1 // SPDX-License-Identifier: GPL-2.0-only 2 /* 3 * Simplified MAC Kernel (smack) security module 4 * 5 * This file contains the smack hook function implementations. 6 * 7 * Authors: 8 * Casey Schaufler <casey@schaufler-ca.com> 9 * Jarkko Sakkinen <jarkko.sakkinen@intel.com> 10 * 11 * Copyright (C) 2007 Casey Schaufler <casey@schaufler-ca.com> 12 * Copyright (C) 2009 Hewlett-Packard Development Company, L.P. 13 * Paul Moore <paul@paul-moore.com> 14 * Copyright (C) 2010 Nokia Corporation 15 * Copyright (C) 2011 Intel Corporation. 16 */ 17 18 #include <linux/xattr.h> 19 #include <linux/pagemap.h> 20 #include <linux/mount.h> 21 #include <linux/stat.h> 22 #include <linux/kd.h> 23 #include <asm/ioctls.h> 24 #include <linux/ip.h> 25 #include <linux/tcp.h> 26 #include <linux/udp.h> 27 #include <linux/icmpv6.h> 28 #include <linux/slab.h> 29 #include <linux/mutex.h> 30 #include <net/cipso_ipv4.h> 31 #include <net/ip.h> 32 #include <net/ipv6.h> 33 #include <linux/audit.h> 34 #include <linux/magic.h> 35 #include <linux/dcache.h> 36 #include <linux/personality.h> 37 #include <linux/msg.h> 38 #include <linux/shm.h> 39 #include <uapi/linux/shm.h> 40 #include <linux/binfmts.h> 41 #include <linux/parser.h> 42 #include <linux/fs_context.h> 43 #include <linux/fs_parser.h> 44 #include <linux/watch_queue.h> 45 #include <linux/io_uring/cmd.h> 46 #include <uapi/linux/lsm.h> 47 #include "smack.h" 48 49 #define TRANS_TRUE "TRUE" 50 #define TRANS_TRUE_SIZE 4 51 52 #define SMK_CONNECTING 0 53 #define SMK_RECEIVING 1 54 #define SMK_SENDING 2 55 56 /* 57 * Smack uses multiple xattrs. 58 * SMACK64 - for access control, 59 * SMACK64TRANSMUTE - label initialization, 60 * Not saved on files - SMACK64IPIN and SMACK64IPOUT, 61 * Must be set explicitly - SMACK64EXEC and SMACK64MMAP 62 */ 63 #define SMACK_INODE_INIT_XATTRS 2 64 65 #ifdef SMACK_IPV6_PORT_LABELING 66 static DEFINE_MUTEX(smack_ipv6_lock); 67 static LIST_HEAD(smk_ipv6_port_list); 68 #endif 69 struct kmem_cache *smack_rule_cache; 70 int smack_enabled __initdata; 71 72 #define A(s) {"smack"#s, sizeof("smack"#s) - 1, Opt_##s} 73 static struct { 74 const char *name; 75 int len; 76 int opt; 77 } smk_mount_opts[] = { 78 {"smackfsdef", sizeof("smackfsdef") - 1, Opt_fsdefault}, 79 A(fsdefault), A(fsfloor), A(fshat), A(fsroot), A(fstransmute) 80 }; 81 #undef A 82 83 static int match_opt_prefix(char *s, int l, char **arg) 84 { 85 int i; 86 87 for (i = 0; i < ARRAY_SIZE(smk_mount_opts); i++) { 88 size_t len = smk_mount_opts[i].len; 89 if (len > l || memcmp(s, smk_mount_opts[i].name, len)) 90 continue; 91 if (len == l || s[len] != '=') 92 continue; 93 *arg = s + len + 1; 94 return smk_mount_opts[i].opt; 95 } 96 return Opt_error; 97 } 98 99 #ifdef CONFIG_SECURITY_SMACK_BRINGUP 100 static char *smk_bu_mess[] = { 101 "Bringup Error", /* Unused */ 102 "Bringup", /* SMACK_BRINGUP_ALLOW */ 103 "Unconfined Subject", /* SMACK_UNCONFINED_SUBJECT */ 104 "Unconfined Object", /* SMACK_UNCONFINED_OBJECT */ 105 }; 106 107 static void smk_bu_mode(int mode, char *s) 108 { 109 smack_str_from_perm(s, mode); 110 } 111 #endif 112 113 #ifdef CONFIG_SECURITY_SMACK_BRINGUP 114 static int smk_bu_note(char *note, struct smack_known *sskp, 115 struct smack_known *oskp, int mode, int rc) 116 { 117 char acc[SMK_NUM_ACCESS_TYPE + 1]; 118 119 if (rc <= 0) 120 return rc; 121 if (rc > SMACK_UNCONFINED_OBJECT) 122 rc = 0; 123 124 smk_bu_mode(mode, acc); 125 pr_info("Smack %s: (%s %s %s) %s\n", smk_bu_mess[rc], 126 sskp->smk_known, oskp->smk_known, acc, note); 127 return 0; 128 } 129 #else 130 #define smk_bu_note(note, sskp, oskp, mode, RC) (RC) 131 #endif 132 133 #ifdef CONFIG_SECURITY_SMACK_BRINGUP 134 static int smk_bu_current(char *note, struct smack_known *oskp, 135 int mode, int rc) 136 { 137 struct task_smack *tsp = smack_cred(current_cred()); 138 char acc[SMK_NUM_ACCESS_TYPE + 1]; 139 140 if (rc <= 0) 141 return rc; 142 if (rc > SMACK_UNCONFINED_OBJECT) 143 rc = 0; 144 145 smk_bu_mode(mode, acc); 146 pr_info("Smack %s: (%s %s %s) %s %s\n", smk_bu_mess[rc], 147 tsp->smk_task->smk_known, oskp->smk_known, 148 acc, current->comm, note); 149 return 0; 150 } 151 #else 152 #define smk_bu_current(note, oskp, mode, RC) (RC) 153 #endif 154 155 #ifdef CONFIG_SECURITY_SMACK_BRINGUP 156 static int smk_bu_task(struct task_struct *otp, int mode, int rc) 157 { 158 struct task_smack *tsp = smack_cred(current_cred()); 159 struct smack_known *smk_task = smk_of_task_struct_obj(otp); 160 char acc[SMK_NUM_ACCESS_TYPE + 1]; 161 162 if (rc <= 0) 163 return rc; 164 if (rc > SMACK_UNCONFINED_OBJECT) 165 rc = 0; 166 167 smk_bu_mode(mode, acc); 168 pr_info("Smack %s: (%s %s %s) %s to %s\n", smk_bu_mess[rc], 169 tsp->smk_task->smk_known, smk_task->smk_known, acc, 170 current->comm, otp->comm); 171 return 0; 172 } 173 #else 174 #define smk_bu_task(otp, mode, RC) (RC) 175 #endif 176 177 #ifdef CONFIG_SECURITY_SMACK_BRINGUP 178 static int smk_bu_inode(struct inode *inode, int mode, int rc) 179 { 180 struct task_smack *tsp = smack_cred(current_cred()); 181 struct inode_smack *isp = smack_inode(inode); 182 char acc[SMK_NUM_ACCESS_TYPE + 1]; 183 184 if (isp->smk_flags & SMK_INODE_IMPURE) 185 pr_info("Smack Unconfined Corruption: inode=(%s %llu) %s\n", 186 inode->i_sb->s_id, inode->i_ino, current->comm); 187 188 if (rc <= 0) 189 return rc; 190 if (rc > SMACK_UNCONFINED_OBJECT) 191 rc = 0; 192 if (rc == SMACK_UNCONFINED_SUBJECT && 193 (mode & (MAY_WRITE | MAY_APPEND))) 194 isp->smk_flags |= SMK_INODE_IMPURE; 195 196 smk_bu_mode(mode, acc); 197 198 pr_info("Smack %s: (%s %s %s) inode=(%s %llu) %s\n", smk_bu_mess[rc], 199 tsp->smk_task->smk_known, isp->smk_inode->smk_known, acc, 200 inode->i_sb->s_id, inode->i_ino, current->comm); 201 return 0; 202 } 203 #else 204 #define smk_bu_inode(inode, mode, RC) (RC) 205 #endif 206 207 #ifdef CONFIG_SECURITY_SMACK_BRINGUP 208 static int smk_bu_file(struct file *file, int mode, int rc) 209 { 210 struct task_smack *tsp = smack_cred(current_cred()); 211 struct smack_known *sskp = tsp->smk_task; 212 struct inode *inode = file_inode(file); 213 struct inode_smack *isp = smack_inode(inode); 214 char acc[SMK_NUM_ACCESS_TYPE + 1]; 215 216 if (isp->smk_flags & SMK_INODE_IMPURE) 217 pr_info("Smack Unconfined Corruption: inode=(%s %llu) %s\n", 218 inode->i_sb->s_id, inode->i_ino, current->comm); 219 220 if (rc <= 0) 221 return rc; 222 if (rc > SMACK_UNCONFINED_OBJECT) 223 rc = 0; 224 225 smk_bu_mode(mode, acc); 226 pr_info("Smack %s: (%s %s %s) file=(%s %llu %pD) %s\n", smk_bu_mess[rc], 227 sskp->smk_known, smk_of_inode(inode)->smk_known, acc, 228 inode->i_sb->s_id, inode->i_ino, file, 229 current->comm); 230 return 0; 231 } 232 #else 233 #define smk_bu_file(file, mode, RC) (RC) 234 #endif 235 236 #ifdef CONFIG_SECURITY_SMACK_BRINGUP 237 static int smk_bu_credfile(const struct cred *cred, struct file *file, 238 int mode, int rc) 239 { 240 struct task_smack *tsp = smack_cred(cred); 241 struct smack_known *sskp = tsp->smk_task; 242 struct inode *inode = file_inode(file); 243 struct inode_smack *isp = smack_inode(inode); 244 char acc[SMK_NUM_ACCESS_TYPE + 1]; 245 246 if (isp->smk_flags & SMK_INODE_IMPURE) 247 pr_info("Smack Unconfined Corruption: inode=(%s %llu) %s\n", 248 inode->i_sb->s_id, inode->i_ino, current->comm); 249 250 if (rc <= 0) 251 return rc; 252 if (rc > SMACK_UNCONFINED_OBJECT) 253 rc = 0; 254 255 smk_bu_mode(mode, acc); 256 pr_info("Smack %s: (%s %s %s) file=(%s %llu %pD) %s\n", smk_bu_mess[rc], 257 sskp->smk_known, smk_of_inode(inode)->smk_known, acc, 258 inode->i_sb->s_id, inode->i_ino, file, 259 current->comm); 260 return 0; 261 } 262 #else 263 #define smk_bu_credfile(cred, file, mode, RC) (RC) 264 #endif 265 266 /** 267 * smk_fetch - Fetch the smack label from a file. 268 * @name: type of the label (attribute) 269 * @ip: a pointer to the inode 270 * @dp: a pointer to the dentry 271 * 272 * Returns a pointer to the master list entry for the Smack label, 273 * NULL if there was no label to fetch, or an error code. 274 */ 275 static struct smack_known *smk_fetch(const char *name, struct inode *ip, 276 struct dentry *dp) 277 { 278 int rc; 279 char *buffer; 280 struct smack_known *skp = NULL; 281 282 if (!(ip->i_opflags & IOP_XATTR)) 283 return ERR_PTR(-EOPNOTSUPP); 284 285 buffer = kzalloc(SMK_LONGLABEL, GFP_NOFS); 286 if (buffer == NULL) 287 return ERR_PTR(-ENOMEM); 288 289 rc = __vfs_getxattr(dp, ip, name, buffer, SMK_LONGLABEL); 290 if (rc < 0) 291 skp = ERR_PTR(rc); 292 else if (rc == 0) 293 skp = NULL; 294 else 295 skp = smk_import_entry(buffer, rc); 296 297 kfree(buffer); 298 299 return skp; 300 } 301 302 /** 303 * init_inode_smack - initialize an inode security blob 304 * @inode: inode to extract the info from 305 * @skp: a pointer to the Smack label entry to use in the blob 306 * 307 */ 308 static void init_inode_smack(struct inode *inode, struct smack_known *skp) 309 { 310 struct inode_smack *isp = smack_inode(inode); 311 312 isp->smk_inode = skp; 313 isp->smk_flags = 0; 314 } 315 316 /** 317 * init_task_smack - initialize a task security blob 318 * @tsp: blob to initialize 319 * @task: a pointer to the Smack label for the running task 320 * @forked: a pointer to the Smack label for the forked task 321 * 322 */ 323 static void init_task_smack(struct task_smack *tsp, struct smack_known *task, 324 struct smack_known *forked) 325 { 326 tsp->smk_task = task; 327 tsp->smk_forked = forked; 328 INIT_LIST_HEAD(&tsp->smk_rules); 329 INIT_LIST_HEAD(&tsp->smk_relabel); 330 mutex_init(&tsp->smk_rules_lock); 331 } 332 333 /** 334 * smk_copy_rules - copy a rule set 335 * @nhead: new rules header pointer 336 * @ohead: old rules header pointer 337 * @gfp: type of the memory for the allocation 338 * 339 * Returns 0 on success, -ENOMEM on error 340 */ 341 static int smk_copy_rules(struct list_head *nhead, struct list_head *ohead, 342 gfp_t gfp) 343 { 344 struct smack_rule *nrp; 345 struct smack_rule *orp; 346 int rc = 0; 347 348 list_for_each_entry_rcu(orp, ohead, list) { 349 nrp = kmem_cache_zalloc(smack_rule_cache, gfp); 350 if (nrp == NULL) { 351 rc = -ENOMEM; 352 break; 353 } 354 *nrp = *orp; 355 list_add_rcu(&nrp->list, nhead); 356 } 357 return rc; 358 } 359 360 /** 361 * smk_copy_relabel - copy smk_relabel labels list 362 * @nhead: new rules header pointer 363 * @ohead: old rules header pointer 364 * @gfp: type of the memory for the allocation 365 * 366 * Returns 0 on success, -ENOMEM on error 367 */ 368 static int smk_copy_relabel(struct list_head *nhead, struct list_head *ohead, 369 gfp_t gfp) 370 { 371 struct smack_known_list_elem *nklep; 372 struct smack_known_list_elem *oklep; 373 374 list_for_each_entry(oklep, ohead, list) { 375 nklep = kzalloc_obj(struct smack_known_list_elem, gfp); 376 if (nklep == NULL) { 377 smk_destroy_label_list(nhead); 378 return -ENOMEM; 379 } 380 nklep->smk_label = oklep->smk_label; 381 list_add(&nklep->list, nhead); 382 } 383 384 return 0; 385 } 386 387 /** 388 * smk_ptrace_mode - helper function for converting PTRACE_MODE_* into MAY_* 389 * @mode: input mode in form of PTRACE_MODE_* 390 * 391 * Returns a converted MAY_* mode usable by smack rules 392 */ 393 static inline unsigned int smk_ptrace_mode(unsigned int mode) 394 { 395 if (mode & PTRACE_MODE_ATTACH) 396 return MAY_READWRITE; 397 if (mode & PTRACE_MODE_READ) 398 return MAY_READ; 399 400 return 0; 401 } 402 403 /** 404 * smk_ptrace_rule_check - helper for ptrace access 405 * @tracer: tracer process 406 * @tracee_known: label entry of the process that's about to be traced 407 * @mode: ptrace attachment mode (PTRACE_MODE_*) 408 * @func: name of the function that called us, used for audit 409 * 410 * Returns 0 on access granted, -error on error 411 */ 412 static int smk_ptrace_rule_check(struct task_struct *tracer, 413 struct smack_known *tracee_known, 414 unsigned int mode, const char *func) 415 { 416 int rc; 417 struct smk_audit_info ad, *saip = NULL; 418 struct task_smack *tsp; 419 struct smack_known *tracer_known; 420 const struct cred *tracercred; 421 422 if ((mode & PTRACE_MODE_NOAUDIT) == 0) { 423 smk_ad_init(&ad, func, LSM_AUDIT_DATA_TASK); 424 smk_ad_setfield_u_tsk(&ad, tracer); 425 saip = &ad; 426 } 427 428 rcu_read_lock(); 429 tracercred = __task_cred(tracer); 430 tsp = smack_cred(tracercred); 431 tracer_known = smk_of_task(tsp); 432 433 if ((mode & PTRACE_MODE_ATTACH) && 434 (smack_ptrace_rule == SMACK_PTRACE_EXACT || 435 smack_ptrace_rule == SMACK_PTRACE_DRACONIAN)) { 436 if (tracer_known->smk_known == tracee_known->smk_known) 437 rc = 0; 438 else if (smack_ptrace_rule == SMACK_PTRACE_DRACONIAN) 439 rc = -EACCES; 440 else if (smack_privileged_cred(CAP_SYS_PTRACE, tracercred)) 441 rc = 0; 442 else 443 rc = -EACCES; 444 445 if (saip) 446 smack_log(tracer_known->smk_known, 447 tracee_known->smk_known, 448 0, rc, saip); 449 450 rcu_read_unlock(); 451 return rc; 452 } 453 454 /* In case of rule==SMACK_PTRACE_DEFAULT or mode==PTRACE_MODE_READ */ 455 rc = smk_tskacc(tsp, tracee_known, smk_ptrace_mode(mode), saip); 456 457 rcu_read_unlock(); 458 return rc; 459 } 460 461 /* 462 * LSM hooks. 463 * We he, that is fun! 464 */ 465 466 /** 467 * smack_ptrace_access_check - Smack approval on PTRACE_ATTACH 468 * @ctp: child task pointer 469 * @mode: ptrace attachment mode (PTRACE_MODE_*) 470 * 471 * Returns 0 if access is OK, an error code otherwise 472 * 473 * Do the capability checks. 474 */ 475 static int smack_ptrace_access_check(struct task_struct *ctp, unsigned int mode) 476 { 477 struct smack_known *skp; 478 479 skp = smk_of_task_struct_obj(ctp); 480 481 return smk_ptrace_rule_check(current, skp, mode, __func__); 482 } 483 484 /** 485 * smack_ptrace_traceme - Smack approval on PTRACE_TRACEME 486 * @ptp: parent task pointer 487 * 488 * Returns 0 if access is OK, an error code otherwise 489 * 490 * Do the capability checks, and require PTRACE_MODE_ATTACH. 491 */ 492 static int smack_ptrace_traceme(struct task_struct *ptp) 493 { 494 struct smack_known *skp; 495 496 skp = smk_of_task(smack_cred(current_cred())); 497 498 return smk_ptrace_rule_check(ptp, skp, PTRACE_MODE_ATTACH, __func__); 499 } 500 501 /** 502 * smack_syslog - Smack approval on syslog 503 * @typefrom_file: unused 504 * 505 * Returns 0 on success, error code otherwise. 506 */ 507 static int smack_syslog(int typefrom_file) 508 { 509 int rc = 0; 510 struct smack_known *skp = smk_of_current(); 511 512 if (smack_privileged(CAP_MAC_OVERRIDE)) 513 return 0; 514 515 if (smack_syslog_label != NULL && smack_syslog_label != skp) 516 rc = -EACCES; 517 518 return rc; 519 } 520 521 /* 522 * Superblock Hooks. 523 */ 524 525 /** 526 * smack_sb_alloc_security - allocate a superblock blob 527 * @sb: the superblock getting the blob 528 * 529 * Returns 0 on success or -ENOMEM on error. 530 */ 531 static int smack_sb_alloc_security(struct super_block *sb) 532 { 533 struct superblock_smack *sbsp = smack_superblock(sb); 534 535 sbsp->smk_root = &smack_known_floor; 536 sbsp->smk_default = &smack_known_floor; 537 sbsp->smk_floor = &smack_known_floor; 538 sbsp->smk_hat = &smack_known_hat; 539 /* 540 * SMK_SB_INITIALIZED will be zero from kzalloc. 541 */ 542 543 return 0; 544 } 545 546 struct smack_mnt_opts { 547 const char *fsdefault; 548 const char *fsfloor; 549 const char *fshat; 550 const char *fsroot; 551 const char *fstransmute; 552 }; 553 554 static void smack_free_mnt_opts(void *mnt_opts) 555 { 556 kfree(mnt_opts); 557 } 558 559 static int smack_add_opt(int token, const char *s, void **mnt_opts) 560 { 561 struct smack_mnt_opts *opts = *mnt_opts; 562 struct smack_known *skp; 563 564 if (!opts) { 565 opts = kzalloc_obj(struct smack_mnt_opts); 566 if (!opts) 567 return -ENOMEM; 568 *mnt_opts = opts; 569 } 570 if (!s) 571 return -ENOMEM; 572 573 skp = smk_import_entry(s, 0); 574 if (IS_ERR(skp)) 575 return PTR_ERR(skp); 576 577 switch (token) { 578 case Opt_fsdefault: 579 if (opts->fsdefault) 580 goto out_opt_err; 581 opts->fsdefault = skp->smk_known; 582 break; 583 case Opt_fsfloor: 584 if (opts->fsfloor) 585 goto out_opt_err; 586 opts->fsfloor = skp->smk_known; 587 break; 588 case Opt_fshat: 589 if (opts->fshat) 590 goto out_opt_err; 591 opts->fshat = skp->smk_known; 592 break; 593 case Opt_fsroot: 594 if (opts->fsroot) 595 goto out_opt_err; 596 opts->fsroot = skp->smk_known; 597 break; 598 case Opt_fstransmute: 599 if (opts->fstransmute) 600 goto out_opt_err; 601 opts->fstransmute = skp->smk_known; 602 break; 603 } 604 return 0; 605 606 out_opt_err: 607 pr_warn("Smack: duplicate mount options\n"); 608 return -EINVAL; 609 } 610 611 /** 612 * smack_fs_context_submount - Initialise security data for a filesystem context 613 * @fc: The filesystem context. 614 * @reference: reference superblock 615 * 616 * Returns 0 on success or -ENOMEM on error. 617 */ 618 static int smack_fs_context_submount(struct fs_context *fc, 619 struct super_block *reference) 620 { 621 struct superblock_smack *sbsp; 622 struct smack_mnt_opts *ctx; 623 struct inode_smack *isp; 624 625 ctx = kzalloc_obj(*ctx); 626 if (!ctx) 627 return -ENOMEM; 628 fc->security = ctx; 629 630 sbsp = smack_superblock(reference); 631 isp = smack_inode(reference->s_root->d_inode); 632 633 if (sbsp->smk_default) { 634 ctx->fsdefault = kstrdup(sbsp->smk_default->smk_known, GFP_KERNEL); 635 if (!ctx->fsdefault) 636 return -ENOMEM; 637 } 638 639 if (sbsp->smk_floor) { 640 ctx->fsfloor = kstrdup(sbsp->smk_floor->smk_known, GFP_KERNEL); 641 if (!ctx->fsfloor) 642 return -ENOMEM; 643 } 644 645 if (sbsp->smk_hat) { 646 ctx->fshat = kstrdup(sbsp->smk_hat->smk_known, GFP_KERNEL); 647 if (!ctx->fshat) 648 return -ENOMEM; 649 } 650 651 if (isp->smk_flags & SMK_INODE_TRANSMUTE) { 652 if (sbsp->smk_root) { 653 ctx->fstransmute = kstrdup(sbsp->smk_root->smk_known, GFP_KERNEL); 654 if (!ctx->fstransmute) 655 return -ENOMEM; 656 } 657 } 658 return 0; 659 } 660 661 /** 662 * smack_fs_context_dup - Duplicate the security data on fs_context duplication 663 * @fc: The new filesystem context. 664 * @src_fc: The source filesystem context being duplicated. 665 * 666 * Returns 0 on success or -ENOMEM on error. 667 */ 668 static int smack_fs_context_dup(struct fs_context *fc, 669 struct fs_context *src_fc) 670 { 671 struct smack_mnt_opts *dst, *src = src_fc->security; 672 673 if (!src) 674 return 0; 675 676 fc->security = kzalloc_obj(struct smack_mnt_opts); 677 if (!fc->security) 678 return -ENOMEM; 679 680 dst = fc->security; 681 dst->fsdefault = src->fsdefault; 682 dst->fsfloor = src->fsfloor; 683 dst->fshat = src->fshat; 684 dst->fsroot = src->fsroot; 685 dst->fstransmute = src->fstransmute; 686 687 return 0; 688 } 689 690 static const struct fs_parameter_spec smack_fs_parameters[] = { 691 fsparam_string("smackfsdef", Opt_fsdefault), 692 fsparam_string("smackfsdefault", Opt_fsdefault), 693 fsparam_string("smackfsfloor", Opt_fsfloor), 694 fsparam_string("smackfshat", Opt_fshat), 695 fsparam_string("smackfsroot", Opt_fsroot), 696 fsparam_string("smackfstransmute", Opt_fstransmute), 697 {} 698 }; 699 700 /** 701 * smack_fs_context_parse_param - Parse a single mount parameter 702 * @fc: The new filesystem context being constructed. 703 * @param: The parameter. 704 * 705 * Returns 0 on success, -ENOPARAM to pass the parameter on or anything else on 706 * error. 