1 /* 2 * Simplified MAC Kernel (smack) security module 3 * 4 * This file contains the smack hook function implementations. 5 * 6 * Authors: 7 * Casey Schaufler <casey@schaufler-ca.com> 8 * Jarkko Sakkinen <jarkko.sakkinen@intel.com> 9 * 10 * Copyright (C) 2007 Casey Schaufler <casey@schaufler-ca.com> 11 * Copyright (C) 2009 Hewlett-Packard Development Company, L.P. 12 * Paul Moore <paul@paul-moore.com> 13 * Copyright (C) 2010 Nokia Corporation 14 * Copyright (C) 2011 Intel Corporation. 15 * 16 * This program is free software; you can redistribute it and/or modify 17 * it under the terms of the GNU General Public License version 2, 18 * as published by the Free Software Foundation. 19 */ 20 21 #include <linux/xattr.h> 22 #include <linux/pagemap.h> 23 #include <linux/mount.h> 24 #include <linux/stat.h> 25 #include <linux/kd.h> 26 #include <asm/ioctls.h> 27 #include <linux/ip.h> 28 #include <linux/tcp.h> 29 #include <linux/udp.h> 30 #include <linux/slab.h> 31 #include <linux/mutex.h> 32 #include <linux/pipe_fs_i.h> 33 #include <net/cipso_ipv4.h> 34 #include <linux/audit.h> 35 #include <linux/magic.h> 36 #include <linux/dcache.h> 37 #include <linux/personality.h> 38 #include <linux/msg.h> 39 #include <linux/shm.h> 40 #include <linux/binfmts.h> 41 #include "smack.h" 42 43 #define task_security(task) (task_cred_xxx((task), security)) 44 45 #define TRANS_TRUE "TRUE" 46 #define TRANS_TRUE_SIZE 4 47 48 /** 49 * smk_fetch - Fetch the smack label from a file. 50 * @ip: a pointer to the inode 51 * @dp: a pointer to the dentry 52 * 53 * Returns a pointer to the master list entry for the Smack label 54 * or NULL if there was no label to fetch. 55 */ 56 static char *smk_fetch(const char *name, struct inode *ip, struct dentry *dp) 57 { 58 int rc; 59 char *buffer; 60 char *result = NULL; 61 62 if (ip->i_op->getxattr == NULL) 63 return NULL; 64 65 buffer = kzalloc(SMK_LONGLABEL, GFP_KERNEL); 66 if (buffer == NULL) 67 return NULL; 68 69 rc = ip->i_op->getxattr(dp, name, buffer, SMK_LONGLABEL); 70 if (rc > 0) 71 result = smk_import(buffer, rc); 72 73 kfree(buffer); 74 75 return result; 76 } 77 78 /** 79 * new_inode_smack - allocate an inode security blob 80 * @smack: a pointer to the Smack label to use in the blob 81 * 82 * Returns the new blob or NULL if there's no memory available 83 */ 84 struct inode_smack *new_inode_smack(char *smack) 85 { 86 struct inode_smack *isp; 87 88 isp = kzalloc(sizeof(struct inode_smack), GFP_NOFS); 89 if (isp == NULL) 90 return NULL; 91 92 isp->smk_inode = smack; 93 isp->smk_flags = 0; 94 mutex_init(&isp->smk_lock); 95 96 return isp; 97 } 98 99 /** 100 * new_task_smack - allocate a task security blob 101 * @smack: a pointer to the Smack label to use in the blob 102 * 103 * Returns the new blob or NULL if there's no memory available 104 */ 105 static struct task_smack *new_task_smack(char *task, char *forked, gfp_t gfp) 106 { 107 struct task_smack *tsp; 108 109 tsp = kzalloc(sizeof(struct task_smack), gfp); 110 if (tsp == NULL) 111 return NULL; 112 113 tsp->smk_task = task; 114 tsp->smk_forked = forked; 115 INIT_LIST_HEAD(&tsp->smk_rules); 116 mutex_init(&tsp->smk_rules_lock); 117 118 return tsp; 119 } 120 121 /** 122 * smk_copy_rules - copy a rule set 123 * @nhead - new rules header pointer 124 * @ohead - old rules header pointer 125 * 126 * Returns 0 on success, -ENOMEM on error 127 */ 128 static int smk_copy_rules(struct list_head *nhead, struct list_head *ohead, 129 gfp_t gfp) 130 { 131 struct smack_rule *nrp; 132 struct smack_rule *orp; 133 int rc = 0; 134 135 INIT_LIST_HEAD(nhead); 136 137 list_for_each_entry_rcu(orp, ohead, list) { 138 nrp = kzalloc(sizeof(struct smack_rule), gfp); 139 if (nrp == NULL) { 140 rc = -ENOMEM; 141 break; 142 } 143 *nrp = *orp; 144 list_add_rcu(&nrp->list, nhead); 145 } 146 return rc; 147 } 148 149 /* 150 * LSM hooks. 151 * We he, that is fun! 152 */ 153 154 /** 155 * smack_ptrace_access_check - Smack approval on PTRACE_ATTACH 156 * @ctp: child task pointer 157 * @mode: ptrace attachment mode 158 * 159 * Returns 0 if access is OK, an error code otherwise 160 * 161 * Do the capability checks, and require read and write. 162 */ 163 static int smack_ptrace_access_check(struct task_struct *ctp, unsigned int mode) 164 { 165 int rc; 166 struct smk_audit_info ad; 167 char *tsp; 168 169 rc = cap_ptrace_access_check(ctp, mode); 170 if (rc != 0) 171 return rc; 172 173 tsp = smk_of_task(task_security(ctp)); 174 smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_TASK); 175 smk_ad_setfield_u_tsk(&ad, ctp); 176 177 rc = smk_curacc(tsp, MAY_READWRITE, &ad); 178 return rc; 179 } 180 181 /** 182 * smack_ptrace_traceme - Smack approval on PTRACE_TRACEME 183 * @ptp: parent task pointer 184 * 185 * Returns 0 if access is OK, an error code otherwise 186 * 187 * Do the capability checks, and require read and write. 188 */ 189 static int smack_ptrace_traceme(struct task_struct *ptp) 190 { 191 int rc; 192 struct smk_audit_info ad; 193 char *tsp; 194 195 rc = cap_ptrace_traceme(ptp); 196 if (rc != 0) 197 return rc; 198 199 tsp = smk_of_task(task_security(ptp)); 200 smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_TASK); 201 smk_ad_setfield_u_tsk(&ad, ptp); 202 203 rc = smk_curacc(tsp, MAY_READWRITE, &ad); 204 return rc; 205 } 206 207 /** 208 * smack_syslog - Smack approval on syslog 209 * @type: message type 210 * 211 * Require that the task has the floor label 212 * 213 * Returns 0 on success, error code otherwise. 214 */ 215 static int smack_syslog(int typefrom_file) 216 { 217 int rc = 0; 218 char *sp = smk_of_current(); 219 220 if (capable(CAP_MAC_OVERRIDE)) 221 return 0; 222 223 if (sp != smack_known_floor.smk_known) 224 rc = -EACCES; 225 226 return rc; 227 } 228 229 230 /* 231 * Superblock Hooks. 232 */ 233 234 /** 235 * smack_sb_alloc_security - allocate a superblock blob 236 * @sb: the superblock getting the blob 237 * 238 * Returns 0 on success or -ENOMEM on error. 239 */ 240 static int smack_sb_alloc_security(struct super_block *sb) 241 { 242 struct superblock_smack *sbsp; 243 244 sbsp = kzalloc(sizeof(struct superblock_smack), GFP_KERNEL); 245 246 if (sbsp == NULL) 247 return -ENOMEM; 248 249 sbsp->smk_root = smack_known_floor.smk_known; 250 sbsp->smk_default = smack_known_floor.smk_known; 251 sbsp->smk_floor = smack_known_floor.smk_known; 252 sbsp->smk_hat = smack_known_hat.smk_known; 253 sbsp->smk_initialized = 0; 254 spin_lock_init(&sbsp->smk_sblock); 255 256 sb->s_security = sbsp; 257 258 return 0; 259 } 260 261 /** 262 * smack_sb_free_security - free a superblock blob 263 * @sb: the superblock getting the blob 264 * 265 */ 266 static void smack_sb_free_security(struct super_block *sb) 267 { 268 kfree(sb->s_security); 269 sb->s_security = NULL; 270 } 271 272 /** 273 * smack_sb_copy_data - copy mount options data for processing 274 * @orig: where to start 275 * @smackopts: mount options string 276 * 277 * Returns 0 on success or -ENOMEM on error. 278 * 279 * Copy the Smack specific mount options out of the mount 280 * options list. 281 */ 282 static int smack_sb_copy_data(char *orig, char *smackopts) 283 { 284 char *cp, *commap, *otheropts, *dp; 285 286 otheropts = (char *)get_zeroed_page(GFP_KERNEL); 287 if (otheropts == NULL) 288 return -ENOMEM; 289 290 for (cp = orig, commap = orig; commap != NULL; cp = commap + 1) { 291 if (strstr(cp, SMK_FSDEFAULT) == cp) 292 dp = smackopts; 293 else if (strstr(cp, SMK_FSFLOOR) == cp) 294 dp = smackopts; 295 else if (strstr(cp, SMK_FSHAT) == cp) 296 dp = smackopts; 297 else if (strstr(cp, SMK_FSROOT) == cp) 298 dp = smackopts; 299 else 300 dp = otheropts; 301 302 commap = strchr(cp, ','); 303 if (commap != NULL) 304 *commap = '\0'; 305 306 if (*dp != '\0') 307 strcat(dp, ","); 308 strcat(dp, cp); 309 } 310 311 strcpy(orig, otheropts); 312 free_page((unsigned long)otheropts); 313 314 return 0; 315 } 316 317 /** 318 * smack_sb_kern_mount - Smack specific mount processing 319 * @sb: the file system superblock 320 * @flags: the mount flags 321 * @data: the smack mount options 322 * 323 * Returns 0 on success, an error code on failure 324 */ 325 static int smack_sb_kern_mount(struct super_block *sb, int flags, void *data) 326 { 327 struct dentry *root = sb->s_root; 328 struct inode *inode = root->d_inode; 329 struct superblock_smack *sp = sb->s_security; 330 struct inode_smack *isp; 331 char *op; 332 char *commap; 333 char *nsp; 334 335 spin_lock(&sp->smk_sblock); 336 if (sp->smk_initialized != 0) { 337 spin_unlock(&sp->smk_sblock); 338 return 0; 339 } 340 sp->smk_initialized = 1; 341 spin_unlock(&sp->smk_sblock); 342 343 for (op = data; op != NULL; op = commap) { 344 commap = strchr(op, ','); 345 if (commap != NULL) 346 *commap++ = '\0'; 347 348 if (strncmp(op, SMK_FSHAT, strlen(SMK_FSHAT)) == 0) { 349 op += strlen(SMK_FSHAT); 350 nsp = smk_import(op, 0); 351 if (nsp != NULL) 352 sp->smk_hat = nsp; 353 } else if (strncmp(op, SMK_FSFLOOR, strlen(SMK_FSFLOOR)) == 0) { 354 op += strlen(SMK_FSFLOOR); 355 nsp = smk_import(op, 0); 356 if (nsp != NULL) 357 sp->smk_floor = nsp; 358 } else if (strncmp(op, SMK_FSDEFAULT, 359 strlen(SMK_FSDEFAULT)) == 0) { 360 op += strlen(SMK_FSDEFAULT); 361 nsp = smk_import(op, 0); 362 if (nsp != NULL) 363 sp->smk_default = nsp; 364 } else if (strncmp(op, SMK_FSROOT, strlen(SMK_FSROOT)) == 0) { 365 op += strlen(SMK_FSROOT); 366 nsp = smk_import(op, 0); 367 if (nsp != NULL) 368 sp->smk_root = nsp; 369 } 370 } 371 372 /* 373 * Initialize the root inode. 374 */ 375 isp = inode->i_security; 376 if (isp == NULL) 377 inode->i_security = new_inode_smack(sp->smk_root); 378 else 379 isp->smk_inode = sp->smk_root; 380 381 return 0; 382 } 383 384 /** 385 * smack_sb_statfs - Smack check on statfs 386 * @dentry: identifies the file system in question 387 * 388 * Returns 0 if current can read the floor of the filesystem, 389 * and error code otherwise 390 */ 391 static int smack_sb_statfs(struct dentry *dentry) 392 { 393 struct superblock_smack *sbp = dentry->d_sb->s_security; 394 int rc; 395 struct smk_audit_info ad; 396 397 smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_DENTRY); 398 smk_ad_setfield_u_fs_path_dentry(&ad, dentry); 399 400 rc = smk_curacc(sbp->smk_floor, MAY_READ, &ad); 401 return rc; 402 } 403 404 /** 405 * smack_sb_mount - Smack check for mounting 406 * @dev_name: unused 407 * @path: mount point 408 * @type: unused 409 * @flags: unused 410 * @data: unused 411 * 412 * Returns 0 if current can write the floor of the filesystem 413 * being mounted on, an error code otherwise. 414 */ 415 static int smack_sb_mount(char *dev_name, struct path *path, 416 char *type, unsigned long flags, void *data) 417 { 418 struct superblock_smack *sbp = path->dentry->d_sb->s_security; 419 struct smk_audit_info ad; 420 421 smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_PATH); 422 smk_ad_setfield_u_fs_path(&ad, *path); 423 424 return smk_curacc(sbp->smk_floor, MAY_WRITE, &ad); 425 } 426 427 /** 428 * smack_sb_umount - Smack check for unmounting 429 * @mnt: file system to unmount 430 * @flags: unused 431 * 432 * Returns 0 if current can write the floor of the filesystem 433 * being unmounted, an error code otherwise. 434 */ 435 static int smack_sb_umount(struct vfsmount *mnt, int flags) 436 { 437 struct superblock_smack *sbp; 438 struct smk_audit_info ad; 439 struct path path; 440 441 path.dentry = mnt->mnt_root; 442 path.mnt = mnt; 443 444 smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_PATH); 445 smk_ad_setfield_u_fs_path(&ad, path); 446 447 sbp = path.dentry->d_sb->s_security; 448 return smk_curacc(sbp->smk_floor, MAY_WRITE, &ad); 449 } 450 451 /* 452 * BPRM hooks 453 */ 454 455 /** 456 * smack_bprm_set_creds - set creds for exec 457 * @bprm: the exec information 458 * 459 * Returns 0 if it gets a blob, -ENOMEM otherwise 460 */ 461 static int smack_bprm_set_creds(struct linux_binprm *bprm) 462 { 463 struct inode *inode = bprm->file->f_path.dentry->d_inode; 464 struct task_smack *bsp = bprm->cred->security; 465 struct inode_smack *isp; 466 int rc; 467 468 rc = cap_bprm_set_creds(bprm); 469 if (rc != 0) 470 return rc; 471 472 if (bprm->cred_prepared) 473 return 0; 474 475 isp = inode->i_security; 476 if (isp->smk_task == NULL || isp->smk_task == bsp->smk_task) 477 return 0; 478 479 if (bprm->unsafe) 480 return -EPERM; 481 482 bsp->smk_task = isp->smk_task; 483 bprm->per_clear |= PER_CLEAR_ON_SETID; 484 485 return 0; 486 } 487 488 /** 489 * smack_bprm_committing_creds - Prepare to install the new credentials 490 * from bprm. 491 * 492 * @bprm: binprm for exec 493 */ 494 static void smack_bprm_committing_creds(struct linux_binprm *bprm) 495 { 496 struct task_smack *bsp = bprm->cred->security; 497 498 if (bsp->smk_task != bsp->smk_forked) 499 current->pdeath_signal = 0; 500 } 501 502 /** 503 * smack_bprm_secureexec - Return the decision to use secureexec. 