1 /* 2 * Simplified MAC Kernel (smack) security module 3 * 4 * This file contains the smack hook function implementations. 5 * 6 * Authors: 7 * Casey Schaufler <casey@schaufler-ca.com> 8 * Jarkko Sakkinen <ext-jarkko.2.sakkinen@nokia.com> 9 * 10 * Copyright (C) 2007 Casey Schaufler <casey@schaufler-ca.com> 11 * Copyright (C) 2009 Hewlett-Packard Development Company, L.P. 12 * Paul Moore <paul.moore@hp.com> 13 * Copyright (C) 2010 Nokia Corporation 14 * 15 * This program is free software; you can redistribute it and/or modify 16 * it under the terms of the GNU General Public License version 2, 17 * as published by the Free Software Foundation. 18 */ 19 20 #include <linux/xattr.h> 21 #include <linux/pagemap.h> 22 #include <linux/mount.h> 23 #include <linux/stat.h> 24 #include <linux/kd.h> 25 #include <asm/ioctls.h> 26 #include <linux/ip.h> 27 #include <linux/tcp.h> 28 #include <linux/udp.h> 29 #include <linux/slab.h> 30 #include <linux/mutex.h> 31 #include <linux/pipe_fs_i.h> 32 #include <net/netlabel.h> 33 #include <net/cipso_ipv4.h> 34 #include <linux/audit.h> 35 #include <linux/magic.h> 36 #include <linux/dcache.h> 37 #include "smack.h" 38 39 #define task_security(task) (task_cred_xxx((task), security)) 40 41 #define TRANS_TRUE "TRUE" 42 #define TRANS_TRUE_SIZE 4 43 44 /** 45 * smk_fetch - Fetch the smack label from a file. 46 * @ip: a pointer to the inode 47 * @dp: a pointer to the dentry 48 * 49 * Returns a pointer to the master list entry for the Smack label 50 * or NULL if there was no label to fetch. 51 */ 52 static char *smk_fetch(const char *name, struct inode *ip, struct dentry *dp) 53 { 54 int rc; 55 char in[SMK_LABELLEN]; 56 57 if (ip->i_op->getxattr == NULL) 58 return NULL; 59 60 rc = ip->i_op->getxattr(dp, name, in, SMK_LABELLEN); 61 if (rc < 0) 62 return NULL; 63 64 return smk_import(in, rc); 65 } 66 67 /** 68 * new_inode_smack - allocate an inode security blob 69 * @smack: a pointer to the Smack label to use in the blob 70 * 71 * Returns the new blob or NULL if there's no memory available 72 */ 73 struct inode_smack *new_inode_smack(char *smack) 74 { 75 struct inode_smack *isp; 76 77 isp = kzalloc(sizeof(struct inode_smack), GFP_KERNEL); 78 if (isp == NULL) 79 return NULL; 80 81 isp->smk_inode = smack; 82 isp->smk_flags = 0; 83 mutex_init(&isp->smk_lock); 84 85 return isp; 86 } 87 88 /** 89 * new_task_smack - allocate a task security blob 90 * @smack: a pointer to the Smack label to use in the blob 91 * 92 * Returns the new blob or NULL if there's no memory available 93 */ 94 static struct task_smack *new_task_smack(char *task, char *forked, gfp_t gfp) 95 { 96 struct task_smack *tsp; 97 98 tsp = kzalloc(sizeof(struct task_smack), gfp); 99 if (tsp == NULL) 100 return NULL; 101 102 tsp->smk_task = task; 103 tsp->smk_forked = forked; 104 INIT_LIST_HEAD(&tsp->smk_rules); 105 mutex_init(&tsp->smk_rules_lock); 106 107 return tsp; 108 } 109 110 /** 111 * smk_copy_rules - copy a rule set 112 * @nhead - new rules header pointer 113 * @ohead - old rules header pointer 114 * 115 * Returns 0 on success, -ENOMEM on error 116 */ 117 static int smk_copy_rules(struct list_head *nhead, struct list_head *ohead, 118 gfp_t gfp) 119 { 120 struct smack_rule *nrp; 121 struct smack_rule *orp; 122 int rc = 0; 123 124 INIT_LIST_HEAD(nhead); 125 126 list_for_each_entry_rcu(orp, ohead, list) { 127 nrp = kzalloc(sizeof(struct smack_rule), gfp); 128 if (nrp == NULL) { 129 rc = -ENOMEM; 130 break; 131 } 132 *nrp = *orp; 133 list_add_rcu(&nrp->list, nhead); 134 } 135 return rc; 136 } 137 138 /* 139 * LSM hooks. 140 * We he, that is fun! 141 */ 142 143 /** 144 * smack_ptrace_access_check - Smack approval on PTRACE_ATTACH 145 * @ctp: child task pointer 146 * @mode: ptrace attachment mode 147 * 148 * Returns 0 if access is OK, an error code otherwise 149 * 150 * Do the capability checks, and require read and write. 151 */ 152 static int smack_ptrace_access_check(struct task_struct *ctp, unsigned int mode) 153 { 154 int rc; 155 struct smk_audit_info ad; 156 char *tsp; 157 158 rc = cap_ptrace_access_check(ctp, mode); 159 if (rc != 0) 160 return rc; 161 162 tsp = smk_of_task(task_security(ctp)); 163 smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_TASK); 164 smk_ad_setfield_u_tsk(&ad, ctp); 165 166 rc = smk_curacc(tsp, MAY_READWRITE, &ad); 167 return rc; 168 } 169 170 /** 171 * smack_ptrace_traceme - Smack approval on PTRACE_TRACEME 172 * @ptp: parent task pointer 173 * 174 * Returns 0 if access is OK, an error code otherwise 175 * 176 * Do the capability checks, and require read and write. 177 */ 178 static int smack_ptrace_traceme(struct task_struct *ptp) 179 { 180 int rc; 181 struct smk_audit_info ad; 182 char *tsp; 183 184 rc = cap_ptrace_traceme(ptp); 185 if (rc != 0) 186 return rc; 187 188 tsp = smk_of_task(task_security(ptp)); 189 smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_TASK); 190 smk_ad_setfield_u_tsk(&ad, ptp); 191 192 rc = smk_curacc(tsp, MAY_READWRITE, &ad); 193 return rc; 194 } 195 196 /** 197 * smack_syslog - Smack approval on syslog 198 * @type: message type 199 * 200 * Require that the task has the floor label 201 * 202 * Returns 0 on success, error code otherwise. 203 */ 204 static int smack_syslog(int typefrom_file) 205 { 206 int rc = 0; 207 char *sp = smk_of_current(); 208 209 if (capable(CAP_MAC_OVERRIDE)) 210 return 0; 211 212 if (sp != smack_known_floor.smk_known) 213 rc = -EACCES; 214 215 return rc; 216 } 217 218 219 /* 220 * Superblock Hooks. 221 */ 222 223 /** 224 * smack_sb_alloc_security - allocate a superblock blob 225 * @sb: the superblock getting the blob 226 * 227 * Returns 0 on success or -ENOMEM on error. 228 */ 229 static int smack_sb_alloc_security(struct super_block *sb) 230 { 231 struct superblock_smack *sbsp; 232 233 sbsp = kzalloc(sizeof(struct superblock_smack), GFP_KERNEL); 234 235 if (sbsp == NULL) 236 return -ENOMEM; 237 238 sbsp->smk_root = smack_known_floor.smk_known; 239 sbsp->smk_default = smack_known_floor.smk_known; 240 sbsp->smk_floor = smack_known_floor.smk_known; 241 sbsp->smk_hat = smack_known_hat.smk_known; 242 sbsp->smk_initialized = 0; 243 spin_lock_init(&sbsp->smk_sblock); 244 245 sb->s_security = sbsp; 246 247 return 0; 248 } 249 250 /** 251 * smack_sb_free_security - free a superblock blob 252 * @sb: the superblock getting the blob 253 * 254 */ 255 static void smack_sb_free_security(struct super_block *sb) 256 { 257 kfree(sb->s_security); 258 sb->s_security = NULL; 259 } 260 261 /** 262 * smack_sb_copy_data - copy mount options data for processing 263 * @orig: where to start 264 * @smackopts: mount options string 265 * 266 * Returns 0 on success or -ENOMEM on error. 267 * 268 * Copy the Smack specific mount options out of the mount 269 * options list. 270 */ 271 static int smack_sb_copy_data(char *orig, char *smackopts) 272 { 273 char *cp, *commap, *otheropts, *dp; 274 275 otheropts = (char *)get_zeroed_page(GFP_KERNEL); 276 if (otheropts == NULL) 277 return -ENOMEM; 278 279 for (cp = orig, commap = orig; commap != NULL; cp = commap + 1) { 280 if (strstr(cp, SMK_FSDEFAULT) == cp) 281 dp = smackopts; 282 else if (strstr(cp, SMK_FSFLOOR) == cp) 283 dp = smackopts; 284 else if (strstr(cp, SMK_FSHAT) == cp) 285 dp = smackopts; 286 else if (strstr(cp, SMK_FSROOT) == cp) 287 dp = smackopts; 288 else 289 dp = otheropts; 290 291 commap = strchr(cp, ','); 292 if (commap != NULL) 293 *commap = '\0'; 294 295 if (*dp != '\0') 296 strcat(dp, ","); 297 strcat(dp, cp); 298 } 299 300 strcpy(orig, otheropts); 301 free_page((unsigned long)otheropts); 302 303 return 0; 304 } 305 306 /** 307 * smack_sb_kern_mount - Smack specific mount processing 308 * @sb: the file system superblock 309 * @flags: the mount flags 310 * @data: the smack mount options 311 * 312 * Returns 0 on success, an error code on failure 313 */ 314 static int smack_sb_kern_mount(struct super_block *sb, int flags, void *data) 315 { 316 struct dentry *root = sb->s_root; 317 struct inode *inode = root->d_inode; 318 struct superblock_smack *sp = sb->s_security; 319 struct inode_smack *isp; 320 char *op; 321 char *commap; 322 char *nsp; 323 324 spin_lock(&sp->smk_sblock); 325 if (sp->smk_initialized != 0) { 326 spin_unlock(&sp->smk_sblock); 327 return 0; 328 } 329 sp->smk_initialized = 1; 330 spin_unlock(&sp->smk_sblock); 331 332 for (op = data; op != NULL; op = commap) { 333 commap = strchr(op, ','); 334 if (commap != NULL) 335 *commap++ = '\0'; 336 337 if (strncmp(op, SMK_FSHAT, strlen(SMK_FSHAT)) == 0) { 338 op += strlen(SMK_FSHAT); 339 nsp = smk_import(op, 0); 340 if (nsp != NULL) 341 sp->smk_hat = nsp; 342 } else if (strncmp(op, SMK_FSFLOOR, strlen(SMK_FSFLOOR)) == 0) { 343 op += strlen(SMK_FSFLOOR); 344 nsp = smk_import(op, 0); 345 if (nsp != NULL) 346 sp->smk_floor = nsp; 347 } else if (strncmp(op, SMK_FSDEFAULT, 348 strlen(SMK_FSDEFAULT)) == 0) { 349 op += strlen(SMK_FSDEFAULT); 350 nsp = smk_import(op, 0); 351 if (nsp != NULL) 352 sp->smk_default = nsp; 353 } else if (strncmp(op, SMK_FSROOT, strlen(SMK_FSROOT)) == 0) { 354 op += strlen(SMK_FSROOT); 355 nsp = smk_import(op, 0); 356 if (nsp != NULL) 357 sp->smk_root = nsp; 358 } 359 } 360 361 /* 362 * Initialize the root inode. 363 */ 364 isp = inode->i_security; 365 if (isp == NULL) 366 inode->i_security = new_inode_smack(sp->smk_root); 367 else 368 isp->smk_inode = sp->smk_root; 369 370 return 0; 371 } 372 373 /** 374 * smack_sb_statfs - Smack check on statfs 375 * @dentry: identifies the file system in question 376 * 377 * Returns 0 if current can read the floor of the filesystem, 378 * and error code otherwise 379 */ 380 static int smack_sb_statfs(struct dentry *dentry) 381 { 382 struct superblock_smack *sbp = dentry->d_sb->s_security; 383 int rc; 384 struct smk_audit_info ad; 385 386 smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_FS); 387 smk_ad_setfield_u_fs_path_dentry(&ad, dentry); 388 389 rc = smk_curacc(sbp->smk_floor, MAY_READ, &ad); 390 return rc; 391 } 392 393 /** 394 * smack_sb_mount - Smack check for mounting 395 * @dev_name: unused 396 * @path: mount point 397 * @type: unused 398 * @flags: unused 399 * @data: unused 400 * 401 * Returns 0 if current can write the floor of the filesystem 402 * being mounted on, an error code otherwise. 403 */ 404 static int smack_sb_mount(char *dev_name, struct path *path, 405 char *type, unsigned long flags, void *data) 406 { 407 struct superblock_smack *sbp = path->mnt->mnt_sb->s_security; 408 struct smk_audit_info ad; 409 410 smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_FS); 411 smk_ad_setfield_u_fs_path(&ad, *path); 412 413 return smk_curacc(sbp->smk_floor, MAY_WRITE, &ad); 414 } 415 416 /** 417 * smack_sb_umount - Smack check for unmounting 418 * @mnt: file system to unmount 419 * @flags: unused 420 * 421 * Returns 0 if current can write the floor of the filesystem 422 * being unmounted, an error code otherwise. 423 */ 424 static int smack_sb_umount(struct vfsmount *mnt, int flags) 425 { 426 struct superblock_smack *sbp; 427 struct smk_audit_info ad; 428 429 smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_FS); 430 smk_ad_setfield_u_fs_path_dentry(&ad, mnt->mnt_root); 431 smk_ad_setfield_u_fs_path_mnt(&ad, mnt); 432 433 sbp = mnt->mnt_sb->s_security; 434 return smk_curacc(sbp->smk_floor, MAY_WRITE, &ad); 435 } 436 437 /* 438 * BPRM hooks 439 */ 440 441 static int smack_bprm_set_creds(struct linux_binprm *bprm) 442 { 443 struct task_smack *tsp = bprm->cred->security; 444 struct inode_smack *isp; 445 struct dentry *dp; 446 int rc; 447 448 rc = cap_bprm_set_creds(bprm); 449 if (rc != 0) 450 return rc; 451 452 if (bprm->cred_prepared) 453 return 0; 454 455 if (bprm->file == NULL || bprm->file->f_dentry == NULL) 456 return 0; 457 458 dp = bprm->file->f_dentry; 459 460 if (dp->d_inode == NULL) 461 return 0; 462 463 isp = dp->d_inode->i_security; 464 465 if (isp->smk_task != NULL) 466 tsp->smk_task = isp->smk_task; 467 468 return 0; 469 } 470 471 /* 472 * Inode hooks 473 */ 474 475 /** 476 * smack_inode_alloc_security - allocate an inode blob 477 * @inode: the inode in need of a blob 478 * 479 * Returns 0 if it gets a blob, -ENOMEM otherwise 480 */ 481 static int smack_inode_alloc_security(struct inode *inode) 482 { 483 inode->i_security = new_inode_smack(smk_of_current()); 484 if (inode->i_security == NULL) 485 return -ENOMEM; 486 return 0; 487 } 488 489 /** 490 * smack_inode_free_security - free an inode blob 491 * @inode: the inode with a blob 492 * 493 * Clears the blob pointer in inode 494 */ 495 static void smack_inode_free_security(struct inode *inode) 496 { 497 kfree(inode->i_security); 498 inode->i_security = NULL; 499 } 500 501 /** 502 * smack_inode_init_security - copy out the smack from an inode 503 * @inode: the inode 504 * @dir: unused 505 * @qstr: unused 506 * @name: where to put the attribute name 507 * @value: where to put the attribute value 508 * @len: where to put the length of the attribute 509 * 510 * Returns 0 if it all works out, -ENOMEM if there's no memory 511 */ 512 static int smack_inode_init_security(struct inode *inode, struct inode *dir, 513 const struct qstr *qstr, char **name, 514 void **value, size_t *len) 515 { 516 char *isp = smk_of_inode(inode); 517 char *dsp = smk_of_inode(dir); 518 int may; 519 520 if (name) { 521 *name = kstrdup(XATTR_SMACK_SUFFIX, GFP_KERNEL); 522 if (*name == NULL) 523 return -ENOMEM; 524 } 525 526 if (value) { 527 rcu_read_lock(); 528 may = smk_access_entry(smk_of_current(), dsp, &smack_rule_list); 529 rcu_read_unlock(); 530 531 /* 532 * If the access rule allows transmutation and 533 * the directory requests transmutation then 534 * by all means transmute. 