707 */ 708 static int smack_fs_context_parse_param(struct fs_context *fc, 709 struct fs_parameter *param) 710 { 711 struct fs_parse_result result; 712 int opt, rc; 713 714 opt = fs_parse(fc, smack_fs_parameters, param, &result); 715 if (opt < 0) 716 return opt; 717 718 rc = smack_add_opt(opt, param->string, &fc->security); 719 if (!rc) 720 param->string = NULL; 721 return rc; 722 } 723 724 static int smack_sb_eat_lsm_opts(char *options, void **mnt_opts) 725 { 726 char *from = options, *to = options; 727 bool first = true; 728 729 while (1) { 730 char *next = strchr(from, ','); 731 int token, len, rc; 732 char *arg = NULL; 733 734 if (next) 735 len = next - from; 736 else 737 len = strlen(from); 738 739 token = match_opt_prefix(from, len, &arg); 740 if (token != Opt_error) { 741 arg = kmemdup_nul(arg, from + len - arg, GFP_KERNEL); 742 rc = smack_add_opt(token, arg, mnt_opts); 743 kfree(arg); 744 if (unlikely(rc)) { 745 if (*mnt_opts) 746 smack_free_mnt_opts(*mnt_opts); 747 *mnt_opts = NULL; 748 return rc; 749 } 750 } else { 751 if (!first) { // copy with preceding comma 752 from--; 753 len++; 754 } 755 if (to != from) 756 memmove(to, from, len); 757 to += len; 758 first = false; 759 } 760 if (!from[len]) 761 break; 762 from += len + 1; 763 } 764 *to = '\0'; 765 return 0; 766 } 767 768 /** 769 * smack_set_mnt_opts - set Smack specific mount options 770 * @sb: the file system superblock 771 * @mnt_opts: Smack mount options 772 * @kern_flags: mount option from kernel space or user space 773 * @set_kern_flags: where to store converted mount opts 774 * 775 * Returns 0 on success, an error code on failure 776 * 777 * Allow filesystems with binary mount data to explicitly set Smack mount 778 * labels. 779 */ 780 static int smack_set_mnt_opts(struct super_block *sb, 781 void *mnt_opts, 782 unsigned long kern_flags, 783 unsigned long *set_kern_flags) 784 { 785 struct dentry *root = sb->s_root; 786 struct inode *inode = d_backing_inode(root); 787 struct superblock_smack *sp = smack_superblock(sb); 788 struct inode_smack *isp; 789 struct smack_known *skp; 790 struct smack_mnt_opts *opts = mnt_opts; 791 bool transmute = false; 792 793 if (sp->smk_flags & SMK_SB_INITIALIZED) 794 return 0; 795 796 if (!smack_privileged(CAP_MAC_ADMIN)) { 797 /* 798 * Unprivileged mounts don't get to specify Smack values. 799 */ 800 if (opts) 801 return -EPERM; 802 /* 803 * Unprivileged mounts get root and default from the caller. 804 */ 805 skp = smk_of_current(); 806 sp->smk_root = skp; 807 sp->smk_default = skp; 808 /* 809 * For a handful of fs types with no user-controlled 810 * backing store it's okay to trust security labels 811 * in the filesystem. The rest are untrusted. 812 */ 813 if (sb->s_user_ns != &init_user_ns && 814 sb->s_magic != SYSFS_MAGIC && sb->s_magic != TMPFS_MAGIC && 815 sb->s_magic != RAMFS_MAGIC) { 816 transmute = true; 817 sp->smk_flags |= SMK_SB_UNTRUSTED; 818 } 819 } 820 821 sp->smk_flags |= SMK_SB_INITIALIZED; 822 823 if (opts) { 824 if (opts->fsdefault) { 825 skp = smk_import_entry(opts->fsdefault, 0); 826 if (IS_ERR(skp)) 827 return PTR_ERR(skp); 828 sp->smk_default = skp; 829 } 830 if (opts->fsfloor) { 831 skp = smk_import_entry(opts->fsfloor, 0); 832 if (IS_ERR(skp)) 833 return PTR_ERR(skp); 834 sp->smk_floor = skp; 835 } 836 if (opts->fshat) { 837 skp = smk_import_entry(opts->fshat, 0); 838 if (IS_ERR(skp)) 839 return PTR_ERR(skp); 840 sp->smk_hat = skp; 841 } 842 if (opts->fsroot) { 843 skp = smk_import_entry(opts->fsroot, 0); 844 if (IS_ERR(skp)) 845 return PTR_ERR(skp); 846 sp->smk_root = skp; 847 } 848 if (opts->fstransmute) { 849 skp = smk_import_entry(opts->fstransmute, 0); 850 if (IS_ERR(skp)) 851 return PTR_ERR(skp); 852 sp->smk_root = skp; 853 transmute = true; 854 } 855 } 856 857 /* 858 * Initialize the root inode. 859 */ 860 init_inode_smack(inode, sp->smk_root); 861 862 if (transmute) { 863 isp = smack_inode(inode); 864 isp->smk_flags |= SMK_INODE_TRANSMUTE; 865 } 866 867 return 0; 868 } 869 870 /** 871 * smack_sb_statfs - Smack check on statfs 872 * @dentry: identifies the file system in question 873 * 874 * Returns 0 if current can read the floor of the filesystem, 875 * and error code otherwise 876 */ 877 static int smack_sb_statfs(struct dentry *dentry) 878 { 879 struct superblock_smack *sbp = smack_superblock(dentry->d_sb); 880 int rc; 881 struct smk_audit_info ad; 882 883 smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_DENTRY); 884 smk_ad_setfield_u_fs_path_dentry(&ad, dentry); 885 886 rc = smk_curacc(sbp->smk_floor, MAY_READ, &ad); 887 rc = smk_bu_current("statfs", sbp->smk_floor, MAY_READ, rc); 888 return rc; 889 } 890 891 /* 892 * BPRM hooks 893 */ 894 895 /** 896 * smack_bprm_creds_for_exec - Update bprm->cred if needed for exec 897 * @bprm: the exec information 898 * 899 * Returns 0 if it gets a blob, -EPERM if exec forbidden and -ENOMEM otherwise 900 */ 901 static int smack_bprm_creds_for_exec(struct linux_binprm *bprm) 902 { 903 struct inode *inode = file_inode(bprm->file); 904 struct task_smack *bsp = smack_cred(bprm->cred); 905 struct inode_smack *isp; 906 struct superblock_smack *sbsp; 907 int rc; 908 909 isp = smack_inode(inode); 910 if (isp->smk_task == NULL || isp->smk_task == bsp->smk_task) 911 return 0; 912 913 sbsp = smack_superblock(inode->i_sb); 914 if ((sbsp->smk_flags & SMK_SB_UNTRUSTED) && 915 isp->smk_task != sbsp->smk_root) 916 return 0; 917 918 if (bprm->unsafe & LSM_UNSAFE_PTRACE) { 919 struct task_struct *tracer; 920 rc = 0; 921 922 rcu_read_lock(); 923 tracer = ptrace_parent(current); 924 if (likely(tracer != NULL)) 925 rc = smk_ptrace_rule_check(tracer, 926 isp->smk_task, 927 PTRACE_MODE_ATTACH, 928 __func__); 929 rcu_read_unlock(); 930 931 if (rc != 0) 932 return rc; 933 } 934 if (bprm->unsafe & ~LSM_UNSAFE_PTRACE) 935 return -EPERM; 936 937 bsp->smk_task = isp->smk_task; 938 bprm->per_clear |= PER_CLEAR_ON_SETID; 939 940 /* Decide if this is a secure exec. */ 941 if (bsp->smk_task != bsp->smk_forked) 942 bprm->secureexec = 1; 943 944 return 0; 945 } 946 947 /* 948 * Inode hooks 949 */ 950 951 /** 952 * smack_inode_alloc_security - allocate an inode blob 953 * @inode: the inode in need of a blob 954 * 955 * Returns 0 956 */ 957 static int smack_inode_alloc_security(struct inode *inode) 958 { 959 struct smack_known *skp = smk_of_current(); 960 961 init_inode_smack(inode, skp); 962 return 0; 963 } 964 965 /** 966 * smk_rule_transmutes - does access rule for (subject,object) contain 't'? 967 * @subject: a pointer to the subject's Smack label entry 968 * @object: a pointer to the object's Smack label entry 969 */ 970 static bool 971 smk_rule_transmutes(struct smack_known *subject, 972 const struct smack_known *object) 973 { 974 int may; 975 976 rcu_read_lock(); 977 may = smk_access_entry(subject->smk_known, object->smk_known, 978 &subject->smk_rules); 979 rcu_read_unlock(); 980 return (may > 0) && (may & MAY_TRANSMUTE); 981 } 982 983 static int 984 xattr_dupval(struct xattr *xattrs, int *xattr_count, 985 const char *name, const void *value, unsigned int vallen) 986 { 987 struct xattr * const xattr = lsm_get_xattr_slot(xattrs, xattr_count); 988 989 if (!xattr) 990 return 0; 991 992 xattr->value = kmemdup(value, vallen, GFP_NOFS); 993 if (!xattr->value) 994 return -ENOMEM; 995 996 xattr->value_len = vallen; 997 xattr->name = name; 998 return 0; 999 } 1000 1001 /** 1002 * smack_inode_init_security - copy out the smack from an inode 1003 * @inode: the newly created inode 1004 * @dir: containing directory object 1005 * @qstr: unused 1006 * @xattrs: where to put the attributes 1007 * @xattr_count: current number of LSM-provided xattrs (updated) 1008 * 1009 * Returns 0 if it all works out, -ENOMEM if there's no memory 1010 */ 1011 static int smack_inode_init_security(struct inode *inode, struct inode *dir, 1012 const struct qstr *qstr, 1013 struct xattr *xattrs, int *xattr_count) 1014 { 1015 struct task_smack *tsp = smack_cred(current_cred()); 1016 struct inode_smack * const issp = smack_inode(inode); 1017 struct smack_known *dsp = smk_of_inode(dir); 1018 int rc = 0; 1019 int transflag = 0; 1020 bool trans_cred; 1021 bool trans_rule; 1022 1023 /* 1024 * UNIX domain sockets use lower level socket data. Let 1025 * UDS inode have fixed * label to keep smack_inode_permission() calm 1026 * when called from unix_find_bsd() 1027 */ 1028 if (S_ISSOCK(inode->i_mode)) { 1029 /* forced label, no need to save to xattrs */ 1030 issp->smk_inode = &smack_known_star; 1031 goto instant_inode; 1032 } 1033 /* 1034 * If equal, transmuting already occurred in 1035 * smack_dentry_create_files_as(). No need to check again. 1036 */ 1037 trans_cred = (tsp->smk_task == tsp->smk_transmuted); 1038 if (!trans_cred) 1039 trans_rule = smk_rule_transmutes(smk_of_task(tsp), dsp); 1040 1041 /* 1042 * In addition to having smk_task equal to smk_transmuted, 1043 * if the access rule allows transmutation and the directory 1044 * requests transmutation then by all means transmute. 1045 * Mark the inode as changed. 1046 */ 1047 if (trans_cred || (trans_rule && smk_inode_transmutable(dir))) { 1048 /* 1049 * The caller of smack_dentry_create_files_as() 1050 * should have overridden the current cred, so the 1051 * inode label was already set correctly in 1052 * smack_inode_alloc_security(). 1053 */ 1054 if (!trans_cred) 1055 issp->smk_inode = dsp; 1056 1057 if (S_ISDIR(inode->i_mode)) { 1058 transflag = SMK_INODE_TRANSMUTE; 1059 1060 if (xattr_dupval(xattrs, xattr_count, 1061 XATTR_SMACK_TRANSMUTE, 1062 TRANS_TRUE, 1063 TRANS_TRUE_SIZE 1064 )) 1065 rc = -ENOMEM; 1066 } 1067 } 1068 1069 if (rc == 0) 1070 if (xattr_dupval(xattrs, xattr_count, 1071 XATTR_SMACK_SUFFIX, 1072 issp->smk_inode->smk_known, 1073 strlen(issp->smk_inode->smk_known) 1074 )) 1075 rc = -ENOMEM; 1076 instant_inode: 1077 issp->smk_flags |= (SMK_INODE_INSTANT | transflag); 1078 return rc; 1079 } 1080 1081 /** 1082 * smack_inode_link - Smack check on link 1083 * @old_dentry: the existing object 1084 * @dir: unused 1085 * @new_dentry: the new object 1086 * 1087 * Returns 0 if access is permitted, an error code otherwise 1088 */ 1089 static int smack_inode_link(struct dentry *old_dentry, struct inode *dir, 1090 struct dentry *new_dentry) 1091 { 1092 struct smack_known *isp; 1093 struct smk_audit_info ad; 1094 int rc; 1095 1096 smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_DENTRY); 1097 smk_ad_setfield_u_fs_path_dentry(&ad, old_dentry); 1098 1099 isp = smk_of_inode(d_backing_inode(old_dentry)); 1100 rc = smk_curacc(isp, MAY_WRITE, &ad); 1101 rc = smk_bu_inode(d_backing_inode(old_dentry), MAY_WRITE, rc); 1102 1103 if (rc == 0 && d_is_positive(new_dentry)) { 1104 isp = smk_of_inode(d_backing_inode(new_dentry)); 1105 smk_ad_setfield_u_fs_path_dentry(&ad, new_dentry); 1106 rc = smk_curacc(isp, MAY_WRITE, &ad); 1107 rc = smk_bu_inode(d_backing_inode(new_dentry), MAY_WRITE, rc); 1108 } 1109 1110 return rc; 1111 } 1112 1113 /** 1114 * smack_inode_unlink - Smack check on inode deletion 1115 * @dir: containing directory object 1116 * @dentry: file to unlink 1117 * 1118 * Returns 0 if current can write the containing directory 1119 * and the object, error code otherwise 1120 */ 1121 static int smack_inode_unlink(struct inode *dir, struct dentry *dentry) 1122 { 1123 struct inode *ip = d_backing_inode(dentry); 1124 struct smk_audit_info ad; 1125 int rc; 1126 1127 smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_DENTRY); 1128 smk_ad_setfield_u_fs_path_dentry(&ad, dentry); 1129 1130 /* 1131 * You need write access to the thing you're unlinking 1132 */ 1133 rc = smk_curacc(smk_of_inode(ip), MAY_WRITE, &ad); 1134 rc = smk_bu_inode(ip, MAY_WRITE, rc); 1135 if (rc == 0) { 1136 /* 1137 * You also need write access to the containing directory 1138 */ 1139 smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_INODE); 1140 smk_ad_setfield_u_fs_inode(&ad, dir); 1141 rc = smk_curacc(smk_of_inode(dir), MAY_WRITE, &ad); 1142 rc = smk_bu_inode(dir, MAY_WRITE, rc); 1143 } 1144 return rc; 1145 } 1146 1147 /** 1148 * smack_inode_rmdir - Smack check on directory deletion 1149 * @dir: containing directory object 1150 * @dentry: directory to unlink 1151 * 1152 * Returns 0 if current can write the containing directory 1153 * and the directory, error code otherwise 1154 */ 1155 static int smack_inode_rmdir(struct inode *dir, struct dentry *dentry) 1156 { 1157 struct smk_audit_info ad; 1158 int rc; 1159 1160 smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_DENTRY); 1161 smk_ad_setfield_u_fs_path_dentry(&ad, dentry); 1162 1163 /* 1164 * You need write access to the thing you're removing 1165 */ 1166 rc = smk_curacc(smk_of_inode(d_backing_inode(dentry)), MAY_WRITE, &ad); 1167 rc = smk_bu_inode(d_backing_inode(dentry), MAY_WRITE, rc); 1168 if (rc == 0) { 1169 /* 1170 * You also need write access to the containing directory 1171 */ 1172 smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_INODE); 1173 smk_ad_setfield_u_fs_inode(&ad, dir); 1174 rc = smk_curacc(smk_of_inode(dir), MAY_WRITE, &ad); 1175 rc = smk_bu_inode(dir, MAY_WRITE, rc); 1176 } 1177 1178 return rc; 1179 } 1180 1181 /** 1182 * smack_inode_rename - Smack check on rename 1183 * @old_inode: unused 1184 * @old_dentry: the old object 1185 * @new_inode: unused 1186 * @new_dentry: the new object 1187 * 1188 * Read and write access is required on both the old and 1189 * new directories. 1190 * 1191 * Returns 0 if access is permitted, an error code otherwise 1192 */ 1193 static int smack_inode_rename(struct inode *old_inode, 1194 struct dentry *old_dentry, 1195 struct inode *new_inode, 1196 struct dentry *new_dentry) 1197 { 1198 int rc; 1199 struct smack_known *isp; 1200 struct smk_audit_info ad; 1201 1202 smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_DENTRY); 1203 smk_ad_setfield_u_fs_path_dentry(&ad, old_dentry); 1204 1205 isp = smk_of_inode(d_backing_inode(old_dentry)); 1206 rc = smk_curacc(isp, MAY_READWRITE, &ad); 1207 rc = smk_bu_inode(d_backing_inode(old_dentry), MAY_READWRITE, rc); 1208 1209 if (rc == 0 && d_is_positive(new_dentry)) { 1210 isp = smk_of_inode(d_backing_inode(new_dentry)); 1211 smk_ad_setfield_u_fs_path_dentry(&ad, new_dentry); 1212 rc = smk_curacc(isp, MAY_READWRITE, &ad); 1213 rc = smk_bu_inode(d_backing_inode(new_dentry), MAY_READWRITE, rc); 1214 } 1215 return rc; 1216 } 1217 1218 /** 1219 * smack_inode_permission - Smack version of permission() 1220 * @inode: the inode in question 1221 * @mask: the access requested 1222 * 1223 * This is the important Smack hook. 1224 * 1225 * Returns 0 if access is permitted, an error code otherwise 1226 */ 1227 static int smack_inode_permission(struct inode *inode, int mask) 1228 { 1229 struct superblock_smack *sbsp = smack_superblock(inode->i_sb); 1230 struct smk_audit_info ad; 1231 int no_block = mask & MAY_NOT_BLOCK; 1232 int rc; 1233 1234 mask &= (MAY_READ|MAY_WRITE|MAY_EXEC|MAY_APPEND); 1235 /* 1236 * No permission to check. Existence test. Yup, it's there. 1237 */ 1238 if (mask == 0) 1239 return 0; 1240 1241 if (sbsp->smk_flags & SMK_SB_UNTRUSTED) { 1242 if (smk_of_inode(inode) != sbsp->smk_root) 1243 return -EACCES; 1244 } 1245 1246 /* May be droppable after audit */ 1247 if (no_block) 1248 return -ECHILD; 1249 smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_INODE); 1250 smk_ad_setfield_u_fs_inode(&ad, inode); 1251 rc = smk_curacc(smk_of_inode(inode), mask, &ad); 1252 rc = smk_bu_inode(inode, mask, rc); 1253 return rc; 1254 } 1255 1256 /** 1257 * smack_inode_setattr - Smack check for setting attributes 1258 * @idmap: idmap of the mount 1259 * @dentry: the object 1260 * @iattr: for the force flag 1261 * 1262 * Returns 0 if access is permitted, an error code otherwise 1263 */ 1264 static int smack_inode_setattr(struct mnt_idmap *idmap, struct dentry *dentry, 1265 struct iattr *iattr) 1266 { 1267 struct smk_audit_info ad; 1268 int rc; 1269 1270 /* 1271 * Need to allow for clearing the setuid bit. 1272 */ 1273 if (iattr->ia_valid & ATTR_FORCE) 1274 return 0; 1275 smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_DENTRY); 1276 smk_ad_setfield_u_fs_path_dentry(&ad, dentry); 1277 1278 rc = smk_curacc(smk_of_inode(d_backing_inode(dentry)), MAY_WRITE, &ad); 1279 rc = smk_bu_inode(d_backing_inode(dentry), MAY_WRITE, rc); 1280 return rc; 1281 } 1282 1283 /** 1284 * smack_inode_getattr - Smack check for getting attributes 1285 * @path: path to extract the info from 1286 * 1287 * Returns 0 if access is permitted, an error code otherwise 1288 */ 1289 static int smack_inode_getattr(const struct path *path) 1290 { 1291 struct smk_audit_info ad; 1292 struct inode *inode = d_backing_inode(path->dentry); 1293 int rc; 1294 1295 smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_PATH); 1296 smk_ad_setfield_u_fs_path(&ad, *path); 1297 rc = smk_curacc(smk_of_inode(inode), MAY_READ, &ad); 1298 rc = smk_bu_inode(inode, MAY_READ, rc); 1299 return rc; 1300 } 1301 1302 /** 1303 * smack_inode_xattr_skipcap - Skip the xattr capability checks? 1304 * @name: name of the xattr 1305 * 1306 * Returns 1 to indicate that Smack "owns" the access control rights to xattrs 1307 * named @name; the LSM layer should avoid enforcing any traditional 1308 * capability based access controls on this xattr. Returns 0 to indicate that 1309 * Smack does not "own" the access control rights to xattrs named @name and is 1310 * deferring to the LSM layer for further access controls, including capability 1311 * based controls. 1312 */ 1313 static int smack_inode_xattr_skipcap(const char *name) 1314 { 1315 if (strncmp(name, XATTR_SMACK_SUFFIX, strlen(XATTR_SMACK_SUFFIX))) 1316 return 0; 1317 1318 if (strcmp(name, XATTR_NAME_SMACK) == 0 || 1319 strcmp(name, XATTR_NAME_SMACKIPIN) == 0 || 1320 strcmp(name, XATTR_NAME_SMACKIPOUT) == 0 || 1321 strcmp(name, XATTR_NAME_SMACKEXEC) == 0 || 1322 strcmp(name, XATTR_NAME_SMACKMMAP) == 0 || 1323 strcmp(name, XATTR_NAME_SMACKTRANSMUTE) == 0) 1324 return 1; 1325 1326 return 0; 1327 } 1328 1329 /** 1330 * smack_inode_setxattr - Smack check for setting xattrs 1331 * @idmap: idmap of the mount 1332 * @dentry: the object 1333 * @name: name of the attribute 1334 * @value: value of the attribute 1335 * @size: size of the value 1336 * @flags: unused 1337 * 1338 * This protects the Smack attribute explicitly. 