504 * @bprm: binprm for exec 505 * 506 * Returns 0 on success. 507 */ 508 static int smack_bprm_secureexec(struct linux_binprm *bprm) 509 { 510 struct task_smack *tsp = current_security(); 511 int ret = cap_bprm_secureexec(bprm); 512 513 if (!ret && (tsp->smk_task != tsp->smk_forked)) 514 ret = 1; 515 516 return ret; 517 } 518 519 /* 520 * Inode hooks 521 */ 522 523 /** 524 * smack_inode_alloc_security - allocate an inode blob 525 * @inode: the inode in need of a blob 526 * 527 * Returns 0 if it gets a blob, -ENOMEM otherwise 528 */ 529 static int smack_inode_alloc_security(struct inode *inode) 530 { 531 inode->i_security = new_inode_smack(smk_of_current()); 532 if (inode->i_security == NULL) 533 return -ENOMEM; 534 return 0; 535 } 536 537 /** 538 * smack_inode_free_security - free an inode blob 539 * @inode: the inode with a blob 540 * 541 * Clears the blob pointer in inode 542 */ 543 static void smack_inode_free_security(struct inode *inode) 544 { 545 kfree(inode->i_security); 546 inode->i_security = NULL; 547 } 548 549 /** 550 * smack_inode_init_security - copy out the smack from an inode 551 * @inode: the inode 552 * @dir: unused 553 * @qstr: unused 554 * @name: where to put the attribute name 555 * @value: where to put the attribute value 556 * @len: where to put the length of the attribute 557 * 558 * Returns 0 if it all works out, -ENOMEM if there's no memory 559 */ 560 static int smack_inode_init_security(struct inode *inode, struct inode *dir, 561 const struct qstr *qstr, char **name, 562 void **value, size_t *len) 563 { 564 struct smack_known *skp; 565 struct inode_smack *issp = inode->i_security; 566 char *csp = smk_of_current(); 567 char *isp = smk_of_inode(inode); 568 char *dsp = smk_of_inode(dir); 569 int may; 570 571 if (name) { 572 *name = kstrdup(XATTR_SMACK_SUFFIX, GFP_NOFS); 573 if (*name == NULL) 574 return -ENOMEM; 575 } 576 577 if (value) { 578 skp = smk_find_entry(csp); 579 rcu_read_lock(); 580 may = smk_access_entry(csp, dsp, &skp->smk_rules); 581 rcu_read_unlock(); 582 583 /* 584 * If the access rule allows transmutation and 585 * the directory requests transmutation then 586 * by all means transmute. 587 * Mark the inode as changed. 588 */ 589 if (may > 0 && ((may & MAY_TRANSMUTE) != 0) && 590 smk_inode_transmutable(dir)) { 591 isp = dsp; 592 issp->smk_flags |= SMK_INODE_CHANGED; 593 } 594 595 *value = kstrdup(isp, GFP_NOFS); 596 if (*value == NULL) 597 return -ENOMEM; 598 } 599 600 if (len) 601 *len = strlen(isp) + 1; 602 603 return 0; 604 } 605 606 /** 607 * smack_inode_link - Smack check on link 608 * @old_dentry: the existing object 609 * @dir: unused 610 * @new_dentry: the new object 611 * 612 * Returns 0 if access is permitted, an error code otherwise 613 */ 614 static int smack_inode_link(struct dentry *old_dentry, struct inode *dir, 615 struct dentry *new_dentry) 616 { 617 char *isp; 618 struct smk_audit_info ad; 619 int rc; 620 621 smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_DENTRY); 622 smk_ad_setfield_u_fs_path_dentry(&ad, old_dentry); 623 624 isp = smk_of_inode(old_dentry->d_inode); 625 rc = smk_curacc(isp, MAY_WRITE, &ad); 626 627 if (rc == 0 && new_dentry->d_inode != NULL) { 628 isp = smk_of_inode(new_dentry->d_inode); 629 smk_ad_setfield_u_fs_path_dentry(&ad, new_dentry); 630 rc = smk_curacc(isp, MAY_WRITE, &ad); 631 } 632 633 return rc; 634 } 635 636 /** 637 * smack_inode_unlink - Smack check on inode deletion 638 * @dir: containing directory object 639 * @dentry: file to unlink 640 * 641 * Returns 0 if current can write the containing directory 642 * and the object, error code otherwise 643 */ 644 static int smack_inode_unlink(struct inode *dir, struct dentry *dentry) 645 { 646 struct inode *ip = dentry->d_inode; 647 struct smk_audit_info ad; 648 int rc; 649 650 smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_DENTRY); 651 smk_ad_setfield_u_fs_path_dentry(&ad, dentry); 652 653 /* 654 * You need write access to the thing you're unlinking 655 */ 656 rc = smk_curacc(smk_of_inode(ip), MAY_WRITE, &ad); 657 if (rc == 0) { 658 /* 659 * You also need write access to the containing directory 660 */ 661 smk_ad_setfield_u_fs_path_dentry(&ad, NULL); 662 smk_ad_setfield_u_fs_inode(&ad, dir); 663 rc = smk_curacc(smk_of_inode(dir), MAY_WRITE, &ad); 664 } 665 return rc; 666 } 667 668 /** 669 * smack_inode_rmdir - Smack check on directory deletion 670 * @dir: containing directory object 671 * @dentry: directory to unlink 672 * 673 * Returns 0 if current can write the containing directory 674 * and the directory, error code otherwise 675 */ 676 static int smack_inode_rmdir(struct inode *dir, struct dentry *dentry) 677 { 678 struct smk_audit_info ad; 679 int rc; 680 681 smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_DENTRY); 682 smk_ad_setfield_u_fs_path_dentry(&ad, dentry); 683 684 /* 685 * You need write access to the thing you're removing 686 */ 687 rc = smk_curacc(smk_of_inode(dentry->d_inode), MAY_WRITE, &ad); 688 if (rc == 0) { 689 /* 690 * You also need write access to the containing directory 691 */ 692 smk_ad_setfield_u_fs_path_dentry(&ad, NULL); 693 smk_ad_setfield_u_fs_inode(&ad, dir); 694 rc = smk_curacc(smk_of_inode(dir), MAY_WRITE, &ad); 695 } 696 697 return rc; 698 } 699 700 /** 701 * smack_inode_rename - Smack check on rename 702 * @old_inode: the old directory 703 * @old_dentry: unused 704 * @new_inode: the new directory 705 * @new_dentry: unused 706 * 707 * Read and write access is required on both the old and 708 * new directories. 709 * 710 * Returns 0 if access is permitted, an error code otherwise 711 */ 712 static int smack_inode_rename(struct inode *old_inode, 713 struct dentry *old_dentry, 714 struct inode *new_inode, 715 struct dentry *new_dentry) 716 { 717 int rc; 718 char *isp; 719 struct smk_audit_info ad; 720 721 smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_DENTRY); 722 smk_ad_setfield_u_fs_path_dentry(&ad, old_dentry); 723 724 isp = smk_of_inode(old_dentry->d_inode); 725 rc = smk_curacc(isp, MAY_READWRITE, &ad); 726 727 if (rc == 0 && new_dentry->d_inode != NULL) { 728 isp = smk_of_inode(new_dentry->d_inode); 729 smk_ad_setfield_u_fs_path_dentry(&ad, new_dentry); 730 rc = smk_curacc(isp, MAY_READWRITE, &ad); 731 } 732 return rc; 733 } 734 735 /** 736 * smack_inode_permission - Smack version of permission() 737 * @inode: the inode in question 738 * @mask: the access requested 739 * 740 * This is the important Smack hook. 741 * 742 * Returns 0 if access is permitted, -EACCES otherwise 743 */ 744 static int smack_inode_permission(struct inode *inode, int mask) 745 { 746 struct smk_audit_info ad; 747 int no_block = mask & MAY_NOT_BLOCK; 748 749 mask &= (MAY_READ|MAY_WRITE|MAY_EXEC|MAY_APPEND); 750 /* 751 * No permission to check. Existence test. Yup, it's there. 752 */ 753 if (mask == 0) 754 return 0; 755 756 /* May be droppable after audit */ 757 if (no_block) 758 return -ECHILD; 759 smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_INODE); 760 smk_ad_setfield_u_fs_inode(&ad, inode); 761 return smk_curacc(smk_of_inode(inode), mask, &ad); 762 } 763 764 /** 765 * smack_inode_setattr - Smack check for setting attributes 766 * @dentry: the object 767 * @iattr: for the force flag 768 * 769 * Returns 0 if access is permitted, an error code otherwise 770 */ 771 static int smack_inode_setattr(struct dentry *dentry, struct iattr *iattr) 772 { 773 struct smk_audit_info ad; 774 /* 775 * Need to allow for clearing the setuid bit. 776 */ 777 if (iattr->ia_valid & ATTR_FORCE) 778 return 0; 779 smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_DENTRY); 780 smk_ad_setfield_u_fs_path_dentry(&ad, dentry); 781 782 return smk_curacc(smk_of_inode(dentry->d_inode), MAY_WRITE, &ad); 783 } 784 785 /** 786 * smack_inode_getattr - Smack check for getting attributes 787 * @mnt: unused 788 * @dentry: the object 789 * 790 * Returns 0 if access is permitted, an error code otherwise 791 */ 792 static int smack_inode_getattr(struct vfsmount *mnt, struct dentry *dentry) 793 { 794 struct smk_audit_info ad; 795 struct path path; 796 797 path.dentry = dentry; 798 path.mnt = mnt; 799 800 smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_PATH); 801 smk_ad_setfield_u_fs_path(&ad, path); 802 return smk_curacc(smk_of_inode(dentry->d_inode), MAY_READ, &ad); 803 } 804 805 /** 806 * smack_inode_setxattr - Smack check for setting xattrs 807 * @dentry: the object 808 * @name: name of the attribute 809 * @value: unused 810 * @size: unused 811 * @flags: unused 812 * 813 * This protects the Smack attribute explicitly. 814 * 815 * Returns 0 if access is permitted, an error code otherwise 816 */ 817 static int smack_inode_setxattr(struct dentry *dentry, const char *name, 818 const void *value, size_t size, int flags) 819 { 820 struct smk_audit_info ad; 821 int rc = 0; 822 823 if (strcmp(name, XATTR_NAME_SMACK) == 0 || 824 strcmp(name, XATTR_NAME_SMACKIPIN) == 0 || 825 strcmp(name, XATTR_NAME_SMACKIPOUT) == 0 || 826 strcmp(name, XATTR_NAME_SMACKEXEC) == 0 || 827 strcmp(name, XATTR_NAME_SMACKMMAP) == 0) { 828 if (!capable(CAP_MAC_ADMIN)) 829 rc = -EPERM; 830 /* 831 * check label validity here so import wont fail on 832 * post_setxattr 833 */ 834 if (size == 0 || size >= SMK_LONGLABEL || 835 smk_import(value, size) == NULL) 836 rc = -EINVAL; 837 } else if (strcmp(name, XATTR_NAME_SMACKTRANSMUTE) == 0) { 838 if (!capable(CAP_MAC_ADMIN)) 839 rc = -EPERM; 840 if (size != TRANS_TRUE_SIZE || 841 strncmp(value, TRANS_TRUE, TRANS_TRUE_SIZE) != 0) 842 rc = -EINVAL; 843 } else 844 rc = cap_inode_setxattr(dentry, name, value, size, flags); 845 846 smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_DENTRY); 847 smk_ad_setfield_u_fs_path_dentry(&ad, dentry); 848 849 if (rc == 0) 850 rc = smk_curacc(smk_of_inode(dentry->d_inode), MAY_WRITE, &ad); 851 852 return rc; 853 } 854 855 /** 856 * smack_inode_post_setxattr - Apply the Smack update approved above 857 * @dentry: object 858 * @name: attribute name 859 * @value: attribute value 860 * @size: attribute size 861 * @flags: unused 862 * 863 * Set the pointer in the inode blob to the entry found 864 * in the master label list. 865 */ 866 static void smack_inode_post_setxattr(struct dentry *dentry, const char *name, 867 const void *value, size_t size, int flags) 868 { 869 char *nsp; 870 struct inode_smack *isp = dentry->d_inode->i_security; 871 872 if (strcmp(name, XATTR_NAME_SMACK) == 0) { 873 nsp = smk_import(value, size); 874 if (nsp != NULL) 875 isp->smk_inode = nsp; 876 else 877 isp->smk_inode = smack_known_invalid.smk_known; 878 } else if (strcmp(name, XATTR_NAME_SMACKEXEC) == 0) { 879 nsp = smk_import(value, size); 880 if (nsp != NULL) 881 isp->smk_task = nsp; 882 else 883 isp->smk_task = smack_known_invalid.smk_known; 884 } else if (strcmp(name, XATTR_NAME_SMACKMMAP) == 0) { 885 nsp = smk_import(value, size); 886 if (nsp != NULL) 887 isp->smk_mmap = nsp; 888 else 889 isp->smk_mmap = smack_known_invalid.smk_known; 890 } else if (strcmp(name, XATTR_NAME_SMACKTRANSMUTE) == 0) 891 isp->smk_flags |= SMK_INODE_TRANSMUTE; 892 893 return; 894 } 895 896 /** 897 * smack_inode_getxattr - Smack check on getxattr 898 * @dentry: the object 899 * @name: unused 900 * 901 * Returns 0 if access is permitted, an error code otherwise 902 */ 903 static int smack_inode_getxattr(struct dentry *dentry, const char *name) 904 { 905 struct smk_audit_info ad; 906 907 smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_DENTRY); 908 smk_ad_setfield_u_fs_path_dentry(&ad, dentry); 909 910 return smk_curacc(smk_of_inode(dentry->d_inode), MAY_READ, &ad); 911 } 912 913 /** 914 * smack_inode_removexattr - Smack check on removexattr 915 * @dentry: the object 916 * @name: name of the attribute 917 * 918 * Removing the Smack attribute requires CAP_MAC_ADMIN 919 * 920 * Returns 0 if access is permitted, an error code otherwise 921 */ 922 static int smack_inode_removexattr(struct dentry *dentry, const char *name) 923 { 924 struct inode_smack *isp; 925 struct smk_audit_info ad; 926 int rc = 0; 927 928 if (strcmp(name, XATTR_NAME_SMACK) == 0 || 929 strcmp(name, XATTR_NAME_SMACKIPIN) == 0 || 930 strcmp(name, XATTR_NAME_SMACKIPOUT) == 0 || 931 strcmp(name, XATTR_NAME_SMACKEXEC) == 0 || 932 strcmp(name, XATTR_NAME_SMACKTRANSMUTE) == 0 || 933 strcmp(name, XATTR_NAME_SMACKMMAP)) { 934 if (!capable(CAP_MAC_ADMIN)) 935 rc = -EPERM; 936 } else 937 rc = cap_inode_removexattr(dentry, name); 938 939 smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_DENTRY); 940 smk_ad_setfield_u_fs_path_dentry(&ad, dentry); 941 if (rc == 0) 942 rc = smk_curacc(smk_of_inode(dentry->d_inode), MAY_WRITE, &ad); 943 944 if (rc == 0) { 945 isp = dentry->d_inode->i_security; 946 isp->smk_task = NULL; 947 isp->smk_mmap = NULL; 948 } 949 950 return rc; 951 } 952 953 /** 954 * smack_inode_getsecurity - get smack xattrs 955 * @inode: the object 956 * @name: attribute name 957 * @buffer: where to put the result 958 * @alloc: unused 959 * 960 * Returns the size of the attribute or an error code 961 */ 962 static int smack_inode_getsecurity(const struct inode *inode, 963 const char *name, void **buffer, 964 bool alloc) 965 { 966 struct socket_smack *ssp; 967 struct socket *sock; 968 struct super_block *sbp; 969 struct inode *ip = (struct inode *)inode; 970 char *isp; 971 int ilen; 972 int rc = 0; 973 974 if (strcmp(name, XATTR_SMACK_SUFFIX) == 0) { 975 isp = smk_of_inode(inode); 976 ilen = strlen(isp) + 1; 977 *buffer = isp; 978 return ilen; 979 } 980 981 /* 982 * The rest of the Smack xattrs are only on sockets. 