1 // SPDX-License-Identifier: GPL-2.0-only 2 /* 3 * Simplified MAC Kernel (smack) security module 4 * 5 * This file contains the smack hook function implementations. 6 * 7 * Authors: 8 * Casey Schaufler <casey@schaufler-ca.com> 9 * Jarkko Sakkinen <jarkko.sakkinen@intel.com> 10 * 11 * Copyright (C) 2007 Casey Schaufler <casey@schaufler-ca.com> 12 * Copyright (C) 2009 Hewlett-Packard Development Company, L.P. 13 * Paul Moore <paul@paul-moore.com> 14 * Copyright (C) 2010 Nokia Corporation 15 * Copyright (C) 2011 Intel Corporation. 16 */ 17 18 #include <linux/xattr.h> 19 #include <linux/pagemap.h> 20 #include <linux/mount.h> 21 #include <linux/stat.h> 22 #include <linux/kd.h> 23 #include <asm/ioctls.h> 24 #include <linux/ip.h> 25 #include <linux/tcp.h> 26 #include <linux/udp.h> 27 #include <linux/dccp.h> 28 #include <linux/icmpv6.h> 29 #include <linux/slab.h> 30 #include <linux/mutex.h> 31 #include <linux/pipe_fs_i.h> 32 #include <net/cipso_ipv4.h> 33 #include <net/ip.h> 34 #include <net/ipv6.h> 35 #include <linux/audit.h> 36 #include <linux/magic.h> 37 #include <linux/dcache.h> 38 #include <linux/personality.h> 39 #include <linux/msg.h> 40 #include <linux/shm.h> 41 #include <linux/binfmts.h> 42 #include <linux/parser.h> 43 #include <linux/fs_context.h> 44 #include <linux/fs_parser.h> 45 #include "smack.h" 46 47 #define TRANS_TRUE "TRUE" 48 #define TRANS_TRUE_SIZE 4 49 50 #define SMK_CONNECTING 0 51 #define SMK_RECEIVING 1 52 #define SMK_SENDING 2 53 54 #ifdef SMACK_IPV6_PORT_LABELING 55 DEFINE_MUTEX(smack_ipv6_lock); 56 static LIST_HEAD(smk_ipv6_port_list); 57 #endif 58 static struct kmem_cache *smack_inode_cache; 59 struct kmem_cache *smack_rule_cache; 60 int smack_enabled; 61 62 #define A(s) {"smack"#s, sizeof("smack"#s) - 1, Opt_##s} 63 static struct { 64 const char *name; 65 int len; 66 int opt; 67 } smk_mount_opts[] = { 68 {"smackfsdef", sizeof("smackfsdef") - 1, Opt_fsdefault}, 69 A(fsdefault), A(fsfloor), A(fshat), A(fsroot), A(fstransmute) 70 }; 71 #undef A 72 73 static int match_opt_prefix(char *s, int l, char **arg) 74 { 75 int i; 76 77 for (i = 0; i < ARRAY_SIZE(smk_mount_opts); i++) { 78 size_t len = smk_mount_opts[i].len; 79 if (len > l || memcmp(s, smk_mount_opts[i].name, len)) 80 continue; 81 if (len == l || s[len] != '=') 82 continue; 83 *arg = s + len + 1; 84 return smk_mount_opts[i].opt; 85 } 86 return Opt_error; 87 } 88 89 #ifdef CONFIG_SECURITY_SMACK_BRINGUP 90 static char *smk_bu_mess[] = { 91 "Bringup Error", /* Unused */ 92 "Bringup", /* SMACK_BRINGUP_ALLOW */ 93 "Unconfined Subject", /* SMACK_UNCONFINED_SUBJECT */ 94 "Unconfined Object", /* SMACK_UNCONFINED_OBJECT */ 95 }; 96 97 static void smk_bu_mode(int mode, char *s) 98 { 99 int i = 0; 100 101 if (mode & MAY_READ) 102 s[i++] = 'r'; 103 if (mode & MAY_WRITE) 104 s[i++] = 'w'; 105 if (mode & MAY_EXEC) 106 s[i++] = 'x'; 107 if (mode & MAY_APPEND) 108 s[i++] = 'a'; 109 if (mode & MAY_TRANSMUTE) 110 s[i++] = 't'; 111 if (mode & MAY_LOCK) 112 s[i++] = 'l'; 113 if (i == 0) 114 s[i++] = '-'; 115 s[i] = '\0'; 116 } 117 #endif 118 119 #ifdef CONFIG_SECURITY_SMACK_BRINGUP 120 static int smk_bu_note(char *note, struct smack_known *sskp, 121 struct smack_known *oskp, int mode, int rc) 122 { 123 char acc[SMK_NUM_ACCESS_TYPE + 1]; 124 125 if (rc <= 0) 126 return rc; 127 if (rc > SMACK_UNCONFINED_OBJECT) 128 rc = 0; 129 130 smk_bu_mode(mode, acc); 131 pr_info("Smack %s: (%s %s %s) %s\n", smk_bu_mess[rc], 132 sskp->smk_known, oskp->smk_known, acc, note); 133 return 0; 134 } 135 #else 136 #define smk_bu_note(note, sskp, oskp, mode, RC) (RC) 137 #endif 138 139 #ifdef CONFIG_SECURITY_SMACK_BRINGUP 140 static int smk_bu_current(char *note, struct smack_known *oskp, 141 int mode, int rc) 142 { 143 struct task_smack *tsp = smack_cred(current_cred()); 144 char acc[SMK_NUM_ACCESS_TYPE + 1]; 145 146 if (rc <= 0) 147 return rc; 148 if (rc > SMACK_UNCONFINED_OBJECT) 149 rc = 0; 150 151 smk_bu_mode(mode, acc); 152 pr_info("Smack %s: (%s %s %s) %s %s\n", smk_bu_mess[rc], 153 tsp->smk_task->smk_known, oskp->smk_known, 154 acc, current->comm, note); 155 return 0; 156 } 157 #else 158 #define smk_bu_current(note, oskp, mode, RC) (RC) 159 #endif 160 161 #ifdef CONFIG_SECURITY_SMACK_BRINGUP 162 static int smk_bu_task(struct task_struct *otp, int mode, int rc) 163 { 164 struct task_smack *tsp = smack_cred(current_cred()); 165 struct smack_known *smk_task = smk_of_task_struct(otp); 166 char acc[SMK_NUM_ACCESS_TYPE + 1]; 167 168 if (rc <= 0) 169 return rc; 170 if (rc > SMACK_UNCONFINED_OBJECT) 171 rc = 0; 172 173 smk_bu_mode(mode, acc); 174 pr_info("Smack %s: (%s %s %s) %s to %s\n", smk_bu_mess[rc], 175 tsp->smk_task->smk_known, smk_task->smk_known, acc, 176 current->comm, otp->comm); 177 return 0; 178 } 179 #else 180 #define smk_bu_task(otp, mode, RC) (RC) 181 #endif 182 183 #ifdef CONFIG_SECURITY_SMACK_BRINGUP 184 static int smk_bu_inode(struct inode *inode, int mode, int rc) 185 { 186 struct task_smack *tsp = smack_cred(current_cred()); 187 struct inode_smack *isp = smack_inode(inode); 188 char acc[SMK_NUM_ACCESS_TYPE + 1]; 189 190 if (isp->smk_flags & SMK_INODE_IMPURE) 191 pr_info("Smack Unconfined Corruption: inode=(%s %ld) %s\n", 192 inode->i_sb->s_id, inode->i_ino, current->comm); 193 194 if (rc <= 0) 195 return rc; 196 if (rc > SMACK_UNCONFINED_OBJECT) 197 rc = 0; 198 if (rc == SMACK_UNCONFINED_SUBJECT && 199 (mode & (MAY_WRITE | MAY_APPEND))) 200 isp->smk_flags |= SMK_INODE_IMPURE; 201 202 smk_bu_mode(mode, acc); 203 204 pr_info("Smack %s: (%s %s %s) inode=(%s %ld) %s\n", smk_bu_mess[rc], 205 tsp->smk_task->smk_known, isp->smk_inode->smk_known, acc, 206 inode->i_sb->s_id, inode->i_ino, current->comm); 207 return 0; 208 } 209 #else 210 #define smk_bu_inode(inode, mode, RC) (RC) 211 #endif 212 213 #ifdef CONFIG_SECURITY_SMACK_BRINGUP 214 static int smk_bu_file(struct file *file, int mode, int rc) 215 { 216 struct task_smack *tsp = smack_cred(current_cred()); 217 struct smack_known *sskp = tsp->smk_task; 218 struct inode *inode = file_inode(file); 219 struct inode_smack *isp = smack_inode(inode); 220 char acc[SMK_NUM_ACCESS_TYPE + 1]; 221 222 if (isp->smk_flags & SMK_INODE_IMPURE) 223 pr_info("Smack Unconfined Corruption: inode=(%s %ld) %s\n", 224 inode->i_sb->s_id, inode->i_ino, current->comm); 225 226 if (rc <= 0) 227 return rc; 228 if (rc > SMACK_UNCONFINED_OBJECT) 229 rc = 0; 230 231 smk_bu_mode(mode, acc); 232 pr_info("Smack %s: (%s %s %s) file=(%s %ld %pD) %s\n", smk_bu_mess[rc], 233 sskp->smk_known, smk_of_inode(inode)->smk_known, acc, 234 inode->i_sb->s_id, inode->i_ino, file, 235 current->comm); 236 return 0; 237 } 238 #else 239 #define smk_bu_file(file, mode, RC) (RC) 240 #endif 241 242 #ifdef CONFIG_SECURITY_SMACK_BRINGUP 243 static int smk_bu_credfile(const struct cred *cred, struct file *file, 244 int mode, int rc) 245 { 246 struct task_smack *tsp = smack_cred(cred); 247 struct smack_known *sskp = tsp->smk_task; 248 struct inode *inode = file_inode(file); 249 struct inode_smack *isp = smack_inode(inode); 250 char acc[SMK_NUM_ACCESS_TYPE + 1]; 251 252 if (isp->smk_flags & SMK_INODE_IMPURE) 253 pr_info("Smack Unconfined Corruption: inode=(%s %ld) %s\n", 254 inode->i_sb->s_id, inode->i_ino, current->comm); 255 256 if (rc <= 0) 257 return rc; 258 if (rc > SMACK_UNCONFINED_OBJECT) 259 rc = 0; 260 261 smk_bu_mode(mode, acc); 262 pr_info("Smack %s: (%s %s %s) file=(%s %ld %pD) %s\n", smk_bu_mess[rc], 263 sskp->smk_known, smk_of_inode(inode)->smk_known, acc, 264 inode->i_sb->s_id, inode->i_ino, file, 265 current->comm); 266 return 0; 267 } 268 #else 269 #define smk_bu_credfile(cred, file, mode, RC) (RC) 270 #endif 271 272 /** 273 * smk_fetch - Fetch the smack label from a file. 274 * @name: type of the label (attribute) 275 * @ip: a pointer to the inode 276 * @dp: a pointer to the dentry 277 * 278 * Returns a pointer to the master list entry for the Smack label, 279 * NULL if there was no label to fetch, or an error code. 280 */ 281 static struct smack_known *smk_fetch(const char *name, struct inode *ip, 282 struct dentry *dp) 283 { 284 int rc; 285 char *buffer; 286 struct smack_known *skp = NULL; 287 288 if (!(ip->i_opflags & IOP_XATTR)) 289 return ERR_PTR(-EOPNOTSUPP); 290 291 buffer = kzalloc(SMK_LONGLABEL, GFP_KERNEL); 292 if (buffer == NULL) 293 return ERR_PTR(-ENOMEM); 294 295 rc = __vfs_getxattr(dp, ip, name, buffer, SMK_LONGLABEL); 296 if (rc < 0) 297 skp = ERR_PTR(rc); 298 else if (rc == 0) 299 skp = NULL; 300 else 301 skp = smk_import_entry(buffer, rc); 302 303 kfree(buffer); 304 305 return skp; 306 } 307 308 /** 309 * init_inode_smack - initialize an inode security blob 310 * @isp: the blob to initialize 311 * @skp: a pointer to the Smack label entry to use in the blob 312 * 313 */ 314 static void init_inode_smack(struct inode *inode, struct smack_known *skp) 315 { 316 struct inode_smack *isp = smack_inode(inode); 317 318 isp->smk_inode = skp; 319 isp->smk_flags = 0; 320 mutex_init(&isp->smk_lock); 321 } 322 323 /** 324 * init_task_smack - initialize a task security blob 325 * @tsp: blob to initialize 326 * @task: a pointer to the Smack label for the running task 327 * @forked: a pointer to the Smack label for the forked task 328 * 329 */ 330 static void init_task_smack(struct task_smack *tsp, struct smack_known *task, 331 struct smack_known *forked) 332 { 333 tsp->smk_task = task; 334 tsp->smk_forked = forked; 335 INIT_LIST_HEAD(&tsp->smk_rules); 336 INIT_LIST_HEAD(&tsp->smk_relabel); 337 mutex_init(&tsp->smk_rules_lock); 338 } 339 340 /** 341 * smk_copy_rules - copy a rule set 342 * @nhead: new rules header pointer 343 * @ohead: old rules header pointer 344 * @gfp: type of the memory for the allocation 345 * 346 * Returns 0 on success, -ENOMEM on error 347 */ 348 static int smk_copy_rules(struct list_head *nhead, struct list_head *ohead, 349 gfp_t gfp) 350 { 351 struct smack_rule *nrp; 352 struct smack_rule *orp; 353 int rc = 0; 354 355 list_for_each_entry_rcu(orp, ohead, list) { 356 nrp = kmem_cache_zalloc(smack_rule_cache, gfp); 357 if (nrp == NULL) { 358 rc = -ENOMEM; 359 break; 360 } 361 *nrp = *orp; 362 list_add_rcu(&nrp->list, nhead); 363 } 364 return rc; 365 } 366 367 /** 368 * smk_copy_relabel - copy smk_relabel labels list 369 * @nhead: new rules header pointer 370 * @ohead: old rules header pointer 371 * @gfp: type of the memory for the allocation 372 * 373 * Returns 0 on success, -ENOMEM on error 374 */ 375 static int smk_copy_relabel(struct list_head *nhead, struct list_head *ohead, 376 gfp_t gfp) 377 { 378 struct smack_known_list_elem *nklep; 379 struct smack_known_list_elem *oklep; 380 381 list_for_each_entry(oklep, ohead, list) { 382 nklep = kzalloc(sizeof(struct smack_known_list_elem), gfp); 383 if (nklep == NULL) { 384 smk_destroy_label_list(nhead); 385 return -ENOMEM; 386 } 387 nklep->smk_label = oklep->smk_label; 388 list_add(&nklep->list, nhead); 389 } 390 391 return 0; 392 } 393 394 /** 395 * smk_ptrace_mode - helper function for converting PTRACE_MODE_* into MAY_* 396 * @mode - input mode in form of PTRACE_MODE_* 397 * 398 * Returns a converted MAY_* mode usable by smack rules 399 */ 400 static inline unsigned int smk_ptrace_mode(unsigned int mode) 401 { 402 if (mode & PTRACE_MODE_ATTACH) 403 return MAY_READWRITE; 404 if (mode & PTRACE_MODE_READ) 405 return MAY_READ; 406 407 return 0; 408 } 409 410 /** 411 * smk_ptrace_rule_check - helper for ptrace access 412 * @tracer: tracer process 413 * @tracee_known: label entry of the process that's about to be traced 414 * @mode: ptrace attachment mode (PTRACE_MODE_*) 415 * @func: name of the function that called us, used for audit 416 * 417 * Returns 0 on access granted, -error on error 418 */ 419 static int smk_ptrace_rule_check(struct task_struct *tracer, 420 struct smack_known *tracee_known, 421 unsigned int mode, const char *func) 422 { 423 int rc; 424 struct smk_audit_info ad, *saip = NULL; 425 struct task_smack *tsp; 426 struct smack_known *tracer_known; 427 const struct cred *tracercred; 428 429 if ((mode & PTRACE_MODE_NOAUDIT) == 0) { 430 smk_ad_init(&ad, func, LSM_AUDIT_DATA_TASK); 431 smk_ad_setfield_u_tsk(&ad, tracer); 432 saip = &ad; 433 } 434 435 rcu_read_lock(); 436 tracercred = __task_cred(tracer); 437 tsp = smack_cred(tracercred); 438 tracer_known = smk_of_task(tsp); 439 440 if ((mode & PTRACE_MODE_ATTACH) && 441 (smack_ptrace_rule == SMACK_PTRACE_EXACT || 442 smack_ptrace_rule == SMACK_PTRACE_DRACONIAN)) { 443 if (tracer_known->smk_known == tracee_known->smk_known) 444 rc = 0; 445 else if (smack_ptrace_rule == SMACK_PTRACE_DRACONIAN) 446 rc = -EACCES; 447 else if (smack_privileged_cred(CAP_SYS_PTRACE, tracercred)) 448 rc = 0; 449 else 450 rc = -EACCES; 451 452 if (saip) 453 smack_log(tracer_known->smk_known, 454 tracee_known->smk_known, 455 0, rc, saip); 456 457 rcu_read_unlock(); 458 return rc; 459 } 460 461 /* In case of rule==SMACK_PTRACE_DEFAULT or mode==PTRACE_MODE_READ */ 462 rc = smk_tskacc(tsp, tracee_known, smk_ptrace_mode(mode), saip); 463 464 rcu_read_unlock(); 465 return rc; 466 } 467 468 /* 469 * LSM hooks. 470 * We he, that is fun! 471 */ 472 473 /** 474 * smack_ptrace_access_check - Smack approval on PTRACE_ATTACH 475 * @ctp: child task pointer 476 * @mode: ptrace attachment mode (PTRACE_MODE_*) 477 * 478 * Returns 0 if access is OK, an error code otherwise 479 * 480 * Do the capability checks. 481 */ 482 static int smack_ptrace_access_check(struct task_struct *ctp, unsigned int mode) 483 { 484 struct smack_known *skp; 485 486 skp = smk_of_task_struct(ctp); 487 488 return smk_ptrace_rule_check(current, skp, mode, __func__); 489 } 490 491 /** 492 * smack_ptrace_traceme - Smack approval on PTRACE_TRACEME 493 * @ptp: parent task pointer 494 * 495 * Returns 0 if access is OK, an error code otherwise 496 * 497 * Do the capability checks, and require PTRACE_MODE_ATTACH. 498 */ 499 static int smack_ptrace_traceme(struct task_struct *ptp) 500 { 501 int rc; 502 struct smack_known *skp; 503 504 skp = smk_of_task(smack_cred(current_cred())); 505 506 rc = smk_ptrace_rule_check(ptp, skp, PTRACE_MODE_ATTACH, __func__); 507 return rc; 508 } 509 510 /** 511 * smack_syslog - Smack approval on syslog 512 * @type: message type 513 * 514 * Returns 0 on success, error code otherwise. 515 */ 516 static int smack_syslog(int typefrom_file) 517 { 518 int rc = 0; 519 struct smack_known *skp = smk_of_current(); 520 521 if (smack_privileged(CAP_MAC_OVERRIDE)) 522 return 0; 523 524 if (smack_syslog_label != NULL && smack_syslog_label != skp) 525 rc = -EACCES; 526 527 return rc; 528 } 529 530 /* 531 * Superblock Hooks. 532 */ 533 534 /** 535 * smack_sb_alloc_security - allocate a superblock blob 536 * @sb: the superblock getting the blob 537 * 538 * Returns 0 on success or -ENOMEM on error. 539 */ 540 static int smack_sb_alloc_security(struct super_block *sb) 541 { 542 struct superblock_smack *sbsp; 543 544 sbsp = kzalloc(sizeof(struct superblock_smack), GFP_KERNEL); 545 546 if (sbsp == NULL) 547 return -ENOMEM; 548 549 sbsp->smk_root = &smack_known_floor; 550 sbsp->smk_default = &smack_known_floor; 551 sbsp->smk_floor = &smack_known_floor; 552 sbsp->smk_hat = &smack_known_hat; 553 /* 554 * SMK_SB_INITIALIZED will be zero from kzalloc. 555 */ 556 sb->s_security = sbsp; 557 558 return 0; 559 } 560 561 /** 562 * smack_sb_free_security - free a superblock blob 563 * @sb: the superblock getting the blob 564 * 565 */ 566 static void smack_sb_free_security(struct super_block *sb) 567 { 568 kfree(sb->s_security); 569 sb->s_security = NULL; 570 } 571 572 struct smack_mnt_opts { 573 const char *fsdefault, *fsfloor, *fshat, *fsroot, *fstransmute; 574 }; 575 576 static void smack_free_mnt_opts(void *mnt_opts) 577 { 578 struct smack_mnt_opts *opts = mnt_opts; 579 kfree(opts->fsdefault); 580 kfree(opts->fsfloor); 581 kfree(opts->fshat); 582 kfree(opts->fsroot); 583 kfree(opts->fstransmute); 584 kfree(opts); 585 } 586 587 static int smack_add_opt(int token, const char *s, void **mnt_opts) 588 { 589 struct smack_mnt_opts *opts = *mnt_opts; 590 591 if (!opts) { 592 opts = kzalloc(sizeof(struct smack_mnt_opts), GFP_KERNEL); 593 if (!opts) 594 return -ENOMEM; 595 *mnt_opts = opts; 596 } 597 if (!s) 598 return -ENOMEM; 599 600 switch (token) { 601 case Opt_fsdefault: 602 if (opts->fsdefault) 603 goto out_opt_err; 604 opts->fsdefault = s; 605 break; 606 case Opt_fsfloor: 607 if (opts->fsfloor) 608 goto out_opt_err; 609 opts->fsfloor = s; 610 break; 611 case Opt_fshat: 612 if (opts->fshat) 613 goto out_opt_err; 614 opts->fshat = s; 615 break; 616 case Opt_fsroot: 617 if (opts->fsroot) 618 goto out_opt_err; 619 opts->fsroot = s; 620 break; 621 case Opt_fstransmute: 622 if (opts->fstransmute) 623 goto out_opt_err; 624 opts->fstransmute = s; 625 break; 626 } 627 return 0; 628 629 out_opt_err: 630 pr_warn("Smack: duplicate mount options\n"); 631 return -EINVAL; 632 } 633 634 /** 635 * smack_fs_context_dup - Duplicate the security data on fs_context duplication 636 * @fc: The new filesystem context. 637 * @src_fc: The source filesystem context being duplicated. 638 * 639 * Returns 0 on success or -ENOMEM on error. 