1 /* 2 * Simplified MAC Kernel (smack) security module 3 * 4 * This file contains the smack hook function implementations. 5 * 6 * Authors: 7 * Casey Schaufler <casey@schaufler-ca.com> 8 * Jarkko Sakkinen <ext-jarkko.2.sakkinen@nokia.com> 9 * 10 * Copyright (C) 2007 Casey Schaufler <casey@schaufler-ca.com> 11 * Copyright (C) 2009 Hewlett-Packard Development Company, L.P. 12 * Paul Moore <paul.moore@hp.com> 13 * Copyright (C) 2010 Nokia Corporation 14 * 15 * This program is free software; you can redistribute it and/or modify 16 * it under the terms of the GNU General Public License version 2, 17 * as published by the Free Software Foundation. 18 */ 19 20 #include <linux/xattr.h> 21 #include <linux/pagemap.h> 22 #include <linux/mount.h> 23 #include <linux/stat.h> 24 #include <linux/kd.h> 25 #include <asm/ioctls.h> 26 #include <linux/ip.h> 27 #include <linux/tcp.h> 28 #include <linux/udp.h> 29 #include <linux/slab.h> 30 #include <linux/mutex.h> 31 #include <linux/pipe_fs_i.h> 32 #include <net/netlabel.h> 33 #include <net/cipso_ipv4.h> 34 #include <linux/audit.h> 35 #include <linux/magic.h> 36 #include "smack.h" 37 38 #define task_security(task) (task_cred_xxx((task), security)) 39 40 #define TRANS_TRUE "TRUE" 41 #define TRANS_TRUE_SIZE 4 42 43 /** 44 * smk_fetch - Fetch the smack label from a file. 45 * @ip: a pointer to the inode 46 * @dp: a pointer to the dentry 47 * 48 * Returns a pointer to the master list entry for the Smack label 49 * or NULL if there was no label to fetch. 50 */ 51 static char *smk_fetch(const char *name, struct inode *ip, struct dentry *dp) 52 { 53 int rc; 54 char in[SMK_LABELLEN]; 55 56 if (ip->i_op->getxattr == NULL) 57 return NULL; 58 59 rc = ip->i_op->getxattr(dp, name, in, SMK_LABELLEN); 60 if (rc < 0) 61 return NULL; 62 63 return smk_import(in, rc); 64 } 65 66 /** 67 * new_inode_smack - allocate an inode security blob 68 * @smack: a pointer to the Smack label to use in the blob 69 * 70 * Returns the new blob or NULL if there's no memory available 71 */ 72 struct inode_smack *new_inode_smack(char *smack) 73 { 74 struct inode_smack *isp; 75 76 isp = kzalloc(sizeof(struct inode_smack), GFP_KERNEL); 77 if (isp == NULL) 78 return NULL; 79 80 isp->smk_inode = smack; 81 isp->smk_flags = 0; 82 mutex_init(&isp->smk_lock); 83 84 return isp; 85 } 86 87 /* 88 * LSM hooks. 89 * We he, that is fun! 90 */ 91 92 /** 93 * smack_ptrace_access_check - Smack approval on PTRACE_ATTACH 94 * @ctp: child task pointer 95 * @mode: ptrace attachment mode 96 * 97 * Returns 0 if access is OK, an error code otherwise 98 * 99 * Do the capability checks, and require read and write. 100 */ 101 static int smack_ptrace_access_check(struct task_struct *ctp, unsigned int mode) 102 { 103 int rc; 104 struct smk_audit_info ad; 105 char *sp, *tsp; 106 107 rc = cap_ptrace_access_check(ctp, mode); 108 if (rc != 0) 109 return rc; 110 111 sp = smk_of_current(); 112 tsp = smk_of_task(task_security(ctp)); 113 smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_TASK); 114 smk_ad_setfield_u_tsk(&ad, ctp); 115 116 /* we won't log here, because rc can be overriden */ 117 rc = smk_access(sp, tsp, MAY_READWRITE, NULL); 118 if (rc != 0 && capable(CAP_MAC_OVERRIDE)) 119 rc = 0; 120 121 smack_log(sp, tsp, MAY_READWRITE, rc, &ad); 122 return rc; 123 } 124 125 /** 126 * smack_ptrace_traceme - Smack approval on PTRACE_TRACEME 127 * @ptp: parent task pointer 128 * 129 * Returns 0 if access is OK, an error code otherwise 130 * 131 * Do the capability checks, and require read and write. 132 */ 133 static int smack_ptrace_traceme(struct task_struct *ptp) 134 { 135 int rc; 136 struct smk_audit_info ad; 137 char *sp, *tsp; 138 139 rc = cap_ptrace_traceme(ptp); 140 if (rc != 0) 141 return rc; 142 143 smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_TASK); 144 smk_ad_setfield_u_tsk(&ad, ptp); 145 146 sp = smk_of_current(); 147 tsp = smk_of_task(task_security(ptp)); 148 /* we won't log here, because rc can be overriden */ 149 rc = smk_access(tsp, sp, MAY_READWRITE, NULL); 150 if (rc != 0 && has_capability(ptp, CAP_MAC_OVERRIDE)) 151 rc = 0; 152 153 smack_log(tsp, sp, MAY_READWRITE, rc, &ad); 154 return rc; 155 } 156 157 /** 158 * smack_syslog - Smack approval on syslog 159 * @type: message type 160 * 161 * Require that the task has the floor label 162 * 163 * Returns 0 on success, error code otherwise. 164 */ 165 static int smack_syslog(int typefrom_file) 166 { 167 int rc = 0; 168 char *sp = smk_of_current(); 169 170 if (capable(CAP_MAC_OVERRIDE)) 171 return 0; 172 173 if (sp != smack_known_floor.smk_known) 174 rc = -EACCES; 175 176 return rc; 177 } 178 179 180 /* 181 * Superblock Hooks. 182 */ 183 184 /** 185 * smack_sb_alloc_security - allocate a superblock blob 186 * @sb: the superblock getting the blob 187 * 188 * Returns 0 on success or -ENOMEM on error. 189 */ 190 static int smack_sb_alloc_security(struct super_block *sb) 191 { 192 struct superblock_smack *sbsp; 193 194 sbsp = kzalloc(sizeof(struct superblock_smack), GFP_KERNEL); 195 196 if (sbsp == NULL) 197 return -ENOMEM; 198 199 sbsp->smk_root = smack_known_floor.smk_known; 200 sbsp->smk_default = smack_known_floor.smk_known; 201 sbsp->smk_floor = smack_known_floor.smk_known; 202 sbsp->smk_hat = smack_known_hat.smk_known; 203 sbsp->smk_initialized = 0; 204 spin_lock_init(&sbsp->smk_sblock); 205 206 sb->s_security = sbsp; 207 208 return 0; 209 } 210 211 /** 212 * smack_sb_free_security - free a superblock blob 213 * @sb: the superblock getting the blob 214 * 215 */ 216 static void smack_sb_free_security(struct super_block *sb) 217 { 218 kfree(sb->s_security); 219 sb->s_security = NULL; 220 } 221 222 /** 223 * smack_sb_copy_data - copy mount options data for processing 224 * @orig: where to start 225 * @smackopts: mount options string 226 * 227 * Returns 0 on success or -ENOMEM on error. 228 * 229 * Copy the Smack specific mount options out of the mount 230 * options list. 231 */ 232 static int smack_sb_copy_data(char *orig, char *smackopts) 233 { 234 char *cp, *commap, *otheropts, *dp; 235 236 otheropts = (char *)get_zeroed_page(GFP_KERNEL); 237 if (otheropts == NULL) 238 return -ENOMEM; 239 240 for (cp = orig, commap = orig; commap != NULL; cp = commap + 1) { 241 if (strstr(cp, SMK_FSDEFAULT) == cp) 242 dp = smackopts; 243 else if (strstr(cp, SMK_FSFLOOR) == cp) 244 dp = smackopts; 245 else if (strstr(cp, SMK_FSHAT) == cp) 246 dp = smackopts; 247 else if (strstr(cp, SMK_FSROOT) == cp) 248 dp = smackopts; 249 else 250 dp = otheropts; 251 252 commap = strchr(cp, ','); 253 if (commap != NULL) 254 *commap = '\0'; 255 256 if (*dp != '\0') 257 strcat(dp, ","); 258 strcat(dp, cp); 259 } 260 261 strcpy(orig, otheropts); 262 free_page((unsigned long)otheropts); 263 264 return 0; 265 } 266 267 /** 268 * smack_sb_kern_mount - Smack specific mount processing 269 * @sb: the file system superblock 270 * @flags: the mount flags 271 * @data: the smack mount options 272 * 273 * Returns 0 on success, an error code on failure 274 */ 275 static int smack_sb_kern_mount(struct super_block *sb, int flags, void *data) 276 { 277 struct dentry *root = sb->s_root; 278 struct inode *inode = root->d_inode; 279 struct superblock_smack *sp = sb->s_security; 280 struct inode_smack *isp; 281 char *op; 282 char *commap; 283 char *nsp; 284 285 spin_lock(&sp->smk_sblock); 286 if (sp->smk_initialized != 0) { 287 spin_unlock(&sp->smk_sblock); 288 return 0; 289 } 290 sp->smk_initialized = 1; 291 spin_unlock(&sp->smk_sblock); 292 293 for (op = data; op != NULL; op = commap) { 294 commap = strchr(op, ','); 295 if (commap != NULL) 296 *commap++ = '\0'; 297 298 if (strncmp(op, SMK_FSHAT, strlen(SMK_FSHAT)) == 0) { 299 op += strlen(SMK_FSHAT); 300 nsp = smk_import(op, 0); 301 if (nsp != NULL) 302 sp->smk_hat = nsp; 303 } else if (strncmp(op, SMK_FSFLOOR, strlen(SMK_FSFLOOR)) == 0) { 304 op += strlen(SMK_FSFLOOR); 305 nsp = smk_import(op, 0); 306 if (nsp != NULL) 307 sp->smk_floor = nsp; 308 } else if (strncmp(op, SMK_FSDEFAULT, 309 strlen(SMK_FSDEFAULT)) == 0) { 310 op += strlen(SMK_FSDEFAULT); 311 nsp = smk_import(op, 0); 312 if (nsp != NULL) 313 sp->smk_default = nsp; 314 } else if (strncmp(op, SMK_FSROOT, strlen(SMK_FSROOT)) == 0) { 315 op += strlen(SMK_FSROOT); 316 nsp = smk_import(op, 0); 317 if (nsp != NULL) 318 sp->smk_root = nsp; 319 } 320 } 321 322 /* 323 * Initialize the root inode. 324 */ 325 isp = inode->i_security; 326 if (isp == NULL) 327 inode->i_security = new_inode_smack(sp->smk_root); 328 else 329 isp->smk_inode = sp->smk_root; 330 331 return 0; 332 } 333 334 /** 335 * smack_sb_statfs - Smack check on statfs 336 * @dentry: identifies the file system in question 337 * 338 * Returns 0 if current can read the floor of the filesystem, 339 * and error code otherwise 340 */ 341 static int smack_sb_statfs(struct dentry *dentry) 342 { 343 struct superblock_smack *sbp = dentry->d_sb->s_security; 344 int rc; 345 struct smk_audit_info ad; 346 347 smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_FS); 348 smk_ad_setfield_u_fs_path_dentry(&ad, dentry); 349 350 rc = smk_curacc(sbp->smk_floor, MAY_READ, &ad); 351 return rc; 352 } 353 354 /** 355 * smack_sb_mount - Smack check for mounting 356 * @dev_name: unused 357 * @path: mount point 358 * @type: unused 359 * @flags: unused 360 * @data: unused 361 * 362 * Returns 0 if current can write the floor of the filesystem 363 * being mounted on, an error code otherwise. 364 */ 365 static int smack_sb_mount(char *dev_name, struct path *path, 366 char *type, unsigned long flags, void *data) 367 { 368 struct superblock_smack *sbp = path->mnt->mnt_sb->s_security; 369 struct smk_audit_info ad; 370 371 smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_FS); 372 smk_ad_setfield_u_fs_path(&ad, *path); 373 374 return smk_curacc(sbp->smk_floor, MAY_WRITE, &ad); 375 } 376 377 /** 378 * smack_sb_umount - Smack check for unmounting 379 * @mnt: file system to unmount 380 * @flags: unused 381 * 382 * Returns 0 if current can write the floor of the filesystem 383 * being unmounted, an error code otherwise. 384 */ 385 static int smack_sb_umount(struct vfsmount *mnt, int flags) 386 { 387 struct superblock_smack *sbp; 388 struct smk_audit_info ad; 389 390 smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_FS); 391 smk_ad_setfield_u_fs_path_dentry(&ad, mnt->mnt_root); 392 smk_ad_setfield_u_fs_path_mnt(&ad, mnt); 393 394 sbp = mnt->mnt_sb->s_security; 395 return smk_curacc(sbp->smk_floor, MAY_WRITE, &ad); 396 } 397 398 /* 399 * BPRM hooks 400 */ 401 402 static int smack_bprm_set_creds(struct linux_binprm *bprm) 403 { 404 struct task_smack *tsp = bprm->cred->security; 405 struct inode_smack *isp; 406 struct dentry *dp; 407 int rc; 408 409 rc = cap_bprm_set_creds(bprm); 410 if (rc != 0) 411 return rc; 412 413 if (bprm->cred_prepared) 414 return 0; 415 416 if (bprm->file == NULL || bprm->file->f_dentry == NULL) 417 return 0; 418 419 dp = bprm->file->f_dentry; 420 421 if (dp->d_inode == NULL) 422 return 0; 423 424 isp = dp->d_inode->i_security; 425 426 if (isp->smk_task != NULL) 427 tsp->smk_task = isp->smk_task; 428 429 return 0; 430 } 431 432 /* 433 * Inode hooks 434 */ 435 436 /** 437 * smack_inode_alloc_security - allocate an inode blob 438 * @inode: the inode in need of a blob 439 * 440 * Returns 0 if it gets a blob, -ENOMEM otherwise 441 */ 442 static int smack_inode_alloc_security(struct inode *inode) 443 { 444 inode->i_security = new_inode_smack(smk_of_current()); 445 if (inode->i_security == NULL) 446 return -ENOMEM; 447 return 0; 448 } 449 450 /** 451 * smack_inode_free_security - free an inode blob 452 * @inode: the inode with a blob 453 * 454 * Clears the blob pointer in inode 455 */ 456 static void smack_inode_free_security(struct inode *inode) 457 { 458 kfree(inode->i_security); 459 inode->i_security = NULL; 460 } 461 462 /** 463 * smack_inode_init_security - copy out the smack from an inode 464 * @inode: the inode 465 * @dir: unused 466 * @name: where to put the attribute name 467 * @value: where to put the attribute value 468 * @len: where to put the length of the attribute 469 * 470 * Returns 0 if it all works out, -ENOMEM if there's no memory 471 */ 472 static int smack_inode_init_security(struct inode *inode, struct inode *dir, 473 char **name, void **value, size_t *len) 474 { 475 char *isp = smk_of_inode(inode); 476 char *dsp = smk_of_inode(dir); 477 u32 may; 478 479 if (name) { 480 *name = kstrdup(XATTR_SMACK_SUFFIX, GFP_KERNEL); 481 if (*name == NULL) 482 return -ENOMEM; 483 } 484 485 if (value) { 486 may = smk_access_entry(smk_of_current(), dsp); 487 488 /* 489 * If the access rule allows transmutation and 490 * the directory requests transmutation then 491 * by all means transmute. 