1 // SPDX-License-Identifier: GPL-2.0-only 2 /* 3 * Simplified MAC Kernel (smack) security module 4 * 5 * This file contains the smack hook function implementations. 6 * 7 * Authors: 8 * Casey Schaufler <casey@schaufler-ca.com> 9 * Jarkko Sakkinen <jarkko.sakkinen@intel.com> 10 * 11 * Copyright (C) 2007 Casey Schaufler <casey@schaufler-ca.com> 12 * Copyright (C) 2009 Hewlett-Packard Development Company, L.P. 13 * Paul Moore <paul@paul-moore.com> 14 * Copyright (C) 2010 Nokia Corporation 15 * Copyright (C) 2011 Intel Corporation. 16 */ 17 18 #include <linux/xattr.h> 19 #include <linux/pagemap.h> 20 #include <linux/mount.h> 21 #include <linux/stat.h> 22 #include <linux/kd.h> 23 #include <asm/ioctls.h> 24 #include <linux/ip.h> 25 #include <linux/tcp.h> 26 #include <linux/udp.h> 27 #include <linux/dccp.h> 28 #include <linux/icmpv6.h> 29 #include <linux/slab.h> 30 #include <linux/mutex.h> 31 #include <net/cipso_ipv4.h> 32 #include <net/ip.h> 33 #include <net/ipv6.h> 34 #include <linux/audit.h> 35 #include <linux/magic.h> 36 #include <linux/dcache.h> 37 #include <linux/personality.h> 38 #include <linux/msg.h> 39 #include <linux/shm.h> 40 #include <uapi/linux/shm.h> 41 #include <linux/binfmts.h> 42 #include <linux/parser.h> 43 #include <linux/fs_context.h> 44 #include <linux/fs_parser.h> 45 #include <linux/watch_queue.h> 46 #include <linux/io_uring/cmd.h> 47 #include <uapi/linux/lsm.h> 48 #include "smack.h" 49 50 #define TRANS_TRUE "TRUE" 51 #define TRANS_TRUE_SIZE 4 52 53 #define SMK_CONNECTING 0 54 #define SMK_RECEIVING 1 55 #define SMK_SENDING 2 56 57 /* 58 * Smack uses multiple xattrs. 59 * SMACK64 - for access control, 60 * SMACK64TRANSMUTE - label initialization, 61 * Not saved on files - SMACK64IPIN and SMACK64IPOUT, 62 * Must be set explicitly - SMACK64EXEC and SMACK64MMAP 63 */ 64 #define SMACK_INODE_INIT_XATTRS 2 65 66 #ifdef SMACK_IPV6_PORT_LABELING 67 static DEFINE_MUTEX(smack_ipv6_lock); 68 static LIST_HEAD(smk_ipv6_port_list); 69 #endif 70 struct kmem_cache *smack_rule_cache; 71 int smack_enabled __initdata; 72 73 #define A(s) {"smack"#s, sizeof("smack"#s) - 1, Opt_##s} 74 static struct { 75 const char *name; 76 int len; 77 int opt; 78 } smk_mount_opts[] = { 79 {"smackfsdef", sizeof("smackfsdef") - 1, Opt_fsdefault}, 80 A(fsdefault), A(fsfloor), A(fshat), A(fsroot), A(fstransmute) 81 }; 82 #undef A 83 84 static int match_opt_prefix(char *s, int l, char **arg) 85 { 86 int i; 87 88 for (i = 0; i < ARRAY_SIZE(smk_mount_opts); i++) { 89 size_t len = smk_mount_opts[i].len; 90 if (len > l || memcmp(s, smk_mount_opts[i].name, len)) 91 continue; 92 if (len == l || s[len] != '=') 93 continue; 94 *arg = s + len + 1; 95 return smk_mount_opts[i].opt; 96 } 97 return Opt_error; 98 } 99 100 #ifdef CONFIG_SECURITY_SMACK_BRINGUP 101 static char *smk_bu_mess[] = { 102 "Bringup Error", /* Unused */ 103 "Bringup", /* SMACK_BRINGUP_ALLOW */ 104 "Unconfined Subject", /* SMACK_UNCONFINED_SUBJECT */ 105 "Unconfined Object", /* SMACK_UNCONFINED_OBJECT */ 106 }; 107 108 static void smk_bu_mode(int mode, char *s) 109 { 110 int i = 0; 111 112 if (mode & MAY_READ) 113 s[i++] = 'r'; 114 if (mode & MAY_WRITE) 115 s[i++] = 'w'; 116 if (mode & MAY_EXEC) 117 s[i++] = 'x'; 118 if (mode & MAY_APPEND) 119 s[i++] = 'a'; 120 if (mode & MAY_TRANSMUTE) 121 s[i++] = 't'; 122 if (mode & MAY_LOCK) 123 s[i++] = 'l'; 124 if (i == 0) 125 s[i++] = '-'; 126 s[i] = '\0'; 127 } 128 #endif 129 130 #ifdef CONFIG_SECURITY_SMACK_BRINGUP 131 static int smk_bu_note(char *note, struct smack_known *sskp, 132 struct smack_known *oskp, int mode, int rc) 133 { 134 char acc[SMK_NUM_ACCESS_TYPE + 1]; 135 136 if (rc <= 0) 137 return rc; 138 if (rc > SMACK_UNCONFINED_OBJECT) 139 rc = 0; 140 141 smk_bu_mode(mode, acc); 142 pr_info("Smack %s: (%s %s %s) %s\n", smk_bu_mess[rc], 143 sskp->smk_known, oskp->smk_known, acc, note); 144 return 0; 145 } 146 #else 147 #define smk_bu_note(note, sskp, oskp, mode, RC) (RC) 148 #endif 149 150 #ifdef CONFIG_SECURITY_SMACK_BRINGUP 151 static int smk_bu_current(char *note, struct smack_known *oskp, 152 int mode, int rc) 153 { 154 struct task_smack *tsp = smack_cred(current_cred()); 155 char acc[SMK_NUM_ACCESS_TYPE + 1]; 156 157 if (rc <= 0) 158 return rc; 159 if (rc > SMACK_UNCONFINED_OBJECT) 160 rc = 0; 161 162 smk_bu_mode(mode, acc); 163 pr_info("Smack %s: (%s %s %s) %s %s\n", smk_bu_mess[rc], 164 tsp->smk_task->smk_known, oskp->smk_known, 165 acc, current->comm, note); 166 return 0; 167 } 168 #else 169 #define smk_bu_current(note, oskp, mode, RC) (RC) 170 #endif 171 172 #ifdef CONFIG_SECURITY_SMACK_BRINGUP 173 static int smk_bu_task(struct task_struct *otp, int mode, int rc) 174 { 175 struct task_smack *tsp = smack_cred(current_cred()); 176 struct smack_known *smk_task = smk_of_task_struct_obj(otp); 177 char acc[SMK_NUM_ACCESS_TYPE + 1]; 178 179 if (rc <= 0) 180 return rc; 181 if (rc > SMACK_UNCONFINED_OBJECT) 182 rc = 0; 183 184 smk_bu_mode(mode, acc); 185 pr_info("Smack %s: (%s %s %s) %s to %s\n", smk_bu_mess[rc], 186 tsp->smk_task->smk_known, smk_task->smk_known, acc, 187 current->comm, otp->comm); 188 return 0; 189 } 190 #else 191 #define smk_bu_task(otp, mode, RC) (RC) 192 #endif 193 194 #ifdef CONFIG_SECURITY_SMACK_BRINGUP 195 static int smk_bu_inode(struct inode *inode, int mode, int rc) 196 { 197 struct task_smack *tsp = smack_cred(current_cred()); 198 struct inode_smack *isp = smack_inode(inode); 199 char acc[SMK_NUM_ACCESS_TYPE + 1]; 200 201 if (isp->smk_flags & SMK_INODE_IMPURE) 202 pr_info("Smack Unconfined Corruption: inode=(%s %ld) %s\n", 203 inode->i_sb->s_id, inode->i_ino, current->comm); 204 205 if (rc <= 0) 206 return rc; 207 if (rc > SMACK_UNCONFINED_OBJECT) 208 rc = 0; 209 if (rc == SMACK_UNCONFINED_SUBJECT && 210 (mode & (MAY_WRITE | MAY_APPEND))) 211 isp->smk_flags |= SMK_INODE_IMPURE; 212 213 smk_bu_mode(mode, acc); 214 215 pr_info("Smack %s: (%s %s %s) inode=(%s %ld) %s\n", smk_bu_mess[rc], 216 tsp->smk_task->smk_known, isp->smk_inode->smk_known, acc, 217 inode->i_sb->s_id, inode->i_ino, current->comm); 218 return 0; 219 } 220 #else 221 #define smk_bu_inode(inode, mode, RC) (RC) 222 #endif 223 224 #ifdef CONFIG_SECURITY_SMACK_BRINGUP 225 static int smk_bu_file(struct file *file, int mode, int rc) 226 { 227 struct task_smack *tsp = smack_cred(current_cred()); 228 struct smack_known *sskp = tsp->smk_task; 229 struct inode *inode = file_inode(file); 230 struct inode_smack *isp = smack_inode(inode); 231 char acc[SMK_NUM_ACCESS_TYPE + 1]; 232 233 if (isp->smk_flags & SMK_INODE_IMPURE) 234 pr_info("Smack Unconfined Corruption: inode=(%s %ld) %s\n", 235 inode->i_sb->s_id, inode->i_ino, current->comm); 236 237 if (rc <= 0) 238 return rc; 239 if (rc > SMACK_UNCONFINED_OBJECT) 240 rc = 0; 241 242 smk_bu_mode(mode, acc); 243 pr_info("Smack %s: (%s %s %s) file=(%s %ld %pD) %s\n", smk_bu_mess[rc], 244 sskp->smk_known, smk_of_inode(inode)->smk_known, acc, 245 inode->i_sb->s_id, inode->i_ino, file, 246 current->comm); 247 return 0; 248 } 249 #else 250 #define smk_bu_file(file, mode, RC) (RC) 251 #endif 252 253 #ifdef CONFIG_SECURITY_SMACK_BRINGUP 254 static int smk_bu_credfile(const struct cred *cred, struct file *file, 255 int mode, int rc) 256 { 257 struct task_smack *tsp = smack_cred(cred); 258 struct smack_known *sskp = tsp->smk_task; 259 struct inode *inode = file_inode(file); 260 struct inode_smack *isp = smack_inode(inode); 261 char acc[SMK_NUM_ACCESS_TYPE + 1]; 262 263 if (isp->smk_flags & SMK_INODE_IMPURE) 264 pr_info("Smack Unconfined Corruption: inode=(%s %ld) %s\n", 265 inode->i_sb->s_id, inode->i_ino, current->comm); 266 267 if (rc <= 0) 268 return rc; 269 if (rc > SMACK_UNCONFINED_OBJECT) 270 rc = 0; 271 272 smk_bu_mode(mode, acc); 273 pr_info("Smack %s: (%s %s %s) file=(%s %ld %pD) %s\n", smk_bu_mess[rc], 274 sskp->smk_known, smk_of_inode(inode)->smk_known, acc, 275 inode->i_sb->s_id, inode->i_ino, file, 276 current->comm); 277 return 0; 278 } 279 #else 280 #define smk_bu_credfile(cred, file, mode, RC) (RC) 281 #endif 282 283 /** 284 * smk_fetch - Fetch the smack label from a file. 285 * @name: type of the label (attribute) 286 * @ip: a pointer to the inode 287 * @dp: a pointer to the dentry 288 * 289 * Returns a pointer to the master list entry for the Smack label, 290 * NULL if there was no label to fetch, or an error code. 291 */ 292 static struct smack_known *smk_fetch(const char *name, struct inode *ip, 293 struct dentry *dp) 294 { 295 int rc; 296 char *buffer; 297 struct smack_known *skp = NULL; 298 299 if (!(ip->i_opflags & IOP_XATTR)) 300 return ERR_PTR(-EOPNOTSUPP); 301 302 buffer = kzalloc(SMK_LONGLABEL, GFP_NOFS); 303 if (buffer == NULL) 304 return ERR_PTR(-ENOMEM); 305 306 rc = __vfs_getxattr(dp, ip, name, buffer, SMK_LONGLABEL); 307 if (rc < 0) 308 skp = ERR_PTR(rc); 309 else if (rc == 0) 310 skp = NULL; 311 else 312 skp = smk_import_entry(buffer, rc); 313 314 kfree(buffer); 315 316 return skp; 317 } 318 319 /** 320 * init_inode_smack - initialize an inode security blob 321 * @inode: inode to extract the info from 322 * @skp: a pointer to the Smack label entry to use in the blob 323 * 324 */ 325 static void init_inode_smack(struct inode *inode, struct smack_known *skp) 326 { 327 struct inode_smack *isp = smack_inode(inode); 328 329 isp->smk_inode = skp; 330 isp->smk_flags = 0; 331 } 332 333 /** 334 * init_task_smack - initialize a task security blob 335 * @tsp: blob to initialize 336 * @task: a pointer to the Smack label for the running task 337 * @forked: a pointer to the Smack label for the forked task 338 * 339 */ 340 static void init_task_smack(struct task_smack *tsp, struct smack_known *task, 341 struct smack_known *forked) 342 { 343 tsp->smk_task = task; 344 tsp->smk_forked = forked; 345 INIT_LIST_HEAD(&tsp->smk_rules); 346 INIT_LIST_HEAD(&tsp->smk_relabel); 347 mutex_init(&tsp->smk_rules_lock); 348 } 349 350 /** 351 * smk_copy_rules - copy a rule set 352 * @nhead: new rules header pointer 353 * @ohead: old rules header pointer 354 * @gfp: type of the memory for the allocation 355 * 356 * Returns 0 on success, -ENOMEM on error 357 */ 358 static int smk_copy_rules(struct list_head *nhead, struct list_head *ohead, 359 gfp_t gfp) 360 { 361 struct smack_rule *nrp; 362 struct smack_rule *orp; 363 int rc = 0; 364 365 list_for_each_entry_rcu(orp, ohead, list) { 366 nrp = kmem_cache_zalloc(smack_rule_cache, gfp); 367 if (nrp == NULL) { 368 rc = -ENOMEM; 369 break; 370 } 371 *nrp = *orp; 372 list_add_rcu(&nrp->list, nhead); 373 } 374 return rc; 375 } 376 377 /** 378 * smk_copy_relabel - copy smk_relabel labels list 379 * @nhead: new rules header pointer 380 * @ohead: old rules header pointer 381 * @gfp: type of the memory for the allocation 382 * 383 * Returns 0 on success, -ENOMEM on error 384 */ 385 static int smk_copy_relabel(struct list_head *nhead, struct list_head *ohead, 386 gfp_t gfp) 387 { 388 struct smack_known_list_elem *nklep; 389 struct smack_known_list_elem *oklep; 390 391 list_for_each_entry(oklep, ohead, list) { 392 nklep = kzalloc(sizeof(struct smack_known_list_elem), gfp); 393 if (nklep == NULL) { 394 smk_destroy_label_list(nhead); 395 return -ENOMEM; 396 } 397 nklep->smk_label = oklep->smk_label; 398 list_add(&nklep->list, nhead); 399 } 400 401 return 0; 402 } 403 404 /** 405 * smk_ptrace_mode - helper function for converting PTRACE_MODE_* into MAY_* 406 * @mode: input mode in form of PTRACE_MODE_* 407 * 408 * Returns a converted MAY_* mode usable by smack rules 409 */ 410 static inline unsigned int smk_ptrace_mode(unsigned int mode) 411 { 412 if (mode & PTRACE_MODE_ATTACH) 413 return MAY_READWRITE; 414 if (mode & PTRACE_MODE_READ) 415 return MAY_READ; 416 417 return 0; 418 } 419 420 /** 421 * smk_ptrace_rule_check - helper for ptrace access 422 * @tracer: tracer process 423 * @tracee_known: label entry of the process that's about to be traced 424 * @mode: ptrace attachment mode (PTRACE_MODE_*) 425 * @func: name of the function that called us, used for audit 426 * 427 * Returns 0 on access granted, -error on error 428 */ 429 static int smk_ptrace_rule_check(struct task_struct *tracer, 430 struct smack_known *tracee_known, 431 unsigned int mode, const char *func) 432 { 433 int rc; 434 struct smk_audit_info ad, *saip = NULL; 435 struct task_smack *tsp; 436 struct smack_known *tracer_known; 437 const struct cred *tracercred; 438 439 if ((mode & PTRACE_MODE_NOAUDIT) == 0) { 440 smk_ad_init(&ad, func, LSM_AUDIT_DATA_TASK); 441 smk_ad_setfield_u_tsk(&ad, tracer); 442 saip = &ad; 443 } 444 445 rcu_read_lock(); 446 tracercred = __task_cred(tracer); 447 tsp = smack_cred(tracercred); 448 tracer_known = smk_of_task(tsp); 449 450 if ((mode & PTRACE_MODE_ATTACH) && 451 (smack_ptrace_rule == SMACK_PTRACE_EXACT || 452 smack_ptrace_rule == SMACK_PTRACE_DRACONIAN)) { 453 if (tracer_known->smk_known == tracee_known->smk_known) 454 rc = 0; 455 else if (smack_ptrace_rule == SMACK_PTRACE_DRACONIAN) 456 rc = -EACCES; 457 else if (smack_privileged_cred(CAP_SYS_PTRACE, tracercred)) 458 rc = 0; 459 else 460 rc = -EACCES; 461 462 if (saip) 463 smack_log(tracer_known->smk_known, 464 tracee_known->smk_known, 465 0, rc, saip); 466 467 rcu_read_unlock(); 468 return rc; 469 } 470 471 /* In case of rule==SMACK_PTRACE_DEFAULT or mode==PTRACE_MODE_READ */ 472 rc = smk_tskacc(tsp, tracee_known, smk_ptrace_mode(mode), saip); 473 474 rcu_read_unlock(); 475 return rc; 476 } 477 478 /* 479 * LSM hooks. 480 * We he, that is fun! 481 */ 482 483 /** 484 * smack_ptrace_access_check - Smack approval on PTRACE_ATTACH 485 * @ctp: child task pointer 486 * @mode: ptrace attachment mode (PTRACE_MODE_*) 487 * 488 * Returns 0 if access is OK, an error code otherwise 489 * 490 * Do the capability checks. 491 */ 492 static int smack_ptrace_access_check(struct task_struct *ctp, unsigned int mode) 493 { 494 struct smack_known *skp; 495 496 skp = smk_of_task_struct_obj(ctp); 497 498 return smk_ptrace_rule_check(current, skp, mode, __func__); 499 } 500 501 /** 502 * smack_ptrace_traceme - Smack approval on PTRACE_TRACEME 503 * @ptp: parent task pointer 504 * 505 * Returns 0 if access is OK, an error code otherwise 506 * 507 * Do the capability checks, and require PTRACE_MODE_ATTACH. 508 */ 509 static int smack_ptrace_traceme(struct task_struct *ptp) 510 { 511 struct smack_known *skp; 512 513 skp = smk_of_task(smack_cred(current_cred())); 514 515 return smk_ptrace_rule_check(ptp, skp, PTRACE_MODE_ATTACH, __func__); 516 } 517 518 /** 519 * smack_syslog - Smack approval on syslog 520 * @typefrom_file: unused 521 * 522 * Returns 0 on success, error code otherwise. 523 */ 524 static int smack_syslog(int typefrom_file) 525 { 526 int rc = 0; 527 struct smack_known *skp = smk_of_current(); 528 529 if (smack_privileged(CAP_MAC_OVERRIDE)) 530 return 0; 531 532 if (smack_syslog_label != NULL && smack_syslog_label != skp) 533 rc = -EACCES; 534 535 return rc; 536 } 537 538 /* 539 * Superblock Hooks. 540 */ 541 542 /** 543 * smack_sb_alloc_security - allocate a superblock blob 544 * @sb: the superblock getting the blob 545 * 546 * Returns 0 on success or -ENOMEM on error. 547 */ 548 static int smack_sb_alloc_security(struct super_block *sb) 549 { 550 struct superblock_smack *sbsp = smack_superblock(sb); 551 552 sbsp->smk_root = &smack_known_floor; 553 sbsp->smk_default = &smack_known_floor; 554 sbsp->smk_floor = &smack_known_floor; 555 sbsp->smk_hat = &smack_known_hat; 556 /* 557 * SMK_SB_INITIALIZED will be zero from kzalloc. 558 */ 559 560 return 0; 561 } 562 563 struct smack_mnt_opts { 564 const char *fsdefault; 565 const char *fsfloor; 566 const char *fshat; 567 const char *fsroot; 568 const char *fstransmute; 569 }; 570 571 static void smack_free_mnt_opts(void *mnt_opts) 572 { 573 kfree(mnt_opts); 574 } 575 576 static int smack_add_opt(int token, const char *s, void **mnt_opts) 577 { 578 struct smack_mnt_opts *opts = *mnt_opts; 579 struct smack_known *skp; 580 581 if (!opts) { 582 opts = kzalloc(sizeof(struct smack_mnt_opts), GFP_KERNEL); 583 if (!opts) 584 return -ENOMEM; 585 *mnt_opts = opts; 586 } 587 if (!s) 588 return -ENOMEM; 589 590 skp = smk_import_entry(s, 0); 591 if (IS_ERR(skp)) 592 return PTR_ERR(skp); 593 594 switch (token) { 595 case Opt_fsdefault: 596 if (opts->fsdefault) 597 goto out_opt_err; 598 opts->fsdefault = skp->smk_known; 599 break; 600 case Opt_fsfloor: 601 if (opts->fsfloor) 602 goto out_opt_err; 603 opts->fsfloor = skp->smk_known; 604 break; 605 case Opt_fshat: 606 if (opts->fshat) 607 goto out_opt_err; 608 opts->fshat = skp->smk_known; 609 break; 610 case Opt_fsroot: 611 if (opts->fsroot) 612 goto out_opt_err; 613 opts->fsroot = skp->smk_known; 614 break; 615 case Opt_fstransmute: 616 if (opts->fstransmute) 617 goto out_opt_err; 618 opts->fstransmute = skp->smk_known; 619 break; 620 } 621 return 0; 622 623 out_opt_err: 624 pr_warn("Smack: duplicate mount options\n"); 625 return -EINVAL; 626 } 627 628 /** 629 * smack_fs_context_submount - Initialise security data for a filesystem context 630 * @fc: The filesystem context. 631 * @reference: reference superblock 632 * 633 * Returns 0 on success or -ENOMEM on error. 634 */ 635 static int smack_fs_context_submount(struct fs_context *fc, 636 struct super_block *reference) 637 { 638 struct superblock_smack *sbsp; 639 struct smack_mnt_opts *ctx; 640 struct inode_smack *isp; 641 642 ctx = kzalloc(sizeof(*ctx), GFP_KERNEL); 643 if (!ctx) 644 return -ENOMEM; 645 fc->security = ctx; 646 647 sbsp = smack_superblock(reference); 648 isp = smack_inode(reference->s_root->d_inode); 649 650 if (sbsp->smk_default) { 651 ctx->fsdefault = kstrdup(sbsp->smk_default->smk_known, GFP_KERNEL); 652 if (!ctx->fsdefault) 653 return -ENOMEM; 654 } 655 656 if (sbsp->smk_floor) { 657 ctx->fsfloor = kstrdup(sbsp->smk_floor->smk_known, GFP_KERNEL); 658 if (!ctx->fsfloor) 659 return -ENOMEM; 660 } 661 662 if (sbsp->smk_hat) { 663 ctx->fshat = kstrdup(sbsp->smk_hat->smk_known, GFP_KERNEL); 664 if (!ctx->fshat) 665 return -ENOMEM; 666 } 667 668 if (isp->smk_flags & SMK_INODE_TRANSMUTE) { 669 if (sbsp->smk_root) { 670 ctx->fstransmute = kstrdup(sbsp->smk_root->smk_known, GFP_KERNEL); 671 if (!ctx->fstransmute) 672 return -ENOMEM; 673 } 674 } 675 return 0; 676 } 677 678 /** 679 * smack_fs_context_dup - Duplicate the security data on fs_context duplication 680 * @fc: The new filesystem context. 681 * @src_fc: The source filesystem context being duplicated. 682 * 683 * Returns 0 on success or -ENOMEM on error. 