1 // SPDX-License-Identifier: GPL-2.0-only 2 /* 3 * Simplified MAC Kernel (smack) security module 4 * 5 * This file contains the smack hook function implementations. 6 * 7 * Authors: 8 * Casey Schaufler <casey@schaufler-ca.com> 9 * Jarkko Sakkinen <jarkko.sakkinen@intel.com> 10 * 11 * Copyright (C) 2007 Casey Schaufler <casey@schaufler-ca.com> 12 * Copyright (C) 2009 Hewlett-Packard Development Company, L.P. 13 * Paul Moore <paul@paul-moore.com> 14 * Copyright (C) 2010 Nokia Corporation 15 * Copyright (C) 2011 Intel Corporation. 16 */ 17 18 #include <linux/xattr.h> 19 #include <linux/pagemap.h> 20 #include <linux/mount.h> 21 #include <linux/stat.h> 22 #include <linux/kd.h> 23 #include <asm/ioctls.h> 24 #include <linux/ip.h> 25 #include <linux/tcp.h> 26 #include <linux/udp.h> 27 #include <linux/dccp.h> 28 #include <linux/icmpv6.h> 29 #include <linux/slab.h> 30 #include <linux/mutex.h> 31 #include <net/cipso_ipv4.h> 32 #include <net/ip.h> 33 #include <net/ipv6.h> 34 #include <linux/audit.h> 35 #include <linux/magic.h> 36 #include <linux/dcache.h> 37 #include <linux/personality.h> 38 #include <linux/msg.h> 39 #include <linux/shm.h> 40 #include <uapi/linux/shm.h> 41 #include <linux/binfmts.h> 42 #include <linux/parser.h> 43 #include <linux/fs_context.h> 44 #include <linux/fs_parser.h> 45 #include <linux/watch_queue.h> 46 #include <linux/io_uring/cmd.h> 47 #include <uapi/linux/lsm.h> 48 #include "smack.h" 49 50 #define TRANS_TRUE "TRUE" 51 #define TRANS_TRUE_SIZE 4 52 53 #define SMK_CONNECTING 0 54 #define SMK_RECEIVING 1 55 #define SMK_SENDING 2 56 57 /* 58 * Smack uses multiple xattrs. 59 * SMACK64 - for access control, 60 * SMACK64TRANSMUTE - label initialization, 61 * Not saved on files - SMACK64IPIN and SMACK64IPOUT, 62 * Must be set explicitly - SMACK64EXEC and SMACK64MMAP 63 */ 64 #define SMACK_INODE_INIT_XATTRS 2 65 66 #ifdef SMACK_IPV6_PORT_LABELING 67 static DEFINE_MUTEX(smack_ipv6_lock); 68 static LIST_HEAD(smk_ipv6_port_list); 69 #endif 70 struct kmem_cache *smack_rule_cache; 71 int smack_enabled __initdata; 72 73 #define A(s) {"smack"#s, sizeof("smack"#s) - 1, Opt_##s} 74 static struct { 75 const char *name; 76 int len; 77 int opt; 78 } smk_mount_opts[] = { 79 {"smackfsdef", sizeof("smackfsdef") - 1, Opt_fsdefault}, 80 A(fsdefault), A(fsfloor), A(fshat), A(fsroot), A(fstransmute) 81 }; 82 #undef A 83 84 static int match_opt_prefix(char *s, int l, char **arg) 85 { 86 int i; 87 88 for (i = 0; i < ARRAY_SIZE(smk_mount_opts); i++) { 89 size_t len = smk_mount_opts[i].len; 90 if (len > l || memcmp(s, smk_mount_opts[i].name, len)) 91 continue; 92 if (len == l || s[len] != '=') 93 continue; 94 *arg = s + len + 1; 95 return smk_mount_opts[i].opt; 96 } 97 return Opt_error; 98 } 99 100 #ifdef CONFIG_SECURITY_SMACK_BRINGUP 101 static char *smk_bu_mess[] = { 102 "Bringup Error", /* Unused */ 103 "Bringup", /* SMACK_BRINGUP_ALLOW */ 104 "Unconfined Subject", /* SMACK_UNCONFINED_SUBJECT */ 105 "Unconfined Object", /* SMACK_UNCONFINED_OBJECT */ 106 }; 107 108 static void smk_bu_mode(int mode, char *s) 109 { 110 int i = 0; 111 112 if (mode & MAY_READ) 113 s[i++] = 'r'; 114 if (mode & MAY_WRITE) 115 s[i++] = 'w'; 116 if (mode & MAY_EXEC) 117 s[i++] = 'x'; 118 if (mode & MAY_APPEND) 119 s[i++] = 'a'; 120 if (mode & MAY_TRANSMUTE) 121 s[i++] = 't'; 122 if (mode & MAY_LOCK) 123 s[i++] = 'l'; 124 if (i == 0) 125 s[i++] = '-'; 126 s[i] = '\0'; 127 } 128 #endif 129 130 #ifdef CONFIG_SECURITY_SMACK_BRINGUP 131 static int smk_bu_note(char *note, struct smack_known *sskp, 132 struct smack_known *oskp, int mode, int rc) 133 { 134 char acc[SMK_NUM_ACCESS_TYPE + 1]; 135 136 if (rc <= 0) 137 return rc; 138 if (rc > SMACK_UNCONFINED_OBJECT) 139 rc = 0; 140 141 smk_bu_mode(mode, acc); 142 pr_info("Smack %s: (%s %s %s) %s\n", smk_bu_mess[rc], 143 sskp->smk_known, oskp->smk_known, acc, note); 144 return 0; 145 } 146 #else 147 #define smk_bu_note(note, sskp, oskp, mode, RC) (RC) 148 #endif 149 150 #ifdef CONFIG_SECURITY_SMACK_BRINGUP 151 static int smk_bu_current(char *note, struct smack_known *oskp, 152 int mode, int rc) 153 { 154 struct task_smack *tsp = smack_cred(current_cred()); 155 char acc[SMK_NUM_ACCESS_TYPE + 1]; 156 157 if (rc <= 0) 158 return rc; 159 if (rc > SMACK_UNCONFINED_OBJECT) 160 rc = 0; 161 162 smk_bu_mode(mode, acc); 163 pr_info("Smack %s: (%s %s %s) %s %s\n", smk_bu_mess[rc], 164 tsp->smk_task->smk_known, oskp->smk_known, 165 acc, current->comm, note); 166 return 0; 167 } 168 #else 169 #define smk_bu_current(note, oskp, mode, RC) (RC) 170 #endif 171 172 #ifdef CONFIG_SECURITY_SMACK_BRINGUP 173 static int smk_bu_task(struct task_struct *otp, int mode, int rc) 174 { 175 struct task_smack *tsp = smack_cred(current_cred()); 176 struct smack_known *smk_task = smk_of_task_struct_obj(otp); 177 char acc[SMK_NUM_ACCESS_TYPE + 1]; 178 179 if (rc <= 0) 180 return rc; 181 if (rc > SMACK_UNCONFINED_OBJECT) 182 rc = 0; 183 184 smk_bu_mode(mode, acc); 185 pr_info("Smack %s: (%s %s %s) %s to %s\n", smk_bu_mess[rc], 186 tsp->smk_task->smk_known, smk_task->smk_known, acc, 187 current->comm, otp->comm); 188 return 0; 189 } 190 #else 191 #define smk_bu_task(otp, mode, RC) (RC) 192 #endif 193 194 #ifdef CONFIG_SECURITY_SMACK_BRINGUP 195 static int smk_bu_inode(struct inode *inode, int mode, int rc) 196 { 197 struct task_smack *tsp = smack_cred(current_cred()); 198 struct inode_smack *isp = smack_inode(inode); 199 char acc[SMK_NUM_ACCESS_TYPE + 1]; 200 201 if (isp->smk_flags & SMK_INODE_IMPURE) 202 pr_info("Smack Unconfined Corruption: inode=(%s %ld) %s\n", 203 inode->i_sb->s_id, inode->i_ino, current->comm); 204 205 if (rc <= 0) 206 return rc; 207 if (rc > SMACK_UNCONFINED_OBJECT) 208 rc = 0; 209 if (rc == SMACK_UNCONFINED_SUBJECT && 210 (mode & (MAY_WRITE | MAY_APPEND))) 211 isp->smk_flags |= SMK_INODE_IMPURE; 212 213 smk_bu_mode(mode, acc); 214 215 pr_info("Smack %s: (%s %s %s) inode=(%s %ld) %s\n", smk_bu_mess[rc], 216 tsp->smk_task->smk_known, isp->smk_inode->smk_known, acc, 217 inode->i_sb->s_id, inode->i_ino, current->comm); 218 return 0; 219 } 220 #else 221 #define smk_bu_inode(inode, mode, RC) (RC) 222 #endif 223 224 #ifdef CONFIG_SECURITY_SMACK_BRINGUP 225 static int smk_bu_file(struct file *file, int mode, int rc) 226 { 227 struct task_smack *tsp = smack_cred(current_cred()); 228 struct smack_known *sskp = tsp->smk_task; 229 struct inode *inode = file_inode(file); 230 struct inode_smack *isp = smack_inode(inode); 231 char acc[SMK_NUM_ACCESS_TYPE + 1]; 232 233 if (isp->smk_flags & SMK_INODE_IMPURE) 234 pr_info("Smack Unconfined Corruption: inode=(%s %ld) %s\n", 235 inode->i_sb->s_id, inode->i_ino, current->comm); 236 237 if (rc <= 0) 238 return rc; 239 if (rc > SMACK_UNCONFINED_OBJECT) 240 rc = 0; 241 242 smk_bu_mode(mode, acc); 243 pr_info("Smack %s: (%s %s %s) file=(%s %ld %pD) %s\n", smk_bu_mess[rc], 244 sskp->smk_known, smk_of_inode(inode)->smk_known, acc, 245 inode->i_sb->s_id, inode->i_ino, file, 246 current->comm); 247 return 0; 248 } 249 #else 250 #define smk_bu_file(file, mode, RC) (RC) 251 #endif 252 253 #ifdef CONFIG_SECURITY_SMACK_BRINGUP 254 static int smk_bu_credfile(const struct cred *cred, struct file *file, 255 int mode, int rc) 256 { 257 struct task_smack *tsp = smack_cred(cred); 258 struct smack_known *sskp = tsp->smk_task; 259 struct inode *inode = file_inode(file); 260 struct inode_smack *isp = smack_inode(inode); 261 char acc[SMK_NUM_ACCESS_TYPE + 1]; 262 263 if (isp->smk_flags & SMK_INODE_IMPURE) 264 pr_info("Smack Unconfined Corruption: inode=(%s %ld) %s\n", 265 inode->i_sb->s_id, inode->i_ino, current->comm); 266 267 if (rc <= 0) 268 return rc; 269 if (rc > SMACK_UNCONFINED_OBJECT) 270 rc = 0; 271 272 smk_bu_mode(mode, acc); 273 pr_info("Smack %s: (%s %s %s) file=(%s %ld %pD) %s\n", smk_bu_mess[rc], 274 sskp->smk_known, smk_of_inode(inode)->smk_known, acc, 275 inode->i_sb->s_id, inode->i_ino, file, 276 current->comm); 277 return 0; 278 } 279 #else 280 #define smk_bu_credfile(cred, file, mode, RC) (RC) 281 #endif 282 283 /** 284 * smk_fetch - Fetch the smack label from a file. 285 * @name: type of the label (attribute) 286 * @ip: a pointer to the inode 287 * @dp: a pointer to the dentry 288 * 289 * Returns a pointer to the master list entry for the Smack label, 290 * NULL if there was no label to fetch, or an error code. 291 */ 292 static struct smack_known *smk_fetch(const char *name, struct inode *ip, 293 struct dentry *dp) 294 { 295 int rc; 296 char *buffer; 297 struct smack_known *skp = NULL; 298 299 if (!(ip->i_opflags & IOP_XATTR)) 300 return ERR_PTR(-EOPNOTSUPP); 301 302 buffer = kzalloc(SMK_LONGLABEL, GFP_NOFS); 303 if (buffer == NULL) 304 return ERR_PTR(-ENOMEM); 305 306 rc = __vfs_getxattr(dp, ip, name, buffer, SMK_LONGLABEL); 307 if (rc < 0) 308 skp = ERR_PTR(rc); 309 else if (rc == 0) 310 skp = NULL; 311 else 312 skp = smk_import_entry(buffer, rc); 313 314 kfree(buffer); 315 316 return skp; 317 } 318 319 /** 320 * init_inode_smack - initialize an inode security blob 321 * @inode: inode to extract the info from 322 * @skp: a pointer to the Smack label entry to use in the blob 323 * 324 */ 325 static void init_inode_smack(struct inode *inode, struct smack_known *skp) 326 { 327 struct inode_smack *isp = smack_inode(inode); 328 329 isp->smk_inode = skp; 330 isp->smk_flags = 0; 331 } 332 333 /** 334 * init_task_smack - initialize a task security blob 335 * @tsp: blob to initialize 336 * @task: a pointer to the Smack label for the running task 337 * @forked: a pointer to the Smack label for the forked task 338 * 339 */ 340 static void init_task_smack(struct task_smack *tsp, struct smack_known *task, 341 struct smack_known *forked) 342 { 343 tsp->smk_task = task; 344 tsp->smk_forked = forked; 345 INIT_LIST_HEAD(&tsp->smk_rules); 346 INIT_LIST_HEAD(&tsp->smk_relabel); 347 mutex_init(&tsp->smk_rules_lock); 348 } 349 350 /** 351 * smk_copy_rules - copy a rule set 352 * @nhead: new rules header pointer 353 * @ohead: old rules header pointer 354 * @gfp: type of the memory for the allocation 355 * 356 * Returns 0 on success, -ENOMEM on error 357 */ 358 static int smk_copy_rules(struct list_head *nhead, struct list_head *ohead, 359 gfp_t gfp) 360 { 361 struct smack_rule *nrp; 362 struct smack_rule *orp; 363 int rc = 0; 364 365 list_for_each_entry_rcu(orp, ohead, list) { 366 nrp = kmem_cache_zalloc(smack_rule_cache, gfp); 367 if (nrp == NULL) { 368 rc = -ENOMEM; 369 break; 370 } 371 *nrp = *orp; 372 list_add_rcu(&nrp->list, nhead); 373 } 374 return rc; 375 } 376 377 /** 378 * smk_copy_relabel - copy smk_relabel labels list 379 * @nhead: new rules header pointer 380 * @ohead: old rules header pointer 381 * @gfp: type of the memory for the allocation 382 * 383 * Returns 0 on success, -ENOMEM on error 384 */ 385 static int smk_copy_relabel(struct list_head *nhead, struct list_head *ohead, 386 gfp_t gfp) 387 { 388 struct smack_known_list_elem *nklep; 389 struct smack_known_list_elem *oklep; 390 391 list_for_each_entry(oklep, ohead, list) { 392 nklep = kzalloc(sizeof(struct smack_known_list_elem), gfp); 393 if (nklep == NULL) { 394 smk_destroy_label_list(nhead); 395 return -ENOMEM; 396 } 397 nklep->smk_label = oklep->smk_label; 398 list_add(&nklep->list, nhead); 399 } 400 401 return 0; 402 } 403 404 /** 405 * smk_ptrace_mode - helper function for converting PTRACE_MODE_* into MAY_* 406 * @mode: input mode in form of PTRACE_MODE_* 407 * 408 * Returns a converted MAY_* mode usable by smack rules 409 */ 410 static inline unsigned int smk_ptrace_mode(unsigned int mode) 411 { 412 if (mode & PTRACE_MODE_ATTACH) 413 return MAY_READWRITE; 414 if (mode & PTRACE_MODE_READ) 415 return MAY_READ; 416 417 return 0; 418 } 419 420 /** 421 * smk_ptrace_rule_check - helper for ptrace access 422 * @tracer: tracer process 423 * @tracee_known: label entry of the process that's about to be traced 424 * @mode: ptrace attachment mode (PTRACE_MODE_*) 425 * @func: name of the function that called us, used for audit 426 * 427 * Returns 0 on access granted, -error on error 428 */ 429 static int smk_ptrace_rule_check(struct task_struct *tracer, 430 struct smack_known *tracee_known, 431 unsigned int mode, const char *func) 432 { 433 int rc; 434 struct smk_audit_info ad, *saip = NULL; 435 struct task_smack *tsp; 436 struct smack_known *tracer_known; 437 const struct cred *tracercred; 438 439 if ((mode & PTRACE_MODE_NOAUDIT) == 0) { 440 smk_ad_init(&ad, func, LSM_AUDIT_DATA_TASK); 441 smk_ad_setfield_u_tsk(&ad, tracer); 442 saip = &ad; 443 } 444 445 rcu_read_lock(); 446 tracercred = __task_cred(tracer); 447 tsp = smack_cred(tracercred); 448 tracer_known = smk_of_task(tsp); 449 450 if ((mode & PTRACE_MODE_ATTACH) && 451 (smack_ptrace_rule == SMACK_PTRACE_EXACT || 452 smack_ptrace_rule == SMACK_PTRACE_DRACONIAN)) { 453 if (tracer_known->smk_known == tracee_known->smk_known) 454 rc = 0; 455 else if (smack_ptrace_rule == SMACK_PTRACE_DRACONIAN) 456 rc = -EACCES; 457 else if (smack_privileged_cred(CAP_SYS_PTRACE, tracercred)) 458 rc = 0; 459 else 460 rc = -EACCES; 461 462 if (saip) 463 smack_log(tracer_known->smk_known, 464 tracee_known->smk_known, 465 0, rc, saip); 466 467 rcu_read_unlock(); 468 return rc; 469 } 470 471 /* In case of rule==SMACK_PTRACE_DEFAULT or mode==PTRACE_MODE_READ */ 472 rc = smk_tskacc(tsp, tracee_known, smk_ptrace_mode(mode), saip); 473 474 rcu_read_unlock(); 475 return rc; 476 } 477 478 /* 479 * LSM hooks. 480 * We he, that is fun! 481 */ 482 483 /** 484 * smack_ptrace_access_check - Smack approval on PTRACE_ATTACH 485 * @ctp: child task pointer 486 * @mode: ptrace attachment mode (PTRACE_MODE_*) 487 * 488 * Returns 0 if access is OK, an error code otherwise 489 * 490 * Do the capability checks. 491 */ 492 static int smack_ptrace_access_check(struct task_struct *ctp, unsigned int mode) 493 { 494 struct smack_known *skp; 495 496 skp = smk_of_task_struct_obj(ctp); 497 498 return smk_ptrace_rule_check(current, skp, mode, __func__); 499 } 500 501 /** 502 * smack_ptrace_traceme - Smack approval on PTRACE_TRACEME 503 * @ptp: parent task pointer 504 * 505 * Returns 0 if access is OK, an error code otherwise 506 * 507 * Do the capability checks, and require PTRACE_MODE_ATTACH. 508 */ 509 static int smack_ptrace_traceme(struct task_struct *ptp) 510 { 511 struct smack_known *skp; 512 513 skp = smk_of_task(smack_cred(current_cred())); 514 515 return smk_ptrace_rule_check(ptp, skp, PTRACE_MODE_ATTACH, __func__); 516 } 517 518 /** 519 * smack_syslog - Smack approval on syslog 520 * @typefrom_file: unused 521 * 522 * Returns 0 on success, error code otherwise. 523 */ 524 static int smack_syslog(int typefrom_file) 525 { 526 int rc = 0; 527 struct smack_known *skp = smk_of_current(); 528 529 if (smack_privileged(CAP_MAC_OVERRIDE)) 530 return 0; 531 532 if (smack_syslog_label != NULL && smack_syslog_label != skp) 533 rc = -EACCES; 534 535 return rc; 536 } 537 538 /* 539 * Superblock Hooks. 540 */ 541 542 /** 543 * smack_sb_alloc_security - allocate a superblock blob 544 * @sb: the superblock getting the blob 545 * 546 * Returns 0 on success or -ENOMEM on error. 547 */ 548 static int smack_sb_alloc_security(struct super_block *sb) 549 { 550 struct superblock_smack *sbsp = smack_superblock(sb); 551 552 sbsp->smk_root = &smack_known_floor; 553 sbsp->smk_default = &smack_known_floor; 554 sbsp->smk_floor = &smack_known_floor; 555 sbsp->smk_hat = &smack_known_hat; 556 /* 557 * SMK_SB_INITIALIZED will be zero from kzalloc. 558 */ 559 560 return 0; 561 } 562 563 struct smack_mnt_opts { 564 const char *fsdefault; 565 const char *fsfloor; 566 const char *fshat; 567 const char *fsroot; 568 const char *fstransmute; 569 }; 570 571 static void smack_free_mnt_opts(void *mnt_opts) 572 { 573 kfree(mnt_opts); 574 } 575 576 static int smack_add_opt(int token, const char *s, void **mnt_opts) 577 { 578 struct smack_mnt_opts *opts = *mnt_opts; 579 struct smack_known *skp; 580 581 if (!opts) { 582 opts = kzalloc(sizeof(struct smack_mnt_opts), GFP_KERNEL); 583 if (!opts) 584 return -ENOMEM; 585 *mnt_opts = opts; 586 } 587 if (!s) 588 return -ENOMEM; 589 590 skp = smk_import_entry(s, 0); 591 if (IS_ERR(skp)) 592 return PTR_ERR(skp); 593 594 switch (token) { 595 case Opt_fsdefault: 596 if (opts->fsdefault) 597 goto out_opt_err; 598 opts->fsdefault = skp->smk_known; 599 break; 600 case Opt_fsfloor: 601 if (opts->fsfloor) 602 goto out_opt_err; 603 opts->fsfloor = skp->smk_known; 604 break; 605 case Opt_fshat: 606 if (opts->fshat) 607 goto out_opt_err; 608 opts->fshat = skp->smk_known; 609 break; 610 case Opt_fsroot: 611 if (opts->fsroot) 612 goto out_opt_err; 613 opts->fsroot = skp->smk_known; 614 break; 615 case Opt_fstransmute: 616 if (opts->fstransmute) 617 goto out_opt_err; 618 opts->fstransmute = skp->smk_known; 619 break; 620 } 621 return 0; 622 623 out_opt_err: 624 pr_warn("Smack: duplicate mount options\n"); 625 return -EINVAL; 626 } 627 628 /** 629 * smack_fs_context_submount - Initialise security data for a filesystem context 630 * @fc: The filesystem context. 631 * @reference: reference superblock 632 * 633 * Returns 0 on success or -ENOMEM on error. 634 */ 635 static int smack_fs_context_submount(struct fs_context *fc, 636 struct super_block *reference) 637 { 638 struct superblock_smack *sbsp; 639 struct smack_mnt_opts *ctx; 640 struct inode_smack *isp; 641 642 ctx = kzalloc(sizeof(*ctx), GFP_KERNEL); 643 if (!ctx) 644 return -ENOMEM; 645 fc->security = ctx; 646 647 sbsp = smack_superblock(reference); 648 isp = smack_inode(reference->s_root->d_inode); 649 650 if (sbsp->smk_default) { 651 ctx->fsdefault = kstrdup(sbsp->smk_default->smk_known, GFP_KERNEL); 652 if (!ctx->fsdefault) 653 return -ENOMEM; 654 } 655 656 if (sbsp->smk_floor) { 657 ctx->fsfloor = kstrdup(sbsp->smk_floor->smk_known, GFP_KERNEL); 658 if (!ctx->fsfloor) 659 return -ENOMEM; 660 } 661 662 if (sbsp->smk_hat) { 663 ctx->fshat = kstrdup(sbsp->smk_hat->smk_known, GFP_KERNEL); 664 if (!ctx->fshat) 665 return -ENOMEM; 666 } 667 668 if (isp->smk_flags & SMK_INODE_TRANSMUTE) { 669 if (sbsp->smk_root) { 670 ctx->fstransmute = kstrdup(sbsp->smk_root->smk_known, GFP_KERNEL); 671 if (!ctx->fstransmute) 672 return -ENOMEM; 673 } 674 } 675 return 0; 676 } 677 678 /** 679 * smack_fs_context_dup - Duplicate the security data on fs_context duplication 680 * @fc: The new filesystem context. 681 * @src_fc: The source filesystem context being duplicated. 682 * 683 * Returns 0 on success or -ENOMEM on error. 684 */ 685 static int smack_fs_context_dup(struct fs_context *fc, 686 struct fs_context *src_fc) 687 { 688 struct smack_mnt_opts *dst, *src = src_fc->security; 689 690 if (!src) 691 return 0; 692 693 fc->security = kzalloc(sizeof(struct smack_mnt_opts), GFP_KERNEL); 694 if (!fc->security) 695 return -ENOMEM; 696 697 dst = fc->security; 698 dst->fsdefault = src->fsdefault; 699 dst->fsfloor = src->fsfloor; 700 dst->fshat = src->fshat; 701 dst->fsroot = src->fsroot; 702 dst->fstransmute = src->fstransmute; 703 704 return 0; 705 } 706 707 static const struct fs_parameter_spec smack_fs_parameters[] = { 708 fsparam_string("smackfsdef", Opt_fsdefault), 709 fsparam_string("smackfsdefault", Opt_fsdefault), 710 fsparam_string("smackfsfloor", Opt_fsfloor), 711 fsparam_string("smackfshat", Opt_fshat), 712 fsparam_string("smackfsroot", Opt_fsroot), 713 fsparam_string("smackfstransmute", Opt_fstransmute), 714 {} 715 }; 716 717 /** 718 * smack_fs_context_parse_param - Parse a single mount parameter 719 * @fc: The new filesystem context being constructed. 