxattr, smack_inode_post_setxattr), 4627 LSM_HOOK_INIT(inode_getxattr, smack_inode_getxattr), 4628 LSM_HOOK_INIT(inode_removexattr, smack_inode_removexattr), 4629 LSM_HOOK_INIT(inode_getsecurity, smack_inode_getsecurity), 4630 LSM_HOOK_INIT(inode_setsecurity, smack_inode_setsecurity), 4631 LSM_HOOK_INIT(inode_listsecurity, smack_inode_listsecurity), 4632 LSM_HOOK_INIT(inode_getsecid, smack_inode_getsecid), 4633 4634 LSM_HOOK_INIT(file_permission, smack_file_permission), 4635 LSM_HOOK_INIT(file_alloc_security, smack_file_alloc_security), 4636 LSM_HOOK_INIT(file_free_security, smack_file_free_security), 4637 LSM_HOOK_INIT(file_ioctl, smack_file_ioctl), 4638 LSM_HOOK_INIT(file_lock, smack_file_lock), 4639 LSM_HOOK_INIT(file_fcntl, smack_file_fcntl), 4640 LSM_HOOK_INIT(mmap_file, smack_mmap_file), 4641 LSM_HOOK_INIT(mmap_addr, cap_mmap_addr), 4642 LSM_HOOK_INIT(file_set_fowner, smack_file_set_fowner), 4643 LSM_HOOK_INIT(file_send_sigiotask, smack_file_send_sigiotask), 4644 LSM_HOOK_INIT(file_receive, smack_file_receive), 4645 4646 LSM_HOOK_INIT(file_open, smack_file_open), 4647 4648 LSM_HOOK_INIT(cred_alloc_blank, smack_cred_alloc_blank), 4649 LSM_HOOK_INIT(cred_free, smack_cred_free), 4650 LSM_HOOK_INIT(cred_prepare, smack_cred_prepare), 4651 LSM_HOOK_INIT(cred_transfer, smack_cred_transfer), 4652 LSM_HOOK_INIT(kernel_act_as, smack_kernel_act_as), 4653 LSM_HOOK_INIT(kernel_create_files_as, smack_kernel_create_files_as), 4654 LSM_HOOK_INIT(task_setpgid, smack_task_setpgid), 4655 LSM_HOOK_INIT(task_getpgid, smack_task_getpgid), 4656 LSM_HOOK_INIT(task_getsid, smack_task_getsid), 4657 LSM_HOOK_INIT(task_getsecid, smack_task_getsecid), 4658 LSM_HOOK_INIT(task_setnice, smack_task_setnice), 4659 LSM_HOOK_INIT(task_setioprio, smack_task_setioprio), 4660 LSM_HOOK_INIT(task_getioprio, smack_task_getioprio), 4661 LSM_HOOK_INIT(task_setscheduler, smack_task_setscheduler), 4662 LSM_HOOK_INIT(task_getscheduler, smack_task_getscheduler), 4663 LSM_HOOK_INIT(task_movememory, smack_task_movememory), 4664 LSM_HOOK_INIT(task_kill, smack_task_kill), 4665 LSM_HOOK_INIT(task_wait, smack_task_wait), 4666 LSM_HOOK_INIT(task_to_inode, smack_task_to_inode), 4667 4668 LSM_HOOK_INIT(ipc_permission, smack_ipc_permission), 4669 LSM_HOOK_INIT(ipc_getsecid, smack_ipc_getsecid), 4670 4671 LSM_HOOK_INIT(msg_msg_alloc_security, smack_msg_msg_alloc_security), 4672 LSM_HOOK_INIT(msg_msg_free_security, smack_msg_msg_free_security), 4673 4674 LSM_HOOK_INIT(msg_queue_alloc_security, smack_msg_queue_alloc_security), 4675 LSM_HOOK_INIT(msg_queue_free_security, smack_msg_queue_free_security), 4676 LSM_HOOK_INIT(msg_queue_associate, smack_msg_queue_associate), 4677 LSM_HOOK_INIT(msg_queue_msgctl, smack_msg_queue_msgctl), 