1 /* 2 * Simplified MAC Kernel (smack) security module 3 * 4 * This file contains the smack hook function implementations. 5 * 6 * Authors: 7 * Casey Schaufler <casey@schaufler-ca.com> 8 * Jarkko Sakkinen <jarkko.sakkinen@intel.com> 9 * 10 * Copyright (C) 2007 Casey Schaufler <casey@schaufler-ca.com> 11 * Copyright (C) 2009 Hewlett-Packard Development Company, L.P. 12 * Paul Moore <paul@paul-moore.com> 13 * Copyright (C) 2010 Nokia Corporation 14 * Copyright (C) 2011 Intel Corporation. 15 * 16 * This program is free software; you can redistribute it and/or modify 17 * it under the terms of the GNU General Public License version 2, 18 * as published by the Free Software Foundation. 19 */ 20 21 #include <linux/xattr.h> 22 #include <linux/pagemap.h> 23 #include <linux/mount.h> 24 #include <linux/stat.h> 25 #include <linux/kd.h> 26 #include <asm/ioctls.h> 27 #include <linux/ip.h> 28 #include <linux/tcp.h> 29 #include <linux/udp.h> 30 #include <linux/dccp.h> 31 #include <linux/slab.h> 32 #include <linux/mutex.h> 33 #include <linux/pipe_fs_i.h> 34 #include <net/cipso_ipv4.h> 35 #include <net/ip.h> 36 #include <net/ipv6.h> 37 #include <linux/audit.h> 38 #include <linux/magic.h> 39 #include <linux/dcache.h> 40 #include <linux/personality.h> 41 #include <linux/msg.h> 42 #include <linux/shm.h> 43 #include <linux/binfmts.h> 44 #include <linux/parser.h> 45 #include "smack.h" 46 47 #define TRANS_TRUE "TRUE" 48 #define TRANS_TRUE_SIZE 4 49 50 #define SMK_CONNECTING 0 51 #define SMK_RECEIVING 1 52 #define SMK_SENDING 2 53 54 #ifdef SMACK_IPV6_PORT_LABELING 55 static LIST_HEAD(smk_ipv6_port_list); 56 #endif 57 static struct kmem_cache *smack_inode_cache; 58 int smack_enabled; 59 60 static const match_table_t smk_mount_tokens = { 61 {Opt_fsdefault, SMK_FSDEFAULT "%s"}, 62 {Opt_fsfloor, SMK_FSFLOOR "%s"}, 63 {Opt_fshat, SMK_FSHAT "%s"}, 64 {Opt_fsroot, SMK_FSROOT "%s"}, 65 {Opt_fstransmute, SMK_FSTRANS "%s"}, 66 {Opt_error, NULL}, 67 }; 68 69 #ifdef CONFIG_SECURITY_SMACK_BRINGUP 70 static char *smk_bu_mess[] = { 71 "Bringup Error", /* Unused */ 72 "Bringup", /* SMACK_BRINGUP_ALLOW */ 73 "Unconfined Subject", /* SMACK_UNCONFINED_SUBJECT */ 74 "Unconfined Object", /* SMACK_UNCONFINED_OBJECT */ 75 }; 76 77 static void smk_bu_mode(int mode, char *s) 78 { 79 int i = 0; 80 81 if (mode & MAY_READ) 82 s[i++] = 'r'; 83 if (mode & MAY_WRITE) 84 s[i++] = 'w'; 85 if (mode & MAY_EXEC) 86 s[i++] = 'x'; 87 if (mode & MAY_APPEND) 88 s[i++] = 'a'; 89 if (mode & MAY_TRANSMUTE) 90 s[i++] = 't'; 91 if (mode & MAY_LOCK) 92 s[i++] = 'l'; 93 if (i == 0) 94 s[i++] = '-'; 95 s[i] = '\0'; 96 } 97 #endif 98 99 #ifdef CONFIG_SECURITY_SMACK_BRINGUP 100 static int smk_bu_note(char *note, struct smack_known *sskp, 101 struct smack_known *oskp, int mode, int rc) 102 { 103 char acc[SMK_NUM_ACCESS_TYPE + 1]; 104 105 if (rc <= 0) 106 return rc; 107 if (rc > SMACK_UNCONFINED_OBJECT) 108 rc = 0; 109 110 smk_bu_mode(mode, acc); 111 pr_info("Smack %s: (%s %s %s) %s\n", smk_bu_mess[rc], 112 sskp->smk_known, oskp->smk_known, acc, note); 113 return 0; 114 } 115 #else 116 #define smk_bu_note(note, sskp, oskp, mode, RC) (RC) 117 #endif 118 119 #ifdef CONFIG_SECURITY_SMACK_BRINGUP 120 static int smk_bu_current(char *note, struct smack_known *oskp, 121 int mode, int rc) 122 { 123 struct task_smack *tsp = current_security(); 124 char acc[SMK_NUM_ACCESS_TYPE + 1]; 125 126 if (rc <= 0) 127 return rc; 128 if (rc > SMACK_UNCONFINED_OBJECT) 129 rc = 0; 130 131 smk_bu_mode(mode, acc); 132 pr_info("Smack %s: (%s %s %s) %s %s\n", smk_bu_mess[rc], 133 tsp->smk_task->smk_known, oskp->smk_known, 134 acc, current->comm, note); 135 return 0; 136 } 137 #else 138 #define smk_bu_current(note, oskp, mode, RC) (RC) 139 #endif 140 141 #ifdef CONFIG_SECURITY_SMACK_BRINGUP 142 static int smk_bu_task(struct task_struct *otp, int mode, int rc) 143 { 144 struct task_smack *tsp = current_security(); 145 struct smack_known *smk_task = smk_of_task_struct(otp); 146 char acc[SMK_NUM_ACCESS_TYPE + 1]; 147 148 if (rc <= 0) 149 return rc; 150 if (rc > SMACK_UNCONFINED_OBJECT) 151 rc = 0; 152 153 smk_bu_mode(mode, acc); 154 pr_info("Smack %s: (%s %s %s) %s to %s\n", smk_bu_mess[rc], 155 tsp->smk_task->smk_known, smk_task->smk_known, acc, 156 current->comm, otp->comm); 157 return 0; 158 } 159 #else 160 #define smk_bu_task(otp, mode, RC) (RC) 161 #endif 162 163 #ifdef CONFIG_SECURITY_SMACK_BRINGUP 164 static int smk_bu_inode(struct inode *inode, int mode, int rc) 165 { 166 struct task_smack *tsp = current_security(); 167 struct inode_smack *isp = inode->i_security; 168 char acc[SMK_NUM_ACCESS_TYPE + 1]; 169 170 if (isp->smk_flags & SMK_INODE_IMPURE) 171 pr_info("Smack Unconfined Corruption: inode=(%s %ld) %s\n", 172 inode->i_sb->s_id, inode->i_ino, current->comm); 173 174 if (rc <= 0) 175 return rc; 176 if (rc > SMACK_UNCONFINED_OBJECT) 177 rc = 0; 178 if (rc == SMACK_UNCONFINED_SUBJECT && 179 (mode & (MAY_WRITE | MAY_APPEND))) 180 isp->smk_flags |= SMK_INODE_IMPURE; 181 182 smk_bu_mode(mode, acc); 183 184 pr_info("Smack %s: (%s %s %s) inode=(%s %ld) %s\n", smk_bu_mess[rc], 185 tsp->smk_task->smk_known, isp->smk_inode->smk_known, acc, 186 inode->i_sb->s_id, inode->i_ino, current->comm); 187 return 0; 188 } 189 #else 190 #define smk_bu_inode(inode, mode, RC) (RC) 191 #endif 192 193 #ifdef CONFIG_SECURITY_SMACK_BRINGUP 194 static int smk_bu_file(struct file *file, int mode, int rc) 195 { 196 struct task_smack *tsp = current_security(); 197 struct smack_known *sskp = tsp->smk_task; 198 struct inode *inode = file_inode(file); 199 struct inode_smack *isp = inode->i_security; 200 char acc[SMK_NUM_ACCESS_TYPE + 1]; 201 202 if (isp->smk_flags & SMK_INODE_IMPURE) 203 pr_info("Smack Unconfined Corruption: inode=(%s %ld) %s\n", 204 inode->i_sb->s_id, inode->i_ino, current->comm); 205 206 if (rc <= 0) 207 return rc; 208 if (rc > SMACK_UNCONFINED_OBJECT) 209 rc = 0; 210 211 smk_bu_mode(mode, acc); 212 pr_info("Smack %s: (%s %s %s) file=(%s %ld %pD) %s\n", smk_bu_mess[rc], 213 sskp->smk_known, smk_of_inode(inode)->smk_known, acc, 214 inode->i_sb->s_id, inode->i_ino, file, 215 current->comm); 216 return 0; 217 } 218 #else 219 #define smk_bu_file(file, mode, RC) (RC) 220 #endif 221 222 #ifdef CONFIG_SECURITY_SMACK_BRINGUP 223 static int smk_bu_credfile(const struct cred *cred, struct file *file, 224 int mode, int rc) 225 { 226 struct task_smack *tsp = cred->security; 227 struct smack_known *sskp = tsp->smk_task; 228 struct inode *inode = file->f_inode; 229 struct inode_smack *isp = inode->i_security; 230 char acc[SMK_NUM_ACCESS_TYPE + 1]; 231 232 if (isp->smk_flags & SMK_INODE_IMPURE) 233 pr_info("Smack Unconfined Corruption: inode=(%s %ld) %s\n", 234 inode->i_sb->s_id, inode->i_ino, current->comm); 235 236 if (rc <= 0) 237 return rc; 238 if (rc > SMACK_UNCONFINED_OBJECT) 239 rc = 0; 240 241 smk_bu_mode(mode, acc); 242 pr_info("Smack %s: (%s %s %s) file=(%s %ld %pD) %s\n", smk_bu_mess[rc], 243 sskp->smk_known, smk_of_inode(inode)->smk_known, acc, 244 inode->i_sb->s_id, inode->i_ino, file, 245 current->comm); 246 return 0; 247 } 248 #else 249 #define smk_bu_credfile(cred, file, mode, RC) (RC) 250 #endif 251 252 /** 253 * smk_fetch - Fetch the smack label from a file. 254 * @name: type of the label (attribute) 255 * @ip: a pointer to the inode 256 * @dp: a pointer to the dentry 257 * 258 * Returns a pointer to the master list entry for the Smack label, 259 * NULL if there was no label to fetch, or an error code. 260 */ 261 static struct smack_known *smk_fetch(const char *name, struct inode *ip, 262 struct dentry *dp) 263 { 264 int rc; 265 char *buffer; 266 struct smack_known *skp = NULL; 267 268 if (!(ip->i_opflags & IOP_XATTR)) 269 return ERR_PTR(-EOPNOTSUPP); 270 271 buffer = kzalloc(SMK_LONGLABEL, GFP_KERNEL); 272 if (buffer == NULL) 273 return ERR_PTR(-ENOMEM); 274 275 rc = __vfs_getxattr(dp, ip, name, buffer, SMK_LONGLABEL); 276 if (rc < 0) 277 skp = ERR_PTR(rc); 278 else if (rc == 0) 279 skp = NULL; 280 else 281 skp = smk_import_entry(buffer, rc); 282 283 kfree(buffer); 284 285 return skp; 286 } 287 288 /** 289 * new_inode_smack - allocate an inode security blob 290 * @skp: a pointer to the Smack label entry to use in the blob 291 * 292 * Returns the new blob or NULL if there's no memory available 293 */ 294 static struct inode_smack *new_inode_smack(struct smack_known *skp) 295 { 296 struct inode_smack *isp; 297 298 isp = kmem_cache_zalloc(smack_inode_cache, GFP_NOFS); 299 if (isp == NULL) 300 return NULL; 301 302 isp->smk_inode = skp; 303 isp->smk_flags = 0; 304 mutex_init(&isp->smk_lock); 305 306 return isp; 307 } 308 309 /** 310 * new_task_smack - allocate a task security blob 311 * @task: a pointer to the Smack label for the running task 312 * @forked: a pointer to the Smack label for the forked task 313 * @gfp: type of the memory for the allocation 314 * 315 * Returns the new blob or NULL if there's no memory available 316 */ 317 static struct task_smack *new_task_smack(struct smack_known *task, 318 struct smack_known *forked, gfp_t gfp) 319 { 320 struct task_smack *tsp; 321 322 tsp = kzalloc(sizeof(struct task_smack), gfp); 323 if (tsp == NULL) 324 return NULL; 325 326 tsp->smk_task = task; 327 tsp->smk_forked = forked; 328 INIT_LIST_HEAD(&tsp->smk_rules); 329 INIT_LIST_HEAD(&tsp->smk_relabel); 330 mutex_init(&tsp->smk_rules_lock); 331 332 return tsp; 333 } 334 335 /** 336 * smk_copy_rules - copy a rule set 337 * @nhead: new rules header pointer 338 * @ohead: old rules header pointer 339 * @gfp: type of the memory for the allocation 340 * 341 * Returns 0 on success, -ENOMEM on error 342 */ 343 static int smk_copy_rules(struct list_head *nhead, struct list_head *ohead, 344 gfp_t gfp) 345 { 346 struct smack_rule *nrp; 347 struct smack_rule *orp; 348 int rc = 0; 349 350 INIT_LIST_HEAD(nhead); 351 352 list_for_each_entry_rcu(orp, ohead, list) { 353 nrp = kzalloc(sizeof(struct smack_rule), gfp); 354 if (nrp == NULL) { 355 rc = -ENOMEM; 356 break; 357 } 358 *nrp = *orp; 359 list_add_rcu(&nrp->list, nhead); 360 } 361 return rc; 362 } 363 364 /** 365 * smk_copy_relabel - copy smk_relabel labels list 366 * @nhead: new rules header pointer 367 * @ohead: old rules header pointer 368 * @gfp: type of the memory for the allocation 369 * 370 * Returns 0 on success, -ENOMEM on error 371 */ 372 static int smk_copy_relabel(struct list_head *nhead, struct list_head *ohead, 373 gfp_t gfp) 374 { 375 struct smack_known_list_elem *nklep; 376 struct smack_known_list_elem *oklep; 377 378 INIT_LIST_HEAD(nhead); 379 380 list_for_each_entry(oklep, ohead, list) { 381 nklep = kzalloc(sizeof(struct smack_known_list_elem), gfp); 382 if (nklep == NULL) { 383 smk_destroy_label_list(nhead); 384 return -ENOMEM; 385 } 386 nklep->smk_label = oklep->smk_label; 387 list_add(&nklep->list, nhead); 388 } 389 390 return 0; 391 } 392 393 /** 394 * smk_ptrace_mode - helper function for converting PTRACE_MODE_* into MAY_* 395 * @mode - input mode in form of PTRACE_MODE_* 396 * 397 * Returns a converted MAY_* mode usable by smack rules 398 */ 399 static inline unsigned int smk_ptrace_mode(unsigned int mode) 400 { 401 if (mode & PTRACE_MODE_ATTACH) 402 return MAY_READWRITE; 403 if (mode & PTRACE_MODE_READ) 404 return MAY_READ; 405 406 return 0; 407 } 408 409 /** 410 * smk_ptrace_rule_check - helper for ptrace access 411 * @tracer: tracer process 412 * @tracee_known: label entry of the process that's about to be traced 413 * @mode: ptrace attachment mode (PTRACE_MODE_*) 414 * @func: name of the function that called us, used for audit 415 * 416 * Returns 0 on access granted, -error on error 417 */ 418 static int smk_ptrace_rule_check(struct task_struct *tracer, 419 struct smack_known *tracee_known, 420 unsigned int mode, const char *func) 421 { 422 int rc; 423 struct smk_audit_info ad, *saip = NULL; 424 struct task_smack *tsp; 425 struct smack_known *tracer_known; 426 427 if ((mode & PTRACE_MODE_NOAUDIT) == 0) { 428 smk_ad_init(&ad, func, LSM_AUDIT_DATA_TASK); 429 smk_ad_setfield_u_tsk(&ad, tracer); 430 saip = &ad; 431 } 432 433 rcu_read_lock(); 434 tsp = __task_cred(tracer)->security; 435 tracer_known = smk_of_task(tsp); 436 437 if ((mode & PTRACE_MODE_ATTACH) && 438 (smack_ptrace_rule == SMACK_PTRACE_EXACT || 439 smack_ptrace_rule == SMACK_PTRACE_DRACONIAN)) { 440 if (tracer_known->smk_known == tracee_known->smk_known) 441 rc = 0; 442 else if (smack_ptrace_rule == SMACK_PTRACE_DRACONIAN) 443 rc = -EACCES; 444 else if (capable(CAP_SYS_PTRACE)) 445 rc = 0; 446 else 447 rc = -EACCES; 448 449 if (saip) 450 smack_log(tracer_known->smk_known, 451 tracee_known->smk_known, 452 0, rc, saip); 453 454 rcu_read_unlock(); 455 return rc; 456 } 457 458 /* In case of rule==SMACK_PTRACE_DEFAULT or mode==PTRACE_MODE_READ */ 459 rc = smk_tskacc(tsp, tracee_known, smk_ptrace_mode(mode), saip); 460 461 rcu_read_unlock(); 462 return rc; 463 } 464 465 /* 466 * LSM hooks. 467 * We he, that is fun! 468 */ 469 470 /** 471 * smack_ptrace_access_check - Smack approval on PTRACE_ATTACH 472 * @ctp: child task pointer 473 * @mode: ptrace attachment mode (PTRACE_MODE_*) 474 * 475 * Returns 0 if access is OK, an error code otherwise 476 * 477 * Do the capability checks. 478 */ 479 static int smack_ptrace_access_check(struct task_struct *ctp, unsigned int mode) 480 { 481 struct smack_known *skp; 482 483 skp = smk_of_task_struct(ctp); 484 485 return smk_ptrace_rule_check(current, skp, mode, __func__); 486 } 487 488 /** 489 * smack_ptrace_traceme - Smack approval on PTRACE_TRACEME 490 * @ptp: parent task pointer 491 * 492 * Returns 0 if access is OK, an error code otherwise 493 * 494 * Do the capability checks, and require PTRACE_MODE_ATTACH. 495 */ 496 static int smack_ptrace_traceme(struct task_struct *ptp) 497 { 498 int rc; 499 struct smack_known *skp; 500 501 skp = smk_of_task(current_security()); 502 503 rc = smk_ptrace_rule_check(ptp, skp, PTRACE_MODE_ATTACH, __func__); 504 return rc; 505 } 506 507 /** 508 * smack_syslog - Smack approval on syslog 509 * @type: message type 510 * 511 * Returns 0 on success, error code otherwise. 512 */ 513 static int smack_syslog(int typefrom_file) 514 { 515 int rc = 0; 516 struct smack_known *skp = smk_of_current(); 517 518 if (smack_privileged(CAP_MAC_OVERRIDE)) 519 return 0; 520 521 if (smack_syslog_label != NULL && smack_syslog_label != skp) 522 rc = -EACCES; 523 524 return rc; 525 } 526 527 528 /* 529 * Superblock Hooks. 530 */ 531 532 /** 533 * smack_sb_alloc_security - allocate a superblock blob 534 * @sb: the superblock getting the blob 535 * 536 * Returns 0 on success or -ENOMEM on error. 537 */ 538 static int smack_sb_alloc_security(struct super_block *sb) 539 { 540 struct superblock_smack *sbsp; 541 542 sbsp = kzalloc(sizeof(struct superblock_smack), GFP_KERNEL); 543 544 if (sbsp == NULL) 545 return -ENOMEM; 546 547 sbsp->smk_root = &smack_known_floor; 548 sbsp->smk_default = &smack_known_floor; 549 sbsp->smk_floor = &smack_known_floor; 550 sbsp->smk_hat = &smack_known_hat; 551 /* 552 * SMK_SB_INITIALIZED will be zero from kzalloc. 553 */ 554 sb->s_security = sbsp; 555 556 return 0; 557 } 558 559 /** 560 * smack_sb_free_security - free a superblock blob 561 * @sb: the superblock getting the blob 562 * 563 */ 564 static void smack_sb_free_security(struct super_block *sb) 565 { 566 kfree(sb->s_security); 567 sb->s_security = NULL; 568 } 569 570 /** 571 * smack_sb_copy_data - copy mount options data for processing 572 * @orig: where to start 573 * @smackopts: mount options string 574 * 575 * Returns 0 on success or -ENOMEM on error. 576 * 577 * Copy the Smack specific mount options out of the mount 578 * options list. 579 */ 580 static int smack_sb_copy_data(char *orig, char *smackopts) 581 { 582 char *cp, *commap, *otheropts, *dp; 583 584 otheropts = (char *)get_zeroed_page(GFP_KERNEL); 585 if (otheropts == NULL) 586 return -ENOMEM; 587 588 for (cp = orig, commap = orig; commap != NULL; cp = commap + 1) { 589 if (strstr(cp, SMK_FSDEFAULT) == cp) 590 dp = smackopts; 591 else if (strstr(cp, SMK_FSFLOOR) == cp) 592 dp = smackopts; 593 else if (strstr(cp, SMK_FSHAT) == cp) 594 dp = smackopts; 595 else if (strstr(cp, SMK_FSROOT) == cp) 596 dp = smackopts; 597 else if (strstr(cp, SMK_FSTRANS) == cp) 598 dp = smackopts; 599 else 600 dp = otheropts; 601 602 commap = strchr(cp, ','); 603 if (commap != NULL) 604 *commap = '\0'; 605 606 if (*dp != '\0') 607 strcat(dp, ","); 608 strcat(dp, cp); 609 } 610 611 strcpy(orig, otheropts); 612 free_page((unsigned long)otheropts); 613 614 return 0; 615 } 616 617 /** 618 * smack_parse_opts_str - parse Smack specific mount options 619 * @options: mount options string 620 * @opts: where to store converted mount opts 621 * 622 * Returns 0 on success or -ENOMEM on error. 623 * 624 * converts Smack specific mount options to generic security option format 625 */ 626 static int smack_parse_opts_str(char *options, 627 struct security_mnt_opts *opts) 628 { 629 char *p; 630 char *fsdefault = NULL; 631 char *fsfloor = NULL; 632 char *fshat = NULL; 633 char *fsroot = NULL; 634 char *fstransmute = NULL; 635 int rc = -ENOMEM; 636 int num_mnt_opts = 0; 637 int token; 638 639 opts->num_mnt_opts = 0; 640 641 if (!options) 642 return 0; 643 644 while ((p = strsep(&options, ",")) != NULL) { 645 substring_t args[MAX_OPT_ARGS]; 646 647 if (!