640 */ 641 static int smack_fs_context_dup(struct fs_context *fc, 642 struct fs_context *src_fc) 643 { 644 struct smack_mnt_opts *dst, *src = src_fc->security; 645 646 if (!src) 647 return 0; 648 649 fc->security = kzalloc(sizeof(struct smack_mnt_opts), GFP_KERNEL); 650 if (!fc->security) 651 return -ENOMEM; 652 dst = fc->security; 653 654 if (src->fsdefault) { 655 dst->fsdefault = kstrdup(src->fsdefault, GFP_KERNEL); 656 if (!dst->fsdefault) 657 return -ENOMEM; 658 } 659 if (src->fsfloor) { 660 dst->fsfloor = kstrdup(src->fsfloor, GFP_KERNEL); 661 if (!dst->fsfloor) 662 return -ENOMEM; 663 } 664 if (src->fshat) { 665 dst->fshat = kstrdup(src->fshat, GFP_KERNEL); 666 if (!dst->fshat) 667 return -ENOMEM; 668 } 669 if (src->fsroot) { 670 dst->fsroot = kstrdup(src->fsroot, GFP_KERNEL); 671 if (!dst->fsroot) 672 return -ENOMEM; 673 } 674 if (src->fstransmute) { 675 dst->fstransmute = kstrdup(src->fstransmute, GFP_KERNEL); 676 if (!dst->fstransmute) 677 return -ENOMEM; 678 } 679 return 0; 680 } 681 682 static const struct fs_parameter_spec smack_param_specs[] = { 683 fsparam_string("smackfsdef", Opt_fsdefault), 684 fsparam_string("smackfsdefault", Opt_fsdefault), 685 fsparam_string("smackfsfloor", Opt_fsfloor), 686 fsparam_string("smackfshat", Opt_fshat), 687 fsparam_string("smackfsroot", Opt_fsroot), 688 fsparam_string("smackfstransmute", Opt_fstransmute), 689 {} 690 }; 691 692 static const struct fs_parameter_description smack_fs_parameters = { 693 .name = "smack", 694 .specs = smack_param_specs, 695 }; 696 697 /** 698 * smack_fs_context_parse_param - Parse a single mount parameter 699 * @fc: The new filesystem context being constructed. 700 * @param: The parameter. 701 * 702 * Returns 0 on success, -ENOPARAM to pass the parameter on or anything else on 703 * error. 704 */ 705 static int smack_fs_context_parse_param(struct fs_context *fc, 706 struct fs_parameter *param) 707 { 708 struct fs_parse_result result; 709 int opt, rc; 710 711 opt = fs_parse(fc, &smack_fs_parameters, param, &result); 712 if (opt < 0) 713 return opt; 714 715 rc = smack_add_opt(opt, param->string, &fc->security); 716 if (!rc) 717 param->string = NULL; 718 return rc; 719 } 720 721 static int smack_sb_eat_lsm_opts(char *options, void **mnt_opts) 722 { 723 char *from = options, *to = options; 724 bool first = true; 725 726 while (1) { 727 char *next = strchr(from, ','); 728 int token, len, rc; 729 char *arg = NULL; 730 731 if (next) 732 len = next - from; 733 else 734 len = strlen(from); 735 736 token = match_opt_prefix(from, len, &arg); 737 if (token != Opt_error) { 738 arg = kmemdup_nul(arg, from + len - arg, GFP_KERNEL); 739 rc = smack_add_opt(token, arg, mnt_opts); 740 if (unlikely(rc)) { 741 kfree(arg); 742 if (*mnt_opts) 743 smack_free_mnt_opts(*mnt_opts); 744 *mnt_opts = NULL; 745 return rc; 746 } 747 } else { 748 if (!first) { // copy with preceding comma 749 from--; 750 len++; 751 } 752 if (to != from) 753 memmove(to, from, len); 754 to += len; 755 first = false; 756 } 757 if (!from[len]) 758 break; 759 from += len + 1; 760 } 761 *to = '\0'; 762 return 0; 763 } 764 765 /** 766 * smack_set_mnt_opts - set Smack specific mount options 767 * @sb: the file system superblock 768 * @opts: Smack mount options 769 * @kern_flags: mount option from kernel space or user space 770 * @set_kern_flags: where to store converted mount opts 771 * 772 * Returns 0 on success, an error code on failure 773 * 774 * Allow filesystems with binary mount data to explicitly set Smack mount 775 * labels. 776 */ 777 static int smack_set_mnt_opts(struct super_block *sb, 778 void *mnt_opts, 779 unsigned long kern_flags, 780 unsigned long *set_kern_flags) 781 { 782 struct dentry *root = sb->s_root; 783 struct inode *inode = d_backing_inode(root); 784 struct superblock_smack *sp = sb->s_security; 785 struct inode_smack *isp; 786 struct smack_known *skp; 787 struct smack_mnt_opts *opts = mnt_opts; 788 bool transmute = false; 789 790 if (sp->smk_flags & SMK_SB_INITIALIZED) 791 return 0; 792 793 if (inode->i_security == NULL) { 794 int rc = lsm_inode_alloc(inode); 795 796 if (rc) 797 return rc; 798 } 799 800 if (!smack_privileged(CAP_MAC_ADMIN)) { 801 /* 802 * Unprivileged mounts don't get to specify Smack values. 803 */ 804 if (opts) 805 return -EPERM; 806 /* 807 * Unprivileged mounts get root and default from the caller. 808 */ 809 skp = smk_of_current(); 810 sp->smk_root = skp; 811 sp->smk_default = skp; 812 /* 813 * For a handful of fs types with no user-controlled 814 * backing store it's okay to trust security labels 815 * in the filesystem. The rest are untrusted. 816 */ 817 if (sb->s_user_ns != &init_user_ns && 818 sb->s_magic != SYSFS_MAGIC && sb->s_magic != TMPFS_MAGIC && 819 sb->s_magic != RAMFS_MAGIC) { 820 transmute = true; 821 sp->smk_flags |= SMK_SB_UNTRUSTED; 822 } 823 } 824 825 sp->smk_flags |= SMK_SB_INITIALIZED; 826 827 if (opts) { 828 if (opts->fsdefault) { 829 skp = smk_import_entry(opts->fsdefault, 0); 830 if (IS_ERR(skp)) 831 return PTR_ERR(skp); 832 sp->smk_default = skp; 833 } 834 if (opts->fsfloor) { 835 skp = smk_import_entry(opts->fsfloor, 0); 836 if (IS_ERR(skp)) 837 return PTR_ERR(skp); 838 sp->smk_floor = skp; 839 } 840 if (opts->fshat) { 841 skp = smk_import_entry(opts->fshat, 0); 842 if (IS_ERR(skp)) 843 return PTR_ERR(skp); 844 sp->smk_hat = skp; 845 } 846 if (opts->fsroot) { 847 skp = smk_import_entry(opts->fsroot, 0); 848 if (IS_ERR(skp)) 849 return PTR_ERR(skp); 850 sp->smk_root = skp; 851 } 852 if (opts->fstransmute) { 853 skp = smk_import_entry(opts->fstransmute, 0); 854 if (IS_ERR(skp)) 855 return PTR_ERR(skp); 856 sp->smk_root = skp; 857 transmute = true; 858 } 859 } 860 861 /* 862 * Initialize the root inode. 863 */ 864 init_inode_smack(inode, sp->smk_root); 865 866 if (transmute) { 867 isp = smack_inode(inode); 868 isp->smk_flags |= SMK_INODE_TRANSMUTE; 869 } 870 871 return 0; 872 } 873 874 /** 875 * smack_sb_statfs - Smack check on statfs 876 * @dentry: identifies the file system in question 877 * 878 * Returns 0 if current can read the floor of the filesystem, 879 * and error code otherwise 880 */ 881 static int smack_sb_statfs(struct dentry *dentry) 882 { 883 struct superblock_smack *sbp = dentry->d_sb->s_security; 884 int rc; 885 struct smk_audit_info ad; 886 887 smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_DENTRY); 888 smk_ad_setfield_u_fs_path_dentry(&ad, dentry); 889 890 rc = smk_curacc(sbp->smk_floor, MAY_READ, &ad); 891 rc = smk_bu_current("statfs", sbp->smk_floor, MAY_READ, rc); 892 return rc; 893 } 894 895 /* 896 * BPRM hooks 897 */ 898 899 /** 900 * smack_bprm_set_creds - set creds for exec 901 * @bprm: the exec information 902 * 903 * Returns 0 if it gets a blob, -EPERM if exec forbidden and -ENOMEM otherwise 904 */ 905 static int smack_bprm_set_creds(struct linux_binprm *bprm) 906 { 907 struct inode *inode = file_inode(bprm->file); 908 struct task_smack *bsp = smack_cred(bprm->cred); 909 struct inode_smack *isp; 910 struct superblock_smack *sbsp; 911 int rc; 912 913 if (bprm->called_set_creds) 914 return 0; 915 916 isp = smack_inode(inode); 917 if (isp->smk_task == NULL || isp->smk_task == bsp->smk_task) 918 return 0; 919 920 sbsp = inode->i_sb->s_security; 921 if ((sbsp->smk_flags & SMK_SB_UNTRUSTED) && 922 isp->smk_task != sbsp->smk_root) 923 return 0; 924 925 if (bprm->unsafe & LSM_UNSAFE_PTRACE) { 926 struct task_struct *tracer; 927 rc = 0; 928 929 rcu_read_lock(); 930 tracer = ptrace_parent(current); 931 if (likely(tracer != NULL)) 932 rc = smk_ptrace_rule_check(tracer, 933 isp->smk_task, 934 PTRACE_MODE_ATTACH, 935 __func__); 936 rcu_read_unlock(); 937 938 if (rc != 0) 939 return rc; 940 } else if (bprm->unsafe) 941 return -EPERM; 942 943 bsp->smk_task = isp->smk_task; 944 bprm->per_clear |= PER_CLEAR_ON_SETID; 945 946 /* Decide if this is a secure exec. */ 947 if (bsp->smk_task != bsp->smk_forked) 948 bprm->secureexec = 1; 949 950 return 0; 951 } 952 953 /* 954 * Inode hooks 955 */ 956 957 /** 958 * smack_inode_alloc_security - allocate an inode blob 959 * @inode: the inode in need of a blob 960 * 961 * Returns 0 if it gets a blob, -ENOMEM otherwise 962 */ 963 static int smack_inode_alloc_security(struct inode *inode) 964 { 965 struct smack_known *skp = smk_of_current(); 966 967 init_inode_smack(inode, skp); 968 return 0; 969 } 970 971 /** 972 * smack_inode_init_security - copy out the smack from an inode 973 * @inode: the newly created inode 974 * @dir: containing directory object 975 * @qstr: unused 976 * @name: where to put the attribute name 977 * @value: where to put the attribute value 978 * @len: where to put the length of the attribute 979 * 980 * Returns 0 if it all works out, -ENOMEM if there's no memory 981 */ 982 static int smack_inode_init_security(struct inode *inode, struct inode *dir, 983 const struct qstr *qstr, const char **name, 984 void **value, size_t *len) 985 { 986 struct inode_smack *issp = smack_inode(inode); 987 struct smack_known *skp = smk_of_current(); 988 struct smack_known *isp = smk_of_inode(inode); 989 struct smack_known *dsp = smk_of_inode(dir); 990 int may; 991 992 if (name) 993 *name = XATTR_SMACK_SUFFIX; 994 995 if (value && len) { 996 rcu_read_lock(); 997 may = smk_access_entry(skp->smk_known, dsp->smk_known, 998 &skp->smk_rules); 999 rcu_read_unlock(); 1000 1001 /* 1002 * If the access rule allows transmutation and 1003 * the directory requests transmutation then 1004 * by all means transmute. 1005 * Mark the inode as changed. 1006 */ 1007 if (may > 0 && ((may & MAY_TRANSMUTE) != 0) && 1008 smk_inode_transmutable(dir)) { 1009 isp = dsp; 1010 issp->smk_flags |= SMK_INODE_CHANGED; 1011 } 1012 1013 *value = kstrdup(isp->smk_known, GFP_NOFS); 1014 if (*value == NULL) 1015 return -ENOMEM; 1016 1017 *len = strlen(isp->smk_known); 1018 } 1019 1020 return 0; 1021 } 1022 1023 /** 1024 * smack_inode_link - Smack check on link 1025 * @old_dentry: the existing object 1026 * @dir: unused 1027 * @new_dentry: the new object 1028 * 1029 * Returns 0 if access is permitted, an error code otherwise 1030 */ 1031 static int smack_inode_link(struct dentry *old_dentry, struct inode *dir, 1032 struct dentry *new_dentry) 1033 { 1034 struct smack_known *isp; 1035 struct smk_audit_info ad; 1036 int rc; 1037 1038 smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_DENTRY); 1039 smk_ad_setfield_u_fs_path_dentry(&ad, old_dentry); 1040 1041 isp = smk_of_inode(d_backing_inode(old_dentry)); 1042 rc = smk_curacc(isp, MAY_WRITE, &ad); 1043 rc = smk_bu_inode(d_backing_inode(old_dentry), MAY_WRITE, rc); 1044 1045 if (rc == 0 && d_is_positive(new_dentry)) { 1046 isp = smk_of_inode(d_backing_inode(new_dentry)); 1047 smk_ad_setfield_u_fs_path_dentry(&ad, new_dentry); 1048 rc = smk_curacc(isp, MAY_WRITE, &ad); 1049 rc = smk_bu_inode(d_backing_inode(new_dentry), MAY_WRITE, rc); 1050 } 1051 1052 return rc; 1053 } 1054 1055 /** 1056 * smack_inode_unlink - Smack check on inode deletion 1057 * @dir: containing directory object 1058 * @dentry: file to unlink 1059 * 1060 * Returns 0 if current can write the containing directory 1061 * and the object, error code otherwise 1062 */ 1063 static int smack_inode_unlink(struct inode *dir, struct dentry *dentry) 1064 { 1065 struct inode *ip = d_backing_inode(dentry); 1066 struct smk_audit_info ad; 1067 int rc; 1068 1069 smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_DENTRY); 1070 smk_ad_setfield_u_fs_path_dentry(&ad, dentry); 1071 1072 /* 1073 * You need write access to the thing you're unlinking 1074 */ 1075 rc = smk_curacc(smk_of_inode(ip), MAY_WRITE, &ad); 1076 rc = smk_bu_inode(ip, MAY_WRITE, rc); 1077 if (rc == 0) { 1078 /* 1079 * You also need write access to the containing directory 1080 */ 1081 smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_INODE); 1082 smk_ad_setfield_u_fs_inode(&ad, dir); 1083 rc = smk_curacc(smk_of_inode(dir), MAY_WRITE, &ad); 1084 rc = smk_bu_inode(dir, MAY_WRITE, rc); 1085 } 1086 return rc; 1087 } 1088 1089 /** 1090 * smack_inode_rmdir - Smack check on directory deletion 1091 * @dir: containing directory object 1092 * @dentry: directory to unlink 1093 * 1094 * Returns 0 if current can write the containing directory 1095 * and the directory, error code otherwise 1096 */ 1097 static int smack_inode_rmdir(struct inode *dir, struct dentry *dentry) 1098 { 1099 struct smk_audit_info ad; 1100 int rc; 1101 1102 smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_DENTRY); 1103 smk_ad_setfield_u_fs_path_dentry(&ad, dentry); 1104 1105 /* 1106 * You need write access to the thing you're removing 1107 */ 1108 rc = smk_curacc(smk_of_inode(d_backing_inode(dentry)), MAY_WRITE, &ad); 1109 rc = smk_bu_inode(d_backing_inode(dentry), MAY_WRITE, rc); 1110 if (rc == 0) { 1111 /* 1112 * You also need write access to the containing directory 1113 */ 1114 smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_INODE); 1115 smk_ad_setfield_u_fs_inode(&ad, dir); 1116 rc = smk_curacc(smk_of_inode(dir), MAY_WRITE, &ad); 1117 rc = smk_bu_inode(dir, MAY_WRITE, rc); 1118 } 1119 1120 return rc; 1121 } 1122 1123 /** 1124 * smack_inode_rename - Smack check on rename 1125 * @old_inode: unused 1126 * @old_dentry: the old object 1127 * @new_inode: unused 1128 * @new_dentry: the new object 1129 * 1130 * Read and write access is required on both the old and 1131 * new directories. 1132 * 1133 * Returns 0 if access is permitted, an error code otherwise 1134 */ 1135 static int smack_inode_rename(struct inode *old_inode, 1136 struct dentry *old_dentry, 1137 struct inode *new_inode, 1138 struct dentry *new_dentry) 1139 { 1140 int rc; 1141 struct smack_known *isp; 1142 struct smk_audit_info ad; 1143 1144 smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_DENTRY); 1145 smk_ad_setfield_u_fs_path_dentry(&ad, old_dentry); 1146 1147 isp = smk_of_inode(d_backing_inode(old_dentry)); 1148 rc = smk_curacc(isp, MAY_READWRITE, &ad); 1149 rc = smk_bu_inode(d_backing_inode(old_dentry), MAY_READWRITE, rc); 1150 1151 if (rc == 0 && d_is_positive(new_dentry)) { 1152 isp = smk_of_inode(d_backing_inode(new_dentry)); 1153 smk_ad_setfield_u_fs_path_dentry(&ad, new_dentry); 1154 rc = smk_curacc(isp, MAY_READWRITE, &ad); 1155 rc = smk_bu_inode(d_backing_inode(new_dentry), MAY_READWRITE, rc); 1156 } 1157 return rc; 1158 } 1159 1160 /** 1161 * smack_inode_permission - Smack version of permission() 1162 * @inode: the inode in question 1163 * @mask: the access requested 1164 * 1165 * This is the important Smack hook. 1166 * 1167 * Returns 0 if access is permitted, -EACCES otherwise 1168 */ 1169 static int smack_inode_permission(struct inode *inode, int mask) 1170 { 1171 struct superblock_smack *sbsp = inode->i_sb->s_security; 1172 struct smk_audit_info ad; 1173 int no_block = mask & MAY_NOT_BLOCK; 1174 int rc; 1175 1176 mask &= (MAY_READ|MAY_WRITE|MAY_EXEC|MAY_APPEND); 1177 /* 1178 * No permission to check. Existence test. Yup, it's there. 1179 */ 1180 if (mask == 0) 1181 return 0; 1182 1183 if (sbsp->smk_flags & SMK_SB_UNTRUSTED) { 1184 if (smk_of_inode(inode) != sbsp->smk_root) 1185 return -EACCES; 1186 } 1187 1188 /* May be droppable after audit */ 1189 if (no_block) 1190 return -ECHILD; 1191 smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_INODE); 1192 smk_ad_setfield_u_fs_inode(&ad, inode); 1193 rc = smk_curacc(smk_of_inode(inode), mask, &ad); 1194 rc = smk_bu_inode(inode, mask, rc); 1195 return rc; 1196 } 1197 1198 /** 1199 * smack_inode_setattr - Smack check for setting attributes 1200 * @dentry: the object 1201 * @iattr: for the force flag 1202 * 1203 * Returns 0 if access is permitted, an error code otherwise 1204 */ 1205 static int smack_inode_setattr(struct dentry *dentry, struct iattr *iattr) 1206 { 1207 struct smk_audit_info ad; 1208 int rc; 1209 1210 /* 1211 * Need to allow for clearing the setuid bit. 1212 */ 1213 if (iattr->ia_valid & ATTR_FORCE) 1214 return 0; 1215 smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_DENTRY); 1216 smk_ad_setfield_u_fs_path_dentry(&ad, dentry); 1217 1218 rc = smk_curacc(smk_of_inode(d_backing_inode(dentry)), MAY_WRITE, &ad); 1219 rc = smk_bu_inode(d_backing_inode(dentry), MAY_WRITE, rc); 1220 return rc; 1221 } 1222 1223 /** 1224 * smack_inode_getattr - Smack check for getting attributes 1225 * @mnt: vfsmount of the object 1226 * @dentry: the object 1227 * 1228 * Returns 0 if access is permitted, an error code otherwise 1229 */ 1230 static int smack_inode_getattr(const struct path *path) 1231 { 1232 struct smk_audit_info ad; 1233 struct inode *inode = d_backing_inode(path->dentry); 1234 int rc; 1235 1236 smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_PATH); 1237 smk_ad_setfield_u_fs_path(&ad, *path); 1238 rc = smk_curacc(smk_of_inode(inode), MAY_READ, &ad); 1239 rc = smk_bu_inode(inode, MAY_READ, rc); 1240 return rc; 1241 } 1242 1243 /** 1244 * smack_inode_setxattr - Smack check for setting xattrs 1245 * @dentry: the object 1246 * @name: name of the attribute 1247 * @value: value of the attribute 1248 * @size: size of the value 1249 * @flags: unused 1250 * 1251 * This protects the Smack attribute explicitly. 