535 */ 536 if (may > 0 && ((may & MAY_TRANSMUTE) != 0) && 537 smk_inode_transmutable(dir)) 538 isp = dsp; 539 540 *value = kstrdup(isp, GFP_KERNEL); 541 if (*value == NULL) 542 return -ENOMEM; 543 } 544 545 if (len) 546 *len = strlen(isp) + 1; 547 548 return 0; 549 } 550 551 /** 552 * smack_inode_link - Smack check on link 553 * @old_dentry: the existing object 554 * @dir: unused 555 * @new_dentry: the new object 556 * 557 * Returns 0 if access is permitted, an error code otherwise 558 */ 559 static int smack_inode_link(struct dentry *old_dentry, struct inode *dir, 560 struct dentry *new_dentry) 561 { 562 char *isp; 563 struct smk_audit_info ad; 564 int rc; 565 566 smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_FS); 567 smk_ad_setfield_u_fs_path_dentry(&ad, old_dentry); 568 569 isp = smk_of_inode(old_dentry->d_inode); 570 rc = smk_curacc(isp, MAY_WRITE, &ad); 571 572 if (rc == 0 && new_dentry->d_inode != NULL) { 573 isp = smk_of_inode(new_dentry->d_inode); 574 smk_ad_setfield_u_fs_path_dentry(&ad, new_dentry); 575 rc = smk_curacc(isp, MAY_WRITE, &ad); 576 } 577 578 return rc; 579 } 580 581 /** 582 * smack_inode_unlink - Smack check on inode deletion 583 * @dir: containing directory object 584 * @dentry: file to unlink 585 * 586 * Returns 0 if current can write the containing directory 587 * and the object, error code otherwise 588 */ 589 static int smack_inode_unlink(struct inode *dir, struct dentry *dentry) 590 { 591 struct inode *ip = dentry->d_inode; 592 struct smk_audit_info ad; 593 int rc; 594 595 smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_FS); 596 smk_ad_setfield_u_fs_path_dentry(&ad, dentry); 597 598 /* 599 * You need write access to the thing you're unlinking 600 */ 601 rc = smk_curacc(smk_of_inode(ip), MAY_WRITE, &ad); 602 if (rc == 0) { 603 /* 604 * You also need write access to the containing directory 605 */ 606 smk_ad_setfield_u_fs_path_dentry(&ad, NULL); 607 smk_ad_setfield_u_fs_inode(&ad, dir); 608 rc = smk_curacc(smk_of_inode(dir), MAY_WRITE, &ad); 609 } 610 return rc; 611 } 612 613 /** 614 * smack_inode_rmdir - Smack check on directory deletion 615 * @dir: containing directory object 616 * @dentry: directory to unlink 617 * 618 * Returns 0 if current can write the containing directory 619 * and the directory, error code otherwise 620 */ 621 static int smack_inode_rmdir(struct inode *dir, struct dentry *dentry) 622 { 623 struct smk_audit_info ad; 624 int rc; 625 626 smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_FS); 627 smk_ad_setfield_u_fs_path_dentry(&ad, dentry); 628 629 /* 630 * You need write access to the thing you're removing 631 */ 632 rc = smk_curacc(smk_of_inode(dentry->d_inode), MAY_WRITE, &ad); 633 if (rc == 0) { 634 /* 635 * You also need write access to the containing directory 636 */ 637 smk_ad_setfield_u_fs_path_dentry(&ad, NULL); 638 smk_ad_setfield_u_fs_inode(&ad, dir); 639 rc = smk_curacc(smk_of_inode(dir), MAY_WRITE, &ad); 640 } 641 642 return rc; 643 } 644 645 /** 646 * smack_inode_rename - Smack check on rename 647 * @old_inode: the old directory 648 * @old_dentry: unused 649 * @new_inode: the new directory 650 * @new_dentry: unused 651 * 652 * Read and write access is required on both the old and 653 * new directories. 654 * 655 * Returns 0 if access is permitted, an error code otherwise 656 */ 657 static int smack_inode_rename(struct inode *old_inode, 658 struct dentry *old_dentry, 659 struct inode *new_inode, 660 struct dentry *new_dentry) 661 { 662 int rc; 663 char *isp; 664 struct smk_audit_info ad; 665 666 smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_FS); 667 smk_ad_setfield_u_fs_path_dentry(&ad, old_dentry); 668 669 isp = smk_of_inode(old_dentry->d_inode); 670 rc = smk_curacc(isp, MAY_READWRITE, &ad); 671 672 if (rc == 0 && new_dentry->d_inode != NULL) { 673 isp = smk_of_inode(new_dentry->d_inode); 674 smk_ad_setfield_u_fs_path_dentry(&ad, new_dentry); 675 rc = smk_curacc(isp, MAY_READWRITE, &ad); 676 } 677 return rc; 678 } 679 680 /** 681 * smack_inode_permission - Smack version of permission() 682 * @inode: the inode in question 683 * @mask: the access requested 684 * 685 * This is the important Smack hook. 686 * 687 * Returns 0 if access is permitted, -EACCES otherwise 688 */ 689 static int smack_inode_permission(struct inode *inode, int mask) 690 { 691 struct smk_audit_info ad; 692 693 mask &= (MAY_READ|MAY_WRITE|MAY_EXEC|MAY_APPEND); 694 /* 695 * No permission to check. Existence test. Yup, it's there. 696 */ 697 if (mask == 0) 698 return 0; 699 smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_FS); 700 smk_ad_setfield_u_fs_inode(&ad, inode); 701 return smk_curacc(smk_of_inode(inode), mask, &ad); 702 } 703 704 /** 705 * smack_inode_setattr - Smack check for setting attributes 706 * @dentry: the object 707 * @iattr: for the force flag 708 * 709 * Returns 0 if access is permitted, an error code otherwise 710 */ 711 static int smack_inode_setattr(struct dentry *dentry, struct iattr *iattr) 712 { 713 struct smk_audit_info ad; 714 /* 715 * Need to allow for clearing the setuid bit. 716 */ 717 if (iattr->ia_valid & ATTR_FORCE) 718 return 0; 719 smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_FS); 720 smk_ad_setfield_u_fs_path_dentry(&ad, dentry); 721 722 return smk_curacc(smk_of_inode(dentry->d_inode), MAY_WRITE, &ad); 723 } 724 725 /** 726 * smack_inode_getattr - Smack check for getting attributes 727 * @mnt: unused 728 * @dentry: the object 729 * 730 * Returns 0 if access is permitted, an error code otherwise 731 */ 732 static int smack_inode_getattr(struct vfsmount *mnt, struct dentry *dentry) 733 { 734 struct smk_audit_info ad; 735 736 smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_FS); 737 smk_ad_setfield_u_fs_path_dentry(&ad, dentry); 738 smk_ad_setfield_u_fs_path_mnt(&ad, mnt); 739 return smk_curacc(smk_of_inode(dentry->d_inode), MAY_READ, &ad); 740 } 741 742 /** 743 * smack_inode_setxattr - Smack check for setting xattrs 744 * @dentry: the object 745 * @name: name of the attribute 746 * @value: unused 747 * @size: unused 748 * @flags: unused 749 * 750 * This protects the Smack attribute explicitly. 751 * 752 * Returns 0 if access is permitted, an error code otherwise 753 */ 754 static int smack_inode_setxattr(struct dentry *dentry, const char *name, 755 const void *value, size_t size, int flags) 756 { 757 struct smk_audit_info ad; 758 int rc = 0; 759 760 if (strcmp(name, XATTR_NAME_SMACK) == 0 || 761 strcmp(name, XATTR_NAME_SMACKIPIN) == 0 || 762 strcmp(name, XATTR_NAME_SMACKIPOUT) == 0 || 763 strcmp(name, XATTR_NAME_SMACKEXEC) == 0 || 764 strcmp(name, XATTR_NAME_SMACKMMAP) == 0) { 765 if (!capable(CAP_MAC_ADMIN)) 766 rc = -EPERM; 767 /* 768 * check label validity here so import wont fail on 769 * post_setxattr 770 */ 771 if (size == 0 || size >= SMK_LABELLEN || 772 smk_import(value, size) == NULL) 773 rc = -EINVAL; 774 } else if (strcmp(name, XATTR_NAME_SMACKTRANSMUTE) == 0) { 775 if (!capable(CAP_MAC_ADMIN)) 776 rc = -EPERM; 777 if (size != TRANS_TRUE_SIZE || 778 strncmp(value, TRANS_TRUE, TRANS_TRUE_SIZE) != 0) 779 rc = -EINVAL; 780 } else 781 rc = cap_inode_setxattr(dentry, name, value, size, flags); 782 783 smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_FS); 784 smk_ad_setfield_u_fs_path_dentry(&ad, dentry); 785 786 if (rc == 0) 787 rc = smk_curacc(smk_of_inode(dentry->d_inode), MAY_WRITE, &ad); 788 789 return rc; 790 } 791 792 /** 793 * smack_inode_post_setxattr - Apply the Smack update approved above 794 * @dentry: object 795 * @name: attribute name 796 * @value: attribute value 797 * @size: attribute size 798 * @flags: unused 799 * 800 * Set the pointer in the inode blob to the entry found 801 * in the master label list. 802 */ 803 static void smack_inode_post_setxattr(struct dentry *dentry, const char *name, 804 const void *value, size_t size, int flags) 805 { 806 char *nsp; 807 struct inode_smack *isp = dentry->d_inode->i_security; 808 809 if (strcmp(name, XATTR_NAME_SMACK) == 0) { 810 nsp = smk_import(value, size); 811 if (nsp != NULL) 812 isp->smk_inode = nsp; 813 else 814 isp->smk_inode = smack_known_invalid.smk_known; 815 } else if (strcmp(name, XATTR_NAME_SMACKEXEC) == 0) { 816 nsp = smk_import(value, size); 817 if (nsp != NULL) 818 isp->smk_task = nsp; 819 else 820 isp->smk_task = smack_known_invalid.smk_known; 821 } else if (strcmp(name, XATTR_NAME_SMACKMMAP) == 0) { 822 nsp = smk_import(value, size); 823 if (nsp != NULL) 824 isp->smk_mmap = nsp; 825 else 826 isp->smk_mmap = smack_known_invalid.smk_known; 827 } else if (strcmp(name, XATTR_NAME_SMACKTRANSMUTE) == 0) 828 isp->smk_flags |= SMK_INODE_TRANSMUTE; 829 830 return; 831 } 832 833 /* 834 * smack_inode_getxattr - Smack check on getxattr 835 * @dentry: the object 836 * @name: unused 837 * 838 * Returns 0 if access is permitted, an error code otherwise 839 */ 840 static int smack_inode_getxattr(struct dentry *dentry, const char *name) 841 { 842 struct smk_audit_info ad; 843 844 smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_FS); 845 smk_ad_setfield_u_fs_path_dentry(&ad, dentry); 846 847 return smk_curacc(smk_of_inode(dentry->d_inode), MAY_READ, &ad); 848 } 849 850 /* 851 * smack_inode_removexattr - Smack check on removexattr 852 * @dentry: the object 853 * @name: name of the attribute 854 * 855 * Removing the Smack attribute requires CAP_MAC_ADMIN 856 * 857 * Returns 0 if access is permitted, an error code otherwise 858 */ 859 static int smack_inode_removexattr(struct dentry *dentry, const char *name) 860 { 861 struct inode_smack *isp; 862 struct smk_audit_info ad; 863 int rc = 0; 864 865 if (strcmp(name, XATTR_NAME_SMACK) == 0 || 866 strcmp(name, XATTR_NAME_SMACKIPIN) == 0 || 867 strcmp(name, XATTR_NAME_SMACKIPOUT) == 0 || 868 strcmp(name, XATTR_NAME_SMACKEXEC) == 0 || 869 strcmp(name, XATTR_NAME_SMACKTRANSMUTE) == 0 || 870 strcmp(name, XATTR_NAME_SMACKMMAP)) { 871 if (!capable(CAP_MAC_ADMIN)) 872 rc = -EPERM; 873 } else 874 rc = cap_inode_removexattr(dentry, name); 875 876 smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_FS); 877 smk_ad_setfield_u_fs_path_dentry(&ad, dentry); 878 if (rc == 0) 879 rc = smk_curacc(smk_of_inode(dentry->d_inode), MAY_WRITE, &ad); 880 881 if (rc == 0) { 882 isp = dentry->d_inode->i_security; 883 isp->smk_task = NULL; 884 isp->smk_mmap = NULL; 885 } 886 887 return rc; 888 } 889 890 /** 891 * smack_inode_getsecurity - get smack xattrs 892 * @inode: the object 893 * @name: attribute name 894 * @buffer: where to put the result 895 * @alloc: unused 896 * 897 * Returns the size of the attribute or an error code 898 */ 899 static int smack_inode_getsecurity(const struct inode *inode, 900 const char *name, void **buffer, 901 bool alloc) 902 { 903 struct socket_smack *ssp; 904 struct socket *sock; 905 struct super_block *sbp; 906 struct inode *ip = (struct inode *)inode; 907 char *isp; 908 int ilen; 909 int rc = 0; 910 911 if (strcmp(name, XATTR_SMACK_SUFFIX) == 0) { 912 isp = smk_of_inode(inode); 913 ilen = strlen(isp) + 1; 914 *buffer = isp; 915 return ilen; 916 } 917 918 /* 919 * The rest of the Smack xattrs are only on sockets. 