684 */ 685 static int smack_fs_context_dup(struct fs_context *fc, 686 struct fs_context *src_fc) 687 { 688 struct smack_mnt_opts *dst, *src = src_fc->security; 689 690 if (!src) 691 return 0; 692 693 fc->security = kzalloc(sizeof(struct smack_mnt_opts), GFP_KERNEL); 694 if (!fc->security) 695 return -ENOMEM; 696 697 dst = fc->security; 698 dst->fsdefault = src->fsdefault; 699 dst->fsfloor = src->fsfloor; 700 dst->fshat = src->fshat; 701 dst->fsroot = src->fsroot; 702 dst->fstransmute = src->fstransmute; 703 704 return 0; 705 } 706 707 static const struct fs_parameter_spec smack_fs_parameters[] = { 708 fsparam_string("smackfsdef", Opt_fsdefault), 709 fsparam_string("smackfsdefault", Opt_fsdefault), 710 fsparam_string("smackfsfloor", Opt_fsfloor), 711 fsparam_string("smackfshat", Opt_fshat), 712 fsparam_string("smackfsroot", Opt_fsroot), 713 fsparam_string("smackfstransmute", Opt_fstransmute), 714 {} 715 }; 716 717 /** 718 * smack_fs_context_parse_param - Parse a single mount parameter 719 * @fc: The new filesystem context being constructed. 720 * @param: The parameter. 721 * 722 * Returns 0 on success, -ENOPARAM to pass the parameter on or anything else on 723 * error. 724 */ 725 static int smack_fs_context_parse_param(struct fs_context *fc, 726 struct fs_parameter *param) 727 { 728 struct fs_parse_result result; 729 int opt, rc; 730 731 opt = fs_parse(fc, smack_fs_parameters, param, &result); 732 if (opt < 0) 733 return opt; 734 735 rc = smack_add_opt(opt, param->string, &fc->security); 736 if (!rc) 737 param->string = NULL; 738 return rc; 739 } 740 741 static int smack_sb_eat_lsm_opts(char *options, void **mnt_opts) 742 { 743 char *from = options, *to = options; 744 bool first = true; 745 746 while (1) { 747 char *next = strchr(from, ','); 748 int token, len, rc; 749 char *arg = NULL; 750 751 if (next) 752 len = next - from; 753 else 754 len = strlen(from); 755 756 token = match_opt_prefix(from, len, &arg); 757 if (token != Opt_error) { 758 arg = kmemdup_nul(arg, from + len - arg, GFP_KERNEL); 759 rc = smack_add_opt(token, arg, mnt_opts); 760 kfree(arg); 761 if (unlikely(rc)) { 762 if (*mnt_opts) 763 smack_free_mnt_opts(*mnt_opts); 764 *mnt_opts = NULL; 765 return rc; 766 } 767 } else { 768 if (!first) { // copy with preceding comma 769 from--; 770 len++; 771 } 772 if (to != from) 773 memmove(to, from, len); 774 to += len; 775 first = false; 776 } 777 if (!from[len]) 778 break; 779 from += len + 1; 780 } 781 *to = '\0'; 782 return 0; 783 } 784 785 /** 786 * smack_set_mnt_opts - set Smack specific mount options 787 * @sb: the file system superblock 788 * @mnt_opts: Smack mount options 789 * @kern_flags: mount option from kernel space or user space 790 * @set_kern_flags: where to store converted mount opts 791 * 792 * Returns 0 on success, an error code on failure 793 * 794 * Allow filesystems with binary mount data to explicitly set Smack mount 795 * labels. 796 */ 797 static int smack_set_mnt_opts(struct super_block *sb, 798 void *mnt_opts, 799 unsigned long kern_flags, 800 unsigned long *set_kern_flags) 801 { 802 struct dentry *root = sb->s_root; 803 struct inode *inode = d_backing_inode(root); 804 struct superblock_smack *sp = smack_superblock(sb); 805 struct inode_smack *isp; 806 struct smack_known *skp; 807 struct smack_mnt_opts *opts = mnt_opts; 808 bool transmute = false; 809 810 if (sp->smk_flags & SMK_SB_INITIALIZED) 811 return 0; 812 813 if (!smack_privileged(CAP_MAC_ADMIN)) { 814 /* 815 * Unprivileged mounts don't get to specify Smack values. 816 */ 817 if (opts) 818 return -EPERM; 819 /* 820 * Unprivileged mounts get root and default from the caller. 821 */ 822 skp = smk_of_current(); 823 sp->smk_root = skp; 824 sp->smk_default = skp; 825 /* 826 * For a handful of fs types with no user-controlled 827 * backing store it's okay to trust security labels 828 * in the filesystem. The rest are untrusted. 829 */ 830 if (sb->s_user_ns != &init_user_ns && 831 sb->s_magic != SYSFS_MAGIC && sb->s_magic != TMPFS_MAGIC && 832 sb->s_magic != RAMFS_MAGIC) { 833 transmute = true; 834 sp->smk_flags |= SMK_SB_UNTRUSTED; 835 } 836 } 837 838 sp->smk_flags |= SMK_SB_INITIALIZED; 839 840 if (opts) { 841 if (opts->fsdefault) { 842 skp = smk_import_entry(opts->fsdefault, 0); 843 if (IS_ERR(skp)) 844 return PTR_ERR(skp); 845 sp->smk_default = skp; 846 } 847 if (opts->fsfloor) { 848 skp = smk_import_entry(opts->fsfloor, 0); 849 if (IS_ERR(skp)) 850 return PTR_ERR(skp); 851 sp->smk_floor = skp; 852 } 853 if (opts->fshat) { 854 skp = smk_import_entry(opts->fshat, 0); 855 if (IS_ERR(skp)) 856 return PTR_ERR(skp); 857 sp->smk_hat = skp; 858 } 859 if (opts->fsroot) { 860 skp = smk_import_entry(opts->fsroot, 0); 861 if (IS_ERR(skp)) 862 return PTR_ERR(skp); 863 sp->smk_root = skp; 864 } 865 if (opts->fstransmute) { 866 skp = smk_import_entry(opts->fstransmute, 0); 867 if (IS_ERR(skp)) 868 return PTR_ERR(skp); 869 sp->smk_root = skp; 870 transmute = true; 871 } 872 } 873 874 /* 875 * Initialize the root inode. 876 */ 877 init_inode_smack(inode, sp->smk_root); 878 879 if (transmute) { 880 isp = smack_inode(inode); 881 isp->smk_flags |= SMK_INODE_TRANSMUTE; 882 } 883 884 return 0; 885 } 886 887 /** 888 * smack_sb_statfs - Smack check on statfs 889 * @dentry: identifies the file system in question 890 * 891 * Returns 0 if current can read the floor of the filesystem, 892 * and error code otherwise 893 */ 894 static int smack_sb_statfs(struct dentry *dentry) 895 { 896 struct superblock_smack *sbp = smack_superblock(dentry->d_sb); 897 int rc; 898 struct smk_audit_info ad; 899 900 smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_DENTRY); 901 smk_ad_setfield_u_fs_path_dentry(&ad, dentry); 902 903 rc = smk_curacc(sbp->smk_floor, MAY_READ, &ad); 904 rc = smk_bu_current("statfs", sbp->smk_floor, MAY_READ, rc); 905 return rc; 906 } 907 908 /* 909 * BPRM hooks 910 */ 911 912 /** 913 * smack_bprm_creds_for_exec - Update bprm->cred if needed for exec 914 * @bprm: the exec information 915 * 916 * Returns 0 if it gets a blob, -EPERM if exec forbidden and -ENOMEM otherwise 917 */ 918 static int smack_bprm_creds_for_exec(struct linux_binprm *bprm) 919 { 920 struct inode *inode = file_inode(bprm->file); 921 struct task_smack *bsp = smack_cred(bprm->cred); 922 struct inode_smack *isp; 923 struct superblock_smack *sbsp; 924 int rc; 925 926 isp = smack_inode(inode); 927 if (isp->smk_task == NULL || isp->smk_task == bsp->smk_task) 928 return 0; 929 930 sbsp = smack_superblock(inode->i_sb); 931 if ((sbsp->smk_flags & SMK_SB_UNTRUSTED) && 932 isp->smk_task != sbsp->smk_root) 933 return 0; 934 935 if (bprm->unsafe & LSM_UNSAFE_PTRACE) { 936 struct task_struct *tracer; 937 rc = 0; 938 939 rcu_read_lock(); 940 tracer = ptrace_parent(current); 941 if (likely(tracer != NULL)) 942 rc = smk_ptrace_rule_check(tracer, 943 isp->smk_task, 944 PTRACE_MODE_ATTACH, 945 __func__); 946 rcu_read_unlock(); 947 948 if (rc != 0) 949 return rc; 950 } 951 if (bprm->unsafe & ~LSM_UNSAFE_PTRACE) 952 return -EPERM; 953 954 bsp->smk_task = isp->smk_task; 955 bprm->per_clear |= PER_CLEAR_ON_SETID; 956 957 /* Decide if this is a secure exec. */ 958 if (bsp->smk_task != bsp->smk_forked) 959 bprm->secureexec = 1; 960 961 return 0; 962 } 963 964 /* 965 * Inode hooks 966 */ 967 968 /** 969 * smack_inode_alloc_security - allocate an inode blob 970 * @inode: the inode in need of a blob 971 * 972 * Returns 0 973 */ 974 static int smack_inode_alloc_security(struct inode *inode) 975 { 976 struct smack_known *skp = smk_of_current(); 977 978 init_inode_smack(inode, skp); 979 return 0; 980 } 981 982 /** 983 * smack_inode_init_security - copy out the smack from an inode 984 * @inode: the newly created inode 985 * @dir: containing directory object 986 * @qstr: unused 987 * @xattrs: where to put the attributes 988 * @xattr_count: current number of LSM-provided xattrs (updated) 989 * 990 * Returns 0 if it all works out, -ENOMEM if there's no memory 991 */ 992 static int smack_inode_init_security(struct inode *inode, struct inode *dir, 993 const struct qstr *qstr, 994 struct xattr *xattrs, int *xattr_count) 995 { 996 struct task_smack *tsp = smack_cred(current_cred()); 997 struct smack_known *skp = smk_of_task(tsp); 998 struct smack_known *isp = smk_of_inode(inode); 999 struct smack_known *dsp = smk_of_inode(dir); 1000 struct xattr *xattr = lsm_get_xattr_slot(xattrs, xattr_count); 1001 int may; 1002 1003 if (xattr) { 1004 /* 1005 * If equal, transmuting already occurred in 1006 * smack_dentry_create_files_as(). No need to check again. 1007 */ 1008 if (tsp->smk_task != tsp->smk_transmuted) { 1009 rcu_read_lock(); 1010 may = smk_access_entry(skp->smk_known, dsp->smk_known, 1011 &skp->smk_rules); 1012 rcu_read_unlock(); 1013 } 1014 1015 /* 1016 * In addition to having smk_task equal to smk_transmuted, 1017 * if the access rule allows transmutation and the directory 1018 * requests transmutation then by all means transmute. 1019 * Mark the inode as changed. 1020 */ 1021 if ((tsp->smk_task == tsp->smk_transmuted) || 1022 (may > 0 && ((may & MAY_TRANSMUTE) != 0) && 1023 smk_inode_transmutable(dir))) { 1024 struct xattr *xattr_transmute; 1025 1026 /* 1027 * The caller of smack_dentry_create_files_as() 1028 * should have overridden the current cred, so the 1029 * inode label was already set correctly in 1030 * smack_inode_alloc_security(). 1031 */ 1032 if (tsp->smk_task != tsp->smk_transmuted) 1033 isp = dsp; 1034 xattr_transmute = lsm_get_xattr_slot(xattrs, 1035 xattr_count); 1036 if (xattr_transmute) { 1037 xattr_transmute->value = kmemdup(TRANS_TRUE, 1038 TRANS_TRUE_SIZE, 1039 GFP_NOFS); 1040 if (!xattr_transmute->value) 1041 return -ENOMEM; 1042 1043 xattr_transmute->value_len = TRANS_TRUE_SIZE; 1044 xattr_transmute->name = XATTR_SMACK_TRANSMUTE; 1045 } 1046 } 1047 1048 xattr->value = kstrdup(isp->smk_known, GFP_NOFS); 1049 if (!xattr->value) 1050 return -ENOMEM; 1051 1052 xattr->value_len = strlen(isp->smk_known); 1053 xattr->name = XATTR_SMACK_SUFFIX; 1054 } 1055 1056 return 0; 1057 } 1058 1059 /** 1060 * smack_inode_link - Smack check on link 1061 * @old_dentry: the existing object 1062 * @dir: unused 1063 * @new_dentry: the new object 1064 * 1065 * Returns 0 if access is permitted, an error code otherwise 1066 */ 1067 static int smack_inode_link(struct dentry *old_dentry, struct inode *dir, 1068 struct dentry *new_dentry) 1069 { 1070 struct smack_known *isp; 1071 struct smk_audit_info ad; 1072 int rc; 1073 1074 smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_DENTRY); 1075 smk_ad_setfield_u_fs_path_dentry(&ad, old_dentry); 1076 1077 isp = smk_of_inode(d_backing_inode(old_dentry)); 1078 rc = smk_curacc(isp, MAY_WRITE, &ad); 1079 rc = smk_bu_inode(d_backing_inode(old_dentry), MAY_WRITE, rc); 1080 1081 if (rc == 0 && d_is_positive(new_dentry)) { 1082 isp = smk_of_inode(d_backing_inode(new_dentry)); 1083 smk_ad_setfield_u_fs_path_dentry(&ad, new_dentry); 1084 rc = smk_curacc(isp, MAY_WRITE, &ad); 1085 rc = smk_bu_inode(d_backing_inode(new_dentry), MAY_WRITE, rc); 1086 } 1087 1088 return rc; 1089 } 1090 1091 /** 1092 * smack_inode_unlink - Smack check on inode deletion 1093 * @dir: containing directory object 1094 * @dentry: file to unlink 1095 * 1096 * Returns 0 if current can write the containing directory 1097 * and the object, error code otherwise 1098 */ 1099 static int smack_inode_unlink(struct inode *dir, struct dentry *dentry) 1100 { 1101 struct inode *ip = d_backing_inode(dentry); 1102 struct smk_audit_info ad; 1103 int rc; 1104 1105 smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_DENTRY); 1106 smk_ad_setfield_u_fs_path_dentry(&ad, dentry); 1107 1108 /* 1109 * You need write access to the thing you're unlinking 1110 */ 1111 rc = smk_curacc(smk_of_inode(ip), MAY_WRITE, &ad); 1112 rc = smk_bu_inode(ip, MAY_WRITE, rc); 1113 if (rc == 0) { 1114 /* 1115 * You also need write access to the containing directory 1116 */ 1117 smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_INODE); 1118 smk_ad_setfield_u_fs_inode(&ad, dir); 1119 rc = smk_curacc(smk_of_inode(dir), MAY_WRITE, &ad); 1120 rc = smk_bu_inode(dir, MAY_WRITE, rc); 1121 } 1122 return rc; 1123 } 1124 1125 /** 1126 * smack_inode_rmdir - Smack check on directory deletion 1127 * @dir: containing directory object 1128 * @dentry: directory to unlink 1129 * 1130 * Returns 0 if current can write the containing directory 1131 * and the directory, error code otherwise 1132 */ 1133 static int smack_inode_rmdir(struct inode *dir, struct dentry *dentry) 1134 { 1135 struct smk_audit_info ad; 1136 int rc; 1137 1138 smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_DENTRY); 1139 smk_ad_setfield_u_fs_path_dentry(&ad, dentry); 1140 1141 /* 1142 * You need write access to the thing you're removing 1143 */ 1144 rc = smk_curacc(smk_of_inode(d_backing_inode(dentry)), MAY_WRITE, &ad); 1145 rc = smk_bu_inode(d_backing_inode(dentry), MAY_WRITE, rc); 1146 if (rc == 0) { 1147 /* 1148 * You also need write access to the containing directory 1149 */ 1150 smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_INODE); 1151 smk_ad_setfield_u_fs_inode(&ad, dir); 1152 rc = smk_curacc(smk_of_inode(dir), MAY_WRITE, &ad); 1153 rc = smk_bu_inode(dir, MAY_WRITE, rc); 1154 } 1155 1156 return rc; 1157 } 1158 1159 /** 1160 * smack_inode_rename - Smack check on rename 1161 * @old_inode: unused 1162 * @old_dentry: the old object 1163 * @new_inode: unused 1164 * @new_dentry: the new object 1165 * 1166 * Read and write access is required on both the old and 1167 * new directories. 1168 * 1169 * Returns 0 if access is permitted, an error code otherwise 1170 */ 1171 static int smack_inode_rename(struct inode *old_inode, 1172 struct dentry *old_dentry, 1173 struct inode *new_inode, 1174 struct dentry *new_dentry) 1175 { 1176 int rc; 1177 struct smack_known *isp; 1178 struct smk_audit_info ad; 1179 1180 smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_DENTRY); 1181 smk_ad_setfield_u_fs_path_dentry(&ad, old_dentry); 1182 1183 isp = smk_of_inode(d_backing_inode(old_dentry)); 1184 rc = smk_curacc(isp, MAY_READWRITE, &ad); 1185 rc = smk_bu_inode(d_backing_inode(old_dentry), MAY_READWRITE, rc); 1186 1187 if (rc == 0 && d_is_positive(new_dentry)) { 1188 isp = smk_of_inode(d_backing_inode(new_dentry)); 1189 smk_ad_setfield_u_fs_path_dentry(&ad, new_dentry); 1190 rc = smk_curacc(isp, MAY_READWRITE, &ad); 1191 rc = smk_bu_inode(d_backing_inode(new_dentry), MAY_READWRITE, rc); 1192 } 1193 return rc; 1194 } 1195 1196 /** 1197 * smack_inode_permission - Smack version of permission() 1198 * @inode: the inode in question 1199 * @mask: the access requested 1200 * 1201 * This is the important Smack hook. 1202 * 1203 * Returns 0 if access is permitted, an error code otherwise 1204 */ 1205 static int smack_inode_permission(struct inode *inode, int mask) 1206 { 1207 struct superblock_smack *sbsp = smack_superblock(inode->i_sb); 1208 struct smk_audit_info ad; 1209 int no_block = mask & MAY_NOT_BLOCK; 1210 int rc; 1211 1212 mask &= (MAY_READ|MAY_WRITE|MAY_EXEC|MAY_APPEND); 1213 /* 1214 * No permission to check. Existence test. Yup, it's there. 1215 */ 1216 if (mask == 0) 1217 return 0; 1218 1219 if (sbsp->smk_flags & SMK_SB_UNTRUSTED) { 1220 if (smk_of_inode(inode) != sbsp->smk_root) 1221 return -EACCES; 1222 } 1223 1224 /* May be droppable after audit */ 1225 if (no_block) 1226 return -ECHILD; 1227 smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_INODE); 1228 smk_ad_setfield_u_fs_inode(&ad, inode); 1229 rc = smk_curacc(smk_of_inode(inode), mask, &ad); 1230 rc = smk_bu_inode(inode, mask, rc); 1231 return rc; 1232 } 1233 1234 /** 1235 * smack_inode_setattr - Smack check for setting attributes 1236 * @dentry: the object 1237 * @iattr: for the force flag 1238 * 1239 * Returns 0 if access is permitted, an error code otherwise 1240 */ 1241 static int smack_inode_setattr(struct dentry *dentry, struct iattr *iattr) 1242 { 1243 struct smk_audit_info ad; 1244 int rc; 1245 1246 /* 1247 * Need to allow for clearing the setuid bit. 1248 */ 1249 if (iattr->ia_valid & ATTR_FORCE) 1250 return 0; 1251 smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_DENTRY); 1252 smk_ad_setfield_u_fs_path_dentry(&ad, dentry); 1253 1254 rc = smk_curacc(smk_of_inode(d_backing_inode(dentry)), MAY_WRITE, &ad); 1255 rc = smk_bu_inode(d_backing_inode(dentry), MAY_WRITE, rc); 1256 return rc; 1257 } 1258 1259 /** 1260 * smack_inode_getattr - Smack check for getting attributes 1261 * @path: path to extract the info from 1262 * 1263 * Returns 0 if access is permitted, an error code otherwise 1264 */ 1265 static int smack_inode_getattr(const struct path *path) 1266 { 1267 struct smk_audit_info ad; 1268 struct inode *inode = d_backing_inode(path->dentry); 1269 int rc; 1270 1271 smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_PATH); 1272 smk_ad_setfield_u_fs_path(&ad, *path); 1273 rc = smk_curacc(smk_of_inode(inode), MAY_READ, &ad); 1274 rc = smk_bu_inode(inode, MAY_READ, rc); 1275 return rc; 1276 } 1277 1278 /** 1279 * smack_inode_setxattr - Smack check for setting xattrs 1280 * @idmap: idmap of the mount 1281 * @dentry: the object 1282 * @name: name of the attribute 1283 * @value: value of the attribute 1284 * @size: size of the value 1285 * @flags: unused 1286 * 1287 * This protects the Smack attribute explicitly. 