1 /* 2 * Simplified MAC Kernel (smack) security module 3 * 4 * This file contains the smack hook function implementations. 5 * 6 * Authors: 7 * Casey Schaufler <casey@schaufler-ca.com> 8 * Jarkko Sakkinen <jarkko.sakkinen@intel.com> 9 * 10 * Copyright (C) 2007 Casey Schaufler <casey@schaufler-ca.com> 11 * Copyright (C) 2009 Hewlett-Packard Development Company, L.P. 12 * Paul Moore <paul@paul-moore.com> 13 * Copyright (C) 2010 Nokia Corporation 14 * Copyright (C) 2011 Intel Corporation. 15 * 16 * This program is free software; you can redistribute it and/or modify 17 * it under the terms of the GNU General Public License version 2, 18 * as published by the Free Software Foundation. 19 */ 20 21 #include <linux/xattr.h> 22 #include <linux/pagemap.h> 23 #include <linux/mount.h> 24 #include <linux/stat.h> 25 #include <linux/kd.h> 26 #include <asm/ioctls.h> 27 #include <linux/ip.h> 28 #include <linux/tcp.h> 29 #include <linux/udp.h> 30 #include <linux/dccp.h> 31 #include <linux/icmpv6.h> 32 #include <linux/slab.h> 33 #include <linux/mutex.h> 34 #include <linux/pipe_fs_i.h> 35 #include <net/cipso_ipv4.h> 36 #include <net/ip.h> 37 #include <net/ipv6.h> 38 #include <linux/audit.h> 39 #include <linux/magic.h> 40 #include <linux/dcache.h> 41 #include <linux/personality.h> 42 #include <linux/msg.h> 43 #include <linux/shm.h> 44 #include <linux/binfmts.h> 45 #include <linux/parser.h> 46 #include "smack.h" 47 48 #define TRANS_TRUE "TRUE" 49 #define TRANS_TRUE_SIZE 4 50 51 #define SMK_CONNECTING 0 52 #define SMK_RECEIVING 1 53 #define SMK_SENDING 2 54 55 #ifdef SMACK_IPV6_PORT_LABELING 56 DEFINE_MUTEX(smack_ipv6_lock); 57 static LIST_HEAD(smk_ipv6_port_list); 58 #endif 59 static struct kmem_cache *smack_inode_cache; 60 int smack_enabled; 61 62 #define A(s) {"smack"#s, sizeof("smack"#s) - 1, Opt_##s} 63 static struct { 64 const char *name; 65 int len; 66 int opt; 67 } smk_mount_opts[] = { 68 A(fsdefault), A(fsfloor), A(fshat), A(fsroot), A(fstransmute) 69 }; 70 #undef A 71 72 static int match_opt_prefix(char *s, int l, char **arg) 73 { 74 int i; 75 76 for (i = 0; i < ARRAY_SIZE(smk_mount_opts); i++) { 77 size_t len = smk_mount_opts[i].len; 78 if (len > l || memcmp(s, smk_mount_opts[i].name, len)) 79 continue; 80 if (len == l || s[len] != '=') 81 continue; 82 *arg = s + len + 1; 83 return smk_mount_opts[i].opt; 84 } 85 return Opt_error; 86 } 87 88 #ifdef CONFIG_SECURITY_SMACK_BRINGUP 89 static char *smk_bu_mess[] = { 90 "Bringup Error", /* Unused */ 91 "Bringup", /* SMACK_BRINGUP_ALLOW */ 92 "Unconfined Subject", /* SMACK_UNCONFINED_SUBJECT */ 93 "Unconfined Object", /* SMACK_UNCONFINED_OBJECT */ 94 }; 95 96 static void smk_bu_mode(int mode, char *s) 97 { 98 int i = 0; 99 100 if (mode & MAY_READ) 101 s[i++] = 'r'; 102 if (mode & MAY_WRITE) 103 s[i++] = 'w'; 104 if (mode & MAY_EXEC) 105 s[i++] = 'x'; 106 if (mode & MAY_APPEND) 107 s[i++] = 'a'; 108 if (mode & MAY_TRANSMUTE) 109 s[i++] = 't'; 110 if (mode & MAY_LOCK) 111 s[i++] = 'l'; 112 if (i == 0) 113 s[i++] = '-'; 114 s[i] = '\0'; 115 } 116 #endif 117 118 #ifdef CONFIG_SECURITY_SMACK_BRINGUP 119 static int smk_bu_note(char *note, struct smack_known *sskp, 120 struct smack_known *oskp, int mode, int rc) 121 { 122 char acc[SMK_NUM_ACCESS_TYPE + 1]; 123 124 if (rc <= 0) 125 return rc; 126 if (rc > SMACK_UNCONFINED_OBJECT) 127 rc = 0; 128 129 smk_bu_mode(mode, acc); 130 pr_info("Smack %s: (%s %s %s) %s\n", smk_bu_mess[rc], 131 sskp->smk_known, oskp->smk_known, acc, note); 132 return 0; 133 } 134 #else 135 #define smk_bu_note(note, sskp, oskp, mode, RC) (RC) 136 #endif 137 138 #ifdef CONFIG_SECURITY_SMACK_BRINGUP 139 static int smk_bu_current(char *note, struct smack_known *oskp, 140 int mode, int rc) 141 { 142 struct task_smack *tsp = smack_cred(current_cred()); 143 char acc[SMK_NUM_ACCESS_TYPE + 1]; 144 145 if (rc <= 0) 146 return rc; 147 if (rc > SMACK_UNCONFINED_OBJECT) 148 rc = 0; 149 150 smk_bu_mode(mode, acc); 151 pr_info("Smack %s: (%s %s %s) %s %s\n", smk_bu_mess[rc], 152 tsp->smk_task->smk_known, oskp->smk_known, 153 acc, current->comm, note); 154 return 0; 155 } 156 #else 157 #define smk_bu_current(note, oskp, mode, RC) (RC) 158 #endif 159 160 #ifdef CONFIG_SECURITY_SMACK_BRINGUP 161 static int smk_bu_task(struct task_struct *otp, int mode, int rc) 162 { 163 struct task_smack *tsp = smack_cred(current_cred()); 164 struct smack_known *smk_task = smk_of_task_struct(otp); 165 char acc[SMK_NUM_ACCESS_TYPE + 1]; 166 167 if (rc <= 0) 168 return rc; 169 if (rc > SMACK_UNCONFINED_OBJECT) 170 rc = 0; 171 172 smk_bu_mode(mode, acc); 173 pr_info("Smack %s: (%s %s %s) %s to %s\n", smk_bu_mess[rc], 174 tsp->smk_task->smk_known, smk_task->smk_known, acc, 175 current->comm, otp->comm); 176 return 0; 177 } 178 #else 179 #define smk_bu_task(otp, mode, RC) (RC) 180 #endif 181 182 #ifdef CONFIG_SECURITY_SMACK_BRINGUP 183 static int smk_bu_inode(struct inode *inode, int mode, int rc) 184 { 185 struct task_smack *tsp = smack_cred(current_cred()); 186 struct inode_smack *isp = smack_inode(inode); 187 char acc[SMK_NUM_ACCESS_TYPE + 1]; 188 189 if (isp->smk_flags & SMK_INODE_IMPURE) 190 pr_info("Smack Unconfined Corruption: inode=(%s %ld) %s\n", 191 inode->i_sb->s_id, inode->i_ino, current->comm); 192 193 if (rc <= 0) 194 return rc; 195 if (rc > SMACK_UNCONFINED_OBJECT) 196 rc = 0; 197 if (rc == SMACK_UNCONFINED_SUBJECT && 198 (mode & (MAY_WRITE | MAY_APPEND))) 199 isp->smk_flags |= SMK_INODE_IMPURE; 200 201 smk_bu_mode(mode, acc); 202 203 pr_info("Smack %s: (%s %s %s) inode=(%s %ld) %s\n", smk_bu_mess[rc], 204 tsp->smk_task->smk_known, isp->smk_inode->smk_known, acc, 205 inode->i_sb->s_id, inode->i_ino, current->comm); 206 return 0; 207 } 208 #else 209 #define smk_bu_inode(inode, mode, RC) (RC) 210 #endif 211 212 #ifdef CONFIG_SECURITY_SMACK_BRINGUP 213 static int smk_bu_file(struct file *file, int mode, int rc) 214 { 215 struct task_smack *tsp = smack_cred(current_cred()); 216 struct smack_known *sskp = tsp->smk_task; 217 struct inode *inode = file_inode(file); 218 struct inode_smack *isp = smack_inode(inode); 219 char acc[SMK_NUM_ACCESS_TYPE + 1]; 220 221 if (isp->smk_flags & SMK_INODE_IMPURE) 222 pr_info("Smack Unconfined Corruption: inode=(%s %ld) %s\n", 223 inode->i_sb->s_id, inode->i_ino, current->comm); 224 225 if (rc <= 0) 226 return rc; 227 if (rc > SMACK_UNCONFINED_OBJECT) 228 rc = 0; 229 230 smk_bu_mode(mode, acc); 231 pr_info("Smack %s: (%s %s %s) file=(%s %ld %pD) %s\n", smk_bu_mess[rc], 232 sskp->smk_known, smk_of_inode(inode)->smk_known, acc, 233 inode->i_sb->s_id, inode->i_ino, file, 234 current->comm); 235 return 0; 236 } 237 #else 238 #define smk_bu_file(file, mode, RC) (RC) 239 #endif 240 241 #ifdef CONFIG_SECURITY_SMACK_BRINGUP 242 static int smk_bu_credfile(const struct cred *cred, struct file *file, 243 int mode, int rc) 244 { 245 struct task_smack *tsp = smack_cred(cred); 246 struct smack_known *sskp = tsp->smk_task; 247 struct inode *inode = file_inode(file); 248 struct inode_smack *isp = smack_inode(inode); 249 char acc[SMK_NUM_ACCESS_TYPE + 1]; 250 251 if (isp->smk_flags & SMK_INODE_IMPURE) 252 pr_info("Smack Unconfined Corruption: inode=(%s %ld) %s\n", 253 inode->i_sb->s_id, inode->i_ino, current->comm); 254 255 if (rc <= 0) 256 return rc; 257 if (rc > SMACK_UNCONFINED_OBJECT) 258 rc = 0; 259 260 smk_bu_mode(mode, acc); 261 pr_info("Smack %s: (%s %s %s) file=(%s %ld %pD) %s\n", smk_bu_mess[rc], 262 sskp->smk_known, smk_of_inode(inode)->smk_known, acc, 263 inode->i_sb->s_id, inode->i_ino, file, 264 current->comm); 265 return 0; 266 } 267 #else 268 #define smk_bu_credfile(cred, file, mode, RC) (RC) 269 #endif 270 271 /** 272 * smk_fetch - Fetch the smack label from a file. 273 * @name: type of the label (attribute) 274 * @ip: a pointer to the inode 275 * @dp: a pointer to the dentry 276 * 277 * Returns a pointer to the master list entry for the Smack label, 278 * NULL if there was no label to fetch, or an error code. 279 */ 280 static struct smack_known *smk_fetch(const char *name, struct inode *ip, 281 struct dentry *dp) 282 { 283 int rc; 284 char *buffer; 285 struct smack_known *skp = NULL; 286 287 if (!(ip->i_opflags & IOP_XATTR)) 288 return ERR_PTR(-EOPNOTSUPP); 289 290 buffer = kzalloc(SMK_LONGLABEL, GFP_KERNEL); 291 if (buffer == NULL) 292 return ERR_PTR(-ENOMEM); 293 294 rc = __vfs_getxattr(dp, ip, name, buffer, SMK_LONGLABEL); 295 if (rc < 0) 296 skp = ERR_PTR(rc); 297 else if (rc == 0) 298 skp = NULL; 299 else 300 skp = smk_import_entry(buffer, rc); 301 302 kfree(buffer); 303 304 return skp; 305 } 306 307 /** 308 * init_inode_smack - initialize an inode security blob 309 * @isp: the blob to initialize 310 * @skp: a pointer to the Smack label entry to use in the blob 311 * 312 */ 313 static void init_inode_smack(struct inode *inode, struct smack_known *skp) 314 { 315 struct inode_smack *isp = smack_inode(inode); 316 317 isp->smk_inode = skp; 318 isp->smk_flags = 0; 319 mutex_init(&isp->smk_lock); 320 } 321 322 /** 323 * init_task_smack - initialize a task security blob 324 * @tsp: blob to initialize 325 * @task: a pointer to the Smack label for the running task 326 * @forked: a pointer to the Smack label for the forked task 327 * 328 */ 329 static void init_task_smack(struct task_smack *tsp, struct smack_known *task, 330 struct smack_known *forked) 331 { 332 tsp->smk_task = task; 333 tsp->smk_forked = forked; 334 INIT_LIST_HEAD(&tsp->smk_rules); 335 INIT_LIST_HEAD(&tsp->smk_relabel); 336 mutex_init(&tsp->smk_rules_lock); 337 } 338 339 /** 340 * smk_copy_rules - copy a rule set 341 * @nhead: new rules header pointer 342 * @ohead: old rules header pointer 343 * @gfp: type of the memory for the allocation 344 * 345 * Returns 0 on success, -ENOMEM on error 346 */ 347 static int smk_copy_rules(struct list_head *nhead, struct list_head *ohead, 348 gfp_t gfp) 349 { 350 struct smack_rule *nrp; 351 struct smack_rule *orp; 352 int rc = 0; 353 354 list_for_each_entry_rcu(orp, ohead, list) { 355 nrp = kzalloc(sizeof(struct smack_rule), gfp); 356 if (nrp == NULL) { 357 rc = -ENOMEM; 358 break; 359 } 360 *nrp = *orp; 361 list_add_rcu(&nrp->list, nhead); 362 } 363 return rc; 364 } 365 366 /** 367 * smk_copy_relabel - copy smk_relabel labels list 368 * @nhead: new rules header pointer 369 * @ohead: old rules header pointer 370 * @gfp: type of the memory for the allocation 371 * 372 * Returns 0 on success, -ENOMEM on error 373 */ 374 static int smk_copy_relabel(struct list_head *nhead, struct list_head *ohead, 375 gfp_t gfp) 376 { 377 struct smack_known_list_elem *nklep; 378 struct smack_known_list_elem *oklep; 379 380 list_for_each_entry(oklep, ohead, list) { 381 nklep = kzalloc(sizeof(struct smack_known_list_elem), gfp); 382 if (nklep == NULL) { 383 smk_destroy_label_list(nhead); 384 return -ENOMEM; 385 } 386 nklep->smk_label = oklep->smk_label; 387 list_add(&nklep->list, nhead); 388 } 389 390 return 0; 391 } 392 393 /** 394 * smk_ptrace_mode - helper function for converting PTRACE_MODE_* into MAY_* 395 * @mode - input mode in form of PTRACE_MODE_* 396 * 397 * Returns a converted MAY_* mode usable by smack rules 398 */ 399 static inline unsigned int smk_ptrace_mode(unsigned int mode) 400 { 401 if (mode & PTRACE_MODE_ATTACH) 402 return MAY_READWRITE; 403 if (mode & PTRACE_MODE_READ) 404 return MAY_READ; 405 406 return 0; 407 } 408 409 /** 410 * smk_ptrace_rule_check - helper for ptrace access 411 * @tracer: tracer process 412 * @tracee_known: label entry of the process that's about to be traced 413 * @mode: ptrace attachment mode (PTRACE_MODE_*) 414 * @func: name of the function that called us, used for audit 415 * 416 * Returns 0 on access granted, -error on error 417 */ 418 static int smk_ptrace_rule_check(struct task_struct *tracer, 419 struct smack_known *tracee_known, 420 unsigned int mode, const char *func) 421 { 422 int rc; 423 struct smk_audit_info ad, *saip = NULL; 424 struct task_smack *tsp; 425 struct smack_known *tracer_known; 426 const struct cred *tracercred; 427 428 if ((mode & PTRACE_MODE_NOAUDIT) == 0) { 429 smk_ad_init(&ad, func, LSM_AUDIT_DATA_TASK); 430 smk_ad_setfield_u_tsk(&ad, tracer); 431 saip = &ad; 432 } 433 434 rcu_read_lock(); 435 tracercred = __task_cred(tracer); 436 tsp = smack_cred(tracercred); 437 tracer_known = smk_of_task(tsp); 438 439 if ((mode & PTRACE_MODE_ATTACH) && 440 (smack_ptrace_rule == SMACK_PTRACE_EXACT || 441 smack_ptrace_rule == SMACK_PTRACE_DRACONIAN)) { 442 if (tracer_known->smk_known == tracee_known->smk_known) 443 rc = 0; 444 else if (smack_ptrace_rule == SMACK_PTRACE_DRACONIAN) 445 rc = -EACCES; 446 else if (smack_privileged_cred(CAP_SYS_PTRACE, tracercred)) 447 rc = 0; 448 else 449 rc = -EACCES; 450 451 if (saip) 452 smack_log(tracer_known->smk_known, 453 tracee_known->smk_known, 454 0, rc, saip); 455 456 rcu_read_unlock(); 457 return rc; 458 } 459 460 /* In case of rule==SMACK_PTRACE_DEFAULT or mode==PTRACE_MODE_READ */ 461 rc = smk_tskacc(tsp, tracee_known, smk_ptrace_mode(mode), saip); 462 463 rcu_read_unlock(); 464 return rc; 465 } 466 467 /* 468 * LSM hooks. 469 * We he, that is fun! 470 */ 471 472 /** 473 * smack_ptrace_access_check - Smack approval on PTRACE_ATTACH 474 * @ctp: child task pointer 475 * @mode: ptrace attachment mode (PTRACE_MODE_*) 476 * 477 * Returns 0 if access is OK, an error code otherwise 478 * 479 * Do the capability checks. 480 */ 481 static int smack_ptrace_access_check(struct task_struct *ctp, unsigned int mode) 482 { 483 struct smack_known *skp; 484 485 skp = smk_of_task_struct(ctp); 486 487 return smk_ptrace_rule_check(current, skp, mode, __func__); 488 } 489 490 /** 491 * smack_ptrace_traceme - Smack approval on PTRACE_TRACEME 492 * @ptp: parent task pointer 493 * 494 * Returns 0 if access is OK, an error code otherwise 495 * 496 * Do the capability checks, and require PTRACE_MODE_ATTACH. 497 */ 498 static int smack_ptrace_traceme(struct task_struct *ptp) 499 { 500 int rc; 501 struct smack_known *skp; 502 503 skp = smk_of_task(smack_cred(current_cred())); 504 505 rc = smk_ptrace_rule_check(ptp, skp, PTRACE_MODE_ATTACH, __func__); 506 return rc; 507 } 508 509 /** 510 * smack_syslog - Smack approval on syslog 511 * @type: message type 512 * 513 * Returns 0 on success, error code otherwise. 514 */ 515 static int smack_syslog(int typefrom_file) 516 { 517 int rc = 0; 518 struct smack_known *skp = smk_of_current(); 519 520 if (smack_privileged(CAP_MAC_OVERRIDE)) 521 return 0; 522 523 if (smack_syslog_label != NULL && smack_syslog_label != skp) 524 rc = -EACCES; 525 526 return rc; 527 } 528 529 530 /* 531 * Superblock Hooks. 532 */ 533 534 /** 535 * smack_sb_alloc_security - allocate a superblock blob 536 * @sb: the superblock getting the blob 537 * 538 * Returns 0 on success or -ENOMEM on error. 539 */ 540 static int smack_sb_alloc_security(struct super_block *sb) 541 { 542 struct superblock_smack *sbsp; 543 544 sbsp = kzalloc(sizeof(struct superblock_smack), GFP_KERNEL); 545 546 if (sbsp == NULL) 547 return -ENOMEM; 548 549 sbsp->smk_root = &smack_known_floor; 550 sbsp->smk_default = &smack_known_floor; 551 sbsp->smk_floor = &smack_known_floor; 552 sbsp->smk_hat = &smack_known_hat; 553 /* 554 * SMK_SB_INITIALIZED will be zero from kzalloc. 