Lines Matching +full:user +full:- +full:otp
1 // SPDX-License-Identifier: GPL-2.0-only
8 * Casey Schaufler <casey@schaufler-ca.com>
11 * Copyright (C) 2007 Casey Schaufler <casey@schaufler-ca.com>
12 * Copyright (C) 2009 Hewlett-Packard Development Company, L.P.
13 * Paul Moore <paul@paul-moore.com>
58 * SMACK64 - for access control,
59 * SMACK64TRANSMUTE - label initialization,
60 * Not saved on files - SMACK64IPIN and SMACK64IPOUT,
61 * Must be set explicitly - SMACK64EXEC and SMACK64MMAP
72 #define A(s) {"smack"#s, sizeof("smack"#s) - 1, Opt_##s}
78 {"smackfsdef", sizeof("smackfsdef") - 1, Opt_fsdefault},
126 sskp->smk_known, oskp->smk_known, acc, note); in smk_bu_note()
147 tsp->smk_task->smk_known, oskp->smk_known, in smk_bu_current()
148 acc, current->comm, note); in smk_bu_current()
156 static int smk_bu_task(struct task_struct *otp, int mode, int rc) in smk_bu_task() argument
159 struct smack_known *smk_task = smk_of_task_struct_obj(otp); in smk_bu_task()
169 tsp->smk_task->smk_known, smk_task->smk_known, acc, in smk_bu_task()
170 current->comm, otp->comm); in smk_bu_task()
174 #define smk_bu_task(otp, mode, RC) (RC) argument
184 if (isp->smk_flags & SMK_INODE_IMPURE) in smk_bu_inode()
186 inode->i_sb->s_id, inode->i_ino, current->comm); in smk_bu_inode()
194 isp->smk_flags |= SMK_INODE_IMPURE; in smk_bu_inode()
199 tsp->smk_task->smk_known, isp->smk_inode->smk_known, acc, in smk_bu_inode()
200 inode->i_sb->s_id, inode->i_ino, current->comm); in smk_bu_inode()
211 struct smack_known *sskp = tsp->smk_task; in smk_bu_file()
216 if (isp->smk_flags & SMK_INODE_IMPURE) in smk_bu_file()
218 inode->i_sb->s_id, inode->i_ino, current->comm); in smk_bu_file()
227 sskp->smk_known, smk_of_inode(inode)->smk_known, acc, in smk_bu_file()
228 inode->i_sb->s_id, inode->i_ino, file, in smk_bu_file()
229 current->comm); in smk_bu_file()
241 struct smack_known *sskp = tsp->smk_task; in smk_bu_credfile()
246 if (isp->smk_flags & SMK_INODE_IMPURE) in smk_bu_credfile()
248 inode->i_sb->s_id, inode->i_ino, current->comm); in smk_bu_credfile()
257 sskp->smk_known, smk_of_inode(inode)->smk_known, acc, in smk_bu_credfile()
258 inode->i_sb->s_id, inode->i_ino, file, in smk_bu_credfile()
259 current->comm); in smk_bu_credfile()
267 * smk_fetch - Fetch the smack label from a file.
282 if (!(ip->i_opflags & IOP_XATTR)) in smk_fetch()
283 return ERR_PTR(-EOPNOTSUPP); in smk_fetch()
287 return ERR_PTR(-ENOMEM); in smk_fetch()
303 * init_inode_smack - initialize an inode security blob
312 isp->smk_inode = skp; in init_inode_smack()
313 isp->smk_flags = 0; in init_inode_smack()
317 * init_task_smack - initialize a task security blob
326 tsp->smk_task = task; in init_task_smack()
327 tsp->smk_forked = forked; in init_task_smack()
328 INIT_LIST_HEAD(&tsp->smk_rules); in init_task_smack()
329 INIT_LIST_HEAD(&tsp->smk_relabel); in init_task_smack()
330 mutex_init(&tsp->smk_rules_lock); in init_task_smack()
334 * smk_copy_rules - copy a rule set
339 * Returns 0 on success, -ENOMEM on error
351 rc = -ENOMEM; in smk_copy_rules()
355 list_add_rcu(&nrp->list, nhead); in smk_copy_rules()
361 * smk_copy_relabel - copy smk_relabel labels list
366 * Returns 0 on success, -ENOMEM on error
378 return -ENOMEM; in smk_copy_relabel()
380 nklep->smk_label = oklep->smk_label; in smk_copy_relabel()
381 list_add(&nklep->list, nhead); in smk_copy_relabel()
388 * smk_ptrace_mode - helper function for converting PTRACE_MODE_* into MAY_*
404 * smk_ptrace_rule_check - helper for ptrace access
410 * Returns 0 on access granted, -error on error
436 if (tracer_known->smk_known == tracee_known->smk_known) in smk_ptrace_rule_check()
439 rc = -EACCES; in smk_ptrace_rule_check()
443 rc = -EACCES; in smk_ptrace_rule_check()
446 smack_log(tracer_known->smk_known, in smk_ptrace_rule_check()
447 tracee_known->smk_known, in smk_ptrace_rule_check()
467 * smack_ptrace_access_check - Smack approval on PTRACE_ATTACH
485 * smack_ptrace_traceme - Smack approval on PTRACE_TRACEME
502 * smack_syslog - Smack approval on syslog
516 rc = -EACCES; in smack_syslog()
526 * smack_sb_alloc_security - allocate a superblock blob
529 * Returns 0 on success or -ENOMEM on error.
535 sbsp->smk_root = &smack_known_floor; in smack_sb_alloc_security()
536 sbsp->smk_default = &smack_known_floor; in smack_sb_alloc_security()
537 sbsp->smk_floor = &smack_known_floor; in smack_sb_alloc_security()
538 sbsp->smk_hat = &smack_known_hat; in smack_sb_alloc_security()
567 return -ENOMEM; in smack_add_opt()
571 return -ENOMEM; in smack_add_opt()
579 if (opts->fsdefault) in smack_add_opt()
581 opts->fsdefault = skp->smk_known; in smack_add_opt()
584 if (opts->fsfloor) in smack_add_opt()
586 opts->fsfloor = skp->smk_known; in smack_add_opt()
589 if (opts->fshat) in smack_add_opt()
591 opts->fshat = skp->smk_known; in smack_add_opt()
594 if (opts->fsroot) in smack_add_opt()
596 opts->fsroot = skp->smk_known; in smack_add_opt()
599 if (opts->fstransmute) in smack_add_opt()
601 opts->fstransmute = skp->smk_known; in smack_add_opt()
608 return -EINVAL; in smack_add_opt()
612 * smack_fs_context_submount - Initialise security data for a filesystem context
616 * Returns 0 on success or -ENOMEM on error.
