1 /* 2 * Simplified MAC Kernel (smack) security module 3 * 4 * This file contains the smack hook function implementations. 5 * 6 * Author: 7 * Casey Schaufler <casey@schaufler-ca.com> 8 * 9 * Copyright (C) 2007 Casey Schaufler <casey@schaufler-ca.com> 10 * 11 * This program is free software; you can redistribute it and/or modify 12 * it under the terms of the GNU General Public License version 2, 13 * as published by the Free Software Foundation. 14 */ 15 16 #include <linux/xattr.h> 17 #include <linux/pagemap.h> 18 #include <linux/mount.h> 19 #include <linux/stat.h> 20 #include <linux/ext2_fs.h> 21 #include <linux/kd.h> 22 #include <asm/ioctls.h> 23 #include <linux/tcp.h> 24 #include <linux/udp.h> 25 #include <linux/mutex.h> 26 #include <linux/pipe_fs_i.h> 27 #include <net/netlabel.h> 28 #include <net/cipso_ipv4.h> 29 #include <linux/audit.h> 30 31 #include "smack.h" 32 33 #define task_security(task) (task_cred_xxx((task), security)) 34 35 /* 36 * I hope these are the hokeyist lines of code in the module. Casey. 37 */ 38 #define DEVPTS_SUPER_MAGIC 0x1cd1 39 #define SOCKFS_MAGIC 0x534F434B 40 #define TMPFS_MAGIC 0x01021994 41 42 /** 43 * smk_fetch - Fetch the smack label from a file. 44 * @ip: a pointer to the inode 45 * @dp: a pointer to the dentry 46 * 47 * Returns a pointer to the master list entry for the Smack label 48 * or NULL if there was no label to fetch. 49 */ 50 static char *smk_fetch(struct inode *ip, struct dentry *dp) 51 { 52 int rc; 53 char in[SMK_LABELLEN]; 54 55 if (ip->i_op->getxattr == NULL) 56 return NULL; 57 58 rc = ip->i_op->getxattr(dp, XATTR_NAME_SMACK, in, SMK_LABELLEN); 59 if (rc < 0) 60 return NULL; 61 62 return smk_import(in, rc); 63 } 64 65 /** 66 * new_inode_smack - allocate an inode security blob 67 * @smack: a pointer to the Smack label to use in the blob 68 * 69 * Returns the new blob or NULL if there's no memory available 70 */ 71 struct inode_smack *new_inode_smack(char *smack) 72 { 73 struct inode_smack *isp; 74 75 isp = kzalloc(sizeof(struct inode_smack), GFP_KERNEL); 76 if (isp == NULL) 77 return NULL; 78 79 isp->smk_inode = smack; 80 isp->smk_flags = 0; 81 mutex_init(&isp->smk_lock); 82 83 return isp; 84 } 85 86 /* 87 * LSM hooks. 88 * We he, that is fun! 89 */ 90 91 /** 92 * smack_ptrace_may_access - Smack approval on PTRACE_ATTACH 93 * @ctp: child task pointer 94 * @mode: ptrace attachment mode 95 * 96 * Returns 0 if access is OK, an error code otherwise 97 * 98 * Do the capability checks, and require read and write. 99 */ 100 static int smack_ptrace_may_access(struct task_struct *ctp, unsigned int mode) 101 { 102 int rc; 103 104 rc = cap_ptrace_may_access(ctp, mode); 105 if (rc != 0) 106 return rc; 107 108 rc = smk_access(current_security(), task_security(ctp), MAY_READWRITE); 109 if (rc != 0 && capable(CAP_MAC_OVERRIDE)) 110 return 0; 111 return rc; 112 } 113 114 /** 115 * smack_ptrace_traceme - Smack approval on PTRACE_TRACEME 116 * @ptp: parent task pointer 117 * 118 * Returns 0 if access is OK, an error code otherwise 119 * 120 * Do the capability checks, and require read and write. 121 */ 122 static int smack_ptrace_traceme(struct task_struct *ptp) 123 { 124 int rc; 125 126 rc = cap_ptrace_traceme(ptp); 127 if (rc != 0) 128 return rc; 129 130 rc = smk_access(task_security(ptp), current_security(), MAY_READWRITE); 131 if (rc != 0 && has_capability(ptp, CAP_MAC_OVERRIDE)) 132 return 0; 133 return rc; 134 } 135 136 /** 137 * smack_syslog - Smack approval on syslog 138 * @type: message type 139 * 140 * Require that the task has the floor label 141 * 142 * Returns 0 on success, error code otherwise. 143 */ 144 static int smack_syslog(int type) 145 { 146 int rc; 147 char *sp = current_security(); 148 149 rc = cap_syslog(type); 150 if (rc != 0) 151 return rc; 152 153 if (capable(CAP_MAC_OVERRIDE)) 154 return 0; 155 156 if (sp != smack_known_floor.smk_known) 157 rc = -EACCES; 158 159 return rc; 160 } 161 162 163 /* 164 * Superblock Hooks. 165 */ 166 167 /** 168 * smack_sb_alloc_security - allocate a superblock blob 169 * @sb: the superblock getting the blob 170 * 171 * Returns 0 on success or -ENOMEM on error. 172 */ 173 static int smack_sb_alloc_security(struct super_block *sb) 174 { 175 struct superblock_smack *sbsp; 176 177 sbsp = kzalloc(sizeof(struct superblock_smack), GFP_KERNEL); 178 179 if (sbsp == NULL) 180 return -ENOMEM; 181 182 sbsp->smk_root = smack_known_floor.smk_known; 183 sbsp->smk_default = smack_known_floor.smk_known; 184 sbsp->smk_floor = smack_known_floor.smk_known; 185 sbsp->smk_hat = smack_known_hat.smk_known; 186 sbsp->smk_initialized = 0; 187 spin_lock_init(&sbsp->smk_sblock); 188 189 sb->s_security = sbsp; 190 191 return 0; 192 } 193 194 /** 195 * smack_sb_free_security - free a superblock blob 196 * @sb: the superblock getting the blob 197 * 198 */ 199 static void smack_sb_free_security(struct super_block *sb) 200 { 201 kfree(sb->s_security); 202 sb->s_security = NULL; 203 } 204 205 /** 206 * smack_sb_copy_data - copy mount options data for processing 207 * @orig: where to start 208 * @smackopts: mount options string 209 * 210 * Returns 0 on success or -ENOMEM on error. 211 * 212 * Copy the Smack specific mount options out of the mount 213 * options list. 214 */ 215 static int smack_sb_copy_data(char *orig, char *smackopts) 216 { 217 char *cp, *commap, *otheropts, *dp; 218 219 otheropts = (char *)get_zeroed_page(GFP_KERNEL); 220 if (otheropts == NULL) 221 return -ENOMEM; 222 223 for (cp = orig, commap = orig; commap != NULL; cp = commap + 1) { 224 if (strstr(cp, SMK_FSDEFAULT) == cp) 225 dp = smackopts; 226 else if (strstr(cp, SMK_FSFLOOR) == cp) 227 dp = smackopts; 228 else if (strstr(cp, SMK_FSHAT) == cp) 229 dp = smackopts; 230 else if (strstr(cp, SMK_FSROOT) == cp) 231 dp = smackopts; 232 else 233 dp = otheropts; 234 235 commap = strchr(cp, ','); 236 if (commap != NULL) 237 *commap = '\0'; 238 239 if (*dp != '\0') 240 strcat(dp, ","); 241 strcat(dp, cp); 242 } 243 244 strcpy(orig, otheropts); 245 free_page((unsigned long)otheropts); 246 247 return 0; 248 } 249 250 /** 251 * smack_sb_kern_mount - Smack specific mount processing 252 * @sb: the file system superblock 253 * @flags: the mount flags 254 * @data: the smack mount options 255 * 256 * Returns 0 on success, an error code on failure 257 */ 258 static int smack_sb_kern_mount(struct super_block *sb, int flags, void *data) 259 { 260 struct dentry *root = sb->s_root; 261 struct inode *inode = root->d_inode; 262 struct superblock_smack *sp = sb->s_security; 263 struct inode_smack *isp; 264 char *op; 265 char *commap; 266 char *nsp; 267 268 spin_lock(&sp->smk_sblock); 269 if (sp->smk_initialized != 0) { 270 spin_unlock(&sp->smk_sblock); 271 return 0; 272 } 273 sp->smk_initialized = 1; 274 spin_unlock(&sp->smk_sblock); 275 276 for (op = data; op != NULL; op = commap) { 277 commap = strchr(op, ','); 278 if (commap != NULL) 279 *commap++ = '\0'; 280 281 if (strncmp(op, SMK_FSHAT, strlen(SMK_FSHAT)) == 0) { 282 op += strlen(SMK_FSHAT); 283 nsp = smk_import(op, 0); 284 if (nsp != NULL) 285 sp->smk_hat = nsp; 286 } else if (strncmp(op, SMK_FSFLOOR, strlen(SMK_FSFLOOR)) == 0) { 287 op += strlen(SMK_FSFLOOR); 288 nsp = smk_import(op, 0); 289 if (nsp != NULL) 290 sp->smk_floor = nsp; 291 } else if (strncmp(op, SMK_FSDEFAULT, 292 strlen(SMK_FSDEFAULT)) == 0) { 293 op += strlen(SMK_FSDEFAULT); 294 nsp = smk_import(op, 0); 295 if (nsp != NULL) 296 sp->smk_default = nsp; 297 } else if (strncmp(op, SMK_FSROOT, strlen(SMK_FSROOT)) == 0) { 298 op += strlen(SMK_FSROOT); 299 nsp = smk_import(op, 0); 300 if (nsp != NULL) 301 sp->smk_root = nsp; 302 } 303 } 304 305 /* 306 * Initialize the root inode. 307 */ 308 isp = inode->i_security; 309 if (isp == NULL) 310 inode->i_security = new_inode_smack(sp->smk_root); 311 else 312 isp->smk_inode = sp->smk_root; 313 314 return 0; 315 } 316 317 /** 318 * smack_sb_statfs - Smack check on statfs 319 * @dentry: identifies the file system in question 320 * 321 * Returns 0 if current can read the floor of the filesystem, 322 * and error code otherwise 323 */ 324 static int smack_sb_statfs(struct dentry *dentry) 325 { 326 struct superblock_smack *sbp = dentry->d_sb->s_security; 327 328 return smk_curacc(sbp->smk_floor, MAY_READ); 329 } 330 331 /** 332 * smack_sb_mount - Smack check for mounting 333 * @dev_name: unused 334 * @path: mount point 335 * @type: unused 336 * @flags: unused 337 * @data: unused 338 * 339 * Returns 0 if current can write the floor of the filesystem 340 * being mounted on, an error code otherwise. 341 */ 342 static int smack_sb_mount(char *dev_name, struct path *path, 343 char *type, unsigned long flags, void *data) 344 { 345 struct superblock_smack *sbp = path->mnt->mnt_sb->s_security; 346 347 return smk_curacc(sbp->smk_floor, MAY_WRITE); 348 } 349 350 /** 351 * smack_sb_umount - Smack check for unmounting 352 * @mnt: file system to unmount 353 * @flags: unused 354 * 355 * Returns 0 if current can write the floor of the filesystem 356 * being unmounted, an error code otherwise. 