1252 * 1253 * Returns 0 if access is permitted, an error code otherwise 1254 */ 1255 static int smack_inode_setxattr(struct dentry *dentry, const char *name, 1256 const void *value, size_t size, int flags) 1257 { 1258 struct smk_audit_info ad; 1259 struct smack_known *skp; 1260 int check_priv = 0; 1261 int check_import = 0; 1262 int check_star = 0; 1263 int rc = 0; 1264 1265 /* 1266 * Check label validity here so import won't fail in post_setxattr 1267 */ 1268 if (strcmp(name, XATTR_NAME_SMACK) == 0 || 1269 strcmp(name, XATTR_NAME_SMACKIPIN) == 0 || 1270 strcmp(name, XATTR_NAME_SMACKIPOUT) == 0) { 1271 check_priv = 1; 1272 check_import = 1; 1273 } else if (strcmp(name, XATTR_NAME_SMACKEXEC) == 0 || 1274 strcmp(name, XATTR_NAME_SMACKMMAP) == 0) { 1275 check_priv = 1; 1276 check_import = 1; 1277 check_star = 1; 1278 } else if (strcmp(name, XATTR_NAME_SMACKTRANSMUTE) == 0) { 1279 check_priv = 1; 1280 if (size != TRANS_TRUE_SIZE || 1281 strncmp(value, TRANS_TRUE, TRANS_TRUE_SIZE) != 0) 1282 rc = -EINVAL; 1283 } else 1284 rc = cap_inode_setxattr(dentry, name, value, size, flags); 1285 1286 if (check_priv && !smack_privileged(CAP_MAC_ADMIN)) 1287 rc = -EPERM; 1288 1289 if (rc == 0 && check_import) { 1290 skp = size ? smk_import_entry(value, size) : NULL; 1291 if (IS_ERR(skp)) 1292 rc = PTR_ERR(skp); 1293 else if (skp == NULL || (check_star && 1294 (skp == &smack_known_star || skp == &smack_known_web))) 1295 rc = -EINVAL; 1296 } 1297 1298 smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_DENTRY); 1299 smk_ad_setfield_u_fs_path_dentry(&ad, dentry); 1300 1301 if (rc == 0) { 1302 rc = smk_curacc(smk_of_inode(d_backing_inode(dentry)), MAY_WRITE, &ad); 1303 rc = smk_bu_inode(d_backing_inode(dentry), MAY_WRITE, rc); 1304 } 1305 1306 return rc; 1307 } 1308 1309 /** 1310 * smack_inode_post_setxattr - Apply the Smack update approved above 1311 * @dentry: object 1312 * @name: attribute name 1313 * @value: attribute value 1314 * @size: attribute size 1315 * @flags: unused 1316 * 1317 * Set the pointer in the inode blob to the entry found 1318 * in the master label list. 1319 */ 1320 static void smack_inode_post_setxattr(struct dentry *dentry, const char *name, 1321 const void *value, size_t size, int flags) 1322 { 1323 struct smack_known *skp; 1324 struct inode_smack *isp = smack_inode(d_backing_inode(dentry)); 1325 1326 if (strcmp(name, XATTR_NAME_SMACKTRANSMUTE) == 0) { 1327 isp->smk_flags |= SMK_INODE_TRANSMUTE; 1328 return; 1329 } 1330 1331 if (strcmp(name, XATTR_NAME_SMACK) == 0) { 1332 skp = smk_import_entry(value, size); 1333 if (!IS_ERR(skp)) 1334 isp->smk_inode = skp; 1335 } else if (strcmp(name, XATTR_NAME_SMACKEXEC) == 0) { 1336 skp = smk_import_entry(value, size); 1337 if (!IS_ERR(skp)) 1338 isp->smk_task = skp; 1339 } else if (strcmp(name, XATTR_NAME_SMACKMMAP) == 0) { 1340 skp = smk_import_entry(value, size); 1341 if (!IS_ERR(skp)) 1342 isp->smk_mmap = skp; 1343 } 1344 1345 return; 1346 } 1347 1348 /** 1349 * smack_inode_getxattr - Smack check on getxattr 1350 * @dentry: the object 1351 * @name: unused 1352 * 1353 * Returns 0 if access is permitted, an error code otherwise 1354 */ 1355 static int smack_inode_getxattr(struct dentry *dentry, const char *name) 1356 { 1357 struct smk_audit_info ad; 1358 int rc; 1359 1360 smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_DENTRY); 1361 smk_ad_setfield_u_fs_path_dentry(&ad, dentry); 1362 1363 rc = smk_curacc(smk_of_inode(d_backing_inode(dentry)), MAY_READ, &ad); 1364 rc = smk_bu_inode(d_backing_inode(dentry), MAY_READ, rc); 1365 return rc; 1366 } 1367 1368 /** 1369 * smack_inode_removexattr - Smack check on removexattr 1370 * @dentry: the object 1371 * @name: name of the attribute 1372 * 1373 * Removing the Smack attribute requires CAP_MAC_ADMIN 1374 * 1375 * Returns 0 if access is permitted, an error code otherwise 1376 */ 1377 static int smack_inode_removexattr(struct dentry *dentry, const char *name) 1378 { 1379 struct inode_smack *isp; 1380 struct smk_audit_info ad; 1381 int rc = 0; 1382 1383 if (strcmp(name, XATTR_NAME_SMACK) == 0 || 1384 strcmp(name, XATTR_NAME_SMACKIPIN) == 0 || 1385 strcmp(name, XATTR_NAME_SMACKIPOUT) == 0 || 1386 strcmp(name, XATTR_NAME_SMACKEXEC) == 0 || 1387 strcmp(name, XATTR_NAME_SMACKTRANSMUTE) == 0 || 1388 strcmp(name, XATTR_NAME_SMACKMMAP) == 0) { 1389 if (!smack_privileged(CAP_MAC_ADMIN)) 1390 rc = -EPERM; 1391 } else 1392 rc = cap_inode_removexattr(dentry, name); 1393 1394 if (rc != 0) 1395 return rc; 1396 1397 smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_DENTRY); 1398 smk_ad_setfield_u_fs_path_dentry(&ad, dentry); 1399 1400 rc = smk_curacc(smk_of_inode(d_backing_inode(dentry)), MAY_WRITE, &ad); 1401 rc = smk_bu_inode(d_backing_inode(dentry), MAY_WRITE, rc); 1402 if (rc != 0) 1403 return rc; 1404 1405 isp = smack_inode(d_backing_inode(dentry)); 1406 /* 1407 * Don't do anything special for these. 1408 * XATTR_NAME_SMACKIPIN 1409 * XATTR_NAME_SMACKIPOUT 1410 */ 1411 if (strcmp(name, XATTR_NAME_SMACK) == 0) { 1412 struct super_block *sbp = dentry->d_sb; 1413 struct superblock_smack *sbsp = sbp->s_security; 1414 1415 isp->smk_inode = sbsp->smk_default; 1416 } else if (strcmp(name, XATTR_NAME_SMACKEXEC) == 0) 1417 isp->smk_task = NULL; 1418 else if (strcmp(name, XATTR_NAME_SMACKMMAP) == 0) 1419 isp->smk_mmap = NULL; 1420 else if (strcmp(name, XATTR_NAME_SMACKTRANSMUTE) == 0) 1421 isp->smk_flags &= ~SMK_INODE_TRANSMUTE; 1422 1423 return 0; 1424 } 1425 1426 /** 1427 * smack_inode_getsecurity - get smack xattrs 1428 * @inode: the object 1429 * @name: attribute name 1430 * @buffer: where to put the result 1431 * @alloc: duplicate memory 1432 * 1433 * Returns the size of the attribute or an error code 1434 */ 1435 static int smack_inode_getsecurity(struct inode *inode, 1436 const char *name, void **buffer, 1437 bool alloc) 1438 { 1439 struct socket_smack *ssp; 1440 struct socket *sock; 1441 struct super_block *sbp; 1442 struct inode *ip = (struct inode *)inode; 1443 struct smack_known *isp; 1444 1445 if (strcmp(name, XATTR_SMACK_SUFFIX) == 0) 1446 isp = smk_of_inode(inode); 1447 else { 1448 /* 1449 * The rest of the Smack xattrs are only on sockets. 1450 */ 1451 sbp = ip->i_sb; 1452 if (sbp->s_magic != SOCKFS_MAGIC) 1453 return -EOPNOTSUPP; 1454 1455 sock = SOCKET_I(ip); 1456 if (sock == NULL || sock->sk == NULL) 1457 return -EOPNOTSUPP; 1458 1459 ssp = sock->sk->sk_security; 1460 1461 if (strcmp(name, XATTR_SMACK_IPIN) == 0) 1462 isp = ssp->smk_in; 1463 else if (strcmp(name, XATTR_SMACK_IPOUT) == 0) 1464 isp = ssp->smk_out; 1465 else 1466 return -EOPNOTSUPP; 1467 } 1468 1469 if (alloc) { 1470 *buffer = kstrdup(isp->smk_known, GFP_KERNEL); 1471 if (*buffer == NULL) 1472 return -ENOMEM; 1473 } 1474 1475 return strlen(isp->smk_known); 1476 } 1477 1478 1479 /** 1480 * smack_inode_listsecurity - list the Smack attributes 1481 * @inode: the object 1482 * @buffer: where they go 1483 * @buffer_size: size of buffer 1484 */ 1485 static int smack_inode_listsecurity(struct inode *inode, char *buffer, 1486 size_t buffer_size) 1487 { 1488 int len = sizeof(XATTR_NAME_SMACK); 1489 1490 if (buffer != NULL && len <= buffer_size) 1491 memcpy(buffer, XATTR_NAME_SMACK, len); 1492 1493 return len; 1494 } 1495 1496 /** 1497 * smack_inode_getsecid - Extract inode's security id 1498 * @inode: inode to extract the info from 1499 * @secid: where result will be saved 1500 */ 1501 static void smack_inode_getsecid(struct inode *inode, u32 *secid) 1502 { 1503 struct smack_known *skp = smk_of_inode(inode); 1504 1505 *secid = skp->smk_secid; 1506 } 1507 1508 /* 1509 * File Hooks 1510 */ 1511 1512 /* 1513 * There is no smack_file_permission hook 1514 * 1515 * Should access checks be done on each read or write? 1516 * UNICOS and SELinux say yes. 1517 * Trusted Solaris, Trusted Irix, and just about everyone else says no. 1518 * 1519 * I'll say no for now. Smack does not do the frequent 1520 * label changing that SELinux does. 1521 */ 1522 1523 /** 1524 * smack_file_alloc_security - assign a file security blob 1525 * @file: the object 1526 * 1527 * The security blob for a file is a pointer to the master 1528 * label list, so no allocation is done. 1529 * 1530 * f_security is the owner security information. It 1531 * isn't used on file access checks, it's for send_sigio. 1532 * 1533 * Returns 0 1534 */ 1535 static int smack_file_alloc_security(struct file *file) 1536 { 1537 struct smack_known **blob = smack_file(file); 1538 1539 *blob = smk_of_current(); 1540 return 0; 1541 } 1542 1543 /** 1544 * smack_file_ioctl - Smack check on ioctls 1545 * @file: the object 1546 * @cmd: what to do 1547 * @arg: unused 1548 * 1549 * Relies heavily on the correct use of the ioctl command conventions. 1550 * 1551 * Returns 0 if allowed, error code otherwise 1552 */ 1553 static int smack_file_ioctl(struct file *file, unsigned int cmd, 1554 unsigned long arg) 1555 { 1556 int rc = 0; 1557 struct smk_audit_info ad; 1558 struct inode *inode = file_inode(file); 1559 1560 if (unlikely(IS_PRIVATE(inode))) 1561 return 0; 1562 1563 smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_PATH); 1564 smk_ad_setfield_u_fs_path(&ad, file->f_path); 1565 1566 if (_IOC_DIR(cmd) & _IOC_WRITE) { 1567 rc = smk_curacc(smk_of_inode(inode), MAY_WRITE, &ad); 1568 rc = smk_bu_file(file, MAY_WRITE, rc); 1569 } 1570 1571 if (rc == 0 && (_IOC_DIR(cmd) & _IOC_READ)) { 1572 rc = smk_curacc(smk_of_inode(inode), MAY_READ, &ad); 1573 rc = smk_bu_file(file, MAY_READ, rc); 1574 } 1575 1576 return rc; 1577 } 1578 1579 /** 1580 * smack_file_lock - Smack check on file locking 1581 * @file: the object 1582 * @cmd: unused 1583 * 1584 * Returns 0 if current has lock access, error code otherwise 1585 */ 1586 static int smack_file_lock(struct file *file, unsigned int cmd) 1587 { 1588 struct smk_audit_info ad; 1589 int rc; 1590 struct inode *inode = file_inode(file); 1591 1592 if (unlikely(IS_PRIVATE(inode))) 1593 return 0; 1594 1595 smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_PATH); 1596 smk_ad_setfield_u_fs_path(&ad, file->f_path); 1597 rc = smk_curacc(smk_of_inode(inode), MAY_LOCK, &ad); 1598 rc = smk_bu_file(file, MAY_LOCK, rc); 1599 return rc; 1600 } 1601 1602 /** 1603 * smack_file_fcntl - Smack check on fcntl 1604 * @file: the object 1605 * @cmd: what action to check 1606 * @arg: unused 1607 * 1608 * Generally these operations are harmless. 1609 * File locking operations present an obvious mechanism 1610 * for passing information, so they require write access. 1611 * 1612 * Returns 0 if current has access, error code otherwise 1613 */ 1614 static int smack_file_fcntl(struct file *file, unsigned int cmd, 1615 unsigned long arg) 1616 { 1617 struct smk_audit_info ad; 1618 int rc = 0; 1619 struct inode *inode = file_inode(file); 1620 1621 if (unlikely(IS_PRIVATE(inode))) 1622 return 0; 1623 1624 switch (cmd) { 1625 case F_GETLK: 1626 break; 1627 case F_SETLK: 1628 case F_SETLKW: 1629 smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_PATH); 1630 smk_ad_setfield_u_fs_path(&ad, file->f_path); 1631 rc = smk_curacc(smk_of_inode(inode), MAY_LOCK, &ad); 1632 rc = smk_bu_file(file, MAY_LOCK, rc); 1633 break; 1634 case F_SETOWN: 1635 case F_SETSIG: 1636 smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_PATH); 1637 smk_ad_setfield_u_fs_path(&ad, file->f_path); 1638 rc = smk_curacc(smk_of_inode(inode), MAY_WRITE, &ad); 1639 rc = smk_bu_file(file, MAY_WRITE, rc); 1640 break; 1641 default: 1642 break; 1643 } 1644 1645 return rc; 1646 } 1647 1648 /** 1649 * smack_mmap_file : 1650 * Check permissions for a mmap operation. The @file may be NULL, e.g. 1651 * if mapping anonymous memory. 1652 * @file contains the file structure for file to map (may be NULL). 1653 * @reqprot contains the protection requested by the application. 1654 * @prot contains the protection that will be applied by the kernel. 1655 * @flags contains the operational flags. 1656 * Return 0 if permission is granted. 1657 */ 1658 static int smack_mmap_file(struct file *file, 1659 unsigned long reqprot, unsigned long prot, 1660 unsigned long flags) 1661 { 1662 struct smack_known *skp; 1663 struct smack_known *mkp; 1664 struct smack_rule *srp; 1665 struct task_smack *tsp; 1666 struct smack_known *okp; 1667 struct inode_smack *isp; 1668 struct superblock_smack *sbsp; 1669 int may; 1670 int mmay; 1671 int tmay; 1672 int rc; 1673 1674 if (file == NULL) 1675 return 0; 1676 1677 if (unlikely(IS_PRIVATE(file_inode(file)))) 1678 return 0; 1679 1680 isp = smack_inode(file_inode(file)); 1681 if (isp->smk_mmap == NULL) 1682 return 0; 1683 sbsp = file_inode(file)->i_sb->s_security; 1684 if (sbsp->smk_flags & SMK_SB_UNTRUSTED && 1685 isp->smk_mmap != sbsp->smk_root) 1686 return -EACCES; 1687 mkp = isp->smk_mmap; 1688 1689 tsp = smack_cred(current_cred()); 1690 skp = smk_of_current(); 1691 rc = 0; 1692 1693 rcu_read_lock(); 1694 /* 1695 * For each Smack rule associated with the subject 1696 * label verify that the SMACK64MMAP also has access 1697 * to that rule's object label. 1698 */ 1699 list_for_each_entry_rcu(srp, &skp->smk_rules, list) { 1700 okp = srp->smk_object; 1701 /* 1702 * Matching labels always allows access. 1703 */ 1704 if (mkp->smk_known == okp->smk_known) 1705 continue; 1706 /* 1707 * If there is a matching local rule take 1708 * that into account as well. 1709 */ 1710 may = smk_access_entry(srp->smk_subject->smk_known, 1711 okp->smk_known, 1712 &tsp->smk_rules); 1713 if (may == -ENOENT) 1714 may = srp->smk_access; 1715 else 1716 may &= srp->smk_access; 1717 /* 1718 * If may is zero the SMACK64MMAP subject can't 1719 * possibly have less access. 1720 */ 1721 if (may == 0) 1722 continue; 1723 1724 /* 1725 * Fetch the global list entry. 1726 * If there isn't one a SMACK64MMAP subject 1727 * can't have as much access as current. 1728 */ 1729 mmay = smk_access_entry(mkp->smk_known, okp->smk_known, 1730 &mkp->smk_rules); 1731 if (mmay == -ENOENT) { 1732 rc = -EACCES; 1733 break; 1734 } 1735 /* 1736 * If there is a local entry it modifies the 1737 * potential access, too. 1738 */ 1739 tmay = smk_access_entry(mkp->smk_known, okp->smk_known, 1740 &tsp->smk_rules); 1741 if (tmay != -ENOENT) 1742 mmay &= tmay; 1743 1744 /* 1745 * If there is any access available to current that is 1746 * not available to a SMACK64MMAP subject 1747 * deny access. 1748 */ 1749 if ((may | mmay) != mmay) { 1750 rc = -EACCES; 1751 break; 1752 } 1753 } 1754 1755 rcu_read_unlock(); 1756 1757 return rc; 1758 } 1759 1760 /** 1761 * smack_file_set_fowner - set the file security blob value 1762 * @file: object in question 1763 * 1764 */ 1765 static void smack_file_set_fowner(struct file *file) 1766 { 1767 struct smack_known **blob = smack_file(file); 1768 1769 *blob = smk_of_current(); 1770 } 1771 1772 /** 1773 * smack_file_send_sigiotask - Smack on sigio 1774 * @tsk: The target task 1775 * @fown: the object the signal come from 1776 * @signum: unused 1777 * 1778 * Allow a privileged task to get signals even if it shouldn't 1779 * 1780 * Returns 0 if a subject with the object's smack could 1781 * write to the task, an error code otherwise. 1782 */ 1783 static int smack_file_send_sigiotask(struct task_struct *tsk, 1784 struct fown_struct *fown, int signum) 1785 { 1786 struct smack_known **blob; 1787 struct smack_known *skp; 1788 struct smack_known *tkp = smk_of_task(smack_cred(tsk->cred)); 1789 const struct cred *tcred; 1790 struct file *file; 1791 int rc; 1792 struct smk_audit_info ad; 1793 1794 /* 1795 * struct fown_struct is never outside the context of a struct file 1796 */ 1797 file = container_of(fown, struct file, f_owner); 1798 1799 /* we don't log here as rc can be overriden */ 1800 blob = smack_file(file); 1801 skp = *blob; 1802 rc = smk_access(skp, tkp, MAY_DELIVER, NULL); 1803 rc = smk_bu_note("sigiotask", skp, tkp, MAY_DELIVER, rc); 1804 1805 rcu_read_lock(); 1806 tcred = __task_cred(tsk); 1807 if (rc != 0 && smack_privileged_cred(CAP_MAC_OVERRIDE, tcred)) 1808 rc = 0; 1809 rcu_read_unlock(); 1810 1811 smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_TASK); 1812 smk_ad_setfield_u_tsk(&ad, tsk); 1813 smack_log(skp->smk_known, tkp->smk_known, MAY_DELIVER, rc, &ad); 1814 return rc; 1815 } 1816 1817 /** 1818 * smack_file_receive - Smack file receive check 1819 * @file: the object 1820 * 1821 * Returns 0 if current has access, error code otherwise 1822 */ 1823 static int smack_file_receive(struct file *file) 1824 { 1825 int rc; 1826 int may = 0; 1827 struct smk_audit_info ad; 1828 struct inode *inode = file_inode(file); 1829 struct socket *sock; 1830 struct task_smack *tsp; 1831 struct socket_smack *ssp; 1832 1833 if (unlikely(IS_PRIVATE(inode))) 1834 return 0; 1835 1836 smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_PATH); 1837 smk_ad_setfield_u_fs_path(&ad, file->f_path); 1838 1839 if (inode->i_sb->s_magic == SOCKFS_MAGIC) { 1840 sock = SOCKET_I(inode); 1841 ssp = sock->sk->sk_security; 1842 tsp = smack_cred(current_cred()); 1843 /* 1844 * If the receiving process can't write to the 1845 * passed socket or if the passed socket can't 1846 * write to the receiving process don't accept 1847 * the passed socket. 