1288 * 1289 * Returns 0 if access is permitted, an error code otherwise 1290 */ 1291 static int smack_inode_setxattr(struct mnt_idmap *idmap, 1292 struct dentry *dentry, const char *name, 1293 const void *value, size_t size, int flags) 1294 { 1295 struct smk_audit_info ad; 1296 struct smack_known *skp; 1297 int check_priv = 0; 1298 int check_import = 0; 1299 int check_star = 0; 1300 int rc = 0; 1301 1302 /* 1303 * Check label validity here so import won't fail in post_setxattr 1304 */ 1305 if (strcmp(name, XATTR_NAME_SMACK) == 0 || 1306 strcmp(name, XATTR_NAME_SMACKIPIN) == 0 || 1307 strcmp(name, XATTR_NAME_SMACKIPOUT) == 0) { 1308 check_priv = 1; 1309 check_import = 1; 1310 } else if (strcmp(name, XATTR_NAME_SMACKEXEC) == 0 || 1311 strcmp(name, XATTR_NAME_SMACKMMAP) == 0) { 1312 check_priv = 1; 1313 check_import = 1; 1314 check_star = 1; 1315 } else if (strcmp(name, XATTR_NAME_SMACKTRANSMUTE) == 0) { 1316 check_priv = 1; 1317 if (size != TRANS_TRUE_SIZE || 1318 strncmp(value, TRANS_TRUE, TRANS_TRUE_SIZE) != 0) 1319 rc = -EINVAL; 1320 } else 1321 rc = cap_inode_setxattr(dentry, name, value, size, flags); 1322 1323 if (check_priv && !smack_privileged(CAP_MAC_ADMIN)) 1324 rc = -EPERM; 1325 1326 if (rc == 0 && check_import) { 1327 skp = size ? smk_import_entry(value, size) : NULL; 1328 if (IS_ERR(skp)) 1329 rc = PTR_ERR(skp); 1330 else if (skp == NULL || (check_star && 1331 (skp == &smack_known_star || skp == &smack_known_web))) 1332 rc = -EINVAL; 1333 } 1334 1335 smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_DENTRY); 1336 smk_ad_setfield_u_fs_path_dentry(&ad, dentry); 1337 1338 if (rc == 0) { 1339 rc = smk_curacc(smk_of_inode(d_backing_inode(dentry)), MAY_WRITE, &ad); 1340 rc = smk_bu_inode(d_backing_inode(dentry), MAY_WRITE, rc); 1341 } 1342 1343 return rc; 1344 } 1345 1346 /** 1347 * smack_inode_post_setxattr - Apply the Smack update approved above 1348 * @dentry: object 1349 * @name: attribute name 1350 * @value: attribute value 1351 * @size: attribute size 1352 * @flags: unused 1353 * 1354 * Set the pointer in the inode blob to the entry found 1355 * in the master label list. 1356 */ 1357 static void smack_inode_post_setxattr(struct dentry *dentry, const char *name, 1358 const void *value, size_t size, int flags) 1359 { 1360 struct smack_known *skp; 1361 struct inode_smack *isp = smack_inode(d_backing_inode(dentry)); 1362 1363 if (strcmp(name, XATTR_NAME_SMACKTRANSMUTE) == 0) { 1364 isp->smk_flags |= SMK_INODE_TRANSMUTE; 1365 return; 1366 } 1367 1368 if (strcmp(name, XATTR_NAME_SMACK) == 0) { 1369 skp = smk_import_entry(value, size); 1370 if (!IS_ERR(skp)) 1371 isp->smk_inode = skp; 1372 } else if (strcmp(name, XATTR_NAME_SMACKEXEC) == 0) { 1373 skp = smk_import_entry(value, size); 1374 if (!IS_ERR(skp)) 1375 isp->smk_task = skp; 1376 } else if (strcmp(name, XATTR_NAME_SMACKMMAP) == 0) { 1377 skp = smk_import_entry(value, size); 1378 if (!IS_ERR(skp)) 1379 isp->smk_mmap = skp; 1380 } 1381 1382 return; 1383 } 1384 1385 /** 1386 * smack_inode_getxattr - Smack check on getxattr 1387 * @dentry: the object 1388 * @name: unused 1389 * 1390 * Returns 0 if access is permitted, an error code otherwise 1391 */ 1392 static int smack_inode_getxattr(struct dentry *dentry, const char *name) 1393 { 1394 struct smk_audit_info ad; 1395 int rc; 1396 1397 smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_DENTRY); 1398 smk_ad_setfield_u_fs_path_dentry(&ad, dentry); 1399 1400 rc = smk_curacc(smk_of_inode(d_backing_inode(dentry)), MAY_READ, &ad); 1401 rc = smk_bu_inode(d_backing_inode(dentry), MAY_READ, rc); 1402 return rc; 1403 } 1404 1405 /** 1406 * smack_inode_removexattr - Smack check on removexattr 1407 * @idmap: idmap of the mount 1408 * @dentry: the object 1409 * @name: name of the attribute 1410 * 1411 * Removing the Smack attribute requires CAP_MAC_ADMIN 1412 * 1413 * Returns 0 if access is permitted, an error code otherwise 1414 */ 1415 static int smack_inode_removexattr(struct mnt_idmap *idmap, 1416 struct dentry *dentry, const char *name) 1417 { 1418 struct inode_smack *isp; 1419 struct smk_audit_info ad; 1420 int rc = 0; 1421 1422 if (strcmp(name, XATTR_NAME_SMACK) == 0 || 1423 strcmp(name, XATTR_NAME_SMACKIPIN) == 0 || 1424 strcmp(name, XATTR_NAME_SMACKIPOUT) == 0 || 1425 strcmp(name, XATTR_NAME_SMACKEXEC) == 0 || 1426 strcmp(name, XATTR_NAME_SMACKTRANSMUTE) == 0 || 1427 strcmp(name, XATTR_NAME_SMACKMMAP) == 0) { 1428 if (!smack_privileged(CAP_MAC_ADMIN)) 1429 rc = -EPERM; 1430 } else 1431 rc = cap_inode_removexattr(idmap, dentry, name); 1432 1433 if (rc != 0) 1434 return rc; 1435 1436 smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_DENTRY); 1437 smk_ad_setfield_u_fs_path_dentry(&ad, dentry); 1438 1439 rc = smk_curacc(smk_of_inode(d_backing_inode(dentry)), MAY_WRITE, &ad); 1440 rc = smk_bu_inode(d_backing_inode(dentry), MAY_WRITE, rc); 1441 if (rc != 0) 1442 return rc; 1443 1444 isp = smack_inode(d_backing_inode(dentry)); 1445 /* 1446 * Don't do anything special for these. 1447 * XATTR_NAME_SMACKIPIN 1448 * XATTR_NAME_SMACKIPOUT 1449 */ 1450 if (strcmp(name, XATTR_NAME_SMACK) == 0) { 1451 struct super_block *sbp = dentry->d_sb; 1452 struct superblock_smack *sbsp = smack_superblock(sbp); 1453 1454 isp->smk_inode = sbsp->smk_default; 1455 } else if (strcmp(name, XATTR_NAME_SMACKEXEC) == 0) 1456 isp->smk_task = NULL; 1457 else if (strcmp(name, XATTR_NAME_SMACKMMAP) == 0) 1458 isp->smk_mmap = NULL; 1459 else if (strcmp(name, XATTR_NAME_SMACKTRANSMUTE) == 0) 1460 isp->smk_flags &= ~SMK_INODE_TRANSMUTE; 1461 1462 return 0; 1463 } 1464 1465 /** 1466 * smack_inode_set_acl - Smack check for setting posix acls 1467 * @idmap: idmap of the mnt this request came from 1468 * @dentry: the object 1469 * @acl_name: name of the posix acl 1470 * @kacl: the posix acls 1471 * 1472 * Returns 0 if access is permitted, an error code otherwise 1473 */ 1474 static int smack_inode_set_acl(struct mnt_idmap *idmap, 1475 struct dentry *dentry, const char *acl_name, 1476 struct posix_acl *kacl) 1477 { 1478 struct smk_audit_info ad; 1479 int rc; 1480 1481 smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_DENTRY); 1482 smk_ad_setfield_u_fs_path_dentry(&ad, dentry); 1483 1484 rc = smk_curacc(smk_of_inode(d_backing_inode(dentry)), MAY_WRITE, &ad); 1485 rc = smk_bu_inode(d_backing_inode(dentry), MAY_WRITE, rc); 1486 return rc; 1487 } 1488 1489 /** 1490 * smack_inode_get_acl - Smack check for getting posix acls 1491 * @idmap: idmap of the mnt this request came from 1492 * @dentry: the object 1493 * @acl_name: name of the posix acl 1494 * 1495 * Returns 0 if access is permitted, an error code otherwise 1496 */ 1497 static int smack_inode_get_acl(struct mnt_idmap *idmap, 1498 struct dentry *dentry, const char *acl_name) 1499 { 1500 struct smk_audit_info ad; 1501 int rc; 1502 1503 smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_DENTRY); 1504 smk_ad_setfield_u_fs_path_dentry(&ad, dentry); 1505 1506 rc = smk_curacc(smk_of_inode(d_backing_inode(dentry)), MAY_READ, &ad); 1507 rc = smk_bu_inode(d_backing_inode(dentry), MAY_READ, rc); 1508 return rc; 1509 } 1510 1511 /** 1512 * smack_inode_remove_acl - Smack check for getting posix acls 1513 * @idmap: idmap of the mnt this request came from 1514 * @dentry: the object 1515 * @acl_name: name of the posix acl 1516 * 1517 * Returns 0 if access is permitted, an error code otherwise 1518 */ 1519 static int smack_inode_remove_acl(struct mnt_idmap *idmap, 1520 struct dentry *dentry, const char *acl_name) 1521 { 1522 struct smk_audit_info ad; 1523 int rc; 1524 1525 smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_DENTRY); 1526 smk_ad_setfield_u_fs_path_dentry(&ad, dentry); 1527 1528 rc = smk_curacc(smk_of_inode(d_backing_inode(dentry)), MAY_WRITE, &ad); 1529 rc = smk_bu_inode(d_backing_inode(dentry), MAY_WRITE, rc); 1530 return rc; 1531 } 1532 1533 /** 1534 * smack_inode_getsecurity - get smack xattrs 1535 * @idmap: idmap of the mount 1536 * @inode: the object 1537 * @name: attribute name 1538 * @buffer: where to put the result 1539 * @alloc: duplicate memory 1540 * 1541 * Returns the size of the attribute or an error code 1542 */ 1543 static int smack_inode_getsecurity(struct mnt_idmap *idmap, 1544 struct inode *inode, const char *name, 1545 void **buffer, bool alloc) 1546 { 1547 struct socket_smack *ssp; 1548 struct socket *sock; 1549 struct super_block *sbp; 1550 struct inode *ip = inode; 1551 struct smack_known *isp; 1552 struct inode_smack *ispp; 1553 size_t label_len; 1554 char *label = NULL; 1555 1556 if (strcmp(name, XATTR_SMACK_SUFFIX) == 0) { 1557 isp = smk_of_inode(inode); 1558 } else if (strcmp(name, XATTR_SMACK_TRANSMUTE) == 0) { 1559 ispp = smack_inode(inode); 1560 if (ispp->smk_flags & SMK_INODE_TRANSMUTE) 1561 label = TRANS_TRUE; 1562 else 1563 label = ""; 1564 } else { 1565 /* 1566 * The rest of the Smack xattrs are only on sockets. 1567 */ 1568 sbp = ip->i_sb; 1569 if (sbp->s_magic != SOCKFS_MAGIC) 1570 return -EOPNOTSUPP; 1571 1572 sock = SOCKET_I(ip); 1573 if (sock == NULL || sock->sk == NULL) 1574 return -EOPNOTSUPP; 1575 1576 ssp = sock->sk->sk_security; 1577 1578 if (strcmp(name, XATTR_SMACK_IPIN) == 0) 1579 isp = ssp->smk_in; 1580 else if (strcmp(name, XATTR_SMACK_IPOUT) == 0) 1581 isp = ssp->smk_out; 1582 else 1583 return -EOPNOTSUPP; 1584 } 1585 1586 if (!label) 1587 label = isp->smk_known; 1588 1589 label_len = strlen(label); 1590 1591 if (alloc) { 1592 *buffer = kstrdup(label, GFP_KERNEL); 1593 if (*buffer == NULL) 1594 return -ENOMEM; 1595 } 1596 1597 return label_len; 1598 } 1599 1600 1601 /** 1602 * smack_inode_listsecurity - list the Smack attributes 1603 * @inode: the object 1604 * @buffer: where they go 1605 * @buffer_size: size of buffer 1606 */ 1607 static int smack_inode_listsecurity(struct inode *inode, char *buffer, 1608 size_t buffer_size) 1609 { 1610 int len = sizeof(XATTR_NAME_SMACK); 1611 1612 if (buffer != NULL && len <= buffer_size) 1613 memcpy(buffer, XATTR_NAME_SMACK, len); 1614 1615 return len; 1616 } 1617 1618 /** 1619 * smack_inode_getsecid - Extract inode's security id 1620 * @inode: inode to extract the info from 1621 * @secid: where result will be saved 1622 */ 1623 static void smack_inode_getsecid(struct inode *inode, u32 *secid) 1624 { 1625 struct smack_known *skp = smk_of_inode(inode); 1626 1627 *secid = skp->smk_secid; 1628 } 1629 1630 /* 1631 * File Hooks 1632 */ 1633 1634 /* 1635 * There is no smack_file_permission hook 1636 * 1637 * Should access checks be done on each read or write? 1638 * UNICOS and SELinux say yes. 1639 * Trusted Solaris, Trusted Irix, and just about everyone else says no. 1640 * 1641 * I'll say no for now. Smack does not do the frequent 1642 * label changing that SELinux does. 1643 */ 1644 1645 /** 1646 * smack_file_alloc_security - assign a file security blob 1647 * @file: the object 1648 * 1649 * The security blob for a file is a pointer to the master 1650 * label list, so no allocation is done. 1651 * 1652 * f_security is the owner security information. It 1653 * isn't used on file access checks, it's for send_sigio. 1654 * 1655 * Returns 0 1656 */ 1657 static int smack_file_alloc_security(struct file *file) 1658 { 1659 struct smack_known **blob = smack_file(file); 1660 1661 *blob = smk_of_current(); 1662 return 0; 1663 } 1664 1665 /** 1666 * smack_file_ioctl - Smack check on ioctls 1667 * @file: the object 1668 * @cmd: what to do 1669 * @arg: unused 1670 * 1671 * Relies heavily on the correct use of the ioctl command conventions. 1672 * 1673 * Returns 0 if allowed, error code otherwise 1674 */ 1675 static int smack_file_ioctl(struct file *file, unsigned int cmd, 1676 unsigned long arg) 1677 { 1678 int rc = 0; 1679 struct smk_audit_info ad; 1680 struct inode *inode = file_inode(file); 1681 1682 if (unlikely(IS_PRIVATE(inode))) 1683 return 0; 1684 1685 smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_PATH); 1686 smk_ad_setfield_u_fs_path(&ad, file->f_path); 1687 1688 if (_IOC_DIR(cmd) & _IOC_WRITE) { 1689 rc = smk_curacc(smk_of_inode(inode), MAY_WRITE, &ad); 1690 rc = smk_bu_file(file, MAY_WRITE, rc); 1691 } 1692 1693 if (rc == 0 && (_IOC_DIR(cmd) & _IOC_READ)) { 1694 rc = smk_curacc(smk_of_inode(inode), MAY_READ, &ad); 1695 rc = smk_bu_file(file, MAY_READ, rc); 1696 } 1697 1698 return rc; 1699 } 1700 1701 /** 1702 * smack_file_lock - Smack check on file locking 1703 * @file: the object 1704 * @cmd: unused 1705 * 1706 * Returns 0 if current has lock access, error code otherwise 1707 */ 1708 static int smack_file_lock(struct file *file, unsigned int cmd) 1709 { 1710 struct smk_audit_info ad; 1711 int rc; 1712 struct inode *inode = file_inode(file); 1713 1714 if (unlikely(IS_PRIVATE(inode))) 1715 return 0; 1716 1717 smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_PATH); 1718 smk_ad_setfield_u_fs_path(&ad, file->f_path); 1719 rc = smk_curacc(smk_of_inode(inode), MAY_LOCK, &ad); 1720 rc = smk_bu_file(file, MAY_LOCK, rc); 1721 return rc; 1722 } 1723 1724 /** 1725 * smack_file_fcntl - Smack check on fcntl 1726 * @file: the object 1727 * @cmd: what action to check 1728 * @arg: unused 1729 * 1730 * Generally these operations are harmless. 1731 * File locking operations present an obvious mechanism 1732 * for passing information, so they require write access. 1733 * 1734 * Returns 0 if current has access, error code otherwise 1735 */ 1736 static int smack_file_fcntl(struct file *file, unsigned int cmd, 1737 unsigned long arg) 1738 { 1739 struct smk_audit_info ad; 1740 int rc = 0; 1741 struct inode *inode = file_inode(file); 1742 1743 if (unlikely(IS_PRIVATE(inode))) 1744 return 0; 1745 1746 switch (cmd) { 1747 case F_GETLK: 1748 break; 1749 case F_SETLK: 1750 case F_SETLKW: 1751 smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_PATH); 1752 smk_ad_setfield_u_fs_path(&ad, file->f_path); 1753 rc = smk_curacc(smk_of_inode(inode), MAY_LOCK, &ad); 1754 rc = smk_bu_file(file, MAY_LOCK, rc); 1755 break; 1756 case F_SETOWN: 1757 case F_SETSIG: 1758 smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_PATH); 1759 smk_ad_setfield_u_fs_path(&ad, file->f_path); 1760 rc = smk_curacc(smk_of_inode(inode), MAY_WRITE, &ad); 1761 rc = smk_bu_file(file, MAY_WRITE, rc); 1762 break; 1763 default: 1764 break; 1765 } 1766 1767 return rc; 1768 } 1769 1770 /** 1771 * smack_mmap_file - Check permissions for a mmap operation. 1772 * @file: contains the file structure for file to map (may be NULL). 1773 * @reqprot: contains the protection requested by the application. 1774 * @prot: contains the protection that will be applied by the kernel. 1775 * @flags: contains the operational flags. 1776 * 1777 * The @file may be NULL, e.g. if mapping anonymous memory. 1778 * 1779 * Return 0 if permission is granted. 1780 */ 1781 static int smack_mmap_file(struct file *file, 1782 unsigned long reqprot, unsigned long prot, 1783 unsigned long flags) 1784 { 1785 struct smack_known *skp; 1786 struct smack_known *mkp; 1787 struct smack_rule *srp; 1788 struct task_smack *tsp; 1789 struct smack_known *okp; 1790 struct inode_smack *isp; 1791 struct superblock_smack *sbsp; 1792 int may; 1793 int mmay; 1794 int tmay; 1795 int rc; 1796 1797 if (file == NULL) 1798 return 0; 1799 1800 if (unlikely(IS_PRIVATE(file_inode(file)))) 1801 return 0; 1802 1803 isp = smack_inode(file_inode(file)); 1804 if (isp->smk_mmap == NULL) 1805 return 0; 1806 sbsp = smack_superblock(file_inode(file)->i_sb); 1807 if (sbsp->smk_flags & SMK_SB_UNTRUSTED && 1808 isp->smk_mmap != sbsp->smk_root) 1809 return -EACCES; 1810 mkp = isp->smk_mmap; 1811 1812 tsp = smack_cred(current_cred()); 1813 skp = smk_of_current(); 1814 rc = 0; 1815 1816 rcu_read_lock(); 1817 /* 1818 * For each Smack rule associated with the subject 1819 * label verify that the SMACK64MMAP also has access 1820 * to that rule's object label. 1821 */ 1822 list_for_each_entry_rcu(srp, &skp->smk_rules, list) { 1823 okp = srp->smk_object; 1824 /* 1825 * Matching labels always allows access. 1826 */ 1827 if (mkp->smk_known == okp->smk_known) 1828 continue; 1829 /* 1830 * If there is a matching local rule take 1831 * that into account as well. 1832 */ 1833 may = smk_access_entry(srp->smk_subject->smk_known, 1834 okp->smk_known, 1835 &tsp->smk_rules); 1836 if (may == -ENOENT) 1837 may = srp->smk_access; 1838 else 1839 may &= srp->smk_access; 1840 /* 1841 * If may is zero the SMACK64MMAP subject can't 1842 * possibly have less access. 1843 */ 1844 if (may == 0) 1845 continue; 1846 1847 /* 1848 * Fetch the global list entry. 1849 * If there isn't one a SMACK64MMAP subject 1850 * can't have as much access as current. 1851 */ 1852 mmay = smk_access_entry(mkp->smk_known, okp->smk_known, 1853 &mkp->smk_rules); 1854 if (mmay == -ENOENT) { 1855 rc = -EACCES; 1856 break; 1857 } 1858 /* 1859 * If there is a local entry it modifies the 1860 * potential access, too. 1861 */ 1862 tmay = smk_access_entry(mkp->smk_known, okp->smk_known, 1863 &tsp->smk_rules); 1864 if (tmay != -ENOENT) 1865 mmay &= tmay; 1866 1867 /* 1868 * If there is any access available to current that is 1869 * not available to a SMACK64MMAP subject 1870 * deny access. 1871 */ 1872 if ((may | mmay) != mmay) { 1873 rc = -EACCES; 1874 break; 1875 } 1876 } 1877 1878 rcu_read_unlock(); 1879 1880 return rc; 1881 } 1882 1883 /** 1884 * smack_file_set_fowner - set the file security blob value 1885 * @file: object in question 1886 * 1887 */ 1888 static void smack_file_set_fowner(struct file *file) 1889 { 1890 struct smack_known **blob = smack_file(file); 1891 1892 *blob = smk_of_current(); 1893 } 1894 1895 /** 1896 * smack_file_send_sigiotask - Smack on sigio 1897 * @tsk: The target task 1898 * @fown: the object the signal come from 1899 * @signum: unused 1900 * 1901 * Allow a privileged task to get signals even if it shouldn't 1902 * 1903 * Returns 0 if a subject with the object's smack could 1904 * write to the task, an error code otherwise. 1905 */ 1906 static int smack_file_send_sigiotask(struct task_struct *tsk, 1907 struct fown_struct *fown, int signum) 1908 { 1909 struct smack_known **blob; 1910 struct smack_known *skp; 1911 struct smack_known *tkp = smk_of_task(smack_cred(tsk->cred)); 1912 const struct cred *tcred; 1913 struct file *file; 1914 int rc; 1915 struct smk_audit_info ad; 1916 1917 /* 1918 * struct fown_struct is never outside the context of a struct file 1919 */ 1920 file = container_of(fown, struct file, f_owner); 1921 1922 /* we don't log here as rc can be overriden */ 1923 blob = smack_file(file); 1924 skp = *blob; 1925 rc = smk_access(skp, tkp, MAY_DELIVER, NULL); 1926 rc = smk_bu_note("sigiotask", skp, tkp, MAY_DELIVER, rc); 1927 1928 rcu_read_lock(); 1929 tcred = __task_cred(tsk); 1930 if (rc != 0 && smack_privileged_cred(CAP_MAC_OVERRIDE, tcred)) 1931 rc = 0; 1932 rcu_read_unlock(); 1933 1934 smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_TASK); 1935 smk_ad_setfield_u_tsk(&ad, tsk); 1936 smack_log(skp->smk_known, tkp->smk_known, MAY_DELIVER, rc, &ad); 1937 return rc; 1938 } 1939 1940 /** 1941 * smack_file_receive - Smack file receive check 1942 * @file: the object 1943 * 1944 * Returns 0 if current has access, error code otherwise 1945 */ 1946 static int smack_file_receive(struct file *file) 1947 { 1948 int rc; 1949 int may = 0; 1950 struct smk_audit_info ad; 1951 struct inode *inode = file_inode(file); 1952 struct socket *sock; 1953 struct task_smack *tsp; 1954 struct socket_smack *ssp; 1955 1956 if (unlikely(IS_PRIVATE(inode))) 1957 return 0; 1958 1959 smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_PATH); 1960 smk_ad_setfield_u_fs_path(&ad, file->f_path); 1961 1962 if (inode->i_sb->s_magic == SOCKFS_MAGIC) { 1963 sock = SOCKET_I(inode); 1964 ssp = sock->sk->sk_security; 1965 tsp = smack_cred(current_cred()); 1966 /* 1967 * If the receiving process can't write to the 1968 * passed socket or if the passed socket can't 1969 * write to the receiving process don't accept 1970 * the passed socket. 1971 */ 1972 rc = smk_access(tsp->smk_task, ssp->smk_out, MAY_WRITE, &ad); 1973 rc = smk_bu_file(file, may, rc); 1974 if (rc < 0) 1975 return rc; 1976 rc = smk_access(ssp->smk_in, tsp->smk_task, MAY_WRITE, &ad); 1977 rc = smk_bu_file(file, may, rc); 1978 return rc; 1979 } 1980 /* 1981 * This code relies on bitmasks. 1982 */ 1983 if (file->f_mode & FMODE_READ) 1984 may = MAY_READ; 1985 if (file->f_mode & FMODE_WRITE) 1986 may |= MAY_WRITE; 1987 1988 rc = smk_curacc(smk_of_inode(inode), may, &ad); 1989 rc = smk_bu_file(file, may, rc); 1990 return rc; 1991 } 1992 1993 /** 1994 * smack_file_open - Smack dentry open processing 1995 * @file: the object 1996 * 1997 * Set the security blob in the file structure. 