1 /* 2 * Simplified MAC Kernel (smack) security module 3 * 4 * This file contains the smack hook function implementations. 5 * 6 * Author: 7 * Casey Schaufler <casey@schaufler-ca.com> 8 * 9 * Copyright (C) 2007 Casey Schaufler <casey@schaufler-ca.com> 10 * Copyright (C) 2009 Hewlett-Packard Development Company, L.P. 11 * Paul Moore <paul.moore@hp.com> 12 * 13 * This program is free software; you can redistribute it and/or modify 14 * it under the terms of the GNU General Public License version 2, 15 * as published by the Free Software Foundation. 16 */ 17 18 #include <linux/xattr.h> 19 #include <linux/pagemap.h> 20 #include <linux/mount.h> 21 #include <linux/stat.h> 22 #include <linux/ext2_fs.h> 23 #include <linux/kd.h> 24 #include <asm/ioctls.h> 25 #include <linux/ip.h> 26 #include <linux/tcp.h> 27 #include <linux/udp.h> 28 #include <linux/mutex.h> 29 #include <linux/pipe_fs_i.h> 30 #include <net/netlabel.h> 31 #include <net/cipso_ipv4.h> 32 #include <linux/audit.h> 33 34 #include "smack.h" 35 36 #define task_security(task) (task_cred_xxx((task), security)) 37 38 /* 39 * I hope these are the hokeyist lines of code in the module. Casey. 40 */ 41 #define DEVPTS_SUPER_MAGIC 0x1cd1 42 #define SOCKFS_MAGIC 0x534F434B 43 #define TMPFS_MAGIC 0x01021994 44 45 /** 46 * smk_fetch - Fetch the smack label from a file. 47 * @ip: a pointer to the inode 48 * @dp: a pointer to the dentry 49 * 50 * Returns a pointer to the master list entry for the Smack label 51 * or NULL if there was no label to fetch. 52 */ 53 static char *smk_fetch(struct inode *ip, struct dentry *dp) 54 { 55 int rc; 56 char in[SMK_LABELLEN]; 57 58 if (ip->i_op->getxattr == NULL) 59 return NULL; 60 61 rc = ip->i_op->getxattr(dp, XATTR_NAME_SMACK, in, SMK_LABELLEN); 62 if (rc < 0) 63 return NULL; 64 65 return smk_import(in, rc); 66 } 67 68 /** 69 * new_inode_smack - allocate an inode security blob 70 * @smack: a pointer to the Smack label to use in the blob 71 * 72 * Returns the new blob or NULL if there's no memory available 73 */ 74 struct inode_smack *new_inode_smack(char *smack) 75 { 76 struct inode_smack *isp; 77 78 isp = kzalloc(sizeof(struct inode_smack), GFP_KERNEL); 79 if (isp == NULL) 80 return NULL; 81 82 isp->smk_inode = smack; 83 isp->smk_flags = 0; 84 mutex_init(&isp->smk_lock); 85 86 return isp; 87 } 88 89 /* 90 * LSM hooks. 91 * We he, that is fun! 92 */ 93 94 /** 95 * smack_ptrace_may_access - Smack approval on PTRACE_ATTACH 96 * @ctp: child task pointer 97 * @mode: ptrace attachment mode 98 * 99 * Returns 0 if access is OK, an error code otherwise 100 * 101 * Do the capability checks, and require read and write. 102 */ 103 static int smack_ptrace_may_access(struct task_struct *ctp, unsigned int mode) 104 { 105 int rc; 106 107 rc = cap_ptrace_may_access(ctp, mode); 108 if (rc != 0) 109 return rc; 110 111 rc = smk_access(current_security(), task_security(ctp), MAY_READWRITE); 112 if (rc != 0 && capable(CAP_MAC_OVERRIDE)) 113 return 0; 114 return rc; 115 } 116 117 /** 118 * smack_ptrace_traceme - Smack approval on PTRACE_TRACEME 119 * @ptp: parent task pointer 120 * 121 * Returns 0 if access is OK, an error code otherwise 122 * 123 * Do the capability checks, and require read and write. 124 */ 125 static int smack_ptrace_traceme(struct task_struct *ptp) 126 { 127 int rc; 128 129 rc = cap_ptrace_traceme(ptp); 130 if (rc != 0) 131 return rc; 132 133 rc = smk_access(task_security(ptp), current_security(), MAY_READWRITE); 134 if (rc != 0 && has_capability(ptp, CAP_MAC_OVERRIDE)) 135 return 0; 136 return rc; 137 } 138 139 /** 140 * smack_syslog - Smack approval on syslog 141 * @type: message type 142 * 143 * Require that the task has the floor label 144 * 145 * Returns 0 on success, error code otherwise. 146 */ 147 static int smack_syslog(int type) 148 { 149 int rc; 150 char *sp = current_security(); 151 152 rc = cap_syslog(type); 153 if (rc != 0) 154 return rc; 155 156 if (capable(CAP_MAC_OVERRIDE)) 157 return 0; 158 159 if (sp != smack_known_floor.smk_known) 160 rc = -EACCES; 161 162 return rc; 163 } 164 165 166 /* 167 * Superblock Hooks. 168 */ 169 170 /** 171 * smack_sb_alloc_security - allocate a superblock blob 172 * @sb: the superblock getting the blob 173 * 174 * Returns 0 on success or -ENOMEM on error. 175 */ 176 static int smack_sb_alloc_security(struct super_block *sb) 177 { 178 struct superblock_smack *sbsp; 179 180 sbsp = kzalloc(sizeof(struct superblock_smack), GFP_KERNEL); 181 182 if (sbsp == NULL) 183 return -ENOMEM; 184 185 sbsp->smk_root = smack_known_floor.smk_known; 186 sbsp->smk_default = smack_known_floor.smk_known; 187 sbsp->smk_floor = smack_known_floor.smk_known; 188 sbsp->smk_hat = smack_known_hat.smk_known; 189 sbsp->smk_initialized = 0; 190 spin_lock_init(&sbsp->smk_sblock); 191 192 sb->s_security = sbsp; 193 194 return 0; 195 } 196 197 /** 198 * smack_sb_free_security - free a superblock blob 199 * @sb: the superblock getting the blob 200 * 201 */ 202 static void smack_sb_free_security(struct super_block *sb) 203 { 204 kfree(sb->s_security); 205 sb->s_security = NULL; 206 } 207 208 /** 209 * smack_sb_copy_data - copy mount options data for processing 210 * @orig: where to start 211 * @smackopts: mount options string 212 * 213 * Returns 0 on success or -ENOMEM on error. 214 * 215 * Copy the Smack specific mount options out of the mount 216 * options list. 217 */ 218 static int smack_sb_copy_data(char *orig, char *smackopts) 219 { 220 char *cp, *commap, *otheropts, *dp; 221 222 otheropts = (char *)get_zeroed_page(GFP_KERNEL); 223 if (otheropts == NULL) 224 return -ENOMEM; 225 226 for (cp = orig, commap = orig; commap != NULL; cp = commap + 1) { 227 if (strstr(cp, SMK_FSDEFAULT) == cp) 228 dp = smackopts; 229 else if (strstr(cp, SMK_FSFLOOR) == cp) 230 dp = smackopts; 231 else if (strstr(cp, SMK_FSHAT) == cp) 232 dp = smackopts; 233 else if (strstr(cp, SMK_FSROOT) == cp) 234 dp = smackopts; 235 else 236 dp = otheropts; 237 238 commap = strchr(cp, ','); 239 if (commap != NULL) 240 *commap = '\0'; 241 242 if (*dp != '\0') 243 strcat(dp, ","); 244 strcat(dp, cp); 245 } 246 247 strcpy(orig, otheropts); 248 free_page((unsigned long)otheropts); 249 250 return 0; 251 } 252 253 /** 254 * smack_sb_kern_mount - Smack specific mount processing 255 * @sb: the file system superblock 256 * @flags: the mount flags 257 * @data: the smack mount options 258 * 259 * Returns 0 on success, an error code on failure 260 */ 261 static int smack_sb_kern_mount(struct super_block *sb, int flags, void *data) 262 { 263 struct dentry *root = sb->s_root; 264 struct inode *inode = root->d_inode; 265 struct superblock_smack *sp = sb->s_security; 266 struct inode_smack *isp; 267 char *op; 268 char *commap; 269 char *nsp; 270 271 spin_lock(&sp->smk_sblock); 272 if (sp->smk_initialized != 0) { 273 spin_unlock(&sp->smk_sblock); 274 return 0; 275 } 276 sp->smk_initialized = 1; 277 spin_unlock(&sp->smk_sblock); 278 279 for (op = data; op != NULL; op = commap) { 280 commap = strchr(op, ','); 281 if (commap != NULL) 282 *commap++ = '\0'; 283 284 if (strncmp(op, SMK_FSHAT, strlen(SMK_FSHAT)) == 0) { 285 op += strlen(SMK_FSHAT); 286 nsp = smk_import(op, 0); 287 if (nsp != NULL) 288 sp->smk_hat = nsp; 289 } else if (strncmp(op, SMK_FSFLOOR, strlen(SMK_FSFLOOR)) == 0) { 290 op += strlen(SMK_FSFLOOR); 291 nsp = smk_import(op, 0); 292 if (nsp != NULL) 293 sp->smk_floor = nsp; 294 } else if (strncmp(op, SMK_FSDEFAULT, 295 strlen(SMK_FSDEFAULT)) == 0) { 296 op += strlen(SMK_FSDEFAULT); 297 nsp = smk_import(op, 0); 298 if (nsp != NULL) 299 sp->smk_default = nsp; 300 } else if (strncmp(op, SMK_FSROOT, strlen(SMK_FSROOT)) == 0) { 301 op += strlen(SMK_FSROOT); 302 nsp = smk_import(op, 0); 303 if (nsp != NULL) 304 sp->smk_root = nsp; 305 } 306 } 307 308 /* 309 * Initialize the root inode. 310 */ 311 isp = inode->i_security; 312 if (isp == NULL) 313 inode->i_security = new_inode_smack(sp->smk_root); 314 else 315 isp->smk_inode = sp->smk_root; 316 317 return 0; 318 } 319 320 /** 321 * smack_sb_statfs - Smack check on statfs 322 * @dentry: identifies the file system in question 323 * 324 * Returns 0 if current can read the floor of the filesystem, 325 * and error code otherwise 326 */ 327 static int smack_sb_statfs(struct dentry *dentry) 328 { 329 struct superblock_smack *sbp = dentry->d_sb->s_security; 330 331 return smk_curacc(sbp->smk_floor, MAY_READ); 332 } 333 334 /** 335 * smack_sb_mount - Smack check for mounting 336 * @dev_name: unused 337 * @path: mount point 338 * @type: unused 339 * @flags: unused 340 * @data: unused 341 * 342 * Returns 0 if current can write the floor of the filesystem 343 * being mounted on, an error code otherwise. 344 */ 345 static int smack_sb_mount(char *dev_name, struct path *path, 346 char *type, unsigned long flags, void *data) 347 { 348 struct superblock_smack *sbp = path->mnt->mnt_sb->s_security; 349 350 return smk_curacc(sbp->smk_floor, MAY_WRITE); 351 } 352 353 /** 354 * smack_sb_umount - Smack check for unmounting 355 * @mnt: file system to unmount 356 * @flags: unused 357 * 358 * Returns 0 if current can write the floor of the filesystem 359 * being unmounted, an error code otherwise. 