983 */ 984 sbp = ip->i_sb; 985 if (sbp->s_magic != SOCKFS_MAGIC) 986 return -EOPNOTSUPP; 987 988 sock = SOCKET_I(ip); 989 if (sock == NULL || sock->sk == NULL) 990 return -EOPNOTSUPP; 991 992 ssp = sock->sk->sk_security; 993 994 if (strcmp(name, XATTR_SMACK_IPIN) == 0) 995 isp = ssp->smk_in; 996 else if (strcmp(name, XATTR_SMACK_IPOUT) == 0) 997 isp = ssp->smk_out; 998 else 999 return -EOPNOTSUPP; 1000 1001 ilen = strlen(isp) + 1; 1002 if (rc == 0) { 1003 *buffer = isp; 1004 rc = ilen; 1005 } 1006 1007 return rc; 1008 } 1009 1010 1011 /** 1012 * smack_inode_listsecurity - list the Smack attributes 1013 * @inode: the object 1014 * @buffer: where they go 1015 * @buffer_size: size of buffer 1016 * 1017 * Returns 0 on success, -EINVAL otherwise 1018 */ 1019 static int smack_inode_listsecurity(struct inode *inode, char *buffer, 1020 size_t buffer_size) 1021 { 1022 int len = strlen(XATTR_NAME_SMACK); 1023 1024 if (buffer != NULL && len <= buffer_size) { 1025 memcpy(buffer, XATTR_NAME_SMACK, len); 1026 return len; 1027 } 1028 return -EINVAL; 1029 } 1030 1031 /** 1032 * smack_inode_getsecid - Extract inode's security id 1033 * @inode: inode to extract the info from 1034 * @secid: where result will be saved 1035 */ 1036 static void smack_inode_getsecid(const struct inode *inode, u32 *secid) 1037 { 1038 struct inode_smack *isp = inode->i_security; 1039 1040 *secid = smack_to_secid(isp->smk_inode); 1041 } 1042 1043 /* 1044 * File Hooks 1045 */ 1046 1047 /** 1048 * smack_file_permission - Smack check on file operations 1049 * @file: unused 1050 * @mask: unused 1051 * 1052 * Returns 0 1053 * 1054 * Should access checks be done on each read or write? 1055 * UNICOS and SELinux say yes. 1056 * Trusted Solaris, Trusted Irix, and just about everyone else says no. 1057 * 1058 * I'll say no for now. Smack does not do the frequent 1059 * label changing that SELinux does. 1060 */ 1061 static int smack_file_permission(struct file *file, int mask) 1062 { 1063 return 0; 1064 } 1065 1066 /** 1067 * smack_file_alloc_security - assign a file security blob 1068 * @file: the object 1069 * 1070 * The security blob for a file is a pointer to the master 1071 * label list, so no allocation is done. 1072 * 1073 * Returns 0 1074 */ 1075 static int smack_file_alloc_security(struct file *file) 1076 { 1077 file->f_security = smk_of_current(); 1078 return 0; 1079 } 1080 1081 /** 1082 * smack_file_free_security - clear a file security blob 1083 * @file: the object 1084 * 1085 * The security blob for a file is a pointer to the master 1086 * label list, so no memory is freed. 1087 */ 1088 static void smack_file_free_security(struct file *file) 1089 { 1090 file->f_security = NULL; 1091 } 1092 1093 /** 1094 * smack_file_ioctl - Smack check on ioctls 1095 * @file: the object 1096 * @cmd: what to do 1097 * @arg: unused 1098 * 1099 * Relies heavily on the correct use of the ioctl command conventions. 1100 * 1101 * Returns 0 if allowed, error code otherwise 1102 */ 1103 static int smack_file_ioctl(struct file *file, unsigned int cmd, 1104 unsigned long arg) 1105 { 1106 int rc = 0; 1107 struct smk_audit_info ad; 1108 1109 smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_PATH); 1110 smk_ad_setfield_u_fs_path(&ad, file->f_path); 1111 1112 if (_IOC_DIR(cmd) & _IOC_WRITE) 1113 rc = smk_curacc(file->f_security, MAY_WRITE, &ad); 1114 1115 if (rc == 0 && (_IOC_DIR(cmd) & _IOC_READ)) 1116 rc = smk_curacc(file->f_security, MAY_READ, &ad); 1117 1118 return rc; 1119 } 1120 1121 /** 1122 * smack_file_lock - Smack check on file locking 1123 * @file: the object 1124 * @cmd: unused 1125 * 1126 * Returns 0 if current has write access, error code otherwise 1127 */ 1128 static int smack_file_lock(struct file *file, unsigned int cmd) 1129 { 1130 struct smk_audit_info ad; 1131 1132 smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_PATH); 1133 smk_ad_setfield_u_fs_path(&ad, file->f_path); 1134 return smk_curacc(file->f_security, MAY_WRITE, &ad); 1135 } 1136 1137 /** 1138 * smack_file_fcntl - Smack check on fcntl 1139 * @file: the object 1140 * @cmd: what action to check 1141 * @arg: unused 1142 * 1143 * Generally these operations are harmless. 1144 * File locking operations present an obvious mechanism 1145 * for passing information, so they require write access. 1146 * 1147 * Returns 0 if current has access, error code otherwise 1148 */ 1149 static int smack_file_fcntl(struct file *file, unsigned int cmd, 1150 unsigned long arg) 1151 { 1152 struct smk_audit_info ad; 1153 int rc = 0; 1154 1155 1156 switch (cmd) { 1157 case F_GETLK: 1158 case F_SETLK: 1159 case F_SETLKW: 1160 case F_SETOWN: 1161 case F_SETSIG: 1162 smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_PATH); 1163 smk_ad_setfield_u_fs_path(&ad, file->f_path); 1164 rc = smk_curacc(file->f_security, MAY_WRITE, &ad); 1165 break; 1166 default: 1167 break; 1168 } 1169 1170 return rc; 1171 } 1172 1173 /** 1174 * smack_mmap_file : 1175 * Check permissions for a mmap operation. The @file may be NULL, e.g. 1176 * if mapping anonymous memory. 1177 * @file contains the file structure for file to map (may be NULL). 1178 * @reqprot contains the protection requested by the application. 1179 * @prot contains the protection that will be applied by the kernel. 1180 * @flags contains the operational flags. 1181 * Return 0 if permission is granted. 1182 */ 1183 static int smack_mmap_file(struct file *file, 1184 unsigned long reqprot, unsigned long prot, 1185 unsigned long flags) 1186 { 1187 struct smack_known *skp; 1188 struct smack_rule *srp; 1189 struct task_smack *tsp; 1190 char *sp; 1191 char *msmack; 1192 char *osmack; 1193 struct inode_smack *isp; 1194 struct dentry *dp; 1195 int may; 1196 int mmay; 1197 int tmay; 1198 int rc; 1199 1200 if (file == NULL || file->f_dentry == NULL) 1201 return 0; 1202 1203 dp = file->f_dentry; 1204 1205 if (dp->d_inode == NULL) 1206 return 0; 1207 1208 isp = dp->d_inode->i_security; 1209 if (isp->smk_mmap == NULL) 1210 return 0; 1211 msmack = isp->smk_mmap; 1212 1213 tsp = current_security(); 1214 sp = smk_of_current(); 1215 skp = smk_find_entry(sp); 1216 rc = 0; 1217 1218 rcu_read_lock(); 1219 /* 1220 * For each Smack rule associated with the subject 1221 * label verify that the SMACK64MMAP also has access 1222 * to that rule's object label. 1223 */ 1224 list_for_each_entry_rcu(srp, &skp->smk_rules, list) { 1225 osmack = srp->smk_object; 1226 /* 1227 * Matching labels always allows access. 1228 */ 1229 if (msmack == osmack) 1230 continue; 1231 /* 1232 * If there is a matching local rule take 1233 * that into account as well. 1234 */ 1235 may = smk_access_entry(srp->smk_subject, osmack, 1236 &tsp->smk_rules); 1237 if (may == -ENOENT) 1238 may = srp->smk_access; 1239 else 1240 may &= srp->smk_access; 1241 /* 1242 * If may is zero the SMACK64MMAP subject can't 1243 * possibly have less access. 1244 */ 1245 if (may == 0) 1246 continue; 1247 1248 /* 1249 * Fetch the global list entry. 1250 * If there isn't one a SMACK64MMAP subject 1251 * can't have as much access as current. 1252 */ 1253 skp = smk_find_entry(msmack); 1254 mmay = smk_access_entry(msmack, osmack, &skp->smk_rules); 1255 if (mmay == -ENOENT) { 1256 rc = -EACCES; 1257 break; 1258 } 1259 /* 1260 * If there is a local entry it modifies the 1261 * potential access, too. 1262 */ 1263 tmay = smk_access_entry(msmack, osmack, &tsp->smk_rules); 1264 if (tmay != -ENOENT) 1265 mmay &= tmay; 1266 1267 /* 1268 * If there is any access available to current that is 1269 * not available to a SMACK64MMAP subject 1270 * deny access. 1271 */ 1272 if ((may | mmay) != mmay) { 1273 rc = -EACCES; 1274 break; 1275 } 1276 } 1277 1278 rcu_read_unlock(); 1279 1280 return rc; 1281 } 1282 1283 /** 1284 * smack_file_set_fowner - set the file security blob value 1285 * @file: object in question 1286 * 1287 * Returns 0 1288 * Further research may be required on this one. 1289 */ 1290 static int smack_file_set_fowner(struct file *file) 1291 { 1292 file->f_security = smk_of_current(); 1293 return 0; 1294 } 1295 1296 /** 1297 * smack_file_send_sigiotask - Smack on sigio 1298 * @tsk: The target task 1299 * @fown: the object the signal come from 1300 * @signum: unused 1301 * 1302 * Allow a privileged task to get signals even if it shouldn't 1303 * 1304 * Returns 0 if a subject with the object's smack could 1305 * write to the task, an error code otherwise. 1306 */ 1307 static int smack_file_send_sigiotask(struct task_struct *tsk, 1308 struct fown_struct *fown, int signum) 1309 { 1310 struct file *file; 1311 int rc; 1312 char *tsp = smk_of_task(tsk->cred->security); 1313 struct smk_audit_info ad; 1314 1315 /* 1316 * struct fown_struct is never outside the context of a struct file 1317 */ 1318 file = container_of(fown, struct file, f_owner); 1319 1320 /* we don't log here as rc can be overriden */ 1321 rc = smk_access(file->f_security, tsp, MAY_WRITE, NULL); 1322 if (rc != 0 && has_capability(tsk, CAP_MAC_OVERRIDE)) 1323 rc = 0; 1324 1325 smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_TASK); 1326 smk_ad_setfield_u_tsk(&ad, tsk); 1327 smack_log(file->f_security, tsp, MAY_WRITE, rc, &ad); 1328 return rc; 1329 } 1330 1331 /** 1332 * smack_file_receive - Smack file receive check 1333 * @file: the object 1334 * 1335 * Returns 0 if current has access, error code otherwise 1336 */ 1337 static int smack_file_receive(struct file *file) 1338 { 1339 int may = 0; 1340 struct smk_audit_info ad; 1341 1342 smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_TASK); 1343 smk_ad_setfield_u_fs_path(&ad, file->f_path); 1344 /* 1345 * This code relies on bitmasks. 1346 */ 1347 if (file->f_mode & FMODE_READ) 1348 may = MAY_READ; 1349 if (file->f_mode & FMODE_WRITE) 1350 may |= MAY_WRITE; 1351 1352 return smk_curacc(file->f_security, may, &ad); 1353 } 1354 1355 /** 1356 * smack_file_open - Smack dentry open processing 1357 * @file: the object 1358 * @cred: unused 1359 * 1360 * Set the security blob in the file structure. 1361 * 1362 * Returns 0 1363 */ 1364 static int smack_file_open(struct file *file, const struct cred *cred) 1365 { 1366 struct inode_smack *isp = file->f_path.dentry->d_inode->i_security; 1367 1368 file->f_security = isp->smk_inode; 1369 1370 return 0; 1371 } 1372 1373 /* 1374 * Task hooks 1375 */ 1376 1377 /** 1378 * smack_cred_alloc_blank - "allocate" blank task-level security credentials 1379 * @new: the new credentials 1380 * @gfp: the atomicity of any memory allocations 1381 * 1382 * Prepare a blank set of credentials for modification. This must allocate all 1383 * the memory the LSM module might require such that cred_transfer() can 1384 * complete without error. 1385 */ 1386 static int smack_cred_alloc_blank(struct cred *cred, gfp_t gfp) 1387 { 1388 struct task_smack *tsp; 1389 1390 tsp = new_task_smack(NULL, NULL, gfp); 1391 if (tsp == NULL) 1392 return -ENOMEM; 1393 1394 cred->security = tsp; 1395 1396 return 0; 1397 } 1398 1399 1400 /** 1401 * smack_cred_free - "free" task-level security credentials 1402 * @cred: the credentials in question 1403 * 1404 */ 1405 static void smack_cred_free(struct cred *cred) 1406 { 1407 struct task_smack *tsp = cred->security; 1408 struct smack_rule *rp; 1409 struct list_head *l; 1410 struct list_head *n; 1411 1412 if (tsp == NULL) 1413 return; 1414 cred->security = NULL; 1415 1416 list_for_each_safe(l, n, &tsp->smk_rules) { 1417 rp = list_entry(l, struct smack_rule, list); 1418 list_del(&rp->list); 1419 kfree(rp); 1420 } 1421 kfree(tsp); 1422 } 1423 1424 /** 1425 * smack_cred_prepare - prepare new set of credentials for modification 1426 * @new: the new credentials 1427 * @old: the original credentials 1428 * @gfp: the atomicity of any memory allocations 1429 * 1430 * Prepare a new set of credentials for modification. 