1 // SPDX-License-Identifier: GPL-2.0-only 2 /* 3 * Copyright (C) 2007 Casey Schaufler <casey@schaufler-ca.com> 4 * 5 * Author: 6 * Casey Schaufler <casey@schaufler-ca.com> 7 */ 8 9 #include <linux/types.h> 10 #include <linux/slab.h> 11 #include <linux/fs.h> 12 #include <linux/sched.h> 13 #include "smack.h" 14 15 struct smack_known smack_known_huh = { 16 .smk_known = "?", 17 .smk_secid = 2, 18 }; 19 20 struct smack_known smack_known_hat = { 21 .smk_known = "^", 22 .smk_secid = 3, 23 }; 24 25 struct smack_known smack_known_star = { 26 .smk_known = "*", 27 .smk_secid = 4, 28 }; 29 30 struct smack_known smack_known_floor = { 31 .smk_known = "_", 32 .smk_secid = 5, 33 }; 34 35 struct smack_known smack_known_web = { 36 .smk_known = "@", 37 .smk_secid = 7, 38 }; 39 40 LIST_HEAD(smack_known_list); 41 42 /* 43 * The initial value needs to be bigger than any of the 44 * known values above. 45 */ 46 static u32 smack_next_secid = 10; 47 48 /* 49 * what events do we log 50 * can be overwritten at run-time by /smack/logging 51 */ 52 int log_policy = SMACK_AUDIT_DENIED; 53 54 /** 55 * smk_access_entry - look up matching access rule 56 * @subject_label: a pointer to the subject's Smack label 57 * @object_label: a pointer to the object's Smack label 58 * @rule_list: the list of rules to search 59 * 60 * This function looks up the subject/object pair in the 61 * access rule list and returns the access mode. If no 62 * entry is found returns -ENOENT. 63 * 64 * NOTE: 65 * 66 * Earlier versions of this function allowed for labels that 67 * were not on the label list. This was done to allow for 68 * labels to come over the network that had never been seen 69 * before on this host. Unless the receiving socket has the 70 * star label this will always result in a failure check. The 71 * star labeled socket case is now handled in the networking 72 * hooks so there is no case where the label is not on the 73 * label list. Checking to see if the address of two labels 74 * is the same is now a reliable test. 75 * 76 * Do the object check first because that is more 77 * likely to differ. 78 * 79 * Allowing write access implies allowing locking. 80 */ 81 int smk_access_entry(char *subject_label, char *object_label, 82 struct list_head *rule_list) 83 { 84 struct smack_rule *srp; 85 86 list_for_each_entry_rcu(srp, rule_list, list) { 87 if (srp->smk_object->smk_known == object_label && 88 srp->smk_subject->smk_known == subject_label) { 89 int may = srp->smk_access; 90 /* 91 * MAY_WRITE implies MAY_LOCK. 92 */ 93 if ((may & MAY_WRITE) == MAY_WRITE) 94 may |= MAY_LOCK; 95 return may; 96 } 97 } 98 99 return -ENOENT; 100 } 101 102 /** 103 * smk_access - determine if a subject has a specific access to an object 104 * @subject: a pointer to the subject's Smack label entry 105 * @object: a pointer to the object's Smack label entry 106 * @request: the access requested, in "MAY" format 107 * @a : a pointer to the audit data 108 * 109 * This function looks up the subject/object pair in the 110 * access rule list and returns 0 if the access is permitted, 111 * non zero otherwise. 112 * 113 * Smack labels are shared on smack_list 114 */ 115 int smk_access(struct smack_known *subject, struct smack_known *object, 116 int request, struct smk_audit_info *a) 117 { 118 int may = MAY_NOT; 119 int rc = 0; 120 121 /* 122 * Hardcoded comparisons. 123 */ 124 /* 125 * A star subject can't access any object. 126 */ 127 if (subject == &smack_known_star) { 128 rc = -EACCES; 129 goto out_audit; 130 } 131 /* 132 * An internet object can be accessed by any subject. 133 * Tasks cannot be assigned the internet label. 134 * An internet subject can access any object. 135 */ 136 if (object == &smack_known_web || subject == &smack_known_web) 137 goto out_audit; 138 /* 139 * A star object can be accessed by any subject. 140 */ 141 if (object == &smack_known_star) 142 goto out_audit; 143 /* 144 * An object can be accessed in any way by a subject 145 * with the same label. 