1848 */ 1849 rc = smk_access(tsp->smk_task, ssp->smk_out, MAY_WRITE, &ad); 1850 rc = smk_bu_file(file, may, rc); 1851 if (rc < 0) 1852 return rc; 1853 rc = smk_access(ssp->smk_in, tsp->smk_task, MAY_WRITE, &ad); 1854 rc = smk_bu_file(file, may, rc); 1855 return rc; 1856 } 1857 /* 1858 * This code relies on bitmasks. 1859 */ 1860 if (file->f_mode & FMODE_READ) 1861 may = MAY_READ; 1862 if (file->f_mode & FMODE_WRITE) 1863 may |= MAY_WRITE; 1864 1865 rc = smk_curacc(smk_of_inode(inode), may, &ad); 1866 rc = smk_bu_file(file, may, rc); 1867 return rc; 1868 } 1869 1870 /** 1871 * smack_file_open - Smack dentry open processing 1872 * @file: the object 1873 * @cred: task credential 1874 * 1875 * Set the security blob in the file structure. 1876 * Allow the open only if the task has read access. There are 1877 * many read operations (e.g. fstat) that you can do with an 1878 * fd even if you have the file open write-only. 1879 * 1880 * Returns 0 1881 */ 1882 static int smack_file_open(struct file *file) 1883 { 1884 struct task_smack *tsp = smack_cred(file->f_cred); 1885 struct inode *inode = file_inode(file); 1886 struct smk_audit_info ad; 1887 int rc; 1888 1889 smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_PATH); 1890 smk_ad_setfield_u_fs_path(&ad, file->f_path); 1891 rc = smk_tskacc(tsp, smk_of_inode(inode), MAY_READ, &ad); 1892 rc = smk_bu_credfile(file->f_cred, file, MAY_READ, rc); 1893 1894 return rc; 1895 } 1896 1897 /* 1898 * Task hooks 1899 */ 1900 1901 /** 1902 * smack_cred_alloc_blank - "allocate" blank task-level security credentials 1903 * @new: the new credentials 1904 * @gfp: the atomicity of any memory allocations 1905 * 1906 * Prepare a blank set of credentials for modification. This must allocate all 1907 * the memory the LSM module might require such that cred_transfer() can 1908 * complete without error. 1909 */ 1910 static int smack_cred_alloc_blank(struct cred *cred, gfp_t gfp) 1911 { 1912 init_task_smack(smack_cred(cred), NULL, NULL); 1913 return 0; 1914 } 1915 1916 1917 /** 1918 * smack_cred_free - "free" task-level security credentials 1919 * @cred: the credentials in question 1920 * 1921 */ 1922 static void smack_cred_free(struct cred *cred) 1923 { 1924 struct task_smack *tsp = smack_cred(cred); 1925 struct smack_rule *rp; 1926 struct list_head *l; 1927 struct list_head *n; 1928 1929 smk_destroy_label_list(&tsp->smk_relabel); 1930 1931 list_for_each_safe(l, n, &tsp->smk_rules) { 1932 rp = list_entry(l, struct smack_rule, list); 1933 list_del(&rp->list); 1934 kmem_cache_free(smack_rule_cache, rp); 1935 } 1936 } 1937 1938 /** 1939 * smack_cred_prepare - prepare new set of credentials for modification 1940 * @new: the new credentials 1941 * @old: the original credentials 1942 * @gfp: the atomicity of any memory allocations 1943 * 1944 * Prepare a new set of credentials for modification. 1945 */ 1946 static int smack_cred_prepare(struct cred *new, const struct cred *old, 1947 gfp_t gfp) 1948 { 1949 struct task_smack *old_tsp = smack_cred(old); 1950 struct task_smack *new_tsp = smack_cred(new); 1951 int rc; 1952 1953 init_task_smack(new_tsp, old_tsp->smk_task, old_tsp->smk_task); 1954 1955 rc = smk_copy_rules(&new_tsp->smk_rules, &old_tsp->smk_rules, gfp); 1956 if (rc != 0) 1957 return rc; 1958 1959 rc = smk_copy_relabel(&new_tsp->smk_relabel, &old_tsp->smk_relabel, 1960 gfp); 1961 return rc; 1962 } 1963 1964 /** 1965 * smack_cred_transfer - Transfer the old credentials to the new credentials 1966 * @new: the new credentials 1967 * @old: the original credentials 1968 * 1969 * Fill in a set of blank credentials from another set of credentials. 1970 */ 1971 static void smack_cred_transfer(struct cred *new, const struct cred *old) 1972 { 1973 struct task_smack *old_tsp = smack_cred(old); 1974 struct task_smack *new_tsp = smack_cred(new); 1975 1976 new_tsp->smk_task = old_tsp->smk_task; 1977 new_tsp->smk_forked = old_tsp->smk_task; 1978 mutex_init(&new_tsp->smk_rules_lock); 1979 INIT_LIST_HEAD(&new_tsp->smk_rules); 1980 1981 /* cbs copy rule list */ 1982 } 1983 1984 /** 1985 * smack_cred_getsecid - get the secid corresponding to a creds structure 1986 * @c: the object creds 1987 * @secid: where to put the result 1988 * 1989 * Sets the secid to contain a u32 version of the smack label. 1990 */ 1991 static void smack_cred_getsecid(const struct cred *cred, u32 *secid) 1992 { 1993 struct smack_known *skp; 1994 1995 rcu_read_lock(); 1996 skp = smk_of_task(smack_cred(cred)); 1997 *secid = skp->smk_secid; 1998 rcu_read_unlock(); 1999 } 2000 2001 /** 2002 * smack_kernel_act_as - Set the subjective context in a set of credentials 2003 * @new: points to the set of credentials to be modified. 2004 * @secid: specifies the security ID to be set 2005 * 2006 * Set the security data for a kernel service. 2007 */ 2008 static int smack_kernel_act_as(struct cred *new, u32 secid) 2009 { 2010 struct task_smack *new_tsp = smack_cred(new); 2011 2012 new_tsp->smk_task = smack_from_secid(secid); 2013 return 0; 2014 } 2015 2016 /** 2017 * smack_kernel_create_files_as - Set the file creation label in a set of creds 2018 * @new: points to the set of credentials to be modified 2019 * @inode: points to the inode to use as a reference 2020 * 2021 * Set the file creation context in a set of credentials to the same 2022 * as the objective context of the specified inode 2023 */ 2024 static int smack_kernel_create_files_as(struct cred *new, 2025 struct inode *inode) 2026 { 2027 struct inode_smack *isp = smack_inode(inode); 2028 struct task_smack *tsp = smack_cred(new); 2029 2030 tsp->smk_forked = isp->smk_inode; 2031 tsp->smk_task = tsp->smk_forked; 2032 return 0; 2033 } 2034 2035 /** 2036 * smk_curacc_on_task - helper to log task related access 2037 * @p: the task object 2038 * @access: the access requested 2039 * @caller: name of the calling function for audit 2040 * 2041 * Return 0 if access is permitted 2042 */ 2043 static int smk_curacc_on_task(struct task_struct *p, int access, 2044 const char *caller) 2045 { 2046 struct smk_audit_info ad; 2047 struct smack_known *skp = smk_of_task_struct(p); 2048 int rc; 2049 2050 smk_ad_init(&ad, caller, LSM_AUDIT_DATA_TASK); 2051 smk_ad_setfield_u_tsk(&ad, p); 2052 rc = smk_curacc(skp, access, &ad); 2053 rc = smk_bu_task(p, access, rc); 2054 return rc; 2055 } 2056 2057 /** 2058 * smack_task_setpgid - Smack check on setting pgid 2059 * @p: the task object 2060 * @pgid: unused 2061 * 2062 * Return 0 if write access is permitted 2063 */ 2064 static int smack_task_setpgid(struct task_struct *p, pid_t pgid) 2065 { 2066 return smk_curacc_on_task(p, MAY_WRITE, __func__); 2067 } 2068 2069 /** 2070 * smack_task_getpgid - Smack access check for getpgid 2071 * @p: the object task 2072 * 2073 * Returns 0 if current can read the object task, error code otherwise 2074 */ 2075 static int smack_task_getpgid(struct task_struct *p) 2076 { 2077 return smk_curacc_on_task(p, MAY_READ, __func__); 2078 } 2079 2080 /** 2081 * smack_task_getsid - Smack access check for getsid 2082 * @p: the object task 2083 * 2084 * Returns 0 if current can read the object task, error code otherwise 2085 */ 2086 static int smack_task_getsid(struct task_struct *p) 2087 { 2088 return smk_curacc_on_task(p, MAY_READ, __func__); 2089 } 2090 2091 /** 2092 * smack_task_getsecid - get the secid of the task 2093 * @p: the object task 2094 * @secid: where to put the result 2095 * 2096 * Sets the secid to contain a u32 version of the smack label. 2097 */ 2098 static void smack_task_getsecid(struct task_struct *p, u32 *secid) 2099 { 2100 struct smack_known *skp = smk_of_task_struct(p); 2101 2102 *secid = skp->smk_secid; 2103 } 2104 2105 /** 2106 * smack_task_setnice - Smack check on setting nice 2107 * @p: the task object 2108 * @nice: unused 2109 * 2110 * Return 0 if write access is permitted 2111 */ 2112 static int smack_task_setnice(struct task_struct *p, int nice) 2113 { 2114 return smk_curacc_on_task(p, MAY_WRITE, __func__); 2115 } 2116 2117 /** 2118 * smack_task_setioprio - Smack check on setting ioprio 2119 * @p: the task object 2120 * @ioprio: unused 2121 * 2122 * Return 0 if write access is permitted 2123 */ 2124 static int smack_task_setioprio(struct task_struct *p, int ioprio) 2125 { 2126 return smk_curacc_on_task(p, MAY_WRITE, __func__); 2127 } 2128 2129 /** 2130 * smack_task_getioprio - Smack check on reading ioprio 2131 * @p: the task object 2132 * 2133 * Return 0 if read access is permitted 2134 */ 2135 static int smack_task_getioprio(struct task_struct *p) 2136 { 2137 return smk_curacc_on_task(p, MAY_READ, __func__); 2138 } 2139 2140 /** 2141 * smack_task_setscheduler - Smack check on setting scheduler 2142 * @p: the task object 2143 * @policy: unused 2144 * @lp: unused 2145 * 2146 * Return 0 if read access is permitted 2147 */ 2148 static int smack_task_setscheduler(struct task_struct *p) 2149 { 2150 return smk_curacc_on_task(p, MAY_WRITE, __func__); 2151 } 2152 2153 /** 2154 * smack_task_getscheduler - Smack check on reading scheduler 2155 * @p: the task object 2156 * 2157 * Return 0 if read access is permitted 2158 */ 2159 static int smack_task_getscheduler(struct task_struct *p) 2160 { 2161 return smk_curacc_on_task(p, MAY_READ, __func__); 2162 } 2163 2164 /** 2165 * smack_task_movememory - Smack check on moving memory 2166 * @p: the task object 2167 * 2168 * Return 0 if write access is permitted 2169 */ 2170 static int smack_task_movememory(struct task_struct *p) 2171 { 2172 return smk_curacc_on_task(p, MAY_WRITE, __func__); 2173 } 2174 2175 /** 2176 * smack_task_kill - Smack check on signal delivery 2177 * @p: the task object 2178 * @info: unused 2179 * @sig: unused 2180 * @cred: identifies the cred to use in lieu of current's 2181 * 2182 * Return 0 if write access is permitted 2183 * 2184 */ 2185 static int smack_task_kill(struct task_struct *p, struct kernel_siginfo *info, 2186 int sig, const struct cred *cred) 2187 { 2188 struct smk_audit_info ad; 2189 struct smack_known *skp; 2190 struct smack_known *tkp = smk_of_task_struct(p); 2191 int rc; 2192 2193 if (!sig) 2194 return 0; /* null signal; existence test */ 2195 2196 smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_TASK); 2197 smk_ad_setfield_u_tsk(&ad, p); 2198 /* 2199 * Sending a signal requires that the sender 2200 * can write the receiver. 2201 */ 2202 if (cred == NULL) { 2203 rc = smk_curacc(tkp, MAY_DELIVER, &ad); 2204 rc = smk_bu_task(p, MAY_DELIVER, rc); 2205 return rc; 2206 } 2207 /* 2208 * If the cred isn't NULL we're dealing with some USB IO 2209 * specific behavior. This is not clean. For one thing 2210 * we can't take privilege into account. 2211 */ 2212 skp = smk_of_task(smack_cred(cred)); 2213 rc = smk_access(skp, tkp, MAY_DELIVER, &ad); 2214 rc = smk_bu_note("USB signal", skp, tkp, MAY_DELIVER, rc); 2215 return rc; 2216 } 2217 2218 /** 2219 * smack_task_to_inode - copy task smack into the inode blob 2220 * @p: task to copy from 2221 * @inode: inode to copy to 2222 * 2223 * Sets the smack pointer in the inode security blob 2224 */ 2225 static void smack_task_to_inode(struct task_struct *p, struct inode *inode) 2226 { 2227 struct inode_smack *isp = smack_inode(inode); 2228 struct smack_known *skp = smk_of_task_struct(p); 2229 2230 isp->smk_inode = skp; 2231 isp->smk_flags |= SMK_INODE_INSTANT; 2232 } 2233 2234 /* 2235 * Socket hooks. 2236 */ 2237 2238 /** 2239 * smack_sk_alloc_security - Allocate a socket blob 2240 * @sk: the socket 2241 * @family: unused 2242 * @gfp_flags: memory allocation flags 2243 * 2244 * Assign Smack pointers to current 2245 * 2246 * Returns 0 on success, -ENOMEM is there's no memory 2247 */ 2248 static int smack_sk_alloc_security(struct sock *sk, int family, gfp_t gfp_flags) 2249 { 2250 struct smack_known *skp = smk_of_current(); 2251 struct socket_smack *ssp; 2252 2253 ssp = kzalloc(sizeof(struct socket_smack), gfp_flags); 2254 if (ssp == NULL) 2255 return -ENOMEM; 2256 2257 /* 2258 * Sockets created by kernel threads receive web label. 2259 */ 2260 if (unlikely(current->flags & PF_KTHREAD)) { 2261 ssp->smk_in = &smack_known_web; 2262 ssp->smk_out = &smack_known_web; 2263 } else { 2264 ssp->smk_in = skp; 2265 ssp->smk_out = skp; 2266 } 2267 ssp->smk_packet = NULL; 2268 2269 sk->sk_security = ssp; 2270 2271 return 0; 2272 } 2273 2274 /** 2275 * smack_sk_free_security - Free a socket blob 2276 * @sk: the socket 2277 * 2278 * Clears the blob pointer 2279 */ 2280 static void smack_sk_free_security(struct sock *sk) 2281 { 2282 #ifdef SMACK_IPV6_PORT_LABELING 2283 struct smk_port_label *spp; 2284 2285 if (sk->sk_family == PF_INET6) { 2286 rcu_read_lock(); 2287 list_for_each_entry_rcu(spp, &smk_ipv6_port_list, list) { 2288 if (spp->smk_sock != sk) 2289 continue; 2290 spp->smk_can_reuse = 1; 2291 break; 2292 } 2293 rcu_read_unlock(); 2294 } 2295 #endif 2296 kfree(sk->sk_security); 2297 } 2298 2299 /** 2300 * smack_ipv4host_label - check host based restrictions 2301 * @sip: the object end 2302 * 2303 * looks for host based access restrictions 2304 * 2305 * This version will only be appropriate for really small sets of single label 2306 * hosts. The caller is responsible for ensuring that the RCU read lock is 2307 * taken before calling this function. 2308 * 2309 * Returns the label of the far end or NULL if it's not special. 2310 */ 2311 static struct smack_known *smack_ipv4host_label(struct sockaddr_in *sip) 2312 { 2313 struct smk_net4addr *snp; 2314 struct in_addr *siap = &sip->sin_addr; 2315 2316 if (siap->s_addr == 0) 2317 return NULL; 2318 2319 list_for_each_entry_rcu(snp, &smk_net4addr_list, list) 2320 /* 2321 * we break after finding the first match because 2322 * the list is sorted from longest to shortest mask 2323 * so we have found the most specific match 2324 */ 2325 if (snp->smk_host.s_addr == 2326 (siap->s_addr & snp->smk_mask.s_addr)) 2327 return snp->smk_label; 2328 2329 return NULL; 2330 } 2331 2332 #if IS_ENABLED(CONFIG_IPV6) 2333 /* 2334 * smk_ipv6_localhost - Check for local ipv6 host address 2335 * @sip: the address 2336 * 2337 * Returns boolean true if this is the localhost address 2338 */ 2339 static bool smk_ipv6_localhost(struct sockaddr_in6 *sip) 2340 { 2341 __be16 *be16p = (__be16 *)&sip->sin6_addr; 2342 __be32 *be32p = (__be32 *)&sip->sin6_addr; 2343 2344 if (be32p[0] == 0 && be32p[1] == 0 && be32p[2] == 0 && be16p[6] == 0 && 2345 ntohs(be16p[7]) == 1) 2346 return true; 2347 return false; 2348 } 2349 2350 /** 2351 * smack_ipv6host_label - check host based restrictions 2352 * @sip: the object end 2353 * 2354 * looks for host based access restrictions 2355 * 2356 * This version will only be appropriate for really small sets of single label 2357 * hosts. The caller is responsible for ensuring that the RCU read lock is 2358 * taken before calling this function. 2359 * 2360 * Returns the label of the far end or NULL if it's not special. 2361 */ 2362 static struct smack_known *smack_ipv6host_label(struct sockaddr_in6 *sip) 2363 { 2364 struct smk_net6addr *snp; 2365 struct in6_addr *sap = &sip->sin6_addr; 2366 int i; 2367 int found = 0; 2368 2369 /* 2370 * It's local. Don't look for a host label. 2371 */ 2372 if (smk_ipv6_localhost(sip)) 2373 return NULL; 2374 2375 list_for_each_entry_rcu(snp, &smk_net6addr_list, list) { 2376 /* 2377 * If the label is NULL the entry has 2378 * been renounced. Ignore it. 2379 */ 2380 if (snp->smk_label == NULL) 2381 continue; 2382 /* 2383 * we break after finding the first match because 2384 * the list is sorted from longest to shortest mask 2385 * so we have found the most specific match 2386 */ 2387 for (found = 1, i = 0; i < 8; i++) { 2388 if ((sap->s6_addr16[i] & snp->smk_mask.s6_addr16[i]) != 2389 snp->smk_host.s6_addr16[i]) { 2390 found = 0; 2391 break; 2392 } 2393 } 2394 if (found) 2395 return snp->smk_label; 2396 } 2397 2398 return NULL; 2399 } 2400 #endif /* CONFIG_IPV6 */ 2401 2402 /** 2403 * smack_netlabel - Set the secattr on a socket 2404 * @sk: the socket 2405 * @labeled: socket label scheme 2406 * 2407 * Convert the outbound smack value (smk_out) to a 2408 * secattr and attach it to the socket. 2409 * 2410 * Returns 0 on success or an error code 2411 */ 2412 static int smack_netlabel(struct sock *sk, int labeled) 2413 { 2414 struct smack_known *skp; 2415 struct socket_smack *ssp = sk->sk_security; 2416 int rc = 0; 2417 2418 /* 2419 * Usually the netlabel code will handle changing the 2420 * packet labeling based on the label. 2421 * The case of a single label host is different, because 2422 * a single label host should never get a labeled packet 2423 * even though the label is usually associated with a packet 2424 * label. 2425 */ 2426 local_bh_disable(); 2427 bh_lock_sock_nested(sk); 2428 2429 if (ssp->smk_out == smack_net_ambient || 2430 labeled == SMACK_UNLABELED_SOCKET) 2431 netlbl_sock_delattr(sk); 2432 else { 2433 skp = ssp->smk_out; 2434 rc = netlbl_sock_setattr(sk, sk->sk_family, &skp->smk_netlabel); 2435 } 2436 2437 bh_unlock_sock(sk); 2438 local_bh_enable(); 2439 2440 return rc; 2441 } 2442 2443 /** 2444 * smack_netlbel_send - Set the secattr on a socket and perform access checks 2445 * @sk: the socket 2446 * @sap: the destination address 2447 * 2448 * Set the correct secattr for the given socket based on the destination 2449 * address and perform any outbound access checks needed. 