357 */ 358 static int smack_sb_umount(struct vfsmount *mnt, int flags) 359 { 360 struct superblock_smack *sbp; 361 362 sbp = mnt->mnt_sb->s_security; 363 364 return smk_curacc(sbp->smk_floor, MAY_WRITE); 365 } 366 367 /* 368 * Inode hooks 369 */ 370 371 /** 372 * smack_inode_alloc_security - allocate an inode blob 373 * @inode: the inode in need of a blob 374 * 375 * Returns 0 if it gets a blob, -ENOMEM otherwise 376 */ 377 static int smack_inode_alloc_security(struct inode *inode) 378 { 379 inode->i_security = new_inode_smack(current_security()); 380 if (inode->i_security == NULL) 381 return -ENOMEM; 382 return 0; 383 } 384 385 /** 386 * smack_inode_free_security - free an inode blob 387 * @inode: the inode with a blob 388 * 389 * Clears the blob pointer in inode 390 */ 391 static void smack_inode_free_security(struct inode *inode) 392 { 393 kfree(inode->i_security); 394 inode->i_security = NULL; 395 } 396 397 /** 398 * smack_inode_init_security - copy out the smack from an inode 399 * @inode: the inode 400 * @dir: unused 401 * @name: where to put the attribute name 402 * @value: where to put the attribute value 403 * @len: where to put the length of the attribute 404 * 405 * Returns 0 if it all works out, -ENOMEM if there's no memory 406 */ 407 static int smack_inode_init_security(struct inode *inode, struct inode *dir, 408 char **name, void **value, size_t *len) 409 { 410 char *isp = smk_of_inode(inode); 411 412 if (name) { 413 *name = kstrdup(XATTR_SMACK_SUFFIX, GFP_KERNEL); 414 if (*name == NULL) 415 return -ENOMEM; 416 } 417 418 if (value) { 419 *value = kstrdup(isp, GFP_KERNEL); 420 if (*value == NULL) 421 return -ENOMEM; 422 } 423 424 if (len) 425 *len = strlen(isp) + 1; 426 427 return 0; 428 } 429 430 /** 431 * smack_inode_link - Smack check on link 432 * @old_dentry: the existing object 433 * @dir: unused 434 * @new_dentry: the new object 435 * 436 * Returns 0 if access is permitted, an error code otherwise 437 */ 438 static int smack_inode_link(struct dentry *old_dentry, struct inode *dir, 439 struct dentry *new_dentry) 440 { 441 int rc; 442 char *isp; 443 444 isp = smk_of_inode(old_dentry->d_inode); 445 rc = smk_curacc(isp, MAY_WRITE); 446 447 if (rc == 0 && new_dentry->d_inode != NULL) { 448 isp = smk_of_inode(new_dentry->d_inode); 449 rc = smk_curacc(isp, MAY_WRITE); 450 } 451 452 return rc; 453 } 454 455 /** 456 * smack_inode_unlink - Smack check on inode deletion 457 * @dir: containing directory object 458 * @dentry: file to unlink 459 * 460 * Returns 0 if current can write the containing directory 461 * and the object, error code otherwise 462 */ 463 static int smack_inode_unlink(struct inode *dir, struct dentry *dentry) 464 { 465 struct inode *ip = dentry->d_inode; 466 int rc; 467 468 /* 469 * You need write access to the thing you're unlinking 470 */ 471 rc = smk_curacc(smk_of_inode(ip), MAY_WRITE); 472 if (rc == 0) 473 /* 474 * You also need write access to the containing directory 475 */ 476 rc = smk_curacc(smk_of_inode(dir), MAY_WRITE); 477 478 return rc; 479 } 480 481 /** 482 * smack_inode_rmdir - Smack check on directory deletion 483 * @dir: containing directory object 484 * @dentry: directory to unlink 485 * 486 * Returns 0 if current can write the containing directory 487 * and the directory, error code otherwise 488 */ 489 static int smack_inode_rmdir(struct inode *dir, struct dentry *dentry) 490 { 491 int rc; 492 493 /* 494 * You need write access to the thing you're removing 495 */ 496 rc = smk_curacc(smk_of_inode(dentry->d_inode), MAY_WRITE); 497 if (rc == 0) 498 /* 499 * You also need write access to the containing directory 500 */ 501 rc = smk_curacc(smk_of_inode(dir), MAY_WRITE); 502 503 return rc; 504 } 505 506 /** 507 * smack_inode_rename - Smack check on rename 508 * @old_inode: the old directory 509 * @old_dentry: unused 510 * @new_inode: the new directory 511 * @new_dentry: unused 512 * 513 * Read and write access is required on both the old and 514 * new directories. 515 * 516 * Returns 0 if access is permitted, an error code otherwise 517 */ 518 static int smack_inode_rename(struct inode *old_inode, 519 struct dentry *old_dentry, 520 struct inode *new_inode, 521 struct dentry *new_dentry) 522 { 523 int rc; 524 char *isp; 525 526 isp = smk_of_inode(old_dentry->d_inode); 527 rc = smk_curacc(isp, MAY_READWRITE); 528 529 if (rc == 0 && new_dentry->d_inode != NULL) { 530 isp = smk_of_inode(new_dentry->d_inode); 531 rc = smk_curacc(isp, MAY_READWRITE); 532 } 533 534 return rc; 535 } 536 537 /** 538 * smack_inode_permission - Smack version of permission() 539 * @inode: the inode in question 540 * @mask: the access requested 541 * 542 * This is the important Smack hook. 543 * 544 * Returns 0 if access is permitted, -EACCES otherwise 545 */ 546 static int smack_inode_permission(struct inode *inode, int mask) 547 { 548 /* 549 * No permission to check. Existence test. Yup, it's there. 550 */ 551 if (mask == 0) 552 return 0; 553 554 return smk_curacc(smk_of_inode(inode), mask); 555 } 556 557 /** 558 * smack_inode_setattr - Smack check for setting attributes 559 * @dentry: the object 560 * @iattr: for the force flag 561 * 562 * Returns 0 if access is permitted, an error code otherwise 563 */ 564 static int smack_inode_setattr(struct dentry *dentry, struct iattr *iattr) 565 { 566 /* 567 * Need to allow for clearing the setuid bit. 568 */ 569 if (iattr->ia_valid & ATTR_FORCE) 570 return 0; 571 572 return smk_curacc(smk_of_inode(dentry->d_inode), MAY_WRITE); 573 } 574 575 /** 576 * smack_inode_getattr - Smack check for getting attributes 577 * @mnt: unused 578 * @dentry: the object 579 * 580 * Returns 0 if access is permitted, an error code otherwise 581 */ 582 static int smack_inode_getattr(struct vfsmount *mnt, struct dentry *dentry) 583 { 584 return smk_curacc(smk_of_inode(dentry->d_inode), MAY_READ); 585 } 586 587 /** 588 * smack_inode_setxattr - Smack check for setting xattrs 589 * @dentry: the object 590 * @name: name of the attribute 591 * @value: unused 592 * @size: unused 593 * @flags: unused 594 * 595 * This protects the Smack attribute explicitly. 596 * 597 * Returns 0 if access is permitted, an error code otherwise 598 */ 599 static int smack_inode_setxattr(struct dentry *dentry, const char *name, 600 const void *value, size_t size, int flags) 601 { 602 int rc = 0; 603 604 if (strcmp(name, XATTR_NAME_SMACK) == 0 || 605 strcmp(name, XATTR_NAME_SMACKIPIN) == 0 || 606 strcmp(name, XATTR_NAME_SMACKIPOUT) == 0) { 607 if (!capable(CAP_MAC_ADMIN)) 608 rc = -EPERM; 609 } else 610 rc = cap_inode_setxattr(dentry, name, value, size, flags); 611 612 if (rc == 0) 613 rc = smk_curacc(smk_of_inode(dentry->d_inode), MAY_WRITE); 614 615 return rc; 616 } 617 618 /** 619 * smack_inode_post_setxattr - Apply the Smack update approved above 620 * @dentry: object 621 * @name: attribute name 622 * @value: attribute value 623 * @size: attribute size 624 * @flags: unused 625 * 626 * Set the pointer in the inode blob to the entry found 627 * in the master label list. 628 */ 629 static void smack_inode_post_setxattr(struct dentry *dentry, const char *name, 630 const void *value, size_t size, int flags) 631 { 632 struct inode_smack *isp; 633 char *nsp; 634 635 /* 636 * Not SMACK 637 */ 638 if (strcmp(name, XATTR_NAME_SMACK)) 639 return; 640 641 if (size >= SMK_LABELLEN) 642 return; 643 644 isp = dentry->d_inode->i_security; 645 646 /* 647 * No locking is done here. This is a pointer 648 * assignment. 649 */ 650 nsp = smk_import(value, size); 651 if (nsp != NULL) 652 isp->smk_inode = nsp; 653 else 654 isp->smk_inode = smack_known_invalid.smk_known; 655 656 return; 657 } 658 659 /* 660 * smack_inode_getxattr - Smack check on getxattr 661 * @dentry: the object 662 * @name: unused 663 * 664 * Returns 0 if access is permitted, an error code otherwise 665 */ 666 static int smack_inode_getxattr(struct dentry *dentry, const char *name) 667 { 668 return smk_curacc(smk_of_inode(dentry->d_inode), MAY_READ); 669 } 670 671 /* 672 * smack_inode_removexattr - Smack check on removexattr 673 * @dentry: the object 674 * @name: name of the attribute 675 * 676 * Removing the Smack attribute requires CAP_MAC_ADMIN 677 * 678 * Returns 0 if access is permitted, an error code otherwise 679 */ 680 static int smack_inode_removexattr(struct dentry *dentry, const char *name) 681 { 682 int rc = 0; 683 684 if (strcmp(name, XATTR_NAME_SMACK) == 0 || 685 strcmp(name, XATTR_NAME_SMACKIPIN) == 0 || 686 strcmp(name, XATTR_NAME_SMACKIPOUT) == 0) { 687 if (!capable(CAP_MAC_ADMIN)) 688 rc = -EPERM; 689 } else 690 rc = cap_inode_removexattr(dentry, name); 691 692 if (rc == 0) 693 rc = smk_curacc(smk_of_inode(dentry->d_inode), MAY_WRITE); 694 695 return rc; 696 } 697 698 /** 699 * smack_inode_getsecurity - get smack xattrs 700 * @inode: the object 701 * @name: attribute name 702 * @buffer: where to put the result 703 * @alloc: unused 704 * 705 * Returns the size of the attribute or an error code 706 */ 707 static int smack_inode_getsecurity(const struct inode *inode, 708 const char *name, void **buffer, 709 bool alloc) 710 { 711 struct socket_smack *ssp; 712 struct socket *sock; 713 struct super_block *sbp; 714 struct inode *ip = (struct inode *)inode; 715 char *isp; 716 int ilen; 717 int rc = 0; 718 719 if (strcmp(name, XATTR_SMACK_SUFFIX) == 0) { 720 isp = smk_of_inode(inode); 721 ilen = strlen(isp) + 1; 722 *buffer = isp; 723 return ilen; 724 } 725 726 /* 727 * The rest of the Smack xattrs are only on sockets. 728 */ 729 sbp = ip->i_sb; 730 if (sbp->s_magic != SOCKFS_MAGIC) 731 return -EOPNOTSUPP; 732 733 sock = SOCKET_I(ip); 734 if (sock == NULL || sock->sk == NULL) 735 return -EOPNOTSUPP; 736 737 ssp = sock->sk->sk_security; 738 739 if (strcmp(name, XATTR_SMACK_IPIN) == 0) 740 isp = ssp->smk_in; 741 else if (strcmp(name, XATTR_SMACK_IPOUT) == 0) 742 isp = ssp->smk_out; 743 else 744 return -EOPNOTSUPP; 745 746 ilen = strlen(isp) + 1; 747 if (rc == 0) { 748 *buffer = isp; 749 rc = ilen; 750 } 751 752 return rc; 753 } 754 755 756 /** 757 * smack_inode_listsecurity - list the Smack attributes 758 * @inode: the object 759 * @buffer: where they go 760 * @buffer_size: size of buffer 761 * 762 * Returns 0 on success, -EINVAL otherwise 763 */ 764 static int smack_inode_listsecurity(struct inode *inode, char *buffer, 765 size_t buffer_size) 766 { 767 int len = strlen(XATTR_NAME_SMACK); 768 769 if (buffer != NULL && len <= buffer_size) { 770 memcpy(buffer, XATTR_NAME_SMACK, len); 771 return len; 772 } 773 return -EINVAL; 774 } 775 776 /** 777 * smack_inode_getsecid - Extract inode's security id 778 * @inode: inode to extract the info from 779 * @secid: where result will be saved 780 */ 781 static void smack_inode_getsecid(const struct inode *inode, u32 *secid) 782 { 783 struct inode_smack *isp = inode->i_security; 784 785 *secid = smack_to_secid(isp->smk_inode); 786 } 787 788 /* 789 * File Hooks 790 */ 791 792 /** 793 * smack_file_permission - Smack check on file operations 794 * @file: unused 795 * @mask: unused 796 * 797 * Returns 0 798 * 799 * Should access checks be done on each read or write? 