1 // SPDX-License-Identifier: GPL-2.0-only 2 /* 3 * Simplified MAC Kernel (smack) security module 4 * 5 * This file contains the smack hook function implementations. 6 * 7 * Authors: 8 * Casey Schaufler <casey@schaufler-ca.com> 9 * Jarkko Sakkinen <jarkko.sakkinen@intel.com> 10 * 11 * Copyright (C) 2007 Casey Schaufler <casey@schaufler-ca.com> 12 * Copyright (C) 2009 Hewlett-Packard Development Company, L.P. 13 * Paul Moore <paul@paul-moore.com> 14 * Copyright (C) 2010 Nokia Corporation 15 * Copyright (C) 2011 Intel Corporation. 16 */ 17 18 #include <linux/xattr.h> 19 #include <linux/pagemap.h> 20 #include <linux/mount.h> 21 #include <linux/stat.h> 22 #include <linux/kd.h> 23 #include <asm/ioctls.h> 24 #include <linux/ip.h> 25 #include <linux/tcp.h> 26 #include <linux/udp.h> 27 #include <linux/dccp.h> 28 #include <linux/icmpv6.h> 29 #include <linux/slab.h> 30 #include <linux/mutex.h> 31 #include <linux/pipe_fs_i.h> 32 #include <net/cipso_ipv4.h> 33 #include <net/ip.h> 34 #include <net/ipv6.h> 35 #include <linux/audit.h> 36 #include <linux/magic.h> 37 #include <linux/dcache.h> 38 #include <linux/personality.h> 39 #include <linux/msg.h> 40 #include <linux/shm.h> 41 #include <linux/binfmts.h> 42 #include <linux/parser.h> 43 #include <linux/fs_context.h> 44 #include <linux/fs_parser.h> 45 #include "smack.h" 46 47 #define TRANS_TRUE "TRUE" 48 #define TRANS_TRUE_SIZE 4 49 50 #define SMK_CONNECTING 0 51 #define SMK_RECEIVING 1 52 #define SMK_SENDING 2 53 54 #ifdef SMACK_IPV6_PORT_LABELING 55 DEFINE_MUTEX(smack_ipv6_lock); 56 static LIST_HEAD(smk_ipv6_port_list); 57 #endif 58 static struct kmem_cache *smack_inode_cache; 59 struct kmem_cache *smack_rule_cache; 60 int smack_enabled; 61 62 #define A(s) {"smack"#s, sizeof("smack"#s) - 1, Opt_##s} 63 static struct { 64 const char *name; 65 int len; 66 int opt; 67 } smk_mount_opts[] = { 68 {"smackfsdef", sizeof("smackfsdef") - 1, Opt_fsdefault}, 69 A(fsdefault), A(fsfloor), A(fshat), A(fsroot), A(fstransmute) 70 }; 71 #undef A 72 73 static int match_opt_prefix(char *s, int l, char **arg) 74 { 75 int i; 76 77 for (i = 0; i < ARRAY_SIZE(smk_mount_opts); i++) { 78 size_t len = smk_mount_opts[i].len; 79 if (len > l || memcmp(s, smk_mount_opts[i].name, len)) 80 continue; 81 if (len == l || s[len] != '=') 82 continue; 83 *arg = s + len + 1; 84 return smk_mount_opts[i].opt; 85 } 86 return Opt_error; 87 } 88 89 #ifdef CONFIG_SECURITY_SMACK_BRINGUP 90 static char *smk_bu_mess[] = { 91 "Bringup Error", /* Unused */ 92 "Bringup", /* SMACK_BRINGUP_ALLOW */ 93 "Unconfined Subject", /* SMACK_UNCONFINED_SUBJECT */ 94 "Unconfined Object", /* SMACK_UNCONFINED_OBJECT */ 95 }; 96 97 static void smk_bu_mode(int mode, char *s) 98 { 99 int i = 0; 100 101 if (mode & MAY_READ) 102 s[i++] = 'r'; 103 if (mode & MAY_WRITE) 104 s[i++] = 'w'; 105 if (mode & MAY_EXEC) 106 s[i++] = 'x'; 107 if (mode & MAY_APPEND) 108 s[i++] = 'a'; 109 if (mode & MAY_TRANSMUTE) 110 s[i++] = 't'; 111 if (mode & MAY_LOCK) 112 s[i++] = 'l'; 113 if (i == 0) 114 s[i++] = '-'; 115 s[i] = '\0'; 116 } 117 #endif 118 119 #ifdef CONFIG_SECURITY_SMACK_BRINGUP 120 static int smk_bu_note(char *note, struct smack_known *sskp, 121 struct smack_known *oskp, int mode, int rc) 122 { 123 char acc[SMK_NUM_ACCESS_TYPE + 1]; 124 125 if (rc <= 0) 126 return rc; 127 if (rc > SMACK_UNCONFINED_OBJECT) 128 rc = 0; 129 130 smk_bu_mode(mode, acc); 131 pr_info("Smack %s: (%s %s %s) %s\n", smk_bu_mess[rc], 132 sskp->smk_known, oskp->smk_known, acc, note); 133 return 0; 134 } 135 #else 136 #define smk_bu_note(note, sskp, oskp, mode, RC) (RC) 137 #endif 138 139 #ifdef CONFIG_SECURITY_SMACK_BRINGUP 140 static int smk_bu_current(char *note, struct smack_known *oskp, 141 int mode, int rc) 142 { 143 struct task_smack *tsp = smack_cred(current_cred()); 144 char acc[SMK_NUM_ACCESS_TYPE + 1]; 145 146 if (rc <= 0) 147 return rc; 148 if (rc > SMACK_UNCONFINED_OBJECT) 149 rc = 0; 150 151 smk_bu_mode(mode, acc); 152 pr_info("Smack %s: (%s %s %s) %s %s\n", smk_bu_mess[rc], 153 tsp->smk_task->smk_known, oskp->smk_known, 154 acc, current->comm, note); 155 return 0; 156 } 157 #else 158 #define smk_bu_current(note, oskp, mode, RC) (RC) 159 #endif 160 161 #ifdef CONFIG_SECURITY_SMACK_BRINGUP 162 static int smk_bu_task(struct task_struct *otp, int mode, int rc) 163 { 164 struct task_smack *tsp = smack_cred(current_cred()); 165 struct smack_known *smk_task = smk_of_task_struct(otp); 166 char acc[SMK_NUM_ACCESS_TYPE + 1]; 167 168 if (rc <= 0) 169 return rc; 170 if (rc > SMACK_UNCONFINED_OBJECT) 171 rc = 0; 172 173 smk_bu_mode(mode, acc); 174 pr_info("Smack %s: (%s %s %s) %s to %s\n", smk_bu_mess[rc], 175 tsp->smk_task->smk_known, smk_task->smk_known, acc, 176 current->comm, otp->comm); 177 return 0; 178 } 179 #else 180 #define smk_bu_task(otp, mode, RC) (RC) 181 #endif 182 183 #ifdef CONFIG_SECURITY_SMACK_BRINGUP 184 static int smk_bu_inode(struct inode *inode, int mode, int rc) 185 { 186 struct task_smack *tsp = smack_cred(current_cred()); 187 struct inode_smack *isp = smack_inode(inode); 188 char acc[SMK_NUM_ACCESS_TYPE + 1]; 189 190 if (isp->smk_flags & SMK_INODE_IMPURE) 191 pr_info("Smack Unconfined Corruption: inode=(%s %ld) %s\n", 192 inode->i_sb->s_id, inode->i_ino, current->comm); 193 194 if (rc <= 0) 195 return rc; 196 if (rc > SMACK_UNCONFINED_OBJECT) 197 rc = 0; 198 if (rc == SMACK_UNCONFINED_SUBJECT && 199 (mode & (MAY_WRITE | MAY_APPEND))) 200 isp->smk_flags |= SMK_INODE_IMPURE; 201 202 smk_bu_mode(mode, acc); 203 204 pr_info("Smack %s: (%s %s %s) inode=(%s %ld) %s\n", smk_bu_mess[rc], 205 tsp->smk_task->smk_known, isp->smk_inode->smk_known, acc, 206 inode->i_sb->s_id, inode->i_ino, current->comm); 207 return 0; 208 } 209 #else 210 #define smk_bu_inode(inode, mode, RC) (RC) 211 #endif 212 213 #ifdef CONFIG_SECURITY_SMACK_BRINGUP 214 static int smk_bu_file(struct file *file, int mode, int rc) 215 { 216 struct task_smack *tsp = smack_cred(current_cred()); 217 struct smack_known *sskp = tsp->smk_task; 218 struct inode *inode = file_inode(file); 219 struct inode_smack *isp = smack_inode(inode); 220 char acc[SMK_NUM_ACCESS_TYPE + 1]; 221 222 if (isp->smk_flags & SMK_INODE_IMPURE) 223 pr_info("Smack Unconfined Corruption: inode=(%s %ld) %s\n", 224 inode->i_sb->s_id, inode->i_ino, current->comm); 225 226 if (rc <= 0) 227 return rc; 228 if (rc > SMACK_UNCONFINED_OBJECT) 229 rc = 0; 230 231 smk_bu_mode(mode, acc); 232 pr_info("Smack %s: (%s %s %s) file=(%s %ld %pD) %s\n", smk_bu_mess[rc], 233 sskp->smk_known, smk_of_inode(inode)->smk_known, acc, 234 inode->i_sb->s_id, inode->i_ino, file, 235 current->comm); 236 return 0; 237 } 238 #else 239 #define smk_bu_file(file, mode, RC) (RC) 240 #endif 241 242 #ifdef CONFIG_SECURITY_SMACK_BRINGUP 243 static int smk_bu_credfile(const struct cred *cred, struct file *file, 244 int mode, int rc) 245 { 246 struct task_smack *tsp = smack_cred(cred); 247 struct smack_known *sskp = tsp->smk_task; 248 struct inode *inode = file_inode(file); 249 struct inode_smack *isp = smack_inode(inode); 250 char acc[SMK_NUM_ACCESS_TYPE + 1]; 251 252 if (isp->smk_flags & SMK_INODE_IMPURE) 253 pr_info("Smack Unconfined Corruption: inode=(%s %ld) %s\n", 254 inode->i_sb->s_id, inode->i_ino, current->comm); 255 256 if (rc <= 0) 257 return rc; 258 if (rc > SMACK_UNCONFINED_OBJECT) 259 rc = 0; 260 261 smk_bu_mode(mode, acc); 262 pr_info("Smack %s: (%s %s %s) file=(%s %ld %pD) %s\n", smk_bu_mess[rc], 263 sskp->smk_known, smk_of_inode(inode)->smk_known, acc, 264 inode->i_sb->s_id, inode->i_ino, file, 265 current->comm); 266 return 0; 267 } 268 #else 269 #define smk_bu_credfile(cred, file, mode, RC) (RC) 270 #endif 271 272 /** 273 * smk_fetch - Fetch the smack label from a file. 274 * @name: type of the label (attribute) 275 * @ip: a pointer to the inode 276 * @dp: a pointer to the dentry 277 * 278 * Returns a pointer to the master list entry for the Smack label, 279 * NULL if there was no label to fetch, or an error code. 280 */ 281 static struct smack_known *smk_fetch(const char *name, struct inode *ip, 282 struct dentry *dp) 283 { 284 int rc; 285 char *buffer; 286 struct smack_known *skp = NULL; 287 288 if (!(ip->i_opflags & IOP_XATTR)) 289 return ERR_PTR(-EOPNOTSUPP); 290 291 buffer = kzalloc(SMK_LONGLABEL, GFP_NOFS); 292 if (buffer == NULL) 293 return ERR_PTR(-ENOMEM); 294 295 rc = __vfs_getxattr(dp, ip, name, buffer, SMK_LONGLABEL); 296 if (rc < 0) 297 skp = ERR_PTR(rc); 298 else if (rc == 0) 299 skp = NULL; 300 else 301 skp = smk_import_entry(buffer, rc); 302 303 kfree(buffer); 304 305 return skp; 306 } 307 308 /** 309 * init_inode_smack - initialize an inode security blob 310 * @inode: inode to extract the info from 311 * @skp: a pointer to the Smack label entry to use in the blob 312 * 313 */ 314 static void init_inode_smack(struct inode *inode, struct smack_known *skp) 315 { 316 struct inode_smack *isp = smack_inode(inode); 317 318 isp->smk_inode = skp; 319 isp->smk_flags = 0; 320 mutex_init(&isp->smk_lock); 321 } 322 323 /** 324 * init_task_smack - initialize a task security blob 325 * @tsp: blob to initialize 326 * @task: a pointer to the Smack label for the running task 327 * @forked: a pointer to the Smack label for the forked task 328 * 329 */ 330 static void init_task_smack(struct task_smack *tsp, struct smack_known *task, 331 struct smack_known *forked) 332 { 333 tsp->smk_task = task; 334 tsp->smk_forked = forked; 335 INIT_LIST_HEAD(&tsp->smk_rules); 336 INIT_LIST_HEAD(&tsp->smk_relabel); 337 mutex_init(&tsp->smk_rules_lock); 338 } 339 340 /** 341 * smk_copy_rules - copy a rule set 342 * @nhead: new rules header pointer 343 * @ohead: old rules header pointer 344 * @gfp: type of the memory for the allocation 345 * 346 * Returns 0 on success, -ENOMEM on error 347 */ 348 static int smk_copy_rules(struct list_head *nhead, struct list_head *ohead, 349 gfp_t gfp) 350 { 351 struct smack_rule *nrp; 352 struct smack_rule *orp; 353 int rc = 0; 354 355 list_for_each_entry_rcu(orp, ohead, list) { 356 nrp = kmem_cache_zalloc(smack_rule_cache, gfp); 357 if (nrp == NULL) { 358 rc = -ENOMEM; 359 break; 360 } 361 *nrp = *orp; 362 list_add_rcu(&nrp->list, nhead); 363 } 364 return rc; 365 } 366 367 /** 368 * smk_copy_relabel - copy smk_relabel labels list 369 * @nhead: new rules header pointer 370 * @ohead: old rules header pointer 371 * @gfp: type of the memory for the allocation 372 * 373 * Returns 0 on success, -ENOMEM on error 374 */ 375 static int smk_copy_relabel(struct list_head *nhead, struct list_head *ohead, 376 gfp_t gfp) 377 { 378 struct smack_known_list_elem *nklep; 379 struct smack_known_list_elem *oklep; 380 381 list_for_each_entry(oklep, ohead, list) { 382 nklep = kzalloc(sizeof(struct smack_known_list_elem), gfp); 383 if (nklep == NULL) { 384 smk_destroy_label_list(nhead); 385 return -ENOMEM; 386 } 387 nklep->smk_label = oklep->smk_label; 388 list_add(&nklep->list, nhead); 389 } 390 391 return 0; 392 } 393 394 /** 395 * smk_ptrace_mode - helper function for converting PTRACE_MODE_* into MAY_* 396 * @mode - input mode in form of PTRACE_MODE_* 397 * 398 * Returns a converted MAY_* mode usable by smack rules 399 */ 400 static inline unsigned int smk_ptrace_mode(unsigned int mode) 401 { 402 if (mode & PTRACE_MODE_ATTACH) 403 return MAY_READWRITE; 404 if (mode & PTRACE_MODE_READ) 405 return MAY_READ; 406 407 return 0; 408 } 409 410 /** 411 * smk_ptrace_rule_check - helper for ptrace access 412 * @tracer: tracer process 413 * @tracee_known: label entry of the process that's about to be traced 414 * @mode: ptrace attachment mode (PTRACE_MODE_*) 415 * @func: name of the function that called us, used for audit 416 * 417 * Returns 0 on access granted, -error on error 418 */ 419 static int smk_ptrace_rule_check(struct task_struct *tracer, 420 struct smack_known *tracee_known, 421 unsigned int mode, const char *func) 422 { 423 int rc; 424 struct smk_audit_info ad, *saip = NULL; 425 struct task_smack *tsp; 426 struct smack_known *tracer_known; 427 const struct cred *tracercred; 428 429 if ((mode & PTRACE_MODE_NOAUDIT) == 0) { 430 smk_ad_init(&ad, func, LSM_AUDIT_DATA_TASK); 431 smk_ad_setfield_u_tsk(&ad, tracer); 432 saip = &ad; 433 } 434 435 rcu_read_lock(); 436 tracercred = __task_cred(tracer); 437 tsp = smack_cred(tracercred); 438 tracer_known = smk_of_task(tsp); 439 440 if ((mode & PTRACE_MODE_ATTACH) && 441 (smack_ptrace_rule == SMACK_PTRACE_EXACT || 442 smack_ptrace_rule == SMACK_PTRACE_DRACONIAN)) { 443 if (tracer_known->smk_known == tracee_known->smk_known) 444 rc = 0; 445 else if (smack_ptrace_rule == SMACK_PTRACE_DRACONIAN) 446 rc = -EACCES; 447 else if (smack_privileged_cred(CAP_SYS_PTRACE, tracercred)) 448 rc = 0; 449 else 450 rc = -EACCES; 451 452 if (saip) 453 smack_log(tracer_known->smk_known, 454 tracee_known->smk_known, 455 0, rc, saip); 456 457 rcu_read_unlock(); 458 return rc; 459 } 460 461 /* In case of rule==SMACK_PTRACE_DEFAULT or mode==PTRACE_MODE_READ */ 462 rc = smk_tskacc(tsp, tracee_known, smk_ptrace_mode(mode), saip); 463 464 rcu_read_unlock(); 465 return rc; 466 } 467 468 /* 469 * LSM hooks. 470 * We he, that is fun! 471 */ 472 473 /** 474 * smack_ptrace_access_check - Smack approval on PTRACE_ATTACH 475 * @ctp: child task pointer 476 * @mode: ptrace attachment mode (PTRACE_MODE_*) 477 * 478 * Returns 0 if access is OK, an error code otherwise 479 * 480 * Do the capability checks. 481 */ 482 static int smack_ptrace_access_check(struct task_struct *ctp, unsigned int mode) 483 { 484 struct smack_known *skp; 485 486 skp = smk_of_task_struct(ctp); 487 488 return smk_ptrace_rule_check(current, skp, mode, __func__); 489 } 490 491 /** 492 * smack_ptrace_traceme - Smack approval on PTRACE_TRACEME 493 * @ptp: parent task pointer 494 * 495 * Returns 0 if access is OK, an error code otherwise 496 * 497 * Do the capability checks, and require PTRACE_MODE_ATTACH. 498 */ 499 static int smack_ptrace_traceme(struct task_struct *ptp) 500 { 501 int rc; 502 struct smack_known *skp; 503 504 skp = smk_of_task(smack_cred(current_cred())); 505 506 rc = smk_ptrace_rule_check(ptp, skp, PTRACE_MODE_ATTACH, __func__); 507 return rc; 508 } 509 510 /** 511 * smack_syslog - Smack approval on syslog 512 * @typefrom_file: unused 513 * 514 * Returns 0 on success, error code otherwise. 515 */ 516 static int smack_syslog(int typefrom_file) 517 { 518 int rc = 0; 519 struct smack_known *skp = smk_of_current(); 520 521 if (smack_privileged(CAP_MAC_OVERRIDE)) 522 return 0; 523 524 if (smack_syslog_label != NULL && smack_syslog_label != skp) 525 rc = -EACCES; 526 527 return rc; 528 } 529 530 /* 531 * Superblock Hooks. 532 */ 533 534 /** 535 * smack_sb_alloc_security - allocate a superblock blob 536 * @sb: the superblock getting the blob 537 * 538 * Returns 0 on success or -ENOMEM on error. 539 */ 540 static int smack_sb_alloc_security(struct super_block *sb) 541 { 542 struct superblock_smack *sbsp; 543 544 sbsp = kzalloc(sizeof(struct superblock_smack), GFP_KERNEL); 545 546 if (sbsp == NULL) 547 return -ENOMEM; 548 549 sbsp->smk_root = &smack_known_floor; 550 sbsp->smk_default = &smack_known_floor; 551 sbsp->smk_floor = &smack_known_floor; 552 sbsp->smk_hat = &smack_known_hat; 553 /* 554 * SMK_SB_INITIALIZED will be zero from kzalloc. 555 */ 556 sb->s_security = sbsp; 557 558 return 0; 559 } 560 561 /** 562 * smack_sb_free_security - free a superblock blob 563 * @sb: the superblock getting the blob 564 * 565 */ 566 static void smack_sb_free_security(struct super_block *sb) 567 { 568 kfree(sb->s_security); 569 sb->s_security = NULL; 570 } 571 572 struct smack_mnt_opts { 573 const char *fsdefault, *fsfloor, *fshat, *fsroot, *fstransmute; 574 }; 575 576 static void smack_free_mnt_opts(void *mnt_opts) 577 { 578 struct smack_mnt_opts *opts = mnt_opts; 579 kfree(opts->fsdefault); 580 kfree(opts->fsfloor); 581 kfree(opts->fshat); 582 kfree(opts->fsroot); 583 kfree(opts->fstransmute); 584 kfree(opts); 585 } 586 587 static int smack_add_opt(int token, const char *s, void **mnt_opts) 588 { 589 struct smack_mnt_opts *opts = *mnt_opts; 590 591 if (!opts) { 592 opts = kzalloc(sizeof(struct smack_mnt_opts), GFP_KERNEL); 593 if (!opts) 594 return -ENOMEM; 595 *mnt_opts = opts; 596 } 597 if (!s) 598 return -ENOMEM; 599 600 switch (token) { 601 case Opt_fsdefault: 602 if (opts->fsdefault) 603 goto out_opt_err; 604 opts->fsdefault = s; 605 break; 606 case Opt_fsfloor: 607 if (opts->fsfloor) 608 goto out_opt_err; 609 opts->fsfloor = s; 610 break; 611 case Opt_fshat: 612 if (opts->fshat) 613 goto out_opt_err; 614 opts->fshat = s; 615 break; 616 case Opt_fsroot: 617 if (opts->fsroot) 618 goto out_opt_err; 619 opts->fsroot = s; 620 break; 621 case Opt_fstransmute: 622 if (opts->fstransmute) 623 goto out_opt_err; 624 opts->fstransmute = s; 625 break; 626 } 627 return 0; 628 629 out_opt_err: 630 pr_warn("Smack: duplicate mount options\n"); 631 return -EINVAL; 632 } 633 634 /** 635 * smack_fs_context_dup - Duplicate the security data on fs_context duplication 636 * @fc: The new filesystem context. 637 * @src_fc: The source filesystem context being duplicated. 638 * 639 * Returns 0 on success or -ENOMEM on error. 