146 */ 147 if (subject->smk_known == object->smk_known) 148 goto out_audit; 149 /* 150 * A hat subject can read or lock any object. 151 * A floor object can be read or locked by any subject. 152 */ 153 if ((request & MAY_ANYREAD) == request || 154 (request & MAY_LOCK) == request) { 155 if (object == &smack_known_floor) 156 goto out_audit; 157 if (subject == &smack_known_hat) 158 goto out_audit; 159 } 160 /* 161 * Beyond here an explicit relationship is required. 162 * If the requested access is contained in the available 163 * access (e.g. read is included in readwrite) it's 164 * good. A negative response from smk_access_entry() 165 * indicates there is no entry for this pair. 166 */ 167 rcu_read_lock(); 168 may = smk_access_entry(subject->smk_known, object->smk_known, 169 &subject->smk_rules); 170 rcu_read_unlock(); 171 172 if (may <= 0 || (request & may) != request) { 173 rc = -EACCES; 174 goto out_audit; 175 } 176 #ifdef CONFIG_SECURITY_SMACK_BRINGUP 177 /* 178 * Return a positive value if using bringup mode. 179 * This allows the hooks to identify checks that 180 * succeed because of "b" rules. 181 */ 182 if (may & MAY_BRINGUP) 183 rc = SMACK_BRINGUP_ALLOW; 184 #endif 185 186 out_audit: 187 188 #ifdef CONFIG_SECURITY_SMACK_BRINGUP 189 if (rc < 0) { 190 if (object == smack_unconfined) 191 rc = SMACK_UNCONFINED_OBJECT; 192 if (subject == smack_unconfined) 193 rc = SMACK_UNCONFINED_SUBJECT; 194 } 195 #endif 196 197 #ifdef CONFIG_AUDIT 198 if (a) 199 smack_log(subject->smk_known, object->smk_known, 200 request, rc, a); 201 #endif 202 203 return rc; 204 } 205 206 /** 207 * smk_tskacc - determine if a task has a specific access to an object 208 * @tsp: a pointer to the subject's task 209 * @obj_known: a pointer to the object's label entry 210 * @mode: the access requested, in "MAY" format 211 * @a : common audit data 212 * 213 * This function checks the subject task's label/object label pair 214 * in the access rule list and returns 0 if the access is permitted, 215 * non zero otherwise. It allows that the task may have the capability 216 * to override the rules. 217 */ 218 int smk_tskacc(struct task_smack *tsp, struct smack_known *obj_known, 219 u32 mode, struct smk_audit_info *a) 220 { 221 struct smack_known *sbj_known = smk_of_task(tsp); 222 int may; 223 int rc; 224 225 /* 226 * Check the global rule list 227 */ 228 rc = smk_access(sbj_known, obj_known, mode, NULL); 229 if (rc >= 0) { 230 /* 231 * If there is an entry in the task's rule list 232 * it can further restrict access. 233 */ 234 may = smk_access_entry(sbj_known->smk_known, 235 obj_known->smk_known, 236 &tsp->smk_rules); 237 if (may < 0) 238 goto out_audit; 239 if ((mode & may) == mode) 240 goto out_audit; 241 rc = -EACCES; 242 } 243 244 /* 245 * Allow for priviliged to override policy. 246 */ 247 if (rc != 0 && smack_privileged(CAP_MAC_OVERRIDE)) 248 rc = 0; 249 250 out_audit: 251 #ifdef CONFIG_AUDIT 252 if (a) 253 smack_log(sbj_known->smk_known, obj_known->smk_known, 254 mode, rc, a); 255 #endif 256 return rc; 257 } 258 259 /** 260 * smk_curacc - determine if current has a specific access to an object 261 * @obj_known: a pointer to the object's Smack label entry 262 * @mode: the access requested, in "MAY" format 263 * @a : common audit data 264 * 265 * This function checks the current subject label/object label pair 266 * in the access rule list and returns 0 if the access is permitted, 267 * non zero otherwise. It allows that current may have the capability 268 * to override the rules. 