800 * UNICOS and SELinux say yes. 801 * Trusted Solaris, Trusted Irix, and just about everyone else says no. 802 * 803 * I'll say no for now. Smack does not do the frequent 804 * label changing that SELinux does. 805 */ 806 static int smack_file_permission(struct file *file, int mask) 807 { 808 return 0; 809 } 810 811 /** 812 * smack_file_alloc_security - assign a file security blob 813 * @file: the object 814 * 815 * The security blob for a file is a pointer to the master 816 * label list, so no allocation is done. 817 * 818 * Returns 0 819 */ 820 static int smack_file_alloc_security(struct file *file) 821 { 822 file->f_security = current_security(); 823 return 0; 824 } 825 826 /** 827 * smack_file_free_security - clear a file security blob 828 * @file: the object 829 * 830 * The security blob for a file is a pointer to the master 831 * label list, so no memory is freed. 832 */ 833 static void smack_file_free_security(struct file *file) 834 { 835 file->f_security = NULL; 836 } 837 838 /** 839 * smack_file_ioctl - Smack check on ioctls 840 * @file: the object 841 * @cmd: what to do 842 * @arg: unused 843 * 844 * Relies heavily on the correct use of the ioctl command conventions. 845 * 846 * Returns 0 if allowed, error code otherwise 847 */ 848 static int smack_file_ioctl(struct file *file, unsigned int cmd, 849 unsigned long arg) 850 { 851 int rc = 0; 852 853 if (_IOC_DIR(cmd) & _IOC_WRITE) 854 rc = smk_curacc(file->f_security, MAY_WRITE); 855 856 if (rc == 0 && (_IOC_DIR(cmd) & _IOC_READ)) 857 rc = smk_curacc(file->f_security, MAY_READ); 858 859 return rc; 860 } 861 862 /** 863 * smack_file_lock - Smack check on file locking 864 * @file: the object 865 * @cmd: unused 866 * 867 * Returns 0 if current has write access, error code otherwise 868 */ 869 static int smack_file_lock(struct file *file, unsigned int cmd) 870 { 871 return smk_curacc(file->f_security, MAY_WRITE); 872 } 873 874 /** 875 * smack_file_fcntl - Smack check on fcntl 876 * @file: the object 877 * @cmd: what action to check 878 * @arg: unused 879 * 880 * Returns 0 if current has access, error code otherwise 881 */ 882 static int smack_file_fcntl(struct file *file, unsigned int cmd, 883 unsigned long arg) 884 { 885 int rc; 886 887 switch (cmd) { 888 case F_DUPFD: 889 case F_GETFD: 890 case F_GETFL: 891 case F_GETLK: 892 case F_GETOWN: 893 case F_GETSIG: 894 rc = smk_curacc(file->f_security, MAY_READ); 895 break; 896 case F_SETFD: 897 case F_SETFL: 898 case F_SETLK: 899 case F_SETLKW: 900 case F_SETOWN: 901 case F_SETSIG: 902 rc = smk_curacc(file->f_security, MAY_WRITE); 903 break; 904 default: 905 rc = smk_curacc(file->f_security, MAY_READWRITE); 906 } 907 908 return rc; 909 } 910 911 /** 912 * smack_file_set_fowner - set the file security blob value 913 * @file: object in question 914 * 915 * Returns 0 916 * Further research may be required on this one. 917 */ 918 static int smack_file_set_fowner(struct file *file) 919 { 920 file->f_security = current_security(); 921 return 0; 922 } 923 924 /** 925 * smack_file_send_sigiotask - Smack on sigio 926 * @tsk: The target task 927 * @fown: the object the signal come from 928 * @signum: unused 929 * 930 * Allow a privileged task to get signals even if it shouldn't 931 * 932 * Returns 0 if a subject with the object's smack could 933 * write to the task, an error code otherwise. 934 */ 935 static int smack_file_send_sigiotask(struct task_struct *tsk, 936 struct fown_struct *fown, int signum) 937 { 938 struct file *file; 939 int rc; 940 941 /* 942 * struct fown_struct is never outside the context of a struct file 943 */ 944 file = container_of(fown, struct file, f_owner); 945 rc = smk_access(file->f_security, tsk->cred->security, MAY_WRITE); 946 if (rc != 0 && has_capability(tsk, CAP_MAC_OVERRIDE)) 947 return 0; 948 return rc; 949 } 950 951 /** 952 * smack_file_receive - Smack file receive check 953 * @file: the object 954 * 955 * Returns 0 if current has access, error code otherwise 956 */ 957 static int smack_file_receive(struct file *file) 958 { 959 int may = 0; 960 961 /* 962 * This code relies on bitmasks. 963 */ 964 if (file->f_mode & FMODE_READ) 965 may = MAY_READ; 966 if (file->f_mode & FMODE_WRITE) 967 may |= MAY_WRITE; 968 969 return smk_curacc(file->f_security, may); 970 } 971 972 /* 973 * Task hooks 974 */ 975 976 /** 977 * smack_cred_free - "free" task-level security credentials 978 * @cred: the credentials in question 979 * 980 * Smack isn't using copies of blobs. Everyone 981 * points to an immutable list. The blobs never go away. 982 * There is no leak here. 983 */ 984 static void smack_cred_free(struct cred *cred) 985 { 986 cred->security = NULL; 987 } 988 989 /** 990 * smack_cred_prepare - prepare new set of credentials for modification 991 * @new: the new credentials 992 * @old: the original credentials 993 * @gfp: the atomicity of any memory allocations 994 * 995 * Prepare a new set of credentials for modification. 996 */ 997 static int smack_cred_prepare(struct cred *new, const struct cred *old, 998 gfp_t gfp) 999 { 1000 new->security = old->security; 1001 return 0; 1002 } 1003 1004 /** 1005 * smack_cred_commit - commit new credentials 1006 * @new: the new credentials 1007 * @old: the original credentials 1008 */ 1009 static void smack_cred_commit(struct cred *new, const struct cred *old) 1010 { 1011 } 1012 1013 /** 1014 * smack_kernel_act_as - Set the subjective context in a set of credentials 1015 * @new: points to the set of credentials to be modified. 1016 * @secid: specifies the security ID to be set 1017 * 1018 * Set the security data for a kernel service. 1019 */ 1020 static int smack_kernel_act_as(struct cred *new, u32 secid) 1021 { 1022 char *smack = smack_from_secid(secid); 1023 1024 if (smack == NULL) 1025 return -EINVAL; 1026 1027 new->security = smack; 1028 return 0; 1029 } 1030 1031 /** 1032 * smack_kernel_create_files_as - Set the file creation label in a set of creds 1033 * @new: points to the set of credentials to be modified 1034 * @inode: points to the inode to use as a reference 1035 * 1036 * Set the file creation context in a set of credentials to the same 1037 * as the objective context of the specified inode 1038 */ 1039 static int smack_kernel_create_files_as(struct cred *new, 1040 struct inode *inode) 1041 { 1042 struct inode_smack *isp = inode->i_security; 1043 1044 new->security = isp->smk_inode; 1045 return 0; 1046 } 1047 1048 /** 1049 * smack_task_setpgid - Smack check on setting pgid 1050 * @p: the task object 1051 * @pgid: unused 1052 * 1053 * Return 0 if write access is permitted 1054 */ 1055 static int smack_task_setpgid(struct task_struct *p, pid_t pgid) 1056 { 1057 return smk_curacc(task_security(p), MAY_WRITE); 1058 } 1059 1060 /** 1061 * smack_task_getpgid - Smack access check for getpgid 1062 * @p: the object task 1063 * 1064 * Returns 0 if current can read the object task, error code otherwise 1065 */ 1066 static int smack_task_getpgid(struct task_struct *p) 1067 { 1068 return smk_curacc(task_security(p), MAY_READ); 1069 } 1070 1071 /** 1072 * smack_task_getsid - Smack access check for getsid 1073 * @p: the object task 1074 * 1075 * Returns 0 if current can read the object task, error code otherwise 1076 */ 1077 static int smack_task_getsid(struct task_struct *p) 1078 { 1079 return smk_curacc(task_security(p), MAY_READ); 1080 } 1081 1082 /** 1083 * smack_task_getsecid - get the secid of the task 1084 * @p: the object task 1085 * @secid: where to put the result 1086 * 1087 * Sets the secid to contain a u32 version of the smack label. 1088 */ 1089 static void smack_task_getsecid(struct task_struct *p, u32 *secid) 1090 { 1091 *secid = smack_to_secid(task_security(p)); 1092 } 1093 1094 /** 1095 * smack_task_setnice - Smack check on setting nice 1096 * @p: the task object 1097 * @nice: unused 1098 * 1099 * Return 0 if write access is permitted 1100 */ 1101 static int smack_task_setnice(struct task_struct *p, int nice) 1102 { 1103 int rc; 1104 1105 rc = cap_task_setnice(p, nice); 1106 if (rc == 0) 1107 rc = smk_curacc(task_security(p), MAY_WRITE); 1108 return rc; 1109 } 1110 1111 /** 1112 * smack_task_setioprio - Smack check on setting ioprio 1113 * @p: the task object 1114 * @ioprio: unused 1115 * 1116 * Return 0 if write access is permitted 1117 */ 1118 static int smack_task_setioprio(struct task_struct *p, int ioprio) 1119 { 1120 int rc; 1121 1122 rc = cap_task_setioprio(p, ioprio); 1123 if (rc == 0) 1124 rc = smk_curacc(task_security(p), MAY_WRITE); 1125 return rc; 1126 } 1127 1128 /** 1129 * smack_task_getioprio - Smack check on reading ioprio 1130 * @p: the task object 1131 * 1132 * Return 0 if read access is permitted 1133 */ 1134 static int smack_task_getioprio(struct task_struct *p) 1135 { 1136 return smk_curacc(task_security(p), MAY_READ); 1137 } 1138 1139 /** 1140 * smack_task_setscheduler - Smack check on setting scheduler 1141 * @p: the task object 1142 * @policy: unused 1143 * @lp: unused 1144 * 1145 * Return 0 if read access is permitted 1146 */ 1147 static int smack_task_setscheduler(struct task_struct *p, int policy, 1148 struct sched_param *lp) 1149 { 1150 int rc; 1151 1152 rc = cap_task_setscheduler(p, policy, lp); 1153 if (rc == 0) 1154 rc = smk_curacc(task_security(p), MAY_WRITE); 1155 return rc; 1156 } 1157 1158 /** 1159 * smack_task_getscheduler - Smack check on reading scheduler 1160 * @p: the task object 1161 * 1162 * Return 0 if read access is permitted 1163 */ 1164 static int smack_task_getscheduler(struct task_struct *p) 1165 { 1166 return smk_curacc(task_security(p), MAY_READ); 1167 } 1168 1169 /** 1170 * smack_task_movememory - Smack check on moving memory 1171 * @p: the task object 1172 * 1173 * Return 0 if write access is permitted 1174 */ 1175 static int smack_task_movememory(struct task_struct *p) 1176 { 1177 return smk_curacc(task_security(p), MAY_WRITE); 1178 } 1179 1180 /** 1181 * smack_task_kill - Smack check on signal delivery 1182 * @p: the task object 1183 * @info: unused 1184 * @sig: unused 1185 * @secid: identifies the smack to use in lieu of current's 1186 * 1187 * Return 0 if write access is permitted 1188 * 1189 * The secid behavior is an artifact of an SELinux hack 1190 * in the USB code. Someday it may go away. 1191 */ 1192 static int smack_task_kill(struct task_struct *p, struct siginfo *info, 1193 int sig, u32 secid) 1194 { 1195 /* 1196 * Sending a signal requires that the sender 1197 * can write the receiver. 