640 */ 641 static int smack_fs_context_dup(struct fs_context *fc, 642 struct fs_context *src_fc) 643 { 644 struct smack_mnt_opts *dst, *src = src_fc->security; 645 646 if (!src) 647 return 0; 648 649 fc->security = kzalloc(sizeof(struct smack_mnt_opts), GFP_KERNEL); 650 if (!fc->security) 651 return -ENOMEM; 652 dst = fc->security; 653 654 if (src->fsdefault) { 655 dst->fsdefault = kstrdup(src->fsdefault, GFP_KERNEL); 656 if (!dst->fsdefault) 657 return -ENOMEM; 658 } 659 if (src->fsfloor) { 660 dst->fsfloor = kstrdup(src->fsfloor, GFP_KERNEL); 661 if (!dst->fsfloor) 662 return -ENOMEM; 663 } 664 if (src->fshat) { 665 dst->fshat = kstrdup(src->fshat, GFP_KERNEL); 666 if (!dst->fshat) 667 return -ENOMEM; 668 } 669 if (src->fsroot) { 670 dst->fsroot = kstrdup(src->fsroot, GFP_KERNEL); 671 if (!dst->fsroot) 672 return -ENOMEM; 673 } 674 if (src->fstransmute) { 675 dst->fstransmute = kstrdup(src->fstransmute, GFP_KERNEL); 676 if (!dst->fstransmute) 677 return -ENOMEM; 678 } 679 return 0; 680 } 681 682 static const struct fs_parameter_spec smack_param_specs[] = { 683 fsparam_string("smackfsdef", Opt_fsdefault), 684 fsparam_string("smackfsdefault", Opt_fsdefault), 685 fsparam_string("smackfsfloor", Opt_fsfloor), 686 fsparam_string("smackfshat", Opt_fshat), 687 fsparam_string("smackfsroot", Opt_fsroot), 688 fsparam_string("smackfstransmute", Opt_fstransmute), 689 {} 690 }; 691 692 static const struct fs_parameter_description smack_fs_parameters = { 693 .name = "smack", 694 .specs = smack_param_specs, 695 }; 696 697 /** 698 * smack_fs_context_parse_param - Parse a single mount parameter 699 * @fc: The new filesystem context being constructed. 700 * @param: The parameter. 701 * 702 * Returns 0 on success, -ENOPARAM to pass the parameter on or anything else on 703 * error. 704 */ 705 static int smack_fs_context_parse_param(struct fs_context *fc, 706 struct fs_parameter *param) 707 { 708 struct fs_parse_result result; 709 int opt, rc; 710 711 opt = fs_parse(fc, &smack_fs_parameters, param, &result); 712 if (opt < 0) 713 return opt; 714 715 rc = smack_add_opt(opt, param->string, &fc->security); 716 if (!rc) 717 param->string = NULL; 718 return rc; 719 } 720 721 static int smack_sb_eat_lsm_opts(char *options, void **mnt_opts) 722 { 723 char *from = options, *to = options; 724 bool first = true; 725 726 while (1) { 727 char *next = strchr(from, ','); 728 int token, len, rc; 729 char *arg = NULL; 730 731 if (next) 732 len = next - from; 733 else 734 len = strlen(from); 735 736 token = match_opt_prefix(from, len, &arg); 737 if (token != Opt_error) { 738 arg = kmemdup_nul(arg, from + len - arg, GFP_KERNEL); 739 rc = smack_add_opt(token, arg, mnt_opts); 740 if (unlikely(rc)) { 741 kfree(arg); 742 if (*mnt_opts) 743 smack_free_mnt_opts(*mnt_opts); 744 *mnt_opts = NULL; 745 return rc; 746 } 747 } else { 748 if (!first) { // copy with preceding comma 749 from--; 750 len++; 751 } 752 if (to != from) 753 memmove(to, from, len); 754 to += len; 755 first = false; 756 } 757 if (!from[len]) 758 break; 759 from += len + 1; 760 } 761 *to = '\0'; 762 return 0; 763 } 764 765 /** 766 * smack_set_mnt_opts - set Smack specific mount options 767 * @sb: the file system superblock 768 * @mnt_opts: Smack mount options 769 * @kern_flags: mount option from kernel space or user space 770 * @set_kern_flags: where to store converted mount opts 771 * 772 * Returns 0 on success, an error code on failure 773 * 774 * Allow filesystems with binary mount data to explicitly set Smack mount 775 * labels. 776 */ 777 static int smack_set_mnt_opts(struct super_block *sb, 778 void *mnt_opts, 779 unsigned long kern_flags, 780 unsigned long *set_kern_flags) 781 { 782 struct dentry *root = sb->s_root; 783 struct inode *inode = d_backing_inode(root); 784 struct superblock_smack *sp = sb->s_security; 785 struct inode_smack *isp; 786 struct smack_known *skp; 787 struct smack_mnt_opts *opts = mnt_opts; 788 bool transmute = false; 789 790 if (sp->smk_flags & SMK_SB_INITIALIZED) 791 return 0; 792 793 if (inode->i_security == NULL) { 794 int rc = lsm_inode_alloc(inode); 795 796 if (rc) 797 return rc; 798 } 799 800 if (!smack_privileged(CAP_MAC_ADMIN)) { 801 /* 802 * Unprivileged mounts don't get to specify Smack values. 803 */ 804 if (opts) 805 return -EPERM; 806 /* 807 * Unprivileged mounts get root and default from the caller. 808 */ 809 skp = smk_of_current(); 810 sp->smk_root = skp; 811 sp->smk_default = skp; 812 /* 813 * For a handful of fs types with no user-controlled 814 * backing store it's okay to trust security labels 815 * in the filesystem. The rest are untrusted. 816 */ 817 if (sb->s_user_ns != &init_user_ns && 818 sb->s_magic != SYSFS_MAGIC && sb->s_magic != TMPFS_MAGIC && 819 sb->s_magic != RAMFS_MAGIC) { 820 transmute = true; 821 sp->smk_flags |= SMK_SB_UNTRUSTED; 822 } 823 } 824 825 sp->smk_flags |= SMK_SB_INITIALIZED; 826 827 if (opts) { 828 if (opts->fsdefault) { 829 skp = smk_import_entry(opts->fsdefault, 0); 830 if (IS_ERR(skp)) 831 return PTR_ERR(skp); 832 sp->smk_default = skp; 833 } 834 if (opts->fsfloor) { 835 skp = smk_import_entry(opts->fsfloor, 0); 836 if (IS_ERR(skp)) 837 return PTR_ERR(skp); 838 sp->smk_floor = skp; 839 } 840 if (opts->fshat) { 841 skp = smk_import_entry(opts->fshat, 0); 842 if (IS_ERR(skp)) 843 return PTR_ERR(skp); 844 sp->smk_hat = skp; 845 } 846 if (opts->fsroot) { 847 skp = smk_import_entry(opts->fsroot, 0); 848 if (IS_ERR(skp)) 849 return PTR_ERR(skp); 850 sp->smk_root = skp; 851 } 852 if (opts->fstransmute) { 853 skp = smk_import_entry(opts->fstransmute, 0); 854 if (IS_ERR(skp)) 855 return PTR_ERR(skp); 856 sp->smk_root = skp; 857 transmute = true; 858 } 859 } 860 861 /* 862 * Initialize the root inode. 863 */ 864 init_inode_smack(inode, sp->smk_root); 865 866 if (transmute) { 867 isp = smack_inode(inode); 868 isp->smk_flags |= SMK_INODE_TRANSMUTE; 869 } 870 871 return 0; 872 } 873 874 /** 875 * smack_sb_statfs - Smack check on statfs 876 * @dentry: identifies the file system in question 877 * 878 * Returns 0 if current can read the floor of the filesystem, 879 * and error code otherwise 880 */ 881 static int smack_sb_statfs(struct dentry *dentry) 882 { 883 struct superblock_smack *sbp = dentry->d_sb->s_security; 884 int rc; 885 struct smk_audit_info ad; 886 887 smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_DENTRY); 888 smk_ad_setfield_u_fs_path_dentry(&ad, dentry); 889 890 rc = smk_curacc(sbp->smk_floor, MAY_READ, &ad); 891 rc = smk_bu_current("statfs", sbp->smk_floor, MAY_READ, rc); 892 return rc; 893 } 894 895 /* 896 * BPRM hooks 897 */ 898 899 /** 900 * smack_bprm_set_creds - set creds for exec 901 * @bprm: the exec information 902 * 903 * Returns 0 if it gets a blob, -EPERM if exec forbidden and -ENOMEM otherwise 904 */ 905 static int smack_bprm_set_creds(struct linux_binprm *bprm) 906 { 907 struct inode *inode = file_inode(bprm->file); 908 struct task_smack *bsp = smack_cred(bprm->cred); 909 struct inode_smack *isp; 910 struct superblock_smack *sbsp; 911 int rc; 912 913 if (bprm->called_set_creds) 914 return 0; 915 916 isp = smack_inode(inode); 917 if (isp->smk_task == NULL || isp->smk_task == bsp->smk_task) 918 return 0; 919 920 sbsp = inode->i_sb->s_security; 921 if ((sbsp->smk_flags & SMK_SB_UNTRUSTED) && 922 isp->smk_task != sbsp->smk_root) 923 return 0; 924 925 if (bprm->unsafe & LSM_UNSAFE_PTRACE) { 926 struct task_struct *tracer; 927 rc = 0; 928 929 rcu_read_lock(); 930 tracer = ptrace_parent(current); 931 if (likely(tracer != NULL)) 932 rc = smk_ptrace_rule_check(tracer, 933 isp->smk_task, 934 PTRACE_MODE_ATTACH, 935 __func__); 936 rcu_read_unlock(); 937 938 if (rc != 0) 939 return rc; 940 } 941 if (bprm->unsafe & ~LSM_UNSAFE_PTRACE) 942 return -EPERM; 943 944 bsp->smk_task = isp->smk_task; 945 bprm->per_clear |= PER_CLEAR_ON_SETID; 946 947 /* Decide if this is a secure exec. */ 948 if (bsp->smk_task != bsp->smk_forked) 949 bprm->secureexec = 1; 950 951 return 0; 952 } 953 954 /* 955 * Inode hooks 956 */ 957 958 /** 959 * smack_inode_alloc_security - allocate an inode blob 960 * @inode: the inode in need of a blob 961 * 962 * Returns 0 963 */ 964 static int smack_inode_alloc_security(struct inode *inode) 965 { 966 struct smack_known *skp = smk_of_current(); 967 968 init_inode_smack(inode, skp); 969 return 0; 970 } 971 972 /** 973 * smack_inode_init_security - copy out the smack from an inode 974 * @inode: the newly created inode 975 * @dir: containing directory object 976 * @qstr: unused 977 * @name: where to put the attribute name 978 * @value: where to put the attribute value 979 * @len: where to put the length of the attribute 980 * 981 * Returns 0 if it all works out, -ENOMEM if there's no memory 982 */ 983 static int smack_inode_init_security(struct inode *inode, struct inode *dir, 984 const struct qstr *qstr, const char **name, 985 void **value, size_t *len) 986 { 987 struct inode_smack *issp = smack_inode(inode); 988 struct smack_known *skp = smk_of_current(); 989 struct smack_known *isp = smk_of_inode(inode); 990 struct smack_known *dsp = smk_of_inode(dir); 991 int may; 992 993 if (name) 994 *name = XATTR_SMACK_SUFFIX; 995 996 if (value && len) { 997 rcu_read_lock(); 998 may = smk_access_entry(skp->smk_known, dsp->smk_known, 999 &skp->smk_rules); 1000 rcu_read_unlock(); 1001 1002 /* 1003 * If the access rule allows transmutation and 1004 * the directory requests transmutation then 1005 * by all means transmute. 1006 * Mark the inode as changed. 1007 */ 1008 if (may > 0 && ((may & MAY_TRANSMUTE) != 0) && 1009 smk_inode_transmutable(dir)) { 1010 isp = dsp; 1011 issp->smk_flags |= SMK_INODE_CHANGED; 1012 } 1013 1014 *value = kstrdup(isp->smk_known, GFP_NOFS); 1015 if (*value == NULL) 1016 return -ENOMEM; 1017 1018 *len = strlen(isp->smk_known); 1019 } 1020 1021 return 0; 1022 } 1023 1024 /** 1025 * smack_inode_link - Smack check on link 1026 * @old_dentry: the existing object 1027 * @dir: unused 1028 * @new_dentry: the new object 1029 * 1030 * Returns 0 if access is permitted, an error code otherwise 1031 */ 1032 static int smack_inode_link(struct dentry *old_dentry, struct inode *dir, 1033 struct dentry *new_dentry) 1034 { 1035 struct smack_known *isp; 1036 struct smk_audit_info ad; 1037 int rc; 1038 1039 smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_DENTRY); 1040 smk_ad_setfield_u_fs_path_dentry(&ad, old_dentry); 1041 1042 isp = smk_of_inode(d_backing_inode(old_dentry)); 1043 rc = smk_curacc(isp, MAY_WRITE, &ad); 1044 rc = smk_bu_inode(d_backing_inode(old_dentry), MAY_WRITE, rc); 1045 1046 if (rc == 0 && d_is_positive(new_dentry)) { 1047 isp = smk_of_inode(d_backing_inode(new_dentry)); 1048 smk_ad_setfield_u_fs_path_dentry(&ad, new_dentry); 1049 rc = smk_curacc(isp, MAY_WRITE, &ad); 1050 rc = smk_bu_inode(d_backing_inode(new_dentry), MAY_WRITE, rc); 1051 } 1052 1053 return rc; 1054 } 1055 1056 /** 1057 * smack_inode_unlink - Smack check on inode deletion 1058 * @dir: containing directory object 1059 * @dentry: file to unlink 1060 * 1061 * Returns 0 if current can write the containing directory 1062 * and the object, error code otherwise 1063 */ 1064 static int smack_inode_unlink(struct inode *dir, struct dentry *dentry) 1065 { 1066 struct inode *ip = d_backing_inode(dentry); 1067 struct smk_audit_info ad; 1068 int rc; 1069 1070 smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_DENTRY); 1071 smk_ad_setfield_u_fs_path_dentry(&ad, dentry); 1072 1073 /* 1074 * You need write access to the thing you're unlinking 1075 */ 1076 rc = smk_curacc(smk_of_inode(ip), MAY_WRITE, &ad); 1077 rc = smk_bu_inode(ip, MAY_WRITE, rc); 1078 if (rc == 0) { 1079 /* 1080 * You also need write access to the containing directory 1081 */ 1082 smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_INODE); 1083 smk_ad_setfield_u_fs_inode(&ad, dir); 1084 rc = smk_curacc(smk_of_inode(dir), MAY_WRITE, &ad); 1085 rc = smk_bu_inode(dir, MAY_WRITE, rc); 1086 } 1087 return rc; 1088 } 1089 1090 /** 1091 * smack_inode_rmdir - Smack check on directory deletion 1092 * @dir: containing directory object 1093 * @dentry: directory to unlink 1094 * 1095 * Returns 0 if current can write the containing directory 1096 * and the directory, error code otherwise 1097 */ 1098 static int smack_inode_rmdir(struct inode *dir, struct dentry *dentry) 1099 { 1100 struct smk_audit_info ad; 1101 int rc; 1102 1103 smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_DENTRY); 1104 smk_ad_setfield_u_fs_path_dentry(&ad, dentry); 1105 1106 /* 1107 * You need write access to the thing you're removing 1108 */ 1109 rc = smk_curacc(smk_of_inode(d_backing_inode(dentry)), MAY_WRITE, &ad); 1110 rc = smk_bu_inode(d_backing_inode(dentry), MAY_WRITE, rc); 1111 if (rc == 0) { 1112 /* 1113 * You also need write access to the containing directory 1114 */ 1115 smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_INODE); 1116 smk_ad_setfield_u_fs_inode(&ad, dir); 1117 rc = smk_curacc(smk_of_inode(dir), MAY_WRITE, &ad); 1118 rc = smk_bu_inode(dir, MAY_WRITE, rc); 1119 } 1120 1121 return rc; 1122 } 1123 1124 /** 1125 * smack_inode_rename - Smack check on rename 1126 * @old_inode: unused 1127 * @old_dentry: the old object 1128 * @new_inode: unused 1129 * @new_dentry: the new object 1130 * 1131 * Read and write access is required on both the old and 1132 * new directories. 1133 * 1134 * Returns 0 if access is permitted, an error code otherwise 1135 */ 1136 static int smack_inode_rename(struct inode *old_inode, 1137 struct dentry *old_dentry, 1138 struct inode *new_inode, 1139 struct dentry *new_dentry) 1140 { 1141 int rc; 1142 struct smack_known *isp; 1143 struct smk_audit_info ad; 1144 1145 smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_DENTRY); 1146 smk_ad_setfield_u_fs_path_dentry(&ad, old_dentry); 1147 1148 isp = smk_of_inode(d_backing_inode(old_dentry)); 1149 rc = smk_curacc(isp, MAY_READWRITE, &ad); 1150 rc = smk_bu_inode(d_backing_inode(old_dentry), MAY_READWRITE, rc); 1151 1152 if (rc == 0 && d_is_positive(new_dentry)) { 1153 isp = smk_of_inode(d_backing_inode(new_dentry)); 1154 smk_ad_setfield_u_fs_path_dentry(&ad, new_dentry); 1155 rc = smk_curacc(isp, MAY_READWRITE, &ad); 1156 rc = smk_bu_inode(d_backing_inode(new_dentry), MAY_READWRITE, rc); 1157 } 1158 return rc; 1159 } 1160 1161 /** 1162 * smack_inode_permission - Smack version of permission() 1163 * @inode: the inode in question 1164 * @mask: the access requested 1165 * 1166 * This is the important Smack hook. 1167 * 1168 * Returns 0 if access is permitted, an error code otherwise 1169 */ 1170 static int smack_inode_permission(struct inode *inode, int mask) 1171 { 1172 struct superblock_smack *sbsp = inode->i_sb->s_security; 1173 struct smk_audit_info ad; 1174 int no_block = mask & MAY_NOT_BLOCK; 1175 int rc; 1176 1177 mask &= (MAY_READ|MAY_WRITE|MAY_EXEC|MAY_APPEND); 1178 /* 1179 * No permission to check. Existence test. Yup, it's there. 1180 */ 1181 if (mask == 0) 1182 return 0; 1183 1184 if (sbsp->smk_flags & SMK_SB_UNTRUSTED) { 1185 if (smk_of_inode(inode) != sbsp->smk_root) 1186 return -EACCES; 1187 } 1188 1189 /* May be droppable after audit */ 1190 if (no_block) 1191 return -ECHILD; 1192 smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_INODE); 1193 smk_ad_setfield_u_fs_inode(&ad, inode); 1194 rc = smk_curacc(smk_of_inode(inode), mask, &ad); 1195 rc = smk_bu_inode(inode, mask, rc); 1196 return rc; 1197 } 1198 1199 /** 1200 * smack_inode_setattr - Smack check for setting attributes 1201 * @dentry: the object 1202 * @iattr: for the force flag 1203 * 1204 * Returns 0 if access is permitted, an error code otherwise 1205 */ 1206 static int smack_inode_setattr(struct dentry *dentry, struct iattr *iattr) 1207 { 1208 struct smk_audit_info ad; 1209 int rc; 1210 1211 /* 1212 * Need to allow for clearing the setuid bit. 1213 */ 1214 if (iattr->ia_valid & ATTR_FORCE) 1215 return 0; 1216 smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_DENTRY); 1217 smk_ad_setfield_u_fs_path_dentry(&ad, dentry); 1218 1219 rc = smk_curacc(smk_of_inode(d_backing_inode(dentry)), MAY_WRITE, &ad); 1220 rc = smk_bu_inode(d_backing_inode(dentry), MAY_WRITE, rc); 1221 return rc; 1222 } 1223 1224 /** 1225 * smack_inode_getattr - Smack check for getting attributes 1226 * @path: path to extract the info from 1227 * 1228 * Returns 0 if access is permitted, an error code otherwise 1229 */ 1230 static int smack_inode_getattr(const struct path *path) 1231 { 1232 struct smk_audit_info ad; 1233 struct inode *inode = d_backing_inode(path->dentry); 1234 int rc; 1235 1236 smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_PATH); 1237 smk_ad_setfield_u_fs_path(&ad, *path); 1238 rc = smk_curacc(smk_of_inode(inode), MAY_READ, &ad); 1239 rc = smk_bu_inode(inode, MAY_READ, rc); 1240 return rc; 1241 } 1242 1243 /** 1244 * smack_inode_setxattr - Smack check for setting xattrs 1245 * @dentry: the object 1246 * @name: name of the attribute 1247 * @value: value of the attribute 1248 * @size: size of the value 1249 * @flags: unused 1250 * 1251 * This protects the Smack attribute explicitly. 