1 // SPDX-License-Identifier: GPL-2.0-only 2 /* 3 * Simplified MAC Kernel (smack) security module 4 * 5 * This file contains the smack hook function implementations. 6 * 7 * Authors: 8 * Casey Schaufler <casey@schaufler-ca.com> 9 * Jarkko Sakkinen <jarkko.sakkinen@intel.com> 10 * 11 * Copyright (C) 2007 Casey Schaufler <casey@schaufler-ca.com> 12 * Copyright (C) 2009 Hewlett-Packard Development Company, L.P. 13 * Paul Moore <paul@paul-moore.com> 14 * Copyright (C) 2010 Nokia Corporation 15 * Copyright (C) 2011 Intel Corporation. 16 */ 17 18 #include <linux/xattr.h> 19 #include <linux/pagemap.h> 20 #include <linux/mount.h> 21 #include <linux/stat.h> 22 #include <linux/kd.h> 23 #include <asm/ioctls.h> 24 #include <linux/ip.h> 25 #include <linux/tcp.h> 26 #include <linux/udp.h> 27 #include <linux/dccp.h> 28 #include <linux/icmpv6.h> 29 #include <linux/slab.h> 30 #include <linux/mutex.h> 31 #include <net/cipso_ipv4.h> 32 #include <net/ip.h> 33 #include <net/ipv6.h> 34 #include <linux/audit.h> 35 #include <linux/magic.h> 36 #include <linux/dcache.h> 37 #include <linux/personality.h> 38 #include <linux/msg.h> 39 #include <linux/shm.h> 40 #include <uapi/linux/shm.h> 41 #include <linux/binfmts.h> 42 #include <linux/parser.h> 43 #include <linux/fs_context.h> 44 #include <linux/fs_parser.h> 45 #include <linux/watch_queue.h> 46 #include <linux/io_uring/cmd.h> 47 #include <uapi/linux/lsm.h> 48 #include "smack.h" 49 50 #define TRANS_TRUE "TRUE" 51 #define TRANS_TRUE_SIZE 4 52 53 #define SMK_CONNECTING 0 54 #define SMK_RECEIVING 1 55 #define SMK_SENDING 2 56 57 /* 58 * Smack uses multiple xattrs. 59 * SMACK64 - for access control, 60 * SMACK64TRANSMUTE - label initialization, 61 * Not saved on files - SMACK64IPIN and SMACK64IPOUT, 62 * Must be set explicitly - SMACK64EXEC and SMACK64MMAP 63 */ 64 #define SMACK_INODE_INIT_XATTRS 2 65 66 #ifdef SMACK_IPV6_PORT_LABELING 67 static DEFINE_MUTEX(smack_ipv6_lock); 68 static LIST_HEAD(smk_ipv6_port_list); 69 #endif 70 struct kmem_cache *smack_rule_cache; 71 int smack_enabled __initdata; 72 73 #define A(s) {"smack"#s, sizeof("smack"#s) - 1, Opt_##s} 74 static struct { 75 const char *name; 76 int len; 77 int opt; 78 } smk_mount_opts[] = { 79 {"smackfsdef", sizeof("smackfsdef") - 1, Opt_fsdefault}, 80 A(fsdefault), A(fsfloor), A(fshat), A(fsroot), A(fstransmute) 81 }; 82 #undef A 83 84 static int match_opt_prefix(char *s, int l, char **arg) 85 { 86 int i; 87 88 for (i = 0; i < ARRAY_SIZE(smk_mount_opts); i++) { 89 size_t len = smk_mount_opts[i].len; 90 if (len > l || memcmp(s, smk_mount_opts[i].name, len)) 91 continue; 92 if (len == l || s[len] != '=') 93 continue; 94 *arg = s + len + 1; 95 return smk_mount_opts[i].opt; 96 } 97 return Opt_error; 98 } 99 100 #ifdef CONFIG_SECURITY_SMACK_BRINGUP 101 static char *smk_bu_mess[] = { 102 "Bringup Error", /* Unused */ 103 "Bringup", /* SMACK_BRINGUP_ALLOW */ 104 "Unconfined Subject", /* SMACK_UNCONFINED_SUBJECT */ 105 "Unconfined Object", /* SMACK_UNCONFINED_OBJECT */ 106 }; 107 108 static void smk_bu_mode(int mode, char *s) 109 { 110 int i = 0; 111 112 if (mode & MAY_READ) 113 s[i++] = 'r'; 114 if (mode & MAY_WRITE) 115 s[i++] = 'w'; 116 if (mode & MAY_EXEC) 117 s[i++] = 'x'; 118 if (mode & MAY_APPEND) 119 s[i++] = 'a'; 120 if (mode & MAY_TRANSMUTE) 121 s[i++] = 't'; 122 if (mode & MAY_LOCK) 123 s[i++] = 'l'; 124 if (i == 0) 125 s[i++] = '-'; 126 s[i] = '\0'; 127 } 128 #endif 129 130 #ifdef CONFIG_SECURITY_SMACK_BRINGUP 131 static int smk_bu_note(char *note, struct smack_known *sskp, 132 struct smack_known *oskp, int mode, int rc) 133 { 134 char acc[SMK_NUM_ACCESS_TYPE + 1]; 135 136 if (rc <= 0) 137 return rc; 138 if (rc > SMACK_UNCONFINED_OBJECT) 139 rc = 0; 140 141 smk_bu_mode(mode, acc); 142 pr_info("Smack %s: (%s %s %s) %s\n", smk_bu_mess[rc], 143 sskp->smk_known, oskp->smk_known, acc, note); 144 return 0; 145 } 146 #else 147 #define smk_bu_note(note, sskp, oskp, mode, RC) (RC) 148 #endif 149 150 #ifdef CONFIG_SECURITY_SMACK_BRINGUP 151 static int smk_bu_current(char *note, struct smack_known *oskp, 152 int mode, int rc) 153 { 154 struct task_smack *tsp = smack_cred(current_cred()); 155 char acc[SMK_NUM_ACCESS_TYPE + 1]; 156 157 if (rc <= 0) 158 return rc; 159 if (rc > SMACK_UNCONFINED_OBJECT) 160 rc = 0; 161 162 smk_bu_mode(mode, acc); 163 pr_info("Smack %s: (%s %s %s) %s %s\n", smk_bu_mess[rc], 164 tsp->smk_task->smk_known, oskp->smk_known, 165 acc, current->comm, note); 166 return 0; 167 } 168 #else 169 #define smk_bu_current(note, oskp, mode, RC) (RC) 170 #endif 171 172 #ifdef CONFIG_SECURITY_SMACK_BRINGUP 173 static int smk_bu_task(struct task_struct *otp, int mode, int rc) 174 { 175 struct task_smack *tsp = smack_cred(current_cred()); 176 struct smack_known *smk_task = smk_of_task_struct_obj(otp); 177 char acc[SMK_NUM_ACCESS_TYPE + 1]; 178 179 if (rc <= 0) 180 return rc; 181 if (rc > SMACK_UNCONFINED_OBJECT) 182 rc = 0; 183 184 smk_bu_mode(mode, acc); 185 pr_info("Smack %s: (%s %s %s) %s to %s\n", smk_bu_mess[rc], 186 tsp->smk_task->smk_known, smk_task->smk_known, acc, 187 current->comm, otp->comm); 188 return 0; 189 } 190 #else 191 #define smk_bu_task(otp, mode, RC) (RC) 192 #endif 193 194 #ifdef CONFIG_SECURITY_SMACK_BRINGUP 195 static int smk_bu_inode(struct inode *inode, int mode, int rc) 196 { 197 struct task_smack *tsp = smack_cred(current_cred()); 198 struct inode_smack *isp = smack_inode(inode); 199 char acc[SMK_NUM_ACCESS_TYPE + 1]; 200 201 if (isp->smk_flags & SMK_INODE_IMPURE) 202 pr_info("Smack Unconfined Corruption: inode=(%s %ld) %s\n", 203 inode->i_sb->s_id, inode->i_ino, current->comm); 204 205 if (rc <= 0) 206 return rc; 207 if (rc > SMACK_UNCONFINED_OBJECT) 208 rc = 0; 209 if (rc == SMACK_UNCONFINED_SUBJECT && 210 (mode & (MAY_WRITE | MAY_APPEND))) 211 isp->smk_flags |= SMK_INODE_IMPURE; 212 213 smk_bu_mode(mode, acc); 214 215 pr_info("Smack %s: (%s %s %s) inode=(%s %ld) %s\n", smk_bu_mess[rc], 216 tsp->smk_task->smk_known, isp->smk_inode->smk_known, acc, 217 inode->i_sb->s_id, inode->i_ino, current->comm); 218 return 0; 219 } 220 #else 221 #define smk_bu_inode(inode, mode, RC) (RC) 222 #endif 223 224 #ifdef CONFIG_SECURITY_SMACK_BRINGUP 225 static int smk_bu_file(struct file *file, int mode, int rc) 226 { 227 struct task_smack *tsp = smack_cred(current_cred()); 228 struct smack_known *sskp = tsp->smk_task; 229 struct inode *inode = file_inode(file); 230 struct inode_smack *isp = smack_inode(inode); 231 char acc[SMK_NUM_ACCESS_TYPE + 1]; 232 233 if (isp->smk_flags & SMK_INODE_IMPURE) 234 pr_info("Smack Unconfined Corruption: inode=(%s %ld) %s\n", 235 inode->i_sb->s_id, inode->i_ino, current->comm); 236 237 if (rc <= 0) 238 return rc; 239 if (rc > SMACK_UNCONFINED_OBJECT) 240 rc = 0; 241 242 smk_bu_mode(mode, acc); 243 pr_info("Smack %s: (%s %s %s) file=(%s %ld %pD) %s\n", smk_bu_mess[rc], 244 sskp->smk_known, smk_of_inode(inode)->smk_known, acc, 245 inode->i_sb->s_id, inode->i_ino, file, 246 current->comm); 247 return 0; 248 } 249 #else 250 #define smk_bu_file(file, mode, RC) (RC) 251 #endif 252 253 #ifdef CONFIG_SECURITY_SMACK_BRINGUP 254 static int smk_bu_credfile(const struct cred *cred, struct file *file, 255 int mode, int rc) 256 { 257 struct task_smack *tsp = smack_cred(cred); 258 struct smack_known *sskp = tsp->smk_task; 259 struct inode *inode = file_inode(file); 260 struct inode_smack *isp = smack_inode(inode); 261 char acc[SMK_NUM_ACCESS_TYPE + 1]; 262 263 if (isp->smk_flags & SMK_INODE_IMPURE) 264 pr_info("Smack Unconfined Corruption: inode=(%s %ld) %s\n", 265 inode->i_sb->s_id, inode->i_ino, current->comm); 266 267 if (rc <= 0) 268 return rc; 269 if (rc > SMACK_UNCONFINED_OBJECT) 270 rc = 0; 271 272 smk_bu_mode(mode, acc); 273 pr_info("Smack %s: (%s %s %s) file=(%s %ld %pD) %s\n", smk_bu_mess[rc], 274 sskp->smk_known, smk_of_inode(inode)->smk_known, acc, 275 inode->i_sb->s_id, inode->i_ino, file, 276 current->comm); 277 return 0; 278 } 279 #else 280 #define smk_bu_credfile(cred, file, mode, RC) (RC) 281 #endif 282 283 /** 284 * smk_fetch - Fetch the smack label from a file. 285 * @name: type of the label (attribute) 286 * @ip: a pointer to the inode 287 * @dp: a pointer to the dentry 288 * 289 * Returns a pointer to the master list entry for the Smack label, 290 * NULL if there was no label to fetch, or an error code. 291 */ 292 static struct smack_known *smk_fetch(const char *name, struct inode *ip, 293 struct dentry *dp) 294 { 295 int rc; 296 char *buffer; 297 struct smack_known *skp = NULL; 298 299 if (!(ip->i_opflags & IOP_XATTR)) 300 return ERR_PTR(-EOPNOTSUPP); 301 302 buffer = kzalloc(SMK_LONGLABEL, GFP_NOFS); 303 if (buffer == NULL) 304 return ERR_PTR(-ENOMEM); 305 306 rc = __vfs_getxattr(dp, ip, name, buffer, SMK_LONGLABEL); 307 if (rc < 0) 308 skp = ERR_PTR(rc); 309 else if (rc == 0) 310 skp = NULL; 311 else 312 skp = smk_import_entry(buffer, rc); 313 314 kfree(buffer); 315 316 return skp; 317 } 318 319 /** 320 * init_inode_smack - initialize an inode security blob 321 * @inode: inode to extract the info from 322 * @skp: a pointer to the Smack label entry to use in the blob 323 * 324 */ 325 static void init_inode_smack(struct inode *inode, struct smack_known *skp) 326 { 327 struct inode_smack *isp = smack_inode(inode); 328 329 isp->smk_inode = skp; 330 isp->smk_flags = 0; 331 } 332 333 /** 334 * init_task_smack - initialize a task security blob 335 * @tsp: blob to initialize 336 * @task: a pointer to the Smack label for the running task 337 * @forked: a pointer to the Smack label for the forked task 338 * 339 */ 340 static void init_task_smack(struct task_smack *tsp, struct smack_known *task, 341 struct smack_known *forked) 342 { 343 tsp->smk_task = task; 344 tsp->smk_forked = forked; 345 INIT_LIST_HEAD(&tsp->smk_rules); 346 INIT_LIST_HEAD(&tsp->smk_relabel); 347 mutex_init(&tsp->smk_rules_lock); 348 } 349 350 /** 351 * smk_copy_rules - copy a rule set 352 * @nhead: new rules header pointer 353 * @ohead: old rules header pointer 354 * @gfp: type of the memory for the allocation 355 * 356 * Returns 0 on success, -ENOMEM on error 357 */ 358 static int smk_copy_rules(struct list_head *nhead, struct list_head *ohead, 359 gfp_t gfp) 360 { 361 struct smack_rule *nrp; 362 struct smack_rule *orp; 363 int rc = 0; 364 365 list_for_each_entry_rcu(orp, ohead, list) { 366 nrp = kmem_cache_zalloc(smack_rule_cache, gfp); 367 if (nrp == NULL) { 368 rc = -ENOMEM; 369 break; 370 } 371 *nrp = *orp; 372 list_add_rcu(&nrp->list, nhead); 373 } 374 return rc; 375 } 376 377 /** 378 * smk_copy_relabel - copy smk_relabel labels list 379 * @nhead: new rules header pointer 380 * @ohead: old rules header pointer 381 * @gfp: type of the memory for the allocation 382 * 383 * Returns 0 on success, -ENOMEM on error 384 */ 385 static int smk_copy_relabel(struct list_head *nhead, struct list_head *ohead, 386 gfp_t gfp) 387 { 388 struct smack_known_list_elem *nklep; 389 struct smack_known_list_elem *oklep; 390 391 list_for_each_entry(oklep, ohead, list) { 392 nklep = kzalloc(sizeof(struct smack_known_list_elem), gfp); 393 if (nklep == NULL) { 394 smk_destroy_label_list(nhead); 395 return -ENOMEM; 396 } 397 nklep->smk_label = oklep->smk_label; 398 list_add(&nklep->list, nhead); 399 } 400 401 return 0; 402 } 403 404 /** 405 * smk_ptrace_mode - helper function for converting PTRACE_MODE_* into MAY_* 406 * @mode: input mode in form of PTRACE_MODE_* 407 * 408 * Returns a converted MAY_* mode usable by smack rules 409 */ 410 static inline unsigned int smk_ptrace_mode(unsigned int mode) 411 { 412 if (mode & PTRACE_MODE_ATTACH) 413 return MAY_READWRITE; 414 if (mode & PTRACE_MODE_READ) 415 return MAY_READ; 416 417 return 0; 418 } 419 420 /** 421 * smk_ptrace_rule_check - helper for ptrace access 422 * @tracer: tracer process 423 * @tracee_known: label entry of the process that's about to be traced 424 * @mode: ptrace attachment mode (PTRACE_MODE_*) 425 * @func: name of the function that called us, used for audit 426 * 427 * Returns 0 on access granted, -error on error 428 */ 429 static int smk_ptrace_rule_check(struct task_struct *tracer, 430 struct smack_known *tracee_known, 431 unsigned int mode, const char *func) 432 { 433 int rc; 434 struct smk_audit_info ad, *saip = NULL; 435 struct task_smack *tsp; 436 struct smack_known *tracer_known; 437 const struct cred *tracercred; 438 439 if ((mode & PTRACE_MODE_NOAUDIT) == 0) { 440 smk_ad_init(&ad, func, LSM_AUDIT_DATA_TASK); 441 smk_ad_setfield_u_tsk(&ad, tracer); 442 saip = &ad; 443 } 444 445 rcu_read_lock(); 446 tracercred = __task_cred(tracer); 447 tsp = smack_cred(tracercred); 448 tracer_known = smk_of_task(tsp); 449 450 if ((mode & PTRACE_MODE_ATTACH) && 451 (smack_ptrace_rule == SMACK_PTRACE_EXACT || 452 smack_ptrace_rule == SMACK_PTRACE_DRACONIAN)) { 453 if (tracer_known->smk_known == tracee_known->smk_known) 454 rc = 0; 455 else if (smack_ptrace_rule == SMACK_PTRACE_DRACONIAN) 456 rc = -EACCES; 457 else if (smack_privileged_cred(CAP_SYS_PTRACE, tracercred)) 458 rc = 0; 459 else 460 rc = -EACCES; 461 462 if (saip) 463 smack_log(tracer_known->smk_known, 464 tracee_known->smk_known, 465 0, rc, saip); 466 467 rcu_read_unlock(); 468 return rc; 469 } 470 471 /* In case of rule==SMACK_PTRACE_DEFAULT or mode==PTRACE_MODE_READ */ 472 rc = smk_tskacc(tsp, tracee_known, smk_ptrace_mode(mode), saip); 473 474 rcu_read_unlock(); 475 return rc; 476 } 477 478 /* 479 * LSM hooks. 480 * We he, that is fun! 481 */ 482 483 /** 484 * smack_ptrace_access_check - Smack approval on PTRACE_ATTACH 485 * @ctp: child task pointer 486 * @mode: ptrace attachment mode (PTRACE_MODE_*) 487 * 488 * Returns 0 if access is OK, an error code otherwise 489 * 490 * Do the capability checks. 491 */ 492 static int smack_ptrace_access_check(struct task_struct *ctp, unsigned int mode) 493 { 494 struct smack_known *skp; 495 496 skp = smk_of_task_struct_obj(ctp); 497 498 return smk_ptrace_rule_check(current, skp, mode, __func__); 499 } 500 501 /** 502 * smack_ptrace_traceme - Smack approval on PTRACE_TRACEME 503 * @ptp: parent task pointer 504 * 505 * Returns 0 if access is OK, an error code otherwise 506 * 507 * Do the capability checks, and require PTRACE_MODE_ATTACH. 508 */ 509 static int smack_ptrace_traceme(struct task_struct *ptp) 510 { 511 struct smack_known *skp; 512 513 skp = smk_of_task(smack_cred(current_cred())); 514 515 return smk_ptrace_rule_check(ptp, skp, PTRACE_MODE_ATTACH, __func__); 516 } 517 518 /** 519 * smack_syslog - Smack approval on syslog 520 * @typefrom_file: unused 521 * 522 * Returns 0 on success, error code otherwise. 523 */ 524 static int smack_syslog(int typefrom_file) 525 { 526 int rc = 0; 527 struct smack_known *skp = smk_of_current(); 528 529 if (smack_privileged(CAP_MAC_OVERRIDE)) 530 return 0; 531 532 if (smack_syslog_label != NULL && smack_syslog_label != skp) 533 rc = -EACCES; 534 535 return rc; 536 } 537 538 /* 539 * Superblock Hooks. 540 */ 541 542 /** 543 * smack_sb_alloc_security - allocate a superblock blob 544 * @sb: the superblock getting the blob 545 * 546 * Returns 0 on success or -ENOMEM on error. 547 */ 548 static int smack_sb_alloc_security(struct super_block *sb) 549 { 550 struct superblock_smack *sbsp = smack_superblock(sb); 551 552 sbsp->smk_root = &smack_known_floor; 553 sbsp->smk_default = &smack_known_floor; 554 sbsp->smk_floor = &smack_known_floor; 555 sbsp->smk_hat = &smack_known_hat; 556 /* 557 * SMK_SB_INITIALIZED will be zero from kzalloc. 558 */ 559 560 return 0; 561 } 562 563 struct smack_mnt_opts { 564 const char *fsdefault; 565 const char *fsfloor; 566 const char *fshat; 567 const char *fsroot; 568 const char *fstransmute; 569 }; 570 571 static void smack_free_mnt_opts(void *mnt_opts) 572 { 573 kfree(mnt_opts); 574 } 575 576 static int smack_add_opt(int token, const char *s, void **mnt_opts) 577 { 578 struct smack_mnt_opts *opts = *mnt_opts; 579 struct smack_known *skp; 580 581 if (!opts) { 582 opts = kzalloc(sizeof(struct smack_mnt_opts), GFP_KERNEL); 583 if (!opts) 584 return -ENOMEM; 585 *mnt_opts = opts; 586 } 587 if (!s) 588 return -ENOMEM; 589 590 skp = smk_import_entry(s, 0); 591 if (IS_ERR(skp)) 592 return PTR_ERR(skp); 593 594 switch (token) { 595 case Opt_fsdefault: 596 if (opts->fsdefault) 597 goto out_opt_err; 598 opts->fsdefault = skp->smk_known; 599 break; 600 case Opt_fsfloor: 601 if (opts->fsfloor) 602 goto out_opt_err; 603 opts->fsfloor = skp->smk_known; 604 break; 605 case Opt_fshat: 606 if (opts->fshat) 607 goto out_opt_err; 608 opts->fshat = skp->smk_known; 609 break; 610 case Opt_fsroot: 611 if (opts->fsroot) 612 goto out_opt_err; 613 opts->fsroot = skp->smk_known; 614 break; 615 case Opt_fstransmute: 616 if (opts->fstransmute) 617 goto out_opt_err; 618 opts->fstransmute = skp->smk_known; 619 break; 620 } 621 return 0; 622 623 out_opt_err: 624 pr_warn("Smack: duplicate mount options\n"); 625 return -EINVAL; 626 } 627 628 /** 629 * smack_fs_context_submount - Initialise security data for a filesystem context 630 * @fc: The filesystem context. 631 * @reference: reference superblock 632 * 633 * Returns 0 on success or -ENOMEM on error. 634 */ 635 static int smack_fs_context_submount(struct fs_context *fc, 636 struct super_block *reference) 637 { 638 struct superblock_smack *sbsp; 639 struct smack_mnt_opts *ctx; 640 struct inode_smack *isp; 641 642 ctx = kzalloc(sizeof(*ctx), GFP_KERNEL); 643 if (!ctx) 644 return -ENOMEM; 645 fc->security = ctx; 646 647 sbsp = smack_superblock(reference); 648 isp = smack_inode(reference->s_root->d_inode); 649 650 if (sbsp->smk_default) { 651 ctx->fsdefault = kstrdup(sbsp->smk_default->smk_known, GFP_KERNEL); 652 if (!ctx->fsdefault) 653 return -ENOMEM; 654 } 655 656 if (sbsp->smk_floor) { 657 ctx->fsfloor = kstrdup(sbsp->smk_floor->smk_known, GFP_KERNEL); 658 if (!ctx->fsfloor) 659 return -ENOMEM; 660 } 661 662 if (sbsp->smk_hat) { 663 ctx->fshat = kstrdup(sbsp->smk_hat->smk_known, GFP_KERNEL); 664 if (!ctx->fshat) 665 return -ENOMEM; 666 } 667 668 if (isp->smk_flags & SMK_INODE_TRANSMUTE) { 669 if (sbsp->smk_root) { 670 ctx->fstransmute = kstrdup(sbsp->smk_root->smk_known, GFP_KERNEL); 671 if (!ctx->fstransmute) 672 return -ENOMEM; 673 } 674 } 675 return 0; 676 } 677 678 /** 679 * smack_fs_context_dup - Duplicate the security data on fs_context duplication 680 * @fc: The new filesystem context. 681 * @src_fc: The source filesystem context being duplicated. 682 * 683 * Returns 0 on success or -ENOMEM on error. 684 */ 685 static int smack_fs_context_dup(struct fs_context *fc, 686 struct fs_context *src_fc) 687 { 688 struct smack_mnt_opts *dst, *src = src_fc->security; 689 690 if (!src) 691 return 0; 692 693 fc->security = kzalloc(sizeof(struct smack_mnt_opts), GFP_KERNEL); 694 if (!fc->security) 695 return -ENOMEM; 696 697 dst = fc->security; 698 dst->fsdefault = src->fsdefault; 699 dst->fsfloor = src->fsfloor; 700 dst->fshat = src->fshat; 701 dst->fsroot = src->fsroot; 702 dst->fstransmute = src->fstransmute; 703 704 return 0; 705 } 706 707 static const struct fs_parameter_spec smack_fs_parameters[] = { 708 fsparam_string("smackfsdef", Opt_fsdefault), 709 fsparam_string("smackfsdefault", Opt_fsdefault), 710 fsparam_string("smackfsfloor", Opt_fsfloor), 711 fsparam_string("smackfshat", Opt_fshat), 712 fsparam_string("smackfsroot", Opt_fsroot), 713 fsparam_string("smackfstransmute", Opt_fstransmute), 714 {} 715 }; 716 717 /** 718 * smack_fs_context_parse_param - Parse a single mount parameter 719 * @fc: The new filesystem context being constructed. 