1998 * Allow the open only if the task has read access. There are 1999 * many read operations (e.g. fstat) that you can do with an 2000 * fd even if you have the file open write-only. 2001 * 2002 * Returns 0 if current has access, error code otherwise 2003 */ 2004 static int smack_file_open(struct file *file) 2005 { 2006 struct task_smack *tsp = smack_cred(file->f_cred); 2007 struct inode *inode = file_inode(file); 2008 struct smk_audit_info ad; 2009 int rc; 2010 2011 smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_PATH); 2012 smk_ad_setfield_u_fs_path(&ad, file->f_path); 2013 rc = smk_tskacc(tsp, smk_of_inode(inode), MAY_READ, &ad); 2014 rc = smk_bu_credfile(file->f_cred, file, MAY_READ, rc); 2015 2016 return rc; 2017 } 2018 2019 /* 2020 * Task hooks 2021 */ 2022 2023 /** 2024 * smack_cred_alloc_blank - "allocate" blank task-level security credentials 2025 * @cred: the new credentials 2026 * @gfp: the atomicity of any memory allocations 2027 * 2028 * Prepare a blank set of credentials for modification. This must allocate all 2029 * the memory the LSM module might require such that cred_transfer() can 2030 * complete without error. 2031 */ 2032 static int smack_cred_alloc_blank(struct cred *cred, gfp_t gfp) 2033 { 2034 init_task_smack(smack_cred(cred), NULL, NULL); 2035 return 0; 2036 } 2037 2038 2039 /** 2040 * smack_cred_free - "free" task-level security credentials 2041 * @cred: the credentials in question 2042 * 2043 */ 2044 static void smack_cred_free(struct cred *cred) 2045 { 2046 struct task_smack *tsp = smack_cred(cred); 2047 struct smack_rule *rp; 2048 struct list_head *l; 2049 struct list_head *n; 2050 2051 smk_destroy_label_list(&tsp->smk_relabel); 2052 2053 list_for_each_safe(l, n, &tsp->smk_rules) { 2054 rp = list_entry(l, struct smack_rule, list); 2055 list_del(&rp->list); 2056 kmem_cache_free(smack_rule_cache, rp); 2057 } 2058 } 2059 2060 /** 2061 * smack_cred_prepare - prepare new set of credentials for modification 2062 * @new: the new credentials 2063 * @old: the original credentials 2064 * @gfp: the atomicity of any memory allocations 2065 * 2066 * Prepare a new set of credentials for modification. 2067 */ 2068 static int smack_cred_prepare(struct cred *new, const struct cred *old, 2069 gfp_t gfp) 2070 { 2071 struct task_smack *old_tsp = smack_cred(old); 2072 struct task_smack *new_tsp = smack_cred(new); 2073 int rc; 2074 2075 init_task_smack(new_tsp, old_tsp->smk_task, old_tsp->smk_task); 2076 2077 rc = smk_copy_rules(&new_tsp->smk_rules, &old_tsp->smk_rules, gfp); 2078 if (rc != 0) 2079 return rc; 2080 2081 rc = smk_copy_relabel(&new_tsp->smk_relabel, &old_tsp->smk_relabel, 2082 gfp); 2083 return rc; 2084 } 2085 2086 /** 2087 * smack_cred_transfer - Transfer the old credentials to the new credentials 2088 * @new: the new credentials 2089 * @old: the original credentials 2090 * 2091 * Fill in a set of blank credentials from another set of credentials. 2092 */ 2093 static void smack_cred_transfer(struct cred *new, const struct cred *old) 2094 { 2095 struct task_smack *old_tsp = smack_cred(old); 2096 struct task_smack *new_tsp = smack_cred(new); 2097 2098 new_tsp->smk_task = old_tsp->smk_task; 2099 new_tsp->smk_forked = old_tsp->smk_task; 2100 mutex_init(&new_tsp->smk_rules_lock); 2101 INIT_LIST_HEAD(&new_tsp->smk_rules); 2102 2103 /* cbs copy rule list */ 2104 } 2105 2106 /** 2107 * smack_cred_getsecid - get the secid corresponding to a creds structure 2108 * @cred: the object creds 2109 * @secid: where to put the result 2110 * 2111 * Sets the secid to contain a u32 version of the smack label. 2112 */ 2113 static void smack_cred_getsecid(const struct cred *cred, u32 *secid) 2114 { 2115 struct smack_known *skp; 2116 2117 rcu_read_lock(); 2118 skp = smk_of_task(smack_cred(cred)); 2119 *secid = skp->smk_secid; 2120 rcu_read_unlock(); 2121 } 2122 2123 /** 2124 * smack_kernel_act_as - Set the subjective context in a set of credentials 2125 * @new: points to the set of credentials to be modified. 2126 * @secid: specifies the security ID to be set 2127 * 2128 * Set the security data for a kernel service. 2129 */ 2130 static int smack_kernel_act_as(struct cred *new, u32 secid) 2131 { 2132 struct task_smack *new_tsp = smack_cred(new); 2133 2134 new_tsp->smk_task = smack_from_secid(secid); 2135 return 0; 2136 } 2137 2138 /** 2139 * smack_kernel_create_files_as - Set the file creation label in a set of creds 2140 * @new: points to the set of credentials to be modified 2141 * @inode: points to the inode to use as a reference 2142 * 2143 * Set the file creation context in a set of credentials to the same 2144 * as the objective context of the specified inode 2145 */ 2146 static int smack_kernel_create_files_as(struct cred *new, 2147 struct inode *inode) 2148 { 2149 struct inode_smack *isp = smack_inode(inode); 2150 struct task_smack *tsp = smack_cred(new); 2151 2152 tsp->smk_forked = isp->smk_inode; 2153 tsp->smk_task = tsp->smk_forked; 2154 return 0; 2155 } 2156 2157 /** 2158 * smk_curacc_on_task - helper to log task related access 2159 * @p: the task object 2160 * @access: the access requested 2161 * @caller: name of the calling function for audit 2162 * 2163 * Return 0 if access is permitted 2164 */ 2165 static int smk_curacc_on_task(struct task_struct *p, int access, 2166 const char *caller) 2167 { 2168 struct smk_audit_info ad; 2169 struct smack_known *skp = smk_of_task_struct_obj(p); 2170 int rc; 2171 2172 smk_ad_init(&ad, caller, LSM_AUDIT_DATA_TASK); 2173 smk_ad_setfield_u_tsk(&ad, p); 2174 rc = smk_curacc(skp, access, &ad); 2175 rc = smk_bu_task(p, access, rc); 2176 return rc; 2177 } 2178 2179 /** 2180 * smack_task_setpgid - Smack check on setting pgid 2181 * @p: the task object 2182 * @pgid: unused 2183 * 2184 * Return 0 if write access is permitted 2185 */ 2186 static int smack_task_setpgid(struct task_struct *p, pid_t pgid) 2187 { 2188 return smk_curacc_on_task(p, MAY_WRITE, __func__); 2189 } 2190 2191 /** 2192 * smack_task_getpgid - Smack access check for getpgid 2193 * @p: the object task 2194 * 2195 * Returns 0 if current can read the object task, error code otherwise 2196 */ 2197 static int smack_task_getpgid(struct task_struct *p) 2198 { 2199 return smk_curacc_on_task(p, MAY_READ, __func__); 2200 } 2201 2202 /** 2203 * smack_task_getsid - Smack access check for getsid 2204 * @p: the object task 2205 * 2206 * Returns 0 if current can read the object task, error code otherwise 2207 */ 2208 static int smack_task_getsid(struct task_struct *p) 2209 { 2210 return smk_curacc_on_task(p, MAY_READ, __func__); 2211 } 2212 2213 /** 2214 * smack_current_getsecid_subj - get the subjective secid of the current task 2215 * @secid: where to put the result 2216 * 2217 * Sets the secid to contain a u32 version of the task's subjective smack label. 2218 */ 2219 static void smack_current_getsecid_subj(u32 *secid) 2220 { 2221 struct smack_known *skp = smk_of_current(); 2222 2223 *secid = skp->smk_secid; 2224 } 2225 2226 /** 2227 * smack_task_getsecid_obj - get the objective secid of the task 2228 * @p: the task 2229 * @secid: where to put the result 2230 * 2231 * Sets the secid to contain a u32 version of the task's objective smack label. 2232 */ 2233 static void smack_task_getsecid_obj(struct task_struct *p, u32 *secid) 2234 { 2235 struct smack_known *skp = smk_of_task_struct_obj(p); 2236 2237 *secid = skp->smk_secid; 2238 } 2239 2240 /** 2241 * smack_task_setnice - Smack check on setting nice 2242 * @p: the task object 2243 * @nice: unused 2244 * 2245 * Return 0 if write access is permitted 2246 */ 2247 static int smack_task_setnice(struct task_struct *p, int nice) 2248 { 2249 return smk_curacc_on_task(p, MAY_WRITE, __func__); 2250 } 2251 2252 /** 2253 * smack_task_setioprio - Smack check on setting ioprio 2254 * @p: the task object 2255 * @ioprio: unused 2256 * 2257 * Return 0 if write access is permitted 2258 */ 2259 static int smack_task_setioprio(struct task_struct *p, int ioprio) 2260 { 2261 return smk_curacc_on_task(p, MAY_WRITE, __func__); 2262 } 2263 2264 /** 2265 * smack_task_getioprio - Smack check on reading ioprio 2266 * @p: the task object 2267 * 2268 * Return 0 if read access is permitted 2269 */ 2270 static int smack_task_getioprio(struct task_struct *p) 2271 { 2272 return smk_curacc_on_task(p, MAY_READ, __func__); 2273 } 2274 2275 /** 2276 * smack_task_setscheduler - Smack check on setting scheduler 2277 * @p: the task object 2278 * 2279 * Return 0 if read access is permitted 2280 */ 2281 static int smack_task_setscheduler(struct task_struct *p) 2282 { 2283 return smk_curacc_on_task(p, MAY_WRITE, __func__); 2284 } 2285 2286 /** 2287 * smack_task_getscheduler - Smack check on reading scheduler 2288 * @p: the task object 2289 * 2290 * Return 0 if read access is permitted 2291 */ 2292 static int smack_task_getscheduler(struct task_struct *p) 2293 { 2294 return smk_curacc_on_task(p, MAY_READ, __func__); 2295 } 2296 2297 /** 2298 * smack_task_movememory - Smack check on moving memory 2299 * @p: the task object 2300 * 2301 * Return 0 if write access is permitted 2302 */ 2303 static int smack_task_movememory(struct task_struct *p) 2304 { 2305 return smk_curacc_on_task(p, MAY_WRITE, __func__); 2306 } 2307 2308 /** 2309 * smack_task_kill - Smack check on signal delivery 2310 * @p: the task object 2311 * @info: unused 2312 * @sig: unused 2313 * @cred: identifies the cred to use in lieu of current's 2314 * 2315 * Return 0 if write access is permitted 2316 * 2317 */ 2318 static int smack_task_kill(struct task_struct *p, struct kernel_siginfo *info, 2319 int sig, const struct cred *cred) 2320 { 2321 struct smk_audit_info ad; 2322 struct smack_known *skp; 2323 struct smack_known *tkp = smk_of_task_struct_obj(p); 2324 int rc; 2325 2326 if (!sig) 2327 return 0; /* null signal; existence test */ 2328 2329 smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_TASK); 2330 smk_ad_setfield_u_tsk(&ad, p); 2331 /* 2332 * Sending a signal requires that the sender 2333 * can write the receiver. 2334 */ 2335 if (cred == NULL) { 2336 rc = smk_curacc(tkp, MAY_DELIVER, &ad); 2337 rc = smk_bu_task(p, MAY_DELIVER, rc); 2338 return rc; 2339 } 2340 /* 2341 * If the cred isn't NULL we're dealing with some USB IO 2342 * specific behavior. This is not clean. For one thing 2343 * we can't take privilege into account. 2344 */ 2345 skp = smk_of_task(smack_cred(cred)); 2346 rc = smk_access(skp, tkp, MAY_DELIVER, &ad); 2347 rc = smk_bu_note("USB signal", skp, tkp, MAY_DELIVER, rc); 2348 return rc; 2349 } 2350 2351 /** 2352 * smack_task_to_inode - copy task smack into the inode blob 2353 * @p: task to copy from 2354 * @inode: inode to copy to 2355 * 2356 * Sets the smack pointer in the inode security blob 2357 */ 2358 static void smack_task_to_inode(struct task_struct *p, struct inode *inode) 2359 { 2360 struct inode_smack *isp = smack_inode(inode); 2361 struct smack_known *skp = smk_of_task_struct_obj(p); 2362 2363 isp->smk_inode = skp; 2364 isp->smk_flags |= SMK_INODE_INSTANT; 2365 } 2366 2367 /* 2368 * Socket hooks. 2369 */ 2370 2371 /** 2372 * smack_sk_alloc_security - Allocate a socket blob 2373 * @sk: the socket 2374 * @family: unused 2375 * @gfp_flags: memory allocation flags 2376 * 2377 * Assign Smack pointers to current 2378 * 2379 * Returns 0 on success, -ENOMEM is there's no memory 2380 */ 2381 static int smack_sk_alloc_security(struct sock *sk, int family, gfp_t gfp_flags) 2382 { 2383 struct smack_known *skp = smk_of_current(); 2384 struct socket_smack *ssp; 2385 2386 ssp = kzalloc(sizeof(struct socket_smack), gfp_flags); 2387 if (ssp == NULL) 2388 return -ENOMEM; 2389 2390 /* 2391 * Sockets created by kernel threads receive web label. 2392 */ 2393 if (unlikely(current->flags & PF_KTHREAD)) { 2394 ssp->smk_in = &smack_known_web; 2395 ssp->smk_out = &smack_known_web; 2396 } else { 2397 ssp->smk_in = skp; 2398 ssp->smk_out = skp; 2399 } 2400 ssp->smk_packet = NULL; 2401 2402 sk->sk_security = ssp; 2403 2404 return 0; 2405 } 2406 2407 /** 2408 * smack_sk_free_security - Free a socket blob 2409 * @sk: the socket 2410 * 2411 * Clears the blob pointer 2412 */ 2413 static void smack_sk_free_security(struct sock *sk) 2414 { 2415 #ifdef SMACK_IPV6_PORT_LABELING 2416 struct smk_port_label *spp; 2417 2418 if (sk->sk_family == PF_INET6) { 2419 rcu_read_lock(); 2420 list_for_each_entry_rcu(spp, &smk_ipv6_port_list, list) { 2421 if (spp->smk_sock != sk) 2422 continue; 2423 spp->smk_can_reuse = 1; 2424 break; 2425 } 2426 rcu_read_unlock(); 2427 } 2428 #endif 2429 kfree(sk->sk_security); 2430 } 2431 2432 /** 2433 * smack_sk_clone_security - Copy security context 2434 * @sk: the old socket 2435 * @newsk: the new socket 2436 * 2437 * Copy the security context of the old socket pointer to the cloned 2438 */ 2439 static void smack_sk_clone_security(const struct sock *sk, struct sock *newsk) 2440 { 2441 struct socket_smack *ssp_old = sk->sk_security; 2442 struct socket_smack *ssp_new = newsk->sk_security; 2443 2444 *ssp_new = *ssp_old; 2445 } 2446 2447 /** 2448 * smack_ipv4host_label - check host based restrictions 2449 * @sip: the object end 2450 * 2451 * looks for host based access restrictions 2452 * 2453 * This version will only be appropriate for really small sets of single label 2454 * hosts. The caller is responsible for ensuring that the RCU read lock is 2455 * taken before calling this function. 2456 * 2457 * Returns the label of the far end or NULL if it's not special. 2458 */ 2459 static struct smack_known *smack_ipv4host_label(struct sockaddr_in *sip) 2460 { 2461 struct smk_net4addr *snp; 2462 struct in_addr *siap = &sip->sin_addr; 2463 2464 if (siap->s_addr == 0) 2465 return NULL; 2466 2467 list_for_each_entry_rcu(snp, &smk_net4addr_list, list) 2468 /* 2469 * we break after finding the first match because 2470 * the list is sorted from longest to shortest mask 2471 * so we have found the most specific match 2472 */ 2473 if (snp->smk_host.s_addr == 2474 (siap->s_addr & snp->smk_mask.s_addr)) 2475 return snp->smk_label; 2476 2477 return NULL; 2478 } 2479 2480 /* 2481 * smk_ipv6_localhost - Check for local ipv6 host address 2482 * @sip: the address 2483 * 2484 * Returns boolean true if this is the localhost address 2485 */ 2486 static bool smk_ipv6_localhost(struct sockaddr_in6 *sip) 2487 { 2488 __be16 *be16p = (__be16 *)&sip->sin6_addr; 2489 __be32 *be32p = (__be32 *)&sip->sin6_addr; 2490 2491 if (be32p[0] == 0 && be32p[1] == 0 && be32p[2] == 0 && be16p[6] == 0 && 2492 ntohs(be16p[7]) == 1) 2493 return true; 2494 return false; 2495 } 2496 2497 /** 2498 * smack_ipv6host_label - check host based restrictions 2499 * @sip: the object end 2500 * 2501 * looks for host based access restrictions 2502 * 2503 * This version will only be appropriate for really small sets of single label 2504 * hosts. The caller is responsible for ensuring that the RCU read lock is 2505 * taken before calling this function. 2506 * 2507 * Returns the label of the far end or NULL if it's not special. 2508 */ 2509 static struct smack_known *smack_ipv6host_label(struct sockaddr_in6 *sip) 2510 { 2511 struct smk_net6addr *snp; 2512 struct in6_addr *sap = &sip->sin6_addr; 2513 int i; 2514 int found = 0; 2515 2516 /* 2517 * It's local. Don't look for a host label. 2518 */ 2519 if (smk_ipv6_localhost(sip)) 2520 return NULL; 2521 2522 list_for_each_entry_rcu(snp, &smk_net6addr_list, list) { 2523 /* 2524 * If the label is NULL the entry has 2525 * been renounced. Ignore it. 2526 */ 2527 if (snp->smk_label == NULL) 2528 continue; 2529 /* 2530 * we break after finding the first match because 2531 * the list is sorted from longest to shortest mask 2532 * so we have found the most specific match 2533 */ 2534 for (found = 1, i = 0; i < 8; i++) { 2535 if ((sap->s6_addr16[i] & snp->smk_mask.s6_addr16[i]) != 2536 snp->smk_host.s6_addr16[i]) { 2537 found = 0; 2538 break; 2539 } 2540 } 2541 if (found) 2542 return snp->smk_label; 2543 } 2544 2545 return NULL; 2546 } 2547 2548 /** 2549 * smack_netlbl_add - Set the secattr on a socket 2550 * @sk: the socket 2551 * 2552 * Attach the outbound smack value (smk_out) to the socket. 2553 * 2554 * Returns 0 on success or an error code 2555 */ 2556 static int smack_netlbl_add(struct sock *sk) 2557 { 2558 struct socket_smack *ssp = sk->sk_security; 2559 struct smack_known *skp = ssp->smk_out; 2560 int rc; 2561 2562 local_bh_disable(); 2563 bh_lock_sock_nested(sk); 2564 2565 rc = netlbl_sock_setattr(sk, sk->sk_family, &skp->smk_netlabel); 2566 switch (rc) { 2567 case 0: 2568 ssp->smk_state = SMK_NETLBL_LABELED; 2569 break; 2570 case -EDESTADDRREQ: 2571 ssp->smk_state = SMK_NETLBL_REQSKB; 2572 rc = 0; 2573 break; 2574 } 2575 2576 bh_unlock_sock(sk); 2577 local_bh_enable(); 2578 2579 return rc; 2580 } 2581 2582 /** 2583 * smack_netlbl_delete - Remove the secattr from a socket 2584 * @sk: the socket 2585 * 2586 * Remove the outbound smack value from a socket 2587 */ 2588 static void smack_netlbl_delete(struct sock *sk) 2589 { 2590 struct socket_smack *ssp = sk->sk_security; 2591 2592 /* 2593 * Take the label off the socket if one is set. 2594 */ 2595 if (ssp->smk_state != SMK_NETLBL_LABELED) 2596 return; 2597 2598 local_bh_disable(); 2599 bh_lock_sock_nested(sk); 2600 netlbl_sock_delattr(sk); 2601 bh_unlock_sock(sk); 2602 local_bh_enable(); 2603 ssp->smk_state = SMK_NETLBL_UNLABELED; 2604 } 2605 2606 /** 2607 * smk_ipv4_check - Perform IPv4 host access checks 2608 * @sk: the socket 2609 * @sap: the destination address 2610 * 2611 * Set the correct secattr for the given socket based on the destination 2612 * address and perform any outbound access checks needed. 