1252 * 1253 * Returns 0 if access is permitted, an error code otherwise 1254 */ 1255 static int smack_inode_setxattr(struct dentry *dentry, const char *name, 1256 const void *value, size_t size, int flags) 1257 { 1258 struct smk_audit_info ad; 1259 struct smack_known *skp; 1260 int check_priv = 0; 1261 int check_import = 0; 1262 int check_star = 0; 1263 int rc = 0; 1264 1265 /* 1266 * Check label validity here so import won't fail in post_setxattr 1267 */ 1268 if (strcmp(name, XATTR_NAME_SMACK) == 0 || 1269 strcmp(name, XATTR_NAME_SMACKIPIN) == 0 || 1270 strcmp(name, XATTR_NAME_SMACKIPOUT) == 0) { 1271 check_priv = 1; 1272 check_import = 1; 1273 } else if (strcmp(name, XATTR_NAME_SMACKEXEC) == 0 || 1274 strcmp(name, XATTR_NAME_SMACKMMAP) == 0) { 1275 check_priv = 1; 1276 check_import = 1; 1277 check_star = 1; 1278 } else if (strcmp(name, XATTR_NAME_SMACKTRANSMUTE) == 0) { 1279 check_priv = 1; 1280 if (size != TRANS_TRUE_SIZE || 1281 strncmp(value, TRANS_TRUE, TRANS_TRUE_SIZE) != 0) 1282 rc = -EINVAL; 1283 } else 1284 rc = cap_inode_setxattr(dentry, name, value, size, flags); 1285 1286 if (check_priv && !smack_privileged(CAP_MAC_ADMIN)) 1287 rc = -EPERM; 1288 1289 if (rc == 0 && check_import) { 1290 skp = size ? smk_import_entry(value, size) : NULL; 1291 if (IS_ERR(skp)) 1292 rc = PTR_ERR(skp); 1293 else if (skp == NULL || (check_star && 1294 (skp == &smack_known_star || skp == &smack_known_web))) 1295 rc = -EINVAL; 1296 } 1297 1298 smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_DENTRY); 1299 smk_ad_setfield_u_fs_path_dentry(&ad, dentry); 1300 1301 if (rc == 0) { 1302 rc = smk_curacc(smk_of_inode(d_backing_inode(dentry)), MAY_WRITE, &ad); 1303 rc = smk_bu_inode(d_backing_inode(dentry), MAY_WRITE, rc); 1304 } 1305 1306 return rc; 1307 } 1308 1309 /** 1310 * smack_inode_post_setxattr - Apply the Smack update approved above 1311 * @dentry: object 1312 * @name: attribute name 1313 * @value: attribute value 1314 * @size: attribute size 1315 * @flags: unused 1316 * 1317 * Set the pointer in the inode blob to the entry found 1318 * in the master label list. 1319 */ 1320 static void smack_inode_post_setxattr(struct dentry *dentry, const char *name, 1321 const void *value, size_t size, int flags) 1322 { 1323 struct smack_known *skp; 1324 struct inode_smack *isp = smack_inode(d_backing_inode(dentry)); 1325 1326 if (strcmp(name, XATTR_NAME_SMACKTRANSMUTE) == 0) { 1327 isp->smk_flags |= SMK_INODE_TRANSMUTE; 1328 return; 1329 } 1330 1331 if (strcmp(name, XATTR_NAME_SMACK) == 0) { 1332 skp = smk_import_entry(value, size); 1333 if (!IS_ERR(skp)) 1334 isp->smk_inode = skp; 1335 } else if (strcmp(name, XATTR_NAME_SMACKEXEC) == 0) { 1336 skp = smk_import_entry(value, size); 1337 if (!IS_ERR(skp)) 1338 isp->smk_task = skp; 1339 } else if (strcmp(name, XATTR_NAME_SMACKMMAP) == 0) { 1340 skp = smk_import_entry(value, size); 1341 if (!IS_ERR(skp)) 1342 isp->smk_mmap = skp; 1343 } 1344 1345 return; 1346 } 1347 1348 /** 1349 * smack_inode_getxattr - Smack check on getxattr 1350 * @dentry: the object 1351 * @name: unused 1352 * 1353 * Returns 0 if access is permitted, an error code otherwise 1354 */ 1355 static int smack_inode_getxattr(struct dentry *dentry, const char *name) 1356 { 1357 struct smk_audit_info ad; 1358 int rc; 1359 1360 smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_DENTRY); 1361 smk_ad_setfield_u_fs_path_dentry(&ad, dentry); 1362 1363 rc = smk_curacc(smk_of_inode(d_backing_inode(dentry)), MAY_READ, &ad); 1364 rc = smk_bu_inode(d_backing_inode(dentry), MAY_READ, rc); 1365 return rc; 1366 } 1367 1368 /** 1369 * smack_inode_removexattr - Smack check on removexattr 1370 * @dentry: the object 1371 * @name: name of the attribute 1372 * 1373 * Removing the Smack attribute requires CAP_MAC_ADMIN 1374 * 1375 * Returns 0 if access is permitted, an error code otherwise 1376 */ 1377 static int smack_inode_removexattr(struct dentry *dentry, const char *name) 1378 { 1379 struct inode_smack *isp; 1380 struct smk_audit_info ad; 1381 int rc = 0; 1382 1383 if (strcmp(name, XATTR_NAME_SMACK) == 0 || 1384 strcmp(name, XATTR_NAME_SMACKIPIN) == 0 || 1385 strcmp(name, XATTR_NAME_SMACKIPOUT) == 0 || 1386 strcmp(name, XATTR_NAME_SMACKEXEC) == 0 || 1387 strcmp(name, XATTR_NAME_SMACKTRANSMUTE) == 0 || 1388 strcmp(name, XATTR_NAME_SMACKMMAP) == 0) { 1389 if (!smack_privileged(CAP_MAC_ADMIN)) 1390 rc = -EPERM; 1391 } else 1392 rc = cap_inode_removexattr(dentry, name); 1393 1394 if (rc != 0) 1395 return rc; 1396 1397 smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_DENTRY); 1398 smk_ad_setfield_u_fs_path_dentry(&ad, dentry); 1399 1400 rc = smk_curacc(smk_of_inode(d_backing_inode(dentry)), MAY_WRITE, &ad); 1401 rc = smk_bu_inode(d_backing_inode(dentry), MAY_WRITE, rc); 1402 if (rc != 0) 1403 return rc; 1404 1405 isp = smack_inode(d_backing_inode(dentry)); 1406 /* 1407 * Don't do anything special for these. 1408 * XATTR_NAME_SMACKIPIN 1409 * XATTR_NAME_SMACKIPOUT 1410 */ 1411 if (strcmp(name, XATTR_NAME_SMACK) == 0) { 1412 struct super_block *sbp = dentry->d_sb; 1413 struct superblock_smack *sbsp = sbp->s_security; 1414 1415 isp->smk_inode = sbsp->smk_default; 1416 } else if (strcmp(name, XATTR_NAME_SMACKEXEC) == 0) 1417 isp->smk_task = NULL; 1418 else if (strcmp(name, XATTR_NAME_SMACKMMAP) == 0) 1419 isp->smk_mmap = NULL; 1420 else if (strcmp(name, XATTR_NAME_SMACKTRANSMUTE) == 0) 1421 isp->smk_flags &= ~SMK_INODE_TRANSMUTE; 1422 1423 return 0; 1424 } 1425 1426 /** 1427 * smack_inode_getsecurity - get smack xattrs 1428 * @inode: the object 1429 * @name: attribute name 1430 * @buffer: where to put the result 1431 * @alloc: duplicate memory 1432 * 1433 * Returns the size of the attribute or an error code 1434 */ 1435 static int smack_inode_getsecurity(struct inode *inode, 1436 const char *name, void **buffer, 1437 bool alloc) 1438 { 1439 struct socket_smack *ssp; 1440 struct socket *sock; 1441 struct super_block *sbp; 1442 struct inode *ip = (struct inode *)inode; 1443 struct smack_known *isp; 1444 1445 if (strcmp(name, XATTR_SMACK_SUFFIX) == 0) 1446 isp = smk_of_inode(inode); 1447 else { 1448 /* 1449 * The rest of the Smack xattrs are only on sockets. 1450 */ 1451 sbp = ip->i_sb; 1452 if (sbp->s_magic != SOCKFS_MAGIC) 1453 return -EOPNOTSUPP; 1454 1455 sock = SOCKET_I(ip); 1456 if (sock == NULL || sock->sk == NULL) 1457 return -EOPNOTSUPP; 1458 1459 ssp = sock->sk->sk_security; 1460 1461 if (strcmp(name, XATTR_SMACK_IPIN) == 0) 1462 isp = ssp->smk_in; 1463 else if (strcmp(name, XATTR_SMACK_IPOUT) == 0) 1464 isp = ssp->smk_out; 1465 else 1466 return -EOPNOTSUPP; 1467 } 1468 1469 if (alloc) { 1470 *buffer = kstrdup(isp->smk_known, GFP_KERNEL); 1471 if (*buffer == NULL) 1472 return -ENOMEM; 1473 } 1474 1475 return strlen(isp->smk_known); 1476 } 1477 1478 1479 /** 1480 * smack_inode_listsecurity - list the Smack attributes 1481 * @inode: the object 1482 * @buffer: where they go 1483 * @buffer_size: size of buffer 1484 */ 1485 static int smack_inode_listsecurity(struct inode *inode, char *buffer, 1486 size_t buffer_size) 1487 { 1488 int len = sizeof(XATTR_NAME_SMACK); 1489 1490 if (buffer != NULL && len <= buffer_size) 1491 memcpy(buffer, XATTR_NAME_SMACK, len); 1492 1493 return len; 1494 } 1495 1496 /** 1497 * smack_inode_getsecid - Extract inode's security id 1498 * @inode: inode to extract the info from 1499 * @secid: where result will be saved 1500 */ 1501 static void smack_inode_getsecid(struct inode *inode, u32 *secid) 1502 { 1503 struct smack_known *skp = smk_of_inode(inode); 1504 1505 *secid = skp->smk_secid; 1506 } 1507 1508 /* 1509 * File Hooks 1510 */ 1511 1512 /* 1513 * There is no smack_file_permission hook 1514 * 1515 * Should access checks be done on each read or write? 1516 * UNICOS and SELinux say yes. 1517 * Trusted Solaris, Trusted Irix, and just about everyone else says no. 1518 * 1519 * I'll say no for now. Smack does not do the frequent 1520 * label changing that SELinux does. 1521 */ 1522 1523 /** 1524 * smack_file_alloc_security - assign a file security blob 1525 * @file: the object 1526 * 1527 * The security blob for a file is a pointer to the master 1528 * label list, so no allocation is done. 1529 * 1530 * f_security is the owner security information. It 1531 * isn't used on file access checks, it's for send_sigio. 1532 * 1533 * Returns 0 1534 */ 1535 static int smack_file_alloc_security(struct file *file) 1536 { 1537 struct smack_known **blob = smack_file(file); 1538 1539 *blob = smk_of_current(); 1540 return 0; 1541 } 1542 1543 /** 1544 * smack_file_ioctl - Smack check on ioctls 1545 * @file: the object 1546 * @cmd: what to do 1547 * @arg: unused 1548 * 1549 * Relies heavily on the correct use of the ioctl command conventions. 1550 * 1551 * Returns 0 if allowed, error code otherwise 1552 */ 1553 static int smack_file_ioctl(struct file *file, unsigned int cmd, 1554 unsigned long arg) 1555 { 1556 int rc = 0; 1557 struct smk_audit_info ad; 1558 struct inode *inode = file_inode(file); 1559 1560 if (unlikely(IS_PRIVATE(inode))) 1561 return 0; 1562 1563 smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_PATH); 1564 smk_ad_setfield_u_fs_path(&ad, file->f_path); 1565 1566 if (_IOC_DIR(cmd) & _IOC_WRITE) { 1567 rc = smk_curacc(smk_of_inode(inode), MAY_WRITE, &ad); 1568 rc = smk_bu_file(file, MAY_WRITE, rc); 1569 } 1570 1571 if (rc == 0 && (_IOC_DIR(cmd) & _IOC_READ)) { 1572 rc = smk_curacc(smk_of_inode(inode), MAY_READ, &ad); 1573 rc = smk_bu_file(file, MAY_READ, rc); 1574 } 1575 1576 return rc; 1577 } 1578 1579 /** 1580 * smack_file_lock - Smack check on file locking 1581 * @file: the object 1582 * @cmd: unused 1583 * 1584 * Returns 0 if current has lock access, error code otherwise 1585 */ 1586 static int smack_file_lock(struct file *file, unsigned int cmd) 1587 { 1588 struct smk_audit_info ad; 1589 int rc; 1590 struct inode *inode = file_inode(file); 1591 1592 if (unlikely(IS_PRIVATE(inode))) 1593 return 0; 1594 1595 smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_PATH); 1596 smk_ad_setfield_u_fs_path(&ad, file->f_path); 1597 rc = smk_curacc(smk_of_inode(inode), MAY_LOCK, &ad); 1598 rc = smk_bu_file(file, MAY_LOCK, rc); 1599 return rc; 1600 } 1601 1602 /** 1603 * smack_file_fcntl - Smack check on fcntl 1604 * @file: the object 1605 * @cmd: what action to check 1606 * @arg: unused 1607 * 1608 * Generally these operations are harmless. 1609 * File locking operations present an obvious mechanism 1610 * for passing information, so they require write access. 1611 * 1612 * Returns 0 if current has access, error code otherwise 1613 */ 1614 static int smack_file_fcntl(struct file *file, unsigned int cmd, 1615 unsigned long arg) 1616 { 1617 struct smk_audit_info ad; 1618 int rc = 0; 1619 struct inode *inode = file_inode(file); 1620 1621 if (unlikely(IS_PRIVATE(inode))) 1622 return 0; 1623 1624 switch (cmd) { 1625 case F_GETLK: 1626 break; 1627 case F_SETLK: 1628 case F_SETLKW: 1629 smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_PATH); 1630 smk_ad_setfield_u_fs_path(&ad, file->f_path); 1631 rc = smk_curacc(smk_of_inode(inode), MAY_LOCK, &ad); 1632 rc = smk_bu_file(file, MAY_LOCK, rc); 1633 break; 1634 case F_SETOWN: 1635 case F_SETSIG: 1636 smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_PATH); 1637 smk_ad_setfield_u_fs_path(&ad, file->f_path); 1638 rc = smk_curacc(smk_of_inode(inode), MAY_WRITE, &ad); 1639 rc = smk_bu_file(file, MAY_WRITE, rc); 1640 break; 1641 default: 1642 break; 1643 } 1644 1645 return rc; 1646 } 1647 1648 /** 1649 * smack_mmap_file : 1650 * Check permissions for a mmap operation. The @file may be NULL, e.g. 1651 * if mapping anonymous memory. 1652 * @file contains the file structure for file to map (may be NULL). 1653 * @reqprot contains the protection requested by the application. 1654 * @prot contains the protection that will be applied by the kernel. 1655 * @flags contains the operational flags. 1656 * Return 0 if permission is granted. 1657 */ 1658 static int smack_mmap_file(struct file *file, 1659 unsigned long reqprot, unsigned long prot, 1660 unsigned long flags) 1661 { 1662 struct smack_known *skp; 1663 struct smack_known *mkp; 1664 struct smack_rule *srp; 1665 struct task_smack *tsp; 1666 struct smack_known *okp; 1667 struct inode_smack *isp; 1668 struct superblock_smack *sbsp; 1669 int may; 1670 int mmay; 1671 int tmay; 1672 int rc; 1673 1674 if (file == NULL) 1675 return 0; 1676 1677 if (unlikely(IS_PRIVATE(file_inode(file)))) 1678 return 0; 1679 1680 isp = smack_inode(file_inode(file)); 1681 if (isp->smk_mmap == NULL) 1682 return 0; 1683 sbsp = file_inode(file)->i_sb->s_security; 1684 if (sbsp->smk_flags & SMK_SB_UNTRUSTED && 1685 isp->smk_mmap != sbsp->smk_root) 1686 return -EACCES; 1687 mkp = isp->smk_mmap; 1688 1689 tsp = smack_cred(current_cred()); 1690 skp = smk_of_current(); 1691 rc = 0; 1692 1693 rcu_read_lock(); 1694 /* 1695 * For each Smack rule associated with the subject 1696 * label verify that the SMACK64MMAP also has access 1697 * to that rule's object label. 1698 */ 1699 list_for_each_entry_rcu(srp, &skp->smk_rules, list) { 1700 okp = srp->smk_object; 1701 /* 1702 * Matching labels always allows access. 1703 */ 1704 if (mkp->smk_known == okp->smk_known) 1705 continue; 1706 /* 1707 * If there is a matching local rule take 1708 * that into account as well. 1709 */ 1710 may = smk_access_entry(srp->smk_subject->smk_known, 1711 okp->smk_known, 1712 &tsp->smk_rules); 1713 if (may == -ENOENT) 1714 may = srp->smk_access; 1715 else 1716 may &= srp->smk_access; 1717 /* 1718 * If may is zero the SMACK64MMAP subject can't 1719 * possibly have less access. 1720 */ 1721 if (may == 0) 1722 continue; 1723 1724 /* 1725 * Fetch the global list entry. 1726 * If there isn't one a SMACK64MMAP subject 1727 * can't have as much access as current. 1728 */ 1729 mmay = smk_access_entry(mkp->smk_known, okp->smk_known, 1730 &mkp->smk_rules); 1731 if (mmay == -ENOENT) { 1732 rc = -EACCES; 1733 break; 1734 } 1735 /* 1736 * If there is a local entry it modifies the 1737 * potential access, too. 1738 */ 1739 tmay = smk_access_entry(mkp->smk_known, okp->smk_known, 1740 &tsp->smk_rules); 1741 if (tmay != -ENOENT) 1742 mmay &= tmay; 1743 1744 /* 1745 * If there is any access available to current that is 1746 * not available to a SMACK64MMAP subject 1747 * deny access. 1748 */ 1749 if ((may | mmay) != mmay) { 1750 rc = -EACCES; 1751 break; 1752 } 1753 } 1754 1755 rcu_read_unlock(); 1756 1757 return rc; 1758 } 1759 1760 /** 1761 * smack_file_set_fowner - set the file security blob value 1762 * @file: object in question 1763 * 1764 */ 1765 static void smack_file_set_fowner(struct file *file) 1766 { 1767 struct smack_known **blob = smack_file(file); 1768 1769 *blob = smk_of_current(); 1770 } 1771 1772 /** 1773 * smack_file_send_sigiotask - Smack on sigio 1774 * @tsk: The target task 1775 * @fown: the object the signal come from 1776 * @signum: unused 1777 * 1778 * Allow a privileged task to get signals even if it shouldn't 1779 * 1780 * Returns 0 if a subject with the object's smack could 1781 * write to the task, an error code otherwise. 1782 */ 1783 static int smack_file_send_sigiotask(struct task_struct *tsk, 1784 struct fown_struct *fown, int signum) 1785 { 1786 struct smack_known **blob; 1787 struct smack_known *skp; 1788 struct smack_known *tkp = smk_of_task(smack_cred(tsk->cred)); 1789 const struct cred *tcred; 1790 struct file *file; 1791 int rc; 1792 struct smk_audit_info ad; 1793 1794 /* 1795 * struct fown_struct is never outside the context of a struct file 1796 */ 1797 file = container_of(fown, struct file, f_owner); 1798 1799 /* we don't log here as rc can be overriden */ 1800 blob = smack_file(file); 1801 skp = *blob; 1802 rc = smk_access(skp, tkp, MAY_DELIVER, NULL); 1803 rc = smk_bu_note("sigiotask", skp, tkp, MAY_DELIVER, rc); 1804 1805 rcu_read_lock(); 1806 tcred = __task_cred(tsk); 1807 if (rc != 0 && smack_privileged_cred(CAP_MAC_OVERRIDE, tcred)) 1808 rc = 0; 1809 rcu_read_unlock(); 1810 1811 smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_TASK); 1812 smk_ad_setfield_u_tsk(&ad, tsk); 1813 smack_log(skp->smk_known, tkp->smk_known, MAY_DELIVER, rc, &ad); 1814 return rc; 1815 } 1816 1817 /** 1818 * smack_file_receive - Smack file receive check 1819 * @file: the object 1820 * 1821 * Returns 0 if current has access, error code otherwise 1822 */ 1823 static int smack_file_receive(struct file *file) 1824 { 1825 int rc; 1826 int may = 0; 1827 struct smk_audit_info ad; 1828 struct inode *inode = file_inode(file); 1829 struct socket *sock; 1830 struct task_smack *tsp; 1831 struct socket_smack *ssp; 1832 1833 if (unlikely(IS_PRIVATE(inode))) 1834 return 0; 1835 1836 smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_PATH); 1837 smk_ad_setfield_u_fs_path(&ad, file->f_path); 1838 1839 if (inode->i_sb->s_magic == SOCKFS_MAGIC) { 1840 sock = SOCKET_I(inode); 1841 ssp = sock->sk->sk_security; 1842 tsp = smack_cred(current_cred()); 1843 /* 1844 * If the receiving process can't write to the 1845 * passed socket or if the passed socket can't 1846 * write to the receiving process don't accept 1847 * the passed socket. 