720 * @param: The parameter. 721 * 722 * Returns 0 on success, -ENOPARAM to pass the parameter on or anything else on 723 * error. 724 */ 725 static int smack_fs_context_parse_param(struct fs_context *fc, 726 struct fs_parameter *param) 727 { 728 struct fs_parse_result result; 729 int opt, rc; 730 731 opt = fs_parse(fc, smack_fs_parameters, param, &result); 732 if (opt < 0) 733 return opt; 734 735 rc = smack_add_opt(opt, param->string, &fc->security); 736 if (!rc) 737 param->string = NULL; 738 return rc; 739 } 740 741 static int smack_sb_eat_lsm_opts(char *options, void **mnt_opts) 742 { 743 char *from = options, *to = options; 744 bool first = true; 745 746 while (1) { 747 char *next = strchr(from, ','); 748 int token, len, rc; 749 char *arg = NULL; 750 751 if (next) 752 len = next - from; 753 else 754 len = strlen(from); 755 756 token = match_opt_prefix(from, len, &arg); 757 if (token != Opt_error) { 758 arg = kmemdup_nul(arg, from + len - arg, GFP_KERNEL); 759 rc = smack_add_opt(token, arg, mnt_opts); 760 kfree(arg); 761 if (unlikely(rc)) { 762 if (*mnt_opts) 763 smack_free_mnt_opts(*mnt_opts); 764 *mnt_opts = NULL; 765 return rc; 766 } 767 } else { 768 if (!first) { // copy with preceding comma 769 from--; 770 len++; 771 } 772 if (to != from) 773 memmove(to, from, len); 774 to += len; 775 first = false; 776 } 777 if (!from[len]) 778 break; 779 from += len + 1; 780 } 781 *to = '\0'; 782 return 0; 783 } 784 785 /** 786 * smack_set_mnt_opts - set Smack specific mount options 787 * @sb: the file system superblock 788 * @mnt_opts: Smack mount options 789 * @kern_flags: mount option from kernel space or user space 790 * @set_kern_flags: where to store converted mount opts 791 * 792 * Returns 0 on success, an error code on failure 793 * 794 * Allow filesystems with binary mount data to explicitly set Smack mount 795 * labels. 796 */ 797 static int smack_set_mnt_opts(struct super_block *sb, 798 void *mnt_opts, 799 unsigned long kern_flags, 800 unsigned long *set_kern_flags) 801 { 802 struct dentry *root = sb->s_root; 803 struct inode *inode = d_backing_inode(root); 804 struct superblock_smack *sp = smack_superblock(sb); 805 struct inode_smack *isp; 806 struct smack_known *skp; 807 struct smack_mnt_opts *opts = mnt_opts; 808 bool transmute = false; 809 810 if (sp->smk_flags & SMK_SB_INITIALIZED) 811 return 0; 812 813 if (!smack_privileged(CAP_MAC_ADMIN)) { 814 /* 815 * Unprivileged mounts don't get to specify Smack values. 816 */ 817 if (opts) 818 return -EPERM; 819 /* 820 * Unprivileged mounts get root and default from the caller. 821 */ 822 skp = smk_of_current(); 823 sp->smk_root = skp; 824 sp->smk_default = skp; 825 /* 826 * For a handful of fs types with no user-controlled 827 * backing store it's okay to trust security labels 828 * in the filesystem. The rest are untrusted. 829 */ 830 if (sb->s_user_ns != &init_user_ns && 831 sb->s_magic != SYSFS_MAGIC && sb->s_magic != TMPFS_MAGIC && 832 sb->s_magic != RAMFS_MAGIC) { 833 transmute = true; 834 sp->smk_flags |= SMK_SB_UNTRUSTED; 835 } 836 } 837 838 sp->smk_flags |= SMK_SB_INITIALIZED; 839 840 if (opts) { 841 if (opts->fsdefault) { 842 skp = smk_import_entry(opts->fsdefault, 0); 843 if (IS_ERR(skp)) 844 return PTR_ERR(skp); 845 sp->smk_default = skp; 846 } 847 if (opts->fsfloor) { 848 skp = smk_import_entry(opts->fsfloor, 0); 849 if (IS_ERR(skp)) 850 return PTR_ERR(skp); 851 sp->smk_floor = skp; 852 } 853 if (opts->fshat) { 854 skp = smk_import_entry(opts->fshat, 0); 855 if (IS_ERR(skp)) 856 return PTR_ERR(skp); 857 sp->smk_hat = skp; 858 } 859 if (opts->fsroot) { 860 skp = smk_import_entry(opts->fsroot, 0); 861 if (IS_ERR(skp)) 862 return PTR_ERR(skp); 863 sp->smk_root = skp; 864 } 865 if (opts->fstransmute) { 866 skp = smk_import_entry(opts->fstransmute, 0); 867 if (IS_ERR(skp)) 868 return PTR_ERR(skp); 869 sp->smk_root = skp; 870 transmute = true; 871 } 872 } 873 874 /* 875 * Initialize the root inode. 876 */ 877 init_inode_smack(inode, sp->smk_root); 878 879 if (transmute) { 880 isp = smack_inode(inode); 881 isp->smk_flags |= SMK_INODE_TRANSMUTE; 882 } 883 884 return 0; 885 } 886 887 /** 888 * smack_sb_statfs - Smack check on statfs 889 * @dentry: identifies the file system in question 890 * 891 * Returns 0 if current can read the floor of the filesystem, 892 * and error code otherwise 893 */ 894 static int smack_sb_statfs(struct dentry *dentry) 895 { 896 struct superblock_smack *sbp = smack_superblock(dentry->d_sb); 897 int rc; 898 struct smk_audit_info ad; 899 900 smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_DENTRY); 901 smk_ad_setfield_u_fs_path_dentry(&ad, dentry); 902 903 rc = smk_curacc(sbp->smk_floor, MAY_READ, &ad); 904 rc = smk_bu_current("statfs", sbp->smk_floor, MAY_READ, rc); 905 return rc; 906 } 907 908 /* 909 * BPRM hooks 910 */ 911 912 /** 913 * smack_bprm_creds_for_exec - Update bprm->cred if needed for exec 914 * @bprm: the exec information 915 * 916 * Returns 0 if it gets a blob, -EPERM if exec forbidden and -ENOMEM otherwise 917 */ 918 static int smack_bprm_creds_for_exec(struct linux_binprm *bprm) 919 { 920 struct inode *inode = file_inode(bprm->file); 921 struct task_smack *bsp = smack_cred(bprm->cred); 922 struct inode_smack *isp; 923 struct superblock_smack *sbsp; 924 int rc; 925 926 isp = smack_inode(inode); 927 if (isp->smk_task == NULL || isp->smk_task == bsp->smk_task) 928 return 0; 929 930 sbsp = smack_superblock(inode->i_sb); 931 if ((sbsp->smk_flags & SMK_SB_UNTRUSTED) && 932 isp->smk_task != sbsp->smk_root) 933 return 0; 934 935 if (bprm->unsafe & LSM_UNSAFE_PTRACE) { 936 struct task_struct *tracer; 937 rc = 0; 938 939 rcu_read_lock(); 940 tracer = ptrace_parent(current); 941 if (likely(tracer != NULL)) 942 rc = smk_ptrace_rule_check(tracer, 943 isp->smk_task, 944 PTRACE_MODE_ATTACH, 945 __func__); 946 rcu_read_unlock(); 947 948 if (rc != 0) 949 return rc; 950 } 951 if (bprm->unsafe & ~LSM_UNSAFE_PTRACE) 952 return -EPERM; 953 954 bsp->smk_task = isp->smk_task; 955 bprm->per_clear |= PER_CLEAR_ON_SETID; 956 957 /* Decide if this is a secure exec. */ 958 if (bsp->smk_task != bsp->smk_forked) 959 bprm->secureexec = 1; 960 961 return 0; 962 } 963 964 /* 965 * Inode hooks 966 */ 967 968 /** 969 * smack_inode_alloc_security - allocate an inode blob 970 * @inode: the inode in need of a blob 971 * 972 * Returns 0 973 */ 974 static int smack_inode_alloc_security(struct inode *inode) 975 { 976 struct smack_known *skp = smk_of_current(); 977 978 init_inode_smack(inode, skp); 979 return 0; 980 } 981 982 /** 983 * smack_inode_init_security - copy out the smack from an inode 984 * @inode: the newly created inode 985 * @dir: containing directory object 986 * @qstr: unused 987 * @xattrs: where to put the attributes 988 * @xattr_count: current number of LSM-provided xattrs (updated) 989 * 990 * Returns 0 if it all works out, -ENOMEM if there's no memory 991 */ 992 static int smack_inode_init_security(struct inode *inode, struct inode *dir, 993 const struct qstr *qstr, 994 struct xattr *xattrs, int *xattr_count) 995 { 996 struct task_smack *tsp = smack_cred(current_cred()); 997 struct inode_smack *issp = smack_inode(inode); 998 struct smack_known *skp = smk_of_task(tsp); 999 struct smack_known *isp = smk_of_inode(inode); 1000 struct smack_known *dsp = smk_of_inode(dir); 1001 struct xattr *xattr = lsm_get_xattr_slot(xattrs, xattr_count); 1002 int may; 1003 1004 /* 1005 * If equal, transmuting already occurred in 1006 * smack_dentry_create_files_as(). No need to check again. 1007 */ 1008 if (tsp->smk_task != tsp->smk_transmuted) { 1009 rcu_read_lock(); 1010 may = smk_access_entry(skp->smk_known, dsp->smk_known, 1011 &skp->smk_rules); 1012 rcu_read_unlock(); 1013 } 1014 1015 /* 1016 * In addition to having smk_task equal to smk_transmuted, 1017 * if the access rule allows transmutation and the directory 1018 * requests transmutation then by all means transmute. 1019 * Mark the inode as changed. 1020 */ 1021 if ((tsp->smk_task == tsp->smk_transmuted) || 1022 (may > 0 && ((may & MAY_TRANSMUTE) != 0) && 1023 smk_inode_transmutable(dir))) { 1024 struct xattr *xattr_transmute; 1025 1026 /* 1027 * The caller of smack_dentry_create_files_as() 1028 * should have overridden the current cred, so the 1029 * inode label was already set correctly in 1030 * smack_inode_alloc_security(). 1031 */ 1032 if (tsp->smk_task != tsp->smk_transmuted) 1033 isp = issp->smk_inode = dsp; 1034 1035 issp->smk_flags |= SMK_INODE_TRANSMUTE; 1036 xattr_transmute = lsm_get_xattr_slot(xattrs, 1037 xattr_count); 1038 if (xattr_transmute) { 1039 xattr_transmute->value = kmemdup(TRANS_TRUE, 1040 TRANS_TRUE_SIZE, 1041 GFP_NOFS); 1042 if (!xattr_transmute->value) 1043 return -ENOMEM; 1044 1045 xattr_transmute->value_len = TRANS_TRUE_SIZE; 1046 xattr_transmute->name = XATTR_SMACK_TRANSMUTE; 1047 } 1048 } 1049 1050 issp->smk_flags |= SMK_INODE_INSTANT; 1051 1052 if (xattr) { 1053 xattr->value = kstrdup(isp->smk_known, GFP_NOFS); 1054 if (!xattr->value) 1055 return -ENOMEM; 1056 1057 xattr->value_len = strlen(isp->smk_known); 1058 xattr->name = XATTR_SMACK_SUFFIX; 1059 } 1060 1061 return 0; 1062 } 1063 1064 /** 1065 * smack_inode_link - Smack check on link 1066 * @old_dentry: the existing object 1067 * @dir: unused 1068 * @new_dentry: the new object 1069 * 1070 * Returns 0 if access is permitted, an error code otherwise 1071 */ 1072 static int smack_inode_link(struct dentry *old_dentry, struct inode *dir, 1073 struct dentry *new_dentry) 1074 { 1075 struct smack_known *isp; 1076 struct smk_audit_info ad; 1077 int rc; 1078 1079 smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_DENTRY); 1080 smk_ad_setfield_u_fs_path_dentry(&ad, old_dentry); 1081 1082 isp = smk_of_inode(d_backing_inode(old_dentry)); 1083 rc = smk_curacc(isp, MAY_WRITE, &ad); 1084 rc = smk_bu_inode(d_backing_inode(old_dentry), MAY_WRITE, rc); 1085 1086 if (rc == 0 && d_is_positive(new_dentry)) { 1087 isp = smk_of_inode(d_backing_inode(new_dentry)); 1088 smk_ad_setfield_u_fs_path_dentry(&ad, new_dentry); 1089 rc = smk_curacc(isp, MAY_WRITE, &ad); 1090 rc = smk_bu_inode(d_backing_inode(new_dentry), MAY_WRITE, rc); 1091 } 1092 1093 return rc; 1094 } 1095 1096 /** 1097 * smack_inode_unlink - Smack check on inode deletion 1098 * @dir: containing directory object 1099 * @dentry: file to unlink 1100 * 1101 * Returns 0 if current can write the containing directory 1102 * and the object, error code otherwise 1103 */ 1104 static int smack_inode_unlink(struct inode *dir, struct dentry *dentry) 1105 { 1106 struct inode *ip = d_backing_inode(dentry); 1107 struct smk_audit_info ad; 1108 int rc; 1109 1110 smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_DENTRY); 1111 smk_ad_setfield_u_fs_path_dentry(&ad, dentry); 1112 1113 /* 1114 * You need write access to the thing you're unlinking 1115 */ 1116 rc = smk_curacc(smk_of_inode(ip), MAY_WRITE, &ad); 1117 rc = smk_bu_inode(ip, MAY_WRITE, rc); 1118 if (rc == 0) { 1119 /* 1120 * You also need write access to the containing directory 1121 */ 1122 smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_INODE); 1123 smk_ad_setfield_u_fs_inode(&ad, dir); 1124 rc = smk_curacc(smk_of_inode(dir), MAY_WRITE, &ad); 1125 rc = smk_bu_inode(dir, MAY_WRITE, rc); 1126 } 1127 return rc; 1128 } 1129 1130 /** 1131 * smack_inode_rmdir - Smack check on directory deletion 1132 * @dir: containing directory object 1133 * @dentry: directory to unlink 1134 * 1135 * Returns 0 if current can write the containing directory 1136 * and the directory, error code otherwise 1137 */ 1138 static int smack_inode_rmdir(struct inode *dir, struct dentry *dentry) 1139 { 1140 struct smk_audit_info ad; 1141 int rc; 1142 1143 smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_DENTRY); 1144 smk_ad_setfield_u_fs_path_dentry(&ad, dentry); 1145 1146 /* 1147 * You need write access to the thing you're removing 1148 */ 1149 rc = smk_curacc(smk_of_inode(d_backing_inode(dentry)), MAY_WRITE, &ad); 1150 rc = smk_bu_inode(d_backing_inode(dentry), MAY_WRITE, rc); 1151 if (rc == 0) { 1152 /* 1153 * You also need write access to the containing directory 1154 */ 1155 smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_INODE); 1156 smk_ad_setfield_u_fs_inode(&ad, dir); 1157 rc = smk_curacc(smk_of_inode(dir), MAY_WRITE, &ad); 1158 rc = smk_bu_inode(dir, MAY_WRITE, rc); 1159 } 1160 1161 return rc; 1162 } 1163 1164 /** 1165 * smack_inode_rename - Smack check on rename 1166 * @old_inode: unused 1167 * @old_dentry: the old object 1168 * @new_inode: unused 1169 * @new_dentry: the new object 1170 * 1171 * Read and write access is required on both the old and 1172 * new directories. 1173 * 1174 * Returns 0 if access is permitted, an error code otherwise 1175 */ 1176 static int smack_inode_rename(struct inode *old_inode, 1177 struct dentry *old_dentry, 1178 struct inode *new_inode, 1179 struct dentry *new_dentry) 1180 { 1181 int rc; 1182 struct smack_known *isp; 1183 struct smk_audit_info ad; 1184 1185 smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_DENTRY); 1186 smk_ad_setfield_u_fs_path_dentry(&ad, old_dentry); 1187 1188 isp = smk_of_inode(d_backing_inode(old_dentry)); 1189 rc = smk_curacc(isp, MAY_READWRITE, &ad); 1190 rc = smk_bu_inode(d_backing_inode(old_dentry), MAY_READWRITE, rc); 1191 1192 if (rc == 0 && d_is_positive(new_dentry)) { 1193 isp = smk_of_inode(d_backing_inode(new_dentry)); 1194 smk_ad_setfield_u_fs_path_dentry(&ad, new_dentry); 1195 rc = smk_curacc(isp, MAY_READWRITE, &ad); 1196 rc = smk_bu_inode(d_backing_inode(new_dentry), MAY_READWRITE, rc); 1197 } 1198 return rc; 1199 } 1200 1201 /** 1202 * smack_inode_permission - Smack version of permission() 1203 * @inode: the inode in question 1204 * @mask: the access requested 1205 * 1206 * This is the important Smack hook. 1207 * 1208 * Returns 0 if access is permitted, an error code otherwise 1209 */ 1210 static int smack_inode_permission(struct inode *inode, int mask) 1211 { 1212 struct superblock_smack *sbsp = smack_superblock(inode->i_sb); 1213 struct smk_audit_info ad; 1214 int no_block = mask & MAY_NOT_BLOCK; 1215 int rc; 1216 1217 mask &= (MAY_READ|MAY_WRITE|MAY_EXEC|MAY_APPEND); 1218 /* 1219 * No permission to check. Existence test. Yup, it's there. 1220 */ 1221 if (mask == 0) 1222 return 0; 1223 1224 if (sbsp->smk_flags & SMK_SB_UNTRUSTED) { 1225 if (smk_of_inode(inode) != sbsp->smk_root) 1226 return -EACCES; 1227 } 1228 1229 /* May be droppable after audit */ 1230 if (no_block) 1231 return -ECHILD; 1232 smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_INODE); 1233 smk_ad_setfield_u_fs_inode(&ad, inode); 1234 rc = smk_curacc(smk_of_inode(inode), mask, &ad); 1235 rc = smk_bu_inode(inode, mask, rc); 1236 return rc; 1237 } 1238 1239 /** 1240 * smack_inode_setattr - Smack check for setting attributes 1241 * @idmap: idmap of the mount 1242 * @dentry: the object 1243 * @iattr: for the force flag 1244 * 1245 * Returns 0 if access is permitted, an error code otherwise 1246 */ 1247 static int smack_inode_setattr(struct mnt_idmap *idmap, struct dentry *dentry, 1248 struct iattr *iattr) 1249 { 1250 struct smk_audit_info ad; 1251 int rc; 1252 1253 /* 1254 * Need to allow for clearing the setuid bit. 1255 */ 1256 if (iattr->ia_valid & ATTR_FORCE) 1257 return 0; 1258 smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_DENTRY); 1259 smk_ad_setfield_u_fs_path_dentry(&ad, dentry); 1260 1261 rc = smk_curacc(smk_of_inode(d_backing_inode(dentry)), MAY_WRITE, &ad); 1262 rc = smk_bu_inode(d_backing_inode(dentry), MAY_WRITE, rc); 1263 return rc; 1264 } 1265 1266 /** 1267 * smack_inode_getattr - Smack check for getting attributes 1268 * @path: path to extract the info from 1269 * 1270 * Returns 0 if access is permitted, an error code otherwise 1271 */ 1272 static int smack_inode_getattr(const struct path *path) 1273 { 1274 struct smk_audit_info ad; 1275 struct inode *inode = d_backing_inode(path->dentry); 1276 int rc; 1277 1278 smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_PATH); 1279 smk_ad_setfield_u_fs_path(&ad, *path); 1280 rc = smk_curacc(smk_of_inode(inode), MAY_READ, &ad); 1281 rc = smk_bu_inode(inode, MAY_READ, rc); 1282 return rc; 1283 } 1284 1285 /** 1286 * smack_inode_xattr_skipcap - Skip the xattr capability checks? 1287 * @name: name of the xattr 1288 * 1289 * Returns 1 to indicate that Smack "owns" the access control rights to xattrs 1290 * named @name; the LSM layer should avoid enforcing any traditional 1291 * capability based access controls on this xattr. Returns 0 to indicate that 1292 * Smack does not "own" the access control rights to xattrs named @name and is 1293 * deferring to the LSM layer for further access controls, including capability 1294 * based controls. 1295 */ 1296 static int smack_inode_xattr_skipcap(const char *name) 1297 { 1298 if (strncmp(name, XATTR_SMACK_SUFFIX, strlen(XATTR_SMACK_SUFFIX))) 1299 return 0; 1300 1301 if (strcmp(name, XATTR_NAME_SMACK) == 0 || 1302 strcmp(name, XATTR_NAME_SMACKIPIN) == 0 || 1303 strcmp(name, XATTR_NAME_SMACKIPOUT) == 0 || 1304 strcmp(name, XATTR_NAME_SMACKEXEC) == 0 || 1305 strcmp(name, XATTR_NAME_SMACKMMAP) == 0 || 1306 strcmp(name, XATTR_NAME_SMACKTRANSMUTE) == 0) 1307 return 1; 1308 1309 return 0; 1310 } 1311 1312 /** 1313 * smack_inode_setxattr - Smack check for setting xattrs 1314 * @idmap: idmap of the mount 1315 * @dentry: the object 1316 * @name: name of the attribute 1317 * @value: value of the attribute 1318 * @size: size of the value 1319 * @flags: unused 1320 * 1321 * This protects the Smack attribute explicitly. 