627 return -ENOMEM; in smack_fs_context_submount()
628 fc->security = ctx; in smack_fs_context_submount()
631 isp = smack_inode(reference->s_root->d_inode); in smack_fs_context_submount()
633 if (sbsp->smk_default) { in smack_fs_context_submount()
634 ctx->fsdefault = kstrdup(sbsp->smk_default->smk_known, GFP_KERNEL); in smack_fs_context_submount()
635 if (!ctx->fsdefault) in smack_fs_context_submount()
636 return -ENOMEM; in smack_fs_context_submount()
639 if (sbsp->smk_floor) { in smack_fs_context_submount()
640 ctx->fsfloor = kstrdup(sbsp->smk_floor->smk_known, GFP_KERNEL); in smack_fs_context_submount()
641 if (!ctx->fsfloor) in smack_fs_context_submount()
642 return -ENOMEM; in smack_fs_context_submount()
645 if (sbsp->smk_hat) { in smack_fs_context_submount()
646 ctx->fshat = kstrdup(sbsp->smk_hat->smk_known, GFP_KERNEL); in smack_fs_context_submount()
647 if (!ctx->fshat) in smack_fs_context_submount()
648 return -ENOMEM; in smack_fs_context_submount()
651 if (isp->smk_flags & SMK_INODE_TRANSMUTE) { in smack_fs_context_submount()
652 if (sbsp->smk_root) { in smack_fs_context_submount()
653 ctx->fstransmute = kstrdup(sbsp->smk_root->smk_known, GFP_KERNEL); in smack_fs_context_submount()
654 if (!ctx->fstransmute) in smack_fs_context_submount()
655 return -ENOMEM; in smack_fs_context_submount()
662 * smack_fs_context_dup - Duplicate the security data on fs_context duplication
666 * Returns 0 on success or -ENOMEM on error.
671 struct smack_mnt_opts *dst, *src = src_fc->security; in smack_fs_context_dup()
676 fc->security = kzalloc(sizeof(struct smack_mnt_opts), GFP_KERNEL); in smack_fs_context_dup()
677 if (!fc->security) in smack_fs_context_dup()
678 return -ENOMEM; in smack_fs_context_dup()
680 dst = fc->security; in smack_fs_context_dup()
681 dst->fsdefault = src->fsdefault; in smack_fs_context_dup()
682 dst->fsfloor = src->fsfloor; in smack_fs_context_dup()
683 dst->fshat = src->fshat; in smack_fs_context_dup()
684 dst->fsroot = src->fsroot; in smack_fs_context_dup()
685 dst->fstransmute = src->fstransmute; in smack_fs_context_dup()
701 * smack_fs_context_parse_param - Parse a single mount parameter
705 * Returns 0 on success, -ENOPARAM to pass the parameter on or anything else on
718 rc = smack_add_opt(opt, param->string, &fc->security); in smack_fs_context_parse_param()
720 param->string = NULL; in smack_fs_context_parse_param()
735 len = next - from; in smack_sb_eat_lsm_opts()
741 arg = kmemdup_nul(arg, from + len - arg, GFP_KERNEL); in smack_sb_eat_lsm_opts()
752 from--; in smack_sb_eat_lsm_opts()
769 * smack_set_mnt_opts - set Smack specific mount options
772 * @kern_flags: mount option from kernel space or user space
785 struct dentry *root = sb->s_root; in smack_set_mnt_opts()
793 if (sp->smk_flags & SMK_SB_INITIALIZED) in smack_set_mnt_opts()
801 return -EPERM; in smack_set_mnt_opts()
806 sp->smk_root = skp; in smack_set_mnt_opts()
807 sp->smk_default = skp; in smack_set_mnt_opts()
809 * For a handful of fs types with no user-controlled in smack_set_mnt_opts()
813 if (sb->s_user_ns != &init_user_ns && in smack_set_mnt_opts()
814 sb->s_magic != SYSFS_MAGIC && sb->s_magic != TMPFS_MAGIC && in smack_set_mnt_opts()
815 sb->s_magic != RAMFS_MAGIC) { in smack_set_mnt_opts()
817 sp->smk_flags |= SMK_SB_UNTRUSTED; in smack_set_mnt_opts()
821 sp->smk_flags |= SMK_SB_INITIALIZED; in smack_set_mnt_opts()
824 if (opts->fsdefault) { in smack_set_mnt_opts()
825 skp = smk_import_entry(opts->fsdefault, 0); in smack_set_mnt_opts()
828 sp->smk_default = skp; in smack_set_mnt_opts()
830 if (opts->fsfloor) { in smack_set_mnt_opts()
831 skp = smk_import_entry(opts->fsfloor, 0); in smack_set_mnt_opts()
834 sp->smk_floor = skp; in smack_set_mnt_opts()
836 if (opts->fshat) { in smack_set_mnt_opts()
837 skp = smk_import_entry(opts->fshat, 0); in smack_set_mnt_opts()
840 sp->smk_hat = skp; in smack_set_mnt_opts()
842 if (opts->fsroot) { in smack_set_mnt_opts()
843 skp = smk_import_entry(opts->fsroot, 0); in smack_set_mnt_opts()
846 sp->smk_root = skp; in smack_set_mnt_opts()
848 if (opts->fstransmute) { in smack_set_mnt_opts()
849 skp = smk_import_entry(opts->fstransmute, 0); in smack_set_mnt_opts()
852 sp->smk_root = skp; in smack_set_mnt_opts()
860 init_inode_smack(inode, sp->smk_root); in smack_set_mnt_opts()
864 isp->smk_flags |= SMK_INODE_TRANSMUTE; in smack_set_mnt_opts()
871 * smack_sb_statfs - Smack check on statfs
879 struct superblock_smack *sbp = smack_superblock(dentry->d_sb); in smack_sb_statfs()
886 rc = smk_curacc(sbp->smk_floor, MAY_READ, &ad); in smack_sb_statfs()
887 rc = smk_bu_current("statfs", sbp->smk_floor, MAY_READ, rc); in smack_sb_statfs()
896 * smack_bprm_creds_for_exec - Update bprm->cred if needed for exec
899 * Returns 0 if it gets a blob, -EPERM if exec forbidden and -ENOMEM otherwise
903 struct inode *inode = file_inode(bprm->file); in smack_bprm_creds_for_exec()
904 struct task_smack *bsp = smack_cred(bprm->cred); in smack_bprm_creds_for_exec()
910 if (isp->smk_task == NULL || isp->smk_task == bsp->smk_task) in smack_bprm_creds_for_exec()
913 sbsp = smack_superblock(inode->i_sb); in smack_bprm_creds_for_exec()
914 if ((sbsp->smk_flags & SMK_SB_UNTRUSTED) && in smack_bprm_creds_for_exec()
915 isp->smk_task != sbsp->smk_root) in smack_bprm_creds_for_exec()
918 if (bprm->unsafe & LSM_UNSAFE_PTRACE) { in smack_bprm_creds_for_exec()
926 isp->smk_task, in smack_bprm_creds_for_exec()
934 if (bprm->unsafe & ~LSM_UNSAFE_PTRACE) in smack_bprm_creds_for_exec()
935 return -EPERM; in smack_bprm_creds_for_exec()
937 bsp->smk_task = isp->smk_task; in smack_bprm_creds_for_exec()