1198 */ 1199 if (secid == 0) 1200 return smk_curacc(task_security(p), MAY_WRITE); 1201 /* 1202 * If the secid isn't 0 we're dealing with some USB IO 1203 * specific behavior. This is not clean. For one thing 1204 * we can't take privilege into account. 1205 */ 1206 return smk_access(smack_from_secid(secid), task_security(p), MAY_WRITE); 1207 } 1208 1209 /** 1210 * smack_task_wait - Smack access check for waiting 1211 * @p: task to wait for 1212 * 1213 * Returns 0 if current can wait for p, error code otherwise 1214 */ 1215 static int smack_task_wait(struct task_struct *p) 1216 { 1217 int rc; 1218 1219 rc = smk_access(current_security(), task_security(p), MAY_WRITE); 1220 if (rc == 0) 1221 return 0; 1222 1223 /* 1224 * Allow the operation to succeed if either task 1225 * has privilege to perform operations that might 1226 * account for the smack labels having gotten to 1227 * be different in the first place. 1228 * 1229 * This breaks the strict subject/object access 1230 * control ideal, taking the object's privilege 1231 * state into account in the decision as well as 1232 * the smack value. 1233 */ 1234 if (capable(CAP_MAC_OVERRIDE) || has_capability(p, CAP_MAC_OVERRIDE)) 1235 return 0; 1236 1237 return rc; 1238 } 1239 1240 /** 1241 * smack_task_to_inode - copy task smack into the inode blob 1242 * @p: task to copy from 1243 * @inode: inode to copy to 1244 * 1245 * Sets the smack pointer in the inode security blob 1246 */ 1247 static void smack_task_to_inode(struct task_struct *p, struct inode *inode) 1248 { 1249 struct inode_smack *isp = inode->i_security; 1250 isp->smk_inode = task_security(p); 1251 } 1252 1253 /* 1254 * Socket hooks. 1255 */ 1256 1257 /** 1258 * smack_sk_alloc_security - Allocate a socket blob 1259 * @sk: the socket 1260 * @family: unused 1261 * @gfp_flags: memory allocation flags 1262 * 1263 * Assign Smack pointers to current 1264 * 1265 * Returns 0 on success, -ENOMEM is there's no memory 1266 */ 1267 static int smack_sk_alloc_security(struct sock *sk, int family, gfp_t gfp_flags) 1268 { 1269 char *csp = current_security(); 1270 struct socket_smack *ssp; 1271 1272 ssp = kzalloc(sizeof(struct socket_smack), gfp_flags); 1273 if (ssp == NULL) 1274 return -ENOMEM; 1275 1276 ssp->smk_in = csp; 1277 ssp->smk_out = csp; 1278 ssp->smk_labeled = SMACK_CIPSO_SOCKET; 1279 ssp->smk_packet[0] = '\0'; 1280 1281 sk->sk_security = ssp; 1282 1283 return 0; 1284 } 1285 1286 /** 1287 * smack_sk_free_security - Free a socket blob 1288 * @sk: the socket 1289 * 1290 * Clears the blob pointer 1291 */ 1292 static void smack_sk_free_security(struct sock *sk) 1293 { 1294 kfree(sk->sk_security); 1295 } 1296 1297 /** 1298 * smack_set_catset - convert a capset to netlabel mls categories 1299 * @catset: the Smack categories 1300 * @sap: where to put the netlabel categories 1301 * 1302 * Allocates and fills attr.mls.cat 1303 */ 1304 static void smack_set_catset(char *catset, struct netlbl_lsm_secattr *sap) 1305 { 1306 unsigned char *cp; 1307 unsigned char m; 1308 int cat; 1309 int rc; 1310 int byte; 1311 1312 if (!catset) 1313 return; 1314 1315 sap->flags |= NETLBL_SECATTR_MLS_CAT; 1316 sap->attr.mls.cat = netlbl_secattr_catmap_alloc(GFP_ATOMIC); 1317 sap->attr.mls.cat->startbit = 0; 1318 1319 for (cat = 1, cp = catset, byte = 0; byte < SMK_LABELLEN; cp++, byte++) 1320 for (m = 0x80; m != 0; m >>= 1, cat++) { 1321 if ((m & *cp) == 0) 1322 continue; 1323 rc = netlbl_secattr_catmap_setbit(sap->attr.mls.cat, 1324 cat, GFP_ATOMIC); 1325 } 1326 } 1327 1328 /** 1329 * smack_to_secattr - fill a secattr from a smack value 1330 * @smack: the smack value 1331 * @nlsp: where the result goes 1332 * 1333 * Casey says that CIPSO is good enough for now. 1334 * It can be used to effect. 1335 * It can also be abused to effect when necessary. 1336 * Appologies to the TSIG group in general and GW in particular. 1337 */ 1338 static void smack_to_secattr(char *smack, struct netlbl_lsm_secattr *nlsp) 1339 { 1340 struct smack_cipso cipso; 1341 int rc; 1342 1343 nlsp->domain = smack; 1344 nlsp->flags = NETLBL_SECATTR_DOMAIN | NETLBL_SECATTR_MLS_LVL; 1345 1346 rc = smack_to_cipso(smack, &cipso); 1347 if (rc == 0) { 1348 nlsp->attr.mls.lvl = cipso.smk_level; 1349 smack_set_catset(cipso.smk_catset, nlsp); 1350 } else { 1351 nlsp->attr.mls.lvl = smack_cipso_direct; 1352 smack_set_catset(smack, nlsp); 1353 } 1354 } 1355 1356 /** 1357 * smack_netlabel - Set the secattr on a socket 1358 * @sk: the socket 1359 * @labeled: socket label scheme 1360 * 1361 * Convert the outbound smack value (smk_out) to a 1362 * secattr and attach it to the socket. 1363 * 1364 * Returns 0 on success or an error code 1365 */ 1366 static int smack_netlabel(struct sock *sk, int labeled) 1367 { 1368 struct socket_smack *ssp; 1369 struct netlbl_lsm_secattr secattr; 1370 int rc = 0; 1371 1372 ssp = sk->sk_security; 1373 /* 1374 * Usually the netlabel code will handle changing the 1375 * packet labeling based on the label. 1376 * The case of a single label host is different, because 1377 * a single label host should never get a labeled packet 1378 * even though the label is usually associated with a packet 1379 * label. 1380 */ 1381 local_bh_disable(); 1382 bh_lock_sock_nested(sk); 1383 1384 if (ssp->smk_out == smack_net_ambient || 1385 labeled == SMACK_UNLABELED_SOCKET) 1386 netlbl_sock_delattr(sk); 1387 else { 1388 netlbl_secattr_init(&secattr); 1389 smack_to_secattr(ssp->smk_out, &secattr); 1390 rc = netlbl_sock_setattr(sk, &secattr); 1391 netlbl_secattr_destroy(&secattr); 1392 } 1393 1394 bh_unlock_sock(sk); 1395 local_bh_enable(); 1396 /* 1397 * Remember the label scheme used so that it is not 1398 * necessary to do the netlabel setting if it has not 1399 * changed the next time through. 1400 * 1401 * The -EDESTADDRREQ case is an indication that there's 1402 * a single level host involved. 1403 */ 1404 if (rc == 0) 1405 ssp->smk_labeled = labeled; 1406 1407 return rc; 1408 } 1409 1410 /** 1411 * smack_inode_setsecurity - set smack xattrs 1412 * @inode: the object 1413 * @name: attribute name 1414 * @value: attribute value 1415 * @size: size of the attribute 1416 * @flags: unused 1417 * 1418 * Sets the named attribute in the appropriate blob 1419 * 1420 * Returns 0 on success, or an error code 1421 */ 1422 static int smack_inode_setsecurity(struct inode *inode, const char *name, 1423 const void *value, size_t size, int flags) 1424 { 1425 char *sp; 1426 struct inode_smack *nsp = inode->i_security; 1427 struct socket_smack *ssp; 1428 struct socket *sock; 1429 int rc = 0; 1430 1431 if (value == NULL || size > SMK_LABELLEN) 1432 return -EACCES; 1433 1434 sp = smk_import(value, size); 1435 if (sp == NULL) 1436 return -EINVAL; 1437 1438 if (strcmp(name, XATTR_SMACK_SUFFIX) == 0) { 1439 nsp->smk_inode = sp; 1440 return 0; 1441 } 1442 /* 1443 * The rest of the Smack xattrs are only on sockets. 1444 */ 1445 if (inode->i_sb->s_magic != SOCKFS_MAGIC) 1446 return -EOPNOTSUPP; 1447 1448 sock = SOCKET_I(inode); 1449 if (sock == NULL || sock->sk == NULL) 1450 return -EOPNOTSUPP; 1451 1452 ssp = sock->sk->sk_security; 1453 1454 if (strcmp(name, XATTR_SMACK_IPIN) == 0) 1455 ssp->smk_in = sp; 1456 else if (strcmp(name, XATTR_SMACK_IPOUT) == 0) { 1457 ssp->smk_out = sp; 1458 rc = smack_netlabel(sock->sk, SMACK_CIPSO_SOCKET); 1459 if (rc != 0) 1460 printk(KERN_WARNING "Smack: \"%s\" netlbl error %d.\n", 1461 __func__, -rc); 1462 } else 1463 return -EOPNOTSUPP; 1464 1465 return 0; 1466 } 1467 1468 /** 1469 * smack_socket_post_create - finish socket setup 1470 * @sock: the socket 1471 * @family: protocol family 1472 * @type: unused 1473 * @protocol: unused 1474 * @kern: unused 1475 * 1476 * Sets the netlabel information on the socket 1477 * 1478 * Returns 0 on success, and error code otherwise 1479 */ 1480 static int smack_socket_post_create(struct socket *sock, int family, 1481 int type, int protocol, int kern) 1482 { 1483 if (family != PF_INET || sock->sk == NULL) 1484 return 0; 1485 /* 1486 * Set the outbound netlbl. 1487 */ 1488 return smack_netlabel(sock->sk, SMACK_CIPSO_SOCKET); 1489 } 1490 1491 1492 /** 1493 * smack_host_label - check host based restrictions 1494 * @sip: the object end 1495 * 1496 * looks for host based access restrictions 1497 * 1498 * This version will only be appropriate for really small 1499 * sets of single label hosts. 1500 * 1501 * Returns the label of the far end or NULL if it's not special. 