360 */ 361 static int smack_sb_umount(struct vfsmount *mnt, int flags) 362 { 363 struct superblock_smack *sbp; 364 365 sbp = mnt->mnt_sb->s_security; 366 367 return smk_curacc(sbp->smk_floor, MAY_WRITE); 368 } 369 370 /* 371 * Inode hooks 372 */ 373 374 /** 375 * smack_inode_alloc_security - allocate an inode blob 376 * @inode: the inode in need of a blob 377 * 378 * Returns 0 if it gets a blob, -ENOMEM otherwise 379 */ 380 static int smack_inode_alloc_security(struct inode *inode) 381 { 382 inode->i_security = new_inode_smack(current_security()); 383 if (inode->i_security == NULL) 384 return -ENOMEM; 385 return 0; 386 } 387 388 /** 389 * smack_inode_free_security - free an inode blob 390 * @inode: the inode with a blob 391 * 392 * Clears the blob pointer in inode 393 */ 394 static void smack_inode_free_security(struct inode *inode) 395 { 396 kfree(inode->i_security); 397 inode->i_security = NULL; 398 } 399 400 /** 401 * smack_inode_init_security - copy out the smack from an inode 402 * @inode: the inode 403 * @dir: unused 404 * @name: where to put the attribute name 405 * @value: where to put the attribute value 406 * @len: where to put the length of the attribute 407 * 408 * Returns 0 if it all works out, -ENOMEM if there's no memory 409 */ 410 static int smack_inode_init_security(struct inode *inode, struct inode *dir, 411 char **name, void **value, size_t *len) 412 { 413 char *isp = smk_of_inode(inode); 414 415 if (name) { 416 *name = kstrdup(XATTR_SMACK_SUFFIX, GFP_KERNEL); 417 if (*name == NULL) 418 return -ENOMEM; 419 } 420 421 if (value) { 422 *value = kstrdup(isp, GFP_KERNEL); 423 if (*value == NULL) 424 return -ENOMEM; 425 } 426 427 if (len) 428 *len = strlen(isp) + 1; 429 430 return 0; 431 } 432 433 /** 434 * smack_inode_link - Smack check on link 435 * @old_dentry: the existing object 436 * @dir: unused 437 * @new_dentry: the new object 438 * 439 * Returns 0 if access is permitted, an error code otherwise 440 */ 441 static int smack_inode_link(struct dentry *old_dentry, struct inode *dir, 442 struct dentry *new_dentry) 443 { 444 int rc; 445 char *isp; 446 447 isp = smk_of_inode(old_dentry->d_inode); 448 rc = smk_curacc(isp, MAY_WRITE); 449 450 if (rc == 0 && new_dentry->d_inode != NULL) { 451 isp = smk_of_inode(new_dentry->d_inode); 452 rc = smk_curacc(isp, MAY_WRITE); 453 } 454 455 return rc; 456 } 457 458 /** 459 * smack_inode_unlink - Smack check on inode deletion 460 * @dir: containing directory object 461 * @dentry: file to unlink 462 * 463 * Returns 0 if current can write the containing directory 464 * and the object, error code otherwise 465 */ 466 static int smack_inode_unlink(struct inode *dir, struct dentry *dentry) 467 { 468 struct inode *ip = dentry->d_inode; 469 int rc; 470 471 /* 472 * You need write access to the thing you're unlinking 473 */ 474 rc = smk_curacc(smk_of_inode(ip), MAY_WRITE); 475 if (rc == 0) 476 /* 477 * You also need write access to the containing directory 478 */ 479 rc = smk_curacc(smk_of_inode(dir), MAY_WRITE); 480 481 return rc; 482 } 483 484 /** 485 * smack_inode_rmdir - Smack check on directory deletion 486 * @dir: containing directory object 487 * @dentry: directory to unlink 488 * 489 * Returns 0 if current can write the containing directory 490 * and the directory, error code otherwise 491 */ 492 static int smack_inode_rmdir(struct inode *dir, struct dentry *dentry) 493 { 494 int rc; 495 496 /* 497 * You need write access to the thing you're removing 498 */ 499 rc = smk_curacc(smk_of_inode(dentry->d_inode), MAY_WRITE); 500 if (rc == 0) 501 /* 502 * You also need write access to the containing directory 503 */ 504 rc = smk_curacc(smk_of_inode(dir), MAY_WRITE); 505 506 return rc; 507 } 508 509 /** 510 * smack_inode_rename - Smack check on rename 511 * @old_inode: the old directory 512 * @old_dentry: unused 513 * @new_inode: the new directory 514 * @new_dentry: unused 515 * 516 * Read and write access is required on both the old and 517 * new directories. 518 * 519 * Returns 0 if access is permitted, an error code otherwise 520 */ 521 static int smack_inode_rename(struct inode *old_inode, 522 struct dentry *old_dentry, 523 struct inode *new_inode, 524 struct dentry *new_dentry) 525 { 526 int rc; 527 char *isp; 528 529 isp = smk_of_inode(old_dentry->d_inode); 530 rc = smk_curacc(isp, MAY_READWRITE); 531 532 if (rc == 0 && new_dentry->d_inode != NULL) { 533 isp = smk_of_inode(new_dentry->d_inode); 534 rc = smk_curacc(isp, MAY_READWRITE); 535 } 536 537 return rc; 538 } 539 540 /** 541 * smack_inode_permission - Smack version of permission() 542 * @inode: the inode in question 543 * @mask: the access requested 544 * 545 * This is the important Smack hook. 546 * 547 * Returns 0 if access is permitted, -EACCES otherwise 548 */ 549 static int smack_inode_permission(struct inode *inode, int mask) 550 { 551 /* 552 * No permission to check. Existence test. Yup, it's there. 553 */ 554 if (mask == 0) 555 return 0; 556 557 return smk_curacc(smk_of_inode(inode), mask); 558 } 559 560 /** 561 * smack_inode_setattr - Smack check for setting attributes 562 * @dentry: the object 563 * @iattr: for the force flag 564 * 565 * Returns 0 if access is permitted, an error code otherwise 566 */ 567 static int smack_inode_setattr(struct dentry *dentry, struct iattr *iattr) 568 { 569 /* 570 * Need to allow for clearing the setuid bit. 571 */ 572 if (iattr->ia_valid & ATTR_FORCE) 573 return 0; 574 575 return smk_curacc(smk_of_inode(dentry->d_inode), MAY_WRITE); 576 } 577 578 /** 579 * smack_inode_getattr - Smack check for getting attributes 580 * @mnt: unused 581 * @dentry: the object 582 * 583 * Returns 0 if access is permitted, an error code otherwise 584 */ 585 static int smack_inode_getattr(struct vfsmount *mnt, struct dentry *dentry) 586 { 587 return smk_curacc(smk_of_inode(dentry->d_inode), MAY_READ); 588 } 589 590 /** 591 * smack_inode_setxattr - Smack check for setting xattrs 592 * @dentry: the object 593 * @name: name of the attribute 594 * @value: unused 595 * @size: unused 596 * @flags: unused 597 * 598 * This protects the Smack attribute explicitly. 599 * 600 * Returns 0 if access is permitted, an error code otherwise 601 */ 602 static int smack_inode_setxattr(struct dentry *dentry, const char *name, 603 const void *value, size_t size, int flags) 604 { 605 int rc = 0; 606 607 if (strcmp(name, XATTR_NAME_SMACK) == 0 || 608 strcmp(name, XATTR_NAME_SMACKIPIN) == 0 || 609 strcmp(name, XATTR_NAME_SMACKIPOUT) == 0) { 610 if (!capable(CAP_MAC_ADMIN)) 611 rc = -EPERM; 612 /* a label cannot be void and cannot begin with '-' */ 613 if (size == 0 || (size > 0 && ((char *)value)[0] == '-')) 614 rc = -EINVAL; 615 } else 616 rc = cap_inode_setxattr(dentry, name, value, size, flags); 617 618 if (rc == 0) 619 rc = smk_curacc(smk_of_inode(dentry->d_inode), MAY_WRITE); 620 621 return rc; 622 } 623 624 /** 625 * smack_inode_post_setxattr - Apply the Smack update approved above 626 * @dentry: object 627 * @name: attribute name 628 * @value: attribute value 629 * @size: attribute size 630 * @flags: unused 631 * 632 * Set the pointer in the inode blob to the entry found 633 * in the master label list. 634 */ 635 static void smack_inode_post_setxattr(struct dentry *dentry, const char *name, 636 const void *value, size_t size, int flags) 637 { 638 struct inode_smack *isp; 639 char *nsp; 640 641 /* 642 * Not SMACK 643 */ 644 if (strcmp(name, XATTR_NAME_SMACK)) 645 return; 646 647 if (size >= SMK_LABELLEN) 648 return; 649 650 isp = dentry->d_inode->i_security; 651 652 /* 653 * No locking is done here. This is a pointer 654 * assignment. 655 */ 656 nsp = smk_import(value, size); 657 if (nsp != NULL) 658 isp->smk_inode = nsp; 659 else 660 isp->smk_inode = smack_known_invalid.smk_known; 661 662 return; 663 } 664 665 /* 666 * smack_inode_getxattr - Smack check on getxattr 667 * @dentry: the object 668 * @name: unused 669 * 670 * Returns 0 if access is permitted, an error code otherwise 671 */ 672 static int smack_inode_getxattr(struct dentry *dentry, const char *name) 673 { 674 return smk_curacc(smk_of_inode(dentry->d_inode), MAY_READ); 675 } 676 677 /* 678 * smack_inode_removexattr - Smack check on removexattr 679 * @dentry: the object 680 * @name: name of the attribute 681 * 682 * Removing the Smack attribute requires CAP_MAC_ADMIN 683 * 684 * Returns 0 if access is permitted, an error code otherwise 685 */ 686 static int smack_inode_removexattr(struct dentry *dentry, const char *name) 687 { 688 int rc = 0; 689 690 if (strcmp(name, XATTR_NAME_SMACK) == 0 || 691 strcmp(name, XATTR_NAME_SMACKIPIN) == 0 || 692 strcmp(name, XATTR_NAME_SMACKIPOUT) == 0) { 693 if (!capable(CAP_MAC_ADMIN)) 694 rc = -EPERM; 695 } else 696 rc = cap_inode_removexattr(dentry, name); 697 698 if (rc == 0) 699 rc = smk_curacc(smk_of_inode(dentry->d_inode), MAY_WRITE); 700 701 return rc; 702 } 703 704 /** 705 * smack_inode_getsecurity - get smack xattrs 706 * @inode: the object 707 * @name: attribute name 708 * @buffer: where to put the result 709 * @alloc: unused 710 * 711 * Returns the size of the attribute or an error code 712 */ 713 static int smack_inode_getsecurity(const struct inode *inode, 714 const char *name, void **buffer, 715 bool alloc) 716 { 717 struct socket_smack *ssp; 718 struct socket *sock; 719 struct super_block *sbp; 720 struct inode *ip = (struct inode *)inode; 721 char *isp; 722 int ilen; 723 int rc = 0; 724 725 if (strcmp(name, XATTR_SMACK_SUFFIX) == 0) { 726 isp = smk_of_inode(inode); 727 ilen = strlen(isp) + 1; 728 *buffer = isp; 729 return ilen; 730 } 731 732 /* 733 * The rest of the Smack xattrs are only on sockets. 734 */ 735 sbp = ip->i_sb; 736 if (sbp->s_magic != SOCKFS_MAGIC) 737 return -EOPNOTSUPP; 738 739 sock = SOCKET_I(ip); 740 if (sock == NULL || sock->sk == NULL) 741 return -EOPNOTSUPP; 742 743 ssp = sock->sk->sk_security; 744 745 if (strcmp(name, XATTR_SMACK_IPIN) == 0) 746 isp = ssp->smk_in; 747 else if (strcmp(name, XATTR_SMACK_IPOUT) == 0) 748 isp = ssp->smk_out; 749 else 750 return -EOPNOTSUPP; 751 752 ilen = strlen(isp) + 1; 753 if (rc == 0) { 754 *buffer = isp; 755 rc = ilen; 756 } 757 758 return rc; 759 } 760 761 762 /** 763 * smack_inode_listsecurity - list the Smack attributes 764 * @inode: the object 765 * @buffer: where they go 766 * @buffer_size: size of buffer 767 * 768 * Returns 0 on success, -EINVAL otherwise 769 */ 770 static int smack_inode_listsecurity(struct inode *inode, char *buffer, 771 size_t buffer_size) 772 { 773 int len = strlen(XATTR_NAME_SMACK); 774 775 if (buffer != NULL && len <= buffer_size) { 776 memcpy(buffer, XATTR_NAME_SMACK, len); 777 return len; 778 } 779 return -EINVAL; 780 } 781 782 /** 783 * smack_inode_getsecid - Extract inode's security id 784 * @inode: inode to extract the info from 785 * @secid: where result will be saved 786 */ 787 static void smack_inode_getsecid(const struct inode *inode, u32 *secid) 788 { 789 struct inode_smack *isp = inode->i_security; 790 791 *secid = smack_to_secid(isp->smk_inode); 792 } 793 794 /* 795 * File Hooks 796 */ 797 798 /** 799 * smack_file_permission - Smack check on file operations 800 * @file: unused 801 * @mask: unused 802 * 803 * Returns 0 804 * 805 * Should access checks be done on each read or write? 