1431 */ 1432 static int smack_cred_prepare(struct cred *new, const struct cred *old, 1433 gfp_t gfp) 1434 { 1435 struct task_smack *old_tsp = old->security; 1436 struct task_smack *new_tsp; 1437 int rc; 1438 1439 new_tsp = new_task_smack(old_tsp->smk_task, old_tsp->smk_task, gfp); 1440 if (new_tsp == NULL) 1441 return -ENOMEM; 1442 1443 rc = smk_copy_rules(&new_tsp->smk_rules, &old_tsp->smk_rules, gfp); 1444 if (rc != 0) 1445 return rc; 1446 1447 new->security = new_tsp; 1448 return 0; 1449 } 1450 1451 /** 1452 * smack_cred_transfer - Transfer the old credentials to the new credentials 1453 * @new: the new credentials 1454 * @old: the original credentials 1455 * 1456 * Fill in a set of blank credentials from another set of credentials. 1457 */ 1458 static void smack_cred_transfer(struct cred *new, const struct cred *old) 1459 { 1460 struct task_smack *old_tsp = old->security; 1461 struct task_smack *new_tsp = new->security; 1462 1463 new_tsp->smk_task = old_tsp->smk_task; 1464 new_tsp->smk_forked = old_tsp->smk_task; 1465 mutex_init(&new_tsp->smk_rules_lock); 1466 INIT_LIST_HEAD(&new_tsp->smk_rules); 1467 1468 1469 /* cbs copy rule list */ 1470 } 1471 1472 /** 1473 * smack_kernel_act_as - Set the subjective context in a set of credentials 1474 * @new: points to the set of credentials to be modified. 1475 * @secid: specifies the security ID to be set 1476 * 1477 * Set the security data for a kernel service. 1478 */ 1479 static int smack_kernel_act_as(struct cred *new, u32 secid) 1480 { 1481 struct task_smack *new_tsp = new->security; 1482 char *smack = smack_from_secid(secid); 1483 1484 if (smack == NULL) 1485 return -EINVAL; 1486 1487 new_tsp->smk_task = smack; 1488 return 0; 1489 } 1490 1491 /** 1492 * smack_kernel_create_files_as - Set the file creation label in a set of creds 1493 * @new: points to the set of credentials to be modified 1494 * @inode: points to the inode to use as a reference 1495 * 1496 * Set the file creation context in a set of credentials to the same 1497 * as the objective context of the specified inode 1498 */ 1499 static int smack_kernel_create_files_as(struct cred *new, 1500 struct inode *inode) 1501 { 1502 struct inode_smack *isp = inode->i_security; 1503 struct task_smack *tsp = new->security; 1504 1505 tsp->smk_forked = isp->smk_inode; 1506 tsp->smk_task = isp->smk_inode; 1507 return 0; 1508 } 1509 1510 /** 1511 * smk_curacc_on_task - helper to log task related access 1512 * @p: the task object 1513 * @access: the access requested 1514 * @caller: name of the calling function for audit 1515 * 1516 * Return 0 if access is permitted 1517 */ 1518 static int smk_curacc_on_task(struct task_struct *p, int access, 1519 const char *caller) 1520 { 1521 struct smk_audit_info ad; 1522 1523 smk_ad_init(&ad, caller, LSM_AUDIT_DATA_TASK); 1524 smk_ad_setfield_u_tsk(&ad, p); 1525 return smk_curacc(smk_of_task(task_security(p)), access, &ad); 1526 } 1527 1528 /** 1529 * smack_task_setpgid - Smack check on setting pgid 1530 * @p: the task object 1531 * @pgid: unused 1532 * 1533 * Return 0 if write access is permitted 1534 */ 1535 static int smack_task_setpgid(struct task_struct *p, pid_t pgid) 1536 { 1537 return smk_curacc_on_task(p, MAY_WRITE, __func__); 1538 } 1539 1540 /** 1541 * smack_task_getpgid - Smack access check for getpgid 1542 * @p: the object task 1543 * 1544 * Returns 0 if current can read the object task, error code otherwise 1545 */ 1546 static int smack_task_getpgid(struct task_struct *p) 1547 { 1548 return smk_curacc_on_task(p, MAY_READ, __func__); 1549 } 1550 1551 /** 1552 * smack_task_getsid - Smack access check for getsid 1553 * @p: the object task 1554 * 1555 * Returns 0 if current can read the object task, error code otherwise 1556 */ 1557 static int smack_task_getsid(struct task_struct *p) 1558 { 1559 return smk_curacc_on_task(p, MAY_READ, __func__); 1560 } 1561 1562 /** 1563 * smack_task_getsecid - get the secid of the task 1564 * @p: the object task 1565 * @secid: where to put the result 1566 * 1567 * Sets the secid to contain a u32 version of the smack label. 1568 */ 1569 static void smack_task_getsecid(struct task_struct *p, u32 *secid) 1570 { 1571 *secid = smack_to_secid(smk_of_task(task_security(p))); 1572 } 1573 1574 /** 1575 * smack_task_setnice - Smack check on setting nice 1576 * @p: the task object 1577 * @nice: unused 1578 * 1579 * Return 0 if write access is permitted 1580 */ 1581 static int smack_task_setnice(struct task_struct *p, int nice) 1582 { 1583 int rc; 1584 1585 rc = cap_task_setnice(p, nice); 1586 if (rc == 0) 1587 rc = smk_curacc_on_task(p, MAY_WRITE, __func__); 1588 return rc; 1589 } 1590 1591 /** 1592 * smack_task_setioprio - Smack check on setting ioprio 1593 * @p: the task object 1594 * @ioprio: unused 1595 * 1596 * Return 0 if write access is permitted 1597 */ 1598 static int smack_task_setioprio(struct task_struct *p, int ioprio) 1599 { 1600 int rc; 1601 1602 rc = cap_task_setioprio(p, ioprio); 1603 if (rc == 0) 1604 rc = smk_curacc_on_task(p, MAY_WRITE, __func__); 1605 return rc; 1606 } 1607 1608 /** 1609 * smack_task_getioprio - Smack check on reading ioprio 1610 * @p: the task object 1611 * 1612 * Return 0 if read access is permitted 1613 */ 1614 static int smack_task_getioprio(struct task_struct *p) 1615 { 1616 return smk_curacc_on_task(p, MAY_READ, __func__); 1617 } 1618 1619 /** 1620 * smack_task_setscheduler - Smack check on setting scheduler 1621 * @p: the task object 1622 * @policy: unused 1623 * @lp: unused 1624 * 1625 * Return 0 if read access is permitted 1626 */ 1627 static int smack_task_setscheduler(struct task_struct *p) 1628 { 1629 int rc; 1630 1631 rc = cap_task_setscheduler(p); 1632 if (rc == 0) 1633 rc = smk_curacc_on_task(p, MAY_WRITE, __func__); 1634 return rc; 1635 } 1636 1637 /** 1638 * smack_task_getscheduler - Smack check on reading scheduler 1639 * @p: the task object 1640 * 1641 * Return 0 if read access is permitted 1642 */ 1643 static int smack_task_getscheduler(struct task_struct *p) 1644 { 1645 return smk_curacc_on_task(p, MAY_READ, __func__); 1646 } 1647 1648 /** 1649 * smack_task_movememory - Smack check on moving memory 1650 * @p: the task object 1651 * 1652 * Return 0 if write access is permitted 1653 */ 1654 static int smack_task_movememory(struct task_struct *p) 1655 { 1656 return smk_curacc_on_task(p, MAY_WRITE, __func__); 1657 } 1658 1659 /** 1660 * smack_task_kill - Smack check on signal delivery 1661 * @p: the task object 1662 * @info: unused 1663 * @sig: unused 1664 * @secid: identifies the smack to use in lieu of current's 1665 * 1666 * Return 0 if write access is permitted 1667 * 1668 * The secid behavior is an artifact of an SELinux hack 1669 * in the USB code. Someday it may go away. 1670 */ 1671 static int smack_task_kill(struct task_struct *p, struct siginfo *info, 1672 int sig, u32 secid) 1673 { 1674 struct smk_audit_info ad; 1675 1676 smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_TASK); 1677 smk_ad_setfield_u_tsk(&ad, p); 1678 /* 1679 * Sending a signal requires that the sender 1680 * can write the receiver. 1681 */ 1682 if (secid == 0) 1683 return smk_curacc(smk_of_task(task_security(p)), MAY_WRITE, 1684 &ad); 1685 /* 1686 * If the secid isn't 0 we're dealing with some USB IO 1687 * specific behavior. This is not clean. For one thing 1688 * we can't take privilege into account. 1689 */ 1690 return smk_access(smack_from_secid(secid), 1691 smk_of_task(task_security(p)), MAY_WRITE, &ad); 1692 } 1693 1694 /** 1695 * smack_task_wait - Smack access check for waiting 1696 * @p: task to wait for 1697 * 1698 * Returns 0 if current can wait for p, error code otherwise 1699 */ 1700 static int smack_task_wait(struct task_struct *p) 1701 { 1702 struct smk_audit_info ad; 1703 char *sp = smk_of_current(); 1704 char *tsp = smk_of_forked(task_security(p)); 1705 int rc; 1706 1707 /* we don't log here, we can be overriden */ 1708 rc = smk_access(tsp, sp, MAY_WRITE, NULL); 1709 if (rc == 0) 1710 goto out_log; 1711 1712 /* 1713 * Allow the operation to succeed if either task 1714 * has privilege to perform operations that might 1715 * account for the smack labels having gotten to 1716 * be different in the first place. 1717 * 1718 * This breaks the strict subject/object access 1719 * control ideal, taking the object's privilege 1720 * state into account in the decision as well as 1721 * the smack value. 1722 */ 1723 if (capable(CAP_MAC_OVERRIDE) || has_capability(p, CAP_MAC_OVERRIDE)) 1724 rc = 0; 1725 /* we log only if we didn't get overriden */ 1726 out_log: 1727 smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_TASK); 1728 smk_ad_setfield_u_tsk(&ad, p); 1729 smack_log(tsp, sp, MAY_WRITE, rc, &ad); 1730 return rc; 1731 } 1732 1733 /** 1734 * smack_task_to_inode - copy task smack into the inode blob 1735 * @p: task to copy from 1736 * @inode: inode to copy to 1737 * 1738 * Sets the smack pointer in the inode security blob 1739 */ 1740 static void smack_task_to_inode(struct task_struct *p, struct inode *inode) 1741 { 1742 struct inode_smack *isp = inode->i_security; 1743 isp->smk_inode = smk_of_task(task_security(p)); 1744 } 1745 1746 /* 1747 * Socket hooks. 1748 */ 1749 1750 /** 1751 * smack_sk_alloc_security - Allocate a socket blob 1752 * @sk: the socket 1753 * @family: unused 1754 * @gfp_flags: memory allocation flags 1755 * 1756 * Assign Smack pointers to current 1757 * 1758 * Returns 0 on success, -ENOMEM is there's no memory 1759 */ 1760 static int smack_sk_alloc_security(struct sock *sk, int family, gfp_t gfp_flags) 1761 { 1762 char *csp = smk_of_current(); 1763 struct socket_smack *ssp; 1764 1765 ssp = kzalloc(sizeof(struct socket_smack), gfp_flags); 1766 if (ssp == NULL) 1767 return -ENOMEM; 1768 1769 ssp->smk_in = csp; 1770 ssp->smk_out = csp; 1771 ssp->smk_packet = NULL; 1772 1773 sk->sk_security = ssp; 1774 1775 return 0; 1776 } 1777 1778 /** 1779 * smack_sk_free_security - Free a socket blob 1780 * @sk: the socket 1781 * 1782 * Clears the blob pointer 1783 */ 1784 static void smack_sk_free_security(struct sock *sk) 1785 { 1786 kfree(sk->sk_security); 1787 } 1788 1789 /** 1790 * smack_host_label - check host based restrictions 1791 * @sip: the object end 1792 * 1793 * looks for host based access restrictions 1794 * 1795 * This version will only be appropriate for really small sets of single label 1796 * hosts. The caller is responsible for ensuring that the RCU read lock is 1797 * taken before calling this function. 1798 * 1799 * Returns the label of the far end or NULL if it's not special. 1800 */ 1801 static char *smack_host_label(struct sockaddr_in *sip) 1802 { 1803 struct smk_netlbladdr *snp; 1804 struct in_addr *siap = &sip->sin_addr; 1805 1806 if (siap->s_addr == 0) 1807 return NULL; 1808 1809 list_for_each_entry_rcu(snp, &smk_netlbladdr_list, list) 1810 /* 1811 * we break after finding the first match because 1812 * the list is sorted from longest to shortest mask 1813 * so we have found the most specific match 1814 */ 1815 if ((&snp->smk_host.sin_addr)->s_addr == 1816 (siap->s_addr & (&snp->smk_mask)->s_addr)) { 1817 /* we have found the special CIPSO option */ 1818 if (snp->smk_label == smack_cipso_option) 1819 return NULL; 1820 return snp->smk_label; 1821 } 1822 1823 return NULL; 1824 } 1825 1826 /** 1827 * smack_netlabel - Set the secattr on a socket 1828 * @sk: the socket 1829 * @labeled: socket label scheme 1830 * 1831 * Convert the outbound smack value (smk_out) to a 1832 * secattr and attach it to the socket. 1833 * 1834 * Returns 0 on success or an error code 1835 */ 1836 static int smack_netlabel(struct sock *sk, int labeled) 1837 { 1838 struct smack_known *skp; 1839 struct socket_smack *ssp = sk->sk_security; 1840 int rc = 0; 1841 1842 /* 1843 * Usually the netlabel code will handle changing the 1844 * packet labeling based on the label. 1845 * The case of a single label host is different, because 1846 * a single label host should never get a labeled packet 1847 * even though the label is usually associated with a packet 1848 * label. 