269 */ 270 int smk_curacc(struct smack_known *obj_known, 271 u32 mode, struct smk_audit_info *a) 272 { 273 struct task_smack *tsp = smack_cred(current_cred()); 274 275 return smk_tskacc(tsp, obj_known, mode, a); 276 } 277 278 /** 279 * smack_str_from_perm : helper to transalate an int to a 280 * readable string 281 * @string : the string to fill 282 * @access : the int 283 * 284 */ 285 int smack_str_from_perm(char *string, int access) 286 { 287 int i = 0; 288 289 if (access & MAY_READ) 290 string[i++] = 'r'; 291 if (access & MAY_WRITE) 292 string[i++] = 'w'; 293 if (access & MAY_EXEC) 294 string[i++] = 'x'; 295 if (access & MAY_APPEND) 296 string[i++] = 'a'; 297 if (access & MAY_TRANSMUTE) 298 string[i++] = 't'; 299 if (access & MAY_LOCK) 300 string[i++] = 'l'; 301 if (access & MAY_BRINGUP) 302 string[i++] = 'b'; 303 if (i == 0) 304 string[i++] = '-'; 305 string[i] = '\0'; 306 return i; 307 } 308 309 #ifdef CONFIG_AUDIT 310 /** 311 * smack_log_callback - SMACK specific information 312 * will be called by generic audit code 313 * @ab : the audit_buffer 314 * @a : audit_data 315 * 316 */ 317 static void smack_log_callback(struct audit_buffer *ab, void *a) 318 { 319 struct common_audit_data *ad = a; 320 struct smack_audit_data *sad = ad->smack_audit_data; 321 audit_log_format(ab, "lsm=SMACK fn=%s action=%s", 322 ad->smack_audit_data->function, 323 sad->result ? "denied" : "granted"); 324 audit_log_format(ab, " subject="); 325 audit_log_untrustedstring(ab, sad->subject); 326 audit_log_format(ab, " object="); 327 audit_log_untrustedstring(ab, sad->object); 328 if (sad->request[0] == '\0') 329 audit_log_format(ab, " labels_differ"); 330 else 331 audit_log_format(ab, " requested=%s", sad->request); 332 } 333 334 /** 335 * smack_log - Audit the granting or denial of permissions. 336 * @subject_label : smack label of the requester 337 * @object_label : smack label of the object being accessed 338 * @request: requested permissions 339 * @result: result from smk_access 340 * @ad: auxiliary audit data 341 * 342 * Audit the granting or denial of permissions in accordance 343 * with the policy. 344 */ 345 void smack_log(char *subject_label, char *object_label, int request, 346 int result, struct smk_audit_info *ad) 347 { 348 #ifdef CONFIG_SECURITY_SMACK_BRINGUP 349 char request_buffer[SMK_NUM_ACCESS_TYPE + 5]; 350 #else 351 char request_buffer[SMK_NUM_ACCESS_TYPE + 1]; 352 #endif 353 struct smack_audit_data *sad; 354 struct common_audit_data *a = &ad->a; 355 356 /* check if we have to log the current event */ 357 if (result < 0 && (log_policy & SMACK_AUDIT_DENIED) == 0) 358 return; 359 if (result == 0 && (log_policy & SMACK_AUDIT_ACCEPT) == 0) 360 return; 361 362 sad = a->smack_audit_data; 363 364 if (sad->function == NULL) 365 sad->function = "unknown"; 366 367 /* end preparing the audit data */ 368 smack_str_from_perm(request_buffer, request); 369 sad->subject = subject_label; 370 sad->object = object_label; 371 #ifdef CONFIG_SECURITY_SMACK_BRINGUP 372 /* 373 * The result may be positive in bringup mode. 374 * A positive result is an allow, but not for normal reasons. 375 * Mark it as successful, but don't filter it out even if 376 * the logging policy says to do so. 377 */ 378 if (result == SMACK_UNCONFINED_SUBJECT) 379 strcat(request_buffer, "(US)"); 380 else if (result == SMACK_UNCONFINED_OBJECT) 381 strcat(request_buffer, "(UO)"); 382 383 if (result > 0) 384 result = 0; 385 #endif 386 sad->request = request_buffer; 387 sad->result = result; 388 389 common_lsm_audit(a, smack_log_callback, NULL); 390 } 391 #else /* #ifdef CONFIG_AUDIT */ 392 void smack_log(char *subject_label, char *object_label, int request, 393 int result, struct smk_audit_info *ad) 394 { 395 } 396 #endif 397 398 DEFINE_MUTEX(smack_known_lock); 399 400 struct hlist_head smack_known_hash[SMACK_HASH_SLOTS]; 401 402 /** 403 * smk_insert_entry - insert a smack label into a hash map, 404 * @skp: smack label 405 * 406 * this function must be called under smack_known_lock 407 */ 408 void smk_insert_entry(struct smack_known *skp) 409 { 410 unsigned int hash; 411 struct hlist_head *head; 412 413 hash = full_name_hash(NULL, skp->smk_known, strlen(skp->smk_known)); 414 head = &smack_known_hash[hash & (SMACK_HASH_SLOTS - 1)]; 415 416 hlist_add_head_rcu(&skp->smk_hashed, head); 417 list_add_rcu(&skp->list, &smack_known_list); 418 } 419 420 /** 421 * smk_find_entry - find a label on the list, return the list entry 422 * @string: a text string that might be a Smack label 423 * 424 * Returns a pointer to the entry in the label list that 425 * matches the passed string or NULL if not found. 