555 */ 556 sb->s_security = sbsp; 557 558 return 0; 559 } 560 561 /** 562 * smack_sb_free_security - free a superblock blob 563 * @sb: the superblock getting the blob 564 * 565 */ 566 static void smack_sb_free_security(struct super_block *sb) 567 { 568 kfree(sb->s_security); 569 sb->s_security = NULL; 570 } 571 572 struct smack_mnt_opts { 573 const char *fsdefault, *fsfloor, *fshat, *fsroot, *fstransmute; 574 }; 575 576 static void smack_free_mnt_opts(void *mnt_opts) 577 { 578 struct smack_mnt_opts *opts = mnt_opts; 579 kfree(opts->fsdefault); 580 kfree(opts->fsfloor); 581 kfree(opts->fshat); 582 kfree(opts->fsroot); 583 kfree(opts->fstransmute); 584 kfree(opts); 585 } 586 587 static int smack_add_opt(int token, const char *s, void **mnt_opts) 588 { 589 struct smack_mnt_opts *opts = *mnt_opts; 590 591 if (!opts) { 592 opts = kzalloc(sizeof(struct smack_mnt_opts), GFP_KERNEL); 593 if (!opts) 594 return -ENOMEM; 595 *mnt_opts = opts; 596 } 597 if (!s) 598 return -ENOMEM; 599 600 switch (token) { 601 case Opt_fsdefault: 602 if (opts->fsdefault) 603 goto out_opt_err; 604 opts->fsdefault = s; 605 break; 606 case Opt_fsfloor: 607 if (opts->fsfloor) 608 goto out_opt_err; 609 opts->fsfloor = s; 610 break; 611 case Opt_fshat: 612 if (opts->fshat) 613 goto out_opt_err; 614 opts->fshat = s; 615 break; 616 case Opt_fsroot: 617 if (opts->fsroot) 618 goto out_opt_err; 619 opts->fsroot = s; 620 break; 621 case Opt_fstransmute: 622 if (opts->fstransmute) 623 goto out_opt_err; 624 opts->fstransmute = s; 625 break; 626 } 627 return 0; 628 629 out_opt_err: 630 pr_warn("Smack: duplicate mount options\n"); 631 return -EINVAL; 632 } 633 634 static int smack_sb_eat_lsm_opts(char *options, void **mnt_opts) 635 { 636 char *from = options, *to = options; 637 bool first = true; 638 639 while (1) { 640 char *next = strchr(from, ','); 641 int token, len, rc; 642 char *arg = NULL; 643 644 if (next) 645 len = next - from; 646 else 647 len = strlen(from); 648 649 token = match_opt_prefix(from, len, &arg); 650 if (token != Opt_error) { 651 arg = kmemdup_nul(arg, from + len - arg, GFP_KERNEL); 652 rc = smack_add_opt(token, arg, mnt_opts); 653 if (unlikely(rc)) { 654 kfree(arg); 655 if (*mnt_opts) 656 smack_free_mnt_opts(*mnt_opts); 657 *mnt_opts = NULL; 658 return rc; 659 } 660 } else { 661 if (!first) { // copy with preceding comma 662 from--; 663 len++; 664 } 665 if (to != from) 666 memmove(to, from, len); 667 to += len; 668 first = false; 669 } 670 if (!from[len]) 671 break; 672 from += len + 1; 673 } 674 *to = '\0'; 675 return 0; 676 } 677 678 /** 679 * smack_set_mnt_opts - set Smack specific mount options 680 * @sb: the file system superblock 681 * @opts: Smack mount options 682 * @kern_flags: mount option from kernel space or user space 683 * @set_kern_flags: where to store converted mount opts 684 * 685 * Returns 0 on success, an error code on failure 686 * 687 * Allow filesystems with binary mount data to explicitly set Smack mount 688 * labels. 689 */ 690 static int smack_set_mnt_opts(struct super_block *sb, 691 void *mnt_opts, 692 unsigned long kern_flags, 693 unsigned long *set_kern_flags) 694 { 695 struct dentry *root = sb->s_root; 696 struct inode *inode = d_backing_inode(root); 697 struct superblock_smack *sp = sb->s_security; 698 struct inode_smack *isp; 699 struct smack_known *skp; 700 struct smack_mnt_opts *opts = mnt_opts; 701 bool transmute = false; 702 703 if (sp->smk_flags & SMK_SB_INITIALIZED) 704 return 0; 705 706 if (inode->i_security == NULL) { 707 int rc = lsm_inode_alloc(inode); 708 709 if (rc) 710 return rc; 711 } 712 713 if (!smack_privileged(CAP_MAC_ADMIN)) { 714 /* 715 * Unprivileged mounts don't get to specify Smack values. 716 */ 717 if (opts) 718 return -EPERM; 719 /* 720 * Unprivileged mounts get root and default from the caller. 721 */ 722 skp = smk_of_current(); 723 sp->smk_root = skp; 724 sp->smk_default = skp; 725 /* 726 * For a handful of fs types with no user-controlled 727 * backing store it's okay to trust security labels 728 * in the filesystem. The rest are untrusted. 729 */ 730 if (sb->s_user_ns != &init_user_ns && 731 sb->s_magic != SYSFS_MAGIC && sb->s_magic != TMPFS_MAGIC && 732 sb->s_magic != RAMFS_MAGIC) { 733 transmute = true; 734 sp->smk_flags |= SMK_SB_UNTRUSTED; 735 } 736 } 737 738 sp->smk_flags |= SMK_SB_INITIALIZED; 739 740 if (opts) { 741 if (opts->fsdefault) { 742 skp = smk_import_entry(opts->fsdefault, 0); 743 if (IS_ERR(skp)) 744 return PTR_ERR(skp); 745 sp->smk_default = skp; 746 } 747 if (opts->fsfloor) { 748 skp = smk_import_entry(opts->fsfloor, 0); 749 if (IS_ERR(skp)) 750 return PTR_ERR(skp); 751 sp->smk_floor = skp; 752 } 753 if (opts->fshat) { 754 skp = smk_import_entry(opts->fshat, 0); 755 if (IS_ERR(skp)) 756 return PTR_ERR(skp); 757 sp->smk_hat = skp; 758 } 759 if (opts->fsroot) { 760 skp = smk_import_entry(opts->fsroot, 0); 761 if (IS_ERR(skp)) 762 return PTR_ERR(skp); 763 sp->smk_root = skp; 764 } 765 if (opts->fstransmute) { 766 skp = smk_import_entry(opts->fstransmute, 0); 767 if (IS_ERR(skp)) 768 return PTR_ERR(skp); 769 sp->smk_root = skp; 770 transmute = true; 771 } 772 } 773 774 /* 775 * Initialize the root inode. 776 */ 777 init_inode_smack(inode, sp->smk_root); 778 779 if (transmute) { 780 isp = smack_inode(inode); 781 isp->smk_flags |= SMK_INODE_TRANSMUTE; 782 } 783 784 return 0; 785 } 786 787 /** 788 * smack_sb_statfs - Smack check on statfs 789 * @dentry: identifies the file system in question 790 * 791 * Returns 0 if current can read the floor of the filesystem, 792 * and error code otherwise 793 */ 794 static int smack_sb_statfs(struct dentry *dentry) 795 { 796 struct superblock_smack *sbp = dentry->d_sb->s_security; 797 int rc; 798 struct smk_audit_info ad; 799 800 smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_DENTRY); 801 smk_ad_setfield_u_fs_path_dentry(&ad, dentry); 802 803 rc = smk_curacc(sbp->smk_floor, MAY_READ, &ad); 804 rc = smk_bu_current("statfs", sbp->smk_floor, MAY_READ, rc); 805 return rc; 806 } 807 808 /* 809 * BPRM hooks 810 */ 811 812 /** 813 * smack_bprm_set_creds - set creds for exec 814 * @bprm: the exec information 815 * 816 * Returns 0 if it gets a blob, -EPERM if exec forbidden and -ENOMEM otherwise 817 */ 818 static int smack_bprm_set_creds(struct linux_binprm *bprm) 819 { 820 struct inode *inode = file_inode(bprm->file); 821 struct task_smack *bsp = smack_cred(bprm->cred); 822 struct inode_smack *isp; 823 struct superblock_smack *sbsp; 824 int rc; 825 826 if (bprm->called_set_creds) 827 return 0; 828 829 isp = smack_inode(inode); 830 if (isp->smk_task == NULL || isp->smk_task == bsp->smk_task) 831 return 0; 832 833 sbsp = inode->i_sb->s_security; 834 if ((sbsp->smk_flags & SMK_SB_UNTRUSTED) && 835 isp->smk_task != sbsp->smk_root) 836 return 0; 837 838 if (bprm->unsafe & LSM_UNSAFE_PTRACE) { 839 struct task_struct *tracer; 840 rc = 0; 841 842 rcu_read_lock(); 843 tracer = ptrace_parent(current); 844 if (likely(tracer != NULL)) 845 rc = smk_ptrace_rule_check(tracer, 846 isp->smk_task, 847 PTRACE_MODE_ATTACH, 848 __func__); 849 rcu_read_unlock(); 850 851 if (rc != 0) 852 return rc; 853 } else if (bprm->unsafe) 854 return -EPERM; 855 856 bsp->smk_task = isp->smk_task; 857 bprm->per_clear |= PER_CLEAR_ON_SETID; 858 859 /* Decide if this is a secure exec. */ 860 if (bsp->smk_task != bsp->smk_forked) 861 bprm->secureexec = 1; 862 863 return 0; 864 } 865 866 /* 867 * Inode hooks 868 */ 869 870 /** 871 * smack_inode_alloc_security - allocate an inode blob 872 * @inode: the inode in need of a blob 873 * 874 * Returns 0 if it gets a blob, -ENOMEM otherwise 875 */ 876 static int smack_inode_alloc_security(struct inode *inode) 877 { 878 struct smack_known *skp = smk_of_current(); 879 880 init_inode_smack(inode, skp); 881 return 0; 882 } 883 884 /** 885 * smack_inode_init_security - copy out the smack from an inode 886 * @inode: the newly created inode 887 * @dir: containing directory object 888 * @qstr: unused 889 * @name: where to put the attribute name 890 * @value: where to put the attribute value 891 * @len: where to put the length of the attribute 892 * 893 * Returns 0 if it all works out, -ENOMEM if there's no memory 894 */ 895 static int smack_inode_init_security(struct inode *inode, struct inode *dir, 896 const struct qstr *qstr, const char **name, 897 void **value, size_t *len) 898 { 899 struct inode_smack *issp = smack_inode(inode); 900 struct smack_known *skp = smk_of_current(); 901 struct smack_known *isp = smk_of_inode(inode); 902 struct smack_known *dsp = smk_of_inode(dir); 903 int may; 904 905 if (name) 906 *name = XATTR_SMACK_SUFFIX; 907 908 if (value && len) { 909 rcu_read_lock(); 910 may = smk_access_entry(skp->smk_known, dsp->smk_known, 911 &skp->smk_rules); 912 rcu_read_unlock(); 913 914 /* 915 * If the access rule allows transmutation and 916 * the directory requests transmutation then 917 * by all means transmute. 918 * Mark the inode as changed. 919 */ 920 if (may > 0 && ((may & MAY_TRANSMUTE) != 0) && 921 smk_inode_transmutable(dir)) { 922 isp = dsp; 923 issp->smk_flags |= SMK_INODE_CHANGED; 924 } 925 926 *value = kstrdup(isp->smk_known, GFP_NOFS); 927 if (*value == NULL) 928 return -ENOMEM; 929 930 *len = strlen(isp->smk_known); 931 } 932 933 return 0; 934 } 935 936 /** 937 * smack_inode_link - Smack check on link 938 * @old_dentry: the existing object 939 * @dir: unused 940 * @new_dentry: the new object 941 * 942 * Returns 0 if access is permitted, an error code otherwise 943 */ 944 static int smack_inode_link(struct dentry *old_dentry, struct inode *dir, 945 struct dentry *new_dentry) 946 { 947 struct smack_known *isp; 948 struct smk_audit_info ad; 949 int rc; 950 951 smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_DENTRY); 952 smk_ad_setfield_u_fs_path_dentry(&ad, old_dentry); 953 954 isp = smk_of_inode(d_backing_inode(old_dentry)); 955 rc = smk_curacc(isp, MAY_WRITE, &ad); 956 rc = smk_bu_inode(d_backing_inode(old_dentry), MAY_WRITE, rc); 957 958 if (rc == 0 && d_is_positive(new_dentry)) { 959 isp = smk_of_inode(d_backing_inode(new_dentry)); 960 smk_ad_setfield_u_fs_path_dentry(&ad, new_dentry); 961 rc = smk_curacc(isp, MAY_WRITE, &ad); 962 rc = smk_bu_inode(d_backing_inode(new_dentry), MAY_WRITE, rc); 963 } 964 965 return rc; 966 } 967 968 /** 969 * smack_inode_unlink - Smack check on inode deletion 970 * @dir: containing directory object 971 * @dentry: file to unlink 972 * 973 * Returns 0 if current can write the containing directory 974 * and the object, error code otherwise 975 */ 976 static int smack_inode_unlink(struct inode *dir, struct dentry *dentry) 977 { 978 struct inode *ip = d_backing_inode(dentry); 979 struct smk_audit_info ad; 980 int rc; 981 982 smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_DENTRY); 983 smk_ad_setfield_u_fs_path_dentry(&ad, dentry); 984 985 /* 986 * You need write access to the thing you're unlinking 987 */ 988 rc = smk_curacc(smk_of_inode(ip), MAY_WRITE, &ad); 989 rc = smk_bu_inode(ip, MAY_WRITE, rc); 990 if (rc == 0) { 991 /* 992 * You also need write access to the containing directory 993 */ 994 smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_INODE); 995 smk_ad_setfield_u_fs_inode(&ad, dir); 996 rc = smk_curacc(smk_of_inode(dir), MAY_WRITE, &ad); 997 rc = smk_bu_inode(dir, MAY_WRITE, rc); 998 } 999 return rc; 1000 } 1001 1002 /** 1003 * smack_inode_rmdir - Smack check on directory deletion 1004 * @dir: containing directory object 1005 * @dentry: directory to unlink 1006 * 1007 * Returns 0 if current can write the containing directory 1008 * and the directory, error code otherwise 1009 */ 1010 static int smack_inode_rmdir(struct inode *dir, struct dentry *dentry) 1011 { 1012 struct smk_audit_info ad; 1013 int rc; 1014 1015 smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_DENTRY); 1016 smk_ad_setfield_u_fs_path_dentry(&ad, dentry); 1017 1018 /* 1019 * You need write access to the thing you're removing 1020 */ 1021 rc = smk_curacc(smk_of_inode(d_backing_inode(dentry)), MAY_WRITE, &ad); 1022 rc = smk_bu_inode(d_backing_inode(dentry), MAY_WRITE, rc); 1023 if (rc == 0) { 1024 /* 1025 * You also need write access to the containing directory 1026 */ 1027 smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_INODE); 1028 smk_ad_setfield_u_fs_inode(&ad, dir); 1029 rc = smk_curacc(smk_of_inode(dir), MAY_WRITE, &ad); 1030 rc = smk_bu_inode(dir, MAY_WRITE, rc); 1031 } 1032 1033 return rc; 1034 } 1035 1036 /** 1037 * smack_inode_rename - Smack check on rename 1038 * @old_inode: unused 1039 * @old_dentry: the old object 1040 * @new_inode: unused 1041 * @new_dentry: the new object 1042 * 1043 * Read and write access is required on both the old and 1044 * new directories. 1045 * 1046 * Returns 0 if access is permitted, an error code otherwise 1047 */ 1048 static int smack_inode_rename(struct inode *old_inode, 1049 struct dentry *old_dentry, 1050 struct inode *new_inode, 1051 struct dentry *new_dentry) 1052 { 1053 int rc; 1054 struct smack_known *isp; 1055 struct smk_audit_info ad; 1056 1057 smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_DENTRY); 1058 smk_ad_setfield_u_fs_path_dentry(&ad, old_dentry); 1059 1060 isp = smk_of_inode(d_backing_inode(old_dentry)); 1061 rc = smk_curacc(isp, MAY_READWRITE, &ad); 1062 rc = smk_bu_inode(d_backing_inode(old_dentry), MAY_READWRITE, rc); 1063 1064 if (rc == 0 && d_is_positive(new_dentry)) { 1065 isp = smk_of_inode(d_backing_inode(new_dentry)); 1066 smk_ad_setfield_u_fs_path_dentry(&ad, new_dentry); 1067 rc = smk_curacc(isp, MAY_READWRITE, &ad); 1068 rc = smk_bu_inode(d_backing_inode(new_dentry), MAY_READWRITE, rc); 1069 } 1070 return rc; 1071 } 1072 1073 /** 1074 * smack_inode_permission - Smack version of permission() 1075 * @inode: the inode in question 1076 * @mask: the access requested 1077 * 1078 * This is the important Smack hook. 1079 * 1080 * Returns 0 if access is permitted, -EACCES otherwise 1081 */ 1082 static int smack_inode_permission(struct inode *inode, int mask) 1083 { 1084 struct superblock_smack *sbsp = inode->i_sb->s_security; 1085 struct smk_audit_info ad; 1086 int no_block = mask & MAY_NOT_BLOCK; 1087 int rc; 1088 1089 mask &= (MAY_READ|MAY_WRITE|MAY_EXEC|MAY_APPEND); 1090 /* 1091 * No permission to check. Existence test. Yup, it's there. 1092 */ 1093 if (mask == 0) 1094 return 0; 1095 1096 if (sbsp->smk_flags & SMK_SB_UNTRUSTED) { 1097 if (smk_of_inode(inode) != sbsp->smk_root) 1098 return -EACCES; 1099 } 1100 1101 /* May be droppable after audit */ 1102 if (no_block) 1103 return -ECHILD; 1104 smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_INODE); 1105 smk_ad_setfield_u_fs_inode(&ad, inode); 1106 rc = smk_curacc(smk_of_inode(inode), mask, &ad); 1107 rc = smk_bu_inode(inode, mask, rc); 1108 return rc; 1109 } 1110 1111 /** 1112 * smack_inode_setattr - Smack check for setting attributes 1113 * @dentry: the object 1114 * @iattr: for the force flag 1115 * 1116 * Returns 0 if access is permitted, an error code otherwise 1117 */ 1118 static int smack_inode_setattr(struct dentry *dentry, struct iattr *iattr) 1119 { 1120 struct smk_audit_info ad; 1121 int rc; 1122 1123 /* 1124 * Need to allow for clearing the setuid bit. 1125 */ 1126 if (iattr->ia_valid & ATTR_FORCE) 1127 return 0; 1128 smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_DENTRY); 1129 smk_ad_setfield_u_fs_path_dentry(&ad, dentry); 1130 1131 rc = smk_curacc(smk_of_inode(d_backing_inode(dentry)), MAY_WRITE, &ad); 1132 rc = smk_bu_inode(d_backing_inode(dentry), MAY_WRITE, rc); 1133 return rc; 1134 } 1135 1136 /** 1137 * smack_inode_getattr - Smack check for getting attributes 1138 * @mnt: vfsmount of the object 1139 * @dentry: the object 1140 * 1141 * Returns 0 if access is permitted, an error code otherwise 1142 */ 1143 static int smack_inode_getattr(const struct path *path) 1144 { 1145 struct smk_audit_info ad; 1146 struct inode *inode = d_backing_inode(path->dentry); 1147 int rc; 1148 1149 smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_PATH); 1150 smk_ad_setfield_u_fs_path(&ad, *path); 1151 rc = smk_curacc(smk_of_inode(inode), MAY_READ, &ad); 1152 rc = smk_bu_inode(inode, MAY_READ, rc); 1153 return rc; 1154 } 1155 1156 /** 1157 * smack_inode_setxattr - Smack check for setting xattrs 1158 * @dentry: the object 1159 * @name: name of the attribute 1160 * @value: value of the attribute 1161 * @size: size of the value 1162 * @flags: unused 1163 * 1164 * This protects the Smack attribute explicitly. 