806 * UNICOS and SELinux say yes. 807 * Trusted Solaris, Trusted Irix, and just about everyone else says no. 808 * 809 * I'll say no for now. Smack does not do the frequent 810 * label changing that SELinux does. 811 */ 812 static int smack_file_permission(struct file *file, int mask) 813 { 814 return 0; 815 } 816 817 /** 818 * smack_file_alloc_security - assign a file security blob 819 * @file: the object 820 * 821 * The security blob for a file is a pointer to the master 822 * label list, so no allocation is done. 823 * 824 * Returns 0 825 */ 826 static int smack_file_alloc_security(struct file *file) 827 { 828 file->f_security = current_security(); 829 return 0; 830 } 831 832 /** 833 * smack_file_free_security - clear a file security blob 834 * @file: the object 835 * 836 * The security blob for a file is a pointer to the master 837 * label list, so no memory is freed. 838 */ 839 static void smack_file_free_security(struct file *file) 840 { 841 file->f_security = NULL; 842 } 843 844 /** 845 * smack_file_ioctl - Smack check on ioctls 846 * @file: the object 847 * @cmd: what to do 848 * @arg: unused 849 * 850 * Relies heavily on the correct use of the ioctl command conventions. 851 * 852 * Returns 0 if allowed, error code otherwise 853 */ 854 static int smack_file_ioctl(struct file *file, unsigned int cmd, 855 unsigned long arg) 856 { 857 int rc = 0; 858 859 if (_IOC_DIR(cmd) & _IOC_WRITE) 860 rc = smk_curacc(file->f_security, MAY_WRITE); 861 862 if (rc == 0 && (_IOC_DIR(cmd) & _IOC_READ)) 863 rc = smk_curacc(file->f_security, MAY_READ); 864 865 return rc; 866 } 867 868 /** 869 * smack_file_lock - Smack check on file locking 870 * @file: the object 871 * @cmd: unused 872 * 873 * Returns 0 if current has write access, error code otherwise 874 */ 875 static int smack_file_lock(struct file *file, unsigned int cmd) 876 { 877 return smk_curacc(file->f_security, MAY_WRITE); 878 } 879 880 /** 881 * smack_file_fcntl - Smack check on fcntl 882 * @file: the object 883 * @cmd: what action to check 884 * @arg: unused 885 * 886 * Returns 0 if current has access, error code otherwise 887 */ 888 static int smack_file_fcntl(struct file *file, unsigned int cmd, 889 unsigned long arg) 890 { 891 int rc; 892 893 switch (cmd) { 894 case F_DUPFD: 895 case F_GETFD: 896 case F_GETFL: 897 case F_GETLK: 898 case F_GETOWN: 899 case F_GETSIG: 900 rc = smk_curacc(file->f_security, MAY_READ); 901 break; 902 case F_SETFD: 903 case F_SETFL: 904 case F_SETLK: 905 case F_SETLKW: 906 case F_SETOWN: 907 case F_SETSIG: 908 rc = smk_curacc(file->f_security, MAY_WRITE); 909 break; 910 default: 911 rc = smk_curacc(file->f_security, MAY_READWRITE); 912 } 913 914 return rc; 915 } 916 917 /** 918 * smack_file_set_fowner - set the file security blob value 919 * @file: object in question 920 * 921 * Returns 0 922 * Further research may be required on this one. 923 */ 924 static int smack_file_set_fowner(struct file *file) 925 { 926 file->f_security = current_security(); 927 return 0; 928 } 929 930 /** 931 * smack_file_send_sigiotask - Smack on sigio 932 * @tsk: The target task 933 * @fown: the object the signal come from 934 * @signum: unused 935 * 936 * Allow a privileged task to get signals even if it shouldn't 937 * 938 * Returns 0 if a subject with the object's smack could 939 * write to the task, an error code otherwise. 940 */ 941 static int smack_file_send_sigiotask(struct task_struct *tsk, 942 struct fown_struct *fown, int signum) 943 { 944 struct file *file; 945 int rc; 946 947 /* 948 * struct fown_struct is never outside the context of a struct file 949 */ 950 file = container_of(fown, struct file, f_owner); 951 rc = smk_access(file->f_security, tsk->cred->security, MAY_WRITE); 952 if (rc != 0 && has_capability(tsk, CAP_MAC_OVERRIDE)) 953 return 0; 954 return rc; 955 } 956 957 /** 958 * smack_file_receive - Smack file receive check 959 * @file: the object 960 * 961 * Returns 0 if current has access, error code otherwise 962 */ 963 static int smack_file_receive(struct file *file) 964 { 965 int may = 0; 966 967 /* 968 * This code relies on bitmasks. 969 */ 970 if (file->f_mode & FMODE_READ) 971 may = MAY_READ; 972 if (file->f_mode & FMODE_WRITE) 973 may |= MAY_WRITE; 974 975 return smk_curacc(file->f_security, may); 976 } 977 978 /* 979 * Task hooks 980 */ 981 982 /** 983 * smack_cred_free - "free" task-level security credentials 984 * @cred: the credentials in question 985 * 986 * Smack isn't using copies of blobs. Everyone 987 * points to an immutable list. The blobs never go away. 988 * There is no leak here. 989 */ 990 static void smack_cred_free(struct cred *cred) 991 { 992 cred->security = NULL; 993 } 994 995 /** 996 * smack_cred_prepare - prepare new set of credentials for modification 997 * @new: the new credentials 998 * @old: the original credentials 999 * @gfp: the atomicity of any memory allocations 1000 * 1001 * Prepare a new set of credentials for modification. 1002 */ 1003 static int smack_cred_prepare(struct cred *new, const struct cred *old, 1004 gfp_t gfp) 1005 { 1006 new->security = old->security; 1007 return 0; 1008 } 1009 1010 /** 1011 * smack_cred_commit - commit new credentials 1012 * @new: the new credentials 1013 * @old: the original credentials 1014 */ 1015 static void smack_cred_commit(struct cred *new, const struct cred *old) 1016 { 1017 } 1018 1019 /** 1020 * smack_kernel_act_as - Set the subjective context in a set of credentials 1021 * @new: points to the set of credentials to be modified. 1022 * @secid: specifies the security ID to be set 1023 * 1024 * Set the security data for a kernel service. 1025 */ 1026 static int smack_kernel_act_as(struct cred *new, u32 secid) 1027 { 1028 char *smack = smack_from_secid(secid); 1029 1030 if (smack == NULL) 1031 return -EINVAL; 1032 1033 new->security = smack; 1034 return 0; 1035 } 1036 1037 /** 1038 * smack_kernel_create_files_as - Set the file creation label in a set of creds 1039 * @new: points to the set of credentials to be modified 1040 * @inode: points to the inode to use as a reference 1041 * 1042 * Set the file creation context in a set of credentials to the same 1043 * as the objective context of the specified inode 1044 */ 1045 static int smack_kernel_create_files_as(struct cred *new, 1046 struct inode *inode) 1047 { 1048 struct inode_smack *isp = inode->i_security; 1049 1050 new->security = isp->smk_inode; 1051 return 0; 1052 } 1053 1054 /** 1055 * smack_task_setpgid - Smack check on setting pgid 1056 * @p: the task object 1057 * @pgid: unused 1058 * 1059 * Return 0 if write access is permitted 1060 */ 1061 static int smack_task_setpgid(struct task_struct *p, pid_t pgid) 1062 { 1063 return smk_curacc(task_security(p), MAY_WRITE); 1064 } 1065 1066 /** 1067 * smack_task_getpgid - Smack access check for getpgid 1068 * @p: the object task 1069 * 1070 * Returns 0 if current can read the object task, error code otherwise 1071 */ 1072 static int smack_task_getpgid(struct task_struct *p) 1073 { 1074 return smk_curacc(task_security(p), MAY_READ); 1075 } 1076 1077 /** 1078 * smack_task_getsid - Smack access check for getsid 1079 * @p: the object task 1080 * 1081 * Returns 0 if current can read the object task, error code otherwise 1082 */ 1083 static int smack_task_getsid(struct task_struct *p) 1084 { 1085 return smk_curacc(task_security(p), MAY_READ); 1086 } 1087 1088 /** 1089 * smack_task_getsecid - get the secid of the task 1090 * @p: the object task 1091 * @secid: where to put the result 1092 * 1093 * Sets the secid to contain a u32 version of the smack label. 1094 */ 1095 static void smack_task_getsecid(struct task_struct *p, u32 *secid) 1096 { 1097 *secid = smack_to_secid(task_security(p)); 1098 } 1099 1100 /** 1101 * smack_task_setnice - Smack check on setting nice 1102 * @p: the task object 1103 * @nice: unused 1104 * 1105 * Return 0 if write access is permitted 1106 */ 1107 static int smack_task_setnice(struct task_struct *p, int nice) 1108 { 1109 int rc; 1110 1111 rc = cap_task_setnice(p, nice); 1112 if (rc == 0) 1113 rc = smk_curacc(task_security(p), MAY_WRITE); 1114 return rc; 1115 } 1116 1117 /** 1118 * smack_task_setioprio - Smack check on setting ioprio 1119 * @p: the task object 1120 * @ioprio: unused 1121 * 1122 * Return 0 if write access is permitted 1123 */ 1124 static int smack_task_setioprio(struct task_struct *p, int ioprio) 1125 { 1126 int rc; 1127 1128 rc = cap_task_setioprio(p, ioprio); 1129 if (rc == 0) 1130 rc = smk_curacc(task_security(p), MAY_WRITE); 1131 return rc; 1132 } 1133 1134 /** 1135 * smack_task_getioprio - Smack check on reading ioprio 1136 * @p: the task object 1137 * 1138 * Return 0 if read access is permitted 1139 */ 1140 static int smack_task_getioprio(struct task_struct *p) 1141 { 1142 return smk_curacc(task_security(p), MAY_READ); 1143 } 1144 1145 /** 1146 * smack_task_setscheduler - Smack check on setting scheduler 1147 * @p: the task object 1148 * @policy: unused 1149 * @lp: unused 1150 * 1151 * Return 0 if read access is permitted 1152 */ 1153 static int smack_task_setscheduler(struct task_struct *p, int policy, 1154 struct sched_param *lp) 1155 { 1156 int rc; 1157 1158 rc = cap_task_setscheduler(p, policy, lp); 1159 if (rc == 0) 1160 rc = smk_curacc(task_security(p), MAY_WRITE); 1161 return rc; 1162 } 1163 1164 /** 1165 * smack_task_getscheduler - Smack check on reading scheduler 1166 * @p: the task object 1167 * 1168 * Return 0 if read access is permitted 1169 */ 1170 static int smack_task_getscheduler(struct task_struct *p) 1171 { 1172 return smk_curacc(task_security(p), MAY_READ); 1173 } 1174 1175 /** 1176 * smack_task_movememory - Smack check on moving memory 1177 * @p: the task object 1178 * 1179 * Return 0 if write access is permitted 1180 */ 1181 static int smack_task_movememory(struct task_struct *p) 1182 { 1183 return smk_curacc(task_security(p), MAY_WRITE); 1184 } 1185 1186 /** 1187 * smack_task_kill - Smack check on signal delivery 1188 * @p: the task object 1189 * @info: unused 1190 * @sig: unused 1191 * @secid: identifies the smack to use in lieu of current's 1192 * 1193 * Return 0 if write access is permitted 1194 * 1195 * The secid behavior is an artifact of an SELinux hack 1196 * in the USB code. Someday it may go away. 1197 */ 1198 static int smack_task_kill(struct task_struct *p, struct siginfo *info, 1199 int sig, u32 secid) 1200 { 1201 /* 1202 * Sending a signal requires that the sender 1203 * can write the receiver. 