*p) 648 continue; 649 650 token = match_token(p, smk_mount_tokens, args); 651 652 switch (token) { 653 case Opt_fsdefault: 654 if (fsdefault) 655 goto out_opt_err; 656 fsdefault = match_strdup(&args[0]); 657 if (!fsdefault) 658 goto out_err; 659 break; 660 case Opt_fsfloor: 661 if (fsfloor) 662 goto out_opt_err; 663 fsfloor = match_strdup(&args[0]); 664 if (!fsfloor) 665 goto out_err; 666 break; 667 case Opt_fshat: 668 if (fshat) 669 goto out_opt_err; 670 fshat = match_strdup(&args[0]); 671 if (!fshat) 672 goto out_err; 673 break; 674 case Opt_fsroot: 675 if (fsroot) 676 goto out_opt_err; 677 fsroot = match_strdup(&args[0]); 678 if (!fsroot) 679 goto out_err; 680 break; 681 case Opt_fstransmute: 682 if (fstransmute) 683 goto out_opt_err; 684 fstransmute = match_strdup(&args[0]); 685 if (!fstransmute) 686 goto out_err; 687 break; 688 default: 689 rc = -EINVAL; 690 pr_warn("Smack: unknown mount option\n"); 691 goto out_err; 692 } 693 } 694 695 opts->mnt_opts = kcalloc(NUM_SMK_MNT_OPTS, sizeof(char *), GFP_ATOMIC); 696 if (!opts->mnt_opts) 697 goto out_err; 698 699 opts->mnt_opts_flags = kcalloc(NUM_SMK_MNT_OPTS, sizeof(int), 700 GFP_ATOMIC); 701 if (!opts->mnt_opts_flags) { 702 kfree(opts->mnt_opts); 703 goto out_err; 704 } 705 706 if (fsdefault) { 707 opts->mnt_opts[num_mnt_opts] = fsdefault; 708 opts->mnt_opts_flags[num_mnt_opts++] = FSDEFAULT_MNT; 709 } 710 if (fsfloor) { 711 opts->mnt_opts[num_mnt_opts] = fsfloor; 712 opts->mnt_opts_flags[num_mnt_opts++] = FSFLOOR_MNT; 713 } 714 if (fshat) { 715 opts->mnt_opts[num_mnt_opts] = fshat; 716 opts->mnt_opts_flags[num_mnt_opts++] = FSHAT_MNT; 717 } 718 if (fsroot) { 719 opts->mnt_opts[num_mnt_opts] = fsroot; 720 opts->mnt_opts_flags[num_mnt_opts++] = FSROOT_MNT; 721 } 722 if (fstransmute) { 723 opts->mnt_opts[num_mnt_opts] = fstransmute; 724 opts->mnt_opts_flags[num_mnt_opts++] = FSTRANS_MNT; 725 } 726 727 opts->num_mnt_opts = num_mnt_opts; 728 return 0; 729 730 out_opt_err: 731 rc = -EINVAL; 732 pr_warn("Smack: duplicate mount options\n"); 733 734 out_err: 735 kfree(fsdefault); 736 kfree(fsfloor); 737 kfree(fshat); 738 kfree(fsroot); 739 kfree(fstransmute); 740 return rc; 741 } 742 743 /** 744 * smack_set_mnt_opts - set Smack specific mount options 745 * @sb: the file system superblock 746 * @opts: Smack mount options 747 * @kern_flags: mount option from kernel space or user space 748 * @set_kern_flags: where to store converted mount opts 749 * 750 * Returns 0 on success, an error code on failure 751 * 752 * Allow filesystems with binary mount data to explicitly set Smack mount 753 * labels. 754 */ 755 static int smack_set_mnt_opts(struct super_block *sb, 756 struct security_mnt_opts *opts, 757 unsigned long kern_flags, 758 unsigned long *set_kern_flags) 759 { 760 struct dentry *root = sb->s_root; 761 struct inode *inode = d_backing_inode(root); 762 struct superblock_smack *sp = sb->s_security; 763 struct inode_smack *isp; 764 struct smack_known *skp; 765 int i; 766 int num_opts = opts->num_mnt_opts; 767 int transmute = 0; 768 769 if (sp->smk_flags & SMK_SB_INITIALIZED) 770 return 0; 771 772 sp->smk_flags |= SMK_SB_INITIALIZED; 773 774 for (i = 0; i < num_opts; i++) { 775 switch (opts->mnt_opts_flags[i]) { 776 case FSDEFAULT_MNT: 777 skp = smk_import_entry(opts->mnt_opts[i], 0); 778 if (IS_ERR(skp)) 779 return PTR_ERR(skp); 780 sp->smk_default = skp; 781 break; 782 case FSFLOOR_MNT: 783 skp = smk_import_entry(opts->mnt_opts[i], 0); 784 if (IS_ERR(skp)) 785 return PTR_ERR(skp); 786 sp->smk_floor = skp; 787 break; 788 case FSHAT_MNT: 789 skp = smk_import_entry(opts->mnt_opts[i], 0); 790 if (IS_ERR(skp)) 791 return PTR_ERR(skp); 792 sp->smk_hat = skp; 793 break; 794 case FSROOT_MNT: 795 skp = smk_import_entry(opts->mnt_opts[i], 0); 796 if (IS_ERR(skp)) 797 return PTR_ERR(skp); 798 sp->smk_root = skp; 799 break; 800 case FSTRANS_MNT: 801 skp = smk_import_entry(opts->mnt_opts[i], 0); 802 if (IS_ERR(skp)) 803 return PTR_ERR(skp); 804 sp->smk_root = skp; 805 transmute = 1; 806 break; 807 default: 808 break; 809 } 810 } 811 812 if (!smack_privileged(CAP_MAC_ADMIN)) { 813 /* 814 * Unprivileged mounts don't get to specify Smack values. 815 */ 816 if (num_opts) 817 return -EPERM; 818 /* 819 * Unprivileged mounts get root and default from the caller. 820 */ 821 skp = smk_of_current(); 822 sp->smk_root = skp; 823 sp->smk_default = skp; 824 /* 825 * For a handful of fs types with no user-controlled 826 * backing store it's okay to trust security labels 827 * in the filesystem. The rest are untrusted. 828 */ 829 if (sb->s_user_ns != &init_user_ns && 830 sb->s_magic != SYSFS_MAGIC && sb->s_magic != TMPFS_MAGIC && 831 sb->s_magic != RAMFS_MAGIC) { 832 transmute = 1; 833 sp->smk_flags |= SMK_SB_UNTRUSTED; 834 } 835 } 836 837 /* 838 * Initialize the root inode. 839 */ 840 isp = inode->i_security; 841 if (isp == NULL) { 842 isp = new_inode_smack(sp->smk_root); 843 if (isp == NULL) 844 return -ENOMEM; 845 inode->i_security = isp; 846 } else 847 isp->smk_inode = sp->smk_root; 848 849 if (transmute) 850 isp->smk_flags |= SMK_INODE_TRANSMUTE; 851 852 return 0; 853 } 854 855 /** 856 * smack_sb_kern_mount - Smack specific mount processing 857 * @sb: the file system superblock 858 * @flags: the mount flags 859 * @data: the smack mount options 860 * 861 * Returns 0 on success, an error code on failure 862 */ 863 static int smack_sb_kern_mount(struct super_block *sb, int flags, void *data) 864 { 865 int rc = 0; 866 char *options = data; 867 struct security_mnt_opts opts; 868 869 security_init_mnt_opts(&opts); 870 871 if (!options) 872 goto out; 873 874 rc = smack_parse_opts_str(options, &opts); 875 if (rc) 876 goto out_err; 877 878 out: 879 rc = smack_set_mnt_opts(sb, &opts, 0, NULL); 880 881 out_err: 882 security_free_mnt_opts(&opts); 883 return rc; 884 } 885 886 /** 887 * smack_sb_statfs - Smack check on statfs 888 * @dentry: identifies the file system in question 889 * 890 * Returns 0 if current can read the floor of the filesystem, 891 * and error code otherwise 892 */ 893 static int smack_sb_statfs(struct dentry *dentry) 894 { 895 struct superblock_smack *sbp = dentry->d_sb->s_security; 896 int rc; 897 struct smk_audit_info ad; 898 899 smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_DENTRY); 900 smk_ad_setfield_u_fs_path_dentry(&ad, dentry); 901 902 rc = smk_curacc(sbp->smk_floor, MAY_READ, &ad); 903 rc = smk_bu_current("statfs", sbp->smk_floor, MAY_READ, rc); 904 return rc; 905 } 906 907 /* 908 * BPRM hooks 909 */ 910 911 /** 912 * smack_bprm_set_creds - set creds for exec 913 * @bprm: the exec information 914 * 915 * Returns 0 if it gets a blob, -EPERM if exec forbidden and -ENOMEM otherwise 916 */ 917 static int smack_bprm_set_creds(struct linux_binprm *bprm) 918 { 919 struct inode *inode = file_inode(bprm->file); 920 struct task_smack *bsp = bprm->cred->security; 921 struct inode_smack *isp; 922 struct superblock_smack *sbsp; 923 int rc; 924 925 if (bprm->cred_prepared) 926 return 0; 927 928 isp = inode->i_security; 929 if (isp->smk_task == NULL || isp->smk_task == bsp->smk_task) 930 return 0; 931 932 sbsp = inode->i_sb->s_security; 933 if ((sbsp->smk_flags & SMK_SB_UNTRUSTED) && 934 isp->smk_task != sbsp->smk_root) 935 return 0; 936 937 if (bprm->unsafe & (LSM_UNSAFE_PTRACE | LSM_UNSAFE_PTRACE_CAP)) { 938 struct task_struct *tracer; 939 rc = 0; 940 941 rcu_read_lock(); 942 tracer = ptrace_parent(current); 943 if (likely(tracer != NULL)) 944 rc = smk_ptrace_rule_check(tracer, 945 isp->smk_task, 946 PTRACE_MODE_ATTACH, 947 __func__); 948 rcu_read_unlock(); 949 950 if (rc != 0) 951 return rc; 952 } else if (bprm->unsafe) 953 return -EPERM; 954 955 bsp->smk_task = isp->smk_task; 956 bprm->per_clear |= PER_CLEAR_ON_SETID; 957 958 return 0; 959 } 960 961 /** 962 * smack_bprm_committing_creds - Prepare to install the new credentials 963 * from bprm. 964 * 965 * @bprm: binprm for exec 966 */ 967 static void smack_bprm_committing_creds(struct linux_binprm *bprm) 968 { 969 struct task_smack *bsp = bprm->cred->security; 970 971 if (bsp->smk_task != bsp->smk_forked) 972 current->pdeath_signal = 0; 973 } 974 975 /** 976 * smack_bprm_secureexec - Return the decision to use secureexec. 977 * @bprm: binprm for exec 978 * 979 * Returns 0 on success. 980 */ 981 static int smack_bprm_secureexec(struct linux_binprm *bprm) 982 { 983 struct task_smack *tsp = current_security(); 984 985 if (tsp->smk_task != tsp->smk_forked) 986 return 1; 987 988 return 0; 989 } 990 991 /* 992 * Inode hooks 993 */ 994 995 /** 996 * smack_inode_alloc_security - allocate an inode blob 997 * @inode: the inode in need of a blob 998 * 999 * Returns 0 if it gets a blob, -ENOMEM otherwise 1000 */ 1001 static int smack_inode_alloc_security(struct inode *inode) 1002 { 1003 struct smack_known *skp = smk_of_current(); 1004 1005 inode->i_security = new_inode_smack(skp); 1006 if (inode->i_security == NULL) 1007 return -ENOMEM; 1008 return 0; 1009 } 1010 1011 /** 1012 * smack_inode_free_security - free an inode blob 1013 * @inode: the inode with a blob 1014 * 1015 * Clears the blob pointer in inode 1016 */ 1017 static void smack_inode_free_security(struct inode *inode) 1018 { 1019 kmem_cache_free(smack_inode_cache, inode->i_security); 1020 inode->i_security = NULL; 1021 } 1022 1023 /** 1024 * smack_inode_init_security - copy out the smack from an inode 1025 * @inode: the newly created inode 1026 * @dir: containing directory object 1027 * @qstr: unused 1028 * @name: where to put the attribute name 1029 * @value: where to put the attribute value 1030 * @len: where to put the length of the attribute 1031 * 1032 * Returns 0 if it all works out, -ENOMEM if there's no memory 1033 */ 1034 static int smack_inode_init_security(struct inode *inode, struct inode *dir, 1035 const struct qstr *qstr, const char **name, 1036 void **value, size_t *len) 1037 { 1038 struct inode_smack *issp = inode->i_security; 1039 struct smack_known *skp = smk_of_current(); 1040 struct smack_known *isp = smk_of_inode(inode); 1041 struct smack_known *dsp = smk_of_inode(dir); 1042 int may; 1043 1044 if (name) 1045 *name = XATTR_SMACK_SUFFIX; 1046 1047 if (value && len) { 1048 rcu_read_lock(); 1049 may = smk_access_entry(skp->smk_known, dsp->smk_known, 1050 &skp->smk_rules); 1051 rcu_read_unlock(); 1052 1053 /* 1054 * If the access rule allows transmutation and 1055 * the directory requests transmutation then 1056 * by all means transmute. 1057 * Mark the inode as changed. 1058 */ 1059 if (may > 0 && ((may & MAY_TRANSMUTE) != 0) && 1060 smk_inode_transmutable(dir)) { 1061 isp = dsp; 1062 issp->smk_flags |= SMK_INODE_CHANGED; 1063 } 1064 1065 *value = kstrdup(isp->smk_known, GFP_NOFS); 1066 if (*value == NULL) 1067 return -ENOMEM; 1068 1069 *len = strlen(isp->smk_known); 1070 } 1071 1072 return 0; 1073 } 1074 1075 /** 1076 * smack_inode_link - Smack check on link 1077 * @old_dentry: the existing object 1078 * @dir: unused 1079 * @new_dentry: the new object 1080 * 1081 * Returns 0 if access is permitted, an error code otherwise 1082 */ 1083 static int smack_inode_link(struct dentry *old_dentry, struct inode *dir, 1084 struct dentry *new_dentry) 1085 { 1086 struct smack_known *isp; 1087 struct smk_audit_info ad; 1088 int rc; 1089 1090 smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_DENTRY); 1091 smk_ad_setfield_u_fs_path_dentry(&ad, old_dentry); 1092 1093 isp = smk_of_inode(d_backing_inode(old_dentry)); 1094 rc = smk_curacc(isp, MAY_WRITE, &ad); 1095 rc = smk_bu_inode(d_backing_inode(old_dentry), MAY_WRITE, rc); 1096 1097 if (rc == 0 && d_is_positive(new_dentry)) { 1098 isp = smk_of_inode(d_backing_inode(new_dentry)); 1099 smk_ad_setfield_u_fs_path_dentry(&ad, new_dentry); 1100 rc = smk_curacc(isp, MAY_WRITE, &ad); 1101 rc = smk_bu_inode(d_backing_inode(new_dentry), MAY_WRITE, rc); 1102 } 1103 1104 return rc; 1105 } 1106 1107 /** 1108 * smack_inode_unlink - Smack check on inode deletion 1109 * @dir: containing directory object 1110 * @dentry: file to unlink 1111 * 1112 * Returns 0 if current can write the containing directory 1113 * and the object, error code otherwise 1114 */ 1115 static int smack_inode_unlink(struct inode *dir, struct dentry *dentry) 1116 { 1117 struct inode *ip = d_backing_inode(dentry); 1118 struct smk_audit_info ad; 1119 int rc; 1120 1121 smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_DENTRY); 1122 smk_ad_setfield_u_fs_path_dentry(&ad, dentry); 1123 1124 /* 1125 * You need write access to the thing you're unlinking 1126 */ 1127 rc = smk_curacc(smk_of_inode(ip), MAY_WRITE, &ad); 1128 rc = smk_bu_inode(ip, MAY_WRITE, rc); 1129 if (rc == 0) { 1130 /* 1131 * You also need write access to the containing directory 1132 */ 1133 smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_INODE); 1134 smk_ad_setfield_u_fs_inode(&ad, dir); 1135 rc = smk_curacc(smk_of_inode(dir), MAY_WRITE, &ad); 1136 rc = smk_bu_inode(dir, MAY_WRITE, rc); 1137 } 1138 return rc; 1139 } 1140 1141 /** 1142 * smack_inode_rmdir - Smack check on directory deletion 1143 * @dir: containing directory object 1144 * @dentry: directory to unlink 1145 * 1146 * Returns 0 if current can write the containing directory 1147 * and the directory, error code otherwise 1148 */ 1149 static int smack_inode_rmdir(struct inode *dir, struct dentry *dentry) 1150 { 1151 struct smk_audit_info ad; 1152 int rc; 1153 1154 smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_DENTRY); 1155 smk_ad_setfield_u_fs_path_dentry(&ad, dentry); 1156 1157 /* 1158 * You need write access to the thing you're removing 1159 */ 1160 rc = smk_curacc(smk_of_inode(d_backing_inode(dentry)), MAY_WRITE, &ad); 1161 rc = smk_bu_inode(d_backing_inode(dentry), MAY_WRITE, rc); 1162 if (rc == 0) { 1163 /* 1164 * You also need write access to the containing directory 1165 */ 1166 smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_INODE); 1167 smk_ad_setfield_u_fs_inode(&ad, dir); 1168 rc = smk_curacc(smk_of_inode(dir), MAY_WRITE, &ad); 1169 rc = smk_bu_inode(dir, MAY_WRITE, rc); 1170 } 1171 1172 return rc; 1173 } 1174 1175 /** 1176 * smack_inode_rename - Smack check on rename 1177 * @old_inode: unused 1178 * @old_dentry: the old object 1179 * @new_inode: unused 1180 * @new_dentry: the new object 1181 * 1182 * Read and write access is required on both the old and 1183 * new directories. 1184 * 1185 * Returns 0 if access is permitted, an error code otherwise 1186 */ 1187 static int smack_inode_rename(struct inode *old_inode, 1188 struct dentry *old_dentry, 1189 struct inode *new_inode, 1190 struct dentry *new_dentry) 1191 { 1192 int rc; 1193 struct smack_known *isp; 1194 struct smk_audit_info ad; 1195 1196 smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_DENTRY); 1197 smk_ad_setfield_u_fs_path_dentry(&ad, old_dentry); 1198 1199 isp = smk_of_inode(d_backing_inode(old_dentry)); 1200 rc = smk_curacc(isp, MAY_READWRITE, &ad); 1201 rc = smk_bu_inode(d_backing_inode(old_dentry), MAY_READWRITE, rc); 1202 1203 if (rc == 0 && d_is_positive(new_dentry)) { 1204 isp = smk_of_inode(d_backing_inode(new_dentry)); 1205 smk_ad_setfield_u_fs_path_dentry(&ad, new_dentry); 1206 rc = smk_curacc(isp, MAY_READWRITE, &ad); 1207 rc = smk_bu_inode(d_backing_inode(new_dentry), MAY_READWRITE, rc); 1208 } 1209 return rc; 1210 } 1211 1212 /** 1213 * smack_inode_permission - Smack version of permission() 1214 * @inode: the inode in question 1215 * @mask: the access requested 1216 * 1217 * This is the important Smack hook. 1218 * 1219 * Returns 0 if access is permitted, -EACCES otherwise 1220 */ 1221 static int smack_inode_permission(struct inode *inode, int mask) 1222 { 1223 struct superblock_smack *sbsp = inode->i_sb->s_security; 1224 struct smk_audit_info ad; 1225 int no_block = mask & MAY_NOT_BLOCK; 1226 int rc; 1227 1228 mask &= (MAY_READ|MAY_WRITE|MAY_EXEC|MAY_APPEND); 1229 /* 1230 * No permission to check. Existence test. Yup, it's there. 