492 */ 493 if (((may & MAY_TRANSMUTE) != 0) && smk_inode_transmutable(dir)) 494 isp = dsp; 495 496 *value = kstrdup(isp, GFP_KERNEL); 497 if (*value == NULL) 498 return -ENOMEM; 499 } 500 501 if (len) 502 *len = strlen(isp) + 1; 503 504 return 0; 505 } 506 507 /** 508 * smack_inode_link - Smack check on link 509 * @old_dentry: the existing object 510 * @dir: unused 511 * @new_dentry: the new object 512 * 513 * Returns 0 if access is permitted, an error code otherwise 514 */ 515 static int smack_inode_link(struct dentry *old_dentry, struct inode *dir, 516 struct dentry *new_dentry) 517 { 518 char *isp; 519 struct smk_audit_info ad; 520 int rc; 521 522 smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_FS); 523 smk_ad_setfield_u_fs_path_dentry(&ad, old_dentry); 524 525 isp = smk_of_inode(old_dentry->d_inode); 526 rc = smk_curacc(isp, MAY_WRITE, &ad); 527 528 if (rc == 0 && new_dentry->d_inode != NULL) { 529 isp = smk_of_inode(new_dentry->d_inode); 530 smk_ad_setfield_u_fs_path_dentry(&ad, new_dentry); 531 rc = smk_curacc(isp, MAY_WRITE, &ad); 532 } 533 534 return rc; 535 } 536 537 /** 538 * smack_inode_unlink - Smack check on inode deletion 539 * @dir: containing directory object 540 * @dentry: file to unlink 541 * 542 * Returns 0 if current can write the containing directory 543 * and the object, error code otherwise 544 */ 545 static int smack_inode_unlink(struct inode *dir, struct dentry *dentry) 546 { 547 struct inode *ip = dentry->d_inode; 548 struct smk_audit_info ad; 549 int rc; 550 551 smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_FS); 552 smk_ad_setfield_u_fs_path_dentry(&ad, dentry); 553 554 /* 555 * You need write access to the thing you're unlinking 556 */ 557 rc = smk_curacc(smk_of_inode(ip), MAY_WRITE, &ad); 558 if (rc == 0) { 559 /* 560 * You also need write access to the containing directory 561 */ 562 smk_ad_setfield_u_fs_path_dentry(&ad, NULL); 563 smk_ad_setfield_u_fs_inode(&ad, dir); 564 rc = smk_curacc(smk_of_inode(dir), MAY_WRITE, &ad); 565 } 566 return rc; 567 } 568 569 /** 570 * smack_inode_rmdir - Smack check on directory deletion 571 * @dir: containing directory object 572 * @dentry: directory to unlink 573 * 574 * Returns 0 if current can write the containing directory 575 * and the directory, error code otherwise 576 */ 577 static int smack_inode_rmdir(struct inode *dir, struct dentry *dentry) 578 { 579 struct smk_audit_info ad; 580 int rc; 581 582 smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_FS); 583 smk_ad_setfield_u_fs_path_dentry(&ad, dentry); 584 585 /* 586 * You need write access to the thing you're removing 587 */ 588 rc = smk_curacc(smk_of_inode(dentry->d_inode), MAY_WRITE, &ad); 589 if (rc == 0) { 590 /* 591 * You also need write access to the containing directory 592 */ 593 smk_ad_setfield_u_fs_path_dentry(&ad, NULL); 594 smk_ad_setfield_u_fs_inode(&ad, dir); 595 rc = smk_curacc(smk_of_inode(dir), MAY_WRITE, &ad); 596 } 597 598 return rc; 599 } 600 601 /** 602 * smack_inode_rename - Smack check on rename 603 * @old_inode: the old directory 604 * @old_dentry: unused 605 * @new_inode: the new directory 606 * @new_dentry: unused 607 * 608 * Read and write access is required on both the old and 609 * new directories. 610 * 611 * Returns 0 if access is permitted, an error code otherwise 612 */ 613 static int smack_inode_rename(struct inode *old_inode, 614 struct dentry *old_dentry, 615 struct inode *new_inode, 616 struct dentry *new_dentry) 617 { 618 int rc; 619 char *isp; 620 struct smk_audit_info ad; 621 622 smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_FS); 623 smk_ad_setfield_u_fs_path_dentry(&ad, old_dentry); 624 625 isp = smk_of_inode(old_dentry->d_inode); 626 rc = smk_curacc(isp, MAY_READWRITE, &ad); 627 628 if (rc == 0 && new_dentry->d_inode != NULL) { 629 isp = smk_of_inode(new_dentry->d_inode); 630 smk_ad_setfield_u_fs_path_dentry(&ad, new_dentry); 631 rc = smk_curacc(isp, MAY_READWRITE, &ad); 632 } 633 return rc; 634 } 635 636 /** 637 * smack_inode_permission - Smack version of permission() 638 * @inode: the inode in question 639 * @mask: the access requested 640 * 641 * This is the important Smack hook. 642 * 643 * Returns 0 if access is permitted, -EACCES otherwise 644 */ 645 static int smack_inode_permission(struct inode *inode, int mask) 646 { 647 struct smk_audit_info ad; 648 649 mask &= (MAY_READ|MAY_WRITE|MAY_EXEC|MAY_APPEND); 650 /* 651 * No permission to check. Existence test. Yup, it's there. 652 */ 653 if (mask == 0) 654 return 0; 655 smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_FS); 656 smk_ad_setfield_u_fs_inode(&ad, inode); 657 return smk_curacc(smk_of_inode(inode), mask, &ad); 658 } 659 660 /** 661 * smack_inode_setattr - Smack check for setting attributes 662 * @dentry: the object 663 * @iattr: for the force flag 664 * 665 * Returns 0 if access is permitted, an error code otherwise 666 */ 667 static int smack_inode_setattr(struct dentry *dentry, struct iattr *iattr) 668 { 669 struct smk_audit_info ad; 670 /* 671 * Need to allow for clearing the setuid bit. 672 */ 673 if (iattr->ia_valid & ATTR_FORCE) 674 return 0; 675 smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_FS); 676 smk_ad_setfield_u_fs_path_dentry(&ad, dentry); 677 678 return smk_curacc(smk_of_inode(dentry->d_inode), MAY_WRITE, &ad); 679 } 680 681 /** 682 * smack_inode_getattr - Smack check for getting attributes 683 * @mnt: unused 684 * @dentry: the object 685 * 686 * Returns 0 if access is permitted, an error code otherwise 687 */ 688 static int smack_inode_getattr(struct vfsmount *mnt, struct dentry *dentry) 689 { 690 struct smk_audit_info ad; 691 692 smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_FS); 693 smk_ad_setfield_u_fs_path_dentry(&ad, dentry); 694 smk_ad_setfield_u_fs_path_mnt(&ad, mnt); 695 return smk_curacc(smk_of_inode(dentry->d_inode), MAY_READ, &ad); 696 } 697 698 /** 699 * smack_inode_setxattr - Smack check for setting xattrs 700 * @dentry: the object 701 * @name: name of the attribute 702 * @value: unused 703 * @size: unused 704 * @flags: unused 705 * 706 * This protects the Smack attribute explicitly. 707 * 708 * Returns 0 if access is permitted, an error code otherwise 709 */ 710 static int smack_inode_setxattr(struct dentry *dentry, const char *name, 711 const void *value, size_t size, int flags) 712 { 713 struct smk_audit_info ad; 714 int rc = 0; 715 716 if (strcmp(name, XATTR_NAME_SMACK) == 0 || 717 strcmp(name, XATTR_NAME_SMACKIPIN) == 0 || 718 strcmp(name, XATTR_NAME_SMACKIPOUT) == 0 || 719 strcmp(name, XATTR_NAME_SMACKEXEC) == 0) { 720 if (!capable(CAP_MAC_ADMIN)) 721 rc = -EPERM; 722 /* 723 * check label validity here so import wont fail on 724 * post_setxattr 725 */ 726 if (size == 0 || size >= SMK_LABELLEN || 727 smk_import(value, size) == NULL) 728 rc = -EINVAL; 729 } else if (strcmp(name, XATTR_NAME_SMACKTRANSMUTE) == 0) { 730 if (!capable(CAP_MAC_ADMIN)) 731 rc = -EPERM; 732 if (size != TRANS_TRUE_SIZE || 733 strncmp(value, TRANS_TRUE, TRANS_TRUE_SIZE) != 0) 734 rc = -EINVAL; 735 } else 736 rc = cap_inode_setxattr(dentry, name, value, size, flags); 737 738 smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_FS); 739 smk_ad_setfield_u_fs_path_dentry(&ad, dentry); 740 741 if (rc == 0) 742 rc = smk_curacc(smk_of_inode(dentry->d_inode), MAY_WRITE, &ad); 743 744 return rc; 745 } 746 747 /** 748 * smack_inode_post_setxattr - Apply the Smack update approved above 749 * @dentry: object 750 * @name: attribute name 751 * @value: attribute value 752 * @size: attribute size 753 * @flags: unused 754 * 755 * Set the pointer in the inode blob to the entry found 756 * in the master label list. 757 */ 758 static void smack_inode_post_setxattr(struct dentry *dentry, const char *name, 759 const void *value, size_t size, int flags) 760 { 761 char *nsp; 762 struct inode_smack *isp = dentry->d_inode->i_security; 763 764 if (strcmp(name, XATTR_NAME_SMACK) == 0) { 765 nsp = smk_import(value, size); 766 if (nsp != NULL) 767 isp->smk_inode = nsp; 768 else 769 isp->smk_inode = smack_known_invalid.smk_known; 770 } else if (strcmp(name, XATTR_NAME_SMACKEXEC) == 0) { 771 nsp = smk_import(value, size); 772 if (nsp != NULL) 773 isp->smk_task = nsp; 774 else 775 isp->smk_task = smack_known_invalid.smk_known; 776 } else if (strcmp(name, XATTR_NAME_SMACKTRANSMUTE) == 0) 777 isp->smk_flags |= SMK_INODE_TRANSMUTE; 778 779 return; 780 } 781 782 /* 783 * smack_inode_getxattr - Smack check on getxattr 784 * @dentry: the object 785 * @name: unused 786 * 787 * Returns 0 if access is permitted, an error code otherwise 788 */ 789 static int smack_inode_getxattr(struct dentry *dentry, const char *name) 790 { 791 struct smk_audit_info ad; 792 793 smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_FS); 794 smk_ad_setfield_u_fs_path_dentry(&ad, dentry); 795 796 return smk_curacc(smk_of_inode(dentry->d_inode), MAY_READ, &ad); 797 } 798 799 /* 800 * smack_inode_removexattr - Smack check on removexattr 801 * @dentry: the object 802 * @name: name of the attribute 803 * 804 * Removing the Smack attribute requires CAP_MAC_ADMIN 805 * 806 * Returns 0 if access is permitted, an error code otherwise 807 */ 808 static int smack_inode_removexattr(struct dentry *dentry, const char *name) 809 { 810 struct inode_smack *isp; 811 struct smk_audit_info ad; 812 int rc = 0; 813 814 if (strcmp(name, XATTR_NAME_SMACK) == 0 || 815 strcmp(name, XATTR_NAME_SMACKIPIN) == 0 || 816 strcmp(name, XATTR_NAME_SMACKIPOUT) == 0 || 817 strcmp(name, XATTR_NAME_SMACKEXEC) == 0 || 818 strcmp(name, XATTR_NAME_SMACKTRANSMUTE) == 0) { 819 if (!capable(CAP_MAC_ADMIN)) 820 rc = -EPERM; 821 } else 822 rc = cap_inode_removexattr(dentry, name); 823 824 smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_FS); 825 smk_ad_setfield_u_fs_path_dentry(&ad, dentry); 826 if (rc == 0) 827 rc = smk_curacc(smk_of_inode(dentry->d_inode), MAY_WRITE, &ad); 828 829 if (rc == 0) { 830 isp = dentry->d_inode->i_security; 831 isp->smk_task = NULL; 832 } 833 834 return rc; 835 } 836 837 /** 838 * smack_inode_getsecurity - get smack xattrs 839 * @inode: the object 840 * @name: attribute name 841 * @buffer: where to put the result 842 * @alloc: unused 843 * 844 * Returns the size of the attribute or an error code 845 */ 846 static int smack_inode_getsecurity(const struct inode *inode, 847 const char *name, void **buffer, 848 bool alloc) 849 { 850 struct socket_smack *ssp; 851 struct socket *sock; 852 struct super_block *sbp; 853 struct inode *ip = (struct inode *)inode; 854 char *isp; 855 int ilen; 856 int rc = 0; 857 858 if (strcmp(name, XATTR_SMACK_SUFFIX) == 0) { 859 isp = smk_of_inode(inode); 860 ilen = strlen(isp) + 1; 861 *buffer = isp; 862 return ilen; 863 } 864 865 /* 866 * The rest of the Smack xattrs are only on sockets. 