720 * @param: The parameter. 721 * 722 * Returns 0 on success, -ENOPARAM to pass the parameter on or anything else on 723 * error. 724 */ 725 static int smack_fs_context_parse_param(struct fs_context *fc, 726 struct fs_parameter *param) 727 { 728 struct fs_parse_result result; 729 int opt, rc; 730 731 opt = fs_parse(fc, smack_fs_parameters, param, &result); 732 if (opt < 0) 733 return opt; 734 735 rc = smack_add_opt(opt, param->string, &fc->security); 736 if (!rc) 737 param->string = NULL; 738 return rc; 739 } 740 741 static int smack_sb_eat_lsm_opts(char *options, void **mnt_opts) 742 { 743 char *from = options, *to = options; 744 bool first = true; 745 746 while (1) { 747 char *next = strchr(from, ','); 748 int token, len, rc; 749 char *arg = NULL; 750 751 if (next) 752 len = next - from; 753 else 754 len = strlen(from); 755 756 token = match_opt_prefix(from, len, &arg); 757 if (token != Opt_error) { 758 arg = kmemdup_nul(arg, from + len - arg, GFP_KERNEL); 759 rc = smack_add_opt(token, arg, mnt_opts); 760 kfree(arg); 761 if (unlikely(rc)) { 762 if (*mnt_opts) 763 smack_free_mnt_opts(*mnt_opts); 764 *mnt_opts = NULL; 765 return rc; 766 } 767 } else { 768 if (!first) { // copy with preceding comma 769 from--; 770 len++; 771 } 772 if (to != from) 773 memmove(to, from, len); 774 to += len; 775 first = false; 776 } 777 if (!from[len]) 778 break; 779 from += len + 1; 780 } 781 *to = '\0'; 782 return 0; 783 } 784 785 /** 786 * smack_set_mnt_opts - set Smack specific mount options 787 * @sb: the file system superblock 788 * @mnt_opts: Smack mount options 789 * @kern_flags: mount option from kernel space or user space 790 * @set_kern_flags: where to store converted mount opts 791 * 792 * Returns 0 on success, an error code on failure 793 * 794 * Allow filesystems with binary mount data to explicitly set Smack mount 795 * labels. 796 */ 797 static int smack_set_mnt_opts(struct super_block *sb, 798 void *mnt_opts, 799 unsigned long kern_flags, 800 unsigned long *set_kern_flags) 801 { 802 struct dentry *root = sb->s_root; 803 struct inode *inode = d_backing_inode(root); 804 struct superblock_smack *sp = smack_superblock(sb); 805 struct inode_smack *isp; 806 struct smack_known *skp; 807 struct smack_mnt_opts *opts = mnt_opts; 808 bool transmute = false; 809 810 if (sp->smk_flags & SMK_SB_INITIALIZED) 811 return 0; 812 813 if (!smack_privileged(CAP_MAC_ADMIN)) { 814 /* 815 * Unprivileged mounts don't get to specify Smack values. 816 */ 817 if (opts) 818 return -EPERM; 819 /* 820 * Unprivileged mounts get root and default from the caller. 821 */ 822 skp = smk_of_current(); 823 sp->smk_root = skp; 824 sp->smk_default = skp; 825 /* 826 * For a handful of fs types with no user-controlled 827 * backing store it's okay to trust security labels 828 * in the filesystem. The rest are untrusted. 829 */ 830 if (sb->s_user_ns != &init_user_ns && 831 sb->s_magic != SYSFS_MAGIC && sb->s_magic != TMPFS_MAGIC && 832 sb->s_magic != RAMFS_MAGIC) { 833 transmute = true; 834 sp->smk_flags |= SMK_SB_UNTRUSTED; 835 } 836 } 837 838 sp->smk_flags |= SMK_SB_INITIALIZED; 839 840 if (opts) { 841 if (opts->fsdefault) { 842 skp = smk_import_entry(opts->fsdefault, 0); 843 if (IS_ERR(skp)) 844 return PTR_ERR(skp); 845 sp->smk_default = skp; 846 } 847 if (opts->fsfloor) { 848 skp = smk_import_entry(opts->fsfloor, 0); 849 if (IS_ERR(skp)) 850 return PTR_ERR(skp); 851 sp->smk_floor = skp; 852 } 853 if (opts->fshat) { 854 skp = smk_import_entry(opts->fshat, 0); 855 if (IS_ERR(skp)) 856 return PTR_ERR(skp); 857 sp->smk_hat = skp; 858 } 859 if (opts->fsroot) { 860 skp = smk_import_entry(opts->fsroot, 0); 861 if (IS_ERR(skp)) 862 return PTR_ERR(skp); 863 sp->smk_root = skp; 864 } 865 if (opts->fstransmute) { 866 skp = smk_import_entry(opts->fstransmute, 0); 867 if (IS_ERR(skp)) 868 return PTR_ERR(skp); 869 sp->smk_root = skp; 870 transmute = true; 871 } 872 } 873 874 /* 875 * Initialize the root inode. 876 */ 877 init_inode_smack(inode, sp->smk_root); 878 879 if (transmute) { 880 isp = smack_inode(inode); 881 isp->smk_flags |= SMK_INODE_TRANSMUTE; 882 } 883 884 return 0; 885 } 886 887 /** 888 * smack_sb_statfs - Smack check on statfs 889 * @dentry: identifies the file system in question 890 * 891 * Returns 0 if current can read the floor of the filesystem, 892 * and error code otherwise 893 */ 894 static int smack_sb_statfs(struct dentry *dentry) 895 { 896 struct superblock_smack *sbp = smack_superblock(dentry->d_sb); 897 int rc; 898 struct smk_audit_info ad; 899 900 smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_DENTRY); 901 smk_ad_setfield_u_fs_path_dentry(&ad, dentry); 902 903 rc = smk_curacc(sbp->smk_floor, MAY_READ, &ad); 904 rc = smk_bu_current("statfs", sbp->smk_floor, MAY_READ, rc); 905 return rc; 906 } 907 908 /* 909 * BPRM hooks 910 */ 911 912 /** 913 * smack_bprm_creds_for_exec - Update bprm->cred if needed for exec 914 * @bprm: the exec information 915 * 916 * Returns 0 if it gets a blob, -EPERM if exec forbidden and -ENOMEM otherwise 917 */ 918 static int smack_bprm_creds_for_exec(struct linux_binprm *bprm) 919 { 920 struct inode *inode = file_inode(bprm->file); 921 struct task_smack *bsp = smack_cred(bprm->cred); 922 struct inode_smack *isp; 923 struct superblock_smack *sbsp; 924 int rc; 925 926 isp = smack_inode(inode); 927 if (isp->smk_task == NULL || isp->smk_task == bsp->smk_task) 928 return 0; 929 930 sbsp = smack_superblock(inode->i_sb); 931 if ((sbsp->smk_flags & SMK_SB_UNTRUSTED) && 932 isp->smk_task != sbsp->smk_root) 933 return 0; 934 935 if (bprm->unsafe & LSM_UNSAFE_PTRACE) { 936 struct task_struct *tracer; 937 rc = 0; 938 939 rcu_read_lock(); 940 tracer = ptrace_parent(current); 941 if (likely(tracer != NULL)) 942 rc = smk_ptrace_rule_check(tracer, 943 isp->smk_task, 944 PTRACE_MODE_ATTACH, 945 __func__); 946 rcu_read_unlock(); 947 948 if (rc != 0) 949 return rc; 950 } 951 if (bprm->unsafe & ~LSM_UNSAFE_PTRACE) 952 return -EPERM; 953 954 bsp->smk_task = isp->smk_task; 955 bprm->per_clear |= PER_CLEAR_ON_SETID; 956 957 /* Decide if this is a secure exec. */ 958 if (bsp->smk_task != bsp->smk_forked) 959 bprm->secureexec = 1; 960 961 return 0; 962 } 963 964 /* 965 * Inode hooks 966 */ 967 968 /** 969 * smack_inode_alloc_security - allocate an inode blob 970 * @inode: the inode in need of a blob 971 * 972 * Returns 0 973 */ 974 static int smack_inode_alloc_security(struct inode *inode) 975 { 976 struct smack_known *skp = smk_of_current(); 977 978 init_inode_smack(inode, skp); 979 return 0; 980 } 981 982 /** 983 * smack_inode_init_security - copy out the smack from an inode 984 * @inode: the newly created inode 985 * @dir: containing directory object 986 * @qstr: unused 987 * @xattrs: where to put the attributes 988 * @xattr_count: current number of LSM-provided xattrs (updated) 989 * 990 * Returns 0 if it all works out, -ENOMEM if there's no memory 991 */ 992 static int smack_inode_init_security(struct inode *inode, struct inode *dir, 993 const struct qstr *qstr, 994 struct xattr *xattrs, int *xattr_count) 995 { 996 struct task_smack *tsp = smack_cred(current_cred()); 997 struct inode_smack *issp = smack_inode(inode); 998 struct smack_known *skp = smk_of_task(tsp); 999 struct smack_known *isp = smk_of_inode(inode); 1000 struct smack_known *dsp = smk_of_inode(dir); 1001 struct xattr *xattr = lsm_get_xattr_slot(xattrs, xattr_count); 1002 int may; 1003 1004 /* 1005 * If equal, transmuting already occurred in 1006 * smack_dentry_create_files_as(). No need to check again. 1007 */ 1008 if (tsp->smk_task != tsp->smk_transmuted) { 1009 rcu_read_lock(); 1010 may = smk_access_entry(skp->smk_known, dsp->smk_known, 1011 &skp->smk_rules); 1012 rcu_read_unlock(); 1013 } 1014 1015 /* 1016 * In addition to having smk_task equal to smk_transmuted, 1017 * if the access rule allows transmutation and the directory 1018 * requests transmutation then by all means transmute. 1019 * Mark the inode as changed. 1020 */ 1021 if ((tsp->smk_task == tsp->smk_transmuted) || 1022 (may > 0 && ((may & MAY_TRANSMUTE) != 0) && 1023 smk_inode_transmutable(dir))) { 1024 struct xattr *xattr_transmute; 1025 1026 /* 1027 * The caller of smack_dentry_create_files_as() 1028 * should have overridden the current cred, so the 1029 * inode label was already set correctly in 1030 * smack_inode_alloc_security(). 1031 */ 1032 if (tsp->smk_task != tsp->smk_transmuted) 1033 isp = issp->smk_inode = dsp; 1034 1035 issp->smk_flags |= SMK_INODE_TRANSMUTE; 1036 xattr_transmute = lsm_get_xattr_slot(xattrs, 1037 xattr_count); 1038 if (xattr_transmute) { 1039 xattr_transmute->value = kmemdup(TRANS_TRUE, 1040 TRANS_TRUE_SIZE, 1041 GFP_NOFS); 1042 if (!xattr_transmute->value) 1043 return -ENOMEM; 1044 1045 xattr_transmute->value_len = TRANS_TRUE_SIZE; 1046 xattr_transmute->name = XATTR_SMACK_TRANSMUTE; 1047 } 1048 } 1049 1050 issp->smk_flags |= SMK_INODE_INSTANT; 1051 1052 if (xattr) { 1053 xattr->value = kstrdup(isp->smk_known, GFP_NOFS); 1054 if (!xattr->value) 1055 return -ENOMEM; 1056 1057 xattr->value_len = strlen(isp->smk_known); 1058 xattr->name = XATTR_SMACK_SUFFIX; 1059 } 1060 1061 return 0; 1062 } 1063 1064 /** 1065 * smack_inode_link - Smack check on link 1066 * @old_dentry: the existing object 1067 * @dir: unused 1068 * @new_dentry: the new object 1069 * 1070 * Returns 0 if access is permitted, an error code otherwise 1071 */ 1072 static int smack_inode_link(struct dentry *old_dentry, struct inode *dir, 1073 struct dentry *new_dentry) 1074 { 1075 struct smack_known *isp; 1076 struct smk_audit_info ad; 1077 int rc; 1078 1079 smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_DENTRY); 1080 smk_ad_setfield_u_fs_path_dentry(&ad, old_dentry); 1081 1082 isp = smk_of_inode(d_backing_inode(old_dentry)); 1083 rc = smk_curacc(isp, MAY_WRITE, &ad); 1084 rc = smk_bu_inode(d_backing_inode(old_dentry), MAY_WRITE, rc); 1085 1086 if (rc == 0 && d_is_positive(new_dentry)) { 1087 isp = smk_of_inode(d_backing_inode(new_dentry)); 1088 smk_ad_setfield_u_fs_path_dentry(&ad, new_dentry); 1089 rc = smk_curacc(isp, MAY_WRITE, &ad); 1090 rc = smk_bu_inode(d_backing_inode(new_dentry), MAY_WRITE, rc); 1091 } 1092 1093 return rc; 1094 } 1095 1096 /** 1097 * smack_inode_unlink - Smack check on inode deletion 1098 * @dir: containing directory object 1099 * @dentry: file to unlink 1100 * 1101 * Returns 0 if current can write the containing directory 1102 * and the object, error code otherwise 1103 */ 1104 static int smack_inode_unlink(struct inode *dir, struct dentry *dentry) 1105 { 1106 struct inode *ip = d_backing_inode(dentry); 1107 struct smk_audit_info ad; 1108 int rc; 1109 1110 smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_DENTRY); 1111 smk_ad_setfield_u_fs_path_dentry(&ad, dentry); 1112 1113 /* 1114 * You need write access to the thing you're unlinking 1115 */ 1116 rc = smk_curacc(smk_of_inode(ip), MAY_WRITE, &ad); 1117 rc = smk_bu_inode(ip, MAY_WRITE, rc); 1118 if (rc == 0) { 1119 /* 1120 * You also need write access to the containing directory 1121 */ 1122 smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_INODE); 1123 smk_ad_setfield_u_fs_inode(&ad, dir); 1124 rc = smk_curacc(smk_of_inode(dir), MAY_WRITE, &ad); 1125 rc = smk_bu_inode(dir, MAY_WRITE, rc); 1126 } 1127 return rc; 1128 } 1129 1130 /** 1131 * smack_inode_rmdir - Smack check on directory deletion 1132 * @dir: containing directory object 1133 * @dentry: directory to unlink 1134 * 1135 * Returns 0 if current can write the containing directory 1136 * and the directory, error code otherwise 1137 */ 1138 static int smack_inode_rmdir(struct inode *dir, struct dentry *dentry) 1139 { 1140 struct smk_audit_info ad; 1141 int rc; 1142 1143 smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_DENTRY); 1144 smk_ad_setfield_u_fs_path_dentry(&ad, dentry); 1145 1146 /* 1147 * You need write access to the thing you're removing 1148 */ 1149 rc = smk_curacc(smk_of_inode(d_backing_inode(dentry)), MAY_WRITE, &ad); 1150 rc = smk_bu_inode(d_backing_inode(dentry), MAY_WRITE, rc); 1151 if (rc == 0) { 1152 /* 1153 * You also need write access to the containing directory 1154 */ 1155 smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_INODE); 1156 smk_ad_setfield_u_fs_inode(&ad, dir); 1157 rc = smk_curacc(smk_of_inode(dir), MAY_WRITE, &ad); 1158 rc = smk_bu_inode(dir, MAY_WRITE, rc); 1159 } 1160 1161 return rc; 1162 } 1163 1164 /** 1165 * smack_inode_rename - Smack check on rename 1166 * @old_inode: unused 1167 * @old_dentry: the old object 1168 * @new_inode: unused 1169 * @new_dentry: the new object 1170 * 1171 * Read and write access is required on both the old and 1172 * new directories. 1173 * 1174 * Returns 0 if access is permitted, an error code otherwise 1175 */ 1176 static int smack_inode_rename(struct inode *old_inode, 1177 struct dentry *old_dentry, 1178 struct inode *new_inode, 1179 struct dentry *new_dentry) 1180 { 1181 int rc; 1182 struct smack_known *isp; 1183 struct smk_audit_info ad; 1184 1185 smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_DENTRY); 1186 smk_ad_setfield_u_fs_path_dentry(&ad, old_dentry); 1187 1188 isp = smk_of_inode(d_backing_inode(old_dentry)); 1189 rc = smk_curacc(isp, MAY_READWRITE, &ad); 1190 rc = smk_bu_inode(d_backing_inode(old_dentry), MAY_READWRITE, rc); 1191 1192 if (rc == 0 && d_is_positive(new_dentry)) { 1193 isp = smk_of_inode(d_backing_inode(new_dentry)); 1194 smk_ad_setfield_u_fs_path_dentry(&ad, new_dentry); 1195 rc = smk_curacc(isp, MAY_READWRITE, &ad); 1196 rc = smk_bu_inode(d_backing_inode(new_dentry), MAY_READWRITE, rc); 1197 } 1198 return rc; 1199 } 1200 1201 /** 1202 * smack_inode_permission - Smack version of permission() 1203 * @inode: the inode in question 1204 * @mask: the access requested 1205 * 1206 * This is the important Smack hook. 1207 * 1208 * Returns 0 if access is permitted, an error code otherwise 1209 */ 1210 static int smack_inode_permission(struct inode *inode, int mask) 1211 { 1212 struct superblock_smack *sbsp = smack_superblock(inode->i_sb); 1213 struct smk_audit_info ad; 1214 int no_block = mask & MAY_NOT_BLOCK; 1215 int rc; 1216 1217 mask &= (MAY_READ|MAY_WRITE|MAY_EXEC|MAY_APPEND); 1218 /* 1219 * No permission to check. Existence test. Yup, it's there. 1220 */ 1221 if (mask == 0) 1222 return 0; 1223 1224 if (sbsp->smk_flags & SMK_SB_UNTRUSTED) { 1225 if (smk_of_inode(inode) != sbsp->smk_root) 1226 return -EACCES; 1227 } 1228 1229 /* May be droppable after audit */ 1230 if (no_block) 1231 return -ECHILD; 1232 smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_INODE); 1233 smk_ad_setfield_u_fs_inode(&ad, inode); 1234 rc = smk_curacc(smk_of_inode(inode), mask, &ad); 1235 rc = smk_bu_inode(inode, mask, rc); 1236 return rc; 1237 } 1238 1239 /** 1240 * smack_inode_setattr - Smack check for setting attributes 1241 * @idmap: idmap of the mount 1242 * @dentry: the object 1243 * @iattr: for the force flag 1244 * 1245 * Returns 0 if access is permitted, an error code otherwise 1246 */ 1247 static int smack_inode_setattr(struct mnt_idmap *idmap, struct dentry *dentry, 1248 struct iattr *iattr) 1249 { 1250 struct smk_audit_info ad; 1251 int rc; 1252 1253 /* 1254 * Need to allow for clearing the setuid bit. 1255 */ 1256 if (iattr->ia_valid & ATTR_FORCE) 1257 return 0; 1258 smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_DENTRY); 1259 smk_ad_setfield_u_fs_path_dentry(&ad, dentry); 1260 1261 rc = smk_curacc(smk_of_inode(d_backing_inode(dentry)), MAY_WRITE, &ad); 1262 rc = smk_bu_inode(d_backing_inode(dentry), MAY_WRITE, rc); 1263 return rc; 1264 } 1265 1266 /** 1267 * smack_inode_getattr - Smack check for getting attributes 1268 * @path: path to extract the info from 1269 * 1270 * Returns 0 if access is permitted, an error code otherwise 1271 */ 1272 static int smack_inode_getattr(const struct path *path) 1273 { 1274 struct smk_audit_info ad; 1275 struct inode *inode = d_backing_inode(path->dentry); 1276 int rc; 1277 1278 smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_PATH); 1279 smk_ad_setfield_u_fs_path(&ad, *path); 1280 rc = smk_curacc(smk_of_inode(inode), MAY_READ, &ad); 1281 rc = smk_bu_inode(inode, MAY_READ, rc); 1282 return rc; 1283 } 1284 1285 /** 1286 * smack_inode_xattr_skipcap - Skip the xattr capability checks? 1287 * @name: name of the xattr 1288 * 1289 * Returns 1 to indicate that Smack "owns" the access control rights to xattrs 1290 * named @name; the LSM layer should avoid enforcing any traditional 1291 * capability based access controls on this xattr. Returns 0 to indicate that 1292 * Smack does not "own" the access control rights to xattrs named @name and is 1293 * deferring to the LSM layer for further access controls, including capability 1294 * based controls. 1295 */ 1296 static int smack_inode_xattr_skipcap(const char *name) 1297 { 1298 if (strncmp(name, XATTR_SMACK_SUFFIX, strlen(XATTR_SMACK_SUFFIX))) 1299 return 0; 1300 1301 if (strcmp(name, XATTR_NAME_SMACK) == 0 || 1302 strcmp(name, XATTR_NAME_SMACKIPIN) == 0 || 1303 strcmp(name, XATTR_NAME_SMACKIPOUT) == 0 || 1304 strcmp(name, XATTR_NAME_SMACKEXEC) == 0 || 1305 strcmp(name, XATTR_NAME_SMACKMMAP) == 0 || 1306 strcmp(name, XATTR_NAME_SMACKTRANSMUTE) == 0) 1307 return 1; 1308 1309 return 0; 1310 } 1311 1312 /** 1313 * smack_inode_setxattr - Smack check for setting xattrs 1314 * @idmap: idmap of the mount 1315 * @dentry: the object 1316 * @name: name of the attribute 1317 * @value: value of the attribute 1318 * @size: size of the value 1319 * @flags: unused 1320 * 1321 * This protects the Smack attribute explicitly. 