1231 */ 1232 if (mask == 0) 1233 return 0; 1234 1235 if (sbsp->smk_flags & SMK_SB_UNTRUSTED) { 1236 if (smk_of_inode(inode) != sbsp->smk_root) 1237 return -EACCES; 1238 } 1239 1240 /* May be droppable after audit */ 1241 if (no_block) 1242 return -ECHILD; 1243 smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_INODE); 1244 smk_ad_setfield_u_fs_inode(&ad, inode); 1245 rc = smk_curacc(smk_of_inode(inode), mask, &ad); 1246 rc = smk_bu_inode(inode, mask, rc); 1247 return rc; 1248 } 1249 1250 /** 1251 * smack_inode_setattr - Smack check for setting attributes 1252 * @dentry: the object 1253 * @iattr: for the force flag 1254 * 1255 * Returns 0 if access is permitted, an error code otherwise 1256 */ 1257 static int smack_inode_setattr(struct dentry *dentry, struct iattr *iattr) 1258 { 1259 struct smk_audit_info ad; 1260 int rc; 1261 1262 /* 1263 * Need to allow for clearing the setuid bit. 1264 */ 1265 if (iattr->ia_valid & ATTR_FORCE) 1266 return 0; 1267 smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_DENTRY); 1268 smk_ad_setfield_u_fs_path_dentry(&ad, dentry); 1269 1270 rc = smk_curacc(smk_of_inode(d_backing_inode(dentry)), MAY_WRITE, &ad); 1271 rc = smk_bu_inode(d_backing_inode(dentry), MAY_WRITE, rc); 1272 return rc; 1273 } 1274 1275 /** 1276 * smack_inode_getattr - Smack check for getting attributes 1277 * @mnt: vfsmount of the object 1278 * @dentry: the object 1279 * 1280 * Returns 0 if access is permitted, an error code otherwise 1281 */ 1282 static int smack_inode_getattr(const struct path *path) 1283 { 1284 struct smk_audit_info ad; 1285 struct inode *inode = d_backing_inode(path->dentry); 1286 int rc; 1287 1288 smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_PATH); 1289 smk_ad_setfield_u_fs_path(&ad, *path); 1290 rc = smk_curacc(smk_of_inode(inode), MAY_READ, &ad); 1291 rc = smk_bu_inode(inode, MAY_READ, rc); 1292 return rc; 1293 } 1294 1295 /** 1296 * smack_inode_setxattr - Smack check for setting xattrs 1297 * @dentry: the object 1298 * @name: name of the attribute 1299 * @value: value of the attribute 1300 * @size: size of the value 1301 * @flags: unused 1302 * 1303 * This protects the Smack attribute explicitly. 1304 * 1305 * Returns 0 if access is permitted, an error code otherwise 1306 */ 1307 static int smack_inode_setxattr(struct dentry *dentry, const char *name, 1308 const void *value, size_t size, int flags) 1309 { 1310 struct smk_audit_info ad; 1311 struct smack_known *skp; 1312 int check_priv = 0; 1313 int check_import = 0; 1314 int check_star = 0; 1315 int rc = 0; 1316 1317 /* 1318 * Check label validity here so import won't fail in post_setxattr 1319 */ 1320 if (strcmp(name, XATTR_NAME_SMACK) == 0 || 1321 strcmp(name, XATTR_NAME_SMACKIPIN) == 0 || 1322 strcmp(name, XATTR_NAME_SMACKIPOUT) == 0) { 1323 check_priv = 1; 1324 check_import = 1; 1325 } else if (strcmp(name, XATTR_NAME_SMACKEXEC) == 0 || 1326 strcmp(name, XATTR_NAME_SMACKMMAP) == 0) { 1327 check_priv = 1; 1328 check_import = 1; 1329 check_star = 1; 1330 } else if (strcmp(name, XATTR_NAME_SMACKTRANSMUTE) == 0) { 1331 check_priv = 1; 1332 if (size != TRANS_TRUE_SIZE || 1333 strncmp(value, TRANS_TRUE, TRANS_TRUE_SIZE) != 0) 1334 rc = -EINVAL; 1335 } else 1336 rc = cap_inode_setxattr(dentry, name, value, size, flags); 1337 1338 if (check_priv && !smack_privileged(CAP_MAC_ADMIN)) 1339 rc = -EPERM; 1340 1341 if (rc == 0 && check_import) { 1342 skp = size ? smk_import_entry(value, size) : NULL; 1343 if (IS_ERR(skp)) 1344 rc = PTR_ERR(skp); 1345 else if (skp == NULL || (check_star && 1346 (skp == &smack_known_star || skp == &smack_known_web))) 1347 rc = -EINVAL; 1348 } 1349 1350 smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_DENTRY); 1351 smk_ad_setfield_u_fs_path_dentry(&ad, dentry); 1352 1353 if (rc == 0) { 1354 rc = smk_curacc(smk_of_inode(d_backing_inode(dentry)), MAY_WRITE, &ad); 1355 rc = smk_bu_inode(d_backing_inode(dentry), MAY_WRITE, rc); 1356 } 1357 1358 return rc; 1359 } 1360 1361 /** 1362 * smack_inode_post_setxattr - Apply the Smack update approved above 1363 * @dentry: object 1364 * @name: attribute name 1365 * @value: attribute value 1366 * @size: attribute size 1367 * @flags: unused 1368 * 1369 * Set the pointer in the inode blob to the entry found 1370 * in the master label list. 1371 */ 1372 static void smack_inode_post_setxattr(struct dentry *dentry, const char *name, 1373 const void *value, size_t size, int flags) 1374 { 1375 struct smack_known *skp; 1376 struct inode_smack *isp = d_backing_inode(dentry)->i_security; 1377 1378 if (strcmp(name, XATTR_NAME_SMACKTRANSMUTE) == 0) { 1379 isp->smk_flags |= SMK_INODE_TRANSMUTE; 1380 return; 1381 } 1382 1383 if (strcmp(name, XATTR_NAME_SMACK) == 0) { 1384 skp = smk_import_entry(value, size); 1385 if (!IS_ERR(skp)) 1386 isp->smk_inode = skp; 1387 else 1388 isp->smk_inode = &smack_known_invalid; 1389 } else if (strcmp(name, XATTR_NAME_SMACKEXEC) == 0) { 1390 skp = smk_import_entry(value, size); 1391 if (!IS_ERR(skp)) 1392 isp->smk_task = skp; 1393 else 1394 isp->smk_task = &smack_known_invalid; 1395 } else if (strcmp(name, XATTR_NAME_SMACKMMAP) == 0) { 1396 skp = smk_import_entry(value, size); 1397 if (!IS_ERR(skp)) 1398 isp->smk_mmap = skp; 1399 else 1400 isp->smk_mmap = &smack_known_invalid; 1401 } 1402 1403 return; 1404 } 1405 1406 /** 1407 * smack_inode_getxattr - Smack check on getxattr 1408 * @dentry: the object 1409 * @name: unused 1410 * 1411 * Returns 0 if access is permitted, an error code otherwise 1412 */ 1413 static int smack_inode_getxattr(struct dentry *dentry, const char *name) 1414 { 1415 struct smk_audit_info ad; 1416 int rc; 1417 1418 smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_DENTRY); 1419 smk_ad_setfield_u_fs_path_dentry(&ad, dentry); 1420 1421 rc = smk_curacc(smk_of_inode(d_backing_inode(dentry)), MAY_READ, &ad); 1422 rc = smk_bu_inode(d_backing_inode(dentry), MAY_READ, rc); 1423 return rc; 1424 } 1425 1426 /** 1427 * smack_inode_removexattr - Smack check on removexattr 1428 * @dentry: the object 1429 * @name: name of the attribute 1430 * 1431 * Removing the Smack attribute requires CAP_MAC_ADMIN 1432 * 1433 * Returns 0 if access is permitted, an error code otherwise 1434 */ 1435 static int smack_inode_removexattr(struct dentry *dentry, const char *name) 1436 { 1437 struct inode_smack *isp; 1438 struct smk_audit_info ad; 1439 int rc = 0; 1440 1441 if (strcmp(name, XATTR_NAME_SMACK) == 0 || 1442 strcmp(name, XATTR_NAME_SMACKIPIN) == 0 || 1443 strcmp(name, XATTR_NAME_SMACKIPOUT) == 0 || 1444 strcmp(name, XATTR_NAME_SMACKEXEC) == 0 || 1445 strcmp(name, XATTR_NAME_SMACKTRANSMUTE) == 0 || 1446 strcmp(name, XATTR_NAME_SMACKMMAP) == 0) { 1447 if (!smack_privileged(CAP_MAC_ADMIN)) 1448 rc = -EPERM; 1449 } else 1450 rc = cap_inode_removexattr(dentry, name); 1451 1452 if (rc != 0) 1453 return rc; 1454 1455 smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_DENTRY); 1456 smk_ad_setfield_u_fs_path_dentry(&ad, dentry); 1457 1458 rc = smk_curacc(smk_of_inode(d_backing_inode(dentry)), MAY_WRITE, &ad); 1459 rc = smk_bu_inode(d_backing_inode(dentry), MAY_WRITE, rc); 1460 if (rc != 0) 1461 return rc; 1462 1463 isp = d_backing_inode(dentry)->i_security; 1464 /* 1465 * Don't do anything special for these. 1466 * XATTR_NAME_SMACKIPIN 1467 * XATTR_NAME_SMACKIPOUT 1468 */ 1469 if (strcmp(name, XATTR_NAME_SMACK) == 0) { 1470 struct super_block *sbp = dentry->d_sb; 1471 struct superblock_smack *sbsp = sbp->s_security; 1472 1473 isp->smk_inode = sbsp->smk_default; 1474 } else if (strcmp(name, XATTR_NAME_SMACKEXEC) == 0) 1475 isp->smk_task = NULL; 1476 else if (strcmp(name, XATTR_NAME_SMACKMMAP) == 0) 1477 isp->smk_mmap = NULL; 1478 else if (strcmp(name, XATTR_NAME_SMACKTRANSMUTE) == 0) 1479 isp->smk_flags &= ~SMK_INODE_TRANSMUTE; 1480 1481 return 0; 1482 } 1483 1484 /** 1485 * smack_inode_getsecurity - get smack xattrs 1486 * @inode: the object 1487 * @name: attribute name 1488 * @buffer: where to put the result 1489 * @alloc: unused 1490 * 1491 * Returns the size of the attribute or an error code 1492 */ 1493 static int smack_inode_getsecurity(struct inode *inode, 1494 const char *name, void **buffer, 1495 bool alloc) 1496 { 1497 struct socket_smack *ssp; 1498 struct socket *sock; 1499 struct super_block *sbp; 1500 struct inode *ip = (struct inode *)inode; 1501 struct smack_known *isp; 1502 int ilen; 1503 int rc = 0; 1504 1505 if (strcmp(name, XATTR_SMACK_SUFFIX) == 0) { 1506 isp = smk_of_inode(inode); 1507 ilen = strlen(isp->smk_known); 1508 *buffer = isp->smk_known; 1509 return ilen; 1510 } 1511 1512 /* 1513 * The rest of the Smack xattrs are only on sockets. 1514 */ 1515 sbp = ip->i_sb; 1516 if (sbp->s_magic != SOCKFS_MAGIC) 1517 return -EOPNOTSUPP; 1518 1519 sock = SOCKET_I(ip); 1520 if (sock == NULL || sock->sk == NULL) 1521 return -EOPNOTSUPP; 1522 1523 ssp = sock->sk->sk_security; 1524 1525 if (strcmp(name, XATTR_SMACK_IPIN) == 0) 1526 isp = ssp->smk_in; 1527 else if (strcmp(name, XATTR_SMACK_IPOUT) == 0) 1528 isp = ssp->smk_out; 1529 else 1530 return -EOPNOTSUPP; 1531 1532 ilen = strlen(isp->smk_known); 1533 if (rc == 0) { 1534 *buffer = isp->smk_known; 1535 rc = ilen; 1536 } 1537 1538 return rc; 1539 } 1540 1541 1542 /** 1543 * smack_inode_listsecurity - list the Smack attributes 1544 * @inode: the object 1545 * @buffer: where they go 1546 * @buffer_size: size of buffer 1547 */ 1548 static int smack_inode_listsecurity(struct inode *inode, char *buffer, 1549 size_t buffer_size) 1550 { 1551 int len = sizeof(XATTR_NAME_SMACK); 1552 1553 if (buffer != NULL && len <= buffer_size) 1554 memcpy(buffer, XATTR_NAME_SMACK, len); 1555 1556 return len; 1557 } 1558 1559 /** 1560 * smack_inode_getsecid - Extract inode's security id 1561 * @inode: inode to extract the info from 1562 * @secid: where result will be saved 1563 */ 1564 static void smack_inode_getsecid(struct inode *inode, u32 *secid) 1565 { 1566 struct inode_smack *isp = inode->i_security; 1567 1568 *secid = isp->smk_inode->smk_secid; 1569 } 1570 1571 /* 1572 * File Hooks 1573 */ 1574 1575 /* 1576 * There is no smack_file_permission hook 1577 * 1578 * Should access checks be done on each read or write? 1579 * UNICOS and SELinux say yes. 1580 * Trusted Solaris, Trusted Irix, and just about everyone else says no. 1581 * 1582 * I'll say no for now. Smack does not do the frequent 1583 * label changing that SELinux does. 1584 */ 1585 1586 /** 1587 * smack_file_alloc_security - assign a file security blob 1588 * @file: the object 1589 * 1590 * The security blob for a file is a pointer to the master 1591 * label list, so no allocation is done. 1592 * 1593 * f_security is the owner security information. It 1594 * isn't used on file access checks, it's for send_sigio. 1595 * 1596 * Returns 0 1597 */ 1598 static int smack_file_alloc_security(struct file *file) 1599 { 1600 struct smack_known *skp = smk_of_current(); 1601 1602 file->f_security = skp; 1603 return 0; 1604 } 1605 1606 /** 1607 * smack_file_free_security - clear a file security blob 1608 * @file: the object 1609 * 1610 * The security blob for a file is a pointer to the master 1611 * label list, so no memory is freed. 1612 */ 1613 static void smack_file_free_security(struct file *file) 1614 { 1615 file->f_security = NULL; 1616 } 1617 1618 /** 1619 * smack_file_ioctl - Smack check on ioctls 1620 * @file: the object 1621 * @cmd: what to do 1622 * @arg: unused 1623 * 1624 * Relies heavily on the correct use of the ioctl command conventions. 1625 * 1626 * Returns 0 if allowed, error code otherwise 1627 */ 1628 static int smack_file_ioctl(struct file *file, unsigned int cmd, 1629 unsigned long arg) 1630 { 1631 int rc = 0; 1632 struct smk_audit_info ad; 1633 struct inode *inode = file_inode(file); 1634 1635 smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_PATH); 1636 smk_ad_setfield_u_fs_path(&ad, file->f_path); 1637 1638 if (_IOC_DIR(cmd) & _IOC_WRITE) { 1639 rc = smk_curacc(smk_of_inode(inode), MAY_WRITE, &ad); 1640 rc = smk_bu_file(file, MAY_WRITE, rc); 1641 } 1642 1643 if (rc == 0 && (_IOC_DIR(cmd) & _IOC_READ)) { 1644 rc = smk_curacc(smk_of_inode(inode), MAY_READ, &ad); 1645 rc = smk_bu_file(file, MAY_READ, rc); 1646 } 1647 1648 return rc; 1649 } 1650 1651 /** 1652 * smack_file_lock - Smack check on file locking 1653 * @file: the object 1654 * @cmd: unused 1655 * 1656 * Returns 0 if current has lock access, error code otherwise 1657 */ 1658 static int smack_file_lock(struct file *file, unsigned int cmd) 1659 { 1660 struct smk_audit_info ad; 1661 int rc; 1662 struct inode *inode = file_inode(file); 1663 1664 smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_PATH); 1665 smk_ad_setfield_u_fs_path(&ad, file->f_path); 1666 rc = smk_curacc(smk_of_inode(inode), MAY_LOCK, &ad); 1667 rc = smk_bu_file(file, MAY_LOCK, rc); 1668 return rc; 1669 } 1670 1671 /** 1672 * smack_file_fcntl - Smack check on fcntl 1673 * @file: the object 1674 * @cmd: what action to check 1675 * @arg: unused 1676 * 1677 * Generally these operations are harmless. 1678 * File locking operations present an obvious mechanism 1679 * for passing information, so they require write access. 1680 * 1681 * Returns 0 if current has access, error code otherwise 1682 */ 1683 static int smack_file_fcntl(struct file *file, unsigned int cmd, 1684 unsigned long arg) 1685 { 1686 struct smk_audit_info ad; 1687 int rc = 0; 1688 struct inode *inode = file_inode(file); 1689 1690 switch (cmd) { 1691 case F_GETLK: 1692 break; 1693 case F_SETLK: 1694 case F_SETLKW: 1695 smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_PATH); 1696 smk_ad_setfield_u_fs_path(&ad, file->f_path); 1697 rc = smk_curacc(smk_of_inode(inode), MAY_LOCK, &ad); 1698 rc = smk_bu_file(file, MAY_LOCK, rc); 1699 break; 1700 case F_SETOWN: 1701 case F_SETSIG: 1702 smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_PATH); 1703 smk_ad_setfield_u_fs_path(&ad, file->f_path); 1704 rc = smk_curacc(smk_of_inode(inode), MAY_WRITE, &ad); 1705 rc = smk_bu_file(file, MAY_WRITE, rc); 1706 break; 1707 default: 1708 break; 1709 } 1710 1711 return rc; 1712 } 1713 1714 /** 1715 * smack_mmap_file : 1716 * Check permissions for a mmap operation. The @file may be NULL, e.g. 1717 * if mapping anonymous memory. 1718 * @file contains the file structure for file to map (may be NULL). 1719 * @reqprot contains the protection requested by the application. 1720 * @prot contains the protection that will be applied by the kernel. 1721 * @flags contains the operational flags. 1722 * Return 0 if permission is granted. 1723 */ 1724 static int smack_mmap_file(struct file *file, 1725 unsigned long reqprot, unsigned long prot, 1726 unsigned long flags) 1727 { 1728 struct smack_known *skp; 1729 struct smack_known *mkp; 1730 struct smack_rule *srp; 1731 struct task_smack *tsp; 1732 struct smack_known *okp; 1733 struct inode_smack *isp; 1734 struct superblock_smack *sbsp; 1735 int may; 1736 int mmay; 1737 int tmay; 1738 int rc; 1739 1740 if (file == NULL) 1741 return 0; 1742 1743 isp = file_inode(file)->i_security; 1744 if (isp->smk_mmap == NULL) 1745 return 0; 1746 sbsp = file_inode(file)->i_sb->s_security; 1747 if (sbsp->smk_flags & SMK_SB_UNTRUSTED && 1748 isp->smk_mmap != sbsp->smk_root) 1749 return -EACCES; 1750 mkp = isp->smk_mmap; 1751 1752 tsp = current_security(); 1753 skp = smk_of_current(); 1754 rc = 0; 1755 1756 rcu_read_lock(); 1757 /* 1758 * For each Smack rule associated with the subject 1759 * label verify that the SMACK64MMAP also has access 1760 * to that rule's object label. 1761 */ 1762 list_for_each_entry_rcu(srp, &skp->smk_rules, list) { 1763 okp = srp->smk_object; 1764 /* 1765 * Matching labels always allows access. 1766 */ 1767 if (mkp->smk_known == okp->smk_known) 1768 continue; 1769 /* 1770 * If there is a matching local rule take 1771 * that into account as well. 1772 */ 1773 may = smk_access_entry(srp->smk_subject->smk_known, 1774 okp->smk_known, 1775 &tsp->smk_rules); 1776 if (may == -ENOENT) 1777 may = srp->smk_access; 1778 else 1779 may &= srp->smk_access; 1780 /* 1781 * If may is zero the SMACK64MMAP subject can't 1782 * possibly have less access. 1783 */ 1784 if (may == 0) 1785 continue; 1786 1787 /* 1788 * Fetch the global list entry. 1789 * If there isn't one a SMACK64MMAP subject 1790 * can't have as much access as current. 1791 */ 1792 mmay = smk_access_entry(mkp->smk_known, okp->smk_known, 1793 &mkp->smk_rules); 1794 if (mmay == -ENOENT) { 1795 rc = -EACCES; 1796 break; 1797 } 1798 /* 1799 * If there is a local entry it modifies the 1800 * potential access, too. 1801 */ 1802 tmay = smk_access_entry(mkp->smk_known, okp->smk_known, 1803 &tsp->smk_rules); 1804 if (tmay != -ENOENT) 1805 mmay &= tmay; 1806 1807 /* 1808 * If there is any access available to current that is 1809 * not available to a SMACK64MMAP subject 1810 * deny access. 1811 */ 1812 if ((may | mmay) != mmay) { 1813 rc = -EACCES; 1814 break; 1815 } 1816 } 1817 1818 rcu_read_unlock(); 1819 1820 return rc; 1821 } 1822 1823 /** 1824 * smack_file_set_fowner - set the file security blob value 1825 * @file: object in question 1826 * 1827 */ 1828 static void smack_file_set_fowner(struct file *file) 1829 { 1830 file->f_security = smk_of_current(); 1831 } 1832 1833 /** 1834 * smack_file_send_sigiotask - Smack on sigio 1835 * @tsk: The target task 1836 * @fown: the object the signal come from 1837 * @signum: unused 1838 * 1839 * Allow a privileged task to get signals even if it shouldn't 1840 * 1841 * Returns 0 if a subject with the object's smack could 1842 * write to the task, an error code otherwise. 