1502 */ 1503 static char *smack_host_label(struct sockaddr_in *sip) 1504 { 1505 struct smk_netlbladdr *snp; 1506 struct in_addr *siap = &sip->sin_addr; 1507 1508 if (siap->s_addr == 0) 1509 return NULL; 1510 1511 for (snp = smack_netlbladdrs; snp != NULL; snp = snp->smk_next) { 1512 /* 1513 * we break after finding the first match because 1514 * the list is sorted from longest to shortest mask 1515 * so we have found the most specific match 1516 */ 1517 if ((&snp->smk_host.sin_addr)->s_addr == 1518 (siap->s_addr & (&snp->smk_mask)->s_addr)) { 1519 return snp->smk_label; 1520 } 1521 } 1522 1523 return NULL; 1524 } 1525 1526 /** 1527 * smack_socket_connect - connect access check 1528 * @sock: the socket 1529 * @sap: the other end 1530 * @addrlen: size of sap 1531 * 1532 * Verifies that a connection may be possible 1533 * 1534 * Returns 0 on success, and error code otherwise 1535 */ 1536 static int smack_socket_connect(struct socket *sock, struct sockaddr *sap, 1537 int addrlen) 1538 { 1539 struct socket_smack *ssp = sock->sk->sk_security; 1540 char *hostsp; 1541 int rc; 1542 1543 if (sock->sk == NULL || sock->sk->sk_family != PF_INET) 1544 return 0; 1545 1546 if (addrlen < sizeof(struct sockaddr_in)) 1547 return -EINVAL; 1548 1549 hostsp = smack_host_label((struct sockaddr_in *)sap); 1550 if (hostsp == NULL) { 1551 if (ssp->smk_labeled != SMACK_CIPSO_SOCKET) 1552 return smack_netlabel(sock->sk, SMACK_CIPSO_SOCKET); 1553 return 0; 1554 } 1555 1556 rc = smk_access(ssp->smk_out, hostsp, MAY_WRITE); 1557 if (rc != 0) 1558 return rc; 1559 1560 if (ssp->smk_labeled != SMACK_UNLABELED_SOCKET) 1561 return smack_netlabel(sock->sk, SMACK_UNLABELED_SOCKET); 1562 return 0; 1563 } 1564 1565 /** 1566 * smack_flags_to_may - convert S_ to MAY_ values 1567 * @flags: the S_ value 1568 * 1569 * Returns the equivalent MAY_ value 1570 */ 1571 static int smack_flags_to_may(int flags) 1572 { 1573 int may = 0; 1574 1575 if (flags & S_IRUGO) 1576 may |= MAY_READ; 1577 if (flags & S_IWUGO) 1578 may |= MAY_WRITE; 1579 if (flags & S_IXUGO) 1580 may |= MAY_EXEC; 1581 1582 return may; 1583 } 1584 1585 /** 1586 * smack_msg_msg_alloc_security - Set the security blob for msg_msg 1587 * @msg: the object 1588 * 1589 * Returns 0 1590 */ 1591 static int smack_msg_msg_alloc_security(struct msg_msg *msg) 1592 { 1593 msg->security = current_security(); 1594 return 0; 1595 } 1596 1597 /** 1598 * smack_msg_msg_free_security - Clear the security blob for msg_msg 1599 * @msg: the object 1600 * 1601 * Clears the blob pointer 1602 */ 1603 static void smack_msg_msg_free_security(struct msg_msg *msg) 1604 { 1605 msg->security = NULL; 1606 } 1607 1608 /** 1609 * smack_of_shm - the smack pointer for the shm 1610 * @shp: the object 1611 * 1612 * Returns a pointer to the smack value 1613 */ 1614 static char *smack_of_shm(struct shmid_kernel *shp) 1615 { 1616 return (char *)shp->shm_perm.security; 1617 } 1618 1619 /** 1620 * smack_shm_alloc_security - Set the security blob for shm 1621 * @shp: the object 1622 * 1623 * Returns 0 1624 */ 1625 static int smack_shm_alloc_security(struct shmid_kernel *shp) 1626 { 1627 struct kern_ipc_perm *isp = &shp->shm_perm; 1628 1629 isp->security = current_security(); 1630 return 0; 1631 } 1632 1633 /** 1634 * smack_shm_free_security - Clear the security blob for shm 1635 * @shp: the object 1636 * 1637 * Clears the blob pointer 1638 */ 1639 static void smack_shm_free_security(struct shmid_kernel *shp) 1640 { 1641 struct kern_ipc_perm *isp = &shp->shm_perm; 1642 1643 isp->security = NULL; 1644 } 1645 1646 /** 1647 * smack_shm_associate - Smack access check for shm 1648 * @shp: the object 1649 * @shmflg: access requested 1650 * 1651 * Returns 0 if current has the requested access, error code otherwise 1652 */ 1653 static int smack_shm_associate(struct shmid_kernel *shp, int shmflg) 1654 { 1655 char *ssp = smack_of_shm(shp); 1656 int may; 1657 1658 may = smack_flags_to_may(shmflg); 1659 return smk_curacc(ssp, may); 1660 } 1661 1662 /** 1663 * smack_shm_shmctl - Smack access check for shm 1664 * @shp: the object 1665 * @cmd: what it wants to do 1666 * 1667 * Returns 0 if current has the requested access, error code otherwise 1668 */ 1669 static int smack_shm_shmctl(struct shmid_kernel *shp, int cmd) 1670 { 1671 char *ssp; 1672 int may; 1673 1674 switch (cmd) { 1675 case IPC_STAT: 1676 case SHM_STAT: 1677 may = MAY_READ; 1678 break; 1679 case IPC_SET: 1680 case SHM_LOCK: 1681 case SHM_UNLOCK: 1682 case IPC_RMID: 1683 may = MAY_READWRITE; 1684 break; 1685 case IPC_INFO: 1686 case SHM_INFO: 1687 /* 1688 * System level information. 1689 */ 1690 return 0; 1691 default: 1692 return -EINVAL; 1693 } 1694 1695 ssp = smack_of_shm(shp); 1696 return smk_curacc(ssp, may); 1697 } 1698 1699 /** 1700 * smack_shm_shmat - Smack access for shmat 1701 * @shp: the object 1702 * @shmaddr: unused 1703 * @shmflg: access requested 1704 * 1705 * Returns 0 if current has the requested access, error code otherwise 1706 */ 1707 static int smack_shm_shmat(struct shmid_kernel *shp, char __user *shmaddr, 1708 int shmflg) 1709 { 1710 char *ssp = smack_of_shm(shp); 1711 int may; 1712 1713 may = smack_flags_to_may(shmflg); 1714 return smk_curacc(ssp, may); 1715 } 1716 1717 /** 1718 * smack_of_sem - the smack pointer for the sem 1719 * @sma: the object 1720 * 1721 * Returns a pointer to the smack value 1722 */ 1723 static char *smack_of_sem(struct sem_array *sma) 1724 { 1725 return (char *)sma->sem_perm.security; 1726 } 1727 1728 /** 1729 * smack_sem_alloc_security - Set the security blob for sem 1730 * @sma: the object 1731 * 1732 * Returns 0 1733 */ 1734 static int smack_sem_alloc_security(struct sem_array *sma) 1735 { 1736 struct kern_ipc_perm *isp = &sma->sem_perm; 1737 1738 isp->security = current_security(); 1739 return 0; 1740 } 1741 1742 /** 1743 * smack_sem_free_security - Clear the security blob for sem 1744 * @sma: the object 1745 * 1746 * Clears the blob pointer 1747 */ 1748 static void smack_sem_free_security(struct sem_array *sma) 1749 { 1750 struct kern_ipc_perm *isp = &sma->sem_perm; 1751 1752 isp->security = NULL; 1753 } 1754 1755 /** 1756 * smack_sem_associate - Smack access check for sem 1757 * @sma: the object 1758 * @semflg: access requested 1759 * 1760 * Returns 0 if current has the requested access, error code otherwise 1761 */ 1762 static int smack_sem_associate(struct sem_array *sma, int semflg) 1763 { 1764 char *ssp = smack_of_sem(sma); 1765 int may; 1766 1767 may = smack_flags_to_may(semflg); 1768 return smk_curacc(ssp, may); 1769 } 1770 1771 /** 1772 * smack_sem_shmctl - Smack access check for sem 1773 * @sma: the object 1774 * @cmd: what it wants to do 1775 * 1776 * Returns 0 if current has the requested access, error code otherwise 1777 */ 1778 static int smack_sem_semctl(struct sem_array *sma, int cmd) 1779 { 1780 char *ssp; 1781 int may; 1782 1783 switch (cmd) { 1784 case GETPID: 1785 case GETNCNT: 1786 case GETZCNT: 1787 case GETVAL: 1788 case GETALL: 1789 case IPC_STAT: 1790 case SEM_STAT: 1791 may = MAY_READ; 1792 break; 1793 case SETVAL: 1794 case SETALL: 1795 case IPC_RMID: 1796 case IPC_SET: 1797 may = MAY_READWRITE; 1798 break; 1799 case IPC_INFO: 1800 case SEM_INFO: 1801 /* 1802 * System level information 1803 */ 1804 return 0; 1805 default: 1806 return -EINVAL; 1807 } 1808 1809 ssp = smack_of_sem(sma); 1810 return smk_curacc(ssp, may); 1811 } 1812 1813 /** 1814 * smack_sem_semop - Smack checks of semaphore operations 1815 * @sma: the object 1816 * @sops: unused 1817 * @nsops: unused 1818 * @alter: unused 1819 * 1820 * Treated as read and write in all cases. 1821 * 1822 * Returns 0 if access is allowed, error code otherwise 1823 */ 1824 static int smack_sem_semop(struct sem_array *sma, struct sembuf *sops, 1825 unsigned nsops, int alter) 1826 { 1827 char *ssp = smack_of_sem(sma); 1828 1829 return smk_curacc(ssp, MAY_READWRITE); 1830 } 1831 1832 /** 1833 * smack_msg_alloc_security - Set the security blob for msg 1834 * @msq: the object 1835 * 1836 * Returns 0 1837 */ 1838 static int smack_msg_queue_alloc_security(struct msg_queue *msq) 1839 { 1840 struct kern_ipc_perm *kisp = &msq->q_perm; 1841 1842 kisp->security = current_security(); 1843 return 0; 1844 } 1845 1846 /** 1847 * smack_msg_free_security - Clear the security blob for msg 1848 * @msq: the object 1849 * 1850 * Clears the blob pointer 1851 */ 1852 static void smack_msg_queue_free_security(struct msg_queue *msq) 1853 { 1854 struct kern_ipc_perm *kisp = &msq->q_perm; 1855 1856 kisp->security = NULL; 1857 } 1858 1859 /** 1860 * smack_of_msq - the smack pointer for the msq 1861 * @msq: the object 1862 * 1863 * Returns a pointer to the smack value 1864 */ 1865 static char *smack_of_msq(struct msg_queue *msq) 1866 { 1867 return (char *)msq->q_perm.security; 1868 } 1869 1870 /** 1871 * smack_msg_queue_associate - Smack access check for msg_queue 1872 * @msq: the object 1873 * @msqflg: access requested 1874 * 1875 * Returns 0 if current has the requested access, error code otherwise 1876 */ 1877 static int smack_msg_queue_associate(struct msg_queue *msq, int msqflg) 1878 { 1879 char *msp = smack_of_msq(msq); 1880 int may; 1881 1882 may = smack_flags_to_may(msqflg); 1883 return smk_curacc(msp, may); 1884 } 1885 1886 /** 1887 * smack_msg_queue_msgctl - Smack access check for msg_queue 1888 * @msq: the object 1889 * @cmd: what it wants to do 1890 * 1891 * Returns 0 if current has the requested access, error code otherwise 1892 */ 1893 static int smack_msg_queue_msgctl(struct msg_queue *msq, int cmd) 1894 { 1895 char *msp; 1896 int may; 1897 1898 switch (cmd) { 1899 case IPC_STAT: 1900 case MSG_STAT: 1901 may = MAY_READ; 1902 break; 1903 case IPC_SET: 1904 case IPC_RMID: 1905 may = MAY_READWRITE; 1906 break; 1907 case IPC_INFO: 1908 case MSG_INFO: 1909 /* 1910 * System level information 1911 */ 1912 return 0; 1913 default: 1914 return -EINVAL; 1915 } 1916 1917 msp = smack_of_msq(msq); 1918 return smk_curacc(msp, may); 1919 } 1920 1921 /** 1922 * smack_msg_queue_msgsnd - Smack access check for msg_queue 1923 * @msq: the object 1924 * @msg: unused 1925 * @msqflg: access requested 1926 * 1927 * Returns 0 if current has the requested access, error code otherwise 1928 */ 1929 static int smack_msg_queue_msgsnd(struct msg_queue *msq, struct msg_msg *msg, 1930 int msqflg) 1931 { 1932 char *msp = smack_of_msq(msq); 