938 bprm->per_clear |= PER_CLEAR_ON_SETID; in smack_bprm_creds_for_exec()
941 if (bsp->smk_task != bsp->smk_forked) in smack_bprm_creds_for_exec()
942 bprm->secureexec = 1; in smack_bprm_creds_for_exec()
952 * smack_inode_alloc_security - allocate an inode blob
966 * smack_inode_init_security - copy out the smack from an inode
971 * @xattr_count: current number of LSM-provided xattrs (updated)
973 * Returns 0 if it all works out, -ENOMEM if there's no memory
991 if (tsp->smk_task != tsp->smk_transmuted) { in smack_inode_init_security()
993 may = smk_access_entry(skp->smk_known, dsp->smk_known, in smack_inode_init_security()
994 &skp->smk_rules); in smack_inode_init_security()
1004 if ((tsp->smk_task == tsp->smk_transmuted) || in smack_inode_init_security()
1015 if (tsp->smk_task != tsp->smk_transmuted) in smack_inode_init_security()
1016 isp = issp->smk_inode = dsp; in smack_inode_init_security()
1018 issp->smk_flags |= SMK_INODE_TRANSMUTE; in smack_inode_init_security()
1022 xattr_transmute->value = kmemdup(TRANS_TRUE, in smack_inode_init_security()
1025 if (!xattr_transmute->value) in smack_inode_init_security()
1026 return -ENOMEM; in smack_inode_init_security()
1028 xattr_transmute->value_len = TRANS_TRUE_SIZE; in smack_inode_init_security()
1029 xattr_transmute->name = XATTR_SMACK_TRANSMUTE; in smack_inode_init_security()
1033 issp->smk_flags |= SMK_INODE_INSTANT; in smack_inode_init_security()
1036 xattr->value = kstrdup(isp->smk_known, GFP_NOFS); in smack_inode_init_security()
1037 if (!xattr->value) in smack_inode_init_security()
1038 return -ENOMEM; in smack_inode_init_security()
1040 xattr->value_len = strlen(isp->smk_known); in smack_inode_init_security()
1041 xattr->name = XATTR_SMACK_SUFFIX; in smack_inode_init_security()
1048 * smack_inode_link - Smack check on link
1080 * smack_inode_unlink - Smack check on inode deletion
1114 * smack_inode_rmdir - Smack check on directory deletion
1148 * smack_inode_rename - Smack check on rename
1185 * smack_inode_permission - Smack version of permission()
1195 struct superblock_smack *sbsp = smack_superblock(inode->i_sb); in smack_inode_permission()
1207 if (sbsp->smk_flags & SMK_SB_UNTRUSTED) { in smack_inode_permission()
1208 if (smk_of_inode(inode) != sbsp->smk_root) in smack_inode_permission()
1209 return -EACCES; in smack_inode_permission()
1214 return -ECHILD; in smack_inode_permission()
1223 * smack_inode_setattr - Smack check for setting attributes
1239 if (iattr->ia_valid & ATTR_FORCE) in smack_inode_setattr()
1250 * smack_inode_getattr - Smack check for getting attributes
1258 struct inode *inode = d_backing_inode(path->dentry); in smack_inode_getattr()
1269 * smack_inode_xattr_skipcap - Skip the xattr capability checks?
1296 * smack_inode_setxattr - Smack check for setting xattrs
1334 if (!S_ISDIR(d_backing_inode(dentry)->i_mode) || in smack_inode_setxattr()
1337 rc = -EINVAL; in smack_inode_setxattr()
1341 rc = -EPERM; in smack_inode_setxattr()
1349 rc = -EINVAL; in smack_inode_setxattr()
1364 * smack_inode_post_setxattr - Apply the Smack update approved above
1381 isp->smk_flags |= SMK_INODE_TRANSMUTE; in smack_inode_post_setxattr()
1388 isp->smk_inode = skp; in smack_inode_post_setxattr()
1392 isp->smk_task = skp; in smack_inode_post_setxattr()
1396 isp->smk_mmap = skp; in smack_inode_post_setxattr()
1403 * smack_inode_getxattr - Smack check on getxattr
1423 * smack_inode_removexattr - Smack check on removexattr
1446 rc = -EPERM; in smack_inode_removexattr()
1467 struct super_block *sbp = dentry->d_sb; in smack_inode_removexattr()
1470 isp->smk_inode = sbsp->smk_default; in smack_inode_removexattr()
1472 isp->smk_task = NULL; in smack_inode_removexattr()
1474 isp->smk_mmap = NULL; in smack_inode_removexattr()
1476 isp->smk_flags &= ~SMK_INODE_TRANSMUTE; in smack_inode_removexattr()
1482 * smack_inode_set_acl - Smack check for setting posix acls
1506 * smack_inode_get_acl - Smack check for getting posix acls
1528 * smack_inode_remove_acl - Smack check for removing posix acls
1550 * smack_inode_getsecurity - get smack xattrs
1576 if (ispp->smk_flags & SMK_INODE_TRANSMUTE) in smack_inode_getsecurity()
1584 sbp = ip->i_sb; in smack_inode_getsecurity()
1585 if (sbp->s_magic != SOCKFS_MAGIC) in smack_inode_getsecurity()
1586 return -EOPNOTSUPP; in smack_inode_getsecurity()
1589 if (sock == NULL || sock->sk == NULL) in smack_inode_getsecurity()
1590 return -EOPNOTSUPP; in smack_inode_getsecurity()
1592 ssp = smack_sock(sock->sk); in smack_inode_getsecurity()
1595 isp = ssp->smk_in; in smack_inode_getsecurity()
1597 isp = ssp->smk_out; in smack_inode_getsecurity()
1599 return -EOPNOTSUPP; in smack_inode_getsecurity()
1603 label = isp->smk_known; in smack_inode_getsecurity()
1610 return -ENOMEM; in smack_inode_getsecurity()
1618 * smack_inode_listsecurity - list the Smack attributes
1635 * smack_inode_getlsmprop - Extract inode's security id
1641 prop->smack.skp = smk_of_inode(inode); in smack_inode_getlsmprop()
1660 * smack_file_alloc_security - assign a file security blob
1680 * smack_file_ioctl - Smack check on ioctls
1700 smk_ad_setfield_u_fs_path(&ad, file->f_path); in smack_file_ioctl()
1716 * smack_file_lock - Smack check on file locking
1732 smk_ad_setfield_u_fs_path(&ad, file->f_path); in smack_file_lock()
1739 * smack_file_fcntl - Smack check on fcntl
1766 smk_ad_setfield_u_fs_path(&ad, file->f_path); in smack_file_fcntl()
1773 smk_ad_setfield_u_fs_path(&ad, file->f_path); in smack_file_fcntl()
1785 * smack_mmap_file - Check permissions for a mmap operation.