1848 */ 1849 rc = smk_access(tsp->smk_task, ssp->smk_out, MAY_WRITE, &ad); 1850 rc = smk_bu_file(file, may, rc); 1851 if (rc < 0) 1852 return rc; 1853 rc = smk_access(ssp->smk_in, tsp->smk_task, MAY_WRITE, &ad); 1854 rc = smk_bu_file(file, may, rc); 1855 return rc; 1856 } 1857 /* 1858 * This code relies on bitmasks. 1859 */ 1860 if (file->f_mode & FMODE_READ) 1861 may = MAY_READ; 1862 if (file->f_mode & FMODE_WRITE) 1863 may |= MAY_WRITE; 1864 1865 rc = smk_curacc(smk_of_inode(inode), may, &ad); 1866 rc = smk_bu_file(file, may, rc); 1867 return rc; 1868 } 1869 1870 /** 1871 * smack_file_open - Smack dentry open processing 1872 * @file: the object 1873 * 1874 * Set the security blob in the file structure. 1875 * Allow the open only if the task has read access. There are 1876 * many read operations (e.g. fstat) that you can do with an 1877 * fd even if you have the file open write-only. 1878 * 1879 * Returns 0 if current has access, error code otherwise 1880 */ 1881 static int smack_file_open(struct file *file) 1882 { 1883 struct task_smack *tsp = smack_cred(file->f_cred); 1884 struct inode *inode = file_inode(file); 1885 struct smk_audit_info ad; 1886 int rc; 1887 1888 smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_PATH); 1889 smk_ad_setfield_u_fs_path(&ad, file->f_path); 1890 rc = smk_tskacc(tsp, smk_of_inode(inode), MAY_READ, &ad); 1891 rc = smk_bu_credfile(file->f_cred, file, MAY_READ, rc); 1892 1893 return rc; 1894 } 1895 1896 /* 1897 * Task hooks 1898 */ 1899 1900 /** 1901 * smack_cred_alloc_blank - "allocate" blank task-level security credentials 1902 * @cred: the new credentials 1903 * @gfp: the atomicity of any memory allocations 1904 * 1905 * Prepare a blank set of credentials for modification. This must allocate all 1906 * the memory the LSM module might require such that cred_transfer() can 1907 * complete without error. 1908 */ 1909 static int smack_cred_alloc_blank(struct cred *cred, gfp_t gfp) 1910 { 1911 init_task_smack(smack_cred(cred), NULL, NULL); 1912 return 0; 1913 } 1914 1915 1916 /** 1917 * smack_cred_free - "free" task-level security credentials 1918 * @cred: the credentials in question 1919 * 1920 */ 1921 static void smack_cred_free(struct cred *cred) 1922 { 1923 struct task_smack *tsp = smack_cred(cred); 1924 struct smack_rule *rp; 1925 struct list_head *l; 1926 struct list_head *n; 1927 1928 smk_destroy_label_list(&tsp->smk_relabel); 1929 1930 list_for_each_safe(l, n, &tsp->smk_rules) { 1931 rp = list_entry(l, struct smack_rule, list); 1932 list_del(&rp->list); 1933 kmem_cache_free(smack_rule_cache, rp); 1934 } 1935 } 1936 1937 /** 1938 * smack_cred_prepare - prepare new set of credentials for modification 1939 * @new: the new credentials 1940 * @old: the original credentials 1941 * @gfp: the atomicity of any memory allocations 1942 * 1943 * Prepare a new set of credentials for modification. 1944 */ 1945 static int smack_cred_prepare(struct cred *new, const struct cred *old, 1946 gfp_t gfp) 1947 { 1948 struct task_smack *old_tsp = smack_cred(old); 1949 struct task_smack *new_tsp = smack_cred(new); 1950 int rc; 1951 1952 init_task_smack(new_tsp, old_tsp->smk_task, old_tsp->smk_task); 1953 1954 rc = smk_copy_rules(&new_tsp->smk_rules, &old_tsp->smk_rules, gfp); 1955 if (rc != 0) 1956 return rc; 1957 1958 rc = smk_copy_relabel(&new_tsp->smk_relabel, &old_tsp->smk_relabel, 1959 gfp); 1960 return rc; 1961 } 1962 1963 /** 1964 * smack_cred_transfer - Transfer the old credentials to the new credentials 1965 * @new: the new credentials 1966 * @old: the original credentials 1967 * 1968 * Fill in a set of blank credentials from another set of credentials. 1969 */ 1970 static void smack_cred_transfer(struct cred *new, const struct cred *old) 1971 { 1972 struct task_smack *old_tsp = smack_cred(old); 1973 struct task_smack *new_tsp = smack_cred(new); 1974 1975 new_tsp->smk_task = old_tsp->smk_task; 1976 new_tsp->smk_forked = old_tsp->smk_task; 1977 mutex_init(&new_tsp->smk_rules_lock); 1978 INIT_LIST_HEAD(&new_tsp->smk_rules); 1979 1980 /* cbs copy rule list */ 1981 } 1982 1983 /** 1984 * smack_cred_getsecid - get the secid corresponding to a creds structure 1985 * @cred: the object creds 1986 * @secid: where to put the result 1987 * 1988 * Sets the secid to contain a u32 version of the smack label. 1989 */ 1990 static void smack_cred_getsecid(const struct cred *cred, u32 *secid) 1991 { 1992 struct smack_known *skp; 1993 1994 rcu_read_lock(); 1995 skp = smk_of_task(smack_cred(cred)); 1996 *secid = skp->smk_secid; 1997 rcu_read_unlock(); 1998 } 1999 2000 /** 2001 * smack_kernel_act_as - Set the subjective context in a set of credentials 2002 * @new: points to the set of credentials to be modified. 2003 * @secid: specifies the security ID to be set 2004 * 2005 * Set the security data for a kernel service. 2006 */ 2007 static int smack_kernel_act_as(struct cred *new, u32 secid) 2008 { 2009 struct task_smack *new_tsp = smack_cred(new); 2010 2011 new_tsp->smk_task = smack_from_secid(secid); 2012 return 0; 2013 } 2014 2015 /** 2016 * smack_kernel_create_files_as - Set the file creation label in a set of creds 2017 * @new: points to the set of credentials to be modified 2018 * @inode: points to the inode to use as a reference 2019 * 2020 * Set the file creation context in a set of credentials to the same 2021 * as the objective context of the specified inode 2022 */ 2023 static int smack_kernel_create_files_as(struct cred *new, 2024 struct inode *inode) 2025 { 2026 struct inode_smack *isp = smack_inode(inode); 2027 struct task_smack *tsp = smack_cred(new); 2028 2029 tsp->smk_forked = isp->smk_inode; 2030 tsp->smk_task = tsp->smk_forked; 2031 return 0; 2032 } 2033 2034 /** 2035 * smk_curacc_on_task - helper to log task related access 2036 * @p: the task object 2037 * @access: the access requested 2038 * @caller: name of the calling function for audit 2039 * 2040 * Return 0 if access is permitted 2041 */ 2042 static int smk_curacc_on_task(struct task_struct *p, int access, 2043 const char *caller) 2044 { 2045 struct smk_audit_info ad; 2046 struct smack_known *skp = smk_of_task_struct(p); 2047 int rc; 2048 2049 smk_ad_init(&ad, caller, LSM_AUDIT_DATA_TASK); 2050 smk_ad_setfield_u_tsk(&ad, p); 2051 rc = smk_curacc(skp, access, &ad); 2052 rc = smk_bu_task(p, access, rc); 2053 return rc; 2054 } 2055 2056 /** 2057 * smack_task_setpgid - Smack check on setting pgid 2058 * @p: the task object 2059 * @pgid: unused 2060 * 2061 * Return 0 if write access is permitted 2062 */ 2063 static int smack_task_setpgid(struct task_struct *p, pid_t pgid) 2064 { 2065 return smk_curacc_on_task(p, MAY_WRITE, __func__); 2066 } 2067 2068 /** 2069 * smack_task_getpgid - Smack access check for getpgid 2070 * @p: the object task 2071 * 2072 * Returns 0 if current can read the object task, error code otherwise 2073 */ 2074 static int smack_task_getpgid(struct task_struct *p) 2075 { 2076 return smk_curacc_on_task(p, MAY_READ, __func__); 2077 } 2078 2079 /** 2080 * smack_task_getsid - Smack access check for getsid 2081 * @p: the object task 2082 * 2083 * Returns 0 if current can read the object task, error code otherwise 2084 */ 2085 static int smack_task_getsid(struct task_struct *p) 2086 { 2087 return smk_curacc_on_task(p, MAY_READ, __func__); 2088 } 2089 2090 /** 2091 * smack_task_getsecid - get the secid of the task 2092 * @p: the object task 2093 * @secid: where to put the result 2094 * 2095 * Sets the secid to contain a u32 version of the smack label. 2096 */ 2097 static void smack_task_getsecid(struct task_struct *p, u32 *secid) 2098 { 2099 struct smack_known *skp = smk_of_task_struct(p); 2100 2101 *secid = skp->smk_secid; 2102 } 2103 2104 /** 2105 * smack_task_setnice - Smack check on setting nice 2106 * @p: the task object 2107 * @nice: unused 2108 * 2109 * Return 0 if write access is permitted 2110 */ 2111 static int smack_task_setnice(struct task_struct *p, int nice) 2112 { 2113 return smk_curacc_on_task(p, MAY_WRITE, __func__); 2114 } 2115 2116 /** 2117 * smack_task_setioprio - Smack check on setting ioprio 2118 * @p: the task object 2119 * @ioprio: unused 2120 * 2121 * Return 0 if write access is permitted 2122 */ 2123 static int smack_task_setioprio(struct task_struct *p, int ioprio) 2124 { 2125 return smk_curacc_on_task(p, MAY_WRITE, __func__); 2126 } 2127 2128 /** 2129 * smack_task_getioprio - Smack check on reading ioprio 2130 * @p: the task object 2131 * 2132 * Return 0 if read access is permitted 2133 */ 2134 static int smack_task_getioprio(struct task_struct *p) 2135 { 2136 return smk_curacc_on_task(p, MAY_READ, __func__); 2137 } 2138 2139 /** 2140 * smack_task_setscheduler - Smack check on setting scheduler 2141 * @p: the task object 2142 * 2143 * Return 0 if read access is permitted 2144 */ 2145 static int smack_task_setscheduler(struct task_struct *p) 2146 { 2147 return smk_curacc_on_task(p, MAY_WRITE, __func__); 2148 } 2149 2150 /** 2151 * smack_task_getscheduler - Smack check on reading scheduler 2152 * @p: the task object 2153 * 2154 * Return 0 if read access is permitted 2155 */ 2156 static int smack_task_getscheduler(struct task_struct *p) 2157 { 2158 return smk_curacc_on_task(p, MAY_READ, __func__); 2159 } 2160 2161 /** 2162 * smack_task_movememory - Smack check on moving memory 2163 * @p: the task object 2164 * 2165 * Return 0 if write access is permitted 2166 */ 2167 static int smack_task_movememory(struct task_struct *p) 2168 { 2169 return smk_curacc_on_task(p, MAY_WRITE, __func__); 2170 } 2171 2172 /** 2173 * smack_task_kill - Smack check on signal delivery 2174 * @p: the task object 2175 * @info: unused 2176 * @sig: unused 2177 * @cred: identifies the cred to use in lieu of current's 2178 * 2179 * Return 0 if write access is permitted 2180 * 2181 */ 2182 static int smack_task_kill(struct task_struct *p, struct kernel_siginfo *info, 2183 int sig, const struct cred *cred) 2184 { 2185 struct smk_audit_info ad; 2186 struct smack_known *skp; 2187 struct smack_known *tkp = smk_of_task_struct(p); 2188 int rc; 2189 2190 if (!sig) 2191 return 0; /* null signal; existence test */ 2192 2193 smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_TASK); 2194 smk_ad_setfield_u_tsk(&ad, p); 2195 /* 2196 * Sending a signal requires that the sender 2197 * can write the receiver. 2198 */ 2199 if (cred == NULL) { 2200 rc = smk_curacc(tkp, MAY_DELIVER, &ad); 2201 rc = smk_bu_task(p, MAY_DELIVER, rc); 2202 return rc; 2203 } 2204 /* 2205 * If the cred isn't NULL we're dealing with some USB IO 2206 * specific behavior. This is not clean. For one thing 2207 * we can't take privilege into account. 2208 */ 2209 skp = smk_of_task(smack_cred(cred)); 2210 rc = smk_access(skp, tkp, MAY_DELIVER, &ad); 2211 rc = smk_bu_note("USB signal", skp, tkp, MAY_DELIVER, rc); 2212 return rc; 2213 } 2214 2215 /** 2216 * smack_task_to_inode - copy task smack into the inode blob 2217 * @p: task to copy from 2218 * @inode: inode to copy to 2219 * 2220 * Sets the smack pointer in the inode security blob 2221 */ 2222 static void smack_task_to_inode(struct task_struct *p, struct inode *inode) 2223 { 2224 struct inode_smack *isp = smack_inode(inode); 2225 struct smack_known *skp = smk_of_task_struct(p); 2226 2227 isp->smk_inode = skp; 2228 isp->smk_flags |= SMK_INODE_INSTANT; 2229 } 2230 2231 /* 2232 * Socket hooks. 2233 */ 2234 2235 /** 2236 * smack_sk_alloc_security - Allocate a socket blob 2237 * @sk: the socket 2238 * @family: unused 2239 * @gfp_flags: memory allocation flags 2240 * 2241 * Assign Smack pointers to current 2242 * 2243 * Returns 0 on success, -ENOMEM is there's no memory 2244 */ 2245 static int smack_sk_alloc_security(struct sock *sk, int family, gfp_t gfp_flags) 2246 { 2247 struct smack_known *skp = smk_of_current(); 2248 struct socket_smack *ssp; 2249 2250 ssp = kzalloc(sizeof(struct socket_smack), gfp_flags); 2251 if (ssp == NULL) 2252 return -ENOMEM; 2253 2254 /* 2255 * Sockets created by kernel threads receive web label. 2256 */ 2257 if (unlikely(current->flags & PF_KTHREAD)) { 2258 ssp->smk_in = &smack_known_web; 2259 ssp->smk_out = &smack_known_web; 2260 } else { 2261 ssp->smk_in = skp; 2262 ssp->smk_out = skp; 2263 } 2264 ssp->smk_packet = NULL; 2265 2266 sk->sk_security = ssp; 2267 2268 return 0; 2269 } 2270 2271 /** 2272 * smack_sk_free_security - Free a socket blob 2273 * @sk: the socket 2274 * 2275 * Clears the blob pointer 2276 */ 2277 static void smack_sk_free_security(struct sock *sk) 2278 { 2279 #ifdef SMACK_IPV6_PORT_LABELING 2280 struct smk_port_label *spp; 2281 2282 if (sk->sk_family == PF_INET6) { 2283 rcu_read_lock(); 2284 list_for_each_entry_rcu(spp, &smk_ipv6_port_list, list) { 2285 if (spp->smk_sock != sk) 2286 continue; 2287 spp->smk_can_reuse = 1; 2288 break; 2289 } 2290 rcu_read_unlock(); 2291 } 2292 #endif 2293 kfree(sk->sk_security); 2294 } 2295 2296 /** 2297 * smack_ipv4host_label - check host based restrictions 2298 * @sip: the object end 2299 * 2300 * looks for host based access restrictions 2301 * 2302 * This version will only be appropriate for really small sets of single label 2303 * hosts. The caller is responsible for ensuring that the RCU read lock is 2304 * taken before calling this function. 2305 * 2306 * Returns the label of the far end or NULL if it's not special. 2307 */ 2308 static struct smack_known *smack_ipv4host_label(struct sockaddr_in *sip) 2309 { 2310 struct smk_net4addr *snp; 2311 struct in_addr *siap = &sip->sin_addr; 2312 2313 if (siap->s_addr == 0) 2314 return NULL; 2315 2316 list_for_each_entry_rcu(snp, &smk_net4addr_list, list) 2317 /* 2318 * we break after finding the first match because 2319 * the list is sorted from longest to shortest mask 2320 * so we have found the most specific match 2321 */ 2322 if (snp->smk_host.s_addr == 2323 (siap->s_addr & snp->smk_mask.s_addr)) 2324 return snp->smk_label; 2325 2326 return NULL; 2327 } 2328 2329 #if IS_ENABLED(CONFIG_IPV6) 2330 /* 2331 * smk_ipv6_localhost - Check for local ipv6 host address 2332 * @sip: the address 2333 * 2334 * Returns boolean true if this is the localhost address 2335 */ 2336 static bool smk_ipv6_localhost(struct sockaddr_in6 *sip) 2337 { 2338 __be16 *be16p = (__be16 *)&sip->sin6_addr; 2339 __be32 *be32p = (__be32 *)&sip->sin6_addr; 2340 2341 if (be32p[0] == 0 && be32p[1] == 0 && be32p[2] == 0 && be16p[6] == 0 && 2342 ntohs(be16p[7]) == 1) 2343 return true; 2344 return false; 2345 } 2346 2347 /** 2348 * smack_ipv6host_label - check host based restrictions 2349 * @sip: the object end 2350 * 2351 * looks for host based access restrictions 2352 * 2353 * This version will only be appropriate for really small sets of single label 2354 * hosts. The caller is responsible for ensuring that the RCU read lock is 2355 * taken before calling this function. 2356 * 2357 * Returns the label of the far end or NULL if it's not special. 2358 */ 2359 static struct smack_known *smack_ipv6host_label(struct sockaddr_in6 *sip) 2360 { 2361 struct smk_net6addr *snp; 2362 struct in6_addr *sap = &sip->sin6_addr; 2363 int i; 2364 int found = 0; 2365 2366 /* 2367 * It's local. Don't look for a host label. 2368 */ 2369 if (smk_ipv6_localhost(sip)) 2370 return NULL; 2371 2372 list_for_each_entry_rcu(snp, &smk_net6addr_list, list) { 2373 /* 2374 * If the label is NULL the entry has 2375 * been renounced. Ignore it. 2376 */ 2377 if (snp->smk_label == NULL) 2378 continue; 2379 /* 2380 * we break after finding the first match because 2381 * the list is sorted from longest to shortest mask 2382 * so we have found the most specific match 2383 */ 2384 for (found = 1, i = 0; i < 8; i++) { 2385 if ((sap->s6_addr16[i] & snp->smk_mask.s6_addr16[i]) != 2386 snp->smk_host.s6_addr16[i]) { 2387 found = 0; 2388 break; 2389 } 2390 } 2391 if (found) 2392 return snp->smk_label; 2393 } 2394 2395 return NULL; 2396 } 2397 #endif /* CONFIG_IPV6 */ 2398 2399 /** 2400 * smack_netlabel - Set the secattr on a socket 2401 * @sk: the socket 2402 * @labeled: socket label scheme 2403 * 2404 * Convert the outbound smack value (smk_out) to a 2405 * secattr and attach it to the socket. 2406 * 2407 * Returns 0 on success or an error code 2408 */ 2409 static int smack_netlabel(struct sock *sk, int labeled) 2410 { 2411 struct smack_known *skp; 2412 struct socket_smack *ssp = sk->sk_security; 2413 int rc = 0; 2414 2415 /* 2416 * Usually the netlabel code will handle changing the 2417 * packet labeling based on the label. 2418 * The case of a single label host is different, because 2419 * a single label host should never get a labeled packet 2420 * even though the label is usually associated with a packet 2421 * label. 2422 */ 2423 local_bh_disable(); 2424 bh_lock_sock_nested(sk); 2425 2426 if (ssp->smk_out == smack_net_ambient || 2427 labeled == SMACK_UNLABELED_SOCKET) 2428 netlbl_sock_delattr(sk); 2429 else { 2430 skp = ssp->smk_out; 2431 rc = netlbl_sock_setattr(sk, sk->sk_family, &skp->smk_netlabel); 2432 } 2433 2434 bh_unlock_sock(sk); 2435 local_bh_enable(); 2436 2437 return rc; 2438 } 2439 2440 /** 2441 * smack_netlbel_send - Set the secattr on a socket and perform access checks 2442 * @sk: the socket 2443 * @sap: the destination address 2444 * 2445 * Set the correct secattr for the given socket based on the destination 2446 * address and perform any outbound access checks needed. 