920 */ 921 sbp = ip->i_sb; 922 if (sbp->s_magic != SOCKFS_MAGIC) 923 return -EOPNOTSUPP; 924 925 sock = SOCKET_I(ip); 926 if (sock == NULL || sock->sk == NULL) 927 return -EOPNOTSUPP; 928 929 ssp = sock->sk->sk_security; 930 931 if (strcmp(name, XATTR_SMACK_IPIN) == 0) 932 isp = ssp->smk_in; 933 else if (strcmp(name, XATTR_SMACK_IPOUT) == 0) 934 isp = ssp->smk_out; 935 else 936 return -EOPNOTSUPP; 937 938 ilen = strlen(isp) + 1; 939 if (rc == 0) { 940 *buffer = isp; 941 rc = ilen; 942 } 943 944 return rc; 945 } 946 947 948 /** 949 * smack_inode_listsecurity - list the Smack attributes 950 * @inode: the object 951 * @buffer: where they go 952 * @buffer_size: size of buffer 953 * 954 * Returns 0 on success, -EINVAL otherwise 955 */ 956 static int smack_inode_listsecurity(struct inode *inode, char *buffer, 957 size_t buffer_size) 958 { 959 int len = strlen(XATTR_NAME_SMACK); 960 961 if (buffer != NULL && len <= buffer_size) { 962 memcpy(buffer, XATTR_NAME_SMACK, len); 963 return len; 964 } 965 return -EINVAL; 966 } 967 968 /** 969 * smack_inode_getsecid - Extract inode's security id 970 * @inode: inode to extract the info from 971 * @secid: where result will be saved 972 */ 973 static void smack_inode_getsecid(const struct inode *inode, u32 *secid) 974 { 975 struct inode_smack *isp = inode->i_security; 976 977 *secid = smack_to_secid(isp->smk_inode); 978 } 979 980 /* 981 * File Hooks 982 */ 983 984 /** 985 * smack_file_permission - Smack check on file operations 986 * @file: unused 987 * @mask: unused 988 * 989 * Returns 0 990 * 991 * Should access checks be done on each read or write? 992 * UNICOS and SELinux say yes. 993 * Trusted Solaris, Trusted Irix, and just about everyone else says no. 994 * 995 * I'll say no for now. Smack does not do the frequent 996 * label changing that SELinux does. 997 */ 998 static int smack_file_permission(struct file *file, int mask) 999 { 1000 return 0; 1001 } 1002 1003 /** 1004 * smack_file_alloc_security - assign a file security blob 1005 * @file: the object 1006 * 1007 * The security blob for a file is a pointer to the master 1008 * label list, so no allocation is done. 1009 * 1010 * Returns 0 1011 */ 1012 static int smack_file_alloc_security(struct file *file) 1013 { 1014 file->f_security = smk_of_current(); 1015 return 0; 1016 } 1017 1018 /** 1019 * smack_file_free_security - clear a file security blob 1020 * @file: the object 1021 * 1022 * The security blob for a file is a pointer to the master 1023 * label list, so no memory is freed. 1024 */ 1025 static void smack_file_free_security(struct file *file) 1026 { 1027 file->f_security = NULL; 1028 } 1029 1030 /** 1031 * smack_file_ioctl - Smack check on ioctls 1032 * @file: the object 1033 * @cmd: what to do 1034 * @arg: unused 1035 * 1036 * Relies heavily on the correct use of the ioctl command conventions. 1037 * 1038 * Returns 0 if allowed, error code otherwise 1039 */ 1040 static int smack_file_ioctl(struct file *file, unsigned int cmd, 1041 unsigned long arg) 1042 { 1043 int rc = 0; 1044 struct smk_audit_info ad; 1045 1046 smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_FS); 1047 smk_ad_setfield_u_fs_path(&ad, file->f_path); 1048 1049 if (_IOC_DIR(cmd) & _IOC_WRITE) 1050 rc = smk_curacc(file->f_security, MAY_WRITE, &ad); 1051 1052 if (rc == 0 && (_IOC_DIR(cmd) & _IOC_READ)) 1053 rc = smk_curacc(file->f_security, MAY_READ, &ad); 1054 1055 return rc; 1056 } 1057 1058 /** 1059 * smack_file_lock - Smack check on file locking 1060 * @file: the object 1061 * @cmd: unused 1062 * 1063 * Returns 0 if current has write access, error code otherwise 1064 */ 1065 static int smack_file_lock(struct file *file, unsigned int cmd) 1066 { 1067 struct smk_audit_info ad; 1068 1069 smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_FS); 1070 smk_ad_setfield_u_fs_path_dentry(&ad, file->f_path.dentry); 1071 return smk_curacc(file->f_security, MAY_WRITE, &ad); 1072 } 1073 1074 /** 1075 * smack_file_fcntl - Smack check on fcntl 1076 * @file: the object 1077 * @cmd: what action to check 1078 * @arg: unused 1079 * 1080 * Returns 0 if current has access, error code otherwise 1081 */ 1082 static int smack_file_fcntl(struct file *file, unsigned int cmd, 1083 unsigned long arg) 1084 { 1085 struct smk_audit_info ad; 1086 int rc; 1087 1088 smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_FS); 1089 smk_ad_setfield_u_fs_path(&ad, file->f_path); 1090 1091 switch (cmd) { 1092 case F_DUPFD: 1093 case F_GETFD: 1094 case F_GETFL: 1095 case F_GETLK: 1096 case F_GETOWN: 1097 case F_GETSIG: 1098 rc = smk_curacc(file->f_security, MAY_READ, &ad); 1099 break; 1100 case F_SETFD: 1101 case F_SETFL: 1102 case F_SETLK: 1103 case F_SETLKW: 1104 case F_SETOWN: 1105 case F_SETSIG: 1106 rc = smk_curacc(file->f_security, MAY_WRITE, &ad); 1107 break; 1108 default: 1109 rc = smk_curacc(file->f_security, MAY_READWRITE, &ad); 1110 } 1111 1112 return rc; 1113 } 1114 1115 /** 1116 * smack_file_mmap : 1117 * Check permissions for a mmap operation. The @file may be NULL, e.g. 1118 * if mapping anonymous memory. 1119 * @file contains the file structure for file to map (may be NULL). 1120 * @reqprot contains the protection requested by the application. 1121 * @prot contains the protection that will be applied by the kernel. 1122 * @flags contains the operational flags. 1123 * Return 0 if permission is granted. 1124 */ 1125 static int smack_file_mmap(struct file *file, 1126 unsigned long reqprot, unsigned long prot, 1127 unsigned long flags, unsigned long addr, 1128 unsigned long addr_only) 1129 { 1130 struct smack_rule *srp; 1131 struct task_smack *tsp; 1132 char *sp; 1133 char *msmack; 1134 char *osmack; 1135 struct inode_smack *isp; 1136 struct dentry *dp; 1137 int may; 1138 int mmay; 1139 int tmay; 1140 int rc; 1141 1142 /* do DAC check on address space usage */ 1143 rc = cap_file_mmap(file, reqprot, prot, flags, addr, addr_only); 1144 if (rc || addr_only) 1145 return rc; 1146 1147 if (file == NULL || file->f_dentry == NULL) 1148 return 0; 1149 1150 dp = file->f_dentry; 1151 1152 if (dp->d_inode == NULL) 1153 return 0; 1154 1155 isp = dp->d_inode->i_security; 1156 if (isp->smk_mmap == NULL) 1157 return 0; 1158 msmack = isp->smk_mmap; 1159 1160 tsp = current_security(); 1161 sp = smk_of_current(); 1162 rc = 0; 1163 1164 rcu_read_lock(); 1165 /* 1166 * For each Smack rule associated with the subject 1167 * label verify that the SMACK64MMAP also has access 1168 * to that rule's object label. 1169 * 1170 * Because neither of the labels comes 1171 * from the networking code it is sufficient 1172 * to compare pointers. 1173 */ 1174 list_for_each_entry_rcu(srp, &smack_rule_list, list) { 1175 if (srp->smk_subject != sp) 1176 continue; 1177 1178 osmack = srp->smk_object; 1179 /* 1180 * Matching labels always allows access. 1181 */ 1182 if (msmack == osmack) 1183 continue; 1184 /* 1185 * If there is a matching local rule take 1186 * that into account as well. 1187 */ 1188 may = smk_access_entry(srp->smk_subject, osmack, 1189 &tsp->smk_rules); 1190 if (may == -ENOENT) 1191 may = srp->smk_access; 1192 else 1193 may &= srp->smk_access; 1194 /* 1195 * If may is zero the SMACK64MMAP subject can't 1196 * possibly have less access. 1197 */ 1198 if (may == 0) 1199 continue; 1200 1201 /* 1202 * Fetch the global list entry. 1203 * If there isn't one a SMACK64MMAP subject 1204 * can't have as much access as current. 1205 */ 1206 mmay = smk_access_entry(msmack, osmack, &smack_rule_list); 1207 if (mmay == -ENOENT) { 1208 rc = -EACCES; 1209 break; 1210 } 1211 /* 1212 * If there is a local entry it modifies the 1213 * potential access, too. 1214 */ 1215 tmay = smk_access_entry(msmack, osmack, &tsp->smk_rules); 1216 if (tmay != -ENOENT) 1217 mmay &= tmay; 1218 1219 /* 1220 * If there is any access available to current that is 1221 * not available to a SMACK64MMAP subject 1222 * deny access. 1223 */ 1224 if ((may | mmay) != mmay) { 1225 rc = -EACCES; 1226 break; 1227 } 1228 } 1229 1230 rcu_read_unlock(); 1231 1232 return rc; 1233 } 1234 1235 /** 1236 * smack_file_set_fowner - set the file security blob value 1237 * @file: object in question 1238 * 1239 * Returns 0 1240 * Further research may be required on this one. 1241 */ 1242 static int smack_file_set_fowner(struct file *file) 1243 { 1244 file->f_security = smk_of_current(); 1245 return 0; 1246 } 1247 1248 /** 1249 * smack_file_send_sigiotask - Smack on sigio 1250 * @tsk: The target task 1251 * @fown: the object the signal come from 1252 * @signum: unused 1253 * 1254 * Allow a privileged task to get signals even if it shouldn't 1255 * 1256 * Returns 0 if a subject with the object's smack could 1257 * write to the task, an error code otherwise. 1258 */ 1259 static int smack_file_send_sigiotask(struct task_struct *tsk, 1260 struct fown_struct *fown, int signum) 1261 { 1262 struct file *file; 1263 int rc; 1264 char *tsp = smk_of_task(tsk->cred->security); 1265 struct smk_audit_info ad; 1266 1267 /* 1268 * struct fown_struct is never outside the context of a struct file 1269 */ 1270 file = container_of(fown, struct file, f_owner); 1271 1272 /* we don't log here as rc can be overriden */ 1273 rc = smk_access(file->f_security, tsp, MAY_WRITE, NULL); 1274 if (rc != 0 && has_capability(tsk, CAP_MAC_OVERRIDE)) 1275 rc = 0; 1276 1277 smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_TASK); 1278 smk_ad_setfield_u_tsk(&ad, tsk); 1279 smack_log(file->f_security, tsp, MAY_WRITE, rc, &ad); 1280 return rc; 1281 } 1282 1283 /** 1284 * smack_file_receive - Smack file receive check 1285 * @file: the object 1286 * 1287 * Returns 0 if current has access, error code otherwise 1288 */ 1289 static int smack_file_receive(struct file *file) 1290 { 1291 int may = 0; 1292 struct smk_audit_info ad; 1293 1294 smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_TASK); 1295 smk_ad_setfield_u_fs_path(&ad, file->f_path); 1296 /* 1297 * This code relies on bitmasks. 1298 */ 1299 if (file->f_mode & FMODE_READ) 1300 may = MAY_READ; 1301 if (file->f_mode & FMODE_WRITE) 1302 may |= MAY_WRITE; 1303 1304 return smk_curacc(file->f_security, may, &ad); 1305 } 1306 1307 /* 1308 * Task hooks 1309 */ 1310 1311 /** 1312 * smack_cred_alloc_blank - "allocate" blank task-level security credentials 1313 * @new: the new credentials 1314 * @gfp: the atomicity of any memory allocations 1315 * 1316 * Prepare a blank set of credentials for modification. This must allocate all 1317 * the memory the LSM module might require such that cred_transfer() can 1318 * complete without error. 1319 */ 1320 static int smack_cred_alloc_blank(struct cred *cred, gfp_t gfp) 1321 { 1322 struct task_smack *tsp; 1323 1324 tsp = new_task_smack(NULL, NULL, gfp); 1325 if (tsp == NULL) 1326 return -ENOMEM; 1327 1328 cred->security = tsp; 1329 1330 return 0; 1331 } 1332 1333 1334 /** 1335 * smack_cred_free - "free" task-level security credentials 1336 * @cred: the credentials in question 1337 * 1338 */ 1339 static void smack_cred_free(struct cred *cred) 1340 { 1341 struct task_smack *tsp = cred->security; 1342 struct smack_rule *rp; 1343 struct list_head *l; 1344 struct list_head *n; 1345 1346 if (tsp == NULL) 1347 return; 1348 cred->security = NULL; 1349 1350 list_for_each_safe(l, n, &tsp->smk_rules) { 1351 rp = list_entry(l, struct smack_rule, list); 1352 list_del(&rp->list); 1353 kfree(rp); 1354 } 1355 kfree(tsp); 1356 } 1357 1358 /** 1359 * smack_cred_prepare - prepare new set of credentials for modification 1360 * @new: the new credentials 1361 * @old: the original credentials 1362 * @gfp: the atomicity of any memory allocations 1363 * 1364 * Prepare a new set of credentials for modification. 1365 */ 1366 static int smack_cred_prepare(struct cred *new, const struct cred *old, 1367 gfp_t gfp) 1368 { 1369 struct task_smack *old_tsp = old->security; 1370 struct task_smack *new_tsp; 1371 int rc; 1372 1373 new_tsp = new_task_smack(old_tsp->smk_task, old_tsp->smk_task, gfp); 1374 if (new_tsp == NULL) 1375 return -ENOMEM; 1376 1377 rc = smk_copy_rules(&new_tsp->smk_rules, &old_tsp->smk_rules, gfp); 1378 if (rc != 0) 1379 return rc; 1380 1381 new->security = new_tsp; 1382 return 0; 1383 } 1384 1385 /** 1386 * smack_cred_transfer - Transfer the old credentials to the new credentials 1387 * @new: the new credentials 1388 * @old: the original credentials 1389 * 1390 * Fill in a set of blank credentials from another set of credentials. 