1849 */ 1850 local_bh_disable(); 1851 bh_lock_sock_nested(sk); 1852 1853 if (ssp->smk_out == smack_net_ambient || 1854 labeled == SMACK_UNLABELED_SOCKET) 1855 netlbl_sock_delattr(sk); 1856 else { 1857 skp = smk_find_entry(ssp->smk_out); 1858 rc = netlbl_sock_setattr(sk, sk->sk_family, &skp->smk_netlabel); 1859 } 1860 1861 bh_unlock_sock(sk); 1862 local_bh_enable(); 1863 1864 return rc; 1865 } 1866 1867 /** 1868 * smack_netlbel_send - Set the secattr on a socket and perform access checks 1869 * @sk: the socket 1870 * @sap: the destination address 1871 * 1872 * Set the correct secattr for the given socket based on the destination 1873 * address and perform any outbound access checks needed. 1874 * 1875 * Returns 0 on success or an error code. 1876 * 1877 */ 1878 static int smack_netlabel_send(struct sock *sk, struct sockaddr_in *sap) 1879 { 1880 int rc; 1881 int sk_lbl; 1882 char *hostsp; 1883 struct socket_smack *ssp = sk->sk_security; 1884 struct smk_audit_info ad; 1885 1886 rcu_read_lock(); 1887 hostsp = smack_host_label(sap); 1888 if (hostsp != NULL) { 1889 #ifdef CONFIG_AUDIT 1890 struct lsm_network_audit net; 1891 1892 smk_ad_init_net(&ad, __func__, LSM_AUDIT_DATA_NET, &net); 1893 ad.a.u.net->family = sap->sin_family; 1894 ad.a.u.net->dport = sap->sin_port; 1895 ad.a.u.net->v4info.daddr = sap->sin_addr.s_addr; 1896 #endif 1897 sk_lbl = SMACK_UNLABELED_SOCKET; 1898 rc = smk_access(ssp->smk_out, hostsp, MAY_WRITE, &ad); 1899 } else { 1900 sk_lbl = SMACK_CIPSO_SOCKET; 1901 rc = 0; 1902 } 1903 rcu_read_unlock(); 1904 if (rc != 0) 1905 return rc; 1906 1907 return smack_netlabel(sk, sk_lbl); 1908 } 1909 1910 /** 1911 * smack_inode_setsecurity - set smack xattrs 1912 * @inode: the object 1913 * @name: attribute name 1914 * @value: attribute value 1915 * @size: size of the attribute 1916 * @flags: unused 1917 * 1918 * Sets the named attribute in the appropriate blob 1919 * 1920 * Returns 0 on success, or an error code 1921 */ 1922 static int smack_inode_setsecurity(struct inode *inode, const char *name, 1923 const void *value, size_t size, int flags) 1924 { 1925 char *sp; 1926 struct inode_smack *nsp = inode->i_security; 1927 struct socket_smack *ssp; 1928 struct socket *sock; 1929 int rc = 0; 1930 1931 if (value == NULL || size > SMK_LONGLABEL || size == 0) 1932 return -EACCES; 1933 1934 sp = smk_import(value, size); 1935 if (sp == NULL) 1936 return -EINVAL; 1937 1938 if (strcmp(name, XATTR_SMACK_SUFFIX) == 0) { 1939 nsp->smk_inode = sp; 1940 nsp->smk_flags |= SMK_INODE_INSTANT; 1941 return 0; 1942 } 1943 /* 1944 * The rest of the Smack xattrs are only on sockets. 1945 */ 1946 if (inode->i_sb->s_magic != SOCKFS_MAGIC) 1947 return -EOPNOTSUPP; 1948 1949 sock = SOCKET_I(inode); 1950 if (sock == NULL || sock->sk == NULL) 1951 return -EOPNOTSUPP; 1952 1953 ssp = sock->sk->sk_security; 1954 1955 if (strcmp(name, XATTR_SMACK_IPIN) == 0) 1956 ssp->smk_in = sp; 1957 else if (strcmp(name, XATTR_SMACK_IPOUT) == 0) { 1958 ssp->smk_out = sp; 1959 if (sock->sk->sk_family != PF_UNIX) { 1960 rc = smack_netlabel(sock->sk, SMACK_CIPSO_SOCKET); 1961 if (rc != 0) 1962 printk(KERN_WARNING 1963 "Smack: \"%s\" netlbl error %d.\n", 1964 __func__, -rc); 1965 } 1966 } else 1967 return -EOPNOTSUPP; 1968 1969 return 0; 1970 } 1971 1972 /** 1973 * smack_socket_post_create - finish socket setup 1974 * @sock: the socket 1975 * @family: protocol family 1976 * @type: unused 1977 * @protocol: unused 1978 * @kern: unused 1979 * 1980 * Sets the netlabel information on the socket 1981 * 1982 * Returns 0 on success, and error code otherwise 1983 */ 1984 static int smack_socket_post_create(struct socket *sock, int family, 1985 int type, int protocol, int kern) 1986 { 1987 if (family != PF_INET || sock->sk == NULL) 1988 return 0; 1989 /* 1990 * Set the outbound netlbl. 1991 */ 1992 return smack_netlabel(sock->sk, SMACK_CIPSO_SOCKET); 1993 } 1994 1995 /** 1996 * smack_socket_connect - connect access check 1997 * @sock: the socket 1998 * @sap: the other end 1999 * @addrlen: size of sap 2000 * 2001 * Verifies that a connection may be possible 2002 * 2003 * Returns 0 on success, and error code otherwise 2004 */ 2005 static int smack_socket_connect(struct socket *sock, struct sockaddr *sap, 2006 int addrlen) 2007 { 2008 if (sock->sk == NULL || sock->sk->sk_family != PF_INET) 2009 return 0; 2010 if (addrlen < sizeof(struct sockaddr_in)) 2011 return -EINVAL; 2012 2013 return smack_netlabel_send(sock->sk, (struct sockaddr_in *)sap); 2014 } 2015 2016 /** 2017 * smack_flags_to_may - convert S_ to MAY_ values 2018 * @flags: the S_ value 2019 * 2020 * Returns the equivalent MAY_ value 2021 */ 2022 static int smack_flags_to_may(int flags) 2023 { 2024 int may = 0; 2025 2026 if (flags & S_IRUGO) 2027 may |= MAY_READ; 2028 if (flags & S_IWUGO) 2029 may |= MAY_WRITE; 2030 if (flags & S_IXUGO) 2031 may |= MAY_EXEC; 2032 2033 return may; 2034 } 2035 2036 /** 2037 * smack_msg_msg_alloc_security - Set the security blob for msg_msg 2038 * @msg: the object 2039 * 2040 * Returns 0 2041 */ 2042 static int smack_msg_msg_alloc_security(struct msg_msg *msg) 2043 { 2044 msg->security = smk_of_current(); 2045 return 0; 2046 } 2047 2048 /** 2049 * smack_msg_msg_free_security - Clear the security blob for msg_msg 2050 * @msg: the object 2051 * 2052 * Clears the blob pointer 2053 */ 2054 static void smack_msg_msg_free_security(struct msg_msg *msg) 2055 { 2056 msg->security = NULL; 2057 } 2058 2059 /** 2060 * smack_of_shm - the smack pointer for the shm 2061 * @shp: the object 2062 * 2063 * Returns a pointer to the smack value 2064 */ 2065 static char *smack_of_shm(struct shmid_kernel *shp) 2066 { 2067 return (char *)shp->shm_perm.security; 2068 } 2069 2070 /** 2071 * smack_shm_alloc_security - Set the security blob for shm 2072 * @shp: the object 2073 * 2074 * Returns 0 2075 */ 2076 static int smack_shm_alloc_security(struct shmid_kernel *shp) 2077 { 2078 struct kern_ipc_perm *isp = &shp->shm_perm; 2079 2080 isp->security = smk_of_current(); 2081 return 0; 2082 } 2083 2084 /** 2085 * smack_shm_free_security - Clear the security blob for shm 2086 * @shp: the object 2087 * 2088 * Clears the blob pointer 2089 */ 2090 static void smack_shm_free_security(struct shmid_kernel *shp) 2091 { 2092 struct kern_ipc_perm *isp = &shp->shm_perm; 2093 2094 isp->security = NULL; 2095 } 2096 2097 /** 2098 * smk_curacc_shm : check if current has access on shm 2099 * @shp : the object 2100 * @access : access requested 2101 * 2102 * Returns 0 if current has the requested access, error code otherwise 2103 */ 2104 static int smk_curacc_shm(struct shmid_kernel *shp, int access) 2105 { 2106 char *ssp = smack_of_shm(shp); 2107 struct smk_audit_info ad; 2108 2109 #ifdef CONFIG_AUDIT 2110 smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_IPC); 2111 ad.a.u.ipc_id = shp->shm_perm.id; 2112 #endif 2113 return smk_curacc(ssp, access, &ad); 2114 } 2115 2116 /** 2117 * smack_shm_associate - Smack access check for shm 2118 * @shp: the object 2119 * @shmflg: access requested 2120 * 2121 * Returns 0 if current has the requested access, error code otherwise 2122 */ 2123 static int smack_shm_associate(struct shmid_kernel *shp, int shmflg) 2124 { 2125 int may; 2126 2127 may = smack_flags_to_may(shmflg); 2128 return smk_curacc_shm(shp, may); 2129 } 2130 2131 /** 2132 * smack_shm_shmctl - Smack access check for shm 2133 * @shp: the object 2134 * @cmd: what it wants to do 2135 * 2136 * Returns 0 if current has the requested access, error code otherwise 2137 */ 2138 static int smack_shm_shmctl(struct shmid_kernel *shp, int cmd) 2139 { 2140 int may; 2141 2142 switch (cmd) { 2143 case IPC_STAT: 2144 case SHM_STAT: 2145 may = MAY_READ; 2146 break; 2147 case IPC_SET: 2148 case SHM_LOCK: 2149 case SHM_UNLOCK: 2150 case IPC_RMID: 2151 may = MAY_READWRITE; 2152 break; 2153 case IPC_INFO: 2154 case SHM_INFO: 2155 /* 2156 * System level information. 2157 */ 2158 return 0; 2159 default: 2160 return -EINVAL; 2161 } 2162 return smk_curacc_shm(shp, may); 2163 } 2164 2165 /** 2166 * smack_shm_shmat - Smack access for shmat 2167 * @shp: the object 2168 * @shmaddr: unused 2169 * @shmflg: access requested 2170 * 2171 * Returns 0 if current has the requested access, error code otherwise 2172 */ 2173 static int smack_shm_shmat(struct shmid_kernel *shp, char __user *shmaddr, 2174 int shmflg) 2175 { 2176 int may; 2177 2178 may = smack_flags_to_may(shmflg); 2179 return smk_curacc_shm(shp, may); 2180 } 2181 2182 /** 2183 * smack_of_sem - the smack pointer for the sem 2184 * @sma: the object 2185 * 2186 * Returns a pointer to the smack value 2187 */ 2188 static char *smack_of_sem(struct sem_array *sma) 2189 { 2190 return (char *)sma->sem_perm.security; 2191 } 2192 2193 /** 2194 * smack_sem_alloc_security - Set the security blob for sem 2195 * @sma: the object 2196 * 2197 * Returns 0 2198 */ 2199 static int smack_sem_alloc_security(struct sem_array *sma) 2200 { 2201 struct kern_ipc_perm *isp = &sma->sem_perm; 2202 2203 isp->security = smk_of_current(); 2204 return 0; 2205 } 2206 2207 /** 2208 * smack_sem_free_security - Clear the security blob for sem 2209 * @sma: the object 2210 * 2211 * Clears the blob pointer 2212 */ 2213 static void smack_sem_free_security(struct sem_array *sma) 2214 { 2215 struct kern_ipc_perm *isp = &sma->sem_perm; 2216 2217 isp->security = NULL; 2218 } 2219 2220 /** 2221 * smk_curacc_sem : check if current has access on sem 2222 * @sma : the object 2223 * @access : access requested 2224 * 2225 * Returns 0 if current has the requested access, error code otherwise 2226 */ 2227 static int smk_curacc_sem(struct sem_array *sma, int access) 2228 { 2229 char *ssp = smack_of_sem(sma); 2230 struct smk_audit_info ad; 2231 2232 #ifdef CONFIG_AUDIT 2233 smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_IPC); 2234 ad.a.u.ipc_id = sma->sem_perm.id; 2235 #endif 2236 return smk_curacc(ssp, access, &ad); 2237 } 2238 2239 /** 2240 * smack_sem_associate - Smack access check for sem 2241 * @sma: the object 2242 * @semflg: access requested 2243 * 2244 * Returns 0 if current has the requested access, error code otherwise 2245 */ 2246 static int smack_sem_associate(struct sem_array *sma, int semflg) 2247 { 2248 int may; 2249 2250 may = smack_flags_to_may(semflg); 2251 return smk_curacc_sem(sma, may); 2252 } 2253 2254 /** 2255 * smack_sem_shmctl - Smack access check for sem 2256 * @sma: the object 2257 * @cmd: what it wants to do 2258 * 2259 * Returns 0 if current has the requested access, error code otherwise 2260 */ 2261 static int smack_sem_semctl(struct sem_array *sma, int cmd) 2262 { 2263 int may; 2264 2265 switch (cmd) { 2266 case GETPID: 2267 case GETNCNT: 2268 case GETZCNT: 2269 case GETVAL: 2270 case GETALL: 2271 case IPC_STAT: 2272 case SEM_STAT: 2273 may = MAY_READ; 2274 break; 2275 case SETVAL: 2276 case SETALL: 2277 case IPC_RMID: 2278 case IPC_SET: 2279 may = MAY_READWRITE; 2280 break; 2281 case IPC_INFO: 2282 case SEM_INFO: 2283 /* 2284 * System level information 2285 */ 2286 return 0; 2287 default: 2288 return -EINVAL; 2289 } 2290 2291 return smk_curacc_sem(sma, may); 2292 } 2293 2294 /** 2295 * smack_sem_semop - Smack checks of semaphore operations 2296 * @sma: the object 2297 * @sops: unused 2298 * @nsops: unused 2299 * @alter: unused 2300 * 2301 * Treated as read and write in all cases. 