1339 * 1340 * Returns 0 if access is permitted, an error code otherwise 1341 */ 1342 static int smack_inode_setxattr(struct mnt_idmap *idmap, 1343 struct dentry *dentry, const char *name, 1344 const void *value, size_t size, int flags) 1345 { 1346 struct smk_audit_info ad; 1347 struct smack_known *skp; 1348 int check_priv = 0; 1349 int check_import = 0; 1350 int check_star = 0; 1351 int rc = 0; 1352 umode_t const i_mode = d_backing_inode(dentry)->i_mode; 1353 1354 /* 1355 * Check label validity here so import won't fail in post_setxattr 1356 */ 1357 if (strcmp(name, XATTR_NAME_SMACK) == 0) { 1358 /* 1359 * UDS inode has fixed label 1360 */ 1361 if (S_ISSOCK(i_mode)) { 1362 rc = -EINVAL; 1363 } else { 1364 check_priv = 1; 1365 check_import = 1; 1366 } 1367 } else if (strcmp(name, XATTR_NAME_SMACKIPIN) == 0 || 1368 strcmp(name, XATTR_NAME_SMACKIPOUT) == 0) { 1369 check_priv = 1; 1370 check_import = 1; 1371 } else if (strcmp(name, XATTR_NAME_SMACKEXEC) == 0 || 1372 strcmp(name, XATTR_NAME_SMACKMMAP) == 0) { 1373 check_priv = 1; 1374 check_import = 1; 1375 check_star = 1; 1376 } else if (strcmp(name, XATTR_NAME_SMACKTRANSMUTE) == 0) { 1377 check_priv = 1; 1378 if (!S_ISDIR(i_mode) || 1379 size != TRANS_TRUE_SIZE || 1380 strncmp(value, TRANS_TRUE, TRANS_TRUE_SIZE) != 0) 1381 rc = -EINVAL; 1382 } 1383 1384 if (check_priv && !smack_privileged(CAP_MAC_ADMIN)) 1385 rc = -EPERM; 1386 1387 if (rc == 0 && check_import) { 1388 skp = size ? smk_import_entry(value, size) : NULL; 1389 if (IS_ERR(skp)) 1390 rc = PTR_ERR(skp); 1391 else if (skp == NULL || (check_star && 1392 (skp == &smack_known_star || skp == &smack_known_web))) 1393 rc = -EINVAL; 1394 } 1395 1396 smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_DENTRY); 1397 smk_ad_setfield_u_fs_path_dentry(&ad, dentry); 1398 1399 if (rc == 0) { 1400 rc = smk_curacc(smk_of_inode(d_backing_inode(dentry)), MAY_WRITE, &ad); 1401 rc = smk_bu_inode(d_backing_inode(dentry), MAY_WRITE, rc); 1402 } 1403 1404 return rc; 1405 } 1406 1407 /** 1408 * smack_inode_post_setxattr - Apply the Smack update approved above 1409 * @dentry: object 1410 * @name: attribute name 1411 * @value: attribute value 1412 * @size: attribute size 1413 * @flags: unused 1414 * 1415 * Set the pointer in the inode blob to the entry found 1416 * in the master label list. 1417 */ 1418 static void smack_inode_post_setxattr(struct dentry *dentry, const char *name, 1419 const void *value, size_t size, int flags) 1420 { 1421 struct smack_known *skp; 1422 struct inode_smack *isp = smack_inode(d_backing_inode(dentry)); 1423 1424 if (strcmp(name, XATTR_NAME_SMACKTRANSMUTE) == 0) { 1425 isp->smk_flags |= SMK_INODE_TRANSMUTE; 1426 return; 1427 } 1428 1429 if (strcmp(name, XATTR_NAME_SMACK) == 0) { 1430 skp = smk_import_entry(value, size); 1431 if (!IS_ERR(skp)) 1432 isp->smk_inode = skp; 1433 } else if (strcmp(name, XATTR_NAME_SMACKEXEC) == 0) { 1434 skp = smk_import_entry(value, size); 1435 if (!IS_ERR(skp)) 1436 isp->smk_task = skp; 1437 } else if (strcmp(name, XATTR_NAME_SMACKMMAP) == 0) { 1438 skp = smk_import_entry(value, size); 1439 if (!IS_ERR(skp)) 1440 isp->smk_mmap = skp; 1441 } 1442 1443 return; 1444 } 1445 1446 /** 1447 * smack_inode_getxattr - Smack check on getxattr 1448 * @dentry: the object 1449 * @name: unused 1450 * 1451 * Returns 0 if access is permitted, an error code otherwise 1452 */ 1453 static int smack_inode_getxattr(struct dentry *dentry, const char *name) 1454 { 1455 struct smk_audit_info ad; 1456 int rc; 1457 1458 smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_DENTRY); 1459 smk_ad_setfield_u_fs_path_dentry(&ad, dentry); 1460 1461 rc = smk_curacc(smk_of_inode(d_backing_inode(dentry)), MAY_READ, &ad); 1462 rc = smk_bu_inode(d_backing_inode(dentry), MAY_READ, rc); 1463 return rc; 1464 } 1465 1466 /** 1467 * smack_inode_removexattr - Smack check on removexattr 1468 * @idmap: idmap of the mount 1469 * @dentry: the object 1470 * @name: name of the attribute 1471 * 1472 * Removing the Smack attribute requires CAP_MAC_ADMIN 1473 * 1474 * Returns 0 if access is permitted, an error code otherwise 1475 */ 1476 static int smack_inode_removexattr(struct mnt_idmap *idmap, 1477 struct dentry *dentry, const char *name) 1478 { 1479 struct inode_smack *isp; 1480 struct smk_audit_info ad; 1481 int rc = 0; 1482 1483 if (strcmp(name, XATTR_NAME_SMACK) == 0 || 1484 strcmp(name, XATTR_NAME_SMACKIPIN) == 0 || 1485 strcmp(name, XATTR_NAME_SMACKIPOUT) == 0 || 1486 strcmp(name, XATTR_NAME_SMACKEXEC) == 0 || 1487 strcmp(name, XATTR_NAME_SMACKTRANSMUTE) == 0 || 1488 strcmp(name, XATTR_NAME_SMACKMMAP) == 0) { 1489 if (!smack_privileged(CAP_MAC_ADMIN)) 1490 rc = -EPERM; 1491 } 1492 1493 if (rc != 0) 1494 return rc; 1495 1496 smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_DENTRY); 1497 smk_ad_setfield_u_fs_path_dentry(&ad, dentry); 1498 1499 rc = smk_curacc(smk_of_inode(d_backing_inode(dentry)), MAY_WRITE, &ad); 1500 rc = smk_bu_inode(d_backing_inode(dentry), MAY_WRITE, rc); 1501 if (rc != 0) 1502 return rc; 1503 1504 isp = smack_inode(d_backing_inode(dentry)); 1505 /* 1506 * Don't do anything special for these. 1507 * XATTR_NAME_SMACKIPIN 1508 * XATTR_NAME_SMACKIPOUT 1509 * XATTR_NAME_SMACK if S_ISSOCK (UDS inode has fixed label) 1510 */ 1511 if (strcmp(name, XATTR_NAME_SMACK) == 0) { 1512 if (!S_ISSOCK(d_backing_inode(dentry)->i_mode)) { 1513 struct super_block *sbp = dentry->d_sb; 1514 struct superblock_smack *sbsp = smack_superblock(sbp); 1515 1516 isp->smk_inode = sbsp->smk_default; 1517 } 1518 } else if (strcmp(name, XATTR_NAME_SMACKEXEC) == 0) 1519 isp->smk_task = NULL; 1520 else if (strcmp(name, XATTR_NAME_SMACKMMAP) == 0) 1521 isp->smk_mmap = NULL; 1522 else if (strcmp(name, XATTR_NAME_SMACKTRANSMUTE) == 0) 1523 isp->smk_flags &= ~SMK_INODE_TRANSMUTE; 1524 1525 return 0; 1526 } 1527 1528 /** 1529 * smack_inode_set_acl - Smack check for setting posix acls 1530 * @idmap: idmap of the mnt this request came from 1531 * @dentry: the object 1532 * @acl_name: name of the posix acl 1533 * @kacl: the posix acls 1534 * 1535 * Returns 0 if access is permitted, an error code otherwise 1536 */ 1537 static int smack_inode_set_acl(struct mnt_idmap *idmap, 1538 struct dentry *dentry, const char *acl_name, 1539 struct posix_acl *kacl) 1540 { 1541 struct smk_audit_info ad; 1542 int rc; 1543 1544 smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_DENTRY); 1545 smk_ad_setfield_u_fs_path_dentry(&ad, dentry); 1546 1547 rc = smk_curacc(smk_of_inode(d_backing_inode(dentry)), MAY_WRITE, &ad); 1548 rc = smk_bu_inode(d_backing_inode(dentry), MAY_WRITE, rc); 1549 return rc; 1550 } 1551 1552 /** 1553 * smack_inode_get_acl - Smack check for getting posix acls 1554 * @idmap: idmap of the mnt this request came from 1555 * @dentry: the object 1556 * @acl_name: name of the posix acl 1557 * 1558 * Returns 0 if access is permitted, an error code otherwise 1559 */ 1560 static int smack_inode_get_acl(struct mnt_idmap *idmap, 1561 struct dentry *dentry, const char *acl_name) 1562 { 1563 struct smk_audit_info ad; 1564 int rc; 1565 1566 smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_DENTRY); 1567 smk_ad_setfield_u_fs_path_dentry(&ad, dentry); 1568 1569 rc = smk_curacc(smk_of_inode(d_backing_inode(dentry)), MAY_READ, &ad); 1570 rc = smk_bu_inode(d_backing_inode(dentry), MAY_READ, rc); 1571 return rc; 1572 } 1573 1574 /** 1575 * smack_inode_remove_acl - Smack check for getting posix acls 1576 * @idmap: idmap of the mnt this request came from 1577 * @dentry: the object 1578 * @acl_name: name of the posix acl 1579 * 1580 * Returns 0 if access is permitted, an error code otherwise 1581 */ 1582 static int smack_inode_remove_acl(struct mnt_idmap *idmap, 1583 struct dentry *dentry, const char *acl_name) 1584 { 1585 struct smk_audit_info ad; 1586 int rc; 1587 1588 smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_DENTRY); 1589 smk_ad_setfield_u_fs_path_dentry(&ad, dentry); 1590 1591 rc = smk_curacc(smk_of_inode(d_backing_inode(dentry)), MAY_WRITE, &ad); 1592 rc = smk_bu_inode(d_backing_inode(dentry), MAY_WRITE, rc); 1593 return rc; 1594 } 1595 1596 /** 1597 * smack_inode_getsecurity - get smack xattrs 1598 * @idmap: idmap of the mount 1599 * @inode: the object 1600 * @name: attribute name 1601 * @buffer: where to put the result 1602 * @alloc: duplicate memory 1603 * 1604 * Returns the size of the attribute or an error code 1605 */ 1606 static int smack_inode_getsecurity(struct mnt_idmap *idmap, 1607 struct inode *inode, const char *name, 1608 void **buffer, bool alloc) 1609 { 1610 struct socket_smack *ssp; 1611 struct socket *sock; 1612 struct super_block *sbp; 1613 struct inode *ip = inode; 1614 struct smack_known *isp; 1615 struct inode_smack *ispp; 1616 size_t label_len; 1617 char *label = NULL; 1618 1619 if (strcmp(name, XATTR_SMACK_SUFFIX) == 0) { 1620 isp = smk_of_inode(inode); 1621 } else if (strcmp(name, XATTR_SMACK_TRANSMUTE) == 0) { 1622 ispp = smack_inode(inode); 1623 if (ispp->smk_flags & SMK_INODE_TRANSMUTE) 1624 label = TRANS_TRUE; 1625 else 1626 label = ""; 1627 } else { 1628 /* 1629 * The rest of the Smack xattrs are only on sockets. 1630 */ 1631 sbp = ip->i_sb; 1632 if (sbp->s_magic != SOCKFS_MAGIC) 1633 return -EOPNOTSUPP; 1634 1635 sock = SOCKET_I(ip); 1636 if (sock == NULL || sock->sk == NULL) 1637 return -EOPNOTSUPP; 1638 1639 ssp = smack_sock(sock->sk); 1640 1641 if (strcmp(name, XATTR_SMACK_IPIN) == 0) 1642 isp = ssp->smk_in; 1643 else if (strcmp(name, XATTR_SMACK_IPOUT) == 0) 1644 isp = ssp->smk_out; 1645 else 1646 return -EOPNOTSUPP; 1647 } 1648 1649 if (!label) 1650 label = isp->smk_known; 1651 1652 label_len = strlen(label); 1653 1654 if (alloc) { 1655 *buffer = kstrdup(label, GFP_KERNEL); 1656 if (*buffer == NULL) 1657 return -ENOMEM; 1658 } 1659 1660 return label_len; 1661 } 1662 1663 1664 /** 1665 * smack_inode_listsecurity - list the Smack attributes 1666 * @inode: the object 1667 * @buffer: where they go 1668 * @remaining_size: size of buffer 1669 */ 1670 static int smack_inode_listsecurity(struct inode *inode, char **buffer, 1671 ssize_t *remaining_size) 1672 { 1673 return xattr_list_one(buffer, remaining_size, XATTR_NAME_SMACK); 1674 } 1675 1676 /** 1677 * smack_inode_getlsmprop - Extract inode's security id 1678 * @inode: inode to extract the info from 1679 * @prop: where result will be saved 1680 */ 1681 static void smack_inode_getlsmprop(struct inode *inode, struct lsm_prop *prop) 1682 { 1683 prop->smack.skp = smk_of_inode(inode); 1684 } 1685 1686 /* 1687 * File Hooks 1688 */ 1689 1690 /* 1691 * There is no smack_file_permission hook 1692 * 1693 * Should access checks be done on each read or write? 1694 * UNICOS and SELinux say yes. 1695 * Trusted Solaris, Trusted Irix, and just about everyone else says no. 1696 * 1697 * I'll say no for now. Smack does not do the frequent 1698 * label changing that SELinux does. 1699 */ 1700 1701 /** 1702 * smack_file_alloc_security - assign a file security blob 1703 * @file: the object 1704 * 1705 * The security blob for a file is a pointer to the master 1706 * label list, so no allocation is done. 1707 * 1708 * f_security is the owner security information. It 1709 * isn't used on file access checks, it's for send_sigio. 1710 * 1711 * Returns 0 1712 */ 1713 static int smack_file_alloc_security(struct file *file) 1714 { 1715 struct smack_known **blob = smack_file(file); 1716 1717 *blob = smk_of_current(); 1718 return 0; 1719 } 1720 1721 /** 1722 * smack_file_ioctl - Smack check on ioctls 1723 * @file: the object 1724 * @cmd: what to do 1725 * @arg: unused 1726 * 1727 * Relies heavily on the correct use of the ioctl command conventions. 1728 * 1729 * Returns 0 if allowed, error code otherwise 1730 */ 1731 static int smack_file_ioctl(struct file *file, unsigned int cmd, 1732 unsigned long arg) 1733 { 1734 int rc = 0; 1735 struct smk_audit_info ad; 1736 struct inode *inode = file_inode(file); 1737 1738 if (unlikely(IS_PRIVATE(inode))) 1739 return 0; 1740 1741 smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_PATH); 1742 smk_ad_setfield_u_fs_path(&ad, file->f_path); 1743 1744 if (_IOC_DIR(cmd) & _IOC_WRITE) { 1745 rc = smk_curacc(smk_of_inode(inode), MAY_WRITE, &ad); 1746 rc = smk_bu_file(file, MAY_WRITE, rc); 1747 } 1748 1749 if (rc == 0 && (_IOC_DIR(cmd) & _IOC_READ)) { 1750 rc = smk_curacc(smk_of_inode(inode), MAY_READ, &ad); 1751 rc = smk_bu_file(file, MAY_READ, rc); 1752 } 1753 1754 return rc; 1755 } 1756 1757 /** 1758 * smack_file_lock - Smack check on file locking 1759 * @file: the object 1760 * @cmd: unused 1761 * 1762 * Returns 0 if current has lock access, error code otherwise 1763 */ 1764 static int smack_file_lock(struct file *file, unsigned int cmd) 1765 { 1766 struct smk_audit_info ad; 1767 int rc; 1768 struct inode *inode = file_inode(file); 1769 1770 if (unlikely(IS_PRIVATE(inode))) 1771 return 0; 1772 1773 smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_PATH); 1774 smk_ad_setfield_u_fs_path(&ad, file->f_path); 1775 rc = smk_curacc(smk_of_inode(inode), MAY_LOCK, &ad); 1776 rc = smk_bu_file(file, MAY_LOCK, rc); 1777 return rc; 1778 } 1779 1780 /** 1781 * smack_file_fcntl - Smack check on fcntl 1782 * @file: the object 1783 * @cmd: what action to check 1784 * @arg: unused 1785 * 1786 * Generally these operations are harmless. 1787 * File locking operations present an obvious mechanism 1788 * for passing information, so they require write access. 1789 * 1790 * Returns 0 if current has access, error code otherwise 1791 */ 1792 static int smack_file_fcntl(struct file *file, unsigned int cmd, 1793 unsigned long arg) 1794 { 1795 struct smk_audit_info ad; 1796 int rc = 0; 1797 struct inode *inode = file_inode(file); 1798 1799 if (unlikely(IS_PRIVATE(inode))) 1800 return 0; 1801 1802 switch (cmd) { 1803 case F_GETLK: 1804 break; 1805 case F_SETLK: 1806 case F_SETLKW: 1807 smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_PATH); 1808 smk_ad_setfield_u_fs_path(&ad, file->f_path); 1809 rc = smk_curacc(smk_of_inode(inode), MAY_LOCK, &ad); 1810 rc = smk_bu_file(file, MAY_LOCK, rc); 1811 break; 1812 case F_SETOWN: 1813 case F_SETSIG: 1814 smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_PATH); 1815 smk_ad_setfield_u_fs_path(&ad, file->f_path); 1816 rc = smk_curacc(smk_of_inode(inode), MAY_WRITE, &ad); 1817 rc = smk_bu_file(file, MAY_WRITE, rc); 1818 break; 1819 default: 1820 break; 1821 } 1822 1823 return rc; 1824 } 1825 1826 /** 1827 * smack_mmap_file - Check permissions for a mmap operation. 1828 * @file: contains the file structure for file to map (may be NULL). 1829 * @reqprot: contains the protection requested by the application. 1830 * @prot: contains the protection that will be applied by the kernel. 1831 * @flags: contains the operational flags. 1832 * 1833 * The @file may be NULL, e.g. if mapping anonymous memory. 1834 * 1835 * Return 0 if permission is granted. 1836 */ 1837 static int smack_mmap_file(struct file *file, 1838 unsigned long reqprot, unsigned long prot, 1839 unsigned long flags) 1840 { 1841 struct smack_known *skp; 1842 struct smack_known *mkp; 1843 struct smack_rule *srp; 1844 struct task_smack *tsp; 1845 struct smack_known *okp; 1846 struct inode_smack *isp; 1847 struct superblock_smack *sbsp; 1848 int may; 1849 int mmay; 1850 int tmay; 1851 int rc; 1852 1853 if (file == NULL) 1854 return 0; 1855 1856 if (unlikely(IS_PRIVATE(file_inode(file)))) 1857 return 0; 1858 1859 isp = smack_inode(file_inode(file)); 1860 if (isp->smk_mmap == NULL) 1861 return 0; 1862 sbsp = smack_superblock(file_inode(file)->i_sb); 1863 if (sbsp->smk_flags & SMK_SB_UNTRUSTED && 1864 isp->smk_mmap != sbsp->smk_root) 1865 return -EACCES; 1866 mkp = isp->smk_mmap; 1867 1868 tsp = smack_cred(current_cred()); 1869 skp = smk_of_current(); 1870 rc = 0; 1871 1872 rcu_read_lock(); 1873 /* 1874 * For each Smack rule associated with the subject 1875 * label verify that the SMACK64MMAP also has access 1876 * to that rule's object label. 1877 */ 1878 list_for_each_entry_rcu(srp, &skp->smk_rules, list) { 1879 okp = srp->smk_object; 1880 /* 1881 * Matching labels always allows access. 1882 */ 1883 if (mkp->smk_known == okp->smk_known) 1884 continue; 1885 /* 1886 * If there is a matching local rule take 1887 * that into account as well. 1888 */ 1889 may = smk_access_entry(srp->smk_subject->smk_known, 1890 okp->smk_known, 1891 &tsp->smk_rules); 1892 if (may == -ENOENT) 1893 may = srp->smk_access; 1894 else 1895 may &= srp->smk_access; 1896 /* 1897 * If may is zero the SMACK64MMAP subject can't 1898 * possibly have less access. 1899 */ 1900 if (may == 0) 1901 continue; 1902 1903 /* 1904 * Fetch the global list entry. 1905 * If there isn't one a SMACK64MMAP subject 1906 * can't have as much access as current. 1907 */ 1908 mmay = smk_access_entry(mkp->smk_known, okp->smk_known, 1909 &mkp->smk_rules); 1910 if (mmay == -ENOENT) { 1911 rc = -EACCES; 1912 break; 1913 } 1914 /* 1915 * If there is a local entry it modifies the 1916 * potential access, too. 1917 */ 1918 tmay = smk_access_entry(mkp->smk_known, okp->smk_known, 1919 &tsp->smk_rules); 1920 if (tmay != -ENOENT) 1921 mmay &= tmay; 1922 1923 /* 1924 * If there is any access available to current that is 1925 * not available to a SMACK64MMAP subject 1926 * deny access. 1927 */ 1928 if ((may | mmay) != mmay) { 1929 rc = -EACCES; 1930 break; 1931 } 1932 } 1933 1934 rcu_read_unlock(); 1935 1936 return rc; 1937 } 1938 1939 /** 1940 * smack_file_set_fowner - set the file security blob value 1941 * @file: object in question 1942 * 1943 */ 1944 static void smack_file_set_fowner(struct file *file) 1945 { 1946 struct smack_known **blob = smack_file(file); 1947 1948 *blob = smk_of_current(); 1949 } 1950 1951 /** 1952 * smack_file_send_sigiotask - Smack on sigio 1953 * @tsk: The target task 1954 * @fown: the object the signal come from 1955 * @signum: unused 1956 * 1957 * Allow a privileged task to get signals even if it shouldn't 1958 * 1959 * Returns 0 if a subject with the object's smack could 1960 * write to the task, an error code otherwise. 1961 */ 1962 static int smack_file_send_sigiotask(struct task_struct *tsk, 1963 struct fown_struct *fown, int signum) 1964 { 1965 struct smack_known **blob; 1966 struct smack_known *skp; 1967 struct smack_known *tkp = smk_of_task(smack_cred(tsk->cred)); 1968 const struct cred *tcred; 1969 struct file *file; 1970 int rc; 1971 struct smk_audit_info ad; 1972 1973 /* 1974 * struct fown_struct is never outside the context of a struct file 1975 */ 1976 file = fown->file; 1977 1978 /* we don't log here as rc can be overridden */ 1979 blob = smack_file(file); 1980 skp = *blob; 1981 rc = smk_access(skp, tkp, MAY_DELIVER, NULL); 1982 rc = smk_bu_note("sigiotask", skp, tkp, MAY_DELIVER, rc); 1983 1984 rcu_read_lock(); 1985 tcred = __task_cred(tsk); 1986 if (rc != 0 && smack_privileged_cred(CAP_MAC_OVERRIDE, tcred)) 1987 rc = 0; 1988 rcu_read_unlock(); 1989 1990 smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_TASK); 1991 smk_ad_setfield_u_tsk(&ad, tsk); 1992 smack_log(skp->smk_known, tkp->smk_known, MAY_DELIVER, rc, &ad); 1993 return rc; 1994 } 1995 1996 /** 1997 * smack_file_receive - Smack file receive check 1998 * @file: the object 1999 * 2000 * Returns 0 if current has access, error code otherwise 2001 */ 2002 static int smack_file_receive(struct file *file) 2003 { 2004 int rc; 2005 int may = 0; 2006 struct smk_audit_info ad; 2007 struct inode *inode = file_inode(file); 2008 struct socket *sock; 2009 struct task_smack *tsp; 2010 struct socket_smack *ssp; 2011 2012 if (unlikely(IS_PRIVATE(inode))) 2013 return 0; 2014 2015 smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_PATH); 2016 smk_ad_setfield_u_fs_path(&ad, file->f_path); 2017 2018 if (inode->i_sb->s_magic == SOCKFS_MAGIC) { 2019 sock = SOCKET_I(inode); 2020 ssp = smack_sock(sock->sk); 2021 tsp = smack_cred(current_cred()); 2022 /* 2023 * If the receiving process can't write to the 2024 * passed socket or if the passed socket can't 2025 * write to the receiving process don't accept 2026 * the passed socket. 2027 */ 2028 rc = smk_access(tsp->smk_task, ssp->smk_out, MAY_WRITE, &ad); 2029 rc = smk_bu_file(file, may, rc); 2030 if (rc < 0) 2031 return rc; 2032 rc = smk_access(ssp->smk_in, tsp->smk_task, MAY_WRITE, &ad); 2033 rc = smk_bu_file(file, may, rc); 2034 return rc; 2035 } 2036 /* 2037 * This code relies on bitmasks. 