1391 */ 1392 static void smack_cred_transfer(struct cred *new, const struct cred *old) 1393 { 1394 struct task_smack *old_tsp = old->security; 1395 struct task_smack *new_tsp = new->security; 1396 1397 new_tsp->smk_task = old_tsp->smk_task; 1398 new_tsp->smk_forked = old_tsp->smk_task; 1399 mutex_init(&new_tsp->smk_rules_lock); 1400 INIT_LIST_HEAD(&new_tsp->smk_rules); 1401 1402 1403 /* cbs copy rule list */ 1404 } 1405 1406 /** 1407 * smack_kernel_act_as - Set the subjective context in a set of credentials 1408 * @new: points to the set of credentials to be modified. 1409 * @secid: specifies the security ID to be set 1410 * 1411 * Set the security data for a kernel service. 1412 */ 1413 static int smack_kernel_act_as(struct cred *new, u32 secid) 1414 { 1415 struct task_smack *new_tsp = new->security; 1416 char *smack = smack_from_secid(secid); 1417 1418 if (smack == NULL) 1419 return -EINVAL; 1420 1421 new_tsp->smk_task = smack; 1422 return 0; 1423 } 1424 1425 /** 1426 * smack_kernel_create_files_as - Set the file creation label in a set of creds 1427 * @new: points to the set of credentials to be modified 1428 * @inode: points to the inode to use as a reference 1429 * 1430 * Set the file creation context in a set of credentials to the same 1431 * as the objective context of the specified inode 1432 */ 1433 static int smack_kernel_create_files_as(struct cred *new, 1434 struct inode *inode) 1435 { 1436 struct inode_smack *isp = inode->i_security; 1437 struct task_smack *tsp = new->security; 1438 1439 tsp->smk_forked = isp->smk_inode; 1440 tsp->smk_task = isp->smk_inode; 1441 return 0; 1442 } 1443 1444 /** 1445 * smk_curacc_on_task - helper to log task related access 1446 * @p: the task object 1447 * @access : the access requested 1448 * 1449 * Return 0 if access is permitted 1450 */ 1451 static int smk_curacc_on_task(struct task_struct *p, int access) 1452 { 1453 struct smk_audit_info ad; 1454 1455 smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_TASK); 1456 smk_ad_setfield_u_tsk(&ad, p); 1457 return smk_curacc(smk_of_task(task_security(p)), access, &ad); 1458 } 1459 1460 /** 1461 * smack_task_setpgid - Smack check on setting pgid 1462 * @p: the task object 1463 * @pgid: unused 1464 * 1465 * Return 0 if write access is permitted 1466 */ 1467 static int smack_task_setpgid(struct task_struct *p, pid_t pgid) 1468 { 1469 return smk_curacc_on_task(p, MAY_WRITE); 1470 } 1471 1472 /** 1473 * smack_task_getpgid - Smack access check for getpgid 1474 * @p: the object task 1475 * 1476 * Returns 0 if current can read the object task, error code otherwise 1477 */ 1478 static int smack_task_getpgid(struct task_struct *p) 1479 { 1480 return smk_curacc_on_task(p, MAY_READ); 1481 } 1482 1483 /** 1484 * smack_task_getsid - Smack access check for getsid 1485 * @p: the object task 1486 * 1487 * Returns 0 if current can read the object task, error code otherwise 1488 */ 1489 static int smack_task_getsid(struct task_struct *p) 1490 { 1491 return smk_curacc_on_task(p, MAY_READ); 1492 } 1493 1494 /** 1495 * smack_task_getsecid - get the secid of the task 1496 * @p: the object task 1497 * @secid: where to put the result 1498 * 1499 * Sets the secid to contain a u32 version of the smack label. 1500 */ 1501 static void smack_task_getsecid(struct task_struct *p, u32 *secid) 1502 { 1503 *secid = smack_to_secid(smk_of_task(task_security(p))); 1504 } 1505 1506 /** 1507 * smack_task_setnice - Smack check on setting nice 1508 * @p: the task object 1509 * @nice: unused 1510 * 1511 * Return 0 if write access is permitted 1512 */ 1513 static int smack_task_setnice(struct task_struct *p, int nice) 1514 { 1515 int rc; 1516 1517 rc = cap_task_setnice(p, nice); 1518 if (rc == 0) 1519 rc = smk_curacc_on_task(p, MAY_WRITE); 1520 return rc; 1521 } 1522 1523 /** 1524 * smack_task_setioprio - Smack check on setting ioprio 1525 * @p: the task object 1526 * @ioprio: unused 1527 * 1528 * Return 0 if write access is permitted 1529 */ 1530 static int smack_task_setioprio(struct task_struct *p, int ioprio) 1531 { 1532 int rc; 1533 1534 rc = cap_task_setioprio(p, ioprio); 1535 if (rc == 0) 1536 rc = smk_curacc_on_task(p, MAY_WRITE); 1537 return rc; 1538 } 1539 1540 /** 1541 * smack_task_getioprio - Smack check on reading ioprio 1542 * @p: the task object 1543 * 1544 * Return 0 if read access is permitted 1545 */ 1546 static int smack_task_getioprio(struct task_struct *p) 1547 { 1548 return smk_curacc_on_task(p, MAY_READ); 1549 } 1550 1551 /** 1552 * smack_task_setscheduler - Smack check on setting scheduler 1553 * @p: the task object 1554 * @policy: unused 1555 * @lp: unused 1556 * 1557 * Return 0 if read access is permitted 1558 */ 1559 static int smack_task_setscheduler(struct task_struct *p) 1560 { 1561 int rc; 1562 1563 rc = cap_task_setscheduler(p); 1564 if (rc == 0) 1565 rc = smk_curacc_on_task(p, MAY_WRITE); 1566 return rc; 1567 } 1568 1569 /** 1570 * smack_task_getscheduler - Smack check on reading scheduler 1571 * @p: the task object 1572 * 1573 * Return 0 if read access is permitted 1574 */ 1575 static int smack_task_getscheduler(struct task_struct *p) 1576 { 1577 return smk_curacc_on_task(p, MAY_READ); 1578 } 1579 1580 /** 1581 * smack_task_movememory - Smack check on moving memory 1582 * @p: the task object 1583 * 1584 * Return 0 if write access is permitted 1585 */ 1586 static int smack_task_movememory(struct task_struct *p) 1587 { 1588 return smk_curacc_on_task(p, MAY_WRITE); 1589 } 1590 1591 /** 1592 * smack_task_kill - Smack check on signal delivery 1593 * @p: the task object 1594 * @info: unused 1595 * @sig: unused 1596 * @secid: identifies the smack to use in lieu of current's 1597 * 1598 * Return 0 if write access is permitted 1599 * 1600 * The secid behavior is an artifact of an SELinux hack 1601 * in the USB code. Someday it may go away. 1602 */ 1603 static int smack_task_kill(struct task_struct *p, struct siginfo *info, 1604 int sig, u32 secid) 1605 { 1606 struct smk_audit_info ad; 1607 1608 smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_TASK); 1609 smk_ad_setfield_u_tsk(&ad, p); 1610 /* 1611 * Sending a signal requires that the sender 1612 * can write the receiver. 1613 */ 1614 if (secid == 0) 1615 return smk_curacc(smk_of_task(task_security(p)), MAY_WRITE, 1616 &ad); 1617 /* 1618 * If the secid isn't 0 we're dealing with some USB IO 1619 * specific behavior. This is not clean. For one thing 1620 * we can't take privilege into account. 1621 */ 1622 return smk_access(smack_from_secid(secid), 1623 smk_of_task(task_security(p)), MAY_WRITE, &ad); 1624 } 1625 1626 /** 1627 * smack_task_wait - Smack access check for waiting 1628 * @p: task to wait for 1629 * 1630 * Returns 0 if current can wait for p, error code otherwise 1631 */ 1632 static int smack_task_wait(struct task_struct *p) 1633 { 1634 struct smk_audit_info ad; 1635 char *sp = smk_of_current(); 1636 char *tsp = smk_of_forked(task_security(p)); 1637 int rc; 1638 1639 /* we don't log here, we can be overriden */ 1640 rc = smk_access(tsp, sp, MAY_WRITE, NULL); 1641 if (rc == 0) 1642 goto out_log; 1643 1644 /* 1645 * Allow the operation to succeed if either task 1646 * has privilege to perform operations that might 1647 * account for the smack labels having gotten to 1648 * be different in the first place. 1649 * 1650 * This breaks the strict subject/object access 1651 * control ideal, taking the object's privilege 1652 * state into account in the decision as well as 1653 * the smack value. 1654 */ 1655 if (capable(CAP_MAC_OVERRIDE) || has_capability(p, CAP_MAC_OVERRIDE)) 1656 rc = 0; 1657 /* we log only if we didn't get overriden */ 1658 out_log: 1659 smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_TASK); 1660 smk_ad_setfield_u_tsk(&ad, p); 1661 smack_log(tsp, sp, MAY_WRITE, rc, &ad); 1662 return rc; 1663 } 1664 1665 /** 1666 * smack_task_to_inode - copy task smack into the inode blob 1667 * @p: task to copy from 1668 * @inode: inode to copy to 1669 * 1670 * Sets the smack pointer in the inode security blob 1671 */ 1672 static void smack_task_to_inode(struct task_struct *p, struct inode *inode) 1673 { 1674 struct inode_smack *isp = inode->i_security; 1675 isp->smk_inode = smk_of_task(task_security(p)); 1676 } 1677 1678 /* 1679 * Socket hooks. 1680 */ 1681 1682 /** 1683 * smack_sk_alloc_security - Allocate a socket blob 1684 * @sk: the socket 1685 * @family: unused 1686 * @gfp_flags: memory allocation flags 1687 * 1688 * Assign Smack pointers to current 1689 * 1690 * Returns 0 on success, -ENOMEM is there's no memory 1691 */ 1692 static int smack_sk_alloc_security(struct sock *sk, int family, gfp_t gfp_flags) 1693 { 1694 char *csp = smk_of_current(); 1695 struct socket_smack *ssp; 1696 1697 ssp = kzalloc(sizeof(struct socket_smack), gfp_flags); 1698 if (ssp == NULL) 1699 return -ENOMEM; 1700 1701 ssp->smk_in = csp; 1702 ssp->smk_out = csp; 1703 ssp->smk_packet[0] = '\0'; 1704 1705 sk->sk_security = ssp; 1706 1707 return 0; 1708 } 1709 1710 /** 1711 * smack_sk_free_security - Free a socket blob 1712 * @sk: the socket 1713 * 1714 * Clears the blob pointer 1715 */ 1716 static void smack_sk_free_security(struct sock *sk) 1717 { 1718 kfree(sk->sk_security); 1719 } 1720 1721 /** 1722 * smack_host_label - check host based restrictions 1723 * @sip: the object end 1724 * 1725 * looks for host based access restrictions 1726 * 1727 * This version will only be appropriate for really small sets of single label 1728 * hosts. The caller is responsible for ensuring that the RCU read lock is 1729 * taken before calling this function. 1730 * 1731 * Returns the label of the far end or NULL if it's not special. 1732 */ 1733 static char *smack_host_label(struct sockaddr_in *sip) 1734 { 1735 struct smk_netlbladdr *snp; 1736 struct in_addr *siap = &sip->sin_addr; 1737 1738 if (siap->s_addr == 0) 1739 return NULL; 1740 1741 list_for_each_entry_rcu(snp, &smk_netlbladdr_list, list) 1742 /* 1743 * we break after finding the first match because 1744 * the list is sorted from longest to shortest mask 1745 * so we have found the most specific match 1746 */ 1747 if ((&snp->smk_host.sin_addr)->s_addr == 1748 (siap->s_addr & (&snp->smk_mask)->s_addr)) { 1749 /* we have found the special CIPSO option */ 1750 if (snp->smk_label == smack_cipso_option) 1751 return NULL; 1752 return snp->smk_label; 1753 } 1754 1755 return NULL; 1756 } 1757 1758 /** 1759 * smack_set_catset - convert a capset to netlabel mls categories 1760 * @catset: the Smack categories 1761 * @sap: where to put the netlabel categories 1762 * 1763 * Allocates and fills attr.mls.cat 1764 */ 1765 static void smack_set_catset(char *catset, struct netlbl_lsm_secattr *sap) 1766 { 1767 unsigned char *cp; 1768 unsigned char m; 1769 int cat; 1770 int rc; 1771 int byte; 1772 1773 if (!catset) 1774 return; 1775 1776 sap->flags |= NETLBL_SECATTR_MLS_CAT; 1777 sap->attr.mls.cat = netlbl_secattr_catmap_alloc(GFP_ATOMIC); 1778 sap->attr.mls.cat->startbit = 0; 1779 1780 for (cat = 1, cp = catset, byte = 0; byte < SMK_LABELLEN; cp++, byte++) 1781 for (m = 0x80; m != 0; m >>= 1, cat++) { 1782 if ((m & *cp) == 0) 1783 continue; 1784 rc = netlbl_secattr_catmap_setbit(sap->attr.mls.cat, 1785 cat, GFP_ATOMIC); 1786 } 1787 } 1788 1789 /** 1790 * smack_to_secattr - fill a secattr from a smack value 1791 * @smack: the smack value 1792 * @nlsp: where the result goes 1793 * 1794 * Casey says that CIPSO is good enough for now. 1795 * It can be used to effect. 1796 * It can also be abused to effect when necessary. 1797 * Appologies to the TSIG group in general and GW in particular. 1798 */ 1799 static void smack_to_secattr(char *smack, struct netlbl_lsm_secattr *nlsp) 1800 { 1801 struct smack_cipso cipso; 1802 int rc; 1803 1804 nlsp->domain = smack; 1805 nlsp->flags = NETLBL_SECATTR_DOMAIN | NETLBL_SECATTR_MLS_LVL; 1806 1807 rc = smack_to_cipso(smack, &cipso); 1808 if (rc == 0) { 1809 nlsp->attr.mls.lvl = cipso.smk_level; 1810 smack_set_catset(cipso.smk_catset, nlsp); 1811 } else { 1812 nlsp->attr.mls.lvl = smack_cipso_direct; 1813 smack_set_catset(smack, nlsp); 1814 } 1815 } 1816 1817 /** 1818 * smack_netlabel - Set the secattr on a socket 1819 * @sk: the socket 1820 * @labeled: socket label scheme 1821 * 1822 * Convert the outbound smack value (smk_out) to a 1823 * secattr and attach it to the socket. 