1322 * 1323 * Returns 0 if access is permitted, an error code otherwise 1324 */ 1325 static int smack_inode_setxattr(struct mnt_idmap *idmap, 1326 struct dentry *dentry, const char *name, 1327 const void *value, size_t size, int flags) 1328 { 1329 struct smk_audit_info ad; 1330 struct smack_known *skp; 1331 int check_priv = 0; 1332 int check_import = 0; 1333 int check_star = 0; 1334 int rc = 0; 1335 1336 /* 1337 * Check label validity here so import won't fail in post_setxattr 1338 */ 1339 if (strcmp(name, XATTR_NAME_SMACK) == 0 || 1340 strcmp(name, XATTR_NAME_SMACKIPIN) == 0 || 1341 strcmp(name, XATTR_NAME_SMACKIPOUT) == 0) { 1342 check_priv = 1; 1343 check_import = 1; 1344 } else if (strcmp(name, XATTR_NAME_SMACKEXEC) == 0 || 1345 strcmp(name, XATTR_NAME_SMACKMMAP) == 0) { 1346 check_priv = 1; 1347 check_import = 1; 1348 check_star = 1; 1349 } else if (strcmp(name, XATTR_NAME_SMACKTRANSMUTE) == 0) { 1350 check_priv = 1; 1351 if (!S_ISDIR(d_backing_inode(dentry)->i_mode) || 1352 size != TRANS_TRUE_SIZE || 1353 strncmp(value, TRANS_TRUE, TRANS_TRUE_SIZE) != 0) 1354 rc = -EINVAL; 1355 } 1356 1357 if (check_priv && !smack_privileged(CAP_MAC_ADMIN)) 1358 rc = -EPERM; 1359 1360 if (rc == 0 && check_import) { 1361 skp = size ? smk_import_entry(value, size) : NULL; 1362 if (IS_ERR(skp)) 1363 rc = PTR_ERR(skp); 1364 else if (skp == NULL || (check_star && 1365 (skp == &smack_known_star || skp == &smack_known_web))) 1366 rc = -EINVAL; 1367 } 1368 1369 smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_DENTRY); 1370 smk_ad_setfield_u_fs_path_dentry(&ad, dentry); 1371 1372 if (rc == 0) { 1373 rc = smk_curacc(smk_of_inode(d_backing_inode(dentry)), MAY_WRITE, &ad); 1374 rc = smk_bu_inode(d_backing_inode(dentry), MAY_WRITE, rc); 1375 } 1376 1377 return rc; 1378 } 1379 1380 /** 1381 * smack_inode_post_setxattr - Apply the Smack update approved above 1382 * @dentry: object 1383 * @name: attribute name 1384 * @value: attribute value 1385 * @size: attribute size 1386 * @flags: unused 1387 * 1388 * Set the pointer in the inode blob to the entry found 1389 * in the master label list. 1390 */ 1391 static void smack_inode_post_setxattr(struct dentry *dentry, const char *name, 1392 const void *value, size_t size, int flags) 1393 { 1394 struct smack_known *skp; 1395 struct inode_smack *isp = smack_inode(d_backing_inode(dentry)); 1396 1397 if (strcmp(name, XATTR_NAME_SMACKTRANSMUTE) == 0) { 1398 isp->smk_flags |= SMK_INODE_TRANSMUTE; 1399 return; 1400 } 1401 1402 if (strcmp(name, XATTR_NAME_SMACK) == 0) { 1403 skp = smk_import_entry(value, size); 1404 if (!IS_ERR(skp)) 1405 isp->smk_inode = skp; 1406 } else if (strcmp(name, XATTR_NAME_SMACKEXEC) == 0) { 1407 skp = smk_import_entry(value, size); 1408 if (!IS_ERR(skp)) 1409 isp->smk_task = skp; 1410 } else if (strcmp(name, XATTR_NAME_SMACKMMAP) == 0) { 1411 skp = smk_import_entry(value, size); 1412 if (!IS_ERR(skp)) 1413 isp->smk_mmap = skp; 1414 } 1415 1416 return; 1417 } 1418 1419 /** 1420 * smack_inode_getxattr - Smack check on getxattr 1421 * @dentry: the object 1422 * @name: unused 1423 * 1424 * Returns 0 if access is permitted, an error code otherwise 1425 */ 1426 static int smack_inode_getxattr(struct dentry *dentry, const char *name) 1427 { 1428 struct smk_audit_info ad; 1429 int rc; 1430 1431 smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_DENTRY); 1432 smk_ad_setfield_u_fs_path_dentry(&ad, dentry); 1433 1434 rc = smk_curacc(smk_of_inode(d_backing_inode(dentry)), MAY_READ, &ad); 1435 rc = smk_bu_inode(d_backing_inode(dentry), MAY_READ, rc); 1436 return rc; 1437 } 1438 1439 /** 1440 * smack_inode_removexattr - Smack check on removexattr 1441 * @idmap: idmap of the mount 1442 * @dentry: the object 1443 * @name: name of the attribute 1444 * 1445 * Removing the Smack attribute requires CAP_MAC_ADMIN 1446 * 1447 * Returns 0 if access is permitted, an error code otherwise 1448 */ 1449 static int smack_inode_removexattr(struct mnt_idmap *idmap, 1450 struct dentry *dentry, const char *name) 1451 { 1452 struct inode_smack *isp; 1453 struct smk_audit_info ad; 1454 int rc = 0; 1455 1456 if (strcmp(name, XATTR_NAME_SMACK) == 0 || 1457 strcmp(name, XATTR_NAME_SMACKIPIN) == 0 || 1458 strcmp(name, XATTR_NAME_SMACKIPOUT) == 0 || 1459 strcmp(name, XATTR_NAME_SMACKEXEC) == 0 || 1460 strcmp(name, XATTR_NAME_SMACKTRANSMUTE) == 0 || 1461 strcmp(name, XATTR_NAME_SMACKMMAP) == 0) { 1462 if (!smack_privileged(CAP_MAC_ADMIN)) 1463 rc = -EPERM; 1464 } 1465 1466 if (rc != 0) 1467 return rc; 1468 1469 smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_DENTRY); 1470 smk_ad_setfield_u_fs_path_dentry(&ad, dentry); 1471 1472 rc = smk_curacc(smk_of_inode(d_backing_inode(dentry)), MAY_WRITE, &ad); 1473 rc = smk_bu_inode(d_backing_inode(dentry), MAY_WRITE, rc); 1474 if (rc != 0) 1475 return rc; 1476 1477 isp = smack_inode(d_backing_inode(dentry)); 1478 /* 1479 * Don't do anything special for these. 1480 * XATTR_NAME_SMACKIPIN 1481 * XATTR_NAME_SMACKIPOUT 1482 */ 1483 if (strcmp(name, XATTR_NAME_SMACK) == 0) { 1484 struct super_block *sbp = dentry->d_sb; 1485 struct superblock_smack *sbsp = smack_superblock(sbp); 1486 1487 isp->smk_inode = sbsp->smk_default; 1488 } else if (strcmp(name, XATTR_NAME_SMACKEXEC) == 0) 1489 isp->smk_task = NULL; 1490 else if (strcmp(name, XATTR_NAME_SMACKMMAP) == 0) 1491 isp->smk_mmap = NULL; 1492 else if (strcmp(name, XATTR_NAME_SMACKTRANSMUTE) == 0) 1493 isp->smk_flags &= ~SMK_INODE_TRANSMUTE; 1494 1495 return 0; 1496 } 1497 1498 /** 1499 * smack_inode_set_acl - Smack check for setting posix acls 1500 * @idmap: idmap of the mnt this request came from 1501 * @dentry: the object 1502 * @acl_name: name of the posix acl 1503 * @kacl: the posix acls 1504 * 1505 * Returns 0 if access is permitted, an error code otherwise 1506 */ 1507 static int smack_inode_set_acl(struct mnt_idmap *idmap, 1508 struct dentry *dentry, const char *acl_name, 1509 struct posix_acl *kacl) 1510 { 1511 struct smk_audit_info ad; 1512 int rc; 1513 1514 smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_DENTRY); 1515 smk_ad_setfield_u_fs_path_dentry(&ad, dentry); 1516 1517 rc = smk_curacc(smk_of_inode(d_backing_inode(dentry)), MAY_WRITE, &ad); 1518 rc = smk_bu_inode(d_backing_inode(dentry), MAY_WRITE, rc); 1519 return rc; 1520 } 1521 1522 /** 1523 * smack_inode_get_acl - Smack check for getting posix acls 1524 * @idmap: idmap of the mnt this request came from 1525 * @dentry: the object 1526 * @acl_name: name of the posix acl 1527 * 1528 * Returns 0 if access is permitted, an error code otherwise 1529 */ 1530 static int smack_inode_get_acl(struct mnt_idmap *idmap, 1531 struct dentry *dentry, const char *acl_name) 1532 { 1533 struct smk_audit_info ad; 1534 int rc; 1535 1536 smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_DENTRY); 1537 smk_ad_setfield_u_fs_path_dentry(&ad, dentry); 1538 1539 rc = smk_curacc(smk_of_inode(d_backing_inode(dentry)), MAY_READ, &ad); 1540 rc = smk_bu_inode(d_backing_inode(dentry), MAY_READ, rc); 1541 return rc; 1542 } 1543 1544 /** 1545 * smack_inode_remove_acl - Smack check for getting posix acls 1546 * @idmap: idmap of the mnt this request came from 1547 * @dentry: the object 1548 * @acl_name: name of the posix acl 1549 * 1550 * Returns 0 if access is permitted, an error code otherwise 1551 */ 1552 static int smack_inode_remove_acl(struct mnt_idmap *idmap, 1553 struct dentry *dentry, const char *acl_name) 1554 { 1555 struct smk_audit_info ad; 1556 int rc; 1557 1558 smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_DENTRY); 1559 smk_ad_setfield_u_fs_path_dentry(&ad, dentry); 1560 1561 rc = smk_curacc(smk_of_inode(d_backing_inode(dentry)), MAY_WRITE, &ad); 1562 rc = smk_bu_inode(d_backing_inode(dentry), MAY_WRITE, rc); 1563 return rc; 1564 } 1565 1566 /** 1567 * smack_inode_getsecurity - get smack xattrs 1568 * @idmap: idmap of the mount 1569 * @inode: the object 1570 * @name: attribute name 1571 * @buffer: where to put the result 1572 * @alloc: duplicate memory 1573 * 1574 * Returns the size of the attribute or an error code 1575 */ 1576 static int smack_inode_getsecurity(struct mnt_idmap *idmap, 1577 struct inode *inode, const char *name, 1578 void **buffer, bool alloc) 1579 { 1580 struct socket_smack *ssp; 1581 struct socket *sock; 1582 struct super_block *sbp; 1583 struct inode *ip = inode; 1584 struct smack_known *isp; 1585 struct inode_smack *ispp; 1586 size_t label_len; 1587 char *label = NULL; 1588 1589 if (strcmp(name, XATTR_SMACK_SUFFIX) == 0) { 1590 isp = smk_of_inode(inode); 1591 } else if (strcmp(name, XATTR_SMACK_TRANSMUTE) == 0) { 1592 ispp = smack_inode(inode); 1593 if (ispp->smk_flags & SMK_INODE_TRANSMUTE) 1594 label = TRANS_TRUE; 1595 else 1596 label = ""; 1597 } else { 1598 /* 1599 * The rest of the Smack xattrs are only on sockets. 1600 */ 1601 sbp = ip->i_sb; 1602 if (sbp->s_magic != SOCKFS_MAGIC) 1603 return -EOPNOTSUPP; 1604 1605 sock = SOCKET_I(ip); 1606 if (sock == NULL || sock->sk == NULL) 1607 return -EOPNOTSUPP; 1608 1609 ssp = smack_sock(sock->sk); 1610 1611 if (strcmp(name, XATTR_SMACK_IPIN) == 0) 1612 isp = ssp->smk_in; 1613 else if (strcmp(name, XATTR_SMACK_IPOUT) == 0) 1614 isp = ssp->smk_out; 1615 else 1616 return -EOPNOTSUPP; 1617 } 1618 1619 if (!label) 1620 label = isp->smk_known; 1621 1622 label_len = strlen(label); 1623 1624 if (alloc) { 1625 *buffer = kstrdup(label, GFP_KERNEL); 1626 if (*buffer == NULL) 1627 return -ENOMEM; 1628 } 1629 1630 return label_len; 1631 } 1632 1633 1634 /** 1635 * smack_inode_listsecurity - list the Smack attributes 1636 * @inode: the object 1637 * @buffer: where they go 1638 * @buffer_size: size of buffer 1639 */ 1640 static int smack_inode_listsecurity(struct inode *inode, char *buffer, 1641 size_t buffer_size) 1642 { 1643 int len = sizeof(XATTR_NAME_SMACK); 1644 1645 if (buffer != NULL && len <= buffer_size) 1646 memcpy(buffer, XATTR_NAME_SMACK, len); 1647 1648 return len; 1649 } 1650 1651 /** 1652 * smack_inode_getlsmprop - Extract inode's security id 1653 * @inode: inode to extract the info from 1654 * @prop: where result will be saved 1655 */ 1656 static void smack_inode_getlsmprop(struct inode *inode, struct lsm_prop *prop) 1657 { 1658 prop->smack.skp = smk_of_inode(inode); 1659 } 1660 1661 /* 1662 * File Hooks 1663 */ 1664 1665 /* 1666 * There is no smack_file_permission hook 1667 * 1668 * Should access checks be done on each read or write? 1669 * UNICOS and SELinux say yes. 1670 * Trusted Solaris, Trusted Irix, and just about everyone else says no. 1671 * 1672 * I'll say no for now. Smack does not do the frequent 1673 * label changing that SELinux does. 1674 */ 1675 1676 /** 1677 * smack_file_alloc_security - assign a file security blob 1678 * @file: the object 1679 * 1680 * The security blob for a file is a pointer to the master 1681 * label list, so no allocation is done. 1682 * 1683 * f_security is the owner security information. It 1684 * isn't used on file access checks, it's for send_sigio. 1685 * 1686 * Returns 0 1687 */ 1688 static int smack_file_alloc_security(struct file *file) 1689 { 1690 struct smack_known **blob = smack_file(file); 1691 1692 *blob = smk_of_current(); 1693 return 0; 1694 } 1695 1696 /** 1697 * smack_file_ioctl - Smack check on ioctls 1698 * @file: the object 1699 * @cmd: what to do 1700 * @arg: unused 1701 * 1702 * Relies heavily on the correct use of the ioctl command conventions. 1703 * 1704 * Returns 0 if allowed, error code otherwise 1705 */ 1706 static int smack_file_ioctl(struct file *file, unsigned int cmd, 1707 unsigned long arg) 1708 { 1709 int rc = 0; 1710 struct smk_audit_info ad; 1711 struct inode *inode = file_inode(file); 1712 1713 if (unlikely(IS_PRIVATE(inode))) 1714 return 0; 1715 1716 smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_PATH); 1717 smk_ad_setfield_u_fs_path(&ad, file->f_path); 1718 1719 if (_IOC_DIR(cmd) & _IOC_WRITE) { 1720 rc = smk_curacc(smk_of_inode(inode), MAY_WRITE, &ad); 1721 rc = smk_bu_file(file, MAY_WRITE, rc); 1722 } 1723 1724 if (rc == 0 && (_IOC_DIR(cmd) & _IOC_READ)) { 1725 rc = smk_curacc(smk_of_inode(inode), MAY_READ, &ad); 1726 rc = smk_bu_file(file, MAY_READ, rc); 1727 } 1728 1729 return rc; 1730 } 1731 1732 /** 1733 * smack_file_lock - Smack check on file locking 1734 * @file: the object 1735 * @cmd: unused 1736 * 1737 * Returns 0 if current has lock access, error code otherwise 1738 */ 1739 static int smack_file_lock(struct file *file, unsigned int cmd) 1740 { 1741 struct smk_audit_info ad; 1742 int rc; 1743 struct inode *inode = file_inode(file); 1744 1745 if (unlikely(IS_PRIVATE(inode))) 1746 return 0; 1747 1748 smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_PATH); 1749 smk_ad_setfield_u_fs_path(&ad, file->f_path); 1750 rc = smk_curacc(smk_of_inode(inode), MAY_LOCK, &ad); 1751 rc = smk_bu_file(file, MAY_LOCK, rc); 1752 return rc; 1753 } 1754 1755 /** 1756 * smack_file_fcntl - Smack check on fcntl 1757 * @file: the object 1758 * @cmd: what action to check 1759 * @arg: unused 1760 * 1761 * Generally these operations are harmless. 1762 * File locking operations present an obvious mechanism 1763 * for passing information, so they require write access. 1764 * 1765 * Returns 0 if current has access, error code otherwise 1766 */ 1767 static int smack_file_fcntl(struct file *file, unsigned int cmd, 1768 unsigned long arg) 1769 { 1770 struct smk_audit_info ad; 1771 int rc = 0; 1772 struct inode *inode = file_inode(file); 1773 1774 if (unlikely(IS_PRIVATE(inode))) 1775 return 0; 1776 1777 switch (cmd) { 1778 case F_GETLK: 1779 break; 1780 case F_SETLK: 1781 case F_SETLKW: 1782 smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_PATH); 1783 smk_ad_setfield_u_fs_path(&ad, file->f_path); 1784 rc = smk_curacc(smk_of_inode(inode), MAY_LOCK, &ad); 1785 rc = smk_bu_file(file, MAY_LOCK, rc); 1786 break; 1787 case F_SETOWN: 1788 case F_SETSIG: 1789 smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_PATH); 1790 smk_ad_setfield_u_fs_path(&ad, file->f_path); 1791 rc = smk_curacc(smk_of_inode(inode), MAY_WRITE, &ad); 1792 rc = smk_bu_file(file, MAY_WRITE, rc); 1793 break; 1794 default: 1795 break; 1796 } 1797 1798 return rc; 1799 } 1800 1801 /** 1802 * smack_mmap_file - Check permissions for a mmap operation. 1803 * @file: contains the file structure for file to map (may be NULL). 1804 * @reqprot: contains the protection requested by the application. 1805 * @prot: contains the protection that will be applied by the kernel. 1806 * @flags: contains the operational flags. 1807 * 1808 * The @file may be NULL, e.g. if mapping anonymous memory. 1809 * 1810 * Return 0 if permission is granted. 1811 */ 1812 static int smack_mmap_file(struct file *file, 1813 unsigned long reqprot, unsigned long prot, 1814 unsigned long flags) 1815 { 1816 struct smack_known *skp; 1817 struct smack_known *mkp; 1818 struct smack_rule *srp; 1819 struct task_smack *tsp; 1820 struct smack_known *okp; 1821 struct inode_smack *isp; 1822 struct superblock_smack *sbsp; 1823 int may; 1824 int mmay; 1825 int tmay; 1826 int rc; 1827 1828 if (file == NULL) 1829 return 0; 1830 1831 if (unlikely(IS_PRIVATE(file_inode(file)))) 1832 return 0; 1833 1834 isp = smack_inode(file_inode(file)); 1835 if (isp->smk_mmap == NULL) 1836 return 0; 1837 sbsp = smack_superblock(file_inode(file)->i_sb); 1838 if (sbsp->smk_flags & SMK_SB_UNTRUSTED && 1839 isp->smk_mmap != sbsp->smk_root) 1840 return -EACCES; 1841 mkp = isp->smk_mmap; 1842 1843 tsp = smack_cred(current_cred()); 1844 skp = smk_of_current(); 1845 rc = 0; 1846 1847 rcu_read_lock(); 1848 /* 1849 * For each Smack rule associated with the subject 1850 * label verify that the SMACK64MMAP also has access 1851 * to that rule's object label. 1852 */ 1853 list_for_each_entry_rcu(srp, &skp->smk_rules, list) { 1854 okp = srp->smk_object; 1855 /* 1856 * Matching labels always allows access. 1857 */ 1858 if (mkp->smk_known == okp->smk_known) 1859 continue; 1860 /* 1861 * If there is a matching local rule take 1862 * that into account as well. 1863 */ 1864 may = smk_access_entry(srp->smk_subject->smk_known, 1865 okp->smk_known, 1866 &tsp->smk_rules); 1867 if (may == -ENOENT) 1868 may = srp->smk_access; 1869 else 1870 may &= srp->smk_access; 1871 /* 1872 * If may is zero the SMACK64MMAP subject can't 1873 * possibly have less access. 1874 */ 1875 if (may == 0) 1876 continue; 1877 1878 /* 1879 * Fetch the global list entry. 1880 * If there isn't one a SMACK64MMAP subject 1881 * can't have as much access as current. 1882 */ 1883 mmay = smk_access_entry(mkp->smk_known, okp->smk_known, 1884 &mkp->smk_rules); 1885 if (mmay == -ENOENT) { 1886 rc = -EACCES; 1887 break; 1888 } 1889 /* 1890 * If there is a local entry it modifies the 1891 * potential access, too. 1892 */ 1893 tmay = smk_access_entry(mkp->smk_known, okp->smk_known, 1894 &tsp->smk_rules); 1895 if (tmay != -ENOENT) 1896 mmay &= tmay; 1897 1898 /* 1899 * If there is any access available to current that is 1900 * not available to a SMACK64MMAP subject 1901 * deny access. 1902 */ 1903 if ((may | mmay) != mmay) { 1904 rc = -EACCES; 1905 break; 1906 } 1907 } 1908 1909 rcu_read_unlock(); 1910 1911 return rc; 1912 } 1913 1914 /** 1915 * smack_file_set_fowner - set the file security blob value 1916 * @file: object in question 1917 * 1918 */ 1919 static void smack_file_set_fowner(struct file *file) 1920 { 1921 struct smack_known **blob = smack_file(file); 1922 1923 *blob = smk_of_current(); 1924 } 1925 1926 /** 1927 * smack_file_send_sigiotask - Smack on sigio 1928 * @tsk: The target task 1929 * @fown: the object the signal come from 1930 * @signum: unused 1931 * 1932 * Allow a privileged task to get signals even if it shouldn't 1933 * 1934 * Returns 0 if a subject with the object's smack could 1935 * write to the task, an error code otherwise. 1936 */ 1937 static int smack_file_send_sigiotask(struct task_struct *tsk, 1938 struct fown_struct *fown, int signum) 1939 { 1940 struct smack_known **blob; 1941 struct smack_known *skp; 1942 struct smack_known *tkp = smk_of_task(smack_cred(tsk->cred)); 1943 const struct cred *tcred; 1944 struct file *file; 1945 int rc; 1946 struct smk_audit_info ad; 1947 1948 /* 1949 * struct fown_struct is never outside the context of a struct file 1950 */ 1951 file = fown->file; 1952 1953 /* we don't log here as rc can be overriden */ 1954 blob = smack_file(file); 1955 skp = *blob; 1956 rc = smk_access(skp, tkp, MAY_DELIVER, NULL); 1957 rc = smk_bu_note("sigiotask", skp, tkp, MAY_DELIVER, rc); 1958 1959 rcu_read_lock(); 1960 tcred = __task_cred(tsk); 1961 if (rc != 0 && smack_privileged_cred(CAP_MAC_OVERRIDE, tcred)) 1962 rc = 0; 1963 rcu_read_unlock(); 1964 1965 smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_TASK); 1966 smk_ad_setfield_u_tsk(&ad, tsk); 1967 smack_log(skp->smk_known, tkp->smk_known, MAY_DELIVER, rc, &ad); 1968 return rc; 1969 } 1970 1971 /** 1972 * smack_file_receive - Smack file receive check 1973 * @file: the object 1974 * 1975 * Returns 0 if current has access, error code otherwise 1976 */ 1977 static int smack_file_receive(struct file *file) 1978 { 1979 int rc; 1980 int may = 0; 1981 struct smk_audit_info ad; 1982 struct inode *inode = file_inode(file); 1983 struct socket *sock; 1984 struct task_smack *tsp; 1985 struct socket_smack *ssp; 1986 1987 if (unlikely(IS_PRIVATE(inode))) 1988 return 0; 1989 1990 smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_PATH); 1991 smk_ad_setfield_u_fs_path(&ad, file->f_path); 1992 1993 if (inode->i_sb->s_magic == SOCKFS_MAGIC) { 1994 sock = SOCKET_I(inode); 1995 ssp = smack_sock(sock->sk); 1996 tsp = smack_cred(current_cred()); 1997 /* 1998 * If the receiving process can't write to the 1999 * passed socket or if the passed socket can't 2000 * write to the receiving process don't accept 2001 * the passed socket. 2002 */ 2003 rc = smk_access(tsp->smk_task, ssp->smk_out, MAY_WRITE, &ad); 2004 rc = smk_bu_file(file, may, rc); 2005 if (rc < 0) 2006 return rc; 2007 rc = smk_access(ssp->smk_in, tsp->smk_task, MAY_WRITE, &ad); 2008 rc = smk_bu_file(file, may, rc); 2009 return rc; 2010 } 2011 /* 2012 * This code relies on bitmasks. 