1818 if (isp->smk_mmap == NULL) in smack_mmap_file()
1820 sbsp = smack_superblock(file_inode(file)->i_sb); in smack_mmap_file()
1821 if (sbsp->smk_flags & SMK_SB_UNTRUSTED && in smack_mmap_file()
1822 isp->smk_mmap != sbsp->smk_root) in smack_mmap_file()
1823 return -EACCES; in smack_mmap_file()
1824 mkp = isp->smk_mmap; in smack_mmap_file()
1836 list_for_each_entry_rcu(srp, &skp->smk_rules, list) { in smack_mmap_file()
1837 okp = srp->smk_object; in smack_mmap_file()
1841 if (mkp->smk_known == okp->smk_known) in smack_mmap_file()
1847 may = smk_access_entry(srp->smk_subject->smk_known, in smack_mmap_file()
1848 okp->smk_known, in smack_mmap_file()
1849 &tsp->smk_rules); in smack_mmap_file()
1850 if (may == -ENOENT) in smack_mmap_file()
1851 may = srp->smk_access; in smack_mmap_file()
1853 may &= srp->smk_access; in smack_mmap_file()
1866 mmay = smk_access_entry(mkp->smk_known, okp->smk_known, in smack_mmap_file()
1867 &mkp->smk_rules); in smack_mmap_file()
1868 if (mmay == -ENOENT) { in smack_mmap_file()
1869 rc = -EACCES; in smack_mmap_file()
1876 tmay = smk_access_entry(mkp->smk_known, okp->smk_known, in smack_mmap_file()
1877 &tsp->smk_rules); in smack_mmap_file()
1878 if (tmay != -ENOENT) in smack_mmap_file()
1887 rc = -EACCES; in smack_mmap_file()
1898 * smack_file_set_fowner - set the file security blob value
1910 * smack_file_send_sigiotask - Smack on sigio
1925 struct smack_known *tkp = smk_of_task(smack_cred(tsk->cred)); in smack_file_send_sigiotask()
1934 file = fown->file; in smack_file_send_sigiotask()
1950 smack_log(skp->smk_known, tkp->smk_known, MAY_DELIVER, rc, &ad); in smack_file_send_sigiotask()
1955 * smack_file_receive - Smack file receive check
1974 smk_ad_setfield_u_fs_path(&ad, file->f_path); in smack_file_receive()
1976 if (inode->i_sb->s_magic == SOCKFS_MAGIC) { in smack_file_receive()
1978 ssp = smack_sock(sock->sk); in smack_file_receive()
1986 rc = smk_access(tsp->smk_task, ssp->smk_out, MAY_WRITE, &ad); in smack_file_receive()
1990 rc = smk_access(ssp->smk_in, tsp->smk_task, MAY_WRITE, &ad); in smack_file_receive()
1997 if (file->f_mode & FMODE_READ) in smack_file_receive()
1999 if (file->f_mode & FMODE_WRITE) in smack_file_receive()
2008 * smack_file_open - Smack dentry open processing
2014 * fd even if you have the file open write-only.
2020 struct task_smack *tsp = smack_cred(file->f_cred); in smack_file_open()
2026 smk_ad_setfield_u_fs_path(&ad, file->f_path); in smack_file_open()
2028 rc = smk_bu_credfile(file->f_cred, file, MAY_READ, rc); in smack_file_open()
2038 * smack_cred_alloc_blank - "allocate" blank task-level security credentials
2054 * smack_cred_free - "free" task-level security credentials
2065 smk_destroy_label_list(&tsp->smk_relabel); in smack_cred_free()
2067 list_for_each_safe(l, n, &tsp->smk_rules) { in smack_cred_free()
2069 list_del(&rp->list); in smack_cred_free()
2075 * smack_cred_prepare - prepare new set of credentials for modification
2089 init_task_smack(new_tsp, old_tsp->smk_task, old_tsp->smk_task); in smack_cred_prepare()
2091 rc = smk_copy_rules(&new_tsp->smk_rules, &old_tsp->smk_rules, gfp); in smack_cred_prepare()
2095 rc = smk_copy_relabel(&new_tsp->smk_relabel, &old_tsp->smk_relabel, in smack_cred_prepare()
2101 * smack_cred_transfer - Transfer the old credentials to the new credentials
2112 init_task_smack(new_tsp, old_tsp->smk_task, old_tsp->smk_task); in smack_cred_transfer()
2116 * smack_cred_getsecid - get the secid corresponding to a creds structure
2128 *secid = skp->smk_secid; in smack_cred_getsecid()
2133 * smack_cred_getlsmprop - get the Smack label for a creds structure
2143 prop->smack.skp = smk_of_task(smack_cred(cred)); in smack_cred_getlsmprop()
2148 * smack_kernel_act_as - Set the subjective context in a set of credentials
2158 new_tsp->smk_task = smack_from_secid(secid); in smack_kernel_act_as()
2163 * smack_kernel_create_files_as - Set the file creation label in a set of creds
2176 tsp->smk_forked = isp->smk_inode; in smack_kernel_create_files_as()
2177 tsp->smk_task = tsp->smk_forked; in smack_kernel_create_files_as()
2182 * smk_curacc_on_task - helper to log task related access
2204 * smack_task_setpgid - Smack check on setting pgid
2216 * smack_task_getpgid - Smack access check for getpgid
2227 * smack_task_getsid - Smack access check for getsid
2238 * smack_current_getlsmprop_subj - get the subjective secid of the current task
2245 prop->smack.skp = smk_of_current(); in smack_current_getlsmprop_subj()
2249 * smack_task_getlsmprop_obj - get the objective data of the task
2258 prop->smack.skp = smk_of_task_struct_obj(p); in smack_task_getlsmprop_obj()
2262 * smack_task_setnice - Smack check on setting nice
2274 * smack_task_setioprio - Smack check on setting ioprio
2286 * smack_task_getioprio - Smack check on reading ioprio
2297 * smack_task_setscheduler - Smack check on setting scheduler
2308 * smack_task_getscheduler - Smack check on reading scheduler
2319 * smack_task_movememory - Smack check on moving memory
2330 * smack_task_kill - Smack check on signal delivery
2373 * smack_task_to_inode - copy task smack into the inode blob
2384 isp->smk_inode = skp; in smack_task_to_inode()
2385 isp->smk_flags |= SMK_INODE_INSTANT; in smack_task_to_inode()
2393 * smack_sk_alloc_security - Allocate a socket blob
2400 * Returns 0 on success, -ENOMEM if there's no memory
2410 if (unlikely(current->flags & PF_KTHREAD)) { in smack_sk_alloc_security()
2411 ssp->smk_in = &smack_known_web; in smack_sk_alloc_security()
2412 ssp->smk_out = &smack_known_web; in smack_sk_alloc_security()
2414 ssp->smk_in = skp; in smack_sk_alloc_security()
2415 ssp->smk_out = skp; in smack_sk_alloc_security()
2417 ssp->smk_packet = NULL; in smack_sk_alloc_security()
2424 * smack_sk_free_security - Free a socket blob
2433 if (sk->sk_family == PF_INET6) { in smack_sk_free_security()
2436 if (spp->smk_sock != sk) in smack_sk_free_security()
2438 spp->smk_can_reuse = 1; in smack_sk_free_security()