2613 * 2614 * Returns 0 on success or an error code. 2615 * 2616 */ 2617 static int smk_ipv4_check(struct sock *sk, struct sockaddr_in *sap) 2618 { 2619 struct smack_known *skp; 2620 int rc = 0; 2621 struct smack_known *hkp; 2622 struct socket_smack *ssp = sk->sk_security; 2623 struct smk_audit_info ad; 2624 2625 rcu_read_lock(); 2626 hkp = smack_ipv4host_label(sap); 2627 if (hkp != NULL) { 2628 #ifdef CONFIG_AUDIT 2629 struct lsm_network_audit net; 2630 2631 smk_ad_init_net(&ad, __func__, LSM_AUDIT_DATA_NET, &net); 2632 ad.a.u.net->family = sap->sin_family; 2633 ad.a.u.net->dport = sap->sin_port; 2634 ad.a.u.net->v4info.daddr = sap->sin_addr.s_addr; 2635 #endif 2636 skp = ssp->smk_out; 2637 rc = smk_access(skp, hkp, MAY_WRITE, &ad); 2638 rc = smk_bu_note("IPv4 host check", skp, hkp, MAY_WRITE, rc); 2639 /* 2640 * Clear the socket netlabel if it's set. 2641 */ 2642 if (!rc) 2643 smack_netlbl_delete(sk); 2644 } 2645 rcu_read_unlock(); 2646 2647 return rc; 2648 } 2649 2650 /** 2651 * smk_ipv6_check - check Smack access 2652 * @subject: subject Smack label 2653 * @object: object Smack label 2654 * @address: address 2655 * @act: the action being taken 2656 * 2657 * Check an IPv6 access 2658 */ 2659 static int smk_ipv6_check(struct smack_known *subject, 2660 struct smack_known *object, 2661 struct sockaddr_in6 *address, int act) 2662 { 2663 #ifdef CONFIG_AUDIT 2664 struct lsm_network_audit net; 2665 #endif 2666 struct smk_audit_info ad; 2667 int rc; 2668 2669 #ifdef CONFIG_AUDIT 2670 smk_ad_init_net(&ad, __func__, LSM_AUDIT_DATA_NET, &net); 2671 ad.a.u.net->family = PF_INET6; 2672 ad.a.u.net->dport = address->sin6_port; 2673 if (act == SMK_RECEIVING) 2674 ad.a.u.net->v6info.saddr = address->sin6_addr; 2675 else 2676 ad.a.u.net->v6info.daddr = address->sin6_addr; 2677 #endif 2678 rc = smk_access(subject, object, MAY_WRITE, &ad); 2679 rc = smk_bu_note("IPv6 check", subject, object, MAY_WRITE, rc); 2680 return rc; 2681 } 2682 2683 #ifdef SMACK_IPV6_PORT_LABELING 2684 /** 2685 * smk_ipv6_port_label - Smack port access table management 2686 * @sock: socket 2687 * @address: address 2688 * 2689 * Create or update the port list entry 2690 */ 2691 static void smk_ipv6_port_label(struct socket *sock, struct sockaddr *address) 2692 { 2693 struct sock *sk = sock->sk; 2694 struct sockaddr_in6 *addr6; 2695 struct socket_smack *ssp = sock->sk->sk_security; 2696 struct smk_port_label *spp; 2697 unsigned short port = 0; 2698 2699 if (address == NULL) { 2700 /* 2701 * This operation is changing the Smack information 2702 * on the bound socket. Take the changes to the port 2703 * as well. 2704 */ 2705 rcu_read_lock(); 2706 list_for_each_entry_rcu(spp, &smk_ipv6_port_list, list) { 2707 if (sk != spp->smk_sock) 2708 continue; 2709 spp->smk_in = ssp->smk_in; 2710 spp->smk_out = ssp->smk_out; 2711 rcu_read_unlock(); 2712 return; 2713 } 2714 /* 2715 * A NULL address is only used for updating existing 2716 * bound entries. If there isn't one, it's OK. 2717 */ 2718 rcu_read_unlock(); 2719 return; 2720 } 2721 2722 addr6 = (struct sockaddr_in6 *)address; 2723 port = ntohs(addr6->sin6_port); 2724 /* 2725 * This is a special case that is safely ignored. 2726 */ 2727 if (port == 0) 2728 return; 2729 2730 /* 2731 * Look for an existing port list entry. 2732 * This is an indication that a port is getting reused. 2733 */ 2734 rcu_read_lock(); 2735 list_for_each_entry_rcu(spp, &smk_ipv6_port_list, list) { 2736 if (spp->smk_port != port || spp->smk_sock_type != sock->type) 2737 continue; 2738 if (spp->smk_can_reuse != 1) { 2739 rcu_read_unlock(); 2740 return; 2741 } 2742 spp->smk_port = port; 2743 spp->smk_sock = sk; 2744 spp->smk_in = ssp->smk_in; 2745 spp->smk_out = ssp->smk_out; 2746 spp->smk_can_reuse = 0; 2747 rcu_read_unlock(); 2748 return; 2749 } 2750 rcu_read_unlock(); 2751 /* 2752 * A new port entry is required. 2753 */ 2754 spp = kzalloc(sizeof(*spp), GFP_KERNEL); 2755 if (spp == NULL) 2756 return; 2757 2758 spp->smk_port = port; 2759 spp->smk_sock = sk; 2760 spp->smk_in = ssp->smk_in; 2761 spp->smk_out = ssp->smk_out; 2762 spp->smk_sock_type = sock->type; 2763 spp->smk_can_reuse = 0; 2764 2765 mutex_lock(&smack_ipv6_lock); 2766 list_add_rcu(&spp->list, &smk_ipv6_port_list); 2767 mutex_unlock(&smack_ipv6_lock); 2768 return; 2769 } 2770 2771 /** 2772 * smk_ipv6_port_check - check Smack port access 2773 * @sk: socket 2774 * @address: address 2775 * @act: the action being taken 2776 * 2777 * Create or update the port list entry 2778 */ 2779 static int smk_ipv6_port_check(struct sock *sk, struct sockaddr_in6 *address, 2780 int act) 2781 { 2782 struct smk_port_label *spp; 2783 struct socket_smack *ssp = sk->sk_security; 2784 struct smack_known *skp = NULL; 2785 unsigned short port; 2786 struct smack_known *object; 2787 2788 if (act == SMK_RECEIVING) { 2789 skp = smack_ipv6host_label(address); 2790 object = ssp->smk_in; 2791 } else { 2792 skp = ssp->smk_out; 2793 object = smack_ipv6host_label(address); 2794 } 2795 2796 /* 2797 * The other end is a single label host. 2798 */ 2799 if (skp != NULL && object != NULL) 2800 return smk_ipv6_check(skp, object, address, act); 2801 if (skp == NULL) 2802 skp = smack_net_ambient; 2803 if (object == NULL) 2804 object = smack_net_ambient; 2805 2806 /* 2807 * It's remote, so port lookup does no good. 2808 */ 2809 if (!smk_ipv6_localhost(address)) 2810 return smk_ipv6_check(skp, object, address, act); 2811 2812 /* 2813 * It's local so the send check has to have passed. 2814 */ 2815 if (act == SMK_RECEIVING) 2816 return 0; 2817 2818 port = ntohs(address->sin6_port); 2819 rcu_read_lock(); 2820 list_for_each_entry_rcu(spp, &smk_ipv6_port_list, list) { 2821 if (spp->smk_port != port || spp->smk_sock_type != sk->sk_type) 2822 continue; 2823 object = spp->smk_in; 2824 if (act == SMK_CONNECTING) 2825 ssp->smk_packet = spp->smk_out; 2826 break; 2827 } 2828 rcu_read_unlock(); 2829 2830 return smk_ipv6_check(skp, object, address, act); 2831 } 2832 #endif 2833 2834 /** 2835 * smack_inode_setsecurity - set smack xattrs 2836 * @inode: the object 2837 * @name: attribute name 2838 * @value: attribute value 2839 * @size: size of the attribute 2840 * @flags: unused 2841 * 2842 * Sets the named attribute in the appropriate blob 2843 * 2844 * Returns 0 on success, or an error code 2845 */ 2846 static int smack_inode_setsecurity(struct inode *inode, const char *name, 2847 const void *value, size_t size, int flags) 2848 { 2849 struct smack_known *skp; 2850 struct inode_smack *nsp = smack_inode(inode); 2851 struct socket_smack *ssp; 2852 struct socket *sock; 2853 int rc = 0; 2854 2855 if (value == NULL || size > SMK_LONGLABEL || size == 0) 2856 return -EINVAL; 2857 2858 skp = smk_import_entry(value, size); 2859 if (IS_ERR(skp)) 2860 return PTR_ERR(skp); 2861 2862 if (strcmp(name, XATTR_SMACK_SUFFIX) == 0) { 2863 nsp->smk_inode = skp; 2864 nsp->smk_flags |= SMK_INODE_INSTANT; 2865 return 0; 2866 } 2867 /* 2868 * The rest of the Smack xattrs are only on sockets. 2869 */ 2870 if (inode->i_sb->s_magic != SOCKFS_MAGIC) 2871 return -EOPNOTSUPP; 2872 2873 sock = SOCKET_I(inode); 2874 if (sock == NULL || sock->sk == NULL) 2875 return -EOPNOTSUPP; 2876 2877 ssp = sock->sk->sk_security; 2878 2879 if (strcmp(name, XATTR_SMACK_IPIN) == 0) 2880 ssp->smk_in = skp; 2881 else if (strcmp(name, XATTR_SMACK_IPOUT) == 0) { 2882 ssp->smk_out = skp; 2883 if (sock->sk->sk_family == PF_INET) { 2884 rc = smack_netlbl_add(sock->sk); 2885 if (rc != 0) 2886 printk(KERN_WARNING 2887 "Smack: \"%s\" netlbl error %d.\n", 2888 __func__, -rc); 2889 } 2890 } else 2891 return -EOPNOTSUPP; 2892 2893 #ifdef SMACK_IPV6_PORT_LABELING 2894 if (sock->sk->sk_family == PF_INET6) 2895 smk_ipv6_port_label(sock, NULL); 2896 #endif 2897 2898 return 0; 2899 } 2900 2901 /** 2902 * smack_socket_post_create - finish socket setup 2903 * @sock: the socket 2904 * @family: protocol family 2905 * @type: unused 2906 * @protocol: unused 2907 * @kern: unused 2908 * 2909 * Sets the netlabel information on the socket 2910 * 2911 * Returns 0 on success, and error code otherwise 2912 */ 2913 static int smack_socket_post_create(struct socket *sock, int family, 2914 int type, int protocol, int kern) 2915 { 2916 struct socket_smack *ssp; 2917 2918 if (sock->sk == NULL) 2919 return 0; 2920 2921 /* 2922 * Sockets created by kernel threads receive web label. 2923 */ 2924 if (unlikely(current->flags & PF_KTHREAD)) { 2925 ssp = sock->sk->sk_security; 2926 ssp->smk_in = &smack_known_web; 2927 ssp->smk_out = &smack_known_web; 2928 } 2929 2930 if (family != PF_INET) 2931 return 0; 2932 /* 2933 * Set the outbound netlbl. 2934 */ 2935 return smack_netlbl_add(sock->sk); 2936 } 2937 2938 /** 2939 * smack_socket_socketpair - create socket pair 2940 * @socka: one socket 2941 * @sockb: another socket 2942 * 2943 * Cross reference the peer labels for SO_PEERSEC 2944 * 2945 * Returns 0 2946 */ 2947 static int smack_socket_socketpair(struct socket *socka, 2948 struct socket *sockb) 2949 { 2950 struct socket_smack *asp = socka->sk->sk_security; 2951 struct socket_smack *bsp = sockb->sk->sk_security; 2952 2953 asp->smk_packet = bsp->smk_out; 2954 bsp->smk_packet = asp->smk_out; 2955 2956 return 0; 2957 } 2958 2959 #ifdef SMACK_IPV6_PORT_LABELING 2960 /** 2961 * smack_socket_bind - record port binding information. 2962 * @sock: the socket 2963 * @address: the port address 2964 * @addrlen: size of the address 2965 * 2966 * Records the label bound to a port. 2967 * 2968 * Returns 0 on success, and error code otherwise 2969 */ 2970 static int smack_socket_bind(struct socket *sock, struct sockaddr *address, 2971 int addrlen) 2972 { 2973 if (sock->sk != NULL && sock->sk->sk_family == PF_INET6) { 2974 if (addrlen < SIN6_LEN_RFC2133 || 2975 address->sa_family != AF_INET6) 2976 return -EINVAL; 2977 smk_ipv6_port_label(sock, address); 2978 } 2979 return 0; 2980 } 2981 #endif /* SMACK_IPV6_PORT_LABELING */ 2982 2983 /** 2984 * smack_socket_connect - connect access check 2985 * @sock: the socket 2986 * @sap: the other end 2987 * @addrlen: size of sap 2988 * 2989 * Verifies that a connection may be possible 2990 * 2991 * Returns 0 on success, and error code otherwise 2992 */ 2993 static int smack_socket_connect(struct socket *sock, struct sockaddr *sap, 2994 int addrlen) 2995 { 2996 int rc = 0; 2997 2998 if (sock->sk == NULL) 2999 return 0; 3000 if (sock->sk->sk_family != PF_INET && 3001 (!IS_ENABLED(CONFIG_IPV6) || sock->sk->sk_family != PF_INET6)) 3002 return 0; 3003 if (addrlen < offsetofend(struct sockaddr, sa_family)) 3004 return 0; 3005 if (IS_ENABLED(CONFIG_IPV6) && sap->sa_family == AF_INET6) { 3006 struct sockaddr_in6 *sip = (struct sockaddr_in6 *)sap; 3007 struct smack_known *rsp = NULL; 3008 3009 if (addrlen < SIN6_LEN_RFC2133) 3010 return 0; 3011 if (__is_defined(SMACK_IPV6_SECMARK_LABELING)) 3012 rsp = smack_ipv6host_label(sip); 3013 if (rsp != NULL) { 3014 struct socket_smack *ssp = sock->sk->sk_security; 3015 3016 rc = smk_ipv6_check(ssp->smk_out, rsp, sip, 3017 SMK_CONNECTING); 3018 } 3019 #ifdef SMACK_IPV6_PORT_LABELING 3020 rc = smk_ipv6_port_check(sock->sk, sip, SMK_CONNECTING); 3021 #endif 3022 3023 return rc; 3024 } 3025 if (sap->sa_family != AF_INET || addrlen < sizeof(struct sockaddr_in)) 3026 return 0; 3027 rc = smk_ipv4_check(sock->sk, (struct sockaddr_in *)sap); 3028 return rc; 3029 } 3030 3031 /** 3032 * smack_flags_to_may - convert S_ to MAY_ values 3033 * @flags: the S_ value 3034 * 3035 * Returns the equivalent MAY_ value 3036 */ 3037 static int smack_flags_to_may(int flags) 3038 { 3039 int may = 0; 3040 3041 if (flags & S_IRUGO) 3042 may |= MAY_READ; 3043 if (flags & S_IWUGO) 3044 may |= MAY_WRITE; 3045 if (flags & S_IXUGO) 3046 may |= MAY_EXEC; 3047 3048 return may; 3049 } 3050 3051 /** 3052 * smack_msg_msg_alloc_security - Set the security blob for msg_msg 3053 * @msg: the object 3054 * 3055 * Returns 0 3056 */ 3057 static int smack_msg_msg_alloc_security(struct msg_msg *msg) 3058 { 3059 struct smack_known **blob = smack_msg_msg(msg); 3060 3061 *blob = smk_of_current(); 3062 return 0; 3063 } 3064 3065 /** 3066 * smack_of_ipc - the smack pointer for the ipc 3067 * @isp: the object 3068 * 3069 * Returns a pointer to the smack value 3070 */ 3071 static struct smack_known *smack_of_ipc(struct kern_ipc_perm *isp) 3072 { 3073 struct smack_known **blob = smack_ipc(isp); 3074 3075 return *blob; 3076 } 3077 3078 /** 3079 * smack_ipc_alloc_security - Set the security blob for ipc 3080 * @isp: the object 3081 * 3082 * Returns 0 3083 */ 3084 static int smack_ipc_alloc_security(struct kern_ipc_perm *isp) 3085 { 3086 struct smack_known **blob = smack_ipc(isp); 3087 3088 *blob = smk_of_current(); 3089 return 0; 3090 } 3091 3092 /** 3093 * smk_curacc_shm : check if current has access on shm 3094 * @isp : the object 3095 * @access : access requested 3096 * 3097 * Returns 0 if current has the requested access, error code otherwise 3098 */ 3099 static int smk_curacc_shm(struct kern_ipc_perm *isp, int access) 3100 { 3101 struct smack_known *ssp = smack_of_ipc(isp); 3102 struct smk_audit_info ad; 3103 int rc; 3104 3105 #ifdef CONFIG_AUDIT 3106 smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_IPC); 3107 ad.a.u.ipc_id = isp->id; 3108 #endif 3109 rc = smk_curacc(ssp, access, &ad); 3110 rc = smk_bu_current("shm", ssp, access, rc); 3111 return rc; 3112 } 3113 3114 /** 3115 * smack_shm_associate - Smack access check for shm 3116 * @isp: the object 3117 * @shmflg: access requested 3118 * 3119 * Returns 0 if current has the requested access, error code otherwise 3120 */ 3121 static int smack_shm_associate(struct kern_ipc_perm *isp, int shmflg) 3122 { 3123 int may; 3124 3125 may = smack_flags_to_may(shmflg); 3126 return smk_curacc_shm(isp, may); 3127 } 3128 3129 /** 3130 * smack_shm_shmctl - Smack access check for shm 3131 * @isp: the object 3132 * @cmd: what it wants to do 3133 * 3134 * Returns 0 if current has the requested access, error code otherwise 3135 */ 3136 static int smack_shm_shmctl(struct kern_ipc_perm *isp, int cmd) 3137 { 3138 int may; 3139 3140 switch (cmd) { 3141 case IPC_STAT: 3142 case SHM_STAT: 3143 case SHM_STAT_ANY: 3144 may = MAY_READ; 3145 break; 3146 case IPC_SET: 3147 case SHM_LOCK: 3148 case SHM_UNLOCK: 3149 case IPC_RMID: 3150 may = MAY_READWRITE; 3151 break; 3152 case IPC_INFO: 3153 case SHM_INFO: 3154 /* 3155 * System level information. 3156 */ 3157 return 0; 3158 default: 3159 return -EINVAL; 3160 } 3161 return smk_curacc_shm(isp, may); 3162 } 3163 3164 /** 3165 * smack_shm_shmat - Smack access for shmat 3166 * @isp: the object 3167 * @shmaddr: unused 3168 * @shmflg: access requested 3169 * 3170 * Returns 0 if current has the requested access, error code otherwise 3171 */ 3172 static int smack_shm_shmat(struct kern_ipc_perm *isp, char __user *shmaddr, 3173 int shmflg) 3174 { 3175 int may; 3176 3177 may = smack_flags_to_may(shmflg); 3178 return smk_curacc_shm(isp, may); 3179 } 3180 3181 /** 3182 * smk_curacc_sem : check if current has access on sem 3183 * @isp : the object 3184 * @access : access requested 3185 * 3186 * Returns 0 if current has the requested access, error code otherwise 3187 */ 3188 static int smk_curacc_sem(struct kern_ipc_perm *isp, int access) 3189 { 3190 struct smack_known *ssp = smack_of_ipc(isp); 3191 struct smk_audit_info ad; 3192 int rc; 3193 3194 #ifdef CONFIG_AUDIT 3195 smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_IPC); 3196 ad.a.u.ipc_id = isp->id; 3197 #endif 3198 rc = smk_curacc(ssp, access, &ad); 3199 rc = smk_bu_current("sem", ssp, access, rc); 3200 return rc; 3201 } 3202 3203 /** 3204 * smack_sem_associate - Smack access check for sem 3205 * @isp: the object 3206 * @semflg: access requested 3207 * 3208 * Returns 0 if current has the requested access, error code otherwise 3209 */ 3210 static int smack_sem_associate(struct kern_ipc_perm *isp, int semflg) 3211 { 3212 int may; 3213 3214 may = smack_flags_to_may(semflg); 3215 return smk_curacc_sem(isp, may); 3216 } 3217 3218 /** 3219 * smack_sem_semctl - Smack access check for sem 3220 * @isp: the object 3221 * @cmd: what it wants to do 3222 * 3223 * Returns 0 if current has the requested access, error code otherwise 3224 */ 3225 static int smack_sem_semctl(struct kern_ipc_perm *isp, int cmd) 3226 { 3227 int may; 3228 3229 switch (cmd) { 3230 case GETPID: 3231 case GETNCNT: 3232 case GETZCNT: 3233 case GETVAL: 3234 case GETALL: 3235 case IPC_STAT: 3236 case SEM_STAT: 3237 case SEM_STAT_ANY: 3238 may = MAY_READ; 3239 break; 3240 case SETVAL: 3241 case SETALL: 3242 case IPC_RMID: 3243 case IPC_SET: 3244 may = MAY_READWRITE; 3245 break; 3246 case IPC_INFO: 3247 case SEM_INFO: 3248 /* 3249 * System level information 3250 */ 3251 return 0; 3252 default: 3253 return -EINVAL; 3254 } 3255 3256 return smk_curacc_sem(isp, may); 3257 } 3258 3259 /** 3260 * smack_sem_semop - Smack checks of semaphore operations 3261 * @isp: the object 3262 * @sops: unused 3263 * @nsops: unused 3264 * @alter: unused 3265 * 3266 * Treated as read and write in all cases. 3267 * 3268 * Returns 0 if access is allowed, error code otherwise 3269 */ 3270 static int smack_sem_semop(struct kern_ipc_perm *isp, struct sembuf *sops, 3271 unsigned nsops, int alter) 3272 { 3273 return smk_curacc_sem(isp, MAY_READWRITE); 3274 } 3275 3276 /** 3277 * smk_curacc_msq : helper to check if current has access on msq 3278 * @isp : the msq 3279 * @access : access requested 3280 * 3281 * return 0 if current has access, error otherwise 3282 */ 3283 static int smk_curacc_msq(struct kern_ipc_perm *isp, int access) 3284 { 3285 struct smack_known *msp = smack_of_ipc(isp); 3286 struct smk_audit_info ad; 3287 int rc; 3288 3289 #ifdef CONFIG_AUDIT 3290 smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_IPC); 3291 ad.a.u.ipc_id = isp->id; 3292 #endif 3293 rc = smk_curacc(msp, access, &ad); 3294 rc = smk_bu_current("msq", msp, access, rc); 3295 return rc; 3296 } 3297 3298 /** 3299 * smack_msg_queue_associate - Smack access check for msg_queue 3300 * @isp: the object 3301 * @msqflg: access requested 3302 * 3303 * Returns 0 if current has the requested access, error code otherwise 3304 */ 3305 static int smack_msg_queue_associate(struct kern_ipc_perm *isp, int msqflg) 3306 { 3307 int may; 3308 3309 may = smack_flags_to_may(msqflg); 3310 return smk_curacc_msq(isp, may); 3311 } 3312 3313 /** 3314 * smack_msg_queue_msgctl - Smack access check for msg_queue 3315 * @isp: the object 3316 * @cmd: what it wants to do 3317 * 3318 * Returns 0 if current has the requested access, error code otherwise 3319 */ 3320 static int smack_msg_queue_msgctl(struct kern_ipc_perm *isp, int cmd) 3321 { 3322 int may; 3323 3324 switch (cmd) { 3325 case IPC_STAT: 3326 case MSG_STAT: 3327 case MSG_STAT_ANY: 3328 may = MAY_READ; 3329 break; 3330 case IPC_SET: 3331 case IPC_RMID: 3332 may = MAY_READWRITE; 3333 break; 3334 case IPC_INFO: 3335 case MSG_INFO: 3336 /* 3337 * System level information 3338 */ 3339 return 0; 3340 default: 3341 return -EINVAL; 3342 } 3343 3344 return smk_curacc_msq(isp, may); 3345 } 3346 3347 /** 3348 * smack_msg_queue_msgsnd - Smack access check for msg_queue 3349 * @isp: the object 3350 * @msg: unused 3351 * @msqflg: access requested 3352 * 3353 * Returns 0 if current has the requested access, error code otherwise 3354 */ 3355 static int smack_msg_queue_msgsnd(struct kern_ipc_perm *isp, struct msg_msg *msg, 3356 int msqflg) 3357 { 3358 int may; 3359 3360 may = smack_flags_to_may(msqflg); 3361 return smk_curacc_msq(isp, may); 3362 } 3363 3364 /** 3365 * smack_msg_queue_msgrcv - Smack access check for msg_queue 3366 * @isp: the object 3367 * @msg: unused 3368 * @target: unused 3369 * @type: unused 3370 * @mode: unused 3371 * 3372 * Returns 0 if current has read and write access, error code otherwise 3373 */ 3374 static int smack_msg_queue_msgrcv(struct kern_ipc_perm *isp, 3375 struct msg_msg *msg, 3376 struct task_struct *target, long type, 3377 int mode) 3378 { 3379 return smk_curacc_msq(isp, MAY_READWRITE); 3380 } 3381 3382 /** 3383 * smack_ipc_permission - Smack access for ipc_permission() 3384 * @ipp: the object permissions 3385 * @flag: access requested 3386 * 3387 * Returns 0 if current has read and write access, error code otherwise 3388 */ 3389 static int smack_ipc_permission(struct kern_ipc_perm *ipp, short flag) 3390 { 3391 struct smack_known **blob = smack_ipc(ipp); 3392 struct smack_known *iskp = *blob; 3393 int may = smack_flags_to_may(flag); 3394 struct smk_audit_info ad; 3395 int rc; 3396 3397 #ifdef CONFIG_AUDIT 3398 smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_IPC); 3399 ad.a.u.ipc_id = ipp->id; 3400 #endif 3401 rc = smk_curacc(iskp, may, &ad); 3402 rc = smk_bu_current("svipc", iskp, may, rc); 3403 return rc; 3404 } 3405 3406 /** 3407 * smack_ipc_getsecid - Extract smack security id 3408 * @ipp: the object permissions 3409 * @secid: where result will be saved 3410 */ 3411 static void smack_ipc_getsecid(struct kern_ipc_perm *ipp, u32 *secid) 3412 { 3413 struct smack_known **blob = smack_ipc(ipp); 3414 struct smack_known *iskp = *blob; 3415 3416 *secid = iskp->smk_secid; 3417 } 3418 3419 /** 3420 * smack_d_instantiate - Make sure the blob is correct on an inode 3421 * @opt_dentry: dentry where inode will be attached 3422 * @inode: the object 3423 * 3424 * Set the inode's security blob if it hasn't been done already. 