2013 */ 2014 if (file->f_mode & FMODE_READ) 2015 may = MAY_READ; 2016 if (file->f_mode & FMODE_WRITE) 2017 may |= MAY_WRITE; 2018 2019 rc = smk_curacc(smk_of_inode(inode), may, &ad); 2020 rc = smk_bu_file(file, may, rc); 2021 return rc; 2022 } 2023 2024 /** 2025 * smack_file_open - Smack dentry open processing 2026 * @file: the object 2027 * 2028 * Set the security blob in the file structure. 2029 * Allow the open only if the task has read access. There are 2030 * many read operations (e.g. fstat) that you can do with an 2031 * fd even if you have the file open write-only. 2032 * 2033 * Returns 0 if current has access, error code otherwise 2034 */ 2035 static int smack_file_open(struct file *file) 2036 { 2037 struct task_smack *tsp = smack_cred(file->f_cred); 2038 struct inode *inode = file_inode(file); 2039 struct smk_audit_info ad; 2040 int rc; 2041 2042 smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_PATH); 2043 smk_ad_setfield_u_fs_path(&ad, file->f_path); 2044 rc = smk_tskacc(tsp, smk_of_inode(inode), MAY_READ, &ad); 2045 rc = smk_bu_credfile(file->f_cred, file, MAY_READ, rc); 2046 2047 return rc; 2048 } 2049 2050 /* 2051 * Task hooks 2052 */ 2053 2054 /** 2055 * smack_cred_alloc_blank - "allocate" blank task-level security credentials 2056 * @cred: the new credentials 2057 * @gfp: the atomicity of any memory allocations 2058 * 2059 * Prepare a blank set of credentials for modification. This must allocate all 2060 * the memory the LSM module might require such that cred_transfer() can 2061 * complete without error. 2062 */ 2063 static int smack_cred_alloc_blank(struct cred *cred, gfp_t gfp) 2064 { 2065 init_task_smack(smack_cred(cred), NULL, NULL); 2066 return 0; 2067 } 2068 2069 2070 /** 2071 * smack_cred_free - "free" task-level security credentials 2072 * @cred: the credentials in question 2073 * 2074 */ 2075 static void smack_cred_free(struct cred *cred) 2076 { 2077 struct task_smack *tsp = smack_cred(cred); 2078 struct smack_rule *rp; 2079 struct list_head *l; 2080 struct list_head *n; 2081 2082 smk_destroy_label_list(&tsp->smk_relabel); 2083 2084 list_for_each_safe(l, n, &tsp->smk_rules) { 2085 rp = list_entry(l, struct smack_rule, list); 2086 list_del(&rp->list); 2087 kmem_cache_free(smack_rule_cache, rp); 2088 } 2089 } 2090 2091 /** 2092 * smack_cred_prepare - prepare new set of credentials for modification 2093 * @new: the new credentials 2094 * @old: the original credentials 2095 * @gfp: the atomicity of any memory allocations 2096 * 2097 * Prepare a new set of credentials for modification. 2098 */ 2099 static int smack_cred_prepare(struct cred *new, const struct cred *old, 2100 gfp_t gfp) 2101 { 2102 struct task_smack *old_tsp = smack_cred(old); 2103 struct task_smack *new_tsp = smack_cred(new); 2104 int rc; 2105 2106 init_task_smack(new_tsp, old_tsp->smk_task, old_tsp->smk_task); 2107 2108 rc = smk_copy_rules(&new_tsp->smk_rules, &old_tsp->smk_rules, gfp); 2109 if (rc != 0) 2110 return rc; 2111 2112 rc = smk_copy_relabel(&new_tsp->smk_relabel, &old_tsp->smk_relabel, 2113 gfp); 2114 return rc; 2115 } 2116 2117 /** 2118 * smack_cred_transfer - Transfer the old credentials to the new credentials 2119 * @new: the new credentials 2120 * @old: the original credentials 2121 * 2122 * Fill in a set of blank credentials from another set of credentials. 2123 */ 2124 static void smack_cred_transfer(struct cred *new, const struct cred *old) 2125 { 2126 struct task_smack *old_tsp = smack_cred(old); 2127 struct task_smack *new_tsp = smack_cred(new); 2128 2129 init_task_smack(new_tsp, old_tsp->smk_task, old_tsp->smk_task); 2130 } 2131 2132 /** 2133 * smack_cred_getsecid - get the secid corresponding to a creds structure 2134 * @cred: the object creds 2135 * @secid: where to put the result 2136 * 2137 * Sets the secid to contain a u32 version of the smack label. 2138 */ 2139 static void smack_cred_getsecid(const struct cred *cred, u32 *secid) 2140 { 2141 struct smack_known *skp; 2142 2143 rcu_read_lock(); 2144 skp = smk_of_task(smack_cred(cred)); 2145 *secid = skp->smk_secid; 2146 rcu_read_unlock(); 2147 } 2148 2149 /** 2150 * smack_cred_getlsmprop - get the Smack label for a creds structure 2151 * @cred: the object creds 2152 * @prop: where to put the data 2153 * 2154 * Sets the Smack part of the ref 2155 */ 2156 static void smack_cred_getlsmprop(const struct cred *cred, 2157 struct lsm_prop *prop) 2158 { 2159 rcu_read_lock(); 2160 prop->smack.skp = smk_of_task(smack_cred(cred)); 2161 rcu_read_unlock(); 2162 } 2163 2164 /** 2165 * smack_kernel_act_as - Set the subjective context in a set of credentials 2166 * @new: points to the set of credentials to be modified. 2167 * @secid: specifies the security ID to be set 2168 * 2169 * Set the security data for a kernel service. 2170 */ 2171 static int smack_kernel_act_as(struct cred *new, u32 secid) 2172 { 2173 struct task_smack *new_tsp = smack_cred(new); 2174 2175 new_tsp->smk_task = smack_from_secid(secid); 2176 return 0; 2177 } 2178 2179 /** 2180 * smack_kernel_create_files_as - Set the file creation label in a set of creds 2181 * @new: points to the set of credentials to be modified 2182 * @inode: points to the inode to use as a reference 2183 * 2184 * Set the file creation context in a set of credentials to the same 2185 * as the objective context of the specified inode 2186 */ 2187 static int smack_kernel_create_files_as(struct cred *new, 2188 struct inode *inode) 2189 { 2190 struct inode_smack *isp = smack_inode(inode); 2191 struct task_smack *tsp = smack_cred(new); 2192 2193 tsp->smk_forked = isp->smk_inode; 2194 tsp->smk_task = tsp->smk_forked; 2195 return 0; 2196 } 2197 2198 /** 2199 * smk_curacc_on_task - helper to log task related access 2200 * @p: the task object 2201 * @access: the access requested 2202 * @caller: name of the calling function for audit 2203 * 2204 * Return 0 if access is permitted 2205 */ 2206 static int smk_curacc_on_task(struct task_struct *p, int access, 2207 const char *caller) 2208 { 2209 struct smk_audit_info ad; 2210 struct smack_known *skp = smk_of_task_struct_obj(p); 2211 int rc; 2212 2213 smk_ad_init(&ad, caller, LSM_AUDIT_DATA_TASK); 2214 smk_ad_setfield_u_tsk(&ad, p); 2215 rc = smk_curacc(skp, access, &ad); 2216 rc = smk_bu_task(p, access, rc); 2217 return rc; 2218 } 2219 2220 /** 2221 * smack_task_setpgid - Smack check on setting pgid 2222 * @p: the task object 2223 * @pgid: unused 2224 * 2225 * Return 0 if write access is permitted 2226 */ 2227 static int smack_task_setpgid(struct task_struct *p, pid_t pgid) 2228 { 2229 return smk_curacc_on_task(p, MAY_WRITE, __func__); 2230 } 2231 2232 /** 2233 * smack_task_getpgid - Smack access check for getpgid 2234 * @p: the object task 2235 * 2236 * Returns 0 if current can read the object task, error code otherwise 2237 */ 2238 static int smack_task_getpgid(struct task_struct *p) 2239 { 2240 return smk_curacc_on_task(p, MAY_READ, __func__); 2241 } 2242 2243 /** 2244 * smack_task_getsid - Smack access check for getsid 2245 * @p: the object task 2246 * 2247 * Returns 0 if current can read the object task, error code otherwise 2248 */ 2249 static int smack_task_getsid(struct task_struct *p) 2250 { 2251 return smk_curacc_on_task(p, MAY_READ, __func__); 2252 } 2253 2254 /** 2255 * smack_current_getlsmprop_subj - get the subjective secid of the current task 2256 * @prop: where to put the result 2257 * 2258 * Sets the secid to contain a u32 version of the task's subjective smack label. 2259 */ 2260 static void smack_current_getlsmprop_subj(struct lsm_prop *prop) 2261 { 2262 prop->smack.skp = smk_of_current(); 2263 } 2264 2265 /** 2266 * smack_task_getlsmprop_obj - get the objective data of the task 2267 * @p: the task 2268 * @prop: where to put the result 2269 * 2270 * Sets the secid to contain a u32 version of the task's objective smack label. 2271 */ 2272 static void smack_task_getlsmprop_obj(struct task_struct *p, 2273 struct lsm_prop *prop) 2274 { 2275 prop->smack.skp = smk_of_task_struct_obj(p); 2276 } 2277 2278 /** 2279 * smack_task_setnice - Smack check on setting nice 2280 * @p: the task object 2281 * @nice: unused 2282 * 2283 * Return 0 if write access is permitted 2284 */ 2285 static int smack_task_setnice(struct task_struct *p, int nice) 2286 { 2287 return smk_curacc_on_task(p, MAY_WRITE, __func__); 2288 } 2289 2290 /** 2291 * smack_task_setioprio - Smack check on setting ioprio 2292 * @p: the task object 2293 * @ioprio: unused 2294 * 2295 * Return 0 if write access is permitted 2296 */ 2297 static int smack_task_setioprio(struct task_struct *p, int ioprio) 2298 { 2299 return smk_curacc_on_task(p, MAY_WRITE, __func__); 2300 } 2301 2302 /** 2303 * smack_task_getioprio - Smack check on reading ioprio 2304 * @p: the task object 2305 * 2306 * Return 0 if read access is permitted 2307 */ 2308 static int smack_task_getioprio(struct task_struct *p) 2309 { 2310 return smk_curacc_on_task(p, MAY_READ, __func__); 2311 } 2312 2313 /** 2314 * smack_task_setscheduler - Smack check on setting scheduler 2315 * @p: the task object 2316 * 2317 * Return 0 if read access is permitted 2318 */ 2319 static int smack_task_setscheduler(struct task_struct *p) 2320 { 2321 return smk_curacc_on_task(p, MAY_WRITE, __func__); 2322 } 2323 2324 /** 2325 * smack_task_getscheduler - Smack check on reading scheduler 2326 * @p: the task object 2327 * 2328 * Return 0 if read access is permitted 2329 */ 2330 static int smack_task_getscheduler(struct task_struct *p) 2331 { 2332 return smk_curacc_on_task(p, MAY_READ, __func__); 2333 } 2334 2335 /** 2336 * smack_task_movememory - Smack check on moving memory 2337 * @p: the task object 2338 * 2339 * Return 0 if write access is permitted 2340 */ 2341 static int smack_task_movememory(struct task_struct *p) 2342 { 2343 return smk_curacc_on_task(p, MAY_WRITE, __func__); 2344 } 2345 2346 /** 2347 * smack_task_kill - Smack check on signal delivery 2348 * @p: the task object 2349 * @info: unused 2350 * @sig: unused 2351 * @cred: identifies the cred to use in lieu of current's 2352 * 2353 * Return 0 if write access is permitted 2354 * 2355 */ 2356 static int smack_task_kill(struct task_struct *p, struct kernel_siginfo *info, 2357 int sig, const struct cred *cred) 2358 { 2359 struct smk_audit_info ad; 2360 struct smack_known *skp; 2361 struct smack_known *tkp = smk_of_task_struct_obj(p); 2362 int rc; 2363 2364 if (!sig) 2365 return 0; /* null signal; existence test */ 2366 2367 smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_TASK); 2368 smk_ad_setfield_u_tsk(&ad, p); 2369 /* 2370 * Sending a signal requires that the sender 2371 * can write the receiver. 2372 */ 2373 if (cred == NULL) { 2374 rc = smk_curacc(tkp, MAY_DELIVER, &ad); 2375 rc = smk_bu_task(p, MAY_DELIVER, rc); 2376 return rc; 2377 } 2378 /* 2379 * If the cred isn't NULL we're dealing with some USB IO 2380 * specific behavior. This is not clean. For one thing 2381 * we can't take privilege into account. 2382 */ 2383 skp = smk_of_task(smack_cred(cred)); 2384 rc = smk_access(skp, tkp, MAY_DELIVER, &ad); 2385 rc = smk_bu_note("USB signal", skp, tkp, MAY_DELIVER, rc); 2386 return rc; 2387 } 2388 2389 /** 2390 * smack_task_to_inode - copy task smack into the inode blob 2391 * @p: task to copy from 2392 * @inode: inode to copy to 2393 * 2394 * Sets the smack pointer in the inode security blob 2395 */ 2396 static void smack_task_to_inode(struct task_struct *p, struct inode *inode) 2397 { 2398 struct inode_smack *isp = smack_inode(inode); 2399 struct smack_known *skp = smk_of_task_struct_obj(p); 2400 2401 isp->smk_inode = skp; 2402 isp->smk_flags |= SMK_INODE_INSTANT; 2403 } 2404 2405 /* 2406 * Socket hooks. 2407 */ 2408 2409 /** 2410 * smack_sk_alloc_security - Allocate a socket blob 2411 * @sk: the socket 2412 * @family: unused 2413 * @gfp_flags: memory allocation flags 2414 * 2415 * Assign Smack pointers to current 2416 * 2417 * Returns 0 on success, -ENOMEM is there's no memory 2418 */ 2419 static int smack_sk_alloc_security(struct sock *sk, int family, gfp_t gfp_flags) 2420 { 2421 struct smack_known *skp = smk_of_current(); 2422 struct socket_smack *ssp = smack_sock(sk); 2423 2424 /* 2425 * Sockets created by kernel threads receive web label. 2426 */ 2427 if (unlikely(current->flags & PF_KTHREAD)) { 2428 ssp->smk_in = &smack_known_web; 2429 ssp->smk_out = &smack_known_web; 2430 } else { 2431 ssp->smk_in = skp; 2432 ssp->smk_out = skp; 2433 } 2434 ssp->smk_packet = NULL; 2435 2436 return 0; 2437 } 2438 2439 #ifdef SMACK_IPV6_PORT_LABELING 2440 /** 2441 * smack_sk_free_security - Free a socket blob 2442 * @sk: the socket 2443 * 2444 * Clears the blob pointer 2445 */ 2446 static void smack_sk_free_security(struct sock *sk) 2447 { 2448 struct smk_port_label *spp; 2449 2450 if (sk->sk_family == PF_INET6) { 2451 rcu_read_lock(); 2452 list_for_each_entry_rcu(spp, &smk_ipv6_port_list, list) { 2453 if (spp->smk_sock != sk) 2454 continue; 2455 spp->smk_can_reuse = 1; 2456 break; 2457 } 2458 rcu_read_unlock(); 2459 } 2460 } 2461 #endif 2462 2463 /** 2464 * smack_sk_clone_security - Copy security context 2465 * @sk: the old socket 2466 * @newsk: the new socket 2467 * 2468 * Copy the security context of the old socket pointer to the cloned 2469 */ 2470 static void smack_sk_clone_security(const struct sock *sk, struct sock *newsk) 2471 { 2472 struct socket_smack *ssp_old = smack_sock(sk); 2473 struct socket_smack *ssp_new = smack_sock(newsk); 2474 2475 *ssp_new = *ssp_old; 2476 } 2477 2478 /** 2479 * smack_ipv4host_label - check host based restrictions 2480 * @sip: the object end 2481 * 2482 * looks for host based access restrictions 2483 * 2484 * This version will only be appropriate for really small sets of single label 2485 * hosts. The caller is responsible for ensuring that the RCU read lock is 2486 * taken before calling this function. 2487 * 2488 * Returns the label of the far end or NULL if it's not special. 2489 */ 2490 static struct smack_known *smack_ipv4host_label(struct sockaddr_in *sip) 2491 { 2492 struct smk_net4addr *snp; 2493 struct in_addr *siap = &sip->sin_addr; 2494 2495 if (siap->s_addr == 0) 2496 return NULL; 2497 2498 list_for_each_entry_rcu(snp, &smk_net4addr_list, list) 2499 /* 2500 * we break after finding the first match because 2501 * the list is sorted from longest to shortest mask 2502 * so we have found the most specific match 2503 */ 2504 if (snp->smk_host.s_addr == 2505 (siap->s_addr & snp->smk_mask.s_addr)) 2506 return snp->smk_label; 2507 2508 return NULL; 2509 } 2510 2511 /* 2512 * smk_ipv6_localhost - Check for local ipv6 host address 2513 * @sip: the address 2514 * 2515 * Returns boolean true if this is the localhost address 2516 */ 2517 static bool smk_ipv6_localhost(struct sockaddr_in6 *sip) 2518 { 2519 __be16 *be16p = (__be16 *)&sip->sin6_addr; 2520 __be32 *be32p = (__be32 *)&sip->sin6_addr; 2521 2522 if (be32p[0] == 0 && be32p[1] == 0 && be32p[2] == 0 && be16p[6] == 0 && 2523 ntohs(be16p[7]) == 1) 2524 return true; 2525 return false; 2526 } 2527 2528 /** 2529 * smack_ipv6host_label - check host based restrictions 2530 * @sip: the object end 2531 * 2532 * looks for host based access restrictions 2533 * 2534 * This version will only be appropriate for really small sets of single label 2535 * hosts. The caller is responsible for ensuring that the RCU read lock is 2536 * taken before calling this function. 2537 * 2538 * Returns the label of the far end or NULL if it's not special. 2539 */ 2540 static struct smack_known *smack_ipv6host_label(struct sockaddr_in6 *sip) 2541 { 2542 struct smk_net6addr *snp; 2543 struct in6_addr *sap = &sip->sin6_addr; 2544 int i; 2545 int found = 0; 2546 2547 /* 2548 * It's local. Don't look for a host label. 2549 */ 2550 if (smk_ipv6_localhost(sip)) 2551 return NULL; 2552 2553 list_for_each_entry_rcu(snp, &smk_net6addr_list, list) { 2554 /* 2555 * If the label is NULL the entry has 2556 * been renounced. Ignore it. 2557 */ 2558 if (snp->smk_label == NULL) 2559 continue; 2560 /* 2561 * we break after finding the first match because 2562 * the list is sorted from longest to shortest mask 2563 * so we have found the most specific match 2564 */ 2565 for (found = 1, i = 0; i < 8; i++) { 2566 if ((sap->s6_addr16[i] & snp->smk_mask.s6_addr16[i]) != 2567 snp->smk_host.s6_addr16[i]) { 2568 found = 0; 2569 break; 2570 } 2571 } 2572 if (found) 2573 return snp->smk_label; 2574 } 2575 2576 return NULL; 2577 } 2578 2579 /** 2580 * smack_netlbl_add - Set the secattr on a socket 2581 * @sk: the socket 2582 * 2583 * Attach the outbound smack value (smk_out) to the socket. 2584 * 2585 * Returns 0 on success or an error code 2586 */ 2587 static int smack_netlbl_add(struct sock *sk) 2588 { 2589 struct socket_smack *ssp = smack_sock(sk); 2590 struct smack_known *skp = ssp->smk_out; 2591 int rc; 2592 2593 local_bh_disable(); 2594 bh_lock_sock_nested(sk); 2595 2596 rc = netlbl_sock_setattr(sk, sk->sk_family, &skp->smk_netlabel, 2597 netlbl_sk_lock_check(sk)); 2598 switch (rc) { 2599 case 0: 2600 ssp->smk_state = SMK_NETLBL_LABELED; 2601 break; 2602 case -EDESTADDRREQ: 2603 ssp->smk_state = SMK_NETLBL_REQSKB; 2604 rc = 0; 2605 break; 2606 } 2607 2608 bh_unlock_sock(sk); 2609 local_bh_enable(); 2610 2611 return rc; 2612 } 2613 2614 /** 2615 * smack_netlbl_delete - Remove the secattr from a socket 2616 * @sk: the socket 2617 * 2618 * Remove the outbound smack value from a socket 2619 */ 2620 static void smack_netlbl_delete(struct sock *sk) 2621 { 2622 struct socket_smack *ssp = smack_sock(sk); 2623 2624 /* 2625 * Take the label off the socket if one is set. 2626 */ 2627 if (ssp->smk_state != SMK_NETLBL_LABELED) 2628 return; 2629 2630 local_bh_disable(); 2631 bh_lock_sock_nested(sk); 2632 netlbl_sock_delattr(sk); 2633 bh_unlock_sock(sk); 2634 local_bh_enable(); 2635 ssp->smk_state = SMK_NETLBL_UNLABELED; 2636 } 2637 2638 /** 2639 * smk_ipv4_check - Perform IPv4 host access checks 2640 * @sk: the socket 2641 * @sap: the destination address 2642 * 2643 * Set the correct secattr for the given socket based on the destination 2644 * address and perform any outbound access checks needed. 