2450 * 2451 * Returns 0 on success or an error code. 2452 * 2453 */ 2454 static int smack_netlabel_send(struct sock *sk, struct sockaddr_in *sap) 2455 { 2456 struct smack_known *skp; 2457 int rc; 2458 int sk_lbl; 2459 struct smack_known *hkp; 2460 struct socket_smack *ssp = sk->sk_security; 2461 struct smk_audit_info ad; 2462 2463 rcu_read_lock(); 2464 hkp = smack_ipv4host_label(sap); 2465 if (hkp != NULL) { 2466 #ifdef CONFIG_AUDIT 2467 struct lsm_network_audit net; 2468 2469 smk_ad_init_net(&ad, __func__, LSM_AUDIT_DATA_NET, &net); 2470 ad.a.u.net->family = sap->sin_family; 2471 ad.a.u.net->dport = sap->sin_port; 2472 ad.a.u.net->v4info.daddr = sap->sin_addr.s_addr; 2473 #endif 2474 sk_lbl = SMACK_UNLABELED_SOCKET; 2475 skp = ssp->smk_out; 2476 rc = smk_access(skp, hkp, MAY_WRITE, &ad); 2477 rc = smk_bu_note("IPv4 host check", skp, hkp, MAY_WRITE, rc); 2478 } else { 2479 sk_lbl = SMACK_CIPSO_SOCKET; 2480 rc = 0; 2481 } 2482 rcu_read_unlock(); 2483 if (rc != 0) 2484 return rc; 2485 2486 return smack_netlabel(sk, sk_lbl); 2487 } 2488 2489 #if IS_ENABLED(CONFIG_IPV6) 2490 /** 2491 * smk_ipv6_check - check Smack access 2492 * @subject: subject Smack label 2493 * @object: object Smack label 2494 * @address: address 2495 * @act: the action being taken 2496 * 2497 * Check an IPv6 access 2498 */ 2499 static int smk_ipv6_check(struct smack_known *subject, 2500 struct smack_known *object, 2501 struct sockaddr_in6 *address, int act) 2502 { 2503 #ifdef CONFIG_AUDIT 2504 struct lsm_network_audit net; 2505 #endif 2506 struct smk_audit_info ad; 2507 int rc; 2508 2509 #ifdef CONFIG_AUDIT 2510 smk_ad_init_net(&ad, __func__, LSM_AUDIT_DATA_NET, &net); 2511 ad.a.u.net->family = PF_INET6; 2512 ad.a.u.net->dport = ntohs(address->sin6_port); 2513 if (act == SMK_RECEIVING) 2514 ad.a.u.net->v6info.saddr = address->sin6_addr; 2515 else 2516 ad.a.u.net->v6info.daddr = address->sin6_addr; 2517 #endif 2518 rc = smk_access(subject, object, MAY_WRITE, &ad); 2519 rc = smk_bu_note("IPv6 check", subject, object, MAY_WRITE, rc); 2520 return rc; 2521 } 2522 #endif /* CONFIG_IPV6 */ 2523 2524 #ifdef SMACK_IPV6_PORT_LABELING 2525 /** 2526 * smk_ipv6_port_label - Smack port access table management 2527 * @sock: socket 2528 * @address: address 2529 * 2530 * Create or update the port list entry 2531 */ 2532 static void smk_ipv6_port_label(struct socket *sock, struct sockaddr *address) 2533 { 2534 struct sock *sk = sock->sk; 2535 struct sockaddr_in6 *addr6; 2536 struct socket_smack *ssp = sock->sk->sk_security; 2537 struct smk_port_label *spp; 2538 unsigned short port = 0; 2539 2540 if (address == NULL) { 2541 /* 2542 * This operation is changing the Smack information 2543 * on the bound socket. Take the changes to the port 2544 * as well. 2545 */ 2546 rcu_read_lock(); 2547 list_for_each_entry_rcu(spp, &smk_ipv6_port_list, list) { 2548 if (sk != spp->smk_sock) 2549 continue; 2550 spp->smk_in = ssp->smk_in; 2551 spp->smk_out = ssp->smk_out; 2552 rcu_read_unlock(); 2553 return; 2554 } 2555 /* 2556 * A NULL address is only used for updating existing 2557 * bound entries. If there isn't one, it's OK. 2558 */ 2559 rcu_read_unlock(); 2560 return; 2561 } 2562 2563 addr6 = (struct sockaddr_in6 *)address; 2564 port = ntohs(addr6->sin6_port); 2565 /* 2566 * This is a special case that is safely ignored. 2567 */ 2568 if (port == 0) 2569 return; 2570 2571 /* 2572 * Look for an existing port list entry. 2573 * This is an indication that a port is getting reused. 2574 */ 2575 rcu_read_lock(); 2576 list_for_each_entry_rcu(spp, &smk_ipv6_port_list, list) { 2577 if (spp->smk_port != port || spp->smk_sock_type != sock->type) 2578 continue; 2579 if (spp->smk_can_reuse != 1) { 2580 rcu_read_unlock(); 2581 return; 2582 } 2583 spp->smk_port = port; 2584 spp->smk_sock = sk; 2585 spp->smk_in = ssp->smk_in; 2586 spp->smk_out = ssp->smk_out; 2587 spp->smk_can_reuse = 0; 2588 rcu_read_unlock(); 2589 return; 2590 } 2591 rcu_read_unlock(); 2592 /* 2593 * A new port entry is required. 2594 */ 2595 spp = kzalloc(sizeof(*spp), GFP_KERNEL); 2596 if (spp == NULL) 2597 return; 2598 2599 spp->smk_port = port; 2600 spp->smk_sock = sk; 2601 spp->smk_in = ssp->smk_in; 2602 spp->smk_out = ssp->smk_out; 2603 spp->smk_sock_type = sock->type; 2604 spp->smk_can_reuse = 0; 2605 2606 mutex_lock(&smack_ipv6_lock); 2607 list_add_rcu(&spp->list, &smk_ipv6_port_list); 2608 mutex_unlock(&smack_ipv6_lock); 2609 return; 2610 } 2611 2612 /** 2613 * smk_ipv6_port_check - check Smack port access 2614 * @sock: socket 2615 * @address: address 2616 * 2617 * Create or update the port list entry 2618 */ 2619 static int smk_ipv6_port_check(struct sock *sk, struct sockaddr_in6 *address, 2620 int act) 2621 { 2622 struct smk_port_label *spp; 2623 struct socket_smack *ssp = sk->sk_security; 2624 struct smack_known *skp = NULL; 2625 unsigned short port; 2626 struct smack_known *object; 2627 2628 if (act == SMK_RECEIVING) { 2629 skp = smack_ipv6host_label(address); 2630 object = ssp->smk_in; 2631 } else { 2632 skp = ssp->smk_out; 2633 object = smack_ipv6host_label(address); 2634 } 2635 2636 /* 2637 * The other end is a single label host. 2638 */ 2639 if (skp != NULL && object != NULL) 2640 return smk_ipv6_check(skp, object, address, act); 2641 if (skp == NULL) 2642 skp = smack_net_ambient; 2643 if (object == NULL) 2644 object = smack_net_ambient; 2645 2646 /* 2647 * It's remote, so port lookup does no good. 2648 */ 2649 if (!smk_ipv6_localhost(address)) 2650 return smk_ipv6_check(skp, object, address, act); 2651 2652 /* 2653 * It's local so the send check has to have passed. 2654 */ 2655 if (act == SMK_RECEIVING) 2656 return 0; 2657 2658 port = ntohs(address->sin6_port); 2659 rcu_read_lock(); 2660 list_for_each_entry_rcu(spp, &smk_ipv6_port_list, list) { 2661 if (spp->smk_port != port || spp->smk_sock_type != sk->sk_type) 2662 continue; 2663 object = spp->smk_in; 2664 if (act == SMK_CONNECTING) 2665 ssp->smk_packet = spp->smk_out; 2666 break; 2667 } 2668 rcu_read_unlock(); 2669 2670 return smk_ipv6_check(skp, object, address, act); 2671 } 2672 #endif /* SMACK_IPV6_PORT_LABELING */ 2673 2674 /** 2675 * smack_inode_setsecurity - set smack xattrs 2676 * @inode: the object 2677 * @name: attribute name 2678 * @value: attribute value 2679 * @size: size of the attribute 2680 * @flags: unused 2681 * 2682 * Sets the named attribute in the appropriate blob 2683 * 2684 * Returns 0 on success, or an error code 2685 */ 2686 static int smack_inode_setsecurity(struct inode *inode, const char *name, 2687 const void *value, size_t size, int flags) 2688 { 2689 struct smack_known *skp; 2690 struct inode_smack *nsp = smack_inode(inode); 2691 struct socket_smack *ssp; 2692 struct socket *sock; 2693 int rc = 0; 2694 2695 if (value == NULL || size > SMK_LONGLABEL || size == 0) 2696 return -EINVAL; 2697 2698 skp = smk_import_entry(value, size); 2699 if (IS_ERR(skp)) 2700 return PTR_ERR(skp); 2701 2702 if (strcmp(name, XATTR_SMACK_SUFFIX) == 0) { 2703 nsp->smk_inode = skp; 2704 nsp->smk_flags |= SMK_INODE_INSTANT; 2705 return 0; 2706 } 2707 /* 2708 * The rest of the Smack xattrs are only on sockets. 2709 */ 2710 if (inode->i_sb->s_magic != SOCKFS_MAGIC) 2711 return -EOPNOTSUPP; 2712 2713 sock = SOCKET_I(inode); 2714 if (sock == NULL || sock->sk == NULL) 2715 return -EOPNOTSUPP; 2716 2717 ssp = sock->sk->sk_security; 2718 2719 if (strcmp(name, XATTR_SMACK_IPIN) == 0) 2720 ssp->smk_in = skp; 2721 else if (strcmp(name, XATTR_SMACK_IPOUT) == 0) { 2722 ssp->smk_out = skp; 2723 if (sock->sk->sk_family == PF_INET) { 2724 rc = smack_netlabel(sock->sk, SMACK_CIPSO_SOCKET); 2725 if (rc != 0) 2726 printk(KERN_WARNING 2727 "Smack: \"%s\" netlbl error %d.\n", 2728 __func__, -rc); 2729 } 2730 } else 2731 return -EOPNOTSUPP; 2732 2733 #ifdef SMACK_IPV6_PORT_LABELING 2734 if (sock->sk->sk_family == PF_INET6) 2735 smk_ipv6_port_label(sock, NULL); 2736 #endif 2737 2738 return 0; 2739 } 2740 2741 /** 2742 * smack_socket_post_create - finish socket setup 2743 * @sock: the socket 2744 * @family: protocol family 2745 * @type: unused 2746 * @protocol: unused 2747 * @kern: unused 2748 * 2749 * Sets the netlabel information on the socket 2750 * 2751 * Returns 0 on success, and error code otherwise 2752 */ 2753 static int smack_socket_post_create(struct socket *sock, int family, 2754 int type, int protocol, int kern) 2755 { 2756 struct socket_smack *ssp; 2757 2758 if (sock->sk == NULL) 2759 return 0; 2760 2761 /* 2762 * Sockets created by kernel threads receive web label. 2763 */ 2764 if (unlikely(current->flags & PF_KTHREAD)) { 2765 ssp = sock->sk->sk_security; 2766 ssp->smk_in = &smack_known_web; 2767 ssp->smk_out = &smack_known_web; 2768 } 2769 2770 if (family != PF_INET) 2771 return 0; 2772 /* 2773 * Set the outbound netlbl. 2774 */ 2775 return smack_netlabel(sock->sk, SMACK_CIPSO_SOCKET); 2776 } 2777 2778 /** 2779 * smack_socket_socketpair - create socket pair 2780 * @socka: one socket 2781 * @sockb: another socket 2782 * 2783 * Cross reference the peer labels for SO_PEERSEC 2784 * 2785 * Returns 0 on success, and error code otherwise 2786 */ 2787 static int smack_socket_socketpair(struct socket *socka, 2788 struct socket *sockb) 2789 { 2790 struct socket_smack *asp = socka->sk->sk_security; 2791 struct socket_smack *bsp = sockb->sk->sk_security; 2792 2793 asp->smk_packet = bsp->smk_out; 2794 bsp->smk_packet = asp->smk_out; 2795 2796 return 0; 2797 } 2798 2799 #ifdef SMACK_IPV6_PORT_LABELING 2800 /** 2801 * smack_socket_bind - record port binding information. 2802 * @sock: the socket 2803 * @address: the port address 2804 * @addrlen: size of the address 2805 * 2806 * Records the label bound to a port. 2807 * 2808 * Returns 0 on success, and error code otherwise 2809 */ 2810 static int smack_socket_bind(struct socket *sock, struct sockaddr *address, 2811 int addrlen) 2812 { 2813 if (sock->sk != NULL && sock->sk->sk_family == PF_INET6) { 2814 if (addrlen < SIN6_LEN_RFC2133 || 2815 address->sa_family != AF_INET6) 2816 return -EINVAL; 2817 smk_ipv6_port_label(sock, address); 2818 } 2819 return 0; 2820 } 2821 #endif /* SMACK_IPV6_PORT_LABELING */ 2822 2823 /** 2824 * smack_socket_connect - connect access check 2825 * @sock: the socket 2826 * @sap: the other end 2827 * @addrlen: size of sap 2828 * 2829 * Verifies that a connection may be possible 2830 * 2831 * Returns 0 on success, and error code otherwise 2832 */ 2833 static int smack_socket_connect(struct socket *sock, struct sockaddr *sap, 2834 int addrlen) 2835 { 2836 int rc = 0; 2837 #if IS_ENABLED(CONFIG_IPV6) 2838 struct sockaddr_in6 *sip = (struct sockaddr_in6 *)sap; 2839 #endif 2840 #ifdef SMACK_IPV6_SECMARK_LABELING 2841 struct smack_known *rsp; 2842 struct socket_smack *ssp; 2843 #endif 2844 2845 if (sock->sk == NULL) 2846 return 0; 2847 2848 #ifdef SMACK_IPV6_SECMARK_LABELING 2849 ssp = sock->sk->sk_security; 2850 #endif 2851 2852 switch (sock->sk->sk_family) { 2853 case PF_INET: 2854 if (addrlen < sizeof(struct sockaddr_in) || 2855 sap->sa_family != AF_INET) 2856 return -EINVAL; 2857 rc = smack_netlabel_send(sock->sk, (struct sockaddr_in *)sap); 2858 break; 2859 case PF_INET6: 2860 if (addrlen < SIN6_LEN_RFC2133 || sap->sa_family != AF_INET6) 2861 return -EINVAL; 2862 #ifdef SMACK_IPV6_SECMARK_LABELING 2863 rsp = smack_ipv6host_label(sip); 2864 if (rsp != NULL) 2865 rc = smk_ipv6_check(ssp->smk_out, rsp, sip, 2866 SMK_CONNECTING); 2867 #endif 2868 #ifdef SMACK_IPV6_PORT_LABELING 2869 rc = smk_ipv6_port_check(sock->sk, sip, SMK_CONNECTING); 2870 #endif 2871 break; 2872 } 2873 return rc; 2874 } 2875 2876 /** 2877 * smack_flags_to_may - convert S_ to MAY_ values 2878 * @flags: the S_ value 2879 * 2880 * Returns the equivalent MAY_ value 2881 */ 2882 static int smack_flags_to_may(int flags) 2883 { 2884 int may = 0; 2885 2886 if (flags & S_IRUGO) 2887 may |= MAY_READ; 2888 if (flags & S_IWUGO) 2889 may |= MAY_WRITE; 2890 if (flags & S_IXUGO) 2891 may |= MAY_EXEC; 2892 2893 return may; 2894 } 2895 2896 /** 2897 * smack_msg_msg_alloc_security - Set the security blob for msg_msg 2898 * @msg: the object 2899 * 2900 * Returns 0 2901 */ 2902 static int smack_msg_msg_alloc_security(struct msg_msg *msg) 2903 { 2904 struct smack_known **blob = smack_msg_msg(msg); 2905 2906 *blob = smk_of_current(); 2907 return 0; 2908 } 2909 2910 /** 2911 * smack_of_ipc - the smack pointer for the ipc 2912 * @isp: the object 2913 * 2914 * Returns a pointer to the smack value 2915 */ 2916 static struct smack_known *smack_of_ipc(struct kern_ipc_perm *isp) 2917 { 2918 struct smack_known **blob = smack_ipc(isp); 2919 2920 return *blob; 2921 } 2922 2923 /** 2924 * smack_ipc_alloc_security - Set the security blob for ipc 2925 * @isp: the object 2926 * 2927 * Returns 0 2928 */ 2929 static int smack_ipc_alloc_security(struct kern_ipc_perm *isp) 2930 { 2931 struct smack_known **blob = smack_ipc(isp); 2932 2933 *blob = smk_of_current(); 2934 return 0; 2935 } 2936 2937 /** 2938 * smk_curacc_shm : check if current has access on shm 2939 * @isp : the object 2940 * @access : access requested 2941 * 2942 * Returns 0 if current has the requested access, error code otherwise 2943 */ 2944 static int smk_curacc_shm(struct kern_ipc_perm *isp, int access) 2945 { 2946 struct smack_known *ssp = smack_of_ipc(isp); 2947 struct smk_audit_info ad; 2948 int rc; 2949 2950 #ifdef CONFIG_AUDIT 2951 smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_IPC); 2952 ad.a.u.ipc_id = isp->id; 2953 #endif 2954 rc = smk_curacc(ssp, access, &ad); 2955 rc = smk_bu_current("shm", ssp, access, rc); 2956 return rc; 2957 } 2958 2959 /** 2960 * smack_shm_associate - Smack access check for shm 2961 * @isp: the object 2962 * @shmflg: access requested 2963 * 2964 * Returns 0 if current has the requested access, error code otherwise 2965 */ 2966 static int smack_shm_associate(struct kern_ipc_perm *isp, int shmflg) 2967 { 2968 int may; 2969 2970 may = smack_flags_to_may(shmflg); 2971 return smk_curacc_shm(isp, may); 2972 } 2973 2974 /** 2975 * smack_shm_shmctl - Smack access check for shm 2976 * @isp: the object 2977 * @cmd: what it wants to do 2978 * 2979 * Returns 0 if current has the requested access, error code otherwise 2980 */ 2981 static int smack_shm_shmctl(struct kern_ipc_perm *isp, int cmd) 2982 { 2983 int may; 2984 2985 switch (cmd) { 2986 case IPC_STAT: 2987 case SHM_STAT: 2988 case SHM_STAT_ANY: 2989 may = MAY_READ; 2990 break; 2991 case IPC_SET: 2992 case SHM_LOCK: 2993 case SHM_UNLOCK: 2994 case IPC_RMID: 2995 may = MAY_READWRITE; 2996 break; 2997 case IPC_INFO: 2998 case SHM_INFO: 2999 /* 3000 * System level information. 3001 */ 3002 return 0; 3003 default: 3004 return -EINVAL; 3005 } 3006 return smk_curacc_shm(isp, may); 3007 } 3008 3009 /** 3010 * smack_shm_shmat - Smack access for shmat 3011 * @isp: the object 3012 * @shmaddr: unused 3013 * @shmflg: access requested 3014 * 3015 * Returns 0 if current has the requested access, error code otherwise 3016 */ 3017 static int smack_shm_shmat(struct kern_ipc_perm *ipc, char __user *shmaddr, 3018 int shmflg) 3019 { 3020 int may; 3021 3022 may = smack_flags_to_may(shmflg); 3023 return smk_curacc_shm(ipc, may); 3024 } 3025 3026 /** 3027 * smk_curacc_sem : check if current has access on sem 3028 * @isp : the object 3029 * @access : access requested 3030 * 3031 * Returns 0 if current has the requested access, error code otherwise 3032 */ 3033 static int smk_curacc_sem(struct kern_ipc_perm *isp, int access) 3034 { 3035 struct smack_known *ssp = smack_of_ipc(isp); 3036 struct smk_audit_info ad; 3037 int rc; 3038 3039 #ifdef CONFIG_AUDIT 3040 smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_IPC); 3041 ad.a.u.ipc_id = isp->id; 3042 #endif 3043 rc = smk_curacc(ssp, access, &ad); 3044 rc = smk_bu_current("sem", ssp, access, rc); 3045 return rc; 3046 } 3047 3048 /** 3049 * smack_sem_associate - Smack access check for sem 3050 * @isp: the object 3051 * @semflg: access requested 3052 * 3053 * Returns 0 if current has the requested access, error code otherwise 3054 */ 3055 static int smack_sem_associate(struct kern_ipc_perm *isp, int semflg) 3056 { 3057 int may; 3058 3059 may = smack_flags_to_may(semflg); 3060 return smk_curacc_sem(isp, may); 3061 } 3062 3063 /** 3064 * smack_sem_shmctl - Smack access check for sem 3065 * @isp: the object 3066 * @cmd: what it wants to do 3067 * 3068 * Returns 0 if current has the requested access, error code otherwise 3069 */ 3070 static int smack_sem_semctl(struct kern_ipc_perm *isp, int cmd) 3071 { 3072 int may; 3073 3074 switch (cmd) { 3075 case GETPID: 3076 case GETNCNT: 3077 case GETZCNT: 3078 case GETVAL: 3079 case GETALL: 3080 case IPC_STAT: 3081 case SEM_STAT: 3082 case SEM_STAT_ANY: 3083 may = MAY_READ; 3084 break; 3085 case SETVAL: 3086 case SETALL: 3087 case IPC_RMID: 3088 case IPC_SET: 3089 may = MAY_READWRITE; 3090 break; 3091 case IPC_INFO: 3092 case SEM_INFO: 3093 /* 3094 * System level information 3095 */ 3096 return 0; 3097 default: 3098 return -EINVAL; 3099 } 3100 3101 return smk_curacc_sem(isp, may); 3102 } 3103 3104 /** 3105 * smack_sem_semop - Smack checks of semaphore operations 3106 * @isp: the object 3107 * @sops: unused 3108 * @nsops: unused 3109 * @alter: unused 3110 * 3111 * Treated as read and write in all cases. 