2447 * 2448 * Returns 0 on success or an error code. 2449 * 2450 */ 2451 static int smack_netlabel_send(struct sock *sk, struct sockaddr_in *sap) 2452 { 2453 struct smack_known *skp; 2454 int rc; 2455 int sk_lbl; 2456 struct smack_known *hkp; 2457 struct socket_smack *ssp = sk->sk_security; 2458 struct smk_audit_info ad; 2459 2460 rcu_read_lock(); 2461 hkp = smack_ipv4host_label(sap); 2462 if (hkp != NULL) { 2463 #ifdef CONFIG_AUDIT 2464 struct lsm_network_audit net; 2465 2466 smk_ad_init_net(&ad, __func__, LSM_AUDIT_DATA_NET, &net); 2467 ad.a.u.net->family = sap->sin_family; 2468 ad.a.u.net->dport = sap->sin_port; 2469 ad.a.u.net->v4info.daddr = sap->sin_addr.s_addr; 2470 #endif 2471 sk_lbl = SMACK_UNLABELED_SOCKET; 2472 skp = ssp->smk_out; 2473 rc = smk_access(skp, hkp, MAY_WRITE, &ad); 2474 rc = smk_bu_note("IPv4 host check", skp, hkp, MAY_WRITE, rc); 2475 } else { 2476 sk_lbl = SMACK_CIPSO_SOCKET; 2477 rc = 0; 2478 } 2479 rcu_read_unlock(); 2480 if (rc != 0) 2481 return rc; 2482 2483 return smack_netlabel(sk, sk_lbl); 2484 } 2485 2486 #if IS_ENABLED(CONFIG_IPV6) 2487 /** 2488 * smk_ipv6_check - check Smack access 2489 * @subject: subject Smack label 2490 * @object: object Smack label 2491 * @address: address 2492 * @act: the action being taken 2493 * 2494 * Check an IPv6 access 2495 */ 2496 static int smk_ipv6_check(struct smack_known *subject, 2497 struct smack_known *object, 2498 struct sockaddr_in6 *address, int act) 2499 { 2500 #ifdef CONFIG_AUDIT 2501 struct lsm_network_audit net; 2502 #endif 2503 struct smk_audit_info ad; 2504 int rc; 2505 2506 #ifdef CONFIG_AUDIT 2507 smk_ad_init_net(&ad, __func__, LSM_AUDIT_DATA_NET, &net); 2508 ad.a.u.net->family = PF_INET6; 2509 ad.a.u.net->dport = ntohs(address->sin6_port); 2510 if (act == SMK_RECEIVING) 2511 ad.a.u.net->v6info.saddr = address->sin6_addr; 2512 else 2513 ad.a.u.net->v6info.daddr = address->sin6_addr; 2514 #endif 2515 rc = smk_access(subject, object, MAY_WRITE, &ad); 2516 rc = smk_bu_note("IPv6 check", subject, object, MAY_WRITE, rc); 2517 return rc; 2518 } 2519 #endif /* CONFIG_IPV6 */ 2520 2521 #ifdef SMACK_IPV6_PORT_LABELING 2522 /** 2523 * smk_ipv6_port_label - Smack port access table management 2524 * @sock: socket 2525 * @address: address 2526 * 2527 * Create or update the port list entry 2528 */ 2529 static void smk_ipv6_port_label(struct socket *sock, struct sockaddr *address) 2530 { 2531 struct sock *sk = sock->sk; 2532 struct sockaddr_in6 *addr6; 2533 struct socket_smack *ssp = sock->sk->sk_security; 2534 struct smk_port_label *spp; 2535 unsigned short port = 0; 2536 2537 if (address == NULL) { 2538 /* 2539 * This operation is changing the Smack information 2540 * on the bound socket. Take the changes to the port 2541 * as well. 2542 */ 2543 rcu_read_lock(); 2544 list_for_each_entry_rcu(spp, &smk_ipv6_port_list, list) { 2545 if (sk != spp->smk_sock) 2546 continue; 2547 spp->smk_in = ssp->smk_in; 2548 spp->smk_out = ssp->smk_out; 2549 rcu_read_unlock(); 2550 return; 2551 } 2552 /* 2553 * A NULL address is only used for updating existing 2554 * bound entries. If there isn't one, it's OK. 2555 */ 2556 rcu_read_unlock(); 2557 return; 2558 } 2559 2560 addr6 = (struct sockaddr_in6 *)address; 2561 port = ntohs(addr6->sin6_port); 2562 /* 2563 * This is a special case that is safely ignored. 2564 */ 2565 if (port == 0) 2566 return; 2567 2568 /* 2569 * Look for an existing port list entry. 2570 * This is an indication that a port is getting reused. 2571 */ 2572 rcu_read_lock(); 2573 list_for_each_entry_rcu(spp, &smk_ipv6_port_list, list) { 2574 if (spp->smk_port != port || spp->smk_sock_type != sock->type) 2575 continue; 2576 if (spp->smk_can_reuse != 1) { 2577 rcu_read_unlock(); 2578 return; 2579 } 2580 spp->smk_port = port; 2581 spp->smk_sock = sk; 2582 spp->smk_in = ssp->smk_in; 2583 spp->smk_out = ssp->smk_out; 2584 spp->smk_can_reuse = 0; 2585 rcu_read_unlock(); 2586 return; 2587 } 2588 rcu_read_unlock(); 2589 /* 2590 * A new port entry is required. 2591 */ 2592 spp = kzalloc(sizeof(*spp), GFP_KERNEL); 2593 if (spp == NULL) 2594 return; 2595 2596 spp->smk_port = port; 2597 spp->smk_sock = sk; 2598 spp->smk_in = ssp->smk_in; 2599 spp->smk_out = ssp->smk_out; 2600 spp->smk_sock_type = sock->type; 2601 spp->smk_can_reuse = 0; 2602 2603 mutex_lock(&smack_ipv6_lock); 2604 list_add_rcu(&spp->list, &smk_ipv6_port_list); 2605 mutex_unlock(&smack_ipv6_lock); 2606 return; 2607 } 2608 2609 /** 2610 * smk_ipv6_port_check - check Smack port access 2611 * @sk: socket 2612 * @address: address 2613 * @act: the action being taken 2614 * 2615 * Create or update the port list entry 2616 */ 2617 static int smk_ipv6_port_check(struct sock *sk, struct sockaddr_in6 *address, 2618 int act) 2619 { 2620 struct smk_port_label *spp; 2621 struct socket_smack *ssp = sk->sk_security; 2622 struct smack_known *skp = NULL; 2623 unsigned short port; 2624 struct smack_known *object; 2625 2626 if (act == SMK_RECEIVING) { 2627 skp = smack_ipv6host_label(address); 2628 object = ssp->smk_in; 2629 } else { 2630 skp = ssp->smk_out; 2631 object = smack_ipv6host_label(address); 2632 } 2633 2634 /* 2635 * The other end is a single label host. 2636 */ 2637 if (skp != NULL && object != NULL) 2638 return smk_ipv6_check(skp, object, address, act); 2639 if (skp == NULL) 2640 skp = smack_net_ambient; 2641 if (object == NULL) 2642 object = smack_net_ambient; 2643 2644 /* 2645 * It's remote, so port lookup does no good. 2646 */ 2647 if (!smk_ipv6_localhost(address)) 2648 return smk_ipv6_check(skp, object, address, act); 2649 2650 /* 2651 * It's local so the send check has to have passed. 2652 */ 2653 if (act == SMK_RECEIVING) 2654 return 0; 2655 2656 port = ntohs(address->sin6_port); 2657 rcu_read_lock(); 2658 list_for_each_entry_rcu(spp, &smk_ipv6_port_list, list) { 2659 if (spp->smk_port != port || spp->smk_sock_type != sk->sk_type) 2660 continue; 2661 object = spp->smk_in; 2662 if (act == SMK_CONNECTING) 2663 ssp->smk_packet = spp->smk_out; 2664 break; 2665 } 2666 rcu_read_unlock(); 2667 2668 return smk_ipv6_check(skp, object, address, act); 2669 } 2670 #endif /* SMACK_IPV6_PORT_LABELING */ 2671 2672 /** 2673 * smack_inode_setsecurity - set smack xattrs 2674 * @inode: the object 2675 * @name: attribute name 2676 * @value: attribute value 2677 * @size: size of the attribute 2678 * @flags: unused 2679 * 2680 * Sets the named attribute in the appropriate blob 2681 * 2682 * Returns 0 on success, or an error code 2683 */ 2684 static int smack_inode_setsecurity(struct inode *inode, const char *name, 2685 const void *value, size_t size, int flags) 2686 { 2687 struct smack_known *skp; 2688 struct inode_smack *nsp = smack_inode(inode); 2689 struct socket_smack *ssp; 2690 struct socket *sock; 2691 int rc = 0; 2692 2693 if (value == NULL || size > SMK_LONGLABEL || size == 0) 2694 return -EINVAL; 2695 2696 skp = smk_import_entry(value, size); 2697 if (IS_ERR(skp)) 2698 return PTR_ERR(skp); 2699 2700 if (strcmp(name, XATTR_SMACK_SUFFIX) == 0) { 2701 nsp->smk_inode = skp; 2702 nsp->smk_flags |= SMK_INODE_INSTANT; 2703 return 0; 2704 } 2705 /* 2706 * The rest of the Smack xattrs are only on sockets. 2707 */ 2708 if (inode->i_sb->s_magic != SOCKFS_MAGIC) 2709 return -EOPNOTSUPP; 2710 2711 sock = SOCKET_I(inode); 2712 if (sock == NULL || sock->sk == NULL) 2713 return -EOPNOTSUPP; 2714 2715 ssp = sock->sk->sk_security; 2716 2717 if (strcmp(name, XATTR_SMACK_IPIN) == 0) 2718 ssp->smk_in = skp; 2719 else if (strcmp(name, XATTR_SMACK_IPOUT) == 0) { 2720 ssp->smk_out = skp; 2721 if (sock->sk->sk_family == PF_INET) { 2722 rc = smack_netlabel(sock->sk, SMACK_CIPSO_SOCKET); 2723 if (rc != 0) 2724 printk(KERN_WARNING 2725 "Smack: \"%s\" netlbl error %d.\n", 2726 __func__, -rc); 2727 } 2728 } else 2729 return -EOPNOTSUPP; 2730 2731 #ifdef SMACK_IPV6_PORT_LABELING 2732 if (sock->sk->sk_family == PF_INET6) 2733 smk_ipv6_port_label(sock, NULL); 2734 #endif 2735 2736 return 0; 2737 } 2738 2739 /** 2740 * smack_socket_post_create - finish socket setup 2741 * @sock: the socket 2742 * @family: protocol family 2743 * @type: unused 2744 * @protocol: unused 2745 * @kern: unused 2746 * 2747 * Sets the netlabel information on the socket 2748 * 2749 * Returns 0 on success, and error code otherwise 2750 */ 2751 static int smack_socket_post_create(struct socket *sock, int family, 2752 int type, int protocol, int kern) 2753 { 2754 struct socket_smack *ssp; 2755 2756 if (sock->sk == NULL) 2757 return 0; 2758 2759 /* 2760 * Sockets created by kernel threads receive web label. 2761 */ 2762 if (unlikely(current->flags & PF_KTHREAD)) { 2763 ssp = sock->sk->sk_security; 2764 ssp->smk_in = &smack_known_web; 2765 ssp->smk_out = &smack_known_web; 2766 } 2767 2768 if (family != PF_INET) 2769 return 0; 2770 /* 2771 * Set the outbound netlbl. 2772 */ 2773 return smack_netlabel(sock->sk, SMACK_CIPSO_SOCKET); 2774 } 2775 2776 /** 2777 * smack_socket_socketpair - create socket pair 2778 * @socka: one socket 2779 * @sockb: another socket 2780 * 2781 * Cross reference the peer labels for SO_PEERSEC 2782 * 2783 * Returns 0 2784 */ 2785 static int smack_socket_socketpair(struct socket *socka, 2786 struct socket *sockb) 2787 { 2788 struct socket_smack *asp = socka->sk->sk_security; 2789 struct socket_smack *bsp = sockb->sk->sk_security; 2790 2791 asp->smk_packet = bsp->smk_out; 2792 bsp->smk_packet = asp->smk_out; 2793 2794 return 0; 2795 } 2796 2797 #ifdef SMACK_IPV6_PORT_LABELING 2798 /** 2799 * smack_socket_bind - record port binding information. 2800 * @sock: the socket 2801 * @address: the port address 2802 * @addrlen: size of the address 2803 * 2804 * Records the label bound to a port. 2805 * 2806 * Returns 0 on success, and error code otherwise 2807 */ 2808 static int smack_socket_bind(struct socket *sock, struct sockaddr *address, 2809 int addrlen) 2810 { 2811 if (sock->sk != NULL && sock->sk->sk_family == PF_INET6) { 2812 if (addrlen < SIN6_LEN_RFC2133 || 2813 address->sa_family != AF_INET6) 2814 return -EINVAL; 2815 smk_ipv6_port_label(sock, address); 2816 } 2817 return 0; 2818 } 2819 #endif /* SMACK_IPV6_PORT_LABELING */ 2820 2821 /** 2822 * smack_socket_connect - connect access check 2823 * @sock: the socket 2824 * @sap: the other end 2825 * @addrlen: size of sap 2826 * 2827 * Verifies that a connection may be possible 2828 * 2829 * Returns 0 on success, and error code otherwise 2830 */ 2831 static int smack_socket_connect(struct socket *sock, struct sockaddr *sap, 2832 int addrlen) 2833 { 2834 int rc = 0; 2835 #if IS_ENABLED(CONFIG_IPV6) 2836 struct sockaddr_in6 *sip = (struct sockaddr_in6 *)sap; 2837 #endif 2838 #ifdef SMACK_IPV6_SECMARK_LABELING 2839 struct smack_known *rsp; 2840 struct socket_smack *ssp; 2841 #endif 2842 2843 if (sock->sk == NULL) 2844 return 0; 2845 2846 #ifdef SMACK_IPV6_SECMARK_LABELING 2847 ssp = sock->sk->sk_security; 2848 #endif 2849 2850 switch (sock->sk->sk_family) { 2851 case PF_INET: 2852 if (addrlen < sizeof(struct sockaddr_in) || 2853 sap->sa_family != AF_INET) 2854 return -EINVAL; 2855 rc = smack_netlabel_send(sock->sk, (struct sockaddr_in *)sap); 2856 break; 2857 case PF_INET6: 2858 if (addrlen < SIN6_LEN_RFC2133 || sap->sa_family != AF_INET6) 2859 return -EINVAL; 2860 #ifdef SMACK_IPV6_SECMARK_LABELING 2861 rsp = smack_ipv6host_label(sip); 2862 if (rsp != NULL) 2863 rc = smk_ipv6_check(ssp->smk_out, rsp, sip, 2864 SMK_CONNECTING); 2865 #endif 2866 #ifdef SMACK_IPV6_PORT_LABELING 2867 rc = smk_ipv6_port_check(sock->sk, sip, SMK_CONNECTING); 2868 #endif 2869 break; 2870 } 2871 return rc; 2872 } 2873 2874 /** 2875 * smack_flags_to_may - convert S_ to MAY_ values 2876 * @flags: the S_ value 2877 * 2878 * Returns the equivalent MAY_ value 2879 */ 2880 static int smack_flags_to_may(int flags) 2881 { 2882 int may = 0; 2883 2884 if (flags & S_IRUGO) 2885 may |= MAY_READ; 2886 if (flags & S_IWUGO) 2887 may |= MAY_WRITE; 2888 if (flags & S_IXUGO) 2889 may |= MAY_EXEC; 2890 2891 return may; 2892 } 2893 2894 /** 2895 * smack_msg_msg_alloc_security - Set the security blob for msg_msg 2896 * @msg: the object 2897 * 2898 * Returns 0 2899 */ 2900 static int smack_msg_msg_alloc_security(struct msg_msg *msg) 2901 { 2902 struct smack_known **blob = smack_msg_msg(msg); 2903 2904 *blob = smk_of_current(); 2905 return 0; 2906 } 2907 2908 /** 2909 * smack_of_ipc - the smack pointer for the ipc 2910 * @isp: the object 2911 * 2912 * Returns a pointer to the smack value 2913 */ 2914 static struct smack_known *smack_of_ipc(struct kern_ipc_perm *isp) 2915 { 2916 struct smack_known **blob = smack_ipc(isp); 2917 2918 return *blob; 2919 } 2920 2921 /** 2922 * smack_ipc_alloc_security - Set the security blob for ipc 2923 * @isp: the object 2924 * 2925 * Returns 0 2926 */ 2927 static int smack_ipc_alloc_security(struct kern_ipc_perm *isp) 2928 { 2929 struct smack_known **blob = smack_ipc(isp); 2930 2931 *blob = smk_of_current(); 2932 return 0; 2933 } 2934 2935 /** 2936 * smk_curacc_shm : check if current has access on shm 2937 * @isp : the object 2938 * @access : access requested 2939 * 2940 * Returns 0 if current has the requested access, error code otherwise 2941 */ 2942 static int smk_curacc_shm(struct kern_ipc_perm *isp, int access) 2943 { 2944 struct smack_known *ssp = smack_of_ipc(isp); 2945 struct smk_audit_info ad; 2946 int rc; 2947 2948 #ifdef CONFIG_AUDIT 2949 smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_IPC); 2950 ad.a.u.ipc_id = isp->id; 2951 #endif 2952 rc = smk_curacc(ssp, access, &ad); 2953 rc = smk_bu_current("shm", ssp, access, rc); 2954 return rc; 2955 } 2956 2957 /** 2958 * smack_shm_associate - Smack access check for shm 2959 * @isp: the object 2960 * @shmflg: access requested 2961 * 2962 * Returns 0 if current has the requested access, error code otherwise 2963 */ 2964 static int smack_shm_associate(struct kern_ipc_perm *isp, int shmflg) 2965 { 2966 int may; 2967 2968 may = smack_flags_to_may(shmflg); 2969 return smk_curacc_shm(isp, may); 2970 } 2971 2972 /** 2973 * smack_shm_shmctl - Smack access check for shm 2974 * @isp: the object 2975 * @cmd: what it wants to do 2976 * 2977 * Returns 0 if current has the requested access, error code otherwise 2978 */ 2979 static int smack_shm_shmctl(struct kern_ipc_perm *isp, int cmd) 2980 { 2981 int may; 2982 2983 switch (cmd) { 2984 case IPC_STAT: 2985 case SHM_STAT: 2986 case SHM_STAT_ANY: 2987 may = MAY_READ; 2988 break; 2989 case IPC_SET: 2990 case SHM_LOCK: 2991 case SHM_UNLOCK: 2992 case IPC_RMID: 2993 may = MAY_READWRITE; 2994 break; 2995 case IPC_INFO: 2996 case SHM_INFO: 2997 /* 2998 * System level information. 2999 */ 3000 return 0; 3001 default: 3002 return -EINVAL; 3003 } 3004 return smk_curacc_shm(isp, may); 3005 } 3006 3007 /** 3008 * smack_shm_shmat - Smack access for shmat 3009 * @isp: the object 3010 * @shmaddr: unused 3011 * @shmflg: access requested 3012 * 3013 * Returns 0 if current has the requested access, error code otherwise 3014 */ 3015 static int smack_shm_shmat(struct kern_ipc_perm *isp, char __user *shmaddr, 3016 int shmflg) 3017 { 3018 int may; 3019 3020 may = smack_flags_to_may(shmflg); 3021 return smk_curacc_shm(isp, may); 3022 } 3023 3024 /** 3025 * smk_curacc_sem : check if current has access on sem 3026 * @isp : the object 3027 * @access : access requested 3028 * 3029 * Returns 0 if current has the requested access, error code otherwise 3030 */ 3031 static int smk_curacc_sem(struct kern_ipc_perm *isp, int access) 3032 { 3033 struct smack_known *ssp = smack_of_ipc(isp); 3034 struct smk_audit_info ad; 3035 int rc; 3036 3037 #ifdef CONFIG_AUDIT 3038 smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_IPC); 3039 ad.a.u.ipc_id = isp->id; 3040 #endif 3041 rc = smk_curacc(ssp, access, &ad); 3042 rc = smk_bu_current("sem", ssp, access, rc); 3043 return rc; 3044 } 3045 3046 /** 3047 * smack_sem_associate - Smack access check for sem 3048 * @isp: the object 3049 * @semflg: access requested 3050 * 3051 * Returns 0 if current has the requested access, error code otherwise 3052 */ 3053 static int smack_sem_associate(struct kern_ipc_perm *isp, int semflg) 3054 { 3055 int may; 3056 3057 may = smack_flags_to_may(semflg); 3058 return smk_curacc_sem(isp, may); 3059 } 3060 3061 /** 3062 * smack_sem_shmctl - Smack access check for sem 3063 * @isp: the object 3064 * @cmd: what it wants to do 3065 * 3066 * Returns 0 if current has the requested access, error code otherwise 3067 */ 3068 static int smack_sem_semctl(struct kern_ipc_perm *isp, int cmd) 3069 { 3070 int may; 3071 3072 switch (cmd) { 3073 case GETPID: 3074 case GETNCNT: 3075 case GETZCNT: 3076 case GETVAL: 3077 case GETALL: 3078 case IPC_STAT: 3079 case SEM_STAT: 3080 case SEM_STAT_ANY: 3081 may = MAY_READ; 3082 break; 3083 case SETVAL: 3084 case SETALL: 3085 case IPC_RMID: 3086 case IPC_SET: 3087 may = MAY_READWRITE; 3088 break; 3089 case IPC_INFO: 3090 case SEM_INFO: 3091 /* 3092 * System level information 3093 */ 3094 return 0; 3095 default: 3096 return -EINVAL; 3097 } 3098 3099 return smk_curacc_sem(isp, may); 3100 } 3101 3102 /** 3103 * smack_sem_semop - Smack checks of semaphore operations 3104 * @isp: the object 3105 * @sops: unused 3106 * @nsops: unused 3107 * @alter: unused 3108 * 3109 * Treated as read and write in all cases. 