2645 * 2646 * Returns 0 on success or an error code. 2647 * 2648 */ 2649 static int smk_ipv4_check(struct sock *sk, struct sockaddr_in *sap) 2650 { 2651 struct smack_known *skp; 2652 int rc = 0; 2653 struct smack_known *hkp; 2654 struct socket_smack *ssp = smack_sock(sk); 2655 struct smk_audit_info ad; 2656 2657 rcu_read_lock(); 2658 hkp = smack_ipv4host_label(sap); 2659 if (hkp != NULL) { 2660 #ifdef CONFIG_AUDIT 2661 struct lsm_network_audit net; 2662 2663 smk_ad_init_net(&ad, __func__, LSM_AUDIT_DATA_NET, &net); 2664 ad.a.u.net->family = sap->sin_family; 2665 ad.a.u.net->dport = sap->sin_port; 2666 ad.a.u.net->v4info.daddr = sap->sin_addr.s_addr; 2667 #endif 2668 skp = ssp->smk_out; 2669 rc = smk_access(skp, hkp, MAY_WRITE, &ad); 2670 rc = smk_bu_note("IPv4 host check", skp, hkp, MAY_WRITE, rc); 2671 /* 2672 * Clear the socket netlabel if it's set. 2673 */ 2674 if (!rc) 2675 smack_netlbl_delete(sk); 2676 } 2677 rcu_read_unlock(); 2678 2679 return rc; 2680 } 2681 2682 /** 2683 * smk_ipv6_check - check Smack access 2684 * @subject: subject Smack label 2685 * @object: object Smack label 2686 * @address: address 2687 * @act: the action being taken 2688 * 2689 * Check an IPv6 access 2690 */ 2691 static int smk_ipv6_check(struct smack_known *subject, 2692 struct smack_known *object, 2693 struct sockaddr_in6 *address, int act) 2694 { 2695 #ifdef CONFIG_AUDIT 2696 struct lsm_network_audit net; 2697 #endif 2698 struct smk_audit_info ad; 2699 int rc; 2700 2701 #ifdef CONFIG_AUDIT 2702 smk_ad_init_net(&ad, __func__, LSM_AUDIT_DATA_NET, &net); 2703 ad.a.u.net->family = PF_INET6; 2704 ad.a.u.net->dport = address->sin6_port; 2705 if (act == SMK_RECEIVING) 2706 ad.a.u.net->v6info.saddr = address->sin6_addr; 2707 else 2708 ad.a.u.net->v6info.daddr = address->sin6_addr; 2709 #endif 2710 rc = smk_access(subject, object, MAY_WRITE, &ad); 2711 rc = smk_bu_note("IPv6 check", subject, object, MAY_WRITE, rc); 2712 return rc; 2713 } 2714 2715 #ifdef SMACK_IPV6_PORT_LABELING 2716 /** 2717 * smk_ipv6_port_label - Smack port access table management 2718 * @sock: socket 2719 * @address: address 2720 * 2721 * Create or update the port list entry 2722 */ 2723 static void smk_ipv6_port_label(struct socket *sock, struct sockaddr *address) 2724 { 2725 struct sock *sk = sock->sk; 2726 struct sockaddr_in6 *addr6; 2727 struct socket_smack *ssp = smack_sock(sock->sk); 2728 struct smk_port_label *spp; 2729 unsigned short port = 0; 2730 2731 if (address == NULL) { 2732 /* 2733 * This operation is changing the Smack information 2734 * on the bound socket. Take the changes to the port 2735 * as well. 2736 */ 2737 rcu_read_lock(); 2738 list_for_each_entry_rcu(spp, &smk_ipv6_port_list, list) { 2739 if (sk != spp->smk_sock) 2740 continue; 2741 spp->smk_in = ssp->smk_in; 2742 spp->smk_out = ssp->smk_out; 2743 rcu_read_unlock(); 2744 return; 2745 } 2746 /* 2747 * A NULL address is only used for updating existing 2748 * bound entries. If there isn't one, it's OK. 2749 */ 2750 rcu_read_unlock(); 2751 return; 2752 } 2753 2754 addr6 = (struct sockaddr_in6 *)address; 2755 port = ntohs(addr6->sin6_port); 2756 /* 2757 * This is a special case that is safely ignored. 2758 */ 2759 if (port == 0) 2760 return; 2761 2762 /* 2763 * Look for an existing port list entry. 2764 * This is an indication that a port is getting reused. 2765 */ 2766 rcu_read_lock(); 2767 list_for_each_entry_rcu(spp, &smk_ipv6_port_list, list) { 2768 if (spp->smk_port != port || spp->smk_sock_type != sock->type) 2769 continue; 2770 if (spp->smk_can_reuse != 1) { 2771 rcu_read_unlock(); 2772 return; 2773 } 2774 spp->smk_port = port; 2775 spp->smk_sock = sk; 2776 spp->smk_in = ssp->smk_in; 2777 spp->smk_out = ssp->smk_out; 2778 spp->smk_can_reuse = 0; 2779 rcu_read_unlock(); 2780 return; 2781 } 2782 rcu_read_unlock(); 2783 /* 2784 * A new port entry is required. 2785 */ 2786 spp = kzalloc(sizeof(*spp), GFP_KERNEL); 2787 if (spp == NULL) 2788 return; 2789 2790 spp->smk_port = port; 2791 spp->smk_sock = sk; 2792 spp->smk_in = ssp->smk_in; 2793 spp->smk_out = ssp->smk_out; 2794 spp->smk_sock_type = sock->type; 2795 spp->smk_can_reuse = 0; 2796 2797 mutex_lock(&smack_ipv6_lock); 2798 list_add_rcu(&spp->list, &smk_ipv6_port_list); 2799 mutex_unlock(&smack_ipv6_lock); 2800 return; 2801 } 2802 2803 /** 2804 * smk_ipv6_port_check - check Smack port access 2805 * @sk: socket 2806 * @address: address 2807 * @act: the action being taken 2808 * 2809 * Create or update the port list entry 2810 */ 2811 static int smk_ipv6_port_check(struct sock *sk, struct sockaddr_in6 *address, 2812 int act) 2813 { 2814 struct smk_port_label *spp; 2815 struct socket_smack *ssp = smack_sock(sk); 2816 struct smack_known *skp = NULL; 2817 unsigned short port; 2818 struct smack_known *object; 2819 2820 if (act == SMK_RECEIVING) { 2821 skp = smack_ipv6host_label(address); 2822 object = ssp->smk_in; 2823 } else { 2824 skp = ssp->smk_out; 2825 object = smack_ipv6host_label(address); 2826 } 2827 2828 /* 2829 * The other end is a single label host. 2830 */ 2831 if (skp != NULL && object != NULL) 2832 return smk_ipv6_check(skp, object, address, act); 2833 if (skp == NULL) 2834 skp = smack_net_ambient; 2835 if (object == NULL) 2836 object = smack_net_ambient; 2837 2838 /* 2839 * It's remote, so port lookup does no good. 2840 */ 2841 if (!smk_ipv6_localhost(address)) 2842 return smk_ipv6_check(skp, object, address, act); 2843 2844 /* 2845 * It's local so the send check has to have passed. 2846 */ 2847 if (act == SMK_RECEIVING) 2848 return 0; 2849 2850 port = ntohs(address->sin6_port); 2851 rcu_read_lock(); 2852 list_for_each_entry_rcu(spp, &smk_ipv6_port_list, list) { 2853 if (spp->smk_port != port || spp->smk_sock_type != sk->sk_type) 2854 continue; 2855 object = spp->smk_in; 2856 if (act == SMK_CONNECTING) 2857 ssp->smk_packet = spp->smk_out; 2858 break; 2859 } 2860 rcu_read_unlock(); 2861 2862 return smk_ipv6_check(skp, object, address, act); 2863 } 2864 #endif 2865 2866 /** 2867 * smack_inode_setsecurity - set smack xattrs 2868 * @inode: the object 2869 * @name: attribute name 2870 * @value: attribute value 2871 * @size: size of the attribute 2872 * @flags: unused 2873 * 2874 * Sets the named attribute in the appropriate blob 2875 * 2876 * Returns 0 on success, or an error code 2877 */ 2878 static int smack_inode_setsecurity(struct inode *inode, const char *name, 2879 const void *value, size_t size, int flags) 2880 { 2881 struct smack_known *skp; 2882 struct inode_smack *nsp = smack_inode(inode); 2883 struct socket_smack *ssp; 2884 struct socket *sock; 2885 int rc = 0; 2886 2887 if (value == NULL || size > SMK_LONGLABEL || size == 0) 2888 return -EINVAL; 2889 2890 if (strcmp(name, XATTR_SMACK_TRANSMUTE) == 0) { 2891 if (!S_ISDIR(inode->i_mode) || size != TRANS_TRUE_SIZE || 2892 strncmp(value, TRANS_TRUE, TRANS_TRUE_SIZE) != 0) 2893 return -EINVAL; 2894 2895 nsp->smk_flags |= SMK_INODE_TRANSMUTE; 2896 return 0; 2897 } 2898 2899 skp = smk_import_entry(value, size); 2900 if (IS_ERR(skp)) 2901 return PTR_ERR(skp); 2902 2903 if (strcmp(name, XATTR_SMACK_SUFFIX) == 0) { 2904 nsp->smk_inode = skp; 2905 nsp->smk_flags |= SMK_INODE_INSTANT; 2906 return 0; 2907 } 2908 /* 2909 * The rest of the Smack xattrs are only on sockets. 2910 */ 2911 if (inode->i_sb->s_magic != SOCKFS_MAGIC) 2912 return -EOPNOTSUPP; 2913 2914 sock = SOCKET_I(inode); 2915 if (sock == NULL || sock->sk == NULL) 2916 return -EOPNOTSUPP; 2917 2918 ssp = smack_sock(sock->sk); 2919 2920 if (strcmp(name, XATTR_SMACK_IPIN) == 0) 2921 ssp->smk_in = skp; 2922 else if (strcmp(name, XATTR_SMACK_IPOUT) == 0) { 2923 ssp->smk_out = skp; 2924 if (sock->sk->sk_family == PF_INET) { 2925 rc = smack_netlbl_add(sock->sk); 2926 if (rc != 0) 2927 printk(KERN_WARNING 2928 "Smack: \"%s\" netlbl error %d.\n", 2929 __func__, -rc); 2930 } 2931 } else 2932 return -EOPNOTSUPP; 2933 2934 #ifdef SMACK_IPV6_PORT_LABELING 2935 if (sock->sk->sk_family == PF_INET6) 2936 smk_ipv6_port_label(sock, NULL); 2937 #endif 2938 2939 return 0; 2940 } 2941 2942 /** 2943 * smack_socket_post_create - finish socket setup 2944 * @sock: the socket 2945 * @family: protocol family 2946 * @type: unused 2947 * @protocol: unused 2948 * @kern: unused 2949 * 2950 * Sets the netlabel information on the socket 2951 * 2952 * Returns 0 on success, and error code otherwise 2953 */ 2954 static int smack_socket_post_create(struct socket *sock, int family, 2955 int type, int protocol, int kern) 2956 { 2957 struct socket_smack *ssp; 2958 2959 if (sock->sk == NULL) 2960 return 0; 2961 2962 /* 2963 * Sockets created by kernel threads receive web label. 2964 */ 2965 if (unlikely(current->flags & PF_KTHREAD)) { 2966 ssp = smack_sock(sock->sk); 2967 ssp->smk_in = &smack_known_web; 2968 ssp->smk_out = &smack_known_web; 2969 } 2970 2971 if (family != PF_INET) 2972 return 0; 2973 /* 2974 * Set the outbound netlbl. 2975 */ 2976 return smack_netlbl_add(sock->sk); 2977 } 2978 2979 /** 2980 * smack_socket_socketpair - create socket pair 2981 * @socka: one socket 2982 * @sockb: another socket 2983 * 2984 * Cross reference the peer labels for SO_PEERSEC 2985 * 2986 * Returns 0 2987 */ 2988 static int smack_socket_socketpair(struct socket *socka, 2989 struct socket *sockb) 2990 { 2991 struct socket_smack *asp = smack_sock(socka->sk); 2992 struct socket_smack *bsp = smack_sock(sockb->sk); 2993 2994 asp->smk_packet = bsp->smk_out; 2995 bsp->smk_packet = asp->smk_out; 2996 2997 return 0; 2998 } 2999 3000 #ifdef SMACK_IPV6_PORT_LABELING 3001 /** 3002 * smack_socket_bind - record port binding information. 3003 * @sock: the socket 3004 * @address: the port address 3005 * @addrlen: size of the address 3006 * 3007 * Records the label bound to a port. 3008 * 3009 * Returns 0 on success, and error code otherwise 3010 */ 3011 static int smack_socket_bind(struct socket *sock, struct sockaddr *address, 3012 int addrlen) 3013 { 3014 if (sock->sk != NULL && sock->sk->sk_family == PF_INET6) { 3015 if (addrlen < SIN6_LEN_RFC2133 || 3016 address->sa_family != AF_INET6) 3017 return -EINVAL; 3018 smk_ipv6_port_label(sock, address); 3019 } 3020 return 0; 3021 } 3022 #endif /* SMACK_IPV6_PORT_LABELING */ 3023 3024 /** 3025 * smack_socket_connect - connect access check 3026 * @sock: the socket 3027 * @sap: the other end 3028 * @addrlen: size of sap 3029 * 3030 * Verifies that a connection may be possible 3031 * 3032 * Returns 0 on success, and error code otherwise 3033 */ 3034 static int smack_socket_connect(struct socket *sock, struct sockaddr *sap, 3035 int addrlen) 3036 { 3037 int rc = 0; 3038 3039 if (sock->sk == NULL) 3040 return 0; 3041 if (sock->sk->sk_family != PF_INET && 3042 (!IS_ENABLED(CONFIG_IPV6) || sock->sk->sk_family != PF_INET6)) 3043 return 0; 3044 if (addrlen < offsetofend(struct sockaddr, sa_family)) 3045 return 0; 3046 if (IS_ENABLED(CONFIG_IPV6) && sap->sa_family == AF_INET6) { 3047 struct sockaddr_in6 *sip = (struct sockaddr_in6 *)sap; 3048 struct smack_known *rsp = NULL; 3049 3050 if (addrlen < SIN6_LEN_RFC2133) 3051 return 0; 3052 if (__is_defined(SMACK_IPV6_SECMARK_LABELING)) 3053 rsp = smack_ipv6host_label(sip); 3054 if (rsp != NULL) { 3055 struct socket_smack *ssp = smack_sock(sock->sk); 3056 3057 rc = smk_ipv6_check(ssp->smk_out, rsp, sip, 3058 SMK_CONNECTING); 3059 } 3060 #ifdef SMACK_IPV6_PORT_LABELING 3061 rc = smk_ipv6_port_check(sock->sk, sip, SMK_CONNECTING); 3062 #endif 3063 3064 return rc; 3065 } 3066 if (sap->sa_family != AF_INET || addrlen < sizeof(struct sockaddr_in)) 3067 return 0; 3068 rc = smk_ipv4_check(sock->sk, (struct sockaddr_in *)sap); 3069 return rc; 3070 } 3071 3072 /** 3073 * smack_flags_to_may - convert S_ to MAY_ values 3074 * @flags: the S_ value 3075 * 3076 * Returns the equivalent MAY_ value 3077 */ 3078 static int smack_flags_to_may(int flags) 3079 { 3080 int may = 0; 3081 3082 if (flags & S_IRUGO) 3083 may |= MAY_READ; 3084 if (flags & S_IWUGO) 3085 may |= MAY_WRITE; 3086 if (flags & S_IXUGO) 3087 may |= MAY_EXEC; 3088 3089 return may; 3090 } 3091 3092 /** 3093 * smack_msg_msg_alloc_security - Set the security blob for msg_msg 3094 * @msg: the object 3095 * 3096 * Returns 0 3097 */ 3098 static int smack_msg_msg_alloc_security(struct msg_msg *msg) 3099 { 3100 struct smack_known **blob = smack_msg_msg(msg); 3101 3102 *blob = smk_of_current(); 3103 return 0; 3104 } 3105 3106 /** 3107 * smack_of_ipc - the smack pointer for the ipc 3108 * @isp: the object 3109 * 3110 * Returns a pointer to the smack value 3111 */ 3112 static struct smack_known *smack_of_ipc(struct kern_ipc_perm *isp) 3113 { 3114 struct smack_known **blob = smack_ipc(isp); 3115 3116 return *blob; 3117 } 3118 3119 /** 3120 * smack_ipc_alloc_security - Set the security blob for ipc 3121 * @isp: the object 3122 * 3123 * Returns 0 3124 */ 3125 static int smack_ipc_alloc_security(struct kern_ipc_perm *isp) 3126 { 3127 struct smack_known **blob = smack_ipc(isp); 3128 3129 *blob = smk_of_current(); 3130 return 0; 3131 } 3132 3133 /** 3134 * smk_curacc_shm : check if current has access on shm 3135 * @isp : the object 3136 * @access : access requested 3137 * 3138 * Returns 0 if current has the requested access, error code otherwise 3139 */ 3140 static int smk_curacc_shm(struct kern_ipc_perm *isp, int access) 3141 { 3142 struct smack_known *ssp = smack_of_ipc(isp); 3143 struct smk_audit_info ad; 3144 int rc; 3145 3146 #ifdef CONFIG_AUDIT 3147 smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_IPC); 3148 ad.a.u.ipc_id = isp->id; 3149 #endif 3150 rc = smk_curacc(ssp, access, &ad); 3151 rc = smk_bu_current("shm", ssp, access, rc); 3152 return rc; 3153 } 3154 3155 /** 3156 * smack_shm_associate - Smack access check for shm 3157 * @isp: the object 3158 * @shmflg: access requested 3159 * 3160 * Returns 0 if current has the requested access, error code otherwise 3161 */ 3162 static int smack_shm_associate(struct kern_ipc_perm *isp, int shmflg) 3163 { 3164 int may; 3165 3166 may = smack_flags_to_may(shmflg); 3167 return smk_curacc_shm(isp, may); 3168 } 3169 3170 /** 3171 * smack_shm_shmctl - Smack access check for shm 3172 * @isp: the object 3173 * @cmd: what it wants to do 3174 * 3175 * Returns 0 if current has the requested access, error code otherwise 3176 */ 3177 static int smack_shm_shmctl(struct kern_ipc_perm *isp, int cmd) 3178 { 3179 int may; 3180 3181 switch (cmd) { 3182 case IPC_STAT: 3183 case SHM_STAT: 3184 case SHM_STAT_ANY: 3185 may = MAY_READ; 3186 break; 3187 case IPC_SET: 3188 case SHM_LOCK: 3189 case SHM_UNLOCK: 3190 case IPC_RMID: 3191 may = MAY_READWRITE; 3192 break; 3193 case IPC_INFO: 3194 case SHM_INFO: 3195 /* 3196 * System level information. 3197 */ 3198 return 0; 3199 default: 3200 return -EINVAL; 3201 } 3202 return smk_curacc_shm(isp, may); 3203 } 3204 3205 /** 3206 * smack_shm_shmat - Smack access for shmat 3207 * @isp: the object 3208 * @shmaddr: unused 3209 * @shmflg: access requested 3210 * 3211 * Returns 0 if current has the requested access, error code otherwise 3212 */ 3213 static int smack_shm_shmat(struct kern_ipc_perm *isp, char __user *shmaddr, 3214 int shmflg) 3215 { 3216 int may; 3217 3218 may = smack_flags_to_may(shmflg); 3219 return smk_curacc_shm(isp, may); 3220 } 3221 3222 /** 3223 * smk_curacc_sem : check if current has access on sem 3224 * @isp : the object 3225 * @access : access requested 3226 * 3227 * Returns 0 if current has the requested access, error code otherwise 3228 */ 3229 static int smk_curacc_sem(struct kern_ipc_perm *isp, int access) 3230 { 3231 struct smack_known *ssp = smack_of_ipc(isp); 3232 struct smk_audit_info ad; 3233 int rc; 3234 3235 #ifdef CONFIG_AUDIT 3236 smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_IPC); 3237 ad.a.u.ipc_id = isp->id; 3238 #endif 3239 rc = smk_curacc(ssp, access, &ad); 3240 rc = smk_bu_current("sem", ssp, access, rc); 3241 return rc; 3242 } 3243 3244 /** 3245 * smack_sem_associate - Smack access check for sem 3246 * @isp: the object 3247 * @semflg: access requested 3248 * 3249 * Returns 0 if current has the requested access, error code otherwise 3250 */ 3251 static int smack_sem_associate(struct kern_ipc_perm *isp, int semflg) 3252 { 3253 int may; 3254 3255 may = smack_flags_to_may(semflg); 3256 return smk_curacc_sem(isp, may); 3257 } 3258 3259 /** 3260 * smack_sem_semctl - Smack access check for sem 3261 * @isp: the object 3262 * @cmd: what it wants to do 3263 * 3264 * Returns 0 if current has the requested access, error code otherwise 3265 */ 3266 static int smack_sem_semctl(struct kern_ipc_perm *isp, int cmd) 3267 { 3268 int may; 3269 3270 switch (cmd) { 3271 case GETPID: 3272 case GETNCNT: 3273 case GETZCNT: 3274 case GETVAL: 3275 case GETALL: 3276 case IPC_STAT: 3277 case SEM_STAT: 3278 case SEM_STAT_ANY: 3279 may = MAY_READ; 3280 break; 3281 case SETVAL: 3282 case SETALL: 3283 case IPC_RMID: 3284 case IPC_SET: 3285 may = MAY_READWRITE; 3286 break; 3287 case IPC_INFO: 3288 case SEM_INFO: 3289 /* 3290 * System level information 3291 */ 3292 return 0; 3293 default: 3294 return -EINVAL; 3295 } 3296 3297 return smk_curacc_sem(isp, may); 3298 } 3299 3300 /** 3301 * smack_sem_semop - Smack checks of semaphore operations 3302 * @isp: the object 3303 * @sops: unused 3304 * @nsops: unused 3305 * @alter: unused 3306 * 3307 * Treated as read and write in all cases. 3308 * 3309 * Returns 0 if access is allowed, error code otherwise 3310 */ 3311 static int smack_sem_semop(struct kern_ipc_perm *isp, struct sembuf *sops, 3312 unsigned nsops, int alter) 3313 { 3314 return smk_curacc_sem(isp, MAY_READWRITE); 3315 } 3316 3317 /** 3318 * smk_curacc_msq : helper to check if current has access on msq 3319 * @isp : the msq 3320 * @access : access requested 3321 * 3322 * return 0 if current has access, error otherwise 3323 */ 3324 static int smk_curacc_msq(struct kern_ipc_perm *isp, int access) 3325 { 3326 struct smack_known *msp = smack_of_ipc(isp); 3327 struct smk_audit_info ad; 3328 int rc; 3329 3330 #ifdef CONFIG_AUDIT 3331 smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_IPC); 3332 ad.a.u.ipc_id = isp->id; 3333 #endif 3334 rc = smk_curacc(msp, access, &ad); 3335 rc = smk_bu_current("msq", msp, access, rc); 3336 return rc; 3337 } 3338 3339 /** 3340 * smack_msg_queue_associate - Smack access check for msg_queue 3341 * @isp: the object 3342 * @msqflg: access requested 3343 * 3344 * Returns 0 if current has the requested access, error code otherwise 3345 */ 3346 static int smack_msg_queue_associate(struct kern_ipc_perm *isp, int msqflg) 3347 { 3348 int may; 3349 3350 may = smack_flags_to_may(msqflg); 3351 return smk_curacc_msq(isp, may); 3352 } 3353 3354 /** 3355 * smack_msg_queue_msgctl - Smack access check for msg_queue 3356 * @isp: the object 3357 * @cmd: what it wants to do 3358 * 3359 * Returns 0 if current has the requested access, error code otherwise 3360 */ 3361 static int smack_msg_queue_msgctl(struct kern_ipc_perm *isp, int cmd) 3362 { 3363 int may; 3364 3365 switch (cmd) { 3366 case IPC_STAT: 3367 case MSG_STAT: 3368 case MSG_STAT_ANY: 3369 may = MAY_READ; 3370 break; 3371 case IPC_SET: 3372 case IPC_RMID: 3373 may = MAY_READWRITE; 3374 break; 3375 case IPC_INFO: 3376 case MSG_INFO: 3377 /* 3378 * System level information 3379 */ 3380 return 0; 3381 default: 3382 return -EINVAL; 3383 } 3384 3385 return smk_curacc_msq(isp, may); 3386 } 3387 3388 /** 3389 * smack_msg_queue_msgsnd - Smack access check for msg_queue 3390 * @isp: the object 3391 * @msg: unused 3392 * @msqflg: access requested 3393 * 3394 * Returns 0 if current has the requested access, error code otherwise 3395 */ 3396 static int smack_msg_queue_msgsnd(struct kern_ipc_perm *isp, struct msg_msg *msg, 3397 int msqflg) 3398 { 3399 int may; 3400 3401 may = smack_flags_to_may(msqflg); 3402 return smk_curacc_msq(isp, may); 3403 } 3404 3405 /** 3406 * smack_msg_queue_msgrcv - Smack access check for msg_queue 3407 * @isp: the object 3408 * @msg: unused 3409 * @target: unused 3410 * @type: unused 3411 * @mode: unused 3412 * 3413 * Returns 0 if current has read and write access, error code otherwise 3414 */ 3415 static int smack_msg_queue_msgrcv(struct kern_ipc_perm *isp, 3416 struct msg_msg *msg, 3417 struct task_struct *target, long type, 3418 int mode) 3419 { 3420 return smk_curacc_msq(isp, MAY_READWRITE); 3421 } 3422 3423 /** 3424 * smack_ipc_permission - Smack access for ipc_permission() 3425 * @ipp: the object permissions 3426 * @flag: access requested 3427 * 3428 * Returns 0 if current has read and write access, error code otherwise 3429 */ 3430 static int smack_ipc_permission(struct kern_ipc_perm *ipp, short flag) 3431 { 3432 struct smack_known **blob = smack_ipc(ipp); 3433 struct smack_known *iskp = *blob; 3434 int may = smack_flags_to_may(flag); 3435 struct smk_audit_info ad; 3436 int rc; 3437 3438 #ifdef CONFIG_AUDIT 3439 smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_IPC); 3440 ad.a.u.ipc_id = ipp->id; 3441 #endif 3442 rc = smk_curacc(iskp, may, &ad); 3443 rc = smk_bu_current("svipc", iskp, may, rc); 3444 return rc; 3445 } 3446 3447 /** 3448 * smack_ipc_getlsmprop - Extract smack security data 3449 * @ipp: the object permissions 3450 * @prop: where result will be saved 3451 */ 3452 static void smack_ipc_getlsmprop(struct kern_ipc_perm *ipp, struct lsm_prop *prop) 3453 { 3454 struct smack_known **iskpp = smack_ipc(ipp); 3455 3456 prop->smack.skp = *iskpp; 3457 } 3458 3459 /** 3460 * smack_d_instantiate - Make sure the blob is correct on an inode 3461 * @opt_dentry: dentry where inode will be attached 3462 * @inode: the object 3463 * 3464 * Set the inode's security blob if it hasn't been done already. 