1843 */ 1844 static int smack_file_send_sigiotask(struct task_struct *tsk, 1845 struct fown_struct *fown, int signum) 1846 { 1847 struct smack_known *skp; 1848 struct smack_known *tkp = smk_of_task(tsk->cred->security); 1849 struct file *file; 1850 int rc; 1851 struct smk_audit_info ad; 1852 1853 /* 1854 * struct fown_struct is never outside the context of a struct file 1855 */ 1856 file = container_of(fown, struct file, f_owner); 1857 1858 /* we don't log here as rc can be overriden */ 1859 skp = file->f_security; 1860 rc = smk_access(skp, tkp, MAY_DELIVER, NULL); 1861 rc = smk_bu_note("sigiotask", skp, tkp, MAY_DELIVER, rc); 1862 if (rc != 0 && has_capability(tsk, CAP_MAC_OVERRIDE)) 1863 rc = 0; 1864 1865 smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_TASK); 1866 smk_ad_setfield_u_tsk(&ad, tsk); 1867 smack_log(skp->smk_known, tkp->smk_known, MAY_DELIVER, rc, &ad); 1868 return rc; 1869 } 1870 1871 /** 1872 * smack_file_receive - Smack file receive check 1873 * @file: the object 1874 * 1875 * Returns 0 if current has access, error code otherwise 1876 */ 1877 static int smack_file_receive(struct file *file) 1878 { 1879 int rc; 1880 int may = 0; 1881 struct smk_audit_info ad; 1882 struct inode *inode = file_inode(file); 1883 struct socket *sock; 1884 struct task_smack *tsp; 1885 struct socket_smack *ssp; 1886 1887 if (unlikely(IS_PRIVATE(inode))) 1888 return 0; 1889 1890 smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_PATH); 1891 smk_ad_setfield_u_fs_path(&ad, file->f_path); 1892 1893 if (S_ISSOCK(inode->i_mode)) { 1894 sock = SOCKET_I(inode); 1895 ssp = sock->sk->sk_security; 1896 tsp = current_security(); 1897 /* 1898 * If the receiving process can't write to the 1899 * passed socket or if the passed socket can't 1900 * write to the receiving process don't accept 1901 * the passed socket. 1902 */ 1903 rc = smk_access(tsp->smk_task, ssp->smk_out, MAY_WRITE, &ad); 1904 rc = smk_bu_file(file, may, rc); 1905 if (rc < 0) 1906 return rc; 1907 rc = smk_access(ssp->smk_in, tsp->smk_task, MAY_WRITE, &ad); 1908 rc = smk_bu_file(file, may, rc); 1909 return rc; 1910 } 1911 /* 1912 * This code relies on bitmasks. 1913 */ 1914 if (file->f_mode & FMODE_READ) 1915 may = MAY_READ; 1916 if (file->f_mode & FMODE_WRITE) 1917 may |= MAY_WRITE; 1918 1919 rc = smk_curacc(smk_of_inode(inode), may, &ad); 1920 rc = smk_bu_file(file, may, rc); 1921 return rc; 1922 } 1923 1924 /** 1925 * smack_file_open - Smack dentry open processing 1926 * @file: the object 1927 * @cred: task credential 1928 * 1929 * Set the security blob in the file structure. 1930 * Allow the open only if the task has read access. There are 1931 * many read operations (e.g. fstat) that you can do with an 1932 * fd even if you have the file open write-only. 1933 * 1934 * Returns 0 1935 */ 1936 static int smack_file_open(struct file *file, const struct cred *cred) 1937 { 1938 struct task_smack *tsp = cred->security; 1939 struct inode *inode = file_inode(file); 1940 struct smk_audit_info ad; 1941 int rc; 1942 1943 if (smack_privileged(CAP_MAC_OVERRIDE)) 1944 return 0; 1945 1946 smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_PATH); 1947 smk_ad_setfield_u_fs_path(&ad, file->f_path); 1948 rc = smk_access(tsp->smk_task, smk_of_inode(inode), MAY_READ, &ad); 1949 rc = smk_bu_credfile(cred, file, MAY_READ, rc); 1950 1951 return rc; 1952 } 1953 1954 /* 1955 * Task hooks 1956 */ 1957 1958 /** 1959 * smack_cred_alloc_blank - "allocate" blank task-level security credentials 1960 * @new: the new credentials 1961 * @gfp: the atomicity of any memory allocations 1962 * 1963 * Prepare a blank set of credentials for modification. This must allocate all 1964 * the memory the LSM module might require such that cred_transfer() can 1965 * complete without error. 1966 */ 1967 static int smack_cred_alloc_blank(struct cred *cred, gfp_t gfp) 1968 { 1969 struct task_smack *tsp; 1970 1971 tsp = new_task_smack(NULL, NULL, gfp); 1972 if (tsp == NULL) 1973 return -ENOMEM; 1974 1975 cred->security = tsp; 1976 1977 return 0; 1978 } 1979 1980 1981 /** 1982 * smack_cred_free - "free" task-level security credentials 1983 * @cred: the credentials in question 1984 * 1985 */ 1986 static void smack_cred_free(struct cred *cred) 1987 { 1988 struct task_smack *tsp = cred->security; 1989 struct smack_rule *rp; 1990 struct list_head *l; 1991 struct list_head *n; 1992 1993 if (tsp == NULL) 1994 return; 1995 cred->security = NULL; 1996 1997 smk_destroy_label_list(&tsp->smk_relabel); 1998 1999 list_for_each_safe(l, n, &tsp->smk_rules) { 2000 rp = list_entry(l, struct smack_rule, list); 2001 list_del(&rp->list); 2002 kfree(rp); 2003 } 2004 kfree(tsp); 2005 } 2006 2007 /** 2008 * smack_cred_prepare - prepare new set of credentials for modification 2009 * @new: the new credentials 2010 * @old: the original credentials 2011 * @gfp: the atomicity of any memory allocations 2012 * 2013 * Prepare a new set of credentials for modification. 2014 */ 2015 static int smack_cred_prepare(struct cred *new, const struct cred *old, 2016 gfp_t gfp) 2017 { 2018 struct task_smack *old_tsp = old->security; 2019 struct task_smack *new_tsp; 2020 int rc; 2021 2022 new_tsp = new_task_smack(old_tsp->smk_task, old_tsp->smk_task, gfp); 2023 if (new_tsp == NULL) 2024 return -ENOMEM; 2025 2026 rc = smk_copy_rules(&new_tsp->smk_rules, &old_tsp->smk_rules, gfp); 2027 if (rc != 0) 2028 return rc; 2029 2030 rc = smk_copy_relabel(&new_tsp->smk_relabel, &old_tsp->smk_relabel, 2031 gfp); 2032 if (rc != 0) 2033 return rc; 2034 2035 new->security = new_tsp; 2036 return 0; 2037 } 2038 2039 /** 2040 * smack_cred_transfer - Transfer the old credentials to the new credentials 2041 * @new: the new credentials 2042 * @old: the original credentials 2043 * 2044 * Fill in a set of blank credentials from another set of credentials. 2045 */ 2046 static void smack_cred_transfer(struct cred *new, const struct cred *old) 2047 { 2048 struct task_smack *old_tsp = old->security; 2049 struct task_smack *new_tsp = new->security; 2050 2051 new_tsp->smk_task = old_tsp->smk_task; 2052 new_tsp->smk_forked = old_tsp->smk_task; 2053 mutex_init(&new_tsp->smk_rules_lock); 2054 INIT_LIST_HEAD(&new_tsp->smk_rules); 2055 2056 2057 /* cbs copy rule list */ 2058 } 2059 2060 /** 2061 * smack_kernel_act_as - Set the subjective context in a set of credentials 2062 * @new: points to the set of credentials to be modified. 2063 * @secid: specifies the security ID to be set 2064 * 2065 * Set the security data for a kernel service. 2066 */ 2067 static int smack_kernel_act_as(struct cred *new, u32 secid) 2068 { 2069 struct task_smack *new_tsp = new->security; 2070 struct smack_known *skp = smack_from_secid(secid); 2071 2072 if (skp == NULL) 2073 return -EINVAL; 2074 2075 new_tsp->smk_task = skp; 2076 return 0; 2077 } 2078 2079 /** 2080 * smack_kernel_create_files_as - Set the file creation label in a set of creds 2081 * @new: points to the set of credentials to be modified 2082 * @inode: points to the inode to use as a reference 2083 * 2084 * Set the file creation context in a set of credentials to the same 2085 * as the objective context of the specified inode 2086 */ 2087 static int smack_kernel_create_files_as(struct cred *new, 2088 struct inode *inode) 2089 { 2090 struct inode_smack *isp = inode->i_security; 2091 struct task_smack *tsp = new->security; 2092 2093 tsp->smk_forked = isp->smk_inode; 2094 tsp->smk_task = tsp->smk_forked; 2095 return 0; 2096 } 2097 2098 /** 2099 * smk_curacc_on_task - helper to log task related access 2100 * @p: the task object 2101 * @access: the access requested 2102 * @caller: name of the calling function for audit 2103 * 2104 * Return 0 if access is permitted 2105 */ 2106 static int smk_curacc_on_task(struct task_struct *p, int access, 2107 const char *caller) 2108 { 2109 struct smk_audit_info ad; 2110 struct smack_known *skp = smk_of_task_struct(p); 2111 int rc; 2112 2113 smk_ad_init(&ad, caller, LSM_AUDIT_DATA_TASK); 2114 smk_ad_setfield_u_tsk(&ad, p); 2115 rc = smk_curacc(skp, access, &ad); 2116 rc = smk_bu_task(p, access, rc); 2117 return rc; 2118 } 2119 2120 /** 2121 * smack_task_setpgid - Smack check on setting pgid 2122 * @p: the task object 2123 * @pgid: unused 2124 * 2125 * Return 0 if write access is permitted 2126 */ 2127 static int smack_task_setpgid(struct task_struct *p, pid_t pgid) 2128 { 2129 return smk_curacc_on_task(p, MAY_WRITE, __func__); 2130 } 2131 2132 /** 2133 * smack_task_getpgid - Smack access check for getpgid 2134 * @p: the object task 2135 * 2136 * Returns 0 if current can read the object task, error code otherwise 2137 */ 2138 static int smack_task_getpgid(struct task_struct *p) 2139 { 2140 return smk_curacc_on_task(p, MAY_READ, __func__); 2141 } 2142 2143 /** 2144 * smack_task_getsid - Smack access check for getsid 2145 * @p: the object task 2146 * 2147 * Returns 0 if current can read the object task, error code otherwise 2148 */ 2149 static int smack_task_getsid(struct task_struct *p) 2150 { 2151 return smk_curacc_on_task(p, MAY_READ, __func__); 2152 } 2153 2154 /** 2155 * smack_task_getsecid - get the secid of the task 2156 * @p: the object task 2157 * @secid: where to put the result 2158 * 2159 * Sets the secid to contain a u32 version of the smack label. 2160 */ 2161 static void smack_task_getsecid(struct task_struct *p, u32 *secid) 2162 { 2163 struct smack_known *skp = smk_of_task_struct(p); 2164 2165 *secid = skp->smk_secid; 2166 } 2167 2168 /** 2169 * smack_task_setnice - Smack check on setting nice 2170 * @p: the task object 2171 * @nice: unused 2172 * 2173 * Return 0 if write access is permitted 2174 */ 2175 static int smack_task_setnice(struct task_struct *p, int nice) 2176 { 2177 return smk_curacc_on_task(p, MAY_WRITE, __func__); 2178 } 2179 2180 /** 2181 * smack_task_setioprio - Smack check on setting ioprio 2182 * @p: the task object 2183 * @ioprio: unused 2184 * 2185 * Return 0 if write access is permitted 2186 */ 2187 static int smack_task_setioprio(struct task_struct *p, int ioprio) 2188 { 2189 return smk_curacc_on_task(p, MAY_WRITE, __func__); 2190 } 2191 2192 /** 2193 * smack_task_getioprio - Smack check on reading ioprio 2194 * @p: the task object 2195 * 2196 * Return 0 if read access is permitted 2197 */ 2198 static int smack_task_getioprio(struct task_struct *p) 2199 { 2200 return smk_curacc_on_task(p, MAY_READ, __func__); 2201 } 2202 2203 /** 2204 * smack_task_setscheduler - Smack check on setting scheduler 2205 * @p: the task object 2206 * @policy: unused 2207 * @lp: unused 2208 * 2209 * Return 0 if read access is permitted 2210 */ 2211 static int smack_task_setscheduler(struct task_struct *p) 2212 { 2213 return smk_curacc_on_task(p, MAY_WRITE, __func__); 2214 } 2215 2216 /** 2217 * smack_task_getscheduler - Smack check on reading scheduler 2218 * @p: the task object 2219 * 2220 * Return 0 if read access is permitted 2221 */ 2222 static int smack_task_getscheduler(struct task_struct *p) 2223 { 2224 return smk_curacc_on_task(p, MAY_READ, __func__); 2225 } 2226 2227 /** 2228 * smack_task_movememory - Smack check on moving memory 2229 * @p: the task object 2230 * 2231 * Return 0 if write access is permitted 2232 */ 2233 static int smack_task_movememory(struct task_struct *p) 2234 { 2235 return smk_curacc_on_task(p, MAY_WRITE, __func__); 2236 } 2237 2238 /** 2239 * smack_task_kill - Smack check on signal delivery 2240 * @p: the task object 2241 * @info: unused 2242 * @sig: unused 2243 * @secid: identifies the smack to use in lieu of current's 2244 * 2245 * Return 0 if write access is permitted 2246 * 2247 * The secid behavior is an artifact of an SELinux hack 2248 * in the USB code. Someday it may go away. 2249 */ 2250 static int smack_task_kill(struct task_struct *p, struct siginfo *info, 2251 int sig, u32 secid) 2252 { 2253 struct smk_audit_info ad; 2254 struct smack_known *skp; 2255 struct smack_known *tkp = smk_of_task_struct(p); 2256 int rc; 2257 2258 if (!sig) 2259 return 0; /* null signal; existence test */ 2260 2261 smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_TASK); 2262 smk_ad_setfield_u_tsk(&ad, p); 2263 /* 2264 * Sending a signal requires that the sender 2265 * can write the receiver. 2266 */ 2267 if (secid == 0) { 2268 rc = smk_curacc(tkp, MAY_DELIVER, &ad); 2269 rc = smk_bu_task(p, MAY_DELIVER, rc); 2270 return rc; 2271 } 2272 /* 2273 * If the secid isn't 0 we're dealing with some USB IO 2274 * specific behavior. This is not clean. For one thing 2275 * we can't take privilege into account. 2276 */ 2277 skp = smack_from_secid(secid); 2278 rc = smk_access(skp, tkp, MAY_DELIVER, &ad); 2279 rc = smk_bu_note("USB signal", skp, tkp, MAY_DELIVER, rc); 2280 return rc; 2281 } 2282 2283 /** 2284 * smack_task_wait - Smack access check for waiting 2285 * @p: task to wait for 2286 * 2287 * Returns 0 2288 */ 2289 static int smack_task_wait(struct task_struct *p) 2290 { 2291 /* 2292 * Allow the operation to succeed. 2293 * Zombies are bad. 2294 * In userless environments (e.g. phones) programs 2295 * get marked with SMACK64EXEC and even if the parent 2296 * and child shouldn't be talking the parent still 2297 * may expect to know when the child exits. 2298 */ 2299 return 0; 2300 } 2301 2302 /** 2303 * smack_task_to_inode - copy task smack into the inode blob 2304 * @p: task to copy from 2305 * @inode: inode to copy to 2306 * 2307 * Sets the smack pointer in the inode security blob 2308 */ 2309 static void smack_task_to_inode(struct task_struct *p, struct inode *inode) 2310 { 2311 struct inode_smack *isp = inode->i_security; 2312 struct smack_known *skp = smk_of_task_struct(p); 2313 2314 isp->smk_inode = skp; 2315 } 2316 2317 /* 2318 * Socket hooks. 2319 */ 2320 2321 /** 2322 * smack_sk_alloc_security - Allocate a socket blob 2323 * @sk: the socket 2324 * @family: unused 2325 * @gfp_flags: memory allocation flags 2326 * 2327 * Assign Smack pointers to current 2328 * 2329 * Returns 0 on success, -ENOMEM is there's no memory 2330 */ 2331 static int smack_sk_alloc_security(struct sock *sk, int family, gfp_t gfp_flags) 2332 { 2333 struct smack_known *skp = smk_of_current(); 2334 struct socket_smack *ssp; 2335 2336 ssp = kzalloc(sizeof(struct socket_smack), gfp_flags); 2337 if (ssp == NULL) 2338 return -ENOMEM; 2339 2340 ssp->smk_in = skp; 2341 ssp->smk_out = skp; 2342 ssp->smk_packet = NULL; 2343 2344 sk->sk_security = ssp; 2345 2346 return 0; 2347 } 2348 2349 /** 2350 * smack_sk_free_security - Free a socket blob 2351 * @sk: the socket 2352 * 2353 * Clears the blob pointer 2354 */ 2355 static void smack_sk_free_security(struct sock *sk) 2356 { 2357 kfree(sk->sk_security); 2358 } 2359 2360 /** 2361 * smack_ipv4host_label - check host based restrictions 2362 * @sip: the object end 2363 * 2364 * looks for host based access restrictions 2365 * 2366 * This version will only be appropriate for really small sets of single label 2367 * hosts. The caller is responsible for ensuring that the RCU read lock is 2368 * taken before calling this function. 2369 * 2370 * Returns the label of the far end or NULL if it's not special. 2371 */ 2372 static struct smack_known *smack_ipv4host_label(struct sockaddr_in *sip) 2373 { 2374 struct smk_net4addr *snp; 2375 struct in_addr *siap = &sip->sin_addr; 2376 2377 if (siap->s_addr == 0) 2378 return NULL; 2379 2380 list_for_each_entry_rcu(snp, &smk_net4addr_list, list) 2381 /* 2382 * we break after finding the first match because 2383 * the list is sorted from longest to shortest mask 2384 * so we have found the most specific match 2385 */ 2386 if (snp->smk_host.s_addr == 2387 (siap->s_addr & snp->smk_mask.s_addr)) 2388 return snp->smk_label; 2389 2390 return NULL; 2391 } 2392 2393 #if IS_ENABLED(CONFIG_IPV6) 2394 /* 2395 * smk_ipv6_localhost - Check for local ipv6 host address 2396 * @sip: the address 2397 * 2398 * Returns boolean true if this is the localhost address 2399 */ 2400 static bool smk_ipv6_localhost(struct sockaddr_in6 *sip) 2401 { 2402 __be16 *be16p = (__be16 *)&sip->sin6_addr; 2403 __be32 *be32p = (__be32 *)&sip->sin6_addr; 2404 2405 if (be32p[0] == 0 && be32p[1] == 0 && be32p[2] == 0 && be16p[6] == 0 && 2406 ntohs(be16p[7]) == 1) 2407 return true; 2408 return false; 2409 } 2410 2411 /** 2412 * smack_ipv6host_label - check host based restrictions 2413 * @sip: the object end 2414 * 2415 * looks for host based access restrictions 2416 * 2417 * This version will only be appropriate for really small sets of single label 2418 * hosts. The caller is responsible for ensuring that the RCU read lock is 2419 * taken before calling this function. 2420 * 2421 * Returns the label of the far end or NULL if it's not special. 2422 */ 2423 static struct smack_known *smack_ipv6host_label(struct sockaddr_in6 *sip) 2424 { 2425 struct smk_net6addr *snp; 2426 struct in6_addr *sap = &sip->sin6_addr; 2427 int i; 2428 int found = 0; 2429 2430 /* 2431 * It's local. Don't look for a host label. 2432 */ 2433 if (smk_ipv6_localhost(sip)) 2434 return NULL; 2435 2436 list_for_each_entry_rcu(snp, &smk_net6addr_list, list) { 2437 /* 2438 * we break after finding the first match because 2439 * the list is sorted from longest to shortest mask 2440 * so we have found the most specific match 2441 */ 2442 for (found = 1, i = 0; i < 8; i++) { 2443 /* 2444 * If the label is NULL the entry has 2445 * been renounced. Ignore it. 2446 */ 2447 if (snp->smk_label == NULL) 2448 continue; 2449 if ((sap->s6_addr16[i] & snp->smk_mask.s6_addr16[i]) != 2450 snp->smk_host.s6_addr16[i]) { 2451 found = 0; 2452 break; 2453 } 2454 } 2455 if (found) 2456 return snp->smk_label; 2457 } 2458 2459 return NULL; 2460 } 2461 #endif /* CONFIG_IPV6 */ 2462 2463 /** 2464 * smack_netlabel - Set the secattr on a socket 2465 * @sk: the socket 2466 * @labeled: socket label scheme 2467 * 2468 * Convert the outbound smack value (smk_out) to a 2469 * secattr and attach it to the socket. 