1322 * 1323 * Returns 0 if access is permitted, an error code otherwise 1324 */ 1325 static int smack_inode_setxattr(struct mnt_idmap *idmap, 1326 struct dentry *dentry, const char *name, 1327 const void *value, size_t size, int flags) 1328 { 1329 struct smk_audit_info ad; 1330 struct smack_known *skp; 1331 int check_priv = 0; 1332 int check_import = 0; 1333 int check_star = 0; 1334 int rc = 0; 1335 1336 /* 1337 * Check label validity here so import won't fail in post_setxattr 1338 */ 1339 if (strcmp(name, XATTR_NAME_SMACK) == 0 || 1340 strcmp(name, XATTR_NAME_SMACKIPIN) == 0 || 1341 strcmp(name, XATTR_NAME_SMACKIPOUT) == 0) { 1342 check_priv = 1; 1343 check_import = 1; 1344 } else if (strcmp(name, XATTR_NAME_SMACKEXEC) == 0 || 1345 strcmp(name, XATTR_NAME_SMACKMMAP) == 0) { 1346 check_priv = 1; 1347 check_import = 1; 1348 check_star = 1; 1349 } else if (strcmp(name, XATTR_NAME_SMACKTRANSMUTE) == 0) { 1350 check_priv = 1; 1351 if (!S_ISDIR(d_backing_inode(dentry)->i_mode) || 1352 size != TRANS_TRUE_SIZE || 1353 strncmp(value, TRANS_TRUE, TRANS_TRUE_SIZE) != 0) 1354 rc = -EINVAL; 1355 } 1356 1357 if (check_priv && !smack_privileged(CAP_MAC_ADMIN)) 1358 rc = -EPERM; 1359 1360 if (rc == 0 && check_import) { 1361 skp = size ? smk_import_entry(value, size) : NULL; 1362 if (IS_ERR(skp)) 1363 rc = PTR_ERR(skp); 1364 else if (skp == NULL || (check_star && 1365 (skp == &smack_known_star || skp == &smack_known_web))) 1366 rc = -EINVAL; 1367 } 1368 1369 smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_DENTRY); 1370 smk_ad_setfield_u_fs_path_dentry(&ad, dentry); 1371 1372 if (rc == 0) { 1373 rc = smk_curacc(smk_of_inode(d_backing_inode(dentry)), MAY_WRITE, &ad); 1374 rc = smk_bu_inode(d_backing_inode(dentry), MAY_WRITE, rc); 1375 } 1376 1377 return rc; 1378 } 1379 1380 /** 1381 * smack_inode_post_setxattr - Apply the Smack update approved above 1382 * @dentry: object 1383 * @name: attribute name 1384 * @value: attribute value 1385 * @size: attribute size 1386 * @flags: unused 1387 * 1388 * Set the pointer in the inode blob to the entry found 1389 * in the master label list. 1390 */ 1391 static void smack_inode_post_setxattr(struct dentry *dentry, const char *name, 1392 const void *value, size_t size, int flags) 1393 { 1394 struct smack_known *skp; 1395 struct inode_smack *isp = smack_inode(d_backing_inode(dentry)); 1396 1397 if (strcmp(name, XATTR_NAME_SMACKTRANSMUTE) == 0) { 1398 isp->smk_flags |= SMK_INODE_TRANSMUTE; 1399 return; 1400 } 1401 1402 if (strcmp(name, XATTR_NAME_SMACK) == 0) { 1403 skp = smk_import_entry(value, size); 1404 if (!IS_ERR(skp)) 1405 isp->smk_inode = skp; 1406 } else if (strcmp(name, XATTR_NAME_SMACKEXEC) == 0) { 1407 skp = smk_import_entry(value, size); 1408 if (!IS_ERR(skp)) 1409 isp->smk_task = skp; 1410 } else if (strcmp(name, XATTR_NAME_SMACKMMAP) == 0) { 1411 skp = smk_import_entry(value, size); 1412 if (!IS_ERR(skp)) 1413 isp->smk_mmap = skp; 1414 } 1415 1416 return; 1417 } 1418 1419 /** 1420 * smack_inode_getxattr - Smack check on getxattr 1421 * @dentry: the object 1422 * @name: unused 1423 * 1424 * Returns 0 if access is permitted, an error code otherwise 1425 */ 1426 static int smack_inode_getxattr(struct dentry *dentry, const char *name) 1427 { 1428 struct smk_audit_info ad; 1429 int rc; 1430 1431 smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_DENTRY); 1432 smk_ad_setfield_u_fs_path_dentry(&ad, dentry); 1433 1434 rc = smk_curacc(smk_of_inode(d_backing_inode(dentry)), MAY_READ, &ad); 1435 rc = smk_bu_inode(d_backing_inode(dentry), MAY_READ, rc); 1436 return rc; 1437 } 1438 1439 /** 1440 * smack_inode_removexattr - Smack check on removexattr 1441 * @idmap: idmap of the mount 1442 * @dentry: the object 1443 * @name: name of the attribute 1444 * 1445 * Removing the Smack attribute requires CAP_MAC_ADMIN 1446 * 1447 * Returns 0 if access is permitted, an error code otherwise 1448 */ 1449 static int smack_inode_removexattr(struct mnt_idmap *idmap, 1450 struct dentry *dentry, const char *name) 1451 { 1452 struct inode_smack *isp; 1453 struct smk_audit_info ad; 1454 int rc = 0; 1455 1456 if (strcmp(name, XATTR_NAME_SMACK) == 0 || 1457 strcmp(name, XATTR_NAME_SMACKIPIN) == 0 || 1458 strcmp(name, XATTR_NAME_SMACKIPOUT) == 0 || 1459 strcmp(name, XATTR_NAME_SMACKEXEC) == 0 || 1460 strcmp(name, XATTR_NAME_SMACKTRANSMUTE) == 0 || 1461 strcmp(name, XATTR_NAME_SMACKMMAP) == 0) { 1462 if (!smack_privileged(CAP_MAC_ADMIN)) 1463 rc = -EPERM; 1464 } 1465 1466 if (rc != 0) 1467 return rc; 1468 1469 smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_DENTRY); 1470 smk_ad_setfield_u_fs_path_dentry(&ad, dentry); 1471 1472 rc = smk_curacc(smk_of_inode(d_backing_inode(dentry)), MAY_WRITE, &ad); 1473 rc = smk_bu_inode(d_backing_inode(dentry), MAY_WRITE, rc); 1474 if (rc != 0) 1475 return rc; 1476 1477 isp = smack_inode(d_backing_inode(dentry)); 1478 /* 1479 * Don't do anything special for these. 1480 * XATTR_NAME_SMACKIPIN 1481 * XATTR_NAME_SMACKIPOUT 1482 */ 1483 if (strcmp(name, XATTR_NAME_SMACK) == 0) { 1484 struct super_block *sbp = dentry->d_sb; 1485 struct superblock_smack *sbsp = smack_superblock(sbp); 1486 1487 isp->smk_inode = sbsp->smk_default; 1488 } else if (strcmp(name, XATTR_NAME_SMACKEXEC) == 0) 1489 isp->smk_task = NULL; 1490 else if (strcmp(name, XATTR_NAME_SMACKMMAP) == 0) 1491 isp->smk_mmap = NULL; 1492 else if (strcmp(name, XATTR_NAME_SMACKTRANSMUTE) == 0) 1493 isp->smk_flags &= ~SMK_INODE_TRANSMUTE; 1494 1495 return 0; 1496 } 1497 1498 /** 1499 * smack_inode_set_acl - Smack check for setting posix acls 1500 * @idmap: idmap of the mnt this request came from 1501 * @dentry: the object 1502 * @acl_name: name of the posix acl 1503 * @kacl: the posix acls 1504 * 1505 * Returns 0 if access is permitted, an error code otherwise 1506 */ 1507 static int smack_inode_set_acl(struct mnt_idmap *idmap, 1508 struct dentry *dentry, const char *acl_name, 1509 struct posix_acl *kacl) 1510 { 1511 struct smk_audit_info ad; 1512 int rc; 1513 1514 smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_DENTRY); 1515 smk_ad_setfield_u_fs_path_dentry(&ad, dentry); 1516 1517 rc = smk_curacc(smk_of_inode(d_backing_inode(dentry)), MAY_WRITE, &ad); 1518 rc = smk_bu_inode(d_backing_inode(dentry), MAY_WRITE, rc); 1519 return rc; 1520 } 1521 1522 /** 1523 * smack_inode_get_acl - Smack check for getting posix acls 1524 * @idmap: idmap of the mnt this request came from 1525 * @dentry: the object 1526 * @acl_name: name of the posix acl 1527 * 1528 * Returns 0 if access is permitted, an error code otherwise 1529 */ 1530 static int smack_inode_get_acl(struct mnt_idmap *idmap, 1531 struct dentry *dentry, const char *acl_name) 1532 { 1533 struct smk_audit_info ad; 1534 int rc; 1535 1536 smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_DENTRY); 1537 smk_ad_setfield_u_fs_path_dentry(&ad, dentry); 1538 1539 rc = smk_curacc(smk_of_inode(d_backing_inode(dentry)), MAY_READ, &ad); 1540 rc = smk_bu_inode(d_backing_inode(dentry), MAY_READ, rc); 1541 return rc; 1542 } 1543 1544 /** 1545 * smack_inode_remove_acl - Smack check for getting posix acls 1546 * @idmap: idmap of the mnt this request came from 1547 * @dentry: the object 1548 * @acl_name: name of the posix acl 1549 * 1550 * Returns 0 if access is permitted, an error code otherwise 1551 */ 1552 static int smack_inode_remove_acl(struct mnt_idmap *idmap, 1553 struct dentry *dentry, const char *acl_name) 1554 { 1555 struct smk_audit_info ad; 1556 int rc; 1557 1558 smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_DENTRY); 1559 smk_ad_setfield_u_fs_path_dentry(&ad, dentry); 1560 1561 rc = smk_curacc(smk_of_inode(d_backing_inode(dentry)), MAY_WRITE, &ad); 1562 rc = smk_bu_inode(d_backing_inode(dentry), MAY_WRITE, rc); 1563 return rc; 1564 } 1565 1566 /** 1567 * smack_inode_getsecurity - get smack xattrs 1568 * @idmap: idmap of the mount 1569 * @inode: the object 1570 * @name: attribute name 1571 * @buffer: where to put the result 1572 * @alloc: duplicate memory 1573 * 1574 * Returns the size of the attribute or an error code 1575 */ 1576 static int smack_inode_getsecurity(struct mnt_idmap *idmap, 1577 struct inode *inode, const char *name, 1578 void **buffer, bool alloc) 1579 { 1580 struct socket_smack *ssp; 1581 struct socket *sock; 1582 struct super_block *sbp; 1583 struct inode *ip = inode; 1584 struct smack_known *isp; 1585 struct inode_smack *ispp; 1586 size_t label_len; 1587 char *label = NULL; 1588 1589 if (strcmp(name, XATTR_SMACK_SUFFIX) == 0) { 1590 isp = smk_of_inode(inode); 1591 } else if (strcmp(name, XATTR_SMACK_TRANSMUTE) == 0) { 1592 ispp = smack_inode(inode); 1593 if (ispp->smk_flags & SMK_INODE_TRANSMUTE) 1594 label = TRANS_TRUE; 1595 else 1596 label = ""; 1597 } else { 1598 /* 1599 * The rest of the Smack xattrs are only on sockets. 1600 */ 1601 sbp = ip->i_sb; 1602 if (sbp->s_magic != SOCKFS_MAGIC) 1603 return -EOPNOTSUPP; 1604 1605 sock = SOCKET_I(ip); 1606 if (sock == NULL || sock->sk == NULL) 1607 return -EOPNOTSUPP; 1608 1609 ssp = sock->sk->sk_security; 1610 1611 if (strcmp(name, XATTR_SMACK_IPIN) == 0) 1612 isp = ssp->smk_in; 1613 else if (strcmp(name, XATTR_SMACK_IPOUT) == 0) 1614 isp = ssp->smk_out; 1615 else 1616 return -EOPNOTSUPP; 1617 } 1618 1619 if (!label) 1620 label = isp->smk_known; 1621 1622 label_len = strlen(label); 1623 1624 if (alloc) { 1625 *buffer = kstrdup(label, GFP_KERNEL); 1626 if (*buffer == NULL) 1627 return -ENOMEM; 1628 } 1629 1630 return label_len; 1631 } 1632 1633 1634 /** 1635 * smack_inode_listsecurity - list the Smack attributes 1636 * @inode: the object 1637 * @buffer: where they go 1638 * @buffer_size: size of buffer 1639 */ 1640 static int smack_inode_listsecurity(struct inode *inode, char *buffer, 1641 size_t buffer_size) 1642 { 1643 int len = sizeof(XATTR_NAME_SMACK); 1644 1645 if (buffer != NULL && len <= buffer_size) 1646 memcpy(buffer, XATTR_NAME_SMACK, len); 1647 1648 return len; 1649 } 1650 1651 /** 1652 * smack_inode_getsecid - Extract inode's security id 1653 * @inode: inode to extract the info from 1654 * @secid: where result will be saved 1655 */ 1656 static void smack_inode_getsecid(struct inode *inode, u32 *secid) 1657 { 1658 struct smack_known *skp = smk_of_inode(inode); 1659 1660 *secid = skp->smk_secid; 1661 } 1662 1663 /* 1664 * File Hooks 1665 */ 1666 1667 /* 1668 * There is no smack_file_permission hook 1669 * 1670 * Should access checks be done on each read or write? 1671 * UNICOS and SELinux say yes. 1672 * Trusted Solaris, Trusted Irix, and just about everyone else says no. 1673 * 1674 * I'll say no for now. Smack does not do the frequent 1675 * label changing that SELinux does. 1676 */ 1677 1678 /** 1679 * smack_file_alloc_security - assign a file security blob 1680 * @file: the object 1681 * 1682 * The security blob for a file is a pointer to the master 1683 * label list, so no allocation is done. 1684 * 1685 * f_security is the owner security information. It 1686 * isn't used on file access checks, it's for send_sigio. 1687 * 1688 * Returns 0 1689 */ 1690 static int smack_file_alloc_security(struct file *file) 1691 { 1692 struct smack_known **blob = smack_file(file); 1693 1694 *blob = smk_of_current(); 1695 return 0; 1696 } 1697 1698 /** 1699 * smack_file_ioctl - Smack check on ioctls 1700 * @file: the object 1701 * @cmd: what to do 1702 * @arg: unused 1703 * 1704 * Relies heavily on the correct use of the ioctl command conventions. 1705 * 1706 * Returns 0 if allowed, error code otherwise 1707 */ 1708 static int smack_file_ioctl(struct file *file, unsigned int cmd, 1709 unsigned long arg) 1710 { 1711 int rc = 0; 1712 struct smk_audit_info ad; 1713 struct inode *inode = file_inode(file); 1714 1715 if (unlikely(IS_PRIVATE(inode))) 1716 return 0; 1717 1718 smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_PATH); 1719 smk_ad_setfield_u_fs_path(&ad, file->f_path); 1720 1721 if (_IOC_DIR(cmd) & _IOC_WRITE) { 1722 rc = smk_curacc(smk_of_inode(inode), MAY_WRITE, &ad); 1723 rc = smk_bu_file(file, MAY_WRITE, rc); 1724 } 1725 1726 if (rc == 0 && (_IOC_DIR(cmd) & _IOC_READ)) { 1727 rc = smk_curacc(smk_of_inode(inode), MAY_READ, &ad); 1728 rc = smk_bu_file(file, MAY_READ, rc); 1729 } 1730 1731 return rc; 1732 } 1733 1734 /** 1735 * smack_file_lock - Smack check on file locking 1736 * @file: the object 1737 * @cmd: unused 1738 * 1739 * Returns 0 if current has lock access, error code otherwise 1740 */ 1741 static int smack_file_lock(struct file *file, unsigned int cmd) 1742 { 1743 struct smk_audit_info ad; 1744 int rc; 1745 struct inode *inode = file_inode(file); 1746 1747 if (unlikely(IS_PRIVATE(inode))) 1748 return 0; 1749 1750 smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_PATH); 1751 smk_ad_setfield_u_fs_path(&ad, file->f_path); 1752 rc = smk_curacc(smk_of_inode(inode), MAY_LOCK, &ad); 1753 rc = smk_bu_file(file, MAY_LOCK, rc); 1754 return rc; 1755 } 1756 1757 /** 1758 * smack_file_fcntl - Smack check on fcntl 1759 * @file: the object 1760 * @cmd: what action to check 1761 * @arg: unused 1762 * 1763 * Generally these operations are harmless. 1764 * File locking operations present an obvious mechanism 1765 * for passing information, so they require write access. 1766 * 1767 * Returns 0 if current has access, error code otherwise 1768 */ 1769 static int smack_file_fcntl(struct file *file, unsigned int cmd, 1770 unsigned long arg) 1771 { 1772 struct smk_audit_info ad; 1773 int rc = 0; 1774 struct inode *inode = file_inode(file); 1775 1776 if (unlikely(IS_PRIVATE(inode))) 1777 return 0; 1778 1779 switch (cmd) { 1780 case F_GETLK: 1781 break; 1782 case F_SETLK: 1783 case F_SETLKW: 1784 smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_PATH); 1785 smk_ad_setfield_u_fs_path(&ad, file->f_path); 1786 rc = smk_curacc(smk_of_inode(inode), MAY_LOCK, &ad); 1787 rc = smk_bu_file(file, MAY_LOCK, rc); 1788 break; 1789 case F_SETOWN: 1790 case F_SETSIG: 1791 smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_PATH); 1792 smk_ad_setfield_u_fs_path(&ad, file->f_path); 1793 rc = smk_curacc(smk_of_inode(inode), MAY_WRITE, &ad); 1794 rc = smk_bu_file(file, MAY_WRITE, rc); 1795 break; 1796 default: 1797 break; 1798 } 1799 1800 return rc; 1801 } 1802 1803 /** 1804 * smack_mmap_file - Check permissions for a mmap operation. 1805 * @file: contains the file structure for file to map (may be NULL). 1806 * @reqprot: contains the protection requested by the application. 1807 * @prot: contains the protection that will be applied by the kernel. 1808 * @flags: contains the operational flags. 1809 * 1810 * The @file may be NULL, e.g. if mapping anonymous memory. 1811 * 1812 * Return 0 if permission is granted. 1813 */ 1814 static int smack_mmap_file(struct file *file, 1815 unsigned long reqprot, unsigned long prot, 1816 unsigned long flags) 1817 { 1818 struct smack_known *skp; 1819 struct smack_known *mkp; 1820 struct smack_rule *srp; 1821 struct task_smack *tsp; 1822 struct smack_known *okp; 1823 struct inode_smack *isp; 1824 struct superblock_smack *sbsp; 1825 int may; 1826 int mmay; 1827 int tmay; 1828 int rc; 1829 1830 if (file == NULL) 1831 return 0; 1832 1833 if (unlikely(IS_PRIVATE(file_inode(file)))) 1834 return 0; 1835 1836 isp = smack_inode(file_inode(file)); 1837 if (isp->smk_mmap == NULL) 1838 return 0; 1839 sbsp = smack_superblock(file_inode(file)->i_sb); 1840 if (sbsp->smk_flags & SMK_SB_UNTRUSTED && 1841 isp->smk_mmap != sbsp->smk_root) 1842 return -EACCES; 1843 mkp = isp->smk_mmap; 1844 1845 tsp = smack_cred(current_cred()); 1846 skp = smk_of_current(); 1847 rc = 0; 1848 1849 rcu_read_lock(); 1850 /* 1851 * For each Smack rule associated with the subject 1852 * label verify that the SMACK64MMAP also has access 1853 * to that rule's object label. 1854 */ 1855 list_for_each_entry_rcu(srp, &skp->smk_rules, list) { 1856 okp = srp->smk_object; 1857 /* 1858 * Matching labels always allows access. 1859 */ 1860 if (mkp->smk_known == okp->smk_known) 1861 continue; 1862 /* 1863 * If there is a matching local rule take 1864 * that into account as well. 1865 */ 1866 may = smk_access_entry(srp->smk_subject->smk_known, 1867 okp->smk_known, 1868 &tsp->smk_rules); 1869 if (may == -ENOENT) 1870 may = srp->smk_access; 1871 else 1872 may &= srp->smk_access; 1873 /* 1874 * If may is zero the SMACK64MMAP subject can't 1875 * possibly have less access. 1876 */ 1877 if (may == 0) 1878 continue; 1879 1880 /* 1881 * Fetch the global list entry. 1882 * If there isn't one a SMACK64MMAP subject 1883 * can't have as much access as current. 1884 */ 1885 mmay = smk_access_entry(mkp->smk_known, okp->smk_known, 1886 &mkp->smk_rules); 1887 if (mmay == -ENOENT) { 1888 rc = -EACCES; 1889 break; 1890 } 1891 /* 1892 * If there is a local entry it modifies the 1893 * potential access, too. 1894 */ 1895 tmay = smk_access_entry(mkp->smk_known, okp->smk_known, 1896 &tsp->smk_rules); 1897 if (tmay != -ENOENT) 1898 mmay &= tmay; 1899 1900 /* 1901 * If there is any access available to current that is 1902 * not available to a SMACK64MMAP subject 1903 * deny access. 1904 */ 1905 if ((may | mmay) != mmay) { 1906 rc = -EACCES; 1907 break; 1908 } 1909 } 1910 1911 rcu_read_unlock(); 1912 1913 return rc; 1914 } 1915 1916 /** 1917 * smack_file_set_fowner - set the file security blob value 1918 * @file: object in question 1919 * 1920 */ 1921 static void smack_file_set_fowner(struct file *file) 1922 { 1923 struct smack_known **blob = smack_file(file); 1924 1925 *blob = smk_of_current(); 1926 } 1927 1928 /** 1929 * smack_file_send_sigiotask - Smack on sigio 1930 * @tsk: The target task 1931 * @fown: the object the signal come from 1932 * @signum: unused 1933 * 1934 * Allow a privileged task to get signals even if it shouldn't 1935 * 1936 * Returns 0 if a subject with the object's smack could 1937 * write to the task, an error code otherwise. 1938 */ 1939 static int smack_file_send_sigiotask(struct task_struct *tsk, 1940 struct fown_struct *fown, int signum) 1941 { 1942 struct smack_known **blob; 1943 struct smack_known *skp; 1944 struct smack_known *tkp = smk_of_task(smack_cred(tsk->cred)); 1945 const struct cred *tcred; 1946 struct file *file; 1947 int rc; 1948 struct smk_audit_info ad; 1949 1950 /* 1951 * struct fown_struct is never outside the context of a struct file 1952 */ 1953 file = container_of(fown, struct file, f_owner); 1954 1955 /* we don't log here as rc can be overriden */ 1956 blob = smack_file(file); 1957 skp = *blob; 1958 rc = smk_access(skp, tkp, MAY_DELIVER, NULL); 1959 rc = smk_bu_note("sigiotask", skp, tkp, MAY_DELIVER, rc); 1960 1961 rcu_read_lock(); 1962 tcred = __task_cred(tsk); 1963 if (rc != 0 && smack_privileged_cred(CAP_MAC_OVERRIDE, tcred)) 1964 rc = 0; 1965 rcu_read_unlock(); 1966 1967 smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_TASK); 1968 smk_ad_setfield_u_tsk(&ad, tsk); 1969 smack_log(skp->smk_known, tkp->smk_known, MAY_DELIVER, rc, &ad); 1970 return rc; 1971 } 1972 1973 /** 1974 * smack_file_receive - Smack file receive check 1975 * @file: the object 1976 * 1977 * Returns 0 if current has access, error code otherwise 1978 */ 1979 static int smack_file_receive(struct file *file) 1980 { 1981 int rc; 1982 int may = 0; 1983 struct smk_audit_info ad; 1984 struct inode *inode = file_inode(file); 1985 struct socket *sock; 1986 struct task_smack *tsp; 1987 struct socket_smack *ssp; 1988 1989 if (unlikely(IS_PRIVATE(inode))) 1990 return 0; 1991 1992 smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_PATH); 1993 smk_ad_setfield_u_fs_path(&ad, file->f_path); 1994 1995 if (inode->i_sb->s_magic == SOCKFS_MAGIC) { 1996 sock = SOCKET_I(inode); 1997 ssp = sock->sk->sk_security; 1998 tsp = smack_cred(current_cred()); 1999 /* 2000 * If the receiving process can't write to the 2001 * passed socket or if the passed socket can't 2002 * write to the receiving process don't accept 2003 * the passed socket. 