867 */ 868 sbp = ip->i_sb; 869 if (sbp->s_magic != SOCKFS_MAGIC) 870 return -EOPNOTSUPP; 871 872 sock = SOCKET_I(ip); 873 if (sock == NULL || sock->sk == NULL) 874 return -EOPNOTSUPP; 875 876 ssp = sock->sk->sk_security; 877 878 if (strcmp(name, XATTR_SMACK_IPIN) == 0) 879 isp = ssp->smk_in; 880 else if (strcmp(name, XATTR_SMACK_IPOUT) == 0) 881 isp = ssp->smk_out; 882 else 883 return -EOPNOTSUPP; 884 885 ilen = strlen(isp) + 1; 886 if (rc == 0) { 887 *buffer = isp; 888 rc = ilen; 889 } 890 891 return rc; 892 } 893 894 895 /** 896 * smack_inode_listsecurity - list the Smack attributes 897 * @inode: the object 898 * @buffer: where they go 899 * @buffer_size: size of buffer 900 * 901 * Returns 0 on success, -EINVAL otherwise 902 */ 903 static int smack_inode_listsecurity(struct inode *inode, char *buffer, 904 size_t buffer_size) 905 { 906 int len = strlen(XATTR_NAME_SMACK); 907 908 if (buffer != NULL && len <= buffer_size) { 909 memcpy(buffer, XATTR_NAME_SMACK, len); 910 return len; 911 } 912 return -EINVAL; 913 } 914 915 /** 916 * smack_inode_getsecid - Extract inode's security id 917 * @inode: inode to extract the info from 918 * @secid: where result will be saved 919 */ 920 static void smack_inode_getsecid(const struct inode *inode, u32 *secid) 921 { 922 struct inode_smack *isp = inode->i_security; 923 924 *secid = smack_to_secid(isp->smk_inode); 925 } 926 927 /* 928 * File Hooks 929 */ 930 931 /** 932 * smack_file_permission - Smack check on file operations 933 * @file: unused 934 * @mask: unused 935 * 936 * Returns 0 937 * 938 * Should access checks be done on each read or write? 939 * UNICOS and SELinux say yes. 940 * Trusted Solaris, Trusted Irix, and just about everyone else says no. 941 * 942 * I'll say no for now. Smack does not do the frequent 943 * label changing that SELinux does. 944 */ 945 static int smack_file_permission(struct file *file, int mask) 946 { 947 return 0; 948 } 949 950 /** 951 * smack_file_alloc_security - assign a file security blob 952 * @file: the object 953 * 954 * The security blob for a file is a pointer to the master 955 * label list, so no allocation is done. 956 * 957 * Returns 0 958 */ 959 static int smack_file_alloc_security(struct file *file) 960 { 961 file->f_security = smk_of_current(); 962 return 0; 963 } 964 965 /** 966 * smack_file_free_security - clear a file security blob 967 * @file: the object 968 * 969 * The security blob for a file is a pointer to the master 970 * label list, so no memory is freed. 971 */ 972 static void smack_file_free_security(struct file *file) 973 { 974 file->f_security = NULL; 975 } 976 977 /** 978 * smack_file_ioctl - Smack check on ioctls 979 * @file: the object 980 * @cmd: what to do 981 * @arg: unused 982 * 983 * Relies heavily on the correct use of the ioctl command conventions. 984 * 985 * Returns 0 if allowed, error code otherwise 986 */ 987 static int smack_file_ioctl(struct file *file, unsigned int cmd, 988 unsigned long arg) 989 { 990 int rc = 0; 991 struct smk_audit_info ad; 992 993 smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_FS); 994 smk_ad_setfield_u_fs_path(&ad, file->f_path); 995 996 if (_IOC_DIR(cmd) & _IOC_WRITE) 997 rc = smk_curacc(file->f_security, MAY_WRITE, &ad); 998 999 if (rc == 0 && (_IOC_DIR(cmd) & _IOC_READ)) 1000 rc = smk_curacc(file->f_security, MAY_READ, &ad); 1001 1002 return rc; 1003 } 1004 1005 /** 1006 * smack_file_lock - Smack check on file locking 1007 * @file: the object 1008 * @cmd: unused 1009 * 1010 * Returns 0 if current has write access, error code otherwise 1011 */ 1012 static int smack_file_lock(struct file *file, unsigned int cmd) 1013 { 1014 struct smk_audit_info ad; 1015 1016 smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_FS); 1017 smk_ad_setfield_u_fs_path_dentry(&ad, file->f_path.dentry); 1018 return smk_curacc(file->f_security, MAY_WRITE, &ad); 1019 } 1020 1021 /** 1022 * smack_file_fcntl - Smack check on fcntl 1023 * @file: the object 1024 * @cmd: what action to check 1025 * @arg: unused 1026 * 1027 * Returns 0 if current has access, error code otherwise 1028 */ 1029 static int smack_file_fcntl(struct file *file, unsigned int cmd, 1030 unsigned long arg) 1031 { 1032 struct smk_audit_info ad; 1033 int rc; 1034 1035 smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_FS); 1036 smk_ad_setfield_u_fs_path(&ad, file->f_path); 1037 1038 switch (cmd) { 1039 case F_DUPFD: 1040 case F_GETFD: 1041 case F_GETFL: 1042 case F_GETLK: 1043 case F_GETOWN: 1044 case F_GETSIG: 1045 rc = smk_curacc(file->f_security, MAY_READ, &ad); 1046 break; 1047 case F_SETFD: 1048 case F_SETFL: 1049 case F_SETLK: 1050 case F_SETLKW: 1051 case F_SETOWN: 1052 case F_SETSIG: 1053 rc = smk_curacc(file->f_security, MAY_WRITE, &ad); 1054 break; 1055 default: 1056 rc = smk_curacc(file->f_security, MAY_READWRITE, &ad); 1057 } 1058 1059 return rc; 1060 } 1061 1062 /** 1063 * smack_file_set_fowner - set the file security blob value 1064 * @file: object in question 1065 * 1066 * Returns 0 1067 * Further research may be required on this one. 1068 */ 1069 static int smack_file_set_fowner(struct file *file) 1070 { 1071 file->f_security = smk_of_current(); 1072 return 0; 1073 } 1074 1075 /** 1076 * smack_file_send_sigiotask - Smack on sigio 1077 * @tsk: The target task 1078 * @fown: the object the signal come from 1079 * @signum: unused 1080 * 1081 * Allow a privileged task to get signals even if it shouldn't 1082 * 1083 * Returns 0 if a subject with the object's smack could 1084 * write to the task, an error code otherwise. 1085 */ 1086 static int smack_file_send_sigiotask(struct task_struct *tsk, 1087 struct fown_struct *fown, int signum) 1088 { 1089 struct file *file; 1090 int rc; 1091 char *tsp = smk_of_task(tsk->cred->security); 1092 struct smk_audit_info ad; 1093 1094 /* 1095 * struct fown_struct is never outside the context of a struct file 1096 */ 1097 file = container_of(fown, struct file, f_owner); 1098 /* we don't log here as rc can be overriden */ 1099 rc = smk_access(file->f_security, tsp, MAY_WRITE, NULL); 1100 if (rc != 0 && has_capability(tsk, CAP_MAC_OVERRIDE)) 1101 rc = 0; 1102 1103 smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_TASK); 1104 smk_ad_setfield_u_tsk(&ad, tsk); 1105 smack_log(file->f_security, tsp, MAY_WRITE, rc, &ad); 1106 return rc; 1107 } 1108 1109 /** 1110 * smack_file_receive - Smack file receive check 1111 * @file: the object 1112 * 1113 * Returns 0 if current has access, error code otherwise 1114 */ 1115 static int smack_file_receive(struct file *file) 1116 { 1117 int may = 0; 1118 struct smk_audit_info ad; 1119 1120 smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_TASK); 1121 smk_ad_setfield_u_fs_path(&ad, file->f_path); 1122 /* 1123 * This code relies on bitmasks. 1124 */ 1125 if (file->f_mode & FMODE_READ) 1126 may = MAY_READ; 1127 if (file->f_mode & FMODE_WRITE) 1128 may |= MAY_WRITE; 1129 1130 return smk_curacc(file->f_security, may, &ad); 1131 } 1132 1133 /* 1134 * Task hooks 1135 */ 1136 1137 /** 1138 * smack_cred_alloc_blank - "allocate" blank task-level security credentials 1139 * @new: the new credentials 1140 * @gfp: the atomicity of any memory allocations 1141 * 1142 * Prepare a blank set of credentials for modification. This must allocate all 1143 * the memory the LSM module might require such that cred_transfer() can 1144 * complete without error. 1145 */ 1146 static int smack_cred_alloc_blank(struct cred *cred, gfp_t gfp) 1147 { 1148 cred->security = kzalloc(sizeof(struct task_smack), gfp); 1149 if (cred->security == NULL) 1150 return -ENOMEM; 1151 return 0; 1152 } 1153 1154 1155 /** 1156 * smack_cred_free - "free" task-level security credentials 1157 * @cred: the credentials in question 1158 * 1159 * Smack isn't using copies of blobs. Everyone 1160 * points to an immutable list. The blobs never go away. 1161 * There is no leak here. 1162 */ 1163 static void smack_cred_free(struct cred *cred) 1164 { 1165 kfree(cred->security); 1166 } 1167 1168 /** 1169 * smack_cred_prepare - prepare new set of credentials for modification 1170 * @new: the new credentials 1171 * @old: the original credentials 1172 * @gfp: the atomicity of any memory allocations 1173 * 1174 * Prepare a new set of credentials for modification. 1175 */ 1176 static int smack_cred_prepare(struct cred *new, const struct cred *old, 1177 gfp_t gfp) 1178 { 1179 struct task_smack *old_tsp = old->security; 1180 struct task_smack *new_tsp; 1181 1182 new_tsp = kzalloc(sizeof(struct task_smack), gfp); 1183 if (new_tsp == NULL) 1184 return -ENOMEM; 1185 1186 new_tsp->smk_task = old_tsp->smk_task; 1187 new_tsp->smk_forked = old_tsp->smk_task; 1188 new->security = new_tsp; 1189 return 0; 1190 } 1191 1192 /** 1193 * smack_cred_transfer - Transfer the old credentials to the new credentials 1194 * @new: the new credentials 1195 * @old: the original credentials 1196 * 1197 * Fill in a set of blank credentials from another set of credentials. 1198 */ 1199 static void smack_cred_transfer(struct cred *new, const struct cred *old) 1200 { 1201 struct task_smack *old_tsp = old->security; 1202 struct task_smack *new_tsp = new->security; 1203 1204 new_tsp->smk_task = old_tsp->smk_task; 1205 new_tsp->smk_forked = old_tsp->smk_task; 1206 } 1207 1208 /** 1209 * smack_kernel_act_as - Set the subjective context in a set of credentials 1210 * @new: points to the set of credentials to be modified. 1211 * @secid: specifies the security ID to be set 1212 * 1213 * Set the security data for a kernel service. 1214 */ 1215 static int smack_kernel_act_as(struct cred *new, u32 secid) 1216 { 1217 struct task_smack *new_tsp = new->security; 1218 char *smack = smack_from_secid(secid); 1219 1220 if (smack == NULL) 1221 return -EINVAL; 1222 1223 new_tsp->smk_task = smack; 1224 return 0; 1225 } 1226 1227 /** 1228 * smack_kernel_create_files_as - Set the file creation label in a set of creds 1229 * @new: points to the set of credentials to be modified 1230 * @inode: points to the inode to use as a reference 1231 * 1232 * Set the file creation context in a set of credentials to the same 1233 * as the objective context of the specified inode 1234 */ 1235 static int smack_kernel_create_files_as(struct cred *new, 1236 struct inode *inode) 1237 { 1238 struct inode_smack *isp = inode->i_security; 1239 struct task_smack *tsp = new->security; 1240 1241 tsp->smk_forked = isp->smk_inode; 1242 tsp->smk_task = isp->smk_inode; 1243 return 0; 1244 } 1245 1246 /** 1247 * smk_curacc_on_task - helper to log task related access 1248 * @p: the task object 1249 * @access : the access requested 1250 * 1251 * Return 0 if access is permitted 1252 */ 1253 static int smk_curacc_on_task(struct task_struct *p, int access) 1254 { 1255 struct smk_audit_info ad; 1256 1257 smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_TASK); 1258 smk_ad_setfield_u_tsk(&ad, p); 1259 return smk_curacc(smk_of_task(task_security(p)), access, &ad); 1260 } 1261 1262 /** 1263 * smack_task_setpgid - Smack check on setting pgid 1264 * @p: the task object 1265 * @pgid: unused 1266 * 1267 * Return 0 if write access is permitted 1268 */ 1269 static int smack_task_setpgid(struct task_struct *p, pid_t pgid) 1270 { 1271 return smk_curacc_on_task(p, MAY_WRITE); 1272 } 1273 1274 /** 1275 * smack_task_getpgid - Smack access check for getpgid 1276 * @p: the object task 1277 * 1278 * Returns 0 if current can read the object task, error code otherwise 1279 */ 1280 static int smack_task_getpgid(struct task_struct *p) 1281 { 1282 return smk_curacc_on_task(p, MAY_READ); 1283 } 1284 1285 /** 1286 * smack_task_getsid - Smack access check for getsid 1287 * @p: the object task 1288 * 1289 * Returns 0 if current can read the object task, error code otherwise 1290 */ 1291 static int smack_task_getsid(struct task_struct *p) 1292 { 1293 return smk_curacc_on_task(p, MAY_READ); 1294 } 1295 1296 /** 1297 * smack_task_getsecid - get the secid of the task 1298 * @p: the object task 1299 * @secid: where to put the result 1300 * 1301 * Sets the secid to contain a u32 version of the smack label. 