2038 */ 2039 if (file->f_mode & FMODE_READ) 2040 may = MAY_READ; 2041 if (file->f_mode & FMODE_WRITE) 2042 may |= MAY_WRITE; 2043 2044 rc = smk_curacc(smk_of_inode(inode), may, &ad); 2045 rc = smk_bu_file(file, may, rc); 2046 return rc; 2047 } 2048 2049 /** 2050 * smack_file_open - Smack dentry open processing 2051 * @file: the object 2052 * 2053 * Set the security blob in the file structure. 2054 * Allow the open only if the task has read access. There are 2055 * many read operations (e.g. fstat) that you can do with an 2056 * fd even if you have the file open write-only. 2057 * 2058 * Returns 0 if current has access, error code otherwise 2059 */ 2060 static int smack_file_open(struct file *file) 2061 { 2062 struct task_smack *tsp = smack_cred(file->f_cred); 2063 struct inode *inode = file_inode(file); 2064 struct smk_audit_info ad; 2065 int rc; 2066 2067 smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_PATH); 2068 smk_ad_setfield_u_fs_path(&ad, file->f_path); 2069 rc = smk_tskacc(tsp, smk_of_inode(inode), MAY_READ, &ad); 2070 rc = smk_bu_credfile(file->f_cred, file, MAY_READ, rc); 2071 2072 return rc; 2073 } 2074 2075 /* 2076 * Task hooks 2077 */ 2078 2079 /** 2080 * smack_cred_alloc_blank - "allocate" blank task-level security credentials 2081 * @cred: the new credentials 2082 * @gfp: the atomicity of any memory allocations 2083 * 2084 * Prepare a blank set of credentials for modification. This must allocate all 2085 * the memory the LSM module might require such that cred_transfer() can 2086 * complete without error. 2087 */ 2088 static int smack_cred_alloc_blank(struct cred *cred, gfp_t gfp) 2089 { 2090 init_task_smack(smack_cred(cred), NULL, NULL); 2091 return 0; 2092 } 2093 2094 2095 /** 2096 * smack_cred_free - "free" task-level security credentials 2097 * @cred: the credentials in question 2098 * 2099 */ 2100 static void smack_cred_free(struct cred *cred) 2101 { 2102 struct task_smack *tsp = smack_cred(cred); 2103 struct smack_rule *rp; 2104 struct list_head *l; 2105 struct list_head *n; 2106 2107 smk_destroy_label_list(&tsp->smk_relabel); 2108 2109 list_for_each_safe(l, n, &tsp->smk_rules) { 2110 rp = list_entry(l, struct smack_rule, list); 2111 list_del(&rp->list); 2112 kmem_cache_free(smack_rule_cache, rp); 2113 } 2114 } 2115 2116 /** 2117 * smack_cred_prepare - prepare new set of credentials for modification 2118 * @new: the new credentials 2119 * @old: the original credentials 2120 * @gfp: the atomicity of any memory allocations 2121 * 2122 * Prepare a new set of credentials for modification. 2123 */ 2124 static int smack_cred_prepare(struct cred *new, const struct cred *old, 2125 gfp_t gfp) 2126 { 2127 struct task_smack *old_tsp = smack_cred(old); 2128 struct task_smack *new_tsp = smack_cred(new); 2129 int rc; 2130 2131 init_task_smack(new_tsp, old_tsp->smk_task, old_tsp->smk_task); 2132 2133 rc = smk_copy_rules(&new_tsp->smk_rules, &old_tsp->smk_rules, gfp); 2134 if (rc != 0) 2135 return rc; 2136 2137 rc = smk_copy_relabel(&new_tsp->smk_relabel, &old_tsp->smk_relabel, 2138 gfp); 2139 return rc; 2140 } 2141 2142 /** 2143 * smack_cred_transfer - Transfer the old credentials to the new credentials 2144 * @new: the new credentials 2145 * @old: the original credentials 2146 * 2147 * Fill in a set of blank credentials from another set of credentials. 2148 */ 2149 static void smack_cred_transfer(struct cred *new, const struct cred *old) 2150 { 2151 struct task_smack *old_tsp = smack_cred(old); 2152 struct task_smack *new_tsp = smack_cred(new); 2153 2154 init_task_smack(new_tsp, old_tsp->smk_task, old_tsp->smk_task); 2155 } 2156 2157 /** 2158 * smack_cred_getsecid - get the secid corresponding to a creds structure 2159 * @cred: the object creds 2160 * @secid: where to put the result 2161 * 2162 * Sets the secid to contain a u32 version of the smack label. 2163 */ 2164 static void smack_cred_getsecid(const struct cred *cred, u32 *secid) 2165 { 2166 struct smack_known *skp; 2167 2168 rcu_read_lock(); 2169 skp = smk_of_task(smack_cred(cred)); 2170 *secid = skp->smk_secid; 2171 rcu_read_unlock(); 2172 } 2173 2174 /** 2175 * smack_cred_getlsmprop - get the Smack label for a creds structure 2176 * @cred: the object creds 2177 * @prop: where to put the data 2178 * 2179 * Sets the Smack part of the ref 2180 */ 2181 static void smack_cred_getlsmprop(const struct cred *cred, 2182 struct lsm_prop *prop) 2183 { 2184 rcu_read_lock(); 2185 prop->smack.skp = smk_of_task(smack_cred(cred)); 2186 rcu_read_unlock(); 2187 } 2188 2189 /** 2190 * smack_kernel_act_as - Set the subjective context in a set of credentials 2191 * @new: points to the set of credentials to be modified. 2192 * @secid: specifies the security ID to be set 2193 * 2194 * Set the security data for a kernel service. 2195 */ 2196 static int smack_kernel_act_as(struct cred *new, u32 secid) 2197 { 2198 struct task_smack *new_tsp = smack_cred(new); 2199 2200 new_tsp->smk_task = smack_from_secid(secid); 2201 return 0; 2202 } 2203 2204 /** 2205 * smack_kernel_create_files_as - Set the file creation label in a set of creds 2206 * @new: points to the set of credentials to be modified 2207 * @inode: points to the inode to use as a reference 2208 * 2209 * Set the file creation context in a set of credentials to the same 2210 * as the objective context of the specified inode 2211 */ 2212 static int smack_kernel_create_files_as(struct cred *new, 2213 struct inode *inode) 2214 { 2215 struct inode_smack *isp = smack_inode(inode); 2216 struct task_smack *tsp = smack_cred(new); 2217 2218 tsp->smk_forked = isp->smk_inode; 2219 tsp->smk_task = tsp->smk_forked; 2220 return 0; 2221 } 2222 2223 /** 2224 * smk_curacc_on_task - helper to log task related access 2225 * @p: the task object 2226 * @access: the access requested 2227 * @caller: name of the calling function for audit 2228 * 2229 * Return 0 if access is permitted 2230 */ 2231 static int smk_curacc_on_task(struct task_struct *p, int access, 2232 const char *caller) 2233 { 2234 struct smk_audit_info ad; 2235 struct smack_known *skp = smk_of_task_struct_obj(p); 2236 int rc; 2237 2238 smk_ad_init(&ad, caller, LSM_AUDIT_DATA_TASK); 2239 smk_ad_setfield_u_tsk(&ad, p); 2240 rc = smk_curacc(skp, access, &ad); 2241 rc = smk_bu_task(p, access, rc); 2242 return rc; 2243 } 2244 2245 /** 2246 * smack_task_setpgid - Smack check on setting pgid 2247 * @p: the task object 2248 * @pgid: unused 2249 * 2250 * Return 0 if write access is permitted 2251 */ 2252 static int smack_task_setpgid(struct task_struct *p, pid_t pgid) 2253 { 2254 return smk_curacc_on_task(p, MAY_WRITE, __func__); 2255 } 2256 2257 /** 2258 * smack_task_getpgid - Smack access check for getpgid 2259 * @p: the object task 2260 * 2261 * Returns 0 if current can read the object task, error code otherwise 2262 */ 2263 static int smack_task_getpgid(struct task_struct *p) 2264 { 2265 return smk_curacc_on_task(p, MAY_READ, __func__); 2266 } 2267 2268 /** 2269 * smack_task_getsid - Smack access check for getsid 2270 * @p: the object task 2271 * 2272 * Returns 0 if current can read the object task, error code otherwise 2273 */ 2274 static int smack_task_getsid(struct task_struct *p) 2275 { 2276 return smk_curacc_on_task(p, MAY_READ, __func__); 2277 } 2278 2279 /** 2280 * smack_current_getlsmprop_subj - get the subjective secid of the current task 2281 * @prop: where to put the result 2282 * 2283 * Sets the secid to contain a u32 version of the task's subjective smack label. 2284 */ 2285 static void smack_current_getlsmprop_subj(struct lsm_prop *prop) 2286 { 2287 prop->smack.skp = smk_of_current(); 2288 } 2289 2290 /** 2291 * smack_task_getlsmprop_obj - get the objective data of the task 2292 * @p: the task 2293 * @prop: where to put the result 2294 * 2295 * Sets the secid to contain a u32 version of the task's objective smack label. 2296 */ 2297 static void smack_task_getlsmprop_obj(struct task_struct *p, 2298 struct lsm_prop *prop) 2299 { 2300 prop->smack.skp = smk_of_task_struct_obj(p); 2301 } 2302 2303 /** 2304 * smack_task_setnice - Smack check on setting nice 2305 * @p: the task object 2306 * @nice: unused 2307 * 2308 * Return 0 if write access is permitted 2309 */ 2310 static int smack_task_setnice(struct task_struct *p, int nice) 2311 { 2312 return smk_curacc_on_task(p, MAY_WRITE, __func__); 2313 } 2314 2315 /** 2316 * smack_task_setioprio - Smack check on setting ioprio 2317 * @p: the task object 2318 * @ioprio: unused 2319 * 2320 * Return 0 if write access is permitted 2321 */ 2322 static int smack_task_setioprio(struct task_struct *p, int ioprio) 2323 { 2324 return smk_curacc_on_task(p, MAY_WRITE, __func__); 2325 } 2326 2327 /** 2328 * smack_task_getioprio - Smack check on reading ioprio 2329 * @p: the task object 2330 * 2331 * Return 0 if read access is permitted 2332 */ 2333 static int smack_task_getioprio(struct task_struct *p) 2334 { 2335 return smk_curacc_on_task(p, MAY_READ, __func__); 2336 } 2337 2338 /** 2339 * smack_task_setscheduler - Smack check on setting scheduler 2340 * @p: the task object 2341 * 2342 * Return 0 if read access is permitted 2343 */ 2344 static int smack_task_setscheduler(struct task_struct *p) 2345 { 2346 return smk_curacc_on_task(p, MAY_WRITE, __func__); 2347 } 2348 2349 /** 2350 * smack_task_getscheduler - Smack check on reading scheduler 2351 * @p: the task object 2352 * 2353 * Return 0 if read access is permitted 2354 */ 2355 static int smack_task_getscheduler(struct task_struct *p) 2356 { 2357 return smk_curacc_on_task(p, MAY_READ, __func__); 2358 } 2359 2360 /** 2361 * smack_task_movememory - Smack check on moving memory 2362 * @p: the task object 2363 * 2364 * Return 0 if write access is permitted 2365 */ 2366 static int smack_task_movememory(struct task_struct *p) 2367 { 2368 return smk_curacc_on_task(p, MAY_WRITE, __func__); 2369 } 2370 2371 /** 2372 * smack_task_kill - Smack check on signal delivery 2373 * @p: the task object 2374 * @info: unused 2375 * @sig: unused 2376 * @cred: identifies the cred to use in lieu of current's 2377 * 2378 * Return 0 if write access is permitted 2379 * 2380 */ 2381 static int smack_task_kill(struct task_struct *p, struct kernel_siginfo *info, 2382 int sig, const struct cred *cred) 2383 { 2384 struct smk_audit_info ad; 2385 struct smack_known *skp; 2386 struct smack_known *tkp = smk_of_task_struct_obj(p); 2387 int rc; 2388 2389 if (!sig) 2390 return 0; /* null signal; existence test */ 2391 2392 smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_TASK); 2393 smk_ad_setfield_u_tsk(&ad, p); 2394 /* 2395 * Sending a signal requires that the sender 2396 * can write the receiver. 2397 */ 2398 if (cred == NULL) { 2399 rc = smk_curacc(tkp, MAY_DELIVER, &ad); 2400 rc = smk_bu_task(p, MAY_DELIVER, rc); 2401 return rc; 2402 } 2403 /* 2404 * If the cred isn't NULL we're dealing with some USB IO 2405 * specific behavior. This is not clean. For one thing 2406 * we can't take privilege into account. 2407 */ 2408 skp = smk_of_task(smack_cred(cred)); 2409 rc = smk_access(skp, tkp, MAY_DELIVER, &ad); 2410 rc = smk_bu_note("USB signal", skp, tkp, MAY_DELIVER, rc); 2411 return rc; 2412 } 2413 2414 /** 2415 * smack_task_to_inode - copy task smack into the inode blob 2416 * @p: task to copy from 2417 * @inode: inode to copy to 2418 * 2419 * Sets the smack pointer in the inode security blob 2420 */ 2421 static void smack_task_to_inode(struct task_struct *p, struct inode *inode) 2422 { 2423 struct inode_smack *isp = smack_inode(inode); 2424 struct smack_known *skp = smk_of_task_struct_obj(p); 2425 2426 isp->smk_inode = skp; 2427 isp->smk_flags |= SMK_INODE_INSTANT; 2428 } 2429 2430 /* 2431 * Socket hooks. 2432 */ 2433 2434 /** 2435 * smack_sk_alloc_security - Allocate a socket blob 2436 * @sk: the socket 2437 * @family: unused 2438 * @gfp_flags: memory allocation flags 2439 * 2440 * Assign Smack pointers to current 2441 * 2442 * Returns 0 on success, -ENOMEM is there's no memory 2443 */ 2444 static int smack_sk_alloc_security(struct sock *sk, int family, gfp_t gfp_flags) 2445 { 2446 struct smack_known *skp = smk_of_current(); 2447 struct socket_smack *ssp = smack_sock(sk); 2448 2449 /* 2450 * Sockets created by kernel threads receive web label. 2451 */ 2452 if (unlikely(current->flags & PF_KTHREAD)) { 2453 ssp->smk_in = &smack_known_web; 2454 ssp->smk_out = &smack_known_web; 2455 } else { 2456 ssp->smk_in = skp; 2457 ssp->smk_out = skp; 2458 } 2459 ssp->smk_packet = NULL; 2460 2461 return 0; 2462 } 2463 2464 #ifdef SMACK_IPV6_PORT_LABELING 2465 /** 2466 * smack_sk_free_security - Free a socket blob 2467 * @sk: the socket 2468 * 2469 * Clears the blob pointer 2470 */ 2471 static void smack_sk_free_security(struct sock *sk) 2472 { 2473 struct smk_port_label *spp; 2474 2475 if (sk->sk_family == PF_INET6) { 2476 rcu_read_lock(); 2477 list_for_each_entry_rcu(spp, &smk_ipv6_port_list, list) { 2478 if (spp->smk_sock != sk) 2479 continue; 2480 spp->smk_can_reuse = 1; 2481 break; 2482 } 2483 rcu_read_unlock(); 2484 } 2485 } 2486 #endif 2487 2488 /** 2489 * smack_sk_clone_security - Copy security context 2490 * @sk: the old socket 2491 * @newsk: the new socket 2492 * 2493 * Copy the security context of the old socket pointer to the cloned 2494 */ 2495 static void smack_sk_clone_security(const struct sock *sk, struct sock *newsk) 2496 { 2497 struct socket_smack *ssp_old = smack_sock(sk); 2498 struct socket_smack *ssp_new = smack_sock(newsk); 2499 2500 *ssp_new = *ssp_old; 2501 } 2502 2503 /** 2504 * smack_ipv4host_label - check host based restrictions 2505 * @sip: the object end 2506 * 2507 * looks for host based access restrictions 2508 * 2509 * This version will only be appropriate for really small sets of single label 2510 * hosts. The caller is responsible for ensuring that the RCU read lock is 2511 * taken before calling this function. 2512 * 2513 * Returns the label of the far end or NULL if it's not special. 2514 */ 2515 static struct smack_known *smack_ipv4host_label(struct sockaddr_in *sip) 2516 { 2517 struct smk_net4addr *snp; 2518 struct in_addr *siap = &sip->sin_addr; 2519 2520 if (siap->s_addr == 0) 2521 return NULL; 2522 2523 list_for_each_entry_rcu(snp, &smk_net4addr_list, list) 2524 /* 2525 * we break after finding the first match because 2526 * the list is sorted from longest to shortest mask 2527 * so we have found the most specific match 2528 */ 2529 if (snp->smk_host.s_addr == 2530 (siap->s_addr & snp->smk_mask.s_addr)) 2531 return snp->smk_label; 2532 2533 return NULL; 2534 } 2535 2536 #if IS_ENABLED(CONFIG_IPV6) 2537 /* 2538 * smk_ipv6_localhost - Check for local ipv6 host address 2539 * @sip: the address 2540 * 2541 * Returns boolean true if this is the localhost address 2542 */ 2543 static bool smk_ipv6_localhost(struct sockaddr_in6 *sip) 2544 { 2545 __be16 *be16p = (__be16 *)&sip->sin6_addr; 2546 __be32 *be32p = (__be32 *)&sip->sin6_addr; 2547 2548 if (be32p[0] == 0 && be32p[1] == 0 && be32p[2] == 0 && be16p[6] == 0 && 2549 ntohs(be16p[7]) == 1) 2550 return true; 2551 return false; 2552 } 2553 2554 /** 2555 * smack_ipv6host_label - check host based restrictions 2556 * @sip: the object end 2557 * 2558 * looks for host based access restrictions 2559 * 2560 * This version will only be appropriate for really small sets of single label 2561 * hosts. The caller is responsible for ensuring that the RCU read lock is 2562 * taken before calling this function. 2563 * 2564 * Returns the label of the far end or NULL if it's not special. 2565 */ 2566 static struct smack_known *smack_ipv6host_label(struct sockaddr_in6 *sip) 2567 { 2568 struct smk_net6addr *snp; 2569 struct in6_addr *sap = &sip->sin6_addr; 2570 int i; 2571 int found = 0; 2572 2573 /* 2574 * It's local. Don't look for a host label. 2575 */ 2576 if (smk_ipv6_localhost(sip)) 2577 return NULL; 2578 2579 list_for_each_entry_rcu(snp, &smk_net6addr_list, list) { 2580 /* 2581 * If the label is NULL the entry has 2582 * been renounced. Ignore it. 2583 */ 2584 if (snp->smk_label == NULL) 2585 continue; 2586 /* 2587 * we break after finding the first match because 2588 * the list is sorted from longest to shortest mask 2589 * so we have found the most specific match 2590 */ 2591 for (found = 1, i = 0; i < 8; i++) { 2592 if ((sap->s6_addr16[i] & snp->smk_mask.s6_addr16[i]) != 2593 snp->smk_host.s6_addr16[i]) { 2594 found = 0; 2595 break; 2596 } 2597 } 2598 if (found) 2599 return snp->smk_label; 2600 } 2601 2602 return NULL; 2603 } 2604 #endif /* CONFIG_IPV6 */ 2605 2606 /** 2607 * smack_netlbl_add - Set the secattr on a socket 2608 * @sk: the socket 2609 * 2610 * Attach the outbound smack value (smk_out) to the socket. 2611 * 2612 * Returns 0 on success or an error code 2613 */ 2614 static int smack_netlbl_add(struct sock *sk) 2615 { 2616 struct socket_smack *ssp = smack_sock(sk); 2617 struct smack_known *skp = ssp->smk_out; 2618 int rc; 2619 2620 local_bh_disable(); 2621 bh_lock_sock_nested(sk); 2622 2623 rc = netlbl_sock_setattr(sk, sk->sk_family, &skp->smk_netlabel, 2624 netlbl_sk_lock_check(sk)); 2625 switch (rc) { 2626 case 0: 2627 ssp->smk_state = SMK_NETLBL_LABELED; 2628 break; 2629 case -EDESTADDRREQ: 2630 ssp->smk_state = SMK_NETLBL_REQSKB; 2631 rc = 0; 2632 break; 2633 } 2634 2635 bh_unlock_sock(sk); 2636 local_bh_enable(); 2637 2638 return rc; 2639 } 2640 2641 /** 2642 * smack_netlbl_delete - Remove the secattr from a socket 2643 * @sk: the socket 2644 * 2645 * Remove the outbound smack value from a socket 2646 */ 2647 static void smack_netlbl_delete(struct sock *sk) 2648 { 2649 struct socket_smack *ssp = smack_sock(sk); 2650 2651 /* 2652 * Take the label off the socket if one is set. 2653 */ 2654 if (ssp->smk_state != SMK_NETLBL_LABELED) 2655 return; 2656 2657 local_bh_disable(); 2658 bh_lock_sock_nested(sk); 2659 netlbl_sock_delattr(sk); 2660 bh_unlock_sock(sk); 2661 local_bh_enable(); 2662 ssp->smk_state = SMK_NETLBL_UNLABELED; 2663 } 2664 2665 /** 2666 * smk_ipv4_check - Perform IPv4 host access checks 2667 * @sk: the socket 2668 * @sap: the destination address 2669 * 2670 * Set the correct secattr for the given socket based on the destination 2671 * address and perform any outbound access checks needed. 