1204 */ 1205 if (secid == 0) 1206 return smk_curacc(task_security(p), MAY_WRITE); 1207 /* 1208 * If the secid isn't 0 we're dealing with some USB IO 1209 * specific behavior. This is not clean. For one thing 1210 * we can't take privilege into account. 1211 */ 1212 return smk_access(smack_from_secid(secid), task_security(p), MAY_WRITE); 1213 } 1214 1215 /** 1216 * smack_task_wait - Smack access check for waiting 1217 * @p: task to wait for 1218 * 1219 * Returns 0 if current can wait for p, error code otherwise 1220 */ 1221 static int smack_task_wait(struct task_struct *p) 1222 { 1223 int rc; 1224 1225 rc = smk_access(current_security(), task_security(p), MAY_WRITE); 1226 if (rc == 0) 1227 return 0; 1228 1229 /* 1230 * Allow the operation to succeed if either task 1231 * has privilege to perform operations that might 1232 * account for the smack labels having gotten to 1233 * be different in the first place. 1234 * 1235 * This breaks the strict subject/object access 1236 * control ideal, taking the object's privilege 1237 * state into account in the decision as well as 1238 * the smack value. 1239 */ 1240 if (capable(CAP_MAC_OVERRIDE) || has_capability(p, CAP_MAC_OVERRIDE)) 1241 return 0; 1242 1243 return rc; 1244 } 1245 1246 /** 1247 * smack_task_to_inode - copy task smack into the inode blob 1248 * @p: task to copy from 1249 * @inode: inode to copy to 1250 * 1251 * Sets the smack pointer in the inode security blob 1252 */ 1253 static void smack_task_to_inode(struct task_struct *p, struct inode *inode) 1254 { 1255 struct inode_smack *isp = inode->i_security; 1256 isp->smk_inode = task_security(p); 1257 } 1258 1259 /* 1260 * Socket hooks. 1261 */ 1262 1263 /** 1264 * smack_sk_alloc_security - Allocate a socket blob 1265 * @sk: the socket 1266 * @family: unused 1267 * @gfp_flags: memory allocation flags 1268 * 1269 * Assign Smack pointers to current 1270 * 1271 * Returns 0 on success, -ENOMEM is there's no memory 1272 */ 1273 static int smack_sk_alloc_security(struct sock *sk, int family, gfp_t gfp_flags) 1274 { 1275 char *csp = current_security(); 1276 struct socket_smack *ssp; 1277 1278 ssp = kzalloc(sizeof(struct socket_smack), gfp_flags); 1279 if (ssp == NULL) 1280 return -ENOMEM; 1281 1282 ssp->smk_in = csp; 1283 ssp->smk_out = csp; 1284 ssp->smk_packet[0] = '\0'; 1285 1286 sk->sk_security = ssp; 1287 1288 return 0; 1289 } 1290 1291 /** 1292 * smack_sk_free_security - Free a socket blob 1293 * @sk: the socket 1294 * 1295 * Clears the blob pointer 1296 */ 1297 static void smack_sk_free_security(struct sock *sk) 1298 { 1299 kfree(sk->sk_security); 1300 } 1301 1302 /** 1303 * smack_host_label - check host based restrictions 1304 * @sip: the object end 1305 * 1306 * looks for host based access restrictions 1307 * 1308 * This version will only be appropriate for really small sets of single label 1309 * hosts. The caller is responsible for ensuring that the RCU read lock is 1310 * taken before calling this function. 1311 * 1312 * Returns the label of the far end or NULL if it's not special. 1313 */ 1314 static char *smack_host_label(struct sockaddr_in *sip) 1315 { 1316 struct smk_netlbladdr *snp; 1317 struct in_addr *siap = &sip->sin_addr; 1318 1319 if (siap->s_addr == 0) 1320 return NULL; 1321 1322 list_for_each_entry_rcu(snp, &smk_netlbladdr_list, list) 1323 /* 1324 * we break after finding the first match because 1325 * the list is sorted from longest to shortest mask 1326 * so we have found the most specific match 1327 */ 1328 if ((&snp->smk_host.sin_addr)->s_addr == 1329 (siap->s_addr & (&snp->smk_mask)->s_addr)) { 1330 /* we have found the special CIPSO option */ 1331 if (snp->smk_label == smack_cipso_option) 1332 return NULL; 1333 return snp->smk_label; 1334 } 1335 1336 return NULL; 1337 } 1338 1339 /** 1340 * smack_set_catset - convert a capset to netlabel mls categories 1341 * @catset: the Smack categories 1342 * @sap: where to put the netlabel categories 1343 * 1344 * Allocates and fills attr.mls.cat 1345 */ 1346 static void smack_set_catset(char *catset, struct netlbl_lsm_secattr *sap) 1347 { 1348 unsigned char *cp; 1349 unsigned char m; 1350 int cat; 1351 int rc; 1352 int byte; 1353 1354 if (!catset) 1355 return; 1356 1357 sap->flags |= NETLBL_SECATTR_MLS_CAT; 1358 sap->attr.mls.cat = netlbl_secattr_catmap_alloc(GFP_ATOMIC); 1359 sap->attr.mls.cat->startbit = 0; 1360 1361 for (cat = 1, cp = catset, byte = 0; byte < SMK_LABELLEN; cp++, byte++) 1362 for (m = 0x80; m != 0; m >>= 1, cat++) { 1363 if ((m & *cp) == 0) 1364 continue; 1365 rc = netlbl_secattr_catmap_setbit(sap->attr.mls.cat, 1366 cat, GFP_ATOMIC); 1367 } 1368 } 1369 1370 /** 1371 * smack_to_secattr - fill a secattr from a smack value 1372 * @smack: the smack value 1373 * @nlsp: where the result goes 1374 * 1375 * Casey says that CIPSO is good enough for now. 1376 * It can be used to effect. 1377 * It can also be abused to effect when necessary. 1378 * Appologies to the TSIG group in general and GW in particular. 1379 */ 1380 static void smack_to_secattr(char *smack, struct netlbl_lsm_secattr *nlsp) 1381 { 1382 struct smack_cipso cipso; 1383 int rc; 1384 1385 nlsp->domain = smack; 1386 nlsp->flags = NETLBL_SECATTR_DOMAIN | NETLBL_SECATTR_MLS_LVL; 1387 1388 rc = smack_to_cipso(smack, &cipso); 1389 if (rc == 0) { 1390 nlsp->attr.mls.lvl = cipso.smk_level; 1391 smack_set_catset(cipso.smk_catset, nlsp); 1392 } else { 1393 nlsp->attr.mls.lvl = smack_cipso_direct; 1394 smack_set_catset(smack, nlsp); 1395 } 1396 } 1397 1398 /** 1399 * smack_netlabel - Set the secattr on a socket 1400 * @sk: the socket 1401 * @labeled: socket label scheme 1402 * 1403 * Convert the outbound smack value (smk_out) to a 1404 * secattr and attach it to the socket. 1405 * 1406 * Returns 0 on success or an error code 1407 */ 1408 static int smack_netlabel(struct sock *sk, int labeled) 1409 { 1410 struct socket_smack *ssp = sk->sk_security; 1411 struct netlbl_lsm_secattr secattr; 1412 int rc = 0; 1413 1414 /* 1415 * Usually the netlabel code will handle changing the 1416 * packet labeling based on the label. 1417 * The case of a single label host is different, because 1418 * a single label host should never get a labeled packet 1419 * even though the label is usually associated with a packet 1420 * label. 1421 */ 1422 local_bh_disable(); 1423 bh_lock_sock_nested(sk); 1424 1425 if (ssp->smk_out == smack_net_ambient || 1426 labeled == SMACK_UNLABELED_SOCKET) 1427 netlbl_sock_delattr(sk); 1428 else { 1429 netlbl_secattr_init(&secattr); 1430 smack_to_secattr(ssp->smk_out, &secattr); 1431 rc = netlbl_sock_setattr(sk, sk->sk_family, &secattr); 1432 netlbl_secattr_destroy(&secattr); 1433 } 1434 1435 bh_unlock_sock(sk); 1436 local_bh_enable(); 1437 1438 return rc; 1439 } 1440 1441 /** 1442 * smack_netlbel_send - Set the secattr on a socket and perform access checks 1443 * @sk: the socket 1444 * @sap: the destination address 1445 * 1446 * Set the correct secattr for the given socket based on the destination 1447 * address and perform any outbound access checks needed. 1448 * 1449 * Returns 0 on success or an error code. 1450 * 1451 */ 1452 static int smack_netlabel_send(struct sock *sk, struct sockaddr_in *sap) 1453 { 1454 int rc; 1455 int sk_lbl; 1456 char *hostsp; 1457 struct socket_smack *ssp = sk->sk_security; 1458 1459 rcu_read_lock(); 1460 hostsp = smack_host_label(sap); 1461 if (hostsp != NULL) { 1462 sk_lbl = SMACK_UNLABELED_SOCKET; 1463 rc = smk_access(ssp->smk_out, hostsp, MAY_WRITE); 1464 } else { 1465 sk_lbl = SMACK_CIPSO_SOCKET; 1466 rc = 0; 1467 } 1468 rcu_read_unlock(); 1469 if (rc != 0) 1470 return rc; 1471 1472 return smack_netlabel(sk, sk_lbl); 1473 } 1474 1475 /** 1476 * smack_inode_setsecurity - set smack xattrs 1477 * @inode: the object 1478 * @name: attribute name 1479 * @value: attribute value 1480 * @size: size of the attribute 1481 * @flags: unused 1482 * 1483 * Sets the named attribute in the appropriate blob 1484 * 1485 * Returns 0 on success, or an error code 1486 */ 1487 static int smack_inode_setsecurity(struct inode *inode, const char *name, 1488 const void *value, size_t size, int flags) 1489 { 1490 char *sp; 1491 struct inode_smack *nsp = inode->i_security; 1492 struct socket_smack *ssp; 1493 struct socket *sock; 1494 int rc = 0; 1495 1496 if (value == NULL || size > SMK_LABELLEN || size == 0) 1497 return -EACCES; 1498 1499 sp = smk_import(value, size); 1500 if (sp == NULL) 1501 return -EINVAL; 1502 1503 if (strcmp(name, XATTR_SMACK_SUFFIX) == 0) { 1504 nsp->smk_inode = sp; 1505 return 0; 1506 } 1507 /* 1508 * The rest of the Smack xattrs are only on sockets. 1509 */ 1510 if (inode->i_sb->s_magic != SOCKFS_MAGIC) 1511 return -EOPNOTSUPP; 1512 1513 sock = SOCKET_I(inode); 1514 if (sock == NULL || sock->sk == NULL) 1515 return -EOPNOTSUPP; 1516 1517 ssp = sock->sk->sk_security; 1518 1519 if (strcmp(name, XATTR_SMACK_IPIN) == 0) 1520 ssp->smk_in = sp; 1521 else if (strcmp(name, XATTR_SMACK_IPOUT) == 0) { 1522 ssp->smk_out = sp; 1523 rc = smack_netlabel(sock->sk, SMACK_CIPSO_SOCKET); 1524 if (rc != 0) 1525 printk(KERN_WARNING "Smack: \"%s\" netlbl error %d.\n", 1526 __func__, -rc); 1527 } else 1528 return -EOPNOTSUPP; 1529 1530 return 0; 1531 } 1532 1533 /** 1534 * smack_socket_post_create - finish socket setup 1535 * @sock: the socket 1536 * @family: protocol family 1537 * @type: unused 1538 * @protocol: unused 1539 * @kern: unused 1540 * 1541 * Sets the netlabel information on the socket 1542 * 1543 * Returns 0 on success, and error code otherwise 1544 */ 1545 static int smack_socket_post_create(struct socket *sock, int family, 1546 int type, int protocol, int kern) 1547 { 1548 if (family != PF_INET || sock->sk == NULL) 1549 return 0; 1550 /* 1551 * Set the outbound netlbl. 