3110 * 3111 * Returns 0 if access is allowed, error code otherwise 3112 */ 3113 static int smack_sem_semop(struct kern_ipc_perm *isp, struct sembuf *sops, 3114 unsigned nsops, int alter) 3115 { 3116 return smk_curacc_sem(isp, MAY_READWRITE); 3117 } 3118 3119 /** 3120 * smk_curacc_msq : helper to check if current has access on msq 3121 * @isp : the msq 3122 * @access : access requested 3123 * 3124 * return 0 if current has access, error otherwise 3125 */ 3126 static int smk_curacc_msq(struct kern_ipc_perm *isp, int access) 3127 { 3128 struct smack_known *msp = smack_of_ipc(isp); 3129 struct smk_audit_info ad; 3130 int rc; 3131 3132 #ifdef CONFIG_AUDIT 3133 smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_IPC); 3134 ad.a.u.ipc_id = isp->id; 3135 #endif 3136 rc = smk_curacc(msp, access, &ad); 3137 rc = smk_bu_current("msq", msp, access, rc); 3138 return rc; 3139 } 3140 3141 /** 3142 * smack_msg_queue_associate - Smack access check for msg_queue 3143 * @isp: the object 3144 * @msqflg: access requested 3145 * 3146 * Returns 0 if current has the requested access, error code otherwise 3147 */ 3148 static int smack_msg_queue_associate(struct kern_ipc_perm *isp, int msqflg) 3149 { 3150 int may; 3151 3152 may = smack_flags_to_may(msqflg); 3153 return smk_curacc_msq(isp, may); 3154 } 3155 3156 /** 3157 * smack_msg_queue_msgctl - Smack access check for msg_queue 3158 * @isp: the object 3159 * @cmd: what it wants to do 3160 * 3161 * Returns 0 if current has the requested access, error code otherwise 3162 */ 3163 static int smack_msg_queue_msgctl(struct kern_ipc_perm *isp, int cmd) 3164 { 3165 int may; 3166 3167 switch (cmd) { 3168 case IPC_STAT: 3169 case MSG_STAT: 3170 case MSG_STAT_ANY: 3171 may = MAY_READ; 3172 break; 3173 case IPC_SET: 3174 case IPC_RMID: 3175 may = MAY_READWRITE; 3176 break; 3177 case IPC_INFO: 3178 case MSG_INFO: 3179 /* 3180 * System level information 3181 */ 3182 return 0; 3183 default: 3184 return -EINVAL; 3185 } 3186 3187 return smk_curacc_msq(isp, may); 3188 } 3189 3190 /** 3191 * smack_msg_queue_msgsnd - Smack access check for msg_queue 3192 * @isp: the object 3193 * @msg: unused 3194 * @msqflg: access requested 3195 * 3196 * Returns 0 if current has the requested access, error code otherwise 3197 */ 3198 static int smack_msg_queue_msgsnd(struct kern_ipc_perm *isp, struct msg_msg *msg, 3199 int msqflg) 3200 { 3201 int may; 3202 3203 may = smack_flags_to_may(msqflg); 3204 return smk_curacc_msq(isp, may); 3205 } 3206 3207 /** 3208 * smack_msg_queue_msgsnd - Smack access check for msg_queue 3209 * @isp: the object 3210 * @msg: unused 3211 * @target: unused 3212 * @type: unused 3213 * @mode: unused 3214 * 3215 * Returns 0 if current has read and write access, error code otherwise 3216 */ 3217 static int smack_msg_queue_msgrcv(struct kern_ipc_perm *isp, struct msg_msg *msg, 3218 struct task_struct *target, long type, int mode) 3219 { 3220 return smk_curacc_msq(isp, MAY_READWRITE); 3221 } 3222 3223 /** 3224 * smack_ipc_permission - Smack access for ipc_permission() 3225 * @ipp: the object permissions 3226 * @flag: access requested 3227 * 3228 * Returns 0 if current has read and write access, error code otherwise 3229 */ 3230 static int smack_ipc_permission(struct kern_ipc_perm *ipp, short flag) 3231 { 3232 struct smack_known **blob = smack_ipc(ipp); 3233 struct smack_known *iskp = *blob; 3234 int may = smack_flags_to_may(flag); 3235 struct smk_audit_info ad; 3236 int rc; 3237 3238 #ifdef CONFIG_AUDIT 3239 smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_IPC); 3240 ad.a.u.ipc_id = ipp->id; 3241 #endif 3242 rc = smk_curacc(iskp, may, &ad); 3243 rc = smk_bu_current("svipc", iskp, may, rc); 3244 return rc; 3245 } 3246 3247 /** 3248 * smack_ipc_getsecid - Extract smack security id 3249 * @ipp: the object permissions 3250 * @secid: where result will be saved 3251 */ 3252 static void smack_ipc_getsecid(struct kern_ipc_perm *ipp, u32 *secid) 3253 { 3254 struct smack_known **blob = smack_ipc(ipp); 3255 struct smack_known *iskp = *blob; 3256 3257 *secid = iskp->smk_secid; 3258 } 3259 3260 /** 3261 * smack_d_instantiate - Make sure the blob is correct on an inode 3262 * @opt_dentry: dentry where inode will be attached 3263 * @inode: the object 3264 * 3265 * Set the inode's security blob if it hasn't been done already. 3266 */ 3267 static void smack_d_instantiate(struct dentry *opt_dentry, struct inode *inode) 3268 { 3269 struct super_block *sbp; 3270 struct superblock_smack *sbsp; 3271 struct inode_smack *isp; 3272 struct smack_known *skp; 3273 struct smack_known *ckp = smk_of_current(); 3274 struct smack_known *final; 3275 char trattr[TRANS_TRUE_SIZE]; 3276 int transflag = 0; 3277 int rc; 3278 struct dentry *dp; 3279 3280 if (inode == NULL) 3281 return; 3282 3283 isp = smack_inode(inode); 3284 3285 mutex_lock(&isp->smk_lock); 3286 /* 3287 * If the inode is already instantiated 3288 * take the quick way out 3289 */ 3290 if (isp->smk_flags & SMK_INODE_INSTANT) 3291 goto unlockandout; 3292 3293 sbp = inode->i_sb; 3294 sbsp = sbp->s_security; 3295 /* 3296 * We're going to use the superblock default label 3297 * if there's no label on the file. 3298 */ 3299 final = sbsp->smk_default; 3300 3301 /* 3302 * If this is the root inode the superblock 3303 * may be in the process of initialization. 3304 * If that is the case use the root value out 3305 * of the superblock. 3306 */ 3307 if (opt_dentry->d_parent == opt_dentry) { 3308 switch (sbp->s_magic) { 3309 case CGROUP_SUPER_MAGIC: 3310 case CGROUP2_SUPER_MAGIC: 3311 /* 3312 * The cgroup filesystem is never mounted, 3313 * so there's no opportunity to set the mount 3314 * options. 3315 */ 3316 sbsp->smk_root = &smack_known_star; 3317 sbsp->smk_default = &smack_known_star; 3318 isp->smk_inode = sbsp->smk_root; 3319 break; 3320 case TMPFS_MAGIC: 3321 /* 3322 * What about shmem/tmpfs anonymous files with dentry 3323 * obtained from d_alloc_pseudo()? 3324 */ 3325 isp->smk_inode = smk_of_current(); 3326 break; 3327 case PIPEFS_MAGIC: 3328 isp->smk_inode = smk_of_current(); 3329 break; 3330 case SOCKFS_MAGIC: 3331 /* 3332 * Socket access is controlled by the socket 3333 * structures associated with the task involved. 3334 */ 3335 isp->smk_inode = &smack_known_star; 3336 break; 3337 default: 3338 isp->smk_inode = sbsp->smk_root; 3339 break; 3340 } 3341 isp->smk_flags |= SMK_INODE_INSTANT; 3342 goto unlockandout; 3343 } 3344 3345 /* 3346 * This is pretty hackish. 3347 * Casey says that we shouldn't have to do 3348 * file system specific code, but it does help 3349 * with keeping it simple. 3350 */ 3351 switch (sbp->s_magic) { 3352 case SMACK_MAGIC: 3353 case CGROUP_SUPER_MAGIC: 3354 case CGROUP2_SUPER_MAGIC: 3355 /* 3356 * Casey says that it's a little embarrassing 3357 * that the smack file system doesn't do 3358 * extended attributes. 3359 * 3360 * Cgroupfs is special 3361 */ 3362 final = &smack_known_star; 3363 break; 3364 case DEVPTS_SUPER_MAGIC: 3365 /* 3366 * devpts seems content with the label of the task. 3367 * Programs that change smack have to treat the 3368 * pty with respect. 3369 */ 3370 final = ckp; 3371 break; 3372 case PROC_SUPER_MAGIC: 3373 /* 3374 * Casey says procfs appears not to care. 3375 * The superblock default suffices. 3376 */ 3377 break; 3378 case TMPFS_MAGIC: 3379 /* 3380 * Device labels should come from the filesystem, 3381 * but watch out, because they're volitile, 3382 * getting recreated on every reboot. 3383 */ 3384 final = &smack_known_star; 3385 /* 3386 * If a smack value has been set we want to use it, 3387 * but since tmpfs isn't giving us the opportunity 3388 * to set mount options simulate setting the 3389 * superblock default. 3390 */ 3391 /* Fall through */ 3392 default: 3393 /* 3394 * This isn't an understood special case. 3395 * Get the value from the xattr. 3396 */ 3397 3398 /* 3399 * UNIX domain sockets use lower level socket data. 3400 */ 3401 if (S_ISSOCK(inode->i_mode)) { 3402 final = &smack_known_star; 3403 break; 3404 } 3405 /* 3406 * No xattr support means, alas, no SMACK label. 3407 * Use the aforeapplied default. 3408 * It would be curious if the label of the task 3409 * does not match that assigned. 3410 */ 3411 if (!(inode->i_opflags & IOP_XATTR)) 3412 break; 3413 /* 3414 * Get the dentry for xattr. 3415 */ 3416 dp = dget(opt_dentry); 3417 skp = smk_fetch(XATTR_NAME_SMACK, inode, dp); 3418 if (!IS_ERR_OR_NULL(skp)) 3419 final = skp; 3420 3421 /* 3422 * Transmuting directory 3423 */ 3424 if (S_ISDIR(inode->i_mode)) { 3425 /* 3426 * If this is a new directory and the label was 3427 * transmuted when the inode was initialized 3428 * set the transmute attribute on the directory 3429 * and mark the inode. 3430 * 3431 * If there is a transmute attribute on the 3432 * directory mark the inode. 3433 */ 3434 if (isp->smk_flags & SMK_INODE_CHANGED) { 3435 isp->smk_flags &= ~SMK_INODE_CHANGED; 3436 rc = __vfs_setxattr(dp, inode, 3437 XATTR_NAME_SMACKTRANSMUTE, 3438 TRANS_TRUE, TRANS_TRUE_SIZE, 3439 0); 3440 } else { 3441 rc = __vfs_getxattr(dp, inode, 3442 XATTR_NAME_SMACKTRANSMUTE, trattr, 3443 TRANS_TRUE_SIZE); 3444 if (rc >= 0 && strncmp(trattr, TRANS_TRUE, 3445 TRANS_TRUE_SIZE) != 0) 3446 rc = -EINVAL; 3447 } 3448 if (rc >= 0) 3449 transflag = SMK_INODE_TRANSMUTE; 3450 } 3451 /* 3452 * Don't let the exec or mmap label be "*" or "@". 3453 */ 3454 skp = smk_fetch(XATTR_NAME_SMACKEXEC, inode, dp); 3455 if (IS_ERR(skp) || skp == &smack_known_star || 3456 skp == &smack_known_web) 3457 skp = NULL; 3458 isp->smk_task = skp; 3459 3460 skp = smk_fetch(XATTR_NAME_SMACKMMAP, inode, dp); 3461 if (IS_ERR(skp) || skp == &smack_known_star || 3462 skp == &smack_known_web) 3463 skp = NULL; 3464 isp->smk_mmap = skp; 3465 3466 dput(dp); 3467 break; 3468 } 3469 3470 if (final == NULL) 3471 isp->smk_inode = ckp; 3472 else 3473 isp->smk_inode = final; 3474 3475 isp->smk_flags |= (SMK_INODE_INSTANT | transflag); 3476 3477 unlockandout: 3478 mutex_unlock(&isp->smk_lock); 3479 return; 3480 } 3481 3482 /** 3483 * smack_getprocattr - Smack process attribute access 3484 * @p: the object task 3485 * @name: the name of the attribute in /proc/.../attr 3486 * @value: where to put the result 3487 * 3488 * Places a copy of the task Smack into value 3489 * 3490 * Returns the length of the smack label or an error code 3491 */ 3492 static int smack_getprocattr(struct task_struct *p, char *name, char **value) 3493 { 3494 struct smack_known *skp = smk_of_task_struct(p); 3495 char *cp; 3496 int slen; 3497 3498 if (strcmp(name, "current") != 0) 3499 return -EINVAL; 3500 3501 cp = kstrdup(skp->smk_known, GFP_KERNEL); 3502 if (cp == NULL) 3503 return -ENOMEM; 3504 3505 slen = strlen(cp); 3506 *value = cp; 3507 return slen; 3508 } 3509 3510 /** 3511 * smack_setprocattr - Smack process attribute setting 3512 * @name: the name of the attribute in /proc/.../attr 3513 * @value: the value to set 3514 * @size: the size of the value 3515 * 3516 * Sets the Smack value of the task. Only setting self 3517 * is permitted and only with privilege 3518 * 3519 * Returns the length of the smack label or an error code 3520 */ 3521 static int smack_setprocattr(const char *name, void *value, size_t size) 3522 { 3523 struct task_smack *tsp = smack_cred(current_cred()); 3524 struct cred *new; 3525 struct smack_known *skp; 3526 struct smack_known_list_elem *sklep; 3527 int rc; 3528 3529 if (!smack_privileged(CAP_MAC_ADMIN) && list_empty(&tsp->smk_relabel)) 3530 return -EPERM; 3531 3532 if (value == NULL || size == 0 || size >= SMK_LONGLABEL) 3533 return -EINVAL; 3534 3535 if (strcmp(name, "current") != 0) 3536 return -EINVAL; 3537 3538 skp = smk_import_entry(value, size); 3539 if (IS_ERR(skp)) 3540 return PTR_ERR(skp); 3541 3542 /* 3543 * No process is ever allowed the web ("@") label 3544 * and the star ("*") label. 3545 */ 3546 if (skp == &smack_known_web || skp == &smack_known_star) 3547 return -EINVAL; 3548 3549 if (!smack_privileged(CAP_MAC_ADMIN)) { 3550 rc = -EPERM; 3551 list_for_each_entry(sklep, &tsp->smk_relabel, list) 3552 if (sklep->smk_label == skp) { 3553 rc = 0; 3554 break; 3555 } 3556 if (rc) 3557 return rc; 3558 } 3559 3560 new = prepare_creds(); 3561 if (new == NULL) 3562 return -ENOMEM; 3563 3564 tsp = smack_cred(new); 3565 tsp->smk_task = skp; 3566 /* 3567 * process can change its label only once 3568 */ 3569 smk_destroy_label_list(&tsp->smk_relabel); 3570 3571 commit_creds(new); 3572 return size; 3573 } 3574 3575 /** 3576 * smack_unix_stream_connect - Smack access on UDS 3577 * @sock: one sock 3578 * @other: the other sock 3579 * @newsk: unused 3580 * 3581 * Return 0 if a subject with the smack of sock could access 3582 * an object with the smack of other, otherwise an error code 3583 */ 3584 static int smack_unix_stream_connect(struct sock *sock, 3585 struct sock *other, struct sock *newsk) 3586 { 3587 struct smack_known *skp; 3588 struct smack_known *okp; 3589 struct socket_smack *ssp = sock->sk_security; 3590 struct socket_smack *osp = other->sk_security; 3591 struct socket_smack *nsp = newsk->sk_security; 3592 struct smk_audit_info ad; 3593 int rc = 0; 3594 #ifdef CONFIG_AUDIT 3595 struct lsm_network_audit net; 3596 #endif 3597 3598 if (!smack_privileged(CAP_MAC_OVERRIDE)) { 3599 skp = ssp->smk_out; 3600 okp = osp->smk_in; 3601 #ifdef CONFIG_AUDIT 3602 smk_ad_init_net(&ad, __func__, LSM_AUDIT_DATA_NET, &net); 3603 smk_ad_setfield_u_net_sk(&ad, other); 3604 #endif 3605 rc = smk_access(skp, okp, MAY_WRITE, &ad); 3606 rc = smk_bu_note("UDS connect", skp, okp, MAY_WRITE, rc); 3607 if (rc == 0) { 3608 okp = osp->smk_out; 3609 skp = ssp->smk_in; 3610 rc = smk_access(okp, skp, MAY_WRITE, &ad); 3611 rc = smk_bu_note("UDS connect", okp, skp, 3612 MAY_WRITE, rc); 3613 } 3614 } 3615 3616 /* 3617 * Cross reference the peer labels for SO_PEERSEC. 3618 */ 3619 if (rc == 0) { 3620 nsp->smk_packet = ssp->smk_out; 3621 ssp->smk_packet = osp->smk_out; 3622 } 3623 3624 return rc; 3625 } 3626 3627 /** 3628 * smack_unix_may_send - Smack access on UDS 3629 * @sock: one socket 3630 * @other: the other socket 3631 * 3632 * Return 0 if a subject with the smack of sock could access 3633 * an object with the smack of other, otherwise an error code 3634 */ 3635 static int smack_unix_may_send(struct socket *sock, struct socket *other) 3636 { 3637 struct socket_smack *ssp = sock->sk->sk_security; 3638 struct socket_smack *osp = other->sk->sk_security; 3639 struct smk_audit_info ad; 3640 int rc; 3641 3642 #ifdef CONFIG_AUDIT 3643 struct lsm_network_audit net; 3644 3645 smk_ad_init_net(&ad, __func__, LSM_AUDIT_DATA_NET, &net); 3646 smk_ad_setfield_u_net_sk(&ad, other->sk); 3647 #endif 3648 3649 if (smack_privileged(CAP_MAC_OVERRIDE)) 3650 return 0; 3651 3652 rc = smk_access(ssp->smk_out, osp->smk_in, MAY_WRITE, &ad); 3653 rc = smk_bu_note("UDS send", ssp->smk_out, osp->smk_in, MAY_WRITE, rc); 3654 return rc; 3655 } 3656 3657 /** 3658 * smack_socket_sendmsg - Smack check based on destination host 3659 * @sock: the socket 3660 * @msg: the message 3661 * @size: the size of the message 3662 * 3663 * Return 0 if the current subject can write to the destination host. 3664 * For IPv4 this is only a question if the destination is a single label host. 3665 * For IPv6 this is a check against the label of the port. 3666 */ 3667 static int smack_socket_sendmsg(struct socket *sock, struct msghdr *msg, 3668 int size) 3669 { 3670 struct sockaddr_in *sip = (struct sockaddr_in *) msg->msg_name; 3671 #if IS_ENABLED(CONFIG_IPV6) 3672 struct sockaddr_in6 *sap = (struct sockaddr_in6 *) msg->msg_name; 3673 #endif 3674 #ifdef SMACK_IPV6_SECMARK_LABELING 3675 struct socket_smack *ssp = sock->sk->sk_security; 3676 struct smack_known *rsp; 3677 #endif 3678 int rc = 0; 3679 3680 /* 3681 * Perfectly reasonable for this to be NULL 3682 */ 3683 if (sip == NULL) 3684 return 0; 3685 3686 switch (sock->sk->sk_family) { 3687 case AF_INET: 3688 if (msg->msg_namelen < sizeof(struct sockaddr_in) || 3689 sip->sin_family != AF_INET) 3690 return -EINVAL; 3691 rc = smack_netlabel_send(sock->sk, sip); 3692 break; 3693 #if IS_ENABLED(CONFIG_IPV6) 3694 case AF_INET6: 3695 if (msg->msg_namelen < SIN6_LEN_RFC2133 || 3696 sap->sin6_family != AF_INET6) 3697 return -EINVAL; 3698 #ifdef SMACK_IPV6_SECMARK_LABELING 3699 rsp = smack_ipv6host_label(sap); 3700 if (rsp != NULL) 3701 rc = smk_ipv6_check(ssp->smk_out, rsp, sap, 3702 SMK_CONNECTING); 3703 #endif 3704 #ifdef SMACK_IPV6_PORT_LABELING 3705 rc = smk_ipv6_port_check(sock->sk, sap, SMK_SENDING); 3706 #endif 3707 #endif /* IS_ENABLED(CONFIG_IPV6) */ 3708 break; 3709 } 3710 return rc; 3711 } 3712 3713 /** 3714 * smack_from_secattr - Convert a netlabel attr.mls.lvl/attr.mls.cat pair to smack 3715 * @sap: netlabel secattr 3716 * @ssp: socket security information 3717 * 3718 * Returns a pointer to a Smack label entry found on the label list. 3719 */ 3720 static struct smack_known *smack_from_secattr(struct netlbl_lsm_secattr *sap, 3721 struct socket_smack *ssp) 3722 { 3723 struct smack_known *skp; 3724 int found = 0; 3725 int acat; 3726 int kcat; 3727 3728 if ((sap->flags & NETLBL_SECATTR_MLS_LVL) != 0) { 3729 /* 3730 * Looks like a CIPSO packet. 