1165 * 1166 * Returns 0 if access is permitted, an error code otherwise 1167 */ 1168 static int smack_inode_setxattr(struct dentry *dentry, const char *name, 1169 const void *value, size_t size, int flags) 1170 { 1171 struct smk_audit_info ad; 1172 struct smack_known *skp; 1173 int check_priv = 0; 1174 int check_import = 0; 1175 int check_star = 0; 1176 int rc = 0; 1177 1178 /* 1179 * Check label validity here so import won't fail in post_setxattr 1180 */ 1181 if (strcmp(name, XATTR_NAME_SMACK) == 0 || 1182 strcmp(name, XATTR_NAME_SMACKIPIN) == 0 || 1183 strcmp(name, XATTR_NAME_SMACKIPOUT) == 0) { 1184 check_priv = 1; 1185 check_import = 1; 1186 } else if (strcmp(name, XATTR_NAME_SMACKEXEC) == 0 || 1187 strcmp(name, XATTR_NAME_SMACKMMAP) == 0) { 1188 check_priv = 1; 1189 check_import = 1; 1190 check_star = 1; 1191 } else if (strcmp(name, XATTR_NAME_SMACKTRANSMUTE) == 0) { 1192 check_priv = 1; 1193 if (size != TRANS_TRUE_SIZE || 1194 strncmp(value, TRANS_TRUE, TRANS_TRUE_SIZE) != 0) 1195 rc = -EINVAL; 1196 } else 1197 rc = cap_inode_setxattr(dentry, name, value, size, flags); 1198 1199 if (check_priv && !smack_privileged(CAP_MAC_ADMIN)) 1200 rc = -EPERM; 1201 1202 if (rc == 0 && check_import) { 1203 skp = size ? smk_import_entry(value, size) : NULL; 1204 if (IS_ERR(skp)) 1205 rc = PTR_ERR(skp); 1206 else if (skp == NULL || (check_star && 1207 (skp == &smack_known_star || skp == &smack_known_web))) 1208 rc = -EINVAL; 1209 } 1210 1211 smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_DENTRY); 1212 smk_ad_setfield_u_fs_path_dentry(&ad, dentry); 1213 1214 if (rc == 0) { 1215 rc = smk_curacc(smk_of_inode(d_backing_inode(dentry)), MAY_WRITE, &ad); 1216 rc = smk_bu_inode(d_backing_inode(dentry), MAY_WRITE, rc); 1217 } 1218 1219 return rc; 1220 } 1221 1222 /** 1223 * smack_inode_post_setxattr - Apply the Smack update approved above 1224 * @dentry: object 1225 * @name: attribute name 1226 * @value: attribute value 1227 * @size: attribute size 1228 * @flags: unused 1229 * 1230 * Set the pointer in the inode blob to the entry found 1231 * in the master label list. 1232 */ 1233 static void smack_inode_post_setxattr(struct dentry *dentry, const char *name, 1234 const void *value, size_t size, int flags) 1235 { 1236 struct smack_known *skp; 1237 struct inode_smack *isp = smack_inode(d_backing_inode(dentry)); 1238 1239 if (strcmp(name, XATTR_NAME_SMACKTRANSMUTE) == 0) { 1240 isp->smk_flags |= SMK_INODE_TRANSMUTE; 1241 return; 1242 } 1243 1244 if (strcmp(name, XATTR_NAME_SMACK) == 0) { 1245 skp = smk_import_entry(value, size); 1246 if (!IS_ERR(skp)) 1247 isp->smk_inode = skp; 1248 } else if (strcmp(name, XATTR_NAME_SMACKEXEC) == 0) { 1249 skp = smk_import_entry(value, size); 1250 if (!IS_ERR(skp)) 1251 isp->smk_task = skp; 1252 } else if (strcmp(name, XATTR_NAME_SMACKMMAP) == 0) { 1253 skp = smk_import_entry(value, size); 1254 if (!IS_ERR(skp)) 1255 isp->smk_mmap = skp; 1256 } 1257 1258 return; 1259 } 1260 1261 /** 1262 * smack_inode_getxattr - Smack check on getxattr 1263 * @dentry: the object 1264 * @name: unused 1265 * 1266 * Returns 0 if access is permitted, an error code otherwise 1267 */ 1268 static int smack_inode_getxattr(struct dentry *dentry, const char *name) 1269 { 1270 struct smk_audit_info ad; 1271 int rc; 1272 1273 smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_DENTRY); 1274 smk_ad_setfield_u_fs_path_dentry(&ad, dentry); 1275 1276 rc = smk_curacc(smk_of_inode(d_backing_inode(dentry)), MAY_READ, &ad); 1277 rc = smk_bu_inode(d_backing_inode(dentry), MAY_READ, rc); 1278 return rc; 1279 } 1280 1281 /** 1282 * smack_inode_removexattr - Smack check on removexattr 1283 * @dentry: the object 1284 * @name: name of the attribute 1285 * 1286 * Removing the Smack attribute requires CAP_MAC_ADMIN 1287 * 1288 * Returns 0 if access is permitted, an error code otherwise 1289 */ 1290 static int smack_inode_removexattr(struct dentry *dentry, const char *name) 1291 { 1292 struct inode_smack *isp; 1293 struct smk_audit_info ad; 1294 int rc = 0; 1295 1296 if (strcmp(name, XATTR_NAME_SMACK) == 0 || 1297 strcmp(name, XATTR_NAME_SMACKIPIN) == 0 || 1298 strcmp(name, XATTR_NAME_SMACKIPOUT) == 0 || 1299 strcmp(name, XATTR_NAME_SMACKEXEC) == 0 || 1300 strcmp(name, XATTR_NAME_SMACKTRANSMUTE) == 0 || 1301 strcmp(name, XATTR_NAME_SMACKMMAP) == 0) { 1302 if (!smack_privileged(CAP_MAC_ADMIN)) 1303 rc = -EPERM; 1304 } else 1305 rc = cap_inode_removexattr(dentry, name); 1306 1307 if (rc != 0) 1308 return rc; 1309 1310 smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_DENTRY); 1311 smk_ad_setfield_u_fs_path_dentry(&ad, dentry); 1312 1313 rc = smk_curacc(smk_of_inode(d_backing_inode(dentry)), MAY_WRITE, &ad); 1314 rc = smk_bu_inode(d_backing_inode(dentry), MAY_WRITE, rc); 1315 if (rc != 0) 1316 return rc; 1317 1318 isp = smack_inode(d_backing_inode(dentry)); 1319 /* 1320 * Don't do anything special for these. 1321 * XATTR_NAME_SMACKIPIN 1322 * XATTR_NAME_SMACKIPOUT 1323 */ 1324 if (strcmp(name, XATTR_NAME_SMACK) == 0) { 1325 struct super_block *sbp = dentry->d_sb; 1326 struct superblock_smack *sbsp = sbp->s_security; 1327 1328 isp->smk_inode = sbsp->smk_default; 1329 } else if (strcmp(name, XATTR_NAME_SMACKEXEC) == 0) 1330 isp->smk_task = NULL; 1331 else if (strcmp(name, XATTR_NAME_SMACKMMAP) == 0) 1332 isp->smk_mmap = NULL; 1333 else if (strcmp(name, XATTR_NAME_SMACKTRANSMUTE) == 0) 1334 isp->smk_flags &= ~SMK_INODE_TRANSMUTE; 1335 1336 return 0; 1337 } 1338 1339 /** 1340 * smack_inode_getsecurity - get smack xattrs 1341 * @inode: the object 1342 * @name: attribute name 1343 * @buffer: where to put the result 1344 * @alloc: duplicate memory 1345 * 1346 * Returns the size of the attribute or an error code 1347 */ 1348 static int smack_inode_getsecurity(struct inode *inode, 1349 const char *name, void **buffer, 1350 bool alloc) 1351 { 1352 struct socket_smack *ssp; 1353 struct socket *sock; 1354 struct super_block *sbp; 1355 struct inode *ip = (struct inode *)inode; 1356 struct smack_known *isp; 1357 1358 if (strcmp(name, XATTR_SMACK_SUFFIX) == 0) 1359 isp = smk_of_inode(inode); 1360 else { 1361 /* 1362 * The rest of the Smack xattrs are only on sockets. 1363 */ 1364 sbp = ip->i_sb; 1365 if (sbp->s_magic != SOCKFS_MAGIC) 1366 return -EOPNOTSUPP; 1367 1368 sock = SOCKET_I(ip); 1369 if (sock == NULL || sock->sk == NULL) 1370 return -EOPNOTSUPP; 1371 1372 ssp = sock->sk->sk_security; 1373 1374 if (strcmp(name, XATTR_SMACK_IPIN) == 0) 1375 isp = ssp->smk_in; 1376 else if (strcmp(name, XATTR_SMACK_IPOUT) == 0) 1377 isp = ssp->smk_out; 1378 else 1379 return -EOPNOTSUPP; 1380 } 1381 1382 if (alloc) { 1383 *buffer = kstrdup(isp->smk_known, GFP_KERNEL); 1384 if (*buffer == NULL) 1385 return -ENOMEM; 1386 } 1387 1388 return strlen(isp->smk_known); 1389 } 1390 1391 1392 /** 1393 * smack_inode_listsecurity - list the Smack attributes 1394 * @inode: the object 1395 * @buffer: where they go 1396 * @buffer_size: size of buffer 1397 */ 1398 static int smack_inode_listsecurity(struct inode *inode, char *buffer, 1399 size_t buffer_size) 1400 { 1401 int len = sizeof(XATTR_NAME_SMACK); 1402 1403 if (buffer != NULL && len <= buffer_size) 1404 memcpy(buffer, XATTR_NAME_SMACK, len); 1405 1406 return len; 1407 } 1408 1409 /** 1410 * smack_inode_getsecid - Extract inode's security id 1411 * @inode: inode to extract the info from 1412 * @secid: where result will be saved 1413 */ 1414 static void smack_inode_getsecid(struct inode *inode, u32 *secid) 1415 { 1416 struct smack_known *skp = smk_of_inode(inode); 1417 1418 *secid = skp->smk_secid; 1419 } 1420 1421 /* 1422 * File Hooks 1423 */ 1424 1425 /* 1426 * There is no smack_file_permission hook 1427 * 1428 * Should access checks be done on each read or write? 1429 * UNICOS and SELinux say yes. 1430 * Trusted Solaris, Trusted Irix, and just about everyone else says no. 1431 * 1432 * I'll say no for now. Smack does not do the frequent 1433 * label changing that SELinux does. 1434 */ 1435 1436 /** 1437 * smack_file_alloc_security - assign a file security blob 1438 * @file: the object 1439 * 1440 * The security blob for a file is a pointer to the master 1441 * label list, so no allocation is done. 1442 * 1443 * f_security is the owner security information. It 1444 * isn't used on file access checks, it's for send_sigio. 1445 * 1446 * Returns 0 1447 */ 1448 static int smack_file_alloc_security(struct file *file) 1449 { 1450 struct smack_known **blob = smack_file(file); 1451 1452 *blob = smk_of_current(); 1453 return 0; 1454 } 1455 1456 /** 1457 * smack_file_ioctl - Smack check on ioctls 1458 * @file: the object 1459 * @cmd: what to do 1460 * @arg: unused 1461 * 1462 * Relies heavily on the correct use of the ioctl command conventions. 1463 * 1464 * Returns 0 if allowed, error code otherwise 1465 */ 1466 static int smack_file_ioctl(struct file *file, unsigned int cmd, 1467 unsigned long arg) 1468 { 1469 int rc = 0; 1470 struct smk_audit_info ad; 1471 struct inode *inode = file_inode(file); 1472 1473 if (unlikely(IS_PRIVATE(inode))) 1474 return 0; 1475 1476 smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_PATH); 1477 smk_ad_setfield_u_fs_path(&ad, file->f_path); 1478 1479 if (_IOC_DIR(cmd) & _IOC_WRITE) { 1480 rc = smk_curacc(smk_of_inode(inode), MAY_WRITE, &ad); 1481 rc = smk_bu_file(file, MAY_WRITE, rc); 1482 } 1483 1484 if (rc == 0 && (_IOC_DIR(cmd) & _IOC_READ)) { 1485 rc = smk_curacc(smk_of_inode(inode), MAY_READ, &ad); 1486 rc = smk_bu_file(file, MAY_READ, rc); 1487 } 1488 1489 return rc; 1490 } 1491 1492 /** 1493 * smack_file_lock - Smack check on file locking 1494 * @file: the object 1495 * @cmd: unused 1496 * 1497 * Returns 0 if current has lock access, error code otherwise 1498 */ 1499 static int smack_file_lock(struct file *file, unsigned int cmd) 1500 { 1501 struct smk_audit_info ad; 1502 int rc; 1503 struct inode *inode = file_inode(file); 1504 1505 if (unlikely(IS_PRIVATE(inode))) 1506 return 0; 1507 1508 smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_PATH); 1509 smk_ad_setfield_u_fs_path(&ad, file->f_path); 1510 rc = smk_curacc(smk_of_inode(inode), MAY_LOCK, &ad); 1511 rc = smk_bu_file(file, MAY_LOCK, rc); 1512 return rc; 1513 } 1514 1515 /** 1516 * smack_file_fcntl - Smack check on fcntl 1517 * @file: the object 1518 * @cmd: what action to check 1519 * @arg: unused 1520 * 1521 * Generally these operations are harmless. 1522 * File locking operations present an obvious mechanism 1523 * for passing information, so they require write access. 1524 * 1525 * Returns 0 if current has access, error code otherwise 1526 */ 1527 static int smack_file_fcntl(struct file *file, unsigned int cmd, 1528 unsigned long arg) 1529 { 1530 struct smk_audit_info ad; 1531 int rc = 0; 1532 struct inode *inode = file_inode(file); 1533 1534 if (unlikely(IS_PRIVATE(inode))) 1535 return 0; 1536 1537 switch (cmd) { 1538 case F_GETLK: 1539 break; 1540 case F_SETLK: 1541 case F_SETLKW: 1542 smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_PATH); 1543 smk_ad_setfield_u_fs_path(&ad, file->f_path); 1544 rc = smk_curacc(smk_of_inode(inode), MAY_LOCK, &ad); 1545 rc = smk_bu_file(file, MAY_LOCK, rc); 1546 break; 1547 case F_SETOWN: 1548 case F_SETSIG: 1549 smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_PATH); 1550 smk_ad_setfield_u_fs_path(&ad, file->f_path); 1551 rc = smk_curacc(smk_of_inode(inode), MAY_WRITE, &ad); 1552 rc = smk_bu_file(file, MAY_WRITE, rc); 1553 break; 1554 default: 1555 break; 1556 } 1557 1558 return rc; 1559 } 1560 1561 /** 1562 * smack_mmap_file : 1563 * Check permissions for a mmap operation. The @file may be NULL, e.g. 1564 * if mapping anonymous memory. 1565 * @file contains the file structure for file to map (may be NULL). 1566 * @reqprot contains the protection requested by the application. 1567 * @prot contains the protection that will be applied by the kernel. 1568 * @flags contains the operational flags. 1569 * Return 0 if permission is granted. 1570 */ 1571 static int smack_mmap_file(struct file *file, 1572 unsigned long reqprot, unsigned long prot, 1573 unsigned long flags) 1574 { 1575 struct smack_known *skp; 1576 struct smack_known *mkp; 1577 struct smack_rule *srp; 1578 struct task_smack *tsp; 1579 struct smack_known *okp; 1580 struct inode_smack *isp; 1581 struct superblock_smack *sbsp; 1582 int may; 1583 int mmay; 1584 int tmay; 1585 int rc; 1586 1587 if (file == NULL) 1588 return 0; 1589 1590 if (unlikely(IS_PRIVATE(file_inode(file)))) 1591 return 0; 1592 1593 isp = smack_inode(file_inode(file)); 1594 if (isp->smk_mmap == NULL) 1595 return 0; 1596 sbsp = file_inode(file)->i_sb->s_security; 1597 if (sbsp->smk_flags & SMK_SB_UNTRUSTED && 1598 isp->smk_mmap != sbsp->smk_root) 1599 return -EACCES; 1600 mkp = isp->smk_mmap; 1601 1602 tsp = smack_cred(current_cred()); 1603 skp = smk_of_current(); 1604 rc = 0; 1605 1606 rcu_read_lock(); 1607 /* 1608 * For each Smack rule associated with the subject 1609 * label verify that the SMACK64MMAP also has access 1610 * to that rule's object label. 1611 */ 1612 list_for_each_entry_rcu(srp, &skp->smk_rules, list) { 1613 okp = srp->smk_object; 1614 /* 1615 * Matching labels always allows access. 1616 */ 1617 if (mkp->smk_known == okp->smk_known) 1618 continue; 1619 /* 1620 * If there is a matching local rule take 1621 * that into account as well. 1622 */ 1623 may = smk_access_entry(srp->smk_subject->smk_known, 1624 okp->smk_known, 1625 &tsp->smk_rules); 1626 if (may == -ENOENT) 1627 may = srp->smk_access; 1628 else 1629 may &= srp->smk_access; 1630 /* 1631 * If may is zero the SMACK64MMAP subject can't 1632 * possibly have less access. 1633 */ 1634 if (may == 0) 1635 continue; 1636 1637 /* 1638 * Fetch the global list entry. 1639 * If there isn't one a SMACK64MMAP subject 1640 * can't have as much access as current. 1641 */ 1642 mmay = smk_access_entry(mkp->smk_known, okp->smk_known, 1643 &mkp->smk_rules); 1644 if (mmay == -ENOENT) { 1645 rc = -EACCES; 1646 break; 1647 } 1648 /* 1649 * If there is a local entry it modifies the 1650 * potential access, too. 1651 */ 1652 tmay = smk_access_entry(mkp->smk_known, okp->smk_known, 1653 &tsp->smk_rules); 1654 if (tmay != -ENOENT) 1655 mmay &= tmay; 1656 1657 /* 1658 * If there is any access available to current that is 1659 * not available to a SMACK64MMAP subject 1660 * deny access. 1661 */ 1662 if ((may | mmay) != mmay) { 1663 rc = -EACCES; 1664 break; 1665 } 1666 } 1667 1668 rcu_read_unlock(); 1669 1670 return rc; 1671 } 1672 1673 /** 1674 * smack_file_set_fowner - set the file security blob value 1675 * @file: object in question 1676 * 1677 */ 1678 static void smack_file_set_fowner(struct file *file) 1679 { 1680 struct smack_known **blob = smack_file(file); 1681 1682 *blob = smk_of_current(); 1683 } 1684 1685 /** 1686 * smack_file_send_sigiotask - Smack on sigio 1687 * @tsk: The target task 1688 * @fown: the object the signal come from 1689 * @signum: unused 1690 * 1691 * Allow a privileged task to get signals even if it shouldn't 1692 * 1693 * Returns 0 if a subject with the object's smack could 1694 * write to the task, an error code otherwise. 1695 */ 1696 static int smack_file_send_sigiotask(struct task_struct *tsk, 1697 struct fown_struct *fown, int signum) 1698 { 1699 struct smack_known **blob; 1700 struct smack_known *skp; 1701 struct smack_known *tkp = smk_of_task(smack_cred(tsk->cred)); 1702 const struct cred *tcred; 1703 struct file *file; 1704 int rc; 1705 struct smk_audit_info ad; 1706 1707 /* 1708 * struct fown_struct is never outside the context of a struct file 1709 */ 1710 file = container_of(fown, struct file, f_owner); 1711 1712 /* we don't log here as rc can be overriden */ 1713 blob = smack_file(file); 1714 skp = *blob; 1715 rc = smk_access(skp, tkp, MAY_DELIVER, NULL); 1716 rc = smk_bu_note("sigiotask", skp, tkp, MAY_DELIVER, rc); 1717 1718 rcu_read_lock(); 1719 tcred = __task_cred(tsk); 1720 if (rc != 0 && smack_privileged_cred(CAP_MAC_OVERRIDE, tcred)) 1721 rc = 0; 1722 rcu_read_unlock(); 1723 1724 smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_TASK); 1725 smk_ad_setfield_u_tsk(&ad, tsk); 1726 smack_log(skp->smk_known, tkp->smk_known, MAY_DELIVER, rc, &ad); 1727 return rc; 1728 } 1729 1730 /** 1731 * smack_file_receive - Smack file receive check 1732 * @file: the object 1733 * 1734 * Returns 0 if current has access, error code otherwise 1735 */ 1736 static int smack_file_receive(struct file *file) 1737 { 1738 int rc; 1739 int may = 0; 1740 struct smk_audit_info ad; 1741 struct inode *inode = file_inode(file); 1742 struct socket *sock; 1743 struct task_smack *tsp; 1744 struct socket_smack *ssp; 1745 1746 if (unlikely(IS_PRIVATE(inode))) 1747 return 0; 1748 1749 smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_PATH); 1750 smk_ad_setfield_u_fs_path(&ad, file->f_path); 1751 1752 if (inode->i_sb->s_magic == SOCKFS_MAGIC) { 1753 sock = SOCKET_I(inode); 1754 ssp = sock->sk->sk_security; 1755 tsp = smack_cred(current_cred()); 1756 /* 1757 * If the receiving process can't write to the 1758 * passed socket or if the passed socket can't 1759 * write to the receiving process don't accept 1760 * the passed socket. 1761 */ 1762 rc = smk_access(tsp->smk_task, ssp->smk_out, MAY_WRITE, &ad); 1763 rc = smk_bu_file(file, may, rc); 1764 if (rc < 0) 1765 return rc; 1766 rc = smk_access(ssp->smk_in, tsp->smk_task, MAY_WRITE, &ad); 1767 rc = smk_bu_file(file, may, rc); 1768 return rc; 1769 } 1770 /* 1771 * This code relies on bitmasks. 1772 */ 1773 if (file->f_mode & FMODE_READ) 1774 may = MAY_READ; 1775 if (file->f_mode & FMODE_WRITE) 1776 may |= MAY_WRITE; 1777 1778 rc = smk_curacc(smk_of_inode(inode), may, &ad); 1779 rc = smk_bu_file(file, may, rc); 1780 return rc; 1781 } 1782 1783 /** 1784 * smack_file_open - Smack dentry open processing 1785 * @file: the object 1786 * @cred: task credential 1787 * 1788 * Set the security blob in the file structure. 