3425 */ 3426 static void smack_d_instantiate(struct dentry *opt_dentry, struct inode *inode) 3427 { 3428 struct super_block *sbp; 3429 struct superblock_smack *sbsp; 3430 struct inode_smack *isp; 3431 struct smack_known *skp; 3432 struct smack_known *ckp = smk_of_current(); 3433 struct smack_known *final; 3434 char trattr[TRANS_TRUE_SIZE]; 3435 int transflag = 0; 3436 int rc; 3437 struct dentry *dp; 3438 3439 if (inode == NULL) 3440 return; 3441 3442 isp = smack_inode(inode); 3443 3444 /* 3445 * If the inode is already instantiated 3446 * take the quick way out 3447 */ 3448 if (isp->smk_flags & SMK_INODE_INSTANT) 3449 return; 3450 3451 sbp = inode->i_sb; 3452 sbsp = smack_superblock(sbp); 3453 /* 3454 * We're going to use the superblock default label 3455 * if there's no label on the file. 3456 */ 3457 final = sbsp->smk_default; 3458 3459 /* 3460 * If this is the root inode the superblock 3461 * may be in the process of initialization. 3462 * If that is the case use the root value out 3463 * of the superblock. 3464 */ 3465 if (opt_dentry->d_parent == opt_dentry) { 3466 switch (sbp->s_magic) { 3467 case CGROUP_SUPER_MAGIC: 3468 case CGROUP2_SUPER_MAGIC: 3469 /* 3470 * The cgroup filesystem is never mounted, 3471 * so there's no opportunity to set the mount 3472 * options. 3473 */ 3474 sbsp->smk_root = &smack_known_star; 3475 sbsp->smk_default = &smack_known_star; 3476 isp->smk_inode = sbsp->smk_root; 3477 break; 3478 case TMPFS_MAGIC: 3479 /* 3480 * What about shmem/tmpfs anonymous files with dentry 3481 * obtained from d_alloc_pseudo()? 3482 */ 3483 isp->smk_inode = smk_of_current(); 3484 break; 3485 case PIPEFS_MAGIC: 3486 isp->smk_inode = smk_of_current(); 3487 break; 3488 case SOCKFS_MAGIC: 3489 /* 3490 * Socket access is controlled by the socket 3491 * structures associated with the task involved. 3492 */ 3493 isp->smk_inode = &smack_known_star; 3494 break; 3495 default: 3496 isp->smk_inode = sbsp->smk_root; 3497 break; 3498 } 3499 isp->smk_flags |= SMK_INODE_INSTANT; 3500 return; 3501 } 3502 3503 /* 3504 * This is pretty hackish. 3505 * Casey says that we shouldn't have to do 3506 * file system specific code, but it does help 3507 * with keeping it simple. 3508 */ 3509 switch (sbp->s_magic) { 3510 case SMACK_MAGIC: 3511 case CGROUP_SUPER_MAGIC: 3512 case CGROUP2_SUPER_MAGIC: 3513 /* 3514 * Casey says that it's a little embarrassing 3515 * that the smack file system doesn't do 3516 * extended attributes. 3517 * 3518 * Cgroupfs is special 3519 */ 3520 final = &smack_known_star; 3521 break; 3522 case DEVPTS_SUPER_MAGIC: 3523 /* 3524 * devpts seems content with the label of the task. 3525 * Programs that change smack have to treat the 3526 * pty with respect. 3527 */ 3528 final = ckp; 3529 break; 3530 case PROC_SUPER_MAGIC: 3531 /* 3532 * Casey says procfs appears not to care. 3533 * The superblock default suffices. 3534 */ 3535 break; 3536 case TMPFS_MAGIC: 3537 /* 3538 * Device labels should come from the filesystem, 3539 * but watch out, because they're volitile, 3540 * getting recreated on every reboot. 3541 */ 3542 final = &smack_known_star; 3543 /* 3544 * If a smack value has been set we want to use it, 3545 * but since tmpfs isn't giving us the opportunity 3546 * to set mount options simulate setting the 3547 * superblock default. 3548 */ 3549 fallthrough; 3550 default: 3551 /* 3552 * This isn't an understood special case. 3553 * Get the value from the xattr. 3554 */ 3555 3556 /* 3557 * UNIX domain sockets use lower level socket data. 3558 */ 3559 if (S_ISSOCK(inode->i_mode)) { 3560 final = &smack_known_star; 3561 break; 3562 } 3563 /* 3564 * No xattr support means, alas, no SMACK label. 3565 * Use the aforeapplied default. 3566 * It would be curious if the label of the task 3567 * does not match that assigned. 3568 */ 3569 if (!(inode->i_opflags & IOP_XATTR)) 3570 break; 3571 /* 3572 * Get the dentry for xattr. 3573 */ 3574 dp = dget(opt_dentry); 3575 skp = smk_fetch(XATTR_NAME_SMACK, inode, dp); 3576 if (!IS_ERR_OR_NULL(skp)) 3577 final = skp; 3578 3579 /* 3580 * Transmuting directory 3581 */ 3582 if (S_ISDIR(inode->i_mode)) { 3583 /* 3584 * If this is a new directory and the label was 3585 * transmuted when the inode was initialized 3586 * set the transmute attribute on the directory 3587 * and mark the inode. 3588 * 3589 * If there is a transmute attribute on the 3590 * directory mark the inode. 3591 */ 3592 rc = __vfs_getxattr(dp, inode, 3593 XATTR_NAME_SMACKTRANSMUTE, trattr, 3594 TRANS_TRUE_SIZE); 3595 if (rc >= 0 && strncmp(trattr, TRANS_TRUE, 3596 TRANS_TRUE_SIZE) != 0) 3597 rc = -EINVAL; 3598 if (rc >= 0) 3599 transflag = SMK_INODE_TRANSMUTE; 3600 } 3601 /* 3602 * Don't let the exec or mmap label be "*" or "@". 3603 */ 3604 skp = smk_fetch(XATTR_NAME_SMACKEXEC, inode, dp); 3605 if (IS_ERR(skp) || skp == &smack_known_star || 3606 skp == &smack_known_web) 3607 skp = NULL; 3608 isp->smk_task = skp; 3609 3610 skp = smk_fetch(XATTR_NAME_SMACKMMAP, inode, dp); 3611 if (IS_ERR(skp) || skp == &smack_known_star || 3612 skp == &smack_known_web) 3613 skp = NULL; 3614 isp->smk_mmap = skp; 3615 3616 dput(dp); 3617 break; 3618 } 3619 3620 if (final == NULL) 3621 isp->smk_inode = ckp; 3622 else 3623 isp->smk_inode = final; 3624 3625 isp->smk_flags |= (SMK_INODE_INSTANT | transflag); 3626 3627 return; 3628 } 3629 3630 /** 3631 * smack_getselfattr - Smack current process attribute 3632 * @attr: which attribute to fetch 3633 * @ctx: buffer to receive the result 3634 * @size: available size in, actual size out 3635 * @flags: unused 3636 * 3637 * Fill the passed user space @ctx with the details of the requested 3638 * attribute. 3639 * 3640 * Returns the number of attributes on success, an error code otherwise. 3641 * There will only ever be one attribute. 3642 */ 3643 static int smack_getselfattr(unsigned int attr, struct lsm_ctx __user *ctx, 3644 size_t *size, u32 flags) 3645 { 3646 int rc; 3647 struct smack_known *skp; 3648 3649 if (attr != LSM_ATTR_CURRENT) 3650 return -EOPNOTSUPP; 3651 3652 skp = smk_of_current(); 3653 rc = lsm_fill_user_ctx(ctx, size, 3654 skp->smk_known, strlen(skp->smk_known) + 1, 3655 LSM_ID_SMACK, 0); 3656 return (!rc ? 1 : rc); 3657 } 3658 3659 /** 3660 * smack_getprocattr - Smack process attribute access 3661 * @p: the object task 3662 * @name: the name of the attribute in /proc/.../attr 3663 * @value: where to put the result 3664 * 3665 * Places a copy of the task Smack into value 3666 * 3667 * Returns the length of the smack label or an error code 3668 */ 3669 static int smack_getprocattr(struct task_struct *p, const char *name, char **value) 3670 { 3671 struct smack_known *skp = smk_of_task_struct_obj(p); 3672 char *cp; 3673 int slen; 3674 3675 if (strcmp(name, "current") != 0) 3676 return -EINVAL; 3677 3678 cp = kstrdup(skp->smk_known, GFP_KERNEL); 3679 if (cp == NULL) 3680 return -ENOMEM; 3681 3682 slen = strlen(cp); 3683 *value = cp; 3684 return slen; 3685 } 3686 3687 /** 3688 * do_setattr - Smack process attribute setting 3689 * @attr: the ID of the attribute 3690 * @value: the value to set 3691 * @size: the size of the value 3692 * 3693 * Sets the Smack value of the task. Only setting self 3694 * is permitted and only with privilege 3695 * 3696 * Returns the length of the smack label or an error code 3697 */ 3698 static int do_setattr(u64 attr, void *value, size_t size) 3699 { 3700 struct task_smack *tsp = smack_cred(current_cred()); 3701 struct cred *new; 3702 struct smack_known *skp; 3703 struct smack_known_list_elem *sklep; 3704 int rc; 3705 3706 if (!smack_privileged(CAP_MAC_ADMIN) && list_empty(&tsp->smk_relabel)) 3707 return -EPERM; 3708 3709 if (value == NULL || size == 0 || size >= SMK_LONGLABEL) 3710 return -EINVAL; 3711 3712 if (attr != LSM_ATTR_CURRENT) 3713 return -EOPNOTSUPP; 3714 3715 skp = smk_import_entry(value, size); 3716 if (IS_ERR(skp)) 3717 return PTR_ERR(skp); 3718 3719 /* 3720 * No process is ever allowed the web ("@") label 3721 * and the star ("*") label. 3722 */ 3723 if (skp == &smack_known_web || skp == &smack_known_star) 3724 return -EINVAL; 3725 3726 if (!smack_privileged(CAP_MAC_ADMIN)) { 3727 rc = -EPERM; 3728 list_for_each_entry(sklep, &tsp->smk_relabel, list) 3729 if (sklep->smk_label == skp) { 3730 rc = 0; 3731 break; 3732 } 3733 if (rc) 3734 return rc; 3735 } 3736 3737 new = prepare_creds(); 3738 if (new == NULL) 3739 return -ENOMEM; 3740 3741 tsp = smack_cred(new); 3742 tsp->smk_task = skp; 3743 /* 3744 * process can change its label only once 3745 */ 3746 smk_destroy_label_list(&tsp->smk_relabel); 3747 3748 commit_creds(new); 3749 return size; 3750 } 3751 3752 /** 3753 * smack_setselfattr - Set a Smack process attribute 3754 * @attr: which attribute to set 3755 * @ctx: buffer containing the data 3756 * @size: size of @ctx 3757 * @flags: unused 3758 * 3759 * Fill the passed user space @ctx with the details of the requested 3760 * attribute. 3761 * 3762 * Returns 0 on success, an error code otherwise. 3763 */ 3764 static int smack_setselfattr(unsigned int attr, struct lsm_ctx *ctx, 3765 size_t size, u32 flags) 3766 { 3767 int rc; 3768 3769 rc = do_setattr(attr, ctx->ctx, ctx->ctx_len); 3770 if (rc > 0) 3771 return 0; 3772 return rc; 3773 } 3774 3775 /** 3776 * smack_setprocattr - Smack process attribute setting 3777 * @name: the name of the attribute in /proc/.../attr 3778 * @value: the value to set 3779 * @size: the size of the value 3780 * 3781 * Sets the Smack value of the task. Only setting self 3782 * is permitted and only with privilege 3783 * 3784 * Returns the length of the smack label or an error code 3785 */ 3786 static int smack_setprocattr(const char *name, void *value, size_t size) 3787 { 3788 int attr = lsm_name_to_attr(name); 3789 3790 if (attr != LSM_ATTR_UNDEF) 3791 return do_setattr(attr, value, size); 3792 return -EINVAL; 3793 } 3794 3795 /** 3796 * smack_unix_stream_connect - Smack access on UDS 3797 * @sock: one sock 3798 * @other: the other sock 3799 * @newsk: unused 3800 * 3801 * Return 0 if a subject with the smack of sock could access 3802 * an object with the smack of other, otherwise an error code 3803 */ 3804 static int smack_unix_stream_connect(struct sock *sock, 3805 struct sock *other, struct sock *newsk) 3806 { 3807 struct smack_known *skp; 3808 struct smack_known *okp; 3809 struct socket_smack *ssp = sock->sk_security; 3810 struct socket_smack *osp = other->sk_security; 3811 struct socket_smack *nsp = newsk->sk_security; 3812 struct smk_audit_info ad; 3813 int rc = 0; 3814 #ifdef CONFIG_AUDIT 3815 struct lsm_network_audit net; 3816 #endif 3817 3818 if (!smack_privileged(CAP_MAC_OVERRIDE)) { 3819 skp = ssp->smk_out; 3820 okp = osp->smk_in; 3821 #ifdef CONFIG_AUDIT 3822 smk_ad_init_net(&ad, __func__, LSM_AUDIT_DATA_NET, &net); 3823 smk_ad_setfield_u_net_sk(&ad, other); 3824 #endif 3825 rc = smk_access(skp, okp, MAY_WRITE, &ad); 3826 rc = smk_bu_note("UDS connect", skp, okp, MAY_WRITE, rc); 3827 if (rc == 0) { 3828 okp = osp->smk_out; 3829 skp = ssp->smk_in; 3830 rc = smk_access(okp, skp, MAY_WRITE, &ad); 3831 rc = smk_bu_note("UDS connect", okp, skp, 3832 MAY_WRITE, rc); 3833 } 3834 } 3835 3836 /* 3837 * Cross reference the peer labels for SO_PEERSEC. 3838 */ 3839 if (rc == 0) { 3840 nsp->smk_packet = ssp->smk_out; 3841 ssp->smk_packet = osp->smk_out; 3842 } 3843 3844 return rc; 3845 } 3846 3847 /** 3848 * smack_unix_may_send - Smack access on UDS 3849 * @sock: one socket 3850 * @other: the other socket 3851 * 3852 * Return 0 if a subject with the smack of sock could access 3853 * an object with the smack of other, otherwise an error code 3854 */ 3855 static int smack_unix_may_send(struct socket *sock, struct socket *other) 3856 { 3857 struct socket_smack *ssp = sock->sk->sk_security; 3858 struct socket_smack *osp = other->sk->sk_security; 3859 struct smk_audit_info ad; 3860 int rc; 3861 3862 #ifdef CONFIG_AUDIT 3863 struct lsm_network_audit net; 3864 3865 smk_ad_init_net(&ad, __func__, LSM_AUDIT_DATA_NET, &net); 3866 smk_ad_setfield_u_net_sk(&ad, other->sk); 3867 #endif 3868 3869 if (smack_privileged(CAP_MAC_OVERRIDE)) 3870 return 0; 3871 3872 rc = smk_access(ssp->smk_out, osp->smk_in, MAY_WRITE, &ad); 3873 rc = smk_bu_note("UDS send", ssp->smk_out, osp->smk_in, MAY_WRITE, rc); 3874 return rc; 3875 } 3876 3877 /** 3878 * smack_socket_sendmsg - Smack check based on destination host 3879 * @sock: the socket 3880 * @msg: the message 3881 * @size: the size of the message 3882 * 3883 * Return 0 if the current subject can write to the destination host. 3884 * For IPv4 this is only a question if the destination is a single label host. 3885 * For IPv6 this is a check against the label of the port. 3886 */ 3887 static int smack_socket_sendmsg(struct socket *sock, struct msghdr *msg, 3888 int size) 3889 { 3890 struct sockaddr_in *sip = (struct sockaddr_in *) msg->msg_name; 3891 #if IS_ENABLED(CONFIG_IPV6) 3892 struct sockaddr_in6 *sap = (struct sockaddr_in6 *) msg->msg_name; 3893 #endif 3894 #ifdef SMACK_IPV6_SECMARK_LABELING 3895 struct socket_smack *ssp = sock->sk->sk_security; 3896 struct smack_known *rsp; 3897 #endif 3898 int rc = 0; 3899 3900 /* 3901 * Perfectly reasonable for this to be NULL 3902 */ 3903 if (sip == NULL) 3904 return 0; 3905 3906 switch (sock->sk->sk_family) { 3907 case AF_INET: 3908 if (msg->msg_namelen < sizeof(struct sockaddr_in) || 3909 sip->sin_family != AF_INET) 3910 return -EINVAL; 3911 rc = smk_ipv4_check(sock->sk, sip); 3912 break; 3913 #if IS_ENABLED(CONFIG_IPV6) 3914 case AF_INET6: 3915 if (msg->msg_namelen < SIN6_LEN_RFC2133 || 3916 sap->sin6_family != AF_INET6) 3917 return -EINVAL; 3918 #ifdef SMACK_IPV6_SECMARK_LABELING 3919 rsp = smack_ipv6host_label(sap); 3920 if (rsp != NULL) 3921 rc = smk_ipv6_check(ssp->smk_out, rsp, sap, 3922 SMK_CONNECTING); 3923 #endif 3924 #ifdef SMACK_IPV6_PORT_LABELING 3925 rc = smk_ipv6_port_check(sock->sk, sap, SMK_SENDING); 3926 #endif 3927 #endif /* IS_ENABLED(CONFIG_IPV6) */ 3928 break; 3929 } 3930 return rc; 3931 } 3932 3933 /** 3934 * smack_from_secattr - Convert a netlabel attr.mls.lvl/attr.mls.cat pair to smack 3935 * @sap: netlabel secattr 3936 * @ssp: socket security information 3937 * 3938 * Returns a pointer to a Smack label entry found on the label list. 3939 */ 3940 static struct smack_known *smack_from_secattr(struct netlbl_lsm_secattr *sap, 3941 struct socket_smack *ssp) 3942 { 3943 struct smack_known *skp; 3944 int found = 0; 3945 int acat; 3946 int kcat; 3947 3948 /* 3949 * Netlabel found it in the cache. 3950 */ 3951 if ((sap->flags & NETLBL_SECATTR_CACHE) != 0) 3952 return (struct smack_known *)sap->cache->data; 3953 3954 if ((sap->flags & NETLBL_SECATTR_SECID) != 0) 3955 /* 3956 * Looks like a fallback, which gives us a secid. 3957 */ 3958 return smack_from_secid(sap->attr.secid); 3959 3960 if ((sap->flags & NETLBL_SECATTR_MLS_LVL) != 0) { 3961 /* 3962 * Looks like a CIPSO packet. 3963 * If there are flags but no level netlabel isn't 3964 * behaving the way we expect it to. 3965 * 3966 * Look it up in the label table 3967 * Without guidance regarding the smack value 3968 * for the packet fall back on the network 3969 * ambient value. 3970 */ 3971 rcu_read_lock(); 3972 list_for_each_entry_rcu(skp, &smack_known_list, list) { 3973 if (sap->attr.mls.lvl != skp->smk_netlabel.attr.mls.lvl) 3974 continue; 3975 /* 3976 * Compare the catsets. Use the netlbl APIs. 3977 */ 3978 if ((sap->flags & NETLBL_SECATTR_MLS_CAT) == 0) { 3979 if ((skp->smk_netlabel.flags & 3980 NETLBL_SECATTR_MLS_CAT) == 0) 3981 found = 1; 3982 break; 3983 } 3984 for (acat = -1, kcat = -1; acat == kcat; ) { 3985 acat = netlbl_catmap_walk(sap->attr.mls.cat, 3986 acat + 1); 3987 kcat = netlbl_catmap_walk( 3988 skp->smk_netlabel.attr.mls.cat, 3989 kcat + 1); 3990 if (acat < 0 || kcat < 0) 3991 break; 3992 } 3993 if (acat == kcat) { 3994 found = 1; 3995 break; 3996 } 3997 } 3998 rcu_read_unlock(); 3999 4000 if (found) 4001 return skp; 4002 4003 if (ssp != NULL && ssp->smk_in == &smack_known_star) 4004 return &smack_known_web; 4005 return &smack_known_star; 4006 } 4007 /* 4008 * Without guidance regarding the smack value 4009 * for the packet fall back on the network 4010 * ambient value. 