2470 * 2471 * Returns 0 on success or an error code 2472 */ 2473 static int smack_netlabel(struct sock *sk, int labeled) 2474 { 2475 struct smack_known *skp; 2476 struct socket_smack *ssp = sk->sk_security; 2477 int rc = 0; 2478 2479 /* 2480 * Usually the netlabel code will handle changing the 2481 * packet labeling based on the label. 2482 * The case of a single label host is different, because 2483 * a single label host should never get a labeled packet 2484 * even though the label is usually associated with a packet 2485 * label. 2486 */ 2487 local_bh_disable(); 2488 bh_lock_sock_nested(sk); 2489 2490 if (ssp->smk_out == smack_net_ambient || 2491 labeled == SMACK_UNLABELED_SOCKET) 2492 netlbl_sock_delattr(sk); 2493 else { 2494 skp = ssp->smk_out; 2495 rc = netlbl_sock_setattr(sk, sk->sk_family, &skp->smk_netlabel); 2496 } 2497 2498 bh_unlock_sock(sk); 2499 local_bh_enable(); 2500 2501 return rc; 2502 } 2503 2504 /** 2505 * smack_netlbel_send - Set the secattr on a socket and perform access checks 2506 * @sk: the socket 2507 * @sap: the destination address 2508 * 2509 * Set the correct secattr for the given socket based on the destination 2510 * address and perform any outbound access checks needed. 2511 * 2512 * Returns 0 on success or an error code. 2513 * 2514 */ 2515 static int smack_netlabel_send(struct sock *sk, struct sockaddr_in *sap) 2516 { 2517 struct smack_known *skp; 2518 int rc; 2519 int sk_lbl; 2520 struct smack_known *hkp; 2521 struct socket_smack *ssp = sk->sk_security; 2522 struct smk_audit_info ad; 2523 2524 rcu_read_lock(); 2525 hkp = smack_ipv4host_label(sap); 2526 if (hkp != NULL) { 2527 #ifdef CONFIG_AUDIT 2528 struct lsm_network_audit net; 2529 2530 smk_ad_init_net(&ad, __func__, LSM_AUDIT_DATA_NET, &net); 2531 ad.a.u.net->family = sap->sin_family; 2532 ad.a.u.net->dport = sap->sin_port; 2533 ad.a.u.net->v4info.daddr = sap->sin_addr.s_addr; 2534 #endif 2535 sk_lbl = SMACK_UNLABELED_SOCKET; 2536 skp = ssp->smk_out; 2537 rc = smk_access(skp, hkp, MAY_WRITE, &ad); 2538 rc = smk_bu_note("IPv4 host check", skp, hkp, MAY_WRITE, rc); 2539 } else { 2540 sk_lbl = SMACK_CIPSO_SOCKET; 2541 rc = 0; 2542 } 2543 rcu_read_unlock(); 2544 if (rc != 0) 2545 return rc; 2546 2547 return smack_netlabel(sk, sk_lbl); 2548 } 2549 2550 #if IS_ENABLED(CONFIG_IPV6) 2551 /** 2552 * smk_ipv6_check - check Smack access 2553 * @subject: subject Smack label 2554 * @object: object Smack label 2555 * @address: address 2556 * @act: the action being taken 2557 * 2558 * Check an IPv6 access 2559 */ 2560 static int smk_ipv6_check(struct smack_known *subject, 2561 struct smack_known *object, 2562 struct sockaddr_in6 *address, int act) 2563 { 2564 #ifdef CONFIG_AUDIT 2565 struct lsm_network_audit net; 2566 #endif 2567 struct smk_audit_info ad; 2568 int rc; 2569 2570 #ifdef CONFIG_AUDIT 2571 smk_ad_init_net(&ad, __func__, LSM_AUDIT_DATA_NET, &net); 2572 ad.a.u.net->family = PF_INET6; 2573 ad.a.u.net->dport = ntohs(address->sin6_port); 2574 if (act == SMK_RECEIVING) 2575 ad.a.u.net->v6info.saddr = address->sin6_addr; 2576 else 2577 ad.a.u.net->v6info.daddr = address->sin6_addr; 2578 #endif 2579 rc = smk_access(subject, object, MAY_WRITE, &ad); 2580 rc = smk_bu_note("IPv6 check", subject, object, MAY_WRITE, rc); 2581 return rc; 2582 } 2583 #endif /* CONFIG_IPV6 */ 2584 2585 #ifdef SMACK_IPV6_PORT_LABELING 2586 /** 2587 * smk_ipv6_port_label - Smack port access table management 2588 * @sock: socket 2589 * @address: address 2590 * 2591 * Create or update the port list entry 2592 */ 2593 static void smk_ipv6_port_label(struct socket *sock, struct sockaddr *address) 2594 { 2595 struct sock *sk = sock->sk; 2596 struct sockaddr_in6 *addr6; 2597 struct socket_smack *ssp = sock->sk->sk_security; 2598 struct smk_port_label *spp; 2599 unsigned short port = 0; 2600 2601 if (address == NULL) { 2602 /* 2603 * This operation is changing the Smack information 2604 * on the bound socket. Take the changes to the port 2605 * as well. 2606 */ 2607 list_for_each_entry(spp, &smk_ipv6_port_list, list) { 2608 if (sk != spp->smk_sock) 2609 continue; 2610 spp->smk_in = ssp->smk_in; 2611 spp->smk_out = ssp->smk_out; 2612 return; 2613 } 2614 /* 2615 * A NULL address is only used for updating existing 2616 * bound entries. If there isn't one, it's OK. 2617 */ 2618 return; 2619 } 2620 2621 addr6 = (struct sockaddr_in6 *)address; 2622 port = ntohs(addr6->sin6_port); 2623 /* 2624 * This is a special case that is safely ignored. 2625 */ 2626 if (port == 0) 2627 return; 2628 2629 /* 2630 * Look for an existing port list entry. 2631 * This is an indication that a port is getting reused. 2632 */ 2633 list_for_each_entry(spp, &smk_ipv6_port_list, list) { 2634 if (spp->smk_port != port) 2635 continue; 2636 spp->smk_port = port; 2637 spp->smk_sock = sk; 2638 spp->smk_in = ssp->smk_in; 2639 spp->smk_out = ssp->smk_out; 2640 return; 2641 } 2642 2643 /* 2644 * A new port entry is required. 2645 */ 2646 spp = kzalloc(sizeof(*spp), GFP_KERNEL); 2647 if (spp == NULL) 2648 return; 2649 2650 spp->smk_port = port; 2651 spp->smk_sock = sk; 2652 spp->smk_in = ssp->smk_in; 2653 spp->smk_out = ssp->smk_out; 2654 2655 list_add(&spp->list, &smk_ipv6_port_list); 2656 return; 2657 } 2658 2659 /** 2660 * smk_ipv6_port_check - check Smack port access 2661 * @sock: socket 2662 * @address: address 2663 * 2664 * Create or update the port list entry 2665 */ 2666 static int smk_ipv6_port_check(struct sock *sk, struct sockaddr_in6 *address, 2667 int act) 2668 { 2669 struct smk_port_label *spp; 2670 struct socket_smack *ssp = sk->sk_security; 2671 struct smack_known *skp = NULL; 2672 unsigned short port; 2673 struct smack_known *object; 2674 2675 if (act == SMK_RECEIVING) { 2676 skp = smack_ipv6host_label(address); 2677 object = ssp->smk_in; 2678 } else { 2679 skp = ssp->smk_out; 2680 object = smack_ipv6host_label(address); 2681 } 2682 2683 /* 2684 * The other end is a single label host. 2685 */ 2686 if (skp != NULL && object != NULL) 2687 return smk_ipv6_check(skp, object, address, act); 2688 if (skp == NULL) 2689 skp = smack_net_ambient; 2690 if (object == NULL) 2691 object = smack_net_ambient; 2692 2693 /* 2694 * It's remote, so port lookup does no good. 2695 */ 2696 if (!smk_ipv6_localhost(address)) 2697 return smk_ipv6_check(skp, object, address, act); 2698 2699 /* 2700 * It's local so the send check has to have passed. 2701 */ 2702 if (act == SMK_RECEIVING) 2703 return 0; 2704 2705 port = ntohs(address->sin6_port); 2706 list_for_each_entry(spp, &smk_ipv6_port_list, list) { 2707 if (spp->smk_port != port) 2708 continue; 2709 object = spp->smk_in; 2710 if (act == SMK_CONNECTING) 2711 ssp->smk_packet = spp->smk_out; 2712 break; 2713 } 2714 2715 return smk_ipv6_check(skp, object, address, act); 2716 } 2717 #endif /* SMACK_IPV6_PORT_LABELING */ 2718 2719 /** 2720 * smack_inode_setsecurity - set smack xattrs 2721 * @inode: the object 2722 * @name: attribute name 2723 * @value: attribute value 2724 * @size: size of the attribute 2725 * @flags: unused 2726 * 2727 * Sets the named attribute in the appropriate blob 2728 * 2729 * Returns 0 on success, or an error code 2730 */ 2731 static int smack_inode_setsecurity(struct inode *inode, const char *name, 2732 const void *value, size_t size, int flags) 2733 { 2734 struct smack_known *skp; 2735 struct inode_smack *nsp = inode->i_security; 2736 struct socket_smack *ssp; 2737 struct socket *sock; 2738 int rc = 0; 2739 2740 if (value == NULL || size > SMK_LONGLABEL || size == 0) 2741 return -EINVAL; 2742 2743 skp = smk_import_entry(value, size); 2744 if (IS_ERR(skp)) 2745 return PTR_ERR(skp); 2746 2747 if (strcmp(name, XATTR_SMACK_SUFFIX) == 0) { 2748 nsp->smk_inode = skp; 2749 nsp->smk_flags |= SMK_INODE_INSTANT; 2750 return 0; 2751 } 2752 /* 2753 * The rest of the Smack xattrs are only on sockets. 2754 */ 2755 if (inode->i_sb->s_magic != SOCKFS_MAGIC) 2756 return -EOPNOTSUPP; 2757 2758 sock = SOCKET_I(inode); 2759 if (sock == NULL || sock->sk == NULL) 2760 return -EOPNOTSUPP; 2761 2762 ssp = sock->sk->sk_security; 2763 2764 if (strcmp(name, XATTR_SMACK_IPIN) == 0) 2765 ssp->smk_in = skp; 2766 else if (strcmp(name, XATTR_SMACK_IPOUT) == 0) { 2767 ssp->smk_out = skp; 2768 if (sock->sk->sk_family == PF_INET) { 2769 rc = smack_netlabel(sock->sk, SMACK_CIPSO_SOCKET); 2770 if (rc != 0) 2771 printk(KERN_WARNING 2772 "Smack: \"%s\" netlbl error %d.\n", 2773 __func__, -rc); 2774 } 2775 } else 2776 return -EOPNOTSUPP; 2777 2778 #ifdef SMACK_IPV6_PORT_LABELING 2779 if (sock->sk->sk_family == PF_INET6) 2780 smk_ipv6_port_label(sock, NULL); 2781 #endif 2782 2783 return 0; 2784 } 2785 2786 /** 2787 * smack_socket_post_create - finish socket setup 2788 * @sock: the socket 2789 * @family: protocol family 2790 * @type: unused 2791 * @protocol: unused 2792 * @kern: unused 2793 * 2794 * Sets the netlabel information on the socket 2795 * 2796 * Returns 0 on success, and error code otherwise 2797 */ 2798 static int smack_socket_post_create(struct socket *sock, int family, 2799 int type, int protocol, int kern) 2800 { 2801 struct socket_smack *ssp; 2802 2803 if (sock->sk == NULL) 2804 return 0; 2805 2806 /* 2807 * Sockets created by kernel threads receive web label. 2808 */ 2809 if (unlikely(current->flags & PF_KTHREAD)) { 2810 ssp = sock->sk->sk_security; 2811 ssp->smk_in = &smack_known_web; 2812 ssp->smk_out = &smack_known_web; 2813 } 2814 2815 if (family != PF_INET) 2816 return 0; 2817 /* 2818 * Set the outbound netlbl. 2819 */ 2820 return smack_netlabel(sock->sk, SMACK_CIPSO_SOCKET); 2821 } 2822 2823 #ifdef SMACK_IPV6_PORT_LABELING 2824 /** 2825 * smack_socket_bind - record port binding information. 2826 * @sock: the socket 2827 * @address: the port address 2828 * @addrlen: size of the address 2829 * 2830 * Records the label bound to a port. 2831 * 2832 * Returns 0 2833 */ 2834 static int smack_socket_bind(struct socket *sock, struct sockaddr *address, 2835 int addrlen) 2836 { 2837 if (sock->sk != NULL && sock->sk->sk_family == PF_INET6) 2838 smk_ipv6_port_label(sock, address); 2839 return 0; 2840 } 2841 #endif /* SMACK_IPV6_PORT_LABELING */ 2842 2843 /** 2844 * smack_socket_connect - connect access check 2845 * @sock: the socket 2846 * @sap: the other end 2847 * @addrlen: size of sap 2848 * 2849 * Verifies that a connection may be possible 2850 * 2851 * Returns 0 on success, and error code otherwise 2852 */ 2853 static int smack_socket_connect(struct socket *sock, struct sockaddr *sap, 2854 int addrlen) 2855 { 2856 int rc = 0; 2857 #if IS_ENABLED(CONFIG_IPV6) 2858 struct sockaddr_in6 *sip = (struct sockaddr_in6 *)sap; 2859 #endif 2860 #ifdef SMACK_IPV6_SECMARK_LABELING 2861 struct smack_known *rsp; 2862 struct socket_smack *ssp = sock->sk->sk_security; 2863 #endif 2864 2865 if (sock->sk == NULL) 2866 return 0; 2867 2868 switch (sock->sk->sk_family) { 2869 case PF_INET: 2870 if (addrlen < sizeof(struct sockaddr_in)) 2871 return -EINVAL; 2872 rc = smack_netlabel_send(sock->sk, (struct sockaddr_in *)sap); 2873 break; 2874 case PF_INET6: 2875 if (addrlen < sizeof(struct sockaddr_in6)) 2876 return -EINVAL; 2877 #ifdef SMACK_IPV6_SECMARK_LABELING 2878 rsp = smack_ipv6host_label(sip); 2879 if (rsp != NULL) 2880 rc = smk_ipv6_check(ssp->smk_out, rsp, sip, 2881 SMK_CONNECTING); 2882 #endif 2883 #ifdef SMACK_IPV6_PORT_LABELING 2884 rc = smk_ipv6_port_check(sock->sk, sip, SMK_CONNECTING); 2885 #endif 2886 break; 2887 } 2888 return rc; 2889 } 2890 2891 /** 2892 * smack_flags_to_may - convert S_ to MAY_ values 2893 * @flags: the S_ value 2894 * 2895 * Returns the equivalent MAY_ value 2896 */ 2897 static int smack_flags_to_may(int flags) 2898 { 2899 int may = 0; 2900 2901 if (flags & S_IRUGO) 2902 may |= MAY_READ; 2903 if (flags & S_IWUGO) 2904 may |= MAY_WRITE; 2905 if (flags & S_IXUGO) 2906 may |= MAY_EXEC; 2907 2908 return may; 2909 } 2910 2911 /** 2912 * smack_msg_msg_alloc_security - Set the security blob for msg_msg 2913 * @msg: the object 2914 * 2915 * Returns 0 2916 */ 2917 static int smack_msg_msg_alloc_security(struct msg_msg *msg) 2918 { 2919 struct smack_known *skp = smk_of_current(); 2920 2921 msg->security = skp; 2922 return 0; 2923 } 2924 2925 /** 2926 * smack_msg_msg_free_security - Clear the security blob for msg_msg 2927 * @msg: the object 2928 * 2929 * Clears the blob pointer 2930 */ 2931 static void smack_msg_msg_free_security(struct msg_msg *msg) 2932 { 2933 msg->security = NULL; 2934 } 2935 2936 /** 2937 * smack_of_shm - the smack pointer for the shm 2938 * @shp: the object 2939 * 2940 * Returns a pointer to the smack value 2941 */ 2942 static struct smack_known *smack_of_shm(struct shmid_kernel *shp) 2943 { 2944 return (struct smack_known *)shp->shm_perm.security; 2945 } 2946 2947 /** 2948 * smack_shm_alloc_security - Set the security blob for shm 2949 * @shp: the object 2950 * 2951 * Returns 0 2952 */ 2953 static int smack_shm_alloc_security(struct shmid_kernel *shp) 2954 { 2955 struct kern_ipc_perm *isp = &shp->shm_perm; 2956 struct smack_known *skp = smk_of_current(); 2957 2958 isp->security = skp; 2959 return 0; 2960 } 2961 2962 /** 2963 * smack_shm_free_security - Clear the security blob for shm 2964 * @shp: the object 2965 * 2966 * Clears the blob pointer 2967 */ 2968 static void smack_shm_free_security(struct shmid_kernel *shp) 2969 { 2970 struct kern_ipc_perm *isp = &shp->shm_perm; 2971 2972 isp->security = NULL; 2973 } 2974 2975 /** 2976 * smk_curacc_shm : check if current has access on shm 2977 * @shp : the object 2978 * @access : access requested 2979 * 2980 * Returns 0 if current has the requested access, error code otherwise 2981 */ 2982 static int smk_curacc_shm(struct shmid_kernel *shp, int access) 2983 { 2984 struct smack_known *ssp = smack_of_shm(shp); 2985 struct smk_audit_info ad; 2986 int rc; 2987 2988 #ifdef CONFIG_AUDIT 2989 smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_IPC); 2990 ad.a.u.ipc_id = shp->shm_perm.id; 2991 #endif 2992 rc = smk_curacc(ssp, access, &ad); 2993 rc = smk_bu_current("shm", ssp, access, rc); 2994 return rc; 2995 } 2996 2997 /** 2998 * smack_shm_associate - Smack access check for shm 2999 * @shp: the object 3000 * @shmflg: access requested 3001 * 3002 * Returns 0 if current has the requested access, error code otherwise 3003 */ 3004 static int smack_shm_associate(struct shmid_kernel *shp, int shmflg) 3005 { 3006 int may; 3007 3008 may = smack_flags_to_may(shmflg); 3009 return smk_curacc_shm(shp, may); 3010 } 3011 3012 /** 3013 * smack_shm_shmctl - Smack access check for shm 3014 * @shp: the object 3015 * @cmd: what it wants to do 3016 * 3017 * Returns 0 if current has the requested access, error code otherwise 3018 */ 3019 static int smack_shm_shmctl(struct shmid_kernel *shp, int cmd) 3020 { 3021 int may; 3022 3023 switch (cmd) { 3024 case IPC_STAT: 3025 case SHM_STAT: 3026 may = MAY_READ; 3027 break; 3028 case IPC_SET: 3029 case SHM_LOCK: 3030 case SHM_UNLOCK: 3031 case IPC_RMID: 3032 may = MAY_READWRITE; 3033 break; 3034 case IPC_INFO: 3035 case SHM_INFO: 3036 /* 3037 * System level information. 