1552 */ 1553 return smack_netlabel(sock->sk, SMACK_CIPSO_SOCKET); 1554 } 1555 1556 /** 1557 * smack_socket_connect - connect access check 1558 * @sock: the socket 1559 * @sap: the other end 1560 * @addrlen: size of sap 1561 * 1562 * Verifies that a connection may be possible 1563 * 1564 * Returns 0 on success, and error code otherwise 1565 */ 1566 static int smack_socket_connect(struct socket *sock, struct sockaddr *sap, 1567 int addrlen) 1568 { 1569 if (sock->sk == NULL || sock->sk->sk_family != PF_INET) 1570 return 0; 1571 if (addrlen < sizeof(struct sockaddr_in)) 1572 return -EINVAL; 1573 1574 return smack_netlabel_send(sock->sk, (struct sockaddr_in *)sap); 1575 } 1576 1577 /** 1578 * smack_flags_to_may - convert S_ to MAY_ values 1579 * @flags: the S_ value 1580 * 1581 * Returns the equivalent MAY_ value 1582 */ 1583 static int smack_flags_to_may(int flags) 1584 { 1585 int may = 0; 1586 1587 if (flags & S_IRUGO) 1588 may |= MAY_READ; 1589 if (flags & S_IWUGO) 1590 may |= MAY_WRITE; 1591 if (flags & S_IXUGO) 1592 may |= MAY_EXEC; 1593 1594 return may; 1595 } 1596 1597 /** 1598 * smack_msg_msg_alloc_security - Set the security blob for msg_msg 1599 * @msg: the object 1600 * 1601 * Returns 0 1602 */ 1603 static int smack_msg_msg_alloc_security(struct msg_msg *msg) 1604 { 1605 msg->security = current_security(); 1606 return 0; 1607 } 1608 1609 /** 1610 * smack_msg_msg_free_security - Clear the security blob for msg_msg 1611 * @msg: the object 1612 * 1613 * Clears the blob pointer 1614 */ 1615 static void smack_msg_msg_free_security(struct msg_msg *msg) 1616 { 1617 msg->security = NULL; 1618 } 1619 1620 /** 1621 * smack_of_shm - the smack pointer for the shm 1622 * @shp: the object 1623 * 1624 * Returns a pointer to the smack value 1625 */ 1626 static char *smack_of_shm(struct shmid_kernel *shp) 1627 { 1628 return (char *)shp->shm_perm.security; 1629 } 1630 1631 /** 1632 * smack_shm_alloc_security - Set the security blob for shm 1633 * @shp: the object 1634 * 1635 * Returns 0 1636 */ 1637 static int smack_shm_alloc_security(struct shmid_kernel *shp) 1638 { 1639 struct kern_ipc_perm *isp = &shp->shm_perm; 1640 1641 isp->security = current_security(); 1642 return 0; 1643 } 1644 1645 /** 1646 * smack_shm_free_security - Clear the security blob for shm 1647 * @shp: the object 1648 * 1649 * Clears the blob pointer 1650 */ 1651 static void smack_shm_free_security(struct shmid_kernel *shp) 1652 { 1653 struct kern_ipc_perm *isp = &shp->shm_perm; 1654 1655 isp->security = NULL; 1656 } 1657 1658 /** 1659 * smack_shm_associate - Smack access check for shm 1660 * @shp: the object 1661 * @shmflg: access requested 1662 * 1663 * Returns 0 if current has the requested access, error code otherwise 1664 */ 1665 static int smack_shm_associate(struct shmid_kernel *shp, int shmflg) 1666 { 1667 char *ssp = smack_of_shm(shp); 1668 int may; 1669 1670 may = smack_flags_to_may(shmflg); 1671 return smk_curacc(ssp, may); 1672 } 1673 1674 /** 1675 * smack_shm_shmctl - Smack access check for shm 1676 * @shp: the object 1677 * @cmd: what it wants to do 1678 * 1679 * Returns 0 if current has the requested access, error code otherwise 1680 */ 1681 static int smack_shm_shmctl(struct shmid_kernel *shp, int cmd) 1682 { 1683 char *ssp; 1684 int may; 1685 1686 switch (cmd) { 1687 case IPC_STAT: 1688 case SHM_STAT: 1689 may = MAY_READ; 1690 break; 1691 case IPC_SET: 1692 case SHM_LOCK: 1693 case SHM_UNLOCK: 1694 case IPC_RMID: 1695 may = MAY_READWRITE; 1696 break; 1697 case IPC_INFO: 1698 case SHM_INFO: 1699 /* 1700 * System level information. 1701 */ 1702 return 0; 1703 default: 1704 return -EINVAL; 1705 } 1706 1707 ssp = smack_of_shm(shp); 1708 return smk_curacc(ssp, may); 1709 } 1710 1711 /** 1712 * smack_shm_shmat - Smack access for shmat 1713 * @shp: the object 1714 * @shmaddr: unused 1715 * @shmflg: access requested 1716 * 1717 * Returns 0 if current has the requested access, error code otherwise 1718 */ 1719 static int smack_shm_shmat(struct shmid_kernel *shp, char __user *shmaddr, 1720 int shmflg) 1721 { 1722 char *ssp = smack_of_shm(shp); 1723 int may; 1724 1725 may = smack_flags_to_may(shmflg); 1726 return smk_curacc(ssp, may); 1727 } 1728 1729 /** 1730 * smack_of_sem - the smack pointer for the sem 1731 * @sma: the object 1732 * 1733 * Returns a pointer to the smack value 1734 */ 1735 static char *smack_of_sem(struct sem_array *sma) 1736 { 1737 return (char *)sma->sem_perm.security; 1738 } 1739 1740 /** 1741 * smack_sem_alloc_security - Set the security blob for sem 1742 * @sma: the object 1743 * 1744 * Returns 0 1745 */ 1746 static int smack_sem_alloc_security(struct sem_array *sma) 1747 { 1748 struct kern_ipc_perm *isp = &sma->sem_perm; 1749 1750 isp->security = current_security(); 1751 return 0; 1752 } 1753 1754 /** 1755 * smack_sem_free_security - Clear the security blob for sem 1756 * @sma: the object 1757 * 1758 * Clears the blob pointer 1759 */ 1760 static void smack_sem_free_security(struct sem_array *sma) 1761 { 1762 struct kern_ipc_perm *isp = &sma->sem_perm; 1763 1764 isp->security = NULL; 1765 } 1766 1767 /** 1768 * smack_sem_associate - Smack access check for sem 1769 * @sma: the object 1770 * @semflg: access requested 1771 * 1772 * Returns 0 if current has the requested access, error code otherwise 1773 */ 1774 static int smack_sem_associate(struct sem_array *sma, int semflg) 1775 { 1776 char *ssp = smack_of_sem(sma); 1777 int may; 1778 1779 may = smack_flags_to_may(semflg); 1780 return smk_curacc(ssp, may); 1781 } 1782 1783 /** 1784 * smack_sem_shmctl - Smack access check for sem 1785 * @sma: the object 1786 * @cmd: what it wants to do 1787 * 1788 * Returns 0 if current has the requested access, error code otherwise 1789 */ 1790 static int smack_sem_semctl(struct sem_array *sma, int cmd) 1791 { 1792 char *ssp; 1793 int may; 1794 1795 switch (cmd) { 1796 case GETPID: 1797 case GETNCNT: 1798 case GETZCNT: 1799 case GETVAL: 1800 case GETALL: 1801 case IPC_STAT: 1802 case SEM_STAT: 1803 may = MAY_READ; 1804 break; 1805 case SETVAL: 1806 case SETALL: 1807 case IPC_RMID: 1808 case IPC_SET: 1809 may = MAY_READWRITE; 1810 break; 1811 case IPC_INFO: 1812 case SEM_INFO: 1813 /* 1814 * System level information 1815 */ 1816 return 0; 1817 default: 1818 return -EINVAL; 1819 } 1820 1821 ssp = smack_of_sem(sma); 1822 return smk_curacc(ssp, may); 1823 } 1824 1825 /** 1826 * smack_sem_semop - Smack checks of semaphore operations 1827 * @sma: the object 1828 * @sops: unused 1829 * @nsops: unused 1830 * @alter: unused 1831 * 1832 * Treated as read and write in all cases. 1833 * 1834 * Returns 0 if access is allowed, error code otherwise 1835 */ 1836 static int smack_sem_semop(struct sem_array *sma, struct sembuf *sops, 1837 unsigned nsops, int alter) 1838 { 1839 char *ssp = smack_of_sem(sma); 1840 1841 return smk_curacc(ssp, MAY_READWRITE); 1842 } 1843 1844 /** 1845 * smack_msg_alloc_security - Set the security blob for msg 1846 * @msq: the object 1847 * 1848 * Returns 0 1849 */ 1850 static int smack_msg_queue_alloc_security(struct msg_queue *msq) 1851 { 1852 struct kern_ipc_perm *kisp = &msq->q_perm; 1853 1854 kisp->security = current_security(); 1855 return 0; 1856 } 1857 1858 /** 1859 * smack_msg_free_security - Clear the security blob for msg 1860 * @msq: the object 1861 * 1862 * Clears the blob pointer 1863 */ 1864 static void smack_msg_queue_free_security(struct msg_queue *msq) 1865 { 1866 struct kern_ipc_perm *kisp = &msq->q_perm; 1867 1868 kisp->security = NULL; 1869 } 1870 1871 /** 1872 * smack_of_msq - the smack pointer for the msq 1873 * @msq: the object 1874 * 1875 * Returns a pointer to the smack value 1876 */ 1877 static char *smack_of_msq(struct msg_queue *msq) 1878 { 1879 return (char *)msq->q_perm.security; 1880 } 1881 1882 /** 1883 * smack_msg_queue_associate - Smack access check for msg_queue 1884 * @msq: the object 1885 * @msqflg: access requested 1886 * 1887 * Returns 0 if current has the requested access, error code otherwise 1888 */ 1889 static int smack_msg_queue_associate(struct msg_queue *msq, int msqflg) 1890 { 1891 char *msp = smack_of_msq(msq); 1892 int may; 1893 1894 may = smack_flags_to_may(msqflg); 1895 return smk_curacc(msp, may); 1896 } 1897 1898 /** 1899 * smack_msg_queue_msgctl - Smack access check for msg_queue 1900 * @msq: the object 1901 * @cmd: what it wants to do 1902 * 1903 * Returns 0 if current has the requested access, error code otherwise 1904 */ 1905 static int smack_msg_queue_msgctl(struct msg_queue *msq, int cmd) 1906 { 1907 char *msp; 1908 int may; 1909 1910 switch (cmd) { 1911 case IPC_STAT: 1912 case MSG_STAT: 1913 may = MAY_READ; 1914 break; 1915 case IPC_SET: 1916 case IPC_RMID: 1917 may = MAY_READWRITE; 1918 break; 1919 case IPC_INFO: 1920 case MSG_INFO: 1921 /* 1922 * System level information 1923 */ 1924 return 0; 1925 default: 1926 return -EINVAL; 1927 } 1928 1929 msp = smack_of_msq(msq); 1930 return smk_curacc(msp, may); 1931 } 1932 1933 /** 1934 * smack_msg_queue_msgsnd - Smack access check for msg_queue 1935 * @msq: the object 1936 * @msg: unused 1937 * @msqflg: access requested 1938 * 1939 * Returns 0 if current has the requested access, error code otherwise 1940 */ 1941 static int smack_msg_queue_msgsnd(struct msg_queue *msq, struct msg_msg *msg, 1942 int msqflg) 1943 { 1944 char *msp = smack_of_msq(msq); 1945 int rc; 1946 1947 rc = smack_flags_to_may(msqflg); 1948 return smk_curacc(msp, rc); 1949 } 1950 1951 /** 1952 * smack_msg_queue_msgsnd - Smack access check for msg_queue 1953 * @msq: the object 1954 * @msg: unused 1955 * @target: unused 1956 * @type: unused 1957 * @mode: unused 1958 * 1959 * Returns 0 if current has read and write access, error code otherwise 1960 */ 1961 static int smack_msg_queue_msgrcv(struct msg_queue *msq, struct msg_msg *msg, 1962 struct task_struct *target, long type, int mode) 1963 { 1964 char *msp = smack_of_msq(msq); 1965 1966 return smk_curacc(msp, MAY_READWRITE); 1967 } 1968 1969 /** 1970 * smack_ipc_permission - Smack access for ipc_permission() 1971 * @ipp: the object permissions 1972 * @flag: access requested 1973 * 1974 * Returns 0 if current has read and write access, error code otherwise 1975 */ 1976 static int smack_ipc_permission(struct kern_ipc_perm *ipp, short flag) 1977 { 1978 char *isp = ipp->security; 1979 int may; 1980 1981 may = smack_flags_to_may(flag); 1982 return smk_curacc(isp, may); 1983 } 1984 1985 /** 1986 * smack_ipc_getsecid - Extract smack security id 1987 * @ipp: the object permissions 1988 * @secid: where result will be saved 1989 */ 1990 static void smack_ipc_getsecid(struct kern_ipc_perm *ipp, u32 *secid) 1991 { 1992 char *smack = ipp->security; 1993 1994 *secid = smack_to_secid(smack); 1995 } 1996 1997 /** 1998 * smack_d_instantiate - Make sure the blob is correct on an inode 1999 * @opt_dentry: unused 2000 * @inode: the object 2001 * 2002 * Set the inode's security blob if it hasn't been done already. 