2004 */ 2005 rc = smk_access(tsp->smk_task, ssp->smk_out, MAY_WRITE, &ad); 2006 rc = smk_bu_file(file, may, rc); 2007 if (rc < 0) 2008 return rc; 2009 rc = smk_access(ssp->smk_in, tsp->smk_task, MAY_WRITE, &ad); 2010 rc = smk_bu_file(file, may, rc); 2011 return rc; 2012 } 2013 /* 2014 * This code relies on bitmasks. 2015 */ 2016 if (file->f_mode & FMODE_READ) 2017 may = MAY_READ; 2018 if (file->f_mode & FMODE_WRITE) 2019 may |= MAY_WRITE; 2020 2021 rc = smk_curacc(smk_of_inode(inode), may, &ad); 2022 rc = smk_bu_file(file, may, rc); 2023 return rc; 2024 } 2025 2026 /** 2027 * smack_file_open - Smack dentry open processing 2028 * @file: the object 2029 * 2030 * Set the security blob in the file structure. 2031 * Allow the open only if the task has read access. There are 2032 * many read operations (e.g. fstat) that you can do with an 2033 * fd even if you have the file open write-only. 2034 * 2035 * Returns 0 if current has access, error code otherwise 2036 */ 2037 static int smack_file_open(struct file *file) 2038 { 2039 struct task_smack *tsp = smack_cred(file->f_cred); 2040 struct inode *inode = file_inode(file); 2041 struct smk_audit_info ad; 2042 int rc; 2043 2044 smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_PATH); 2045 smk_ad_setfield_u_fs_path(&ad, file->f_path); 2046 rc = smk_tskacc(tsp, smk_of_inode(inode), MAY_READ, &ad); 2047 rc = smk_bu_credfile(file->f_cred, file, MAY_READ, rc); 2048 2049 return rc; 2050 } 2051 2052 /* 2053 * Task hooks 2054 */ 2055 2056 /** 2057 * smack_cred_alloc_blank - "allocate" blank task-level security credentials 2058 * @cred: the new credentials 2059 * @gfp: the atomicity of any memory allocations 2060 * 2061 * Prepare a blank set of credentials for modification. This must allocate all 2062 * the memory the LSM module might require such that cred_transfer() can 2063 * complete without error. 2064 */ 2065 static int smack_cred_alloc_blank(struct cred *cred, gfp_t gfp) 2066 { 2067 init_task_smack(smack_cred(cred), NULL, NULL); 2068 return 0; 2069 } 2070 2071 2072 /** 2073 * smack_cred_free - "free" task-level security credentials 2074 * @cred: the credentials in question 2075 * 2076 */ 2077 static void smack_cred_free(struct cred *cred) 2078 { 2079 struct task_smack *tsp = smack_cred(cred); 2080 struct smack_rule *rp; 2081 struct list_head *l; 2082 struct list_head *n; 2083 2084 smk_destroy_label_list(&tsp->smk_relabel); 2085 2086 list_for_each_safe(l, n, &tsp->smk_rules) { 2087 rp = list_entry(l, struct smack_rule, list); 2088 list_del(&rp->list); 2089 kmem_cache_free(smack_rule_cache, rp); 2090 } 2091 } 2092 2093 /** 2094 * smack_cred_prepare - prepare new set of credentials for modification 2095 * @new: the new credentials 2096 * @old: the original credentials 2097 * @gfp: the atomicity of any memory allocations 2098 * 2099 * Prepare a new set of credentials for modification. 2100 */ 2101 static int smack_cred_prepare(struct cred *new, const struct cred *old, 2102 gfp_t gfp) 2103 { 2104 struct task_smack *old_tsp = smack_cred(old); 2105 struct task_smack *new_tsp = smack_cred(new); 2106 int rc; 2107 2108 init_task_smack(new_tsp, old_tsp->smk_task, old_tsp->smk_task); 2109 2110 rc = smk_copy_rules(&new_tsp->smk_rules, &old_tsp->smk_rules, gfp); 2111 if (rc != 0) 2112 return rc; 2113 2114 rc = smk_copy_relabel(&new_tsp->smk_relabel, &old_tsp->smk_relabel, 2115 gfp); 2116 return rc; 2117 } 2118 2119 /** 2120 * smack_cred_transfer - Transfer the old credentials to the new credentials 2121 * @new: the new credentials 2122 * @old: the original credentials 2123 * 2124 * Fill in a set of blank credentials from another set of credentials. 2125 */ 2126 static void smack_cred_transfer(struct cred *new, const struct cred *old) 2127 { 2128 struct task_smack *old_tsp = smack_cred(old); 2129 struct task_smack *new_tsp = smack_cred(new); 2130 2131 init_task_smack(new_tsp, old_tsp->smk_task, old_tsp->smk_task); 2132 } 2133 2134 /** 2135 * smack_cred_getsecid - get the secid corresponding to a creds structure 2136 * @cred: the object creds 2137 * @secid: where to put the result 2138 * 2139 * Sets the secid to contain a u32 version of the smack label. 2140 */ 2141 static void smack_cred_getsecid(const struct cred *cred, u32 *secid) 2142 { 2143 struct smack_known *skp; 2144 2145 rcu_read_lock(); 2146 skp = smk_of_task(smack_cred(cred)); 2147 *secid = skp->smk_secid; 2148 rcu_read_unlock(); 2149 } 2150 2151 /** 2152 * smack_kernel_act_as - Set the subjective context in a set of credentials 2153 * @new: points to the set of credentials to be modified. 2154 * @secid: specifies the security ID to be set 2155 * 2156 * Set the security data for a kernel service. 2157 */ 2158 static int smack_kernel_act_as(struct cred *new, u32 secid) 2159 { 2160 struct task_smack *new_tsp = smack_cred(new); 2161 2162 new_tsp->smk_task = smack_from_secid(secid); 2163 return 0; 2164 } 2165 2166 /** 2167 * smack_kernel_create_files_as - Set the file creation label in a set of creds 2168 * @new: points to the set of credentials to be modified 2169 * @inode: points to the inode to use as a reference 2170 * 2171 * Set the file creation context in a set of credentials to the same 2172 * as the objective context of the specified inode 2173 */ 2174 static int smack_kernel_create_files_as(struct cred *new, 2175 struct inode *inode) 2176 { 2177 struct inode_smack *isp = smack_inode(inode); 2178 struct task_smack *tsp = smack_cred(new); 2179 2180 tsp->smk_forked = isp->smk_inode; 2181 tsp->smk_task = tsp->smk_forked; 2182 return 0; 2183 } 2184 2185 /** 2186 * smk_curacc_on_task - helper to log task related access 2187 * @p: the task object 2188 * @access: the access requested 2189 * @caller: name of the calling function for audit 2190 * 2191 * Return 0 if access is permitted 2192 */ 2193 static int smk_curacc_on_task(struct task_struct *p, int access, 2194 const char *caller) 2195 { 2196 struct smk_audit_info ad; 2197 struct smack_known *skp = smk_of_task_struct_obj(p); 2198 int rc; 2199 2200 smk_ad_init(&ad, caller, LSM_AUDIT_DATA_TASK); 2201 smk_ad_setfield_u_tsk(&ad, p); 2202 rc = smk_curacc(skp, access, &ad); 2203 rc = smk_bu_task(p, access, rc); 2204 return rc; 2205 } 2206 2207 /** 2208 * smack_task_setpgid - Smack check on setting pgid 2209 * @p: the task object 2210 * @pgid: unused 2211 * 2212 * Return 0 if write access is permitted 2213 */ 2214 static int smack_task_setpgid(struct task_struct *p, pid_t pgid) 2215 { 2216 return smk_curacc_on_task(p, MAY_WRITE, __func__); 2217 } 2218 2219 /** 2220 * smack_task_getpgid - Smack access check for getpgid 2221 * @p: the object task 2222 * 2223 * Returns 0 if current can read the object task, error code otherwise 2224 */ 2225 static int smack_task_getpgid(struct task_struct *p) 2226 { 2227 return smk_curacc_on_task(p, MAY_READ, __func__); 2228 } 2229 2230 /** 2231 * smack_task_getsid - Smack access check for getsid 2232 * @p: the object task 2233 * 2234 * Returns 0 if current can read the object task, error code otherwise 2235 */ 2236 static int smack_task_getsid(struct task_struct *p) 2237 { 2238 return smk_curacc_on_task(p, MAY_READ, __func__); 2239 } 2240 2241 /** 2242 * smack_current_getsecid_subj - get the subjective secid of the current task 2243 * @secid: where to put the result 2244 * 2245 * Sets the secid to contain a u32 version of the task's subjective smack label. 2246 */ 2247 static void smack_current_getsecid_subj(u32 *secid) 2248 { 2249 struct smack_known *skp = smk_of_current(); 2250 2251 *secid = skp->smk_secid; 2252 } 2253 2254 /** 2255 * smack_task_getsecid_obj - get the objective secid of the task 2256 * @p: the task 2257 * @secid: where to put the result 2258 * 2259 * Sets the secid to contain a u32 version of the task's objective smack label. 2260 */ 2261 static void smack_task_getsecid_obj(struct task_struct *p, u32 *secid) 2262 { 2263 struct smack_known *skp = smk_of_task_struct_obj(p); 2264 2265 *secid = skp->smk_secid; 2266 } 2267 2268 /** 2269 * smack_task_setnice - Smack check on setting nice 2270 * @p: the task object 2271 * @nice: unused 2272 * 2273 * Return 0 if write access is permitted 2274 */ 2275 static int smack_task_setnice(struct task_struct *p, int nice) 2276 { 2277 return smk_curacc_on_task(p, MAY_WRITE, __func__); 2278 } 2279 2280 /** 2281 * smack_task_setioprio - Smack check on setting ioprio 2282 * @p: the task object 2283 * @ioprio: unused 2284 * 2285 * Return 0 if write access is permitted 2286 */ 2287 static int smack_task_setioprio(struct task_struct *p, int ioprio) 2288 { 2289 return smk_curacc_on_task(p, MAY_WRITE, __func__); 2290 } 2291 2292 /** 2293 * smack_task_getioprio - Smack check on reading ioprio 2294 * @p: the task object 2295 * 2296 * Return 0 if read access is permitted 2297 */ 2298 static int smack_task_getioprio(struct task_struct *p) 2299 { 2300 return smk_curacc_on_task(p, MAY_READ, __func__); 2301 } 2302 2303 /** 2304 * smack_task_setscheduler - Smack check on setting scheduler 2305 * @p: the task object 2306 * 2307 * Return 0 if read access is permitted 2308 */ 2309 static int smack_task_setscheduler(struct task_struct *p) 2310 { 2311 return smk_curacc_on_task(p, MAY_WRITE, __func__); 2312 } 2313 2314 /** 2315 * smack_task_getscheduler - Smack check on reading scheduler 2316 * @p: the task object 2317 * 2318 * Return 0 if read access is permitted 2319 */ 2320 static int smack_task_getscheduler(struct task_struct *p) 2321 { 2322 return smk_curacc_on_task(p, MAY_READ, __func__); 2323 } 2324 2325 /** 2326 * smack_task_movememory - Smack check on moving memory 2327 * @p: the task object 2328 * 2329 * Return 0 if write access is permitted 2330 */ 2331 static int smack_task_movememory(struct task_struct *p) 2332 { 2333 return smk_curacc_on_task(p, MAY_WRITE, __func__); 2334 } 2335 2336 /** 2337 * smack_task_kill - Smack check on signal delivery 2338 * @p: the task object 2339 * @info: unused 2340 * @sig: unused 2341 * @cred: identifies the cred to use in lieu of current's 2342 * 2343 * Return 0 if write access is permitted 2344 * 2345 */ 2346 static int smack_task_kill(struct task_struct *p, struct kernel_siginfo *info, 2347 int sig, const struct cred *cred) 2348 { 2349 struct smk_audit_info ad; 2350 struct smack_known *skp; 2351 struct smack_known *tkp = smk_of_task_struct_obj(p); 2352 int rc; 2353 2354 if (!sig) 2355 return 0; /* null signal; existence test */ 2356 2357 smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_TASK); 2358 smk_ad_setfield_u_tsk(&ad, p); 2359 /* 2360 * Sending a signal requires that the sender 2361 * can write the receiver. 2362 */ 2363 if (cred == NULL) { 2364 rc = smk_curacc(tkp, MAY_DELIVER, &ad); 2365 rc = smk_bu_task(p, MAY_DELIVER, rc); 2366 return rc; 2367 } 2368 /* 2369 * If the cred isn't NULL we're dealing with some USB IO 2370 * specific behavior. This is not clean. For one thing 2371 * we can't take privilege into account. 2372 */ 2373 skp = smk_of_task(smack_cred(cred)); 2374 rc = smk_access(skp, tkp, MAY_DELIVER, &ad); 2375 rc = smk_bu_note("USB signal", skp, tkp, MAY_DELIVER, rc); 2376 return rc; 2377 } 2378 2379 /** 2380 * smack_task_to_inode - copy task smack into the inode blob 2381 * @p: task to copy from 2382 * @inode: inode to copy to 2383 * 2384 * Sets the smack pointer in the inode security blob 2385 */ 2386 static void smack_task_to_inode(struct task_struct *p, struct inode *inode) 2387 { 2388 struct inode_smack *isp = smack_inode(inode); 2389 struct smack_known *skp = smk_of_task_struct_obj(p); 2390 2391 isp->smk_inode = skp; 2392 isp->smk_flags |= SMK_INODE_INSTANT; 2393 } 2394 2395 /* 2396 * Socket hooks. 2397 */ 2398 2399 /** 2400 * smack_sk_alloc_security - Allocate a socket blob 2401 * @sk: the socket 2402 * @family: unused 2403 * @gfp_flags: memory allocation flags 2404 * 2405 * Assign Smack pointers to current 2406 * 2407 * Returns 0 on success, -ENOMEM is there's no memory 2408 */ 2409 static int smack_sk_alloc_security(struct sock *sk, int family, gfp_t gfp_flags) 2410 { 2411 struct smack_known *skp = smk_of_current(); 2412 struct socket_smack *ssp; 2413 2414 ssp = kzalloc(sizeof(struct socket_smack), gfp_flags); 2415 if (ssp == NULL) 2416 return -ENOMEM; 2417 2418 /* 2419 * Sockets created by kernel threads receive web label. 2420 */ 2421 if (unlikely(current->flags & PF_KTHREAD)) { 2422 ssp->smk_in = &smack_known_web; 2423 ssp->smk_out = &smack_known_web; 2424 } else { 2425 ssp->smk_in = skp; 2426 ssp->smk_out = skp; 2427 } 2428 ssp->smk_packet = NULL; 2429 2430 sk->sk_security = ssp; 2431 2432 return 0; 2433 } 2434 2435 /** 2436 * smack_sk_free_security - Free a socket blob 2437 * @sk: the socket 2438 * 2439 * Clears the blob pointer 2440 */ 2441 static void smack_sk_free_security(struct sock *sk) 2442 { 2443 #ifdef SMACK_IPV6_PORT_LABELING 2444 struct smk_port_label *spp; 2445 2446 if (sk->sk_family == PF_INET6) { 2447 rcu_read_lock(); 2448 list_for_each_entry_rcu(spp, &smk_ipv6_port_list, list) { 2449 if (spp->smk_sock != sk) 2450 continue; 2451 spp->smk_can_reuse = 1; 2452 break; 2453 } 2454 rcu_read_unlock(); 2455 } 2456 #endif 2457 kfree(sk->sk_security); 2458 } 2459 2460 /** 2461 * smack_sk_clone_security - Copy security context 2462 * @sk: the old socket 2463 * @newsk: the new socket 2464 * 2465 * Copy the security context of the old socket pointer to the cloned 2466 */ 2467 static void smack_sk_clone_security(const struct sock *sk, struct sock *newsk) 2468 { 2469 struct socket_smack *ssp_old = sk->sk_security; 2470 struct socket_smack *ssp_new = newsk->sk_security; 2471 2472 *ssp_new = *ssp_old; 2473 } 2474 2475 /** 2476 * smack_ipv4host_label - check host based restrictions 2477 * @sip: the object end 2478 * 2479 * looks for host based access restrictions 2480 * 2481 * This version will only be appropriate for really small sets of single label 2482 * hosts. The caller is responsible for ensuring that the RCU read lock is 2483 * taken before calling this function. 2484 * 2485 * Returns the label of the far end or NULL if it's not special. 2486 */ 2487 static struct smack_known *smack_ipv4host_label(struct sockaddr_in *sip) 2488 { 2489 struct smk_net4addr *snp; 2490 struct in_addr *siap = &sip->sin_addr; 2491 2492 if (siap->s_addr == 0) 2493 return NULL; 2494 2495 list_for_each_entry_rcu(snp, &smk_net4addr_list, list) 2496 /* 2497 * we break after finding the first match because 2498 * the list is sorted from longest to shortest mask 2499 * so we have found the most specific match 2500 */ 2501 if (snp->smk_host.s_addr == 2502 (siap->s_addr & snp->smk_mask.s_addr)) 2503 return snp->smk_label; 2504 2505 return NULL; 2506 } 2507 2508 /* 2509 * smk_ipv6_localhost - Check for local ipv6 host address 2510 * @sip: the address 2511 * 2512 * Returns boolean true if this is the localhost address 2513 */ 2514 static bool smk_ipv6_localhost(struct sockaddr_in6 *sip) 2515 { 2516 __be16 *be16p = (__be16 *)&sip->sin6_addr; 2517 __be32 *be32p = (__be32 *)&sip->sin6_addr; 2518 2519 if (be32p[0] == 0 && be32p[1] == 0 && be32p[2] == 0 && be16p[6] == 0 && 2520 ntohs(be16p[7]) == 1) 2521 return true; 2522 return false; 2523 } 2524 2525 /** 2526 * smack_ipv6host_label - check host based restrictions 2527 * @sip: the object end 2528 * 2529 * looks for host based access restrictions 2530 * 2531 * This version will only be appropriate for really small sets of single label 2532 * hosts. The caller is responsible for ensuring that the RCU read lock is 2533 * taken before calling this function. 2534 * 2535 * Returns the label of the far end or NULL if it's not special. 2536 */ 2537 static struct smack_known *smack_ipv6host_label(struct sockaddr_in6 *sip) 2538 { 2539 struct smk_net6addr *snp; 2540 struct in6_addr *sap = &sip->sin6_addr; 2541 int i; 2542 int found = 0; 2543 2544 /* 2545 * It's local. Don't look for a host label. 2546 */ 2547 if (smk_ipv6_localhost(sip)) 2548 return NULL; 2549 2550 list_for_each_entry_rcu(snp, &smk_net6addr_list, list) { 2551 /* 2552 * If the label is NULL the entry has 2553 * been renounced. Ignore it. 2554 */ 2555 if (snp->smk_label == NULL) 2556 continue; 2557 /* 2558 * we break after finding the first match because 2559 * the list is sorted from longest to shortest mask 2560 * so we have found the most specific match 2561 */ 2562 for (found = 1, i = 0; i < 8; i++) { 2563 if ((sap->s6_addr16[i] & snp->smk_mask.s6_addr16[i]) != 2564 snp->smk_host.s6_addr16[i]) { 2565 found = 0; 2566 break; 2567 } 2568 } 2569 if (found) 2570 return snp->smk_label; 2571 } 2572 2573 return NULL; 2574 } 2575 2576 /** 2577 * smack_netlbl_add - Set the secattr on a socket 2578 * @sk: the socket 2579 * 2580 * Attach the outbound smack value (smk_out) to the socket. 2581 * 2582 * Returns 0 on success or an error code 2583 */ 2584 static int smack_netlbl_add(struct sock *sk) 2585 { 2586 struct socket_smack *ssp = sk->sk_security; 2587 struct smack_known *skp = ssp->smk_out; 2588 int rc; 2589 2590 local_bh_disable(); 2591 bh_lock_sock_nested(sk); 2592 2593 rc = netlbl_sock_setattr(sk, sk->sk_family, &skp->smk_netlabel, 2594 netlbl_sk_lock_check(sk)); 2595 switch (rc) { 2596 case 0: 2597 ssp->smk_state = SMK_NETLBL_LABELED; 2598 break; 2599 case -EDESTADDRREQ: 2600 ssp->smk_state = SMK_NETLBL_REQSKB; 2601 rc = 0; 2602 break; 2603 } 2604 2605 bh_unlock_sock(sk); 2606 local_bh_enable(); 2607 2608 return rc; 2609 } 2610 2611 /** 2612 * smack_netlbl_delete - Remove the secattr from a socket 2613 * @sk: the socket 2614 * 2615 * Remove the outbound smack value from a socket 2616 */ 2617 static void smack_netlbl_delete(struct sock *sk) 2618 { 2619 struct socket_smack *ssp = sk->sk_security; 2620 2621 /* 2622 * Take the label off the socket if one is set. 2623 */ 2624 if (ssp->smk_state != SMK_NETLBL_LABELED) 2625 return; 2626 2627 local_bh_disable(); 2628 bh_lock_sock_nested(sk); 2629 netlbl_sock_delattr(sk); 2630 bh_unlock_sock(sk); 2631 local_bh_enable(); 2632 ssp->smk_state = SMK_NETLBL_UNLABELED; 2633 } 2634 2635 /** 2636 * smk_ipv4_check - Perform IPv4 host access checks 2637 * @sk: the socket 2638 * @sap: the destination address 2639 * 2640 * Set the correct secattr for the given socket based on the destination 2641 * address and perform any outbound access checks needed. 