3112 * 3113 * Returns 0 if access is allowed, error code otherwise 3114 */ 3115 static int smack_sem_semop(struct kern_ipc_perm *isp, struct sembuf *sops, 3116 unsigned nsops, int alter) 3117 { 3118 return smk_curacc_sem(isp, MAY_READWRITE); 3119 } 3120 3121 /** 3122 * smk_curacc_msq : helper to check if current has access on msq 3123 * @isp : the msq 3124 * @access : access requested 3125 * 3126 * return 0 if current has access, error otherwise 3127 */ 3128 static int smk_curacc_msq(struct kern_ipc_perm *isp, int access) 3129 { 3130 struct smack_known *msp = smack_of_ipc(isp); 3131 struct smk_audit_info ad; 3132 int rc; 3133 3134 #ifdef CONFIG_AUDIT 3135 smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_IPC); 3136 ad.a.u.ipc_id = isp->id; 3137 #endif 3138 rc = smk_curacc(msp, access, &ad); 3139 rc = smk_bu_current("msq", msp, access, rc); 3140 return rc; 3141 } 3142 3143 /** 3144 * smack_msg_queue_associate - Smack access check for msg_queue 3145 * @isp: the object 3146 * @msqflg: access requested 3147 * 3148 * Returns 0 if current has the requested access, error code otherwise 3149 */ 3150 static int smack_msg_queue_associate(struct kern_ipc_perm *isp, int msqflg) 3151 { 3152 int may; 3153 3154 may = smack_flags_to_may(msqflg); 3155 return smk_curacc_msq(isp, may); 3156 } 3157 3158 /** 3159 * smack_msg_queue_msgctl - Smack access check for msg_queue 3160 * @isp: the object 3161 * @cmd: what it wants to do 3162 * 3163 * Returns 0 if current has the requested access, error code otherwise 3164 */ 3165 static int smack_msg_queue_msgctl(struct kern_ipc_perm *isp, int cmd) 3166 { 3167 int may; 3168 3169 switch (cmd) { 3170 case IPC_STAT: 3171 case MSG_STAT: 3172 case MSG_STAT_ANY: 3173 may = MAY_READ; 3174 break; 3175 case IPC_SET: 3176 case IPC_RMID: 3177 may = MAY_READWRITE; 3178 break; 3179 case IPC_INFO: 3180 case MSG_INFO: 3181 /* 3182 * System level information 3183 */ 3184 return 0; 3185 default: 3186 return -EINVAL; 3187 } 3188 3189 return smk_curacc_msq(isp, may); 3190 } 3191 3192 /** 3193 * smack_msg_queue_msgsnd - Smack access check for msg_queue 3194 * @isp: the object 3195 * @msg: unused 3196 * @msqflg: access requested 3197 * 3198 * Returns 0 if current has the requested access, error code otherwise 3199 */ 3200 static int smack_msg_queue_msgsnd(struct kern_ipc_perm *isp, struct msg_msg *msg, 3201 int msqflg) 3202 { 3203 int may; 3204 3205 may = smack_flags_to_may(msqflg); 3206 return smk_curacc_msq(isp, may); 3207 } 3208 3209 /** 3210 * smack_msg_queue_msgsnd - Smack access check for msg_queue 3211 * @isp: the object 3212 * @msg: unused 3213 * @target: unused 3214 * @type: unused 3215 * @mode: unused 3216 * 3217 * Returns 0 if current has read and write access, error code otherwise 3218 */ 3219 static int smack_msg_queue_msgrcv(struct kern_ipc_perm *isp, struct msg_msg *msg, 3220 struct task_struct *target, long type, int mode) 3221 { 3222 return smk_curacc_msq(isp, MAY_READWRITE); 3223 } 3224 3225 /** 3226 * smack_ipc_permission - Smack access for ipc_permission() 3227 * @ipp: the object permissions 3228 * @flag: access requested 3229 * 3230 * Returns 0 if current has read and write access, error code otherwise 3231 */ 3232 static int smack_ipc_permission(struct kern_ipc_perm *ipp, short flag) 3233 { 3234 struct smack_known **blob = smack_ipc(ipp); 3235 struct smack_known *iskp = *blob; 3236 int may = smack_flags_to_may(flag); 3237 struct smk_audit_info ad; 3238 int rc; 3239 3240 #ifdef CONFIG_AUDIT 3241 smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_IPC); 3242 ad.a.u.ipc_id = ipp->id; 3243 #endif 3244 rc = smk_curacc(iskp, may, &ad); 3245 rc = smk_bu_current("svipc", iskp, may, rc); 3246 return rc; 3247 } 3248 3249 /** 3250 * smack_ipc_getsecid - Extract smack security id 3251 * @ipp: the object permissions 3252 * @secid: where result will be saved 3253 */ 3254 static void smack_ipc_getsecid(struct kern_ipc_perm *ipp, u32 *secid) 3255 { 3256 struct smack_known **blob = smack_ipc(ipp); 3257 struct smack_known *iskp = *blob; 3258 3259 *secid = iskp->smk_secid; 3260 } 3261 3262 /** 3263 * smack_d_instantiate - Make sure the blob is correct on an inode 3264 * @opt_dentry: dentry where inode will be attached 3265 * @inode: the object 3266 * 3267 * Set the inode's security blob if it hasn't been done already. 3268 */ 3269 static void smack_d_instantiate(struct dentry *opt_dentry, struct inode *inode) 3270 { 3271 struct super_block *sbp; 3272 struct superblock_smack *sbsp; 3273 struct inode_smack *isp; 3274 struct smack_known *skp; 3275 struct smack_known *ckp = smk_of_current(); 3276 struct smack_known *final; 3277 char trattr[TRANS_TRUE_SIZE]; 3278 int transflag = 0; 3279 int rc; 3280 struct dentry *dp; 3281 3282 if (inode == NULL) 3283 return; 3284 3285 isp = smack_inode(inode); 3286 3287 mutex_lock(&isp->smk_lock); 3288 /* 3289 * If the inode is already instantiated 3290 * take the quick way out 3291 */ 3292 if (isp->smk_flags & SMK_INODE_INSTANT) 3293 goto unlockandout; 3294 3295 sbp = inode->i_sb; 3296 sbsp = sbp->s_security; 3297 /* 3298 * We're going to use the superblock default label 3299 * if there's no label on the file. 3300 */ 3301 final = sbsp->smk_default; 3302 3303 /* 3304 * If this is the root inode the superblock 3305 * may be in the process of initialization. 3306 * If that is the case use the root value out 3307 * of the superblock. 3308 */ 3309 if (opt_dentry->d_parent == opt_dentry) { 3310 switch (sbp->s_magic) { 3311 case CGROUP_SUPER_MAGIC: 3312 case CGROUP2_SUPER_MAGIC: 3313 /* 3314 * The cgroup filesystem is never mounted, 3315 * so there's no opportunity to set the mount 3316 * options. 3317 */ 3318 sbsp->smk_root = &smack_known_star; 3319 sbsp->smk_default = &smack_known_star; 3320 isp->smk_inode = sbsp->smk_root; 3321 break; 3322 case TMPFS_MAGIC: 3323 /* 3324 * What about shmem/tmpfs anonymous files with dentry 3325 * obtained from d_alloc_pseudo()? 3326 */ 3327 isp->smk_inode = smk_of_current(); 3328 break; 3329 case PIPEFS_MAGIC: 3330 isp->smk_inode = smk_of_current(); 3331 break; 3332 case SOCKFS_MAGIC: 3333 /* 3334 * Socket access is controlled by the socket 3335 * structures associated with the task involved. 3336 */ 3337 isp->smk_inode = &smack_known_star; 3338 break; 3339 default: 3340 isp->smk_inode = sbsp->smk_root; 3341 break; 3342 } 3343 isp->smk_flags |= SMK_INODE_INSTANT; 3344 goto unlockandout; 3345 } 3346 3347 /* 3348 * This is pretty hackish. 3349 * Casey says that we shouldn't have to do 3350 * file system specific code, but it does help 3351 * with keeping it simple. 3352 */ 3353 switch (sbp->s_magic) { 3354 case SMACK_MAGIC: 3355 case CGROUP_SUPER_MAGIC: 3356 case CGROUP2_SUPER_MAGIC: 3357 /* 3358 * Casey says that it's a little embarrassing 3359 * that the smack file system doesn't do 3360 * extended attributes. 3361 * 3362 * Cgroupfs is special 3363 */ 3364 final = &smack_known_star; 3365 break; 3366 case DEVPTS_SUPER_MAGIC: 3367 /* 3368 * devpts seems content with the label of the task. 3369 * Programs that change smack have to treat the 3370 * pty with respect. 3371 */ 3372 final = ckp; 3373 break; 3374 case PROC_SUPER_MAGIC: 3375 /* 3376 * Casey says procfs appears not to care. 3377 * The superblock default suffices. 3378 */ 3379 break; 3380 case TMPFS_MAGIC: 3381 /* 3382 * Device labels should come from the filesystem, 3383 * but watch out, because they're volitile, 3384 * getting recreated on every reboot. 3385 */ 3386 final = &smack_known_star; 3387 /* 3388 * If a smack value has been set we want to use it, 3389 * but since tmpfs isn't giving us the opportunity 3390 * to set mount options simulate setting the 3391 * superblock default. 3392 */ 3393 /* Fall through */ 3394 default: 3395 /* 3396 * This isn't an understood special case. 3397 * Get the value from the xattr. 3398 */ 3399 3400 /* 3401 * UNIX domain sockets use lower level socket data. 3402 */ 3403 if (S_ISSOCK(inode->i_mode)) { 3404 final = &smack_known_star; 3405 break; 3406 } 3407 /* 3408 * No xattr support means, alas, no SMACK label. 3409 * Use the aforeapplied default. 3410 * It would be curious if the label of the task 3411 * does not match that assigned. 3412 */ 3413 if (!(inode->i_opflags & IOP_XATTR)) 3414 break; 3415 /* 3416 * Get the dentry for xattr. 3417 */ 3418 dp = dget(opt_dentry); 3419 skp = smk_fetch(XATTR_NAME_SMACK, inode, dp); 3420 if (!IS_ERR_OR_NULL(skp)) 3421 final = skp; 3422 3423 /* 3424 * Transmuting directory 3425 */ 3426 if (S_ISDIR(inode->i_mode)) { 3427 /* 3428 * If this is a new directory and the label was 3429 * transmuted when the inode was initialized 3430 * set the transmute attribute on the directory 3431 * and mark the inode. 3432 * 3433 * If there is a transmute attribute on the 3434 * directory mark the inode. 3435 */ 3436 if (isp->smk_flags & SMK_INODE_CHANGED) { 3437 isp->smk_flags &= ~SMK_INODE_CHANGED; 3438 rc = __vfs_setxattr(dp, inode, 3439 XATTR_NAME_SMACKTRANSMUTE, 3440 TRANS_TRUE, TRANS_TRUE_SIZE, 3441 0); 3442 } else { 3443 rc = __vfs_getxattr(dp, inode, 3444 XATTR_NAME_SMACKTRANSMUTE, trattr, 3445 TRANS_TRUE_SIZE); 3446 if (rc >= 0 && strncmp(trattr, TRANS_TRUE, 3447 TRANS_TRUE_SIZE) != 0) 3448 rc = -EINVAL; 3449 } 3450 if (rc >= 0) 3451 transflag = SMK_INODE_TRANSMUTE; 3452 } 3453 /* 3454 * Don't let the exec or mmap label be "*" or "@". 3455 */ 3456 skp = smk_fetch(XATTR_NAME_SMACKEXEC, inode, dp); 3457 if (IS_ERR(skp) || skp == &smack_known_star || 3458 skp == &smack_known_web) 3459 skp = NULL; 3460 isp->smk_task = skp; 3461 3462 skp = smk_fetch(XATTR_NAME_SMACKMMAP, inode, dp); 3463 if (IS_ERR(skp) || skp == &smack_known_star || 3464 skp == &smack_known_web) 3465 skp = NULL; 3466 isp->smk_mmap = skp; 3467 3468 dput(dp); 3469 break; 3470 } 3471 3472 if (final == NULL) 3473 isp->smk_inode = ckp; 3474 else 3475 isp->smk_inode = final; 3476 3477 isp->smk_flags |= (SMK_INODE_INSTANT | transflag); 3478 3479 unlockandout: 3480 mutex_unlock(&isp->smk_lock); 3481 return; 3482 } 3483 3484 /** 3485 * smack_getprocattr - Smack process attribute access 3486 * @p: the object task 3487 * @name: the name of the attribute in /proc/.../attr 3488 * @value: where to put the result 3489 * 3490 * Places a copy of the task Smack into value 3491 * 3492 * Returns the length of the smack label or an error code 3493 */ 3494 static int smack_getprocattr(struct task_struct *p, char *name, char **value) 3495 { 3496 struct smack_known *skp = smk_of_task_struct(p); 3497 char *cp; 3498 int slen; 3499 3500 if (strcmp(name, "current") != 0) 3501 return -EINVAL; 3502 3503 cp = kstrdup(skp->smk_known, GFP_KERNEL); 3504 if (cp == NULL) 3505 return -ENOMEM; 3506 3507 slen = strlen(cp); 3508 *value = cp; 3509 return slen; 3510 } 3511 3512 /** 3513 * smack_setprocattr - Smack process attribute setting 3514 * @name: the name of the attribute in /proc/.../attr 3515 * @value: the value to set 3516 * @size: the size of the value 3517 * 3518 * Sets the Smack value of the task. Only setting self 3519 * is permitted and only with privilege 3520 * 3521 * Returns the length of the smack label or an error code 3522 */ 3523 static int smack_setprocattr(const char *name, void *value, size_t size) 3524 { 3525 struct task_smack *tsp = smack_cred(current_cred()); 3526 struct cred *new; 3527 struct smack_known *skp; 3528 struct smack_known_list_elem *sklep; 3529 int rc; 3530 3531 if (!smack_privileged(CAP_MAC_ADMIN) && list_empty(&tsp->smk_relabel)) 3532 return -EPERM; 3533 3534 if (value == NULL || size == 0 || size >= SMK_LONGLABEL) 3535 return -EINVAL; 3536 3537 if (strcmp(name, "current") != 0) 3538 return -EINVAL; 3539 3540 skp = smk_import_entry(value, size); 3541 if (IS_ERR(skp)) 3542 return PTR_ERR(skp); 3543 3544 /* 3545 * No process is ever allowed the web ("@") label 3546 * and the star ("*") label. 3547 */ 3548 if (skp == &smack_known_web || skp == &smack_known_star) 3549 return -EINVAL; 3550 3551 if (!smack_privileged(CAP_MAC_ADMIN)) { 3552 rc = -EPERM; 3553 list_for_each_entry(sklep, &tsp->smk_relabel, list) 3554 if (sklep->smk_label == skp) { 3555 rc = 0; 3556 break; 3557 } 3558 if (rc) 3559 return rc; 3560 } 3561 3562 new = prepare_creds(); 3563 if (new == NULL) 3564 return -ENOMEM; 3565 3566 tsp = smack_cred(new); 3567 tsp->smk_task = skp; 3568 /* 3569 * process can change its label only once 3570 */ 3571 smk_destroy_label_list(&tsp->smk_relabel); 3572 3573 commit_creds(new); 3574 return size; 3575 } 3576 3577 /** 3578 * smack_unix_stream_connect - Smack access on UDS 3579 * @sock: one sock 3580 * @other: the other sock 3581 * @newsk: unused 3582 * 3583 * Return 0 if a subject with the smack of sock could access 3584 * an object with the smack of other, otherwise an error code 3585 */ 3586 static int smack_unix_stream_connect(struct sock *sock, 3587 struct sock *other, struct sock *newsk) 3588 { 3589 struct smack_known *skp; 3590 struct smack_known *okp; 3591 struct socket_smack *ssp = sock->sk_security; 3592 struct socket_smack *osp = other->sk_security; 3593 struct socket_smack *nsp = newsk->sk_security; 3594 struct smk_audit_info ad; 3595 int rc = 0; 3596 #ifdef CONFIG_AUDIT 3597 struct lsm_network_audit net; 3598 #endif 3599 3600 if (!smack_privileged(CAP_MAC_OVERRIDE)) { 3601 skp = ssp->smk_out; 3602 okp = osp->smk_in; 3603 #ifdef CONFIG_AUDIT 3604 smk_ad_init_net(&ad, __func__, LSM_AUDIT_DATA_NET, &net); 3605 smk_ad_setfield_u_net_sk(&ad, other); 3606 #endif 3607 rc = smk_access(skp, okp, MAY_WRITE, &ad); 3608 rc = smk_bu_note("UDS connect", skp, okp, MAY_WRITE, rc); 3609 if (rc == 0) { 3610 okp = osp->smk_out; 3611 skp = ssp->smk_in; 3612 rc = smk_access(okp, skp, MAY_WRITE, &ad); 3613 rc = smk_bu_note("UDS connect", okp, skp, 3614 MAY_WRITE, rc); 3615 } 3616 } 3617 3618 /* 3619 * Cross reference the peer labels for SO_PEERSEC. 3620 */ 3621 if (rc == 0) { 3622 nsp->smk_packet = ssp->smk_out; 3623 ssp->smk_packet = osp->smk_out; 3624 } 3625 3626 return rc; 3627 } 3628 3629 /** 3630 * smack_unix_may_send - Smack access on UDS 3631 * @sock: one socket 3632 * @other: the other socket 3633 * 3634 * Return 0 if a subject with the smack of sock could access 3635 * an object with the smack of other, otherwise an error code 3636 */ 3637 static int smack_unix_may_send(struct socket *sock, struct socket *other) 3638 { 3639 struct socket_smack *ssp = sock->sk->sk_security; 3640 struct socket_smack *osp = other->sk->sk_security; 3641 struct smk_audit_info ad; 3642 int rc; 3643 3644 #ifdef CONFIG_AUDIT 3645 struct lsm_network_audit net; 3646 3647 smk_ad_init_net(&ad, __func__, LSM_AUDIT_DATA_NET, &net); 3648 smk_ad_setfield_u_net_sk(&ad, other->sk); 3649 #endif 3650 3651 if (smack_privileged(CAP_MAC_OVERRIDE)) 3652 return 0; 3653 3654 rc = smk_access(ssp->smk_out, osp->smk_in, MAY_WRITE, &ad); 3655 rc = smk_bu_note("UDS send", ssp->smk_out, osp->smk_in, MAY_WRITE, rc); 3656 return rc; 3657 } 3658 3659 /** 3660 * smack_socket_sendmsg - Smack check based on destination host 3661 * @sock: the socket 3662 * @msg: the message 3663 * @size: the size of the message 3664 * 3665 * Return 0 if the current subject can write to the destination host. 3666 * For IPv4 this is only a question if the destination is a single label host. 3667 * For IPv6 this is a check against the label of the port. 3668 */ 3669 static int smack_socket_sendmsg(struct socket *sock, struct msghdr *msg, 3670 int size) 3671 { 3672 struct sockaddr_in *sip = (struct sockaddr_in *) msg->msg_name; 3673 #if IS_ENABLED(CONFIG_IPV6) 3674 struct sockaddr_in6 *sap = (struct sockaddr_in6 *) msg->msg_name; 3675 #endif 3676 #ifdef SMACK_IPV6_SECMARK_LABELING 3677 struct socket_smack *ssp = sock->sk->sk_security; 3678 struct smack_known *rsp; 3679 #endif 3680 int rc = 0; 3681 3682 /* 3683 * Perfectly reasonable for this to be NULL 3684 */ 3685 if (sip == NULL) 3686 return 0; 3687 3688 switch (sock->sk->sk_family) { 3689 case AF_INET: 3690 if (msg->msg_namelen < sizeof(struct sockaddr_in) || 3691 sip->sin_family != AF_INET) 3692 return -EINVAL; 3693 rc = smack_netlabel_send(sock->sk, sip); 3694 break; 3695 #if IS_ENABLED(CONFIG_IPV6) 3696 case AF_INET6: 3697 if (msg->msg_namelen < SIN6_LEN_RFC2133 || 3698 sap->sin6_family != AF_INET6) 3699 return -EINVAL; 3700 #ifdef SMACK_IPV6_SECMARK_LABELING 3701 rsp = smack_ipv6host_label(sap); 3702 if (rsp != NULL) 3703 rc = smk_ipv6_check(ssp->smk_out, rsp, sap, 3704 SMK_CONNECTING); 3705 #endif 3706 #ifdef SMACK_IPV6_PORT_LABELING 3707 rc = smk_ipv6_port_check(sock->sk, sap, SMK_SENDING); 3708 #endif 3709 #endif /* IS_ENABLED(CONFIG_IPV6) */ 3710 break; 3711 } 3712 return rc; 3713 } 3714 3715 /** 3716 * smack_from_secattr - Convert a netlabel attr.mls.lvl/attr.mls.cat pair to smack 3717 * @sap: netlabel secattr 3718 * @ssp: socket security information 3719 * 3720 * Returns a pointer to a Smack label entry found on the label list. 3721 */ 3722 static struct smack_known *smack_from_secattr(struct netlbl_lsm_secattr *sap, 3723 struct socket_smack *ssp) 3724 { 3725 struct smack_known *skp; 3726 int found = 0; 3727 int acat; 3728 int kcat; 3729 3730 if ((sap->flags & NETLBL_SECATTR_MLS_LVL) != 0) { 3731 /* 3732 * Looks like a CIPSO packet. 