1789 * Allow the open only if the task has read access. There are 1790 * many read operations (e.g. fstat) that you can do with an 1791 * fd even if you have the file open write-only. 1792 * 1793 * Returns 0 1794 */ 1795 static int smack_file_open(struct file *file) 1796 { 1797 struct task_smack *tsp = smack_cred(file->f_cred); 1798 struct inode *inode = file_inode(file); 1799 struct smk_audit_info ad; 1800 int rc; 1801 1802 smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_PATH); 1803 smk_ad_setfield_u_fs_path(&ad, file->f_path); 1804 rc = smk_tskacc(tsp, smk_of_inode(inode), MAY_READ, &ad); 1805 rc = smk_bu_credfile(file->f_cred, file, MAY_READ, rc); 1806 1807 return rc; 1808 } 1809 1810 /* 1811 * Task hooks 1812 */ 1813 1814 /** 1815 * smack_cred_alloc_blank - "allocate" blank task-level security credentials 1816 * @new: the new credentials 1817 * @gfp: the atomicity of any memory allocations 1818 * 1819 * Prepare a blank set of credentials for modification. This must allocate all 1820 * the memory the LSM module might require such that cred_transfer() can 1821 * complete without error. 1822 */ 1823 static int smack_cred_alloc_blank(struct cred *cred, gfp_t gfp) 1824 { 1825 init_task_smack(smack_cred(cred), NULL, NULL); 1826 return 0; 1827 } 1828 1829 1830 /** 1831 * smack_cred_free - "free" task-level security credentials 1832 * @cred: the credentials in question 1833 * 1834 */ 1835 static void smack_cred_free(struct cred *cred) 1836 { 1837 struct task_smack *tsp = smack_cred(cred); 1838 struct smack_rule *rp; 1839 struct list_head *l; 1840 struct list_head *n; 1841 1842 smk_destroy_label_list(&tsp->smk_relabel); 1843 1844 list_for_each_safe(l, n, &tsp->smk_rules) { 1845 rp = list_entry(l, struct smack_rule, list); 1846 list_del(&rp->list); 1847 kfree(rp); 1848 } 1849 } 1850 1851 /** 1852 * smack_cred_prepare - prepare new set of credentials for modification 1853 * @new: the new credentials 1854 * @old: the original credentials 1855 * @gfp: the atomicity of any memory allocations 1856 * 1857 * Prepare a new set of credentials for modification. 1858 */ 1859 static int smack_cred_prepare(struct cred *new, const struct cred *old, 1860 gfp_t gfp) 1861 { 1862 struct task_smack *old_tsp = smack_cred(old); 1863 struct task_smack *new_tsp = smack_cred(new); 1864 int rc; 1865 1866 init_task_smack(new_tsp, old_tsp->smk_task, old_tsp->smk_task); 1867 1868 rc = smk_copy_rules(&new_tsp->smk_rules, &old_tsp->smk_rules, gfp); 1869 if (rc != 0) 1870 return rc; 1871 1872 rc = smk_copy_relabel(&new_tsp->smk_relabel, &old_tsp->smk_relabel, 1873 gfp); 1874 return rc; 1875 } 1876 1877 /** 1878 * smack_cred_transfer - Transfer the old credentials to the new credentials 1879 * @new: the new credentials 1880 * @old: the original credentials 1881 * 1882 * Fill in a set of blank credentials from another set of credentials. 1883 */ 1884 static void smack_cred_transfer(struct cred *new, const struct cred *old) 1885 { 1886 struct task_smack *old_tsp = smack_cred(old); 1887 struct task_smack *new_tsp = smack_cred(new); 1888 1889 new_tsp->smk_task = old_tsp->smk_task; 1890 new_tsp->smk_forked = old_tsp->smk_task; 1891 mutex_init(&new_tsp->smk_rules_lock); 1892 INIT_LIST_HEAD(&new_tsp->smk_rules); 1893 1894 /* cbs copy rule list */ 1895 } 1896 1897 /** 1898 * smack_cred_getsecid - get the secid corresponding to a creds structure 1899 * @c: the object creds 1900 * @secid: where to put the result 1901 * 1902 * Sets the secid to contain a u32 version of the smack label. 1903 */ 1904 static void smack_cred_getsecid(const struct cred *cred, u32 *secid) 1905 { 1906 struct smack_known *skp; 1907 1908 rcu_read_lock(); 1909 skp = smk_of_task(smack_cred(cred)); 1910 *secid = skp->smk_secid; 1911 rcu_read_unlock(); 1912 } 1913 1914 /** 1915 * smack_kernel_act_as - Set the subjective context in a set of credentials 1916 * @new: points to the set of credentials to be modified. 1917 * @secid: specifies the security ID to be set 1918 * 1919 * Set the security data for a kernel service. 1920 */ 1921 static int smack_kernel_act_as(struct cred *new, u32 secid) 1922 { 1923 struct task_smack *new_tsp = smack_cred(new); 1924 1925 new_tsp->smk_task = smack_from_secid(secid); 1926 return 0; 1927 } 1928 1929 /** 1930 * smack_kernel_create_files_as - Set the file creation label in a set of creds 1931 * @new: points to the set of credentials to be modified 1932 * @inode: points to the inode to use as a reference 1933 * 1934 * Set the file creation context in a set of credentials to the same 1935 * as the objective context of the specified inode 1936 */ 1937 static int smack_kernel_create_files_as(struct cred *new, 1938 struct inode *inode) 1939 { 1940 struct inode_smack *isp = smack_inode(inode); 1941 struct task_smack *tsp = smack_cred(new); 1942 1943 tsp->smk_forked = isp->smk_inode; 1944 tsp->smk_task = tsp->smk_forked; 1945 return 0; 1946 } 1947 1948 /** 1949 * smk_curacc_on_task - helper to log task related access 1950 * @p: the task object 1951 * @access: the access requested 1952 * @caller: name of the calling function for audit 1953 * 1954 * Return 0 if access is permitted 1955 */ 1956 static int smk_curacc_on_task(struct task_struct *p, int access, 1957 const char *caller) 1958 { 1959 struct smk_audit_info ad; 1960 struct smack_known *skp = smk_of_task_struct(p); 1961 int rc; 1962 1963 smk_ad_init(&ad, caller, LSM_AUDIT_DATA_TASK); 1964 smk_ad_setfield_u_tsk(&ad, p); 1965 rc = smk_curacc(skp, access, &ad); 1966 rc = smk_bu_task(p, access, rc); 1967 return rc; 1968 } 1969 1970 /** 1971 * smack_task_setpgid - Smack check on setting pgid 1972 * @p: the task object 1973 * @pgid: unused 1974 * 1975 * Return 0 if write access is permitted 1976 */ 1977 static int smack_task_setpgid(struct task_struct *p, pid_t pgid) 1978 { 1979 return smk_curacc_on_task(p, MAY_WRITE, __func__); 1980 } 1981 1982 /** 1983 * smack_task_getpgid - Smack access check for getpgid 1984 * @p: the object task 1985 * 1986 * Returns 0 if current can read the object task, error code otherwise 1987 */ 1988 static int smack_task_getpgid(struct task_struct *p) 1989 { 1990 return smk_curacc_on_task(p, MAY_READ, __func__); 1991 } 1992 1993 /** 1994 * smack_task_getsid - Smack access check for getsid 1995 * @p: the object task 1996 * 1997 * Returns 0 if current can read the object task, error code otherwise 1998 */ 1999 static int smack_task_getsid(struct task_struct *p) 2000 { 2001 return smk_curacc_on_task(p, MAY_READ, __func__); 2002 } 2003 2004 /** 2005 * smack_task_getsecid - get the secid of the task 2006 * @p: the object task 2007 * @secid: where to put the result 2008 * 2009 * Sets the secid to contain a u32 version of the smack label. 2010 */ 2011 static void smack_task_getsecid(struct task_struct *p, u32 *secid) 2012 { 2013 struct smack_known *skp = smk_of_task_struct(p); 2014 2015 *secid = skp->smk_secid; 2016 } 2017 2018 /** 2019 * smack_task_setnice - Smack check on setting nice 2020 * @p: the task object 2021 * @nice: unused 2022 * 2023 * Return 0 if write access is permitted 2024 */ 2025 static int smack_task_setnice(struct task_struct *p, int nice) 2026 { 2027 return smk_curacc_on_task(p, MAY_WRITE, __func__); 2028 } 2029 2030 /** 2031 * smack_task_setioprio - Smack check on setting ioprio 2032 * @p: the task object 2033 * @ioprio: unused 2034 * 2035 * Return 0 if write access is permitted 2036 */ 2037 static int smack_task_setioprio(struct task_struct *p, int ioprio) 2038 { 2039 return smk_curacc_on_task(p, MAY_WRITE, __func__); 2040 } 2041 2042 /** 2043 * smack_task_getioprio - Smack check on reading ioprio 2044 * @p: the task object 2045 * 2046 * Return 0 if read access is permitted 2047 */ 2048 static int smack_task_getioprio(struct task_struct *p) 2049 { 2050 return smk_curacc_on_task(p, MAY_READ, __func__); 2051 } 2052 2053 /** 2054 * smack_task_setscheduler - Smack check on setting scheduler 2055 * @p: the task object 2056 * @policy: unused 2057 * @lp: unused 2058 * 2059 * Return 0 if read access is permitted 2060 */ 2061 static int smack_task_setscheduler(struct task_struct *p) 2062 { 2063 return smk_curacc_on_task(p, MAY_WRITE, __func__); 2064 } 2065 2066 /** 2067 * smack_task_getscheduler - Smack check on reading scheduler 2068 * @p: the task object 2069 * 2070 * Return 0 if read access is permitted 2071 */ 2072 static int smack_task_getscheduler(struct task_struct *p) 2073 { 2074 return smk_curacc_on_task(p, MAY_READ, __func__); 2075 } 2076 2077 /** 2078 * smack_task_movememory - Smack check on moving memory 2079 * @p: the task object 2080 * 2081 * Return 0 if write access is permitted 2082 */ 2083 static int smack_task_movememory(struct task_struct *p) 2084 { 2085 return smk_curacc_on_task(p, MAY_WRITE, __func__); 2086 } 2087 2088 /** 2089 * smack_task_kill - Smack check on signal delivery 2090 * @p: the task object 2091 * @info: unused 2092 * @sig: unused 2093 * @cred: identifies the cred to use in lieu of current's 2094 * 2095 * Return 0 if write access is permitted 2096 * 2097 */ 2098 static int smack_task_kill(struct task_struct *p, struct kernel_siginfo *info, 2099 int sig, const struct cred *cred) 2100 { 2101 struct smk_audit_info ad; 2102 struct smack_known *skp; 2103 struct smack_known *tkp = smk_of_task_struct(p); 2104 int rc; 2105 2106 if (!sig) 2107 return 0; /* null signal; existence test */ 2108 2109 smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_TASK); 2110 smk_ad_setfield_u_tsk(&ad, p); 2111 /* 2112 * Sending a signal requires that the sender 2113 * can write the receiver. 2114 */ 2115 if (cred == NULL) { 2116 rc = smk_curacc(tkp, MAY_DELIVER, &ad); 2117 rc = smk_bu_task(p, MAY_DELIVER, rc); 2118 return rc; 2119 } 2120 /* 2121 * If the cred isn't NULL we're dealing with some USB IO 2122 * specific behavior. This is not clean. For one thing 2123 * we can't take privilege into account. 2124 */ 2125 skp = smk_of_task(smack_cred(cred)); 2126 rc = smk_access(skp, tkp, MAY_DELIVER, &ad); 2127 rc = smk_bu_note("USB signal", skp, tkp, MAY_DELIVER, rc); 2128 return rc; 2129 } 2130 2131 /** 2132 * smack_task_to_inode - copy task smack into the inode blob 2133 * @p: task to copy from 2134 * @inode: inode to copy to 2135 * 2136 * Sets the smack pointer in the inode security blob 2137 */ 2138 static void smack_task_to_inode(struct task_struct *p, struct inode *inode) 2139 { 2140 struct inode_smack *isp = smack_inode(inode); 2141 struct smack_known *skp = smk_of_task_struct(p); 2142 2143 isp->smk_inode = skp; 2144 isp->smk_flags |= SMK_INODE_INSTANT; 2145 } 2146 2147 /* 2148 * Socket hooks. 2149 */ 2150 2151 /** 2152 * smack_sk_alloc_security - Allocate a socket blob 2153 * @sk: the socket 2154 * @family: unused 2155 * @gfp_flags: memory allocation flags 2156 * 2157 * Assign Smack pointers to current 2158 * 2159 * Returns 0 on success, -ENOMEM is there's no memory 2160 */ 2161 static int smack_sk_alloc_security(struct sock *sk, int family, gfp_t gfp_flags) 2162 { 2163 struct smack_known *skp = smk_of_current(); 2164 struct socket_smack *ssp; 2165 2166 ssp = kzalloc(sizeof(struct socket_smack), gfp_flags); 2167 if (ssp == NULL) 2168 return -ENOMEM; 2169 2170 /* 2171 * Sockets created by kernel threads receive web label. 2172 */ 2173 if (unlikely(current->flags & PF_KTHREAD)) { 2174 ssp->smk_in = &smack_known_web; 2175 ssp->smk_out = &smack_known_web; 2176 } else { 2177 ssp->smk_in = skp; 2178 ssp->smk_out = skp; 2179 } 2180 ssp->smk_packet = NULL; 2181 2182 sk->sk_security = ssp; 2183 2184 return 0; 2185 } 2186 2187 /** 2188 * smack_sk_free_security - Free a socket blob 2189 * @sk: the socket 2190 * 2191 * Clears the blob pointer 2192 */ 2193 static void smack_sk_free_security(struct sock *sk) 2194 { 2195 #ifdef SMACK_IPV6_PORT_LABELING 2196 struct smk_port_label *spp; 2197 2198 if (sk->sk_family == PF_INET6) { 2199 rcu_read_lock(); 2200 list_for_each_entry_rcu(spp, &smk_ipv6_port_list, list) { 2201 if (spp->smk_sock != sk) 2202 continue; 2203 spp->smk_can_reuse = 1; 2204 break; 2205 } 2206 rcu_read_unlock(); 2207 } 2208 #endif 2209 kfree(sk->sk_security); 2210 } 2211 2212 /** 2213 * smack_ipv4host_label - check host based restrictions 2214 * @sip: the object end 2215 * 2216 * looks for host based access restrictions 2217 * 2218 * This version will only be appropriate for really small sets of single label 2219 * hosts. The caller is responsible for ensuring that the RCU read lock is 2220 * taken before calling this function. 2221 * 2222 * Returns the label of the far end or NULL if it's not special. 2223 */ 2224 static struct smack_known *smack_ipv4host_label(struct sockaddr_in *sip) 2225 { 2226 struct smk_net4addr *snp; 2227 struct in_addr *siap = &sip->sin_addr; 2228 2229 if (siap->s_addr == 0) 2230 return NULL; 2231 2232 list_for_each_entry_rcu(snp, &smk_net4addr_list, list) 2233 /* 2234 * we break after finding the first match because 2235 * the list is sorted from longest to shortest mask 2236 * so we have found the most specific match 2237 */ 2238 if (snp->smk_host.s_addr == 2239 (siap->s_addr & snp->smk_mask.s_addr)) 2240 return snp->smk_label; 2241 2242 return NULL; 2243 } 2244 2245 #if IS_ENABLED(CONFIG_IPV6) 2246 /* 2247 * smk_ipv6_localhost - Check for local ipv6 host address 2248 * @sip: the address 2249 * 2250 * Returns boolean true if this is the localhost address 2251 */ 2252 static bool smk_ipv6_localhost(struct sockaddr_in6 *sip) 2253 { 2254 __be16 *be16p = (__be16 *)&sip->sin6_addr; 2255 __be32 *be32p = (__be32 *)&sip->sin6_addr; 2256 2257 if (be32p[0] == 0 && be32p[1] == 0 && be32p[2] == 0 && be16p[6] == 0 && 2258 ntohs(be16p[7]) == 1) 2259 return true; 2260 return false; 2261 } 2262 2263 /** 2264 * smack_ipv6host_label - check host based restrictions 2265 * @sip: the object end 2266 * 2267 * looks for host based access restrictions 2268 * 2269 * This version will only be appropriate for really small sets of single label 2270 * hosts. The caller is responsible for ensuring that the RCU read lock is 2271 * taken before calling this function. 2272 * 2273 * Returns the label of the far end or NULL if it's not special. 2274 */ 2275 static struct smack_known *smack_ipv6host_label(struct sockaddr_in6 *sip) 2276 { 2277 struct smk_net6addr *snp; 2278 struct in6_addr *sap = &sip->sin6_addr; 2279 int i; 2280 int found = 0; 2281 2282 /* 2283 * It's local. Don't look for a host label. 2284 */ 2285 if (smk_ipv6_localhost(sip)) 2286 return NULL; 2287 2288 list_for_each_entry_rcu(snp, &smk_net6addr_list, list) { 2289 /* 2290 * If the label is NULL the entry has 2291 * been renounced. Ignore it. 2292 */ 2293 if (snp->smk_label == NULL) 2294 continue; 2295 /* 2296 * we break after finding the first match because 2297 * the list is sorted from longest to shortest mask 2298 * so we have found the most specific match 2299 */ 2300 for (found = 1, i = 0; i < 8; i++) { 2301 if ((sap->s6_addr16[i] & snp->smk_mask.s6_addr16[i]) != 2302 snp->smk_host.s6_addr16[i]) { 2303 found = 0; 2304 break; 2305 } 2306 } 2307 if (found) 2308 return snp->smk_label; 2309 } 2310 2311 return NULL; 2312 } 2313 #endif /* CONFIG_IPV6 */ 2314 2315 /** 2316 * smack_netlabel - Set the secattr on a socket 2317 * @sk: the socket 2318 * @labeled: socket label scheme 2319 * 2320 * Convert the outbound smack value (smk_out) to a 2321 * secattr and attach it to the socket. 2322 * 2323 * Returns 0 on success or an error code 2324 */ 2325 static int smack_netlabel(struct sock *sk, int labeled) 2326 { 2327 struct smack_known *skp; 2328 struct socket_smack *ssp = sk->sk_security; 2329 int rc = 0; 2330 2331 /* 2332 * Usually the netlabel code will handle changing the 2333 * packet labeling based on the label. 2334 * The case of a single label host is different, because 2335 * a single label host should never get a labeled packet 2336 * even though the label is usually associated with a packet 2337 * label. 2338 */ 2339 local_bh_disable(); 2340 bh_lock_sock_nested(sk); 2341 2342 if (ssp->smk_out == smack_net_ambient || 2343 labeled == SMACK_UNLABELED_SOCKET) 2344 netlbl_sock_delattr(sk); 2345 else { 2346 skp = ssp->smk_out; 2347 rc = netlbl_sock_setattr(sk, sk->sk_family, &skp->smk_netlabel); 2348 } 2349 2350 bh_unlock_sock(sk); 2351 local_bh_enable(); 2352 2353 return rc; 2354 } 2355 2356 /** 2357 * smack_netlbel_send - Set the secattr on a socket and perform access checks 2358 * @sk: the socket 2359 * @sap: the destination address 2360 * 2361 * Set the correct secattr for the given socket based on the destination 2362 * address and perform any outbound access checks needed. 