2447 * smack_sk_clone_security - Copy security context
2462 * smack_ipv4host_label - check host based restrictions
2476 struct in_addr *siap = &sip->sin_addr; in smack_ipv4host_label()
2478 if (siap->s_addr == 0) in smack_ipv4host_label()
2487 if (snp->smk_host.s_addr == in smack_ipv4host_label()
2488 (siap->s_addr & snp->smk_mask.s_addr)) in smack_ipv4host_label()
2489 return snp->smk_label; in smack_ipv4host_label()
2496 * smk_ipv6_localhost - Check for local ipv6 host address
2503 __be16 *be16p = (__be16 *)&sip->sin6_addr; in smk_ipv6_localhost()
2504 __be32 *be32p = (__be32 *)&sip->sin6_addr; in smk_ipv6_localhost()
2513 * smack_ipv6host_label - check host based restrictions
2527 struct in6_addr *sap = &sip->sin6_addr; in smack_ipv6host_label()
2542 if (snp->smk_label == NULL) in smack_ipv6host_label()
2550 if ((sap->s6_addr16[i] & snp->smk_mask.s6_addr16[i]) != in smack_ipv6host_label()
2551 snp->smk_host.s6_addr16[i]) { in smack_ipv6host_label()
2557 return snp->smk_label; in smack_ipv6host_label()
2565 * smack_netlbl_add - Set the secattr on a socket
2575 struct smack_known *skp = ssp->smk_out; in smack_netlbl_add()
2581 rc = netlbl_sock_setattr(sk, sk->sk_family, &skp->smk_netlabel, in smack_netlbl_add()
2585 ssp->smk_state = SMK_NETLBL_LABELED; in smack_netlbl_add()
2587 case -EDESTADDRREQ: in smack_netlbl_add()
2588 ssp->smk_state = SMK_NETLBL_REQSKB; in smack_netlbl_add()
2600 * smack_netlbl_delete - Remove the secattr from a socket
2612 if (ssp->smk_state != SMK_NETLBL_LABELED) in smack_netlbl_delete()
2620 ssp->smk_state = SMK_NETLBL_UNLABELED; in smack_netlbl_delete()
2624 * smk_ipv4_check - Perform IPv4 host access checks
2649 ad.a.u.net->family = sap->sin_family; in smk_ipv4_check()
2650 ad.a.u.net->dport = sap->sin_port; in smk_ipv4_check()
2651 ad.a.u.net->v4info.daddr = sap->sin_addr.s_addr; in smk_ipv4_check()
2653 skp = ssp->smk_out; in smk_ipv4_check()
2669 * smk_ipv6_check - check Smack access
2689 ad.a.u.net->family = PF_INET6; in smk_ipv6_check()
2690 ad.a.u.net->dport = address->sin6_port; in smk_ipv6_check()
2692 ad.a.u.net->v6info.saddr = address->sin6_addr; in smk_ipv6_check()
2694 ad.a.u.net->v6info.daddr = address->sin6_addr; in smk_ipv6_check()
2704 * smk_ipv6_port_label - Smack port access table management
2712 struct sock *sk = sock->sk; in smk_ipv6_port_label()
2714 struct socket_smack *ssp = smack_sock(sock->sk); in smk_ipv6_port_label()
2726 if (sk != spp->smk_sock) in smk_ipv6_port_label()
2728 spp->smk_in = ssp->smk_in; in smk_ipv6_port_label()
2729 spp->smk_out = ssp->smk_out; in smk_ipv6_port_label()
2742 port = ntohs(addr6->sin6_port); in smk_ipv6_port_label()
2755 if (spp->smk_port != port || spp->smk_sock_type != sock->type) in smk_ipv6_port_label()
2757 if (spp->smk_can_reuse != 1) { in smk_ipv6_port_label()
2761 spp->smk_port = port; in smk_ipv6_port_label()
2762 spp->smk_sock = sk; in smk_ipv6_port_label()
2763 spp->smk_in = ssp->smk_in; in smk_ipv6_port_label()
2764 spp->smk_out = ssp->smk_out; in smk_ipv6_port_label()
2765 spp->smk_can_reuse = 0; in smk_ipv6_port_label()
2777 spp->smk_port = port; in smk_ipv6_port_label()
2778 spp->smk_sock = sk; in smk_ipv6_port_label()
2779 spp->smk_in = ssp->smk_in; in smk_ipv6_port_label()
2780 spp->smk_out = ssp->smk_out; in smk_ipv6_port_label()
2781 spp->smk_sock_type = sock->type; in smk_ipv6_port_label()
2782 spp->smk_can_reuse = 0; in smk_ipv6_port_label()
2785 list_add_rcu(&spp->list, &smk_ipv6_port_list); in smk_ipv6_port_label()
2791 * smk_ipv6_port_check - check Smack port access
2809 object = ssp->smk_in; in smk_ipv6_port_check()
2811 skp = ssp->smk_out; in smk_ipv6_port_check()
2837 port = ntohs(address->sin6_port); in smk_ipv6_port_check()
2840 if (spp->smk_port != port || spp->smk_sock_type != sk->sk_type) in smk_ipv6_port_check()
2842 object = spp->smk_in; in smk_ipv6_port_check()
2844 ssp->smk_packet = spp->smk_out; in smk_ipv6_port_check()
2854 * smack_inode_setsecurity - set smack xattrs
2875 return -EINVAL; in smack_inode_setsecurity()
2878 if (!S_ISDIR(inode->i_mode) || size != TRANS_TRUE_SIZE || in smack_inode_setsecurity()
2880 return -EINVAL; in smack_inode_setsecurity()
2882 nsp->smk_flags |= SMK_INODE_TRANSMUTE; in smack_inode_setsecurity()
2891 nsp->smk_inode = skp; in smack_inode_setsecurity()
2892 nsp->smk_flags |= SMK_INODE_INSTANT; in smack_inode_setsecurity()
2898 if (inode->i_sb->s_magic != SOCKFS_MAGIC) in smack_inode_setsecurity()
2899 return -EOPNOTSUPP; in smack_inode_setsecurity()
2902 if (sock == NULL || sock->sk == NULL) in smack_inode_setsecurity()
2903 return -EOPNOTSUPP; in smack_inode_setsecurity()
2905 ssp = smack_sock(sock->sk); in smack_inode_setsecurity()
2908 ssp->smk_in = skp; in smack_inode_setsecurity()
2910 ssp->smk_out = skp; in smack_inode_setsecurity()
2911 if (sock->sk->sk_family == PF_INET) { in smack_inode_setsecurity()
2912 rc = smack_netlbl_add(sock->sk); in smack_inode_setsecurity()
2916 __func__, -rc); in smack_inode_setsecurity()
2919 return -EOPNOTSUPP; in smack_inode_setsecurity()
2922 if (sock->sk->sk_family == PF_INET6) in smack_inode_setsecurity()
2930 * smack_socket_post_create - finish socket setup
2946 if (sock->sk == NULL) in smack_socket_post_create()
2952 if (unlikely(current->flags & PF_KTHREAD)) { in smack_socket_post_create()
2953 ssp = smack_sock(sock->sk); in smack_socket_post_create()
2954 ssp->smk_in = &smack_known_web; in smack_socket_post_create()
2955 ssp->smk_out = &smack_known_web; in smack_socket_post_create()
2963 return smack_netlbl_add(sock->sk); in smack_socket_post_create()
2967 * smack_socket_socketpair - create socket pair
2978 struct socket_smack *asp = smack_sock(socka->sk); in smack_socket_socketpair()
2979 struct socket_smack *bsp = smack_sock(sockb->sk); in smack_socket_socketpair()
2981 asp->smk_packet = bsp->smk_out; in smack_socket_socketpair()
2982 bsp->smk_packet = asp->smk_out; in smack_socket_socketpair()
2989 * smack_socket_bind - record port binding information.