4011 */ 4012 return smack_net_ambient; 4013 } 4014 4015 #if IS_ENABLED(CONFIG_IPV6) 4016 static int smk_skb_to_addr_ipv6(struct sk_buff *skb, struct sockaddr_in6 *sip) 4017 { 4018 u8 nexthdr; 4019 int offset; 4020 int proto = -EINVAL; 4021 struct ipv6hdr _ipv6h; 4022 struct ipv6hdr *ip6; 4023 __be16 frag_off; 4024 struct tcphdr _tcph, *th; 4025 struct udphdr _udph, *uh; 4026 struct dccp_hdr _dccph, *dh; 4027 4028 sip->sin6_port = 0; 4029 4030 offset = skb_network_offset(skb); 4031 ip6 = skb_header_pointer(skb, offset, sizeof(_ipv6h), &_ipv6h); 4032 if (ip6 == NULL) 4033 return -EINVAL; 4034 sip->sin6_addr = ip6->saddr; 4035 4036 nexthdr = ip6->nexthdr; 4037 offset += sizeof(_ipv6h); 4038 offset = ipv6_skip_exthdr(skb, offset, &nexthdr, &frag_off); 4039 if (offset < 0) 4040 return -EINVAL; 4041 4042 proto = nexthdr; 4043 switch (proto) { 4044 case IPPROTO_TCP: 4045 th = skb_header_pointer(skb, offset, sizeof(_tcph), &_tcph); 4046 if (th != NULL) 4047 sip->sin6_port = th->source; 4048 break; 4049 case IPPROTO_UDP: 4050 case IPPROTO_UDPLITE: 4051 uh = skb_header_pointer(skb, offset, sizeof(_udph), &_udph); 4052 if (uh != NULL) 4053 sip->sin6_port = uh->source; 4054 break; 4055 case IPPROTO_DCCP: 4056 dh = skb_header_pointer(skb, offset, sizeof(_dccph), &_dccph); 4057 if (dh != NULL) 4058 sip->sin6_port = dh->dccph_sport; 4059 break; 4060 } 4061 return proto; 4062 } 4063 #endif /* CONFIG_IPV6 */ 4064 4065 /** 4066 * smack_from_skb - Smack data from the secmark in an skb 4067 * @skb: packet 4068 * 4069 * Returns smack_known of the secmark or NULL if that won't work. 4070 */ 4071 #ifdef CONFIG_NETWORK_SECMARK 4072 static struct smack_known *smack_from_skb(struct sk_buff *skb) 4073 { 4074 if (skb == NULL || skb->secmark == 0) 4075 return NULL; 4076 4077 return smack_from_secid(skb->secmark); 4078 } 4079 #else 4080 static inline struct smack_known *smack_from_skb(struct sk_buff *skb) 4081 { 4082 return NULL; 4083 } 4084 #endif 4085 4086 /** 4087 * smack_from_netlbl - Smack data from the IP options in an skb 4088 * @sk: socket data came in on 4089 * @family: address family 4090 * @skb: packet 4091 * 4092 * Find the Smack label in the IP options. If it hasn't been 4093 * added to the netlabel cache, add it here. 4094 * 4095 * Returns smack_known of the IP options or NULL if that won't work. 4096 */ 4097 static struct smack_known *smack_from_netlbl(const struct sock *sk, u16 family, 4098 struct sk_buff *skb) 4099 { 4100 struct netlbl_lsm_secattr secattr; 4101 struct socket_smack *ssp = NULL; 4102 struct smack_known *skp = NULL; 4103 4104 netlbl_secattr_init(&secattr); 4105 4106 if (sk) 4107 ssp = sk->sk_security; 4108 4109 if (netlbl_skbuff_getattr(skb, family, &secattr) == 0) { 4110 skp = smack_from_secattr(&secattr, ssp); 4111 if (secattr.flags & NETLBL_SECATTR_CACHEABLE) 4112 netlbl_cache_add(skb, family, &skp->smk_netlabel); 4113 } 4114 4115 netlbl_secattr_destroy(&secattr); 4116 4117 return skp; 4118 } 4119 4120 /** 4121 * smack_socket_sock_rcv_skb - Smack packet delivery access check 4122 * @sk: socket 4123 * @skb: packet 4124 * 4125 * Returns 0 if the packet should be delivered, an error code otherwise 4126 */ 4127 static int smack_socket_sock_rcv_skb(struct sock *sk, struct sk_buff *skb) 4128 { 4129 struct socket_smack *ssp = sk->sk_security; 4130 struct smack_known *skp = NULL; 4131 int rc = 0; 4132 struct smk_audit_info ad; 4133 u16 family = sk->sk_family; 4134 #ifdef CONFIG_AUDIT 4135 struct lsm_network_audit net; 4136 #endif 4137 #if IS_ENABLED(CONFIG_IPV6) 4138 struct sockaddr_in6 sadd; 4139 int proto; 4140 4141 if (family == PF_INET6 && skb->protocol == htons(ETH_P_IP)) 4142 family = PF_INET; 4143 #endif /* CONFIG_IPV6 */ 4144 4145 switch (family) { 4146 case PF_INET: 4147 /* 4148 * If there is a secmark use it rather than the CIPSO label. 4149 * If there is no secmark fall back to CIPSO. 4150 * The secmark is assumed to reflect policy better. 4151 */ 4152 skp = smack_from_skb(skb); 4153 if (skp == NULL) { 4154 skp = smack_from_netlbl(sk, family, skb); 4155 if (skp == NULL) 4156 skp = smack_net_ambient; 4157 } 4158 4159 #ifdef CONFIG_AUDIT 4160 smk_ad_init_net(&ad, __func__, LSM_AUDIT_DATA_NET, &net); 4161 ad.a.u.net->family = family; 4162 ad.a.u.net->netif = skb->skb_iif; 4163 ipv4_skb_to_auditdata(skb, &ad.a, NULL); 4164 #endif 4165 /* 4166 * Receiving a packet requires that the other end 4167 * be able to write here. Read access is not required. 4168 * This is the simplist possible security model 4169 * for networking. 4170 */ 4171 rc = smk_access(skp, ssp->smk_in, MAY_WRITE, &ad); 4172 rc = smk_bu_note("IPv4 delivery", skp, ssp->smk_in, 4173 MAY_WRITE, rc); 4174 if (rc != 0) 4175 netlbl_skbuff_err(skb, family, rc, 0); 4176 break; 4177 #if IS_ENABLED(CONFIG_IPV6) 4178 case PF_INET6: 4179 proto = smk_skb_to_addr_ipv6(skb, &sadd); 4180 if (proto != IPPROTO_UDP && proto != IPPROTO_UDPLITE && 4181 proto != IPPROTO_TCP && proto != IPPROTO_DCCP) 4182 break; 4183 #ifdef SMACK_IPV6_SECMARK_LABELING 4184 skp = smack_from_skb(skb); 4185 if (skp == NULL) { 4186 if (smk_ipv6_localhost(&sadd)) 4187 break; 4188 skp = smack_ipv6host_label(&sadd); 4189 if (skp == NULL) 4190 skp = smack_net_ambient; 4191 } 4192 #ifdef CONFIG_AUDIT 4193 smk_ad_init_net(&ad, __func__, LSM_AUDIT_DATA_NET, &net); 4194 ad.a.u.net->family = family; 4195 ad.a.u.net->netif = skb->skb_iif; 4196 ipv6_skb_to_auditdata(skb, &ad.a, NULL); 4197 #endif /* CONFIG_AUDIT */ 4198 rc = smk_access(skp, ssp->smk_in, MAY_WRITE, &ad); 4199 rc = smk_bu_note("IPv6 delivery", skp, ssp->smk_in, 4200 MAY_WRITE, rc); 4201 #endif /* SMACK_IPV6_SECMARK_LABELING */ 4202 #ifdef SMACK_IPV6_PORT_LABELING 4203 rc = smk_ipv6_port_check(sk, &sadd, SMK_RECEIVING); 4204 #endif /* SMACK_IPV6_PORT_LABELING */ 4205 if (rc != 0) 4206 icmpv6_send(skb, ICMPV6_DEST_UNREACH, 4207 ICMPV6_ADM_PROHIBITED, 0); 4208 break; 4209 #endif /* CONFIG_IPV6 */ 4210 } 4211 4212 return rc; 4213 } 4214 4215 /** 4216 * smack_socket_getpeersec_stream - pull in packet label 4217 * @sock: the socket 4218 * @optval: user's destination 4219 * @optlen: size thereof 4220 * @len: max thereof 4221 * 4222 * returns zero on success, an error code otherwise 4223 */ 4224 static int smack_socket_getpeersec_stream(struct socket *sock, 4225 sockptr_t optval, sockptr_t optlen, 4226 unsigned int len) 4227 { 4228 struct socket_smack *ssp; 4229 char *rcp = ""; 4230 u32 slen = 1; 4231 int rc = 0; 4232 4233 ssp = sock->sk->sk_security; 4234 if (ssp->smk_packet != NULL) { 4235 rcp = ssp->smk_packet->smk_known; 4236 slen = strlen(rcp) + 1; 4237 } 4238 if (slen > len) { 4239 rc = -ERANGE; 4240 goto out_len; 4241 } 4242 4243 if (copy_to_sockptr(optval, rcp, slen)) 4244 rc = -EFAULT; 4245 out_len: 4246 if (copy_to_sockptr(optlen, &slen, sizeof(slen))) 4247 rc = -EFAULT; 4248 return rc; 4249 } 4250 4251 4252 /** 4253 * smack_socket_getpeersec_dgram - pull in packet label 4254 * @sock: the peer socket 4255 * @skb: packet data 4256 * @secid: pointer to where to put the secid of the packet 4257 * 4258 * Sets the netlabel socket state on sk from parent 4259 */ 4260 static int smack_socket_getpeersec_dgram(struct socket *sock, 4261 struct sk_buff *skb, u32 *secid) 4262 4263 { 4264 struct socket_smack *ssp = NULL; 4265 struct smack_known *skp; 4266 struct sock *sk = NULL; 4267 int family = PF_UNSPEC; 4268 u32 s = 0; /* 0 is the invalid secid */ 4269 4270 if (skb != NULL) { 4271 if (skb->protocol == htons(ETH_P_IP)) 4272 family = PF_INET; 4273 #if IS_ENABLED(CONFIG_IPV6) 4274 else if (skb->protocol == htons(ETH_P_IPV6)) 4275 family = PF_INET6; 4276 #endif /* CONFIG_IPV6 */ 4277 } 4278 if (family == PF_UNSPEC && sock != NULL) 4279 family = sock->sk->sk_family; 4280 4281 switch (family) { 4282 case PF_UNIX: 4283 ssp = sock->sk->sk_security; 4284 s = ssp->smk_out->smk_secid; 4285 break; 4286 case PF_INET: 4287 skp = smack_from_skb(skb); 4288 if (skp) { 4289 s = skp->smk_secid; 4290 break; 4291 } 4292 /* 4293 * Translate what netlabel gave us. 4294 */ 4295 if (sock != NULL) 4296 sk = sock->sk; 4297 skp = smack_from_netlbl(sk, family, skb); 4298 if (skp != NULL) 4299 s = skp->smk_secid; 4300 break; 4301 case PF_INET6: 4302 #ifdef SMACK_IPV6_SECMARK_LABELING 4303 skp = smack_from_skb(skb); 4304 if (skp) 4305 s = skp->smk_secid; 4306 #endif 4307 break; 4308 } 4309 *secid = s; 4310 if (s == 0) 4311 return -EINVAL; 4312 return 0; 4313 } 4314 4315 /** 4316 * smack_sock_graft - Initialize a newly created socket with an existing sock 4317 * @sk: child sock 4318 * @parent: parent socket 4319 * 4320 * Set the smk_{in,out} state of an existing sock based on the process that 4321 * is creating the new socket. 4322 */ 4323 static void smack_sock_graft(struct sock *sk, struct socket *parent) 4324 { 4325 struct socket_smack *ssp; 4326 struct smack_known *skp = smk_of_current(); 4327 4328 if (sk == NULL || 4329 (sk->sk_family != PF_INET && sk->sk_family != PF_INET6)) 4330 return; 4331 4332 ssp = sk->sk_security; 4333 ssp->smk_in = skp; 4334 ssp->smk_out = skp; 4335 /* cssp->smk_packet is already set in smack_inet_csk_clone() */ 4336 } 4337 4338 /** 4339 * smack_inet_conn_request - Smack access check on connect 4340 * @sk: socket involved 4341 * @skb: packet 4342 * @req: unused 4343 * 4344 * Returns 0 if a task with the packet label could write to 4345 * the socket, otherwise an error code 4346 */ 4347 static int smack_inet_conn_request(const struct sock *sk, struct sk_buff *skb, 4348 struct request_sock *req) 4349 { 4350 u16 family = sk->sk_family; 4351 struct smack_known *skp; 4352 struct socket_smack *ssp = sk->sk_security; 4353 struct sockaddr_in addr; 4354 struct iphdr *hdr; 4355 struct smack_known *hskp; 4356 int rc; 4357 struct smk_audit_info ad; 4358 #ifdef CONFIG_AUDIT 4359 struct lsm_network_audit net; 4360 #endif 4361 4362 #if IS_ENABLED(CONFIG_IPV6) 4363 if (family == PF_INET6) { 4364 /* 4365 * Handle mapped IPv4 packets arriving 4366 * via IPv6 sockets. Don't set up netlabel 4367 * processing on IPv6. 4368 */ 4369 if (skb->protocol == htons(ETH_P_IP)) 4370 family = PF_INET; 4371 else 4372 return 0; 4373 } 4374 #endif /* CONFIG_IPV6 */ 4375 4376 /* 4377 * If there is a secmark use it rather than the CIPSO label. 4378 * If there is no secmark fall back to CIPSO. 4379 * The secmark is assumed to reflect policy better. 4380 */ 4381 skp = smack_from_skb(skb); 4382 if (skp == NULL) { 4383 skp = smack_from_netlbl(sk, family, skb); 4384 if (skp == NULL) 4385 skp = &smack_known_huh; 4386 } 4387 4388 #ifdef CONFIG_AUDIT 4389 smk_ad_init_net(&ad, __func__, LSM_AUDIT_DATA_NET, &net); 4390 ad.a.u.net->family = family; 4391 ad.a.u.net->netif = skb->skb_iif; 4392 ipv4_skb_to_auditdata(skb, &ad.a, NULL); 4393 #endif 4394 /* 4395 * Receiving a packet requires that the other end be able to write 4396 * here. Read access is not required. 4397 */ 4398 rc = smk_access(skp, ssp->smk_in, MAY_WRITE, &ad); 4399 rc = smk_bu_note("IPv4 connect", skp, ssp->smk_in, MAY_WRITE, rc); 4400 if (rc != 0) 4401 return rc; 4402 4403 /* 4404 * Save the peer's label in the request_sock so we can later setup 4405 * smk_packet in the child socket so that SO_PEERCRED can report it. 4406 */ 4407 req->peer_secid = skp->smk_secid; 4408 4409 /* 4410 * We need to decide if we want to label the incoming connection here 4411 * if we do we only need to label the request_sock and the stack will 4412 * propagate the wire-label to the sock when it is created. 4413 */ 4414 hdr = ip_hdr(skb); 4415 addr.sin_addr.s_addr = hdr->saddr; 4416 rcu_read_lock(); 4417 hskp = smack_ipv4host_label(&addr); 4418 rcu_read_unlock(); 4419 4420 if (hskp == NULL) 4421 rc = netlbl_req_setattr(req, &skp->smk_netlabel); 4422 else 4423 netlbl_req_delattr(req); 4424 4425 return rc; 4426 } 4427 4428 /** 4429 * smack_inet_csk_clone - Copy the connection information to the new socket 4430 * @sk: the new socket 4431 * @req: the connection's request_sock 4432 * 4433 * Transfer the connection's peer label to the newly created socket. 4434 */ 4435 static void smack_inet_csk_clone(struct sock *sk, 4436 const struct request_sock *req) 4437 { 4438 struct socket_smack *ssp = sk->sk_security; 4439 struct smack_known *skp; 4440 4441 if (req->peer_secid != 0) { 4442 skp = smack_from_secid(req->peer_secid); 4443 ssp->smk_packet = skp; 4444 } else 4445 ssp->smk_packet = NULL; 4446 } 4447 4448 /* 4449 * Key management security hooks 4450 * 4451 * Casey has not tested key support very heavily. 4452 * The permission check is most likely too restrictive. 4453 * If you care about keys please have a look. 4454 */ 4455 #ifdef CONFIG_KEYS 4456 4457 /** 4458 * smack_key_alloc - Set the key security blob 4459 * @key: object 4460 * @cred: the credentials to use 4461 * @flags: unused 4462 * 4463 * No allocation required 4464 * 4465 * Returns 0 4466 */ 4467 static int smack_key_alloc(struct key *key, const struct cred *cred, 4468 unsigned long flags) 4469 { 4470 struct smack_known *skp = smk_of_task(smack_cred(cred)); 4471 4472 key->security = skp; 4473 return 0; 4474 } 4475 4476 /** 4477 * smack_key_free - Clear the key security blob 4478 * @key: the object 4479 * 4480 * Clear the blob pointer 4481 */ 4482 static void smack_key_free(struct key *key) 4483 { 4484 key->security = NULL; 4485 } 4486 4487 /** 4488 * smack_key_permission - Smack access on a key 4489 * @key_ref: gets to the object 4490 * @cred: the credentials to use 4491 * @need_perm: requested key permission 4492 * 4493 * Return 0 if the task has read and write to the object, 4494 * an error code otherwise 4495 */ 4496 static int smack_key_permission(key_ref_t key_ref, 4497 const struct cred *cred, 4498 enum key_need_perm need_perm) 4499 { 4500 struct key *keyp; 4501 struct smk_audit_info ad; 4502 struct smack_known *tkp = smk_of_task(smack_cred(cred)); 4503 int request = 0; 4504 int rc; 4505 4506 /* 4507 * Validate requested permissions 4508 */ 4509 switch (need_perm) { 4510 case KEY_NEED_READ: 4511 case KEY_NEED_SEARCH: 4512 case KEY_NEED_VIEW: 4513 request |= MAY_READ; 4514 break; 4515 case KEY_NEED_WRITE: 4516 case KEY_NEED_LINK: 4517 case KEY_NEED_SETATTR: 4518 request |= MAY_WRITE; 4519 break; 4520 case KEY_NEED_UNSPECIFIED: 4521 case KEY_NEED_UNLINK: 4522 case KEY_SYSADMIN_OVERRIDE: 4523 case KEY_AUTHTOKEN_OVERRIDE: 4524 case KEY_DEFER_PERM_CHECK: 4525 return 0; 4526 default: 4527 return -EINVAL; 4528 } 4529 4530 keyp = key_ref_to_ptr(key_ref); 4531 if (keyp == NULL) 4532 return -EINVAL; 4533 /* 4534 * If the key hasn't been initialized give it access so that 4535 * it may do so. 4536 */ 4537 if (keyp->security == NULL) 4538 return 0; 4539 /* 4540 * This should not occur 4541 */ 4542 if (tkp == NULL) 4543 return -EACCES; 4544 4545 if (smack_privileged(CAP_MAC_OVERRIDE)) 4546 return 0; 4547 4548 #ifdef CONFIG_AUDIT 4549 smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_KEY); 4550 ad.a.u.key_struct.key = keyp->serial; 4551 ad.a.u.key_struct.key_desc = keyp->description; 4552 #endif 4553 rc = smk_access(tkp, keyp->security, request, &ad); 4554 rc = smk_bu_note("key access", tkp, keyp->security, request, rc); 4555 return rc; 4556 } 4557 4558 /* 4559 * smack_key_getsecurity - Smack label tagging the key 4560 * @key points to the key to be queried 4561 * @_buffer points to a pointer that should be set to point to the 4562 * resulting string (if no label or an error occurs). 4563 * Return the length of the string (including terminating NUL) or -ve if 4564 * an error. 4565 * May also return 0 (and a NULL buffer pointer) if there is no label. 4566 */ 4567 static int smack_key_getsecurity(struct key *key, char **_buffer) 4568 { 4569 struct smack_known *skp = key->security; 4570 size_t length; 4571 char *copy; 4572 4573 if (key->security == NULL) { 4574 *_buffer = NULL; 4575 return 0; 4576 } 4577 4578 copy = kstrdup(skp->smk_known, GFP_KERNEL); 4579 if (copy == NULL) 4580 return -ENOMEM; 4581 length = strlen(copy) + 1; 4582 4583 *_buffer = copy; 4584 return length; 4585 } 4586 4587 4588 #ifdef CONFIG_KEY_NOTIFICATIONS 4589 /** 4590 * smack_watch_key - Smack access to watch a key for notifications. 4591 * @key: The key to be watched 4592 * 4593 * Return 0 if the @watch->cred has permission to read from the key object and 4594 * an error otherwise. 4595 */ 4596 static int smack_watch_key(struct key *key) 4597 { 4598 struct smk_audit_info ad; 4599 struct smack_known *tkp = smk_of_current(); 4600 int rc; 4601 4602 if (key == NULL) 4603 return -EINVAL; 4604 /* 4605 * If the key hasn't been initialized give it access so that 4606 * it may do so. 4607 */ 4608 if (key->security == NULL) 4609 return 0; 4610 /* 4611 * This should not occur 4612 */ 4613 if (tkp == NULL) 4614 return -EACCES; 4615 4616 if (smack_privileged_cred(CAP_MAC_OVERRIDE, current_cred())) 4617 return 0; 4618 4619 #ifdef CONFIG_AUDIT 4620 smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_KEY); 4621 ad.a.u.key_struct.key = key->serial; 4622 ad.a.u.key_struct.key_desc = key->description; 4623 #endif 4624 rc = smk_access(tkp, key->security, MAY_READ, &ad); 4625 rc = smk_bu_note("key watch", tkp, key->security, MAY_READ, rc); 4626 return rc; 4627 } 4628 #endif /* CONFIG_KEY_NOTIFICATIONS */ 4629 #endif /* CONFIG_KEYS */ 4630 4631 #ifdef CONFIG_WATCH_QUEUE 4632 /** 4633 * smack_post_notification - Smack access to post a notification to a queue 4634 * @w_cred: The credentials of the watcher. 4635 * @cred: The credentials of the event source (may be NULL). 4636 * @n: The notification message to be posted. 4637 */ 4638 static int smack_post_notification(const struct cred *w_cred, 4639 const struct cred *cred, 4640 struct watch_notification *n) 4641 { 4642 struct smk_audit_info ad; 4643 struct smack_known *subj, *obj; 4644 int rc; 4645 4646 /* Always let maintenance notifications through. */ 4647 if (n->type == WATCH_TYPE_META) 4648 return 0; 4649 4650 if (!cred) 4651 return 0; 4652 subj = smk_of_task(smack_cred(cred)); 4653 obj = smk_of_task(smack_cred(w_cred)); 4654 4655 smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_NOTIFICATION); 4656 rc = smk_access(subj, obj, MAY_WRITE, &ad); 4657 rc = smk_bu_note("notification", subj, obj, MAY_WRITE, rc); 4658 return rc; 4659 } 4660 #endif /* CONFIG_WATCH_QUEUE */ 4661 4662 /* 4663 * Smack Audit hooks 4664 * 4665 * Audit requires a unique representation of each Smack specific 4666 * rule. This unique representation is used to distinguish the 4667 * object to be audited from remaining kernel objects and also 4668 * works as a glue between the audit hooks. 4669 * 4670 * Since repository entries are added but never deleted, we'll use 4671 * the smack_known label address related to the given audit rule as 4672 * the needed unique representation. This also better fits the smack 4673 * model where nearly everything is a label. 4674 */ 4675 #ifdef CONFIG_AUDIT 4676 4677 /** 4678 * smack_audit_rule_init - Initialize a smack audit rule 4679 * @field: audit rule fields given from user-space (audit.h) 4680 * @op: required testing operator (=, !=, >, <, ...) 4681 * @rulestr: smack label to be audited 4682 * @vrule: pointer to save our own audit rule representation 4683 * 4684 * Prepare to audit cases where (@field @op @rulestr) is true. 4685 * The label to be audited is created if necessay. 4686 */ 4687 static int smack_audit_rule_init(u32 field, u32 op, char *rulestr, void **vrule) 4688 { 4689 struct smack_known *skp; 4690 char **rule = (char **)vrule; 4691 *rule = NULL; 4692 4693 if (field != AUDIT_SUBJ_USER && field != AUDIT_OBJ_USER) 4694 return -EINVAL; 4695 4696 if (op != Audit_equal && op != Audit_not_equal) 4697 return -EINVAL; 4698 4699 skp = smk_import_entry(rulestr, 0); 4700 if (IS_ERR(skp)) 4701 return PTR_ERR(skp); 4702 4703 *rule = skp->smk_known; 4704 4705 return 0; 4706 } 4707 4708 /** 4709 * smack_audit_rule_known - Distinguish Smack audit rules 4710 * @krule: rule of interest, in Audit kernel representation format 4711 * 4712 * This is used to filter Smack rules from remaining Audit ones. 4713 * If it's proved that this rule belongs to us, the 4714 * audit_rule_match hook will be called to do the final judgement. 