2642 * 2643 * Returns 0 on success or an error code. 2644 * 2645 */ 2646 static int smk_ipv4_check(struct sock *sk, struct sockaddr_in *sap) 2647 { 2648 struct smack_known *skp; 2649 int rc = 0; 2650 struct smack_known *hkp; 2651 struct socket_smack *ssp = sk->sk_security; 2652 struct smk_audit_info ad; 2653 2654 rcu_read_lock(); 2655 hkp = smack_ipv4host_label(sap); 2656 if (hkp != NULL) { 2657 #ifdef CONFIG_AUDIT 2658 struct lsm_network_audit net; 2659 2660 smk_ad_init_net(&ad, __func__, LSM_AUDIT_DATA_NET, &net); 2661 ad.a.u.net->family = sap->sin_family; 2662 ad.a.u.net->dport = sap->sin_port; 2663 ad.a.u.net->v4info.daddr = sap->sin_addr.s_addr; 2664 #endif 2665 skp = ssp->smk_out; 2666 rc = smk_access(skp, hkp, MAY_WRITE, &ad); 2667 rc = smk_bu_note("IPv4 host check", skp, hkp, MAY_WRITE, rc); 2668 /* 2669 * Clear the socket netlabel if it's set. 2670 */ 2671 if (!rc) 2672 smack_netlbl_delete(sk); 2673 } 2674 rcu_read_unlock(); 2675 2676 return rc; 2677 } 2678 2679 /** 2680 * smk_ipv6_check - check Smack access 2681 * @subject: subject Smack label 2682 * @object: object Smack label 2683 * @address: address 2684 * @act: the action being taken 2685 * 2686 * Check an IPv6 access 2687 */ 2688 static int smk_ipv6_check(struct smack_known *subject, 2689 struct smack_known *object, 2690 struct sockaddr_in6 *address, int act) 2691 { 2692 #ifdef CONFIG_AUDIT 2693 struct lsm_network_audit net; 2694 #endif 2695 struct smk_audit_info ad; 2696 int rc; 2697 2698 #ifdef CONFIG_AUDIT 2699 smk_ad_init_net(&ad, __func__, LSM_AUDIT_DATA_NET, &net); 2700 ad.a.u.net->family = PF_INET6; 2701 ad.a.u.net->dport = address->sin6_port; 2702 if (act == SMK_RECEIVING) 2703 ad.a.u.net->v6info.saddr = address->sin6_addr; 2704 else 2705 ad.a.u.net->v6info.daddr = address->sin6_addr; 2706 #endif 2707 rc = smk_access(subject, object, MAY_WRITE, &ad); 2708 rc = smk_bu_note("IPv6 check", subject, object, MAY_WRITE, rc); 2709 return rc; 2710 } 2711 2712 #ifdef SMACK_IPV6_PORT_LABELING 2713 /** 2714 * smk_ipv6_port_label - Smack port access table management 2715 * @sock: socket 2716 * @address: address 2717 * 2718 * Create or update the port list entry 2719 */ 2720 static void smk_ipv6_port_label(struct socket *sock, struct sockaddr *address) 2721 { 2722 struct sock *sk = sock->sk; 2723 struct sockaddr_in6 *addr6; 2724 struct socket_smack *ssp = sock->sk->sk_security; 2725 struct smk_port_label *spp; 2726 unsigned short port = 0; 2727 2728 if (address == NULL) { 2729 /* 2730 * This operation is changing the Smack information 2731 * on the bound socket. Take the changes to the port 2732 * as well. 2733 */ 2734 rcu_read_lock(); 2735 list_for_each_entry_rcu(spp, &smk_ipv6_port_list, list) { 2736 if (sk != spp->smk_sock) 2737 continue; 2738 spp->smk_in = ssp->smk_in; 2739 spp->smk_out = ssp->smk_out; 2740 rcu_read_unlock(); 2741 return; 2742 } 2743 /* 2744 * A NULL address is only used for updating existing 2745 * bound entries. If there isn't one, it's OK. 2746 */ 2747 rcu_read_unlock(); 2748 return; 2749 } 2750 2751 addr6 = (struct sockaddr_in6 *)address; 2752 port = ntohs(addr6->sin6_port); 2753 /* 2754 * This is a special case that is safely ignored. 2755 */ 2756 if (port == 0) 2757 return; 2758 2759 /* 2760 * Look for an existing port list entry. 2761 * This is an indication that a port is getting reused. 2762 */ 2763 rcu_read_lock(); 2764 list_for_each_entry_rcu(spp, &smk_ipv6_port_list, list) { 2765 if (spp->smk_port != port || spp->smk_sock_type != sock->type) 2766 continue; 2767 if (spp->smk_can_reuse != 1) { 2768 rcu_read_unlock(); 2769 return; 2770 } 2771 spp->smk_port = port; 2772 spp->smk_sock = sk; 2773 spp->smk_in = ssp->smk_in; 2774 spp->smk_out = ssp->smk_out; 2775 spp->smk_can_reuse = 0; 2776 rcu_read_unlock(); 2777 return; 2778 } 2779 rcu_read_unlock(); 2780 /* 2781 * A new port entry is required. 2782 */ 2783 spp = kzalloc(sizeof(*spp), GFP_KERNEL); 2784 if (spp == NULL) 2785 return; 2786 2787 spp->smk_port = port; 2788 spp->smk_sock = sk; 2789 spp->smk_in = ssp->smk_in; 2790 spp->smk_out = ssp->smk_out; 2791 spp->smk_sock_type = sock->type; 2792 spp->smk_can_reuse = 0; 2793 2794 mutex_lock(&smack_ipv6_lock); 2795 list_add_rcu(&spp->list, &smk_ipv6_port_list); 2796 mutex_unlock(&smack_ipv6_lock); 2797 return; 2798 } 2799 2800 /** 2801 * smk_ipv6_port_check - check Smack port access 2802 * @sk: socket 2803 * @address: address 2804 * @act: the action being taken 2805 * 2806 * Create or update the port list entry 2807 */ 2808 static int smk_ipv6_port_check(struct sock *sk, struct sockaddr_in6 *address, 2809 int act) 2810 { 2811 struct smk_port_label *spp; 2812 struct socket_smack *ssp = sk->sk_security; 2813 struct smack_known *skp = NULL; 2814 unsigned short port; 2815 struct smack_known *object; 2816 2817 if (act == SMK_RECEIVING) { 2818 skp = smack_ipv6host_label(address); 2819 object = ssp->smk_in; 2820 } else { 2821 skp = ssp->smk_out; 2822 object = smack_ipv6host_label(address); 2823 } 2824 2825 /* 2826 * The other end is a single label host. 2827 */ 2828 if (skp != NULL && object != NULL) 2829 return smk_ipv6_check(skp, object, address, act); 2830 if (skp == NULL) 2831 skp = smack_net_ambient; 2832 if (object == NULL) 2833 object = smack_net_ambient; 2834 2835 /* 2836 * It's remote, so port lookup does no good. 2837 */ 2838 if (!smk_ipv6_localhost(address)) 2839 return smk_ipv6_check(skp, object, address, act); 2840 2841 /* 2842 * It's local so the send check has to have passed. 2843 */ 2844 if (act == SMK_RECEIVING) 2845 return 0; 2846 2847 port = ntohs(address->sin6_port); 2848 rcu_read_lock(); 2849 list_for_each_entry_rcu(spp, &smk_ipv6_port_list, list) { 2850 if (spp->smk_port != port || spp->smk_sock_type != sk->sk_type) 2851 continue; 2852 object = spp->smk_in; 2853 if (act == SMK_CONNECTING) 2854 ssp->smk_packet = spp->smk_out; 2855 break; 2856 } 2857 rcu_read_unlock(); 2858 2859 return smk_ipv6_check(skp, object, address, act); 2860 } 2861 #endif 2862 2863 /** 2864 * smack_inode_setsecurity - set smack xattrs 2865 * @inode: the object 2866 * @name: attribute name 2867 * @value: attribute value 2868 * @size: size of the attribute 2869 * @flags: unused 2870 * 2871 * Sets the named attribute in the appropriate blob 2872 * 2873 * Returns 0 on success, or an error code 2874 */ 2875 static int smack_inode_setsecurity(struct inode *inode, const char *name, 2876 const void *value, size_t size, int flags) 2877 { 2878 struct smack_known *skp; 2879 struct inode_smack *nsp = smack_inode(inode); 2880 struct socket_smack *ssp; 2881 struct socket *sock; 2882 int rc = 0; 2883 2884 if (value == NULL || size > SMK_LONGLABEL || size == 0) 2885 return -EINVAL; 2886 2887 if (strcmp(name, XATTR_SMACK_TRANSMUTE) == 0) { 2888 if (!S_ISDIR(inode->i_mode) || size != TRANS_TRUE_SIZE || 2889 strncmp(value, TRANS_TRUE, TRANS_TRUE_SIZE) != 0) 2890 return -EINVAL; 2891 2892 nsp->smk_flags |= SMK_INODE_TRANSMUTE; 2893 return 0; 2894 } 2895 2896 skp = smk_import_entry(value, size); 2897 if (IS_ERR(skp)) 2898 return PTR_ERR(skp); 2899 2900 if (strcmp(name, XATTR_SMACK_SUFFIX) == 0) { 2901 nsp->smk_inode = skp; 2902 nsp->smk_flags |= SMK_INODE_INSTANT; 2903 return 0; 2904 } 2905 /* 2906 * The rest of the Smack xattrs are only on sockets. 2907 */ 2908 if (inode->i_sb->s_magic != SOCKFS_MAGIC) 2909 return -EOPNOTSUPP; 2910 2911 sock = SOCKET_I(inode); 2912 if (sock == NULL || sock->sk == NULL) 2913 return -EOPNOTSUPP; 2914 2915 ssp = sock->sk->sk_security; 2916 2917 if (strcmp(name, XATTR_SMACK_IPIN) == 0) 2918 ssp->smk_in = skp; 2919 else if (strcmp(name, XATTR_SMACK_IPOUT) == 0) { 2920 ssp->smk_out = skp; 2921 if (sock->sk->sk_family == PF_INET) { 2922 rc = smack_netlbl_add(sock->sk); 2923 if (rc != 0) 2924 printk(KERN_WARNING 2925 "Smack: \"%s\" netlbl error %d.\n", 2926 __func__, -rc); 2927 } 2928 } else 2929 return -EOPNOTSUPP; 2930 2931 #ifdef SMACK_IPV6_PORT_LABELING 2932 if (sock->sk->sk_family == PF_INET6) 2933 smk_ipv6_port_label(sock, NULL); 2934 #endif 2935 2936 return 0; 2937 } 2938 2939 /** 2940 * smack_socket_post_create - finish socket setup 2941 * @sock: the socket 2942 * @family: protocol family 2943 * @type: unused 2944 * @protocol: unused 2945 * @kern: unused 2946 * 2947 * Sets the netlabel information on the socket 2948 * 2949 * Returns 0 on success, and error code otherwise 2950 */ 2951 static int smack_socket_post_create(struct socket *sock, int family, 2952 int type, int protocol, int kern) 2953 { 2954 struct socket_smack *ssp; 2955 2956 if (sock->sk == NULL) 2957 return 0; 2958 2959 /* 2960 * Sockets created by kernel threads receive web label. 2961 */ 2962 if (unlikely(current->flags & PF_KTHREAD)) { 2963 ssp = sock->sk->sk_security; 2964 ssp->smk_in = &smack_known_web; 2965 ssp->smk_out = &smack_known_web; 2966 } 2967 2968 if (family != PF_INET) 2969 return 0; 2970 /* 2971 * Set the outbound netlbl. 2972 */ 2973 return smack_netlbl_add(sock->sk); 2974 } 2975 2976 /** 2977 * smack_socket_socketpair - create socket pair 2978 * @socka: one socket 2979 * @sockb: another socket 2980 * 2981 * Cross reference the peer labels for SO_PEERSEC 2982 * 2983 * Returns 0 2984 */ 2985 static int smack_socket_socketpair(struct socket *socka, 2986 struct socket *sockb) 2987 { 2988 struct socket_smack *asp = socka->sk->sk_security; 2989 struct socket_smack *bsp = sockb->sk->sk_security; 2990 2991 asp->smk_packet = bsp->smk_out; 2992 bsp->smk_packet = asp->smk_out; 2993 2994 return 0; 2995 } 2996 2997 #ifdef SMACK_IPV6_PORT_LABELING 2998 /** 2999 * smack_socket_bind - record port binding information. 3000 * @sock: the socket 3001 * @address: the port address 3002 * @addrlen: size of the address 3003 * 3004 * Records the label bound to a port. 3005 * 3006 * Returns 0 on success, and error code otherwise 3007 */ 3008 static int smack_socket_bind(struct socket *sock, struct sockaddr *address, 3009 int addrlen) 3010 { 3011 if (sock->sk != NULL && sock->sk->sk_family == PF_INET6) { 3012 if (addrlen < SIN6_LEN_RFC2133 || 3013 address->sa_family != AF_INET6) 3014 return -EINVAL; 3015 smk_ipv6_port_label(sock, address); 3016 } 3017 return 0; 3018 } 3019 #endif /* SMACK_IPV6_PORT_LABELING */ 3020 3021 /** 3022 * smack_socket_connect - connect access check 3023 * @sock: the socket 3024 * @sap: the other end 3025 * @addrlen: size of sap 3026 * 3027 * Verifies that a connection may be possible 3028 * 3029 * Returns 0 on success, and error code otherwise 3030 */ 3031 static int smack_socket_connect(struct socket *sock, struct sockaddr *sap, 3032 int addrlen) 3033 { 3034 int rc = 0; 3035 3036 if (sock->sk == NULL) 3037 return 0; 3038 if (sock->sk->sk_family != PF_INET && 3039 (!IS_ENABLED(CONFIG_IPV6) || sock->sk->sk_family != PF_INET6)) 3040 return 0; 3041 if (addrlen < offsetofend(struct sockaddr, sa_family)) 3042 return 0; 3043 if (IS_ENABLED(CONFIG_IPV6) && sap->sa_family == AF_INET6) { 3044 struct sockaddr_in6 *sip = (struct sockaddr_in6 *)sap; 3045 struct smack_known *rsp = NULL; 3046 3047 if (addrlen < SIN6_LEN_RFC2133) 3048 return 0; 3049 if (__is_defined(SMACK_IPV6_SECMARK_LABELING)) 3050 rsp = smack_ipv6host_label(sip); 3051 if (rsp != NULL) { 3052 struct socket_smack *ssp = sock->sk->sk_security; 3053 3054 rc = smk_ipv6_check(ssp->smk_out, rsp, sip, 3055 SMK_CONNECTING); 3056 } 3057 #ifdef SMACK_IPV6_PORT_LABELING 3058 rc = smk_ipv6_port_check(sock->sk, sip, SMK_CONNECTING); 3059 #endif 3060 3061 return rc; 3062 } 3063 if (sap->sa_family != AF_INET || addrlen < sizeof(struct sockaddr_in)) 3064 return 0; 3065 rc = smk_ipv4_check(sock->sk, (struct sockaddr_in *)sap); 3066 return rc; 3067 } 3068 3069 /** 3070 * smack_flags_to_may - convert S_ to MAY_ values 3071 * @flags: the S_ value 3072 * 3073 * Returns the equivalent MAY_ value 3074 */ 3075 static int smack_flags_to_may(int flags) 3076 { 3077 int may = 0; 3078 3079 if (flags & S_IRUGO) 3080 may |= MAY_READ; 3081 if (flags & S_IWUGO) 3082 may |= MAY_WRITE; 3083 if (flags & S_IXUGO) 3084 may |= MAY_EXEC; 3085 3086 return may; 3087 } 3088 3089 /** 3090 * smack_msg_msg_alloc_security - Set the security blob for msg_msg 3091 * @msg: the object 3092 * 3093 * Returns 0 3094 */ 3095 static int smack_msg_msg_alloc_security(struct msg_msg *msg) 3096 { 3097 struct smack_known **blob = smack_msg_msg(msg); 3098 3099 *blob = smk_of_current(); 3100 return 0; 3101 } 3102 3103 /** 3104 * smack_of_ipc - the smack pointer for the ipc 3105 * @isp: the object 3106 * 3107 * Returns a pointer to the smack value 3108 */ 3109 static struct smack_known *smack_of_ipc(struct kern_ipc_perm *isp) 3110 { 3111 struct smack_known **blob = smack_ipc(isp); 3112 3113 return *blob; 3114 } 3115 3116 /** 3117 * smack_ipc_alloc_security - Set the security blob for ipc 3118 * @isp: the object 3119 * 3120 * Returns 0 3121 */ 3122 static int smack_ipc_alloc_security(struct kern_ipc_perm *isp) 3123 { 3124 struct smack_known **blob = smack_ipc(isp); 3125 3126 *blob = smk_of_current(); 3127 return 0; 3128 } 3129 3130 /** 3131 * smk_curacc_shm : check if current has access on shm 3132 * @isp : the object 3133 * @access : access requested 3134 * 3135 * Returns 0 if current has the requested access, error code otherwise 3136 */ 3137 static int smk_curacc_shm(struct kern_ipc_perm *isp, int access) 3138 { 3139 struct smack_known *ssp = smack_of_ipc(isp); 3140 struct smk_audit_info ad; 3141 int rc; 3142 3143 #ifdef CONFIG_AUDIT 3144 smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_IPC); 3145 ad.a.u.ipc_id = isp->id; 3146 #endif 3147 rc = smk_curacc(ssp, access, &ad); 3148 rc = smk_bu_current("shm", ssp, access, rc); 3149 return rc; 3150 } 3151 3152 /** 3153 * smack_shm_associate - Smack access check for shm 3154 * @isp: the object 3155 * @shmflg: access requested 3156 * 3157 * Returns 0 if current has the requested access, error code otherwise 3158 */ 3159 static int smack_shm_associate(struct kern_ipc_perm *isp, int shmflg) 3160 { 3161 int may; 3162 3163 may = smack_flags_to_may(shmflg); 3164 return smk_curacc_shm(isp, may); 3165 } 3166 3167 /** 3168 * smack_shm_shmctl - Smack access check for shm 3169 * @isp: the object 3170 * @cmd: what it wants to do 3171 * 3172 * Returns 0 if current has the requested access, error code otherwise 3173 */ 3174 static int smack_shm_shmctl(struct kern_ipc_perm *isp, int cmd) 3175 { 3176 int may; 3177 3178 switch (cmd) { 3179 case IPC_STAT: 3180 case SHM_STAT: 3181 case SHM_STAT_ANY: 3182 may = MAY_READ; 3183 break; 3184 case IPC_SET: 3185 case SHM_LOCK: 3186 case SHM_UNLOCK: 3187 case IPC_RMID: 3188 may = MAY_READWRITE; 3189 break; 3190 case IPC_INFO: 3191 case SHM_INFO: 3192 /* 3193 * System level information. 3194 */ 3195 return 0; 3196 default: 3197 return -EINVAL; 3198 } 3199 return smk_curacc_shm(isp, may); 3200 } 3201 3202 /** 3203 * smack_shm_shmat - Smack access for shmat 3204 * @isp: the object 3205 * @shmaddr: unused 3206 * @shmflg: access requested 3207 * 3208 * Returns 0 if current has the requested access, error code otherwise 3209 */ 3210 static int smack_shm_shmat(struct kern_ipc_perm *isp, char __user *shmaddr, 3211 int shmflg) 3212 { 3213 int may; 3214 3215 may = smack_flags_to_may(shmflg); 3216 return smk_curacc_shm(isp, may); 3217 } 3218 3219 /** 3220 * smk_curacc_sem : check if current has access on sem 3221 * @isp : the object 3222 * @access : access requested 3223 * 3224 * Returns 0 if current has the requested access, error code otherwise 3225 */ 3226 static int smk_curacc_sem(struct kern_ipc_perm *isp, int access) 3227 { 3228 struct smack_known *ssp = smack_of_ipc(isp); 3229 struct smk_audit_info ad; 3230 int rc; 3231 3232 #ifdef CONFIG_AUDIT 3233 smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_IPC); 3234 ad.a.u.ipc_id = isp->id; 3235 #endif 3236 rc = smk_curacc(ssp, access, &ad); 3237 rc = smk_bu_current("sem", ssp, access, rc); 3238 return rc; 3239 } 3240 3241 /** 3242 * smack_sem_associate - Smack access check for sem 3243 * @isp: the object 3244 * @semflg: access requested 3245 * 3246 * Returns 0 if current has the requested access, error code otherwise 3247 */ 3248 static int smack_sem_associate(struct kern_ipc_perm *isp, int semflg) 3249 { 3250 int may; 3251 3252 may = smack_flags_to_may(semflg); 3253 return smk_curacc_sem(isp, may); 3254 } 3255 3256 /** 3257 * smack_sem_semctl - Smack access check for sem 3258 * @isp: the object 3259 * @cmd: what it wants to do 3260 * 3261 * Returns 0 if current has the requested access, error code otherwise 3262 */ 3263 static int smack_sem_semctl(struct kern_ipc_perm *isp, int cmd) 3264 { 3265 int may; 3266 3267 switch (cmd) { 3268 case GETPID: 3269 case GETNCNT: 3270 case GETZCNT: 3271 case GETVAL: 3272 case GETALL: 3273 case IPC_STAT: 3274 case SEM_STAT: 3275 case SEM_STAT_ANY: 3276 may = MAY_READ; 3277 break; 3278 case SETVAL: 3279 case SETALL: 3280 case IPC_RMID: 3281 case IPC_SET: 3282 may = MAY_READWRITE; 3283 break; 3284 case IPC_INFO: 3285 case SEM_INFO: 3286 /* 3287 * System level information 3288 */ 3289 return 0; 3290 default: 3291 return -EINVAL; 3292 } 3293 3294 return smk_curacc_sem(isp, may); 3295 } 3296 3297 /** 3298 * smack_sem_semop - Smack checks of semaphore operations 3299 * @isp: the object 3300 * @sops: unused 3301 * @nsops: unused 3302 * @alter: unused 3303 * 3304 * Treated as read and write in all cases. 3305 * 3306 * Returns 0 if access is allowed, error code otherwise 3307 */ 3308 static int smack_sem_semop(struct kern_ipc_perm *isp, struct sembuf *sops, 3309 unsigned nsops, int alter) 3310 { 3311 return smk_curacc_sem(isp, MAY_READWRITE); 3312 } 3313 3314 /** 3315 * smk_curacc_msq : helper to check if current has access on msq 3316 * @isp : the msq 3317 * @access : access requested 3318 * 3319 * return 0 if current has access, error otherwise 3320 */ 3321 static int smk_curacc_msq(struct kern_ipc_perm *isp, int access) 3322 { 3323 struct smack_known *msp = smack_of_ipc(isp); 3324 struct smk_audit_info ad; 3325 int rc; 3326 3327 #ifdef CONFIG_AUDIT 3328 smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_IPC); 3329 ad.a.u.ipc_id = isp->id; 3330 #endif 3331 rc = smk_curacc(msp, access, &ad); 3332 rc = smk_bu_current("msq", msp, access, rc); 3333 return rc; 3334 } 3335 3336 /** 3337 * smack_msg_queue_associate - Smack access check for msg_queue 3338 * @isp: the object 3339 * @msqflg: access requested 3340 * 3341 * Returns 0 if current has the requested access, error code otherwise 3342 */ 3343 static int smack_msg_queue_associate(struct kern_ipc_perm *isp, int msqflg) 3344 { 3345 int may; 3346 3347 may = smack_flags_to_may(msqflg); 3348 return smk_curacc_msq(isp, may); 3349 } 3350 3351 /** 3352 * smack_msg_queue_msgctl - Smack access check for msg_queue 3353 * @isp: the object 3354 * @cmd: what it wants to do 3355 * 3356 * Returns 0 if current has the requested access, error code otherwise 3357 */ 3358 static int smack_msg_queue_msgctl(struct kern_ipc_perm *isp, int cmd) 3359 { 3360 int may; 3361 3362 switch (cmd) { 3363 case IPC_STAT: 3364 case MSG_STAT: 3365 case MSG_STAT_ANY: 3366 may = MAY_READ; 3367 break; 3368 case IPC_SET: 3369 case IPC_RMID: 3370 may = MAY_READWRITE; 3371 break; 3372 case IPC_INFO: 3373 case MSG_INFO: 3374 /* 3375 * System level information 3376 */ 3377 return 0; 3378 default: 3379 return -EINVAL; 3380 } 3381 3382 return smk_curacc_msq(isp, may); 3383 } 3384 3385 /** 3386 * smack_msg_queue_msgsnd - Smack access check for msg_queue 3387 * @isp: the object 3388 * @msg: unused 3389 * @msqflg: access requested 3390 * 3391 * Returns 0 if current has the requested access, error code otherwise 3392 */ 3393 static int smack_msg_queue_msgsnd(struct kern_ipc_perm *isp, struct msg_msg *msg, 3394 int msqflg) 3395 { 3396 int may; 3397 3398 may = smack_flags_to_may(msqflg); 3399 return smk_curacc_msq(isp, may); 3400 } 3401 3402 /** 3403 * smack_msg_queue_msgrcv - Smack access check for msg_queue 3404 * @isp: the object 3405 * @msg: unused 3406 * @target: unused 3407 * @type: unused 3408 * @mode: unused 3409 * 3410 * Returns 0 if current has read and write access, error code otherwise 3411 */ 3412 static int smack_msg_queue_msgrcv(struct kern_ipc_perm *isp, 3413 struct msg_msg *msg, 3414 struct task_struct *target, long type, 3415 int mode) 3416 { 3417 return smk_curacc_msq(isp, MAY_READWRITE); 3418 } 3419 3420 /** 3421 * smack_ipc_permission - Smack access for ipc_permission() 3422 * @ipp: the object permissions 3423 * @flag: access requested 3424 * 3425 * Returns 0 if current has read and write access, error code otherwise 3426 */ 3427 static int smack_ipc_permission(struct kern_ipc_perm *ipp, short flag) 3428 { 3429 struct smack_known **blob = smack_ipc(ipp); 3430 struct smack_known *iskp = *blob; 3431 int may = smack_flags_to_may(flag); 3432 struct smk_audit_info ad; 3433 int rc; 3434 3435 #ifdef CONFIG_AUDIT 3436 smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_IPC); 3437 ad.a.u.ipc_id = ipp->id; 3438 #endif 3439 rc = smk_curacc(iskp, may, &ad); 3440 rc = smk_bu_current("svipc", iskp, may, rc); 3441 return rc; 3442 } 3443 3444 /** 3445 * smack_ipc_getsecid - Extract smack security id 3446 * @ipp: the object permissions 3447 * @secid: where result will be saved 3448 */ 3449 static void smack_ipc_getsecid(struct kern_ipc_perm *ipp, u32 *secid) 3450 { 3451 struct smack_known **blob = smack_ipc(ipp); 3452 struct smack_known *iskp = *blob; 3453 3454 *secid = iskp->smk_secid; 3455 } 3456 3457 /** 3458 * smack_d_instantiate - Make sure the blob is correct on an inode 3459 * @opt_dentry: dentry where inode will be attached 3460 * @inode: the object 3461 * 3462 * Set the inode's security blob if it hasn't been done already. 