1933 int rc; 1934 1935 rc = smack_flags_to_may(msqflg); 1936 return smk_curacc(msp, rc); 1937 } 1938 1939 /** 1940 * smack_msg_queue_msgsnd - Smack access check for msg_queue 1941 * @msq: the object 1942 * @msg: unused 1943 * @target: unused 1944 * @type: unused 1945 * @mode: unused 1946 * 1947 * Returns 0 if current has read and write access, error code otherwise 1948 */ 1949 static int smack_msg_queue_msgrcv(struct msg_queue *msq, struct msg_msg *msg, 1950 struct task_struct *target, long type, int mode) 1951 { 1952 char *msp = smack_of_msq(msq); 1953 1954 return smk_curacc(msp, MAY_READWRITE); 1955 } 1956 1957 /** 1958 * smack_ipc_permission - Smack access for ipc_permission() 1959 * @ipp: the object permissions 1960 * @flag: access requested 1961 * 1962 * Returns 0 if current has read and write access, error code otherwise 1963 */ 1964 static int smack_ipc_permission(struct kern_ipc_perm *ipp, short flag) 1965 { 1966 char *isp = ipp->security; 1967 int may; 1968 1969 may = smack_flags_to_may(flag); 1970 return smk_curacc(isp, may); 1971 } 1972 1973 /** 1974 * smack_ipc_getsecid - Extract smack security id 1975 * @ipp: the object permissions 1976 * @secid: where result will be saved 1977 */ 1978 static void smack_ipc_getsecid(struct kern_ipc_perm *ipp, u32 *secid) 1979 { 1980 char *smack = ipp->security; 1981 1982 *secid = smack_to_secid(smack); 1983 } 1984 1985 /** 1986 * smack_d_instantiate - Make sure the blob is correct on an inode 1987 * @opt_dentry: unused 1988 * @inode: the object 1989 * 1990 * Set the inode's security blob if it hasn't been done already. 1991 */ 1992 static void smack_d_instantiate(struct dentry *opt_dentry, struct inode *inode) 1993 { 1994 struct super_block *sbp; 1995 struct superblock_smack *sbsp; 1996 struct inode_smack *isp; 1997 char *csp = current_security(); 1998 char *fetched; 1999 char *final; 2000 struct dentry *dp; 2001 2002 if (inode == NULL) 2003 return; 2004 2005 isp = inode->i_security; 2006 2007 mutex_lock(&isp->smk_lock); 2008 /* 2009 * If the inode is already instantiated 2010 * take the quick way out 2011 */ 2012 if (isp->smk_flags & SMK_INODE_INSTANT) 2013 goto unlockandout; 2014 2015 sbp = inode->i_sb; 2016 sbsp = sbp->s_security; 2017 /* 2018 * We're going to use the superblock default label 2019 * if there's no label on the file. 2020 */ 2021 final = sbsp->smk_default; 2022 2023 /* 2024 * If this is the root inode the superblock 2025 * may be in the process of initialization. 2026 * If that is the case use the root value out 2027 * of the superblock. 2028 */ 2029 if (opt_dentry->d_parent == opt_dentry) { 2030 isp->smk_inode = sbsp->smk_root; 2031 isp->smk_flags |= SMK_INODE_INSTANT; 2032 goto unlockandout; 2033 } 2034 2035 /* 2036 * This is pretty hackish. 2037 * Casey says that we shouldn't have to do 2038 * file system specific code, but it does help 2039 * with keeping it simple. 2040 */ 2041 switch (sbp->s_magic) { 2042 case SMACK_MAGIC: 2043 /* 2044 * Casey says that it's a little embarassing 2045 * that the smack file system doesn't do 2046 * extended attributes. 2047 */ 2048 final = smack_known_star.smk_known; 2049 break; 2050 case PIPEFS_MAGIC: 2051 /* 2052 * Casey says pipes are easy (?) 2053 */ 2054 final = smack_known_star.smk_known; 2055 break; 2056 case DEVPTS_SUPER_MAGIC: 2057 /* 2058 * devpts seems content with the label of the task. 2059 * Programs that change smack have to treat the 2060 * pty with respect. 2061 */ 2062 final = csp; 2063 break; 2064 case SOCKFS_MAGIC: 2065 /* 2066 * Casey says sockets get the smack of the task. 2067 */ 2068 final = csp; 2069 break; 2070 case PROC_SUPER_MAGIC: 2071 /* 2072 * Casey says procfs appears not to care. 2073 * The superblock default suffices. 2074 */ 2075 break; 2076 case TMPFS_MAGIC: 2077 /* 2078 * Device labels should come from the filesystem, 2079 * but watch out, because they're volitile, 2080 * getting recreated on every reboot. 2081 */ 2082 final = smack_known_star.smk_known; 2083 /* 2084 * No break. 2085 * 2086 * If a smack value has been set we want to use it, 2087 * but since tmpfs isn't giving us the opportunity 2088 * to set mount options simulate setting the 2089 * superblock default. 2090 */ 2091 default: 2092 /* 2093 * This isn't an understood special case. 2094 * Get the value from the xattr. 2095 * 2096 * No xattr support means, alas, no SMACK label. 2097 * Use the aforeapplied default. 2098 * It would be curious if the label of the task 2099 * does not match that assigned. 2100 */ 2101 if (inode->i_op->getxattr == NULL) 2102 break; 2103 /* 2104 * Get the dentry for xattr. 2105 */ 2106 if (opt_dentry == NULL) { 2107 dp = d_find_alias(inode); 2108 if (dp == NULL) 2109 break; 2110 } else { 2111 dp = dget(opt_dentry); 2112 if (dp == NULL) 2113 break; 2114 } 2115 2116 fetched = smk_fetch(inode, dp); 2117 if (fetched != NULL) 2118 final = fetched; 2119 2120 dput(dp); 2121 break; 2122 } 2123 2124 if (final == NULL) 2125 isp->smk_inode = csp; 2126 else 2127 isp->smk_inode = final; 2128 2129 isp->smk_flags |= SMK_INODE_INSTANT; 2130 2131 unlockandout: 2132 mutex_unlock(&isp->smk_lock); 2133 return; 2134 } 2135 2136 /** 2137 * smack_getprocattr - Smack process attribute access 2138 * @p: the object task 2139 * @name: the name of the attribute in /proc/.../attr 2140 * @value: where to put the result 2141 * 2142 * Places a copy of the task Smack into value 2143 * 2144 * Returns the length of the smack label or an error code 2145 */ 2146 static int smack_getprocattr(struct task_struct *p, char *name, char **value) 2147 { 2148 char *cp; 2149 int slen; 2150 2151 if (strcmp(name, "current") != 0) 2152 return -EINVAL; 2153 2154 cp = kstrdup(task_security(p), GFP_KERNEL); 2155 if (cp == NULL) 2156 return -ENOMEM; 2157 2158 slen = strlen(cp); 2159 *value = cp; 2160 return slen; 2161 } 2162 2163 /** 2164 * smack_setprocattr - Smack process attribute setting 2165 * @p: the object task 2166 * @name: the name of the attribute in /proc/.../attr 2167 * @value: the value to set 2168 * @size: the size of the value 2169 * 2170 * Sets the Smack value of the task. Only setting self 2171 * is permitted and only with privilege 2172 * 2173 * Returns the length of the smack label or an error code 2174 */ 2175 static int smack_setprocattr(struct task_struct *p, char *name, 2176 void *value, size_t size) 2177 { 2178 struct cred *new; 2179 char *newsmack; 2180 2181 /* 2182 * Changing another process' Smack value is too dangerous 2183 * and supports no sane use case. 2184 */ 2185 if (p != current) 2186 return -EPERM; 2187 2188 if (!capable(CAP_MAC_ADMIN)) 2189 return -EPERM; 2190 2191 if (value == NULL || size == 0 || size >= SMK_LABELLEN) 2192 return -EINVAL; 2193 2194 if (strcmp(name, "current") != 0) 2195 return -EINVAL; 2196 2197 newsmack = smk_import(value, size); 2198 if (newsmack == NULL) 2199 return -EINVAL; 2200 2201 /* 2202 * No process is ever allowed the web ("@") label. 2203 */ 2204 if (newsmack == smack_known_web.smk_known) 2205 return -EPERM; 2206 2207 new = prepare_creds(); 2208 if (new == NULL) 2209 return -ENOMEM; 2210 new->security = newsmack; 2211 commit_creds(new); 2212 return size; 2213 } 2214 2215 /** 2216 * smack_unix_stream_connect - Smack access on UDS 2217 * @sock: one socket 2218 * @other: the other socket 2219 * @newsk: unused 2220 * 2221 * Return 0 if a subject with the smack of sock could access 2222 * an object with the smack of other, otherwise an error code 2223 */ 2224 static int smack_unix_stream_connect(struct socket *sock, 2225 struct socket *other, struct sock *newsk) 2226 { 2227 struct inode *sp = SOCK_INODE(sock); 2228 struct inode *op = SOCK_INODE(other); 2229 2230 return smk_access(smk_of_inode(sp), smk_of_inode(op), MAY_READWRITE); 2231 } 2232 2233 /** 2234 * smack_unix_may_send - Smack access on UDS 2235 * @sock: one socket 2236 * @other: the other socket 2237 * 2238 * Return 0 if a subject with the smack of sock could access 2239 * an object with the smack of other, otherwise an error code 2240 */ 2241 static int smack_unix_may_send(struct socket *sock, struct socket *other) 2242 { 2243 struct inode *sp = SOCK_INODE(sock); 2244 struct inode *op = SOCK_INODE(other); 2245 2246 return smk_access(smk_of_inode(sp), smk_of_inode(op), MAY_WRITE); 2247 } 2248 2249 /** 2250 * smack_socket_sendmsg - Smack check based on destination host 2251 * @sock: the socket 2252 * @msg: the message 2253 * @size: the size of the message 2254 * 2255 * Return 0 if the current subject can write to the destination 2256 * host. This is only a question if the destination is a single 2257 * label host. 2258 */ 2259 static int smack_socket_sendmsg(struct socket *sock, struct msghdr *msg, 2260 int size) 2261 { 2262 struct sockaddr_in *sip = (struct sockaddr_in *) msg->msg_name; 2263 struct socket_smack *ssp = sock->sk->sk_security; 2264 char *hostsp; 2265 int rc; 2266 2267 /* 2268 * Perfectly reasonable for this to be NULL 2269 */ 2270 if (sip == NULL || sip->sin_family != PF_INET) 2271 return 0; 2272 2273 hostsp = smack_host_label(sip); 2274 if (hostsp == NULL) { 2275 if (ssp->smk_labeled != SMACK_CIPSO_SOCKET) 2276 return smack_netlabel(sock->sk, SMACK_CIPSO_SOCKET); 2277 return 0; 2278 } 2279 2280 rc = smk_access(ssp->smk_out, hostsp, MAY_WRITE); 2281 if (rc != 0) 2282 return rc; 2283 2284 if (ssp->smk_labeled != SMACK_UNLABELED_SOCKET) 2285 return smack_netlabel(sock->sk, SMACK_UNLABELED_SOCKET); 2286 2287 return 0; 2288 2289 } 2290 2291 2292 /** 2293 * smack_from_secattr - Convert a netlabel attr.mls.lvl/attr.mls.cat pair to smack 2294 * @sap: netlabel secattr 2295 * @sip: where to put the result 2296 * 2297 * Copies a smack label into sip 2298 */ 2299 static void smack_from_secattr(struct netlbl_lsm_secattr *sap, char *sip) 2300 { 2301 char smack[SMK_LABELLEN]; 2302 char *sp; 2303 int pcat; 2304 2305 if ((sap->flags & NETLBL_SECATTR_MLS_LVL) != 0) { 2306 /* 2307 * Looks like a CIPSO packet. 