1302 */ 1303 static void smack_task_getsecid(struct task_struct *p, u32 *secid) 1304 { 1305 *secid = smack_to_secid(smk_of_task(task_security(p))); 1306 } 1307 1308 /** 1309 * smack_task_setnice - Smack check on setting nice 1310 * @p: the task object 1311 * @nice: unused 1312 * 1313 * Return 0 if write access is permitted 1314 */ 1315 static int smack_task_setnice(struct task_struct *p, int nice) 1316 { 1317 int rc; 1318 1319 rc = cap_task_setnice(p, nice); 1320 if (rc == 0) 1321 rc = smk_curacc_on_task(p, MAY_WRITE); 1322 return rc; 1323 } 1324 1325 /** 1326 * smack_task_setioprio - Smack check on setting ioprio 1327 * @p: the task object 1328 * @ioprio: unused 1329 * 1330 * Return 0 if write access is permitted 1331 */ 1332 static int smack_task_setioprio(struct task_struct *p, int ioprio) 1333 { 1334 int rc; 1335 1336 rc = cap_task_setioprio(p, ioprio); 1337 if (rc == 0) 1338 rc = smk_curacc_on_task(p, MAY_WRITE); 1339 return rc; 1340 } 1341 1342 /** 1343 * smack_task_getioprio - Smack check on reading ioprio 1344 * @p: the task object 1345 * 1346 * Return 0 if read access is permitted 1347 */ 1348 static int smack_task_getioprio(struct task_struct *p) 1349 { 1350 return smk_curacc_on_task(p, MAY_READ); 1351 } 1352 1353 /** 1354 * smack_task_setscheduler - Smack check on setting scheduler 1355 * @p: the task object 1356 * @policy: unused 1357 * @lp: unused 1358 * 1359 * Return 0 if read access is permitted 1360 */ 1361 static int smack_task_setscheduler(struct task_struct *p) 1362 { 1363 int rc; 1364 1365 rc = cap_task_setscheduler(p); 1366 if (rc == 0) 1367 rc = smk_curacc_on_task(p, MAY_WRITE); 1368 return rc; 1369 } 1370 1371 /** 1372 * smack_task_getscheduler - Smack check on reading scheduler 1373 * @p: the task object 1374 * 1375 * Return 0 if read access is permitted 1376 */ 1377 static int smack_task_getscheduler(struct task_struct *p) 1378 { 1379 return smk_curacc_on_task(p, MAY_READ); 1380 } 1381 1382 /** 1383 * smack_task_movememory - Smack check on moving memory 1384 * @p: the task object 1385 * 1386 * Return 0 if write access is permitted 1387 */ 1388 static int smack_task_movememory(struct task_struct *p) 1389 { 1390 return smk_curacc_on_task(p, MAY_WRITE); 1391 } 1392 1393 /** 1394 * smack_task_kill - Smack check on signal delivery 1395 * @p: the task object 1396 * @info: unused 1397 * @sig: unused 1398 * @secid: identifies the smack to use in lieu of current's 1399 * 1400 * Return 0 if write access is permitted 1401 * 1402 * The secid behavior is an artifact of an SELinux hack 1403 * in the USB code. Someday it may go away. 1404 */ 1405 static int smack_task_kill(struct task_struct *p, struct siginfo *info, 1406 int sig, u32 secid) 1407 { 1408 struct smk_audit_info ad; 1409 1410 smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_TASK); 1411 smk_ad_setfield_u_tsk(&ad, p); 1412 /* 1413 * Sending a signal requires that the sender 1414 * can write the receiver. 1415 */ 1416 if (secid == 0) 1417 return smk_curacc(smk_of_task(task_security(p)), MAY_WRITE, 1418 &ad); 1419 /* 1420 * If the secid isn't 0 we're dealing with some USB IO 1421 * specific behavior. This is not clean. For one thing 1422 * we can't take privilege into account. 1423 */ 1424 return smk_access(smack_from_secid(secid), 1425 smk_of_task(task_security(p)), MAY_WRITE, &ad); 1426 } 1427 1428 /** 1429 * smack_task_wait - Smack access check for waiting 1430 * @p: task to wait for 1431 * 1432 * Returns 0 if current can wait for p, error code otherwise 1433 */ 1434 static int smack_task_wait(struct task_struct *p) 1435 { 1436 struct smk_audit_info ad; 1437 char *sp = smk_of_current(); 1438 char *tsp = smk_of_forked(task_security(p)); 1439 int rc; 1440 1441 /* we don't log here, we can be overriden */ 1442 rc = smk_access(tsp, sp, MAY_WRITE, NULL); 1443 if (rc == 0) 1444 goto out_log; 1445 1446 /* 1447 * Allow the operation to succeed if either task 1448 * has privilege to perform operations that might 1449 * account for the smack labels having gotten to 1450 * be different in the first place. 1451 * 1452 * This breaks the strict subject/object access 1453 * control ideal, taking the object's privilege 1454 * state into account in the decision as well as 1455 * the smack value. 1456 */ 1457 if (capable(CAP_MAC_OVERRIDE) || has_capability(p, CAP_MAC_OVERRIDE)) 1458 rc = 0; 1459 /* we log only if we didn't get overriden */ 1460 out_log: 1461 smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_TASK); 1462 smk_ad_setfield_u_tsk(&ad, p); 1463 smack_log(tsp, sp, MAY_WRITE, rc, &ad); 1464 return rc; 1465 } 1466 1467 /** 1468 * smack_task_to_inode - copy task smack into the inode blob 1469 * @p: task to copy from 1470 * @inode: inode to copy to 1471 * 1472 * Sets the smack pointer in the inode security blob 1473 */ 1474 static void smack_task_to_inode(struct task_struct *p, struct inode *inode) 1475 { 1476 struct inode_smack *isp = inode->i_security; 1477 isp->smk_inode = smk_of_task(task_security(p)); 1478 } 1479 1480 /* 1481 * Socket hooks. 1482 */ 1483 1484 /** 1485 * smack_sk_alloc_security - Allocate a socket blob 1486 * @sk: the socket 1487 * @family: unused 1488 * @gfp_flags: memory allocation flags 1489 * 1490 * Assign Smack pointers to current 1491 * 1492 * Returns 0 on success, -ENOMEM is there's no memory 1493 */ 1494 static int smack_sk_alloc_security(struct sock *sk, int family, gfp_t gfp_flags) 1495 { 1496 char *csp = smk_of_current(); 1497 struct socket_smack *ssp; 1498 1499 ssp = kzalloc(sizeof(struct socket_smack), gfp_flags); 1500 if (ssp == NULL) 1501 return -ENOMEM; 1502 1503 ssp->smk_in = csp; 1504 ssp->smk_out = csp; 1505 ssp->smk_packet[0] = '\0'; 1506 1507 sk->sk_security = ssp; 1508 1509 return 0; 1510 } 1511 1512 /** 1513 * smack_sk_free_security - Free a socket blob 1514 * @sk: the socket 1515 * 1516 * Clears the blob pointer 1517 */ 1518 static void smack_sk_free_security(struct sock *sk) 1519 { 1520 kfree(sk->sk_security); 1521 } 1522 1523 /** 1524 * smack_host_label - check host based restrictions 1525 * @sip: the object end 1526 * 1527 * looks for host based access restrictions 1528 * 1529 * This version will only be appropriate for really small sets of single label 1530 * hosts. The caller is responsible for ensuring that the RCU read lock is 1531 * taken before calling this function. 1532 * 1533 * Returns the label of the far end or NULL if it's not special. 1534 */ 1535 static char *smack_host_label(struct sockaddr_in *sip) 1536 { 1537 struct smk_netlbladdr *snp; 1538 struct in_addr *siap = &sip->sin_addr; 1539 1540 if (siap->s_addr == 0) 1541 return NULL; 1542 1543 list_for_each_entry_rcu(snp, &smk_netlbladdr_list, list) 1544 /* 1545 * we break after finding the first match because 1546 * the list is sorted from longest to shortest mask 1547 * so we have found the most specific match 1548 */ 1549 if ((&snp->smk_host.sin_addr)->s_addr == 1550 (siap->s_addr & (&snp->smk_mask)->s_addr)) { 1551 /* we have found the special CIPSO option */ 1552 if (snp->smk_label == smack_cipso_option) 1553 return NULL; 1554 return snp->smk_label; 1555 } 1556 1557 return NULL; 1558 } 1559 1560 /** 1561 * smack_set_catset - convert a capset to netlabel mls categories 1562 * @catset: the Smack categories 1563 * @sap: where to put the netlabel categories 1564 * 1565 * Allocates and fills attr.mls.cat 1566 */ 1567 static void smack_set_catset(char *catset, struct netlbl_lsm_secattr *sap) 1568 { 1569 unsigned char *cp; 1570 unsigned char m; 1571 int cat; 1572 int rc; 1573 int byte; 1574 1575 if (!catset) 1576 return; 1577 1578 sap->flags |= NETLBL_SECATTR_MLS_CAT; 1579 sap->attr.mls.cat = netlbl_secattr_catmap_alloc(GFP_ATOMIC); 1580 sap->attr.mls.cat->startbit = 0; 1581 1582 for (cat = 1, cp = catset, byte = 0; byte < SMK_LABELLEN; cp++, byte++) 1583 for (m = 0x80; m != 0; m >>= 1, cat++) { 1584 if ((m & *cp) == 0) 1585 continue; 1586 rc = netlbl_secattr_catmap_setbit(sap->attr.mls.cat, 1587 cat, GFP_ATOMIC); 1588 } 1589 } 1590 1591 /** 1592 * smack_to_secattr - fill a secattr from a smack value 1593 * @smack: the smack value 1594 * @nlsp: where the result goes 1595 * 1596 * Casey says that CIPSO is good enough for now. 1597 * It can be used to effect. 1598 * It can also be abused to effect when necessary. 1599 * Appologies to the TSIG group in general and GW in particular. 1600 */ 1601 static void smack_to_secattr(char *smack, struct netlbl_lsm_secattr *nlsp) 1602 { 1603 struct smack_cipso cipso; 1604 int rc; 1605 1606 nlsp->domain = smack; 1607 nlsp->flags = NETLBL_SECATTR_DOMAIN | NETLBL_SECATTR_MLS_LVL; 1608 1609 rc = smack_to_cipso(smack, &cipso); 1610 if (rc == 0) { 1611 nlsp->attr.mls.lvl = cipso.smk_level; 1612 smack_set_catset(cipso.smk_catset, nlsp); 1613 } else { 1614 nlsp->attr.mls.lvl = smack_cipso_direct; 1615 smack_set_catset(smack, nlsp); 1616 } 1617 } 1618 1619 /** 1620 * smack_netlabel - Set the secattr on a socket 1621 * @sk: the socket 1622 * @labeled: socket label scheme 1623 * 1624 * Convert the outbound smack value (smk_out) to a 1625 * secattr and attach it to the socket. 1626 * 1627 * Returns 0 on success or an error code 1628 */ 1629 static int smack_netlabel(struct sock *sk, int labeled) 1630 { 1631 struct socket_smack *ssp = sk->sk_security; 1632 struct netlbl_lsm_secattr secattr; 1633 int rc = 0; 1634 1635 /* 1636 * Usually the netlabel code will handle changing the 1637 * packet labeling based on the label. 1638 * The case of a single label host is different, because 1639 * a single label host should never get a labeled packet 1640 * even though the label is usually associated with a packet 1641 * label. 1642 */ 1643 local_bh_disable(); 1644 bh_lock_sock_nested(sk); 1645 1646 if (ssp->smk_out == smack_net_ambient || 1647 labeled == SMACK_UNLABELED_SOCKET) 1648 netlbl_sock_delattr(sk); 1649 else { 1650 netlbl_secattr_init(&secattr); 1651 smack_to_secattr(ssp->smk_out, &secattr); 1652 rc = netlbl_sock_setattr(sk, sk->sk_family, &secattr); 1653 netlbl_secattr_destroy(&secattr); 1654 } 1655 1656 bh_unlock_sock(sk); 1657 local_bh_enable(); 1658 1659 return rc; 1660 } 1661 1662 /** 1663 * smack_netlbel_send - Set the secattr on a socket and perform access checks 1664 * @sk: the socket 1665 * @sap: the destination address 1666 * 1667 * Set the correct secattr for the given socket based on the destination 1668 * address and perform any outbound access checks needed. 1669 * 1670 * Returns 0 on success or an error code. 1671 * 1672 */ 1673 static int smack_netlabel_send(struct sock *sk, struct sockaddr_in *sap) 1674 { 1675 int rc; 1676 int sk_lbl; 1677 char *hostsp; 1678 struct socket_smack *ssp = sk->sk_security; 1679 struct smk_audit_info ad; 1680 1681 rcu_read_lock(); 1682 hostsp = smack_host_label(sap); 1683 if (hostsp != NULL) { 1684 sk_lbl = SMACK_UNLABELED_SOCKET; 1685 #ifdef CONFIG_AUDIT 1686 smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_NET); 1687 ad.a.u.net.family = sap->sin_family; 1688 ad.a.u.net.dport = sap->sin_port; 1689 ad.a.u.net.v4info.daddr = sap->sin_addr.s_addr; 1690 #endif 1691 rc = smk_access(ssp->smk_out, hostsp, MAY_WRITE, &ad); 1692 } else { 1693 sk_lbl = SMACK_CIPSO_SOCKET; 1694 rc = 0; 1695 } 1696 rcu_read_unlock(); 1697 if (rc != 0) 1698 return rc; 1699 1700 return smack_netlabel(sk, sk_lbl); 1701 } 1702 1703 /** 1704 * smack_inode_setsecurity - set smack xattrs 1705 * @inode: the object 1706 * @name: attribute name 1707 * @value: attribute value 1708 * @size: size of the attribute 1709 * @flags: unused 1710 * 1711 * Sets the named attribute in the appropriate blob 1712 * 1713 * Returns 0 on success, or an error code 1714 */ 1715 static int smack_inode_setsecurity(struct inode *inode, const char *name, 1716 const void *value, size_t size, int flags) 1717 { 1718 char *sp; 1719 struct inode_smack *nsp = inode->i_security; 1720 struct socket_smack *ssp; 1721 struct socket *sock; 1722 int rc = 0; 1723 1724 if (value == NULL || size > SMK_LABELLEN || size == 0) 1725 return -EACCES; 1726 1727 sp = smk_import(value, size); 1728 if (sp == NULL) 1729 return -EINVAL; 1730 1731 if (strcmp(name, XATTR_SMACK_SUFFIX) == 0) { 1732 nsp->smk_inode = sp; 1733 nsp->smk_flags |= SMK_INODE_INSTANT; 1734 return 0; 1735 } 1736 /* 1737 * The rest of the Smack xattrs are only on sockets. 