1824 * 1825 * Returns 0 on success or an error code 1826 */ 1827 static int smack_netlabel(struct sock *sk, int labeled) 1828 { 1829 struct socket_smack *ssp = sk->sk_security; 1830 struct netlbl_lsm_secattr secattr; 1831 int rc = 0; 1832 1833 /* 1834 * Usually the netlabel code will handle changing the 1835 * packet labeling based on the label. 1836 * The case of a single label host is different, because 1837 * a single label host should never get a labeled packet 1838 * even though the label is usually associated with a packet 1839 * label. 1840 */ 1841 local_bh_disable(); 1842 bh_lock_sock_nested(sk); 1843 1844 if (ssp->smk_out == smack_net_ambient || 1845 labeled == SMACK_UNLABELED_SOCKET) 1846 netlbl_sock_delattr(sk); 1847 else { 1848 netlbl_secattr_init(&secattr); 1849 smack_to_secattr(ssp->smk_out, &secattr); 1850 rc = netlbl_sock_setattr(sk, sk->sk_family, &secattr); 1851 netlbl_secattr_destroy(&secattr); 1852 } 1853 1854 bh_unlock_sock(sk); 1855 local_bh_enable(); 1856 1857 return rc; 1858 } 1859 1860 /** 1861 * smack_netlbel_send - Set the secattr on a socket and perform access checks 1862 * @sk: the socket 1863 * @sap: the destination address 1864 * 1865 * Set the correct secattr for the given socket based on the destination 1866 * address and perform any outbound access checks needed. 1867 * 1868 * Returns 0 on success or an error code. 1869 * 1870 */ 1871 static int smack_netlabel_send(struct sock *sk, struct sockaddr_in *sap) 1872 { 1873 int rc; 1874 int sk_lbl; 1875 char *hostsp; 1876 struct socket_smack *ssp = sk->sk_security; 1877 struct smk_audit_info ad; 1878 1879 rcu_read_lock(); 1880 hostsp = smack_host_label(sap); 1881 if (hostsp != NULL) { 1882 sk_lbl = SMACK_UNLABELED_SOCKET; 1883 #ifdef CONFIG_AUDIT 1884 smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_NET); 1885 ad.a.u.net.family = sap->sin_family; 1886 ad.a.u.net.dport = sap->sin_port; 1887 ad.a.u.net.v4info.daddr = sap->sin_addr.s_addr; 1888 #endif 1889 rc = smk_access(ssp->smk_out, hostsp, MAY_WRITE, &ad); 1890 } else { 1891 sk_lbl = SMACK_CIPSO_SOCKET; 1892 rc = 0; 1893 } 1894 rcu_read_unlock(); 1895 if (rc != 0) 1896 return rc; 1897 1898 return smack_netlabel(sk, sk_lbl); 1899 } 1900 1901 /** 1902 * smack_inode_setsecurity - set smack xattrs 1903 * @inode: the object 1904 * @name: attribute name 1905 * @value: attribute value 1906 * @size: size of the attribute 1907 * @flags: unused 1908 * 1909 * Sets the named attribute in the appropriate blob 1910 * 1911 * Returns 0 on success, or an error code 1912 */ 1913 static int smack_inode_setsecurity(struct inode *inode, const char *name, 1914 const void *value, size_t size, int flags) 1915 { 1916 char *sp; 1917 struct inode_smack *nsp = inode->i_security; 1918 struct socket_smack *ssp; 1919 struct socket *sock; 1920 int rc = 0; 1921 1922 if (value == NULL || size > SMK_LABELLEN || size == 0) 1923 return -EACCES; 1924 1925 sp = smk_import(value, size); 1926 if (sp == NULL) 1927 return -EINVAL; 1928 1929 if (strcmp(name, XATTR_SMACK_SUFFIX) == 0) { 1930 nsp->smk_inode = sp; 1931 nsp->smk_flags |= SMK_INODE_INSTANT; 1932 return 0; 1933 } 1934 /* 1935 * The rest of the Smack xattrs are only on sockets. 1936 */ 1937 if (inode->i_sb->s_magic != SOCKFS_MAGIC) 1938 return -EOPNOTSUPP; 1939 1940 sock = SOCKET_I(inode); 1941 if (sock == NULL || sock->sk == NULL) 1942 return -EOPNOTSUPP; 1943 1944 ssp = sock->sk->sk_security; 1945 1946 if (strcmp(name, XATTR_SMACK_IPIN) == 0) 1947 ssp->smk_in = sp; 1948 else if (strcmp(name, XATTR_SMACK_IPOUT) == 0) { 1949 ssp->smk_out = sp; 1950 if (sock->sk->sk_family != PF_UNIX) { 1951 rc = smack_netlabel(sock->sk, SMACK_CIPSO_SOCKET); 1952 if (rc != 0) 1953 printk(KERN_WARNING 1954 "Smack: \"%s\" netlbl error %d.\n", 1955 __func__, -rc); 1956 } 1957 } else 1958 return -EOPNOTSUPP; 1959 1960 return 0; 1961 } 1962 1963 /** 1964 * smack_socket_post_create - finish socket setup 1965 * @sock: the socket 1966 * @family: protocol family 1967 * @type: unused 1968 * @protocol: unused 1969 * @kern: unused 1970 * 1971 * Sets the netlabel information on the socket 1972 * 1973 * Returns 0 on success, and error code otherwise 1974 */ 1975 static int smack_socket_post_create(struct socket *sock, int family, 1976 int type, int protocol, int kern) 1977 { 1978 if (family != PF_INET || sock->sk == NULL) 1979 return 0; 1980 /* 1981 * Set the outbound netlbl. 1982 */ 1983 return smack_netlabel(sock->sk, SMACK_CIPSO_SOCKET); 1984 } 1985 1986 /** 1987 * smack_socket_connect - connect access check 1988 * @sock: the socket 1989 * @sap: the other end 1990 * @addrlen: size of sap 1991 * 1992 * Verifies that a connection may be possible 1993 * 1994 * Returns 0 on success, and error code otherwise 1995 */ 1996 static int smack_socket_connect(struct socket *sock, struct sockaddr *sap, 1997 int addrlen) 1998 { 1999 if (sock->sk == NULL || sock->sk->sk_family != PF_INET) 2000 return 0; 2001 if (addrlen < sizeof(struct sockaddr_in)) 2002 return -EINVAL; 2003 2004 return smack_netlabel_send(sock->sk, (struct sockaddr_in *)sap); 2005 } 2006 2007 /** 2008 * smack_flags_to_may - convert S_ to MAY_ values 2009 * @flags: the S_ value 2010 * 2011 * Returns the equivalent MAY_ value 2012 */ 2013 static int smack_flags_to_may(int flags) 2014 { 2015 int may = 0; 2016 2017 if (flags & S_IRUGO) 2018 may |= MAY_READ; 2019 if (flags & S_IWUGO) 2020 may |= MAY_WRITE; 2021 if (flags & S_IXUGO) 2022 may |= MAY_EXEC; 2023 2024 return may; 2025 } 2026 2027 /** 2028 * smack_msg_msg_alloc_security - Set the security blob for msg_msg 2029 * @msg: the object 2030 * 2031 * Returns 0 2032 */ 2033 static int smack_msg_msg_alloc_security(struct msg_msg *msg) 2034 { 2035 msg->security = smk_of_current(); 2036 return 0; 2037 } 2038 2039 /** 2040 * smack_msg_msg_free_security - Clear the security blob for msg_msg 2041 * @msg: the object 2042 * 2043 * Clears the blob pointer 2044 */ 2045 static void smack_msg_msg_free_security(struct msg_msg *msg) 2046 { 2047 msg->security = NULL; 2048 } 2049 2050 /** 2051 * smack_of_shm - the smack pointer for the shm 2052 * @shp: the object 2053 * 2054 * Returns a pointer to the smack value 2055 */ 2056 static char *smack_of_shm(struct shmid_kernel *shp) 2057 { 2058 return (char *)shp->shm_perm.security; 2059 } 2060 2061 /** 2062 * smack_shm_alloc_security - Set the security blob for shm 2063 * @shp: the object 2064 * 2065 * Returns 0 2066 */ 2067 static int smack_shm_alloc_security(struct shmid_kernel *shp) 2068 { 2069 struct kern_ipc_perm *isp = &shp->shm_perm; 2070 2071 isp->security = smk_of_current(); 2072 return 0; 2073 } 2074 2075 /** 2076 * smack_shm_free_security - Clear the security blob for shm 2077 * @shp: the object 2078 * 2079 * Clears the blob pointer 2080 */ 2081 static void smack_shm_free_security(struct shmid_kernel *shp) 2082 { 2083 struct kern_ipc_perm *isp = &shp->shm_perm; 2084 2085 isp->security = NULL; 2086 } 2087 2088 /** 2089 * smk_curacc_shm : check if current has access on shm 2090 * @shp : the object 2091 * @access : access requested 2092 * 2093 * Returns 0 if current has the requested access, error code otherwise 2094 */ 2095 static int smk_curacc_shm(struct shmid_kernel *shp, int access) 2096 { 2097 char *ssp = smack_of_shm(shp); 2098 struct smk_audit_info ad; 2099 2100 #ifdef CONFIG_AUDIT 2101 smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_IPC); 2102 ad.a.u.ipc_id = shp->shm_perm.id; 2103 #endif 2104 return smk_curacc(ssp, access, &ad); 2105 } 2106 2107 /** 2108 * smack_shm_associate - Smack access check for shm 2109 * @shp: the object 2110 * @shmflg: access requested 2111 * 2112 * Returns 0 if current has the requested access, error code otherwise 2113 */ 2114 static int smack_shm_associate(struct shmid_kernel *shp, int shmflg) 2115 { 2116 int may; 2117 2118 may = smack_flags_to_may(shmflg); 2119 return smk_curacc_shm(shp, may); 2120 } 2121 2122 /** 2123 * smack_shm_shmctl - Smack access check for shm 2124 * @shp: the object 2125 * @cmd: what it wants to do 2126 * 2127 * Returns 0 if current has the requested access, error code otherwise 2128 */ 2129 static int smack_shm_shmctl(struct shmid_kernel *shp, int cmd) 2130 { 2131 int may; 2132 2133 switch (cmd) { 2134 case IPC_STAT: 2135 case SHM_STAT: 2136 may = MAY_READ; 2137 break; 2138 case IPC_SET: 2139 case SHM_LOCK: 2140 case SHM_UNLOCK: 2141 case IPC_RMID: 2142 may = MAY_READWRITE; 2143 break; 2144 case IPC_INFO: 2145 case SHM_INFO: 2146 /* 2147 * System level information. 2148 */ 2149 return 0; 2150 default: 2151 return -EINVAL; 2152 } 2153 return smk_curacc_shm(shp, may); 2154 } 2155 2156 /** 2157 * smack_shm_shmat - Smack access for shmat 2158 * @shp: the object 2159 * @shmaddr: unused 2160 * @shmflg: access requested 2161 * 2162 * Returns 0 if current has the requested access, error code otherwise 2163 */ 2164 static int smack_shm_shmat(struct shmid_kernel *shp, char __user *shmaddr, 2165 int shmflg) 2166 { 2167 int may; 2168 2169 may = smack_flags_to_may(shmflg); 2170 return smk_curacc_shm(shp, may); 2171 } 2172 2173 /** 2174 * smack_of_sem - the smack pointer for the sem 2175 * @sma: the object 2176 * 2177 * Returns a pointer to the smack value 2178 */ 2179 static char *smack_of_sem(struct sem_array *sma) 2180 { 2181 return (char *)sma->sem_perm.security; 2182 } 2183 2184 /** 2185 * smack_sem_alloc_security - Set the security blob for sem 2186 * @sma: the object 2187 * 2188 * Returns 0 2189 */ 2190 static int smack_sem_alloc_security(struct sem_array *sma) 2191 { 2192 struct kern_ipc_perm *isp = &sma->sem_perm; 2193 2194 isp->security = smk_of_current(); 2195 return 0; 2196 } 2197 2198 /** 2199 * smack_sem_free_security - Clear the security blob for sem 2200 * @sma: the object 2201 * 2202 * Clears the blob pointer 2203 */ 2204 static void smack_sem_free_security(struct sem_array *sma) 2205 { 2206 struct kern_ipc_perm *isp = &sma->sem_perm; 2207 2208 isp->security = NULL; 2209 } 2210 2211 /** 2212 * smk_curacc_sem : check if current has access on sem 2213 * @sma : the object 2214 * @access : access requested 2215 * 2216 * Returns 0 if current has the requested access, error code otherwise 2217 */ 2218 static int smk_curacc_sem(struct sem_array *sma, int access) 2219 { 2220 char *ssp = smack_of_sem(sma); 2221 struct smk_audit_info ad; 2222 2223 #ifdef CONFIG_AUDIT 2224 smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_IPC); 2225 ad.a.u.ipc_id = sma->sem_perm.id; 2226 #endif 2227 return smk_curacc(ssp, access, &ad); 2228 } 2229 2230 /** 2231 * smack_sem_associate - Smack access check for sem 2232 * @sma: the object 2233 * @semflg: access requested 2234 * 2235 * Returns 0 if current has the requested access, error code otherwise 2236 */ 2237 static int smack_sem_associate(struct sem_array *sma, int semflg) 2238 { 2239 int may; 2240 2241 may = smack_flags_to_may(semflg); 2242 return smk_curacc_sem(sma, may); 2243 } 2244 2245 /** 2246 * smack_sem_shmctl - Smack access check for sem 2247 * @sma: the object 2248 * @cmd: what it wants to do 2249 * 2250 * Returns 0 if current has the requested access, error code otherwise 2251 */ 2252 static int smack_sem_semctl(struct sem_array *sma, int cmd) 2253 { 2254 int may; 2255 2256 switch (cmd) { 2257 case GETPID: 2258 case GETNCNT: 2259 case GETZCNT: 2260 case GETVAL: 2261 case GETALL: 2262 case IPC_STAT: 2263 case SEM_STAT: 2264 may = MAY_READ; 2265 break; 2266 case SETVAL: 2267 case SETALL: 2268 case IPC_RMID: 2269 case IPC_SET: 2270 may = MAY_READWRITE; 2271 break; 2272 case IPC_INFO: 2273 case SEM_INFO: 2274 /* 2275 * System level information 2276 */ 2277 return 0; 2278 default: 2279 return -EINVAL; 2280 } 2281 2282 return smk_curacc_sem(sma, may); 2283 } 2284 2285 /** 2286 * smack_sem_semop - Smack checks of semaphore operations 2287 * @sma: the object 2288 * @sops: unused 2289 * @nsops: unused 2290 * @alter: unused 2291 * 2292 * Treated as read and write in all cases. 