2363 * 2364 * Returns 0 on success or an error code. 2365 * 2366 */ 2367 static int smack_netlabel_send(struct sock *sk, struct sockaddr_in *sap) 2368 { 2369 struct smack_known *skp; 2370 int rc; 2371 int sk_lbl; 2372 struct smack_known *hkp; 2373 struct socket_smack *ssp = sk->sk_security; 2374 struct smk_audit_info ad; 2375 2376 rcu_read_lock(); 2377 hkp = smack_ipv4host_label(sap); 2378 if (hkp != NULL) { 2379 #ifdef CONFIG_AUDIT 2380 struct lsm_network_audit net; 2381 2382 smk_ad_init_net(&ad, __func__, LSM_AUDIT_DATA_NET, &net); 2383 ad.a.u.net->family = sap->sin_family; 2384 ad.a.u.net->dport = sap->sin_port; 2385 ad.a.u.net->v4info.daddr = sap->sin_addr.s_addr; 2386 #endif 2387 sk_lbl = SMACK_UNLABELED_SOCKET; 2388 skp = ssp->smk_out; 2389 rc = smk_access(skp, hkp, MAY_WRITE, &ad); 2390 rc = smk_bu_note("IPv4 host check", skp, hkp, MAY_WRITE, rc); 2391 } else { 2392 sk_lbl = SMACK_CIPSO_SOCKET; 2393 rc = 0; 2394 } 2395 rcu_read_unlock(); 2396 if (rc != 0) 2397 return rc; 2398 2399 return smack_netlabel(sk, sk_lbl); 2400 } 2401 2402 #if IS_ENABLED(CONFIG_IPV6) 2403 /** 2404 * smk_ipv6_check - check Smack access 2405 * @subject: subject Smack label 2406 * @object: object Smack label 2407 * @address: address 2408 * @act: the action being taken 2409 * 2410 * Check an IPv6 access 2411 */ 2412 static int smk_ipv6_check(struct smack_known *subject, 2413 struct smack_known *object, 2414 struct sockaddr_in6 *address, int act) 2415 { 2416 #ifdef CONFIG_AUDIT 2417 struct lsm_network_audit net; 2418 #endif 2419 struct smk_audit_info ad; 2420 int rc; 2421 2422 #ifdef CONFIG_AUDIT 2423 smk_ad_init_net(&ad, __func__, LSM_AUDIT_DATA_NET, &net); 2424 ad.a.u.net->family = PF_INET6; 2425 ad.a.u.net->dport = ntohs(address->sin6_port); 2426 if (act == SMK_RECEIVING) 2427 ad.a.u.net->v6info.saddr = address->sin6_addr; 2428 else 2429 ad.a.u.net->v6info.daddr = address->sin6_addr; 2430 #endif 2431 rc = smk_access(subject, object, MAY_WRITE, &ad); 2432 rc = smk_bu_note("IPv6 check", subject, object, MAY_WRITE, rc); 2433 return rc; 2434 } 2435 #endif /* CONFIG_IPV6 */ 2436 2437 #ifdef SMACK_IPV6_PORT_LABELING 2438 /** 2439 * smk_ipv6_port_label - Smack port access table management 2440 * @sock: socket 2441 * @address: address 2442 * 2443 * Create or update the port list entry 2444 */ 2445 static void smk_ipv6_port_label(struct socket *sock, struct sockaddr *address) 2446 { 2447 struct sock *sk = sock->sk; 2448 struct sockaddr_in6 *addr6; 2449 struct socket_smack *ssp = sock->sk->sk_security; 2450 struct smk_port_label *spp; 2451 unsigned short port = 0; 2452 2453 if (address == NULL) { 2454 /* 2455 * This operation is changing the Smack information 2456 * on the bound socket. Take the changes to the port 2457 * as well. 2458 */ 2459 rcu_read_lock(); 2460 list_for_each_entry_rcu(spp, &smk_ipv6_port_list, list) { 2461 if (sk != spp->smk_sock) 2462 continue; 2463 spp->smk_in = ssp->smk_in; 2464 spp->smk_out = ssp->smk_out; 2465 rcu_read_unlock(); 2466 return; 2467 } 2468 /* 2469 * A NULL address is only used for updating existing 2470 * bound entries. If there isn't one, it's OK. 2471 */ 2472 rcu_read_unlock(); 2473 return; 2474 } 2475 2476 addr6 = (struct sockaddr_in6 *)address; 2477 port = ntohs(addr6->sin6_port); 2478 /* 2479 * This is a special case that is safely ignored. 2480 */ 2481 if (port == 0) 2482 return; 2483 2484 /* 2485 * Look for an existing port list entry. 2486 * This is an indication that a port is getting reused. 2487 */ 2488 rcu_read_lock(); 2489 list_for_each_entry_rcu(spp, &smk_ipv6_port_list, list) { 2490 if (spp->smk_port != port || spp->smk_sock_type != sock->type) 2491 continue; 2492 if (spp->smk_can_reuse != 1) { 2493 rcu_read_unlock(); 2494 return; 2495 } 2496 spp->smk_port = port; 2497 spp->smk_sock = sk; 2498 spp->smk_in = ssp->smk_in; 2499 spp->smk_out = ssp->smk_out; 2500 spp->smk_can_reuse = 0; 2501 rcu_read_unlock(); 2502 return; 2503 } 2504 rcu_read_unlock(); 2505 /* 2506 * A new port entry is required. 2507 */ 2508 spp = kzalloc(sizeof(*spp), GFP_KERNEL); 2509 if (spp == NULL) 2510 return; 2511 2512 spp->smk_port = port; 2513 spp->smk_sock = sk; 2514 spp->smk_in = ssp->smk_in; 2515 spp->smk_out = ssp->smk_out; 2516 spp->smk_sock_type = sock->type; 2517 spp->smk_can_reuse = 0; 2518 2519 mutex_lock(&smack_ipv6_lock); 2520 list_add_rcu(&spp->list, &smk_ipv6_port_list); 2521 mutex_unlock(&smack_ipv6_lock); 2522 return; 2523 } 2524 2525 /** 2526 * smk_ipv6_port_check - check Smack port access 2527 * @sock: socket 2528 * @address: address 2529 * 2530 * Create or update the port list entry 2531 */ 2532 static int smk_ipv6_port_check(struct sock *sk, struct sockaddr_in6 *address, 2533 int act) 2534 { 2535 struct smk_port_label *spp; 2536 struct socket_smack *ssp = sk->sk_security; 2537 struct smack_known *skp = NULL; 2538 unsigned short port; 2539 struct smack_known *object; 2540 2541 if (act == SMK_RECEIVING) { 2542 skp = smack_ipv6host_label(address); 2543 object = ssp->smk_in; 2544 } else { 2545 skp = ssp->smk_out; 2546 object = smack_ipv6host_label(address); 2547 } 2548 2549 /* 2550 * The other end is a single label host. 2551 */ 2552 if (skp != NULL && object != NULL) 2553 return smk_ipv6_check(skp, object, address, act); 2554 if (skp == NULL) 2555 skp = smack_net_ambient; 2556 if (object == NULL) 2557 object = smack_net_ambient; 2558 2559 /* 2560 * It's remote, so port lookup does no good. 2561 */ 2562 if (!smk_ipv6_localhost(address)) 2563 return smk_ipv6_check(skp, object, address, act); 2564 2565 /* 2566 * It's local so the send check has to have passed. 2567 */ 2568 if (act == SMK_RECEIVING) 2569 return 0; 2570 2571 port = ntohs(address->sin6_port); 2572 rcu_read_lock(); 2573 list_for_each_entry_rcu(spp, &smk_ipv6_port_list, list) { 2574 if (spp->smk_port != port || spp->smk_sock_type != sk->sk_type) 2575 continue; 2576 object = spp->smk_in; 2577 if (act == SMK_CONNECTING) 2578 ssp->smk_packet = spp->smk_out; 2579 break; 2580 } 2581 rcu_read_unlock(); 2582 2583 return smk_ipv6_check(skp, object, address, act); 2584 } 2585 #endif /* SMACK_IPV6_PORT_LABELING */ 2586 2587 /** 2588 * smack_inode_setsecurity - set smack xattrs 2589 * @inode: the object 2590 * @name: attribute name 2591 * @value: attribute value 2592 * @size: size of the attribute 2593 * @flags: unused 2594 * 2595 * Sets the named attribute in the appropriate blob 2596 * 2597 * Returns 0 on success, or an error code 2598 */ 2599 static int smack_inode_setsecurity(struct inode *inode, const char *name, 2600 const void *value, size_t size, int flags) 2601 { 2602 struct smack_known *skp; 2603 struct inode_smack *nsp = smack_inode(inode); 2604 struct socket_smack *ssp; 2605 struct socket *sock; 2606 int rc = 0; 2607 2608 if (value == NULL || size > SMK_LONGLABEL || size == 0) 2609 return -EINVAL; 2610 2611 skp = smk_import_entry(value, size); 2612 if (IS_ERR(skp)) 2613 return PTR_ERR(skp); 2614 2615 if (strcmp(name, XATTR_SMACK_SUFFIX) == 0) { 2616 nsp->smk_inode = skp; 2617 nsp->smk_flags |= SMK_INODE_INSTANT; 2618 return 0; 2619 } 2620 /* 2621 * The rest of the Smack xattrs are only on sockets. 2622 */ 2623 if (inode->i_sb->s_magic != SOCKFS_MAGIC) 2624 return -EOPNOTSUPP; 2625 2626 sock = SOCKET_I(inode); 2627 if (sock == NULL || sock->sk == NULL) 2628 return -EOPNOTSUPP; 2629 2630 ssp = sock->sk->sk_security; 2631 2632 if (strcmp(name, XATTR_SMACK_IPIN) == 0) 2633 ssp->smk_in = skp; 2634 else if (strcmp(name, XATTR_SMACK_IPOUT) == 0) { 2635 ssp->smk_out = skp; 2636 if (sock->sk->sk_family == PF_INET) { 2637 rc = smack_netlabel(sock->sk, SMACK_CIPSO_SOCKET); 2638 if (rc != 0) 2639 printk(KERN_WARNING 2640 "Smack: \"%s\" netlbl error %d.\n", 2641 __func__, -rc); 2642 } 2643 } else 2644 return -EOPNOTSUPP; 2645 2646 #ifdef SMACK_IPV6_PORT_LABELING 2647 if (sock->sk->sk_family == PF_INET6) 2648 smk_ipv6_port_label(sock, NULL); 2649 #endif 2650 2651 return 0; 2652 } 2653 2654 /** 2655 * smack_socket_post_create - finish socket setup 2656 * @sock: the socket 2657 * @family: protocol family 2658 * @type: unused 2659 * @protocol: unused 2660 * @kern: unused 2661 * 2662 * Sets the netlabel information on the socket 2663 * 2664 * Returns 0 on success, and error code otherwise 2665 */ 2666 static int smack_socket_post_create(struct socket *sock, int family, 2667 int type, int protocol, int kern) 2668 { 2669 struct socket_smack *ssp; 2670 2671 if (sock->sk == NULL) 2672 return 0; 2673 2674 /* 2675 * Sockets created by kernel threads receive web label. 2676 */ 2677 if (unlikely(current->flags & PF_KTHREAD)) { 2678 ssp = sock->sk->sk_security; 2679 ssp->smk_in = &smack_known_web; 2680 ssp->smk_out = &smack_known_web; 2681 } 2682 2683 if (family != PF_INET) 2684 return 0; 2685 /* 2686 * Set the outbound netlbl. 2687 */ 2688 return smack_netlabel(sock->sk, SMACK_CIPSO_SOCKET); 2689 } 2690 2691 /** 2692 * smack_socket_socketpair - create socket pair 2693 * @socka: one socket 2694 * @sockb: another socket 2695 * 2696 * Cross reference the peer labels for SO_PEERSEC 2697 * 2698 * Returns 0 on success, and error code otherwise 2699 */ 2700 static int smack_socket_socketpair(struct socket *socka, 2701 struct socket *sockb) 2702 { 2703 struct socket_smack *asp = socka->sk->sk_security; 2704 struct socket_smack *bsp = sockb->sk->sk_security; 2705 2706 asp->smk_packet = bsp->smk_out; 2707 bsp->smk_packet = asp->smk_out; 2708 2709 return 0; 2710 } 2711 2712 #ifdef SMACK_IPV6_PORT_LABELING 2713 /** 2714 * smack_socket_bind - record port binding information. 2715 * @sock: the socket 2716 * @address: the port address 2717 * @addrlen: size of the address 2718 * 2719 * Records the label bound to a port. 2720 * 2721 * Returns 0 2722 */ 2723 static int smack_socket_bind(struct socket *sock, struct sockaddr *address, 2724 int addrlen) 2725 { 2726 if (sock->sk != NULL && sock->sk->sk_family == PF_INET6) 2727 smk_ipv6_port_label(sock, address); 2728 return 0; 2729 } 2730 #endif /* SMACK_IPV6_PORT_LABELING */ 2731 2732 /** 2733 * smack_socket_connect - connect access check 2734 * @sock: the socket 2735 * @sap: the other end 2736 * @addrlen: size of sap 2737 * 2738 * Verifies that a connection may be possible 2739 * 2740 * Returns 0 on success, and error code otherwise 2741 */ 2742 static int smack_socket_connect(struct socket *sock, struct sockaddr *sap, 2743 int addrlen) 2744 { 2745 int rc = 0; 2746 #if IS_ENABLED(CONFIG_IPV6) 2747 struct sockaddr_in6 *sip = (struct sockaddr_in6 *)sap; 2748 #endif 2749 #ifdef SMACK_IPV6_SECMARK_LABELING 2750 struct smack_known *rsp; 2751 struct socket_smack *ssp; 2752 #endif 2753 2754 if (sock->sk == NULL) 2755 return 0; 2756 2757 #ifdef SMACK_IPV6_SECMARK_LABELING 2758 ssp = sock->sk->sk_security; 2759 #endif 2760 2761 switch (sock->sk->sk_family) { 2762 case PF_INET: 2763 if (addrlen < sizeof(struct sockaddr_in)) 2764 return -EINVAL; 2765 rc = smack_netlabel_send(sock->sk, (struct sockaddr_in *)sap); 2766 break; 2767 case PF_INET6: 2768 if (addrlen < sizeof(struct sockaddr_in6)) 2769 return -EINVAL; 2770 #ifdef SMACK_IPV6_SECMARK_LABELING 2771 rsp = smack_ipv6host_label(sip); 2772 if (rsp != NULL) 2773 rc = smk_ipv6_check(ssp->smk_out, rsp, sip, 2774 SMK_CONNECTING); 2775 #endif 2776 #ifdef SMACK_IPV6_PORT_LABELING 2777 rc = smk_ipv6_port_check(sock->sk, sip, SMK_CONNECTING); 2778 #endif 2779 break; 2780 } 2781 return rc; 2782 } 2783 2784 /** 2785 * smack_flags_to_may - convert S_ to MAY_ values 2786 * @flags: the S_ value 2787 * 2788 * Returns the equivalent MAY_ value 2789 */ 2790 static int smack_flags_to_may(int flags) 2791 { 2792 int may = 0; 2793 2794 if (flags & S_IRUGO) 2795 may |= MAY_READ; 2796 if (flags & S_IWUGO) 2797 may |= MAY_WRITE; 2798 if (flags & S_IXUGO) 2799 may |= MAY_EXEC; 2800 2801 return may; 2802 } 2803 2804 /** 2805 * smack_msg_msg_alloc_security - Set the security blob for msg_msg 2806 * @msg: the object 2807 * 2808 * Returns 0 2809 */ 2810 static int smack_msg_msg_alloc_security(struct msg_msg *msg) 2811 { 2812 struct smack_known **blob = smack_msg_msg(msg); 2813 2814 *blob = smk_of_current(); 2815 return 0; 2816 } 2817 2818 /** 2819 * smack_of_ipc - the smack pointer for the ipc 2820 * @isp: the object 2821 * 2822 * Returns a pointer to the smack value 2823 */ 2824 static struct smack_known *smack_of_ipc(struct kern_ipc_perm *isp) 2825 { 2826 struct smack_known **blob = smack_ipc(isp); 2827 2828 return *blob; 2829 } 2830 2831 /** 2832 * smack_ipc_alloc_security - Set the security blob for ipc 2833 * @isp: the object 2834 * 2835 * Returns 0 2836 */ 2837 static int smack_ipc_alloc_security(struct kern_ipc_perm *isp) 2838 { 2839 struct smack_known **blob = smack_ipc(isp); 2840 2841 *blob = smk_of_current(); 2842 return 0; 2843 } 2844 2845 /** 2846 * smk_curacc_shm : check if current has access on shm 2847 * @isp : the object 2848 * @access : access requested 2849 * 2850 * Returns 0 if current has the requested access, error code otherwise 2851 */ 2852 static int smk_curacc_shm(struct kern_ipc_perm *isp, int access) 2853 { 2854 struct smack_known *ssp = smack_of_ipc(isp); 2855 struct smk_audit_info ad; 2856 int rc; 2857 2858 #ifdef CONFIG_AUDIT 2859 smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_IPC); 2860 ad.a.u.ipc_id = isp->id; 2861 #endif 2862 rc = smk_curacc(ssp, access, &ad); 2863 rc = smk_bu_current("shm", ssp, access, rc); 2864 return rc; 2865 } 2866 2867 /** 2868 * smack_shm_associate - Smack access check for shm 2869 * @isp: the object 2870 * @shmflg: access requested 2871 * 2872 * Returns 0 if current has the requested access, error code otherwise 2873 */ 2874 static int smack_shm_associate(struct kern_ipc_perm *isp, int shmflg) 2875 { 2876 int may; 2877 2878 may = smack_flags_to_may(shmflg); 2879 return smk_curacc_shm(isp, may); 2880 } 2881 2882 /** 2883 * smack_shm_shmctl - Smack access check for shm 2884 * @isp: the object 2885 * @cmd: what it wants to do 2886 * 2887 * Returns 0 if current has the requested access, error code otherwise 2888 */ 2889 static int smack_shm_shmctl(struct kern_ipc_perm *isp, int cmd) 2890 { 2891 int may; 2892 2893 switch (cmd) { 2894 case IPC_STAT: 2895 case SHM_STAT: 2896 case SHM_STAT_ANY: 2897 may = MAY_READ; 2898 break; 2899 case IPC_SET: 2900 case SHM_LOCK: 2901 case SHM_UNLOCK: 2902 case IPC_RMID: 2903 may = MAY_READWRITE; 2904 break; 2905 case IPC_INFO: 2906 case SHM_INFO: 2907 /* 2908 * System level information. 2909 */ 2910 return 0; 2911 default: 2912 return -EINVAL; 2913 } 2914 return smk_curacc_shm(isp, may); 2915 } 2916 2917 /** 2918 * smack_shm_shmat - Smack access for shmat 2919 * @isp: the object 2920 * @shmaddr: unused 2921 * @shmflg: access requested 2922 * 2923 * Returns 0 if current has the requested access, error code otherwise 2924 */ 2925 static int smack_shm_shmat(struct kern_ipc_perm *ipc, char __user *shmaddr, 2926 int shmflg) 2927 { 2928 int may; 2929 2930 may = smack_flags_to_may(shmflg); 2931 return smk_curacc_shm(ipc, may); 2932 } 2933 2934 /** 2935 * smk_curacc_sem : check if current has access on sem 2936 * @isp : the object 2937 * @access : access requested 2938 * 2939 * Returns 0 if current has the requested access, error code otherwise 2940 */ 2941 static int smk_curacc_sem(struct kern_ipc_perm *isp, int access) 2942 { 2943 struct smack_known *ssp = smack_of_ipc(isp); 2944 struct smk_audit_info ad; 2945 int rc; 2946 2947 #ifdef CONFIG_AUDIT 2948 smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_IPC); 2949 ad.a.u.ipc_id = isp->id; 2950 #endif 2951 rc = smk_curacc(ssp, access, &ad); 2952 rc = smk_bu_current("sem", ssp, access, rc); 2953 return rc; 2954 } 2955 2956 /** 2957 * smack_sem_associate - Smack access check for sem 2958 * @isp: the object 2959 * @semflg: access requested 2960 * 2961 * Returns 0 if current has the requested access, error code otherwise 2962 */ 2963 static int smack_sem_associate(struct kern_ipc_perm *isp, int semflg) 2964 { 2965 int may; 2966 2967 may = smack_flags_to_may(semflg); 2968 return smk_curacc_sem(isp, may); 2969 } 2970 2971 /** 2972 * smack_sem_shmctl - Smack access check for sem 2973 * @isp: the object 2974 * @cmd: what it wants to do 2975 * 2976 * Returns 0 if current has the requested access, error code otherwise 2977 */ 2978 static int smack_sem_semctl(struct kern_ipc_perm *isp, int cmd) 2979 { 2980 int may; 2981 2982 switch (cmd) { 2983 case GETPID: 2984 case GETNCNT: 2985 case GETZCNT: 2986 case GETVAL: 2987 case GETALL: 2988 case IPC_STAT: 2989 case SEM_STAT: 2990 case SEM_STAT_ANY: 2991 may = MAY_READ; 2992 break; 2993 case SETVAL: 2994 case SETALL: 2995 case IPC_RMID: 2996 case IPC_SET: 2997 may = MAY_READWRITE; 2998 break; 2999 case IPC_INFO: 3000 case SEM_INFO: 3001 /* 3002 * System level information 3003 */ 3004 return 0; 3005 default: 3006 return -EINVAL; 3007 } 3008 3009 return smk_curacc_sem(isp, may); 3010 } 3011 3012 /** 3013 * smack_sem_semop - Smack checks of semaphore operations 3014 * @isp: the object 3015 * @sops: unused 3016 * @nsops: unused 3017 * @alter: unused 3018 * 3019 * Treated as read and write in all cases. 