4678 LSM_HOOK_INIT(msg_queue_msgsnd, smack_msg_queue_msgsnd), 4679 LSM_HOOK_INIT(msg_queue_msgrcv, smack_msg_queue_msgrcv), 4680 4681 LSM_HOOK_INIT(shm_alloc_security, smack_shm_alloc_security), 4682 LSM_HOOK_INIT(shm_free_security, smack_shm_free_security), 4683 LSM_HOOK_INIT(shm_associate, smack_shm_associate), 4684 LSM_HOOK_INIT(shm_shmctl, smack_shm_shmctl), 4685 LSM_HOOK_INIT(shm_shmat, smack_shm_shmat), 4686 4687 LSM_HOOK_INIT(sem_alloc_security, smack_sem_alloc_security), 4688 LSM_HOOK_INIT(sem_free_security, smack_sem_free_security), 4689 LSM_HOOK_INIT(sem_associate, smack_sem_associate), 4690 LSM_HOOK_INIT(sem_semctl, smack_sem_semctl), 4691 LSM_HOOK_INIT(sem_semop, smack_sem_semop), 4692 4693 LSM_HOOK_INIT(d_instantiate, smack_d_instantiate), 4694 4695 LSM_HOOK_INIT(getprocattr, smack_getprocattr), 4696 LSM_HOOK_INIT(setprocattr, smack_setprocattr), 4697 4698 LSM_HOOK_INIT(unix_stream_connect, smack_unix_stream_connect), 4699 LSM_HOOK_INIT(unix_may_send, smack_unix_may_send), 4700 4701 LSM_HOOK_INIT(socket_post_create, smack_socket_post_create), 4702 #ifdef SMACK_IPV6_PORT_LABELING 4703 LSM_HOOK_INIT(socket_bind, smack_socket_bind), 4704 #endif 4705 LSM_HOOK_INIT(socket_connect, smack_socket_connect), 4706 LSM_HOOK_INIT(socket_sendmsg, smack_socket_sendmsg), 4707 LSM_HOOK_INIT(socket_sock_rcv_skb, smack_socket_sock_rcv_skb), 4708 LSM_HOOK_INIT(socket_getpeersec_stream, smack_socket_getpeersec_stream), 4709 LSM_HOOK_INIT(socket_getpeersec_dgram, smack_socket_getpeersec_dgram), 4710 LSM_HOOK_INIT(sk_alloc_security, smack_sk_alloc_security), 4711 LSM_HOOK_INIT(sk_free_security, smack_sk_free_security), 4712 LSM_HOOK_INIT(sock_graft, smack_sock_graft), 4713 LSM_HOOK_INIT(inet_conn_request, smack_inet_conn_request), 4714 LSM_HOOK_INIT(inet_csk_clone, smack_inet_csk_clone), 4715 4716 /* key management security hooks */ 4717 #ifdef CONFIG_KEYS 4718 LSM_HOOK_INIT(key_alloc, smack_key_alloc), 4719 LSM_HOOK_INIT(key_free, smack_key_free), 4720 LSM_HOOK_INIT(key_permission, smack_key_permission), 4721 LSM_HOOK_INIT(key_getsecurity, smack_key_getsecurity), 4722 #endif /* CONFIG_KEYS */ 4723 4724 /* Audit hooks */ 4725 #ifdef CONFIG_AUDIT 4726 LSM_HOOK_INIT(audit_rule_init, smack_audit_rule_init), 4727 LSM_HOOK_INIT(audit_rule_known, smack_audit_rule_known), 4728 LSM_HOOK_INIT(audit_rule_match, smack_audit_rule_match), 4729 LSM_HOOK_INIT(audit_rule_free, smack_audit_rule_free), 4730 #endif /* CONFIG_AUDIT */ 4731 4732 LSM_HOOK_INIT(ismaclabel, smack_ismaclabel), 4733 LSM_HOOK_INIT(secid_to_secctx, smack_secid_to_secctx), 4734 LSM_HOOK_INIT(secctx_to_secid, smack_secctx_to_secid), 4735 LSM_HOOK_INIT(release_secctx, smack_release_secctx), 4736 