3038 */ 3039 return 0; 3040 default: 3041 return -EINVAL; 3042 } 3043 return smk_curacc_shm(shp, may); 3044 } 3045 3046 /** 3047 * smack_shm_shmat - Smack access for shmat 3048 * @shp: the object 3049 * @shmaddr: unused 3050 * @shmflg: access requested 3051 * 3052 * Returns 0 if current has the requested access, error code otherwise 3053 */ 3054 static int smack_shm_shmat(struct shmid_kernel *shp, char __user *shmaddr, 3055 int shmflg) 3056 { 3057 int may; 3058 3059 may = smack_flags_to_may(shmflg); 3060 return smk_curacc_shm(shp, may); 3061 } 3062 3063 /** 3064 * smack_of_sem - the smack pointer for the sem 3065 * @sma: the object 3066 * 3067 * Returns a pointer to the smack value 3068 */ 3069 static struct smack_known *smack_of_sem(struct sem_array *sma) 3070 { 3071 return (struct smack_known *)sma->sem_perm.security; 3072 } 3073 3074 /** 3075 * smack_sem_alloc_security - Set the security blob for sem 3076 * @sma: the object 3077 * 3078 * Returns 0 3079 */ 3080 static int smack_sem_alloc_security(struct sem_array *sma) 3081 { 3082 struct kern_ipc_perm *isp = &sma->sem_perm; 3083 struct smack_known *skp = smk_of_current(); 3084 3085 isp->security = skp; 3086 return 0; 3087 } 3088 3089 /** 3090 * smack_sem_free_security - Clear the security blob for sem 3091 * @sma: the object 3092 * 3093 * Clears the blob pointer 3094 */ 3095 static void smack_sem_free_security(struct sem_array *sma) 3096 { 3097 struct kern_ipc_perm *isp = &sma->sem_perm; 3098 3099 isp->security = NULL; 3100 } 3101 3102 /** 3103 * smk_curacc_sem : check if current has access on sem 3104 * @sma : the object 3105 * @access : access requested 3106 * 3107 * Returns 0 if current has the requested access, error code otherwise 3108 */ 3109 static int smk_curacc_sem(struct sem_array *sma, int access) 3110 { 3111 struct smack_known *ssp = smack_of_sem(sma); 3112 struct smk_audit_info ad; 3113 int rc; 3114 3115 #ifdef CONFIG_AUDIT 3116 smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_IPC); 3117 ad.a.u.ipc_id = sma->sem_perm.id; 3118 #endif 3119 rc = smk_curacc(ssp, access, &ad); 3120 rc = smk_bu_current("sem", ssp, access, rc); 3121 return rc; 3122 } 3123 3124 /** 3125 * smack_sem_associate - Smack access check for sem 3126 * @sma: the object 3127 * @semflg: access requested 3128 * 3129 * Returns 0 if current has the requested access, error code otherwise 3130 */ 3131 static int smack_sem_associate(struct sem_array *sma, int semflg) 3132 { 3133 int may; 3134 3135 may = smack_flags_to_may(semflg); 3136 return smk_curacc_sem(sma, may); 3137 } 3138 3139 /** 3140 * smack_sem_shmctl - Smack access check for sem 3141 * @sma: the object 3142 * @cmd: what it wants to do 3143 * 3144 * Returns 0 if current has the requested access, error code otherwise 3145 */ 3146 static int smack_sem_semctl(struct sem_array *sma, int cmd) 3147 { 3148 int may; 3149 3150 switch (cmd) { 3151 case GETPID: 3152 case GETNCNT: 3153 case GETZCNT: 3154 case GETVAL: 3155 case GETALL: 3156 case IPC_STAT: 3157 case SEM_STAT: 3158 may = MAY_READ; 3159 break; 3160 case SETVAL: 3161 case SETALL: 3162 case IPC_RMID: 3163 case IPC_SET: 3164 may = MAY_READWRITE; 3165 break; 3166 case IPC_INFO: 3167 case SEM_INFO: 3168 /* 3169 * System level information 3170 */ 3171 return 0; 3172 default: 3173 return -EINVAL; 3174 } 3175 3176 return smk_curacc_sem(sma, may); 3177 } 3178 3179 /** 3180 * smack_sem_semop - Smack checks of semaphore operations 3181 * @sma: the object 3182 * @sops: unused 3183 * @nsops: unused 3184 * @alter: unused 3185 * 3186 * Treated as read and write in all cases. 3187 * 3188 * Returns 0 if access is allowed, error code otherwise 3189 */ 3190 static int smack_sem_semop(struct sem_array *sma, struct sembuf *sops, 3191 unsigned nsops, int alter) 3192 { 3193 return smk_curacc_sem(sma, MAY_READWRITE); 3194 } 3195 3196 /** 3197 * smack_msg_alloc_security - Set the security blob for msg 3198 * @msq: the object 3199 * 3200 * Returns 0 3201 */ 3202 static int smack_msg_queue_alloc_security(struct msg_queue *msq) 3203 { 3204 struct kern_ipc_perm *kisp = &msq->q_perm; 3205 struct smack_known *skp = smk_of_current(); 3206 3207 kisp->security = skp; 3208 return 0; 3209 } 3210 3211 /** 3212 * smack_msg_free_security - Clear the security blob for msg 3213 * @msq: the object 3214 * 3215 * Clears the blob pointer 3216 */ 3217 static void smack_msg_queue_free_security(struct msg_queue *msq) 3218 { 3219 struct kern_ipc_perm *kisp = &msq->q_perm; 3220 3221 kisp->security = NULL; 3222 } 3223 3224 /** 3225 * smack_of_msq - the smack pointer for the msq 3226 * @msq: the object 3227 * 3228 * Returns a pointer to the smack label entry 3229 */ 3230 static struct smack_known *smack_of_msq(struct msg_queue *msq) 3231 { 3232 return (struct smack_known *)msq->q_perm.security; 3233 } 3234 3235 /** 3236 * smk_curacc_msq : helper to check if current has access on msq 3237 * @msq : the msq 3238 * @access : access requested 3239 * 3240 * return 0 if current has access, error otherwise 3241 */ 3242 static int smk_curacc_msq(struct msg_queue *msq, int access) 3243 { 3244 struct smack_known *msp = smack_of_msq(msq); 3245 struct smk_audit_info ad; 3246 int rc; 3247 3248 #ifdef CONFIG_AUDIT 3249 smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_IPC); 3250 ad.a.u.ipc_id = msq->q_perm.id; 3251 #endif 3252 rc = smk_curacc(msp, access, &ad); 3253 rc = smk_bu_current("msq", msp, access, rc); 3254 return rc; 3255 } 3256 3257 /** 3258 * smack_msg_queue_associate - Smack access check for msg_queue 3259 * @msq: the object 3260 * @msqflg: access requested 3261 * 3262 * Returns 0 if current has the requested access, error code otherwise 3263 */ 3264 static int smack_msg_queue_associate(struct msg_queue *msq, int msqflg) 3265 { 3266 int may; 3267 3268 may = smack_flags_to_may(msqflg); 3269 return smk_curacc_msq(msq, may); 3270 } 3271 3272 /** 3273 * smack_msg_queue_msgctl - Smack access check for msg_queue 3274 * @msq: the object 3275 * @cmd: what it wants to do 3276 * 3277 * Returns 0 if current has the requested access, error code otherwise 3278 */ 3279 static int smack_msg_queue_msgctl(struct msg_queue *msq, int cmd) 3280 { 3281 int may; 3282 3283 switch (cmd) { 3284 case IPC_STAT: 3285 case MSG_STAT: 3286 may = MAY_READ; 3287 break; 3288 case IPC_SET: 3289 case IPC_RMID: 3290 may = MAY_READWRITE; 3291 break; 3292 case IPC_INFO: 3293 case MSG_INFO: 3294 /* 3295 * System level information 3296 */ 3297 return 0; 3298 default: 3299 return -EINVAL; 3300 } 3301 3302 return smk_curacc_msq(msq, may); 3303 } 3304 3305 /** 3306 * smack_msg_queue_msgsnd - Smack access check for msg_queue 3307 * @msq: the object 3308 * @msg: unused 3309 * @msqflg: access requested 3310 * 3311 * Returns 0 if current has the requested access, error code otherwise 3312 */ 3313 static int smack_msg_queue_msgsnd(struct msg_queue *msq, struct msg_msg *msg, 3314 int msqflg) 3315 { 3316 int may; 3317 3318 may = smack_flags_to_may(msqflg); 3319 return smk_curacc_msq(msq, may); 3320 } 3321 3322 /** 3323 * smack_msg_queue_msgsnd - Smack access check for msg_queue 3324 * @msq: the object 3325 * @msg: unused 3326 * @target: unused 3327 * @type: unused 3328 * @mode: unused 3329 * 3330 * Returns 0 if current has read and write access, error code otherwise 3331 */ 3332 static int smack_msg_queue_msgrcv(struct msg_queue *msq, struct msg_msg *msg, 3333 struct task_struct *target, long type, int mode) 3334 { 3335 return smk_curacc_msq(msq, MAY_READWRITE); 3336 } 3337 3338 /** 3339 * smack_ipc_permission - Smack access for ipc_permission() 3340 * @ipp: the object permissions 3341 * @flag: access requested 3342 * 3343 * Returns 0 if current has read and write access, error code otherwise 3344 */ 3345 static int smack_ipc_permission(struct kern_ipc_perm *ipp, short flag) 3346 { 3347 struct smack_known *iskp = ipp->security; 3348 int may = smack_flags_to_may(flag); 3349 struct smk_audit_info ad; 3350 int rc; 3351 3352 #ifdef CONFIG_AUDIT 3353 smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_IPC); 3354 ad.a.u.ipc_id = ipp->id; 3355 #endif 3356 rc = smk_curacc(iskp, may, &ad); 3357 rc = smk_bu_current("svipc", iskp, may, rc); 3358 return rc; 3359 } 3360 3361 /** 3362 * smack_ipc_getsecid - Extract smack security id 3363 * @ipp: the object permissions 3364 * @secid: where result will be saved 3365 */ 3366 static void smack_ipc_getsecid(struct kern_ipc_perm *ipp, u32 *secid) 3367 { 3368 struct smack_known *iskp = ipp->security; 3369 3370 *secid = iskp->smk_secid; 3371 } 3372 3373 /** 3374 * smack_d_instantiate - Make sure the blob is correct on an inode 3375 * @opt_dentry: dentry where inode will be attached 3376 * @inode: the object 3377 * 3378 * Set the inode's security blob if it hasn't been done already. 3379 */ 3380 static void smack_d_instantiate(struct dentry *opt_dentry, struct inode *inode) 3381 { 3382 struct super_block *sbp; 3383 struct superblock_smack *sbsp; 3384 struct inode_smack *isp; 3385 struct smack_known *skp; 3386 struct smack_known *ckp = smk_of_current(); 3387 struct smack_known *final; 3388 char trattr[TRANS_TRUE_SIZE]; 3389 int transflag = 0; 3390 int rc; 3391 struct dentry *dp; 3392 3393 if (inode == NULL) 3394 return; 3395 3396 isp = inode->i_security; 3397 3398 mutex_lock(&isp->smk_lock); 3399 /* 3400 * If the inode is already instantiated 3401 * take the quick way out 3402 */ 3403 if (isp->smk_flags & SMK_INODE_INSTANT) 3404 goto unlockandout; 3405 3406 sbp = inode->i_sb; 3407 sbsp = sbp->s_security; 3408 /* 3409 * We're going to use the superblock default label 3410 * if there's no label on the file. 3411 */ 3412 final = sbsp->smk_default; 3413 3414 /* 3415 * If this is the root inode the superblock 3416 * may be in the process of initialization. 3417 * If that is the case use the root value out 3418 * of the superblock. 3419 */ 3420 if (opt_dentry->d_parent == opt_dentry) { 3421 switch (sbp->s_magic) { 3422 case CGROUP_SUPER_MAGIC: 3423 /* 3424 * The cgroup filesystem is never mounted, 3425 * so there's no opportunity to set the mount 3426 * options. 3427 */ 3428 sbsp->smk_root = &smack_known_star; 3429 sbsp->smk_default = &smack_known_star; 3430 isp->smk_inode = sbsp->smk_root; 3431 break; 3432 case TMPFS_MAGIC: 3433 /* 3434 * What about shmem/tmpfs anonymous files with dentry 3435 * obtained from d_alloc_pseudo()? 3436 */ 3437 isp->smk_inode = smk_of_current(); 3438 break; 3439 case PIPEFS_MAGIC: 3440 isp->smk_inode = smk_of_current(); 3441 break; 3442 default: 3443 isp->smk_inode = sbsp->smk_root; 3444 break; 3445 } 3446 isp->smk_flags |= SMK_INODE_INSTANT; 3447 goto unlockandout; 3448 } 3449 3450 /* 3451 * This is pretty hackish. 3452 * Casey says that we shouldn't have to do 3453 * file system specific code, but it does help 3454 * with keeping it simple. 3455 */ 3456 switch (sbp->s_magic) { 3457 case SMACK_MAGIC: 3458 case PIPEFS_MAGIC: 3459 case SOCKFS_MAGIC: 3460 case CGROUP_SUPER_MAGIC: 3461 /* 3462 * Casey says that it's a little embarrassing 3463 * that the smack file system doesn't do 3464 * extended attributes. 3465 * 3466 * Casey says pipes are easy (?) 3467 * 3468 * Socket access is controlled by the socket 3469 * structures associated with the task involved. 3470 * 3471 * Cgroupfs is special 3472 */ 3473 final = &smack_known_star; 3474 break; 3475 case DEVPTS_SUPER_MAGIC: 3476 /* 3477 * devpts seems content with the label of the task. 3478 * Programs that change smack have to treat the 3479 * pty with respect. 3480 */ 3481 final = ckp; 3482 break; 3483 case PROC_SUPER_MAGIC: 3484 /* 3485 * Casey says procfs appears not to care. 3486 * The superblock default suffices. 3487 */ 3488 break; 3489 case TMPFS_MAGIC: 3490 /* 3491 * Device labels should come from the filesystem, 3492 * but watch out, because they're volitile, 3493 * getting recreated on every reboot. 3494 */ 3495 final = &smack_known_star; 3496 /* 3497 * No break. 3498 * 3499 * If a smack value has been set we want to use it, 3500 * but since tmpfs isn't giving us the opportunity 3501 * to set mount options simulate setting the 3502 * superblock default. 3503 */ 3504 default: 3505 /* 3506 * This isn't an understood special case. 3507 * Get the value from the xattr. 3508 */ 3509 3510 /* 3511 * UNIX domain sockets use lower level socket data. 3512 */ 3513 if (S_ISSOCK(inode->i_mode)) { 3514 final = &smack_known_star; 3515 break; 3516 } 3517 /* 3518 * No xattr support means, alas, no SMACK label. 3519 * Use the aforeapplied default. 3520 * It would be curious if the label of the task 3521 * does not match that assigned. 3522 */ 3523 if (!(inode->i_opflags & IOP_XATTR)) 3524 break; 3525 /* 3526 * Get the dentry for xattr. 3527 */ 3528 dp = dget(opt_dentry); 3529 skp = smk_fetch(XATTR_NAME_SMACK, inode, dp); 3530 if (!IS_ERR_OR_NULL(skp)) 3531 final = skp; 3532 3533 /* 3534 * Transmuting directory 3535 */ 3536 if (S_ISDIR(inode->i_mode)) { 3537 /* 3538 * If this is a new directory and the label was 3539 * transmuted when the inode was initialized 3540 * set the transmute attribute on the directory 3541 * and mark the inode. 3542 * 3543 * If there is a transmute attribute on the 3544 * directory mark the inode. 3545 */ 3546 if (isp->smk_flags & SMK_INODE_CHANGED) { 3547 isp->smk_flags &= ~SMK_INODE_CHANGED; 3548 rc = __vfs_setxattr(dp, inode, 3549 XATTR_NAME_SMACKTRANSMUTE, 3550 TRANS_TRUE, TRANS_TRUE_SIZE, 3551 0); 3552 } else { 3553 rc = __vfs_getxattr(dp, inode, 3554 XATTR_NAME_SMACKTRANSMUTE, trattr, 3555 TRANS_TRUE_SIZE); 3556 if (rc >= 0 && strncmp(trattr, TRANS_TRUE, 3557 TRANS_TRUE_SIZE) != 0) 3558 rc = -EINVAL; 3559 } 3560 if (rc >= 0) 3561 transflag = SMK_INODE_TRANSMUTE; 3562 } 3563 /* 3564 * Don't let the exec or mmap label be "*" or "@". 3565 */ 3566 skp = smk_fetch(XATTR_NAME_SMACKEXEC, inode, dp); 3567 if (IS_ERR(skp) || skp == &smack_known_star || 3568 skp == &smack_known_web) 3569 skp = NULL; 3570 isp->smk_task = skp; 3571 3572 skp = smk_fetch(XATTR_NAME_SMACKMMAP, inode, dp); 3573 if (IS_ERR(skp) || skp == &smack_known_star || 3574 skp == &smack_known_web) 3575 skp = NULL; 3576 isp->smk_mmap = skp; 3577 3578 dput(dp); 3579 break; 3580 } 3581 3582 if (final == NULL) 3583 isp->smk_inode = ckp; 3584 else 3585 isp->smk_inode = final; 3586 3587 isp->smk_flags |= (SMK_INODE_INSTANT | transflag); 3588 3589 unlockandout: 3590 mutex_unlock(&isp->smk_lock); 3591 return; 3592 } 3593 3594 /** 3595 * smack_getprocattr - Smack process attribute access 3596 * @p: the object task 3597 * @name: the name of the attribute in /proc/.../attr 3598 * @value: where to put the result 3599 * 3600 * Places a copy of the task Smack into value 3601 * 3602 * Returns the length of the smack label or an error code 3603 */ 3604 static int smack_getprocattr(struct task_struct *p, char *name, char **value) 3605 { 3606 struct smack_known *skp = smk_of_task_struct(p); 3607 char *cp; 3608 int slen; 3609 3610 if (strcmp(name, "current") != 0) 3611 return -EINVAL; 3612 3613 cp = kstrdup(skp->smk_known, GFP_KERNEL); 3614 if (cp == NULL) 3615 return -ENOMEM; 3616 3617 slen = strlen(cp); 3618 *value = cp; 3619 return slen; 3620 } 3621 3622 /** 3623 * smack_setprocattr - Smack process attribute setting 3624 * @p: the object task 3625 * @name: the name of the attribute in /proc/.../attr 3626 * @value: the value to set 3627 * @size: the size of the value 3628 * 3629 * Sets the Smack value of the task. Only setting self 3630 * is permitted and only with privilege 3631 * 3632 * Returns the length of the smack label or an error code 3633 */ 3634 static int smack_setprocattr(struct task_struct *p, char *name, 3635 void *value, size_t size) 3636 { 3637 struct task_smack *tsp = current_security(); 3638 struct cred *new; 3639 struct smack_known *skp; 3640 struct smack_known_list_elem *sklep; 3641 int rc; 3642 3643 /* 3644 * Changing another process' Smack value is too dangerous 3645 * and supports no sane use case. 3646 */ 3647 if (p != current) 3648 return -EPERM; 3649 3650 if (!smack_privileged(CAP_MAC_ADMIN) && list_empty(&tsp->smk_relabel)) 3651 return -EPERM; 3652 3653 if (value == NULL || size == 0 || size >= SMK_LONGLABEL) 3654 return -EINVAL; 3655 3656 if (strcmp(name, "current") != 0) 3657 return -EINVAL; 3658 3659 skp = smk_import_entry(value, size); 3660 if (IS_ERR(skp)) 3661 return PTR_ERR(skp); 3662 3663 /* 3664 * No process is ever allowed the web ("@") label. 3665 */ 3666 if (skp == &smack_known_web) 3667 return -EPERM; 3668 3669 if (!smack_privileged(CAP_MAC_ADMIN)) { 3670 rc = -EPERM; 3671 list_for_each_entry(sklep, &tsp->smk_relabel, list) 3672 if (sklep->smk_label == skp) { 3673 rc = 0; 3674 break; 3675 } 3676 if (rc) 3677 return rc; 3678 } 3679 3680 new = prepare_creds(); 3681 if (new == NULL) 3682 return -ENOMEM; 3683 3684 tsp = new->security; 3685 tsp->smk_task = skp; 3686 /* 3687 * process can change its label only once 3688 */ 3689 smk_destroy_label_list(&tsp->smk_relabel); 3690 3691 commit_creds(new); 3692 return size; 3693 } 3694 3695 /** 3696 * smack_unix_stream_connect - Smack access on UDS 3697 * @sock: one sock 3698 * @other: the other sock 3699 * @newsk: unused 3700 * 3701 * Return 0 if a subject with the smack of sock could access 3702 * an object with the smack of other, otherwise an error code 3703 */ 3704 static int smack_unix_stream_connect(struct sock *sock, 3705 struct sock *other, struct sock *newsk) 3706 { 3707 struct smack_known *skp; 3708 struct smack_known *okp; 3709 struct socket_smack *ssp = sock->sk_security; 3710 struct socket_smack *osp = other->sk_security; 3711 struct socket_smack *nsp = newsk->sk_security; 3712 struct smk_audit_info ad; 3713 int rc = 0; 3714 #ifdef CONFIG_AUDIT 3715 struct lsm_network_audit net; 3716 #endif 3717 3718 if (!smack_privileged(CAP_MAC_OVERRIDE)) { 3719 skp = ssp->smk_out; 3720 okp = osp->smk_in; 3721 #ifdef CONFIG_AUDIT 3722 smk_ad_init_net(&ad, __func__, LSM_AUDIT_DATA_NET, &net); 3723 smk_ad_setfield_u_net_sk(&ad, other); 3724 #endif 3725 rc = smk_access(skp, okp, MAY_WRITE, &ad); 3726 rc = smk_bu_note("UDS connect", skp, okp, MAY_WRITE, rc); 3727 if (rc == 0) { 3728 okp = osp->smk_out; 3729 skp = ssp->smk_in; 3730 rc = smk_access(okp, skp, MAY_WRITE, &ad); 3731 rc = smk_bu_note("UDS connect", okp, skp, 3732 MAY_WRITE, rc); 3733 } 3734 } 3735 3736 /* 3737 * Cross reference the peer labels for SO_PEERSEC. 