3020 * 3021 * Returns 0 if access is allowed, error code otherwise 3022 */ 3023 static int smack_sem_semop(struct kern_ipc_perm *isp, struct sembuf *sops, 3024 unsigned nsops, int alter) 3025 { 3026 return smk_curacc_sem(isp, MAY_READWRITE); 3027 } 3028 3029 /** 3030 * smk_curacc_msq : helper to check if current has access on msq 3031 * @isp : the msq 3032 * @access : access requested 3033 * 3034 * return 0 if current has access, error otherwise 3035 */ 3036 static int smk_curacc_msq(struct kern_ipc_perm *isp, int access) 3037 { 3038 struct smack_known *msp = smack_of_ipc(isp); 3039 struct smk_audit_info ad; 3040 int rc; 3041 3042 #ifdef CONFIG_AUDIT 3043 smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_IPC); 3044 ad.a.u.ipc_id = isp->id; 3045 #endif 3046 rc = smk_curacc(msp, access, &ad); 3047 rc = smk_bu_current("msq", msp, access, rc); 3048 return rc; 3049 } 3050 3051 /** 3052 * smack_msg_queue_associate - Smack access check for msg_queue 3053 * @isp: the object 3054 * @msqflg: access requested 3055 * 3056 * Returns 0 if current has the requested access, error code otherwise 3057 */ 3058 static int smack_msg_queue_associate(struct kern_ipc_perm *isp, int msqflg) 3059 { 3060 int may; 3061 3062 may = smack_flags_to_may(msqflg); 3063 return smk_curacc_msq(isp, may); 3064 } 3065 3066 /** 3067 * smack_msg_queue_msgctl - Smack access check for msg_queue 3068 * @isp: the object 3069 * @cmd: what it wants to do 3070 * 3071 * Returns 0 if current has the requested access, error code otherwise 3072 */ 3073 static int smack_msg_queue_msgctl(struct kern_ipc_perm *isp, int cmd) 3074 { 3075 int may; 3076 3077 switch (cmd) { 3078 case IPC_STAT: 3079 case MSG_STAT: 3080 case MSG_STAT_ANY: 3081 may = MAY_READ; 3082 break; 3083 case IPC_SET: 3084 case IPC_RMID: 3085 may = MAY_READWRITE; 3086 break; 3087 case IPC_INFO: 3088 case MSG_INFO: 3089 /* 3090 * System level information 3091 */ 3092 return 0; 3093 default: 3094 return -EINVAL; 3095 } 3096 3097 return smk_curacc_msq(isp, may); 3098 } 3099 3100 /** 3101 * smack_msg_queue_msgsnd - Smack access check for msg_queue 3102 * @isp: the object 3103 * @msg: unused 3104 * @msqflg: access requested 3105 * 3106 * Returns 0 if current has the requested access, error code otherwise 3107 */ 3108 static int smack_msg_queue_msgsnd(struct kern_ipc_perm *isp, struct msg_msg *msg, 3109 int msqflg) 3110 { 3111 int may; 3112 3113 may = smack_flags_to_may(msqflg); 3114 return smk_curacc_msq(isp, may); 3115 } 3116 3117 /** 3118 * smack_msg_queue_msgsnd - Smack access check for msg_queue 3119 * @isp: the object 3120 * @msg: unused 3121 * @target: unused 3122 * @type: unused 3123 * @mode: unused 3124 * 3125 * Returns 0 if current has read and write access, error code otherwise 3126 */ 3127 static int smack_msg_queue_msgrcv(struct kern_ipc_perm *isp, struct msg_msg *msg, 3128 struct task_struct *target, long type, int mode) 3129 { 3130 return smk_curacc_msq(isp, MAY_READWRITE); 3131 } 3132 3133 /** 3134 * smack_ipc_permission - Smack access for ipc_permission() 3135 * @ipp: the object permissions 3136 * @flag: access requested 3137 * 3138 * Returns 0 if current has read and write access, error code otherwise 3139 */ 3140 static int smack_ipc_permission(struct kern_ipc_perm *ipp, short flag) 3141 { 3142 struct smack_known **blob = smack_ipc(ipp); 3143 struct smack_known *iskp = *blob; 3144 int may = smack_flags_to_may(flag); 3145 struct smk_audit_info ad; 3146 int rc; 3147 3148 #ifdef CONFIG_AUDIT 3149 smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_IPC); 3150 ad.a.u.ipc_id = ipp->id; 3151 #endif 3152 rc = smk_curacc(iskp, may, &ad); 3153 rc = smk_bu_current("svipc", iskp, may, rc); 3154 return rc; 3155 } 3156 3157 /** 3158 * smack_ipc_getsecid - Extract smack security id 3159 * @ipp: the object permissions 3160 * @secid: where result will be saved 3161 */ 3162 static void smack_ipc_getsecid(struct kern_ipc_perm *ipp, u32 *secid) 3163 { 3164 struct smack_known **blob = smack_ipc(ipp); 3165 struct smack_known *iskp = *blob; 3166 3167 *secid = iskp->smk_secid; 3168 } 3169 3170 /** 3171 * smack_d_instantiate - Make sure the blob is correct on an inode 3172 * @opt_dentry: dentry where inode will be attached 3173 * @inode: the object 3174 * 3175 * Set the inode's security blob if it hasn't been done already. 3176 */ 3177 static void smack_d_instantiate(struct dentry *opt_dentry, struct inode *inode) 3178 { 3179 struct super_block *sbp; 3180 struct superblock_smack *sbsp; 3181 struct inode_smack *isp; 3182 struct smack_known *skp; 3183 struct smack_known *ckp = smk_of_current(); 3184 struct smack_known *final; 3185 char trattr[TRANS_TRUE_SIZE]; 3186 int transflag = 0; 3187 int rc; 3188 struct dentry *dp; 3189 3190 if (inode == NULL) 3191 return; 3192 3193 isp = smack_inode(inode); 3194 3195 mutex_lock(&isp->smk_lock); 3196 /* 3197 * If the inode is already instantiated 3198 * take the quick way out 3199 */ 3200 if (isp->smk_flags & SMK_INODE_INSTANT) 3201 goto unlockandout; 3202 3203 sbp = inode->i_sb; 3204 sbsp = sbp->s_security; 3205 /* 3206 * We're going to use the superblock default label 3207 * if there's no label on the file. 3208 */ 3209 final = sbsp->smk_default; 3210 3211 /* 3212 * If this is the root inode the superblock 3213 * may be in the process of initialization. 3214 * If that is the case use the root value out 3215 * of the superblock. 3216 */ 3217 if (opt_dentry->d_parent == opt_dentry) { 3218 switch (sbp->s_magic) { 3219 case CGROUP_SUPER_MAGIC: 3220 case CGROUP2_SUPER_MAGIC: 3221 /* 3222 * The cgroup filesystem is never mounted, 3223 * so there's no opportunity to set the mount 3224 * options. 3225 */ 3226 sbsp->smk_root = &smack_known_star; 3227 sbsp->smk_default = &smack_known_star; 3228 isp->smk_inode = sbsp->smk_root; 3229 break; 3230 case TMPFS_MAGIC: 3231 /* 3232 * What about shmem/tmpfs anonymous files with dentry 3233 * obtained from d_alloc_pseudo()? 3234 */ 3235 isp->smk_inode = smk_of_current(); 3236 break; 3237 case PIPEFS_MAGIC: 3238 isp->smk_inode = smk_of_current(); 3239 break; 3240 case SOCKFS_MAGIC: 3241 /* 3242 * Socket access is controlled by the socket 3243 * structures associated with the task involved. 3244 */ 3245 isp->smk_inode = &smack_known_star; 3246 break; 3247 default: 3248 isp->smk_inode = sbsp->smk_root; 3249 break; 3250 } 3251 isp->smk_flags |= SMK_INODE_INSTANT; 3252 goto unlockandout; 3253 } 3254 3255 /* 3256 * This is pretty hackish. 3257 * Casey says that we shouldn't have to do 3258 * file system specific code, but it does help 3259 * with keeping it simple. 3260 */ 3261 switch (sbp->s_magic) { 3262 case SMACK_MAGIC: 3263 case CGROUP_SUPER_MAGIC: 3264 case CGROUP2_SUPER_MAGIC: 3265 /* 3266 * Casey says that it's a little embarrassing 3267 * that the smack file system doesn't do 3268 * extended attributes. 3269 * 3270 * Cgroupfs is special 3271 */ 3272 final = &smack_known_star; 3273 break; 3274 case DEVPTS_SUPER_MAGIC: 3275 /* 3276 * devpts seems content with the label of the task. 3277 * Programs that change smack have to treat the 3278 * pty with respect. 3279 */ 3280 final = ckp; 3281 break; 3282 case PROC_SUPER_MAGIC: 3283 /* 3284 * Casey says procfs appears not to care. 3285 * The superblock default suffices. 3286 */ 3287 break; 3288 case TMPFS_MAGIC: 3289 /* 3290 * Device labels should come from the filesystem, 3291 * but watch out, because they're volitile, 3292 * getting recreated on every reboot. 3293 */ 3294 final = &smack_known_star; 3295 /* 3296 * Fall through. 3297 * 3298 * If a smack value has been set we want to use it, 3299 * but since tmpfs isn't giving us the opportunity 3300 * to set mount options simulate setting the 3301 * superblock default. 3302 */ 3303 default: 3304 /* 3305 * This isn't an understood special case. 3306 * Get the value from the xattr. 3307 */ 3308 3309 /* 3310 * UNIX domain sockets use lower level socket data. 3311 */ 3312 if (S_ISSOCK(inode->i_mode)) { 3313 final = &smack_known_star; 3314 break; 3315 } 3316 /* 3317 * No xattr support means, alas, no SMACK label. 3318 * Use the aforeapplied default. 3319 * It would be curious if the label of the task 3320 * does not match that assigned. 3321 */ 3322 if (!(inode->i_opflags & IOP_XATTR)) 3323 break; 3324 /* 3325 * Get the dentry for xattr. 3326 */ 3327 dp = dget(opt_dentry); 3328 skp = smk_fetch(XATTR_NAME_SMACK, inode, dp); 3329 if (!IS_ERR_OR_NULL(skp)) 3330 final = skp; 3331 3332 /* 3333 * Transmuting directory 3334 */ 3335 if (S_ISDIR(inode->i_mode)) { 3336 /* 3337 * If this is a new directory and the label was 3338 * transmuted when the inode was initialized 3339 * set the transmute attribute on the directory 3340 * and mark the inode. 3341 * 3342 * If there is a transmute attribute on the 3343 * directory mark the inode. 3344 */ 3345 if (isp->smk_flags & SMK_INODE_CHANGED) { 3346 isp->smk_flags &= ~SMK_INODE_CHANGED; 3347 rc = __vfs_setxattr(dp, inode, 3348 XATTR_NAME_SMACKTRANSMUTE, 3349 TRANS_TRUE, TRANS_TRUE_SIZE, 3350 0); 3351 } else { 3352 rc = __vfs_getxattr(dp, inode, 3353 XATTR_NAME_SMACKTRANSMUTE, trattr, 3354 TRANS_TRUE_SIZE); 3355 if (rc >= 0 && strncmp(trattr, TRANS_TRUE, 3356 TRANS_TRUE_SIZE) != 0) 3357 rc = -EINVAL; 3358 } 3359 if (rc >= 0) 3360 transflag = SMK_INODE_TRANSMUTE; 3361 } 3362 /* 3363 * Don't let the exec or mmap label be "*" or "@". 3364 */ 3365 skp = smk_fetch(XATTR_NAME_SMACKEXEC, inode, dp); 3366 if (IS_ERR(skp) || skp == &smack_known_star || 3367 skp == &smack_known_web) 3368 skp = NULL; 3369 isp->smk_task = skp; 3370 3371 skp = smk_fetch(XATTR_NAME_SMACKMMAP, inode, dp); 3372 if (IS_ERR(skp) || skp == &smack_known_star || 3373 skp == &smack_known_web) 3374 skp = NULL; 3375 isp->smk_mmap = skp; 3376 3377 dput(dp); 3378 break; 3379 } 3380 3381 if (final == NULL) 3382 isp->smk_inode = ckp; 3383 else 3384 isp->smk_inode = final; 3385 3386 isp->smk_flags |= (SMK_INODE_INSTANT | transflag); 3387 3388 unlockandout: 3389 mutex_unlock(&isp->smk_lock); 3390 return; 3391 } 3392 3393 /** 3394 * smack_getprocattr - Smack process attribute access 3395 * @p: the object task 3396 * @name: the name of the attribute in /proc/.../attr 3397 * @value: where to put the result 3398 * 3399 * Places a copy of the task Smack into value 3400 * 3401 * Returns the length of the smack label or an error code 3402 */ 3403 static int smack_getprocattr(struct task_struct *p, char *name, char **value) 3404 { 3405 struct smack_known *skp = smk_of_task_struct(p); 3406 char *cp; 3407 int slen; 3408 3409 if (strcmp(name, "current") != 0) 3410 return -EINVAL; 3411 3412 cp = kstrdup(skp->smk_known, GFP_KERNEL); 3413 if (cp == NULL) 3414 return -ENOMEM; 3415 3416 slen = strlen(cp); 3417 *value = cp; 3418 return slen; 3419 } 3420 3421 /** 3422 * smack_setprocattr - Smack process attribute setting 3423 * @name: the name of the attribute in /proc/.../attr 3424 * @value: the value to set 3425 * @size: the size of the value 3426 * 3427 * Sets the Smack value of the task. Only setting self 3428 * is permitted and only with privilege 3429 * 3430 * Returns the length of the smack label or an error code 3431 */ 3432 static int smack_setprocattr(const char *name, void *value, size_t size) 3433 { 3434 struct task_smack *tsp = smack_cred(current_cred()); 3435 struct cred *new; 3436 struct smack_known *skp; 3437 struct smack_known_list_elem *sklep; 3438 int rc; 3439 3440 if (!smack_privileged(CAP_MAC_ADMIN) && list_empty(&tsp->smk_relabel)) 3441 return -EPERM; 3442 3443 if (value == NULL || size == 0 || size >= SMK_LONGLABEL) 3444 return -EINVAL; 3445 3446 if (strcmp(name, "current") != 0) 3447 return -EINVAL; 3448 3449 skp = smk_import_entry(value, size); 3450 if (IS_ERR(skp)) 3451 return PTR_ERR(skp); 3452 3453 /* 3454 * No process is ever allowed the web ("@") label 3455 * and the star ("*") label. 3456 */ 3457 if (skp == &smack_known_web || skp == &smack_known_star) 3458 return -EINVAL; 3459 3460 if (!smack_privileged(CAP_MAC_ADMIN)) { 3461 rc = -EPERM; 3462 list_for_each_entry(sklep, &tsp->smk_relabel, list) 3463 if (sklep->smk_label == skp) { 3464 rc = 0; 3465 break; 3466 } 3467 if (rc) 3468 return rc; 3469 } 3470 3471 new = prepare_creds(); 3472 if (new == NULL) 3473 return -ENOMEM; 3474 3475 tsp = smack_cred(new); 3476 tsp->smk_task = skp; 3477 /* 3478 * process can change its label only once 3479 */ 3480 smk_destroy_label_list(&tsp->smk_relabel); 3481 3482 commit_creds(new); 3483 return size; 3484 } 3485 3486 /** 3487 * smack_unix_stream_connect - Smack access on UDS 3488 * @sock: one sock 3489 * @other: the other sock 3490 * @newsk: unused 3491 * 3492 * Return 0 if a subject with the smack of sock could access 3493 * an object with the smack of other, otherwise an error code 3494 */ 3495 static int smack_unix_stream_connect(struct sock *sock, 3496 struct sock *other, struct sock *newsk) 3497 { 3498 struct smack_known *skp; 3499 struct smack_known *okp; 3500 struct socket_smack *ssp = sock->sk_security; 3501 struct socket_smack *osp = other->sk_security; 3502 struct socket_smack *nsp = newsk->sk_security; 3503 struct smk_audit_info ad; 3504 int rc = 0; 3505 #ifdef CONFIG_AUDIT 3506 struct lsm_network_audit net; 3507 #endif 3508 3509 if (!smack_privileged(CAP_MAC_OVERRIDE)) { 3510 skp = ssp->smk_out; 3511 okp = osp->smk_in; 3512 #ifdef CONFIG_AUDIT 3513 smk_ad_init_net(&ad, __func__, LSM_AUDIT_DATA_NET, &net); 3514 smk_ad_setfield_u_net_sk(&ad, other); 3515 #endif 3516 rc = smk_access(skp, okp, MAY_WRITE, &ad); 3517 rc = smk_bu_note("UDS connect", skp, okp, MAY_WRITE, rc); 3518 if (rc == 0) { 3519 okp = osp->smk_out; 3520 skp = ssp->smk_in; 3521 rc = smk_access(okp, skp, MAY_WRITE, &ad); 3522 rc = smk_bu_note("UDS connect", okp, skp, 3523 MAY_WRITE, rc); 3524 } 3525 } 3526 3527 /* 3528 * Cross reference the peer labels for SO_PEERSEC. 3529 */ 3530 if (rc == 0) { 3531 nsp->smk_packet = ssp->smk_out; 3532 ssp->smk_packet = osp->smk_out; 3533 } 3534 3535 return rc; 3536 } 3537 3538 /** 3539 * smack_unix_may_send - Smack access on UDS 3540 * @sock: one socket 3541 * @other: the other socket 3542 * 3543 * Return 0 if a subject with the smack of sock could access 3544 * an object with the smack of other, otherwise an error code 3545 */ 3546 static int smack_unix_may_send(struct socket *sock, struct socket *other) 3547 { 3548 struct socket_smack *ssp = sock->sk->sk_security; 3549 struct socket_smack *osp = other->sk->sk_security; 3550 struct smk_audit_info ad; 3551 int rc; 3552 3553 #ifdef CONFIG_AUDIT 3554 struct lsm_network_audit net; 3555 3556 smk_ad_init_net(&ad, __func__, LSM_AUDIT_DATA_NET, &net); 3557 smk_ad_setfield_u_net_sk(&ad, other->sk); 3558 #endif 3559 3560 if (smack_privileged(CAP_MAC_OVERRIDE)) 3561 return 0; 3562 3563 rc = smk_access(ssp->smk_out, osp->smk_in, MAY_WRITE, &ad); 3564 rc = smk_bu_note("UDS send", ssp->smk_out, osp->smk_in, MAY_WRITE, rc); 3565 return rc; 3566 } 3567 3568 /** 3569 * smack_socket_sendmsg - Smack check based on destination host 3570 * @sock: the socket 3571 * @msg: the message 3572 * @size: the size of the message 3573 * 3574 * Return 0 if the current subject can write to the destination host. 3575 * For IPv4 this is only a question if the destination is a single label host. 3576 * For IPv6 this is a check against the label of the port. 3577 */ 3578 static int smack_socket_sendmsg(struct socket *sock, struct msghdr *msg, 3579 int size) 3580 { 3581 struct sockaddr_in *sip = (struct sockaddr_in *) msg->msg_name; 3582 #if IS_ENABLED(CONFIG_IPV6) 3583 struct sockaddr_in6 *sap = (struct sockaddr_in6 *) msg->msg_name; 3584 #endif 3585 #ifdef SMACK_IPV6_SECMARK_LABELING 3586 struct socket_smack *ssp = sock->sk->sk_security; 3587 struct smack_known *rsp; 3588 #endif 3589 int rc = 0; 3590 3591 /* 3592 * Perfectly reasonable for this to be NULL 3593 */ 3594 if (sip == NULL) 3595 return 0; 3596 3597 switch (sock->sk->sk_family) { 3598 case AF_INET: 3599 rc = smack_netlabel_send(sock->sk, sip); 3600 break; 3601 case AF_INET6: 3602 #ifdef SMACK_IPV6_SECMARK_LABELING 3603 rsp = smack_ipv6host_label(sap); 3604 if (rsp != NULL) 3605 rc = smk_ipv6_check(ssp->smk_out, rsp, sap, 3606 SMK_CONNECTING); 3607 #endif 3608 #ifdef SMACK_IPV6_PORT_LABELING 3609 rc = smk_ipv6_port_check(sock->sk, sap, SMK_SENDING); 3610 #endif 3611 break; 3612 } 3613 return rc; 3614 } 3615 3616 /** 3617 * smack_from_secattr - Convert a netlabel attr.mls.lvl/attr.mls.cat pair to smack 3618 * @sap: netlabel secattr 3619 * @ssp: socket security information 3620 * 3621 * Returns a pointer to a Smack label entry found on the label list. 3622 */ 3623 static struct smack_known *smack_from_secattr(struct netlbl_lsm_secattr *sap, 3624 struct socket_smack *ssp) 3625 { 3626 struct smack_known *skp; 3627 int found = 0; 3628 int acat; 3629 int kcat; 3630 3631 if ((sap->flags & NETLBL_SECATTR_MLS_LVL) != 0) { 3632 /* 3633 * Looks like a CIPSO packet. 