3465 */ 3466 static void smack_d_instantiate(struct dentry *opt_dentry, struct inode *inode) 3467 { 3468 struct super_block *sbp; 3469 struct superblock_smack *sbsp; 3470 struct inode_smack *isp; 3471 struct smack_known *skp; 3472 struct smack_known *ckp = smk_of_current(); 3473 struct smack_known *final; 3474 char trattr[TRANS_TRUE_SIZE]; 3475 int transflag = 0; 3476 int rc; 3477 struct dentry *dp; 3478 3479 if (inode == NULL) 3480 return; 3481 3482 isp = smack_inode(inode); 3483 3484 /* 3485 * If the inode is already instantiated 3486 * take the quick way out 3487 */ 3488 if (isp->smk_flags & SMK_INODE_INSTANT) 3489 return; 3490 3491 sbp = inode->i_sb; 3492 sbsp = smack_superblock(sbp); 3493 /* 3494 * We're going to use the superblock default label 3495 * if there's no label on the file. 3496 */ 3497 final = sbsp->smk_default; 3498 3499 /* 3500 * If this is the root inode the superblock 3501 * may be in the process of initialization. 3502 * If that is the case use the root value out 3503 * of the superblock. 3504 */ 3505 if (opt_dentry->d_parent == opt_dentry) { 3506 switch (sbp->s_magic) { 3507 case CGROUP_SUPER_MAGIC: 3508 case CGROUP2_SUPER_MAGIC: 3509 /* 3510 * The cgroup filesystem is never mounted, 3511 * so there's no opportunity to set the mount 3512 * options. 3513 */ 3514 sbsp->smk_root = &smack_known_star; 3515 sbsp->smk_default = &smack_known_star; 3516 isp->smk_inode = sbsp->smk_root; 3517 break; 3518 case TMPFS_MAGIC: 3519 /* 3520 * What about shmem/tmpfs anonymous files with dentry 3521 * obtained from d_alloc_pseudo()? 3522 */ 3523 isp->smk_inode = smk_of_current(); 3524 break; 3525 case PIPEFS_MAGIC: 3526 isp->smk_inode = smk_of_current(); 3527 break; 3528 case SOCKFS_MAGIC: 3529 /* 3530 * Socket access is controlled by the socket 3531 * structures associated with the task involved. 3532 */ 3533 isp->smk_inode = &smack_known_star; 3534 break; 3535 default: 3536 isp->smk_inode = sbsp->smk_root; 3537 break; 3538 } 3539 isp->smk_flags |= SMK_INODE_INSTANT; 3540 return; 3541 } 3542 3543 /* 3544 * This is pretty hackish. 3545 * Casey says that we shouldn't have to do 3546 * file system specific code, but it does help 3547 * with keeping it simple. 3548 */ 3549 switch (sbp->s_magic) { 3550 case SMACK_MAGIC: 3551 case CGROUP_SUPER_MAGIC: 3552 case CGROUP2_SUPER_MAGIC: 3553 /* 3554 * Casey says that it's a little embarrassing 3555 * that the smack file system doesn't do 3556 * extended attributes. 3557 * 3558 * Cgroupfs is special 3559 */ 3560 final = &smack_known_star; 3561 break; 3562 case DEVPTS_SUPER_MAGIC: 3563 /* 3564 * devpts seems content with the label of the task. 3565 * Programs that change smack have to treat the 3566 * pty with respect. 3567 */ 3568 final = ckp; 3569 break; 3570 case PROC_SUPER_MAGIC: 3571 /* 3572 * Casey says procfs appears not to care. 3573 * The superblock default suffices. 3574 */ 3575 break; 3576 case TMPFS_MAGIC: 3577 /* 3578 * Device labels should come from the filesystem, 3579 * but watch out, because they're volitile, 3580 * getting recreated on every reboot. 3581 */ 3582 final = &smack_known_star; 3583 /* 3584 * If a smack value has been set we want to use it, 3585 * but since tmpfs isn't giving us the opportunity 3586 * to set mount options simulate setting the 3587 * superblock default. 3588 */ 3589 fallthrough; 3590 default: 3591 /* 3592 * This isn't an understood special case. 3593 * Get the value from the xattr. 3594 */ 3595 3596 /* 3597 * UNIX domain sockets use lower level socket data. 3598 */ 3599 if (S_ISSOCK(inode->i_mode)) { 3600 final = &smack_known_star; 3601 break; 3602 } 3603 /* 3604 * No xattr support means, alas, no SMACK label. 3605 * Use the aforeapplied default. 3606 * It would be curious if the label of the task 3607 * does not match that assigned. 3608 */ 3609 if (!(inode->i_opflags & IOP_XATTR)) 3610 break; 3611 /* 3612 * Get the dentry for xattr. 3613 */ 3614 dp = dget(opt_dentry); 3615 skp = smk_fetch(XATTR_NAME_SMACK, inode, dp); 3616 if (!IS_ERR_OR_NULL(skp)) 3617 final = skp; 3618 3619 /* 3620 * Transmuting directory 3621 */ 3622 if (S_ISDIR(inode->i_mode)) { 3623 /* 3624 * If this is a new directory and the label was 3625 * transmuted when the inode was initialized 3626 * set the transmute attribute on the directory 3627 * and mark the inode. 3628 * 3629 * If there is a transmute attribute on the 3630 * directory mark the inode. 3631 */ 3632 rc = __vfs_getxattr(dp, inode, 3633 XATTR_NAME_SMACKTRANSMUTE, trattr, 3634 TRANS_TRUE_SIZE); 3635 if (rc >= 0 && strncmp(trattr, TRANS_TRUE, 3636 TRANS_TRUE_SIZE) != 0) 3637 rc = -EINVAL; 3638 if (rc >= 0) 3639 transflag = SMK_INODE_TRANSMUTE; 3640 } 3641 /* 3642 * Don't let the exec or mmap label be "*" or "@". 3643 */ 3644 skp = smk_fetch(XATTR_NAME_SMACKEXEC, inode, dp); 3645 if (IS_ERR(skp) || skp == &smack_known_star || 3646 skp == &smack_known_web) 3647 skp = NULL; 3648 isp->smk_task = skp; 3649 3650 skp = smk_fetch(XATTR_NAME_SMACKMMAP, inode, dp); 3651 if (IS_ERR(skp) || skp == &smack_known_star || 3652 skp == &smack_known_web) 3653 skp = NULL; 3654 isp->smk_mmap = skp; 3655 3656 dput(dp); 3657 break; 3658 } 3659 3660 if (final == NULL) 3661 isp->smk_inode = ckp; 3662 else 3663 isp->smk_inode = final; 3664 3665 isp->smk_flags |= (SMK_INODE_INSTANT | transflag); 3666 3667 return; 3668 } 3669 3670 /** 3671 * smack_getselfattr - Smack current process attribute 3672 * @attr: which attribute to fetch 3673 * @ctx: buffer to receive the result 3674 * @size: available size in, actual size out 3675 * @flags: unused 3676 * 3677 * Fill the passed user space @ctx with the details of the requested 3678 * attribute. 3679 * 3680 * Returns the number of attributes on success, an error code otherwise. 3681 * There will only ever be one attribute. 3682 */ 3683 static int smack_getselfattr(unsigned int attr, struct lsm_ctx __user *ctx, 3684 u32 *size, u32 flags) 3685 { 3686 int rc; 3687 struct smack_known *skp; 3688 3689 if (attr != LSM_ATTR_CURRENT) 3690 return -EOPNOTSUPP; 3691 3692 skp = smk_of_current(); 3693 rc = lsm_fill_user_ctx(ctx, size, 3694 skp->smk_known, strlen(skp->smk_known) + 1, 3695 LSM_ID_SMACK, 0); 3696 return (!rc ? 1 : rc); 3697 } 3698 3699 /** 3700 * smack_getprocattr - Smack process attribute access 3701 * @p: the object task 3702 * @name: the name of the attribute in /proc/.../attr 3703 * @value: where to put the result 3704 * 3705 * Places a copy of the task Smack into value 3706 * 3707 * Returns the length of the smack label or an error code 3708 */ 3709 static int smack_getprocattr(struct task_struct *p, const char *name, char **value) 3710 { 3711 struct smack_known *skp = smk_of_task_struct_obj(p); 3712 char *cp; 3713 int slen; 3714 3715 if (strcmp(name, "current") != 0) 3716 return -EINVAL; 3717 3718 cp = kstrdup(skp->smk_known, GFP_KERNEL); 3719 if (cp == NULL) 3720 return -ENOMEM; 3721 3722 slen = strlen(cp); 3723 *value = cp; 3724 return slen; 3725 } 3726 3727 /** 3728 * do_setattr - Smack process attribute setting 3729 * @attr: the ID of the attribute 3730 * @value: the value to set 3731 * @size: the size of the value 3732 * 3733 * Sets the Smack value of the task. Only setting self 3734 * is permitted and only with privilege 3735 * 3736 * Returns the length of the smack label or an error code 3737 */ 3738 static int do_setattr(u64 attr, void *value, size_t size) 3739 { 3740 struct task_smack *tsp = smack_cred(current_cred()); 3741 struct cred *new; 3742 struct smack_known *skp; 3743 struct smack_known_list_elem *sklep; 3744 int rc; 3745 3746 if (!smack_privileged(CAP_MAC_ADMIN) && list_empty(&tsp->smk_relabel)) 3747 return -EPERM; 3748 3749 if (value == NULL || size == 0 || size >= SMK_LONGLABEL) 3750 return -EINVAL; 3751 3752 if (attr != LSM_ATTR_CURRENT) 3753 return -EOPNOTSUPP; 3754 3755 skp = smk_import_entry(value, size); 3756 if (IS_ERR(skp)) 3757 return PTR_ERR(skp); 3758 3759 /* 3760 * No process is ever allowed the web ("@") label 3761 * and the star ("*") label. 3762 */ 3763 if (skp == &smack_known_web || skp == &smack_known_star) 3764 return -EINVAL; 3765 3766 if (!smack_privileged(CAP_MAC_ADMIN)) { 3767 rc = -EPERM; 3768 list_for_each_entry(sklep, &tsp->smk_relabel, list) 3769 if (sklep->smk_label == skp) { 3770 rc = 0; 3771 break; 3772 } 3773 if (rc) 3774 return rc; 3775 } 3776 3777 new = prepare_creds(); 3778 if (new == NULL) 3779 return -ENOMEM; 3780 3781 tsp = smack_cred(new); 3782 tsp->smk_task = skp; 3783 /* 3784 * process can change its label only once 3785 */ 3786 smk_destroy_label_list(&tsp->smk_relabel); 3787 3788 commit_creds(new); 3789 return size; 3790 } 3791 3792 /** 3793 * smack_setselfattr - Set a Smack process attribute 3794 * @attr: which attribute to set 3795 * @ctx: buffer containing the data 3796 * @size: size of @ctx 3797 * @flags: unused 3798 * 3799 * Fill the passed user space @ctx with the details of the requested 3800 * attribute. 3801 * 3802 * Returns 0 on success, an error code otherwise. 3803 */ 3804 static int smack_setselfattr(unsigned int attr, struct lsm_ctx *ctx, 3805 u32 size, u32 flags) 3806 { 3807 int rc; 3808 3809 rc = do_setattr(attr, ctx->ctx, ctx->ctx_len); 3810 if (rc > 0) 3811 return 0; 3812 return rc; 3813 } 3814 3815 /** 3816 * smack_setprocattr - Smack process attribute setting 3817 * @name: the name of the attribute in /proc/.../attr 3818 * @value: the value to set 3819 * @size: the size of the value 3820 * 3821 * Sets the Smack value of the task. Only setting self 3822 * is permitted and only with privilege 3823 * 3824 * Returns the length of the smack label or an error code 3825 */ 3826 static int smack_setprocattr(const char *name, void *value, size_t size) 3827 { 3828 int attr = lsm_name_to_attr(name); 3829 3830 if (attr != LSM_ATTR_UNDEF) 3831 return do_setattr(attr, value, size); 3832 return -EINVAL; 3833 } 3834 3835 /** 3836 * smack_unix_stream_connect - Smack access on UDS 3837 * @sock: one sock 3838 * @other: the other sock 3839 * @newsk: unused 3840 * 3841 * Return 0 if a subject with the smack of sock could access 3842 * an object with the smack of other, otherwise an error code 3843 */ 3844 static int smack_unix_stream_connect(struct sock *sock, 3845 struct sock *other, struct sock *newsk) 3846 { 3847 struct smack_known *skp; 3848 struct smack_known *okp; 3849 struct socket_smack *ssp = smack_sock(sock); 3850 struct socket_smack *osp = smack_sock(other); 3851 struct socket_smack *nsp = smack_sock(newsk); 3852 struct smk_audit_info ad; 3853 int rc = 0; 3854 #ifdef CONFIG_AUDIT 3855 struct lsm_network_audit net; 3856 #endif 3857 3858 if (!smack_privileged(CAP_MAC_OVERRIDE)) { 3859 skp = ssp->smk_out; 3860 okp = osp->smk_in; 3861 #ifdef CONFIG_AUDIT 3862 smk_ad_init_net(&ad, __func__, LSM_AUDIT_DATA_NET, &net); 3863 smk_ad_setfield_u_net_sk(&ad, other); 3864 #endif 3865 rc = smk_access(skp, okp, MAY_WRITE, &ad); 3866 rc = smk_bu_note("UDS connect", skp, okp, MAY_WRITE, rc); 3867 if (rc == 0) { 3868 okp = osp->smk_out; 3869 skp = ssp->smk_in; 3870 rc = smk_access(okp, skp, MAY_WRITE, &ad); 3871 rc = smk_bu_note("UDS connect", okp, skp, 3872 MAY_WRITE, rc); 3873 } 3874 } 3875 3876 if (rc == 0) { 3877 /* 3878 * Cross reference the peer labels for SO_PEERSEC. 3879 */ 3880 nsp->smk_packet = ssp->smk_out; 3881 ssp->smk_packet = osp->smk_out; 3882 3883 /* 3884 * new/child/established socket must inherit listening socket labels 3885 */ 3886 nsp->smk_out = osp->smk_out; 3887 nsp->smk_in = osp->smk_in; 3888 } 3889 3890 return rc; 3891 } 3892 3893 /** 3894 * smack_unix_may_send - Smack access on UDS 3895 * @sock: one socket 3896 * @other: the other socket 3897 * 3898 * Return 0 if a subject with the smack of sock could access 3899 * an object with the smack of other, otherwise an error code 3900 */ 3901 static int smack_unix_may_send(struct socket *sock, struct socket *other) 3902 { 3903 struct socket_smack *ssp = smack_sock(sock->sk); 3904 struct socket_smack *osp = smack_sock(other->sk); 3905 struct smk_audit_info ad; 3906 int rc; 3907 3908 #ifdef CONFIG_AUDIT 3909 struct lsm_network_audit net; 3910 3911 smk_ad_init_net(&ad, __func__, LSM_AUDIT_DATA_NET, &net); 3912 smk_ad_setfield_u_net_sk(&ad, other->sk); 3913 #endif 3914 3915 if (smack_privileged(CAP_MAC_OVERRIDE)) 3916 return 0; 3917 3918 rc = smk_access(ssp->smk_out, osp->smk_in, MAY_WRITE, &ad); 3919 rc = smk_bu_note("UDS send", ssp->smk_out, osp->smk_in, MAY_WRITE, rc); 3920 return rc; 3921 } 3922 3923 /** 3924 * smack_socket_sendmsg - Smack check based on destination host 3925 * @sock: the socket 3926 * @msg: the message 3927 * @size: the size of the message 3928 * 3929 * Return 0 if the current subject can write to the destination host. 3930 * For IPv4 this is only a question if the destination is a single label host. 3931 * For IPv6 this is a check against the label of the port. 3932 */ 3933 static int smack_socket_sendmsg(struct socket *sock, struct msghdr *msg, 3934 int size) 3935 { 3936 struct sockaddr_in *sip = (struct sockaddr_in *) msg->msg_name; 3937 #if IS_ENABLED(CONFIG_IPV6) 3938 struct sockaddr_in6 *sap = (struct sockaddr_in6 *) msg->msg_name; 3939 #endif 3940 #ifdef SMACK_IPV6_SECMARK_LABELING 3941 struct socket_smack *ssp = smack_sock(sock->sk); 3942 struct smack_known *rsp; 3943 #endif 3944 int rc = 0; 3945 3946 /* 3947 * Perfectly reasonable for this to be NULL 3948 */ 3949 if (sip == NULL) 3950 return 0; 3951 3952 switch (sock->sk->sk_family) { 3953 case AF_INET: 3954 if (msg->msg_namelen < sizeof(struct sockaddr_in) || 3955 sip->sin_family != AF_INET) 3956 return -EINVAL; 3957 rc = smk_ipv4_check(sock->sk, sip); 3958 break; 3959 #if IS_ENABLED(CONFIG_IPV6) 3960 case AF_INET6: 3961 if (msg->msg_namelen < SIN6_LEN_RFC2133 || 3962 sap->sin6_family != AF_INET6) 3963 return -EINVAL; 3964 #ifdef SMACK_IPV6_SECMARK_LABELING 3965 rsp = smack_ipv6host_label(sap); 3966 if (rsp != NULL) 3967 rc = smk_ipv6_check(ssp->smk_out, rsp, sap, 3968 SMK_CONNECTING); 3969 #endif 3970 #ifdef SMACK_IPV6_PORT_LABELING 3971 rc = smk_ipv6_port_check(sock->sk, sap, SMK_SENDING); 3972 #endif 3973 #endif /* IS_ENABLED(CONFIG_IPV6) */ 3974 break; 3975 } 3976 return rc; 3977 } 3978 3979 /** 3980 * smack_from_secattr - Convert a netlabel attr.mls.lvl/attr.mls.cat pair to smack 3981 * @sap: netlabel secattr 3982 * @ssp: socket security information 3983 * 3984 * Returns a pointer to a Smack label entry found on the label list. 3985 */ 3986 static struct smack_known *smack_from_secattr(struct netlbl_lsm_secattr *sap, 3987 struct socket_smack *ssp) 3988 { 3989 struct smack_known *skp; 3990 int found = 0; 3991 int acat; 3992 int kcat; 3993 3994 /* 3995 * Netlabel found it in the cache. 3996 */ 3997 if ((sap->flags & NETLBL_SECATTR_CACHE) != 0) 3998 return (struct smack_known *)sap->cache->data; 3999 4000 if ((sap->flags & NETLBL_SECATTR_SECID) != 0) 4001 /* 4002 * Looks like a fallback, which gives us a secid. 4003 */ 4004 return smack_from_secid(sap->attr.secid); 4005 4006 if ((sap->flags & NETLBL_SECATTR_MLS_LVL) != 0) { 4007 /* 4008 * Looks like a CIPSO packet. 4009 * If there are flags but no level netlabel isn't 4010 * behaving the way we expect it to. 4011 * 4012 * Look it up in the label table 4013 * Without guidance regarding the smack value 4014 * for the packet fall back on the network 4015 * ambient value. 4016 */ 4017 rcu_read_lock(); 4018 list_for_each_entry_rcu(skp, &smack_known_list, list) { 4019 if (sap->attr.mls.lvl != skp->smk_netlabel.attr.mls.lvl) 4020 continue; 4021 /* 4022 * Compare the catsets. Use the netlbl APIs. 4023 */ 4024 if ((sap->flags & NETLBL_SECATTR_MLS_CAT) == 0) { 4025 if ((skp->smk_netlabel.flags & 4026 NETLBL_SECATTR_MLS_CAT) == 0) 4027 found = 1; 4028 break; 4029 } 4030 for (acat = -1, kcat = -1; acat == kcat; ) { 4031 acat = netlbl_catmap_walk(sap->attr.mls.cat, 4032 acat + 1); 4033 kcat = netlbl_catmap_walk( 4034 skp->smk_netlabel.attr.mls.cat, 4035 kcat + 1); 4036 if (acat < 0 || kcat < 0) 4037 break; 4038 } 4039 if (acat == kcat) { 4040 found = 1; 4041 break; 4042 } 4043 } 4044 rcu_read_unlock(); 4045 4046 if (found) 4047 return skp; 4048 4049 if (ssp != NULL && ssp->smk_in == &smack_known_star) 4050 return &smack_known_web; 4051 return &smack_known_star; 4052 } 4053 /* 4054 * Without guidance regarding the smack value 4055 * for the packet fall back on the network 4056 * ambient value. 