1738 */ 1739 if (inode->i_sb->s_magic != SOCKFS_MAGIC) 1740 return -EOPNOTSUPP; 1741 1742 sock = SOCKET_I(inode); 1743 if (sock == NULL || sock->sk == NULL) 1744 return -EOPNOTSUPP; 1745 1746 ssp = sock->sk->sk_security; 1747 1748 if (strcmp(name, XATTR_SMACK_IPIN) == 0) 1749 ssp->smk_in = sp; 1750 else if (strcmp(name, XATTR_SMACK_IPOUT) == 0) { 1751 ssp->smk_out = sp; 1752 if (sock->sk->sk_family != PF_UNIX) { 1753 rc = smack_netlabel(sock->sk, SMACK_CIPSO_SOCKET); 1754 if (rc != 0) 1755 printk(KERN_WARNING 1756 "Smack: \"%s\" netlbl error %d.\n", 1757 __func__, -rc); 1758 } 1759 } else 1760 return -EOPNOTSUPP; 1761 1762 return 0; 1763 } 1764 1765 /** 1766 * smack_socket_post_create - finish socket setup 1767 * @sock: the socket 1768 * @family: protocol family 1769 * @type: unused 1770 * @protocol: unused 1771 * @kern: unused 1772 * 1773 * Sets the netlabel information on the socket 1774 * 1775 * Returns 0 on success, and error code otherwise 1776 */ 1777 static int smack_socket_post_create(struct socket *sock, int family, 1778 int type, int protocol, int kern) 1779 { 1780 if (family != PF_INET || sock->sk == NULL) 1781 return 0; 1782 /* 1783 * Set the outbound netlbl. 1784 */ 1785 return smack_netlabel(sock->sk, SMACK_CIPSO_SOCKET); 1786 } 1787 1788 /** 1789 * smack_socket_connect - connect access check 1790 * @sock: the socket 1791 * @sap: the other end 1792 * @addrlen: size of sap 1793 * 1794 * Verifies that a connection may be possible 1795 * 1796 * Returns 0 on success, and error code otherwise 1797 */ 1798 static int smack_socket_connect(struct socket *sock, struct sockaddr *sap, 1799 int addrlen) 1800 { 1801 if (sock->sk == NULL || sock->sk->sk_family != PF_INET) 1802 return 0; 1803 if (addrlen < sizeof(struct sockaddr_in)) 1804 return -EINVAL; 1805 1806 return smack_netlabel_send(sock->sk, (struct sockaddr_in *)sap); 1807 } 1808 1809 /** 1810 * smack_flags_to_may - convert S_ to MAY_ values 1811 * @flags: the S_ value 1812 * 1813 * Returns the equivalent MAY_ value 1814 */ 1815 static int smack_flags_to_may(int flags) 1816 { 1817 int may = 0; 1818 1819 if (flags & S_IRUGO) 1820 may |= MAY_READ; 1821 if (flags & S_IWUGO) 1822 may |= MAY_WRITE; 1823 if (flags & S_IXUGO) 1824 may |= MAY_EXEC; 1825 1826 return may; 1827 } 1828 1829 /** 1830 * smack_msg_msg_alloc_security - Set the security blob for msg_msg 1831 * @msg: the object 1832 * 1833 * Returns 0 1834 */ 1835 static int smack_msg_msg_alloc_security(struct msg_msg *msg) 1836 { 1837 msg->security = smk_of_current(); 1838 return 0; 1839 } 1840 1841 /** 1842 * smack_msg_msg_free_security - Clear the security blob for msg_msg 1843 * @msg: the object 1844 * 1845 * Clears the blob pointer 1846 */ 1847 static void smack_msg_msg_free_security(struct msg_msg *msg) 1848 { 1849 msg->security = NULL; 1850 } 1851 1852 /** 1853 * smack_of_shm - the smack pointer for the shm 1854 * @shp: the object 1855 * 1856 * Returns a pointer to the smack value 1857 */ 1858 static char *smack_of_shm(struct shmid_kernel *shp) 1859 { 1860 return (char *)shp->shm_perm.security; 1861 } 1862 1863 /** 1864 * smack_shm_alloc_security - Set the security blob for shm 1865 * @shp: the object 1866 * 1867 * Returns 0 1868 */ 1869 static int smack_shm_alloc_security(struct shmid_kernel *shp) 1870 { 1871 struct kern_ipc_perm *isp = &shp->shm_perm; 1872 1873 isp->security = smk_of_current(); 1874 return 0; 1875 } 1876 1877 /** 1878 * smack_shm_free_security - Clear the security blob for shm 1879 * @shp: the object 1880 * 1881 * Clears the blob pointer 1882 */ 1883 static void smack_shm_free_security(struct shmid_kernel *shp) 1884 { 1885 struct kern_ipc_perm *isp = &shp->shm_perm; 1886 1887 isp->security = NULL; 1888 } 1889 1890 /** 1891 * smk_curacc_shm : check if current has access on shm 1892 * @shp : the object 1893 * @access : access requested 1894 * 1895 * Returns 0 if current has the requested access, error code otherwise 1896 */ 1897 static int smk_curacc_shm(struct shmid_kernel *shp, int access) 1898 { 1899 char *ssp = smack_of_shm(shp); 1900 struct smk_audit_info ad; 1901 1902 #ifdef CONFIG_AUDIT 1903 smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_IPC); 1904 ad.a.u.ipc_id = shp->shm_perm.id; 1905 #endif 1906 return smk_curacc(ssp, access, &ad); 1907 } 1908 1909 /** 1910 * smack_shm_associate - Smack access check for shm 1911 * @shp: the object 1912 * @shmflg: access requested 1913 * 1914 * Returns 0 if current has the requested access, error code otherwise 1915 */ 1916 static int smack_shm_associate(struct shmid_kernel *shp, int shmflg) 1917 { 1918 int may; 1919 1920 may = smack_flags_to_may(shmflg); 1921 return smk_curacc_shm(shp, may); 1922 } 1923 1924 /** 1925 * smack_shm_shmctl - Smack access check for shm 1926 * @shp: the object 1927 * @cmd: what it wants to do 1928 * 1929 * Returns 0 if current has the requested access, error code otherwise 1930 */ 1931 static int smack_shm_shmctl(struct shmid_kernel *shp, int cmd) 1932 { 1933 int may; 1934 1935 switch (cmd) { 1936 case IPC_STAT: 1937 case SHM_STAT: 1938 may = MAY_READ; 1939 break; 1940 case IPC_SET: 1941 case SHM_LOCK: 1942 case SHM_UNLOCK: 1943 case IPC_RMID: 1944 may = MAY_READWRITE; 1945 break; 1946 case IPC_INFO: 1947 case SHM_INFO: 1948 /* 1949 * System level information. 1950 */ 1951 return 0; 1952 default: 1953 return -EINVAL; 1954 } 1955 return smk_curacc_shm(shp, may); 1956 } 1957 1958 /** 1959 * smack_shm_shmat - Smack access for shmat 1960 * @shp: the object 1961 * @shmaddr: unused 1962 * @shmflg: access requested 1963 * 1964 * Returns 0 if current has the requested access, error code otherwise 1965 */ 1966 static int smack_shm_shmat(struct shmid_kernel *shp, char __user *shmaddr, 1967 int shmflg) 1968 { 1969 int may; 1970 1971 may = smack_flags_to_may(shmflg); 1972 return smk_curacc_shm(shp, may); 1973 } 1974 1975 /** 1976 * smack_of_sem - the smack pointer for the sem 1977 * @sma: the object 1978 * 1979 * Returns a pointer to the smack value 1980 */ 1981 static char *smack_of_sem(struct sem_array *sma) 1982 { 1983 return (char *)sma->sem_perm.security; 1984 } 1985 1986 /** 1987 * smack_sem_alloc_security - Set the security blob for sem 1988 * @sma: the object 1989 * 1990 * Returns 0 1991 */ 1992 static int smack_sem_alloc_security(struct sem_array *sma) 1993 { 1994 struct kern_ipc_perm *isp = &sma->sem_perm; 1995 1996 isp->security = smk_of_current(); 1997 return 0; 1998 } 1999 2000 /** 2001 * smack_sem_free_security - Clear the security blob for sem 2002 * @sma: the object 2003 * 2004 * Clears the blob pointer 2005 */ 2006 static void smack_sem_free_security(struct sem_array *sma) 2007 { 2008 struct kern_ipc_perm *isp = &sma->sem_perm; 2009 2010 isp->security = NULL; 2011 } 2012 2013 /** 2014 * smk_curacc_sem : check if current has access on sem 2015 * @sma : the object 2016 * @access : access requested 2017 * 2018 * Returns 0 if current has the requested access, error code otherwise 2019 */ 2020 static int smk_curacc_sem(struct sem_array *sma, int access) 2021 { 2022 char *ssp = smack_of_sem(sma); 2023 struct smk_audit_info ad; 2024 2025 #ifdef CONFIG_AUDIT 2026 smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_IPC); 2027 ad.a.u.ipc_id = sma->sem_perm.id; 2028 #endif 2029 return smk_curacc(ssp, access, &ad); 2030 } 2031 2032 /** 2033 * smack_sem_associate - Smack access check for sem 2034 * @sma: the object 2035 * @semflg: access requested 2036 * 2037 * Returns 0 if current has the requested access, error code otherwise 2038 */ 2039 static int smack_sem_associate(struct sem_array *sma, int semflg) 2040 { 2041 int may; 2042 2043 may = smack_flags_to_may(semflg); 2044 return smk_curacc_sem(sma, may); 2045 } 2046 2047 /** 2048 * smack_sem_shmctl - Smack access check for sem 2049 * @sma: the object 2050 * @cmd: what it wants to do 2051 * 2052 * Returns 0 if current has the requested access, error code otherwise 2053 */ 2054 static int smack_sem_semctl(struct sem_array *sma, int cmd) 2055 { 2056 int may; 2057 2058 switch (cmd) { 2059 case GETPID: 2060 case GETNCNT: 2061 case GETZCNT: 2062 case GETVAL: 2063 case GETALL: 2064 case IPC_STAT: 2065 case SEM_STAT: 2066 may = MAY_READ; 2067 break; 2068 case SETVAL: 2069 case SETALL: 2070 case IPC_RMID: 2071 case IPC_SET: 2072 may = MAY_READWRITE; 2073 break; 2074 case IPC_INFO: 2075 case SEM_INFO: 2076 /* 2077 * System level information 2078 */ 2079 return 0; 2080 default: 2081 return -EINVAL; 2082 } 2083 2084 return smk_curacc_sem(sma, may); 2085 } 2086 2087 /** 2088 * smack_sem_semop - Smack checks of semaphore operations 2089 * @sma: the object 2090 * @sops: unused 2091 * @nsops: unused 2092 * @alter: unused 2093 * 2094 * Treated as read and write in all cases. 2095 * 2096 * Returns 0 if access is allowed, error code otherwise 2097 */ 2098 static int smack_sem_semop(struct sem_array *sma, struct sembuf *sops, 2099 unsigned nsops, int alter) 2100 { 2101 return smk_curacc_sem(sma, MAY_READWRITE); 2102 } 2103 2104 /** 2105 * smack_msg_alloc_security - Set the security blob for msg 2106 * @msq: the object 2107 * 2108 * Returns 0 2109 */ 2110 static int smack_msg_queue_alloc_security(struct msg_queue *msq) 2111 { 2112 struct kern_ipc_perm *kisp = &msq->q_perm; 2113 2114 kisp->security = smk_of_current(); 2115 return 0; 2116 } 2117 2118 /** 2119 * smack_msg_free_security - Clear the security blob for msg 2120 * @msq: the object 2121 * 2122 * Clears the blob pointer 2123 */ 2124 static void smack_msg_queue_free_security(struct msg_queue *msq) 2125 { 2126 struct kern_ipc_perm *kisp = &msq->q_perm; 2127 2128 kisp->security = NULL; 2129 } 2130 2131 /** 2132 * smack_of_msq - the smack pointer for the msq 2133 * @msq: the object 2134 * 2135 * Returns a pointer to the smack value 2136 */ 2137 static char *smack_of_msq(struct msg_queue *msq) 2138 { 2139 return (char *)msq->q_perm.security; 2140 } 2141 2142 /** 2143 * smk_curacc_msq : helper to check if current has access on msq 2144 * @msq : the msq 2145 * @access : access requested 2146 * 2147 * return 0 if current has access, error otherwise 2148 */ 2149 static int smk_curacc_msq(struct msg_queue *msq, int access) 2150 { 2151 char *msp = smack_of_msq(msq); 2152 struct smk_audit_info ad; 2153 2154 #ifdef CONFIG_AUDIT 2155 smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_IPC); 2156 ad.a.u.ipc_id = msq->q_perm.id; 2157 #endif 2158 return smk_curacc(msp, access, &ad); 2159 } 2160 2161 /** 2162 * smack_msg_queue_associate - Smack access check for msg_queue 2163 * @msq: the object 2164 * @msqflg: access requested 2165 * 2166 * Returns 0 if current has the requested access, error code otherwise 2167 */ 2168 static int smack_msg_queue_associate(struct msg_queue *msq, int msqflg) 2169 { 2170 int may; 2171 2172 may = smack_flags_to_may(msqflg); 2173 return smk_curacc_msq(msq, may); 