2293 * 2294 * Returns 0 if access is allowed, error code otherwise 2295 */ 2296 static int smack_sem_semop(struct sem_array *sma, struct sembuf *sops, 2297 unsigned nsops, int alter) 2298 { 2299 return smk_curacc_sem(sma, MAY_READWRITE); 2300 } 2301 2302 /** 2303 * smack_msg_alloc_security - Set the security blob for msg 2304 * @msq: the object 2305 * 2306 * Returns 0 2307 */ 2308 static int smack_msg_queue_alloc_security(struct msg_queue *msq) 2309 { 2310 struct kern_ipc_perm *kisp = &msq->q_perm; 2311 2312 kisp->security = smk_of_current(); 2313 return 0; 2314 } 2315 2316 /** 2317 * smack_msg_free_security - Clear the security blob for msg 2318 * @msq: the object 2319 * 2320 * Clears the blob pointer 2321 */ 2322 static void smack_msg_queue_free_security(struct msg_queue *msq) 2323 { 2324 struct kern_ipc_perm *kisp = &msq->q_perm; 2325 2326 kisp->security = NULL; 2327 } 2328 2329 /** 2330 * smack_of_msq - the smack pointer for the msq 2331 * @msq: the object 2332 * 2333 * Returns a pointer to the smack value 2334 */ 2335 static char *smack_of_msq(struct msg_queue *msq) 2336 { 2337 return (char *)msq->q_perm.security; 2338 } 2339 2340 /** 2341 * smk_curacc_msq : helper to check if current has access on msq 2342 * @msq : the msq 2343 * @access : access requested 2344 * 2345 * return 0 if current has access, error otherwise 2346 */ 2347 static int smk_curacc_msq(struct msg_queue *msq, int access) 2348 { 2349 char *msp = smack_of_msq(msq); 2350 struct smk_audit_info ad; 2351 2352 #ifdef CONFIG_AUDIT 2353 smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_IPC); 2354 ad.a.u.ipc_id = msq->q_perm.id; 2355 #endif 2356 return smk_curacc(msp, access, &ad); 2357 } 2358 2359 /** 2360 * smack_msg_queue_associate - Smack access check for msg_queue 2361 * @msq: the object 2362 * @msqflg: access requested 2363 * 2364 * Returns 0 if current has the requested access, error code otherwise 2365 */ 2366 static int smack_msg_queue_associate(struct msg_queue *msq, int msqflg) 2367 { 2368 int may; 2369 2370 may = smack_flags_to_may(msqflg); 2371 return smk_curacc_msq(msq, may); 2372 } 2373 2374 /** 2375 * smack_msg_queue_msgctl - Smack access check for msg_queue 2376 * @msq: the object 2377 * @cmd: what it wants to do 2378 * 2379 * Returns 0 if current has the requested access, error code otherwise 2380 */ 2381 static int smack_msg_queue_msgctl(struct msg_queue *msq, int cmd) 2382 { 2383 int may; 2384 2385 switch (cmd) { 2386 case IPC_STAT: 2387 case MSG_STAT: 2388 may = MAY_READ; 2389 break; 2390 case IPC_SET: 2391 case IPC_RMID: 2392 may = MAY_READWRITE; 2393 break; 2394 case IPC_INFO: 2395 case MSG_INFO: 2396 /* 2397 * System level information 2398 */ 2399 return 0; 2400 default: 2401 return -EINVAL; 2402 } 2403 2404 return smk_curacc_msq(msq, may); 2405 } 2406 2407 /** 2408 * smack_msg_queue_msgsnd - Smack access check for msg_queue 2409 * @msq: the object 2410 * @msg: unused 2411 * @msqflg: access requested 2412 * 2413 * Returns 0 if current has the requested access, error code otherwise 2414 */ 2415 static int smack_msg_queue_msgsnd(struct msg_queue *msq, struct msg_msg *msg, 2416 int msqflg) 2417 { 2418 int may; 2419 2420 may = smack_flags_to_may(msqflg); 2421 return smk_curacc_msq(msq, may); 2422 } 2423 2424 /** 2425 * smack_msg_queue_msgsnd - Smack access check for msg_queue 2426 * @msq: the object 2427 * @msg: unused 2428 * @target: unused 2429 * @type: unused 2430 * @mode: unused 2431 * 2432 * Returns 0 if current has read and write access, error code otherwise 2433 */ 2434 static int smack_msg_queue_msgrcv(struct msg_queue *msq, struct msg_msg *msg, 2435 struct task_struct *target, long type, int mode) 2436 { 2437 return smk_curacc_msq(msq, MAY_READWRITE); 2438 } 2439 2440 /** 2441 * smack_ipc_permission - Smack access for ipc_permission() 2442 * @ipp: the object permissions 2443 * @flag: access requested 2444 * 2445 * Returns 0 if current has read and write access, error code otherwise 2446 */ 2447 static int smack_ipc_permission(struct kern_ipc_perm *ipp, short flag) 2448 { 2449 char *isp = ipp->security; 2450 int may = smack_flags_to_may(flag); 2451 struct smk_audit_info ad; 2452 2453 #ifdef CONFIG_AUDIT 2454 smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_IPC); 2455 ad.a.u.ipc_id = ipp->id; 2456 #endif 2457 return smk_curacc(isp, may, &ad); 2458 } 2459 2460 /** 2461 * smack_ipc_getsecid - Extract smack security id 2462 * @ipp: the object permissions 2463 * @secid: where result will be saved 2464 */ 2465 static void smack_ipc_getsecid(struct kern_ipc_perm *ipp, u32 *secid) 2466 { 2467 char *smack = ipp->security; 2468 2469 *secid = smack_to_secid(smack); 2470 } 2471 2472 /** 2473 * smack_d_instantiate - Make sure the blob is correct on an inode 2474 * @opt_dentry: dentry where inode will be attached 2475 * @inode: the object 2476 * 2477 * Set the inode's security blob if it hasn't been done already. 2478 */ 2479 static void smack_d_instantiate(struct dentry *opt_dentry, struct inode *inode) 2480 { 2481 struct super_block *sbp; 2482 struct superblock_smack *sbsp; 2483 struct inode_smack *isp; 2484 char *csp = smk_of_current(); 2485 char *fetched; 2486 char *final; 2487 char trattr[TRANS_TRUE_SIZE]; 2488 int transflag = 0; 2489 struct dentry *dp; 2490 2491 if (inode == NULL) 2492 return; 2493 2494 isp = inode->i_security; 2495 2496 mutex_lock(&isp->smk_lock); 2497 /* 2498 * If the inode is already instantiated 2499 * take the quick way out 2500 */ 2501 if (isp->smk_flags & SMK_INODE_INSTANT) 2502 goto unlockandout; 2503 2504 sbp = inode->i_sb; 2505 sbsp = sbp->s_security; 2506 /* 2507 * We're going to use the superblock default label 2508 * if there's no label on the file. 2509 */ 2510 final = sbsp->smk_default; 2511 2512 /* 2513 * If this is the root inode the superblock 2514 * may be in the process of initialization. 2515 * If that is the case use the root value out 2516 * of the superblock. 2517 */ 2518 if (opt_dentry->d_parent == opt_dentry) { 2519 isp->smk_inode = sbsp->smk_root; 2520 isp->smk_flags |= SMK_INODE_INSTANT; 2521 goto unlockandout; 2522 } 2523 2524 /* 2525 * This is pretty hackish. 2526 * Casey says that we shouldn't have to do 2527 * file system specific code, but it does help 2528 * with keeping it simple. 2529 */ 2530 switch (sbp->s_magic) { 2531 case SMACK_MAGIC: 2532 /* 2533 * Casey says that it's a little embarassing 2534 * that the smack file system doesn't do 2535 * extended attributes. 2536 */ 2537 final = smack_known_star.smk_known; 2538 break; 2539 case PIPEFS_MAGIC: 2540 /* 2541 * Casey says pipes are easy (?) 2542 */ 2543 final = smack_known_star.smk_known; 2544 break; 2545 case DEVPTS_SUPER_MAGIC: 2546 /* 2547 * devpts seems content with the label of the task. 2548 * Programs that change smack have to treat the 2549 * pty with respect. 2550 */ 2551 final = csp; 2552 break; 2553 case SOCKFS_MAGIC: 2554 /* 2555 * Socket access is controlled by the socket 2556 * structures associated with the task involved. 2557 */ 2558 final = smack_known_star.smk_known; 2559 break; 2560 case PROC_SUPER_MAGIC: 2561 /* 2562 * Casey says procfs appears not to care. 2563 * The superblock default suffices. 2564 */ 2565 break; 2566 case TMPFS_MAGIC: 2567 /* 2568 * Device labels should come from the filesystem, 2569 * but watch out, because they're volitile, 2570 * getting recreated on every reboot. 2571 */ 2572 final = smack_known_star.smk_known; 2573 /* 2574 * No break. 2575 * 2576 * If a smack value has been set we want to use it, 2577 * but since tmpfs isn't giving us the opportunity 2578 * to set mount options simulate setting the 2579 * superblock default. 2580 */ 2581 default: 2582 /* 2583 * This isn't an understood special case. 2584 * Get the value from the xattr. 2585 */ 2586 2587 /* 2588 * UNIX domain sockets use lower level socket data. 2589 */ 2590 if (S_ISSOCK(inode->i_mode)) { 2591 final = smack_known_star.smk_known; 2592 break; 2593 } 2594 /* 2595 * No xattr support means, alas, no SMACK label. 2596 * Use the aforeapplied default. 2597 * It would be curious if the label of the task 2598 * does not match that assigned. 2599 */ 2600 if (inode->i_op->getxattr == NULL) 2601 break; 2602 /* 2603 * Get the dentry for xattr. 2604 */ 2605 dp = dget(opt_dentry); 2606 fetched = smk_fetch(XATTR_NAME_SMACK, inode, dp); 2607 if (fetched != NULL) { 2608 final = fetched; 2609 if (S_ISDIR(inode->i_mode)) { 2610 trattr[0] = '\0'; 2611 inode->i_op->getxattr(dp, 2612 XATTR_NAME_SMACKTRANSMUTE, 2613 trattr, TRANS_TRUE_SIZE); 2614 if (strncmp(trattr, TRANS_TRUE, 2615 TRANS_TRUE_SIZE) == 0) 2616 transflag = SMK_INODE_TRANSMUTE; 2617 } 2618 } 2619 isp->smk_task = smk_fetch(XATTR_NAME_SMACKEXEC, inode, dp); 2620 isp->smk_mmap = smk_fetch(XATTR_NAME_SMACKMMAP, inode, dp); 2621 2622 dput(dp); 2623 break; 2624 } 2625 2626 if (final == NULL) 2627 isp->smk_inode = csp; 2628 else 2629 isp->smk_inode = final; 2630 2631 isp->smk_flags |= (SMK_INODE_INSTANT | transflag); 2632 2633 unlockandout: 2634 mutex_unlock(&isp->smk_lock); 2635 return; 2636 } 2637 2638 /** 2639 * smack_getprocattr - Smack process attribute access 2640 * @p: the object task 2641 * @name: the name of the attribute in /proc/.../attr 2642 * @value: where to put the result 2643 * 2644 * Places a copy of the task Smack into value 2645 * 2646 * Returns the length of the smack label or an error code 2647 */ 2648 static int smack_getprocattr(struct task_struct *p, char *name, char **value) 2649 { 2650 char *cp; 2651 int slen; 2652 2653 if (strcmp(name, "current") != 0) 2654 return -EINVAL; 2655 2656 cp = kstrdup(smk_of_task(task_security(p)), GFP_KERNEL); 2657 if (cp == NULL) 2658 return -ENOMEM; 2659 2660 slen = strlen(cp); 2661 *value = cp; 2662 return slen; 2663 } 2664 2665 /** 2666 * smack_setprocattr - Smack process attribute setting 2667 * @p: the object task 2668 * @name: the name of the attribute in /proc/.../attr 2669 * @value: the value to set 2670 * @size: the size of the value 2671 * 2672 * Sets the Smack value of the task. Only setting self 2673 * is permitted and only with privilege 2674 * 2675 * Returns the length of the smack label or an error code 2676 */ 2677 static int smack_setprocattr(struct task_struct *p, char *name, 2678 void *value, size_t size) 2679 { 2680 int rc; 2681 struct task_smack *tsp; 2682 struct task_smack *oldtsp; 2683 struct cred *new; 2684 char *newsmack; 2685 2686 /* 2687 * Changing another process' Smack value is too dangerous 2688 * and supports no sane use case. 2689 */ 2690 if (p != current) 2691 return -EPERM; 2692 2693 if (!capable(CAP_MAC_ADMIN)) 2694 return -EPERM; 2695 2696 if (value == NULL || size == 0 || size >= SMK_LABELLEN) 2697 return -EINVAL; 2698 2699 if (strcmp(name, "current") != 0) 2700 return -EINVAL; 2701 2702 newsmack = smk_import(value, size); 2703 if (newsmack == NULL) 2704 return -EINVAL; 2705 2706 /* 2707 * No process is ever allowed the web ("@") label. 2708 */ 2709 if (newsmack == smack_known_web.smk_known) 2710 return -EPERM; 2711 2712 oldtsp = p->cred->security; 2713 new = prepare_creds(); 2714 if (new == NULL) 2715 return -ENOMEM; 2716 2717 tsp = new_task_smack(newsmack, oldtsp->smk_forked, GFP_KERNEL); 2718 if (tsp == NULL) { 2719 kfree(new); 2720 return -ENOMEM; 2721 } 2722 rc = smk_copy_rules(&tsp->smk_rules, &oldtsp->smk_rules, GFP_KERNEL); 2723 if (rc != 0) 2724 return rc; 2725 2726 new->security = tsp; 2727 commit_creds(new); 2728 return size; 2729 } 2730 2731 /** 2732 * smack_unix_stream_connect - Smack access on UDS 2733 * @sock: one sock 2734 * @other: the other sock 2735 * @newsk: unused 2736 * 2737 * Return 0 if a subject with the smack of sock could access 2738 * an object with the smack of other, otherwise an error code 2739 */ 2740 static int smack_unix_stream_connect(struct sock *sock, 2741 struct sock *other, struct sock *newsk) 2742 { 2743 struct socket_smack *ssp = sock->sk_security; 2744 struct socket_smack *osp = other->sk_security; 2745 struct smk_audit_info ad; 2746 int rc = 0; 2747 2748 smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_NET); 2749 smk_ad_setfield_u_net_sk(&ad, other); 2750 2751 if (!capable(CAP_MAC_OVERRIDE)) 2752 rc = smk_access(ssp->smk_out, osp->smk_in, MAY_WRITE, &ad); 2753 2754 return rc; 2755 } 2756 2757 /** 2758 * smack_unix_may_send - Smack access on UDS 2759 * @sock: one socket 2760 * @other: the other socket 2761 * 2762 * Return 0 if a subject with the smack of sock could access 2763 * an object with the smack of other, otherwise an error code 2764 */ 2765 static int smack_unix_may_send(struct socket *sock, struct socket *other) 2766 { 2767 struct socket_smack *ssp = sock->sk->sk_security; 2768 struct socket_smack *osp = other->sk->sk_security; 2769 struct smk_audit_info ad; 2770 int rc = 0; 2771 2772 smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_NET); 2773 smk_ad_setfield_u_net_sk(&ad, other->sk); 2774 2775 if (!capable(CAP_MAC_OVERRIDE)) 2776 rc = smk_access(ssp->smk_out, osp->smk_in, MAY_WRITE, &ad); 2777 2778 return rc; 2779 } 2780 2781 /** 2782 * smack_socket_sendmsg - Smack check based on destination host 2783 * @sock: the socket 2784 * @msg: the message 2785 * @size: the size of the message 2786 * 2787 * Return 0 if the current subject can write to the destination 2788 * host. This is only a question if the destination is a single 2789 * label host. 2790 */ 2791 static int smack_socket_sendmsg(struct socket *sock, struct msghdr *msg, 2792 int size) 2793 { 2794 struct sockaddr_in *sip = (struct sockaddr_in *) msg->msg_name; 2795 2796 /* 2797 * Perfectly reasonable for this to be NULL 2798 */ 2799 if (sip == NULL || sip->sin_family != AF_INET) 2800 return 0; 2801 2802 return smack_netlabel_send(sock->sk, sip); 2803 } 2804 2805 2806 /** 2807 * smack_from_secattr - Convert a netlabel attr.mls.lvl/attr.mls.cat pair to smack 2808 * @sap: netlabel secattr 2809 * @sip: where to put the result 2810 * 2811 * Copies a smack label into sip 2812 */ 2813 static void smack_from_secattr(struct netlbl_lsm_secattr *sap, char *sip) 2814 { 2815 char smack[SMK_LABELLEN]; 2816 char *sp; 2817 int pcat; 2818 2819 if ((sap->flags & NETLBL_SECATTR_MLS_LVL) != 0) { 2820 /* 2821 * Looks like a CIPSO packet. 