2302 * 2303 * Returns 0 if access is allowed, error code otherwise 2304 */ 2305 static int smack_sem_semop(struct sem_array *sma, struct sembuf *sops, 2306 unsigned nsops, int alter) 2307 { 2308 return smk_curacc_sem(sma, MAY_READWRITE); 2309 } 2310 2311 /** 2312 * smack_msg_alloc_security - Set the security blob for msg 2313 * @msq: the object 2314 * 2315 * Returns 0 2316 */ 2317 static int smack_msg_queue_alloc_security(struct msg_queue *msq) 2318 { 2319 struct kern_ipc_perm *kisp = &msq->q_perm; 2320 2321 kisp->security = smk_of_current(); 2322 return 0; 2323 } 2324 2325 /** 2326 * smack_msg_free_security - Clear the security blob for msg 2327 * @msq: the object 2328 * 2329 * Clears the blob pointer 2330 */ 2331 static void smack_msg_queue_free_security(struct msg_queue *msq) 2332 { 2333 struct kern_ipc_perm *kisp = &msq->q_perm; 2334 2335 kisp->security = NULL; 2336 } 2337 2338 /** 2339 * smack_of_msq - the smack pointer for the msq 2340 * @msq: the object 2341 * 2342 * Returns a pointer to the smack value 2343 */ 2344 static char *smack_of_msq(struct msg_queue *msq) 2345 { 2346 return (char *)msq->q_perm.security; 2347 } 2348 2349 /** 2350 * smk_curacc_msq : helper to check if current has access on msq 2351 * @msq : the msq 2352 * @access : access requested 2353 * 2354 * return 0 if current has access, error otherwise 2355 */ 2356 static int smk_curacc_msq(struct msg_queue *msq, int access) 2357 { 2358 char *msp = smack_of_msq(msq); 2359 struct smk_audit_info ad; 2360 2361 #ifdef CONFIG_AUDIT 2362 smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_IPC); 2363 ad.a.u.ipc_id = msq->q_perm.id; 2364 #endif 2365 return smk_curacc(msp, access, &ad); 2366 } 2367 2368 /** 2369 * smack_msg_queue_associate - Smack access check for msg_queue 2370 * @msq: the object 2371 * @msqflg: access requested 2372 * 2373 * Returns 0 if current has the requested access, error code otherwise 2374 */ 2375 static int smack_msg_queue_associate(struct msg_queue *msq, int msqflg) 2376 { 2377 int may; 2378 2379 may = smack_flags_to_may(msqflg); 2380 return smk_curacc_msq(msq, may); 2381 } 2382 2383 /** 2384 * smack_msg_queue_msgctl - Smack access check for msg_queue 2385 * @msq: the object 2386 * @cmd: what it wants to do 2387 * 2388 * Returns 0 if current has the requested access, error code otherwise 2389 */ 2390 static int smack_msg_queue_msgctl(struct msg_queue *msq, int cmd) 2391 { 2392 int may; 2393 2394 switch (cmd) { 2395 case IPC_STAT: 2396 case MSG_STAT: 2397 may = MAY_READ; 2398 break; 2399 case IPC_SET: 2400 case IPC_RMID: 2401 may = MAY_READWRITE; 2402 break; 2403 case IPC_INFO: 2404 case MSG_INFO: 2405 /* 2406 * System level information 2407 */ 2408 return 0; 2409 default: 2410 return -EINVAL; 2411 } 2412 2413 return smk_curacc_msq(msq, may); 2414 } 2415 2416 /** 2417 * smack_msg_queue_msgsnd - Smack access check for msg_queue 2418 * @msq: the object 2419 * @msg: unused 2420 * @msqflg: access requested 2421 * 2422 * Returns 0 if current has the requested access, error code otherwise 2423 */ 2424 static int smack_msg_queue_msgsnd(struct msg_queue *msq, struct msg_msg *msg, 2425 int msqflg) 2426 { 2427 int may; 2428 2429 may = smack_flags_to_may(msqflg); 2430 return smk_curacc_msq(msq, may); 2431 } 2432 2433 /** 2434 * smack_msg_queue_msgsnd - Smack access check for msg_queue 2435 * @msq: the object 2436 * @msg: unused 2437 * @target: unused 2438 * @type: unused 2439 * @mode: unused 2440 * 2441 * Returns 0 if current has read and write access, error code otherwise 2442 */ 2443 static int smack_msg_queue_msgrcv(struct msg_queue *msq, struct msg_msg *msg, 2444 struct task_struct *target, long type, int mode) 2445 { 2446 return smk_curacc_msq(msq, MAY_READWRITE); 2447 } 2448 2449 /** 2450 * smack_ipc_permission - Smack access for ipc_permission() 2451 * @ipp: the object permissions 2452 * @flag: access requested 2453 * 2454 * Returns 0 if current has read and write access, error code otherwise 2455 */ 2456 static int smack_ipc_permission(struct kern_ipc_perm *ipp, short flag) 2457 { 2458 char *isp = ipp->security; 2459 int may = smack_flags_to_may(flag); 2460 struct smk_audit_info ad; 2461 2462 #ifdef CONFIG_AUDIT 2463 smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_IPC); 2464 ad.a.u.ipc_id = ipp->id; 2465 #endif 2466 return smk_curacc(isp, may, &ad); 2467 } 2468 2469 /** 2470 * smack_ipc_getsecid - Extract smack security id 2471 * @ipp: the object permissions 2472 * @secid: where result will be saved 2473 */ 2474 static void smack_ipc_getsecid(struct kern_ipc_perm *ipp, u32 *secid) 2475 { 2476 char *smack = ipp->security; 2477 2478 *secid = smack_to_secid(smack); 2479 } 2480 2481 /** 2482 * smack_d_instantiate - Make sure the blob is correct on an inode 2483 * @opt_dentry: dentry where inode will be attached 2484 * @inode: the object 2485 * 2486 * Set the inode's security blob if it hasn't been done already. 2487 */ 2488 static void smack_d_instantiate(struct dentry *opt_dentry, struct inode *inode) 2489 { 2490 struct super_block *sbp; 2491 struct superblock_smack *sbsp; 2492 struct inode_smack *isp; 2493 char *csp = smk_of_current(); 2494 char *fetched; 2495 char *final; 2496 char trattr[TRANS_TRUE_SIZE]; 2497 int transflag = 0; 2498 int rc; 2499 struct dentry *dp; 2500 2501 if (inode == NULL) 2502 return; 2503 2504 isp = inode->i_security; 2505 2506 mutex_lock(&isp->smk_lock); 2507 /* 2508 * If the inode is already instantiated 2509 * take the quick way out 2510 */ 2511 if (isp->smk_flags & SMK_INODE_INSTANT) 2512 goto unlockandout; 2513 2514 sbp = inode->i_sb; 2515 sbsp = sbp->s_security; 2516 /* 2517 * We're going to use the superblock default label 2518 * if there's no label on the file. 2519 */ 2520 final = sbsp->smk_default; 2521 2522 /* 2523 * If this is the root inode the superblock 2524 * may be in the process of initialization. 2525 * If that is the case use the root value out 2526 * of the superblock. 2527 */ 2528 if (opt_dentry->d_parent == opt_dentry) { 2529 isp->smk_inode = sbsp->smk_root; 2530 isp->smk_flags |= SMK_INODE_INSTANT; 2531 goto unlockandout; 2532 } 2533 2534 /* 2535 * This is pretty hackish. 2536 * Casey says that we shouldn't have to do 2537 * file system specific code, but it does help 2538 * with keeping it simple. 2539 */ 2540 switch (sbp->s_magic) { 2541 case SMACK_MAGIC: 2542 /* 2543 * Casey says that it's a little embarrassing 2544 * that the smack file system doesn't do 2545 * extended attributes. 2546 */ 2547 final = smack_known_star.smk_known; 2548 break; 2549 case PIPEFS_MAGIC: 2550 /* 2551 * Casey says pipes are easy (?) 2552 */ 2553 final = smack_known_star.smk_known; 2554 break; 2555 case DEVPTS_SUPER_MAGIC: 2556 /* 2557 * devpts seems content with the label of the task. 2558 * Programs that change smack have to treat the 2559 * pty with respect. 2560 */ 2561 final = csp; 2562 break; 2563 case SOCKFS_MAGIC: 2564 /* 2565 * Socket access is controlled by the socket 2566 * structures associated with the task involved. 2567 */ 2568 final = smack_known_star.smk_known; 2569 break; 2570 case PROC_SUPER_MAGIC: 2571 /* 2572 * Casey says procfs appears not to care. 2573 * The superblock default suffices. 2574 */ 2575 break; 2576 case TMPFS_MAGIC: 2577 /* 2578 * Device labels should come from the filesystem, 2579 * but watch out, because they're volitile, 2580 * getting recreated on every reboot. 2581 */ 2582 final = smack_known_star.smk_known; 2583 /* 2584 * No break. 2585 * 2586 * If a smack value has been set we want to use it, 2587 * but since tmpfs isn't giving us the opportunity 2588 * to set mount options simulate setting the 2589 * superblock default. 2590 */ 2591 default: 2592 /* 2593 * This isn't an understood special case. 2594 * Get the value from the xattr. 2595 */ 2596 2597 /* 2598 * UNIX domain sockets use lower level socket data. 2599 */ 2600 if (S_ISSOCK(inode->i_mode)) { 2601 final = smack_known_star.smk_known; 2602 break; 2603 } 2604 /* 2605 * No xattr support means, alas, no SMACK label. 2606 * Use the aforeapplied default. 2607 * It would be curious if the label of the task 2608 * does not match that assigned. 2609 */ 2610 if (inode->i_op->getxattr == NULL) 2611 break; 2612 /* 2613 * Get the dentry for xattr. 2614 */ 2615 dp = dget(opt_dentry); 2616 fetched = smk_fetch(XATTR_NAME_SMACK, inode, dp); 2617 if (fetched != NULL) 2618 final = fetched; 2619 2620 /* 2621 * Transmuting directory 2622 */ 2623 if (S_ISDIR(inode->i_mode)) { 2624 /* 2625 * If this is a new directory and the label was 2626 * transmuted when the inode was initialized 2627 * set the transmute attribute on the directory 2628 * and mark the inode. 2629 * 2630 * If there is a transmute attribute on the 2631 * directory mark the inode. 2632 */ 2633 if (isp->smk_flags & SMK_INODE_CHANGED) { 2634 isp->smk_flags &= ~SMK_INODE_CHANGED; 2635 rc = inode->i_op->setxattr(dp, 2636 XATTR_NAME_SMACKTRANSMUTE, 2637 TRANS_TRUE, TRANS_TRUE_SIZE, 2638 0); 2639 } else { 2640 rc = inode->i_op->getxattr(dp, 2641 XATTR_NAME_SMACKTRANSMUTE, trattr, 2642 TRANS_TRUE_SIZE); 2643 if (rc >= 0 && strncmp(trattr, TRANS_TRUE, 2644 TRANS_TRUE_SIZE) != 0) 2645 rc = -EINVAL; 2646 } 2647 if (rc >= 0) 2648 transflag = SMK_INODE_TRANSMUTE; 2649 } 2650 isp->smk_task = smk_fetch(XATTR_NAME_SMACKEXEC, inode, dp); 2651 isp->smk_mmap = smk_fetch(XATTR_NAME_SMACKMMAP, inode, dp); 2652 2653 dput(dp); 2654 break; 2655 } 2656 2657 if (final == NULL) 2658 isp->smk_inode = csp; 2659 else 2660 isp->smk_inode = final; 2661 2662 isp->smk_flags |= (SMK_INODE_INSTANT | transflag); 2663 2664 unlockandout: 2665 mutex_unlock(&isp->smk_lock); 2666 return; 2667 } 2668 2669 /** 2670 * smack_getprocattr - Smack process attribute access 2671 * @p: the object task 2672 * @name: the name of the attribute in /proc/.../attr 2673 * @value: where to put the result 2674 * 2675 * Places a copy of the task Smack into value 2676 * 2677 * Returns the length of the smack label or an error code 2678 */ 2679 static int smack_getprocattr(struct task_struct *p, char *name, char **value) 2680 { 2681 char *cp; 2682 int slen; 2683 2684 if (strcmp(name, "current") != 0) 2685 return -EINVAL; 2686 2687 cp = kstrdup(smk_of_task(task_security(p)), GFP_KERNEL); 2688 if (cp == NULL) 2689 return -ENOMEM; 2690 2691 slen = strlen(cp); 2692 *value = cp; 2693 return slen; 2694 } 2695 2696 /** 2697 * smack_setprocattr - Smack process attribute setting 2698 * @p: the object task 2699 * @name: the name of the attribute in /proc/.../attr 2700 * @value: the value to set 2701 * @size: the size of the value 2702 * 2703 * Sets the Smack value of the task. Only setting self 2704 * is permitted and only with privilege 2705 * 2706 * Returns the length of the smack label or an error code 2707 */ 2708 static int smack_setprocattr(struct task_struct *p, char *name, 2709 void *value, size_t size) 2710 { 2711 int rc; 2712 struct task_smack *tsp; 2713 struct task_smack *oldtsp; 2714 struct cred *new; 2715 char *newsmack; 2716 2717 /* 2718 * Changing another process' Smack value is too dangerous 2719 * and supports no sane use case. 2720 */ 2721 if (p != current) 2722 return -EPERM; 2723 2724 if (!capable(CAP_MAC_ADMIN)) 2725 return -EPERM; 2726 2727 if (value == NULL || size == 0 || size >= SMK_LONGLABEL) 2728 return -EINVAL; 2729 2730 if (strcmp(name, "current") != 0) 2731 return -EINVAL; 2732 2733 newsmack = smk_import(value, size); 2734 if (newsmack == NULL) 2735 return -EINVAL; 2736 2737 /* 2738 * No process is ever allowed the web ("@") label. 2739 */ 2740 if (newsmack == smack_known_web.smk_known) 2741 return -EPERM; 2742 2743 oldtsp = p->cred->security; 2744 new = prepare_creds(); 2745 if (new == NULL) 2746 return -ENOMEM; 2747 2748 tsp = new_task_smack(newsmack, oldtsp->smk_forked, GFP_KERNEL); 2749 if (tsp == NULL) { 2750 kfree(new); 2751 return -ENOMEM; 2752 } 2753 rc = smk_copy_rules(&tsp->smk_rules, &oldtsp->smk_rules, GFP_KERNEL); 2754 if (rc != 0) 2755 return rc; 2756 2757 new->security = tsp; 2758 commit_creds(new); 2759 return size; 2760 } 2761 2762 /** 2763 * smack_unix_stream_connect - Smack access on UDS 2764 * @sock: one sock 2765 * @other: the other sock 2766 * @newsk: unused 2767 * 2768 * Return 0 if a subject with the smack of sock could access 2769 * an object with the smack of other, otherwise an error code 2770 */ 2771 static int smack_unix_stream_connect(struct sock *sock, 2772 struct sock *other, struct sock *newsk) 2773 { 2774 struct socket_smack *ssp = sock->sk_security; 2775 struct socket_smack *osp = other->sk_security; 2776 struct socket_smack *nsp = newsk->sk_security; 2777 struct smk_audit_info ad; 2778 int rc = 0; 2779 2780 #ifdef CONFIG_AUDIT 2781 struct lsm_network_audit net; 2782 2783 smk_ad_init_net(&ad, __func__, LSM_AUDIT_DATA_NET, &net); 2784 smk_ad_setfield_u_net_sk(&ad, other); 2785 #endif 2786 2787 if (!capable(CAP_MAC_OVERRIDE)) 2788 rc = smk_access(ssp->smk_out, osp->smk_in, MAY_WRITE, &ad); 2789 2790 /* 2791 * Cross reference the peer labels for SO_PEERSEC. 