3738 */ 3739 if (rc == 0) { 3740 nsp->smk_packet = ssp->smk_out; 3741 ssp->smk_packet = osp->smk_out; 3742 } 3743 3744 return rc; 3745 } 3746 3747 /** 3748 * smack_unix_may_send - Smack access on UDS 3749 * @sock: one socket 3750 * @other: the other socket 3751 * 3752 * Return 0 if a subject with the smack of sock could access 3753 * an object with the smack of other, otherwise an error code 3754 */ 3755 static int smack_unix_may_send(struct socket *sock, struct socket *other) 3756 { 3757 struct socket_smack *ssp = sock->sk->sk_security; 3758 struct socket_smack *osp = other->sk->sk_security; 3759 struct smk_audit_info ad; 3760 int rc; 3761 3762 #ifdef CONFIG_AUDIT 3763 struct lsm_network_audit net; 3764 3765 smk_ad_init_net(&ad, __func__, LSM_AUDIT_DATA_NET, &net); 3766 smk_ad_setfield_u_net_sk(&ad, other->sk); 3767 #endif 3768 3769 if (smack_privileged(CAP_MAC_OVERRIDE)) 3770 return 0; 3771 3772 rc = smk_access(ssp->smk_out, osp->smk_in, MAY_WRITE, &ad); 3773 rc = smk_bu_note("UDS send", ssp->smk_out, osp->smk_in, MAY_WRITE, rc); 3774 return rc; 3775 } 3776 3777 /** 3778 * smack_socket_sendmsg - Smack check based on destination host 3779 * @sock: the socket 3780 * @msg: the message 3781 * @size: the size of the message 3782 * 3783 * Return 0 if the current subject can write to the destination host. 3784 * For IPv4 this is only a question if the destination is a single label host. 3785 * For IPv6 this is a check against the label of the port. 3786 */ 3787 static int smack_socket_sendmsg(struct socket *sock, struct msghdr *msg, 3788 int size) 3789 { 3790 struct sockaddr_in *sip = (struct sockaddr_in *) msg->msg_name; 3791 #if IS_ENABLED(CONFIG_IPV6) 3792 struct sockaddr_in6 *sap = (struct sockaddr_in6 *) msg->msg_name; 3793 #endif 3794 #ifdef SMACK_IPV6_SECMARK_LABELING 3795 struct socket_smack *ssp = sock->sk->sk_security; 3796 struct smack_known *rsp; 3797 #endif 3798 int rc = 0; 3799 3800 /* 3801 * Perfectly reasonable for this to be NULL 3802 */ 3803 if (sip == NULL) 3804 return 0; 3805 3806 switch (sock->sk->sk_family) { 3807 case AF_INET: 3808 rc = smack_netlabel_send(sock->sk, sip); 3809 break; 3810 case AF_INET6: 3811 #ifdef SMACK_IPV6_SECMARK_LABELING 3812 rsp = smack_ipv6host_label(sap); 3813 if (rsp != NULL) 3814 rc = smk_ipv6_check(ssp->smk_out, rsp, sap, 3815 SMK_CONNECTING); 3816 #endif 3817 #ifdef SMACK_IPV6_PORT_LABELING 3818 rc = smk_ipv6_port_check(sock->sk, sap, SMK_SENDING); 3819 #endif 3820 break; 3821 } 3822 return rc; 3823 } 3824 3825 /** 3826 * smack_from_secattr - Convert a netlabel attr.mls.lvl/attr.mls.cat pair to smack 3827 * @sap: netlabel secattr 3828 * @ssp: socket security information 3829 * 3830 * Returns a pointer to a Smack label entry found on the label list. 3831 */ 3832 static struct smack_known *smack_from_secattr(struct netlbl_lsm_secattr *sap, 3833 struct socket_smack *ssp) 3834 { 3835 struct smack_known *skp; 3836 int found = 0; 3837 int acat; 3838 int kcat; 3839 3840 if ((sap->flags & NETLBL_SECATTR_MLS_LVL) != 0) { 3841 /* 3842 * Looks like a CIPSO packet. 3843 * If there are flags but no level netlabel isn't 3844 * behaving the way we expect it to. 3845 * 3846 * Look it up in the label table 3847 * Without guidance regarding the smack value 3848 * for the packet fall back on the network 3849 * ambient value. 3850 */ 3851 rcu_read_lock(); 3852 list_for_each_entry(skp, &smack_known_list, list) { 3853 if (sap->attr.mls.lvl != skp->smk_netlabel.attr.mls.lvl) 3854 continue; 3855 /* 3856 * Compare the catsets. Use the netlbl APIs. 3857 */ 3858 if ((sap->flags & NETLBL_SECATTR_MLS_CAT) == 0) { 3859 if ((skp->smk_netlabel.flags & 3860 NETLBL_SECATTR_MLS_CAT) == 0) 3861 found = 1; 3862 break; 3863 } 3864 for (acat = -1, kcat = -1; acat == kcat; ) { 3865 acat = netlbl_catmap_walk(sap->attr.mls.cat, 3866 acat + 1); 3867 kcat = netlbl_catmap_walk( 3868 skp->smk_netlabel.attr.mls.cat, 3869 kcat + 1); 3870 if (acat < 0 || kcat < 0) 3871 break; 3872 } 3873 if (acat == kcat) { 3874 found = 1; 3875 break; 3876 } 3877 } 3878 rcu_read_unlock(); 3879 3880 if (found) 3881 return skp; 3882 3883 if (ssp != NULL && ssp->smk_in == &smack_known_star) 3884 return &smack_known_web; 3885 return &smack_known_star; 3886 } 3887 if ((sap->flags & NETLBL_SECATTR_SECID) != 0) { 3888 /* 3889 * Looks like a fallback, which gives us a secid. 3890 */ 3891 skp = smack_from_secid(sap->attr.secid); 3892 /* 3893 * This has got to be a bug because it is 3894 * impossible to specify a fallback without 3895 * specifying the label, which will ensure 3896 * it has a secid, and the only way to get a 3897 * secid is from a fallback. 3898 */ 3899 BUG_ON(skp == NULL); 3900 return skp; 3901 } 3902 /* 3903 * Without guidance regarding the smack value 3904 * for the packet fall back on the network 3905 * ambient value. 3906 */ 3907 return smack_net_ambient; 3908 } 3909 3910 #if IS_ENABLED(CONFIG_IPV6) 3911 static int smk_skb_to_addr_ipv6(struct sk_buff *skb, struct sockaddr_in6 *sip) 3912 { 3913 u8 nexthdr; 3914 int offset; 3915 int proto = -EINVAL; 3916 struct ipv6hdr _ipv6h; 3917 struct ipv6hdr *ip6; 3918 __be16 frag_off; 3919 struct tcphdr _tcph, *th; 3920 struct udphdr _udph, *uh; 3921 struct dccp_hdr _dccph, *dh; 3922 3923 sip->sin6_port = 0; 3924 3925 offset = skb_network_offset(skb); 3926 ip6 = skb_header_pointer(skb, offset, sizeof(_ipv6h), &_ipv6h); 3927 if (ip6 == NULL) 3928 return -EINVAL; 3929 sip->sin6_addr = ip6->saddr; 3930 3931 nexthdr = ip6->nexthdr; 3932 offset += sizeof(_ipv6h); 3933 offset = ipv6_skip_exthdr(skb, offset, &nexthdr, &frag_off); 3934 if (offset < 0) 3935 return -EINVAL; 3936 3937 proto = nexthdr; 3938 switch (proto) { 3939 case IPPROTO_TCP: 3940 th = skb_header_pointer(skb, offset, sizeof(_tcph), &_tcph); 3941 if (th != NULL) 3942 sip->sin6_port = th->source; 3943 break; 3944 case IPPROTO_UDP: 3945 uh = skb_header_pointer(skb, offset, sizeof(_udph), &_udph); 3946 if (uh != NULL) 3947 sip->sin6_port = uh->source; 3948 break; 3949 case IPPROTO_DCCP: 3950 dh = skb_header_pointer(skb, offset, sizeof(_dccph), &_dccph); 3951 if (dh != NULL) 3952 sip->sin6_port = dh->dccph_sport; 3953 break; 3954 } 3955 return proto; 3956 } 3957 #endif /* CONFIG_IPV6 */ 3958 3959 /** 3960 * smack_socket_sock_rcv_skb - Smack packet delivery access check 3961 * @sk: socket 3962 * @skb: packet 3963 * 3964 * Returns 0 if the packet should be delivered, an error code otherwise 3965 */ 3966 static int smack_socket_sock_rcv_skb(struct sock *sk, struct sk_buff *skb) 3967 { 3968 struct netlbl_lsm_secattr secattr; 3969 struct socket_smack *ssp = sk->sk_security; 3970 struct smack_known *skp = NULL; 3971 int rc = 0; 3972 struct smk_audit_info ad; 3973 #ifdef CONFIG_AUDIT 3974 struct lsm_network_audit net; 3975 #endif 3976 #if IS_ENABLED(CONFIG_IPV6) 3977 struct sockaddr_in6 sadd; 3978 int proto; 3979 #endif /* CONFIG_IPV6 */ 3980 3981 switch (sk->sk_family) { 3982 case PF_INET: 3983 #ifdef CONFIG_SECURITY_SMACK_NETFILTER 3984 /* 3985 * If there is a secmark use it rather than the CIPSO label. 3986 * If there is no secmark fall back to CIPSO. 3987 * The secmark is assumed to reflect policy better. 3988 */ 3989 if (skb && skb->secmark != 0) { 3990 skp = smack_from_secid(skb->secmark); 3991 goto access_check; 3992 } 3993 #endif /* CONFIG_SECURITY_SMACK_NETFILTER */ 3994 /* 3995 * Translate what netlabel gave us. 3996 */ 3997 netlbl_secattr_init(&secattr); 3998 3999 rc = netlbl_skbuff_getattr(skb, sk->sk_family, &secattr); 4000 if (rc == 0) 4001 skp = smack_from_secattr(&secattr, ssp); 4002 else 4003 skp = smack_net_ambient; 4004 4005 netlbl_secattr_destroy(&secattr); 4006 4007 #ifdef CONFIG_SECURITY_SMACK_NETFILTER 4008 access_check: 4009 #endif 4010 #ifdef CONFIG_AUDIT 4011 smk_ad_init_net(&ad, __func__, LSM_AUDIT_DATA_NET, &net); 4012 ad.a.u.net->family = sk->sk_family; 4013 ad.a.u.net->netif = skb->skb_iif; 4014 ipv4_skb_to_auditdata(skb, &ad.a, NULL); 4015 #endif 4016 /* 4017 * Receiving a packet requires that the other end 4018 * be able to write here. Read access is not required. 4019 * This is the simplist possible security model 4020 * for networking. 4021 */ 4022 rc = smk_access(skp, ssp->smk_in, MAY_WRITE, &ad); 4023 rc = smk_bu_note("IPv4 delivery", skp, ssp->smk_in, 4024 MAY_WRITE, rc); 4025 if (rc != 0) 4026 netlbl_skbuff_err(skb, sk->sk_family, rc, 0); 4027 break; 4028 #if IS_ENABLED(CONFIG_IPV6) 4029 case PF_INET6: 4030 proto = smk_skb_to_addr_ipv6(skb, &sadd); 4031 if (proto != IPPROTO_UDP && proto != IPPROTO_TCP) 4032 break; 4033 #ifdef SMACK_IPV6_SECMARK_LABELING 4034 if (skb && skb->secmark != 0) 4035 skp = smack_from_secid(skb->secmark); 4036 else 4037 skp = smack_ipv6host_label(&sadd); 4038 if (skp == NULL) 4039 skp = smack_net_ambient; 4040 #ifdef CONFIG_AUDIT 4041 smk_ad_init_net(&ad, __func__, LSM_AUDIT_DATA_NET, &net); 4042 ad.a.u.net->family = sk->sk_family; 4043 ad.a.u.net->netif = skb->skb_iif; 4044 ipv6_skb_to_auditdata(skb, &ad.a, NULL); 4045 #endif /* CONFIG_AUDIT */ 4046 rc = smk_access(skp, ssp->smk_in, MAY_WRITE, &ad); 4047 rc = smk_bu_note("IPv6 delivery", skp, ssp->smk_in, 4048 MAY_WRITE, rc); 4049 #endif /* SMACK_IPV6_SECMARK_LABELING */ 4050 #ifdef SMACK_IPV6_PORT_LABELING 4051 rc = smk_ipv6_port_check(sk, &sadd, SMK_RECEIVING); 4052 #endif /* SMACK_IPV6_PORT_LABELING */ 4053 break; 4054 #endif /* CONFIG_IPV6 */ 4055 } 4056 4057 return rc; 4058 } 4059 4060 /** 4061 * smack_socket_getpeersec_stream - pull in packet label 4062 * @sock: the socket 4063 * @optval: user's destination 4064 * @optlen: size thereof 4065 * @len: max thereof 4066 * 4067 * returns zero on success, an error code otherwise 4068 */ 4069 static int smack_socket_getpeersec_stream(struct socket *sock, 4070 char __user *optval, 4071 int __user *optlen, unsigned len) 4072 { 4073 struct socket_smack *ssp; 4074 char *rcp = ""; 4075 int slen = 1; 4076 int rc = 0; 4077 4078 ssp = sock->sk->sk_security; 4079 if (ssp->smk_packet != NULL) { 4080 rcp = ssp->smk_packet->smk_known; 4081 slen = strlen(rcp) + 1; 4082 } 4083 4084 if (slen > len) 4085 rc = -ERANGE; 4086 else if (copy_to_user(optval, rcp, slen) != 0) 4087 rc = -EFAULT; 4088 4089 if (put_user(slen, optlen) != 0) 4090 rc = -EFAULT; 4091 4092 return rc; 4093 } 4094 4095 4096 /** 4097 * smack_socket_getpeersec_dgram - pull in packet label 4098 * @sock: the peer socket 4099 * @skb: packet data 4100 * @secid: pointer to where to put the secid of the packet 4101 * 4102 * Sets the netlabel socket state on sk from parent 4103 */ 4104 static int smack_socket_getpeersec_dgram(struct socket *sock, 4105 struct sk_buff *skb, u32 *secid) 4106 4107 { 4108 struct netlbl_lsm_secattr secattr; 4109 struct socket_smack *ssp = NULL; 4110 struct smack_known *skp; 4111 int family = PF_UNSPEC; 4112 u32 s = 0; /* 0 is the invalid secid */ 4113 int rc; 4114 4115 if (skb != NULL) { 4116 if (skb->protocol == htons(ETH_P_IP)) 4117 family = PF_INET; 4118 #if IS_ENABLED(CONFIG_IPV6) 4119 else if (skb->protocol == htons(ETH_P_IPV6)) 4120 family = PF_INET6; 4121 #endif /* CONFIG_IPV6 */ 4122 } 4123 if (family == PF_UNSPEC && sock != NULL) 4124 family = sock->sk->sk_family; 4125 4126 switch (family) { 4127 case PF_UNIX: 4128 ssp = sock->sk->sk_security; 4129 s = ssp->smk_out->smk_secid; 4130 break; 4131 case PF_INET: 4132 #ifdef CONFIG_SECURITY_SMACK_NETFILTER 4133 s = skb->secmark; 4134 if (s != 0) 4135 break; 4136 #endif 4137 /* 4138 * Translate what netlabel gave us. 4139 */ 4140 if (sock != NULL && sock->sk != NULL) 4141 ssp = sock->sk->sk_security; 4142 netlbl_secattr_init(&secattr); 4143 rc = netlbl_skbuff_getattr(skb, family, &secattr); 4144 if (rc == 0) { 4145 skp = smack_from_secattr(&secattr, ssp); 4146 s = skp->smk_secid; 4147 } 4148 netlbl_secattr_destroy(&secattr); 4149 break; 4150 case PF_INET6: 4151 #ifdef SMACK_IPV6_SECMARK_LABELING 4152 s = skb->secmark; 4153 #endif 4154 break; 4155 } 4156 *secid = s; 4157 if (s == 0) 4158 return -EINVAL; 4159 return 0; 4160 } 4161 4162 /** 4163 * smack_sock_graft - Initialize a newly created socket with an existing sock 4164 * @sk: child sock 4165 * @parent: parent socket 4166 * 4167 * Set the smk_{in,out} state of an existing sock based on the process that 4168 * is creating the new socket. 4169 */ 4170 static void smack_sock_graft(struct sock *sk, struct socket *parent) 4171 { 4172 struct socket_smack *ssp; 4173 struct smack_known *skp = smk_of_current(); 4174 4175 if (sk == NULL || 4176 (sk->sk_family != PF_INET && sk->sk_family != PF_INET6)) 4177 return; 4178 4179 ssp = sk->sk_security; 4180 ssp->smk_in = skp; 4181 ssp->smk_out = skp; 4182 /* cssp->smk_packet is already set in smack_inet_csk_clone() */ 4183 } 4184 4185 /** 4186 * smack_inet_conn_request - Smack access check on connect 4187 * @sk: socket involved 4188 * @skb: packet 4189 * @req: unused 4190 * 4191 * Returns 0 if a task with the packet label could write to 4192 * the socket, otherwise an error code 4193 */ 4194 static int smack_inet_conn_request(struct sock *sk, struct sk_buff *skb, 4195 struct request_sock *req) 4196 { 4197 u16 family = sk->sk_family; 4198 struct smack_known *skp; 4199 struct socket_smack *ssp = sk->sk_security; 4200 struct netlbl_lsm_secattr secattr; 4201 struct sockaddr_in addr; 4202 struct iphdr *hdr; 4203 struct smack_known *hskp; 4204 int rc; 4205 struct smk_audit_info ad; 4206 #ifdef CONFIG_AUDIT 4207 struct lsm_network_audit net; 4208 #endif 4209 4210 #if IS_ENABLED(CONFIG_IPV6) 4211 if (family == PF_INET6) { 4212 /* 4213 * Handle mapped IPv4 packets arriving 4214 * via IPv6 sockets. Don't set up netlabel 4215 * processing on IPv6. 4216 */ 4217 if (skb->protocol == htons(ETH_P_IP)) 4218 family = PF_INET; 4219 else 4220 return 0; 4221 } 4222 #endif /* CONFIG_IPV6 */ 4223 4224 #ifdef CONFIG_SECURITY_SMACK_NETFILTER 4225 /* 4226 * If there is a secmark use it rather than the CIPSO label. 4227 * If there is no secmark fall back to CIPSO. 4228 * The secmark is assumed to reflect policy better. 4229 */ 4230 if (skb && skb->secmark != 0) { 4231 skp = smack_from_secid(skb->secmark); 4232 goto access_check; 4233 } 4234 #endif /* CONFIG_SECURITY_SMACK_NETFILTER */ 4235 4236 netlbl_secattr_init(&secattr); 4237 rc = netlbl_skbuff_getattr(skb, family, &secattr); 4238 if (rc == 0) 4239 skp = smack_from_secattr(&secattr, ssp); 4240 else 4241 skp = &smack_known_huh; 4242 netlbl_secattr_destroy(&secattr); 4243 4244 #ifdef CONFIG_SECURITY_SMACK_NETFILTER 4245 access_check: 4246 #endif 4247 4248 #ifdef CONFIG_AUDIT 4249 smk_ad_init_net(&ad, __func__, LSM_AUDIT_DATA_NET, &net); 4250 ad.a.u.net->family = family; 4251 ad.a.u.net->netif = skb->skb_iif; 4252 ipv4_skb_to_auditdata(skb, &ad.a, NULL); 4253 #endif 4254 /* 4255 * Receiving a packet requires that the other end be able to write 4256 * here. Read access is not required. 4257 */ 4258 rc = smk_access(skp, ssp->smk_in, MAY_WRITE, &ad); 4259 rc = smk_bu_note("IPv4 connect", skp, ssp->smk_in, MAY_WRITE, rc); 4260 if (rc != 0) 4261 return rc; 4262 4263 /* 4264 * Save the peer's label in the request_sock so we can later setup 4265 * smk_packet in the child socket so that SO_PEERCRED can report it. 4266 */ 4267 req->peer_secid = skp->smk_secid; 4268 4269 /* 4270 * We need to decide if we want to label the incoming connection here 4271 * if we do we only need to label the request_sock and the stack will 4272 * propagate the wire-label to the sock when it is created. 4273 */ 4274 hdr = ip_hdr(skb); 4275 addr.sin_addr.s_addr = hdr->saddr; 4276 rcu_read_lock(); 4277 hskp = smack_ipv4host_label(&addr); 4278 rcu_read_unlock(); 4279 4280 if (hskp == NULL) 4281 rc = netlbl_req_setattr(req, &skp->smk_netlabel); 4282 else 4283 netlbl_req_delattr(req); 4284 4285 return rc; 4286 } 4287 4288 /** 4289 * smack_inet_csk_clone - Copy the connection information to the new socket 4290 * @sk: the new socket 4291 * @req: the connection's request_sock 4292 * 4293 * Transfer the connection's peer label to the newly created socket. 4294 */ 4295 static void smack_inet_csk_clone(struct sock *sk, 4296 const struct request_sock *req) 4297 { 4298 struct socket_smack *ssp = sk->sk_security; 4299 struct smack_known *skp; 4300 4301 if (req->peer_secid != 0) { 4302 skp = smack_from_secid(req->peer_secid); 4303 ssp->smk_packet = skp; 4304 } else 4305 ssp->smk_packet = NULL; 4306 } 4307 4308 /* 4309 * Key management security hooks 4310 * 4311 * Casey has not tested key support very heavily. 4312 * The permission check is most likely too restrictive. 