2672 * 2673 * Returns 0 on success or an error code. 2674 * 2675 */ 2676 static int smk_ipv4_check(struct sock *sk, struct sockaddr_in *sap) 2677 { 2678 struct smack_known *skp; 2679 int rc = 0; 2680 struct smack_known *hkp; 2681 struct socket_smack *ssp = smack_sock(sk); 2682 struct smk_audit_info ad; 2683 2684 rcu_read_lock(); 2685 hkp = smack_ipv4host_label(sap); 2686 if (hkp != NULL) { 2687 #ifdef CONFIG_AUDIT 2688 struct lsm_network_audit net; 2689 2690 smk_ad_init_net(&ad, __func__, LSM_AUDIT_DATA_NET, &net); 2691 ad.a.u.net->family = sap->sin_family; 2692 ad.a.u.net->dport = sap->sin_port; 2693 ad.a.u.net->v4info.daddr = sap->sin_addr.s_addr; 2694 #endif 2695 skp = ssp->smk_out; 2696 rc = smk_access(skp, hkp, MAY_WRITE, &ad); 2697 rc = smk_bu_note("IPv4 host check", skp, hkp, MAY_WRITE, rc); 2698 /* 2699 * Clear the socket netlabel if it's set. 2700 */ 2701 if (!rc) 2702 smack_netlbl_delete(sk); 2703 } 2704 rcu_read_unlock(); 2705 2706 return rc; 2707 } 2708 2709 #if IS_ENABLED(CONFIG_IPV6) 2710 /** 2711 * smk_ipv6_check - check Smack access 2712 * @subject: subject Smack label 2713 * @object: object Smack label 2714 * @address: address 2715 * @act: the action being taken 2716 * 2717 * Check an IPv6 access 2718 */ 2719 static int smk_ipv6_check(struct smack_known *subject, 2720 struct smack_known *object, 2721 struct sockaddr_in6 *address, int act) 2722 { 2723 #ifdef CONFIG_AUDIT 2724 struct lsm_network_audit net; 2725 #endif 2726 struct smk_audit_info ad; 2727 int rc; 2728 2729 #ifdef CONFIG_AUDIT 2730 smk_ad_init_net(&ad, __func__, LSM_AUDIT_DATA_NET, &net); 2731 ad.a.u.net->family = PF_INET6; 2732 ad.a.u.net->dport = address->sin6_port; 2733 if (act == SMK_RECEIVING) 2734 ad.a.u.net->v6info.saddr = address->sin6_addr; 2735 else 2736 ad.a.u.net->v6info.daddr = address->sin6_addr; 2737 #endif 2738 rc = smk_access(subject, object, MAY_WRITE, &ad); 2739 rc = smk_bu_note("IPv6 check", subject, object, MAY_WRITE, rc); 2740 return rc; 2741 } 2742 #endif /* CONFIG_IPV6 */ 2743 2744 #ifdef SMACK_IPV6_PORT_LABELING 2745 /** 2746 * smk_ipv6_port_label - Smack port access table management 2747 * @sock: socket 2748 * @address: address 2749 * 2750 * Create or update the port list entry 2751 */ 2752 static void smk_ipv6_port_label(struct socket *sock, struct sockaddr *address) 2753 { 2754 struct sock *sk = sock->sk; 2755 struct sockaddr_in6 *addr6; 2756 struct socket_smack *ssp = smack_sock(sock->sk); 2757 struct smk_port_label *spp; 2758 unsigned short port = 0; 2759 2760 if (address == NULL) { 2761 /* 2762 * This operation is changing the Smack information 2763 * on the bound socket. Take the changes to the port 2764 * as well. 2765 */ 2766 rcu_read_lock(); 2767 list_for_each_entry_rcu(spp, &smk_ipv6_port_list, list) { 2768 if (sk != spp->smk_sock) 2769 continue; 2770 spp->smk_in = ssp->smk_in; 2771 spp->smk_out = ssp->smk_out; 2772 rcu_read_unlock(); 2773 return; 2774 } 2775 /* 2776 * A NULL address is only used for updating existing 2777 * bound entries. If there isn't one, it's OK. 2778 */ 2779 rcu_read_unlock(); 2780 return; 2781 } 2782 2783 addr6 = (struct sockaddr_in6 *)address; 2784 port = ntohs(addr6->sin6_port); 2785 /* 2786 * This is a special case that is safely ignored. 2787 */ 2788 if (port == 0) 2789 return; 2790 2791 /* 2792 * Look for an existing port list entry. 2793 * This is an indication that a port is getting reused. 2794 */ 2795 rcu_read_lock(); 2796 list_for_each_entry_rcu(spp, &smk_ipv6_port_list, list) { 2797 if (spp->smk_port != port || spp->smk_sock_type != sock->type) 2798 continue; 2799 if (spp->smk_can_reuse != 1) { 2800 rcu_read_unlock(); 2801 return; 2802 } 2803 spp->smk_port = port; 2804 spp->smk_sock = sk; 2805 spp->smk_in = ssp->smk_in; 2806 spp->smk_out = ssp->smk_out; 2807 spp->smk_can_reuse = 0; 2808 rcu_read_unlock(); 2809 return; 2810 } 2811 rcu_read_unlock(); 2812 /* 2813 * A new port entry is required. 2814 */ 2815 spp = kzalloc_obj(*spp); 2816 if (spp == NULL) 2817 return; 2818 2819 spp->smk_port = port; 2820 spp->smk_sock = sk; 2821 spp->smk_in = ssp->smk_in; 2822 spp->smk_out = ssp->smk_out; 2823 spp->smk_sock_type = sock->type; 2824 spp->smk_can_reuse = 0; 2825 2826 mutex_lock(&smack_ipv6_lock); 2827 list_add_rcu(&spp->list, &smk_ipv6_port_list); 2828 mutex_unlock(&smack_ipv6_lock); 2829 return; 2830 } 2831 2832 /** 2833 * smk_ipv6_port_check - check Smack port access 2834 * @sk: socket 2835 * @address: address 2836 * @act: the action being taken 2837 * 2838 * Create or update the port list entry 2839 */ 2840 static int smk_ipv6_port_check(struct sock *sk, struct sockaddr_in6 *address, 2841 int act) 2842 { 2843 struct smk_port_label *spp; 2844 struct socket_smack *ssp = smack_sock(sk); 2845 struct smack_known *skp = NULL; 2846 unsigned short port; 2847 struct smack_known *object; 2848 2849 if (act == SMK_RECEIVING) { 2850 skp = smack_ipv6host_label(address); 2851 object = ssp->smk_in; 2852 } else { 2853 skp = ssp->smk_out; 2854 object = smack_ipv6host_label(address); 2855 } 2856 2857 /* 2858 * The other end is a single label host. 2859 */ 2860 if (skp != NULL && object != NULL) 2861 return smk_ipv6_check(skp, object, address, act); 2862 if (skp == NULL) 2863 skp = smack_net_ambient; 2864 if (object == NULL) 2865 object = smack_net_ambient; 2866 2867 /* 2868 * It's remote, so port lookup does no good. 2869 */ 2870 if (!smk_ipv6_localhost(address)) 2871 return smk_ipv6_check(skp, object, address, act); 2872 2873 /* 2874 * It's local so the send check has to have passed. 2875 */ 2876 if (act == SMK_RECEIVING) 2877 return 0; 2878 2879 port = ntohs(address->sin6_port); 2880 rcu_read_lock(); 2881 list_for_each_entry_rcu(spp, &smk_ipv6_port_list, list) { 2882 if (spp->smk_port != port || spp->smk_sock_type != sk->sk_type) 2883 continue; 2884 object = spp->smk_in; 2885 if (act == SMK_CONNECTING) 2886 ssp->smk_packet = spp->smk_out; 2887 break; 2888 } 2889 rcu_read_unlock(); 2890 2891 return smk_ipv6_check(skp, object, address, act); 2892 } 2893 #endif 2894 2895 /** 2896 * smack_inode_setsecurity - set smack xattrs 2897 * @inode: the object 2898 * @name: attribute name 2899 * @value: attribute value 2900 * @size: size of the attribute 2901 * @flags: unused 2902 * 2903 * Sets the named attribute in the appropriate blob 2904 * 2905 * Returns 0 on success, or an error code 2906 */ 2907 static int smack_inode_setsecurity(struct inode *inode, const char *name, 2908 const void *value, size_t size, int flags) 2909 { 2910 struct smack_known *skp; 2911 struct inode_smack *nsp = smack_inode(inode); 2912 struct socket_smack *ssp; 2913 struct socket *sock; 2914 int rc = 0; 2915 2916 if (value == NULL || size > SMK_LONGLABEL || size == 0) 2917 return -EINVAL; 2918 2919 if (strcmp(name, XATTR_SMACK_TRANSMUTE) == 0) { 2920 if (!S_ISDIR(inode->i_mode) || size != TRANS_TRUE_SIZE || 2921 strncmp(value, TRANS_TRUE, TRANS_TRUE_SIZE) != 0) 2922 return -EINVAL; 2923 2924 nsp->smk_flags |= SMK_INODE_TRANSMUTE; 2925 return 0; 2926 } 2927 2928 skp = smk_import_entry(value, size); 2929 if (IS_ERR(skp)) 2930 return PTR_ERR(skp); 2931 2932 if (strcmp(name, XATTR_SMACK_SUFFIX) == 0) { 2933 nsp->smk_inode = skp; 2934 nsp->smk_flags |= SMK_INODE_INSTANT; 2935 return 0; 2936 } 2937 /* 2938 * The rest of the Smack xattrs are only on sockets. 2939 */ 2940 if (inode->i_sb->s_magic != SOCKFS_MAGIC) 2941 return -EOPNOTSUPP; 2942 2943 sock = SOCKET_I(inode); 2944 if (sock == NULL || sock->sk == NULL) 2945 return -EOPNOTSUPP; 2946 2947 ssp = smack_sock(sock->sk); 2948 2949 if (strcmp(name, XATTR_SMACK_IPIN) == 0) 2950 ssp->smk_in = skp; 2951 else if (strcmp(name, XATTR_SMACK_IPOUT) == 0) { 2952 ssp->smk_out = skp; 2953 if (sock->sk->sk_family == PF_INET) { 2954 rc = smack_netlbl_add(sock->sk); 2955 if (rc != 0) 2956 printk(KERN_WARNING 2957 "Smack: \"%s\" netlbl error %d.\n", 2958 __func__, -rc); 2959 } 2960 } else 2961 return -EOPNOTSUPP; 2962 2963 #ifdef SMACK_IPV6_PORT_LABELING 2964 if (sock->sk->sk_family == PF_INET6) 2965 smk_ipv6_port_label(sock, NULL); 2966 #endif 2967 2968 return 0; 2969 } 2970 2971 /** 2972 * smack_socket_post_create - finish socket setup 2973 * @sock: the socket 2974 * @family: protocol family 2975 * @type: unused 2976 * @protocol: unused 2977 * @kern: unused 2978 * 2979 * Sets the netlabel information on the socket 2980 * 2981 * Returns 0 on success, and error code otherwise 2982 */ 2983 static int smack_socket_post_create(struct socket *sock, int family, 2984 int type, int protocol, int kern) 2985 { 2986 struct socket_smack *ssp; 2987 2988 if (sock->sk == NULL) 2989 return 0; 2990 2991 /* 2992 * Sockets created by kernel threads receive web label. 2993 */ 2994 if (unlikely(current->flags & PF_KTHREAD)) { 2995 ssp = smack_sock(sock->sk); 2996 ssp->smk_in = &smack_known_web; 2997 ssp->smk_out = &smack_known_web; 2998 } 2999 3000 if (family != PF_INET) 3001 return 0; 3002 /* 3003 * Set the outbound netlbl. 3004 */ 3005 return smack_netlbl_add(sock->sk); 3006 } 3007 3008 /** 3009 * smack_socket_socketpair - create socket pair 3010 * @socka: one socket 3011 * @sockb: another socket 3012 * 3013 * Cross reference the peer labels for SO_PEERSEC 3014 * 3015 * Returns 0 3016 */ 3017 static int smack_socket_socketpair(struct socket *socka, 3018 struct socket *sockb) 3019 { 3020 struct socket_smack *asp = smack_sock(socka->sk); 3021 struct socket_smack *bsp = smack_sock(sockb->sk); 3022 3023 asp->smk_packet = bsp->smk_out; 3024 bsp->smk_packet = asp->smk_out; 3025 3026 return 0; 3027 } 3028 3029 #ifdef SMACK_IPV6_PORT_LABELING 3030 /** 3031 * smack_socket_bind - record port binding information. 3032 * @sock: the socket 3033 * @address: the port address 3034 * @addrlen: size of the address 3035 * 3036 * Records the label bound to a port. 3037 * 3038 * Returns 0 on success, and error code otherwise 3039 */ 3040 static int smack_socket_bind(struct socket *sock, struct sockaddr *address, 3041 int addrlen) 3042 { 3043 if (sock->sk != NULL && sock->sk->sk_family == PF_INET6) { 3044 if (addrlen < SIN6_LEN_RFC2133 || 3045 address->sa_family != AF_INET6) 3046 return -EINVAL; 3047 smk_ipv6_port_label(sock, address); 3048 } 3049 return 0; 3050 } 3051 #endif /* SMACK_IPV6_PORT_LABELING */ 3052 3053 /** 3054 * smack_socket_connect - connect access check 3055 * @sock: the socket 3056 * @sap: the other end 3057 * @addrlen: size of sap 3058 * 3059 * Verifies that a connection may be possible 3060 * 3061 * Returns 0 on success, and error code otherwise 3062 */ 3063 static int smack_socket_connect(struct socket *sock, struct sockaddr *sap, 3064 int addrlen) 3065 { 3066 int rc = 0; 3067 3068 if (sock->sk == NULL) 3069 return 0; 3070 if (sock->sk->sk_family != PF_INET && 3071 (!IS_ENABLED(CONFIG_IPV6) || sock->sk->sk_family != PF_INET6)) 3072 return 0; 3073 if (addrlen < offsetofend(struct sockaddr, sa_family)) 3074 return 0; 3075 3076 #if IS_ENABLED(CONFIG_IPV6) 3077 if (sap->sa_family == AF_INET6) { 3078 struct sockaddr_in6 *sip = (struct sockaddr_in6 *)sap; 3079 struct smack_known *rsp = NULL; 3080 3081 if (addrlen < SIN6_LEN_RFC2133) 3082 return 0; 3083 if (__is_defined(SMACK_IPV6_SECMARK_LABELING)) 3084 rsp = smack_ipv6host_label(sip); 3085 if (rsp != NULL) { 3086 struct socket_smack *ssp = smack_sock(sock->sk); 3087 3088 rc = smk_ipv6_check(ssp->smk_out, rsp, sip, 3089 SMK_CONNECTING); 3090 } 3091 #ifdef SMACK_IPV6_PORT_LABELING 3092 rc = smk_ipv6_port_check(sock->sk, sip, SMK_CONNECTING); 3093 #endif 3094 3095 return rc; 3096 } 3097 #endif /* CONFIG_IPV6 */ 3098 3099 if (sap->sa_family != AF_INET || addrlen < sizeof(struct sockaddr_in)) 3100 return 0; 3101 rc = smk_ipv4_check(sock->sk, (struct sockaddr_in *)sap); 3102 return rc; 3103 } 3104 3105 /** 3106 * smack_flags_to_may - convert S_ to MAY_ values 3107 * @flags: the S_ value 3108 * 3109 * Returns the equivalent MAY_ value 3110 */ 3111 static int smack_flags_to_may(int flags) 3112 { 3113 int may = 0; 3114 3115 if (flags & S_IRUGO) 3116 may |= MAY_READ; 3117 if (flags & S_IWUGO) 3118 may |= MAY_WRITE; 3119 if (flags & S_IXUGO) 3120 may |= MAY_EXEC; 3121 3122 return may; 3123 } 3124 3125 /** 3126 * smack_msg_msg_alloc_security - Set the security blob for msg_msg 3127 * @msg: the object 3128 * 3129 * Returns 0 3130 */ 3131 static int smack_msg_msg_alloc_security(struct msg_msg *msg) 3132 { 3133 struct smack_known **blob = smack_msg_msg(msg); 3134 3135 *blob = smk_of_current(); 3136 return 0; 3137 } 3138 3139 /** 3140 * smack_of_ipc - the smack pointer for the ipc 3141 * @isp: the object 3142 * 3143 * Returns a pointer to the smack value 3144 */ 3145 static struct smack_known *smack_of_ipc(struct kern_ipc_perm *isp) 3146 { 3147 struct smack_known **blob = smack_ipc(isp); 3148 3149 return *blob; 3150 } 3151 3152 /** 3153 * smack_ipc_alloc_security - Set the security blob for ipc 3154 * @isp: the object 3155 * 3156 * Returns 0 3157 */ 3158 static int smack_ipc_alloc_security(struct kern_ipc_perm *isp) 3159 { 3160 struct smack_known **blob = smack_ipc(isp); 3161 3162 *blob = smk_of_current(); 3163 return 0; 3164 } 3165 3166 /** 3167 * smk_curacc_shm : check if current has access on shm 3168 * @isp : the object 3169 * @access : access requested 3170 * 3171 * Returns 0 if current has the requested access, error code otherwise 3172 */ 3173 static int smk_curacc_shm(struct kern_ipc_perm *isp, int access) 3174 { 3175 struct smack_known *ssp = smack_of_ipc(isp); 3176 struct smk_audit_info ad; 3177 int rc; 3178 3179 #ifdef CONFIG_AUDIT 3180 smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_IPC); 3181 ad.a.u.ipc_id = isp->id; 3182 #endif 3183 rc = smk_curacc(ssp, access, &ad); 3184 rc = smk_bu_current("shm", ssp, access, rc); 3185 return rc; 3186 } 3187 3188 /** 3189 * smack_shm_associate - Smack access check for shm 3190 * @isp: the object 3191 * @shmflg: access requested 3192 * 3193 * Returns 0 if current has the requested access, error code otherwise 3194 */ 3195 static int smack_shm_associate(struct kern_ipc_perm *isp, int shmflg) 3196 { 3197 int may; 3198 3199 may = smack_flags_to_may(shmflg); 3200 return smk_curacc_shm(isp, may); 3201 } 3202 3203 /** 3204 * smack_shm_shmctl - Smack access check for shm 3205 * @isp: the object 3206 * @cmd: what it wants to do 3207 * 3208 * Returns 0 if current has the requested access, error code otherwise 3209 */ 3210 static int smack_shm_shmctl(struct kern_ipc_perm *isp, int cmd) 3211 { 3212 int may; 3213 3214 switch (cmd) { 3215 case IPC_STAT: 3216 case SHM_STAT: 3217 case SHM_STAT_ANY: 3218 may = MAY_READ; 3219 break; 3220 case IPC_SET: 3221 case SHM_LOCK: 3222 case SHM_UNLOCK: 3223 case IPC_RMID: 3224 may = MAY_READWRITE; 3225 break; 3226 case IPC_INFO: 3227 case SHM_INFO: 3228 /* 3229 * System level information. 3230 */ 3231 return 0; 3232 default: 3233 return -EINVAL; 3234 } 3235 return smk_curacc_shm(isp, may); 3236 } 3237 3238 /** 3239 * smack_shm_shmat - Smack access for shmat 3240 * @isp: the object 3241 * @shmaddr: unused 3242 * @shmflg: access requested 3243 * 3244 * Returns 0 if current has the requested access, error code otherwise 3245 */ 3246 static int smack_shm_shmat(struct kern_ipc_perm *isp, char __user *shmaddr, 3247 int shmflg) 3248 { 3249 int may; 3250 3251 may = smack_flags_to_may(shmflg); 3252 return smk_curacc_shm(isp, may); 3253 } 3254 3255 /** 3256 * smk_curacc_sem : check if current has access on sem 3257 * @isp : the object 3258 * @access : access requested 3259 * 3260 * Returns 0 if current has the requested access, error code otherwise 3261 */ 3262 static int smk_curacc_sem(struct kern_ipc_perm *isp, int access) 3263 { 3264 struct smack_known *ssp = smack_of_ipc(isp); 3265 struct smk_audit_info ad; 3266 int rc; 3267 3268 #ifdef CONFIG_AUDIT 3269 smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_IPC); 3270 ad.a.u.ipc_id = isp->id; 3271 #endif 3272 rc = smk_curacc(ssp, access, &ad); 3273 rc = smk_bu_current("sem", ssp, access, rc); 3274 return rc; 3275 } 3276 3277 /** 3278 * smack_sem_associate - Smack access check for sem 3279 * @isp: the object 3280 * @semflg: access requested 3281 * 3282 * Returns 0 if current has the requested access, error code otherwise 3283 */ 3284 static int smack_sem_associate(struct kern_ipc_perm *isp, int semflg) 3285 { 3286 int may; 3287 3288 may = smack_flags_to_may(semflg); 3289 return smk_curacc_sem(isp, may); 3290 } 3291 3292 /** 3293 * smack_sem_semctl - Smack access check for sem 3294 * @isp: the object 3295 * @cmd: what it wants to do 3296 * 3297 * Returns 0 if current has the requested access, error code otherwise 3298 */ 3299 static int smack_sem_semctl(struct kern_ipc_perm *isp, int cmd) 3300 { 3301 int may; 3302 3303 switch (cmd) { 3304 case GETPID: 3305 case GETNCNT: 3306 case GETZCNT: 3307 case GETVAL: 3308 case GETALL: 3309 case IPC_STAT: 3310 case SEM_STAT: 3311 case SEM_STAT_ANY: 3312 may = MAY_READ; 3313 break; 3314 case SETVAL: 3315 case SETALL: 3316 case IPC_RMID: 3317 case IPC_SET: 3318 may = MAY_READWRITE; 3319 break; 3320 case IPC_INFO: 3321 case SEM_INFO: 3322 /* 3323 * System level information 3324 */ 3325 return 0; 3326 default: 3327 return -EINVAL; 3328 } 3329 3330 return smk_curacc_sem(isp, may); 3331 } 3332 3333 /** 3334 * smack_sem_semop - Smack checks of semaphore operations 3335 * @isp: the object 3336 * @sops: unused 3337 * @nsops: unused 3338 * @alter: unused 3339 * 3340 * Treated as read and write in all cases. 3341 * 3342 * Returns 0 if access is allowed, error code otherwise 3343 */ 3344 static int smack_sem_semop(struct kern_ipc_perm *isp, struct sembuf *sops, 3345 unsigned nsops, int alter) 3346 { 3347 return smk_curacc_sem(isp, MAY_READWRITE); 3348 } 3349 3350 /** 3351 * smk_curacc_msq : helper to check if current has access on msq 3352 * @isp : the msq 3353 * @access : access requested 3354 * 3355 * return 0 if current has access, error otherwise 3356 */ 3357 static int smk_curacc_msq(struct kern_ipc_perm *isp, int access) 3358 { 3359 struct smack_known *msp = smack_of_ipc(isp); 3360 struct smk_audit_info ad; 3361 int rc; 3362 3363 #ifdef CONFIG_AUDIT 3364 smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_IPC); 3365 ad.a.u.ipc_id = isp->id; 3366 #endif 3367 rc = smk_curacc(msp, access, &ad); 3368 rc = smk_bu_current("msq", msp, access, rc); 3369 return rc; 3370 } 3371 3372 /** 3373 * smack_msg_queue_associate - Smack access check for msg_queue 3374 * @isp: the object 3375 * @msqflg: access requested 3376 * 3377 * Returns 0 if current has the requested access, error code otherwise 3378 */ 3379 static int smack_msg_queue_associate(struct kern_ipc_perm *isp, int msqflg) 3380 { 3381 int may; 3382 3383 may = smack_flags_to_may(msqflg); 3384 return smk_curacc_msq(isp, may); 3385 } 3386 3387 /** 3388 * smack_msg_queue_msgctl - Smack access check for msg_queue 3389 * @isp: the object 3390 * @cmd: what it wants to do 3391 * 3392 * Returns 0 if current has the requested access, error code otherwise 3393 */ 3394 static int smack_msg_queue_msgctl(struct kern_ipc_perm *isp, int cmd) 3395 { 3396 int may; 3397 3398 switch (cmd) { 3399 case IPC_STAT: 3400 case MSG_STAT: 3401 case MSG_STAT_ANY: 3402 may = MAY_READ; 3403 break; 3404 case IPC_SET: 3405 case IPC_RMID: 3406 may = MAY_READWRITE; 3407 break; 3408 case IPC_INFO: 3409 case MSG_INFO: 3410 /* 3411 * System level information 3412 */ 3413 return 0; 3414 default: 3415 return -EINVAL; 3416 } 3417 3418 return smk_curacc_msq(isp, may); 3419 } 3420 3421 /** 3422 * smack_msg_queue_msgsnd - Smack access check for msg_queue 3423 * @isp: the object 3424 * @msg: unused 3425 * @msqflg: access requested 3426 * 3427 * Returns 0 if current has the requested access, error code otherwise 3428 */ 3429 static int smack_msg_queue_msgsnd(struct kern_ipc_perm *isp, struct msg_msg *msg, 3430 int msqflg) 3431 { 3432 int may; 3433 3434 may = smack_flags_to_may(msqflg); 3435 return smk_curacc_msq(isp, may); 3436 } 3437 3438 /** 3439 * smack_msg_queue_msgrcv - Smack access check for msg_queue 3440 * @isp: the object 3441 * @msg: unused 3442 * @target: unused 3443 * @type: unused 3444 * @mode: unused 3445 * 3446 * Returns 0 if current has read and write access, error code otherwise 3447 */ 3448 static int smack_msg_queue_msgrcv(struct kern_ipc_perm *isp, 3449 struct msg_msg *msg, 3450 struct task_struct *target, long type, 3451 int mode) 3452 { 3453 return smk_curacc_msq(isp, MAY_READWRITE); 3454 } 3455 3456 /** 3457 * smack_ipc_permission - Smack access for ipc_permission() 3458 * @ipp: the object permissions 3459 * @flag: access requested 3460 * 3461 * Returns 0 if current has read and write access, error code otherwise 3462 */ 3463 static int smack_ipc_permission(struct kern_ipc_perm *ipp, short flag) 3464 { 3465 struct smack_known **blob = smack_ipc(ipp); 3466 struct smack_known *iskp = *blob; 3467 int may = smack_flags_to_may(flag); 3468 struct smk_audit_info ad; 3469 int rc; 3470 3471 #ifdef CONFIG_AUDIT 3472 smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_IPC); 3473 ad.a.u.ipc_id = ipp->id; 3474 #endif 3475 rc = smk_curacc(iskp, may, &ad); 3476 rc = smk_bu_current("svipc", iskp, may, rc); 3477 return rc; 3478 } 3479 3480 /** 3481 * smack_ipc_getlsmprop - Extract smack security data 3482 * @ipp: the object permissions 3483 * @prop: where result will be saved 3484 */ 3485 static void smack_ipc_getlsmprop(struct kern_ipc_perm *ipp, struct lsm_prop *prop) 3486 { 3487 struct smack_known **iskpp = smack_ipc(ipp); 3488 3489 prop->smack.skp = *iskpp; 3490 } 3491 3492 /** 3493 * smack_d_instantiate - Make sure the blob is correct on an inode 3494 * @opt_dentry: dentry where inode will be attached 3495 * @inode: the object 3496 * 3497 * Set the inode's security blob if it hasn't been done already. 