426 */ 427 struct smack_known *smk_find_entry(const char *string) 428 { 429 unsigned int hash; 430 struct hlist_head *head; 431 struct smack_known *skp; 432 433 hash = full_name_hash(NULL, string, strlen(string)); 434 head = &smack_known_hash[hash & (SMACK_HASH_SLOTS - 1)]; 435 436 hlist_for_each_entry_rcu(skp, head, smk_hashed) 437 if (strcmp(skp->smk_known, string) == 0) 438 return skp; 439 440 return NULL; 441 } 442 443 /** 444 * smk_parse_smack - parse smack label from a text string 445 * @string: a text string that might contain a Smack label 446 * @len: the maximum size, or zero if it is NULL terminated. 447 * 448 * Returns a pointer to the clean label or an error code. 449 */ 450 char *smk_parse_smack(const char *string, int len) 451 { 452 char *smack; 453 int i; 454 455 if (len <= 0) 456 len = strlen(string) + 1; 457 458 /* 459 * Reserve a leading '-' as an indicator that 460 * this isn't a label, but an option to interfaces 461 * including /smack/cipso and /smack/cipso2 462 */ 463 if (string[0] == '-') 464 return ERR_PTR(-EINVAL); 465 466 for (i = 0; i < len; i++) 467 if (string[i] > '~' || string[i] <= ' ' || string[i] == '/' || 468 string[i] == '"' || string[i] == '\\' || string[i] == '\'') 469 break; 470 471 if (i == 0 || i >= SMK_LONGLABEL) 472 return ERR_PTR(-EINVAL); 473 474 smack = kstrndup(string, i, GFP_NOFS); 475 if (!smack) 476 return ERR_PTR(-ENOMEM); 477 return smack; 478 } 479 480 /** 481 * smk_netlbl_mls - convert a catset to netlabel mls categories 482 * @level: MLS sensitivity level 483 * @catset: the Smack categories 484 * @sap: where to put the netlabel categories 485 * @len: number of bytes for the levels in a CIPSO IP option 486 * 487 * Allocates and fills attr.mls 488 * Returns 0 on success, error code on failure. 489 */ 490 int smk_netlbl_mls(int level, char *catset, struct netlbl_lsm_secattr *sap, 491 int len) 492 { 493 unsigned char *cp; 494 unsigned char m; 495 int cat; 496 int rc; 497 int byte; 498 499 sap->flags |= NETLBL_SECATTR_MLS_CAT; 500 sap->attr.mls.lvl = level; 501 sap->attr.mls.cat = NULL; 502 503 for (cat = 1, cp = catset, byte = 0; byte < len; cp++, byte++) 504 for (m = 0x80; m != 0; m >>= 1, cat++) { 505 if ((m & *cp) == 0) 506 continue; 507 rc = netlbl_catmap_setbit(&sap->attr.mls.cat, 508 cat, GFP_NOFS); 509 if (rc < 0) { 510 netlbl_catmap_free(sap->attr.mls.cat); 511 return rc; 512 } 513 } 514 515 return 0; 516 } 517 518 /** 519 * smack_populate_secattr - fill in the smack_known netlabel information 520 * @skp: pointer to the structure to fill 521 * 522 * Populate the netlabel secattr structure for a Smack label. 523 * 524 * Returns 0 unless creating the category mapping fails 525 */ 526 int smack_populate_secattr(struct smack_known *skp) 527 { 528 int slen; 529 530 skp->smk_netlabel.attr.secid = skp->smk_secid; 531 skp->smk_netlabel.domain = skp->smk_known; 532 skp->smk_netlabel.cache = netlbl_secattr_cache_alloc(GFP_ATOMIC); 533 if (skp->smk_netlabel.cache != NULL) { 534 skp->smk_netlabel.flags |= NETLBL_SECATTR_CACHE; 535 skp->smk_netlabel.cache->free = NULL; 536 skp->smk_netlabel.cache->data = skp; 537 } 538 skp->smk_netlabel.flags |= NETLBL_SECATTR_SECID | 539 NETLBL_SECATTR_MLS_LVL | 540 NETLBL_SECATTR_DOMAIN; 541 /* 542 * If direct labeling works use it. 543 * Otherwise use mapped labeling. 544 */ 545 slen = strlen(skp->smk_known); 546 if (slen < SMK_CIPSOLEN) 547 return smk_netlbl_mls(smack_cipso_direct, skp->smk_known, 548 &skp->smk_netlabel, slen); 549 550 return smk_netlbl_mls(smack_cipso_mapped, (char *)&skp->smk_secid, 551 &skp->smk_netlabel, sizeof(skp->smk_secid)); 552 } 553 554 /** 555 * smk_import_entry - import a label, return the list entry 556 * @string: a text string that might be a Smack label 557 * @len: the maximum size, or zero if it is NULL terminated. 