2174 } 2175 2176 /** 2177 * smack_msg_queue_msgctl - Smack access check for msg_queue 2178 * @msq: the object 2179 * @cmd: what it wants to do 2180 * 2181 * Returns 0 if current has the requested access, error code otherwise 2182 */ 2183 static int smack_msg_queue_msgctl(struct msg_queue *msq, int cmd) 2184 { 2185 int may; 2186 2187 switch (cmd) { 2188 case IPC_STAT: 2189 case MSG_STAT: 2190 may = MAY_READ; 2191 break; 2192 case IPC_SET: 2193 case IPC_RMID: 2194 may = MAY_READWRITE; 2195 break; 2196 case IPC_INFO: 2197 case MSG_INFO: 2198 /* 2199 * System level information 2200 */ 2201 return 0; 2202 default: 2203 return -EINVAL; 2204 } 2205 2206 return smk_curacc_msq(msq, may); 2207 } 2208 2209 /** 2210 * smack_msg_queue_msgsnd - Smack access check for msg_queue 2211 * @msq: the object 2212 * @msg: unused 2213 * @msqflg: access requested 2214 * 2215 * Returns 0 if current has the requested access, error code otherwise 2216 */ 2217 static int smack_msg_queue_msgsnd(struct msg_queue *msq, struct msg_msg *msg, 2218 int msqflg) 2219 { 2220 int may; 2221 2222 may = smack_flags_to_may(msqflg); 2223 return smk_curacc_msq(msq, may); 2224 } 2225 2226 /** 2227 * smack_msg_queue_msgsnd - Smack access check for msg_queue 2228 * @msq: the object 2229 * @msg: unused 2230 * @target: unused 2231 * @type: unused 2232 * @mode: unused 2233 * 2234 * Returns 0 if current has read and write access, error code otherwise 2235 */ 2236 static int smack_msg_queue_msgrcv(struct msg_queue *msq, struct msg_msg *msg, 2237 struct task_struct *target, long type, int mode) 2238 { 2239 return smk_curacc_msq(msq, MAY_READWRITE); 2240 } 2241 2242 /** 2243 * smack_ipc_permission - Smack access for ipc_permission() 2244 * @ipp: the object permissions 2245 * @flag: access requested 2246 * 2247 * Returns 0 if current has read and write access, error code otherwise 2248 */ 2249 static int smack_ipc_permission(struct kern_ipc_perm *ipp, short flag) 2250 { 2251 char *isp = ipp->security; 2252 int may = smack_flags_to_may(flag); 2253 struct smk_audit_info ad; 2254 2255 #ifdef CONFIG_AUDIT 2256 smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_IPC); 2257 ad.a.u.ipc_id = ipp->id; 2258 #endif 2259 return smk_curacc(isp, may, &ad); 2260 } 2261 2262 /** 2263 * smack_ipc_getsecid - Extract smack security id 2264 * @ipp: the object permissions 2265 * @secid: where result will be saved 2266 */ 2267 static void smack_ipc_getsecid(struct kern_ipc_perm *ipp, u32 *secid) 2268 { 2269 char *smack = ipp->security; 2270 2271 *secid = smack_to_secid(smack); 2272 } 2273 2274 /** 2275 * smack_d_instantiate - Make sure the blob is correct on an inode 2276 * @opt_dentry: dentry where inode will be attached 2277 * @inode: the object 2278 * 2279 * Set the inode's security blob if it hasn't been done already. 2280 */ 2281 static void smack_d_instantiate(struct dentry *opt_dentry, struct inode *inode) 2282 { 2283 struct super_block *sbp; 2284 struct superblock_smack *sbsp; 2285 struct inode_smack *isp; 2286 char *csp = smk_of_current(); 2287 char *fetched; 2288 char *final; 2289 char trattr[TRANS_TRUE_SIZE]; 2290 int transflag = 0; 2291 struct dentry *dp; 2292 2293 if (inode == NULL) 2294 return; 2295 2296 isp = inode->i_security; 2297 2298 mutex_lock(&isp->smk_lock); 2299 /* 2300 * If the inode is already instantiated 2301 * take the quick way out 2302 */ 2303 if (isp->smk_flags & SMK_INODE_INSTANT) 2304 goto unlockandout; 2305 2306 sbp = inode->i_sb; 2307 sbsp = sbp->s_security; 2308 /* 2309 * We're going to use the superblock default label 2310 * if there's no label on the file. 2311 */ 2312 final = sbsp->smk_default; 2313 2314 /* 2315 * If this is the root inode the superblock 2316 * may be in the process of initialization. 2317 * If that is the case use the root value out 2318 * of the superblock. 2319 */ 2320 if (opt_dentry->d_parent == opt_dentry) { 2321 isp->smk_inode = sbsp->smk_root; 2322 isp->smk_flags |= SMK_INODE_INSTANT; 2323 goto unlockandout; 2324 } 2325 2326 /* 2327 * This is pretty hackish. 2328 * Casey says that we shouldn't have to do 2329 * file system specific code, but it does help 2330 * with keeping it simple. 2331 */ 2332 switch (sbp->s_magic) { 2333 case SMACK_MAGIC: 2334 /* 2335 * Casey says that it's a little embarassing 2336 * that the smack file system doesn't do 2337 * extended attributes. 2338 */ 2339 final = smack_known_star.smk_known; 2340 break; 2341 case PIPEFS_MAGIC: 2342 /* 2343 * Casey says pipes are easy (?) 2344 */ 2345 final = smack_known_star.smk_known; 2346 break; 2347 case DEVPTS_SUPER_MAGIC: 2348 /* 2349 * devpts seems content with the label of the task. 2350 * Programs that change smack have to treat the 2351 * pty with respect. 2352 */ 2353 final = csp; 2354 break; 2355 case SOCKFS_MAGIC: 2356 /* 2357 * Socket access is controlled by the socket 2358 * structures associated with the task involved. 2359 */ 2360 final = smack_known_star.smk_known; 2361 break; 2362 case PROC_SUPER_MAGIC: 2363 /* 2364 * Casey says procfs appears not to care. 2365 * The superblock default suffices. 2366 */ 2367 break; 2368 case TMPFS_MAGIC: 2369 /* 2370 * Device labels should come from the filesystem, 2371 * but watch out, because they're volitile, 2372 * getting recreated on every reboot. 2373 */ 2374 final = smack_known_star.smk_known; 2375 /* 2376 * No break. 2377 * 2378 * If a smack value has been set we want to use it, 2379 * but since tmpfs isn't giving us the opportunity 2380 * to set mount options simulate setting the 2381 * superblock default. 2382 */ 2383 default: 2384 /* 2385 * This isn't an understood special case. 2386 * Get the value from the xattr. 2387 */ 2388 2389 /* 2390 * UNIX domain sockets use lower level socket data. 2391 */ 2392 if (S_ISSOCK(inode->i_mode)) { 2393 final = smack_known_star.smk_known; 2394 break; 2395 } 2396 /* 2397 * No xattr support means, alas, no SMACK label. 2398 * Use the aforeapplied default. 2399 * It would be curious if the label of the task 2400 * does not match that assigned. 2401 */ 2402 if (inode->i_op->getxattr == NULL) 2403 break; 2404 /* 2405 * Get the dentry for xattr. 2406 */ 2407 dp = dget(opt_dentry); 2408 fetched = smk_fetch(XATTR_NAME_SMACK, inode, dp); 2409 if (fetched != NULL) { 2410 final = fetched; 2411 if (S_ISDIR(inode->i_mode)) { 2412 trattr[0] = '\0'; 2413 inode->i_op->getxattr(dp, 2414 XATTR_NAME_SMACKTRANSMUTE, 2415 trattr, TRANS_TRUE_SIZE); 2416 if (strncmp(trattr, TRANS_TRUE, 2417 TRANS_TRUE_SIZE) == 0) 2418 transflag = SMK_INODE_TRANSMUTE; 2419 } 2420 } 2421 isp->smk_task = smk_fetch(XATTR_NAME_SMACKEXEC, inode, dp); 2422 2423 dput(dp); 2424 break; 2425 } 2426 2427 if (final == NULL) 2428 isp->smk_inode = csp; 2429 else 2430 isp->smk_inode = final; 2431 2432 isp->smk_flags |= (SMK_INODE_INSTANT | transflag); 2433 2434 unlockandout: 2435 mutex_unlock(&isp->smk_lock); 2436 return; 2437 } 2438 2439 /** 2440 * smack_getprocattr - Smack process attribute access 2441 * @p: the object task 2442 * @name: the name of the attribute in /proc/.../attr 2443 * @value: where to put the result 2444 * 2445 * Places a copy of the task Smack into value 2446 * 2447 * Returns the length of the smack label or an error code 2448 */ 2449 static int smack_getprocattr(struct task_struct *p, char *name, char **value) 2450 { 2451 char *cp; 2452 int slen; 2453 2454 if (strcmp(name, "current") != 0) 2455 return -EINVAL; 2456 2457 cp = kstrdup(smk_of_task(task_security(p)), GFP_KERNEL); 2458 if (cp == NULL) 2459 return -ENOMEM; 2460 2461 slen = strlen(cp); 2462 *value = cp; 2463 return slen; 2464 } 2465 2466 /** 2467 * smack_setprocattr - Smack process attribute setting 2468 * @p: the object task 2469 * @name: the name of the attribute in /proc/.../attr 2470 * @value: the value to set 2471 * @size: the size of the value 2472 * 2473 * Sets the Smack value of the task. Only setting self 2474 * is permitted and only with privilege 2475 * 2476 * Returns the length of the smack label or an error code 2477 */ 2478 static int smack_setprocattr(struct task_struct *p, char *name, 2479 void *value, size_t size) 2480 { 2481 struct task_smack *tsp; 2482 struct task_smack *oldtsp; 2483 struct cred *new; 2484 char *newsmack; 2485 2486 /* 2487 * Changing another process' Smack value is too dangerous 2488 * and supports no sane use case. 2489 */ 2490 if (p != current) 2491 return -EPERM; 2492 2493 if (!capable(CAP_MAC_ADMIN)) 2494 return -EPERM; 2495 2496 if (value == NULL || size == 0 || size >= SMK_LABELLEN) 2497 return -EINVAL; 2498 2499 if (strcmp(name, "current") != 0) 2500 return -EINVAL; 2501 2502 newsmack = smk_import(value, size); 2503 if (newsmack == NULL) 2504 return -EINVAL; 2505 2506 /* 2507 * No process is ever allowed the web ("@") label. 2508 */ 2509 if (newsmack == smack_known_web.smk_known) 2510 return -EPERM; 2511 2512 oldtsp = p->cred->security; 2513 new = prepare_creds(); 2514 if (new == NULL) 2515 return -ENOMEM; 2516 tsp = kzalloc(sizeof(struct task_smack), GFP_KERNEL); 2517 if (tsp == NULL) { 2518 kfree(new); 2519 return -ENOMEM; 2520 } 2521 tsp->smk_task = newsmack; 2522 tsp->smk_forked = oldtsp->smk_forked; 2523 new->security = tsp; 2524 commit_creds(new); 2525 return size; 2526 } 2527 2528 /** 2529 * smack_unix_stream_connect - Smack access on UDS 2530 * @sock: one sock 2531 * @other: the other sock 2532 * @newsk: unused 2533 * 2534 * Return 0 if a subject with the smack of sock could access 2535 * an object with the smack of other, otherwise an error code 2536 */ 2537 static int smack_unix_stream_connect(struct sock *sock, 2538 struct sock *other, struct sock *newsk) 2539 { 2540 struct socket_smack *ssp = sock->sk_security; 2541 struct socket_smack *osp = other->sk_security; 2542 struct smk_audit_info ad; 2543 int rc = 0; 2544 2545 smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_NET); 2546 smk_ad_setfield_u_net_sk(&ad, other); 2547 2548 if (!capable(CAP_MAC_OVERRIDE)) 2549 rc = smk_access(ssp->smk_out, osp->smk_in, MAY_WRITE, &ad); 2550 2551 return rc; 2552 } 2553 2554 /** 2555 * smack_unix_may_send - Smack access on UDS 2556 * @sock: one socket 2557 * @other: the other socket 2558 * 2559 * Return 0 if a subject with the smack of sock could access 2560 * an object with the smack of other, otherwise an error code 2561 */ 2562 static int smack_unix_may_send(struct socket *sock, struct socket *other) 2563 { 2564 struct socket_smack *ssp = sock->sk->sk_security; 2565 struct socket_smack *osp = other->sk->sk_security; 2566 struct smk_audit_info ad; 2567 int rc = 0; 2568 2569 smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_NET); 2570 smk_ad_setfield_u_net_sk(&ad, other->sk); 2571 2572 if (!capable(CAP_MAC_OVERRIDE)) 2573 rc = smk_access(ssp->smk_out, osp->smk_in, MAY_WRITE, &ad); 2574 2575 return rc; 2576 } 2577 2578 /** 2579 * smack_socket_sendmsg - Smack check based on destination host 2580 * @sock: the socket 2581 * @msg: the message 2582 * @size: the size of the message 2583 * 2584 * Return 0 if the current subject can write to the destination 2585 * host. This is only a question if the destination is a single 2586 * label host. 2587 */ 2588 static int smack_socket_sendmsg(struct socket *sock, struct msghdr *msg, 2589 int size) 2590 { 2591 struct sockaddr_in *sip = (struct sockaddr_in *) msg->msg_name; 2592 2593 /* 2594 * Perfectly reasonable for this to be NULL 2595 */ 2596 if (sip == NULL || sip->sin_family != AF_INET) 2597 return 0; 2598 2599 return smack_netlabel_send(sock->sk, sip); 2600 } 2601 2602 2603 /** 2604 * smack_from_secattr - Convert a netlabel attr.mls.lvl/attr.mls.cat pair to smack 2605 * @sap: netlabel secattr 2606 * @sip: where to put the result 2607 * 2608 * Copies a smack label into sip 2609 */ 2610 static void smack_from_secattr(struct netlbl_lsm_secattr *sap, char *sip) 2611 { 2612 char smack[SMK_LABELLEN]; 2613 char *sp; 2614 int pcat; 2615 2616 if ((sap->flags & NETLBL_SECATTR_MLS_LVL) != 0) { 2617 /* 2618 * Looks like a CIPSO packet. 