3498 */ 3499 static void smack_d_instantiate(struct dentry *opt_dentry, struct inode *inode) 3500 { 3501 struct super_block *sbp; 3502 struct superblock_smack *sbsp; 3503 struct inode_smack *isp; 3504 struct smack_known *skp; 3505 struct smack_known *ckp = smk_of_current(); 3506 struct smack_known *final; 3507 char trattr[TRANS_TRUE_SIZE]; 3508 int transflag = 0; 3509 int rc; 3510 struct dentry *dp; 3511 3512 if (inode == NULL) 3513 return; 3514 3515 isp = smack_inode(inode); 3516 3517 /* 3518 * If the inode is already instantiated 3519 * take the quick way out 3520 */ 3521 if (isp->smk_flags & SMK_INODE_INSTANT) 3522 return; 3523 3524 sbp = inode->i_sb; 3525 sbsp = smack_superblock(sbp); 3526 /* 3527 * We're going to use the superblock default label 3528 * if there's no label on the file. 3529 */ 3530 final = sbsp->smk_default; 3531 3532 /* 3533 * If this is the root inode the superblock 3534 * may be in the process of initialization. 3535 * If that is the case use the root value out 3536 * of the superblock. 3537 */ 3538 if (opt_dentry->d_parent == opt_dentry) { 3539 switch (sbp->s_magic) { 3540 case CGROUP_SUPER_MAGIC: 3541 case CGROUP2_SUPER_MAGIC: 3542 /* 3543 * The cgroup filesystem is never mounted, 3544 * so there's no opportunity to set the mount 3545 * options. 3546 */ 3547 sbsp->smk_root = &smack_known_star; 3548 sbsp->smk_default = &smack_known_star; 3549 isp->smk_inode = sbsp->smk_root; 3550 break; 3551 case TMPFS_MAGIC: 3552 /* 3553 * What about shmem/tmpfs anonymous files with dentry 3554 * obtained from d_alloc_pseudo()? 3555 */ 3556 isp->smk_inode = smk_of_current(); 3557 break; 3558 case PIPEFS_MAGIC: 3559 isp->smk_inode = smk_of_current(); 3560 break; 3561 case SOCKFS_MAGIC: 3562 /* 3563 * Socket access is controlled by the socket 3564 * structures associated with the task involved. 3565 */ 3566 isp->smk_inode = &smack_known_star; 3567 break; 3568 default: 3569 isp->smk_inode = sbsp->smk_root; 3570 break; 3571 } 3572 isp->smk_flags |= SMK_INODE_INSTANT; 3573 return; 3574 } 3575 3576 /* 3577 * This is pretty hackish. 3578 * Casey says that we shouldn't have to do 3579 * file system specific code, but it does help 3580 * with keeping it simple. 3581 */ 3582 switch (sbp->s_magic) { 3583 case SMACK_MAGIC: 3584 case CGROUP_SUPER_MAGIC: 3585 case CGROUP2_SUPER_MAGIC: 3586 /* 3587 * Casey says that it's a little embarrassing 3588 * that the smack file system doesn't do 3589 * extended attributes. 3590 * 3591 * Cgroupfs is special 3592 */ 3593 final = &smack_known_star; 3594 break; 3595 case DEVPTS_SUPER_MAGIC: 3596 /* 3597 * devpts seems content with the label of the task. 3598 * Programs that change smack have to treat the 3599 * pty with respect. 3600 */ 3601 final = ckp; 3602 break; 3603 case PROC_SUPER_MAGIC: 3604 /* 3605 * Casey says procfs appears not to care. 3606 * The superblock default suffices. 3607 */ 3608 break; 3609 case TMPFS_MAGIC: 3610 /* 3611 * Device labels should come from the filesystem, 3612 * but watch out, because they're volitile, 3613 * getting recreated on every reboot. 3614 */ 3615 final = &smack_known_star; 3616 /* 3617 * If a smack value has been set we want to use it, 3618 * but since tmpfs isn't giving us the opportunity 3619 * to set mount options simulate setting the 3620 * superblock default. 3621 */ 3622 fallthrough; 3623 default: 3624 /* 3625 * This isn't an understood special case. 3626 * Get the value from the xattr. 3627 */ 3628 3629 /* 3630 * UDS inode has fixed label (*) 3631 */ 3632 if (S_ISSOCK(inode->i_mode)) { 3633 final = &smack_known_star; 3634 break; 3635 } 3636 /* 3637 * No xattr support means, alas, no SMACK label. 3638 * Use the aforeapplied default. 3639 * It would be curious if the label of the task 3640 * does not match that assigned. 3641 */ 3642 if (!(inode->i_opflags & IOP_XATTR)) 3643 break; 3644 /* 3645 * Get the dentry for xattr. 3646 */ 3647 dp = dget(opt_dentry); 3648 skp = smk_fetch(XATTR_NAME_SMACK, inode, dp); 3649 if (!IS_ERR_OR_NULL(skp)) 3650 final = skp; 3651 3652 /* 3653 * Transmuting directory 3654 */ 3655 if (S_ISDIR(inode->i_mode)) { 3656 /* 3657 * If this is a new directory and the label was 3658 * transmuted when the inode was initialized 3659 * set the transmute attribute on the directory 3660 * and mark the inode. 3661 * 3662 * If there is a transmute attribute on the 3663 * directory mark the inode. 3664 */ 3665 rc = __vfs_getxattr(dp, inode, 3666 XATTR_NAME_SMACKTRANSMUTE, trattr, 3667 TRANS_TRUE_SIZE); 3668 if (rc >= 0 && strncmp(trattr, TRANS_TRUE, 3669 TRANS_TRUE_SIZE) != 0) 3670 rc = -EINVAL; 3671 if (rc >= 0) 3672 transflag = SMK_INODE_TRANSMUTE; 3673 } 3674 /* 3675 * Don't let the exec or mmap label be "*" or "@". 3676 */ 3677 skp = smk_fetch(XATTR_NAME_SMACKEXEC, inode, dp); 3678 if (IS_ERR(skp) || skp == &smack_known_star || 3679 skp == &smack_known_web) 3680 skp = NULL; 3681 isp->smk_task = skp; 3682 3683 skp = smk_fetch(XATTR_NAME_SMACKMMAP, inode, dp); 3684 if (IS_ERR(skp) || skp == &smack_known_star || 3685 skp == &smack_known_web) 3686 skp = NULL; 3687 isp->smk_mmap = skp; 3688 3689 dput(dp); 3690 break; 3691 } 3692 3693 if (final == NULL) 3694 isp->smk_inode = ckp; 3695 else 3696 isp->smk_inode = final; 3697 3698 isp->smk_flags |= (SMK_INODE_INSTANT | transflag); 3699 3700 return; 3701 } 3702 3703 /** 3704 * smack_getselfattr - Smack current process attribute 3705 * @attr: which attribute to fetch 3706 * @ctx: buffer to receive the result 3707 * @size: available size in, actual size out 3708 * @flags: reserved, currently zero 3709 * 3710 * Fill the passed user space @ctx with the details of the requested 3711 * attribute. 3712 * 3713 * Returns the number of attributes on success, an error code otherwise. 3714 * There will only ever be one attribute. 3715 */ 3716 static int smack_getselfattr(unsigned int attr, struct lsm_ctx __user *ctx, 3717 u32 *size, u32 flags) 3718 { 3719 int rc; 3720 struct smack_known *skp; 3721 3722 if (attr != LSM_ATTR_CURRENT) 3723 return -EOPNOTSUPP; 3724 3725 skp = smk_of_current(); 3726 rc = lsm_fill_user_ctx(ctx, size, 3727 skp->smk_known, strlen(skp->smk_known) + 1, 3728 LSM_ID_SMACK, 0); 3729 return (!rc ? 1 : rc); 3730 } 3731 3732 /** 3733 * smack_getprocattr - Smack process attribute access 3734 * @p: the object task 3735 * @name: the name of the attribute in /proc/.../attr 3736 * @value: where to put the result 3737 * 3738 * Places a copy of the task Smack into value 3739 * 3740 * Returns the length of the smack label or an error code 3741 */ 3742 static int smack_getprocattr(struct task_struct *p, const char *name, char **value) 3743 { 3744 struct smack_known *skp = smk_of_task_struct_obj(p); 3745 char *cp; 3746 int slen; 3747 3748 if (strcmp(name, "current") != 0) 3749 return -EINVAL; 3750 3751 cp = kstrdup(skp->smk_known, GFP_KERNEL); 3752 if (cp == NULL) 3753 return -ENOMEM; 3754 3755 slen = strlen(cp); 3756 *value = cp; 3757 return slen; 3758 } 3759 3760 /** 3761 * do_setattr - Smack process attribute setting 3762 * @attr: the ID of the attribute 3763 * @value: the value to set 3764 * @size: the size of the value 3765 * 3766 * Sets the Smack value of the task. Only setting self 3767 * is permitted and only with privilege 3768 * 3769 * Returns zero on success or an error code 3770 */ 3771 static int do_setattr(unsigned int attr, void *value, size_t size) 3772 { 3773 struct task_smack *tsp = smack_cred(current_cred()); 3774 struct cred *new; 3775 struct smack_known *skp; 3776 int label_len; 3777 3778 /* 3779 * let unprivileged user validate input, check permissions later 3780 */ 3781 if (value == NULL || size == 0 || size >= SMK_LONGLABEL) 3782 return -EINVAL; 3783 3784 label_len = smk_parse_label_len(value, size); 3785 if (label_len < 0 || label_len != size) 3786 return -EINVAL; 3787 3788 /* 3789 * No process is ever allowed the web ("@") label 3790 * and the star ("*") label. 3791 */ 3792 if (label_len == 1 /* '@', '*' */) { 3793 const char c = *(const char *)value; 3794 3795 if (c == *smack_known_web.smk_known || 3796 c == *smack_known_star.smk_known) 3797 return -EPERM; 3798 } 3799 3800 if (!smack_privileged(CAP_MAC_ADMIN)) { 3801 const struct smack_known_list_elem *sklep; 3802 list_for_each_entry(sklep, &tsp->smk_relabel, list) { 3803 const char *cp = sklep->smk_label->smk_known; 3804 3805 if (strlen(cp) == label_len && 3806 strncmp(cp, value, label_len) == 0) 3807 goto in_relabel; 3808 } 3809 return -EPERM; 3810 in_relabel: 3811 ; 3812 } 3813 3814 skp = smk_import_valid_label(value, label_len, GFP_KERNEL); 3815 if (IS_ERR(skp)) 3816 return PTR_ERR(skp); 3817 3818 new = prepare_creds(); 3819 if (new == NULL) 3820 return -ENOMEM; 3821 3822 tsp = smack_cred(new); 3823 tsp->smk_task = skp; 3824 /* 3825 * process can change its label only once 3826 */ 3827 smk_destroy_label_list(&tsp->smk_relabel); 3828 3829 commit_creds(new); 3830 return 0; 3831 } 3832 3833 /** 3834 * smack_setselfattr - Set a Smack process attribute 3835 * @attr: which attribute to set 3836 * @ctx: buffer containing the data 3837 * @size: size of @ctx 3838 * @flags: reserved, must be zero 3839 * 3840 * Fill the passed user space @ctx with the details of the requested 3841 * attribute. 3842 * 3843 * Returns 0 on success, an error code otherwise. 3844 */ 3845 static int smack_setselfattr(unsigned int attr, struct lsm_ctx *ctx, 3846 u32 size, u32 flags) 3847 { 3848 if (attr != LSM_ATTR_CURRENT) 3849 return -EOPNOTSUPP; 3850 3851 if (ctx->flags) 3852 return -EINVAL; 3853 /* 3854 * string must have \0 terminator, included in ctx->ctx 3855 * (see description of struct lsm_ctx) 3856 */ 3857 if (ctx->ctx_len == 0) 3858 return -EINVAL; 3859 3860 if (ctx->ctx[ctx->ctx_len - 1] != '\0') 3861 return -EINVAL; 3862 /* 3863 * other do_setattr() caller, smack_setprocattr(), 3864 * does not count \0 into size, so 3865 * decreasing length by 1 to accommodate the divergence. 3866 */ 3867 return do_setattr(attr, ctx->ctx, ctx->ctx_len - 1); 3868 } 3869 3870 /** 3871 * smack_setprocattr - Smack process attribute setting 3872 * @name: the name of the attribute in /proc/.../attr 3873 * @value: the value to set 3874 * @size: the size of the value 3875 * 3876 * Sets the Smack value of the task. Only setting self 3877 * is permitted and only with privilege 3878 * 3879 * Returns the size of the input value or an error code 3880 */ 3881 static int smack_setprocattr(const char *name, void *value, size_t size) 3882 { 3883 size_t realsize = size; 3884 unsigned int attr = lsm_name_to_attr(name); 3885 3886 switch (attr) { 3887 case LSM_ATTR_UNDEF: return -EINVAL; 3888 default: return -EOPNOTSUPP; 3889 case LSM_ATTR_CURRENT: 3890 ; 3891 } 3892 3893 /* 3894 * The value for the "current" attribute is the label 3895 * followed by one of the 4 trailers: none, \0, \n, \n\0 3896 * 3897 * I.e. following inputs are accepted as 3-characters long label "foo": 3898 * 3899 * "foo" (3 characters) 3900 * "foo\0" (4 characters) 3901 * "foo\n" (4 characters) 3902 * "foo\n\0" (5 characters) 3903 */ 3904 3905 if (realsize && (((const char *)value)[realsize - 1] == '\0')) 3906 --realsize; 3907 3908 if (realsize && (((const char *)value)[realsize - 1] == '\n')) 3909 --realsize; 3910 3911 return do_setattr(attr, value, realsize) ? : size; 3912 } 3913 3914 /** 3915 * smack_unix_stream_connect - Smack access on UDS 3916 * @sock: one sock 3917 * @other: the other sock 3918 * @newsk: unused 3919 * 3920 * Return 0 if a subject with the smack of sock could access 3921 * an object with the smack of other, otherwise an error code 3922 */ 3923 static int smack_unix_stream_connect(struct sock *sock, 3924 struct sock *other, struct sock *newsk) 3925 { 3926 struct smack_known *skp; 3927 struct smack_known *okp; 3928 struct socket_smack *ssp = smack_sock(sock); 3929 struct socket_smack *osp = smack_sock(other); 3930 struct socket_smack *nsp = smack_sock(newsk); 3931 struct smk_audit_info ad; 3932 int rc = 0; 3933 #ifdef CONFIG_AUDIT 3934 struct lsm_network_audit net; 3935 #endif 3936 3937 if (!smack_privileged(CAP_MAC_OVERRIDE)) { 3938 skp = ssp->smk_out; 3939 okp = osp->smk_in; 3940 #ifdef CONFIG_AUDIT 3941 smk_ad_init_net(&ad, __func__, LSM_AUDIT_DATA_NET, &net); 3942 smk_ad_setfield_u_net_sk(&ad, other); 3943 #endif 3944 rc = smk_access(skp, okp, MAY_WRITE, &ad); 3945 rc = smk_bu_note("UDS connect", skp, okp, MAY_WRITE, rc); 3946 if (rc == 0) { 3947 okp = osp->smk_out; 3948 skp = ssp->smk_in; 3949 rc = smk_access(okp, skp, MAY_WRITE, &ad); 3950 rc = smk_bu_note("UDS connect", okp, skp, 3951 MAY_WRITE, rc); 3952 } 3953 } 3954 3955 if (rc == 0) { 3956 /* 3957 * Cross reference the peer labels for SO_PEERSEC. 3958 */ 3959 nsp->smk_packet = ssp->smk_out; 3960 ssp->smk_packet = osp->smk_out; 3961 3962 /* 3963 * new/child/established socket must inherit listening socket labels 3964 */ 3965 nsp->smk_out = osp->smk_out; 3966 nsp->smk_in = osp->smk_in; 3967 } 3968 3969 return rc; 3970 } 3971 3972 /** 3973 * smack_unix_may_send - Smack access on UDS 3974 * @sock: one socket 3975 * @other: the other socket 3976 * 3977 * Return 0 if a subject with the smack of sock could access 3978 * an object with the smack of other, otherwise an error code 3979 */ 3980 static int smack_unix_may_send(struct socket *sock, struct socket *other) 3981 { 3982 struct socket_smack *ssp = smack_sock(sock->sk); 3983 struct socket_smack *osp = smack_sock(other->sk); 3984 struct smk_audit_info ad; 3985 int rc; 3986 3987 #ifdef CONFIG_AUDIT 3988 struct lsm_network_audit net; 3989 3990 smk_ad_init_net(&ad, __func__, LSM_AUDIT_DATA_NET, &net); 3991 smk_ad_setfield_u_net_sk(&ad, other->sk); 3992 #endif 3993 3994 if (smack_privileged(CAP_MAC_OVERRIDE)) 3995 return 0; 3996 3997 rc = smk_access(ssp->smk_out, osp->smk_in, MAY_WRITE, &ad); 3998 rc = smk_bu_note("UDS send", ssp->smk_out, osp->smk_in, MAY_WRITE, rc); 3999 return rc; 4000 } 4001 4002 /** 4003 * smack_socket_sendmsg - Smack check based on destination host 4004 * @sock: the socket 4005 * @msg: the message 4006 * @size: the size of the message 4007 * 4008 * Return 0 if the current subject can write to the destination host. 4009 * For IPv4 this is only a question if the destination is a single label host. 4010 * For IPv6 this is a check against the label of the port. 4011 */ 4012 static int smack_socket_sendmsg(struct socket *sock, struct msghdr *msg, 4013 int size) 4014 { 4015 struct sockaddr_in *sip = (struct sockaddr_in *) msg->msg_name; 4016 #if IS_ENABLED(CONFIG_IPV6) 4017 struct sockaddr_in6 *sap = (struct sockaddr_in6 *) msg->msg_name; 4018 #endif 4019 #ifdef SMACK_IPV6_SECMARK_LABELING 4020 struct socket_smack *ssp = smack_sock(sock->sk); 4021 struct smack_known *rsp; 4022 #endif 4023 int rc = 0; 4024 4025 /* 4026 * Perfectly reasonable for this to be NULL 4027 */ 4028 if (sip == NULL) 4029 return 0; 4030 4031 switch (sock->sk->sk_family) { 4032 case AF_INET: 4033 if (msg->msg_namelen < sizeof(struct sockaddr_in) || 4034 sip->sin_family != AF_INET) 4035 return -EINVAL; 4036 rc = smk_ipv4_check(sock->sk, sip); 4037 break; 4038 #if IS_ENABLED(CONFIG_IPV6) 4039 case AF_INET6: 4040 if (msg->msg_namelen < SIN6_LEN_RFC2133 || 4041 sap->sin6_family != AF_INET6) 4042 return -EINVAL; 4043 #ifdef SMACK_IPV6_SECMARK_LABELING 4044 rsp = smack_ipv6host_label(sap); 4045 if (rsp != NULL) 4046 rc = smk_ipv6_check(ssp->smk_out, rsp, sap, 4047 SMK_CONNECTING); 4048 #endif 4049 #ifdef SMACK_IPV6_PORT_LABELING 4050 rc = smk_ipv6_port_check(sock->sk, sap, SMK_SENDING); 4051 #endif 4052 #endif /* IS_ENABLED(CONFIG_IPV6) */ 4053 break; 4054 } 4055 return rc; 4056 } 4057 4058 /** 4059 * smack_from_secattr - Convert a netlabel attr.mls.lvl/attr.mls.cat pair to smack 4060 * @sap: netlabel secattr 4061 * @ssp: socket security information 4062 * 4063 * Returns a pointer to a Smack label entry found on the label list. 4064 */ 4065 static struct smack_known *smack_from_secattr(struct netlbl_lsm_secattr *sap, 4066 struct socket_smack *ssp) 4067 { 4068 struct smack_known *skp; 4069 int found = 0; 4070 int acat; 4071 int kcat; 4072 4073 /* 4074 * Netlabel found it in the cache. 4075 */ 4076 if ((sap->flags & NETLBL_SECATTR_CACHE) != 0) 4077 return (struct smack_known *)sap->cache->data; 4078 4079 if ((sap->flags & NETLBL_SECATTR_SECID) != 0) 4080 /* 4081 * Looks like a fallback, which gives us a secid. 4082 */ 4083 return smack_from_secid(sap->attr.secid); 4084 4085 if ((sap->flags & NETLBL_SECATTR_MLS_LVL) != 0) { 4086 /* 4087 * Looks like a CIPSO packet. 4088 * If there are flags but no level netlabel isn't 4089 * behaving the way we expect it to. 4090 * 4091 * Look it up in the label table 4092 * Without guidance regarding the smack value 4093 * for the packet fall back on the network 4094 * ambient value. 4095 */ 4096 rcu_read_lock(); 4097 list_for_each_entry_rcu(skp, &smack_known_list, list) { 4098 if (sap->attr.mls.lvl != skp->smk_netlabel.attr.mls.lvl) 4099 continue; 4100 /* 4101 * Compare the catsets. Use the netlbl APIs. 4102 */ 4103 if ((sap->flags & NETLBL_SECATTR_MLS_CAT) == 0) { 4104 if ((skp->smk_netlabel.flags & 4105 NETLBL_SECATTR_MLS_CAT) == 0) 4106 found = 1; 4107 break; 4108 } 4109 for (acat = -1, kcat = -1; acat == kcat; ) { 4110 acat = netlbl_catmap_walk(sap->attr.mls.cat, 4111 acat + 1); 4112 kcat = netlbl_catmap_walk( 4113 skp->smk_netlabel.attr.mls.cat, 4114 kcat + 1); 4115 if (acat < 0 || kcat < 0) 4116 break; 4117 } 4118 if (acat == kcat) { 4119 found = 1; 4120 break; 4121 } 4122 } 4123 rcu_read_unlock(); 4124 4125 if (found) 4126 return skp; 4127 4128 if (ssp != NULL && ssp->smk_in == &smack_known_star) 4129 return &smack_known_web; 4130 return &smack_known_star; 4131 } 4132 /* 4133 * Without guidance regarding the smack value 4134 * for the packet fall back on the network 4135 * ambient value. 