4313 * If you care about keys please have a look. 4314 */ 4315 #ifdef CONFIG_KEYS 4316 4317 /** 4318 * smack_key_alloc - Set the key security blob 4319 * @key: object 4320 * @cred: the credentials to use 4321 * @flags: unused 4322 * 4323 * No allocation required 4324 * 4325 * Returns 0 4326 */ 4327 static int smack_key_alloc(struct key *key, const struct cred *cred, 4328 unsigned long flags) 4329 { 4330 struct smack_known *skp = smk_of_task(cred->security); 4331 4332 key->security = skp; 4333 return 0; 4334 } 4335 4336 /** 4337 * smack_key_free - Clear the key security blob 4338 * @key: the object 4339 * 4340 * Clear the blob pointer 4341 */ 4342 static void smack_key_free(struct key *key) 4343 { 4344 key->security = NULL; 4345 } 4346 4347 /** 4348 * smack_key_permission - Smack access on a key 4349 * @key_ref: gets to the object 4350 * @cred: the credentials to use 4351 * @perm: requested key permissions 4352 * 4353 * Return 0 if the task has read and write to the object, 4354 * an error code otherwise 4355 */ 4356 static int smack_key_permission(key_ref_t key_ref, 4357 const struct cred *cred, unsigned perm) 4358 { 4359 struct key *keyp; 4360 struct smk_audit_info ad; 4361 struct smack_known *tkp = smk_of_task(cred->security); 4362 int request = 0; 4363 int rc; 4364 4365 keyp = key_ref_to_ptr(key_ref); 4366 if (keyp == NULL) 4367 return -EINVAL; 4368 /* 4369 * If the key hasn't been initialized give it access so that 4370 * it may do so. 4371 */ 4372 if (keyp->security == NULL) 4373 return 0; 4374 /* 4375 * This should not occur 4376 */ 4377 if (tkp == NULL) 4378 return -EACCES; 4379 #ifdef CONFIG_AUDIT 4380 smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_KEY); 4381 ad.a.u.key_struct.key = keyp->serial; 4382 ad.a.u.key_struct.key_desc = keyp->description; 4383 #endif 4384 if (perm & KEY_NEED_READ) 4385 request = MAY_READ; 4386 if (perm & (KEY_NEED_WRITE | KEY_NEED_LINK | KEY_NEED_SETATTR)) 4387 request = MAY_WRITE; 4388 rc = smk_access(tkp, keyp->security, request, &ad); 4389 rc = smk_bu_note("key access", tkp, keyp->security, request, rc); 4390 return rc; 4391 } 4392 4393 /* 4394 * smack_key_getsecurity - Smack label tagging the key 4395 * @key points to the key to be queried 4396 * @_buffer points to a pointer that should be set to point to the 4397 * resulting string (if no label or an error occurs). 4398 * Return the length of the string (including terminating NUL) or -ve if 4399 * an error. 4400 * May also return 0 (and a NULL buffer pointer) if there is no label. 4401 */ 4402 static int smack_key_getsecurity(struct key *key, char **_buffer) 4403 { 4404 struct smack_known *skp = key->security; 4405 size_t length; 4406 char *copy; 4407 4408 if (key->security == NULL) { 4409 *_buffer = NULL; 4410 return 0; 4411 } 4412 4413 copy = kstrdup(skp->smk_known, GFP_KERNEL); 4414 if (copy == NULL) 4415 return -ENOMEM; 4416 length = strlen(copy) + 1; 4417 4418 *_buffer = copy; 4419 return length; 4420 } 4421 4422 #endif /* CONFIG_KEYS */ 4423 4424 /* 4425 * Smack Audit hooks 4426 * 4427 * Audit requires a unique representation of each Smack specific 4428 * rule. This unique representation is used to distinguish the 4429 * object to be audited from remaining kernel objects and also 4430 * works as a glue between the audit hooks. 4431 * 4432 * Since repository entries are added but never deleted, we'll use 4433 * the smack_known label address related to the given audit rule as 4434 * the needed unique representation. This also better fits the smack 4435 * model where nearly everything is a label. 4436 */ 4437 #ifdef CONFIG_AUDIT 4438 4439 /** 4440 * smack_audit_rule_init - Initialize a smack audit rule 4441 * @field: audit rule fields given from user-space (audit.h) 4442 * @op: required testing operator (=, !=, >, <, ...) 4443 * @rulestr: smack label to be audited 4444 * @vrule: pointer to save our own audit rule representation 4445 * 4446 * Prepare to audit cases where (@field @op @rulestr) is true. 4447 * The label to be audited is created if necessay. 4448 */ 4449 static int smack_audit_rule_init(u32 field, u32 op, char *rulestr, void **vrule) 4450 { 4451 struct smack_known *skp; 4452 char **rule = (char **)vrule; 4453 *rule = NULL; 4454 4455 if (field != AUDIT_SUBJ_USER && field != AUDIT_OBJ_USER) 4456 return -EINVAL; 4457 4458 if (op != Audit_equal && op != Audit_not_equal) 4459 return -EINVAL; 4460 4461 skp = smk_import_entry(rulestr, 0); 4462 if (IS_ERR(skp)) 4463 return PTR_ERR(skp); 4464 4465 *rule = skp->smk_known; 4466 4467 return 0; 4468 } 4469 4470 /** 4471 * smack_audit_rule_known - Distinguish Smack audit rules 4472 * @krule: rule of interest, in Audit kernel representation format 4473 * 4474 * This is used to filter Smack rules from remaining Audit ones. 4475 * If it's proved that this rule belongs to us, the 4476 * audit_rule_match hook will be called to do the final judgement. 4477 */ 4478 static int smack_audit_rule_known(struct audit_krule *krule) 4479 { 4480 struct audit_field *f; 4481 int i; 4482 4483 for (i = 0; i < krule->field_count; i++) { 4484 f = &krule->fields[i]; 4485 4486 if (f->type == AUDIT_SUBJ_USER || f->type == AUDIT_OBJ_USER) 4487 return 1; 4488 } 4489 4490 return 0; 4491 } 4492 4493 /** 4494 * smack_audit_rule_match - Audit given object ? 4495 * @secid: security id for identifying the object to test 4496 * @field: audit rule flags given from user-space 4497 * @op: required testing operator 4498 * @vrule: smack internal rule presentation 4499 * @actx: audit context associated with the check 4500 * 4501 * The core Audit hook. It's used to take the decision of 4502 * whether to audit or not to audit a given object. 4503 */ 4504 static int smack_audit_rule_match(u32 secid, u32 field, u32 op, void *vrule, 4505 struct audit_context *actx) 4506 { 4507 struct smack_known *skp; 4508 char *rule = vrule; 4509 4510 if (unlikely(!rule)) { 4511 WARN_ONCE(1, "Smack: missing rule\n"); 4512 return -ENOENT; 4513 } 4514 4515 if (field != AUDIT_SUBJ_USER && field != AUDIT_OBJ_USER) 4516 return 0; 4517 4518 skp = smack_from_secid(secid); 4519 4520 /* 4521 * No need to do string comparisons. If a match occurs, 4522 * both pointers will point to the same smack_known 4523 * label. 4524 */ 4525 if (op == Audit_equal) 4526 return (rule == skp->smk_known); 4527 if (op == Audit_not_equal) 4528 return (rule != skp->smk_known); 4529 4530 return 0; 4531 } 4532 4533 /* 4534 * There is no need for a smack_audit_rule_free hook. 4535 * No memory was allocated. 4536 */ 4537 4538 #endif /* CONFIG_AUDIT */ 4539 4540 /** 4541 * smack_ismaclabel - check if xattr @name references a smack MAC label 4542 * @name: Full xattr name to check. 4543 */ 4544 static int smack_ismaclabel(const char *name) 4545 { 4546 return (strcmp(name, XATTR_SMACK_SUFFIX) == 0); 4547 } 4548 4549 4550 /** 4551 * smack_secid_to_secctx - return the smack label for a secid 4552 * @secid: incoming integer 4553 * @secdata: destination 4554 * @seclen: how long it is 4555 * 4556 * Exists for networking code. 4557 */ 4558 static int smack_secid_to_secctx(u32 secid, char **secdata, u32 *seclen) 4559 { 4560 struct smack_known *skp = smack_from_secid(secid); 4561 4562 if (secdata) 4563 *secdata = skp->smk_known; 4564 *seclen = strlen(skp->smk_known); 4565 return 0; 4566 } 4567 4568 /** 4569 * smack_secctx_to_secid - return the secid for a smack label 4570 * @secdata: smack label 4571 * @seclen: how long result is 4572 * @secid: outgoing integer 4573 * 4574 * Exists for audit and networking code. 4575 */ 4576 static int smack_secctx_to_secid(const char *secdata, u32 seclen, u32 *secid) 4577 { 4578 struct smack_known *skp = smk_find_entry(secdata); 4579 4580 if (skp) 4581 *secid = skp->smk_secid; 4582 else 4583 *secid = 0; 4584 return 0; 4585 } 4586 4587 /* 4588 * There used to be a smack_release_secctx hook 4589 * that did nothing back when hooks were in a vector. 4590 * Now that there's a list such a hook adds cost. 4591 */ 4592 4593 static int smack_inode_notifysecctx(struct inode *inode, void *ctx, u32 ctxlen) 4594 { 4595 return smack_inode_setsecurity(inode, XATTR_SMACK_SUFFIX, ctx, ctxlen, 0); 4596 } 4597 4598 static int smack_inode_setsecctx(struct dentry *dentry, void *ctx, u32 ctxlen) 4599 { 4600 return __vfs_setxattr_noperm(dentry, XATTR_NAME_SMACK, ctx, ctxlen, 0); 4601 } 4602 4603 static int smack_inode_getsecctx(struct inode *inode, void **ctx, u32 *ctxlen) 4604 { 4605 int len = 0; 4606 len = smack_inode_getsecurity(inode, XATTR_SMACK_SUFFIX, ctx, true); 4607 4608 if (len < 0) 4609 return len; 4610 *ctxlen = len; 4611 return 0; 4612 } 4613 4614 static struct security_hook_list smack_hooks[] = { 4615 LSM_HOOK_INIT(ptrace_access_check, smack_ptrace_access_check), 4616 LSM_HOOK_INIT(ptrace_traceme, smack_ptrace_traceme), 4617 LSM_HOOK_INIT(syslog, smack_syslog), 4618 4619 LSM_HOOK_INIT(sb_alloc_security, smack_sb_alloc_security), 4620 LSM_HOOK_INIT(sb_free_security, smack_sb_free_security), 4621 LSM_HOOK_INIT(sb_copy_data, smack_sb_copy_data), 4622 LSM_HOOK_INIT(sb_kern_mount, smack_sb_kern_mount), 4623 LSM_HOOK_INIT(sb_statfs, smack_sb_statfs), 4624 LSM_HOOK_INIT(sb_set_mnt_opts, smack_set_mnt_opts), 4625 LSM_HOOK_INIT(sb_parse_opts_str, smack_parse_opts_str), 4626 4627 LSM_HOOK_INIT(bprm_set_creds, smack_bprm_set_creds), 4628 LSM_HOOK_INIT(bprm_committing_creds, smack_bprm_committing_creds), 4629 LSM_HOOK_INIT(bprm_secureexec, smack_bprm_secureexec), 4630 4631 LSM_HOOK_INIT(inode_alloc_security, smack_inode_alloc_security), 4632 LSM_HOOK_INIT(inode_free_security, smack_inode_free_security), 4633 LSM_HOOK_INIT(inode_init_security, smack_inode_init_security), 4634 LSM_HOOK_INIT(inode_link, smack_inode_link), 4635 LSM_HOOK_INIT(inode_unlink, smack_inode_unlink), 4636 LSM_HOOK_INIT(inode_rmdir, smack_inode_rmdir), 4637 LSM_HOOK_INIT(inode_rename, smack_inode_rename), 4638 LSM_HOOK_INIT(inode_permission, smack_inode_permission), 4639 LSM_HOOK_INIT(inode_setattr, smack_inode_setattr), 4640 LSM_HOOK_INIT(inode_getattr, smack_inode_getattr), 4641 LSM_HOOK_INIT(inode_setxattr, smack_inode_setxattr), 4642 LSM_HOOK_INIT(inode_post_setxattr, smack_inode_post_setxattr), 4643 LSM_HOOK_INIT(inode_getxattr, smack_inode_getxattr), 4644 LSM_HOOK_INIT(inode_removexattr, smack_inode_removexattr), 4645 LSM_HOOK_INIT(inode_getsecurity, smack_inode_getsecurity), 4646 LSM_HOOK_INIT(inode_setsecurity, smack_inode_setsecurity), 4647 LSM_HOOK_INIT(inode_listsecurity, smack_inode_listsecurity), 4648 LSM_HOOK_INIT(inode_getsecid, smack_inode_getsecid), 4649 4650 LSM_HOOK_INIT(file_alloc_security, smack_file_alloc_security), 4651 LSM_HOOK_INIT(file_free_security, smack_file_free_security), 4652 LSM_HOOK_INIT(file_ioctl, smack_file_ioctl), 4653 LSM_HOOK_INIT(file_lock, smack_file_lock), 4654 LSM_HOOK_INIT(file_fcntl, smack_file_fcntl), 4655 LSM_HOOK_INIT(mmap_file, smack_mmap_file), 4656 LSM_HOOK_INIT(mmap_addr, cap_mmap_addr), 4657 LSM_HOOK_INIT(file_set_fowner, smack_file_set_fowner), 4658 LSM_HOOK_INIT(file_send_sigiotask, smack_file_send_sigiotask), 4659 LSM_HOOK_INIT(file_receive, smack_file_receive), 4660 4661 LSM_HOOK_INIT(file_open, smack_file_open), 4662 4663 LSM_HOOK_INIT(cred_alloc_blank, smack_cred_alloc_blank), 4664 LSM_HOOK_INIT(cred_free, smack_cred_free), 4665 LSM_HOOK_INIT(cred_prepare, smack_cred_prepare), 4666 LSM_HOOK_INIT(cred_transfer, smack_cred_transfer), 4667 LSM_HOOK_INIT(kernel_act_as, smack_kernel_act_as), 4668 LSM_HOOK_INIT(kernel_create_files_as, smack_kernel_create_files_as), 4669 LSM_HOOK_INIT(task_setpgid, smack_task_setpgid), 4670 LSM_HOOK_INIT(task_getpgid, smack_task_getpgid), 4671 LSM_HOOK_INIT(task_getsid, smack_task_getsid), 4672 LSM_HOOK_INIT(task_getsecid, smack_task_getsecid), 4673 LSM_HOOK_INIT(task_setnice, smack_task_setnice), 4674 LSM_HOOK_INIT(task_setioprio, smack_task_setioprio), 4675 LSM_HOOK_INIT(task_getioprio, smack_task_getioprio), 4676 LSM_HOOK_INIT(task_setscheduler, smack_task_setscheduler), 4677 LSM_HOOK_INIT(task_getscheduler, smack_task_getscheduler), 4678 LSM_HOOK_INIT(task_movememory, smack_task_movememory), 4679 LSM_HOOK_INIT(task_kill, smack_task_kill), 4680 LSM_HOOK_INIT(task_wait, smack_task_wait), 4681 LSM_HOOK_INIT(task_to_inode, smack_task_to_inode), 4682 4683 LSM_HOOK_INIT(ipc_permission, smack_ipc_permission), 4684 LSM_HOOK_INIT(ipc_getsecid, smack_ipc_getsecid), 4685 4686 LSM_HOOK_INIT(msg_msg_alloc_security, smack_msg_msg_alloc_security), 4687 LSM_HOOK_INIT(msg_msg_free_security, smack_msg_msg_free_security), 4688 4689 LSM_HOOK_INIT(msg_queue_alloc_security, smack_msg_queue_alloc_security), 4690 LSM_HOOK_INIT(msg_queue_free_security, smack_msg_queue_free_security), 4691 LSM_HOOK_INIT(msg_queue_associate, smack_msg_queue_associate), 4692 LSM_HOOK_INIT(msg_queue_msgctl, smack_msg_queue_msgctl), 4693 LSM_HOOK_INIT(msg_queue_msgsnd, smack_msg_queue_msgsnd), 4694 LSM_HOOK_INIT(msg_queue_msgrcv, smack_msg_queue_msgrcv), 4695 4696 LSM_HOOK_INIT(shm_alloc_security, smack_shm_alloc_security), 4697 LSM_HOOK_INIT(shm_free_security, smack_shm_free_security), 4698 LSM_HOOK_INIT(shm_associate, smack_shm_associate), 4699 LSM_HOOK_INIT(shm_shmctl, smack_shm_shmctl), 4700 LSM_HOOK_INIT(shm_shmat, smack_shm_shmat), 4701 4702 LSM_HOOK_INIT(sem_alloc_security, smack_sem_alloc_security), 4703 LSM_HOOK_INIT(sem_free_security, smack_sem_free_security), 4704 LSM_HOOK_INIT(sem_associate, smack_sem_associate), 4705 LSM_HOOK_INIT(sem_semctl, smack_sem_semctl), 4706 LSM_HOOK_INIT(sem_semop, smack_sem_semop), 4707 4708 LSM_HOOK_INIT(d_instantiate, smack_d_instantiate), 4709 4710 LSM_HOOK_INIT(getprocattr, smack_getprocattr), 4711 LSM_HOOK_INIT(setprocattr, smack_setprocattr), 4712 4713 LSM_HOOK_INIT(unix_stream_connect, smack_unix_stream_connect), 4714 LSM_HOOK_INIT(unix_may_send, smack_unix_may_send), 4715 4716 LSM_HOOK_INIT(socket_post_create, smack_socket_post_create), 4717 #ifdef SMACK_IPV6_PORT_LABELING 4718 LSM_HOOK_INIT(socket_bind, smack_socket_bind), 4719 #endif 4720 LSM_HOOK_INIT(socket_connect, smack_socket_connect), 4721 LSM_HOOK_INIT(socket_sendmsg, smack_socket_sendmsg), 4722 LSM_HOOK_INIT(socket_sock_rcv_skb, smack_socket_sock_rcv_skb), 4723 LSM_HOOK_INIT(socket_getpeersec_stream, smack_socket_getpeersec_stream), 4724 LSM_HOOK_INIT(socket_getpeersec_dgram, smack_socket_getpeersec_dgram), 4725 LSM_HOOK_INIT(sk_alloc_security, smack_sk_alloc_security), 4726 LSM_HOOK_INIT(sk_free_security, smack_sk_free_security), 4727 LSM_HOOK_INIT(sock_graft, smack_sock_graft), 4728 LSM_HOOK_INIT(inet_conn_request, smack_inet_conn_request), 4729 LSM_HOOK_INIT(inet_csk_clone, smack_inet_csk_clone), 4730 4731 /* key management security hooks */ 4732 #ifdef CONFIG_KEYS 4733 LSM_HOOK_INIT(key_alloc, smack_key_alloc), 4734 LSM_HOOK_INIT(key_free, smack_key_free), 4735 LSM_HOOK_INIT(key_permission, smack_key_permission), 4736 LSM_HOOK_INIT(key_getsecurity, smack_key_getsecurity), 4737 #endif /* CONFIG_KEYS */ 4738 4739 /* Audit hooks */ 4740 #ifdef CONFIG_AUDIT 4741 LSM_HOOK_INIT(audit_rule_init, smack_audit_rule_init), 4742 LSM_HOOK_INIT(audit_rule_known, smack_audit_rule_known), 4743 LSM_HOOK_INIT(audit_rule_match, smack_audit_rule_match), 4744 #endif /* CONFIG_AUDIT */ 4745 4746 LSM_HOOK_INIT(ismaclabel, smack_ismaclabel), 4747 LSM_HOOK_INIT(secid_to_secctx, smack_secid_to_secctx), 4748 LSM_HOOK_INIT(secctx_to_secid, smack_secctx_to_secid), 4749 LSM_HOOK_INIT(inode_notifysecctx, smack_inode_notifysecctx), 4750 LSM_HOOK_INIT(inode_setsecctx, smack_inode_setsecctx), 4751 LSM_HOOK_INIT(inode_getsecctx, smack_inode_getsecctx), 4752 }; 4753 4754 4755 static __init void init_smack_known_list(void) 4756 { 4757 /* 4758 * Initialize rule list locks 4759 */ 4760 mutex_init(&smack_known_huh.smk_rules_lock); 4761 mutex_init(&smack_known_hat.smk_rules_lock); 4762 mutex_init(&smack_known_floor.smk_rules_lock); 4763 mutex_init(&smack_known_star.smk_rules_lock); 4764 mutex_init(&smack_known_invalid.smk_rules_lock); 4765 mutex_init(&smack_known_web.smk_rules_lock); 4766 /* 4767 * Initialize rule lists 4768 */ 4769 INIT_LIST_HEAD(&smack_known_huh.smk_rules); 4770 INIT_LIST_HEAD(&smack_known_hat.smk_rules); 4771 INIT_LIST_HEAD(&smack_known_star.smk_rules); 4772 INIT_LIST_HEAD(&smack_known_floor.smk_rules); 4773 INIT_LIST_HEAD(&smack_known_invalid.smk_rules); 4774 INIT_LIST_HEAD(&smack_known_web.smk_rules); 4775 /* 4776 * Create the known labels list 4777 */ 4778 smk_insert_entry(&smack_known_huh); 4779 smk_insert_entry(&smack_known_hat); 4780 smk_insert_entry(&smack_known_star); 4781 smk_insert_entry(&smack_known_floor); 4782 smk_insert_entry(&smack_known_invalid); 4783 smk_insert_entry(&smack_known_web); 4784 } 4785 4786 /** 4787 * smack_init - initialize the smack system 4788 * 4789 * Returns 0 4790 */ 4791 static __init int smack_init(void) 4792 { 4793 struct cred *cred; 4794 struct task_smack *tsp; 4795 4796 if (!security_module_enable("smack")) 4797 return 0; 4798 4799 smack_inode_cache = KMEM_CACHE(inode_smack, 0); 4800 if (!smack_inode_cache) 4801 return -ENOMEM; 4802 4803 tsp = new_task_smack(&smack_known_floor, &smack_known_floor, 4804 GFP_KERNEL); 4805 if (tsp == NULL) { 4806 kmem_cache_destroy(smack_inode_cache); 4807 return -ENOMEM; 4808 } 4809 4810 smack_enabled = 1; 4811 4812 pr_info("Smack: Initializing.\n"); 4813 #ifdef CONFIG_SECURITY_SMACK_NETFILTER 4814 pr_info("Smack: Netfilter enabled.\n"); 4815 #endif 4816 #ifdef SMACK_IPV6_PORT_LABELING 4817 pr_info("Smack: IPv6 port labeling enabled.\n"); 4818 #endif 4819 #ifdef SMACK_IPV6_SECMARK_LABELING 4820 pr_info("Smack: IPv6 Netfilter enabled.\n"); 4821 #endif 4822 4823 /* 4824 * Set the security state for the initial task. 4825 */ 4826 cred = (struct cred *) current->cred; 4827 cred->security = tsp; 4828 4829 /* initialize the smack_known_list */ 4830 init_smack_known_list(); 4831 4832 /* 4833 * Register with LSM 4834 */ 4835 security_add_hooks(smack_hooks, ARRAY_SIZE(smack_hooks)); 4836 4837 return 0; 4838 } 4839 4840 /* 4841 * Smack requires early initialization in order to label 4842 * all processes and objects when they are created. 4843 */ 4844 security_initcall(smack_init); 4845