3634 * If there are flags but no level netlabel isn't 3635 * behaving the way we expect it to. 3636 * 3637 * Look it up in the label table 3638 * Without guidance regarding the smack value 3639 * for the packet fall back on the network 3640 * ambient value. 3641 */ 3642 rcu_read_lock(); 3643 list_for_each_entry_rcu(skp, &smack_known_list, list) { 3644 if (sap->attr.mls.lvl != skp->smk_netlabel.attr.mls.lvl) 3645 continue; 3646 /* 3647 * Compare the catsets. Use the netlbl APIs. 3648 */ 3649 if ((sap->flags & NETLBL_SECATTR_MLS_CAT) == 0) { 3650 if ((skp->smk_netlabel.flags & 3651 NETLBL_SECATTR_MLS_CAT) == 0) 3652 found = 1; 3653 break; 3654 } 3655 for (acat = -1, kcat = -1; acat == kcat; ) { 3656 acat = netlbl_catmap_walk(sap->attr.mls.cat, 3657 acat + 1); 3658 kcat = netlbl_catmap_walk( 3659 skp->smk_netlabel.attr.mls.cat, 3660 kcat + 1); 3661 if (acat < 0 || kcat < 0) 3662 break; 3663 } 3664 if (acat == kcat) { 3665 found = 1; 3666 break; 3667 } 3668 } 3669 rcu_read_unlock(); 3670 3671 if (found) 3672 return skp; 3673 3674 if (ssp != NULL && ssp->smk_in == &smack_known_star) 3675 return &smack_known_web; 3676 return &smack_known_star; 3677 } 3678 if ((sap->flags & NETLBL_SECATTR_SECID) != 0) 3679 /* 3680 * Looks like a fallback, which gives us a secid. 3681 */ 3682 return smack_from_secid(sap->attr.secid); 3683 /* 3684 * Without guidance regarding the smack value 3685 * for the packet fall back on the network 3686 * ambient value. 3687 */ 3688 return smack_net_ambient; 3689 } 3690 3691 #if IS_ENABLED(CONFIG_IPV6) 3692 static int smk_skb_to_addr_ipv6(struct sk_buff *skb, struct sockaddr_in6 *sip) 3693 { 3694 u8 nexthdr; 3695 int offset; 3696 int proto = -EINVAL; 3697 struct ipv6hdr _ipv6h; 3698 struct ipv6hdr *ip6; 3699 __be16 frag_off; 3700 struct tcphdr _tcph, *th; 3701 struct udphdr _udph, *uh; 3702 struct dccp_hdr _dccph, *dh; 3703 3704 sip->sin6_port = 0; 3705 3706 offset = skb_network_offset(skb); 3707 ip6 = skb_header_pointer(skb, offset, sizeof(_ipv6h), &_ipv6h); 3708 if (ip6 == NULL) 3709 return -EINVAL; 3710 sip->sin6_addr = ip6->saddr; 3711 3712 nexthdr = ip6->nexthdr; 3713 offset += sizeof(_ipv6h); 3714 offset = ipv6_skip_exthdr(skb, offset, &nexthdr, &frag_off); 3715 if (offset < 0) 3716 return -EINVAL; 3717 3718 proto = nexthdr; 3719 switch (proto) { 3720 case IPPROTO_TCP: 3721 th = skb_header_pointer(skb, offset, sizeof(_tcph), &_tcph); 3722 if (th != NULL) 3723 sip->sin6_port = th->source; 3724 break; 3725 case IPPROTO_UDP: 3726 case IPPROTO_UDPLITE: 3727 uh = skb_header_pointer(skb, offset, sizeof(_udph), &_udph); 3728 if (uh != NULL) 3729 sip->sin6_port = uh->source; 3730 break; 3731 case IPPROTO_DCCP: 3732 dh = skb_header_pointer(skb, offset, sizeof(_dccph), &_dccph); 3733 if (dh != NULL) 3734 sip->sin6_port = dh->dccph_sport; 3735 break; 3736 } 3737 return proto; 3738 } 3739 #endif /* CONFIG_IPV6 */ 3740 3741 /** 3742 * smack_socket_sock_rcv_skb - Smack packet delivery access check 3743 * @sk: socket 3744 * @skb: packet 3745 * 3746 * Returns 0 if the packet should be delivered, an error code otherwise 3747 */ 3748 static int smack_socket_sock_rcv_skb(struct sock *sk, struct sk_buff *skb) 3749 { 3750 struct netlbl_lsm_secattr secattr; 3751 struct socket_smack *ssp = sk->sk_security; 3752 struct smack_known *skp = NULL; 3753 int rc = 0; 3754 struct smk_audit_info ad; 3755 u16 family = sk->sk_family; 3756 #ifdef CONFIG_AUDIT 3757 struct lsm_network_audit net; 3758 #endif 3759 #if IS_ENABLED(CONFIG_IPV6) 3760 struct sockaddr_in6 sadd; 3761 int proto; 3762 3763 if (family == PF_INET6 && skb->protocol == htons(ETH_P_IP)) 3764 family = PF_INET; 3765 #endif /* CONFIG_IPV6 */ 3766 3767 switch (family) { 3768 case PF_INET: 3769 #ifdef CONFIG_SECURITY_SMACK_NETFILTER 3770 /* 3771 * If there is a secmark use it rather than the CIPSO label. 3772 * If there is no secmark fall back to CIPSO. 3773 * The secmark is assumed to reflect policy better. 3774 */ 3775 if (skb && skb->secmark != 0) { 3776 skp = smack_from_secid(skb->secmark); 3777 goto access_check; 3778 } 3779 #endif /* CONFIG_SECURITY_SMACK_NETFILTER */ 3780 /* 3781 * Translate what netlabel gave us. 3782 */ 3783 netlbl_secattr_init(&secattr); 3784 3785 rc = netlbl_skbuff_getattr(skb, family, &secattr); 3786 if (rc == 0) 3787 skp = smack_from_secattr(&secattr, ssp); 3788 else 3789 skp = smack_net_ambient; 3790 3791 netlbl_secattr_destroy(&secattr); 3792 3793 #ifdef CONFIG_SECURITY_SMACK_NETFILTER 3794 access_check: 3795 #endif 3796 #ifdef CONFIG_AUDIT 3797 smk_ad_init_net(&ad, __func__, LSM_AUDIT_DATA_NET, &net); 3798 ad.a.u.net->family = family; 3799 ad.a.u.net->netif = skb->skb_iif; 3800 ipv4_skb_to_auditdata(skb, &ad.a, NULL); 3801 #endif 3802 /* 3803 * Receiving a packet requires that the other end 3804 * be able to write here. Read access is not required. 3805 * This is the simplist possible security model 3806 * for networking. 3807 */ 3808 rc = smk_access(skp, ssp->smk_in, MAY_WRITE, &ad); 3809 rc = smk_bu_note("IPv4 delivery", skp, ssp->smk_in, 3810 MAY_WRITE, rc); 3811 if (rc != 0) 3812 netlbl_skbuff_err(skb, family, rc, 0); 3813 break; 3814 #if IS_ENABLED(CONFIG_IPV6) 3815 case PF_INET6: 3816 proto = smk_skb_to_addr_ipv6(skb, &sadd); 3817 if (proto != IPPROTO_UDP && proto != IPPROTO_UDPLITE && 3818 proto != IPPROTO_TCP && proto != IPPROTO_DCCP) 3819 break; 3820 #ifdef SMACK_IPV6_SECMARK_LABELING 3821 if (skb && skb->secmark != 0) 3822 skp = smack_from_secid(skb->secmark); 3823 else 3824 skp = smack_ipv6host_label(&sadd); 3825 if (skp == NULL) 3826 skp = smack_net_ambient; 3827 #ifdef CONFIG_AUDIT 3828 smk_ad_init_net(&ad, __func__, LSM_AUDIT_DATA_NET, &net); 3829 ad.a.u.net->family = family; 3830 ad.a.u.net->netif = skb->skb_iif; 3831 ipv6_skb_to_auditdata(skb, &ad.a, NULL); 3832 #endif /* CONFIG_AUDIT */ 3833 rc = smk_access(skp, ssp->smk_in, MAY_WRITE, &ad); 3834 rc = smk_bu_note("IPv6 delivery", skp, ssp->smk_in, 3835 MAY_WRITE, rc); 3836 #endif /* SMACK_IPV6_SECMARK_LABELING */ 3837 #ifdef SMACK_IPV6_PORT_LABELING 3838 rc = smk_ipv6_port_check(sk, &sadd, SMK_RECEIVING); 3839 #endif /* SMACK_IPV6_PORT_LABELING */ 3840 if (rc != 0) 3841 icmpv6_send(skb, ICMPV6_DEST_UNREACH, 3842 ICMPV6_ADM_PROHIBITED, 0); 3843 break; 3844 #endif /* CONFIG_IPV6 */ 3845 } 3846 3847 return rc; 3848 } 3849 3850 /** 3851 * smack_socket_getpeersec_stream - pull in packet label 3852 * @sock: the socket 3853 * @optval: user's destination 3854 * @optlen: size thereof 3855 * @len: max thereof 3856 * 3857 * returns zero on success, an error code otherwise 3858 */ 3859 static int smack_socket_getpeersec_stream(struct socket *sock, 3860 char __user *optval, 3861 int __user *optlen, unsigned len) 3862 { 3863 struct socket_smack *ssp; 3864 char *rcp = ""; 3865 int slen = 1; 3866 int rc = 0; 3867 3868 ssp = sock->sk->sk_security; 3869 if (ssp->smk_packet != NULL) { 3870 rcp = ssp->smk_packet->smk_known; 3871 slen = strlen(rcp) + 1; 3872 } 3873 3874 if (slen > len) 3875 rc = -ERANGE; 3876 else if (copy_to_user(optval, rcp, slen) != 0) 3877 rc = -EFAULT; 3878 3879 if (put_user(slen, optlen) != 0) 3880 rc = -EFAULT; 3881 3882 return rc; 3883 } 3884 3885 3886 /** 3887 * smack_socket_getpeersec_dgram - pull in packet label 3888 * @sock: the peer socket 3889 * @skb: packet data 3890 * @secid: pointer to where to put the secid of the packet 3891 * 3892 * Sets the netlabel socket state on sk from parent 3893 */ 3894 static int smack_socket_getpeersec_dgram(struct socket *sock, 3895 struct sk_buff *skb, u32 *secid) 3896 3897 { 3898 struct netlbl_lsm_secattr secattr; 3899 struct socket_smack *ssp = NULL; 3900 struct smack_known *skp; 3901 int family = PF_UNSPEC; 3902 u32 s = 0; /* 0 is the invalid secid */ 3903 int rc; 3904 3905 if (skb != NULL) { 3906 if (skb->protocol == htons(ETH_P_IP)) 3907 family = PF_INET; 3908 #if IS_ENABLED(CONFIG_IPV6) 3909 else if (skb->protocol == htons(ETH_P_IPV6)) 3910 family = PF_INET6; 3911 #endif /* CONFIG_IPV6 */ 3912 } 3913 if (family == PF_UNSPEC && sock != NULL) 3914 family = sock->sk->sk_family; 3915 3916 switch (family) { 3917 case PF_UNIX: 3918 ssp = sock->sk->sk_security; 3919 s = ssp->smk_out->smk_secid; 3920 break; 3921 case PF_INET: 3922 #ifdef CONFIG_SECURITY_SMACK_NETFILTER 3923 s = skb->secmark; 3924 if (s != 0) 3925 break; 3926 #endif 3927 /* 3928 * Translate what netlabel gave us. 3929 */ 3930 if (sock != NULL && sock->sk != NULL) 3931 ssp = sock->sk->sk_security; 3932 netlbl_secattr_init(&secattr); 3933 rc = netlbl_skbuff_getattr(skb, family, &secattr); 3934 if (rc == 0) { 3935 skp = smack_from_secattr(&secattr, ssp); 3936 s = skp->smk_secid; 3937 } 3938 netlbl_secattr_destroy(&secattr); 3939 break; 3940 case PF_INET6: 3941 #ifdef SMACK_IPV6_SECMARK_LABELING 3942 s = skb->secmark; 3943 #endif 3944 break; 3945 } 3946 *secid = s; 3947 if (s == 0) 3948 return -EINVAL; 3949 return 0; 3950 } 3951 3952 /** 3953 * smack_sock_graft - Initialize a newly created socket with an existing sock 3954 * @sk: child sock 3955 * @parent: parent socket 3956 * 3957 * Set the smk_{in,out} state of an existing sock based on the process that 3958 * is creating the new socket. 3959 */ 3960 static void smack_sock_graft(struct sock *sk, struct socket *parent) 3961 { 3962 struct socket_smack *ssp; 3963 struct smack_known *skp = smk_of_current(); 3964 3965 if (sk == NULL || 3966 (sk->sk_family != PF_INET && sk->sk_family != PF_INET6)) 3967 return; 3968 3969 ssp = sk->sk_security; 3970 ssp->smk_in = skp; 3971 ssp->smk_out = skp; 3972 /* cssp->smk_packet is already set in smack_inet_csk_clone() */ 3973 } 3974 3975 /** 3976 * smack_inet_conn_request - Smack access check on connect 3977 * @sk: socket involved 3978 * @skb: packet 3979 * @req: unused 3980 * 3981 * Returns 0 if a task with the packet label could write to 3982 * the socket, otherwise an error code 3983 */ 3984 static int smack_inet_conn_request(struct sock *sk, struct sk_buff *skb, 3985 struct request_sock *req) 3986 { 3987 u16 family = sk->sk_family; 3988 struct smack_known *skp; 3989 struct socket_smack *ssp = sk->sk_security; 3990 struct netlbl_lsm_secattr secattr; 3991 struct sockaddr_in addr; 3992 struct iphdr *hdr; 3993 struct smack_known *hskp; 3994 int rc; 3995 struct smk_audit_info ad; 3996 #ifdef CONFIG_AUDIT 3997 struct lsm_network_audit net; 3998 #endif 3999 4000 #if IS_ENABLED(CONFIG_IPV6) 4001 if (family == PF_INET6) { 4002 /* 4003 * Handle mapped IPv4 packets arriving 4004 * via IPv6 sockets. Don't set up netlabel 4005 * processing on IPv6. 4006 */ 4007 if (skb->protocol == htons(ETH_P_IP)) 4008 family = PF_INET; 4009 else 4010 return 0; 4011 } 4012 #endif /* CONFIG_IPV6 */ 4013 4014 #ifdef CONFIG_SECURITY_SMACK_NETFILTER 4015 /* 4016 * If there is a secmark use it rather than the CIPSO label. 4017 * If there is no secmark fall back to CIPSO. 4018 * The secmark is assumed to reflect policy better. 4019 */ 4020 if (skb && skb->secmark != 0) { 4021 skp = smack_from_secid(skb->secmark); 4022 goto access_check; 4023 } 4024 #endif /* CONFIG_SECURITY_SMACK_NETFILTER */ 4025 4026 netlbl_secattr_init(&secattr); 4027 rc = netlbl_skbuff_getattr(skb, family, &secattr); 4028 if (rc == 0) 4029 skp = smack_from_secattr(&secattr, ssp); 4030 else 4031 skp = &smack_known_huh; 4032 netlbl_secattr_destroy(&secattr); 4033 4034 #ifdef CONFIG_SECURITY_SMACK_NETFILTER 4035 access_check: 4036 #endif 4037 4038 #ifdef CONFIG_AUDIT 4039 smk_ad_init_net(&ad, __func__, LSM_AUDIT_DATA_NET, &net); 4040 ad.a.u.net->family = family; 4041 ad.a.u.net->netif = skb->skb_iif; 4042 ipv4_skb_to_auditdata(skb, &ad.a, NULL); 4043 #endif 4044 /* 4045 * Receiving a packet requires that the other end be able to write 4046 * here. Read access is not required. 4047 */ 4048 rc = smk_access(skp, ssp->smk_in, MAY_WRITE, &ad); 4049 rc = smk_bu_note("IPv4 connect", skp, ssp->smk_in, MAY_WRITE, rc); 4050 if (rc != 0) 4051 return rc; 4052 4053 /* 4054 * Save the peer's label in the request_sock so we can later setup 4055 * smk_packet in the child socket so that SO_PEERCRED can report it. 4056 */ 4057 req->peer_secid = skp->smk_secid; 4058 4059 /* 4060 * We need to decide if we want to label the incoming connection here 4061 * if we do we only need to label the request_sock and the stack will 4062 * propagate the wire-label to the sock when it is created. 4063 */ 4064 hdr = ip_hdr(skb); 4065 addr.sin_addr.s_addr = hdr->saddr; 4066 rcu_read_lock(); 4067 hskp = smack_ipv4host_label(&addr); 4068 rcu_read_unlock(); 4069 4070 if (hskp == NULL) 4071 rc = netlbl_req_setattr(req, &skp->smk_netlabel); 4072 else 4073 netlbl_req_delattr(req); 4074 4075 return rc; 4076 } 4077 4078 /** 4079 * smack_inet_csk_clone - Copy the connection information to the new socket 4080 * @sk: the new socket 4081 * @req: the connection's request_sock 4082 * 4083 * Transfer the connection's peer label to the newly created socket. 4084 */ 4085 static void smack_inet_csk_clone(struct sock *sk, 4086 const struct request_sock *req) 4087 { 4088 struct socket_smack *ssp = sk->sk_security; 4089 struct smack_known *skp; 4090 4091 if (req->peer_secid != 0) { 4092 skp = smack_from_secid(req->peer_secid); 4093 ssp->smk_packet = skp; 4094 } else 4095 ssp->smk_packet = NULL; 4096 } 4097 4098 /* 4099 * Key management security hooks 4100 * 4101 * Casey has not tested key support very heavily. 4102 * The permission check is most likely too restrictive. 4103 * If you care about keys please have a look. 4104 */ 4105 #ifdef CONFIG_KEYS 4106 4107 /** 4108 * smack_key_alloc - Set the key security blob 4109 * @key: object 4110 * @cred: the credentials to use 4111 * @flags: unused 4112 * 4113 * No allocation required 4114 * 4115 * Returns 0 4116 */ 4117 static int smack_key_alloc(struct key *key, const struct cred *cred, 4118 unsigned long flags) 4119 { 4120 struct smack_known *skp = smk_of_task(smack_cred(cred)); 4121 4122 key->security = skp; 4123 return 0; 4124 } 4125 4126 /** 4127 * smack_key_free - Clear the key security blob 4128 * @key: the object 4129 * 4130 * Clear the blob pointer 4131 */ 4132 static void smack_key_free(struct key *key) 4133 { 4134 key->security = NULL; 4135 } 4136 4137 /** 4138 * smack_key_permission - Smack access on a key 4139 * @key_ref: gets to the object 4140 * @cred: the credentials to use 4141 * @perm: requested key permissions 4142 * 4143 * Return 0 if the task has read and write to the object, 4144 * an error code otherwise 4145 */ 4146 static int smack_key_permission(key_ref_t key_ref, 4147 const struct cred *cred, unsigned perm) 4148 { 4149 struct key *keyp; 4150 struct smk_audit_info ad; 4151 struct smack_known *tkp = smk_of_task(smack_cred(cred)); 4152 int request = 0; 4153 int rc; 4154 4155 /* 4156 * Validate requested permissions 4157 */ 4158 if (perm & ~KEY_NEED_ALL) 4159 return -EINVAL; 4160 4161 keyp = key_ref_to_ptr(key_ref); 4162 if (keyp == NULL) 4163 return -EINVAL; 4164 /* 4165 * If the key hasn't been initialized give it access so that 4166 * it may do so. 4167 */ 4168 if (keyp->security == NULL) 4169 return 0; 4170 /* 4171 * This should not occur 4172 */ 4173 if (tkp == NULL) 4174 return -EACCES; 4175 4176 if (smack_privileged_cred(CAP_MAC_OVERRIDE, cred)) 4177 return 0; 4178 4179 #ifdef CONFIG_AUDIT 4180 smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_KEY); 4181 ad.a.u.key_struct.key = keyp->serial; 4182 ad.a.u.key_struct.key_desc = keyp->description; 4183 #endif 4184 if (perm & (KEY_NEED_READ | KEY_NEED_SEARCH | KEY_NEED_VIEW)) 4185 request |= MAY_READ; 4186 if (perm & (KEY_NEED_WRITE | KEY_NEED_LINK | KEY_NEED_SETATTR)) 4187 request |= MAY_WRITE; 4188 rc = smk_access(tkp, keyp->security, request, &ad); 4189 rc = smk_bu_note("key access", tkp, keyp->security, request, rc); 4190 return rc; 4191 } 4192 4193 /* 4194 * smack_key_getsecurity - Smack label tagging the key 4195 * @key points to the key to be queried 4196 * @_buffer points to a pointer that should be set to point to the 4197 * resulting string (if no label or an error occurs). 4198 * Return the length of the string (including terminating NUL) or -ve if 4199 * an error. 4200 * May also return 0 (and a NULL buffer pointer) if there is no label. 4201 */ 4202 static int smack_key_getsecurity(struct key *key, char **_buffer) 4203 { 4204 struct smack_known *skp = key->security; 4205 size_t length; 4206 char *copy; 4207 4208 if (key->security == NULL) { 4209 *_buffer = NULL; 4210 return 0; 4211 } 4212 4213 copy = kstrdup(skp->smk_known, GFP_KERNEL); 4214 if (copy == NULL) 4215 return -ENOMEM; 4216 length = strlen(copy) + 1; 4217 4218 *_buffer = copy; 4219 return length; 4220 } 4221 4222 #endif /* CONFIG_KEYS */ 4223 4224 /* 4225 * Smack Audit hooks 4226 * 4227 * Audit requires a unique representation of each Smack specific 4228 * rule. This unique representation is used to distinguish the 4229 * object to be audited from remaining kernel objects and also 4230 * works as a glue between the audit hooks. 