2003 */ 2004 static void smack_d_instantiate(struct dentry *opt_dentry, struct inode *inode) 2005 { 2006 struct super_block *sbp; 2007 struct superblock_smack *sbsp; 2008 struct inode_smack *isp; 2009 char *csp = current_security(); 2010 char *fetched; 2011 char *final; 2012 struct dentry *dp; 2013 2014 if (inode == NULL) 2015 return; 2016 2017 isp = inode->i_security; 2018 2019 mutex_lock(&isp->smk_lock); 2020 /* 2021 * If the inode is already instantiated 2022 * take the quick way out 2023 */ 2024 if (isp->smk_flags & SMK_INODE_INSTANT) 2025 goto unlockandout; 2026 2027 sbp = inode->i_sb; 2028 sbsp = sbp->s_security; 2029 /* 2030 * We're going to use the superblock default label 2031 * if there's no label on the file. 2032 */ 2033 final = sbsp->smk_default; 2034 2035 /* 2036 * If this is the root inode the superblock 2037 * may be in the process of initialization. 2038 * If that is the case use the root value out 2039 * of the superblock. 2040 */ 2041 if (opt_dentry->d_parent == opt_dentry) { 2042 isp->smk_inode = sbsp->smk_root; 2043 isp->smk_flags |= SMK_INODE_INSTANT; 2044 goto unlockandout; 2045 } 2046 2047 /* 2048 * This is pretty hackish. 2049 * Casey says that we shouldn't have to do 2050 * file system specific code, but it does help 2051 * with keeping it simple. 2052 */ 2053 switch (sbp->s_magic) { 2054 case SMACK_MAGIC: 2055 /* 2056 * Casey says that it's a little embarassing 2057 * that the smack file system doesn't do 2058 * extended attributes. 2059 */ 2060 final = smack_known_star.smk_known; 2061 break; 2062 case PIPEFS_MAGIC: 2063 /* 2064 * Casey says pipes are easy (?) 2065 */ 2066 final = smack_known_star.smk_known; 2067 break; 2068 case DEVPTS_SUPER_MAGIC: 2069 /* 2070 * devpts seems content with the label of the task. 2071 * Programs that change smack have to treat the 2072 * pty with respect. 2073 */ 2074 final = csp; 2075 break; 2076 case SOCKFS_MAGIC: 2077 /* 2078 * Casey says sockets get the smack of the task. 2079 */ 2080 final = csp; 2081 break; 2082 case PROC_SUPER_MAGIC: 2083 /* 2084 * Casey says procfs appears not to care. 2085 * The superblock default suffices. 2086 */ 2087 break; 2088 case TMPFS_MAGIC: 2089 /* 2090 * Device labels should come from the filesystem, 2091 * but watch out, because they're volitile, 2092 * getting recreated on every reboot. 2093 */ 2094 final = smack_known_star.smk_known; 2095 /* 2096 * No break. 2097 * 2098 * If a smack value has been set we want to use it, 2099 * but since tmpfs isn't giving us the opportunity 2100 * to set mount options simulate setting the 2101 * superblock default. 2102 */ 2103 default: 2104 /* 2105 * This isn't an understood special case. 2106 * Get the value from the xattr. 2107 * 2108 * No xattr support means, alas, no SMACK label. 2109 * Use the aforeapplied default. 2110 * It would be curious if the label of the task 2111 * does not match that assigned. 2112 */ 2113 if (inode->i_op->getxattr == NULL) 2114 break; 2115 /* 2116 * Get the dentry for xattr. 2117 */ 2118 if (opt_dentry == NULL) { 2119 dp = d_find_alias(inode); 2120 if (dp == NULL) 2121 break; 2122 } else { 2123 dp = dget(opt_dentry); 2124 if (dp == NULL) 2125 break; 2126 } 2127 2128 fetched = smk_fetch(inode, dp); 2129 if (fetched != NULL) 2130 final = fetched; 2131 2132 dput(dp); 2133 break; 2134 } 2135 2136 if (final == NULL) 2137 isp->smk_inode = csp; 2138 else 2139 isp->smk_inode = final; 2140 2141 isp->smk_flags |= SMK_INODE_INSTANT; 2142 2143 unlockandout: 2144 mutex_unlock(&isp->smk_lock); 2145 return; 2146 } 2147 2148 /** 2149 * smack_getprocattr - Smack process attribute access 2150 * @p: the object task 2151 * @name: the name of the attribute in /proc/.../attr 2152 * @value: where to put the result 2153 * 2154 * Places a copy of the task Smack into value 2155 * 2156 * Returns the length of the smack label or an error code 2157 */ 2158 static int smack_getprocattr(struct task_struct *p, char *name, char **value) 2159 { 2160 char *cp; 2161 int slen; 2162 2163 if (strcmp(name, "current") != 0) 2164 return -EINVAL; 2165 2166 cp = kstrdup(task_security(p), GFP_KERNEL); 2167 if (cp == NULL) 2168 return -ENOMEM; 2169 2170 slen = strlen(cp); 2171 *value = cp; 2172 return slen; 2173 } 2174 2175 /** 2176 * smack_setprocattr - Smack process attribute setting 2177 * @p: the object task 2178 * @name: the name of the attribute in /proc/.../attr 2179 * @value: the value to set 2180 * @size: the size of the value 2181 * 2182 * Sets the Smack value of the task. Only setting self 2183 * is permitted and only with privilege 2184 * 2185 * Returns the length of the smack label or an error code 2186 */ 2187 static int smack_setprocattr(struct task_struct *p, char *name, 2188 void *value, size_t size) 2189 { 2190 struct cred *new; 2191 char *newsmack; 2192 2193 /* 2194 * Changing another process' Smack value is too dangerous 2195 * and supports no sane use case. 2196 */ 2197 if (p != current) 2198 return -EPERM; 2199 2200 if (!capable(CAP_MAC_ADMIN)) 2201 return -EPERM; 2202 2203 if (value == NULL || size == 0 || size >= SMK_LABELLEN) 2204 return -EINVAL; 2205 2206 if (strcmp(name, "current") != 0) 2207 return -EINVAL; 2208 2209 newsmack = smk_import(value, size); 2210 if (newsmack == NULL) 2211 return -EINVAL; 2212 2213 /* 2214 * No process is ever allowed the web ("@") label. 2215 */ 2216 if (newsmack == smack_known_web.smk_known) 2217 return -EPERM; 2218 2219 new = prepare_creds(); 2220 if (new == NULL) 2221 return -ENOMEM; 2222 new->security = newsmack; 2223 commit_creds(new); 2224 return size; 2225 } 2226 2227 /** 2228 * smack_unix_stream_connect - Smack access on UDS 2229 * @sock: one socket 2230 * @other: the other socket 2231 * @newsk: unused 2232 * 2233 * Return 0 if a subject with the smack of sock could access 2234 * an object with the smack of other, otherwise an error code 2235 */ 2236 static int smack_unix_stream_connect(struct socket *sock, 2237 struct socket *other, struct sock *newsk) 2238 { 2239 struct inode *sp = SOCK_INODE(sock); 2240 struct inode *op = SOCK_INODE(other); 2241 2242 return smk_access(smk_of_inode(sp), smk_of_inode(op), MAY_READWRITE); 2243 } 2244 2245 /** 2246 * smack_unix_may_send - Smack access on UDS 2247 * @sock: one socket 2248 * @other: the other socket 2249 * 2250 * Return 0 if a subject with the smack of sock could access 2251 * an object with the smack of other, otherwise an error code 2252 */ 2253 static int smack_unix_may_send(struct socket *sock, struct socket *other) 2254 { 2255 struct inode *sp = SOCK_INODE(sock); 2256 struct inode *op = SOCK_INODE(other); 2257 2258 return smk_access(smk_of_inode(sp), smk_of_inode(op), MAY_WRITE); 2259 } 2260 2261 /** 2262 * smack_socket_sendmsg - Smack check based on destination host 2263 * @sock: the socket 2264 * @msg: the message 2265 * @size: the size of the message 2266 * 2267 * Return 0 if the current subject can write to the destination 2268 * host. This is only a question if the destination is a single 2269 * label host. 2270 */ 2271 static int smack_socket_sendmsg(struct socket *sock, struct msghdr *msg, 2272 int size) 2273 { 2274 struct sockaddr_in *sip = (struct sockaddr_in *) msg->msg_name; 2275 2276 /* 2277 * Perfectly reasonable for this to be NULL 2278 */ 2279 if (sip == NULL || sip->sin_family != PF_INET) 2280 return 0; 2281 2282 return smack_netlabel_send(sock->sk, sip); 2283 } 2284 2285 2286 /** 2287 * smack_from_secattr - Convert a netlabel attr.mls.lvl/attr.mls.cat pair to smack 2288 * @sap: netlabel secattr 2289 * @sip: where to put the result 2290 * 2291 * Copies a smack label into sip 2292 */ 2293 static void smack_from_secattr(struct netlbl_lsm_secattr *sap, char *sip) 2294 { 2295 char smack[SMK_LABELLEN]; 2296 char *sp; 2297 int pcat; 2298 2299 if ((sap->flags & NETLBL_SECATTR_MLS_LVL) != 0) { 2300 /* 2301 * Looks like a CIPSO packet. 2302 * If there are flags but no level netlabel isn't 2303 * behaving the way we expect it to. 2304 * 2305 * Get the categories, if any 2306 * Without guidance regarding the smack value 2307 * for the packet fall back on the network 2308 * ambient value. 2309 */ 2310 memset(smack, '\0', SMK_LABELLEN); 2311 if ((sap->flags & NETLBL_SECATTR_MLS_CAT) != 0) 2312 for (pcat = -1;;) { 2313 pcat = netlbl_secattr_catmap_walk( 2314 sap->attr.mls.cat, pcat + 1); 2315 if (pcat < 0) 2316 break; 2317 smack_catset_bit(pcat, smack); 2318 } 2319 /* 2320 * If it is CIPSO using smack direct mapping 2321 * we are already done. WeeHee. 2322 */ 2323 if (sap->attr.mls.lvl == smack_cipso_direct) { 2324 memcpy(sip, smack, SMK_MAXLEN); 2325 return; 2326 } 2327 /* 2328 * Look it up in the supplied table if it is not 2329 * a direct mapping. 2330 */ 2331 smack_from_cipso(sap->attr.mls.lvl, smack, sip); 2332 return; 2333 } 2334 if ((sap->flags & NETLBL_SECATTR_SECID) != 0) { 2335 /* 2336 * Looks like a fallback, which gives us a secid. 2337 */ 2338 sp = smack_from_secid(sap->attr.secid); 2339 /* 2340 * This has got to be a bug because it is 2341 * impossible to specify a fallback without 2342 * specifying the label, which will ensure 2343 * it has a secid, and the only way to get a 2344 * secid is from a fallback. 