2619 * If there are flags but no level netlabel isn't 2620 * behaving the way we expect it to. 2621 * 2622 * Get the categories, if any 2623 * Without guidance regarding the smack value 2624 * for the packet fall back on the network 2625 * ambient value. 2626 */ 2627 memset(smack, '\0', SMK_LABELLEN); 2628 if ((sap->flags & NETLBL_SECATTR_MLS_CAT) != 0) 2629 for (pcat = -1;;) { 2630 pcat = netlbl_secattr_catmap_walk( 2631 sap->attr.mls.cat, pcat + 1); 2632 if (pcat < 0) 2633 break; 2634 smack_catset_bit(pcat, smack); 2635 } 2636 /* 2637 * If it is CIPSO using smack direct mapping 2638 * we are already done. WeeHee. 2639 */ 2640 if (sap->attr.mls.lvl == smack_cipso_direct) { 2641 memcpy(sip, smack, SMK_MAXLEN); 2642 return; 2643 } 2644 /* 2645 * Look it up in the supplied table if it is not 2646 * a direct mapping. 2647 */ 2648 smack_from_cipso(sap->attr.mls.lvl, smack, sip); 2649 return; 2650 } 2651 if ((sap->flags & NETLBL_SECATTR_SECID) != 0) { 2652 /* 2653 * Looks like a fallback, which gives us a secid. 2654 */ 2655 sp = smack_from_secid(sap->attr.secid); 2656 /* 2657 * This has got to be a bug because it is 2658 * impossible to specify a fallback without 2659 * specifying the label, which will ensure 2660 * it has a secid, and the only way to get a 2661 * secid is from a fallback. 2662 */ 2663 BUG_ON(sp == NULL); 2664 strncpy(sip, sp, SMK_MAXLEN); 2665 return; 2666 } 2667 /* 2668 * Without guidance regarding the smack value 2669 * for the packet fall back on the network 2670 * ambient value. 2671 */ 2672 strncpy(sip, smack_net_ambient, SMK_MAXLEN); 2673 return; 2674 } 2675 2676 /** 2677 * smack_socket_sock_rcv_skb - Smack packet delivery access check 2678 * @sk: socket 2679 * @skb: packet 2680 * 2681 * Returns 0 if the packet should be delivered, an error code otherwise 2682 */ 2683 static int smack_socket_sock_rcv_skb(struct sock *sk, struct sk_buff *skb) 2684 { 2685 struct netlbl_lsm_secattr secattr; 2686 struct socket_smack *ssp = sk->sk_security; 2687 char smack[SMK_LABELLEN]; 2688 char *csp; 2689 int rc; 2690 struct smk_audit_info ad; 2691 if (sk->sk_family != PF_INET && sk->sk_family != PF_INET6) 2692 return 0; 2693 2694 /* 2695 * Translate what netlabel gave us. 2696 */ 2697 netlbl_secattr_init(&secattr); 2698 2699 rc = netlbl_skbuff_getattr(skb, sk->sk_family, &secattr); 2700 if (rc == 0) { 2701 smack_from_secattr(&secattr, smack); 2702 csp = smack; 2703 } else 2704 csp = smack_net_ambient; 2705 2706 netlbl_secattr_destroy(&secattr); 2707 2708 #ifdef CONFIG_AUDIT 2709 smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_NET); 2710 ad.a.u.net.family = sk->sk_family; 2711 ad.a.u.net.netif = skb->skb_iif; 2712 ipv4_skb_to_auditdata(skb, &ad.a, NULL); 2713 #endif 2714 /* 2715 * Receiving a packet requires that the other end 2716 * be able to write here. Read access is not required. 2717 * This is the simplist possible security model 2718 * for networking. 2719 */ 2720 rc = smk_access(csp, ssp->smk_in, MAY_WRITE, &ad); 2721 if (rc != 0) 2722 netlbl_skbuff_err(skb, rc, 0); 2723 return rc; 2724 } 2725 2726 /** 2727 * smack_socket_getpeersec_stream - pull in packet label 2728 * @sock: the socket 2729 * @optval: user's destination 2730 * @optlen: size thereof 2731 * @len: max thereof 2732 * 2733 * returns zero on success, an error code otherwise 2734 */ 2735 static int smack_socket_getpeersec_stream(struct socket *sock, 2736 char __user *optval, 2737 int __user *optlen, unsigned len) 2738 { 2739 struct socket_smack *ssp; 2740 int slen; 2741 int rc = 0; 2742 2743 ssp = sock->sk->sk_security; 2744 slen = strlen(ssp->smk_packet) + 1; 2745 2746 if (slen > len) 2747 rc = -ERANGE; 2748 else if (copy_to_user(optval, ssp->smk_packet, slen) != 0) 2749 rc = -EFAULT; 2750 2751 if (put_user(slen, optlen) != 0) 2752 rc = -EFAULT; 2753 2754 return rc; 2755 } 2756 2757 2758 /** 2759 * smack_socket_getpeersec_dgram - pull in packet label 2760 * @sock: the peer socket 2761 * @skb: packet data 2762 * @secid: pointer to where to put the secid of the packet 2763 * 2764 * Sets the netlabel socket state on sk from parent 2765 */ 2766 static int smack_socket_getpeersec_dgram(struct socket *sock, 2767 struct sk_buff *skb, u32 *secid) 2768 2769 { 2770 struct netlbl_lsm_secattr secattr; 2771 struct socket_smack *sp; 2772 char smack[SMK_LABELLEN]; 2773 int family = PF_UNSPEC; 2774 u32 s = 0; /* 0 is the invalid secid */ 2775 int rc; 2776 2777 if (skb != NULL) { 2778 if (skb->protocol == htons(ETH_P_IP)) 2779 family = PF_INET; 2780 else if (skb->protocol == htons(ETH_P_IPV6)) 2781 family = PF_INET6; 2782 } 2783 if (family == PF_UNSPEC && sock != NULL) 2784 family = sock->sk->sk_family; 2785 2786 if (family == PF_UNIX) { 2787 sp = sock->sk->sk_security; 2788 s = smack_to_secid(sp->smk_out); 2789 } else if (family == PF_INET || family == PF_INET6) { 2790 /* 2791 * Translate what netlabel gave us. 2792 */ 2793 netlbl_secattr_init(&secattr); 2794 rc = netlbl_skbuff_getattr(skb, family, &secattr); 2795 if (rc == 0) { 2796 smack_from_secattr(&secattr, smack); 2797 s = smack_to_secid(smack); 2798 } 2799 netlbl_secattr_destroy(&secattr); 2800 } 2801 *secid = s; 2802 if (s == 0) 2803 return -EINVAL; 2804 return 0; 2805 } 2806 2807 /** 2808 * smack_sock_graft - Initialize a newly created socket with an existing sock 2809 * @sk: child sock 2810 * @parent: parent socket 2811 * 2812 * Set the smk_{in,out} state of an existing sock based on the process that 2813 * is creating the new socket. 2814 */ 2815 static void smack_sock_graft(struct sock *sk, struct socket *parent) 2816 { 2817 struct socket_smack *ssp; 2818 2819 if (sk == NULL || 2820 (sk->sk_family != PF_INET && sk->sk_family != PF_INET6)) 2821 return; 2822 2823 ssp = sk->sk_security; 2824 ssp->smk_in = ssp->smk_out = smk_of_current(); 2825 /* cssp->smk_packet is already set in smack_inet_csk_clone() */ 2826 } 2827 2828 /** 2829 * smack_inet_conn_request - Smack access check on connect 2830 * @sk: socket involved 2831 * @skb: packet 2832 * @req: unused 2833 * 2834 * Returns 0 if a task with the packet label could write to 2835 * the socket, otherwise an error code 2836 */ 2837 static int smack_inet_conn_request(struct sock *sk, struct sk_buff *skb, 2838 struct request_sock *req) 2839 { 2840 u16 family = sk->sk_family; 2841 struct socket_smack *ssp = sk->sk_security; 2842 struct netlbl_lsm_secattr secattr; 2843 struct sockaddr_in addr; 2844 struct iphdr *hdr; 2845 char smack[SMK_LABELLEN]; 2846 int rc; 2847 struct smk_audit_info ad; 2848 2849 /* handle mapped IPv4 packets arriving via IPv6 sockets */ 2850 if (family == PF_INET6 && skb->protocol == htons(ETH_P_IP)) 2851 family = PF_INET; 2852 2853 netlbl_secattr_init(&secattr); 2854 rc = netlbl_skbuff_getattr(skb, family, &secattr); 2855 if (rc == 0) 2856 smack_from_secattr(&secattr, smack); 2857 else 2858 strncpy(smack, smack_known_huh.smk_known, SMK_MAXLEN); 2859 netlbl_secattr_destroy(&secattr); 2860 2861 #ifdef CONFIG_AUDIT 2862 smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_NET); 2863 ad.a.u.net.family = family; 2864 ad.a.u.net.netif = skb->skb_iif; 2865 ipv4_skb_to_auditdata(skb, &ad.a, NULL); 2866 #endif 2867 /* 2868 * Receiving a packet requires that the other end be able to write 2869 * here. Read access is not required. 2870 */ 2871 rc = smk_access(smack, ssp->smk_in, MAY_WRITE, &ad); 2872 if (rc != 0) 2873 return rc; 2874 2875 /* 2876 * Save the peer's label in the request_sock so we can later setup 2877 * smk_packet in the child socket so that SO_PEERCRED can report it. 2878 */ 2879 req->peer_secid = smack_to_secid(smack); 2880 2881 /* 2882 * We need to decide if we want to label the incoming connection here 2883 * if we do we only need to label the request_sock and the stack will 2884 * propogate the wire-label to the sock when it is created. 2885 */ 2886 hdr = ip_hdr(skb); 2887 addr.sin_addr.s_addr = hdr->saddr; 2888 rcu_read_lock(); 2889 if (smack_host_label(&addr) == NULL) { 2890 rcu_read_unlock(); 2891 netlbl_secattr_init(&secattr); 2892 smack_to_secattr(smack, &secattr); 2893 rc = netlbl_req_setattr(req, &secattr); 2894 netlbl_secattr_destroy(&secattr); 2895 } else { 2896 rcu_read_unlock(); 2897 netlbl_req_delattr(req); 2898 } 2899 2900 return rc; 2901 } 2902 2903 /** 2904 * smack_inet_csk_clone - Copy the connection information to the new socket 2905 * @sk: the new socket 2906 * @req: the connection's request_sock 2907 * 2908 * Transfer the connection's peer label to the newly created socket. 2909 */ 2910 static void smack_inet_csk_clone(struct sock *sk, 2911 const struct request_sock *req) 2912 { 2913 struct socket_smack *ssp = sk->sk_security; 2914 char *smack; 2915 2916 if (req->peer_secid != 0) { 2917 smack = smack_from_secid(req->peer_secid); 2918 strncpy(ssp->smk_packet, smack, SMK_MAXLEN); 2919 } else 2920 ssp->smk_packet[0] = '\0'; 2921 } 2922 2923 /* 2924 * Key management security hooks 2925 * 2926 * Casey has not tested key support very heavily. 2927 * The permission check is most likely too restrictive. 2928 * If you care about keys please have a look. 2929 */ 2930 #ifdef CONFIG_KEYS 2931 2932 /** 2933 * smack_key_alloc - Set the key security blob 2934 * @key: object 2935 * @cred: the credentials to use 2936 * @flags: unused 2937 * 2938 * No allocation required 2939 * 2940 * Returns 0 2941 */ 2942 static int smack_key_alloc(struct key *key, const struct cred *cred, 2943 unsigned long flags) 2944 { 2945 key->security = smk_of_task(cred->security); 2946 return 0; 2947 } 2948 2949 /** 2950 * smack_key_free - Clear the key security blob 2951 * @key: the object 2952 * 2953 * Clear the blob pointer 2954 */ 2955 static void smack_key_free(struct key *key) 2956 { 2957 key->security = NULL; 2958 } 2959 2960 /* 2961 * smack_key_permission - Smack access on a key 2962 * @key_ref: gets to the object 2963 * @cred: the credentials to use 2964 * @perm: unused 2965 * 2966 * Return 0 if the task has read and write to the object, 2967 * an error code otherwise 2968 */ 2969 static int smack_key_permission(key_ref_t key_ref, 2970 const struct cred *cred, key_perm_t perm) 2971 { 2972 struct key *keyp; 2973 struct smk_audit_info ad; 2974 char *tsp = smk_of_task(cred->security); 2975 2976 keyp = key_ref_to_ptr(key_ref); 2977 if (keyp == NULL) 2978 return -EINVAL; 2979 /* 2980 * If the key hasn't been initialized give it access so that 2981 * it may do so. 2982 */ 2983 if (keyp->security == NULL) 2984 return 0; 2985 /* 2986 * This should not occur 2987 */ 2988 if (tsp == NULL) 2989 return -EACCES; 2990 #ifdef CONFIG_AUDIT 2991 smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_KEY); 2992 ad.a.u.key_struct.key = keyp->serial; 2993 ad.a.u.key_struct.key_desc = keyp->description; 2994 #endif 2995 return smk_access(tsp, keyp->security, 2996 MAY_READWRITE, &ad); 2997 } 2998 #endif /* CONFIG_KEYS */ 2999 3000 /* 3001 * Smack Audit hooks 3002 * 3003 * Audit requires a unique representation of each Smack specific 3004 * rule. This unique representation is used to distinguish the 3005 * object to be audited from remaining kernel objects and also 3006 * works as a glue between the audit hooks. 3007 * 3008 * Since repository entries are added but never deleted, we'll use 3009 * the smack_known label address related to the given audit rule as 3010 * the needed unique representation. This also better fits the smack 3011 * model where nearly everything is a label. 