4231 * 4232 * Since repository entries are added but never deleted, we'll use 4233 * the smack_known label address related to the given audit rule as 4234 * the needed unique representation. This also better fits the smack 4235 * model where nearly everything is a label. 4236 */ 4237 #ifdef CONFIG_AUDIT 4238 4239 /** 4240 * smack_audit_rule_init - Initialize a smack audit rule 4241 * @field: audit rule fields given from user-space (audit.h) 4242 * @op: required testing operator (=, !=, >, <, ...) 4243 * @rulestr: smack label to be audited 4244 * @vrule: pointer to save our own audit rule representation 4245 * 4246 * Prepare to audit cases where (@field @op @rulestr) is true. 4247 * The label to be audited is created if necessay. 4248 */ 4249 static int smack_audit_rule_init(u32 field, u32 op, char *rulestr, void **vrule) 4250 { 4251 struct smack_known *skp; 4252 char **rule = (char **)vrule; 4253 *rule = NULL; 4254 4255 if (field != AUDIT_SUBJ_USER && field != AUDIT_OBJ_USER) 4256 return -EINVAL; 4257 4258 if (op != Audit_equal && op != Audit_not_equal) 4259 return -EINVAL; 4260 4261 skp = smk_import_entry(rulestr, 0); 4262 if (IS_ERR(skp)) 4263 return PTR_ERR(skp); 4264 4265 *rule = skp->smk_known; 4266 4267 return 0; 4268 } 4269 4270 /** 4271 * smack_audit_rule_known - Distinguish Smack audit rules 4272 * @krule: rule of interest, in Audit kernel representation format 4273 * 4274 * This is used to filter Smack rules from remaining Audit ones. 4275 * If it's proved that this rule belongs to us, the 4276 * audit_rule_match hook will be called to do the final judgement. 4277 */ 4278 static int smack_audit_rule_known(struct audit_krule *krule) 4279 { 4280 struct audit_field *f; 4281 int i; 4282 4283 for (i = 0; i < krule->field_count; i++) { 4284 f = &krule->fields[i]; 4285 4286 if (f->type == AUDIT_SUBJ_USER || f->type == AUDIT_OBJ_USER) 4287 return 1; 4288 } 4289 4290 return 0; 4291 } 4292 4293 /** 4294 * smack_audit_rule_match - Audit given object ? 4295 * @secid: security id for identifying the object to test 4296 * @field: audit rule flags given from user-space 4297 * @op: required testing operator 4298 * @vrule: smack internal rule presentation 4299 * @actx: audit context associated with the check 4300 * 4301 * The core Audit hook. It's used to take the decision of 4302 * whether to audit or not to audit a given object. 4303 */ 4304 static int smack_audit_rule_match(u32 secid, u32 field, u32 op, void *vrule, 4305 struct audit_context *actx) 4306 { 4307 struct smack_known *skp; 4308 char *rule = vrule; 4309 4310 if (unlikely(!rule)) { 4311 WARN_ONCE(1, "Smack: missing rule\n"); 4312 return -ENOENT; 4313 } 4314 4315 if (field != AUDIT_SUBJ_USER && field != AUDIT_OBJ_USER) 4316 return 0; 4317 4318 skp = smack_from_secid(secid); 4319 4320 /* 4321 * No need to do string comparisons. If a match occurs, 4322 * both pointers will point to the same smack_known 4323 * label. 4324 */ 4325 if (op == Audit_equal) 4326 return (rule == skp->smk_known); 4327 if (op == Audit_not_equal) 4328 return (rule != skp->smk_known); 4329 4330 return 0; 4331 } 4332 4333 /* 4334 * There is no need for a smack_audit_rule_free hook. 4335 * No memory was allocated. 4336 */ 4337 4338 #endif /* CONFIG_AUDIT */ 4339 4340 /** 4341 * smack_ismaclabel - check if xattr @name references a smack MAC label 4342 * @name: Full xattr name to check. 4343 */ 4344 static int smack_ismaclabel(const char *name) 4345 { 4346 return (strcmp(name, XATTR_SMACK_SUFFIX) == 0); 4347 } 4348 4349 4350 /** 4351 * smack_secid_to_secctx - return the smack label for a secid 4352 * @secid: incoming integer 4353 * @secdata: destination 4354 * @seclen: how long it is 4355 * 4356 * Exists for networking code. 4357 */ 4358 static int smack_secid_to_secctx(u32 secid, char **secdata, u32 *seclen) 4359 { 4360 struct smack_known *skp = smack_from_secid(secid); 4361 4362 if (secdata) 4363 *secdata = skp->smk_known; 4364 *seclen = strlen(skp->smk_known); 4365 return 0; 4366 } 4367 4368 /** 4369 * smack_secctx_to_secid - return the secid for a smack label 4370 * @secdata: smack label 4371 * @seclen: how long result is 4372 * @secid: outgoing integer 4373 * 4374 * Exists for audit and networking code. 4375 */ 4376 static int smack_secctx_to_secid(const char *secdata, u32 seclen, u32 *secid) 4377 { 4378 struct smack_known *skp = smk_find_entry(secdata); 4379 4380 if (skp) 4381 *secid = skp->smk_secid; 4382 else 4383 *secid = 0; 4384 return 0; 4385 } 4386 4387 /* 4388 * There used to be a smack_release_secctx hook 4389 * that did nothing back when hooks were in a vector. 4390 * Now that there's a list such a hook adds cost. 4391 */ 4392 4393 static int smack_inode_notifysecctx(struct inode *inode, void *ctx, u32 ctxlen) 4394 { 4395 return smack_inode_setsecurity(inode, XATTR_SMACK_SUFFIX, ctx, ctxlen, 0); 4396 } 4397 4398 static int smack_inode_setsecctx(struct dentry *dentry, void *ctx, u32 ctxlen) 4399 { 4400 return __vfs_setxattr_noperm(dentry, XATTR_NAME_SMACK, ctx, ctxlen, 0); 4401 } 4402 4403 static int smack_inode_getsecctx(struct inode *inode, void **ctx, u32 *ctxlen) 4404 { 4405 struct smack_known *skp = smk_of_inode(inode); 4406 4407 *ctx = skp->smk_known; 4408 *ctxlen = strlen(skp->smk_known); 4409 return 0; 4410 } 4411 4412 static int smack_inode_copy_up(struct dentry *dentry, struct cred **new) 4413 { 4414 4415 struct task_smack *tsp; 4416 struct smack_known *skp; 4417 struct inode_smack *isp; 4418 struct cred *new_creds = *new; 4419 4420 if (new_creds == NULL) { 4421 new_creds = prepare_creds(); 4422 if (new_creds == NULL) 4423 return -ENOMEM; 4424 } 4425 4426 tsp = smack_cred(new_creds); 4427 4428 /* 4429 * Get label from overlay inode and set it in create_sid 4430 */ 4431 isp = smack_inode(d_inode(dentry->d_parent)); 4432 skp = isp->smk_inode; 4433 tsp->smk_task = skp; 4434 *new = new_creds; 4435 return 0; 4436 } 4437 4438 static int smack_inode_copy_up_xattr(const char *name) 4439 { 4440 /* 4441 * Return 1 if this is the smack access Smack attribute. 4442 */ 4443 if (strcmp(name, XATTR_NAME_SMACK) == 0) 4444 return 1; 4445 4446 return -EOPNOTSUPP; 4447 } 4448 4449 static int smack_dentry_create_files_as(struct dentry *dentry, int mode, 4450 struct qstr *name, 4451 const struct cred *old, 4452 struct cred *new) 4453 { 4454 struct task_smack *otsp = smack_cred(old); 4455 struct task_smack *ntsp = smack_cred(new); 4456 struct inode_smack *isp; 4457 int may; 4458 4459 /* 4460 * Use the process credential unless all of 4461 * the transmuting criteria are met 4462 */ 4463 ntsp->smk_task = otsp->smk_task; 4464 4465 /* 4466 * the attribute of the containing directory 4467 */ 4468 isp = smack_inode(d_inode(dentry->d_parent)); 4469 4470 if (isp->smk_flags & SMK_INODE_TRANSMUTE) { 4471 rcu_read_lock(); 4472 may = smk_access_entry(otsp->smk_task->smk_known, 4473 isp->smk_inode->smk_known, 4474 &otsp->smk_task->smk_rules); 4475 rcu_read_unlock(); 4476 4477 /* 4478 * If the directory is transmuting and the rule 4479 * providing access is transmuting use the containing 4480 * directory label instead of the process label. 4481 */ 4482 if (may > 0 && (may & MAY_TRANSMUTE)) 4483 ntsp->smk_task = isp->smk_inode; 4484 } 4485 return 0; 4486 } 4487 4488 struct lsm_blob_sizes smack_blob_sizes __lsm_ro_after_init = { 4489 .lbs_cred = sizeof(struct task_smack), 4490 .lbs_file = sizeof(struct smack_known *), 4491 .lbs_inode = sizeof(struct inode_smack), 4492 .lbs_ipc = sizeof(struct smack_known *), 4493 .lbs_msg_msg = sizeof(struct smack_known *), 4494 }; 4495 4496 static struct security_hook_list smack_hooks[] __lsm_ro_after_init = { 4497 LSM_HOOK_INIT(ptrace_access_check, smack_ptrace_access_check), 4498 LSM_HOOK_INIT(ptrace_traceme, smack_ptrace_traceme), 4499 LSM_HOOK_INIT(syslog, smack_syslog), 4500 4501 LSM_HOOK_INIT(sb_alloc_security, smack_sb_alloc_security), 4502 LSM_HOOK_INIT(sb_free_security, smack_sb_free_security), 4503 LSM_HOOK_INIT(sb_free_mnt_opts, smack_free_mnt_opts), 4504 LSM_HOOK_INIT(sb_eat_lsm_opts, smack_sb_eat_lsm_opts), 4505 LSM_HOOK_INIT(sb_statfs, smack_sb_statfs), 4506 LSM_HOOK_INIT(sb_set_mnt_opts, smack_set_mnt_opts), 4507 4508 LSM_HOOK_INIT(bprm_set_creds, smack_bprm_set_creds), 4509 4510 LSM_HOOK_INIT(inode_alloc_security, smack_inode_alloc_security), 4511 LSM_HOOK_INIT(inode_init_security, smack_inode_init_security), 4512 LSM_HOOK_INIT(inode_link, smack_inode_link), 4513 LSM_HOOK_INIT(inode_unlink, smack_inode_unlink), 4514 LSM_HOOK_INIT(inode_rmdir, smack_inode_rmdir), 4515 LSM_HOOK_INIT(inode_rename, smack_inode_rename), 4516 LSM_HOOK_INIT(inode_permission, smack_inode_permission), 4517 LSM_HOOK_INIT(inode_setattr, smack_inode_setattr), 4518 LSM_HOOK_INIT(inode_getattr, smack_inode_getattr), 4519 LSM_HOOK_INIT(inode_setxattr, smack_inode_setxattr), 4520 LSM_HOOK_INIT(inode_post_setxattr, smack_inode_post_setxattr), 4521 LSM_HOOK_INIT(inode_getxattr, smack_inode_getxattr), 4522 LSM_HOOK_INIT(inode_removexattr, smack_inode_removexattr), 4523 LSM_HOOK_INIT(inode_getsecurity, smack_inode_getsecurity), 4524 LSM_HOOK_INIT(inode_setsecurity, smack_inode_setsecurity), 4525 LSM_HOOK_INIT(inode_listsecurity, smack_inode_listsecurity), 4526 LSM_HOOK_INIT(inode_getsecid, smack_inode_getsecid), 4527 4528 LSM_HOOK_INIT(file_alloc_security, smack_file_alloc_security), 4529 LSM_HOOK_INIT(file_ioctl, smack_file_ioctl), 4530 LSM_HOOK_INIT(file_lock, smack_file_lock), 4531 LSM_HOOK_INIT(file_fcntl, smack_file_fcntl), 4532 LSM_HOOK_INIT(mmap_file, smack_mmap_file), 4533 LSM_HOOK_INIT(mmap_addr, cap_mmap_addr), 4534 LSM_HOOK_INIT(file_set_fowner, smack_file_set_fowner), 4535 LSM_HOOK_INIT(file_send_sigiotask, smack_file_send_sigiotask), 4536 LSM_HOOK_INIT(file_receive, smack_file_receive), 4537 4538 LSM_HOOK_INIT(file_open, smack_file_open), 4539 4540 LSM_HOOK_INIT(cred_alloc_blank, smack_cred_alloc_blank), 4541 LSM_HOOK_INIT(cred_free, smack_cred_free), 4542 LSM_HOOK_INIT(cred_prepare, smack_cred_prepare), 4543 LSM_HOOK_INIT(cred_transfer, smack_cred_transfer), 4544 LSM_HOOK_INIT(cred_getsecid, smack_cred_getsecid), 4545 LSM_HOOK_INIT(kernel_act_as, smack_kernel_act_as), 4546 LSM_HOOK_INIT(kernel_create_files_as, smack_kernel_create_files_as), 4547 LSM_HOOK_INIT(task_setpgid, smack_task_setpgid), 4548 LSM_HOOK_INIT(task_getpgid, smack_task_getpgid), 4549 LSM_HOOK_INIT(task_getsid, smack_task_getsid), 4550 LSM_HOOK_INIT(task_getsecid, smack_task_getsecid), 4551 LSM_HOOK_INIT(task_setnice, smack_task_setnice), 4552 LSM_HOOK_INIT(task_setioprio, smack_task_setioprio), 4553 LSM_HOOK_INIT(task_getioprio, smack_task_getioprio), 4554 LSM_HOOK_INIT(task_setscheduler, smack_task_setscheduler), 4555 LSM_HOOK_INIT(task_getscheduler, smack_task_getscheduler), 4556 LSM_HOOK_INIT(task_movememory, smack_task_movememory), 4557 LSM_HOOK_INIT(task_kill, smack_task_kill), 4558 LSM_HOOK_INIT(task_to_inode, smack_task_to_inode), 4559 4560 LSM_HOOK_INIT(ipc_permission, smack_ipc_permission), 4561 LSM_HOOK_INIT(ipc_getsecid, smack_ipc_getsecid), 4562 4563 LSM_HOOK_INIT(msg_msg_alloc_security, smack_msg_msg_alloc_security), 4564 4565 LSM_HOOK_INIT(msg_queue_alloc_security, smack_ipc_alloc_security), 4566 LSM_HOOK_INIT(msg_queue_associate, smack_msg_queue_associate), 4567 LSM_HOOK_INIT(msg_queue_msgctl, smack_msg_queue_msgctl), 4568 LSM_HOOK_INIT(msg_queue_msgsnd, smack_msg_queue_msgsnd), 4569 LSM_HOOK_INIT(msg_queue_msgrcv, smack_msg_queue_msgrcv), 4570 4571 LSM_HOOK_INIT(shm_alloc_security, smack_ipc_alloc_security), 4572 LSM_HOOK_INIT(shm_associate, smack_shm_associate), 4573 LSM_HOOK_INIT(shm_shmctl, smack_shm_shmctl), 4574 LSM_HOOK_INIT(shm_shmat, smack_shm_shmat), 4575 4576 LSM_HOOK_INIT(sem_alloc_security, smack_ipc_alloc_security), 4577 LSM_HOOK_INIT(sem_associate, smack_sem_associate), 4578 LSM_HOOK_INIT(sem_semctl, smack_sem_semctl), 4579 LSM_HOOK_INIT(sem_semop, smack_sem_semop), 4580 4581 LSM_HOOK_INIT(d_instantiate, smack_d_instantiate), 4582 4583 LSM_HOOK_INIT(getprocattr, smack_getprocattr), 4584 LSM_HOOK_INIT(setprocattr, smack_setprocattr), 4585 4586 LSM_HOOK_INIT(unix_stream_connect, smack_unix_stream_connect), 4587 LSM_HOOK_INIT(unix_may_send, smack_unix_may_send), 4588 4589 LSM_HOOK_INIT(socket_post_create, smack_socket_post_create), 4590 LSM_HOOK_INIT(socket_socketpair, smack_socket_socketpair), 4591 #ifdef SMACK_IPV6_PORT_LABELING 4592 LSM_HOOK_INIT(socket_bind, smack_socket_bind), 4593 #endif 4594 LSM_HOOK_INIT(socket_connect, smack_socket_connect), 4595 LSM_HOOK_INIT(socket_sendmsg, smack_socket_sendmsg), 4596 LSM_HOOK_INIT(socket_sock_rcv_skb, smack_socket_sock_rcv_skb), 4597 LSM_HOOK_INIT(socket_getpeersec_stream, smack_socket_getpeersec_stream), 4598 LSM_HOOK_INIT(socket_getpeersec_dgram, smack_socket_getpeersec_dgram), 4599 LSM_HOOK_INIT(sk_alloc_security, smack_sk_alloc_security), 4600 LSM_HOOK_INIT(sk_free_security, smack_sk_free_security), 4601 LSM_HOOK_INIT(sock_graft, smack_sock_graft), 4602 LSM_HOOK_INIT(inet_conn_request, smack_inet_conn_request), 4603 LSM_HOOK_INIT(inet_csk_clone, smack_inet_csk_clone), 4604 4605 /* key management security hooks */ 4606 #ifdef CONFIG_KEYS 4607 LSM_HOOK_INIT(key_alloc, smack_key_alloc), 4608 LSM_HOOK_INIT(key_free, smack_key_free), 4609 LSM_HOOK_INIT(key_permission, smack_key_permission), 4610 LSM_HOOK_INIT(key_getsecurity, smack_key_getsecurity), 4611 #endif /* CONFIG_KEYS */ 4612 4613 /* Audit hooks */ 4614 #ifdef CONFIG_AUDIT 4615 LSM_HOOK_INIT(audit_rule_init, smack_audit_rule_init), 4616 LSM_HOOK_INIT(audit_rule_known, smack_audit_rule_known), 4617 LSM_HOOK_INIT(audit_rule_match, smack_audit_rule_match), 4618 #endif /* CONFIG_AUDIT */ 4619 4620 LSM_HOOK_INIT(ismaclabel, smack_ismaclabel), 4621 LSM_HOOK_INIT(secid_to_secctx, smack_secid_to_secctx), 4622 LSM_HOOK_INIT(secctx_to_secid, smack_secctx_to_secid), 4623 LSM_HOOK_INIT(inode_notifysecctx, smack_inode_notifysecctx), 4624 LSM_HOOK_INIT(inode_setsecctx, smack_inode_setsecctx), 4625 LSM_HOOK_INIT(inode_getsecctx, smack_inode_getsecctx), 4626 LSM_HOOK_INIT(inode_copy_up, smack_inode_copy_up), 4627 LSM_HOOK_INIT(inode_copy_up_xattr, smack_inode_copy_up_xattr), 4628 LSM_HOOK_INIT(dentry_create_files_as, smack_dentry_create_files_as), 4629 }; 4630 4631 4632 static __init void init_smack_known_list(void) 4633 { 4634 /* 4635 * Initialize rule list locks 4636 */ 4637 mutex_init(&smack_known_huh.smk_rules_lock); 4638 mutex_init(&smack_known_hat.smk_rules_lock); 4639 mutex_init(&smack_known_floor.smk_rules_lock); 4640 mutex_init(&smack_known_star.smk_rules_lock); 4641 mutex_init(&smack_known_web.smk_rules_lock); 4642 /* 4643 * Initialize rule lists 4644 */ 4645 INIT_LIST_HEAD(&smack_known_huh.smk_rules); 4646 INIT_LIST_HEAD(&smack_known_hat.smk_rules); 4647 INIT_LIST_HEAD(&smack_known_star.smk_rules); 4648 INIT_LIST_HEAD(&smack_known_floor.smk_rules); 4649 INIT_LIST_HEAD(&smack_known_web.smk_rules); 4650 /* 4651 * Create the known labels list 4652 */ 4653 smk_insert_entry(&smack_known_huh); 4654 smk_insert_entry(&smack_known_hat); 4655 smk_insert_entry(&smack_known_star); 4656 smk_insert_entry(&smack_known_floor); 4657 smk_insert_entry(&smack_known_web); 4658 } 4659 4660 /** 4661 * smack_init - initialize the smack system 4662 * 4663 * Returns 0 4664 */ 4665 static __init int smack_init(void) 4666 { 4667 struct cred *cred = (struct cred *) current->cred; 4668 struct task_smack *tsp; 4669 4670 smack_inode_cache = KMEM_CACHE(inode_smack, 0); 4671 if (!smack_inode_cache) 4672 return -ENOMEM; 4673 4674 /* 4675 * Set the security state for the initial task. 4676 */ 4677 tsp = smack_cred(cred); 4678 init_task_smack(tsp, &smack_known_floor, &smack_known_floor); 4679 4680 /* 4681 * Register with LSM 4682 */ 4683 security_add_hooks(smack_hooks, ARRAY_SIZE(smack_hooks), "smack"); 4684 smack_enabled = 1; 4685 4686 pr_info("Smack: Initializing.\n"); 4687 #ifdef CONFIG_SECURITY_SMACK_NETFILTER 4688 pr_info("Smack: Netfilter enabled.\n"); 4689 #endif 4690 #ifdef SMACK_IPV6_PORT_LABELING 4691 pr_info("Smack: IPv6 port labeling enabled.\n"); 4692 #endif 4693 #ifdef SMACK_IPV6_SECMARK_LABELING 4694 pr_info("Smack: IPv6 Netfilter enabled.\n"); 4695 #endif 4696 4697 /* initialize the smack_known_list */ 4698 init_smack_known_list(); 4699 4700 return 0; 4701 } 4702 4703 /* 4704 * Smack requires early initialization in order to label 4705 * all processes and objects when they are created. 4706 */ 4707 DEFINE_LSM(smack) = { 4708 .name = "smack", 4709 .flags = LSM_FLAG_LEGACY_MAJOR | LSM_FLAG_EXCLUSIVE, 4710 .blobs = &smack_blob_sizes, 4711 .init = smack_init, 4712 }; 4713