3733 * If there are flags but no level netlabel isn't 3734 * behaving the way we expect it to. 3735 * 3736 * Look it up in the label table 3737 * Without guidance regarding the smack value 3738 * for the packet fall back on the network 3739 * ambient value. 3740 */ 3741 rcu_read_lock(); 3742 list_for_each_entry_rcu(skp, &smack_known_list, list) { 3743 if (sap->attr.mls.lvl != skp->smk_netlabel.attr.mls.lvl) 3744 continue; 3745 /* 3746 * Compare the catsets. Use the netlbl APIs. 3747 */ 3748 if ((sap->flags & NETLBL_SECATTR_MLS_CAT) == 0) { 3749 if ((skp->smk_netlabel.flags & 3750 NETLBL_SECATTR_MLS_CAT) == 0) 3751 found = 1; 3752 break; 3753 } 3754 for (acat = -1, kcat = -1; acat == kcat; ) { 3755 acat = netlbl_catmap_walk(sap->attr.mls.cat, 3756 acat + 1); 3757 kcat = netlbl_catmap_walk( 3758 skp->smk_netlabel.attr.mls.cat, 3759 kcat + 1); 3760 if (acat < 0 || kcat < 0) 3761 break; 3762 } 3763 if (acat == kcat) { 3764 found = 1; 3765 break; 3766 } 3767 } 3768 rcu_read_unlock(); 3769 3770 if (found) 3771 return skp; 3772 3773 if (ssp != NULL && ssp->smk_in == &smack_known_star) 3774 return &smack_known_web; 3775 return &smack_known_star; 3776 } 3777 if ((sap->flags & NETLBL_SECATTR_SECID) != 0) 3778 /* 3779 * Looks like a fallback, which gives us a secid. 3780 */ 3781 return smack_from_secid(sap->attr.secid); 3782 /* 3783 * Without guidance regarding the smack value 3784 * for the packet fall back on the network 3785 * ambient value. 3786 */ 3787 return smack_net_ambient; 3788 } 3789 3790 #if IS_ENABLED(CONFIG_IPV6) 3791 static int smk_skb_to_addr_ipv6(struct sk_buff *skb, struct sockaddr_in6 *sip) 3792 { 3793 u8 nexthdr; 3794 int offset; 3795 int proto = -EINVAL; 3796 struct ipv6hdr _ipv6h; 3797 struct ipv6hdr *ip6; 3798 __be16 frag_off; 3799 struct tcphdr _tcph, *th; 3800 struct udphdr _udph, *uh; 3801 struct dccp_hdr _dccph, *dh; 3802 3803 sip->sin6_port = 0; 3804 3805 offset = skb_network_offset(skb); 3806 ip6 = skb_header_pointer(skb, offset, sizeof(_ipv6h), &_ipv6h); 3807 if (ip6 == NULL) 3808 return -EINVAL; 3809 sip->sin6_addr = ip6->saddr; 3810 3811 nexthdr = ip6->nexthdr; 3812 offset += sizeof(_ipv6h); 3813 offset = ipv6_skip_exthdr(skb, offset, &nexthdr, &frag_off); 3814 if (offset < 0) 3815 return -EINVAL; 3816 3817 proto = nexthdr; 3818 switch (proto) { 3819 case IPPROTO_TCP: 3820 th = skb_header_pointer(skb, offset, sizeof(_tcph), &_tcph); 3821 if (th != NULL) 3822 sip->sin6_port = th->source; 3823 break; 3824 case IPPROTO_UDP: 3825 case IPPROTO_UDPLITE: 3826 uh = skb_header_pointer(skb, offset, sizeof(_udph), &_udph); 3827 if (uh != NULL) 3828 sip->sin6_port = uh->source; 3829 break; 3830 case IPPROTO_DCCP: 3831 dh = skb_header_pointer(skb, offset, sizeof(_dccph), &_dccph); 3832 if (dh != NULL) 3833 sip->sin6_port = dh->dccph_sport; 3834 break; 3835 } 3836 return proto; 3837 } 3838 #endif /* CONFIG_IPV6 */ 3839 3840 /** 3841 * smack_socket_sock_rcv_skb - Smack packet delivery access check 3842 * @sk: socket 3843 * @skb: packet 3844 * 3845 * Returns 0 if the packet should be delivered, an error code otherwise 3846 */ 3847 static int smack_socket_sock_rcv_skb(struct sock *sk, struct sk_buff *skb) 3848 { 3849 struct netlbl_lsm_secattr secattr; 3850 struct socket_smack *ssp = sk->sk_security; 3851 struct smack_known *skp = NULL; 3852 int rc = 0; 3853 struct smk_audit_info ad; 3854 u16 family = sk->sk_family; 3855 #ifdef CONFIG_AUDIT 3856 struct lsm_network_audit net; 3857 #endif 3858 #if IS_ENABLED(CONFIG_IPV6) 3859 struct sockaddr_in6 sadd; 3860 int proto; 3861 3862 if (family == PF_INET6 && skb->protocol == htons(ETH_P_IP)) 3863 family = PF_INET; 3864 #endif /* CONFIG_IPV6 */ 3865 3866 switch (family) { 3867 case PF_INET: 3868 #ifdef CONFIG_SECURITY_SMACK_NETFILTER 3869 /* 3870 * If there is a secmark use it rather than the CIPSO label. 3871 * If there is no secmark fall back to CIPSO. 3872 * The secmark is assumed to reflect policy better. 3873 */ 3874 if (skb && skb->secmark != 0) { 3875 skp = smack_from_secid(skb->secmark); 3876 goto access_check; 3877 } 3878 #endif /* CONFIG_SECURITY_SMACK_NETFILTER */ 3879 /* 3880 * Translate what netlabel gave us. 3881 */ 3882 netlbl_secattr_init(&secattr); 3883 3884 rc = netlbl_skbuff_getattr(skb, family, &secattr); 3885 if (rc == 0) 3886 skp = smack_from_secattr(&secattr, ssp); 3887 else 3888 skp = smack_net_ambient; 3889 3890 netlbl_secattr_destroy(&secattr); 3891 3892 #ifdef CONFIG_SECURITY_SMACK_NETFILTER 3893 access_check: 3894 #endif 3895 #ifdef CONFIG_AUDIT 3896 smk_ad_init_net(&ad, __func__, LSM_AUDIT_DATA_NET, &net); 3897 ad.a.u.net->family = family; 3898 ad.a.u.net->netif = skb->skb_iif; 3899 ipv4_skb_to_auditdata(skb, &ad.a, NULL); 3900 #endif 3901 /* 3902 * Receiving a packet requires that the other end 3903 * be able to write here. Read access is not required. 3904 * This is the simplist possible security model 3905 * for networking. 3906 */ 3907 rc = smk_access(skp, ssp->smk_in, MAY_WRITE, &ad); 3908 rc = smk_bu_note("IPv4 delivery", skp, ssp->smk_in, 3909 MAY_WRITE, rc); 3910 if (rc != 0) 3911 netlbl_skbuff_err(skb, family, rc, 0); 3912 break; 3913 #if IS_ENABLED(CONFIG_IPV6) 3914 case PF_INET6: 3915 proto = smk_skb_to_addr_ipv6(skb, &sadd); 3916 if (proto != IPPROTO_UDP && proto != IPPROTO_UDPLITE && 3917 proto != IPPROTO_TCP && proto != IPPROTO_DCCP) 3918 break; 3919 #ifdef SMACK_IPV6_SECMARK_LABELING 3920 if (skb && skb->secmark != 0) 3921 skp = smack_from_secid(skb->secmark); 3922 else if (smk_ipv6_localhost(&sadd)) 3923 break; 3924 else 3925 skp = smack_ipv6host_label(&sadd); 3926 if (skp == NULL) 3927 skp = smack_net_ambient; 3928 #ifdef CONFIG_AUDIT 3929 smk_ad_init_net(&ad, __func__, LSM_AUDIT_DATA_NET, &net); 3930 ad.a.u.net->family = family; 3931 ad.a.u.net->netif = skb->skb_iif; 3932 ipv6_skb_to_auditdata(skb, &ad.a, NULL); 3933 #endif /* CONFIG_AUDIT */ 3934 rc = smk_access(skp, ssp->smk_in, MAY_WRITE, &ad); 3935 rc = smk_bu_note("IPv6 delivery", skp, ssp->smk_in, 3936 MAY_WRITE, rc); 3937 #endif /* SMACK_IPV6_SECMARK_LABELING */ 3938 #ifdef SMACK_IPV6_PORT_LABELING 3939 rc = smk_ipv6_port_check(sk, &sadd, SMK_RECEIVING); 3940 #endif /* SMACK_IPV6_PORT_LABELING */ 3941 if (rc != 0) 3942 icmpv6_send(skb, ICMPV6_DEST_UNREACH, 3943 ICMPV6_ADM_PROHIBITED, 0); 3944 break; 3945 #endif /* CONFIG_IPV6 */ 3946 } 3947 3948 return rc; 3949 } 3950 3951 /** 3952 * smack_socket_getpeersec_stream - pull in packet label 3953 * @sock: the socket 3954 * @optval: user's destination 3955 * @optlen: size thereof 3956 * @len: max thereof 3957 * 3958 * returns zero on success, an error code otherwise 3959 */ 3960 static int smack_socket_getpeersec_stream(struct socket *sock, 3961 char __user *optval, 3962 int __user *optlen, unsigned len) 3963 { 3964 struct socket_smack *ssp; 3965 char *rcp = ""; 3966 int slen = 1; 3967 int rc = 0; 3968 3969 ssp = sock->sk->sk_security; 3970 if (ssp->smk_packet != NULL) { 3971 rcp = ssp->smk_packet->smk_known; 3972 slen = strlen(rcp) + 1; 3973 } 3974 3975 if (slen > len) 3976 rc = -ERANGE; 3977 else if (copy_to_user(optval, rcp, slen) != 0) 3978 rc = -EFAULT; 3979 3980 if (put_user(slen, optlen) != 0) 3981 rc = -EFAULT; 3982 3983 return rc; 3984 } 3985 3986 3987 /** 3988 * smack_socket_getpeersec_dgram - pull in packet label 3989 * @sock: the peer socket 3990 * @skb: packet data 3991 * @secid: pointer to where to put the secid of the packet 3992 * 3993 * Sets the netlabel socket state on sk from parent 3994 */ 3995 static int smack_socket_getpeersec_dgram(struct socket *sock, 3996 struct sk_buff *skb, u32 *secid) 3997 3998 { 3999 struct netlbl_lsm_secattr secattr; 4000 struct socket_smack *ssp = NULL; 4001 struct smack_known *skp; 4002 int family = PF_UNSPEC; 4003 u32 s = 0; /* 0 is the invalid secid */ 4004 int rc; 4005 4006 if (skb != NULL) { 4007 if (skb->protocol == htons(ETH_P_IP)) 4008 family = PF_INET; 4009 #if IS_ENABLED(CONFIG_IPV6) 4010 else if (skb->protocol == htons(ETH_P_IPV6)) 4011 family = PF_INET6; 4012 #endif /* CONFIG_IPV6 */ 4013 } 4014 if (family == PF_UNSPEC && sock != NULL) 4015 family = sock->sk->sk_family; 4016 4017 switch (family) { 4018 case PF_UNIX: 4019 ssp = sock->sk->sk_security; 4020 s = ssp->smk_out->smk_secid; 4021 break; 4022 case PF_INET: 4023 #ifdef CONFIG_SECURITY_SMACK_NETFILTER 4024 s = skb->secmark; 4025 if (s != 0) 4026 break; 4027 #endif 4028 /* 4029 * Translate what netlabel gave us. 4030 */ 4031 if (sock != NULL && sock->sk != NULL) 4032 ssp = sock->sk->sk_security; 4033 netlbl_secattr_init(&secattr); 4034 rc = netlbl_skbuff_getattr(skb, family, &secattr); 4035 if (rc == 0) { 4036 skp = smack_from_secattr(&secattr, ssp); 4037 s = skp->smk_secid; 4038 } 4039 netlbl_secattr_destroy(&secattr); 4040 break; 4041 case PF_INET6: 4042 #ifdef SMACK_IPV6_SECMARK_LABELING 4043 s = skb->secmark; 4044 #endif 4045 break; 4046 } 4047 *secid = s; 4048 if (s == 0) 4049 return -EINVAL; 4050 return 0; 4051 } 4052 4053 /** 4054 * smack_sock_graft - Initialize a newly created socket with an existing sock 4055 * @sk: child sock 4056 * @parent: parent socket 4057 * 4058 * Set the smk_{in,out} state of an existing sock based on the process that 4059 * is creating the new socket. 4060 */ 4061 static void smack_sock_graft(struct sock *sk, struct socket *parent) 4062 { 4063 struct socket_smack *ssp; 4064 struct smack_known *skp = smk_of_current(); 4065 4066 if (sk == NULL || 4067 (sk->sk_family != PF_INET && sk->sk_family != PF_INET6)) 4068 return; 4069 4070 ssp = sk->sk_security; 4071 ssp->smk_in = skp; 4072 ssp->smk_out = skp; 4073 /* cssp->smk_packet is already set in smack_inet_csk_clone() */ 4074 } 4075 4076 /** 4077 * smack_inet_conn_request - Smack access check on connect 4078 * @sk: socket involved 4079 * @skb: packet 4080 * @req: unused 4081 * 4082 * Returns 0 if a task with the packet label could write to 4083 * the socket, otherwise an error code 4084 */ 4085 static int smack_inet_conn_request(struct sock *sk, struct sk_buff *skb, 4086 struct request_sock *req) 4087 { 4088 u16 family = sk->sk_family; 4089 struct smack_known *skp; 4090 struct socket_smack *ssp = sk->sk_security; 4091 struct netlbl_lsm_secattr secattr; 4092 struct sockaddr_in addr; 4093 struct iphdr *hdr; 4094 struct smack_known *hskp; 4095 int rc; 4096 struct smk_audit_info ad; 4097 #ifdef CONFIG_AUDIT 4098 struct lsm_network_audit net; 4099 #endif 4100 4101 #if IS_ENABLED(CONFIG_IPV6) 4102 if (family == PF_INET6) { 4103 /* 4104 * Handle mapped IPv4 packets arriving 4105 * via IPv6 sockets. Don't set up netlabel 4106 * processing on IPv6. 4107 */ 4108 if (skb->protocol == htons(ETH_P_IP)) 4109 family = PF_INET; 4110 else 4111 return 0; 4112 } 4113 #endif /* CONFIG_IPV6 */ 4114 4115 #ifdef CONFIG_SECURITY_SMACK_NETFILTER 4116 /* 4117 * If there is a secmark use it rather than the CIPSO label. 4118 * If there is no secmark fall back to CIPSO. 4119 * The secmark is assumed to reflect policy better. 4120 */ 4121 if (skb && skb->secmark != 0) { 4122 skp = smack_from_secid(skb->secmark); 4123 goto access_check; 4124 } 4125 #endif /* CONFIG_SECURITY_SMACK_NETFILTER */ 4126 4127 netlbl_secattr_init(&secattr); 4128 rc = netlbl_skbuff_getattr(skb, family, &secattr); 4129 if (rc == 0) 4130 skp = smack_from_secattr(&secattr, ssp); 4131 else 4132 skp = &smack_known_huh; 4133 netlbl_secattr_destroy(&secattr); 4134 4135 #ifdef CONFIG_SECURITY_SMACK_NETFILTER 4136 access_check: 4137 #endif 4138 4139 #ifdef CONFIG_AUDIT 4140 smk_ad_init_net(&ad, __func__, LSM_AUDIT_DATA_NET, &net); 4141 ad.a.u.net->family = family; 4142 ad.a.u.net->netif = skb->skb_iif; 4143 ipv4_skb_to_auditdata(skb, &ad.a, NULL); 4144 #endif 4145 /* 4146 * Receiving a packet requires that the other end be able to write 4147 * here. Read access is not required. 4148 */ 4149 rc = smk_access(skp, ssp->smk_in, MAY_WRITE, &ad); 4150 rc = smk_bu_note("IPv4 connect", skp, ssp->smk_in, MAY_WRITE, rc); 4151 if (rc != 0) 4152 return rc; 4153 4154 /* 4155 * Save the peer's label in the request_sock so we can later setup 4156 * smk_packet in the child socket so that SO_PEERCRED can report it. 4157 */ 4158 req->peer_secid = skp->smk_secid; 4159 4160 /* 4161 * We need to decide if we want to label the incoming connection here 4162 * if we do we only need to label the request_sock and the stack will 4163 * propagate the wire-label to the sock when it is created. 4164 */ 4165 hdr = ip_hdr(skb); 4166 addr.sin_addr.s_addr = hdr->saddr; 4167 rcu_read_lock(); 4168 hskp = smack_ipv4host_label(&addr); 4169 rcu_read_unlock(); 4170 4171 if (hskp == NULL) 4172 rc = netlbl_req_setattr(req, &skp->smk_netlabel); 4173 else 4174 netlbl_req_delattr(req); 4175 4176 return rc; 4177 } 4178 4179 /** 4180 * smack_inet_csk_clone - Copy the connection information to the new socket 4181 * @sk: the new socket 4182 * @req: the connection's request_sock 4183 * 4184 * Transfer the connection's peer label to the newly created socket. 4185 */ 4186 static void smack_inet_csk_clone(struct sock *sk, 4187 const struct request_sock *req) 4188 { 4189 struct socket_smack *ssp = sk->sk_security; 4190 struct smack_known *skp; 4191 4192 if (req->peer_secid != 0) { 4193 skp = smack_from_secid(req->peer_secid); 4194 ssp->smk_packet = skp; 4195 } else 4196 ssp->smk_packet = NULL; 4197 } 4198 4199 /* 4200 * Key management security hooks 4201 * 4202 * Casey has not tested key support very heavily. 4203 * The permission check is most likely too restrictive. 4204 * If you care about keys please have a look. 4205 */ 4206 #ifdef CONFIG_KEYS 4207 4208 /** 4209 * smack_key_alloc - Set the key security blob 4210 * @key: object 4211 * @cred: the credentials to use 4212 * @flags: unused 4213 * 4214 * No allocation required 4215 * 4216 * Returns 0 4217 */ 4218 static int smack_key_alloc(struct key *key, const struct cred *cred, 4219 unsigned long flags) 4220 { 4221 struct smack_known *skp = smk_of_task(smack_cred(cred)); 4222 4223 key->security = skp; 4224 return 0; 4225 } 4226 4227 /** 4228 * smack_key_free - Clear the key security blob 4229 * @key: the object 4230 * 4231 * Clear the blob pointer 4232 */ 4233 static void smack_key_free(struct key *key) 4234 { 4235 key->security = NULL; 4236 } 4237 4238 /** 4239 * smack_key_permission - Smack access on a key 4240 * @key_ref: gets to the object 4241 * @cred: the credentials to use 4242 * @perm: requested key permissions 4243 * 4244 * Return 0 if the task has read and write to the object, 4245 * an error code otherwise 4246 */ 4247 static int smack_key_permission(key_ref_t key_ref, 4248 const struct cred *cred, unsigned perm) 4249 { 4250 struct key *keyp; 4251 struct smk_audit_info ad; 4252 struct smack_known *tkp = smk_of_task(smack_cred(cred)); 4253 int request = 0; 4254 int rc; 4255 4256 /* 4257 * Validate requested permissions 4258 */ 4259 if (perm & ~KEY_NEED_ALL) 4260 return -EINVAL; 4261 4262 keyp = key_ref_to_ptr(key_ref); 4263 if (keyp == NULL) 4264 return -EINVAL; 4265 /* 4266 * If the key hasn't been initialized give it access so that 4267 * it may do so. 4268 */ 4269 if (keyp->security == NULL) 4270 return 0; 4271 /* 4272 * This should not occur 4273 */ 4274 if (tkp == NULL) 4275 return -EACCES; 4276 4277 if (smack_privileged_cred(CAP_MAC_OVERRIDE, cred)) 4278 return 0; 4279 4280 #ifdef CONFIG_AUDIT 4281 smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_KEY); 4282 ad.a.u.key_struct.key = keyp->serial; 4283 ad.a.u.key_struct.key_desc = keyp->description; 4284 #endif 4285 if (perm & (KEY_NEED_READ | KEY_NEED_SEARCH | KEY_NEED_VIEW)) 4286 request |= MAY_READ; 4287 if (perm & (KEY_NEED_WRITE | KEY_NEED_LINK | KEY_NEED_SETATTR)) 4288 request |= MAY_WRITE; 4289 rc = smk_access(tkp, keyp->security, request, &ad); 4290 rc = smk_bu_note("key access", tkp, keyp->security, request, rc); 4291 return rc; 4292 } 4293 4294 /* 4295 * smack_key_getsecurity - Smack label tagging the key 4296 * @key points to the key to be queried 4297 * @_buffer points to a pointer that should be set to point to the 4298 * resulting string (if no label or an error occurs). 4299 * Return the length of the string (including terminating NUL) or -ve if 4300 * an error. 4301 * May also return 0 (and a NULL buffer pointer) if there is no label. 4302 */ 4303 static int smack_key_getsecurity(struct key *key, char **_buffer) 4304 { 4305 struct smack_known *skp = key->security; 4306 size_t length; 4307 char *copy; 4308 4309 if (key->security == NULL) { 4310 *_buffer = NULL; 4311 return 0; 4312 } 4313 4314 copy = kstrdup(skp->smk_known, GFP_KERNEL); 4315 if (copy == NULL) 4316 return -ENOMEM; 4317 length = strlen(copy) + 1; 4318 4319 *_buffer = copy; 4320 return length; 4321 } 4322 4323 #endif /* CONFIG_KEYS */ 4324 4325 /* 4326 * Smack Audit hooks 4327 * 4328 * Audit requires a unique representation of each Smack specific 4329 * rule. This unique representation is used to distinguish the 4330 * object to be audited from remaining kernel objects and also 4331 * works as a glue between the audit hooks. 