3731 * If there are flags but no level netlabel isn't 3732 * behaving the way we expect it to. 3733 * 3734 * Look it up in the label table 3735 * Without guidance regarding the smack value 3736 * for the packet fall back on the network 3737 * ambient value. 3738 */ 3739 rcu_read_lock(); 3740 list_for_each_entry_rcu(skp, &smack_known_list, list) { 3741 if (sap->attr.mls.lvl != skp->smk_netlabel.attr.mls.lvl) 3742 continue; 3743 /* 3744 * Compare the catsets. Use the netlbl APIs. 3745 */ 3746 if ((sap->flags & NETLBL_SECATTR_MLS_CAT) == 0) { 3747 if ((skp->smk_netlabel.flags & 3748 NETLBL_SECATTR_MLS_CAT) == 0) 3749 found = 1; 3750 break; 3751 } 3752 for (acat = -1, kcat = -1; acat == kcat; ) { 3753 acat = netlbl_catmap_walk(sap->attr.mls.cat, 3754 acat + 1); 3755 kcat = netlbl_catmap_walk( 3756 skp->smk_netlabel.attr.mls.cat, 3757 kcat + 1); 3758 if (acat < 0 || kcat < 0) 3759 break; 3760 } 3761 if (acat == kcat) { 3762 found = 1; 3763 break; 3764 } 3765 } 3766 rcu_read_unlock(); 3767 3768 if (found) 3769 return skp; 3770 3771 if (ssp != NULL && ssp->smk_in == &smack_known_star) 3772 return &smack_known_web; 3773 return &smack_known_star; 3774 } 3775 if ((sap->flags & NETLBL_SECATTR_SECID) != 0) 3776 /* 3777 * Looks like a fallback, which gives us a secid. 3778 */ 3779 return smack_from_secid(sap->attr.secid); 3780 /* 3781 * Without guidance regarding the smack value 3782 * for the packet fall back on the network 3783 * ambient value. 3784 */ 3785 return smack_net_ambient; 3786 } 3787 3788 #if IS_ENABLED(CONFIG_IPV6) 3789 static int smk_skb_to_addr_ipv6(struct sk_buff *skb, struct sockaddr_in6 *sip) 3790 { 3791 u8 nexthdr; 3792 int offset; 3793 int proto = -EINVAL; 3794 struct ipv6hdr _ipv6h; 3795 struct ipv6hdr *ip6; 3796 __be16 frag_off; 3797 struct tcphdr _tcph, *th; 3798 struct udphdr _udph, *uh; 3799 struct dccp_hdr _dccph, *dh; 3800 3801 sip->sin6_port = 0; 3802 3803 offset = skb_network_offset(skb); 3804 ip6 = skb_header_pointer(skb, offset, sizeof(_ipv6h), &_ipv6h); 3805 if (ip6 == NULL) 3806 return -EINVAL; 3807 sip->sin6_addr = ip6->saddr; 3808 3809 nexthdr = ip6->nexthdr; 3810 offset += sizeof(_ipv6h); 3811 offset = ipv6_skip_exthdr(skb, offset, &nexthdr, &frag_off); 3812 if (offset < 0) 3813 return -EINVAL; 3814 3815 proto = nexthdr; 3816 switch (proto) { 3817 case IPPROTO_TCP: 3818 th = skb_header_pointer(skb, offset, sizeof(_tcph), &_tcph); 3819 if (th != NULL) 3820 sip->sin6_port = th->source; 3821 break; 3822 case IPPROTO_UDP: 3823 case IPPROTO_UDPLITE: 3824 uh = skb_header_pointer(skb, offset, sizeof(_udph), &_udph); 3825 if (uh != NULL) 3826 sip->sin6_port = uh->source; 3827 break; 3828 case IPPROTO_DCCP: 3829 dh = skb_header_pointer(skb, offset, sizeof(_dccph), &_dccph); 3830 if (dh != NULL) 3831 sip->sin6_port = dh->dccph_sport; 3832 break; 3833 } 3834 return proto; 3835 } 3836 #endif /* CONFIG_IPV6 */ 3837 3838 /** 3839 * smack_socket_sock_rcv_skb - Smack packet delivery access check 3840 * @sk: socket 3841 * @skb: packet 3842 * 3843 * Returns 0 if the packet should be delivered, an error code otherwise 3844 */ 3845 static int smack_socket_sock_rcv_skb(struct sock *sk, struct sk_buff *skb) 3846 { 3847 struct netlbl_lsm_secattr secattr; 3848 struct socket_smack *ssp = sk->sk_security; 3849 struct smack_known *skp = NULL; 3850 int rc = 0; 3851 struct smk_audit_info ad; 3852 u16 family = sk->sk_family; 3853 #ifdef CONFIG_AUDIT 3854 struct lsm_network_audit net; 3855 #endif 3856 #if IS_ENABLED(CONFIG_IPV6) 3857 struct sockaddr_in6 sadd; 3858 int proto; 3859 3860 if (family == PF_INET6 && skb->protocol == htons(ETH_P_IP)) 3861 family = PF_INET; 3862 #endif /* CONFIG_IPV6 */ 3863 3864 switch (family) { 3865 case PF_INET: 3866 #ifdef CONFIG_SECURITY_SMACK_NETFILTER 3867 /* 3868 * If there is a secmark use it rather than the CIPSO label. 3869 * If there is no secmark fall back to CIPSO. 3870 * The secmark is assumed to reflect policy better. 3871 */ 3872 if (skb && skb->secmark != 0) { 3873 skp = smack_from_secid(skb->secmark); 3874 goto access_check; 3875 } 3876 #endif /* CONFIG_SECURITY_SMACK_NETFILTER */ 3877 /* 3878 * Translate what netlabel gave us. 3879 */ 3880 netlbl_secattr_init(&secattr); 3881 3882 rc = netlbl_skbuff_getattr(skb, family, &secattr); 3883 if (rc == 0) 3884 skp = smack_from_secattr(&secattr, ssp); 3885 else 3886 skp = smack_net_ambient; 3887 3888 netlbl_secattr_destroy(&secattr); 3889 3890 #ifdef CONFIG_SECURITY_SMACK_NETFILTER 3891 access_check: 3892 #endif 3893 #ifdef CONFIG_AUDIT 3894 smk_ad_init_net(&ad, __func__, LSM_AUDIT_DATA_NET, &net); 3895 ad.a.u.net->family = family; 3896 ad.a.u.net->netif = skb->skb_iif; 3897 ipv4_skb_to_auditdata(skb, &ad.a, NULL); 3898 #endif 3899 /* 3900 * Receiving a packet requires that the other end 3901 * be able to write here. Read access is not required. 3902 * This is the simplist possible security model 3903 * for networking. 3904 */ 3905 rc = smk_access(skp, ssp->smk_in, MAY_WRITE, &ad); 3906 rc = smk_bu_note("IPv4 delivery", skp, ssp->smk_in, 3907 MAY_WRITE, rc); 3908 if (rc != 0) 3909 netlbl_skbuff_err(skb, family, rc, 0); 3910 break; 3911 #if IS_ENABLED(CONFIG_IPV6) 3912 case PF_INET6: 3913 proto = smk_skb_to_addr_ipv6(skb, &sadd); 3914 if (proto != IPPROTO_UDP && proto != IPPROTO_UDPLITE && 3915 proto != IPPROTO_TCP && proto != IPPROTO_DCCP) 3916 break; 3917 #ifdef SMACK_IPV6_SECMARK_LABELING 3918 if (skb && skb->secmark != 0) 3919 skp = smack_from_secid(skb->secmark); 3920 else if (smk_ipv6_localhost(&sadd)) 3921 break; 3922 else 3923 skp = smack_ipv6host_label(&sadd); 3924 if (skp == NULL) 3925 skp = smack_net_ambient; 3926 if (skb == NULL) 3927 break; 3928 #ifdef CONFIG_AUDIT 3929 smk_ad_init_net(&ad, __func__, LSM_AUDIT_DATA_NET, &net); 3930 ad.a.u.net->family = family; 3931 ad.a.u.net->netif = skb->skb_iif; 3932 ipv6_skb_to_auditdata(skb, &ad.a, NULL); 3933 #endif /* CONFIG_AUDIT */ 3934 rc = smk_access(skp, ssp->smk_in, MAY_WRITE, &ad); 3935 rc = smk_bu_note("IPv6 delivery", skp, ssp->smk_in, 3936 MAY_WRITE, rc); 3937 #endif /* SMACK_IPV6_SECMARK_LABELING */ 3938 #ifdef SMACK_IPV6_PORT_LABELING 3939 rc = smk_ipv6_port_check(sk, &sadd, SMK_RECEIVING); 3940 #endif /* SMACK_IPV6_PORT_LABELING */ 3941 if (rc != 0) 3942 icmpv6_send(skb, ICMPV6_DEST_UNREACH, 3943 ICMPV6_ADM_PROHIBITED, 0); 3944 break; 3945 #endif /* CONFIG_IPV6 */ 3946 } 3947 3948 return rc; 3949 } 3950 3951 /** 3952 * smack_socket_getpeersec_stream - pull in packet label 3953 * @sock: the socket 3954 * @optval: user's destination 3955 * @optlen: size thereof 3956 * @len: max thereof 3957 * 3958 * returns zero on success, an error code otherwise 3959 */ 3960 static int smack_socket_getpeersec_stream(struct socket *sock, 3961 char __user *optval, 3962 int __user *optlen, unsigned len) 3963 { 3964 struct socket_smack *ssp; 3965 char *rcp = ""; 3966 int slen = 1; 3967 int rc = 0; 3968 3969 ssp = sock->sk->sk_security; 3970 if (ssp->smk_packet != NULL) { 3971 rcp = ssp->smk_packet->smk_known; 3972 slen = strlen(rcp) + 1; 3973 } 3974 3975 if (slen > len) 3976 rc = -ERANGE; 3977 else if (copy_to_user(optval, rcp, slen) != 0) 3978 rc = -EFAULT; 3979 3980 if (put_user(slen, optlen) != 0) 3981 rc = -EFAULT; 3982 3983 return rc; 3984 } 3985 3986 3987 /** 3988 * smack_socket_getpeersec_dgram - pull in packet label 3989 * @sock: the peer socket 3990 * @skb: packet data 3991 * @secid: pointer to where to put the secid of the packet 3992 * 3993 * Sets the netlabel socket state on sk from parent 3994 */ 3995 static int smack_socket_getpeersec_dgram(struct socket *sock, 3996 struct sk_buff *skb, u32 *secid) 3997 3998 { 3999 struct netlbl_lsm_secattr secattr; 4000 struct socket_smack *ssp = NULL; 4001 struct smack_known *skp; 4002 int family = PF_UNSPEC; 4003 u32 s = 0; /* 0 is the invalid secid */ 4004 int rc; 4005 4006 if (skb != NULL) { 4007 if (skb->protocol == htons(ETH_P_IP)) 4008 family = PF_INET; 4009 #if IS_ENABLED(CONFIG_IPV6) 4010 else if (skb->protocol == htons(ETH_P_IPV6)) 4011 family = PF_INET6; 4012 #endif /* CONFIG_IPV6 */ 4013 } 4014 if (family == PF_UNSPEC && sock != NULL) 4015 family = sock->sk->sk_family; 4016 4017 switch (family) { 4018 case PF_UNIX: 4019 ssp = sock->sk->sk_security; 4020 s = ssp->smk_out->smk_secid; 4021 break; 4022 case PF_INET: 4023 #ifdef CONFIG_SECURITY_SMACK_NETFILTER 4024 s = skb->secmark; 4025 if (s != 0) 4026 break; 4027 #endif 4028 /* 4029 * Translate what netlabel gave us. 4030 */ 4031 if (sock != NULL && sock->sk != NULL) 4032 ssp = sock->sk->sk_security; 4033 netlbl_secattr_init(&secattr); 4034 rc = netlbl_skbuff_getattr(skb, family, &secattr); 4035 if (rc == 0) { 4036 skp = smack_from_secattr(&secattr, ssp); 4037 s = skp->smk_secid; 4038 } 4039 netlbl_secattr_destroy(&secattr); 4040 break; 4041 case PF_INET6: 4042 #ifdef SMACK_IPV6_SECMARK_LABELING 4043 s = skb->secmark; 4044 #endif 4045 break; 4046 } 4047 *secid = s; 4048 if (s == 0) 4049 return -EINVAL; 4050 return 0; 4051 } 4052 4053 /** 4054 * smack_sock_graft - Initialize a newly created socket with an existing sock 4055 * @sk: child sock 4056 * @parent: parent socket 4057 * 4058 * Set the smk_{in,out} state of an existing sock based on the process that 4059 * is creating the new socket. 4060 */ 4061 static void smack_sock_graft(struct sock *sk, struct socket *parent) 4062 { 4063 struct socket_smack *ssp; 4064 struct smack_known *skp = smk_of_current(); 4065 4066 if (sk == NULL || 4067 (sk->sk_family != PF_INET && sk->sk_family != PF_INET6)) 4068 return; 4069 4070 ssp = sk->sk_security; 4071 ssp->smk_in = skp; 4072 ssp->smk_out = skp; 4073 /* cssp->smk_packet is already set in smack_inet_csk_clone() */ 4074 } 4075 4076 /** 4077 * smack_inet_conn_request - Smack access check on connect 4078 * @sk: socket involved 4079 * @skb: packet 4080 * @req: unused 4081 * 4082 * Returns 0 if a task with the packet label could write to 4083 * the socket, otherwise an error code 4084 */ 4085 static int smack_inet_conn_request(struct sock *sk, struct sk_buff *skb, 4086 struct request_sock *req) 4087 { 4088 u16 family = sk->sk_family; 4089 struct smack_known *skp; 4090 struct socket_smack *ssp = sk->sk_security; 4091 struct netlbl_lsm_secattr secattr; 4092 struct sockaddr_in addr; 4093 struct iphdr *hdr; 4094 struct smack_known *hskp; 4095 int rc; 4096 struct smk_audit_info ad; 4097 #ifdef CONFIG_AUDIT 4098 struct lsm_network_audit net; 4099 #endif 4100 4101 #if IS_ENABLED(CONFIG_IPV6) 4102 if (family == PF_INET6) { 4103 /* 4104 * Handle mapped IPv4 packets arriving 4105 * via IPv6 sockets. Don't set up netlabel 4106 * processing on IPv6. 4107 */ 4108 if (skb->protocol == htons(ETH_P_IP)) 4109 family = PF_INET; 4110 else 4111 return 0; 4112 } 4113 #endif /* CONFIG_IPV6 */ 4114 4115 #ifdef CONFIG_SECURITY_SMACK_NETFILTER 4116 /* 4117 * If there is a secmark use it rather than the CIPSO label. 4118 * If there is no secmark fall back to CIPSO. 4119 * The secmark is assumed to reflect policy better. 4120 */ 4121 if (skb && skb->secmark != 0) { 4122 skp = smack_from_secid(skb->secmark); 4123 goto access_check; 4124 } 4125 #endif /* CONFIG_SECURITY_SMACK_NETFILTER */ 4126 4127 netlbl_secattr_init(&secattr); 4128 rc = netlbl_skbuff_getattr(skb, family, &secattr); 4129 if (rc == 0) 4130 skp = smack_from_secattr(&secattr, ssp); 4131 else 4132 skp = &smack_known_huh; 4133 netlbl_secattr_destroy(&secattr); 4134 4135 #ifdef CONFIG_SECURITY_SMACK_NETFILTER 4136 access_check: 4137 #endif 4138 4139 #ifdef CONFIG_AUDIT 4140 smk_ad_init_net(&ad, __func__, LSM_AUDIT_DATA_NET, &net); 4141 ad.a.u.net->family = family; 4142 ad.a.u.net->netif = skb->skb_iif; 4143 ipv4_skb_to_auditdata(skb, &ad.a, NULL); 4144 #endif 4145 /* 4146 * Receiving a packet requires that the other end be able to write 4147 * here. Read access is not required. 4148 */ 4149 rc = smk_access(skp, ssp->smk_in, MAY_WRITE, &ad); 4150 rc = smk_bu_note("IPv4 connect", skp, ssp->smk_in, MAY_WRITE, rc); 4151 if (rc != 0) 4152 return rc; 4153 4154 /* 4155 * Save the peer's label in the request_sock so we can later setup 4156 * smk_packet in the child socket so that SO_PEERCRED can report it. 4157 */ 4158 req->peer_secid = skp->smk_secid; 4159 4160 /* 4161 * We need to decide if we want to label the incoming connection here 4162 * if we do we only need to label the request_sock and the stack will 4163 * propagate the wire-label to the sock when it is created. 4164 */ 4165 hdr = ip_hdr(skb); 4166 addr.sin_addr.s_addr = hdr->saddr; 4167 rcu_read_lock(); 4168 hskp = smack_ipv4host_label(&addr); 4169 rcu_read_unlock(); 4170 4171 if (hskp == NULL) 4172 rc = netlbl_req_setattr(req, &skp->smk_netlabel); 4173 else 4174 netlbl_req_delattr(req); 4175 4176 return rc; 4177 } 4178 4179 /** 4180 * smack_inet_csk_clone - Copy the connection information to the new socket 4181 * @sk: the new socket 4182 * @req: the connection's request_sock 4183 * 4184 * Transfer the connection's peer label to the newly created socket. 4185 */ 4186 static void smack_inet_csk_clone(struct sock *sk, 4187 const struct request_sock *req) 4188 { 4189 struct socket_smack *ssp = sk->sk_security; 4190 struct smack_known *skp; 4191 4192 if (req->peer_secid != 0) { 4193 skp = smack_from_secid(req->peer_secid); 4194 ssp->smk_packet = skp; 4195 } else 4196 ssp->smk_packet = NULL; 4197 } 4198 4199 /* 4200 * Key management security hooks 4201 * 4202 * Casey has not tested key support very heavily. 4203 * The permission check is most likely too restrictive. 4204 * If you care about keys please have a look. 4205 */ 4206 #ifdef CONFIG_KEYS 4207 4208 /** 4209 * smack_key_alloc - Set the key security blob 4210 * @key: object 4211 * @cred: the credentials to use 4212 * @flags: unused 4213 * 4214 * No allocation required 4215 * 4216 * Returns 0 4217 */ 4218 static int smack_key_alloc(struct key *key, const struct cred *cred, 4219 unsigned long flags) 4220 { 4221 struct smack_known *skp = smk_of_task(smack_cred(cred)); 4222 4223 key->security = skp; 4224 return 0; 4225 } 4226 4227 /** 4228 * smack_key_free - Clear the key security blob 4229 * @key: the object 4230 * 4231 * Clear the blob pointer 4232 */ 4233 static void smack_key_free(struct key *key) 4234 { 4235 key->security = NULL; 4236 } 4237 4238 /** 4239 * smack_key_permission - Smack access on a key 4240 * @key_ref: gets to the object 4241 * @cred: the credentials to use 4242 * @perm: requested key permissions 4243 * 4244 * Return 0 if the task has read and write to the object, 4245 * an error code otherwise 4246 */ 4247 static int smack_key_permission(key_ref_t key_ref, 4248 const struct cred *cred, unsigned perm) 4249 { 4250 struct key *keyp; 4251 struct smk_audit_info ad; 4252 struct smack_known *tkp = smk_of_task(smack_cred(cred)); 4253 int request = 0; 4254 int rc; 4255 4256 /* 4257 * Validate requested permissions 4258 */ 4259 if (perm & ~KEY_NEED_ALL) 4260 return -EINVAL; 4261 4262 keyp = key_ref_to_ptr(key_ref); 4263 if (keyp == NULL) 4264 return -EINVAL; 4265 /* 4266 * If the key hasn't been initialized give it access so that 4267 * it may do so. 4268 */ 4269 if (keyp->security == NULL) 4270 return 0; 4271 /* 4272 * This should not occur 4273 */ 4274 if (tkp == NULL) 4275 return -EACCES; 4276 4277 if (smack_privileged_cred(CAP_MAC_OVERRIDE, cred)) 4278 return 0; 4279 4280 #ifdef CONFIG_AUDIT 4281 smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_KEY); 4282 ad.a.u.key_struct.key = keyp->serial; 4283 ad.a.u.key_struct.key_desc = keyp->description; 4284 #endif 4285 if (perm & (KEY_NEED_READ | KEY_NEED_SEARCH | KEY_NEED_VIEW)) 4286 request |= MAY_READ; 4287 if (perm & (KEY_NEED_WRITE | KEY_NEED_LINK | KEY_NEED_SETATTR)) 4288 request |= MAY_WRITE; 4289 rc = smk_access(tkp, keyp->security, request, &ad); 4290 rc = smk_bu_note("key access", tkp, keyp->security, request, rc); 4291 return rc; 4292 } 4293 4294 /* 4295 * smack_key_getsecurity - Smack label tagging the key 4296 * @key points to the key to be queried 4297 * @_buffer points to a pointer that should be set to point to the 4298 * resulting string (if no label or an error occurs). 4299 * Return the length of the string (including terminating NUL) or -ve if 4300 * an error. 4301 * May also return 0 (and a NULL buffer pointer) if there is no label. 4302 */ 4303 static int smack_key_getsecurity(struct key *key, char **_buffer) 4304 { 4305 struct smack_known *skp = key->security; 4306 size_t length; 4307 char *copy; 4308 4309 if (key->security == NULL) { 4310 *_buffer = NULL; 4311 return 0; 4312 } 4313 4314 copy = kstrdup(skp->smk_known, GFP_KERNEL); 4315 if (copy == NULL) 4316 return -ENOMEM; 4317 length = strlen(copy) + 1; 4318 4319 *_buffer = copy; 4320 return length; 4321 } 4322 4323 #endif /* CONFIG_KEYS */ 4324 4325 /* 4326 * Smack Audit hooks 4327 * 4328 * Audit requires a unique representation of each Smack specific 4329 * rule. This unique representation is used to distinguish the 4330 * object to be audited from remaining kernel objects and also 4331 * works as a glue between the audit hooks. 