4715 */ 4716 static int smack_audit_rule_known(struct audit_krule *krule) 4717 { 4718 struct audit_field *f; 4719 int i; 4720 4721 for (i = 0; i < krule->field_count; i++) { 4722 f = &krule->fields[i]; 4723 4724 if (f->type == AUDIT_SUBJ_USER || f->type == AUDIT_OBJ_USER) 4725 return 1; 4726 } 4727 4728 return 0; 4729 } 4730 4731 /** 4732 * smack_audit_rule_match - Audit given object ? 4733 * @secid: security id for identifying the object to test 4734 * @field: audit rule flags given from user-space 4735 * @op: required testing operator 4736 * @vrule: smack internal rule presentation 4737 * 4738 * The core Audit hook. It's used to take the decision of 4739 * whether to audit or not to audit a given object. 4740 */ 4741 static int smack_audit_rule_match(u32 secid, u32 field, u32 op, void *vrule) 4742 { 4743 struct smack_known *skp; 4744 char *rule = vrule; 4745 4746 if (unlikely(!rule)) { 4747 WARN_ONCE(1, "Smack: missing rule\n"); 4748 return -ENOENT; 4749 } 4750 4751 if (field != AUDIT_SUBJ_USER && field != AUDIT_OBJ_USER) 4752 return 0; 4753 4754 skp = smack_from_secid(secid); 4755 4756 /* 4757 * No need to do string comparisons. If a match occurs, 4758 * both pointers will point to the same smack_known 4759 * label. 4760 */ 4761 if (op == Audit_equal) 4762 return (rule == skp->smk_known); 4763 if (op == Audit_not_equal) 4764 return (rule != skp->smk_known); 4765 4766 return 0; 4767 } 4768 4769 /* 4770 * There is no need for a smack_audit_rule_free hook. 4771 * No memory was allocated. 4772 */ 4773 4774 #endif /* CONFIG_AUDIT */ 4775 4776 /** 4777 * smack_ismaclabel - check if xattr @name references a smack MAC label 4778 * @name: Full xattr name to check. 4779 */ 4780 static int smack_ismaclabel(const char *name) 4781 { 4782 return (strcmp(name, XATTR_SMACK_SUFFIX) == 0); 4783 } 4784 4785 4786 /** 4787 * smack_secid_to_secctx - return the smack label for a secid 4788 * @secid: incoming integer 4789 * @secdata: destination 4790 * @seclen: how long it is 4791 * 4792 * Exists for networking code. 4793 */ 4794 static int smack_secid_to_secctx(u32 secid, char **secdata, u32 *seclen) 4795 { 4796 struct smack_known *skp = smack_from_secid(secid); 4797 4798 if (secdata) 4799 *secdata = skp->smk_known; 4800 *seclen = strlen(skp->smk_known); 4801 return 0; 4802 } 4803 4804 /** 4805 * smack_secctx_to_secid - return the secid for a smack label 4806 * @secdata: smack label 4807 * @seclen: how long result is 4808 * @secid: outgoing integer 4809 * 4810 * Exists for audit and networking code. 4811 */ 4812 static int smack_secctx_to_secid(const char *secdata, u32 seclen, u32 *secid) 4813 { 4814 struct smack_known *skp = smk_find_entry(secdata); 4815 4816 if (skp) 4817 *secid = skp->smk_secid; 4818 else 4819 *secid = 0; 4820 return 0; 4821 } 4822 4823 /* 4824 * There used to be a smack_release_secctx hook 4825 * that did nothing back when hooks were in a vector. 4826 * Now that there's a list such a hook adds cost. 4827 */ 4828 4829 static int smack_inode_notifysecctx(struct inode *inode, void *ctx, u32 ctxlen) 4830 { 4831 return smack_inode_setsecurity(inode, XATTR_SMACK_SUFFIX, ctx, 4832 ctxlen, 0); 4833 } 4834 4835 static int smack_inode_setsecctx(struct dentry *dentry, void *ctx, u32 ctxlen) 4836 { 4837 return __vfs_setxattr_noperm(&nop_mnt_idmap, dentry, XATTR_NAME_SMACK, 4838 ctx, ctxlen, 0); 4839 } 4840 4841 static int smack_inode_getsecctx(struct inode *inode, void **ctx, u32 *ctxlen) 4842 { 4843 struct smack_known *skp = smk_of_inode(inode); 4844 4845 *ctx = skp->smk_known; 4846 *ctxlen = strlen(skp->smk_known); 4847 return 0; 4848 } 4849 4850 static int smack_inode_copy_up(struct dentry *dentry, struct cred **new) 4851 { 4852 4853 struct task_smack *tsp; 4854 struct smack_known *skp; 4855 struct inode_smack *isp; 4856 struct cred *new_creds = *new; 4857 4858 if (new_creds == NULL) { 4859 new_creds = prepare_creds(); 4860 if (new_creds == NULL) 4861 return -ENOMEM; 4862 } 4863 4864 tsp = smack_cred(new_creds); 4865 4866 /* 4867 * Get label from overlay inode and set it in create_sid 4868 */ 4869 isp = smack_inode(d_inode(dentry)); 4870 skp = isp->smk_inode; 4871 tsp->smk_task = skp; 4872 *new = new_creds; 4873 return 0; 4874 } 4875 4876 static int smack_inode_copy_up_xattr(const char *name) 4877 { 4878 /* 4879 * Return 1 if this is the smack access Smack attribute. 4880 */ 4881 if (strcmp(name, XATTR_NAME_SMACK) == 0) 4882 return 1; 4883 4884 return -EOPNOTSUPP; 4885 } 4886 4887 static int smack_dentry_create_files_as(struct dentry *dentry, int mode, 4888 struct qstr *name, 4889 const struct cred *old, 4890 struct cred *new) 4891 { 4892 struct task_smack *otsp = smack_cred(old); 4893 struct task_smack *ntsp = smack_cred(new); 4894 struct inode_smack *isp; 4895 int may; 4896 4897 /* 4898 * Use the process credential unless all of 4899 * the transmuting criteria are met 4900 */ 4901 ntsp->smk_task = otsp->smk_task; 4902 4903 /* 4904 * the attribute of the containing directory 4905 */ 4906 isp = smack_inode(d_inode(dentry->d_parent)); 4907 4908 if (isp->smk_flags & SMK_INODE_TRANSMUTE) { 4909 rcu_read_lock(); 4910 may = smk_access_entry(otsp->smk_task->smk_known, 4911 isp->smk_inode->smk_known, 4912 &otsp->smk_task->smk_rules); 4913 rcu_read_unlock(); 4914 4915 /* 4916 * If the directory is transmuting and the rule 4917 * providing access is transmuting use the containing 4918 * directory label instead of the process label. 4919 */ 4920 if (may > 0 && (may & MAY_TRANSMUTE)) { 4921 ntsp->smk_task = isp->smk_inode; 4922 ntsp->smk_transmuted = ntsp->smk_task; 4923 } 4924 } 4925 return 0; 4926 } 4927 4928 #ifdef CONFIG_IO_URING 4929 /** 4930 * smack_uring_override_creds - Is io_uring cred override allowed? 4931 * @new: the target creds 4932 * 4933 * Check to see if the current task is allowed to override it's credentials 4934 * to service an io_uring operation. 4935 */ 4936 static int smack_uring_override_creds(const struct cred *new) 4937 { 4938 struct task_smack *tsp = smack_cred(current_cred()); 4939 struct task_smack *nsp = smack_cred(new); 4940 4941 /* 4942 * Allow the degenerate case where the new Smack value is 4943 * the same as the current Smack value. 4944 */ 4945 if (tsp->smk_task == nsp->smk_task) 4946 return 0; 4947 4948 if (smack_privileged_cred(CAP_MAC_OVERRIDE, current_cred())) 4949 return 0; 4950 4951 return -EPERM; 4952 } 4953 4954 /** 4955 * smack_uring_sqpoll - check if a io_uring polling thread can be created 4956 * 4957 * Check to see if the current task is allowed to create a new io_uring 4958 * kernel polling thread. 4959 */ 4960 static int smack_uring_sqpoll(void) 4961 { 4962 if (smack_privileged_cred(CAP_MAC_ADMIN, current_cred())) 4963 return 0; 4964 4965 return -EPERM; 4966 } 4967 4968 /** 4969 * smack_uring_cmd - check on file operations for io_uring 4970 * @ioucmd: the command in question 4971 * 4972 * Make a best guess about whether a io_uring "command" should 4973 * be allowed. Use the same logic used for determining if the 4974 * file could be opened for read in the absence of better criteria. 4975 */ 4976 static int smack_uring_cmd(struct io_uring_cmd *ioucmd) 4977 { 4978 struct file *file = ioucmd->file; 4979 struct smk_audit_info ad; 4980 struct task_smack *tsp; 4981 struct inode *inode; 4982 int rc; 4983 4984 if (!file) 4985 return -EINVAL; 4986 4987 tsp = smack_cred(file->f_cred); 4988 inode = file_inode(file); 4989 4990 smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_PATH); 4991 smk_ad_setfield_u_fs_path(&ad, file->f_path); 4992 rc = smk_tskacc(tsp, smk_of_inode(inode), MAY_READ, &ad); 4993 rc = smk_bu_credfile(file->f_cred, file, MAY_READ, rc); 4994 4995 return rc; 4996 } 4997 4998 #endif /* CONFIG_IO_URING */ 4999 5000 struct lsm_blob_sizes smack_blob_sizes __ro_after_init = { 5001 .lbs_cred = sizeof(struct task_smack), 5002 .lbs_file = sizeof(struct smack_known *), 5003 .lbs_inode = sizeof(struct inode_smack), 5004 .lbs_ipc = sizeof(struct smack_known *), 5005 .lbs_msg_msg = sizeof(struct smack_known *), 5006 .lbs_superblock = sizeof(struct superblock_smack), 5007 .lbs_xattr_count = SMACK_INODE_INIT_XATTRS, 5008 }; 5009 5010 static const struct lsm_id smack_lsmid = { 5011 .name = "smack", 5012 .id = LSM_ID_SMACK, 5013 }; 5014 5015 static struct security_hook_list smack_hooks[] __ro_after_init = { 5016 LSM_HOOK_INIT(ptrace_access_check, smack_ptrace_access_check), 5017 LSM_HOOK_INIT(ptrace_traceme, smack_ptrace_traceme), 5018 LSM_HOOK_INIT(syslog, smack_syslog), 5019 5020 LSM_HOOK_INIT(fs_context_submount, smack_fs_context_submount), 5021 LSM_HOOK_INIT(fs_context_dup, smack_fs_context_dup), 5022 LSM_HOOK_INIT(fs_context_parse_param, smack_fs_context_parse_param), 5023 5024 LSM_HOOK_INIT(sb_alloc_security, smack_sb_alloc_security), 5025 LSM_HOOK_INIT(sb_free_mnt_opts, smack_free_mnt_opts), 5026 LSM_HOOK_INIT(sb_eat_lsm_opts, smack_sb_eat_lsm_opts), 5027 LSM_HOOK_INIT(sb_statfs, smack_sb_statfs), 5028 LSM_HOOK_INIT(sb_set_mnt_opts, smack_set_mnt_opts), 5029 5030 LSM_HOOK_INIT(bprm_creds_for_exec, smack_bprm_creds_for_exec), 5031 5032 LSM_HOOK_INIT(inode_alloc_security, smack_inode_alloc_security), 5033 LSM_HOOK_INIT(inode_init_security, smack_inode_init_security), 5034 LSM_HOOK_INIT(inode_link, smack_inode_link), 5035 LSM_HOOK_INIT(inode_unlink, smack_inode_unlink), 5036 LSM_HOOK_INIT(inode_rmdir, smack_inode_rmdir), 5037 LSM_HOOK_INIT(inode_rename, smack_inode_rename), 5038 LSM_HOOK_INIT(inode_permission, smack_inode_permission), 5039 LSM_HOOK_INIT(inode_setattr, smack_inode_setattr), 5040 LSM_HOOK_INIT(inode_getattr, smack_inode_getattr), 5041 LSM_HOOK_INIT(inode_setxattr, smack_inode_setxattr), 5042 LSM_HOOK_INIT(inode_post_setxattr, smack_inode_post_setxattr), 5043 LSM_HOOK_INIT(inode_getxattr, smack_inode_getxattr), 5044 LSM_HOOK_INIT(inode_removexattr, smack_inode_removexattr), 5045 LSM_HOOK_INIT(inode_set_acl, smack_inode_set_acl), 5046 LSM_HOOK_INIT(inode_get_acl, smack_inode_get_acl), 5047 LSM_HOOK_INIT(inode_remove_acl, smack_inode_remove_acl), 5048 LSM_HOOK_INIT(inode_getsecurity, smack_inode_getsecurity), 5049 LSM_HOOK_INIT(inode_setsecurity, smack_inode_setsecurity), 5050 LSM_HOOK_INIT(inode_listsecurity, smack_inode_listsecurity), 5051 LSM_HOOK_INIT(inode_getsecid, smack_inode_getsecid), 5052 5053 LSM_HOOK_INIT(file_alloc_security, smack_file_alloc_security), 5054 LSM_HOOK_INIT(file_ioctl, smack_file_ioctl), 5055 LSM_HOOK_INIT(file_ioctl_compat, smack_file_ioctl), 5056 LSM_HOOK_INIT(file_lock, smack_file_lock), 5057 LSM_HOOK_INIT(file_fcntl, smack_file_fcntl), 5058 LSM_HOOK_INIT(mmap_file, smack_mmap_file), 5059 LSM_HOOK_INIT(mmap_addr, cap_mmap_addr), 5060 LSM_HOOK_INIT(file_set_fowner, smack_file_set_fowner), 5061 LSM_HOOK_INIT(file_send_sigiotask, smack_file_send_sigiotask), 5062 LSM_HOOK_INIT(file_receive, smack_file_receive), 5063 5064 LSM_HOOK_INIT(file_open, smack_file_open), 5065 5066 LSM_HOOK_INIT(cred_alloc_blank, smack_cred_alloc_blank), 5067 LSM_HOOK_INIT(cred_free, smack_cred_free), 5068 LSM_HOOK_INIT(cred_prepare, smack_cred_prepare), 5069 LSM_HOOK_INIT(cred_transfer, smack_cred_transfer), 5070 LSM_HOOK_INIT(cred_getsecid, smack_cred_getsecid), 5071 LSM_HOOK_INIT(kernel_act_as, smack_kernel_act_as), 5072 LSM_HOOK_INIT(kernel_create_files_as, smack_kernel_create_files_as), 5073 LSM_HOOK_INIT(task_setpgid, smack_task_setpgid), 5074 LSM_HOOK_INIT(task_getpgid, smack_task_getpgid), 5075 LSM_HOOK_INIT(task_getsid, smack_task_getsid), 5076 LSM_HOOK_INIT(current_getsecid_subj, smack_current_getsecid_subj), 5077 LSM_HOOK_INIT(task_getsecid_obj, smack_task_getsecid_obj), 5078 LSM_HOOK_INIT(task_setnice, smack_task_setnice), 5079 LSM_HOOK_INIT(task_setioprio, smack_task_setioprio), 5080 LSM_HOOK_INIT(task_getioprio, smack_task_getioprio), 5081 LSM_HOOK_INIT(task_setscheduler, smack_task_setscheduler), 5082 LSM_HOOK_INIT(task_getscheduler, smack_task_getscheduler), 5083 LSM_HOOK_INIT(task_movememory, smack_task_movememory), 5084 LSM_HOOK_INIT(task_kill, smack_task_kill), 5085 LSM_HOOK_INIT(task_to_inode, smack_task_to_inode), 5086 5087 LSM_HOOK_INIT(ipc_permission, smack_ipc_permission), 5088 LSM_HOOK_INIT(ipc_getsecid, smack_ipc_getsecid), 5089 5090 LSM_HOOK_INIT(msg_msg_alloc_security, smack_msg_msg_alloc_security), 5091 5092 LSM_HOOK_INIT(msg_queue_alloc_security, smack_ipc_alloc_security), 5093 LSM_HOOK_INIT(msg_queue_associate, smack_msg_queue_associate), 5094 LSM_HOOK_INIT(msg_queue_msgctl, smack_msg_queue_msgctl), 5095 LSM_HOOK_INIT(msg_queue_msgsnd, smack_msg_queue_msgsnd), 5096 LSM_HOOK_INIT(msg_queue_msgrcv, smack_msg_queue_msgrcv), 5097 5098 LSM_HOOK_INIT(shm_alloc_security, smack_ipc_alloc_security), 5099 LSM_HOOK_INIT(shm_associate, smack_shm_associate), 5100 LSM_HOOK_INIT(shm_shmctl, smack_shm_shmctl), 5101 LSM_HOOK_INIT(shm_shmat, smack_shm_shmat), 5102 5103 LSM_HOOK_INIT(sem_alloc_security, smack_ipc_alloc_security), 5104 LSM_HOOK_INIT(sem_associate, smack_sem_associate), 5105 LSM_HOOK_INIT(sem_semctl, smack_sem_semctl), 5106 LSM_HOOK_INIT(sem_semop, smack_sem_semop), 5107 5108 LSM_HOOK_INIT(d_instantiate, smack_d_instantiate), 5109 5110 LSM_HOOK_INIT(getselfattr, smack_getselfattr), 5111 LSM_HOOK_INIT(setselfattr, smack_setselfattr), 5112 LSM_HOOK_INIT(getprocattr, smack_getprocattr), 5113 LSM_HOOK_INIT(setprocattr, smack_setprocattr), 5114 5115 LSM_HOOK_INIT(unix_stream_connect, smack_unix_stream_connect), 5116 LSM_HOOK_INIT(unix_may_send, smack_unix_may_send), 5117 5118 LSM_HOOK_INIT(socket_post_create, smack_socket_post_create), 5119 LSM_HOOK_INIT(socket_socketpair, smack_socket_socketpair), 5120 #ifdef SMACK_IPV6_PORT_LABELING 5121 LSM_HOOK_INIT(socket_bind, smack_socket_bind), 5122 #endif 5123 LSM_HOOK_INIT(socket_connect, smack_socket_connect), 5124 LSM_HOOK_INIT(socket_sendmsg, smack_socket_sendmsg), 5125 LSM_HOOK_INIT(socket_sock_rcv_skb, smack_socket_sock_rcv_skb), 5126 LSM_HOOK_INIT(socket_getpeersec_stream, smack_socket_getpeersec_stream), 5127 LSM_HOOK_INIT(socket_getpeersec_dgram, smack_socket_getpeersec_dgram), 5128 LSM_HOOK_INIT(sk_alloc_security, smack_sk_alloc_security), 5129 LSM_HOOK_INIT(sk_free_security, smack_sk_free_security), 5130 LSM_HOOK_INIT(sk_clone_security, smack_sk_clone_security), 5131 LSM_HOOK_INIT(sock_graft, smack_sock_graft), 5132 LSM_HOOK_INIT(inet_conn_request, smack_inet_conn_request), 5133 LSM_HOOK_INIT(inet_csk_clone, smack_inet_csk_clone), 5134 5135 /* key management security hooks */ 5136 #ifdef CONFIG_KEYS 5137 LSM_HOOK_INIT(key_alloc, smack_key_alloc), 5138 LSM_HOOK_INIT(key_free, smack_key_free), 5139 LSM_HOOK_INIT(key_permission, smack_key_permission), 5140 LSM_HOOK_INIT(key_getsecurity, smack_key_getsecurity), 5141 #ifdef CONFIG_KEY_NOTIFICATIONS 5142 LSM_HOOK_INIT(watch_key, smack_watch_key), 5143 #endif 5144 #endif /* CONFIG_KEYS */ 5145 5146 #ifdef CONFIG_WATCH_QUEUE 5147 LSM_HOOK_INIT(post_notification, smack_post_notification), 5148 #endif 5149 5150 /* Audit hooks */ 5151 #ifdef CONFIG_AUDIT 5152 LSM_HOOK_INIT(audit_rule_init, smack_audit_rule_init), 5153 LSM_HOOK_INIT(audit_rule_known, smack_audit_rule_known), 5154 LSM_HOOK_INIT(audit_rule_match, smack_audit_rule_match), 5155 #endif /* CONFIG_AUDIT */ 5156 5157 LSM_HOOK_INIT(ismaclabel, smack_ismaclabel), 5158 LSM_HOOK_INIT(secid_to_secctx, smack_secid_to_secctx), 5159 LSM_HOOK_INIT(secctx_to_secid, smack_secctx_to_secid), 5160 LSM_HOOK_INIT(inode_notifysecctx, smack_inode_notifysecctx), 5161 LSM_HOOK_INIT(inode_setsecctx, smack_inode_setsecctx), 5162 LSM_HOOK_INIT(inode_getsecctx, smack_inode_getsecctx), 5163 LSM_HOOK_INIT(inode_copy_up, smack_inode_copy_up), 5164 LSM_HOOK_INIT(inode_copy_up_xattr, smack_inode_copy_up_xattr), 5165 LSM_HOOK_INIT(dentry_create_files_as, smack_dentry_create_files_as), 5166 #ifdef CONFIG_IO_URING 5167 LSM_HOOK_INIT(uring_override_creds, smack_uring_override_creds), 5168 LSM_HOOK_INIT(uring_sqpoll, smack_uring_sqpoll), 5169 LSM_HOOK_INIT(uring_cmd, smack_uring_cmd), 5170 #endif 5171 }; 5172 5173 5174 static __init void init_smack_known_list(void) 5175 { 5176 /* 5177 * Initialize rule list locks 5178 */ 5179 mutex_init(&smack_known_huh.smk_rules_lock); 5180 mutex_init(&smack_known_hat.smk_rules_lock); 5181 mutex_init(&smack_known_floor.smk_rules_lock); 5182 mutex_init(&smack_known_star.smk_rules_lock); 5183 mutex_init(&smack_known_web.smk_rules_lock); 5184 /* 5185 * Initialize rule lists 5186 */ 5187 INIT_LIST_HEAD(&smack_known_huh.smk_rules); 5188 INIT_LIST_HEAD(&smack_known_hat.smk_rules); 5189 INIT_LIST_HEAD(&smack_known_star.smk_rules); 5190 INIT_LIST_HEAD(&smack_known_floor.smk_rules); 5191 INIT_LIST_HEAD(&smack_known_web.smk_rules); 5192 /* 5193 * Create the known labels list 5194 */ 5195 smk_insert_entry(&smack_known_huh); 5196 smk_insert_entry(&smack_known_hat); 5197 smk_insert_entry(&smack_known_star); 5198 smk_insert_entry(&smack_known_floor); 5199 smk_insert_entry(&smack_known_web); 5200 } 5201 5202 /** 5203 * smack_init - initialize the smack system 5204 * 5205 * Returns 0 on success, -ENOMEM is there's no memory 5206 */ 5207 static __init int smack_init(void) 5208 { 5209 struct cred *cred = (struct cred *) current->cred; 5210 struct task_smack *tsp; 5211 5212 smack_rule_cache = KMEM_CACHE(smack_rule, 0); 5213 if (!smack_rule_cache) 5214 return -ENOMEM; 5215 5216 /* 5217 * Set the security state for the initial task. 5218 */ 5219 tsp = smack_cred(cred); 5220 init_task_smack(tsp, &smack_known_floor, &smack_known_floor); 5221 5222 /* 5223 * Register with LSM 5224 */ 5225 security_add_hooks(smack_hooks, ARRAY_SIZE(smack_hooks), &smack_lsmid); 5226 smack_enabled = 1; 5227 5228 pr_info("Smack: Initializing.\n"); 5229 #ifdef CONFIG_SECURITY_SMACK_NETFILTER 5230 pr_info("Smack: Netfilter enabled.\n"); 5231 #endif 5232 #ifdef SMACK_IPV6_PORT_LABELING 5233 pr_info("Smack: IPv6 port labeling enabled.\n"); 5234 #endif 5235 #ifdef SMACK_IPV6_SECMARK_LABELING 5236 pr_info("Smack: IPv6 Netfilter enabled.\n"); 5237 #endif 5238 5239 /* initialize the smack_known_list */ 5240 init_smack_known_list(); 5241 5242 return 0; 5243 } 5244 5245 /* 5246 * Smack requires early initialization in order to label 5247 * all processes and objects when they are created. 5248 */ 5249 DEFINE_LSM(smack) = { 5250 .name = "smack", 5251 .flags = LSM_FLAG_LEGACY_MAJOR | LSM_FLAG_EXCLUSIVE, 5252 .blobs = &smack_blob_sizes, 5253 .init = smack_init, 5254 }; 5255