2792 */ 2793 if (rc == 0) { 2794 nsp->smk_packet = ssp->smk_out; 2795 ssp->smk_packet = osp->smk_out; 2796 } 2797 2798 return rc; 2799 } 2800 2801 /** 2802 * smack_unix_may_send - Smack access on UDS 2803 * @sock: one socket 2804 * @other: the other socket 2805 * 2806 * Return 0 if a subject with the smack of sock could access 2807 * an object with the smack of other, otherwise an error code 2808 */ 2809 static int smack_unix_may_send(struct socket *sock, struct socket *other) 2810 { 2811 struct socket_smack *ssp = sock->sk->sk_security; 2812 struct socket_smack *osp = other->sk->sk_security; 2813 struct smk_audit_info ad; 2814 int rc = 0; 2815 2816 #ifdef CONFIG_AUDIT 2817 struct lsm_network_audit net; 2818 2819 smk_ad_init_net(&ad, __func__, LSM_AUDIT_DATA_NET, &net); 2820 smk_ad_setfield_u_net_sk(&ad, other->sk); 2821 #endif 2822 2823 if (!capable(CAP_MAC_OVERRIDE)) 2824 rc = smk_access(ssp->smk_out, osp->smk_in, MAY_WRITE, &ad); 2825 2826 return rc; 2827 } 2828 2829 /** 2830 * smack_socket_sendmsg - Smack check based on destination host 2831 * @sock: the socket 2832 * @msg: the message 2833 * @size: the size of the message 2834 * 2835 * Return 0 if the current subject can write to the destination 2836 * host. This is only a question if the destination is a single 2837 * label host. 2838 */ 2839 static int smack_socket_sendmsg(struct socket *sock, struct msghdr *msg, 2840 int size) 2841 { 2842 struct sockaddr_in *sip = (struct sockaddr_in *) msg->msg_name; 2843 2844 /* 2845 * Perfectly reasonable for this to be NULL 2846 */ 2847 if (sip == NULL || sip->sin_family != AF_INET) 2848 return 0; 2849 2850 return smack_netlabel_send(sock->sk, sip); 2851 } 2852 2853 /** 2854 * smack_from_secattr - Convert a netlabel attr.mls.lvl/attr.mls.cat pair to smack 2855 * @sap: netlabel secattr 2856 * @ssp: socket security information 2857 * 2858 * Returns a pointer to a Smack label found on the label list. 2859 */ 2860 static char *smack_from_secattr(struct netlbl_lsm_secattr *sap, 2861 struct socket_smack *ssp) 2862 { 2863 struct smack_known *kp; 2864 char *sp; 2865 int found = 0; 2866 2867 if ((sap->flags & NETLBL_SECATTR_MLS_LVL) != 0) { 2868 /* 2869 * Looks like a CIPSO packet. 2870 * If there are flags but no level netlabel isn't 2871 * behaving the way we expect it to. 2872 * 2873 * Look it up in the label table 2874 * Without guidance regarding the smack value 2875 * for the packet fall back on the network 2876 * ambient value. 2877 */ 2878 rcu_read_lock(); 2879 list_for_each_entry(kp, &smack_known_list, list) { 2880 if (sap->attr.mls.lvl != kp->smk_netlabel.attr.mls.lvl) 2881 continue; 2882 if (memcmp(sap->attr.mls.cat, 2883 kp->smk_netlabel.attr.mls.cat, 2884 SMK_CIPSOLEN) != 0) 2885 continue; 2886 found = 1; 2887 break; 2888 } 2889 rcu_read_unlock(); 2890 2891 if (found) 2892 return kp->smk_known; 2893 2894 if (ssp != NULL && ssp->smk_in == smack_known_star.smk_known) 2895 return smack_known_web.smk_known; 2896 return smack_known_star.smk_known; 2897 } 2898 if ((sap->flags & NETLBL_SECATTR_SECID) != 0) { 2899 /* 2900 * Looks like a fallback, which gives us a secid. 2901 */ 2902 sp = smack_from_secid(sap->attr.secid); 2903 /* 2904 * This has got to be a bug because it is 2905 * impossible to specify a fallback without 2906 * specifying the label, which will ensure 2907 * it has a secid, and the only way to get a 2908 * secid is from a fallback. 2909 */ 2910 BUG_ON(sp == NULL); 2911 return sp; 2912 } 2913 /* 2914 * Without guidance regarding the smack value 2915 * for the packet fall back on the network 2916 * ambient value. 2917 */ 2918 return smack_net_ambient; 2919 } 2920 2921 /** 2922 * smack_socket_sock_rcv_skb - Smack packet delivery access check 2923 * @sk: socket 2924 * @skb: packet 2925 * 2926 * Returns 0 if the packet should be delivered, an error code otherwise 2927 */ 2928 static int smack_socket_sock_rcv_skb(struct sock *sk, struct sk_buff *skb) 2929 { 2930 struct netlbl_lsm_secattr secattr; 2931 struct socket_smack *ssp = sk->sk_security; 2932 char *csp; 2933 int rc; 2934 struct smk_audit_info ad; 2935 #ifdef CONFIG_AUDIT 2936 struct lsm_network_audit net; 2937 #endif 2938 if (sk->sk_family != PF_INET && sk->sk_family != PF_INET6) 2939 return 0; 2940 2941 /* 2942 * Translate what netlabel gave us. 2943 */ 2944 netlbl_secattr_init(&secattr); 2945 2946 rc = netlbl_skbuff_getattr(skb, sk->sk_family, &secattr); 2947 if (rc == 0) 2948 csp = smack_from_secattr(&secattr, ssp); 2949 else 2950 csp = smack_net_ambient; 2951 2952 netlbl_secattr_destroy(&secattr); 2953 2954 #ifdef CONFIG_AUDIT 2955 smk_ad_init_net(&ad, __func__, LSM_AUDIT_DATA_NET, &net); 2956 ad.a.u.net->family = sk->sk_family; 2957 ad.a.u.net->netif = skb->skb_iif; 2958 ipv4_skb_to_auditdata(skb, &ad.a, NULL); 2959 #endif 2960 /* 2961 * Receiving a packet requires that the other end 2962 * be able to write here. Read access is not required. 2963 * This is the simplist possible security model 2964 * for networking. 2965 */ 2966 rc = smk_access(csp, ssp->smk_in, MAY_WRITE, &ad); 2967 if (rc != 0) 2968 netlbl_skbuff_err(skb, rc, 0); 2969 return rc; 2970 } 2971 2972 /** 2973 * smack_socket_getpeersec_stream - pull in packet label 2974 * @sock: the socket 2975 * @optval: user's destination 2976 * @optlen: size thereof 2977 * @len: max thereof 2978 * 2979 * returns zero on success, an error code otherwise 2980 */ 2981 static int smack_socket_getpeersec_stream(struct socket *sock, 2982 char __user *optval, 2983 int __user *optlen, unsigned len) 2984 { 2985 struct socket_smack *ssp; 2986 char *rcp = ""; 2987 int slen = 1; 2988 int rc = 0; 2989 2990 ssp = sock->sk->sk_security; 2991 if (ssp->smk_packet != NULL) { 2992 rcp = ssp->smk_packet; 2993 slen = strlen(rcp) + 1; 2994 } 2995 2996 if (slen > len) 2997 rc = -ERANGE; 2998 else if (copy_to_user(optval, rcp, slen) != 0) 2999 rc = -EFAULT; 3000 3001 if (put_user(slen, optlen) != 0) 3002 rc = -EFAULT; 3003 3004 return rc; 3005 } 3006 3007 3008 /** 3009 * smack_socket_getpeersec_dgram - pull in packet label 3010 * @sock: the peer socket 3011 * @skb: packet data 3012 * @secid: pointer to where to put the secid of the packet 3013 * 3014 * Sets the netlabel socket state on sk from parent 3015 */ 3016 static int smack_socket_getpeersec_dgram(struct socket *sock, 3017 struct sk_buff *skb, u32 *secid) 3018 3019 { 3020 struct netlbl_lsm_secattr secattr; 3021 struct socket_smack *ssp = NULL; 3022 char *sp; 3023 int family = PF_UNSPEC; 3024 u32 s = 0; /* 0 is the invalid secid */ 3025 int rc; 3026 3027 if (skb != NULL) { 3028 if (skb->protocol == htons(ETH_P_IP)) 3029 family = PF_INET; 3030 else if (skb->protocol == htons(ETH_P_IPV6)) 3031 family = PF_INET6; 3032 } 3033 if (family == PF_UNSPEC && sock != NULL) 3034 family = sock->sk->sk_family; 3035 3036 if (family == PF_UNIX) { 3037 ssp = sock->sk->sk_security; 3038 s = smack_to_secid(ssp->smk_out); 3039 } else if (family == PF_INET || family == PF_INET6) { 3040 /* 3041 * Translate what netlabel gave us. 3042 */ 3043 if (sock != NULL && sock->sk != NULL) 3044 ssp = sock->sk->sk_security; 3045 netlbl_secattr_init(&secattr); 3046 rc = netlbl_skbuff_getattr(skb, family, &secattr); 3047 if (rc == 0) { 3048 sp = smack_from_secattr(&secattr, ssp); 3049 s = smack_to_secid(sp); 3050 } 3051 netlbl_secattr_destroy(&secattr); 3052 } 3053 *secid = s; 3054 if (s == 0) 3055 return -EINVAL; 3056 return 0; 3057 } 3058 3059 /** 3060 * smack_sock_graft - Initialize a newly created socket with an existing sock 3061 * @sk: child sock 3062 * @parent: parent socket 3063 * 3064 * Set the smk_{in,out} state of an existing sock based on the process that 3065 * is creating the new socket. 3066 */ 3067 static void smack_sock_graft(struct sock *sk, struct socket *parent) 3068 { 3069 struct socket_smack *ssp; 3070 3071 if (sk == NULL || 3072 (sk->sk_family != PF_INET && sk->sk_family != PF_INET6)) 3073 return; 3074 3075 ssp = sk->sk_security; 3076 ssp->smk_in = ssp->smk_out = smk_of_current(); 3077 /* cssp->smk_packet is already set in smack_inet_csk_clone() */ 3078 } 3079 3080 /** 3081 * smack_inet_conn_request - Smack access check on connect 3082 * @sk: socket involved 3083 * @skb: packet 3084 * @req: unused 3085 * 3086 * Returns 0 if a task with the packet label could write to 3087 * the socket, otherwise an error code 3088 */ 3089 static int smack_inet_conn_request(struct sock *sk, struct sk_buff *skb, 3090 struct request_sock *req) 3091 { 3092 u16 family = sk->sk_family; 3093 struct smack_known *skp; 3094 struct socket_smack *ssp = sk->sk_security; 3095 struct netlbl_lsm_secattr secattr; 3096 struct sockaddr_in addr; 3097 struct iphdr *hdr; 3098 char *sp; 3099 char *hsp; 3100 int rc; 3101 struct smk_audit_info ad; 3102 #ifdef CONFIG_AUDIT 3103 struct lsm_network_audit net; 3104 #endif 3105 3106 /* handle mapped IPv4 packets arriving via IPv6 sockets */ 3107 if (family == PF_INET6 && skb->protocol == htons(ETH_P_IP)) 3108 family = PF_INET; 3109 3110 netlbl_secattr_init(&secattr); 3111 rc = netlbl_skbuff_getattr(skb, family, &secattr); 3112 if (rc == 0) 3113 sp = smack_from_secattr(&secattr, ssp); 3114 else 3115 sp = smack_known_huh.smk_known; 3116 netlbl_secattr_destroy(&secattr); 3117 3118 #ifdef CONFIG_AUDIT 3119 smk_ad_init_net(&ad, __func__, LSM_AUDIT_DATA_NET, &net); 3120 ad.a.u.net->family = family; 3121 ad.a.u.net->netif = skb->skb_iif; 3122 ipv4_skb_to_auditdata(skb, &ad.a, NULL); 3123 #endif 3124 /* 3125 * Receiving a packet requires that the other end be able to write 3126 * here. Read access is not required. 3127 */ 3128 rc = smk_access(sp, ssp->smk_in, MAY_WRITE, &ad); 3129 if (rc != 0) 3130 return rc; 3131 3132 /* 3133 * Save the peer's label in the request_sock so we can later setup 3134 * smk_packet in the child socket so that SO_PEERCRED can report it. 3135 */ 3136 req->peer_secid = smack_to_secid(sp); 3137 3138 /* 3139 * We need to decide if we want to label the incoming connection here 3140 * if we do we only need to label the request_sock and the stack will 3141 * propagate the wire-label to the sock when it is created. 3142 */ 3143 hdr = ip_hdr(skb); 3144 addr.sin_addr.s_addr = hdr->saddr; 3145 rcu_read_lock(); 3146 hsp = smack_host_label(&addr); 3147 rcu_read_unlock(); 3148 3149 if (hsp == NULL) { 3150 skp = smk_find_entry(sp); 3151 rc = netlbl_req_setattr(req, &skp->smk_netlabel); 3152 } else 3153 netlbl_req_delattr(req); 3154 3155 return rc; 3156 } 3157 3158 /** 3159 * smack_inet_csk_clone - Copy the connection information to the new socket 3160 * @sk: the new socket 3161 * @req: the connection's request_sock 3162 * 3163 * Transfer the connection's peer label to the newly created socket. 3164 */ 3165 static void smack_inet_csk_clone(struct sock *sk, 3166 const struct request_sock *req) 3167 { 3168 struct socket_smack *ssp = sk->sk_security; 3169 3170 if (req->peer_secid != 0) 3171 ssp->smk_packet = smack_from_secid(req->peer_secid); 3172 else 3173 ssp->smk_packet = NULL; 3174 } 3175 3176 /* 3177 * Key management security hooks 3178 * 3179 * Casey has not tested key support very heavily. 3180 * The permission check is most likely too restrictive. 3181 * If you care about keys please have a look. 3182 */ 3183 #ifdef CONFIG_KEYS 3184 3185 /** 3186 * smack_key_alloc - Set the key security blob 3187 * @key: object 3188 * @cred: the credentials to use 3189 * @flags: unused 3190 * 3191 * No allocation required 3192 * 3193 * Returns 0 3194 */ 3195 static int smack_key_alloc(struct key *key, const struct cred *cred, 3196 unsigned long flags) 3197 { 3198 key->security = smk_of_task(cred->security); 3199 return 0; 3200 } 3201 3202 /** 3203 * smack_key_free - Clear the key security blob 3204 * @key: the object 3205 * 3206 * Clear the blob pointer 3207 */ 3208 static void smack_key_free(struct key *key) 3209 { 3210 key->security = NULL; 3211 } 3212 3213 /* 3214 * smack_key_permission - Smack access on a key 3215 * @key_ref: gets to the object 3216 * @cred: the credentials to use 3217 * @perm: unused 3218 * 3219 * Return 0 if the task has read and write to the object, 3220 * an error code otherwise 3221 */ 3222 static int smack_key_permission(key_ref_t key_ref, 3223 const struct cred *cred, key_perm_t perm) 3224 { 3225 struct key *keyp; 3226 struct smk_audit_info ad; 3227 char *tsp = smk_of_task(cred->security); 3228 3229 keyp = key_ref_to_ptr(key_ref); 3230 if (keyp == NULL) 3231 return -EINVAL; 3232 /* 3233 * If the key hasn't been initialized give it access so that 3234 * it may do so. 3235 */ 3236 if (keyp->security == NULL) 3237 return 0; 3238 /* 3239 * This should not occur 3240 */ 3241 if (tsp == NULL) 3242 return -EACCES; 3243 #ifdef CONFIG_AUDIT 3244 smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_KEY); 3245 ad.a.u.key_struct.key = keyp->serial; 3246 ad.a.u.key_struct.key_desc = keyp->description; 3247 #endif 3248 return smk_access(tsp, keyp->security, 3249 MAY_READWRITE, &ad); 3250 } 3251 #endif /* CONFIG_KEYS */ 3252 3253 /* 3254 * Smack Audit hooks 3255 * 3256 * Audit requires a unique representation of each Smack specific 3257 * rule. This unique representation is used to distinguish the 3258 * object to be audited from remaining kernel objects and also 3259 * works as a glue between the audit hooks. 