3463 */ 3464 static void smack_d_instantiate(struct dentry *opt_dentry, struct inode *inode) 3465 { 3466 struct super_block *sbp; 3467 struct superblock_smack *sbsp; 3468 struct inode_smack *isp; 3469 struct smack_known *skp; 3470 struct smack_known *ckp = smk_of_current(); 3471 struct smack_known *final; 3472 char trattr[TRANS_TRUE_SIZE]; 3473 int transflag = 0; 3474 int rc; 3475 struct dentry *dp; 3476 3477 if (inode == NULL) 3478 return; 3479 3480 isp = smack_inode(inode); 3481 3482 /* 3483 * If the inode is already instantiated 3484 * take the quick way out 3485 */ 3486 if (isp->smk_flags & SMK_INODE_INSTANT) 3487 return; 3488 3489 sbp = inode->i_sb; 3490 sbsp = smack_superblock(sbp); 3491 /* 3492 * We're going to use the superblock default label 3493 * if there's no label on the file. 3494 */ 3495 final = sbsp->smk_default; 3496 3497 /* 3498 * If this is the root inode the superblock 3499 * may be in the process of initialization. 3500 * If that is the case use the root value out 3501 * of the superblock. 3502 */ 3503 if (opt_dentry->d_parent == opt_dentry) { 3504 switch (sbp->s_magic) { 3505 case CGROUP_SUPER_MAGIC: 3506 case CGROUP2_SUPER_MAGIC: 3507 /* 3508 * The cgroup filesystem is never mounted, 3509 * so there's no opportunity to set the mount 3510 * options. 3511 */ 3512 sbsp->smk_root = &smack_known_star; 3513 sbsp->smk_default = &smack_known_star; 3514 isp->smk_inode = sbsp->smk_root; 3515 break; 3516 case TMPFS_MAGIC: 3517 /* 3518 * What about shmem/tmpfs anonymous files with dentry 3519 * obtained from d_alloc_pseudo()? 3520 */ 3521 isp->smk_inode = smk_of_current(); 3522 break; 3523 case PIPEFS_MAGIC: 3524 isp->smk_inode = smk_of_current(); 3525 break; 3526 case SOCKFS_MAGIC: 3527 /* 3528 * Socket access is controlled by the socket 3529 * structures associated with the task involved. 3530 */ 3531 isp->smk_inode = &smack_known_star; 3532 break; 3533 default: 3534 isp->smk_inode = sbsp->smk_root; 3535 break; 3536 } 3537 isp->smk_flags |= SMK_INODE_INSTANT; 3538 return; 3539 } 3540 3541 /* 3542 * This is pretty hackish. 3543 * Casey says that we shouldn't have to do 3544 * file system specific code, but it does help 3545 * with keeping it simple. 3546 */ 3547 switch (sbp->s_magic) { 3548 case SMACK_MAGIC: 3549 case CGROUP_SUPER_MAGIC: 3550 case CGROUP2_SUPER_MAGIC: 3551 /* 3552 * Casey says that it's a little embarrassing 3553 * that the smack file system doesn't do 3554 * extended attributes. 3555 * 3556 * Cgroupfs is special 3557 */ 3558 final = &smack_known_star; 3559 break; 3560 case DEVPTS_SUPER_MAGIC: 3561 /* 3562 * devpts seems content with the label of the task. 3563 * Programs that change smack have to treat the 3564 * pty with respect. 3565 */ 3566 final = ckp; 3567 break; 3568 case PROC_SUPER_MAGIC: 3569 /* 3570 * Casey says procfs appears not to care. 3571 * The superblock default suffices. 3572 */ 3573 break; 3574 case TMPFS_MAGIC: 3575 /* 3576 * Device labels should come from the filesystem, 3577 * but watch out, because they're volitile, 3578 * getting recreated on every reboot. 3579 */ 3580 final = &smack_known_star; 3581 /* 3582 * If a smack value has been set we want to use it, 3583 * but since tmpfs isn't giving us the opportunity 3584 * to set mount options simulate setting the 3585 * superblock default. 3586 */ 3587 fallthrough; 3588 default: 3589 /* 3590 * This isn't an understood special case. 3591 * Get the value from the xattr. 3592 */ 3593 3594 /* 3595 * UNIX domain sockets use lower level socket data. 3596 */ 3597 if (S_ISSOCK(inode->i_mode)) { 3598 final = &smack_known_star; 3599 break; 3600 } 3601 /* 3602 * No xattr support means, alas, no SMACK label. 3603 * Use the aforeapplied default. 3604 * It would be curious if the label of the task 3605 * does not match that assigned. 3606 */ 3607 if (!(inode->i_opflags & IOP_XATTR)) 3608 break; 3609 /* 3610 * Get the dentry for xattr. 3611 */ 3612 dp = dget(opt_dentry); 3613 skp = smk_fetch(XATTR_NAME_SMACK, inode, dp); 3614 if (!IS_ERR_OR_NULL(skp)) 3615 final = skp; 3616 3617 /* 3618 * Transmuting directory 3619 */ 3620 if (S_ISDIR(inode->i_mode)) { 3621 /* 3622 * If this is a new directory and the label was 3623 * transmuted when the inode was initialized 3624 * set the transmute attribute on the directory 3625 * and mark the inode. 3626 * 3627 * If there is a transmute attribute on the 3628 * directory mark the inode. 3629 */ 3630 rc = __vfs_getxattr(dp, inode, 3631 XATTR_NAME_SMACKTRANSMUTE, trattr, 3632 TRANS_TRUE_SIZE); 3633 if (rc >= 0 && strncmp(trattr, TRANS_TRUE, 3634 TRANS_TRUE_SIZE) != 0) 3635 rc = -EINVAL; 3636 if (rc >= 0) 3637 transflag = SMK_INODE_TRANSMUTE; 3638 } 3639 /* 3640 * Don't let the exec or mmap label be "*" or "@". 3641 */ 3642 skp = smk_fetch(XATTR_NAME_SMACKEXEC, inode, dp); 3643 if (IS_ERR(skp) || skp == &smack_known_star || 3644 skp == &smack_known_web) 3645 skp = NULL; 3646 isp->smk_task = skp; 3647 3648 skp = smk_fetch(XATTR_NAME_SMACKMMAP, inode, dp); 3649 if (IS_ERR(skp) || skp == &smack_known_star || 3650 skp == &smack_known_web) 3651 skp = NULL; 3652 isp->smk_mmap = skp; 3653 3654 dput(dp); 3655 break; 3656 } 3657 3658 if (final == NULL) 3659 isp->smk_inode = ckp; 3660 else 3661 isp->smk_inode = final; 3662 3663 isp->smk_flags |= (SMK_INODE_INSTANT | transflag); 3664 3665 return; 3666 } 3667 3668 /** 3669 * smack_getselfattr - Smack current process attribute 3670 * @attr: which attribute to fetch 3671 * @ctx: buffer to receive the result 3672 * @size: available size in, actual size out 3673 * @flags: unused 3674 * 3675 * Fill the passed user space @ctx with the details of the requested 3676 * attribute. 3677 * 3678 * Returns the number of attributes on success, an error code otherwise. 3679 * There will only ever be one attribute. 3680 */ 3681 static int smack_getselfattr(unsigned int attr, struct lsm_ctx __user *ctx, 3682 u32 *size, u32 flags) 3683 { 3684 int rc; 3685 struct smack_known *skp; 3686 3687 if (attr != LSM_ATTR_CURRENT) 3688 return -EOPNOTSUPP; 3689 3690 skp = smk_of_current(); 3691 rc = lsm_fill_user_ctx(ctx, size, 3692 skp->smk_known, strlen(skp->smk_known) + 1, 3693 LSM_ID_SMACK, 0); 3694 return (!rc ? 1 : rc); 3695 } 3696 3697 /** 3698 * smack_getprocattr - Smack process attribute access 3699 * @p: the object task 3700 * @name: the name of the attribute in /proc/.../attr 3701 * @value: where to put the result 3702 * 3703 * Places a copy of the task Smack into value 3704 * 3705 * Returns the length of the smack label or an error code 3706 */ 3707 static int smack_getprocattr(struct task_struct *p, const char *name, char **value) 3708 { 3709 struct smack_known *skp = smk_of_task_struct_obj(p); 3710 char *cp; 3711 int slen; 3712 3713 if (strcmp(name, "current") != 0) 3714 return -EINVAL; 3715 3716 cp = kstrdup(skp->smk_known, GFP_KERNEL); 3717 if (cp == NULL) 3718 return -ENOMEM; 3719 3720 slen = strlen(cp); 3721 *value = cp; 3722 return slen; 3723 } 3724 3725 /** 3726 * do_setattr - Smack process attribute setting 3727 * @attr: the ID of the attribute 3728 * @value: the value to set 3729 * @size: the size of the value 3730 * 3731 * Sets the Smack value of the task. Only setting self 3732 * is permitted and only with privilege 3733 * 3734 * Returns the length of the smack label or an error code 3735 */ 3736 static int do_setattr(u64 attr, void *value, size_t size) 3737 { 3738 struct task_smack *tsp = smack_cred(current_cred()); 3739 struct cred *new; 3740 struct smack_known *skp; 3741 struct smack_known_list_elem *sklep; 3742 int rc; 3743 3744 if (!smack_privileged(CAP_MAC_ADMIN) && list_empty(&tsp->smk_relabel)) 3745 return -EPERM; 3746 3747 if (value == NULL || size == 0 || size >= SMK_LONGLABEL) 3748 return -EINVAL; 3749 3750 if (attr != LSM_ATTR_CURRENT) 3751 return -EOPNOTSUPP; 3752 3753 skp = smk_import_entry(value, size); 3754 if (IS_ERR(skp)) 3755 return PTR_ERR(skp); 3756 3757 /* 3758 * No process is ever allowed the web ("@") label 3759 * and the star ("*") label. 3760 */ 3761 if (skp == &smack_known_web || skp == &smack_known_star) 3762 return -EINVAL; 3763 3764 if (!smack_privileged(CAP_MAC_ADMIN)) { 3765 rc = -EPERM; 3766 list_for_each_entry(sklep, &tsp->smk_relabel, list) 3767 if (sklep->smk_label == skp) { 3768 rc = 0; 3769 break; 3770 } 3771 if (rc) 3772 return rc; 3773 } 3774 3775 new = prepare_creds(); 3776 if (new == NULL) 3777 return -ENOMEM; 3778 3779 tsp = smack_cred(new); 3780 tsp->smk_task = skp; 3781 /* 3782 * process can change its label only once 3783 */ 3784 smk_destroy_label_list(&tsp->smk_relabel); 3785 3786 commit_creds(new); 3787 return size; 3788 } 3789 3790 /** 3791 * smack_setselfattr - Set a Smack process attribute 3792 * @attr: which attribute to set 3793 * @ctx: buffer containing the data 3794 * @size: size of @ctx 3795 * @flags: unused 3796 * 3797 * Fill the passed user space @ctx with the details of the requested 3798 * attribute. 3799 * 3800 * Returns 0 on success, an error code otherwise. 3801 */ 3802 static int smack_setselfattr(unsigned int attr, struct lsm_ctx *ctx, 3803 u32 size, u32 flags) 3804 { 3805 int rc; 3806 3807 rc = do_setattr(attr, ctx->ctx, ctx->ctx_len); 3808 if (rc > 0) 3809 return 0; 3810 return rc; 3811 } 3812 3813 /** 3814 * smack_setprocattr - Smack process attribute setting 3815 * @name: the name of the attribute in /proc/.../attr 3816 * @value: the value to set 3817 * @size: the size of the value 3818 * 3819 * Sets the Smack value of the task. Only setting self 3820 * is permitted and only with privilege 3821 * 3822 * Returns the length of the smack label or an error code 3823 */ 3824 static int smack_setprocattr(const char *name, void *value, size_t size) 3825 { 3826 int attr = lsm_name_to_attr(name); 3827 3828 if (attr != LSM_ATTR_UNDEF) 3829 return do_setattr(attr, value, size); 3830 return -EINVAL; 3831 } 3832 3833 /** 3834 * smack_unix_stream_connect - Smack access on UDS 3835 * @sock: one sock 3836 * @other: the other sock 3837 * @newsk: unused 3838 * 3839 * Return 0 if a subject with the smack of sock could access 3840 * an object with the smack of other, otherwise an error code 3841 */ 3842 static int smack_unix_stream_connect(struct sock *sock, 3843 struct sock *other, struct sock *newsk) 3844 { 3845 struct smack_known *skp; 3846 struct smack_known *okp; 3847 struct socket_smack *ssp = sock->sk_security; 3848 struct socket_smack *osp = other->sk_security; 3849 struct socket_smack *nsp = newsk->sk_security; 3850 struct smk_audit_info ad; 3851 int rc = 0; 3852 #ifdef CONFIG_AUDIT 3853 struct lsm_network_audit net; 3854 #endif 3855 3856 if (!smack_privileged(CAP_MAC_OVERRIDE)) { 3857 skp = ssp->smk_out; 3858 okp = osp->smk_in; 3859 #ifdef CONFIG_AUDIT 3860 smk_ad_init_net(&ad, __func__, LSM_AUDIT_DATA_NET, &net); 3861 smk_ad_setfield_u_net_sk(&ad, other); 3862 #endif 3863 rc = smk_access(skp, okp, MAY_WRITE, &ad); 3864 rc = smk_bu_note("UDS connect", skp, okp, MAY_WRITE, rc); 3865 if (rc == 0) { 3866 okp = osp->smk_out; 3867 skp = ssp->smk_in; 3868 rc = smk_access(okp, skp, MAY_WRITE, &ad); 3869 rc = smk_bu_note("UDS connect", okp, skp, 3870 MAY_WRITE, rc); 3871 } 3872 } 3873 3874 if (rc == 0) { 3875 /* 3876 * Cross reference the peer labels for SO_PEERSEC. 3877 */ 3878 nsp->smk_packet = ssp->smk_out; 3879 ssp->smk_packet = osp->smk_out; 3880 3881 /* 3882 * new/child/established socket must inherit listening socket labels 3883 */ 3884 nsp->smk_out = osp->smk_out; 3885 nsp->smk_in = osp->smk_in; 3886 } 3887 3888 return rc; 3889 } 3890 3891 /** 3892 * smack_unix_may_send - Smack access on UDS 3893 * @sock: one socket 3894 * @other: the other socket 3895 * 3896 * Return 0 if a subject with the smack of sock could access 3897 * an object with the smack of other, otherwise an error code 3898 */ 3899 static int smack_unix_may_send(struct socket *sock, struct socket *other) 3900 { 3901 struct socket_smack *ssp = sock->sk->sk_security; 3902 struct socket_smack *osp = other->sk->sk_security; 3903 struct smk_audit_info ad; 3904 int rc; 3905 3906 #ifdef CONFIG_AUDIT 3907 struct lsm_network_audit net; 3908 3909 smk_ad_init_net(&ad, __func__, LSM_AUDIT_DATA_NET, &net); 3910 smk_ad_setfield_u_net_sk(&ad, other->sk); 3911 #endif 3912 3913 if (smack_privileged(CAP_MAC_OVERRIDE)) 3914 return 0; 3915 3916 rc = smk_access(ssp->smk_out, osp->smk_in, MAY_WRITE, &ad); 3917 rc = smk_bu_note("UDS send", ssp->smk_out, osp->smk_in, MAY_WRITE, rc); 3918 return rc; 3919 } 3920 3921 /** 3922 * smack_socket_sendmsg - Smack check based on destination host 3923 * @sock: the socket 3924 * @msg: the message 3925 * @size: the size of the message 3926 * 3927 * Return 0 if the current subject can write to the destination host. 3928 * For IPv4 this is only a question if the destination is a single label host. 3929 * For IPv6 this is a check against the label of the port. 3930 */ 3931 static int smack_socket_sendmsg(struct socket *sock, struct msghdr *msg, 3932 int size) 3933 { 3934 struct sockaddr_in *sip = (struct sockaddr_in *) msg->msg_name; 3935 #if IS_ENABLED(CONFIG_IPV6) 3936 struct sockaddr_in6 *sap = (struct sockaddr_in6 *) msg->msg_name; 3937 #endif 3938 #ifdef SMACK_IPV6_SECMARK_LABELING 3939 struct socket_smack *ssp = sock->sk->sk_security; 3940 struct smack_known *rsp; 3941 #endif 3942 int rc = 0; 3943 3944 /* 3945 * Perfectly reasonable for this to be NULL 3946 */ 3947 if (sip == NULL) 3948 return 0; 3949 3950 switch (sock->sk->sk_family) { 3951 case AF_INET: 3952 if (msg->msg_namelen < sizeof(struct sockaddr_in) || 3953 sip->sin_family != AF_INET) 3954 return -EINVAL; 3955 rc = smk_ipv4_check(sock->sk, sip); 3956 break; 3957 #if IS_ENABLED(CONFIG_IPV6) 3958 case AF_INET6: 3959 if (msg->msg_namelen < SIN6_LEN_RFC2133 || 3960 sap->sin6_family != AF_INET6) 3961 return -EINVAL; 3962 #ifdef SMACK_IPV6_SECMARK_LABELING 3963 rsp = smack_ipv6host_label(sap); 3964 if (rsp != NULL) 3965 rc = smk_ipv6_check(ssp->smk_out, rsp, sap, 3966 SMK_CONNECTING); 3967 #endif 3968 #ifdef SMACK_IPV6_PORT_LABELING 3969 rc = smk_ipv6_port_check(sock->sk, sap, SMK_SENDING); 3970 #endif 3971 #endif /* IS_ENABLED(CONFIG_IPV6) */ 3972 break; 3973 } 3974 return rc; 3975 } 3976 3977 /** 3978 * smack_from_secattr - Convert a netlabel attr.mls.lvl/attr.mls.cat pair to smack 3979 * @sap: netlabel secattr 3980 * @ssp: socket security information 3981 * 3982 * Returns a pointer to a Smack label entry found on the label list. 3983 */ 3984 static struct smack_known *smack_from_secattr(struct netlbl_lsm_secattr *sap, 3985 struct socket_smack *ssp) 3986 { 3987 struct smack_known *skp; 3988 int found = 0; 3989 int acat; 3990 int kcat; 3991 3992 /* 3993 * Netlabel found it in the cache. 3994 */ 3995 if ((sap->flags & NETLBL_SECATTR_CACHE) != 0) 3996 return (struct smack_known *)sap->cache->data; 3997 3998 if ((sap->flags & NETLBL_SECATTR_SECID) != 0) 3999 /* 4000 * Looks like a fallback, which gives us a secid. 4001 */ 4002 return smack_from_secid(sap->attr.secid); 4003 4004 if ((sap->flags & NETLBL_SECATTR_MLS_LVL) != 0) { 4005 /* 4006 * Looks like a CIPSO packet. 4007 * If there are flags but no level netlabel isn't 4008 * behaving the way we expect it to. 4009 * 4010 * Look it up in the label table 4011 * Without guidance regarding the smack value 4012 * for the packet fall back on the network 4013 * ambient value. 4014 */ 4015 rcu_read_lock(); 4016 list_for_each_entry_rcu(skp, &smack_known_list, list) { 4017 if (sap->attr.mls.lvl != skp->smk_netlabel.attr.mls.lvl) 4018 continue; 4019 /* 4020 * Compare the catsets. Use the netlbl APIs. 4021 */ 4022 if ((sap->flags & NETLBL_SECATTR_MLS_CAT) == 0) { 4023 if ((skp->smk_netlabel.flags & 4024 NETLBL_SECATTR_MLS_CAT) == 0) 4025 found = 1; 4026 break; 4027 } 4028 for (acat = -1, kcat = -1; acat == kcat; ) { 4029 acat = netlbl_catmap_walk(sap->attr.mls.cat, 4030 acat + 1); 4031 kcat = netlbl_catmap_walk( 4032 skp->smk_netlabel.attr.mls.cat, 4033 kcat + 1); 4034 if (acat < 0 || kcat < 0) 4035 break; 4036 } 4037 if (acat == kcat) { 4038 found = 1; 4039 break; 4040 } 4041 } 4042 rcu_read_unlock(); 4043 4044 if (found) 4045 return skp; 4046 4047 if (ssp != NULL && ssp->smk_in == &smack_known_star) 4048 return &smack_known_web; 4049 return &smack_known_star; 4050 } 4051 /* 4052 * Without guidance regarding the smack value 4053 * for the packet fall back on the network 4054 * ambient value. 