3001 if (sock->sk != NULL && sock->sk->sk_family == PF_INET6) { in smack_socket_bind()
3003 address->sa_family != AF_INET6) in smack_socket_bind()
3004 return -EINVAL; in smack_socket_bind()
3012 * smack_socket_connect - connect access check
3026 if (sock->sk == NULL) in smack_socket_connect()
3028 if (sock->sk->sk_family != PF_INET && in smack_socket_connect()
3029 (!IS_ENABLED(CONFIG_IPV6) || sock->sk->sk_family != PF_INET6)) in smack_socket_connect()
3035 if (sap->sa_family == AF_INET6) { in smack_socket_connect()
3044 struct socket_smack *ssp = smack_sock(sock->sk); in smack_socket_connect()
3046 rc = smk_ipv6_check(ssp->smk_out, rsp, sip, in smack_socket_connect()
3050 rc = smk_ipv6_port_check(sock->sk, sip, SMK_CONNECTING); in smack_socket_connect()
3057 if (sap->sa_family != AF_INET || addrlen < sizeof(struct sockaddr_in)) in smack_socket_connect()
3059 rc = smk_ipv4_check(sock->sk, (struct sockaddr_in *)sap); in smack_socket_connect()
3064 * smack_flags_to_may - convert S_ to MAY_ values
3084 * smack_msg_msg_alloc_security - Set the security blob for msg_msg
3098 * smack_of_ipc - the smack pointer for the ipc
3111 * smack_ipc_alloc_security - Set the security blob for ipc
3139 ad.a.u.ipc_id = isp->id; in smk_curacc_shm()
3147 * smack_shm_associate - Smack access check for shm
3162 * smack_shm_shmctl - Smack access check for shm
3191 return -EINVAL; in smack_shm_shmctl()
3197 * smack_shm_shmat - Smack access for shmat
3228 ad.a.u.ipc_id = isp->id; in smk_curacc_sem()
3236 * smack_sem_associate - Smack access check for sem
3251 * smack_sem_semctl - Smack access check for sem
3285 return -EINVAL; in smack_sem_semctl()
3292 * smack_sem_semop - Smack checks of semaphore operations
3323 ad.a.u.ipc_id = isp->id; in smk_curacc_msq()
3331 * smack_msg_queue_associate - Smack access check for msg_queue
3346 * smack_msg_queue_msgctl - Smack access check for msg_queue
3373 return -EINVAL; in smack_msg_queue_msgctl()
3380 * smack_msg_queue_msgsnd - Smack access check for msg_queue
3397 * smack_msg_queue_msgrcv - Smack access check for msg_queue
3415 * smack_ipc_permission - Smack access for ipc_permission()
3431 ad.a.u.ipc_id = ipp->id; in smack_ipc_permission()
3439 * smack_ipc_getlsmprop - Extract smack security data
3447 prop->smack.skp = *iskpp; in smack_ipc_getlsmprop()
3451 * smack_d_instantiate - Make sure the blob is correct on an inode
3479 if (isp->smk_flags & SMK_INODE_INSTANT) in smack_d_instantiate()
3482 sbp = inode->i_sb; in smack_d_instantiate()
3488 final = sbsp->smk_default; in smack_d_instantiate()
3496 if (opt_dentry->d_parent == opt_dentry) { in smack_d_instantiate()
3497 switch (sbp->s_magic) { in smack_d_instantiate()
3505 sbsp->smk_root = &smack_known_star; in smack_d_instantiate()
3506 sbsp->smk_default = &smack_known_star; in smack_d_instantiate()
3507 isp->smk_inode = sbsp->smk_root; in smack_d_instantiate()
3514 isp->smk_inode = smk_of_current(); in smack_d_instantiate()
3517 isp->smk_inode = smk_of_current(); in smack_d_instantiate()
3524 isp->smk_inode = &smack_known_star; in smack_d_instantiate()
3527 isp->smk_inode = sbsp->smk_root; in smack_d_instantiate()
3530 isp->smk_flags |= SMK_INODE_INSTANT; in smack_d_instantiate()
3540 switch (sbp->s_magic) { in smack_d_instantiate()
3590 if (S_ISSOCK(inode->i_mode)) { in smack_d_instantiate()
3600 if (!(inode->i_opflags & IOP_XATTR)) in smack_d_instantiate()
3613 if (S_ISDIR(inode->i_mode)) { in smack_d_instantiate()
3628 rc = -EINVAL; in smack_d_instantiate()
3639 isp->smk_task = skp; in smack_d_instantiate()
3645 isp->smk_mmap = skp; in smack_d_instantiate()
3652 isp->smk_inode = ckp; in smack_d_instantiate()
3654 isp->smk_inode = final; in smack_d_instantiate()
3656 isp->smk_flags |= (SMK_INODE_INSTANT | transflag); in smack_d_instantiate()
3662 * smack_getselfattr - Smack current process attribute
3668 * Fill the passed user space @ctx with the details of the requested
3681 return -EOPNOTSUPP; in smack_getselfattr()
3685 skp->smk_known, strlen(skp->smk_known) + 1, in smack_getselfattr()
3691 * smack_getprocattr - Smack process attribute access
3707 return -EINVAL; in smack_getprocattr()
3709 cp = kstrdup(skp->smk_known, GFP_KERNEL); in smack_getprocattr()
3711 return -ENOMEM; in smack_getprocattr()
3719 * do_setattr - Smack process attribute setting
3737 if (!smack_privileged(CAP_MAC_ADMIN) && list_empty(&tsp->smk_relabel)) in do_setattr()
3738 return -EPERM; in do_setattr()
3741 return -EINVAL; in do_setattr()
3744 return -EOPNOTSUPP; in do_setattr()
3755 return -EINVAL; in do_setattr()
3758 rc = -EPERM; in do_setattr()
3759 list_for_each_entry(sklep, &tsp->smk_relabel, list) in do_setattr()
3760 if (sklep->smk_label == skp) { in do_setattr()
3770 return -ENOMEM; in do_setattr()
3773 tsp->smk_task = skp; in do_setattr()
3777 smk_destroy_label_list(&tsp->smk_relabel); in do_setattr()
3784 * smack_setselfattr - Set a Smack process attribute
3790 * Fill the passed user space @ctx with the details of the requested
3800 rc = do_setattr(attr, ctx->ctx, ctx->ctx_len); in smack_setselfattr()
3807 * smack_setprocattr - Smack process attribute setting
3823 return -EINVAL; in smack_setprocattr()
3827 * smack_unix_stream_connect - Smack access on UDS
3850 skp = ssp->smk_out; in smack_unix_stream_connect()
3851 okp = osp->smk_in; in smack_unix_stream_connect()
3859 okp = osp->smk_out; in smack_unix_stream_connect()
3860 skp = ssp->smk_in; in smack_unix_stream_connect()
3871 nsp->smk_packet = ssp->smk_out; in smack_unix_stream_connect()
3872 ssp->smk_packet = osp->smk_out; in smack_unix_stream_connect()
3877 nsp->smk_out = osp->smk_out; in smack_unix_stream_connect()