4136 */ 4137 return smack_net_ambient; 4138 } 4139 4140 #if IS_ENABLED(CONFIG_IPV6) 4141 static int smk_skb_to_addr_ipv6(struct sk_buff *skb, struct sockaddr_in6 *sip) 4142 { 4143 u8 nexthdr; 4144 int offset; 4145 int proto = -EINVAL; 4146 struct ipv6hdr _ipv6h; 4147 struct ipv6hdr *ip6; 4148 __be16 frag_off; 4149 struct tcphdr _tcph, *th; 4150 struct udphdr _udph, *uh; 4151 4152 sip->sin6_port = 0; 4153 4154 offset = skb_network_offset(skb); 4155 ip6 = skb_header_pointer(skb, offset, sizeof(_ipv6h), &_ipv6h); 4156 if (ip6 == NULL) 4157 return -EINVAL; 4158 sip->sin6_addr = ip6->saddr; 4159 4160 nexthdr = ip6->nexthdr; 4161 offset += sizeof(_ipv6h); 4162 offset = ipv6_skip_exthdr(skb, offset, &nexthdr, &frag_off); 4163 if (offset < 0) 4164 return -EINVAL; 4165 4166 proto = nexthdr; 4167 switch (proto) { 4168 case IPPROTO_TCP: 4169 th = skb_header_pointer(skb, offset, sizeof(_tcph), &_tcph); 4170 if (th != NULL) 4171 sip->sin6_port = th->source; 4172 break; 4173 case IPPROTO_UDP: 4174 uh = skb_header_pointer(skb, offset, sizeof(_udph), &_udph); 4175 if (uh != NULL) 4176 sip->sin6_port = uh->source; 4177 break; 4178 } 4179 return proto; 4180 } 4181 #endif /* CONFIG_IPV6 */ 4182 4183 /** 4184 * smack_from_skb - Smack data from the secmark in an skb 4185 * @skb: packet 4186 * 4187 * Returns smack_known of the secmark or NULL if that won't work. 4188 */ 4189 #ifdef CONFIG_NETWORK_SECMARK 4190 static struct smack_known *smack_from_skb(struct sk_buff *skb) 4191 { 4192 if (skb == NULL || skb->secmark == 0) 4193 return NULL; 4194 4195 return smack_from_secid(skb->secmark); 4196 } 4197 #else 4198 static inline struct smack_known *smack_from_skb(struct sk_buff *skb) 4199 { 4200 return NULL; 4201 } 4202 #endif 4203 4204 /** 4205 * smack_from_netlbl - Smack data from the IP options in an skb 4206 * @sk: socket data came in on 4207 * @family: address family 4208 * @skb: packet 4209 * 4210 * Find the Smack label in the IP options. If it hasn't been 4211 * added to the netlabel cache, add it here. 4212 * 4213 * Returns smack_known of the IP options or NULL if that won't work. 4214 */ 4215 static struct smack_known *smack_from_netlbl(const struct sock *sk, u16 family, 4216 struct sk_buff *skb) 4217 { 4218 struct netlbl_lsm_secattr secattr; 4219 struct socket_smack *ssp = NULL; 4220 struct smack_known *skp = NULL; 4221 4222 netlbl_secattr_init(&secattr); 4223 4224 if (sk) 4225 ssp = smack_sock(sk); 4226 4227 if (netlbl_skbuff_getattr(skb, family, &secattr) == 0) { 4228 skp = smack_from_secattr(&secattr, ssp); 4229 if (secattr.flags & NETLBL_SECATTR_CACHEABLE) 4230 netlbl_cache_add(skb, family, &skp->smk_netlabel); 4231 } 4232 4233 netlbl_secattr_destroy(&secattr); 4234 4235 return skp; 4236 } 4237 4238 /** 4239 * smack_socket_sock_rcv_skb - Smack packet delivery access check 4240 * @sk: socket 4241 * @skb: packet 4242 * 4243 * Returns 0 if the packet should be delivered, an error code otherwise 4244 */ 4245 static int smack_socket_sock_rcv_skb(struct sock *sk, struct sk_buff *skb) 4246 { 4247 struct socket_smack *ssp = smack_sock(sk); 4248 struct smack_known *skp = NULL; 4249 int rc = 0; 4250 struct smk_audit_info ad; 4251 u16 family = sk->sk_family; 4252 #ifdef CONFIG_AUDIT 4253 struct lsm_network_audit net; 4254 #endif 4255 #if IS_ENABLED(CONFIG_IPV6) 4256 struct sockaddr_in6 sadd; 4257 int proto; 4258 4259 if (family == PF_INET6 && skb->protocol == htons(ETH_P_IP)) 4260 family = PF_INET; 4261 #endif /* CONFIG_IPV6 */ 4262 4263 switch (family) { 4264 case PF_INET: 4265 /* 4266 * If there is a secmark use it rather than the CIPSO label. 4267 * If there is no secmark fall back to CIPSO. 4268 * The secmark is assumed to reflect policy better. 4269 */ 4270 skp = smack_from_skb(skb); 4271 if (skp == NULL) { 4272 skp = smack_from_netlbl(sk, family, skb); 4273 if (skp == NULL) 4274 skp = smack_net_ambient; 4275 } 4276 4277 #ifdef CONFIG_AUDIT 4278 smk_ad_init_net(&ad, __func__, LSM_AUDIT_DATA_NET, &net); 4279 ad.a.u.net->family = family; 4280 ad.a.u.net->netif = skb->skb_iif; 4281 ipv4_skb_to_auditdata(skb, &ad.a, NULL); 4282 #endif 4283 /* 4284 * Receiving a packet requires that the other end 4285 * be able to write here. Read access is not required. 4286 * This is the simplest possible security model 4287 * for networking. 4288 */ 4289 rc = smk_access(skp, ssp->smk_in, MAY_WRITE, &ad); 4290 rc = smk_bu_note("IPv4 delivery", skp, ssp->smk_in, 4291 MAY_WRITE, rc); 4292 if (rc != 0) 4293 netlbl_skbuff_err(skb, family, rc, 0); 4294 break; 4295 #if IS_ENABLED(CONFIG_IPV6) 4296 case PF_INET6: 4297 proto = smk_skb_to_addr_ipv6(skb, &sadd); 4298 if (proto != IPPROTO_UDP && proto != IPPROTO_TCP) 4299 break; 4300 #ifdef SMACK_IPV6_SECMARK_LABELING 4301 skp = smack_from_skb(skb); 4302 if (skp == NULL) { 4303 if (smk_ipv6_localhost(&sadd)) 4304 break; 4305 skp = smack_ipv6host_label(&sadd); 4306 if (skp == NULL) 4307 skp = smack_net_ambient; 4308 } 4309 #ifdef CONFIG_AUDIT 4310 smk_ad_init_net(&ad, __func__, LSM_AUDIT_DATA_NET, &net); 4311 ad.a.u.net->family = family; 4312 ad.a.u.net->netif = skb->skb_iif; 4313 ipv6_skb_to_auditdata(skb, &ad.a, NULL); 4314 #endif /* CONFIG_AUDIT */ 4315 rc = smk_access(skp, ssp->smk_in, MAY_WRITE, &ad); 4316 rc = smk_bu_note("IPv6 delivery", skp, ssp->smk_in, 4317 MAY_WRITE, rc); 4318 #endif /* SMACK_IPV6_SECMARK_LABELING */ 4319 #ifdef SMACK_IPV6_PORT_LABELING 4320 rc = smk_ipv6_port_check(sk, &sadd, SMK_RECEIVING); 4321 #endif /* SMACK_IPV6_PORT_LABELING */ 4322 if (rc != 0) 4323 icmpv6_send(skb, ICMPV6_DEST_UNREACH, 4324 ICMPV6_ADM_PROHIBITED, 0); 4325 break; 4326 #endif /* CONFIG_IPV6 */ 4327 } 4328 4329 return rc; 4330 } 4331 4332 /** 4333 * smack_socket_getpeersec_stream - pull in packet label 4334 * @sock: the socket 4335 * @optval: user's destination 4336 * @optlen: size thereof 4337 * @len: max thereof 4338 * 4339 * returns zero on success, an error code otherwise 4340 */ 4341 static int smack_socket_getpeersec_stream(struct socket *sock, 4342 sockptr_t optval, sockptr_t optlen, 4343 unsigned int len) 4344 { 4345 struct socket_smack *ssp; 4346 char *rcp = ""; 4347 u32 slen = 1; 4348 int rc = 0; 4349 4350 ssp = smack_sock(sock->sk); 4351 if (ssp->smk_packet != NULL) { 4352 rcp = ssp->smk_packet->smk_known; 4353 slen = strlen(rcp) + 1; 4354 } 4355 if (slen > len) { 4356 rc = -ERANGE; 4357 goto out_len; 4358 } 4359 4360 if (copy_to_sockptr(optval, rcp, slen)) 4361 rc = -EFAULT; 4362 out_len: 4363 if (copy_to_sockptr(optlen, &slen, sizeof(slen))) 4364 rc = -EFAULT; 4365 return rc; 4366 } 4367 4368 4369 /** 4370 * smack_socket_getpeersec_dgram - pull in packet label 4371 * @sock: the peer socket 4372 * @skb: packet data 4373 * @secid: pointer to where to put the secid of the packet 4374 * 4375 * Sets the netlabel socket state on sk from parent 4376 */ 4377 static int smack_socket_getpeersec_dgram(struct socket *sock, 4378 struct sk_buff *skb, u32 *secid) 4379 4380 { 4381 struct socket_smack *ssp = NULL; 4382 struct smack_known *skp; 4383 struct sock *sk = NULL; 4384 int family = PF_UNSPEC; 4385 u32 s = 0; /* 0 is the invalid secid */ 4386 4387 if (skb != NULL) { 4388 if (skb->protocol == htons(ETH_P_IP)) 4389 family = PF_INET; 4390 #if IS_ENABLED(CONFIG_IPV6) 4391 else if (skb->protocol == htons(ETH_P_IPV6)) 4392 family = PF_INET6; 4393 #endif /* CONFIG_IPV6 */ 4394 } 4395 if (family == PF_UNSPEC && sock != NULL) 4396 family = sock->sk->sk_family; 4397 4398 switch (family) { 4399 case PF_UNIX: 4400 ssp = smack_sock(sock->sk); 4401 s = ssp->smk_out->smk_secid; 4402 break; 4403 case PF_INET: 4404 skp = smack_from_skb(skb); 4405 if (skp) { 4406 s = skp->smk_secid; 4407 break; 4408 } 4409 /* 4410 * Translate what netlabel gave us. 4411 */ 4412 if (sock != NULL) 4413 sk = sock->sk; 4414 skp = smack_from_netlbl(sk, family, skb); 4415 if (skp != NULL) 4416 s = skp->smk_secid; 4417 break; 4418 case PF_INET6: 4419 #ifdef SMACK_IPV6_SECMARK_LABELING 4420 skp = smack_from_skb(skb); 4421 if (skp) 4422 s = skp->smk_secid; 4423 #endif 4424 break; 4425 } 4426 *secid = s; 4427 if (s == 0) 4428 return -EINVAL; 4429 return 0; 4430 } 4431 4432 /** 4433 * smack_inet_conn_request - Smack access check on connect 4434 * @sk: socket involved 4435 * @skb: packet 4436 * @req: unused 4437 * 4438 * Returns 0 if a task with the packet label could write to 4439 * the socket, otherwise an error code 4440 */ 4441 static int smack_inet_conn_request(const struct sock *sk, struct sk_buff *skb, 4442 struct request_sock *req) 4443 { 4444 u16 family = sk->sk_family; 4445 struct smack_known *skp; 4446 struct socket_smack *ssp = smack_sock(sk); 4447 struct sockaddr_in addr; 4448 struct iphdr *hdr; 4449 struct smack_known *hskp; 4450 int rc; 4451 struct smk_audit_info ad; 4452 #ifdef CONFIG_AUDIT 4453 struct lsm_network_audit net; 4454 #endif 4455 4456 #if IS_ENABLED(CONFIG_IPV6) 4457 if (family == PF_INET6) { 4458 /* 4459 * Handle mapped IPv4 packets arriving 4460 * via IPv6 sockets. Don't set up netlabel 4461 * processing on IPv6. 4462 */ 4463 if (skb->protocol == htons(ETH_P_IP)) 4464 family = PF_INET; 4465 else 4466 return 0; 4467 } 4468 #endif /* CONFIG_IPV6 */ 4469 4470 /* 4471 * If there is a secmark use it rather than the CIPSO label. 4472 * If there is no secmark fall back to CIPSO. 4473 * The secmark is assumed to reflect policy better. 4474 */ 4475 skp = smack_from_skb(skb); 4476 if (skp == NULL) { 4477 skp = smack_from_netlbl(sk, family, skb); 4478 if (skp == NULL) 4479 skp = &smack_known_huh; 4480 } 4481 4482 #ifdef CONFIG_AUDIT 4483 smk_ad_init_net(&ad, __func__, LSM_AUDIT_DATA_NET, &net); 4484 ad.a.u.net->family = family; 4485 ad.a.u.net->netif = skb->skb_iif; 4486 ipv4_skb_to_auditdata(skb, &ad.a, NULL); 4487 #endif 4488 /* 4489 * Receiving a packet requires that the other end be able to write 4490 * here. Read access is not required. 4491 */ 4492 rc = smk_access(skp, ssp->smk_in, MAY_WRITE, &ad); 4493 rc = smk_bu_note("IPv4 connect", skp, ssp->smk_in, MAY_WRITE, rc); 4494 if (rc != 0) 4495 return rc; 4496 4497 /* 4498 * Save the peer's label in the request_sock so we can later setup 4499 * smk_packet in the child socket so that SO_PEERCRED can report it. 4500 */ 4501 req->peer_secid = skp->smk_secid; 4502 4503 /* 4504 * We need to decide if we want to label the incoming connection here 4505 * if we do we only need to label the request_sock and the stack will 4506 * propagate the wire-label to the sock when it is created. 4507 */ 4508 hdr = ip_hdr(skb); 4509 addr.sin_addr.s_addr = hdr->saddr; 4510 rcu_read_lock(); 4511 hskp = smack_ipv4host_label(&addr); 4512 rcu_read_unlock(); 4513 4514 if (hskp == NULL) 4515 rc = netlbl_req_setattr(req, &ssp->smk_out->smk_netlabel); 4516 else 4517 netlbl_req_delattr(req); 4518 4519 return rc; 4520 } 4521 4522 /** 4523 * smack_inet_csk_clone - Copy the connection information to the new socket 4524 * @sk: the new socket 4525 * @req: the connection's request_sock 4526 * 4527 * Transfer the connection's peer label to the newly created socket. 4528 */ 4529 static void smack_inet_csk_clone(struct sock *sk, 4530 const struct request_sock *req) 4531 { 4532 struct socket_smack *ssp = smack_sock(sk); 4533 struct smack_known *skp; 4534 4535 if (req->peer_secid != 0) { 4536 skp = smack_from_secid(req->peer_secid); 4537 ssp->smk_packet = skp; 4538 } else 4539 ssp->smk_packet = NULL; 4540 } 4541 4542 /* 4543 * Key management security hooks 4544 * 4545 * Casey has not tested key support very heavily. 4546 * The permission check is most likely too restrictive. 4547 * If you care about keys please have a look. 4548 */ 4549 #ifdef CONFIG_KEYS 4550 4551 /** 4552 * smack_key_alloc - Set the key security blob 4553 * @key: object 4554 * @cred: the credentials to use 4555 * @flags: unused 4556 * 4557 * No allocation required 4558 * 4559 * Returns 0 4560 */ 4561 static int smack_key_alloc(struct key *key, const struct cred *cred, 4562 unsigned long flags) 4563 { 4564 struct smack_known **blob = smack_key(key); 4565 struct smack_known *skp = smk_of_task(smack_cred(cred)); 4566 4567 *blob = skp; 4568 return 0; 4569 } 4570 4571 /** 4572 * smack_key_permission - Smack access on a key 4573 * @key_ref: gets to the object 4574 * @cred: the credentials to use 4575 * @need_perm: requested key permission 4576 * 4577 * Return 0 if the task has read and write to the object, 4578 * an error code otherwise 4579 */ 4580 static int smack_key_permission(key_ref_t key_ref, 4581 const struct cred *cred, 4582 enum key_need_perm need_perm) 4583 { 4584 struct smack_known **blob; 4585 struct smack_known *skp; 4586 struct key *keyp; 4587 struct smk_audit_info ad; 4588 struct smack_known *tkp = smk_of_task(smack_cred(cred)); 4589 int request = 0; 4590 int rc; 4591 4592 /* 4593 * Validate requested permissions 4594 */ 4595 switch (need_perm) { 4596 case KEY_NEED_READ: 4597 case KEY_NEED_SEARCH: 4598 case KEY_NEED_VIEW: 4599 request |= MAY_READ; 4600 break; 4601 case KEY_NEED_WRITE: 4602 case KEY_NEED_LINK: 4603 case KEY_NEED_SETATTR: 4604 request |= MAY_WRITE; 4605 break; 4606 case KEY_NEED_UNSPECIFIED: 4607 case KEY_NEED_UNLINK: 4608 case KEY_SYSADMIN_OVERRIDE: 4609 case KEY_AUTHTOKEN_OVERRIDE: 4610 case KEY_DEFER_PERM_CHECK: 4611 return 0; 4612 default: 4613 return -EINVAL; 4614 } 4615 4616 keyp = key_ref_to_ptr(key_ref); 4617 if (keyp == NULL) 4618 return -EINVAL; 4619 /* 4620 * If the key hasn't been initialized give it access so that 4621 * it may do so. 4622 */ 4623 blob = smack_key(keyp); 4624 skp = *blob; 4625 if (skp == NULL) 4626 return 0; 4627 /* 4628 * This should not occur 4629 */ 4630 if (tkp == NULL) 4631 return -EACCES; 4632 4633 if (smack_privileged(CAP_MAC_OVERRIDE)) 4634 return 0; 4635 4636 #ifdef CONFIG_AUDIT 4637 smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_KEY); 4638 ad.a.u.key_struct.key = keyp->serial; 4639 ad.a.u.key_struct.key_desc = keyp->description; 4640 #endif 4641 rc = smk_access(tkp, skp, request, &ad); 4642 rc = smk_bu_note("key access", tkp, skp, request, rc); 4643 return rc; 4644 } 4645 4646 /* 4647 * smack_key_getsecurity - Smack label tagging the key 4648 * @key points to the key to be queried 4649 * @_buffer points to a pointer that should be set to point to the 4650 * resulting string (if no label or an error occurs). 4651 * Return the length of the string (including terminating NUL) or -ve if 4652 * an error. 4653 * May also return 0 (and a NULL buffer pointer) if there is no label. 4654 */ 4655 static int smack_key_getsecurity(struct key *key, char **_buffer) 4656 { 4657 struct smack_known **blob = smack_key(key); 4658 struct smack_known *skp = *blob; 4659 size_t length; 4660 char *copy; 4661 4662 if (skp == NULL) { 4663 *_buffer = NULL; 4664 return 0; 4665 } 4666 4667 copy = kstrdup(skp->smk_known, GFP_KERNEL); 4668 if (copy == NULL) 4669 return -ENOMEM; 4670 length = strlen(copy) + 1; 4671 4672 *_buffer = copy; 4673 return length; 4674 } 4675 4676 4677 #ifdef CONFIG_KEY_NOTIFICATIONS 4678 /** 4679 * smack_watch_key - Smack access to watch a key for notifications. 4680 * @key: The key to be watched 4681 * 4682 * Return 0 if the @watch->cred has permission to read from the key object and 4683 * an error otherwise. 4684 */ 4685 static int smack_watch_key(struct key *key) 4686 { 4687 struct smk_audit_info ad; 4688 struct smack_known *tkp = smk_of_current(); 4689 struct smack_known **blob = smack_key(key); 4690 int rc; 4691 4692 /* 4693 * This should not occur 4694 */ 4695 if (tkp == NULL) 4696 return -EACCES; 4697 4698 if (smack_privileged_cred(CAP_MAC_OVERRIDE, current_cred())) 4699 return 0; 4700 4701 #ifdef CONFIG_AUDIT 4702 smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_KEY); 4703 ad.a.u.key_struct.key = key->serial; 4704 ad.a.u.key_struct.key_desc = key->description; 4705 #endif 4706 rc = smk_access(tkp, *blob, MAY_READ, &ad); 4707 rc = smk_bu_note("key watch", tkp, *blob, MAY_READ, rc); 4708 return rc; 4709 } 4710 #endif /* CONFIG_KEY_NOTIFICATIONS */ 4711 #endif /* CONFIG_KEYS */ 4712 4713 #ifdef CONFIG_WATCH_QUEUE 4714 /** 4715 * smack_post_notification - Smack access to post a notification to a queue 4716 * @w_cred: The credentials of the watcher. 4717 * @cred: The credentials of the event source (may be NULL). 4718 * @n: The notification message to be posted. 4719 */ 4720 static int smack_post_notification(const struct cred *w_cred, 4721 const struct cred *cred, 4722 struct watch_notification *n) 4723 { 4724 struct smk_audit_info ad; 4725 struct smack_known *subj, *obj; 4726 int rc; 4727 4728 /* Always let maintenance notifications through. */ 4729 if (n->type == WATCH_TYPE_META) 4730 return 0; 4731 4732 if (!cred) 4733 return 0; 4734 subj = smk_of_task(smack_cred(cred)); 4735 obj = smk_of_task(smack_cred(w_cred)); 4736 4737 smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_NOTIFICATION); 4738 rc = smk_access(subj, obj, MAY_WRITE, &ad); 4739 rc = smk_bu_note("notification", subj, obj, MAY_WRITE, rc); 4740 return rc; 4741 } 4742 #endif /* CONFIG_WATCH_QUEUE */ 4743 4744 /* 4745 * Smack Audit hooks 4746 * 4747 * Audit requires a unique representation of each Smack specific 4748 * rule. This unique representation is used to distinguish the 4749 * object to be audited from remaining kernel objects and also 4750 * works as a glue between the audit hooks. 4751 * 4752 * Since repository entries are added but never deleted, we'll use 4753 * the smack_known label address related to the given audit rule as 4754 * the needed unique representation. This also better fits the smack 4755 * model where nearly everything is a label. 4756 */ 4757 #ifdef CONFIG_AUDIT 4758 4759 /** 4760 * smack_audit_rule_init - Initialize a smack audit rule 4761 * @field: audit rule fields given from user-space (audit.h) 4762 * @op: required testing operator (=, !=, >, <, ...) 4763 * @rulestr: smack label to be audited 4764 * @vrule: pointer to save our own audit rule representation 4765 * @gfp: type of the memory for the allocation 4766 * 4767 * Prepare to audit cases where (@field @op @rulestr) is true. 4768 * The label to be audited is created if necessary. 4769 */ 4770 static int smack_audit_rule_init(u32 field, u32 op, char *rulestr, void **vrule, 4771 gfp_t gfp) 4772 { 4773 struct smack_known *skp; 4774 char **rule = (char **)vrule; 4775 *rule = NULL; 4776 4777 if (field != AUDIT_SUBJ_USER && field != AUDIT_OBJ_USER) 4778 return -EINVAL; 4779 4780 if (op != Audit_equal && op != Audit_not_equal) 4781 return -EINVAL; 4782 4783 skp = smk_import_entry(rulestr, 0); 4784 if (IS_ERR(skp)) 4785 return PTR_ERR(skp); 4786 4787 *rule = skp->smk_known; 4788 4789 return 0; 4790 } 4791 4792 /** 4793 * smack_audit_rule_known - Distinguish Smack audit rules 4794 * @krule: rule of interest, in Audit kernel representation format 4795 * 4796 * This is used to filter Smack rules from remaining Audit ones. 4797 * If it's proved that this rule belongs to us, the 4798 * audit_rule_match hook will be called to do the final judgement. 4799 */ 4800 static int smack_audit_rule_known(struct audit_krule *krule) 4801 { 4802 struct audit_field *f; 4803 int i; 4804 4805 for (i = 0; i < krule->field_count; i++) { 4806 f = &krule->fields[i]; 4807 4808 if (f->type == AUDIT_SUBJ_USER || f->type == AUDIT_OBJ_USER) 4809 return 1; 4810 } 4811 4812 return 0; 4813 } 4814 4815 /** 4816 * smack_audit_rule_match - Audit given object ? 