3012 */ 3013 #ifdef CONFIG_AUDIT 3014 3015 /** 3016 * smack_audit_rule_init - Initialize a smack audit rule 3017 * @field: audit rule fields given from user-space (audit.h) 3018 * @op: required testing operator (=, !=, >, <, ...) 3019 * @rulestr: smack label to be audited 3020 * @vrule: pointer to save our own audit rule representation 3021 * 3022 * Prepare to audit cases where (@field @op @rulestr) is true. 3023 * The label to be audited is created if necessay. 3024 */ 3025 static int smack_audit_rule_init(u32 field, u32 op, char *rulestr, void **vrule) 3026 { 3027 char **rule = (char **)vrule; 3028 *rule = NULL; 3029 3030 if (field != AUDIT_SUBJ_USER && field != AUDIT_OBJ_USER) 3031 return -EINVAL; 3032 3033 if (op != Audit_equal && op != Audit_not_equal) 3034 return -EINVAL; 3035 3036 *rule = smk_import(rulestr, 0); 3037 3038 return 0; 3039 } 3040 3041 /** 3042 * smack_audit_rule_known - Distinguish Smack audit rules 3043 * @krule: rule of interest, in Audit kernel representation format 3044 * 3045 * This is used to filter Smack rules from remaining Audit ones. 3046 * If it's proved that this rule belongs to us, the 3047 * audit_rule_match hook will be called to do the final judgement. 3048 */ 3049 static int smack_audit_rule_known(struct audit_krule *krule) 3050 { 3051 struct audit_field *f; 3052 int i; 3053 3054 for (i = 0; i < krule->field_count; i++) { 3055 f = &krule->fields[i]; 3056 3057 if (f->type == AUDIT_SUBJ_USER || f->type == AUDIT_OBJ_USER) 3058 return 1; 3059 } 3060 3061 return 0; 3062 } 3063 3064 /** 3065 * smack_audit_rule_match - Audit given object ? 3066 * @secid: security id for identifying the object to test 3067 * @field: audit rule flags given from user-space 3068 * @op: required testing operator 3069 * @vrule: smack internal rule presentation 3070 * @actx: audit context associated with the check 3071 * 3072 * The core Audit hook. It's used to take the decision of 3073 * whether to audit or not to audit a given object. 3074 */ 3075 static int smack_audit_rule_match(u32 secid, u32 field, u32 op, void *vrule, 3076 struct audit_context *actx) 3077 { 3078 char *smack; 3079 char *rule = vrule; 3080 3081 if (!rule) { 3082 audit_log(actx, GFP_KERNEL, AUDIT_SELINUX_ERR, 3083 "Smack: missing rule\n"); 3084 return -ENOENT; 3085 } 3086 3087 if (field != AUDIT_SUBJ_USER && field != AUDIT_OBJ_USER) 3088 return 0; 3089 3090 smack = smack_from_secid(secid); 3091 3092 /* 3093 * No need to do string comparisons. If a match occurs, 3094 * both pointers will point to the same smack_known 3095 * label. 3096 */ 3097 if (op == Audit_equal) 3098 return (rule == smack); 3099 if (op == Audit_not_equal) 3100 return (rule != smack); 3101 3102 return 0; 3103 } 3104 3105 /** 3106 * smack_audit_rule_free - free smack rule representation 3107 * @vrule: rule to be freed. 3108 * 3109 * No memory was allocated. 3110 */ 3111 static void smack_audit_rule_free(void *vrule) 3112 { 3113 /* No-op */ 3114 } 3115 3116 #endif /* CONFIG_AUDIT */ 3117 3118 /** 3119 * smack_secid_to_secctx - return the smack label for a secid 3120 * @secid: incoming integer 3121 * @secdata: destination 3122 * @seclen: how long it is 3123 * 3124 * Exists for networking code. 3125 */ 3126 static int smack_secid_to_secctx(u32 secid, char **secdata, u32 *seclen) 3127 { 3128 char *sp = smack_from_secid(secid); 3129 3130 if (secdata) 3131 *secdata = sp; 3132 *seclen = strlen(sp); 3133 return 0; 3134 } 3135 3136 /** 3137 * smack_secctx_to_secid - return the secid for a smack label 3138 * @secdata: smack label 3139 * @seclen: how long result is 3140 * @secid: outgoing integer 3141 * 3142 * Exists for audit and networking code. 3143 */ 3144 static int smack_secctx_to_secid(const char *secdata, u32 seclen, u32 *secid) 3145 { 3146 *secid = smack_to_secid(secdata); 3147 return 0; 3148 } 3149 3150 /** 3151 * smack_release_secctx - don't do anything. 3152 * @secdata: unused 3153 * @seclen: unused 3154 * 3155 * Exists to make sure nothing gets done, and properly 3156 */ 3157 static void smack_release_secctx(char *secdata, u32 seclen) 3158 { 3159 } 3160 3161 static int smack_inode_notifysecctx(struct inode *inode, void *ctx, u32 ctxlen) 3162 { 3163 return smack_inode_setsecurity(inode, XATTR_SMACK_SUFFIX, ctx, ctxlen, 0); 3164 } 3165 3166 static int smack_inode_setsecctx(struct dentry *dentry, void *ctx, u32 ctxlen) 3167 { 3168 return __vfs_setxattr_noperm(dentry, XATTR_NAME_SMACK, ctx, ctxlen, 0); 3169 } 3170 3171 static int smack_inode_getsecctx(struct inode *inode, void **ctx, u32 *ctxlen) 3172 { 3173 int len = 0; 3174 len = smack_inode_getsecurity(inode, XATTR_SMACK_SUFFIX, ctx, true); 3175 3176 if (len < 0) 3177 return len; 3178 *ctxlen = len; 3179 return 0; 3180 } 3181 3182 struct security_operations smack_ops = { 3183 .name = "smack", 3184 3185 .ptrace_access_check = smack_ptrace_access_check, 3186 .ptrace_traceme = smack_ptrace_traceme, 3187 .syslog = smack_syslog, 3188 3189 .sb_alloc_security = smack_sb_alloc_security, 3190 .sb_free_security = smack_sb_free_security, 3191 .sb_copy_data = smack_sb_copy_data, 3192 .sb_kern_mount = smack_sb_kern_mount, 3193 .sb_statfs = smack_sb_statfs, 3194 .sb_mount = smack_sb_mount, 3195 .sb_umount = smack_sb_umount, 3196 3197 .bprm_set_creds = smack_bprm_set_creds, 3198 3199 .inode_alloc_security = smack_inode_alloc_security, 3200 .inode_free_security = smack_inode_free_security, 3201 .inode_init_security = smack_inode_init_security, 3202 .inode_link = smack_inode_link, 3203 .inode_unlink = smack_inode_unlink, 3204 .inode_rmdir = smack_inode_rmdir, 3205 .inode_rename = smack_inode_rename, 3206 .inode_permission = smack_inode_permission, 3207 .inode_setattr = smack_inode_setattr, 3208 .inode_getattr = smack_inode_getattr, 3209 .inode_setxattr = smack_inode_setxattr, 3210 .inode_post_setxattr = smack_inode_post_setxattr, 3211 .inode_getxattr = smack_inode_getxattr, 3212 .inode_removexattr = smack_inode_removexattr, 3213 .inode_getsecurity = smack_inode_getsecurity, 3214 .inode_setsecurity = smack_inode_setsecurity, 3215 .inode_listsecurity = smack_inode_listsecurity, 3216 .inode_getsecid = smack_inode_getsecid, 3217 3218 .file_permission = smack_file_permission, 3219 .file_alloc_security = smack_file_alloc_security, 3220 .file_free_security = smack_file_free_security, 3221 .file_ioctl = smack_file_ioctl, 3222 .file_lock = smack_file_lock, 3223 .file_fcntl = smack_file_fcntl, 3224 .file_set_fowner = smack_file_set_fowner, 3225 .file_send_sigiotask = smack_file_send_sigiotask, 3226 .file_receive = smack_file_receive, 3227 3228 .cred_alloc_blank = smack_cred_alloc_blank, 3229 .cred_free = smack_cred_free, 3230 .cred_prepare = smack_cred_prepare, 3231 .cred_transfer = smack_cred_transfer, 3232 .kernel_act_as = smack_kernel_act_as, 3233 .kernel_create_files_as = smack_kernel_create_files_as, 3234 .task_setpgid = smack_task_setpgid, 3235 .task_getpgid = smack_task_getpgid, 3236 .task_getsid = smack_task_getsid, 3237 .task_getsecid = smack_task_getsecid, 3238 .task_setnice = smack_task_setnice, 3239 .task_setioprio = smack_task_setioprio, 3240 .task_getioprio = smack_task_getioprio, 3241 .task_setscheduler = smack_task_setscheduler, 3242 .task_getscheduler = smack_task_getscheduler, 3243 .task_movememory = smack_task_movememory, 3244 .task_kill = smack_task_kill, 3245 .task_wait = smack_task_wait, 3246 .task_to_inode = smack_task_to_inode, 3247 3248 .ipc_permission = smack_ipc_permission, 3249 .ipc_getsecid = smack_ipc_getsecid, 3250 3251 .msg_msg_alloc_security = smack_msg_msg_alloc_security, 3252 .msg_msg_free_security = smack_msg_msg_free_security, 3253 3254 .msg_queue_alloc_security = smack_msg_queue_alloc_security, 3255 .msg_queue_free_security = smack_msg_queue_free_security, 3256 .msg_queue_associate = smack_msg_queue_associate, 3257 .msg_queue_msgctl = smack_msg_queue_msgctl, 3258 .msg_queue_msgsnd = smack_msg_queue_msgsnd, 3259 .msg_queue_msgrcv = smack_msg_queue_msgrcv, 3260 3261 .shm_alloc_security = smack_shm_alloc_security, 3262 .shm_free_security = smack_shm_free_security, 3263 .shm_associate = smack_shm_associate, 3264 .shm_shmctl = smack_shm_shmctl, 3265 .shm_shmat = smack_shm_shmat, 3266 3267 .sem_alloc_security = smack_sem_alloc_security, 3268 .sem_free_security = smack_sem_free_security, 3269 .sem_associate = smack_sem_associate, 3270 .sem_semctl = smack_sem_semctl, 3271 .sem_semop = smack_sem_semop, 3272 3273 .d_instantiate = smack_d_instantiate, 3274 3275 .getprocattr = smack_getprocattr, 3276 .setprocattr = smack_setprocattr, 3277 3278 .unix_stream_connect = smack_unix_stream_connect, 3279 .unix_may_send = smack_unix_may_send, 3280 3281 .socket_post_create = smack_socket_post_create, 3282 .socket_connect = smack_socket_connect, 3283 .socket_sendmsg = smack_socket_sendmsg, 3284 .socket_sock_rcv_skb = smack_socket_sock_rcv_skb, 3285 .socket_getpeersec_stream = smack_socket_getpeersec_stream, 3286 .socket_getpeersec_dgram = smack_socket_getpeersec_dgram, 3287 .sk_alloc_security = smack_sk_alloc_security, 3288 .sk_free_security = smack_sk_free_security, 3289 .sock_graft = smack_sock_graft, 3290 .inet_conn_request = smack_inet_conn_request, 3291 .inet_csk_clone = smack_inet_csk_clone, 3292 3293 /* key management security hooks */ 3294 #ifdef CONFIG_KEYS 3295 .key_alloc = smack_key_alloc, 3296 .key_free = smack_key_free, 3297 .key_permission = smack_key_permission, 3298 #endif /* CONFIG_KEYS */ 3299 3300 /* Audit hooks */ 3301 #ifdef CONFIG_AUDIT 3302 .audit_rule_init = smack_audit_rule_init, 3303 .audit_rule_known = smack_audit_rule_known, 3304 .audit_rule_match = smack_audit_rule_match, 3305 .audit_rule_free = smack_audit_rule_free, 3306 #endif /* CONFIG_AUDIT */ 3307 3308 .secid_to_secctx = smack_secid_to_secctx, 3309 .secctx_to_secid = smack_secctx_to_secid, 3310 .release_secctx = smack_release_secctx, 3311 .inode_notifysecctx = smack_inode_notifysecctx, 3312 .inode_setsecctx = smack_inode_setsecctx, 3313 .inode_getsecctx = smack_inode_getsecctx, 3314 }; 3315 3316 3317 static __init void init_smack_know_list(void) 3318 { 3319 list_add(&smack_known_huh.list, &smack_known_list); 3320 list_add(&smack_known_hat.list, &smack_known_list); 3321 list_add(&smack_known_star.list, &smack_known_list); 3322 list_add(&smack_known_floor.list, &smack_known_list); 3323 list_add(&smack_known_invalid.list, &smack_known_list); 3324 list_add(&smack_known_web.list, &smack_known_list); 3325 } 3326 3327 /** 3328 * smack_init - initialize the smack system 3329 * 3330 * Returns 0 3331 */ 3332 static __init int smack_init(void) 3333 { 3334 struct cred *cred; 3335 struct task_smack *tsp; 3336 3337 tsp = kzalloc(sizeof(struct task_smack), GFP_KERNEL); 3338 if (tsp == NULL) 3339 return -ENOMEM; 3340 3341 if (!security_module_enable(&smack_ops)) { 3342 kfree(tsp); 3343 return 0; 3344 } 3345 3346 printk(KERN_INFO "Smack: Initializing.\n"); 3347 3348 /* 3349 * Set the security state for the initial task. 3350 */ 3351 cred = (struct cred *) current->cred; 3352 tsp->smk_forked = smack_known_floor.smk_known; 3353 tsp->smk_task = smack_known_floor.smk_known; 3354 cred->security = tsp; 3355 3356 /* initialize the smack_know_list */ 3357 init_smack_know_list(); 3358 /* 3359 * Initialize locks 3360 */ 3361 spin_lock_init(&smack_known_huh.smk_cipsolock); 3362 spin_lock_init(&smack_known_hat.smk_cipsolock); 3363 spin_lock_init(&smack_known_star.smk_cipsolock); 3364 spin_lock_init(&smack_known_floor.smk_cipsolock); 3365 spin_lock_init(&smack_known_invalid.smk_cipsolock); 3366 3367 /* 3368 * Register with LSM 3369 */ 3370 if (register_security(&smack_ops)) 3371 panic("smack: Unable to register with kernel.\n"); 3372 3373 return 0; 3374 } 3375 3376 /* 3377 * Smack requires early initialization in order to label 3378 * all processes and objects when they are created. 3379 */ 3380 security_initcall(smack_init); 3381