558 * 559 * Returns a pointer to the entry in the label list that 560 * matches the passed string, adding it if necessary, 561 * or an error code. 562 */ 563 struct smack_known *smk_import_entry(const char *string, int len) 564 { 565 struct smack_known *skp; 566 char *smack; 567 int rc; 568 569 smack = smk_parse_smack(string, len); 570 if (IS_ERR(smack)) 571 return ERR_CAST(smack); 572 573 mutex_lock(&smack_known_lock); 574 575 skp = smk_find_entry(smack); 576 if (skp != NULL) 577 goto freeout; 578 579 skp = kzalloc(sizeof(*skp), GFP_NOFS); 580 if (skp == NULL) { 581 skp = ERR_PTR(-ENOMEM); 582 goto freeout; 583 } 584 585 skp->smk_known = smack; 586 skp->smk_secid = smack_next_secid++; 587 588 rc = smack_populate_secattr(skp); 589 if (rc >= 0) { 590 INIT_LIST_HEAD(&skp->smk_rules); 591 mutex_init(&skp->smk_rules_lock); 592 /* 593 * Make sure that the entry is actually 594 * filled before putting it on the list. 595 */ 596 smk_insert_entry(skp); 597 goto unlockout; 598 } 599 kfree(skp); 600 skp = ERR_PTR(rc); 601 freeout: 602 kfree(smack); 603 unlockout: 604 mutex_unlock(&smack_known_lock); 605 606 return skp; 607 } 608 609 /** 610 * smack_from_secid - find the Smack label associated with a secid 611 * @secid: an integer that might be associated with a Smack label 612 * 613 * Returns a pointer to the appropriate Smack label entry if there is one, 614 * otherwise a pointer to the invalid Smack label. 615 */ 616 struct smack_known *smack_from_secid(const u32 secid) 617 { 618 struct smack_known *skp; 619 620 rcu_read_lock(); 621 list_for_each_entry_rcu(skp, &smack_known_list, list) { 622 if (skp->smk_secid == secid) { 623 rcu_read_unlock(); 624 return skp; 625 } 626 } 627 628 /* 629 * If we got this far someone asked for the translation 630 * of a secid that is not on the list. 631 */ 632 rcu_read_unlock(); 633 return &smack_known_huh; 634 } 635 636 /* 637 * Unless a process is running with one of these labels 638 * even having CAP_MAC_OVERRIDE isn't enough to grant 639 * privilege to violate MAC policy. If no labels are 640 * designated (the empty list case) capabilities apply to 641 * everyone. 642 */ 643 LIST_HEAD(smack_onlycap_list); 644 DEFINE_MUTEX(smack_onlycap_lock); 645 646 /** 647 * smack_privileged_cred - are all privilege requirements met by cred 648 * @cap: The requested capability 649 * @cred: the credential to use 650 * 651 * Is the task privileged and allowed to be privileged 652 * by the onlycap rule. 653 * 654 * Returns true if the task is allowed to be privileged, false if it's not. 655 */ 656 bool smack_privileged_cred(int cap, const struct cred *cred) 657 { 658 struct task_smack *tsp = smack_cred(cred); 659 struct smack_known *skp = tsp->smk_task; 660 struct smack_known_list_elem *sklep; 661 int rc; 662 663 rc = cap_capable(cred, &init_user_ns, cap, CAP_OPT_NONE); 664 if (rc) 665 return false; 666 667 rcu_read_lock(); 668 if (list_empty(&smack_onlycap_list)) { 669 rcu_read_unlock(); 670 return true; 671 } 672 673 list_for_each_entry_rcu(sklep, &smack_onlycap_list, list) { 674 if (sklep->smk_label == skp) { 675 rcu_read_unlock(); 676 return true; 677 } 678 } 679 rcu_read_unlock(); 680 681 return false; 682 } 683 684 /** 685 * smack_privileged - are all privilege requirements met 686 * @cap: The requested capability 687 * 688 * Is the task privileged and allowed to be privileged 689 * by the onlycap rule. 690 * 691 * Returns true if the task is allowed to be privileged, false if it's not. 692 */ 693 bool smack_privileged(int cap) 694 { 695 /* 696 * All kernel tasks are privileged 697 */ 698 if (unlikely(current->flags & PF_KTHREAD)) 699 return true; 700 701 return smack_privileged_cred(cap, current_cred()); 702 } 703