4817 * @prop: security id for identifying the object to test 4818 * @field: audit rule flags given from user-space 4819 * @op: required testing operator 4820 * @vrule: smack internal rule presentation 4821 * 4822 * The core Audit hook. It's used to take the decision of 4823 * whether to audit or not to audit a given object. 4824 */ 4825 static int smack_audit_rule_match(struct lsm_prop *prop, u32 field, u32 op, 4826 void *vrule) 4827 { 4828 struct smack_known *skp = prop->smack.skp; 4829 char *rule = vrule; 4830 4831 if (unlikely(!rule)) { 4832 WARN_ONCE(1, "Smack: missing rule\n"); 4833 return -ENOENT; 4834 } 4835 4836 if (field != AUDIT_SUBJ_USER && field != AUDIT_OBJ_USER) 4837 return 0; 4838 4839 /* 4840 * No need to do string comparisons. If a match occurs, 4841 * both pointers will point to the same smack_known 4842 * label. 4843 */ 4844 if (op == Audit_equal) 4845 return (rule == skp->smk_known); 4846 if (op == Audit_not_equal) 4847 return (rule != skp->smk_known); 4848 4849 return 0; 4850 } 4851 4852 /* 4853 * There is no need for a smack_audit_rule_free hook. 4854 * No memory was allocated. 4855 */ 4856 4857 #endif /* CONFIG_AUDIT */ 4858 4859 /** 4860 * smack_ismaclabel - check if xattr @name references a smack MAC label 4861 * @name: Full xattr name to check. 4862 */ 4863 static int smack_ismaclabel(const char *name) 4864 { 4865 return (strcmp(name, XATTR_SMACK_SUFFIX) == 0); 4866 } 4867 4868 /** 4869 * smack_to_secctx - fill a lsm_context 4870 * @skp: Smack label 4871 * @cp: destination 4872 * 4873 * Fill the passed @cp and return the length of the string 4874 */ 4875 static int smack_to_secctx(struct smack_known *skp, struct lsm_context *cp) 4876 { 4877 int len = strlen(skp->smk_known); 4878 4879 if (cp) { 4880 cp->context = skp->smk_known; 4881 cp->len = len; 4882 cp->id = LSM_ID_SMACK; 4883 } 4884 return len; 4885 } 4886 4887 /** 4888 * smack_secid_to_secctx - return the smack label for a secid 4889 * @secid: incoming integer 4890 * @cp: destination 4891 * 4892 * Exists for networking code. 4893 */ 4894 static int smack_secid_to_secctx(u32 secid, struct lsm_context *cp) 4895 { 4896 return smack_to_secctx(smack_from_secid(secid), cp); 4897 } 4898 4899 /** 4900 * smack_lsmprop_to_secctx - return the smack label 4901 * @prop: includes incoming Smack data 4902 * @cp: destination 4903 * 4904 * Exists for audit code. 4905 */ 4906 static int smack_lsmprop_to_secctx(struct lsm_prop *prop, 4907 struct lsm_context *cp) 4908 { 4909 return smack_to_secctx(prop->smack.skp, cp); 4910 } 4911 4912 /** 4913 * smack_secctx_to_secid - return the secid for a smack label 4914 * @secdata: smack label 4915 * @seclen: how long result is 4916 * @secid: outgoing integer 4917 * 4918 * Exists for audit and networking code. 4919 */ 4920 static int smack_secctx_to_secid(const char *secdata, u32 seclen, u32 *secid) 4921 { 4922 struct smack_known *skp = smk_find_entry(secdata); 4923 4924 if (skp) 4925 *secid = skp->smk_secid; 4926 else 4927 *secid = 0; 4928 return 0; 4929 } 4930 4931 /* 4932 * There used to be a smack_release_secctx hook 4933 * that did nothing back when hooks were in a vector. 4934 * Now that there's a list such a hook adds cost. 4935 */ 4936 4937 static int smack_inode_notifysecctx(struct inode *inode, void *ctx, u32 ctxlen) 4938 { 4939 /* 4940 * UDS inode has fixed label. Ignore nfs label. 4941 */ 4942 if (S_ISSOCK(inode->i_mode)) 4943 return 0; 4944 return smack_inode_setsecurity(inode, XATTR_SMACK_SUFFIX, ctx, 4945 ctxlen, 0); 4946 } 4947 4948 static int smack_inode_setsecctx(struct dentry *dentry, void *ctx, u32 ctxlen) 4949 { 4950 return __vfs_setxattr_locked(&nop_mnt_idmap, dentry, XATTR_NAME_SMACK, 4951 ctx, ctxlen, 0, NULL); 4952 } 4953 4954 static int smack_inode_getsecctx(struct inode *inode, struct lsm_context *cp) 4955 { 4956 struct smack_known *skp = smk_of_inode(inode); 4957 4958 cp->context = skp->smk_known; 4959 cp->len = strlen(skp->smk_known); 4960 cp->id = LSM_ID_SMACK; 4961 return 0; 4962 } 4963 4964 static int smack_inode_copy_up(struct dentry *dentry, struct cred **new) 4965 { 4966 4967 struct task_smack *tsp; 4968 struct smack_known *skp; 4969 struct inode_smack *isp; 4970 struct cred *new_creds = *new; 4971 4972 if (new_creds == NULL) { 4973 new_creds = prepare_creds(); 4974 if (new_creds == NULL) 4975 return -ENOMEM; 4976 } 4977 4978 tsp = smack_cred(new_creds); 4979 4980 /* 4981 * Get label from overlay inode and set it in create_sid 4982 */ 4983 isp = smack_inode(d_inode(dentry)); 4984 skp = isp->smk_inode; 4985 tsp->smk_task = skp; 4986 *new = new_creds; 4987 return 0; 4988 } 4989 4990 static int smack_inode_copy_up_xattr(struct dentry *src, const char *name) 4991 { 4992 /* 4993 * Return -ECANCELED if this is the smack access Smack attribute. 4994 */ 4995 if (!strcmp(name, XATTR_NAME_SMACK)) 4996 return -ECANCELED; 4997 4998 return -EOPNOTSUPP; 4999 } 5000 5001 static int smack_dentry_create_files_as(struct dentry *dentry, int mode, 5002 const struct qstr *name, 5003 const struct cred *old, 5004 struct cred *new) 5005 { 5006 struct task_smack *otsp = smack_cred(old); 5007 struct task_smack *ntsp = smack_cred(new); 5008 struct inode_smack *isp; 5009 5010 /* 5011 * Use the process credential unless all of 5012 * the transmuting criteria are met 5013 */ 5014 ntsp->smk_task = otsp->smk_task; 5015 5016 /* 5017 * the attribute of the containing directory 5018 */ 5019 isp = smack_inode(d_inode(dentry->d_parent)); 5020 5021 if (isp->smk_flags & SMK_INODE_TRANSMUTE) { 5022 /* 5023 * If the directory is transmuting and the rule 5024 * providing access is transmuting use the containing 5025 * directory label instead of the process label. 5026 */ 5027 if (smk_rule_transmutes(otsp->smk_task, isp->smk_inode)) { 5028 ntsp->smk_task = isp->smk_inode; 5029 ntsp->smk_transmuted = ntsp->smk_task; 5030 } 5031 } 5032 return 0; 5033 } 5034 5035 #ifdef CONFIG_IO_URING 5036 /** 5037 * smack_uring_override_creds - Is io_uring cred override allowed? 5038 * @new: the target creds 5039 * 5040 * Check to see if the current task is allowed to override it's credentials 5041 * to service an io_uring operation. 5042 */ 5043 static int smack_uring_override_creds(const struct cred *new) 5044 { 5045 struct task_smack *tsp = smack_cred(current_cred()); 5046 struct task_smack *nsp = smack_cred(new); 5047 5048 /* 5049 * Allow the degenerate case where the new Smack value is 5050 * the same as the current Smack value. 5051 */ 5052 if (tsp->smk_task == nsp->smk_task) 5053 return 0; 5054 5055 if (smack_privileged_cred(CAP_MAC_OVERRIDE, current_cred())) 5056 return 0; 5057 5058 return -EPERM; 5059 } 5060 5061 /** 5062 * smack_uring_sqpoll - check if a io_uring polling thread can be created 5063 * 5064 * Check to see if the current task is allowed to create a new io_uring 5065 * kernel polling thread. 5066 */ 5067 static int smack_uring_sqpoll(void) 5068 { 5069 if (smack_privileged_cred(CAP_MAC_ADMIN, current_cred())) 5070 return 0; 5071 5072 return -EPERM; 5073 } 5074 5075 /** 5076 * smack_uring_cmd - check on file operations for io_uring 5077 * @ioucmd: the command in question 5078 * 5079 * Make a best guess about whether a io_uring "command" should 5080 * be allowed. Use the same logic used for determining if the 5081 * file could be opened for read in the absence of better criteria. 5082 */ 5083 static int smack_uring_cmd(struct io_uring_cmd *ioucmd) 5084 { 5085 struct file *file = ioucmd->file; 5086 struct smk_audit_info ad; 5087 struct task_smack *tsp; 5088 struct inode *inode; 5089 int rc; 5090 5091 if (!file) 5092 return -EINVAL; 5093 5094 tsp = smack_cred(file->f_cred); 5095 inode = file_inode(file); 5096 5097 smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_PATH); 5098 smk_ad_setfield_u_fs_path(&ad, file->f_path); 5099 rc = smk_tskacc(tsp, smk_of_inode(inode), MAY_READ, &ad); 5100 rc = smk_bu_credfile(file->f_cred, file, MAY_READ, rc); 5101 5102 return rc; 5103 } 5104 5105 #endif /* CONFIG_IO_URING */ 5106 5107 struct lsm_blob_sizes smack_blob_sizes __ro_after_init = { 5108 .lbs_cred = sizeof(struct task_smack), 5109 .lbs_file = sizeof(struct smack_known *), 5110 .lbs_inode = sizeof(struct inode_smack), 5111 .lbs_ipc = sizeof(struct smack_known *), 5112 .lbs_key = sizeof(struct smack_known *), 5113 .lbs_msg_msg = sizeof(struct smack_known *), 5114 .lbs_sock = sizeof(struct socket_smack), 5115 .lbs_superblock = sizeof(struct superblock_smack), 5116 .lbs_xattr_count = SMACK_INODE_INIT_XATTRS, 5117 }; 5118 5119 static const struct lsm_id smack_lsmid = { 5120 .name = "smack", 5121 .id = LSM_ID_SMACK, 5122 }; 5123 5124 static struct security_hook_list smack_hooks[] __ro_after_init = { 5125 LSM_HOOK_INIT(ptrace_access_check, smack_ptrace_access_check), 5126 LSM_HOOK_INIT(ptrace_traceme, smack_ptrace_traceme), 5127 LSM_HOOK_INIT(syslog, smack_syslog), 5128 5129 LSM_HOOK_INIT(fs_context_submount, smack_fs_context_submount), 5130 LSM_HOOK_INIT(fs_context_dup, smack_fs_context_dup), 5131 LSM_HOOK_INIT(fs_context_parse_param, smack_fs_context_parse_param), 5132 5133 LSM_HOOK_INIT(sb_alloc_security, smack_sb_alloc_security), 5134 LSM_HOOK_INIT(sb_free_mnt_opts, smack_free_mnt_opts), 5135 LSM_HOOK_INIT(sb_eat_lsm_opts, smack_sb_eat_lsm_opts), 5136 LSM_HOOK_INIT(sb_statfs, smack_sb_statfs), 5137 LSM_HOOK_INIT(sb_set_mnt_opts, smack_set_mnt_opts), 5138 5139 LSM_HOOK_INIT(bprm_creds_for_exec, smack_bprm_creds_for_exec), 5140 5141 LSM_HOOK_INIT(inode_alloc_security, smack_inode_alloc_security), 5142 LSM_HOOK_INIT(inode_init_security, smack_inode_init_security), 5143 LSM_HOOK_INIT(inode_link, smack_inode_link), 5144 LSM_HOOK_INIT(inode_unlink, smack_inode_unlink), 5145 LSM_HOOK_INIT(inode_rmdir, smack_inode_rmdir), 5146 LSM_HOOK_INIT(inode_rename, smack_inode_rename), 5147 LSM_HOOK_INIT(inode_permission, smack_inode_permission), 5148 LSM_HOOK_INIT(inode_setattr, smack_inode_setattr), 5149 LSM_HOOK_INIT(inode_getattr, smack_inode_getattr), 5150 LSM_HOOK_INIT(inode_xattr_skipcap, smack_inode_xattr_skipcap), 5151 LSM_HOOK_INIT(inode_setxattr, smack_inode_setxattr), 5152 LSM_HOOK_INIT(inode_post_setxattr, smack_inode_post_setxattr), 5153 LSM_HOOK_INIT(inode_getxattr, smack_inode_getxattr), 5154 LSM_HOOK_INIT(inode_removexattr, smack_inode_removexattr), 5155 LSM_HOOK_INIT(inode_set_acl, smack_inode_set_acl), 5156 LSM_HOOK_INIT(inode_get_acl, smack_inode_get_acl), 5157 LSM_HOOK_INIT(inode_remove_acl, smack_inode_remove_acl), 5158 LSM_HOOK_INIT(inode_getsecurity, smack_inode_getsecurity), 5159 LSM_HOOK_INIT(inode_setsecurity, smack_inode_setsecurity), 5160 LSM_HOOK_INIT(inode_listsecurity, smack_inode_listsecurity), 5161 LSM_HOOK_INIT(inode_getlsmprop, smack_inode_getlsmprop), 5162 5163 LSM_HOOK_INIT(file_alloc_security, smack_file_alloc_security), 5164 LSM_HOOK_INIT(file_ioctl, smack_file_ioctl), 5165 LSM_HOOK_INIT(file_ioctl_compat, smack_file_ioctl), 5166 LSM_HOOK_INIT(file_lock, smack_file_lock), 5167 LSM_HOOK_INIT(file_fcntl, smack_file_fcntl), 5168 LSM_HOOK_INIT(mmap_file, smack_mmap_file), 5169 LSM_HOOK_INIT(mmap_addr, cap_mmap_addr), 5170 LSM_HOOK_INIT(file_set_fowner, smack_file_set_fowner), 5171 LSM_HOOK_INIT(file_send_sigiotask, smack_file_send_sigiotask), 5172 LSM_HOOK_INIT(file_receive, smack_file_receive), 5173 5174 LSM_HOOK_INIT(file_open, smack_file_open), 5175 5176 LSM_HOOK_INIT(cred_alloc_blank, smack_cred_alloc_blank), 5177 LSM_HOOK_INIT(cred_free, smack_cred_free), 5178 LSM_HOOK_INIT(cred_prepare, smack_cred_prepare), 5179 LSM_HOOK_INIT(cred_transfer, smack_cred_transfer), 5180 LSM_HOOK_INIT(cred_getsecid, smack_cred_getsecid), 5181 LSM_HOOK_INIT(cred_getlsmprop, smack_cred_getlsmprop), 5182 LSM_HOOK_INIT(kernel_act_as, smack_kernel_act_as), 5183 LSM_HOOK_INIT(kernel_create_files_as, smack_kernel_create_files_as), 5184 LSM_HOOK_INIT(task_setpgid, smack_task_setpgid), 5185 LSM_HOOK_INIT(task_getpgid, smack_task_getpgid), 5186 LSM_HOOK_INIT(task_getsid, smack_task_getsid), 5187 LSM_HOOK_INIT(current_getlsmprop_subj, smack_current_getlsmprop_subj), 5188 LSM_HOOK_INIT(task_getlsmprop_obj, smack_task_getlsmprop_obj), 5189 LSM_HOOK_INIT(task_setnice, smack_task_setnice), 5190 LSM_HOOK_INIT(task_setioprio, smack_task_setioprio), 5191 LSM_HOOK_INIT(task_getioprio, smack_task_getioprio), 5192 LSM_HOOK_INIT(task_setscheduler, smack_task_setscheduler), 5193 LSM_HOOK_INIT(task_getscheduler, smack_task_getscheduler), 5194 LSM_HOOK_INIT(task_movememory, smack_task_movememory), 5195 LSM_HOOK_INIT(task_kill, smack_task_kill), 5196 LSM_HOOK_INIT(task_to_inode, smack_task_to_inode), 5197 5198 LSM_HOOK_INIT(ipc_permission, smack_ipc_permission), 5199 LSM_HOOK_INIT(ipc_getlsmprop, smack_ipc_getlsmprop), 5200 5201 LSM_HOOK_INIT(msg_msg_alloc_security, smack_msg_msg_alloc_security), 5202 5203 LSM_HOOK_INIT(msg_queue_alloc_security, smack_ipc_alloc_security), 5204 LSM_HOOK_INIT(msg_queue_associate, smack_msg_queue_associate), 5205 LSM_HOOK_INIT(msg_queue_msgctl, smack_msg_queue_msgctl), 5206 LSM_HOOK_INIT(msg_queue_msgsnd, smack_msg_queue_msgsnd), 5207 LSM_HOOK_INIT(msg_queue_msgrcv, smack_msg_queue_msgrcv), 5208 5209 LSM_HOOK_INIT(shm_alloc_security, smack_ipc_alloc_security), 5210 LSM_HOOK_INIT(shm_associate, smack_shm_associate), 5211 LSM_HOOK_INIT(shm_shmctl, smack_shm_shmctl), 5212 LSM_HOOK_INIT(shm_shmat, smack_shm_shmat), 5213 5214 LSM_HOOK_INIT(sem_alloc_security, smack_ipc_alloc_security), 5215 LSM_HOOK_INIT(sem_associate, smack_sem_associate), 5216 LSM_HOOK_INIT(sem_semctl, smack_sem_semctl), 5217 LSM_HOOK_INIT(sem_semop, smack_sem_semop), 5218 5219 LSM_HOOK_INIT(d_instantiate, smack_d_instantiate), 5220 5221 LSM_HOOK_INIT(getselfattr, smack_getselfattr), 5222 LSM_HOOK_INIT(setselfattr, smack_setselfattr), 5223 LSM_HOOK_INIT(getprocattr, smack_getprocattr), 5224 LSM_HOOK_INIT(setprocattr, smack_setprocattr), 5225 5226 LSM_HOOK_INIT(unix_stream_connect, smack_unix_stream_connect), 5227 LSM_HOOK_INIT(unix_may_send, smack_unix_may_send), 5228 5229 LSM_HOOK_INIT(socket_post_create, smack_socket_post_create), 5230 LSM_HOOK_INIT(socket_socketpair, smack_socket_socketpair), 5231 #ifdef SMACK_IPV6_PORT_LABELING 5232 LSM_HOOK_INIT(socket_bind, smack_socket_bind), 5233 #endif 5234 LSM_HOOK_INIT(socket_connect, smack_socket_connect), 5235 LSM_HOOK_INIT(socket_sendmsg, smack_socket_sendmsg), 5236 LSM_HOOK_INIT(socket_sock_rcv_skb, smack_socket_sock_rcv_skb), 5237 LSM_HOOK_INIT(socket_getpeersec_stream, smack_socket_getpeersec_stream), 5238 LSM_HOOK_INIT(socket_getpeersec_dgram, smack_socket_getpeersec_dgram), 5239 LSM_HOOK_INIT(sk_alloc_security, smack_sk_alloc_security), 5240 #ifdef SMACK_IPV6_PORT_LABELING 5241 LSM_HOOK_INIT(sk_free_security, smack_sk_free_security), 5242 #endif 5243 LSM_HOOK_INIT(sk_clone_security, smack_sk_clone_security), 5244 LSM_HOOK_INIT(inet_conn_request, smack_inet_conn_request), 5245 LSM_HOOK_INIT(inet_csk_clone, smack_inet_csk_clone), 5246 5247 /* key management security hooks */ 5248 #ifdef CONFIG_KEYS 5249 LSM_HOOK_INIT(key_alloc, smack_key_alloc), 5250 LSM_HOOK_INIT(key_permission, smack_key_permission), 5251 LSM_HOOK_INIT(key_getsecurity, smack_key_getsecurity), 5252 #ifdef CONFIG_KEY_NOTIFICATIONS 5253 LSM_HOOK_INIT(watch_key, smack_watch_key), 5254 #endif 5255 #endif /* CONFIG_KEYS */ 5256 5257 #ifdef CONFIG_WATCH_QUEUE 5258 LSM_HOOK_INIT(post_notification, smack_post_notification), 5259 #endif 5260 5261 /* Audit hooks */ 5262 #ifdef CONFIG_AUDIT 5263 LSM_HOOK_INIT(audit_rule_init, smack_audit_rule_init), 5264 LSM_HOOK_INIT(audit_rule_known, smack_audit_rule_known), 5265 LSM_HOOK_INIT(audit_rule_match, smack_audit_rule_match), 5266 #endif /* CONFIG_AUDIT */ 5267 5268 LSM_HOOK_INIT(ismaclabel, smack_ismaclabel), 5269 LSM_HOOK_INIT(secid_to_secctx, smack_secid_to_secctx), 5270 LSM_HOOK_INIT(lsmprop_to_secctx, smack_lsmprop_to_secctx), 5271 LSM_HOOK_INIT(secctx_to_secid, smack_secctx_to_secid), 5272 LSM_HOOK_INIT(inode_notifysecctx, smack_inode_notifysecctx), 5273 LSM_HOOK_INIT(inode_setsecctx, smack_inode_setsecctx), 5274 LSM_HOOK_INIT(inode_getsecctx, smack_inode_getsecctx), 5275 LSM_HOOK_INIT(inode_copy_up, smack_inode_copy_up), 5276 LSM_HOOK_INIT(inode_copy_up_xattr, smack_inode_copy_up_xattr), 5277 LSM_HOOK_INIT(dentry_create_files_as, smack_dentry_create_files_as), 5278 #ifdef CONFIG_IO_URING 5279 LSM_HOOK_INIT(uring_override_creds, smack_uring_override_creds), 5280 LSM_HOOK_INIT(uring_sqpoll, smack_uring_sqpoll), 5281 LSM_HOOK_INIT(uring_cmd, smack_uring_cmd), 5282 #endif 5283 }; 5284 5285 5286 static __init void init_smack_known_list(void) 5287 { 5288 /* 5289 * Initialize rule list locks 5290 */ 5291 mutex_init(&smack_known_huh.smk_rules_lock); 5292 mutex_init(&smack_known_hat.smk_rules_lock); 5293 mutex_init(&smack_known_floor.smk_rules_lock); 5294 mutex_init(&smack_known_star.smk_rules_lock); 5295 mutex_init(&smack_known_web.smk_rules_lock); 5296 /* 5297 * Initialize rule lists 5298 */ 5299 INIT_LIST_HEAD(&smack_known_huh.smk_rules); 5300 INIT_LIST_HEAD(&smack_known_hat.smk_rules); 5301 INIT_LIST_HEAD(&smack_known_star.smk_rules); 5302 INIT_LIST_HEAD(&smack_known_floor.smk_rules); 5303 INIT_LIST_HEAD(&smack_known_web.smk_rules); 5304 /* 5305 * Create the known labels list 5306 */ 5307 smk_insert_entry(&smack_known_huh); 5308 smk_insert_entry(&smack_known_hat); 5309 smk_insert_entry(&smack_known_star); 5310 smk_insert_entry(&smack_known_floor); 5311 smk_insert_entry(&smack_known_web); 5312 } 5313 5314 /** 5315 * smack_init - initialize the smack system 5316 * 5317 * Returns 0 on success, -ENOMEM is there's no memory 5318 */ 5319 static __init int smack_init(void) 5320 { 5321 struct cred *cred = (struct cred *) current->cred; 5322 struct task_smack *tsp; 5323 5324 smack_rule_cache = KMEM_CACHE(smack_rule, 0); 5325 if (!smack_rule_cache) 5326 return -ENOMEM; 5327 5328 /* 5329 * Set the security state for the initial task. 5330 */ 5331 tsp = smack_cred(cred); 5332 init_task_smack(tsp, &smack_known_floor, &smack_known_floor); 5333 5334 /* 5335 * Register with LSM 5336 */ 5337 security_add_hooks(smack_hooks, ARRAY_SIZE(smack_hooks), &smack_lsmid); 5338 smack_enabled = 1; 5339 5340 pr_info("Smack: Initializing.\n"); 5341 #ifdef CONFIG_SECURITY_SMACK_NETFILTER 5342 pr_info("Smack: Netfilter enabled.\n"); 5343 #endif 5344 #ifdef SMACK_IPV6_PORT_LABELING 5345 pr_info("Smack: IPv6 port labeling enabled.\n"); 5346 #endif 5347 #ifdef SMACK_IPV6_SECMARK_LABELING 5348 pr_info("Smack: IPv6 Netfilter enabled.\n"); 5349 #endif 5350 5351 /* initialize the smack_known_list */ 5352 init_smack_known_list(); 5353 5354 /* Inform the audit system that secctx is used */ 5355 audit_cfg_lsm(&smack_lsmid, 5356 AUDIT_CFG_LSM_SECCTX_SUBJECT | 5357 AUDIT_CFG_LSM_SECCTX_OBJECT); 5358 5359 return 0; 5360 } 5361 5362 int __init smack_initcall(void) 5363 { 5364 int rc_fs = init_smk_fs(); 5365 int rc_nf = smack_nf_ip_init(); 5366 5367 return rc_fs ? rc_fs : rc_nf; 5368 } 5369 5370 /* 5371 * Smack requires early initialization in order to label 5372 * all processes and objects when they are created. 5373 */ 5374 DEFINE_LSM(smack) = { 5375 .id = &smack_lsmid, 5376 .flags = LSM_FLAG_LEGACY_MAJOR | LSM_FLAG_EXCLUSIVE, 5377 .blobs = &smack_blob_sizes, 5378 .init = smack_init, 5379 .initcall_device = smack_initcall, 5380 }; 5381