4055 */ 4056 return smack_net_ambient; 4057 } 4058 4059 #if IS_ENABLED(CONFIG_IPV6) 4060 static int smk_skb_to_addr_ipv6(struct sk_buff *skb, struct sockaddr_in6 *sip) 4061 { 4062 u8 nexthdr; 4063 int offset; 4064 int proto = -EINVAL; 4065 struct ipv6hdr _ipv6h; 4066 struct ipv6hdr *ip6; 4067 __be16 frag_off; 4068 struct tcphdr _tcph, *th; 4069 struct udphdr _udph, *uh; 4070 struct dccp_hdr _dccph, *dh; 4071 4072 sip->sin6_port = 0; 4073 4074 offset = skb_network_offset(skb); 4075 ip6 = skb_header_pointer(skb, offset, sizeof(_ipv6h), &_ipv6h); 4076 if (ip6 == NULL) 4077 return -EINVAL; 4078 sip->sin6_addr = ip6->saddr; 4079 4080 nexthdr = ip6->nexthdr; 4081 offset += sizeof(_ipv6h); 4082 offset = ipv6_skip_exthdr(skb, offset, &nexthdr, &frag_off); 4083 if (offset < 0) 4084 return -EINVAL; 4085 4086 proto = nexthdr; 4087 switch (proto) { 4088 case IPPROTO_TCP: 4089 th = skb_header_pointer(skb, offset, sizeof(_tcph), &_tcph); 4090 if (th != NULL) 4091 sip->sin6_port = th->source; 4092 break; 4093 case IPPROTO_UDP: 4094 case IPPROTO_UDPLITE: 4095 uh = skb_header_pointer(skb, offset, sizeof(_udph), &_udph); 4096 if (uh != NULL) 4097 sip->sin6_port = uh->source; 4098 break; 4099 case IPPROTO_DCCP: 4100 dh = skb_header_pointer(skb, offset, sizeof(_dccph), &_dccph); 4101 if (dh != NULL) 4102 sip->sin6_port = dh->dccph_sport; 4103 break; 4104 } 4105 return proto; 4106 } 4107 #endif /* CONFIG_IPV6 */ 4108 4109 /** 4110 * smack_from_skb - Smack data from the secmark in an skb 4111 * @skb: packet 4112 * 4113 * Returns smack_known of the secmark or NULL if that won't work. 4114 */ 4115 #ifdef CONFIG_NETWORK_SECMARK 4116 static struct smack_known *smack_from_skb(struct sk_buff *skb) 4117 { 4118 if (skb == NULL || skb->secmark == 0) 4119 return NULL; 4120 4121 return smack_from_secid(skb->secmark); 4122 } 4123 #else 4124 static inline struct smack_known *smack_from_skb(struct sk_buff *skb) 4125 { 4126 return NULL; 4127 } 4128 #endif 4129 4130 /** 4131 * smack_from_netlbl - Smack data from the IP options in an skb 4132 * @sk: socket data came in on 4133 * @family: address family 4134 * @skb: packet 4135 * 4136 * Find the Smack label in the IP options. If it hasn't been 4137 * added to the netlabel cache, add it here. 4138 * 4139 * Returns smack_known of the IP options or NULL if that won't work. 4140 */ 4141 static struct smack_known *smack_from_netlbl(const struct sock *sk, u16 family, 4142 struct sk_buff *skb) 4143 { 4144 struct netlbl_lsm_secattr secattr; 4145 struct socket_smack *ssp = NULL; 4146 struct smack_known *skp = NULL; 4147 4148 netlbl_secattr_init(&secattr); 4149 4150 if (sk) 4151 ssp = sk->sk_security; 4152 4153 if (netlbl_skbuff_getattr(skb, family, &secattr) == 0) { 4154 skp = smack_from_secattr(&secattr, ssp); 4155 if (secattr.flags & NETLBL_SECATTR_CACHEABLE) 4156 netlbl_cache_add(skb, family, &skp->smk_netlabel); 4157 } 4158 4159 netlbl_secattr_destroy(&secattr); 4160 4161 return skp; 4162 } 4163 4164 /** 4165 * smack_socket_sock_rcv_skb - Smack packet delivery access check 4166 * @sk: socket 4167 * @skb: packet 4168 * 4169 * Returns 0 if the packet should be delivered, an error code otherwise 4170 */ 4171 static int smack_socket_sock_rcv_skb(struct sock *sk, struct sk_buff *skb) 4172 { 4173 struct socket_smack *ssp = sk->sk_security; 4174 struct smack_known *skp = NULL; 4175 int rc = 0; 4176 struct smk_audit_info ad; 4177 u16 family = sk->sk_family; 4178 #ifdef CONFIG_AUDIT 4179 struct lsm_network_audit net; 4180 #endif 4181 #if IS_ENABLED(CONFIG_IPV6) 4182 struct sockaddr_in6 sadd; 4183 int proto; 4184 4185 if (family == PF_INET6 && skb->protocol == htons(ETH_P_IP)) 4186 family = PF_INET; 4187 #endif /* CONFIG_IPV6 */ 4188 4189 switch (family) { 4190 case PF_INET: 4191 /* 4192 * If there is a secmark use it rather than the CIPSO label. 4193 * If there is no secmark fall back to CIPSO. 4194 * The secmark is assumed to reflect policy better. 4195 */ 4196 skp = smack_from_skb(skb); 4197 if (skp == NULL) { 4198 skp = smack_from_netlbl(sk, family, skb); 4199 if (skp == NULL) 4200 skp = smack_net_ambient; 4201 } 4202 4203 #ifdef CONFIG_AUDIT 4204 smk_ad_init_net(&ad, __func__, LSM_AUDIT_DATA_NET, &net); 4205 ad.a.u.net->family = family; 4206 ad.a.u.net->netif = skb->skb_iif; 4207 ipv4_skb_to_auditdata(skb, &ad.a, NULL); 4208 #endif 4209 /* 4210 * Receiving a packet requires that the other end 4211 * be able to write here. Read access is not required. 4212 * This is the simplist possible security model 4213 * for networking. 4214 */ 4215 rc = smk_access(skp, ssp->smk_in, MAY_WRITE, &ad); 4216 rc = smk_bu_note("IPv4 delivery", skp, ssp->smk_in, 4217 MAY_WRITE, rc); 4218 if (rc != 0) 4219 netlbl_skbuff_err(skb, family, rc, 0); 4220 break; 4221 #if IS_ENABLED(CONFIG_IPV6) 4222 case PF_INET6: 4223 proto = smk_skb_to_addr_ipv6(skb, &sadd); 4224 if (proto != IPPROTO_UDP && proto != IPPROTO_UDPLITE && 4225 proto != IPPROTO_TCP && proto != IPPROTO_DCCP) 4226 break; 4227 #ifdef SMACK_IPV6_SECMARK_LABELING 4228 skp = smack_from_skb(skb); 4229 if (skp == NULL) { 4230 if (smk_ipv6_localhost(&sadd)) 4231 break; 4232 skp = smack_ipv6host_label(&sadd); 4233 if (skp == NULL) 4234 skp = smack_net_ambient; 4235 } 4236 #ifdef CONFIG_AUDIT 4237 smk_ad_init_net(&ad, __func__, LSM_AUDIT_DATA_NET, &net); 4238 ad.a.u.net->family = family; 4239 ad.a.u.net->netif = skb->skb_iif; 4240 ipv6_skb_to_auditdata(skb, &ad.a, NULL); 4241 #endif /* CONFIG_AUDIT */ 4242 rc = smk_access(skp, ssp->smk_in, MAY_WRITE, &ad); 4243 rc = smk_bu_note("IPv6 delivery", skp, ssp->smk_in, 4244 MAY_WRITE, rc); 4245 #endif /* SMACK_IPV6_SECMARK_LABELING */ 4246 #ifdef SMACK_IPV6_PORT_LABELING 4247 rc = smk_ipv6_port_check(sk, &sadd, SMK_RECEIVING); 4248 #endif /* SMACK_IPV6_PORT_LABELING */ 4249 if (rc != 0) 4250 icmpv6_send(skb, ICMPV6_DEST_UNREACH, 4251 ICMPV6_ADM_PROHIBITED, 0); 4252 break; 4253 #endif /* CONFIG_IPV6 */ 4254 } 4255 4256 return rc; 4257 } 4258 4259 /** 4260 * smack_socket_getpeersec_stream - pull in packet label 4261 * @sock: the socket 4262 * @optval: user's destination 4263 * @optlen: size thereof 4264 * @len: max thereof 4265 * 4266 * returns zero on success, an error code otherwise 4267 */ 4268 static int smack_socket_getpeersec_stream(struct socket *sock, 4269 sockptr_t optval, sockptr_t optlen, 4270 unsigned int len) 4271 { 4272 struct socket_smack *ssp; 4273 char *rcp = ""; 4274 u32 slen = 1; 4275 int rc = 0; 4276 4277 ssp = sock->sk->sk_security; 4278 if (ssp->smk_packet != NULL) { 4279 rcp = ssp->smk_packet->smk_known; 4280 slen = strlen(rcp) + 1; 4281 } 4282 if (slen > len) { 4283 rc = -ERANGE; 4284 goto out_len; 4285 } 4286 4287 if (copy_to_sockptr(optval, rcp, slen)) 4288 rc = -EFAULT; 4289 out_len: 4290 if (copy_to_sockptr(optlen, &slen, sizeof(slen))) 4291 rc = -EFAULT; 4292 return rc; 4293 } 4294 4295 4296 /** 4297 * smack_socket_getpeersec_dgram - pull in packet label 4298 * @sock: the peer socket 4299 * @skb: packet data 4300 * @secid: pointer to where to put the secid of the packet 4301 * 4302 * Sets the netlabel socket state on sk from parent 4303 */ 4304 static int smack_socket_getpeersec_dgram(struct socket *sock, 4305 struct sk_buff *skb, u32 *secid) 4306 4307 { 4308 struct socket_smack *ssp = NULL; 4309 struct smack_known *skp; 4310 struct sock *sk = NULL; 4311 int family = PF_UNSPEC; 4312 u32 s = 0; /* 0 is the invalid secid */ 4313 4314 if (skb != NULL) { 4315 if (skb->protocol == htons(ETH_P_IP)) 4316 family = PF_INET; 4317 #if IS_ENABLED(CONFIG_IPV6) 4318 else if (skb->protocol == htons(ETH_P_IPV6)) 4319 family = PF_INET6; 4320 #endif /* CONFIG_IPV6 */ 4321 } 4322 if (family == PF_UNSPEC && sock != NULL) 4323 family = sock->sk->sk_family; 4324 4325 switch (family) { 4326 case PF_UNIX: 4327 ssp = sock->sk->sk_security; 4328 s = ssp->smk_out->smk_secid; 4329 break; 4330 case PF_INET: 4331 skp = smack_from_skb(skb); 4332 if (skp) { 4333 s = skp->smk_secid; 4334 break; 4335 } 4336 /* 4337 * Translate what netlabel gave us. 4338 */ 4339 if (sock != NULL) 4340 sk = sock->sk; 4341 skp = smack_from_netlbl(sk, family, skb); 4342 if (skp != NULL) 4343 s = skp->smk_secid; 4344 break; 4345 case PF_INET6: 4346 #ifdef SMACK_IPV6_SECMARK_LABELING 4347 skp = smack_from_skb(skb); 4348 if (skp) 4349 s = skp->smk_secid; 4350 #endif 4351 break; 4352 } 4353 *secid = s; 4354 if (s == 0) 4355 return -EINVAL; 4356 return 0; 4357 } 4358 4359 /** 4360 * smack_sock_graft - Initialize a newly created socket with an existing sock 4361 * @sk: child sock 4362 * @parent: parent socket 4363 * 4364 * Set the smk_{in,out} state of an existing sock based on the process that 4365 * is creating the new socket. 4366 */ 4367 static void smack_sock_graft(struct sock *sk, struct socket *parent) 4368 { 4369 struct socket_smack *ssp; 4370 struct smack_known *skp = smk_of_current(); 4371 4372 if (sk == NULL || 4373 (sk->sk_family != PF_INET && sk->sk_family != PF_INET6)) 4374 return; 4375 4376 ssp = sk->sk_security; 4377 ssp->smk_in = skp; 4378 ssp->smk_out = skp; 4379 /* cssp->smk_packet is already set in smack_inet_csk_clone() */ 4380 } 4381 4382 /** 4383 * smack_inet_conn_request - Smack access check on connect 4384 * @sk: socket involved 4385 * @skb: packet 4386 * @req: unused 4387 * 4388 * Returns 0 if a task with the packet label could write to 4389 * the socket, otherwise an error code 4390 */ 4391 static int smack_inet_conn_request(const struct sock *sk, struct sk_buff *skb, 4392 struct request_sock *req) 4393 { 4394 u16 family = sk->sk_family; 4395 struct smack_known *skp; 4396 struct socket_smack *ssp = sk->sk_security; 4397 struct sockaddr_in addr; 4398 struct iphdr *hdr; 4399 struct smack_known *hskp; 4400 int rc; 4401 struct smk_audit_info ad; 4402 #ifdef CONFIG_AUDIT 4403 struct lsm_network_audit net; 4404 #endif 4405 4406 #if IS_ENABLED(CONFIG_IPV6) 4407 if (family == PF_INET6) { 4408 /* 4409 * Handle mapped IPv4 packets arriving 4410 * via IPv6 sockets. Don't set up netlabel 4411 * processing on IPv6. 4412 */ 4413 if (skb->protocol == htons(ETH_P_IP)) 4414 family = PF_INET; 4415 else 4416 return 0; 4417 } 4418 #endif /* CONFIG_IPV6 */ 4419 4420 /* 4421 * If there is a secmark use it rather than the CIPSO label. 4422 * If there is no secmark fall back to CIPSO. 4423 * The secmark is assumed to reflect policy better. 4424 */ 4425 skp = smack_from_skb(skb); 4426 if (skp == NULL) { 4427 skp = smack_from_netlbl(sk, family, skb); 4428 if (skp == NULL) 4429 skp = &smack_known_huh; 4430 } 4431 4432 #ifdef CONFIG_AUDIT 4433 smk_ad_init_net(&ad, __func__, LSM_AUDIT_DATA_NET, &net); 4434 ad.a.u.net->family = family; 4435 ad.a.u.net->netif = skb->skb_iif; 4436 ipv4_skb_to_auditdata(skb, &ad.a, NULL); 4437 #endif 4438 /* 4439 * Receiving a packet requires that the other end be able to write 4440 * here. Read access is not required. 4441 */ 4442 rc = smk_access(skp, ssp->smk_in, MAY_WRITE, &ad); 4443 rc = smk_bu_note("IPv4 connect", skp, ssp->smk_in, MAY_WRITE, rc); 4444 if (rc != 0) 4445 return rc; 4446 4447 /* 4448 * Save the peer's label in the request_sock so we can later setup 4449 * smk_packet in the child socket so that SO_PEERCRED can report it. 4450 */ 4451 req->peer_secid = skp->smk_secid; 4452 4453 /* 4454 * We need to decide if we want to label the incoming connection here 4455 * if we do we only need to label the request_sock and the stack will 4456 * propagate the wire-label to the sock when it is created. 4457 */ 4458 hdr = ip_hdr(skb); 4459 addr.sin_addr.s_addr = hdr->saddr; 4460 rcu_read_lock(); 4461 hskp = smack_ipv4host_label(&addr); 4462 rcu_read_unlock(); 4463 4464 if (hskp == NULL) 4465 rc = netlbl_req_setattr(req, &ssp->smk_out->smk_netlabel); 4466 else 4467 netlbl_req_delattr(req); 4468 4469 return rc; 4470 } 4471 4472 /** 4473 * smack_inet_csk_clone - Copy the connection information to the new socket 4474 * @sk: the new socket 4475 * @req: the connection's request_sock 4476 * 4477 * Transfer the connection's peer label to the newly created socket. 4478 */ 4479 static void smack_inet_csk_clone(struct sock *sk, 4480 const struct request_sock *req) 4481 { 4482 struct socket_smack *ssp = sk->sk_security; 4483 struct smack_known *skp; 4484 4485 if (req->peer_secid != 0) { 4486 skp = smack_from_secid(req->peer_secid); 4487 ssp->smk_packet = skp; 4488 } else 4489 ssp->smk_packet = NULL; 4490 } 4491 4492 /* 4493 * Key management security hooks 4494 * 4495 * Casey has not tested key support very heavily. 4496 * The permission check is most likely too restrictive. 4497 * If you care about keys please have a look. 4498 */ 4499 #ifdef CONFIG_KEYS 4500 4501 /** 4502 * smack_key_alloc - Set the key security blob 4503 * @key: object 4504 * @cred: the credentials to use 4505 * @flags: unused 4506 * 4507 * No allocation required 4508 * 4509 * Returns 0 4510 */ 4511 static int smack_key_alloc(struct key *key, const struct cred *cred, 4512 unsigned long flags) 4513 { 4514 struct smack_known *skp = smk_of_task(smack_cred(cred)); 4515 4516 key->security = skp; 4517 return 0; 4518 } 4519 4520 /** 4521 * smack_key_free - Clear the key security blob 4522 * @key: the object 4523 * 4524 * Clear the blob pointer 4525 */ 4526 static void smack_key_free(struct key *key) 4527 { 4528 key->security = NULL; 4529 } 4530 4531 /** 4532 * smack_key_permission - Smack access on a key 4533 * @key_ref: gets to the object 4534 * @cred: the credentials to use 4535 * @need_perm: requested key permission 4536 * 4537 * Return 0 if the task has read and write to the object, 4538 * an error code otherwise 4539 */ 4540 static int smack_key_permission(key_ref_t key_ref, 4541 const struct cred *cred, 4542 enum key_need_perm need_perm) 4543 { 4544 struct key *keyp; 4545 struct smk_audit_info ad; 4546 struct smack_known *tkp = smk_of_task(smack_cred(cred)); 4547 int request = 0; 4548 int rc; 4549 4550 /* 4551 * Validate requested permissions 4552 */ 4553 switch (need_perm) { 4554 case KEY_NEED_READ: 4555 case KEY_NEED_SEARCH: 4556 case KEY_NEED_VIEW: 4557 request |= MAY_READ; 4558 break; 4559 case KEY_NEED_WRITE: 4560 case KEY_NEED_LINK: 4561 case KEY_NEED_SETATTR: 4562 request |= MAY_WRITE; 4563 break; 4564 case KEY_NEED_UNSPECIFIED: 4565 case KEY_NEED_UNLINK: 4566 case KEY_SYSADMIN_OVERRIDE: 4567 case KEY_AUTHTOKEN_OVERRIDE: 4568 case KEY_DEFER_PERM_CHECK: 4569 return 0; 4570 default: 4571 return -EINVAL; 4572 } 4573 4574 keyp = key_ref_to_ptr(key_ref); 4575 if (keyp == NULL) 4576 return -EINVAL; 4577 /* 4578 * If the key hasn't been initialized give it access so that 4579 * it may do so. 4580 */ 4581 if (keyp->security == NULL) 4582 return 0; 4583 /* 4584 * This should not occur 4585 */ 4586 if (tkp == NULL) 4587 return -EACCES; 4588 4589 if (smack_privileged(CAP_MAC_OVERRIDE)) 4590 return 0; 4591 4592 #ifdef CONFIG_AUDIT 4593 smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_KEY); 4594 ad.a.u.key_struct.key = keyp->serial; 4595 ad.a.u.key_struct.key_desc = keyp->description; 4596 #endif 4597 rc = smk_access(tkp, keyp->security, request, &ad); 4598 rc = smk_bu_note("key access", tkp, keyp->security, request, rc); 4599 return rc; 4600 } 4601 4602 /* 4603 * smack_key_getsecurity - Smack label tagging the key 4604 * @key points to the key to be queried 4605 * @_buffer points to a pointer that should be set to point to the 4606 * resulting string (if no label or an error occurs). 4607 * Return the length of the string (including terminating NUL) or -ve if 4608 * an error. 4609 * May also return 0 (and a NULL buffer pointer) if there is no label. 4610 */ 4611 static int smack_key_getsecurity(struct key *key, char **_buffer) 4612 { 4613 struct smack_known *skp = key->security; 4614 size_t length; 4615 char *copy; 4616 4617 if (key->security == NULL) { 4618 *_buffer = NULL; 4619 return 0; 4620 } 4621 4622 copy = kstrdup(skp->smk_known, GFP_KERNEL); 4623 if (copy == NULL) 4624 return -ENOMEM; 4625 length = strlen(copy) + 1; 4626 4627 *_buffer = copy; 4628 return length; 4629 } 4630 4631 4632 #ifdef CONFIG_KEY_NOTIFICATIONS 4633 /** 4634 * smack_watch_key - Smack access to watch a key for notifications. 4635 * @key: The key to be watched 4636 * 4637 * Return 0 if the @watch->cred has permission to read from the key object and 4638 * an error otherwise. 4639 */ 4640 static int smack_watch_key(struct key *key) 4641 { 4642 struct smk_audit_info ad; 4643 struct smack_known *tkp = smk_of_current(); 4644 int rc; 4645 4646 if (key == NULL) 4647 return -EINVAL; 4648 /* 4649 * If the key hasn't been initialized give it access so that 4650 * it may do so. 4651 */ 4652 if (key->security == NULL) 4653 return 0; 4654 /* 4655 * This should not occur 4656 */ 4657 if (tkp == NULL) 4658 return -EACCES; 4659 4660 if (smack_privileged_cred(CAP_MAC_OVERRIDE, current_cred())) 4661 return 0; 4662 4663 #ifdef CONFIG_AUDIT 4664 smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_KEY); 4665 ad.a.u.key_struct.key = key->serial; 4666 ad.a.u.key_struct.key_desc = key->description; 4667 #endif 4668 rc = smk_access(tkp, key->security, MAY_READ, &ad); 4669 rc = smk_bu_note("key watch", tkp, key->security, MAY_READ, rc); 4670 return rc; 4671 } 4672 #endif /* CONFIG_KEY_NOTIFICATIONS */ 4673 #endif /* CONFIG_KEYS */ 4674 4675 #ifdef CONFIG_WATCH_QUEUE 4676 /** 4677 * smack_post_notification - Smack access to post a notification to a queue 4678 * @w_cred: The credentials of the watcher. 4679 * @cred: The credentials of the event source (may be NULL). 4680 * @n: The notification message to be posted. 4681 */ 4682 static int smack_post_notification(const struct cred *w_cred, 4683 const struct cred *cred, 4684 struct watch_notification *n) 4685 { 4686 struct smk_audit_info ad; 4687 struct smack_known *subj, *obj; 4688 int rc; 4689 4690 /* Always let maintenance notifications through. */ 4691 if (n->type == WATCH_TYPE_META) 4692 return 0; 4693 4694 if (!cred) 4695 return 0; 4696 subj = smk_of_task(smack_cred(cred)); 4697 obj = smk_of_task(smack_cred(w_cred)); 4698 4699 smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_NOTIFICATION); 4700 rc = smk_access(subj, obj, MAY_WRITE, &ad); 4701 rc = smk_bu_note("notification", subj, obj, MAY_WRITE, rc); 4702 return rc; 4703 } 4704 #endif /* CONFIG_WATCH_QUEUE */ 4705 4706 /* 4707 * Smack Audit hooks 4708 * 4709 * Audit requires a unique representation of each Smack specific 4710 * rule. This unique representation is used to distinguish the 4711 * object to be audited from remaining kernel objects and also 4712 * works as a glue between the audit hooks. 4713 * 4714 * Since repository entries are added but never deleted, we'll use 4715 * the smack_known label address related to the given audit rule as 4716 * the needed unique representation. This also better fits the smack 4717 * model where nearly everything is a label. 4718 */ 4719 #ifdef CONFIG_AUDIT 4720 4721 /** 4722 * smack_audit_rule_init - Initialize a smack audit rule 4723 * @field: audit rule fields given from user-space (audit.h) 4724 * @op: required testing operator (=, !=, >, <, ...) 4725 * @rulestr: smack label to be audited 4726 * @vrule: pointer to save our own audit rule representation 4727 * @gfp: type of the memory for the allocation 4728 * 4729 * Prepare to audit cases where (@field @op @rulestr) is true. 4730 * The label to be audited is created if necessay. 