2308 * If there are flags but no level netlabel isn't 2309 * behaving the way we expect it to. 2310 * 2311 * Get the categories, if any 2312 * Without guidance regarding the smack value 2313 * for the packet fall back on the network 2314 * ambient value. 2315 */ 2316 memset(smack, '\0', SMK_LABELLEN); 2317 if ((sap->flags & NETLBL_SECATTR_MLS_CAT) != 0) 2318 for (pcat = -1;;) { 2319 pcat = netlbl_secattr_catmap_walk( 2320 sap->attr.mls.cat, pcat + 1); 2321 if (pcat < 0) 2322 break; 2323 smack_catset_bit(pcat, smack); 2324 } 2325 /* 2326 * If it is CIPSO using smack direct mapping 2327 * we are already done. WeeHee. 2328 */ 2329 if (sap->attr.mls.lvl == smack_cipso_direct) { 2330 memcpy(sip, smack, SMK_MAXLEN); 2331 return; 2332 } 2333 /* 2334 * Look it up in the supplied table if it is not 2335 * a direct mapping. 2336 */ 2337 smack_from_cipso(sap->attr.mls.lvl, smack, sip); 2338 return; 2339 } 2340 if ((sap->flags & NETLBL_SECATTR_SECID) != 0) { 2341 /* 2342 * Looks like a fallback, which gives us a secid. 2343 */ 2344 sp = smack_from_secid(sap->attr.secid); 2345 /* 2346 * This has got to be a bug because it is 2347 * impossible to specify a fallback without 2348 * specifying the label, which will ensure 2349 * it has a secid, and the only way to get a 2350 * secid is from a fallback. 2351 */ 2352 BUG_ON(sp == NULL); 2353 strncpy(sip, sp, SMK_MAXLEN); 2354 return; 2355 } 2356 /* 2357 * Without guidance regarding the smack value 2358 * for the packet fall back on the network 2359 * ambient value. 2360 */ 2361 strncpy(sip, smack_net_ambient, SMK_MAXLEN); 2362 return; 2363 } 2364 2365 /** 2366 * smack_socket_sock_rcv_skb - Smack packet delivery access check 2367 * @sk: socket 2368 * @skb: packet 2369 * 2370 * Returns 0 if the packet should be delivered, an error code otherwise 2371 */ 2372 static int smack_socket_sock_rcv_skb(struct sock *sk, struct sk_buff *skb) 2373 { 2374 struct netlbl_lsm_secattr secattr; 2375 struct socket_smack *ssp = sk->sk_security; 2376 char smack[SMK_LABELLEN]; 2377 char *csp; 2378 int rc; 2379 2380 if (sk->sk_family != PF_INET && sk->sk_family != PF_INET6) 2381 return 0; 2382 2383 /* 2384 * Translate what netlabel gave us. 2385 */ 2386 netlbl_secattr_init(&secattr); 2387 2388 rc = netlbl_skbuff_getattr(skb, sk->sk_family, &secattr); 2389 if (rc == 0) { 2390 smack_from_secattr(&secattr, smack); 2391 csp = smack; 2392 } else 2393 csp = smack_net_ambient; 2394 2395 netlbl_secattr_destroy(&secattr); 2396 2397 /* 2398 * Receiving a packet requires that the other end 2399 * be able to write here. Read access is not required. 2400 * This is the simplist possible security model 2401 * for networking. 2402 */ 2403 rc = smk_access(csp, ssp->smk_in, MAY_WRITE); 2404 if (rc != 0) 2405 netlbl_skbuff_err(skb, rc, 0); 2406 return rc; 2407 } 2408 2409 /** 2410 * smack_socket_getpeersec_stream - pull in packet label 2411 * @sock: the socket 2412 * @optval: user's destination 2413 * @optlen: size thereof 2414 * @len: max thereof 2415 * 2416 * returns zero on success, an error code otherwise 2417 */ 2418 static int smack_socket_getpeersec_stream(struct socket *sock, 2419 char __user *optval, 2420 int __user *optlen, unsigned len) 2421 { 2422 struct socket_smack *ssp; 2423 int slen; 2424 int rc = 0; 2425 2426 ssp = sock->sk->sk_security; 2427 slen = strlen(ssp->smk_packet) + 1; 2428 2429 if (slen > len) 2430 rc = -ERANGE; 2431 else if (copy_to_user(optval, ssp->smk_packet, slen) != 0) 2432 rc = -EFAULT; 2433 2434 if (put_user(slen, optlen) != 0) 2435 rc = -EFAULT; 2436 2437 return rc; 2438 } 2439 2440 2441 /** 2442 * smack_socket_getpeersec_dgram - pull in packet label 2443 * @sock: the socket 2444 * @skb: packet data 2445 * @secid: pointer to where to put the secid of the packet 2446 * 2447 * Sets the netlabel socket state on sk from parent 2448 */ 2449 static int smack_socket_getpeersec_dgram(struct socket *sock, 2450 struct sk_buff *skb, u32 *secid) 2451 2452 { 2453 struct netlbl_lsm_secattr secattr; 2454 struct sock *sk; 2455 char smack[SMK_LABELLEN]; 2456 int family = PF_INET; 2457 u32 s; 2458 int rc; 2459 2460 /* 2461 * Only works for families with packets. 2462 */ 2463 if (sock != NULL) { 2464 sk = sock->sk; 2465 if (sk->sk_family != PF_INET && sk->sk_family != PF_INET6) 2466 return 0; 2467 family = sk->sk_family; 2468 } 2469 /* 2470 * Translate what netlabel gave us. 2471 */ 2472 netlbl_secattr_init(&secattr); 2473 rc = netlbl_skbuff_getattr(skb, family, &secattr); 2474 if (rc == 0) 2475 smack_from_secattr(&secattr, smack); 2476 netlbl_secattr_destroy(&secattr); 2477 2478 /* 2479 * Give up if we couldn't get anything 2480 */ 2481 if (rc != 0) 2482 return rc; 2483 2484 s = smack_to_secid(smack); 2485 if (s == 0) 2486 return -EINVAL; 2487 2488 *secid = s; 2489 return 0; 2490 } 2491 2492 /** 2493 * smack_sock_graft - graft access state between two sockets 2494 * @sk: fresh sock 2495 * @parent: donor socket 2496 * 2497 * Sets the netlabel socket state on sk from parent 2498 */ 2499 static void smack_sock_graft(struct sock *sk, struct socket *parent) 2500 { 2501 struct socket_smack *ssp; 2502 int rc; 2503 2504 if (sk == NULL) 2505 return; 2506 2507 if (sk->sk_family != PF_INET && sk->sk_family != PF_INET6) 2508 return; 2509 2510 ssp = sk->sk_security; 2511 ssp->smk_in = ssp->smk_out = current_security(); 2512 ssp->smk_packet[0] = '\0'; 2513 2514 rc = smack_netlabel(sk, SMACK_CIPSO_SOCKET); 2515 if (rc != 0) 2516 printk(KERN_WARNING "Smack: \"%s\" netlbl error %d.\n", 2517 __func__, -rc); 2518 } 2519 2520 /** 2521 * smack_inet_conn_request - Smack access check on connect 2522 * @sk: socket involved 2523 * @skb: packet 2524 * @req: unused 2525 * 2526 * Returns 0 if a task with the packet label could write to 2527 * the socket, otherwise an error code 2528 */ 2529 static int smack_inet_conn_request(struct sock *sk, struct sk_buff *skb, 2530 struct request_sock *req) 2531 { 2532 struct netlbl_lsm_secattr skb_secattr; 2533 struct socket_smack *ssp = sk->sk_security; 2534 char smack[SMK_LABELLEN]; 2535 int rc; 2536 2537 if (skb == NULL) 2538 return -EACCES; 2539 2540 netlbl_secattr_init(&skb_secattr); 2541 rc = netlbl_skbuff_getattr(skb, sk->sk_family, &skb_secattr); 2542 if (rc == 0) 2543 smack_from_secattr(&skb_secattr, smack); 2544 else 2545 strncpy(smack, smack_known_huh.smk_known, SMK_MAXLEN); 2546 netlbl_secattr_destroy(&skb_secattr); 2547 /* 2548 * Receiving a packet requires that the other end 2549 * be able to write here. Read access is not required. 2550 * 2551 * If the request is successful save the peer's label 2552 * so that SO_PEERCRED can report it. 2553 */ 2554 rc = smk_access(smack, ssp->smk_in, MAY_WRITE); 2555 if (rc == 0) 2556 strncpy(ssp->smk_packet, smack, SMK_MAXLEN); 2557 2558 return rc; 2559 } 2560 2561 /* 2562 * Key management security hooks 2563 * 2564 * Casey has not tested key support very heavily. 2565 * The permission check is most likely too restrictive. 2566 * If you care about keys please have a look. 2567 */ 2568 #ifdef CONFIG_KEYS 2569 2570 /** 2571 * smack_key_alloc - Set the key security blob 2572 * @key: object 2573 * @cred: the credentials to use 2574 * @flags: unused 2575 * 2576 * No allocation required 2577 * 2578 * Returns 0 2579 */ 2580 static int smack_key_alloc(struct key *key, const struct cred *cred, 2581 unsigned long flags) 2582 { 2583 key->security = cred->security; 2584 return 0; 2585 } 2586 2587 /** 2588 * smack_key_free - Clear the key security blob 2589 * @key: the object 2590 * 2591 * Clear the blob pointer 2592 */ 2593 static void smack_key_free(struct key *key) 2594 { 2595 key->security = NULL; 2596 } 2597 2598 /* 2599 * smack_key_permission - Smack access on a key 2600 * @key_ref: gets to the object 2601 * @cred: the credentials to use 2602 * @perm: unused 2603 * 2604 * Return 0 if the task has read and write to the object, 2605 * an error code otherwise 2606 */ 2607 static int smack_key_permission(key_ref_t key_ref, 2608 const struct cred *cred, key_perm_t perm) 2609 { 2610 struct key *keyp; 2611 2612 keyp = key_ref_to_ptr(key_ref); 2613 if (keyp == NULL) 2614 return -EINVAL; 2615 /* 2616 * If the key hasn't been initialized give it access so that 2617 * it may do so. 2618 */ 2619 if (keyp->security == NULL) 2620 return 0; 2621 /* 2622 * This should not occur 2623 */ 2624 if (cred->security == NULL) 2625 return -EACCES; 2626 2627 return smk_access(cred->security, keyp->security, MAY_READWRITE); 2628 } 2629 #endif /* CONFIG_KEYS */ 2630 2631 /* 2632 * Smack Audit hooks 2633 * 2634 * Audit requires a unique representation of each Smack specific 2635 * rule. This unique representation is used to distinguish the 2636 * object to be audited from remaining kernel objects and also 2637 * works as a glue between the audit hooks. 2638 * 2639 * Since repository entries are added but never deleted, we'll use 2640 * the smack_known label address related to the given audit rule as 2641 * the needed unique representation. This also better fits the smack 2642 * model where nearly everything is a label. 2643 */ 2644 #ifdef CONFIG_AUDIT 2645 2646 /** 2647 * smack_audit_rule_init - Initialize a smack audit rule 2648 * @field: audit rule fields given from user-space (audit.h) 2649 * @op: required testing operator (=, !=, >, <, ...) 2650 * @rulestr: smack label to be audited 2651 * @vrule: pointer to save our own audit rule representation 2652 * 2653 * Prepare to audit cases where (@field @op @rulestr) is true. 2654 * The label to be audited is created if necessay. 