LSM_HOOK_INIT(inode_notifysecctx, smack_inode_notifysecctx), 4737 LSM_HOOK_INIT(inode_setsecctx, smack_inode_setsecctx), 4738 LSM_HOOK_INIT(inode_getsecctx, smack_inode_getsecctx), 4739 }; 4740 4741 4742 static __init void init_smack_known_list(void) 4743 { 4744 /* 4745 * Initialize rule list locks 4746 */ 4747 mutex_init(&smack_known_huh.smk_rules_lock); 4748 mutex_init(&smack_known_hat.smk_rules_lock); 4749 mutex_init(&smack_known_floor.smk_rules_lock); 4750 mutex_init(&smack_known_star.smk_rules_lock); 4751 mutex_init(&smack_known_invalid.smk_rules_lock); 4752 mutex_init(&smack_known_web.smk_rules_lock); 4753 /* 4754 * Initialize rule lists 4755 */ 4756 INIT_LIST_HEAD(&smack_known_huh.smk_rules); 4757 INIT_LIST_HEAD(&smack_known_hat.smk_rules); 4758 INIT_LIST_HEAD(&smack_known_star.smk_rules); 4759 INIT_LIST_HEAD(&smack_known_floor.smk_rules); 4760 INIT_LIST_HEAD(&smack_known_invalid.smk_rules); 4761 INIT_LIST_HEAD(&smack_known_web.smk_rules); 4762 /* 4763 * Create the known labels list 4764 */ 4765 smk_insert_entry(&smack_known_huh); 4766 smk_insert_entry(&smack_known_hat); 4767 smk_insert_entry(&smack_known_star); 4768 smk_insert_entry(&smack_known_floor); 4769 smk_insert_entry(&smack_known_invalid); 4770 smk_insert_entry(&smack_known_web); 4771 } 4772 4773 /** 4774 * smack_init - initialize the smack system 4775 * 4776 * Returns 0 4777 */ 4778 static __init int smack_init(void) 4779 { 4780 struct cred *cred; 4781 struct task_smack *tsp; 4782 4783 if (!security_module_enable("smack")) 4784 return 0; 4785 4786 smack_inode_cache = KMEM_CACHE(inode_smack, 0); 4787 if (!smack_inode_cache) 4788 return -ENOMEM; 4789 4790 tsp = new_task_smack(&smack_known_floor, &smack_known_floor, 4791 GFP_KERNEL); 4792 if (tsp == NULL) { 4793 kmem_cache_destroy(smack_inode_cache); 4794 return -ENOMEM; 4795 } 4796 4797 smack_enabled = 1; 4798 4799 pr_info("Smack: Initializing.\n"); 4800 #ifdef CONFIG_SECURITY_SMACK_NETFILTER 4801 pr_info("Smack: Netfilter enabled.\n"); 4802 #endif 4803 #ifdef SMACK_IPV6_PORT_LABELING 4804 pr_info("Smack: IPv6 port labeling enabled.\n"); 4805 #endif 4806 #ifdef SMACK_IPV6_SECMARK_LABELING 4807 pr_info("Smack: IPv6 Netfilter enabled.\n"); 4808 #endif 4809 4810 /* 4811 * Set the security state for the initial task. 4812 */ 4813 cred = (struct cred *) current->cred; 4814 cred->security = tsp; 4815 4816 /* initialize the smack_known_list */ 4817 init_smack_known_list(); 4818 4819 /* 4820 * Register with LSM 4821 */ 4822 security_add_hooks(smack_hooks, ARRAY_SIZE(smack_hooks)); 4823 4824 return 0; 4825 } 4826 4827 /* 4828 * Smack requires early initialization in order to label 4829 * all processes and objects when they are created. 4830 */ 4831 security_initcall(smack_init); 4832