4731 */ 4732 static int smack_audit_rule_init(u32 field, u32 op, char *rulestr, void **vrule, 4733 gfp_t gfp) 4734 { 4735 struct smack_known *skp; 4736 char **rule = (char **)vrule; 4737 *rule = NULL; 4738 4739 if (field != AUDIT_SUBJ_USER && field != AUDIT_OBJ_USER) 4740 return -EINVAL; 4741 4742 if (op != Audit_equal && op != Audit_not_equal) 4743 return -EINVAL; 4744 4745 skp = smk_import_entry(rulestr, 0); 4746 if (IS_ERR(skp)) 4747 return PTR_ERR(skp); 4748 4749 *rule = skp->smk_known; 4750 4751 return 0; 4752 } 4753 4754 /** 4755 * smack_audit_rule_known - Distinguish Smack audit rules 4756 * @krule: rule of interest, in Audit kernel representation format 4757 * 4758 * This is used to filter Smack rules from remaining Audit ones. 4759 * If it's proved that this rule belongs to us, the 4760 * audit_rule_match hook will be called to do the final judgement. 4761 */ 4762 static int smack_audit_rule_known(struct audit_krule *krule) 4763 { 4764 struct audit_field *f; 4765 int i; 4766 4767 for (i = 0; i < krule->field_count; i++) { 4768 f = &krule->fields[i]; 4769 4770 if (f->type == AUDIT_SUBJ_USER || f->type == AUDIT_OBJ_USER) 4771 return 1; 4772 } 4773 4774 return 0; 4775 } 4776 4777 /** 4778 * smack_audit_rule_match - Audit given object ? 4779 * @secid: security id for identifying the object to test 4780 * @field: audit rule flags given from user-space 4781 * @op: required testing operator 4782 * @vrule: smack internal rule presentation 4783 * 4784 * The core Audit hook. It's used to take the decision of 4785 * whether to audit or not to audit a given object. 4786 */ 4787 static int smack_audit_rule_match(u32 secid, u32 field, u32 op, void *vrule) 4788 { 4789 struct smack_known *skp; 4790 char *rule = vrule; 4791 4792 if (unlikely(!rule)) { 4793 WARN_ONCE(1, "Smack: missing rule\n"); 4794 return -ENOENT; 4795 } 4796 4797 if (field != AUDIT_SUBJ_USER && field != AUDIT_OBJ_USER) 4798 return 0; 4799 4800 skp = smack_from_secid(secid); 4801 4802 /* 4803 * No need to do string comparisons. If a match occurs, 4804 * both pointers will point to the same smack_known 4805 * label. 4806 */ 4807 if (op == Audit_equal) 4808 return (rule == skp->smk_known); 4809 if (op == Audit_not_equal) 4810 return (rule != skp->smk_known); 4811 4812 return 0; 4813 } 4814 4815 /* 4816 * There is no need for a smack_audit_rule_free hook. 4817 * No memory was allocated. 4818 */ 4819 4820 #endif /* CONFIG_AUDIT */ 4821 4822 /** 4823 * smack_ismaclabel - check if xattr @name references a smack MAC label 4824 * @name: Full xattr name to check. 4825 */ 4826 static int smack_ismaclabel(const char *name) 4827 { 4828 return (strcmp(name, XATTR_SMACK_SUFFIX) == 0); 4829 } 4830 4831 4832 /** 4833 * smack_secid_to_secctx - return the smack label for a secid 4834 * @secid: incoming integer 4835 * @secdata: destination 4836 * @seclen: how long it is 4837 * 4838 * Exists for networking code. 4839 */ 4840 static int smack_secid_to_secctx(u32 secid, char **secdata, u32 *seclen) 4841 { 4842 struct smack_known *skp = smack_from_secid(secid); 4843 4844 if (secdata) 4845 *secdata = skp->smk_known; 4846 *seclen = strlen(skp->smk_known); 4847 return 0; 4848 } 4849 4850 /** 4851 * smack_secctx_to_secid - return the secid for a smack label 4852 * @secdata: smack label 4853 * @seclen: how long result is 4854 * @secid: outgoing integer 4855 * 4856 * Exists for audit and networking code. 4857 */ 4858 static int smack_secctx_to_secid(const char *secdata, u32 seclen, u32 *secid) 4859 { 4860 struct smack_known *skp = smk_find_entry(secdata); 4861 4862 if (skp) 4863 *secid = skp->smk_secid; 4864 else 4865 *secid = 0; 4866 return 0; 4867 } 4868 4869 /* 4870 * There used to be a smack_release_secctx hook 4871 * that did nothing back when hooks were in a vector. 4872 * Now that there's a list such a hook adds cost. 4873 */ 4874 4875 static int smack_inode_notifysecctx(struct inode *inode, void *ctx, u32 ctxlen) 4876 { 4877 return smack_inode_setsecurity(inode, XATTR_SMACK_SUFFIX, ctx, 4878 ctxlen, 0); 4879 } 4880 4881 static int smack_inode_setsecctx(struct dentry *dentry, void *ctx, u32 ctxlen) 4882 { 4883 return __vfs_setxattr_noperm(&nop_mnt_idmap, dentry, XATTR_NAME_SMACK, 4884 ctx, ctxlen, 0); 4885 } 4886 4887 static int smack_inode_getsecctx(struct inode *inode, void **ctx, u32 *ctxlen) 4888 { 4889 struct smack_known *skp = smk_of_inode(inode); 4890 4891 *ctx = skp->smk_known; 4892 *ctxlen = strlen(skp->smk_known); 4893 return 0; 4894 } 4895 4896 static int smack_inode_copy_up(struct dentry *dentry, struct cred **new) 4897 { 4898 4899 struct task_smack *tsp; 4900 struct smack_known *skp; 4901 struct inode_smack *isp; 4902 struct cred *new_creds = *new; 4903 4904 if (new_creds == NULL) { 4905 new_creds = prepare_creds(); 4906 if (new_creds == NULL) 4907 return -ENOMEM; 4908 } 4909 4910 tsp = smack_cred(new_creds); 4911 4912 /* 4913 * Get label from overlay inode and set it in create_sid 4914 */ 4915 isp = smack_inode(d_inode(dentry)); 4916 skp = isp->smk_inode; 4917 tsp->smk_task = skp; 4918 *new = new_creds; 4919 return 0; 4920 } 4921 4922 static int smack_inode_copy_up_xattr(struct dentry *src, const char *name) 4923 { 4924 /* 4925 * Return 1 if this is the smack access Smack attribute. 4926 */ 4927 if (strcmp(name, XATTR_NAME_SMACK) == 0) 4928 return 1; 4929 4930 return -EOPNOTSUPP; 4931 } 4932 4933 static int smack_dentry_create_files_as(struct dentry *dentry, int mode, 4934 struct qstr *name, 4935 const struct cred *old, 4936 struct cred *new) 4937 { 4938 struct task_smack *otsp = smack_cred(old); 4939 struct task_smack *ntsp = smack_cred(new); 4940 struct inode_smack *isp; 4941 int may; 4942 4943 /* 4944 * Use the process credential unless all of 4945 * the transmuting criteria are met 4946 */ 4947 ntsp->smk_task = otsp->smk_task; 4948 4949 /* 4950 * the attribute of the containing directory 4951 */ 4952 isp = smack_inode(d_inode(dentry->d_parent)); 4953 4954 if (isp->smk_flags & SMK_INODE_TRANSMUTE) { 4955 rcu_read_lock(); 4956 may = smk_access_entry(otsp->smk_task->smk_known, 4957 isp->smk_inode->smk_known, 4958 &otsp->smk_task->smk_rules); 4959 rcu_read_unlock(); 4960 4961 /* 4962 * If the directory is transmuting and the rule 4963 * providing access is transmuting use the containing 4964 * directory label instead of the process label. 4965 */ 4966 if (may > 0 && (may & MAY_TRANSMUTE)) { 4967 ntsp->smk_task = isp->smk_inode; 4968 ntsp->smk_transmuted = ntsp->smk_task; 4969 } 4970 } 4971 return 0; 4972 } 4973 4974 #ifdef CONFIG_IO_URING 4975 /** 4976 * smack_uring_override_creds - Is io_uring cred override allowed? 4977 * @new: the target creds 4978 * 4979 * Check to see if the current task is allowed to override it's credentials 4980 * to service an io_uring operation. 4981 */ 4982 static int smack_uring_override_creds(const struct cred *new) 4983 { 4984 struct task_smack *tsp = smack_cred(current_cred()); 4985 struct task_smack *nsp = smack_cred(new); 4986 4987 /* 4988 * Allow the degenerate case where the new Smack value is 4989 * the same as the current Smack value. 4990 */ 4991 if (tsp->smk_task == nsp->smk_task) 4992 return 0; 4993 4994 if (smack_privileged_cred(CAP_MAC_OVERRIDE, current_cred())) 4995 return 0; 4996 4997 return -EPERM; 4998 } 4999 5000 /** 5001 * smack_uring_sqpoll - check if a io_uring polling thread can be created 5002 * 5003 * Check to see if the current task is allowed to create a new io_uring 5004 * kernel polling thread. 5005 */ 5006 static int smack_uring_sqpoll(void) 5007 { 5008 if (smack_privileged_cred(CAP_MAC_ADMIN, current_cred())) 5009 return 0; 5010 5011 return -EPERM; 5012 } 5013 5014 /** 5015 * smack_uring_cmd - check on file operations for io_uring 5016 * @ioucmd: the command in question 5017 * 5018 * Make a best guess about whether a io_uring "command" should 5019 * be allowed. Use the same logic used for determining if the 5020 * file could be opened for read in the absence of better criteria. 5021 */ 5022 static int smack_uring_cmd(struct io_uring_cmd *ioucmd) 5023 { 5024 struct file *file = ioucmd->file; 5025 struct smk_audit_info ad; 5026 struct task_smack *tsp; 5027 struct inode *inode; 5028 int rc; 5029 5030 if (!file) 5031 return -EINVAL; 5032 5033 tsp = smack_cred(file->f_cred); 5034 inode = file_inode(file); 5035 5036 smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_PATH); 5037 smk_ad_setfield_u_fs_path(&ad, file->f_path); 5038 rc = smk_tskacc(tsp, smk_of_inode(inode), MAY_READ, &ad); 5039 rc = smk_bu_credfile(file->f_cred, file, MAY_READ, rc); 5040 5041 return rc; 5042 } 5043 5044 #endif /* CONFIG_IO_URING */ 5045 5046 struct lsm_blob_sizes smack_blob_sizes __ro_after_init = { 5047 .lbs_cred = sizeof(struct task_smack), 5048 .lbs_file = sizeof(struct smack_known *), 5049 .lbs_inode = sizeof(struct inode_smack), 5050 .lbs_ipc = sizeof(struct smack_known *), 5051 .lbs_msg_msg = sizeof(struct smack_known *), 5052 .lbs_superblock = sizeof(struct superblock_smack), 5053 .lbs_xattr_count = SMACK_INODE_INIT_XATTRS, 5054 }; 5055 5056 static const struct lsm_id smack_lsmid = { 5057 .name = "smack", 5058 .id = LSM_ID_SMACK, 5059 }; 5060 5061 static struct security_hook_list smack_hooks[] __ro_after_init = { 5062 LSM_HOOK_INIT(ptrace_access_check, smack_ptrace_access_check), 5063 LSM_HOOK_INIT(ptrace_traceme, smack_ptrace_traceme), 5064 LSM_HOOK_INIT(syslog, smack_syslog), 5065 5066 LSM_HOOK_INIT(fs_context_submount, smack_fs_context_submount), 5067 LSM_HOOK_INIT(fs_context_dup, smack_fs_context_dup), 5068 LSM_HOOK_INIT(fs_context_parse_param, smack_fs_context_parse_param), 5069 5070 LSM_HOOK_INIT(sb_alloc_security, smack_sb_alloc_security), 5071 LSM_HOOK_INIT(sb_free_mnt_opts, smack_free_mnt_opts), 5072 LSM_HOOK_INIT(sb_eat_lsm_opts, smack_sb_eat_lsm_opts), 5073 LSM_HOOK_INIT(sb_statfs, smack_sb_statfs), 5074 LSM_HOOK_INIT(sb_set_mnt_opts, smack_set_mnt_opts), 5075 5076 LSM_HOOK_INIT(bprm_creds_for_exec, smack_bprm_creds_for_exec), 5077 5078 LSM_HOOK_INIT(inode_alloc_security, smack_inode_alloc_security), 5079 LSM_HOOK_INIT(inode_init_security, smack_inode_init_security), 5080 LSM_HOOK_INIT(inode_link, smack_inode_link), 5081 LSM_HOOK_INIT(inode_unlink, smack_inode_unlink), 5082 LSM_HOOK_INIT(inode_rmdir, smack_inode_rmdir), 5083 LSM_HOOK_INIT(inode_rename, smack_inode_rename), 5084 LSM_HOOK_INIT(inode_permission, smack_inode_permission), 5085 LSM_HOOK_INIT(inode_setattr, smack_inode_setattr), 5086 LSM_HOOK_INIT(inode_getattr, smack_inode_getattr), 5087 LSM_HOOK_INIT(inode_xattr_skipcap, smack_inode_xattr_skipcap), 5088 LSM_HOOK_INIT(inode_setxattr, smack_inode_setxattr), 5089 LSM_HOOK_INIT(inode_post_setxattr, smack_inode_post_setxattr), 5090 LSM_HOOK_INIT(inode_getxattr, smack_inode_getxattr), 5091 LSM_HOOK_INIT(inode_removexattr, smack_inode_removexattr), 5092 LSM_HOOK_INIT(inode_set_acl, smack_inode_set_acl), 5093 LSM_HOOK_INIT(inode_get_acl, smack_inode_get_acl), 5094 LSM_HOOK_INIT(inode_remove_acl, smack_inode_remove_acl), 5095 LSM_HOOK_INIT(inode_getsecurity, smack_inode_getsecurity), 5096 LSM_HOOK_INIT(inode_setsecurity, smack_inode_setsecurity), 5097 LSM_HOOK_INIT(inode_listsecurity, smack_inode_listsecurity), 5098 LSM_HOOK_INIT(inode_getsecid, smack_inode_getsecid), 5099 5100 LSM_HOOK_INIT(file_alloc_security, smack_file_alloc_security), 5101 LSM_HOOK_INIT(file_ioctl, smack_file_ioctl), 5102 LSM_HOOK_INIT(file_ioctl_compat, smack_file_ioctl), 5103 LSM_HOOK_INIT(file_lock, smack_file_lock), 5104 LSM_HOOK_INIT(file_fcntl, smack_file_fcntl), 5105 LSM_HOOK_INIT(mmap_file, smack_mmap_file), 5106 LSM_HOOK_INIT(mmap_addr, cap_mmap_addr), 5107 LSM_HOOK_INIT(file_set_fowner, smack_file_set_fowner), 5108 LSM_HOOK_INIT(file_send_sigiotask, smack_file_send_sigiotask), 5109 LSM_HOOK_INIT(file_receive, smack_file_receive), 5110 5111 LSM_HOOK_INIT(file_open, smack_file_open), 5112 5113 LSM_HOOK_INIT(cred_alloc_blank, smack_cred_alloc_blank), 5114 LSM_HOOK_INIT(cred_free, smack_cred_free), 5115 LSM_HOOK_INIT(cred_prepare, smack_cred_prepare), 5116 LSM_HOOK_INIT(cred_transfer, smack_cred_transfer), 5117 LSM_HOOK_INIT(cred_getsecid, smack_cred_getsecid), 5118 LSM_HOOK_INIT(kernel_act_as, smack_kernel_act_as), 5119 LSM_HOOK_INIT(kernel_create_files_as, smack_kernel_create_files_as), 5120 LSM_HOOK_INIT(task_setpgid, smack_task_setpgid), 5121 LSM_HOOK_INIT(task_getpgid, smack_task_getpgid), 5122 LSM_HOOK_INIT(task_getsid, smack_task_getsid), 5123 LSM_HOOK_INIT(current_getsecid_subj, smack_current_getsecid_subj), 5124 LSM_HOOK_INIT(task_getsecid_obj, smack_task_getsecid_obj), 5125 LSM_HOOK_INIT(task_setnice, smack_task_setnice), 5126 LSM_HOOK_INIT(task_setioprio, smack_task_setioprio), 5127 LSM_HOOK_INIT(task_getioprio, smack_task_getioprio), 5128 LSM_HOOK_INIT(task_setscheduler, smack_task_setscheduler), 5129 LSM_HOOK_INIT(task_getscheduler, smack_task_getscheduler), 5130 LSM_HOOK_INIT(task_movememory, smack_task_movememory), 5131 LSM_HOOK_INIT(task_kill, smack_task_kill), 5132 LSM_HOOK_INIT(task_to_inode, smack_task_to_inode), 5133 5134 LSM_HOOK_INIT(ipc_permission, smack_ipc_permission), 5135 LSM_HOOK_INIT(ipc_getsecid, smack_ipc_getsecid), 5136 5137 LSM_HOOK_INIT(msg_msg_alloc_security, smack_msg_msg_alloc_security), 5138 5139 LSM_HOOK_INIT(msg_queue_alloc_security, smack_ipc_alloc_security), 5140 LSM_HOOK_INIT(msg_queue_associate, smack_msg_queue_associate), 5141 LSM_HOOK_INIT(msg_queue_msgctl, smack_msg_queue_msgctl), 5142 LSM_HOOK_INIT(msg_queue_msgsnd, smack_msg_queue_msgsnd), 5143 LSM_HOOK_INIT(msg_queue_msgrcv, smack_msg_queue_msgrcv), 5144 5145 LSM_HOOK_INIT(shm_alloc_security, smack_ipc_alloc_security), 5146 LSM_HOOK_INIT(shm_associate, smack_shm_associate), 5147 LSM_HOOK_INIT(shm_shmctl, smack_shm_shmctl), 5148 LSM_HOOK_INIT(shm_shmat, smack_shm_shmat), 5149 5150 LSM_HOOK_INIT(sem_alloc_security, smack_ipc_alloc_security), 5151 LSM_HOOK_INIT(sem_associate, smack_sem_associate), 5152 LSM_HOOK_INIT(sem_semctl, smack_sem_semctl), 5153 LSM_HOOK_INIT(sem_semop, smack_sem_semop), 5154 5155 LSM_HOOK_INIT(d_instantiate, smack_d_instantiate), 5156 5157 LSM_HOOK_INIT(getselfattr, smack_getselfattr), 5158 LSM_HOOK_INIT(setselfattr, smack_setselfattr), 5159 LSM_HOOK_INIT(getprocattr, smack_getprocattr), 5160 LSM_HOOK_INIT(setprocattr, smack_setprocattr), 5161 5162 LSM_HOOK_INIT(unix_stream_connect, smack_unix_stream_connect), 5163 LSM_HOOK_INIT(unix_may_send, smack_unix_may_send), 5164 5165 LSM_HOOK_INIT(socket_post_create, smack_socket_post_create), 5166 LSM_HOOK_INIT(socket_socketpair, smack_socket_socketpair), 5167 #ifdef SMACK_IPV6_PORT_LABELING 5168 LSM_HOOK_INIT(socket_bind, smack_socket_bind), 5169 #endif 5170 LSM_HOOK_INIT(socket_connect, smack_socket_connect), 5171 LSM_HOOK_INIT(socket_sendmsg, smack_socket_sendmsg), 5172 LSM_HOOK_INIT(socket_sock_rcv_skb, smack_socket_sock_rcv_skb), 5173 LSM_HOOK_INIT(socket_getpeersec_stream, smack_socket_getpeersec_stream), 5174 LSM_HOOK_INIT(socket_getpeersec_dgram, smack_socket_getpeersec_dgram), 5175 LSM_HOOK_INIT(sk_alloc_security, smack_sk_alloc_security), 5176 LSM_HOOK_INIT(sk_free_security, smack_sk_free_security), 5177 LSM_HOOK_INIT(sk_clone_security, smack_sk_clone_security), 5178 LSM_HOOK_INIT(sock_graft, smack_sock_graft), 5179 LSM_HOOK_INIT(inet_conn_request, smack_inet_conn_request), 5180 LSM_HOOK_INIT(inet_csk_clone, smack_inet_csk_clone), 5181 5182 /* key management security hooks */ 5183 #ifdef CONFIG_KEYS 5184 LSM_HOOK_INIT(key_alloc, smack_key_alloc), 5185 LSM_HOOK_INIT(key_free, smack_key_free), 5186 LSM_HOOK_INIT(key_permission, smack_key_permission), 5187 LSM_HOOK_INIT(key_getsecurity, smack_key_getsecurity), 5188 #ifdef CONFIG_KEY_NOTIFICATIONS 5189 LSM_HOOK_INIT(watch_key, smack_watch_key), 5190 #endif 5191 #endif /* CONFIG_KEYS */ 5192 5193 #ifdef CONFIG_WATCH_QUEUE 5194 LSM_HOOK_INIT(post_notification, smack_post_notification), 5195 #endif 5196 5197 /* Audit hooks */ 5198 #ifdef CONFIG_AUDIT 5199 LSM_HOOK_INIT(audit_rule_init, smack_audit_rule_init), 5200 LSM_HOOK_INIT(audit_rule_known, smack_audit_rule_known), 5201 LSM_HOOK_INIT(audit_rule_match, smack_audit_rule_match), 5202 #endif /* CONFIG_AUDIT */ 5203 5204 LSM_HOOK_INIT(ismaclabel, smack_ismaclabel), 5205 LSM_HOOK_INIT(secid_to_secctx, smack_secid_to_secctx), 5206 LSM_HOOK_INIT(secctx_to_secid, smack_secctx_to_secid), 5207 LSM_HOOK_INIT(inode_notifysecctx, smack_inode_notifysecctx), 5208 LSM_HOOK_INIT(inode_setsecctx, smack_inode_setsecctx), 5209 LSM_HOOK_INIT(inode_getsecctx, smack_inode_getsecctx), 5210 LSM_HOOK_INIT(inode_copy_up, smack_inode_copy_up), 5211 LSM_HOOK_INIT(inode_copy_up_xattr, smack_inode_copy_up_xattr), 5212 LSM_HOOK_INIT(dentry_create_files_as, smack_dentry_create_files_as), 5213 #ifdef CONFIG_IO_URING 5214 LSM_HOOK_INIT(uring_override_creds, smack_uring_override_creds), 5215 LSM_HOOK_INIT(uring_sqpoll, smack_uring_sqpoll), 5216 LSM_HOOK_INIT(uring_cmd, smack_uring_cmd), 5217 #endif 5218 }; 5219 5220 5221 static __init void init_smack_known_list(void) 5222 { 5223 /* 5224 * Initialize rule list locks 5225 */ 5226 mutex_init(&smack_known_huh.smk_rules_lock); 5227 mutex_init(&smack_known_hat.smk_rules_lock); 5228 mutex_init(&smack_known_floor.smk_rules_lock); 5229 mutex_init(&smack_known_star.smk_rules_lock); 5230 mutex_init(&smack_known_web.smk_rules_lock); 5231 /* 5232 * Initialize rule lists 5233 */ 5234 INIT_LIST_HEAD(&smack_known_huh.smk_rules); 5235 INIT_LIST_HEAD(&smack_known_hat.smk_rules); 5236 INIT_LIST_HEAD(&smack_known_star.smk_rules); 5237 INIT_LIST_HEAD(&smack_known_floor.smk_rules); 5238 INIT_LIST_HEAD(&smack_known_web.smk_rules); 5239 /* 5240 * Create the known labels list 5241 */ 5242 smk_insert_entry(&smack_known_huh); 5243 smk_insert_entry(&smack_known_hat); 5244 smk_insert_entry(&smack_known_star); 5245 smk_insert_entry(&smack_known_floor); 5246 smk_insert_entry(&smack_known_web); 5247 } 5248 5249 /** 5250 * smack_init - initialize the smack system 5251 * 5252 * Returns 0 on success, -ENOMEM is there's no memory 5253 */ 5254 static __init int smack_init(void) 5255 { 5256 struct cred *cred = (struct cred *) current->cred; 5257 struct task_smack *tsp; 5258 5259 smack_rule_cache = KMEM_CACHE(smack_rule, 0); 5260 if (!smack_rule_cache) 5261 return -ENOMEM; 5262 5263 /* 5264 * Set the security state for the initial task. 5265 */ 5266 tsp = smack_cred(cred); 5267 init_task_smack(tsp, &smack_known_floor, &smack_known_floor); 5268 5269 /* 5270 * Register with LSM 5271 */ 5272 security_add_hooks(smack_hooks, ARRAY_SIZE(smack_hooks), &smack_lsmid); 5273 smack_enabled = 1; 5274 5275 pr_info("Smack: Initializing.\n"); 5276 #ifdef CONFIG_SECURITY_SMACK_NETFILTER 5277 pr_info("Smack: Netfilter enabled.\n"); 5278 #endif 5279 #ifdef SMACK_IPV6_PORT_LABELING 5280 pr_info("Smack: IPv6 port labeling enabled.\n"); 5281 #endif 5282 #ifdef SMACK_IPV6_SECMARK_LABELING 5283 pr_info("Smack: IPv6 Netfilter enabled.\n"); 5284 #endif 5285 5286 /* initialize the smack_known_list */ 5287 init_smack_known_list(); 5288 5289 return 0; 5290 } 5291 5292 /* 5293 * Smack requires early initialization in order to label 5294 * all processes and objects when they are created. 5295 */ 5296 DEFINE_LSM(smack) = { 5297 .name = "smack", 5298 .flags = LSM_FLAG_LEGACY_MAJOR | LSM_FLAG_EXCLUSIVE, 5299 .blobs = &smack_blob_sizes, 5300 .init = smack_init, 5301 }; 5302