3878 nsp->smk_in = osp->smk_in; in smack_unix_stream_connect()
3885 * smack_unix_may_send - Smack access on UDS
3894 struct socket_smack *ssp = smack_sock(sock->sk); in smack_unix_may_send()
3895 struct socket_smack *osp = smack_sock(other->sk); in smack_unix_may_send()
3903 smk_ad_setfield_u_net_sk(&ad, other->sk); in smack_unix_may_send()
3909 rc = smk_access(ssp->smk_out, osp->smk_in, MAY_WRITE, &ad); in smack_unix_may_send()
3910 rc = smk_bu_note("UDS send", ssp->smk_out, osp->smk_in, MAY_WRITE, rc); in smack_unix_may_send()
3915 * smack_socket_sendmsg - Smack check based on destination host
3927 struct sockaddr_in *sip = (struct sockaddr_in *) msg->msg_name; in smack_socket_sendmsg()
3929 struct sockaddr_in6 *sap = (struct sockaddr_in6 *) msg->msg_name; in smack_socket_sendmsg()
3932 struct socket_smack *ssp = smack_sock(sock->sk); in smack_socket_sendmsg()
3943 switch (sock->sk->sk_family) { in smack_socket_sendmsg()
3945 if (msg->msg_namelen < sizeof(struct sockaddr_in) || in smack_socket_sendmsg()
3946 sip->sin_family != AF_INET) in smack_socket_sendmsg()
3947 return -EINVAL; in smack_socket_sendmsg()
3948 rc = smk_ipv4_check(sock->sk, sip); in smack_socket_sendmsg()
3952 if (msg->msg_namelen < SIN6_LEN_RFC2133 || in smack_socket_sendmsg()
3953 sap->sin6_family != AF_INET6) in smack_socket_sendmsg()
3954 return -EINVAL; in smack_socket_sendmsg()
3958 rc = smk_ipv6_check(ssp->smk_out, rsp, sap, in smack_socket_sendmsg()
3962 rc = smk_ipv6_port_check(sock->sk, sap, SMK_SENDING); in smack_socket_sendmsg()
3971 * smack_from_secattr - Convert a netlabel attr.mls.lvl/attr.mls.cat pair to smack
3988 if ((sap->flags & NETLBL_SECATTR_CACHE) != 0) in smack_from_secattr()
3989 return (struct smack_known *)sap->cache->data; in smack_from_secattr()
3991 if ((sap->flags & NETLBL_SECATTR_SECID) != 0) in smack_from_secattr()
3995 return smack_from_secid(sap->attr.secid); in smack_from_secattr()
3997 if ((sap->flags & NETLBL_SECATTR_MLS_LVL) != 0) { in smack_from_secattr()
4010 if (sap->attr.mls.lvl != skp->smk_netlabel.attr.mls.lvl) in smack_from_secattr()
4015 if ((sap->flags & NETLBL_SECATTR_MLS_CAT) == 0) { in smack_from_secattr()
4016 if ((skp->smk_netlabel.flags & in smack_from_secattr()
4021 for (acat = -1, kcat = -1; acat == kcat; ) { in smack_from_secattr()
4022 acat = netlbl_catmap_walk(sap->attr.mls.cat, in smack_from_secattr()
4025 skp->smk_netlabel.attr.mls.cat, in smack_from_secattr()
4040 if (ssp != NULL && ssp->smk_in == &smack_known_star) in smack_from_secattr()
4057 int proto = -EINVAL; in smk_skb_to_addr_ipv6()
4064 sip->sin6_port = 0; in smk_skb_to_addr_ipv6()
4069 return -EINVAL; in smk_skb_to_addr_ipv6()
4070 sip->sin6_addr = ip6->saddr; in smk_skb_to_addr_ipv6()
4072 nexthdr = ip6->nexthdr; in smk_skb_to_addr_ipv6()
4076 return -EINVAL; in smk_skb_to_addr_ipv6()
4083 sip->sin6_port = th->source; in smk_skb_to_addr_ipv6()
4089 sip->sin6_port = uh->source; in smk_skb_to_addr_ipv6()
4097 * smack_from_skb - Smack data from the secmark in an skb
4105 if (skb == NULL || skb->secmark == 0) in smack_from_skb()
4108 return smack_from_secid(skb->secmark); in smack_from_skb()
4118 * smack_from_netlbl - Smack data from the IP options in an skb
4143 netlbl_cache_add(skb, family, &skp->smk_netlabel); in smack_from_netlbl()
4152 * smack_socket_sock_rcv_skb - Smack packet delivery access check
4164 u16 family = sk->sk_family; in smack_socket_sock_rcv_skb()
4172 if (family == PF_INET6 && skb->protocol == htons(ETH_P_IP)) in smack_socket_sock_rcv_skb()
4192 ad.a.u.net->family = family; in smack_socket_sock_rcv_skb()
4193 ad.a.u.net->netif = skb->skb_iif; in smack_socket_sock_rcv_skb()
4202 rc = smk_access(skp, ssp->smk_in, MAY_WRITE, &ad); in smack_socket_sock_rcv_skb()
4203 rc = smk_bu_note("IPv4 delivery", skp, ssp->smk_in, in smack_socket_sock_rcv_skb()
4225 ad.a.u.net->family = family; in smack_socket_sock_rcv_skb()
4226 ad.a.u.net->netif = skb->skb_iif; in smack_socket_sock_rcv_skb()
4229 rc = smk_access(skp, ssp->smk_in, MAY_WRITE, &ad); in smack_socket_sock_rcv_skb()
4230 rc = smk_bu_note("IPv6 delivery", skp, ssp->smk_in, in smack_socket_sock_rcv_skb()
4247 * smack_socket_getpeersec_stream - pull in packet label
4249 * @optval: user's destination
4264 ssp = smack_sock(sock->sk); in smack_socket_getpeersec_stream()
4265 if (ssp->smk_packet != NULL) { in smack_socket_getpeersec_stream()
4266 rcp = ssp->smk_packet->smk_known; in smack_socket_getpeersec_stream()
4270 rc = -ERANGE; in smack_socket_getpeersec_stream()
4275 rc = -EFAULT; in smack_socket_getpeersec_stream()
4278 rc = -EFAULT; in smack_socket_getpeersec_stream()
4284 * smack_socket_getpeersec_dgram - pull in packet label
4302 if (skb->protocol == htons(ETH_P_IP)) in smack_socket_getpeersec_dgram()
4305 else if (skb->protocol == htons(ETH_P_IPV6)) in smack_socket_getpeersec_dgram()
4310 family = sock->sk->sk_family; in smack_socket_getpeersec_dgram()
4314 ssp = smack_sock(sock->sk); in smack_socket_getpeersec_dgram()
4315 s = ssp->smk_out->smk_secid; in smack_socket_getpeersec_dgram()
4320 s = skp->smk_secid; in smack_socket_getpeersec_dgram()
4327 sk = sock->sk; in smack_socket_getpeersec_dgram()
4330 s = skp->smk_secid; in smack_socket_getpeersec_dgram()
4336 s = skp->smk_secid; in smack_socket_getpeersec_dgram()
4342 return -EINVAL; in smack_socket_getpeersec_dgram()
4347 * smack_inet_conn_request - Smack access check on connect
4358 u16 family = sk->sk_family; in smack_inet_conn_request()
4377 if (skb->protocol == htons(ETH_P_IP)) in smack_inet_conn_request()
4398 ad.a.u.net->family = family; in smack_inet_conn_request()
4399 ad.a.u.net->netif = skb->skb_iif; in smack_inet_conn_request()