4057 */ 4058 return smack_net_ambient; 4059 } 4060 4061 #if IS_ENABLED(CONFIG_IPV6) 4062 static int smk_skb_to_addr_ipv6(struct sk_buff *skb, struct sockaddr_in6 *sip) 4063 { 4064 u8 nexthdr; 4065 int offset; 4066 int proto = -EINVAL; 4067 struct ipv6hdr _ipv6h; 4068 struct ipv6hdr *ip6; 4069 __be16 frag_off; 4070 struct tcphdr _tcph, *th; 4071 struct udphdr _udph, *uh; 4072 struct dccp_hdr _dccph, *dh; 4073 4074 sip->sin6_port = 0; 4075 4076 offset = skb_network_offset(skb); 4077 ip6 = skb_header_pointer(skb, offset, sizeof(_ipv6h), &_ipv6h); 4078 if (ip6 == NULL) 4079 return -EINVAL; 4080 sip->sin6_addr = ip6->saddr; 4081 4082 nexthdr = ip6->nexthdr; 4083 offset += sizeof(_ipv6h); 4084 offset = ipv6_skip_exthdr(skb, offset, &nexthdr, &frag_off); 4085 if (offset < 0) 4086 return -EINVAL; 4087 4088 proto = nexthdr; 4089 switch (proto) { 4090 case IPPROTO_TCP: 4091 th = skb_header_pointer(skb, offset, sizeof(_tcph), &_tcph); 4092 if (th != NULL) 4093 sip->sin6_port = th->source; 4094 break; 4095 case IPPROTO_UDP: 4096 case IPPROTO_UDPLITE: 4097 uh = skb_header_pointer(skb, offset, sizeof(_udph), &_udph); 4098 if (uh != NULL) 4099 sip->sin6_port = uh->source; 4100 break; 4101 case IPPROTO_DCCP: 4102 dh = skb_header_pointer(skb, offset, sizeof(_dccph), &_dccph); 4103 if (dh != NULL) 4104 sip->sin6_port = dh->dccph_sport; 4105 break; 4106 } 4107 return proto; 4108 } 4109 #endif /* CONFIG_IPV6 */ 4110 4111 /** 4112 * smack_from_skb - Smack data from the secmark in an skb 4113 * @skb: packet 4114 * 4115 * Returns smack_known of the secmark or NULL if that won't work. 4116 */ 4117 #ifdef CONFIG_NETWORK_SECMARK 4118 static struct smack_known *smack_from_skb(struct sk_buff *skb) 4119 { 4120 if (skb == NULL || skb->secmark == 0) 4121 return NULL; 4122 4123 return smack_from_secid(skb->secmark); 4124 } 4125 #else 4126 static inline struct smack_known *smack_from_skb(struct sk_buff *skb) 4127 { 4128 return NULL; 4129 } 4130 #endif 4131 4132 /** 4133 * smack_from_netlbl - Smack data from the IP options in an skb 4134 * @sk: socket data came in on 4135 * @family: address family 4136 * @skb: packet 4137 * 4138 * Find the Smack label in the IP options. If it hasn't been 4139 * added to the netlabel cache, add it here. 4140 * 4141 * Returns smack_known of the IP options or NULL if that won't work. 4142 */ 4143 static struct smack_known *smack_from_netlbl(const struct sock *sk, u16 family, 4144 struct sk_buff *skb) 4145 { 4146 struct netlbl_lsm_secattr secattr; 4147 struct socket_smack *ssp = NULL; 4148 struct smack_known *skp = NULL; 4149 4150 netlbl_secattr_init(&secattr); 4151 4152 if (sk) 4153 ssp = smack_sock(sk); 4154 4155 if (netlbl_skbuff_getattr(skb, family, &secattr) == 0) { 4156 skp = smack_from_secattr(&secattr, ssp); 4157 if (secattr.flags & NETLBL_SECATTR_CACHEABLE) 4158 netlbl_cache_add(skb, family, &skp->smk_netlabel); 4159 } 4160 4161 netlbl_secattr_destroy(&secattr); 4162 4163 return skp; 4164 } 4165 4166 /** 4167 * smack_socket_sock_rcv_skb - Smack packet delivery access check 4168 * @sk: socket 4169 * @skb: packet 4170 * 4171 * Returns 0 if the packet should be delivered, an error code otherwise 4172 */ 4173 static int smack_socket_sock_rcv_skb(struct sock *sk, struct sk_buff *skb) 4174 { 4175 struct socket_smack *ssp = smack_sock(sk); 4176 struct smack_known *skp = NULL; 4177 int rc = 0; 4178 struct smk_audit_info ad; 4179 u16 family = sk->sk_family; 4180 #ifdef CONFIG_AUDIT 4181 struct lsm_network_audit net; 4182 #endif 4183 #if IS_ENABLED(CONFIG_IPV6) 4184 struct sockaddr_in6 sadd; 4185 int proto; 4186 4187 if (family == PF_INET6 && skb->protocol == htons(ETH_P_IP)) 4188 family = PF_INET; 4189 #endif /* CONFIG_IPV6 */ 4190 4191 switch (family) { 4192 case PF_INET: 4193 /* 4194 * If there is a secmark use it rather than the CIPSO label. 4195 * If there is no secmark fall back to CIPSO. 4196 * The secmark is assumed to reflect policy better. 4197 */ 4198 skp = smack_from_skb(skb); 4199 if (skp == NULL) { 4200 skp = smack_from_netlbl(sk, family, skb); 4201 if (skp == NULL) 4202 skp = smack_net_ambient; 4203 } 4204 4205 #ifdef CONFIG_AUDIT 4206 smk_ad_init_net(&ad, __func__, LSM_AUDIT_DATA_NET, &net); 4207 ad.a.u.net->family = family; 4208 ad.a.u.net->netif = skb->skb_iif; 4209 ipv4_skb_to_auditdata(skb, &ad.a, NULL); 4210 #endif 4211 /* 4212 * Receiving a packet requires that the other end 4213 * be able to write here. Read access is not required. 4214 * This is the simplist possible security model 4215 * for networking. 4216 */ 4217 rc = smk_access(skp, ssp->smk_in, MAY_WRITE, &ad); 4218 rc = smk_bu_note("IPv4 delivery", skp, ssp->smk_in, 4219 MAY_WRITE, rc); 4220 if (rc != 0) 4221 netlbl_skbuff_err(skb, family, rc, 0); 4222 break; 4223 #if IS_ENABLED(CONFIG_IPV6) 4224 case PF_INET6: 4225 proto = smk_skb_to_addr_ipv6(skb, &sadd); 4226 if (proto != IPPROTO_UDP && proto != IPPROTO_UDPLITE && 4227 proto != IPPROTO_TCP && proto != IPPROTO_DCCP) 4228 break; 4229 #ifdef SMACK_IPV6_SECMARK_LABELING 4230 skp = smack_from_skb(skb); 4231 if (skp == NULL) { 4232 if (smk_ipv6_localhost(&sadd)) 4233 break; 4234 skp = smack_ipv6host_label(&sadd); 4235 if (skp == NULL) 4236 skp = smack_net_ambient; 4237 } 4238 #ifdef CONFIG_AUDIT 4239 smk_ad_init_net(&ad, __func__, LSM_AUDIT_DATA_NET, &net); 4240 ad.a.u.net->family = family; 4241 ad.a.u.net->netif = skb->skb_iif; 4242 ipv6_skb_to_auditdata(skb, &ad.a, NULL); 4243 #endif /* CONFIG_AUDIT */ 4244 rc = smk_access(skp, ssp->smk_in, MAY_WRITE, &ad); 4245 rc = smk_bu_note("IPv6 delivery", skp, ssp->smk_in, 4246 MAY_WRITE, rc); 4247 #endif /* SMACK_IPV6_SECMARK_LABELING */ 4248 #ifdef SMACK_IPV6_PORT_LABELING 4249 rc = smk_ipv6_port_check(sk, &sadd, SMK_RECEIVING); 4250 #endif /* SMACK_IPV6_PORT_LABELING */ 4251 if (rc != 0) 4252 icmpv6_send(skb, ICMPV6_DEST_UNREACH, 4253 ICMPV6_ADM_PROHIBITED, 0); 4254 break; 4255 #endif /* CONFIG_IPV6 */ 4256 } 4257 4258 return rc; 4259 } 4260 4261 /** 4262 * smack_socket_getpeersec_stream - pull in packet label 4263 * @sock: the socket 4264 * @optval: user's destination 4265 * @optlen: size thereof 4266 * @len: max thereof 4267 * 4268 * returns zero on success, an error code otherwise 4269 */ 4270 static int smack_socket_getpeersec_stream(struct socket *sock, 4271 sockptr_t optval, sockptr_t optlen, 4272 unsigned int len) 4273 { 4274 struct socket_smack *ssp; 4275 char *rcp = ""; 4276 u32 slen = 1; 4277 int rc = 0; 4278 4279 ssp = smack_sock(sock->sk); 4280 if (ssp->smk_packet != NULL) { 4281 rcp = ssp->smk_packet->smk_known; 4282 slen = strlen(rcp) + 1; 4283 } 4284 if (slen > len) { 4285 rc = -ERANGE; 4286 goto out_len; 4287 } 4288 4289 if (copy_to_sockptr(optval, rcp, slen)) 4290 rc = -EFAULT; 4291 out_len: 4292 if (copy_to_sockptr(optlen, &slen, sizeof(slen))) 4293 rc = -EFAULT; 4294 return rc; 4295 } 4296 4297 4298 /** 4299 * smack_socket_getpeersec_dgram - pull in packet label 4300 * @sock: the peer socket 4301 * @skb: packet data 4302 * @secid: pointer to where to put the secid of the packet 4303 * 4304 * Sets the netlabel socket state on sk from parent 4305 */ 4306 static int smack_socket_getpeersec_dgram(struct socket *sock, 4307 struct sk_buff *skb, u32 *secid) 4308 4309 { 4310 struct socket_smack *ssp = NULL; 4311 struct smack_known *skp; 4312 struct sock *sk = NULL; 4313 int family = PF_UNSPEC; 4314 u32 s = 0; /* 0 is the invalid secid */ 4315 4316 if (skb != NULL) { 4317 if (skb->protocol == htons(ETH_P_IP)) 4318 family = PF_INET; 4319 #if IS_ENABLED(CONFIG_IPV6) 4320 else if (skb->protocol == htons(ETH_P_IPV6)) 4321 family = PF_INET6; 4322 #endif /* CONFIG_IPV6 */ 4323 } 4324 if (family == PF_UNSPEC && sock != NULL) 4325 family = sock->sk->sk_family; 4326 4327 switch (family) { 4328 case PF_UNIX: 4329 ssp = smack_sock(sock->sk); 4330 s = ssp->smk_out->smk_secid; 4331 break; 4332 case PF_INET: 4333 skp = smack_from_skb(skb); 4334 if (skp) { 4335 s = skp->smk_secid; 4336 break; 4337 } 4338 /* 4339 * Translate what netlabel gave us. 4340 */ 4341 if (sock != NULL) 4342 sk = sock->sk; 4343 skp = smack_from_netlbl(sk, family, skb); 4344 if (skp != NULL) 4345 s = skp->smk_secid; 4346 break; 4347 case PF_INET6: 4348 #ifdef SMACK_IPV6_SECMARK_LABELING 4349 skp = smack_from_skb(skb); 4350 if (skp) 4351 s = skp->smk_secid; 4352 #endif 4353 break; 4354 } 4355 *secid = s; 4356 if (s == 0) 4357 return -EINVAL; 4358 return 0; 4359 } 4360 4361 /** 4362 * smack_sock_graft - Initialize a newly created socket with an existing sock 4363 * @sk: child sock 4364 * @parent: parent socket 4365 * 4366 * Set the smk_{in,out} state of an existing sock based on the process that 4367 * is creating the new socket. 4368 */ 4369 static void smack_sock_graft(struct sock *sk, struct socket *parent) 4370 { 4371 struct socket_smack *ssp; 4372 struct smack_known *skp = smk_of_current(); 4373 4374 if (sk == NULL || 4375 (sk->sk_family != PF_INET && sk->sk_family != PF_INET6)) 4376 return; 4377 4378 ssp = smack_sock(sk); 4379 ssp->smk_in = skp; 4380 ssp->smk_out = skp; 4381 /* cssp->smk_packet is already set in smack_inet_csk_clone() */ 4382 } 4383 4384 /** 4385 * smack_inet_conn_request - Smack access check on connect 4386 * @sk: socket involved 4387 * @skb: packet 4388 * @req: unused 4389 * 4390 * Returns 0 if a task with the packet label could write to 4391 * the socket, otherwise an error code 4392 */ 4393 static int smack_inet_conn_request(const struct sock *sk, struct sk_buff *skb, 4394 struct request_sock *req) 4395 { 4396 u16 family = sk->sk_family; 4397 struct smack_known *skp; 4398 struct socket_smack *ssp = smack_sock(sk); 4399 struct sockaddr_in addr; 4400 struct iphdr *hdr; 4401 struct smack_known *hskp; 4402 int rc; 4403 struct smk_audit_info ad; 4404 #ifdef CONFIG_AUDIT 4405 struct lsm_network_audit net; 4406 #endif 4407 4408 #if IS_ENABLED(CONFIG_IPV6) 4409 if (family == PF_INET6) { 4410 /* 4411 * Handle mapped IPv4 packets arriving 4412 * via IPv6 sockets. Don't set up netlabel 4413 * processing on IPv6. 4414 */ 4415 if (skb->protocol == htons(ETH_P_IP)) 4416 family = PF_INET; 4417 else 4418 return 0; 4419 } 4420 #endif /* CONFIG_IPV6 */ 4421 4422 /* 4423 * If there is a secmark use it rather than the CIPSO label. 4424 * If there is no secmark fall back to CIPSO. 4425 * The secmark is assumed to reflect policy better. 4426 */ 4427 skp = smack_from_skb(skb); 4428 if (skp == NULL) { 4429 skp = smack_from_netlbl(sk, family, skb); 4430 if (skp == NULL) 4431 skp = &smack_known_huh; 4432 } 4433 4434 #ifdef CONFIG_AUDIT 4435 smk_ad_init_net(&ad, __func__, LSM_AUDIT_DATA_NET, &net); 4436 ad.a.u.net->family = family; 4437 ad.a.u.net->netif = skb->skb_iif; 4438 ipv4_skb_to_auditdata(skb, &ad.a, NULL); 4439 #endif 4440 /* 4441 * Receiving a packet requires that the other end be able to write 4442 * here. Read access is not required. 4443 */ 4444 rc = smk_access(skp, ssp->smk_in, MAY_WRITE, &ad); 4445 rc = smk_bu_note("IPv4 connect", skp, ssp->smk_in, MAY_WRITE, rc); 4446 if (rc != 0) 4447 return rc; 4448 4449 /* 4450 * Save the peer's label in the request_sock so we can later setup 4451 * smk_packet in the child socket so that SO_PEERCRED can report it. 4452 */ 4453 req->peer_secid = skp->smk_secid; 4454 4455 /* 4456 * We need to decide if we want to label the incoming connection here 4457 * if we do we only need to label the request_sock and the stack will 4458 * propagate the wire-label to the sock when it is created. 4459 */ 4460 hdr = ip_hdr(skb); 4461 addr.sin_addr.s_addr = hdr->saddr; 4462 rcu_read_lock(); 4463 hskp = smack_ipv4host_label(&addr); 4464 rcu_read_unlock(); 4465 4466 if (hskp == NULL) 4467 rc = netlbl_req_setattr(req, &ssp->smk_out->smk_netlabel); 4468 else 4469 netlbl_req_delattr(req); 4470 4471 return rc; 4472 } 4473 4474 /** 4475 * smack_inet_csk_clone - Copy the connection information to the new socket 4476 * @sk: the new socket 4477 * @req: the connection's request_sock 4478 * 4479 * Transfer the connection's peer label to the newly created socket. 4480 */ 4481 static void smack_inet_csk_clone(struct sock *sk, 4482 const struct request_sock *req) 4483 { 4484 struct socket_smack *ssp = smack_sock(sk); 4485 struct smack_known *skp; 4486 4487 if (req->peer_secid != 0) { 4488 skp = smack_from_secid(req->peer_secid); 4489 ssp->smk_packet = skp; 4490 } else 4491 ssp->smk_packet = NULL; 4492 } 4493 4494 /* 4495 * Key management security hooks 4496 * 4497 * Casey has not tested key support very heavily. 4498 * The permission check is most likely too restrictive. 4499 * If you care about keys please have a look. 4500 */ 4501 #ifdef CONFIG_KEYS 4502 4503 /** 4504 * smack_key_alloc - Set the key security blob 4505 * @key: object 4506 * @cred: the credentials to use 4507 * @flags: unused 4508 * 4509 * No allocation required 4510 * 4511 * Returns 0 4512 */ 4513 static int smack_key_alloc(struct key *key, const struct cred *cred, 4514 unsigned long flags) 4515 { 4516 struct smack_known **blob = smack_key(key); 4517 struct smack_known *skp = smk_of_task(smack_cred(cred)); 4518 4519 *blob = skp; 4520 return 0; 4521 } 4522 4523 /** 4524 * smack_key_permission - Smack access on a key 4525 * @key_ref: gets to the object 4526 * @cred: the credentials to use 4527 * @need_perm: requested key permission 4528 * 4529 * Return 0 if the task has read and write to the object, 4530 * an error code otherwise 4531 */ 4532 static int smack_key_permission(key_ref_t key_ref, 4533 const struct cred *cred, 4534 enum key_need_perm need_perm) 4535 { 4536 struct smack_known **blob; 4537 struct smack_known *skp; 4538 struct key *keyp; 4539 struct smk_audit_info ad; 4540 struct smack_known *tkp = smk_of_task(smack_cred(cred)); 4541 int request = 0; 4542 int rc; 4543 4544 /* 4545 * Validate requested permissions 4546 */ 4547 switch (need_perm) { 4548 case KEY_NEED_READ: 4549 case KEY_NEED_SEARCH: 4550 case KEY_NEED_VIEW: 4551 request |= MAY_READ; 4552 break; 4553 case KEY_NEED_WRITE: 4554 case KEY_NEED_LINK: 4555 case KEY_NEED_SETATTR: 4556 request |= MAY_WRITE; 4557 break; 4558 case KEY_NEED_UNSPECIFIED: 4559 case KEY_NEED_UNLINK: 4560 case KEY_SYSADMIN_OVERRIDE: 4561 case KEY_AUTHTOKEN_OVERRIDE: 4562 case KEY_DEFER_PERM_CHECK: 4563 return 0; 4564 default: 4565 return -EINVAL; 4566 } 4567 4568 keyp = key_ref_to_ptr(key_ref); 4569 if (keyp == NULL) 4570 return -EINVAL; 4571 /* 4572 * If the key hasn't been initialized give it access so that 4573 * it may do so. 4574 */ 4575 blob = smack_key(keyp); 4576 skp = *blob; 4577 if (skp == NULL) 4578 return 0; 4579 /* 4580 * This should not occur 4581 */ 4582 if (tkp == NULL) 4583 return -EACCES; 4584 4585 if (smack_privileged(CAP_MAC_OVERRIDE)) 4586 return 0; 4587 4588 #ifdef CONFIG_AUDIT 4589 smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_KEY); 4590 ad.a.u.key_struct.key = keyp->serial; 4591 ad.a.u.key_struct.key_desc = keyp->description; 4592 #endif 4593 rc = smk_access(tkp, skp, request, &ad); 4594 rc = smk_bu_note("key access", tkp, skp, request, rc); 4595 return rc; 4596 } 4597 4598 /* 4599 * smack_key_getsecurity - Smack label tagging the key 4600 * @key points to the key to be queried 4601 * @_buffer points to a pointer that should be set to point to the 4602 * resulting string (if no label or an error occurs). 4603 * Return the length of the string (including terminating NUL) or -ve if 4604 * an error. 4605 * May also return 0 (and a NULL buffer pointer) if there is no label. 4606 */ 4607 static int smack_key_getsecurity(struct key *key, char **_buffer) 4608 { 4609 struct smack_known **blob = smack_key(key); 4610 struct smack_known *skp = *blob; 4611 size_t length; 4612 char *copy; 4613 4614 if (skp == NULL) { 4615 *_buffer = NULL; 4616 return 0; 4617 } 4618 4619 copy = kstrdup(skp->smk_known, GFP_KERNEL); 4620 if (copy == NULL) 4621 return -ENOMEM; 4622 length = strlen(copy) + 1; 4623 4624 *_buffer = copy; 4625 return length; 4626 } 4627 4628 4629 #ifdef CONFIG_KEY_NOTIFICATIONS 4630 /** 4631 * smack_watch_key - Smack access to watch a key for notifications. 4632 * @key: The key to be watched 4633 * 4634 * Return 0 if the @watch->cred has permission to read from the key object and 4635 * an error otherwise. 4636 */ 4637 static int smack_watch_key(struct key *key) 4638 { 4639 struct smk_audit_info ad; 4640 struct smack_known *tkp = smk_of_current(); 4641 struct smack_known **blob = smack_key(key); 4642 int rc; 4643 4644 /* 4645 * This should not occur 4646 */ 4647 if (tkp == NULL) 4648 return -EACCES; 4649 4650 if (smack_privileged_cred(CAP_MAC_OVERRIDE, current_cred())) 4651 return 0; 4652 4653 #ifdef CONFIG_AUDIT 4654 smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_KEY); 4655 ad.a.u.key_struct.key = key->serial; 4656 ad.a.u.key_struct.key_desc = key->description; 4657 #endif 4658 rc = smk_access(tkp, *blob, MAY_READ, &ad); 4659 rc = smk_bu_note("key watch", tkp, *blob, MAY_READ, rc); 4660 return rc; 4661 } 4662 #endif /* CONFIG_KEY_NOTIFICATIONS */ 4663 #endif /* CONFIG_KEYS */ 4664 4665 #ifdef CONFIG_WATCH_QUEUE 4666 /** 4667 * smack_post_notification - Smack access to post a notification to a queue 4668 * @w_cred: The credentials of the watcher. 4669 * @cred: The credentials of the event source (may be NULL). 4670 * @n: The notification message to be posted. 4671 */ 4672 static int smack_post_notification(const struct cred *w_cred, 4673 const struct cred *cred, 4674 struct watch_notification *n) 4675 { 4676 struct smk_audit_info ad; 4677 struct smack_known *subj, *obj; 4678 int rc; 4679 4680 /* Always let maintenance notifications through. */ 4681 if (n->type == WATCH_TYPE_META) 4682 return 0; 4683 4684 if (!cred) 4685 return 0; 4686 subj = smk_of_task(smack_cred(cred)); 4687 obj = smk_of_task(smack_cred(w_cred)); 4688 4689 smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_NOTIFICATION); 4690 rc = smk_access(subj, obj, MAY_WRITE, &ad); 4691 rc = smk_bu_note("notification", subj, obj, MAY_WRITE, rc); 4692 return rc; 4693 } 4694 #endif /* CONFIG_WATCH_QUEUE */ 4695 4696 /* 4697 * Smack Audit hooks 4698 * 4699 * Audit requires a unique representation of each Smack specific 4700 * rule. This unique representation is used to distinguish the 4701 * object to be audited from remaining kernel objects and also 4702 * works as a glue between the audit hooks. 4703 * 4704 * Since repository entries are added but never deleted, we'll use 4705 * the smack_known label address related to the given audit rule as 4706 * the needed unique representation. This also better fits the smack 4707 * model where nearly everything is a label. 4708 */ 4709 #ifdef CONFIG_AUDIT 4710 4711 /** 4712 * smack_audit_rule_init - Initialize a smack audit rule 4713 * @field: audit rule fields given from user-space (audit.h) 4714 * @op: required testing operator (=, !=, >, <, ...) 4715 * @rulestr: smack label to be audited 4716 * @vrule: pointer to save our own audit rule representation 4717 * @gfp: type of the memory for the allocation 4718 * 4719 * Prepare to audit cases where (@field @op @rulestr) is true. 4720 * The label to be audited is created if necessay. 4721 */ 4722 static int smack_audit_rule_init(u32 field, u32 op, char *rulestr, void **vrule, 4723 gfp_t gfp) 4724 { 4725 struct smack_known *skp; 4726 char **rule = (char **)vrule; 4727 *rule = NULL; 4728 4729 if (field != AUDIT_SUBJ_USER && field != AUDIT_OBJ_USER) 4730 return -EINVAL; 4731 4732 if (op != Audit_equal && op != Audit_not_equal) 4733 return -EINVAL; 4734 4735 skp = smk_import_entry(rulestr, 0); 4736 if (IS_ERR(skp)) 4737 return PTR_ERR(skp); 4738 4739 *rule = skp->smk_known; 4740 4741 return 0; 4742 } 4743 4744 /** 4745 * smack_audit_rule_known - Distinguish Smack audit rules 4746 * @krule: rule of interest, in Audit kernel representation format 4747 * 4748 * This is used to filter Smack rules from remaining Audit ones. 4749 * If it's proved that this rule belongs to us, the 4750 * audit_rule_match hook will be called to do the final judgement. 