4332 * 4333 * Since repository entries are added but never deleted, we'll use 4334 * the smack_known label address related to the given audit rule as 4335 * the needed unique representation. This also better fits the smack 4336 * model where nearly everything is a label. 4337 */ 4338 #ifdef CONFIG_AUDIT 4339 4340 /** 4341 * smack_audit_rule_init - Initialize a smack audit rule 4342 * @field: audit rule fields given from user-space (audit.h) 4343 * @op: required testing operator (=, !=, >, <, ...) 4344 * @rulestr: smack label to be audited 4345 * @vrule: pointer to save our own audit rule representation 4346 * 4347 * Prepare to audit cases where (@field @op @rulestr) is true. 4348 * The label to be audited is created if necessay. 4349 */ 4350 static int smack_audit_rule_init(u32 field, u32 op, char *rulestr, void **vrule) 4351 { 4352 struct smack_known *skp; 4353 char **rule = (char **)vrule; 4354 *rule = NULL; 4355 4356 if (field != AUDIT_SUBJ_USER && field != AUDIT_OBJ_USER) 4357 return -EINVAL; 4358 4359 if (op != Audit_equal && op != Audit_not_equal) 4360 return -EINVAL; 4361 4362 skp = smk_import_entry(rulestr, 0); 4363 if (IS_ERR(skp)) 4364 return PTR_ERR(skp); 4365 4366 *rule = skp->smk_known; 4367 4368 return 0; 4369 } 4370 4371 /** 4372 * smack_audit_rule_known - Distinguish Smack audit rules 4373 * @krule: rule of interest, in Audit kernel representation format 4374 * 4375 * This is used to filter Smack rules from remaining Audit ones. 4376 * If it's proved that this rule belongs to us, the 4377 * audit_rule_match hook will be called to do the final judgement. 4378 */ 4379 static int smack_audit_rule_known(struct audit_krule *krule) 4380 { 4381 struct audit_field *f; 4382 int i; 4383 4384 for (i = 0; i < krule->field_count; i++) { 4385 f = &krule->fields[i]; 4386 4387 if (f->type == AUDIT_SUBJ_USER || f->type == AUDIT_OBJ_USER) 4388 return 1; 4389 } 4390 4391 return 0; 4392 } 4393 4394 /** 4395 * smack_audit_rule_match - Audit given object ? 4396 * @secid: security id for identifying the object to test 4397 * @field: audit rule flags given from user-space 4398 * @op: required testing operator 4399 * @vrule: smack internal rule presentation 4400 * 4401 * The core Audit hook. It's used to take the decision of 4402 * whether to audit or not to audit a given object. 4403 */ 4404 static int smack_audit_rule_match(u32 secid, u32 field, u32 op, void *vrule) 4405 { 4406 struct smack_known *skp; 4407 char *rule = vrule; 4408 4409 if (unlikely(!rule)) { 4410 WARN_ONCE(1, "Smack: missing rule\n"); 4411 return -ENOENT; 4412 } 4413 4414 if (field != AUDIT_SUBJ_USER && field != AUDIT_OBJ_USER) 4415 return 0; 4416 4417 skp = smack_from_secid(secid); 4418 4419 /* 4420 * No need to do string comparisons. If a match occurs, 4421 * both pointers will point to the same smack_known 4422 * label. 4423 */ 4424 if (op == Audit_equal) 4425 return (rule == skp->smk_known); 4426 if (op == Audit_not_equal) 4427 return (rule != skp->smk_known); 4428 4429 return 0; 4430 } 4431 4432 /* 4433 * There is no need for a smack_audit_rule_free hook. 4434 * No memory was allocated. 4435 */ 4436 4437 #endif /* CONFIG_AUDIT */ 4438 4439 /** 4440 * smack_ismaclabel - check if xattr @name references a smack MAC label 4441 * @name: Full xattr name to check. 4442 */ 4443 static int smack_ismaclabel(const char *name) 4444 { 4445 return (strcmp(name, XATTR_SMACK_SUFFIX) == 0); 4446 } 4447 4448 4449 /** 4450 * smack_secid_to_secctx - return the smack label for a secid 4451 * @secid: incoming integer 4452 * @secdata: destination 4453 * @seclen: how long it is 4454 * 4455 * Exists for networking code. 4456 */ 4457 static int smack_secid_to_secctx(u32 secid, char **secdata, u32 *seclen) 4458 { 4459 struct smack_known *skp = smack_from_secid(secid); 4460 4461 if (secdata) 4462 *secdata = skp->smk_known; 4463 *seclen = strlen(skp->smk_known); 4464 return 0; 4465 } 4466 4467 /** 4468 * smack_secctx_to_secid - return the secid for a smack label 4469 * @secdata: smack label 4470 * @seclen: how long result is 4471 * @secid: outgoing integer 4472 * 4473 * Exists for audit and networking code. 4474 */ 4475 static int smack_secctx_to_secid(const char *secdata, u32 seclen, u32 *secid) 4476 { 4477 struct smack_known *skp = smk_find_entry(secdata); 4478 4479 if (skp) 4480 *secid = skp->smk_secid; 4481 else 4482 *secid = 0; 4483 return 0; 4484 } 4485 4486 /* 4487 * There used to be a smack_release_secctx hook 4488 * that did nothing back when hooks were in a vector. 4489 * Now that there's a list such a hook adds cost. 4490 */ 4491 4492 static int smack_inode_notifysecctx(struct inode *inode, void *ctx, u32 ctxlen) 4493 { 4494 return smack_inode_setsecurity(inode, XATTR_SMACK_SUFFIX, ctx, ctxlen, 0); 4495 } 4496 4497 static int smack_inode_setsecctx(struct dentry *dentry, void *ctx, u32 ctxlen) 4498 { 4499 return __vfs_setxattr_noperm(dentry, XATTR_NAME_SMACK, ctx, ctxlen, 0); 4500 } 4501 4502 static int smack_inode_getsecctx(struct inode *inode, void **ctx, u32 *ctxlen) 4503 { 4504 struct smack_known *skp = smk_of_inode(inode); 4505 4506 *ctx = skp->smk_known; 4507 *ctxlen = strlen(skp->smk_known); 4508 return 0; 4509 } 4510 4511 static int smack_inode_copy_up(struct dentry *dentry, struct cred **new) 4512 { 4513 4514 struct task_smack *tsp; 4515 struct smack_known *skp; 4516 struct inode_smack *isp; 4517 struct cred *new_creds = *new; 4518 4519 if (new_creds == NULL) { 4520 new_creds = prepare_creds(); 4521 if (new_creds == NULL) 4522 return -ENOMEM; 4523 } 4524 4525 tsp = smack_cred(new_creds); 4526 4527 /* 4528 * Get label from overlay inode and set it in create_sid 4529 */ 4530 isp = smack_inode(d_inode(dentry->d_parent)); 4531 skp = isp->smk_inode; 4532 tsp->smk_task = skp; 4533 *new = new_creds; 4534 return 0; 4535 } 4536 4537 static int smack_inode_copy_up_xattr(const char *name) 4538 { 4539 /* 4540 * Return 1 if this is the smack access Smack attribute. 4541 */ 4542 if (strcmp(name, XATTR_NAME_SMACK) == 0) 4543 return 1; 4544 4545 return -EOPNOTSUPP; 4546 } 4547 4548 static int smack_dentry_create_files_as(struct dentry *dentry, int mode, 4549 struct qstr *name, 4550 const struct cred *old, 4551 struct cred *new) 4552 { 4553 struct task_smack *otsp = smack_cred(old); 4554 struct task_smack *ntsp = smack_cred(new); 4555 struct inode_smack *isp; 4556 int may; 4557 4558 /* 4559 * Use the process credential unless all of 4560 * the transmuting criteria are met 4561 */ 4562 ntsp->smk_task = otsp->smk_task; 4563 4564 /* 4565 * the attribute of the containing directory 4566 */ 4567 isp = smack_inode(d_inode(dentry->d_parent)); 4568 4569 if (isp->smk_flags & SMK_INODE_TRANSMUTE) { 4570 rcu_read_lock(); 4571 may = smk_access_entry(otsp->smk_task->smk_known, 4572 isp->smk_inode->smk_known, 4573 &otsp->smk_task->smk_rules); 4574 rcu_read_unlock(); 4575 4576 /* 4577 * If the directory is transmuting and the rule 4578 * providing access is transmuting use the containing 4579 * directory label instead of the process label. 4580 */ 4581 if (may > 0 && (may & MAY_TRANSMUTE)) 4582 ntsp->smk_task = isp->smk_inode; 4583 } 4584 return 0; 4585 } 4586 4587 struct lsm_blob_sizes smack_blob_sizes __lsm_ro_after_init = { 4588 .lbs_cred = sizeof(struct task_smack), 4589 .lbs_file = sizeof(struct smack_known *), 4590 .lbs_inode = sizeof(struct inode_smack), 4591 .lbs_ipc = sizeof(struct smack_known *), 4592 .lbs_msg_msg = sizeof(struct smack_known *), 4593 }; 4594 4595 static struct security_hook_list smack_hooks[] __lsm_ro_after_init = { 4596 LSM_HOOK_INIT(ptrace_access_check, smack_ptrace_access_check), 4597 LSM_HOOK_INIT(ptrace_traceme, smack_ptrace_traceme), 4598 LSM_HOOK_INIT(syslog, smack_syslog), 4599 4600 LSM_HOOK_INIT(fs_context_dup, smack_fs_context_dup), 4601 LSM_HOOK_INIT(fs_context_parse_param, smack_fs_context_parse_param), 4602 4603 LSM_HOOK_INIT(sb_alloc_security, smack_sb_alloc_security), 4604 LSM_HOOK_INIT(sb_free_security, smack_sb_free_security), 4605 LSM_HOOK_INIT(sb_free_mnt_opts, smack_free_mnt_opts), 4606 LSM_HOOK_INIT(sb_eat_lsm_opts, smack_sb_eat_lsm_opts), 4607 LSM_HOOK_INIT(sb_statfs, smack_sb_statfs), 4608 LSM_HOOK_INIT(sb_set_mnt_opts, smack_set_mnt_opts), 4609 4610 LSM_HOOK_INIT(bprm_set_creds, smack_bprm_set_creds), 4611 4612 LSM_HOOK_INIT(inode_alloc_security, smack_inode_alloc_security), 4613 LSM_HOOK_INIT(inode_init_security, smack_inode_init_security), 4614 LSM_HOOK_INIT(inode_link, smack_inode_link), 4615 LSM_HOOK_INIT(inode_unlink, smack_inode_unlink), 4616 LSM_HOOK_INIT(inode_rmdir, smack_inode_rmdir), 4617 LSM_HOOK_INIT(inode_rename, smack_inode_rename), 4618 LSM_HOOK_INIT(inode_permission, smack_inode_permission), 4619 LSM_HOOK_INIT(inode_setattr, smack_inode_setattr), 4620 LSM_HOOK_INIT(inode_getattr, smack_inode_getattr), 4621 LSM_HOOK_INIT(inode_setxattr, smack_inode_setxattr), 4622 LSM_HOOK_INIT(inode_post_setxattr, smack_inode_post_setxattr), 4623 LSM_HOOK_INIT(inode_getxattr, smack_inode_getxattr), 4624 LSM_HOOK_INIT(inode_removexattr, smack_inode_removexattr), 4625 LSM_HOOK_INIT(inode_getsecurity, smack_inode_getsecurity), 4626 LSM_HOOK_INIT(inode_setsecurity, smack_inode_setsecurity), 4627 LSM_HOOK_INIT(inode_listsecurity, smack_inode_listsecurity), 4628 LSM_HOOK_INIT(inode_getsecid, smack_inode_getsecid), 4629 4630 LSM_HOOK_INIT(file_alloc_security, smack_file_alloc_security), 4631 LSM_HOOK_INIT(file_ioctl, smack_file_ioctl), 4632 LSM_HOOK_INIT(file_lock, smack_file_lock), 4633 LSM_HOOK_INIT(file_fcntl, smack_file_fcntl), 4634 LSM_HOOK_INIT(mmap_file, smack_mmap_file), 4635 LSM_HOOK_INIT(mmap_addr, cap_mmap_addr), 4636 LSM_HOOK_INIT(file_set_fowner, smack_file_set_fowner), 4637 LSM_HOOK_INIT(file_send_sigiotask, smack_file_send_sigiotask), 4638 LSM_HOOK_INIT(file_receive, smack_file_receive), 4639 4640 LSM_HOOK_INIT(file_open, smack_file_open), 4641 4642 LSM_HOOK_INIT(cred_alloc_blank, smack_cred_alloc_blank), 4643 LSM_HOOK_INIT(cred_free, smack_cred_free), 4644 LSM_HOOK_INIT(cred_prepare, smack_cred_prepare), 4645 LSM_HOOK_INIT(cred_transfer, smack_cred_transfer), 4646 LSM_HOOK_INIT(cred_getsecid, smack_cred_getsecid), 4647 LSM_HOOK_INIT(kernel_act_as, smack_kernel_act_as), 4648 LSM_HOOK_INIT(kernel_create_files_as, smack_kernel_create_files_as), 4649 LSM_HOOK_INIT(task_setpgid, smack_task_setpgid), 4650 LSM_HOOK_INIT(task_getpgid, smack_task_getpgid), 4651 LSM_HOOK_INIT(task_getsid, smack_task_getsid), 4652 LSM_HOOK_INIT(task_getsecid, smack_task_getsecid), 4653 LSM_HOOK_INIT(task_setnice, smack_task_setnice), 4654 LSM_HOOK_INIT(task_setioprio, smack_task_setioprio), 4655 LSM_HOOK_INIT(task_getioprio, smack_task_getioprio), 4656 LSM_HOOK_INIT(task_setscheduler, smack_task_setscheduler), 4657 LSM_HOOK_INIT(task_getscheduler, smack_task_getscheduler), 4658 LSM_HOOK_INIT(task_movememory, smack_task_movememory), 4659 LSM_HOOK_INIT(task_kill, smack_task_kill), 4660 LSM_HOOK_INIT(task_to_inode, smack_task_to_inode), 4661 4662 LSM_HOOK_INIT(ipc_permission, smack_ipc_permission), 4663 LSM_HOOK_INIT(ipc_getsecid, smack_ipc_getsecid), 4664 4665 LSM_HOOK_INIT(msg_msg_alloc_security, smack_msg_msg_alloc_security), 4666 4667 LSM_HOOK_INIT(msg_queue_alloc_security, smack_ipc_alloc_security), 4668 LSM_HOOK_INIT(msg_queue_associate, smack_msg_queue_associate), 4669 LSM_HOOK_INIT(msg_queue_msgctl, smack_msg_queue_msgctl), 4670 LSM_HOOK_INIT(msg_queue_msgsnd, smack_msg_queue_msgsnd), 4671 LSM_HOOK_INIT(msg_queue_msgrcv, smack_msg_queue_msgrcv), 4672 4673 LSM_HOOK_INIT(shm_alloc_security, smack_ipc_alloc_security), 4674 LSM_HOOK_INIT(shm_associate, smack_shm_associate), 4675 LSM_HOOK_INIT(shm_shmctl, smack_shm_shmctl), 4676 LSM_HOOK_INIT(shm_shmat, smack_shm_shmat), 4677 4678 LSM_HOOK_INIT(sem_alloc_security, smack_ipc_alloc_security), 4679 LSM_HOOK_INIT(sem_associate, smack_sem_associate), 4680 LSM_HOOK_INIT(sem_semctl, smack_sem_semctl), 4681 LSM_HOOK_INIT(sem_semop, smack_sem_semop), 4682 4683 LSM_HOOK_INIT(d_instantiate, smack_d_instantiate), 4684 4685 LSM_HOOK_INIT(getprocattr, smack_getprocattr), 4686 LSM_HOOK_INIT(setprocattr, smack_setprocattr), 4687 4688 LSM_HOOK_INIT(unix_stream_connect, smack_unix_stream_connect), 4689 LSM_HOOK_INIT(unix_may_send, smack_unix_may_send), 4690 4691 LSM_HOOK_INIT(socket_post_create, smack_socket_post_create), 4692 LSM_HOOK_INIT(socket_socketpair, smack_socket_socketpair), 4693 #ifdef SMACK_IPV6_PORT_LABELING 4694 LSM_HOOK_INIT(socket_bind, smack_socket_bind), 4695 #endif 4696 LSM_HOOK_INIT(socket_connect, smack_socket_connect), 4697 LSM_HOOK_INIT(socket_sendmsg, smack_socket_sendmsg), 4698 LSM_HOOK_INIT(socket_sock_rcv_skb, smack_socket_sock_rcv_skb), 4699 LSM_HOOK_INIT(socket_getpeersec_stream, smack_socket_getpeersec_stream), 4700 LSM_HOOK_INIT(socket_getpeersec_dgram, smack_socket_getpeersec_dgram), 4701 LSM_HOOK_INIT(sk_alloc_security, smack_sk_alloc_security), 4702 LSM_HOOK_INIT(sk_free_security, smack_sk_free_security), 4703 LSM_HOOK_INIT(sock_graft, smack_sock_graft), 4704 LSM_HOOK_INIT(inet_conn_request, smack_inet_conn_request), 4705 LSM_HOOK_INIT(inet_csk_clone, smack_inet_csk_clone), 4706 4707 /* key management security hooks */ 4708 #ifdef CONFIG_KEYS 4709 LSM_HOOK_INIT(key_alloc, smack_key_alloc), 4710 LSM_HOOK_INIT(key_free, smack_key_free), 4711 LSM_HOOK_INIT(key_permission, smack_key_permission), 4712 LSM_HOOK_INIT(key_getsecurity, smack_key_getsecurity), 4713 #endif /* CONFIG_KEYS */ 4714 4715 /* Audit hooks */ 4716 #ifdef CONFIG_AUDIT 4717 LSM_HOOK_INIT(audit_rule_init, smack_audit_rule_init), 4718 LSM_HOOK_INIT(audit_rule_known, smack_audit_rule_known), 4719 LSM_HOOK_INIT(audit_rule_match, smack_audit_rule_match), 4720 #endif /* CONFIG_AUDIT */ 4721 4722 LSM_HOOK_INIT(ismaclabel, smack_ismaclabel), 4723 LSM_HOOK_INIT(secid_to_secctx, smack_secid_to_secctx), 4724 LSM_HOOK_INIT(secctx_to_secid, smack_secctx_to_secid), 4725 LSM_HOOK_INIT(inode_notifysecctx, smack_inode_notifysecctx), 4726 LSM_HOOK_INIT(inode_setsecctx, smack_inode_setsecctx), 4727 LSM_HOOK_INIT(inode_getsecctx, smack_inode_getsecctx), 4728 LSM_HOOK_INIT(inode_copy_up, smack_inode_copy_up), 4729 LSM_HOOK_INIT(inode_copy_up_xattr, smack_inode_copy_up_xattr), 4730 LSM_HOOK_INIT(dentry_create_files_as, smack_dentry_create_files_as), 4731 }; 4732 4733 4734 static __init void init_smack_known_list(void) 4735 { 4736 /* 4737 * Initialize rule list locks 4738 */ 4739 mutex_init(&smack_known_huh.smk_rules_lock); 4740 mutex_init(&smack_known_hat.smk_rules_lock); 4741 mutex_init(&smack_known_floor.smk_rules_lock); 4742 mutex_init(&smack_known_star.smk_rules_lock); 4743 mutex_init(&smack_known_web.smk_rules_lock); 4744 /* 4745 * Initialize rule lists 4746 */ 4747 INIT_LIST_HEAD(&smack_known_huh.smk_rules); 4748 INIT_LIST_HEAD(&smack_known_hat.smk_rules); 4749 INIT_LIST_HEAD(&smack_known_star.smk_rules); 4750 INIT_LIST_HEAD(&smack_known_floor.smk_rules); 4751 INIT_LIST_HEAD(&smack_known_web.smk_rules); 4752 /* 4753 * Create the known labels list 4754 */ 4755 smk_insert_entry(&smack_known_huh); 4756 smk_insert_entry(&smack_known_hat); 4757 smk_insert_entry(&smack_known_star); 4758 smk_insert_entry(&smack_known_floor); 4759 smk_insert_entry(&smack_known_web); 4760 } 4761 4762 /** 4763 * smack_init - initialize the smack system 4764 * 4765 * Returns 0 4766 */ 4767 static __init int smack_init(void) 4768 { 4769 struct cred *cred = (struct cred *) current->cred; 4770 struct task_smack *tsp; 4771 4772 smack_inode_cache = KMEM_CACHE(inode_smack, 0); 4773 if (!smack_inode_cache) 4774 return -ENOMEM; 4775 4776 smack_rule_cache = KMEM_CACHE(smack_rule, 0); 4777 if (!smack_rule_cache) { 4778 kmem_cache_destroy(smack_inode_cache); 4779 return -ENOMEM; 4780 } 4781 4782 /* 4783 * Set the security state for the initial task. 4784 */ 4785 tsp = smack_cred(cred); 4786 init_task_smack(tsp, &smack_known_floor, &smack_known_floor); 4787 4788 /* 4789 * Register with LSM 4790 */ 4791 security_add_hooks(smack_hooks, ARRAY_SIZE(smack_hooks), "smack"); 4792 smack_enabled = 1; 4793 4794 pr_info("Smack: Initializing.\n"); 4795 #ifdef CONFIG_SECURITY_SMACK_NETFILTER 4796 pr_info("Smack: Netfilter enabled.\n"); 4797 #endif 4798 #ifdef SMACK_IPV6_PORT_LABELING 4799 pr_info("Smack: IPv6 port labeling enabled.\n"); 4800 #endif 4801 #ifdef SMACK_IPV6_SECMARK_LABELING 4802 pr_info("Smack: IPv6 Netfilter enabled.\n"); 4803 #endif 4804 4805 /* initialize the smack_known_list */ 4806 init_smack_known_list(); 4807 4808 return 0; 4809 } 4810 4811 /* 4812 * Smack requires early initialization in order to label 4813 * all processes and objects when they are created. 4814 */ 4815 DEFINE_LSM(smack) = { 4816 .name = "smack", 4817 .flags = LSM_FLAG_LEGACY_MAJOR | LSM_FLAG_EXCLUSIVE, 4818 .blobs = &smack_blob_sizes, 4819 .init = smack_init, 4820 }; 4821