4406 rc = smk_access(skp, ssp->smk_in, MAY_WRITE, &ad); in smack_inet_conn_request()
4407 rc = smk_bu_note("IPv4 connect", skp, ssp->smk_in, MAY_WRITE, rc); in smack_inet_conn_request()
4415 req->peer_secid = skp->smk_secid; in smack_inet_conn_request()
4420 * propagate the wire-label to the sock when it is created. in smack_inet_conn_request()
4423 addr.sin_addr.s_addr = hdr->saddr; in smack_inet_conn_request()
4429 rc = netlbl_req_setattr(req, &ssp->smk_out->smk_netlabel); in smack_inet_conn_request()
4437 * smack_inet_csk_clone - Copy the connection information to the new socket
4449 if (req->peer_secid != 0) { in smack_inet_csk_clone()
4450 skp = smack_from_secid(req->peer_secid); in smack_inet_csk_clone()
4451 ssp->smk_packet = skp; in smack_inet_csk_clone()
4453 ssp->smk_packet = NULL; in smack_inet_csk_clone()
4466 * smack_key_alloc - Set the key security blob
4486 * smack_key_permission - Smack access on a key
4527 return -EINVAL; in smack_key_permission()
4532 return -EINVAL; in smack_key_permission()
4545 return -EACCES; in smack_key_permission()
4552 ad.a.u.key_struct.key = keyp->serial; in smack_key_permission()
4553 ad.a.u.key_struct.key_desc = keyp->description; in smack_key_permission()
4561 * smack_key_getsecurity - Smack label tagging the key
4565 * Return the length of the string (including terminating NUL) or -ve if
4581 copy = kstrdup(skp->smk_known, GFP_KERNEL); in smack_key_getsecurity()
4583 return -ENOMEM; in smack_key_getsecurity()
4593 * smack_watch_key - Smack access to watch a key for notifications.
4596 * Return 0 if the @watch->cred has permission to read from the key object and
4610 return -EACCES; in smack_watch_key()
4617 ad.a.u.key_struct.key = key->serial; in smack_watch_key()
4618 ad.a.u.key_struct.key_desc = key->description; in smack_watch_key()
4629 * smack_post_notification - Smack access to post a notification to a queue
4643 if (n->type == WATCH_TYPE_META) in smack_post_notification()
4674 * smack_audit_rule_init - Initialize a smack audit rule
4675 * @field: audit rule fields given from user-space (audit.h)
4692 return -EINVAL; in smack_audit_rule_init()
4695 return -EINVAL; in smack_audit_rule_init()
4701 *rule = skp->smk_known; in smack_audit_rule_init()
4707 * smack_audit_rule_known - Distinguish Smack audit rules
4719 for (i = 0; i < krule->field_count; i++) { in smack_audit_rule_known()
4720 f = &krule->fields[i]; in smack_audit_rule_known()
4722 if (f->type == AUDIT_SUBJ_USER || f->type == AUDIT_OBJ_USER) in smack_audit_rule_known()
4730 * smack_audit_rule_match - Audit given object ?
4732 * @field: audit rule flags given from user-space
4742 struct smack_known *skp = prop->smack.skp; in smack_audit_rule_match()
4747 return -ENOENT; in smack_audit_rule_match()
4759 return (rule == skp->smk_known); in smack_audit_rule_match()
4761 return (rule != skp->smk_known); in smack_audit_rule_match()
4774 * smack_ismaclabel - check if xattr @name references a smack MAC label
4783 * smack_to_secctx - fill a lsm_context
4791 int len = strlen(skp->smk_known); in smack_to_secctx()
4794 cp->context = skp->smk_known; in smack_to_secctx()
4795 cp->len = len; in smack_to_secctx()
4796 cp->id = LSM_ID_SMACK; in smack_to_secctx()
4802 * smack_secid_to_secctx - return the smack label for a secid
4814 * smack_lsmprop_to_secctx - return the smack label
4823 return smack_to_secctx(prop->smack.skp, cp); in smack_lsmprop_to_secctx()
4827 * smack_secctx_to_secid - return the secid for a smack label
4839 *secid = skp->smk_secid; in smack_secctx_to_secid()
4867 cp->context = skp->smk_known; in smack_inode_getsecctx()
4868 cp->len = strlen(skp->smk_known); in smack_inode_getsecctx()
4869 cp->id = LSM_ID_SMACK; in smack_inode_getsecctx()
4884 return -ENOMEM; in smack_inode_copy_up()
4893 skp = isp->smk_inode; in smack_inode_copy_up()
4894 tsp->smk_task = skp; in smack_inode_copy_up()
4902 * Return -ECANCELED if this is the Smack access attribute. in smack_inode_copy_up_xattr()
4905 return -ECANCELED; in smack_inode_copy_up_xattr()
4907 return -EOPNOTSUPP; in smack_inode_copy_up_xattr()
4924 ntsp->smk_task = otsp->smk_task; in smack_dentry_create_files_as()
4929 isp = smack_inode(d_inode(dentry->d_parent)); in smack_dentry_create_files_as()
4931 if (isp->smk_flags & SMK_INODE_TRANSMUTE) { in smack_dentry_create_files_as()
4933 may = smk_access_entry(otsp->smk_task->smk_known, in smack_dentry_create_files_as()
4934 isp->smk_inode->smk_known, in smack_dentry_create_files_as()
4935 &otsp->smk_task->smk_rules); in smack_dentry_create_files_as()
4944 ntsp->smk_task = isp->smk_inode; in smack_dentry_create_files_as()
4945 ntsp->smk_transmuted = ntsp->smk_task; in smack_dentry_create_files_as()
4953 * smack_uring_override_creds - Is io_uring cred override allowed?
4968 if (tsp->smk_task == nsp->smk_task) in smack_uring_override_creds()
4974 return -EPERM; in smack_uring_override_creds()
4978 * smack_uring_sqpoll - check if an io_uring polling thread can be created
4988 return -EPERM; in smack_uring_sqpoll()
4992 * smack_uring_cmd - check on file operations for io_uring
5001 struct file *file = ioucmd->file; in smack_uring_cmd()
5008 return -EINVAL; in smack_uring_cmd()
5010 tsp = smack_cred(file->f_cred); in smack_uring_cmd()
5014 smk_ad_setfield_u_fs_path(&ad, file->f_path); in smack_uring_cmd()
5016 rc = smk_bu_credfile(file->f_cred, file, MAY_READ, rc); in smack_uring_cmd()
5231 * smack_init - initialize the smack system
5233 * Returns 0 on success, -ENOMEM if there's no memory
5237 struct cred *cred = (struct cred *) current->cred; in smack_init()
5242 return -ENOMEM; in smack_init()