2655 */ 2656 static int smack_audit_rule_init(u32 field, u32 op, char *rulestr, void **vrule) 2657 { 2658 char **rule = (char **)vrule; 2659 *rule = NULL; 2660 2661 if (field != AUDIT_SUBJ_USER && field != AUDIT_OBJ_USER) 2662 return -EINVAL; 2663 2664 if (op != Audit_equal && op != Audit_not_equal) 2665 return -EINVAL; 2666 2667 *rule = smk_import(rulestr, 0); 2668 2669 return 0; 2670 } 2671 2672 /** 2673 * smack_audit_rule_known - Distinguish Smack audit rules 2674 * @krule: rule of interest, in Audit kernel representation format 2675 * 2676 * This is used to filter Smack rules from remaining Audit ones. 2677 * If it's proved that this rule belongs to us, the 2678 * audit_rule_match hook will be called to do the final judgement. 2679 */ 2680 static int smack_audit_rule_known(struct audit_krule *krule) 2681 { 2682 struct audit_field *f; 2683 int i; 2684 2685 for (i = 0; i < krule->field_count; i++) { 2686 f = &krule->fields[i]; 2687 2688 if (f->type == AUDIT_SUBJ_USER || f->type == AUDIT_OBJ_USER) 2689 return 1; 2690 } 2691 2692 return 0; 2693 } 2694 2695 /** 2696 * smack_audit_rule_match - Audit given object ? 2697 * @secid: security id for identifying the object to test 2698 * @field: audit rule flags given from user-space 2699 * @op: required testing operator 2700 * @vrule: smack internal rule presentation 2701 * @actx: audit context associated with the check 2702 * 2703 * The core Audit hook. It's used to take the decision of 2704 * whether to audit or not to audit a given object. 2705 */ 2706 static int smack_audit_rule_match(u32 secid, u32 field, u32 op, void *vrule, 2707 struct audit_context *actx) 2708 { 2709 char *smack; 2710 char *rule = vrule; 2711 2712 if (!rule) { 2713 audit_log(actx, GFP_KERNEL, AUDIT_SELINUX_ERR, 2714 "Smack: missing rule\n"); 2715 return -ENOENT; 2716 } 2717 2718 if (field != AUDIT_SUBJ_USER && field != AUDIT_OBJ_USER) 2719 return 0; 2720 2721 smack = smack_from_secid(secid); 2722 2723 /* 2724 * No need to do string comparisons. If a match occurs, 2725 * both pointers will point to the same smack_known 2726 * label. 2727 */ 2728 if (op == Audit_equal) 2729 return (rule == smack); 2730 if (op == Audit_not_equal) 2731 return (rule != smack); 2732 2733 return 0; 2734 } 2735 2736 /** 2737 * smack_audit_rule_free - free smack rule representation 2738 * @vrule: rule to be freed. 2739 * 2740 * No memory was allocated. 2741 */ 2742 static void smack_audit_rule_free(void *vrule) 2743 { 2744 /* No-op */ 2745 } 2746 2747 #endif /* CONFIG_AUDIT */ 2748 2749 /** 2750 * smack_secid_to_secctx - return the smack label for a secid 2751 * @secid: incoming integer 2752 * @secdata: destination 2753 * @seclen: how long it is 2754 * 2755 * Exists for networking code. 2756 */ 2757 static int smack_secid_to_secctx(u32 secid, char **secdata, u32 *seclen) 2758 { 2759 char *sp = smack_from_secid(secid); 2760 2761 *secdata = sp; 2762 *seclen = strlen(sp); 2763 return 0; 2764 } 2765 2766 /** 2767 * smack_secctx_to_secid - return the secid for a smack label 2768 * @secdata: smack label 2769 * @seclen: how long result is 2770 * @secid: outgoing integer 2771 * 2772 * Exists for audit and networking code. 2773 */ 2774 static int smack_secctx_to_secid(const char *secdata, u32 seclen, u32 *secid) 2775 { 2776 *secid = smack_to_secid(secdata); 2777 return 0; 2778 } 2779 2780 /** 2781 * smack_release_secctx - don't do anything. 2782 * @secdata: unused 2783 * @seclen: unused 2784 * 2785 * Exists to make sure nothing gets done, and properly 2786 */ 2787 static void smack_release_secctx(char *secdata, u32 seclen) 2788 { 2789 } 2790 2791 struct security_operations smack_ops = { 2792 .name = "smack", 2793 2794 .ptrace_may_access = smack_ptrace_may_access, 2795 .ptrace_traceme = smack_ptrace_traceme, 2796 .capget = cap_capget, 2797 .capset = cap_capset, 2798 .capable = cap_capable, 2799 .syslog = smack_syslog, 2800 .settime = cap_settime, 2801 .vm_enough_memory = cap_vm_enough_memory, 2802 2803 .bprm_set_creds = cap_bprm_set_creds, 2804 .bprm_secureexec = cap_bprm_secureexec, 2805 2806 .sb_alloc_security = smack_sb_alloc_security, 2807 .sb_free_security = smack_sb_free_security, 2808 .sb_copy_data = smack_sb_copy_data, 2809 .sb_kern_mount = smack_sb_kern_mount, 2810 .sb_statfs = smack_sb_statfs, 2811 .sb_mount = smack_sb_mount, 2812 .sb_umount = smack_sb_umount, 2813 2814 .inode_alloc_security = smack_inode_alloc_security, 2815 .inode_free_security = smack_inode_free_security, 2816 .inode_init_security = smack_inode_init_security, 2817 .inode_link = smack_inode_link, 2818 .inode_unlink = smack_inode_unlink, 2819 .inode_rmdir = smack_inode_rmdir, 2820 .inode_rename = smack_inode_rename, 2821 .inode_permission = smack_inode_permission, 2822 .inode_setattr = smack_inode_setattr, 2823 .inode_getattr = smack_inode_getattr, 2824 .inode_setxattr = smack_inode_setxattr, 2825 .inode_post_setxattr = smack_inode_post_setxattr, 2826 .inode_getxattr = smack_inode_getxattr, 2827 .inode_removexattr = smack_inode_removexattr, 2828 .inode_need_killpriv = cap_inode_need_killpriv, 2829 .inode_killpriv = cap_inode_killpriv, 2830 .inode_getsecurity = smack_inode_getsecurity, 2831 .inode_setsecurity = smack_inode_setsecurity, 2832 .inode_listsecurity = smack_inode_listsecurity, 2833 .inode_getsecid = smack_inode_getsecid, 2834 2835 .file_permission = smack_file_permission, 2836 .file_alloc_security = smack_file_alloc_security, 2837 .file_free_security = smack_file_free_security, 2838 .file_ioctl = smack_file_ioctl, 2839 .file_lock = smack_file_lock, 2840 .file_fcntl = smack_file_fcntl, 2841 .file_set_fowner = smack_file_set_fowner, 2842 .file_send_sigiotask = smack_file_send_sigiotask, 2843 .file_receive = smack_file_receive, 2844 2845 .cred_free = smack_cred_free, 2846 .cred_prepare = smack_cred_prepare, 2847 .cred_commit = smack_cred_commit, 2848 .kernel_act_as = smack_kernel_act_as, 2849 .kernel_create_files_as = smack_kernel_create_files_as, 2850 .task_fix_setuid = cap_task_fix_setuid, 2851 .task_setpgid = smack_task_setpgid, 2852 .task_getpgid = smack_task_getpgid, 2853 .task_getsid = smack_task_getsid, 2854 .task_getsecid = smack_task_getsecid, 2855 .task_setnice = smack_task_setnice, 2856 .task_setioprio = smack_task_setioprio, 2857 .task_getioprio = smack_task_getioprio, 2858 .task_setscheduler = smack_task_setscheduler, 2859 .task_getscheduler = smack_task_getscheduler, 2860 .task_movememory = smack_task_movememory, 2861 .task_kill = smack_task_kill, 2862 .task_wait = smack_task_wait, 2863 .task_to_inode = smack_task_to_inode, 2864 .task_prctl = cap_task_prctl, 2865 2866 .ipc_permission = smack_ipc_permission, 2867 .ipc_getsecid = smack_ipc_getsecid, 2868 2869 .msg_msg_alloc_security = smack_msg_msg_alloc_security, 2870 .msg_msg_free_security = smack_msg_msg_free_security, 2871 2872 .msg_queue_alloc_security = smack_msg_queue_alloc_security, 2873 .msg_queue_free_security = smack_msg_queue_free_security, 2874 .msg_queue_associate = smack_msg_queue_associate, 2875 .msg_queue_msgctl = smack_msg_queue_msgctl, 2876 .msg_queue_msgsnd = smack_msg_queue_msgsnd, 2877 .msg_queue_msgrcv = smack_msg_queue_msgrcv, 2878 2879 .shm_alloc_security = smack_shm_alloc_security, 2880 .shm_free_security = smack_shm_free_security, 2881 .shm_associate = smack_shm_associate, 2882 .shm_shmctl = smack_shm_shmctl, 2883 .shm_shmat = smack_shm_shmat, 2884 2885 .sem_alloc_security = smack_sem_alloc_security, 2886 .sem_free_security = smack_sem_free_security, 2887 .sem_associate = smack_sem_associate, 2888 .sem_semctl = smack_sem_semctl, 2889 .sem_semop = smack_sem_semop, 2890 2891 .netlink_send = cap_netlink_send, 2892 .netlink_recv = cap_netlink_recv, 2893 2894 .d_instantiate = smack_d_instantiate, 2895 2896 .getprocattr = smack_getprocattr, 2897 .setprocattr = smack_setprocattr, 2898 2899 .unix_stream_connect = smack_unix_stream_connect, 2900 .unix_may_send = smack_unix_may_send, 2901 2902 .socket_post_create = smack_socket_post_create, 2903 .socket_connect = smack_socket_connect, 2904 .socket_sendmsg = smack_socket_sendmsg, 2905 .socket_sock_rcv_skb = smack_socket_sock_rcv_skb, 2906 .socket_getpeersec_stream = smack_socket_getpeersec_stream, 2907 .socket_getpeersec_dgram = smack_socket_getpeersec_dgram, 2908 .sk_alloc_security = smack_sk_alloc_security, 2909 .sk_free_security = smack_sk_free_security, 2910 .sock_graft = smack_sock_graft, 2911 .inet_conn_request = smack_inet_conn_request, 2912 2913 /* key management security hooks */ 2914 #ifdef CONFIG_KEYS 2915 .key_alloc = smack_key_alloc, 2916 .key_free = smack_key_free, 2917 .key_permission = smack_key_permission, 2918 #endif /* CONFIG_KEYS */ 2919 2920 /* Audit hooks */ 2921 #ifdef CONFIG_AUDIT 2922 .audit_rule_init = smack_audit_rule_init, 2923 .audit_rule_known = smack_audit_rule_known, 2924 .audit_rule_match = smack_audit_rule_match, 2925 .audit_rule_free = smack_audit_rule_free, 2926 #endif /* CONFIG_AUDIT */ 2927 2928 .secid_to_secctx = smack_secid_to_secctx, 2929 .secctx_to_secid = smack_secctx_to_secid, 2930 .release_secctx = smack_release_secctx, 2931 }; 2932 2933 /** 2934 * smack_init - initialize the smack system 2935 * 2936 * Returns 0 2937 */ 2938 static __init int smack_init(void) 2939 { 2940 struct cred *cred; 2941 2942 if (!security_module_enable(&smack_ops)) 2943 return 0; 2944 2945 printk(KERN_INFO "Smack: Initializing.\n"); 2946 2947 /* 2948 * Set the security state for the initial task. 2949 */ 2950 cred = (struct cred *) current->cred; 2951 cred->security = &smack_known_floor.smk_known; 2952 2953 /* 2954 * Initialize locks 2955 */ 2956 spin_lock_init(&smack_known_huh.smk_cipsolock); 2957 spin_lock_init(&smack_known_hat.smk_cipsolock); 2958 spin_lock_init(&smack_known_star.smk_cipsolock); 2959 spin_lock_init(&smack_known_floor.smk_cipsolock); 2960 spin_lock_init(&smack_known_invalid.smk_cipsolock); 2961 2962 /* 2963 * Register with LSM 2964 */ 2965 if (register_security(&smack_ops)) 2966 panic("smack: Unable to register with kernel.\n"); 2967 2968 return 0; 2969 } 2970 2971 /* 2972 * Smack requires early initialization in order to label 2973 * all processes and objects when they are created. 2974 */ 2975 security_initcall(smack_init); 2976