4332 * 4333 * Since repository entries are added but never deleted, we'll use 4334 * the smack_known label address related to the given audit rule as 4335 * the needed unique representation. This also better fits the smack 4336 * model where nearly everything is a label. 4337 */ 4338 #ifdef CONFIG_AUDIT 4339 4340 /** 4341 * smack_audit_rule_init - Initialize a smack audit rule 4342 * @field: audit rule fields given from user-space (audit.h) 4343 * @op: required testing operator (=, !=, >, <, ...) 4344 * @rulestr: smack label to be audited 4345 * @vrule: pointer to save our own audit rule representation 4346 * 4347 * Prepare to audit cases where (@field @op @rulestr) is true. 4348 * The label to be audited is created if necessay. 4349 */ 4350 static int smack_audit_rule_init(u32 field, u32 op, char *rulestr, void **vrule) 4351 { 4352 struct smack_known *skp; 4353 char **rule = (char **)vrule; 4354 *rule = NULL; 4355 4356 if (field != AUDIT_SUBJ_USER && field != AUDIT_OBJ_USER) 4357 return -EINVAL; 4358 4359 if (op != Audit_equal && op != Audit_not_equal) 4360 return -EINVAL; 4361 4362 skp = smk_import_entry(rulestr, 0); 4363 if (IS_ERR(skp)) 4364 return PTR_ERR(skp); 4365 4366 *rule = skp->smk_known; 4367 4368 return 0; 4369 } 4370 4371 /** 4372 * smack_audit_rule_known - Distinguish Smack audit rules 4373 * @krule: rule of interest, in Audit kernel representation format 4374 * 4375 * This is used to filter Smack rules from remaining Audit ones. 4376 * If it's proved that this rule belongs to us, the 4377 * audit_rule_match hook will be called to do the final judgement. 4378 */ 4379 static int smack_audit_rule_known(struct audit_krule *krule) 4380 { 4381 struct audit_field *f; 4382 int i; 4383 4384 for (i = 0; i < krule->field_count; i++) { 4385 f = &krule->fields[i]; 4386 4387 if (f->type == AUDIT_SUBJ_USER || f->type == AUDIT_OBJ_USER) 4388 return 1; 4389 } 4390 4391 return 0; 4392 } 4393 4394 /** 4395 * smack_audit_rule_match - Audit given object ? 4396 * @secid: security id for identifying the object to test 4397 * @field: audit rule flags given from user-space 4398 * @op: required testing operator 4399 * @vrule: smack internal rule presentation 4400 * 4401 * The core Audit hook. It's used to take the decision of 4402 * whether to audit or not to audit a given object. 4403 */ 4404 static int smack_audit_rule_match(u32 secid, u32 field, u32 op, void *vrule) 4405 { 4406 struct smack_known *skp; 4407 char *rule = vrule; 4408 4409 if (unlikely(!rule)) { 4410 WARN_ONCE(1, "Smack: missing rule\n"); 4411 return -ENOENT; 4412 } 4413 4414 if (field != AUDIT_SUBJ_USER && field != AUDIT_OBJ_USER) 4415 return 0; 4416 4417 skp = smack_from_secid(secid); 4418 4419 /* 4420 * No need to do string comparisons. If a match occurs, 4421 * both pointers will point to the same smack_known 4422 * label. 4423 */ 4424 if (op == Audit_equal) 4425 return (rule == skp->smk_known); 4426 if (op == Audit_not_equal) 4427 return (rule != skp->smk_known); 4428 4429 return 0; 4430 } 4431 4432 /* 4433 * There is no need for a smack_audit_rule_free hook. 4434 * No memory was allocated. 4435 */ 4436 4437 #endif /* CONFIG_AUDIT */ 4438 4439 /** 4440 * smack_ismaclabel - check if xattr @name references a smack MAC label 4441 * @name: Full xattr name to check. 4442 */ 4443 static int smack_ismaclabel(const char *name) 4444 { 4445 return (strcmp(name, XATTR_SMACK_SUFFIX) == 0); 4446 } 4447 4448 4449 /** 4450 * smack_secid_to_secctx - return the smack label for a secid 4451 * @secid: incoming integer 4452 * @secdata: destination 4453 * @seclen: how long it is 4454 * 4455 * Exists for networking code. 4456 */ 4457 static int smack_secid_to_secctx(u32 secid, char **secdata, u32 *seclen) 4458 { 4459 struct smack_known *skp = smack_from_secid(secid); 4460 4461 if (secdata) 4462 *secdata = skp->smk_known; 4463 *seclen = strlen(skp->smk_known); 4464 return 0; 4465 } 4466 4467 /** 4468 * smack_secctx_to_secid - return the secid for a smack label 4469 * @secdata: smack label 4470 * @seclen: how long result is 4471 * @secid: outgoing integer 4472 * 4473 * Exists for audit and networking code. 4474 */ 4475 static int smack_secctx_to_secid(const char *secdata, u32 seclen, u32 *secid) 4476 { 4477 struct smack_known *skp = smk_find_entry(secdata); 4478 4479 if (skp) 4480 *secid = skp->smk_secid; 4481 else 4482 *secid = 0; 4483 return 0; 4484 } 4485 4486 /* 4487 * There used to be a smack_release_secctx hook 4488 * that did nothing back when hooks were in a vector. 4489 * Now that there's a list such a hook adds cost. 4490 */ 4491 4492 static int smack_inode_notifysecctx(struct inode *inode, void *ctx, u32 ctxlen) 4493 { 4494 return smack_inode_setsecurity(inode, XATTR_SMACK_SUFFIX, ctx, ctxlen, 0); 4495 } 4496 4497 static int smack_inode_setsecctx(struct dentry *dentry, void *ctx, u32 ctxlen) 4498 { 4499 return __vfs_setxattr_noperm(dentry, XATTR_NAME_SMACK, ctx, ctxlen, 0); 4500 } 4501 4502 static int smack_inode_getsecctx(struct inode *inode, void **ctx, u32 *ctxlen) 4503 { 4504 struct smack_known *skp = smk_of_inode(inode); 4505 4506 *ctx = skp->smk_known; 4507 *ctxlen = strlen(skp->smk_known); 4508 return 0; 4509 } 4510 4511 static int smack_inode_copy_up(struct dentry *dentry, struct cred **new) 4512 { 4513 4514 struct task_smack *tsp; 4515 struct smack_known *skp; 4516 struct inode_smack *isp; 4517 struct cred *new_creds = *new; 4518 4519 if (new_creds == NULL) { 4520 new_creds = prepare_creds(); 4521 if (new_creds == NULL) 4522 return -ENOMEM; 4523 } 4524 4525 tsp = smack_cred(new_creds); 4526 4527 /* 4528 * Get label from overlay inode and set it in create_sid 4529 */ 4530 isp = smack_inode(d_inode(dentry->d_parent)); 4531 skp = isp->smk_inode; 4532 tsp->smk_task = skp; 4533 *new = new_creds; 4534 return 0; 4535 } 4536 4537 static int smack_inode_copy_up_xattr(const char *name) 4538 { 4539 /* 4540 * Return 1 if this is the smack access Smack attribute. 4541 */ 4542 if (strcmp(name, XATTR_NAME_SMACK) == 0) 4543 return 1; 4544 4545 return -EOPNOTSUPP; 4546 } 4547 4548 static int smack_dentry_create_files_as(struct dentry *dentry, int mode, 4549 struct qstr *name, 4550 const struct cred *old, 4551 struct cred *new) 4552 { 4553 struct task_smack *otsp = smack_cred(old); 4554 struct task_smack *ntsp = smack_cred(new); 4555 struct inode_smack *isp; 4556 int may; 4557 4558 /* 4559 * Use the process credential unless all of 4560 * the transmuting criteria are met 4561 */ 4562 ntsp->smk_task = otsp->smk_task; 4563 4564 /* 4565 * the attribute of the containing directory 4566 */ 4567 isp = smack_inode(d_inode(dentry->d_parent)); 4568 4569 if (isp->smk_flags & SMK_INODE_TRANSMUTE) { 4570 rcu_read_lock(); 4571 may = smk_access_entry(otsp->smk_task->smk_known, 4572 isp->smk_inode->smk_known, 4573 &otsp->smk_task->smk_rules); 4574 rcu_read_unlock(); 4575 4576 /* 4577 * If the directory is transmuting and the rule 4578 * providing access is transmuting use the containing 4579 * directory label instead of the process label. 4580 */ 4581 if (may > 0 && (may & MAY_TRANSMUTE)) 4582 ntsp->smk_task = isp->smk_inode; 4583 } 4584 return 0; 4585 } 4586 4587 struct lsm_blob_sizes smack_blob_sizes __lsm_ro_after_init = { 4588 .lbs_cred = sizeof(struct task_smack), 4589 .lbs_file = sizeof(struct smack_known *), 4590 .lbs_inode = sizeof(struct inode_smack), 4591 .lbs_ipc = sizeof(struct smack_known *), 4592 .lbs_msg_msg = sizeof(struct smack_known *), 4593 }; 4594 4595 static struct security_hook_list smack_hooks[] __lsm_ro_after_init = { 4596 LSM_HOOK_INIT(ptrace_access_check, smack_ptrace_access_check), 4597 LSM_HOOK_INIT(ptrace_traceme, smack_ptrace_traceme), 4598 LSM_HOOK_INIT(syslog, smack_syslog), 4599 4600 LSM_HOOK_INIT(fs_context_dup, smack_fs_context_dup), 4601 LSM_HOOK_INIT(fs_context_parse_param, smack_fs_context_parse_param), 4602 4603 LSM_HOOK_INIT(sb_alloc_security, smack_sb_alloc_security), 4604 LSM_HOOK_INIT(sb_free_security, smack_sb_free_security), 4605 LSM_HOOK_INIT(sb_free_mnt_opts, smack_free_mnt_opts), 4606 LSM_HOOK_INIT(sb_eat_lsm_opts, smack_sb_eat_lsm_opts), 4607 LSM_HOOK_INIT(sb_statfs, smack_sb_statfs), 4608 LSM_HOOK_INIT(sb_set_mnt_opts, smack_set_mnt_opts), 4609 4610 LSM_HOOK_INIT(bprm_set_creds, smack_bprm_set_creds), 4611 4612 LSM_HOOK_INIT(inode_alloc_security, smack_inode_alloc_security), 4613 LSM_HOOK_INIT(inode_init_security, smack_inode_init_security), 4614 LSM_HOOK_INIT(inode_link, smack_inode_link), 4615 LSM_HOOK_INIT(inode_unlink, smack_inode_unlink), 4616 LSM_HOOK_INIT(inode_rmdir, smack_inode_rmdir), 4617 LSM_HOOK_INIT(inode_rename, smack_inode_rename), 4618 LSM_HOOK_INIT(inode_permission, smack_inode_permission), 4619 LSM_HOOK_INIT(inode_setattr, smack_inode_setattr), 4620 LSM_HOOK_INIT(inode_getattr, smack_inode_getattr), 4621 LSM_HOOK_INIT(inode_setxattr, smack_inode_setxattr), 4622 LSM_HOOK_INIT(inode_post_setxattr, smack_inode_post_setxattr), 4623 LSM_HOOK_INIT(inode_getxattr, smack_inode_getxattr), 4624 LSM_HOOK_INIT(inode_removexattr, smack_inode_removexattr), 4625 LSM_HOOK_INIT(inode_getsecurity, smack_inode_getsecurity), 4626 LSM_HOOK_INIT(inode_setsecurity, smack_inode_setsecurity), 4627 LSM_HOOK_INIT(inode_listsecurity, smack_inode_listsecurity), 4628 LSM_HOOK_INIT(inode_getsecid, smack_inode_getsecid), 4629 4630 LSM_HOOK_INIT(file_alloc_security, smack_file_alloc_security), 4631 LSM_HOOK_INIT(file_ioctl, smack_file_ioctl), 4632 LSM_HOOK_INIT(file_lock, smack_file_lock), 4633 LSM_HOOK_INIT(file_fcntl, smack_file_fcntl), 4634 LSM_HOOK_INIT(mmap_file, smack_mmap_file), 4635 LSM_HOOK_INIT(mmap_addr, cap_mmap_addr), 4636 LSM_HOOK_INIT(file_set_fowner, smack_file_set_fowner), 4637 LSM_HOOK_INIT(file_send_sigiotask, smack_file_send_sigiotask), 4638 LSM_HOOK_INIT(file_receive, smack_file_receive), 4639 4640 LSM_HOOK_INIT(file_open, smack_file_open), 4641 4642 LSM_HOOK_INIT(cred_alloc_blank, smack_cred_alloc_blank), 4643 LSM_HOOK_INIT(cred_free, smack_cred_free), 4644 LSM_HOOK_INIT(cred_prepare, smack_cred_prepare), 4645 LSM_HOOK_INIT(cred_transfer, smack_cred_transfer), 4646 LSM_HOOK_INIT(cred_getsecid, smack_cred_getsecid), 4647 LSM_HOOK_INIT(kernel_act_as, smack_kernel_act_as), 4648 LSM_HOOK_INIT(kernel_create_files_as, smack_kernel_create_files_as), 4649 LSM_HOOK_INIT(task_setpgid, smack_task_setpgid), 4650 LSM_HOOK_INIT(task_getpgid, smack_task_getpgid), 4651 LSM_HOOK_INIT(task_getsid, smack_task_getsid), 4652 LSM_HOOK_INIT(task_getsecid, smack_task_getsecid), 4653 LSM_HOOK_INIT(task_setnice, smack_task_setnice), 4654 LSM_HOOK_INIT(task_setioprio, smack_task_setioprio), 4655 LSM_HOOK_INIT(task_getioprio, smack_task_getioprio), 4656 LSM_HOOK_INIT(task_setscheduler, smack_task_setscheduler), 4657 LSM_HOOK_INIT(task_getscheduler, smack_task_getscheduler), 4658 LSM_HOOK_INIT(task_movememory, smack_task_movememory), 4659 LSM_HOOK_INIT(task_kill, smack_task_kill), 4660 LSM_HOOK_INIT(task_to_inode, smack_task_to_inode), 4661 4662 LSM_HOOK_INIT(ipc_permission, smack_ipc_permission), 4663 LSM_HOOK_INIT(ipc_getsecid, smack_ipc_getsecid), 4664 4665 LSM_HOOK_INIT(msg_msg_alloc_security, smack_msg_msg_alloc_security), 4666 4667 LSM_HOOK_INIT(msg_queue_alloc_security, smack_ipc_alloc_security), 4668 LSM_HOOK_INIT(msg_queue_associate, smack_msg_queue_associate), 4669 LSM_HOOK_INIT(msg_queue_msgctl, smack_msg_queue_msgctl), 4670 LSM_HOOK_INIT(msg_queue_msgsnd, smack_msg_queue_msgsnd), 4671 LSM_HOOK_INIT(msg_queue_msgrcv, smack_msg_queue_msgrcv), 4672 4673 LSM_HOOK_INIT(shm_alloc_security, smack_ipc_alloc_security), 4674 LSM_HOOK_INIT(shm_associate, smack_shm_associate), 4675 LSM_HOOK_INIT(shm_shmctl, smack_shm_shmctl), 4676 LSM_HOOK_INIT(shm_shmat, smack_shm_shmat), 4677 4678 LSM_HOOK_INIT(sem_alloc_security, smack_ipc_alloc_security), 4679 LSM_HOOK_INIT(sem_associate, smack_sem_associate), 4680 LSM_HOOK_INIT(sem_semctl, smack_sem_semctl), 4681 LSM_HOOK_INIT(sem_semop, smack_sem_semop), 4682 4683 LSM_HOOK_INIT(d_instantiate, smack_d_instantiate), 4684 4685 LSM_HOOK_INIT(getprocattr, smack_getprocattr), 4686 LSM_HOOK_INIT(setprocattr, smack_setprocattr), 4687 4688 LSM_HOOK_INIT(unix_stream_connect, smack_unix_stream_connect), 4689 LSM_HOOK_INIT(unix_may_send, smack_unix_may_send), 4690 4691 LSM_HOOK_INIT(socket_post_create, smack_socket_post_create), 4692 LSM_HOOK_INIT(socket_socketpair, smack_socket_socketpair), 4693 #ifdef SMACK_IPV6_PORT_LABELING 4694 LSM_HOOK_INIT(socket_bind, smack_socket_bind), 4695 #endif 4696 LSM_HOOK_INIT(socket_connect, smack_socket_connect), 4697 LSM_HOOK_INIT(socket_sendmsg, smack_socket_sendmsg), 4698 LSM_HOOK_INIT(socket_sock_rcv_skb, smack_socket_sock_rcv_skb), 4699 LSM_HOOK_INIT(socket_getpeersec_stream, smack_socket_getpeersec_stream), 4700 LSM_HOOK_INIT(socket_getpeersec_dgram, smack_socket_getpeersec_dgram), 4701 LSM_HOOK_INIT(sk_alloc_security, smack_sk_alloc_security), 4702 LSM_HOOK_INIT(sk_free_security, smack_sk_free_security), 4703 LSM_HOOK_INIT(sock_graft, smack_sock_graft), 4704 LSM_HOOK_INIT(inet_conn_request, smack_inet_conn_request), 4705 LSM_HOOK_INIT(inet_csk_clone, smack_inet_csk_clone), 4706 4707 /* key management security hooks */ 4708 #ifdef CONFIG_KEYS 4709 LSM_HOOK_INIT(key_alloc, smack_key_alloc), 4710 LSM_HOOK_INIT(key_free, smack_key_free), 4711 LSM_HOOK_INIT(key_permission, smack_key_permission), 4712 LSM_HOOK_INIT(key_getsecurity, smack_key_getsecurity), 4713 #endif /* CONFIG_KEYS */ 4714 4715 /* Audit hooks */ 4716 #ifdef CONFIG_AUDIT 4717 LSM_HOOK_INIT(audit_rule_init, smack_audit_rule_init), 4718 LSM_HOOK_INIT(audit_rule_known, smack_audit_rule_known), 4719 LSM_HOOK_INIT(audit_rule_match, smack_audit_rule_match), 4720 #endif /* CONFIG_AUDIT */ 4721 4722 LSM_HOOK_INIT(ismaclabel, smack_ismaclabel), 4723 LSM_HOOK_INIT(secid_to_secctx, smack_secid_to_secctx), 4724 LSM_HOOK_INIT(secctx_to_secid, smack_secctx_to_secid), 4725 LSM_HOOK_INIT(inode_notifysecctx, smack_inode_notifysecctx), 4726 LSM_HOOK_INIT(inode_setsecctx, smack_inode_setsecctx), 4727 LSM_HOOK_INIT(inode_getsecctx, smack_inode_getsecctx), 4728 LSM_HOOK_INIT(inode_copy_up, smack_inode_copy_up), 4729 LSM_HOOK_INIT(inode_copy_up_xattr, smack_inode_copy_up_xattr), 4730 LSM_HOOK_INIT(dentry_create_files_as, smack_dentry_create_files_as), 4731 }; 4732 4733 4734 static __init void init_smack_known_list(void) 4735 { 4736 /* 4737 * Initialize rule list locks 4738 */ 4739 mutex_init(&smack_known_huh.smk_rules_lock); 4740 mutex_init(&smack_known_hat.smk_rules_lock); 4741 mutex_init(&smack_known_floor.smk_rules_lock); 4742 mutex_init(&smack_known_star.smk_rules_lock); 4743 mutex_init(&smack_known_web.smk_rules_lock); 4744 /* 4745 * Initialize rule lists 4746 */ 4747 INIT_LIST_HEAD(&smack_known_huh.smk_rules); 4748 INIT_LIST_HEAD(&smack_known_hat.smk_rules); 4749 INIT_LIST_HEAD(&smack_known_star.smk_rules); 4750 INIT_LIST_HEAD(&smack_known_floor.smk_rules); 4751 INIT_LIST_HEAD(&smack_known_web.smk_rules); 4752 /* 4753 * Create the known labels list 4754 */ 4755 smk_insert_entry(&smack_known_huh); 4756 smk_insert_entry(&smack_known_hat); 4757 smk_insert_entry(&smack_known_star); 4758 smk_insert_entry(&smack_known_floor); 4759 smk_insert_entry(&smack_known_web); 4760 } 4761 4762 /** 4763 * smack_init - initialize the smack system 4764 * 4765 * Returns 0 on success, -ENOMEM is there's no memory 4766 */ 4767 static __init int smack_init(void) 4768 { 4769 struct cred *cred = (struct cred *) current->cred; 4770 struct task_smack *tsp; 4771 4772 smack_inode_cache = KMEM_CACHE(inode_smack, 0); 4773 if (!smack_inode_cache) 4774 return -ENOMEM; 4775 4776 smack_rule_cache = KMEM_CACHE(smack_rule, 0); 4777 if (!smack_rule_cache) { 4778 kmem_cache_destroy(smack_inode_cache); 4779 return -ENOMEM; 4780 } 4781 4782 /* 4783 * Set the security state for the initial task. 4784 */ 4785 tsp = smack_cred(cred); 4786 init_task_smack(tsp, &smack_known_floor, &smack_known_floor); 4787 4788 /* 4789 * Register with LSM 4790 */ 4791 security_add_hooks(smack_hooks, ARRAY_SIZE(smack_hooks), "smack"); 4792 smack_enabled = 1; 4793 4794 pr_info("Smack: Initializing.\n"); 4795 #ifdef CONFIG_SECURITY_SMACK_NETFILTER 4796 pr_info("Smack: Netfilter enabled.\n"); 4797 #endif 4798 #ifdef SMACK_IPV6_PORT_LABELING 4799 pr_info("Smack: IPv6 port labeling enabled.\n"); 4800 #endif 4801 #ifdef SMACK_IPV6_SECMARK_LABELING 4802 pr_info("Smack: IPv6 Netfilter enabled.\n"); 4803 #endif 4804 4805 /* initialize the smack_known_list */ 4806 init_smack_known_list(); 4807 4808 return 0; 4809 } 4810 4811 /* 4812 * Smack requires early initialization in order to label 4813 * all processes and objects when they are created. 4814 */ 4815 DEFINE_LSM(smack) = { 4816 .name = "smack", 4817 .flags = LSM_FLAG_LEGACY_MAJOR | LSM_FLAG_EXCLUSIVE, 4818 .blobs = &smack_blob_sizes, 4819 .init = smack_init, 4820 }; 4821