2822 * If there are flags but no level netlabel isn't 2823 * behaving the way we expect it to. 2824 * 2825 * Get the categories, if any 2826 * Without guidance regarding the smack value 2827 * for the packet fall back on the network 2828 * ambient value. 2829 */ 2830 memset(smack, '\0', SMK_LABELLEN); 2831 if ((sap->flags & NETLBL_SECATTR_MLS_CAT) != 0) 2832 for (pcat = -1;;) { 2833 pcat = netlbl_secattr_catmap_walk( 2834 sap->attr.mls.cat, pcat + 1); 2835 if (pcat < 0) 2836 break; 2837 smack_catset_bit(pcat, smack); 2838 } 2839 /* 2840 * If it is CIPSO using smack direct mapping 2841 * we are already done. WeeHee. 2842 */ 2843 if (sap->attr.mls.lvl == smack_cipso_direct) { 2844 memcpy(sip, smack, SMK_MAXLEN); 2845 return; 2846 } 2847 /* 2848 * Look it up in the supplied table if it is not 2849 * a direct mapping. 2850 */ 2851 smack_from_cipso(sap->attr.mls.lvl, smack, sip); 2852 return; 2853 } 2854 if ((sap->flags & NETLBL_SECATTR_SECID) != 0) { 2855 /* 2856 * Looks like a fallback, which gives us a secid. 2857 */ 2858 sp = smack_from_secid(sap->attr.secid); 2859 /* 2860 * This has got to be a bug because it is 2861 * impossible to specify a fallback without 2862 * specifying the label, which will ensure 2863 * it has a secid, and the only way to get a 2864 * secid is from a fallback. 2865 */ 2866 BUG_ON(sp == NULL); 2867 strncpy(sip, sp, SMK_MAXLEN); 2868 return; 2869 } 2870 /* 2871 * Without guidance regarding the smack value 2872 * for the packet fall back on the network 2873 * ambient value. 2874 */ 2875 strncpy(sip, smack_net_ambient, SMK_MAXLEN); 2876 return; 2877 } 2878 2879 /** 2880 * smack_socket_sock_rcv_skb - Smack packet delivery access check 2881 * @sk: socket 2882 * @skb: packet 2883 * 2884 * Returns 0 if the packet should be delivered, an error code otherwise 2885 */ 2886 static int smack_socket_sock_rcv_skb(struct sock *sk, struct sk_buff *skb) 2887 { 2888 struct netlbl_lsm_secattr secattr; 2889 struct socket_smack *ssp = sk->sk_security; 2890 char smack[SMK_LABELLEN]; 2891 char *csp; 2892 int rc; 2893 struct smk_audit_info ad; 2894 if (sk->sk_family != PF_INET && sk->sk_family != PF_INET6) 2895 return 0; 2896 2897 /* 2898 * Translate what netlabel gave us. 2899 */ 2900 netlbl_secattr_init(&secattr); 2901 2902 rc = netlbl_skbuff_getattr(skb, sk->sk_family, &secattr); 2903 if (rc == 0) { 2904 smack_from_secattr(&secattr, smack); 2905 csp = smack; 2906 } else 2907 csp = smack_net_ambient; 2908 2909 netlbl_secattr_destroy(&secattr); 2910 2911 #ifdef CONFIG_AUDIT 2912 smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_NET); 2913 ad.a.u.net.family = sk->sk_family; 2914 ad.a.u.net.netif = skb->skb_iif; 2915 ipv4_skb_to_auditdata(skb, &ad.a, NULL); 2916 #endif 2917 /* 2918 * Receiving a packet requires that the other end 2919 * be able to write here. Read access is not required. 2920 * This is the simplist possible security model 2921 * for networking. 2922 */ 2923 rc = smk_access(csp, ssp->smk_in, MAY_WRITE, &ad); 2924 if (rc != 0) 2925 netlbl_skbuff_err(skb, rc, 0); 2926 return rc; 2927 } 2928 2929 /** 2930 * smack_socket_getpeersec_stream - pull in packet label 2931 * @sock: the socket 2932 * @optval: user's destination 2933 * @optlen: size thereof 2934 * @len: max thereof 2935 * 2936 * returns zero on success, an error code otherwise 2937 */ 2938 static int smack_socket_getpeersec_stream(struct socket *sock, 2939 char __user *optval, 2940 int __user *optlen, unsigned len) 2941 { 2942 struct socket_smack *ssp; 2943 int slen; 2944 int rc = 0; 2945 2946 ssp = sock->sk->sk_security; 2947 slen = strlen(ssp->smk_packet) + 1; 2948 2949 if (slen > len) 2950 rc = -ERANGE; 2951 else if (copy_to_user(optval, ssp->smk_packet, slen) != 0) 2952 rc = -EFAULT; 2953 2954 if (put_user(slen, optlen) != 0) 2955 rc = -EFAULT; 2956 2957 return rc; 2958 } 2959 2960 2961 /** 2962 * smack_socket_getpeersec_dgram - pull in packet label 2963 * @sock: the peer socket 2964 * @skb: packet data 2965 * @secid: pointer to where to put the secid of the packet 2966 * 2967 * Sets the netlabel socket state on sk from parent 2968 */ 2969 static int smack_socket_getpeersec_dgram(struct socket *sock, 2970 struct sk_buff *skb, u32 *secid) 2971 2972 { 2973 struct netlbl_lsm_secattr secattr; 2974 struct socket_smack *sp; 2975 char smack[SMK_LABELLEN]; 2976 int family = PF_UNSPEC; 2977 u32 s = 0; /* 0 is the invalid secid */ 2978 int rc; 2979 2980 if (skb != NULL) { 2981 if (skb->protocol == htons(ETH_P_IP)) 2982 family = PF_INET; 2983 else if (skb->protocol == htons(ETH_P_IPV6)) 2984 family = PF_INET6; 2985 } 2986 if (family == PF_UNSPEC && sock != NULL) 2987 family = sock->sk->sk_family; 2988 2989 if (family == PF_UNIX) { 2990 sp = sock->sk->sk_security; 2991 s = smack_to_secid(sp->smk_out); 2992 } else if (family == PF_INET || family == PF_INET6) { 2993 /* 2994 * Translate what netlabel gave us. 2995 */ 2996 netlbl_secattr_init(&secattr); 2997 rc = netlbl_skbuff_getattr(skb, family, &secattr); 2998 if (rc == 0) { 2999 smack_from_secattr(&secattr, smack); 3000 s = smack_to_secid(smack); 3001 } 3002 netlbl_secattr_destroy(&secattr); 3003 } 3004 *secid = s; 3005 if (s == 0) 3006 return -EINVAL; 3007 return 0; 3008 } 3009 3010 /** 3011 * smack_sock_graft - Initialize a newly created socket with an existing sock 3012 * @sk: child sock 3013 * @parent: parent socket 3014 * 3015 * Set the smk_{in,out} state of an existing sock based on the process that 3016 * is creating the new socket. 3017 */ 3018 static void smack_sock_graft(struct sock *sk, struct socket *parent) 3019 { 3020 struct socket_smack *ssp; 3021 3022 if (sk == NULL || 3023 (sk->sk_family != PF_INET && sk->sk_family != PF_INET6)) 3024 return; 3025 3026 ssp = sk->sk_security; 3027 ssp->smk_in = ssp->smk_out = smk_of_current(); 3028 /* cssp->smk_packet is already set in smack_inet_csk_clone() */ 3029 } 3030 3031 /** 3032 * smack_inet_conn_request - Smack access check on connect 3033 * @sk: socket involved 3034 * @skb: packet 3035 * @req: unused 3036 * 3037 * Returns 0 if a task with the packet label could write to 3038 * the socket, otherwise an error code 3039 */ 3040 static int smack_inet_conn_request(struct sock *sk, struct sk_buff *skb, 3041 struct request_sock *req) 3042 { 3043 u16 family = sk->sk_family; 3044 struct socket_smack *ssp = sk->sk_security; 3045 struct netlbl_lsm_secattr secattr; 3046 struct sockaddr_in addr; 3047 struct iphdr *hdr; 3048 char smack[SMK_LABELLEN]; 3049 int rc; 3050 struct smk_audit_info ad; 3051 3052 /* handle mapped IPv4 packets arriving via IPv6 sockets */ 3053 if (family == PF_INET6 && skb->protocol == htons(ETH_P_IP)) 3054 family = PF_INET; 3055 3056 netlbl_secattr_init(&secattr); 3057 rc = netlbl_skbuff_getattr(skb, family, &secattr); 3058 if (rc == 0) 3059 smack_from_secattr(&secattr, smack); 3060 else 3061 strncpy(smack, smack_known_huh.smk_known, SMK_MAXLEN); 3062 netlbl_secattr_destroy(&secattr); 3063 3064 #ifdef CONFIG_AUDIT 3065 smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_NET); 3066 ad.a.u.net.family = family; 3067 ad.a.u.net.netif = skb->skb_iif; 3068 ipv4_skb_to_auditdata(skb, &ad.a, NULL); 3069 #endif 3070 /* 3071 * Receiving a packet requires that the other end be able to write 3072 * here. Read access is not required. 3073 */ 3074 rc = smk_access(smack, ssp->smk_in, MAY_WRITE, &ad); 3075 if (rc != 0) 3076 return rc; 3077 3078 /* 3079 * Save the peer's label in the request_sock so we can later setup 3080 * smk_packet in the child socket so that SO_PEERCRED can report it. 3081 */ 3082 req->peer_secid = smack_to_secid(smack); 3083 3084 /* 3085 * We need to decide if we want to label the incoming connection here 3086 * if we do we only need to label the request_sock and the stack will 3087 * propogate the wire-label to the sock when it is created. 3088 */ 3089 hdr = ip_hdr(skb); 3090 addr.sin_addr.s_addr = hdr->saddr; 3091 rcu_read_lock(); 3092 if (smack_host_label(&addr) == NULL) { 3093 rcu_read_unlock(); 3094 netlbl_secattr_init(&secattr); 3095 smack_to_secattr(smack, &secattr); 3096 rc = netlbl_req_setattr(req, &secattr); 3097 netlbl_secattr_destroy(&secattr); 3098 } else { 3099 rcu_read_unlock(); 3100 netlbl_req_delattr(req); 3101 } 3102 3103 return rc; 3104 } 3105 3106 /** 3107 * smack_inet_csk_clone - Copy the connection information to the new socket 3108 * @sk: the new socket 3109 * @req: the connection's request_sock 3110 * 3111 * Transfer the connection's peer label to the newly created socket. 3112 */ 3113 static void smack_inet_csk_clone(struct sock *sk, 3114 const struct request_sock *req) 3115 { 3116 struct socket_smack *ssp = sk->sk_security; 3117 char *smack; 3118 3119 if (req->peer_secid != 0) { 3120 smack = smack_from_secid(req->peer_secid); 3121 strncpy(ssp->smk_packet, smack, SMK_MAXLEN); 3122 } else 3123 ssp->smk_packet[0] = '\0'; 3124 } 3125 3126 /* 3127 * Key management security hooks 3128 * 3129 * Casey has not tested key support very heavily. 3130 * The permission check is most likely too restrictive. 3131 * If you care about keys please have a look. 3132 */ 3133 #ifdef CONFIG_KEYS 3134 3135 /** 3136 * smack_key_alloc - Set the key security blob 3137 * @key: object 3138 * @cred: the credentials to use 3139 * @flags: unused 3140 * 3141 * No allocation required 3142 * 3143 * Returns 0 3144 */ 3145 static int smack_key_alloc(struct key *key, const struct cred *cred, 3146 unsigned long flags) 3147 { 3148 key->security = smk_of_task(cred->security); 3149 return 0; 3150 } 3151 3152 /** 3153 * smack_key_free - Clear the key security blob 3154 * @key: the object 3155 * 3156 * Clear the blob pointer 3157 */ 3158 static void smack_key_free(struct key *key) 3159 { 3160 key->security = NULL; 3161 } 3162 3163 /* 3164 * smack_key_permission - Smack access on a key 3165 * @key_ref: gets to the object 3166 * @cred: the credentials to use 3167 * @perm: unused 3168 * 3169 * Return 0 if the task has read and write to the object, 3170 * an error code otherwise 3171 */ 3172 static int smack_key_permission(key_ref_t key_ref, 3173 const struct cred *cred, key_perm_t perm) 3174 { 3175 struct key *keyp; 3176 struct smk_audit_info ad; 3177 char *tsp = smk_of_task(cred->security); 3178 3179 keyp = key_ref_to_ptr(key_ref); 3180 if (keyp == NULL) 3181 return -EINVAL; 3182 /* 3183 * If the key hasn't been initialized give it access so that 3184 * it may do so. 3185 */ 3186 if (keyp->security == NULL) 3187 return 0; 3188 /* 3189 * This should not occur 3190 */ 3191 if (tsp == NULL) 3192 return -EACCES; 3193 #ifdef CONFIG_AUDIT 3194 smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_KEY); 3195 ad.a.u.key_struct.key = keyp->serial; 3196 ad.a.u.key_struct.key_desc = keyp->description; 3197 #endif 3198 return smk_access(tsp, keyp->security, 3199 MAY_READWRITE, &ad); 3200 } 3201 #endif /* CONFIG_KEYS */ 3202 3203 /* 3204 * Smack Audit hooks 3205 * 3206 * Audit requires a unique representation of each Smack specific 3207 * rule. This unique representation is used to distinguish the 3208 * object to be audited from remaining kernel objects and also 3209 * works as a glue between the audit hooks. 