3260 * 3261 * Since repository entries are added but never deleted, we'll use 3262 * the smack_known label address related to the given audit rule as 3263 * the needed unique representation. This also better fits the smack 3264 * model where nearly everything is a label. 3265 */ 3266 #ifdef CONFIG_AUDIT 3267 3268 /** 3269 * smack_audit_rule_init - Initialize a smack audit rule 3270 * @field: audit rule fields given from user-space (audit.h) 3271 * @op: required testing operator (=, !=, >, <, ...) 3272 * @rulestr: smack label to be audited 3273 * @vrule: pointer to save our own audit rule representation 3274 * 3275 * Prepare to audit cases where (@field @op @rulestr) is true. 3276 * The label to be audited is created if necessay. 3277 */ 3278 static int smack_audit_rule_init(u32 field, u32 op, char *rulestr, void **vrule) 3279 { 3280 char **rule = (char **)vrule; 3281 *rule = NULL; 3282 3283 if (field != AUDIT_SUBJ_USER && field != AUDIT_OBJ_USER) 3284 return -EINVAL; 3285 3286 if (op != Audit_equal && op != Audit_not_equal) 3287 return -EINVAL; 3288 3289 *rule = smk_import(rulestr, 0); 3290 3291 return 0; 3292 } 3293 3294 /** 3295 * smack_audit_rule_known - Distinguish Smack audit rules 3296 * @krule: rule of interest, in Audit kernel representation format 3297 * 3298 * This is used to filter Smack rules from remaining Audit ones. 3299 * If it's proved that this rule belongs to us, the 3300 * audit_rule_match hook will be called to do the final judgement. 3301 */ 3302 static int smack_audit_rule_known(struct audit_krule *krule) 3303 { 3304 struct audit_field *f; 3305 int i; 3306 3307 for (i = 0; i < krule->field_count; i++) { 3308 f = &krule->fields[i]; 3309 3310 if (f->type == AUDIT_SUBJ_USER || f->type == AUDIT_OBJ_USER) 3311 return 1; 3312 } 3313 3314 return 0; 3315 } 3316 3317 /** 3318 * smack_audit_rule_match - Audit given object ? 3319 * @secid: security id for identifying the object to test 3320 * @field: audit rule flags given from user-space 3321 * @op: required testing operator 3322 * @vrule: smack internal rule presentation 3323 * @actx: audit context associated with the check 3324 * 3325 * The core Audit hook. It's used to take the decision of 3326 * whether to audit or not to audit a given object. 3327 */ 3328 static int smack_audit_rule_match(u32 secid, u32 field, u32 op, void *vrule, 3329 struct audit_context *actx) 3330 { 3331 char *smack; 3332 char *rule = vrule; 3333 3334 if (!rule) { 3335 audit_log(actx, GFP_ATOMIC, AUDIT_SELINUX_ERR, 3336 "Smack: missing rule\n"); 3337 return -ENOENT; 3338 } 3339 3340 if (field != AUDIT_SUBJ_USER && field != AUDIT_OBJ_USER) 3341 return 0; 3342 3343 smack = smack_from_secid(secid); 3344 3345 /* 3346 * No need to do string comparisons. If a match occurs, 3347 * both pointers will point to the same smack_known 3348 * label. 3349 */ 3350 if (op == Audit_equal) 3351 return (rule == smack); 3352 if (op == Audit_not_equal) 3353 return (rule != smack); 3354 3355 return 0; 3356 } 3357 3358 /** 3359 * smack_audit_rule_free - free smack rule representation 3360 * @vrule: rule to be freed. 3361 * 3362 * No memory was allocated. 3363 */ 3364 static void smack_audit_rule_free(void *vrule) 3365 { 3366 /* No-op */ 3367 } 3368 3369 #endif /* CONFIG_AUDIT */ 3370 3371 /** 3372 * smack_secid_to_secctx - return the smack label for a secid 3373 * @secid: incoming integer 3374 * @secdata: destination 3375 * @seclen: how long it is 3376 * 3377 * Exists for networking code. 3378 */ 3379 static int smack_secid_to_secctx(u32 secid, char **secdata, u32 *seclen) 3380 { 3381 char *sp = smack_from_secid(secid); 3382 3383 if (secdata) 3384 *secdata = sp; 3385 *seclen = strlen(sp); 3386 return 0; 3387 } 3388 3389 /** 3390 * smack_secctx_to_secid - return the secid for a smack label 3391 * @secdata: smack label 3392 * @seclen: how long result is 3393 * @secid: outgoing integer 3394 * 3395 * Exists for audit and networking code. 3396 */ 3397 static int smack_secctx_to_secid(const char *secdata, u32 seclen, u32 *secid) 3398 { 3399 *secid = smack_to_secid(secdata); 3400 return 0; 3401 } 3402 3403 /** 3404 * smack_release_secctx - don't do anything. 3405 * @secdata: unused 3406 * @seclen: unused 3407 * 3408 * Exists to make sure nothing gets done, and properly 3409 */ 3410 static void smack_release_secctx(char *secdata, u32 seclen) 3411 { 3412 } 3413 3414 static int smack_inode_notifysecctx(struct inode *inode, void *ctx, u32 ctxlen) 3415 { 3416 return smack_inode_setsecurity(inode, XATTR_SMACK_SUFFIX, ctx, ctxlen, 0); 3417 } 3418 3419 static int smack_inode_setsecctx(struct dentry *dentry, void *ctx, u32 ctxlen) 3420 { 3421 return __vfs_setxattr_noperm(dentry, XATTR_NAME_SMACK, ctx, ctxlen, 0); 3422 } 3423 3424 static int smack_inode_getsecctx(struct inode *inode, void **ctx, u32 *ctxlen) 3425 { 3426 int len = 0; 3427 len = smack_inode_getsecurity(inode, XATTR_SMACK_SUFFIX, ctx, true); 3428 3429 if (len < 0) 3430 return len; 3431 *ctxlen = len; 3432 return 0; 3433 } 3434 3435 struct security_operations smack_ops = { 3436 .name = "smack", 3437 3438 .ptrace_access_check = smack_ptrace_access_check, 3439 .ptrace_traceme = smack_ptrace_traceme, 3440 .syslog = smack_syslog, 3441 3442 .sb_alloc_security = smack_sb_alloc_security, 3443 .sb_free_security = smack_sb_free_security, 3444 .sb_copy_data = smack_sb_copy_data, 3445 .sb_kern_mount = smack_sb_kern_mount, 3446 .sb_statfs = smack_sb_statfs, 3447 .sb_mount = smack_sb_mount, 3448 .sb_umount = smack_sb_umount, 3449 3450 .bprm_set_creds = smack_bprm_set_creds, 3451 .bprm_committing_creds = smack_bprm_committing_creds, 3452 .bprm_secureexec = smack_bprm_secureexec, 3453 3454 .inode_alloc_security = smack_inode_alloc_security, 3455 .inode_free_security = smack_inode_free_security, 3456 .inode_init_security = smack_inode_init_security, 3457 .inode_link = smack_inode_link, 3458 .inode_unlink = smack_inode_unlink, 3459 .inode_rmdir = smack_inode_rmdir, 3460 .inode_rename = smack_inode_rename, 3461 .inode_permission = smack_inode_permission, 3462 .inode_setattr = smack_inode_setattr, 3463 .inode_getattr = smack_inode_getattr, 3464 .inode_setxattr = smack_inode_setxattr, 3465 .inode_post_setxattr = smack_inode_post_setxattr, 3466 .inode_getxattr = smack_inode_getxattr, 3467 .inode_removexattr = smack_inode_removexattr, 3468 .inode_getsecurity = smack_inode_getsecurity, 3469 .inode_setsecurity = smack_inode_setsecurity, 3470 .inode_listsecurity = smack_inode_listsecurity, 3471 .inode_getsecid = smack_inode_getsecid, 3472 3473 .file_permission = smack_file_permission, 3474 .file_alloc_security = smack_file_alloc_security, 3475 .file_free_security = smack_file_free_security, 3476 .file_ioctl = smack_file_ioctl, 3477 .file_lock = smack_file_lock, 3478 .file_fcntl = smack_file_fcntl, 3479 .mmap_file = smack_mmap_file, 3480 .mmap_addr = cap_mmap_addr, 3481 .file_set_fowner = smack_file_set_fowner, 3482 .file_send_sigiotask = smack_file_send_sigiotask, 3483 .file_receive = smack_file_receive, 3484 3485 .file_open = smack_file_open, 3486 3487 .cred_alloc_blank = smack_cred_alloc_blank, 3488 .cred_free = smack_cred_free, 3489 .cred_prepare = smack_cred_prepare, 3490 .cred_transfer = smack_cred_transfer, 3491 .kernel_act_as = smack_kernel_act_as, 3492 .kernel_create_files_as = smack_kernel_create_files_as, 3493 .task_setpgid = smack_task_setpgid, 3494 .task_getpgid = smack_task_getpgid, 3495 .task_getsid = smack_task_getsid, 3496 .task_getsecid = smack_task_getsecid, 3497 .task_setnice = smack_task_setnice, 3498 .task_setioprio = smack_task_setioprio, 3499 .task_getioprio = smack_task_getioprio, 3500 .task_setscheduler = smack_task_setscheduler, 3501 .task_getscheduler = smack_task_getscheduler, 3502 .task_movememory = smack_task_movememory, 3503 .task_kill = smack_task_kill, 3504 .task_wait = smack_task_wait, 3505 .task_to_inode = smack_task_to_inode, 3506 3507 .ipc_permission = smack_ipc_permission, 3508 .ipc_getsecid = smack_ipc_getsecid, 3509 3510 .msg_msg_alloc_security = smack_msg_msg_alloc_security, 3511 .msg_msg_free_security = smack_msg_msg_free_security, 3512 3513 .msg_queue_alloc_security = smack_msg_queue_alloc_security, 3514 .msg_queue_free_security = smack_msg_queue_free_security, 3515 .msg_queue_associate = smack_msg_queue_associate, 3516 .msg_queue_msgctl = smack_msg_queue_msgctl, 3517 .msg_queue_msgsnd = smack_msg_queue_msgsnd, 3518 .msg_queue_msgrcv = smack_msg_queue_msgrcv, 3519 3520 .shm_alloc_security = smack_shm_alloc_security, 3521 .shm_free_security = smack_shm_free_security, 3522 .shm_associate = smack_shm_associate, 3523 .shm_shmctl = smack_shm_shmctl, 3524 .shm_shmat = smack_shm_shmat, 3525 3526 .sem_alloc_security = smack_sem_alloc_security, 3527 .sem_free_security = smack_sem_free_security, 3528 .sem_associate = smack_sem_associate, 3529 .sem_semctl = smack_sem_semctl, 3530 .sem_semop = smack_sem_semop, 3531 3532 .d_instantiate = smack_d_instantiate, 3533 3534 .getprocattr = smack_getprocattr, 3535 .setprocattr = smack_setprocattr, 3536 3537 .unix_stream_connect = smack_unix_stream_connect, 3538 .unix_may_send = smack_unix_may_send, 3539 3540 .socket_post_create = smack_socket_post_create, 3541 .socket_connect = smack_socket_connect, 3542 .socket_sendmsg = smack_socket_sendmsg, 3543 .socket_sock_rcv_skb = smack_socket_sock_rcv_skb, 3544 .socket_getpeersec_stream = smack_socket_getpeersec_stream, 3545 .socket_getpeersec_dgram = smack_socket_getpeersec_dgram, 3546 .sk_alloc_security = smack_sk_alloc_security, 3547 .sk_free_security = smack_sk_free_security, 3548 .sock_graft = smack_sock_graft, 3549 .inet_conn_request = smack_inet_conn_request, 3550 .inet_csk_clone = smack_inet_csk_clone, 3551 3552 /* key management security hooks */ 3553 #ifdef CONFIG_KEYS 3554 .key_alloc = smack_key_alloc, 3555 .key_free = smack_key_free, 3556 .key_permission = smack_key_permission, 3557 #endif /* CONFIG_KEYS */ 3558 3559 /* Audit hooks */ 3560 #ifdef CONFIG_AUDIT 3561 .audit_rule_init = smack_audit_rule_init, 3562 .audit_rule_known = smack_audit_rule_known, 3563 .audit_rule_match = smack_audit_rule_match, 3564 .audit_rule_free = smack_audit_rule_free, 3565 #endif /* CONFIG_AUDIT */ 3566 3567 .secid_to_secctx = smack_secid_to_secctx, 3568 .secctx_to_secid = smack_secctx_to_secid, 3569 .release_secctx = smack_release_secctx, 3570 .inode_notifysecctx = smack_inode_notifysecctx, 3571 .inode_setsecctx = smack_inode_setsecctx, 3572 .inode_getsecctx = smack_inode_getsecctx, 3573 }; 3574 3575 3576 static __init void init_smack_known_list(void) 3577 { 3578 /* 3579 * Initialize rule list locks 3580 */ 3581 mutex_init(&smack_known_huh.smk_rules_lock); 3582 mutex_init(&smack_known_hat.smk_rules_lock); 3583 mutex_init(&smack_known_floor.smk_rules_lock); 3584 mutex_init(&smack_known_star.smk_rules_lock); 3585 mutex_init(&smack_known_invalid.smk_rules_lock); 3586 mutex_init(&smack_known_web.smk_rules_lock); 3587 /* 3588 * Initialize rule lists 3589 */ 3590 INIT_LIST_HEAD(&smack_known_huh.smk_rules); 3591 INIT_LIST_HEAD(&smack_known_hat.smk_rules); 3592 INIT_LIST_HEAD(&smack_known_star.smk_rules); 3593 INIT_LIST_HEAD(&smack_known_floor.smk_rules); 3594 INIT_LIST_HEAD(&smack_known_invalid.smk_rules); 3595 INIT_LIST_HEAD(&smack_known_web.smk_rules); 3596 /* 3597 * Create the known labels list 3598 */ 3599 list_add(&smack_known_huh.list, &smack_known_list); 3600 list_add(&smack_known_hat.list, &smack_known_list); 3601 list_add(&smack_known_star.list, &smack_known_list); 3602 list_add(&smack_known_floor.list, &smack_known_list); 3603 list_add(&smack_known_invalid.list, &smack_known_list); 3604 list_add(&smack_known_web.list, &smack_known_list); 3605 } 3606 3607 /** 3608 * smack_init - initialize the smack system 3609 * 3610 * Returns 0 3611 */ 3612 static __init int smack_init(void) 3613 { 3614 struct cred *cred; 3615 struct task_smack *tsp; 3616 3617 if (!security_module_enable(&smack_ops)) 3618 return 0; 3619 3620 tsp = new_task_smack(smack_known_floor.smk_known, 3621 smack_known_floor.smk_known, GFP_KERNEL); 3622 if (tsp == NULL) 3623 return -ENOMEM; 3624 3625 printk(KERN_INFO "Smack: Initializing.\n"); 3626 3627 /* 3628 * Set the security state for the initial task. 3629 */ 3630 cred = (struct cred *) current->cred; 3631 cred->security = tsp; 3632 3633 /* initialize the smack_known_list */ 3634 init_smack_known_list(); 3635 3636 /* 3637 * Register with LSM 3638 */ 3639 if (register_security(&smack_ops)) 3640 panic("smack: Unable to register with kernel.\n"); 3641 3642 return 0; 3643 } 3644 3645 /* 3646 * Smack requires early initialization in order to label 3647 * all processes and objects when they are created. 3648 */ 3649 security_initcall(smack_init); 3650