2345 */ 2346 BUG_ON(sp == NULL); 2347 strncpy(sip, sp, SMK_MAXLEN); 2348 return; 2349 } 2350 /* 2351 * Without guidance regarding the smack value 2352 * for the packet fall back on the network 2353 * ambient value. 2354 */ 2355 strncpy(sip, smack_net_ambient, SMK_MAXLEN); 2356 return; 2357 } 2358 2359 /** 2360 * smack_socket_sock_rcv_skb - Smack packet delivery access check 2361 * @sk: socket 2362 * @skb: packet 2363 * 2364 * Returns 0 if the packet should be delivered, an error code otherwise 2365 */ 2366 static int smack_socket_sock_rcv_skb(struct sock *sk, struct sk_buff *skb) 2367 { 2368 struct netlbl_lsm_secattr secattr; 2369 struct socket_smack *ssp = sk->sk_security; 2370 char smack[SMK_LABELLEN]; 2371 char *csp; 2372 int rc; 2373 2374 if (sk->sk_family != PF_INET && sk->sk_family != PF_INET6) 2375 return 0; 2376 2377 /* 2378 * Translate what netlabel gave us. 2379 */ 2380 netlbl_secattr_init(&secattr); 2381 2382 rc = netlbl_skbuff_getattr(skb, sk->sk_family, &secattr); 2383 if (rc == 0) { 2384 smack_from_secattr(&secattr, smack); 2385 csp = smack; 2386 } else 2387 csp = smack_net_ambient; 2388 2389 netlbl_secattr_destroy(&secattr); 2390 2391 /* 2392 * Receiving a packet requires that the other end 2393 * be able to write here. Read access is not required. 2394 * This is the simplist possible security model 2395 * for networking. 2396 */ 2397 rc = smk_access(csp, ssp->smk_in, MAY_WRITE); 2398 if (rc != 0) 2399 netlbl_skbuff_err(skb, rc, 0); 2400 return rc; 2401 } 2402 2403 /** 2404 * smack_socket_getpeersec_stream - pull in packet label 2405 * @sock: the socket 2406 * @optval: user's destination 2407 * @optlen: size thereof 2408 * @len: max thereof 2409 * 2410 * returns zero on success, an error code otherwise 2411 */ 2412 static int smack_socket_getpeersec_stream(struct socket *sock, 2413 char __user *optval, 2414 int __user *optlen, unsigned len) 2415 { 2416 struct socket_smack *ssp; 2417 int slen; 2418 int rc = 0; 2419 2420 ssp = sock->sk->sk_security; 2421 slen = strlen(ssp->smk_packet) + 1; 2422 2423 if (slen > len) 2424 rc = -ERANGE; 2425 else if (copy_to_user(optval, ssp->smk_packet, slen) != 0) 2426 rc = -EFAULT; 2427 2428 if (put_user(slen, optlen) != 0) 2429 rc = -EFAULT; 2430 2431 return rc; 2432 } 2433 2434 2435 /** 2436 * smack_socket_getpeersec_dgram - pull in packet label 2437 * @sock: the socket 2438 * @skb: packet data 2439 * @secid: pointer to where to put the secid of the packet 2440 * 2441 * Sets the netlabel socket state on sk from parent 2442 */ 2443 static int smack_socket_getpeersec_dgram(struct socket *sock, 2444 struct sk_buff *skb, u32 *secid) 2445 2446 { 2447 struct netlbl_lsm_secattr secattr; 2448 struct sock *sk; 2449 char smack[SMK_LABELLEN]; 2450 int family = PF_INET; 2451 u32 s; 2452 int rc; 2453 2454 /* 2455 * Only works for families with packets. 2456 */ 2457 if (sock != NULL) { 2458 sk = sock->sk; 2459 if (sk->sk_family != PF_INET && sk->sk_family != PF_INET6) 2460 return 0; 2461 family = sk->sk_family; 2462 } 2463 /* 2464 * Translate what netlabel gave us. 2465 */ 2466 netlbl_secattr_init(&secattr); 2467 rc = netlbl_skbuff_getattr(skb, family, &secattr); 2468 if (rc == 0) 2469 smack_from_secattr(&secattr, smack); 2470 netlbl_secattr_destroy(&secattr); 2471 2472 /* 2473 * Give up if we couldn't get anything 2474 */ 2475 if (rc != 0) 2476 return rc; 2477 2478 s = smack_to_secid(smack); 2479 if (s == 0) 2480 return -EINVAL; 2481 2482 *secid = s; 2483 return 0; 2484 } 2485 2486 /** 2487 * smack_sock_graft - Initialize a newly created socket with an existing sock 2488 * @sk: child sock 2489 * @parent: parent socket 2490 * 2491 * Set the smk_{in,out} state of an existing sock based on the process that 2492 * is creating the new socket. 2493 */ 2494 static void smack_sock_graft(struct sock *sk, struct socket *parent) 2495 { 2496 struct socket_smack *ssp; 2497 2498 if (sk == NULL || 2499 (sk->sk_family != PF_INET && sk->sk_family != PF_INET6)) 2500 return; 2501 2502 ssp = sk->sk_security; 2503 ssp->smk_in = ssp->smk_out = current_security(); 2504 /* cssp->smk_packet is already set in smack_inet_csk_clone() */ 2505 } 2506 2507 /** 2508 * smack_inet_conn_request - Smack access check on connect 2509 * @sk: socket involved 2510 * @skb: packet 2511 * @req: unused 2512 * 2513 * Returns 0 if a task with the packet label could write to 2514 * the socket, otherwise an error code 2515 */ 2516 static int smack_inet_conn_request(struct sock *sk, struct sk_buff *skb, 2517 struct request_sock *req) 2518 { 2519 u16 family = sk->sk_family; 2520 struct socket_smack *ssp = sk->sk_security; 2521 struct netlbl_lsm_secattr secattr; 2522 struct sockaddr_in addr; 2523 struct iphdr *hdr; 2524 char smack[SMK_LABELLEN]; 2525 int rc; 2526 2527 /* handle mapped IPv4 packets arriving via IPv6 sockets */ 2528 if (family == PF_INET6 && skb->protocol == htons(ETH_P_IP)) 2529 family = PF_INET; 2530 2531 netlbl_secattr_init(&secattr); 2532 rc = netlbl_skbuff_getattr(skb, family, &secattr); 2533 if (rc == 0) 2534 smack_from_secattr(&secattr, smack); 2535 else 2536 strncpy(smack, smack_known_huh.smk_known, SMK_MAXLEN); 2537 netlbl_secattr_destroy(&secattr); 2538 2539 /* 2540 * Receiving a packet requires that the other end be able to write 2541 * here. Read access is not required. 2542 */ 2543 rc = smk_access(smack, ssp->smk_in, MAY_WRITE); 2544 if (rc != 0) 2545 return rc; 2546 2547 /* 2548 * Save the peer's label in the request_sock so we can later setup 2549 * smk_packet in the child socket so that SO_PEERCRED can report it. 2550 */ 2551 req->peer_secid = smack_to_secid(smack); 2552 2553 /* 2554 * We need to decide if we want to label the incoming connection here 2555 * if we do we only need to label the request_sock and the stack will 2556 * propogate the wire-label to the sock when it is created. 2557 */ 2558 hdr = ip_hdr(skb); 2559 addr.sin_addr.s_addr = hdr->saddr; 2560 rcu_read_lock(); 2561 if (smack_host_label(&addr) == NULL) { 2562 rcu_read_unlock(); 2563 netlbl_secattr_init(&secattr); 2564 smack_to_secattr(smack, &secattr); 2565 rc = netlbl_req_setattr(req, &secattr); 2566 netlbl_secattr_destroy(&secattr); 2567 } else { 2568 rcu_read_unlock(); 2569 netlbl_req_delattr(req); 2570 } 2571 2572 return rc; 2573 } 2574 2575 /** 2576 * smack_inet_csk_clone - Copy the connection information to the new socket 2577 * @sk: the new socket 2578 * @req: the connection's request_sock 2579 * 2580 * Transfer the connection's peer label to the newly created socket. 2581 */ 2582 static void smack_inet_csk_clone(struct sock *sk, 2583 const struct request_sock *req) 2584 { 2585 struct socket_smack *ssp = sk->sk_security; 2586 char *smack; 2587 2588 if (req->peer_secid != 0) { 2589 smack = smack_from_secid(req->peer_secid); 2590 strncpy(ssp->smk_packet, smack, SMK_MAXLEN); 2591 } else 2592 ssp->smk_packet[0] = '\0'; 2593 } 2594 2595 /* 2596 * Key management security hooks 2597 * 2598 * Casey has not tested key support very heavily. 2599 * The permission check is most likely too restrictive. 2600 * If you care about keys please have a look. 2601 */ 2602 #ifdef CONFIG_KEYS 2603 2604 /** 2605 * smack_key_alloc - Set the key security blob 2606 * @key: object 2607 * @cred: the credentials to use 2608 * @flags: unused 2609 * 2610 * No allocation required 2611 * 2612 * Returns 0 2613 */ 2614 static int smack_key_alloc(struct key *key, const struct cred *cred, 2615 unsigned long flags) 2616 { 2617 key->security = cred->security; 2618 return 0; 2619 } 2620 2621 /** 2622 * smack_key_free - Clear the key security blob 2623 * @key: the object 2624 * 2625 * Clear the blob pointer 2626 */ 2627 static void smack_key_free(struct key *key) 2628 { 2629 key->security = NULL; 2630 } 2631 2632 /* 2633 * smack_key_permission - Smack access on a key 2634 * @key_ref: gets to the object 2635 * @cred: the credentials to use 2636 * @perm: unused 2637 * 2638 * Return 0 if the task has read and write to the object, 2639 * an error code otherwise 2640 */ 2641 static int smack_key_permission(key_ref_t key_ref, 2642 const struct cred *cred, key_perm_t perm) 2643 { 2644 struct key *keyp; 2645 2646 keyp = key_ref_to_ptr(key_ref); 2647 if (keyp == NULL) 2648 return -EINVAL; 2649 /* 2650 * If the key hasn't been initialized give it access so that 2651 * it may do so. 2652 */ 2653 if (keyp->security == NULL) 2654 return 0; 2655 /* 2656 * This should not occur 2657 */ 2658 if (cred->security == NULL) 2659 return -EACCES; 2660 2661 return smk_access(cred->security, keyp->security, MAY_READWRITE); 2662 } 2663 #endif /* CONFIG_KEYS */ 2664 2665 /* 2666 * Smack Audit hooks 2667 * 2668 * Audit requires a unique representation of each Smack specific 2669 * rule. This unique representation is used to distinguish the 2670 * object to be audited from remaining kernel objects and also 2671 * works as a glue between the audit hooks. 2672 * 2673 * Since repository entries are added but never deleted, we'll use 2674 * the smack_known label address related to the given audit rule as 2675 * the needed unique representation. This also better fits the smack 2676 * model where nearly everything is a label. 2677 */ 2678 #ifdef CONFIG_AUDIT 2679 2680 /** 2681 * smack_audit_rule_init - Initialize a smack audit rule 2682 * @field: audit rule fields given from user-space (audit.h) 2683 * @op: required testing operator (=, !=, >, <, ...) 2684 * @rulestr: smack label to be audited 2685 * @vrule: pointer to save our own audit rule representation 2686 * 2687 * Prepare to audit cases where (@field @op @rulestr) is true. 2688 * The label to be audited is created if necessay. 2689 */ 2690 static int smack_audit_rule_init(u32 field, u32 op, char *rulestr, void **vrule) 2691 { 2692 char **rule = (char **)vrule; 2693 *rule = NULL; 2694 2695 if (field != AUDIT_SUBJ_USER && field != AUDIT_OBJ_USER) 2696 return -EINVAL; 2697 2698 if (op != Audit_equal && op != Audit_not_equal) 2699 return -EINVAL; 2700 2701 *rule = smk_import(rulestr, 0); 2702 2703 return 0; 2704 } 2705 2706 /** 2707 * smack_audit_rule_known - Distinguish Smack audit rules 2708 * @krule: rule of interest, in Audit kernel representation format 2709 * 2710 * This is used to filter Smack rules from remaining Audit ones. 2711 * If it's proved that this rule belongs to us, the 2712 * audit_rule_match hook will be called to do the final judgement. 