4751 */ 4752 static int smack_audit_rule_known(struct audit_krule *krule) 4753 { 4754 struct audit_field *f; 4755 int i; 4756 4757 for (i = 0; i < krule->field_count; i++) { 4758 f = &krule->fields[i]; 4759 4760 if (f->type == AUDIT_SUBJ_USER || f->type == AUDIT_OBJ_USER) 4761 return 1; 4762 } 4763 4764 return 0; 4765 } 4766 4767 /** 4768 * smack_audit_rule_match - Audit given object ? 4769 * @prop: security id for identifying the object to test 4770 * @field: audit rule flags given from user-space 4771 * @op: required testing operator 4772 * @vrule: smack internal rule presentation 4773 * 4774 * The core Audit hook. It's used to take the decision of 4775 * whether to audit or not to audit a given object. 4776 */ 4777 static int smack_audit_rule_match(struct lsm_prop *prop, u32 field, u32 op, 4778 void *vrule) 4779 { 4780 struct smack_known *skp = prop->smack.skp; 4781 char *rule = vrule; 4782 4783 if (unlikely(!rule)) { 4784 WARN_ONCE(1, "Smack: missing rule\n"); 4785 return -ENOENT; 4786 } 4787 4788 if (field != AUDIT_SUBJ_USER && field != AUDIT_OBJ_USER) 4789 return 0; 4790 4791 /* 4792 * No need to do string comparisons. If a match occurs, 4793 * both pointers will point to the same smack_known 4794 * label. 4795 */ 4796 if (op == Audit_equal) 4797 return (rule == skp->smk_known); 4798 if (op == Audit_not_equal) 4799 return (rule != skp->smk_known); 4800 4801 return 0; 4802 } 4803 4804 /* 4805 * There is no need for a smack_audit_rule_free hook. 4806 * No memory was allocated. 4807 */ 4808 4809 #endif /* CONFIG_AUDIT */ 4810 4811 /** 4812 * smack_ismaclabel - check if xattr @name references a smack MAC label 4813 * @name: Full xattr name to check. 4814 */ 4815 static int smack_ismaclabel(const char *name) 4816 { 4817 return (strcmp(name, XATTR_SMACK_SUFFIX) == 0); 4818 } 4819 4820 /** 4821 * smack_secid_to_secctx - return the smack label for a secid 4822 * @secid: incoming integer 4823 * @secdata: destination 4824 * @seclen: how long it is 4825 * 4826 * Exists for networking code. 4827 */ 4828 static int smack_secid_to_secctx(u32 secid, char **secdata, u32 *seclen) 4829 { 4830 struct smack_known *skp = smack_from_secid(secid); 4831 4832 if (secdata) 4833 *secdata = skp->smk_known; 4834 *seclen = strlen(skp->smk_known); 4835 return 0; 4836 } 4837 4838 /** 4839 * smack_lsmprop_to_secctx - return the smack label 4840 * @prop: includes incoming Smack data 4841 * @secdata: destination 4842 * @seclen: how long it is 4843 * 4844 * Exists for audit code. 4845 */ 4846 static int smack_lsmprop_to_secctx(struct lsm_prop *prop, char **secdata, 4847 u32 *seclen) 4848 { 4849 struct smack_known *skp = prop->smack.skp; 4850 4851 if (secdata) 4852 *secdata = skp->smk_known; 4853 *seclen = strlen(skp->smk_known); 4854 return 0; 4855 } 4856 4857 /** 4858 * smack_secctx_to_secid - return the secid for a smack label 4859 * @secdata: smack label 4860 * @seclen: how long result is 4861 * @secid: outgoing integer 4862 * 4863 * Exists for audit and networking code. 4864 */ 4865 static int smack_secctx_to_secid(const char *secdata, u32 seclen, u32 *secid) 4866 { 4867 struct smack_known *skp = smk_find_entry(secdata); 4868 4869 if (skp) 4870 *secid = skp->smk_secid; 4871 else 4872 *secid = 0; 4873 return 0; 4874 } 4875 4876 /* 4877 * There used to be a smack_release_secctx hook 4878 * that did nothing back when hooks were in a vector. 4879 * Now that there's a list such a hook adds cost. 4880 */ 4881 4882 static int smack_inode_notifysecctx(struct inode *inode, void *ctx, u32 ctxlen) 4883 { 4884 return smack_inode_setsecurity(inode, XATTR_SMACK_SUFFIX, ctx, 4885 ctxlen, 0); 4886 } 4887 4888 static int smack_inode_setsecctx(struct dentry *dentry, void *ctx, u32 ctxlen) 4889 { 4890 return __vfs_setxattr_locked(&nop_mnt_idmap, dentry, XATTR_NAME_SMACK, 4891 ctx, ctxlen, 0, NULL); 4892 } 4893 4894 static int smack_inode_getsecctx(struct inode *inode, void **ctx, u32 *ctxlen) 4895 { 4896 struct smack_known *skp = smk_of_inode(inode); 4897 4898 *ctx = skp->smk_known; 4899 *ctxlen = strlen(skp->smk_known); 4900 return 0; 4901 } 4902 4903 static int smack_inode_copy_up(struct dentry *dentry, struct cred **new) 4904 { 4905 4906 struct task_smack *tsp; 4907 struct smack_known *skp; 4908 struct inode_smack *isp; 4909 struct cred *new_creds = *new; 4910 4911 if (new_creds == NULL) { 4912 new_creds = prepare_creds(); 4913 if (new_creds == NULL) 4914 return -ENOMEM; 4915 } 4916 4917 tsp = smack_cred(new_creds); 4918 4919 /* 4920 * Get label from overlay inode and set it in create_sid 4921 */ 4922 isp = smack_inode(d_inode(dentry)); 4923 skp = isp->smk_inode; 4924 tsp->smk_task = skp; 4925 *new = new_creds; 4926 return 0; 4927 } 4928 4929 static int smack_inode_copy_up_xattr(struct dentry *src, const char *name) 4930 { 4931 /* 4932 * Return -ECANCELED if this is the smack access Smack attribute. 4933 */ 4934 if (!strcmp(name, XATTR_NAME_SMACK)) 4935 return -ECANCELED; 4936 4937 return -EOPNOTSUPP; 4938 } 4939 4940 static int smack_dentry_create_files_as(struct dentry *dentry, int mode, 4941 struct qstr *name, 4942 const struct cred *old, 4943 struct cred *new) 4944 { 4945 struct task_smack *otsp = smack_cred(old); 4946 struct task_smack *ntsp = smack_cred(new); 4947 struct inode_smack *isp; 4948 int may; 4949 4950 /* 4951 * Use the process credential unless all of 4952 * the transmuting criteria are met 4953 */ 4954 ntsp->smk_task = otsp->smk_task; 4955 4956 /* 4957 * the attribute of the containing directory 4958 */ 4959 isp = smack_inode(d_inode(dentry->d_parent)); 4960 4961 if (isp->smk_flags & SMK_INODE_TRANSMUTE) { 4962 rcu_read_lock(); 4963 may = smk_access_entry(otsp->smk_task->smk_known, 4964 isp->smk_inode->smk_known, 4965 &otsp->smk_task->smk_rules); 4966 rcu_read_unlock(); 4967 4968 /* 4969 * If the directory is transmuting and the rule 4970 * providing access is transmuting use the containing 4971 * directory label instead of the process label. 4972 */ 4973 if (may > 0 && (may & MAY_TRANSMUTE)) { 4974 ntsp->smk_task = isp->smk_inode; 4975 ntsp->smk_transmuted = ntsp->smk_task; 4976 } 4977 } 4978 return 0; 4979 } 4980 4981 #ifdef CONFIG_IO_URING 4982 /** 4983 * smack_uring_override_creds - Is io_uring cred override allowed? 4984 * @new: the target creds 4985 * 4986 * Check to see if the current task is allowed to override it's credentials 4987 * to service an io_uring operation. 4988 */ 4989 static int smack_uring_override_creds(const struct cred *new) 4990 { 4991 struct task_smack *tsp = smack_cred(current_cred()); 4992 struct task_smack *nsp = smack_cred(new); 4993 4994 /* 4995 * Allow the degenerate case where the new Smack value is 4996 * the same as the current Smack value. 4997 */ 4998 if (tsp->smk_task == nsp->smk_task) 4999 return 0; 5000 5001 if (smack_privileged_cred(CAP_MAC_OVERRIDE, current_cred())) 5002 return 0; 5003 5004 return -EPERM; 5005 } 5006 5007 /** 5008 * smack_uring_sqpoll - check if a io_uring polling thread can be created 5009 * 5010 * Check to see if the current task is allowed to create a new io_uring 5011 * kernel polling thread. 5012 */ 5013 static int smack_uring_sqpoll(void) 5014 { 5015 if (smack_privileged_cred(CAP_MAC_ADMIN, current_cred())) 5016 return 0; 5017 5018 return -EPERM; 5019 } 5020 5021 /** 5022 * smack_uring_cmd - check on file operations for io_uring 5023 * @ioucmd: the command in question 5024 * 5025 * Make a best guess about whether a io_uring "command" should 5026 * be allowed. Use the same logic used for determining if the 5027 * file could be opened for read in the absence of better criteria. 5028 */ 5029 static int smack_uring_cmd(struct io_uring_cmd *ioucmd) 5030 { 5031 struct file *file = ioucmd->file; 5032 struct smk_audit_info ad; 5033 struct task_smack *tsp; 5034 struct inode *inode; 5035 int rc; 5036 5037 if (!file) 5038 return -EINVAL; 5039 5040 tsp = smack_cred(file->f_cred); 5041 inode = file_inode(file); 5042 5043 smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_PATH); 5044 smk_ad_setfield_u_fs_path(&ad, file->f_path); 5045 rc = smk_tskacc(tsp, smk_of_inode(inode), MAY_READ, &ad); 5046 rc = smk_bu_credfile(file->f_cred, file, MAY_READ, rc); 5047 5048 return rc; 5049 } 5050 5051 #endif /* CONFIG_IO_URING */ 5052 5053 struct lsm_blob_sizes smack_blob_sizes __ro_after_init = { 5054 .lbs_cred = sizeof(struct task_smack), 5055 .lbs_file = sizeof(struct smack_known *), 5056 .lbs_inode = sizeof(struct inode_smack), 5057 .lbs_ipc = sizeof(struct smack_known *), 5058 .lbs_key = sizeof(struct smack_known *), 5059 .lbs_msg_msg = sizeof(struct smack_known *), 5060 .lbs_sock = sizeof(struct socket_smack), 5061 .lbs_superblock = sizeof(struct superblock_smack), 5062 .lbs_xattr_count = SMACK_INODE_INIT_XATTRS, 5063 }; 5064 5065 static const struct lsm_id smack_lsmid = { 5066 .name = "smack", 5067 .id = LSM_ID_SMACK, 5068 }; 5069 5070 static struct security_hook_list smack_hooks[] __ro_after_init = { 5071 LSM_HOOK_INIT(ptrace_access_check, smack_ptrace_access_check), 5072 LSM_HOOK_INIT(ptrace_traceme, smack_ptrace_traceme), 5073 LSM_HOOK_INIT(syslog, smack_syslog), 5074 5075 LSM_HOOK_INIT(fs_context_submount, smack_fs_context_submount), 5076 LSM_HOOK_INIT(fs_context_dup, smack_fs_context_dup), 5077 LSM_HOOK_INIT(fs_context_parse_param, smack_fs_context_parse_param), 5078 5079 LSM_HOOK_INIT(sb_alloc_security, smack_sb_alloc_security), 5080 LSM_HOOK_INIT(sb_free_mnt_opts, smack_free_mnt_opts), 5081 LSM_HOOK_INIT(sb_eat_lsm_opts, smack_sb_eat_lsm_opts), 5082 LSM_HOOK_INIT(sb_statfs, smack_sb_statfs), 5083 LSM_HOOK_INIT(sb_set_mnt_opts, smack_set_mnt_opts), 5084 5085 LSM_HOOK_INIT(bprm_creds_for_exec, smack_bprm_creds_for_exec), 5086 5087 LSM_HOOK_INIT(inode_alloc_security, smack_inode_alloc_security), 5088 LSM_HOOK_INIT(inode_init_security, smack_inode_init_security), 5089 LSM_HOOK_INIT(inode_link, smack_inode_link), 5090 LSM_HOOK_INIT(inode_unlink, smack_inode_unlink), 5091 LSM_HOOK_INIT(inode_rmdir, smack_inode_rmdir), 5092 LSM_HOOK_INIT(inode_rename, smack_inode_rename), 5093 LSM_HOOK_INIT(inode_permission, smack_inode_permission), 5094 LSM_HOOK_INIT(inode_setattr, smack_inode_setattr), 5095 LSM_HOOK_INIT(inode_getattr, smack_inode_getattr), 5096 LSM_HOOK_INIT(inode_xattr_skipcap, smack_inode_xattr_skipcap), 5097 LSM_HOOK_INIT(inode_setxattr, smack_inode_setxattr), 5098 LSM_HOOK_INIT(inode_post_setxattr, smack_inode_post_setxattr), 5099 LSM_HOOK_INIT(inode_getxattr, smack_inode_getxattr), 5100 LSM_HOOK_INIT(inode_removexattr, smack_inode_removexattr), 5101 LSM_HOOK_INIT(inode_set_acl, smack_inode_set_acl), 5102 LSM_HOOK_INIT(inode_get_acl, smack_inode_get_acl), 5103 LSM_HOOK_INIT(inode_remove_acl, smack_inode_remove_acl), 5104 LSM_HOOK_INIT(inode_getsecurity, smack_inode_getsecurity), 5105 LSM_HOOK_INIT(inode_setsecurity, smack_inode_setsecurity), 5106 LSM_HOOK_INIT(inode_listsecurity, smack_inode_listsecurity), 5107 LSM_HOOK_INIT(inode_getlsmprop, smack_inode_getlsmprop), 5108 5109 LSM_HOOK_INIT(file_alloc_security, smack_file_alloc_security), 5110 LSM_HOOK_INIT(file_ioctl, smack_file_ioctl), 5111 LSM_HOOK_INIT(file_ioctl_compat, smack_file_ioctl), 5112 LSM_HOOK_INIT(file_lock, smack_file_lock), 5113 LSM_HOOK_INIT(file_fcntl, smack_file_fcntl), 5114 LSM_HOOK_INIT(mmap_file, smack_mmap_file), 5115 LSM_HOOK_INIT(mmap_addr, cap_mmap_addr), 5116 LSM_HOOK_INIT(file_set_fowner, smack_file_set_fowner), 5117 LSM_HOOK_INIT(file_send_sigiotask, smack_file_send_sigiotask), 5118 LSM_HOOK_INIT(file_receive, smack_file_receive), 5119 5120 LSM_HOOK_INIT(file_open, smack_file_open), 5121 5122 LSM_HOOK_INIT(cred_alloc_blank, smack_cred_alloc_blank), 5123 LSM_HOOK_INIT(cred_free, smack_cred_free), 5124 LSM_HOOK_INIT(cred_prepare, smack_cred_prepare), 5125 LSM_HOOK_INIT(cred_transfer, smack_cred_transfer), 5126 LSM_HOOK_INIT(cred_getsecid, smack_cred_getsecid), 5127 LSM_HOOK_INIT(cred_getlsmprop, smack_cred_getlsmprop), 5128 LSM_HOOK_INIT(kernel_act_as, smack_kernel_act_as), 5129 LSM_HOOK_INIT(kernel_create_files_as, smack_kernel_create_files_as), 5130 LSM_HOOK_INIT(task_setpgid, smack_task_setpgid), 5131 LSM_HOOK_INIT(task_getpgid, smack_task_getpgid), 5132 LSM_HOOK_INIT(task_getsid, smack_task_getsid), 5133 LSM_HOOK_INIT(current_getlsmprop_subj, smack_current_getlsmprop_subj), 5134 LSM_HOOK_INIT(task_getlsmprop_obj, smack_task_getlsmprop_obj), 5135 LSM_HOOK_INIT(task_setnice, smack_task_setnice), 5136 LSM_HOOK_INIT(task_setioprio, smack_task_setioprio), 5137 LSM_HOOK_INIT(task_getioprio, smack_task_getioprio), 5138 LSM_HOOK_INIT(task_setscheduler, smack_task_setscheduler), 5139 LSM_HOOK_INIT(task_getscheduler, smack_task_getscheduler), 5140 LSM_HOOK_INIT(task_movememory, smack_task_movememory), 5141 LSM_HOOK_INIT(task_kill, smack_task_kill), 5142 LSM_HOOK_INIT(task_to_inode, smack_task_to_inode), 5143 5144 LSM_HOOK_INIT(ipc_permission, smack_ipc_permission), 5145 LSM_HOOK_INIT(ipc_getlsmprop, smack_ipc_getlsmprop), 5146 5147 LSM_HOOK_INIT(msg_msg_alloc_security, smack_msg_msg_alloc_security), 5148 5149 LSM_HOOK_INIT(msg_queue_alloc_security, smack_ipc_alloc_security), 5150 LSM_HOOK_INIT(msg_queue_associate, smack_msg_queue_associate), 5151 LSM_HOOK_INIT(msg_queue_msgctl, smack_msg_queue_msgctl), 5152 LSM_HOOK_INIT(msg_queue_msgsnd, smack_msg_queue_msgsnd), 5153 LSM_HOOK_INIT(msg_queue_msgrcv, smack_msg_queue_msgrcv), 5154 5155 LSM_HOOK_INIT(shm_alloc_security, smack_ipc_alloc_security), 5156 LSM_HOOK_INIT(shm_associate, smack_shm_associate), 5157 LSM_HOOK_INIT(shm_shmctl, smack_shm_shmctl), 5158 LSM_HOOK_INIT(shm_shmat, smack_shm_shmat), 5159 5160 LSM_HOOK_INIT(sem_alloc_security, smack_ipc_alloc_security), 5161 LSM_HOOK_INIT(sem_associate, smack_sem_associate), 5162 LSM_HOOK_INIT(sem_semctl, smack_sem_semctl), 5163 LSM_HOOK_INIT(sem_semop, smack_sem_semop), 5164 5165 LSM_HOOK_INIT(d_instantiate, smack_d_instantiate), 5166 5167 LSM_HOOK_INIT(getselfattr, smack_getselfattr), 5168 LSM_HOOK_INIT(setselfattr, smack_setselfattr), 5169 LSM_HOOK_INIT(getprocattr, smack_getprocattr), 5170 LSM_HOOK_INIT(setprocattr, smack_setprocattr), 5171 5172 LSM_HOOK_INIT(unix_stream_connect, smack_unix_stream_connect), 5173 LSM_HOOK_INIT(unix_may_send, smack_unix_may_send), 5174 5175 LSM_HOOK_INIT(socket_post_create, smack_socket_post_create), 5176 LSM_HOOK_INIT(socket_socketpair, smack_socket_socketpair), 5177 #ifdef SMACK_IPV6_PORT_LABELING 5178 LSM_HOOK_INIT(socket_bind, smack_socket_bind), 5179 #endif 5180 LSM_HOOK_INIT(socket_connect, smack_socket_connect), 5181 LSM_HOOK_INIT(socket_sendmsg, smack_socket_sendmsg), 5182 LSM_HOOK_INIT(socket_sock_rcv_skb, smack_socket_sock_rcv_skb), 5183 LSM_HOOK_INIT(socket_getpeersec_stream, smack_socket_getpeersec_stream), 5184 LSM_HOOK_INIT(socket_getpeersec_dgram, smack_socket_getpeersec_dgram), 5185 LSM_HOOK_INIT(sk_alloc_security, smack_sk_alloc_security), 5186 #ifdef SMACK_IPV6_PORT_LABELING 5187 LSM_HOOK_INIT(sk_free_security, smack_sk_free_security), 5188 #endif 5189 LSM_HOOK_INIT(sk_clone_security, smack_sk_clone_security), 5190 LSM_HOOK_INIT(sock_graft, smack_sock_graft), 5191 LSM_HOOK_INIT(inet_conn_request, smack_inet_conn_request), 5192 LSM_HOOK_INIT(inet_csk_clone, smack_inet_csk_clone), 5193 5194 /* key management security hooks */ 5195 #ifdef CONFIG_KEYS 5196 LSM_HOOK_INIT(key_alloc, smack_key_alloc), 5197 LSM_HOOK_INIT(key_permission, smack_key_permission), 5198 LSM_HOOK_INIT(key_getsecurity, smack_key_getsecurity), 5199 #ifdef CONFIG_KEY_NOTIFICATIONS 5200 LSM_HOOK_INIT(watch_key, smack_watch_key), 5201 #endif 5202 #endif /* CONFIG_KEYS */ 5203 5204 #ifdef CONFIG_WATCH_QUEUE 5205 LSM_HOOK_INIT(post_notification, smack_post_notification), 5206 #endif 5207 5208 /* Audit hooks */ 5209 #ifdef CONFIG_AUDIT 5210 LSM_HOOK_INIT(audit_rule_init, smack_audit_rule_init), 5211 LSM_HOOK_INIT(audit_rule_known, smack_audit_rule_known), 5212 LSM_HOOK_INIT(audit_rule_match, smack_audit_rule_match), 5213 #endif /* CONFIG_AUDIT */ 5214 5215 LSM_HOOK_INIT(ismaclabel, smack_ismaclabel), 5216 LSM_HOOK_INIT(secid_to_secctx, smack_secid_to_secctx), 5217 LSM_HOOK_INIT(lsmprop_to_secctx, smack_lsmprop_to_secctx), 5218 LSM_HOOK_INIT(secctx_to_secid, smack_secctx_to_secid), 5219 LSM_HOOK_INIT(inode_notifysecctx, smack_inode_notifysecctx), 5220 LSM_HOOK_INIT(inode_setsecctx, smack_inode_setsecctx), 5221 LSM_HOOK_INIT(inode_getsecctx, smack_inode_getsecctx), 5222 LSM_HOOK_INIT(inode_copy_up, smack_inode_copy_up), 5223 LSM_HOOK_INIT(inode_copy_up_xattr, smack_inode_copy_up_xattr), 5224 LSM_HOOK_INIT(dentry_create_files_as, smack_dentry_create_files_as), 5225 #ifdef CONFIG_IO_URING 5226 LSM_HOOK_INIT(uring_override_creds, smack_uring_override_creds), 5227 LSM_HOOK_INIT(uring_sqpoll, smack_uring_sqpoll), 5228 LSM_HOOK_INIT(uring_cmd, smack_uring_cmd), 5229 #endif 5230 }; 5231 5232 5233 static __init void init_smack_known_list(void) 5234 { 5235 /* 5236 * Initialize rule list locks 5237 */ 5238 mutex_init(&smack_known_huh.smk_rules_lock); 5239 mutex_init(&smack_known_hat.smk_rules_lock); 5240 mutex_init(&smack_known_floor.smk_rules_lock); 5241 mutex_init(&smack_known_star.smk_rules_lock); 5242 mutex_init(&smack_known_web.smk_rules_lock); 5243 /* 5244 * Initialize rule lists 5245 */ 5246 INIT_LIST_HEAD(&smack_known_huh.smk_rules); 5247 INIT_LIST_HEAD(&smack_known_hat.smk_rules); 5248 INIT_LIST_HEAD(&smack_known_star.smk_rules); 5249 INIT_LIST_HEAD(&smack_known_floor.smk_rules); 5250 INIT_LIST_HEAD(&smack_known_web.smk_rules); 5251 /* 5252 * Create the known labels list 5253 */ 5254 smk_insert_entry(&smack_known_huh); 5255 smk_insert_entry(&smack_known_hat); 5256 smk_insert_entry(&smack_known_star); 5257 smk_insert_entry(&smack_known_floor); 5258 smk_insert_entry(&smack_known_web); 5259 } 5260 5261 /** 5262 * smack_init - initialize the smack system 5263 * 5264 * Returns 0 on success, -ENOMEM is there's no memory 5265 */ 5266 static __init int smack_init(void) 5267 { 5268 struct cred *cred = (struct cred *) current->cred; 5269 struct task_smack *tsp; 5270 5271 smack_rule_cache = KMEM_CACHE(smack_rule, 0); 5272 if (!smack_rule_cache) 5273 return -ENOMEM; 5274 5275 /* 5276 * Set the security state for the initial task. 5277 */ 5278 tsp = smack_cred(cred); 5279 init_task_smack(tsp, &smack_known_floor, &smack_known_floor); 5280 5281 /* 5282 * Register with LSM 5283 */ 5284 security_add_hooks(smack_hooks, ARRAY_SIZE(smack_hooks), &smack_lsmid); 5285 smack_enabled = 1; 5286 5287 pr_info("Smack: Initializing.\n"); 5288 #ifdef CONFIG_SECURITY_SMACK_NETFILTER 5289 pr_info("Smack: Netfilter enabled.\n"); 5290 #endif 5291 #ifdef SMACK_IPV6_PORT_LABELING 5292 pr_info("Smack: IPv6 port labeling enabled.\n"); 5293 #endif 5294 #ifdef SMACK_IPV6_SECMARK_LABELING 5295 pr_info("Smack: IPv6 Netfilter enabled.\n"); 5296 #endif 5297 5298 /* initialize the smack_known_list */ 5299 init_smack_known_list(); 5300 5301 return 0; 5302 } 5303 5304 /* 5305 * Smack requires early initialization in order to label 5306 * all processes and objects when they are created. 5307 */ 5308 DEFINE_LSM(smack) = { 5309 .name = "smack", 5310 .flags = LSM_FLAG_LEGACY_MAJOR | LSM_FLAG_EXCLUSIVE, 5311 .blobs = &smack_blob_sizes, 5312 .init = smack_init, 5313 }; 5314