3210 * 3211 * Since repository entries are added but never deleted, we'll use 3212 * the smack_known label address related to the given audit rule as 3213 * the needed unique representation. This also better fits the smack 3214 * model where nearly everything is a label. 3215 */ 3216 #ifdef CONFIG_AUDIT 3217 3218 /** 3219 * smack_audit_rule_init - Initialize a smack audit rule 3220 * @field: audit rule fields given from user-space (audit.h) 3221 * @op: required testing operator (=, !=, >, <, ...) 3222 * @rulestr: smack label to be audited 3223 * @vrule: pointer to save our own audit rule representation 3224 * 3225 * Prepare to audit cases where (@field @op @rulestr) is true. 3226 * The label to be audited is created if necessay. 3227 */ 3228 static int smack_audit_rule_init(u32 field, u32 op, char *rulestr, void **vrule) 3229 { 3230 char **rule = (char **)vrule; 3231 *rule = NULL; 3232 3233 if (field != AUDIT_SUBJ_USER && field != AUDIT_OBJ_USER) 3234 return -EINVAL; 3235 3236 if (op != Audit_equal && op != Audit_not_equal) 3237 return -EINVAL; 3238 3239 *rule = smk_import(rulestr, 0); 3240 3241 return 0; 3242 } 3243 3244 /** 3245 * smack_audit_rule_known - Distinguish Smack audit rules 3246 * @krule: rule of interest, in Audit kernel representation format 3247 * 3248 * This is used to filter Smack rules from remaining Audit ones. 3249 * If it's proved that this rule belongs to us, the 3250 * audit_rule_match hook will be called to do the final judgement. 3251 */ 3252 static int smack_audit_rule_known(struct audit_krule *krule) 3253 { 3254 struct audit_field *f; 3255 int i; 3256 3257 for (i = 0; i < krule->field_count; i++) { 3258 f = &krule->fields[i]; 3259 3260 if (f->type == AUDIT_SUBJ_USER || f->type == AUDIT_OBJ_USER) 3261 return 1; 3262 } 3263 3264 return 0; 3265 } 3266 3267 /** 3268 * smack_audit_rule_match - Audit given object ? 3269 * @secid: security id for identifying the object to test 3270 * @field: audit rule flags given from user-space 3271 * @op: required testing operator 3272 * @vrule: smack internal rule presentation 3273 * @actx: audit context associated with the check 3274 * 3275 * The core Audit hook. It's used to take the decision of 3276 * whether to audit or not to audit a given object. 3277 */ 3278 static int smack_audit_rule_match(u32 secid, u32 field, u32 op, void *vrule, 3279 struct audit_context *actx) 3280 { 3281 char *smack; 3282 char *rule = vrule; 3283 3284 if (!rule) { 3285 audit_log(actx, GFP_KERNEL, AUDIT_SELINUX_ERR, 3286 "Smack: missing rule\n"); 3287 return -ENOENT; 3288 } 3289 3290 if (field != AUDIT_SUBJ_USER && field != AUDIT_OBJ_USER) 3291 return 0; 3292 3293 smack = smack_from_secid(secid); 3294 3295 /* 3296 * No need to do string comparisons. If a match occurs, 3297 * both pointers will point to the same smack_known 3298 * label. 3299 */ 3300 if (op == Audit_equal) 3301 return (rule == smack); 3302 if (op == Audit_not_equal) 3303 return (rule != smack); 3304 3305 return 0; 3306 } 3307 3308 /** 3309 * smack_audit_rule_free - free smack rule representation 3310 * @vrule: rule to be freed. 3311 * 3312 * No memory was allocated. 3313 */ 3314 static void smack_audit_rule_free(void *vrule) 3315 { 3316 /* No-op */ 3317 } 3318 3319 #endif /* CONFIG_AUDIT */ 3320 3321 /** 3322 * smack_secid_to_secctx - return the smack label for a secid 3323 * @secid: incoming integer 3324 * @secdata: destination 3325 * @seclen: how long it is 3326 * 3327 * Exists for networking code. 3328 */ 3329 static int smack_secid_to_secctx(u32 secid, char **secdata, u32 *seclen) 3330 { 3331 char *sp = smack_from_secid(secid); 3332 3333 if (secdata) 3334 *secdata = sp; 3335 *seclen = strlen(sp); 3336 return 0; 3337 } 3338 3339 /** 3340 * smack_secctx_to_secid - return the secid for a smack label 3341 * @secdata: smack label 3342 * @seclen: how long result is 3343 * @secid: outgoing integer 3344 * 3345 * Exists for audit and networking code. 3346 */ 3347 static int smack_secctx_to_secid(const char *secdata, u32 seclen, u32 *secid) 3348 { 3349 *secid = smack_to_secid(secdata); 3350 return 0; 3351 } 3352 3353 /** 3354 * smack_release_secctx - don't do anything. 3355 * @secdata: unused 3356 * @seclen: unused 3357 * 3358 * Exists to make sure nothing gets done, and properly 3359 */ 3360 static void smack_release_secctx(char *secdata, u32 seclen) 3361 { 3362 } 3363 3364 static int smack_inode_notifysecctx(struct inode *inode, void *ctx, u32 ctxlen) 3365 { 3366 return smack_inode_setsecurity(inode, XATTR_SMACK_SUFFIX, ctx, ctxlen, 0); 3367 } 3368 3369 static int smack_inode_setsecctx(struct dentry *dentry, void *ctx, u32 ctxlen) 3370 { 3371 return __vfs_setxattr_noperm(dentry, XATTR_NAME_SMACK, ctx, ctxlen, 0); 3372 } 3373 3374 static int smack_inode_getsecctx(struct inode *inode, void **ctx, u32 *ctxlen) 3375 { 3376 int len = 0; 3377 len = smack_inode_getsecurity(inode, XATTR_SMACK_SUFFIX, ctx, true); 3378 3379 if (len < 0) 3380 return len; 3381 *ctxlen = len; 3382 return 0; 3383 } 3384 3385 struct security_operations smack_ops = { 3386 .name = "smack", 3387 3388 .ptrace_access_check = smack_ptrace_access_check, 3389 .ptrace_traceme = smack_ptrace_traceme, 3390 .syslog = smack_syslog, 3391 3392 .sb_alloc_security = smack_sb_alloc_security, 3393 .sb_free_security = smack_sb_free_security, 3394 .sb_copy_data = smack_sb_copy_data, 3395 .sb_kern_mount = smack_sb_kern_mount, 3396 .sb_statfs = smack_sb_statfs, 3397 .sb_mount = smack_sb_mount, 3398 .sb_umount = smack_sb_umount, 3399 3400 .bprm_set_creds = smack_bprm_set_creds, 3401 3402 .inode_alloc_security = smack_inode_alloc_security, 3403 .inode_free_security = smack_inode_free_security, 3404 .inode_init_security = smack_inode_init_security, 3405 .inode_link = smack_inode_link, 3406 .inode_unlink = smack_inode_unlink, 3407 .inode_rmdir = smack_inode_rmdir, 3408 .inode_rename = smack_inode_rename, 3409 .inode_permission = smack_inode_permission, 3410 .inode_setattr = smack_inode_setattr, 3411 .inode_getattr = smack_inode_getattr, 3412 .inode_setxattr = smack_inode_setxattr, 3413 .inode_post_setxattr = smack_inode_post_setxattr, 3414 .inode_getxattr = smack_inode_getxattr, 3415 .inode_removexattr = smack_inode_removexattr, 3416 .inode_getsecurity = smack_inode_getsecurity, 3417 .inode_setsecurity = smack_inode_setsecurity, 3418 .inode_listsecurity = smack_inode_listsecurity, 3419 .inode_getsecid = smack_inode_getsecid, 3420 3421 .file_permission = smack_file_permission, 3422 .file_alloc_security = smack_file_alloc_security, 3423 .file_free_security = smack_file_free_security, 3424 .file_ioctl = smack_file_ioctl, 3425 .file_lock = smack_file_lock, 3426 .file_fcntl = smack_file_fcntl, 3427 .file_mmap = smack_file_mmap, 3428 .file_set_fowner = smack_file_set_fowner, 3429 .file_send_sigiotask = smack_file_send_sigiotask, 3430 .file_receive = smack_file_receive, 3431 3432 .cred_alloc_blank = smack_cred_alloc_blank, 3433 .cred_free = smack_cred_free, 3434 .cred_prepare = smack_cred_prepare, 3435 .cred_transfer = smack_cred_transfer, 3436 .kernel_act_as = smack_kernel_act_as, 3437 .kernel_create_files_as = smack_kernel_create_files_as, 3438 .task_setpgid = smack_task_setpgid, 3439 .task_getpgid = smack_task_getpgid, 3440 .task_getsid = smack_task_getsid, 3441 .task_getsecid = smack_task_getsecid, 3442 .task_setnice = smack_task_setnice, 3443 .task_setioprio = smack_task_setioprio, 3444 .task_getioprio = smack_task_getioprio, 3445 .task_setscheduler = smack_task_setscheduler, 3446 .task_getscheduler = smack_task_getscheduler, 3447 .task_movememory = smack_task_movememory, 3448 .task_kill = smack_task_kill, 3449 .task_wait = smack_task_wait, 3450 .task_to_inode = smack_task_to_inode, 3451 3452 .ipc_permission = smack_ipc_permission, 3453 .ipc_getsecid = smack_ipc_getsecid, 3454 3455 .msg_msg_alloc_security = smack_msg_msg_alloc_security, 3456 .msg_msg_free_security = smack_msg_msg_free_security, 3457 3458 .msg_queue_alloc_security = smack_msg_queue_alloc_security, 3459 .msg_queue_free_security = smack_msg_queue_free_security, 3460 .msg_queue_associate = smack_msg_queue_associate, 3461 .msg_queue_msgctl = smack_msg_queue_msgctl, 3462 .msg_queue_msgsnd = smack_msg_queue_msgsnd, 3463 .msg_queue_msgrcv = smack_msg_queue_msgrcv, 3464 3465 .shm_alloc_security = smack_shm_alloc_security, 3466 .shm_free_security = smack_shm_free_security, 3467 .shm_associate = smack_shm_associate, 3468 .shm_shmctl = smack_shm_shmctl, 3469 .shm_shmat = smack_shm_shmat, 3470 3471 .sem_alloc_security = smack_sem_alloc_security, 3472 .sem_free_security = smack_sem_free_security, 3473 .sem_associate = smack_sem_associate, 3474 .sem_semctl = smack_sem_semctl, 3475 .sem_semop = smack_sem_semop, 3476 3477 .d_instantiate = smack_d_instantiate, 3478 3479 .getprocattr = smack_getprocattr, 3480 .setprocattr = smack_setprocattr, 3481 3482 .unix_stream_connect = smack_unix_stream_connect, 3483 .unix_may_send = smack_unix_may_send, 3484 3485 .socket_post_create = smack_socket_post_create, 3486 .socket_connect = smack_socket_connect, 3487 .socket_sendmsg = smack_socket_sendmsg, 3488 .socket_sock_rcv_skb = smack_socket_sock_rcv_skb, 3489 .socket_getpeersec_stream = smack_socket_getpeersec_stream, 3490 .socket_getpeersec_dgram = smack_socket_getpeersec_dgram, 3491 .sk_alloc_security = smack_sk_alloc_security, 3492 .sk_free_security = smack_sk_free_security, 3493 .sock_graft = smack_sock_graft, 3494 .inet_conn_request = smack_inet_conn_request, 3495 .inet_csk_clone = smack_inet_csk_clone, 3496 3497 /* key management security hooks */ 3498 #ifdef CONFIG_KEYS 3499 .key_alloc = smack_key_alloc, 3500 .key_free = smack_key_free, 3501 .key_permission = smack_key_permission, 3502 #endif /* CONFIG_KEYS */ 3503 3504 /* Audit hooks */ 3505 #ifdef CONFIG_AUDIT 3506 .audit_rule_init = smack_audit_rule_init, 3507 .audit_rule_known = smack_audit_rule_known, 3508 .audit_rule_match = smack_audit_rule_match, 3509 .audit_rule_free = smack_audit_rule_free, 3510 #endif /* CONFIG_AUDIT */ 3511 3512 .secid_to_secctx = smack_secid_to_secctx, 3513 .secctx_to_secid = smack_secctx_to_secid, 3514 .release_secctx = smack_release_secctx, 3515 .inode_notifysecctx = smack_inode_notifysecctx, 3516 .inode_setsecctx = smack_inode_setsecctx, 3517 .inode_getsecctx = smack_inode_getsecctx, 3518 }; 3519 3520 3521 static __init void init_smack_know_list(void) 3522 { 3523 list_add(&smack_known_huh.list, &smack_known_list); 3524 list_add(&smack_known_hat.list, &smack_known_list); 3525 list_add(&smack_known_star.list, &smack_known_list); 3526 list_add(&smack_known_floor.list, &smack_known_list); 3527 list_add(&smack_known_invalid.list, &smack_known_list); 3528 list_add(&smack_known_web.list, &smack_known_list); 3529 } 3530 3531 /** 3532 * smack_init - initialize the smack system 3533 * 3534 * Returns 0 3535 */ 3536 static __init int smack_init(void) 3537 { 3538 struct cred *cred; 3539 struct task_smack *tsp; 3540 3541 if (!security_module_enable(&smack_ops)) 3542 return 0; 3543 3544 tsp = new_task_smack(smack_known_floor.smk_known, 3545 smack_known_floor.smk_known, GFP_KERNEL); 3546 if (tsp == NULL) 3547 return -ENOMEM; 3548 3549 printk(KERN_INFO "Smack: Initializing.\n"); 3550 3551 /* 3552 * Set the security state for the initial task. 3553 */ 3554 cred = (struct cred *) current->cred; 3555 cred->security = tsp; 3556 3557 /* initialize the smack_know_list */ 3558 init_smack_know_list(); 3559 /* 3560 * Initialize locks 3561 */ 3562 spin_lock_init(&smack_known_huh.smk_cipsolock); 3563 spin_lock_init(&smack_known_hat.smk_cipsolock); 3564 spin_lock_init(&smack_known_star.smk_cipsolock); 3565 spin_lock_init(&smack_known_floor.smk_cipsolock); 3566 spin_lock_init(&smack_known_invalid.smk_cipsolock); 3567 3568 /* 3569 * Register with LSM 3570 */ 3571 if (register_security(&smack_ops)) 3572 panic("smack: Unable to register with kernel.\n"); 3573 3574 return 0; 3575 } 3576 3577 /* 3578 * Smack requires early initialization in order to label 3579 * all processes and objects when they are created. 3580 */ 3581 security_initcall(smack_init); 3582