2713 */ 2714 static int smack_audit_rule_known(struct audit_krule *krule) 2715 { 2716 struct audit_field *f; 2717 int i; 2718 2719 for (i = 0; i < krule->field_count; i++) { 2720 f = &krule->fields[i]; 2721 2722 if (f->type == AUDIT_SUBJ_USER || f->type == AUDIT_OBJ_USER) 2723 return 1; 2724 } 2725 2726 return 0; 2727 } 2728 2729 /** 2730 * smack_audit_rule_match - Audit given object ? 2731 * @secid: security id for identifying the object to test 2732 * @field: audit rule flags given from user-space 2733 * @op: required testing operator 2734 * @vrule: smack internal rule presentation 2735 * @actx: audit context associated with the check 2736 * 2737 * The core Audit hook. It's used to take the decision of 2738 * whether to audit or not to audit a given object. 2739 */ 2740 static int smack_audit_rule_match(u32 secid, u32 field, u32 op, void *vrule, 2741 struct audit_context *actx) 2742 { 2743 char *smack; 2744 char *rule = vrule; 2745 2746 if (!rule) { 2747 audit_log(actx, GFP_KERNEL, AUDIT_SELINUX_ERR, 2748 "Smack: missing rule\n"); 2749 return -ENOENT; 2750 } 2751 2752 if (field != AUDIT_SUBJ_USER && field != AUDIT_OBJ_USER) 2753 return 0; 2754 2755 smack = smack_from_secid(secid); 2756 2757 /* 2758 * No need to do string comparisons. If a match occurs, 2759 * both pointers will point to the same smack_known 2760 * label. 2761 */ 2762 if (op == Audit_equal) 2763 return (rule == smack); 2764 if (op == Audit_not_equal) 2765 return (rule != smack); 2766 2767 return 0; 2768 } 2769 2770 /** 2771 * smack_audit_rule_free - free smack rule representation 2772 * @vrule: rule to be freed. 2773 * 2774 * No memory was allocated. 2775 */ 2776 static void smack_audit_rule_free(void *vrule) 2777 { 2778 /* No-op */ 2779 } 2780 2781 #endif /* CONFIG_AUDIT */ 2782 2783 /** 2784 * smack_secid_to_secctx - return the smack label for a secid 2785 * @secid: incoming integer 2786 * @secdata: destination 2787 * @seclen: how long it is 2788 * 2789 * Exists for networking code. 2790 */ 2791 static int smack_secid_to_secctx(u32 secid, char **secdata, u32 *seclen) 2792 { 2793 char *sp = smack_from_secid(secid); 2794 2795 *secdata = sp; 2796 *seclen = strlen(sp); 2797 return 0; 2798 } 2799 2800 /** 2801 * smack_secctx_to_secid - return the secid for a smack label 2802 * @secdata: smack label 2803 * @seclen: how long result is 2804 * @secid: outgoing integer 2805 * 2806 * Exists for audit and networking code. 2807 */ 2808 static int smack_secctx_to_secid(const char *secdata, u32 seclen, u32 *secid) 2809 { 2810 *secid = smack_to_secid(secdata); 2811 return 0; 2812 } 2813 2814 /** 2815 * smack_release_secctx - don't do anything. 2816 * @secdata: unused 2817 * @seclen: unused 2818 * 2819 * Exists to make sure nothing gets done, and properly 2820 */ 2821 static void smack_release_secctx(char *secdata, u32 seclen) 2822 { 2823 } 2824 2825 struct security_operations smack_ops = { 2826 .name = "smack", 2827 2828 .ptrace_may_access = smack_ptrace_may_access, 2829 .ptrace_traceme = smack_ptrace_traceme, 2830 .capget = cap_capget, 2831 .capset = cap_capset, 2832 .capable = cap_capable, 2833 .syslog = smack_syslog, 2834 .settime = cap_settime, 2835 .vm_enough_memory = cap_vm_enough_memory, 2836 2837 .bprm_set_creds = cap_bprm_set_creds, 2838 .bprm_secureexec = cap_bprm_secureexec, 2839 2840 .sb_alloc_security = smack_sb_alloc_security, 2841 .sb_free_security = smack_sb_free_security, 2842 .sb_copy_data = smack_sb_copy_data, 2843 .sb_kern_mount = smack_sb_kern_mount, 2844 .sb_statfs = smack_sb_statfs, 2845 .sb_mount = smack_sb_mount, 2846 .sb_umount = smack_sb_umount, 2847 2848 .inode_alloc_security = smack_inode_alloc_security, 2849 .inode_free_security = smack_inode_free_security, 2850 .inode_init_security = smack_inode_init_security, 2851 .inode_link = smack_inode_link, 2852 .inode_unlink = smack_inode_unlink, 2853 .inode_rmdir = smack_inode_rmdir, 2854 .inode_rename = smack_inode_rename, 2855 .inode_permission = smack_inode_permission, 2856 .inode_setattr = smack_inode_setattr, 2857 .inode_getattr = smack_inode_getattr, 2858 .inode_setxattr = smack_inode_setxattr, 2859 .inode_post_setxattr = smack_inode_post_setxattr, 2860 .inode_getxattr = smack_inode_getxattr, 2861 .inode_removexattr = smack_inode_removexattr, 2862 .inode_need_killpriv = cap_inode_need_killpriv, 2863 .inode_killpriv = cap_inode_killpriv, 2864 .inode_getsecurity = smack_inode_getsecurity, 2865 .inode_setsecurity = smack_inode_setsecurity, 2866 .inode_listsecurity = smack_inode_listsecurity, 2867 .inode_getsecid = smack_inode_getsecid, 2868 2869 .file_permission = smack_file_permission, 2870 .file_alloc_security = smack_file_alloc_security, 2871 .file_free_security = smack_file_free_security, 2872 .file_ioctl = smack_file_ioctl, 2873 .file_lock = smack_file_lock, 2874 .file_fcntl = smack_file_fcntl, 2875 .file_set_fowner = smack_file_set_fowner, 2876 .file_send_sigiotask = smack_file_send_sigiotask, 2877 .file_receive = smack_file_receive, 2878 2879 .cred_free = smack_cred_free, 2880 .cred_prepare = smack_cred_prepare, 2881 .cred_commit = smack_cred_commit, 2882 .kernel_act_as = smack_kernel_act_as, 2883 .kernel_create_files_as = smack_kernel_create_files_as, 2884 .task_fix_setuid = cap_task_fix_setuid, 2885 .task_setpgid = smack_task_setpgid, 2886 .task_getpgid = smack_task_getpgid, 2887 .task_getsid = smack_task_getsid, 2888 .task_getsecid = smack_task_getsecid, 2889 .task_setnice = smack_task_setnice, 2890 .task_setioprio = smack_task_setioprio, 2891 .task_getioprio = smack_task_getioprio, 2892 .task_setscheduler = smack_task_setscheduler, 2893 .task_getscheduler = smack_task_getscheduler, 2894 .task_movememory = smack_task_movememory, 2895 .task_kill = smack_task_kill, 2896 .task_wait = smack_task_wait, 2897 .task_to_inode = smack_task_to_inode, 2898 .task_prctl = cap_task_prctl, 2899 2900 .ipc_permission = smack_ipc_permission, 2901 .ipc_getsecid = smack_ipc_getsecid, 2902 2903 .msg_msg_alloc_security = smack_msg_msg_alloc_security, 2904 .msg_msg_free_security = smack_msg_msg_free_security, 2905 2906 .msg_queue_alloc_security = smack_msg_queue_alloc_security, 2907 .msg_queue_free_security = smack_msg_queue_free_security, 2908 .msg_queue_associate = smack_msg_queue_associate, 2909 .msg_queue_msgctl = smack_msg_queue_msgctl, 2910 .msg_queue_msgsnd = smack_msg_queue_msgsnd, 2911 .msg_queue_msgrcv = smack_msg_queue_msgrcv, 2912 2913 .shm_alloc_security = smack_shm_alloc_security, 2914 .shm_free_security = smack_shm_free_security, 2915 .shm_associate = smack_shm_associate, 2916 .shm_shmctl = smack_shm_shmctl, 2917 .shm_shmat = smack_shm_shmat, 2918 2919 .sem_alloc_security = smack_sem_alloc_security, 2920 .sem_free_security = smack_sem_free_security, 2921 .sem_associate = smack_sem_associate, 2922 .sem_semctl = smack_sem_semctl, 2923 .sem_semop = smack_sem_semop, 2924 2925 .netlink_send = cap_netlink_send, 2926 .netlink_recv = cap_netlink_recv, 2927 2928 .d_instantiate = smack_d_instantiate, 2929 2930 .getprocattr = smack_getprocattr, 2931 .setprocattr = smack_setprocattr, 2932 2933 .unix_stream_connect = smack_unix_stream_connect, 2934 .unix_may_send = smack_unix_may_send, 2935 2936 .socket_post_create = smack_socket_post_create, 2937 .socket_connect = smack_socket_connect, 2938 .socket_sendmsg = smack_socket_sendmsg, 2939 .socket_sock_rcv_skb = smack_socket_sock_rcv_skb, 2940 .socket_getpeersec_stream = smack_socket_getpeersec_stream, 2941 .socket_getpeersec_dgram = smack_socket_getpeersec_dgram, 2942 .sk_alloc_security = smack_sk_alloc_security, 2943 .sk_free_security = smack_sk_free_security, 2944 .sock_graft = smack_sock_graft, 2945 .inet_conn_request = smack_inet_conn_request, 2946 .inet_csk_clone = smack_inet_csk_clone, 2947 2948 /* key management security hooks */ 2949 #ifdef CONFIG_KEYS 2950 .key_alloc = smack_key_alloc, 2951 .key_free = smack_key_free, 2952 .key_permission = smack_key_permission, 2953 #endif /* CONFIG_KEYS */ 2954 2955 /* Audit hooks */ 2956 #ifdef CONFIG_AUDIT 2957 .audit_rule_init = smack_audit_rule_init, 2958 .audit_rule_known = smack_audit_rule_known, 2959 .audit_rule_match = smack_audit_rule_match, 2960 .audit_rule_free = smack_audit_rule_free, 2961 #endif /* CONFIG_AUDIT */ 2962 2963 .secid_to_secctx = smack_secid_to_secctx, 2964 .secctx_to_secid = smack_secctx_to_secid, 2965 .release_secctx = smack_release_secctx, 2966 }; 2967 2968 2969 static __init void init_smack_know_list(void) 2970 { 2971 list_add(&smack_known_huh.list, &smack_known_list); 2972 list_add(&smack_known_hat.list, &smack_known_list); 2973 list_add(&smack_known_star.list, &smack_known_list); 2974 list_add(&smack_known_floor.list, &smack_known_list); 2975 list_add(&smack_known_invalid.list, &smack_known_list); 2976 list_add(&smack_known_web.list, &smack_known_list); 2977 } 2978 2979 /** 2980 * smack_init - initialize the smack system 2981 * 2982 * Returns 0 2983 */ 2984 static __init int smack_init(void) 2985 { 2986 struct cred *cred; 2987 2988 if (!security_module_enable(&smack_ops)) 2989 return 0; 2990 2991 printk(KERN_INFO "Smack: Initializing.\n"); 2992 2993 /* 2994 * Set the security state for the initial task. 2995 */ 2996 cred = (struct cred *) current->cred; 2997 cred->security = &smack_known_floor.smk_known; 2998 2999 /* initilize the smack_know_list */ 3000 init_smack_know_list(); 3001 /* 3002 * Initialize locks 3003 */ 3004 spin_lock_init(&smack_known_huh.smk_cipsolock); 3005 spin_lock_init(&smack_known_hat.smk_cipsolock); 3006 spin_lock_init(&smack_known_star.smk_cipsolock); 3007 spin_lock_init(&smack_known_floor.smk_cipsolock); 3008 spin_lock_init(&smack_known_invalid.smk_cipsolock); 3009 3010 /* 3011 * Register with LSM 3012 */ 3013 if (register_security(&smack_ops)) 3014 panic("smack: Unable to register with kernel.\n"); 3015 3016 return 0; 3017 } 3018 3019 /* 3020 * Smack requires early initialization in order to label 3021 * all processes and objects when they are created. 3022 */ 3023 security_initcall(smack_init); 3024